From 99e98bafcb4e984d62acd4a07ad73f4e1aca6b97 Mon Sep 17 00:00:00 2001 
From: Timo Aaltonen Date: Wed, 22 Aug 2018 14:34:01 +0100 Subject: [PATCH] Import sssd_1.16.3.orig.tar.gz [dgit import orig sssd_1.16.3.orig.tar.gz] --- ABOUT-NLS | 986 + BUILD.txt | 6 + COPYING | 674 + Makefile.am | 5179 +++ Makefile.in | 35698 ++++++++++++++++ aclocal.m4 | 2371 + build/ar-lib | 270 + build/compile | 348 + build/config.guess | 1476 + build/config.rpath | 571 + build/config.sub | 1836 + build/depcomp | 791 + build/install-sh | 501 + build/ltmain.sh | 11149 +++++ build/missing | 215 + build/mkinstalldirs | 162 + build/test-driver | 148 + config.h.in | 752 + configure | 30464 +++++++++++++ configure.ac | 522 + contrib/ci/README.md | 73 + contrib/ci/clean | 25 + contrib/ci/configure.sh | 80 + contrib/ci/deps.sh | 160 + contrib/ci/distro.sh | 100 + contrib/ci/misc.sh | 73 + contrib/ci/rpm-spec-builddeps | 38 + contrib/ci/run | 409 + contrib/ci/sssd.supp | 223 + contrib/ci/valgrind-condense | 135 + contrib/fedora/bashrc_sssd | 121 + contrib/fedora/make_srpm.sh | 177 + contrib/kcm_default_ccache | 12 + contrib/sssd-pcsc.rules | 15 + contrib/sssd-pcsc.rules.in | 15 + contrib/sssd.spec.in | 1487 + contrib/systemtap/dp_request.stp | 85 + contrib/systemtap/id_perf.stp | 167 + contrib/systemtap/nested_group_perf.stp | 333 + m4/.dir | 0 m4/codeset.m4 | 21 + m4/gettext.m4 | 549 + m4/glibc2.m4 | 30 + m4/glibc21.m4 | 30 + m4/iconv.m4 | 101 + m4/intdiv0.m4 | 70 + m4/intmax.m4 | 30 + m4/inttypes-pri.m4 | 30 + m4/inttypes.m4 | 25 + m4/inttypes_h.m4 | 26 + m4/isc-posix.m4 | 24 + m4/lcmessage.m4 | 30 + m4/lib-ld.m4 | 110 + m4/lib-link.m4 | 553 + m4/lib-prefix.m4 | 153 + m4/libtool.m4 | 8372 ++++ m4/longdouble.m4 | 28 + m4/longlong.m4 | 23 + m4/ltoptions.m4 | 437 + m4/ltsugar.m4 | 124 + m4/ltversion.m4 | 23 + m4/lt~obsolete.m4 | 99 + m4/nls.m4 | 51 + m4/po.m4 | 429 + m4/printf-posix.m4 | 44 + m4/progtest.m4 | 92 + m4/signed.m4 | 17 + m4/size_max.m4 | 59 + m4/stdint_h.m4 | 26 + m4/uintmax_t.m4 | 30 + m4/ulonglong.m4 | 23 + m4/wchar_t.m4 | 20 + m4/wint_t.m4 | 20 + 
m4/xsize.m4 | 13 + po/LINGUAS | 23 + po/Makefile.in.in | 384 + po/Makevars | 41 + po/POTFILES.in | 33 + po/Rules-quot | 47 + po/bg.gmo | Bin 0 -> 17131 bytes po/bg.po | 2806 ++ po/boldquot.sed | 10 + po/ca.gmo | Bin 0 -> 51438 bytes po/ca.po | 2966 ++ po/de.gmo | Bin 0 -> 45862 bytes po/de.po | 2933 ++ po/en@boldquot.header | 25 + po/en@quot.header | 22 + po/es.gmo | Bin 0 -> 39027 bytes po/es.po | 2901 ++ po/eu.gmo | Bin 0 -> 5262 bytes po/eu.po | 2800 ++ po/fr.gmo | Bin 0 -> 51843 bytes po/fr.po | 2962 ++ po/hu.gmo | Bin 0 -> 6792 bytes po/hu.po | 2804 ++ po/id.gmo | Bin 0 -> 10852 bytes po/id.po | 2813 ++ po/insert-header.sin | 23 + po/it.gmo | Bin 0 -> 18794 bytes po/it.po | 2829 ++ po/ja.gmo | Bin 0 -> 46752 bytes po/ja.po | 2847 ++ po/nb.gmo | Bin 0 -> 1557 bytes po/nb.po | 2800 ++ po/nl.gmo | Bin 0 -> 42204 bytes po/nl.po | 2908 ++ po/pl.gmo | Bin 0 -> 70148 bytes po/pl.po | 2983 ++ po/pt.gmo | Bin 0 -> 18097 bytes po/pt.po | 2828 ++ po/pt_BR.gmo | Bin 0 -> 1087 bytes po/pt_BR.po | 2794 ++ po/quot.sed | 6 + po/remove-potcdate.sin | 19 + po/ru.gmo | Bin 0 -> 27809 bytes po/ru.po | 2845 ++ po/sssd.pot | 2797 ++ po/stamp-po | 1 + po/sv.gmo | Bin 0 -> 67517 bytes po/sv.po | 2939 ++ po/tg.gmo | Bin 0 -> 1155 bytes po/tg.po | 2799 ++ po/tr.gmo | Bin 0 -> 858 bytes po/tr.po | 2800 ++ po/uk.gmo | Bin 0 -> 94209 bytes po/uk.po | 3031 ++ po/zh_CN.gmo | Bin 0 -> 1268 bytes po/zh_CN.po | 2800 ++ po/zh_TW.gmo | Bin 0 -> 10259 bytes po/zh_TW.po | 2799 ++ src/build_macros.m4 | 50 + src/conf_macros.m4 | 950 + src/confdb/confdb.c | 2203 + src/confdb/confdb.h | 669 + src/confdb/confdb_private.h | 35 + src/confdb/confdb_setup.c | 449 + src/confdb/confdb_setup.h | 54 + src/config/SSSDConfig/__init__.py | 2162 + src/config/SSSDConfig/__init__.py.in | 2162 + src/config/SSSDConfig/ipachangeconf.py | 595 + src/config/SSSDConfigTest.py | 2100 + src/config/SSSDConfigTest.py2.sh | 5 + src/config/SSSDConfigTest.py3.sh | 5 + src/config/cfg_rules.ini | 750 + src/config/etc/sssd.api.conf 
| 218 + src/config/etc/sssd.api.d/crash_test_dummy | 1 + src/config/etc/sssd.api.d/sssd-ad.conf | 190 + src/config/etc/sssd.api.d/sssd-files.conf | 3 + src/config/etc/sssd.api.d/sssd-ipa.conf | 275 + src/config/etc/sssd.api.d/sssd-krb5.conf | 29 + src/config/etc/sssd.api.d/sssd-ldap.conf | 176 + src/config/etc/sssd.api.d/sssd-local.conf | 16 + src/config/etc/sssd.api.d/sssd-proxy.conf | 12 + src/config/etc/sssd.api.d/sssd-simple.conf | 7 + src/config/setup.py | 32 + src/config/setup.py.in | 32 + src/config/testconfigs/noparse.api.conf | 7 + src/config/testconfigs/sssd-badversion.conf | 42 + .../testconfigs/sssd-invalid-badbool.conf | 43 + src/config/testconfigs/sssd-invalid.conf | 3 + .../sssd-nonexisting-services-domains.conf | 13 + src/config/testconfigs/sssd-noversion.conf | 63 + src/config/testconfigs/sssd-valid.conf | 60 + src/db/sysdb.c | 1975 + src/db/sysdb.h | 1430 + src/db/sysdb_autofs.c | 527 + src/db/sysdb_autofs.h | 89 + src/db/sysdb_certmap.c | 428 + src/db/sysdb_domain_resolution_order.c | 169 + src/db/sysdb_domain_resolution_order.h | 37 + src/db/sysdb_gpo.c | 685 + src/db/sysdb_idmap.c | 316 + src/db/sysdb_init.c | 1058 + src/db/sysdb_ops.c | 5581 +++ src/db/sysdb_private.h | 305 + src/db/sysdb_ranges.c | 359 + src/db/sysdb_search.c | 2485 ++ src/db/sysdb_selinux.c | 328 + src/db/sysdb_selinux.h | 59 + src/db/sysdb_services.c | 837 + src/db/sysdb_services.h | 112 + src/db/sysdb_ssh.c | 401 + src/db/sysdb_ssh.h | 79 + src/db/sysdb_subdomains.c | 1392 + src/db/sysdb_sudo.c | 1134 + src/db/sysdb_sudo.h | 157 + src/db/sysdb_upgrade.c | 2574 ++ src/db/sysdb_views.c | 1810 + src/doxy.config.in | 1885 + src/examples/logrotate | 12 + src/examples/rwtab.in | 1 + src/examples/sssd-example.conf | 54 + src/examples/sssd-shadowutils | 6 + src/examples/sssd.conf | 15 + src/examples/sssdproxytest | 5 + src/examples/sudo | 6 + src/external/cifsidmap.m4 | 19 + src/external/crypto.m4 | 10 + src/external/cwrap.m4 | 30 + src/external/docbook.m4 | 32 + 
src/external/glib.m4 | 11 + src/external/inotify.m4 | 34 + src/external/intgcheck.m4 | 35 + src/external/krb5.m4 | 116 + src/external/ldap.m4 | 96 + src/external/libcares.m4 | 15 + src/external/libcmocka.m4 | 18 + src/external/libcollection.m4 | 9 + src/external/libcurl.m4 | 28 + src/external/libdhash.m4 | 9 + src/external/libhttp_parser.m4 | 22 + src/external/libini_config.m4 | 48 + src/external/libjansson.m4 | 18 + src/external/libkeyutils.m4 | 11 + src/external/libldb.m4 | 42 + src/external/libnfsidmap.m4 | 29 + src/external/libnl.m4 | 88 + src/external/libpcre.m4 | 21 + src/external/libpopt.m4 | 15 + src/external/libresolv.m4 | 12 + src/external/libtalloc.m4 | 15 + src/external/libtdb.m4 | 15 + src/external/libtevent.m4 | 15 + src/external/libunistring.m4 | 31 + src/external/libuuid.m4 | 17 + src/external/nscd.m4 | 9 + src/external/nsupdate.m4 | 19 + src/external/p11-kit.m4 | 4 + src/external/pac_responder.m4 | 39 + src/external/pam.m4 | 41 + src/external/pkg.m4 | 156 + src/external/platform.m4 | 48 + src/external/python.m4 | 102 + src/external/samba.m4 | 132 + src/external/sasl.m4 | 15 + src/external/selinux.m4 | 25 + src/external/service.m4 | 13 + src/external/signal.m4 | 1 + src/external/sizes.m4 | 50 + src/external/systemd.m4 | 57 + src/external/systemtap.m4 | 35 + src/external/test_ca.m4 | 68 + src/krb5_plugin/sssd_krb5_localauth_plugin.c | 195 + src/krb5_plugin/sssd_krb5_locator_plugin.c | 597 + src/ldb_modules/memberof.c | 4585 ++ src/lib/certmap/sss_cert_content_common.c | 199 + src/lib/certmap/sss_cert_content_crypto.c | 814 + src/lib/certmap/sss_cert_content_nss.c | 925 + src/lib/certmap/sss_certmap.c | 916 + src/lib/certmap/sss_certmap.doxy.in | 3 + src/lib/certmap/sss_certmap.exports | 13 + src/lib/certmap/sss_certmap.h | 152 + src/lib/certmap/sss_certmap.pc.in | 11 + src/lib/certmap/sss_certmap_attr_names.c | 134 + src/lib/certmap/sss_certmap_int.h | 210 + src/lib/certmap/sss_certmap_krb5_match.c | 562 + src/lib/certmap/sss_certmap_ldap_mapping.c | 
371 + src/lib/cifs_idmap_sss/cifs_idmap_sss.c | 335 + src/lib/idmap/sss_idmap.c | 1613 + src/lib/idmap/sss_idmap.doxy.in | 1883 + src/lib/idmap/sss_idmap.exports | 66 + src/lib/idmap/sss_idmap.h | 962 + src/lib/idmap/sss_idmap.pc.in | 11 + src/lib/idmap/sss_idmap_conv.c | 569 + src/lib/idmap/sss_idmap_private.h | 84 + src/lib/ipa_hbac/hbac_evaluator.c | 520 + src/lib/ipa_hbac/ipa_hbac.doxy.in | 1883 + src/lib/ipa_hbac/ipa_hbac.exports | 20 + src/lib/ipa_hbac/ipa_hbac.h | 344 + src/lib/ipa_hbac/ipa_hbac.pc.in | 11 + src/lib/sifp/sss_sifp.c | 473 + src/lib/sifp/sss_sifp.h | 564 + src/lib/sifp/sss_sifp_attrs.c | 317 + src/lib/sifp/sss_sifp_common.c | 183 + src/lib/sifp/sss_sifp_dbus.c | 275 + src/lib/sifp/sss_sifp_dbus.h | 174 + src/lib/sifp/sss_sifp_parser.c | 723 + src/lib/sifp/sss_sifp_private.h | 112 + src/lib/sifp/sss_sifp_utils.c | 90 + src/lib/sifp/sss_simpleifp.doxy.in | 1539 + src/lib/sifp/sss_simpleifp.exports | 56 + src/lib/sifp/sss_simpleifp.pc.in | 12 + .../libdlopen-test-winbind-idmap.c | 31 + src/lib/winbind_idmap_sss/winbind_idmap_sss.c | 216 + src/lib/winbind_idmap_sss/winbind_idmap_sss.h | 102 + src/m4/.dir | 0 src/man/Makefile.am | 260 + src/man/Makefile.in | 1053 + src/man/br/include/ad_modified_defaults.xml | 77 + src/man/br/include/autofs_restart.xml | 5 + src/man/br/include/debug_levels.xml | 86 + src/man/br/include/debug_levels_tools.xml | 72 + src/man/br/include/experimental.xml | 2 + src/man/br/include/failover.xml | 97 + src/man/br/include/homedir_substring.xml | 17 + src/man/br/include/ipa_modified_defaults.xml | 123 + src/man/br/include/ldap_id_mapping.xml | 278 + src/man/br/include/ldap_search_bases.xml | 31 + src/man/br/include/local.xml | 17 + src/man/br/include/override_homedir.xml | 63 + src/man/br/include/param_help.xml | 10 + src/man/br/include/param_help_py.xml | 10 + src/man/br/include/seealso.xml | 61 + src/man/br/include/service_discovery.xml | 41 + src/man/br/include/upstream.xml | 3 + 
src/man/ca/include/ad_modified_defaults.xml | 77 + src/man/ca/include/autofs_restart.xml | 5 + src/man/ca/include/debug_levels.xml | 92 + src/man/ca/include/debug_levels_tools.xml | 77 + src/man/ca/include/experimental.xml | 2 + src/man/ca/include/failover.xml | 97 + src/man/ca/include/homedir_substring.xml | 17 + src/man/ca/include/ipa_modified_defaults.xml | 123 + src/man/ca/include/ldap_id_mapping.xml | 278 + src/man/ca/include/ldap_search_bases.xml | 31 + src/man/ca/include/local.xml | 17 + src/man/ca/include/override_homedir.xml | 63 + src/man/ca/include/param_help.xml | 10 + src/man/ca/include/param_help_py.xml | 10 + src/man/ca/include/seealso.xml | 61 + src/man/ca/include/service_discovery.xml | 41 + src/man/ca/include/upstream.xml | 3 + src/man/ca/pam_sss.8.xml | 205 + src/man/ca/sss_cache.8.xml | 221 + src/man/ca/sss_groupadd.8.xml | 58 + src/man/ca/sss_groupdel.8.xml | 46 + src/man/ca/sss_groupmod.8.xml | 72 + src/man/ca/sss_groupshow.8.xml | 59 + src/man/ca/sss_obfuscate.8.xml | 98 + src/man/ca/sss_rpcidmapd.5.xml | 113 + src/man/ca/sss_seed.8.xml | 169 + src/man/ca/sss_useradd.8.xml | 166 + src/man/ca/sss_userdel.8.xml | 92 + src/man/ca/sss_usermod.8.xml | 170 + src/man/ca/sssd-ifp.5.xml | 140 + src/man/ca/sssd-simple.5.xml | 154 + src/man/ca/sssd.8.xml | 232 + src/man/cs/include/ad_modified_defaults.xml | 77 + src/man/cs/include/autofs_restart.xml | 5 + src/man/cs/include/debug_levels.xml | 86 + src/man/cs/include/debug_levels_tools.xml | 72 + src/man/cs/include/experimental.xml | 2 + src/man/cs/include/failover.xml | 97 + src/man/cs/include/homedir_substring.xml | 17 + src/man/cs/include/ipa_modified_defaults.xml | 123 + src/man/cs/include/ldap_id_mapping.xml | 278 + src/man/cs/include/ldap_search_bases.xml | 31 + src/man/cs/include/local.xml | 17 + src/man/cs/include/override_homedir.xml | 63 + src/man/cs/include/param_help.xml | 10 + src/man/cs/include/param_help_py.xml | 10 + src/man/cs/include/seealso.xml | 61 + 
src/man/cs/include/service_discovery.xml | 41 + src/man/cs/include/upstream.xml | 3 + src/man/cs/sss_groupdel.8.xml | 46 + src/man/de/include/ad_modified_defaults.xml | 77 + src/man/de/include/autofs_restart.xml | 6 + src/man/de/include/debug_levels.xml | 89 + src/man/de/include/debug_levels_tools.xml | 75 + src/man/de/include/experimental.xml | 2 + src/man/de/include/failover.xml | 102 + src/man/de/include/homedir_substring.xml | 18 + src/man/de/include/ipa_modified_defaults.xml | 123 + src/man/de/include/ldap_id_mapping.xml | 290 + src/man/de/include/ldap_search_bases.xml | 33 + src/man/de/include/local.xml | 18 + src/man/de/include/override_homedir.xml | 64 + src/man/de/include/param_help.xml | 10 + src/man/de/include/param_help_py.xml | 10 + src/man/de/include/seealso.xml | 61 + src/man/de/include/service_discovery.xml | 43 + src/man/de/include/upstream.xml | 3 + src/man/de/sss_groupadd.8.xml | 59 + src/man/de/sss_groupdel.8.xml | 46 + src/man/de/sss_groupmod.8.xml | 72 + src/man/de/sss_groupshow.8.xml | 60 + src/man/de/sss_obfuscate.8.xml | 97 + src/man/de/sss_seed.8.xml | 169 + src/man/de/sss_ssh_knownhostsproxy.1.xml | 107 + src/man/de/sss_useradd.8.xml | 168 + src/man/de/sss_userdel.8.xml | 92 + src/man/de/sss_usermod.8.xml | 170 + src/man/de/sssd-ifp.5.xml | 141 + src/man/de/sssd-krb5.5.xml | 555 + src/man/de/sssd-ldap.5.xml | 2643 ++ src/man/de/sssd-simple.5.xml | 155 + src/man/de/sssd-sudo.5.xml | 196 + src/man/de/sssd.8.xml | 234 + src/man/de/sssd_krb5_locator_plugin.8.xml | 68 + src/man/es/include/ad_modified_defaults.xml | 77 + src/man/es/include/autofs_restart.xml | 6 + src/man/es/include/debug_levels.xml | 87 + src/man/es/include/debug_levels_tools.xml | 73 + src/man/es/include/experimental.xml | 2 + src/man/es/include/failover.xml | 108 + src/man/es/include/homedir_substring.xml | 17 + src/man/es/include/ipa_modified_defaults.xml | 123 + src/man/es/include/ldap_id_mapping.xml | 284 + src/man/es/include/ldap_search_bases.xml | 33 + 
src/man/es/include/local.xml | 17 + src/man/es/include/override_homedir.xml | 63 + src/man/es/include/param_help.xml | 10 + src/man/es/include/param_help_py.xml | 10 + src/man/es/include/seealso.xml | 61 + src/man/es/include/service_discovery.xml | 44 + src/man/es/include/upstream.xml | 3 + src/man/es/sss_groupadd.8.xml | 58 + src/man/es/sss_groupdel.8.xml | 46 + src/man/es/sss_groupmod.8.xml | 72 + src/man/es/sss_groupshow.8.xml | 59 + src/man/es/sss_obfuscate.8.xml | 97 + src/man/es/sss_seed.8.xml | 165 + src/man/es/sss_useradd.8.xml | 167 + src/man/es/sss_userdel.8.xml | 92 + src/man/es/sss_usermod.8.xml | 169 + src/man/es/sssd-simple.5.xml | 152 + src/man/es/sssd-sudo.5.xml | 193 + src/man/es/sssd.8.xml | 230 + src/man/eu/include/ad_modified_defaults.xml | 77 + src/man/eu/include/autofs_restart.xml | 5 + src/man/eu/include/debug_levels.xml | 86 + src/man/eu/include/debug_levels_tools.xml | 72 + src/man/eu/include/experimental.xml | 2 + src/man/eu/include/failover.xml | 97 + src/man/eu/include/homedir_substring.xml | 17 + src/man/eu/include/ipa_modified_defaults.xml | 123 + src/man/eu/include/ldap_id_mapping.xml | 278 + src/man/eu/include/ldap_search_bases.xml | 31 + src/man/eu/include/local.xml | 17 + src/man/eu/include/override_homedir.xml | 63 + src/man/eu/include/param_help.xml | 10 + src/man/eu/include/param_help_py.xml | 10 + src/man/eu/include/seealso.xml | 61 + src/man/eu/include/service_discovery.xml | 41 + src/man/eu/include/upstream.xml | 3 + src/man/fi/include/ad_modified_defaults.xml | 77 + src/man/fi/include/autofs_restart.xml | 5 + src/man/fi/include/debug_levels.xml | 86 + src/man/fi/include/debug_levels_tools.xml | 72 + src/man/fi/include/experimental.xml | 2 + src/man/fi/include/failover.xml | 97 + src/man/fi/include/homedir_substring.xml | 17 + src/man/fi/include/ipa_modified_defaults.xml | 123 + src/man/fi/include/ldap_id_mapping.xml | 278 + src/man/fi/include/ldap_search_bases.xml | 31 + src/man/fi/include/local.xml | 17 + 
src/man/fi/include/override_homedir.xml | 63 + src/man/fi/include/param_help.xml | 10 + src/man/fi/include/param_help_py.xml | 10 + src/man/fi/include/seealso.xml | 61 + src/man/fi/include/service_discovery.xml | 41 + src/man/fi/include/upstream.xml | 3 + src/man/fr/include/ad_modified_defaults.xml | 77 + src/man/fr/include/autofs_restart.xml | 6 + src/man/fr/include/debug_levels.xml | 89 + src/man/fr/include/debug_levels_tools.xml | 75 + src/man/fr/include/experimental.xml | 2 + src/man/fr/include/failover.xml | 103 + src/man/fr/include/homedir_substring.xml | 17 + src/man/fr/include/ipa_modified_defaults.xml | 123 + src/man/fr/include/ldap_id_mapping.xml | 288 + src/man/fr/include/ldap_search_bases.xml | 33 + src/man/fr/include/local.xml | 17 + src/man/fr/include/override_homedir.xml | 64 + src/man/fr/include/param_help.xml | 10 + src/man/fr/include/param_help_py.xml | 10 + src/man/fr/include/seealso.xml | 61 + src/man/fr/include/service_discovery.xml | 44 + src/man/fr/include/upstream.xml | 3 + src/man/fr/sss_groupadd.8.xml | 58 + src/man/fr/sss_groupdel.8.xml | 46 + src/man/fr/sss_groupmod.8.xml | 72 + src/man/fr/sss_groupshow.8.xml | 60 + src/man/fr/sss_obfuscate.8.xml | 97 + src/man/fr/sss_seed.8.xml | 169 + src/man/fr/sss_ssh_knownhostsproxy.1.xml | 107 + src/man/fr/sss_useradd.8.xml | 168 + src/man/fr/sss_userdel.8.xml | 93 + src/man/fr/sss_usermod.8.xml | 169 + src/man/fr/sssd-krb5.5.xml | 547 + src/man/fr/sssd-ldap.5.xml | 2628 ++ src/man/fr/sssd-simple.5.xml | 151 + src/man/fr/sssd-sudo.5.xml | 196 + src/man/fr/sssd.8.xml | 232 + src/man/fr/sssd_krb5_locator_plugin.8.xml | 70 + src/man/idmap_sss.8.xml | 62 + src/man/include/ad_modified_defaults.xml | 79 + src/man/include/autofs_restart.xml | 6 + src/man/include/debug_levels.xml | 100 + src/man/include/debug_levels_tools.xml | 81 + src/man/include/experimental.xml | 4 + src/man/include/failover.xml | 108 + src/man/include/homedir_substring.xml | 18 + src/man/include/ipa_modified_defaults.xml | 123 + 
src/man/include/ldap_id_mapping.xml | 307 + src/man/include/ldap_search_bases.xml | 36 + src/man/include/local.xml | 20 + src/man/include/override_homedir.xml | 69 + src/man/include/param_help.xml | 10 + src/man/include/param_help_py.xml | 10 + src/man/include/seealso.xml | 107 + src/man/include/service_discovery.xml | 48 + src/man/include/upstream.xml | 4 + src/man/ja/include/ad_modified_defaults.xml | 77 + src/man/ja/include/autofs_restart.xml | 5 + src/man/ja/include/debug_levels.xml | 86 + src/man/ja/include/debug_levels_tools.xml | 72 + src/man/ja/include/experimental.xml | 2 + src/man/ja/include/failover.xml | 95 + src/man/ja/include/homedir_substring.xml | 17 + src/man/ja/include/ipa_modified_defaults.xml | 123 + src/man/ja/include/ldap_id_mapping.xml | 273 + src/man/ja/include/ldap_search_bases.xml | 30 + src/man/ja/include/local.xml | 17 + src/man/ja/include/override_homedir.xml | 62 + src/man/ja/include/param_help.xml | 10 + src/man/ja/include/param_help_py.xml | 10 + src/man/ja/include/seealso.xml | 61 + src/man/ja/include/service_discovery.xml | 37 + src/man/ja/include/upstream.xml | 3 + src/man/ja/sss_groupadd.8.xml | 56 + src/man/ja/sss_groupdel.8.xml | 46 + src/man/ja/sss_groupmod.8.xml | 68 + src/man/ja/sss_groupshow.8.xml | 57 + src/man/ja/sss_obfuscate.8.xml | 91 + src/man/ja/sss_ssh_knownhostsproxy.1.xml | 103 + src/man/ja/sss_useradd.8.xml | 155 + src/man/ja/sss_userdel.8.xml | 87 + src/man/ja/sss_usermod.8.xml | 164 + src/man/ja/sssd-krb5.5.xml | 505 + src/man/ja/sssd-simple.5.xml | 135 + src/man/ja/sssd.8.xml | 221 + src/man/lv/include/ad_modified_defaults.xml | 77 + src/man/lv/include/autofs_restart.xml | 5 + src/man/lv/include/debug_levels.xml | 86 + src/man/lv/include/debug_levels_tools.xml | 72 + src/man/lv/include/experimental.xml | 2 + src/man/lv/include/failover.xml | 97 + src/man/lv/include/homedir_substring.xml | 17 + src/man/lv/include/ipa_modified_defaults.xml | 123 + src/man/lv/include/ldap_id_mapping.xml | 278 + 
src/man/lv/include/ldap_search_bases.xml | 31 + src/man/lv/include/local.xml | 17 + src/man/lv/include/override_homedir.xml | 63 + src/man/lv/include/param_help.xml | 10 + src/man/lv/include/param_help_py.xml | 10 + src/man/lv/include/seealso.xml | 61 + src/man/lv/include/service_discovery.xml | 41 + src/man/lv/include/upstream.xml | 3 + src/man/man.stamp | 0 src/man/nl/include/ad_modified_defaults.xml | 77 + src/man/nl/include/autofs_restart.xml | 5 + src/man/nl/include/debug_levels.xml | 86 + src/man/nl/include/debug_levels_tools.xml | 72 + src/man/nl/include/experimental.xml | 2 + src/man/nl/include/failover.xml | 97 + src/man/nl/include/homedir_substring.xml | 17 + src/man/nl/include/ipa_modified_defaults.xml | 123 + src/man/nl/include/ldap_id_mapping.xml | 278 + src/man/nl/include/ldap_search_bases.xml | 31 + src/man/nl/include/local.xml | 17 + src/man/nl/include/override_homedir.xml | 63 + src/man/nl/include/param_help.xml | 10 + src/man/nl/include/param_help_py.xml | 10 + src/man/nl/include/seealso.xml | 61 + src/man/nl/include/service_discovery.xml | 41 + src/man/nl/include/upstream.xml | 3 + src/man/nl/sss_groupmod.8.xml | 72 + src/man/pam_sss.8.xml | 238 + src/man/po/br.po | 15636 +++++++ src/man/po/ca.po | 16694 ++++++++ src/man/po/cs.po | 15624 +++++++ src/man/po/de.po | 17789 ++++++++ src/man/po/es.po | 17192 ++++++++ src/man/po/eu.po | 15612 +++++++ src/man/po/fi.po | 15619 +++++++ src/man/po/fr.po | 17659 ++++++++ src/man/po/ja.po | 16668 ++++++++ src/man/po/lv.po | 15623 +++++++ src/man/po/nl.po | 15688 +++++++ src/man/po/po4a.cfg | 53 + src/man/po/pt.po | 15708 +++++++ src/man/po/pt_BR.po | 15609 +++++++ src/man/po/ru.po | 15622 +++++++ src/man/po/sssd-docs.pot | 15583 +++++++ src/man/po/sv.po | 15679 +++++++ src/man/po/tg.po | 15620 +++++++ src/man/po/uk.po | 19726 +++++++++ src/man/po/zh_CN.po | 15631 +++++++ src/man/pt/include/ad_modified_defaults.xml | 77 + src/man/pt/include/autofs_restart.xml | 5 + src/man/pt/include/debug_levels.xml | 86 + 
src/man/pt/include/debug_levels_tools.xml | 72 + src/man/pt/include/experimental.xml | 2 + src/man/pt/include/failover.xml | 97 + src/man/pt/include/homedir_substring.xml | 17 + src/man/pt/include/ipa_modified_defaults.xml | 123 + src/man/pt/include/ldap_id_mapping.xml | 278 + src/man/pt/include/ldap_search_bases.xml | 31 + src/man/pt/include/local.xml | 17 + src/man/pt/include/override_homedir.xml | 63 + src/man/pt/include/param_help.xml | 10 + src/man/pt/include/param_help_py.xml | 10 + src/man/pt/include/seealso.xml | 61 + src/man/pt/include/service_discovery.xml | 41 + src/man/pt/include/upstream.xml | 3 + src/man/pt/sss_groupdel.8.xml | 46 + src/man/pt/sss_groupmod.8.xml | 72 + .../pt_BR/include/ad_modified_defaults.xml | 77 + src/man/pt_BR/include/autofs_restart.xml | 5 + src/man/pt_BR/include/debug_levels.xml | 86 + src/man/pt_BR/include/debug_levels_tools.xml | 72 + src/man/pt_BR/include/experimental.xml | 2 + src/man/pt_BR/include/failover.xml | 97 + src/man/pt_BR/include/homedir_substring.xml | 17 + .../pt_BR/include/ipa_modified_defaults.xml | 123 + src/man/pt_BR/include/ldap_id_mapping.xml | 278 + src/man/pt_BR/include/ldap_search_bases.xml | 31 + src/man/pt_BR/include/local.xml | 17 + src/man/pt_BR/include/override_homedir.xml | 63 + src/man/pt_BR/include/param_help.xml | 10 + src/man/pt_BR/include/param_help_py.xml | 10 + src/man/pt_BR/include/seealso.xml | 61 + src/man/pt_BR/include/service_discovery.xml | 41 + src/man/pt_BR/include/upstream.xml | 3 + src/man/ru/include/ad_modified_defaults.xml | 77 + src/man/ru/include/autofs_restart.xml | 5 + src/man/ru/include/debug_levels.xml | 86 + src/man/ru/include/debug_levels_tools.xml | 72 + src/man/ru/include/experimental.xml | 2 + src/man/ru/include/failover.xml | 97 + src/man/ru/include/homedir_substring.xml | 17 + src/man/ru/include/ipa_modified_defaults.xml | 123 + src/man/ru/include/ldap_id_mapping.xml | 278 + src/man/ru/include/ldap_search_bases.xml | 31 + src/man/ru/include/local.xml | 17 + 
src/man/ru/include/override_homedir.xml | 63 + src/man/ru/include/param_help.xml | 10 + src/man/ru/include/param_help_py.xml | 10 + src/man/ru/include/seealso.xml | 61 + src/man/ru/include/service_discovery.xml | 41 + src/man/ru/include/upstream.xml | 3 + src/man/sss-certmap.5.xml | 602 + src/man/sss_cache.8.xml | 226 + src/man/sss_debuglevel.8.xml | 41 + src/man/sss_groupadd.8.xml | 62 + src/man/sss_groupdel.8.xml | 50 + src/man/sss_groupmod.8.xml | 76 + src/man/sss_groupshow.8.xml | 62 + src/man/sss_obfuscate.8.xml | 105 + src/man/sss_override.8.xml | 279 + src/man/sss_rpcidmapd.5.xml | 132 + src/man/sss_seed.8.xml | 177 + src/man/sss_ssh_authorizedkeys.1.xml | 151 + src/man/sss_ssh_knownhostsproxy.1.xml | 112 + src/man/sss_useradd.8.xml | 175 + src/man/sss_userdel.8.xml | 97 + src/man/sss_usermod.8.xml | 178 + src/man/sssctl.8.xml | 68 + src/man/sssd-ad.5.xml | 1096 + src/man/sssd-files.5.xml | 120 + src/man/sssd-ifp.5.xml | 155 + src/man/sssd-ipa.5.xml | 848 + src/man/sssd-kcm.8.xml | 191 + src/man/sssd-krb5.5.xml | 591 + src/man/sssd-ldap.5.xml | 2881 ++ src/man/sssd-secrets.5.xml | 625 + src/man/sssd-session-recording.5.xml | 162 + src/man/sssd-simple.5.xml | 164 + src/man/sssd-sudo.5.xml | 215 + src/man/sssd-systemtap.5.xml | 386 + src/man/sssd.8.xml | 240 + src/man/sssd.conf.5.xml | 3277 ++ src/man/sssd_krb5_locator_plugin.8.xml | 82 + src/man/sv/include/ad_modified_defaults.xml | 77 + src/man/sv/include/autofs_restart.xml | 5 + src/man/sv/include/debug_levels.xml | 86 + src/man/sv/include/debug_levels_tools.xml | 72 + src/man/sv/include/experimental.xml | 2 + src/man/sv/include/failover.xml | 97 + src/man/sv/include/homedir_substring.xml | 17 + src/man/sv/include/ipa_modified_defaults.xml | 123 + src/man/sv/include/ldap_id_mapping.xml | 278 + src/man/sv/include/ldap_search_bases.xml | 31 + src/man/sv/include/local.xml | 17 + src/man/sv/include/override_homedir.xml | 63 + src/man/sv/include/param_help.xml | 10 + src/man/sv/include/param_help_py.xml | 10 + 
src/man/sv/include/seealso.xml | 61 + src/man/sv/include/service_discovery.xml | 41 + src/man/sv/include/upstream.xml | 3 + src/man/sv/sss_groupmod.8.xml | 71 + src/man/tg/include/ad_modified_defaults.xml | 77 + src/man/tg/include/autofs_restart.xml | 5 + src/man/tg/include/debug_levels.xml | 86 + src/man/tg/include/debug_levels_tools.xml | 72 + src/man/tg/include/experimental.xml | 2 + src/man/tg/include/failover.xml | 97 + src/man/tg/include/homedir_substring.xml | 17 + src/man/tg/include/ipa_modified_defaults.xml | 123 + src/man/tg/include/ldap_id_mapping.xml | 278 + src/man/tg/include/ldap_search_bases.xml | 31 + src/man/tg/include/local.xml | 17 + src/man/tg/include/override_homedir.xml | 63 + src/man/tg/include/param_help.xml | 10 + src/man/tg/include/param_help_py.xml | 10 + src/man/tg/include/seealso.xml | 61 + src/man/tg/include/service_discovery.xml | 41 + src/man/tg/include/upstream.xml | 3 + src/man/uk/idmap_sss.8.xml | 61 + src/man/uk/include/ad_modified_defaults.xml | 78 + src/man/uk/include/autofs_restart.xml | 6 + src/man/uk/include/debug_levels.xml | 93 + src/man/uk/include/debug_levels_tools.xml | 77 + src/man/uk/include/experimental.xml | 3 + src/man/uk/include/failover.xml | 105 + src/man/uk/include/homedir_substring.xml | 18 + src/man/uk/include/ipa_modified_defaults.xml | 124 + src/man/uk/include/ldap_id_mapping.xml | 292 + src/man/uk/include/ldap_search_bases.xml | 33 + src/man/uk/include/local.xml | 19 + src/man/uk/include/override_homedir.xml | 64 + src/man/uk/include/param_help.xml | 10 + src/man/uk/include/param_help_py.xml | 10 + src/man/uk/include/seealso.xml | 61 + src/man/uk/include/service_discovery.xml | 45 + src/man/uk/include/upstream.xml | 3 + src/man/uk/pam_sss.8.xml | 209 + src/man/uk/sss-certmap.5.xml | 593 + src/man/uk/sss_cache.8.xml | 228 + src/man/uk/sss_debuglevel.8.xml | 39 + src/man/uk/sss_groupadd.8.xml | 59 + src/man/uk/sss_groupdel.8.xml | 46 + src/man/uk/sss_groupmod.8.xml | 71 + src/man/uk/sss_groupshow.8.xml | 60 
+ src/man/uk/sss_obfuscate.8.xml | 98 + src/man/uk/sss_override.8.xml | 260 + src/man/uk/sss_rpcidmapd.5.xml | 110 + src/man/uk/sss_seed.8.xml | 168 + src/man/uk/sss_ssh_knownhostsproxy.1.xml | 107 + src/man/uk/sss_useradd.8.xml | 169 + src/man/uk/sss_userdel.8.xml | 93 + src/man/uk/sss_usermod.8.xml | 170 + src/man/uk/sssctl.8.xml | 65 + src/man/uk/sssd-ad.5.xml | 1017 + src/man/uk/sssd-ifp.5.xml | 141 + src/man/uk/sssd-ipa.5.xml | 791 + src/man/uk/sssd-kcm.8.xml | 176 + src/man/uk/sssd-krb5.5.xml | 552 + src/man/uk/sssd-ldap.5.xml | 2648 ++ src/man/uk/sssd-secrets.5.xml | 594 + src/man/uk/sssd-session-recording.5.xml | 151 + src/man/uk/sssd-simple.5.xml | 152 + src/man/uk/sssd-sudo.5.xml | 198 + src/man/uk/sssd-systemtap.5.xml | 364 + src/man/uk/sssd.8.xml | 237 + src/man/uk/sssd.conf.5.xml | 2960 ++ src/man/uk/sssd_krb5_locator_plugin.8.xml | 69 + .../zh_CN/include/ad_modified_defaults.xml | 77 + src/man/zh_CN/include/autofs_restart.xml | 5 + src/man/zh_CN/include/debug_levels.xml | 86 + src/man/zh_CN/include/debug_levels_tools.xml | 72 + src/man/zh_CN/include/experimental.xml | 2 + src/man/zh_CN/include/failover.xml | 97 + src/man/zh_CN/include/homedir_substring.xml | 17 + .../zh_CN/include/ipa_modified_defaults.xml | 123 + src/man/zh_CN/include/ldap_id_mapping.xml | 278 + src/man/zh_CN/include/ldap_search_bases.xml | 31 + src/man/zh_CN/include/local.xml | 17 + src/man/zh_CN/include/override_homedir.xml | 63 + src/man/zh_CN/include/param_help.xml | 10 + src/man/zh_CN/include/param_help_py.xml | 10 + src/man/zh_CN/include/seealso.xml | 61 + src/man/zh_CN/include/service_discovery.xml | 41 + src/man/zh_CN/include/upstream.xml | 3 + src/monitor/monitor.c | 2697 ++ src/monitor/monitor.h | 46 + src/monitor/monitor_iface.xml | 47 + src/monitor/monitor_iface_generated.c | 101 + src/monitor/monitor_iface_generated.h | 83 + src/monitor/monitor_interfaces.h | 54 + src/monitor/monitor_netlink.c | 885 + src/monitor/monitor_sbus.c | 208 + src/p11_child/p11_child.h | 55 + 
src/p11_child/p11_child_common.c | 381 + src/p11_child/p11_child_nss.c | 686 + src/p11_child/p11_child_openssl.c | 771 + src/providers/ad/ad_access.c | 548 + src/providers/ad/ad_access.h | 65 + src/providers/ad/ad_autofs.c | 50 + src/providers/ad/ad_common.c | 1446 + src/providers/ad/ad_common.h | 215 + src/providers/ad/ad_domain_info.c | 454 + src/providers/ad/ad_domain_info.h | 43 + src/providers/ad/ad_dyndns.c | 275 + src/providers/ad/ad_gpo.c | 4644 ++ src/providers/ad/ad_gpo.h | 65 + src/providers/ad/ad_gpo_child.c | 841 + src/providers/ad/ad_gpo_ndr.c | 508 + src/providers/ad/ad_id.c | 1434 + src/providers/ad/ad_id.h | 67 + src/providers/ad/ad_init.c | 654 + src/providers/ad/ad_machine_pw_renewal.c | 403 + src/providers/ad/ad_opts.c | 285 + src/providers/ad/ad_opts.h | 51 + src/providers/ad/ad_pac.c | 744 + src/providers/ad/ad_pac.h | 82 + src/providers/ad/ad_pac_common.c | 86 + src/providers/ad/ad_srv.c | 928 + src/providers/ad/ad_srv.h | 56 + src/providers/ad/ad_subdomains.c | 1979 + src/providers/ad/ad_subdomains.h | 36 + src/providers/ad/ad_sudo.c | 51 + src/providers/backend.h | 229 + src/providers/be_dyndns.c | 1368 + src/providers/be_dyndns.h | 143 + src/providers/be_ptask.c | 484 + src/providers/be_ptask.h | 131 + src/providers/be_ptask_private.h | 48 + src/providers/be_refresh.c | 341 + src/providers/be_refresh.h | 71 + src/providers/data_provider.h | 336 + src/providers/data_provider/dp.c | 135 + src/providers/data_provider/dp.h | 204 + src/providers/data_provider/dp_builtin.c | 118 + src/providers/data_provider/dp_builtin.h | 50 + src/providers/data_provider/dp_client.c | 259 + src/providers/data_provider/dp_custom_data.h | 79 + src/providers/data_provider/dp_flags.h | 29 + src/providers/data_provider/dp_iface.c | 70 + src/providers/data_provider/dp_iface.h | 100 + src/providers/data_provider/dp_iface.xml | 90 + .../data_provider/dp_iface_backend.c | 60 + .../data_provider/dp_iface_failover.c | 345 + .../data_provider/dp_iface_generated.c | 486 + 
.../data_provider/dp_iface_generated.h | 157 + src/providers/data_provider/dp_methods.c | 128 + src/providers/data_provider/dp_modules.c | 224 + src/providers/data_provider/dp_private.h | 248 + src/providers/data_provider/dp_reply_std.c | 131 + src/providers/data_provider/dp_request.c | 465 + src/providers/data_provider/dp_request.h | 77 + .../data_provider/dp_request_reply.c | 372 + .../data_provider/dp_request_table.c | 263 + src/providers/data_provider/dp_resp_client.c | 236 + .../data_provider/dp_responder_iface.h | 29 + src/providers/data_provider/dp_sbus.c | 46 + src/providers/data_provider/dp_target_auth.c | 322 + .../data_provider/dp_target_autofs.c | 55 + .../data_provider/dp_target_hostid.c | 63 + src/providers/data_provider/dp_target_id.c | 672 + .../data_provider/dp_target_subdomains.c | 50 + src/providers/data_provider/dp_target_sudo.c | 199 + src/providers/data_provider/dp_targets.c | 466 + src/providers/data_provider_be.c | 682 + src/providers/data_provider_callbacks.c | 306 + src/providers/data_provider_fo.c | 894 + src/providers/data_provider_opts.c | 474 + src/providers/data_provider_req.c | 53 + src/providers/data_provider_req.h | 50 + src/providers/dp_auth_util.c | 323 + src/providers/dp_pam_data_util.c | 198 + src/providers/fail_over.c | 1752 + src/providers/fail_over.h | 227 + src/providers/fail_over_srv.c | 719 + src/providers/fail_over_srv.h | 133 + src/providers/files/files_id.c | 179 + src/providers/files/files_init.c | 226 + src/providers/files/files_ops.c | 964 + src/providers/files/files_private.h | 74 + src/providers/ipa/ipa_access.c | 761 + src/providers/ipa/ipa_access.h | 76 + src/providers/ipa/ipa_auth.c | 459 + src/providers/ipa/ipa_auth.h | 42 + src/providers/ipa/ipa_autofs.c | 55 + src/providers/ipa/ipa_common.c | 1318 + src/providers/ipa/ipa_common.h | 304 + src/providers/ipa/ipa_config.c | 157 + src/providers/ipa/ipa_config.h | 53 + src/providers/ipa/ipa_deskprofile_config.c | 156 + src/providers/ipa/ipa_deskprofile_config.h | 
45 + src/providers/ipa/ipa_deskprofile_private.h | 50 + src/providers/ipa/ipa_deskprofile_rules.c | 367 + src/providers/ipa/ipa_deskprofile_rules.h | 43 + .../ipa/ipa_deskprofile_rules_util.c | 1149 + .../ipa/ipa_deskprofile_rules_util.h | 74 + src/providers/ipa/ipa_dn.c | 145 + src/providers/ipa/ipa_dn.h | 43 + src/providers/ipa/ipa_dyndns.c | 256 + src/providers/ipa/ipa_dyndns.h | 38 + src/providers/ipa/ipa_hbac_common.c | 748 + src/providers/ipa/ipa_hbac_hosts.c | 335 + src/providers/ipa/ipa_hbac_private.h | 132 + src/providers/ipa/ipa_hbac_rules.c | 313 + src/providers/ipa/ipa_hbac_rules.h | 41 + src/providers/ipa/ipa_hbac_services.c | 686 + src/providers/ipa/ipa_hbac_users.c | 368 + src/providers/ipa/ipa_hostid.c | 30 + src/providers/ipa/ipa_hosts.c | 365 + src/providers/ipa/ipa_hosts.h | 44 + src/providers/ipa/ipa_id.c | 1459 + src/providers/ipa/ipa_id.h | 146 + src/providers/ipa/ipa_idmap.c | 345 + src/providers/ipa/ipa_init.c | 950 + src/providers/ipa/ipa_netgroups.c | 1026 + src/providers/ipa/ipa_opts.c | 397 + src/providers/ipa/ipa_opts.h | 69 + src/providers/ipa/ipa_rules_common.c | 455 + src/providers/ipa/ipa_rules_common.h | 89 + src/providers/ipa/ipa_s2n_exop.c | 2935 ++ src/providers/ipa/ipa_selinux.c | 1698 + src/providers/ipa/ipa_selinux.h | 50 + src/providers/ipa/ipa_selinux_maps.c | 222 + src/providers/ipa/ipa_selinux_maps.h | 45 + src/providers/ipa/ipa_session.c | 866 + src/providers/ipa/ipa_session.h | 54 + src/providers/ipa/ipa_srv.c | 224 + src/providers/ipa/ipa_srv.h | 48 + src/providers/ipa/ipa_subdomains.c | 3147 ++ src/providers/ipa/ipa_subdomains.h | 151 + src/providers/ipa/ipa_subdomains_ext_groups.c | 1212 + src/providers/ipa/ipa_subdomains_id.c | 1754 + src/providers/ipa/ipa_subdomains_server.c | 1191 + src/providers/ipa/ipa_subdomains_utils.c | 100 + src/providers/ipa/ipa_sudo.c | 322 + src/providers/ipa/ipa_sudo.h | 131 + src/providers/ipa/ipa_sudo_async.c | 1137 + src/providers/ipa/ipa_sudo_conversion.c | 1338 + 
src/providers/ipa/ipa_sudo_refresh.c | 460 + src/providers/ipa/ipa_utils.c | 63 + src/providers/ipa/ipa_views.c | 533 + src/providers/ipa/selinux_child.c | 411 + src/providers/krb5/krb5_access.c | 219 + src/providers/krb5/krb5_auth.c | 1338 + src/providers/krb5/krb5_auth.h | 155 + src/providers/krb5/krb5_ccache.c | 789 + src/providers/krb5/krb5_ccache.h | 73 + src/providers/krb5/krb5_child.c | 3404 ++ src/providers/krb5/krb5_child_handler.c | 785 + src/providers/krb5/krb5_common.c | 1151 + src/providers/krb5/krb5_common.h | 236 + .../krb5/krb5_delayed_online_authentication.c | 388 + src/providers/krb5/krb5_init.c | 234 + src/providers/krb5/krb5_init_shared.c | 103 + src/providers/krb5/krb5_init_shared.h | 29 + src/providers/krb5/krb5_keytab.c | 228 + src/providers/krb5/krb5_opts.c | 47 + src/providers/krb5/krb5_opts.h | 30 + src/providers/krb5/krb5_renew_tgt.c | 633 + src/providers/krb5/krb5_utils.c | 605 + src/providers/krb5/krb5_utils.h | 59 + src/providers/krb5/krb5_wait_queue.c | 375 + src/providers/ldap/ldap_access.c | 128 + src/providers/ldap/ldap_auth.c | 1344 + src/providers/ldap/ldap_auth.h | 46 + src/providers/ldap/ldap_child.c | 756 + src/providers/ldap/ldap_common.c | 886 + src/providers/ldap/ldap_common.h | 373 + src/providers/ldap/ldap_id.c | 1898 + src/providers/ldap/ldap_id_cleanup.c | 498 + src/providers/ldap/ldap_id_enum.c | 197 + src/providers/ldap/ldap_id_netgroup.c | 247 + src/providers/ldap/ldap_id_services.c | 307 + src/providers/ldap/ldap_init.c | 685 + src/providers/ldap/ldap_options.c | 845 + src/providers/ldap/ldap_opts.c | 393 + src/providers/ldap/ldap_opts.h | 65 + src/providers/ldap/sdap.c | 1782 + src/providers/ldap/sdap.h | 676 + src/providers/ldap/sdap_access.c | 2045 + src/providers/ldap/sdap_access.h | 101 + src/providers/ldap/sdap_ad_groups.c | 68 + src/providers/ldap/sdap_async.c | 2817 ++ src/providers/ldap/sdap_async.h | 413 + src/providers/ldap/sdap_async_ad.h | 59 + src/providers/ldap/sdap_async_autofs.c | 958 + 
src/providers/ldap/sdap_async_connection.c | 2290 + src/providers/ldap/sdap_async_enum.c | 771 + src/providers/ldap/sdap_async_enum.h | 49 + src/providers/ldap/sdap_async_groups.c | 2649 ++ src/providers/ldap/sdap_async_groups_ad.c | 249 + src/providers/ldap/sdap_async_hosts.c | 209 + src/providers/ldap/sdap_async_initgroups.c | 3594 ++ src/providers/ldap/sdap_async_initgroups_ad.c | 2000 + src/providers/ldap/sdap_async_nested_groups.c | 2887 ++ src/providers/ldap/sdap_async_netgroups.c | 778 + src/providers/ldap/sdap_async_private.h | 187 + src/providers/ldap/sdap_async_services.c | 646 + src/providers/ldap/sdap_async_sudo.c | 693 + src/providers/ldap/sdap_async_sudo_hostinfo.c | 516 + src/providers/ldap/sdap_async_users.c | 1208 + src/providers/ldap/sdap_autofs.c | 321 + src/providers/ldap/sdap_autofs.h | 47 + src/providers/ldap/sdap_certmap.c | 152 + src/providers/ldap/sdap_child_helpers.c | 522 + src/providers/ldap/sdap_domain.c | 202 + src/providers/ldap/sdap_dyndns.c | 922 + src/providers/ldap/sdap_dyndns.h | 61 + src/providers/ldap/sdap_fd_events.c | 323 + src/providers/ldap/sdap_hostid.c | 324 + src/providers/ldap/sdap_hostid.h | 40 + src/providers/ldap/sdap_id_op.c | 892 + src/providers/ldap/sdap_id_op.h | 76 + src/providers/ldap/sdap_idmap.c | 619 + src/providers/ldap/sdap_idmap.h | 63 + src/providers/ldap/sdap_online_check.c | 249 + src/providers/ldap/sdap_ops.c | 547 + src/providers/ldap/sdap_ops.h | 97 + src/providers/ldap/sdap_range.c | 142 + src/providers/ldap/sdap_range.h | 34 + src/providers/ldap/sdap_refresh.c | 291 + src/providers/ldap/sdap_reinit.c | 335 + src/providers/ldap/sdap_sudo.c | 220 + src/providers/ldap/sdap_sudo.h | 102 + src/providers/ldap/sdap_sudo_refresh.c | 469 + src/providers/ldap/sdap_sudo_shared.c | 202 + src/providers/ldap/sdap_sudo_shared.h | 40 + src/providers/ldap/sdap_users.h | 41 + src/providers/ldap/sdap_utils.c | 235 + src/providers/proxy/proxy.h | 193 + src/providers/proxy/proxy_auth.c | 860 + 
src/providers/proxy/proxy_child.c | 621 + src/providers/proxy/proxy_client.c | 178 + src/providers/proxy/proxy_id.c | 1786 + src/providers/proxy/proxy_iface.xml | 17 + src/providers/proxy/proxy_iface_generated.c | 83 + src/providers/proxy/proxy_iface_generated.h | 72 + src/providers/proxy/proxy_init.c | 406 + src/providers/proxy/proxy_netgroup.c | 206 + src/providers/proxy/proxy_services.c | 373 + src/providers/simple/simple_access.c | 332 + src/providers/simple/simple_access.h | 47 + src/providers/simple/simple_access_check.c | 847 + src/providers/simple/simple_access_pvt.h | 43 + src/providers/sssd_be.exports | 4 + src/python/pyhbac.c | 1998 + src/python/pysss.c | 1173 + src/python/pysss_murmur.c | 98 + src/python/pysss_nss_idmap.c | 599 + src/resolv/async_resolv.c | 2511 ++ src/resolv/async_resolv.h | 224 + src/resolv/async_resolv_utils.c | 343 + src/responder/autofs/autofs_private.h | 107 + src/responder/autofs/autofssrv.c | 252 + src/responder/autofs/autofssrv_cmd.c | 1527 + src/responder/autofs/autofssrv_dp.c | 150 + src/responder/common/cache_req/cache_req.c | 1559 + src/responder/common/cache_req/cache_req.h | 428 + .../common/cache_req/cache_req_data.c | 379 + .../common/cache_req/cache_req_domain.c | 299 + .../common/cache_req/cache_req_domain.h | 62 + .../common/cache_req/cache_req_plugin.h | 318 + .../common/cache_req/cache_req_private.h | 198 + .../common/cache_req/cache_req_result.c | 274 + .../common/cache_req/cache_req_search.c | 585 + .../common/cache_req/cache_req_sr_overlay.c | 328 + .../cache_req/plugins/cache_req_common.c | 177 + .../cache_req/plugins/cache_req_enum_groups.c | 114 + .../cache_req/plugins/cache_req_enum_svc.c | 106 + .../cache_req/plugins/cache_req_enum_users.c | 114 + .../plugins/cache_req_group_by_filter.c | 162 + .../cache_req/plugins/cache_req_group_by_id.c | 244 + .../plugins/cache_req_group_by_name.c | 227 + .../plugins/cache_req_host_by_name.c | 131 + .../plugins/cache_req_initgroups_by_name.c | 242 + 
.../plugins/cache_req_initgroups_by_upn.c | 130 + .../plugins/cache_req_netgroup_by_name.c | 160 + .../plugins/cache_req_object_by_id.c | 234 + .../plugins/cache_req_object_by_name.c | 238 + .../plugins/cache_req_object_by_sid.c | 153 + .../cache_req/plugins/cache_req_svc_by_name.c | 185 + .../cache_req/plugins/cache_req_svc_by_port.c | 159 + .../plugins/cache_req_user_by_cert.c | 127 + .../plugins/cache_req_user_by_filter.c | 162 + .../cache_req/plugins/cache_req_user_by_id.c | 244 + .../plugins/cache_req_user_by_name.c | 256 + .../cache_req/plugins/cache_req_user_by_upn.c | 135 + src/responder/common/data_provider/rdp.h | 80 + .../common/data_provider/rdp_client.c | 55 + .../common/data_provider/rdp_message.c | 308 + src/responder/common/iface/responder_domain.c | 73 + src/responder/common/iface/responder_iface.c | 43 + src/responder/common/iface/responder_iface.h | 42 + .../common/iface/responder_iface.xml | 19 + .../common/iface/responder_iface_generated.c | 121 + .../common/iface/responder_iface_generated.h | 85 + src/responder/common/iface/responder_ncache.c | 41 + src/responder/common/negcache.c | 1267 + src/responder/common/negcache.h | 165 + src/responder/common/negcache_files.c | 112 + src/responder/common/negcache_files.h | 31 + src/responder/common/responder.h | 492 + src/responder/common/responder_cmd.c | 302 + src/responder/common/responder_common.c | 1892 + src/responder/common/responder_dp.c | 941 + src/responder/common/responder_dp_ssh.c | 159 + src/responder/common/responder_get_domains.c | 799 + src/responder/common/responder_packet.c | 326 + src/responder/common/responder_packet.h | 45 + src/responder/common/responder_sbus.h | 46 + src/responder/common/responder_utils.c | 488 + src/responder/ifp/ifp_cache.c | 344 + src/responder/ifp/ifp_cache.h | 59 + src/responder/ifp/ifp_components.c | 661 + src/responder/ifp/ifp_components.h | 70 + src/responder/ifp/ifp_domains.c | 654 + src/responder/ifp/ifp_domains.h | 114 + src/responder/ifp/ifp_groups.c | 
1031 + src/responder/ifp/ifp_groups.h | 98 + src/responder/ifp/ifp_iface.c | 175 + src/responder/ifp/ifp_iface.h | 40 + src/responder/ifp/ifp_iface.xml | 234 + src/responder/ifp/ifp_iface_generated.c | 1346 + src/responder/ifp/ifp_iface_generated.h | 385 + src/responder/ifp/ifp_iface_nodes.c | 170 + src/responder/ifp/ifp_private.h | 117 + src/responder/ifp/ifp_users.c | 1559 + src/responder/ifp/ifp_users.h | 135 + src/responder/ifp/ifpsrv.c | 417 + src/responder/ifp/ifpsrv_cmd.c | 703 + src/responder/ifp/ifpsrv_util.c | 522 + .../ifp/org.freedesktop.sssd.infopipe.conf | 47 + .../ifp/org.freedesktop.sssd.infopipe.service | 5 + .../org.freedesktop.sssd.infopipe.service.in | 5 + src/responder/kcm/kcm.c | 321 + src/responder/kcm/kcm.h | 97 + src/responder/kcm/kcmsrv_ccache.c | 1432 + src/responder/kcm/kcmsrv_ccache.h | 351 + src/responder/kcm/kcmsrv_ccache_be.h | 205 + src/responder/kcm/kcmsrv_ccache_json.c | 957 + src/responder/kcm/kcmsrv_ccache_mem.c | 827 + src/responder/kcm/kcmsrv_ccache_pvt.h | 62 + src/responder/kcm/kcmsrv_ccache_secrets.c | 2172 + src/responder/kcm/kcmsrv_cmd.c | 656 + src/responder/kcm/kcmsrv_op_queue.c | 326 + src/responder/kcm/kcmsrv_ops.c | 1987 + src/responder/kcm/kcmsrv_ops.h | 46 + src/responder/kcm/kcmsrv_pvt.h | 101 + src/responder/nss/nss_cmd.c | 1285 + src/responder/nss/nss_enum.c | 365 + src/responder/nss/nss_get_object.c | 286 + src/responder/nss/nss_iface.c | 234 + src/responder/nss/nss_iface.h | 30 + src/responder/nss/nss_iface.xml | 21 + src/responder/nss/nss_iface_generated.c | 149 + src/responder/nss/nss_iface_generated.h | 79 + src/responder/nss/nss_private.h | 150 + src/responder/nss/nss_protocol.c | 442 + src/responder/nss/nss_protocol.h | 204 + src/responder/nss/nss_protocol_grent.c | 416 + src/responder/nss/nss_protocol_netgr.c | 210 + src/responder/nss/nss_protocol_pwent.c | 332 + src/responder/nss/nss_protocol_sid.c | 641 + src/responder/nss/nss_protocol_svcent.c | 270 + src/responder/nss/nss_utils.c | 38 + 
src/responder/nss/nsssrv.c | 486 + src/responder/nss/nsssrv_mmap_cache.c | 1426 + src/responder/nss/nsssrv_mmap_cache.h | 78 + src/responder/pac/pacsrv.c | 271 + src/responder/pac/pacsrv.h | 42 + src/responder/pac/pacsrv_cmd.c | 295 + src/responder/pam/pam_LOCAL_domain.c | 351 + src/responder/pam/pam_helpers.c | 156 + src/responder/pam/pam_helpers.h | 40 + src/responder/pam/pamsrv.c | 454 + src/responder/pam/pamsrv.h | 132 + src/responder/pam/pamsrv_cmd.c | 2311 + src/responder/pam/pamsrv_dp.c | 164 + src/responder/pam/pamsrv_p11.c | 1030 + src/responder/secrets/local.c | 1170 + src/responder/secrets/providers.c | 693 + src/responder/secrets/proxy.c | 598 + src/responder/secrets/secsrv.c | 386 + src/responder/secrets/secsrv.h | 59 + src/responder/secrets/secsrv_cmd.c | 618 + src/responder/secrets/secsrv_local.h | 28 + src/responder/secrets/secsrv_private.h | 160 + src/responder/secrets/secsrv_proxy.h | 28 + src/responder/ssh/ssh_cmd.c | 256 + src/responder/ssh/ssh_known_hosts.c | 329 + src/responder/ssh/ssh_private.h | 84 + src/responder/ssh/ssh_protocol.c | 252 + src/responder/ssh/ssh_reply.c | 408 + src/responder/ssh/sshsrv.c | 256 + src/responder/sudo/sudosrv.c | 269 + src/responder/sudo/sudosrv_cmd.c | 302 + src/responder/sudo/sudosrv_dp.c | 228 + src/responder/sudo/sudosrv_get_sudorules.c | 793 + src/responder/sudo/sudosrv_private.h | 112 + src/responder/sudo/sudosrv_query.c | 307 + src/sbus/sbus_client.c | 79 + src/sbus/sbus_client.h | 34 + src/sbus/sbus_codegen | 831 + src/sbus/sssd_dbus.h | 454 + src/sbus/sssd_dbus_common.c | 381 + src/sbus/sssd_dbus_common_signals.c | 91 + src/sbus/sssd_dbus_connection.c | 615 + src/sbus/sssd_dbus_errors.h | 34 + src/sbus/sssd_dbus_interface.c | 1050 + src/sbus/sssd_dbus_introspect.c | 407 + src/sbus/sssd_dbus_invokers.c | 583 + src/sbus/sssd_dbus_invokers.h | 124 + src/sbus/sssd_dbus_meta.c | 67 + src/sbus/sssd_dbus_meta.h | 107 + src/sbus/sssd_dbus_private.h | 188 + src/sbus/sssd_dbus_properties.c | 348 + 
src/sbus/sssd_dbus_request.c | 585 + src/sbus/sssd_dbus_server.c | 400 + src/sbus/sssd_dbus_signals.c | 262 + src/sbus/sssd_dbus_utils.c | 277 + src/sbus/sssd_dbus_utils.h | 71 + src/shared/io.h | 33 + src/shared/murmurhash3.h | 21 + src/shared/safealign.h | 146 + src/sss_client/COPYING | 674 + src/sss_client/COPYING.LESSER | 165 + src/sss_client/autofs/autofs_test_client.c | 130 + src/sss_client/autofs/sss_autofs.c | 478 + src/sss_client/autofs/sss_autofs.exports | 14 + src/sss_client/autofs/sss_autofs_private.h | 45 + src/sss_client/common.c | 1223 + src/sss_client/common_private.h | 41 + src/sss_client/idmap/common_ex.c | 107 + src/sss_client/idmap/sss_nss_ex.c | 531 + src/sss_client/idmap/sss_nss_idmap.c | 613 + src/sss_client/idmap/sss_nss_idmap.doxy.in | 1539 + src/sss_client/idmap/sss_nss_idmap.exports | 59 + src/sss_client/idmap/sss_nss_idmap.h | 487 + src/sss_client/idmap/sss_nss_idmap.pc.in | 11 + src/sss_client/idmap/sss_nss_idmap.unit_tests | 6 + src/sss_client/idmap/sss_nss_idmap_private.h | 30 + src/sss_client/krb5_authdata_int.h | 185 + src/sss_client/libwbclient/libwbclient.h | 46 + src/sss_client/libwbclient/wbc_ctx_sssd.c | 403 + src/sss_client/libwbclient/wbc_err_internal.h | 44 + src/sss_client/libwbclient/wbc_guid.c | 100 + src/sss_client/libwbclient/wbc_idmap_common.c | 89 + src/sss_client/libwbclient/wbc_idmap_sssd.c | 230 + src/sss_client/libwbclient/wbc_pam_sssd.c | 183 + src/sss_client/libwbclient/wbc_pwd_sssd.c | 659 + src/sss_client/libwbclient/wbc_sid_common.c | 199 + src/sss_client/libwbclient/wbc_sid_sssd.c | 289 + .../libwbclient/wbc_sssd_internal.h | 41 + src/sss_client/libwbclient/wbc_util_common.c | 97 + src/sss_client/libwbclient/wbc_util_sssd.c | 160 + src/sss_client/libwbclient/wbclient.exports | 155 + src/sss_client/libwbclient/wbclient_common.c | 178 + .../libwbclient/wbclient_internal.h | 44 + src/sss_client/libwbclient/wbclient_sssd.c | 40 + src/sss_client/libwbclient/wbclient_sssd.h | 2069 + 
.../libwbclient/wbclient_sssd.pc.in | 11 + src/sss_client/nfs/nfsidmap_internal.h | 78 + src/sss_client/nfs/sss_nfs_client.c | 577 + src/sss_client/nss_common.h | 43 + src/sss_client/nss_compat.h | 67 + src/sss_client/nss_group.c | 752 + src/sss_client/nss_mc.h | 93 + src/sss_client/nss_mc_common.c | 383 + src/sss_client/nss_mc_group.c | 250 + src/sss_client/nss_mc_initgr.c | 164 + src/sss_client/nss_mc_passwd.c | 243 + src/sss_client/nss_netgroup.c | 326 + src/sss_client/nss_passwd.c | 472 + src/sss_client/nss_services.c | 501 + src/sss_client/pam_message.c | 179 + src/sss_client/pam_message.h | 71 + src/sss_client/pam_sss.c | 2653 ++ src/sss_client/ssh/sss_ssh_authorizedkeys.c | 126 + src/sss_client/ssh/sss_ssh_client.c | 265 + src/sss_client/ssh/sss_ssh_client.h | 41 + src/sss_client/ssh/sss_ssh_knownhostsproxy.c | 352 + src/sss_client/sss_cli.h | 673 + src/sss_client/sss_nss.exports | 73 + src/sss_client/sss_pac_responder_client.c | 137 + src/sss_client/sss_pam.exports | 4 + src/sss_client/sss_pam_compat.h | 45 + src/sss_client/sss_pam_macros.h | 61 + src/sss_client/sss_sudo.exports | 16 + src/sss_client/sssd_pac.c | 325 + src/sss_client/sudo/sss_sudo.c | 251 + src/sss_client/sudo/sss_sudo.h | 195 + src/sss_client/sudo/sss_sudo_private.h | 33 + src/sss_client/sudo/sss_sudo_response.c | 257 + src/sss_client/sudo_testcli/sudo_testcli.c | 159 + src/systemtap/sssd.stp.in | 274 + src/systemtap/sssd_functions.stp | 134 + src/systemtap/sssd_probes.d | 73 + src/sysv/SUSE/sssd.in | 77 + src/sysv/gentoo/sssd.in | 18 + src/sysv/sssd.in | 148 + src/sysv/systemd/sssd-autofs.service.in | 19 + src/sysv/systemd/sssd-autofs.socket.in | 16 + src/sysv/systemd/sssd-ifp.service.in | 13 + src/sysv/systemd/sssd-kcm.service.in | 12 + src/sysv/systemd/sssd-kcm.socket.in | 10 + src/sysv/systemd/sssd-nss.service.in | 15 + src/sysv/systemd/sssd-nss.socket.in | 15 + src/sysv/systemd/sssd-pac.service.in | 19 + src/sysv/systemd/sssd-pac.socket.in | 16 + 
src/sysv/systemd/sssd-pam-priv.socket.in | 19 + src/sysv/systemd/sssd-pam.service.in | 19 + src/sysv/systemd/sssd-pam.socket.in | 17 + src/sysv/systemd/sssd-secrets.service.in | 12 + src/sysv/systemd/sssd-secrets.socket.in | 9 + src/sysv/systemd/sssd-ssh.service.in | 19 + src/sysv/systemd/sssd-ssh.socket.in | 16 + src/sysv/systemd/sssd-sudo.service.in | 19 + src/sysv/systemd/sssd-sudo.socket.in | 16 + src/sysv/systemd/sssd.service.in | 16 + src/tests/ad_ldap_opt-tests.c | 109 + src/tests/auth-tests.c | 345 + src/tests/check_and_open-tests.c | 257 + src/tests/cmocka/common_mock.h | 56 + src/tests/cmocka/common_mock_be.c | 39 + src/tests/cmocka/common_mock_be.h | 30 + src/tests/cmocka/common_mock_krb5.c | 103 + src/tests/cmocka/common_mock_krb5.h | 47 + src/tests/cmocka/common_mock_resp.c | 92 + src/tests/cmocka/common_mock_resp.h | 67 + src/tests/cmocka/common_mock_resp_dp.c | 204 + src/tests/cmocka/common_mock_sdap.c | 139 + src/tests/cmocka/common_mock_sdap.h | 40 + src/tests/cmocka/common_mock_sysdb_objects.c | 203 + src/tests/cmocka/common_mock_sysdb_objects.h | 51 + src/tests/cmocka/data_provider/mock_dp.c | 121 + src/tests/cmocka/data_provider/mock_dp.h | 42 + .../cmocka/data_provider/test_dp_builtin.c | 191 + .../cmocka/data_provider/test_dp_request.c | 469 + .../data_provider/test_dp_request_table.c | 356 + src/tests/cmocka/dummy_child.c | 140 + src/tests/cmocka/sbus_internal_tests.c | 267 + src/tests/cmocka/sss_nss_idmap-tests.c | 160 + src/tests/cmocka/test_ad_access_filter.c | 361 + src/tests/cmocka/test_ad_common.c | 1045 + src/tests/cmocka/test_ad_gpo.c | 389 + src/tests/cmocka/test_ad_subdomains.c | 328 + src/tests/cmocka/test_authtok.c | 710 + src/tests/cmocka/test_be_ptask.c | 1021 + src/tests/cmocka/test_cert_utils.c | 631 + src/tests/cmocka/test_certmap.c | 1615 + src/tests/cmocka/test_child_common.c | 560 + src/tests/cmocka/test_config_check.c | 308 + src/tests/cmocka/test_copy_ccache.c | 240 + src/tests/cmocka/test_copy_keytab.c | 310 + 
src/tests/cmocka/test_data_provider_be.c | 258 + src/tests/cmocka/test_deskprofile_utils.c | 162 + .../cmocka/test_domain_resolution_order.c | 228 + src/tests/cmocka/test_dp_opts.c | 528 + src/tests/cmocka/test_dyndns.c | 1085 + src/tests/cmocka/test_expire_common.c | 131 + src/tests/cmocka/test_expire_common.h | 39 + src/tests/cmocka/test_find_uid.c | 105 + src/tests/cmocka/test_fo_srv.c | 809 + src/tests/cmocka/test_fqnames.c | 528 + src/tests/cmocka/test_ifp.c | 448 + src/tests/cmocka/test_inotify.c | 582 + src/tests/cmocka/test_io.c | 243 + src/tests/cmocka/test_iobuf.c | 195 + src/tests/cmocka/test_ipa_dn.c | 235 + src/tests/cmocka/test_ipa_idmap.c | 251 + src/tests/cmocka/test_ipa_subdomains_server.c | 1005 + src/tests/cmocka/test_ipa_subdomains_utils.c | 227 + src/tests/cmocka/test_kcm_json_marshalling.c | 309 + src/tests/cmocka/test_kcm_queue.c | 365 + src/tests/cmocka/test_krb5_common.c | 297 + src/tests/cmocka/test_krb5_wait_queue.c | 365 + src/tests/cmocka/test_ldap_auth.c | 102 + src/tests/cmocka/test_ldap_id_cleanup.c | 342 + src/tests/cmocka/test_negcache.c | 998 + src/tests/cmocka/test_nested_groups.c | 1335 + src/tests/cmocka/test_nss_srv.c | 5161 +++ src/tests/cmocka/test_pam_srv.c | 2942 ++ src/tests/cmocka/test_resolv_fake.c | 401 + src/tests/cmocka/test_responder_cache_req.c | 4114 ++ src/tests/cmocka/test_responder_common.c | 399 + src/tests/cmocka/test_sbus_opath.c | 310 + src/tests/cmocka/test_sdap.c | 1221 + src/tests/cmocka/test_sdap_access.c | 264 + src/tests/cmocka/test_sdap_access.h | 36 + src/tests/cmocka/test_sdap_certmap.c | 244 + src/tests/cmocka/test_sdap_initgr.c | 540 + src/tests/cmocka/test_search_bases.c | 191 + src/tests/cmocka/test_simple_access.c | 836 + src/tests/cmocka/test_ssh_srv.c | 658 + src/tests/cmocka/test_sss_idmap.c | 781 + src/tests/cmocka/test_sss_sifp.c | 2250 + src/tests/cmocka/test_sss_ssh.c | 100 + .../cmocka/test_sssd_krb5_localauth_plugin.c | 197 + .../cmocka/test_sssd_krb5_locator_plugin.c | 631 + 
src/tests/cmocka/test_string_utils.c | 271 + src/tests/cmocka/test_sysdb_certmap.c | 261 + .../test_sysdb_domain_resolution_order.c | 190 + src/tests/cmocka/test_sysdb_subdomains.c | 605 + src/tests/cmocka/test_sysdb_sudo.c | 1056 + src/tests/cmocka/test_sysdb_ts_cache.c | 1493 + src/tests/cmocka/test_sysdb_utils.c | 178 + src/tests/cmocka/test_sysdb_views.c | 1129 + src/tests/cmocka/test_tools_colondb.c | 417 + src/tests/cmocka/test_utils.c | 1978 + src/tests/cmocka/test_utils.h | 36 + src/tests/cmocka/test_wbc_calls.c | 122 + .../wrap_sss_nss_make_request_timeout.c | 37 + src/tests/common.c | 141 + src/tests/common.h | 156 + src/tests/common_check.c | 40 + src/tests/common_check.h | 36 + src/tests/common_dbus.c | 199 + src/tests/common_dom.c | 429 + src/tests/common_tev.c | 91 + src/tests/crypto-tests.c | 296 + src/tests/cwrap/Makefile.am | 219 + src/tests/cwrap/Makefile.in | 3293 ++ src/tests/cwrap/cwrap_test_setup.sh | 19 + src/tests/cwrap/group | 2 + src/tests/cwrap/passwd | 2 + src/tests/cwrap/test_become_user.c | 165 + src/tests/cwrap/test_negcache.c | 741 + src/tests/cwrap/test_responder_common.c | 237 + src/tests/cwrap/test_server.c | 210 + src/tests/cwrap/test_usertools.c | 106 + src/tests/debug-tests.c | 704 + src/tests/dlopen-tests.c | 270 + src/tests/double_semicolon_test | 38 + src/tests/fail_over-tests.c | 336 + src/tests/files-tests.c | 475 + src/tests/find_uid-tests.c | 129 + src/tests/intg/Makefile.am | 144 + src/tests/intg/Makefile.in | 1087 + src/tests/intg/__init__.py | 13 + src/tests/intg/config.py.m4 | 24 + src/tests/intg/cwrap-dbus-system.conf | 83 + src/tests/intg/data/ad_data.ldif | 815 + src/tests/intg/data/ad_schema.ldif | 42 + src/tests/intg/data/cwrap-dbus-system.conf.in | 83 + src/tests/intg/data/sudo_schema.ldif | 11 + src/tests/intg/ds.py | 58 + src/tests/intg/ds_openldap.py | 390 + src/tests/intg/ent.py | 505 + src/tests/intg/ent_test.py | 424 + src/tests/intg/files_ops.py | 159 + src/tests/intg/getsockopt_wrapper.c | 59 + 
src/tests/intg/kdc.py | 175 + src/tests/intg/krb5utils.py | 160 + src/tests/intg/ldap_ent.py | 188 + src/tests/intg/ldap_local_override_test.py | 1120 + src/tests/intg/secrets.py | 137 + src/tests/intg/sssd_group.py | 131 + src/tests/intg/sssd_id.py | 129 + src/tests/intg/sssd_ldb.py | 96 + src/tests/intg/sssd_netgroup.py | 247 + src/tests/intg/sssd_nss.py | 46 + src/tests/intg/sssd_passwd.py | 209 + src/tests/intg/test_enumeration.py | 771 + src/tests/intg/test_files_ops.py | 84 + src/tests/intg/test_files_provider.py | 1235 + src/tests/intg/test_infopipe.py | 547 + src/tests/intg/test_kcm.py | 516 + src/tests/intg/test_ldap.py | 1802 + src/tests/intg/test_local_domain.py | 276 + src/tests/intg/test_memory_cache.py | 920 + src/tests/intg/test_netgroup.py | 511 + src/tests/intg/test_pac_responder.py | 120 + src/tests/intg/test_pam_responder.py | 130 + src/tests/intg/test_pysss_nss_idmap.py | 290 + src/tests/intg/test_secrets.py | 688 + src/tests/intg/test_session_recording.py | 1001 + src/tests/intg/test_ssh_pubkey.py | 290 + src/tests/intg/test_sssctl.py | 381 + src/tests/intg/test_sudo.py | 280 + src/tests/intg/test_ts_cache.py | 678 + src/tests/intg/util.py | 87 + src/tests/ipa_hbac-tests.c | 884 + src/tests/ipa_ldap_opt-tests.c | 553 + src/tests/krb5_child-test.c | 545 + src/tests/krb5_proxy_check_test_data.conf | 8 + src/tests/krb5_utils-tests.c | 819 + src/tests/leak_check.c | 147 + src/tests/pyhbac-test.py | 567 + src/tests/pyhbac-test.py2.sh | 5 + src/tests/pyhbac-test.py3.sh | 5 + src/tests/pysss_murmur-test.py | 138 + src/tests/pysss_murmur-test.py2.sh | 5 + src/tests/pysss_murmur-test.py3.sh | 5 + src/tests/python-test.py | 469 + src/tests/refcount-tests.c | 237 + src/tests/resolv-tests.c | 1051 + src/tests/responder_socket_access-tests.c | 178 + src/tests/safe-format-tests.c | 252 + src/tests/sbus_codegen_tests.c | 1563 + src/tests/sbus_codegen_tests.xml | 150 + src/tests/sbus_codegen_tests_generated.c | 637 + src/tests/sbus_codegen_tests_generated.h | 
151 + src/tests/sbus_tests.c | 470 + src/tests/sss_idmap-tests.c | 970 + src/tests/stress-tests.c | 332 + src/tests/strtonum-tests.c | 615 + src/tests/sysdb-tests.c | 7683 ++++ src/tests/sysdb_ssh-tests.c | 425 + src/tests/tcurl_test_tool.c | 382 + src/tests/test_CA/Makefile.am | 136 + src/tests/test_CA/Makefile.in | 831 + src/tests/test_CA/README | 26 + src/tests/test_CA/SSSD_test_CA.config | 47 + src/tests/test_CA/SSSD_test_CA_key.pem | 52 + src/tests/test_CA/SSSD_test_cert_0001.config | 20 + src/tests/test_CA/SSSD_test_cert_0002.config | 19 + src/tests/test_CA/SSSD_test_cert_0003.config | 18 + src/tests/test_CA/SSSD_test_cert_key_0001.pem | 28 + src/tests/test_CA/SSSD_test_cert_key_0002.pem | 28 + src/tests/test_CA/SSSD_test_cert_key_0003.pem | 28 + src/tests/test_ssh_client.c | 138 + src/tests/util-tests.c | 1237 + src/tests/whitespace_test | 50 + src/tools/common/sss_colondb.c | 316 + src/tools/common/sss_colondb.h | 96 + src/tools/common/sss_process.c | 124 + src/tools/common/sss_process.h | 29 + src/tools/common/sss_tools.c | 574 + src/tools/common/sss_tools.h | 113 + src/tools/sss_cache.c | 962 + src/tools/sss_groupadd.c | 166 + src/tools/sss_groupdel.c | 151 + src/tools/sss_groupmod.c | 281 + src/tools/sss_groupshow.c | 775 + src/tools/sss_obfuscate | 123 + src/tools/sss_override.c | 1936 + src/tools/sss_seed.c | 873 + src/tools/sss_signal.c | 38 + src/tools/sss_sync_ops.c | 844 + src/tools/sss_sync_ops.h | 105 + src/tools/sss_useradd.c | 294 + src/tools/sss_userdel.c | 343 + src/tools/sss_usermod.c | 346 + src/tools/sssctl/sssctl.c | 290 + src/tools/sssctl/sssctl.h | 141 + src/tools/sssctl/sssctl_access_report.c | 424 + src/tools/sssctl/sssctl_cache.c | 705 + src/tools/sssctl/sssctl_config.c | 147 + src/tools/sssctl/sssctl_data.c | 335 + src/tools/sssctl/sssctl_domains.c | 403 + src/tools/sssctl/sssctl_logs.c | 371 + src/tools/sssctl/sssctl_sifp.c | 166 + src/tools/sssctl/sssctl_systemd.c | 136 + src/tools/sssctl/sssctl_user_checks.c | 299 + 
.../sssd_check_socket_activated_responders.c | 197 + src/tools/tools_mc_util.c | 404 + src/tools/tools_util.c | 592 + src/tools/tools_util.h | 114 + src/tools/wrappers/sss_debuglevel.in | 4 + src/util/atomic_io.c | 60 + src/util/atomic_io.h | 40 + src/util/auth_utils.h | 44 + src/util/authtok-utils.c | 165 + src/util/authtok-utils.h | 126 + src/util/authtok.c | 775 + src/util/authtok.h | 351 + src/util/backup_file.c | 120 + src/util/become_user.c | 212 + src/util/cert.h | 70 + src/util/cert/cert_common.c | 208 + src/util/cert/cert_common_p11_child.c | 331 + src/util/cert/libcrypto/cert.c | 275 + src/util/cert/nss/cert.c | 337 + src/util/check_and_open.c | 152 + src/util/child_common.c | 833 + src/util/child_common.h | 124 + src/util/crypto/libcrypto/crypto_base64.c | 133 + src/util/crypto/libcrypto/crypto_hmac_sha1.c | 94 + src/util/crypto/libcrypto/crypto_nite.c | 288 + src/util/crypto/libcrypto/crypto_obfuscate.c | 309 + .../crypto/libcrypto/crypto_sha512crypt.c | 393 + src/util/crypto/libcrypto/sss_openssl.h | 39 + src/util/crypto/nss/nss_base64.c | 92 + src/util/crypto/nss/nss_crypto.h | 66 + src/util/crypto/nss/nss_hmac_sha1.c | 90 + src/util/crypto/nss/nss_nite.c | 303 + src/util/crypto/nss/nss_obfuscate.c | 328 + src/util/crypto/nss/nss_sha512crypt.c | 388 + src/util/crypto/nss/nss_util.c | 284 + src/util/crypto/nss/nss_util.h | 28 + src/util/crypto/sss_crypto.c | 51 + src/util/crypto/sss_crypto.h | 74 + src/util/debug.c | 510 + src/util/debug.h | 161 + src/util/dlinklist.h | 155 + src/util/domain_info_utils.c | 936 + src/util/files.c | 886 + src/util/find_uid.c | 352 + src/util/find_uid.h | 36 + src/util/inotify.c | 563 + src/util/inotify.h | 61 + src/util/io.c | 98 + src/util/memory.c | 68 + src/util/mmap_cache.h | 155 + src/util/murmurhash3.c | 116 + src/util/nscd.c | 223 + src/util/probes.h | 46 + src/util/refcount.c | 92 + src/util/refcount.h | 63 + src/util/safe-format-string.c | 309 + src/util/safe-format-string.h | 81 + src/util/selinux.c | 83 + 
src/util/server.c | 730 + src/util/session_recording.c | 113 + src/util/session_recording.h | 76 + src/util/signal.c | 89 + src/util/sss_cli_cmd.c | 238 + src/util/sss_cli_cmd.h | 28 + src/util/sss_endian.h | 57 + src/util/sss_format.h | 66 + src/util/sss_ini.c | 761 + src/util/sss_ini.h | 101 + src/util/sss_iobuf.c | 313 + src/util/sss_iobuf.h | 151 + src/util/sss_krb5.c | 1351 + src/util/sss_krb5.h | 200 + src/util/sss_ldap.c | 469 + src/util/sss_ldap.h | 99 + src/util/sss_log.c | 132 + src/util/sss_nss.c | 221 + src/util/sss_nss.h | 42 + src/util/sss_ptr_hash.c | 375 + src/util/sss_ptr_hash.h | 117 + src/util/sss_python.c | 56 + src/util/sss_python.h | 54 + src/util/sss_selinux.c | 255 + src/util/sss_selinux.h | 54 + src/util/sss_semanage.c | 452 + src/util/sss_sockets.c | 365 + src/util/sss_sockets.h | 39 + src/util/sss_ssh.c | 270 + src/util/sss_ssh.h | 56 + src/util/sss_tc_utf8.c | 88 + src/util/sss_utf8.c | 194 + src/util/sss_utf8.h | 45 + src/util/string_utils.c | 148 + src/util/strtonum.c | 83 + src/util/strtonum.h | 34 + src/util/tev_curl.c | 1123 + src/util/tev_curl.h | 261 + src/util/user_info_msg.c | 57 + src/util/user_info_msg.h | 33 + src/util/usertools.c | 885 + src/util/util.c | 1198 + src/util/util.h | 725 + src/util/util_creds.h | 83 + src/util/util_errors.c | 134 + src/util/util_errors.h | 167 + src/util/util_ext.c | 143 + src/util/util_lock.c | 87 + src/util/util_preauth.c | 86 + src/util/util_sss_idmap.c | 32 + src/util/util_sss_idmap.h | 28 + src/util/util_watchdog.c | 263 + src/util/well_known_sids.c | 313 + version.m4 | 12 + 1657 files changed, 973088 insertions(+) create mode 100644 ABOUT-NLS create mode 100644 BUILD.txt create mode 100644 COPYING create mode 100644 Makefile.am create mode 100644 Makefile.in create mode 100644 aclocal.m4 create mode 100755 build/ar-lib create mode 100755 build/compile create mode 100755 build/config.guess create mode 100755 build/config.rpath create mode 100755 build/config.sub create mode 100755 
build/depcomp create mode 100755 build/install-sh create mode 100644 build/ltmain.sh create mode 100755 build/missing create mode 100755 build/mkinstalldirs create mode 100755 build/test-driver create mode 100644 config.h.in create mode 100755 configure create mode 100644 configure.ac create mode 100644 contrib/ci/README.md create mode 100755 contrib/ci/clean create mode 100644 contrib/ci/configure.sh create mode 100644 contrib/ci/deps.sh create mode 100644 contrib/ci/distro.sh create mode 100644 contrib/ci/misc.sh create mode 100755 contrib/ci/rpm-spec-builddeps create mode 100755 contrib/ci/run create mode 100644 contrib/ci/sssd.supp create mode 100755 contrib/ci/valgrind-condense create mode 100644 contrib/fedora/bashrc_sssd create mode 100755 contrib/fedora/make_srpm.sh create mode 100644 contrib/kcm_default_ccache create mode 100644 contrib/sssd-pcsc.rules create mode 100644 contrib/sssd-pcsc.rules.in create mode 100644 contrib/sssd.spec.in create mode 100644 contrib/systemtap/dp_request.stp create mode 100644 contrib/systemtap/id_perf.stp create mode 100644 contrib/systemtap/nested_group_perf.stp create mode 100644 m4/.dir create mode 100644 m4/codeset.m4 create mode 100644 m4/gettext.m4 create mode 100644 m4/glibc2.m4 create mode 100644 m4/glibc21.m4 create mode 100644 m4/iconv.m4 create mode 100644 m4/intdiv0.m4 create mode 100644 m4/intmax.m4 create mode 100644 m4/inttypes-pri.m4 create mode 100644 m4/inttypes.m4 create mode 100644 m4/inttypes_h.m4 create mode 100644 m4/isc-posix.m4 create mode 100644 m4/lcmessage.m4 create mode 100644 m4/lib-ld.m4 create mode 100644 m4/lib-link.m4 create mode 100644 m4/lib-prefix.m4 create mode 100644 m4/libtool.m4 create mode 100644 m4/longdouble.m4 create mode 100644 m4/longlong.m4 create mode 100644 m4/ltoptions.m4 create mode 100644 m4/ltsugar.m4 create mode 100644 m4/ltversion.m4 create mode 100644 m4/lt~obsolete.m4 create mode 100644 m4/nls.m4 create mode 100644 m4/po.m4 create mode 100644 m4/printf-posix.m4 create 
mode 100644 m4/progtest.m4 create mode 100644 m4/signed.m4 create mode 100644 m4/size_max.m4 create mode 100644 m4/stdint_h.m4 create mode 100644 m4/uintmax_t.m4 create mode 100644 m4/ulonglong.m4 create mode 100644 m4/wchar_t.m4 create mode 100644 m4/wint_t.m4 create mode 100644 m4/xsize.m4 create mode 100644 po/LINGUAS create mode 100644 po/Makefile.in.in create mode 100644 po/Makevars create mode 100644 po/POTFILES.in create mode 100644 po/Rules-quot create mode 100644 po/bg.gmo create mode 100644 po/bg.po create mode 100644 po/boldquot.sed create mode 100644 po/ca.gmo create mode 100644 po/ca.po create mode 100644 po/de.gmo create mode 100644 po/de.po create mode 100644 po/en@boldquot.header create mode 100644 po/en@quot.header create mode 100644 po/es.gmo create mode 100644 po/es.po create mode 100644 po/eu.gmo create mode 100644 po/eu.po create mode 100644 po/fr.gmo create mode 100644 po/fr.po create mode 100644 po/hu.gmo create mode 100644 po/hu.po create mode 100644 po/id.gmo create mode 100644 po/id.po create mode 100644 po/insert-header.sin create mode 100644 po/it.gmo create mode 100644 po/it.po create mode 100644 po/ja.gmo create mode 100644 po/ja.po create mode 100644 po/nb.gmo create mode 100644 po/nb.po create mode 100644 po/nl.gmo create mode 100644 po/nl.po create mode 100644 po/pl.gmo create mode 100644 po/pl.po create mode 100644 po/pt.gmo create mode 100644 po/pt.po create mode 100644 po/pt_BR.gmo create mode 100644 po/pt_BR.po create mode 100644 po/quot.sed create mode 100644 po/remove-potcdate.sin create mode 100644 po/ru.gmo create mode 100644 po/ru.po create mode 100644 po/sssd.pot create mode 100644 po/stamp-po create mode 100644 po/sv.gmo create mode 100644 po/sv.po create mode 100644 po/tg.gmo create mode 100644 po/tg.po create mode 100644 po/tr.gmo create mode 100644 po/tr.po create mode 100644 po/uk.gmo create mode 100644 po/uk.po create mode 100644 po/zh_CN.gmo create mode 100644 po/zh_CN.po create mode 100644 po/zh_TW.gmo create mode 
100644 po/zh_TW.po create mode 100644 src/build_macros.m4 create mode 100644 src/conf_macros.m4 create mode 100644 src/confdb/confdb.c create mode 100644 src/confdb/confdb.h create mode 100644 src/confdb/confdb_private.h create mode 100644 src/confdb/confdb_setup.c create mode 100644 src/confdb/confdb_setup.h create mode 100644 src/config/SSSDConfig/__init__.py create mode 100644 src/config/SSSDConfig/__init__.py.in create mode 100644 src/config/SSSDConfig/ipachangeconf.py create mode 100755 src/config/SSSDConfigTest.py create mode 100755 src/config/SSSDConfigTest.py2.sh create mode 100755 src/config/SSSDConfigTest.py3.sh create mode 100644 src/config/cfg_rules.ini create mode 100644 src/config/etc/sssd.api.conf create mode 100644 src/config/etc/sssd.api.d/crash_test_dummy create mode 100644 src/config/etc/sssd.api.d/sssd-ad.conf create mode 100644 src/config/etc/sssd.api.d/sssd-files.conf create mode 100644 src/config/etc/sssd.api.d/sssd-ipa.conf create mode 100644 src/config/etc/sssd.api.d/sssd-krb5.conf create mode 100644 src/config/etc/sssd.api.d/sssd-ldap.conf create mode 100644 src/config/etc/sssd.api.d/sssd-local.conf create mode 100644 src/config/etc/sssd.api.d/sssd-proxy.conf create mode 100644 src/config/etc/sssd.api.d/sssd-simple.conf create mode 100644 src/config/setup.py create mode 100644 src/config/setup.py.in create mode 100644 src/config/testconfigs/noparse.api.conf create mode 100644 src/config/testconfigs/sssd-badversion.conf create mode 100644 src/config/testconfigs/sssd-invalid-badbool.conf create mode 100644 src/config/testconfigs/sssd-invalid.conf create mode 100644 src/config/testconfigs/sssd-nonexisting-services-domains.conf create mode 100644 src/config/testconfigs/sssd-noversion.conf create mode 100644 src/config/testconfigs/sssd-valid.conf create mode 100644 src/db/sysdb.c create mode 100644 src/db/sysdb.h create mode 100644 src/db/sysdb_autofs.c create mode 100644 src/db/sysdb_autofs.h create mode 100644 src/db/sysdb_certmap.c create 
mode 100644 src/db/sysdb_domain_resolution_order.c create mode 100644 src/db/sysdb_domain_resolution_order.h create mode 100644 src/db/sysdb_gpo.c create mode 100644 src/db/sysdb_idmap.c create mode 100644 src/db/sysdb_init.c create mode 100644 src/db/sysdb_ops.c create mode 100644 src/db/sysdb_private.h create mode 100644 src/db/sysdb_ranges.c create mode 100644 src/db/sysdb_search.c create mode 100644 src/db/sysdb_selinux.c create mode 100644 src/db/sysdb_selinux.h create mode 100644 src/db/sysdb_services.c create mode 100644 src/db/sysdb_services.h create mode 100644 src/db/sysdb_ssh.c create mode 100644 src/db/sysdb_ssh.h create mode 100644 src/db/sysdb_subdomains.c create mode 100644 src/db/sysdb_sudo.c create mode 100644 src/db/sysdb_sudo.h create mode 100644 src/db/sysdb_upgrade.c create mode 100644 src/db/sysdb_views.c create mode 100644 src/doxy.config.in create mode 100644 src/examples/logrotate create mode 100644 src/examples/rwtab.in create mode 100644 src/examples/sssd-example.conf create mode 100644 src/examples/sssd-shadowutils create mode 100644 src/examples/sssd.conf create mode 100644 src/examples/sssdproxytest create mode 100644 src/examples/sudo create mode 100644 src/external/cifsidmap.m4 create mode 100644 src/external/crypto.m4 create mode 100644 src/external/cwrap.m4 create mode 100644 src/external/docbook.m4 create mode 100644 src/external/glib.m4 create mode 100644 src/external/inotify.m4 create mode 100644 src/external/intgcheck.m4 create mode 100644 src/external/krb5.m4 create mode 100644 src/external/ldap.m4 create mode 100644 src/external/libcares.m4 create mode 100644 src/external/libcmocka.m4 create mode 100644 src/external/libcollection.m4 create mode 100644 src/external/libcurl.m4 create mode 100644 src/external/libdhash.m4 create mode 100644 src/external/libhttp_parser.m4 create mode 100644 src/external/libini_config.m4 create mode 100644 src/external/libjansson.m4 create mode 100644 src/external/libkeyutils.m4 create mode 100644 
src/external/libldb.m4 create mode 100644 src/external/libnfsidmap.m4 create mode 100644 src/external/libnl.m4 create mode 100644 src/external/libpcre.m4 create mode 100644 src/external/libpopt.m4 create mode 100644 src/external/libresolv.m4 create mode 100644 src/external/libtalloc.m4 create mode 100644 src/external/libtdb.m4 create mode 100644 src/external/libtevent.m4 create mode 100644 src/external/libunistring.m4 create mode 100644 src/external/libuuid.m4 create mode 100644 src/external/nscd.m4 create mode 100644 src/external/nsupdate.m4 create mode 100644 src/external/p11-kit.m4 create mode 100644 src/external/pac_responder.m4 create mode 100644 src/external/pam.m4 create mode 100644 src/external/pkg.m4 create mode 100644 src/external/platform.m4 create mode 100644 src/external/python.m4 create mode 100644 src/external/samba.m4 create mode 100644 src/external/sasl.m4 create mode 100644 src/external/selinux.m4 create mode 100644 src/external/service.m4 create mode 100644 src/external/signal.m4 create mode 100644 src/external/sizes.m4 create mode 100644 src/external/systemd.m4 create mode 100644 src/external/systemtap.m4 create mode 100644 src/external/test_ca.m4 create mode 100644 src/krb5_plugin/sssd_krb5_localauth_plugin.c create mode 100644 src/krb5_plugin/sssd_krb5_locator_plugin.c create mode 100644 src/ldb_modules/memberof.c create mode 100644 src/lib/certmap/sss_cert_content_common.c create mode 100644 src/lib/certmap/sss_cert_content_crypto.c create mode 100644 src/lib/certmap/sss_cert_content_nss.c create mode 100644 src/lib/certmap/sss_certmap.c create mode 100644 src/lib/certmap/sss_certmap.doxy.in create mode 100644 src/lib/certmap/sss_certmap.exports create mode 100644 src/lib/certmap/sss_certmap.h create mode 100644 src/lib/certmap/sss_certmap.pc.in create mode 100644 src/lib/certmap/sss_certmap_attr_names.c create mode 100644 src/lib/certmap/sss_certmap_int.h create mode 100644 src/lib/certmap/sss_certmap_krb5_match.c create mode 100644 
src/lib/certmap/sss_certmap_ldap_mapping.c create mode 100644 src/lib/cifs_idmap_sss/cifs_idmap_sss.c create mode 100644 src/lib/idmap/sss_idmap.c create mode 100644 src/lib/idmap/sss_idmap.doxy.in create mode 100644 src/lib/idmap/sss_idmap.exports create mode 100644 src/lib/idmap/sss_idmap.h create mode 100644 src/lib/idmap/sss_idmap.pc.in create mode 100644 src/lib/idmap/sss_idmap_conv.c create mode 100644 src/lib/idmap/sss_idmap_private.h create mode 100644 src/lib/ipa_hbac/hbac_evaluator.c create mode 100644 src/lib/ipa_hbac/ipa_hbac.doxy.in create mode 100644 src/lib/ipa_hbac/ipa_hbac.exports create mode 100644 src/lib/ipa_hbac/ipa_hbac.h create mode 100644 src/lib/ipa_hbac/ipa_hbac.pc.in create mode 100644 src/lib/sifp/sss_sifp.c create mode 100644 src/lib/sifp/sss_sifp.h create mode 100644 src/lib/sifp/sss_sifp_attrs.c create mode 100644 src/lib/sifp/sss_sifp_common.c create mode 100644 src/lib/sifp/sss_sifp_dbus.c create mode 100644 src/lib/sifp/sss_sifp_dbus.h create mode 100644 src/lib/sifp/sss_sifp_parser.c create mode 100644 src/lib/sifp/sss_sifp_private.h create mode 100644 src/lib/sifp/sss_sifp_utils.c create mode 100644 src/lib/sifp/sss_simpleifp.doxy.in create mode 100644 src/lib/sifp/sss_simpleifp.exports create mode 100644 src/lib/sifp/sss_simpleifp.pc.in create mode 100644 src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c create mode 100644 src/lib/winbind_idmap_sss/winbind_idmap_sss.c create mode 100644 src/lib/winbind_idmap_sss/winbind_idmap_sss.h create mode 100644 src/m4/.dir create mode 100644 src/man/Makefile.am create mode 100644 src/man/Makefile.in create mode 100644 src/man/br/include/ad_modified_defaults.xml create mode 100644 src/man/br/include/autofs_restart.xml create mode 100644 src/man/br/include/debug_levels.xml create mode 100644 src/man/br/include/debug_levels_tools.xml create mode 100644 src/man/br/include/experimental.xml create mode 100644 src/man/br/include/failover.xml create mode 100644 
src/man/br/include/homedir_substring.xml create mode 100644 src/man/br/include/ipa_modified_defaults.xml create mode 100644 src/man/br/include/ldap_id_mapping.xml create mode 100644 src/man/br/include/ldap_search_bases.xml create mode 100644 src/man/br/include/local.xml create mode 100644 src/man/br/include/override_homedir.xml create mode 100644 src/man/br/include/param_help.xml create mode 100644 src/man/br/include/param_help_py.xml create mode 100644 src/man/br/include/seealso.xml create mode 100644 src/man/br/include/service_discovery.xml create mode 100644 src/man/br/include/upstream.xml create mode 100644 src/man/ca/include/ad_modified_defaults.xml create mode 100644 src/man/ca/include/autofs_restart.xml create mode 100644 src/man/ca/include/debug_levels.xml create mode 100644 src/man/ca/include/debug_levels_tools.xml create mode 100644 src/man/ca/include/experimental.xml create mode 100644 src/man/ca/include/failover.xml create mode 100644 src/man/ca/include/homedir_substring.xml create mode 100644 src/man/ca/include/ipa_modified_defaults.xml create mode 100644 src/man/ca/include/ldap_id_mapping.xml create mode 100644 src/man/ca/include/ldap_search_bases.xml create mode 100644 src/man/ca/include/local.xml create mode 100644 src/man/ca/include/override_homedir.xml create mode 100644 src/man/ca/include/param_help.xml create mode 100644 src/man/ca/include/param_help_py.xml create mode 100644 src/man/ca/include/seealso.xml create mode 100644 src/man/ca/include/service_discovery.xml create mode 100644 src/man/ca/include/upstream.xml create mode 100644 src/man/ca/pam_sss.8.xml create mode 100644 src/man/ca/sss_cache.8.xml create mode 100644 src/man/ca/sss_groupadd.8.xml create mode 100644 src/man/ca/sss_groupdel.8.xml create mode 100644 src/man/ca/sss_groupmod.8.xml create mode 100644 src/man/ca/sss_groupshow.8.xml create mode 100644 src/man/ca/sss_obfuscate.8.xml create mode 100644 src/man/ca/sss_rpcidmapd.5.xml create mode 100644 src/man/ca/sss_seed.8.xml create 
mode 100644 src/man/ca/sss_useradd.8.xml create mode 100644 src/man/ca/sss_userdel.8.xml create mode 100644 src/man/ca/sss_usermod.8.xml create mode 100644 src/man/ca/sssd-ifp.5.xml create mode 100644 src/man/ca/sssd-simple.5.xml create mode 100644 src/man/ca/sssd.8.xml create mode 100644 src/man/cs/include/ad_modified_defaults.xml create mode 100644 src/man/cs/include/autofs_restart.xml create mode 100644 src/man/cs/include/debug_levels.xml create mode 100644 src/man/cs/include/debug_levels_tools.xml create mode 100644 src/man/cs/include/experimental.xml create mode 100644 src/man/cs/include/failover.xml create mode 100644 src/man/cs/include/homedir_substring.xml create mode 100644 src/man/cs/include/ipa_modified_defaults.xml create mode 100644 src/man/cs/include/ldap_id_mapping.xml create mode 100644 src/man/cs/include/ldap_search_bases.xml create mode 100644 src/man/cs/include/local.xml create mode 100644 src/man/cs/include/override_homedir.xml create mode 100644 src/man/cs/include/param_help.xml create mode 100644 src/man/cs/include/param_help_py.xml create mode 100644 src/man/cs/include/seealso.xml create mode 100644 src/man/cs/include/service_discovery.xml create mode 100644 src/man/cs/include/upstream.xml create mode 100644 src/man/cs/sss_groupdel.8.xml create mode 100644 src/man/de/include/ad_modified_defaults.xml create mode 100644 src/man/de/include/autofs_restart.xml create mode 100644 src/man/de/include/debug_levels.xml create mode 100644 src/man/de/include/debug_levels_tools.xml create mode 100644 src/man/de/include/experimental.xml create mode 100644 src/man/de/include/failover.xml create mode 100644 src/man/de/include/homedir_substring.xml create mode 100644 src/man/de/include/ipa_modified_defaults.xml create mode 100644 src/man/de/include/ldap_id_mapping.xml create mode 100644 src/man/de/include/ldap_search_bases.xml create mode 100644 src/man/de/include/local.xml create mode 100644 src/man/de/include/override_homedir.xml create mode 100644 
src/man/de/include/param_help.xml create mode 100644 src/man/de/include/param_help_py.xml create mode 100644 src/man/de/include/seealso.xml create mode 100644 src/man/de/include/service_discovery.xml create mode 100644 src/man/de/include/upstream.xml create mode 100644 src/man/de/sss_groupadd.8.xml create mode 100644 src/man/de/sss_groupdel.8.xml create mode 100644 src/man/de/sss_groupmod.8.xml create mode 100644 src/man/de/sss_groupshow.8.xml create mode 100644 src/man/de/sss_obfuscate.8.xml create mode 100644 src/man/de/sss_seed.8.xml create mode 100644 src/man/de/sss_ssh_knownhostsproxy.1.xml create mode 100644 src/man/de/sss_useradd.8.xml create mode 100644 src/man/de/sss_userdel.8.xml create mode 100644 src/man/de/sss_usermod.8.xml create mode 100644 src/man/de/sssd-ifp.5.xml create mode 100644 src/man/de/sssd-krb5.5.xml create mode 100644 src/man/de/sssd-ldap.5.xml create mode 100644 src/man/de/sssd-simple.5.xml create mode 100644 src/man/de/sssd-sudo.5.xml create mode 100644 src/man/de/sssd.8.xml create mode 100644 src/man/de/sssd_krb5_locator_plugin.8.xml create mode 100644 src/man/es/include/ad_modified_defaults.xml create mode 100644 src/man/es/include/autofs_restart.xml create mode 100644 src/man/es/include/debug_levels.xml create mode 100644 src/man/es/include/debug_levels_tools.xml create mode 100644 src/man/es/include/experimental.xml create mode 100644 src/man/es/include/failover.xml create mode 100644 src/man/es/include/homedir_substring.xml create mode 100644 src/man/es/include/ipa_modified_defaults.xml create mode 100644 src/man/es/include/ldap_id_mapping.xml create mode 100644 src/man/es/include/ldap_search_bases.xml create mode 100644 src/man/es/include/local.xml create mode 100644 src/man/es/include/override_homedir.xml create mode 100644 src/man/es/include/param_help.xml create mode 100644 src/man/es/include/param_help_py.xml create mode 100644 src/man/es/include/seealso.xml create mode 100644 src/man/es/include/service_discovery.xml create 
mode 100644 src/man/es/include/upstream.xml create mode 100644 src/man/es/sss_groupadd.8.xml create mode 100644 src/man/es/sss_groupdel.8.xml create mode 100644 src/man/es/sss_groupmod.8.xml create mode 100644 src/man/es/sss_groupshow.8.xml create mode 100644 src/man/es/sss_obfuscate.8.xml create mode 100644 src/man/es/sss_seed.8.xml create mode 100644 src/man/es/sss_useradd.8.xml create mode 100644 src/man/es/sss_userdel.8.xml create mode 100644 src/man/es/sss_usermod.8.xml create mode 100644 src/man/es/sssd-simple.5.xml create mode 100644 src/man/es/sssd-sudo.5.xml create mode 100644 src/man/es/sssd.8.xml create mode 100644 src/man/eu/include/ad_modified_defaults.xml create mode 100644 src/man/eu/include/autofs_restart.xml create mode 100644 src/man/eu/include/debug_levels.xml create mode 100644 src/man/eu/include/debug_levels_tools.xml create mode 100644 src/man/eu/include/experimental.xml create mode 100644 src/man/eu/include/failover.xml create mode 100644 src/man/eu/include/homedir_substring.xml create mode 100644 src/man/eu/include/ipa_modified_defaults.xml create mode 100644 src/man/eu/include/ldap_id_mapping.xml create mode 100644 src/man/eu/include/ldap_search_bases.xml create mode 100644 src/man/eu/include/local.xml create mode 100644 src/man/eu/include/override_homedir.xml create mode 100644 src/man/eu/include/param_help.xml create mode 100644 src/man/eu/include/param_help_py.xml create mode 100644 src/man/eu/include/seealso.xml create mode 100644 src/man/eu/include/service_discovery.xml create mode 100644 src/man/eu/include/upstream.xml create mode 100644 src/man/fi/include/ad_modified_defaults.xml create mode 100644 src/man/fi/include/autofs_restart.xml create mode 100644 src/man/fi/include/debug_levels.xml create mode 100644 src/man/fi/include/debug_levels_tools.xml create mode 100644 src/man/fi/include/experimental.xml create mode 100644 src/man/fi/include/failover.xml create mode 100644 src/man/fi/include/homedir_substring.xml create mode 100644 
src/man/fi/include/ipa_modified_defaults.xml create mode 100644 src/man/fi/include/ldap_id_mapping.xml create mode 100644 src/man/fi/include/ldap_search_bases.xml create mode 100644 src/man/fi/include/local.xml create mode 100644 src/man/fi/include/override_homedir.xml create mode 100644 src/man/fi/include/param_help.xml create mode 100644 src/man/fi/include/param_help_py.xml create mode 100644 src/man/fi/include/seealso.xml create mode 100644 src/man/fi/include/service_discovery.xml create mode 100644 src/man/fi/include/upstream.xml create mode 100644 src/man/fr/include/ad_modified_defaults.xml create mode 100644 src/man/fr/include/autofs_restart.xml create mode 100644 src/man/fr/include/debug_levels.xml create mode 100644 src/man/fr/include/debug_levels_tools.xml create mode 100644 src/man/fr/include/experimental.xml create mode 100644 src/man/fr/include/failover.xml create mode 100644 src/man/fr/include/homedir_substring.xml create mode 100644 src/man/fr/include/ipa_modified_defaults.xml create mode 100644 src/man/fr/include/ldap_id_mapping.xml create mode 100644 src/man/fr/include/ldap_search_bases.xml create mode 100644 src/man/fr/include/local.xml create mode 100644 src/man/fr/include/override_homedir.xml create mode 100644 src/man/fr/include/param_help.xml create mode 100644 src/man/fr/include/param_help_py.xml create mode 100644 src/man/fr/include/seealso.xml create mode 100644 src/man/fr/include/service_discovery.xml create mode 100644 src/man/fr/include/upstream.xml create mode 100644 src/man/fr/sss_groupadd.8.xml create mode 100644 src/man/fr/sss_groupdel.8.xml create mode 100644 src/man/fr/sss_groupmod.8.xml create mode 100644 src/man/fr/sss_groupshow.8.xml create mode 100644 src/man/fr/sss_obfuscate.8.xml create mode 100644 src/man/fr/sss_seed.8.xml create mode 100644 src/man/fr/sss_ssh_knownhostsproxy.1.xml create mode 100644 src/man/fr/sss_useradd.8.xml create mode 100644 src/man/fr/sss_userdel.8.xml create mode 100644 src/man/fr/sss_usermod.8.xml 
create mode 100644 src/man/fr/sssd-krb5.5.xml create mode 100644 src/man/fr/sssd-ldap.5.xml create mode 100644 src/man/fr/sssd-simple.5.xml create mode 100644 src/man/fr/sssd-sudo.5.xml create mode 100644 src/man/fr/sssd.8.xml create mode 100644 src/man/fr/sssd_krb5_locator_plugin.8.xml create mode 100644 src/man/idmap_sss.8.xml create mode 100644 src/man/include/ad_modified_defaults.xml create mode 100644 src/man/include/autofs_restart.xml create mode 100644 src/man/include/debug_levels.xml create mode 100644 src/man/include/debug_levels_tools.xml create mode 100644 src/man/include/experimental.xml create mode 100644 src/man/include/failover.xml create mode 100644 src/man/include/homedir_substring.xml create mode 100644 src/man/include/ipa_modified_defaults.xml create mode 100644 src/man/include/ldap_id_mapping.xml create mode 100644 src/man/include/ldap_search_bases.xml create mode 100644 src/man/include/local.xml create mode 100644 src/man/include/override_homedir.xml create mode 100644 src/man/include/param_help.xml create mode 100644 src/man/include/param_help_py.xml create mode 100644 src/man/include/seealso.xml create mode 100644 src/man/include/service_discovery.xml create mode 100644 src/man/include/upstream.xml create mode 100644 src/man/ja/include/ad_modified_defaults.xml create mode 100644 src/man/ja/include/autofs_restart.xml create mode 100644 src/man/ja/include/debug_levels.xml create mode 100644 src/man/ja/include/debug_levels_tools.xml create mode 100644 src/man/ja/include/experimental.xml create mode 100644 src/man/ja/include/failover.xml create mode 100644 src/man/ja/include/homedir_substring.xml create mode 100644 src/man/ja/include/ipa_modified_defaults.xml create mode 100644 src/man/ja/include/ldap_id_mapping.xml create mode 100644 src/man/ja/include/ldap_search_bases.xml create mode 100644 src/man/ja/include/local.xml create mode 100644 src/man/ja/include/override_homedir.xml create mode 100644 src/man/ja/include/param_help.xml create mode 
100644 src/man/ja/include/param_help_py.xml create mode 100644 src/man/ja/include/seealso.xml create mode 100644 src/man/ja/include/service_discovery.xml create mode 100644 src/man/ja/include/upstream.xml create mode 100644 src/man/ja/sss_groupadd.8.xml create mode 100644 src/man/ja/sss_groupdel.8.xml create mode 100644 src/man/ja/sss_groupmod.8.xml create mode 100644 src/man/ja/sss_groupshow.8.xml create mode 100644 src/man/ja/sss_obfuscate.8.xml create mode 100644 src/man/ja/sss_ssh_knownhostsproxy.1.xml create mode 100644 src/man/ja/sss_useradd.8.xml create mode 100644 src/man/ja/sss_userdel.8.xml create mode 100644 src/man/ja/sss_usermod.8.xml create mode 100644 src/man/ja/sssd-krb5.5.xml create mode 100644 src/man/ja/sssd-simple.5.xml create mode 100644 src/man/ja/sssd.8.xml create mode 100644 src/man/lv/include/ad_modified_defaults.xml create mode 100644 src/man/lv/include/autofs_restart.xml create mode 100644 src/man/lv/include/debug_levels.xml create mode 100644 src/man/lv/include/debug_levels_tools.xml create mode 100644 src/man/lv/include/experimental.xml create mode 100644 src/man/lv/include/failover.xml create mode 100644 src/man/lv/include/homedir_substring.xml create mode 100644 src/man/lv/include/ipa_modified_defaults.xml create mode 100644 src/man/lv/include/ldap_id_mapping.xml create mode 100644 src/man/lv/include/ldap_search_bases.xml create mode 100644 src/man/lv/include/local.xml create mode 100644 src/man/lv/include/override_homedir.xml create mode 100644 src/man/lv/include/param_help.xml create mode 100644 src/man/lv/include/param_help_py.xml create mode 100644 src/man/lv/include/seealso.xml create mode 100644 src/man/lv/include/service_discovery.xml create mode 100644 src/man/lv/include/upstream.xml create mode 100644 src/man/man.stamp create mode 100644 src/man/nl/include/ad_modified_defaults.xml create mode 100644 src/man/nl/include/autofs_restart.xml create mode 100644 src/man/nl/include/debug_levels.xml create mode 100644 
src/man/nl/include/debug_levels_tools.xml create mode 100644 src/man/nl/include/experimental.xml create mode 100644 src/man/nl/include/failover.xml create mode 100644 src/man/nl/include/homedir_substring.xml create mode 100644 src/man/nl/include/ipa_modified_defaults.xml create mode 100644 src/man/nl/include/ldap_id_mapping.xml create mode 100644 src/man/nl/include/ldap_search_bases.xml create mode 100644 src/man/nl/include/local.xml create mode 100644 src/man/nl/include/override_homedir.xml create mode 100644 src/man/nl/include/param_help.xml create mode 100644 src/man/nl/include/param_help_py.xml create mode 100644 src/man/nl/include/seealso.xml create mode 100644 src/man/nl/include/service_discovery.xml create mode 100644 src/man/nl/include/upstream.xml create mode 100644 src/man/nl/sss_groupmod.8.xml create mode 100644 src/man/pam_sss.8.xml create mode 100644 src/man/po/br.po create mode 100644 src/man/po/ca.po create mode 100644 src/man/po/cs.po create mode 100644 src/man/po/de.po create mode 100644 src/man/po/es.po create mode 100644 src/man/po/eu.po create mode 100644 src/man/po/fi.po create mode 100644 src/man/po/fr.po create mode 100644 src/man/po/ja.po create mode 100644 src/man/po/lv.po create mode 100644 src/man/po/nl.po create mode 100644 src/man/po/po4a.cfg create mode 100644 src/man/po/pt.po create mode 100644 src/man/po/pt_BR.po create mode 100644 src/man/po/ru.po create mode 100644 src/man/po/sssd-docs.pot create mode 100644 src/man/po/sv.po create mode 100644 src/man/po/tg.po create mode 100644 src/man/po/uk.po create mode 100644 src/man/po/zh_CN.po create mode 100644 src/man/pt/include/ad_modified_defaults.xml create mode 100644 src/man/pt/include/autofs_restart.xml create mode 100644 src/man/pt/include/debug_levels.xml create mode 100644 src/man/pt/include/debug_levels_tools.xml create mode 100644 src/man/pt/include/experimental.xml create mode 100644 src/man/pt/include/failover.xml create mode 100644 src/man/pt/include/homedir_substring.xml 
create mode 100644 src/man/pt/include/ipa_modified_defaults.xml create mode 100644 src/man/pt/include/ldap_id_mapping.xml create mode 100644 src/man/pt/include/ldap_search_bases.xml create mode 100644 src/man/pt/include/local.xml create mode 100644 src/man/pt/include/override_homedir.xml create mode 100644 src/man/pt/include/param_help.xml create mode 100644 src/man/pt/include/param_help_py.xml create mode 100644 src/man/pt/include/seealso.xml create mode 100644 src/man/pt/include/service_discovery.xml create mode 100644 src/man/pt/include/upstream.xml create mode 100644 src/man/pt/sss_groupdel.8.xml create mode 100644 src/man/pt/sss_groupmod.8.xml create mode 100644 src/man/pt_BR/include/ad_modified_defaults.xml create mode 100644 src/man/pt_BR/include/autofs_restart.xml create mode 100644 src/man/pt_BR/include/debug_levels.xml create mode 100644 src/man/pt_BR/include/debug_levels_tools.xml create mode 100644 src/man/pt_BR/include/experimental.xml create mode 100644 src/man/pt_BR/include/failover.xml create mode 100644 src/man/pt_BR/include/homedir_substring.xml create mode 100644 src/man/pt_BR/include/ipa_modified_defaults.xml create mode 100644 src/man/pt_BR/include/ldap_id_mapping.xml create mode 100644 src/man/pt_BR/include/ldap_search_bases.xml create mode 100644 src/man/pt_BR/include/local.xml create mode 100644 src/man/pt_BR/include/override_homedir.xml create mode 100644 src/man/pt_BR/include/param_help.xml create mode 100644 src/man/pt_BR/include/param_help_py.xml create mode 100644 src/man/pt_BR/include/seealso.xml create mode 100644 src/man/pt_BR/include/service_discovery.xml create mode 100644 src/man/pt_BR/include/upstream.xml create mode 100644 src/man/ru/include/ad_modified_defaults.xml create mode 100644 src/man/ru/include/autofs_restart.xml create mode 100644 src/man/ru/include/debug_levels.xml create mode 100644 src/man/ru/include/debug_levels_tools.xml create mode 100644 src/man/ru/include/experimental.xml create mode 100644 
src/man/ru/include/failover.xml create mode 100644 src/man/ru/include/homedir_substring.xml create mode 100644 src/man/ru/include/ipa_modified_defaults.xml create mode 100644 src/man/ru/include/ldap_id_mapping.xml create mode 100644 src/man/ru/include/ldap_search_bases.xml create mode 100644 src/man/ru/include/local.xml create mode 100644 src/man/ru/include/override_homedir.xml create mode 100644 src/man/ru/include/param_help.xml create mode 100644 src/man/ru/include/param_help_py.xml create mode 100644 src/man/ru/include/seealso.xml create mode 100644 src/man/ru/include/service_discovery.xml create mode 100644 src/man/ru/include/upstream.xml create mode 100644 src/man/sss-certmap.5.xml create mode 100644 src/man/sss_cache.8.xml create mode 100644 src/man/sss_debuglevel.8.xml create mode 100644 src/man/sss_groupadd.8.xml create mode 100644 src/man/sss_groupdel.8.xml create mode 100644 src/man/sss_groupmod.8.xml create mode 100644 src/man/sss_groupshow.8.xml create mode 100644 src/man/sss_obfuscate.8.xml create mode 100644 src/man/sss_override.8.xml create mode 100644 src/man/sss_rpcidmapd.5.xml create mode 100644 src/man/sss_seed.8.xml create mode 100644 src/man/sss_ssh_authorizedkeys.1.xml create mode 100644 src/man/sss_ssh_knownhostsproxy.1.xml create mode 100644 src/man/sss_useradd.8.xml create mode 100644 src/man/sss_userdel.8.xml create mode 100644 src/man/sss_usermod.8.xml create mode 100644 src/man/sssctl.8.xml create mode 100644 src/man/sssd-ad.5.xml create mode 100644 src/man/sssd-files.5.xml create mode 100644 src/man/sssd-ifp.5.xml create mode 100644 src/man/sssd-ipa.5.xml create mode 100644 src/man/sssd-kcm.8.xml create mode 100644 src/man/sssd-krb5.5.xml create mode 100644 src/man/sssd-ldap.5.xml create mode 100644 src/man/sssd-secrets.5.xml create mode 100644 src/man/sssd-session-recording.5.xml create mode 100644 src/man/sssd-simple.5.xml create mode 100644 src/man/sssd-sudo.5.xml create mode 100644 src/man/sssd-systemtap.5.xml create mode 100644 
src/man/sssd.8.xml create mode 100644 src/man/sssd.conf.5.xml create mode 100644 src/man/sssd_krb5_locator_plugin.8.xml create mode 100644 src/man/sv/include/ad_modified_defaults.xml create mode 100644 src/man/sv/include/autofs_restart.xml create mode 100644 src/man/sv/include/debug_levels.xml create mode 100644 src/man/sv/include/debug_levels_tools.xml create mode 100644 src/man/sv/include/experimental.xml create mode 100644 src/man/sv/include/failover.xml create mode 100644 src/man/sv/include/homedir_substring.xml create mode 100644 src/man/sv/include/ipa_modified_defaults.xml create mode 100644 src/man/sv/include/ldap_id_mapping.xml create mode 100644 src/man/sv/include/ldap_search_bases.xml create mode 100644 src/man/sv/include/local.xml create mode 100644 src/man/sv/include/override_homedir.xml create mode 100644 src/man/sv/include/param_help.xml create mode 100644 src/man/sv/include/param_help_py.xml create mode 100644 src/man/sv/include/seealso.xml create mode 100644 src/man/sv/include/service_discovery.xml create mode 100644 src/man/sv/include/upstream.xml create mode 100644 src/man/sv/sss_groupmod.8.xml create mode 100644 src/man/tg/include/ad_modified_defaults.xml create mode 100644 src/man/tg/include/autofs_restart.xml create mode 100644 src/man/tg/include/debug_levels.xml create mode 100644 src/man/tg/include/debug_levels_tools.xml create mode 100644 src/man/tg/include/experimental.xml create mode 100644 src/man/tg/include/failover.xml create mode 100644 src/man/tg/include/homedir_substring.xml create mode 100644 src/man/tg/include/ipa_modified_defaults.xml create mode 100644 src/man/tg/include/ldap_id_mapping.xml create mode 100644 src/man/tg/include/ldap_search_bases.xml create mode 100644 src/man/tg/include/local.xml create mode 100644 src/man/tg/include/override_homedir.xml create mode 100644 src/man/tg/include/param_help.xml create mode 100644 src/man/tg/include/param_help_py.xml create mode 100644 src/man/tg/include/seealso.xml create mode 100644 
src/man/tg/include/service_discovery.xml create mode 100644 src/man/tg/include/upstream.xml create mode 100644 src/man/uk/idmap_sss.8.xml create mode 100644 src/man/uk/include/ad_modified_defaults.xml create mode 100644 src/man/uk/include/autofs_restart.xml create mode 100644 src/man/uk/include/debug_levels.xml create mode 100644 src/man/uk/include/debug_levels_tools.xml create mode 100644 src/man/uk/include/experimental.xml create mode 100644 src/man/uk/include/failover.xml create mode 100644 src/man/uk/include/homedir_substring.xml create mode 100644 src/man/uk/include/ipa_modified_defaults.xml create mode 100644 src/man/uk/include/ldap_id_mapping.xml create mode 100644 src/man/uk/include/ldap_search_bases.xml create mode 100644 src/man/uk/include/local.xml create mode 100644 src/man/uk/include/override_homedir.xml create mode 100644 src/man/uk/include/param_help.xml create mode 100644 src/man/uk/include/param_help_py.xml create mode 100644 src/man/uk/include/seealso.xml create mode 100644 src/man/uk/include/service_discovery.xml create mode 100644 src/man/uk/include/upstream.xml create mode 100644 src/man/uk/pam_sss.8.xml create mode 100644 src/man/uk/sss-certmap.5.xml create mode 100644 src/man/uk/sss_cache.8.xml create mode 100644 src/man/uk/sss_debuglevel.8.xml create mode 100644 src/man/uk/sss_groupadd.8.xml create mode 100644 src/man/uk/sss_groupdel.8.xml create mode 100644 src/man/uk/sss_groupmod.8.xml create mode 100644 src/man/uk/sss_groupshow.8.xml create mode 100644 src/man/uk/sss_obfuscate.8.xml create mode 100644 src/man/uk/sss_override.8.xml create mode 100644 src/man/uk/sss_rpcidmapd.5.xml create mode 100644 src/man/uk/sss_seed.8.xml create mode 100644 src/man/uk/sss_ssh_knownhostsproxy.1.xml create mode 100644 src/man/uk/sss_useradd.8.xml create mode 100644 src/man/uk/sss_userdel.8.xml create mode 100644 src/man/uk/sss_usermod.8.xml create mode 100644 src/man/uk/sssctl.8.xml create mode 100644 src/man/uk/sssd-ad.5.xml create mode 100644 
src/man/uk/sssd-ifp.5.xml create mode 100644 src/man/uk/sssd-ipa.5.xml create mode 100644 src/man/uk/sssd-kcm.8.xml create mode 100644 src/man/uk/sssd-krb5.5.xml create mode 100644 src/man/uk/sssd-ldap.5.xml create mode 100644 src/man/uk/sssd-secrets.5.xml create mode 100644 src/man/uk/sssd-session-recording.5.xml create mode 100644 src/man/uk/sssd-simple.5.xml create mode 100644 src/man/uk/sssd-sudo.5.xml create mode 100644 src/man/uk/sssd-systemtap.5.xml create mode 100644 src/man/uk/sssd.8.xml create mode 100644 src/man/uk/sssd.conf.5.xml create mode 100644 src/man/uk/sssd_krb5_locator_plugin.8.xml create mode 100644 src/man/zh_CN/include/ad_modified_defaults.xml create mode 100644 src/man/zh_CN/include/autofs_restart.xml create mode 100644 src/man/zh_CN/include/debug_levels.xml create mode 100644 src/man/zh_CN/include/debug_levels_tools.xml create mode 100644 src/man/zh_CN/include/experimental.xml create mode 100644 src/man/zh_CN/include/failover.xml create mode 100644 src/man/zh_CN/include/homedir_substring.xml create mode 100644 src/man/zh_CN/include/ipa_modified_defaults.xml create mode 100644 src/man/zh_CN/include/ldap_id_mapping.xml create mode 100644 src/man/zh_CN/include/ldap_search_bases.xml create mode 100644 src/man/zh_CN/include/local.xml create mode 100644 src/man/zh_CN/include/override_homedir.xml create mode 100644 src/man/zh_CN/include/param_help.xml create mode 100644 src/man/zh_CN/include/param_help_py.xml create mode 100644 src/man/zh_CN/include/seealso.xml create mode 100644 src/man/zh_CN/include/service_discovery.xml create mode 100644 src/man/zh_CN/include/upstream.xml create mode 100644 src/monitor/monitor.c create mode 100644 src/monitor/monitor.h create mode 100644 src/monitor/monitor_iface.xml create mode 100644 src/monitor/monitor_iface_generated.c create mode 100644 src/monitor/monitor_iface_generated.h create mode 100644 src/monitor/monitor_interfaces.h create mode 100644 src/monitor/monitor_netlink.c create mode 100644 
src/monitor/monitor_sbus.c create mode 100644 src/p11_child/p11_child.h create mode 100644 src/p11_child/p11_child_common.c create mode 100644 src/p11_child/p11_child_nss.c create mode 100644 src/p11_child/p11_child_openssl.c create mode 100644 src/providers/ad/ad_access.c create mode 100644 src/providers/ad/ad_access.h create mode 100644 src/providers/ad/ad_autofs.c create mode 100644 src/providers/ad/ad_common.c create mode 100644 src/providers/ad/ad_common.h create mode 100644 src/providers/ad/ad_domain_info.c create mode 100644 src/providers/ad/ad_domain_info.h create mode 100644 src/providers/ad/ad_dyndns.c create mode 100644 src/providers/ad/ad_gpo.c create mode 100644 src/providers/ad/ad_gpo.h create mode 100644 src/providers/ad/ad_gpo_child.c create mode 100644 src/providers/ad/ad_gpo_ndr.c create mode 100644 src/providers/ad/ad_id.c create mode 100644 src/providers/ad/ad_id.h create mode 100644 src/providers/ad/ad_init.c create mode 100644 src/providers/ad/ad_machine_pw_renewal.c create mode 100644 src/providers/ad/ad_opts.c create mode 100644 src/providers/ad/ad_opts.h create mode 100644 src/providers/ad/ad_pac.c create mode 100644 src/providers/ad/ad_pac.h create mode 100644 src/providers/ad/ad_pac_common.c create mode 100644 src/providers/ad/ad_srv.c create mode 100644 src/providers/ad/ad_srv.h create mode 100644 src/providers/ad/ad_subdomains.c create mode 100644 src/providers/ad/ad_subdomains.h create mode 100644 src/providers/ad/ad_sudo.c create mode 100644 src/providers/backend.h create mode 100644 src/providers/be_dyndns.c create mode 100644 src/providers/be_dyndns.h create mode 100644 src/providers/be_ptask.c create mode 100644 src/providers/be_ptask.h create mode 100644 src/providers/be_ptask_private.h create mode 100644 src/providers/be_refresh.c create mode 100644 src/providers/be_refresh.h create mode 100644 src/providers/data_provider.h create mode 100644 src/providers/data_provider/dp.c create mode 100644 src/providers/data_provider/dp.h 
create mode 100644 src/providers/data_provider/dp_builtin.c create mode 100644 src/providers/data_provider/dp_builtin.h create mode 100644 src/providers/data_provider/dp_client.c create mode 100644 src/providers/data_provider/dp_custom_data.h create mode 100644 src/providers/data_provider/dp_flags.h create mode 100644 src/providers/data_provider/dp_iface.c create mode 100644 src/providers/data_provider/dp_iface.h create mode 100644 src/providers/data_provider/dp_iface.xml create mode 100644 src/providers/data_provider/dp_iface_backend.c create mode 100644 src/providers/data_provider/dp_iface_failover.c create mode 100644 src/providers/data_provider/dp_iface_generated.c create mode 100644 src/providers/data_provider/dp_iface_generated.h create mode 100644 src/providers/data_provider/dp_methods.c create mode 100644 src/providers/data_provider/dp_modules.c create mode 100644 src/providers/data_provider/dp_private.h create mode 100644 src/providers/data_provider/dp_reply_std.c create mode 100644 src/providers/data_provider/dp_request.c create mode 100644 src/providers/data_provider/dp_request.h create mode 100644 src/providers/data_provider/dp_request_reply.c create mode 100644 src/providers/data_provider/dp_request_table.c create mode 100644 src/providers/data_provider/dp_resp_client.c create mode 100644 src/providers/data_provider/dp_responder_iface.h create mode 100644 src/providers/data_provider/dp_sbus.c create mode 100644 src/providers/data_provider/dp_target_auth.c create mode 100644 src/providers/data_provider/dp_target_autofs.c create mode 100644 src/providers/data_provider/dp_target_hostid.c create mode 100644 src/providers/data_provider/dp_target_id.c create mode 100644 src/providers/data_provider/dp_target_subdomains.c create mode 100644 src/providers/data_provider/dp_target_sudo.c create mode 100644 src/providers/data_provider/dp_targets.c create mode 100644 src/providers/data_provider_be.c create mode 100644 src/providers/data_provider_callbacks.c create 
mode 100644 src/providers/data_provider_fo.c create mode 100644 src/providers/data_provider_opts.c create mode 100644 src/providers/data_provider_req.c create mode 100644 src/providers/data_provider_req.h create mode 100644 src/providers/dp_auth_util.c create mode 100644 src/providers/dp_pam_data_util.c create mode 100644 src/providers/fail_over.c create mode 100644 src/providers/fail_over.h create mode 100644 src/providers/fail_over_srv.c create mode 100644 src/providers/fail_over_srv.h create mode 100644 src/providers/files/files_id.c create mode 100644 src/providers/files/files_init.c create mode 100644 src/providers/files/files_ops.c create mode 100644 src/providers/files/files_private.h create mode 100644 src/providers/ipa/ipa_access.c create mode 100644 src/providers/ipa/ipa_access.h create mode 100644 src/providers/ipa/ipa_auth.c create mode 100644 src/providers/ipa/ipa_auth.h create mode 100644 src/providers/ipa/ipa_autofs.c create mode 100644 src/providers/ipa/ipa_common.c create mode 100644 src/providers/ipa/ipa_common.h create mode 100644 src/providers/ipa/ipa_config.c create mode 100644 src/providers/ipa/ipa_config.h create mode 100644 src/providers/ipa/ipa_deskprofile_config.c create mode 100644 src/providers/ipa/ipa_deskprofile_config.h create mode 100644 src/providers/ipa/ipa_deskprofile_private.h create mode 100644 src/providers/ipa/ipa_deskprofile_rules.c create mode 100644 src/providers/ipa/ipa_deskprofile_rules.h create mode 100644 src/providers/ipa/ipa_deskprofile_rules_util.c create mode 100644 src/providers/ipa/ipa_deskprofile_rules_util.h create mode 100644 src/providers/ipa/ipa_dn.c create mode 100644 src/providers/ipa/ipa_dn.h create mode 100644 src/providers/ipa/ipa_dyndns.c create mode 100644 src/providers/ipa/ipa_dyndns.h create mode 100644 src/providers/ipa/ipa_hbac_common.c create mode 100644 src/providers/ipa/ipa_hbac_hosts.c create mode 100644 src/providers/ipa/ipa_hbac_private.h create mode 100644 src/providers/ipa/ipa_hbac_rules.c 
create mode 100644 src/providers/ipa/ipa_hbac_rules.h create mode 100644 src/providers/ipa/ipa_hbac_services.c create mode 100644 src/providers/ipa/ipa_hbac_users.c create mode 100644 src/providers/ipa/ipa_hostid.c create mode 100644 src/providers/ipa/ipa_hosts.c create mode 100644 src/providers/ipa/ipa_hosts.h create mode 100644 src/providers/ipa/ipa_id.c create mode 100644 src/providers/ipa/ipa_id.h create mode 100644 src/providers/ipa/ipa_idmap.c create mode 100644 src/providers/ipa/ipa_init.c create mode 100644 src/providers/ipa/ipa_netgroups.c create mode 100644 src/providers/ipa/ipa_opts.c create mode 100644 src/providers/ipa/ipa_opts.h create mode 100644 src/providers/ipa/ipa_rules_common.c create mode 100644 src/providers/ipa/ipa_rules_common.h create mode 100644 src/providers/ipa/ipa_s2n_exop.c create mode 100644 src/providers/ipa/ipa_selinux.c create mode 100644 src/providers/ipa/ipa_selinux.h create mode 100644 src/providers/ipa/ipa_selinux_maps.c create mode 100644 src/providers/ipa/ipa_selinux_maps.h create mode 100644 src/providers/ipa/ipa_session.c create mode 100644 src/providers/ipa/ipa_session.h create mode 100644 src/providers/ipa/ipa_srv.c create mode 100644 src/providers/ipa/ipa_srv.h create mode 100644 src/providers/ipa/ipa_subdomains.c create mode 100644 src/providers/ipa/ipa_subdomains.h create mode 100644 src/providers/ipa/ipa_subdomains_ext_groups.c create mode 100644 src/providers/ipa/ipa_subdomains_id.c create mode 100644 src/providers/ipa/ipa_subdomains_server.c create mode 100644 src/providers/ipa/ipa_subdomains_utils.c create mode 100644 src/providers/ipa/ipa_sudo.c create mode 100644 src/providers/ipa/ipa_sudo.h create mode 100644 src/providers/ipa/ipa_sudo_async.c create mode 100644 src/providers/ipa/ipa_sudo_conversion.c create mode 100644 src/providers/ipa/ipa_sudo_refresh.c create mode 100644 src/providers/ipa/ipa_utils.c create mode 100644 src/providers/ipa/ipa_views.c create mode 100644 src/providers/ipa/selinux_child.c create 
mode 100644 src/providers/krb5/krb5_access.c create mode 100644 src/providers/krb5/krb5_auth.c create mode 100644 src/providers/krb5/krb5_auth.h create mode 100644 src/providers/krb5/krb5_ccache.c create mode 100644 src/providers/krb5/krb5_ccache.h create mode 100644 src/providers/krb5/krb5_child.c create mode 100644 src/providers/krb5/krb5_child_handler.c create mode 100644 src/providers/krb5/krb5_common.c create mode 100644 src/providers/krb5/krb5_common.h create mode 100644 src/providers/krb5/krb5_delayed_online_authentication.c create mode 100644 src/providers/krb5/krb5_init.c create mode 100644 src/providers/krb5/krb5_init_shared.c create mode 100644 src/providers/krb5/krb5_init_shared.h create mode 100644 src/providers/krb5/krb5_keytab.c create mode 100644 src/providers/krb5/krb5_opts.c create mode 100644 src/providers/krb5/krb5_opts.h create mode 100644 src/providers/krb5/krb5_renew_tgt.c create mode 100644 src/providers/krb5/krb5_utils.c create mode 100644 src/providers/krb5/krb5_utils.h create mode 100644 src/providers/krb5/krb5_wait_queue.c create mode 100644 src/providers/ldap/ldap_access.c create mode 100644 src/providers/ldap/ldap_auth.c create mode 100644 src/providers/ldap/ldap_auth.h create mode 100644 src/providers/ldap/ldap_child.c create mode 100644 src/providers/ldap/ldap_common.c create mode 100644 src/providers/ldap/ldap_common.h create mode 100644 src/providers/ldap/ldap_id.c create mode 100644 src/providers/ldap/ldap_id_cleanup.c create mode 100644 src/providers/ldap/ldap_id_enum.c create mode 100644 src/providers/ldap/ldap_id_netgroup.c create mode 100644 src/providers/ldap/ldap_id_services.c create mode 100644 src/providers/ldap/ldap_init.c create mode 100644 src/providers/ldap/ldap_options.c create mode 100644 src/providers/ldap/ldap_opts.c create mode 100644 src/providers/ldap/ldap_opts.h create mode 100644 src/providers/ldap/sdap.c create mode 100644 src/providers/ldap/sdap.h create mode 100644 src/providers/ldap/sdap_access.c create 
mode 100644 src/providers/ldap/sdap_access.h create mode 100644 src/providers/ldap/sdap_ad_groups.c create mode 100644 src/providers/ldap/sdap_async.c create mode 100644 src/providers/ldap/sdap_async.h create mode 100644 src/providers/ldap/sdap_async_ad.h create mode 100644 src/providers/ldap/sdap_async_autofs.c create mode 100644 src/providers/ldap/sdap_async_connection.c create mode 100644 src/providers/ldap/sdap_async_enum.c create mode 100644 src/providers/ldap/sdap_async_enum.h create mode 100644 src/providers/ldap/sdap_async_groups.c create mode 100644 src/providers/ldap/sdap_async_groups_ad.c create mode 100644 src/providers/ldap/sdap_async_hosts.c create mode 100644 src/providers/ldap/sdap_async_initgroups.c create mode 100644 src/providers/ldap/sdap_async_initgroups_ad.c create mode 100644 src/providers/ldap/sdap_async_nested_groups.c create mode 100644 src/providers/ldap/sdap_async_netgroups.c create mode 100644 src/providers/ldap/sdap_async_private.h create mode 100644 src/providers/ldap/sdap_async_services.c create mode 100644 src/providers/ldap/sdap_async_sudo.c create mode 100644 src/providers/ldap/sdap_async_sudo_hostinfo.c create mode 100644 src/providers/ldap/sdap_async_users.c create mode 100644 src/providers/ldap/sdap_autofs.c create mode 100644 src/providers/ldap/sdap_autofs.h create mode 100644 src/providers/ldap/sdap_certmap.c create mode 100644 src/providers/ldap/sdap_child_helpers.c create mode 100644 src/providers/ldap/sdap_domain.c create mode 100644 src/providers/ldap/sdap_dyndns.c create mode 100644 src/providers/ldap/sdap_dyndns.h create mode 100644 src/providers/ldap/sdap_fd_events.c create mode 100644 src/providers/ldap/sdap_hostid.c create mode 100644 src/providers/ldap/sdap_hostid.h create mode 100644 src/providers/ldap/sdap_id_op.c create mode 100644 src/providers/ldap/sdap_id_op.h create mode 100644 src/providers/ldap/sdap_idmap.c create mode 100644 src/providers/ldap/sdap_idmap.h create mode 100644 
src/providers/ldap/sdap_online_check.c create mode 100644 src/providers/ldap/sdap_ops.c create mode 100644 src/providers/ldap/sdap_ops.h create mode 100644 src/providers/ldap/sdap_range.c create mode 100644 src/providers/ldap/sdap_range.h create mode 100644 src/providers/ldap/sdap_refresh.c create mode 100644 src/providers/ldap/sdap_reinit.c create mode 100644 src/providers/ldap/sdap_sudo.c create mode 100644 src/providers/ldap/sdap_sudo.h create mode 100644 src/providers/ldap/sdap_sudo_refresh.c create mode 100644 src/providers/ldap/sdap_sudo_shared.c create mode 100644 src/providers/ldap/sdap_sudo_shared.h create mode 100644 src/providers/ldap/sdap_users.h create mode 100644 src/providers/ldap/sdap_utils.c create mode 100644 src/providers/proxy/proxy.h create mode 100644 src/providers/proxy/proxy_auth.c create mode 100644 src/providers/proxy/proxy_child.c create mode 100644 src/providers/proxy/proxy_client.c create mode 100644 src/providers/proxy/proxy_id.c create mode 100644 src/providers/proxy/proxy_iface.xml create mode 100644 src/providers/proxy/proxy_iface_generated.c create mode 100644 src/providers/proxy/proxy_iface_generated.h create mode 100644 src/providers/proxy/proxy_init.c create mode 100644 src/providers/proxy/proxy_netgroup.c create mode 100644 src/providers/proxy/proxy_services.c create mode 100644 src/providers/simple/simple_access.c create mode 100644 src/providers/simple/simple_access.h create mode 100644 src/providers/simple/simple_access_check.c create mode 100644 src/providers/simple/simple_access_pvt.h create mode 100644 src/providers/sssd_be.exports create mode 100644 src/python/pyhbac.c create mode 100644 src/python/pysss.c create mode 100644 src/python/pysss_murmur.c create mode 100644 src/python/pysss_nss_idmap.c create mode 100644 src/resolv/async_resolv.c create mode 100644 src/resolv/async_resolv.h create mode 100644 src/resolv/async_resolv_utils.c create mode 100644 src/responder/autofs/autofs_private.h create mode 100644 
src/responder/autofs/autofssrv.c create mode 100644 src/responder/autofs/autofssrv_cmd.c create mode 100644 src/responder/autofs/autofssrv_dp.c create mode 100644 src/responder/common/cache_req/cache_req.c create mode 100644 src/responder/common/cache_req/cache_req.h create mode 100644 src/responder/common/cache_req/cache_req_data.c create mode 100644 src/responder/common/cache_req/cache_req_domain.c create mode 100644 src/responder/common/cache_req/cache_req_domain.h create mode 100644 src/responder/common/cache_req/cache_req_plugin.h create mode 100644 src/responder/common/cache_req/cache_req_private.h create mode 100644 src/responder/common/cache_req/cache_req_result.c create mode 100644 src/responder/common/cache_req/cache_req_search.c create mode 100644 src/responder/common/cache_req/cache_req_sr_overlay.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_common.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_enum_groups.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_enum_svc.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_enum_users.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_group_by_filter.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_group_by_id.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_group_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_host_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_object_by_id.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_object_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_object_by_sid.c create 
mode 100644 src/responder/common/cache_req/plugins/cache_req_svc_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_svc_by_port.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_user_by_cert.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_user_by_filter.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_user_by_id.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_user_by_name.c create mode 100644 src/responder/common/cache_req/plugins/cache_req_user_by_upn.c create mode 100644 src/responder/common/data_provider/rdp.h create mode 100644 src/responder/common/data_provider/rdp_client.c create mode 100644 src/responder/common/data_provider/rdp_message.c create mode 100644 src/responder/common/iface/responder_domain.c create mode 100644 src/responder/common/iface/responder_iface.c create mode 100644 src/responder/common/iface/responder_iface.h create mode 100644 src/responder/common/iface/responder_iface.xml create mode 100644 src/responder/common/iface/responder_iface_generated.c create mode 100644 src/responder/common/iface/responder_iface_generated.h create mode 100644 src/responder/common/iface/responder_ncache.c create mode 100644 src/responder/common/negcache.c create mode 100644 src/responder/common/negcache.h create mode 100644 src/responder/common/negcache_files.c create mode 100644 src/responder/common/negcache_files.h create mode 100644 src/responder/common/responder.h create mode 100644 src/responder/common/responder_cmd.c create mode 100644 src/responder/common/responder_common.c create mode 100644 src/responder/common/responder_dp.c create mode 100644 src/responder/common/responder_dp_ssh.c create mode 100644 src/responder/common/responder_get_domains.c create mode 100644 src/responder/common/responder_packet.c create mode 100644 src/responder/common/responder_packet.h create mode 100644 src/responder/common/responder_sbus.h create mode 100644 
src/responder/common/responder_utils.c create mode 100644 src/responder/ifp/ifp_cache.c create mode 100644 src/responder/ifp/ifp_cache.h create mode 100644 src/responder/ifp/ifp_components.c create mode 100644 src/responder/ifp/ifp_components.h create mode 100644 src/responder/ifp/ifp_domains.c create mode 100644 src/responder/ifp/ifp_domains.h create mode 100644 src/responder/ifp/ifp_groups.c create mode 100644 src/responder/ifp/ifp_groups.h create mode 100644 src/responder/ifp/ifp_iface.c create mode 100644 src/responder/ifp/ifp_iface.h create mode 100644 src/responder/ifp/ifp_iface.xml create mode 100644 src/responder/ifp/ifp_iface_generated.c create mode 100644 src/responder/ifp/ifp_iface_generated.h create mode 100644 src/responder/ifp/ifp_iface_nodes.c create mode 100644 src/responder/ifp/ifp_private.h create mode 100644 src/responder/ifp/ifp_users.c create mode 100644 src/responder/ifp/ifp_users.h create mode 100644 src/responder/ifp/ifpsrv.c create mode 100644 src/responder/ifp/ifpsrv_cmd.c create mode 100644 src/responder/ifp/ifpsrv_util.c create mode 100644 src/responder/ifp/org.freedesktop.sssd.infopipe.conf create mode 100644 src/responder/ifp/org.freedesktop.sssd.infopipe.service create mode 100644 src/responder/ifp/org.freedesktop.sssd.infopipe.service.in create mode 100644 src/responder/kcm/kcm.c create mode 100644 src/responder/kcm/kcm.h create mode 100644 src/responder/kcm/kcmsrv_ccache.c create mode 100644 src/responder/kcm/kcmsrv_ccache.h create mode 100644 src/responder/kcm/kcmsrv_ccache_be.h create mode 100644 src/responder/kcm/kcmsrv_ccache_json.c create mode 100644 src/responder/kcm/kcmsrv_ccache_mem.c create mode 100644 src/responder/kcm/kcmsrv_ccache_pvt.h create mode 100644 src/responder/kcm/kcmsrv_ccache_secrets.c create mode 100644 src/responder/kcm/kcmsrv_cmd.c create mode 100644 src/responder/kcm/kcmsrv_op_queue.c create mode 100644 src/responder/kcm/kcmsrv_ops.c create mode 100644 src/responder/kcm/kcmsrv_ops.h create mode 100644 
src/responder/kcm/kcmsrv_pvt.h create mode 100644 src/responder/nss/nss_cmd.c create mode 100644 src/responder/nss/nss_enum.c create mode 100644 src/responder/nss/nss_get_object.c create mode 100644 src/responder/nss/nss_iface.c create mode 100644 src/responder/nss/nss_iface.h create mode 100644 src/responder/nss/nss_iface.xml create mode 100644 src/responder/nss/nss_iface_generated.c create mode 100644 src/responder/nss/nss_iface_generated.h create mode 100644 src/responder/nss/nss_private.h create mode 100644 src/responder/nss/nss_protocol.c create mode 100644 src/responder/nss/nss_protocol.h create mode 100644 src/responder/nss/nss_protocol_grent.c create mode 100644 src/responder/nss/nss_protocol_netgr.c create mode 100644 src/responder/nss/nss_protocol_pwent.c create mode 100644 src/responder/nss/nss_protocol_sid.c create mode 100644 src/responder/nss/nss_protocol_svcent.c create mode 100644 src/responder/nss/nss_utils.c create mode 100644 src/responder/nss/nsssrv.c create mode 100644 src/responder/nss/nsssrv_mmap_cache.c create mode 100644 src/responder/nss/nsssrv_mmap_cache.h create mode 100644 src/responder/pac/pacsrv.c create mode 100644 src/responder/pac/pacsrv.h create mode 100644 src/responder/pac/pacsrv_cmd.c create mode 100644 src/responder/pam/pam_LOCAL_domain.c create mode 100644 src/responder/pam/pam_helpers.c create mode 100644 src/responder/pam/pam_helpers.h create mode 100644 src/responder/pam/pamsrv.c create mode 100644 src/responder/pam/pamsrv.h create mode 100644 src/responder/pam/pamsrv_cmd.c create mode 100644 src/responder/pam/pamsrv_dp.c create mode 100644 src/responder/pam/pamsrv_p11.c create mode 100644 src/responder/secrets/local.c create mode 100644 src/responder/secrets/providers.c create mode 100644 src/responder/secrets/proxy.c create mode 100644 src/responder/secrets/secsrv.c create mode 100644 src/responder/secrets/secsrv.h create mode 100644 src/responder/secrets/secsrv_cmd.c create mode 100644 
src/responder/secrets/secsrv_local.h create mode 100644 src/responder/secrets/secsrv_private.h create mode 100644 src/responder/secrets/secsrv_proxy.h create mode 100644 src/responder/ssh/ssh_cmd.c create mode 100644 src/responder/ssh/ssh_known_hosts.c create mode 100644 src/responder/ssh/ssh_private.h create mode 100644 src/responder/ssh/ssh_protocol.c create mode 100644 src/responder/ssh/ssh_reply.c create mode 100644 src/responder/ssh/sshsrv.c create mode 100644 src/responder/sudo/sudosrv.c create mode 100644 src/responder/sudo/sudosrv_cmd.c create mode 100644 src/responder/sudo/sudosrv_dp.c create mode 100644 src/responder/sudo/sudosrv_get_sudorules.c create mode 100644 src/responder/sudo/sudosrv_private.h create mode 100644 src/responder/sudo/sudosrv_query.c create mode 100644 src/sbus/sbus_client.c create mode 100644 src/sbus/sbus_client.h create mode 100755 src/sbus/sbus_codegen create mode 100644 src/sbus/sssd_dbus.h create mode 100644 src/sbus/sssd_dbus_common.c create mode 100644 src/sbus/sssd_dbus_common_signals.c create mode 100644 src/sbus/sssd_dbus_connection.c create mode 100644 src/sbus/sssd_dbus_errors.h create mode 100644 src/sbus/sssd_dbus_interface.c create mode 100644 src/sbus/sssd_dbus_introspect.c create mode 100644 src/sbus/sssd_dbus_invokers.c create mode 100644 src/sbus/sssd_dbus_invokers.h create mode 100644 src/sbus/sssd_dbus_meta.c create mode 100644 src/sbus/sssd_dbus_meta.h create mode 100644 src/sbus/sssd_dbus_private.h create mode 100644 src/sbus/sssd_dbus_properties.c create mode 100644 src/sbus/sssd_dbus_request.c create mode 100644 src/sbus/sssd_dbus_server.c create mode 100644 src/sbus/sssd_dbus_signals.c create mode 100644 src/sbus/sssd_dbus_utils.c create mode 100644 src/sbus/sssd_dbus_utils.h create mode 100644 src/shared/io.h create mode 100644 src/shared/murmurhash3.h create mode 100644 src/shared/safealign.h create mode 100644 src/sss_client/COPYING create mode 100644 src/sss_client/COPYING.LESSER create mode 100644 
src/sss_client/autofs/autofs_test_client.c create mode 100644 src/sss_client/autofs/sss_autofs.c create mode 100644 src/sss_client/autofs/sss_autofs.exports create mode 100644 src/sss_client/autofs/sss_autofs_private.h create mode 100644 src/sss_client/common.c create mode 100644 src/sss_client/common_private.h create mode 100644 src/sss_client/idmap/common_ex.c create mode 100644 src/sss_client/idmap/sss_nss_ex.c create mode 100644 src/sss_client/idmap/sss_nss_idmap.c create mode 100644 src/sss_client/idmap/sss_nss_idmap.doxy.in create mode 100644 src/sss_client/idmap/sss_nss_idmap.exports create mode 100644 src/sss_client/idmap/sss_nss_idmap.h create mode 100644 src/sss_client/idmap/sss_nss_idmap.pc.in create mode 100644 src/sss_client/idmap/sss_nss_idmap.unit_tests create mode 100644 src/sss_client/idmap/sss_nss_idmap_private.h create mode 100644 src/sss_client/krb5_authdata_int.h create mode 100644 src/sss_client/libwbclient/libwbclient.h create mode 100644 src/sss_client/libwbclient/wbc_ctx_sssd.c create mode 100644 src/sss_client/libwbclient/wbc_err_internal.h create mode 100644 src/sss_client/libwbclient/wbc_guid.c create mode 100644 src/sss_client/libwbclient/wbc_idmap_common.c create mode 100644 src/sss_client/libwbclient/wbc_idmap_sssd.c create mode 100644 src/sss_client/libwbclient/wbc_pam_sssd.c create mode 100644 src/sss_client/libwbclient/wbc_pwd_sssd.c create mode 100644 src/sss_client/libwbclient/wbc_sid_common.c create mode 100644 src/sss_client/libwbclient/wbc_sid_sssd.c create mode 100644 src/sss_client/libwbclient/wbc_sssd_internal.h create mode 100644 src/sss_client/libwbclient/wbc_util_common.c create mode 100644 src/sss_client/libwbclient/wbc_util_sssd.c create mode 100644 src/sss_client/libwbclient/wbclient.exports create mode 100644 src/sss_client/libwbclient/wbclient_common.c create mode 100644 src/sss_client/libwbclient/wbclient_internal.h create mode 100644 src/sss_client/libwbclient/wbclient_sssd.c create mode 100644 
src/sss_client/libwbclient/wbclient_sssd.h create mode 100644 src/sss_client/libwbclient/wbclient_sssd.pc.in create mode 100644 src/sss_client/nfs/nfsidmap_internal.h create mode 100644 src/sss_client/nfs/sss_nfs_client.c create mode 100644 src/sss_client/nss_common.h create mode 100644 src/sss_client/nss_compat.h create mode 100644 src/sss_client/nss_group.c create mode 100644 src/sss_client/nss_mc.h create mode 100644 src/sss_client/nss_mc_common.c create mode 100644 src/sss_client/nss_mc_group.c create mode 100644 src/sss_client/nss_mc_initgr.c create mode 100644 src/sss_client/nss_mc_passwd.c create mode 100644 src/sss_client/nss_netgroup.c create mode 100644 src/sss_client/nss_passwd.c create mode 100644 src/sss_client/nss_services.c create mode 100644 src/sss_client/pam_message.c create mode 100644 src/sss_client/pam_message.h create mode 100644 src/sss_client/pam_sss.c create mode 100644 src/sss_client/ssh/sss_ssh_authorizedkeys.c create mode 100644 src/sss_client/ssh/sss_ssh_client.c create mode 100644 src/sss_client/ssh/sss_ssh_client.h create mode 100644 src/sss_client/ssh/sss_ssh_knownhostsproxy.c create mode 100644 src/sss_client/sss_cli.h create mode 100644 src/sss_client/sss_nss.exports create mode 100644 src/sss_client/sss_pac_responder_client.c create mode 100644 src/sss_client/sss_pam.exports create mode 100644 src/sss_client/sss_pam_compat.h create mode 100644 src/sss_client/sss_pam_macros.h create mode 100644 src/sss_client/sss_sudo.exports create mode 100644 src/sss_client/sssd_pac.c create mode 100644 src/sss_client/sudo/sss_sudo.c create mode 100644 src/sss_client/sudo/sss_sudo.h create mode 100644 src/sss_client/sudo/sss_sudo_private.h create mode 100644 src/sss_client/sudo/sss_sudo_response.c create mode 100644 src/sss_client/sudo_testcli/sudo_testcli.c create mode 100644 src/systemtap/sssd.stp.in create mode 100644 src/systemtap/sssd_functions.stp create mode 100644 src/systemtap/sssd_probes.d create mode 100644 src/sysv/SUSE/sssd.in create 
mode 100644 src/sysv/gentoo/sssd.in create mode 100644 src/sysv/sssd.in create mode 100644 src/sysv/systemd/sssd-autofs.service.in create mode 100644 src/sysv/systemd/sssd-autofs.socket.in create mode 100644 src/sysv/systemd/sssd-ifp.service.in create mode 100644 src/sysv/systemd/sssd-kcm.service.in create mode 100644 src/sysv/systemd/sssd-kcm.socket.in create mode 100644 src/sysv/systemd/sssd-nss.service.in create mode 100644 src/sysv/systemd/sssd-nss.socket.in create mode 100644 src/sysv/systemd/sssd-pac.service.in create mode 100644 src/sysv/systemd/sssd-pac.socket.in create mode 100644 src/sysv/systemd/sssd-pam-priv.socket.in create mode 100644 src/sysv/systemd/sssd-pam.service.in create mode 100644 src/sysv/systemd/sssd-pam.socket.in create mode 100644 src/sysv/systemd/sssd-secrets.service.in create mode 100644 src/sysv/systemd/sssd-secrets.socket.in create mode 100644 src/sysv/systemd/sssd-ssh.service.in create mode 100644 src/sysv/systemd/sssd-ssh.socket.in create mode 100644 src/sysv/systemd/sssd-sudo.service.in create mode 100644 src/sysv/systemd/sssd-sudo.socket.in create mode 100644 src/sysv/systemd/sssd.service.in create mode 100644 src/tests/ad_ldap_opt-tests.c create mode 100644 src/tests/auth-tests.c create mode 100644 src/tests/check_and_open-tests.c create mode 100644 src/tests/cmocka/common_mock.h create mode 100644 src/tests/cmocka/common_mock_be.c create mode 100644 src/tests/cmocka/common_mock_be.h create mode 100644 src/tests/cmocka/common_mock_krb5.c create mode 100644 src/tests/cmocka/common_mock_krb5.h create mode 100644 src/tests/cmocka/common_mock_resp.c create mode 100644 src/tests/cmocka/common_mock_resp.h create mode 100644 src/tests/cmocka/common_mock_resp_dp.c create mode 100644 src/tests/cmocka/common_mock_sdap.c create mode 100644 src/tests/cmocka/common_mock_sdap.h create mode 100644 src/tests/cmocka/common_mock_sysdb_objects.c create mode 100644 src/tests/cmocka/common_mock_sysdb_objects.h create mode 100644 
src/tests/cmocka/data_provider/mock_dp.c create mode 100644 src/tests/cmocka/data_provider/mock_dp.h create mode 100644 src/tests/cmocka/data_provider/test_dp_builtin.c create mode 100644 src/tests/cmocka/data_provider/test_dp_request.c create mode 100644 src/tests/cmocka/data_provider/test_dp_request_table.c create mode 100644 src/tests/cmocka/dummy_child.c create mode 100644 src/tests/cmocka/sbus_internal_tests.c create mode 100644 src/tests/cmocka/sss_nss_idmap-tests.c create mode 100644 src/tests/cmocka/test_ad_access_filter.c create mode 100644 src/tests/cmocka/test_ad_common.c create mode 100644 src/tests/cmocka/test_ad_gpo.c create mode 100644 src/tests/cmocka/test_ad_subdomains.c create mode 100644 src/tests/cmocka/test_authtok.c create mode 100644 src/tests/cmocka/test_be_ptask.c create mode 100644 src/tests/cmocka/test_cert_utils.c create mode 100644 src/tests/cmocka/test_certmap.c create mode 100644 src/tests/cmocka/test_child_common.c create mode 100644 src/tests/cmocka/test_config_check.c create mode 100644 src/tests/cmocka/test_copy_ccache.c create mode 100644 src/tests/cmocka/test_copy_keytab.c create mode 100644 src/tests/cmocka/test_data_provider_be.c create mode 100644 src/tests/cmocka/test_deskprofile_utils.c create mode 100644 src/tests/cmocka/test_domain_resolution_order.c create mode 100644 src/tests/cmocka/test_dp_opts.c create mode 100644 src/tests/cmocka/test_dyndns.c create mode 100644 src/tests/cmocka/test_expire_common.c create mode 100644 src/tests/cmocka/test_expire_common.h create mode 100644 src/tests/cmocka/test_find_uid.c create mode 100644 src/tests/cmocka/test_fo_srv.c create mode 100644 src/tests/cmocka/test_fqnames.c create mode 100644 src/tests/cmocka/test_ifp.c create mode 100644 src/tests/cmocka/test_inotify.c create mode 100644 src/tests/cmocka/test_io.c create mode 100644 src/tests/cmocka/test_iobuf.c create mode 100644 src/tests/cmocka/test_ipa_dn.c create mode 100644 src/tests/cmocka/test_ipa_idmap.c create mode 100644 
src/tests/cmocka/test_ipa_subdomains_server.c create mode 100644 src/tests/cmocka/test_ipa_subdomains_utils.c create mode 100644 src/tests/cmocka/test_kcm_json_marshalling.c create mode 100644 src/tests/cmocka/test_kcm_queue.c create mode 100644 src/tests/cmocka/test_krb5_common.c create mode 100644 src/tests/cmocka/test_krb5_wait_queue.c create mode 100644 src/tests/cmocka/test_ldap_auth.c create mode 100644 src/tests/cmocka/test_ldap_id_cleanup.c create mode 100644 src/tests/cmocka/test_negcache.c create mode 100644 src/tests/cmocka/test_nested_groups.c create mode 100644 src/tests/cmocka/test_nss_srv.c create mode 100644 src/tests/cmocka/test_pam_srv.c create mode 100644 src/tests/cmocka/test_resolv_fake.c create mode 100644 src/tests/cmocka/test_responder_cache_req.c create mode 100644 src/tests/cmocka/test_responder_common.c create mode 100644 src/tests/cmocka/test_sbus_opath.c create mode 100644 src/tests/cmocka/test_sdap.c create mode 100644 src/tests/cmocka/test_sdap_access.c create mode 100644 src/tests/cmocka/test_sdap_access.h create mode 100644 src/tests/cmocka/test_sdap_certmap.c create mode 100644 src/tests/cmocka/test_sdap_initgr.c create mode 100644 src/tests/cmocka/test_search_bases.c create mode 100644 src/tests/cmocka/test_simple_access.c create mode 100644 src/tests/cmocka/test_ssh_srv.c create mode 100644 src/tests/cmocka/test_sss_idmap.c create mode 100644 src/tests/cmocka/test_sss_sifp.c create mode 100644 src/tests/cmocka/test_sss_ssh.c create mode 100644 src/tests/cmocka/test_sssd_krb5_localauth_plugin.c create mode 100644 src/tests/cmocka/test_sssd_krb5_locator_plugin.c create mode 100644 src/tests/cmocka/test_string_utils.c create mode 100644 src/tests/cmocka/test_sysdb_certmap.c create mode 100644 src/tests/cmocka/test_sysdb_domain_resolution_order.c create mode 100644 src/tests/cmocka/test_sysdb_subdomains.c create mode 100644 src/tests/cmocka/test_sysdb_sudo.c create mode 100644 src/tests/cmocka/test_sysdb_ts_cache.c create mode 100644 
src/tests/cmocka/test_sysdb_utils.c create mode 100644 src/tests/cmocka/test_sysdb_views.c create mode 100644 src/tests/cmocka/test_tools_colondb.c create mode 100644 src/tests/cmocka/test_utils.c create mode 100644 src/tests/cmocka/test_utils.h create mode 100644 src/tests/cmocka/test_wbc_calls.c create mode 100644 src/tests/cmocka/wrap_sss_nss_make_request_timeout.c create mode 100644 src/tests/common.c create mode 100644 src/tests/common.h create mode 100644 src/tests/common_check.c create mode 100644 src/tests/common_check.h create mode 100644 src/tests/common_dbus.c create mode 100644 src/tests/common_dom.c create mode 100644 src/tests/common_tev.c create mode 100644 src/tests/crypto-tests.c create mode 100644 src/tests/cwrap/Makefile.am create mode 100644 src/tests/cwrap/Makefile.in create mode 100755 src/tests/cwrap/cwrap_test_setup.sh create mode 100644 src/tests/cwrap/group create mode 100644 src/tests/cwrap/passwd create mode 100644 src/tests/cwrap/test_become_user.c create mode 100644 src/tests/cwrap/test_negcache.c create mode 100644 src/tests/cwrap/test_responder_common.c create mode 100644 src/tests/cwrap/test_server.c create mode 100644 src/tests/cwrap/test_usertools.c create mode 100644 src/tests/debug-tests.c create mode 100644 src/tests/dlopen-tests.c create mode 100755 src/tests/double_semicolon_test create mode 100644 src/tests/fail_over-tests.c create mode 100644 src/tests/files-tests.c create mode 100644 src/tests/find_uid-tests.c create mode 100644 src/tests/intg/Makefile.am create mode 100644 src/tests/intg/Makefile.in create mode 100644 src/tests/intg/__init__.py create mode 100644 src/tests/intg/config.py.m4 create mode 100644 src/tests/intg/cwrap-dbus-system.conf create mode 100644 src/tests/intg/data/ad_data.ldif create mode 100644 src/tests/intg/data/ad_schema.ldif create mode 100644 src/tests/intg/data/cwrap-dbus-system.conf.in create mode 100644 src/tests/intg/data/sudo_schema.ldif create mode 100644 src/tests/intg/ds.py create mode 
100644 src/tests/intg/ds_openldap.py create mode 100644 src/tests/intg/ent.py create mode 100644 src/tests/intg/ent_test.py create mode 100644 src/tests/intg/files_ops.py create mode 100644 src/tests/intg/getsockopt_wrapper.c create mode 100644 src/tests/intg/kdc.py create mode 100644 src/tests/intg/krb5utils.py create mode 100644 src/tests/intg/ldap_ent.py create mode 100644 src/tests/intg/ldap_local_override_test.py create mode 100644 src/tests/intg/secrets.py create mode 100644 src/tests/intg/sssd_group.py create mode 100644 src/tests/intg/sssd_id.py create mode 100644 src/tests/intg/sssd_ldb.py create mode 100644 src/tests/intg/sssd_netgroup.py create mode 100644 src/tests/intg/sssd_nss.py create mode 100644 src/tests/intg/sssd_passwd.py create mode 100644 src/tests/intg/test_enumeration.py create mode 100644 src/tests/intg/test_files_ops.py create mode 100644 src/tests/intg/test_files_provider.py create mode 100644 src/tests/intg/test_infopipe.py create mode 100644 src/tests/intg/test_kcm.py create mode 100644 src/tests/intg/test_ldap.py create mode 100644 src/tests/intg/test_local_domain.py create mode 100644 src/tests/intg/test_memory_cache.py create mode 100644 src/tests/intg/test_netgroup.py create mode 100644 src/tests/intg/test_pac_responder.py create mode 100644 src/tests/intg/test_pam_responder.py create mode 100644 src/tests/intg/test_pysss_nss_idmap.py create mode 100644 src/tests/intg/test_secrets.py create mode 100644 src/tests/intg/test_session_recording.py create mode 100644 src/tests/intg/test_ssh_pubkey.py create mode 100644 src/tests/intg/test_sssctl.py create mode 100644 src/tests/intg/test_sudo.py create mode 100644 src/tests/intg/test_ts_cache.py create mode 100644 src/tests/intg/util.py create mode 100644 src/tests/ipa_hbac-tests.c create mode 100644 src/tests/ipa_ldap_opt-tests.c create mode 100644 src/tests/krb5_child-test.c create mode 100644 src/tests/krb5_proxy_check_test_data.conf create mode 100644 src/tests/krb5_utils-tests.c 
create mode 100644 src/tests/leak_check.c create mode 100755 src/tests/pyhbac-test.py create mode 100755 src/tests/pyhbac-test.py2.sh create mode 100755 src/tests/pyhbac-test.py3.sh create mode 100755 src/tests/pysss_murmur-test.py create mode 100755 src/tests/pysss_murmur-test.py2.sh create mode 100755 src/tests/pysss_murmur-test.py3.sh create mode 100644 src/tests/python-test.py create mode 100644 src/tests/refcount-tests.c create mode 100644 src/tests/resolv-tests.c create mode 100644 src/tests/responder_socket_access-tests.c create mode 100644 src/tests/safe-format-tests.c create mode 100644 src/tests/sbus_codegen_tests.c create mode 100755 src/tests/sbus_codegen_tests.xml create mode 100644 src/tests/sbus_codegen_tests_generated.c create mode 100644 src/tests/sbus_codegen_tests_generated.h create mode 100644 src/tests/sbus_tests.c create mode 100644 src/tests/sss_idmap-tests.c create mode 100644 src/tests/stress-tests.c create mode 100644 src/tests/strtonum-tests.c create mode 100644 src/tests/sysdb-tests.c create mode 100644 src/tests/sysdb_ssh-tests.c create mode 100644 src/tests/tcurl_test_tool.c create mode 100644 src/tests/test_CA/Makefile.am create mode 100644 src/tests/test_CA/Makefile.in create mode 100644 src/tests/test_CA/README create mode 100644 src/tests/test_CA/SSSD_test_CA.config create mode 100644 src/tests/test_CA/SSSD_test_CA_key.pem create mode 100644 src/tests/test_CA/SSSD_test_cert_0001.config create mode 100644 src/tests/test_CA/SSSD_test_cert_0002.config create mode 100644 src/tests/test_CA/SSSD_test_cert_0003.config create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0001.pem create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0002.pem create mode 100644 src/tests/test_CA/SSSD_test_cert_key_0003.pem create mode 100644 src/tests/test_ssh_client.c create mode 100644 src/tests/util-tests.c create mode 100755 src/tests/whitespace_test create mode 100644 src/tools/common/sss_colondb.c create mode 100644 src/tools/common/sss_colondb.h 
create mode 100644 src/tools/common/sss_process.c create mode 100644 src/tools/common/sss_process.h create mode 100644 src/tools/common/sss_tools.c create mode 100644 src/tools/common/sss_tools.h create mode 100644 src/tools/sss_cache.c create mode 100644 src/tools/sss_groupadd.c create mode 100644 src/tools/sss_groupdel.c create mode 100644 src/tools/sss_groupmod.c create mode 100644 src/tools/sss_groupshow.c create mode 100644 src/tools/sss_obfuscate create mode 100644 src/tools/sss_override.c create mode 100644 src/tools/sss_seed.c create mode 100644 src/tools/sss_signal.c create mode 100644 src/tools/sss_sync_ops.c create mode 100644 src/tools/sss_sync_ops.h create mode 100644 src/tools/sss_useradd.c create mode 100644 src/tools/sss_userdel.c create mode 100644 src/tools/sss_usermod.c create mode 100644 src/tools/sssctl/sssctl.c create mode 100644 src/tools/sssctl/sssctl.h create mode 100644 src/tools/sssctl/sssctl_access_report.c create mode 100644 src/tools/sssctl/sssctl_cache.c create mode 100644 src/tools/sssctl/sssctl_config.c create mode 100644 src/tools/sssctl/sssctl_data.c create mode 100644 src/tools/sssctl/sssctl_domains.c create mode 100644 src/tools/sssctl/sssctl_logs.c create mode 100644 src/tools/sssctl/sssctl_sifp.c create mode 100644 src/tools/sssctl/sssctl_systemd.c create mode 100644 src/tools/sssctl/sssctl_user_checks.c create mode 100644 src/tools/sssd_check_socket_activated_responders.c create mode 100644 src/tools/tools_mc_util.c create mode 100644 src/tools/tools_util.c create mode 100644 src/tools/tools_util.h create mode 100644 src/tools/wrappers/sss_debuglevel.in create mode 100644 src/util/atomic_io.c create mode 100644 src/util/atomic_io.h create mode 100644 src/util/auth_utils.h create mode 100644 src/util/authtok-utils.c create mode 100644 src/util/authtok-utils.h create mode 100644 src/util/authtok.c create mode 100644 src/util/authtok.h create mode 100644 src/util/backup_file.c create mode 100644 src/util/become_user.c create 
mode 100644 src/util/cert.h create mode 100644 src/util/cert/cert_common.c create mode 100644 src/util/cert/cert_common_p11_child.c create mode 100644 src/util/cert/libcrypto/cert.c create mode 100644 src/util/cert/nss/cert.c create mode 100644 src/util/check_and_open.c create mode 100644 src/util/child_common.c create mode 100644 src/util/child_common.h create mode 100644 src/util/crypto/libcrypto/crypto_base64.c create mode 100644 src/util/crypto/libcrypto/crypto_hmac_sha1.c create mode 100644 src/util/crypto/libcrypto/crypto_nite.c create mode 100644 src/util/crypto/libcrypto/crypto_obfuscate.c create mode 100644 src/util/crypto/libcrypto/crypto_sha512crypt.c create mode 100644 src/util/crypto/libcrypto/sss_openssl.h create mode 100644 src/util/crypto/nss/nss_base64.c create mode 100644 src/util/crypto/nss/nss_crypto.h create mode 100644 src/util/crypto/nss/nss_hmac_sha1.c create mode 100644 src/util/crypto/nss/nss_nite.c create mode 100644 src/util/crypto/nss/nss_obfuscate.c create mode 100644 src/util/crypto/nss/nss_sha512crypt.c create mode 100644 src/util/crypto/nss/nss_util.c create mode 100644 src/util/crypto/nss/nss_util.h create mode 100644 src/util/crypto/sss_crypto.c create mode 100644 src/util/crypto/sss_crypto.h create mode 100644 src/util/debug.c create mode 100644 src/util/debug.h create mode 100644 src/util/dlinklist.h create mode 100644 src/util/domain_info_utils.c create mode 100644 src/util/files.c create mode 100644 src/util/find_uid.c create mode 100644 src/util/find_uid.h create mode 100644 src/util/inotify.c create mode 100644 src/util/inotify.h create mode 100644 src/util/io.c create mode 100644 src/util/memory.c create mode 100644 src/util/mmap_cache.h create mode 100644 src/util/murmurhash3.c create mode 100644 src/util/nscd.c create mode 100644 src/util/probes.h create mode 100644 src/util/refcount.c create mode 100644 src/util/refcount.h create mode 100644 src/util/safe-format-string.c create mode 100644 src/util/safe-format-string.h 
create mode 100644 src/util/selinux.c create mode 100644 src/util/server.c create mode 100644 src/util/session_recording.c create mode 100644 src/util/session_recording.h create mode 100644 src/util/signal.c create mode 100644 src/util/sss_cli_cmd.c create mode 100644 src/util/sss_cli_cmd.h create mode 100644 src/util/sss_endian.h create mode 100644 src/util/sss_format.h create mode 100644 src/util/sss_ini.c create mode 100644 src/util/sss_ini.h create mode 100644 src/util/sss_iobuf.c create mode 100644 src/util/sss_iobuf.h create mode 100644 src/util/sss_krb5.c create mode 100644 src/util/sss_krb5.h create mode 100644 src/util/sss_ldap.c create mode 100644 src/util/sss_ldap.h create mode 100644 src/util/sss_log.c create mode 100644 src/util/sss_nss.c create mode 100644 src/util/sss_nss.h create mode 100644 src/util/sss_ptr_hash.c create mode 100644 src/util/sss_ptr_hash.h create mode 100644 src/util/sss_python.c create mode 100644 src/util/sss_python.h create mode 100644 src/util/sss_selinux.c create mode 100644 src/util/sss_selinux.h create mode 100644 src/util/sss_semanage.c create mode 100644 src/util/sss_sockets.c create mode 100644 src/util/sss_sockets.h create mode 100644 src/util/sss_ssh.c create mode 100644 src/util/sss_ssh.h create mode 100644 src/util/sss_tc_utf8.c create mode 100644 src/util/sss_utf8.c create mode 100644 src/util/sss_utf8.h create mode 100644 src/util/string_utils.c create mode 100644 src/util/strtonum.c create mode 100644 src/util/strtonum.h create mode 100644 src/util/tev_curl.c create mode 100644 src/util/tev_curl.h create mode 100644 src/util/user_info_msg.c create mode 100644 src/util/user_info_msg.h create mode 100644 src/util/usertools.c create mode 100644 src/util/util.c create mode 100644 src/util/util.h create mode 100644 src/util/util_creds.h create mode 100644 src/util/util_errors.c create mode 100644 src/util/util_errors.h create mode 100644 src/util/util_ext.c create mode 100644 src/util/util_lock.c create mode 100644 
src/util/util_preauth.c create mode 100644 src/util/util_sss_idmap.c create mode 100644 src/util/util_sss_idmap.h create mode 100644 src/util/util_watchdog.c create mode 100644 src/util/well_known_sids.c create mode 100644 version.m4
diff --git a/ABOUT-NLS b/ABOUT-NLS
new file mode 100644
index 0000000..ed3565a
--- /dev/null
+++ b/ABOUT-NLS
@@ -0,0 +1,986 @@
+1 Notes on the Free Translation Project
+***************************************
+
+Free software is going international! The Free Translation Project is
+a way to get maintainers of free software, translators, and users all
+together, so that free software will gradually become able to speak many
+languages. A few packages already provide translations for their
+messages.
+
+ If you found this `ABOUT-NLS' file inside a distribution, you may
+assume that the distributed package does use GNU `gettext' internally,
+itself available at your nearest GNU archive site. But you do _not_
+need to install GNU `gettext' prior to configuring, installing or using
+this package with messages translated.
+
+ Installers will find here some useful hints. These notes also
+explain how users should proceed for getting the programs to use the
+available translations. They tell how people wanting to contribute and
+work on translations can contact the appropriate team.
+
+ When reporting bugs in the `intl/' directory or bugs which may be
+related to internationalization, you should tell about the version of
+`gettext' which is used. The information can be found in the
+`intl/VERSION' file, in internationalized packages.
+
+1.1 Quick configuration advice
+==============================
+
+If you want to exploit the full power of internationalization, you
+should configure it using
+
+ ./configure --with-included-gettext
+
+to force usage of internationalizing routines provided within this
+package, despite the existence of internationalizing capabilities in the
+operating system where this package is being installed. So far, only
+the `gettext' implementation in the GNU C library version 2 provides as
+many features (such as locale alias, message inheritance, automatic
+charset conversion or plural form handling) as the implementation here.
+It is also not possible to offer this additional functionality on top
+of a `catgets' implementation.
Future versions of GNU `gettext' will
+very likely convey even more functionality. So it might be a good idea
+to change to GNU `gettext' as soon as possible.
+
+ So you need _not_ provide this option if you are using GNU libc 2 or
+you have installed a recent copy of the GNU gettext package with the
+included `libintl'.
+
+1.2 INSTALL Matters
+===================
+
+Some packages are "localizable" when properly installed; the programs
+they contain can be made to speak your own native language. Most such
+packages use GNU `gettext'. Other packages have their own ways to
+internationalization, predating GNU `gettext'.
+
+ By default, this package will be installed to allow translation of
+messages. It will automatically detect whether the system already
+provides the GNU `gettext' functions. If not, the included GNU
+`gettext' library will be used. This library is wholly contained
+within this package, usually in the `intl/' subdirectory, so prior
+installation of the GNU `gettext' package is _not_ required.
+Installers may use special options at configuration time for changing
+the default behaviour. The commands:
+
+ ./configure --with-included-gettext
+ ./configure --disable-nls
+
+will, respectively, bypass any pre-existing `gettext' to use the
+internationalizing routines provided within this package, or else,
+_totally_ disable translation of messages.
+
+ When you already have GNU `gettext' installed on your system and run
+configure without an option for your new package, `configure' will
+probably detect the previously built and installed `libintl.a' file and
+will decide to use this. This might not be desirable. You should use
+the more recent version of the GNU `gettext' library. I.e. if the file
+`intl/VERSION' shows that the library which comes with this package is
+more recent, you should use
+
+ ./configure --with-included-gettext
+
+to prevent auto-detection.
+
+ The configuration process will not test for the `catgets' function
+and therefore it will not be used. The reason is that even an
+emulation of `gettext' on top of `catgets' could not provide all the
+extensions of the GNU `gettext' library.
+
+ Internationalized packages usually have many `po/LL.po' files, where
+LL gives an ISO 639 two-letter code identifying the language. Unless
+translations have been forbidden at `configure' time by using the
+`--disable-nls' switch, all available translations are installed
+together with the package. However, the environment variable `LINGUAS'
+may be set, prior to configuration, to limit the installed set.
+`LINGUAS' should then contain a space separated list of two-letter
+codes, stating which languages are allowed.
+
+1.3 Using This Package
+======================
+
+As a user, if your language has been installed for this package, you
+only have to set the `LANG' environment variable to the appropriate
+`LL_CC' combination. Here `LL' is an ISO 639 two-letter language code,
+and `CC' is an ISO 3166 two-letter country code. For example, let's
+suppose that you speak German and live in Germany. At the shell
+prompt, merely execute `setenv LANG de_DE' (in `csh'),
+`export LANG; LANG=de_DE' (in `sh') or `export LANG=de_DE' (in `bash').
+This can be done from your `.login' or `.profile' file, once and for
+all.
+
+ You might think that the country code specification is redundant.
+But in fact, some languages have dialects in different countries. For
+example, `de_AT' is used for Austria, and `pt_BR' for Brazil. The
+country code serves to distinguish the dialects.
+
+ The locale naming convention of `LL_CC', with `LL' denoting the
+language and `CC' denoting the country, is the one use on systems based
+on GNU libc. On other systems, some variations of this scheme are
+used, such as `LL' or `LL_CC.ENCODING'.
You can get the list of
+locales supported by your system for your country by running the command
+`locale -a | grep '^LL''.
+
+ Not all programs have translations for all languages. By default, an
+English message is shown in place of a nonexistent translation. If you
+understand other languages, you can set up a priority list of languages.
+This is done through a different environment variable, called
+`LANGUAGE'. GNU `gettext' gives preference to `LANGUAGE' over `LANG'
+for the purpose of message handling, but you still need to have `LANG'
+set to the primary language; this is required by other parts of the
+system libraries. For example, some Swedish users who would rather
+read translations in German than English for when Swedish is not
+available, set `LANGUAGE' to `sv:de' while leaving `LANG' to `sv_SE'.
+
+ Special advice for Norwegian users: The language code for Norwegian
+bokma*l changed from `no' to `nb' recently (in 2003). During the
+transition period, while some message catalogs for this language are
+installed under `nb' and some older ones under `no', it's recommended
+for Norwegian users to set `LANGUAGE' to `nb:no' so that both newer and
+older translations are used.
+
+ In the `LANGUAGE' environment variable, but not in the `LANG'
+environment variable, `LL_CC' combinations can be abbreviated as `LL'
+to denote the language's main dialect. For example, `de' is equivalent
+to `de_DE' (German as spoken in Germany), and `pt' to `pt_PT'
+(Portuguese as spoken in Portugal) in this context.
+
+1.4 Translating Teams
+=====================
+
+For the Free Translation Project to be a success, we need interested
+people who like their own language and write it well, and who are also
+able to synergize with other translators speaking the same language.
+Each translation team has its own mailing list.
The up-to-date list of
+teams can be found at the Free Translation Project's homepage,
+`http://www.iro.umontreal.ca/contrib/po/HTML/', in the "National teams"
+area.
+
+ If you'd like to volunteer to _work_ at translating messages, you
+should become a member of the translating team for your own language.
+The subscribing address is _not_ the same as the list itself, it has
+`-request' appended. For example, speakers of Swedish can send a
+message to `sv-request@li.org', having this message body:
+
+ subscribe
+
+ Keep in mind that team members are expected to participate
+_actively_ in translations, or at solving translational difficulties,
+rather than merely lurking around. If your team does not exist yet and
+you want to start one, or if you are unsure about what to do or how to
+get started, please write to `translation@iro.umontreal.ca' to reach the
+coordinator for all translator teams.
+
+ The English team is special. It works at improving and uniformizing
+the terminology in use. Proven linguistic skill are praised more than
+programming skill, here.
+
+1.5 Available Packages
+======================
+
+Languages are not equally supported in all packages. The following
+matrix shows the current state of internationalization, as of April
+2005. The matrix shows, in regard of each package, for which languages
+PO files have been submitted to translation coordination, with a
+translation percentage of at least 50%.
+ + Ready PO files af am ar az be bg bs ca cs cy da de el en en_GB + +-------------------------------------------------+ + GNUnet | | + a2ps | [] [] [] [] [] | + aegis | () | + ant-phone | () | + anubis | [] | + ap-utils | | + aspell | [] [] [] [] | + bash | [] [] | + batchelor | [] | + bfd | | + bibshelf | [] | + binutils | [] | + bison | [] [] | + bluez-pin | [] [] [] [] | + clisp | [] [] | + console-tools | [] [] | + coreutils | [] [] [] [] | + cpio | | + cpplib | [] [] [] | + darkstat | [] () [] | + dialog | [] [] [] [] [] [] | + diffutils | [] [] [] [] [] | + doodle | [] | + e2fsprogs | [] [] | + enscript | [] [] [] [] | + error | [] [] [] [] | + fetchmail | [] () [] [] [] | + fileutils | [] [] | + findutils | [] [] [] | + flex | [] [] [] | + fslint | [] | + gas | | + gawk | [] [] [] | + gbiff | [] | + gcal | [] | + gcc | [] | + gettext-examples | [] [] [] [] | + gettext-runtime | [] [] [] [] | + gettext-tools | [] [] | + gimp-print | [] [] [] [] | + gip | | + gliv | [] | + glunarclock | | + gmult | [] [] | + gnubiff | () | + gnucash | [] () () [] | + gnucash-glossary | [] () | + gpe-aerial | [] [] | + gpe-beam | [] [] | + gpe-calendar | [] [] | + gpe-clock | [] [] | + gpe-conf | [] [] | + gpe-contacts | | + gpe-edit | [] | + gpe-go | [] | + gpe-login | [] [] | + gpe-ownerinfo | [] [] | + gpe-sketchbook | [] [] | + gpe-su | [] [] | + gpe-taskmanager | [] [] | + gpe-timesheet | [] | + gpe-today | [] [] | + gpe-todo | [] [] | + gphoto2 | [] [] [] [] | + gprof | [] [] | + gpsdrive | () () | + gramadoir | [] [] | + grep | [] [] [] [] [] [] | + gretl | | + gsasl | [] | + gss | | + gst-plugins | [] [] [] [] [] [] | + gstreamer | [] [] [] [] [] | + gtick | [] () | + gtkspell | [] [] [] | + hello | [] [] [] [] | + id-utils | [] [] | + impost | | + indent | [] [] | + iso_3166 | | + iso_3166_1 | [] [] [] [] [] | + iso_3166_2 | | + iso_3166_3 | [] | + iso_4217 | | + iso_639 | | + jpilot | [] | + jtag | | + jwhois | | + kbd | [] [] [] [] | + latrine | () | + ld | [] | + 
libc | [] [] [] [] [] | + libextractor | | + libgpewidget | [] [] [] | + libgsasl | | + libiconv | [] [] [] [] [] | + libidn | | + lifelines | [] () | + lilypond | [] | + lingoteach | | + lynx | [] [] [] [] | + m4 | [] [] [] [] | + mailutils | [] | + make | [] [] | + man-db | [] () [] [] | + minicom | [] [] | + mysecretdiary | [] [] | + nano | [] () [] | + nano_1_0 | [] () [] [] | + opcodes | [] | + parted | [] [] [] [] | + psmisc | | + ptx | [] [] [] | + pwdutils | | + python | | + radius | [] | + recode | [] [] [] [] [] | + rpm | [] [] | + screem | | + scrollkeeper | [] [] [] [] [] [] [] [] | + sed | [] [] | + sh-utils | [] [] | + shared-mime-info | [] [] | + sharutils | [] [] [] [] [] | + silky | | + skencil | [] () | + sketch | [] () | + solfege | [] | + soundtracker | [] [] | + sp | [] | + stardict | [] | + tar | | + texinfo | [] [] | + textutils | [] [] [] | + tin | () () | + tp-robot | [] | + tuxpaint | [] [] [] [] [] [] [] | + unicode-han-tra... | | + unicode-transla... | | + util-linux | [] [] [] [] | + vorbis-tools | [] [] [] [] | + wastesedge | () | + wdiff | [] [] [] [] | + wget | [] [] [] [] [] [] | + xchat | [] [] [] [] | + xkeyboard-config | | + xpad | | + +-------------------------------------------------+ + af am ar az be bg bs ca cs cy da de el en en_GB + 10 0 0 2 7 4 0 41 43 3 52 90 20 1 15 + + eo es et eu fa fi fr ga gl he hr hu id is it + +-----------------------------------------------+ + GNUnet | | + a2ps | [] [] [] () | + aegis | | + ant-phone | [] | + anubis | [] | + ap-utils | [] | + aspell | [] [] | + bash | [] [] [] [] | + batchelor | [] [] | + bfd | [] | + bibshelf | [] [] [] | + binutils | [] [] | + bison | [] [] [] [] [] [] | + bluez-pin | [] [] [] [] [] [] | + clisp | [] [] | + console-tools | | + coreutils | [] [] [] [] [] | + cpio | [] [] | + cpplib | [] [] | + darkstat | [] () [] [] [] | + dialog | [] [] [] [] [] [] [] [] | + diffutils | [] [] [] [] [] [] [] [] [] [] | + doodle | [] [] | + e2fsprogs | [] [] [] | + enscript | [] [] 
| + error | [] [] [] [] [] | + fetchmail | [] | + fileutils | [] [] [] [] [] [] | + findutils | [] [] [] [] [] | + flex | [] [] [] | + fslint | [] | + gas | [] [] | + gawk | [] [] [] [] | + gbiff | [] | + gcal | [] [] | + gcc | [] | + gettext-examples | [] [] [] [] | + gettext-runtime | [] [] [] [] [] [] | + gettext-tools | [] [] [] | + gimp-print | [] [] | + gip | [] [] [] | + gliv | () | + glunarclock | [] [] [] | + gmult | [] [] [] | + gnubiff | () () | + gnucash | [] () [] | + gnucash-glossary | [] [] | + gpe-aerial | [] [] | + gpe-beam | [] [] | + gpe-calendar | [] [] [] [] | + gpe-clock | [] [] [] | + gpe-conf | [] | + gpe-contacts | [] | + gpe-edit | [] [] | + gpe-go | [] [] | + gpe-login | [] [] [] | + gpe-ownerinfo | [] [] [] [] [] | + gpe-sketchbook | [] [] | + gpe-su | [] [] [] | + gpe-taskmanager | [] [] [] | + gpe-timesheet | [] [] [] [] | + gpe-today | [] [] [] [] | + gpe-todo | [] [] [] | + gphoto2 | [] [] [] [] [] | + gprof | [] [] [] | + gpsdrive | () () [] () | + gramadoir | [] [] | + grep | [] [] [] [] [] [] [] [] [] [] [] [] | + gretl | [] [] [] | + gsasl | [] [] [] | + gss | [] | + gst-plugins | [] [] [] | + gstreamer | [] | + gtick | [] [] [] [] [] | + gtkspell | [] [] [] [] [] [] | + hello | [] [] [] [] [] [] [] [] [] [] [] [] [] [] | + id-utils | [] [] [] [] | + impost | [] [] | + indent | [] [] [] [] [] [] [] [] [] [] [] | + iso_3166 | [] [] [] | + iso_3166_1 | [] [] [] [] [] [] [] | + iso_3166_2 | [] | + iso_3166_3 | [] | + iso_4217 | [] [] [] | + iso_639 | [] [] [] [] | + jpilot | [] [] | + jtag | [] | + jwhois | [] [] [] [] [] | + kbd | [] [] | + latrine | [] [] [] | + ld | [] [] | + libc | [] [] [] [] [] | + libextractor | | + libgpewidget | [] [] [] [] [] | + libgsasl | [] [] | + libiconv | [] [] [] [] [] [] [] [] [] [] [] | + libidn | [] [] | + lifelines | () | + lilypond | [] | + lingoteach | [] [] [] | + lynx | [] [] [] | + m4 | [] [] [] [] | + mailutils | [] [] | + make | [] [] [] [] [] [] [] | + man-db | () | + minicom | [] [] [] 
[] | + mysecretdiary | [] [] [] | + nano | [] [] () [] [] | + nano_1_0 | [] [] [] [] [] | + opcodes | [] [] | + parted | [] [] [] [] | + psmisc | [] [] | + ptx | [] [] [] [] [] [] [] [] [] | + pwdutils | | + python | | + radius | [] [] | + recode | [] [] [] [] [] [] [] [] | + rpm | [] | + screem | | + scrollkeeper | [] [] [] | + sed | [] [] [] [] [] | + sh-utils | [] [] [] [] [] [] [] | + shared-mime-info | [] [] [] [] [] [] | + sharutils | [] [] [] [] [] [] [] | + silky | [] | + skencil | [] [] | + sketch | [] [] | + solfege | [] | + soundtracker | [] [] [] | + sp | [] | + stardict | [] | + tar | [] [] [] [] [] | + texinfo | [] [] [] | + textutils | [] [] [] [] [] | + tin | [] () | + tp-robot | [] [] | + tuxpaint | [] [] [] [] [] [] [] [] [] | + unicode-han-tra... | | + unicode-transla... | [] [] | + util-linux | [] [] [] [] [] [] | + vorbis-tools | [] [] | + wastesedge | () | + wdiff | [] [] [] [] [] [] [] [] | + wget | [] [] [] [] [] [] [] [] [] [] | + xchat | [] [] [] [] [] | + xkeyboard-config | | + xpad | [] [] [] | + +-----------------------------------------------+ + eo es et eu fa fi fr ga gl he hr hu id is it + 13 85 21 15 2 35 115 45 17 8 6 40 27 1 45 + + ja ko ku lg lt lv mk mn ms mt nb nl nn no nso + +-----------------------------------------------+ + GNUnet | | + a2ps | () [] [] () | + aegis | () | + ant-phone | [] | + anubis | [] [] [] | + ap-utils | | + aspell | [] [] | + bash | [] | + batchelor | [] | + bfd | | + bibshelf | | + binutils | | + bison | [] [] [] | + bluez-pin | [] | + clisp | [] | + console-tools | | + coreutils | [] [] | + cpio | | + cpplib | | + darkstat | [] [] | + dialog | [] | + diffutils | [] [] [] | + doodle | | + e2fsprogs | | + enscript | [] | + error | [] | + fetchmail | [] [] | + fileutils | [] [] | + findutils | [] | + flex | [] [] | + fslint | [] | + gas | | + gawk | [] [] | + gbiff | [] | + gcal | | + gcc | | + gettext-examples | [] [] | + gettext-runtime | [] [] [] | + gettext-tools | [] [] | + gimp-print | [] [] | + 
gip | [] | + gliv | [] | + glunarclock | [] [] | + gmult | [] | + gnubiff | | + gnucash | () () [] | + gnucash-glossary | [] | + gpe-aerial | [] | + gpe-beam | [] | + gpe-calendar | [] | + gpe-clock | [] | + gpe-conf | [] | + gpe-contacts | | + gpe-edit | [] | + gpe-go | [] | + gpe-login | [] | + gpe-ownerinfo | [] | + gpe-sketchbook | [] | + gpe-su | [] | + gpe-taskmanager | [] [] | + gpe-timesheet | [] | + gpe-today | [] | + gpe-todo | [] | + gphoto2 | [] [] | + gprof | | + gpsdrive | () () () | + gramadoir | () | + grep | [] [] [] | + gretl | | + gsasl | [] | + gss | | + gst-plugins | [] | + gstreamer | [] | + gtick | [] | + gtkspell | [] [] | + hello | [] [] [] [] [] [] [] [] | + id-utils | [] | + impost | | + indent | [] [] | + iso_3166 | [] | + iso_3166_1 | [] [] | + iso_3166_2 | [] | + iso_3166_3 | [] | + iso_4217 | [] [] [] | + iso_639 | [] [] [] | + jpilot | () () () | + jtag | | + jwhois | [] | + kbd | [] | + latrine | [] | + ld | | + libc | [] [] [] [] [] | + libextractor | | + libgpewidget | [] | + libgsasl | [] | + libiconv | [] | + libidn | | + lifelines | [] | + lilypond | [] | + lingoteach | [] | + lynx | [] [] | + m4 | [] [] | + mailutils | | + make | [] [] [] | + man-db | () | + minicom | [] | + mysecretdiary | [] | + nano | [] [] | + nano_1_0 | [] [] [] | + opcodes | [] | + parted | [] [] | + psmisc | [] [] | + ptx | [] [] [] | + pwdutils | | + python | | + radius | | + recode | [] | + rpm | [] [] | + screem | [] | + scrollkeeper | [] [] [] | + sed | [] [] | + sh-utils | [] [] | + shared-mime-info | [] [] [] [] | + sharutils | [] [] | + silky | [] | + skencil | | + sketch | | + solfege | [] [] | + soundtracker | | + sp | () | + stardict | [] [] | + tar | [] [] | + texinfo | [] [] [] | + textutils | [] [] [] | + tin | | + tp-robot | [] | + tuxpaint | [] [] [] [] [] [] | + unicode-han-tra... | | + unicode-transla... 
| | + util-linux | [] [] | + vorbis-tools | [] | + wastesedge | [] | + wdiff | [] [] | + wget | [] [] | + xchat | [] [] [] [] | + xkeyboard-config | [] | + xpad | [] | + +-----------------------------------------------+ + ja ko ku lg lt lv mk mn ms mt nb nl nn no nso + 33 11 1 1 1 2 2 3 11 0 15 96 7 5 0 + + or pa pl pt pt_BR rm ro ru rw sk sl sq sr sv ta + +-------------------------------------------------+ + GNUnet | | + a2ps | () [] [] [] [] [] [] | + aegis | () () | + ant-phone | [] | + anubis | [] [] [] | + ap-utils | () | + aspell | [] [] | + bash | [] [] [] | + batchelor | [] | + bfd | | + bibshelf | | + binutils | [] [] | + bison | [] [] [] [] [] | + bluez-pin | [] [] [] [] [] [] [] [] | + clisp | [] | + console-tools | [] | + coreutils | [] [] [] [] | + cpio | [] [] | + cpplib | | + darkstat | [] [] [] [] [] [] | + dialog | [] [] [] [] [] [] [] | + diffutils | [] [] [] [] [] [] | + doodle | [] | + e2fsprogs | [] [] | + enscript | [] [] [] [] | + error | [] [] [] | + fetchmail | [] () [] [] [] | + fileutils | [] [] [] [] [] | + findutils | [] [] [] [] [] [] | + flex | [] [] [] [] [] | + fslint | [] [] [] | + gas | | + gawk | [] [] [] [] | + gbiff | [] | + gcal | [] | + gcc | | + gettext-examples | [] [] [] [] [] [] | + gettext-runtime | [] [] [] [] [] [] [] | + gettext-tools | [] [] [] [] [] [] [] | + gimp-print | [] [] | + gip | [] [] [] | + gliv | [] [] [] | + glunarclock | [] [] [] [] [] [] | + gmult | [] [] [] [] | + gnubiff | () [] | + gnucash | () [] [] [] [] | + gnucash-glossary | [] [] [] | + gpe-aerial | [] [] [] [] [] [] | + gpe-beam | [] [] [] [] [] [] | + gpe-calendar | [] [] [] [] [] [] [] | + gpe-clock | [] [] [] [] [] [] [] | + gpe-conf | [] [] [] [] [] [] | + gpe-contacts | [] [] [] | + gpe-edit | [] [] [] [] [] [] [] | + gpe-go | [] [] [] [] [] | + gpe-login | [] [] [] [] [] [] [] | + gpe-ownerinfo | [] [] [] [] [] [] [] | + gpe-sketchbook | [] [] [] [] [] [] [] | + gpe-su | [] [] [] [] [] [] [] | + gpe-taskmanager | [] [] [] [] [] [] [] | + 
gpe-timesheet | [] [] [] [] [] [] [] | + gpe-today | [] [] [] [] [] [] [] | + gpe-todo | [] [] [] [] [] [] [] | + gphoto2 | [] [] [] [] | + gprof | [] [] [] | + gpsdrive | [] | + gramadoir | [] | + grep | [] [] [] [] [] [] [] | + gretl | [] | + gsasl | [] [] [] [] [] | + gss | [] [] [] | + gst-plugins | [] [] [] [] | + gstreamer | [] [] [] [] | + gtick | [] [] [] | + gtkspell | [] [] [] [] [] [] | + hello | [] [] [] [] [] [] [] | + id-utils | [] [] [] [] | + impost | | + indent | [] [] [] [] [] [] | + iso_3166 | [] [] [] [] [] | + iso_3166_1 | [] [] [] [] | + iso_3166_2 | | + iso_3166_3 | [] [] [] | + iso_4217 | [] [] | + iso_639 | [] [] [] | + jpilot | | + jtag | [] | + jwhois | [] [] [] () () | + kbd | [] [] [] | + latrine | [] [] | + ld | [] | + libc | [] [] [] [] [] | + libextractor | [] | + libgpewidget | [] [] [] [] [] [] | + libgsasl | [] [] [] | + libiconv | [] [] [] [] [] [] [] [] [] [] | + libidn | [] () | + lifelines | [] [] | + lilypond | [] | + lingoteach | [] | + lynx | [] [] [] | + m4 | [] [] [] [] [] | + mailutils | [] [] [] | + make | [] [] [] [] | + man-db | [] [] | + minicom | [] [] [] [] | + mysecretdiary | [] [] [] [] | + nano | [] [] [] | + nano_1_0 | [] [] [] [] | + opcodes | [] [] | + parted | [] [] [] [] | + psmisc | [] [] | + ptx | [] [] [] [] [] [] | + pwdutils | [] | + python | | + radius | [] [] | + recode | [] [] [] [] [] [] | + rpm | [] [] [] [] | + screem | | + scrollkeeper | [] [] [] [] [] [] [] | + sed | [] [] [] [] [] [] [] [] | + sh-utils | [] [] [] | + shared-mime-info | [] [] [] [] [] | + sharutils | [] [] [] | + silky | [] | + skencil | [] [] [] | + sketch | [] [] [] | + solfege | | + soundtracker | [] [] | + sp | | + stardict | [] [] | + tar | [] [] [] [] | + texinfo | [] [] [] [] | + textutils | [] [] [] | + tin | | + tp-robot | [] | + tuxpaint | [] [] [] [] [] [] [] [] | + unicode-han-tra... | | + unicode-transla... 
| | + util-linux | [] [] [] | + vorbis-tools | [] [] | + wastesedge | | + wdiff | [] [] [] [] [] [] | + wget | [] [] [] [] [] [] [] [] [] | + xchat | [] [] [] [] [] [] | + xkeyboard-config | | + xpad | | + +-------------------------------------------------+ + or pa pl pt pt_BR rm ro ru rw sk sl sq sr sv ta + 1 0 48 30 58 6 79 71 5 45 13 12 50 86 0 + + tg th tk tr uk ven vi wa xh zh_CN zh_TW zu + +--------------------------------------------+ + GNUnet | | 0 + a2ps | [] [] [] | 19 + aegis | | 0 + ant-phone | [] | 4 + anubis | [] | 9 + ap-utils | () | 1 + aspell | [] [] [] | 13 + bash | | 10 + batchelor | [] [] | 7 + bfd | | 1 + bibshelf | [] | 5 + binutils | [] | 6 + bison | [] | 17 + bluez-pin | [] [] [] [] [] | 24 + clisp | | 7 + console-tools | [] | 4 + coreutils | [] | 16 + cpio | [] [] | 6 + cpplib | [] [] | 7 + darkstat | [] () () | 15 + dialog | [] [] [] | 25 + diffutils | [] [] [] [] | 28 + doodle | [] | 5 + e2fsprogs | [] | 8 + enscript | [] | 12 + error | [] [] [] | 16 + fetchmail | [] | 12 + fileutils | [] [] [] | 18 + findutils | [] [] | 17 + flex | [] [] | 15 + fslint | [] | 7 + gas | [] | 3 + gawk | [] | 14 + gbiff | | 4 + gcal | [] | 5 + gcc | [] | 3 + gettext-examples | [] [] [] [] | 20 + gettext-runtime | [] [] [] [] [] | 25 + gettext-tools | [] [] [] | 17 + gimp-print | [] | 11 + gip | [] | 8 + gliv | [] | 6 + glunarclock | [] [] | 13 + gmult | [] [] [] | 13 + gnubiff | [] | 3 + gnucash | () [] | 10 + gnucash-glossary | [] | 8 + gpe-aerial | [] [] | 13 + gpe-beam | [] [] | 13 + gpe-calendar | [] [] [] [] | 18 + gpe-clock | [] [] [] [] | 17 + gpe-conf | [] [] | 12 + gpe-contacts | [] [] | 6 + gpe-edit | [] [] [] [] | 15 + gpe-go | [] [] | 11 + gpe-login | [] [] [] [] [] | 18 + gpe-ownerinfo | [] [] [] [] | 19 + gpe-sketchbook | [] [] | 14 + gpe-su | [] [] [] | 16 + gpe-taskmanager | [] [] [] | 17 + gpe-timesheet | [] [] [] [] | 17 + gpe-today | [] [] [] [] [] | 19 + gpe-todo | [] [] [] | 16 + gphoto2 | [] [] | 17 + gprof | [] [] | 10 + gpsdrive | | 2 
+ gramadoir | [] | 6 + grep | [] [] [] [] | 32 + gretl | | 4 + gsasl | [] [] | 12 + gss | [] | 5 + gst-plugins | [] [] | 16 + gstreamer | [] [] [] | 14 + gtick | [] | 11 + gtkspell | [] [] [] | 20 + hello | [] [] [] [] | 37 + id-utils | [] [] | 13 + impost | [] | 3 + indent | [] [] [] | 24 + iso_3166 | [] [] [] | 12 + iso_3166_1 | [] [] | 20 + iso_3166_2 | | 2 + iso_3166_3 | [] [] | 8 + iso_4217 | [] [] | 10 + iso_639 | [] [] | 12 + jpilot | [] [] [] | 6 + jtag | | 2 + jwhois | [] [] [] | 12 + kbd | [] [] | 12 + latrine | [] [] | 8 + ld | [] | 5 + libc | [] [] | 22 + libextractor | | 1 + libgpewidget | [] [] | 17 + libgsasl | [] | 7 + libiconv | [] [] [] [] [] | 32 + libidn | [] [] | 5 + lifelines | | 4 + lilypond | [] | 5 + lingoteach | | 5 + lynx | [] [] | 14 + m4 | [] [] | 17 + mailutils | [] | 7 + make | [] [] | 18 + man-db | | 5 + minicom | | 11 + mysecretdiary | [] [] | 12 + nano | | 11 + nano_1_0 | [] [] | 17 + opcodes | [] | 7 + parted | [] [] [] | 17 + psmisc | [] | 7 + ptx | [] [] | 23 + pwdutils | | 1 + python | | 0 + radius | [] | 6 + recode | [] [] | 22 + rpm | [] [] | 11 + screem | | 1 + scrollkeeper | [] [] | 23 + sed | [] [] | 19 + sh-utils | [] | 15 + shared-mime-info | [] [] | 19 + sharutils | [] [] [] | 20 + silky | | 3 + skencil | | 6 + sketch | | 6 + solfege | | 4 + soundtracker | [] | 8 + sp | [] | 3 + stardict | [] [] [] [] | 10 + tar | [] [] | 13 + texinfo | [] [] | 14 + textutils | [] [] [] | 17 + tin | | 1 + tp-robot | [] [] | 7 + tuxpaint | [] [] [] [] | 34 + unicode-han-tra... | | 0 + unicode-transla... | | 2 + util-linux | [] [] | 17 + vorbis-tools | [] | 10 + wastesedge | | 1 + wdiff | [] [] | 22 + wget | [] [] [] [] | 31 + xchat | [] [] [] | 22 + xkeyboard-config | | 1 + xpad | [] | 5 + +--------------------------------------------+ + 72 teams tg th tk tr uk ven vi wa xh zh_CN zh_TW zu + 147 domains 0 0 1 78 29 0 71 16 0 41 20 0 1711 + + Some counters in the preceding matrix are higher than the number of +visible blocks let us expect. 
This is because a few extra PO files are
+used for implementing regional variants of languages, or language
+dialects.
+
+ For a PO file in the matrix above to be effective, the package to
+which it applies should also have been internationalized and
+distributed as such by its maintainer. There might be an observable
+lag between the mere existence a PO file and its wide availability in a
+distribution.
+
+ If April 2005 seems to be old, you may fetch a more recent copy of
+this `ABOUT-NLS' file on most GNU archive sites. The most up-to-date
+matrix with full percentage details can be found at
+`http://www.iro.umontreal.ca/contrib/po/HTML/matrix.html'.
+
+1.6 Using `gettext' in new packages
+===================================
+
+If you are writing a freely available program and want to
+internationalize it you are welcome to use GNU `gettext' in your
+package. Of course you have to respect the GNU Library General Public
+License which covers the use of the GNU `gettext' library. This means
+in particular that even non-free programs can use `libintl' as a shared
+library, whereas only free software can use `libintl' as a static
+library or use modified versions of `libintl'.
+
+ Once the sources are changed appropriately and the setup can handle
+the use of `gettext' the only thing missing are the translations. The
+Free Translation Project is also available for packages which are not
+developed inside the GNU project. Therefore the information given above
+applies also for every other Free Software Project. Contact
+`translation@iro.umontreal.ca' to make the `.pot' files available to
+the translation teams.
+
diff --git a/BUILD.txt b/BUILD.txt
new file mode 100644
index 0000000..f2921a8
--- /dev/null
+++ b/BUILD.txt
@@ -0,0 +1,6 @@
+The instructions on how to build the SSSD and contribute to the
+project can be found here:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+https://docs.pagure.org/SSSD.sssd/developers/index.html
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/COPYING b/COPYING
new file mode 100644
index 0000000..94a9ed0
--- /dev/null
+++ b/COPYING
@@ -0,0 +1,674 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc.
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public License.
+
+ "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy. The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+ To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+for making modifications to it. "Object code" means any non-source
+form of a work.
+
+ A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+ The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+ The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+ The Corresponding Source for a work in source code form is that
+same work.
+
+ 2.
Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+ You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force. You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright. Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+the conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+ a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+
+ b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under section
+ 7. This requirement modifies the requirement in section 4 to
+ "keep intact all notices".
+
+ c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged.
This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+
+ d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+ a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the
+ Corresponding Source from a network server at no charge.
+
+ c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+
+ d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+
+ e) Convey the object code using peer-to-peer transmission, provided
+ you inform other peers where the object code and Corresponding
+ Source of the work are being offered to the general public at no
+ charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling. In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage. For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product. A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source. The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+ If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+ The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed. Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+ Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.
If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+ a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+
+ b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+
+ c) Prohibiting misrepresentation of the origin of that material, or
+ requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+
+ d) Limiting the use for publicity purposes of names of licensors or
+ authors of the material; or
+
+ e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions of
+ it) with contractual assumptions of liability to the recipient, for
+ any liability that these contractual assumptions directly impose on
+ those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.
If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper mail.
+
+ If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+ You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+.
+
+ The GNU General Public License does not permit incorporating your program
+into proprietary programs. If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library. If this is what you want to do, use the GNU Lesser General
+Public License instead of this License. But first, please read
+.
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..484b449
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,5179 @@
+extra_distcheck_flags =
+if HAVE_DEVSHM
+ extra_distcheck_flags += --with-test-dir=/dev/shm
+endif
+
+if WITH_JOURNALD
+ extra_distcheck_flags += --with-syslog=journald
+endif
+
+DISTCHECK_CONFIGURE_FLAGS = --with-ldb-lib-dir="$$dc_install_base"/lib/ldb \
+ --disable-dbus-tests \
+ --enable-all-experimental-features \
+ $(extra_distcheck_flags) \
+ $(AUX_DISTCHECK_CONFIGURE_FLAGS)
+CLEANFILES = $(NULL)
+BUILT_SOURCES = $(NULL)
+
+SUBDIRS = po
+
+if HAVE_MANPAGES
+SUBDIRS += src/man
+endif
+
+SUBDIRS += . src/tests/cwrap src/tests/intg src/tests/test_CA
+
+# Some old versions of automake don't define builddir
+builddir ?= .
+
+DOXYGEN = @DOXYGEN@
+
+DISTSETUPOPTS =
+if HAVE_DEBIAN
+DISTSETUPOPTS += --install-layout=deb
+endif
+
+sssdlibexecdir = $(libexecdir)/sssd
+sssdlibdir = $(libdir)/sssd
+sssddefaultconfdir = $(sssdlibdir)/conf
+ldblibdir = @ldblibdir@
+if BUILD_KRB5_LOCATOR_PLUGIN
+krb5plugindir = @krb5pluginpath@
+endif
+if BUILD_KRB5_LOCALAUTH_PLUGIN
+krb5localauth_plugindir = @appmodpath@
+endif
+if BUILD_PAC_RESPONDER
+krb5authdata_plugindir = @krb5authdatapluginpath@
+endif
+if BUILD_CIFS_IDMAP_PLUGIN
+cifsplugindir = @cifspluginpath@
+endif
+if BUILD_SAMBA
+winbindplugindir = @winbindpluginpath@
+endif
+if BUILD_LIBWBCLIENT
+libwbclientdir = @appmodpath@
+endif
+sssdconfdir = $(sysconfdir)/sssd
+sssddatadir = $(datadir)/sssd
+sssdapiplugindir = $(sssddatadir)/sssd.api.d
+sssdtapscriptdir = $(sssddatadir)/systemtap
+dbuspolicydir = $(sysconfdir)/dbus-1/system.d
+dbusservicedir = $(datadir)/dbus-1/system-services
+sss_statedir = $(localstatedir)/lib/sss
+runstatedir = @runstatedir@
+localedir = @localedir@
+nsslibdir = @nsslibdir@
+pamlibdir = @pammoddir@
+autofslibdir = @appmodpath@
+nfslibdir = @nfsidmaplibdir@
+
+dbpath = @dbpath@
+pluginpath = @pluginpath@
+pidpath = @pidpath@
+pipepath = @pipepath@
+mcpath = @mcpath@
+initdir = @initdir@
+systemdunitdir = @systemdunitdir@
+systemdconfdir = @systemdconfdir@
+logpath = @logpath@
+pubconfpath = @pubconfpath@
+gpocachepath = @gpocachepath@
+keytabdir = $(sss_statedir)/keytabs
+pkgconfigdir = $(libdir)/pkgconfig
+krb5rcachedir = @krb5rcachedir@
+sudolibdir = @sudolibpath@
+polkitdir = @polkitdir@
+pamconfdir = $(sysconfdir)/pam.d
+systemtap_tapdir = @tapset_dir@
+sssdkcmdatadir = $(datadir)/sssd-kcm
+deskprofilepath = $(sss_statedir)/deskprofile
+
+if HAVE_SYSTEMD_UNIT
+ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated
+ifp_systemdservice = SystemdService=sssd-ifp.service
+ifp_restart = Restart=on-failure
+else
+ifp_exec_cmd = $(sssdlibexecdir)/sss_signal
+ifp_systemdservice =
+ifp_restart =
+endif
+
+secdbpath = @secdbpath@
+
+UNICODE_LIBS=@UNICODE_LIBS@
+
+MKDIR_P = @MKDIR_P@
+INSTALL = @INSTALL@
+
+SSSD_USER = @SSSD_USER@
+
+
+AM_CFLAGS =
+if WANT_AUX_INFO
+ AM_CFLAGS += -aux-info $@.X
+endif
+if HAVE_GCC
+ AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
+ -Wcast-qual -Wcast-align -Wwrite-strings -Wundef \
+ -Werror-implicit-function-declaration -Winit-self \
+ -Wmissing-include-dirs \
+ -fno-strict-aliasing \
+ -std=gnu99
+endif
+
+pkgconfig_DATA =
+
+ACLOCAL_AMFLAGS = -I m4 -I .
+
+if BUILD_SSH
+bin_PROGRAMS = \
+ sss_ssh_authorizedkeys \
+ sss_ssh_knownhostsproxy
+endif
+
+sbin_PROGRAMS = \
+ sssd \
+ sss_useradd \
+ sss_userdel \
+ sss_groupadd \
+ sss_groupdel \
+ sss_usermod \
+ sss_groupmod \
+ sss_groupshow \
+ sss_cache \
+ sss_override \
+ sss_seed \
+ sssctl \
+ $(NULL)
+
+sssdlibexec_PROGRAMS = \
+ sssd_nss \
+ sssd_pam \
+ sssd_be \
+ krb5_child \
+ ldap_child \
+ proxy_child \
+ sss_signal \
+ $(NULL)
+if BUILD_SUDO
+sssdlibexec_PROGRAMS += sssd_sudo
+endif
+if BUILD_AUTOFS
+sssdlibexec_PROGRAMS += sssd_autofs
+endif
+if BUILD_SSH
+sssdlibexec_PROGRAMS += sssd_ssh
+endif
+if BUILD_IFP
+sssdlibexec_PROGRAMS += sssd_ifp
+endif
+if BUILD_SAMBA
+sssdlibexec_PROGRAMS += gpo_child
+endif
+if BUILD_SEMANAGE
+sssdlibexec_PROGRAMS += selinux_child
+endif
+sssdlibexec_PROGRAMS += p11_child
+if SSSD_USER
+if HAVE_POLKIT_RULES_D
+polkit_rulesdir = $(polkitdir)
+dist_polkit_rules_DATA = contrib/sssd-pcsc.rules
+endif
+endif
+if BUILD_SECRETS
+sssdlibexec_PROGRAMS += sssd_secrets
+endif
+if BUILD_KCM
+sssdlibexec_PROGRAMS += sssd_kcm
+dist_sssdkcmdata_DATA = contrib/kcm_default_ccache
+endif
+
+
+if BUILD_PAC_RESPONDER
+ sssdlibexec_PROGRAMS += sssd_pac
+endif
+if HAVE_SYSTEMD_UNIT
+sssdlibexec_PROGRAMS += sssd_check_socket_activated_responders
+endif
+
+if HAVE_CHECK
+ non_interactive_check_based_tests = \
+ dlopen-tests \
+ sysdb-tests \
+ strtonum-tests \
+ resolv-tests \
+ krb5-utils-tests \
+ check_and_open-tests \
+ files-tests \
+ refcount-tests \
+ fail_over-tests \
+ find_uid-tests \
+ auth-tests \
+ ipa_ldap_opt-tests \
+ ad_ldap_opt-tests \
+ crypto-tests \
+ util-tests \
+ debug-tests \
+ ipa_hbac-tests \
+ sss_idmap-tests \
+ responder_socket_access-tests \
+ safe-format-tests
+
+if BUILD_SSH
+ non_interactive_check_based_tests += sysdb_ssh-tests
+endif
+
+if BUILD_DBUS_TESTS
+ non_interactive_check_based_tests += \
+ sbus_tests \
+ sbus_codegen_tests
+endif # BUILD_DBUS_TESTS
+
+endif # HAVE_CHECK
+
+if HAVE_CMOCKA
+ non_interactive_cmocka_based_tests = \
+ nss-srv-tests \
+ test-find-uid \
+ test-io \
+ test-negcache \
+ test-authtok \
+ sss_nss_idmap-tests \
+ deskprofile_utils-tests \
+ dyndns-tests \
+ domain_resolution_order-tests \
+ fqnames-tests \
+ nestedgroups-tests \
+ test_sss_idmap \
+ test_ipa_idmap \
+ test_utils \
+ dp_opt_tests \
+ responder-get-domains-tests \
+ sbus-internal-tests \
+ config_check-tests \
+ sss_sifp-tests \
+ test_search_bases \
+ test_ldap_auth \
+ test_sdap_access \
+ test_sdap_certmap \
+ sdap-tests \
+ test_sysdb_ts_cache \
+ test_sysdb_views \
+ test_sysdb_subdomains \
+ test_sysdb_certmap \
+ test_sysdb_sudo \
+ test_sysdb_utils \
+ test_sysdb_domain_resolution_order \
+ test_wbc_calls \
+ test_be_ptask \
+ test_copy_ccache \
+ test_copy_keytab \
+ test_child_common \
+ responder_cache_req-tests \
+ test_sbus_opath \
+ test_fo_srv \
+ pam-srv-tests \
+ ssh-srv-tests \
+ test_ipa_subdom_util \
+ test_tools_colondb \
+ test_krb5_wait_queue \
+ test_cert_utils \
+ test_ldap_id_cleanup \
+ test_data_provider_be \
+ test_dp_request_table \
+ test_dp_request \
+ test_dp_builtin \
+ test_ipa_dn \
+ simple-access-tests \
+ krb5_common_test \
+ test_iobuf \
+ sss_certmap_test \
+ test_sssd_krb5_locator_plugin \
+ $(NULL)
+
+
+if HAVE_LIBRESOLV
+non_interactive_cmocka_based_tests += test_resolv_fake
+endif # HAVE_LIBRESOLV
+
+if BUILD_IFP
+non_interactive_cmocka_based_tests += ifp_tests
+endif # BUILD_IFP
+
+if HAVE_INOTIFY
+non_interactive_cmocka_based_tests += test_inotify
+endif # HAVE_INOTIFY
+
+if BUILD_KCM
+non_interactive_cmocka_based_tests += \
+ test_kcm_json \
+ test_kcm_queue \
+ $(NULL)
+endif # BUILD_KCM
+
+if BUILD_SAMBA
+non_interactive_cmocka_based_tests += \
+ ad_access_filter_tests \
+ ad_gpo_tests \
+ ad_common_tests \
+ test_sdap_initgr \
+ test_ad_subdom \
+ test_ipa_subdom_server \
+ $(NULL)
+endif
+
+if BUILD_KRB5_LOCALAUTH_PLUGIN
+non_interactive_cmocka_based_tests += test_sssd_krb5_localauth_plugin
+endif # BUILD_KRB5_LOCALAUTH_PLUGIN
+
+endif # HAVE_CMOCKA
+
+check_PROGRAMS = \
+ stress-tests \
+ krb5-child-test \
+ test_ssh_client \
+ $(non_interactive_cmocka_based_tests) \
+ $(non_interactive_check_based_tests)
+
+if HAVE_CMOCKA
+check_PROGRAMS += dummy-child
+endif # HAVE_CMOCKA
+
+PYTHON_TESTS =
+
+if BUILD_PYTHON2_BINDINGS
+PYTHON_TESTS += src/config/SSSDConfigTest.py2.sh \
+ src/tests/pyhbac-test.py2.sh \
+ src/tests/pysss_murmur-test.py2.sh \
+ $(NULL)
+endif
+if BUILD_PYTHON3_BINDINGS
+PYTHON_TESTS += src/config/SSSDConfigTest.py3.sh \
+ src/tests/pyhbac-test.py3.sh \
+ src/tests/pysss_murmur-test.py3.sh \
+ $(NULL)
+endif
+
+TEST_EXTENSIONS = .sh
+TESTS = \
+ $(PYTHON_TESTS) \
+ $(non_interactive_cmocka_based_tests) \
+ $(non_interactive_check_based_tests) \
+ src/tests/whitespace_test \
+ src/tests/double_semicolon_test \
+ $(NULL)
+
+sssdlib_LTLIBRARIES = \
+ libsss_ldap.la \
+ libsss_krb5.la \
+ libsss_proxy.la \
+ libsss_simple.la \
+ $(NULL)
+
+if BUILD_SAMBA
+sssdlib_LTLIBRARIES += \
+ libsss_ipa.la \
+ libsss_ad.la
+endif
+
+if HAVE_INOTIFY
+sssdlib_LTLIBRARIES += \
+ libsss_files.la \
+ $(NULL)
+endif # HAVE_INOTIFY
+
+ldblib_LTLIBRARIES = \
+ memberof.la
+
+if BUILD_KRB5_LOCATOR_PLUGIN
+krb5plugin_LTLIBRARIES = \
+ sssd_krb5_locator_plugin.la
+endif
+
+if BUILD_KRB5_LOCALAUTH_PLUGIN
+krb5localauth_plugin_LTLIBRARIES = \
+ sssd_krb5_localauth_plugin.la
+endif
+
+if BUILD_PAC_RESPONDER
+krb5authdata_plugin_LTLIBRARIES = \
+ sssd_pac_plugin.la
+endif
+
+if BUILD_CIFS_IDMAP_PLUGIN
+cifsplugin_LTLIBRARIES = \
+ cifs_idmap_sss.la
+endif
+
+if BUILD_SAMBA
+winbindplugin_LTLIBRARIES = \
+ winbind_idmap_sss.la \
+ $(NULL)
+endif
+
+noinst_LTLIBRARIES =
+
+pkglib_LTLIBRARIES =
+
+if BUILD_PYTHON2_BINDINGS
+py2exec_LTLIBRARIES = \
+ _py2sss.la \
+ _py2hbac.la \
+ _py2sss_murmur.la \
+ _py2sss_nss_idmap.la \
+ $(NULL)
+endif
+
+if BUILD_PYTHON3_BINDINGS
+py3exec_LTLIBRARIES = \
+ _py3sss.la \
+ _py3hbac.la \
+ _py3sss_murmur.la \
+ _py3sss_nss_idmap.la \
+ $(NULL)
+endif
+
+sbin_SCRIPTS = \
+ src/tools/wrappers/sss_debuglevel \
+ $(NULL)
+
+dist_noinst_SCRIPTS = \
+ $(EXTRA_SCRIPTS) \
+ src/config/setup.py \
+ src/config/SSSDConfig/ipachangeconf.py \
+ src/config/SSSDConfig/__init__.py \
+ src/config/SSSDConfigTest.py \
+ src/config/SSSDConfigTest.py2.sh \
+ src/config/SSSDConfigTest.py3.sh \
+ contrib/fedora/bashrc_sssd \
+ contrib/fedora/make_srpm.sh \
+ contrib/ci/clean \
+ contrib/ci/rpm-spec-builddeps \
+ contrib/ci/run \
+ contrib/ci/valgrind-condense \
+ src/tests/pyhbac-test.py \
+ src/tests/pyhbac-test.py2.sh \
+ src/tests/pyhbac-test.py3.sh \
+ src/tests/pysss_murmur-test.py \
+ src/tests/pysss_murmur-test.py2.sh \
+ src/tests/pysss_murmur-test.py3.sh \
+ src/tests/python-test.py \
+ src/tests/whitespace_test \
+ src/tests/double_semicolon_test \
+ src/tests/krb5_proxy_check_test_data.conf \
+ $(NULL)
+
+dist_noinst_DATA = \
+ src/config/testconfigs/sssd-valid.conf \
+ src/config/testconfigs/noparse.api.conf \
+ src/config/testconfigs/sssd-noversion.conf \
+ src/config/testconfigs/sssd-badversion.conf \
+ src/config/testconfigs/sssd-invalid.conf \
+ src/config/testconfigs/sssd-invalid-badbool.conf \
+ src/config/testconfigs/sssd-nonexisting-services-domains.conf \
+ src/config/etc/sssd.api.d/crash_test_dummy \
+ contrib/ci/README.md \
+ contrib/ci/configure.sh \
+ contrib/ci/deps.sh \
+ contrib/ci/distro.sh \
+ contrib/ci/misc.sh \
+ contrib/ci/sssd.supp \
+ $(SYSTEMTAP_PROBES) \
+ $(NULL)
+
+###############################
+# Global compilation settings #
+###############################
+
+AM_CPPFLAGS = \
+ -Wall \
+ -I.. \
+ -I$(srcdir)/src/sss_client \
+ -I$(srcdir)/src \
+ -I. \
+ $(POPT_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(TDB_CFLAGS) \
+ $(TEVENT_CFLAGS) \
+ $(LDB_CFLAGS) \
+ $(DBUS_CFLAGS) \
+ $(PCRE_CFLAGS) \
+ $(INI_CONFIG_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(LIBNL_CFLAGS) \
+ $(OPENLDAP_CFLAGS) \
+ $(GLIB2_CFLAGS) \
+ $(JOURNALD_CFLAGS) \
+ -DLIBDIR=\"$(libdir)\" \
+ -DVARDIR=\"$(localstatedir)\" \
+ -DSSS_STATEDIR=\"$(sss_statedir)\" \
+ -DSYSCONFDIR=\"$(sysconfdir)\" \
+ -DSHLIBEXT=\"$(SHLIBEXT)\" \
+ -DSSSDDATADIR=\"$(sssddatadir)\" \
+ -DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \
+ -DSSSD_CONF_DIR=\"$(sssdconfdir)\" \
+ -DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \
+ -DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \
+ -DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \
+ -DSSS_PAC_SOCKET_NAME=\"$(pipepath)/pac\" \
+ -DSSS_PAM_PRIV_SOCKET_NAME=\"$(pipepath)/private/pam\" \
+ -DSSS_SEC_SOCKET_NAME=\"$(runstatedir)/secrets.socket\" \
+ -DSSS_SUDO_SOCKET_NAME=\"$(pipepath)/sudo\" \
+ -DSSS_AUTOFS_SOCKET_NAME=\"$(pipepath)/autofs\" \
+ -DSSS_SSH_SOCKET_NAME=\"$(pipepath)/ssh\" \
+ -DLOCALEDIR=\"$(localedir)\" \
+ -DBASE_FILE_STEM=\"$(*F)\" \
+ $(NULL)
+
+EXTRA_DIST =
+
+SSSD_CACHE_REQ_OBJ = \
+ src/responder/common/cache_req/cache_req.c \
+ src/responder/common/cache_req/cache_req_result.c \
+ src/responder/common/cache_req/cache_req_search.c \
+ src/responder/common/cache_req/cache_req_data.c \
+ src/responder/common/cache_req/cache_req_domain.c \
+ src/responder/common/cache_req/cache_req_sr_overlay.c \
+ src/responder/common/cache_req/plugins/cache_req_common.c \
+ src/responder/common/cache_req/plugins/cache_req_enum_users.c \
+ src/responder/common/cache_req/plugins/cache_req_enum_groups.c \
+ src/responder/common/cache_req/plugins/cache_req_enum_svc.c \
+ src/responder/common/cache_req/plugins/cache_req_user_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \
+ src/responder/common/cache_req/plugins/cache_req_user_by_id.c \
+ src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \
+ src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \
+ src/responder/common/cache_req/plugins/cache_req_group_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_group_by_id.c \
+ src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \
+ src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \
+ src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \
+ src/responder/common/cache_req/plugins/cache_req_object_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_object_by_id.c \
+ src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
+ src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+ src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
+ $(NULL)
+
+SSSD_RESPONDER_IFACE_OBJ = \
+ src/responder/common/iface/responder_iface.c \
+ src/responder/common/iface/responder_domain.c \
+ src/responder/common/iface/responder_ncache.c \
+ src/responder/common/iface/responder_iface_generated.c \
+ $(NULL)
+
+SSSD_RESPONDER_OBJ = \
+ src/responder/common/negcache_files.c \
+ src/responder/common/negcache.c \
+ src/responder/common/responder_cmd.c \
+ src/responder/common/responder_common.c \
+ src/responder/common/responder_dp.c \
+ src/responder/common/responder_dp_ssh.c \
+ src/responder/common/responder_packet.c \
+ src/responder/common/responder_get_domains.c \
+ src/responder/common/responder_utils.c \
+ src/responder/common/data_provider/rdp_message.c \
+ src/responder/common/data_provider/rdp_client.c \
+ src/monitor/monitor_iface_generated.c \
+ src/providers/data_provider_req.c \
+ src/util/session_recording.c \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
+ $(SSSD_CACHE_REQ_OBJ) \
+ $(NULL)
+
+SSSD_TOOLS_OBJ = \
+ src/tools/sss_sync_ops.c \
+ src/tools/tools_util.c \
+ src/tools/common/sss_tools.c \
+ src/tools/common/sss_process.c \
+ src/confdb/confdb_setup.c \
+ src/util/nscd.c \
+ $(NULL)
+
+SSSD_LCL_TOOLS_OBJ = \
+ src/sss_client/common.c \
+ src/tools/tools_mc_util.c \
+ $(SSSD_TOOLS_OBJ)
+
+SSSD_RESOLV_OBJ = \
+ src/resolv/async_resolv.c \
+ src/resolv/async_resolv_utils.c
+
+SSSD_FAILOVER_OBJ = \
+ src/providers/fail_over.c \
+ src/providers/fail_over_srv.c \
+ $(SSSD_RESOLV_OBJ)
+
+SSSD_LIBS = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+ $(DBUS_LIBS) \
+ $(DHASH_LIBS) \
+ $(SELINUX_LIBS) \
+ $(TDB_LIBS)
+
+PYTHON_BINDINGS_LIBS = \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+ $(NULL)
+
+TOOLS_LIBS = \
+ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+ $(DBUS_LIBS) \
+ $(DHASH_LIBS) \
+ $(TDB_LIBS)
+
+if BUILD_SELINUX
+ PYTHON_BINDINGS_LIBS += $(SELINUX_LIBS)
+ TOOLS_LIBS += $(SELINUX_LIBS)
+endif
+
+dist_noinst_HEADERS = \
+ src/monitor/monitor.h \
+ src/util/crypto/sss_crypto.h \
+ src/util/crypto/libcrypto/sss_openssl.h \
+ src/util/cert.h \
+ src/util/dlinklist.h \
+ src/util/debug.h \
+ src/util/util.h \
+ src/util/util_errors.h \
+ src/util/safe-format-string.h \
+ src/util/session_recording.h \
+ src/util/strtonum.h \
+ src/util/sss_cli_cmd.h \
+ src/util/sss_ptr_hash.h \
+ src/util/sss_endian.h \
+ src/util/sss_nss.h \
+ src/util/sss_ldap.h \
+ src/util/sss_python.h \
+ src/util/sss_krb5.h \
+ src/util/sss_selinux.h \
+ src/util/sss_sockets.h \
+ src/util/sss_utf8.h \
+ src/util/sss_ssh.h \
+ src/util/sss_ini.h \
+ src/util/sss_format.h \
+ src/util/refcount.h \
+ src/util/find_uid.h \
+ src/util/user_info_msg.h \
+ src/util/mmap_cache.h \
+ src/util/atomic_io.h \
+ src/util/auth_utils.h \
+ src/util/authtok.h \
+ src/util/authtok-utils.h \
+ src/util/util_sss_idmap.h \
+ src/util/util_creds.h \
+ src/util/inotify.h \
+ src/util/sss_iobuf.h \
+ src/util/tev_curl.h \
+ src/monitor/monitor.h \
+ src/monitor/monitor_interfaces.h \
+ src/monitor/monitor_iface_generated.h \
+ src/responder/common/responder.h \
+ src/responder/common/responder_packet.h \
+ src/responder/common/responder_sbus.h \
+ src/responder/common/iface/responder_iface.h \
+ src/responder/common/iface/responder_iface_generated.h \
+ src/responder/common/cache_req/cache_req.h \
+ src/responder/common/cache_req/cache_req_domain.h \
+ src/responder/common/cache_req/cache_req_plugin.h \
+ src/responder/common/cache_req/cache_req_private.h \
+ src/responder/common/data_provider/rdp.h \
+ src/responder/pam/pamsrv.h \
+ src/responder/pam/pam_helpers.h \
+ src/responder/nss/nss_private.h \
+ src/responder/nss/nss_protocol.h \
+ src/responder/nss/nss_iface_generated.h \
+ src/responder/nss/nss_iface.h \
+ src/responder/nss/nsssrv_mmap_cache.h \
+ src/responder/pac/pacsrv.h \
+ src/responder/common/negcache_files.h \
+ src/responder/common/negcache.h \
+ src/responder/sudo/sudosrv_private.h \
+ src/responder/autofs/autofs_private.h \
+ src/responder/ssh/ssh_private.h \
+ src/responder/ifp/ifp_iface_generated.h \
+ src/responder/ifp/ifp_iface.h \
+ src/responder/ifp/ifp_private.h \
+ src/responder/ifp/ifp_domains.h \
+ src/responder/ifp/ifp_components.h \
+ src/responder/ifp/ifp_users.h \
+ src/responder/ifp/ifp_groups.h \
+ src/responder/ifp/ifp_cache.h \
+ src/responder/secrets/secsrv.h \
+ src/responder/secrets/secsrv_private.h \
+ src/responder/secrets/secsrv_local.h \
+ src/responder/secrets/secsrv_proxy.h \
+ src/responder/kcm/kcm.h \
+ src/responder/kcm/kcmsrv_pvt.h \
+ src/responder/kcm/kcmsrv_ccache.h \
+ src/responder/kcm/kcmsrv_ccache_pvt.h \
+ src/responder/kcm/kcmsrv_ccache_be.h \
+ src/responder/kcm/kcmsrv_ops.h \
+ src/sbus/sbus_client.h \
+ src/sbus/sssd_dbus.h \
+ src/sbus/sssd_dbus_meta.h \
+ src/sbus/sssd_dbus_private.h \
+ src/sbus/sssd_dbus_invokers.h \
+ src/sbus/sssd_dbus_errors.h \
+ src/sbus/sssd_dbus_utils.h \
+ src/db/sysdb.h \
+ src/db/sysdb_sudo.h \
+ src/db/sysdb_autofs.h \
+ src/db/sysdb_selinux.h \
+ src/db/sysdb_private.h \
+ src/db/sysdb_services.h \
+ src/db/sysdb_ssh.h \
+ src/db/sysdb_domain_resolution_order.h \
+ src/confdb/confdb.h \
+ src/confdb/confdb_private.h \
+ src/confdb/confdb_setup.h \
+ src/providers/data_provider.h \
+ src/providers/data_provider_req.h \
+ src/providers/data_provider/dp.h \
+ src/providers/data_provider/dp_flags.h \
+ src/providers/data_provider/dp_responder_iface.h \
+ src/providers/data_provider/dp_private.h \
+ src/providers/data_provider/dp_request.h \
+ src/providers/data_provider/dp_custom_data.h \
+ src/providers/data_provider/dp_builtin.h \
+ src/providers/data_provider/dp_iface_generated.h \
+ src/providers/data_provider/dp_iface.h \
+ src/providers/backend.h \
+ src/providers/be_dyndns.h \
+ src/providers/be_ptask_private.h \
+ src/providers/be_ptask.h \
+ src/providers/be_refresh.h \
+ src/providers/fail_over.h \
+ src/providers/fail_over_srv.h \
+ src/util/child_common.h \
+ src/providers/simple/simple_access.h \
+ src/providers/simple/simple_access_pvt.h \
+ src/providers/krb5/krb5_auth.h \
+ src/providers/krb5/krb5_common.h \
+ src/providers/krb5/krb5_utils.h \
+ src/providers/krb5/krb5_init_shared.h \
+ src/providers/krb5/krb5_opts.h \
+ src/providers/krb5/krb5_ccache.h \
+ src/providers/ldap/ldap_common.h \
+ src/providers/ldap/sdap.h \
+ src/providers/ldap/sdap_access.h \
+ src/providers/ldap/sdap_async.h \
+ src/providers/ldap/sdap_async_ad.h \
+ src/providers/ldap/sdap_async_private.h \
+ src/providers/ldap/sdap_sudo.h \
+ src/providers/ldap/sdap_sudo_shared.h \
+ src/providers/ldap/sdap_autofs.h \
+ src/providers/ldap/sdap_id_op.h \
+ src/providers/ldap/ldap_opts.h \
+ src/providers/ldap/ldap_auth.h \
+ src/providers/ldap/sdap_range.h \
+ src/providers/ldap/sdap_users.h \
+ src/providers/ldap/sdap_dyndns.h \
+ src/providers/ldap/sdap_async_enum.h \
+ src/providers/ldap/sdap_ops.h \
+ src/providers/ipa/ipa_common.h \
+ src/providers/ipa/ipa_config.h \
+ src/providers/ipa/ipa_access.h \
+ src/providers/ipa/ipa_selinux.h \
+ src/providers/ipa/ipa_hosts.h \
+ src/providers/ipa/ipa_selinux_maps.h \
+ src/providers/ipa/ipa_auth.h \
+ src/providers/ipa/ipa_dyndns.h \
+ src/providers/ipa/ipa_subdomains.h \
+ src/providers/ipa/ipa_id.h \
+ src/providers/ipa/ipa_opts.h \
+ src/providers/ipa/ipa_srv.h \
+ src/providers/ipa/ipa_dn.h \
+ src/providers/ipa/ipa_sudo.h \
+ src/providers/ipa/ipa_session.h \
+ src/providers/ad/ad_srv.h \
+ src/providers/ad/ad_common.h \
+ src/providers/ad/ad_pac.h \
+ src/providers/ad/ad_id.h \
+ src/providers/ad/ad_access.h \
+ src/providers/ad/ad_gpo.h \
+ src/providers/ad/ad_opts.h \
+ src/providers/ad/ad_domain_info.h \
+ src/providers/ad/ad_subdomains.h \
+ src/providers/proxy/proxy.h \
+ src/providers/proxy/proxy_iface_generated.h \
+ src/providers/files/files_private.h \
+ src/tools/tools_util.h \
+ src/tools/sss_sync_ops.h \
+ src/resolv/async_resolv.h \
+ src/tests/common.h \
+ src/tests/common_check.h \
+ src/tests/cmocka/common_mock.h \
+ src/tests/cmocka/common_mock_resp.h \
+ src/tests/cmocka/common_mock_sdap.h \
+ src/tests/cmocka/common_mock_sysdb_objects.h \
+ src/tests/cmocka/common_mock_krb5.h \
+ src/tests/cmocka/common_mock_be.h \
+ src/tests/cmocka/test_expire_common.h \
+ src/tests/cmocka/test_sdap_access.h \
+ src/tests/cmocka/data_provider/mock_dp.h \
+ src/tests/sbus_codegen_tests_generated.h \
+ src/sss_client/pam_message.h \
+ src/sss_client/ssh/sss_ssh_client.h \
+ src/sss_client/sudo/sss_sudo.h \
+ src/sss_client/libwbclient/libwbclient.h \
+ src/sss_client/libwbclient/wbc_err_internal.h \
+ src/sss_client/libwbclient/wbclient_internal.h \
+ src/sss_client/libwbclient/wbc_sssd_internal.h \
+ src/sss_client/nfs/nfsidmap_internal.h \
+ src/lib/idmap/sss_idmap_private.h \
+ src/lib/sifp/sss_sifp_private.h \
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.h \
+ src/tests/cmocka/test_utils.h \
+ src/tools/common/sss_tools.h \
+ src/tools/common/sss_process.h \
+ src/tools/common/sss_colondb.h \
+ src/tools/sssctl/sssctl.h \
+ src/util/probes.h \
+ src/shared/io.h \
+ src/shared/murmurhash3.h \
+ src/shared/safealign.h \
+ src/p11_child/p11_child.h \
+ $(NULL)
+
+
+if HAVE_NSS
+ dist_noinst_HEADERS += src/util/crypto/nss/nss_util.h \
+ src/util/crypto/nss/nss_crypto.h
+endif
+
+SSSD_DOCS = \
+ doc \
+ hbac_doc \
+ idmap_doc \
+ nss_idmap_doc
+
+if BUILD_IFP
+ SSSD_DOCS += sss_simpleifp_doc
+endif
+
+CLIENT_LIBS = $(LTLIBINTL)
+
+if WITH_JOURNALD
+SYSLOG_LIBS = $(JOURNALD_LIBS)
+endif
+
+#####################
+# Utility libraries #
+#####################
+pkglib_LTLIBRARIES += libsss_debug.la
+libsss_debug_la_SOURCES = \
+ src/util/debug.c \
+ src/util/sss_log.c \
+ src/util/sss_cli_cmd.c \
+ $(NULL)
+libsss_debug_la_LIBADD = \
+ $(SYSLOG_LIBS)
+libsss_debug_la_LDFLAGS = \
+ -avoid-version
+
+pkglib_LTLIBRARIES += libsss_child.la
+libsss_child_la_SOURCES = src/util/child_common.c
+libsss_child_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(DHASH_LIBS) \
+ libsss_debug.la \
+ $(NULL)
+libsss_child_la_LDFLAGS = -avoid-version
+
+pkglib_LTLIBRARIES += libsss_crypt.la
+
+# NOTE:
+# Please try to avoid using SSS_CRYPT_{CFLAGS,LIBS} directly for compiling and
+# linking programs or libraries. This is purpose of wrapper library
+# libsss_crypt.so to hide internals. SSS_CRYPT_{CFLAGS,LIBS} might be used
+# in unit tests if you directly uses functions from underlining crypto libraries
+if HAVE_NSS
+ SSS_CRYPT_SOURCES = src/util/crypto/nss/nss_base64.c \
+ src/util/crypto/nss/nss_hmac_sha1.c \
+ src/util/crypto/nss/nss_sha512crypt.c \
+ src/util/crypto/nss/nss_obfuscate.c \
+ src/util/crypto/nss/nss_nite.c \
+ src/util/crypto/nss/nss_util.c \
+ src/util/crypto/sss_crypto.c \
+ src/util/atomic_io.c \
+ $(NULL)
+ SSS_CRYPT_CFLAGS = $(NSS_CFLAGS)
+ SSS_CRYPT_LIBS = $(NSS_LIBS)
+
+ SSS_CERT_SOURCES = \
+ src/util/cert/cert_common.c \
+ src/util/cert/cert_common_p11_child.c \
+ src/util/cert/nss/cert.c \
+ $(NULL)
+ SSS_CERT_CFLAGS = \
+ $(NSS_CFLAGS) \
+ $(NULL)
+ SSS_CERT_LIBS = \
+ $(NSS_LIBS) \
+ $(NULL)
+else
+ SSS_CRYPT_SOURCES = src/util/crypto/libcrypto/crypto_base64.c \
+ src/util/crypto/libcrypto/crypto_hmac_sha1.c \
+ src/util/crypto/libcrypto/crypto_sha512crypt.c \
+ src/util/crypto/libcrypto/crypto_obfuscate.c \
+ src/util/crypto/libcrypto/crypto_nite.c \
+ src/util/crypto/sss_crypto.c \
+ src/util/atomic_io.c \
+ $(NULL)
+ SSS_CRYPT_CFLAGS = $(CRYPTO_CFLAGS)
+ SSS_CRYPT_LIBS = $(CRYPTO_LIBS)
+
+ SSS_CERT_SOURCES = \
+ src/util/cert/cert_common.c \
+ src/util/cert/cert_common_p11_child.c \
+ src/util/cert/libcrypto/cert.c \
+ $(NULL)
+ SSS_CERT_CFLAGS = \
+ $(CRYPTO_CFLAGS) \
+ $(NULL)
+ SSS_CERT_LIBS = \
+ $(CRYPTO_LIBS) \
+ $(NULL)
+endif
+
+libsss_crypt_la_SOURCES = \
+ $(SSS_CRYPT_SOURCES)
+libsss_crypt_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(SSS_CRYPT_CFLAGS) \
+ $(DHASH_CFLAGS)
+libsss_crypt_la_LIBADD = \
+ $(SSS_CRYPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(TALLOC_LIBS) \
+ libsss_debug.la \
+ $(NULL)
+libsss_crypt_la_LDFLAGS = \
+ -avoid-version
+
+pkglib_LTLIBRARIES += libsss_cert.la
+
+libsss_cert_la_SOURCES = \
+ $(SSS_CERT_SOURCES) \
+ $(NULL)
+libsss_cert_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(SSS_CERT_CFLAGS) \
+ $(NULL)
+# NOTE:
+# There is a dependency between libsss_cert and libsss_child which should
+# always be declared explicitly and if missing might cause issue in some
+# environments (e.g. Gentoo or OpenSUSE build service), even if it is
+# resolved otherwise while linking the binaries.
+libsss_cert_la_LIBADD = \
+ $(SSS_CERT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ libsss_crypt.la \
+ libsss_child.la \
+ libsss_debug.la \
+ libsss_certmap.la \
+ $(NULL)
+libsss_cert_la_LDFLAGS = \
+ -avoid-version \
+ $(NULL)
+
+pkglib_LTLIBRARIES += libsss_util.la
+libsss_util_la_SOURCES = \
+ src/confdb/confdb.c \
+ src/db/sysdb.c \
+ src/db/sysdb_ops.c \
+ src/db/sysdb_search.c \
+ src/db/sysdb_selinux.c \
+ src/db/sysdb_upgrade.c \
+ src/db/sysdb_init.c \
+ src/db/sysdb_services.c \
+ src/db/sysdb_autofs.c \
+ src/db/sysdb_subdomains.c \
+ src/db/sysdb_views.c \
+ src/db/sysdb_ranges.c \
+ src/db/sysdb_idmap.c \
+ src/db/sysdb_gpo.c \
+ src/db/sysdb_certmap.c \
+ src/db/sysdb_domain_resolution_order.c \
+ src/monitor/monitor_sbus.c \
+ src/providers/dp_auth_util.c \
+ src/providers/dp_pam_data_util.c \
+ src/providers/data_provider/dp_sbus.c \
+ src/sbus/sbus_client.c \
+ src/sbus/sssd_dbus_common.c \
+ src/sbus/sssd_dbus_connection.c \
+ src/sbus/sssd_dbus_meta.c \
+ src/sbus/sssd_dbus_interface.c \
+ src/sbus/sssd_dbus_introspect.c \
+ src/sbus/sssd_dbus_invokers.c \
+ src/sbus/sssd_dbus_properties.c \
+ src/sbus/sssd_dbus_request.c \
+ src/sbus/sssd_dbus_server.c \
+ src/sbus/sssd_dbus_signals.c \
+ src/sbus/sssd_dbus_common_signals.c \
+ src/sbus/sssd_dbus_utils.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ src/util/util_preauth.c \
+ src/util/memory.c \
+ src/util/safe-format-string.c \
+ src/util/server.c \
+ src/util/signal.c \
+ src/util/usertools.c \
+ src/util/backup_file.c \
+ src/util/strtonum.c \
+ src/util/check_and_open.c \
+ src/util/refcount.c \
+ src/util/sss_nss.c \
+ src/util/sss_utf8.c \
+ src/util/sss_tc_utf8.c \
+ src/util/murmurhash3.c \
+ src/util/atomic_io.c \
+ src/util/authtok.c \
+ src/util/authtok-utils.c \
+ src/util/sss_selinux.c \
+ src/util/domain_info_utils.c \
+ src/util/util_lock.c \
+ src/util/util_errors.c \
+ src/util/find_uid.c \
+ src/util/sss_ini.c \
+ src/util/io.c \
+ src/util/util_sss_idmap.c \
+ src/util/well_known_sids.c \
+ src/util/string_utils.c \
+ src/util/become_user.c \
+ src/util/util_watchdog.c \
+ src/util/sss_ptr_hash.c \
+ src/util/files.c \
+ src/util/selinux.c \
+ $(NULL)
+libsss_util_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(SYSTEMD_LOGIN_CFLAGS) \
+ $(NULL)
+libsss_util_la_LIBADD = \
+ $(LIBADD_TIMER) \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_LOGIN_LIBS) \
+ $(UNICODE_LIBS) \
+ $(PCRE_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ libsss_debug.la \
+ libsss_child.la \
+ libsss_crypt.la \
+ libsss_cert.la \
+ $(NULL)
+if BUILD_SUDO
+ libsss_util_la_SOURCES += src/db/sysdb_sudo.c
+endif
+if BUILD_SSH
+libsss_util_la_SOURCES += \
+ src/db/sysdb_ssh.c \
+ src/util/sss_ssh.c
+endif
+if BUILD_SYSTEMTAP
+libsss_util_la_LIBADD += stap_generated_probes.lo
+endif
+libsss_util_la_LDFLAGS = -avoid-version
+
+pkglib_LTLIBRARIES += libsss_semanage.la
+libsss_semanage_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(NULL)
+libsss_semanage_la_SOURCES = \
+ src/util/sss_semanage.c \
+ $(NULL)
+libsss_semanage_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ libsss_debug.la \
+ $(NULL)
+if BUILD_SEMANAGE
+libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)
+endif
+
+libsss_semanage_la_LDFLAGS = \
+ -avoid-version
+
+SSSD_INTERNAL_LTLIBS = \
+ libsss_util.la \
+ libsss_crypt.la \
+ libsss_debug.la \
+ libsss_child.la \
+ $(NULL)
+
+lib_LTLIBRARIES = libipa_hbac.la \
+ libsss_idmap.la \
+ libsss_nss_idmap.la \
+ libsss_certmap.la \
+ $(NULL)
+
+pkgconfig_DATA += src/lib/ipa_hbac/ipa_hbac.pc
+libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports
+libipa_hbac_la_SOURCES = \
+ src/lib/ipa_hbac/hbac_evaluator.c \
+ src/util/sss_utf8.c
+# libipa_hbac is also used by external projects such as pam_hbac which
+# support platforms that do not have a C99 compiler. We add -std=c89
+# explicitly here to make sure we don't accidentally add a C99 feature
+# to the libipa_hbac code
+libipa_hbac_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ -I$(top_srcdir)/src/util \
+ -std=c89 \
+ $(NULL)
+libipa_hbac_la_LIBADD = \
+ $(UNICODE_LIBS)
+libipa_hbac_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/ipa_hbac/ipa_hbac.exports \
+ -version-info 1:0:1
+
+dist_noinst_DATA += src/lib/ipa_hbac/ipa_hbac.exports
+
+pkgconfig_DATA += src/lib/idmap/sss_idmap.pc
+libsss_idmap_la_DEPENDENCIES = src/lib/idmap/sss_idmap.exports
+libsss_idmap_la_SOURCES = \
+ src/lib/idmap/sss_idmap.c \
+ src/lib/idmap/sss_idmap_conv.c \
+ src/util/murmurhash3.c
+libsss_idmap_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/idmap/sss_idmap.exports \
+ -version-info 5:1:5
+
+dist_noinst_DATA += src/lib/idmap/sss_idmap.exports
+
+pkgconfig_DATA += src/sss_client/idmap/sss_nss_idmap.pc
+libsss_nss_idmap_la_DEPENDENCIES = src/sss_client/idmap/sss_nss_idmap.exports
+libsss_nss_idmap_la_SOURCES = \
+ src/sss_client/idmap/sss_nss_idmap.c \
+ src/sss_client/idmap/sss_nss_ex.c \
+ src/sss_client/idmap/sss_nss_idmap_private.h \
+ src/sss_client/common.c \
+ src/sss_client/idmap/common_ex.c \
+ src/sss_client/nss_mc_passwd.c \
+ src/sss_client/nss_passwd.c \
+ src/sss_client/nss_mc_group.c \
+ src/sss_client/nss_group.c \
+ src/sss_client/nss_mc_initgr.c \
+ src/sss_client/nss_mc_common.c \
+ src/util/strtonum.c \
+ src/util/murmurhash3.c \
+ src/util/io.c \
+ $(NULL)
+libsss_nss_idmap_la_LIBADD = \
+ $(LIBCLOCK_GETTIME) \
+ $(CLIENT_LIBS) \
+ -lpthread \
+ $(NULL)
+libsss_nss_idmap_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \
+ -version-info 5:0:5
+
+dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.exports
+
+include_HEADERS = \
+ src/lib/ipa_hbac/ipa_hbac.h \
+ src/lib/idmap/sss_idmap.h \
+ src/sss_client/idmap/sss_nss_idmap.h \
+ src/lib/certmap/sss_certmap.h \
+ $(NULL)
+
+if BUILD_LIBWBCLIENT
+libwbclient_LTLIBRARIES = libwbclient.la
+pkgconfig_DATA += src/sss_client/libwbclient/wbclient_sssd.pc
+
+EXTRA_libwbclient_la_DEPENDENCIES = \
+ src/sss_client/libwbclient/wbclient.exports \
+ $(NULL)
+
+libwbclient_la_SOURCES = \
+ src/sss_client/libwbclient/wbc_guid.c \
+ src/sss_client/libwbclient/wbc_idmap_common.c \
+ src/sss_client/libwbclient/wbc_idmap_sssd.c \
+ src/sss_client/libwbclient/wbclient_common.c \
+ src/sss_client/libwbclient/wbclient_sssd.c \
+ src/sss_client/libwbclient/wbc_pam_sssd.c \
+ src/sss_client/libwbclient/wbc_pwd_sssd.c \
+ src/sss_client/libwbclient/wbc_sid_common.c \
+ src/sss_client/libwbclient/wbc_sid_sssd.c \
+ src/sss_client/libwbclient/wbc_sssd_internal.h \
+ src/sss_client/libwbclient/wbc_util_common.c \
+ src/sss_client/libwbclient/wbc_util_sssd.c \
+ src/sss_client/libwbclient/wbc_ctx_sssd.c \
+ $(NULL)
+libwbclient_la_LIBADD = \
+ $(LIBADD_DL) \
+ libsss_nss_idmap.la \
+ $(CLIENT_LIBS) \
+ $(NULL)
+
+libwbclient_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/sss_client/libwbclient/wbclient.exports \
+ -version-info @libwbclient_version_info@ \
+ $(NULL)
+
+dist_noinst_DATA += src/sss_client/libwbclient/wbclient.exports \
+ $(NULL)
+
+include_HEADERS += src/sss_client/libwbclient/wbclient_sssd.h
+endif #BUILD_LIBWBCLIENT
+
+if BUILD_IFP
+lib_LTLIBRARIES += libsss_simpleifp.la
+pkgconfig_DATA += src/lib/sifp/sss_simpleifp.pc
+
+libsss_simpleifp_la_SOURCES = \
+ src/lib/sifp/sss_sifp.c \
+ src/lib/sifp/sss_sifp_dbus.c \
+ src/lib/sifp/sss_sifp_attrs.c \
+ src/lib/sifp/sss_sifp_common.c \
+ src/lib/sifp/sss_sifp_parser.c \
+ src/lib/sifp/sss_sifp_utils.c
+libsss_simpleifp_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ -I$(top_srcdir)/src/lib/sifp
+libsss_simpleifp_la_LIBADD = \
+ $(DBUS_LIBS) \
+ $(DHASH_LIBS)
+libsss_simpleifp_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/sifp/sss_simpleifp.exports \
+ -version-info 1:1:1
+
+dist_noinst_DATA += src/lib/sifp/sss_simpleifp.exports
+
+include_HEADERS += \
+ src/lib/sifp/sss_sifp.h \
+ src/lib/sifp/sss_sifp_dbus.h
+endif
+
+#########################
+# Systemtap tracing #
+#########################
+
+if BUILD_SYSTEMTAP
+SYSTEMTAP_PROBES = \
+ $(srcdir)/src/systemtap/sssd_probes.d \
+ $(NULL)
+
+systemtap_tap_DATA = $(builddir)/src/systemtap/sssd.stp
+
+dist_systemtap_tap_DATA = \
+ $(builddir)/src/systemtap/sssd_functions.stp \
+ $(NULL)
+
+dist_sssdtapscript_DATA = \
+ contrib/systemtap/id_perf.stp \
+ contrib/systemtap/nested_group_perf.stp \
+ contrib/systemtap/dp_request.stp \
+ $(NULL)
+
+stap_generated_probes.h: $(srcdir)/src/systemtap/sssd_probes.d
+ $(AM_V_GEN)$(DTRACE) -C -h -s $< -o $@
+
+stap_generated_probes.o: $(srcdir)/src/systemtap/sssd_probes.d stap_generated_probes.h
+ $(AM_V_GEN)$(DTRACE) -C -G -s $< -o $@
+
+stap_generated_probes.lo: stap_generated_probes.o
+ $(AM_V_GEN)printf %s\\n \
+ '# $@ - a libtool object file' \
+ '# Generated by libtool (GNU libtool) 2.4' \
+ '# Actually generated by Makefile.am, in order to shut up libtool' \
+ "pic_object='$<'" \
+ "non_pic_object='$<'" \
+ > $@
+
+BUILT_SOURCES += stap_generated_probes.h
+
+CLEANFILES += stap_generated_probes.h \
+ stap_generated_probes.o \
+ stap_generated_probes.lo \
+ $(NULL)
+endif
+
+####################
+# Sbus Codegen #
+####################
+
+# Yes, the goal here is that the generated files end up in $(srcdir)
+# not $(builddir). Always use $(srcdir) here.
+CODEGEN_XML = \
+ $(srcdir)/src/tests/sbus_codegen_tests.xml \
+ $(srcdir)/src/monitor/monitor_iface.xml \
+ $(srcdir)/src/providers/data_provider/dp_iface.xml \
+ $(srcdir)/src/providers/proxy/proxy_iface.xml \
+ $(srcdir)/src/responder/ifp/ifp_iface.xml \
+ $(srcdir)/src/responder/nss/nss_iface.xml \
+ $(srcdir)/src/responder/common/iface/responder_iface.xml \
+ $(NULL)
+
+SBUS_CODEGEN = src/sbus/sbus_codegen
+
+EXTRA_DIST += \
+ $(SBUS_CODEGEN) \
+ $(CODEGEN_XML)
+
+SUFFIXES = .xml _generated.h _generated.c
+
+.xml_generated.h:
+ $(srcdir)/$(SBUS_CODEGEN) --mode=header --output=$@ $<
+.xml_generated.c:
+ $(srcdir)/$(SBUS_CODEGEN) --mode=source --include=$(@:.c=.h) --output=$@ $<
+
+# Regenerate when codegen changes
+CODEGEN_CODE = \
+ $(CODEGEN_XML:.xml=_generated.c) \
+ $(CODEGEN_XML:.xml=_generated.h)
+
+$(CODEGEN_CODE): $(SBUS_CODEGEN)
+
+BUILT_SOURCES += $(CODEGEN_CODE)
+
+####################
+# Program Binaries #
+####################
+sssd_SOURCES = \
+ src/monitor/monitor.c \
+ src/monitor/monitor_netlink.c \
+ src/confdb/confdb_setup.c \
+ src/monitor/monitor_iface_generated.c \
+ src/util/nscd.c \
+ src/util/inotify.c \
+ $(NULL)
+sssd_LDADD = \
+ $(SSSD_LIBS) \
+ $(INOTIFY_LIBS) \
+ $(LIBNL_LIBS) \
+ $(KEYUTILS_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+sssd_nss_SOURCES = \
+ src/responder/nss/nsssrv.c \
+ src/responder/nss/nss_cmd.c \
+ src/responder/nss/nss_enum.c \
+ src/responder/nss/nss_get_object.c \
+ src/responder/nss/nss_protocol.c \
+ src/responder/nss/nss_protocol_pwent.c \
+ src/responder/nss/nss_protocol_grent.c \
+ src/responder/nss/nss_protocol_netgr.c \
+ src/responder/nss/nss_protocol_svcent.c \
+ src/responder/nss/nss_protocol_sid.c \
+ src/responder/nss/nss_utils.c \
+ src/responder/nss/nss_iface_generated.c \
+ src/responder/nss/nss_iface.c \
+ src/responder/nss/nsssrv_mmap_cache.c \
+ $(SSSD_RESPONDER_OBJ)
+sssd_nss_LDADD = \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
+ libsss_idmap.la \
+ libsss_cert.la \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+sssd_pam_SOURCES = \
+ src/responder/pam/pam_LOCAL_domain.c \
+ src/responder/pam/pamsrv.c \
+ src/responder/pam/pamsrv_cmd.c \
+ src/responder/pam/pamsrv_p11.c \
+ src/responder/pam/pamsrv_dp.c \
+ src/responder/pam/pam_helpers.c \
+ $(SSSD_RESPONDER_OBJ)
+sssd_pam_LDADD = \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
+ $(SELINUX_LIBS) \
+ $(PAM_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_certmap.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+
+if BUILD_SUDO
+sssd_sudo_SOURCES = \
+ src/responder/sudo/sudosrv.c \
+ src/responder/sudo/sudosrv_cmd.c \
+ src/responder/sudo/sudosrv_get_sudorules.c \
+ src/responder/sudo/sudosrv_query.c \
+ src/responder/sudo/sudosrv_dp.c \
+ $(SSSD_RESPONDER_OBJ)
+sssd_sudo_LDADD = \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+endif
+
+if BUILD_AUTOFS
+sssd_autofs_SOURCES = \
+ src/responder/autofs/autofssrv.c \
+ src/responder/autofs/autofssrv_cmd.c \
+ src/responder/autofs/autofssrv_dp.c \
+ $(SSSD_RESPONDER_OBJ)
+sssd_autofs_LDADD = \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+endif
+
+if BUILD_SSH
+sssd_ssh_SOURCES = \
+ src/responder/ssh/sshsrv.c \
+ src/responder/ssh/ssh_cmd.c \
+ src/responder/ssh/ssh_known_hosts.c \
+ src/responder/ssh/ssh_protocol.c \
+ src/responder/ssh/ssh_reply.c \
+ $(SSSD_RESPONDER_OBJ) \
+ $(NULL)
+sssd_ssh_LDADD = \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_cert.la \
+ $(NULL)
+endif
+
+sssd_pac_SOURCES = \
+ src/responder/pac/pacsrv.c \
+ src/responder/pac/pacsrv_cmd.c \
+ src/providers/ad/ad_pac_common.c \
+ $(SSSD_RESPONDER_OBJ)
+sssd_pac_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS)
+sssd_pac_LDADD = \
+ $(NDR_KRB5PAC_LIBS) \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_idmap.la \
+ $(SSSD_INTERNAL_LTLIBS)
+
+if BUILD_IFP
+sssd_ifp_SOURCES = \
+ src/responder/ifp/ifpsrv.c \
+ src/responder/ifp/ifpsrv_cmd.c \
+ src/responder/ifp/ifp_iface_generated.c \
+ src/responder/ifp/ifp_iface.c \
+ src/responder/ifp/ifp_iface_nodes.c \
+ src/responder/ifp/ifpsrv_util.c \
+ src/responder/ifp/ifp_domains.c \
+ src/responder/ifp/ifp_components.c \
+ src/responder/ifp/ifp_users.c \
+ src/responder/ifp/ifp_groups.c \
+ src/responder/ifp/ifp_cache.c \
+ $(SSSD_RESPONDER_OBJ)
+sssd_ifp_CFLAGS = \
+ $(AM_CFLAGS)
+sssd_ifp_LDADD = \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_cert.la \
+ $(NULL)
+dist_dbuspolicy_DATA = \
+ src/responder/ifp/org.freedesktop.sssd.infopipe.conf
+dist_dbusservice_DATA = \
+ src/responder/ifp/org.freedesktop.sssd.infopipe.service
+
+EXTRA_DIST += \
+ src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \
+ $(NULL)
+
+ifp_edit_cmd = $(edit_cmd) \
+ -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \
+ -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \
+ -e 's|@ifp_restart[@]|$(ifp_restart)|g'
+
+ifp_replace_script = \
+ @rm -f $@ $@.tmp; \
+ srcdir=''; \
+ test -f ./$@.in || srcdir=$(srcdir)/; \
+ $(ifp_edit_cmd) $${srcdir}$@.in >$@.tmp; \
+ mv $@.tmp $@
+
+src/responder/ifp/org.freedesktop.sssd.infopipe.service: src/responder/ifp/org.freedesktop.sssd.infopipe.service.in Makefile
+ $(ifp_replace_script)
+
+endif
+
+if BUILD_SECRETS
+sssd_secrets_SOURCES = \
+ src/responder/secrets/secsrv.c \
+ src/responder/secrets/secsrv_cmd.c \
+ src/responder/secrets/providers.c \
+ src/responder/secrets/local.c \
+ src/responder/secrets/proxy.c \
+ src/util/sss_sockets.c \
+ src/util/sss_iobuf.c \
+ src/util/tev_curl.c \
+ $(SSSD_RESPONDER_OBJ) \
+ $(NULL)
+sssd_secrets_LDADD = \
+ $(HTTP_PARSER_LIBS) \
+ $(JANSSON_LIBS) \
+ $(TDB_LIBS) \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CURL_LIBS) \
+ $(NULL)
+endif
+
+if BUILD_KCM
+sssd_kcm_SOURCES = \
+ src/responder/kcm/kcm.c \
+ src/responder/kcm/kcmsrv_cmd.c \
+ src/responder/kcm/kcmsrv_ccache.c \
+ src/responder/kcm/kcmsrv_ccache_mem.c \
+ src/responder/kcm/kcmsrv_ccache_json.c \
+ src/responder/kcm/kcmsrv_ccache_secrets.c \
+ src/responder/kcm/kcmsrv_ops.c \
+ src/responder/kcm/kcmsrv_op_queue.c \
+ src/util/sss_sockets.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ src/util/tev_curl.c \
+ $(SSSD_RESPONDER_OBJ) \
+ $(NULL)
+sssd_kcm_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ $(UUID_CFLAGS) \
+ $(CURL_CFLAGS) \
+ $(JANSSON_CFLAGS) \
+ $(NULL)
+sssd_kcm_LDADD = \
+ $(KRB5_LIBS) \
+ $(CURL_LIBS) \
+ $(JANSSON_LIBS) \
+ $(SSSD_LIBS) \
+ $(UUID_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+endif
+
+sssd_be_SOURCES = \
+ src/providers/data_provider_be.c \
+ src/providers/data_provider_req.c \
+ src/providers/data_provider_fo.c \
+ src/providers/data_provider_opts.c \
+ src/providers/data_provider_callbacks.c \
+ src/providers/be_dyndns.c \
+ src/providers/be_ptask.c \
+ src/providers/be_refresh.c \
+ src/monitor/monitor_iface_generated.c \
+ src/providers/data_provider/dp.c \
+ src/providers/data_provider/dp_modules.c \
+ src/providers/data_provider/dp_targets.c \
+ src/providers/data_provider/dp_methods.c \
+ src/providers/data_provider/dp_builtin.c \
+ src/providers/data_provider/dp_iface.c \
+ src/providers/data_provider/dp_iface_backend.c \
+ src/providers/data_provider/dp_iface_failover.c \
+ src/providers/data_provider/dp_client.c \
+ src/providers/data_provider/dp_resp_client.c \
+ src/providers/data_provider/dp_iface_generated.c \
+ src/providers/data_provider/dp_request.c \
+ src/providers/data_provider/dp_request_reply.c \
+ src/providers/data_provider/dp_request_table.c \
+ src/providers/data_provider/dp_reply_std.c \
+ src/providers/data_provider/dp_target_sudo.c \
+ src/providers/data_provider/dp_target_hostid.c \
+ src/providers/data_provider/dp_target_autofs.c \
+ src/providers/data_provider/dp_target_subdomains.c \
+ src/providers/data_provider/dp_target_id.c \
+ src/providers/data_provider/dp_target_auth.c \
+ src/util/session_recording.c \
+ $(SSSD_FAILOVER_OBJ)
+sssd_be_LDADD = \
+ $(LIBADD_DL) \
+ $(SSSD_LIBS) \
+ $(CARES_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+sssd_be_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \
+ -export-dynamic
+if BUILD_SYSTEMTAP
+sssd_be_LDADD += stap_generated_probes.lo
+endif
+
+if BUILD_PYTHON_BINDINGS
+sss_obfuscate_pythondir = $(sbindir)
+dist_sss_obfuscate_python_SCRIPTS = \
+ src/tools/sss_obfuscate
+endif
+
+
+
+dist_noinst_DATA += \
+ src/examples/sssd-example.conf \
+ src/examples/sssdproxytest \
+ src/examples/sudo \
+ src/examples/logrotate \
+ src/providers/sssd_be.exports \
+ src/sss_client/COPYING \
+ src/sss_client/COPYING.LESSER \
+ src/m4
+
+dist_sssddefaultconf_DATA = \
+ src/examples/sssd.conf
+
+dist_pamconf_DATA = \
+ src/examples/sssd-shadowutils
+
+######################
+# Command-line Tools #
+######################
+sss_useradd_SOURCES = \
+ src/tools/sss_useradd.c \
+ $(SSSD_TOOLS_OBJ)
+sss_useradd_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_semanage.la \
+ $(NULL)
+
+sss_userdel_SOURCES = \
+ src/tools/sss_userdel.c \
+ $(SSSD_LCL_TOOLS_OBJ)
+sss_userdel_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS) \
+ libsss_semanage.la \
+ $(NULL)
+sss_userdel_CFLAGS = \
+ $(AM_CFLAGS)
+
+sss_groupadd_SOURCES = \
+ src/tools/sss_groupadd.c \
+ $(SSSD_TOOLS_OBJ)
+sss_groupadd_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+sss_groupdel_SOURCES = \
+ src/tools/sss_groupdel.c \
+ $(SSSD_LCL_TOOLS_OBJ)
+sss_groupdel_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS)
+sss_groupdel_CFLAGS = $(AM_CFLAGS)
+
+sss_usermod_SOURCES = \
+ src/tools/sss_usermod.c \
+ $(SSSD_LCL_TOOLS_OBJ)
+sss_usermod_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS) \
+ libsss_semanage.la \
+ $(NULL)
+sss_usermod_CFLAGS = $(AM_CFLAGS)
+
+sss_groupmod_SOURCES = \
+ src/tools/sss_groupmod.c \
+ $(SSSD_LCL_TOOLS_OBJ)
+sss_groupmod_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS)
+sss_groupmod_CFLAGS = $(AM_CFLAGS)
+
+sss_groupshow_SOURCES = \
+ src/tools/sss_groupshow.c \
+ $(SSSD_TOOLS_OBJ)
+sss_groupshow_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+sss_cache_SOURCES = \
+ src/tools/sss_cache.c \
+ $(SSSD_LCL_TOOLS_OBJ)
+sss_cache_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS)
+sss_cache_CFLAGS = $(AM_CFLAGS)
+
+sss_seed_SOURCES = \
+ src/tools/sss_seed.c \
+ $(SSSD_TOOLS_OBJ)
+sss_seed_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+sss_signal_SOURCES = \
+ src/tools/sss_signal.c \
+ src/tools/common/sss_process.c
+ $(NULL)
+sss_signal_LDADD = \
+ libsss_debug.la \
+ $(NULL)
+
+sss_override_SOURCES = \
+ src/tools/sss_override.c \
+ src/tools/common/sss_colondb.c \
+ $(SSSD_TOOLS_OBJ) \
+ $(NULL)
+sss_override_LDADD = \
+ $(TOOLS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+sss_override_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+
+sssctl_SOURCES = \
+ src/tools/sssctl/sssctl.c \
+ src/tools/sssctl/sssctl_systemd.c \
+ src/tools/sssctl/sssctl_cache.c \
+ src/tools/sssctl/sssctl_data.c \
+ src/tools/sssctl/sssctl_logs.c \
+ src/tools/sssctl/sssctl_domains.c \
+ src/tools/sssctl/sssctl_sifp.c \
+ src/tools/sssctl/sssctl_config.c \
+ src/tools/sssctl/sssctl_user_checks.c \
+ src/tools/sssctl/sssctl_access_report.c \
+ $(SSSD_TOOLS_OBJ) \
+ $(NULL)
+sssctl_LDADD = \
+ $(TOOLS_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(PAM_LIBS) \
+ $(PAM_MISC_LIBS) \
+ $(LIBADD_DL) \
+ libsss_simpleifp.la \
+ $(NULL)
+sssctl_CFLAGS = \
+ $(AM_CFLAGS) \
+ -I$(top_srcdir)/src/lib/sifp
+ $(NULL)
+
+if BUILD_SUDO
+sss_sudo_cli_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/sudo/sss_sudo.c \
+ src/sss_client/sudo/sss_sudo_response.c \
+ src/sss_client/sudo_testcli/sudo_testcli.c
+sss_sudo_cli_CFLAGS = $(AM_CFLAGS)
+sss_sudo_cli_LDADD = $(CLIENT_LIBS)
+endif
+
+if BUILD_SSH
+sss_ssh_authorizedkeys_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/ssh/sss_ssh_client.c \
+ src/sss_client/ssh/sss_ssh_authorizedkeys.c
+sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS)
+sss_ssh_authorizedkeys_LDADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
+
+sss_ssh_knownhostsproxy_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/ssh/sss_ssh_client.c \
+ src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS)
+sss_ssh_knownhostsproxy_LDADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS)
+endif
+
+if HAVE_SYSTEMD_UNIT
+sssd_check_socket_activated_responders_SOURCES = \
+ src/tools/sssd_check_socket_activated_responders.c \
+ $(NULL)
+sssd_check_socket_activated_responders_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+sssd_check_socket_activated_responders_LDADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LTLIBINTL) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ $(NULL)
+endif
+
+pkgconfig_DATA += src/lib/certmap/sss_certmap.pc
+libsss_certmap_la_DEPENDENCIES = src/lib/certmap/sss_certmap.exports
+libsss_certmap_la_SOURCES = \
+ src/lib/certmap/sss_certmap.c \
+ src/lib/certmap/sss_certmap_attr_names.c \
+ src/lib/certmap/sss_certmap_krb5_match.c \
+ src/lib/certmap/sss_certmap_ldap_mapping.c \
+ src/lib/certmap/sss_cert_content_common.c \
+ src/util/util_ext.c \
+ src/util/cert/cert_common.c \
+ $(NULL)
+libsss_certmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(NULL)
+libsss_certmap_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(NULL)
+libsss_certmap_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \
+ -version-info 0:0:0
+
+if HAVE_NSS
+libsss_certmap_la_SOURCES += \
+ src/lib/certmap/sss_cert_content_nss.c \
+ src/util/crypto/nss/nss_base64.c \
+ src/util/cert/nss/cert.c \
+ src/util/crypto/nss/nss_util.c \
+ $(NULL)
+libsss_certmap_la_CFLAGS += $(NSS_CFLAGS)
+libsss_certmap_la_LIBADD += $(NSS_LIBS)
+else
+libsss_certmap_la_SOURCES += \
+ src/lib/certmap/sss_cert_content_crypto.c \
+ src/util/crypto/libcrypto/crypto_base64.c \
+ src/util/cert/libcrypto/cert.c \
+ $(NULL)
+
+libsss_certmap_la_CFLAGS += $(CRYPTO_CFLAGS)
+libsss_certmap_la_LIBADD += $(CRYPTO_LIBS)
+endif
+
+dist_noinst_DATA += src/lib/certmap/sss_certmap.exports
+dist_noinst_HEADERS += src/lib/certmap/sss_certmap_int.h
+
+#################
+# Feature Tests #
+#################
+TESTS_ENVIRONMENT = LDB_MODULES_PATH=$(abs_top_builddir)/ldb_mod_test_dir \
+ SSS_TEST_DIR=$(TEST_DIR) \
+ ABS_TOP_SRCDIR=$(abs_top_srcdir) \
+ $(AUX_TESTS_ENVIRONMENT)
+
+ldb_mod_test_dir: memberof.la
+ $(MKDIR_P) $(builddir)/ldb_mod_test_dir
+ cp $(builddir)/.libs/memberof.so $(builddir)/ldb_mod_test_dir
+
+check_LTLIBRARIES = \
+ libsss_test_common.la
+
+libsss_test_common_la_SOURCES = \
+ src/tests/common_tev.c \
+ src/tests/common_dom.c \
+ src/tests/leak_check.c \
+ src/tests/common.c
+libsss_test_common_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+
+if HAVE_CHECK
+libsss_test_common_la_SOURCES += \
+ src/tests/common_check.c
+
+check_LTLIBRARIES += \
+ libdlopen_test_providers.la \
+ libsss_nss_idmap_tests.la \
+ $(NULL)
+
+if BUILD_SAMBA
+check_LTLIBRARIES += \
+ libsss_ad_tests.la \
+ libdlopen_test_winbind_idmap.la \
+ $(NULL)
+endif
+
+# libdlopen_test_providers is a helper library to provide missing symbols for
+# dlopen_tests. It is mainly used for the backend modules but is used as well
+# to provide __wrap_sss_nss_make_request_timeout needed make make dlopen_tests
+# pass for libsss_nss_idmap_tests.
+libdlopen_test_providers_la_SOURCES = \
+ $(sssd_be_SOURCES) \
+ src/tests/cmocka/wrap_sss_nss_make_request_timeout.c \
+ $(NULL)
+libdlopen_test_providers_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS) \
+ -DUNIT_TESTING
+libdlopen_test_providers_la_LIBADD = \
+ $(LIBADD_DL) \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
+ $(CARES_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+if BUILD_SYSTEMTAP
+libdlopen_test_providers_la_LIBADD += stap_generated_probes.lo
+endif
+libdlopen_test_providers_la_LDFLAGS = \
+ -shared \
+ -avoid-version \
+ -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \
+ -rpath $(abs_top_builddir) \
+ -export-dynamic
+
+libsss_nss_idmap_tests_la_SOURCES = $(libsss_nss_idmap_la_SOURCES)
+libsss_nss_idmap_tests_la_LIBADD = $(libsss_nss_idmap_la_LIBADD)
+libsss_nss_idmap_tests_la_LDFLAGS = \
+ $(libsss_nss_idmap_la_LDFLAGS) \
+ -shared \
+ -rpath $(libdir) \
+ -Wl,-wrap,sss_nss_make_request_timeout \
+ -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.unit_tests
+
+dist_noinst_DATA += src/sss_client/idmap/sss_nss_idmap.unit_tests
+
+libsss_ad_tests_la_SOURCES = $(libsss_ad_la_SOURCES)
+libsss_ad_tests_la_CFLAGS = $(libsss_ad_la_CFLAGS)
+libsss_ad_tests_la_LIBADD = \
+ $(libsss_ad_la_LIBADD) \
+ libdlopen_test_providers.la \
+ $(NULL)
+libsss_ad_tests_la_LDFLAGS = \
+ -shared \
+ -rpath $(abs_top_builddir) \
+ $(NULL)
+
+dlopen_tests_SOURCES = \
+ src/tests/dlopen-tests.c
+dlopen_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+dlopen_tests_LDADD = \
+ $(LIBADD_DL) \
+ $(CHECK_LIBS)
+
+EXTRA_sysdb_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+sysdb_tests_SOURCES = \
+ src/tests/sysdb-tests.c
+sysdb_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+sysdb_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+EXTRA_sysdb_ssh_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+sysdb_ssh_tests_SOURCES = \
+ src/tests/sysdb_ssh-tests.c
+sysdb_ssh_tests_CFLAGS = \
+ $(AM_CFLAGS)\
+ $(CHECK_CFLAGS)
+sysdb_ssh_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+strtonum_tests_SOURCES = \
+ src/tests/strtonum-tests.c \
+ src/util/strtonum.c
+strtonum_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+strtonum_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la
+
+krb5_utils_tests_SOURCES = \
+ src/tests/krb5_utils-tests.c \
+ src/providers/krb5/krb5_utils.c \
+ src/providers/krb5/krb5_ccache.c \
+ src/providers/krb5/krb5_common.c \
+ src/providers/krb5/krb5_opts.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ src/providers/data_provider_fo.c \
+ src/providers/data_provider_opts.c \
+ src/providers/data_provider_callbacks.c \
+ src/util/become_user.c \
+ $(SSSD_FAILOVER_OBJ) \
+ $(NULL)
+krb5_utils_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ $(CHECK_CFLAGS)
+krb5_utils_tests_LDADD = \
+ $(SSSD_LIBS)\
+ $(CARES_LIBS) \
+ $(KRB5_LIBS) \
+ $(CHECK_LIBS) \
+ $(PCRE_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+
+check_and_open_tests_SOURCES = \
+ src/tests/check_and_open-tests.c \
+ src/util/check_and_open.c
+check_and_open_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+check_and_open_tests_LDADD = \
+ libsss_debug.la \
+ $(CHECK_LIBS) \
+ libsss_test_common.la
+
+FILES_TESTS_LIBS = \
+ $(CHECK_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ libsss_test_common.la
+if BUILD_SELINUX
+ FILES_TESTS_LIBS += $(SELINUX_LIBS)
+endif
+if BUILD_SEMANAGE
+ FILES_TESTS_LIBS += $(SEMANAGE_LIBS)
+endif
+
+if HAVE_INOTIFY
+files_tests_SOURCES = \
+ src/tests/files-tests.c \
+ src/util/check_and_open.c \
+ src/util/atomic_io.c \
+ src/util/selinux.c \
+ src/util/files.c
+files_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+files_tests_LDADD = \
+ $(FILES_TESTS_LIBS) \
+ libsss_test_common.la \
+ $(SSSD_INTERNAL_LTLIBS)
+endif # HAVE_INOTIFY
+
+SSSD_RESOLV_TESTS_OBJ = \
+ $(SSSD_RESOLV_OBJ)
+
+resolv_tests_SOURCES = \
+ src/tests/resolv-tests.c \
+ src/tests/common.c \
+ $(SSSD_RESOLV_TESTS_OBJ)
+resolv_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS) \
+ -DBUILD_TXT
+resolv_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ $(CARES_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la
+
+refcount_tests_SOURCES = \
+ src/tests/refcount-tests.c \
+ $(NULL)
+refcount_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+refcount_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+fail_over_tests_SOURCES = \
+ src/tests/fail_over-tests.c \
+ $(SSSD_FAILOVER_OBJ) \
+ $(NULL)
+fail_over_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+fail_over_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ $(CARES_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+find_uid_tests_SOURCES = \
+ src/tests/find_uid-tests.c \
+ src/util/find_uid.c \
+ src/util/atomic_io.c \
+ src/util/strtonum.c
+find_uid_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(CHECK_CFLAGS) \
+ $(SYSTEMD_LOGIN_CFLAGS)
+find_uid_tests_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(CHECK_LIBS) \
+ $(SYSTEMD_LOGIN_LIBS) \
+ libsss_test_common.la
+
+auth_tests_SOURCES = \
+ src/tests/auth-tests.c
+auth_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+auth_tests_LDADD = \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+ipa_ldap_opt_tests_SOURCES = \
+ src/providers/data_provider_opts.c \
+ src/providers/ldap/sdap.c \
+ src/providers/ldap/sdap_range.c \
+ src/providers/ldap/sdap_domain.c \
+ src/providers/ldap/ldap_opts.c \
+ src/providers/ad/ad_opts.c \
+ src/providers/ipa/ipa_opts.c \
+ src/providers/krb5/krb5_opts.c \
+ src/util/sss_sockets.c \
+ src/util/sss_ldap.c \
+ src/tests/ipa_ldap_opt-tests.c
+ipa_ldap_opt_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+ipa_ldap_opt_tests_LDADD = \
+ $(CHECK_LIBS) \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \ +
$(SSSD_INTERNAL_LTLIBS) \ + $(OPENLDAP_LIBS) \ + libsss_test_common.la + +ad_ldap_opt_tests_SOURCES = \ + src/providers/ldap/ldap_opts.c \ + src/providers/ad/ad_opts.c \ + src/providers/krb5/krb5_opts.c \ + src/tests/ad_ldap_opt-tests.c +ad_ldap_opt_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +ad_ldap_opt_tests_LDADD = \ + $(CHECK_LIBS) \ + $(TALLOC_LIBS) \ + libsss_test_common.la + +util_tests_SOURCES = \ + src/tests/util-tests.c \ + $(NULL) +util_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) \ + $(NULL) +util_tests_LDADD = \ + $(SSSD_LIBS) \ + $(CHECK_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_test_common.la \ + $(NULL) + +safe_format_tests_SOURCES = \ + src/tests/safe-format-tests.c +safe_format_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +safe_format_tests_LDADD = \ + $(SSSD_LIBS) \ + $(CHECK_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_test_common.la + +debug_tests_SOURCES = \ + src/tests/debug-tests.c \ + src/tests/common.c +debug_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +debug_tests_LDADD = \ + $(SSSD_LIBS) \ + $(CHECK_LIBS) \ + libsss_debug.la + +crypto_tests_SOURCES = \ + src/tests/crypto-tests.c +crypto_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +crypto_tests_LDADD = \ + $(CHECK_LIBS) \ + $(POPT_LIBS) \ + $(TALLOC_LIBS) \ + libsss_crypt.la \ + libsss_debug.la \ + libsss_test_common.la + +ipa_hbac_tests_SOURCES = \ + src/tests/ipa_hbac-tests.c +ipa_hbac_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +ipa_hbac_tests_LDADD = \ + $(SSSD_LIBS) \ + $(CHECK_LIBS) \ + libsss_test_common.la \ + libipa_hbac.la + +sss_idmap_tests_SOURCES = \ + src/tests/sss_idmap-tests.c +sss_idmap_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +sss_idmap_tests_LDADD = \ + $(CHECK_LIBS) \ + $(TALLOC_LIBS) \ + libsss_test_common.la \ + libsss_idmap.la + +responder_socket_access_tests_SOURCES = \ + src/tests/responder_socket_access-tests.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + 
src/responder/common/responder_common.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/util/session_recording.c \ + $(SSSD_RESPONDER_IFACE_OBJ) \ + $(NULL) +responder_socket_access_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +responder_socket_access_tests_LDADD = \ + $(CHECK_LIBS) \ + $(SSSD_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ + libsss_test_common.la +endif + +stress_tests_SOURCES = \ + src/tests/stress-tests.c +stress_tests_LDADD = \ + $(SSSD_LIBS) \ + libsss_test_common.la + +krb5_child_test_SOURCES = \ + src/tests/krb5_child-test.c \ + src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_ccache.c \ + src/providers/krb5/krb5_child_handler.c \ + src/providers/krb5/krb5_common.c \ + src/providers/krb5/krb5_opts.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + src/providers/data_provider_fo.c \ + src/providers/data_provider_opts.c \ + src/providers/data_provider_callbacks.c \ + src/util/become_user.c \ + $(SSSD_FAILOVER_OBJ) \ + $(NULL) +krb5_child_test_CFLAGS = \ + $(AM_CFLAGS) \ + -DKRB5_CHILD_DIR=\"$(builddir)\" \ + $(KRB5_CFLAGS) \ + $(CHECK_CFLAGS) +krb5_child_test_LDADD = \ + $(SSSD_LIBS) \ + $(CARES_LIBS) \ + $(KRB5_LIBS) \ + $(CHECK_LIBS) \ + $(PCRE_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_test_common.la + +test_ssh_client_SOURCES = \ + src/tests/test_ssh_client.c \ + $(NULL) +test_ssh_client_CFLAGS = \ + $(AM_CFLAGS) \ + -DSSH_CLIENT_DIR=\"$(abs_top_builddir)\" \ + $(NULL) +test_ssh_client_LDADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(SSSD_LIBS) \ + $(NULL) + +if BUILD_DBUS_TESTS + +sbus_tests_SOURCES = \ + src/tests/common_dbus.c \ + src/tests/sbus_tests.c +sbus_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(CHECK_CFLAGS) +sbus_tests_LDADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(SSSD_LIBS) \ + $(CHECK_LIBS) + 
+sbus_codegen_tests_SOURCES = \
+ src/tests/common_dbus.c \
+ src/tests/sbus_codegen_tests.c \
+ src/tests/sbus_codegen_tests_generated.c \
+ $(NULL)
+sbus_codegen_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CHECK_CFLAGS)
+sbus_codegen_tests_LDADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SSSD_LIBS) \
+ $(CHECK_LIBS)
+
+endif # BUILD_DBUS_TESTS
+
+if HAVE_CMOCKA
+
+TEST_MOCK_RESP_OBJ = \
+ src/tests/cmocka/common_mock_resp.c \
+ src/tests/cmocka/common_mock_resp_dp.c \
+ src/responder/common/responder_packet.c \
+ src/responder/common/responder_cmd.c \
+ src/responder/common/negcache_files.c \
+ src/responder/common/negcache.c \
+ src/responder/common/responder_common.c \
+ src/responder/common/data_provider/rdp_message.c \
+ src/responder/common/data_provider/rdp_client.c \
+ src/responder/common/responder_utils.c \
+ src/util/session_recording.c \
+ $(SSSD_CACHE_REQ_OBJ) \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
+ $(NULL)
+
+TEST_MOCK_PROVIDER_OBJ = \
+ src/util/sss_sockets.c \
+ src/util/sss_ldap.c \
+ src/providers/data_provider_opts.c \
+ src/providers/ldap/ldap_opts.c \
+ src/providers/ldap/ldap_options.c \
+ src/providers/ldap/sdap_domain.c \
+ src/providers/ldap/sdap.c \
+ src/providers/ldap/sdap_utils.c \
+ src/providers/ldap/sdap_range.c \
+ src/tests/cmocka/common_mock_sdap.c \
+ src/tests/cmocka/common_mock_sysdb_objects.c
+
+EXTRA_nss_srv_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+nss_srv_tests_SOURCES = \
+ $(TEST_MOCK_RESP_OBJ) \
+ src/tests/cmocka/test_nss_srv.c \
+ src/responder/nss/nss_cmd.c \
+ src/responder/nss/nss_enum.c \
+ src/responder/nss/nss_get_object.c \
+ src/responder/nss/nss_protocol.c \
+ src/responder/nss/nss_protocol_pwent.c \
+ src/responder/nss/nss_protocol_grent.c \
+ src/responder/nss/nss_protocol_netgr.c \
+ src/responder/nss/nss_protocol_svcent.c \
+ src/responder/nss/nss_protocol_sid.c \
+ src/responder/nss/nss_utils.c \
+ src/responder/nss/nsssrv_mmap_cache.c
+nss_srv_tests_CFLAGS = \
+ $(AM_CFLAGS)
+nss_srv_tests_LDFLAGS = \
+ -Wl,-wrap,sss_ncache_check_user \
+ -Wl,-wrap,sss_ncache_check_upn \
+ -Wl,-wrap,sss_ncache_check_uid \
+ -Wl,-wrap,sss_ncache_check_sid \
+ -Wl,-wrap,sss_ncache_check_cert \
+ -Wl,-wrap,sss_packet_get_body \
+ -Wl,-wrap,sss_packet_get_cmd \
+ -Wl,-wrap,sss_cmd_send_empty \
+ -Wl,-wrap,sss_cmd_done
+nss_srv_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+ libsss_cert.la \
+ libsss_idmap.la
+
+EXTRA_pam_srv_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES) \
+ $(NULL)
+EXTRA_pam_srv_tests_DEPENDENCIES += p11_child
+pam_srv_tests_SOURCES = \
+ $(TEST_MOCK_RESP_OBJ) \
+ src/tests/cmocka/test_pam_srv.c \
+ src/sss_client/pam_message.c \
+ src/responder/pam/pamsrv_cmd.c \
+ src/responder/pam/pamsrv_p11.c \
+ src/responder/pam/pam_helpers.c \
+ src/responder/pam/pamsrv_dp.c \
+ src/responder/pam/pam_LOCAL_domain.c \
+ $(NULL)
+pam_srv_tests_CFLAGS = \
+ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+ -I$(abs_builddir)/src \
+ $(AM_CFLAGS) \
+ $(NULL)
+pam_srv_tests_LDFLAGS = \
+ -Wl,-wrap,sss_packet_get_body \
+ -Wl,-wrap,sss_packet_get_cmd \
+ -Wl,-wrap,sss_cmd_send_empty \
+ -Wl,-wrap,sss_cmd_done \
+ -Wl,-wrap,pam_dp_send_req \
+ $(NULL)
+pam_srv_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+ libsss_idmap.la \
+ libsss_certmap.la \
+ $(NULL)
+
+EXTRA_ssh_srv_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES) \
+ $(NULL)
+EXTRA_ssh_srv_tests_DEPENDENCIES += p11_child
+ssh_srv_tests_SOURCES = \
+ $(TEST_MOCK_RESP_OBJ) \
+ src/tests/cmocka/test_ssh_srv.c \
+ src/responder/ssh/ssh_cmd.c \
+ src/responder/ssh/ssh_known_hosts.c \
+ src/responder/ssh/ssh_protocol.c \
+ src/responder/ssh/ssh_reply.c \
+ src/util/cert/cert_common_p11_child.c \
+ $(NULL)
+ssh_srv_tests_CFLAGS = \
+ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+ -I$(abs_builddir)/src \
+ $(AM_CFLAGS) \
+ $(NULL)
+ssh_srv_tests_LDFLAGS = \
+ -Wl,-wrap,sss_packet_get_body \
+ -Wl,-wrap,sss_packet_get_cmd \
+ -Wl,-wrap,sss_cmd_send_empty \
+ -Wl,-wrap,sss_cmd_done \
+ -Wl,-wrap,ssh_dp_send_req \
+ $(NULL)
+ssh_srv_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+EXTRA_responder_get_domains_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+responder_get_domains_tests_SOURCES = \
+ $(SSSD_RESPONDER_OBJ) \
+ src/tests/cmocka/test_responder_common.c \
+ src/tests/cmocka/common_mock_resp.c
+responder_get_domains_tests_CFLAGS = \
+ $(AM_CFLAGS)
+responder_get_domains_tests_LDFLAGS = \
+ -Wl,-wrap,sss_parse_name_for_domains \
+ -Wl,-wrap,sss_ncache_reset_repopulate_permanent
+responder_get_domains_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la
+
+sbus_internal_tests_SOURCES = \
+ src/tests/cmocka/sbus_internal_tests.c \
+ src/sbus/sssd_dbus_request.c
+sbus_internal_tests_CFLAGS = \
+ $(AM_CFLAGS)
+sbus_internal_tests_LDFLAGS = \
+ -Wl,-wrap,dbus_bus_get \
+ -Wl,-wrap,dbus_pending_call_steal_reply \
+ -Wl,-wrap,dbus_pending_call_unref \
+ -Wl,-wrap,dbus_message_unref \
+ -Wl,-wrap,dbus_connection_unref \
+ -Wl,-wrap,dbus_connection_set_exit_on_disconnect \
+ -Wl,-wrap,hash_lookup
+sbus_internal_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ libsss_util.la \
+ libsss_crypt.la \
+ libsss_debug.la \
+ libsss_test_common.la
+
+config_check_tests_SOURCES = \
+ src/tests/cmocka/test_config_check.c \
+ $(NULL)
+config_check_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+config_check_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_find_uid_SOURCES = \
+ src/tests/cmocka/test_find_uid.c \
+ src/util/find_uid.c \
+ src/util/atomic_io.c \
+ src/util/strtonum.c
+test_find_uid_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(SYSTEMD_LOGIN_CFLAGS)
+test_find_uid_LDADD = \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(SYSTEMD_LOGIN_LIBS) \
+ libsss_debug.la
+
+test_io_SOURCES = \
+ src/tests/cmocka/test_io.c \
+ src/util/io.c \
+ src/tests/common.c
+test_io_CFLAGS = \
+ $(AM_CFLAGS)
+test_io_LDADD = \
+ $(CMOCKA_LIBS)
+
+EXTRA_test_negcache_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+test_negcache_SOURCES = \
+ $(SSSD_RESPONDER_OBJ) \
+ src/tests/cmocka/common_mock_resp.c \
+ src/tests/cmocka/test_negcache.c
+test_negcache_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(DHASH_CFLAGS)
+test_negcache_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libsss_idmap.la
+
+test_authtok_SOURCES = \
+ src/tests/cmocka/test_authtok.c \
+ src/util/authtok.c \
+ src/util/authtok-utils.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ $(NULL)
+test_authtok_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(NULL)
+test_authtok_LDADD = \
+ $(TALLOC_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
+ libsss_test_common.la \
+ libsss_debug.la \
+ $(NULL)
+
+sss_nss_idmap_tests_SOURCES = \
+ src/tests/cmocka/sss_nss_idmap-tests.c
+sss_nss_idmap_tests_CFLAGS = \
+ $(AM_CFLAGS)
+sss_nss_idmap_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ libsss_nss_idmap_tests.la \
+ $(NULL)
+
+deskprofile_utils_tests_SOURCES = \
+ src/tests/cmocka/test_deskprofile_utils.c \
+ src/providers/ipa/ipa_deskprofile_rules_util.c \
+ src/providers/ipa/ipa_rules_common.c
+deskprofile_utils_tests_CFLAGS = \
+ $(AM_CFLAGS)
+deskprofile_utils_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+EXTRA_dyndns_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+dyndns_tests_SOURCES = \
+ $(SSSD_RESOLV_OBJ) \
+ src/tests/cmocka/common_mock_be.c \
+ src/tests/cmocka/test_dyndns.c \
+ src/providers/data_provider_opts.c
+dyndns_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DDYNDNS_TIMEOUT=2
+dyndns_tests_LDFLAGS = \
+ -Wl,-wrap,execv \
+ -Wl,-wrap,getifaddrs \
+ -Wl,-wrap,freeifaddrs
+dyndns_tests_LDADD = \
+ $(CARES_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+domain_resolution_order_tests_SOURCES = \
+ src/tests/cmocka/test_domain_resolution_order.c \
+ src/responder/common/cache_req/cache_req_domain.c
+domain_resolution_order_tests_CFLAGS = \
+ $(AM_CFLAGS)
+domain_resolution_order_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+fqnames_tests_SOURCES = \
+ src/tests/cmocka/test_fqnames.c
+fqnames_tests_CFLAGS = \
+ $(AM_CFLAGS)
+fqnames_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+nestedgroups_tests_SOURCES = \
+ $(TEST_MOCK_PROVIDER_OBJ) \
+ src/providers/ldap/sdap_idmap.c \
+ src/tests/cmocka/test_nested_groups.c \
+ src/tests/cmocka/common_mock_be.c \
+ src/providers/ldap/sdap_async_nested_groups.c \
+ src/providers/ldap/sdap_ad_groups.c \
+ src/providers/ipa/ipa_dn.c \
+ $(NULL)
+nestedgroups_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DEXTERNAL_MEMBERS_CHUNK=1 \
+ $(NULL)
+nestedgroups_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_idmap.la \
+ libsss_test_common.la \
+ $(NULL)
+if BUILD_SYSTEMTAP
+nestedgroups_tests_LDADD += stap_generated_probes.lo
+endif
+
+test_sss_idmap_SOURCES = \
+ src/tests/cmocka/test_sss_idmap.c
+test_sss_idmap_CFLAGS = \
+ $(AM_CFLAGS)
+test_sss_idmap_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ libsss_idmap.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+test_ipa_idmap_SOURCES = \
+ src/tests/cmocka/test_ipa_idmap.c \
+ src/providers/ipa/ipa_idmap.c
+test_ipa_idmap_CFLAGS = \
+ $(AM_CFLAGS)
+test_ipa_idmap_LDFLAGS = \
+ -Wl,-wrap,sysdb_get_ranges
+test_ipa_idmap_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ libsss_idmap.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+test_utils_SOURCES = \
+ src/tests/cmocka/test_utils.c \
+ src/tests/cmocka/test_string_utils.c \
+ $(NULL)
+if BUILD_SSH
+test_utils_SOURCES += src/tests/cmocka/test_sss_ssh.c
+endif
+test_utils_CFLAGS = \
+ $(AM_CFLAGS)
+test_utils_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+test_search_bases_SOURCES = \
+ src/tests/cmocka/test_search_bases.c
+test_search_bases_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_ldap_auth_SOURCES = \
+ src/tests/cmocka/test_ldap_auth.c \
+ src/tests/cmocka/test_expire_common.c \
+ $(NULL)
+test_ldap_auth_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_ldap_id_cleanup_SOURCES = \
+ src/tests/cmocka/test_ldap_id_cleanup.c \
+ $(NULL)
+test_ldap_id_cleanup_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_sdap_access_SOURCES = \
+ src/tests/cmocka/test_sdap_access.c \
+ src/tests/cmocka/test_expire_common.c \
+ $(NULL)
+test_sdap_access_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_sdap_certmap_SOURCES = \
+ src/tests/cmocka/test_sdap_certmap.c \
+ src/providers/ldap/sdap_certmap.c \
+ $(NULL)
+test_sdap_certmap_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(NULL)
+test_sdap_certmap_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libsss_certmap.la \
+ $(NULL)
+
+ad_access_filter_tests_SOURCES = \
+ src/tests/cmocka/test_ad_access_filter.c
+ad_access_filter_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_ad_tests.la \
+ libsss_test_common.la \
+ $(NULL)
+
+ad_gpo_tests_SOURCES = \
+ src/tests/cmocka/test_ad_gpo.c
+ad_gpo_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NULL)
+ad_gpo_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NDR_NBT_LIBS) \
+ libsss_ldap_common.la \
+ libsss_idmap.la \
+ libsss_krb5_common.la \
+ libsss_ad_tests.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+ad_common_tests_SOURCES = \
+ $(libsss_krb5_common_la_SOURCES) \
+ src/tests/cmocka/common_mock_krb5.c \
+ src/tests/cmocka/test_ad_common.c \
+ src/providers/ad/ad_opts.c \
+ src/providers/ad/ad_pac.c \
+ src/providers/ad/ad_pac_common.c \
+ src/providers/ad/ad_domain_info.c \
+ src/providers/ldap/sdap_async_initgroups_ad.c \
+ $(NULL)
+ad_common_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(NULL)
+ad_common_tests_LDFLAGS = \
+ -Wl,-wrap,sdap_set_sasl_options \
+ -Wl,-wrap,krb5_kt_default \
+ $(NULL)
+ad_common_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(KEYUTILS_LIBS) \
+ $(NDR_NBT_LIBS) \
+ $(NDR_KRB5PAC_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_idmap.la \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+dp_opt_tests_SOURCES = \
+ src/providers/data_provider_opts.c \
+ src/tests/cmocka/test_dp_opts.c
+dp_opt_tests_CFLAGS = \
+ $(AM_CFLAGS)
+dp_opt_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la
+
+sdap_tests_SOURCES = \
+ src/providers/data_provider_opts.c \
+ src/providers/ldap/sdap_domain.c \
+ src/providers/ldap/sdap.c \
+ src/providers/ldap/sdap_range.c \
+ src/providers/ldap/ldap_opts.c \
+ src/providers/ipa/ipa_opts.c \
+ src/util/sss_sockets.c \
+ src/util/sss_ldap.c \
+ src/tests/cmocka/test_sdap.c \
+ $(NULL)
+sdap_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+sdap_tests_LDFLAGS = \
+ -Wl,-wrap,ldap_set_option \
+ -Wl,-wrap,ldap_get_dn \
+ -Wl,-wrap,ldap_memfree \
+ -Wl,-wrap,ldap_get_values_len \
+ -Wl,-wrap,ldap_value_free_len \
+ -Wl,-wrap,ldap_first_attribute \
+ -Wl,-wrap,ldap_next_attribute \
+ $(NULL)
+sdap_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(OPENLDAP_LIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+if BUILD_IFP
+ifp_tests_SOURCES = \
+ $(TEST_MOCK_RESP_OBJ) \
+ src/tests/cmocka/test_ifp.c \
+ src/responder/ifp/ifpsrv_cmd.c \
+ src/responder/ifp/ifp_iface_generated.c \
+ src/responder/ifp/ifpsrv_util.c \
+ $(NULL)
+ifp_tests_CFLAGS = \
+ $(AM_CFLAGS)
+ifp_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la
+
+sss_sifp_tests_SOURCES = \
+ src/tests/cmocka/test_sss_sifp.c \
+ src/lib/sifp/sss_sifp_attrs.c \
+ src/lib/sifp/sss_sifp_common.c \
+ src/lib/sifp/sss_sifp_parser.c \
+ src/lib/sifp/sss_sifp_utils.c \
+ src/lib/sifp/sss_sifp_dbus.c \
+ src/lib/sifp/sss_sifp.c
+sss_sifp_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ -I$(top_srcdir)/src/lib/sifp
+sss_sifp_tests_LDFLAGS = \
+ -Wl,-wrap,dbus_bus_get \
+ -Wl,-wrap,dbus_connection_send_with_reply_and_block
+sss_sifp_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(DBUS_LIBS) \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+endif # BUILD_IFP
+
+test_sysdb_views_SOURCES = \
+ src/tests/cmocka/test_sysdb_views.c \
+ src/providers/ipa/ipa_utils.c \
+ $(NULL)
+test_sysdb_views_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_views_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sysdb_ts_cache_SOURCES = \
+ src/tests/cmocka/test_sysdb_ts_cache.c \
+ src/providers/ipa/ipa_utils.c \
+ $(NULL)
+test_sysdb_ts_cache_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_ts_cache_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sysdb_subdomains_SOURCES = \
+ src/tests/cmocka/test_sysdb_subdomains.c \
+ $(NULL)
+test_sysdb_subdomains_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_subdomains_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sysdb_certmap_SOURCES = \
+ src/tests/cmocka/test_sysdb_certmap.c \
+ $(NULL)
+test_sysdb_certmap_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_certmap_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sysdb_sudo_SOURCES = \
+ src/tests/cmocka/test_sysdb_sudo.c \
+ $(NULL)
+test_sysdb_sudo_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_sudo_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sysdb_utils_SOURCES = \
+ src/tests/cmocka/test_sysdb_utils.c \
+ $(NULL)
+test_sysdb_utils_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_utils_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sysdb_domain_resolution_order_SOURCES = \
+ src/tests/cmocka/test_sysdb_domain_resolution_order.c \
+ $(NULL)
+test_sysdb_domain_resolution_order_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sysdb_domain_resolution_order_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(LDB_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_wbc_calls_SOURCES = \
+ src/tests/cmocka/test_wbc_calls.c \
+ src/sss_client/libwbclient/wbc_sid_sssd.c \
+ src/sss_client/libwbclient/wbclient_common.c \
+ src/sss_client/libwbclient/wbc_sid_common.c \
+ src/sss_client/common.c \
+ $(NULL)
+test_wbc_calls_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_wbc_calls_LDFLAGS = \
+ -Wl,-wrap,sss_nss_getnamebysid \
+ $(NULL)
+test_wbc_calls_LDADD = \
+ $(CLIENT_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libsss_nss_idmap.la \
+ $(NULL)
+
+test_be_ptask_SOURCES = \
+ src/tests/cmocka/common_mock_be.c \
+ src/tests/cmocka/test_be_ptask.c \
+ src/providers/be_ptask.c \
+ $(NULL)
+test_be_ptask_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_be_ptask_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_copy_ccache_SOURCES = \
+ src/tests/cmocka/test_copy_ccache.c \
+ src/providers/krb5/krb5_ccache.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ $(NULL)
+test_copy_ccache_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_copy_ccache_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_copy_keytab_SOURCES = \
+ src/tests/cmocka/common_mock_krb5.c \
+ src/tests/cmocka/test_copy_keytab.c \
+ src/providers/krb5/krb5_keytab.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ $(NULL)
+test_copy_keytab_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_copy_keytab_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+dummy_child_SOURCES = \
+ src/tests/cmocka/dummy_child.c \
+ $(NULL)
+dummy_child_LDADD = \
+ $(POPT_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+
+test_child_common_SOURCES = \
+ src/tests/cmocka/test_child_common.c \
+ src/util/child_common.c \
+ src/util/signal.c \
+ src/util/atomic_io.c \
+ src/util/util_errors.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ $(NULL)
+test_child_common_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DCHILD_DIR=\"$(builddir)\" \
+ $(NULL)
+test_child_common_LDFLAGS = \
+ -Wl,-wrap,child_io_destructor \
+ $(NULL)
+test_child_common_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ $(NULL)
+
+responder_cache_req_tests_SOURCES = \
+ $(TEST_MOCK_RESP_OBJ) \
+ src/tests/cmocka/test_responder_cache_req.c \
+ $(NULL)
+responder_cache_req_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+responder_cache_req_tests_LDFLAGS = \
+ -Wl,-wrap,sss_dp_get_account_send \
+ $(NULL)
+responder_cache_req_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sbus_opath_SOURCES = \
+ src/tests/cmocka/test_sbus_opath.c \
+ $(NULL)
+test_sbus_opath_CFLAGS = \
+ $(AM_CFLAGS)
+test_sbus_opath_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_debug.la \
+ libsss_test_common.la
+
+if HAVE_LIBRESOLV
+test_resolv_fake_SOURCES = \
+ src/tests/cmocka/test_resolv_fake.c \
+ src/resolv/async_resolv.c \
+ $(NULL)
+test_resolv_fake_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_resolv_fake_LDFLAGS = \
+ -Wl,-wrap,ares_query \
+ $(NULL)
+test_resolv_fake_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(CARES_LIBS) \
+ $(DHASH_LIBS) \
+ $(RESOLV_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ $(NULL)
+endif # HAVE_LIBRESOLV
+
+test_fo_srv_SOURCES = \
+ src/tests/cmocka/test_fo_srv.c \
+ src/providers/fail_over.c \
+ src/providers/fail_over_srv.c \
+ $(NULL)
+test_fo_srv_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_fo_srv_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(CARES_LIBS) \
+ $(DHASH_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_sdap_initgr_SOURCES = \
+ src/tests/cmocka/common_mock_sdap.c \
+ src/tests/cmocka/common_mock_sysdb_objects.c \
+ src/tests/cmocka/test_sdap_initgr.c \
+ $(NULL)
+test_sdap_initgr_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NULL)
+test_sdap_initgr_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_ad_subdom_SOURCES = \
+ src/tests/cmocka/test_ad_subdomains.c \
+ $(NULL)
+test_ad_subdom_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NULL)
+test_ad_subdom_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_ad_tests.la \
+ libsss_idmap.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_ipa_subdom_util_SOURCES = \
+ src/tests/cmocka/test_ipa_subdomains_utils.c \
+ src/providers/ipa/ipa_subdomains_utils.c \
+ $(NULL)
+test_ipa_subdom_util_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_ipa_subdom_util_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_ipa_subdom_server_SOURCES = \
+ $(libsss_krb5_common_la_SOURCES) \
+ src/tests/cmocka/common_mock_sdap.c \
+ src/tests/cmocka/common_mock_be.c \
+ src/tests/cmocka/common_mock_krb5.c \
+ src/tests/cmocka/test_ipa_subdomains_server.c \
+ src/providers/ipa/ipa_subdomains_server.c \
+ src/providers/ipa/ipa_subdomains_utils.c \
+ src/providers/ipa/ipa_opts.c \
+ $(NULL)
+test_ipa_subdom_server_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DIPA_TRUST_KEYTAB_DIR=TEST_DIR\"/tp_test_ipa_subdom_server-test_ipa_subdomains_server\" \
+ $(NULL)
+test_ipa_subdom_server_LDFLAGS = \
+ -Wl,-wrap,krb5_kt_default \
+ -Wl,-wrap,execle \
+ -Wl,-wrap,execve \
+ -Wl,-wrap,rename \
+ -Wl,-wrap,sss_unique_filename \
+ $(NULL)
+test_ipa_subdom_server_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(KEYUTILS_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_ad_tests.la \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_tools_colondb_SOURCES = \
+ src/tests/cmocka/test_tools_colondb.c \
+ src/tools/common/sss_colondb.c \
+ $(NULL)
+test_tools_colondb_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_tools_colondb_LDFLAGS = \
+ $(NULL)
+test_tools_colondb_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(POPT_LIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_krb5_wait_queue_SOURCES = \
+ src/tests/cmocka/common_mock_be.c \
+ src/tests/cmocka/test_krb5_wait_queue.c \
+ src/providers/krb5/krb5_wait_queue.c \
+ $(NULL)
+test_krb5_wait_queue_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_krb5_wait_queue_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_cert_utils_SOURCES = \
+ src/tests/cmocka/test_cert_utils.c \
+ src/util/cert/cert_common_p11_child.c \
+ $(NULL)
+test_cert_utils_CFLAGS = \
+ $(AM_CFLAGS) \
+ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \
+ -I$(abs_builddir)/src \
+ $(CRYPTO_CFLAGS) \
+ $(NULL)
+test_cert_utils_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(CRYPTO_LIBS) \
+ libsss_debug.la \
+ libsss_test_common.la \
+ libsss_cert.la \
+ libsss_crypt.la \
+ $(NULL)
+
+test_data_provider_be_SOURCES = \
+ src/providers/data_provider_be.c \
+ src/tests/cmocka/test_data_provider_be.c \
+ src/tests/cmocka/common_mock_be.c \
+ $(NULL)
+test_data_provider_be_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DUNIT_TESTING \
+ $(NULL)
+test_data_provider_be_LDFLAGS = \
+ -Wl,-wrap,_tevent_add_timer \
+ $(NULL)
+test_data_provider_be_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_dp_request_table_SOURCES = \
+ src/providers/data_provider/dp_request_table.c \
+ src/tests/cmocka/data_provider/test_dp_request_table.c \
+ $(NULL)
+test_dp_request_table_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DUNIT_TESTING \
+ $(NULL)
+test_dp_request_table_LDFLAGS = \
+ $(NULL)
+test_dp_request_table_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_dp_request_SOURCES = \
+ src/providers/data_provider/dp_request.c \
+ src/providers/data_provider/dp_modules.c \
+ src/providers/data_provider/dp_targets.c \
+ src/providers/data_provider/dp_methods.c \
+ src/providers/data_provider/dp_builtin.c \
+ src/tests/cmocka/data_provider/mock_dp.c \
+ src/tests/cmocka/data_provider/test_dp_request.c \
+ src/tests/cmocka/common_mock_be.c \
+ $(NULL)
+test_dp_request_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DUNIT_TESTING \
+ $(NULL)
+test_dp_request_LDFLAGS = \
+ -Wl,-wrap,be_is_offline \
+ $(NULL)
+test_dp_request_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
+ libsss_test_common.la \
+ $(NULL)
+if BUILD_SYSTEMTAP
+test_dp_request_LDADD += stap_generated_probes.lo
+endif
+
+test_dp_builtin_SOURCES = \
+ src/providers/data_provider/dp_modules.c \
+ src/providers/data_provider/dp_targets.c \
+ src/providers/data_provider/dp_methods.c \
+ src/providers/data_provider/dp_builtin.c \
+ src/tests/cmocka/data_provider/mock_dp.c \
+ src/tests/cmocka/data_provider/test_dp_builtin.c \
+ src/tests/cmocka/common_mock_be.c \
+ $(NULL)
+test_dp_builtin_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DUNIT_TESTING \
+ $(NULL)
+test_dp_builtin_LDFLAGS = \
+ $(NULL)
+test_dp_builtin_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_ipa_dn_SOURCES = \
+ src/providers/ipa/ipa_dn.c \
+ src/tests/cmocka/test_ipa_dn.c \
+ $(NULL)
+test_ipa_dn_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+ $(TEVENT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_iobuf_SOURCES = \
+ src/util/sss_iobuf.c \
+ src/tests/cmocka/test_iobuf.c \
+ $(NULL)
+test_iobuf_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_iobuf_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(NULL)
+
+EXTRA_simple_access_tests_DEPENDENCIES = \
+ $(ldblib_LTLIBRARIES)
+simple_access_tests_SOURCES = \
+ src/tests/cmocka/test_simple_access.c \
+ src/tests/cmocka/common_mock_be.c \
+ src/providers/simple/simple_access.c \
+ src/providers/simple/simple_access_check.c \
+ $(NULL)
+simple_access_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+simple_access_tests_LDFLAGS = \
+ $(NULL)
+simple_access_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+krb5_common_test_SOURCES = \
+ src/tests/cmocka/test_krb5_common.c \
+ $(NULL)
+krb5_common_test_CFLAGS = \
+ $(KRB5_CFLAGS) \
+ $(AM_CFLAGS) \
+ $(NULL)
+krb5_common_test_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ libsss_krb5_common.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libdlopen_test_providers.la \
+ $(NULL)
+
+test_inotify_SOURCES = \
+ src/util/inotify.c \
+ src/tests/cmocka/test_inotify.c \
+ $(NULL)
+test_inotify_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_inotify_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(LIBADD_DL) \
+ libsss_test_common.la \
+ $(NULL)
+
+sss_certmap_test_SOURCES = \
+ src/tests/cmocka/test_certmap.c \
+ src/lib/certmap/sss_certmap_attr_names.c \
+ $(NULL)
+sss_certmap_test_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NSS_CFLAGS) \
+ -I$(abs_builddir)/src \
+ $(NULL)
+sss_certmap_test_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(NSS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ libsss_certmap.la \
+ $(NULL)
+
+test_sssd_krb5_locator_plugin_SOURCES = \
+ src/tests/cmocka/test_sssd_krb5_locator_plugin.c \
+ src/krb5_plugin/sssd_krb5_locator_plugin.c \
+ $(NULL)
+test_sssd_krb5_locator_plugin_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(TALLOC_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ -DTEST_PUBCONF_PATH=\"$(abs_builddir)/src/tests/cmocka/pubconf\" \
+ $(NULL)
+test_sssd_krb5_locator_plugin_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(KRB5_LIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+if BUILD_KCM
+test_kcm_json_SOURCES = \
+ src/tests/cmocka/test_kcm_json_marshalling.c \
+ src/responder/kcm/kcmsrv_ccache_json.c \
+ src/responder/kcm/kcmsrv_ccache.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ $(NULL)
+test_kcm_json_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(UUID_CFLAGS) \
+ $(NULL)
+test_kcm_json_LDADD = \
+ $(JANSSON_LIBS) \
+ $(UUID_LIBS) \
+ $(KRB5_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+test_kcm_queue_SOURCES = \
+ src/tests/cmocka/test_kcm_queue.c \
+ src/responder/kcm/kcmsrv_op_queue.c \
+ $(NULL)
+test_kcm_queue_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_kcm_queue_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_test_common.la \
+ $(NULL)
+
+endif # BUILD_KCM
+
+endif # HAVE_CMOCKA
+
+noinst_PROGRAMS =
+if BUILD_SUDO
+noinst_PROGRAMS += sss_sudo_cli
+endif
+if BUILD_AUTOFS
+noinst_PROGRAMS += autofs_test_client
+endif
+if BUILD_WITH_LIBCURL
+noinst_PROGRAMS += tcurl-test-tool
+endif
+if BUILD_PAC_RESPONDER
+ noinst_PROGRAMS += sssd_pac_test_client
+endif
+
+if BUILD_AUTOFS
+autofs_test_client_SOURCES = \
+ src/sss_client/autofs/autofs_test_client.c \
+ src/sss_client/autofs/sss_autofs.c \
+ src/sss_client/common.c
+autofs_test_client_CFLAGS = $(AM_CFLAGS)
+autofs_test_client_LDADD = -lpopt $(CLIENT_LIBS)
+endif
+
+if BUILD_WITH_LIBCURL
+tcurl_test_tool_SOURCES = \
+ src/tests/tcurl_test_tool.c \
+ src/util/tev_curl.c \
+ src/util/sss_iobuf.c \
+ $(NULL)
+tcurl_test_tool_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(CURL_CFLAGS) \
+ $(NULL)
+tcurl_test_tool_LDADD = \
+ $(CURL_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+endif
+
+if BUILD_KRB5_LOCALAUTH_PLUGIN
+test_sssd_krb5_localauth_plugin_SOURCES = \
+ src/tests/cmocka/test_sssd_krb5_localauth_plugin.c \
+ src/krb5_plugin/sssd_krb5_localauth_plugin.c \
+ $(NULL)
+test_sssd_krb5_localauth_plugin_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+test_sssd_krb5_localauth_plugin_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(KRB5_LIBS) \
+ $(NULL)
+endif
+
+#####################
+# Integration tests #
+#####################
+
+intgcheck-prepare:
+ set -e; \
+ rm -Rf intg; \
+ $(MKDIR_P) intg/bld; \
+ : Use /hopefully/ short prefix to keep D-Bus socket path short; \
+ prefix=`mktemp --dry-run --tmpdir --directory sssd-intg.XXXXXXXX`; \
+ prefix=`echo $$prefix | tr '[:upper:]' '[:lower:]'`; \
+ mkdir -p $$prefix; \
+ $(LN_S) "$$prefix" intg/pfx; \
+ cd intg/bld; \
+ $(abs_top_srcdir)/configure \
+ --prefix="$$prefix" \
+ --with-ldb-lib-dir="$$prefix"/lib/ldb \
+ --enable-intgcheck-reqs \
+ --without-semanage \
+ --with-session-recording-shell=/bin/false \
+ $(INTGCHECK_CONFIGURE_FLAGS) \
+ CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \
+ $(MAKE) $(AM_MAKEFLAGS) ; \
+ $(MAKE) $(AM_MAKEFLAGS) test_ssh_client; \
+ : Force single-thread install to workaround concurrency issues; \
+ $(MAKE) $(AM_MAKEFLAGS) -j1 install; \
+ : Remove .la files from LDB module directory to avoid loader warnings; \
+ rm "$$prefix"/lib/ldb/*.la; \
+ cd ../..
+
+intgcheck-run:
+ set -e; \
+ if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-prepare; fi; \
+ cd intg/bld; \
+ $(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \
+ cd ../..
+
+intgcheck-clean:
+ set -e; \
+ prefix=`readlink -e intg/pfx`; \
+ rm -Rf "$$prefix" intg
+
+intgcheck:
+ $(MAKE) intgcheck-prepare
+ $(MAKE) intgcheck-run
+ $(MAKE) intgcheck-clean
+
+####################
+# Client Libraries #
+####################
+
+nsslib_LTLIBRARIES = libnss_sss.la
+libnss_sss_la_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/nss_passwd.c \
+ src/sss_client/nss_group.c \
+ src/sss_client/nss_netgroup.c \
+ src/sss_client/nss_services.c \
+ src/sss_client/sss_cli.h \
+ src/sss_client/nss_compat.h \
+ src/sss_client/nss_common.h \
+ src/sss_client/common_private.h \
+ src/sss_client/nss_mc_common.c \
+ src/util/io.c \
+ src/util/murmurhash3.c \
+ src/sss_client/nss_mc_passwd.c \
+ src/sss_client/nss_mc_group.c \
+ src/sss_client/nss_mc_initgr.c \
+ src/sss_client/nss_mc.h
+libnss_sss_la_LIBADD = \
+ $(CLIENT_LIBS)
+libnss_sss_la_LDFLAGS = \
+ -module \
+ -version-info 2:0:0 \
+ -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports
+
+if BUILD_NFS_IDMAP
+nfslib_LTLIBRARIES = sss.la
+sss_la_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/nss_mc_common.c \
+ src/util/io.c \
+ src/util/murmurhash3.c \
+ src/sss_client/nss_mc_passwd.c \
+ src/sss_client/nss_mc_group.c \
+ src/sss_client/nfs/sss_nfs_client.c \
+ $(NULL)
+sss_la_CFLAGS = $(AM_CFLAGS)
+sss_la_LIBADD = \
+ $(CLIENT_LIBS) \
+ $(NFSIDMAP_LIBS) \
+ $(NULL)
+sss_la_LDFLAGS = \
+ -module \
+ -avoid-version \
+ $(NULL)
+endif
+
+pamlib_LTLIBRARIES = pam_sss.la
+pam_sss_la_SOURCES = \
+ src/sss_client/pam_sss.c \
+ src/sss_client/pam_message.c \
+ src/sss_client/common.c \
+ src/sss_client/sss_cli.h \
+ src/util/atomic_io.c \
+ src/util/authtok-utils.c \
+ src/sss_client/sss_pam_macros.h \
+ src/sss_client/sss_pam_compat.h
+
+pam_sss_la_LIBADD = \
+ $(CLIENT_LIBS) \
+ $(PAM_LIBS)
+pam_sss_la_LDFLAGS = \
+ -module \
+ -avoid-version \
+ -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports
+
+if BUILD_SUDO
+
+libsss_sudo_la_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/sss_cli.h \
+ src/sss_client/sudo/sss_sudo_response.c \
+ src/sss_client/sudo/sss_sudo.c \
+ src/sss_client/sudo/sss_sudo.h \
+ src/sss_client/sudo/sss_sudo_private.h
+libsss_sudo_la_LIBADD = \
+ $(CLIENT_LIBS)
+libsss_sudo_la_LDFLAGS = \
+ -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \
+ -module \
+ -avoid-version
+
+sudolib_LTLIBRARIES = libsss_sudo.la
+
+endif
+
+if BUILD_AUTOFS
+autofslib_LTLIBRARIES = libsss_autofs.la
+libsss_autofs_la_SOURCES = \
+ src/sss_client/common.c \
+ src/sss_client/sss_cli.h \
+ src/sss_client/autofs/sss_autofs.c \
+ src/sss_client/autofs/sss_autofs_private.h
+
+libsss_autofs_la_LIBADD = \
+ $(CLIENT_LIBS)
+libsss_autofs_la_LDFLAGS = \
+ -module \
+ -avoid-version \
+ -Wl,--version-script,$(srcdir)/src/sss_client/autofs/sss_autofs.exports
+endif
+
+dist_noinst_DATA += \
+ src/sss_client/sss_nss.exports \
+ src/sss_client/sss_pam.exports
+if BUILD_SUDO
+dist_noinst_DATA += src/sss_client/sss_sudo.exports
+endif
+
+if BUILD_AUTOFS
+dist_noinst_DATA += src/sss_client/autofs/sss_autofs.exports
+endif
+
+####################
+# Plugin Libraries #
+####################
+
+# libsss_krb5_common must be installed before libsss_ldap_common
+# because libtool tries to relink libsss_ldap_common when installing
+# libsss_ldap_common and therefore make distcheck fails
+pkglib_LTLIBRARIES += libsss_krb5_common.la
+pkglib_LTLIBRARIES += libsss_ldap_common.la
+libsss_ldap_common_la_SOURCES = \
+ src/providers/ldap/ldap_id.c \
+ src/providers/ldap/ldap_id_enum.c \
+ src/providers/ldap/sdap_async_enum.c \
+ src/providers/ldap/ldap_id_cleanup.c \
+ src/providers/ldap/ldap_id_netgroup.c \
+ src/providers/ldap/ldap_id_services.c \
+ src/providers/ldap/ldap_auth.c \
+ src/providers/ldap/ldap_common.c \
+ src/providers/ldap/ldap_options.c \
+ src/providers/ldap/ldap_opts.c \
+ src/providers/ldap/sdap_access.c \
+ src/providers/ldap/sdap_async.c \
+ src/providers/ldap/sdap_async_users.c \
+ src/providers/ldap/sdap_async_groups.c \
+ src/providers/ldap/sdap_async_nested_groups.c \
+ src/providers/ldap/sdap_async_groups_ad.c \
+ src/providers/ldap/sdap_async_initgroups.c \
+ src/providers/ldap/sdap_async_initgroups_ad.c \
+ src/providers/ldap/sdap_async_connection.c \
+ src/providers/ldap/sdap_async_netgroups.c \
+ src/providers/ldap/sdap_async_hosts.c \
+ src/providers/ldap/sdap_async_services.c \
+ src/providers/ldap/sdap_online_check.c \
+ src/providers/ldap/sdap_ad_groups.c \
+ src/providers/ldap/sdap_child_helpers.c \
+ src/providers/ldap/sdap_fd_events.c \
+ src/providers/ldap/sdap_hostid.h \
+ src/providers/ldap/sdap_id_op.c \
+ src/providers/ldap/sdap_certmap.c \
+ src/providers/ldap/sdap_idmap.c \
+ src/providers/ldap/sdap_idmap.h \
+ src/providers/ldap/sdap_range.c \
+ src/providers/ldap/sdap_reinit.c \
+ src/providers/ldap/sdap_dyndns.c \
+ src/providers/ldap/sdap_refresh.c \
+ src/providers/ldap/sdap_utils.c \
+ src/providers/ldap/sdap_domain.c \
+ src/providers/ldap/sdap_ops.c \
+ src/providers/ldap/sdap.c \
+ src/providers/ipa/ipa_dn.c \
+ src/util/user_info_msg.c \
+ src/util/sss_sockets.c \
+ src/util/sss_ldap.c \
+ $(NULL)
+libsss_ldap_common_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ $(NULL)
+libsss_ldap_common_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(DHASH_LIBS) \
+ $(KRB5_LIBS) \
+ libsss_krb5_common.la \
+ libsss_idmap.la \
+ libsss_certmap.la \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+libsss_ldap_common_la_LDFLAGS = \
+ -avoid-version \
+ $(NULL)
+if BUILD_SYSTEMTAP
+libsss_ldap_common_la_LIBADD += stap_generated_probes.lo
+endif
+
+if BUILD_SSH
+libsss_ldap_common_la_SOURCES += src/providers/ldap/sdap_hostid.c
+endif
+
+if BUILD_SUDO
+libsss_ldap_common_la_SOURCES += \
+ src/providers/ldap/sdap_async_sudo.c \
+ src/providers/ldap/sdap_async_sudo_hostinfo.c \
+ src/providers/ldap/sdap_sudo_refresh.c \
+ src/providers/ldap/sdap_sudo_shared.c \
+ src/providers/ldap/sdap_sudo.c
+endif
+
+if BUILD_AUTOFS
+libsss_ldap_common_la_SOURCES += \
+ src/providers/ldap/sdap_autofs.c \
+ src/providers/ldap/sdap_async_autofs.c
+endif
+
+libsss_krb5_common_la_SOURCES = \
+ src/providers/krb5/krb5_utils.c \
+ src/providers/krb5/krb5_delayed_online_authentication.c \
+ src/providers/krb5/krb5_renew_tgt.c \
+ src/providers/krb5/krb5_wait_queue.c \
+ src/providers/krb5/krb5_common.c \
+ src/providers/krb5/krb5_opts.c \
+ src/providers/krb5/krb5_auth.c \
+ src/providers/krb5/krb5_access.c \
+ src/providers/krb5/krb5_child_handler.c \
+ src/providers/krb5/krb5_init_shared.c \
+ src/providers/krb5/krb5_ccache.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ src/util/become_user.c \
+ $(NULL)
+libsss_krb5_common_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS)
+libsss_krb5_common_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(KEYUTILS_LIBS) \
+ $(DHASH_LIBS) \
+ $(KRB5_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+libsss_krb5_common_la_LDFLAGS = \
+ -avoid-version
+
+libsss_ldap_la_SOURCES = \
+ src/providers/ldap/ldap_init.c \
+ src/providers/ldap/ldap_access.c
+libsss_ldap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(OPENLDAP_CFLAGS)
+libsss_ldap_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_krb5_common.la
+libsss_ldap_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+
+libsss_proxy_la_SOURCES = \
+ src/providers/proxy/proxy_init.c \
+ src/providers/proxy/proxy_client.c \
+ src/providers/proxy/proxy_id.c \
+ src/providers/proxy/proxy_netgroup.c \
+ src/providers/proxy/proxy_services.c \
+ src/providers/proxy/proxy_auth.c \
+ src/providers/proxy/proxy_iface_generated.c \
+ $(NULL)
+libsss_proxy_la_CFLAGS = \
+ $(AM_CFLAGS)
+libsss_proxy_la_LIBADD = \
+ $(LIBADD_DL) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(PAM_LIBS) \
+ $(DHASH_LIBS) \
+ $(DBUS_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+libsss_proxy_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+libsss_files_la_SOURCES = \
+ src/providers/files/files_init.c \
+ src/providers/files/files_id.c \
+ src/providers/files/files_ops.c \
+ src/util/inotify.c \
+ $(NULL)
+libsss_files_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+libsss_files_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(PAM_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+libsss_files_la_LDFLAGS = \
+ -avoid-version \
+ -module \
+ $(NULL)
+
+libsss_simple_la_SOURCES = \
+ src/providers/simple/simple_access_check.c \
+ src/providers/simple/simple_access.c
+libsss_simple_la_CFLAGS = \
+ $(AM_CFLAGS)
+libsss_simple_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(LDB_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(NULL)
+libsss_simple_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+libsss_krb5_la_SOURCES = \
+ src/providers/krb5/krb5_init.c
+libsss_krb5_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(KRB5_CFLAGS)
+libsss_krb5_la_LIBADD = \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(KRB5_LIBS) \
+ $(PCRE_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_krb5_common.la
+libsss_krb5_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+libsss_ipa_la_SOURCES = \
+ src/providers/ipa/ipa_init.c \
+ src/providers/ipa/ipa_opts.c \
+ src/providers/ipa/ipa_common.c \
+ src/providers/ipa/ipa_config.c \
+ src/providers/ipa/ipa_id.c \
+ src/providers/ipa/ipa_netgroups.c \
+ src/providers/ipa/ipa_auth.c \
+ src/providers/ipa/ipa_access.c \
+ src/providers/ipa/ipa_dyndns.c \
+ src/providers/ipa/ipa_hosts.c \
+ src/providers/ipa/ipa_subdomains.c \
+ src/providers/ipa/ipa_subdomains_id.c \
+ src/providers/ipa/ipa_subdomains_server.c \
+ src/providers/ipa/ipa_subdomains_utils.c \
+ src/providers/ipa/ipa_subdomains_ext_groups.c \
+ src/providers/ipa/ipa_views.c \
+ src/providers/ipa/ipa_utils.c \
+ src/providers/ipa/ipa_s2n_exop.c \
+ src/providers/ipa/ipa_hbac_hosts.c \
+ src/providers/ipa/ipa_hbac_private.h \
+ src/providers/ipa/ipa_hbac_rules.c \
+ src/providers/ipa/ipa_hbac_rules.h \
+ src/providers/ipa/ipa_hbac_services.c \
+ src/providers/ipa/ipa_hbac_users.c \
+ src/providers/ipa/ipa_hbac_common.c \
+ src/providers/ipa/ipa_rules_common.c \
+ src/providers/ipa/ipa_rules_common.h \
+ src/providers/ipa/ipa_session.c \
+ src/providers/ipa/ipa_deskprofile_private.h \
+ src/providers/ipa/ipa_deskprofile_config.c \
+ src/providers/ipa/ipa_deskprofile_config.h \
+ src/providers/ipa/ipa_deskprofile_rules.c \
+ src/providers/ipa/ipa_deskprofile_rules.h \
+ src/providers/ipa/ipa_deskprofile_rules_util.c \
+ src/providers/ipa/ipa_deskprofile_rules_util.h \
+ src/providers/ipa/ipa_srv.c \
+ src/providers/ipa/ipa_idmap.c \
+ src/providers/ipa/ipa_dn.c \
+ src/providers/ad/ad_opts.c \
+ src/providers/ad/ad_common.c \
+ src/providers/ad/ad_dyndns.c \
+ src/providers/ad/ad_id.c \
+ src/providers/ad/ad_pac.c \
+ src/providers/ad/ad_pac_common.c \
+ src/providers/ad/ad_srv.c \
+ src/providers/ad/ad_domain_info.c
+libsss_ipa_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(OPENLDAP_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(KRB5_CFLAGS)
+libsss_ipa_la_LIBADD = \
+ $(LDB_LIBS) \
+ $(DBUS_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(DHASH_LIBS) \
+ $(NDR_NBT_LIBS) \
+ $(NDR_KRB5PAC_LIBS) \
+ $(KRB5_LIBS) \
+ $(SELINUX_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ libsss_ldap_common.la \
+ libsss_krb5_common.la \
+ libipa_hbac.la \
+ libsss_idmap.la \
+ libsss_semanage.la \
+ $(NULL)
+libsss_ipa_la_LDFLAGS = \
+ -avoid-version \
+ -module
+if BUILD_AUTOFS
+libsss_ipa_la_SOURCES += \
+ src/providers/ipa/ipa_autofs.c
+endif
+
+if BUILD_SUDO
+libsss_ipa_la_SOURCES += \
+ src/providers/ipa/ipa_sudo.c \
+ src/providers/ipa/ipa_sudo_refresh.c \
+ src/providers/ipa/ipa_sudo_conversion.c \
+ src/providers/ipa/ipa_sudo_async.c
+endif
+
+if BUILD_SEMANAGE
+libsss_ipa_la_SOURCES += \
+ src/providers/ipa/ipa_selinux.c \
+ src/providers/ipa/ipa_selinux_maps.c
+endif
+
+if BUILD_SSH
+libsss_ipa_la_SOURCES += src/providers/ipa/ipa_hostid.c
+endif
+
+
+libsss_ad_la_SOURCES = \
+ src/providers/ad/ad_opts.c \
+ src/providers/ad/ad_common.c \
+ src/providers/ad/ad_init.c \
+ src/providers/ad/ad_dyndns.c \
+ src/providers/ad/ad_machine_pw_renewal.c \
+ src/providers/ad/ad_id.c \
+ src/providers/ad/ad_pac.c \
+ src/providers/ad/ad_pac_common.c \
+ src/providers/ad/ad_access.c \
+ src/providers/ad/ad_gpo.c \
+ src/providers/ad/ad_gpo_ndr.c \
+ src/providers/ad/ad_srv.c \
+ src/providers/ad/ad_subdomains.c \
+ src/providers/ad/ad_domain_info.c
+
+if BUILD_SUDO
+libsss_ad_la_SOURCES += \
+ src/providers/ad/ad_sudo.c
+endif
+
+if BUILD_AUTOFS
+libsss_ad_la_SOURCES += \
+ src/providers/ad/ad_autofs.c
+endif
+
+libsss_ad_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(OPENLDAP_CFLAGS) \
+ $(SASL_CFLAGS) \
+ $(DHASH_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ $(NDR_NBT_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(SMBCLIENT_CFLAGS)
+libsss_ad_la_LIBADD = \
+ $(LDB_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(SASL_LIBS) \
+ $(DHASH_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ $(KRB5_LIBS) \
+ $(NDR_NBT_LIBS) \
+ $(NDR_KRB5PAC_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(SMBCLIENT_LIBS) \
+ libsss_ldap_common.la \
+ libsss_krb5_common.la \
+ libsss_idmap.la
+libsss_ad_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+krb5_child_SOURCES = \
+ src/providers/krb5/krb5_child.c \
+ src/providers/krb5/krb5_ccache.c \
+ src/providers/krb5/krb5_keytab.c \
+ src/providers/dp_pam_data_util.c \
+ src/util/user_info_msg.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ src/util/find_uid.c \
+ src/util/atomic_io.c \
+ src/util/authtok.c \
+ src/util/authtok-utils.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ src/util/signal.c \
+ src/util/strtonum.c \
+ src/util/become_user.c \
+ src/util/util_errors.c \
+ src/sss_client/common.c \
+ $(NULL)
+krb5_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ $(SYSTEMD_LOGIN_CFLAGS) \
+ $(NULL)
+krb5_child_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(KRB5_LIBS) \
+ $(CLIENT_LIBS) \
+ $(SYSTEMD_LOGIN_LIBS) \
+ $(NULL)
+
+ldap_child_SOURCES = \
+ src/providers/ldap/ldap_child.c \
+ src/providers/krb5/krb5_keytab.c \
+ src/util/sss_krb5.c \
+ src/util/sss_iobuf.c \
+ src/util/atomic_io.c \
+ src/util/authtok.c \
+ src/util/authtok-utils.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ src/util/signal.c \
+ src/util/become_user.c \
+ $(NULL)
+ldap_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(KRB5_CFLAGS)
+ldap_child_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(KRB5_LIBS)
+
+if BUILD_SEMANAGE
+selinux_child_SOURCES = \
+ src/providers/ipa/selinux_child.c \
+ src/util/sss_semanage.c \
+ src/util/atomic_io.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ src/util/util_errors.c
+ $(NULL)
+selinux_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(NULL)
+selinux_child_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(SEMANAGE_LIBS) \
+ $(SELINUX_LIBS) \
+ $(NULL)
+endif
+
+gpo_child_SOURCES = \
+ src/providers/ad/ad_gpo_child.c \
+ src/util/atomic_io.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ src/util/signal.c
+gpo_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(KRB5_CFLAGS) \
+ $(INI_CONFIG_CFLAGS) \
+ $(SMBCLIENT_CFLAGS)
+gpo_child_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ $(SMBCLIENT_LIBS)
+
+proxy_child_SOURCES = \
+ src/providers/proxy/proxy_child.c \
+ src/providers/proxy/proxy_iface_generated.c \
+ $(NULL)
+proxy_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS)
+proxy_child_LDADD = \
+ $(PAM_LIBS) \
+ $(SSSD_LIBS) \
+ $(SSSD_INTERNAL_LTLIBS)
+
+p11_child_SOURCES = \
+ src/p11_child/p11_child_common.c \
+ src/util/atomic_io.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ $(NULL)
+if HAVE_NSS
+p11_child_SOURCES += src/p11_child/p11_child_nss.c
+else
+p11_child_SOURCES += src/p11_child/p11_child_openssl.c
+endif
+
+p11_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(NULL)
+if HAVE_NSS
+p11_child_CFLAGS += \
+ $(NSS_CFLAGS) \
+ $(NULL)
+else
+p11_child_CFLAGS += \
+ $(P11_KIT_CFLAGS) \
+ $(CRYPTO_CFLAGS) \
+ $(SSL_CFLAGS) \
+ $(NULL)
+endif
+
+p11_child_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(DHASH_LIBS) \
+ $(POPT_LIBS) \
+ libsss_crypt.la \
+ $(NULL)
+if HAVE_NSS
+p11_child_LDADD += \
+ $(NSS_LIBS) \
+ $(NULL)
+else
+p11_child_LDADD += \
+ $(P11_KIT_LIBS) \
+ $(CRYPTO_LIBS) \
+ $(SSL_LIBS) \
+ $(NULL)
+endif
+
+memberof_la_SOURCES = \
+ src/ldb_modules/memberof.c \
+ src/util/util.c \
+ src/util/util_ext.c \
+ $(NULL)
+memberof_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+memberof_la_LIBADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(LDB_LIBS) \
+ $(DHASH_LIBS) \
+ $(NULL)
+memberof_la_LDFLAGS = \
+ -avoid-version \
+ -module \
+ $(NULL)
+
+if BUILD_KRB5_LOCATOR_PLUGIN
+sssd_krb5_locator_plugin_la_SOURCES = \
+ src/krb5_plugin/sssd_krb5_locator_plugin.c \
+ src/util/atomic_io.c
+sssd_krb5_locator_plugin_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS)
+sssd_krb5_locator_plugin_la_LDFLAGS = \
+ -avoid-version \
+ -module
+endif
+
+if BUILD_KRB5_LOCALAUTH_PLUGIN
+sssd_krb5_localauth_plugin_la_SOURCES = \
+ src/krb5_plugin/sssd_krb5_localauth_plugin.c \
+ src/util/murmurhash3.c \
+ src/util/io.c \
+ src/sss_client/common.c \
+ src/sss_client/nss_mc_common.c \
+ src/sss_client/nss_mc_passwd.c \
+ src/sss_client/nss_passwd.c
+sssd_krb5_localauth_plugin_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS)
+sssd_krb5_localauth_plugin_la_LIBADD = \
+ $(KRB5_LIBS)
+sssd_krb5_localauth_plugin_la_LDFLAGS = \
+ -avoid-version \
+ -module
+endif
+
+sssd_pac_plugin_la_SOURCES = \
+ src/sss_client/sssd_pac.c \
+ src/sss_client/common.c \
+ src/sss_client/sss_cli.h \
+ src/sss_client/krb5_authdata_int.h
+sssd_pac_plugin_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(KRB5_CFLAGS)
+sssd_pac_plugin_la_LIBADD = \
+ $(CLIENT_LIBS) \
+ $(KRB5_LIBS)
+sssd_pac_plugin_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+sssd_pac_test_client_SOURCES = \
+ src/sss_client/sss_pac_responder_client.c \
+ src/sss_client/common.c \
+ src/util/strtonum.c \
+ $(NULL)
+sssd_pac_test_client_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+sssd_pac_test_client_LDADD = \
+ $(CLIENT_LIBS) \
+ -lpthread \
+ $(NULL)
+
+# python[23] bindings
+pysss_la_SOURCES = \
+ $(SSSD_TOOLS_OBJ) \
+ src/python/pysss.c
+pysss_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+_py2sss_la_SOURCES = $(pysss_la_SOURCES)
+_py2sss_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2sss_la_LIBADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(PYTHON_BINDINGS_LIBS) \
+ $(PYTHON2_LIBS)
+_py2sss_la_LDFLAGS = $(pysss_la_LDFLAGS)
+
+_py3sss_la_SOURCES = $(pysss_la_SOURCES)
+_py3sss_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3sss_la_LIBADD = \
+ $(SSSD_INTERNAL_LTLIBS) \
+ $(PYTHON_BINDINGS_LIBS) \
+ $(PYTHON3_LIBS)
+_py3sss_la_LDFLAGS = $(pysss_la_LDFLAGS)
+
+
+pyhbac_la_SOURCES = \
+ src/python/pyhbac.c \
+ src/util/sss_python.c
+pyhbac_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+_py2hbac_la_SOURCES = $(pyhbac_la_SOURCES)
+_py2hbac_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2hbac_la_LIBADD = \
+ $(PYTHON2_LIBS) \
+ libipa_hbac.la
+_py2hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS)
+
+_py3hbac_la_SOURCES = $(pyhbac_la_SOURCES)
+_py3hbac_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3hbac_la_LIBADD = \
+ $(PYTHON3_LIBS) \
+ libipa_hbac.la
+_py3hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS)
+
+
+pysss_murmur_la_SOURCES = \
+ src/python/pysss_murmur.c \
+ src/util/murmurhash3.c
+pysss_murmur_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+_py2sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES)
+_py2sss_murmur_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2sss_murmur_la_LIBADD = \
+ $(PYTHON2_LIBS)
+_py2sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS)
+
+_py3sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES)
+_py3sss_murmur_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3sss_murmur_la_LIBADD = \
+ $(PYTHON3_LIBS)
+_py3sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS)
+
+
+pysss_nss_idmap_la_SOURCES = \
+ src/python/pysss_nss_idmap.c
+pysss_nss_idmap_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+_py2sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES)
+_py2sss_nss_idmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON2_CFLAGS)
+_py2sss_nss_idmap_la_LIBADD = \
+ $(PYTHON2_LIBS) \
+ libsss_nss_idmap.la
+_py2sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS)
+
+_py3sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES)
+_py3sss_nss_idmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(PYTHON3_CFLAGS)
+_py3sss_nss_idmap_la_LIBADD = \
+ $(PYTHON3_LIBS) \
+ libsss_nss_idmap.la
+_py3sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS)
+# end of python[23] bindings
+
+if BUILD_CIFS_IDMAP_PLUGIN
+cifs_idmap_sss_la_SOURCES = \
+ src/lib/cifs_idmap_sss/cifs_idmap_sss.c
+cifs_idmap_sss_la_LIBADD = \
+ libsss_idmap.la \
+ libsss_nss_idmap.la
+cifs_idmap_sss_la_CFLAGS = \
+ $(AM_CFLAGS)
+cifs_idmap_sss_la_LDFLAGS = \
+ -avoid-version \
+ -module
+endif
+
+if BUILD_SAMBA
+winbind_idmap_sss_la_SOURCES = \
+ src/lib/winbind_idmap_sss/winbind_idmap_sss.c \
+ src/util/util_sss_idmap.c \
+ $(NULL)
+winbind_idmap_sss_la_LIBADD = \
+ libsss_idmap.la \
+ libsss_nss_idmap.la \
+ $(TALLOC_LIBS) \
+ $(NULL)
+winbind_idmap_sss_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(NULL)
+winbind_idmap_sss_la_LDFLAGS = \
+ -avoid-version \
+ -module \
+ $(NULL)
+
+libdlopen_test_winbind_idmap_la_SOURCES = \
+ src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c \
+ $(NULL)
+libdlopen_test_winbind_idmap_la_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NDR_KRB5PAC_CFLAGS) \
+ $(NULL)
+libdlopen_test_winbind_idmap_la_LDFLAGS = \
+ -shared \
+ -avoid-version \
+ -rpath $(abs_top_builddir) \
+ -export-dynamic
+ $(NULL)
+endif
+
+################
+# TRANSLATIONS #
+################
+update-po:
+if HAVE_MANPAGES
+ $(MAKE) -C src/man update-po
+endif
+ $(MAKE) -C po update-po
+
+#######################
+# Installation Extras #
+#######################
+
+init_SCRIPTS =
+systemdunit_DATA =
+systemdconf_DATA =
+if HAVE_SYSTEMD_UNIT
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd.service \
+ src/sysv/systemd/sssd-nss.socket \
+ src/sysv/systemd/sssd-nss.service \
+ src/sysv/systemd/sssd-pam.socket \
+ src/sysv/systemd/sssd-pam-priv.socket \
+ src/sysv/systemd/sssd-pam.service \
+ src/sysv/systemd/sssd-secrets.socket \
+ src/sysv/systemd/sssd-secrets.service \
+ $(NULL)
+if BUILD_AUTOFS
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-autofs.socket \
+ src/sysv/systemd/sssd-autofs.service \
+ $(NULL)
+endif
+if BUILD_IFP
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-ifp.service \
+ $(NULL)
+endif
+if BUILD_PAC_RESPONDER
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-pac.socket \
+ src/sysv/systemd/sssd-pac.service \
+ $(NULL)
+endif
+if BUILD_SSH
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-ssh.socket \
+ src/sysv/systemd/sssd-ssh.service \
+ $(NULL)
+endif
+if BUILD_SUDO
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-sudo.socket \
+ src/sysv/systemd/sssd-sudo.service \
+ $(NULL)
+endif
+if BUILD_KCM
+ systemdunit_DATA += \
+ src/sysv/systemd/sssd-kcm.socket \
+ src/sysv/systemd/sssd-kcm.service \
+ $(NULL)
+endif
+else
+if HAVE_SUSE
+ init_SCRIPTS += \
+ src/sysv/SUSE/sssd
+else
+if HAVE_GENTOO
+ init_SCRIPTS += \
+ src/sysv/gentoo/sssd
+else
+ init_SCRIPTS += \
+ src/sysv/sssd
+endif
+endif
+endif
+
+
+dist_sssddata_DATA = \
+ src/config/etc/sssd.api.conf \
+ src/config/cfg_rules.ini \
+ $(NULL)
+dist_sssdapiplugin_DATA = \
+ src/config/etc/sssd.api.d/sssd-ipa.conf \
+ src/config/etc/sssd.api.d/sssd-ad.conf \
+ src/config/etc/sssd.api.d/sssd-krb5.conf \
+ src/config/etc/sssd.api.d/sssd-ldap.conf \
+ src/config/etc/sssd.api.d/sssd-local.conf \
+ src/config/etc/sssd.api.d/sssd-proxy.conf \
+ src/config/etc/sssd.api.d/sssd-simple.conf \
+ src/config/etc/sssd.api.d/sssd-files.conf
+
+edit_cmd = $(SED) \
+ -e 's|@sbindir[@]|$(sbindir)|g' \
+ -e 's|@environment_file[@]|$(environment_file)|g' \
+ -e 's|@localstatedir[@]|$(localstatedir)|g' \
+ -e 's|@runstatedir[@]|$(runstatedir)|g' \
+ -e 's|@logpath[@]|$(logpath)|g' \
+ -e 's|@libexecdir[@]|$(libexecdir)|g' \
+ -e 's|@pipepath[@]|$(pipepath)|g' \
+ -e 's|@prefix[@]|$(prefix)|g' \
+ -e 's|@SSSD_USER[@]|$(SSSD_USER)|g'
+
+replace_script = \
+ @rm -f $@ $@.tmp; \
+ srcdir=''; \
+ test -f ./$@.in || srcdir=$(srcdir)/; \
+ $(edit_cmd) $${srcdir}$@.in >$@.tmp; \
+ mv $@.tmp $@
+
+EXTRA_DIST += \
+ src/sysv/systemd/sssd.service.in \
+ src/sysv/systemd/sssd-nss.socket.in \
+ src/sysv/systemd/sssd-nss.service.in \
+ src/sysv/systemd/sssd-pam.socket.in \
+ src/sysv/systemd/sssd-pam-priv.socket.in \
+ src/sysv/systemd/sssd-pam.service.in \
+ src/sysv/systemd/sssd-secrets.socket.in \
+ src/sysv/systemd/sssd-secrets.service.in \
+ $(NULL)
+
+if BUILD_AUTOFS
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-autofs.socket.in \
+ src/sysv/systemd/sssd-autofs.service.in \
+ $(NULL)
+endif
+if BUILD_IFP
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-ifp.service.in \
+ $(NULL)
+endif
+if BUILD_PAC_RESPONDER
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-pac.socket.in \
+ src/sysv/systemd/sssd-pac.service.in \
+ $(NULL)
+endif
+if BUILD_SSH
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-ssh.socket.in \
+ src/sysv/systemd/sssd-ssh.service.in \
+ $(NULL)
+endif
+if BUILD_SUDO
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-sudo.socket.in \
+ src/sysv/systemd/sssd-sudo.service.in \
+ $(NULL)
+endif
+if BUILD_KCM
+EXTRA_DIST += \
+ src/sysv/systemd/sssd-kcm.socket.in \
+ src/sysv/systemd/sssd-kcm.service.in \
+ $(NULL)
+endif
+
+src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-nss.socket: src/sysv/systemd/sssd-nss.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-nss.service: src/sysv/systemd/sssd-nss.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-pam.socket: src/sysv/systemd/sssd-pam.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-pam-priv.socket: src/sysv/systemd/sssd-pam-priv.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-pam.service: src/sysv/systemd/sssd-pam.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-secrets.socket: src/sysv/systemd/sssd-secrets.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-secrets.service: src/sysv/systemd/sssd-secrets.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+if BUILD_AUTOFS
+src/sysv/systemd/sssd-autofs.socket: src/sysv/systemd/sssd-autofs.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-autofs.service: src/sysv/systemd/sssd-autofs.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+endif
+
+if BUILD_IFP
+src/sysv/systemd/sssd-ifp.service: src/sysv/systemd/sssd-ifp.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(ifp_replace_script)
+endif
+
+if BUILD_PAC_RESPONDER
+src/sysv/systemd/sssd-pac.socket: src/sysv/systemd/sssd-pac.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-pac.service: src/sysv/systemd/sssd-pac.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+endif
+
+if BUILD_SSH
+src/sysv/systemd/sssd-ssh.socket: src/sysv/systemd/sssd-ssh.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-ssh.service: src/sysv/systemd/sssd-ssh.service.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+endif
+
+if BUILD_SUDO
+src/sysv/systemd/sssd-sudo.socket: src/sysv/systemd/sssd-sudo.socket.in Makefile
+ @$(MKDIR_P) src/sysv/systemd/
+ $(replace_script)
+
+src/sysv/systemd/sssd-sudo.service:
src/sysv/systemd/sssd-sudo.service.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) +endif + +if BUILD_KCM +src/sysv/systemd/sssd-kcm.socket: src/sysv/systemd/sssd-kcm.socket.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-kcm.service: src/sysv/systemd/sssd-kcm.service.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) +endif + +EXTRA_DIST += \ + src/tools/wrappers/sss_debuglevel.in \ + $(NULL) + +src/tools/wrappers/sss_debuglevel: src/tools/wrappers/sss_debuglevel.in Makefile + @$(MKDIR_P) src/tools/wrappers/ + $(replace_script) + +SSSD_USER_DIRS = \ + $(DESTDIR)$(dbpath) \ + $(DESTDIR)$(keytabdir) \ + $(DESTDIR)$(mcpath) \ + $(DESTDIR)$(pipepath) \ + $(DESTDIR)$(pubconfpath) \ + $(DESTDIR)$(pubconfpath)/krb5.include.d \ + $(DESTDIR)$(gpocachepath) \ + $(DESTDIR)$(sssdconfdir) \ + $(DESTDIR)$(sssdconfdir)/conf.d \ + $(DESTDIR)$(sssdconfdir)/pki \ + $(DESTDIR)$(sssddefaultconfdir) \ + $(DESTDIR)$(logpath) \ + $(DESTDIR)$(deskprofilepath) \ + $(NULL) + +installsssddirs:: + $(MKDIR_P) \ + $(DESTDIR)$(includedir) \ + $(DESTDIR)$(libdir) \ + $(DESTDIR)$(bindir) \ + $(DESTDIR)$(sbindir) \ + $(DESTDIR)$(mandir) \ + $(DESTDIR)$(pidpath) \ + $(DESTDIR)$(pluginpath) \ + $(DESTDIR)$(libdir)/ldb \ + $(DESTDIR)$(dbuspolicydir) \ + $(DESTDIR)$(dbusservicedir) \ + $(DESTDIR)$(sssdlibdir) \ + $(DESTDIR)$(pkglibdir) \ + $(DESTDIR)$(sssddatadir) \ + $(DESTDIR)$(sudolibdir) \ + $(DESTDIR)$(autofslibdir) \ + $(DESTDIR)$(pipepath)/private \ + $(SSSD_USER_DIRS) \ + $(NULL); +if SSSD_USER + -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS) + -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private +endif + $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \ + $(DESTDIR)$(keytabdir) \ + $(NULL) + $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private + $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \ + $(DESTDIR)$(pubconfpath) \ + $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath) + 
$(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \ + $(DESTDIR)$(sssdconfdir)/conf.d \ + $(DESTDIR)$(sssdconfdir)/pki +if BUILD_SECRETS + $(MKDIR_P) $(DESTDIR)$(secdbpath) +endif + +if HAVE_DOXYGEN +docs: + $(DOXYGEN) src/doxy.config + $(DOXYGEN) src/lib/ipa_hbac/ipa_hbac.doxy + $(DOXYGEN) src/lib/idmap/sss_idmap.doxy + $(DOXYGEN) src/sss_client/idmap/sss_nss_idmap.doxy + $(DOXYGEN) src/lib/certmap/sss_certmap.doxy +if BUILD_IFP + $(DOXYGEN) src/lib/sifp/sss_simpleifp.doxy +endif +else !HAVE_DOXYGEN +docs: + @echo "Doxygen not installed, cannot generate documentation" + @exit 1 +endif !HAVE_DOXYGEN + +if BUILD_PYTHON_BINDINGS +$(abs_builddir)/src/config/SSSDConfig/ipachangeconf.py: + -cp $(srcdir)/src/config/SSSDConfig/ipachangeconf.py $(builddir)/src/config/SSSDConfig/ + +SSSDCONFIG_MODULES = \ + $(abs_builddir)/src/config/SSSDConfig/ipachangeconf.py +else +SSSSCONFIG_MODULES = +endif + +all-local: ldb_mod_test_dir $(SSSDCONFIG_MODULES) +if BUILD_PYTHON2_BINDINGS + cd $(builddir)/src/config; \ + $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config +endif +if BUILD_PYTHON3_BINDINGS + cd $(builddir)/src/config; \ + $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config +endif + +install-exec-hook: installsssddirs +if BUILD_PYTHON2_BINDINGS + if [ "$(DESTDIR)" = "" ]; then \ + cd $(builddir)/src/config; \ + $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \ + install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \ + --record=$(abs_builddir)/src/config/.files2; \ + else \ + cd $(builddir)/src/config; \ + $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \ + install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \ + --record=$(abs_builddir)/src/config/.files2 --root=$(DESTDIR); \ + fi + cd $(DESTDIR)$(py2execdir) && \ + mv -f _py2sss.so pysss.so ; \ + mv -f _py2hbac.so pyhbac.so ; \ + mv -f _py2sss_murmur.so pysss_murmur.so ; \ + mv -f _py2sss_nss_idmap.so pysss_nss_idmap.so +endif +if BUILD_PYTHON3_BINDINGS + if [ 
"$(DESTDIR)" = "" ]; then \ + cd $(builddir)/src/config; \ + $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \ + install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \ + --record=$(abs_builddir)/src/config/.files3; \ + else \ + cd $(builddir)/src/config; \ + $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \ + install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \ + --record=$(abs_builddir)/src/config/.files3 --root=$(DESTDIR); \ + fi + cd $(DESTDIR)$(py3execdir) && \ + mv -f _py3sss.so pysss.so ; \ + mv -f _py3hbac.so pyhbac.so ; \ + mv -f _py3sss_murmur.so pysss_murmur.so ; \ + mv -f _py3sss_nss_idmap.so pysss_nss_idmap.so +endif + for doc in $(SSSD_DOCS); do \ + $(MKDIR_P) $$doc $(DESTDIR)/$(docdir); \ + cp -a $$doc $(DESTDIR)/$(docdir)/; \ + done; + +if HAVE_SYSTEMD_UNIT + $(MKDIR_P) $(DESTDIR)$(systemdunitdir) + $(MKDIR_P) $(DESTDIR)$(systemdconfdir) +else + $(MKDIR_P) $(DESTDIR)$(initdir) +endif + +if SSSD_USER + -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child + chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child + -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child + chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child + -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child + chmod 4750 $(DESTDIR)$(sssdlibexecdir)/proxy_child +if BUILD_SEMANAGE + -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child + chmod 4750 $(DESTDIR)$(sssdlibexecdir)/selinux_child +endif +endif + +install-data-hook: + rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \ + $(DESTDIR)/$(nsslibdir)/libnss_sss.so + mv $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 + if [ ! 
$(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \ + $(MKDIR_P) $(DESTDIR)/$(krb5rcachedir) ; \ + fi +if BUILD_SAMBA + mv $(DESTDIR)/$(winbindplugindir)/winbind_idmap_sss.so $(DESTDIR)/$(winbindplugindir)/sss.so +endif +if BUILD_KCM + $(MKDIR_P) $(DESTDIR)/$(sssdkcmdatadir) +endif + +uninstall-hook: + if [ -f $(abs_builddir)/src/config/.files2 ]; then \ + cat $(abs_builddir)/src/config/.files2 | xargs -iq rm -f $(DESTDIR)/q; \ + rm $(abs_builddir)/src/config/.files2 ; \ + fi + if [ -f $(abs_builddir)/src/config/.files3 ]; then \ + cat $(abs_builddir)/src/config/.files3 | xargs -iq rm -f $(DESTDIR)/q; \ + rm $(abs_builddir)/src/config/.files3 ; \ + fi + for doc in $(SSSD_DOCS); do \ + rm -Rf $(DESTDIR)/$(docdir)/$$doc; \ + done; +if BUILD_PYTHON2_BINDINGS + cd $(DESTDIR)$(py2execdir) && \ + rm -f pysss.so pyhbac.so pysss_murmur.so pysss_nss_idmap.so +endif +if BUILD_PYTHON3_BINDINGS + cd $(DESTDIR)$(py3execdir) && \ + rm -f pysss.so pyhbac.so pysss_murmur.so pysss_nss_idmap.so +endif +if BUILD_SAMBA + rm $(DESTDIR)/$(winbindplugindir)/sss.so +endif + +clean-local: +if BUILD_PYTHON2_BINDINGS + if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ + rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \ + fi + + rm -f $(builddir)/src/config/SSSDConfig/*.pyc + + cd $(builddir)/src/config; $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config clean --all +endif +if BUILD_PYTHON3_BINDINGS + if [ ! 
$(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ + rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \ + fi + + rm -f $(builddir)/src/config/SSSDConfig/__pycache__/*.pyc + + cd $(builddir)/src/config; $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config clean --all +endif + for doc in $(SSSD_DOCS); do \ + rm -Rf $$doc; \ + done; + rm -Rf ldb_mod_test_dir + rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.service + rm -f $(builddir)/src/sysv/systemd/sssd.service + rm -f $(builddir)/src/sysv/systemd/sssd-autofs.socket + rm -f $(builddir)/src/sysv/systemd/sssd-autofs.service + rm -f $(builddir)/src/sysv/systemd/sssd-ifp.service + rm -f $(builddir)/src/sysv/systemd/sssd-nss.socket + rm -f $(builddir)/src/sysv/systemd/sssd-nss.service + rm -f $(builddir)/src/sysv/systemd/sssd-pac.socket + rm -f $(builddir)/src/sysv/systemd/sssd-pac.service + rm -f $(builddir)/src/sysv/systemd/sssd-pam.socket + rm -f $(builddir)/src/sysv/systemd/sssd-pam-priv.socket + rm -f $(builddir)/src/sysv/systemd/sssd-pam.service + rm -f $(builddir)/src/sysv/systemd/sssd-ssh.socket + rm -f $(builddir)/src/sysv/systemd/sssd-ssh.service + rm -f $(builddir)/src/sysv/systemd/sssd-sudo.socket + rm -f $(builddir)/src/sysv/systemd/sssd-sudo.service + rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket + rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service + rm -f $(builddir)/src/tools/wrappers/sss_debuglevel + +CLEANFILES += *.X */*.X */*/*.X + +test_CA: test_CA.stamp + +test_CA.stamp: $(srcdir)/src/tests/test_CA/* + $(MAKE) -C src/tests/test_CA ca_all + touch $@ + +if BUILD_TEST_CA +BUILT_SOURCES += test_CA +endif +CLEANFILES += test_CA.stamp + +tests: all $(check_PROGRAMS) + (cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1; + + +# RPM-related tasks + +RPMBUILD ?= $(PWD)/rpmbuild 
+
+dist_noinst_DATA += \
+ m4 \
+ contrib/sssd.spec.in \
+ BUILD.txt \
+ COPYING
+
+rpmroot:
+ $(MKDIR_P) $(RPMBUILD)/BUILD
+ $(MKDIR_P) $(RPMBUILD)/RPMS
+ $(MKDIR_P) $(RPMBUILD)/SOURCES
+ $(MKDIR_P) $(RPMBUILD)/SPECS
+ $(MKDIR_P) $(RPMBUILD)/SRPMS
+
+# pre-release related vars
+
+PR_VERSION_DATE := $(shell date +%Y%m%d.%H%M)
+PR_VERSION_COMMIT_HASH := $(shell git log -1 --pretty=format:%h)
+PR_VERSION_NUMBER = $(PR_VERSION_DATE).git$(PR_VERSION_COMMIT_HASH)
+PR_VERSION_REGEX = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\])
+PR_VERSION_REPL = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.$(PR_VERSION_NUMBER)\])
+
+rpmbrprep: dist-gzip rpmroot
+if GIT_CHECKOUT
+# When we're building RPMs from a git checkout,
+# we don't want to be bothered with translation
+# updates
+ git checkout $(srcdir)/po $(srcdir)/src/man/po
+endif
+ cp $(builddir)/contrib/sssd.spec $(RPMBUILD)/SPECS
+ cp $(distdir).tar.gz $(RPMBUILD)/SOURCES
+
+rpms: rpmbrprep
+ cd $(RPMBUILD); \
+ rpmbuild --define "_topdir $(RPMBUILD)" -ba SPECS/sssd.spec
+
+if GIT_CHECKOUT
+prerelease-rpms:
+ cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
+ $(MAKE) rpms
+ mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
+endif
+
+# make srpms will use the old digest algorithm to be compatible
+# with RHEL5
+srpm: rpmbrprep
+ cd $(RPMBUILD); \
+ rpmbuild --define "_topdir $(RPMBUILD)" \
+ -bs SPECS/sssd.spec
+
+if GIT_CHECKOUT
+prerelease-srpm:
+ cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig
+ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \
+ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4
+ $(MAKE) srpm
+ mv $(srcdir)/version.m4.orig $(srcdir)/version.m4
+endif
diff --git a/Makefile.in b/Makefile.in
new file mode 100644
index 0000000..98fec41
--- /dev/null
+++ b/Makefile.in
@@ -0,0 +1,35698 @@ +# Makefile.in generated by automake 1.15.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2017 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + + + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_DEVSHM_TRUE@am__append_1 = --with-test-dir=/dev/shm +@WITH_JOURNALD_TRUE@am__append_2 = --with-syslog=journald +@HAVE_MANPAGES_TRUE@am__append_3 = src/man +@HAVE_DEBIAN_TRUE@am__append_4 = --install-layout=deb +@WANT_AUX_INFO_TRUE@am__append_5 = -aux-info $@.X +@HAVE_GCC_TRUE@am__append_6 = -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ +@HAVE_GCC_TRUE@ -Wcast-qual -Wcast-align -Wwrite-strings -Wundef \ +@HAVE_GCC_TRUE@ -Werror-implicit-function-declaration -Winit-self \ +@HAVE_GCC_TRUE@ -Wmissing-include-dirs \ +@HAVE_GCC_TRUE@ -fno-strict-aliasing \ +@HAVE_GCC_TRUE@ -std=gnu99 + +@BUILD_SSH_TRUE@bin_PROGRAMS = sss_ssh_authorizedkeys$(EXEEXT) \ +@BUILD_SSH_TRUE@ sss_ssh_knownhostsproxy$(EXEEXT) +sbin_PROGRAMS = sssd$(EXEEXT) sss_useradd$(EXEEXT) \ + sss_userdel$(EXEEXT) sss_groupadd$(EXEEXT) \ + sss_groupdel$(EXEEXT) sss_usermod$(EXEEXT) \ + sss_groupmod$(EXEEXT) sss_groupshow$(EXEEXT) \ + sss_cache$(EXEEXT) sss_override$(EXEEXT) sss_seed$(EXEEXT) \ + sssctl$(EXEEXT) +sssdlibexec_PROGRAMS = sssd_nss$(EXEEXT) sssd_pam$(EXEEXT) \ + sssd_be$(EXEEXT) krb5_child$(EXEEXT) ldap_child$(EXEEXT) \ + proxy_child$(EXEEXT) sss_signal$(EXEEXT) $(am__EXEEXT_16) \ + $(am__EXEEXT_17) $(am__EXEEXT_18) $(am__EXEEXT_19) \ + $(am__EXEEXT_20) $(am__EXEEXT_21) 
p11_child$(EXEEXT) \ + $(am__EXEEXT_22) $(am__EXEEXT_23) $(am__EXEEXT_24) \ + $(am__EXEEXT_25) +@BUILD_SUDO_TRUE@am__append_7 = sssd_sudo +@BUILD_AUTOFS_TRUE@am__append_8 = sssd_autofs +@BUILD_SSH_TRUE@am__append_9 = sssd_ssh +@BUILD_IFP_TRUE@am__append_10 = sssd_ifp +@BUILD_SAMBA_TRUE@am__append_11 = gpo_child +@BUILD_SEMANAGE_TRUE@am__append_12 = selinux_child +@BUILD_SECRETS_TRUE@am__append_13 = sssd_secrets +@BUILD_KCM_TRUE@am__append_14 = sssd_kcm +@BUILD_PAC_RESPONDER_TRUE@am__append_15 = sssd_pac +@HAVE_SYSTEMD_UNIT_TRUE@am__append_16 = sssd_check_socket_activated_responders +@BUILD_SSH_TRUE@@HAVE_CHECK_TRUE@am__append_17 = sysdb_ssh-tests +@BUILD_DBUS_TESTS_TRUE@@HAVE_CHECK_TRUE@am__append_18 = \ +@BUILD_DBUS_TESTS_TRUE@@HAVE_CHECK_TRUE@ sbus_tests \ +@BUILD_DBUS_TESTS_TRUE@@HAVE_CHECK_TRUE@ sbus_codegen_tests + +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@am__append_19 = test_resolv_fake +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@am__append_20 = ifp_tests +@HAVE_CMOCKA_TRUE@@HAVE_INOTIFY_TRUE@am__append_21 = test_inotify +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@am__append_22 = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ test_kcm_json \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ test_kcm_queue \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@am__append_23 = \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ ad_access_filter_tests \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ ad_gpo_tests \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ ad_common_tests \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ test_sdap_initgr \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ test_ad_subdom \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ test_ipa_subdom_server \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@@HAVE_CMOCKA_TRUE@am__append_24 = test_sssd_krb5_localauth_plugin +check_PROGRAMS = stress-tests$(EXEEXT) krb5-child-test$(EXEEXT) \ + test_ssh_client$(EXEEXT) $(am__EXEEXT_7) $(am__EXEEXT_10) \ + $(am__EXEEXT_11) +@HAVE_CMOCKA_TRUE@am__append_25 = dummy-child 
+@BUILD_PYTHON2_BINDINGS_TRUE@am__append_26 = src/config/SSSDConfigTest.py2.sh \ +@BUILD_PYTHON2_BINDINGS_TRUE@ src/tests/pyhbac-test.py2.sh \ +@BUILD_PYTHON2_BINDINGS_TRUE@ src/tests/pysss_murmur-test.py2.sh \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(NULL) + +@BUILD_PYTHON3_BINDINGS_TRUE@am__append_27 = src/config/SSSDConfigTest.py3.sh \ +@BUILD_PYTHON3_BINDINGS_TRUE@ src/tests/pyhbac-test.py3.sh \ +@BUILD_PYTHON3_BINDINGS_TRUE@ src/tests/pysss_murmur-test.py3.sh \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(NULL) + +TESTS = $(am__EXEEXT_28) $(am__EXEEXT_7) $(am__EXEEXT_10) \ + src/tests/whitespace_test src/tests/double_semicolon_test +@BUILD_SAMBA_TRUE@am__append_28 = \ +@BUILD_SAMBA_TRUE@ libsss_ipa.la \ +@BUILD_SAMBA_TRUE@ libsss_ad.la + +@HAVE_INOTIFY_TRUE@am__append_29 = \ +@HAVE_INOTIFY_TRUE@ libsss_files.la \ +@HAVE_INOTIFY_TRUE@ $(NULL) + +@BUILD_SELINUX_TRUE@am__append_30 = $(SELINUX_LIBS) +@BUILD_SELINUX_TRUE@am__append_31 = $(SELINUX_LIBS) +@HAVE_NSS_TRUE@am__append_32 = src/util/crypto/nss/nss_util.h \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_crypto.h + +@BUILD_IFP_TRUE@am__append_33 = sss_simpleifp_doc +@BUILD_SUDO_TRUE@am__append_34 = src/db/sysdb_sudo.c +@BUILD_SSH_TRUE@am__append_35 = \ +@BUILD_SSH_TRUE@ src/db/sysdb_ssh.c \ +@BUILD_SSH_TRUE@ src/util/sss_ssh.c + +@BUILD_SYSTEMTAP_TRUE@am__append_36 = stap_generated_probes.lo +@BUILD_SEMANAGE_TRUE@am__append_37 = $(SEMANAGE_LIBS) +@BUILD_LIBWBCLIENT_TRUE@am__append_38 = src/sss_client/libwbclient/wbclient_sssd.pc +@BUILD_LIBWBCLIENT_TRUE@am__append_39 = src/sss_client/libwbclient/wbclient.exports \ +@BUILD_LIBWBCLIENT_TRUE@ $(NULL) + +@BUILD_LIBWBCLIENT_TRUE@am__append_40 = src/sss_client/libwbclient/wbclient_sssd.h +@BUILD_IFP_TRUE@am__append_41 = libsss_simpleifp.la +@BUILD_IFP_TRUE@am__append_42 = src/lib/sifp/sss_simpleifp.pc +@BUILD_IFP_TRUE@am__append_43 = src/lib/sifp/sss_simpleifp.exports +@BUILD_IFP_TRUE@am__append_44 = \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp.h \ +@BUILD_IFP_TRUE@ 
src/lib/sifp/sss_sifp_dbus.h + +@BUILD_SYSTEMTAP_TRUE@am__append_45 = stap_generated_probes.h +@BUILD_SYSTEMTAP_TRUE@am__append_46 = stap_generated_probes.h \ +@BUILD_SYSTEMTAP_TRUE@ stap_generated_probes.o \ +@BUILD_SYSTEMTAP_TRUE@ stap_generated_probes.lo \ +@BUILD_SYSTEMTAP_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@am__append_47 = \ +@BUILD_IFP_TRUE@ src/responder/ifp/org.freedesktop.sssd.infopipe.service.in \ +@BUILD_IFP_TRUE@ $(NULL) + +@BUILD_SYSTEMTAP_TRUE@am__append_48 = stap_generated_probes.lo +@HAVE_NSS_TRUE@am__append_49 = \ +@HAVE_NSS_TRUE@ src/lib/certmap/sss_cert_content_nss.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_base64.c \ +@HAVE_NSS_TRUE@ src/util/cert/nss/cert.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_util.c \ +@HAVE_NSS_TRUE@ $(NULL) + +@HAVE_NSS_TRUE@am__append_50 = $(NSS_CFLAGS) +@HAVE_NSS_TRUE@am__append_51 = $(NSS_LIBS) +@HAVE_NSS_FALSE@am__append_52 = \ +@HAVE_NSS_FALSE@ src/lib/certmap/sss_cert_content_crypto.c \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/crypto_base64.c \ +@HAVE_NSS_FALSE@ src/util/cert/libcrypto/cert.c \ +@HAVE_NSS_FALSE@ $(NULL) + +@HAVE_NSS_FALSE@am__append_53 = $(CRYPTO_CFLAGS) +@HAVE_NSS_FALSE@am__append_54 = $(CRYPTO_LIBS) +@HAVE_CHECK_TRUE@am__append_55 = \ +@HAVE_CHECK_TRUE@ src/tests/common_check.c + +@HAVE_CHECK_TRUE@am__append_56 = \ +@HAVE_CHECK_TRUE@ libdlopen_test_providers.la \ +@HAVE_CHECK_TRUE@ libsss_nss_idmap_tests.la \ +@HAVE_CHECK_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@@HAVE_CHECK_TRUE@am__append_57 = \ +@BUILD_SAMBA_TRUE@@HAVE_CHECK_TRUE@ libsss_ad_tests.la \ +@BUILD_SAMBA_TRUE@@HAVE_CHECK_TRUE@ libdlopen_test_winbind_idmap.la \ +@BUILD_SAMBA_TRUE@@HAVE_CHECK_TRUE@ $(NULL) + +@BUILD_SYSTEMTAP_TRUE@@HAVE_CHECK_TRUE@am__append_58 = stap_generated_probes.lo +@HAVE_CHECK_TRUE@am__append_59 = src/sss_client/idmap/sss_nss_idmap.unit_tests +@BUILD_SELINUX_TRUE@@HAVE_CHECK_TRUE@am__append_60 = $(SELINUX_LIBS) +@BUILD_SEMANAGE_TRUE@@HAVE_CHECK_TRUE@am__append_61 = $(SEMANAGE_LIBS) 
+@BUILD_SYSTEMTAP_TRUE@@HAVE_CMOCKA_TRUE@am__append_62 = stap_generated_probes.lo +@BUILD_SSH_TRUE@@HAVE_CMOCKA_TRUE@am__append_63 = src/tests/cmocka/test_sss_ssh.c +@BUILD_SYSTEMTAP_TRUE@@HAVE_CMOCKA_TRUE@am__append_64 = stap_generated_probes.lo +noinst_PROGRAMS = $(am__EXEEXT_12) $(am__EXEEXT_13) $(am__EXEEXT_14) \ + $(am__EXEEXT_15) +@BUILD_SUDO_TRUE@am__append_65 = sss_sudo_cli +@BUILD_AUTOFS_TRUE@am__append_66 = autofs_test_client +@BUILD_WITH_LIBCURL_TRUE@am__append_67 = tcurl-test-tool +@BUILD_PAC_RESPONDER_TRUE@am__append_68 = sssd_pac_test_client +@BUILD_SUDO_TRUE@am__append_69 = src/sss_client/sss_sudo.exports +@BUILD_AUTOFS_TRUE@am__append_70 = src/sss_client/autofs/sss_autofs.exports +@BUILD_SYSTEMTAP_TRUE@am__append_71 = stap_generated_probes.lo +@BUILD_SSH_TRUE@am__append_72 = src/providers/ldap/sdap_hostid.c +@BUILD_SUDO_TRUE@am__append_73 = \ +@BUILD_SUDO_TRUE@ src/providers/ldap/sdap_async_sudo.c \ +@BUILD_SUDO_TRUE@ src/providers/ldap/sdap_async_sudo_hostinfo.c \ +@BUILD_SUDO_TRUE@ src/providers/ldap/sdap_sudo_refresh.c \ +@BUILD_SUDO_TRUE@ src/providers/ldap/sdap_sudo_shared.c \ +@BUILD_SUDO_TRUE@ src/providers/ldap/sdap_sudo.c + +@BUILD_AUTOFS_TRUE@am__append_74 = \ +@BUILD_AUTOFS_TRUE@ src/providers/ldap/sdap_autofs.c \ +@BUILD_AUTOFS_TRUE@ src/providers/ldap/sdap_async_autofs.c + +@BUILD_AUTOFS_TRUE@am__append_75 = \ +@BUILD_AUTOFS_TRUE@ src/providers/ipa/ipa_autofs.c + +@BUILD_SUDO_TRUE@am__append_76 = \ +@BUILD_SUDO_TRUE@ src/providers/ipa/ipa_sudo.c \ +@BUILD_SUDO_TRUE@ src/providers/ipa/ipa_sudo_refresh.c \ +@BUILD_SUDO_TRUE@ src/providers/ipa/ipa_sudo_conversion.c \ +@BUILD_SUDO_TRUE@ src/providers/ipa/ipa_sudo_async.c + +@BUILD_SEMANAGE_TRUE@am__append_77 = \ +@BUILD_SEMANAGE_TRUE@ src/providers/ipa/ipa_selinux.c \ +@BUILD_SEMANAGE_TRUE@ src/providers/ipa/ipa_selinux_maps.c + +@BUILD_SSH_TRUE@am__append_78 = src/providers/ipa/ipa_hostid.c +@BUILD_SUDO_TRUE@am__append_79 = \ +@BUILD_SUDO_TRUE@ src/providers/ad/ad_sudo.c + 
+@BUILD_AUTOFS_TRUE@am__append_80 = \ +@BUILD_AUTOFS_TRUE@ src/providers/ad/ad_autofs.c + +@HAVE_NSS_TRUE@am__append_81 = src/p11_child/p11_child_nss.c +@HAVE_NSS_FALSE@am__append_82 = src/p11_child/p11_child_openssl.c +@HAVE_NSS_TRUE@am__append_83 = \ +@HAVE_NSS_TRUE@ $(NSS_CFLAGS) \ +@HAVE_NSS_TRUE@ $(NULL) + +@HAVE_NSS_FALSE@am__append_84 = \ +@HAVE_NSS_FALSE@ $(P11_KIT_CFLAGS) \ +@HAVE_NSS_FALSE@ $(CRYPTO_CFLAGS) \ +@HAVE_NSS_FALSE@ $(SSL_CFLAGS) \ +@HAVE_NSS_FALSE@ $(NULL) + +@HAVE_NSS_TRUE@am__append_85 = \ +@HAVE_NSS_TRUE@ $(NSS_LIBS) \ +@HAVE_NSS_TRUE@ $(NULL) + +@HAVE_NSS_FALSE@am__append_86 = \ +@HAVE_NSS_FALSE@ $(P11_KIT_LIBS) \ +@HAVE_NSS_FALSE@ $(CRYPTO_LIBS) \ +@HAVE_NSS_FALSE@ $(SSL_LIBS) \ +@HAVE_NSS_FALSE@ $(NULL) + +@HAVE_SYSTEMD_UNIT_TRUE@am__append_87 = \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd.service \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-nss.socket \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-nss.service \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-pam.socket \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-pam-priv.socket \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-pam.service \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-secrets.socket \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-secrets.service \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@BUILD_AUTOFS_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@am__append_88 = \ +@BUILD_AUTOFS_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-autofs.socket \ +@BUILD_AUTOFS_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-autofs.service \ +@BUILD_AUTOFS_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@am__append_89 = \ +@BUILD_IFP_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-ifp.service \ +@BUILD_IFP_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@BUILD_PAC_RESPONDER_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@am__append_90 = \ +@BUILD_PAC_RESPONDER_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-pac.socket \ 
+@BUILD_PAC_RESPONDER_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-pac.service \ +@BUILD_PAC_RESPONDER_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@BUILD_SSH_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@am__append_91 = \ +@BUILD_SSH_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-ssh.socket \ +@BUILD_SSH_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-ssh.service \ +@BUILD_SSH_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@BUILD_SUDO_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@am__append_92 = \ +@BUILD_SUDO_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-sudo.socket \ +@BUILD_SUDO_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-sudo.service \ +@BUILD_SUDO_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@am__append_93 = \ +@BUILD_KCM_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-kcm.socket \ +@BUILD_KCM_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ src/sysv/systemd/sssd-kcm.service \ +@BUILD_KCM_TRUE@@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@HAVE_SUSE_TRUE@@HAVE_SYSTEMD_UNIT_FALSE@am__append_94 = \ +@HAVE_SUSE_TRUE@@HAVE_SYSTEMD_UNIT_FALSE@ src/sysv/SUSE/sssd + +@HAVE_GENTOO_TRUE@@HAVE_SUSE_FALSE@@HAVE_SYSTEMD_UNIT_FALSE@am__append_95 = \ +@HAVE_GENTOO_TRUE@@HAVE_SUSE_FALSE@@HAVE_SYSTEMD_UNIT_FALSE@ src/sysv/gentoo/sssd + +@HAVE_GENTOO_FALSE@@HAVE_SUSE_FALSE@@HAVE_SYSTEMD_UNIT_FALSE@am__append_96 = \ +@HAVE_GENTOO_FALSE@@HAVE_SUSE_FALSE@@HAVE_SYSTEMD_UNIT_FALSE@ src/sysv/sssd + +@BUILD_AUTOFS_TRUE@am__append_97 = \ +@BUILD_AUTOFS_TRUE@ src/sysv/systemd/sssd-autofs.socket.in \ +@BUILD_AUTOFS_TRUE@ src/sysv/systemd/sssd-autofs.service.in \ +@BUILD_AUTOFS_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@am__append_98 = \ +@BUILD_IFP_TRUE@ src/sysv/systemd/sssd-ifp.service.in \ +@BUILD_IFP_TRUE@ $(NULL) + +@BUILD_PAC_RESPONDER_TRUE@am__append_99 = \ +@BUILD_PAC_RESPONDER_TRUE@ src/sysv/systemd/sssd-pac.socket.in \ +@BUILD_PAC_RESPONDER_TRUE@ src/sysv/systemd/sssd-pac.service.in \ +@BUILD_PAC_RESPONDER_TRUE@ $(NULL) + +@BUILD_SSH_TRUE@am__append_100 = \ +@BUILD_SSH_TRUE@ 
src/sysv/systemd/sssd-ssh.socket.in \ +@BUILD_SSH_TRUE@ src/sysv/systemd/sssd-ssh.service.in \ +@BUILD_SSH_TRUE@ $(NULL) + +@BUILD_SUDO_TRUE@am__append_101 = \ +@BUILD_SUDO_TRUE@ src/sysv/systemd/sssd-sudo.socket.in \ +@BUILD_SUDO_TRUE@ src/sysv/systemd/sssd-sudo.service.in \ +@BUILD_SUDO_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@am__append_102 = \ +@BUILD_KCM_TRUE@ src/sysv/systemd/sssd-kcm.socket.in \ +@BUILD_KCM_TRUE@ src/sysv/systemd/sssd-kcm.service.in \ +@BUILD_KCM_TRUE@ $(NULL) + +@BUILD_TEST_CA_TRUE@am__append_103 = test_CA +subdir = . +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/version.m4 $(top_srcdir)/src/build_macros.m4 \ + $(top_srcdir)/src/external/platform.m4 \ + $(top_srcdir)/src/conf_macros.m4 \ + $(top_srcdir)/src/external/pkg.m4 \ + $(top_srcdir)/src/external/libpopt.m4 \ + $(top_srcdir)/src/external/libtalloc.m4 \ + $(top_srcdir)/src/external/libtdb.m4 \ + $(top_srcdir)/src/external/libtevent.m4 \ + $(top_srcdir)/src/external/libldb.m4 \ + $(top_srcdir)/src/external/libdhash.m4 \ + $(top_srcdir)/src/external/libcollection.m4 \ + $(top_srcdir)/src/external/libini_config.m4 \ + $(top_srcdir)/src/external/pam.m4 \ + $(top_srcdir)/src/external/ldap.m4 \ + $(top_srcdir)/src/external/libpcre.m4 \ + $(top_srcdir)/src/external/krb5.m4 \ + $(top_srcdir)/src/external/libcares.m4 \ + $(top_srcdir)/src/external/libcmocka.m4 \ + $(top_srcdir)/src/external/docbook.m4 \ + $(top_srcdir)/src/external/sizes.m4 \ + $(top_srcdir)/src/external/python.m4 \ + $(top_srcdir)/src/external/selinux.m4 \ + $(top_srcdir)/src/external/crypto.m4 \ + 
$(top_srcdir)/src/external/nscd.m4 \ + $(top_srcdir)/src/external/nsupdate.m4 \ + $(top_srcdir)/src/external/libkeyutils.m4 \ + $(top_srcdir)/src/external/libnl.m4 \ + $(top_srcdir)/src/external/systemd.m4 \ + $(top_srcdir)/src/external/pac_responder.m4 \ + $(top_srcdir)/src/external/cifsidmap.m4 \ + $(top_srcdir)/src/external/signal.m4 \ + $(top_srcdir)/src/external/inotify.m4 \ + $(top_srcdir)/src/external/samba.m4 \ + $(top_srcdir)/src/external/sasl.m4 \ + $(top_srcdir)/src/external/libnfsidmap.m4 \ + $(top_srcdir)/src/external/cwrap.m4 \ + $(top_srcdir)/src/external/libresolv.m4 \ + $(top_srcdir)/src/external/intgcheck.m4 \ + $(top_srcdir)/src/external/systemtap.m4 \ + $(top_srcdir)/src/external/service.m4 \ + $(top_srcdir)/src/external/test_ca.m4 \ + $(top_srcdir)/src/external/libhttp_parser.m4 \ + $(top_srcdir)/src/external/libuuid.m4 \ + $(top_srcdir)/src/external/libcurl.m4 \ + $(top_srcdir)/src/external/libjansson.m4 \ + $(top_srcdir)/src/external/libunistring.m4 \ + $(top_srcdir)/src/external/glib.m4 \ + $(top_srcdir)/src/external/p11-kit.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(top_srcdir)/configure \ + $(am__configure_deps) $(dist_noinst_SCRIPTS) \ + $(am__dist_sss_obfuscate_python_SCRIPTS_DIST) \ + $(am__dist_dbuspolicy_DATA_DIST) \ + $(am__dist_dbusservice_DATA_DIST) $(am__dist_noinst_DATA_DIST) \ + $(dist_pamconf_DATA) $(am__dist_polkit_rules_DATA_DIST) \ + $(dist_sssdapiplugin_DATA) $(dist_sssddata_DATA) \ + $(dist_sssddefaultconf_DATA) $(am__dist_sssdkcmdata_DATA_DIST) \ + $(am__dist_sssdtapscript_DATA_DIST) \ + $(am__dist_systemtap_tap_DATA_DIST) \ + $(am__dist_noinst_HEADERS_DIST) $(am__include_HEADERS_DIST) \ + $(am__DIST_COMMON) +am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ + configure.lineno config.status.lineno +mkinstalldirs = $(SHELL) $(top_srcdir)/build/mkinstalldirs +CONFIG_HEADER = config.h 
+CONFIG_CLEAN_FILES = contrib/sssd.spec src/examples/rwtab \ + src/doxy.config contrib/sssd-pcsc.rules src/sysv/sssd \ + src/sysv/gentoo/sssd src/sysv/SUSE/sssd \ + src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy \ + src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy \ + src/lib/certmap/sss_certmap.pc \ + src/lib/certmap/sss_certmap.doxy \ + src/sss_client/idmap/sss_nss_idmap.pc \ + src/sss_client/idmap/sss_nss_idmap.doxy \ + src/sss_client/libwbclient/wbclient_sssd.pc \ + src/lib/sifp/sss_simpleifp.pc src/lib/sifp/sss_simpleifp.doxy \ + src/config/setup.py src/systemtap/sssd.stp \ + src/config/SSSDConfig/__init__.py +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(autofslibdir)" \ + "$(DESTDIR)$(cifsplugindir)" \ + "$(DESTDIR)$(krb5authdata_plugindir)" \ + "$(DESTDIR)$(krb5localauth_plugindir)" \ + "$(DESTDIR)$(krb5plugindir)" "$(DESTDIR)$(ldblibdir)" \ + "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libwbclientdir)" \ + "$(DESTDIR)$(nfslibdir)" "$(DESTDIR)$(nsslibdir)" \ + "$(DESTDIR)$(pamlibdir)" "$(DESTDIR)$(pkglibdir)" \ + "$(DESTDIR)$(py2execdir)" "$(DESTDIR)$(py3execdir)" \ + "$(DESTDIR)$(sssdlibdir)" "$(DESTDIR)$(sudolibdir)" \ + "$(DESTDIR)$(winbindplugindir)" "$(DESTDIR)$(bindir)" \ + "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(sssdlibexecdir)" \ + "$(DESTDIR)$(sss_obfuscate_pythondir)" "$(DESTDIR)$(initdir)" \ + "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(dbuspolicydir)" \ + "$(DESTDIR)$(dbusservicedir)" "$(DESTDIR)$(pamconfdir)" \ + "$(DESTDIR)$(polkit_rulesdir)" "$(DESTDIR)$(sssdapiplugindir)" \ + "$(DESTDIR)$(sssddatadir)" "$(DESTDIR)$(sssddefaultconfdir)" \ + "$(DESTDIR)$(sssdkcmdatadir)" "$(DESTDIR)$(sssdtapscriptdir)" \ + "$(DESTDIR)$(systemtap_tapdir)" "$(DESTDIR)$(pkgconfigdir)" \ + "$(DESTDIR)$(systemdconfdir)" "$(DESTDIR)$(systemdunitdir)" \ + "$(DESTDIR)$(systemtap_tapdir)" "$(DESTDIR)$(includedir)" +LTLIBRARIES = $(autofslib_LTLIBRARIES) $(cifsplugin_LTLIBRARIES) \ + $(krb5authdata_plugin_LTLIBRARIES) \ + $(krb5localauth_plugin_LTLIBRARIES) $(krb5plugin_LTLIBRARIES) \ + $(ldblib_LTLIBRARIES) $(lib_LTLIBRARIES) \ + $(libwbclient_LTLIBRARIES) $(nfslib_LTLIBRARIES) \ + $(noinst_LTLIBRARIES) $(nsslib_LTLIBRARIES) \ + $(pamlib_LTLIBRARIES) $(pkglib_LTLIBRARIES) \ + $(py2exec_LTLIBRARIES) $(py3exec_LTLIBRARIES) \ + $(sssdlib_LTLIBRARIES) $(sudolib_LTLIBRARIES) \ + $(winbindplugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +_py2hbac_la_DEPENDENCIES = $(am__DEPENDENCIES_1) libipa_hbac.la +am__dirstamp = $(am__leading_dot)dirstamp +am__objects_1 = src/python/_py2hbac_la-pyhbac.lo \ + 
src/util/_py2hbac_la-sss_python.lo +am__py2hbac_la_OBJECTS = $(am__objects_1) +_py2hbac_la_OBJECTS = $(am__py2hbac_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +_py2hbac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(_py2hbac_la_CFLAGS) \ + $(CFLAGS) $(_py2hbac_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON2_BINDINGS_TRUE@am__py2hbac_la_rpath = -rpath \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(py2execdir) +am__DEPENDENCIES_2 = libsss_util.la libsss_crypt.la libsss_debug.la \ + libsss_child.la +@BUILD_SELINUX_TRUE@am__DEPENDENCIES_3 = $(am__DEPENDENCIES_1) +am__DEPENDENCIES_4 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_3) +_py2sss_la_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_4) \ + $(am__DEPENDENCIES_1) +am__objects_2 = src/tools/_py2sss_la-sss_sync_ops.lo \ + src/tools/_py2sss_la-tools_util.lo \ + src/tools/common/_py2sss_la-sss_tools.lo \ + src/tools/common/_py2sss_la-sss_process.lo \ + src/confdb/_py2sss_la-confdb_setup.lo \ + src/util/_py2sss_la-nscd.lo +am__objects_3 = $(am__objects_2) src/python/_py2sss_la-pysss.lo +am__py2sss_la_OBJECTS = $(am__objects_3) +_py2sss_la_OBJECTS = $(am__py2sss_la_OBJECTS) +_py2sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(_py2sss_la_CFLAGS) \ + $(CFLAGS) $(_py2sss_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON2_BINDINGS_TRUE@am__py2sss_la_rpath = -rpath \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(py2execdir) +_py2sss_murmur_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am__objects_4 = src/python/_py2sss_murmur_la-pysss_murmur.lo \ + src/util/_py2sss_murmur_la-murmurhash3.lo +am__py2sss_murmur_la_OBJECTS = $(am__objects_4) +_py2sss_murmur_la_OBJECTS = $(am__py2sss_murmur_la_OBJECTS) +_py2sss_murmur_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + 
$(_py2sss_murmur_la_CFLAGS) $(CFLAGS) \ + $(_py2sss_murmur_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON2_BINDINGS_TRUE@am__py2sss_murmur_la_rpath = -rpath \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(py2execdir) +_py2sss_nss_idmap_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + libsss_nss_idmap.la +am__objects_5 = src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo +am__py2sss_nss_idmap_la_OBJECTS = $(am__objects_5) +_py2sss_nss_idmap_la_OBJECTS = $(am__py2sss_nss_idmap_la_OBJECTS) +_py2sss_nss_idmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(_py2sss_nss_idmap_la_CFLAGS) $(CFLAGS) \ + $(_py2sss_nss_idmap_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON2_BINDINGS_TRUE@am__py2sss_nss_idmap_la_rpath = -rpath \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(py2execdir) +_py3hbac_la_DEPENDENCIES = $(am__DEPENDENCIES_1) libipa_hbac.la +am__objects_6 = src/python/_py3hbac_la-pyhbac.lo \ + src/util/_py3hbac_la-sss_python.lo +am__py3hbac_la_OBJECTS = $(am__objects_6) +_py3hbac_la_OBJECTS = $(am__py3hbac_la_OBJECTS) +_py3hbac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(_py3hbac_la_CFLAGS) \ + $(CFLAGS) $(_py3hbac_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON3_BINDINGS_TRUE@am__py3hbac_la_rpath = -rpath \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(py3execdir) +_py3sss_la_DEPENDENCIES = $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_4) \ + $(am__DEPENDENCIES_1) +am__objects_7 = src/tools/_py3sss_la-sss_sync_ops.lo \ + src/tools/_py3sss_la-tools_util.lo \ + src/tools/common/_py3sss_la-sss_tools.lo \ + src/tools/common/_py3sss_la-sss_process.lo \ + src/confdb/_py3sss_la-confdb_setup.lo \ + src/util/_py3sss_la-nscd.lo +am__objects_8 = $(am__objects_7) src/python/_py3sss_la-pysss.lo +am__py3sss_la_OBJECTS = $(am__objects_8) +_py3sss_la_OBJECTS = $(am__py3sss_la_OBJECTS) +_py3sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(_py3sss_la_CFLAGS) \ + $(CFLAGS) 
$(_py3sss_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON3_BINDINGS_TRUE@am__py3sss_la_rpath = -rpath \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(py3execdir) +_py3sss_murmur_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am__objects_9 = src/python/_py3sss_murmur_la-pysss_murmur.lo \ + src/util/_py3sss_murmur_la-murmurhash3.lo +am__py3sss_murmur_la_OBJECTS = $(am__objects_9) +_py3sss_murmur_la_OBJECTS = $(am__py3sss_murmur_la_OBJECTS) +_py3sss_murmur_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(_py3sss_murmur_la_CFLAGS) $(CFLAGS) \ + $(_py3sss_murmur_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON3_BINDINGS_TRUE@am__py3sss_murmur_la_rpath = -rpath \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(py3execdir) +_py3sss_nss_idmap_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + libsss_nss_idmap.la +am__objects_10 = src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo +am__py3sss_nss_idmap_la_OBJECTS = $(am__objects_10) +_py3sss_nss_idmap_la_OBJECTS = $(am__py3sss_nss_idmap_la_OBJECTS) +_py3sss_nss_idmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(_py3sss_nss_idmap_la_CFLAGS) $(CFLAGS) \ + $(_py3sss_nss_idmap_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PYTHON3_BINDINGS_TRUE@am__py3sss_nss_idmap_la_rpath = -rpath \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(py3execdir) +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifs_idmap_sss_la_DEPENDENCIES = \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ libsss_idmap.la \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ libsss_nss_idmap.la +am__cifs_idmap_sss_la_SOURCES_DIST = \ + src/lib/cifs_idmap_sss/cifs_idmap_sss.c +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@am_cifs_idmap_sss_la_OBJECTS = src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo +cifs_idmap_sss_la_OBJECTS = $(am_cifs_idmap_sss_la_OBJECTS) +cifs_idmap_sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(cifs_idmap_sss_la_CFLAGS) $(CFLAGS) \ + $(cifs_idmap_sss_la_LDFLAGS) $(LDFLAGS) -o $@ 
+@BUILD_CIFS_IDMAP_PLUGIN_TRUE@am_cifs_idmap_sss_la_rpath = -rpath \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ $(cifsplugindir) +am__DEPENDENCIES_5 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +@HAVE_CHECK_TRUE@libdlopen_test_providers_la_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_2) $(am__append_58) +am__libdlopen_test_providers_la_SOURCES_DIST = \ + src/providers/data_provider_be.c \ + src/providers/data_provider_req.c \ + src/providers/data_provider_fo.c \ + src/providers/data_provider_opts.c \ + src/providers/data_provider_callbacks.c \ + src/providers/be_dyndns.c src/providers/be_ptask.c \ + src/providers/be_refresh.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider/dp.c \ + src/providers/data_provider/dp_modules.c \ + src/providers/data_provider/dp_targets.c \ + src/providers/data_provider/dp_methods.c \ + src/providers/data_provider/dp_builtin.c \ + src/providers/data_provider/dp_iface.c \ + src/providers/data_provider/dp_iface_backend.c \ + src/providers/data_provider/dp_iface_failover.c \ + src/providers/data_provider/dp_client.c \ + src/providers/data_provider/dp_resp_client.c \ + src/providers/data_provider/dp_iface_generated.c \ + src/providers/data_provider/dp_request.c \ + src/providers/data_provider/dp_request_reply.c \ + src/providers/data_provider/dp_request_table.c \ + src/providers/data_provider/dp_reply_std.c \ + src/providers/data_provider/dp_target_sudo.c \ + src/providers/data_provider/dp_target_hostid.c \ + src/providers/data_provider/dp_target_autofs.c \ + src/providers/data_provider/dp_target_subdomains.c \ + src/providers/data_provider/dp_target_id.c \ + src/providers/data_provider/dp_target_auth.c \ + src/util/session_recording.c 
src/providers/fail_over.c \ + src/providers/fail_over_srv.c src/resolv/async_resolv.c \ + src/resolv/async_resolv_utils.c \ + src/tests/cmocka/wrap_sss_nss_make_request_timeout.c +am__objects_11 = \ + src/resolv/libdlopen_test_providers_la-async_resolv.lo \ + src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo +am__objects_12 = \ + src/providers/libdlopen_test_providers_la-fail_over.lo \ + src/providers/libdlopen_test_providers_la-fail_over_srv.lo \ + $(am__objects_11) +am__objects_13 = \ + src/providers/libdlopen_test_providers_la-data_provider_be.lo \ + src/providers/libdlopen_test_providers_la-data_provider_req.lo \ + src/providers/libdlopen_test_providers_la-data_provider_fo.lo \ + src/providers/libdlopen_test_providers_la-data_provider_opts.lo \ + src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo \ + src/providers/libdlopen_test_providers_la-be_dyndns.lo \ + src/providers/libdlopen_test_providers_la-be_ptask.lo \ + src/providers/libdlopen_test_providers_la-be_refresh.lo \ + src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo \ + 
src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo \ + src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo \ + src/util/libdlopen_test_providers_la-session_recording.lo \ + $(am__objects_12) +@HAVE_CHECK_TRUE@am_libdlopen_test_providers_la_OBJECTS = \ +@HAVE_CHECK_TRUE@ $(am__objects_13) \ +@HAVE_CHECK_TRUE@ src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo +libdlopen_test_providers_la_OBJECTS = \ + $(am_libdlopen_test_providers_la_OBJECTS) +libdlopen_test_providers_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) \ + $(libdlopen_test_providers_la_LDFLAGS) $(LDFLAGS) -o $@ +@HAVE_CHECK_TRUE@am_libdlopen_test_providers_la_rpath = +libdlopen_test_winbind_idmap_la_LIBADD = +am__libdlopen_test_winbind_idmap_la_SOURCES_DIST = \ + src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c +@BUILD_SAMBA_TRUE@am_libdlopen_test_winbind_idmap_la_OBJECTS = src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo +libdlopen_test_winbind_idmap_la_OBJECTS = \ + $(am_libdlopen_test_winbind_idmap_la_OBJECTS) +libdlopen_test_winbind_idmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libdlopen_test_winbind_idmap_la_CFLAGS) $(CFLAGS) \ + 
$(libdlopen_test_winbind_idmap_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_SAMBA_TRUE@@HAVE_CHECK_TRUE@am_libdlopen_test_winbind_idmap_la_rpath = +am_libipa_hbac_la_OBJECTS = \ + src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo \ + src/util/libipa_hbac_la-sss_utf8.lo +libipa_hbac_la_OBJECTS = $(am_libipa_hbac_la_OBJECTS) +libipa_hbac_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libipa_hbac_la_CFLAGS) $(CFLAGS) $(libipa_hbac_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__DEPENDENCIES_6 = $(am__DEPENDENCIES_1) +libnss_sss_la_DEPENDENCIES = $(am__DEPENDENCIES_6) +am_libnss_sss_la_OBJECTS = src/sss_client/common.lo \ + src/sss_client/nss_passwd.lo src/sss_client/nss_group.lo \ + src/sss_client/nss_netgroup.lo src/sss_client/nss_services.lo \ + src/sss_client/nss_mc_common.lo src/util/io.lo \ + src/util/murmurhash3.lo src/sss_client/nss_mc_passwd.lo \ + src/sss_client/nss_mc_group.lo src/sss_client/nss_mc_initgr.lo +libnss_sss_la_OBJECTS = $(am_libnss_sss_la_OBJECTS) +libnss_sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libnss_sss_la_LDFLAGS) $(LDFLAGS) -o $@ +libsss_ad_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ + $(am__DEPENDENCIES_1) libsss_ldap_common.la \ + libsss_krb5_common.la libsss_idmap.la +am__libsss_ad_la_SOURCES_DIST = src/providers/ad/ad_opts.c \ + src/providers/ad/ad_common.c src/providers/ad/ad_init.c \ + src/providers/ad/ad_dyndns.c \ + src/providers/ad/ad_machine_pw_renewal.c \ + src/providers/ad/ad_id.c src/providers/ad/ad_pac.c \ + src/providers/ad/ad_pac_common.c src/providers/ad/ad_access.c \ + src/providers/ad/ad_gpo.c src/providers/ad/ad_gpo_ndr.c \ + src/providers/ad/ad_srv.c src/providers/ad/ad_subdomains.c \ + 
src/providers/ad/ad_domain_info.c src/providers/ad/ad_sudo.c \ + src/providers/ad/ad_autofs.c +@BUILD_SUDO_TRUE@am__objects_14 = \ +@BUILD_SUDO_TRUE@ src/providers/ad/libsss_ad_la-ad_sudo.lo +@BUILD_AUTOFS_TRUE@am__objects_15 = \ +@BUILD_AUTOFS_TRUE@ src/providers/ad/libsss_ad_la-ad_autofs.lo +am_libsss_ad_la_OBJECTS = src/providers/ad/libsss_ad_la-ad_opts.lo \ + src/providers/ad/libsss_ad_la-ad_common.lo \ + src/providers/ad/libsss_ad_la-ad_init.lo \ + src/providers/ad/libsss_ad_la-ad_dyndns.lo \ + src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo \ + src/providers/ad/libsss_ad_la-ad_id.lo \ + src/providers/ad/libsss_ad_la-ad_pac.lo \ + src/providers/ad/libsss_ad_la-ad_pac_common.lo \ + src/providers/ad/libsss_ad_la-ad_access.lo \ + src/providers/ad/libsss_ad_la-ad_gpo.lo \ + src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo \ + src/providers/ad/libsss_ad_la-ad_srv.lo \ + src/providers/ad/libsss_ad_la-ad_subdomains.lo \ + src/providers/ad/libsss_ad_la-ad_domain_info.lo \ + $(am__objects_14) $(am__objects_15) +libsss_ad_la_OBJECTS = $(am_libsss_ad_la_OBJECTS) +libsss_ad_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libsss_ad_la_CFLAGS) \ + $(CFLAGS) $(libsss_ad_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_SAMBA_TRUE@am_libsss_ad_la_rpath = -rpath $(sssdlibdir) +am__DEPENDENCIES_7 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ + libsss_ldap_common.la libsss_krb5_common.la libsss_idmap.la +@HAVE_CHECK_TRUE@libsss_ad_tests_la_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_7) \ +@HAVE_CHECK_TRUE@ libdlopen_test_providers.la +am__libsss_ad_tests_la_SOURCES_DIST = src/providers/ad/ad_opts.c \ + src/providers/ad/ad_common.c src/providers/ad/ad_init.c \ + src/providers/ad/ad_dyndns.c \ + src/providers/ad/ad_machine_pw_renewal.c \ 
+ src/providers/ad/ad_id.c src/providers/ad/ad_pac.c \ + src/providers/ad/ad_pac_common.c src/providers/ad/ad_access.c \ + src/providers/ad/ad_gpo.c src/providers/ad/ad_gpo_ndr.c \ + src/providers/ad/ad_srv.c src/providers/ad/ad_subdomains.c \ + src/providers/ad/ad_domain_info.c src/providers/ad/ad_sudo.c \ + src/providers/ad/ad_autofs.c +@BUILD_SUDO_TRUE@am__objects_16 = src/providers/ad/libsss_ad_tests_la-ad_sudo.lo +@BUILD_AUTOFS_TRUE@am__objects_17 = src/providers/ad/libsss_ad_tests_la-ad_autofs.lo +am__objects_18 = src/providers/ad/libsss_ad_tests_la-ad_opts.lo \ + src/providers/ad/libsss_ad_tests_la-ad_common.lo \ + src/providers/ad/libsss_ad_tests_la-ad_init.lo \ + src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo \ + src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo \ + src/providers/ad/libsss_ad_tests_la-ad_id.lo \ + src/providers/ad/libsss_ad_tests_la-ad_pac.lo \ + src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo \ + src/providers/ad/libsss_ad_tests_la-ad_access.lo \ + src/providers/ad/libsss_ad_tests_la-ad_gpo.lo \ + src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo \ + src/providers/ad/libsss_ad_tests_la-ad_srv.lo \ + src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo \ + src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo \ + $(am__objects_16) $(am__objects_17) +@HAVE_CHECK_TRUE@am_libsss_ad_tests_la_OBJECTS = $(am__objects_18) +libsss_ad_tests_la_OBJECTS = $(am_libsss_ad_tests_la_OBJECTS) +libsss_ad_tests_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) \ + $(libsss_ad_tests_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_SAMBA_TRUE@@HAVE_CHECK_TRUE@am_libsss_ad_tests_la_rpath = +@BUILD_AUTOFS_TRUE@libsss_autofs_la_DEPENDENCIES = \ +@BUILD_AUTOFS_TRUE@ $(am__DEPENDENCIES_6) +am__libsss_autofs_la_SOURCES_DIST = src/sss_client/common.c \ + src/sss_client/sss_cli.h src/sss_client/autofs/sss_autofs.c \ + src/sss_client/autofs/sss_autofs_private.h 
+@BUILD_AUTOFS_TRUE@am_libsss_autofs_la_OBJECTS = \ +@BUILD_AUTOFS_TRUE@ src/sss_client/common.lo \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs/sss_autofs.lo +libsss_autofs_la_OBJECTS = $(am_libsss_autofs_la_OBJECTS) +libsss_autofs_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_autofs_la_LDFLAGS) $(LDFLAGS) \ + -o $@ +@BUILD_AUTOFS_TRUE@am_libsss_autofs_la_rpath = -rpath $(autofslibdir) +@HAVE_NSS_FALSE@am__DEPENDENCIES_8 = $(am__DEPENDENCIES_1) +@HAVE_NSS_TRUE@am__DEPENDENCIES_8 = $(am__DEPENDENCIES_1) +libsss_cert_la_DEPENDENCIES = $(am__DEPENDENCIES_8) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) libsss_crypt.la \ + libsss_child.la libsss_debug.la libsss_certmap.la +am__libsss_cert_la_SOURCES_DIST = src/util/cert/cert_common.c \ + src/util/cert/cert_common_p11_child.c \ + src/util/cert/libcrypto/cert.c src/util/cert/nss/cert.c +@HAVE_NSS_FALSE@am__objects_19 = \ +@HAVE_NSS_FALSE@ src/util/cert/libsss_cert_la-cert_common.lo \ +@HAVE_NSS_FALSE@ src/util/cert/libsss_cert_la-cert_common_p11_child.lo \ +@HAVE_NSS_FALSE@ src/util/cert/libcrypto/libsss_cert_la-cert.lo +@HAVE_NSS_TRUE@am__objects_19 = \ +@HAVE_NSS_TRUE@ src/util/cert/libsss_cert_la-cert_common.lo \ +@HAVE_NSS_TRUE@ src/util/cert/libsss_cert_la-cert_common_p11_child.lo \ +@HAVE_NSS_TRUE@ src/util/cert/nss/libsss_cert_la-cert.lo +am_libsss_cert_la_OBJECTS = $(am__objects_19) +libsss_cert_la_OBJECTS = $(am_libsss_cert_la_OBJECTS) +libsss_cert_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_cert_la_CFLAGS) $(CFLAGS) $(libsss_cert_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@HAVE_NSS_TRUE@am__DEPENDENCIES_9 = $(am__DEPENDENCIES_1) +@HAVE_NSS_FALSE@am__DEPENDENCIES_10 = $(am__DEPENDENCIES_1) +am__libsss_certmap_la_SOURCES_DIST = src/lib/certmap/sss_certmap.c \ + src/lib/certmap/sss_certmap_attr_names.c \ + src/lib/certmap/sss_certmap_krb5_match.c \ + 
src/lib/certmap/sss_certmap_ldap_mapping.c \ + src/lib/certmap/sss_cert_content_common.c src/util/util_ext.c \ + src/util/cert/cert_common.c \ + src/lib/certmap/sss_cert_content_nss.c \ + src/util/crypto/nss/nss_base64.c src/util/cert/nss/cert.c \ + src/util/crypto/nss/nss_util.c \ + src/lib/certmap/sss_cert_content_crypto.c \ + src/util/crypto/libcrypto/crypto_base64.c \ + src/util/cert/libcrypto/cert.c +@HAVE_NSS_TRUE@am__objects_20 = src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_certmap_la-nss_base64.lo \ +@HAVE_NSS_TRUE@ src/util/cert/nss/libsss_certmap_la-cert.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_certmap_la-nss_util.lo +@HAVE_NSS_FALSE@am__objects_21 = src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo \ +@HAVE_NSS_FALSE@ src/util/cert/libcrypto/libsss_certmap_la-cert.lo +am_libsss_certmap_la_OBJECTS = \ + src/lib/certmap/libsss_certmap_la-sss_certmap.lo \ + src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo \ + src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo \ + src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo \ + src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo \ + src/util/libsss_certmap_la-util_ext.lo \ + src/util/cert/libsss_certmap_la-cert_common.lo \ + $(am__objects_20) $(am__objects_21) +libsss_certmap_la_OBJECTS = $(am_libsss_certmap_la_OBJECTS) +libsss_certmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_certmap_la_CFLAGS) $(CFLAGS) \ + $(libsss_certmap_la_LDFLAGS) $(LDFLAGS) -o $@ +libsss_child_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) libsss_debug.la +am_libsss_child_la_OBJECTS = src/util/child_common.lo +libsss_child_la_OBJECTS = $(am_libsss_child_la_OBJECTS) +libsss_child_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_child_la_LDFLAGS) $(LDFLAGS) \ + -o $@ +libsss_crypt_la_DEPENDENCIES = $(am__DEPENDENCIES_8) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) libsss_debug.la +am__libsss_crypt_la_SOURCES_DIST = \ + src/util/crypto/libcrypto/crypto_base64.c \ + src/util/crypto/libcrypto/crypto_hmac_sha1.c \ + src/util/crypto/libcrypto/crypto_sha512crypt.c \ + src/util/crypto/libcrypto/crypto_obfuscate.c \ + src/util/crypto/libcrypto/crypto_nite.c \ + src/util/crypto/sss_crypto.c src/util/atomic_io.c \ + src/util/crypto/nss/nss_base64.c \ + src/util/crypto/nss/nss_hmac_sha1.c \ + src/util/crypto/nss/nss_sha512crypt.c \ + src/util/crypto/nss/nss_obfuscate.c \ + src/util/crypto/nss/nss_nite.c src/util/crypto/nss/nss_util.c +@HAVE_NSS_FALSE@am__objects_22 = src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo \ +@HAVE_NSS_FALSE@ src/util/crypto/libsss_crypt_la-sss_crypto.lo \ +@HAVE_NSS_FALSE@ src/util/libsss_crypt_la-atomic_io.lo +@HAVE_NSS_TRUE@am__objects_22 = src/util/crypto/nss/libsss_crypt_la-nss_base64.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_crypt_la-nss_nite.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/libsss_crypt_la-nss_util.lo \ +@HAVE_NSS_TRUE@ src/util/crypto/libsss_crypt_la-sss_crypto.lo \ +@HAVE_NSS_TRUE@ src/util/libsss_crypt_la-atomic_io.lo +am_libsss_crypt_la_OBJECTS = $(am__objects_22) +libsss_crypt_la_OBJECTS = 
$(am_libsss_crypt_la_OBJECTS) +libsss_crypt_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_crypt_la_CFLAGS) $(CFLAGS) $(libsss_crypt_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@WITH_JOURNALD_TRUE@am__DEPENDENCIES_11 = $(am__DEPENDENCIES_1) +libsss_debug_la_DEPENDENCIES = $(am__DEPENDENCIES_11) +am_libsss_debug_la_OBJECTS = src/util/debug.lo src/util/sss_log.lo \ + src/util/sss_cli_cmd.lo +libsss_debug_la_OBJECTS = $(am_libsss_debug_la_OBJECTS) +libsss_debug_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_debug_la_LDFLAGS) $(LDFLAGS) \ + -o $@ +libsss_files_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +am_libsss_files_la_OBJECTS = \ + src/providers/files/libsss_files_la-files_init.lo \ + src/providers/files/libsss_files_la-files_id.lo \ + src/providers/files/libsss_files_la-files_ops.lo \ + src/util/libsss_files_la-inotify.lo +libsss_files_la_OBJECTS = $(am_libsss_files_la_OBJECTS) +libsss_files_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_files_la_CFLAGS) $(CFLAGS) $(libsss_files_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@HAVE_INOTIFY_TRUE@am_libsss_files_la_rpath = -rpath $(sssdlibdir) +libsss_idmap_la_LIBADD = +am_libsss_idmap_la_OBJECTS = src/lib/idmap/sss_idmap.lo \ + src/lib/idmap/sss_idmap_conv.lo src/util/murmurhash3.lo +libsss_idmap_la_OBJECTS = $(am_libsss_idmap_la_OBJECTS) +libsss_idmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_idmap_la_LDFLAGS) $(LDFLAGS) \ + -o $@ +libsss_ipa_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + 
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ + libsss_ldap_common.la libsss_krb5_common.la libipa_hbac.la \ + libsss_idmap.la libsss_semanage.la +am__libsss_ipa_la_SOURCES_DIST = src/providers/ipa/ipa_init.c \ + src/providers/ipa/ipa_opts.c src/providers/ipa/ipa_common.c \ + src/providers/ipa/ipa_config.c src/providers/ipa/ipa_id.c \ + src/providers/ipa/ipa_netgroups.c src/providers/ipa/ipa_auth.c \ + src/providers/ipa/ipa_access.c src/providers/ipa/ipa_dyndns.c \ + src/providers/ipa/ipa_hosts.c \ + src/providers/ipa/ipa_subdomains.c \ + src/providers/ipa/ipa_subdomains_id.c \ + src/providers/ipa/ipa_subdomains_server.c \ + src/providers/ipa/ipa_subdomains_utils.c \ + src/providers/ipa/ipa_subdomains_ext_groups.c \ + src/providers/ipa/ipa_views.c src/providers/ipa/ipa_utils.c \ + src/providers/ipa/ipa_s2n_exop.c \ + src/providers/ipa/ipa_hbac_hosts.c \ + src/providers/ipa/ipa_hbac_private.h \ + src/providers/ipa/ipa_hbac_rules.c \ + src/providers/ipa/ipa_hbac_rules.h \ + src/providers/ipa/ipa_hbac_services.c \ + src/providers/ipa/ipa_hbac_users.c \ + src/providers/ipa/ipa_hbac_common.c \ + src/providers/ipa/ipa_rules_common.c \ + src/providers/ipa/ipa_rules_common.h \ + src/providers/ipa/ipa_session.c \ + src/providers/ipa/ipa_deskprofile_private.h \ + src/providers/ipa/ipa_deskprofile_config.c \ + src/providers/ipa/ipa_deskprofile_config.h \ + src/providers/ipa/ipa_deskprofile_rules.c \ + src/providers/ipa/ipa_deskprofile_rules.h \ + src/providers/ipa/ipa_deskprofile_rules_util.c \ + src/providers/ipa/ipa_deskprofile_rules_util.h \ + src/providers/ipa/ipa_srv.c src/providers/ipa/ipa_idmap.c \ + src/providers/ipa/ipa_dn.c src/providers/ad/ad_opts.c \ + src/providers/ad/ad_common.c src/providers/ad/ad_dyndns.c \ + src/providers/ad/ad_id.c src/providers/ad/ad_pac.c \ + src/providers/ad/ad_pac_common.c src/providers/ad/ad_srv.c \ + src/providers/ad/ad_domain_info.c \ + src/providers/ipa/ipa_autofs.c src/providers/ipa/ipa_sudo.c \ + 
src/providers/ipa/ipa_sudo_refresh.c \ + src/providers/ipa/ipa_sudo_conversion.c \ + src/providers/ipa/ipa_sudo_async.c \ + src/providers/ipa/ipa_selinux.c \ + src/providers/ipa/ipa_selinux_maps.c \ + src/providers/ipa/ipa_hostid.c +@BUILD_AUTOFS_TRUE@am__objects_23 = src/providers/ipa/libsss_ipa_la-ipa_autofs.lo +@BUILD_SUDO_TRUE@am__objects_24 = \ +@BUILD_SUDO_TRUE@ src/providers/ipa/libsss_ipa_la-ipa_sudo.lo \ +@BUILD_SUDO_TRUE@ src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo \ +@BUILD_SUDO_TRUE@ src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo \ +@BUILD_SUDO_TRUE@ src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo +@BUILD_SEMANAGE_TRUE@am__objects_25 = src/providers/ipa/libsss_ipa_la-ipa_selinux.lo \ +@BUILD_SEMANAGE_TRUE@ src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo +@BUILD_SSH_TRUE@am__objects_26 = \ +@BUILD_SSH_TRUE@ src/providers/ipa/libsss_ipa_la-ipa_hostid.lo +am_libsss_ipa_la_OBJECTS = \ + src/providers/ipa/libsss_ipa_la-ipa_init.lo \ + src/providers/ipa/libsss_ipa_la-ipa_opts.lo \ + src/providers/ipa/libsss_ipa_la-ipa_common.lo \ + src/providers/ipa/libsss_ipa_la-ipa_config.lo \ + src/providers/ipa/libsss_ipa_la-ipa_id.lo \ + src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo \ + src/providers/ipa/libsss_ipa_la-ipa_auth.lo \ + src/providers/ipa/libsss_ipa_la-ipa_access.lo \ + src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo \ + src/providers/ipa/libsss_ipa_la-ipa_hosts.lo \ + src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo \ + src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo \ + src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo \ + src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo \ + src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo \ + src/providers/ipa/libsss_ipa_la-ipa_views.lo \ + src/providers/ipa/libsss_ipa_la-ipa_utils.lo \ + src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo \ + src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo \ + src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo \ + 
src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo \ + src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo \ + src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo \ + src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo \ + src/providers/ipa/libsss_ipa_la-ipa_session.lo \ + src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo \ + src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo \ + src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo \ + src/providers/ipa/libsss_ipa_la-ipa_srv.lo \ + src/providers/ipa/libsss_ipa_la-ipa_idmap.lo \ + src/providers/ipa/libsss_ipa_la-ipa_dn.lo \ + src/providers/ad/libsss_ipa_la-ad_opts.lo \ + src/providers/ad/libsss_ipa_la-ad_common.lo \ + src/providers/ad/libsss_ipa_la-ad_dyndns.lo \ + src/providers/ad/libsss_ipa_la-ad_id.lo \ + src/providers/ad/libsss_ipa_la-ad_pac.lo \ + src/providers/ad/libsss_ipa_la-ad_pac_common.lo \ + src/providers/ad/libsss_ipa_la-ad_srv.lo \ + src/providers/ad/libsss_ipa_la-ad_domain_info.lo \ + $(am__objects_23) $(am__objects_24) $(am__objects_25) \ + $(am__objects_26) +libsss_ipa_la_OBJECTS = $(am_libsss_ipa_la_OBJECTS) +libsss_ipa_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(libsss_ipa_la_CFLAGS) \ + $(CFLAGS) $(libsss_ipa_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_SAMBA_TRUE@am_libsss_ipa_la_rpath = -rpath $(sssdlibdir) +libsss_krb5_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ + libsss_krb5_common.la +am_libsss_krb5_la_OBJECTS = \ + src/providers/krb5/libsss_krb5_la-krb5_init.lo +libsss_krb5_la_OBJECTS = $(am_libsss_krb5_la_OBJECTS) +libsss_krb5_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_krb5_la_CFLAGS) $(CFLAGS) $(libsss_krb5_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +libsss_krb5_common_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + 
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +am_libsss_krb5_common_la_OBJECTS = \ + src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_common.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_access.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo \ + src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo \ + src/util/libsss_krb5_common_la-sss_krb5.lo \ + src/util/libsss_krb5_common_la-sss_iobuf.lo \ + src/util/libsss_krb5_common_la-become_user.lo +libsss_krb5_common_la_OBJECTS = $(am_libsss_krb5_common_la_OBJECTS) +libsss_krb5_common_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) \ + $(libsss_krb5_common_la_LDFLAGS) $(LDFLAGS) -o $@ +libsss_ldap_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) libsss_ldap_common.la \ + libsss_krb5_common.la +am_libsss_ldap_la_OBJECTS = \ + src/providers/ldap/libsss_ldap_la-ldap_init.lo \ + src/providers/ldap/libsss_ldap_la-ldap_access.lo +libsss_ldap_la_OBJECTS = $(am_libsss_ldap_la_OBJECTS) +libsss_ldap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_ldap_la_CFLAGS) $(CFLAGS) $(libsss_ldap_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +libsss_ldap_common_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + 
$(am__DEPENDENCIES_1) libsss_krb5_common.la libsss_idmap.la \ + libsss_certmap.la $(am__DEPENDENCIES_2) $(am__append_71) +am__libsss_ldap_common_la_SOURCES_DIST = src/providers/ldap/ldap_id.c \ + src/providers/ldap/ldap_id_enum.c \ + src/providers/ldap/sdap_async_enum.c \ + src/providers/ldap/ldap_id_cleanup.c \ + src/providers/ldap/ldap_id_netgroup.c \ + src/providers/ldap/ldap_id_services.c \ + src/providers/ldap/ldap_auth.c \ + src/providers/ldap/ldap_common.c \ + src/providers/ldap/ldap_options.c \ + src/providers/ldap/ldap_opts.c \ + src/providers/ldap/sdap_access.c \ + src/providers/ldap/sdap_async.c \ + src/providers/ldap/sdap_async_users.c \ + src/providers/ldap/sdap_async_groups.c \ + src/providers/ldap/sdap_async_nested_groups.c \ + src/providers/ldap/sdap_async_groups_ad.c \ + src/providers/ldap/sdap_async_initgroups.c \ + src/providers/ldap/sdap_async_initgroups_ad.c \ + src/providers/ldap/sdap_async_connection.c \ + src/providers/ldap/sdap_async_netgroups.c \ + src/providers/ldap/sdap_async_hosts.c \ + src/providers/ldap/sdap_async_services.c \ + src/providers/ldap/sdap_online_check.c \ + src/providers/ldap/sdap_ad_groups.c \ + src/providers/ldap/sdap_child_helpers.c \ + src/providers/ldap/sdap_fd_events.c \ + src/providers/ldap/sdap_hostid.h \ + src/providers/ldap/sdap_id_op.c \ + src/providers/ldap/sdap_certmap.c \ + src/providers/ldap/sdap_idmap.c \ + src/providers/ldap/sdap_idmap.h \ + src/providers/ldap/sdap_range.c \ + src/providers/ldap/sdap_reinit.c \ + src/providers/ldap/sdap_dyndns.c \ + src/providers/ldap/sdap_refresh.c \ + src/providers/ldap/sdap_utils.c \ + src/providers/ldap/sdap_domain.c src/providers/ldap/sdap_ops.c \ + src/providers/ldap/sdap.c src/providers/ipa/ipa_dn.c \ + src/util/user_info_msg.c src/util/sss_sockets.c \ + src/util/sss_ldap.c src/providers/ldap/sdap_hostid.c \ + src/providers/ldap/sdap_async_sudo.c \ + src/providers/ldap/sdap_async_sudo_hostinfo.c \ + src/providers/ldap/sdap_sudo_refresh.c \ + 
src/providers/ldap/sdap_sudo_shared.c \ + src/providers/ldap/sdap_sudo.c \ + src/providers/ldap/sdap_autofs.c \ + src/providers/ldap/sdap_async_autofs.c +@BUILD_SSH_TRUE@am__objects_27 = src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo +@BUILD_SUDO_TRUE@am__objects_28 = src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo \ +@BUILD_SUDO_TRUE@ src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo \ +@BUILD_SUDO_TRUE@ src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo \ +@BUILD_SUDO_TRUE@ src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo \ +@BUILD_SUDO_TRUE@ src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo +@BUILD_AUTOFS_TRUE@am__objects_29 = src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo \ +@BUILD_AUTOFS_TRUE@ src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo +am_libsss_ldap_common_la_OBJECTS = \ + src/providers/ldap/libsss_ldap_common_la-ldap_id.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_common.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_options.lo \ + src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_access.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo \ + 
src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_range.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo \ + src/providers/ldap/libsss_ldap_common_la-sdap.lo \ + src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo \ + src/util/libsss_ldap_common_la-user_info_msg.lo \ + src/util/libsss_ldap_common_la-sss_sockets.lo \ + src/util/libsss_ldap_common_la-sss_ldap.lo $(am__objects_27) \ + $(am__objects_28) $(am__objects_29) +libsss_ldap_common_la_OBJECTS = $(am_libsss_ldap_common_la_OBJECTS) +libsss_ldap_common_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) \ + $(libsss_ldap_common_la_LDFLAGS) $(LDFLAGS) -o $@ +am_libsss_nss_idmap_la_OBJECTS = \ + src/sss_client/idmap/sss_nss_idmap.lo \ + src/sss_client/idmap/sss_nss_ex.lo src/sss_client/common.lo \ + src/sss_client/idmap/common_ex.lo \ + 
src/sss_client/nss_mc_passwd.lo src/sss_client/nss_passwd.lo \ + src/sss_client/nss_mc_group.lo src/sss_client/nss_group.lo \ + src/sss_client/nss_mc_initgr.lo \ + src/sss_client/nss_mc_common.lo src/util/strtonum.lo \ + src/util/murmurhash3.lo src/util/io.lo +libsss_nss_idmap_la_OBJECTS = $(am_libsss_nss_idmap_la_OBJECTS) +libsss_nss_idmap_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_nss_idmap_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__DEPENDENCIES_12 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_6) +@HAVE_CHECK_TRUE@libsss_nss_idmap_tests_la_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_12) +am__libsss_nss_idmap_tests_la_SOURCES_DIST = \ + src/sss_client/idmap/sss_nss_idmap.c \ + src/sss_client/idmap/sss_nss_ex.c \ + src/sss_client/idmap/sss_nss_idmap_private.h \ + src/sss_client/common.c src/sss_client/idmap/common_ex.c \ + src/sss_client/nss_mc_passwd.c src/sss_client/nss_passwd.c \ + src/sss_client/nss_mc_group.c src/sss_client/nss_group.c \ + src/sss_client/nss_mc_initgr.c src/sss_client/nss_mc_common.c \ + src/util/strtonum.c src/util/murmurhash3.c src/util/io.c +am__objects_30 = src/sss_client/idmap/sss_nss_idmap.lo \ + src/sss_client/idmap/sss_nss_ex.lo src/sss_client/common.lo \ + src/sss_client/idmap/common_ex.lo \ + src/sss_client/nss_mc_passwd.lo src/sss_client/nss_passwd.lo \ + src/sss_client/nss_mc_group.lo src/sss_client/nss_group.lo \ + src/sss_client/nss_mc_initgr.lo \ + src/sss_client/nss_mc_common.lo src/util/strtonum.lo \ + src/util/murmurhash3.lo src/util/io.lo +@HAVE_CHECK_TRUE@am_libsss_nss_idmap_tests_la_OBJECTS = \ +@HAVE_CHECK_TRUE@ $(am__objects_30) +libsss_nss_idmap_tests_la_OBJECTS = \ + $(am_libsss_nss_idmap_tests_la_OBJECTS) +libsss_nss_idmap_tests_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_nss_idmap_tests_la_LDFLAGS) \ + $(LDFLAGS) -o $@ 
+@HAVE_CHECK_TRUE@am_libsss_nss_idmap_tests_la_rpath = +libsss_proxy_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) +am_libsss_proxy_la_OBJECTS = \ + src/providers/proxy/libsss_proxy_la-proxy_init.lo \ + src/providers/proxy/libsss_proxy_la-proxy_client.lo \ + src/providers/proxy/libsss_proxy_la-proxy_id.lo \ + src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo \ + src/providers/proxy/libsss_proxy_la-proxy_services.lo \ + src/providers/proxy/libsss_proxy_la-proxy_auth.lo \ + src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo +libsss_proxy_la_OBJECTS = $(am_libsss_proxy_la_OBJECTS) +libsss_proxy_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_proxy_la_CFLAGS) $(CFLAGS) $(libsss_proxy_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@BUILD_SEMANAGE_TRUE@am__DEPENDENCIES_13 = $(am__DEPENDENCIES_1) +libsss_semanage_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + libsss_debug.la $(am__DEPENDENCIES_13) +am_libsss_semanage_la_OBJECTS = \ + src/util/libsss_semanage_la-sss_semanage.lo +libsss_semanage_la_OBJECTS = $(am_libsss_semanage_la_OBJECTS) +libsss_semanage_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_semanage_la_CFLAGS) $(CFLAGS) \ + $(libsss_semanage_la_LDFLAGS) $(LDFLAGS) -o $@ +libsss_simple_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) +am_libsss_simple_la_OBJECTS = \ + src/providers/simple/libsss_simple_la-simple_access_check.lo \ + src/providers/simple/libsss_simple_la-simple_access.lo +libsss_simple_la_OBJECTS = $(am_libsss_simple_la_OBJECTS) +libsss_simple_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_simple_la_CFLAGS) $(CFLAGS) \ + 
$(libsss_simple_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_IFP_TRUE@libsss_simpleifp_la_DEPENDENCIES = \ +@BUILD_IFP_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +am__libsss_simpleifp_la_SOURCES_DIST = src/lib/sifp/sss_sifp.c \ + src/lib/sifp/sss_sifp_dbus.c src/lib/sifp/sss_sifp_attrs.c \ + src/lib/sifp/sss_sifp_common.c src/lib/sifp/sss_sifp_parser.c \ + src/lib/sifp/sss_sifp_utils.c +@BUILD_IFP_TRUE@am_libsss_simpleifp_la_OBJECTS = \ +@BUILD_IFP_TRUE@ src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo \ +@BUILD_IFP_TRUE@ src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo \ +@BUILD_IFP_TRUE@ src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo \ +@BUILD_IFP_TRUE@ src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo \ +@BUILD_IFP_TRUE@ src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo \ +@BUILD_IFP_TRUE@ src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo +libsss_simpleifp_la_OBJECTS = $(am_libsss_simpleifp_la_OBJECTS) +libsss_simpleifp_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) \ + $(libsss_simpleifp_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_IFP_TRUE@am_libsss_simpleifp_la_rpath = -rpath $(libdir) +@BUILD_SUDO_TRUE@libsss_sudo_la_DEPENDENCIES = $(am__DEPENDENCIES_6) +am__libsss_sudo_la_SOURCES_DIST = src/sss_client/common.c \ + src/sss_client/sss_cli.h \ + src/sss_client/sudo/sss_sudo_response.c \ + src/sss_client/sudo/sss_sudo.c src/sss_client/sudo/sss_sudo.h \ + src/sss_client/sudo/sss_sudo_private.h +@BUILD_SUDO_TRUE@am_libsss_sudo_la_OBJECTS = src/sss_client/common.lo \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo_response.lo \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo.lo +libsss_sudo_la_OBJECTS = $(am_libsss_sudo_la_OBJECTS) +libsss_sudo_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libsss_sudo_la_LDFLAGS) $(LDFLAGS) -o \ + $@ +@BUILD_SUDO_TRUE@am_libsss_sudo_la_rpath = -rpath 
$(sudolibdir) +libsss_test_common_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) +am__libsss_test_common_la_SOURCES_DIST = src/tests/common_tev.c \ + src/tests/common_dom.c src/tests/leak_check.c \ + src/tests/common.c src/tests/common_check.c +@HAVE_CHECK_TRUE@am__objects_31 = src/tests/common_check.lo +am_libsss_test_common_la_OBJECTS = src/tests/common_tev.lo \ + src/tests/common_dom.lo src/tests/leak_check.lo \ + src/tests/common.lo $(am__objects_31) +libsss_test_common_la_OBJECTS = $(am_libsss_test_common_la_OBJECTS) +libsss_util_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) libsss_debug.la libsss_child.la \ + libsss_crypt.la libsss_cert.la $(am__append_36) +am__libsss_util_la_SOURCES_DIST = src/confdb/confdb.c src/db/sysdb.c \ + src/db/sysdb_ops.c src/db/sysdb_search.c \ + src/db/sysdb_selinux.c src/db/sysdb_upgrade.c \ + src/db/sysdb_init.c src/db/sysdb_services.c \ + src/db/sysdb_autofs.c src/db/sysdb_subdomains.c \ + src/db/sysdb_views.c src/db/sysdb_ranges.c \ + src/db/sysdb_idmap.c src/db/sysdb_gpo.c src/db/sysdb_certmap.c \ + src/db/sysdb_domain_resolution_order.c \ + src/monitor/monitor_sbus.c src/providers/dp_auth_util.c \ + src/providers/dp_pam_data_util.c \ + src/providers/data_provider/dp_sbus.c src/sbus/sbus_client.c \ + src/sbus/sssd_dbus_common.c src/sbus/sssd_dbus_connection.c \ + src/sbus/sssd_dbus_meta.c src/sbus/sssd_dbus_interface.c \ + src/sbus/sssd_dbus_introspect.c src/sbus/sssd_dbus_invokers.c \ + src/sbus/sssd_dbus_properties.c src/sbus/sssd_dbus_request.c \ + src/sbus/sssd_dbus_server.c src/sbus/sssd_dbus_signals.c \ + src/sbus/sssd_dbus_common_signals.c src/sbus/sssd_dbus_utils.c \ + src/util/util.c src/util/util_ext.c src/util/util_preauth.c \ + src/util/memory.c src/util/safe-format-string.c \ + src/util/server.c src/util/signal.c src/util/usertools.c 
\ + src/util/backup_file.c src/util/strtonum.c \ + src/util/check_and_open.c src/util/refcount.c \ + src/util/sss_nss.c src/util/sss_utf8.c src/util/sss_tc_utf8.c \ + src/util/murmurhash3.c src/util/atomic_io.c src/util/authtok.c \ + src/util/authtok-utils.c src/util/sss_selinux.c \ + src/util/domain_info_utils.c src/util/util_lock.c \ + src/util/util_errors.c src/util/find_uid.c src/util/sss_ini.c \ + src/util/io.c src/util/util_sss_idmap.c \ + src/util/well_known_sids.c src/util/string_utils.c \ + src/util/become_user.c src/util/util_watchdog.c \ + src/util/sss_ptr_hash.c src/util/files.c src/util/selinux.c \ + src/db/sysdb_sudo.c src/db/sysdb_ssh.c src/util/sss_ssh.c +@BUILD_SUDO_TRUE@am__objects_32 = src/db/libsss_util_la-sysdb_sudo.lo +@BUILD_SSH_TRUE@am__objects_33 = src/db/libsss_util_la-sysdb_ssh.lo \ +@BUILD_SSH_TRUE@ src/util/libsss_util_la-sss_ssh.lo +am_libsss_util_la_OBJECTS = src/confdb/libsss_util_la-confdb.lo \ + src/db/libsss_util_la-sysdb.lo \ + src/db/libsss_util_la-sysdb_ops.lo \ + src/db/libsss_util_la-sysdb_search.lo \ + src/db/libsss_util_la-sysdb_selinux.lo \ + src/db/libsss_util_la-sysdb_upgrade.lo \ + src/db/libsss_util_la-sysdb_init.lo \ + src/db/libsss_util_la-sysdb_services.lo \ + src/db/libsss_util_la-sysdb_autofs.lo \ + src/db/libsss_util_la-sysdb_subdomains.lo \ + src/db/libsss_util_la-sysdb_views.lo \ + src/db/libsss_util_la-sysdb_ranges.lo \ + src/db/libsss_util_la-sysdb_idmap.lo \ + src/db/libsss_util_la-sysdb_gpo.lo \ + src/db/libsss_util_la-sysdb_certmap.lo \ + src/db/libsss_util_la-sysdb_domain_resolution_order.lo \ + src/monitor/libsss_util_la-monitor_sbus.lo \ + src/providers/libsss_util_la-dp_auth_util.lo \ + src/providers/libsss_util_la-dp_pam_data_util.lo \ + src/providers/data_provider/libsss_util_la-dp_sbus.lo \ + src/sbus/libsss_util_la-sbus_client.lo \ + src/sbus/libsss_util_la-sssd_dbus_common.lo \ + src/sbus/libsss_util_la-sssd_dbus_connection.lo \ + src/sbus/libsss_util_la-sssd_dbus_meta.lo \ + 
src/sbus/libsss_util_la-sssd_dbus_interface.lo \ + src/sbus/libsss_util_la-sssd_dbus_introspect.lo \ + src/sbus/libsss_util_la-sssd_dbus_invokers.lo \ + src/sbus/libsss_util_la-sssd_dbus_properties.lo \ + src/sbus/libsss_util_la-sssd_dbus_request.lo \ + src/sbus/libsss_util_la-sssd_dbus_server.lo \ + src/sbus/libsss_util_la-sssd_dbus_signals.lo \ + src/sbus/libsss_util_la-sssd_dbus_common_signals.lo \ + src/sbus/libsss_util_la-sssd_dbus_utils.lo \ + src/util/libsss_util_la-util.lo \ + src/util/libsss_util_la-util_ext.lo \ + src/util/libsss_util_la-util_preauth.lo \ + src/util/libsss_util_la-memory.lo \ + src/util/libsss_util_la-safe-format-string.lo \ + src/util/libsss_util_la-server.lo \ + src/util/libsss_util_la-signal.lo \ + src/util/libsss_util_la-usertools.lo \ + src/util/libsss_util_la-backup_file.lo \ + src/util/libsss_util_la-strtonum.lo \ + src/util/libsss_util_la-check_and_open.lo \ + src/util/libsss_util_la-refcount.lo \ + src/util/libsss_util_la-sss_nss.lo \ + src/util/libsss_util_la-sss_utf8.lo \ + src/util/libsss_util_la-sss_tc_utf8.lo \ + src/util/libsss_util_la-murmurhash3.lo \ + src/util/libsss_util_la-atomic_io.lo \ + src/util/libsss_util_la-authtok.lo \ + src/util/libsss_util_la-authtok-utils.lo \ + src/util/libsss_util_la-sss_selinux.lo \ + src/util/libsss_util_la-domain_info_utils.lo \ + src/util/libsss_util_la-util_lock.lo \ + src/util/libsss_util_la-util_errors.lo \ + src/util/libsss_util_la-find_uid.lo \ + src/util/libsss_util_la-sss_ini.lo \ + src/util/libsss_util_la-io.lo \ + src/util/libsss_util_la-util_sss_idmap.lo \ + src/util/libsss_util_la-well_known_sids.lo \ + src/util/libsss_util_la-string_utils.lo \ + src/util/libsss_util_la-become_user.lo \ + src/util/libsss_util_la-util_watchdog.lo \ + src/util/libsss_util_la-sss_ptr_hash.lo \ + src/util/libsss_util_la-files.lo \ + src/util/libsss_util_la-selinux.lo $(am__objects_32) \ + $(am__objects_33) +libsss_util_la_OBJECTS = $(am_libsss_util_la_OBJECTS) +libsss_util_la_LINK = $(LIBTOOL) 
$(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(libsss_util_la_CFLAGS) $(CFLAGS) $(libsss_util_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@BUILD_LIBWBCLIENT_TRUE@libwbclient_la_DEPENDENCIES = \ +@BUILD_LIBWBCLIENT_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_LIBWBCLIENT_TRUE@ libsss_nss_idmap.la \ +@BUILD_LIBWBCLIENT_TRUE@ $(am__DEPENDENCIES_6) +am__libwbclient_la_SOURCES_DIST = \ + src/sss_client/libwbclient/wbc_guid.c \ + src/sss_client/libwbclient/wbc_idmap_common.c \ + src/sss_client/libwbclient/wbc_idmap_sssd.c \ + src/sss_client/libwbclient/wbclient_common.c \ + src/sss_client/libwbclient/wbclient_sssd.c \ + src/sss_client/libwbclient/wbc_pam_sssd.c \ + src/sss_client/libwbclient/wbc_pwd_sssd.c \ + src/sss_client/libwbclient/wbc_sid_common.c \ + src/sss_client/libwbclient/wbc_sid_sssd.c \ + src/sss_client/libwbclient/wbc_sssd_internal.h \ + src/sss_client/libwbclient/wbc_util_common.c \ + src/sss_client/libwbclient/wbc_util_sssd.c \ + src/sss_client/libwbclient/wbc_ctx_sssd.c +@BUILD_LIBWBCLIENT_TRUE@am_libwbclient_la_OBJECTS = src/sss_client/libwbclient/wbc_guid.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_idmap_common.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_idmap_sssd.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbclient_common.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbclient_sssd.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_pam_sssd.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_pwd_sssd.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_sid_common.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_sid_sssd.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_util_common.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_util_sssd.lo \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_ctx_sssd.lo +libwbclient_la_OBJECTS = $(am_libwbclient_la_OBJECTS) +libwbclient_la_LINK = $(LIBTOOL) 
$(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libwbclient_la_LDFLAGS) $(LDFLAGS) -o \ + $@ +@BUILD_LIBWBCLIENT_TRUE@am_libwbclient_la_rpath = -rpath \ +@BUILD_LIBWBCLIENT_TRUE@ $(libwbclientdir) +memberof_la_DEPENDENCIES = libsss_debug.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +am_memberof_la_OBJECTS = src/ldb_modules/memberof_la-memberof.lo \ + src/util/memberof_la-util.lo src/util/memberof_la-util_ext.lo +memberof_la_OBJECTS = $(am_memberof_la_OBJECTS) +memberof_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(memberof_la_CFLAGS) \ + $(CFLAGS) $(memberof_la_LDFLAGS) $(LDFLAGS) -o $@ +pam_sss_la_DEPENDENCIES = $(am__DEPENDENCIES_6) $(am__DEPENDENCIES_1) +am_pam_sss_la_OBJECTS = src/sss_client/pam_sss.lo \ + src/sss_client/pam_message.lo src/sss_client/common.lo \ + src/util/atomic_io.lo src/util/authtok-utils.lo +pam_sss_la_OBJECTS = $(am_pam_sss_la_OBJECTS) +pam_sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(pam_sss_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_NFS_IDMAP_TRUE@sss_la_DEPENDENCIES = $(am__DEPENDENCIES_6) \ +@BUILD_NFS_IDMAP_TRUE@ $(am__DEPENDENCIES_1) +am__sss_la_SOURCES_DIST = src/sss_client/common.c \ + src/sss_client/nss_mc_common.c src/util/io.c \ + src/util/murmurhash3.c src/sss_client/nss_mc_passwd.c \ + src/sss_client/nss_mc_group.c \ + src/sss_client/nfs/sss_nfs_client.c +@BUILD_NFS_IDMAP_TRUE@am_sss_la_OBJECTS = \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/sss_la-common.lo \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/sss_la-nss_mc_common.lo \ +@BUILD_NFS_IDMAP_TRUE@ src/util/sss_la-io.lo \ +@BUILD_NFS_IDMAP_TRUE@ src/util/sss_la-murmurhash3.lo \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/sss_la-nss_mc_passwd.lo \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/sss_la-nss_mc_group.lo \ +@BUILD_NFS_IDMAP_TRUE@ 
src/sss_client/nfs/sss_la-sss_nfs_client.lo +sss_la_OBJECTS = $(am_sss_la_OBJECTS) +sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_la_CFLAGS) $(CFLAGS) \ + $(sss_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_NFS_IDMAP_TRUE@am_sss_la_rpath = -rpath $(nfslibdir) +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@sssd_krb5_localauth_plugin_la_DEPENDENCIES = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(am__DEPENDENCIES_1) +am__sssd_krb5_localauth_plugin_la_SOURCES_DIST = \ + src/krb5_plugin/sssd_krb5_localauth_plugin.c \ + src/util/murmurhash3.c src/util/io.c src/sss_client/common.c \ + src/sss_client/nss_mc_common.c src/sss_client/nss_mc_passwd.c \ + src/sss_client/nss_passwd.c +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@am_sssd_krb5_localauth_plugin_la_OBJECTS = src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/util/sssd_krb5_localauth_plugin_la-io.lo \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/sssd_krb5_localauth_plugin_la-common.lo \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo +sssd_krb5_localauth_plugin_la_OBJECTS = \ + $(am_sssd_krb5_localauth_plugin_la_OBJECTS) +sssd_krb5_localauth_plugin_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) \ + $(sssd_krb5_localauth_plugin_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@am_sssd_krb5_localauth_plugin_la_rpath = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ -rpath \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(krb5localauth_plugindir) +sssd_krb5_locator_plugin_la_LIBADD = 
+am__sssd_krb5_locator_plugin_la_SOURCES_DIST = \ + src/krb5_plugin/sssd_krb5_locator_plugin.c \ + src/util/atomic_io.c +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@am_sssd_krb5_locator_plugin_la_OBJECTS = src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ src/util/sssd_krb5_locator_plugin_la-atomic_io.lo +sssd_krb5_locator_plugin_la_OBJECTS = \ + $(am_sssd_krb5_locator_plugin_la_OBJECTS) +sssd_krb5_locator_plugin_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sssd_krb5_locator_plugin_la_CFLAGS) $(CFLAGS) \ + $(sssd_krb5_locator_plugin_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@am_sssd_krb5_locator_plugin_la_rpath = \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ -rpath $(krb5plugindir) +sssd_pac_plugin_la_DEPENDENCIES = $(am__DEPENDENCIES_6) \ + $(am__DEPENDENCIES_1) +am_sssd_pac_plugin_la_OBJECTS = \ + src/sss_client/sssd_pac_plugin_la-sssd_pac.lo \ + src/sss_client/sssd_pac_plugin_la-common.lo +sssd_pac_plugin_la_OBJECTS = $(am_sssd_pac_plugin_la_OBJECTS) +sssd_pac_plugin_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sssd_pac_plugin_la_CFLAGS) $(CFLAGS) \ + $(sssd_pac_plugin_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_PAC_RESPONDER_TRUE@am_sssd_pac_plugin_la_rpath = -rpath \ +@BUILD_PAC_RESPONDER_TRUE@ $(krb5authdata_plugindir) +@BUILD_SAMBA_TRUE@winbind_idmap_sss_la_DEPENDENCIES = libsss_idmap.la \ +@BUILD_SAMBA_TRUE@ libsss_nss_idmap.la $(am__DEPENDENCIES_1) +am__winbind_idmap_sss_la_SOURCES_DIST = \ + src/lib/winbind_idmap_sss/winbind_idmap_sss.c \ + src/util/util_sss_idmap.c +@BUILD_SAMBA_TRUE@am_winbind_idmap_sss_la_OBJECTS = src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo \ +@BUILD_SAMBA_TRUE@ src/util/winbind_idmap_sss_la-util_sss_idmap.lo +winbind_idmap_sss_la_OBJECTS = $(am_winbind_idmap_sss_la_OBJECTS) +winbind_idmap_sss_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(winbind_idmap_sss_la_CFLAGS) $(CFLAGS) \ + $(winbind_idmap_sss_la_LDFLAGS) $(LDFLAGS) -o $@ +@BUILD_SAMBA_TRUE@am_winbind_idmap_sss_la_rpath = -rpath \ +@BUILD_SAMBA_TRUE@ $(winbindplugindir) +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@am__EXEEXT_1 = test_resolv_fake$(EXEEXT) +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@am__EXEEXT_2 = ifp_tests$(EXEEXT) +@HAVE_CMOCKA_TRUE@@HAVE_INOTIFY_TRUE@am__EXEEXT_3 = \ +@HAVE_CMOCKA_TRUE@@HAVE_INOTIFY_TRUE@ test_inotify$(EXEEXT) +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@am__EXEEXT_4 = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ test_kcm_json$(EXEEXT) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ test_kcm_queue$(EXEEXT) +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@am__EXEEXT_5 = ad_access_filter_tests$(EXEEXT) \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ ad_gpo_tests$(EXEEXT) \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ ad_common_tests$(EXEEXT) \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ test_sdap_initgr$(EXEEXT) \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ test_ad_subdom$(EXEEXT) \ +@BUILD_SAMBA_TRUE@@HAVE_CMOCKA_TRUE@ test_ipa_subdom_server$(EXEEXT) +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@@HAVE_CMOCKA_TRUE@am__EXEEXT_6 = test_sssd_krb5_localauth_plugin$(EXEEXT) +@HAVE_CMOCKA_TRUE@am__EXEEXT_7 = nss-srv-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test-find-uid$(EXEEXT) test-io$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test-negcache$(EXEEXT) test-authtok$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ sss_nss_idmap-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ deskprofile_utils-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ dyndns-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ domain_resolution_order-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ fqnames-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ nestedgroups-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sss_idmap$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_ipa_idmap$(EXEEXT) test_utils$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ dp_opt_tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ responder-get-domains-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ sbus-internal-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ 
config_check-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ sss_sifp-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_search_bases$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_ldap_auth$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sdap_access$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sdap_certmap$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ sdap-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_ts_cache$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_views$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_subdomains$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_certmap$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_sudo$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_utils$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sysdb_domain_resolution_order$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_wbc_calls$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_be_ptask$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_copy_ccache$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_copy_keytab$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_child_common$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ responder_cache_req-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sbus_opath$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_fo_srv$(EXEEXT) pam-srv-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ ssh-srv-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_ipa_subdom_util$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_tools_colondb$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_krb5_wait_queue$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_cert_utils$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_ldap_id_cleanup$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_data_provider_be$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_dp_request_table$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_dp_request$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_dp_builtin$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_ipa_dn$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ simple-access-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ krb5_common_test$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_iobuf$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ sss_certmap_test$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ test_sssd_krb5_locator_plugin$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__EXEEXT_1) $(am__EXEEXT_2) \ +@HAVE_CMOCKA_TRUE@ $(am__EXEEXT_3) $(am__EXEEXT_4) \ +@HAVE_CMOCKA_TRUE@ 
$(am__EXEEXT_5) $(am__EXEEXT_6) +@BUILD_SSH_TRUE@@HAVE_CHECK_TRUE@am__EXEEXT_8 = \ +@BUILD_SSH_TRUE@@HAVE_CHECK_TRUE@ sysdb_ssh-tests$(EXEEXT) +@BUILD_DBUS_TESTS_TRUE@@HAVE_CHECK_TRUE@am__EXEEXT_9 = \ +@BUILD_DBUS_TESTS_TRUE@@HAVE_CHECK_TRUE@ sbus_tests$(EXEEXT) \ +@BUILD_DBUS_TESTS_TRUE@@HAVE_CHECK_TRUE@ sbus_codegen_tests$(EXEEXT) +@HAVE_CHECK_TRUE@am__EXEEXT_10 = dlopen-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ sysdb-tests$(EXEEXT) strtonum-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ resolv-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ krb5-utils-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ check_and_open-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ files-tests$(EXEEXT) refcount-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ fail_over-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ find_uid-tests$(EXEEXT) auth-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ ipa_ldap_opt-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ ad_ldap_opt-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ crypto-tests$(EXEEXT) util-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ debug-tests$(EXEEXT) ipa_hbac-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ sss_idmap-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ responder_socket_access-tests$(EXEEXT) \ +@HAVE_CHECK_TRUE@ safe-format-tests$(EXEEXT) $(am__EXEEXT_8) \ +@HAVE_CHECK_TRUE@ $(am__EXEEXT_9) +@HAVE_CMOCKA_TRUE@am__EXEEXT_11 = dummy-child$(EXEEXT) +@BUILD_SUDO_TRUE@am__EXEEXT_12 = sss_sudo_cli$(EXEEXT) +@BUILD_AUTOFS_TRUE@am__EXEEXT_13 = autofs_test_client$(EXEEXT) +@BUILD_WITH_LIBCURL_TRUE@am__EXEEXT_14 = tcurl-test-tool$(EXEEXT) +@BUILD_PAC_RESPONDER_TRUE@am__EXEEXT_15 = \ +@BUILD_PAC_RESPONDER_TRUE@ sssd_pac_test_client$(EXEEXT) +@BUILD_SUDO_TRUE@am__EXEEXT_16 = sssd_sudo$(EXEEXT) +@BUILD_AUTOFS_TRUE@am__EXEEXT_17 = sssd_autofs$(EXEEXT) +@BUILD_SSH_TRUE@am__EXEEXT_18 = sssd_ssh$(EXEEXT) +@BUILD_IFP_TRUE@am__EXEEXT_19 = sssd_ifp$(EXEEXT) +@BUILD_SAMBA_TRUE@am__EXEEXT_20 = gpo_child$(EXEEXT) +@BUILD_SEMANAGE_TRUE@am__EXEEXT_21 = selinux_child$(EXEEXT) +@BUILD_SECRETS_TRUE@am__EXEEXT_22 = sssd_secrets$(EXEEXT) +@BUILD_KCM_TRUE@am__EXEEXT_23 = sssd_kcm$(EXEEXT) 
+@BUILD_PAC_RESPONDER_TRUE@am__EXEEXT_24 = sssd_pac$(EXEEXT) +@HAVE_SYSTEMD_UNIT_TRUE@am__EXEEXT_25 = sssd_check_socket_activated_responders$(EXEEXT) +PROGRAMS = $(bin_PROGRAMS) $(noinst_PROGRAMS) $(sbin_PROGRAMS) \ + $(sssdlibexec_PROGRAMS) +am__ad_access_filter_tests_SOURCES_DIST = \ + src/tests/cmocka/test_ad_access_filter.c +@HAVE_CMOCKA_TRUE@am_ad_access_filter_tests_OBJECTS = src/tests/cmocka/test_ad_access_filter.$(OBJEXT) +ad_access_filter_tests_OBJECTS = $(am_ad_access_filter_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@ad_access_filter_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la libsss_test_common.la +am__ad_common_tests_SOURCES_DIST = src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_delayed_online_authentication.c \ + src/providers/krb5/krb5_renew_tgt.c \ + src/providers/krb5/krb5_wait_queue.c \ + src/providers/krb5/krb5_common.c \ + src/providers/krb5/krb5_opts.c src/providers/krb5/krb5_auth.c \ + src/providers/krb5/krb5_access.c \ + src/providers/krb5/krb5_child_handler.c \ + src/providers/krb5/krb5_init_shared.c \ + src/providers/krb5/krb5_ccache.c src/util/sss_krb5.c \ + src/util/sss_iobuf.c src/util/become_user.c \ + src/tests/cmocka/common_mock_krb5.c \ + src/tests/cmocka/test_ad_common.c src/providers/ad/ad_opts.c \ + src/providers/ad/ad_pac.c src/providers/ad/ad_pac_common.c \ + src/providers/ad/ad_domain_info.c \ + src/providers/ldap/sdap_async_initgroups_ad.c +am__objects_34 = \ + src/providers/krb5/ad_common_tests-krb5_utils.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_renew_tgt.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_wait_queue.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_common.$(OBJEXT) \ + 
src/providers/krb5/ad_common_tests-krb5_opts.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_auth.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_access.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_child_handler.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_init_shared.$(OBJEXT) \ + src/providers/krb5/ad_common_tests-krb5_ccache.$(OBJEXT) \ + src/util/ad_common_tests-sss_krb5.$(OBJEXT) \ + src/util/ad_common_tests-sss_iobuf.$(OBJEXT) \ + src/util/ad_common_tests-become_user.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am_ad_common_tests_OBJECTS = $(am__objects_34) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/ad_common_tests-common_mock_krb5.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/ad_common_tests-test_ad_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_common_tests-ad_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_common_tests-ad_pac.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_common_tests-ad_pac_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_common_tests-ad_domain_info.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.$(OBJEXT) +ad_common_tests_OBJECTS = $(am_ad_common_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@ad_common_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +ad_common_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(ad_common_tests_CFLAGS) $(CFLAGS) $(ad_common_tests_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__ad_gpo_tests_SOURCES_DIST = src/tests/cmocka/test_ad_gpo.c +@HAVE_CMOCKA_TRUE@am_ad_gpo_tests_OBJECTS = src/tests/cmocka/ad_gpo_tests-test_ad_gpo.$(OBJEXT) 
+ad_gpo_tests_OBJECTS = $(am_ad_gpo_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@ad_gpo_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_krb5_common.la libsss_ad_tests.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +ad_gpo_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ad_gpo_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__ad_ldap_opt_tests_SOURCES_DIST = src/providers/ldap/ldap_opts.c \ + src/providers/ad/ad_opts.c src/providers/krb5/krb5_opts.c \ + src/tests/ad_ldap_opt-tests.c +@HAVE_CHECK_TRUE@am_ad_ldap_opt_tests_OBJECTS = src/providers/ldap/ad_ldap_opt_tests-ldap_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ad/ad_ldap_opt_tests-ad_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5/ad_ldap_opt_tests-krb5_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.$(OBJEXT) +ad_ldap_opt_tests_OBJECTS = $(am_ad_ldap_opt_tests_OBJECTS) +@HAVE_CHECK_TRUE@ad_ldap_opt_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +ad_ldap_opt_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__auth_tests_SOURCES_DIST = src/tests/auth-tests.c +@HAVE_CHECK_TRUE@am_auth_tests_OBJECTS = \ +@HAVE_CHECK_TRUE@ src/tests/auth_tests-auth-tests.$(OBJEXT) +auth_tests_OBJECTS = $(am_auth_tests_OBJECTS) +@HAVE_CHECK_TRUE@auth_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +auth_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(auth_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__autofs_test_client_SOURCES_DIST = \ + src/sss_client/autofs/autofs_test_client.c \ + src/sss_client/autofs/sss_autofs.c src/sss_client/common.c +@BUILD_AUTOFS_TRUE@am_autofs_test_client_OBJECTS = src/sss_client/autofs/autofs_test_client-autofs_test_client.$(OBJEXT) \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs/autofs_test_client-sss_autofs.$(OBJEXT) \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs_test_client-common.$(OBJEXT) +autofs_test_client_OBJECTS = $(am_autofs_test_client_OBJECTS) +@BUILD_AUTOFS_TRUE@autofs_test_client_DEPENDENCIES = \ +@BUILD_AUTOFS_TRUE@ $(am__DEPENDENCIES_6) +autofs_test_client_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(autofs_test_client_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__check_and_open_tests_SOURCES_DIST = \ + src/tests/check_and_open-tests.c src/util/check_and_open.c +@HAVE_CHECK_TRUE@am_check_and_open_tests_OBJECTS = src/tests/check_and_open_tests-check_and_open-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/check_and_open_tests-check_and_open.$(OBJEXT) +check_and_open_tests_OBJECTS = $(am_check_and_open_tests_OBJECTS) +@HAVE_CHECK_TRUE@check_and_open_tests_DEPENDENCIES = libsss_debug.la \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la +check_and_open_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(check_and_open_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__config_check_tests_SOURCES_DIST = \ + src/tests/cmocka/test_config_check.c +@HAVE_CMOCKA_TRUE@am_config_check_tests_OBJECTS = src/tests/cmocka/config_check_tests-test_config_check.$(OBJEXT) +config_check_tests_OBJECTS = $(am_config_check_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@config_check_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ 
+@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +config_check_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(config_check_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__crypto_tests_SOURCES_DIST = src/tests/crypto-tests.c +@HAVE_CHECK_TRUE@am_crypto_tests_OBJECTS = src/tests/crypto_tests-crypto-tests.$(OBJEXT) +crypto_tests_OBJECTS = $(am_crypto_tests_OBJECTS) +@HAVE_CHECK_TRUE@crypto_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ libsss_crypt.la libsss_debug.la \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +crypto_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(crypto_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__debug_tests_SOURCES_DIST = src/tests/debug-tests.c \ + src/tests/common.c +@HAVE_CHECK_TRUE@am_debug_tests_OBJECTS = \ +@HAVE_CHECK_TRUE@ src/tests/debug_tests-debug-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/tests/debug_tests-common.$(OBJEXT) +debug_tests_OBJECTS = $(am_debug_tests_OBJECTS) +@HAVE_CHECK_TRUE@debug_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) libsss_debug.la +debug_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(debug_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__deskprofile_utils_tests_SOURCES_DIST = \ + src/tests/cmocka/test_deskprofile_utils.c \ + src/providers/ipa/ipa_deskprofile_rules_util.c \ + src/providers/ipa/ipa_rules_common.c +@HAVE_CMOCKA_TRUE@am_deskprofile_utils_tests_OBJECTS = src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ 
src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.$(OBJEXT) +deskprofile_utils_tests_OBJECTS = \ + $(am_deskprofile_utils_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@deskprofile_utils_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +deskprofile_utils_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__dlopen_tests_SOURCES_DIST = src/tests/dlopen-tests.c +@HAVE_CHECK_TRUE@am_dlopen_tests_OBJECTS = src/tests/dlopen_tests-dlopen-tests.$(OBJEXT) +dlopen_tests_OBJECTS = $(am_dlopen_tests_OBJECTS) +@HAVE_CHECK_TRUE@dlopen_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) +dlopen_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(dlopen_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__domain_resolution_order_tests_SOURCES_DIST = \ + src/tests/cmocka/test_domain_resolution_order.c \ + src/responder/common/cache_req/cache_req_domain.c +@HAVE_CMOCKA_TRUE@am_domain_resolution_order_tests_OBJECTS = src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.$(OBJEXT) +domain_resolution_order_tests_OBJECTS = \ + $(am_domain_resolution_order_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@domain_resolution_order_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +domain_resolution_order_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__dp_opt_tests_SOURCES_DIST = src/providers/data_provider_opts.c \ + 
src/tests/cmocka/test_dp_opts.c +@HAVE_CMOCKA_TRUE@am_dp_opt_tests_OBJECTS = src/providers/dp_opt_tests-data_provider_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/dp_opt_tests-test_dp_opts.$(OBJEXT) +dp_opt_tests_OBJECTS = $(am_dp_opt_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@dp_opt_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +dp_opt_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(dp_opt_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__dummy_child_SOURCES_DIST = src/tests/cmocka/dummy_child.c +@HAVE_CMOCKA_TRUE@am_dummy_child_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/dummy_child.$(OBJEXT) +dummy_child_OBJECTS = $(am_dummy_child_OBJECTS) +@HAVE_CMOCKA_TRUE@dummy_child_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) +am__dyndns_tests_SOURCES_DIST = src/resolv/async_resolv.c \ + src/resolv/async_resolv_utils.c \ + src/tests/cmocka/common_mock_be.c \ + src/tests/cmocka/test_dyndns.c \ + src/providers/data_provider_opts.c +am__objects_35 = src/resolv/dyndns_tests-async_resolv.$(OBJEXT) \ + src/resolv/dyndns_tests-async_resolv_utils.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am_dyndns_tests_OBJECTS = $(am__objects_35) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/dyndns_tests-common_mock_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/dyndns_tests-test_dyndns.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/dyndns_tests-data_provider_opts.$(OBJEXT) +dyndns_tests_OBJECTS = $(am_dyndns_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@dyndns_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +dyndns_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(dyndns_tests_CFLAGS) \ + $(CFLAGS) 
$(dyndns_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__fail_over_tests_SOURCES_DIST = src/tests/fail_over-tests.c \ + src/providers/fail_over.c src/providers/fail_over_srv.c \ + src/resolv/async_resolv.c src/resolv/async_resolv_utils.c +am__objects_36 = src/resolv/fail_over_tests-async_resolv.$(OBJEXT) \ + src/resolv/fail_over_tests-async_resolv_utils.$(OBJEXT) +am__objects_37 = src/providers/fail_over_tests-fail_over.$(OBJEXT) \ + src/providers/fail_over_tests-fail_over_srv.$(OBJEXT) \ + $(am__objects_36) +@HAVE_CHECK_TRUE@am_fail_over_tests_OBJECTS = src/tests/fail_over_tests-fail_over-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ $(am__objects_37) +fail_over_tests_OBJECTS = $(am_fail_over_tests_OBJECTS) +@HAVE_CHECK_TRUE@fail_over_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +fail_over_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(fail_over_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__files_tests_SOURCES_DIST = src/tests/files-tests.c \ + src/util/check_and_open.c src/util/atomic_io.c \ + src/util/selinux.c src/util/files.c +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@am_files_tests_OBJECTS = src/tests/files_tests-files-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/files_tests-check_and_open.$(OBJEXT) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/files_tests-atomic_io.$(OBJEXT) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/files_tests-selinux.$(OBJEXT) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/files_tests-files.$(OBJEXT) +files_tests_OBJECTS = $(am_files_tests_OBJECTS) +@BUILD_SELINUX_TRUE@@HAVE_CHECK_TRUE@am__DEPENDENCIES_14 = \ +@BUILD_SELINUX_TRUE@@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) +@BUILD_SEMANAGE_TRUE@@HAVE_CHECK_TRUE@am__DEPENDENCIES_15 = \ +@BUILD_SEMANAGE_TRUE@@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) +@HAVE_CHECK_TRUE@am__DEPENDENCIES_16 
= $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la $(am__DEPENDENCIES_14) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_15) +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@files_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ $(am__DEPENDENCIES_16) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ libsss_test_common.la \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ $(am__DEPENDENCIES_2) +files_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(files_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__find_uid_tests_SOURCES_DIST = src/tests/find_uid-tests.c \ + src/util/find_uid.c src/util/atomic_io.c src/util/strtonum.c +@HAVE_CHECK_TRUE@am_find_uid_tests_OBJECTS = src/tests/find_uid_tests-find_uid-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/find_uid_tests-find_uid.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/find_uid_tests-atomic_io.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/find_uid_tests-strtonum.$(OBJEXT) +find_uid_tests_OBJECTS = $(am_find_uid_tests_OBJECTS) +@HAVE_CHECK_TRUE@find_uid_tests_DEPENDENCIES = libsss_debug.la \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +find_uid_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(find_uid_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__fqnames_tests_SOURCES_DIST = src/tests/cmocka/test_fqnames.c +@HAVE_CMOCKA_TRUE@am_fqnames_tests_OBJECTS = src/tests/cmocka/fqnames_tests-test_fqnames.$(OBJEXT) +fqnames_tests_OBJECTS = $(am_fqnames_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@fqnames_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +fqnames_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + 
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(fqnames_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_gpo_child_OBJECTS = \ + src/providers/ad/gpo_child-ad_gpo_child.$(OBJEXT) \ + src/util/gpo_child-atomic_io.$(OBJEXT) \ + src/util/gpo_child-util.$(OBJEXT) \ + src/util/gpo_child-util_ext.$(OBJEXT) \ + src/util/gpo_child-signal.$(OBJEXT) +gpo_child_OBJECTS = $(am_gpo_child_OBJECTS) +gpo_child_DEPENDENCIES = libsss_debug.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +gpo_child_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(gpo_child_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__ifp_tests_SOURCES_DIST = src/tests/cmocka/common_mock_resp.c \ + src/tests/cmocka/common_mock_resp_dp.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_common.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/responder/common/responder_utils.c \ + src/util/session_recording.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c 
\ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/tests/cmocka/test_ifp.c src/responder/ifp/ifpsrv_cmd.c \ + src/responder/ifp/ifp_iface_generated.c \ + src/responder/ifp/ifpsrv_util.c +am__objects_38 = \ + src/responder/common/cache_req/ifp_tests-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/ifp_tests-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/ifp_tests-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/ifp_tests-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/ifp_tests-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_39 = src/responder/common/iface/ifp_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/ifp_tests-responder_domain.$(OBJEXT) \ + src/responder/common/iface/ifp_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/ifp_tests-responder_iface_generated.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am__objects_40 = 
src/tests/cmocka/ifp_tests-common_mock_resp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/ifp_tests-common_mock_resp_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ifp_tests-responder_packet.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ifp_tests-responder_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ifp_tests-negcache_files.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ifp_tests-negcache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ifp_tests-responder_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/ifp_tests-rdp_message.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/ifp_tests-rdp_client.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ifp_tests-responder_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/ifp_tests-session_recording.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__objects_38) $(am__objects_39) +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@am_ifp_tests_OBJECTS = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__objects_40) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/tests/cmocka/ifp_tests-test_ifp.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/ifp/ifp_tests-ifpsrv_cmd.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/ifp/ifp_tests-ifp_iface_generated.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/ifp/ifp_tests-ifpsrv_util.$(OBJEXT) +ifp_tests_OBJECTS = $(am_ifp_tests_OBJECTS) +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ifp_tests_DEPENDENCIES = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ libsss_test_common.la +ifp_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ifp_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__ipa_hbac_tests_SOURCES_DIST = 
src/tests/ipa_hbac-tests.c +@HAVE_CHECK_TRUE@am_ipa_hbac_tests_OBJECTS = src/tests/ipa_hbac_tests-ipa_hbac-tests.$(OBJEXT) +ipa_hbac_tests_OBJECTS = $(am_ipa_hbac_tests_OBJECTS) +@HAVE_CHECK_TRUE@ipa_hbac_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la \ +@HAVE_CHECK_TRUE@ libipa_hbac.la +ipa_hbac_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(ipa_hbac_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__ipa_ldap_opt_tests_SOURCES_DIST = \ + src/providers/data_provider_opts.c src/providers/ldap/sdap.c \ + src/providers/ldap/sdap_range.c \ + src/providers/ldap/sdap_domain.c \ + src/providers/ldap/ldap_opts.c src/providers/ad/ad_opts.c \ + src/providers/ipa/ipa_opts.c src/providers/krb5/krb5_opts.c \ + src/util/sss_sockets.c src/util/sss_ldap.c \ + src/tests/ipa_ldap_opt-tests.c +@HAVE_CHECK_TRUE@am_ipa_ldap_opt_tests_OBJECTS = src/providers/ipa_ldap_opt_tests-data_provider_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ldap/ipa_ldap_opt_tests-sdap.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ldap/ipa_ldap_opt_tests-sdap_range.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ad/ipa_ldap_opt_tests-ad_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/ipa_ldap_opt_tests-sss_sockets.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/ipa_ldap_opt_tests-sss_ldap.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.$(OBJEXT) +ipa_ldap_opt_tests_OBJECTS = $(am_ipa_ldap_opt_tests_OBJECTS) +@HAVE_CHECK_TRUE@ipa_ldap_opt_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ 
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la +ipa_ldap_opt_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__objects_41 = src/resolv/krb5_child_test-async_resolv.$(OBJEXT) \ + src/resolv/krb5_child_test-async_resolv_utils.$(OBJEXT) +am__objects_42 = src/providers/krb5_child_test-fail_over.$(OBJEXT) \ + src/providers/krb5_child_test-fail_over_srv.$(OBJEXT) \ + $(am__objects_41) +am_krb5_child_test_OBJECTS = \ + src/tests/krb5_child_test-krb5_child-test.$(OBJEXT) \ + src/providers/krb5/krb5_child_test-krb5_utils.$(OBJEXT) \ + src/providers/krb5/krb5_child_test-krb5_ccache.$(OBJEXT) \ + src/providers/krb5/krb5_child_test-krb5_child_handler.$(OBJEXT) \ + src/providers/krb5/krb5_child_test-krb5_common.$(OBJEXT) \ + src/providers/krb5/krb5_child_test-krb5_opts.$(OBJEXT) \ + src/util/krb5_child_test-sss_krb5.$(OBJEXT) \ + src/util/krb5_child_test-sss_iobuf.$(OBJEXT) \ + src/providers/krb5_child_test-data_provider_fo.$(OBJEXT) \ + src/providers/krb5_child_test-data_provider_opts.$(OBJEXT) \ + src/providers/krb5_child_test-data_provider_callbacks.$(OBJEXT) \ + src/util/krb5_child_test-become_user.$(OBJEXT) \ + $(am__objects_42) +krb5_child_test_OBJECTS = $(am_krb5_child_test_OBJECTS) +krb5_child_test_DEPENDENCIES = $(am__DEPENDENCIES_5) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) libsss_test_common.la +krb5_child_test_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(krb5_child_test_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__krb5_utils_tests_SOURCES_DIST = src/tests/krb5_utils-tests.c \ + src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_ccache.c \ + src/providers/krb5/krb5_common.c \ + src/providers/krb5/krb5_opts.c 
src/util/sss_krb5.c \ + src/util/sss_iobuf.c src/providers/data_provider_fo.c \ + src/providers/data_provider_opts.c \ + src/providers/data_provider_callbacks.c src/util/become_user.c \ + src/providers/fail_over.c src/providers/fail_over_srv.c \ + src/resolv/async_resolv.c src/resolv/async_resolv_utils.c +am__objects_43 = src/resolv/krb5_utils_tests-async_resolv.$(OBJEXT) \ + src/resolv/krb5_utils_tests-async_resolv_utils.$(OBJEXT) +am__objects_44 = src/providers/krb5_utils_tests-fail_over.$(OBJEXT) \ + src/providers/krb5_utils_tests-fail_over_srv.$(OBJEXT) \ + $(am__objects_43) +@HAVE_CHECK_TRUE@am_krb5_utils_tests_OBJECTS = src/tests/krb5_utils_tests-krb5_utils-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_utils_tests-krb5_utils.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_utils_tests-krb5_ccache.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_utils_tests-krb5_common.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_utils_tests-krb5_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/krb5_utils_tests-sss_krb5.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/krb5_utils_tests-sss_iobuf.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5_utils_tests-data_provider_fo.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5_utils_tests-data_provider_opts.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/providers/krb5_utils_tests-data_provider_callbacks.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/krb5_utils_tests-become_user.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ $(am__objects_44) +krb5_utils_tests_OBJECTS = $(am_krb5_utils_tests_OBJECTS) +@HAVE_CHECK_TRUE@krb5_utils_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +krb5_utils_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(krb5_utils_tests_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am_krb5_child_OBJECTS = \ + src/providers/krb5/krb5_child-krb5_child.$(OBJEXT) \ + src/providers/krb5/krb5_child-krb5_ccache.$(OBJEXT) \ + src/providers/krb5/krb5_child-krb5_keytab.$(OBJEXT) \ + src/providers/krb5_child-dp_pam_data_util.$(OBJEXT) \ + src/util/krb5_child-user_info_msg.$(OBJEXT) \ + src/util/krb5_child-sss_krb5.$(OBJEXT) \ + src/util/krb5_child-sss_iobuf.$(OBJEXT) \ + src/util/krb5_child-find_uid.$(OBJEXT) \ + src/util/krb5_child-atomic_io.$(OBJEXT) \ + src/util/krb5_child-authtok.$(OBJEXT) \ + src/util/krb5_child-authtok-utils.$(OBJEXT) \ + src/util/krb5_child-util.$(OBJEXT) \ + src/util/krb5_child-util_ext.$(OBJEXT) \ + src/util/krb5_child-signal.$(OBJEXT) \ + src/util/krb5_child-strtonum.$(OBJEXT) \ + src/util/krb5_child-become_user.$(OBJEXT) \ + src/util/krb5_child-util_errors.$(OBJEXT) \ + src/sss_client/krb5_child-common.$(OBJEXT) +krb5_child_OBJECTS = $(am_krb5_child_OBJECTS) +krb5_child_DEPENDENCIES = libsss_debug.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_6) \ + $(am__DEPENDENCIES_1) +krb5_child_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(krb5_child_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__krb5_common_test_SOURCES_DIST = \ + src/tests/cmocka/test_krb5_common.c +@HAVE_CMOCKA_TRUE@am_krb5_common_test_OBJECTS = src/tests/cmocka/krb5_common_test-test_krb5_common.$(OBJEXT) +krb5_common_test_OBJECTS = $(am_krb5_common_test_OBJECTS) +@HAVE_CMOCKA_TRUE@krb5_common_test_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_krb5_common.la \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +krb5_common_test_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(krb5_common_test_CFLAGS) 
$(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am_ldap_child_OBJECTS = \ + src/providers/ldap/ldap_child-ldap_child.$(OBJEXT) \ + src/providers/krb5/ldap_child-krb5_keytab.$(OBJEXT) \ + src/util/ldap_child-sss_krb5.$(OBJEXT) \ + src/util/ldap_child-sss_iobuf.$(OBJEXT) \ + src/util/ldap_child-atomic_io.$(OBJEXT) \ + src/util/ldap_child-authtok.$(OBJEXT) \ + src/util/ldap_child-authtok-utils.$(OBJEXT) \ + src/util/ldap_child-util.$(OBJEXT) \ + src/util/ldap_child-util_ext.$(OBJEXT) \ + src/util/ldap_child-signal.$(OBJEXT) \ + src/util/ldap_child-become_user.$(OBJEXT) +ldap_child_OBJECTS = $(am_ldap_child_OBJECTS) +ldap_child_DEPENDENCIES = libsss_debug.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) +ldap_child_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ldap_child_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__nestedgroups_tests_SOURCES_DIST = src/util/sss_sockets.c \ + src/util/sss_ldap.c src/providers/data_provider_opts.c \ + src/providers/ldap/ldap_opts.c \ + src/providers/ldap/ldap_options.c \ + src/providers/ldap/sdap_domain.c src/providers/ldap/sdap.c \ + src/providers/ldap/sdap_utils.c \ + src/providers/ldap/sdap_range.c \ + src/tests/cmocka/common_mock_sdap.c \ + src/tests/cmocka/common_mock_sysdb_objects.c \ + src/providers/ldap/sdap_idmap.c \ + src/tests/cmocka/test_nested_groups.c \ + src/tests/cmocka/common_mock_be.c \ + src/providers/ldap/sdap_async_nested_groups.c \ + src/providers/ldap/sdap_ad_groups.c src/providers/ipa/ipa_dn.c +@HAVE_CMOCKA_TRUE@am__objects_45 = src/util/nestedgroups_tests-sss_sockets.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/nestedgroups_tests-sss_ldap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/nestedgroups_tests-data_provider_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-ldap_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-ldap_options.$(OBJEXT) \ 
+@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap_domain.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap_range.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/nestedgroups_tests-common_mock_sdap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am_nestedgroups_tests_OBJECTS = $(am__objects_45) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap_idmap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/nestedgroups_tests-test_nested_groups.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/nestedgroups_tests-common_mock_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/nestedgroups_tests-sdap_ad_groups.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/nestedgroups_tests-ipa_dn.$(OBJEXT) +nestedgroups_tests_OBJECTS = $(am_nestedgroups_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@nestedgroups_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(am__append_62) +nestedgroups_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(nestedgroups_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__nss_srv_tests_SOURCES_DIST = src/tests/cmocka/common_mock_resp.c \ + src/tests/cmocka/common_mock_resp_dp.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_common.c \ + src/responder/common/data_provider/rdp_message.c \ + 
src/responder/common/data_provider/rdp_client.c \ + src/responder/common/responder_utils.c \ + src/util/session_recording.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + 
src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/tests/cmocka/test_nss_srv.c src/responder/nss/nss_cmd.c \ + src/responder/nss/nss_enum.c \ + src/responder/nss/nss_get_object.c \ + src/responder/nss/nss_protocol.c \ + src/responder/nss/nss_protocol_pwent.c \ + src/responder/nss/nss_protocol_grent.c \ + src/responder/nss/nss_protocol_netgr.c \ + src/responder/nss/nss_protocol_svcent.c \ + src/responder/nss/nss_protocol_sid.c \ + src/responder/nss/nss_utils.c \ + src/responder/nss/nsssrv_mmap_cache.c +am__objects_46 = src/responder/common/cache_req/nss_srv_tests-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/nss_srv_tests-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/nss_srv_tests-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/nss_srv_tests-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/nss_srv_tests-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_47 = src/responder/common/iface/nss_srv_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/nss_srv_tests-responder_domain.$(OBJEXT) \ + src/responder/common/iface/nss_srv_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/nss_srv_tests-responder_iface_generated.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am__objects_48 = src/tests/cmocka/nss_srv_tests-common_mock_resp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/nss_srv_tests-responder_packet.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/nss_srv_tests-responder_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/nss_srv_tests-negcache_files.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/nss_srv_tests-negcache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/nss_srv_tests-responder_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/nss_srv_tests-rdp_message.$(OBJEXT) \ 
+@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/nss_srv_tests-rdp_client.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/nss_srv_tests-responder_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/nss_srv_tests-session_recording.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__objects_46) $(am__objects_47) +@HAVE_CMOCKA_TRUE@am_nss_srv_tests_OBJECTS = $(am__objects_48) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/nss_srv_tests-test_nss_srv.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_enum.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_get_object.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_protocol.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_protocol_pwent.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_protocol_grent.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_protocol_netgr.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_protocol_svcent.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_protocol_sid.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nss_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.$(OBJEXT) +nss_srv_tests_OBJECTS = $(am_nss_srv_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@nss_srv_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_cert.la libsss_idmap.la +nss_srv_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(nss_srv_tests_CFLAGS) \ + $(CFLAGS) $(nss_srv_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__p11_child_SOURCES_DIST = src/p11_child/p11_child_common.c \ + src/util/atomic_io.c src/util/util.c src/util/util_ext.c \ + src/p11_child/p11_child_nss.c \ + 
src/p11_child/p11_child_openssl.c +@HAVE_NSS_TRUE@am__objects_49 = src/p11_child/p11_child-p11_child_nss.$(OBJEXT) +@HAVE_NSS_FALSE@am__objects_50 = src/p11_child/p11_child-p11_child_openssl.$(OBJEXT) +am_p11_child_OBJECTS = \ + src/p11_child/p11_child-p11_child_common.$(OBJEXT) \ + src/util/p11_child-atomic_io.$(OBJEXT) \ + src/util/p11_child-util.$(OBJEXT) \ + src/util/p11_child-util_ext.$(OBJEXT) $(am__objects_49) \ + $(am__objects_50) +p11_child_OBJECTS = $(am_p11_child_OBJECTS) +@HAVE_NSS_FALSE@am__DEPENDENCIES_17 = $(am__DEPENDENCIES_1) \ +@HAVE_NSS_FALSE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +p11_child_DEPENDENCIES = libsss_debug.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) libsss_crypt.la \ + $(am__DEPENDENCIES_9) $(am__DEPENDENCIES_17) +p11_child_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(p11_child_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__pam_srv_tests_SOURCES_DIST = src/tests/cmocka/common_mock_resp.c \ + src/tests/cmocka/common_mock_resp_dp.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_common.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/responder/common/responder_utils.c \ + src/util/session_recording.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + 
src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/tests/cmocka/test_pam_srv.c src/sss_client/pam_message.c \ + src/responder/pam/pamsrv_cmd.c src/responder/pam/pamsrv_p11.c \ + src/responder/pam/pam_helpers.c src/responder/pam/pamsrv_dp.c \ + src/responder/pam/pam_LOCAL_domain.c +am__objects_51 = src/responder/common/cache_req/pam_srv_tests-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/pam_srv_tests-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/pam_srv_tests-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/pam_srv_tests-cache_req_data.$(OBJEXT) \ + 
src/responder/common/cache_req/pam_srv_tests-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_52 = src/responder/common/iface/pam_srv_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/pam_srv_tests-responder_domain.$(OBJEXT) \ + src/responder/common/iface/pam_srv_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/pam_srv_tests-responder_iface_generated.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am__objects_53 = src/tests/cmocka/pam_srv_tests-common_mock_resp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/pam_srv_tests-responder_packet.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/pam_srv_tests-responder_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/pam_srv_tests-negcache_files.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/pam_srv_tests-negcache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/pam_srv_tests-responder_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/pam_srv_tests-rdp_message.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/pam_srv_tests-rdp_client.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/pam_srv_tests-responder_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/pam_srv_tests-session_recording.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__objects_51) $(am__objects_52) +@HAVE_CMOCKA_TRUE@am_pam_srv_tests_OBJECTS = $(am__objects_53) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/pam_srv_tests-test_pam_srv.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/sss_client/pam_srv_tests-pam_message.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_srv_tests-pamsrv_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_srv_tests-pamsrv_p11.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_srv_tests-pam_helpers.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_srv_tests-pamsrv_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_srv_tests-pam_LOCAL_domain.$(OBJEXT) +pam_srv_tests_OBJECTS = 
$(am_pam_srv_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@pam_srv_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_certmap.la +pam_srv_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(pam_srv_tests_CFLAGS) \ + $(CFLAGS) $(pam_srv_tests_LDFLAGS) $(LDFLAGS) -o $@ +am_proxy_child_OBJECTS = \ + src/providers/proxy/proxy_child-proxy_child.$(OBJEXT) \ + src/providers/proxy/proxy_child-proxy_iface_generated.$(OBJEXT) +proxy_child_OBJECTS = $(am_proxy_child_OBJECTS) +proxy_child_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ + $(am__DEPENDENCIES_2) +proxy_child_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(proxy_child_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__refcount_tests_SOURCES_DIST = src/tests/refcount-tests.c +@HAVE_CHECK_TRUE@am_refcount_tests_OBJECTS = src/tests/refcount_tests-refcount-tests.$(OBJEXT) +refcount_tests_OBJECTS = $(am_refcount_tests_OBJECTS) +@HAVE_CHECK_TRUE@refcount_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +refcount_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(refcount_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__resolv_tests_SOURCES_DIST = src/tests/resolv-tests.c \ + src/tests/common.c src/resolv/async_resolv.c \ + src/resolv/async_resolv_utils.c +am__objects_54 = src/resolv/resolv_tests-async_resolv.$(OBJEXT) \ + src/resolv/resolv_tests-async_resolv_utils.$(OBJEXT) +@HAVE_CHECK_TRUE@am__objects_55 = $(am__objects_54) +@HAVE_CHECK_TRUE@am_resolv_tests_OBJECTS = src/tests/resolv_tests-resolv-tests.$(OBJEXT) \ 
+@HAVE_CHECK_TRUE@ src/tests/resolv_tests-common.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ $(am__objects_55) +resolv_tests_OBJECTS = $(am_resolv_tests_OBJECTS) +@HAVE_CHECK_TRUE@resolv_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ libsss_debug.la libsss_test_common.la +resolv_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(resolv_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__responder_get_domains_tests_SOURCES_DIST = \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + 
src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/tests/cmocka/test_responder_common.c \ + src/tests/cmocka/common_mock_resp.c +am__objects_56 = src/responder/common/iface/responder_get_domains_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/responder_get_domains_tests-responder_domain.$(OBJEXT) \ + src/responder/common/iface/responder_get_domains_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.$(OBJEXT) +am__objects_57 = src/responder/common/cache_req/responder_get_domains_tests-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.$(OBJEXT) \ + 
src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_58 = src/responder/common/responder_get_domains_tests-negcache_files.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-negcache.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_cmd.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_common.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_dp.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_dp_ssh.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_packet.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_get_domains.$(OBJEXT) \ + src/responder/common/responder_get_domains_tests-responder_utils.$(OBJEXT) \ + src/responder/common/data_provider/responder_get_domains_tests-rdp_message.$(OBJEXT) \ + src/responder/common/data_provider/responder_get_domains_tests-rdp_client.$(OBJEXT) \ + src/monitor/responder_get_domains_tests-monitor_iface_generated.$(OBJEXT) \ + src/providers/responder_get_domains_tests-data_provider_req.$(OBJEXT) \ + src/util/responder_get_domains_tests-session_recording.$(OBJEXT) \ + $(am__objects_56) $(am__objects_57) +@HAVE_CMOCKA_TRUE@am_responder_get_domains_tests_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ $(am__objects_58) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/responder_get_domains_tests-test_responder_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/responder_get_domains_tests-common_mock_resp.$(OBJEXT) +responder_get_domains_tests_OBJECTS = \ + $(am_responder_get_domains_tests_OBJECTS) 
+@HAVE_CMOCKA_TRUE@responder_get_domains_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +responder_get_domains_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(responder_get_domains_tests_CFLAGS) $(CFLAGS) \ + $(responder_get_domains_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__responder_cache_req_tests_SOURCES_DIST = \ + src/tests/cmocka/common_mock_resp.c \ + src/tests/cmocka/common_mock_resp_dp.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_common.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/responder/common/responder_utils.c \ + src/util/session_recording.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + 
src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/tests/cmocka/test_responder_cache_req.c +am__objects_59 = src/responder/common/cache_req/responder_cache_req_tests-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_60 = src/responder/common/iface/responder_cache_req_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/responder_cache_req_tests-responder_domain.$(OBJEXT) \ + 
src/responder/common/iface/responder_cache_req_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am__objects_61 = src/tests/cmocka/responder_cache_req_tests-common_mock_resp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cache_req_tests-responder_packet.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cache_req_tests-responder_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cache_req_tests-negcache_files.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cache_req_tests-negcache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cache_req_tests-responder_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/responder_cache_req_tests-rdp_message.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/responder_cache_req_tests-rdp_client.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cache_req_tests-responder_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/responder_cache_req_tests-session_recording.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__objects_59) $(am__objects_60) +@HAVE_CMOCKA_TRUE@am_responder_cache_req_tests_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ $(am__objects_61) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.$(OBJEXT) +responder_cache_req_tests_OBJECTS = \ + $(am_responder_cache_req_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@responder_cache_req_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +responder_cache_req_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(responder_cache_req_tests_CFLAGS) $(CFLAGS) \ + 
$(responder_cache_req_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__responder_socket_access_tests_SOURCES_DIST = \ + src/tests/responder_socket_access-tests.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c +am__objects_62 = src/responder/common/iface/responder_socket_access_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/responder_socket_access_tests-responder_domain.$(OBJEXT) \ + src/responder/common/iface/responder_socket_access_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.$(OBJEXT) +@HAVE_CHECK_TRUE@am_responder_socket_access_tests_OBJECTS = src/tests/responder_socket_access_tests-responder_socket_access-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_socket_access_tests-negcache_files.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_socket_access_tests-negcache.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_socket_access_tests-responder_common.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_socket_access_tests-responder_packet.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_socket_access_tests-responder_cmd.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/responder/common/data_provider/responder_socket_access_tests-rdp_message.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ 
src/responder/common/data_provider/responder_socket_access_tests-rdp_client.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/responder_socket_access_tests-session_recording.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ $(am__objects_62) +responder_socket_access_tests_OBJECTS = \ + $(am_responder_socket_access_tests_OBJECTS) +@HAVE_CHECK_TRUE@responder_socket_access_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +responder_socket_access_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(responder_socket_access_tests_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__safe_format_tests_SOURCES_DIST = src/tests/safe-format-tests.c +@HAVE_CHECK_TRUE@am_safe_format_tests_OBJECTS = src/tests/safe_format_tests-safe-format-tests.$(OBJEXT) +safe_format_tests_OBJECTS = $(am_safe_format_tests_OBJECTS) +@HAVE_CHECK_TRUE@safe_format_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +safe_format_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(safe_format_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__sbus_internal_tests_SOURCES_DIST = \ + src/tests/cmocka/sbus_internal_tests.c \ + src/sbus/sssd_dbus_request.c +@HAVE_CMOCKA_TRUE@am_sbus_internal_tests_OBJECTS = src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/sbus/sbus_internal_tests-sssd_dbus_request.$(OBJEXT) +sbus_internal_tests_OBJECTS = $(am_sbus_internal_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@sbus_internal_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ libsss_util.la libsss_crypt.la \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la libsss_test_common.la 
+sbus_internal_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sbus_internal_tests_CFLAGS) $(CFLAGS) \ + $(sbus_internal_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__sbus_codegen_tests_SOURCES_DIST = src/tests/common_dbus.c \ + src/tests/sbus_codegen_tests.c \ + src/tests/sbus_codegen_tests_generated.c +@BUILD_DBUS_TESTS_TRUE@am_sbus_codegen_tests_OBJECTS = src/tests/sbus_codegen_tests-common_dbus.$(OBJEXT) \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/sbus_codegen_tests-sbus_codegen_tests.$(OBJEXT) \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.$(OBJEXT) +sbus_codegen_tests_OBJECTS = $(am_sbus_codegen_tests_OBJECTS) +@BUILD_DBUS_TESTS_TRUE@sbus_codegen_tests_DEPENDENCIES = \ +@BUILD_DBUS_TESTS_TRUE@ $(am__DEPENDENCIES_2) \ +@BUILD_DBUS_TESTS_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_DBUS_TESTS_TRUE@ $(am__DEPENDENCIES_1) +sbus_codegen_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sbus_codegen_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__sbus_tests_SOURCES_DIST = src/tests/common_dbus.c \ + src/tests/sbus_tests.c +@BUILD_DBUS_TESTS_TRUE@am_sbus_tests_OBJECTS = src/tests/sbus_tests-common_dbus.$(OBJEXT) \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/sbus_tests-sbus_tests.$(OBJEXT) +sbus_tests_OBJECTS = $(am_sbus_tests_OBJECTS) +@BUILD_DBUS_TESTS_TRUE@sbus_tests_DEPENDENCIES = \ +@BUILD_DBUS_TESTS_TRUE@ $(am__DEPENDENCIES_2) \ +@BUILD_DBUS_TESTS_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_DBUS_TESTS_TRUE@ $(am__DEPENDENCIES_1) +sbus_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sbus_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__sdap_tests_SOURCES_DIST = src/providers/data_provider_opts.c \ + src/providers/ldap/sdap_domain.c src/providers/ldap/sdap.c \ + src/providers/ldap/sdap_range.c src/providers/ldap/ldap_opts.c \ + src/providers/ipa/ipa_opts.c 
src/util/sss_sockets.c \ + src/util/sss_ldap.c src/tests/cmocka/test_sdap.c +@HAVE_CMOCKA_TRUE@am_sdap_tests_OBJECTS = src/providers/sdap_tests-data_provider_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_tests-sdap_domain.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_tests-sdap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_tests-sdap_range.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_tests-ldap_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/sdap_tests-ipa_opts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/sdap_tests-sss_sockets.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/sdap_tests-sss_ldap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/sdap_tests-test_sdap.$(OBJEXT) +sdap_tests_OBJECTS = $(am_sdap_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@sdap_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la +sdap_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sdap_tests_CFLAGS) \ + $(CFLAGS) $(sdap_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__selinux_child_SOURCES_DIST = src/providers/ipa/selinux_child.c \ + src/util/sss_semanage.c src/util/atomic_io.c src/util/util.c \ + src/util/util_ext.c src/util/util_errors.c +@BUILD_SEMANAGE_TRUE@am_selinux_child_OBJECTS = src/providers/ipa/selinux_child-selinux_child.$(OBJEXT) \ +@BUILD_SEMANAGE_TRUE@ src/util/selinux_child-sss_semanage.$(OBJEXT) \ +@BUILD_SEMANAGE_TRUE@ src/util/selinux_child-atomic_io.$(OBJEXT) \ +@BUILD_SEMANAGE_TRUE@ src/util/selinux_child-util.$(OBJEXT) \ +@BUILD_SEMANAGE_TRUE@ src/util/selinux_child-util_ext.$(OBJEXT) \ +@BUILD_SEMANAGE_TRUE@ src/util/selinux_child-util_errors.$(OBJEXT) +selinux_child_OBJECTS = $(am_selinux_child_OBJECTS) +@BUILD_SEMANAGE_TRUE@selinux_child_DEPENDENCIES = libsss_debug.la \ +@BUILD_SEMANAGE_TRUE@ 
$(am__DEPENDENCIES_1) \ +@BUILD_SEMANAGE_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_SEMANAGE_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_SEMANAGE_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_SEMANAGE_TRUE@ $(am__DEPENDENCIES_1) +selinux_child_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(selinux_child_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__simple_access_tests_SOURCES_DIST = \ + src/tests/cmocka/test_simple_access.c \ + src/tests/cmocka/common_mock_be.c \ + src/providers/simple/simple_access.c \ + src/providers/simple/simple_access_check.c +@HAVE_CMOCKA_TRUE@am_simple_access_tests_OBJECTS = src/tests/cmocka/simple_access_tests-test_simple_access.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/simple_access_tests-common_mock_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/simple/simple_access_tests-simple_access.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/simple/simple_access_tests-simple_access_check.$(OBJEXT) +simple_access_tests_OBJECTS = $(am_simple_access_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@simple_access_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +simple_access_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(simple_access_tests_CFLAGS) $(CFLAGS) \ + $(simple_access_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__ssh_srv_tests_SOURCES_DIST = src/tests/cmocka/common_mock_resp.c \ + src/tests/cmocka/common_mock_resp_dp.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_common.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/responder/common/responder_utils.c \ + src/util/session_recording.c \ 
+ src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/tests/cmocka/test_ssh_srv.c 
src/responder/ssh/ssh_cmd.c \ + src/responder/ssh/ssh_known_hosts.c \ + src/responder/ssh/ssh_protocol.c src/responder/ssh/ssh_reply.c \ + src/util/cert/cert_common_p11_child.c +am__objects_63 = src/responder/common/cache_req/ssh_srv_tests-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/ssh_srv_tests-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/ssh_srv_tests-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/ssh_srv_tests-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_64 = src/responder/common/iface/ssh_srv_tests-responder_iface.$(OBJEXT) \ + src/responder/common/iface/ssh_srv_tests-responder_domain.$(OBJEXT) \ + src/responder/common/iface/ssh_srv_tests-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/ssh_srv_tests-responder_iface_generated.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am__objects_65 = src/tests/cmocka/ssh_srv_tests-common_mock_resp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ssh_srv_tests-responder_packet.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ssh_srv_tests-responder_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ssh_srv_tests-negcache_files.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ssh_srv_tests-negcache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ssh_srv_tests-responder_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/ssh_srv_tests-rdp_message.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/ssh_srv_tests-rdp_client.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/common/ssh_srv_tests-responder_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/ssh_srv_tests-session_recording.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__objects_63) $(am__objects_64) +@HAVE_CMOCKA_TRUE@am_ssh_srv_tests_OBJECTS = $(am__objects_65) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/ssh_srv_tests-test_ssh_srv.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ 
src/responder/ssh/ssh_srv_tests-ssh_cmd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_srv_tests-ssh_known_hosts.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_srv_tests-ssh_protocol.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_srv_tests-ssh_reply.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/cert/ssh_srv_tests-cert_common_p11_child.$(OBJEXT) +ssh_srv_tests_OBJECTS = $(am_ssh_srv_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@ssh_srv_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la +ssh_srv_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(ssh_srv_tests_CFLAGS) \ + $(CFLAGS) $(ssh_srv_tests_LDFLAGS) $(LDFLAGS) -o $@ +am__objects_66 = src/tools/sss_cache-sss_sync_ops.$(OBJEXT) \ + src/tools/sss_cache-tools_util.$(OBJEXT) \ + src/tools/common/sss_cache-sss_tools.$(OBJEXT) \ + src/tools/common/sss_cache-sss_process.$(OBJEXT) \ + src/confdb/sss_cache-confdb_setup.$(OBJEXT) \ + src/util/sss_cache-nscd.$(OBJEXT) +am__objects_67 = src/sss_client/sss_cache-common.$(OBJEXT) \ + src/tools/sss_cache-tools_mc_util.$(OBJEXT) $(am__objects_66) +am_sss_cache_OBJECTS = src/tools/sss_cache-sss_cache.$(OBJEXT) \ + $(am__objects_67) +sss_cache_OBJECTS = $(am_sss_cache_OBJECTS) +am__DEPENDENCIES_18 = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_3) +sss_cache_DEPENDENCIES = $(am__DEPENDENCIES_18) $(am__DEPENDENCIES_2) \ + $(am__DEPENDENCIES_6) +sss_cache_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_cache_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__sss_certmap_test_SOURCES_DIST = src/tests/cmocka/test_certmap.c \ + src/lib/certmap/sss_certmap_attr_names.c 
+@HAVE_CMOCKA_TRUE@am_sss_certmap_test_OBJECTS = src/tests/cmocka/sss_certmap_test-test_certmap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.$(OBJEXT) +sss_certmap_test_OBJECTS = $(am_sss_certmap_test_OBJECTS) +@HAVE_CMOCKA_TRUE@sss_certmap_test_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_certmap.la +sss_certmap_test_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sss_certmap_test_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__objects_68 = src/tools/sss_sync_ops.$(OBJEXT) \ + src/tools/tools_util.$(OBJEXT) \ + src/tools/common/sss_tools.$(OBJEXT) \ + src/tools/common/sss_process.$(OBJEXT) \ + src/confdb/confdb_setup.$(OBJEXT) src/util/nscd.$(OBJEXT) +am_sss_groupadd_OBJECTS = src/tools/sss_groupadd.$(OBJEXT) \ + $(am__objects_68) +sss_groupadd_OBJECTS = $(am_sss_groupadd_OBJECTS) +sss_groupadd_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) +am__objects_69 = src/tools/sss_groupdel-sss_sync_ops.$(OBJEXT) \ + src/tools/sss_groupdel-tools_util.$(OBJEXT) \ + src/tools/common/sss_groupdel-sss_tools.$(OBJEXT) \ + src/tools/common/sss_groupdel-sss_process.$(OBJEXT) \ + src/confdb/sss_groupdel-confdb_setup.$(OBJEXT) \ + src/util/sss_groupdel-nscd.$(OBJEXT) +am__objects_70 = src/sss_client/sss_groupdel-common.$(OBJEXT) \ + src/tools/sss_groupdel-tools_mc_util.$(OBJEXT) \ + $(am__objects_69) +am_sss_groupdel_OBJECTS = \ + src/tools/sss_groupdel-sss_groupdel.$(OBJEXT) \ + $(am__objects_70) +sss_groupdel_OBJECTS = $(am_sss_groupdel_OBJECTS) +sss_groupdel_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_6) +sss_groupdel_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) 
$(sss_groupdel_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__objects_71 = src/tools/sss_groupmod-sss_sync_ops.$(OBJEXT) \ + src/tools/sss_groupmod-tools_util.$(OBJEXT) \ + src/tools/common/sss_groupmod-sss_tools.$(OBJEXT) \ + src/tools/common/sss_groupmod-sss_process.$(OBJEXT) \ + src/confdb/sss_groupmod-confdb_setup.$(OBJEXT) \ + src/util/sss_groupmod-nscd.$(OBJEXT) +am__objects_72 = src/sss_client/sss_groupmod-common.$(OBJEXT) \ + src/tools/sss_groupmod-tools_mc_util.$(OBJEXT) \ + $(am__objects_71) +am_sss_groupmod_OBJECTS = \ + src/tools/sss_groupmod-sss_groupmod.$(OBJEXT) \ + $(am__objects_72) +sss_groupmod_OBJECTS = $(am_sss_groupmod_OBJECTS) +sss_groupmod_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_6) +sss_groupmod_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_groupmod_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_sss_groupshow_OBJECTS = src/tools/sss_groupshow.$(OBJEXT) \ + $(am__objects_68) +sss_groupshow_OBJECTS = $(am_sss_groupshow_OBJECTS) +sss_groupshow_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) +am__sss_idmap_tests_SOURCES_DIST = src/tests/sss_idmap-tests.c +@HAVE_CHECK_TRUE@am_sss_idmap_tests_OBJECTS = src/tests/sss_idmap_tests-sss_idmap-tests.$(OBJEXT) +sss_idmap_tests_OBJECTS = $(am_sss_idmap_tests_OBJECTS) +@HAVE_CHECK_TRUE@sss_idmap_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la \ +@HAVE_CHECK_TRUE@ libsss_idmap.la +sss_idmap_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sss_idmap_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__sss_nss_idmap_tests_SOURCES_DIST = \ + src/tests/cmocka/sss_nss_idmap-tests.c +@HAVE_CMOCKA_TRUE@am_sss_nss_idmap_tests_OBJECTS = src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.$(OBJEXT) +sss_nss_idmap_tests_OBJECTS = 
$(am_sss_nss_idmap_tests_OBJECTS) +@HAVE_CMOCKA_TRUE@sss_nss_idmap_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_nss_idmap_tests.la +sss_nss_idmap_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sss_nss_idmap_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__objects_73 = src/tools/sss_override-sss_sync_ops.$(OBJEXT) \ + src/tools/sss_override-tools_util.$(OBJEXT) \ + src/tools/common/sss_override-sss_tools.$(OBJEXT) \ + src/tools/common/sss_override-sss_process.$(OBJEXT) \ + src/confdb/sss_override-confdb_setup.$(OBJEXT) \ + src/util/sss_override-nscd.$(OBJEXT) +am_sss_override_OBJECTS = \ + src/tools/sss_override-sss_override.$(OBJEXT) \ + src/tools/common/sss_override-sss_colondb.$(OBJEXT) \ + $(am__objects_73) +sss_override_OBJECTS = $(am_sss_override_OBJECTS) +sss_override_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) +sss_override_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_override_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_sss_seed_OBJECTS = src/tools/sss_seed.$(OBJEXT) $(am__objects_68) +sss_seed_OBJECTS = $(am_sss_seed_OBJECTS) +sss_seed_DEPENDENCIES = $(am__DEPENDENCIES_18) $(am__DEPENDENCIES_2) +am__sss_sifp_tests_SOURCES_DIST = src/tests/cmocka/test_sss_sifp.c \ + src/lib/sifp/sss_sifp_attrs.c src/lib/sifp/sss_sifp_common.c \ + src/lib/sifp/sss_sifp_parser.c src/lib/sifp/sss_sifp_utils.c \ + src/lib/sifp/sss_sifp_dbus.c src/lib/sifp/sss_sifp.c +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@am_sss_sifp_tests_OBJECTS = src/tests/cmocka/sss_sifp_tests-test_sss_sifp.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_tests-sss_sifp_common.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_tests-sss_sifp_parser.$(OBJEXT) \ 
+@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_tests-sss_sifp_utils.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.$(OBJEXT) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_tests-sss_sifp.$(OBJEXT) +sss_sifp_tests_OBJECTS = $(am_sss_sifp_tests_OBJECTS) +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@sss_sifp_tests_DEPENDENCIES = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) +sss_sifp_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sss_sifp_tests_CFLAGS) $(CFLAGS) $(sss_sifp_tests_LDFLAGS) \ + $(LDFLAGS) -o $@ +am_sss_signal_OBJECTS = src/tools/sss_signal.$(OBJEXT) \ + src/tools/common/sss_process.$(OBJEXT) +sss_signal_OBJECTS = $(am_sss_signal_OBJECTS) +sss_signal_DEPENDENCIES = libsss_debug.la +am__sss_ssh_authorizedkeys_SOURCES_DIST = src/sss_client/common.c \ + src/sss_client/ssh/sss_ssh_client.c \ + src/sss_client/ssh/sss_ssh_authorizedkeys.c +@BUILD_SSH_TRUE@am_sss_ssh_authorizedkeys_OBJECTS = src/sss_client/sss_ssh_authorizedkeys-common.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.$(OBJEXT) +sss_ssh_authorizedkeys_OBJECTS = $(am_sss_ssh_authorizedkeys_OBJECTS) +@BUILD_SSH_TRUE@sss_ssh_authorizedkeys_DEPENDENCIES = \ +@BUILD_SSH_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_6) \ +@BUILD_SSH_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +sss_ssh_authorizedkeys_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) 
$(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__sss_ssh_knownhostsproxy_SOURCES_DIST = src/sss_client/common.c \ + src/sss_client/ssh/sss_ssh_client.c \ + src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@BUILD_SSH_TRUE@am_sss_ssh_knownhostsproxy_OBJECTS = src/sss_client/sss_ssh_knownhostsproxy-common.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.$(OBJEXT) +sss_ssh_knownhostsproxy_OBJECTS = \ + $(am_sss_ssh_knownhostsproxy_OBJECTS) +@BUILD_SSH_TRUE@sss_ssh_knownhostsproxy_DEPENDENCIES = \ +@BUILD_SSH_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_6) \ +@BUILD_SSH_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +sss_ssh_knownhostsproxy_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__sss_sudo_cli_SOURCES_DIST = src/sss_client/common.c \ + src/sss_client/sudo/sss_sudo.c \ + src/sss_client/sudo/sss_sudo_response.c \ + src/sss_client/sudo_testcli/sudo_testcli.c +@BUILD_SUDO_TRUE@am_sss_sudo_cli_OBJECTS = \ +@BUILD_SUDO_TRUE@ src/sss_client/sss_sudo_cli-common.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo_cli-sss_sudo.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.$(OBJEXT) +sss_sudo_cli_OBJECTS = $(am_sss_sudo_cli_OBJECTS) +@BUILD_SUDO_TRUE@sss_sudo_cli_DEPENDENCIES = $(am__DEPENDENCIES_6) +sss_sudo_cli_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_sudo_cli_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_sss_useradd_OBJECTS = src/tools/sss_useradd.$(OBJEXT) \ + $(am__objects_68) +sss_useradd_OBJECTS = $(am_sss_useradd_OBJECTS) +sss_useradd_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) 
libsss_semanage.la +am__objects_74 = src/tools/sss_userdel-sss_sync_ops.$(OBJEXT) \ + src/tools/sss_userdel-tools_util.$(OBJEXT) \ + src/tools/common/sss_userdel-sss_tools.$(OBJEXT) \ + src/tools/common/sss_userdel-sss_process.$(OBJEXT) \ + src/confdb/sss_userdel-confdb_setup.$(OBJEXT) \ + src/util/sss_userdel-nscd.$(OBJEXT) +am__objects_75 = src/sss_client/sss_userdel-common.$(OBJEXT) \ + src/tools/sss_userdel-tools_mc_util.$(OBJEXT) \ + $(am__objects_74) +am_sss_userdel_OBJECTS = src/tools/sss_userdel-sss_userdel.$(OBJEXT) \ + $(am__objects_75) +sss_userdel_OBJECTS = $(am_sss_userdel_OBJECTS) +sss_userdel_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_6) libsss_semanage.la +sss_userdel_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_userdel_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__objects_76 = src/tools/sss_usermod-sss_sync_ops.$(OBJEXT) \ + src/tools/sss_usermod-tools_util.$(OBJEXT) \ + src/tools/common/sss_usermod-sss_tools.$(OBJEXT) \ + src/tools/common/sss_usermod-sss_process.$(OBJEXT) \ + src/confdb/sss_usermod-confdb_setup.$(OBJEXT) \ + src/util/sss_usermod-nscd.$(OBJEXT) +am__objects_77 = src/sss_client/sss_usermod-common.$(OBJEXT) \ + src/tools/sss_usermod-tools_mc_util.$(OBJEXT) \ + $(am__objects_76) +am_sss_usermod_OBJECTS = src/tools/sss_usermod-sss_usermod.$(OBJEXT) \ + $(am__objects_77) +sss_usermod_OBJECTS = $(am_sss_usermod_OBJECTS) +sss_usermod_DEPENDENCIES = $(am__DEPENDENCIES_18) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_6) libsss_semanage.la +sss_usermod_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sss_usermod_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__objects_78 = src/tools/sssctl-sss_sync_ops.$(OBJEXT) \ + src/tools/sssctl-tools_util.$(OBJEXT) \ + src/tools/common/sssctl-sss_tools.$(OBJEXT) \ + src/tools/common/sssctl-sss_process.$(OBJEXT) \ + 
src/confdb/sssctl-confdb_setup.$(OBJEXT) \ + src/util/sssctl-nscd.$(OBJEXT) +am_sssctl_OBJECTS = src/tools/sssctl/sssctl-sssctl.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_systemd.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_cache.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_data.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_logs.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_domains.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_sifp.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_config.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_user_checks.$(OBJEXT) \ + src/tools/sssctl/sssctl-sssctl_access_report.$(OBJEXT) \ + $(am__objects_78) +sssctl_OBJECTS = $(am_sssctl_OBJECTS) +sssctl_DEPENDENCIES = $(am__DEPENDENCIES_18) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + libsss_simpleifp.la +sssctl_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sssctl_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_sssd_OBJECTS = src/monitor/monitor.$(OBJEXT) \ + src/monitor/monitor_netlink.$(OBJEXT) \ + src/confdb/confdb_setup.$(OBJEXT) \ + src/monitor/monitor_iface_generated.$(OBJEXT) \ + src/util/nscd.$(OBJEXT) src/util/inotify.$(OBJEXT) +sssd_OBJECTS = $(am_sssd_OBJECTS) +sssd_DEPENDENCIES = $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +am__sssd_autofs_SOURCES_DIST = src/responder/autofs/autofssrv.c \ + src/responder/autofs/autofssrv_cmd.c \ + src/responder/autofs/autofssrv_dp.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + 
src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + 
src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c +am__objects_79 = src/responder/common/iface/responder_iface.$(OBJEXT) \ + src/responder/common/iface/responder_domain.$(OBJEXT) \ + src/responder/common/iface/responder_ncache.$(OBJEXT) \ + src/responder/common/iface/responder_iface_generated.$(OBJEXT) +am__objects_80 = src/responder/common/cache_req/cache_req.$(OBJEXT) \ + src/responder/common/cache_req/cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.$(OBJEXT) +am__objects_81 = src/responder/common/negcache_files.$(OBJEXT) \ + src/responder/common/negcache.$(OBJEXT) \ + src/responder/common/responder_cmd.$(OBJEXT) \ + src/responder/common/responder_common.$(OBJEXT) \ + src/responder/common/responder_dp.$(OBJEXT) \ + src/responder/common/responder_dp_ssh.$(OBJEXT) \ + src/responder/common/responder_packet.$(OBJEXT) \ + src/responder/common/responder_get_domains.$(OBJEXT) \ + src/responder/common/responder_utils.$(OBJEXT) \ + src/responder/common/data_provider/rdp_message.$(OBJEXT) \ + src/responder/common/data_provider/rdp_client.$(OBJEXT) \ + src/monitor/monitor_iface_generated.$(OBJEXT) \ + src/providers/data_provider_req.$(OBJEXT) \ + src/util/session_recording.$(OBJEXT) $(am__objects_79) \ + $(am__objects_80) +@BUILD_AUTOFS_TRUE@am_sssd_autofs_OBJECTS = \ +@BUILD_AUTOFS_TRUE@ src/responder/autofs/autofssrv.$(OBJEXT) \ +@BUILD_AUTOFS_TRUE@ src/responder/autofs/autofssrv_cmd.$(OBJEXT) \ +@BUILD_AUTOFS_TRUE@ src/responder/autofs/autofssrv_dp.$(OBJEXT) \ +@BUILD_AUTOFS_TRUE@ $(am__objects_81) +sssd_autofs_OBJECTS = $(am_sssd_autofs_OBJECTS) +@BUILD_AUTOFS_TRUE@sssd_autofs_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@BUILD_AUTOFS_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +am__objects_82 = src/resolv/async_resolv.$(OBJEXT) \ + src/resolv/async_resolv_utils.$(OBJEXT) +am__objects_83 = src/providers/fail_over.$(OBJEXT) \ + src/providers/fail_over_srv.$(OBJEXT) $(am__objects_82) +am_sssd_be_OBJECTS = src/providers/data_provider_be.$(OBJEXT) \ + 
src/providers/data_provider_req.$(OBJEXT) \ + src/providers/data_provider_fo.$(OBJEXT) \ + src/providers/data_provider_opts.$(OBJEXT) \ + src/providers/data_provider_callbacks.$(OBJEXT) \ + src/providers/be_dyndns.$(OBJEXT) \ + src/providers/be_ptask.$(OBJEXT) \ + src/providers/be_refresh.$(OBJEXT) \ + src/monitor/monitor_iface_generated.$(OBJEXT) \ + src/providers/data_provider/dp.$(OBJEXT) \ + src/providers/data_provider/dp_modules.$(OBJEXT) \ + src/providers/data_provider/dp_targets.$(OBJEXT) \ + src/providers/data_provider/dp_methods.$(OBJEXT) \ + src/providers/data_provider/dp_builtin.$(OBJEXT) \ + src/providers/data_provider/dp_iface.$(OBJEXT) \ + src/providers/data_provider/dp_iface_backend.$(OBJEXT) \ + src/providers/data_provider/dp_iface_failover.$(OBJEXT) \ + src/providers/data_provider/dp_client.$(OBJEXT) \ + src/providers/data_provider/dp_resp_client.$(OBJEXT) \ + src/providers/data_provider/dp_iface_generated.$(OBJEXT) \ + src/providers/data_provider/dp_request.$(OBJEXT) \ + src/providers/data_provider/dp_request_reply.$(OBJEXT) \ + src/providers/data_provider/dp_request_table.$(OBJEXT) \ + src/providers/data_provider/dp_reply_std.$(OBJEXT) \ + src/providers/data_provider/dp_target_sudo.$(OBJEXT) \ + src/providers/data_provider/dp_target_hostid.$(OBJEXT) \ + src/providers/data_provider/dp_target_autofs.$(OBJEXT) \ + src/providers/data_provider/dp_target_subdomains.$(OBJEXT) \ + src/providers/data_provider/dp_target_id.$(OBJEXT) \ + src/providers/data_provider/dp_target_auth.$(OBJEXT) \ + src/util/session_recording.$(OBJEXT) $(am__objects_83) +sssd_be_OBJECTS = $(am_sssd_be_OBJECTS) +sssd_be_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) $(am__append_48) +sssd_be_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(sssd_be_LDFLAGS) $(LDFLAGS) -o $@ 
+am__sssd_check_socket_activated_responders_SOURCES_DIST = \ + src/tools/sssd_check_socket_activated_responders.c +@HAVE_SYSTEMD_UNIT_TRUE@am_sssd_check_socket_activated_responders_OBJECTS = src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.$(OBJEXT) +sssd_check_socket_activated_responders_OBJECTS = \ + $(am_sssd_check_socket_activated_responders_OBJECTS) +@HAVE_SYSTEMD_UNIT_TRUE@sssd_check_socket_activated_responders_DEPENDENCIES = \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(am__DEPENDENCIES_2) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(am__DEPENDENCIES_1) +sssd_check_socket_activated_responders_LINK = $(LIBTOOL) $(AM_V_lt) \ + --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \ + $(CCLD) $(sssd_check_socket_activated_responders_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__sssd_ifp_SOURCES_DIST = src/responder/ifp/ifpsrv.c \ + src/responder/ifp/ifpsrv_cmd.c \ + src/responder/ifp/ifp_iface_generated.c \ + src/responder/ifp/ifp_iface.c \ + src/responder/ifp/ifp_iface_nodes.c \ + src/responder/ifp/ifpsrv_util.c \ + src/responder/ifp/ifp_domains.c \ + src/responder/ifp/ifp_components.c \ + src/responder/ifp/ifp_users.c src/responder/ifp/ifp_groups.c \ + src/responder/ifp/ifp_cache.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + 
src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c +am__objects_84 = \ + 
src/responder/common/iface/sssd_ifp-responder_iface.$(OBJEXT) \ + src/responder/common/iface/sssd_ifp-responder_domain.$(OBJEXT) \ + src/responder/common/iface/sssd_ifp-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/sssd_ifp-responder_iface_generated.$(OBJEXT) +am__objects_85 = \ + src/responder/common/cache_req/sssd_ifp-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/sssd_ifp-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/sssd_ifp-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/sssd_ifp-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/sssd_ifp-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.$(OBJEXT) +am__objects_86 = \ + src/responder/common/sssd_ifp-negcache_files.$(OBJEXT) \ + src/responder/common/sssd_ifp-negcache.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_cmd.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_common.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_dp.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_dp_ssh.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_packet.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_get_domains.$(OBJEXT) \ + src/responder/common/sssd_ifp-responder_utils.$(OBJEXT) \ + src/responder/common/data_provider/sssd_ifp-rdp_message.$(OBJEXT) \ + src/responder/common/data_provider/sssd_ifp-rdp_client.$(OBJEXT) \ + src/monitor/sssd_ifp-monitor_iface_generated.$(OBJEXT) \ + src/providers/sssd_ifp-data_provider_req.$(OBJEXT) \ + src/util/sssd_ifp-session_recording.$(OBJEXT) \ + $(am__objects_84) $(am__objects_85) +@BUILD_IFP_TRUE@am_sssd_ifp_OBJECTS = \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifpsrv.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifpsrv_cmd.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_iface_generated.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_iface.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_iface_nodes.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifpsrv_util.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_domains.$(OBJEXT) \ +@BUILD_IFP_TRUE@ 
src/responder/ifp/sssd_ifp-ifp_components.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_users.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_groups.$(OBJEXT) \ +@BUILD_IFP_TRUE@ src/responder/ifp/sssd_ifp-ifp_cache.$(OBJEXT) \ +@BUILD_IFP_TRUE@ $(am__objects_86) +sssd_ifp_OBJECTS = $(am_sssd_ifp_OBJECTS) +@BUILD_IFP_TRUE@sssd_ifp_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@BUILD_IFP_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@BUILD_IFP_TRUE@ libsss_cert.la +sssd_ifp_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sssd_ifp_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__sssd_kcm_SOURCES_DIST = src/responder/kcm/kcm.c \ + src/responder/kcm/kcmsrv_cmd.c \ + src/responder/kcm/kcmsrv_ccache.c \ + src/responder/kcm/kcmsrv_ccache_mem.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache_secrets.c \ + src/responder/kcm/kcmsrv_ops.c \ + src/responder/kcm/kcmsrv_op_queue.c src/util/sss_sockets.c \ + src/util/sss_krb5.c src/util/sss_iobuf.c src/util/tev_curl.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + 
src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c +am__objects_87 = \ + src/responder/common/iface/sssd_kcm-responder_iface.$(OBJEXT) \ + src/responder/common/iface/sssd_kcm-responder_domain.$(OBJEXT) \ + src/responder/common/iface/sssd_kcm-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/sssd_kcm-responder_iface_generated.$(OBJEXT) +am__objects_88 = \ + 
src/responder/common/cache_req/sssd_kcm-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/sssd_kcm-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/sssd_kcm-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/sssd_kcm-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/sssd_kcm-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.$(OBJEXT) +am__objects_89 = \ + src/responder/common/sssd_kcm-negcache_files.$(OBJEXT) \ + src/responder/common/sssd_kcm-negcache.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_cmd.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_common.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_dp.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_dp_ssh.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_packet.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_get_domains.$(OBJEXT) \ + src/responder/common/sssd_kcm-responder_utils.$(OBJEXT) \ + src/responder/common/data_provider/sssd_kcm-rdp_message.$(OBJEXT) \ + src/responder/common/data_provider/sssd_kcm-rdp_client.$(OBJEXT) \ + src/monitor/sssd_kcm-monitor_iface_generated.$(OBJEXT) \ + src/providers/sssd_kcm-data_provider_req.$(OBJEXT) \ + src/util/sssd_kcm-session_recording.$(OBJEXT) \ + $(am__objects_87) $(am__objects_88) +@BUILD_KCM_TRUE@am_sssd_kcm_OBJECTS = \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcm.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_cmd.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_ccache.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_ops.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/responder/kcm/sssd_kcm-kcmsrv_op_queue.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/util/sssd_kcm-sss_sockets.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/util/sssd_kcm-sss_krb5.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/util/sssd_kcm-sss_iobuf.$(OBJEXT) \ +@BUILD_KCM_TRUE@ src/util/sssd_kcm-tev_curl.$(OBJEXT) \ 
+@BUILD_KCM_TRUE@ $(am__objects_89) +sssd_kcm_OBJECTS = $(am_sssd_kcm_OBJECTS) +@BUILD_KCM_TRUE@sssd_kcm_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +sssd_kcm_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sssd_kcm_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_sssd_nss_OBJECTS = src/responder/nss/nsssrv.$(OBJEXT) \ + src/responder/nss/nss_cmd.$(OBJEXT) \ + src/responder/nss/nss_enum.$(OBJEXT) \ + src/responder/nss/nss_get_object.$(OBJEXT) \ + src/responder/nss/nss_protocol.$(OBJEXT) \ + src/responder/nss/nss_protocol_pwent.$(OBJEXT) \ + src/responder/nss/nss_protocol_grent.$(OBJEXT) \ + src/responder/nss/nss_protocol_netgr.$(OBJEXT) \ + src/responder/nss/nss_protocol_svcent.$(OBJEXT) \ + src/responder/nss/nss_protocol_sid.$(OBJEXT) \ + src/responder/nss/nss_utils.$(OBJEXT) \ + src/responder/nss/nss_iface_generated.$(OBJEXT) \ + src/responder/nss/nss_iface.$(OBJEXT) \ + src/responder/nss/nsssrv_mmap_cache.$(OBJEXT) \ + $(am__objects_81) +sssd_nss_OBJECTS = $(am_sssd_nss_OBJECTS) +sssd_nss_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ + libsss_idmap.la libsss_cert.la $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) +am__objects_90 = \ + src/responder/common/iface/sssd_pac-responder_iface.$(OBJEXT) \ + src/responder/common/iface/sssd_pac-responder_domain.$(OBJEXT) \ + src/responder/common/iface/sssd_pac-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/sssd_pac-responder_iface_generated.$(OBJEXT) +am__objects_91 = \ + src/responder/common/cache_req/sssd_pac-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/sssd_pac-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/sssd_pac-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/sssd_pac-cache_req_data.$(OBJEXT) \ + 
src/responder/common/cache_req/sssd_pac-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.$(OBJEXT) +am__objects_92 = \ + 
src/responder/common/sssd_pac-negcache_files.$(OBJEXT) \ + src/responder/common/sssd_pac-negcache.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_cmd.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_common.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_dp.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_dp_ssh.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_packet.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_get_domains.$(OBJEXT) \ + src/responder/common/sssd_pac-responder_utils.$(OBJEXT) \ + src/responder/common/data_provider/sssd_pac-rdp_message.$(OBJEXT) \ + src/responder/common/data_provider/sssd_pac-rdp_client.$(OBJEXT) \ + src/monitor/sssd_pac-monitor_iface_generated.$(OBJEXT) \ + src/providers/sssd_pac-data_provider_req.$(OBJEXT) \ + src/util/sssd_pac-session_recording.$(OBJEXT) \ + $(am__objects_90) $(am__objects_91) +am_sssd_pac_OBJECTS = src/responder/pac/sssd_pac-pacsrv.$(OBJEXT) \ + src/responder/pac/sssd_pac-pacsrv_cmd.$(OBJEXT) \ + src/providers/ad/sssd_pac-ad_pac_common.$(OBJEXT) \ + $(am__objects_92) +sssd_pac_OBJECTS = $(am_sssd_pac_OBJECTS) +sssd_pac_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) libsss_idmap.la \ + $(am__DEPENDENCIES_2) +sssd_pac_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sssd_pac_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_sssd_pac_test_client_OBJECTS = src/sss_client/sssd_pac_test_client-sss_pac_responder_client.$(OBJEXT) \ + src/sss_client/sssd_pac_test_client-common.$(OBJEXT) \ + src/util/sssd_pac_test_client-strtonum.$(OBJEXT) +sssd_pac_test_client_OBJECTS = $(am_sssd_pac_test_client_OBJECTS) +sssd_pac_test_client_DEPENDENCIES = $(am__DEPENDENCIES_6) +sssd_pac_test_client_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sssd_pac_test_client_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ 
+am_sssd_pam_OBJECTS = src/responder/pam/pam_LOCAL_domain.$(OBJEXT) \ + src/responder/pam/pamsrv.$(OBJEXT) \ + src/responder/pam/pamsrv_cmd.$(OBJEXT) \ + src/responder/pam/pamsrv_p11.$(OBJEXT) \ + src/responder/pam/pamsrv_dp.$(OBJEXT) \ + src/responder/pam/pam_helpers.$(OBJEXT) $(am__objects_81) +sssd_pam_OBJECTS = $(am_sssd_pam_OBJECTS) +sssd_pam_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) libsss_certmap.la $(am__DEPENDENCIES_2) +am__sssd_secrets_SOURCES_DIST = src/responder/secrets/secsrv.c \ + src/responder/secrets/secsrv_cmd.c \ + src/responder/secrets/providers.c \ + src/responder/secrets/local.c src/responder/secrets/proxy.c \ + src/util/sss_sockets.c src/util/sss_iobuf.c \ + src/util/tev_curl.c src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + 
src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@BUILD_SECRETS_TRUE@am_sssd_secrets_OBJECTS = \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/secsrv.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/secsrv_cmd.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/providers.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/local.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/proxy.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/util/sss_sockets.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/util/sss_iobuf.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ src/util/tev_curl.$(OBJEXT) \ +@BUILD_SECRETS_TRUE@ $(am__objects_81) +sssd_secrets_OBJECTS = $(am_sssd_secrets_OBJECTS) 
+@BUILD_SECRETS_TRUE@sssd_secrets_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@BUILD_SECRETS_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_SECRETS_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_SECRETS_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_SECRETS_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_SECRETS_TRUE@ $(am__DEPENDENCIES_2) \ +@BUILD_SECRETS_TRUE@ $(am__DEPENDENCIES_1) +am__sssd_ssh_SOURCES_DIST = src/responder/ssh/sshsrv.c \ + src/responder/ssh/ssh_cmd.c \ + src/responder/ssh/ssh_known_hosts.c \ + src/responder/ssh/ssh_protocol.c src/responder/ssh/ssh_reply.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + 
src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@BUILD_SSH_TRUE@am_sssd_ssh_OBJECTS = \ +@BUILD_SSH_TRUE@ src/responder/ssh/sshsrv.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_cmd.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_known_hosts.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_protocol.$(OBJEXT) \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_reply.$(OBJEXT) \ +@BUILD_SSH_TRUE@ $(am__objects_81) +sssd_ssh_OBJECTS = $(am_sssd_ssh_OBJECTS) +@BUILD_SSH_TRUE@sssd_ssh_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@BUILD_SSH_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@BUILD_SSH_TRUE@ libsss_cert.la +am__sssd_sudo_SOURCES_DIST = src/responder/sudo/sudosrv.c \ + src/responder/sudo/sudosrv_cmd.c \ + src/responder/sudo/sudosrv_get_sudorules.c \ + src/responder/sudo/sudosrv_query.c \ + src/responder/sudo/sudosrv_dp.c \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + 
src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + 
src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@BUILD_SUDO_TRUE@am_sssd_sudo_OBJECTS = \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_cmd.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_get_sudorules.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_query.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_dp.$(OBJEXT) \ +@BUILD_SUDO_TRUE@ $(am__objects_81) +sssd_sudo_OBJECTS = $(am_sssd_sudo_OBJECTS) +@BUILD_SUDO_TRUE@sssd_sudo_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@BUILD_SUDO_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) +am_stress_tests_OBJECTS = src/tests/stress-tests.$(OBJEXT) +stress_tests_OBJECTS = $(am_stress_tests_OBJECTS) +stress_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ + libsss_test_common.la +am__strtonum_tests_SOURCES_DIST = src/tests/strtonum-tests.c \ + src/util/strtonum.c +@HAVE_CHECK_TRUE@am_strtonum_tests_OBJECTS = src/tests/strtonum_tests-strtonum-tests.$(OBJEXT) \ +@HAVE_CHECK_TRUE@ src/util/strtonum_tests-strtonum.$(OBJEXT) +strtonum_tests_OBJECTS = $(am_strtonum_tests_OBJECTS) +@HAVE_CHECK_TRUE@strtonum_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) libsss_debug.la \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +strtonum_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(strtonum_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__sysdb_tests_SOURCES_DIST = src/tests/sysdb-tests.c +@HAVE_CHECK_TRUE@am_sysdb_tests_OBJECTS = \ 
+@HAVE_CHECK_TRUE@ src/tests/sysdb_tests-sysdb-tests.$(OBJEXT) +sysdb_tests_OBJECTS = $(am_sysdb_tests_OBJECTS) +@HAVE_CHECK_TRUE@sysdb_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +sysdb_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(sysdb_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__sysdb_ssh_tests_SOURCES_DIST = src/tests/sysdb_ssh-tests.c +@HAVE_CHECK_TRUE@am_sysdb_ssh_tests_OBJECTS = src/tests/sysdb_ssh_tests-sysdb_ssh-tests.$(OBJEXT) +sysdb_ssh_tests_OBJECTS = $(am_sysdb_ssh_tests_OBJECTS) +@HAVE_CHECK_TRUE@sysdb_ssh_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +sysdb_ssh_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(sysdb_ssh_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__tcurl_test_tool_SOURCES_DIST = src/tests/tcurl_test_tool.c \ + src/util/tev_curl.c src/util/sss_iobuf.c +@BUILD_WITH_LIBCURL_TRUE@am_tcurl_test_tool_OBJECTS = src/tests/tcurl_test_tool-tcurl_test_tool.$(OBJEXT) \ +@BUILD_WITH_LIBCURL_TRUE@ src/util/tcurl_test_tool-tev_curl.$(OBJEXT) \ +@BUILD_WITH_LIBCURL_TRUE@ src/util/tcurl_test_tool-sss_iobuf.$(OBJEXT) +tcurl_test_tool_OBJECTS = $(am_tcurl_test_tool_OBJECTS) +@BUILD_WITH_LIBCURL_TRUE@tcurl_test_tool_DEPENDENCIES = \ +@BUILD_WITH_LIBCURL_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_WITH_LIBCURL_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_WITH_LIBCURL_TRUE@ $(am__DEPENDENCIES_2) +tcurl_test_tool_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(tcurl_test_tool_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_authtok_SOURCES_DIST = src/tests/cmocka/test_authtok.c \ + src/util/authtok.c src/util/authtok-utils.c src/util/util.c 
\ + src/util/util_ext.c +@HAVE_CMOCKA_TRUE@am_test_authtok_OBJECTS = src/tests/cmocka/test_authtok-test_authtok.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_authtok-authtok.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_authtok-authtok-utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_authtok-util.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_authtok-util_ext.$(OBJEXT) +test_authtok_OBJECTS = $(am_test_authtok_OBJECTS) +@HAVE_CMOCKA_TRUE@test_authtok_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la +test_authtok_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_authtok_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_find_uid_SOURCES_DIST = src/tests/cmocka/test_find_uid.c \ + src/util/find_uid.c src/util/atomic_io.c src/util/strtonum.c +@HAVE_CMOCKA_TRUE@am_test_find_uid_OBJECTS = src/tests/cmocka/test_find_uid-test_find_uid.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_find_uid-find_uid.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_find_uid-atomic_io.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_find_uid-strtonum.$(OBJEXT) +test_find_uid_OBJECTS = $(am_test_find_uid_OBJECTS) +@HAVE_CMOCKA_TRUE@test_find_uid_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_debug.la +test_find_uid_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_find_uid_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_io_SOURCES_DIST = src/tests/cmocka/test_io.c src/util/io.c \ + src/tests/common.c +@HAVE_CMOCKA_TRUE@am_test_io_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_io-test_io.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_io-io.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ 
src/tests/test_io-common.$(OBJEXT) +test_io_OBJECTS = $(am_test_io_OBJECTS) +@HAVE_CMOCKA_TRUE@test_io_DEPENDENCIES = $(am__DEPENDENCIES_1) +test_io_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_io_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_negcache_SOURCES_DIST = \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c src/util/session_recording.c \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ 
+ src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + src/tests/cmocka/common_mock_resp.c \ + src/tests/cmocka/test_negcache.c +am__objects_93 = src/responder/common/iface/test_negcache-responder_iface.$(OBJEXT) \ + src/responder/common/iface/test_negcache-responder_domain.$(OBJEXT) \ + src/responder/common/iface/test_negcache-responder_ncache.$(OBJEXT) \ + src/responder/common/iface/test_negcache-responder_iface_generated.$(OBJEXT) +am__objects_94 = src/responder/common/cache_req/test_negcache-cache_req.$(OBJEXT) \ + src/responder/common/cache_req/test_negcache-cache_req_result.$(OBJEXT) \ + src/responder/common/cache_req/test_negcache-cache_req_search.$(OBJEXT) \ + src/responder/common/cache_req/test_negcache-cache_req_data.$(OBJEXT) \ + src/responder/common/cache_req/test_negcache-cache_req_domain.$(OBJEXT) \ + src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_common.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.$(OBJEXT) \ + 
src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.$(OBJEXT) \ + src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.$(OBJEXT) +am__objects_95 = \ + src/responder/common/test_negcache-negcache_files.$(OBJEXT) \ + src/responder/common/test_negcache-negcache.$(OBJEXT) \ + src/responder/common/test_negcache-responder_cmd.$(OBJEXT) \ + src/responder/common/test_negcache-responder_common.$(OBJEXT) \ + 
src/responder/common/test_negcache-responder_dp.$(OBJEXT) \ + src/responder/common/test_negcache-responder_dp_ssh.$(OBJEXT) \ + src/responder/common/test_negcache-responder_packet.$(OBJEXT) \ + src/responder/common/test_negcache-responder_get_domains.$(OBJEXT) \ + src/responder/common/test_negcache-responder_utils.$(OBJEXT) \ + src/responder/common/data_provider/test_negcache-rdp_message.$(OBJEXT) \ + src/responder/common/data_provider/test_negcache-rdp_client.$(OBJEXT) \ + src/monitor/test_negcache-monitor_iface_generated.$(OBJEXT) \ + src/providers/test_negcache-data_provider_req.$(OBJEXT) \ + src/util/test_negcache-session_recording.$(OBJEXT) \ + $(am__objects_93) $(am__objects_94) +@HAVE_CMOCKA_TRUE@am_test_negcache_OBJECTS = $(am__objects_95) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_negcache-common_mock_resp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_negcache-test_negcache.$(OBJEXT) +test_negcache_OBJECTS = $(am_test_negcache_OBJECTS) +@HAVE_CMOCKA_TRUE@test_negcache_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la +test_negcache_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_negcache_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_ad_subdom_SOURCES_DIST = \ + src/tests/cmocka/test_ad_subdomains.c +@HAVE_CMOCKA_TRUE@am_test_ad_subdom_OBJECTS = src/tests/cmocka/test_ad_subdom-test_ad_subdomains.$(OBJEXT) +test_ad_subdom_OBJECTS = $(am_test_ad_subdom_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ad_subdom_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la 
+test_ad_subdom_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_ad_subdom_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__test_be_ptask_SOURCES_DIST = src/tests/cmocka/common_mock_be.c \ + src/tests/cmocka/test_be_ptask.c src/providers/be_ptask.c +@HAVE_CMOCKA_TRUE@am_test_be_ptask_OBJECTS = src/tests/cmocka/test_be_ptask-common_mock_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_be_ptask-test_be_ptask.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/test_be_ptask-be_ptask.$(OBJEXT) +test_be_ptask_OBJECTS = $(am_test_be_ptask_OBJECTS) +@HAVE_CMOCKA_TRUE@test_be_ptask_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_be_ptask_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_be_ptask_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_cert_utils_SOURCES_DIST = src/tests/cmocka/test_cert_utils.c \ + src/util/cert/cert_common_p11_child.c +@HAVE_CMOCKA_TRUE@am_test_cert_utils_OBJECTS = src/tests/cmocka/test_cert_utils-test_cert_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/cert/test_cert_utils-cert_common_p11_child.$(OBJEXT) +test_cert_utils_OBJECTS = $(am_test_cert_utils_OBJECTS) +@HAVE_CMOCKA_TRUE@test_cert_utils_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_cert.la libsss_crypt.la +test_cert_utils_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_cert_utils_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_child_common_SOURCES_DIST = \ + src/tests/cmocka/test_child_common.c src/util/child_common.c \ + src/util/signal.c src/util/atomic_io.c 
src/util/util_errors.c \ + src/util/util.c src/util/util_ext.c +@HAVE_CMOCKA_TRUE@am_test_child_common_OBJECTS = src/tests/cmocka/test_child_common-test_child_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_child_common-child_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_child_common-signal.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_child_common-atomic_io.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_child_common-util_errors.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_child_common-util.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_child_common-util_ext.$(OBJEXT) +test_child_common_OBJECTS = $(am_test_child_common_OBJECTS) +@HAVE_CMOCKA_TRUE@test_child_common_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la libsss_test_common.la +test_child_common_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_child_common_CFLAGS) $(CFLAGS) \ + $(test_child_common_LDFLAGS) $(LDFLAGS) -o $@ +am__test_copy_ccache_SOURCES_DIST = \ + src/tests/cmocka/test_copy_ccache.c \ + src/providers/krb5/krb5_ccache.c src/util/sss_krb5.c \ + src/util/sss_iobuf.c +@HAVE_CMOCKA_TRUE@am_test_copy_ccache_OBJECTS = src/tests/cmocka/test_copy_ccache-test_copy_ccache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/krb5/test_copy_ccache-krb5_ccache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_copy_ccache-sss_krb5.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_copy_ccache-sss_iobuf.$(OBJEXT) +test_copy_ccache_OBJECTS = $(am_test_copy_ccache_OBJECTS) +@HAVE_CMOCKA_TRUE@test_copy_ccache_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_copy_ccache_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link 
$(CCLD) \ + $(test_copy_ccache_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_copy_keytab_SOURCES_DIST = \ + src/tests/cmocka/common_mock_krb5.c \ + src/tests/cmocka/test_copy_keytab.c \ + src/providers/krb5/krb5_keytab.c src/util/sss_krb5.c \ + src/util/sss_iobuf.c +@HAVE_CMOCKA_TRUE@am_test_copy_keytab_OBJECTS = src/tests/cmocka/test_copy_keytab-common_mock_krb5.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_copy_keytab-test_copy_keytab.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/krb5/test_copy_keytab-krb5_keytab.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_copy_keytab-sss_krb5.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/util/test_copy_keytab-sss_iobuf.$(OBJEXT) +test_copy_keytab_OBJECTS = $(am_test_copy_keytab_OBJECTS) +@HAVE_CMOCKA_TRUE@test_copy_keytab_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_copy_keytab_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_copy_keytab_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_data_provider_be_SOURCES_DIST = \ + src/providers/data_provider_be.c \ + src/tests/cmocka/test_data_provider_be.c \ + src/tests/cmocka/common_mock_be.c +@HAVE_CMOCKA_TRUE@am_test_data_provider_be_OBJECTS = src/providers/test_data_provider_be-data_provider_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_data_provider_be-test_data_provider_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_data_provider_be-common_mock_be.$(OBJEXT) +test_data_provider_be_OBJECTS = $(am_test_data_provider_be_OBJECTS) +@HAVE_CMOCKA_TRUE@test_data_provider_be_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ 
libdlopen_test_providers.la +test_data_provider_be_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_data_provider_be_CFLAGS) $(CFLAGS) \ + $(test_data_provider_be_LDFLAGS) $(LDFLAGS) -o $@ +am__test_dp_builtin_SOURCES_DIST = \ + src/providers/data_provider/dp_modules.c \ + src/providers/data_provider/dp_targets.c \ + src/providers/data_provider/dp_methods.c \ + src/providers/data_provider/dp_builtin.c \ + src/tests/cmocka/data_provider/mock_dp.c \ + src/tests/cmocka/data_provider/test_dp_builtin.c \ + src/tests/cmocka/common_mock_be.c +@HAVE_CMOCKA_TRUE@am_test_dp_builtin_OBJECTS = src/providers/data_provider/test_dp_builtin-dp_modules.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_builtin-dp_targets.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_builtin-dp_methods.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_builtin-dp_builtin.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_dp_builtin-common_mock_be.$(OBJEXT) +test_dp_builtin_OBJECTS = $(am_test_dp_builtin_OBJECTS) +@HAVE_CMOCKA_TRUE@test_dp_builtin_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_dp_builtin_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_dp_builtin_CFLAGS) $(CFLAGS) $(test_dp_builtin_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_dp_request_SOURCES_DIST = \ + src/providers/data_provider/dp_request.c \ + src/providers/data_provider/dp_modules.c \ + src/providers/data_provider/dp_targets.c \ + src/providers/data_provider/dp_methods.c \ + src/providers/data_provider/dp_builtin.c \ + 
src/tests/cmocka/data_provider/mock_dp.c \ + src/tests/cmocka/data_provider/test_dp_request.c \ + src/tests/cmocka/common_mock_be.c +@HAVE_CMOCKA_TRUE@am_test_dp_request_OBJECTS = src/providers/data_provider/test_dp_request-dp_request.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_request-dp_modules.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_request-dp_targets.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_request-dp_methods.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/test_dp_request-dp_builtin.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_request-mock_dp.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_request-test_dp_request.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_dp_request-common_mock_be.$(OBJEXT) +test_dp_request_OBJECTS = $(am_test_dp_request_OBJECTS) +@HAVE_CMOCKA_TRUE@test_dp_request_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la $(am__append_64) +test_dp_request_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_dp_request_CFLAGS) $(CFLAGS) $(test_dp_request_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_dp_request_table_SOURCES_DIST = \ + src/providers/data_provider/dp_request_table.c \ + src/tests/cmocka/data_provider/test_dp_request_table.c +@HAVE_CMOCKA_TRUE@am_test_dp_request_table_OBJECTS = src/providers/data_provider/test_dp_request_table-dp_request_table.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.$(OBJEXT) +test_dp_request_table_OBJECTS = $(am_test_dp_request_table_OBJECTS) +@HAVE_CMOCKA_TRUE@test_dp_request_table_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) 
libsss_test_common.la +test_dp_request_table_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_dp_request_table_CFLAGS) $(CFLAGS) \ + $(test_dp_request_table_LDFLAGS) $(LDFLAGS) -o $@ +am__test_fo_srv_SOURCES_DIST = src/tests/cmocka/test_fo_srv.c \ + src/providers/fail_over.c src/providers/fail_over_srv.c +@HAVE_CMOCKA_TRUE@am_test_fo_srv_OBJECTS = src/tests/cmocka/test_fo_srv-test_fo_srv.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/test_fo_srv-fail_over.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/test_fo_srv-fail_over_srv.$(OBJEXT) +test_fo_srv_OBJECTS = $(am_test_fo_srv_OBJECTS) +@HAVE_CMOCKA_TRUE@test_fo_srv_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_fo_srv_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_fo_srv_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_inotify_SOURCES_DIST = src/util/inotify.c \ + src/tests/cmocka/test_inotify.c +@HAVE_CMOCKA_TRUE@am_test_inotify_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/util/test_inotify-inotify.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_inotify-test_inotify.$(OBJEXT) +test_inotify_OBJECTS = $(am_test_inotify_OBJECTS) +@HAVE_CMOCKA_TRUE@test_inotify_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la +test_inotify_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_inotify_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_iobuf_SOURCES_DIST = src/util/sss_iobuf.c \ + src/tests/cmocka/test_iobuf.c +@HAVE_CMOCKA_TRUE@am_test_iobuf_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/util/test_iobuf-sss_iobuf.$(OBJEXT) \ 
+@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_iobuf-test_iobuf.$(OBJEXT) +test_iobuf_OBJECTS = $(am_test_iobuf_OBJECTS) +@HAVE_CMOCKA_TRUE@test_iobuf_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) +test_iobuf_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_iobuf_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_ipa_dn_SOURCES_DIST = src/providers/ipa/ipa_dn.c \ + src/tests/cmocka/test_ipa_dn.c +@HAVE_CMOCKA_TRUE@am_test_ipa_dn_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_dn.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_dn.$(OBJEXT) +test_ipa_dn_OBJECTS = $(am_test_ipa_dn_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ipa_dn_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +am__test_ipa_idmap_SOURCES_DIST = src/tests/cmocka/test_ipa_idmap.c \ + src/providers/ipa/ipa_idmap.c +@HAVE_CMOCKA_TRUE@am_test_ipa_idmap_OBJECTS = src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/test_ipa_idmap-ipa_idmap.$(OBJEXT) +test_ipa_idmap_OBJECTS = $(am_test_ipa_idmap_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ipa_idmap_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_ipa_idmap_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_ipa_idmap_CFLAGS) $(CFLAGS) $(test_ipa_idmap_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_ipa_subdom_server_SOURCES_DIST = \ + src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_delayed_online_authentication.c \ + src/providers/krb5/krb5_renew_tgt.c \ + src/providers/krb5/krb5_wait_queue.c \ + src/providers/krb5/krb5_common.c \ + src/providers/krb5/krb5_opts.c 
src/providers/krb5/krb5_auth.c \ + src/providers/krb5/krb5_access.c \ + src/providers/krb5/krb5_child_handler.c \ + src/providers/krb5/krb5_init_shared.c \ + src/providers/krb5/krb5_ccache.c src/util/sss_krb5.c \ + src/util/sss_iobuf.c src/util/become_user.c \ + src/tests/cmocka/common_mock_sdap.c \ + src/tests/cmocka/common_mock_be.c \ + src/tests/cmocka/common_mock_krb5.c \ + src/tests/cmocka/test_ipa_subdomains_server.c \ + src/providers/ipa/ipa_subdomains_server.c \ + src/providers/ipa/ipa_subdomains_utils.c \ + src/providers/ipa/ipa_opts.c +am__objects_96 = src/providers/krb5/test_ipa_subdom_server-krb5_utils.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_common.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_opts.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_auth.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_access.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.$(OBJEXT) \ + src/providers/krb5/test_ipa_subdom_server-krb5_ccache.$(OBJEXT) \ + src/util/test_ipa_subdom_server-sss_krb5.$(OBJEXT) \ + src/util/test_ipa_subdom_server-sss_iobuf.$(OBJEXT) \ + src/util/test_ipa_subdom_server-become_user.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am_test_ipa_subdom_server_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ $(am__objects_96) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_subdom_server-common_mock_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ 
src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/test_ipa_subdom_server-ipa_opts.$(OBJEXT) +test_ipa_subdom_server_OBJECTS = $(am_test_ipa_subdom_server_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ipa_subdom_server_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +test_ipa_subdom_server_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) \ + $(test_ipa_subdom_server_LDFLAGS) $(LDFLAGS) -o $@ +am__test_ipa_subdom_util_SOURCES_DIST = \ + src/tests/cmocka/test_ipa_subdomains_utils.c \ + src/providers/ipa/ipa_subdomains_utils.c +@HAVE_CMOCKA_TRUE@am_test_ipa_subdom_util_OBJECTS = src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.$(OBJEXT) +test_ipa_subdom_util_OBJECTS = $(am_test_ipa_subdom_util_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ipa_subdom_util_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_ipa_subdom_util_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_kcm_json_SOURCES_DIST = \ + src/tests/cmocka/test_kcm_json_marshalling.c \ + src/responder/kcm/kcmsrv_ccache_json.c \ + src/responder/kcm/kcmsrv_ccache.c src/util/sss_krb5.c \ + src/util/sss_iobuf.c 
+@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@am_test_kcm_json_OBJECTS = src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.$(OBJEXT) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.$(OBJEXT) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/kcm/test_kcm_json-kcmsrv_ccache.$(OBJEXT) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/util/test_kcm_json-sss_krb5.$(OBJEXT) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/util/test_kcm_json-sss_iobuf.$(OBJEXT) +test_kcm_json_OBJECTS = $(am_test_kcm_json_OBJECTS) +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_json_DEPENDENCIES = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_kcm_json_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_kcm_json_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_kcm_queue_SOURCES_DIST = src/tests/cmocka/test_kcm_queue.c \ + src/responder/kcm/kcmsrv_op_queue.c +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@am_test_kcm_queue_OBJECTS = src/tests/cmocka/test_kcm_queue-test_kcm_queue.$(OBJEXT) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.$(OBJEXT) +test_kcm_queue_OBJECTS = $(am_test_kcm_queue_OBJECTS) +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_queue_DEPENDENCIES = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_5) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_kcm_queue_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) 
\ + $(test_kcm_queue_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__test_krb5_wait_queue_SOURCES_DIST = \ + src/tests/cmocka/common_mock_be.c \ + src/tests/cmocka/test_krb5_wait_queue.c \ + src/providers/krb5/krb5_wait_queue.c +@HAVE_CMOCKA_TRUE@am_test_krb5_wait_queue_OBJECTS = src/tests/cmocka/test_krb5_wait_queue-common_mock_be.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.$(OBJEXT) +test_krb5_wait_queue_OBJECTS = $(am_test_krb5_wait_queue_OBJECTS) +@HAVE_CMOCKA_TRUE@test_krb5_wait_queue_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_krb5_wait_queue_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_ldap_auth_SOURCES_DIST = src/tests/cmocka/test_ldap_auth.c \ + src/tests/cmocka/test_expire_common.c +@HAVE_CMOCKA_TRUE@am_test_ldap_auth_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ldap_auth.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_expire_common.$(OBJEXT) +test_ldap_auth_OBJECTS = $(am_test_ldap_auth_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ldap_auth_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +am__test_ldap_id_cleanup_SOURCES_DIST = \ + src/tests/cmocka/test_ldap_id_cleanup.c +@HAVE_CMOCKA_TRUE@am_test_ldap_id_cleanup_OBJECTS = src/tests/cmocka/test_ldap_id_cleanup.$(OBJEXT) +test_ldap_id_cleanup_OBJECTS = $(am_test_ldap_id_cleanup_OBJECTS) +@HAVE_CMOCKA_TRUE@test_ldap_id_cleanup_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ 
+@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +am__test_resolv_fake_SOURCES_DIST = \ + src/tests/cmocka/test_resolv_fake.c src/resolv/async_resolv.c +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@am_test_resolv_fake_OBJECTS = src/tests/cmocka/test_resolv_fake-test_resolv_fake.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ src/resolv/test_resolv_fake-async_resolv.$(OBJEXT) +test_resolv_fake_OBJECTS = $(am_test_resolv_fake_OBJECTS) +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@test_resolv_fake_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ libsss_test_common.la +test_resolv_fake_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_resolv_fake_CFLAGS) $(CFLAGS) \ + $(test_resolv_fake_LDFLAGS) $(LDFLAGS) -o $@ +am__test_sbus_opath_SOURCES_DIST = src/tests/cmocka/test_sbus_opath.c +@HAVE_CMOCKA_TRUE@am_test_sbus_opath_OBJECTS = src/tests/cmocka/test_sbus_opath-test_sbus_opath.$(OBJEXT) +test_sbus_opath_OBJECTS = $(am_test_sbus_opath_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sbus_opath_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_5) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_debug.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_sbus_opath_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + 
$(test_sbus_opath_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_sdap_access_SOURCES_DIST = \ + src/tests/cmocka/test_sdap_access.c \ + src/tests/cmocka/test_expire_common.c +@HAVE_CMOCKA_TRUE@am_test_sdap_access_OBJECTS = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap_access.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_expire_common.$(OBJEXT) +test_sdap_access_OBJECTS = $(am_test_sdap_access_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sdap_access_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +am__test_sdap_certmap_SOURCES_DIST = \ + src/tests/cmocka/test_sdap_certmap.c \ + src/providers/ldap/sdap_certmap.c +@HAVE_CMOCKA_TRUE@am_test_sdap_certmap_OBJECTS = src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/test_sdap_certmap-sdap_certmap.$(OBJEXT) +test_sdap_certmap_OBJECTS = $(am_test_sdap_certmap_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sdap_certmap_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la libsss_certmap.la +test_sdap_certmap_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sdap_certmap_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_sdap_initgr_SOURCES_DIST = \ + src/tests/cmocka/common_mock_sdap.c \ + src/tests/cmocka/common_mock_sysdb_objects.c \ + src/tests/cmocka/test_sdap_initgr.c +@HAVE_CMOCKA_TRUE@am_test_sdap_initgr_OBJECTS = src/tests/cmocka/test_sdap_initgr-common_mock_sdap.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.$(OBJEXT) +test_sdap_initgr_OBJECTS = $(am_test_sdap_initgr_OBJECTS) 
+@HAVE_CMOCKA_TRUE@test_sdap_initgr_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +test_sdap_initgr_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sdap_initgr_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_search_bases_SOURCES_DIST = \ + src/tests/cmocka/test_search_bases.c +@HAVE_CMOCKA_TRUE@am_test_search_bases_OBJECTS = src/tests/cmocka/test_search_bases.$(OBJEXT) +test_search_bases_OBJECTS = $(am_test_search_bases_OBJECTS) +@HAVE_CMOCKA_TRUE@test_search_bases_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la +am_test_ssh_client_OBJECTS = \ + src/tests/test_ssh_client-test_ssh_client.$(OBJEXT) +test_ssh_client_OBJECTS = $(am_test_ssh_client_OBJECTS) +test_ssh_client_DEPENDENCIES = $(am__DEPENDENCIES_2) \ + $(am__DEPENDENCIES_5) +test_ssh_client_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_ssh_client_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_sss_idmap_SOURCES_DIST = src/tests/cmocka/test_sss_idmap.c +@HAVE_CMOCKA_TRUE@am_test_sss_idmap_OBJECTS = src/tests/cmocka/test_sss_idmap-test_sss_idmap.$(OBJEXT) +test_sss_idmap_OBJECTS = $(am_test_sss_idmap_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sss_idmap_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sss_idmap_LINK = $(LIBTOOL) $(AM_V_lt) 
--tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sss_idmap_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__test_sssd_krb5_localauth_plugin_SOURCES_DIST = \ + src/tests/cmocka/test_sssd_krb5_localauth_plugin.c \ + src/krb5_plugin/sssd_krb5_localauth_plugin.c +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@am_test_sssd_krb5_localauth_plugin_OBJECTS = src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.$(OBJEXT) \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.$(OBJEXT) +test_sssd_krb5_localauth_plugin_OBJECTS = \ + $(am_test_sssd_krb5_localauth_plugin_OBJECTS) +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@test_sssd_krb5_localauth_plugin_DEPENDENCIES = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(am__DEPENDENCIES_1) \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(am__DEPENDENCIES_1) +test_sssd_krb5_localauth_plugin_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_sssd_krb5_locator_plugin_SOURCES_DIST = \ + src/tests/cmocka/test_sssd_krb5_locator_plugin.c \ + src/krb5_plugin/sssd_krb5_locator_plugin.c +@HAVE_CMOCKA_TRUE@am_test_sssd_krb5_locator_plugin_OBJECTS = src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.$(OBJEXT) +test_sssd_krb5_locator_plugin_OBJECTS = \ + $(am_test_sssd_krb5_locator_plugin_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sssd_krb5_locator_plugin_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_sssd_krb5_locator_plugin_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + 
$(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_sysdb_certmap_SOURCES_DIST = \ + src/tests/cmocka/test_sysdb_certmap.c +@HAVE_CMOCKA_TRUE@am_test_sysdb_certmap_OBJECTS = src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.$(OBJEXT) +test_sysdb_certmap_OBJECTS = $(am_test_sysdb_certmap_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_certmap_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_certmap_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sysdb_certmap_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_sysdb_domain_resolution_order_SOURCES_DIST = \ + src/tests/cmocka/test_sysdb_domain_resolution_order.c +@HAVE_CMOCKA_TRUE@am_test_sysdb_domain_resolution_order_OBJECTS = src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.$(OBJEXT) +test_sysdb_domain_resolution_order_OBJECTS = \ + $(am_test_sysdb_domain_resolution_order_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_domain_resolution_order_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_domain_resolution_order_LINK = $(LIBTOOL) $(AM_V_lt) \ + --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link \ + $(CCLD) $(test_sysdb_domain_resolution_order_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_sysdb_subdomains_SOURCES_DIST = \ + src/tests/cmocka/test_sysdb_subdomains.c +@HAVE_CMOCKA_TRUE@am_test_sysdb_subdomains_OBJECTS = src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.$(OBJEXT) +test_sysdb_subdomains_OBJECTS = $(am_test_sysdb_subdomains_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_subdomains_DEPENDENCIES = \ 
+@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_subdomains_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sysdb_subdomains_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_sysdb_sudo_SOURCES_DIST = src/tests/cmocka/test_sysdb_sudo.c +@HAVE_CMOCKA_TRUE@am_test_sysdb_sudo_OBJECTS = src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.$(OBJEXT) +test_sysdb_sudo_OBJECTS = $(am_test_sysdb_sudo_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_sudo_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_sudo_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sysdb_sudo_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_sysdb_ts_cache_SOURCES_DIST = \ + src/tests/cmocka/test_sysdb_ts_cache.c \ + src/providers/ipa/ipa_utils.c +@HAVE_CMOCKA_TRUE@am_test_sysdb_ts_cache_OBJECTS = src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/test_sysdb_ts_cache-ipa_utils.$(OBJEXT) +test_sysdb_ts_cache_OBJECTS = $(am_test_sysdb_ts_cache_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_ts_cache_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_ts_cache_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__test_sysdb_utils_SOURCES_DIST = \ + src/tests/cmocka/test_sysdb_utils.c 
+@HAVE_CMOCKA_TRUE@am_test_sysdb_utils_OBJECTS = src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.$(OBJEXT) +test_sysdb_utils_OBJECTS = $(am_test_sysdb_utils_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_utils_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_utils_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sysdb_utils_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_sysdb_views_SOURCES_DIST = \ + src/tests/cmocka/test_sysdb_views.c \ + src/providers/ipa/ipa_utils.c +@HAVE_CMOCKA_TRUE@am_test_sysdb_views_OBJECTS = src/tests/cmocka/test_sysdb_views-test_sysdb_views.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/test_sysdb_views-ipa_utils.$(OBJEXT) +test_sysdb_views_OBJECTS = $(am_test_sysdb_views_OBJECTS) +@HAVE_CMOCKA_TRUE@test_sysdb_views_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_2) libsss_test_common.la +test_sysdb_views_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_sysdb_views_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__test_tools_colondb_SOURCES_DIST = \ + src/tests/cmocka/test_tools_colondb.c \ + src/tools/common/sss_colondb.c +@HAVE_CMOCKA_TRUE@am_test_tools_colondb_OBJECTS = src/tests/cmocka/test_tools_colondb-test_tools_colondb.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tools/common/test_tools_colondb-sss_colondb.$(OBJEXT) +test_tools_colondb_OBJECTS = $(am_test_tools_colondb_OBJECTS) +@HAVE_CMOCKA_TRUE@test_tools_colondb_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) libsss_test_common.la +test_tools_colondb_LINK = 
$(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_tools_colondb_CFLAGS) $(CFLAGS) \ + $(test_tools_colondb_LDFLAGS) $(LDFLAGS) -o $@ +am__test_utils_SOURCES_DIST = src/tests/cmocka/test_utils.c \ + src/tests/cmocka/test_string_utils.c \ + src/tests/cmocka/test_sss_ssh.c +@BUILD_SSH_TRUE@@HAVE_CMOCKA_TRUE@am__objects_97 = src/tests/cmocka/test_utils-test_sss_ssh.$(OBJEXT) +@HAVE_CMOCKA_TRUE@am_test_utils_OBJECTS = src/tests/cmocka/test_utils-test_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_utils-test_string_utils.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ $(am__objects_97) +test_utils_OBJECTS = $(am_test_utils_OBJECTS) +@HAVE_CMOCKA_TRUE@test_utils_DEPENDENCIES = $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la +test_utils_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(test_utils_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__test_wbc_calls_SOURCES_DIST = src/tests/cmocka/test_wbc_calls.c \ + src/sss_client/libwbclient/wbc_sid_sssd.c \ + src/sss_client/libwbclient/wbclient_common.c \ + src/sss_client/libwbclient/wbc_sid_common.c \ + src/sss_client/common.c +@HAVE_CMOCKA_TRUE@am_test_wbc_calls_OBJECTS = src/tests/cmocka/test_wbc_calls-test_wbc_calls.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/sss_client/libwbclient/test_wbc_calls-wbclient_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.$(OBJEXT) \ +@HAVE_CMOCKA_TRUE@ src/sss_client/test_wbc_calls-common.$(OBJEXT) +test_wbc_calls_OBJECTS = $(am_test_wbc_calls_OBJECTS) +@HAVE_CMOCKA_TRUE@test_wbc_calls_DEPENDENCIES = $(am__DEPENDENCIES_6) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ +@HAVE_CMOCKA_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CMOCKA_TRUE@ 
libsss_test_common.la libsss_nss_idmap.la +test_wbc_calls_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(test_wbc_calls_CFLAGS) $(CFLAGS) $(test_wbc_calls_LDFLAGS) \ + $(LDFLAGS) -o $@ +am__util_tests_SOURCES_DIST = src/tests/util-tests.c +@HAVE_CHECK_TRUE@am_util_tests_OBJECTS = \ +@HAVE_CHECK_TRUE@ src/tests/util_tests-util-tests.$(OBJEXT) +util_tests_OBJECTS = $(am_util_tests_OBJECTS) +@HAVE_CHECK_TRUE@util_tests_DEPENDENCIES = $(am__DEPENDENCIES_5) \ +@HAVE_CHECK_TRUE@ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la +util_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(util_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am__dist_sss_obfuscate_python_SCRIPTS_DIST = src/tools/sss_obfuscate +SCRIPTS = $(dist_noinst_SCRIPTS) $(dist_sss_obfuscate_python_SCRIPTS) \ + $(init_SCRIPTS) $(sbin_SCRIPTS) +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/build/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + 
$(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(_py2hbac_la_SOURCES) $(_py2sss_la_SOURCES) \ + $(_py2sss_murmur_la_SOURCES) $(_py2sss_nss_idmap_la_SOURCES) \ + $(_py3hbac_la_SOURCES) $(_py3sss_la_SOURCES) \ + $(_py3sss_murmur_la_SOURCES) $(_py3sss_nss_idmap_la_SOURCES) \ + $(cifs_idmap_sss_la_SOURCES) \ + $(libdlopen_test_providers_la_SOURCES) \ + $(libdlopen_test_winbind_idmap_la_SOURCES) \ + $(libipa_hbac_la_SOURCES) $(libnss_sss_la_SOURCES) \ + $(libsss_ad_la_SOURCES) $(libsss_ad_tests_la_SOURCES) \ + $(libsss_autofs_la_SOURCES) $(libsss_cert_la_SOURCES) \ + $(libsss_certmap_la_SOURCES) $(libsss_child_la_SOURCES) \ + $(libsss_crypt_la_SOURCES) $(libsss_debug_la_SOURCES) \ + $(libsss_files_la_SOURCES) $(libsss_idmap_la_SOURCES) \ + $(libsss_ipa_la_SOURCES) $(libsss_krb5_la_SOURCES) \ + $(libsss_krb5_common_la_SOURCES) $(libsss_ldap_la_SOURCES) \ + $(libsss_ldap_common_la_SOURCES) \ + $(libsss_nss_idmap_la_SOURCES) \ + $(libsss_nss_idmap_tests_la_SOURCES) \ + $(libsss_proxy_la_SOURCES) $(libsss_semanage_la_SOURCES) \ + $(libsss_simple_la_SOURCES) $(libsss_simpleifp_la_SOURCES) \ + $(libsss_sudo_la_SOURCES) $(libsss_test_common_la_SOURCES) \ + $(libsss_util_la_SOURCES) $(libwbclient_la_SOURCES) \ + $(memberof_la_SOURCES) $(pam_sss_la_SOURCES) $(sss_la_SOURCES) \ + $(sssd_krb5_localauth_plugin_la_SOURCES) \ + $(sssd_krb5_locator_plugin_la_SOURCES) \ + $(sssd_pac_plugin_la_SOURCES) $(winbind_idmap_sss_la_SOURCES) \ + $(ad_access_filter_tests_SOURCES) $(ad_common_tests_SOURCES) \ + $(ad_gpo_tests_SOURCES) $(ad_ldap_opt_tests_SOURCES) \ + $(auth_tests_SOURCES) $(autofs_test_client_SOURCES) \ + $(check_and_open_tests_SOURCES) $(config_check_tests_SOURCES) \ + $(crypto_tests_SOURCES) $(debug_tests_SOURCES) \ + $(deskprofile_utils_tests_SOURCES) $(dlopen_tests_SOURCES) \ + $(domain_resolution_order_tests_SOURCES) \ + $(dp_opt_tests_SOURCES) 
$(dummy_child_SOURCES) \ + $(dyndns_tests_SOURCES) $(fail_over_tests_SOURCES) \ + $(files_tests_SOURCES) $(find_uid_tests_SOURCES) \ + $(fqnames_tests_SOURCES) $(gpo_child_SOURCES) \ + $(ifp_tests_SOURCES) $(ipa_hbac_tests_SOURCES) \ + $(ipa_ldap_opt_tests_SOURCES) $(krb5_child_test_SOURCES) \ + $(krb5_utils_tests_SOURCES) $(krb5_child_SOURCES) \ + $(krb5_common_test_SOURCES) $(ldap_child_SOURCES) \ + $(nestedgroups_tests_SOURCES) $(nss_srv_tests_SOURCES) \ + $(p11_child_SOURCES) $(pam_srv_tests_SOURCES) \ + $(proxy_child_SOURCES) $(refcount_tests_SOURCES) \ + $(resolv_tests_SOURCES) $(responder_get_domains_tests_SOURCES) \ + $(responder_cache_req_tests_SOURCES) \ + $(responder_socket_access_tests_SOURCES) \ + $(safe_format_tests_SOURCES) $(sbus_internal_tests_SOURCES) \ + $(sbus_codegen_tests_SOURCES) $(sbus_tests_SOURCES) \ + $(sdap_tests_SOURCES) $(selinux_child_SOURCES) \ + $(simple_access_tests_SOURCES) $(ssh_srv_tests_SOURCES) \ + $(sss_cache_SOURCES) $(sss_certmap_test_SOURCES) \ + $(sss_groupadd_SOURCES) $(sss_groupdel_SOURCES) \ + $(sss_groupmod_SOURCES) $(sss_groupshow_SOURCES) \ + $(sss_idmap_tests_SOURCES) $(sss_nss_idmap_tests_SOURCES) \ + $(sss_override_SOURCES) $(sss_seed_SOURCES) \ + $(sss_sifp_tests_SOURCES) $(sss_signal_SOURCES) \ + $(sss_ssh_authorizedkeys_SOURCES) \ + $(sss_ssh_knownhostsproxy_SOURCES) $(sss_sudo_cli_SOURCES) \ + $(sss_useradd_SOURCES) $(sss_userdel_SOURCES) \ + $(sss_usermod_SOURCES) $(sssctl_SOURCES) $(sssd_SOURCES) \ + $(sssd_autofs_SOURCES) $(sssd_be_SOURCES) \ + $(sssd_check_socket_activated_responders_SOURCES) \ + $(sssd_ifp_SOURCES) $(sssd_kcm_SOURCES) $(sssd_nss_SOURCES) \ + $(sssd_pac_SOURCES) $(sssd_pac_test_client_SOURCES) \ + $(sssd_pam_SOURCES) $(sssd_secrets_SOURCES) \ + $(sssd_ssh_SOURCES) $(sssd_sudo_SOURCES) \ + $(stress_tests_SOURCES) $(strtonum_tests_SOURCES) \ + $(sysdb_tests_SOURCES) $(sysdb_ssh_tests_SOURCES) \ + $(tcurl_test_tool_SOURCES) $(test_authtok_SOURCES) \ + $(test_find_uid_SOURCES) 
$(test_io_SOURCES) \ + $(test_negcache_SOURCES) $(test_ad_subdom_SOURCES) \ + $(test_be_ptask_SOURCES) $(test_cert_utils_SOURCES) \ + $(test_child_common_SOURCES) $(test_copy_ccache_SOURCES) \ + $(test_copy_keytab_SOURCES) $(test_data_provider_be_SOURCES) \ + $(test_dp_builtin_SOURCES) $(test_dp_request_SOURCES) \ + $(test_dp_request_table_SOURCES) $(test_fo_srv_SOURCES) \ + $(test_inotify_SOURCES) $(test_iobuf_SOURCES) \ + $(test_ipa_dn_SOURCES) $(test_ipa_idmap_SOURCES) \ + $(test_ipa_subdom_server_SOURCES) \ + $(test_ipa_subdom_util_SOURCES) $(test_kcm_json_SOURCES) \ + $(test_kcm_queue_SOURCES) $(test_krb5_wait_queue_SOURCES) \ + $(test_ldap_auth_SOURCES) $(test_ldap_id_cleanup_SOURCES) \ + $(test_resolv_fake_SOURCES) $(test_sbus_opath_SOURCES) \ + $(test_sdap_access_SOURCES) $(test_sdap_certmap_SOURCES) \ + $(test_sdap_initgr_SOURCES) $(test_search_bases_SOURCES) \ + $(test_ssh_client_SOURCES) $(test_sss_idmap_SOURCES) \ + $(test_sssd_krb5_localauth_plugin_SOURCES) \ + $(test_sssd_krb5_locator_plugin_SOURCES) \ + $(test_sysdb_certmap_SOURCES) \ + $(test_sysdb_domain_resolution_order_SOURCES) \ + $(test_sysdb_subdomains_SOURCES) $(test_sysdb_sudo_SOURCES) \ + $(test_sysdb_ts_cache_SOURCES) $(test_sysdb_utils_SOURCES) \ + $(test_sysdb_views_SOURCES) $(test_tools_colondb_SOURCES) \ + $(test_utils_SOURCES) $(test_wbc_calls_SOURCES) \ + $(util_tests_SOURCES) +DIST_SOURCES = $(_py2hbac_la_SOURCES) $(_py2sss_la_SOURCES) \ + $(_py2sss_murmur_la_SOURCES) $(_py2sss_nss_idmap_la_SOURCES) \ + $(_py3hbac_la_SOURCES) $(_py3sss_la_SOURCES) \ + $(_py3sss_murmur_la_SOURCES) $(_py3sss_nss_idmap_la_SOURCES) \ + $(am__cifs_idmap_sss_la_SOURCES_DIST) \ + $(am__libdlopen_test_providers_la_SOURCES_DIST) \ + $(am__libdlopen_test_winbind_idmap_la_SOURCES_DIST) \ + $(libipa_hbac_la_SOURCES) $(libnss_sss_la_SOURCES) \ + $(am__libsss_ad_la_SOURCES_DIST) \ + $(am__libsss_ad_tests_la_SOURCES_DIST) \ + $(am__libsss_autofs_la_SOURCES_DIST) \ + $(am__libsss_cert_la_SOURCES_DIST) \ + 
$(am__libsss_certmap_la_SOURCES_DIST) \ + $(libsss_child_la_SOURCES) $(am__libsss_crypt_la_SOURCES_DIST) \ + $(libsss_debug_la_SOURCES) $(libsss_files_la_SOURCES) \ + $(libsss_idmap_la_SOURCES) $(am__libsss_ipa_la_SOURCES_DIST) \ + $(libsss_krb5_la_SOURCES) $(libsss_krb5_common_la_SOURCES) \ + $(libsss_ldap_la_SOURCES) \ + $(am__libsss_ldap_common_la_SOURCES_DIST) \ + $(libsss_nss_idmap_la_SOURCES) \ + $(am__libsss_nss_idmap_tests_la_SOURCES_DIST) \ + $(libsss_proxy_la_SOURCES) $(libsss_semanage_la_SOURCES) \ + $(libsss_simple_la_SOURCES) \ + $(am__libsss_simpleifp_la_SOURCES_DIST) \ + $(am__libsss_sudo_la_SOURCES_DIST) \ + $(am__libsss_test_common_la_SOURCES_DIST) \ + $(am__libsss_util_la_SOURCES_DIST) \ + $(am__libwbclient_la_SOURCES_DIST) $(memberof_la_SOURCES) \ + $(pam_sss_la_SOURCES) $(am__sss_la_SOURCES_DIST) \ + $(am__sssd_krb5_localauth_plugin_la_SOURCES_DIST) \ + $(am__sssd_krb5_locator_plugin_la_SOURCES_DIST) \ + $(sssd_pac_plugin_la_SOURCES) \ + $(am__winbind_idmap_sss_la_SOURCES_DIST) \ + $(am__ad_access_filter_tests_SOURCES_DIST) \ + $(am__ad_common_tests_SOURCES_DIST) \ + $(am__ad_gpo_tests_SOURCES_DIST) \ + $(am__ad_ldap_opt_tests_SOURCES_DIST) \ + $(am__auth_tests_SOURCES_DIST) \ + $(am__autofs_test_client_SOURCES_DIST) \ + $(am__check_and_open_tests_SOURCES_DIST) \ + $(am__config_check_tests_SOURCES_DIST) \ + $(am__crypto_tests_SOURCES_DIST) \ + $(am__debug_tests_SOURCES_DIST) \ + $(am__deskprofile_utils_tests_SOURCES_DIST) \ + $(am__dlopen_tests_SOURCES_DIST) \ + $(am__domain_resolution_order_tests_SOURCES_DIST) \ + $(am__dp_opt_tests_SOURCES_DIST) \ + $(am__dummy_child_SOURCES_DIST) \ + $(am__dyndns_tests_SOURCES_DIST) \ + $(am__fail_over_tests_SOURCES_DIST) \ + $(am__files_tests_SOURCES_DIST) \ + $(am__find_uid_tests_SOURCES_DIST) \ + $(am__fqnames_tests_SOURCES_DIST) $(gpo_child_SOURCES) \ + $(am__ifp_tests_SOURCES_DIST) \ + $(am__ipa_hbac_tests_SOURCES_DIST) \ + $(am__ipa_ldap_opt_tests_SOURCES_DIST) \ + $(krb5_child_test_SOURCES) \ + 
$(am__krb5_utils_tests_SOURCES_DIST) $(krb5_child_SOURCES) \ + $(am__krb5_common_test_SOURCES_DIST) $(ldap_child_SOURCES) \ + $(am__nestedgroups_tests_SOURCES_DIST) \ + $(am__nss_srv_tests_SOURCES_DIST) \ + $(am__p11_child_SOURCES_DIST) \ + $(am__pam_srv_tests_SOURCES_DIST) $(proxy_child_SOURCES) \ + $(am__refcount_tests_SOURCES_DIST) \ + $(am__resolv_tests_SOURCES_DIST) \ + $(am__responder_get_domains_tests_SOURCES_DIST) \ + $(am__responder_cache_req_tests_SOURCES_DIST) \ + $(am__responder_socket_access_tests_SOURCES_DIST) \ + $(am__safe_format_tests_SOURCES_DIST) \ + $(am__sbus_internal_tests_SOURCES_DIST) \ + $(am__sbus_codegen_tests_SOURCES_DIST) \ + $(am__sbus_tests_SOURCES_DIST) $(am__sdap_tests_SOURCES_DIST) \ + $(am__selinux_child_SOURCES_DIST) \ + $(am__simple_access_tests_SOURCES_DIST) \ + $(am__ssh_srv_tests_SOURCES_DIST) $(sss_cache_SOURCES) \ + $(am__sss_certmap_test_SOURCES_DIST) $(sss_groupadd_SOURCES) \ + $(sss_groupdel_SOURCES) $(sss_groupmod_SOURCES) \ + $(sss_groupshow_SOURCES) $(am__sss_idmap_tests_SOURCES_DIST) \ + $(am__sss_nss_idmap_tests_SOURCES_DIST) \ + $(sss_override_SOURCES) $(sss_seed_SOURCES) \ + $(am__sss_sifp_tests_SOURCES_DIST) $(sss_signal_SOURCES) \ + $(am__sss_ssh_authorizedkeys_SOURCES_DIST) \ + $(am__sss_ssh_knownhostsproxy_SOURCES_DIST) \ + $(am__sss_sudo_cli_SOURCES_DIST) $(sss_useradd_SOURCES) \ + $(sss_userdel_SOURCES) $(sss_usermod_SOURCES) \ + $(sssctl_SOURCES) $(sssd_SOURCES) \ + $(am__sssd_autofs_SOURCES_DIST) $(sssd_be_SOURCES) \ + $(am__sssd_check_socket_activated_responders_SOURCES_DIST) \ + $(am__sssd_ifp_SOURCES_DIST) $(am__sssd_kcm_SOURCES_DIST) \ + $(sssd_nss_SOURCES) $(sssd_pac_SOURCES) \ + $(sssd_pac_test_client_SOURCES) $(sssd_pam_SOURCES) \ + $(am__sssd_secrets_SOURCES_DIST) $(am__sssd_ssh_SOURCES_DIST) \ + $(am__sssd_sudo_SOURCES_DIST) $(stress_tests_SOURCES) \ + $(am__strtonum_tests_SOURCES_DIST) \ + $(am__sysdb_tests_SOURCES_DIST) \ + $(am__sysdb_ssh_tests_SOURCES_DIST) \ + 
$(am__tcurl_test_tool_SOURCES_DIST) \ + $(am__test_authtok_SOURCES_DIST) \ + $(am__test_find_uid_SOURCES_DIST) $(am__test_io_SOURCES_DIST) \ + $(am__test_negcache_SOURCES_DIST) \ + $(am__test_ad_subdom_SOURCES_DIST) \ + $(am__test_be_ptask_SOURCES_DIST) \ + $(am__test_cert_utils_SOURCES_DIST) \ + $(am__test_child_common_SOURCES_DIST) \ + $(am__test_copy_ccache_SOURCES_DIST) \ + $(am__test_copy_keytab_SOURCES_DIST) \ + $(am__test_data_provider_be_SOURCES_DIST) \ + $(am__test_dp_builtin_SOURCES_DIST) \ + $(am__test_dp_request_SOURCES_DIST) \ + $(am__test_dp_request_table_SOURCES_DIST) \ + $(am__test_fo_srv_SOURCES_DIST) \ + $(am__test_inotify_SOURCES_DIST) \ + $(am__test_iobuf_SOURCES_DIST) $(am__test_ipa_dn_SOURCES_DIST) \ + $(am__test_ipa_idmap_SOURCES_DIST) \ + $(am__test_ipa_subdom_server_SOURCES_DIST) \ + $(am__test_ipa_subdom_util_SOURCES_DIST) \ + $(am__test_kcm_json_SOURCES_DIST) \ + $(am__test_kcm_queue_SOURCES_DIST) \ + $(am__test_krb5_wait_queue_SOURCES_DIST) \ + $(am__test_ldap_auth_SOURCES_DIST) \ + $(am__test_ldap_id_cleanup_SOURCES_DIST) \ + $(am__test_resolv_fake_SOURCES_DIST) \ + $(am__test_sbus_opath_SOURCES_DIST) \ + $(am__test_sdap_access_SOURCES_DIST) \ + $(am__test_sdap_certmap_SOURCES_DIST) \ + $(am__test_sdap_initgr_SOURCES_DIST) \ + $(am__test_search_bases_SOURCES_DIST) \ + $(test_ssh_client_SOURCES) $(am__test_sss_idmap_SOURCES_DIST) \ + $(am__test_sssd_krb5_localauth_plugin_SOURCES_DIST) \ + $(am__test_sssd_krb5_locator_plugin_SOURCES_DIST) \ + $(am__test_sysdb_certmap_SOURCES_DIST) \ + $(am__test_sysdb_domain_resolution_order_SOURCES_DIST) \ + $(am__test_sysdb_subdomains_SOURCES_DIST) \ + $(am__test_sysdb_sudo_SOURCES_DIST) \ + $(am__test_sysdb_ts_cache_SOURCES_DIST) \ + $(am__test_sysdb_utils_SOURCES_DIST) \ + $(am__test_sysdb_views_SOURCES_DIST) \ + $(am__test_tools_colondb_SOURCES_DIST) \ + $(am__test_utils_SOURCES_DIST) \ + $(am__test_wbc_calls_SOURCES_DIST) \ + $(am__util_tests_SOURCES_DIST) +RECURSIVE_TARGETS = all-recursive 
check-recursive cscopelist-recursive \ + ctags-recursive dvi-recursive html-recursive info-recursive \ + install-data-recursive install-dvi-recursive \ + install-exec-recursive install-html-recursive \ + install-info-recursive install-pdf-recursive \ + install-ps-recursive install-recursive installcheck-recursive \ + installdirs-recursive pdf-recursive ps-recursive \ + tags-recursive uninstall-recursive +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__dist_dbuspolicy_DATA_DIST = \ + src/responder/ifp/org.freedesktop.sssd.infopipe.conf +am__dist_dbusservice_DATA_DIST = \ + src/responder/ifp/org.freedesktop.sssd.infopipe.service +am__dist_noinst_DATA_DIST = src/config/testconfigs/sssd-valid.conf \ + src/config/testconfigs/noparse.api.conf \ + src/config/testconfigs/sssd-noversion.conf \ + src/config/testconfigs/sssd-badversion.conf \ + src/config/testconfigs/sssd-invalid.conf \ + src/config/testconfigs/sssd-invalid-badbool.conf \ + src/config/testconfigs/sssd-nonexisting-services-domains.conf \ + src/config/etc/sssd.api.d/crash_test_dummy \ + contrib/ci/README.md contrib/ci/configure.sh \ + contrib/ci/deps.sh contrib/ci/distro.sh contrib/ci/misc.sh \ + contrib/ci/sssd.supp $(srcdir)/src/systemtap/sssd_probes.d \ + src/lib/ipa_hbac/ipa_hbac.exports \ + src/lib/idmap/sss_idmap.exports \ + src/sss_client/idmap/sss_nss_idmap.exports \ + src/sss_client/libwbclient/wbclient.exports \ + src/lib/sifp/sss_simpleifp.exports \ + src/examples/sssd-example.conf src/examples/sssdproxytest \ + src/examples/sudo src/examples/logrotate \ + src/providers/sssd_be.exports src/sss_client/COPYING \ + src/sss_client/COPYING.LESSER src/m4 \ + src/lib/certmap/sss_certmap.exports \ + src/sss_client/idmap/sss_nss_idmap.unit_tests \ + src/sss_client/sss_nss.exports src/sss_client/sss_pam.exports \ + src/sss_client/sss_sudo.exports \ + src/sss_client/autofs/sss_autofs.exports m4 \ + 
contrib/sssd.spec.in BUILD.txt COPYING +am__dist_polkit_rules_DATA_DIST = contrib/sssd-pcsc.rules +am__dist_sssdkcmdata_DATA_DIST = contrib/kcm_default_ccache +am__dist_sssdtapscript_DATA_DIST = contrib/systemtap/id_perf.stp \ + contrib/systemtap/nested_group_perf.stp \ + contrib/systemtap/dp_request.stp +am__dist_systemtap_tap_DATA_DIST = \ + $(builddir)/src/systemtap/sssd_functions.stp +DATA = $(dist_dbuspolicy_DATA) $(dist_dbusservice_DATA) \ + $(dist_noinst_DATA) $(dist_pamconf_DATA) \ + $(dist_polkit_rules_DATA) $(dist_sssdapiplugin_DATA) \ + $(dist_sssddata_DATA) $(dist_sssddefaultconf_DATA) \ + $(dist_sssdkcmdata_DATA) $(dist_sssdtapscript_DATA) \ + $(dist_systemtap_tap_DATA) $(pkgconfig_DATA) \ + $(systemdconf_DATA) $(systemdunit_DATA) $(systemtap_tap_DATA) +am__dist_noinst_HEADERS_DIST = src/monitor/monitor.h \ + src/util/crypto/sss_crypto.h \ + src/util/crypto/libcrypto/sss_openssl.h src/util/cert.h \ + src/util/dlinklist.h src/util/debug.h src/util/util.h \ + src/util/util_errors.h src/util/safe-format-string.h \ + src/util/session_recording.h src/util/strtonum.h \ + src/util/sss_cli_cmd.h src/util/sss_ptr_hash.h \ + src/util/sss_endian.h src/util/sss_nss.h src/util/sss_ldap.h \ + src/util/sss_python.h src/util/sss_krb5.h \ + src/util/sss_selinux.h src/util/sss_sockets.h \ + src/util/sss_utf8.h src/util/sss_ssh.h src/util/sss_ini.h \ + src/util/sss_format.h src/util/refcount.h src/util/find_uid.h \ + src/util/user_info_msg.h src/util/mmap_cache.h \ + src/util/atomic_io.h src/util/auth_utils.h src/util/authtok.h \ + src/util/authtok-utils.h src/util/util_sss_idmap.h \ + src/util/util_creds.h src/util/inotify.h src/util/sss_iobuf.h \ + src/util/tev_curl.h src/monitor/monitor_interfaces.h \ + src/monitor/monitor_iface_generated.h \ + src/responder/common/responder.h \ + src/responder/common/responder_packet.h \ + src/responder/common/responder_sbus.h \ + src/responder/common/iface/responder_iface.h \ + src/responder/common/iface/responder_iface_generated.h 
\ + src/responder/common/cache_req/cache_req.h \ + src/responder/common/cache_req/cache_req_domain.h \ + src/responder/common/cache_req/cache_req_plugin.h \ + src/responder/common/cache_req/cache_req_private.h \ + src/responder/common/data_provider/rdp.h \ + src/responder/pam/pamsrv.h src/responder/pam/pam_helpers.h \ + src/responder/nss/nss_private.h \ + src/responder/nss/nss_protocol.h \ + src/responder/nss/nss_iface_generated.h \ + src/responder/nss/nss_iface.h \ + src/responder/nss/nsssrv_mmap_cache.h \ + src/responder/pac/pacsrv.h \ + src/responder/common/negcache_files.h \ + src/responder/common/negcache.h \ + src/responder/sudo/sudosrv_private.h \ + src/responder/autofs/autofs_private.h \ + src/responder/ssh/ssh_private.h \ + src/responder/ifp/ifp_iface_generated.h \ + src/responder/ifp/ifp_iface.h src/responder/ifp/ifp_private.h \ + src/responder/ifp/ifp_domains.h \ + src/responder/ifp/ifp_components.h \ + src/responder/ifp/ifp_users.h src/responder/ifp/ifp_groups.h \ + src/responder/ifp/ifp_cache.h src/responder/secrets/secsrv.h \ + src/responder/secrets/secsrv_private.h \ + src/responder/secrets/secsrv_local.h \ + src/responder/secrets/secsrv_proxy.h src/responder/kcm/kcm.h \ + src/responder/kcm/kcmsrv_pvt.h \ + src/responder/kcm/kcmsrv_ccache.h \ + src/responder/kcm/kcmsrv_ccache_pvt.h \ + src/responder/kcm/kcmsrv_ccache_be.h \ + src/responder/kcm/kcmsrv_ops.h src/sbus/sbus_client.h \ + src/sbus/sssd_dbus.h src/sbus/sssd_dbus_meta.h \ + src/sbus/sssd_dbus_private.h src/sbus/sssd_dbus_invokers.h \ + src/sbus/sssd_dbus_errors.h src/sbus/sssd_dbus_utils.h \ + src/db/sysdb.h src/db/sysdb_sudo.h src/db/sysdb_autofs.h \ + src/db/sysdb_selinux.h src/db/sysdb_private.h \ + src/db/sysdb_services.h src/db/sysdb_ssh.h \ + src/db/sysdb_domain_resolution_order.h src/confdb/confdb.h \ + src/confdb/confdb_private.h src/confdb/confdb_setup.h \ + src/providers/data_provider.h \ + src/providers/data_provider_req.h \ + src/providers/data_provider/dp.h \ + 
src/providers/data_provider/dp_flags.h \ + src/providers/data_provider/dp_responder_iface.h \ + src/providers/data_provider/dp_private.h \ + src/providers/data_provider/dp_request.h \ + src/providers/data_provider/dp_custom_data.h \ + src/providers/data_provider/dp_builtin.h \ + src/providers/data_provider/dp_iface_generated.h \ + src/providers/data_provider/dp_iface.h src/providers/backend.h \ + src/providers/be_dyndns.h src/providers/be_ptask_private.h \ + src/providers/be_ptask.h src/providers/be_refresh.h \ + src/providers/fail_over.h src/providers/fail_over_srv.h \ + src/util/child_common.h src/providers/simple/simple_access.h \ + src/providers/simple/simple_access_pvt.h \ + src/providers/krb5/krb5_auth.h \ + src/providers/krb5/krb5_common.h \ + src/providers/krb5/krb5_utils.h \ + src/providers/krb5/krb5_init_shared.h \ + src/providers/krb5/krb5_opts.h \ + src/providers/krb5/krb5_ccache.h \ + src/providers/ldap/ldap_common.h src/providers/ldap/sdap.h \ + src/providers/ldap/sdap_access.h \ + src/providers/ldap/sdap_async.h \ + src/providers/ldap/sdap_async_ad.h \ + src/providers/ldap/sdap_async_private.h \ + src/providers/ldap/sdap_sudo.h \ + src/providers/ldap/sdap_sudo_shared.h \ + src/providers/ldap/sdap_autofs.h \ + src/providers/ldap/sdap_id_op.h src/providers/ldap/ldap_opts.h \ + src/providers/ldap/ldap_auth.h src/providers/ldap/sdap_range.h \ + src/providers/ldap/sdap_users.h \ + src/providers/ldap/sdap_dyndns.h \ + src/providers/ldap/sdap_async_enum.h \ + src/providers/ldap/sdap_ops.h src/providers/ipa/ipa_common.h \ + src/providers/ipa/ipa_config.h src/providers/ipa/ipa_access.h \ + src/providers/ipa/ipa_selinux.h src/providers/ipa/ipa_hosts.h \ + src/providers/ipa/ipa_selinux_maps.h \ + src/providers/ipa/ipa_auth.h src/providers/ipa/ipa_dyndns.h \ + src/providers/ipa/ipa_subdomains.h src/providers/ipa/ipa_id.h \ + src/providers/ipa/ipa_opts.h src/providers/ipa/ipa_srv.h \ + src/providers/ipa/ipa_dn.h src/providers/ipa/ipa_sudo.h \ + 
src/providers/ipa/ipa_session.h src/providers/ad/ad_srv.h \ + src/providers/ad/ad_common.h src/providers/ad/ad_pac.h \ + src/providers/ad/ad_id.h src/providers/ad/ad_access.h \ + src/providers/ad/ad_gpo.h src/providers/ad/ad_opts.h \ + src/providers/ad/ad_domain_info.h \ + src/providers/ad/ad_subdomains.h src/providers/proxy/proxy.h \ + src/providers/proxy/proxy_iface_generated.h \ + src/providers/files/files_private.h src/tools/tools_util.h \ + src/tools/sss_sync_ops.h src/resolv/async_resolv.h \ + src/tests/common.h src/tests/common_check.h \ + src/tests/cmocka/common_mock.h \ + src/tests/cmocka/common_mock_resp.h \ + src/tests/cmocka/common_mock_sdap.h \ + src/tests/cmocka/common_mock_sysdb_objects.h \ + src/tests/cmocka/common_mock_krb5.h \ + src/tests/cmocka/common_mock_be.h \ + src/tests/cmocka/test_expire_common.h \ + src/tests/cmocka/test_sdap_access.h \ + src/tests/cmocka/data_provider/mock_dp.h \ + src/tests/sbus_codegen_tests_generated.h \ + src/sss_client/pam_message.h \ + src/sss_client/ssh/sss_ssh_client.h \ + src/sss_client/sudo/sss_sudo.h \ + src/sss_client/libwbclient/libwbclient.h \ + src/sss_client/libwbclient/wbc_err_internal.h \ + src/sss_client/libwbclient/wbclient_internal.h \ + src/sss_client/libwbclient/wbc_sssd_internal.h \ + src/sss_client/nfs/nfsidmap_internal.h \ + src/lib/idmap/sss_idmap_private.h \ + src/lib/sifp/sss_sifp_private.h \ + src/lib/winbind_idmap_sss/winbind_idmap_sss.h \ + src/tests/cmocka/test_utils.h src/tools/common/sss_tools.h \ + src/tools/common/sss_process.h src/tools/common/sss_colondb.h \ + src/tools/sssctl/sssctl.h src/util/probes.h src/shared/io.h \ + src/shared/murmurhash3.h src/shared/safealign.h \ + src/p11_child/p11_child.h src/util/crypto/nss/nss_util.h \ + src/util/crypto/nss/nss_crypto.h \ + src/lib/certmap/sss_certmap_int.h +am__include_HEADERS_DIST = src/lib/ipa_hbac/ipa_hbac.h \ + src/lib/idmap/sss_idmap.h src/sss_client/idmap/sss_nss_idmap.h \ + src/lib/certmap/sss_certmap.h \ + 
src/sss_client/libwbclient/wbclient_sssd.h \ + src/lib/sifp/sss_sifp.h src/lib/sifp/sss_sifp_dbus.h +HEADERS = $(dist_noinst_HEADERS) $(include_HEADERS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +am__recursive_targets = \ + $(RECURSIVE_TARGETS) \ + $(RECURSIVE_CLEAN_TARGETS) \ + $(am__extra_recursive_targets) +AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \ + cscope check recheck distdir dist dist-all distcheck +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) \ + $(LISP)config.h.in +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +CSCOPE = cscope +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +am__recheck_rx = ^[ ]*:recheck:[ ]* +am__global_test_result_rx = ^[ ]*:global-test-result:[ ]* +am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]* +# A command that, given a newline-separated list of test names on the +# standard input, print the name of the tests that are to be re-run +# upon "make recheck". +am__list_recheck_tests = $(AWK) '{ \ + recheck = 1; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + { \ + if ((getline line2 < ($$0 ".log")) < 0) \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \ + { \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \ + { \ + break; \ + } \ + }; \ + if (recheck) \ + print $$0; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# A command that, given a newline-separated list of test names on the +# standard input, create the global log from their .trs and .log files. 
+am__create_global_log = $(AWK) ' \ +function fatal(msg) \ +{ \ + print "fatal: making $@: " msg | "cat >&2"; \ + exit 1; \ +} \ +function rst_section(header) \ +{ \ + print header; \ + len = length(header); \ + for (i = 1; i <= len; i = i + 1) \ + printf "="; \ + printf "\n\n"; \ +} \ +{ \ + copy_in_global_log = 1; \ + global_test_result = "RUN"; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".trs"); \ + if (line ~ /$(am__global_test_result_rx)/) \ + { \ + sub("$(am__global_test_result_rx)", "", line); \ + sub("[ ]*$$", "", line); \ + global_test_result = line; \ + } \ + else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \ + copy_in_global_log = 0; \ + }; \ + if (copy_in_global_log) \ + { \ + rst_section(global_test_result ": " $$0); \ + while ((rc = (getline line < ($$0 ".log"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".log"); \ + print line; \ + }; \ + printf "\n"; \ + }; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# Restructured Text title. +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +# Solaris 10 'make', and several other traditional 'make' implementations, +# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it +# by disabling -e (using the XSI extension "set +e") if it's set. +am__sh_e_setup = case $$- in *e*) set +e;; esac +# Default flags passed to test drivers. +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +# To be inserted before the command running the test. Creates the +# directory for the log if needed. Stores in $dir the directory +# containing $f, in $tst the test, in $log the log. Executes the +# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and +# passes TESTS_ENVIRONMENT. 
Set up options for the wrapper that +# will run the test scripts (or their associated LOG_COMPILER, if +# thy have one). +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." || test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; \ +case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \ + am__expect_failure=yes;; \ + *) \ + am__expect_failure=no;; \ +esac; \ +$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT) +# A shell command to get the names of the tests scripts with any registered +# extension removed (i.e., equivalently, the names of the test logs, with +# the '.log' extension removed). The result is saved in the shell variable +# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly, +# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)", +# since that might cause problem with VPATH rewrites for suffix-less tests. +# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'. 
+am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ + bases=`echo $$bases` +RECHECK_LOGS = $(TEST_LOGS) +@BUILD_PYTHON2_BINDINGS_TRUE@am__EXEEXT_26 = \ +@BUILD_PYTHON2_BINDINGS_TRUE@ src/config/SSSDConfigTest.py2.sh \ +@BUILD_PYTHON2_BINDINGS_TRUE@ src/tests/pyhbac-test.py2.sh \ +@BUILD_PYTHON2_BINDINGS_TRUE@ src/tests/pysss_murmur-test.py2.sh +@BUILD_PYTHON3_BINDINGS_TRUE@am__EXEEXT_27 = \ +@BUILD_PYTHON3_BINDINGS_TRUE@ src/config/SSSDConfigTest.py3.sh \ +@BUILD_PYTHON3_BINDINGS_TRUE@ src/tests/pyhbac-test.py3.sh \ +@BUILD_PYTHON3_BINDINGS_TRUE@ src/tests/pysss_murmur-test.py3.sh +am__EXEEXT_28 = $(am__EXEEXT_26) $(am__EXEEXT_27) +TEST_SUITE_LOG = test-suite.log +LOG_DRIVER = $(SHELL) $(top_srcdir)/build/test-driver +LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS) +am__set_b = \ + case '$@' in \ + */*) \ + case '$*' in \ + */*) b='$*';; \ + *) b=`echo '$@' | sed 's/\.log$$//'`; \ + esac;; \ + *) \ + b='$*';; \ + esac +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log) +TEST_LOGS = $(am__test_logs2:.sh.log=.log) +SH_LOG_DRIVER = $(SHELL) $(top_srcdir)/build/test-driver +SH_LOG_COMPILE = $(SH_LOG_COMPILER) $(AM_SH_LOG_FLAGS) $(SH_LOG_FLAGS) +DIST_SUBDIRS = po src/man . 
src/tests/cwrap src/tests/intg \ + src/tests/test_CA +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \ + $(top_srcdir)/build/ar-lib $(top_srcdir)/build/compile \ + $(top_srcdir)/build/config.guess \ + $(top_srcdir)/build/config.rpath \ + $(top_srcdir)/build/config.sub $(top_srcdir)/build/depcomp \ + $(top_srcdir)/build/install-sh $(top_srcdir)/build/ltmain.sh \ + $(top_srcdir)/build/missing $(top_srcdir)/build/mkinstalldirs \ + $(top_srcdir)/build/test-driver \ + $(top_srcdir)/contrib/sssd-pcsc.rules.in \ + $(top_srcdir)/contrib/sssd.spec.in \ + $(top_srcdir)/src/config/SSSDConfig/__init__.py.in \ + $(top_srcdir)/src/config/setup.py.in \ + $(top_srcdir)/src/doxy.config.in \ + $(top_srcdir)/src/examples/rwtab.in \ + $(top_srcdir)/src/lib/certmap/sss_certmap.doxy.in \ + $(top_srcdir)/src/lib/certmap/sss_certmap.pc.in \ + $(top_srcdir)/src/lib/idmap/sss_idmap.doxy.in \ + $(top_srcdir)/src/lib/idmap/sss_idmap.pc.in \ + $(top_srcdir)/src/lib/ipa_hbac/ipa_hbac.doxy.in \ + $(top_srcdir)/src/lib/ipa_hbac/ipa_hbac.pc.in \ + $(top_srcdir)/src/lib/sifp/sss_simpleifp.doxy.in \ + $(top_srcdir)/src/lib/sifp/sss_simpleifp.pc.in \ + $(top_srcdir)/src/sss_client/idmap/sss_nss_idmap.doxy.in \ + $(top_srcdir)/src/sss_client/idmap/sss_nss_idmap.pc.in \ + $(top_srcdir)/src/sss_client/libwbclient/wbclient_sssd.pc.in \ + $(top_srcdir)/src/systemtap/sssd.stp.in \ + $(top_srcdir)/src/sysv/SUSE/sssd.in \ + $(top_srcdir)/src/sysv/gentoo/sssd.in \ + $(top_srcdir)/src/sysv/sssd.in ABOUT-NLS COPYING build/ar-lib \ + build/compile build/config.guess build/config.rpath \ + build/config.sub build/depcomp build/install-sh \ + build/ltmain.sh build/missing build/mkinstalldirs +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +distdir = $(PACKAGE)-$(VERSION) +top_distdir = $(distdir) +am__remove_distdir = \ + if test -d "$(distdir)"; then \ + find "$(distdir)" -type d ! 
-perm -200 -exec chmod u+w {} ';' \ + && rm -rf "$(distdir)" \ + || { sleep 5 && rm -rf "$(distdir)"; }; \ + else :; fi +am__post_remove_distdir = $(am__remove_distdir) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" +DIST_ARCHIVES = $(distdir).tar.gz +GZIP_ENV = --best +DIST_TARGETS = dist-gzip +distuninstallcheck_listfiles = find . -type f -print +am__distuninstallcheck_listfiles = $(distuninstallcheck_listfiles) \ + | sed 's|^\./|$(prefix)/|' | grep -v '$(infodir)/dir$$' +distcleancheck_listfiles = find . 
-type f -print +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CARES_CFLAGS = @CARES_CFLAGS@ +CARES_LIBS = @CARES_LIBS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CERTUTIL = @CERTUTIL@ +CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +CMOCKA_CFLAGS = @CMOCKA_CFLAGS@ +CMOCKA_LIBS = @CMOCKA_LIBS@ +COLLECTION_CFLAGS = @COLLECTION_CFLAGS@ +COLLECTION_LIBS = @COLLECTION_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CURL_CFLAGS = @CURL_CFLAGS@ +CURL_LIBS = @CURL_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DBUS_CFLAGS = @DBUS_CFLAGS@ +DBUS_LIBS = @DBUS_LIBS@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DHASH_CFLAGS = @DHASH_CFLAGS@ +DHASH_LIBS = @DHASH_LIBS@ +DLLTOOL = @DLLTOOL@ +DOCBOOK_XSLT = @DOCBOOK_XSLT@ +DOXYGEN = @DOXYGEN@ +DSYMUTIL = @DSYMUTIL@ +DTRACE = @DTRACE@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GDM_PAM_EXTENSIONS_CFLAGS = @GDM_PAM_EXTENSIONS_CFLAGS@ +GDM_PAM_EXTENSIONS_LIBS = @GDM_PAM_EXTENSIONS_LIBS@ +GLIB2_CFLAGS = @GLIB2_CFLAGS@ +GLIB2_LIBS = @GLIB2_LIBS@ +GMSGFMT = @GMSGFMT@ +GPO_DEFAULT = @GPO_DEFAULT@ +GREP = @GREP@ +HAVE_FAKEROOT = @HAVE_FAKEROOT@ +HAVE_LDAPMODIFY = @HAVE_LDAPMODIFY@ +HAVE_MANPAGES = @HAVE_MANPAGES@ +HAVE_NSS_WRAPPER = @HAVE_NSS_WRAPPER@ +HAVE_PYTHON2 = @HAVE_PYTHON2@ +HAVE_PYTHON2_BINDINGS = @HAVE_PYTHON2_BINDINGS@ +HAVE_PYTHON3 = @HAVE_PYTHON3@ +HAVE_PYTHON3_BINDINGS = @HAVE_PYTHON3_BINDINGS@ +HAVE_SELINUX = @HAVE_SELINUX@ +HAVE_SEMANAGE = @HAVE_SEMANAGE@ +HAVE_UID_WRAPPER = @HAVE_UID_WRAPPER@ +HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@ +HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@ +INI_CONFIG_CFLAGS = @INI_CONFIG_CFLAGS@ +INI_CONFIG_LIBS = @INI_CONFIG_LIBS@ +INI_CONFIG_V0_CFLAGS = @INI_CONFIG_V0_CFLAGS@ +INI_CONFIG_V0_LIBS = @INI_CONFIG_V0_LIBS@ 
+INI_CONFIG_V1_1_CFLAGS = @INI_CONFIG_V1_1_CFLAGS@ +INI_CONFIG_V1_1_LIBS = @INI_CONFIG_V1_1_LIBS@ +INI_CONFIG_V1_3_CFLAGS = @INI_CONFIG_V1_3_CFLAGS@ +INI_CONFIG_V1_3_LIBS = @INI_CONFIG_V1_3_LIBS@ +INI_CONFIG_V1_CFLAGS = @INI_CONFIG_V1_CFLAGS@ +INI_CONFIG_V1_LIBS = @INI_CONFIG_V1_LIBS@ +INOTIFY_LIBS = @INOTIFY_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +JANSSON_CFLAGS = @JANSSON_CFLAGS@ +JANSSON_LIBS = @JANSSON_LIBS@ +JOURNALD_CFLAGS = @JOURNALD_CFLAGS@ +JOURNALD_LIBS = @JOURNALD_LIBS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_CONFIG = @KRB5_CONFIG@ +KRB5_LIBS = @KRB5_LIBS@ +LD = @LD@ +LDB_CFLAGS = @LDB_CFLAGS@ +LDB_LIBS = @LDB_LIBS@ +LDFLAGS = @LDFLAGS@ +LIBADD_DL = @LIBADD_DL@ +LIBADD_DLD_LINK = @LIBADD_DLD_LINK@ +LIBADD_DLOPEN = @LIBADD_DLOPEN@ +LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@ +LIBADD_TIMER = @LIBADD_TIMER@ +LIBCLOCK_GETTIME = @LIBCLOCK_GETTIME@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNL1_CFLAGS = @LIBNL1_CFLAGS@ +LIBNL1_LIBS = @LIBNL1_LIBS@ +LIBNL3_CFLAGS = @LIBNL3_CFLAGS@ +LIBNL3_LIBS = @LIBNL3_LIBS@ +LIBNL_CFLAGS = @LIBNL_CFLAGS@ +LIBNL_LIBS = @LIBNL_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_DLLOADERS = @LT_DLLOADERS@ +LT_DLPREOPEN = @LT_DLPREOPEN@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGMERGE = @MSGMERGE@ +NDR_KRB5PAC_CFLAGS = @NDR_KRB5PAC_CFLAGS@ +NDR_KRB5PAC_LIBS = @NDR_KRB5PAC_LIBS@ +NDR_NBT_CFLAGS = @NDR_NBT_CFLAGS@ +NDR_NBT_LIBS = @NDR_NBT_LIBS@ +NFSIDMAP_CFLAGS = @NFSIDMAP_CFLAGS@ +NFSIDMAP_LIBS = @NFSIDMAP_LIBS@ +NFSIDMAP_OBJ = @NFSIDMAP_OBJ@ +NM = @NM@ 
+NMEDIT = @NMEDIT@ +NSCD = @NSCD@ +NSCD_PATH = @NSCD_PATH@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +NSUPDATE = @NSUPDATE@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENLDAP_CFLAGS = @OPENLDAP_CFLAGS@ +OPENLDAP_LIBS = @OPENLDAP_LIBS@ +OPENSSL = @OPENSSL@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +P11TOOL = @P11TOOL@ +P11_KIT_CFLAGS = @P11_KIT_CFLAGS@ +P11_KIT_LIBS = @P11_KIT_LIBS@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_LIBS = @PAM_LIBS@ +PAM_MISC_LIBS = @PAM_MISC_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PCRE_CFLAGS = @PCRE_CFLAGS@ +PCRE_LIBS = @PCRE_LIBS@ +PK12UTIL = @PK12UTIL@ +PKG_CONFIG = @PKG_CONFIG@ +PO4A = @PO4A@ +POPT_CFLAGS = @POPT_CFLAGS@ +POPT_LIBS = @POPT_LIBS@ +POSUB = @POSUB@ +PRERELEASE_VERSION = @PRERELEASE_VERSION@ +PYTEST = @PYTEST@ +PYTHON = @PYTHON@ +PYTHON2 = @PYTHON2@ +PYTHON2_CFLAGS = @PYTHON2_CFLAGS@ +PYTHON2_EXEC_PREFIX = @PYTHON2_EXEC_PREFIX@ +PYTHON2_INCLUDES = @PYTHON2_INCLUDES@ +PYTHON2_LIBS = @PYTHON2_LIBS@ +PYTHON2_PREFIX = @PYTHON2_PREFIX@ +PYTHON2_VERSION = @PYTHON2_VERSION@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON3_VERSION = @PYTHON3_VERSION@ +PYTHON_CONFIG = @PYTHON_CONFIG@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RESOLV_CFLAGS = @RESOLV_CFLAGS@ +RESOLV_LIBS = @RESOLV_LIBS@ +SASL_CFLAGS = @SASL_CFLAGS@ +SASL_LIBS = @SASL_LIBS@ +SED = @SED@ +SELINUX_LIBS = @SELINUX_LIBS@ +SEMANAGE_LIBS = @SEMANAGE_LIBS@ +SERVICE = @SERVICE@ +SET_MAKE = @SET_MAKE@ +SGML_CATALOG_FILES = @SGML_CATALOG_FILES@ +SHELL = @SHELL@ +SLAPD = @SLAPD@ +SMBCLIENT_CFLAGS 
= @SMBCLIENT_CFLAGS@ +SMBCLIENT_LIBS = @SMBCLIENT_LIBS@ +SOFTHSM2_PATH = @SOFTHSM2_PATH@ +SOFTHSM2_UTIL = @SOFTHSM2_UTIL@ +SSH_KEYGEN = @SSH_KEYGEN@ +SSL_CFLAGS = @SSL_CFLAGS@ +SSL_LIBS = @SSL_LIBS@ +SSSD_USER = @SSSD_USER@ +STRIP = @STRIP@ +SYSTEMD_DAEMON_CFLAGS = @SYSTEMD_DAEMON_CFLAGS@ +SYSTEMD_DAEMON_LIBS = @SYSTEMD_DAEMON_LIBS@ +SYSTEMD_LOGIN_CFLAGS = @SYSTEMD_LOGIN_CFLAGS@ +SYSTEMD_LOGIN_LIBS = @SYSTEMD_LOGIN_LIBS@ +TALLOC_CFLAGS = @TALLOC_CFLAGS@ +TALLOC_LIBS = @TALLOC_LIBS@ +TDB_CFLAGS = @TDB_CFLAGS@ +TDB_LIBS = @TDB_LIBS@ +TEST_DIR = @TEST_DIR@ +TEVENT_CFLAGS = @TEVENT_CFLAGS@ +TEVENT_LIBS = @TEVENT_LIBS@ +UNICODE_LIBS = @UNICODE_LIBS@ +USE_NLS = @USE_NLS@ +UUID_CFLAGS = @UUID_CFLAGS@ +UUID_LIBS = @UUID_LIBS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XMLLINT = @XMLLINT@ +XSLTPROC = @XSLTPROC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +appmodpath = @appmodpath@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cifspluginpath = @cifspluginpath@ +config_def_ccache_dir = @config_def_ccache_dir@ +config_def_ccname_template = @config_def_ccname_template@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbpath = @dbpath@ +docdir = @docdir@ +dvidir = @dvidir@ +environment_file = @environment_file@ +exec_prefix = @exec_prefix@ +gpocachepath = @gpocachepath@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +initdir = @initdir@ +install_sh = @install_sh@ +krb5authdatapluginpath = @krb5authdatapluginpath@ 
+krb5pluginpath = @krb5pluginpath@ +krb5rcachedir = @krb5rcachedir@ +ldblibdir = @ldblibdir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libwbclient_version = @libwbclient_version@ +libwbclient_version_info = @libwbclient_version_info@ +localedir = @localedir@ +localstatedir = @localstatedir@ +logpath = @logpath@ +mandir = @mandir@ +mcpath = @mcpath@ +mkdir_p = @mkdir_p@ +nfsidmaplibdir = @nfsidmaplibdir@ +nfslibpath = @nfslibpath@ +nsslibdir = @nsslibdir@ +oldincludedir = @oldincludedir@ +pammoddir = @pammoddir@ +pdfdir = @pdfdir@ +pidpath = @pidpath@ +pipepath = @pipepath@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pluginpath = @pluginpath@ +polkitdir = @polkitdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pubconfpath = @pubconfpath@ +py2execdir = @py2execdir@ +py3execdir = @py3execdir@ +pyexecdir = @pyexecdir@ +python2dir = @python2dir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +secdbpath = @secdbpath@ +session_recording_shell = @session_recording_shell@ +sharedbuilddir = @sharedbuilddir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sudolibpath = @sudolibpath@ +sysconfdir = @sysconfdir@ +systemdconfdir = @systemdconfdir@ +systemdunitdir = @systemdunitdir@ +tapset_dir = @tapset_dir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +winbindpluginpath = @winbindpluginpath@ +extra_distcheck_flags = $(am__append_1) $(am__append_2) +DISTCHECK_CONFIGURE_FLAGS = --with-ldb-lib-dir="$$dc_install_base"/lib/ldb \ + --disable-dbus-tests \ + --enable-all-experimental-features \ + $(extra_distcheck_flags) \ + $(AUX_DISTCHECK_CONFIGURE_FLAGS) + +CLEANFILES = $(NULL) $(am__append_46) *.X */*.X */*/*.X test_CA.stamp +BUILT_SOURCES = $(NULL) $(am__append_45) $(CODEGEN_CODE) \ + $(am__append_103) +SUBDIRS = po $(am__append_3) . 
src/tests/cwrap src/tests/intg \ + src/tests/test_CA +DISTSETUPOPTS = $(am__append_4) +sssdlibexecdir = $(libexecdir)/sssd +sssdlibdir = $(libdir)/sssd +sssddefaultconfdir = $(sssdlibdir)/conf +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@krb5plugindir = @krb5pluginpath@ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@krb5localauth_plugindir = @appmodpath@ +@BUILD_PAC_RESPONDER_TRUE@krb5authdata_plugindir = @krb5authdatapluginpath@ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifsplugindir = @cifspluginpath@ +@BUILD_SAMBA_TRUE@winbindplugindir = @winbindpluginpath@ +@BUILD_LIBWBCLIENT_TRUE@libwbclientdir = @appmodpath@ +sssdconfdir = $(sysconfdir)/sssd +sssddatadir = $(datadir)/sssd +sssdapiplugindir = $(sssddatadir)/sssd.api.d +sssdtapscriptdir = $(sssddatadir)/systemtap +dbuspolicydir = $(sysconfdir)/dbus-1/system.d +dbusservicedir = $(datadir)/dbus-1/system-services +sss_statedir = $(localstatedir)/lib/sss +pamlibdir = @pammoddir@ +autofslibdir = @appmodpath@ +nfslibdir = @nfsidmaplibdir@ +keytabdir = $(sss_statedir)/keytabs +pkgconfigdir = $(libdir)/pkgconfig +sudolibdir = @sudolibpath@ +pamconfdir = $(sysconfdir)/pam.d +systemtap_tapdir = @tapset_dir@ +sssdkcmdatadir = $(datadir)/sssd-kcm +deskprofilepath = $(sss_statedir)/deskprofile +@HAVE_SYSTEMD_UNIT_FALSE@ifp_exec_cmd = $(sssdlibexecdir)/sss_signal +@HAVE_SYSTEMD_UNIT_TRUE@ifp_exec_cmd = $(sssdlibexecdir)/sssd_ifp --uid 0 --gid 0 --dbus-activated +@HAVE_SYSTEMD_UNIT_FALSE@ifp_systemdservice = +@HAVE_SYSTEMD_UNIT_TRUE@ifp_systemdservice = SystemdService=sssd-ifp.service +@HAVE_SYSTEMD_UNIT_FALSE@ifp_restart = +@HAVE_SYSTEMD_UNIT_TRUE@ifp_restart = Restart=on-failure +AM_CFLAGS = $(am__append_5) $(am__append_6) +pkgconfig_DATA = src/lib/ipa_hbac/ipa_hbac.pc \ + src/lib/idmap/sss_idmap.pc \ + src/sss_client/idmap/sss_nss_idmap.pc $(am__append_38) \ + $(am__append_42) src/lib/certmap/sss_certmap.pc +ACLOCAL_AMFLAGS = -I m4 -I . 
+@HAVE_POLKIT_RULES_D_TRUE@@SSSD_USER_TRUE@polkit_rulesdir = $(polkitdir) +@HAVE_POLKIT_RULES_D_TRUE@@SSSD_USER_TRUE@dist_polkit_rules_DATA = contrib/sssd-pcsc.rules +@BUILD_KCM_TRUE@dist_sssdkcmdata_DATA = contrib/kcm_default_ccache +@HAVE_CHECK_TRUE@non_interactive_check_based_tests = dlopen-tests \ +@HAVE_CHECK_TRUE@ sysdb-tests strtonum-tests resolv-tests \ +@HAVE_CHECK_TRUE@ krb5-utils-tests check_and_open-tests \ +@HAVE_CHECK_TRUE@ files-tests refcount-tests fail_over-tests \ +@HAVE_CHECK_TRUE@ find_uid-tests auth-tests ipa_ldap_opt-tests \ +@HAVE_CHECK_TRUE@ ad_ldap_opt-tests crypto-tests util-tests \ +@HAVE_CHECK_TRUE@ debug-tests ipa_hbac-tests sss_idmap-tests \ +@HAVE_CHECK_TRUE@ responder_socket_access-tests \ +@HAVE_CHECK_TRUE@ safe-format-tests $(am__append_17) \ +@HAVE_CHECK_TRUE@ $(am__append_18) +@HAVE_CMOCKA_TRUE@non_interactive_cmocka_based_tests = nss-srv-tests \ +@HAVE_CMOCKA_TRUE@ test-find-uid test-io test-negcache \ +@HAVE_CMOCKA_TRUE@ test-authtok sss_nss_idmap-tests \ +@HAVE_CMOCKA_TRUE@ deskprofile_utils-tests dyndns-tests \ +@HAVE_CMOCKA_TRUE@ domain_resolution_order-tests fqnames-tests \ +@HAVE_CMOCKA_TRUE@ nestedgroups-tests test_sss_idmap \ +@HAVE_CMOCKA_TRUE@ test_ipa_idmap test_utils dp_opt_tests \ +@HAVE_CMOCKA_TRUE@ responder-get-domains-tests \ +@HAVE_CMOCKA_TRUE@ sbus-internal-tests config_check-tests \ +@HAVE_CMOCKA_TRUE@ sss_sifp-tests test_search_bases \ +@HAVE_CMOCKA_TRUE@ test_ldap_auth test_sdap_access \ +@HAVE_CMOCKA_TRUE@ test_sdap_certmap sdap-tests \ +@HAVE_CMOCKA_TRUE@ test_sysdb_ts_cache test_sysdb_views \ +@HAVE_CMOCKA_TRUE@ test_sysdb_subdomains test_sysdb_certmap \ +@HAVE_CMOCKA_TRUE@ test_sysdb_sudo test_sysdb_utils \ +@HAVE_CMOCKA_TRUE@ test_sysdb_domain_resolution_order \ +@HAVE_CMOCKA_TRUE@ test_wbc_calls test_be_ptask \ +@HAVE_CMOCKA_TRUE@ test_copy_ccache test_copy_keytab \ +@HAVE_CMOCKA_TRUE@ test_child_common responder_cache_req-tests \ +@HAVE_CMOCKA_TRUE@ test_sbus_opath test_fo_srv pam-srv-tests \ 
+@HAVE_CMOCKA_TRUE@ ssh-srv-tests test_ipa_subdom_util \ +@HAVE_CMOCKA_TRUE@ test_tools_colondb test_krb5_wait_queue \ +@HAVE_CMOCKA_TRUE@ test_cert_utils test_ldap_id_cleanup \ +@HAVE_CMOCKA_TRUE@ test_data_provider_be test_dp_request_table \ +@HAVE_CMOCKA_TRUE@ test_dp_request test_dp_builtin test_ipa_dn \ +@HAVE_CMOCKA_TRUE@ simple-access-tests krb5_common_test \ +@HAVE_CMOCKA_TRUE@ test_iobuf sss_certmap_test \ +@HAVE_CMOCKA_TRUE@ test_sssd_krb5_locator_plugin $(NULL) \ +@HAVE_CMOCKA_TRUE@ $(am__append_19) $(am__append_20) \ +@HAVE_CMOCKA_TRUE@ $(am__append_21) $(am__append_22) \ +@HAVE_CMOCKA_TRUE@ $(am__append_23) $(am__append_24) +PYTHON_TESTS = $(am__append_26) $(am__append_27) +TEST_EXTENSIONS = .sh +sssdlib_LTLIBRARIES = libsss_ldap.la libsss_krb5.la libsss_proxy.la \ + libsss_simple.la $(NULL) $(am__append_28) $(am__append_29) +ldblib_LTLIBRARIES = \ + memberof.la + +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@krb5plugin_LTLIBRARIES = \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ sssd_krb5_locator_plugin.la + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@krb5localauth_plugin_LTLIBRARIES = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ sssd_krb5_localauth_plugin.la + +@BUILD_PAC_RESPONDER_TRUE@krb5authdata_plugin_LTLIBRARIES = \ +@BUILD_PAC_RESPONDER_TRUE@ sssd_pac_plugin.la + +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifsplugin_LTLIBRARIES = \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ cifs_idmap_sss.la + +@BUILD_SAMBA_TRUE@winbindplugin_LTLIBRARIES = \ +@BUILD_SAMBA_TRUE@ winbind_idmap_sss.la \ +@BUILD_SAMBA_TRUE@ $(NULL) + +noinst_LTLIBRARIES = + +##################### +# Utility libraries # +##################### + +#################### +# Plugin Libraries # +#################### + +# libsss_krb5_common must be installed before libsss_ldap_common +# because libtool tries to relink libsss_ldap_common when installing +# libsss_ldap_common and therefore make distcheck fails +pkglib_LTLIBRARIES = libsss_debug.la libsss_child.la libsss_crypt.la \ + libsss_cert.la libsss_util.la libsss_semanage.la \ + 
libsss_krb5_common.la libsss_ldap_common.la +@BUILD_PYTHON2_BINDINGS_TRUE@py2exec_LTLIBRARIES = \ +@BUILD_PYTHON2_BINDINGS_TRUE@ _py2sss.la \ +@BUILD_PYTHON2_BINDINGS_TRUE@ _py2hbac.la \ +@BUILD_PYTHON2_BINDINGS_TRUE@ _py2sss_murmur.la \ +@BUILD_PYTHON2_BINDINGS_TRUE@ _py2sss_nss_idmap.la \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(NULL) + +@BUILD_PYTHON3_BINDINGS_TRUE@py3exec_LTLIBRARIES = \ +@BUILD_PYTHON3_BINDINGS_TRUE@ _py3sss.la \ +@BUILD_PYTHON3_BINDINGS_TRUE@ _py3hbac.la \ +@BUILD_PYTHON3_BINDINGS_TRUE@ _py3sss_murmur.la \ +@BUILD_PYTHON3_BINDINGS_TRUE@ _py3sss_nss_idmap.la \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(NULL) + +sbin_SCRIPTS = \ + src/tools/wrappers/sss_debuglevel \ + $(NULL) + +dist_noinst_SCRIPTS = \ + $(EXTRA_SCRIPTS) \ + src/config/setup.py \ + src/config/SSSDConfig/ipachangeconf.py \ + src/config/SSSDConfig/__init__.py \ + src/config/SSSDConfigTest.py \ + src/config/SSSDConfigTest.py2.sh \ + src/config/SSSDConfigTest.py3.sh \ + contrib/fedora/bashrc_sssd \ + contrib/fedora/make_srpm.sh \ + contrib/ci/clean \ + contrib/ci/rpm-spec-builddeps \ + contrib/ci/run \ + contrib/ci/valgrind-condense \ + src/tests/pyhbac-test.py \ + src/tests/pyhbac-test.py2.sh \ + src/tests/pyhbac-test.py3.sh \ + src/tests/pysss_murmur-test.py \ + src/tests/pysss_murmur-test.py2.sh \ + src/tests/pysss_murmur-test.py3.sh \ + src/tests/python-test.py \ + src/tests/whitespace_test \ + src/tests/double_semicolon_test \ + src/tests/krb5_proxy_check_test_data.conf \ + $(NULL) + +dist_noinst_DATA = src/config/testconfigs/sssd-valid.conf \ + src/config/testconfigs/noparse.api.conf \ + src/config/testconfigs/sssd-noversion.conf \ + src/config/testconfigs/sssd-badversion.conf \ + src/config/testconfigs/sssd-invalid.conf \ + src/config/testconfigs/sssd-invalid-badbool.conf \ + src/config/testconfigs/sssd-nonexisting-services-domains.conf \ + src/config/etc/sssd.api.d/crash_test_dummy \ + contrib/ci/README.md contrib/ci/configure.sh \ + contrib/ci/deps.sh contrib/ci/distro.sh contrib/ci/misc.sh 
\ + contrib/ci/sssd.supp $(SYSTEMTAP_PROBES) $(NULL) \ + src/lib/ipa_hbac/ipa_hbac.exports \ + src/lib/idmap/sss_idmap.exports \ + src/sss_client/idmap/sss_nss_idmap.exports $(am__append_39) \ + $(am__append_43) src/examples/sssd-example.conf \ + src/examples/sssdproxytest src/examples/sudo \ + src/examples/logrotate src/providers/sssd_be.exports \ + src/sss_client/COPYING src/sss_client/COPYING.LESSER src/m4 \ + src/lib/certmap/sss_certmap.exports $(am__append_59) \ + src/sss_client/sss_nss.exports src/sss_client/sss_pam.exports \ + $(am__append_69) $(am__append_70) m4 contrib/sssd.spec.in \ + BUILD.txt COPYING + +############################### +# Global compilation settings # +############################### +AM_CPPFLAGS = \ + -Wall \ + -I.. \ + -I$(srcdir)/src/sss_client \ + -I$(srcdir)/src \ + -I. \ + $(POPT_CFLAGS) \ + $(TALLOC_CFLAGS) \ + $(TDB_CFLAGS) \ + $(TEVENT_CFLAGS) \ + $(LDB_CFLAGS) \ + $(DBUS_CFLAGS) \ + $(PCRE_CFLAGS) \ + $(INI_CONFIG_CFLAGS) \ + $(DHASH_CFLAGS) \ + $(LIBNL_CFLAGS) \ + $(OPENLDAP_CFLAGS) \ + $(GLIB2_CFLAGS) \ + $(JOURNALD_CFLAGS) \ + -DLIBDIR=\"$(libdir)\" \ + -DVARDIR=\"$(localstatedir)\" \ + -DSSS_STATEDIR=\"$(sss_statedir)\" \ + -DSYSCONFDIR=\"$(sysconfdir)\" \ + -DSHLIBEXT=\"$(SHLIBEXT)\" \ + -DSSSDDATADIR=\"$(sssddatadir)\" \ + -DSSSD_LIBEXEC_PATH=\"$(sssdlibexecdir)\" \ + -DSSSD_CONF_DIR=\"$(sssdconfdir)\" \ + -DSSS_NSS_MCACHE_DIR=\"$(mcpath)\" \ + -DSSS_NSS_SOCKET_NAME=\"$(pipepath)/nss\" \ + -DSSS_PAM_SOCKET_NAME=\"$(pipepath)/pam\" \ + -DSSS_PAC_SOCKET_NAME=\"$(pipepath)/pac\" \ + -DSSS_PAM_PRIV_SOCKET_NAME=\"$(pipepath)/private/pam\" \ + -DSSS_SEC_SOCKET_NAME=\"$(runstatedir)/secrets.socket\" \ + -DSSS_SUDO_SOCKET_NAME=\"$(pipepath)/sudo\" \ + -DSSS_AUTOFS_SOCKET_NAME=\"$(pipepath)/autofs\" \ + -DSSS_SSH_SOCKET_NAME=\"$(pipepath)/ssh\" \ + -DLOCALEDIR=\"$(localedir)\" \ + -DBASE_FILE_STEM=\"$(*F)\" \ + $(NULL) + +EXTRA_DIST = $(SBUS_CODEGEN) $(CODEGEN_XML) $(am__append_47) \ + src/sysv/systemd/sssd.service.in \ + 
src/sysv/systemd/sssd-nss.socket.in \ + src/sysv/systemd/sssd-nss.service.in \ + src/sysv/systemd/sssd-pam.socket.in \ + src/sysv/systemd/sssd-pam-priv.socket.in \ + src/sysv/systemd/sssd-pam.service.in \ + src/sysv/systemd/sssd-secrets.socket.in \ + src/sysv/systemd/sssd-secrets.service.in $(NULL) \ + $(am__append_97) $(am__append_98) $(am__append_99) \ + $(am__append_100) $(am__append_101) $(am__append_102) \ + src/tools/wrappers/sss_debuglevel.in $(NULL) +SSSD_CACHE_REQ_OBJ = \ + src/responder/common/cache_req/cache_req.c \ + src/responder/common/cache_req/cache_req_result.c \ + src/responder/common/cache_req/cache_req_search.c \ + src/responder/common/cache_req/cache_req_data.c \ + src/responder/common/cache_req/cache_req_domain.c \ + src/responder/common/cache_req/cache_req_sr_overlay.c \ + src/responder/common/cache_req/plugins/cache_req_common.c \ + src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + 
src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + $(NULL) + +SSSD_RESPONDER_IFACE_OBJ = \ + src/responder/common/iface/responder_iface.c \ + src/responder/common/iface/responder_domain.c \ + src/responder/common/iface/responder_ncache.c \ + src/responder/common/iface/responder_iface_generated.c \ + $(NULL) + +SSSD_RESPONDER_OBJ = \ + src/responder/common/negcache_files.c \ + src/responder/common/negcache.c \ + src/responder/common/responder_cmd.c \ + src/responder/common/responder_common.c \ + src/responder/common/responder_dp.c \ + src/responder/common/responder_dp_ssh.c \ + src/responder/common/responder_packet.c \ + src/responder/common/responder_get_domains.c \ + src/responder/common/responder_utils.c \ + src/responder/common/data_provider/rdp_message.c \ + src/responder/common/data_provider/rdp_client.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider_req.c \ + src/util/session_recording.c \ + $(SSSD_RESPONDER_IFACE_OBJ) \ + $(SSSD_CACHE_REQ_OBJ) \ + $(NULL) + +SSSD_TOOLS_OBJ = \ + src/tools/sss_sync_ops.c \ + src/tools/tools_util.c \ + src/tools/common/sss_tools.c \ + src/tools/common/sss_process.c \ + src/confdb/confdb_setup.c \ + src/util/nscd.c \ + $(NULL) + +SSSD_LCL_TOOLS_OBJ = \ + src/sss_client/common.c \ + src/tools/tools_mc_util.c \ + $(SSSD_TOOLS_OBJ) + +SSSD_RESOLV_OBJ = \ + src/resolv/async_resolv.c \ + src/resolv/async_resolv_utils.c + +SSSD_FAILOVER_OBJ = \ + src/providers/fail_over.c \ + src/providers/fail_over_srv.c \ + $(SSSD_RESOLV_OBJ) + +SSSD_LIBS = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(POPT_LIBS) \ + $(LDB_LIBS) \ + $(DBUS_LIBS) \ + $(DHASH_LIBS) \ + $(SELINUX_LIBS) \ + $(TDB_LIBS) + +PYTHON_BINDINGS_LIBS = $(TALLOC_LIBS) $(POPT_LIBS) $(LDB_LIBS) $(NULL) \ + $(am__append_30) +TOOLS_LIBS = 
$(LTLIBINTL) $(TALLOC_LIBS) $(TEVENT_LIBS) $(POPT_LIBS) \ + $(LDB_LIBS) $(DBUS_LIBS) $(DHASH_LIBS) $(TDB_LIBS) \ + $(am__append_31) +dist_noinst_HEADERS = src/monitor/monitor.h \ + src/util/crypto/sss_crypto.h \ + src/util/crypto/libcrypto/sss_openssl.h src/util/cert.h \ + src/util/dlinklist.h src/util/debug.h src/util/util.h \ + src/util/util_errors.h src/util/safe-format-string.h \ + src/util/session_recording.h src/util/strtonum.h \ + src/util/sss_cli_cmd.h src/util/sss_ptr_hash.h \ + src/util/sss_endian.h src/util/sss_nss.h src/util/sss_ldap.h \ + src/util/sss_python.h src/util/sss_krb5.h \ + src/util/sss_selinux.h src/util/sss_sockets.h \ + src/util/sss_utf8.h src/util/sss_ssh.h src/util/sss_ini.h \ + src/util/sss_format.h src/util/refcount.h src/util/find_uid.h \ + src/util/user_info_msg.h src/util/mmap_cache.h \ + src/util/atomic_io.h src/util/auth_utils.h src/util/authtok.h \ + src/util/authtok-utils.h src/util/util_sss_idmap.h \ + src/util/util_creds.h src/util/inotify.h src/util/sss_iobuf.h \ + src/util/tev_curl.h src/monitor/monitor.h \ + src/monitor/monitor_interfaces.h \ + src/monitor/monitor_iface_generated.h \ + src/responder/common/responder.h \ + src/responder/common/responder_packet.h \ + src/responder/common/responder_sbus.h \ + src/responder/common/iface/responder_iface.h \ + src/responder/common/iface/responder_iface_generated.h \ + src/responder/common/cache_req/cache_req.h \ + src/responder/common/cache_req/cache_req_domain.h \ + src/responder/common/cache_req/cache_req_plugin.h \ + src/responder/common/cache_req/cache_req_private.h \ + src/responder/common/data_provider/rdp.h \ + src/responder/pam/pamsrv.h src/responder/pam/pam_helpers.h \ + src/responder/nss/nss_private.h \ + src/responder/nss/nss_protocol.h \ + src/responder/nss/nss_iface_generated.h \ + src/responder/nss/nss_iface.h \ + src/responder/nss/nsssrv_mmap_cache.h \ + src/responder/pac/pacsrv.h \ + src/responder/common/negcache_files.h \ + src/responder/common/negcache.h \ + 
src/responder/sudo/sudosrv_private.h \ + src/responder/autofs/autofs_private.h \ + src/responder/ssh/ssh_private.h \ + src/responder/ifp/ifp_iface_generated.h \ + src/responder/ifp/ifp_iface.h src/responder/ifp/ifp_private.h \ + src/responder/ifp/ifp_domains.h \ + src/responder/ifp/ifp_components.h \ + src/responder/ifp/ifp_users.h src/responder/ifp/ifp_groups.h \ + src/responder/ifp/ifp_cache.h src/responder/secrets/secsrv.h \ + src/responder/secrets/secsrv_private.h \ + src/responder/secrets/secsrv_local.h \ + src/responder/secrets/secsrv_proxy.h src/responder/kcm/kcm.h \ + src/responder/kcm/kcmsrv_pvt.h \ + src/responder/kcm/kcmsrv_ccache.h \ + src/responder/kcm/kcmsrv_ccache_pvt.h \ + src/responder/kcm/kcmsrv_ccache_be.h \ + src/responder/kcm/kcmsrv_ops.h src/sbus/sbus_client.h \ + src/sbus/sssd_dbus.h src/sbus/sssd_dbus_meta.h \ + src/sbus/sssd_dbus_private.h src/sbus/sssd_dbus_invokers.h \ + src/sbus/sssd_dbus_errors.h src/sbus/sssd_dbus_utils.h \ + src/db/sysdb.h src/db/sysdb_sudo.h src/db/sysdb_autofs.h \ + src/db/sysdb_selinux.h src/db/sysdb_private.h \ + src/db/sysdb_services.h src/db/sysdb_ssh.h \ + src/db/sysdb_domain_resolution_order.h src/confdb/confdb.h \ + src/confdb/confdb_private.h src/confdb/confdb_setup.h \ + src/providers/data_provider.h \ + src/providers/data_provider_req.h \ + src/providers/data_provider/dp.h \ + src/providers/data_provider/dp_flags.h \ + src/providers/data_provider/dp_responder_iface.h \ + src/providers/data_provider/dp_private.h \ + src/providers/data_provider/dp_request.h \ + src/providers/data_provider/dp_custom_data.h \ + src/providers/data_provider/dp_builtin.h \ + src/providers/data_provider/dp_iface_generated.h \ + src/providers/data_provider/dp_iface.h src/providers/backend.h \ + src/providers/be_dyndns.h src/providers/be_ptask_private.h \ + src/providers/be_ptask.h src/providers/be_refresh.h \ + src/providers/fail_over.h src/providers/fail_over_srv.h \ + src/util/child_common.h src/providers/simple/simple_access.h \ 
+ src/providers/simple/simple_access_pvt.h \ + src/providers/krb5/krb5_auth.h \ + src/providers/krb5/krb5_common.h \ + src/providers/krb5/krb5_utils.h \ + src/providers/krb5/krb5_init_shared.h \ + src/providers/krb5/krb5_opts.h \ + src/providers/krb5/krb5_ccache.h \ + src/providers/ldap/ldap_common.h src/providers/ldap/sdap.h \ + src/providers/ldap/sdap_access.h \ + src/providers/ldap/sdap_async.h \ + src/providers/ldap/sdap_async_ad.h \ + src/providers/ldap/sdap_async_private.h \ + src/providers/ldap/sdap_sudo.h \ + src/providers/ldap/sdap_sudo_shared.h \ + src/providers/ldap/sdap_autofs.h \ + src/providers/ldap/sdap_id_op.h src/providers/ldap/ldap_opts.h \ + src/providers/ldap/ldap_auth.h src/providers/ldap/sdap_range.h \ + src/providers/ldap/sdap_users.h \ + src/providers/ldap/sdap_dyndns.h \ + src/providers/ldap/sdap_async_enum.h \ + src/providers/ldap/sdap_ops.h src/providers/ipa/ipa_common.h \ + src/providers/ipa/ipa_config.h src/providers/ipa/ipa_access.h \ + src/providers/ipa/ipa_selinux.h src/providers/ipa/ipa_hosts.h \ + src/providers/ipa/ipa_selinux_maps.h \ + src/providers/ipa/ipa_auth.h src/providers/ipa/ipa_dyndns.h \ + src/providers/ipa/ipa_subdomains.h src/providers/ipa/ipa_id.h \ + src/providers/ipa/ipa_opts.h src/providers/ipa/ipa_srv.h \ + src/providers/ipa/ipa_dn.h src/providers/ipa/ipa_sudo.h \ + src/providers/ipa/ipa_session.h src/providers/ad/ad_srv.h \ + src/providers/ad/ad_common.h src/providers/ad/ad_pac.h \ + src/providers/ad/ad_id.h src/providers/ad/ad_access.h \ + src/providers/ad/ad_gpo.h src/providers/ad/ad_opts.h \ + src/providers/ad/ad_domain_info.h \ + src/providers/ad/ad_subdomains.h src/providers/proxy/proxy.h \ + src/providers/proxy/proxy_iface_generated.h \ + src/providers/files/files_private.h src/tools/tools_util.h \ + src/tools/sss_sync_ops.h src/resolv/async_resolv.h \ + src/tests/common.h src/tests/common_check.h \ + src/tests/cmocka/common_mock.h \ + src/tests/cmocka/common_mock_resp.h \ + 
src/tests/cmocka/common_mock_sdap.h \ + src/tests/cmocka/common_mock_sysdb_objects.h \ + src/tests/cmocka/common_mock_krb5.h \ + src/tests/cmocka/common_mock_be.h \ + src/tests/cmocka/test_expire_common.h \ + src/tests/cmocka/test_sdap_access.h \ + src/tests/cmocka/data_provider/mock_dp.h \ + src/tests/sbus_codegen_tests_generated.h \ + src/sss_client/pam_message.h \ + src/sss_client/ssh/sss_ssh_client.h \ + src/sss_client/sudo/sss_sudo.h \ + src/sss_client/libwbclient/libwbclient.h \ + src/sss_client/libwbclient/wbc_err_internal.h \ + src/sss_client/libwbclient/wbclient_internal.h \ + src/sss_client/libwbclient/wbc_sssd_internal.h \ + src/sss_client/nfs/nfsidmap_internal.h \ + src/lib/idmap/sss_idmap_private.h \ + src/lib/sifp/sss_sifp_private.h \ + src/lib/winbind_idmap_sss/winbind_idmap_sss.h \ + src/tests/cmocka/test_utils.h src/tools/common/sss_tools.h \ + src/tools/common/sss_process.h src/tools/common/sss_colondb.h \ + src/tools/sssctl/sssctl.h src/util/probes.h src/shared/io.h \ + src/shared/murmurhash3.h src/shared/safealign.h \ + src/p11_child/p11_child.h $(NULL) $(am__append_32) \ + src/lib/certmap/sss_certmap_int.h +SSSD_DOCS = doc hbac_doc idmap_doc nss_idmap_doc $(am__append_33) +CLIENT_LIBS = $(LTLIBINTL) +@WITH_JOURNALD_TRUE@SYSLOG_LIBS = $(JOURNALD_LIBS) +libsss_debug_la_SOURCES = \ + src/util/debug.c \ + src/util/sss_log.c \ + src/util/sss_cli_cmd.c \ + $(NULL) + +libsss_debug_la_LIBADD = \ + $(SYSLOG_LIBS) + +libsss_debug_la_LDFLAGS = \ + -avoid-version + +libsss_child_la_SOURCES = src/util/child_common.c +libsss_child_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(DHASH_LIBS) \ + libsss_debug.la \ + $(NULL) + +libsss_child_la_LDFLAGS = -avoid-version +@HAVE_NSS_FALSE@SSS_CRYPT_SOURCES = src/util/crypto/libcrypto/crypto_base64.c \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/crypto_hmac_sha1.c \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/crypto_sha512crypt.c \ +@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/crypto_obfuscate.c \ 
+@HAVE_NSS_FALSE@ src/util/crypto/libcrypto/crypto_nite.c \ +@HAVE_NSS_FALSE@ src/util/crypto/sss_crypto.c \ +@HAVE_NSS_FALSE@ src/util/atomic_io.c \ +@HAVE_NSS_FALSE@ $(NULL) + + +# NOTE: +# Please try to avoid using SSS_CRYPT_{CFLAGS,LIBS} directly for compiling and +# linking programs or libraries. This is purpose of wrapper library +# libsss_crypt.so to hide internals. SSS_CRYPT_{CFLAGS,LIBS} might be used +# in unit tests if you directly uses functions from underlining crypto libraries +@HAVE_NSS_TRUE@SSS_CRYPT_SOURCES = src/util/crypto/nss/nss_base64.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_hmac_sha1.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_sha512crypt.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_obfuscate.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_nite.c \ +@HAVE_NSS_TRUE@ src/util/crypto/nss/nss_util.c \ +@HAVE_NSS_TRUE@ src/util/crypto/sss_crypto.c \ +@HAVE_NSS_TRUE@ src/util/atomic_io.c \ +@HAVE_NSS_TRUE@ $(NULL) + +@HAVE_NSS_FALSE@SSS_CRYPT_CFLAGS = $(CRYPTO_CFLAGS) +@HAVE_NSS_TRUE@SSS_CRYPT_CFLAGS = $(NSS_CFLAGS) +@HAVE_NSS_FALSE@SSS_CRYPT_LIBS = $(CRYPTO_LIBS) +@HAVE_NSS_TRUE@SSS_CRYPT_LIBS = $(NSS_LIBS) +@HAVE_NSS_FALSE@SSS_CERT_SOURCES = \ +@HAVE_NSS_FALSE@ src/util/cert/cert_common.c \ +@HAVE_NSS_FALSE@ src/util/cert/cert_common_p11_child.c \ +@HAVE_NSS_FALSE@ src/util/cert/libcrypto/cert.c \ +@HAVE_NSS_FALSE@ $(NULL) + +@HAVE_NSS_TRUE@SSS_CERT_SOURCES = \ +@HAVE_NSS_TRUE@ src/util/cert/cert_common.c \ +@HAVE_NSS_TRUE@ src/util/cert/cert_common_p11_child.c \ +@HAVE_NSS_TRUE@ src/util/cert/nss/cert.c \ +@HAVE_NSS_TRUE@ $(NULL) + +@HAVE_NSS_FALSE@SSS_CERT_CFLAGS = \ +@HAVE_NSS_FALSE@ $(CRYPTO_CFLAGS) \ +@HAVE_NSS_FALSE@ $(NULL) + +@HAVE_NSS_TRUE@SSS_CERT_CFLAGS = \ +@HAVE_NSS_TRUE@ $(NSS_CFLAGS) \ +@HAVE_NSS_TRUE@ $(NULL) + +@HAVE_NSS_FALSE@SSS_CERT_LIBS = \ +@HAVE_NSS_FALSE@ $(CRYPTO_LIBS) \ +@HAVE_NSS_FALSE@ $(NULL) + +@HAVE_NSS_TRUE@SSS_CERT_LIBS = \ +@HAVE_NSS_TRUE@ $(NSS_LIBS) \ +@HAVE_NSS_TRUE@ $(NULL) + +libsss_crypt_la_SOURCES = \ + 
$(SSS_CRYPT_SOURCES) + +libsss_crypt_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(SSS_CRYPT_CFLAGS) \ + $(DHASH_CFLAGS) + +libsss_crypt_la_LIBADD = \ + $(SSS_CRYPT_LIBS) \ + $(DHASH_LIBS) \ + $(TALLOC_LIBS) \ + libsss_debug.la \ + $(NULL) + +libsss_crypt_la_LDFLAGS = \ + -avoid-version + +libsss_cert_la_SOURCES = \ + $(SSS_CERT_SOURCES) \ + $(NULL) + +libsss_cert_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(SSS_CERT_CFLAGS) \ + $(NULL) + +# NOTE: +# There is a dependency between libsss_cert and libsss_child which should +# always be declared explicitly and if missing might cause issue in some +# environments (e.g. Gentoo or OpenSUSE build service), even if it is +# resolved otherwise while linking the binaries. +libsss_cert_la_LIBADD = \ + $(SSS_CERT_LIBS) \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + libsss_crypt.la \ + libsss_child.la \ + libsss_debug.la \ + libsss_certmap.la \ + $(NULL) + +libsss_cert_la_LDFLAGS = \ + -avoid-version \ + $(NULL) + +libsss_util_la_SOURCES = src/confdb/confdb.c src/db/sysdb.c \ + src/db/sysdb_ops.c src/db/sysdb_search.c \ + src/db/sysdb_selinux.c src/db/sysdb_upgrade.c \ + src/db/sysdb_init.c src/db/sysdb_services.c \ + src/db/sysdb_autofs.c src/db/sysdb_subdomains.c \ + src/db/sysdb_views.c src/db/sysdb_ranges.c \ + src/db/sysdb_idmap.c src/db/sysdb_gpo.c src/db/sysdb_certmap.c \ + src/db/sysdb_domain_resolution_order.c \ + src/monitor/monitor_sbus.c src/providers/dp_auth_util.c \ + src/providers/dp_pam_data_util.c \ + src/providers/data_provider/dp_sbus.c src/sbus/sbus_client.c \ + src/sbus/sssd_dbus_common.c src/sbus/sssd_dbus_connection.c \ + src/sbus/sssd_dbus_meta.c src/sbus/sssd_dbus_interface.c \ + src/sbus/sssd_dbus_introspect.c src/sbus/sssd_dbus_invokers.c \ + src/sbus/sssd_dbus_properties.c src/sbus/sssd_dbus_request.c \ + src/sbus/sssd_dbus_server.c src/sbus/sssd_dbus_signals.c \ + src/sbus/sssd_dbus_common_signals.c src/sbus/sssd_dbus_utils.c \ + src/util/util.c src/util/util_ext.c src/util/util_preauth.c \ + src/util/memory.c 
src/util/safe-format-string.c \ + src/util/server.c src/util/signal.c src/util/usertools.c \ + src/util/backup_file.c src/util/strtonum.c \ + src/util/check_and_open.c src/util/refcount.c \ + src/util/sss_nss.c src/util/sss_utf8.c src/util/sss_tc_utf8.c \ + src/util/murmurhash3.c src/util/atomic_io.c src/util/authtok.c \ + src/util/authtok-utils.c src/util/sss_selinux.c \ + src/util/domain_info_utils.c src/util/util_lock.c \ + src/util/util_errors.c src/util/find_uid.c src/util/sss_ini.c \ + src/util/io.c src/util/util_sss_idmap.c \ + src/util/well_known_sids.c src/util/string_utils.c \ + src/util/become_user.c src/util/util_watchdog.c \ + src/util/sss_ptr_hash.c src/util/files.c src/util/selinux.c \ + $(NULL) $(am__append_34) $(am__append_35) +libsss_util_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(SYSTEMD_LOGIN_CFLAGS) \ + $(NULL) + +libsss_util_la_LIBADD = $(LIBADD_TIMER) $(SSSD_LIBS) \ + $(SYSTEMD_LOGIN_LIBS) $(UNICODE_LIBS) $(PCRE_LIBS) \ + $(INI_CONFIG_LIBS) libsss_debug.la libsss_child.la \ + libsss_crypt.la libsss_cert.la $(NULL) $(am__append_36) +libsss_util_la_LDFLAGS = -avoid-version +libsss_semanage_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(TALLOC_CFLAGS) \ + $(NULL) + +libsss_semanage_la_SOURCES = \ + src/util/sss_semanage.c \ + $(NULL) + +libsss_semanage_la_LIBADD = $(TALLOC_LIBS) libsss_debug.la $(NULL) \ + $(am__append_37) +libsss_semanage_la_LDFLAGS = \ + -avoid-version + +SSSD_INTERNAL_LTLIBS = \ + libsss_util.la \ + libsss_crypt.la \ + libsss_debug.la \ + libsss_child.la \ + $(NULL) + +lib_LTLIBRARIES = libipa_hbac.la libsss_idmap.la libsss_nss_idmap.la \ + libsss_certmap.la $(NULL) $(am__append_41) +libipa_hbac_la_DEPENDENCIES = src/lib/ipa_hbac/ipa_hbac.exports +libipa_hbac_la_SOURCES = \ + src/lib/ipa_hbac/hbac_evaluator.c \ + src/util/sss_utf8.c + +# libipa_hbac is also used by external projects such as pam_hbac which +# support platforms that do not have a C99 compiler. 
We add -std=c89 +# explicitly here to make sure we don't accidentally add a C99 feature +# to the libipa_hbac code +libipa_hbac_la_CFLAGS = \ + $(AM_CFLAGS) \ + -I$(top_srcdir)/src/util \ + -std=c89 \ + $(NULL) + +libipa_hbac_la_LIBADD = \ + $(UNICODE_LIBS) + +libipa_hbac_la_LDFLAGS = \ + -Wl,--version-script,$(srcdir)/src/lib/ipa_hbac/ipa_hbac.exports \ + -version-info 1:0:1 + +libsss_idmap_la_DEPENDENCIES = src/lib/idmap/sss_idmap.exports +libsss_idmap_la_SOURCES = \ + src/lib/idmap/sss_idmap.c \ + src/lib/idmap/sss_idmap_conv.c \ + src/util/murmurhash3.c + +libsss_idmap_la_LDFLAGS = \ + -Wl,--version-script,$(srcdir)/src/lib/idmap/sss_idmap.exports \ + -version-info 5:1:5 + +libsss_nss_idmap_la_DEPENDENCIES = src/sss_client/idmap/sss_nss_idmap.exports +libsss_nss_idmap_la_SOURCES = \ + src/sss_client/idmap/sss_nss_idmap.c \ + src/sss_client/idmap/sss_nss_ex.c \ + src/sss_client/idmap/sss_nss_idmap_private.h \ + src/sss_client/common.c \ + src/sss_client/idmap/common_ex.c \ + src/sss_client/nss_mc_passwd.c \ + src/sss_client/nss_passwd.c \ + src/sss_client/nss_mc_group.c \ + src/sss_client/nss_group.c \ + src/sss_client/nss_mc_initgr.c \ + src/sss_client/nss_mc_common.c \ + src/util/strtonum.c \ + src/util/murmurhash3.c \ + src/util/io.c \ + $(NULL) + +libsss_nss_idmap_la_LIBADD = \ + $(LIBCLOCK_GETTIME) \ + $(CLIENT_LIBS) \ + -lpthread \ + $(NULL) + +libsss_nss_idmap_la_LDFLAGS = \ + -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.exports \ + -version-info 5:0:5 + +include_HEADERS = src/lib/ipa_hbac/ipa_hbac.h \ + src/lib/idmap/sss_idmap.h src/sss_client/idmap/sss_nss_idmap.h \ + src/lib/certmap/sss_certmap.h $(NULL) $(am__append_40) \ + $(am__append_44) +@BUILD_LIBWBCLIENT_TRUE@libwbclient_LTLIBRARIES = libwbclient.la +@BUILD_LIBWBCLIENT_TRUE@EXTRA_libwbclient_la_DEPENDENCIES = \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbclient.exports \ +@BUILD_LIBWBCLIENT_TRUE@ $(NULL) + +@BUILD_LIBWBCLIENT_TRUE@libwbclient_la_SOURCES = \ 
+@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_guid.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_idmap_common.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_idmap_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbclient_common.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbclient_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_pam_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_pwd_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_sid_common.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_sid_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_sssd_internal.h \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_util_common.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_util_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ src/sss_client/libwbclient/wbc_ctx_sssd.c \ +@BUILD_LIBWBCLIENT_TRUE@ $(NULL) + +@BUILD_LIBWBCLIENT_TRUE@libwbclient_la_LIBADD = \ +@BUILD_LIBWBCLIENT_TRUE@ $(LIBADD_DL) \ +@BUILD_LIBWBCLIENT_TRUE@ libsss_nss_idmap.la \ +@BUILD_LIBWBCLIENT_TRUE@ $(CLIENT_LIBS) \ +@BUILD_LIBWBCLIENT_TRUE@ $(NULL) + +@BUILD_LIBWBCLIENT_TRUE@libwbclient_la_LDFLAGS = \ +@BUILD_LIBWBCLIENT_TRUE@ -Wl,--version-script,$(srcdir)/src/sss_client/libwbclient/wbclient.exports \ +@BUILD_LIBWBCLIENT_TRUE@ -version-info @libwbclient_version_info@ \ +@BUILD_LIBWBCLIENT_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@libsss_simpleifp_la_SOURCES = \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp.c \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp_dbus.c \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp_attrs.c \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp_common.c \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp_parser.c \ +@BUILD_IFP_TRUE@ src/lib/sifp/sss_sifp_utils.c + +@BUILD_IFP_TRUE@libsss_simpleifp_la_CFLAGS = \ +@BUILD_IFP_TRUE@ $(AM_CFLAGS) \ +@BUILD_IFP_TRUE@ -I$(top_srcdir)/src/lib/sifp + +@BUILD_IFP_TRUE@libsss_simpleifp_la_LIBADD = \ +@BUILD_IFP_TRUE@ $(DBUS_LIBS) \ 
+@BUILD_IFP_TRUE@ $(DHASH_LIBS) + +@BUILD_IFP_TRUE@libsss_simpleifp_la_LDFLAGS = \ +@BUILD_IFP_TRUE@ -Wl,--version-script,$(srcdir)/src/lib/sifp/sss_simpleifp.exports \ +@BUILD_IFP_TRUE@ -version-info 1:1:1 + + +######################### +# Systemtap tracing # +######################### +@BUILD_SYSTEMTAP_TRUE@SYSTEMTAP_PROBES = \ +@BUILD_SYSTEMTAP_TRUE@ $(srcdir)/src/systemtap/sssd_probes.d \ +@BUILD_SYSTEMTAP_TRUE@ $(NULL) + +@BUILD_SYSTEMTAP_TRUE@systemtap_tap_DATA = $(builddir)/src/systemtap/sssd.stp +@BUILD_SYSTEMTAP_TRUE@dist_systemtap_tap_DATA = \ +@BUILD_SYSTEMTAP_TRUE@ $(builddir)/src/systemtap/sssd_functions.stp \ +@BUILD_SYSTEMTAP_TRUE@ $(NULL) + +@BUILD_SYSTEMTAP_TRUE@dist_sssdtapscript_DATA = \ +@BUILD_SYSTEMTAP_TRUE@ contrib/systemtap/id_perf.stp \ +@BUILD_SYSTEMTAP_TRUE@ contrib/systemtap/nested_group_perf.stp \ +@BUILD_SYSTEMTAP_TRUE@ contrib/systemtap/dp_request.stp \ +@BUILD_SYSTEMTAP_TRUE@ $(NULL) + + +#################### +# Sbus Codegen # +#################### + +# Yes, the goal here is that the generated files end up in $(srcdir) +# not $(builddir). Always use $(srcdir) here. 
+CODEGEN_XML = \ + $(srcdir)/src/tests/sbus_codegen_tests.xml \ + $(srcdir)/src/monitor/monitor_iface.xml \ + $(srcdir)/src/providers/data_provider/dp_iface.xml \ + $(srcdir)/src/providers/proxy/proxy_iface.xml \ + $(srcdir)/src/responder/ifp/ifp_iface.xml \ + $(srcdir)/src/responder/nss/nss_iface.xml \ + $(srcdir)/src/responder/common/iface/responder_iface.xml \ + $(NULL) + +SBUS_CODEGEN = src/sbus/sbus_codegen +SUFFIXES = .xml _generated.h _generated.c + +# Regenerate when codegen changes +CODEGEN_CODE = \ + $(CODEGEN_XML:.xml=_generated.c) \ + $(CODEGEN_XML:.xml=_generated.h) + + +#################### +# Program Binaries # +#################### +sssd_SOURCES = \ + src/monitor/monitor.c \ + src/monitor/monitor_netlink.c \ + src/confdb/confdb_setup.c \ + src/monitor/monitor_iface_generated.c \ + src/util/nscd.c \ + src/util/inotify.c \ + $(NULL) + +sssd_LDADD = \ + $(SSSD_LIBS) \ + $(INOTIFY_LIBS) \ + $(LIBNL_LIBS) \ + $(KEYUTILS_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) + +sssd_nss_SOURCES = \ + src/responder/nss/nsssrv.c \ + src/responder/nss/nss_cmd.c \ + src/responder/nss/nss_enum.c \ + src/responder/nss/nss_get_object.c \ + src/responder/nss/nss_protocol.c \ + src/responder/nss/nss_protocol_pwent.c \ + src/responder/nss/nss_protocol_grent.c \ + src/responder/nss/nss_protocol_netgr.c \ + src/responder/nss/nss_protocol_svcent.c \ + src/responder/nss/nss_protocol_sid.c \ + src/responder/nss/nss_utils.c \ + src/responder/nss/nss_iface_generated.c \ + src/responder/nss/nss_iface.c \ + src/responder/nss/nsssrv_mmap_cache.c \ + $(SSSD_RESPONDER_OBJ) + +sssd_nss_LDADD = \ + $(TDB_LIBS) \ + $(SSSD_LIBS) \ + libsss_idmap.la \ + libsss_cert.la \ + $(SYSTEMD_DAEMON_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) + +sssd_pam_SOURCES = \ + src/responder/pam/pam_LOCAL_domain.c \ + src/responder/pam/pamsrv.c \ + src/responder/pam/pamsrv_cmd.c \ + src/responder/pam/pamsrv_p11.c \ + src/responder/pam/pamsrv_dp.c \ + src/responder/pam/pam_helpers.c \ + 
$(SSSD_RESPONDER_OBJ) + +sssd_pam_LDADD = \ + $(TDB_LIBS) \ + $(SSSD_LIBS) \ + $(SELINUX_LIBS) \ + $(PAM_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ + libsss_certmap.la \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + +@BUILD_SUDO_TRUE@sssd_sudo_SOURCES = \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv.c \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_cmd.c \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_get_sudorules.c \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_query.c \ +@BUILD_SUDO_TRUE@ src/responder/sudo/sudosrv_dp.c \ +@BUILD_SUDO_TRUE@ $(SSSD_RESPONDER_OBJ) + +@BUILD_SUDO_TRUE@sssd_sudo_LDADD = \ +@BUILD_SUDO_TRUE@ $(SSSD_LIBS) \ +@BUILD_SUDO_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_SUDO_TRUE@ $(SSSD_INTERNAL_LTLIBS) + +@BUILD_AUTOFS_TRUE@sssd_autofs_SOURCES = \ +@BUILD_AUTOFS_TRUE@ src/responder/autofs/autofssrv.c \ +@BUILD_AUTOFS_TRUE@ src/responder/autofs/autofssrv_cmd.c \ +@BUILD_AUTOFS_TRUE@ src/responder/autofs/autofssrv_dp.c \ +@BUILD_AUTOFS_TRUE@ $(SSSD_RESPONDER_OBJ) + +@BUILD_AUTOFS_TRUE@sssd_autofs_LDADD = \ +@BUILD_AUTOFS_TRUE@ $(SSSD_LIBS) \ +@BUILD_AUTOFS_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_AUTOFS_TRUE@ $(SSSD_INTERNAL_LTLIBS) + +@BUILD_SSH_TRUE@sssd_ssh_SOURCES = \ +@BUILD_SSH_TRUE@ src/responder/ssh/sshsrv.c \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_cmd.c \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_known_hosts.c \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_protocol.c \ +@BUILD_SSH_TRUE@ src/responder/ssh/ssh_reply.c \ +@BUILD_SSH_TRUE@ $(SSSD_RESPONDER_OBJ) \ +@BUILD_SSH_TRUE@ $(NULL) + +@BUILD_SSH_TRUE@sssd_ssh_LDADD = \ +@BUILD_SSH_TRUE@ $(SSSD_LIBS) \ +@BUILD_SSH_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_SSH_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_SSH_TRUE@ libsss_cert.la \ +@BUILD_SSH_TRUE@ $(NULL) + +sssd_pac_SOURCES = \ + src/responder/pac/pacsrv.c \ + src/responder/pac/pacsrv_cmd.c \ + src/providers/ad/ad_pac_common.c \ + $(SSSD_RESPONDER_OBJ) + +sssd_pac_CFLAGS = \ + $(AM_CFLAGS) \ + $(NDR_KRB5PAC_CFLAGS) + +sssd_pac_LDADD = \ + $(NDR_KRB5PAC_LIBS) \ + 
$(TDB_LIBS) \ + $(SSSD_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ + libsss_idmap.la \ + $(SSSD_INTERNAL_LTLIBS) + +@BUILD_IFP_TRUE@sssd_ifp_SOURCES = \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifpsrv.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifpsrv_cmd.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_iface_generated.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_iface.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_iface_nodes.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifpsrv_util.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_domains.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_components.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_users.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_groups.c \ +@BUILD_IFP_TRUE@ src/responder/ifp/ifp_cache.c \ +@BUILD_IFP_TRUE@ $(SSSD_RESPONDER_OBJ) + +@BUILD_IFP_TRUE@sssd_ifp_CFLAGS = \ +@BUILD_IFP_TRUE@ $(AM_CFLAGS) + +@BUILD_IFP_TRUE@sssd_ifp_LDADD = \ +@BUILD_IFP_TRUE@ $(SSSD_LIBS) \ +@BUILD_IFP_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_IFP_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_IFP_TRUE@ libsss_cert.la \ +@BUILD_IFP_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@dist_dbuspolicy_DATA = \ +@BUILD_IFP_TRUE@ src/responder/ifp/org.freedesktop.sssd.infopipe.conf + +@BUILD_IFP_TRUE@dist_dbusservice_DATA = \ +@BUILD_IFP_TRUE@ src/responder/ifp/org.freedesktop.sssd.infopipe.service + +@BUILD_IFP_TRUE@ifp_edit_cmd = $(edit_cmd) \ +@BUILD_IFP_TRUE@ -e 's|@ifp_exec_cmd[@]|$(ifp_exec_cmd)|g' \ +@BUILD_IFP_TRUE@ -e 's|@ifp_systemdservice[@]|$(ifp_systemdservice)|g' \ +@BUILD_IFP_TRUE@ -e 's|@ifp_restart[@]|$(ifp_restart)|g' + +@BUILD_IFP_TRUE@ifp_replace_script = \ +@BUILD_IFP_TRUE@ @rm -f $@ $@.tmp; \ +@BUILD_IFP_TRUE@ srcdir=''; \ +@BUILD_IFP_TRUE@ test -f ./$@.in || srcdir=$(srcdir)/; \ +@BUILD_IFP_TRUE@ $(ifp_edit_cmd) $${srcdir}$@.in >$@.tmp; \ +@BUILD_IFP_TRUE@ mv $@.tmp $@ + +@BUILD_SECRETS_TRUE@sssd_secrets_SOURCES = \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/secsrv.c \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/secsrv_cmd.c \ +@BUILD_SECRETS_TRUE@ 
src/responder/secrets/providers.c \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/local.c \ +@BUILD_SECRETS_TRUE@ src/responder/secrets/proxy.c \ +@BUILD_SECRETS_TRUE@ src/util/sss_sockets.c \ +@BUILD_SECRETS_TRUE@ src/util/sss_iobuf.c \ +@BUILD_SECRETS_TRUE@ src/util/tev_curl.c \ +@BUILD_SECRETS_TRUE@ $(SSSD_RESPONDER_OBJ) \ +@BUILD_SECRETS_TRUE@ $(NULL) + +@BUILD_SECRETS_TRUE@sssd_secrets_LDADD = \ +@BUILD_SECRETS_TRUE@ $(HTTP_PARSER_LIBS) \ +@BUILD_SECRETS_TRUE@ $(JANSSON_LIBS) \ +@BUILD_SECRETS_TRUE@ $(TDB_LIBS) \ +@BUILD_SECRETS_TRUE@ $(SSSD_LIBS) \ +@BUILD_SECRETS_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_SECRETS_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_SECRETS_TRUE@ $(CURL_LIBS) \ +@BUILD_SECRETS_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@sssd_kcm_SOURCES = \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcm.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_cmd.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_ccache.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_ccache_mem.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_ccache_json.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_ccache_secrets.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_ops.c \ +@BUILD_KCM_TRUE@ src/responder/kcm/kcmsrv_op_queue.c \ +@BUILD_KCM_TRUE@ src/util/sss_sockets.c \ +@BUILD_KCM_TRUE@ src/util/sss_krb5.c \ +@BUILD_KCM_TRUE@ src/util/sss_iobuf.c \ +@BUILD_KCM_TRUE@ src/util/tev_curl.c \ +@BUILD_KCM_TRUE@ $(SSSD_RESPONDER_OBJ) \ +@BUILD_KCM_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@sssd_kcm_CFLAGS = \ +@BUILD_KCM_TRUE@ $(AM_CFLAGS) \ +@BUILD_KCM_TRUE@ $(KRB5_CFLAGS) \ +@BUILD_KCM_TRUE@ $(UUID_CFLAGS) \ +@BUILD_KCM_TRUE@ $(CURL_CFLAGS) \ +@BUILD_KCM_TRUE@ $(JANSSON_CFLAGS) \ +@BUILD_KCM_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@sssd_kcm_LDADD = \ +@BUILD_KCM_TRUE@ $(KRB5_LIBS) \ +@BUILD_KCM_TRUE@ $(CURL_LIBS) \ +@BUILD_KCM_TRUE@ $(JANSSON_LIBS) \ +@BUILD_KCM_TRUE@ $(SSSD_LIBS) \ +@BUILD_KCM_TRUE@ $(UUID_LIBS) \ +@BUILD_KCM_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_KCM_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_KCM_TRUE@ $(NULL) + 
+sssd_be_SOURCES = \ + src/providers/data_provider_be.c \ + src/providers/data_provider_req.c \ + src/providers/data_provider_fo.c \ + src/providers/data_provider_opts.c \ + src/providers/data_provider_callbacks.c \ + src/providers/be_dyndns.c \ + src/providers/be_ptask.c \ + src/providers/be_refresh.c \ + src/monitor/monitor_iface_generated.c \ + src/providers/data_provider/dp.c \ + src/providers/data_provider/dp_modules.c \ + src/providers/data_provider/dp_targets.c \ + src/providers/data_provider/dp_methods.c \ + src/providers/data_provider/dp_builtin.c \ + src/providers/data_provider/dp_iface.c \ + src/providers/data_provider/dp_iface_backend.c \ + src/providers/data_provider/dp_iface_failover.c \ + src/providers/data_provider/dp_client.c \ + src/providers/data_provider/dp_resp_client.c \ + src/providers/data_provider/dp_iface_generated.c \ + src/providers/data_provider/dp_request.c \ + src/providers/data_provider/dp_request_reply.c \ + src/providers/data_provider/dp_request_table.c \ + src/providers/data_provider/dp_reply_std.c \ + src/providers/data_provider/dp_target_sudo.c \ + src/providers/data_provider/dp_target_hostid.c \ + src/providers/data_provider/dp_target_autofs.c \ + src/providers/data_provider/dp_target_subdomains.c \ + src/providers/data_provider/dp_target_id.c \ + src/providers/data_provider/dp_target_auth.c \ + src/util/session_recording.c \ + $(SSSD_FAILOVER_OBJ) + +sssd_be_LDADD = $(LIBADD_DL) $(SSSD_LIBS) $(CARES_LIBS) $(PAM_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) $(am__append_48) +sssd_be_LDFLAGS = \ + -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \ + -export-dynamic + +@BUILD_PYTHON_BINDINGS_TRUE@sss_obfuscate_pythondir = $(sbindir) +@BUILD_PYTHON_BINDINGS_TRUE@dist_sss_obfuscate_python_SCRIPTS = \ +@BUILD_PYTHON_BINDINGS_TRUE@ src/tools/sss_obfuscate + +dist_sssddefaultconf_DATA = \ + src/examples/sssd.conf + +dist_pamconf_DATA = \ + src/examples/sssd-shadowutils + + +###################### +# Command-line Tools # 
+###################### +sss_useradd_SOURCES = \ + src/tools/sss_useradd.c \ + $(SSSD_TOOLS_OBJ) + +sss_useradd_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_semanage.la \ + $(NULL) + +sss_userdel_SOURCES = \ + src/tools/sss_userdel.c \ + $(SSSD_LCL_TOOLS_OBJ) + +sss_userdel_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) \ + libsss_semanage.la \ + $(NULL) + +sss_userdel_CFLAGS = \ + $(AM_CFLAGS) + +sss_groupadd_SOURCES = \ + src/tools/sss_groupadd.c \ + $(SSSD_TOOLS_OBJ) + +sss_groupadd_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) + +sss_groupdel_SOURCES = \ + src/tools/sss_groupdel.c \ + $(SSSD_LCL_TOOLS_OBJ) + +sss_groupdel_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) + +sss_groupdel_CFLAGS = $(AM_CFLAGS) +sss_usermod_SOURCES = \ + src/tools/sss_usermod.c \ + $(SSSD_LCL_TOOLS_OBJ) + +sss_usermod_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) \ + libsss_semanage.la \ + $(NULL) + +sss_usermod_CFLAGS = $(AM_CFLAGS) +sss_groupmod_SOURCES = \ + src/tools/sss_groupmod.c \ + $(SSSD_LCL_TOOLS_OBJ) + +sss_groupmod_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) + +sss_groupmod_CFLAGS = $(AM_CFLAGS) +sss_groupshow_SOURCES = \ + src/tools/sss_groupshow.c \ + $(SSSD_TOOLS_OBJ) + +sss_groupshow_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) + +sss_cache_SOURCES = \ + src/tools/sss_cache.c \ + $(SSSD_LCL_TOOLS_OBJ) + +sss_cache_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(CLIENT_LIBS) + +sss_cache_CFLAGS = $(AM_CFLAGS) +sss_seed_SOURCES = \ + src/tools/sss_seed.c \ + $(SSSD_TOOLS_OBJ) + +sss_seed_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) + +sss_signal_SOURCES = \ + src/tools/sss_signal.c \ + src/tools/common/sss_process.c + +sss_signal_LDADD = \ + libsss_debug.la \ + $(NULL) + +sss_override_SOURCES = \ + src/tools/sss_override.c \ + src/tools/common/sss_colondb.c \ + $(SSSD_TOOLS_OBJ) \ + $(NULL) + 
+sss_override_LDADD = \ + $(TOOLS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + +sss_override_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +sssctl_SOURCES = \ + src/tools/sssctl/sssctl.c \ + src/tools/sssctl/sssctl_systemd.c \ + src/tools/sssctl/sssctl_cache.c \ + src/tools/sssctl/sssctl_data.c \ + src/tools/sssctl/sssctl_logs.c \ + src/tools/sssctl/sssctl_domains.c \ + src/tools/sssctl/sssctl_sifp.c \ + src/tools/sssctl/sssctl_config.c \ + src/tools/sssctl/sssctl_user_checks.c \ + src/tools/sssctl/sssctl_access_report.c \ + $(SSSD_TOOLS_OBJ) \ + $(NULL) + +sssctl_LDADD = \ + $(TOOLS_LIBS) \ + $(INI_CONFIG_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(PAM_LIBS) \ + $(PAM_MISC_LIBS) \ + $(LIBADD_DL) \ + libsss_simpleifp.la \ + $(NULL) + +sssctl_CFLAGS = \ + $(AM_CFLAGS) \ + -I$(top_srcdir)/src/lib/sifp + +@BUILD_SUDO_TRUE@sss_sudo_cli_SOURCES = \ +@BUILD_SUDO_TRUE@ src/sss_client/common.c \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo.c \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo_response.c \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo_testcli/sudo_testcli.c + +@BUILD_SUDO_TRUE@sss_sudo_cli_CFLAGS = $(AM_CFLAGS) +@BUILD_SUDO_TRUE@sss_sudo_cli_LDADD = $(CLIENT_LIBS) +@BUILD_SSH_TRUE@sss_ssh_authorizedkeys_SOURCES = \ +@BUILD_SSH_TRUE@ src/sss_client/common.c \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_client.c \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_authorizedkeys.c + +@BUILD_SSH_TRUE@sss_ssh_authorizedkeys_CFLAGS = $(AM_CFLAGS) +@BUILD_SSH_TRUE@sss_ssh_authorizedkeys_LDADD = \ +@BUILD_SSH_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_SSH_TRUE@ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) + +@BUILD_SSH_TRUE@sss_ssh_knownhostsproxy_SOURCES = \ +@BUILD_SSH_TRUE@ src/sss_client/common.c \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_client.c \ +@BUILD_SSH_TRUE@ src/sss_client/ssh/sss_ssh_knownhostsproxy.c + +@BUILD_SSH_TRUE@sss_ssh_knownhostsproxy_CFLAGS = $(AM_CFLAGS) +@BUILD_SSH_TRUE@sss_ssh_knownhostsproxy_LDADD = \ +@BUILD_SSH_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ 
+@BUILD_SSH_TRUE@ $(CLIENT_LIBS) $(TALLOC_LIBS) $(POPT_LIBS) + +@HAVE_SYSTEMD_UNIT_TRUE@sssd_check_socket_activated_responders_SOURCES = \ +@HAVE_SYSTEMD_UNIT_TRUE@ src/tools/sssd_check_socket_activated_responders.c \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@HAVE_SYSTEMD_UNIT_TRUE@sssd_check_socket_activated_responders_CFLAGS = \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(AM_CFLAGS) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +@HAVE_SYSTEMD_UNIT_TRUE@sssd_check_socket_activated_responders_LDADD = \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(LTLIBINTL) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(TALLOC_LIBS) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(POPT_LIBS) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(INI_CONFIG_LIBS) \ +@HAVE_SYSTEMD_UNIT_TRUE@ $(NULL) + +libsss_certmap_la_DEPENDENCIES = src/lib/certmap/sss_certmap.exports +libsss_certmap_la_SOURCES = src/lib/certmap/sss_certmap.c \ + src/lib/certmap/sss_certmap_attr_names.c \ + src/lib/certmap/sss_certmap_krb5_match.c \ + src/lib/certmap/sss_certmap_ldap_mapping.c \ + src/lib/certmap/sss_cert_content_common.c src/util/util_ext.c \ + src/util/cert/cert_common.c $(NULL) $(am__append_49) \ + $(am__append_52) +libsss_certmap_la_CFLAGS = $(AM_CFLAGS) $(TALLOC_CFLAGS) $(NULL) \ + $(am__append_50) $(am__append_53) +libsss_certmap_la_LIBADD = $(TALLOC_LIBS) $(NULL) $(am__append_51) \ + $(am__append_54) +libsss_certmap_la_LDFLAGS = \ + -Wl,--version-script,$(srcdir)/src/lib/certmap/sss_certmap.exports \ + -version-info 0:0:0 + + +################# +# Feature Tests # +################# +TESTS_ENVIRONMENT = LDB_MODULES_PATH=$(abs_top_builddir)/ldb_mod_test_dir \ + SSS_TEST_DIR=$(TEST_DIR) \ + ABS_TOP_SRCDIR=$(abs_top_srcdir) \ + $(AUX_TESTS_ENVIRONMENT) + +check_LTLIBRARIES = libsss_test_common.la $(am__append_56) \ + $(am__append_57) +libsss_test_common_la_SOURCES = src/tests/common_tev.c \ + src/tests/common_dom.c src/tests/leak_check.c \ + src/tests/common.c $(am__append_55) +libsss_test_common_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ 
+ $(LDB_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + + +# libdlopen_test_providers is a helper library to provide missing symbols for +# dlopen_tests. It is mainly used for the backend modules but is used as well +# to provide __wrap_sss_nss_make_request_timeout needed make make dlopen_tests +# pass for libsss_nss_idmap_tests. +@HAVE_CHECK_TRUE@libdlopen_test_providers_la_SOURCES = \ +@HAVE_CHECK_TRUE@ $(sssd_be_SOURCES) \ +@HAVE_CHECK_TRUE@ src/tests/cmocka/wrap_sss_nss_make_request_timeout.c \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@libdlopen_test_providers_la_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) \ +@HAVE_CHECK_TRUE@ -DUNIT_TESTING + +@HAVE_CHECK_TRUE@libdlopen_test_providers_la_LIBADD = $(LIBADD_DL) \ +@HAVE_CHECK_TRUE@ $(PAM_LIBS) $(SSSD_LIBS) $(CARES_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) $(NULL) \ +@HAVE_CHECK_TRUE@ $(am__append_58) +@HAVE_CHECK_TRUE@libdlopen_test_providers_la_LDFLAGS = \ +@HAVE_CHECK_TRUE@ -shared \ +@HAVE_CHECK_TRUE@ -avoid-version \ +@HAVE_CHECK_TRUE@ -Wl,--version-script,$(srcdir)/src/providers/sssd_be.exports \ +@HAVE_CHECK_TRUE@ -rpath $(abs_top_builddir) \ +@HAVE_CHECK_TRUE@ -export-dynamic + +@HAVE_CHECK_TRUE@libsss_nss_idmap_tests_la_SOURCES = $(libsss_nss_idmap_la_SOURCES) +@HAVE_CHECK_TRUE@libsss_nss_idmap_tests_la_LIBADD = $(libsss_nss_idmap_la_LIBADD) +@HAVE_CHECK_TRUE@libsss_nss_idmap_tests_la_LDFLAGS = \ +@HAVE_CHECK_TRUE@ $(libsss_nss_idmap_la_LDFLAGS) \ +@HAVE_CHECK_TRUE@ -shared \ +@HAVE_CHECK_TRUE@ -rpath $(libdir) \ +@HAVE_CHECK_TRUE@ -Wl,-wrap,sss_nss_make_request_timeout \ +@HAVE_CHECK_TRUE@ -Wl,--version-script,$(srcdir)/src/sss_client/idmap/sss_nss_idmap.unit_tests + +@HAVE_CHECK_TRUE@libsss_ad_tests_la_SOURCES = $(libsss_ad_la_SOURCES) +@HAVE_CHECK_TRUE@libsss_ad_tests_la_CFLAGS = $(libsss_ad_la_CFLAGS) +@HAVE_CHECK_TRUE@libsss_ad_tests_la_LIBADD = \ +@HAVE_CHECK_TRUE@ $(libsss_ad_la_LIBADD) \ +@HAVE_CHECK_TRUE@ libdlopen_test_providers.la \ 
+@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@libsss_ad_tests_la_LDFLAGS = \ +@HAVE_CHECK_TRUE@ -shared \ +@HAVE_CHECK_TRUE@ -rpath $(abs_top_builddir) \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@dlopen_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/dlopen-tests.c + +@HAVE_CHECK_TRUE@dlopen_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@dlopen_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(LIBADD_DL) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) + +@HAVE_CHECK_TRUE@EXTRA_sysdb_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CHECK_TRUE@sysdb_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/sysdb-tests.c + +@HAVE_CHECK_TRUE@sysdb_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@sysdb_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@EXTRA_sysdb_ssh_tests_DEPENDENCIES = \ +@HAVE_CHECK_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CHECK_TRUE@sysdb_ssh_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/sysdb_ssh-tests.c + +@HAVE_CHECK_TRUE@sysdb_ssh_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS)\ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@sysdb_ssh_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@strtonum_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/strtonum-tests.c \ +@HAVE_CHECK_TRUE@ src/util/strtonum.c + +@HAVE_CHECK_TRUE@strtonum_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@strtonum_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_debug.la \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@krb5_utils_tests_SOURCES = \ 
+@HAVE_CHECK_TRUE@ src/tests/krb5_utils-tests.c \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_utils.c \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_ccache.c \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_common.c \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_opts.c \ +@HAVE_CHECK_TRUE@ src/util/sss_krb5.c \ +@HAVE_CHECK_TRUE@ src/util/sss_iobuf.c \ +@HAVE_CHECK_TRUE@ src/providers/data_provider_fo.c \ +@HAVE_CHECK_TRUE@ src/providers/data_provider_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/data_provider_callbacks.c \ +@HAVE_CHECK_TRUE@ src/util/become_user.c \ +@HAVE_CHECK_TRUE@ $(SSSD_FAILOVER_OBJ) \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@krb5_utils_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(KRB5_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@krb5_utils_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS)\ +@HAVE_CHECK_TRUE@ $(CARES_LIBS) \ +@HAVE_CHECK_TRUE@ $(KRB5_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(PCRE_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@check_and_open_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/check_and_open-tests.c \ +@HAVE_CHECK_TRUE@ src/util/check_and_open.c + +@HAVE_CHECK_TRUE@check_and_open_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@check_and_open_tests_LDADD = \ +@HAVE_CHECK_TRUE@ libsss_debug.la \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@FILES_TESTS_LIBS = $(CHECK_LIBS) $(POPT_LIBS) \ +@HAVE_CHECK_TRUE@ $(TALLOC_LIBS) libsss_test_common.la \ +@HAVE_CHECK_TRUE@ $(am__append_60) $(am__append_61) +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@files_tests_SOURCES = \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/tests/files-tests.c \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/check_and_open.c \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/atomic_io.c \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ 
src/util/selinux.c \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ src/util/files.c + +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@files_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@files_tests_LDADD = \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ $(FILES_TESTS_LIBS) \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ libsss_test_common.la \ +@HAVE_CHECK_TRUE@@HAVE_INOTIFY_TRUE@ $(SSSD_INTERNAL_LTLIBS) + +@HAVE_CHECK_TRUE@SSSD_RESOLV_TESTS_OBJ = \ +@HAVE_CHECK_TRUE@ $(SSSD_RESOLV_OBJ) + +@HAVE_CHECK_TRUE@resolv_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/resolv-tests.c \ +@HAVE_CHECK_TRUE@ src/tests/common.c \ +@HAVE_CHECK_TRUE@ $(SSSD_RESOLV_TESTS_OBJ) + +@HAVE_CHECK_TRUE@resolv_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) \ +@HAVE_CHECK_TRUE@ -DBUILD_TXT + +@HAVE_CHECK_TRUE@resolv_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(CARES_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_debug.la \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@refcount_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/refcount-tests.c \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@refcount_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@refcount_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@fail_over_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/fail_over-tests.c \ +@HAVE_CHECK_TRUE@ $(SSSD_FAILOVER_OBJ) \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@fail_over_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@fail_over_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(CARES_LIBS) \ 
+@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@find_uid_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/find_uid-tests.c \ +@HAVE_CHECK_TRUE@ src/util/find_uid.c \ +@HAVE_CHECK_TRUE@ src/util/atomic_io.c \ +@HAVE_CHECK_TRUE@ src/util/strtonum.c + +@HAVE_CHECK_TRUE@find_uid_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(TALLOC_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(DHASH_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(SYSTEMD_LOGIN_CFLAGS) + +@HAVE_CHECK_TRUE@find_uid_tests_LDADD = \ +@HAVE_CHECK_TRUE@ libsss_debug.la \ +@HAVE_CHECK_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CHECK_TRUE@ $(DHASH_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SYSTEMD_LOGIN_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@auth_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/auth-tests.c + +@HAVE_CHECK_TRUE@auth_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@auth_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@ipa_ldap_opt_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/providers/data_provider_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/ldap/sdap.c \ +@HAVE_CHECK_TRUE@ src/providers/ldap/sdap_range.c \ +@HAVE_CHECK_TRUE@ src/providers/ldap/sdap_domain.c \ +@HAVE_CHECK_TRUE@ src/providers/ldap/ldap_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/ad/ad_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/ipa/ipa_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_opts.c \ +@HAVE_CHECK_TRUE@ src/util/sss_sockets.c \ +@HAVE_CHECK_TRUE@ src/util/sss_ldap.c \ +@HAVE_CHECK_TRUE@ src/tests/ipa_ldap_opt-tests.c + +@HAVE_CHECK_TRUE@ipa_ldap_opt_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@ipa_ldap_opt_tests_LDADD = \ +@HAVE_CHECK_TRUE@ 
$(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CHECK_TRUE@ $(LDB_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ $(OPENLDAP_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@ad_ldap_opt_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/providers/ldap/ldap_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/ad/ad_opts.c \ +@HAVE_CHECK_TRUE@ src/providers/krb5/krb5_opts.c \ +@HAVE_CHECK_TRUE@ src/tests/ad_ldap_opt-tests.c + +@HAVE_CHECK_TRUE@ad_ldap_opt_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@ad_ldap_opt_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@util_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/util-tests.c \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@util_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@util_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@safe_format_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/safe-format-tests.c + +@HAVE_CHECK_TRUE@safe_format_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@safe_format_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@debug_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/debug-tests.c \ +@HAVE_CHECK_TRUE@ src/tests/common.c + +@HAVE_CHECK_TRUE@debug_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@debug_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ 
+@HAVE_CHECK_TRUE@ libsss_debug.la + +@HAVE_CHECK_TRUE@crypto_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/crypto-tests.c + +@HAVE_CHECK_TRUE@crypto_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@crypto_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(POPT_LIBS) \ +@HAVE_CHECK_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_crypt.la \ +@HAVE_CHECK_TRUE@ libsss_debug.la \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +@HAVE_CHECK_TRUE@ipa_hbac_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/ipa_hbac-tests.c + +@HAVE_CHECK_TRUE@ipa_hbac_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@ipa_hbac_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la \ +@HAVE_CHECK_TRUE@ libipa_hbac.la + +@HAVE_CHECK_TRUE@sss_idmap_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/sss_idmap-tests.c + +@HAVE_CHECK_TRUE@sss_idmap_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@sss_idmap_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la \ +@HAVE_CHECK_TRUE@ libsss_idmap.la + +@HAVE_CHECK_TRUE@responder_socket_access_tests_SOURCES = \ +@HAVE_CHECK_TRUE@ src/tests/responder_socket_access-tests.c \ +@HAVE_CHECK_TRUE@ src/responder/common/negcache_files.c \ +@HAVE_CHECK_TRUE@ src/responder/common/negcache.c \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_common.c \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_packet.c \ +@HAVE_CHECK_TRUE@ src/responder/common/responder_cmd.c \ +@HAVE_CHECK_TRUE@ src/responder/common/cache_req/cache_req_domain.c \ +@HAVE_CHECK_TRUE@ src/responder/common/data_provider/rdp_message.c \ +@HAVE_CHECK_TRUE@ src/responder/common/data_provider/rdp_client.c \ +@HAVE_CHECK_TRUE@ src/util/session_recording.c \ 
+@HAVE_CHECK_TRUE@ $(SSSD_RESPONDER_IFACE_OBJ) \ +@HAVE_CHECK_TRUE@ $(NULL) + +@HAVE_CHECK_TRUE@responder_socket_access_tests_CFLAGS = \ +@HAVE_CHECK_TRUE@ $(AM_CFLAGS) \ +@HAVE_CHECK_TRUE@ $(CHECK_CFLAGS) + +@HAVE_CHECK_TRUE@responder_socket_access_tests_LDADD = \ +@HAVE_CHECK_TRUE@ $(CHECK_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_LIBS) \ +@HAVE_CHECK_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CHECK_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CHECK_TRUE@ libsss_test_common.la + +stress_tests_SOURCES = \ + src/tests/stress-tests.c + +stress_tests_LDADD = \ + $(SSSD_LIBS) \ + libsss_test_common.la + +krb5_child_test_SOURCES = \ + src/tests/krb5_child-test.c \ + src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_ccache.c \ + src/providers/krb5/krb5_child_handler.c \ + src/providers/krb5/krb5_common.c \ + src/providers/krb5/krb5_opts.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + src/providers/data_provider_fo.c \ + src/providers/data_provider_opts.c \ + src/providers/data_provider_callbacks.c \ + src/util/become_user.c \ + $(SSSD_FAILOVER_OBJ) \ + $(NULL) + +krb5_child_test_CFLAGS = \ + $(AM_CFLAGS) \ + -DKRB5_CHILD_DIR=\"$(builddir)\" \ + $(KRB5_CFLAGS) \ + $(CHECK_CFLAGS) + +krb5_child_test_LDADD = \ + $(SSSD_LIBS) \ + $(CARES_LIBS) \ + $(KRB5_LIBS) \ + $(CHECK_LIBS) \ + $(PCRE_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_test_common.la + +test_ssh_client_SOURCES = \ + src/tests/test_ssh_client.c \ + $(NULL) + +test_ssh_client_CFLAGS = \ + $(AM_CFLAGS) \ + -DSSH_CLIENT_DIR=\"$(abs_top_builddir)\" \ + $(NULL) + +test_ssh_client_LDADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(SSSD_LIBS) \ + $(NULL) + +@BUILD_DBUS_TESTS_TRUE@sbus_tests_SOURCES = \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/common_dbus.c \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/sbus_tests.c + +@BUILD_DBUS_TESTS_TRUE@sbus_tests_CFLAGS = \ +@BUILD_DBUS_TESTS_TRUE@ $(AM_CFLAGS) \ +@BUILD_DBUS_TESTS_TRUE@ $(CHECK_CFLAGS) + +@BUILD_DBUS_TESTS_TRUE@sbus_tests_LDADD = \ +@BUILD_DBUS_TESTS_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ 
+@BUILD_DBUS_TESTS_TRUE@ $(SSSD_LIBS) \ +@BUILD_DBUS_TESTS_TRUE@ $(CHECK_LIBS) + +@BUILD_DBUS_TESTS_TRUE@sbus_codegen_tests_SOURCES = \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/common_dbus.c \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/sbus_codegen_tests.c \ +@BUILD_DBUS_TESTS_TRUE@ src/tests/sbus_codegen_tests_generated.c \ +@BUILD_DBUS_TESTS_TRUE@ $(NULL) + +@BUILD_DBUS_TESTS_TRUE@sbus_codegen_tests_CFLAGS = \ +@BUILD_DBUS_TESTS_TRUE@ $(AM_CFLAGS) \ +@BUILD_DBUS_TESTS_TRUE@ $(CHECK_CFLAGS) + +@BUILD_DBUS_TESTS_TRUE@sbus_codegen_tests_LDADD = \ +@BUILD_DBUS_TESTS_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_DBUS_TESTS_TRUE@ $(SSSD_LIBS) \ +@BUILD_DBUS_TESTS_TRUE@ $(CHECK_LIBS) + +@HAVE_CMOCKA_TRUE@TEST_MOCK_RESP_OBJ = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_resp.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_resp_dp.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_packet.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_cmd.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/negcache_files.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/negcache.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_common.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/rdp_message.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/data_provider/rdp_client.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/responder_utils.c \ +@HAVE_CMOCKA_TRUE@ src/util/session_recording.c \ +@HAVE_CMOCKA_TRUE@ $(SSSD_CACHE_REQ_OBJ) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_RESPONDER_IFACE_OBJ) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@TEST_MOCK_PROVIDER_OBJ = \ +@HAVE_CMOCKA_TRUE@ src/util/sss_sockets.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_ldap.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider_opts.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/ldap_opts.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/ldap_options.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_domain.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_utils.c \ +@HAVE_CMOCKA_TRUE@ 
src/providers/ldap/sdap_range.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_sdap.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_sysdb_objects.c + +@HAVE_CMOCKA_TRUE@EXTRA_nss_srv_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CMOCKA_TRUE@nss_srv_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(TEST_MOCK_RESP_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_nss_srv.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_cmd.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_enum.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_get_object.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_protocol.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_protocol_pwent.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_protocol_grent.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_protocol_netgr.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_protocol_svcent.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_protocol_sid.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nss_utils.c \ +@HAVE_CMOCKA_TRUE@ src/responder/nss/nsssrv_mmap_cache.c + +@HAVE_CMOCKA_TRUE@nss_srv_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@nss_srv_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_ncache_check_user \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_ncache_check_upn \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_ncache_check_uid \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_ncache_check_sid \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_ncache_check_cert \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_packet_get_body \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_packet_get_cmd \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_cmd_send_empty \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_cmd_done + +@HAVE_CMOCKA_TRUE@nss_srv_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_cert.la \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la + +@HAVE_CMOCKA_TRUE@EXTRA_pam_srv_tests_DEPENDENCIES = 
\ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) $(NULL) p11_child +@HAVE_CMOCKA_TRUE@pam_srv_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(TEST_MOCK_RESP_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_pam_srv.c \ +@HAVE_CMOCKA_TRUE@ src/sss_client/pam_message.c \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pamsrv_cmd.c \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pamsrv_p11.c \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_helpers.c \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pamsrv_dp.c \ +@HAVE_CMOCKA_TRUE@ src/responder/pam/pam_LOCAL_domain.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@pam_srv_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \ +@HAVE_CMOCKA_TRUE@ -I$(abs_builddir)/src \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@pam_srv_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_packet_get_body \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_packet_get_cmd \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_cmd_send_empty \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_cmd_done \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,pam_dp_send_req \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@pam_srv_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(PAM_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_certmap.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@EXTRA_ssh_srv_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) $(NULL) p11_child +@HAVE_CMOCKA_TRUE@ssh_srv_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(TEST_MOCK_RESP_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ssh_srv.c \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_cmd.c \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_known_hosts.c \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_protocol.c \ +@HAVE_CMOCKA_TRUE@ src/responder/ssh/ssh_reply.c \ 
+@HAVE_CMOCKA_TRUE@ src/util/cert/cert_common_p11_child.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ssh_srv_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \ +@HAVE_CMOCKA_TRUE@ -I$(abs_builddir)/src \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ssh_srv_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_packet_get_body \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_packet_get_cmd \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_cmd_send_empty \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_cmd_done \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ssh_dp_send_req \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ssh_srv_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@EXTRA_responder_get_domains_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CMOCKA_TRUE@responder_get_domains_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(SSSD_RESPONDER_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_responder_common.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_resp.c + +@HAVE_CMOCKA_TRUE@responder_get_domains_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@responder_get_domains_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_parse_name_for_domains \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_ncache_reset_repopulate_permanent + +@HAVE_CMOCKA_TRUE@responder_get_domains_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@sbus_internal_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/sbus_internal_tests.c \ +@HAVE_CMOCKA_TRUE@ src/sbus/sssd_dbus_request.c + 
+@HAVE_CMOCKA_TRUE@sbus_internal_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@sbus_internal_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_bus_get \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_pending_call_steal_reply \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_pending_call_unref \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_message_unref \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_connection_unref \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_connection_set_exit_on_disconnect \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,hash_lookup + +@HAVE_CMOCKA_TRUE@sbus_internal_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_util.la \ +@HAVE_CMOCKA_TRUE@ libsss_crypt.la \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@config_check_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_config_check.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@config_check_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@config_check_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(INI_CONFIG_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_find_uid_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_find_uid.c \ +@HAVE_CMOCKA_TRUE@ src/util/find_uid.c \ +@HAVE_CMOCKA_TRUE@ src/util/atomic_io.c \ +@HAVE_CMOCKA_TRUE@ src/util/strtonum.c + +@HAVE_CMOCKA_TRUE@test_find_uid_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_LOGIN_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_find_uid_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_LOGIN_LIBS) \ 
+@HAVE_CMOCKA_TRUE@ libsss_debug.la + +@HAVE_CMOCKA_TRUE@test_io_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_io.c \ +@HAVE_CMOCKA_TRUE@ src/util/io.c \ +@HAVE_CMOCKA_TRUE@ src/tests/common.c + +@HAVE_CMOCKA_TRUE@test_io_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_io_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) + +@HAVE_CMOCKA_TRUE@EXTRA_test_negcache_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CMOCKA_TRUE@test_negcache_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(SSSD_RESPONDER_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_resp.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_negcache.c + +@HAVE_CMOCKA_TRUE@test_negcache_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_negcache_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la + +@HAVE_CMOCKA_TRUE@test_authtok_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_authtok.c \ +@HAVE_CMOCKA_TRUE@ src/util/authtok.c \ +@HAVE_CMOCKA_TRUE@ src/util/authtok-utils.c \ +@HAVE_CMOCKA_TRUE@ src/util/util.c \ +@HAVE_CMOCKA_TRUE@ src/util/util_ext.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_authtok_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_authtok_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sss_nss_idmap_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ 
src/tests/cmocka/sss_nss_idmap-tests.c + +@HAVE_CMOCKA_TRUE@sss_nss_idmap_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@sss_nss_idmap_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_nss_idmap_tests.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@deskprofile_utils_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_deskprofile_utils.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_deskprofile_rules_util.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_rules_common.c + +@HAVE_CMOCKA_TRUE@deskprofile_utils_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@deskprofile_utils_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@EXTRA_dyndns_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CMOCKA_TRUE@dyndns_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(SSSD_RESOLV_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_dyndns.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider_opts.c + +@HAVE_CMOCKA_TRUE@dyndns_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DDYNDNS_TIMEOUT=2 + +@HAVE_CMOCKA_TRUE@dyndns_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,execv \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,getifaddrs \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,freeifaddrs + +@HAVE_CMOCKA_TRUE@dyndns_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CARES_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@domain_resolution_order_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_domain_resolution_order.c \ +@HAVE_CMOCKA_TRUE@ src/responder/common/cache_req/cache_req_domain.c + +@HAVE_CMOCKA_TRUE@domain_resolution_order_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + 
+@HAVE_CMOCKA_TRUE@domain_resolution_order_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@fqnames_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_fqnames.c + +@HAVE_CMOCKA_TRUE@fqnames_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@fqnames_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@nestedgroups_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(TEST_MOCK_PROVIDER_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_idmap.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_nested_groups.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_async_nested_groups.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_ad_groups.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_dn.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@nestedgroups_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DEXTERNAL_MEMBERS_CHUNK=1 \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@nestedgroups_tests_LDADD = $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(OPENLDAP_LIBS) $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la $(NULL) \ +@HAVE_CMOCKA_TRUE@ $(am__append_62) +@HAVE_CMOCKA_TRUE@test_sss_idmap_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sss_idmap.c + +@HAVE_CMOCKA_TRUE@test_sss_idmap_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_sss_idmap_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@test_ipa_idmap_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_idmap.c \ 
+@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_idmap.c + +@HAVE_CMOCKA_TRUE@test_ipa_idmap_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_ipa_idmap_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sysdb_get_ranges + +@HAVE_CMOCKA_TRUE@test_ipa_idmap_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@test_utils_SOURCES = src/tests/cmocka/test_utils.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_string_utils.c $(NULL) \ +@HAVE_CMOCKA_TRUE@ $(am__append_63) +@HAVE_CMOCKA_TRUE@test_utils_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_utils_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@test_search_bases_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_search_bases.c + +@HAVE_CMOCKA_TRUE@test_search_bases_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ldap_auth_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ldap_auth.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_expire_common.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ldap_auth_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ldap_id_cleanup_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ldap_id_cleanup.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + 
+@HAVE_CMOCKA_TRUE@test_ldap_id_cleanup_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TEVENT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_access_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap_access.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_expire_common.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_access_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_certmap_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap_certmap.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_certmap.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_certmap_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_certmap_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_certmap.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_access_filter_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ad_access_filter.c + +@HAVE_CMOCKA_TRUE@ad_access_filter_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TEVENT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ 
+@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_gpo_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ad_gpo.c + +@HAVE_CMOCKA_TRUE@ad_gpo_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_NBT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_gpo_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(OPENLDAP_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_NBT_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_krb5_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_common_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(libsss_krb5_common_la_SOURCES) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_krb5.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ad_common.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_opts.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_pac.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_pac_common.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ad/ad_domain_info.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_async_initgroups_ad.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_common_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_NBT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_KRB5PAC_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_common_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sdap_set_sasl_options \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,krb5_kt_default \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@ad_common_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KEYUTILS_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_NBT_LIBS) \ +@HAVE_CMOCKA_TRUE@ 
$(NDR_KRB5PAC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KRB5_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@dp_opt_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider_opts.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_dp_opts.c + +@HAVE_CMOCKA_TRUE@dp_opt_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@dp_opt_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@sdap_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider_opts.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_domain.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/sdap_range.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ldap/ldap_opts.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_opts.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_sockets.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_ldap.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sdap_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sdap_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_set_option \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_get_dn \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_memfree \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_get_values_len \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_value_free_len \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_first_attribute \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,ldap_next_attribute \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sdap_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ 
+@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(OPENLDAP_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ifp_tests_SOURCES = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(TEST_MOCK_RESP_OBJ) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ifp.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/ifp/ifpsrv_cmd.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/ifp/ifp_iface_generated.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/ifp/ifpsrv_util.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ifp_tests_CFLAGS = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ifp_tests_LDADD = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@sss_sifp_tests_SOURCES = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sss_sifp.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_attrs.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_common.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_parser.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_utils.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp_dbus.c \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ src/lib/sifp/sss_sifp.c + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@sss_sifp_tests_CFLAGS = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ -I$(top_srcdir)/src/lib/sifp + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@sss_sifp_tests_LDFLAGS = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ -Wl,-wrap,dbus_bus_get \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ 
-Wl,-wrap,dbus_connection_send_with_reply_and_block + +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@sss_sifp_tests_LDADD = \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(DBUS_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@BUILD_IFP_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) + +@HAVE_CMOCKA_TRUE@test_sysdb_views_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_views.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_utils.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_views_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_views_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_ts_cache_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_ts_cache.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_utils.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_ts_cache_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_ts_cache_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_subdomains_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_subdomains.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_subdomains_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_subdomains_LDADD = \ +@HAVE_CMOCKA_TRUE@ 
$(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_certmap_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_certmap.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_certmap_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_certmap_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_sudo_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_sudo.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_sudo_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_sudo_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_utils_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_utils.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_utils_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_utils_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_domain_resolution_order_SOURCES = \ 
+@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sysdb_domain_resolution_order.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_domain_resolution_order_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sysdb_domain_resolution_order_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_wbc_calls_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_wbc_calls.c \ +@HAVE_CMOCKA_TRUE@ src/sss_client/libwbclient/wbc_sid_sssd.c \ +@HAVE_CMOCKA_TRUE@ src/sss_client/libwbclient/wbclient_common.c \ +@HAVE_CMOCKA_TRUE@ src/sss_client/libwbclient/wbc_sid_common.c \ +@HAVE_CMOCKA_TRUE@ src/sss_client/common.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_wbc_calls_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_wbc_calls_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_nss_getnamebysid \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_wbc_calls_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CLIENT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_nss_idmap.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_be_ptask_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_be_ptask.c \ +@HAVE_CMOCKA_TRUE@ src/providers/be_ptask.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_be_ptask_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_be_ptask_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ 
+@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_copy_ccache_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_copy_ccache.c \ +@HAVE_CMOCKA_TRUE@ src/providers/krb5/krb5_ccache.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_krb5.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_iobuf.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_copy_ccache_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_copy_ccache_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KRB5_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_copy_keytab_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_krb5.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_copy_keytab.c \ +@HAVE_CMOCKA_TRUE@ src/providers/krb5/krb5_keytab.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_krb5.c \ +@HAVE_CMOCKA_TRUE@ src/util/sss_iobuf.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_copy_keytab_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_copy_keytab_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KRB5_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@dummy_child_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/dummy_child.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@dummy_child_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_child_common_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_child_common.c \ 
+@HAVE_CMOCKA_TRUE@ src/util/child_common.c \ +@HAVE_CMOCKA_TRUE@ src/util/signal.c \ +@HAVE_CMOCKA_TRUE@ src/util/atomic_io.c \ +@HAVE_CMOCKA_TRUE@ src/util/util_errors.c \ +@HAVE_CMOCKA_TRUE@ src/util/util.c \ +@HAVE_CMOCKA_TRUE@ src/util/util_ext.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_child_common_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DCHILD_DIR=\"$(builddir)\" \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_child_common_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,child_io_destructor \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_child_common_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@responder_cache_req_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(TEST_MOCK_RESP_OBJ) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_responder_cache_req.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@responder_cache_req_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@responder_cache_req_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_dp_get_account_send \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@responder_cache_req_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(SYSTEMD_DAEMON_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sbus_opath_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sbus_opath.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sbus_opath_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) + +@HAVE_CMOCKA_TRUE@test_sbus_opath_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ 
$(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la + +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@test_resolv_fake_SOURCES = \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ src/tests/cmocka/test_resolv_fake.c \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ src/resolv/async_resolv.c \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@test_resolv_fake_CFLAGS = \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@test_resolv_fake_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ -Wl,-wrap,ares_query \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@test_resolv_fake_LDADD = \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(CARES_LIBS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(RESOLV_LIBS) \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@@HAVE_LIBRESOLV_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_fo_srv_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_fo_srv.c \ +@HAVE_CMOCKA_TRUE@ src/providers/fail_over.c \ +@HAVE_CMOCKA_TRUE@ src/providers/fail_over_srv.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_fo_srv_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_fo_srv_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(CARES_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + 
+@HAVE_CMOCKA_TRUE@test_sdap_initgr_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_sdap.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_sysdb_objects.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sdap_initgr.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_initgr_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_NBT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sdap_initgr_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TEVENT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ad_subdom_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ad_subdomains.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ad_subdom_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NDR_NBT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ad_subdom_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la \ +@HAVE_CMOCKA_TRUE@ libsss_idmap.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_util_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_subdomains_utils.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_subdomains_utils.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_util_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_util_LDADD = \ 
+@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_server_SOURCES = \ +@HAVE_CMOCKA_TRUE@ $(libsss_krb5_common_la_SOURCES) \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_sdap.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_krb5.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_subdomains_server.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_subdomains_server.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_subdomains_utils.c \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_opts.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_server_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DIPA_TRUST_KEYTAB_DIR=TEST_DIR\"/tp_test_ipa_subdom_server-test_ipa_subdomains_server\" \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_server_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,krb5_kt_default \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,execle \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,execve \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,rename \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,sss_unique_filename \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_subdom_server_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KEYUTILS_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KRB5_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_ldap_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_ad_tests.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_tools_colondb_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_tools_colondb.c \ +@HAVE_CMOCKA_TRUE@ src/tools/common/sss_colondb.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + 
+@HAVE_CMOCKA_TRUE@test_tools_colondb_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_tools_colondb_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_tools_colondb_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_krb5_wait_queue_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_krb5_wait_queue.c \ +@HAVE_CMOCKA_TRUE@ src/providers/krb5/krb5_wait_queue.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_krb5_wait_queue_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_krb5_wait_queue_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(DHASH_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_cert_utils_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_cert_utils.c \ +@HAVE_CMOCKA_TRUE@ src/util/cert/cert_common_p11_child.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_cert_utils_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -U SSSD_LIBEXEC_PATH -DSSSD_LIBEXEC_PATH=\"$(abs_builddir)\" \ +@HAVE_CMOCKA_TRUE@ -I$(abs_builddir)/src \ +@HAVE_CMOCKA_TRUE@ $(CRYPTO_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_cert_utils_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(CRYPTO_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_debug.la \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_cert.la \ +@HAVE_CMOCKA_TRUE@ libsss_crypt.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_data_provider_be_SOURCES = \ 
+@HAVE_CMOCKA_TRUE@ src/providers/data_provider_be.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_data_provider_be.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_data_provider_be_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DUNIT_TESTING \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_data_provider_be_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,_tevent_add_timer \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_data_provider_be_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(PAM_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(LIBADD_DL) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_table_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_request_table.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_request_table.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_table_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DUNIT_TESTING \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_table_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_table_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_request.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_modules.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_targets.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_methods.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_builtin.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/mock_dp.c \ 
+@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_request.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DUNIT_TESTING \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ -Wl,-wrap,be_is_offline \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_request_LDADD = $(CMOCKA_LIBS) $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) $(LIBADD_DL) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la $(NULL) \ +@HAVE_CMOCKA_TRUE@ $(am__append_64) +@HAVE_CMOCKA_TRUE@test_dp_builtin_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_modules.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_targets.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_methods.c \ +@HAVE_CMOCKA_TRUE@ src/providers/data_provider/dp_builtin.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/mock_dp.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/data_provider/test_dp_builtin.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_builtin_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DUNIT_TESTING \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_builtin_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_dp_builtin_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(LIBADD_DL) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_dn_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/providers/ipa/ipa_dn.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_ipa_dn.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_ipa_dn_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(LDB_LIBS) \ 
+@HAVE_CMOCKA_TRUE@ $(TEVENT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_iobuf_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/util/sss_iobuf.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_iobuf.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_iobuf_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_iobuf_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@EXTRA_simple_access_tests_DEPENDENCIES = \ +@HAVE_CMOCKA_TRUE@ $(ldblib_LTLIBRARIES) + +@HAVE_CMOCKA_TRUE@simple_access_tests_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_simple_access.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/common_mock_be.c \ +@HAVE_CMOCKA_TRUE@ src/providers/simple/simple_access.c \ +@HAVE_CMOCKA_TRUE@ src/providers/simple/simple_access_check.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@simple_access_tests_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@simple_access_tests_LDFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@simple_access_tests_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@krb5_common_test_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_krb5_common.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@krb5_common_test_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(KRB5_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@krb5_common_test_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ 
libsss_krb5_common.la \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libdlopen_test_providers.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_inotify_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/util/inotify.c \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_inotify.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_inotify_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_inotify_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ $(LIBADD_DL) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sss_certmap_test_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_certmap.c \ +@HAVE_CMOCKA_TRUE@ src/lib/certmap/sss_certmap_attr_names.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sss_certmap_test_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(NSS_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -I$(abs_builddir)/src \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@sss_certmap_test_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(NSS_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ libsss_certmap.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sssd_krb5_locator_plugin_SOURCES = \ +@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_sssd_krb5_locator_plugin.c \ +@HAVE_CMOCKA_TRUE@ src/krb5_plugin/sssd_krb5_locator_plugin.c \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sssd_krb5_locator_plugin_CFLAGS = \ +@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ $(KRB5_CFLAGS) \ +@HAVE_CMOCKA_TRUE@ -DTEST_PUBCONF_PATH=\"$(abs_builddir)/src/tests/cmocka/pubconf\" \ 
+@HAVE_CMOCKA_TRUE@ $(NULL) + +@HAVE_CMOCKA_TRUE@test_sssd_krb5_locator_plugin_LDADD = \ +@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(POPT_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(TALLOC_LIBS) \ +@HAVE_CMOCKA_TRUE@ $(KRB5_LIBS) \ +@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_json_SOURCES = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_kcm_json_marshalling.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/kcm/kcmsrv_ccache_json.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/kcm/kcmsrv_ccache.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/util/sss_krb5.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/util/sss_iobuf.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_json_CFLAGS = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(UUID_CFLAGS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_json_LDADD = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(JANSSON_LIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(UUID_LIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(KRB5_LIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_queue_SOURCES = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/tests/cmocka/test_kcm_queue.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ src/responder/kcm/kcmsrv_op_queue.c \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_queue_CFLAGS = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(AM_CFLAGS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@test_kcm_queue_LDADD = \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(CMOCKA_LIBS) \ 
+@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_LIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ libsss_test_common.la \ +@BUILD_KCM_TRUE@@HAVE_CMOCKA_TRUE@ $(NULL) + +@BUILD_AUTOFS_TRUE@autofs_test_client_SOURCES = \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs/autofs_test_client.c \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs/sss_autofs.c \ +@BUILD_AUTOFS_TRUE@ src/sss_client/common.c + +@BUILD_AUTOFS_TRUE@autofs_test_client_CFLAGS = $(AM_CFLAGS) +@BUILD_AUTOFS_TRUE@autofs_test_client_LDADD = -lpopt $(CLIENT_LIBS) +@BUILD_WITH_LIBCURL_TRUE@tcurl_test_tool_SOURCES = \ +@BUILD_WITH_LIBCURL_TRUE@ src/tests/tcurl_test_tool.c \ +@BUILD_WITH_LIBCURL_TRUE@ src/util/tev_curl.c \ +@BUILD_WITH_LIBCURL_TRUE@ src/util/sss_iobuf.c \ +@BUILD_WITH_LIBCURL_TRUE@ $(NULL) + +@BUILD_WITH_LIBCURL_TRUE@tcurl_test_tool_CFLAGS = \ +@BUILD_WITH_LIBCURL_TRUE@ $(AM_CFLAGS) \ +@BUILD_WITH_LIBCURL_TRUE@ $(CURL_CFLAGS) \ +@BUILD_WITH_LIBCURL_TRUE@ $(NULL) + +@BUILD_WITH_LIBCURL_TRUE@tcurl_test_tool_LDADD = \ +@BUILD_WITH_LIBCURL_TRUE@ $(CURL_LIBS) \ +@BUILD_WITH_LIBCURL_TRUE@ $(SSSD_LIBS) \ +@BUILD_WITH_LIBCURL_TRUE@ $(SSSD_INTERNAL_LTLIBS) \ +@BUILD_WITH_LIBCURL_TRUE@ $(NULL) + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@test_sssd_krb5_localauth_plugin_SOURCES = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/tests/cmocka/test_sssd_krb5_localauth_plugin.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/krb5_plugin/sssd_krb5_localauth_plugin.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(NULL) + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@test_sssd_krb5_localauth_plugin_CFLAGS = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(AM_CFLAGS) \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(NULL) + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@test_sssd_krb5_localauth_plugin_LDADD = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(CMOCKA_LIBS) \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(KRB5_LIBS) \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(NULL) + + +#################### +# Client Libraries # +#################### 
+nsslib_LTLIBRARIES = libnss_sss.la +libnss_sss_la_SOURCES = \ + src/sss_client/common.c \ + src/sss_client/nss_passwd.c \ + src/sss_client/nss_group.c \ + src/sss_client/nss_netgroup.c \ + src/sss_client/nss_services.c \ + src/sss_client/sss_cli.h \ + src/sss_client/nss_compat.h \ + src/sss_client/nss_common.h \ + src/sss_client/common_private.h \ + src/sss_client/nss_mc_common.c \ + src/util/io.c \ + src/util/murmurhash3.c \ + src/sss_client/nss_mc_passwd.c \ + src/sss_client/nss_mc_group.c \ + src/sss_client/nss_mc_initgr.c \ + src/sss_client/nss_mc.h + +libnss_sss_la_LIBADD = \ + $(CLIENT_LIBS) + +libnss_sss_la_LDFLAGS = \ + -module \ + -version-info 2:0:0 \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_nss.exports + +@BUILD_NFS_IDMAP_TRUE@nfslib_LTLIBRARIES = sss.la +@BUILD_NFS_IDMAP_TRUE@sss_la_SOURCES = \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/common.c \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/nss_mc_common.c \ +@BUILD_NFS_IDMAP_TRUE@ src/util/io.c \ +@BUILD_NFS_IDMAP_TRUE@ src/util/murmurhash3.c \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/nss_mc_passwd.c \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/nss_mc_group.c \ +@BUILD_NFS_IDMAP_TRUE@ src/sss_client/nfs/sss_nfs_client.c \ +@BUILD_NFS_IDMAP_TRUE@ $(NULL) + +@BUILD_NFS_IDMAP_TRUE@sss_la_CFLAGS = $(AM_CFLAGS) +@BUILD_NFS_IDMAP_TRUE@sss_la_LIBADD = \ +@BUILD_NFS_IDMAP_TRUE@ $(CLIENT_LIBS) \ +@BUILD_NFS_IDMAP_TRUE@ $(NFSIDMAP_LIBS) \ +@BUILD_NFS_IDMAP_TRUE@ $(NULL) + +@BUILD_NFS_IDMAP_TRUE@sss_la_LDFLAGS = \ +@BUILD_NFS_IDMAP_TRUE@ -module \ +@BUILD_NFS_IDMAP_TRUE@ -avoid-version \ +@BUILD_NFS_IDMAP_TRUE@ $(NULL) + +pamlib_LTLIBRARIES = pam_sss.la +pam_sss_la_SOURCES = \ + src/sss_client/pam_sss.c \ + src/sss_client/pam_message.c \ + src/sss_client/common.c \ + src/sss_client/sss_cli.h \ + src/util/atomic_io.c \ + src/util/authtok-utils.c \ + src/sss_client/sss_pam_macros.h \ + src/sss_client/sss_pam_compat.h + +pam_sss_la_LIBADD = \ + $(CLIENT_LIBS) \ + $(PAM_LIBS) + +pam_sss_la_LDFLAGS = \ + -module \ + 
-avoid-version \ + -Wl,--version-script,$(srcdir)/src/sss_client/sss_pam.exports + +@BUILD_SUDO_TRUE@libsss_sudo_la_SOURCES = \ +@BUILD_SUDO_TRUE@ src/sss_client/common.c \ +@BUILD_SUDO_TRUE@ src/sss_client/sss_cli.h \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo_response.c \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo.c \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo.h \ +@BUILD_SUDO_TRUE@ src/sss_client/sudo/sss_sudo_private.h + +@BUILD_SUDO_TRUE@libsss_sudo_la_LIBADD = \ +@BUILD_SUDO_TRUE@ $(CLIENT_LIBS) + +@BUILD_SUDO_TRUE@libsss_sudo_la_LDFLAGS = \ +@BUILD_SUDO_TRUE@ -Wl,--version-script,$(srcdir)/src/sss_client/sss_sudo.exports \ +@BUILD_SUDO_TRUE@ -module \ +@BUILD_SUDO_TRUE@ -avoid-version + +@BUILD_SUDO_TRUE@sudolib_LTLIBRARIES = libsss_sudo.la +@BUILD_AUTOFS_TRUE@autofslib_LTLIBRARIES = libsss_autofs.la +@BUILD_AUTOFS_TRUE@libsss_autofs_la_SOURCES = \ +@BUILD_AUTOFS_TRUE@ src/sss_client/common.c \ +@BUILD_AUTOFS_TRUE@ src/sss_client/sss_cli.h \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs/sss_autofs.c \ +@BUILD_AUTOFS_TRUE@ src/sss_client/autofs/sss_autofs_private.h + +@BUILD_AUTOFS_TRUE@libsss_autofs_la_LIBADD = \ +@BUILD_AUTOFS_TRUE@ $(CLIENT_LIBS) + +@BUILD_AUTOFS_TRUE@libsss_autofs_la_LDFLAGS = \ +@BUILD_AUTOFS_TRUE@ -module \ +@BUILD_AUTOFS_TRUE@ -avoid-version \ +@BUILD_AUTOFS_TRUE@ -Wl,--version-script,$(srcdir)/src/sss_client/autofs/sss_autofs.exports + +libsss_ldap_common_la_SOURCES = src/providers/ldap/ldap_id.c \ + src/providers/ldap/ldap_id_enum.c \ + src/providers/ldap/sdap_async_enum.c \ + src/providers/ldap/ldap_id_cleanup.c \ + src/providers/ldap/ldap_id_netgroup.c \ + src/providers/ldap/ldap_id_services.c \ + src/providers/ldap/ldap_auth.c \ + src/providers/ldap/ldap_common.c \ + src/providers/ldap/ldap_options.c \ + src/providers/ldap/ldap_opts.c \ + src/providers/ldap/sdap_access.c \ + src/providers/ldap/sdap_async.c \ + src/providers/ldap/sdap_async_users.c \ + src/providers/ldap/sdap_async_groups.c \ + 
src/providers/ldap/sdap_async_nested_groups.c \ + src/providers/ldap/sdap_async_groups_ad.c \ + src/providers/ldap/sdap_async_initgroups.c \ + src/providers/ldap/sdap_async_initgroups_ad.c \ + src/providers/ldap/sdap_async_connection.c \ + src/providers/ldap/sdap_async_netgroups.c \ + src/providers/ldap/sdap_async_hosts.c \ + src/providers/ldap/sdap_async_services.c \ + src/providers/ldap/sdap_online_check.c \ + src/providers/ldap/sdap_ad_groups.c \ + src/providers/ldap/sdap_child_helpers.c \ + src/providers/ldap/sdap_fd_events.c \ + src/providers/ldap/sdap_hostid.h \ + src/providers/ldap/sdap_id_op.c \ + src/providers/ldap/sdap_certmap.c \ + src/providers/ldap/sdap_idmap.c \ + src/providers/ldap/sdap_idmap.h \ + src/providers/ldap/sdap_range.c \ + src/providers/ldap/sdap_reinit.c \ + src/providers/ldap/sdap_dyndns.c \ + src/providers/ldap/sdap_refresh.c \ + src/providers/ldap/sdap_utils.c \ + src/providers/ldap/sdap_domain.c src/providers/ldap/sdap_ops.c \ + src/providers/ldap/sdap.c src/providers/ipa/ipa_dn.c \ + src/util/user_info_msg.c src/util/sss_sockets.c \ + src/util/sss_ldap.c $(NULL) $(am__append_72) $(am__append_73) \ + $(am__append_74) +libsss_ldap_common_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(NULL) + +libsss_ldap_common_la_LIBADD = $(TALLOC_LIBS) $(TEVENT_LIBS) \ + $(LDB_LIBS) $(OPENLDAP_LIBS) $(DHASH_LIBS) $(KRB5_LIBS) \ + libsss_krb5_common.la libsss_idmap.la libsss_certmap.la \ + $(SSSD_INTERNAL_LTLIBS) $(NULL) $(am__append_71) +libsss_ldap_common_la_LDFLAGS = \ + -avoid-version \ + $(NULL) + +libsss_krb5_common_la_SOURCES = \ + src/providers/krb5/krb5_utils.c \ + src/providers/krb5/krb5_delayed_online_authentication.c \ + src/providers/krb5/krb5_renew_tgt.c \ + src/providers/krb5/krb5_wait_queue.c \ + src/providers/krb5/krb5_common.c \ + src/providers/krb5/krb5_opts.c \ + src/providers/krb5/krb5_auth.c \ + src/providers/krb5/krb5_access.c \ + src/providers/krb5/krb5_child_handler.c \ + src/providers/krb5/krb5_init_shared.c \ + 
src/providers/krb5/krb5_ccache.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + src/util/become_user.c \ + $(NULL) + +libsss_krb5_common_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(KRB5_CFLAGS) + +libsss_krb5_common_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(LDB_LIBS) \ + $(KEYUTILS_LIBS) \ + $(DHASH_LIBS) \ + $(KRB5_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + +libsss_krb5_common_la_LDFLAGS = \ + -avoid-version + +libsss_ldap_la_SOURCES = \ + src/providers/ldap/ldap_init.c \ + src/providers/ldap/ldap_access.c + +libsss_ldap_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(OPENLDAP_CFLAGS) + +libsss_ldap_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(OPENLDAP_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_ldap_common.la \ + libsss_krb5_common.la + +libsss_ldap_la_LDFLAGS = \ + -avoid-version \ + -module + +libsss_proxy_la_SOURCES = \ + src/providers/proxy/proxy_init.c \ + src/providers/proxy/proxy_client.c \ + src/providers/proxy/proxy_id.c \ + src/providers/proxy/proxy_netgroup.c \ + src/providers/proxy/proxy_services.c \ + src/providers/proxy/proxy_auth.c \ + src/providers/proxy/proxy_iface_generated.c \ + $(NULL) + +libsss_proxy_la_CFLAGS = \ + $(AM_CFLAGS) + +libsss_proxy_la_LIBADD = \ + $(LIBADD_DL) \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(LDB_LIBS) \ + $(PAM_LIBS) \ + $(DHASH_LIBS) \ + $(DBUS_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + +libsss_proxy_la_LDFLAGS = \ + -avoid-version \ + -module + +libsss_files_la_SOURCES = \ + src/providers/files/files_init.c \ + src/providers/files/files_id.c \ + src/providers/files/files_ops.c \ + src/util/inotify.c \ + $(NULL) + +libsss_files_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +libsss_files_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(LDB_LIBS) \ + $(PAM_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + +libsss_files_la_LDFLAGS = \ + -avoid-version \ + -module \ + $(NULL) + +libsss_simple_la_SOURCES = \ + src/providers/simple/simple_access_check.c \ + src/providers/simple/simple_access.c + 
+libsss_simple_la_CFLAGS = \ + $(AM_CFLAGS) + +libsss_simple_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(LDB_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(NULL) + +libsss_simple_la_LDFLAGS = \ + -avoid-version \ + -module + +libsss_krb5_la_SOURCES = \ + src/providers/krb5/krb5_init.c + +libsss_krb5_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(DHASH_CFLAGS) \ + $(KRB5_CFLAGS) + +libsss_krb5_la_LIBADD = \ + $(TALLOC_LIBS) \ + $(DHASH_LIBS) \ + $(KRB5_LIBS) \ + $(PCRE_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_krb5_common.la + +libsss_krb5_la_LDFLAGS = \ + -avoid-version \ + -module + +libsss_ipa_la_SOURCES = src/providers/ipa/ipa_init.c \ + src/providers/ipa/ipa_opts.c src/providers/ipa/ipa_common.c \ + src/providers/ipa/ipa_config.c src/providers/ipa/ipa_id.c \ + src/providers/ipa/ipa_netgroups.c src/providers/ipa/ipa_auth.c \ + src/providers/ipa/ipa_access.c src/providers/ipa/ipa_dyndns.c \ + src/providers/ipa/ipa_hosts.c \ + src/providers/ipa/ipa_subdomains.c \ + src/providers/ipa/ipa_subdomains_id.c \ + src/providers/ipa/ipa_subdomains_server.c \ + src/providers/ipa/ipa_subdomains_utils.c \ + src/providers/ipa/ipa_subdomains_ext_groups.c \ + src/providers/ipa/ipa_views.c src/providers/ipa/ipa_utils.c \ + src/providers/ipa/ipa_s2n_exop.c \ + src/providers/ipa/ipa_hbac_hosts.c \ + src/providers/ipa/ipa_hbac_private.h \ + src/providers/ipa/ipa_hbac_rules.c \ + src/providers/ipa/ipa_hbac_rules.h \ + src/providers/ipa/ipa_hbac_services.c \ + src/providers/ipa/ipa_hbac_users.c \ + src/providers/ipa/ipa_hbac_common.c \ + src/providers/ipa/ipa_rules_common.c \ + src/providers/ipa/ipa_rules_common.h \ + src/providers/ipa/ipa_session.c \ + src/providers/ipa/ipa_deskprofile_private.h \ + src/providers/ipa/ipa_deskprofile_config.c \ + src/providers/ipa/ipa_deskprofile_config.h \ + src/providers/ipa/ipa_deskprofile_rules.c \ + src/providers/ipa/ipa_deskprofile_rules.h \ + src/providers/ipa/ipa_deskprofile_rules_util.c \ + src/providers/ipa/ipa_deskprofile_rules_util.h \ + 
src/providers/ipa/ipa_srv.c src/providers/ipa/ipa_idmap.c \ + src/providers/ipa/ipa_dn.c src/providers/ad/ad_opts.c \ + src/providers/ad/ad_common.c src/providers/ad/ad_dyndns.c \ + src/providers/ad/ad_id.c src/providers/ad/ad_pac.c \ + src/providers/ad/ad_pac_common.c src/providers/ad/ad_srv.c \ + src/providers/ad/ad_domain_info.c $(am__append_75) \ + $(am__append_76) $(am__append_77) $(am__append_78) +libsss_ipa_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(OPENLDAP_CFLAGS) \ + $(DHASH_CFLAGS) \ + $(NDR_NBT_CFLAGS) \ + $(NDR_KRB5PAC_CFLAGS) \ + $(KRB5_CFLAGS) + +libsss_ipa_la_LIBADD = \ + $(LDB_LIBS) \ + $(DBUS_LIBS) \ + $(OPENLDAP_LIBS) \ + $(DHASH_LIBS) \ + $(NDR_NBT_LIBS) \ + $(NDR_KRB5PAC_LIBS) \ + $(KRB5_LIBS) \ + $(SELINUX_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + libsss_ldap_common.la \ + libsss_krb5_common.la \ + libipa_hbac.la \ + libsss_idmap.la \ + libsss_semanage.la \ + $(NULL) + +libsss_ipa_la_LDFLAGS = \ + -avoid-version \ + -module + +libsss_ad_la_SOURCES = src/providers/ad/ad_opts.c \ + src/providers/ad/ad_common.c src/providers/ad/ad_init.c \ + src/providers/ad/ad_dyndns.c \ + src/providers/ad/ad_machine_pw_renewal.c \ + src/providers/ad/ad_id.c src/providers/ad/ad_pac.c \ + src/providers/ad/ad_pac_common.c src/providers/ad/ad_access.c \ + src/providers/ad/ad_gpo.c src/providers/ad/ad_gpo_ndr.c \ + src/providers/ad/ad_srv.c src/providers/ad/ad_subdomains.c \ + src/providers/ad/ad_domain_info.c $(am__append_79) \ + $(am__append_80) +libsss_ad_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(OPENLDAP_CFLAGS) \ + $(SASL_CFLAGS) \ + $(DHASH_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(NDR_NBT_CFLAGS) \ + $(NDR_KRB5PAC_CFLAGS) \ + $(SMBCLIENT_CFLAGS) + +libsss_ad_la_LIBADD = \ + $(LDB_LIBS) \ + $(OPENLDAP_LIBS) \ + $(SASL_LIBS) \ + $(DHASH_LIBS) \ + $(INI_CONFIG_LIBS) \ + $(KRB5_LIBS) \ + $(NDR_NBT_LIBS) \ + $(NDR_KRB5PAC_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) \ + $(SMBCLIENT_LIBS) \ + libsss_ldap_common.la \ + libsss_krb5_common.la \ + libsss_idmap.la + +libsss_ad_la_LDFLAGS = \ + -avoid-version 
\ + -module + +krb5_child_SOURCES = \ + src/providers/krb5/krb5_child.c \ + src/providers/krb5/krb5_ccache.c \ + src/providers/krb5/krb5_keytab.c \ + src/providers/dp_pam_data_util.c \ + src/util/user_info_msg.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + src/util/find_uid.c \ + src/util/atomic_io.c \ + src/util/authtok.c \ + src/util/authtok-utils.c \ + src/util/util.c \ + src/util/util_ext.c \ + src/util/signal.c \ + src/util/strtonum.c \ + src/util/become_user.c \ + src/util/util_errors.c \ + src/sss_client/common.c \ + $(NULL) + +krb5_child_CFLAGS = \ + $(AM_CFLAGS) \ + $(POPT_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(SYSTEMD_LOGIN_CFLAGS) \ + $(NULL) + +krb5_child_LDADD = \ + libsss_debug.la \ + $(TALLOC_LIBS) \ + $(POPT_LIBS) \ + $(DHASH_LIBS) \ + $(KRB5_LIBS) \ + $(CLIENT_LIBS) \ + $(SYSTEMD_LOGIN_LIBS) \ + $(NULL) + +ldap_child_SOURCES = \ + src/providers/ldap/ldap_child.c \ + src/providers/krb5/krb5_keytab.c \ + src/util/sss_krb5.c \ + src/util/sss_iobuf.c \ + src/util/atomic_io.c \ + src/util/authtok.c \ + src/util/authtok-utils.c \ + src/util/util.c \ + src/util/util_ext.c \ + src/util/signal.c \ + src/util/become_user.c \ + $(NULL) + +ldap_child_CFLAGS = \ + $(AM_CFLAGS) \ + $(POPT_CFLAGS) \ + $(KRB5_CFLAGS) + +ldap_child_LDADD = \ + libsss_debug.la \ + $(TALLOC_LIBS) \ + $(POPT_LIBS) \ + $(DHASH_LIBS) \ + $(KRB5_LIBS) + +@BUILD_SEMANAGE_TRUE@selinux_child_SOURCES = \ +@BUILD_SEMANAGE_TRUE@ src/providers/ipa/selinux_child.c \ +@BUILD_SEMANAGE_TRUE@ src/util/sss_semanage.c \ +@BUILD_SEMANAGE_TRUE@ src/util/atomic_io.c \ +@BUILD_SEMANAGE_TRUE@ src/util/util.c \ +@BUILD_SEMANAGE_TRUE@ src/util/util_ext.c \ +@BUILD_SEMANAGE_TRUE@ src/util/util_errors.c + +@BUILD_SEMANAGE_TRUE@selinux_child_CFLAGS = \ +@BUILD_SEMANAGE_TRUE@ $(AM_CFLAGS) \ +@BUILD_SEMANAGE_TRUE@ $(POPT_CFLAGS) \ +@BUILD_SEMANAGE_TRUE@ $(NULL) + +@BUILD_SEMANAGE_TRUE@selinux_child_LDADD = \ +@BUILD_SEMANAGE_TRUE@ libsss_debug.la \ +@BUILD_SEMANAGE_TRUE@ $(TALLOC_LIBS) \ +@BUILD_SEMANAGE_TRUE@ 
$(POPT_LIBS) \ +@BUILD_SEMANAGE_TRUE@ $(DHASH_LIBS) \ +@BUILD_SEMANAGE_TRUE@ $(SEMANAGE_LIBS) \ +@BUILD_SEMANAGE_TRUE@ $(SELINUX_LIBS) \ +@BUILD_SEMANAGE_TRUE@ $(NULL) + +gpo_child_SOURCES = \ + src/providers/ad/ad_gpo_child.c \ + src/util/atomic_io.c \ + src/util/util.c \ + src/util/util_ext.c \ + src/util/signal.c + +gpo_child_CFLAGS = \ + $(AM_CFLAGS) \ + $(POPT_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(INI_CONFIG_CFLAGS) \ + $(SMBCLIENT_CFLAGS) + +gpo_child_LDADD = \ + libsss_debug.la \ + $(TALLOC_LIBS) \ + $(POPT_LIBS) \ + $(DHASH_LIBS) \ + $(INI_CONFIG_LIBS) \ + $(SMBCLIENT_LIBS) + +proxy_child_SOURCES = \ + src/providers/proxy/proxy_child.c \ + src/providers/proxy/proxy_iface_generated.c \ + $(NULL) + +proxy_child_CFLAGS = \ + $(AM_CFLAGS) \ + $(POPT_CFLAGS) + +proxy_child_LDADD = \ + $(PAM_LIBS) \ + $(SSSD_LIBS) \ + $(SSSD_INTERNAL_LTLIBS) + +p11_child_SOURCES = src/p11_child/p11_child_common.c \ + src/util/atomic_io.c src/util/util.c src/util/util_ext.c \ + $(NULL) $(am__append_81) $(am__append_82) +p11_child_CFLAGS = $(AM_CFLAGS) $(POPT_CFLAGS) $(NULL) \ + $(am__append_83) $(am__append_84) +p11_child_LDADD = libsss_debug.la $(TALLOC_LIBS) $(DHASH_LIBS) \ + $(POPT_LIBS) libsss_crypt.la $(NULL) $(am__append_85) \ + $(am__append_86) +memberof_la_SOURCES = \ + src/ldb_modules/memberof.c \ + src/util/util.c \ + src/util/util_ext.c \ + $(NULL) + +memberof_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +memberof_la_LIBADD = \ + libsss_debug.la \ + $(TALLOC_LIBS) \ + $(LDB_LIBS) \ + $(DHASH_LIBS) \ + $(NULL) + +memberof_la_LDFLAGS = \ + -avoid-version \ + -module \ + $(NULL) + +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@sssd_krb5_locator_plugin_la_SOURCES = \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ src/krb5_plugin/sssd_krb5_locator_plugin.c \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ src/util/atomic_io.c + +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@sssd_krb5_locator_plugin_la_CFLAGS = \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ $(AM_CFLAGS) \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ $(KRB5_CFLAGS) + 
+@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@sssd_krb5_locator_plugin_la_LDFLAGS = \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ -avoid-version \ +@BUILD_KRB5_LOCATOR_PLUGIN_TRUE@ -module + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@sssd_krb5_localauth_plugin_la_SOURCES = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/krb5_plugin/sssd_krb5_localauth_plugin.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/util/murmurhash3.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/util/io.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/common.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/nss_mc_common.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/nss_mc_passwd.c \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ src/sss_client/nss_passwd.c + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@sssd_krb5_localauth_plugin_la_CFLAGS = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(AM_CFLAGS) \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(KRB5_CFLAGS) + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@sssd_krb5_localauth_plugin_la_LIBADD = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ $(KRB5_LIBS) + +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@sssd_krb5_localauth_plugin_la_LDFLAGS = \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ -avoid-version \ +@BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE@ -module + +sssd_pac_plugin_la_SOURCES = \ + src/sss_client/sssd_pac.c \ + src/sss_client/common.c \ + src/sss_client/sss_cli.h \ + src/sss_client/krb5_authdata_int.h + +sssd_pac_plugin_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(KRB5_CFLAGS) + +sssd_pac_plugin_la_LIBADD = \ + $(CLIENT_LIBS) \ + $(KRB5_LIBS) + +sssd_pac_plugin_la_LDFLAGS = \ + -avoid-version \ + -module + +sssd_pac_test_client_SOURCES = \ + src/sss_client/sss_pac_responder_client.c \ + src/sss_client/common.c \ + src/util/strtonum.c \ + $(NULL) + +sssd_pac_test_client_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +sssd_pac_test_client_LDADD = \ + $(CLIENT_LIBS) \ + -lpthread \ + $(NULL) + + +# python[23] bindings +pysss_la_SOURCES = \ + $(SSSD_TOOLS_OBJ) \ + src/python/pysss.c + +pysss_la_LDFLAGS = \ + -avoid-version \ + -module + +_py2sss_la_SOURCES = 
$(pysss_la_SOURCES) +_py2sss_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON2_CFLAGS) + +_py2sss_la_LIBADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(PYTHON_BINDINGS_LIBS) \ + $(PYTHON2_LIBS) + +_py2sss_la_LDFLAGS = $(pysss_la_LDFLAGS) +_py3sss_la_SOURCES = $(pysss_la_SOURCES) +_py3sss_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON3_CFLAGS) + +_py3sss_la_LIBADD = \ + $(SSSD_INTERNAL_LTLIBS) \ + $(PYTHON_BINDINGS_LIBS) \ + $(PYTHON3_LIBS) + +_py3sss_la_LDFLAGS = $(pysss_la_LDFLAGS) +pyhbac_la_SOURCES = \ + src/python/pyhbac.c \ + src/util/sss_python.c + +pyhbac_la_LDFLAGS = \ + -avoid-version \ + -module + +_py2hbac_la_SOURCES = $(pyhbac_la_SOURCES) +_py2hbac_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON2_CFLAGS) + +_py2hbac_la_LIBADD = \ + $(PYTHON2_LIBS) \ + libipa_hbac.la + +_py2hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS) +_py3hbac_la_SOURCES = $(pyhbac_la_SOURCES) +_py3hbac_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON3_CFLAGS) + +_py3hbac_la_LIBADD = \ + $(PYTHON3_LIBS) \ + libipa_hbac.la + +_py3hbac_la_LDFLAGS = $(pyhbac_la_LDFLAGS) +pysss_murmur_la_SOURCES = \ + src/python/pysss_murmur.c \ + src/util/murmurhash3.c + +pysss_murmur_la_LDFLAGS = \ + -avoid-version \ + -module + +_py2sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES) +_py2sss_murmur_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON2_CFLAGS) + +_py2sss_murmur_la_LIBADD = \ + $(PYTHON2_LIBS) + +_py2sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS) +_py3sss_murmur_la_SOURCES = $(pysss_murmur_la_SOURCES) +_py3sss_murmur_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON3_CFLAGS) + +_py3sss_murmur_la_LIBADD = \ + $(PYTHON3_LIBS) + +_py3sss_murmur_la_LDFLAGS = $(pysss_murmur_la_LDFLAGS) +pysss_nss_idmap_la_SOURCES = \ + src/python/pysss_nss_idmap.c + +pysss_nss_idmap_la_LDFLAGS = \ + -avoid-version \ + -module + +_py2sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES) +_py2sss_nss_idmap_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON2_CFLAGS) + +_py2sss_nss_idmap_la_LIBADD = \ + $(PYTHON2_LIBS) \ + libsss_nss_idmap.la + +_py2sss_nss_idmap_la_LDFLAGS 
= $(pysss_nss_idmap_la_LDFLAGS) +_py3sss_nss_idmap_la_SOURCES = $(pysss_nss_idmap_la_SOURCES) +_py3sss_nss_idmap_la_CFLAGS = \ + $(AM_CFLAGS) \ + $(PYTHON3_CFLAGS) + +_py3sss_nss_idmap_la_LIBADD = \ + $(PYTHON3_LIBS) \ + libsss_nss_idmap.la + +_py3sss_nss_idmap_la_LDFLAGS = $(pysss_nss_idmap_la_LDFLAGS) +# end of python[23] bindings +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifs_idmap_sss_la_SOURCES = \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ src/lib/cifs_idmap_sss/cifs_idmap_sss.c + +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifs_idmap_sss_la_LIBADD = \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ libsss_idmap.la \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ libsss_nss_idmap.la + +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifs_idmap_sss_la_CFLAGS = \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ $(AM_CFLAGS) + +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@cifs_idmap_sss_la_LDFLAGS = \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ -avoid-version \ +@BUILD_CIFS_IDMAP_PLUGIN_TRUE@ -module + +@BUILD_SAMBA_TRUE@winbind_idmap_sss_la_SOURCES = \ +@BUILD_SAMBA_TRUE@ src/lib/winbind_idmap_sss/winbind_idmap_sss.c \ +@BUILD_SAMBA_TRUE@ src/util/util_sss_idmap.c \ +@BUILD_SAMBA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@winbind_idmap_sss_la_LIBADD = \ +@BUILD_SAMBA_TRUE@ libsss_idmap.la \ +@BUILD_SAMBA_TRUE@ libsss_nss_idmap.la \ +@BUILD_SAMBA_TRUE@ $(TALLOC_LIBS) \ +@BUILD_SAMBA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@winbind_idmap_sss_la_CFLAGS = \ +@BUILD_SAMBA_TRUE@ $(AM_CFLAGS) \ +@BUILD_SAMBA_TRUE@ $(NDR_KRB5PAC_CFLAGS) \ +@BUILD_SAMBA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@winbind_idmap_sss_la_LDFLAGS = \ +@BUILD_SAMBA_TRUE@ -avoid-version \ +@BUILD_SAMBA_TRUE@ -module \ +@BUILD_SAMBA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@libdlopen_test_winbind_idmap_la_SOURCES = \ +@BUILD_SAMBA_TRUE@ src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c \ +@BUILD_SAMBA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@libdlopen_test_winbind_idmap_la_CFLAGS = \ +@BUILD_SAMBA_TRUE@ $(AM_CFLAGS) \ +@BUILD_SAMBA_TRUE@ $(NDR_KRB5PAC_CFLAGS) \ +@BUILD_SAMBA_TRUE@ $(NULL) + +@BUILD_SAMBA_TRUE@libdlopen_test_winbind_idmap_la_LDFLAGS 
= \ +@BUILD_SAMBA_TRUE@ -shared \ +@BUILD_SAMBA_TRUE@ -avoid-version \ +@BUILD_SAMBA_TRUE@ -rpath $(abs_top_builddir) \ +@BUILD_SAMBA_TRUE@ -export-dynamic + + +####################### +# Installation Extras # +####################### +init_SCRIPTS = $(am__append_94) $(am__append_95) $(am__append_96) +systemdunit_DATA = $(am__append_87) $(am__append_88) $(am__append_89) \ + $(am__append_90) $(am__append_91) $(am__append_92) \ + $(am__append_93) +systemdconf_DATA = +dist_sssddata_DATA = \ + src/config/etc/sssd.api.conf \ + src/config/cfg_rules.ini \ + $(NULL) + +dist_sssdapiplugin_DATA = \ + src/config/etc/sssd.api.d/sssd-ipa.conf \ + src/config/etc/sssd.api.d/sssd-ad.conf \ + src/config/etc/sssd.api.d/sssd-krb5.conf \ + src/config/etc/sssd.api.d/sssd-ldap.conf \ + src/config/etc/sssd.api.d/sssd-local.conf \ + src/config/etc/sssd.api.d/sssd-proxy.conf \ + src/config/etc/sssd.api.d/sssd-simple.conf \ + src/config/etc/sssd.api.d/sssd-files.conf + +edit_cmd = $(SED) \ + -e 's|@sbindir[@]|$(sbindir)|g' \ + -e 's|@environment_file[@]|$(environment_file)|g' \ + -e 's|@localstatedir[@]|$(localstatedir)|g' \ + -e 's|@runstatedir[@]|$(runstatedir)|g' \ + -e 's|@logpath[@]|$(logpath)|g' \ + -e 's|@libexecdir[@]|$(libexecdir)|g' \ + -e 's|@pipepath[@]|$(pipepath)|g' \ + -e 's|@prefix[@]|$(prefix)|g' \ + -e 's|@SSSD_USER[@]|$(SSSD_USER)|g' + +replace_script = \ + @rm -f $@ $@.tmp; \ + srcdir=''; \ + test -f ./$@.in || srcdir=$(srcdir)/; \ + $(edit_cmd) $${srcdir}$@.in >$@.tmp; \ + mv $@.tmp $@ + +SSSD_USER_DIRS = \ + $(DESTDIR)$(dbpath) \ + $(DESTDIR)$(keytabdir) \ + $(DESTDIR)$(mcpath) \ + $(DESTDIR)$(pipepath) \ + $(DESTDIR)$(pubconfpath) \ + $(DESTDIR)$(pubconfpath)/krb5.include.d \ + $(DESTDIR)$(gpocachepath) \ + $(DESTDIR)$(sssdconfdir) \ + $(DESTDIR)$(sssdconfdir)/conf.d \ + $(DESTDIR)$(sssdconfdir)/pki \ + $(DESTDIR)$(sssddefaultconfdir) \ + $(DESTDIR)$(logpath) \ + $(DESTDIR)$(deskprofilepath) \ + $(NULL) + +@BUILD_PYTHON_BINDINGS_TRUE@SSSDCONFIG_MODULES = \ 
+@BUILD_PYTHON_BINDINGS_TRUE@ $(abs_builddir)/src/config/SSSDConfig/ipachangeconf.py + +@BUILD_PYTHON_BINDINGS_FALSE@SSSSCONFIG_MODULES = + +# pre-release related vars +PR_VERSION_DATE := $(shell date +%Y%m%d.%H%M) +PR_VERSION_COMMIT_HASH := $(shell git log -1 --pretty=format:%h) +PR_VERSION_NUMBER = $(PR_VERSION_DATE).git$(PR_VERSION_COMMIT_HASH) +PR_VERSION_REGEX = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.*\]) +PR_VERSION_REPL = m4_define(\[PRERELEASE_VERSION_NUMBER\], \[.$(PR_VERSION_NUMBER)\]) +all: $(BUILT_SOURCES) config.h + $(MAKE) $(AM_MAKEFLAGS) all-recursive + +.SUFFIXES: +.SUFFIXES: .xml _generated.h _generated.c .c .lo .log .o .obj .sh .sh$(EXEEXT) .trs +am--refresh: Makefile + @: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \ + $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + echo ' $(SHELL) ./config.status'; \ + $(SHELL) ./config.status;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + $(SHELL) ./config.status --recheck + +$(top_srcdir)/configure: $(am__configure_deps) + $(am__cd) $(srcdir) && $(AUTOCONF) +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) +$(am__aclocal_m4_deps): + +config.h: stamp-h1 + @test -f $@ || rm -f stamp-h1 + @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) stamp-h1 + +stamp-h1: $(srcdir)/config.h.in $(top_builddir)/config.status + @rm -f stamp-h1 + cd $(top_builddir) && $(SHELL) ./config.status config.h +$(srcdir)/config.h.in: $(am__configure_deps) + ($(am__cd) $(top_srcdir) && $(AUTOHEADER)) + rm -f stamp-h1 + touch $@ + +distclean-hdr: + -rm -f config.h stamp-h1 +contrib/sssd.spec: $(top_builddir)/config.status $(top_srcdir)/contrib/sssd.spec.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/examples/rwtab: $(top_builddir)/config.status $(top_srcdir)/src/examples/rwtab.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/doxy.config: $(top_builddir)/config.status $(top_srcdir)/src/doxy.config.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +contrib/sssd-pcsc.rules: $(top_builddir)/config.status $(top_srcdir)/contrib/sssd-pcsc.rules.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/sysv/sssd: $(top_builddir)/config.status $(top_srcdir)/src/sysv/sssd.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/sysv/gentoo/sssd: $(top_builddir)/config.status $(top_srcdir)/src/sysv/gentoo/sssd.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/sysv/SUSE/sssd: $(top_builddir)/config.status $(top_srcdir)/src/sysv/SUSE/sssd.in + cd $(top_builddir) && $(SHELL) ./config.status $@ 
+src/lib/ipa_hbac/ipa_hbac.pc: $(top_builddir)/config.status $(top_srcdir)/src/lib/ipa_hbac/ipa_hbac.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/ipa_hbac/ipa_hbac.doxy: $(top_builddir)/config.status $(top_srcdir)/src/lib/ipa_hbac/ipa_hbac.doxy.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/idmap/sss_idmap.pc: $(top_builddir)/config.status $(top_srcdir)/src/lib/idmap/sss_idmap.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/idmap/sss_idmap.doxy: $(top_builddir)/config.status $(top_srcdir)/src/lib/idmap/sss_idmap.doxy.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/certmap/sss_certmap.pc: $(top_builddir)/config.status $(top_srcdir)/src/lib/certmap/sss_certmap.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/certmap/sss_certmap.doxy: $(top_builddir)/config.status $(top_srcdir)/src/lib/certmap/sss_certmap.doxy.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/sss_client/idmap/sss_nss_idmap.pc: $(top_builddir)/config.status $(top_srcdir)/src/sss_client/idmap/sss_nss_idmap.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/sss_client/idmap/sss_nss_idmap.doxy: $(top_builddir)/config.status $(top_srcdir)/src/sss_client/idmap/sss_nss_idmap.doxy.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/sss_client/libwbclient/wbclient_sssd.pc: $(top_builddir)/config.status $(top_srcdir)/src/sss_client/libwbclient/wbclient_sssd.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/sifp/sss_simpleifp.pc: $(top_builddir)/config.status $(top_srcdir)/src/lib/sifp/sss_simpleifp.pc.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/lib/sifp/sss_simpleifp.doxy: $(top_builddir)/config.status $(top_srcdir)/src/lib/sifp/sss_simpleifp.doxy.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/config/setup.py: $(top_builddir)/config.status $(top_srcdir)/src/config/setup.py.in + cd $(top_builddir) && $(SHELL) ./config.status $@ 
+src/systemtap/sssd.stp: $(top_builddir)/config.status $(top_srcdir)/src/systemtap/sssd.stp.in + cd $(top_builddir) && $(SHELL) ./config.status $@ +src/config/SSSDConfig/__init__.py: $(top_builddir)/config.status $(top_srcdir)/src/config/SSSDConfig/__init__.py.in + cd $(top_builddir) && $(SHELL) ./config.status $@ + +install-autofslibLTLIBRARIES: $(autofslib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(autofslib_LTLIBRARIES)'; test -n "$(autofslibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(autofslibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(autofslibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(autofslibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(autofslibdir)"; \ + } + +uninstall-autofslibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(autofslib_LTLIBRARIES)'; test -n "$(autofslibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(autofslibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(autofslibdir)/$$f"; \ + done + +clean-autofslibLTLIBRARIES: + -test -z "$(autofslib_LTLIBRARIES)" || rm -f $(autofslib_LTLIBRARIES) + @list='$(autofslib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +clean-checkLTLIBRARIES: + -test -z "$(check_LTLIBRARIES)" || rm -f $(check_LTLIBRARIES) + @list='$(check_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" 
|| { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-cifspluginLTLIBRARIES: $(cifsplugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(cifsplugin_LTLIBRARIES)'; test -n "$(cifsplugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(cifsplugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(cifsplugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(cifsplugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(cifsplugindir)"; \ + } + +uninstall-cifspluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(cifsplugin_LTLIBRARIES)'; test -n "$(cifsplugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(cifsplugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(cifsplugindir)/$$f"; \ + done + +clean-cifspluginLTLIBRARIES: + -test -z "$(cifsplugin_LTLIBRARIES)" || rm -f $(cifsplugin_LTLIBRARIES) + @list='$(cifsplugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-krb5authdata_pluginLTLIBRARIES: $(krb5authdata_plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(krb5authdata_plugin_LTLIBRARIES)'; test -n "$(krb5authdata_plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(krb5authdata_plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(krb5authdata_plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(krb5authdata_plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(krb5authdata_plugindir)"; \ + } + +uninstall-krb5authdata_pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(krb5authdata_plugin_LTLIBRARIES)'; test -n "$(krb5authdata_plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(krb5authdata_plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(krb5authdata_plugindir)/$$f"; \ + done + +clean-krb5authdata_pluginLTLIBRARIES: + -test -z "$(krb5authdata_plugin_LTLIBRARIES)" || rm -f $(krb5authdata_plugin_LTLIBRARIES) + @list='$(krb5authdata_plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-krb5localauth_pluginLTLIBRARIES: $(krb5localauth_plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(krb5localauth_plugin_LTLIBRARIES)'; test -n "$(krb5localauth_plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(krb5localauth_plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(krb5localauth_plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(krb5localauth_plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(krb5localauth_plugindir)"; \ + } + +uninstall-krb5localauth_pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(krb5localauth_plugin_LTLIBRARIES)'; test -n "$(krb5localauth_plugindir)" || 
list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(krb5localauth_plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(krb5localauth_plugindir)/$$f"; \ + done + +clean-krb5localauth_pluginLTLIBRARIES: + -test -z "$(krb5localauth_plugin_LTLIBRARIES)" || rm -f $(krb5localauth_plugin_LTLIBRARIES) + @list='$(krb5localauth_plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-krb5pluginLTLIBRARIES: $(krb5plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(krb5plugin_LTLIBRARIES)'; test -n "$(krb5plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(krb5plugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(krb5plugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(krb5plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(krb5plugindir)"; \ + } + +uninstall-krb5pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(krb5plugin_LTLIBRARIES)'; test -n "$(krb5plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(krb5plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(krb5plugindir)/$$f"; \ + done + +clean-krb5pluginLTLIBRARIES: + -test -z "$(krb5plugin_LTLIBRARIES)" || rm -f $(krb5plugin_LTLIBRARIES) + @list='$(krb5plugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; 
s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-ldblibLTLIBRARIES: $(ldblib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(ldblib_LTLIBRARIES)'; test -n "$(ldblibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(ldblibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(ldblibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(ldblibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(ldblibdir)"; \ + } + +uninstall-ldblibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(ldblib_LTLIBRARIES)'; test -n "$(ldblibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(ldblibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(ldblibdir)/$$f"; \ + done + +clean-ldblibLTLIBRARIES: + -test -z "$(ldblib_LTLIBRARIES)" || rm -f $(ldblib_LTLIBRARIES) + @list='$(ldblib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + 
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-libwbclientLTLIBRARIES: $(libwbclient_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(libwbclient_LTLIBRARIES)'; test -n "$(libwbclientdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libwbclientdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libwbclientdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libwbclientdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libwbclientdir)"; \ + } + +uninstall-libwbclientLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(libwbclient_LTLIBRARIES)'; test -n "$(libwbclientdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libwbclientdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libwbclientdir)/$$f"; \ + done + +clean-libwbclientLTLIBRARIES: + -test -z "$(libwbclient_LTLIBRARIES)" 
|| rm -f $(libwbclient_LTLIBRARIES) + @list='$(libwbclient_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-nfslibLTLIBRARIES: $(nfslib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(nfslib_LTLIBRARIES)'; test -n "$(nfslibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(nfslibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(nfslibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(nfslibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(nfslibdir)"; \ + } + +uninstall-nfslibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(nfslib_LTLIBRARIES)'; test -n "$(nfslibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(nfslibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(nfslibdir)/$$f"; \ + done + +clean-nfslibLTLIBRARIES: + -test -z "$(nfslib_LTLIBRARIES)" || rm -f $(nfslib_LTLIBRARIES) + @list='$(nfslib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-nsslibLTLIBRARIES: 
$(nsslib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(nsslib_LTLIBRARIES)'; test -n "$(nsslibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(nsslibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(nsslibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(nsslibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(nsslibdir)"; \ + } + +uninstall-nsslibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(nsslib_LTLIBRARIES)'; test -n "$(nsslibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(nsslibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(nsslibdir)/$$f"; \ + done + +clean-nsslibLTLIBRARIES: + -test -z "$(nsslib_LTLIBRARIES)" || rm -f $(nsslib_LTLIBRARIES) + @list='$(nsslib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pamlibLTLIBRARIES: $(pamlib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(pamlib_LTLIBRARIES)'; test -n "$(pamlibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(pamlibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pamlibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pamlibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pamlibdir)"; \ + } + 
+uninstall-pamlibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pamlib_LTLIBRARIES)'; test -n "$(pamlibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pamlibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pamlibdir)/$$f"; \ + done + +clean-pamlibLTLIBRARIES: + -test -z "$(pamlib_LTLIBRARIES)" || rm -f $(pamlib_LTLIBRARIES) + @list='$(pamlib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-pkglibLTLIBRARIES: $(pkglib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkglibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkglibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(pkglibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(pkglibdir)"; \ + } + +uninstall-pkglibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(pkglib_LTLIBRARIES)'; test -n "$(pkglibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(pkglibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(pkglibdir)/$$f"; \ + done + +clean-pkglibLTLIBRARIES: + -test -z "$(pkglib_LTLIBRARIES)" || rm -f $(pkglib_LTLIBRARIES) + @list='$(pkglib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort 
-u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-py2execLTLIBRARIES: $(py2exec_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(py2exec_LTLIBRARIES)'; test -n "$(py2execdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(py2execdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(py2execdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(py2execdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(py2execdir)"; \ + } + +uninstall-py2execLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(py2exec_LTLIBRARIES)'; test -n "$(py2execdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(py2execdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(py2execdir)/$$f"; \ + done + +clean-py2execLTLIBRARIES: + -test -z "$(py2exec_LTLIBRARIES)" || rm -f $(py2exec_LTLIBRARIES) + @list='$(py2exec_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-py3execLTLIBRARIES: $(py3exec_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(py3exec_LTLIBRARIES)'; test -n "$(py3execdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(py3execdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(py3execdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(py3execdir)'"; \ + 
$(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(py3execdir)"; \ + } + +uninstall-py3execLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(py3exec_LTLIBRARIES)'; test -n "$(py3execdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(py3execdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(py3execdir)/$$f"; \ + done + +clean-py3execLTLIBRARIES: + -test -z "$(py3exec_LTLIBRARIES)" || rm -f $(py3exec_LTLIBRARIES) + @list='$(py3exec_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-sssdlibLTLIBRARIES: $(sssdlib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(sssdlib_LTLIBRARIES)'; test -n "$(sssdlibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssdlibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssdlibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(sssdlibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(sssdlibdir)"; \ + } + +uninstall-sssdlibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(sssdlib_LTLIBRARIES)'; test -n "$(sssdlibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(sssdlibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(sssdlibdir)/$$f"; \ + done + +clean-sssdlibLTLIBRARIES: + -test -z "$(sssdlib_LTLIBRARIES)" || rm -f 
$(sssdlib_LTLIBRARIES) + @list='$(sssdlib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-sudolibLTLIBRARIES: $(sudolib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(sudolib_LTLIBRARIES)'; test -n "$(sudolibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(sudolibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sudolibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(sudolibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(sudolibdir)"; \ + } + +uninstall-sudolibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(sudolib_LTLIBRARIES)'; test -n "$(sudolibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(sudolibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(sudolibdir)/$$f"; \ + done + +clean-sudolibLTLIBRARIES: + -test -z "$(sudolib_LTLIBRARIES)" || rm -f $(sudolib_LTLIBRARIES) + @list='$(sudolib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +install-winbindpluginLTLIBRARIES: $(winbindplugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(winbindplugin_LTLIBRARIES)'; test -n "$(winbindplugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(winbindplugindir)'"; \ 
+ $(MKDIR_P) "$(DESTDIR)$(winbindplugindir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(winbindplugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(winbindplugindir)"; \ + } + +uninstall-winbindpluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(winbindplugin_LTLIBRARIES)'; test -n "$(winbindplugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(winbindplugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(winbindplugindir)/$$f"; \ + done + +clean-winbindpluginLTLIBRARIES: + -test -z "$(winbindplugin_LTLIBRARIES)" || rm -f $(winbindplugin_LTLIBRARIES) + @list='$(winbindplugin_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } +src/python/$(am__dirstamp): + @$(MKDIR_P) src/python + @: > src/python/$(am__dirstamp) +src/python/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/python/$(DEPDIR) + @: > src/python/$(DEPDIR)/$(am__dirstamp) +src/python/_py2hbac_la-pyhbac.lo: src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) +src/util/$(am__dirstamp): + @$(MKDIR_P) src/util + @: > src/util/$(am__dirstamp) +src/util/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/$(DEPDIR) + @: > src/util/$(DEPDIR)/$(am__dirstamp) +src/util/_py2hbac_la-sss_python.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +_py2hbac.la: $(_py2hbac_la_OBJECTS) $(_py2hbac_la_DEPENDENCIES) $(EXTRA__py2hbac_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py2hbac_la_LINK) $(am__py2hbac_la_rpath) $(_py2hbac_la_OBJECTS) $(_py2hbac_la_LIBADD) $(LIBS) +src/tools/$(am__dirstamp): + @$(MKDIR_P) src/tools + @: 
> src/tools/$(am__dirstamp) +src/tools/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/tools/$(DEPDIR) + @: > src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/_py2sss_la-sss_sync_ops.lo: src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/_py2sss_la-tools_util.lo: src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/$(am__dirstamp): + @$(MKDIR_P) src/tools/common + @: > src/tools/common/$(am__dirstamp) +src/tools/common/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/tools/common/$(DEPDIR) + @: > src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/_py2sss_la-sss_tools.lo: \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/_py2sss_la-sss_process.lo: \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/$(am__dirstamp): + @$(MKDIR_P) src/confdb + @: > src/confdb/$(am__dirstamp) +src/confdb/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/confdb/$(DEPDIR) + @: > src/confdb/$(DEPDIR)/$(am__dirstamp) +src/confdb/_py2sss_la-confdb_setup.lo: src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/_py2sss_la-nscd.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/python/_py2sss_la-pysss.lo: src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) + +_py2sss.la: $(_py2sss_la_OBJECTS) $(_py2sss_la_DEPENDENCIES) $(EXTRA__py2sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py2sss_la_LINK) $(am__py2sss_la_rpath) $(_py2sss_la_OBJECTS) $(_py2sss_la_LIBADD) $(LIBS) +src/python/_py2sss_murmur_la-pysss_murmur.lo: \ + src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) +src/util/_py2sss_murmur_la-murmurhash3.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +_py2sss_murmur.la: $(_py2sss_murmur_la_OBJECTS) $(_py2sss_murmur_la_DEPENDENCIES) $(EXTRA__py2sss_murmur_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py2sss_murmur_la_LINK) $(am__py2sss_murmur_la_rpath) 
$(_py2sss_murmur_la_OBJECTS) $(_py2sss_murmur_la_LIBADD) $(LIBS) +src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo: \ + src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) + +_py2sss_nss_idmap.la: $(_py2sss_nss_idmap_la_OBJECTS) $(_py2sss_nss_idmap_la_DEPENDENCIES) $(EXTRA__py2sss_nss_idmap_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py2sss_nss_idmap_la_LINK) $(am__py2sss_nss_idmap_la_rpath) $(_py2sss_nss_idmap_la_OBJECTS) $(_py2sss_nss_idmap_la_LIBADD) $(LIBS) +src/python/_py3hbac_la-pyhbac.lo: src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) +src/util/_py3hbac_la-sss_python.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +_py3hbac.la: $(_py3hbac_la_OBJECTS) $(_py3hbac_la_DEPENDENCIES) $(EXTRA__py3hbac_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py3hbac_la_LINK) $(am__py3hbac_la_rpath) $(_py3hbac_la_OBJECTS) $(_py3hbac_la_LIBADD) $(LIBS) +src/tools/_py3sss_la-sss_sync_ops.lo: src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/_py3sss_la-tools_util.lo: src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/_py3sss_la-sss_tools.lo: \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/_py3sss_la-sss_process.lo: \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/_py3sss_la-confdb_setup.lo: src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/_py3sss_la-nscd.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/python/_py3sss_la-pysss.lo: src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) + +_py3sss.la: $(_py3sss_la_OBJECTS) $(_py3sss_la_DEPENDENCIES) $(EXTRA__py3sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py3sss_la_LINK) $(am__py3sss_la_rpath) $(_py3sss_la_OBJECTS) $(_py3sss_la_LIBADD) $(LIBS) +src/python/_py3sss_murmur_la-pysss_murmur.lo: \ + src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) 
+src/util/_py3sss_murmur_la-murmurhash3.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +_py3sss_murmur.la: $(_py3sss_murmur_la_OBJECTS) $(_py3sss_murmur_la_DEPENDENCIES) $(EXTRA__py3sss_murmur_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py3sss_murmur_la_LINK) $(am__py3sss_murmur_la_rpath) $(_py3sss_murmur_la_OBJECTS) $(_py3sss_murmur_la_LIBADD) $(LIBS) +src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo: \ + src/python/$(am__dirstamp) \ + src/python/$(DEPDIR)/$(am__dirstamp) + +_py3sss_nss_idmap.la: $(_py3sss_nss_idmap_la_OBJECTS) $(_py3sss_nss_idmap_la_DEPENDENCIES) $(EXTRA__py3sss_nss_idmap_la_DEPENDENCIES) + $(AM_V_CCLD)$(_py3sss_nss_idmap_la_LINK) $(am__py3sss_nss_idmap_la_rpath) $(_py3sss_nss_idmap_la_OBJECTS) $(_py3sss_nss_idmap_la_LIBADD) $(LIBS) +src/lib/cifs_idmap_sss/$(am__dirstamp): + @$(MKDIR_P) src/lib/cifs_idmap_sss + @: > src/lib/cifs_idmap_sss/$(am__dirstamp) +src/lib/cifs_idmap_sss/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/lib/cifs_idmap_sss/$(DEPDIR) + @: > src/lib/cifs_idmap_sss/$(DEPDIR)/$(am__dirstamp) +src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo: \ + src/lib/cifs_idmap_sss/$(am__dirstamp) \ + src/lib/cifs_idmap_sss/$(DEPDIR)/$(am__dirstamp) + +cifs_idmap_sss.la: $(cifs_idmap_sss_la_OBJECTS) $(cifs_idmap_sss_la_DEPENDENCIES) $(EXTRA_cifs_idmap_sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(cifs_idmap_sss_la_LINK) $(am_cifs_idmap_sss_la_rpath) $(cifs_idmap_sss_la_OBJECTS) $(cifs_idmap_sss_la_LIBADD) $(LIBS) +src/providers/$(am__dirstamp): + @$(MKDIR_P) src/providers + @: > src/providers/$(am__dirstamp) +src/providers/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/$(DEPDIR) + @: > src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-data_provider_be.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-data_provider_req.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) 
+src/providers/libdlopen_test_providers_la-data_provider_fo.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-data_provider_opts.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-be_dyndns.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-be_ptask.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-be_refresh.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/monitor/$(am__dirstamp): + @$(MKDIR_P) src/monitor + @: > src/monitor/$(am__dirstamp) +src/monitor/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/monitor/$(DEPDIR) + @: > src/monitor/$(DEPDIR)/$(am__dirstamp) +src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo: \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/$(am__dirstamp): + @$(MKDIR_P) src/providers/data_provider + @: > src/providers/data_provider/$(am__dirstamp) +src/providers/data_provider/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/data_provider/$(DEPDIR) + @: > src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + 
src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + 
src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/util/libdlopen_test_providers_la-session_recording.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-fail_over.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libdlopen_test_providers_la-fail_over_srv.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/resolv/$(am__dirstamp): + @$(MKDIR_P) src/resolv + @: > src/resolv/$(am__dirstamp) +src/resolv/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/resolv/$(DEPDIR) + @: > src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/libdlopen_test_providers_la-async_resolv.lo: \ + 
src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo: \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/$(am__dirstamp): + @$(MKDIR_P) src/tests/cmocka + @: > src/tests/cmocka/$(am__dirstamp) +src/tests/cmocka/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/tests/cmocka/$(DEPDIR) + @: > src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo: \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +libdlopen_test_providers.la: $(libdlopen_test_providers_la_OBJECTS) $(libdlopen_test_providers_la_DEPENDENCIES) $(EXTRA_libdlopen_test_providers_la_DEPENDENCIES) + $(AM_V_CCLD)$(libdlopen_test_providers_la_LINK) $(am_libdlopen_test_providers_la_rpath) $(libdlopen_test_providers_la_OBJECTS) $(libdlopen_test_providers_la_LIBADD) $(LIBS) +src/lib/winbind_idmap_sss/$(am__dirstamp): + @$(MKDIR_P) src/lib/winbind_idmap_sss + @: > src/lib/winbind_idmap_sss/$(am__dirstamp) +src/lib/winbind_idmap_sss/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/lib/winbind_idmap_sss/$(DEPDIR) + @: > src/lib/winbind_idmap_sss/$(DEPDIR)/$(am__dirstamp) +src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo: \ + src/lib/winbind_idmap_sss/$(am__dirstamp) \ + src/lib/winbind_idmap_sss/$(DEPDIR)/$(am__dirstamp) + +libdlopen_test_winbind_idmap.la: $(libdlopen_test_winbind_idmap_la_OBJECTS) $(libdlopen_test_winbind_idmap_la_DEPENDENCIES) $(EXTRA_libdlopen_test_winbind_idmap_la_DEPENDENCIES) + $(AM_V_CCLD)$(libdlopen_test_winbind_idmap_la_LINK) $(am_libdlopen_test_winbind_idmap_la_rpath) $(libdlopen_test_winbind_idmap_la_OBJECTS) $(libdlopen_test_winbind_idmap_la_LIBADD) $(LIBS) +src/lib/ipa_hbac/$(am__dirstamp): + @$(MKDIR_P) src/lib/ipa_hbac + @: > src/lib/ipa_hbac/$(am__dirstamp) +src/lib/ipa_hbac/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) 
src/lib/ipa_hbac/$(DEPDIR) + @: > src/lib/ipa_hbac/$(DEPDIR)/$(am__dirstamp) +src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo: \ + src/lib/ipa_hbac/$(am__dirstamp) \ + src/lib/ipa_hbac/$(DEPDIR)/$(am__dirstamp) +src/util/libipa_hbac_la-sss_utf8.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libipa_hbac.la: $(libipa_hbac_la_OBJECTS) $(libipa_hbac_la_DEPENDENCIES) $(EXTRA_libipa_hbac_la_DEPENDENCIES) + $(AM_V_CCLD)$(libipa_hbac_la_LINK) -rpath $(libdir) $(libipa_hbac_la_OBJECTS) $(libipa_hbac_la_LIBADD) $(LIBS) +src/sss_client/$(am__dirstamp): + @$(MKDIR_P) src/sss_client + @: > src/sss_client/$(am__dirstamp) +src/sss_client/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/$(DEPDIR) + @: > src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/common.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_passwd.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_group.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_netgroup.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_services.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_mc_common.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/util/io.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/murmurhash3.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_mc_passwd.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_mc_group.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nss_mc_initgr.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) + +libnss_sss.la: $(libnss_sss_la_OBJECTS) $(libnss_sss_la_DEPENDENCIES) 
$(EXTRA_libnss_sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(libnss_sss_la_LINK) -rpath $(nsslibdir) $(libnss_sss_la_OBJECTS) $(libnss_sss_la_LIBADD) $(LIBS) +src/providers/ad/$(am__dirstamp): + @$(MKDIR_P) src/providers/ad + @: > src/providers/ad/$(am__dirstamp) +src/providers/ad/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/ad/$(DEPDIR) + @: > src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_opts.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_common.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_init.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_dyndns.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_id.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_pac.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_pac_common.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_access.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_gpo.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_srv.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_subdomains.lo: \ + 
src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_domain_info.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_sudo.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_la-ad_autofs.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) + +libsss_ad.la: $(libsss_ad_la_OBJECTS) $(libsss_ad_la_DEPENDENCIES) $(EXTRA_libsss_ad_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_ad_la_LINK) $(am_libsss_ad_la_rpath) $(libsss_ad_la_OBJECTS) $(libsss_ad_la_LIBADD) $(LIBS) +src/providers/ad/libsss_ad_tests_la-ad_opts.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_common.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_init.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_id.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_pac.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_access.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_gpo.lo: \ + src/providers/ad/$(am__dirstamp) \ + 
src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_srv.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_sudo.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ad_tests_la-ad_autofs.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) + +libsss_ad_tests.la: $(libsss_ad_tests_la_OBJECTS) $(libsss_ad_tests_la_DEPENDENCIES) $(EXTRA_libsss_ad_tests_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_ad_tests_la_LINK) $(am_libsss_ad_tests_la_rpath) $(libsss_ad_tests_la_OBJECTS) $(libsss_ad_tests_la_LIBADD) $(LIBS) +src/sss_client/autofs/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/autofs + @: > src/sss_client/autofs/$(am__dirstamp) +src/sss_client/autofs/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/autofs/$(DEPDIR) + @: > src/sss_client/autofs/$(DEPDIR)/$(am__dirstamp) +src/sss_client/autofs/sss_autofs.lo: \ + src/sss_client/autofs/$(am__dirstamp) \ + src/sss_client/autofs/$(DEPDIR)/$(am__dirstamp) + +libsss_autofs.la: $(libsss_autofs_la_OBJECTS) $(libsss_autofs_la_DEPENDENCIES) $(EXTRA_libsss_autofs_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_autofs_la_LINK) $(am_libsss_autofs_la_rpath) $(libsss_autofs_la_OBJECTS) $(libsss_autofs_la_LIBADD) $(LIBS) +src/util/cert/$(am__dirstamp): + @$(MKDIR_P) src/util/cert + @: > src/util/cert/$(am__dirstamp) +src/util/cert/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/cert/$(DEPDIR) + @: > 
src/util/cert/$(DEPDIR)/$(am__dirstamp) +src/util/cert/libsss_cert_la-cert_common.lo: \ + src/util/cert/$(am__dirstamp) \ + src/util/cert/$(DEPDIR)/$(am__dirstamp) +src/util/cert/libsss_cert_la-cert_common_p11_child.lo: \ + src/util/cert/$(am__dirstamp) \ + src/util/cert/$(DEPDIR)/$(am__dirstamp) +src/util/cert/libcrypto/$(am__dirstamp): + @$(MKDIR_P) src/util/cert/libcrypto + @: > src/util/cert/libcrypto/$(am__dirstamp) +src/util/cert/libcrypto/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/cert/libcrypto/$(DEPDIR) + @: > src/util/cert/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/cert/libcrypto/libsss_cert_la-cert.lo: \ + src/util/cert/libcrypto/$(am__dirstamp) \ + src/util/cert/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/cert/nss/$(am__dirstamp): + @$(MKDIR_P) src/util/cert/nss + @: > src/util/cert/nss/$(am__dirstamp) +src/util/cert/nss/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/cert/nss/$(DEPDIR) + @: > src/util/cert/nss/$(DEPDIR)/$(am__dirstamp) +src/util/cert/nss/libsss_cert_la-cert.lo: \ + src/util/cert/nss/$(am__dirstamp) \ + src/util/cert/nss/$(DEPDIR)/$(am__dirstamp) + +libsss_cert.la: $(libsss_cert_la_OBJECTS) $(libsss_cert_la_DEPENDENCIES) $(EXTRA_libsss_cert_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_cert_la_LINK) -rpath $(pkglibdir) $(libsss_cert_la_OBJECTS) $(libsss_cert_la_LIBADD) $(LIBS) +src/lib/certmap/$(am__dirstamp): + @$(MKDIR_P) src/lib/certmap + @: > src/lib/certmap/$(am__dirstamp) +src/lib/certmap/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/lib/certmap/$(DEPDIR) + @: > src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/libsss_certmap_la-sss_certmap.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) 
+src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_certmap_la-util_ext.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/cert/libsss_certmap_la-cert_common.lo: \ + src/util/cert/$(am__dirstamp) \ + src/util/cert/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/$(am__dirstamp): + @$(MKDIR_P) src/util/crypto/nss + @: > src/util/crypto/nss/$(am__dirstamp) +src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/crypto/nss/$(DEPDIR) + @: > src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_certmap_la-nss_base64.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/cert/nss/libsss_certmap_la-cert.lo: \ + src/util/cert/nss/$(am__dirstamp) \ + src/util/cert/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_certmap_la-nss_util.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo: \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libcrypto/$(am__dirstamp): + @$(MKDIR_P) src/util/crypto/libcrypto + @: > src/util/crypto/libcrypto/$(am__dirstamp) +src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/crypto/libcrypto/$(DEPDIR) + @: > src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo: \ + src/util/crypto/libcrypto/$(am__dirstamp) \ + src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) 
+src/util/cert/libcrypto/libsss_certmap_la-cert.lo: \ + src/util/cert/libcrypto/$(am__dirstamp) \ + src/util/cert/libcrypto/$(DEPDIR)/$(am__dirstamp) + +libsss_certmap.la: $(libsss_certmap_la_OBJECTS) $(libsss_certmap_la_DEPENDENCIES) $(EXTRA_libsss_certmap_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_certmap_la_LINK) -rpath $(libdir) $(libsss_certmap_la_OBJECTS) $(libsss_certmap_la_LIBADD) $(LIBS) +src/util/child_common.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_child.la: $(libsss_child_la_OBJECTS) $(libsss_child_la_DEPENDENCIES) $(EXTRA_libsss_child_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_child_la_LINK) -rpath $(pkglibdir) $(libsss_child_la_OBJECTS) $(libsss_child_la_LIBADD) $(LIBS) +src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo: \ + src/util/crypto/libcrypto/$(am__dirstamp) \ + src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo: \ + src/util/crypto/libcrypto/$(am__dirstamp) \ + src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo: \ + src/util/crypto/libcrypto/$(am__dirstamp) \ + src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo: \ + src/util/crypto/libcrypto/$(am__dirstamp) \ + src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo: \ + src/util/crypto/libcrypto/$(am__dirstamp) \ + src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/$(am__dirstamp): + @$(MKDIR_P) src/util/crypto + @: > src/util/crypto/$(am__dirstamp) +src/util/crypto/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/util/crypto/$(DEPDIR) + @: > src/util/crypto/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/libsss_crypt_la-sss_crypto.lo: \ + src/util/crypto/$(am__dirstamp) \ + src/util/crypto/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_crypt_la-atomic_io.lo: src/util/$(am__dirstamp) \ + 
src/util/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_crypt_la-nss_base64.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_crypt_la-nss_nite.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) +src/util/crypto/nss/libsss_crypt_la-nss_util.lo: \ + src/util/crypto/nss/$(am__dirstamp) \ + src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) + +libsss_crypt.la: $(libsss_crypt_la_OBJECTS) $(libsss_crypt_la_DEPENDENCIES) $(EXTRA_libsss_crypt_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_crypt_la_LINK) -rpath $(pkglibdir) $(libsss_crypt_la_OBJECTS) $(libsss_crypt_la_LIBADD) $(LIBS) +src/util/debug.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sss_log.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sss_cli_cmd.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_debug.la: $(libsss_debug_la_OBJECTS) $(libsss_debug_la_DEPENDENCIES) $(EXTRA_libsss_debug_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_debug_la_LINK) -rpath $(pkglibdir) $(libsss_debug_la_OBJECTS) $(libsss_debug_la_LIBADD) $(LIBS) +src/providers/files/$(am__dirstamp): + @$(MKDIR_P) src/providers/files + @: > src/providers/files/$(am__dirstamp) +src/providers/files/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/files/$(DEPDIR) + @: > src/providers/files/$(DEPDIR)/$(am__dirstamp) +src/providers/files/libsss_files_la-files_init.lo: \ + src/providers/files/$(am__dirstamp) \ + 
src/providers/files/$(DEPDIR)/$(am__dirstamp) +src/providers/files/libsss_files_la-files_id.lo: \ + src/providers/files/$(am__dirstamp) \ + src/providers/files/$(DEPDIR)/$(am__dirstamp) +src/providers/files/libsss_files_la-files_ops.lo: \ + src/providers/files/$(am__dirstamp) \ + src/providers/files/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_files_la-inotify.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_files.la: $(libsss_files_la_OBJECTS) $(libsss_files_la_DEPENDENCIES) $(EXTRA_libsss_files_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_files_la_LINK) $(am_libsss_files_la_rpath) $(libsss_files_la_OBJECTS) $(libsss_files_la_LIBADD) $(LIBS) +src/lib/idmap/$(am__dirstamp): + @$(MKDIR_P) src/lib/idmap + @: > src/lib/idmap/$(am__dirstamp) +src/lib/idmap/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/lib/idmap/$(DEPDIR) + @: > src/lib/idmap/$(DEPDIR)/$(am__dirstamp) +src/lib/idmap/sss_idmap.lo: src/lib/idmap/$(am__dirstamp) \ + src/lib/idmap/$(DEPDIR)/$(am__dirstamp) +src/lib/idmap/sss_idmap_conv.lo: src/lib/idmap/$(am__dirstamp) \ + src/lib/idmap/$(DEPDIR)/$(am__dirstamp) + +libsss_idmap.la: $(libsss_idmap_la_OBJECTS) $(libsss_idmap_la_DEPENDENCIES) $(EXTRA_libsss_idmap_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_idmap_la_LINK) -rpath $(libdir) $(libsss_idmap_la_OBJECTS) $(libsss_idmap_la_LIBADD) $(LIBS) +src/providers/ipa/$(am__dirstamp): + @$(MKDIR_P) src/providers/ipa + @: > src/providers/ipa/$(am__dirstamp) +src/providers/ipa/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/ipa/$(DEPDIR) + @: > src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_init.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_opts.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_common.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) 
+src/providers/ipa/libsss_ipa_la-ipa_config.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_id.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_auth.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_access.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hosts.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_views.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_utils.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo: \ + 
src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_session.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_srv.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_idmap.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_dn.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_opts.lo: \ + src/providers/ad/$(am__dirstamp) \ + 
src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_common.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_dyndns.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_id.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_pac.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_pac_common.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_srv.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/libsss_ipa_la-ad_domain_info.lo: \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_autofs.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_sudo.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_selinux.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ipa_la-ipa_hostid.lo: \ + src/providers/ipa/$(am__dirstamp) 
\ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +libsss_ipa.la: $(libsss_ipa_la_OBJECTS) $(libsss_ipa_la_DEPENDENCIES) $(EXTRA_libsss_ipa_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_ipa_la_LINK) $(am_libsss_ipa_la_rpath) $(libsss_ipa_la_OBJECTS) $(libsss_ipa_la_LIBADD) $(LIBS) +src/providers/krb5/$(am__dirstamp): + @$(MKDIR_P) src/providers/krb5 + @: > src/providers/krb5/$(am__dirstamp) +src/providers/krb5/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/krb5/$(DEPDIR) + @: > src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_la-krb5_init.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) + +libsss_krb5.la: $(libsss_krb5_la_OBJECTS) $(libsss_krb5_la_DEPENDENCIES) $(EXTRA_libsss_krb5_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_krb5_la_LINK) -rpath $(sssdlibdir) $(libsss_krb5_la_OBJECTS) $(libsss_krb5_la_LIBADD) $(LIBS) +src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_common.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) 
+src/providers/krb5/libsss_krb5_common_la-krb5_access.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo: \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_krb5_common_la-sss_krb5.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_krb5_common_la-sss_iobuf.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_krb5_common_la-become_user.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_krb5_common.la: $(libsss_krb5_common_la_OBJECTS) $(libsss_krb5_common_la_DEPENDENCIES) $(EXTRA_libsss_krb5_common_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_krb5_common_la_LINK) -rpath $(pkglibdir) $(libsss_krb5_common_la_OBJECTS) $(libsss_krb5_common_la_LIBADD) $(LIBS) +src/providers/ldap/$(am__dirstamp): + @$(MKDIR_P) src/providers/ldap + @: > src/providers/ldap/$(am__dirstamp) +src/providers/ldap/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/ldap/$(DEPDIR) + @: > src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_la-ldap_init.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_la-ldap_access.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) + +libsss_ldap.la: $(libsss_ldap_la_OBJECTS) $(libsss_ldap_la_DEPENDENCIES) $(EXTRA_libsss_ldap_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_ldap_la_LINK) -rpath $(sssdlibdir) $(libsss_ldap_la_OBJECTS) $(libsss_ldap_la_LIBADD) $(LIBS) 
+src/providers/ldap/libsss_ldap_common_la-ldap_id.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_common.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_options.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_access.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo: \ + 
src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo: \ + 
src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_range.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo: \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_ldap_common_la-user_info_msg.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_ldap_common_la-sss_sockets.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_ldap_common_la-sss_ldap.lo: src/util/$(am__dirstamp) \ + 
src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo: \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) + +libsss_ldap_common.la: $(libsss_ldap_common_la_OBJECTS) $(libsss_ldap_common_la_DEPENDENCIES) $(EXTRA_libsss_ldap_common_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_ldap_common_la_LINK) -rpath $(pkglibdir) $(libsss_ldap_common_la_OBJECTS) $(libsss_ldap_common_la_LIBADD) $(LIBS) +src/sss_client/idmap/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/idmap + @: > src/sss_client/idmap/$(am__dirstamp) +src/sss_client/idmap/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/idmap/$(DEPDIR) + @: > src/sss_client/idmap/$(DEPDIR)/$(am__dirstamp) +src/sss_client/idmap/sss_nss_idmap.lo: \ + src/sss_client/idmap/$(am__dirstamp) \ + src/sss_client/idmap/$(DEPDIR)/$(am__dirstamp) +src/sss_client/idmap/sss_nss_ex.lo: \ + src/sss_client/idmap/$(am__dirstamp) \ + 
src/sss_client/idmap/$(DEPDIR)/$(am__dirstamp) +src/sss_client/idmap/common_ex.lo: \ + src/sss_client/idmap/$(am__dirstamp) \ + src/sss_client/idmap/$(DEPDIR)/$(am__dirstamp) +src/util/strtonum.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_nss_idmap.la: $(libsss_nss_idmap_la_OBJECTS) $(libsss_nss_idmap_la_DEPENDENCIES) $(EXTRA_libsss_nss_idmap_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_nss_idmap_la_LINK) -rpath $(libdir) $(libsss_nss_idmap_la_OBJECTS) $(libsss_nss_idmap_la_LIBADD) $(LIBS) + +libsss_nss_idmap_tests.la: $(libsss_nss_idmap_tests_la_OBJECTS) $(libsss_nss_idmap_tests_la_DEPENDENCIES) $(EXTRA_libsss_nss_idmap_tests_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_nss_idmap_tests_la_LINK) $(am_libsss_nss_idmap_tests_la_rpath) $(libsss_nss_idmap_tests_la_OBJECTS) $(libsss_nss_idmap_tests_la_LIBADD) $(LIBS) +src/providers/proxy/$(am__dirstamp): + @$(MKDIR_P) src/providers/proxy + @: > src/providers/proxy/$(am__dirstamp) +src/providers/proxy/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/proxy/$(DEPDIR) + @: > src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/libsss_proxy_la-proxy_init.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/libsss_proxy_la-proxy_client.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/libsss_proxy_la-proxy_id.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/libsss_proxy_la-proxy_services.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/libsss_proxy_la-proxy_auth.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) 
+src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo: \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) + +libsss_proxy.la: $(libsss_proxy_la_OBJECTS) $(libsss_proxy_la_DEPENDENCIES) $(EXTRA_libsss_proxy_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_proxy_la_LINK) -rpath $(sssdlibdir) $(libsss_proxy_la_OBJECTS) $(libsss_proxy_la_LIBADD) $(LIBS) +src/util/libsss_semanage_la-sss_semanage.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_semanage.la: $(libsss_semanage_la_OBJECTS) $(libsss_semanage_la_DEPENDENCIES) $(EXTRA_libsss_semanage_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_semanage_la_LINK) -rpath $(pkglibdir) $(libsss_semanage_la_OBJECTS) $(libsss_semanage_la_LIBADD) $(LIBS) +src/providers/simple/$(am__dirstamp): + @$(MKDIR_P) src/providers/simple + @: > src/providers/simple/$(am__dirstamp) +src/providers/simple/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/providers/simple/$(DEPDIR) + @: > src/providers/simple/$(DEPDIR)/$(am__dirstamp) +src/providers/simple/libsss_simple_la-simple_access_check.lo: \ + src/providers/simple/$(am__dirstamp) \ + src/providers/simple/$(DEPDIR)/$(am__dirstamp) +src/providers/simple/libsss_simple_la-simple_access.lo: \ + src/providers/simple/$(am__dirstamp) \ + src/providers/simple/$(DEPDIR)/$(am__dirstamp) + +libsss_simple.la: $(libsss_simple_la_OBJECTS) $(libsss_simple_la_DEPENDENCIES) $(EXTRA_libsss_simple_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_simple_la_LINK) -rpath $(sssdlibdir) $(libsss_simple_la_OBJECTS) $(libsss_simple_la_LIBADD) $(LIBS) +src/lib/sifp/$(am__dirstamp): + @$(MKDIR_P) src/lib/sifp + @: > src/lib/sifp/$(am__dirstamp) +src/lib/sifp/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/lib/sifp/$(DEPDIR) + @: > src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo: \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo: \ + src/lib/sifp/$(am__dirstamp) \ 
+ src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo: \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo: \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo: \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo: \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) + +libsss_simpleifp.la: $(libsss_simpleifp_la_OBJECTS) $(libsss_simpleifp_la_DEPENDENCIES) $(EXTRA_libsss_simpleifp_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_simpleifp_la_LINK) $(am_libsss_simpleifp_la_rpath) $(libsss_simpleifp_la_OBJECTS) $(libsss_simpleifp_la_LIBADD) $(LIBS) +src/sss_client/sudo/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/sudo + @: > src/sss_client/sudo/$(am__dirstamp) +src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/sudo/$(DEPDIR) + @: > src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sudo/sss_sudo_response.lo: \ + src/sss_client/sudo/$(am__dirstamp) \ + src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sudo/sss_sudo.lo: src/sss_client/sudo/$(am__dirstamp) \ + src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp) + +libsss_sudo.la: $(libsss_sudo_la_OBJECTS) $(libsss_sudo_la_DEPENDENCIES) $(EXTRA_libsss_sudo_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_sudo_la_LINK) $(am_libsss_sudo_la_rpath) $(libsss_sudo_la_OBJECTS) $(libsss_sudo_la_LIBADD) $(LIBS) +src/tests/$(am__dirstamp): + @$(MKDIR_P) src/tests + @: > src/tests/$(am__dirstamp) +src/tests/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/tests/$(DEPDIR) + @: > src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/common_tev.lo: src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/common_dom.lo: src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/leak_check.lo: 
src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/common.lo: src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/common_check.lo: src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +libsss_test_common.la: $(libsss_test_common_la_OBJECTS) $(libsss_test_common_la_DEPENDENCIES) $(EXTRA_libsss_test_common_la_DEPENDENCIES) + $(AM_V_CCLD)$(LINK) $(libsss_test_common_la_OBJECTS) $(libsss_test_common_la_LIBADD) $(LIBS) +src/confdb/libsss_util_la-confdb.lo: src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/db/$(am__dirstamp): + @$(MKDIR_P) src/db + @: > src/db/$(am__dirstamp) +src/db/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/db/$(DEPDIR) + @: > src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_ops.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_search.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_selinux.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_upgrade.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_init.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_services.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_autofs.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_subdomains.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_views.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_ranges.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_idmap.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) 
+src/db/libsss_util_la-sysdb_gpo.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_certmap.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_domain_resolution_order.lo: \ + src/db/$(am__dirstamp) src/db/$(DEPDIR)/$(am__dirstamp) +src/monitor/libsss_util_la-monitor_sbus.lo: \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/providers/libsss_util_la-dp_auth_util.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/libsss_util_la-dp_pam_data_util.lo: \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/libsss_util_la-dp_sbus.lo: \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/sbus/$(am__dirstamp): + @$(MKDIR_P) src/sbus + @: > src/sbus/$(am__dirstamp) +src/sbus/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sbus/$(DEPDIR) + @: > src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sbus_client.lo: src/sbus/$(am__dirstamp) \ + src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_common.lo: src/sbus/$(am__dirstamp) \ + src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_connection.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_meta.lo: src/sbus/$(am__dirstamp) \ + src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_interface.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_introspect.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_invokers.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_properties.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_request.lo: \ + 
src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_server.lo: src/sbus/$(am__dirstamp) \ + src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_signals.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_common_signals.lo: \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) +src/sbus/libsss_util_la-sssd_dbus_utils.lo: src/sbus/$(am__dirstamp) \ + src/sbus/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util_ext.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util_preauth.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-memory.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-safe-format-string.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-server.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-signal.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-usertools.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-backup_file.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-strtonum.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-check_and_open.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-refcount.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_nss.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_utf8.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_tc_utf8.lo: 
src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-murmurhash3.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-atomic_io.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-authtok.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-authtok-utils.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_selinux.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-domain_info_utils.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util_lock.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util_errors.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-find_uid.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_ini.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-io.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util_sss_idmap.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-well_known_sids.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-string_utils.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-become_user.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-util_watchdog.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_ptr_hash.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-files.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-selinux.lo: 
src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_sudo.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/db/libsss_util_la-sysdb_ssh.lo: src/db/$(am__dirstamp) \ + src/db/$(DEPDIR)/$(am__dirstamp) +src/util/libsss_util_la-sss_ssh.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +libsss_util.la: $(libsss_util_la_OBJECTS) $(libsss_util_la_DEPENDENCIES) $(EXTRA_libsss_util_la_DEPENDENCIES) + $(AM_V_CCLD)$(libsss_util_la_LINK) -rpath $(pkglibdir) $(libsss_util_la_OBJECTS) $(libsss_util_la_LIBADD) $(LIBS) +src/sss_client/libwbclient/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/libwbclient + @: > src/sss_client/libwbclient/$(am__dirstamp) +src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/libwbclient/$(DEPDIR) + @: > src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_guid.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_idmap_common.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_idmap_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbclient_common.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbclient_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_pam_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_pwd_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_sid_common.lo: \ + 
src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_sid_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_util_common.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_util_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/wbc_ctx_sssd.lo: \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) + +libwbclient.la: $(libwbclient_la_OBJECTS) $(libwbclient_la_DEPENDENCIES) $(EXTRA_libwbclient_la_DEPENDENCIES) + $(AM_V_CCLD)$(libwbclient_la_LINK) $(am_libwbclient_la_rpath) $(libwbclient_la_OBJECTS) $(libwbclient_la_LIBADD) $(LIBS) +src/ldb_modules/$(am__dirstamp): + @$(MKDIR_P) src/ldb_modules + @: > src/ldb_modules/$(am__dirstamp) +src/ldb_modules/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/ldb_modules/$(DEPDIR) + @: > src/ldb_modules/$(DEPDIR)/$(am__dirstamp) +src/ldb_modules/memberof_la-memberof.lo: \ + src/ldb_modules/$(am__dirstamp) \ + src/ldb_modules/$(DEPDIR)/$(am__dirstamp) +src/util/memberof_la-util.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/memberof_la-util_ext.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +memberof.la: $(memberof_la_OBJECTS) $(memberof_la_DEPENDENCIES) $(EXTRA_memberof_la_DEPENDENCIES) + $(AM_V_CCLD)$(memberof_la_LINK) -rpath $(ldblibdir) $(memberof_la_OBJECTS) $(memberof_la_LIBADD) $(LIBS) +src/sss_client/pam_sss.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/pam_message.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/util/atomic_io.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) 
+src/util/authtok-utils.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +pam_sss.la: $(pam_sss_la_OBJECTS) $(pam_sss_la_DEPENDENCIES) $(EXTRA_pam_sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_sss_la_LINK) -rpath $(pamlibdir) $(pam_sss_la_OBJECTS) $(pam_sss_la_LIBADD) $(LIBS) +src/sss_client/sss_la-common.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_la-nss_mc_common.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/util/sss_la-io.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sss_la-murmurhash3.lo: src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_la-nss_mc_passwd.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_la-nss_mc_group.lo: src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nfs/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/nfs + @: > src/sss_client/nfs/$(am__dirstamp) +src/sss_client/nfs/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/nfs/$(DEPDIR) + @: > src/sss_client/nfs/$(DEPDIR)/$(am__dirstamp) +src/sss_client/nfs/sss_la-sss_nfs_client.lo: \ + src/sss_client/nfs/$(am__dirstamp) \ + src/sss_client/nfs/$(DEPDIR)/$(am__dirstamp) + +sss.la: $(sss_la_OBJECTS) $(sss_la_DEPENDENCIES) $(EXTRA_sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(sss_la_LINK) $(am_sss_la_rpath) $(sss_la_OBJECTS) $(sss_la_LIBADD) $(LIBS) +src/krb5_plugin/$(am__dirstamp): + @$(MKDIR_P) src/krb5_plugin + @: > src/krb5_plugin/$(am__dirstamp) +src/krb5_plugin/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/krb5_plugin/$(DEPDIR) + @: > src/krb5_plugin/$(DEPDIR)/$(am__dirstamp) +src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo: \ + src/krb5_plugin/$(am__dirstamp) \ + src/krb5_plugin/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo: \ + src/util/$(am__dirstamp) 
src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_krb5_localauth_plugin_la-io.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sssd_krb5_localauth_plugin_la-common.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) + +sssd_krb5_localauth_plugin.la: $(sssd_krb5_localauth_plugin_la_OBJECTS) $(sssd_krb5_localauth_plugin_la_DEPENDENCIES) $(EXTRA_sssd_krb5_localauth_plugin_la_DEPENDENCIES) + $(AM_V_CCLD)$(sssd_krb5_localauth_plugin_la_LINK) $(am_sssd_krb5_localauth_plugin_la_rpath) $(sssd_krb5_localauth_plugin_la_OBJECTS) $(sssd_krb5_localauth_plugin_la_LIBADD) $(LIBS) +src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo: \ + src/krb5_plugin/$(am__dirstamp) \ + src/krb5_plugin/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_krb5_locator_plugin_la-atomic_io.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +sssd_krb5_locator_plugin.la: $(sssd_krb5_locator_plugin_la_OBJECTS) $(sssd_krb5_locator_plugin_la_DEPENDENCIES) $(EXTRA_sssd_krb5_locator_plugin_la_DEPENDENCIES) + $(AM_V_CCLD)$(sssd_krb5_locator_plugin_la_LINK) $(am_sssd_krb5_locator_plugin_la_rpath) $(sssd_krb5_locator_plugin_la_OBJECTS) $(sssd_krb5_locator_plugin_la_LIBADD) $(LIBS) +src/sss_client/sssd_pac_plugin_la-sssd_pac.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sssd_pac_plugin_la-common.lo: \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) + +sssd_pac_plugin.la: $(sssd_pac_plugin_la_OBJECTS) 
$(sssd_pac_plugin_la_DEPENDENCIES) $(EXTRA_sssd_pac_plugin_la_DEPENDENCIES) + $(AM_V_CCLD)$(sssd_pac_plugin_la_LINK) $(am_sssd_pac_plugin_la_rpath) $(sssd_pac_plugin_la_OBJECTS) $(sssd_pac_plugin_la_LIBADD) $(LIBS) +src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo: \ + src/lib/winbind_idmap_sss/$(am__dirstamp) \ + src/lib/winbind_idmap_sss/$(DEPDIR)/$(am__dirstamp) +src/util/winbind_idmap_sss_la-util_sss_idmap.lo: \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +winbind_idmap_sss.la: $(winbind_idmap_sss_la_OBJECTS) $(winbind_idmap_sss_la_DEPENDENCIES) $(EXTRA_winbind_idmap_sss_la_DEPENDENCIES) + $(AM_V_CCLD)$(winbind_idmap_sss_la_LINK) $(am_winbind_idmap_sss_la_rpath) $(winbind_idmap_sss_la_OBJECTS) $(winbind_idmap_sss_la_LIBADD) $(LIBS) +install-binPROGRAMS: $(bin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install 
$(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-binPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(bindir)" && rm -f $$files + +clean-binPROGRAMS: + @list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { 
print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +install-sssdlibexecPROGRAMS: $(sssdlibexec_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sssdlibexec_PROGRAMS)'; test -n "$(sssdlibexecdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssdlibexecdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssdlibexecdir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 
1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sssdlibexecdir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sssdlibexecdir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sssdlibexecPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sssdlibexec_PROGRAMS)'; test -n "$(sssdlibexecdir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sssdlibexecdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sssdlibexecdir)" && rm -f $$files + +clean-sssdlibexecPROGRAMS: + @list='$(sssdlibexec_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +src/tests/cmocka/test_ad_access_filter.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +ad_access_filter_tests$(EXEEXT): $(ad_access_filter_tests_OBJECTS) $(ad_access_filter_tests_DEPENDENCIES) $(EXTRA_ad_access_filter_tests_DEPENDENCIES) + @rm -f ad_access_filter_tests$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(ad_access_filter_tests_OBJECTS) $(ad_access_filter_tests_LDADD) $(LIBS) +src/providers/krb5/ad_common_tests-krb5_utils.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) 
+src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_renew_tgt.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_wait_queue.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_common.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_opts.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_auth.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_access.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_child_handler.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_init_shared.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_common_tests-krb5_ccache.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/ad_common_tests-sss_krb5.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ad_common_tests-sss_iobuf.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ad_common_tests-become_user.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/ad_common_tests-common_mock_krb5.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) 
+src/tests/cmocka/ad_common_tests-test_ad_common.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/ad_common_tests-ad_opts.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/ad_common_tests-ad_pac.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/ad_common_tests-ad_pac_common.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/ad_common_tests-ad_domain_info.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) + +ad_common_tests$(EXEEXT): $(ad_common_tests_OBJECTS) $(ad_common_tests_DEPENDENCIES) $(EXTRA_ad_common_tests_DEPENDENCIES) + @rm -f ad_common_tests$(EXEEXT) + $(AM_V_CCLD)$(ad_common_tests_LINK) $(ad_common_tests_OBJECTS) $(ad_common_tests_LDADD) $(LIBS) +src/tests/cmocka/ad_gpo_tests-test_ad_gpo.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +ad_gpo_tests$(EXEEXT): $(ad_gpo_tests_OBJECTS) $(ad_gpo_tests_DEPENDENCIES) $(EXTRA_ad_gpo_tests_DEPENDENCIES) + @rm -f ad_gpo_tests$(EXEEXT) + $(AM_V_CCLD)$(ad_gpo_tests_LINK) $(ad_gpo_tests_OBJECTS) $(ad_gpo_tests_LDADD) $(LIBS) +src/providers/ldap/ad_ldap_opt_tests-ldap_opts.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/ad_ldap_opt_tests-ad_opts.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ad_ldap_opt_tests-krb5_opts.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.$(OBJEXT): \ + 
src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +ad_ldap_opt-tests$(EXEEXT): $(ad_ldap_opt_tests_OBJECTS) $(ad_ldap_opt_tests_DEPENDENCIES) $(EXTRA_ad_ldap_opt_tests_DEPENDENCIES) + @rm -f ad_ldap_opt-tests$(EXEEXT) + $(AM_V_CCLD)$(ad_ldap_opt_tests_LINK) $(ad_ldap_opt_tests_OBJECTS) $(ad_ldap_opt_tests_LDADD) $(LIBS) +src/tests/auth_tests-auth-tests.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +auth-tests$(EXEEXT): $(auth_tests_OBJECTS) $(auth_tests_DEPENDENCIES) $(EXTRA_auth_tests_DEPENDENCIES) + @rm -f auth-tests$(EXEEXT) + $(AM_V_CCLD)$(auth_tests_LINK) $(auth_tests_OBJECTS) $(auth_tests_LDADD) $(LIBS) +src/sss_client/autofs/autofs_test_client-autofs_test_client.$(OBJEXT): \ + src/sss_client/autofs/$(am__dirstamp) \ + src/sss_client/autofs/$(DEPDIR)/$(am__dirstamp) +src/sss_client/autofs/autofs_test_client-sss_autofs.$(OBJEXT): \ + src/sss_client/autofs/$(am__dirstamp) \ + src/sss_client/autofs/$(DEPDIR)/$(am__dirstamp) +src/sss_client/autofs_test_client-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) + +autofs_test_client$(EXEEXT): $(autofs_test_client_OBJECTS) $(autofs_test_client_DEPENDENCIES) $(EXTRA_autofs_test_client_DEPENDENCIES) + @rm -f autofs_test_client$(EXEEXT) + $(AM_V_CCLD)$(autofs_test_client_LINK) $(autofs_test_client_OBJECTS) $(autofs_test_client_LDADD) $(LIBS) +src/tests/check_and_open_tests-check_and_open-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/util/check_and_open_tests-check_and_open.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +check_and_open-tests$(EXEEXT): $(check_and_open_tests_OBJECTS) $(check_and_open_tests_DEPENDENCIES) $(EXTRA_check_and_open_tests_DEPENDENCIES) + @rm -f check_and_open-tests$(EXEEXT) + $(AM_V_CCLD)$(check_and_open_tests_LINK) $(check_and_open_tests_OBJECTS) $(check_and_open_tests_LDADD) $(LIBS) 
+src/tests/cmocka/config_check_tests-test_config_check.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +config_check-tests$(EXEEXT): $(config_check_tests_OBJECTS) $(config_check_tests_DEPENDENCIES) $(EXTRA_config_check_tests_DEPENDENCIES) + @rm -f config_check-tests$(EXEEXT) + $(AM_V_CCLD)$(config_check_tests_LINK) $(config_check_tests_OBJECTS) $(config_check_tests_LDADD) $(LIBS) +src/tests/crypto_tests-crypto-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +crypto-tests$(EXEEXT): $(crypto_tests_OBJECTS) $(crypto_tests_DEPENDENCIES) $(EXTRA_crypto_tests_DEPENDENCIES) + @rm -f crypto-tests$(EXEEXT) + $(AM_V_CCLD)$(crypto_tests_LINK) $(crypto_tests_OBJECTS) $(crypto_tests_LDADD) $(LIBS) +src/tests/debug_tests-debug-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/debug_tests-common.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +debug-tests$(EXEEXT): $(debug_tests_OBJECTS) $(debug_tests_DEPENDENCIES) $(EXTRA_debug_tests_DEPENDENCIES) + @rm -f debug-tests$(EXEEXT) + $(AM_V_CCLD)$(debug_tests_LINK) $(debug_tests_OBJECTS) $(debug_tests_LDADD) $(LIBS) +src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +deskprofile_utils-tests$(EXEEXT): $(deskprofile_utils_tests_OBJECTS) $(deskprofile_utils_tests_DEPENDENCIES) $(EXTRA_deskprofile_utils_tests_DEPENDENCIES) + @rm -f deskprofile_utils-tests$(EXEEXT) + $(AM_V_CCLD)$(deskprofile_utils_tests_LINK) $(deskprofile_utils_tests_OBJECTS) 
$(deskprofile_utils_tests_LDADD) $(LIBS) +src/tests/dlopen_tests-dlopen-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +dlopen-tests$(EXEEXT): $(dlopen_tests_OBJECTS) $(dlopen_tests_DEPENDENCIES) $(EXTRA_dlopen_tests_DEPENDENCIES) + @rm -f dlopen-tests$(EXEEXT) + $(AM_V_CCLD)$(dlopen_tests_LINK) $(dlopen_tests_OBJECTS) $(dlopen_tests_LDADD) $(LIBS) +src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/cache_req + @: > src/responder/common/cache_req/$(am__dirstamp) +src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/cache_req/$(DEPDIR) + @: > src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) + +domain_resolution_order-tests$(EXEEXT): $(domain_resolution_order_tests_OBJECTS) $(domain_resolution_order_tests_DEPENDENCIES) $(EXTRA_domain_resolution_order_tests_DEPENDENCIES) + @rm -f domain_resolution_order-tests$(EXEEXT) + $(AM_V_CCLD)$(domain_resolution_order_tests_LINK) $(domain_resolution_order_tests_OBJECTS) $(domain_resolution_order_tests_LDADD) $(LIBS) +src/providers/dp_opt_tests-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/dp_opt_tests-test_dp_opts.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +dp_opt_tests$(EXEEXT): $(dp_opt_tests_OBJECTS) $(dp_opt_tests_DEPENDENCIES) $(EXTRA_dp_opt_tests_DEPENDENCIES) + @rm -f dp_opt_tests$(EXEEXT) + $(AM_V_CCLD)$(dp_opt_tests_LINK) $(dp_opt_tests_OBJECTS) $(dp_opt_tests_LDADD) $(LIBS) 
+src/tests/cmocka/dummy_child.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +dummy-child$(EXEEXT): $(dummy_child_OBJECTS) $(dummy_child_DEPENDENCIES) $(EXTRA_dummy_child_DEPENDENCIES) + @rm -f dummy-child$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(dummy_child_OBJECTS) $(dummy_child_LDADD) $(LIBS) +src/resolv/dyndns_tests-async_resolv.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/dyndns_tests-async_resolv_utils.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/dyndns_tests-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/dyndns_tests-test_dyndns.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/dyndns_tests-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) + +dyndns-tests$(EXEEXT): $(dyndns_tests_OBJECTS) $(dyndns_tests_DEPENDENCIES) $(EXTRA_dyndns_tests_DEPENDENCIES) + @rm -f dyndns-tests$(EXEEXT) + $(AM_V_CCLD)$(dyndns_tests_LINK) $(dyndns_tests_OBJECTS) $(dyndns_tests_LDADD) $(LIBS) +src/tests/fail_over_tests-fail_over-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/providers/fail_over_tests-fail_over.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/fail_over_tests-fail_over_srv.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/resolv/fail_over_tests-async_resolv.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/fail_over_tests-async_resolv_utils.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) + +fail_over-tests$(EXEEXT): $(fail_over_tests_OBJECTS) $(fail_over_tests_DEPENDENCIES) $(EXTRA_fail_over_tests_DEPENDENCIES) 
+ @rm -f fail_over-tests$(EXEEXT) + $(AM_V_CCLD)$(fail_over_tests_LINK) $(fail_over_tests_OBJECTS) $(fail_over_tests_LDADD) $(LIBS) +src/tests/files_tests-files-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/util/files_tests-check_and_open.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/files_tests-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/files_tests-selinux.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/files_tests-files.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +files-tests$(EXEEXT): $(files_tests_OBJECTS) $(files_tests_DEPENDENCIES) $(EXTRA_files_tests_DEPENDENCIES) + @rm -f files-tests$(EXEEXT) + $(AM_V_CCLD)$(files_tests_LINK) $(files_tests_OBJECTS) $(files_tests_LDADD) $(LIBS) +src/tests/find_uid_tests-find_uid-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/util/find_uid_tests-find_uid.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/find_uid_tests-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/find_uid_tests-strtonum.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +find_uid-tests$(EXEEXT): $(find_uid_tests_OBJECTS) $(find_uid_tests_DEPENDENCIES) $(EXTRA_find_uid_tests_DEPENDENCIES) + @rm -f find_uid-tests$(EXEEXT) + $(AM_V_CCLD)$(find_uid_tests_LINK) $(find_uid_tests_OBJECTS) $(find_uid_tests_LDADD) $(LIBS) +src/tests/cmocka/fqnames_tests-test_fqnames.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +fqnames-tests$(EXEEXT): $(fqnames_tests_OBJECTS) $(fqnames_tests_DEPENDENCIES) $(EXTRA_fqnames_tests_DEPENDENCIES) + @rm -f fqnames-tests$(EXEEXT) + $(AM_V_CCLD)$(fqnames_tests_LINK) $(fqnames_tests_OBJECTS) $(fqnames_tests_LDADD) $(LIBS) 
+src/providers/ad/gpo_child-ad_gpo_child.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/util/gpo_child-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/gpo_child-util.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/gpo_child-util_ext.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/gpo_child-signal.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +gpo_child$(EXEEXT): $(gpo_child_OBJECTS) $(gpo_child_DEPENDENCIES) $(EXTRA_gpo_child_DEPENDENCIES) + @rm -f gpo_child$(EXEEXT) + $(AM_V_CCLD)$(gpo_child_LINK) $(gpo_child_OBJECTS) $(gpo_child_LDADD) $(LIBS) +src/tests/cmocka/ifp_tests-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/ifp_tests-common_mock_resp_dp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/common/$(am__dirstamp): + @$(MKDIR_P) src/responder/common + @: > src/responder/common/$(am__dirstamp) +src/responder/common/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/$(DEPDIR) + @: > src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ifp_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ifp_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ifp_tests-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ifp_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ifp_tests-responder_common.$(OBJEXT): \ + 
src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/data_provider + @: > src/responder/common/data_provider/$(am__dirstamp) +src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/data_provider/$(DEPDIR) + @: > src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/ifp_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/ifp_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ifp_tests-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/util/ifp_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ifp_tests-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ifp_tests-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ifp_tests-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ifp_tests-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ifp_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/cache_req/plugins + @: > src/responder/common/cache_req/plugins/$(am__dirstamp) +src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/cache_req/plugins/$(DEPDIR) + @: > src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/iface + @: > src/responder/common/iface/$(am__dirstamp) +src/responder/common/iface/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/common/iface/$(DEPDIR) + @: > src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ifp_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ifp_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ifp_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ifp_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + 
src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/ifp_tests-test_ifp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/$(am__dirstamp): + @$(MKDIR_P) src/responder/ifp + @: > src/responder/ifp/$(am__dirstamp) +src/responder/ifp/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/ifp/$(DEPDIR) + @: > src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/ifp_tests-ifpsrv_cmd.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/ifp_tests-ifp_iface_generated.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/ifp_tests-ifpsrv_util.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) + +ifp_tests$(EXEEXT): $(ifp_tests_OBJECTS) $(ifp_tests_DEPENDENCIES) $(EXTRA_ifp_tests_DEPENDENCIES) + @rm -f ifp_tests$(EXEEXT) + $(AM_V_CCLD)$(ifp_tests_LINK) $(ifp_tests_OBJECTS) $(ifp_tests_LDADD) $(LIBS) +src/tests/ipa_hbac_tests-ipa_hbac-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +ipa_hbac-tests$(EXEEXT): $(ipa_hbac_tests_OBJECTS) $(ipa_hbac_tests_DEPENDENCIES) $(EXTRA_ipa_hbac_tests_DEPENDENCIES) + @rm -f ipa_hbac-tests$(EXEEXT) + $(AM_V_CCLD)$(ipa_hbac_tests_LINK) $(ipa_hbac_tests_OBJECTS) $(ipa_hbac_tests_LDADD) $(LIBS) +src/providers/ipa_ldap_opt_tests-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/ipa_ldap_opt_tests-sdap.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/ipa_ldap_opt_tests-sdap_range.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + 
src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/ipa_ldap_opt_tests-ad_opts.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/ipa_ldap_opt_tests-sss_sockets.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ipa_ldap_opt_tests-sss_ldap.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +ipa_ldap_opt-tests$(EXEEXT): $(ipa_ldap_opt_tests_OBJECTS) $(ipa_ldap_opt_tests_DEPENDENCIES) $(EXTRA_ipa_ldap_opt_tests_DEPENDENCIES) + @rm -f ipa_ldap_opt-tests$(EXEEXT) + $(AM_V_CCLD)$(ipa_ldap_opt_tests_LINK) $(ipa_ldap_opt_tests_OBJECTS) $(ipa_ldap_opt_tests_LDADD) $(LIBS) +src/tests/krb5_child_test-krb5_child-test.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_child_test-krb5_utils.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_child_test-krb5_ccache.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_child_test-krb5_child_handler.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_child_test-krb5_common.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) 
+src/providers/krb5/krb5_child_test-krb5_opts.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child_test-sss_krb5.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child_test-sss_iobuf.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_child_test-data_provider_fo.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_child_test-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_child_test-data_provider_callbacks.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child_test-become_user.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_child_test-fail_over.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_child_test-fail_over_srv.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/resolv/krb5_child_test-async_resolv.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/krb5_child_test-async_resolv_utils.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) + +krb5-child-test$(EXEEXT): $(krb5_child_test_OBJECTS) $(krb5_child_test_DEPENDENCIES) $(EXTRA_krb5_child_test_DEPENDENCIES) + @rm -f krb5-child-test$(EXEEXT) + $(AM_V_CCLD)$(krb5_child_test_LINK) $(krb5_child_test_OBJECTS) $(krb5_child_test_LDADD) $(LIBS) +src/tests/krb5_utils_tests-krb5_utils-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_utils_tests-krb5_utils.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) 
+src/providers/krb5/krb5_utils_tests-krb5_ccache.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_utils_tests-krb5_common.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_utils_tests-krb5_opts.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_utils_tests-sss_krb5.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_utils_tests-sss_iobuf.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_utils_tests-data_provider_fo.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_utils_tests-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_utils_tests-data_provider_callbacks.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_utils_tests-become_user.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_utils_tests-fail_over.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_utils_tests-fail_over_srv.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/resolv/krb5_utils_tests-async_resolv.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/krb5_utils_tests-async_resolv_utils.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) + +krb5-utils-tests$(EXEEXT): $(krb5_utils_tests_OBJECTS) $(krb5_utils_tests_DEPENDENCIES) $(EXTRA_krb5_utils_tests_DEPENDENCIES) + @rm -f krb5-utils-tests$(EXEEXT) + $(AM_V_CCLD)$(krb5_utils_tests_LINK) $(krb5_utils_tests_OBJECTS) $(krb5_utils_tests_LDADD) $(LIBS) 
+src/providers/krb5/krb5_child-krb5_child.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_child-krb5_ccache.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/krb5_child-krb5_keytab.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5_child-dp_pam_data_util.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-user_info_msg.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-sss_krb5.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-sss_iobuf.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-find_uid.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-authtok.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-authtok-utils.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-util.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-util_ext.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-signal.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-strtonum.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-become_user.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/krb5_child-util_errors.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/sss_client/krb5_child-common.$(OBJEXT): \ + 
src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) + +krb5_child$(EXEEXT): $(krb5_child_OBJECTS) $(krb5_child_DEPENDENCIES) $(EXTRA_krb5_child_DEPENDENCIES) + @rm -f krb5_child$(EXEEXT) + $(AM_V_CCLD)$(krb5_child_LINK) $(krb5_child_OBJECTS) $(krb5_child_LDADD) $(LIBS) +src/tests/cmocka/krb5_common_test-test_krb5_common.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +krb5_common_test$(EXEEXT): $(krb5_common_test_OBJECTS) $(krb5_common_test_DEPENDENCIES) $(EXTRA_krb5_common_test_DEPENDENCIES) + @rm -f krb5_common_test$(EXEEXT) + $(AM_V_CCLD)$(krb5_common_test_LINK) $(krb5_common_test_OBJECTS) $(krb5_common_test_LDADD) $(LIBS) +src/providers/ldap/ldap_child-ldap_child.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/ldap_child-krb5_keytab.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-sss_krb5.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-sss_iobuf.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-authtok.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-authtok-utils.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-util.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-util_ext.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-signal.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/ldap_child-become_user.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +ldap_child$(EXEEXT): $(ldap_child_OBJECTS) 
$(ldap_child_DEPENDENCIES) $(EXTRA_ldap_child_DEPENDENCIES) + @rm -f ldap_child$(EXEEXT) + $(AM_V_CCLD)$(ldap_child_LINK) $(ldap_child_OBJECTS) $(ldap_child_LDADD) $(LIBS) +src/util/nestedgroups_tests-sss_sockets.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/nestedgroups_tests-sss_ldap.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/providers/nestedgroups_tests-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-ldap_opts.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-ldap_options.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap_domain.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap_utils.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap_range.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/nestedgroups_tests-common_mock_sdap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap_idmap.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/nestedgroups_tests-test_nested_groups.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + 
src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/nestedgroups_tests-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/nestedgroups_tests-sdap_ad_groups.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/nestedgroups_tests-ipa_dn.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +nestedgroups-tests$(EXEEXT): $(nestedgroups_tests_OBJECTS) $(nestedgroups_tests_DEPENDENCIES) $(EXTRA_nestedgroups_tests_DEPENDENCIES) + @rm -f nestedgroups-tests$(EXEEXT) + $(AM_V_CCLD)$(nestedgroups_tests_LINK) $(nestedgroups_tests_OBJECTS) $(nestedgroups_tests_LDADD) $(LIBS) +src/tests/cmocka/nss_srv_tests-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/common/nss_srv_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/nss_srv_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/nss_srv_tests-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/nss_srv_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/nss_srv_tests-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/data_provider/nss_srv_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/nss_srv_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/nss_srv_tests-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/util/nss_srv_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/nss_srv_tests-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/nss_srv_tests-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/nss_srv_tests-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/nss_srv_tests-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/nss_srv_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/nss_srv_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/nss_srv_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/nss_srv_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/nss_srv_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/nss_srv_tests-test_nss_srv.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/$(am__dirstamp): + @$(MKDIR_P) src/responder/nss + @: > src/responder/nss/$(am__dirstamp) +src/responder/nss/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/nss/$(DEPDIR) + @: > src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_cmd.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_enum.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_get_object.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) 
+src/responder/nss/nss_srv_tests-nss_protocol.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_protocol_pwent.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_protocol_grent.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_protocol_netgr.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_protocol_svcent.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_protocol_sid.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nss_utils.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) + +nss-srv-tests$(EXEEXT): $(nss_srv_tests_OBJECTS) $(nss_srv_tests_DEPENDENCIES) $(EXTRA_nss_srv_tests_DEPENDENCIES) + @rm -f nss-srv-tests$(EXEEXT) + $(AM_V_CCLD)$(nss_srv_tests_LINK) $(nss_srv_tests_OBJECTS) $(nss_srv_tests_LDADD) $(LIBS) +src/p11_child/$(am__dirstamp): + @$(MKDIR_P) src/p11_child + @: > src/p11_child/$(am__dirstamp) +src/p11_child/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/p11_child/$(DEPDIR) + @: > src/p11_child/$(DEPDIR)/$(am__dirstamp) +src/p11_child/p11_child-p11_child_common.$(OBJEXT): \ + src/p11_child/$(am__dirstamp) \ + src/p11_child/$(DEPDIR)/$(am__dirstamp) +src/util/p11_child-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/p11_child-util.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) 
+src/util/p11_child-util_ext.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/p11_child/p11_child-p11_child_nss.$(OBJEXT): \ + src/p11_child/$(am__dirstamp) \ + src/p11_child/$(DEPDIR)/$(am__dirstamp) +src/p11_child/p11_child-p11_child_openssl.$(OBJEXT): \ + src/p11_child/$(am__dirstamp) \ + src/p11_child/$(DEPDIR)/$(am__dirstamp) + +p11_child$(EXEEXT): $(p11_child_OBJECTS) $(p11_child_DEPENDENCIES) $(EXTRA_p11_child_DEPENDENCIES) + @rm -f p11_child$(EXEEXT) + $(AM_V_CCLD)$(p11_child_LINK) $(p11_child_OBJECTS) $(p11_child_LDADD) $(LIBS) +src/tests/cmocka/pam_srv_tests-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/common/pam_srv_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/pam_srv_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/pam_srv_tests-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/pam_srv_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/pam_srv_tests-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/pam_srv_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/pam_srv_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + 
src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/pam_srv_tests-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/util/pam_srv_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/pam_srv_tests-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/pam_srv_tests-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/pam_srv_tests-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/pam_srv_tests-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/pam_srv_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.$(OBJEXT): \ + 
src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ 
+ src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/pam_srv_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/pam_srv_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/pam_srv_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/pam_srv_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/pam_srv_tests-test_pam_srv.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/sss_client/pam_srv_tests-pam_message.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/$(am__dirstamp): + @$(MKDIR_P) src/responder/pam + @: > src/responder/pam/$(am__dirstamp) +src/responder/pam/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/pam/$(DEPDIR) + @: > src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pam_srv_tests-pamsrv_cmd.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pam_srv_tests-pamsrv_p11.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pam_srv_tests-pam_helpers.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pam_srv_tests-pamsrv_dp.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pam_srv_tests-pam_LOCAL_domain.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + 
src/responder/pam/$(DEPDIR)/$(am__dirstamp) + +pam-srv-tests$(EXEEXT): $(pam_srv_tests_OBJECTS) $(pam_srv_tests_DEPENDENCIES) $(EXTRA_pam_srv_tests_DEPENDENCIES) + @rm -f pam-srv-tests$(EXEEXT) + $(AM_V_CCLD)$(pam_srv_tests_LINK) $(pam_srv_tests_OBJECTS) $(pam_srv_tests_LDADD) $(LIBS) +src/providers/proxy/proxy_child-proxy_child.$(OBJEXT): \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) +src/providers/proxy/proxy_child-proxy_iface_generated.$(OBJEXT): \ + src/providers/proxy/$(am__dirstamp) \ + src/providers/proxy/$(DEPDIR)/$(am__dirstamp) + +proxy_child$(EXEEXT): $(proxy_child_OBJECTS) $(proxy_child_DEPENDENCIES) $(EXTRA_proxy_child_DEPENDENCIES) + @rm -f proxy_child$(EXEEXT) + $(AM_V_CCLD)$(proxy_child_LINK) $(proxy_child_OBJECTS) $(proxy_child_LDADD) $(LIBS) +src/tests/refcount_tests-refcount-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +refcount-tests$(EXEEXT): $(refcount_tests_OBJECTS) $(refcount_tests_DEPENDENCIES) $(EXTRA_refcount_tests_DEPENDENCIES) + @rm -f refcount-tests$(EXEEXT) + $(AM_V_CCLD)$(refcount_tests_LINK) $(refcount_tests_OBJECTS) $(refcount_tests_LDADD) $(LIBS) +src/tests/resolv_tests-resolv-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/resolv_tests-common.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) +src/resolv/resolv_tests-async_resolv.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/resolv_tests-async_resolv_utils.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) + +resolv-tests$(EXEEXT): $(resolv_tests_OBJECTS) $(resolv_tests_DEPENDENCIES) $(EXTRA_resolv_tests_DEPENDENCIES) + @rm -f resolv-tests$(EXEEXT) + $(AM_V_CCLD)$(resolv_tests_LINK) $(resolv_tests_OBJECTS) $(resolv_tests_LDADD) $(LIBS) +src/responder/common/responder_get_domains_tests-negcache_files.$(OBJEXT): \ + 
src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_dp.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_dp_ssh.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_get_domains.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains_tests-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/responder_get_domains_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/responder_get_domains_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/monitor/responder_get_domains_tests-monitor_iface_generated.$(OBJEXT): \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) 
+src/providers/responder_get_domains_tests-data_provider_req.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/responder_get_domains_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_get_domains_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_get_domains_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_get_domains_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_get_domains_tests-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + 
src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.$(OBJEXT): \ + 
src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/responder_get_domains_tests-test_responder_common.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/responder_get_domains_tests-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +responder-get-domains-tests$(EXEEXT): $(responder_get_domains_tests_OBJECTS) $(responder_get_domains_tests_DEPENDENCIES) $(EXTRA_responder_get_domains_tests_DEPENDENCIES) + @rm -f responder-get-domains-tests$(EXEEXT) + $(AM_V_CCLD)$(responder_get_domains_tests_LINK) $(responder_get_domains_tests_OBJECTS) $(responder_get_domains_tests_LDADD) $(LIBS) +src/tests/cmocka/responder_cache_req_tests-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) 
+src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cache_req_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cache_req_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cache_req_tests-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cache_req_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cache_req_tests-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/responder_cache_req_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/responder_cache_req_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cache_req_tests-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/util/responder_cache_req_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_cache_req_tests-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.$(OBJEXT): \ + 
src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_cache_req_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + 
src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_cache_req_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_cache_req_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +responder_cache_req-tests$(EXEEXT): $(responder_cache_req_tests_OBJECTS) $(responder_cache_req_tests_DEPENDENCIES) $(EXTRA_responder_cache_req_tests_DEPENDENCIES) + @rm -f responder_cache_req-tests$(EXEEXT) + $(AM_V_CCLD)$(responder_cache_req_tests_LINK) $(responder_cache_req_tests_OBJECTS) $(responder_cache_req_tests_LDADD) $(LIBS) +src/tests/responder_socket_access_tests-responder_socket_access-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_socket_access_tests-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_socket_access_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_socket_access_tests-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_socket_access_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/responder_socket_access_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/responder_socket_access_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/responder_socket_access_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/util/responder_socket_access_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_socket_access_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_socket_access_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_socket_access_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) + +responder_socket_access-tests$(EXEEXT): $(responder_socket_access_tests_OBJECTS) $(responder_socket_access_tests_DEPENDENCIES) $(EXTRA_responder_socket_access_tests_DEPENDENCIES) + @rm -f responder_socket_access-tests$(EXEEXT) + $(AM_V_CCLD)$(responder_socket_access_tests_LINK) 
$(responder_socket_access_tests_OBJECTS) $(responder_socket_access_tests_LDADD) $(LIBS) +src/tests/safe_format_tests-safe-format-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +safe-format-tests$(EXEEXT): $(safe_format_tests_OBJECTS) $(safe_format_tests_DEPENDENCIES) $(EXTRA_safe_format_tests_DEPENDENCIES) + @rm -f safe-format-tests$(EXEEXT) + $(AM_V_CCLD)$(safe_format_tests_LINK) $(safe_format_tests_OBJECTS) $(safe_format_tests_LDADD) $(LIBS) +src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/sbus/sbus_internal_tests-sssd_dbus_request.$(OBJEXT): \ + src/sbus/$(am__dirstamp) src/sbus/$(DEPDIR)/$(am__dirstamp) + +sbus-internal-tests$(EXEEXT): $(sbus_internal_tests_OBJECTS) $(sbus_internal_tests_DEPENDENCIES) $(EXTRA_sbus_internal_tests_DEPENDENCIES) + @rm -f sbus-internal-tests$(EXEEXT) + $(AM_V_CCLD)$(sbus_internal_tests_LINK) $(sbus_internal_tests_OBJECTS) $(sbus_internal_tests_LDADD) $(LIBS) +src/tests/sbus_codegen_tests-common_dbus.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/sbus_codegen_tests-sbus_codegen_tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +sbus_codegen_tests$(EXEEXT): $(sbus_codegen_tests_OBJECTS) $(sbus_codegen_tests_DEPENDENCIES) $(EXTRA_sbus_codegen_tests_DEPENDENCIES) + @rm -f sbus_codegen_tests$(EXEEXT) + $(AM_V_CCLD)$(sbus_codegen_tests_LINK) $(sbus_codegen_tests_OBJECTS) $(sbus_codegen_tests_LDADD) $(LIBS) +src/tests/sbus_tests-common_dbus.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) +src/tests/sbus_tests-sbus_tests.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +sbus_tests$(EXEEXT): $(sbus_tests_OBJECTS) 
$(sbus_tests_DEPENDENCIES) $(EXTRA_sbus_tests_DEPENDENCIES) + @rm -f sbus_tests$(EXEEXT) + $(AM_V_CCLD)$(sbus_tests_LINK) $(sbus_tests_OBJECTS) $(sbus_tests_LDADD) $(LIBS) +src/providers/sdap_tests-data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/sdap_tests-sdap_domain.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/sdap_tests-sdap.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/sdap_tests-sdap_range.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/sdap_tests-ldap_opts.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/sdap_tests-ipa_opts.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/util/sdap_tests-sss_sockets.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sdap_tests-sss_ldap.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/sdap_tests-test_sdap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +sdap-tests$(EXEEXT): $(sdap_tests_OBJECTS) $(sdap_tests_DEPENDENCIES) $(EXTRA_sdap_tests_DEPENDENCIES) + @rm -f sdap-tests$(EXEEXT) + $(AM_V_CCLD)$(sdap_tests_LINK) $(sdap_tests_OBJECTS) $(sdap_tests_LDADD) $(LIBS) +src/providers/ipa/selinux_child-selinux_child.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/util/selinux_child-sss_semanage.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/selinux_child-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/selinux_child-util.$(OBJEXT): src/util/$(am__dirstamp) \ + 
src/util/$(DEPDIR)/$(am__dirstamp) +src/util/selinux_child-util_ext.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/selinux_child-util_errors.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +selinux_child$(EXEEXT): $(selinux_child_OBJECTS) $(selinux_child_DEPENDENCIES) $(EXTRA_selinux_child_DEPENDENCIES) + @rm -f selinux_child$(EXEEXT) + $(AM_V_CCLD)$(selinux_child_LINK) $(selinux_child_OBJECTS) $(selinux_child_LDADD) $(LIBS) +src/tests/cmocka/simple_access_tests-test_simple_access.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/simple_access_tests-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/simple/simple_access_tests-simple_access.$(OBJEXT): \ + src/providers/simple/$(am__dirstamp) \ + src/providers/simple/$(DEPDIR)/$(am__dirstamp) +src/providers/simple/simple_access_tests-simple_access_check.$(OBJEXT): \ + src/providers/simple/$(am__dirstamp) \ + src/providers/simple/$(DEPDIR)/$(am__dirstamp) + +simple-access-tests$(EXEEXT): $(simple_access_tests_OBJECTS) $(simple_access_tests_DEPENDENCIES) $(EXTRA_simple_access_tests_DEPENDENCIES) + @rm -f simple-access-tests$(EXEEXT) + $(AM_V_CCLD)$(simple_access_tests_LINK) $(simple_access_tests_OBJECTS) $(simple_access_tests_LDADD) $(LIBS) +src/tests/cmocka/ssh_srv_tests-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ssh_srv_tests-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ssh_srv_tests-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + 
src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ssh_srv_tests-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ssh_srv_tests-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ssh_srv_tests-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/ssh_srv_tests-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/ssh_srv_tests-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/ssh_srv_tests-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/util/ssh_srv_tests-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ssh_srv_tests-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ssh_srv_tests-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ssh_srv_tests-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ssh_srv_tests-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.$(OBJEXT): \ + 
src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ssh_srv_tests-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ssh_srv_tests-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ssh_srv_tests-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/ssh_srv_tests-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/ssh_srv_tests-test_ssh_srv.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/$(am__dirstamp): + @$(MKDIR_P) src/responder/ssh + @: > src/responder/ssh/$(am__dirstamp) +src/responder/ssh/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/ssh/$(DEPDIR) + @: > 
src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_srv_tests-ssh_cmd.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_srv_tests-ssh_known_hosts.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_srv_tests-ssh_protocol.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_srv_tests-ssh_reply.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/util/cert/ssh_srv_tests-cert_common_p11_child.$(OBJEXT): \ + src/util/cert/$(am__dirstamp) \ + src/util/cert/$(DEPDIR)/$(am__dirstamp) + +ssh-srv-tests$(EXEEXT): $(ssh_srv_tests_OBJECTS) $(ssh_srv_tests_DEPENDENCIES) $(EXTRA_ssh_srv_tests_DEPENDENCIES) + @rm -f ssh-srv-tests$(EXEEXT) + $(AM_V_CCLD)$(ssh_srv_tests_LINK) $(ssh_srv_tests_OBJECTS) $(ssh_srv_tests_LDADD) $(LIBS) +src/tools/sss_cache-sss_cache.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_cache-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_cache-tools_mc_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_cache-sss_sync_ops.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_cache-tools_util.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_cache-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_cache-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/sss_cache-confdb_setup.$(OBJEXT): \ + src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sss_cache-nscd.$(OBJEXT): 
src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_cache$(EXEEXT): $(sss_cache_OBJECTS) $(sss_cache_DEPENDENCIES) $(EXTRA_sss_cache_DEPENDENCIES) + @rm -f sss_cache$(EXEEXT) + $(AM_V_CCLD)$(sss_cache_LINK) $(sss_cache_OBJECTS) $(sss_cache_LDADD) $(LIBS) +src/tests/cmocka/sss_certmap_test-test_certmap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.$(OBJEXT): \ + src/lib/certmap/$(am__dirstamp) \ + src/lib/certmap/$(DEPDIR)/$(am__dirstamp) + +sss_certmap_test$(EXEEXT): $(sss_certmap_test_OBJECTS) $(sss_certmap_test_DEPENDENCIES) $(EXTRA_sss_certmap_test_DEPENDENCIES) + @rm -f sss_certmap_test$(EXEEXT) + $(AM_V_CCLD)$(sss_certmap_test_LINK) $(sss_certmap_test_OBJECTS) $(sss_certmap_test_LDADD) $(LIBS) +src/tools/sss_groupadd.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_sync_ops.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/tools_util.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/confdb_setup.$(OBJEXT): src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_groupadd$(EXEEXT): $(sss_groupadd_OBJECTS) $(sss_groupadd_DEPENDENCIES) $(EXTRA_sss_groupadd_DEPENDENCIES) + @rm -f sss_groupadd$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sss_groupadd_OBJECTS) $(sss_groupadd_LDADD) $(LIBS) +src/tools/sss_groupdel-sss_groupdel.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_groupdel-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + 
src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_groupdel-tools_mc_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_groupdel-sss_sync_ops.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_groupdel-tools_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_groupdel-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_groupdel-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/sss_groupdel-confdb_setup.$(OBJEXT): \ + src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sss_groupdel-nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_groupdel$(EXEEXT): $(sss_groupdel_OBJECTS) $(sss_groupdel_DEPENDENCIES) $(EXTRA_sss_groupdel_DEPENDENCIES) + @rm -f sss_groupdel$(EXEEXT) + $(AM_V_CCLD)$(sss_groupdel_LINK) $(sss_groupdel_OBJECTS) $(sss_groupdel_LDADD) $(LIBS) +src/tools/sss_groupmod-sss_groupmod.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_groupmod-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_groupmod-tools_mc_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_groupmod-sss_sync_ops.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_groupmod-tools_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_groupmod-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_groupmod-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) 
+src/confdb/sss_groupmod-confdb_setup.$(OBJEXT): \ + src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sss_groupmod-nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_groupmod$(EXEEXT): $(sss_groupmod_OBJECTS) $(sss_groupmod_DEPENDENCIES) $(EXTRA_sss_groupmod_DEPENDENCIES) + @rm -f sss_groupmod$(EXEEXT) + $(AM_V_CCLD)$(sss_groupmod_LINK) $(sss_groupmod_OBJECTS) $(sss_groupmod_LDADD) $(LIBS) +src/tools/sss_groupshow.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) + +sss_groupshow$(EXEEXT): $(sss_groupshow_OBJECTS) $(sss_groupshow_DEPENDENCIES) $(EXTRA_sss_groupshow_DEPENDENCIES) + @rm -f sss_groupshow$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sss_groupshow_OBJECTS) $(sss_groupshow_LDADD) $(LIBS) +src/tests/sss_idmap_tests-sss_idmap-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +sss_idmap-tests$(EXEEXT): $(sss_idmap_tests_OBJECTS) $(sss_idmap_tests_DEPENDENCIES) $(EXTRA_sss_idmap_tests_DEPENDENCIES) + @rm -f sss_idmap-tests$(EXEEXT) + $(AM_V_CCLD)$(sss_idmap_tests_LINK) $(sss_idmap_tests_OBJECTS) $(sss_idmap_tests_LDADD) $(LIBS) +src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +sss_nss_idmap-tests$(EXEEXT): $(sss_nss_idmap_tests_OBJECTS) $(sss_nss_idmap_tests_DEPENDENCIES) $(EXTRA_sss_nss_idmap_tests_DEPENDENCIES) + @rm -f sss_nss_idmap-tests$(EXEEXT) + $(AM_V_CCLD)$(sss_nss_idmap_tests_LINK) $(sss_nss_idmap_tests_OBJECTS) $(sss_nss_idmap_tests_LDADD) $(LIBS) +src/tools/sss_override-sss_override.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_override-sss_colondb.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_override-sss_sync_ops.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) 
+src/tools/sss_override-tools_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_override-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_override-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/sss_override-confdb_setup.$(OBJEXT): \ + src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sss_override-nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_override$(EXEEXT): $(sss_override_OBJECTS) $(sss_override_DEPENDENCIES) $(EXTRA_sss_override_DEPENDENCIES) + @rm -f sss_override$(EXEEXT) + $(AM_V_CCLD)$(sss_override_LINK) $(sss_override_OBJECTS) $(sss_override_LDADD) $(LIBS) +src/tools/sss_seed.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) + +sss_seed$(EXEEXT): $(sss_seed_OBJECTS) $(sss_seed_DEPENDENCIES) $(EXTRA_sss_seed_DEPENDENCIES) + @rm -f sss_seed$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sss_seed_OBJECTS) $(sss_seed_LDADD) $(LIBS) +src/tests/cmocka/sss_sifp_tests-test_sss_sifp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.$(OBJEXT): \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/sss_sifp_tests-sss_sifp_common.$(OBJEXT): \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/sss_sifp_tests-sss_sifp_parser.$(OBJEXT): \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/sss_sifp_tests-sss_sifp_utils.$(OBJEXT): \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.$(OBJEXT): \ + src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) +src/lib/sifp/sss_sifp_tests-sss_sifp.$(OBJEXT): \ + 
src/lib/sifp/$(am__dirstamp) \ + src/lib/sifp/$(DEPDIR)/$(am__dirstamp) + +sss_sifp-tests$(EXEEXT): $(sss_sifp_tests_OBJECTS) $(sss_sifp_tests_DEPENDENCIES) $(EXTRA_sss_sifp_tests_DEPENDENCIES) + @rm -f sss_sifp-tests$(EXEEXT) + $(AM_V_CCLD)$(sss_sifp_tests_LINK) $(sss_sifp_tests_OBJECTS) $(sss_sifp_tests_LDADD) $(LIBS) +src/tools/sss_signal.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) + +sss_signal$(EXEEXT): $(sss_signal_OBJECTS) $(sss_signal_DEPENDENCIES) $(EXTRA_sss_signal_DEPENDENCIES) + @rm -f sss_signal$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sss_signal_OBJECTS) $(sss_signal_LDADD) $(LIBS) +src/sss_client/sss_ssh_authorizedkeys-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/ssh/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/ssh + @: > src/sss_client/ssh/$(am__dirstamp) +src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/ssh/$(DEPDIR) + @: > src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp) +src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.$(OBJEXT): \ + src/sss_client/ssh/$(am__dirstamp) \ + src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp) +src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.$(OBJEXT): \ + src/sss_client/ssh/$(am__dirstamp) \ + src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp) + +sss_ssh_authorizedkeys$(EXEEXT): $(sss_ssh_authorizedkeys_OBJECTS) $(sss_ssh_authorizedkeys_DEPENDENCIES) $(EXTRA_sss_ssh_authorizedkeys_DEPENDENCIES) + @rm -f sss_ssh_authorizedkeys$(EXEEXT) + $(AM_V_CCLD)$(sss_ssh_authorizedkeys_LINK) $(sss_ssh_authorizedkeys_OBJECTS) $(sss_ssh_authorizedkeys_LDADD) $(LIBS) +src/sss_client/sss_ssh_knownhostsproxy-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.$(OBJEXT): \ + src/sss_client/ssh/$(am__dirstamp) \ + src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp) 
+src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.$(OBJEXT): \ + src/sss_client/ssh/$(am__dirstamp) \ + src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp) + +sss_ssh_knownhostsproxy$(EXEEXT): $(sss_ssh_knownhostsproxy_OBJECTS) $(sss_ssh_knownhostsproxy_DEPENDENCIES) $(EXTRA_sss_ssh_knownhostsproxy_DEPENDENCIES) + @rm -f sss_ssh_knownhostsproxy$(EXEEXT) + $(AM_V_CCLD)$(sss_ssh_knownhostsproxy_LINK) $(sss_ssh_knownhostsproxy_OBJECTS) $(sss_ssh_knownhostsproxy_LDADD) $(LIBS) +src/sss_client/sss_sudo_cli-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sudo/sss_sudo_cli-sss_sudo.$(OBJEXT): \ + src/sss_client/sudo/$(am__dirstamp) \ + src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.$(OBJEXT): \ + src/sss_client/sudo/$(am__dirstamp) \ + src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sudo_testcli/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/sudo_testcli + @: > src/sss_client/sudo_testcli/$(am__dirstamp) +src/sss_client/sudo_testcli/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/sss_client/sudo_testcli/$(DEPDIR) + @: > src/sss_client/sudo_testcli/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.$(OBJEXT): \ + src/sss_client/sudo_testcli/$(am__dirstamp) \ + src/sss_client/sudo_testcli/$(DEPDIR)/$(am__dirstamp) + +sss_sudo_cli$(EXEEXT): $(sss_sudo_cli_OBJECTS) $(sss_sudo_cli_DEPENDENCIES) $(EXTRA_sss_sudo_cli_DEPENDENCIES) + @rm -f sss_sudo_cli$(EXEEXT) + $(AM_V_CCLD)$(sss_sudo_cli_LINK) $(sss_sudo_cli_OBJECTS) $(sss_sudo_cli_LDADD) $(LIBS) +src/tools/sss_useradd.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) + +sss_useradd$(EXEEXT): $(sss_useradd_OBJECTS) $(sss_useradd_DEPENDENCIES) $(EXTRA_sss_useradd_DEPENDENCIES) + @rm -f sss_useradd$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sss_useradd_OBJECTS) $(sss_useradd_LDADD) $(LIBS) +src/tools/sss_userdel-sss_userdel.$(OBJEXT): \ + 
src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_userdel-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_userdel-tools_mc_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_userdel-sss_sync_ops.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_userdel-tools_util.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_userdel-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_userdel-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/sss_userdel-confdb_setup.$(OBJEXT): \ + src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sss_userdel-nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_userdel$(EXEEXT): $(sss_userdel_OBJECTS) $(sss_userdel_DEPENDENCIES) $(EXTRA_sss_userdel_DEPENDENCIES) + @rm -f sss_userdel$(EXEEXT) + $(AM_V_CCLD)$(sss_userdel_LINK) $(sss_userdel_OBJECTS) $(sss_userdel_LDADD) $(LIBS) +src/tools/sss_usermod-sss_usermod.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sss_usermod-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_usermod-tools_mc_util.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_usermod-sss_sync_ops.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sss_usermod-tools_util.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sss_usermod-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) 
+src/tools/common/sss_usermod-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/sss_usermod-confdb_setup.$(OBJEXT): \ + src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sss_usermod-nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sss_usermod$(EXEEXT): $(sss_usermod_OBJECTS) $(sss_usermod_DEPENDENCIES) $(EXTRA_sss_usermod_DEPENDENCIES) + @rm -f sss_usermod$(EXEEXT) + $(AM_V_CCLD)$(sss_usermod_LINK) $(sss_usermod_OBJECTS) $(sss_usermod_LDADD) $(LIBS) +src/tools/sssctl/$(am__dirstamp): + @$(MKDIR_P) src/tools/sssctl + @: > src/tools/sssctl/$(am__dirstamp) +src/tools/sssctl/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/tools/sssctl/$(DEPDIR) + @: > src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_systemd.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_cache.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_data.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_logs.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_domains.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_sifp.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_config.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_user_checks.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + 
src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl/sssctl-sssctl_access_report.$(OBJEXT): \ + src/tools/sssctl/$(am__dirstamp) \ + src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl-sss_sync_ops.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/sssctl-tools_util.$(OBJEXT): src/tools/$(am__dirstamp) \ + src/tools/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sssctl-sss_tools.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/tools/common/sssctl-sss_process.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) +src/confdb/sssctl-confdb_setup.$(OBJEXT): src/confdb/$(am__dirstamp) \ + src/confdb/$(DEPDIR)/$(am__dirstamp) +src/util/sssctl-nscd.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sssctl$(EXEEXT): $(sssctl_OBJECTS) $(sssctl_DEPENDENCIES) $(EXTRA_sssctl_DEPENDENCIES) + @rm -f sssctl$(EXEEXT) + $(AM_V_CCLD)$(sssctl_LINK) $(sssctl_OBJECTS) $(sssctl_LDADD) $(LIBS) +src/monitor/monitor.$(OBJEXT): src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/monitor/monitor_netlink.$(OBJEXT): src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/monitor/monitor_iface_generated.$(OBJEXT): \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/util/inotify.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sssd$(EXEEXT): $(sssd_OBJECTS) $(sssd_DEPENDENCIES) $(EXTRA_sssd_DEPENDENCIES) + @rm -f sssd$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_OBJECTS) $(sssd_LDADD) $(LIBS) +src/responder/autofs/$(am__dirstamp): + @$(MKDIR_P) src/responder/autofs + @: > src/responder/autofs/$(am__dirstamp) +src/responder/autofs/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/autofs/$(DEPDIR) + @: > src/responder/autofs/$(DEPDIR)/$(am__dirstamp) +src/responder/autofs/autofssrv.$(OBJEXT): \ + src/responder/autofs/$(am__dirstamp) \ + 
src/responder/autofs/$(DEPDIR)/$(am__dirstamp) +src/responder/autofs/autofssrv_cmd.$(OBJEXT): \ + src/responder/autofs/$(am__dirstamp) \ + src/responder/autofs/$(DEPDIR)/$(am__dirstamp) +src/responder/autofs/autofssrv_dp.$(OBJEXT): \ + src/responder/autofs/$(am__dirstamp) \ + src/responder/autofs/$(DEPDIR)/$(am__dirstamp) +src/responder/common/negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_dp.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_dp_ssh.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_get_domains.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider_req.$(OBJEXT): \ + 
src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/session_recording.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_group_by_id.$(OBJEXT): \ + 
src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + +sssd_autofs$(EXEEXT): $(sssd_autofs_OBJECTS) $(sssd_autofs_DEPENDENCIES) $(EXTRA_sssd_autofs_DEPENDENCIES) + @rm -f sssd_autofs$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_autofs_OBJECTS) $(sssd_autofs_LDADD) $(LIBS) +src/providers/data_provider_be.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider_fo.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider_opts.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider_callbacks.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/be_dyndns.$(OBJEXT): src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/be_ptask.$(OBJEXT): src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/be_refresh.$(OBJEXT): src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_modules.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_targets.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_methods.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_builtin.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + 
src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_iface.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_iface_backend.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_iface_failover.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_client.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_resp_client.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_iface_generated.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_request.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_request_reply.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_request_table.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_reply_std.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_target_sudo.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_target_hostid.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) 
+src/providers/data_provider/dp_target_autofs.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_target_subdomains.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_target_id.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/dp_target_auth.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/fail_over.$(OBJEXT): src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/fail_over_srv.$(OBJEXT): src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/resolv/async_resolv.$(OBJEXT): src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) +src/resolv/async_resolv_utils.$(OBJEXT): src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) + +sssd_be$(EXEEXT): $(sssd_be_OBJECTS) $(sssd_be_DEPENDENCIES) $(EXTRA_sssd_be_DEPENDENCIES) + @rm -f sssd_be$(EXEEXT) + $(AM_V_CCLD)$(sssd_be_LINK) $(sssd_be_OBJECTS) $(sssd_be_LDADD) $(LIBS) +src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.$(OBJEXT): \ + src/tools/$(am__dirstamp) src/tools/$(DEPDIR)/$(am__dirstamp) + +sssd_check_socket_activated_responders$(EXEEXT): $(sssd_check_socket_activated_responders_OBJECTS) $(sssd_check_socket_activated_responders_DEPENDENCIES) $(EXTRA_sssd_check_socket_activated_responders_DEPENDENCIES) + @rm -f sssd_check_socket_activated_responders$(EXEEXT) + $(AM_V_CCLD)$(sssd_check_socket_activated_responders_LINK) $(sssd_check_socket_activated_responders_OBJECTS) $(sssd_check_socket_activated_responders_LDADD) $(LIBS) +src/responder/ifp/sssd_ifp-ifpsrv.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + 
src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifpsrv_cmd.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_iface_generated.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_iface.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_iface_nodes.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifpsrv_util.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_domains.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_components.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_users.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_groups.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/ifp/sssd_ifp-ifp_cache.$(OBJEXT): \ + src/responder/ifp/$(am__dirstamp) \ + src/responder/ifp/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + 
src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_dp.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_dp_ssh.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_get_domains.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_ifp-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/sssd_ifp-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/sssd_ifp-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/monitor/sssd_ifp-monitor_iface_generated.$(OBJEXT): \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/providers/sssd_ifp-data_provider_req.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_ifp-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_ifp-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_ifp-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_ifp-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) 
\ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_ifp-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_ifp-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_ifp-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_ifp-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_ifp-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_ifp-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.$(OBJEXT): \ + 
src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + +sssd_ifp$(EXEEXT): $(sssd_ifp_OBJECTS) $(sssd_ifp_DEPENDENCIES) $(EXTRA_sssd_ifp_DEPENDENCIES) + @rm -f sssd_ifp$(EXEEXT) + $(AM_V_CCLD)$(sssd_ifp_LINK) $(sssd_ifp_OBJECTS) 
$(sssd_ifp_LDADD) $(LIBS) +src/responder/kcm/$(am__dirstamp): + @$(MKDIR_P) src/responder/kcm + @: > src/responder/kcm/$(am__dirstamp) +src/responder/kcm/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/kcm/$(DEPDIR) + @: > src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcm.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_cmd.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_ccache.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_ops.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/sssd_kcm-kcmsrv_op_queue.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_kcm-sss_sockets.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_kcm-sss_krb5.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_kcm-sss_iobuf.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_kcm-tev_curl.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/sssd_kcm-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_dp.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_dp_ssh.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_get_domains.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_kcm-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/sssd_kcm-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/sssd_kcm-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/monitor/sssd_kcm-monitor_iface_generated.$(OBJEXT): \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/providers/sssd_kcm-data_provider_req.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_kcm-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/iface/sssd_kcm-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_kcm-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_kcm-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_kcm-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_kcm-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_kcm-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_kcm-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_kcm-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_kcm-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.$(OBJEXT): \ + 
src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + +sssd_kcm$(EXEEXT): $(sssd_kcm_OBJECTS) $(sssd_kcm_DEPENDENCIES) $(EXTRA_sssd_kcm_DEPENDENCIES) + @rm -f sssd_kcm$(EXEEXT) + $(AM_V_CCLD)$(sssd_kcm_LINK) $(sssd_kcm_OBJECTS) $(sssd_kcm_LDADD) $(LIBS) +src/responder/nss/nsssrv.$(OBJEXT): src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_cmd.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_enum.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_get_object.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_protocol.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_protocol_pwent.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_protocol_grent.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_protocol_netgr.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_protocol_svcent.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_protocol_sid.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_utils.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_iface_generated.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + 
src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nss_iface.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) +src/responder/nss/nsssrv_mmap_cache.$(OBJEXT): \ + src/responder/nss/$(am__dirstamp) \ + src/responder/nss/$(DEPDIR)/$(am__dirstamp) + +sssd_nss$(EXEEXT): $(sssd_nss_OBJECTS) $(sssd_nss_DEPENDENCIES) $(EXTRA_sssd_nss_DEPENDENCIES) + @rm -f sssd_nss$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_nss_OBJECTS) $(sssd_nss_LDADD) $(LIBS) +src/responder/pac/$(am__dirstamp): + @$(MKDIR_P) src/responder/pac + @: > src/responder/pac/$(am__dirstamp) +src/responder/pac/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/pac/$(DEPDIR) + @: > src/responder/pac/$(DEPDIR)/$(am__dirstamp) +src/responder/pac/sssd_pac-pacsrv.$(OBJEXT): \ + src/responder/pac/$(am__dirstamp) \ + src/responder/pac/$(DEPDIR)/$(am__dirstamp) +src/responder/pac/sssd_pac-pacsrv_cmd.$(OBJEXT): \ + src/responder/pac/$(am__dirstamp) \ + src/responder/pac/$(DEPDIR)/$(am__dirstamp) +src/providers/ad/sssd_pac-ad_pac_common.$(OBJEXT): \ + src/providers/ad/$(am__dirstamp) \ + src/providers/ad/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_dp.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_dp_ssh.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + 
src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_packet.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_get_domains.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/sssd_pac-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/sssd_pac-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/sssd_pac-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/monitor/sssd_pac-monitor_iface_generated.$(OBJEXT): \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/providers/sssd_pac-data_provider_req.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/sssd_pac-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_pac-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_pac-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_pac-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/sssd_pac-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_pac-cache_req.$(OBJEXT): 
\ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_pac-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_pac-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_pac-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_pac-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) 
+src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + +sssd_pac$(EXEEXT): $(sssd_pac_OBJECTS) $(sssd_pac_DEPENDENCIES) $(EXTRA_sssd_pac_DEPENDENCIES) + @rm -f sssd_pac$(EXEEXT) + $(AM_V_CCLD)$(sssd_pac_LINK) $(sssd_pac_OBJECTS) $(sssd_pac_LDADD) $(LIBS) +src/sss_client/sssd_pac_test_client-sss_pac_responder_client.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) +src/sss_client/sssd_pac_test_client-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) 
+src/util/sssd_pac_test_client-strtonum.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +sssd_pac_test_client$(EXEEXT): $(sssd_pac_test_client_OBJECTS) $(sssd_pac_test_client_DEPENDENCIES) $(EXTRA_sssd_pac_test_client_DEPENDENCIES) + @rm -f sssd_pac_test_client$(EXEEXT) + $(AM_V_CCLD)$(sssd_pac_test_client_LINK) $(sssd_pac_test_client_OBJECTS) $(sssd_pac_test_client_LDADD) $(LIBS) +src/responder/pam/pam_LOCAL_domain.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pamsrv.$(OBJEXT): src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pamsrv_cmd.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pamsrv_p11.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pamsrv_dp.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) +src/responder/pam/pam_helpers.$(OBJEXT): \ + src/responder/pam/$(am__dirstamp) \ + src/responder/pam/$(DEPDIR)/$(am__dirstamp) + +sssd_pam$(EXEEXT): $(sssd_pam_OBJECTS) $(sssd_pam_DEPENDENCIES) $(EXTRA_sssd_pam_DEPENDENCIES) + @rm -f sssd_pam$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_pam_OBJECTS) $(sssd_pam_LDADD) $(LIBS) +src/responder/secrets/$(am__dirstamp): + @$(MKDIR_P) src/responder/secrets + @: > src/responder/secrets/$(am__dirstamp) +src/responder/secrets/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/secrets/$(DEPDIR) + @: > src/responder/secrets/$(DEPDIR)/$(am__dirstamp) +src/responder/secrets/secsrv.$(OBJEXT): \ + src/responder/secrets/$(am__dirstamp) \ + src/responder/secrets/$(DEPDIR)/$(am__dirstamp) +src/responder/secrets/secsrv_cmd.$(OBJEXT): \ + src/responder/secrets/$(am__dirstamp) \ + src/responder/secrets/$(DEPDIR)/$(am__dirstamp) +src/responder/secrets/providers.$(OBJEXT): \ + src/responder/secrets/$(am__dirstamp) \ 
+ src/responder/secrets/$(DEPDIR)/$(am__dirstamp) +src/responder/secrets/local.$(OBJEXT): \ + src/responder/secrets/$(am__dirstamp) \ + src/responder/secrets/$(DEPDIR)/$(am__dirstamp) +src/responder/secrets/proxy.$(OBJEXT): \ + src/responder/secrets/$(am__dirstamp) \ + src/responder/secrets/$(DEPDIR)/$(am__dirstamp) +src/util/sss_sockets.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/sss_iobuf.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/tev_curl.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +sssd_secrets$(EXEEXT): $(sssd_secrets_OBJECTS) $(sssd_secrets_DEPENDENCIES) $(EXTRA_sssd_secrets_DEPENDENCIES) + @rm -f sssd_secrets$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_secrets_OBJECTS) $(sssd_secrets_LDADD) $(LIBS) +src/responder/ssh/sshsrv.$(OBJEXT): src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_cmd.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_known_hosts.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_protocol.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) +src/responder/ssh/ssh_reply.$(OBJEXT): \ + src/responder/ssh/$(am__dirstamp) \ + src/responder/ssh/$(DEPDIR)/$(am__dirstamp) + +sssd_ssh$(EXEEXT): $(sssd_ssh_OBJECTS) $(sssd_ssh_DEPENDENCIES) $(EXTRA_sssd_ssh_DEPENDENCIES) + @rm -f sssd_ssh$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_ssh_OBJECTS) $(sssd_ssh_LDADD) $(LIBS) +src/responder/sudo/$(am__dirstamp): + @$(MKDIR_P) src/responder/sudo + @: > src/responder/sudo/$(am__dirstamp) +src/responder/sudo/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/responder/sudo/$(DEPDIR) + @: > src/responder/sudo/$(DEPDIR)/$(am__dirstamp) +src/responder/sudo/sudosrv.$(OBJEXT): \ + src/responder/sudo/$(am__dirstamp) \ + 
src/responder/sudo/$(DEPDIR)/$(am__dirstamp) +src/responder/sudo/sudosrv_cmd.$(OBJEXT): \ + src/responder/sudo/$(am__dirstamp) \ + src/responder/sudo/$(DEPDIR)/$(am__dirstamp) +src/responder/sudo/sudosrv_get_sudorules.$(OBJEXT): \ + src/responder/sudo/$(am__dirstamp) \ + src/responder/sudo/$(DEPDIR)/$(am__dirstamp) +src/responder/sudo/sudosrv_query.$(OBJEXT): \ + src/responder/sudo/$(am__dirstamp) \ + src/responder/sudo/$(DEPDIR)/$(am__dirstamp) +src/responder/sudo/sudosrv_dp.$(OBJEXT): \ + src/responder/sudo/$(am__dirstamp) \ + src/responder/sudo/$(DEPDIR)/$(am__dirstamp) + +sssd_sudo$(EXEEXT): $(sssd_sudo_OBJECTS) $(sssd_sudo_DEPENDENCIES) $(EXTRA_sssd_sudo_DEPENDENCIES) + @rm -f sssd_sudo$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(sssd_sudo_OBJECTS) $(sssd_sudo_LDADD) $(LIBS) +src/tests/stress-tests.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +stress-tests$(EXEEXT): $(stress_tests_OBJECTS) $(stress_tests_DEPENDENCIES) $(EXTRA_stress_tests_DEPENDENCIES) + @rm -f stress-tests$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(stress_tests_OBJECTS) $(stress_tests_LDADD) $(LIBS) +src/tests/strtonum_tests-strtonum-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/util/strtonum_tests-strtonum.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +strtonum-tests$(EXEEXT): $(strtonum_tests_OBJECTS) $(strtonum_tests_DEPENDENCIES) $(EXTRA_strtonum_tests_DEPENDENCIES) + @rm -f strtonum-tests$(EXEEXT) + $(AM_V_CCLD)$(strtonum_tests_LINK) $(strtonum_tests_OBJECTS) $(strtonum_tests_LDADD) $(LIBS) +src/tests/sysdb_tests-sysdb-tests.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +sysdb-tests$(EXEEXT): $(sysdb_tests_OBJECTS) $(sysdb_tests_DEPENDENCIES) $(EXTRA_sysdb_tests_DEPENDENCIES) + @rm -f sysdb-tests$(EXEEXT) + $(AM_V_CCLD)$(sysdb_tests_LINK) $(sysdb_tests_OBJECTS) $(sysdb_tests_LDADD) $(LIBS) +src/tests/sysdb_ssh_tests-sysdb_ssh-tests.$(OBJEXT): \ + 
src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +sysdb_ssh-tests$(EXEEXT): $(sysdb_ssh_tests_OBJECTS) $(sysdb_ssh_tests_DEPENDENCIES) $(EXTRA_sysdb_ssh_tests_DEPENDENCIES) + @rm -f sysdb_ssh-tests$(EXEEXT) + $(AM_V_CCLD)$(sysdb_ssh_tests_LINK) $(sysdb_ssh_tests_OBJECTS) $(sysdb_ssh_tests_LDADD) $(LIBS) +src/tests/tcurl_test_tool-tcurl_test_tool.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) +src/util/tcurl_test_tool-tev_curl.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/tcurl_test_tool-sss_iobuf.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +tcurl-test-tool$(EXEEXT): $(tcurl_test_tool_OBJECTS) $(tcurl_test_tool_DEPENDENCIES) $(EXTRA_tcurl_test_tool_DEPENDENCIES) + @rm -f tcurl-test-tool$(EXEEXT) + $(AM_V_CCLD)$(tcurl_test_tool_LINK) $(tcurl_test_tool_OBJECTS) $(tcurl_test_tool_LDADD) $(LIBS) +src/tests/cmocka/test_authtok-test_authtok.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/util/test_authtok-authtok.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_authtok-authtok-utils.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_authtok-util.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_authtok-util_ext.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +test-authtok$(EXEEXT): $(test_authtok_OBJECTS) $(test_authtok_DEPENDENCIES) $(EXTRA_test_authtok_DEPENDENCIES) + @rm -f test-authtok$(EXEEXT) + $(AM_V_CCLD)$(test_authtok_LINK) $(test_authtok_OBJECTS) $(test_authtok_LDADD) $(LIBS) +src/tests/cmocka/test_find_uid-test_find_uid.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/util/test_find_uid-find_uid.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) 
+src/util/test_find_uid-atomic_io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_find_uid-strtonum.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +test-find-uid$(EXEEXT): $(test_find_uid_OBJECTS) $(test_find_uid_DEPENDENCIES) $(EXTRA_test_find_uid_DEPENDENCIES) + @rm -f test-find-uid$(EXEEXT) + $(AM_V_CCLD)$(test_find_uid_LINK) $(test_find_uid_OBJECTS) $(test_find_uid_LDADD) $(LIBS) +src/tests/cmocka/test_io-test_io.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/util/test_io-io.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/test_io-common.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +test-io$(EXEEXT): $(test_io_OBJECTS) $(test_io_DEPENDENCIES) $(EXTRA_test_io_DEPENDENCIES) + @rm -f test-io$(EXEEXT) + $(AM_V_CCLD)$(test_io_LINK) $(test_io_OBJECTS) $(test_io_LDADD) $(LIBS) +src/responder/common/test_negcache-negcache_files.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-negcache.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_cmd.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_common.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_dp.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_dp_ssh.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_packet.$(OBJEXT): \ + 
src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_get_domains.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/test_negcache-responder_utils.$(OBJEXT): \ + src/responder/common/$(am__dirstamp) \ + src/responder/common/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/test_negcache-rdp_message.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/responder/common/data_provider/test_negcache-rdp_client.$(OBJEXT): \ + src/responder/common/data_provider/$(am__dirstamp) \ + src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +src/monitor/test_negcache-monitor_iface_generated.$(OBJEXT): \ + src/monitor/$(am__dirstamp) \ + src/monitor/$(DEPDIR)/$(am__dirstamp) +src/providers/test_negcache-data_provider_req.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/util/test_negcache-session_recording.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/test_negcache-responder_iface.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/test_negcache-responder_domain.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/test_negcache-responder_ncache.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/iface/test_negcache-responder_iface_generated.$(OBJEXT): \ + src/responder/common/iface/$(am__dirstamp) \ + src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/test_negcache-cache_req.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) 
\ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/test_negcache-cache_req_result.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/test_negcache-cache_req_search.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/test_negcache-cache_req_data.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/test_negcache-cache_req_domain.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.$(OBJEXT): \ + src/responder/common/cache_req/$(am__dirstamp) \ + src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_common.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.$(OBJEXT): \ + src/responder/common/cache_req/plugins/$(am__dirstamp) \ + src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_negcache-common_mock_resp.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_negcache-test_negcache.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test-negcache$(EXEEXT): $(test_negcache_OBJECTS) $(test_negcache_DEPENDENCIES) $(EXTRA_test_negcache_DEPENDENCIES) + @rm -f 
test-negcache$(EXEEXT) + $(AM_V_CCLD)$(test_negcache_LINK) $(test_negcache_OBJECTS) $(test_negcache_LDADD) $(LIBS) +src/tests/cmocka/test_ad_subdom-test_ad_subdomains.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_ad_subdom$(EXEEXT): $(test_ad_subdom_OBJECTS) $(test_ad_subdom_DEPENDENCIES) $(EXTRA_test_ad_subdom_DEPENDENCIES) + @rm -f test_ad_subdom$(EXEEXT) + $(AM_V_CCLD)$(test_ad_subdom_LINK) $(test_ad_subdom_OBJECTS) $(test_ad_subdom_LDADD) $(LIBS) +src/tests/cmocka/test_be_ptask-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_be_ptask-test_be_ptask.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/test_be_ptask-be_ptask.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) + +test_be_ptask$(EXEEXT): $(test_be_ptask_OBJECTS) $(test_be_ptask_DEPENDENCIES) $(EXTRA_test_be_ptask_DEPENDENCIES) + @rm -f test_be_ptask$(EXEEXT) + $(AM_V_CCLD)$(test_be_ptask_LINK) $(test_be_ptask_OBJECTS) $(test_be_ptask_LDADD) $(LIBS) +src/tests/cmocka/test_cert_utils-test_cert_utils.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/util/cert/test_cert_utils-cert_common_p11_child.$(OBJEXT): \ + src/util/cert/$(am__dirstamp) \ + src/util/cert/$(DEPDIR)/$(am__dirstamp) + +test_cert_utils$(EXEEXT): $(test_cert_utils_OBJECTS) $(test_cert_utils_DEPENDENCIES) $(EXTRA_test_cert_utils_DEPENDENCIES) + @rm -f test_cert_utils$(EXEEXT) + $(AM_V_CCLD)$(test_cert_utils_LINK) $(test_cert_utils_OBJECTS) $(test_cert_utils_LDADD) $(LIBS) +src/tests/cmocka/test_child_common-test_child_common.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/util/test_child_common-child_common.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) 
+src/util/test_child_common-signal.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_child_common-atomic_io.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_child_common-util_errors.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_child_common-util.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_child_common-util_ext.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +test_child_common$(EXEEXT): $(test_child_common_OBJECTS) $(test_child_common_DEPENDENCIES) $(EXTRA_test_child_common_DEPENDENCIES) + @rm -f test_child_common$(EXEEXT) + $(AM_V_CCLD)$(test_child_common_LINK) $(test_child_common_OBJECTS) $(test_child_common_LDADD) $(LIBS) +src/tests/cmocka/test_copy_ccache-test_copy_ccache.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_copy_ccache-krb5_ccache.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/test_copy_ccache-sss_krb5.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_copy_ccache-sss_iobuf.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +test_copy_ccache$(EXEEXT): $(test_copy_ccache_OBJECTS) $(test_copy_ccache_DEPENDENCIES) $(EXTRA_test_copy_ccache_DEPENDENCIES) + @rm -f test_copy_ccache$(EXEEXT) + $(AM_V_CCLD)$(test_copy_ccache_LINK) $(test_copy_ccache_OBJECTS) $(test_copy_ccache_LDADD) $(LIBS) +src/tests/cmocka/test_copy_keytab-common_mock_krb5.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_copy_keytab-test_copy_keytab.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_copy_keytab-krb5_keytab.$(OBJEXT): \ + 
src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/test_copy_keytab-sss_krb5.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_copy_keytab-sss_iobuf.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) + +test_copy_keytab$(EXEEXT): $(test_copy_keytab_OBJECTS) $(test_copy_keytab_DEPENDENCIES) $(EXTRA_test_copy_keytab_DEPENDENCIES) + @rm -f test_copy_keytab$(EXEEXT) + $(AM_V_CCLD)$(test_copy_keytab_LINK) $(test_copy_keytab_OBJECTS) $(test_copy_keytab_LDADD) $(LIBS) +src/providers/test_data_provider_be-data_provider_be.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_data_provider_be-test_data_provider_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_data_provider_be-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_data_provider_be$(EXEEXT): $(test_data_provider_be_OBJECTS) $(test_data_provider_be_DEPENDENCIES) $(EXTRA_test_data_provider_be_DEPENDENCIES) + @rm -f test_data_provider_be$(EXEEXT) + $(AM_V_CCLD)$(test_data_provider_be_LINK) $(test_data_provider_be_OBJECTS) $(test_data_provider_be_LDADD) $(LIBS) +src/providers/data_provider/test_dp_builtin-dp_modules.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_builtin-dp_targets.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_builtin-dp_methods.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_builtin-dp_builtin.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + 
src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/data_provider/$(am__dirstamp): + @$(MKDIR_P) src/tests/cmocka/data_provider + @: > src/tests/cmocka/data_provider/$(am__dirstamp) +src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) src/tests/cmocka/data_provider/$(DEPDIR) + @: > src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.$(OBJEXT): \ + src/tests/cmocka/data_provider/$(am__dirstamp) \ + src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.$(OBJEXT): \ + src/tests/cmocka/data_provider/$(am__dirstamp) \ + src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_dp_builtin-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_dp_builtin$(EXEEXT): $(test_dp_builtin_OBJECTS) $(test_dp_builtin_DEPENDENCIES) $(EXTRA_test_dp_builtin_DEPENDENCIES) + @rm -f test_dp_builtin$(EXEEXT) + $(AM_V_CCLD)$(test_dp_builtin_LINK) $(test_dp_builtin_OBJECTS) $(test_dp_builtin_LDADD) $(LIBS) +src/providers/data_provider/test_dp_request-dp_request.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_request-dp_modules.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_request-dp_targets.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_request-dp_methods.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/providers/data_provider/test_dp_request-dp_builtin.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + 
src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/data_provider/test_dp_request-mock_dp.$(OBJEXT): \ + src/tests/cmocka/data_provider/$(am__dirstamp) \ + src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/data_provider/test_dp_request-test_dp_request.$(OBJEXT): \ + src/tests/cmocka/data_provider/$(am__dirstamp) \ + src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_dp_request-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_dp_request$(EXEEXT): $(test_dp_request_OBJECTS) $(test_dp_request_DEPENDENCIES) $(EXTRA_test_dp_request_DEPENDENCIES) + @rm -f test_dp_request$(EXEEXT) + $(AM_V_CCLD)$(test_dp_request_LINK) $(test_dp_request_OBJECTS) $(test_dp_request_LDADD) $(LIBS) +src/providers/data_provider/test_dp_request_table-dp_request_table.$(OBJEXT): \ + src/providers/data_provider/$(am__dirstamp) \ + src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.$(OBJEXT): \ + src/tests/cmocka/data_provider/$(am__dirstamp) \ + src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) + +test_dp_request_table$(EXEEXT): $(test_dp_request_table_OBJECTS) $(test_dp_request_table_DEPENDENCIES) $(EXTRA_test_dp_request_table_DEPENDENCIES) + @rm -f test_dp_request_table$(EXEEXT) + $(AM_V_CCLD)$(test_dp_request_table_LINK) $(test_dp_request_table_OBJECTS) $(test_dp_request_table_LDADD) $(LIBS) +src/tests/cmocka/test_fo_srv-test_fo_srv.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/test_fo_srv-fail_over.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) +src/providers/test_fo_srv-fail_over_srv.$(OBJEXT): \ + src/providers/$(am__dirstamp) \ + src/providers/$(DEPDIR)/$(am__dirstamp) + +test_fo_srv$(EXEEXT): $(test_fo_srv_OBJECTS) $(test_fo_srv_DEPENDENCIES) 
$(EXTRA_test_fo_srv_DEPENDENCIES) + @rm -f test_fo_srv$(EXEEXT) + $(AM_V_CCLD)$(test_fo_srv_LINK) $(test_fo_srv_OBJECTS) $(test_fo_srv_LDADD) $(LIBS) +src/util/test_inotify-inotify.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_inotify-test_inotify.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_inotify$(EXEEXT): $(test_inotify_OBJECTS) $(test_inotify_DEPENDENCIES) $(EXTRA_test_inotify_DEPENDENCIES) + @rm -f test_inotify$(EXEEXT) + $(AM_V_CCLD)$(test_inotify_LINK) $(test_inotify_OBJECTS) $(test_inotify_LDADD) $(LIBS) +src/util/test_iobuf-sss_iobuf.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_iobuf-test_iobuf.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_iobuf$(EXEEXT): $(test_iobuf_OBJECTS) $(test_iobuf_DEPENDENCIES) $(EXTRA_test_iobuf_DEPENDENCIES) + @rm -f test_iobuf$(EXEEXT) + $(AM_V_CCLD)$(test_iobuf_LINK) $(test_iobuf_OBJECTS) $(test_iobuf_LDADD) $(LIBS) +src/providers/ipa/ipa_dn.$(OBJEXT): src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_ipa_dn.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_ipa_dn$(EXEEXT): $(test_ipa_dn_OBJECTS) $(test_ipa_dn_DEPENDENCIES) $(EXTRA_test_ipa_dn_DEPENDENCIES) + @rm -f test_ipa_dn$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_ipa_dn_OBJECTS) $(test_ipa_dn_LDADD) $(LIBS) +src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_ipa_idmap-ipa_idmap.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +test_ipa_idmap$(EXEEXT): $(test_ipa_idmap_OBJECTS) $(test_ipa_idmap_DEPENDENCIES) $(EXTRA_test_ipa_idmap_DEPENDENCIES) + @rm -f test_ipa_idmap$(EXEEXT) + 
$(AM_V_CCLD)$(test_ipa_idmap_LINK) $(test_ipa_idmap_OBJECTS) $(test_ipa_idmap_LDADD) $(LIBS) +src/providers/krb5/test_ipa_subdom_server-krb5_utils.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_common.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_opts.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_auth.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_access.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/providers/krb5/test_ipa_subdom_server-krb5_ccache.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) +src/util/test_ipa_subdom_server-sss_krb5.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_ipa_subdom_server-sss_iobuf.$(OBJEXT): \ + 
src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_ipa_subdom_server-become_user.$(OBJEXT): \ + src/util/$(am__dirstamp) src/util/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_ipa_subdom_server-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_ipa_subdom_server-ipa_opts.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +test_ipa_subdom_server$(EXEEXT): $(test_ipa_subdom_server_OBJECTS) $(test_ipa_subdom_server_DEPENDENCIES) $(EXTRA_test_ipa_subdom_server_DEPENDENCIES) + @rm -f test_ipa_subdom_server$(EXEEXT) + $(AM_V_CCLD)$(test_ipa_subdom_server_LINK) $(test_ipa_subdom_server_OBJECTS) $(test_ipa_subdom_server_LDADD) $(LIBS) +src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +test_ipa_subdom_util$(EXEEXT): $(test_ipa_subdom_util_OBJECTS) 
$(test_ipa_subdom_util_DEPENDENCIES) $(EXTRA_test_ipa_subdom_util_DEPENDENCIES) + @rm -f test_ipa_subdom_util$(EXEEXT) + $(AM_V_CCLD)$(test_ipa_subdom_util_LINK) $(test_ipa_subdom_util_OBJECTS) $(test_ipa_subdom_util_LDADD) $(LIBS) +src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/test_kcm_json-kcmsrv_ccache.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) +src/util/test_kcm_json-sss_krb5.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) +src/util/test_kcm_json-sss_iobuf.$(OBJEXT): src/util/$(am__dirstamp) \ + src/util/$(DEPDIR)/$(am__dirstamp) + +test_kcm_json$(EXEEXT): $(test_kcm_json_OBJECTS) $(test_kcm_json_DEPENDENCIES) $(EXTRA_test_kcm_json_DEPENDENCIES) + @rm -f test_kcm_json$(EXEEXT) + $(AM_V_CCLD)$(test_kcm_json_LINK) $(test_kcm_json_OBJECTS) $(test_kcm_json_LDADD) $(LIBS) +src/tests/cmocka/test_kcm_queue-test_kcm_queue.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.$(OBJEXT): \ + src/responder/kcm/$(am__dirstamp) \ + src/responder/kcm/$(DEPDIR)/$(am__dirstamp) + +test_kcm_queue$(EXEEXT): $(test_kcm_queue_OBJECTS) $(test_kcm_queue_DEPENDENCIES) $(EXTRA_test_kcm_queue_DEPENDENCIES) + @rm -f test_kcm_queue$(EXEEXT) + $(AM_V_CCLD)$(test_kcm_queue_LINK) $(test_kcm_queue_OBJECTS) $(test_kcm_queue_LDADD) $(LIBS) +src/tests/cmocka/test_krb5_wait_queue-common_mock_be.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) 
+src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.$(OBJEXT): \ + src/providers/krb5/$(am__dirstamp) \ + src/providers/krb5/$(DEPDIR)/$(am__dirstamp) + +test_krb5_wait_queue$(EXEEXT): $(test_krb5_wait_queue_OBJECTS) $(test_krb5_wait_queue_DEPENDENCIES) $(EXTRA_test_krb5_wait_queue_DEPENDENCIES) + @rm -f test_krb5_wait_queue$(EXEEXT) + $(AM_V_CCLD)$(test_krb5_wait_queue_LINK) $(test_krb5_wait_queue_OBJECTS) $(test_krb5_wait_queue_LDADD) $(LIBS) +src/tests/cmocka/test_ldap_auth.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_expire_common.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_ldap_auth$(EXEEXT): $(test_ldap_auth_OBJECTS) $(test_ldap_auth_DEPENDENCIES) $(EXTRA_test_ldap_auth_DEPENDENCIES) + @rm -f test_ldap_auth$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_ldap_auth_OBJECTS) $(test_ldap_auth_LDADD) $(LIBS) +src/tests/cmocka/test_ldap_id_cleanup.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_ldap_id_cleanup$(EXEEXT): $(test_ldap_id_cleanup_OBJECTS) $(test_ldap_id_cleanup_DEPENDENCIES) $(EXTRA_test_ldap_id_cleanup_DEPENDENCIES) + @rm -f test_ldap_id_cleanup$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_ldap_id_cleanup_OBJECTS) $(test_ldap_id_cleanup_LDADD) $(LIBS) +src/tests/cmocka/test_resolv_fake-test_resolv_fake.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/resolv/test_resolv_fake-async_resolv.$(OBJEXT): \ + src/resolv/$(am__dirstamp) \ + src/resolv/$(DEPDIR)/$(am__dirstamp) + +test_resolv_fake$(EXEEXT): $(test_resolv_fake_OBJECTS) $(test_resolv_fake_DEPENDENCIES) $(EXTRA_test_resolv_fake_DEPENDENCIES) + @rm -f test_resolv_fake$(EXEEXT) + $(AM_V_CCLD)$(test_resolv_fake_LINK) $(test_resolv_fake_OBJECTS) $(test_resolv_fake_LDADD) $(LIBS) +src/tests/cmocka/test_sbus_opath-test_sbus_opath.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + 
src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sbus_opath$(EXEEXT): $(test_sbus_opath_OBJECTS) $(test_sbus_opath_DEPENDENCIES) $(EXTRA_test_sbus_opath_DEPENDENCIES) + @rm -f test_sbus_opath$(EXEEXT) + $(AM_V_CCLD)$(test_sbus_opath_LINK) $(test_sbus_opath_OBJECTS) $(test_sbus_opath_LDADD) $(LIBS) +src/tests/cmocka/test_sdap_access.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sdap_access$(EXEEXT): $(test_sdap_access_OBJECTS) $(test_sdap_access_DEPENDENCIES) $(EXTRA_test_sdap_access_DEPENDENCIES) + @rm -f test_sdap_access$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_sdap_access_OBJECTS) $(test_sdap_access_LDADD) $(LIBS) +src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ldap/test_sdap_certmap-sdap_certmap.$(OBJEXT): \ + src/providers/ldap/$(am__dirstamp) \ + src/providers/ldap/$(DEPDIR)/$(am__dirstamp) + +test_sdap_certmap$(EXEEXT): $(test_sdap_certmap_OBJECTS) $(test_sdap_certmap_DEPENDENCIES) $(EXTRA_test_sdap_certmap_DEPENDENCIES) + @rm -f test_sdap_certmap$(EXEEXT) + $(AM_V_CCLD)$(test_sdap_certmap_LINK) $(test_sdap_certmap_OBJECTS) $(test_sdap_certmap_LDADD) $(LIBS) +src/tests/cmocka/test_sdap_initgr-common_mock_sdap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sdap_initgr$(EXEEXT): $(test_sdap_initgr_OBJECTS) $(test_sdap_initgr_DEPENDENCIES) $(EXTRA_test_sdap_initgr_DEPENDENCIES) + @rm -f test_sdap_initgr$(EXEEXT) + $(AM_V_CCLD)$(test_sdap_initgr_LINK) $(test_sdap_initgr_OBJECTS) $(test_sdap_initgr_LDADD) $(LIBS) 
+src/tests/cmocka/test_search_bases.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_search_bases$(EXEEXT): $(test_search_bases_OBJECTS) $(test_search_bases_DEPENDENCIES) $(EXTRA_test_search_bases_DEPENDENCIES) + @rm -f test_search_bases$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(test_search_bases_OBJECTS) $(test_search_bases_LDADD) $(LIBS) +src/tests/test_ssh_client-test_ssh_client.$(OBJEXT): \ + src/tests/$(am__dirstamp) src/tests/$(DEPDIR)/$(am__dirstamp) + +test_ssh_client$(EXEEXT): $(test_ssh_client_OBJECTS) $(test_ssh_client_DEPENDENCIES) $(EXTRA_test_ssh_client_DEPENDENCIES) + @rm -f test_ssh_client$(EXEEXT) + $(AM_V_CCLD)$(test_ssh_client_LINK) $(test_ssh_client_OBJECTS) $(test_ssh_client_LDADD) $(LIBS) +src/tests/cmocka/test_sss_idmap-test_sss_idmap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sss_idmap$(EXEEXT): $(test_sss_idmap_OBJECTS) $(test_sss_idmap_DEPENDENCIES) $(EXTRA_test_sss_idmap_DEPENDENCIES) + @rm -f test_sss_idmap$(EXEEXT) + $(AM_V_CCLD)$(test_sss_idmap_LINK) $(test_sss_idmap_OBJECTS) $(test_sss_idmap_LDADD) $(LIBS) +src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.$(OBJEXT): \ + src/krb5_plugin/$(am__dirstamp) \ + src/krb5_plugin/$(DEPDIR)/$(am__dirstamp) + +test_sssd_krb5_localauth_plugin$(EXEEXT): $(test_sssd_krb5_localauth_plugin_OBJECTS) $(test_sssd_krb5_localauth_plugin_DEPENDENCIES) $(EXTRA_test_sssd_krb5_localauth_plugin_DEPENDENCIES) + @rm -f test_sssd_krb5_localauth_plugin$(EXEEXT) + $(AM_V_CCLD)$(test_sssd_krb5_localauth_plugin_LINK) $(test_sssd_krb5_localauth_plugin_OBJECTS) $(test_sssd_krb5_localauth_plugin_LDADD) $(LIBS) +src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.$(OBJEXT): \ + 
src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.$(OBJEXT): \ + src/krb5_plugin/$(am__dirstamp) \ + src/krb5_plugin/$(DEPDIR)/$(am__dirstamp) + +test_sssd_krb5_locator_plugin$(EXEEXT): $(test_sssd_krb5_locator_plugin_OBJECTS) $(test_sssd_krb5_locator_plugin_DEPENDENCIES) $(EXTRA_test_sssd_krb5_locator_plugin_DEPENDENCIES) + @rm -f test_sssd_krb5_locator_plugin$(EXEEXT) + $(AM_V_CCLD)$(test_sssd_krb5_locator_plugin_LINK) $(test_sssd_krb5_locator_plugin_OBJECTS) $(test_sssd_krb5_locator_plugin_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_certmap$(EXEEXT): $(test_sysdb_certmap_OBJECTS) $(test_sysdb_certmap_DEPENDENCIES) $(EXTRA_test_sysdb_certmap_DEPENDENCIES) + @rm -f test_sysdb_certmap$(EXEEXT) + $(AM_V_CCLD)$(test_sysdb_certmap_LINK) $(test_sysdb_certmap_OBJECTS) $(test_sysdb_certmap_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_domain_resolution_order$(EXEEXT): $(test_sysdb_domain_resolution_order_OBJECTS) $(test_sysdb_domain_resolution_order_DEPENDENCIES) $(EXTRA_test_sysdb_domain_resolution_order_DEPENDENCIES) + @rm -f test_sysdb_domain_resolution_order$(EXEEXT) + $(AM_V_CCLD)$(test_sysdb_domain_resolution_order_LINK) $(test_sysdb_domain_resolution_order_OBJECTS) $(test_sysdb_domain_resolution_order_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_subdomains$(EXEEXT): $(test_sysdb_subdomains_OBJECTS) $(test_sysdb_subdomains_DEPENDENCIES) $(EXTRA_test_sysdb_subdomains_DEPENDENCIES) + @rm -f test_sysdb_subdomains$(EXEEXT) + 
$(AM_V_CCLD)$(test_sysdb_subdomains_LINK) $(test_sysdb_subdomains_OBJECTS) $(test_sysdb_subdomains_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_sudo$(EXEEXT): $(test_sysdb_sudo_OBJECTS) $(test_sysdb_sudo_DEPENDENCIES) $(EXTRA_test_sysdb_sudo_DEPENDENCIES) + @rm -f test_sysdb_sudo$(EXEEXT) + $(AM_V_CCLD)$(test_sysdb_sudo_LINK) $(test_sysdb_sudo_OBJECTS) $(test_sysdb_sudo_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_sysdb_ts_cache-ipa_utils.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_ts_cache$(EXEEXT): $(test_sysdb_ts_cache_OBJECTS) $(test_sysdb_ts_cache_DEPENDENCIES) $(EXTRA_test_sysdb_ts_cache_DEPENDENCIES) + @rm -f test_sysdb_ts_cache$(EXEEXT) + $(AM_V_CCLD)$(test_sysdb_ts_cache_LINK) $(test_sysdb_ts_cache_OBJECTS) $(test_sysdb_ts_cache_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_utils$(EXEEXT): $(test_sysdb_utils_OBJECTS) $(test_sysdb_utils_DEPENDENCIES) $(EXTRA_test_sysdb_utils_DEPENDENCIES) + @rm -f test_sysdb_utils$(EXEEXT) + $(AM_V_CCLD)$(test_sysdb_utils_LINK) $(test_sysdb_utils_OBJECTS) $(test_sysdb_utils_LDADD) $(LIBS) +src/tests/cmocka/test_sysdb_views-test_sysdb_views.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/providers/ipa/test_sysdb_views-ipa_utils.$(OBJEXT): \ + src/providers/ipa/$(am__dirstamp) \ + src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + +test_sysdb_views$(EXEEXT): $(test_sysdb_views_OBJECTS) $(test_sysdb_views_DEPENDENCIES) $(EXTRA_test_sysdb_views_DEPENDENCIES) + @rm -f test_sysdb_views$(EXEEXT) + 
$(AM_V_CCLD)$(test_sysdb_views_LINK) $(test_sysdb_views_OBJECTS) $(test_sysdb_views_LDADD) $(LIBS) +src/tests/cmocka/test_tools_colondb-test_tools_colondb.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tools/common/test_tools_colondb-sss_colondb.$(OBJEXT): \ + src/tools/common/$(am__dirstamp) \ + src/tools/common/$(DEPDIR)/$(am__dirstamp) + +test_tools_colondb$(EXEEXT): $(test_tools_colondb_OBJECTS) $(test_tools_colondb_DEPENDENCIES) $(EXTRA_test_tools_colondb_DEPENDENCIES) + @rm -f test_tools_colondb$(EXEEXT) + $(AM_V_CCLD)$(test_tools_colondb_LINK) $(test_tools_colondb_OBJECTS) $(test_tools_colondb_LDADD) $(LIBS) +src/tests/cmocka/test_utils-test_utils.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_utils-test_string_utils.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/tests/cmocka/test_utils-test_sss_ssh.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + +test_utils$(EXEEXT): $(test_utils_OBJECTS) $(test_utils_DEPENDENCIES) $(EXTRA_test_utils_DEPENDENCIES) + @rm -f test_utils$(EXEEXT) + $(AM_V_CCLD)$(test_utils_LINK) $(test_utils_OBJECTS) $(test_utils_LDADD) $(LIBS) +src/tests/cmocka/test_wbc_calls-test_wbc_calls.$(OBJEXT): \ + src/tests/cmocka/$(am__dirstamp) \ + src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.$(OBJEXT): \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/test_wbc_calls-wbclient_common.$(OBJEXT): \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) +src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.$(OBJEXT): \ + src/sss_client/libwbclient/$(am__dirstamp) \ + src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) 
+src/sss_client/test_wbc_calls-common.$(OBJEXT): \ + src/sss_client/$(am__dirstamp) \ + src/sss_client/$(DEPDIR)/$(am__dirstamp) + +test_wbc_calls$(EXEEXT): $(test_wbc_calls_OBJECTS) $(test_wbc_calls_DEPENDENCIES) $(EXTRA_test_wbc_calls_DEPENDENCIES) + @rm -f test_wbc_calls$(EXEEXT) + $(AM_V_CCLD)$(test_wbc_calls_LINK) $(test_wbc_calls_OBJECTS) $(test_wbc_calls_LDADD) $(LIBS) +src/tests/util_tests-util-tests.$(OBJEXT): src/tests/$(am__dirstamp) \ + src/tests/$(DEPDIR)/$(am__dirstamp) + +util-tests$(EXEEXT): $(util_tests_OBJECTS) $(util_tests_DEPENDENCIES) $(EXTRA_util_tests_DEPENDENCIES) + @rm -f util-tests$(EXEEXT) + $(AM_V_CCLD)$(util_tests_LINK) $(util_tests_OBJECTS) $(util_tests_LDADD) $(LIBS) +install-dist_sss_obfuscate_pythonSCRIPTS: $(dist_sss_obfuscate_python_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(dist_sss_obfuscate_python_SCRIPTS)'; test -n "$(sss_obfuscate_pythondir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sss_obfuscate_pythondir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sss_obfuscate_pythondir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sss_obfuscate_pythondir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sss_obfuscate_pythondir)$$dir" || exit $$?; \ + } \ + ; done + 
+uninstall-dist_sss_obfuscate_pythonSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(dist_sss_obfuscate_python_SCRIPTS)'; test -n "$(sss_obfuscate_pythondir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(sss_obfuscate_pythondir)'; $(am__uninstall_files_from_dir) +install-initSCRIPTS: $(init_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(init_SCRIPTS)'; test -n "$(initdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(initdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(initdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(initdir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(initdir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-initSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(init_SCRIPTS)'; test -n "$(initdir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(initdir)'; $(am__uninstall_files_from_dir) +install-sbinSCRIPTS: $(sbin_SCRIPTS) + @$(NORMAL_INSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in 
$$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n' \ + -e 'h;s|.*|.|' \ + -e 'p;x;s,.*/,,;$(transform)' | sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1; } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) { files[d] = files[d] " " $$1; \ + if (++n[d] == $(am__install_max)) { \ + print "f", d, files[d]; n[d] = 0; files[d] = "" } } \ + else { print "f", d "/" $$4, $$1 } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_SCRIPT) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_SCRIPT) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-sbinSCRIPTS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_SCRIPTS)'; test -n "$(sbindir)" || exit 0; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 's,.*/,,;$(transform)'`; \ + dir='$(DESTDIR)$(sbindir)'; $(am__uninstall_files_from_dir) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + -rm -f src/confdb/*.$(OBJEXT) + -rm -f src/confdb/*.lo + -rm -f src/db/*.$(OBJEXT) + -rm -f src/db/*.lo + -rm -f src/krb5_plugin/*.$(OBJEXT) + -rm -f src/krb5_plugin/*.lo + -rm -f src/ldb_modules/*.$(OBJEXT) + -rm -f src/ldb_modules/*.lo + -rm -f src/lib/certmap/*.$(OBJEXT) + -rm -f src/lib/certmap/*.lo + -rm -f src/lib/cifs_idmap_sss/*.$(OBJEXT) + -rm -f src/lib/cifs_idmap_sss/*.lo + -rm -f src/lib/idmap/*.$(OBJEXT) + -rm -f src/lib/idmap/*.lo + -rm -f src/lib/ipa_hbac/*.$(OBJEXT) + -rm -f src/lib/ipa_hbac/*.lo + -rm -f src/lib/sifp/*.$(OBJEXT) + -rm -f src/lib/sifp/*.lo + -rm -f src/lib/winbind_idmap_sss/*.$(OBJEXT) + -rm -f src/lib/winbind_idmap_sss/*.lo + -rm -f src/monitor/*.$(OBJEXT) + -rm -f src/monitor/*.lo + -rm -f src/p11_child/*.$(OBJEXT) + -rm -f src/providers/*.$(OBJEXT) + -rm -f 
src/providers/*.lo + -rm -f src/providers/ad/*.$(OBJEXT) + -rm -f src/providers/ad/*.lo + -rm -f src/providers/data_provider/*.$(OBJEXT) + -rm -f src/providers/data_provider/*.lo + -rm -f src/providers/files/*.$(OBJEXT) + -rm -f src/providers/files/*.lo + -rm -f src/providers/ipa/*.$(OBJEXT) + -rm -f src/providers/ipa/*.lo + -rm -f src/providers/krb5/*.$(OBJEXT) + -rm -f src/providers/krb5/*.lo + -rm -f src/providers/ldap/*.$(OBJEXT) + -rm -f src/providers/ldap/*.lo + -rm -f src/providers/proxy/*.$(OBJEXT) + -rm -f src/providers/proxy/*.lo + -rm -f src/providers/simple/*.$(OBJEXT) + -rm -f src/providers/simple/*.lo + -rm -f src/python/*.$(OBJEXT) + -rm -f src/python/*.lo + -rm -f src/resolv/*.$(OBJEXT) + -rm -f src/resolv/*.lo + -rm -f src/responder/autofs/*.$(OBJEXT) + -rm -f src/responder/common/*.$(OBJEXT) + -rm -f src/responder/common/cache_req/*.$(OBJEXT) + -rm -f src/responder/common/cache_req/plugins/*.$(OBJEXT) + -rm -f src/responder/common/data_provider/*.$(OBJEXT) + -rm -f src/responder/common/iface/*.$(OBJEXT) + -rm -f src/responder/ifp/*.$(OBJEXT) + -rm -f src/responder/kcm/*.$(OBJEXT) + -rm -f src/responder/nss/*.$(OBJEXT) + -rm -f src/responder/pac/*.$(OBJEXT) + -rm -f src/responder/pam/*.$(OBJEXT) + -rm -f src/responder/secrets/*.$(OBJEXT) + -rm -f src/responder/ssh/*.$(OBJEXT) + -rm -f src/responder/sudo/*.$(OBJEXT) + -rm -f src/sbus/*.$(OBJEXT) + -rm -f src/sbus/*.lo + -rm -f src/sss_client/*.$(OBJEXT) + -rm -f src/sss_client/*.lo + -rm -f src/sss_client/autofs/*.$(OBJEXT) + -rm -f src/sss_client/autofs/*.lo + -rm -f src/sss_client/idmap/*.$(OBJEXT) + -rm -f src/sss_client/idmap/*.lo + -rm -f src/sss_client/libwbclient/*.$(OBJEXT) + -rm -f src/sss_client/libwbclient/*.lo + -rm -f src/sss_client/nfs/*.$(OBJEXT) + -rm -f src/sss_client/nfs/*.lo + -rm -f src/sss_client/ssh/*.$(OBJEXT) + -rm -f src/sss_client/sudo/*.$(OBJEXT) + -rm -f src/sss_client/sudo/*.lo + -rm -f src/sss_client/sudo_testcli/*.$(OBJEXT) + -rm -f src/tests/*.$(OBJEXT) + -rm -f 
src/tests/*.lo + -rm -f src/tests/cmocka/*.$(OBJEXT) + -rm -f src/tests/cmocka/*.lo + -rm -f src/tests/cmocka/data_provider/*.$(OBJEXT) + -rm -f src/tools/*.$(OBJEXT) + -rm -f src/tools/*.lo + -rm -f src/tools/common/*.$(OBJEXT) + -rm -f src/tools/common/*.lo + -rm -f src/tools/sssctl/*.$(OBJEXT) + -rm -f src/util/*.$(OBJEXT) + -rm -f src/util/*.lo + -rm -f src/util/cert/*.$(OBJEXT) + -rm -f src/util/cert/*.lo + -rm -f src/util/cert/libcrypto/*.$(OBJEXT) + -rm -f src/util/cert/libcrypto/*.lo + -rm -f src/util/cert/nss/*.$(OBJEXT) + -rm -f src/util/cert/nss/*.lo + -rm -f src/util/crypto/*.$(OBJEXT) + -rm -f src/util/crypto/*.lo + -rm -f src/util/crypto/libcrypto/*.$(OBJEXT) + -rm -f src/util/crypto/libcrypto/*.lo + -rm -f src/util/crypto/nss/*.$(OBJEXT) + -rm -f src/util/crypto/nss/*.lo + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/_py2sss_la-confdb_setup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/_py3sss_la-confdb_setup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/libsss_util_la-confdb.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sss_override-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/confdb/$(DEPDIR)/sssctl-confdb_setup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb.Plo@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_certmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_domain_resolution_order.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_gpo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_ranges.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_search.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_services.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_ssh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_subdomains.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_upgrade.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/db/$(DEPDIR)/libsss_util_la-sysdb_views.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/krb5_plugin/$(DEPDIR)/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/krb5_plugin/$(DEPDIR)/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/ldb_modules/$(DEPDIR)/memberof_la-memberof.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_crypto.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_nss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_attr_names.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_krb5_match.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_ldap_mapping.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/cifs_idmap_sss/$(DEPDIR)/cifs_idmap_sss_la-cifs_idmap_sss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/idmap/$(DEPDIR)/sss_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/idmap/$(DEPDIR)/sss_idmap_conv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/ipa_hbac/$(DEPDIR)/libipa_hbac_la-hbac_evaluator.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_attrs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_dbus.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_parser.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/winbind_idmap_sss/$(DEPDIR)/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/lib/winbind_idmap_sss/$(DEPDIR)/winbind_idmap_sss_la-winbind_idmap_sss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/libdlopen_test_providers_la-monitor_iface_generated.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/libsss_util_la-monitor_sbus.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/monitor.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/monitor_netlink.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/be_dyndns.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/be_ptask.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/be_refresh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/data_provider_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/data_provider_callbacks.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/data_provider_fo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/fail_over.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/fail_over_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/fail_over_tests-fail_over.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_child_test-fail_over.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_dyndns.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_ptask.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_refresh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_be.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_callbacks.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_fo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_req.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over_srv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libsss_util_la-dp_auth_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/libsss_util_la-dp_pam_data_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/test_fo_srv-fail_over.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/$(DEPDIR)/test_negcache-data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_domain_info.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_dyndns.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo_ndr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_machine_pw_renewal.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_srv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_subdomains.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_domain_info.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_dyndns.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo_ndr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_machine_pw_renewal.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_srv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_subdomains.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_domain_info.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_dyndns.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_srv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_builtin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_iface_backend.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_iface_failover.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_methods.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/data_provider/$(DEPDIR)/dp_modules.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_reply_std.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_request.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_request_reply.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_request_table.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_resp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_target_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_target_autofs.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_target_hostid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_target_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_target_subdomains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_target_sudo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/dp_targets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_builtin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_client.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_backend.Plo@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_failover.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_generated.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_methods.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_modules.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_reply_std.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_reply.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_table.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_resp_client.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_hostid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_subdomains.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_targets.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/libsss_util_la-dp_sbus.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/files/$(DEPDIR)/libsss_files_la-files_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/files/$(DEPDIR)/libsss_files_la-files_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/files/$(DEPDIR)/libsss_files_la-files_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/ipa_dn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_config.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_config.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dn.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dyndns.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_hosts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_rules.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_services.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_users.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hostid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hosts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_netgroups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_rules_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_s2n_exop.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux_maps.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_session.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_srv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_ext_groups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_async.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_conversion.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_refresh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_views.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/libsss_ldap_common_la-ipa_dn.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_ccache.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_child_handler.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_delayed_online_authentication.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_init_shared.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_renew_tgt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_wait_queue.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/libsss_krb5_la-krb5_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_cleanup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_enum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_netgroup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_services.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_options.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_opts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ad_groups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_connection.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_enum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups_ad.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_hosts.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups_ad.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_nested_groups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_netgroups.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_services.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo_hostinfo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_users.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_certmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_child_helpers.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_domain.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_dyndns.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_fd_events.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_hostid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_id_op.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_online_check.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_range.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_refresh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_reinit.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_refresh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_shared.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_auth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_client.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_id.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_iface_generated.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_init.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_netgroup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_services.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access_check.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py2hbac_la-pyhbac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py2sss_la-pysss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py2sss_murmur_la-pysss_murmur.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py2sss_nss_idmap_la-pysss_nss_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py3hbac_la-pyhbac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py3sss_la-pysss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/python/$(DEPDIR)/_py3sss_murmur_la-pysss_murmur.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/python/$(DEPDIR)/_py3sss_nss_idmap_la-pysss_nss_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/async_resolv_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/autofs/$(DEPDIR)/autofssrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/autofs/$(DEPDIR)/autofssrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/autofs/$(DEPDIR)/autofssrv_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ifp_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_initgroups_by_name.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_enum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_get_object.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_protocol.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_protocol_grent.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_protocol_netgr.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_protocol_pwent.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_protocol_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_protocol_svcent.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nss_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nsssrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/nss/$(DEPDIR)/nsssrv_mmap_cache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/responder/pam/$(DEPDIR)/pam_LOCAL_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pam_helpers.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pamsrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pamsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pamsrv_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/pam/$(DEPDIR)/pamsrv_p11.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/secrets/$(DEPDIR)/local.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/secrets/$(DEPDIR)/providers.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/secrets/$(DEPDIR)/proxy.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/secrets/$(DEPDIR)/secsrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/secrets/$(DEPDIR)/secsrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_known_hosts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_protocol.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_reply.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/ssh/$(DEPDIR)/sshsrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/sudo/$(DEPDIR)/sudosrv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/sudo/$(DEPDIR)/sudosrv_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/sudo/$(DEPDIR)/sudosrv_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/sudo/$(DEPDIR)/sudosrv_get_sudorules.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/responder/sudo/$(DEPDIR)/sudosrv_query.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sbus_client.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common_signals.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_connection.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_interface.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_introspect.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_invokers.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_meta.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_properties.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_request.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_signals.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/autofs_test_client-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/krb5_child-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_group.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_mc_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_mc_group.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_mc_initgr.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_mc_passwd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_netgroup.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_passwd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/nss_services.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/pam_message.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/pam_sss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_cache-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_groupdel-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_groupmod-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/sss_client/$(DEPDIR)/sss_la-common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_la-nss_mc_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_la-nss_mc_group.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_la-nss_mc_passwd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_userdel-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sss_usermod-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_passwd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_passwd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-sssd_pac.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/$(DEPDIR)/test_wbc_calls-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/autofs/$(DEPDIR)/sss_autofs.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/idmap/$(DEPDIR)/common_ex.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/idmap/$(DEPDIR)/sss_nss_ex.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/idmap/$(DEPDIR)/sss_nss_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_ctx_sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_guid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_idmap_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_idmap_sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_pam_sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_pwd_sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_sid_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_sid_sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_util_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbc_util_sssd.Plo@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbclient_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/libwbclient/$(DEPDIR)/wbclient_sssd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/nfs/$(DEPDIR)/sss_la-sss_nfs_client.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/sudo/$(DEPDIR)/sss_sudo.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/sudo/$(DEPDIR)/sss_sudo_response.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/auth_tests-auth-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/common_check.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/common_dom.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/common_tev.Plo@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/debug_tests-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/debug_tests-debug-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/files_tests-files-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/leak_check.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/resolv_tests-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sbus_tests-common_dbus.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/stress-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/test_io-common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/$(DEPDIR)/util_tests-util-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tests/cmocka/$(DEPDIR)/dummy_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ad_access_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_expire_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_io-test_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_dn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ldap_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_ldap_id_cleanup.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sdap_access.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_search_bases.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/_py2sss_la-sss_sync_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/_py2sss_la-tools_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/_py3sss_la-sss_sync_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/_py3sss_la-tools_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_cache-sss_cache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_cache-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupadd.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupdel-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupmod-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_groupshow.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_override-sss_override.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_override-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_seed.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_signal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_useradd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_userdel-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sss_usermod-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sssctl-tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/$(DEPDIR)/tools_util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/_py2sss_la-sss_process.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/_py2sss_la-sss_tools.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/_py3sss_la-sss_process.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/_py3sss_la-sss_tools.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_cache-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_override-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/tools/common/$(DEPDIR)/sss_override-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sssctl-sss_process.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/sssctl-sss_tools.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/_py2hbac_la-sss_python.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/_py2sss_la-nscd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/_py2sss_murmur_la-murmurhash3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/_py3hbac_la-sss_python.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/_py3sss_la-nscd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/_py3sss_murmur_la-murmurhash3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ad_common_tests-become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/atomic_io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/authtok-utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/child_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/debug.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/files_tests-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/files_tests-check_and_open.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/files_tests-files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/files_tests-selinux.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/find_uid_tests-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/find_uid_tests-find_uid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/find_uid_tests-strtonum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/gpo_child-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/gpo_child-signal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/gpo_child-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/gpo_child-util_ext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ifp_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/inotify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-authtok-utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-authtok.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-find_uid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-signal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-strtonum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-user_info_msg.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-util_errors.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child-util_ext.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child_test-become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_utils_tests-become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-authtok-utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-authtok.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-signal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ldap_child-util_ext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libdlopen_test_providers_la-session_recording.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libipa_hbac_la-sss_utf8.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_certmap_la-util_ext.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_crypt_la-atomic_io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_files_la-inotify.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/libsss_krb5_common_la-become_user.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_krb5_common_la-sss_iobuf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_krb5_common_la-sss_krb5.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_ldap_common_la-sss_ldap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_ldap_common_la-sss_sockets.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_ldap_common_la-user_info_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_semanage_la-sss_semanage.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-atomic_io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-authtok-utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-authtok.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-backup_file.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-become_user.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-check_and_open.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-domain_info_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-files.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-find_uid.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-memory.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-murmurhash3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-refcount.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/libsss_util_la-safe-format-string.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-signal.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_ini.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_nss.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_ptr_hash.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_ssh.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_tc_utf8.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-sss_utf8.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-string_utils.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-strtonum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-usertools.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-util_errors.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-util_ext.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-util_lock.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-util_preauth.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-util_sss_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/libsss_util_la-util_watchdog.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/libsss_util_la-well_known_sids.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/memberof_la-util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/memberof_la-util_ext.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/murmurhash3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/nss_srv_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/p11_child-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/p11_child-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/p11_child-util_ext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/pam_srv_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sdap_tests-sss_ldap.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sdap_tests-sss_sockets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/selinux_child-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/selinux_child-sss_semanage.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/selinux_child-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/selinux_child-util_errors.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/selinux_child-util_ext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_cache-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_cli_cmd.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_groupdel-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_groupmod-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_la-io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_la-murmurhash3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_log.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_override-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_sockets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_userdel-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sss_usermod-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssctl-nscd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_ifp-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_kcm-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_kcm-tev_curl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-murmurhash3.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_krb5_locator_plugin_la-atomic_io.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_pac-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/strtonum.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/strtonum_tests-strtonum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_authtok-authtok-utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_authtok-authtok.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_authtok-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_authtok-util_ext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_child_common-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_child_common-child_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_child_common-signal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_child_common-util.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_child_common-util_errors.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/$(DEPDIR)/test_child_common-util_ext.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_find_uid-atomic_io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_find_uid-find_uid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_find_uid-strtonum.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_inotify-inotify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_io-io.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/test_negcache-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/tev_curl.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/$(DEPDIR)/winbind_idmap_sss_la-util_sss_idmap.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common_p11_child.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/$(DEPDIR)/libsss_certmap_la-cert_common.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/libcrypto/$(DEPDIR)/libsss_cert_la-cert.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/libcrypto/$(DEPDIR)/libsss_certmap_la-cert.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/nss/$(DEPDIR)/libsss_cert_la-cert.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/cert/nss/$(DEPDIR)/libsss_certmap_la-cert.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/$(DEPDIR)/libsss_crypt_la-sss_crypto.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/libcrypto/$(DEPDIR)/libsss_certmap_la-crypto_base64.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_base64.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_hmac_sha1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_nite.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_obfuscate.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_sha512crypt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_base64.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_base64.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_hmac_sha1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_nite.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_obfuscate.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_sha512crypt.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_util.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' 
libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +src/python/_py2hbac_la-pyhbac.lo: src/python/pyhbac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2hbac_la_CFLAGS) $(CFLAGS) -MT src/python/_py2hbac_la-pyhbac.lo -MD -MP -MF src/python/$(DEPDIR)/_py2hbac_la-pyhbac.Tpo -c -o src/python/_py2hbac_la-pyhbac.lo `test -f 'src/python/pyhbac.c' || echo '$(srcdir)/'`src/python/pyhbac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py2hbac_la-pyhbac.Tpo src/python/$(DEPDIR)/_py2hbac_la-pyhbac.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pyhbac.c' object='src/python/_py2hbac_la-pyhbac.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2hbac_la_CFLAGS) $(CFLAGS) -c -o src/python/_py2hbac_la-pyhbac.lo `test -f 'src/python/pyhbac.c' || echo '$(srcdir)/'`src/python/pyhbac.c + +src/util/_py2hbac_la-sss_python.lo: src/util/sss_python.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2hbac_la_CFLAGS) $(CFLAGS) -MT src/util/_py2hbac_la-sss_python.lo -MD -MP -MF src/util/$(DEPDIR)/_py2hbac_la-sss_python.Tpo -c -o src/util/_py2hbac_la-sss_python.lo `test -f 'src/util/sss_python.c' || echo '$(srcdir)/'`src/util/sss_python.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/_py2hbac_la-sss_python.Tpo 
src/util/$(DEPDIR)/_py2hbac_la-sss_python.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_python.c' object='src/util/_py2hbac_la-sss_python.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2hbac_la_CFLAGS) $(CFLAGS) -c -o src/util/_py2hbac_la-sss_python.lo `test -f 'src/util/sss_python.c' || echo '$(srcdir)/'`src/util/sss_python.c + +src/tools/_py2sss_la-sss_sync_ops.lo: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/tools/_py2sss_la-sss_sync_ops.lo -MD -MP -MF src/tools/$(DEPDIR)/_py2sss_la-sss_sync_ops.Tpo -c -o src/tools/_py2sss_la-sss_sync_ops.lo `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/_py2sss_la-sss_sync_ops.Tpo src/tools/$(DEPDIR)/_py2sss_la-sss_sync_ops.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/_py2sss_la-sss_sync_ops.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/_py2sss_la-sss_sync_ops.lo `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/_py2sss_la-tools_util.lo: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) 
--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/tools/_py2sss_la-tools_util.lo -MD -MP -MF src/tools/$(DEPDIR)/_py2sss_la-tools_util.Tpo -c -o src/tools/_py2sss_la-tools_util.lo `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/_py2sss_la-tools_util.Tpo src/tools/$(DEPDIR)/_py2sss_la-tools_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/_py2sss_la-tools_util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/_py2sss_la-tools_util.lo `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/common/_py2sss_la-sss_tools.lo: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/tools/common/_py2sss_la-sss_tools.lo -MD -MP -MF src/tools/common/$(DEPDIR)/_py2sss_la-sss_tools.Tpo -c -o src/tools/common/_py2sss_la-sss_tools.lo `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/_py2sss_la-sss_tools.Tpo src/tools/common/$(DEPDIR)/_py2sss_la-sss_tools.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/_py2sss_la-sss_tools.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/common/_py2sss_la-sss_tools.lo `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/_py2sss_la-sss_process.lo: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/tools/common/_py2sss_la-sss_process.lo -MD -MP -MF src/tools/common/$(DEPDIR)/_py2sss_la-sss_process.Tpo -c -o src/tools/common/_py2sss_la-sss_process.lo `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/_py2sss_la-sss_process.Tpo src/tools/common/$(DEPDIR)/_py2sss_la-sss_process.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/_py2sss_la-sss_process.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/common/_py2sss_la-sss_process.lo `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/confdb/_py2sss_la-confdb_setup.lo: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/confdb/_py2sss_la-confdb_setup.lo -MD -MP -MF src/confdb/$(DEPDIR)/_py2sss_la-confdb_setup.Tpo -c -o src/confdb/_py2sss_la-confdb_setup.lo `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/_py2sss_la-confdb_setup.Tpo src/confdb/$(DEPDIR)/_py2sss_la-confdb_setup.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/_py2sss_la-confdb_setup.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/confdb/_py2sss_la-confdb_setup.lo `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/util/_py2sss_la-nscd.lo: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/util/_py2sss_la-nscd.lo -MD -MP -MF src/util/$(DEPDIR)/_py2sss_la-nscd.Tpo -c -o src/util/_py2sss_la-nscd.lo `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/_py2sss_la-nscd.Tpo src/util/$(DEPDIR)/_py2sss_la-nscd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/_py2sss_la-nscd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/util/_py2sss_la-nscd.lo `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/python/_py2sss_la-pysss.lo: src/python/pysss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -MT src/python/_py2sss_la-pysss.lo -MD -MP -MF src/python/$(DEPDIR)/_py2sss_la-pysss.Tpo -c -o src/python/_py2sss_la-pysss.lo `test -f 'src/python/pysss.c' || echo '$(srcdir)/'`src/python/pysss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py2sss_la-pysss.Tpo src/python/$(DEPDIR)/_py2sss_la-pysss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pysss.c' object='src/python/_py2sss_la-pysss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_la_CFLAGS) $(CFLAGS) -c -o src/python/_py2sss_la-pysss.lo `test -f 'src/python/pysss.c' || echo '$(srcdir)/'`src/python/pysss.c + +src/python/_py2sss_murmur_la-pysss_murmur.lo: src/python/pysss_murmur.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_murmur_la_CFLAGS) $(CFLAGS) -MT src/python/_py2sss_murmur_la-pysss_murmur.lo -MD -MP -MF src/python/$(DEPDIR)/_py2sss_murmur_la-pysss_murmur.Tpo -c -o src/python/_py2sss_murmur_la-pysss_murmur.lo `test -f 'src/python/pysss_murmur.c' || echo '$(srcdir)/'`src/python/pysss_murmur.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py2sss_murmur_la-pysss_murmur.Tpo 
src/python/$(DEPDIR)/_py2sss_murmur_la-pysss_murmur.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pysss_murmur.c' object='src/python/_py2sss_murmur_la-pysss_murmur.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_murmur_la_CFLAGS) $(CFLAGS) -c -o src/python/_py2sss_murmur_la-pysss_murmur.lo `test -f 'src/python/pysss_murmur.c' || echo '$(srcdir)/'`src/python/pysss_murmur.c + +src/util/_py2sss_murmur_la-murmurhash3.lo: src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_murmur_la_CFLAGS) $(CFLAGS) -MT src/util/_py2sss_murmur_la-murmurhash3.lo -MD -MP -MF src/util/$(DEPDIR)/_py2sss_murmur_la-murmurhash3.Tpo -c -o src/util/_py2sss_murmur_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/_py2sss_murmur_la-murmurhash3.Tpo src/util/$(DEPDIR)/_py2sss_murmur_la-murmurhash3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/murmurhash3.c' object='src/util/_py2sss_murmur_la-murmurhash3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_murmur_la_CFLAGS) $(CFLAGS) -c -o src/util/_py2sss_murmur_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c + 
+src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo: src/python/pysss_nss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_nss_idmap_la_CFLAGS) $(CFLAGS) -MT src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo -MD -MP -MF src/python/$(DEPDIR)/_py2sss_nss_idmap_la-pysss_nss_idmap.Tpo -c -o src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo `test -f 'src/python/pysss_nss_idmap.c' || echo '$(srcdir)/'`src/python/pysss_nss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py2sss_nss_idmap_la-pysss_nss_idmap.Tpo src/python/$(DEPDIR)/_py2sss_nss_idmap_la-pysss_nss_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pysss_nss_idmap.c' object='src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py2sss_nss_idmap_la_CFLAGS) $(CFLAGS) -c -o src/python/_py2sss_nss_idmap_la-pysss_nss_idmap.lo `test -f 'src/python/pysss_nss_idmap.c' || echo '$(srcdir)/'`src/python/pysss_nss_idmap.c + +src/python/_py3hbac_la-pyhbac.lo: src/python/pyhbac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3hbac_la_CFLAGS) $(CFLAGS) -MT src/python/_py3hbac_la-pyhbac.lo -MD -MP -MF src/python/$(DEPDIR)/_py3hbac_la-pyhbac.Tpo -c -o src/python/_py3hbac_la-pyhbac.lo `test -f 'src/python/pyhbac.c' || echo '$(srcdir)/'`src/python/pyhbac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py3hbac_la-pyhbac.Tpo 
src/python/$(DEPDIR)/_py3hbac_la-pyhbac.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pyhbac.c' object='src/python/_py3hbac_la-pyhbac.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3hbac_la_CFLAGS) $(CFLAGS) -c -o src/python/_py3hbac_la-pyhbac.lo `test -f 'src/python/pyhbac.c' || echo '$(srcdir)/'`src/python/pyhbac.c + +src/util/_py3hbac_la-sss_python.lo: src/util/sss_python.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3hbac_la_CFLAGS) $(CFLAGS) -MT src/util/_py3hbac_la-sss_python.lo -MD -MP -MF src/util/$(DEPDIR)/_py3hbac_la-sss_python.Tpo -c -o src/util/_py3hbac_la-sss_python.lo `test -f 'src/util/sss_python.c' || echo '$(srcdir)/'`src/util/sss_python.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/_py3hbac_la-sss_python.Tpo src/util/$(DEPDIR)/_py3hbac_la-sss_python.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_python.c' object='src/util/_py3hbac_la-sss_python.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3hbac_la_CFLAGS) $(CFLAGS) -c -o src/util/_py3hbac_la-sss_python.lo `test -f 'src/util/sss_python.c' || echo '$(srcdir)/'`src/util/sss_python.c + +src/tools/_py3sss_la-sss_sync_ops.lo: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/tools/_py3sss_la-sss_sync_ops.lo -MD -MP -MF src/tools/$(DEPDIR)/_py3sss_la-sss_sync_ops.Tpo -c -o src/tools/_py3sss_la-sss_sync_ops.lo `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/_py3sss_la-sss_sync_ops.Tpo src/tools/$(DEPDIR)/_py3sss_la-sss_sync_ops.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/_py3sss_la-sss_sync_ops.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/_py3sss_la-sss_sync_ops.lo `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/_py3sss_la-tools_util.lo: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/tools/_py3sss_la-tools_util.lo -MD -MP -MF src/tools/$(DEPDIR)/_py3sss_la-tools_util.Tpo -c -o src/tools/_py3sss_la-tools_util.lo `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/_py3sss_la-tools_util.Tpo src/tools/$(DEPDIR)/_py3sss_la-tools_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/_py3sss_la-tools_util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/_py3sss_la-tools_util.lo `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/common/_py3sss_la-sss_tools.lo: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/tools/common/_py3sss_la-sss_tools.lo -MD -MP -MF src/tools/common/$(DEPDIR)/_py3sss_la-sss_tools.Tpo -c -o src/tools/common/_py3sss_la-sss_tools.lo `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/_py3sss_la-sss_tools.Tpo src/tools/common/$(DEPDIR)/_py3sss_la-sss_tools.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/_py3sss_la-sss_tools.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/common/_py3sss_la-sss_tools.lo `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/_py3sss_la-sss_process.lo: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/tools/common/_py3sss_la-sss_process.lo -MD -MP -MF 
src/tools/common/$(DEPDIR)/_py3sss_la-sss_process.Tpo -c -o src/tools/common/_py3sss_la-sss_process.lo `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/_py3sss_la-sss_process.Tpo src/tools/common/$(DEPDIR)/_py3sss_la-sss_process.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/_py3sss_la-sss_process.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/tools/common/_py3sss_la-sss_process.lo `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/confdb/_py3sss_la-confdb_setup.lo: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/confdb/_py3sss_la-confdb_setup.lo -MD -MP -MF src/confdb/$(DEPDIR)/_py3sss_la-confdb_setup.Tpo -c -o src/confdb/_py3sss_la-confdb_setup.lo `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/_py3sss_la-confdb_setup.Tpo src/confdb/$(DEPDIR)/_py3sss_la-confdb_setup.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/_py3sss_la-confdb_setup.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/confdb/_py3sss_la-confdb_setup.lo `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/util/_py3sss_la-nscd.lo: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/util/_py3sss_la-nscd.lo -MD -MP -MF src/util/$(DEPDIR)/_py3sss_la-nscd.Tpo -c -o src/util/_py3sss_la-nscd.lo `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/_py3sss_la-nscd.Tpo src/util/$(DEPDIR)/_py3sss_la-nscd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/_py3sss_la-nscd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/util/_py3sss_la-nscd.lo `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/python/_py3sss_la-pysss.lo: src/python/pysss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -MT src/python/_py3sss_la-pysss.lo -MD -MP -MF src/python/$(DEPDIR)/_py3sss_la-pysss.Tpo -c -o src/python/_py3sss_la-pysss.lo `test -f 'src/python/pysss.c' || echo '$(srcdir)/'`src/python/pysss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py3sss_la-pysss.Tpo src/python/$(DEPDIR)/_py3sss_la-pysss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/python/pysss.c' object='src/python/_py3sss_la-pysss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_la_CFLAGS) $(CFLAGS) -c -o src/python/_py3sss_la-pysss.lo `test -f 'src/python/pysss.c' || echo '$(srcdir)/'`src/python/pysss.c + +src/python/_py3sss_murmur_la-pysss_murmur.lo: src/python/pysss_murmur.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_murmur_la_CFLAGS) $(CFLAGS) -MT src/python/_py3sss_murmur_la-pysss_murmur.lo -MD -MP -MF src/python/$(DEPDIR)/_py3sss_murmur_la-pysss_murmur.Tpo -c -o src/python/_py3sss_murmur_la-pysss_murmur.lo `test -f 'src/python/pysss_murmur.c' || echo '$(srcdir)/'`src/python/pysss_murmur.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py3sss_murmur_la-pysss_murmur.Tpo src/python/$(DEPDIR)/_py3sss_murmur_la-pysss_murmur.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pysss_murmur.c' object='src/python/_py3sss_murmur_la-pysss_murmur.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_murmur_la_CFLAGS) $(CFLAGS) -c -o src/python/_py3sss_murmur_la-pysss_murmur.lo `test -f 'src/python/pysss_murmur.c' || echo '$(srcdir)/'`src/python/pysss_murmur.c + +src/util/_py3sss_murmur_la-murmurhash3.lo: src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_murmur_la_CFLAGS) $(CFLAGS) -MT src/util/_py3sss_murmur_la-murmurhash3.lo -MD -MP -MF src/util/$(DEPDIR)/_py3sss_murmur_la-murmurhash3.Tpo -c -o src/util/_py3sss_murmur_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/_py3sss_murmur_la-murmurhash3.Tpo src/util/$(DEPDIR)/_py3sss_murmur_la-murmurhash3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/murmurhash3.c' object='src/util/_py3sss_murmur_la-murmurhash3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_murmur_la_CFLAGS) $(CFLAGS) -c -o src/util/_py3sss_murmur_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c + +src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo: src/python/pysss_nss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_nss_idmap_la_CFLAGS) $(CFLAGS) -MT src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo -MD -MP -MF src/python/$(DEPDIR)/_py3sss_nss_idmap_la-pysss_nss_idmap.Tpo -c -o src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo `test -f 'src/python/pysss_nss_idmap.c' || echo '$(srcdir)/'`src/python/pysss_nss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/python/$(DEPDIR)/_py3sss_nss_idmap_la-pysss_nss_idmap.Tpo src/python/$(DEPDIR)/_py3sss_nss_idmap_la-pysss_nss_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/python/pysss_nss_idmap.c' 
object='src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(_py3sss_nss_idmap_la_CFLAGS) $(CFLAGS) -c -o src/python/_py3sss_nss_idmap_la-pysss_nss_idmap.lo `test -f 'src/python/pysss_nss_idmap.c' || echo '$(srcdir)/'`src/python/pysss_nss_idmap.c + +src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo: src/lib/cifs_idmap_sss/cifs_idmap_sss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cifs_idmap_sss_la_CFLAGS) $(CFLAGS) -MT src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo -MD -MP -MF src/lib/cifs_idmap_sss/$(DEPDIR)/cifs_idmap_sss_la-cifs_idmap_sss.Tpo -c -o src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo `test -f 'src/lib/cifs_idmap_sss/cifs_idmap_sss.c' || echo '$(srcdir)/'`src/lib/cifs_idmap_sss/cifs_idmap_sss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/cifs_idmap_sss/$(DEPDIR)/cifs_idmap_sss_la-cifs_idmap_sss.Tpo src/lib/cifs_idmap_sss/$(DEPDIR)/cifs_idmap_sss_la-cifs_idmap_sss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/cifs_idmap_sss/cifs_idmap_sss.c' object='src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(cifs_idmap_sss_la_CFLAGS) $(CFLAGS) -c -o src/lib/cifs_idmap_sss/cifs_idmap_sss_la-cifs_idmap_sss.lo `test -f 
'src/lib/cifs_idmap_sss/cifs_idmap_sss.c' || echo '$(srcdir)/'`src/lib/cifs_idmap_sss/cifs_idmap_sss.c + +src/providers/libdlopen_test_providers_la-data_provider_be.lo: src/providers/data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-data_provider_be.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_be.Tpo -c -o src/providers/libdlopen_test_providers_la-data_provider_be.lo `test -f 'src/providers/data_provider_be.c' || echo '$(srcdir)/'`src/providers/data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_be.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_be.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_be.c' object='src/providers/libdlopen_test_providers_la-data_provider_be.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-data_provider_be.lo `test -f 'src/providers/data_provider_be.c' || echo '$(srcdir)/'`src/providers/data_provider_be.c + +src/providers/libdlopen_test_providers_la-data_provider_req.lo: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT 
src/providers/libdlopen_test_providers_la-data_provider_req.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_req.Tpo -c -o src/providers/libdlopen_test_providers_la-data_provider_req.lo `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_req.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_req.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/libdlopen_test_providers_la-data_provider_req.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-data_provider_req.lo `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c + +src/providers/libdlopen_test_providers_la-data_provider_fo.lo: src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-data_provider_fo.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_fo.Tpo -c -o src/providers/libdlopen_test_providers_la-data_provider_fo.lo `test -f 'src/providers/data_provider_fo.c' || echo '$(srcdir)/'`src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_fo.Tpo 
src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_fo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_fo.c' object='src/providers/libdlopen_test_providers_la-data_provider_fo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-data_provider_fo.lo `test -f 'src/providers/data_provider_fo.c' || echo '$(srcdir)/'`src/providers/data_provider_fo.c + +src/providers/libdlopen_test_providers_la-data_provider_opts.lo: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-data_provider_opts.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_opts.Tpo -c -o src/providers/libdlopen_test_providers_la-data_provider_opts.lo `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_opts.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_opts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/libdlopen_test_providers_la-data_provider_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-data_provider_opts.lo `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo: src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_callbacks.Tpo -c -o src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo `test -f 'src/providers/data_provider_callbacks.c' || echo '$(srcdir)/'`src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_callbacks.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-data_provider_callbacks.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_callbacks.c' object='src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-data_provider_callbacks.lo `test -f 'src/providers/data_provider_callbacks.c' || echo '$(srcdir)/'`src/providers/data_provider_callbacks.c + 
+src/providers/libdlopen_test_providers_la-be_dyndns.lo: src/providers/be_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-be_dyndns.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_dyndns.Tpo -c -o src/providers/libdlopen_test_providers_la-be_dyndns.lo `test -f 'src/providers/be_dyndns.c' || echo '$(srcdir)/'`src/providers/be_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_dyndns.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_dyndns.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/be_dyndns.c' object='src/providers/libdlopen_test_providers_la-be_dyndns.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-be_dyndns.lo `test -f 'src/providers/be_dyndns.c' || echo '$(srcdir)/'`src/providers/be_dyndns.c + +src/providers/libdlopen_test_providers_la-be_ptask.lo: src/providers/be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-be_ptask.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_ptask.Tpo -c -o src/providers/libdlopen_test_providers_la-be_ptask.lo `test -f 'src/providers/be_ptask.c' || echo 
'$(srcdir)/'`src/providers/be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_ptask.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_ptask.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/be_ptask.c' object='src/providers/libdlopen_test_providers_la-be_ptask.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-be_ptask.lo `test -f 'src/providers/be_ptask.c' || echo '$(srcdir)/'`src/providers/be_ptask.c + +src/providers/libdlopen_test_providers_la-be_refresh.lo: src/providers/be_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-be_refresh.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_refresh.Tpo -c -o src/providers/libdlopen_test_providers_la-be_refresh.lo `test -f 'src/providers/be_refresh.c' || echo '$(srcdir)/'`src/providers/be_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_refresh.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-be_refresh.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/be_refresh.c' object='src/providers/libdlopen_test_providers_la-be_refresh.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-be_refresh.lo `test -f 'src/providers/be_refresh.c' || echo '$(srcdir)/'`src/providers/be_refresh.c + +src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo -MD -MP -MF src/monitor/$(DEPDIR)/libdlopen_test_providers_la-monitor_iface_generated.Tpo -c -o src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/libdlopen_test_providers_la-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/libdlopen_test_providers_la-monitor_iface_generated.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/monitor/libdlopen_test_providers_la-monitor_iface_generated.lo `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c + +src/providers/data_provider/libdlopen_test_providers_la-dp.lo: 
src/providers/data_provider/dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp.lo `test -f 'src/providers/data_provider/dp.c' || echo '$(srcdir)/'`src/providers/data_provider/dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp.lo `test -f 'src/providers/data_provider/dp.c' || echo '$(srcdir)/'`src/providers/data_provider/dp.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo: src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_modules.Tpo -c -o 
src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo `test -f 'src/providers/data_provider/dp_modules.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_modules.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_modules.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_modules.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_modules.lo `test -f 'src/providers/data_provider/dp_modules.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_modules.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo: src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_targets.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo `test -f 'src/providers/data_provider/dp_targets.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_targets.Tpo 
src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_targets.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_targets.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_targets.lo `test -f 'src/providers/data_provider/dp_targets.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_targets.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo: src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_methods.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo `test -f 'src/providers/data_provider/dp_methods.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_methods.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_methods.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_methods.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_methods.lo `test -f 'src/providers/data_provider/dp_methods.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_methods.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo: src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_builtin.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo `test -f 'src/providers/data_provider/dp_builtin.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_builtin.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_builtin.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_builtin.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_builtin.lo `test 
-f 'src/providers/data_provider/dp_builtin.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_builtin.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo: src/providers/data_provider/dp_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo `test -f 'src/providers/data_provider/dp_iface.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_iface.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface.lo `test -f 'src/providers/data_provider/dp_iface.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo: src/providers/data_provider/dp_iface_backend.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_backend.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo `test -f 'src/providers/data_provider/dp_iface_backend.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface_backend.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_backend.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_backend.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_iface_backend.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface_backend.lo `test -f 'src/providers/data_provider/dp_iface_backend.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface_backend.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo: src/providers/data_provider/dp_iface_failover.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_failover.Tpo -c 
-o src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo `test -f 'src/providers/data_provider/dp_iface_failover.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface_failover.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_failover.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_failover.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_iface_failover.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface_failover.lo `test -f 'src/providers/data_provider/dp_iface_failover.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface_failover.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo: src/providers/data_provider/dp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_client.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo `test -f 'src/providers/data_provider/dp_client.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_client.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_client.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_client.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_client.lo `test -f 'src/providers/data_provider/dp_client.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_client.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo: src/providers/data_provider/dp_resp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_resp_client.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo `test -f 'src/providers/data_provider/dp_resp_client.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_resp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_resp_client.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_resp_client.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_resp_client.c' 
object='src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_resp_client.lo `test -f 'src/providers/data_provider/dp_resp_client.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_resp_client.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo: src/providers/data_provider/dp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_generated.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo `test -f 'src/providers/data_provider/dp_iface_generated.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_generated.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_iface_generated.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_iface_generated.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_iface_generated.lo `test -f 'src/providers/data_provider/dp_iface_generated.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_iface_generated.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo: src/providers/data_provider/dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo `test -f 'src/providers/data_provider/dp_request.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_request.lo `test -f 
'src/providers/data_provider/dp_request.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo: src/providers/data_provider/dp_request_reply.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_reply.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo `test -f 'src/providers/data_provider/dp_request_reply.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request_reply.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_reply.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_reply.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request_reply.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_request_reply.lo `test -f 'src/providers/data_provider/dp_request_reply.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request_reply.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo: src/providers/data_provider/dp_request_table.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_table.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo `test -f 'src/providers/data_provider/dp_request_table.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_table.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_request_table.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request_table.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_request_table.lo `test -f 'src/providers/data_provider/dp_request_table.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request_table.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo: src/providers/data_provider/dp_reply_std.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT 
src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_reply_std.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo `test -f 'src/providers/data_provider/dp_reply_std.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_reply_std.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_reply_std.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_reply_std.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_reply_std.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_reply_std.lo `test -f 'src/providers/data_provider/dp_reply_std.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_reply_std.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo: src/providers/data_provider/dp_target_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_sudo.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo `test -f 'src/providers/data_provider/dp_target_sudo.c' || echo 
'$(srcdir)/'`src/providers/data_provider/dp_target_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_sudo.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_target_sudo.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_sudo.lo `test -f 'src/providers/data_provider/dp_target_sudo.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_sudo.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo: src/providers/data_provider/dp_target_hostid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_hostid.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo `test -f 'src/providers/data_provider/dp_target_hostid.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_hostid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_hostid.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_hostid.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_target_hostid.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_hostid.lo `test -f 'src/providers/data_provider/dp_target_hostid.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_hostid.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo: src/providers/data_provider/dp_target_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_autofs.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo `test -f 'src/providers/data_provider/dp_target_autofs.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_autofs.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_target_autofs.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_autofs.lo `test -f 'src/providers/data_provider/dp_target_autofs.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_autofs.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo: src/providers/data_provider/dp_target_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_subdomains.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo `test -f 'src/providers/data_provider/dp_target_subdomains.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_subdomains.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_subdomains.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_target_subdomains.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_subdomains.lo `test -f 'src/providers/data_provider/dp_target_subdomains.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_subdomains.c + +src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo: src/providers/data_provider/dp_target_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_id.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo `test -f 'src/providers/data_provider/dp_target_id.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_id.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_target_id.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_id.lo `test -f 'src/providers/data_provider/dp_target_id.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_id.c + 
+src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo: src/providers/data_provider/dp_target_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_auth.Tpo -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo `test -f 'src/providers/data_provider/dp_target_auth.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_auth.Tpo src/providers/data_provider/$(DEPDIR)/libdlopen_test_providers_la-dp_target_auth.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_target_auth.c' object='src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libdlopen_test_providers_la-dp_target_auth.lo `test -f 'src/providers/data_provider/dp_target_auth.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_target_auth.c + +src/util/libdlopen_test_providers_la-session_recording.lo: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/util/libdlopen_test_providers_la-session_recording.lo -MD -MP -MF src/util/$(DEPDIR)/libdlopen_test_providers_la-session_recording.Tpo -c -o src/util/libdlopen_test_providers_la-session_recording.lo `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libdlopen_test_providers_la-session_recording.Tpo src/util/$(DEPDIR)/libdlopen_test_providers_la-session_recording.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/libdlopen_test_providers_la-session_recording.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/util/libdlopen_test_providers_la-session_recording.lo `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/providers/libdlopen_test_providers_la-fail_over.lo: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-fail_over.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over.Tpo -c -o src/providers/libdlopen_test_providers_la-fail_over.lo `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/libdlopen_test_providers_la-fail_over.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/providers/libdlopen_test_providers_la-fail_over.lo `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c + +src/providers/libdlopen_test_providers_la-fail_over_srv.lo: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/providers/libdlopen_test_providers_la-fail_over_srv.lo -MD -MP -MF src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over_srv.Tpo -c -o src/providers/libdlopen_test_providers_la-fail_over_srv.lo `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over_srv.Tpo src/providers/$(DEPDIR)/libdlopen_test_providers_la-fail_over_srv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/libdlopen_test_providers_la-fail_over_srv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o 
src/providers/libdlopen_test_providers_la-fail_over_srv.lo `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c + +src/resolv/libdlopen_test_providers_la-async_resolv.lo: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/resolv/libdlopen_test_providers_la-async_resolv.lo -MD -MP -MF src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv.Tpo -c -o src/resolv/libdlopen_test_providers_la-async_resolv.lo `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv.Tpo src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/libdlopen_test_providers_la-async_resolv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/resolv/libdlopen_test_providers_la-async_resolv.lo `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo -MD -MP -MF 
src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv_utils.Tpo -c -o src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/libdlopen_test_providers_la-async_resolv_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/resolv/libdlopen_test_providers_la-async_resolv_utils.lo `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c + +src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo: src/tests/cmocka/wrap_sss_nss_make_request_timeout.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo -MD -MP -MF src/tests/cmocka/$(DEPDIR)/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.Tpo -c -o src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo `test -f 'src/tests/cmocka/wrap_sss_nss_make_request_timeout.c' || echo '$(srcdir)/'`src/tests/cmocka/wrap_sss_nss_make_request_timeout.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.Tpo src/tests/cmocka/$(DEPDIR)/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/wrap_sss_nss_make_request_timeout.c' object='src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_providers_la_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/libdlopen_test_providers_la-wrap_sss_nss_make_request_timeout.lo `test -f 'src/tests/cmocka/wrap_sss_nss_make_request_timeout.c' || echo '$(srcdir)/'`src/tests/cmocka/wrap_sss_nss_make_request_timeout.c + +src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo: src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_winbind_idmap_la_CFLAGS) $(CFLAGS) -MT src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo -MD -MP -MF src/lib/winbind_idmap_sss/$(DEPDIR)/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.Tpo -c -o src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo `test -f 'src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c' || echo '$(srcdir)/'`src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/winbind_idmap_sss/$(DEPDIR)/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.Tpo 
src/lib/winbind_idmap_sss/$(DEPDIR)/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c' object='src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdlopen_test_winbind_idmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/winbind_idmap_sss/libdlopen_test_winbind_idmap_la-libdlopen-test-winbind-idmap.lo `test -f 'src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c' || echo '$(srcdir)/'`src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c + +src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo: src/lib/ipa_hbac/hbac_evaluator.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libipa_hbac_la_CFLAGS) $(CFLAGS) -MT src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo -MD -MP -MF src/lib/ipa_hbac/$(DEPDIR)/libipa_hbac_la-hbac_evaluator.Tpo -c -o src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo `test -f 'src/lib/ipa_hbac/hbac_evaluator.c' || echo '$(srcdir)/'`src/lib/ipa_hbac/hbac_evaluator.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/ipa_hbac/$(DEPDIR)/libipa_hbac_la-hbac_evaluator.Tpo src/lib/ipa_hbac/$(DEPDIR)/libipa_hbac_la-hbac_evaluator.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/ipa_hbac/hbac_evaluator.c' object='src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libipa_hbac_la_CFLAGS) $(CFLAGS) -c -o src/lib/ipa_hbac/libipa_hbac_la-hbac_evaluator.lo `test -f 'src/lib/ipa_hbac/hbac_evaluator.c' || echo '$(srcdir)/'`src/lib/ipa_hbac/hbac_evaluator.c + +src/util/libipa_hbac_la-sss_utf8.lo: src/util/sss_utf8.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libipa_hbac_la_CFLAGS) $(CFLAGS) -MT src/util/libipa_hbac_la-sss_utf8.lo -MD -MP -MF src/util/$(DEPDIR)/libipa_hbac_la-sss_utf8.Tpo -c -o src/util/libipa_hbac_la-sss_utf8.lo `test -f 'src/util/sss_utf8.c' || echo '$(srcdir)/'`src/util/sss_utf8.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libipa_hbac_la-sss_utf8.Tpo src/util/$(DEPDIR)/libipa_hbac_la-sss_utf8.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_utf8.c' object='src/util/libipa_hbac_la-sss_utf8.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libipa_hbac_la_CFLAGS) $(CFLAGS) -c -o src/util/libipa_hbac_la-sss_utf8.lo `test -f 'src/util/sss_utf8.c' || echo '$(srcdir)/'`src/util/sss_utf8.c + +src/providers/ad/libsss_ad_la-ad_opts.lo: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_opts.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_opts.Tpo -c -o 
src/providers/ad/libsss_ad_la-ad_opts.lo `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_opts.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_opts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/libsss_ad_la-ad_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_opts.lo `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c + +src/providers/ad/libsss_ad_la-ad_common.lo: src/providers/ad/ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_common.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_common.Tpo -c -o src/providers/ad/libsss_ad_la-ad_common.lo `test -f 'src/providers/ad/ad_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_common.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_common.c' object='src/providers/ad/libsss_ad_la-ad_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_common.lo `test -f 'src/providers/ad/ad_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_common.c + +src/providers/ad/libsss_ad_la-ad_init.lo: src/providers/ad/ad_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_init.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_init.Tpo -c -o src/providers/ad/libsss_ad_la-ad_init.lo `test -f 'src/providers/ad/ad_init.c' || echo '$(srcdir)/'`src/providers/ad/ad_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_init.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_init.c' object='src/providers/ad/libsss_ad_la-ad_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_init.lo `test -f 'src/providers/ad/ad_init.c' || echo '$(srcdir)/'`src/providers/ad/ad_init.c + +src/providers/ad/libsss_ad_la-ad_dyndns.lo: src/providers/ad/ad_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_dyndns.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_dyndns.Tpo -c -o src/providers/ad/libsss_ad_la-ad_dyndns.lo `test -f 
'src/providers/ad/ad_dyndns.c' || echo '$(srcdir)/'`src/providers/ad/ad_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_dyndns.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_dyndns.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_dyndns.c' object='src/providers/ad/libsss_ad_la-ad_dyndns.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_dyndns.lo `test -f 'src/providers/ad/ad_dyndns.c' || echo '$(srcdir)/'`src/providers/ad/ad_dyndns.c + +src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo: src/providers/ad/ad_machine_pw_renewal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_machine_pw_renewal.Tpo -c -o src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo `test -f 'src/providers/ad/ad_machine_pw_renewal.c' || echo '$(srcdir)/'`src/providers/ad/ad_machine_pw_renewal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_machine_pw_renewal.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_machine_pw_renewal.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_machine_pw_renewal.c' object='src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) 
$(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_machine_pw_renewal.lo `test -f 'src/providers/ad/ad_machine_pw_renewal.c' || echo '$(srcdir)/'`src/providers/ad/ad_machine_pw_renewal.c + +src/providers/ad/libsss_ad_la-ad_id.lo: src/providers/ad/ad_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_id.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_id.Tpo -c -o src/providers/ad/libsss_ad_la-ad_id.lo `test -f 'src/providers/ad/ad_id.c' || echo '$(srcdir)/'`src/providers/ad/ad_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_id.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_id.c' object='src/providers/ad/libsss_ad_la-ad_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_id.lo `test -f 'src/providers/ad/ad_id.c' || echo '$(srcdir)/'`src/providers/ad/ad_id.c + +src/providers/ad/libsss_ad_la-ad_pac.lo: src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_pac.lo -MD -MP -MF 
src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac.Tpo -c -o src/providers/ad/libsss_ad_la-ad_pac.lo `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac.c' object='src/providers/ad/libsss_ad_la-ad_pac.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_pac.lo `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c + +src/providers/ad/libsss_ad_la-ad_pac_common.lo: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_pac_common.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac_common.Tpo -c -o src/providers/ad/libsss_ad_la-ad_pac_common.lo `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_pac_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/libsss_ad_la-ad_pac_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) 
$(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_pac_common.lo `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c + +src/providers/ad/libsss_ad_la-ad_access.lo: src/providers/ad/ad_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_access.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_access.Tpo -c -o src/providers/ad/libsss_ad_la-ad_access.lo `test -f 'src/providers/ad/ad_access.c' || echo '$(srcdir)/'`src/providers/ad/ad_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_access.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_access.c' object='src/providers/ad/libsss_ad_la-ad_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_access.lo `test -f 'src/providers/ad/ad_access.c' || echo '$(srcdir)/'`src/providers/ad/ad_access.c + +src/providers/ad/libsss_ad_la-ad_gpo.lo: src/providers/ad/ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_gpo.lo -MD -MP -MF 
src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo.Tpo -c -o src/providers/ad/libsss_ad_la-ad_gpo.lo `test -f 'src/providers/ad/ad_gpo.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_gpo.c' object='src/providers/ad/libsss_ad_la-ad_gpo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_gpo.lo `test -f 'src/providers/ad/ad_gpo.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo.c + +src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo: src/providers/ad/ad_gpo_ndr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo_ndr.Tpo -c -o src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo `test -f 'src/providers/ad/ad_gpo_ndr.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo_ndr.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo_ndr.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_gpo_ndr.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_gpo_ndr.c' object='src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_gpo_ndr.lo `test -f 'src/providers/ad/ad_gpo_ndr.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo_ndr.c + +src/providers/ad/libsss_ad_la-ad_srv.lo: src/providers/ad/ad_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_srv.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_srv.Tpo -c -o src/providers/ad/libsss_ad_la-ad_srv.lo `test -f 'src/providers/ad/ad_srv.c' || echo '$(srcdir)/'`src/providers/ad/ad_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_srv.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_srv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_srv.c' object='src/providers/ad/libsss_ad_la-ad_srv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_srv.lo `test -f 'src/providers/ad/ad_srv.c' || echo '$(srcdir)/'`src/providers/ad/ad_srv.c + +src/providers/ad/libsss_ad_la-ad_subdomains.lo: src/providers/ad/ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_subdomains.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_subdomains.Tpo -c -o 
src/providers/ad/libsss_ad_la-ad_subdomains.lo `test -f 'src/providers/ad/ad_subdomains.c' || echo '$(srcdir)/'`src/providers/ad/ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_subdomains.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_subdomains.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_subdomains.c' object='src/providers/ad/libsss_ad_la-ad_subdomains.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_subdomains.lo `test -f 'src/providers/ad/ad_subdomains.c' || echo '$(srcdir)/'`src/providers/ad/ad_subdomains.c + +src/providers/ad/libsss_ad_la-ad_domain_info.lo: src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_domain_info.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_domain_info.Tpo -c -o src/providers/ad/libsss_ad_la-ad_domain_info.lo `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_domain_info.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_domain_info.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_domain_info.c' object='src/providers/ad/libsss_ad_la-ad_domain_info.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_domain_info.lo `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c + +src/providers/ad/libsss_ad_la-ad_sudo.lo: src/providers/ad/ad_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_sudo.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_sudo.Tpo -c -o src/providers/ad/libsss_ad_la-ad_sudo.lo `test -f 'src/providers/ad/ad_sudo.c' || echo '$(srcdir)/'`src/providers/ad/ad_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_sudo.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_sudo.c' object='src/providers/ad/libsss_ad_la-ad_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_sudo.lo `test -f 'src/providers/ad/ad_sudo.c' || echo '$(srcdir)/'`src/providers/ad/ad_sudo.c + +src/providers/ad/libsss_ad_la-ad_autofs.lo: src/providers/ad/ad_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_la-ad_autofs.lo 
-MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_autofs.Tpo -c -o src/providers/ad/libsss_ad_la-ad_autofs.lo `test -f 'src/providers/ad/ad_autofs.c' || echo '$(srcdir)/'`src/providers/ad/ad_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_autofs.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_la-ad_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_autofs.c' object='src/providers/ad/libsss_ad_la-ad_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_la-ad_autofs.lo `test -f 'src/providers/ad/ad_autofs.c' || echo '$(srcdir)/'`src/providers/ad/ad_autofs.c + +src/providers/ad/libsss_ad_tests_la-ad_opts.lo: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_opts.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_opts.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_opts.lo `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_opts.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_opts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/libsss_ad_tests_la-ad_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_opts.lo `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c + +src/providers/ad/libsss_ad_tests_la-ad_common.lo: src/providers/ad/ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_common.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_common.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_common.lo `test -f 'src/providers/ad/ad_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_common.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_common.c' object='src/providers/ad/libsss_ad_tests_la-ad_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_common.lo `test -f 'src/providers/ad/ad_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_common.c + +src/providers/ad/libsss_ad_tests_la-ad_init.lo: src/providers/ad/ad_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_init.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_init.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_init.lo `test -f 'src/providers/ad/ad_init.c' || echo '$(srcdir)/'`src/providers/ad/ad_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_init.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_init.c' object='src/providers/ad/libsss_ad_tests_la-ad_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_init.lo `test -f 'src/providers/ad/ad_init.c' || echo '$(srcdir)/'`src/providers/ad/ad_init.c + +src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo: src/providers/ad/ad_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_dyndns.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo `test -f 'src/providers/ad/ad_dyndns.c' || echo '$(srcdir)/'`src/providers/ad/ad_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_dyndns.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_dyndns.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_dyndns.c' object='src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo' libtool=yes 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_dyndns.lo `test -f 'src/providers/ad/ad_dyndns.c' || echo '$(srcdir)/'`src/providers/ad/ad_dyndns.c + +src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo: src/providers/ad/ad_machine_pw_renewal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_machine_pw_renewal.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo `test -f 'src/providers/ad/ad_machine_pw_renewal.c' || echo '$(srcdir)/'`src/providers/ad/ad_machine_pw_renewal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_machine_pw_renewal.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_machine_pw_renewal.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_machine_pw_renewal.c' object='src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_machine_pw_renewal.lo `test -f 'src/providers/ad/ad_machine_pw_renewal.c' || echo 
'$(srcdir)/'`src/providers/ad/ad_machine_pw_renewal.c + +src/providers/ad/libsss_ad_tests_la-ad_id.lo: src/providers/ad/ad_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_id.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_id.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_id.lo `test -f 'src/providers/ad/ad_id.c' || echo '$(srcdir)/'`src/providers/ad/ad_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_id.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_id.c' object='src/providers/ad/libsss_ad_tests_la-ad_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_id.lo `test -f 'src/providers/ad/ad_id.c' || echo '$(srcdir)/'`src/providers/ad/ad_id.c + +src/providers/ad/libsss_ad_tests_la-ad_pac.lo: src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_pac.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_pac.lo `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac.c' object='src/providers/ad/libsss_ad_tests_la-ad_pac.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_pac.lo `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c + +src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac_common.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_pac_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_pac_common.lo `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c + +src/providers/ad/libsss_ad_tests_la-ad_access.lo: src/providers/ad/ad_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_access.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_access.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_access.lo `test -f 'src/providers/ad/ad_access.c' || echo '$(srcdir)/'`src/providers/ad/ad_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_access.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_access.c' object='src/providers/ad/libsss_ad_tests_la-ad_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_access.lo `test -f 'src/providers/ad/ad_access.c' || echo '$(srcdir)/'`src/providers/ad/ad_access.c + +src/providers/ad/libsss_ad_tests_la-ad_gpo.lo: src/providers/ad/ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_gpo.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo.Tpo 
-c -o src/providers/ad/libsss_ad_tests_la-ad_gpo.lo `test -f 'src/providers/ad/ad_gpo.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_gpo.c' object='src/providers/ad/libsss_ad_tests_la-ad_gpo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_gpo.lo `test -f 'src/providers/ad/ad_gpo.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo.c + +src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo: src/providers/ad/ad_gpo_ndr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo_ndr.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo `test -f 'src/providers/ad/ad_gpo_ndr.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo_ndr.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo_ndr.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_gpo_ndr.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_gpo_ndr.c' object='src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) 
$(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_gpo_ndr.lo `test -f 'src/providers/ad/ad_gpo_ndr.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo_ndr.c + +src/providers/ad/libsss_ad_tests_la-ad_srv.lo: src/providers/ad/ad_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_srv.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_srv.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_srv.lo `test -f 'src/providers/ad/ad_srv.c' || echo '$(srcdir)/'`src/providers/ad/ad_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_srv.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_srv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_srv.c' object='src/providers/ad/libsss_ad_tests_la-ad_srv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_srv.lo `test -f 'src/providers/ad/ad_srv.c' || echo '$(srcdir)/'`src/providers/ad/ad_srv.c + +src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo: src/providers/ad/ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT 
src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_subdomains.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo `test -f 'src/providers/ad/ad_subdomains.c' || echo '$(srcdir)/'`src/providers/ad/ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_subdomains.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_subdomains.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_subdomains.c' object='src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_subdomains.lo `test -f 'src/providers/ad/ad_subdomains.c' || echo '$(srcdir)/'`src/providers/ad/ad_subdomains.c + +src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo: src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_domain_info.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_domain_info.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_domain_info.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_domain_info.c' 
object='src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_domain_info.lo `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c + +src/providers/ad/libsss_ad_tests_la-ad_sudo.lo: src/providers/ad/ad_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_sudo.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_sudo.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_sudo.lo `test -f 'src/providers/ad/ad_sudo.c' || echo '$(srcdir)/'`src/providers/ad/ad_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_sudo.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_sudo.c' object='src/providers/ad/libsss_ad_tests_la-ad_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_sudo.lo `test -f 'src/providers/ad/ad_sudo.c' || echo '$(srcdir)/'`src/providers/ad/ad_sudo.c + +src/providers/ad/libsss_ad_tests_la-ad_autofs.lo: 
src/providers/ad/ad_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ad_tests_la-ad_autofs.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_autofs.Tpo -c -o src/providers/ad/libsss_ad_tests_la-ad_autofs.lo `test -f 'src/providers/ad/ad_autofs.c' || echo '$(srcdir)/'`src/providers/ad/ad_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_autofs.Tpo src/providers/ad/$(DEPDIR)/libsss_ad_tests_la-ad_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_autofs.c' object='src/providers/ad/libsss_ad_tests_la-ad_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ad_tests_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ad_tests_la-ad_autofs.lo `test -f 'src/providers/ad/ad_autofs.c' || echo '$(srcdir)/'`src/providers/ad/ad_autofs.c + +src/util/cert/libsss_cert_la-cert_common.lo: src/util/cert/cert_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -MT src/util/cert/libsss_cert_la-cert_common.lo -MD -MP -MF src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common.Tpo -c -o src/util/cert/libsss_cert_la-cert_common.lo `test -f 'src/util/cert/cert_common.c' || echo '$(srcdir)/'`src/util/cert/cert_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common.Tpo 
src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/cert_common.c' object='src/util/cert/libsss_cert_la-cert_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -c -o src/util/cert/libsss_cert_la-cert_common.lo `test -f 'src/util/cert/cert_common.c' || echo '$(srcdir)/'`src/util/cert/cert_common.c + +src/util/cert/libsss_cert_la-cert_common_p11_child.lo: src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -MT src/util/cert/libsss_cert_la-cert_common_p11_child.lo -MD -MP -MF src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common_p11_child.Tpo -c -o src/util/cert/libsss_cert_la-cert_common_p11_child.lo `test -f 'src/util/cert/cert_common_p11_child.c' || echo '$(srcdir)/'`src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common_p11_child.Tpo src/util/cert/$(DEPDIR)/libsss_cert_la-cert_common_p11_child.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/cert_common_p11_child.c' object='src/util/cert/libsss_cert_la-cert_common_p11_child.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -c -o 
src/util/cert/libsss_cert_la-cert_common_p11_child.lo `test -f 'src/util/cert/cert_common_p11_child.c' || echo '$(srcdir)/'`src/util/cert/cert_common_p11_child.c + +src/util/cert/libcrypto/libsss_cert_la-cert.lo: src/util/cert/libcrypto/cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -MT src/util/cert/libcrypto/libsss_cert_la-cert.lo -MD -MP -MF src/util/cert/libcrypto/$(DEPDIR)/libsss_cert_la-cert.Tpo -c -o src/util/cert/libcrypto/libsss_cert_la-cert.lo `test -f 'src/util/cert/libcrypto/cert.c' || echo '$(srcdir)/'`src/util/cert/libcrypto/cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/libcrypto/$(DEPDIR)/libsss_cert_la-cert.Tpo src/util/cert/libcrypto/$(DEPDIR)/libsss_cert_la-cert.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/libcrypto/cert.c' object='src/util/cert/libcrypto/libsss_cert_la-cert.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -c -o src/util/cert/libcrypto/libsss_cert_la-cert.lo `test -f 'src/util/cert/libcrypto/cert.c' || echo '$(srcdir)/'`src/util/cert/libcrypto/cert.c + +src/util/cert/nss/libsss_cert_la-cert.lo: src/util/cert/nss/cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -MT src/util/cert/nss/libsss_cert_la-cert.lo -MD -MP -MF src/util/cert/nss/$(DEPDIR)/libsss_cert_la-cert.Tpo -c -o src/util/cert/nss/libsss_cert_la-cert.lo `test -f 
'src/util/cert/nss/cert.c' || echo '$(srcdir)/'`src/util/cert/nss/cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/nss/$(DEPDIR)/libsss_cert_la-cert.Tpo src/util/cert/nss/$(DEPDIR)/libsss_cert_la-cert.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/nss/cert.c' object='src/util/cert/nss/libsss_cert_la-cert.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_cert_la_CFLAGS) $(CFLAGS) -c -o src/util/cert/nss/libsss_cert_la-cert.lo `test -f 'src/util/cert/nss/cert.c' || echo '$(srcdir)/'`src/util/cert/nss/cert.c + +src/lib/certmap/libsss_certmap_la-sss_certmap.lo: src/lib/certmap/sss_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_certmap.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_certmap.lo `test -f 'src/lib/certmap/sss_certmap.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_certmap.c' object='src/lib/certmap/libsss_certmap_la-sss_certmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_certmap.lo `test -f 'src/lib/certmap/sss_certmap.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap.c + +src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo: src/lib/certmap/sss_certmap_attr_names.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_attr_names.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo `test -f 'src/lib/certmap/sss_certmap_attr_names.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_attr_names.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_attr_names.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_attr_names.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_certmap_attr_names.c' object='src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_certmap_attr_names.lo `test -f 'src/lib/certmap/sss_certmap_attr_names.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_attr_names.c + +src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo: src/lib/certmap/sss_certmap_krb5_match.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_krb5_match.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo `test -f 'src/lib/certmap/sss_certmap_krb5_match.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_krb5_match.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_krb5_match.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_krb5_match.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_certmap_krb5_match.c' object='src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_certmap_krb5_match.lo `test -f 'src/lib/certmap/sss_certmap_krb5_match.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_krb5_match.c + +src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo: src/lib/certmap/sss_certmap_ldap_mapping.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_ldap_mapping.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo `test -f 'src/lib/certmap/sss_certmap_ldap_mapping.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_ldap_mapping.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_ldap_mapping.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_certmap_ldap_mapping.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_certmap_ldap_mapping.c' object='src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_certmap_ldap_mapping.lo `test -f 'src/lib/certmap/sss_certmap_ldap_mapping.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_ldap_mapping.c + +src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo: src/lib/certmap/sss_cert_content_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_common.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo `test -f 'src/lib/certmap/sss_cert_content_common.c' || echo '$(srcdir)/'`src/lib/certmap/sss_cert_content_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_common.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_cert_content_common.c' object='src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_cert_content_common.lo `test -f 'src/lib/certmap/sss_cert_content_common.c' || echo '$(srcdir)/'`src/lib/certmap/sss_cert_content_common.c + +src/util/libsss_certmap_la-util_ext.lo: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_certmap_la-util_ext.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_certmap_la-util_ext.Tpo -c -o src/util/libsss_certmap_la-util_ext.lo `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_certmap_la-util_ext.Tpo src/util/$(DEPDIR)/libsss_certmap_la-util_ext.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/libsss_certmap_la-util_ext.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_certmap_la-util_ext.lo `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/cert/libsss_certmap_la-cert_common.lo: src/util/cert/cert_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/cert/libsss_certmap_la-cert_common.lo -MD -MP -MF src/util/cert/$(DEPDIR)/libsss_certmap_la-cert_common.Tpo -c -o src/util/cert/libsss_certmap_la-cert_common.lo `test -f 'src/util/cert/cert_common.c' || echo '$(srcdir)/'`src/util/cert/cert_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/libsss_certmap_la-cert_common.Tpo src/util/cert/$(DEPDIR)/libsss_certmap_la-cert_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/cert_common.c' object='src/util/cert/libsss_certmap_la-cert_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/cert/libsss_certmap_la-cert_common.lo `test -f 'src/util/cert/cert_common.c' || echo '$(srcdir)/'`src/util/cert/cert_common.c + +src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo: src/lib/certmap/sss_cert_content_nss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_nss.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo `test -f 'src/lib/certmap/sss_cert_content_nss.c' || echo '$(srcdir)/'`src/lib/certmap/sss_cert_content_nss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_nss.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_nss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/lib/certmap/sss_cert_content_nss.c' object='src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_cert_content_nss.lo `test -f 'src/lib/certmap/sss_cert_content_nss.c' || echo '$(srcdir)/'`src/lib/certmap/sss_cert_content_nss.c + +src/util/crypto/nss/libsss_certmap_la-nss_base64.lo: src/util/crypto/nss/nss_base64.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_certmap_la-nss_base64.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_base64.Tpo -c -o src/util/crypto/nss/libsss_certmap_la-nss_base64.lo `test -f 'src/util/crypto/nss/nss_base64.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_base64.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_base64.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_base64.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_base64.c' object='src/util/crypto/nss/libsss_certmap_la-nss_base64.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_certmap_la-nss_base64.lo `test -f 
'src/util/crypto/nss/nss_base64.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_base64.c + +src/util/cert/nss/libsss_certmap_la-cert.lo: src/util/cert/nss/cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/cert/nss/libsss_certmap_la-cert.lo -MD -MP -MF src/util/cert/nss/$(DEPDIR)/libsss_certmap_la-cert.Tpo -c -o src/util/cert/nss/libsss_certmap_la-cert.lo `test -f 'src/util/cert/nss/cert.c' || echo '$(srcdir)/'`src/util/cert/nss/cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/nss/$(DEPDIR)/libsss_certmap_la-cert.Tpo src/util/cert/nss/$(DEPDIR)/libsss_certmap_la-cert.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/nss/cert.c' object='src/util/cert/nss/libsss_certmap_la-cert.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/cert/nss/libsss_certmap_la-cert.lo `test -f 'src/util/cert/nss/cert.c' || echo '$(srcdir)/'`src/util/cert/nss/cert.c + +src/util/crypto/nss/libsss_certmap_la-nss_util.lo: src/util/crypto/nss/nss_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_certmap_la-nss_util.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_util.Tpo -c -o src/util/crypto/nss/libsss_certmap_la-nss_util.lo `test -f 'src/util/crypto/nss/nss_util.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_util.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_util.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_certmap_la-nss_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_util.c' object='src/util/crypto/nss/libsss_certmap_la-nss_util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_certmap_la-nss_util.lo `test -f 'src/util/crypto/nss/nss_util.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_util.c + +src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo: src/lib/certmap/sss_cert_content_crypto.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo -MD -MP -MF src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_crypto.Tpo -c -o src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo `test -f 'src/lib/certmap/sss_cert_content_crypto.c' || echo '$(srcdir)/'`src/lib/certmap/sss_cert_content_crypto.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_crypto.Tpo src/lib/certmap/$(DEPDIR)/libsss_certmap_la-sss_cert_content_crypto.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_cert_content_crypto.c' object='src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/libsss_certmap_la-sss_cert_content_crypto.lo `test -f 'src/lib/certmap/sss_cert_content_crypto.c' || echo '$(srcdir)/'`src/lib/certmap/sss_cert_content_crypto.c + +src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo: src/util/crypto/libcrypto/crypto_base64.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo -MD -MP -MF src/util/crypto/libcrypto/$(DEPDIR)/libsss_certmap_la-crypto_base64.Tpo -c -o src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo `test -f 'src/util/crypto/libcrypto/crypto_base64.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_base64.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/libcrypto/$(DEPDIR)/libsss_certmap_la-crypto_base64.Tpo src/util/crypto/libcrypto/$(DEPDIR)/libsss_certmap_la-crypto_base64.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/libcrypto/crypto_base64.c' object='src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libcrypto/libsss_certmap_la-crypto_base64.lo `test -f 'src/util/crypto/libcrypto/crypto_base64.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_base64.c + 
+src/util/cert/libcrypto/libsss_certmap_la-cert.lo: src/util/cert/libcrypto/cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -MT src/util/cert/libcrypto/libsss_certmap_la-cert.lo -MD -MP -MF src/util/cert/libcrypto/$(DEPDIR)/libsss_certmap_la-cert.Tpo -c -o src/util/cert/libcrypto/libsss_certmap_la-cert.lo `test -f 'src/util/cert/libcrypto/cert.c' || echo '$(srcdir)/'`src/util/cert/libcrypto/cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/libcrypto/$(DEPDIR)/libsss_certmap_la-cert.Tpo src/util/cert/libcrypto/$(DEPDIR)/libsss_certmap_la-cert.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/libcrypto/cert.c' object='src/util/cert/libcrypto/libsss_certmap_la-cert.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_certmap_la_CFLAGS) $(CFLAGS) -c -o src/util/cert/libcrypto/libsss_certmap_la-cert.lo `test -f 'src/util/cert/libcrypto/cert.c' || echo '$(srcdir)/'`src/util/cert/libcrypto/cert.c + +src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo: src/util/crypto/libcrypto/crypto_base64.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo -MD -MP -MF src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_base64.Tpo -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo `test -f 'src/util/crypto/libcrypto/crypto_base64.c' || echo 
'$(srcdir)/'`src/util/crypto/libcrypto/crypto_base64.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_base64.Tpo src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_base64.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/libcrypto/crypto_base64.c' object='src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_base64.lo `test -f 'src/util/crypto/libcrypto/crypto_base64.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_base64.c + +src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo: src/util/crypto/libcrypto/crypto_hmac_sha1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo -MD -MP -MF src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_hmac_sha1.Tpo -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo `test -f 'src/util/crypto/libcrypto/crypto_hmac_sha1.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_hmac_sha1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_hmac_sha1.Tpo src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_hmac_sha1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/libcrypto/crypto_hmac_sha1.c' object='src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo' libtool=yes @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_hmac_sha1.lo `test -f 'src/util/crypto/libcrypto/crypto_hmac_sha1.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_hmac_sha1.c + +src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo: src/util/crypto/libcrypto/crypto_sha512crypt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo -MD -MP -MF src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_sha512crypt.Tpo -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo `test -f 'src/util/crypto/libcrypto/crypto_sha512crypt.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_sha512crypt.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_sha512crypt.Tpo src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_sha512crypt.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/libcrypto/crypto_sha512crypt.c' object='src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_sha512crypt.lo 
`test -f 'src/util/crypto/libcrypto/crypto_sha512crypt.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_sha512crypt.c + +src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo: src/util/crypto/libcrypto/crypto_obfuscate.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo -MD -MP -MF src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_obfuscate.Tpo -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo `test -f 'src/util/crypto/libcrypto/crypto_obfuscate.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_obfuscate.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_obfuscate.Tpo src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_obfuscate.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/libcrypto/crypto_obfuscate.c' object='src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_obfuscate.lo `test -f 'src/util/crypto/libcrypto/crypto_obfuscate.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_obfuscate.c + +src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo: src/util/crypto/libcrypto/crypto_nite.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo -MD -MP -MF src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_nite.Tpo -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo `test -f 'src/util/crypto/libcrypto/crypto_nite.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_nite.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_nite.Tpo src/util/crypto/libcrypto/$(DEPDIR)/libsss_crypt_la-crypto_nite.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/libcrypto/crypto_nite.c' object='src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libcrypto/libsss_crypt_la-crypto_nite.lo `test -f 'src/util/crypto/libcrypto/crypto_nite.c' || echo '$(srcdir)/'`src/util/crypto/libcrypto/crypto_nite.c + +src/util/crypto/libsss_crypt_la-sss_crypto.lo: src/util/crypto/sss_crypto.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/libsss_crypt_la-sss_crypto.lo -MD -MP -MF src/util/crypto/$(DEPDIR)/libsss_crypt_la-sss_crypto.Tpo -c -o src/util/crypto/libsss_crypt_la-sss_crypto.lo `test -f 'src/util/crypto/sss_crypto.c' || echo '$(srcdir)/'`src/util/crypto/sss_crypto.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/$(DEPDIR)/libsss_crypt_la-sss_crypto.Tpo src/util/crypto/$(DEPDIR)/libsss_crypt_la-sss_crypto.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/crypto/sss_crypto.c' object='src/util/crypto/libsss_crypt_la-sss_crypto.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/libsss_crypt_la-sss_crypto.lo `test -f 'src/util/crypto/sss_crypto.c' || echo '$(srcdir)/'`src/util/crypto/sss_crypto.c + +src/util/libsss_crypt_la-atomic_io.lo: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_crypt_la-atomic_io.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_crypt_la-atomic_io.Tpo -c -o src/util/libsss_crypt_la-atomic_io.lo `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_crypt_la-atomic_io.Tpo src/util/$(DEPDIR)/libsss_crypt_la-atomic_io.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/libsss_crypt_la-atomic_io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_crypt_la-atomic_io.lo `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/crypto/nss/libsss_crypt_la-nss_base64.lo: src/util/crypto/nss/nss_base64.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_crypt_la-nss_base64.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_base64.Tpo -c -o src/util/crypto/nss/libsss_crypt_la-nss_base64.lo `test -f 'src/util/crypto/nss/nss_base64.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_base64.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_base64.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_base64.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_base64.c' object='src/util/crypto/nss/libsss_crypt_la-nss_base64.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_crypt_la-nss_base64.lo `test -f 'src/util/crypto/nss/nss_base64.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_base64.c + +src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo: src/util/crypto/nss/nss_hmac_sha1.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_hmac_sha1.Tpo -c -o src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo `test -f 'src/util/crypto/nss/nss_hmac_sha1.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_hmac_sha1.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_hmac_sha1.Tpo 
src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_hmac_sha1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_hmac_sha1.c' object='src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_crypt_la-nss_hmac_sha1.lo `test -f 'src/util/crypto/nss/nss_hmac_sha1.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_hmac_sha1.c + +src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo: src/util/crypto/nss/nss_sha512crypt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_sha512crypt.Tpo -c -o src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo `test -f 'src/util/crypto/nss/nss_sha512crypt.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_sha512crypt.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_sha512crypt.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_sha512crypt.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_sha512crypt.c' object='src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_crypt_la-nss_sha512crypt.lo `test -f 'src/util/crypto/nss/nss_sha512crypt.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_sha512crypt.c + +src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo: src/util/crypto/nss/nss_obfuscate.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_obfuscate.Tpo -c -o src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo `test -f 'src/util/crypto/nss/nss_obfuscate.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_obfuscate.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_obfuscate.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_obfuscate.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_obfuscate.c' object='src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_crypt_la-nss_obfuscate.lo `test -f 'src/util/crypto/nss/nss_obfuscate.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_obfuscate.c + +src/util/crypto/nss/libsss_crypt_la-nss_nite.lo: src/util/crypto/nss/nss_nite.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT 
src/util/crypto/nss/libsss_crypt_la-nss_nite.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_nite.Tpo -c -o src/util/crypto/nss/libsss_crypt_la-nss_nite.lo `test -f 'src/util/crypto/nss/nss_nite.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_nite.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_nite.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_nite.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_nite.c' object='src/util/crypto/nss/libsss_crypt_la-nss_nite.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_crypt_la-nss_nite.lo `test -f 'src/util/crypto/nss/nss_nite.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_nite.c + +src/util/crypto/nss/libsss_crypt_la-nss_util.lo: src/util/crypto/nss/nss_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -MT src/util/crypto/nss/libsss_crypt_la-nss_util.lo -MD -MP -MF src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_util.Tpo -c -o src/util/crypto/nss/libsss_crypt_la-nss_util.lo `test -f 'src/util/crypto/nss/nss_util.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_util.Tpo src/util/crypto/nss/$(DEPDIR)/libsss_crypt_la-nss_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/crypto/nss/nss_util.c' object='src/util/crypto/nss/libsss_crypt_la-nss_util.lo' libtool=yes @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_crypt_la_CFLAGS) $(CFLAGS) -c -o src/util/crypto/nss/libsss_crypt_la-nss_util.lo `test -f 'src/util/crypto/nss/nss_util.c' || echo '$(srcdir)/'`src/util/crypto/nss/nss_util.c + +src/providers/files/libsss_files_la-files_init.lo: src/providers/files/files_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -MT src/providers/files/libsss_files_la-files_init.lo -MD -MP -MF src/providers/files/$(DEPDIR)/libsss_files_la-files_init.Tpo -c -o src/providers/files/libsss_files_la-files_init.lo `test -f 'src/providers/files/files_init.c' || echo '$(srcdir)/'`src/providers/files/files_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/files/$(DEPDIR)/libsss_files_la-files_init.Tpo src/providers/files/$(DEPDIR)/libsss_files_la-files_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/files/files_init.c' object='src/providers/files/libsss_files_la-files_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -c -o src/providers/files/libsss_files_la-files_init.lo `test -f 'src/providers/files/files_init.c' || echo '$(srcdir)/'`src/providers/files/files_init.c + +src/providers/files/libsss_files_la-files_id.lo: src/providers/files/files_id.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -MT src/providers/files/libsss_files_la-files_id.lo -MD -MP -MF src/providers/files/$(DEPDIR)/libsss_files_la-files_id.Tpo -c -o src/providers/files/libsss_files_la-files_id.lo `test -f 'src/providers/files/files_id.c' || echo '$(srcdir)/'`src/providers/files/files_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/files/$(DEPDIR)/libsss_files_la-files_id.Tpo src/providers/files/$(DEPDIR)/libsss_files_la-files_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/files/files_id.c' object='src/providers/files/libsss_files_la-files_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -c -o src/providers/files/libsss_files_la-files_id.lo `test -f 'src/providers/files/files_id.c' || echo '$(srcdir)/'`src/providers/files/files_id.c + +src/providers/files/libsss_files_la-files_ops.lo: src/providers/files/files_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -MT src/providers/files/libsss_files_la-files_ops.lo -MD -MP -MF src/providers/files/$(DEPDIR)/libsss_files_la-files_ops.Tpo -c -o src/providers/files/libsss_files_la-files_ops.lo `test -f 'src/providers/files/files_ops.c' || echo '$(srcdir)/'`src/providers/files/files_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/files/$(DEPDIR)/libsss_files_la-files_ops.Tpo 
src/providers/files/$(DEPDIR)/libsss_files_la-files_ops.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/files/files_ops.c' object='src/providers/files/libsss_files_la-files_ops.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -c -o src/providers/files/libsss_files_la-files_ops.lo `test -f 'src/providers/files/files_ops.c' || echo '$(srcdir)/'`src/providers/files/files_ops.c + +src/util/libsss_files_la-inotify.lo: src/util/inotify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_files_la-inotify.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_files_la-inotify.Tpo -c -o src/util/libsss_files_la-inotify.lo `test -f 'src/util/inotify.c' || echo '$(srcdir)/'`src/util/inotify.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_files_la-inotify.Tpo src/util/$(DEPDIR)/libsss_files_la-inotify.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/inotify.c' object='src/util/libsss_files_la-inotify.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_files_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_files_la-inotify.lo `test -f 'src/util/inotify.c' || echo '$(srcdir)/'`src/util/inotify.c + +src/providers/ipa/libsss_ipa_la-ipa_init.lo: 
src/providers/ipa/ipa_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_init.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_init.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_init.lo `test -f 'src/providers/ipa/ipa_init.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_init.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_init.c' object='src/providers/ipa/libsss_ipa_la-ipa_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_init.lo `test -f 'src/providers/ipa/ipa_init.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_init.c + +src/providers/ipa/libsss_ipa_la-ipa_opts.lo: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_opts.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_opts.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_opts.lo `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_opts.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/libsss_ipa_la-ipa_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_opts.lo `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c + +src/providers/ipa/libsss_ipa_la-ipa_common.lo: src/providers/ipa/ipa_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_common.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_common.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_common.lo `test -f 'src/providers/ipa/ipa_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_common.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_common.c' object='src/providers/ipa/libsss_ipa_la-ipa_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_common.lo `test -f 'src/providers/ipa/ipa_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_common.c + 
+src/providers/ipa/libsss_ipa_la-ipa_config.lo: src/providers/ipa/ipa_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_config.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_config.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_config.lo `test -f 'src/providers/ipa/ipa_config.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_config.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_config.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_config.c' object='src/providers/ipa/libsss_ipa_la-ipa_config.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_config.lo `test -f 'src/providers/ipa/ipa_config.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_config.c + +src/providers/ipa/libsss_ipa_la-ipa_id.lo: src/providers/ipa/ipa_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_id.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_id.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_id.lo `test -f 'src/providers/ipa/ipa_id.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_id.Tpo 
src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_id.c' object='src/providers/ipa/libsss_ipa_la-ipa_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_id.lo `test -f 'src/providers/ipa/ipa_id.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_id.c + +src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo: src/providers/ipa/ipa_netgroups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_netgroups.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo `test -f 'src/providers/ipa/ipa_netgroups.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_netgroups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_netgroups.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_netgroups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_netgroups.c' object='src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_netgroups.lo `test -f 
'src/providers/ipa/ipa_netgroups.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_netgroups.c + +src/providers/ipa/libsss_ipa_la-ipa_auth.lo: src/providers/ipa/ipa_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_auth.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_auth.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_auth.lo `test -f 'src/providers/ipa/ipa_auth.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_auth.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_auth.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_auth.c' object='src/providers/ipa/libsss_ipa_la-ipa_auth.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_auth.lo `test -f 'src/providers/ipa/ipa_auth.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_auth.c + +src/providers/ipa/libsss_ipa_la-ipa_access.lo: src/providers/ipa/ipa_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_access.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_access.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_access.lo `test -f 'src/providers/ipa/ipa_access.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_access.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_access.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_access.c' object='src/providers/ipa/libsss_ipa_la-ipa_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_access.lo `test -f 'src/providers/ipa/ipa_access.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_access.c + +src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo: src/providers/ipa/ipa_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dyndns.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo `test -f 'src/providers/ipa/ipa_dyndns.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dyndns.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dyndns.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_dyndns.c' object='src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_dyndns.lo `test -f 'src/providers/ipa/ipa_dyndns.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dyndns.c + +src/providers/ipa/libsss_ipa_la-ipa_hosts.lo: src/providers/ipa/ipa_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hosts.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hosts.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hosts.lo `test -f 'src/providers/ipa/ipa_hosts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hosts.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hosts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_hosts.c' object='src/providers/ipa/libsss_ipa_la-ipa_hosts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hosts.lo `test -f 'src/providers/ipa/ipa_hosts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hosts.c + +src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo: src/providers/ipa/ipa_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains.Tpo -c -o 
src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo `test -f 'src/providers/ipa/ipa_subdomains.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains.c' object='src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains.lo `test -f 'src/providers/ipa/ipa_subdomains.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains.c + +src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo: src/providers/ipa/ipa_subdomains_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_id.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo `test -f 'src/providers/ipa/ipa_subdomains_id.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_id.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_id.c' object='src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_id.lo `test -f 'src/providers/ipa/ipa_subdomains_id.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_id.c + +src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo: src/providers/ipa/ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_server.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo `test -f 'src/providers/ipa/ipa_subdomains_server.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_server.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_server.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_server.c' object='src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_server.lo `test -f 'src/providers/ipa/ipa_subdomains_server.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_server.c + 
+src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo: src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_utils.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo `test -f 'src/providers/ipa/ipa_subdomains_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_utils.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_utils.c' object='src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_utils.lo `test -f 'src/providers/ipa/ipa_subdomains_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_utils.c + +src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo: src/providers/ipa/ipa_subdomains_ext_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_ext_groups.Tpo -c -o 
src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo `test -f 'src/providers/ipa/ipa_subdomains_ext_groups.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_ext_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_ext_groups.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_subdomains_ext_groups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_ext_groups.c' object='src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_subdomains_ext_groups.lo `test -f 'src/providers/ipa/ipa_subdomains_ext_groups.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_ext_groups.c + +src/providers/ipa/libsss_ipa_la-ipa_views.lo: src/providers/ipa/ipa_views.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_views.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_views.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_views.lo `test -f 'src/providers/ipa/ipa_views.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_views.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_views.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_views.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_views.c' object='src/providers/ipa/libsss_ipa_la-ipa_views.lo' libtool=yes @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_views.lo `test -f 'src/providers/ipa/ipa_views.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_views.c + +src/providers/ipa/libsss_ipa_la-ipa_utils.lo: src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_utils.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_utils.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_utils.lo `test -f 'src/providers/ipa/ipa_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_utils.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_utils.c' object='src/providers/ipa/libsss_ipa_la-ipa_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_utils.lo `test -f 'src/providers/ipa/ipa_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_utils.c + +src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo: src/providers/ipa/ipa_s2n_exop.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_s2n_exop.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo `test -f 'src/providers/ipa/ipa_s2n_exop.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_s2n_exop.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_s2n_exop.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_s2n_exop.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_s2n_exop.c' object='src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_s2n_exop.lo `test -f 'src/providers/ipa/ipa_s2n_exop.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_s2n_exop.c + +src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo: src/providers/ipa/ipa_hbac_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_hosts.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo `test -f 'src/providers/ipa/ipa_hbac_hosts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_hosts.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_hosts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/ipa/ipa_hbac_hosts.c' object='src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_hosts.lo `test -f 'src/providers/ipa/ipa_hbac_hosts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_hosts.c + +src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo: src/providers/ipa/ipa_hbac_rules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_rules.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo `test -f 'src/providers/ipa/ipa_hbac_rules.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_rules.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_rules.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_rules.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_hbac_rules.c' object='src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_rules.lo `test -f 'src/providers/ipa/ipa_hbac_rules.c' || echo 
'$(srcdir)/'`src/providers/ipa/ipa_hbac_rules.c + +src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo: src/providers/ipa/ipa_hbac_services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_services.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo `test -f 'src/providers/ipa/ipa_hbac_services.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_services.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_services.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_services.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_hbac_services.c' object='src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_services.lo `test -f 'src/providers/ipa/ipa_hbac_services.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_services.c + +src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo: src/providers/ipa/ipa_hbac_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_users.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo 
`test -f 'src/providers/ipa/ipa_hbac_users.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_users.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_users.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_hbac_users.c' object='src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_users.lo `test -f 'src/providers/ipa/ipa_hbac_users.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_users.c + +src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo: src/providers/ipa/ipa_hbac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_common.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo `test -f 'src/providers/ipa/ipa_hbac_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_common.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hbac_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_hbac_common.c' object='src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hbac_common.lo `test -f 'src/providers/ipa/ipa_hbac_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hbac_common.c + +src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo: src/providers/ipa/ipa_rules_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_rules_common.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo `test -f 'src/providers/ipa/ipa_rules_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_rules_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_rules_common.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_rules_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_rules_common.c' object='src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_rules_common.lo `test -f 'src/providers/ipa/ipa_rules_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_rules_common.c + +src/providers/ipa/libsss_ipa_la-ipa_session.lo: src/providers/ipa/ipa_session.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_session.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_session.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_session.lo `test -f 'src/providers/ipa/ipa_session.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_session.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_session.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_session.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_session.c' object='src/providers/ipa/libsss_ipa_la-ipa_session.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_session.lo `test -f 'src/providers/ipa/ipa_session.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_session.c + +src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo: src/providers/ipa/ipa_deskprofile_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_config.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo `test -f 'src/providers/ipa/ipa_deskprofile_config.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_config.Tpo 
src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_config.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_deskprofile_config.c' object='src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_deskprofile_config.lo `test -f 'src/providers/ipa/ipa_deskprofile_config.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_config.c + +src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo: src/providers/ipa/ipa_deskprofile_rules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo `test -f 'src/providers/ipa/ipa_deskprofile_rules.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_rules.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_deskprofile_rules.c' object='src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile 
$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules.lo `test -f 'src/providers/ipa/ipa_deskprofile_rules.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_rules.c + +src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo: src/providers/ipa/ipa_deskprofile_rules_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules_util.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo `test -f 'src/providers/ipa/ipa_deskprofile_rules_util.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_rules_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules_util.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_deskprofile_rules_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_deskprofile_rules_util.c' object='src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_deskprofile_rules_util.lo `test -f 'src/providers/ipa/ipa_deskprofile_rules_util.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_rules_util.c + +src/providers/ipa/libsss_ipa_la-ipa_srv.lo: src/providers/ipa/ipa_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) 
$(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_srv.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_srv.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_srv.lo `test -f 'src/providers/ipa/ipa_srv.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_srv.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_srv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_srv.c' object='src/providers/ipa/libsss_ipa_la-ipa_srv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_srv.lo `test -f 'src/providers/ipa/ipa_srv.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_srv.c + +src/providers/ipa/libsss_ipa_la-ipa_idmap.lo: src/providers/ipa/ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_idmap.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_idmap.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_idmap.lo `test -f 'src/providers/ipa/ipa_idmap.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_idmap.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_idmap.c' 
object='src/providers/ipa/libsss_ipa_la-ipa_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_idmap.lo `test -f 'src/providers/ipa/ipa_idmap.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_idmap.c + +src/providers/ipa/libsss_ipa_la-ipa_dn.lo: src/providers/ipa/ipa_dn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_dn.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dn.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_dn.lo `test -f 'src/providers/ipa/ipa_dn.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dn.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_dn.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_dn.c' object='src/providers/ipa/libsss_ipa_la-ipa_dn.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_dn.lo `test -f 'src/providers/ipa/ipa_dn.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dn.c + +src/providers/ad/libsss_ipa_la-ad_opts.lo: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_opts.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_opts.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_opts.lo `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_opts.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_opts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/libsss_ipa_la-ad_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_opts.lo `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c + +src/providers/ad/libsss_ipa_la-ad_common.lo: src/providers/ad/ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_common.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_common.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_common.lo `test -f 'src/providers/ad/ad_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_common.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_common.c' 
object='src/providers/ad/libsss_ipa_la-ad_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_common.lo `test -f 'src/providers/ad/ad_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_common.c + +src/providers/ad/libsss_ipa_la-ad_dyndns.lo: src/providers/ad/ad_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_dyndns.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_dyndns.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_dyndns.lo `test -f 'src/providers/ad/ad_dyndns.c' || echo '$(srcdir)/'`src/providers/ad/ad_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_dyndns.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_dyndns.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_dyndns.c' object='src/providers/ad/libsss_ipa_la-ad_dyndns.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_dyndns.lo `test -f 'src/providers/ad/ad_dyndns.c' || echo '$(srcdir)/'`src/providers/ad/ad_dyndns.c + +src/providers/ad/libsss_ipa_la-ad_id.lo: src/providers/ad/ad_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) 
$(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_id.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_id.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_id.lo `test -f 'src/providers/ad/ad_id.c' || echo '$(srcdir)/'`src/providers/ad/ad_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_id.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_id.c' object='src/providers/ad/libsss_ipa_la-ad_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_id.lo `test -f 'src/providers/ad/ad_id.c' || echo '$(srcdir)/'`src/providers/ad/ad_id.c + +src/providers/ad/libsss_ipa_la-ad_pac.lo: src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_pac.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_pac.lo `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac.c' object='src/providers/ad/libsss_ipa_la-ad_pac.lo' libtool=yes 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_pac.lo `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c + +src/providers/ad/libsss_ipa_la-ad_pac_common.lo: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_pac_common.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac_common.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_pac_common.lo `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_pac_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/libsss_ipa_la-ad_pac_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_pac_common.lo `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c + +src/providers/ad/libsss_ipa_la-ad_srv.lo: src/providers/ad/ad_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_srv.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_srv.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_srv.lo `test -f 'src/providers/ad/ad_srv.c' || echo '$(srcdir)/'`src/providers/ad/ad_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_srv.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_srv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_srv.c' object='src/providers/ad/libsss_ipa_la-ad_srv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_srv.lo `test -f 'src/providers/ad/ad_srv.c' || echo '$(srcdir)/'`src/providers/ad/ad_srv.c + +src/providers/ad/libsss_ipa_la-ad_domain_info.lo: src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ad/libsss_ipa_la-ad_domain_info.lo -MD -MP -MF src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_domain_info.Tpo -c -o src/providers/ad/libsss_ipa_la-ad_domain_info.lo `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_domain_info.Tpo src/providers/ad/$(DEPDIR)/libsss_ipa_la-ad_domain_info.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_domain_info.c' 
object='src/providers/ad/libsss_ipa_la-ad_domain_info.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ad/libsss_ipa_la-ad_domain_info.lo `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c + +src/providers/ipa/libsss_ipa_la-ipa_autofs.lo: src/providers/ipa/ipa_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_autofs.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_autofs.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_autofs.lo `test -f 'src/providers/ipa/ipa_autofs.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_autofs.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_autofs.c' object='src/providers/ipa/libsss_ipa_la-ipa_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_autofs.lo `test -f 'src/providers/ipa/ipa_autofs.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_autofs.c + +src/providers/ipa/libsss_ipa_la-ipa_sudo.lo: 
src/providers/ipa/ipa_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_sudo.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo.lo `test -f 'src/providers/ipa/ipa_sudo.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_sudo.c' object='src/providers/ipa/libsss_ipa_la-ipa_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo.lo `test -f 'src/providers/ipa/ipa_sudo.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo.c + +src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo: src/providers/ipa/ipa_sudo_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_refresh.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo `test -f 'src/providers/ipa/ipa_sudo_refresh.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_refresh.Tpo 
src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_refresh.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_sudo_refresh.c' object='src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo_refresh.lo `test -f 'src/providers/ipa/ipa_sudo_refresh.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo_refresh.c + +src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo: src/providers/ipa/ipa_sudo_conversion.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_conversion.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo `test -f 'src/providers/ipa/ipa_sudo_conversion.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo_conversion.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_conversion.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_conversion.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_sudo_conversion.c' object='src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo_conversion.lo `test -f 'src/providers/ipa/ipa_sudo_conversion.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo_conversion.c + +src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo: src/providers/ipa/ipa_sudo_async.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_async.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo `test -f 'src/providers/ipa/ipa_sudo_async.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo_async.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_async.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_sudo_async.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_sudo_async.c' object='src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_sudo_async.lo `test -f 'src/providers/ipa/ipa_sudo_async.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_sudo_async.c + +src/providers/ipa/libsss_ipa_la-ipa_selinux.lo: src/providers/ipa/ipa_selinux.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT 
src/providers/ipa/libsss_ipa_la-ipa_selinux.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_selinux.lo `test -f 'src/providers/ipa/ipa_selinux.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_selinux.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_selinux.c' object='src/providers/ipa/libsss_ipa_la-ipa_selinux.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_selinux.lo `test -f 'src/providers/ipa/ipa_selinux.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_selinux.c + +src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo: src/providers/ipa/ipa_selinux_maps.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux_maps.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo `test -f 'src/providers/ipa/ipa_selinux_maps.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_selinux_maps.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux_maps.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_selinux_maps.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_selinux_maps.c' object='src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo' 
libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_selinux_maps.lo `test -f 'src/providers/ipa/ipa_selinux_maps.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_selinux_maps.c + +src/providers/ipa/libsss_ipa_la-ipa_hostid.lo: src/providers/ipa/ipa_hostid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ipa_la-ipa_hostid.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hostid.Tpo -c -o src/providers/ipa/libsss_ipa_la-ipa_hostid.lo `test -f 'src/providers/ipa/ipa_hostid.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hostid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hostid.Tpo src/providers/ipa/$(DEPDIR)/libsss_ipa_la-ipa_hostid.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_hostid.c' object='src/providers/ipa/libsss_ipa_la-ipa_hostid.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ipa_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ipa_la-ipa_hostid.lo `test -f 'src/providers/ipa/ipa_hostid.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_hostid.c + +src/providers/krb5/libsss_krb5_la-krb5_init.lo: src/providers/krb5/krb5_init.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_la-krb5_init.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_la-krb5_init.Tpo -c -o src/providers/krb5/libsss_krb5_la-krb5_init.lo `test -f 'src/providers/krb5/krb5_init.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_la-krb5_init.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_la-krb5_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_init.c' object='src/providers/krb5/libsss_krb5_la-krb5_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_la-krb5_init.lo `test -f 'src/providers/krb5/krb5_init.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init.c + +src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_utils.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_utils.Tpo 
src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_utils.lo `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c + +src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo: src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_delayed_online_authentication.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo `test -f 'src/providers/krb5/krb5_delayed_online_authentication.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_delayed_online_authentication.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_delayed_online_authentication.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_delayed_online_authentication.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_delayed_online_authentication.lo `test -f 'src/providers/krb5/krb5_delayed_online_authentication.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_delayed_online_authentication.c + +src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo: src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_renew_tgt.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo `test -f 'src/providers/krb5/krb5_renew_tgt.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_renew_tgt.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_renew_tgt.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_renew_tgt.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_renew_tgt.lo `test -f 'src/providers/krb5/krb5_renew_tgt.c' || echo 
'$(srcdir)/'`src/providers/krb5/krb5_renew_tgt.c + +src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo: src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_wait_queue.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_wait_queue.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_wait_queue.lo `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c + +src/providers/krb5/libsss_krb5_common_la-krb5_common.lo: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_common.lo -MD -MP -MF 
src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_common.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_common.lo `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_common.lo `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c + +src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_opts.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_opts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' 
object='src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_opts.lo `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo: src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_auth.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo `test -f 'src/providers/krb5/krb5_auth.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_auth.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_auth.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_auth.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_auth.lo `test -f 'src/providers/krb5/krb5_auth.c' || echo 
'$(srcdir)/'`src/providers/krb5/krb5_auth.c + +src/providers/krb5/libsss_krb5_common_la-krb5_access.lo: src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_access.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_access.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_access.lo `test -f 'src/providers/krb5/krb5_access.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_access.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_access.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_access.lo `test -f 'src/providers/krb5/krb5_access.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_access.c + +src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo -MD -MP -MF 
src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_child_handler.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_child_handler.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_child_handler.lo `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c + +src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo: src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_init_shared.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo `test -f 'src/providers/krb5/krb5_init_shared.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_init_shared.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_init_shared.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_init_shared.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_init_shared.lo `test -f 'src/providers/krb5/krb5_init_shared.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init_shared.c + +src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo -MD -MP -MF src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_ccache.Tpo -c -o src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/libsss_krb5_common_la-krb5_ccache.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) 
$(CFLAGS) -c -o src/providers/krb5/libsss_krb5_common_la-krb5_ccache.lo `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/util/libsss_krb5_common_la-sss_krb5.lo: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_krb5_common_la-sss_krb5.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_krb5_common_la-sss_krb5.Tpo -c -o src/util/libsss_krb5_common_la-sss_krb5.lo `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_krb5_common_la-sss_krb5.Tpo src/util/$(DEPDIR)/libsss_krb5_common_la-sss_krb5.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/libsss_krb5_common_la-sss_krb5.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_krb5_common_la-sss_krb5.lo `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/libsss_krb5_common_la-sss_iobuf.lo: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_krb5_common_la-sss_iobuf.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_krb5_common_la-sss_iobuf.Tpo -c -o src/util/libsss_krb5_common_la-sss_iobuf.lo `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_krb5_common_la-sss_iobuf.Tpo src/util/$(DEPDIR)/libsss_krb5_common_la-sss_iobuf.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/libsss_krb5_common_la-sss_iobuf.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_krb5_common_la-sss_iobuf.lo `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/libsss_krb5_common_la-become_user.lo: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_krb5_common_la-become_user.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_krb5_common_la-become_user.Tpo -c -o src/util/libsss_krb5_common_la-become_user.lo `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_krb5_common_la-become_user.Tpo src/util/$(DEPDIR)/libsss_krb5_common_la-become_user.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/libsss_krb5_common_la-become_user.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_krb5_common_la_CFLAGS) $(CFLAGS) -c -o 
src/util/libsss_krb5_common_la-become_user.lo `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/providers/ldap/libsss_ldap_la-ldap_init.lo: src/providers/ldap/ldap_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_la-ldap_init.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_init.Tpo -c -o src/providers/ldap/libsss_ldap_la-ldap_init.lo `test -f 'src/providers/ldap/ldap_init.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_init.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_init.c' object='src/providers/ldap/libsss_ldap_la-ldap_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_la-ldap_init.lo `test -f 'src/providers/ldap/ldap_init.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_init.c + +src/providers/ldap/libsss_ldap_la-ldap_access.lo: src/providers/ldap/ldap_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_la-ldap_access.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_access.Tpo -c -o src/providers/ldap/libsss_ldap_la-ldap_access.lo `test -f 
'src/providers/ldap/ldap_access.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_access.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_la-ldap_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_access.c' object='src/providers/ldap/libsss_ldap_la-ldap_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_la-ldap_access.lo `test -f 'src/providers/ldap/ldap_access.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_access.c + +src/providers/ldap/libsss_ldap_common_la-ldap_id.lo: src/providers/ldap/ldap_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_id.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id.lo `test -f 'src/providers/ldap/ldap_id.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_id.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) 
--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id.lo `test -f 'src/providers/ldap/ldap_id.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id.c + +src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo: src/providers/ldap/ldap_id_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_enum.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo `test -f 'src/providers/ldap/ldap_id_enum.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_enum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_enum.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_enum.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_id_enum.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_enum.lo `test -f 'src/providers/ldap/ldap_id_enum.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_enum.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo: src/providers/ldap/sdap_async_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_enum.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo `test -f 'src/providers/ldap/sdap_async_enum.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_enum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_enum.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_enum.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_enum.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_enum.lo `test -f 'src/providers/ldap/sdap_async_enum.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_enum.c + +src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo: src/providers/ldap/ldap_id_cleanup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_cleanup.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo `test -f 'src/providers/ldap/ldap_id_cleanup.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_cleanup.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_cleanup.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_cleanup.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_id_cleanup.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_cleanup.lo `test -f 'src/providers/ldap/ldap_id_cleanup.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_cleanup.c + +src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo: src/providers/ldap/ldap_id_netgroup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_netgroup.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo `test -f 'src/providers/ldap/ldap_id_netgroup.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_netgroup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_netgroup.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_netgroup.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_id_netgroup.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_netgroup.lo `test -f 'src/providers/ldap/ldap_id_netgroup.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_netgroup.c + +src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo: src/providers/ldap/ldap_id_services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_services.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo `test -f 'src/providers/ldap/ldap_id_services.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_services.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_services.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_id_services.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_id_services.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_id_services.lo `test -f 'src/providers/ldap/ldap_id_services.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_id_services.c + 
+src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo: src/providers/ldap/ldap_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_auth.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo `test -f 'src/providers/ldap/ldap_auth.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_auth.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_auth.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_auth.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_auth.lo `test -f 'src/providers/ldap/ldap_auth.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_auth.c + +src/providers/ldap/libsss_ldap_common_la-ldap_common.lo: src/providers/ldap/ldap_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_common.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_common.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_common.lo `test -f 
'src/providers/ldap/ldap_common.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_common.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_common.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_common.lo `test -f 'src/providers/ldap/ldap_common.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_common.c + +src/providers/ldap/libsss_ldap_common_la-ldap_options.lo: src/providers/ldap/ldap_options.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_options.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_options.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_options.lo `test -f 'src/providers/ldap/ldap_options.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_options.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_options.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_options.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_options.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_options.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_options.lo `test -f 'src/providers/ldap/ldap_options.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_options.c + +src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_opts.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-ldap_opts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-ldap_opts.lo `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c + +src/providers/ldap/libsss_ldap_common_la-sdap_access.lo: src/providers/ldap/sdap_access.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_access.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_access.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_access.lo `test -f 'src/providers/ldap/sdap_access.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_access.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_access.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_access.lo `test -f 'src/providers/ldap/sdap_access.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_access.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async.lo: src/providers/ldap/sdap_async.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async.lo `test -f 'src/providers/ldap/sdap_async.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async.lo `test -f 'src/providers/ldap/sdap_async.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo: src/providers/ldap/sdap_async_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_users.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo `test -f 'src/providers/ldap/sdap_async_users.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_users.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_users.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_users.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_users.lo `test -f 'src/providers/ldap/sdap_async_users.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_users.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo: src/providers/ldap/sdap_async_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo `test -f 'src/providers/ldap/sdap_async_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_groups.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_groups.lo `test -f 'src/providers/ldap/sdap_async_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_groups.c + 
+src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo: src/providers/ldap/sdap_async_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_nested_groups.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo `test -f 'src/providers/ldap/sdap_async_nested_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_nested_groups.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_nested_groups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_nested_groups.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_nested_groups.lo `test -f 'src/providers/ldap/sdap_async_nested_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_nested_groups.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo: src/providers/ldap/sdap_async_groups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT 
src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups_ad.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo `test -f 'src/providers/ldap/sdap_async_groups_ad.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_groups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups_ad.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_groups_ad.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_groups_ad.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_groups_ad.lo `test -f 'src/providers/ldap/sdap_async_groups_ad.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_groups_ad.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo: src/providers/ldap/sdap_async_initgroups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo `test -f 'src/providers/ldap/sdap_async_initgroups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_initgroups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_initgroups.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups.lo `test -f 'src/providers/ldap/sdap_async_initgroups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_initgroups.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo: src/providers/ldap/sdap_async_initgroups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups_ad.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo `test -f 'src/providers/ldap/sdap_async_initgroups_ad.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_initgroups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups_ad.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_initgroups_ad.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_initgroups_ad.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo' libtool=yes @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_initgroups_ad.lo `test -f 'src/providers/ldap/sdap_async_initgroups_ad.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_initgroups_ad.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo: src/providers/ldap/sdap_async_connection.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_connection.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo `test -f 'src/providers/ldap/sdap_async_connection.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_connection.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_connection.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_connection.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_connection.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o 
src/providers/ldap/libsss_ldap_common_la-sdap_async_connection.lo `test -f 'src/providers/ldap/sdap_async_connection.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_connection.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo: src/providers/ldap/sdap_async_netgroups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_netgroups.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo `test -f 'src/providers/ldap/sdap_async_netgroups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_netgroups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_netgroups.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_netgroups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_netgroups.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_netgroups.lo `test -f 'src/providers/ldap/sdap_async_netgroups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_netgroups.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo: src/providers/ldap/sdap_async_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile 
$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_hosts.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo `test -f 'src/providers/ldap/sdap_async_hosts.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_hosts.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_hosts.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_hosts.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_hosts.lo `test -f 'src/providers/ldap/sdap_async_hosts.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_hosts.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo: src/providers/ldap/sdap_async_services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_services.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo `test -f 'src/providers/ldap/sdap_async_services.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_services.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_services.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_services.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_services.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_services.lo `test -f 'src/providers/ldap/sdap_async_services.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_services.c + +src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo: src/providers/ldap/sdap_online_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_online_check.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo `test -f 'src/providers/ldap/sdap_online_check.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_online_check.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_online_check.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_online_check.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_online_check.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_online_check.lo `test -f 'src/providers/ldap/sdap_online_check.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_online_check.c + +src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo: src/providers/ldap/sdap_ad_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ad_groups.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo `test -f 'src/providers/ldap/sdap_ad_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_ad_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ad_groups.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ad_groups.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_ad_groups.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_ad_groups.lo `test -f 'src/providers/ldap/sdap_ad_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_ad_groups.c + 
+src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo: src/providers/ldap/sdap_child_helpers.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_child_helpers.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo `test -f 'src/providers/ldap/sdap_child_helpers.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_child_helpers.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_child_helpers.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_child_helpers.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_child_helpers.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_child_helpers.lo `test -f 'src/providers/ldap/sdap_child_helpers.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_child_helpers.c + +src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo: src/providers/ldap/sdap_fd_events.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo -MD -MP -MF 
src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_fd_events.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo `test -f 'src/providers/ldap/sdap_fd_events.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_fd_events.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_fd_events.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_fd_events.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_fd_events.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_fd_events.lo `test -f 'src/providers/ldap/sdap_fd_events.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_fd_events.c + +src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo: src/providers/ldap/sdap_id_op.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_id_op.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo `test -f 'src/providers/ldap/sdap_id_op.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_id_op.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_id_op.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_id_op.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_id_op.c' 
object='src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_id_op.lo `test -f 'src/providers/ldap/sdap_id_op.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_id_op.c + +src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo: src/providers/ldap/sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_certmap.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo `test -f 'src/providers/ldap/sdap_certmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_certmap.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_certmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_certmap.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_certmap.lo `test -f 
'src/providers/ldap/sdap_certmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_certmap.c + +src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo: src/providers/ldap/sdap_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_idmap.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo `test -f 'src/providers/ldap/sdap_idmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_idmap.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_idmap.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_idmap.lo `test -f 'src/providers/ldap/sdap_idmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_idmap.c + +src/providers/ldap/libsss_ldap_common_la-sdap_range.lo: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_range.lo -MD -MP -MF 
src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_range.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_range.lo `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_range.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_range.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_range.lo `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c + +src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo: src/providers/ldap/sdap_reinit.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_reinit.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo `test -f 'src/providers/ldap/sdap_reinit.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_reinit.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_reinit.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_reinit.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_reinit.c' 
object='src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_reinit.lo `test -f 'src/providers/ldap/sdap_reinit.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_reinit.c + +src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo: src/providers/ldap/sdap_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_dyndns.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo `test -f 'src/providers/ldap/sdap_dyndns.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_dyndns.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_dyndns.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_dyndns.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_dyndns.lo `test -f 
'src/providers/ldap/sdap_dyndns.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_dyndns.c + +src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo: src/providers/ldap/sdap_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_refresh.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo `test -f 'src/providers/ldap/sdap_refresh.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_refresh.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_refresh.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_refresh.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_refresh.lo `test -f 'src/providers/ldap/sdap_refresh.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_refresh.c + +src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo: src/providers/ldap/sdap_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo -MD -MP -MF 
src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_utils.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo `test -f 'src/providers/ldap/sdap_utils.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_utils.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_utils.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_utils.lo `test -f 'src/providers/ldap/sdap_utils.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_utils.c + +src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_domain.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_domain.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' 
object='src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_domain.lo `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c + +src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo: src/providers/ldap/sdap_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ops.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo `test -f 'src/providers/ldap/sdap_ops.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ops.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_ops.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_ops.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_ops.lo `test -f 'src/providers/ldap/sdap_ops.c' || echo 
'$(srcdir)/'`src/providers/ldap/sdap_ops.c + +src/providers/ldap/libsss_ldap_common_la-sdap.lo: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap.lo `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/libsss_ldap_common_la-sdap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap.lo `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c + +src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo: src/providers/ipa/ipa_dn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo -MD -MP -MF src/providers/ipa/$(DEPDIR)/libsss_ldap_common_la-ipa_dn.Tpo -c -o src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo `test -f 'src/providers/ipa/ipa_dn.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dn.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/libsss_ldap_common_la-ipa_dn.Tpo src/providers/ipa/$(DEPDIR)/libsss_ldap_common_la-ipa_dn.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_dn.c' object='src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/libsss_ldap_common_la-ipa_dn.lo `test -f 'src/providers/ipa/ipa_dn.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dn.c + +src/util/libsss_ldap_common_la-user_info_msg.lo: src/util/user_info_msg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_ldap_common_la-user_info_msg.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_ldap_common_la-user_info_msg.Tpo -c -o src/util/libsss_ldap_common_la-user_info_msg.lo `test -f 'src/util/user_info_msg.c' || echo '$(srcdir)/'`src/util/user_info_msg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_ldap_common_la-user_info_msg.Tpo src/util/$(DEPDIR)/libsss_ldap_common_la-user_info_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/user_info_msg.c' object='src/util/libsss_ldap_common_la-user_info_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_ldap_common_la-user_info_msg.lo `test -f 'src/util/user_info_msg.c' || echo '$(srcdir)/'`src/util/user_info_msg.c + +src/util/libsss_ldap_common_la-sss_sockets.lo: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_ldap_common_la-sss_sockets.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_ldap_common_la-sss_sockets.Tpo -c -o src/util/libsss_ldap_common_la-sss_sockets.lo `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_ldap_common_la-sss_sockets.Tpo src/util/$(DEPDIR)/libsss_ldap_common_la-sss_sockets.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/libsss_ldap_common_la-sss_sockets.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_ldap_common_la-sss_sockets.lo `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c + +src/util/libsss_ldap_common_la-sss_ldap.lo: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_ldap_common_la-sss_ldap.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_ldap_common_la-sss_ldap.Tpo -c -o src/util/libsss_ldap_common_la-sss_ldap.lo `test -f 'src/util/sss_ldap.c' || 
echo '$(srcdir)/'`src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_ldap_common_la-sss_ldap.Tpo src/util/$(DEPDIR)/libsss_ldap_common_la-sss_ldap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/libsss_ldap_common_la-sss_ldap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_ldap_common_la-sss_ldap.lo `test -f 'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c + +src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo: src/providers/ldap/sdap_hostid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_hostid.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo `test -f 'src/providers/ldap/sdap_hostid.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_hostid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_hostid.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_hostid.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_hostid.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_hostid.lo `test -f 'src/providers/ldap/sdap_hostid.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_hostid.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo: src/providers/ldap/sdap_async_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo `test -f 'src/providers/ldap/sdap_async_sudo.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_sudo.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo.lo `test -f 'src/providers/ldap/sdap_async_sudo.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_sudo.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo: src/providers/ldap/sdap_async_sudo_hostinfo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo_hostinfo.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo `test -f 'src/providers/ldap/sdap_async_sudo_hostinfo.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_sudo_hostinfo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo_hostinfo.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_sudo_hostinfo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_sudo_hostinfo.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_sudo_hostinfo.lo `test -f 'src/providers/ldap/sdap_async_sudo_hostinfo.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_sudo_hostinfo.c + +src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo: src/providers/ldap/sdap_sudo_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_refresh.Tpo -c -o 
src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo `test -f 'src/providers/ldap/sdap_sudo_refresh.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_sudo_refresh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_refresh.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_refresh.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_sudo_refresh.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_sudo_refresh.lo `test -f 'src/providers/ldap/sdap_sudo_refresh.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_sudo_refresh.c + +src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo: src/providers/ldap/sdap_sudo_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_shared.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo `test -f 'src/providers/ldap/sdap_sudo_shared.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_sudo_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_shared.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo_shared.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_sudo_shared.c' 
object='src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_sudo_shared.lo `test -f 'src/providers/ldap/sdap_sudo_shared.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_sudo_shared.c + +src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo: src/providers/ldap/sdap_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo `test -f 'src/providers/ldap/sdap_sudo.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_sudo.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_sudo.lo `test -f 'src/providers/ldap/sdap_sudo.c' || 
echo '$(srcdir)/'`src/providers/ldap/sdap_sudo.c + +src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo: src/providers/ldap/sdap_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo -MD -MP -MF src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_autofs.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo `test -f 'src/providers/ldap/sdap_autofs.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_autofs.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_autofs.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_autofs.lo `test -f 'src/providers/ldap/sdap_autofs.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_autofs.c + +src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo: src/providers/ldap/sdap_async_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -MT src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo -MD -MP -MF 
src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_autofs.Tpo -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo `test -f 'src/providers/ldap/sdap_async_autofs.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_autofs.Tpo src/providers/ldap/$(DEPDIR)/libsss_ldap_common_la-sdap_async_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_autofs.c' object='src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_ldap_common_la_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/libsss_ldap_common_la-sdap_async_autofs.lo `test -f 'src/providers/ldap/sdap_async_autofs.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_autofs.c + +src/providers/proxy/libsss_proxy_la-proxy_init.lo: src/providers/proxy/proxy_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_init.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_init.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_init.lo `test -f 'src/providers/proxy/proxy_init.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_init.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_init.c' 
object='src/providers/proxy/libsss_proxy_la-proxy_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_init.lo `test -f 'src/providers/proxy/proxy_init.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_init.c + +src/providers/proxy/libsss_proxy_la-proxy_client.lo: src/providers/proxy/proxy_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_client.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_client.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_client.lo `test -f 'src/providers/proxy/proxy_client.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_client.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_client.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_client.c' object='src/providers/proxy/libsss_proxy_la-proxy_client.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_client.lo `test -f 'src/providers/proxy/proxy_client.c' || echo 
'$(srcdir)/'`src/providers/proxy/proxy_client.c + +src/providers/proxy/libsss_proxy_la-proxy_id.lo: src/providers/proxy/proxy_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_id.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_id.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_id.lo `test -f 'src/providers/proxy/proxy_id.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_id.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_id.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_id.c' object='src/providers/proxy/libsss_proxy_la-proxy_id.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_id.lo `test -f 'src/providers/proxy/proxy_id.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_id.c + +src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo: src/providers/proxy/proxy_netgroup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_netgroup.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo `test -f 'src/providers/proxy/proxy_netgroup.c' || echo 
'$(srcdir)/'`src/providers/proxy/proxy_netgroup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_netgroup.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_netgroup.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_netgroup.c' object='src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_netgroup.lo `test -f 'src/providers/proxy/proxy_netgroup.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_netgroup.c + +src/providers/proxy/libsss_proxy_la-proxy_services.lo: src/providers/proxy/proxy_services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_services.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_services.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_services.lo `test -f 'src/providers/proxy/proxy_services.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_services.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_services.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_services.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_services.c' object='src/providers/proxy/libsss_proxy_la-proxy_services.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_services.lo `test -f 'src/providers/proxy/proxy_services.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_services.c + +src/providers/proxy/libsss_proxy_la-proxy_auth.lo: src/providers/proxy/proxy_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_auth.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_auth.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_auth.lo `test -f 'src/providers/proxy/proxy_auth.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_auth.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_auth.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_auth.c' object='src/providers/proxy/libsss_proxy_la-proxy_auth.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_auth.lo `test -f 'src/providers/proxy/proxy_auth.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_auth.c + +src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo: src/providers/proxy/proxy_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -MT src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo -MD -MP -MF src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_iface_generated.Tpo -c -o src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo `test -f 'src/providers/proxy/proxy_iface_generated.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_iface_generated.Tpo src/providers/proxy/$(DEPDIR)/libsss_proxy_la-proxy_iface_generated.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_iface_generated.c' object='src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_proxy_la_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/libsss_proxy_la-proxy_iface_generated.lo `test -f 'src/providers/proxy/proxy_iface_generated.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_iface_generated.c + +src/util/libsss_semanage_la-sss_semanage.lo: src/util/sss_semanage.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_semanage_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_semanage_la-sss_semanage.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_semanage_la-sss_semanage.Tpo -c -o src/util/libsss_semanage_la-sss_semanage.lo `test -f 'src/util/sss_semanage.c' || echo '$(srcdir)/'`src/util/sss_semanage.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_semanage_la-sss_semanage.Tpo 
src/util/$(DEPDIR)/libsss_semanage_la-sss_semanage.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_semanage.c' object='src/util/libsss_semanage_la-sss_semanage.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_semanage_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_semanage_la-sss_semanage.lo `test -f 'src/util/sss_semanage.c' || echo '$(srcdir)/'`src/util/sss_semanage.c + +src/providers/simple/libsss_simple_la-simple_access_check.lo: src/providers/simple/simple_access_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simple_la_CFLAGS) $(CFLAGS) -MT src/providers/simple/libsss_simple_la-simple_access_check.lo -MD -MP -MF src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access_check.Tpo -c -o src/providers/simple/libsss_simple_la-simple_access_check.lo `test -f 'src/providers/simple/simple_access_check.c' || echo '$(srcdir)/'`src/providers/simple/simple_access_check.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access_check.Tpo src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access_check.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/simple/simple_access_check.c' object='src/providers/simple/libsss_simple_la-simple_access_check.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simple_la_CFLAGS) $(CFLAGS) -c -o src/providers/simple/libsss_simple_la-simple_access_check.lo `test -f 'src/providers/simple/simple_access_check.c' || echo '$(srcdir)/'`src/providers/simple/simple_access_check.c + +src/providers/simple/libsss_simple_la-simple_access.lo: src/providers/simple/simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simple_la_CFLAGS) $(CFLAGS) -MT src/providers/simple/libsss_simple_la-simple_access.lo -MD -MP -MF src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access.Tpo -c -o src/providers/simple/libsss_simple_la-simple_access.lo `test -f 'src/providers/simple/simple_access.c' || echo '$(srcdir)/'`src/providers/simple/simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access.Tpo src/providers/simple/$(DEPDIR)/libsss_simple_la-simple_access.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/simple/simple_access.c' object='src/providers/simple/libsss_simple_la-simple_access.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simple_la_CFLAGS) $(CFLAGS) -c -o src/providers/simple/libsss_simple_la-simple_access.lo `test -f 'src/providers/simple/simple_access.c' || echo '$(srcdir)/'`src/providers/simple/simple_access.c + +src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo: src/lib/sifp/sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -MT src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo -MD -MP -MF src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp.Tpo -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo `test -f 'src/lib/sifp/sss_sifp.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp.Tpo src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp.c' object='src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp.lo `test -f 'src/lib/sifp/sss_sifp.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp.c + +src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo: src/lib/sifp/sss_sifp_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -MT src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo -MD -MP -MF src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_dbus.Tpo -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo `test -f 'src/lib/sifp/sss_sifp_dbus.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_dbus.Tpo src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_dbus.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_dbus.c' object='src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo' libtool=yes @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_dbus.lo `test -f 'src/lib/sifp/sss_sifp_dbus.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_dbus.c + +src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo: src/lib/sifp/sss_sifp_attrs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -MT src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo -MD -MP -MF src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_attrs.Tpo -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo `test -f 'src/lib/sifp/sss_sifp_attrs.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_attrs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_attrs.Tpo src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_attrs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_attrs.c' object='src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_attrs.lo `test -f 'src/lib/sifp/sss_sifp_attrs.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_attrs.c + +src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo: src/lib/sifp/sss_sifp_common.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -MT src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo -MD -MP -MF src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_common.Tpo -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo `test -f 'src/lib/sifp/sss_sifp_common.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_common.Tpo src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_common.c' object='src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_common.lo `test -f 'src/lib/sifp/sss_sifp_common.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_common.c + +src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo: src/lib/sifp/sss_sifp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -MT src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo -MD -MP -MF src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_parser.Tpo -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo `test -f 'src/lib/sifp/sss_sifp_parser.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_parser.Tpo src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_parser.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_parser.c' object='src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_parser.lo `test -f 'src/lib/sifp/sss_sifp_parser.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_parser.c + +src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo: src/lib/sifp/sss_sifp_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -MT src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo -MD -MP -MF src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_utils.Tpo -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo `test -f 'src/lib/sifp/sss_sifp_utils.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_utils.Tpo src/lib/sifp/$(DEPDIR)/libsss_simpleifp_la-sss_sifp_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_utils.c' object='src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(libsss_simpleifp_la_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/libsss_simpleifp_la-sss_sifp_utils.lo `test -f 'src/lib/sifp/sss_sifp_utils.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_utils.c + +src/confdb/libsss_util_la-confdb.lo: src/confdb/confdb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/confdb/libsss_util_la-confdb.lo -MD -MP -MF src/confdb/$(DEPDIR)/libsss_util_la-confdb.Tpo -c -o src/confdb/libsss_util_la-confdb.lo `test -f 'src/confdb/confdb.c' || echo '$(srcdir)/'`src/confdb/confdb.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/libsss_util_la-confdb.Tpo src/confdb/$(DEPDIR)/libsss_util_la-confdb.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb.c' object='src/confdb/libsss_util_la-confdb.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/confdb/libsss_util_la-confdb.lo `test -f 'src/confdb/confdb.c' || echo '$(srcdir)/'`src/confdb/confdb.c + +src/db/libsss_util_la-sysdb.lo: src/db/sysdb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb.Tpo -c -o src/db/libsss_util_la-sysdb.lo `test -f 'src/db/sysdb.c' || echo '$(srcdir)/'`src/db/sysdb.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb.Tpo 
src/db/$(DEPDIR)/libsss_util_la-sysdb.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb.c' object='src/db/libsss_util_la-sysdb.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb.lo `test -f 'src/db/sysdb.c' || echo '$(srcdir)/'`src/db/sysdb.c + +src/db/libsss_util_la-sysdb_ops.lo: src/db/sysdb_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_ops.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_ops.Tpo -c -o src/db/libsss_util_la-sysdb_ops.lo `test -f 'src/db/sysdb_ops.c' || echo '$(srcdir)/'`src/db/sysdb_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_ops.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_ops.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_ops.c' object='src/db/libsss_util_la-sysdb_ops.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_ops.lo `test -f 'src/db/sysdb_ops.c' || echo '$(srcdir)/'`src/db/sysdb_ops.c + +src/db/libsss_util_la-sysdb_search.lo: src/db/sysdb_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_search.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_search.Tpo -c -o src/db/libsss_util_la-sysdb_search.lo `test -f 'src/db/sysdb_search.c' || echo '$(srcdir)/'`src/db/sysdb_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_search.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_search.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_search.c' object='src/db/libsss_util_la-sysdb_search.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_search.lo `test -f 'src/db/sysdb_search.c' || echo '$(srcdir)/'`src/db/sysdb_search.c + +src/db/libsss_util_la-sysdb_selinux.lo: src/db/sysdb_selinux.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_selinux.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_selinux.Tpo -c -o src/db/libsss_util_la-sysdb_selinux.lo `test -f 'src/db/sysdb_selinux.c' || echo '$(srcdir)/'`src/db/sysdb_selinux.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_selinux.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_selinux.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_selinux.c' object='src/db/libsss_util_la-sysdb_selinux.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_selinux.lo `test -f 'src/db/sysdb_selinux.c' || echo '$(srcdir)/'`src/db/sysdb_selinux.c + +src/db/libsss_util_la-sysdb_upgrade.lo: src/db/sysdb_upgrade.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_upgrade.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_upgrade.Tpo -c -o src/db/libsss_util_la-sysdb_upgrade.lo `test -f 'src/db/sysdb_upgrade.c' || echo '$(srcdir)/'`src/db/sysdb_upgrade.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_upgrade.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_upgrade.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_upgrade.c' object='src/db/libsss_util_la-sysdb_upgrade.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_upgrade.lo `test -f 'src/db/sysdb_upgrade.c' || echo '$(srcdir)/'`src/db/sysdb_upgrade.c + +src/db/libsss_util_la-sysdb_init.lo: src/db/sysdb_init.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_init.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_init.Tpo -c -o 
src/db/libsss_util_la-sysdb_init.lo `test -f 'src/db/sysdb_init.c' || echo '$(srcdir)/'`src/db/sysdb_init.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_init.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_init.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_init.c' object='src/db/libsss_util_la-sysdb_init.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_init.lo `test -f 'src/db/sysdb_init.c' || echo '$(srcdir)/'`src/db/sysdb_init.c + +src/db/libsss_util_la-sysdb_services.lo: src/db/sysdb_services.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_services.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_services.Tpo -c -o src/db/libsss_util_la-sysdb_services.lo `test -f 'src/db/sysdb_services.c' || echo '$(srcdir)/'`src/db/sysdb_services.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_services.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_services.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_services.c' object='src/db/libsss_util_la-sysdb_services.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o 
src/db/libsss_util_la-sysdb_services.lo `test -f 'src/db/sysdb_services.c' || echo '$(srcdir)/'`src/db/sysdb_services.c + +src/db/libsss_util_la-sysdb_autofs.lo: src/db/sysdb_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_autofs.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_autofs.Tpo -c -o src/db/libsss_util_la-sysdb_autofs.lo `test -f 'src/db/sysdb_autofs.c' || echo '$(srcdir)/'`src/db/sysdb_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_autofs.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_autofs.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_autofs.c' object='src/db/libsss_util_la-sysdb_autofs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_autofs.lo `test -f 'src/db/sysdb_autofs.c' || echo '$(srcdir)/'`src/db/sysdb_autofs.c + +src/db/libsss_util_la-sysdb_subdomains.lo: src/db/sysdb_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_subdomains.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_subdomains.Tpo -c -o src/db/libsss_util_la-sysdb_subdomains.lo `test -f 'src/db/sysdb_subdomains.c' || echo '$(srcdir)/'`src/db/sysdb_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_subdomains.Tpo 
src/db/$(DEPDIR)/libsss_util_la-sysdb_subdomains.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_subdomains.c' object='src/db/libsss_util_la-sysdb_subdomains.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_subdomains.lo `test -f 'src/db/sysdb_subdomains.c' || echo '$(srcdir)/'`src/db/sysdb_subdomains.c + +src/db/libsss_util_la-sysdb_views.lo: src/db/sysdb_views.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_views.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_views.Tpo -c -o src/db/libsss_util_la-sysdb_views.lo `test -f 'src/db/sysdb_views.c' || echo '$(srcdir)/'`src/db/sysdb_views.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_views.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_views.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_views.c' object='src/db/libsss_util_la-sysdb_views.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_views.lo `test -f 'src/db/sysdb_views.c' || echo '$(srcdir)/'`src/db/sysdb_views.c + +src/db/libsss_util_la-sysdb_ranges.lo: src/db/sysdb_ranges.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_ranges.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_ranges.Tpo -c -o src/db/libsss_util_la-sysdb_ranges.lo `test -f 'src/db/sysdb_ranges.c' || echo '$(srcdir)/'`src/db/sysdb_ranges.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_ranges.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_ranges.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_ranges.c' object='src/db/libsss_util_la-sysdb_ranges.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_ranges.lo `test -f 'src/db/sysdb_ranges.c' || echo '$(srcdir)/'`src/db/sysdb_ranges.c + +src/db/libsss_util_la-sysdb_idmap.lo: src/db/sysdb_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_idmap.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_idmap.Tpo -c -o src/db/libsss_util_la-sysdb_idmap.lo `test -f 'src/db/sysdb_idmap.c' || echo '$(srcdir)/'`src/db/sysdb_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_idmap.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_idmap.c' object='src/db/libsss_util_la-sysdb_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_idmap.lo `test -f 'src/db/sysdb_idmap.c' || echo '$(srcdir)/'`src/db/sysdb_idmap.c + +src/db/libsss_util_la-sysdb_gpo.lo: src/db/sysdb_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_gpo.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_gpo.Tpo -c -o src/db/libsss_util_la-sysdb_gpo.lo `test -f 'src/db/sysdb_gpo.c' || echo '$(srcdir)/'`src/db/sysdb_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_gpo.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_gpo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_gpo.c' object='src/db/libsss_util_la-sysdb_gpo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_gpo.lo `test -f 'src/db/sysdb_gpo.c' || echo '$(srcdir)/'`src/db/sysdb_gpo.c + +src/db/libsss_util_la-sysdb_certmap.lo: src/db/sysdb_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_certmap.lo -MD -MP -MF 
src/db/$(DEPDIR)/libsss_util_la-sysdb_certmap.Tpo -c -o src/db/libsss_util_la-sysdb_certmap.lo `test -f 'src/db/sysdb_certmap.c' || echo '$(srcdir)/'`src/db/sysdb_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_certmap.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_certmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_certmap.c' object='src/db/libsss_util_la-sysdb_certmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_certmap.lo `test -f 'src/db/sysdb_certmap.c' || echo '$(srcdir)/'`src/db/sysdb_certmap.c + +src/db/libsss_util_la-sysdb_domain_resolution_order.lo: src/db/sysdb_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_domain_resolution_order.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_domain_resolution_order.Tpo -c -o src/db/libsss_util_la-sysdb_domain_resolution_order.lo `test -f 'src/db/sysdb_domain_resolution_order.c' || echo '$(srcdir)/'`src/db/sysdb_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_domain_resolution_order.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_domain_resolution_order.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_domain_resolution_order.c' object='src/db/libsss_util_la-sysdb_domain_resolution_order.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_domain_resolution_order.lo `test -f 'src/db/sysdb_domain_resolution_order.c' || echo '$(srcdir)/'`src/db/sysdb_domain_resolution_order.c + +src/monitor/libsss_util_la-monitor_sbus.lo: src/monitor/monitor_sbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/monitor/libsss_util_la-monitor_sbus.lo -MD -MP -MF src/monitor/$(DEPDIR)/libsss_util_la-monitor_sbus.Tpo -c -o src/monitor/libsss_util_la-monitor_sbus.lo `test -f 'src/monitor/monitor_sbus.c' || echo '$(srcdir)/'`src/monitor/monitor_sbus.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/libsss_util_la-monitor_sbus.Tpo src/monitor/$(DEPDIR)/libsss_util_la-monitor_sbus.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_sbus.c' object='src/monitor/libsss_util_la-monitor_sbus.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/monitor/libsss_util_la-monitor_sbus.lo `test -f 'src/monitor/monitor_sbus.c' || echo '$(srcdir)/'`src/monitor/monitor_sbus.c + +src/providers/libsss_util_la-dp_auth_util.lo: src/providers/dp_auth_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/providers/libsss_util_la-dp_auth_util.lo -MD -MP -MF src/providers/$(DEPDIR)/libsss_util_la-dp_auth_util.Tpo -c -o src/providers/libsss_util_la-dp_auth_util.lo `test -f 'src/providers/dp_auth_util.c' || echo '$(srcdir)/'`src/providers/dp_auth_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libsss_util_la-dp_auth_util.Tpo src/providers/$(DEPDIR)/libsss_util_la-dp_auth_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/dp_auth_util.c' object='src/providers/libsss_util_la-dp_auth_util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/providers/libsss_util_la-dp_auth_util.lo `test -f 'src/providers/dp_auth_util.c' || echo '$(srcdir)/'`src/providers/dp_auth_util.c + +src/providers/libsss_util_la-dp_pam_data_util.lo: src/providers/dp_pam_data_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/providers/libsss_util_la-dp_pam_data_util.lo -MD -MP -MF src/providers/$(DEPDIR)/libsss_util_la-dp_pam_data_util.Tpo -c -o src/providers/libsss_util_la-dp_pam_data_util.lo `test -f 'src/providers/dp_pam_data_util.c' || echo '$(srcdir)/'`src/providers/dp_pam_data_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/libsss_util_la-dp_pam_data_util.Tpo src/providers/$(DEPDIR)/libsss_util_la-dp_pam_data_util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/dp_pam_data_util.c' object='src/providers/libsss_util_la-dp_pam_data_util.lo' libtool=yes 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/providers/libsss_util_la-dp_pam_data_util.lo `test -f 'src/providers/dp_pam_data_util.c' || echo '$(srcdir)/'`src/providers/dp_pam_data_util.c + +src/providers/data_provider/libsss_util_la-dp_sbus.lo: src/providers/data_provider/dp_sbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/libsss_util_la-dp_sbus.lo -MD -MP -MF src/providers/data_provider/$(DEPDIR)/libsss_util_la-dp_sbus.Tpo -c -o src/providers/data_provider/libsss_util_la-dp_sbus.lo `test -f 'src/providers/data_provider/dp_sbus.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_sbus.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/libsss_util_la-dp_sbus.Tpo src/providers/data_provider/$(DEPDIR)/libsss_util_la-dp_sbus.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_sbus.c' object='src/providers/data_provider/libsss_util_la-dp_sbus.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/libsss_util_la-dp_sbus.lo `test -f 'src/providers/data_provider/dp_sbus.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_sbus.c + 
+src/sbus/libsss_util_la-sbus_client.lo: src/sbus/sbus_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sbus_client.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sbus_client.Tpo -c -o src/sbus/libsss_util_la-sbus_client.lo `test -f 'src/sbus/sbus_client.c' || echo '$(srcdir)/'`src/sbus/sbus_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sbus_client.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sbus_client.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sbus_client.c' object='src/sbus/libsss_util_la-sbus_client.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sbus_client.lo `test -f 'src/sbus/sbus_client.c' || echo '$(srcdir)/'`src/sbus/sbus_client.c + +src/sbus/libsss_util_la-sssd_dbus_common.lo: src/sbus/sssd_dbus_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_common.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_common.lo `test -f 'src/sbus/sssd_dbus_common.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/sbus/sssd_dbus_common.c' object='src/sbus/libsss_util_la-sssd_dbus_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_common.lo `test -f 'src/sbus/sssd_dbus_common.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_common.c + +src/sbus/libsss_util_la-sssd_dbus_connection.lo: src/sbus/sssd_dbus_connection.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_connection.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_connection.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_connection.lo `test -f 'src/sbus/sssd_dbus_connection.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_connection.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_connection.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_connection.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_connection.c' object='src/sbus/libsss_util_la-sssd_dbus_connection.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_connection.lo `test -f 'src/sbus/sssd_dbus_connection.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_connection.c + 
+src/sbus/libsss_util_la-sssd_dbus_meta.lo: src/sbus/sssd_dbus_meta.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_meta.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_meta.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_meta.lo `test -f 'src/sbus/sssd_dbus_meta.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_meta.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_meta.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_meta.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_meta.c' object='src/sbus/libsss_util_la-sssd_dbus_meta.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_meta.lo `test -f 'src/sbus/sssd_dbus_meta.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_meta.c + +src/sbus/libsss_util_la-sssd_dbus_interface.lo: src/sbus/sssd_dbus_interface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_interface.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_interface.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_interface.lo `test -f 'src/sbus/sssd_dbus_interface.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_interface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_interface.Tpo 
src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_interface.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_interface.c' object='src/sbus/libsss_util_la-sssd_dbus_interface.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_interface.lo `test -f 'src/sbus/sssd_dbus_interface.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_interface.c + +src/sbus/libsss_util_la-sssd_dbus_introspect.lo: src/sbus/sssd_dbus_introspect.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_introspect.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_introspect.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_introspect.lo `test -f 'src/sbus/sssd_dbus_introspect.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_introspect.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_introspect.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_introspect.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_introspect.c' object='src/sbus/libsss_util_la-sssd_dbus_introspect.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_introspect.lo `test -f 
'src/sbus/sssd_dbus_introspect.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_introspect.c + +src/sbus/libsss_util_la-sssd_dbus_invokers.lo: src/sbus/sssd_dbus_invokers.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_invokers.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_invokers.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_invokers.lo `test -f 'src/sbus/sssd_dbus_invokers.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_invokers.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_invokers.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_invokers.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_invokers.c' object='src/sbus/libsss_util_la-sssd_dbus_invokers.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_invokers.lo `test -f 'src/sbus/sssd_dbus_invokers.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_invokers.c + +src/sbus/libsss_util_la-sssd_dbus_properties.lo: src/sbus/sssd_dbus_properties.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_properties.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_properties.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_properties.lo `test -f 'src/sbus/sssd_dbus_properties.c' || echo 
'$(srcdir)/'`src/sbus/sssd_dbus_properties.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_properties.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_properties.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_properties.c' object='src/sbus/libsss_util_la-sssd_dbus_properties.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_properties.lo `test -f 'src/sbus/sssd_dbus_properties.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_properties.c + +src/sbus/libsss_util_la-sssd_dbus_request.lo: src/sbus/sssd_dbus_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_request.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_request.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_request.lo `test -f 'src/sbus/sssd_dbus_request.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_request.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_request.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_request.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_request.c' object='src/sbus/libsss_util_la-sssd_dbus_request.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_request.lo `test -f 'src/sbus/sssd_dbus_request.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_request.c + +src/sbus/libsss_util_la-sssd_dbus_server.lo: src/sbus/sssd_dbus_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_server.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_server.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_server.lo `test -f 'src/sbus/sssd_dbus_server.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_server.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_server.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_server.c' object='src/sbus/libsss_util_la-sssd_dbus_server.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_server.lo `test -f 'src/sbus/sssd_dbus_server.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_server.c + +src/sbus/libsss_util_la-sssd_dbus_signals.lo: src/sbus/sssd_dbus_signals.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_signals.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_signals.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_signals.lo 
`test -f 'src/sbus/sssd_dbus_signals.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_signals.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_signals.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_signals.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_signals.c' object='src/sbus/libsss_util_la-sssd_dbus_signals.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_signals.lo `test -f 'src/sbus/sssd_dbus_signals.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_signals.c + +src/sbus/libsss_util_la-sssd_dbus_common_signals.lo: src/sbus/sssd_dbus_common_signals.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_common_signals.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common_signals.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_common_signals.lo `test -f 'src/sbus/sssd_dbus_common_signals.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_common_signals.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common_signals.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_common_signals.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_common_signals.c' object='src/sbus/libsss_util_la-sssd_dbus_common_signals.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_common_signals.lo `test -f 'src/sbus/sssd_dbus_common_signals.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_common_signals.c + +src/sbus/libsss_util_la-sssd_dbus_utils.lo: src/sbus/sssd_dbus_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/sbus/libsss_util_la-sssd_dbus_utils.lo -MD -MP -MF src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_utils.Tpo -c -o src/sbus/libsss_util_la-sssd_dbus_utils.lo `test -f 'src/sbus/sssd_dbus_utils.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_utils.Tpo src/sbus/$(DEPDIR)/libsss_util_la-sssd_dbus_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_utils.c' object='src/sbus/libsss_util_la-sssd_dbus_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/sbus/libsss_util_la-sssd_dbus_utils.lo `test -f 'src/sbus/sssd_dbus_utils.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_utils.c + +src/util/libsss_util_la-util.lo: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util.Tpo 
-c -o src/util/libsss_util_la-util.lo `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util.Tpo src/util/$(DEPDIR)/libsss_util_la-util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/libsss_util_la-util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util.lo `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/libsss_util_la-util_ext.lo: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util_ext.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util_ext.Tpo -c -o src/util/libsss_util_la-util_ext.lo `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util_ext.Tpo src/util/$(DEPDIR)/libsss_util_la-util_ext.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/libsss_util_la-util_ext.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util_ext.lo `test -f 'src/util/util_ext.c' || echo 
'$(srcdir)/'`src/util/util_ext.c + +src/util/libsss_util_la-util_preauth.lo: src/util/util_preauth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util_preauth.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util_preauth.Tpo -c -o src/util/libsss_util_la-util_preauth.lo `test -f 'src/util/util_preauth.c' || echo '$(srcdir)/'`src/util/util_preauth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util_preauth.Tpo src/util/$(DEPDIR)/libsss_util_la-util_preauth.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_preauth.c' object='src/util/libsss_util_la-util_preauth.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util_preauth.lo `test -f 'src/util/util_preauth.c' || echo '$(srcdir)/'`src/util/util_preauth.c + +src/util/libsss_util_la-memory.lo: src/util/memory.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-memory.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-memory.Tpo -c -o src/util/libsss_util_la-memory.lo `test -f 'src/util/memory.c' || echo '$(srcdir)/'`src/util/memory.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-memory.Tpo src/util/$(DEPDIR)/libsss_util_la-memory.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/memory.c' 
object='src/util/libsss_util_la-memory.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-memory.lo `test -f 'src/util/memory.c' || echo '$(srcdir)/'`src/util/memory.c + +src/util/libsss_util_la-safe-format-string.lo: src/util/safe-format-string.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-safe-format-string.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-safe-format-string.Tpo -c -o src/util/libsss_util_la-safe-format-string.lo `test -f 'src/util/safe-format-string.c' || echo '$(srcdir)/'`src/util/safe-format-string.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-safe-format-string.Tpo src/util/$(DEPDIR)/libsss_util_la-safe-format-string.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/safe-format-string.c' object='src/util/libsss_util_la-safe-format-string.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-safe-format-string.lo `test -f 'src/util/safe-format-string.c' || echo '$(srcdir)/'`src/util/safe-format-string.c + +src/util/libsss_util_la-server.lo: src/util/server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-server.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-server.Tpo -c -o src/util/libsss_util_la-server.lo `test -f 'src/util/server.c' || echo '$(srcdir)/'`src/util/server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-server.Tpo src/util/$(DEPDIR)/libsss_util_la-server.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/server.c' object='src/util/libsss_util_la-server.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-server.lo `test -f 'src/util/server.c' || echo '$(srcdir)/'`src/util/server.c + +src/util/libsss_util_la-signal.lo: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-signal.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-signal.Tpo -c -o src/util/libsss_util_la-signal.lo `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-signal.Tpo src/util/$(DEPDIR)/libsss_util_la-signal.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/libsss_util_la-signal.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-signal.lo `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c + +src/util/libsss_util_la-usertools.lo: src/util/usertools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-usertools.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-usertools.Tpo -c -o src/util/libsss_util_la-usertools.lo `test -f 'src/util/usertools.c' || echo '$(srcdir)/'`src/util/usertools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-usertools.Tpo src/util/$(DEPDIR)/libsss_util_la-usertools.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/usertools.c' object='src/util/libsss_util_la-usertools.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-usertools.lo `test -f 'src/util/usertools.c' || echo '$(srcdir)/'`src/util/usertools.c + +src/util/libsss_util_la-backup_file.lo: src/util/backup_file.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-backup_file.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-backup_file.Tpo -c -o src/util/libsss_util_la-backup_file.lo `test -f 'src/util/backup_file.c' || echo 
'$(srcdir)/'`src/util/backup_file.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-backup_file.Tpo src/util/$(DEPDIR)/libsss_util_la-backup_file.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/backup_file.c' object='src/util/libsss_util_la-backup_file.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-backup_file.lo `test -f 'src/util/backup_file.c' || echo '$(srcdir)/'`src/util/backup_file.c + +src/util/libsss_util_la-strtonum.lo: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-strtonum.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-strtonum.Tpo -c -o src/util/libsss_util_la-strtonum.lo `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-strtonum.Tpo src/util/$(DEPDIR)/libsss_util_la-strtonum.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/libsss_util_la-strtonum.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-strtonum.lo `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c 
+ +src/util/libsss_util_la-check_and_open.lo: src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-check_and_open.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-check_and_open.Tpo -c -o src/util/libsss_util_la-check_and_open.lo `test -f 'src/util/check_and_open.c' || echo '$(srcdir)/'`src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-check_and_open.Tpo src/util/$(DEPDIR)/libsss_util_la-check_and_open.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/check_and_open.c' object='src/util/libsss_util_la-check_and_open.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-check_and_open.lo `test -f 'src/util/check_and_open.c' || echo '$(srcdir)/'`src/util/check_and_open.c + +src/util/libsss_util_la-refcount.lo: src/util/refcount.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-refcount.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-refcount.Tpo -c -o src/util/libsss_util_la-refcount.lo `test -f 'src/util/refcount.c' || echo '$(srcdir)/'`src/util/refcount.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-refcount.Tpo src/util/$(DEPDIR)/libsss_util_la-refcount.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/refcount.c' object='src/util/libsss_util_la-refcount.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-refcount.lo `test -f 'src/util/refcount.c' || echo '$(srcdir)/'`src/util/refcount.c + +src/util/libsss_util_la-sss_nss.lo: src/util/sss_nss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_nss.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-sss_nss.Tpo -c -o src/util/libsss_util_la-sss_nss.lo `test -f 'src/util/sss_nss.c' || echo '$(srcdir)/'`src/util/sss_nss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_nss.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_nss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_nss.c' object='src/util/libsss_util_la-sss_nss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_nss.lo `test -f 'src/util/sss_nss.c' || echo '$(srcdir)/'`src/util/sss_nss.c + +src/util/libsss_util_la-sss_utf8.lo: src/util/sss_utf8.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_utf8.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-sss_utf8.Tpo -c -o src/util/libsss_util_la-sss_utf8.lo `test -f 'src/util/sss_utf8.c' || echo '$(srcdir)/'`src/util/sss_utf8.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_utf8.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_utf8.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_utf8.c' object='src/util/libsss_util_la-sss_utf8.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_utf8.lo `test -f 'src/util/sss_utf8.c' || echo '$(srcdir)/'`src/util/sss_utf8.c + +src/util/libsss_util_la-sss_tc_utf8.lo: src/util/sss_tc_utf8.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_tc_utf8.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-sss_tc_utf8.Tpo -c -o src/util/libsss_util_la-sss_tc_utf8.lo `test -f 'src/util/sss_tc_utf8.c' || echo '$(srcdir)/'`src/util/sss_tc_utf8.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_tc_utf8.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_tc_utf8.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_tc_utf8.c' object='src/util/libsss_util_la-sss_tc_utf8.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_tc_utf8.lo `test -f 'src/util/sss_tc_utf8.c' || echo '$(srcdir)/'`src/util/sss_tc_utf8.c + +src/util/libsss_util_la-murmurhash3.lo: src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-murmurhash3.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-murmurhash3.Tpo -c -o src/util/libsss_util_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-murmurhash3.Tpo src/util/$(DEPDIR)/libsss_util_la-murmurhash3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/murmurhash3.c' object='src/util/libsss_util_la-murmurhash3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c + +src/util/libsss_util_la-atomic_io.lo: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-atomic_io.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-atomic_io.Tpo -c -o src/util/libsss_util_la-atomic_io.lo `test -f 'src/util/atomic_io.c' || echo 
'$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-atomic_io.Tpo src/util/$(DEPDIR)/libsss_util_la-atomic_io.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/libsss_util_la-atomic_io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-atomic_io.lo `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/libsss_util_la-authtok.lo: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-authtok.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-authtok.Tpo -c -o src/util/libsss_util_la-authtok.lo `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-authtok.Tpo src/util/$(DEPDIR)/libsss_util_la-authtok.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/libsss_util_la-authtok.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-authtok.lo `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c + 
+src/util/libsss_util_la-authtok-utils.lo: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-authtok-utils.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-authtok-utils.Tpo -c -o src/util/libsss_util_la-authtok-utils.lo `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-authtok-utils.Tpo src/util/$(DEPDIR)/libsss_util_la-authtok-utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' object='src/util/libsss_util_la-authtok-utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-authtok-utils.lo `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c + +src/util/libsss_util_la-sss_selinux.lo: src/util/sss_selinux.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_selinux.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-sss_selinux.Tpo -c -o src/util/libsss_util_la-sss_selinux.lo `test -f 'src/util/sss_selinux.c' || echo '$(srcdir)/'`src/util/sss_selinux.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_selinux.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_selinux.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/sss_selinux.c' object='src/util/libsss_util_la-sss_selinux.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_selinux.lo `test -f 'src/util/sss_selinux.c' || echo '$(srcdir)/'`src/util/sss_selinux.c + +src/util/libsss_util_la-domain_info_utils.lo: src/util/domain_info_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-domain_info_utils.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-domain_info_utils.Tpo -c -o src/util/libsss_util_la-domain_info_utils.lo `test -f 'src/util/domain_info_utils.c' || echo '$(srcdir)/'`src/util/domain_info_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-domain_info_utils.Tpo src/util/$(DEPDIR)/libsss_util_la-domain_info_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/domain_info_utils.c' object='src/util/libsss_util_la-domain_info_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-domain_info_utils.lo `test -f 'src/util/domain_info_utils.c' || echo '$(srcdir)/'`src/util/domain_info_utils.c + +src/util/libsss_util_la-util_lock.lo: src/util/util_lock.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util_lock.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util_lock.Tpo -c -o src/util/libsss_util_la-util_lock.lo `test -f 'src/util/util_lock.c' || echo '$(srcdir)/'`src/util/util_lock.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util_lock.Tpo src/util/$(DEPDIR)/libsss_util_la-util_lock.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_lock.c' object='src/util/libsss_util_la-util_lock.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util_lock.lo `test -f 'src/util/util_lock.c' || echo '$(srcdir)/'`src/util/util_lock.c + +src/util/libsss_util_la-util_errors.lo: src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util_errors.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util_errors.Tpo -c -o src/util/libsss_util_la-util_errors.lo `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util_errors.Tpo src/util/$(DEPDIR)/libsss_util_la-util_errors.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/libsss_util_la-util_errors.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util_errors.lo `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c + +src/util/libsss_util_la-find_uid.lo: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-find_uid.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-find_uid.Tpo -c -o src/util/libsss_util_la-find_uid.lo `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-find_uid.Tpo src/util/$(DEPDIR)/libsss_util_la-find_uid.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/find_uid.c' object='src/util/libsss_util_la-find_uid.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-find_uid.lo `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c + +src/util/libsss_util_la-sss_ini.lo: src/util/sss_ini.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_ini.lo -MD -MP -MF 
src/util/$(DEPDIR)/libsss_util_la-sss_ini.Tpo -c -o src/util/libsss_util_la-sss_ini.lo `test -f 'src/util/sss_ini.c' || echo '$(srcdir)/'`src/util/sss_ini.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_ini.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_ini.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ini.c' object='src/util/libsss_util_la-sss_ini.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_ini.lo `test -f 'src/util/sss_ini.c' || echo '$(srcdir)/'`src/util/sss_ini.c + +src/util/libsss_util_la-io.lo: src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-io.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-io.Tpo -c -o src/util/libsss_util_la-io.lo `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-io.Tpo src/util/$(DEPDIR)/libsss_util_la-io.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/io.c' object='src/util/libsss_util_la-io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-io.lo `test -f 'src/util/io.c' || echo 
'$(srcdir)/'`src/util/io.c + +src/util/libsss_util_la-util_sss_idmap.lo: src/util/util_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util_sss_idmap.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util_sss_idmap.Tpo -c -o src/util/libsss_util_la-util_sss_idmap.lo `test -f 'src/util/util_sss_idmap.c' || echo '$(srcdir)/'`src/util/util_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util_sss_idmap.Tpo src/util/$(DEPDIR)/libsss_util_la-util_sss_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_sss_idmap.c' object='src/util/libsss_util_la-util_sss_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util_sss_idmap.lo `test -f 'src/util/util_sss_idmap.c' || echo '$(srcdir)/'`src/util/util_sss_idmap.c + +src/util/libsss_util_la-well_known_sids.lo: src/util/well_known_sids.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-well_known_sids.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-well_known_sids.Tpo -c -o src/util/libsss_util_la-well_known_sids.lo `test -f 'src/util/well_known_sids.c' || echo '$(srcdir)/'`src/util/well_known_sids.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-well_known_sids.Tpo 
src/util/$(DEPDIR)/libsss_util_la-well_known_sids.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/well_known_sids.c' object='src/util/libsss_util_la-well_known_sids.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-well_known_sids.lo `test -f 'src/util/well_known_sids.c' || echo '$(srcdir)/'`src/util/well_known_sids.c + +src/util/libsss_util_la-string_utils.lo: src/util/string_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-string_utils.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-string_utils.Tpo -c -o src/util/libsss_util_la-string_utils.lo `test -f 'src/util/string_utils.c' || echo '$(srcdir)/'`src/util/string_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-string_utils.Tpo src/util/$(DEPDIR)/libsss_util_la-string_utils.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/string_utils.c' object='src/util/libsss_util_la-string_utils.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-string_utils.lo `test -f 'src/util/string_utils.c' || echo '$(srcdir)/'`src/util/string_utils.c + +src/util/libsss_util_la-become_user.lo: 
src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-become_user.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-become_user.Tpo -c -o src/util/libsss_util_la-become_user.lo `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-become_user.Tpo src/util/$(DEPDIR)/libsss_util_la-become_user.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/libsss_util_la-become_user.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-become_user.lo `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/util/libsss_util_la-util_watchdog.lo: src/util/util_watchdog.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-util_watchdog.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-util_watchdog.Tpo -c -o src/util/libsss_util_la-util_watchdog.lo `test -f 'src/util/util_watchdog.c' || echo '$(srcdir)/'`src/util/util_watchdog.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-util_watchdog.Tpo src/util/$(DEPDIR)/libsss_util_la-util_watchdog.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_watchdog.c' 
object='src/util/libsss_util_la-util_watchdog.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-util_watchdog.lo `test -f 'src/util/util_watchdog.c' || echo '$(srcdir)/'`src/util/util_watchdog.c + +src/util/libsss_util_la-sss_ptr_hash.lo: src/util/sss_ptr_hash.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_ptr_hash.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-sss_ptr_hash.Tpo -c -o src/util/libsss_util_la-sss_ptr_hash.lo `test -f 'src/util/sss_ptr_hash.c' || echo '$(srcdir)/'`src/util/sss_ptr_hash.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_ptr_hash.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_ptr_hash.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ptr_hash.c' object='src/util/libsss_util_la-sss_ptr_hash.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_ptr_hash.lo `test -f 'src/util/sss_ptr_hash.c' || echo '$(srcdir)/'`src/util/sss_ptr_hash.c + +src/util/libsss_util_la-files.lo: src/util/files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-files.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-files.Tpo -c -o src/util/libsss_util_la-files.lo `test -f 'src/util/files.c' || echo '$(srcdir)/'`src/util/files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-files.Tpo src/util/$(DEPDIR)/libsss_util_la-files.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/files.c' object='src/util/libsss_util_la-files.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-files.lo `test -f 'src/util/files.c' || echo '$(srcdir)/'`src/util/files.c + +src/util/libsss_util_la-selinux.lo: src/util/selinux.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-selinux.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-selinux.Tpo -c -o src/util/libsss_util_la-selinux.lo `test -f 'src/util/selinux.c' || echo '$(srcdir)/'`src/util/selinux.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-selinux.Tpo src/util/$(DEPDIR)/libsss_util_la-selinux.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/selinux.c' object='src/util/libsss_util_la-selinux.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-selinux.lo `test -f 'src/util/selinux.c' || echo '$(srcdir)/'`src/util/selinux.c + +src/db/libsss_util_la-sysdb_sudo.lo: src/db/sysdb_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_sudo.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_sudo.Tpo -c -o src/db/libsss_util_la-sysdb_sudo.lo `test -f 'src/db/sysdb_sudo.c' || echo '$(srcdir)/'`src/db/sysdb_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_sudo.Tpo src/db/$(DEPDIR)/libsss_util_la-sysdb_sudo.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_sudo.c' object='src/db/libsss_util_la-sysdb_sudo.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_sudo.lo `test -f 'src/db/sysdb_sudo.c' || echo '$(srcdir)/'`src/db/sysdb_sudo.c + +src/db/libsss_util_la-sysdb_ssh.lo: src/db/sysdb_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/db/libsss_util_la-sysdb_ssh.lo -MD -MP -MF src/db/$(DEPDIR)/libsss_util_la-sysdb_ssh.Tpo -c -o src/db/libsss_util_la-sysdb_ssh.lo `test -f 'src/db/sysdb_ssh.c' || echo '$(srcdir)/'`src/db/sysdb_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/db/$(DEPDIR)/libsss_util_la-sysdb_ssh.Tpo 
src/db/$(DEPDIR)/libsss_util_la-sysdb_ssh.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/db/sysdb_ssh.c' object='src/db/libsss_util_la-sysdb_ssh.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/db/libsss_util_la-sysdb_ssh.lo `test -f 'src/db/sysdb_ssh.c' || echo '$(srcdir)/'`src/db/sysdb_ssh.c + +src/util/libsss_util_la-sss_ssh.lo: src/util/sss_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -MT src/util/libsss_util_la-sss_ssh.lo -MD -MP -MF src/util/$(DEPDIR)/libsss_util_la-sss_ssh.Tpo -c -o src/util/libsss_util_la-sss_ssh.lo `test -f 'src/util/sss_ssh.c' || echo '$(srcdir)/'`src/util/sss_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/libsss_util_la-sss_ssh.Tpo src/util/$(DEPDIR)/libsss_util_la-sss_ssh.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ssh.c' object='src/util/libsss_util_la-sss_ssh.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libsss_util_la_CFLAGS) $(CFLAGS) -c -o src/util/libsss_util_la-sss_ssh.lo `test -f 'src/util/sss_ssh.c' || echo '$(srcdir)/'`src/util/sss_ssh.c + +src/ldb_modules/memberof_la-memberof.lo: src/ldb_modules/memberof.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(memberof_la_CFLAGS) $(CFLAGS) -MT src/ldb_modules/memberof_la-memberof.lo -MD -MP -MF src/ldb_modules/$(DEPDIR)/memberof_la-memberof.Tpo -c -o src/ldb_modules/memberof_la-memberof.lo `test -f 'src/ldb_modules/memberof.c' || echo '$(srcdir)/'`src/ldb_modules/memberof.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/ldb_modules/$(DEPDIR)/memberof_la-memberof.Tpo src/ldb_modules/$(DEPDIR)/memberof_la-memberof.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/ldb_modules/memberof.c' object='src/ldb_modules/memberof_la-memberof.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(memberof_la_CFLAGS) $(CFLAGS) -c -o src/ldb_modules/memberof_la-memberof.lo `test -f 'src/ldb_modules/memberof.c' || echo '$(srcdir)/'`src/ldb_modules/memberof.c + +src/util/memberof_la-util.lo: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(memberof_la_CFLAGS) $(CFLAGS) -MT src/util/memberof_la-util.lo -MD -MP -MF src/util/$(DEPDIR)/memberof_la-util.Tpo -c -o src/util/memberof_la-util.lo `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/memberof_la-util.Tpo src/util/$(DEPDIR)/memberof_la-util.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/memberof_la-util.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) 
$(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(memberof_la_CFLAGS) $(CFLAGS) -c -o src/util/memberof_la-util.lo `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/memberof_la-util_ext.lo: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(memberof_la_CFLAGS) $(CFLAGS) -MT src/util/memberof_la-util_ext.lo -MD -MP -MF src/util/$(DEPDIR)/memberof_la-util_ext.Tpo -c -o src/util/memberof_la-util_ext.lo `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/memberof_la-util_ext.Tpo src/util/$(DEPDIR)/memberof_la-util_ext.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/memberof_la-util_ext.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(memberof_la_CFLAGS) $(CFLAGS) -c -o src/util/memberof_la-util_ext.lo `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/sss_client/sss_la-common.lo: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_la-common.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sss_la-common.Tpo -c -o src/sss_client/sss_la-common.lo `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/sss_client/$(DEPDIR)/sss_la-common.Tpo src/sss_client/$(DEPDIR)/sss_la-common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_la-common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_la-common.lo `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_la-nss_mc_common.lo: src/sss_client/nss_mc_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_la-nss_mc_common.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sss_la-nss_mc_common.Tpo -c -o src/sss_client/sss_la-nss_mc_common.lo `test -f 'src/sss_client/nss_mc_common.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_la-nss_mc_common.Tpo src/sss_client/$(DEPDIR)/sss_la-nss_mc_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nss_mc_common.c' object='src/sss_client/sss_la-nss_mc_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_la-nss_mc_common.lo `test -f 'src/sss_client/nss_mc_common.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_common.c + +src/util/sss_la-io.lo: 
src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/util/sss_la-io.lo -MD -MP -MF src/util/$(DEPDIR)/sss_la-io.Tpo -c -o src/util/sss_la-io.lo `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_la-io.Tpo src/util/$(DEPDIR)/sss_la-io.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/io.c' object='src/util/sss_la-io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -c -o src/util/sss_la-io.lo `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c + +src/util/sss_la-murmurhash3.lo: src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/util/sss_la-murmurhash3.lo -MD -MP -MF src/util/$(DEPDIR)/sss_la-murmurhash3.Tpo -c -o src/util/sss_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_la-murmurhash3.Tpo src/util/$(DEPDIR)/sss_la-murmurhash3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/murmurhash3.c' object='src/util/sss_la-murmurhash3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -c -o src/util/sss_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c + +src/sss_client/sss_la-nss_mc_passwd.lo: src/sss_client/nss_mc_passwd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_la-nss_mc_passwd.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sss_la-nss_mc_passwd.Tpo -c -o src/sss_client/sss_la-nss_mc_passwd.lo `test -f 'src/sss_client/nss_mc_passwd.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_passwd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_la-nss_mc_passwd.Tpo src/sss_client/$(DEPDIR)/sss_la-nss_mc_passwd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nss_mc_passwd.c' object='src/sss_client/sss_la-nss_mc_passwd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_la-nss_mc_passwd.lo `test -f 'src/sss_client/nss_mc_passwd.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_passwd.c + +src/sss_client/sss_la-nss_mc_group.lo: src/sss_client/nss_mc_group.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_la-nss_mc_group.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sss_la-nss_mc_group.Tpo -c -o src/sss_client/sss_la-nss_mc_group.lo `test -f 'src/sss_client/nss_mc_group.c' || echo 
'$(srcdir)/'`src/sss_client/nss_mc_group.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_la-nss_mc_group.Tpo src/sss_client/$(DEPDIR)/sss_la-nss_mc_group.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nss_mc_group.c' object='src/sss_client/sss_la-nss_mc_group.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_la-nss_mc_group.lo `test -f 'src/sss_client/nss_mc_group.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_group.c + +src/sss_client/nfs/sss_la-sss_nfs_client.lo: src/sss_client/nfs/sss_nfs_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) $(CFLAGS) -MT src/sss_client/nfs/sss_la-sss_nfs_client.lo -MD -MP -MF src/sss_client/nfs/$(DEPDIR)/sss_la-sss_nfs_client.Tpo -c -o src/sss_client/nfs/sss_la-sss_nfs_client.lo `test -f 'src/sss_client/nfs/sss_nfs_client.c' || echo '$(srcdir)/'`src/sss_client/nfs/sss_nfs_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/nfs/$(DEPDIR)/sss_la-sss_nfs_client.Tpo src/sss_client/nfs/$(DEPDIR)/sss_la-sss_nfs_client.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nfs/sss_nfs_client.c' object='src/sss_client/nfs/sss_la-sss_nfs_client.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_la_CFLAGS) 
$(CFLAGS) -c -o src/sss_client/nfs/sss_la-sss_nfs_client.lo `test -f 'src/sss_client/nfs/sss_nfs_client.c' || echo '$(srcdir)/'`src/sss_client/nfs/sss_nfs_client.c + +src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo: src/krb5_plugin/sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo -MD -MP -MF src/krb5_plugin/$(DEPDIR)/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.Tpo -c -o src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo `test -f 'src/krb5_plugin/sssd_krb5_localauth_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/krb5_plugin/$(DEPDIR)/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.Tpo src/krb5_plugin/$(DEPDIR)/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/krb5_plugin/sssd_krb5_localauth_plugin.c' object='src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/krb5_plugin/sssd_krb5_localauth_plugin_la-sssd_krb5_localauth_plugin.lo `test -f 'src/krb5_plugin/sssd_krb5_localauth_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_localauth_plugin.c + +src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo: src/util/murmurhash3.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo -MD -MP -MF src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-murmurhash3.Tpo -c -o src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-murmurhash3.Tpo src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-murmurhash3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/murmurhash3.c' object='src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/util/sssd_krb5_localauth_plugin_la-murmurhash3.lo `test -f 'src/util/murmurhash3.c' || echo '$(srcdir)/'`src/util/murmurhash3.c + +src/util/sssd_krb5_localauth_plugin_la-io.lo: src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/util/sssd_krb5_localauth_plugin_la-io.lo -MD -MP -MF src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-io.Tpo -c -o src/util/sssd_krb5_localauth_plugin_la-io.lo `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-io.Tpo src/util/$(DEPDIR)/sssd_krb5_localauth_plugin_la-io.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/io.c' object='src/util/sssd_krb5_localauth_plugin_la-io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/util/sssd_krb5_localauth_plugin_la-io.lo `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c + +src/sss_client/sssd_krb5_localauth_plugin_la-common.lo: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_krb5_localauth_plugin_la-common.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-common.Tpo -c -o src/sss_client/sssd_krb5_localauth_plugin_la-common.lo `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-common.Tpo src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sssd_krb5_localauth_plugin_la-common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_krb5_localauth_plugin_la-common.lo `test -f 'src/sss_client/common.c' || echo 
'$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo: src/sss_client/nss_mc_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_common.Tpo -c -o src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo `test -f 'src/sss_client/nss_mc_common.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_common.Tpo src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nss_mc_common.c' object='src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_common.lo `test -f 'src/sss_client/nss_mc_common.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_common.c + +src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo: src/sss_client/nss_mc_passwd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo -MD -MP -MF 
src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_passwd.Tpo -c -o src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo `test -f 'src/sss_client/nss_mc_passwd.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_passwd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_passwd.Tpo src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_mc_passwd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nss_mc_passwd.c' object='src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_krb5_localauth_plugin_la-nss_mc_passwd.lo `test -f 'src/sss_client/nss_mc_passwd.c' || echo '$(srcdir)/'`src/sss_client/nss_mc_passwd.c + +src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo: src/sss_client/nss_passwd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_passwd.Tpo -c -o src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo `test -f 'src/sss_client/nss_passwd.c' || echo '$(srcdir)/'`src/sss_client/nss_passwd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_passwd.Tpo src/sss_client/$(DEPDIR)/sssd_krb5_localauth_plugin_la-nss_passwd.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/nss_passwd.c' 
object='src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_localauth_plugin_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_krb5_localauth_plugin_la-nss_passwd.lo `test -f 'src/sss_client/nss_passwd.c' || echo '$(srcdir)/'`src/sss_client/nss_passwd.c + +src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo: src/krb5_plugin/sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_locator_plugin_la_CFLAGS) $(CFLAGS) -MT src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo -MD -MP -MF src/krb5_plugin/$(DEPDIR)/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.Tpo -c -o src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo `test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/krb5_plugin/$(DEPDIR)/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.Tpo src/krb5_plugin/$(DEPDIR)/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/krb5_plugin/sssd_krb5_locator_plugin.c' object='src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_locator_plugin_la_CFLAGS) $(CFLAGS) -c -o src/krb5_plugin/sssd_krb5_locator_plugin_la-sssd_krb5_locator_plugin.lo `test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_locator_plugin.c + +src/util/sssd_krb5_locator_plugin_la-atomic_io.lo: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_locator_plugin_la_CFLAGS) $(CFLAGS) -MT src/util/sssd_krb5_locator_plugin_la-atomic_io.lo -MD -MP -MF src/util/$(DEPDIR)/sssd_krb5_locator_plugin_la-atomic_io.Tpo -c -o src/util/sssd_krb5_locator_plugin_la-atomic_io.lo `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_krb5_locator_plugin_la-atomic_io.Tpo src/util/$(DEPDIR)/sssd_krb5_locator_plugin_la-atomic_io.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/sssd_krb5_locator_plugin_la-atomic_io.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_krb5_locator_plugin_la_CFLAGS) $(CFLAGS) -c -o src/util/sssd_krb5_locator_plugin_la-atomic_io.lo `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/sss_client/sssd_pac_plugin_la-sssd_pac.lo: src/sss_client/sssd_pac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_plugin_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_pac_plugin_la-sssd_pac.lo -MD -MP -MF 
src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-sssd_pac.Tpo -c -o src/sss_client/sssd_pac_plugin_la-sssd_pac.lo `test -f 'src/sss_client/sssd_pac.c' || echo '$(srcdir)/'`src/sss_client/sssd_pac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-sssd_pac.Tpo src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-sssd_pac.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sssd_pac.c' object='src/sss_client/sssd_pac_plugin_la-sssd_pac.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_plugin_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_pac_plugin_la-sssd_pac.lo `test -f 'src/sss_client/sssd_pac.c' || echo '$(srcdir)/'`src/sss_client/sssd_pac.c + +src/sss_client/sssd_pac_plugin_la-common.lo: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_plugin_la_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_pac_plugin_la-common.lo -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-common.Tpo -c -o src/sss_client/sssd_pac_plugin_la-common.lo `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-common.Tpo src/sss_client/$(DEPDIR)/sssd_pac_plugin_la-common.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sssd_pac_plugin_la-common.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) 
--tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_plugin_la_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_pac_plugin_la-common.lo `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo: src/lib/winbind_idmap_sss/winbind_idmap_sss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(winbind_idmap_sss_la_CFLAGS) $(CFLAGS) -MT src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo -MD -MP -MF src/lib/winbind_idmap_sss/$(DEPDIR)/winbind_idmap_sss_la-winbind_idmap_sss.Tpo -c -o src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo `test -f 'src/lib/winbind_idmap_sss/winbind_idmap_sss.c' || echo '$(srcdir)/'`src/lib/winbind_idmap_sss/winbind_idmap_sss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/winbind_idmap_sss/$(DEPDIR)/winbind_idmap_sss_la-winbind_idmap_sss.Tpo src/lib/winbind_idmap_sss/$(DEPDIR)/winbind_idmap_sss_la-winbind_idmap_sss.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/winbind_idmap_sss/winbind_idmap_sss.c' object='src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(winbind_idmap_sss_la_CFLAGS) $(CFLAGS) -c -o src/lib/winbind_idmap_sss/winbind_idmap_sss_la-winbind_idmap_sss.lo `test -f 'src/lib/winbind_idmap_sss/winbind_idmap_sss.c' || echo '$(srcdir)/'`src/lib/winbind_idmap_sss/winbind_idmap_sss.c + +src/util/winbind_idmap_sss_la-util_sss_idmap.lo: 
src/util/util_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(winbind_idmap_sss_la_CFLAGS) $(CFLAGS) -MT src/util/winbind_idmap_sss_la-util_sss_idmap.lo -MD -MP -MF src/util/$(DEPDIR)/winbind_idmap_sss_la-util_sss_idmap.Tpo -c -o src/util/winbind_idmap_sss_la-util_sss_idmap.lo `test -f 'src/util/util_sss_idmap.c' || echo '$(srcdir)/'`src/util/util_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/winbind_idmap_sss_la-util_sss_idmap.Tpo src/util/$(DEPDIR)/winbind_idmap_sss_la-util_sss_idmap.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_sss_idmap.c' object='src/util/winbind_idmap_sss_la-util_sss_idmap.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(winbind_idmap_sss_la_CFLAGS) $(CFLAGS) -c -o src/util/winbind_idmap_sss_la-util_sss_idmap.lo `test -f 'src/util/util_sss_idmap.c' || echo '$(srcdir)/'`src/util/util_sss_idmap.c + +src/providers/krb5/ad_common_tests-krb5_utils.o: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_utils.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/ad_common_tests-krb5_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c + +src/providers/krb5/ad_common_tests-krb5_utils.obj: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_utils.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/ad_common_tests-krb5_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` + 
+src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.o: src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.o `test -f 'src/providers/krb5/krb5_delayed_online_authentication.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_delayed_online_authentication.c' object='src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.o `test -f 'src/providers/krb5/krb5_delayed_online_authentication.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_delayed_online_authentication.c + +src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.obj: src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.obj -MD -MP -MF 
src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.obj `if test -f 'src/providers/krb5/krb5_delayed_online_authentication.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_delayed_online_authentication.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_delayed_online_authentication.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_delayed_online_authentication.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_delayed_online_authentication.c' object='src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_delayed_online_authentication.obj `if test -f 'src/providers/krb5/krb5_delayed_online_authentication.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_delayed_online_authentication.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_delayed_online_authentication.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_renew_tgt.o: src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_renew_tgt.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_renew_tgt.o `test -f 'src/providers/krb5/krb5_renew_tgt.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_renew_tgt.c' object='src/providers/krb5/ad_common_tests-krb5_renew_tgt.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_renew_tgt.o `test -f 'src/providers/krb5/krb5_renew_tgt.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_renew_tgt.c + +src/providers/krb5/ad_common_tests-krb5_renew_tgt.obj: src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_renew_tgt.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_renew_tgt.obj `if test -f 'src/providers/krb5/krb5_renew_tgt.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_renew_tgt.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_renew_tgt.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_renew_tgt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_renew_tgt.c' object='src/providers/krb5/ad_common_tests-krb5_renew_tgt.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_renew_tgt.obj `if test -f 
'src/providers/krb5/krb5_renew_tgt.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_renew_tgt.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_renew_tgt.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_wait_queue.o: src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_wait_queue.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_wait_queue.o `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/ad_common_tests-krb5_wait_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_wait_queue.o `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c + +src/providers/krb5/ad_common_tests-krb5_wait_queue.obj: src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_wait_queue.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_wait_queue.obj `if test -f 'src/providers/krb5/krb5_wait_queue.c'; then $(CYGPATH_W) 
'src/providers/krb5/krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_wait_queue.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/ad_common_tests-krb5_wait_queue.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_wait_queue.obj `if test -f 'src/providers/krb5/krb5_wait_queue.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_wait_queue.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_common.o: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_common.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/ad_common_tests-krb5_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c + +src/providers/krb5/ad_common_tests-krb5_common.obj: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_common.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/ad_common_tests-krb5_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_opts.o: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_opts.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_opts.o `test 
-f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/ad_common_tests-krb5_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/ad_common_tests-krb5_opts.obj: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_opts.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/ad_common_tests-krb5_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o 
src/providers/krb5/ad_common_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_auth.o: src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_auth.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_auth.o `test -f 'src/providers/krb5/krb5_auth.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_auth.c' object='src/providers/krb5/ad_common_tests-krb5_auth.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_auth.o `test -f 'src/providers/krb5/krb5_auth.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_auth.c + +src/providers/krb5/ad_common_tests-krb5_auth.obj: src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_auth.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_auth.obj `if test -f 'src/providers/krb5/krb5_auth.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_auth.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_auth.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_auth.c' object='src/providers/krb5/ad_common_tests-krb5_auth.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_auth.obj `if test -f 'src/providers/krb5/krb5_auth.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_auth.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_auth.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_access.o: src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_access.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_access.o `test -f 'src/providers/krb5/krb5_access.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_access.c' object='src/providers/krb5/ad_common_tests-krb5_access.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_access.o `test -f 'src/providers/krb5/krb5_access.c' || echo 
'$(srcdir)/'`src/providers/krb5/krb5_access.c + +src/providers/krb5/ad_common_tests-krb5_access.obj: src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_access.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_access.obj `if test -f 'src/providers/krb5/krb5_access.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_access.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_access.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_access.c' object='src/providers/krb5/ad_common_tests-krb5_access.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_access.obj `if test -f 'src/providers/krb5/krb5_access.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_access.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_access.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_child_handler.o: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_child_handler.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_child_handler.o `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/ad_common_tests-krb5_child_handler.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_child_handler.o `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c + +src/providers/krb5/ad_common_tests-krb5_child_handler.obj: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_child_handler.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_child_handler.obj `if test -f 'src/providers/krb5/krb5_child_handler.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child_handler.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child_handler.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_child_handler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/ad_common_tests-krb5_child_handler.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_child_handler.obj `if test -f 'src/providers/krb5/krb5_child_handler.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child_handler.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child_handler.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_init_shared.o: src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_init_shared.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_init_shared.o `test -f 'src/providers/krb5/krb5_init_shared.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_init_shared.c' object='src/providers/krb5/ad_common_tests-krb5_init_shared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_init_shared.o `test -f 'src/providers/krb5/krb5_init_shared.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init_shared.c + +src/providers/krb5/ad_common_tests-krb5_init_shared.obj: src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_init_shared.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Tpo -c -o 
src/providers/krb5/ad_common_tests-krb5_init_shared.obj `if test -f 'src/providers/krb5/krb5_init_shared.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_init_shared.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_init_shared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_init_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_init_shared.c' object='src/providers/krb5/ad_common_tests-krb5_init_shared.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_init_shared.obj `if test -f 'src/providers/krb5/krb5_init_shared.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_init_shared.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_init_shared.c'; fi` + +src/providers/krb5/ad_common_tests-krb5_ccache.o: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_ccache.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/ad_common_tests-krb5_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/providers/krb5/ad_common_tests-krb5_ccache.obj: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_common_tests-krb5_ccache.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Tpo -c -o src/providers/krb5/ad_common_tests-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/ad_common_tests-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/ad_common_tests-krb5_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_common_tests-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` + +src/util/ad_common_tests-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/util/ad_common_tests-sss_krb5.o -MD -MP -MF 
src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Tpo -c -o src/util/ad_common_tests-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Tpo src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/ad_common_tests-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/util/ad_common_tests-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/ad_common_tests-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/util/ad_common_tests-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Tpo -c -o src/util/ad_common_tests-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Tpo src/util/$(DEPDIR)/ad_common_tests-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/ad_common_tests-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/util/ad_common_tests-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + 
+src/util/ad_common_tests-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/util/ad_common_tests-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Tpo -c -o src/util/ad_common_tests-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Tpo src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/ad_common_tests-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/util/ad_common_tests-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/ad_common_tests-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/util/ad_common_tests-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Tpo -c -o src/util/ad_common_tests-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Tpo src/util/$(DEPDIR)/ad_common_tests-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/ad_common_tests-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/util/ad_common_tests-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/util/ad_common_tests-become_user.o: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/util/ad_common_tests-become_user.o -MD -MP -MF src/util/$(DEPDIR)/ad_common_tests-become_user.Tpo -c -o src/util/ad_common_tests-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ad_common_tests-become_user.Tpo src/util/$(DEPDIR)/ad_common_tests-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/ad_common_tests-become_user.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/util/ad_common_tests-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/util/ad_common_tests-become_user.obj: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/util/ad_common_tests-become_user.obj -MD -MP -MF src/util/$(DEPDIR)/ad_common_tests-become_user.Tpo -c -o src/util/ad_common_tests-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ad_common_tests-become_user.Tpo 
src/util/$(DEPDIR)/ad_common_tests-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/ad_common_tests-become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/util/ad_common_tests-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` + +src/tests/cmocka/ad_common_tests-common_mock_krb5.o: src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ad_common_tests-common_mock_krb5.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Tpo -c -o src/tests/cmocka/ad_common_tests-common_mock_krb5.o `test -f 'src/tests/cmocka/common_mock_krb5.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Tpo src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_krb5.c' object='src/tests/cmocka/ad_common_tests-common_mock_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ad_common_tests-common_mock_krb5.o `test -f 'src/tests/cmocka/common_mock_krb5.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_krb5.c + +src/tests/cmocka/ad_common_tests-common_mock_krb5.obj: 
src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ad_common_tests-common_mock_krb5.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Tpo -c -o src/tests/cmocka/ad_common_tests-common_mock_krb5.obj `if test -f 'src/tests/cmocka/common_mock_krb5.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Tpo src/tests/cmocka/$(DEPDIR)/ad_common_tests-common_mock_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_krb5.c' object='src/tests/cmocka/ad_common_tests-common_mock_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ad_common_tests-common_mock_krb5.obj `if test -f 'src/tests/cmocka/common_mock_krb5.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_krb5.c'; fi` + +src/tests/cmocka/ad_common_tests-test_ad_common.o: src/tests/cmocka/test_ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ad_common_tests-test_ad_common.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Tpo -c -o src/tests/cmocka/ad_common_tests-test_ad_common.o `test -f 'src/tests/cmocka/test_ad_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Tpo src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ad_common.c' object='src/tests/cmocka/ad_common_tests-test_ad_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ad_common_tests-test_ad_common.o `test -f 'src/tests/cmocka/test_ad_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ad_common.c + +src/tests/cmocka/ad_common_tests-test_ad_common.obj: src/tests/cmocka/test_ad_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ad_common_tests-test_ad_common.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Tpo -c -o src/tests/cmocka/ad_common_tests-test_ad_common.obj `if test -f 'src/tests/cmocka/test_ad_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ad_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ad_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Tpo src/tests/cmocka/$(DEPDIR)/ad_common_tests-test_ad_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ad_common.c' object='src/tests/cmocka/ad_common_tests-test_ad_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ad_common_tests-test_ad_common.obj `if test -f 'src/tests/cmocka/test_ad_common.c'; then 
$(CYGPATH_W) 'src/tests/cmocka/test_ad_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ad_common.c'; fi` + +src/providers/ad/ad_common_tests-ad_opts.o: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_opts.o -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Tpo -c -o src/providers/ad/ad_common_tests-ad_opts.o `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/ad_common_tests-ad_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_opts.o `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c + +src/providers/ad/ad_common_tests-ad_opts.obj: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_opts.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Tpo -c -o src/providers/ad/ad_common_tests-ad_opts.obj `if test -f 'src/providers/ad/ad_opts.c'; then $(CYGPATH_W) 'src/providers/ad/ad_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/ad_common_tests-ad_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_opts.obj `if test -f 'src/providers/ad/ad_opts.c'; then $(CYGPATH_W) 'src/providers/ad/ad_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_opts.c'; fi` + +src/providers/ad/ad_common_tests-ad_pac.o: src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_pac.o -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Tpo -c -o src/providers/ad/ad_common_tests-ad_pac.o `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac.c' object='src/providers/ad/ad_common_tests-ad_pac.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_pac.o `test -f 'src/providers/ad/ad_pac.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac.c + +src/providers/ad/ad_common_tests-ad_pac.obj: src/providers/ad/ad_pac.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_pac.obj -MD -MP -MF 
src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Tpo -c -o src/providers/ad/ad_common_tests-ad_pac.obj `if test -f 'src/providers/ad/ad_pac.c'; then $(CYGPATH_W) 'src/providers/ad/ad_pac.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_pac.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac.c' object='src/providers/ad/ad_common_tests-ad_pac.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_pac.obj `if test -f 'src/providers/ad/ad_pac.c'; then $(CYGPATH_W) 'src/providers/ad/ad_pac.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_pac.c'; fi` + +src/providers/ad/ad_common_tests-ad_pac_common.o: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_pac_common.o -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Tpo -c -o src/providers/ad/ad_common_tests-ad_pac_common.o `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/ad_common_tests-ad_pac_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_pac_common.o `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c + +src/providers/ad/ad_common_tests-ad_pac_common.obj: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_pac_common.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Tpo -c -o src/providers/ad/ad_common_tests-ad_pac_common.obj `if test -f 'src/providers/ad/ad_pac_common.c'; then $(CYGPATH_W) 'src/providers/ad/ad_pac_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_pac_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_pac_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/ad_common_tests-ad_pac_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_pac_common.obj `if test -f 'src/providers/ad/ad_pac_common.c'; then $(CYGPATH_W) 'src/providers/ad/ad_pac_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_pac_common.c'; fi` + +src/providers/ad/ad_common_tests-ad_domain_info.o: src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_domain_info.o -MD -MP -MF 
src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Tpo -c -o src/providers/ad/ad_common_tests-ad_domain_info.o `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_domain_info.c' object='src/providers/ad/ad_common_tests-ad_domain_info.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_domain_info.o `test -f 'src/providers/ad/ad_domain_info.c' || echo '$(srcdir)/'`src/providers/ad/ad_domain_info.c + +src/providers/ad/ad_common_tests-ad_domain_info.obj: src/providers/ad/ad_domain_info.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_common_tests-ad_domain_info.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Tpo -c -o src/providers/ad/ad_common_tests-ad_domain_info.obj `if test -f 'src/providers/ad/ad_domain_info.c'; then $(CYGPATH_W) 'src/providers/ad/ad_domain_info.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_domain_info.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Tpo src/providers/ad/$(DEPDIR)/ad_common_tests-ad_domain_info.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_domain_info.c' object='src/providers/ad/ad_common_tests-ad_domain_info.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_common_tests-ad_domain_info.obj `if test -f 'src/providers/ad/ad_domain_info.c'; then $(CYGPATH_W) 'src/providers/ad/ad_domain_info.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_domain_info.c'; fi` + +src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.o: src/providers/ldap/sdap_async_initgroups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Tpo -c -o src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.o `test -f 'src/providers/ldap/sdap_async_initgroups_ad.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_initgroups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Tpo src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_initgroups_ad.c' object='src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.o `test -f 'src/providers/ldap/sdap_async_initgroups_ad.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_initgroups_ad.c + +src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.obj: src/providers/ldap/sdap_async_initgroups_ad.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Tpo -c -o src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.obj `if test -f 'src/providers/ldap/sdap_async_initgroups_ad.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_async_initgroups_ad.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_async_initgroups_ad.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Tpo src/providers/ldap/$(DEPDIR)/ad_common_tests-sdap_async_initgroups_ad.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_initgroups_ad.c' object='src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_common_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ad_common_tests-sdap_async_initgroups_ad.obj `if test -f 'src/providers/ldap/sdap_async_initgroups_ad.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_async_initgroups_ad.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_async_initgroups_ad.c'; fi` + +src/tests/cmocka/ad_gpo_tests-test_ad_gpo.o: src/tests/cmocka/test_ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_gpo_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ad_gpo_tests-test_ad_gpo.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Tpo -c -o src/tests/cmocka/ad_gpo_tests-test_ad_gpo.o `test -f 'src/tests/cmocka/test_ad_gpo.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Tpo 
src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ad_gpo.c' object='src/tests/cmocka/ad_gpo_tests-test_ad_gpo.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_gpo_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ad_gpo_tests-test_ad_gpo.o `test -f 'src/tests/cmocka/test_ad_gpo.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ad_gpo.c + +src/tests/cmocka/ad_gpo_tests-test_ad_gpo.obj: src/tests/cmocka/test_ad_gpo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_gpo_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ad_gpo_tests-test_ad_gpo.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Tpo -c -o src/tests/cmocka/ad_gpo_tests-test_ad_gpo.obj `if test -f 'src/tests/cmocka/test_ad_gpo.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ad_gpo.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ad_gpo.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Tpo src/tests/cmocka/$(DEPDIR)/ad_gpo_tests-test_ad_gpo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ad_gpo.c' object='src/tests/cmocka/ad_gpo_tests-test_ad_gpo.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_gpo_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ad_gpo_tests-test_ad_gpo.obj `if test -f 'src/tests/cmocka/test_ad_gpo.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ad_gpo.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ad_gpo.c'; fi` + +src/providers/ldap/ad_ldap_opt_tests-ldap_opts.o: 
src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ad_ldap_opt_tests-ldap_opts.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Tpo -c -o src/providers/ldap/ad_ldap_opt_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/ad_ldap_opt_tests-ldap_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ad_ldap_opt_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c + +src/providers/ldap/ad_ldap_opt_tests-ldap_opts.obj: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ad_ldap_opt_tests-ldap_opts.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Tpo -c -o src/providers/ldap/ad_ldap_opt_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/ad_ldap_opt_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/ad_ldap_opt_tests-ldap_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ad_ldap_opt_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` + +src/providers/ad/ad_ldap_opt_tests-ad_opts.o: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ad_ldap_opt_tests-ad_opts.o -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Tpo -c -o src/providers/ad/ad_ldap_opt_tests-ad_opts.o `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Tpo src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/ad_ldap_opt_tests-ad_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_ldap_opt_tests-ad_opts.o `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c + +src/providers/ad/ad_ldap_opt_tests-ad_opts.obj: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) 
$(CFLAGS) -MT src/providers/ad/ad_ldap_opt_tests-ad_opts.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Tpo -c -o src/providers/ad/ad_ldap_opt_tests-ad_opts.obj `if test -f 'src/providers/ad/ad_opts.c'; then $(CYGPATH_W) 'src/providers/ad/ad_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Tpo src/providers/ad/$(DEPDIR)/ad_ldap_opt_tests-ad_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/ad_ldap_opt_tests-ad_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ad_ldap_opt_tests-ad_opts.obj `if test -f 'src/providers/ad/ad_opts.c'; then $(CYGPATH_W) 'src/providers/ad/ad_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_opts.c'; fi` + +src/providers/krb5/ad_ldap_opt_tests-krb5_opts.o: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_ldap_opt_tests-krb5_opts.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Tpo -c -o src/providers/krb5/ad_ldap_opt_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/ad_ldap_opt_tests-krb5_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_ldap_opt_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/ad_ldap_opt_tests-krb5_opts.obj: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ad_ldap_opt_tests-krb5_opts.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Tpo -c -o src/providers/krb5/ad_ldap_opt_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/ad_ldap_opt_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/ad_ldap_opt_tests-krb5_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ad_ldap_opt_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` + +src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.o: src/tests/ad_ldap_opt-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT 
src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.o -MD -MP -MF src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Tpo -c -o src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.o `test -f 'src/tests/ad_ldap_opt-tests.c' || echo '$(srcdir)/'`src/tests/ad_ldap_opt-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Tpo src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/ad_ldap_opt-tests.c' object='src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.o `test -f 'src/tests/ad_ldap_opt-tests.c' || echo '$(srcdir)/'`src/tests/ad_ldap_opt-tests.c + +src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.obj: src/tests/ad_ldap_opt-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Tpo -c -o src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.obj `if test -f 'src/tests/ad_ldap_opt-tests.c'; then $(CYGPATH_W) 'src/tests/ad_ldap_opt-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/ad_ldap_opt-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Tpo src/tests/$(DEPDIR)/ad_ldap_opt_tests-ad_ldap_opt-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/ad_ldap_opt-tests.c' object='src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ad_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/tests/ad_ldap_opt_tests-ad_ldap_opt-tests.obj `if test -f 'src/tests/ad_ldap_opt-tests.c'; then $(CYGPATH_W) 'src/tests/ad_ldap_opt-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/ad_ldap_opt-tests.c'; fi` + +src/tests/auth_tests-auth-tests.o: src/tests/auth-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_tests_CFLAGS) $(CFLAGS) -MT src/tests/auth_tests-auth-tests.o -MD -MP -MF src/tests/$(DEPDIR)/auth_tests-auth-tests.Tpo -c -o src/tests/auth_tests-auth-tests.o `test -f 'src/tests/auth-tests.c' || echo '$(srcdir)/'`src/tests/auth-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/auth_tests-auth-tests.Tpo src/tests/$(DEPDIR)/auth_tests-auth-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/auth-tests.c' object='src/tests/auth_tests-auth-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_tests_CFLAGS) $(CFLAGS) -c -o src/tests/auth_tests-auth-tests.o `test -f 'src/tests/auth-tests.c' || echo '$(srcdir)/'`src/tests/auth-tests.c + +src/tests/auth_tests-auth-tests.obj: src/tests/auth-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_tests_CFLAGS) $(CFLAGS) -MT src/tests/auth_tests-auth-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/auth_tests-auth-tests.Tpo -c -o src/tests/auth_tests-auth-tests.obj `if test -f 'src/tests/auth-tests.c'; then $(CYGPATH_W) 'src/tests/auth-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/auth-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/auth_tests-auth-tests.Tpo 
src/tests/$(DEPDIR)/auth_tests-auth-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/auth-tests.c' object='src/tests/auth_tests-auth-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(auth_tests_CFLAGS) $(CFLAGS) -c -o src/tests/auth_tests-auth-tests.obj `if test -f 'src/tests/auth-tests.c'; then $(CYGPATH_W) 'src/tests/auth-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/auth-tests.c'; fi` + +src/sss_client/autofs/autofs_test_client-autofs_test_client.o: src/sss_client/autofs/autofs_test_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/autofs/autofs_test_client-autofs_test_client.o -MD -MP -MF src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Tpo -c -o src/sss_client/autofs/autofs_test_client-autofs_test_client.o `test -f 'src/sss_client/autofs/autofs_test_client.c' || echo '$(srcdir)/'`src/sss_client/autofs/autofs_test_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Tpo src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/autofs/autofs_test_client.c' object='src/sss_client/autofs/autofs_test_client-autofs_test_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/autofs/autofs_test_client-autofs_test_client.o `test -f 'src/sss_client/autofs/autofs_test_client.c' || echo 
'$(srcdir)/'`src/sss_client/autofs/autofs_test_client.c + +src/sss_client/autofs/autofs_test_client-autofs_test_client.obj: src/sss_client/autofs/autofs_test_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/autofs/autofs_test_client-autofs_test_client.obj -MD -MP -MF src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Tpo -c -o src/sss_client/autofs/autofs_test_client-autofs_test_client.obj `if test -f 'src/sss_client/autofs/autofs_test_client.c'; then $(CYGPATH_W) 'src/sss_client/autofs/autofs_test_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/autofs/autofs_test_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Tpo src/sss_client/autofs/$(DEPDIR)/autofs_test_client-autofs_test_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/autofs/autofs_test_client.c' object='src/sss_client/autofs/autofs_test_client-autofs_test_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/autofs/autofs_test_client-autofs_test_client.obj `if test -f 'src/sss_client/autofs/autofs_test_client.c'; then $(CYGPATH_W) 'src/sss_client/autofs/autofs_test_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/autofs/autofs_test_client.c'; fi` + +src/sss_client/autofs/autofs_test_client-sss_autofs.o: src/sss_client/autofs/sss_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/autofs/autofs_test_client-sss_autofs.o -MD -MP -MF 
src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Tpo -c -o src/sss_client/autofs/autofs_test_client-sss_autofs.o `test -f 'src/sss_client/autofs/sss_autofs.c' || echo '$(srcdir)/'`src/sss_client/autofs/sss_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Tpo src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/autofs/sss_autofs.c' object='src/sss_client/autofs/autofs_test_client-sss_autofs.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/autofs/autofs_test_client-sss_autofs.o `test -f 'src/sss_client/autofs/sss_autofs.c' || echo '$(srcdir)/'`src/sss_client/autofs/sss_autofs.c + +src/sss_client/autofs/autofs_test_client-sss_autofs.obj: src/sss_client/autofs/sss_autofs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/autofs/autofs_test_client-sss_autofs.obj -MD -MP -MF src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Tpo -c -o src/sss_client/autofs/autofs_test_client-sss_autofs.obj `if test -f 'src/sss_client/autofs/sss_autofs.c'; then $(CYGPATH_W) 'src/sss_client/autofs/sss_autofs.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/autofs/sss_autofs.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Tpo src/sss_client/autofs/$(DEPDIR)/autofs_test_client-sss_autofs.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/autofs/sss_autofs.c' object='src/sss_client/autofs/autofs_test_client-sss_autofs.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/autofs/autofs_test_client-sss_autofs.obj `if test -f 'src/sss_client/autofs/sss_autofs.c'; then $(CYGPATH_W) 'src/sss_client/autofs/sss_autofs.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/autofs/sss_autofs.c'; fi` + +src/sss_client/autofs_test_client-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/autofs_test_client-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/autofs_test_client-common.Tpo -c -o src/sss_client/autofs_test_client-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/autofs_test_client-common.Tpo src/sss_client/$(DEPDIR)/autofs_test_client-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/autofs_test_client-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/autofs_test_client-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/autofs_test_client-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/autofs_test_client-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/autofs_test_client-common.Tpo -c -o src/sss_client/autofs_test_client-common.obj `if test -f 
'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/autofs_test_client-common.Tpo src/sss_client/$(DEPDIR)/autofs_test_client-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/autofs_test_client-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(autofs_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/autofs_test_client-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tests/check_and_open_tests-check_and_open-tests.o: src/tests/check_and_open-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -MT src/tests/check_and_open_tests-check_and_open-tests.o -MD -MP -MF src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Tpo -c -o src/tests/check_and_open_tests-check_and_open-tests.o `test -f 'src/tests/check_and_open-tests.c' || echo '$(srcdir)/'`src/tests/check_and_open-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Tpo src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/check_and_open-tests.c' object='src/tests/check_and_open_tests-check_and_open-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(check_and_open_tests_CFLAGS) $(CFLAGS) -c -o src/tests/check_and_open_tests-check_and_open-tests.o `test -f 'src/tests/check_and_open-tests.c' || echo '$(srcdir)/'`src/tests/check_and_open-tests.c + +src/tests/check_and_open_tests-check_and_open-tests.obj: src/tests/check_and_open-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -MT src/tests/check_and_open_tests-check_and_open-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Tpo -c -o src/tests/check_and_open_tests-check_and_open-tests.obj `if test -f 'src/tests/check_and_open-tests.c'; then $(CYGPATH_W) 'src/tests/check_and_open-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/check_and_open-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Tpo src/tests/$(DEPDIR)/check_and_open_tests-check_and_open-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/check_and_open-tests.c' object='src/tests/check_and_open_tests-check_and_open-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -c -o src/tests/check_and_open_tests-check_and_open-tests.obj `if test -f 'src/tests/check_and_open-tests.c'; then $(CYGPATH_W) 'src/tests/check_and_open-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/check_and_open-tests.c'; fi` + +src/util/check_and_open_tests-check_and_open.o: src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -MT src/util/check_and_open_tests-check_and_open.o -MD -MP -MF src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Tpo -c -o 
src/util/check_and_open_tests-check_and_open.o `test -f 'src/util/check_and_open.c' || echo '$(srcdir)/'`src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Tpo src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/check_and_open.c' object='src/util/check_and_open_tests-check_and_open.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -c -o src/util/check_and_open_tests-check_and_open.o `test -f 'src/util/check_and_open.c' || echo '$(srcdir)/'`src/util/check_and_open.c + +src/util/check_and_open_tests-check_and_open.obj: src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -MT src/util/check_and_open_tests-check_and_open.obj -MD -MP -MF src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Tpo -c -o src/util/check_and_open_tests-check_and_open.obj `if test -f 'src/util/check_and_open.c'; then $(CYGPATH_W) 'src/util/check_and_open.c'; else $(CYGPATH_W) '$(srcdir)/src/util/check_and_open.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Tpo src/util/$(DEPDIR)/check_and_open_tests-check_and_open.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/check_and_open.c' object='src/util/check_and_open_tests-check_and_open.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(check_and_open_tests_CFLAGS) $(CFLAGS) -c -o 
src/util/check_and_open_tests-check_and_open.obj `if test -f 'src/util/check_and_open.c'; then $(CYGPATH_W) 'src/util/check_and_open.c'; else $(CYGPATH_W) '$(srcdir)/src/util/check_and_open.c'; fi` + +src/tests/cmocka/config_check_tests-test_config_check.o: src/tests/cmocka/test_config_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(config_check_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/config_check_tests-test_config_check.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Tpo -c -o src/tests/cmocka/config_check_tests-test_config_check.o `test -f 'src/tests/cmocka/test_config_check.c' || echo '$(srcdir)/'`src/tests/cmocka/test_config_check.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Tpo src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_config_check.c' object='src/tests/cmocka/config_check_tests-test_config_check.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(config_check_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/config_check_tests-test_config_check.o `test -f 'src/tests/cmocka/test_config_check.c' || echo '$(srcdir)/'`src/tests/cmocka/test_config_check.c + +src/tests/cmocka/config_check_tests-test_config_check.obj: src/tests/cmocka/test_config_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(config_check_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/config_check_tests-test_config_check.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Tpo -c -o src/tests/cmocka/config_check_tests-test_config_check.obj `if test -f 
'src/tests/cmocka/test_config_check.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_config_check.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_config_check.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Tpo src/tests/cmocka/$(DEPDIR)/config_check_tests-test_config_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_config_check.c' object='src/tests/cmocka/config_check_tests-test_config_check.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(config_check_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/config_check_tests-test_config_check.obj `if test -f 'src/tests/cmocka/test_config_check.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_config_check.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_config_check.c'; fi` + +src/tests/crypto_tests-crypto-tests.o: src/tests/crypto-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(crypto_tests_CFLAGS) $(CFLAGS) -MT src/tests/crypto_tests-crypto-tests.o -MD -MP -MF src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Tpo -c -o src/tests/crypto_tests-crypto-tests.o `test -f 'src/tests/crypto-tests.c' || echo '$(srcdir)/'`src/tests/crypto-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Tpo src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/crypto-tests.c' object='src/tests/crypto_tests-crypto-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(crypto_tests_CFLAGS) 
$(CFLAGS) -c -o src/tests/crypto_tests-crypto-tests.o `test -f 'src/tests/crypto-tests.c' || echo '$(srcdir)/'`src/tests/crypto-tests.c + +src/tests/crypto_tests-crypto-tests.obj: src/tests/crypto-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(crypto_tests_CFLAGS) $(CFLAGS) -MT src/tests/crypto_tests-crypto-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Tpo -c -o src/tests/crypto_tests-crypto-tests.obj `if test -f 'src/tests/crypto-tests.c'; then $(CYGPATH_W) 'src/tests/crypto-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/crypto-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Tpo src/tests/$(DEPDIR)/crypto_tests-crypto-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/crypto-tests.c' object='src/tests/crypto_tests-crypto-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(crypto_tests_CFLAGS) $(CFLAGS) -c -o src/tests/crypto_tests-crypto-tests.obj `if test -f 'src/tests/crypto-tests.c'; then $(CYGPATH_W) 'src/tests/crypto-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/crypto-tests.c'; fi` + +src/tests/debug_tests-debug-tests.o: src/tests/debug-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -MT src/tests/debug_tests-debug-tests.o -MD -MP -MF src/tests/$(DEPDIR)/debug_tests-debug-tests.Tpo -c -o src/tests/debug_tests-debug-tests.o `test -f 'src/tests/debug-tests.c' || echo '$(srcdir)/'`src/tests/debug-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/debug_tests-debug-tests.Tpo src/tests/$(DEPDIR)/debug_tests-debug-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/debug-tests.c' object='src/tests/debug_tests-debug-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -c -o src/tests/debug_tests-debug-tests.o `test -f 'src/tests/debug-tests.c' || echo '$(srcdir)/'`src/tests/debug-tests.c + +src/tests/debug_tests-debug-tests.obj: src/tests/debug-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -MT src/tests/debug_tests-debug-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/debug_tests-debug-tests.Tpo -c -o src/tests/debug_tests-debug-tests.obj `if test -f 'src/tests/debug-tests.c'; then $(CYGPATH_W) 'src/tests/debug-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/debug-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/debug_tests-debug-tests.Tpo src/tests/$(DEPDIR)/debug_tests-debug-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/debug-tests.c' object='src/tests/debug_tests-debug-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -c -o src/tests/debug_tests-debug-tests.obj `if test -f 'src/tests/debug-tests.c'; then $(CYGPATH_W) 'src/tests/debug-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/debug-tests.c'; fi` + +src/tests/debug_tests-common.o: src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -MT src/tests/debug_tests-common.o -MD -MP -MF src/tests/$(DEPDIR)/debug_tests-common.Tpo -c -o 
src/tests/debug_tests-common.o `test -f 'src/tests/common.c' || echo '$(srcdir)/'`src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/debug_tests-common.Tpo src/tests/$(DEPDIR)/debug_tests-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common.c' object='src/tests/debug_tests-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -c -o src/tests/debug_tests-common.o `test -f 'src/tests/common.c' || echo '$(srcdir)/'`src/tests/common.c + +src/tests/debug_tests-common.obj: src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -MT src/tests/debug_tests-common.obj -MD -MP -MF src/tests/$(DEPDIR)/debug_tests-common.Tpo -c -o src/tests/debug_tests-common.obj `if test -f 'src/tests/common.c'; then $(CYGPATH_W) 'src/tests/common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/debug_tests-common.Tpo src/tests/$(DEPDIR)/debug_tests-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common.c' object='src/tests/debug_tests-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(debug_tests_CFLAGS) $(CFLAGS) -c -o src/tests/debug_tests-common.obj `if test -f 'src/tests/common.c'; then $(CYGPATH_W) 'src/tests/common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common.c'; fi` + +src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.o: src/tests/cmocka/test_deskprofile_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Tpo -c -o src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.o `test -f 'src/tests/cmocka/test_deskprofile_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_deskprofile_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Tpo src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_deskprofile_utils.c' object='src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.o `test -f 'src/tests/cmocka/test_deskprofile_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_deskprofile_utils.c + +src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.obj: src/tests/cmocka/test_deskprofile_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Tpo -c -o src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.obj `if test -f 'src/tests/cmocka/test_deskprofile_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_deskprofile_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_deskprofile_utils.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Tpo src/tests/cmocka/$(DEPDIR)/deskprofile_utils_tests-test_deskprofile_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_deskprofile_utils.c' object='src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/deskprofile_utils_tests-test_deskprofile_utils.obj `if test -f 'src/tests/cmocka/test_deskprofile_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_deskprofile_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_deskprofile_utils.c'; fi` + +src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.o: src/providers/ipa/ipa_deskprofile_rules_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Tpo -c -o src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.o `test -f 'src/providers/ipa/ipa_deskprofile_rules_util.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_rules_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Tpo src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_deskprofile_rules_util.c' object='src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.o `test -f 'src/providers/ipa/ipa_deskprofile_rules_util.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_deskprofile_rules_util.c + +src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.obj: src/providers/ipa/ipa_deskprofile_rules_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Tpo -c -o src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.obj `if test -f 'src/providers/ipa/ipa_deskprofile_rules_util.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_deskprofile_rules_util.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_deskprofile_rules_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Tpo src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_deskprofile_rules_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_deskprofile_rules_util.c' object='src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/deskprofile_utils_tests-ipa_deskprofile_rules_util.obj `if test -f 
'src/providers/ipa/ipa_deskprofile_rules_util.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_deskprofile_rules_util.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_deskprofile_rules_util.c'; fi` + +src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.o: src/providers/ipa/ipa_rules_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Tpo -c -o src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.o `test -f 'src/providers/ipa/ipa_rules_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_rules_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Tpo src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_rules_common.c' object='src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.o `test -f 'src/providers/ipa/ipa_rules_common.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_rules_common.c + +src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.obj: src/providers/ipa/ipa_rules_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Tpo -c -o 
src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.obj `if test -f 'src/providers/ipa/ipa_rules_common.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_rules_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_rules_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Tpo src/providers/ipa/$(DEPDIR)/deskprofile_utils_tests-ipa_rules_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_rules_common.c' object='src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(deskprofile_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/deskprofile_utils_tests-ipa_rules_common.obj `if test -f 'src/providers/ipa/ipa_rules_common.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_rules_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_rules_common.c'; fi` + +src/tests/dlopen_tests-dlopen-tests.o: src/tests/dlopen-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dlopen_tests_CFLAGS) $(CFLAGS) -MT src/tests/dlopen_tests-dlopen-tests.o -MD -MP -MF src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Tpo -c -o src/tests/dlopen_tests-dlopen-tests.o `test -f 'src/tests/dlopen-tests.c' || echo '$(srcdir)/'`src/tests/dlopen-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Tpo src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/dlopen-tests.c' object='src/tests/dlopen_tests-dlopen-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dlopen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/dlopen_tests-dlopen-tests.o `test -f 'src/tests/dlopen-tests.c' || echo '$(srcdir)/'`src/tests/dlopen-tests.c + +src/tests/dlopen_tests-dlopen-tests.obj: src/tests/dlopen-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dlopen_tests_CFLAGS) $(CFLAGS) -MT src/tests/dlopen_tests-dlopen-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Tpo -c -o src/tests/dlopen_tests-dlopen-tests.obj `if test -f 'src/tests/dlopen-tests.c'; then $(CYGPATH_W) 'src/tests/dlopen-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/dlopen-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Tpo src/tests/$(DEPDIR)/dlopen_tests-dlopen-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/dlopen-tests.c' object='src/tests/dlopen_tests-dlopen-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dlopen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/dlopen_tests-dlopen-tests.obj `if test -f 'src/tests/dlopen-tests.c'; then $(CYGPATH_W) 'src/tests/dlopen-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/dlopen-tests.c'; fi` + +src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.o: src/tests/cmocka/test_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Tpo -c -o 
src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.o `test -f 'src/tests/cmocka/test_domain_resolution_order.c' || echo '$(srcdir)/'`src/tests/cmocka/test_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Tpo src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_domain_resolution_order.c' object='src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.o `test -f 'src/tests/cmocka/test_domain_resolution_order.c' || echo '$(srcdir)/'`src/tests/cmocka/test_domain_resolution_order.c + +src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.obj: src/tests/cmocka/test_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Tpo -c -o src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.obj `if test -f 'src/tests/cmocka/test_domain_resolution_order.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_domain_resolution_order.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_domain_resolution_order.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Tpo src/tests/cmocka/$(DEPDIR)/domain_resolution_order_tests-test_domain_resolution_order.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_domain_resolution_order.c' object='src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/domain_resolution_order_tests-test_domain_resolution_order.obj `if test -f 'src/tests/cmocka/test_domain_resolution_order.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_domain_resolution_order.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_domain_resolution_order.c'; fi` + +src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' 
object='src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/domain_resolution_order_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(domain_resolution_order_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/domain_resolution_order_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/providers/dp_opt_tests-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/dp_opt_tests-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Tpo -c -o src/providers/dp_opt_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/dp_opt_tests-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/dp_opt_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/dp_opt_tests-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/dp_opt_tests-data_provider_opts.obj -MD -MP -MF 
src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Tpo -c -o src/providers/dp_opt_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/dp_opt_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/dp_opt_tests-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/dp_opt_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/tests/cmocka/dp_opt_tests-test_dp_opts.o: src/tests/cmocka/test_dp_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/dp_opt_tests-test_dp_opts.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Tpo -c -o src/tests/cmocka/dp_opt_tests-test_dp_opts.o `test -f 'src/tests/cmocka/test_dp_opts.c' || echo '$(srcdir)/'`src/tests/cmocka/test_dp_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Tpo src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_dp_opts.c' object='src/tests/cmocka/dp_opt_tests-test_dp_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/dp_opt_tests-test_dp_opts.o `test -f 'src/tests/cmocka/test_dp_opts.c' || echo '$(srcdir)/'`src/tests/cmocka/test_dp_opts.c + +src/tests/cmocka/dp_opt_tests-test_dp_opts.obj: src/tests/cmocka/test_dp_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/dp_opt_tests-test_dp_opts.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Tpo -c -o src/tests/cmocka/dp_opt_tests-test_dp_opts.obj `if test -f 'src/tests/cmocka/test_dp_opts.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_dp_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_dp_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Tpo src/tests/cmocka/$(DEPDIR)/dp_opt_tests-test_dp_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_dp_opts.c' object='src/tests/cmocka/dp_opt_tests-test_dp_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dp_opt_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/dp_opt_tests-test_dp_opts.obj `if test -f 'src/tests/cmocka/test_dp_opts.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_dp_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_dp_opts.c'; fi` + +src/resolv/dyndns_tests-async_resolv.o: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/resolv/dyndns_tests-async_resolv.o -MD -MP -MF src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Tpo -c -o 
src/resolv/dyndns_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/dyndns_tests-async_resolv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/dyndns_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/dyndns_tests-async_resolv.obj: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/resolv/dyndns_tests-async_resolv.obj -MD -MP -MF src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Tpo -c -o src/resolv/dyndns_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/dyndns_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/dyndns_tests-async_resolv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/dyndns_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else 
$(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` + +src/resolv/dyndns_tests-async_resolv_utils.o: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/resolv/dyndns_tests-async_resolv_utils.o -MD -MP -MF src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Tpo -c -o src/resolv/dyndns_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/dyndns_tests-async_resolv_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/dyndns_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c + +src/resolv/dyndns_tests-async_resolv_utils.obj: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/resolv/dyndns_tests-async_resolv_utils.obj -MD -MP -MF src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Tpo -c -o src/resolv/dyndns_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/dyndns_tests-async_resolv_utils.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/dyndns_tests-async_resolv_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/dyndns_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` + +src/tests/cmocka/dyndns_tests-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/dyndns_tests-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Tpo -c -o src/tests/cmocka/dyndns_tests-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/dyndns_tests-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/dyndns_tests-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/dyndns_tests-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/dyndns_tests-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Tpo -c -o src/tests/cmocka/dyndns_tests-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/dyndns_tests-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/dyndns_tests-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/dyndns_tests-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/tests/cmocka/dyndns_tests-test_dyndns.o: src/tests/cmocka/test_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/dyndns_tests-test_dyndns.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Tpo -c -o src/tests/cmocka/dyndns_tests-test_dyndns.o `test -f 'src/tests/cmocka/test_dyndns.c' || echo '$(srcdir)/'`src/tests/cmocka/test_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Tpo src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_dyndns.c' 
object='src/tests/cmocka/dyndns_tests-test_dyndns.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/dyndns_tests-test_dyndns.o `test -f 'src/tests/cmocka/test_dyndns.c' || echo '$(srcdir)/'`src/tests/cmocka/test_dyndns.c + +src/tests/cmocka/dyndns_tests-test_dyndns.obj: src/tests/cmocka/test_dyndns.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/dyndns_tests-test_dyndns.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Tpo -c -o src/tests/cmocka/dyndns_tests-test_dyndns.obj `if test -f 'src/tests/cmocka/test_dyndns.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_dyndns.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_dyndns.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Tpo src/tests/cmocka/$(DEPDIR)/dyndns_tests-test_dyndns.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_dyndns.c' object='src/tests/cmocka/dyndns_tests-test_dyndns.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/dyndns_tests-test_dyndns.obj `if test -f 'src/tests/cmocka/test_dyndns.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_dyndns.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_dyndns.c'; fi` + +src/providers/dyndns_tests-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/providers/dyndns_tests-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Tpo -c -o src/providers/dyndns_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/dyndns_tests-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/providers/dyndns_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/dyndns_tests-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -MT src/providers/dyndns_tests-data_provider_opts.obj -MD -MP -MF src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Tpo -c -o src/providers/dyndns_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/dyndns_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/dyndns_tests-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dyndns_tests_CFLAGS) $(CFLAGS) -c -o src/providers/dyndns_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/tests/fail_over_tests-fail_over-tests.o: src/tests/fail_over-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/tests/fail_over_tests-fail_over-tests.o -MD -MP -MF src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Tpo -c -o src/tests/fail_over_tests-fail_over-tests.o `test -f 'src/tests/fail_over-tests.c' || echo '$(srcdir)/'`src/tests/fail_over-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Tpo src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/fail_over-tests.c' object='src/tests/fail_over_tests-fail_over-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/tests/fail_over_tests-fail_over-tests.o `test -f 'src/tests/fail_over-tests.c' || echo '$(srcdir)/'`src/tests/fail_over-tests.c + +src/tests/fail_over_tests-fail_over-tests.obj: src/tests/fail_over-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/tests/fail_over_tests-fail_over-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Tpo -c -o 
src/tests/fail_over_tests-fail_over-tests.obj `if test -f 'src/tests/fail_over-tests.c'; then $(CYGPATH_W) 'src/tests/fail_over-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/fail_over-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Tpo src/tests/$(DEPDIR)/fail_over_tests-fail_over-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/fail_over-tests.c' object='src/tests/fail_over_tests-fail_over-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/tests/fail_over_tests-fail_over-tests.obj `if test -f 'src/tests/fail_over-tests.c'; then $(CYGPATH_W) 'src/tests/fail_over-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/fail_over-tests.c'; fi` + +src/providers/fail_over_tests-fail_over.o: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/providers/fail_over_tests-fail_over.o -MD -MP -MF src/providers/$(DEPDIR)/fail_over_tests-fail_over.Tpo -c -o src/providers/fail_over_tests-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/fail_over_tests-fail_over.Tpo src/providers/$(DEPDIR)/fail_over_tests-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/fail_over_tests-fail_over.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o 
src/providers/fail_over_tests-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c + +src/providers/fail_over_tests-fail_over.obj: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/providers/fail_over_tests-fail_over.obj -MD -MP -MF src/providers/$(DEPDIR)/fail_over_tests-fail_over.Tpo -c -o src/providers/fail_over_tests-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/fail_over_tests-fail_over.Tpo src/providers/$(DEPDIR)/fail_over_tests-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/fail_over_tests-fail_over.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/providers/fail_over_tests-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` + +src/providers/fail_over_tests-fail_over_srv.o: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/providers/fail_over_tests-fail_over_srv.o -MD -MP -MF src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Tpo -c -o src/providers/fail_over_tests-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Tpo 
src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/fail_over_tests-fail_over_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/providers/fail_over_tests-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c + +src/providers/fail_over_tests-fail_over_srv.obj: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/providers/fail_over_tests-fail_over_srv.obj -MD -MP -MF src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Tpo -c -o src/providers/fail_over_tests-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Tpo src/providers/$(DEPDIR)/fail_over_tests-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/fail_over_tests-fail_over_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/providers/fail_over_tests-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` + 
+src/resolv/fail_over_tests-async_resolv.o: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/resolv/fail_over_tests-async_resolv.o -MD -MP -MF src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Tpo -c -o src/resolv/fail_over_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/fail_over_tests-async_resolv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/fail_over_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/fail_over_tests-async_resolv.obj: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/resolv/fail_over_tests-async_resolv.obj -MD -MP -MF src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Tpo -c -o src/resolv/fail_over_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/fail_over_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/fail_over_tests-async_resolv.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/fail_over_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` + +src/resolv/fail_over_tests-async_resolv_utils.o: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/resolv/fail_over_tests-async_resolv_utils.o -MD -MP -MF src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Tpo -c -o src/resolv/fail_over_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/fail_over_tests-async_resolv_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/fail_over_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c + +src/resolv/fail_over_tests-async_resolv_utils.obj: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -MT src/resolv/fail_over_tests-async_resolv_utils.obj -MD -MP -MF 
src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Tpo -c -o src/resolv/fail_over_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/fail_over_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/fail_over_tests-async_resolv_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fail_over_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/fail_over_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` + +src/tests/files_tests-files-tests.o: src/tests/files-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/tests/files_tests-files-tests.o -MD -MP -MF src/tests/$(DEPDIR)/files_tests-files-tests.Tpo -c -o src/tests/files_tests-files-tests.o `test -f 'src/tests/files-tests.c' || echo '$(srcdir)/'`src/tests/files-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/files_tests-files-tests.Tpo src/tests/$(DEPDIR)/files_tests-files-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/files-tests.c' object='src/tests/files_tests-files-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/tests/files_tests-files-tests.o `test -f 'src/tests/files-tests.c' || echo '$(srcdir)/'`src/tests/files-tests.c + +src/tests/files_tests-files-tests.obj: src/tests/files-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/tests/files_tests-files-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/files_tests-files-tests.Tpo -c -o src/tests/files_tests-files-tests.obj `if test -f 'src/tests/files-tests.c'; then $(CYGPATH_W) 'src/tests/files-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/files-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/files_tests-files-tests.Tpo src/tests/$(DEPDIR)/files_tests-files-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/files-tests.c' object='src/tests/files_tests-files-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/tests/files_tests-files-tests.obj `if test -f 'src/tests/files-tests.c'; then $(CYGPATH_W) 'src/tests/files-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/files-tests.c'; fi` + +src/util/files_tests-check_and_open.o: src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-check_and_open.o -MD -MP -MF src/util/$(DEPDIR)/files_tests-check_and_open.Tpo -c -o src/util/files_tests-check_and_open.o `test -f 'src/util/check_and_open.c' || echo '$(srcdir)/'`src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-check_and_open.Tpo src/util/$(DEPDIR)/files_tests-check_and_open.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/check_and_open.c' object='src/util/files_tests-check_and_open.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-check_and_open.o `test -f 'src/util/check_and_open.c' || echo '$(srcdir)/'`src/util/check_and_open.c + +src/util/files_tests-check_and_open.obj: src/util/check_and_open.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-check_and_open.obj -MD -MP -MF src/util/$(DEPDIR)/files_tests-check_and_open.Tpo -c -o src/util/files_tests-check_and_open.obj `if test -f 'src/util/check_and_open.c'; then $(CYGPATH_W) 'src/util/check_and_open.c'; else $(CYGPATH_W) '$(srcdir)/src/util/check_and_open.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-check_and_open.Tpo src/util/$(DEPDIR)/files_tests-check_and_open.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/check_and_open.c' object='src/util/files_tests-check_and_open.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-check_and_open.obj `if test -f 'src/util/check_and_open.c'; then $(CYGPATH_W) 'src/util/check_and_open.c'; else $(CYGPATH_W) '$(srcdir)/src/util/check_and_open.c'; fi` + +src/util/files_tests-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-atomic_io.o -MD -MP -MF 
src/util/$(DEPDIR)/files_tests-atomic_io.Tpo -c -o src/util/files_tests-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-atomic_io.Tpo src/util/$(DEPDIR)/files_tests-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/files_tests-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/files_tests-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/files_tests-atomic_io.Tpo -c -o src/util/files_tests-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-atomic_io.Tpo src/util/$(DEPDIR)/files_tests-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/files_tests-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/files_tests-selinux.o: 
src/util/selinux.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-selinux.o -MD -MP -MF src/util/$(DEPDIR)/files_tests-selinux.Tpo -c -o src/util/files_tests-selinux.o `test -f 'src/util/selinux.c' || echo '$(srcdir)/'`src/util/selinux.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-selinux.Tpo src/util/$(DEPDIR)/files_tests-selinux.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/selinux.c' object='src/util/files_tests-selinux.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-selinux.o `test -f 'src/util/selinux.c' || echo '$(srcdir)/'`src/util/selinux.c + +src/util/files_tests-selinux.obj: src/util/selinux.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-selinux.obj -MD -MP -MF src/util/$(DEPDIR)/files_tests-selinux.Tpo -c -o src/util/files_tests-selinux.obj `if test -f 'src/util/selinux.c'; then $(CYGPATH_W) 'src/util/selinux.c'; else $(CYGPATH_W) '$(srcdir)/src/util/selinux.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-selinux.Tpo src/util/$(DEPDIR)/files_tests-selinux.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/selinux.c' object='src/util/files_tests-selinux.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-selinux.obj `if test -f 
'src/util/selinux.c'; then $(CYGPATH_W) 'src/util/selinux.c'; else $(CYGPATH_W) '$(srcdir)/src/util/selinux.c'; fi` + +src/util/files_tests-files.o: src/util/files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-files.o -MD -MP -MF src/util/$(DEPDIR)/files_tests-files.Tpo -c -o src/util/files_tests-files.o `test -f 'src/util/files.c' || echo '$(srcdir)/'`src/util/files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-files.Tpo src/util/$(DEPDIR)/files_tests-files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/files.c' object='src/util/files_tests-files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-files.o `test -f 'src/util/files.c' || echo '$(srcdir)/'`src/util/files.c + +src/util/files_tests-files.obj: src/util/files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -MT src/util/files_tests-files.obj -MD -MP -MF src/util/$(DEPDIR)/files_tests-files.Tpo -c -o src/util/files_tests-files.obj `if test -f 'src/util/files.c'; then $(CYGPATH_W) 'src/util/files.c'; else $(CYGPATH_W) '$(srcdir)/src/util/files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/files_tests-files.Tpo src/util/$(DEPDIR)/files_tests-files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/files.c' object='src/util/files_tests-files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(files_tests_CFLAGS) $(CFLAGS) -c -o src/util/files_tests-files.obj `if test -f 'src/util/files.c'; then $(CYGPATH_W) 'src/util/files.c'; else $(CYGPATH_W) '$(srcdir)/src/util/files.c'; fi` + +src/tests/find_uid_tests-find_uid-tests.o: src/tests/find_uid-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/tests/find_uid_tests-find_uid-tests.o -MD -MP -MF src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Tpo -c -o src/tests/find_uid_tests-find_uid-tests.o `test -f 'src/tests/find_uid-tests.c' || echo '$(srcdir)/'`src/tests/find_uid-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Tpo src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/find_uid-tests.c' object='src/tests/find_uid_tests-find_uid-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/tests/find_uid_tests-find_uid-tests.o `test -f 'src/tests/find_uid-tests.c' || echo '$(srcdir)/'`src/tests/find_uid-tests.c + +src/tests/find_uid_tests-find_uid-tests.obj: src/tests/find_uid-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/tests/find_uid_tests-find_uid-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Tpo -c -o src/tests/find_uid_tests-find_uid-tests.obj `if test -f 'src/tests/find_uid-tests.c'; then $(CYGPATH_W) 'src/tests/find_uid-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/find_uid-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Tpo 
src/tests/$(DEPDIR)/find_uid_tests-find_uid-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/find_uid-tests.c' object='src/tests/find_uid_tests-find_uid-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/tests/find_uid_tests-find_uid-tests.obj `if test -f 'src/tests/find_uid-tests.c'; then $(CYGPATH_W) 'src/tests/find_uid-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/find_uid-tests.c'; fi` + +src/util/find_uid_tests-find_uid.o: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/util/find_uid_tests-find_uid.o -MD -MP -MF src/util/$(DEPDIR)/find_uid_tests-find_uid.Tpo -c -o src/util/find_uid_tests-find_uid.o `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/find_uid_tests-find_uid.Tpo src/util/$(DEPDIR)/find_uid_tests-find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/find_uid.c' object='src/util/find_uid_tests-find_uid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/util/find_uid_tests-find_uid.o `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c + +src/util/find_uid_tests-find_uid.obj: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/util/find_uid_tests-find_uid.obj -MD -MP -MF 
src/util/$(DEPDIR)/find_uid_tests-find_uid.Tpo -c -o src/util/find_uid_tests-find_uid.obj `if test -f 'src/util/find_uid.c'; then $(CYGPATH_W) 'src/util/find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/util/find_uid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/find_uid_tests-find_uid.Tpo src/util/$(DEPDIR)/find_uid_tests-find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/find_uid.c' object='src/util/find_uid_tests-find_uid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/util/find_uid_tests-find_uid.obj `if test -f 'src/util/find_uid.c'; then $(CYGPATH_W) 'src/util/find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/util/find_uid.c'; fi` + +src/util/find_uid_tests-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/util/find_uid_tests-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/find_uid_tests-atomic_io.Tpo -c -o src/util/find_uid_tests-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/find_uid_tests-atomic_io.Tpo src/util/$(DEPDIR)/find_uid_tests-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/find_uid_tests-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/util/find_uid_tests-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + 
+src/util/find_uid_tests-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/util/find_uid_tests-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/find_uid_tests-atomic_io.Tpo -c -o src/util/find_uid_tests-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/find_uid_tests-atomic_io.Tpo src/util/$(DEPDIR)/find_uid_tests-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/find_uid_tests-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/util/find_uid_tests-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/find_uid_tests-strtonum.o: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/util/find_uid_tests-strtonum.o -MD -MP -MF src/util/$(DEPDIR)/find_uid_tests-strtonum.Tpo -c -o src/util/find_uid_tests-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/find_uid_tests-strtonum.Tpo src/util/$(DEPDIR)/find_uid_tests-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/find_uid_tests-strtonum.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/util/find_uid_tests-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c + +src/util/find_uid_tests-strtonum.obj: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -MT src/util/find_uid_tests-strtonum.obj -MD -MP -MF src/util/$(DEPDIR)/find_uid_tests-strtonum.Tpo -c -o src/util/find_uid_tests-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/find_uid_tests-strtonum.Tpo src/util/$(DEPDIR)/find_uid_tests-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/find_uid_tests-strtonum.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(find_uid_tests_CFLAGS) $(CFLAGS) -c -o src/util/find_uid_tests-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` + +src/tests/cmocka/fqnames_tests-test_fqnames.o: src/tests/cmocka/test_fqnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fqnames_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/fqnames_tests-test_fqnames.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Tpo -c -o src/tests/cmocka/fqnames_tests-test_fqnames.o `test -f 'src/tests/cmocka/test_fqnames.c' || echo '$(srcdir)/'`src/tests/cmocka/test_fqnames.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Tpo src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_fqnames.c' object='src/tests/cmocka/fqnames_tests-test_fqnames.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fqnames_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/fqnames_tests-test_fqnames.o `test -f 'src/tests/cmocka/test_fqnames.c' || echo '$(srcdir)/'`src/tests/cmocka/test_fqnames.c + +src/tests/cmocka/fqnames_tests-test_fqnames.obj: src/tests/cmocka/test_fqnames.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fqnames_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/fqnames_tests-test_fqnames.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Tpo -c -o src/tests/cmocka/fqnames_tests-test_fqnames.obj `if test -f 'src/tests/cmocka/test_fqnames.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_fqnames.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_fqnames.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Tpo src/tests/cmocka/$(DEPDIR)/fqnames_tests-test_fqnames.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_fqnames.c' object='src/tests/cmocka/fqnames_tests-test_fqnames.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(fqnames_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/fqnames_tests-test_fqnames.obj `if test -f 'src/tests/cmocka/test_fqnames.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_fqnames.c'; else $(CYGPATH_W) 
'$(srcdir)/src/tests/cmocka/test_fqnames.c'; fi` + +src/providers/ad/gpo_child-ad_gpo_child.o: src/providers/ad/ad_gpo_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/providers/ad/gpo_child-ad_gpo_child.o -MD -MP -MF src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Tpo -c -o src/providers/ad/gpo_child-ad_gpo_child.o `test -f 'src/providers/ad/ad_gpo_child.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Tpo src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_gpo_child.c' object='src/providers/ad/gpo_child-ad_gpo_child.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/providers/ad/gpo_child-ad_gpo_child.o `test -f 'src/providers/ad/ad_gpo_child.c' || echo '$(srcdir)/'`src/providers/ad/ad_gpo_child.c + +src/providers/ad/gpo_child-ad_gpo_child.obj: src/providers/ad/ad_gpo_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/providers/ad/gpo_child-ad_gpo_child.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Tpo -c -o src/providers/ad/gpo_child-ad_gpo_child.obj `if test -f 'src/providers/ad/ad_gpo_child.c'; then $(CYGPATH_W) 'src/providers/ad/ad_gpo_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_gpo_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Tpo src/providers/ad/$(DEPDIR)/gpo_child-ad_gpo_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_gpo_child.c' 
object='src/providers/ad/gpo_child-ad_gpo_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/providers/ad/gpo_child-ad_gpo_child.obj `if test -f 'src/providers/ad/ad_gpo_child.c'; then $(CYGPATH_W) 'src/providers/ad/ad_gpo_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_gpo_child.c'; fi` + +src/util/gpo_child-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/gpo_child-atomic_io.Tpo -c -o src/util/gpo_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-atomic_io.Tpo src/util/$(DEPDIR)/gpo_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/gpo_child-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/gpo_child-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/gpo_child-atomic_io.Tpo -c -o src/util/gpo_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) 
'$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-atomic_io.Tpo src/util/$(DEPDIR)/gpo_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/gpo_child-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/gpo_child-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-util.o -MD -MP -MF src/util/$(DEPDIR)/gpo_child-util.Tpo -c -o src/util/gpo_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-util.Tpo src/util/$(DEPDIR)/gpo_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/gpo_child-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/gpo_child-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-util.obj -MD -MP -MF src/util/$(DEPDIR)/gpo_child-util.Tpo -c -o src/util/gpo_child-util.obj `if test -f 'src/util/util.c'; 
then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-util.Tpo src/util/$(DEPDIR)/gpo_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/gpo_child-util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/gpo_child-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-util_ext.o -MD -MP -MF src/util/$(DEPDIR)/gpo_child-util_ext.Tpo -c -o src/util/gpo_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-util_ext.Tpo src/util/$(DEPDIR)/gpo_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/gpo_child-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/gpo_child-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-util_ext.obj -MD -MP -MF 
src/util/$(DEPDIR)/gpo_child-util_ext.Tpo -c -o src/util/gpo_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-util_ext.Tpo src/util/$(DEPDIR)/gpo_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/gpo_child-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/util/gpo_child-signal.o: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-signal.o -MD -MP -MF src/util/$(DEPDIR)/gpo_child-signal.Tpo -c -o src/util/gpo_child-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-signal.Tpo src/util/$(DEPDIR)/gpo_child-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/gpo_child-signal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c + +src/util/gpo_child-signal.obj: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -MT src/util/gpo_child-signal.obj -MD -MP -MF src/util/$(DEPDIR)/gpo_child-signal.Tpo -c -o src/util/gpo_child-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/gpo_child-signal.Tpo src/util/$(DEPDIR)/gpo_child-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/gpo_child-signal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gpo_child_CFLAGS) $(CFLAGS) -c -o src/util/gpo_child-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` + +src/tests/cmocka/ifp_tests-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ifp_tests-common_mock_resp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/ifp_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/ifp_tests-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ifp_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/ifp_tests-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ifp_tests-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/ifp_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/ifp_tests-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ifp_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/ifp_tests-common_mock_resp_dp.o: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ifp_tests-common_mock_resp_dp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/ifp_tests-common_mock_resp_dp.o `test -f 
'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/ifp_tests-common_mock_resp_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ifp_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c + +src/tests/cmocka/ifp_tests-common_mock_resp_dp.obj: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ifp_tests-common_mock_resp_dp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/ifp_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/ifp_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/ifp_tests-common_mock_resp_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ifp_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` + +src/responder/common/ifp_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Tpo -c -o src/responder/common/ifp_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/ifp_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/ifp_tests-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Tpo -c -o src/responder/common/ifp_tests-responder_packet.obj `if test -f 
'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/ifp_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/ifp_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Tpo -c -o src/responder/common/ifp_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/ifp_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/ifp_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Tpo -c -o src/responder/common/ifp_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/ifp_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/ifp_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-negcache_files.o -MD -MP -MF 
src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Tpo -c -o src/responder/common/ifp_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/ifp_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/ifp_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Tpo -c -o src/responder/common/ifp_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/ifp_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/ifp_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/ifp_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-negcache.Tpo -c -o src/responder/common/ifp_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-negcache.Tpo src/responder/common/$(DEPDIR)/ifp_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/ifp_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/ifp_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-negcache.Tpo -c -o src/responder/common/ifp_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 
'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-negcache.Tpo src/responder/common/$(DEPDIR)/ifp_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/ifp_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/ifp_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Tpo -c -o src/responder/common/ifp_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/ifp_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/ifp_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/ifp_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Tpo -c -o src/responder/common/ifp_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/ifp_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/data_provider/ifp_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ifp_tests-rdp_message.o -MD -MP -MF 
src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/ifp_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/ifp_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ifp_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/ifp_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ifp_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/ifp_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/ifp_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ifp_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/ifp_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ifp_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/ifp_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/ifp_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ifp_tests-rdp_client.o `test -f 
'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/ifp_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ifp_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/ifp_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/ifp_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/ifp_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ifp_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/responder/common/ifp_tests-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_utils.o -MD -MP -MF 
src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Tpo -c -o src/responder/common/ifp_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/ifp_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/ifp_tests-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ifp_tests-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Tpo -c -o src/responder/common/ifp_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/ifp_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/ifp_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ifp_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/util/ifp_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/util/ifp_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/ifp_tests-session_recording.Tpo -c -o src/util/ifp_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ifp_tests-session_recording.Tpo src/util/$(DEPDIR)/ifp_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/ifp_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/util/ifp_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/ifp_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/util/ifp_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/ifp_tests-session_recording.Tpo -c -o src/util/ifp_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else 
$(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ifp_tests-session_recording.Tpo src/util/$(DEPDIR)/ifp_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/ifp_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/util/ifp_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/cache_req/ifp_tests-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/ifp_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/ifp_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/ifp_tests-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/ifp_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/ifp_tests-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_result.o -MD -MP -MF 
src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/ifp_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/ifp_tests-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_result.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/ifp_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/ifp_tests-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/ifp_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/ifp_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/ifp_tests-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/ifp_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/ifp_tests-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/ifp_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/ifp_tests-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Tpo 
src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/ifp_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/ifp_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/ifp_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) 
$(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/ifp_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/ifp_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/ifp_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ifp_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' 
object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.obj: 
src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Tpo -c -o 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' 
object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + 
+src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.obj -MD -MP 
-MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Tpo -c -o 
src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + 
+src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.o 
`test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ifp_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ifp_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/responder/common/iface/ifp_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Tpo -c -o src/responder/common/iface/ifp_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/ifp_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/ifp_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Tpo -c -o src/responder/common/iface/ifp_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/ifp_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/ifp_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Tpo -c -o src/responder/common/iface/ifp_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/ifp_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/ifp_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Tpo -c -o src/responder/common/iface/ifp_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/ifp_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/ifp_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Tpo -c -o src/responder/common/iface/ifp_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/ifp_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/ifp_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_ncache.obj 
-MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Tpo -c -o src/responder/common/iface/ifp_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/ifp_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/ifp_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/ifp_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Tpo 
src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/ifp_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/ifp_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ifp_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/ifp_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/ifp_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/ifp_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ifp_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/tests/cmocka/ifp_tests-test_ifp.o: src/tests/cmocka/test_ifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ifp_tests-test_ifp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Tpo -c -o src/tests/cmocka/ifp_tests-test_ifp.o `test -f 'src/tests/cmocka/test_ifp.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ifp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Tpo src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ifp.c' object='src/tests/cmocka/ifp_tests-test_ifp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ifp_tests-test_ifp.o `test -f 'src/tests/cmocka/test_ifp.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ifp.c + +src/tests/cmocka/ifp_tests-test_ifp.obj: src/tests/cmocka/test_ifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ifp_tests-test_ifp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Tpo -c -o src/tests/cmocka/ifp_tests-test_ifp.obj `if test -f 'src/tests/cmocka/test_ifp.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ifp.c'; else 
$(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ifp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Tpo src/tests/cmocka/$(DEPDIR)/ifp_tests-test_ifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ifp.c' object='src/tests/cmocka/ifp_tests-test_ifp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ifp_tests-test_ifp.obj `if test -f 'src/tests/cmocka/test_ifp.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ifp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ifp.c'; fi` + +src/responder/ifp/ifp_tests-ifpsrv_cmd.o: src/responder/ifp/ifpsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/ifp/ifp_tests-ifpsrv_cmd.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Tpo -c -o src/responder/ifp/ifp_tests-ifpsrv_cmd.o `test -f 'src/responder/ifp/ifpsrv_cmd.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Tpo src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_cmd.c' object='src/responder/ifp/ifp_tests-ifpsrv_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/ifp_tests-ifpsrv_cmd.o `test -f 'src/responder/ifp/ifpsrv_cmd.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_cmd.c + +src/responder/ifp/ifp_tests-ifpsrv_cmd.obj: 
src/responder/ifp/ifpsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/ifp/ifp_tests-ifpsrv_cmd.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Tpo -c -o src/responder/ifp/ifp_tests-ifpsrv_cmd.obj `if test -f 'src/responder/ifp/ifpsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Tpo src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_cmd.c' object='src/responder/ifp/ifp_tests-ifpsrv_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/ifp_tests-ifpsrv_cmd.obj `if test -f 'src/responder/ifp/ifpsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_cmd.c'; fi` + +src/responder/ifp/ifp_tests-ifp_iface_generated.o: src/responder/ifp/ifp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/ifp/ifp_tests-ifp_iface_generated.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Tpo -c -o src/responder/ifp/ifp_tests-ifp_iface_generated.o `test -f 'src/responder/ifp/ifp_iface_generated.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Tpo src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/ifp/ifp_iface_generated.c' object='src/responder/ifp/ifp_tests-ifp_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/ifp_tests-ifp_iface_generated.o `test -f 'src/responder/ifp/ifp_iface_generated.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface_generated.c + +src/responder/ifp/ifp_tests-ifp_iface_generated.obj: src/responder/ifp/ifp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/ifp/ifp_tests-ifp_iface_generated.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Tpo -c -o src/responder/ifp/ifp_tests-ifp_iface_generated.obj `if test -f 'src/responder/ifp/ifp_iface_generated.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Tpo src/responder/ifp/$(DEPDIR)/ifp_tests-ifp_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface_generated.c' object='src/responder/ifp/ifp_tests-ifp_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/ifp_tests-ifp_iface_generated.obj `if test -f 'src/responder/ifp/ifp_iface_generated.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface_generated.c'; 
fi` + +src/responder/ifp/ifp_tests-ifpsrv_util.o: src/responder/ifp/ifpsrv_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/ifp/ifp_tests-ifpsrv_util.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Tpo -c -o src/responder/ifp/ifp_tests-ifpsrv_util.o `test -f 'src/responder/ifp/ifpsrv_util.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Tpo src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_util.c' object='src/responder/ifp/ifp_tests-ifpsrv_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/ifp_tests-ifpsrv_util.o `test -f 'src/responder/ifp/ifpsrv_util.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_util.c + +src/responder/ifp/ifp_tests-ifpsrv_util.obj: src/responder/ifp/ifpsrv_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -MT src/responder/ifp/ifp_tests-ifpsrv_util.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Tpo -c -o src/responder/ifp/ifp_tests-ifpsrv_util.obj `if test -f 'src/responder/ifp/ifpsrv_util.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_util.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Tpo src/responder/ifp/$(DEPDIR)/ifp_tests-ifpsrv_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_util.c' 
object='src/responder/ifp/ifp_tests-ifpsrv_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ifp_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/ifp_tests-ifpsrv_util.obj `if test -f 'src/responder/ifp/ifpsrv_util.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_util.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_util.c'; fi` + +src/tests/ipa_hbac_tests-ipa_hbac-tests.o: src/tests/ipa_hbac-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_hbac_tests_CFLAGS) $(CFLAGS) -MT src/tests/ipa_hbac_tests-ipa_hbac-tests.o -MD -MP -MF src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Tpo -c -o src/tests/ipa_hbac_tests-ipa_hbac-tests.o `test -f 'src/tests/ipa_hbac-tests.c' || echo '$(srcdir)/'`src/tests/ipa_hbac-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Tpo src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/ipa_hbac-tests.c' object='src/tests/ipa_hbac_tests-ipa_hbac-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_hbac_tests_CFLAGS) $(CFLAGS) -c -o src/tests/ipa_hbac_tests-ipa_hbac-tests.o `test -f 'src/tests/ipa_hbac-tests.c' || echo '$(srcdir)/'`src/tests/ipa_hbac-tests.c + +src/tests/ipa_hbac_tests-ipa_hbac-tests.obj: src/tests/ipa_hbac-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_hbac_tests_CFLAGS) $(CFLAGS) -MT src/tests/ipa_hbac_tests-ipa_hbac-tests.obj -MD -MP -MF 
src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Tpo -c -o src/tests/ipa_hbac_tests-ipa_hbac-tests.obj `if test -f 'src/tests/ipa_hbac-tests.c'; then $(CYGPATH_W) 'src/tests/ipa_hbac-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/ipa_hbac-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Tpo src/tests/$(DEPDIR)/ipa_hbac_tests-ipa_hbac-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/ipa_hbac-tests.c' object='src/tests/ipa_hbac_tests-ipa_hbac-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_hbac_tests_CFLAGS) $(CFLAGS) -c -o src/tests/ipa_hbac_tests-ipa_hbac-tests.obj `if test -f 'src/tests/ipa_hbac-tests.c'; then $(CYGPATH_W) 'src/tests/ipa_hbac-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/ipa_hbac-tests.c'; fi` + +src/providers/ipa_ldap_opt_tests-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa_ldap_opt_tests-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Tpo -c -o src/providers/ipa_ldap_opt_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/ipa_ldap_opt_tests-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa_ldap_opt_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/ipa_ldap_opt_tests-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa_ldap_opt_tests-data_provider_opts.obj -MD -MP -MF src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Tpo -c -o src/providers/ipa_ldap_opt_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/ipa_ldap_opt_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/ipa_ldap_opt_tests-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa_ldap_opt_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/providers/ldap/ipa_ldap_opt_tests-sdap.o: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT 
src/providers/ldap/ipa_ldap_opt_tests-sdap.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap.o `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/ipa_ldap_opt_tests-sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap.o `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c + +src/providers/ldap/ipa_ldap_opt_tests-sdap.obj: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-sdap.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap.obj `if test -f 'src/providers/ldap/sdap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/ipa_ldap_opt_tests-sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap.obj `if test -f 'src/providers/ldap/sdap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap.c'; fi` + +src/providers/ldap/ipa_ldap_opt_tests-sdap_range.o: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-sdap_range.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_range.o `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/ipa_ldap_opt_tests-sdap_range.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_range.o `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c + +src/providers/ldap/ipa_ldap_opt_tests-sdap_range.obj: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-sdap_range.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_range.obj `if test -f 'src/providers/ldap/sdap_range.c'; 
then $(CYGPATH_W) 'src/providers/ldap/sdap_range.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_range.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_range.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/ipa_ldap_opt_tests-sdap_range.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_range.obj `if test -f 'src/providers/ldap/sdap_range.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_range.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_range.c'; fi` + +src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.o: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.o `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' object='src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.o `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c + +src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.obj: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.obj `if test -f 'src/providers/ldap/sdap_domain.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-sdap_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' object='src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-sdap_domain.obj `if test -f 'src/providers/ldap/sdap_domain.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_domain.c'; fi` + +src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.o: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.o -MD -MP -MF 
src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c + +src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.obj: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Tpo -c -o src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/ipa_ldap_opt_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ipa_ldap_opt_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` + +src/providers/ad/ipa_ldap_opt_tests-ad_opts.o: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ipa_ldap_opt_tests-ad_opts.o -MD -MP -MF src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Tpo -c -o src/providers/ad/ipa_ldap_opt_tests-ad_opts.o `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Tpo src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/ipa_ldap_opt_tests-ad_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ipa_ldap_opt_tests-ad_opts.o `test -f 'src/providers/ad/ad_opts.c' || echo '$(srcdir)/'`src/providers/ad/ad_opts.c + +src/providers/ad/ipa_ldap_opt_tests-ad_opts.obj: src/providers/ad/ad_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ad/ipa_ldap_opt_tests-ad_opts.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Tpo -c -o src/providers/ad/ipa_ldap_opt_tests-ad_opts.obj `if test -f 'src/providers/ad/ad_opts.c'; then 
$(CYGPATH_W) 'src/providers/ad/ad_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Tpo src/providers/ad/$(DEPDIR)/ipa_ldap_opt_tests-ad_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_opts.c' object='src/providers/ad/ipa_ldap_opt_tests-ad_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ad/ipa_ldap_opt_tests-ad_opts.obj `if test -f 'src/providers/ad/ad_opts.c'; then $(CYGPATH_W) 'src/providers/ad/ad_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_opts.c'; fi` + +src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.o: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Tpo -c -o src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.o `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o 
src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.o `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c + +src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.obj: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Tpo -c -o src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.obj `if test -f 'src/providers/ipa/ipa_opts.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/ipa_ldap_opt_tests-ipa_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/ipa_ldap_opt_tests-ipa_opts.obj `if test -f 'src/providers/ipa/ipa_opts.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_opts.c'; fi` + +src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.o: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Tpo -c -o src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo 
'$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.obj: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Tpo -c -o src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/ipa_ldap_opt_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o 
src/providers/krb5/ipa_ldap_opt_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` + +src/util/ipa_ldap_opt_tests-sss_sockets.o: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/util/ipa_ldap_opt_tests-sss_sockets.o -MD -MP -MF src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Tpo -c -o src/util/ipa_ldap_opt_tests-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Tpo src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/ipa_ldap_opt_tests-sss_sockets.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/util/ipa_ldap_opt_tests-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c + +src/util/ipa_ldap_opt_tests-sss_sockets.obj: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/util/ipa_ldap_opt_tests-sss_sockets.obj -MD -MP -MF src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Tpo -c -o src/util/ipa_ldap_opt_tests-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Tpo 
src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/ipa_ldap_opt_tests-sss_sockets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/util/ipa_ldap_opt_tests-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` + +src/util/ipa_ldap_opt_tests-sss_ldap.o: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/util/ipa_ldap_opt_tests-sss_ldap.o -MD -MP -MF src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Tpo -c -o src/util/ipa_ldap_opt_tests-sss_ldap.o `test -f 'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Tpo src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/ipa_ldap_opt_tests-sss_ldap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/util/ipa_ldap_opt_tests-sss_ldap.o `test -f 'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c + +src/util/ipa_ldap_opt_tests-sss_ldap.obj: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/util/ipa_ldap_opt_tests-sss_ldap.obj -MD 
-MP -MF src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Tpo -c -o src/util/ipa_ldap_opt_tests-sss_ldap.obj `if test -f 'src/util/sss_ldap.c'; then $(CYGPATH_W) 'src/util/sss_ldap.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_ldap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Tpo src/util/$(DEPDIR)/ipa_ldap_opt_tests-sss_ldap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/ipa_ldap_opt_tests-sss_ldap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/util/ipa_ldap_opt_tests-sss_ldap.obj `if test -f 'src/util/sss_ldap.c'; then $(CYGPATH_W) 'src/util/sss_ldap.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_ldap.c'; fi` + +src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.o: src/tests/ipa_ldap_opt-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.o -MD -MP -MF src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Tpo -c -o src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.o `test -f 'src/tests/ipa_ldap_opt-tests.c' || echo '$(srcdir)/'`src/tests/ipa_ldap_opt-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Tpo src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/ipa_ldap_opt-tests.c' object='src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.o `test -f 'src/tests/ipa_ldap_opt-tests.c' || echo '$(srcdir)/'`src/tests/ipa_ldap_opt-tests.c + +src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.obj: src/tests/ipa_ldap_opt-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -MT src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Tpo -c -o src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.obj `if test -f 'src/tests/ipa_ldap_opt-tests.c'; then $(CYGPATH_W) 'src/tests/ipa_ldap_opt-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/ipa_ldap_opt-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Tpo src/tests/$(DEPDIR)/ipa_ldap_opt_tests-ipa_ldap_opt-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/ipa_ldap_opt-tests.c' object='src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ipa_ldap_opt_tests_CFLAGS) $(CFLAGS) -c -o src/tests/ipa_ldap_opt_tests-ipa_ldap_opt-tests.obj `if test -f 'src/tests/ipa_ldap_opt-tests.c'; then $(CYGPATH_W) 'src/tests/ipa_ldap_opt-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/ipa_ldap_opt-tests.c'; fi` + +src/tests/krb5_child_test-krb5_child-test.o: src/tests/krb5_child-test.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/tests/krb5_child_test-krb5_child-test.o -MD -MP -MF src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Tpo -c -o src/tests/krb5_child_test-krb5_child-test.o `test 
-f 'src/tests/krb5_child-test.c' || echo '$(srcdir)/'`src/tests/krb5_child-test.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Tpo src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/krb5_child-test.c' object='src/tests/krb5_child_test-krb5_child-test.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/tests/krb5_child_test-krb5_child-test.o `test -f 'src/tests/krb5_child-test.c' || echo '$(srcdir)/'`src/tests/krb5_child-test.c + +src/tests/krb5_child_test-krb5_child-test.obj: src/tests/krb5_child-test.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/tests/krb5_child_test-krb5_child-test.obj -MD -MP -MF src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Tpo -c -o src/tests/krb5_child_test-krb5_child-test.obj `if test -f 'src/tests/krb5_child-test.c'; then $(CYGPATH_W) 'src/tests/krb5_child-test.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/krb5_child-test.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Tpo src/tests/$(DEPDIR)/krb5_child_test-krb5_child-test.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/krb5_child-test.c' object='src/tests/krb5_child_test-krb5_child-test.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/tests/krb5_child_test-krb5_child-test.obj `if test -f 'src/tests/krb5_child-test.c'; then 
$(CYGPATH_W) 'src/tests/krb5_child-test.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/krb5_child-test.c'; fi` + +src/providers/krb5/krb5_child_test-krb5_utils.o: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_utils.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/krb5_child_test-krb5_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c + +src/providers/krb5/krb5_child_test-krb5_utils.obj: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_utils.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/krb5_child_test-krb5_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` + +src/providers/krb5/krb5_child_test-krb5_ccache.o: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_ccache.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/krb5_child_test-krb5_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo 
'$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/providers/krb5/krb5_child_test-krb5_ccache.obj: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_ccache.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/krb5_child_test-krb5_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` + +src/providers/krb5/krb5_child_test-krb5_child_handler.o: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_child_handler.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_child_handler.o `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/krb5_child_test-krb5_child_handler.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_child_handler.o `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c + +src/providers/krb5/krb5_child_test-krb5_child_handler.obj: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_child_handler.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_child_handler.obj `if test -f 'src/providers/krb5/krb5_child_handler.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child_handler.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child_handler.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_child_handler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/krb5_child_test-krb5_child_handler.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_child_handler.obj `if test -f 'src/providers/krb5/krb5_child_handler.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child_handler.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child_handler.c'; fi` + +src/providers/krb5/krb5_child_test-krb5_common.o: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_common.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/krb5_child_test-krb5_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c + +src/providers/krb5/krb5_child_test-krb5_common.obj: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_common.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then 
$(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/krb5_child_test-krb5_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` + +src/providers/krb5/krb5_child_test-krb5_opts.o: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_opts.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/krb5_child_test-krb5_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o 
src/providers/krb5/krb5_child_test-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/krb5_child_test-krb5_opts.obj: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child_test-krb5_opts.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Tpo -c -o src/providers/krb5/krb5_child_test-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/krb5_child_test-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/krb5_child_test-krb5_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child_test-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` + +src/util/krb5_child_test-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/util/krb5_child_test-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Tpo -c -o src/util/krb5_child_test-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Tpo src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/krb5_child_test-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child_test-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/krb5_child_test-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/util/krb5_child_test-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Tpo -c -o src/util/krb5_child_test-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Tpo src/util/$(DEPDIR)/krb5_child_test-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/krb5_child_test-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child_test-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/krb5_child_test-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT 
src/util/krb5_child_test-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Tpo -c -o src/util/krb5_child_test-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Tpo src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/krb5_child_test-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child_test-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/krb5_child_test-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/util/krb5_child_test-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Tpo -c -o src/util/krb5_child_test-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Tpo src/util/$(DEPDIR)/krb5_child_test-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/krb5_child_test-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child_test-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 
'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/providers/krb5_child_test-data_provider_fo.o: src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-data_provider_fo.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Tpo -c -o src/providers/krb5_child_test-data_provider_fo.o `test -f 'src/providers/data_provider_fo.c' || echo '$(srcdir)/'`src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Tpo src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_fo.c' object='src/providers/krb5_child_test-data_provider_fo.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-data_provider_fo.o `test -f 'src/providers/data_provider_fo.c' || echo '$(srcdir)/'`src/providers/data_provider_fo.c + +src/providers/krb5_child_test-data_provider_fo.obj: src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-data_provider_fo.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Tpo -c -o src/providers/krb5_child_test-data_provider_fo.obj `if test -f 'src/providers/data_provider_fo.c'; then $(CYGPATH_W) 'src/providers/data_provider_fo.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_fo.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Tpo src/providers/$(DEPDIR)/krb5_child_test-data_provider_fo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_fo.c' object='src/providers/krb5_child_test-data_provider_fo.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-data_provider_fo.obj `if test -f 'src/providers/data_provider_fo.c'; then $(CYGPATH_W) 'src/providers/data_provider_fo.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_fo.c'; fi` + +src/providers/krb5_child_test-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Tpo -c -o src/providers/krb5_child_test-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Tpo src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/krb5_child_test-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo 
'$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/krb5_child_test-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-data_provider_opts.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Tpo -c -o src/providers/krb5_child_test-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Tpo src/providers/$(DEPDIR)/krb5_child_test-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/krb5_child_test-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/providers/krb5_child_test-data_provider_callbacks.o: src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-data_provider_callbacks.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Tpo -c -o src/providers/krb5_child_test-data_provider_callbacks.o `test -f 'src/providers/data_provider_callbacks.c' || echo 
'$(srcdir)/'`src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Tpo src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_callbacks.c' object='src/providers/krb5_child_test-data_provider_callbacks.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-data_provider_callbacks.o `test -f 'src/providers/data_provider_callbacks.c' || echo '$(srcdir)/'`src/providers/data_provider_callbacks.c + +src/providers/krb5_child_test-data_provider_callbacks.obj: src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-data_provider_callbacks.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Tpo -c -o src/providers/krb5_child_test-data_provider_callbacks.obj `if test -f 'src/providers/data_provider_callbacks.c'; then $(CYGPATH_W) 'src/providers/data_provider_callbacks.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_callbacks.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Tpo src/providers/$(DEPDIR)/krb5_child_test-data_provider_callbacks.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_callbacks.c' object='src/providers/krb5_child_test-data_provider_callbacks.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-data_provider_callbacks.obj `if test -f 'src/providers/data_provider_callbacks.c'; then $(CYGPATH_W) 'src/providers/data_provider_callbacks.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_callbacks.c'; fi` + +src/util/krb5_child_test-become_user.o: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/util/krb5_child_test-become_user.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child_test-become_user.Tpo -c -o src/util/krb5_child_test-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child_test-become_user.Tpo src/util/$(DEPDIR)/krb5_child_test-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/krb5_child_test-become_user.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child_test-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/util/krb5_child_test-become_user.obj: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/util/krb5_child_test-become_user.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child_test-become_user.Tpo -c -o src/util/krb5_child_test-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/krb5_child_test-become_user.Tpo src/util/$(DEPDIR)/krb5_child_test-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/krb5_child_test-become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child_test-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` + +src/providers/krb5_child_test-fail_over.o: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-fail_over.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-fail_over.Tpo -c -o src/providers/krb5_child_test-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-fail_over.Tpo src/providers/$(DEPDIR)/krb5_child_test-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/krb5_child_test-fail_over.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c + +src/providers/krb5_child_test-fail_over.obj: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-fail_over.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-fail_over.Tpo -c -o src/providers/krb5_child_test-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-fail_over.Tpo src/providers/$(DEPDIR)/krb5_child_test-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/krb5_child_test-fail_over.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` + +src/providers/krb5_child_test-fail_over_srv.o: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-fail_over_srv.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Tpo -c -o src/providers/krb5_child_test-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Tpo src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/krb5_child_test-fail_over_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c + +src/providers/krb5_child_test-fail_over_srv.obj: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child_test-fail_over_srv.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Tpo -c -o src/providers/krb5_child_test-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Tpo src/providers/$(DEPDIR)/krb5_child_test-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/krb5_child_test-fail_over_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child_test-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` + +src/resolv/krb5_child_test-async_resolv.o: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_child_test-async_resolv.o -MD -MP -MF src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Tpo -c 
-o src/resolv/krb5_child_test-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Tpo src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/krb5_child_test-async_resolv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_child_test-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/krb5_child_test-async_resolv.obj: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_child_test-async_resolv.obj -MD -MP -MF src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Tpo -c -o src/resolv/krb5_child_test-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Tpo src/resolv/$(DEPDIR)/krb5_child_test-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/krb5_child_test-async_resolv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_child_test-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then 
$(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` + +src/resolv/krb5_child_test-async_resolv_utils.o: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_child_test-async_resolv_utils.o -MD -MP -MF src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Tpo -c -o src/resolv/krb5_child_test-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/krb5_child_test-async_resolv_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_child_test-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c + +src/resolv/krb5_child_test-async_resolv_utils.obj: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_child_test-async_resolv_utils.obj -MD -MP -MF src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Tpo -c -o src/resolv/krb5_child_test-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/krb5_child_test-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/krb5_child_test-async_resolv_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_test_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_child_test-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` + +src/tests/krb5_utils_tests-krb5_utils-tests.o: src/tests/krb5_utils-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/tests/krb5_utils_tests-krb5_utils-tests.o -MD -MP -MF src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Tpo -c -o src/tests/krb5_utils_tests-krb5_utils-tests.o `test -f 'src/tests/krb5_utils-tests.c' || echo '$(srcdir)/'`src/tests/krb5_utils-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Tpo src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/krb5_utils-tests.c' object='src/tests/krb5_utils_tests-krb5_utils-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/tests/krb5_utils_tests-krb5_utils-tests.o `test -f 'src/tests/krb5_utils-tests.c' || echo '$(srcdir)/'`src/tests/krb5_utils-tests.c + 
+src/tests/krb5_utils_tests-krb5_utils-tests.obj: src/tests/krb5_utils-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/tests/krb5_utils_tests-krb5_utils-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Tpo -c -o src/tests/krb5_utils_tests-krb5_utils-tests.obj `if test -f 'src/tests/krb5_utils-tests.c'; then $(CYGPATH_W) 'src/tests/krb5_utils-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/krb5_utils-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Tpo src/tests/$(DEPDIR)/krb5_utils_tests-krb5_utils-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/krb5_utils-tests.c' object='src/tests/krb5_utils_tests-krb5_utils-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/tests/krb5_utils_tests-krb5_utils-tests.obj `if test -f 'src/tests/krb5_utils-tests.c'; then $(CYGPATH_W) 'src/tests/krb5_utils-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/krb5_utils-tests.c'; fi` + +src/providers/krb5/krb5_utils_tests-krb5_utils.o: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_utils.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Tpo 
src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/krb5_utils_tests-krb5_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c + +src/providers/krb5/krb5_utils_tests-krb5_utils.obj: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_utils.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/krb5_utils_tests-krb5_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` + +src/providers/krb5/krb5_utils_tests-krb5_ccache.o: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_ccache.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/krb5_utils_tests-krb5_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/providers/krb5/krb5_utils_tests-krb5_ccache.obj: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_ccache.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Tpo 
src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/krb5_utils_tests-krb5_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` + +src/providers/krb5/krb5_utils_tests-krb5_common.o: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_common.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/krb5_utils_tests-krb5_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c + 
+src/providers/krb5/krb5_utils_tests-krb5_common.obj: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_common.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/krb5_utils_tests-krb5_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` + +src/providers/krb5/krb5_utils_tests-krb5_opts.o: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_opts.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/krb5_utils_tests-krb5_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/krb5_utils_tests-krb5_opts.obj: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_utils_tests-krb5_opts.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Tpo -c -o src/providers/krb5/krb5_utils_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/krb5_utils_tests-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/krb5_utils_tests-krb5_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_utils_tests-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else 
$(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` + +src/util/krb5_utils_tests-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/util/krb5_utils_tests-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Tpo -c -o src/util/krb5_utils_tests-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Tpo src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/krb5_utils_tests-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/util/krb5_utils_tests-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/krb5_utils_tests-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/util/krb5_utils_tests-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Tpo -c -o src/util/krb5_utils_tests-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Tpo src/util/$(DEPDIR)/krb5_utils_tests-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/krb5_utils_tests-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/util/krb5_utils_tests-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/krb5_utils_tests-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/util/krb5_utils_tests-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Tpo -c -o src/util/krb5_utils_tests-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Tpo src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/krb5_utils_tests-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/util/krb5_utils_tests-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/krb5_utils_tests-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/util/krb5_utils_tests-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Tpo -c -o src/util/krb5_utils_tests-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Tpo 
src/util/$(DEPDIR)/krb5_utils_tests-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/krb5_utils_tests-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/util/krb5_utils_tests-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/providers/krb5_utils_tests-data_provider_fo.o: src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-data_provider_fo.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Tpo -c -o src/providers/krb5_utils_tests-data_provider_fo.o `test -f 'src/providers/data_provider_fo.c' || echo '$(srcdir)/'`src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_fo.c' object='src/providers/krb5_utils_tests-data_provider_fo.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-data_provider_fo.o `test -f 'src/providers/data_provider_fo.c' || echo '$(srcdir)/'`src/providers/data_provider_fo.c + +src/providers/krb5_utils_tests-data_provider_fo.obj: src/providers/data_provider_fo.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-data_provider_fo.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Tpo -c -o src/providers/krb5_utils_tests-data_provider_fo.obj `if test -f 'src/providers/data_provider_fo.c'; then $(CYGPATH_W) 'src/providers/data_provider_fo.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_fo.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_fo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_fo.c' object='src/providers/krb5_utils_tests-data_provider_fo.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-data_provider_fo.obj `if test -f 'src/providers/data_provider_fo.c'; then $(CYGPATH_W) 'src/providers/data_provider_fo.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_fo.c'; fi` + +src/providers/krb5_utils_tests-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Tpo -c -o src/providers/krb5_utils_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/krb5_utils_tests-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/krb5_utils_tests-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-data_provider_opts.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Tpo -c -o src/providers/krb5_utils_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/krb5_utils_tests-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/providers/krb5_utils_tests-data_provider_callbacks.o: src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-data_provider_callbacks.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Tpo -c -o src/providers/krb5_utils_tests-data_provider_callbacks.o `test -f 'src/providers/data_provider_callbacks.c' || echo '$(srcdir)/'`src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_callbacks.c' object='src/providers/krb5_utils_tests-data_provider_callbacks.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-data_provider_callbacks.o `test -f 'src/providers/data_provider_callbacks.c' || echo '$(srcdir)/'`src/providers/data_provider_callbacks.c + +src/providers/krb5_utils_tests-data_provider_callbacks.obj: src/providers/data_provider_callbacks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-data_provider_callbacks.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Tpo -c -o src/providers/krb5_utils_tests-data_provider_callbacks.obj `if test -f 'src/providers/data_provider_callbacks.c'; then $(CYGPATH_W) 'src/providers/data_provider_callbacks.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/data_provider_callbacks.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-data_provider_callbacks.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_callbacks.c' object='src/providers/krb5_utils_tests-data_provider_callbacks.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-data_provider_callbacks.obj `if test -f 'src/providers/data_provider_callbacks.c'; then $(CYGPATH_W) 'src/providers/data_provider_callbacks.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_callbacks.c'; fi` + +src/util/krb5_utils_tests-become_user.o: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/util/krb5_utils_tests-become_user.o -MD -MP -MF src/util/$(DEPDIR)/krb5_utils_tests-become_user.Tpo -c -o src/util/krb5_utils_tests-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_utils_tests-become_user.Tpo src/util/$(DEPDIR)/krb5_utils_tests-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/krb5_utils_tests-become_user.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/util/krb5_utils_tests-become_user.o `test -f 'src/util/become_user.c' || 
echo '$(srcdir)/'`src/util/become_user.c + +src/util/krb5_utils_tests-become_user.obj: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/util/krb5_utils_tests-become_user.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_utils_tests-become_user.Tpo -c -o src/util/krb5_utils_tests-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_utils_tests-become_user.Tpo src/util/$(DEPDIR)/krb5_utils_tests-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/krb5_utils_tests-become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/util/krb5_utils_tests-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` + +src/providers/krb5_utils_tests-fail_over.o: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-fail_over.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Tpo -c -o src/providers/krb5_utils_tests-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' 
object='src/providers/krb5_utils_tests-fail_over.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c + +src/providers/krb5_utils_tests-fail_over.obj: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-fail_over.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Tpo -c -o src/providers/krb5_utils_tests-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/krb5_utils_tests-fail_over.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` + +src/providers/krb5_utils_tests-fail_over_srv.o: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT 
src/providers/krb5_utils_tests-fail_over_srv.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Tpo -c -o src/providers/krb5_utils_tests-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/krb5_utils_tests-fail_over_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c + +src/providers/krb5_utils_tests-fail_over_srv.obj: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/providers/krb5_utils_tests-fail_over_srv.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Tpo -c -o src/providers/krb5_utils_tests-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Tpo src/providers/$(DEPDIR)/krb5_utils_tests-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/krb5_utils_tests-fail_over_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_utils_tests-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` + +src/resolv/krb5_utils_tests-async_resolv.o: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_utils_tests-async_resolv.o -MD -MP -MF src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Tpo -c -o src/resolv/krb5_utils_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/krb5_utils_tests-async_resolv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_utils_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/krb5_utils_tests-async_resolv.obj: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_utils_tests-async_resolv.obj -MD -MP -MF src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Tpo -c -o src/resolv/krb5_utils_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) 
'$(srcdir)/src/resolv/async_resolv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/krb5_utils_tests-async_resolv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_utils_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` + +src/resolv/krb5_utils_tests-async_resolv_utils.o: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_utils_tests-async_resolv_utils.o -MD -MP -MF src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Tpo -c -o src/resolv/krb5_utils_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/krb5_utils_tests-async_resolv_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_utils_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo 
'$(srcdir)/'`src/resolv/async_resolv_utils.c + +src/resolv/krb5_utils_tests-async_resolv_utils.obj: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -MT src/resolv/krb5_utils_tests-async_resolv_utils.obj -MD -MP -MF src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Tpo -c -o src/resolv/krb5_utils_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/krb5_utils_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/krb5_utils_tests-async_resolv_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_utils_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/krb5_utils_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` + +src/providers/krb5/krb5_child-krb5_child.o: src/providers/krb5/krb5_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child-krb5_child.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Tpo -c -o src/providers/krb5/krb5_child-krb5_child.o `test -f 'src/providers/krb5/krb5_child.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Tpo src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child.c' object='src/providers/krb5/krb5_child-krb5_child.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child-krb5_child.o `test -f 'src/providers/krb5/krb5_child.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child.c + +src/providers/krb5/krb5_child-krb5_child.obj: src/providers/krb5/krb5_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child-krb5_child.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Tpo -c -o src/providers/krb5/krb5_child-krb5_child.obj `if test -f 'src/providers/krb5/krb5_child.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Tpo src/providers/krb5/$(DEPDIR)/krb5_child-krb5_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child.c' object='src/providers/krb5/krb5_child-krb5_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child-krb5_child.obj `if test -f 'src/providers/krb5/krb5_child.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child.c'; fi` + 
+src/providers/krb5/krb5_child-krb5_ccache.o: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child-krb5_ccache.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Tpo -c -o src/providers/krb5/krb5_child-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/krb5_child-krb5_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/providers/krb5/krb5_child-krb5_ccache.obj: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child-krb5_ccache.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Tpo -c -o src/providers/krb5/krb5_child-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/krb5_child-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' 
object='src/providers/krb5/krb5_child-krb5_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` + +src/providers/krb5/krb5_child-krb5_keytab.o: src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/krb5_child-krb5_keytab.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Tpo -c -o src/providers/krb5/krb5_child-krb5_keytab.o `test -f 'src/providers/krb5/krb5_keytab.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Tpo src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_keytab.c' object='src/providers/krb5/krb5_child-krb5_keytab.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child-krb5_keytab.o `test -f 'src/providers/krb5/krb5_keytab.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_keytab.c + +src/providers/krb5/krb5_child-krb5_keytab.obj: src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT 
src/providers/krb5/krb5_child-krb5_keytab.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Tpo -c -o src/providers/krb5/krb5_child-krb5_keytab.obj `if test -f 'src/providers/krb5/krb5_keytab.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_keytab.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Tpo src/providers/krb5/$(DEPDIR)/krb5_child-krb5_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_keytab.c' object='src/providers/krb5/krb5_child-krb5_keytab.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/krb5_child-krb5_keytab.obj `if test -f 'src/providers/krb5/krb5_keytab.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_keytab.c'; fi` + +src/providers/krb5_child-dp_pam_data_util.o: src/providers/dp_pam_data_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child-dp_pam_data_util.o -MD -MP -MF src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Tpo -c -o src/providers/krb5_child-dp_pam_data_util.o `test -f 'src/providers/dp_pam_data_util.c' || echo '$(srcdir)/'`src/providers/dp_pam_data_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Tpo src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/dp_pam_data_util.c' object='src/providers/krb5_child-dp_pam_data_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child-dp_pam_data_util.o `test -f 'src/providers/dp_pam_data_util.c' || echo '$(srcdir)/'`src/providers/dp_pam_data_util.c + +src/providers/krb5_child-dp_pam_data_util.obj: src/providers/dp_pam_data_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5_child-dp_pam_data_util.obj -MD -MP -MF src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Tpo -c -o src/providers/krb5_child-dp_pam_data_util.obj `if test -f 'src/providers/dp_pam_data_util.c'; then $(CYGPATH_W) 'src/providers/dp_pam_data_util.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/dp_pam_data_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Tpo src/providers/$(DEPDIR)/krb5_child-dp_pam_data_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/dp_pam_data_util.c' object='src/providers/krb5_child-dp_pam_data_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5_child-dp_pam_data_util.obj `if test -f 'src/providers/dp_pam_data_util.c'; then $(CYGPATH_W) 'src/providers/dp_pam_data_util.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/dp_pam_data_util.c'; fi` + +src/util/krb5_child-user_info_msg.o: src/util/user_info_msg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-user_info_msg.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-user_info_msg.Tpo -c -o 
src/util/krb5_child-user_info_msg.o `test -f 'src/util/user_info_msg.c' || echo '$(srcdir)/'`src/util/user_info_msg.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-user_info_msg.Tpo src/util/$(DEPDIR)/krb5_child-user_info_msg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/user_info_msg.c' object='src/util/krb5_child-user_info_msg.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-user_info_msg.o `test -f 'src/util/user_info_msg.c' || echo '$(srcdir)/'`src/util/user_info_msg.c + +src/util/krb5_child-user_info_msg.obj: src/util/user_info_msg.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-user_info_msg.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-user_info_msg.Tpo -c -o src/util/krb5_child-user_info_msg.obj `if test -f 'src/util/user_info_msg.c'; then $(CYGPATH_W) 'src/util/user_info_msg.c'; else $(CYGPATH_W) '$(srcdir)/src/util/user_info_msg.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-user_info_msg.Tpo src/util/$(DEPDIR)/krb5_child-user_info_msg.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/user_info_msg.c' object='src/util/krb5_child-user_info_msg.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-user_info_msg.obj `if test -f 'src/util/user_info_msg.c'; then $(CYGPATH_W) 'src/util/user_info_msg.c'; else $(CYGPATH_W) '$(srcdir)/src/util/user_info_msg.c'; fi` + 
+src/util/krb5_child-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-sss_krb5.Tpo -c -o src/util/krb5_child-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-sss_krb5.Tpo src/util/$(DEPDIR)/krb5_child-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/krb5_child-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/krb5_child-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-sss_krb5.Tpo -c -o src/util/krb5_child-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-sss_krb5.Tpo src/util/$(DEPDIR)/krb5_child-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/krb5_child-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o 
src/util/krb5_child-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/krb5_child-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-sss_iobuf.Tpo -c -o src/util/krb5_child-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-sss_iobuf.Tpo src/util/$(DEPDIR)/krb5_child-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/krb5_child-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/krb5_child-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-sss_iobuf.Tpo -c -o src/util/krb5_child-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-sss_iobuf.Tpo src/util/$(DEPDIR)/krb5_child-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/krb5_child-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/util/krb5_child-find_uid.o: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-find_uid.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-find_uid.Tpo -c -o src/util/krb5_child-find_uid.o `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-find_uid.Tpo src/util/$(DEPDIR)/krb5_child-find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/find_uid.c' object='src/util/krb5_child-find_uid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-find_uid.o `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c + +src/util/krb5_child-find_uid.obj: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-find_uid.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-find_uid.Tpo -c -o src/util/krb5_child-find_uid.obj `if test -f 'src/util/find_uid.c'; then $(CYGPATH_W) 'src/util/find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/util/find_uid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-find_uid.Tpo src/util/$(DEPDIR)/krb5_child-find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/find_uid.c' object='src/util/krb5_child-find_uid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-find_uid.obj `if test -f 'src/util/find_uid.c'; then $(CYGPATH_W) 'src/util/find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/util/find_uid.c'; fi` + +src/util/krb5_child-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-atomic_io.Tpo -c -o src/util/krb5_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-atomic_io.Tpo src/util/$(DEPDIR)/krb5_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/krb5_child-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/krb5_child-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-atomic_io.Tpo -c -o src/util/krb5_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) 
'$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-atomic_io.Tpo src/util/$(DEPDIR)/krb5_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/krb5_child-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/krb5_child-authtok.o: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-authtok.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-authtok.Tpo -c -o src/util/krb5_child-authtok.o `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-authtok.Tpo src/util/$(DEPDIR)/krb5_child-authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/krb5_child-authtok.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-authtok.o `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c + +src/util/krb5_child-authtok.obj: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-authtok.obj -MD -MP -MF 
src/util/$(DEPDIR)/krb5_child-authtok.Tpo -c -o src/util/krb5_child-authtok.obj `if test -f 'src/util/authtok.c'; then $(CYGPATH_W) 'src/util/authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-authtok.Tpo src/util/$(DEPDIR)/krb5_child-authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/krb5_child-authtok.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-authtok.obj `if test -f 'src/util/authtok.c'; then $(CYGPATH_W) 'src/util/authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok.c'; fi` + +src/util/krb5_child-authtok-utils.o: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-authtok-utils.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-authtok-utils.Tpo -c -o src/util/krb5_child-authtok-utils.o `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-authtok-utils.Tpo src/util/$(DEPDIR)/krb5_child-authtok-utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' object='src/util/krb5_child-authtok-utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-authtok-utils.o `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c + 
+src/util/krb5_child-authtok-utils.obj: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-authtok-utils.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-authtok-utils.Tpo -c -o src/util/krb5_child-authtok-utils.obj `if test -f 'src/util/authtok-utils.c'; then $(CYGPATH_W) 'src/util/authtok-utils.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok-utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-authtok-utils.Tpo src/util/$(DEPDIR)/krb5_child-authtok-utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' object='src/util/krb5_child-authtok-utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-authtok-utils.obj `if test -f 'src/util/authtok-utils.c'; then $(CYGPATH_W) 'src/util/authtok-utils.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok-utils.c'; fi` + +src/util/krb5_child-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-util.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-util.Tpo -c -o src/util/krb5_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-util.Tpo src/util/$(DEPDIR)/krb5_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/krb5_child-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/krb5_child-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-util.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-util.Tpo -c -o src/util/krb5_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-util.Tpo src/util/$(DEPDIR)/krb5_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/krb5_child-util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/krb5_child-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-util_ext.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-util_ext.Tpo -c -o src/util/krb5_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-util_ext.Tpo src/util/$(DEPDIR)/krb5_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/krb5_child-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/krb5_child-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-util_ext.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-util_ext.Tpo -c -o src/util/krb5_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-util_ext.Tpo src/util/$(DEPDIR)/krb5_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/krb5_child-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/util/krb5_child-signal.o: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-signal.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-signal.Tpo -c -o src/util/krb5_child-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-signal.Tpo src/util/$(DEPDIR)/krb5_child-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' 
object='src/util/krb5_child-signal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c + +src/util/krb5_child-signal.obj: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-signal.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-signal.Tpo -c -o src/util/krb5_child-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-signal.Tpo src/util/$(DEPDIR)/krb5_child-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/krb5_child-signal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` + +src/util/krb5_child-strtonum.o: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-strtonum.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-strtonum.Tpo -c -o src/util/krb5_child-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-strtonum.Tpo 
src/util/$(DEPDIR)/krb5_child-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/krb5_child-strtonum.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c + +src/util/krb5_child-strtonum.obj: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-strtonum.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-strtonum.Tpo -c -o src/util/krb5_child-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-strtonum.Tpo src/util/$(DEPDIR)/krb5_child-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/krb5_child-strtonum.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` + +src/util/krb5_child-become_user.o: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-become_user.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-become_user.Tpo -c -o 
src/util/krb5_child-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-become_user.Tpo src/util/$(DEPDIR)/krb5_child-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/krb5_child-become_user.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/util/krb5_child-become_user.obj: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-become_user.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-become_user.Tpo -c -o src/util/krb5_child-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-become_user.Tpo src/util/$(DEPDIR)/krb5_child-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/krb5_child-become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` + +src/util/krb5_child-util_errors.o: src/util/util_errors.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-util_errors.o -MD -MP -MF src/util/$(DEPDIR)/krb5_child-util_errors.Tpo -c -o src/util/krb5_child-util_errors.o `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-util_errors.Tpo src/util/$(DEPDIR)/krb5_child-util_errors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/krb5_child-util_errors.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/util/krb5_child-util_errors.o `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c + +src/util/krb5_child-util_errors.obj: src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/util/krb5_child-util_errors.obj -MD -MP -MF src/util/$(DEPDIR)/krb5_child-util_errors.Tpo -c -o src/util/krb5_child-util_errors.obj `if test -f 'src/util/util_errors.c'; then $(CYGPATH_W) 'src/util/util_errors.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_errors.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/krb5_child-util_errors.Tpo src/util/$(DEPDIR)/krb5_child-util_errors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/krb5_child-util_errors.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o 
src/util/krb5_child-util_errors.obj `if test -f 'src/util/util_errors.c'; then $(CYGPATH_W) 'src/util/util_errors.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_errors.c'; fi` + +src/sss_client/krb5_child-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/sss_client/krb5_child-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/krb5_child-common.Tpo -c -o src/sss_client/krb5_child-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/krb5_child-common.Tpo src/sss_client/$(DEPDIR)/krb5_child-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/krb5_child-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/sss_client/krb5_child-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/krb5_child-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -MT src/sss_client/krb5_child-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/krb5_child-common.Tpo -c -o src/sss_client/krb5_child-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/krb5_child-common.Tpo src/sss_client/$(DEPDIR)/krb5_child-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/krb5_child-common.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_child_CFLAGS) $(CFLAGS) -c -o src/sss_client/krb5_child-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tests/cmocka/krb5_common_test-test_krb5_common.o: src/tests/cmocka/test_krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_common_test_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/krb5_common_test-test_krb5_common.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Tpo -c -o src/tests/cmocka/krb5_common_test-test_krb5_common.o `test -f 'src/tests/cmocka/test_krb5_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Tpo src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_krb5_common.c' object='src/tests/cmocka/krb5_common_test-test_krb5_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_common_test_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/krb5_common_test-test_krb5_common.o `test -f 'src/tests/cmocka/test_krb5_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_krb5_common.c + +src/tests/cmocka/krb5_common_test-test_krb5_common.obj: src/tests/cmocka/test_krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_common_test_CFLAGS) $(CFLAGS) -MT 
src/tests/cmocka/krb5_common_test-test_krb5_common.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Tpo -c -o src/tests/cmocka/krb5_common_test-test_krb5_common.obj `if test -f 'src/tests/cmocka/test_krb5_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_krb5_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Tpo src/tests/cmocka/$(DEPDIR)/krb5_common_test-test_krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_krb5_common.c' object='src/tests/cmocka/krb5_common_test-test_krb5_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(krb5_common_test_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/krb5_common_test-test_krb5_common.obj `if test -f 'src/tests/cmocka/test_krb5_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_krb5_common.c'; fi` + +src/providers/ldap/ldap_child-ldap_child.o: src/providers/ldap/ldap_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ldap_child-ldap_child.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Tpo -c -o src/providers/ldap/ldap_child-ldap_child.o `test -f 'src/providers/ldap/ldap_child.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Tpo src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_child.c' object='src/providers/ldap/ldap_child-ldap_child.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ldap_child-ldap_child.o `test -f 'src/providers/ldap/ldap_child.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_child.c + +src/providers/ldap/ldap_child-ldap_child.obj: src/providers/ldap/ldap_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/providers/ldap/ldap_child-ldap_child.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Tpo -c -o src/providers/ldap/ldap_child-ldap_child.obj `if test -f 'src/providers/ldap/ldap_child.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Tpo src/providers/ldap/$(DEPDIR)/ldap_child-ldap_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_child.c' object='src/providers/ldap/ldap_child-ldap_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/ldap_child-ldap_child.obj `if test -f 'src/providers/ldap/ldap_child.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_child.c'; fi` + +src/providers/krb5/ldap_child-krb5_keytab.o: src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ldap_child-krb5_keytab.o 
-MD -MP -MF src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Tpo -c -o src/providers/krb5/ldap_child-krb5_keytab.o `test -f 'src/providers/krb5/krb5_keytab.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Tpo src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_keytab.c' object='src/providers/krb5/ldap_child-krb5_keytab.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ldap_child-krb5_keytab.o `test -f 'src/providers/krb5/krb5_keytab.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_keytab.c + +src/providers/krb5/ldap_child-krb5_keytab.obj: src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/providers/krb5/ldap_child-krb5_keytab.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Tpo -c -o src/providers/krb5/ldap_child-krb5_keytab.obj `if test -f 'src/providers/krb5/krb5_keytab.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_keytab.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Tpo src/providers/krb5/$(DEPDIR)/ldap_child-krb5_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_keytab.c' object='src/providers/krb5/ldap_child-krb5_keytab.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/ldap_child-krb5_keytab.obj `if test -f 'src/providers/krb5/krb5_keytab.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_keytab.c'; fi` + +src/util/ldap_child-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-sss_krb5.Tpo -c -o src/util/ldap_child-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-sss_krb5.Tpo src/util/$(DEPDIR)/ldap_child-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/ldap_child-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/ldap_child-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-sss_krb5.Tpo -c -o src/util/ldap_child-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-sss_krb5.Tpo src/util/$(DEPDIR)/ldap_child-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/ldap_child-sss_krb5.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/ldap_child-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-sss_iobuf.Tpo -c -o src/util/ldap_child-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-sss_iobuf.Tpo src/util/$(DEPDIR)/ldap_child-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/ldap_child-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/ldap_child-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-sss_iobuf.Tpo -c -o src/util/ldap_child-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-sss_iobuf.Tpo 
src/util/$(DEPDIR)/ldap_child-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/ldap_child-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/util/ldap_child-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-atomic_io.Tpo -c -o src/util/ldap_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-atomic_io.Tpo src/util/$(DEPDIR)/ldap_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/ldap_child-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/ldap_child-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-atomic_io.Tpo -c -o src/util/ldap_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then 
$(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-atomic_io.Tpo src/util/$(DEPDIR)/ldap_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/ldap_child-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/ldap_child-authtok.o: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-authtok.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-authtok.Tpo -c -o src/util/ldap_child-authtok.o `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-authtok.Tpo src/util/$(DEPDIR)/ldap_child-authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/ldap_child-authtok.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-authtok.o `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c + +src/util/ldap_child-authtok.obj: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT 
src/util/ldap_child-authtok.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-authtok.Tpo -c -o src/util/ldap_child-authtok.obj `if test -f 'src/util/authtok.c'; then $(CYGPATH_W) 'src/util/authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-authtok.Tpo src/util/$(DEPDIR)/ldap_child-authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/ldap_child-authtok.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-authtok.obj `if test -f 'src/util/authtok.c'; then $(CYGPATH_W) 'src/util/authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok.c'; fi` + +src/util/ldap_child-authtok-utils.o: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-authtok-utils.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-authtok-utils.Tpo -c -o src/util/ldap_child-authtok-utils.o `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-authtok-utils.Tpo src/util/$(DEPDIR)/ldap_child-authtok-utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' object='src/util/ldap_child-authtok-utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-authtok-utils.o `test -f 'src/util/authtok-utils.c' || echo 
'$(srcdir)/'`src/util/authtok-utils.c + +src/util/ldap_child-authtok-utils.obj: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-authtok-utils.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-authtok-utils.Tpo -c -o src/util/ldap_child-authtok-utils.obj `if test -f 'src/util/authtok-utils.c'; then $(CYGPATH_W) 'src/util/authtok-utils.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok-utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-authtok-utils.Tpo src/util/$(DEPDIR)/ldap_child-authtok-utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' object='src/util/ldap_child-authtok-utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-authtok-utils.obj `if test -f 'src/util/authtok-utils.c'; then $(CYGPATH_W) 'src/util/authtok-utils.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok-utils.c'; fi` + +src/util/ldap_child-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-util.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-util.Tpo -c -o src/util/ldap_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-util.Tpo src/util/$(DEPDIR)/ldap_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/ldap_child-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/ldap_child-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-util.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-util.Tpo -c -o src/util/ldap_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-util.Tpo src/util/$(DEPDIR)/ldap_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/ldap_child-util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/ldap_child-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-util_ext.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-util_ext.Tpo -c -o src/util/ldap_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-util_ext.Tpo src/util/$(DEPDIR)/ldap_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/ldap_child-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/ldap_child-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-util_ext.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-util_ext.Tpo -c -o src/util/ldap_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-util_ext.Tpo src/util/$(DEPDIR)/ldap_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/ldap_child-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/util/ldap_child-signal.o: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-signal.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-signal.Tpo -c -o src/util/ldap_child-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-signal.Tpo src/util/$(DEPDIR)/ldap_child-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/signal.c' object='src/util/ldap_child-signal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c + +src/util/ldap_child-signal.obj: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-signal.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-signal.Tpo -c -o src/util/ldap_child-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-signal.Tpo src/util/$(DEPDIR)/ldap_child-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/ldap_child-signal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` + +src/util/ldap_child-become_user.o: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-become_user.o -MD -MP -MF src/util/$(DEPDIR)/ldap_child-become_user.Tpo -c -o src/util/ldap_child-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-become_user.Tpo src/util/$(DEPDIR)/ldap_child-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/ldap_child-become_user.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/util/ldap_child-become_user.obj: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -MT src/util/ldap_child-become_user.obj -MD -MP -MF src/util/$(DEPDIR)/ldap_child-become_user.Tpo -c -o src/util/ldap_child-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ldap_child-become_user.Tpo src/util/$(DEPDIR)/ldap_child-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/ldap_child-become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ldap_child_CFLAGS) $(CFLAGS) -c -o src/util/ldap_child-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` + +src/util/nestedgroups_tests-sss_sockets.o: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/util/nestedgroups_tests-sss_sockets.o -MD -MP -MF src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Tpo -c -o src/util/nestedgroups_tests-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Tpo src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/nestedgroups_tests-sss_sockets.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/util/nestedgroups_tests-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c + +src/util/nestedgroups_tests-sss_sockets.obj: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/util/nestedgroups_tests-sss_sockets.obj -MD -MP -MF src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Tpo -c -o src/util/nestedgroups_tests-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Tpo src/util/$(DEPDIR)/nestedgroups_tests-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/nestedgroups_tests-sss_sockets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/util/nestedgroups_tests-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` + +src/util/nestedgroups_tests-sss_ldap.o: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/util/nestedgroups_tests-sss_ldap.o -MD -MP -MF src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Tpo -c -o src/util/nestedgroups_tests-sss_ldap.o `test -f 'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Tpo src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/nestedgroups_tests-sss_ldap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/util/nestedgroups_tests-sss_ldap.o `test -f 'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c + +src/util/nestedgroups_tests-sss_ldap.obj: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/util/nestedgroups_tests-sss_ldap.obj -MD -MP -MF src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Tpo -c -o src/util/nestedgroups_tests-sss_ldap.obj `if test -f 'src/util/sss_ldap.c'; then $(CYGPATH_W) 'src/util/sss_ldap.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_ldap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Tpo src/util/$(DEPDIR)/nestedgroups_tests-sss_ldap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/nestedgroups_tests-sss_ldap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/util/nestedgroups_tests-sss_ldap.obj `if test -f 'src/util/sss_ldap.c'; then $(CYGPATH_W) 'src/util/sss_ldap.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_ldap.c'; fi` + +src/providers/nestedgroups_tests-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/nestedgroups_tests-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Tpo -c -o src/providers/nestedgroups_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/nestedgroups_tests-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/nestedgroups_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/nestedgroups_tests-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/nestedgroups_tests-data_provider_opts.obj -MD -MP -MF src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Tpo -c -o src/providers/nestedgroups_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/nestedgroups_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/nestedgroups_tests-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/nestedgroups_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/providers/ldap/nestedgroups_tests-ldap_opts.o: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-ldap_opts.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Tpo -c -o src/providers/ldap/nestedgroups_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/nestedgroups_tests-ldap_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c + +src/providers/ldap/nestedgroups_tests-ldap_opts.obj: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-ldap_opts.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Tpo -c -o src/providers/ldap/nestedgroups_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/nestedgroups_tests-ldap_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` + 
+src/providers/ldap/nestedgroups_tests-ldap_options.o: src/providers/ldap/ldap_options.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-ldap_options.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Tpo -c -o src/providers/ldap/nestedgroups_tests-ldap_options.o `test -f 'src/providers/ldap/ldap_options.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_options.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_options.c' object='src/providers/ldap/nestedgroups_tests-ldap_options.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-ldap_options.o `test -f 'src/providers/ldap/ldap_options.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_options.c + +src/providers/ldap/nestedgroups_tests-ldap_options.obj: src/providers/ldap/ldap_options.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-ldap_options.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Tpo -c -o src/providers/ldap/nestedgroups_tests-ldap_options.obj `if test -f 'src/providers/ldap/ldap_options.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_options.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_options.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Tpo 
src/providers/ldap/$(DEPDIR)/nestedgroups_tests-ldap_options.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_options.c' object='src/providers/ldap/nestedgroups_tests-ldap_options.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-ldap_options.obj `if test -f 'src/providers/ldap/ldap_options.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_options.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_options.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap_domain.o: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_domain.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_domain.o `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' object='src/providers/ldap/nestedgroups_tests-sdap_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_domain.o `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c + 
+src/providers/ldap/nestedgroups_tests-sdap_domain.obj: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_domain.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_domain.obj `if test -f 'src/providers/ldap/sdap_domain.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' object='src/providers/ldap/nestedgroups_tests-sdap_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_domain.obj `if test -f 'src/providers/ldap/sdap_domain.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_domain.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap.o: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap.o `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Tpo 
src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/nestedgroups_tests-sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap.o `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c + +src/providers/ldap/nestedgroups_tests-sdap.obj: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap.obj `if test -f 'src/providers/ldap/sdap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/nestedgroups_tests-sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap.obj `if test -f 'src/providers/ldap/sdap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap_utils.o: 
src/providers/ldap/sdap_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_utils.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_utils.o `test -f 'src/providers/ldap/sdap_utils.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_utils.c' object='src/providers/ldap/nestedgroups_tests-sdap_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_utils.o `test -f 'src/providers/ldap/sdap_utils.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_utils.c + +src/providers/ldap/nestedgroups_tests-sdap_utils.obj: src/providers/ldap/sdap_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_utils.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_utils.obj `if test -f 'src/providers/ldap/sdap_utils.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/ldap/sdap_utils.c' object='src/providers/ldap/nestedgroups_tests-sdap_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_utils.obj `if test -f 'src/providers/ldap/sdap_utils.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_utils.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap_range.o: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_range.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_range.o `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/nestedgroups_tests-sdap_range.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_range.o `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c + +src/providers/ldap/nestedgroups_tests-sdap_range.obj: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_range.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_range.obj `if test -f 'src/providers/ldap/sdap_range.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_range.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_range.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_range.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/nestedgroups_tests-sdap_range.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_range.obj `if test -f 'src/providers/ldap/sdap_range.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_range.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_range.c'; fi` + +src/tests/cmocka/nestedgroups_tests-common_mock_sdap.o: src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-common_mock_sdap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Tpo -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sdap.o `test -f 'src/tests/cmocka/common_mock_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sdap.c' object='src/tests/cmocka/nestedgroups_tests-common_mock_sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sdap.o `test -f 'src/tests/cmocka/common_mock_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sdap.c + +src/tests/cmocka/nestedgroups_tests-common_mock_sdap.obj: src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-common_mock_sdap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Tpo -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sdap.obj `if test -f 'src/tests/cmocka/common_mock_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sdap.c' object='src/tests/cmocka/nestedgroups_tests-common_mock_sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sdap.obj `if test -f 'src/tests/cmocka/common_mock_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sdap.c'; 
else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sdap.c'; fi` + +src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.o: src/tests/cmocka/common_mock_sysdb_objects.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Tpo -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.o `test -f 'src/tests/cmocka/common_mock_sysdb_objects.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sysdb_objects.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sysdb_objects.c' object='src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.o `test -f 'src/tests/cmocka/common_mock_sysdb_objects.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sysdb_objects.c + +src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.obj: src/tests/cmocka/common_mock_sysdb_objects.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Tpo -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.obj 
`if test -f 'src/tests/cmocka/common_mock_sysdb_objects.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sysdb_objects.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sysdb_objects.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_sysdb_objects.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sysdb_objects.c' object='src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-common_mock_sysdb_objects.obj `if test -f 'src/tests/cmocka/common_mock_sysdb_objects.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sysdb_objects.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sysdb_objects.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap_idmap.o: src/providers/ldap/sdap_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_idmap.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_idmap.o `test -f 'src/providers/ldap/sdap_idmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_idmap.c' object='src/providers/ldap/nestedgroups_tests-sdap_idmap.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_idmap.o `test -f 'src/providers/ldap/sdap_idmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_idmap.c + +src/providers/ldap/nestedgroups_tests-sdap_idmap.obj: src/providers/ldap/sdap_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_idmap.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_idmap.obj `if test -f 'src/providers/ldap/sdap_idmap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_idmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_idmap.c' object='src/providers/ldap/nestedgroups_tests-sdap_idmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_idmap.obj `if test -f 'src/providers/ldap/sdap_idmap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_idmap.c'; fi` + +src/tests/cmocka/nestedgroups_tests-test_nested_groups.o: src/tests/cmocka/test_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-test_nested_groups.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Tpo -c -o src/tests/cmocka/nestedgroups_tests-test_nested_groups.o `test -f 'src/tests/cmocka/test_nested_groups.c' || echo '$(srcdir)/'`src/tests/cmocka/test_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_nested_groups.c' object='src/tests/cmocka/nestedgroups_tests-test_nested_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-test_nested_groups.o `test -f 'src/tests/cmocka/test_nested_groups.c' || echo '$(srcdir)/'`src/tests/cmocka/test_nested_groups.c + +src/tests/cmocka/nestedgroups_tests-test_nested_groups.obj: src/tests/cmocka/test_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-test_nested_groups.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Tpo -c -o src/tests/cmocka/nestedgroups_tests-test_nested_groups.obj `if test -f 'src/tests/cmocka/test_nested_groups.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_nested_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_nested_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-test_nested_groups.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_nested_groups.c' object='src/tests/cmocka/nestedgroups_tests-test_nested_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-test_nested_groups.obj `if test -f 'src/tests/cmocka/test_nested_groups.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_nested_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_nested_groups.c'; fi` + +src/tests/cmocka/nestedgroups_tests-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Tpo -c -o src/tests/cmocka/nestedgroups_tests-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/nestedgroups_tests-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + 
+src/tests/cmocka/nestedgroups_tests-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nestedgroups_tests-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Tpo -c -o src/tests/cmocka/nestedgroups_tests-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/nestedgroups_tests-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/nestedgroups_tests-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nestedgroups_tests-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.o: src/providers/ldap/sdap_async_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.o `test -f 'src/providers/ldap/sdap_async_nested_groups.c' || echo 
'$(srcdir)/'`src/providers/ldap/sdap_async_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_nested_groups.c' object='src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.o `test -f 'src/providers/ldap/sdap_async_nested_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_async_nested_groups.c + +src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.obj: src/providers/ldap/sdap_async_nested_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.obj `if test -f 'src/providers/ldap/sdap_async_nested_groups.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_async_nested_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_async_nested_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_async_nested_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_async_nested_groups.c' object='src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_async_nested_groups.obj `if test -f 'src/providers/ldap/sdap_async_nested_groups.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_async_nested_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_async_nested_groups.c'; fi` + +src/providers/ldap/nestedgroups_tests-sdap_ad_groups.o: src/providers/ldap/sdap_ad_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_ad_groups.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_ad_groups.o `test -f 'src/providers/ldap/sdap_ad_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_ad_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_ad_groups.c' object='src/providers/ldap/nestedgroups_tests-sdap_ad_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_ad_groups.o `test -f 'src/providers/ldap/sdap_ad_groups.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_ad_groups.c + +src/providers/ldap/nestedgroups_tests-sdap_ad_groups.obj: src/providers/ldap/sdap_ad_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/nestedgroups_tests-sdap_ad_groups.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Tpo -c -o src/providers/ldap/nestedgroups_tests-sdap_ad_groups.obj `if test -f 'src/providers/ldap/sdap_ad_groups.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_ad_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_ad_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Tpo src/providers/ldap/$(DEPDIR)/nestedgroups_tests-sdap_ad_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_ad_groups.c' object='src/providers/ldap/nestedgroups_tests-sdap_ad_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/nestedgroups_tests-sdap_ad_groups.obj `if test -f 'src/providers/ldap/sdap_ad_groups.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_ad_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_ad_groups.c'; fi` + +src/providers/ipa/nestedgroups_tests-ipa_dn.o: src/providers/ipa/ipa_dn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/nestedgroups_tests-ipa_dn.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Tpo -c -o src/providers/ipa/nestedgroups_tests-ipa_dn.o `test -f 'src/providers/ipa/ipa_dn.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Tpo src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_dn.c' object='src/providers/ipa/nestedgroups_tests-ipa_dn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/nestedgroups_tests-ipa_dn.o `test -f 'src/providers/ipa/ipa_dn.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_dn.c + +src/providers/ipa/nestedgroups_tests-ipa_dn.obj: src/providers/ipa/ipa_dn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/nestedgroups_tests-ipa_dn.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Tpo -c -o src/providers/ipa/nestedgroups_tests-ipa_dn.obj `if test -f 'src/providers/ipa/ipa_dn.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_dn.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_dn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Tpo src/providers/ipa/$(DEPDIR)/nestedgroups_tests-ipa_dn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_dn.c' object='src/providers/ipa/nestedgroups_tests-ipa_dn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nestedgroups_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/nestedgroups_tests-ipa_dn.obj `if test -f 'src/providers/ipa/ipa_dn.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_dn.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_dn.c'; fi` + +src/tests/cmocka/nss_srv_tests-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nss_srv_tests-common_mock_resp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/nss_srv_tests-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/nss_srv_tests-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nss_srv_tests-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/nss_srv_tests-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.o: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c + +src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.obj: 
src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/nss_srv_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nss_srv_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` + +src/responder/common/nss_srv_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Tpo -c -o src/responder/common/nss_srv_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/nss_srv_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/nss_srv_tests-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Tpo -c -o src/responder/common/nss_srv_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/nss_srv_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/nss_srv_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/nss_srv_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Tpo -c -o src/responder/common/nss_srv_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/nss_srv_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/nss_srv_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Tpo -c -o src/responder/common/nss_srv_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; 
then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/nss_srv_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/nss_srv_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Tpo -c -o src/responder/common/nss_srv_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/nss_srv_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/nss_srv_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Tpo -c -o src/responder/common/nss_srv_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/nss_srv_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/nss_srv_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-negcache.o -MD -MP -MF 
src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Tpo -c -o src/responder/common/nss_srv_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/nss_srv_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/nss_srv_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Tpo -c -o src/responder/common/nss_srv_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/nss_srv_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/nss_srv_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Tpo -c -o src/responder/common/nss_srv_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/nss_srv_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/nss_srv_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Tpo -c -o 
src/responder/common/nss_srv_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/nss_srv_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/data_provider/nss_srv_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/nss_srv_tests-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/nss_srv_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/nss_srv_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/nss_srv_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/nss_srv_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/nss_srv_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/nss_srv_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/nss_srv_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/data_provider/nss_srv_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/nss_srv_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/nss_srv_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/nss_srv_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/nss_srv_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/nss_srv_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/nss_srv_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/data_provider/nss_srv_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/nss_srv_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/nss_srv_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/nss_srv_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/nss_srv_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/responder/common/nss_srv_tests-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Tpo -c -o src/responder/common/nss_srv_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/nss_srv_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/nss_srv_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/nss_srv_tests-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/nss_srv_tests-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Tpo -c -o src/responder/common/nss_srv_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/nss_srv_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/nss_srv_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/nss_srv_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/util/nss_srv_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/nss_srv_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/nss_srv_tests-session_recording.Tpo -c -o src/util/nss_srv_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/nss_srv_tests-session_recording.Tpo src/util/$(DEPDIR)/nss_srv_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/nss_srv_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/nss_srv_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/nss_srv_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/nss_srv_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/nss_srv_tests-session_recording.Tpo -c -o src/util/nss_srv_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/nss_srv_tests-session_recording.Tpo src/util/$(DEPDIR)/nss_srv_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/nss_srv_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/nss_srv_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/cache_req/nss_srv_tests-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req.o `test -f 
'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/nss_srv_tests-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/nss_srv_tests-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_result.o -MD -MP -MF 
src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/nss_srv_tests-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Tpo 
src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/nss_srv_tests-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/nss_srv_tests-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + 
+src/responder/common/cache_req/nss_srv_tests-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/nss_srv_tests-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/nss_srv_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' 
object='src/responder/common/cache_req/nss_srv_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/nss_srv_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_domain.obj `if test -f 
'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/nss_srv_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/nss_srv_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.o' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) 
$(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + 
+src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.obj 
`if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_name.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c 
-o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + 
+src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Tpo -c -o 
src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; 
fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.obj: 
src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; 
then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' 
object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then 
$(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' 
object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/nss_srv_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/nss_srv_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/responder/common/iface/nss_srv_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/nss_srv_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/nss_srv_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/nss_srv_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/nss_srv_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo 
'$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/nss_srv_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/nss_srv_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/nss_srv_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/nss_srv_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/nss_srv_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/nss_srv_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/nss_srv_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/nss_srv_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_iface_generated.o `test -f 
'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/nss_srv_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/nss_srv_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/nss_srv_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/nss_srv_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/nss_srv_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/nss_srv_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/nss_srv_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/tests/cmocka/nss_srv_tests-test_nss_srv.o: src/tests/cmocka/test_nss_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nss_srv_tests-test_nss_srv.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Tpo -c -o src/tests/cmocka/nss_srv_tests-test_nss_srv.o `test -f 'src/tests/cmocka/test_nss_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_nss_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Tpo src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_nss_srv.c' object='src/tests/cmocka/nss_srv_tests-test_nss_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nss_srv_tests-test_nss_srv.o `test -f 'src/tests/cmocka/test_nss_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_nss_srv.c + +src/tests/cmocka/nss_srv_tests-test_nss_srv.obj: 
src/tests/cmocka/test_nss_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/nss_srv_tests-test_nss_srv.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Tpo -c -o src/tests/cmocka/nss_srv_tests-test_nss_srv.obj `if test -f 'src/tests/cmocka/test_nss_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_nss_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_nss_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Tpo src/tests/cmocka/$(DEPDIR)/nss_srv_tests-test_nss_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_nss_srv.c' object='src/tests/cmocka/nss_srv_tests-test_nss_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/nss_srv_tests-test_nss_srv.obj `if test -f 'src/tests/cmocka/test_nss_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_nss_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_nss_srv.c'; fi` + +src/responder/nss/nss_srv_tests-nss_cmd.o: src/responder/nss/nss_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_cmd.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Tpo -c -o src/responder/nss/nss_srv_tests-nss_cmd.o `test -f 'src/responder/nss/nss_cmd.c' || echo '$(srcdir)/'`src/responder/nss/nss_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_cmd.c' 
object='src/responder/nss/nss_srv_tests-nss_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_cmd.o `test -f 'src/responder/nss/nss_cmd.c' || echo '$(srcdir)/'`src/responder/nss/nss_cmd.c + +src/responder/nss/nss_srv_tests-nss_cmd.obj: src/responder/nss/nss_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_cmd.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Tpo -c -o src/responder/nss/nss_srv_tests-nss_cmd.obj `if test -f 'src/responder/nss/nss_cmd.c'; then $(CYGPATH_W) 'src/responder/nss/nss_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_cmd.c' object='src/responder/nss/nss_srv_tests-nss_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_cmd.obj `if test -f 'src/responder/nss/nss_cmd.c'; then $(CYGPATH_W) 'src/responder/nss/nss_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_cmd.c'; fi` + +src/responder/nss/nss_srv_tests-nss_enum.o: src/responder/nss/nss_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/nss/nss_srv_tests-nss_enum.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Tpo -c -o src/responder/nss/nss_srv_tests-nss_enum.o `test -f 'src/responder/nss/nss_enum.c' || echo '$(srcdir)/'`src/responder/nss/nss_enum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_enum.c' object='src/responder/nss/nss_srv_tests-nss_enum.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_enum.o `test -f 'src/responder/nss/nss_enum.c' || echo '$(srcdir)/'`src/responder/nss/nss_enum.c + +src/responder/nss/nss_srv_tests-nss_enum.obj: src/responder/nss/nss_enum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_enum.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Tpo -c -o src/responder/nss/nss_srv_tests-nss_enum.obj `if test -f 'src/responder/nss/nss_enum.c'; then $(CYGPATH_W) 'src/responder/nss/nss_enum.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_enum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_enum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_enum.c' object='src/responder/nss/nss_srv_tests-nss_enum.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_enum.obj `if test -f 'src/responder/nss/nss_enum.c'; then $(CYGPATH_W) 'src/responder/nss/nss_enum.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_enum.c'; fi` + +src/responder/nss/nss_srv_tests-nss_get_object.o: src/responder/nss/nss_get_object.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_get_object.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Tpo -c -o src/responder/nss/nss_srv_tests-nss_get_object.o `test -f 'src/responder/nss/nss_get_object.c' || echo '$(srcdir)/'`src/responder/nss/nss_get_object.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_get_object.c' object='src/responder/nss/nss_srv_tests-nss_get_object.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_get_object.o `test -f 'src/responder/nss/nss_get_object.c' || echo '$(srcdir)/'`src/responder/nss/nss_get_object.c + +src/responder/nss/nss_srv_tests-nss_get_object.obj: src/responder/nss/nss_get_object.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_get_object.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Tpo -c -o src/responder/nss/nss_srv_tests-nss_get_object.obj `if test -f 'src/responder/nss/nss_get_object.c'; then 
$(CYGPATH_W) 'src/responder/nss/nss_get_object.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_get_object.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_get_object.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_get_object.c' object='src/responder/nss/nss_srv_tests-nss_get_object.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_get_object.obj `if test -f 'src/responder/nss/nss_get_object.c'; then $(CYGPATH_W) 'src/responder/nss/nss_get_object.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_get_object.c'; fi` + +src/responder/nss/nss_srv_tests-nss_protocol.o: src/responder/nss/nss_protocol.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol.o `test -f 'src/responder/nss/nss_protocol.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol.c' object='src/responder/nss/nss_srv_tests-nss_protocol.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) 
$(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol.o `test -f 'src/responder/nss/nss_protocol.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol.c + +src/responder/nss/nss_srv_tests-nss_protocol.obj: src/responder/nss/nss_protocol.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol.obj `if test -f 'src/responder/nss/nss_protocol.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol.c' object='src/responder/nss/nss_srv_tests-nss_protocol.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol.obj `if test -f 'src/responder/nss/nss_protocol.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol.c'; fi` + +src/responder/nss/nss_srv_tests-nss_protocol_pwent.o: src/responder/nss/nss_protocol_pwent.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_pwent.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_pwent.o `test -f 
'src/responder/nss/nss_protocol_pwent.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_pwent.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_pwent.c' object='src/responder/nss/nss_srv_tests-nss_protocol_pwent.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_pwent.o `test -f 'src/responder/nss/nss_protocol_pwent.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_pwent.c + +src/responder/nss/nss_srv_tests-nss_protocol_pwent.obj: src/responder/nss/nss_protocol_pwent.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_pwent.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_pwent.obj `if test -f 'src/responder/nss/nss_protocol_pwent.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_pwent.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_pwent.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_pwent.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_pwent.c' object='src/responder/nss/nss_srv_tests-nss_protocol_pwent.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_pwent.obj `if test -f 'src/responder/nss/nss_protocol_pwent.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_pwent.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_pwent.c'; fi` + +src/responder/nss/nss_srv_tests-nss_protocol_grent.o: src/responder/nss/nss_protocol_grent.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_grent.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_grent.o `test -f 'src/responder/nss/nss_protocol_grent.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_grent.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_grent.c' object='src/responder/nss/nss_srv_tests-nss_protocol_grent.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_grent.o `test -f 'src/responder/nss/nss_protocol_grent.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_grent.c + +src/responder/nss/nss_srv_tests-nss_protocol_grent.obj: src/responder/nss/nss_protocol_grent.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_grent.obj -MD -MP -MF 
src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_grent.obj `if test -f 'src/responder/nss/nss_protocol_grent.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_grent.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_grent.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_grent.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_grent.c' object='src/responder/nss/nss_srv_tests-nss_protocol_grent.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_grent.obj `if test -f 'src/responder/nss/nss_protocol_grent.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_grent.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_grent.c'; fi` + +src/responder/nss/nss_srv_tests-nss_protocol_netgr.o: src/responder/nss/nss_protocol_netgr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_netgr.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_netgr.o `test -f 'src/responder/nss/nss_protocol_netgr.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_netgr.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_netgr.c' 
object='src/responder/nss/nss_srv_tests-nss_protocol_netgr.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_netgr.o `test -f 'src/responder/nss/nss_protocol_netgr.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_netgr.c + +src/responder/nss/nss_srv_tests-nss_protocol_netgr.obj: src/responder/nss/nss_protocol_netgr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_netgr.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_netgr.obj `if test -f 'src/responder/nss/nss_protocol_netgr.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_netgr.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_netgr.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_netgr.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_netgr.c' object='src/responder/nss/nss_srv_tests-nss_protocol_netgr.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_netgr.obj `if test -f 'src/responder/nss/nss_protocol_netgr.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_netgr.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_netgr.c'; fi` + 
+src/responder/nss/nss_srv_tests-nss_protocol_svcent.o: src/responder/nss/nss_protocol_svcent.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_svcent.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_svcent.o `test -f 'src/responder/nss/nss_protocol_svcent.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_svcent.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_svcent.c' object='src/responder/nss/nss_srv_tests-nss_protocol_svcent.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_svcent.o `test -f 'src/responder/nss/nss_protocol_svcent.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_svcent.c + +src/responder/nss/nss_srv_tests-nss_protocol_svcent.obj: src/responder/nss/nss_protocol_svcent.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_svcent.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_svcent.obj `if test -f 'src/responder/nss/nss_protocol_svcent.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_svcent.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_svcent.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_svcent.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_svcent.c' object='src/responder/nss/nss_srv_tests-nss_protocol_svcent.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_svcent.obj `if test -f 'src/responder/nss/nss_protocol_svcent.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_svcent.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_svcent.c'; fi` + +src/responder/nss/nss_srv_tests-nss_protocol_sid.o: src/responder/nss/nss_protocol_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_sid.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_sid.o `test -f 'src/responder/nss/nss_protocol_sid.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_sid.c' object='src/responder/nss/nss_srv_tests-nss_protocol_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_sid.o `test -f 
'src/responder/nss/nss_protocol_sid.c' || echo '$(srcdir)/'`src/responder/nss/nss_protocol_sid.c + +src/responder/nss/nss_srv_tests-nss_protocol_sid.obj: src/responder/nss/nss_protocol_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_protocol_sid.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Tpo -c -o src/responder/nss/nss_srv_tests-nss_protocol_sid.obj `if test -f 'src/responder/nss/nss_protocol_sid.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_protocol_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_protocol_sid.c' object='src/responder/nss/nss_srv_tests-nss_protocol_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_protocol_sid.obj `if test -f 'src/responder/nss/nss_protocol_sid.c'; then $(CYGPATH_W) 'src/responder/nss/nss_protocol_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_protocol_sid.c'; fi` + +src/responder/nss/nss_srv_tests-nss_utils.o: src/responder/nss/nss_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_utils.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Tpo -c -o src/responder/nss/nss_srv_tests-nss_utils.o `test -f 'src/responder/nss/nss_utils.c' || echo 
'$(srcdir)/'`src/responder/nss/nss_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_utils.c' object='src/responder/nss/nss_srv_tests-nss_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_utils.o `test -f 'src/responder/nss/nss_utils.c' || echo '$(srcdir)/'`src/responder/nss/nss_utils.c + +src/responder/nss/nss_srv_tests-nss_utils.obj: src/responder/nss/nss_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nss_utils.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Tpo -c -o src/responder/nss/nss_srv_tests-nss_utils.obj `if test -f 'src/responder/nss/nss_utils.c'; then $(CYGPATH_W) 'src/responder/nss/nss_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nss_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nss_utils.c' object='src/responder/nss/nss_srv_tests-nss_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nss_utils.obj `if test -f 'src/responder/nss/nss_utils.c'; then $(CYGPATH_W) 
'src/responder/nss/nss_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nss_utils.c'; fi` + +src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.o: src/responder/nss/nsssrv_mmap_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.o -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Tpo -c -o src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.o `test -f 'src/responder/nss/nsssrv_mmap_cache.c' || echo '$(srcdir)/'`src/responder/nss/nsssrv_mmap_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nsssrv_mmap_cache.c' object='src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.o `test -f 'src/responder/nss/nsssrv_mmap_cache.c' || echo '$(srcdir)/'`src/responder/nss/nsssrv_mmap_cache.c + +src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.obj: src/responder/nss/nsssrv_mmap_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.obj -MD -MP -MF src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Tpo -c -o src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.obj `if test -f 'src/responder/nss/nsssrv_mmap_cache.c'; then $(CYGPATH_W) 'src/responder/nss/nsssrv_mmap_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nsssrv_mmap_cache.c'; 
fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Tpo src/responder/nss/$(DEPDIR)/nss_srv_tests-nsssrv_mmap_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/nss/nsssrv_mmap_cache.c' object='src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(nss_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/nss/nss_srv_tests-nsssrv_mmap_cache.obj `if test -f 'src/responder/nss/nsssrv_mmap_cache.c'; then $(CYGPATH_W) 'src/responder/nss/nsssrv_mmap_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/nss/nsssrv_mmap_cache.c'; fi` + +src/p11_child/p11_child-p11_child_common.o: src/p11_child/p11_child_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/p11_child/p11_child-p11_child_common.o -MD -MP -MF src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Tpo -c -o src/p11_child/p11_child-p11_child_common.o `test -f 'src/p11_child/p11_child_common.c' || echo '$(srcdir)/'`src/p11_child/p11_child_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Tpo src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/p11_child/p11_child_common.c' object='src/p11_child/p11_child-p11_child_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/p11_child/p11_child-p11_child_common.o `test -f 'src/p11_child/p11_child_common.c' || echo 
'$(srcdir)/'`src/p11_child/p11_child_common.c + +src/p11_child/p11_child-p11_child_common.obj: src/p11_child/p11_child_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/p11_child/p11_child-p11_child_common.obj -MD -MP -MF src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Tpo -c -o src/p11_child/p11_child-p11_child_common.obj `if test -f 'src/p11_child/p11_child_common.c'; then $(CYGPATH_W) 'src/p11_child/p11_child_common.c'; else $(CYGPATH_W) '$(srcdir)/src/p11_child/p11_child_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Tpo src/p11_child/$(DEPDIR)/p11_child-p11_child_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/p11_child/p11_child_common.c' object='src/p11_child/p11_child-p11_child_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/p11_child/p11_child-p11_child_common.obj `if test -f 'src/p11_child/p11_child_common.c'; then $(CYGPATH_W) 'src/p11_child/p11_child_common.c'; else $(CYGPATH_W) '$(srcdir)/src/p11_child/p11_child_common.c'; fi` + +src/util/p11_child-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/util/p11_child-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/p11_child-atomic_io.Tpo -c -o src/util/p11_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/p11_child-atomic_io.Tpo src/util/$(DEPDIR)/p11_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' 
object='src/util/p11_child-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/util/p11_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/p11_child-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/util/p11_child-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/p11_child-atomic_io.Tpo -c -o src/util/p11_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/p11_child-atomic_io.Tpo src/util/$(DEPDIR)/p11_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/p11_child-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/util/p11_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/p11_child-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/util/p11_child-util.o -MD -MP -MF src/util/$(DEPDIR)/p11_child-util.Tpo -c -o src/util/p11_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/p11_child-util.Tpo 
src/util/$(DEPDIR)/p11_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/p11_child-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/util/p11_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/p11_child-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/util/p11_child-util.obj -MD -MP -MF src/util/$(DEPDIR)/p11_child-util.Tpo -c -o src/util/p11_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/p11_child-util.Tpo src/util/$(DEPDIR)/p11_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/p11_child-util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/util/p11_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/p11_child-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/util/p11_child-util_ext.o -MD -MP -MF src/util/$(DEPDIR)/p11_child-util_ext.Tpo -c -o src/util/p11_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/p11_child-util_ext.Tpo src/util/$(DEPDIR)/p11_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/p11_child-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/util/p11_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/p11_child-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/util/p11_child-util_ext.obj -MD -MP -MF src/util/$(DEPDIR)/p11_child-util_ext.Tpo -c -o src/util/p11_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/p11_child-util_ext.Tpo src/util/$(DEPDIR)/p11_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/p11_child-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/util/p11_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/p11_child/p11_child-p11_child_nss.o: src/p11_child/p11_child_nss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/p11_child/p11_child-p11_child_nss.o -MD -MP -MF 
src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Tpo -c -o src/p11_child/p11_child-p11_child_nss.o `test -f 'src/p11_child/p11_child_nss.c' || echo '$(srcdir)/'`src/p11_child/p11_child_nss.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Tpo src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/p11_child/p11_child_nss.c' object='src/p11_child/p11_child-p11_child_nss.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/p11_child/p11_child-p11_child_nss.o `test -f 'src/p11_child/p11_child_nss.c' || echo '$(srcdir)/'`src/p11_child/p11_child_nss.c + +src/p11_child/p11_child-p11_child_nss.obj: src/p11_child/p11_child_nss.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/p11_child/p11_child-p11_child_nss.obj -MD -MP -MF src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Tpo -c -o src/p11_child/p11_child-p11_child_nss.obj `if test -f 'src/p11_child/p11_child_nss.c'; then $(CYGPATH_W) 'src/p11_child/p11_child_nss.c'; else $(CYGPATH_W) '$(srcdir)/src/p11_child/p11_child_nss.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Tpo src/p11_child/$(DEPDIR)/p11_child-p11_child_nss.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/p11_child/p11_child_nss.c' object='src/p11_child/p11_child-p11_child_nss.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/p11_child/p11_child-p11_child_nss.obj 
`if test -f 'src/p11_child/p11_child_nss.c'; then $(CYGPATH_W) 'src/p11_child/p11_child_nss.c'; else $(CYGPATH_W) '$(srcdir)/src/p11_child/p11_child_nss.c'; fi` + +src/p11_child/p11_child-p11_child_openssl.o: src/p11_child/p11_child_openssl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/p11_child/p11_child-p11_child_openssl.o -MD -MP -MF src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Tpo -c -o src/p11_child/p11_child-p11_child_openssl.o `test -f 'src/p11_child/p11_child_openssl.c' || echo '$(srcdir)/'`src/p11_child/p11_child_openssl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Tpo src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/p11_child/p11_child_openssl.c' object='src/p11_child/p11_child-p11_child_openssl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/p11_child/p11_child-p11_child_openssl.o `test -f 'src/p11_child/p11_child_openssl.c' || echo '$(srcdir)/'`src/p11_child/p11_child_openssl.c + +src/p11_child/p11_child-p11_child_openssl.obj: src/p11_child/p11_child_openssl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -MT src/p11_child/p11_child-p11_child_openssl.obj -MD -MP -MF src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Tpo -c -o src/p11_child/p11_child-p11_child_openssl.obj `if test -f 'src/p11_child/p11_child_openssl.c'; then $(CYGPATH_W) 'src/p11_child/p11_child_openssl.c'; else $(CYGPATH_W) '$(srcdir)/src/p11_child/p11_child_openssl.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Tpo src/p11_child/$(DEPDIR)/p11_child-p11_child_openssl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/p11_child/p11_child_openssl.c' object='src/p11_child/p11_child-p11_child_openssl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(p11_child_CFLAGS) $(CFLAGS) -c -o src/p11_child/p11_child-p11_child_openssl.obj `if test -f 'src/p11_child/p11_child_openssl.c'; then $(CYGPATH_W) 'src/p11_child/p11_child_openssl.c'; else $(CYGPATH_W) '$(srcdir)/src/p11_child/p11_child_openssl.c'; fi` + +src/tests/cmocka/pam_srv_tests-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/pam_srv_tests-common_mock_resp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/pam_srv_tests-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo 
'$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/pam_srv_tests-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/pam_srv_tests-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/pam_srv_tests-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.o: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo 
'$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c + +src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.obj: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/pam_srv_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/pam_srv_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` + +src/responder/common/pam_srv_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Tpo -c -o src/responder/common/pam_srv_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/pam_srv_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/pam_srv_tests-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Tpo -c -o 
src/responder/common/pam_srv_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/pam_srv_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/pam_srv_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Tpo -c -o src/responder/common/pam_srv_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/pam_srv_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/pam_srv_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Tpo -c -o src/responder/common/pam_srv_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/pam_srv_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/pam_srv_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Tpo -c -o src/responder/common/pam_srv_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/pam_srv_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/pam_srv_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Tpo -c -o src/responder/common/pam_srv_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/pam_srv_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/pam_srv_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Tpo -c -o src/responder/common/pam_srv_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/pam_srv_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/pam_srv_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Tpo -c -o src/responder/common/pam_srv_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/pam_srv_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/pam_srv_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Tpo -c -o src/responder/common/pam_srv_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/pam_srv_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/pam_srv_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Tpo -c -o src/responder/common/pam_srv_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/pam_srv_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/data_provider/pam_srv_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/pam_srv_tests-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/pam_srv_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/pam_srv_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/pam_srv_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/pam_srv_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/pam_srv_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/pam_srv_tests-rdp_message.obj `if test -f 
'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/pam_srv_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/pam_srv_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/pam_srv_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/pam_srv_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/pam_srv_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/pam_srv_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/pam_srv_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/pam_srv_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/pam_srv_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/pam_srv_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/pam_srv_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/pam_srv_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/data_provider/pam_srv_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/responder/common/pam_srv_tests-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Tpo -c -o src/responder/common/pam_srv_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/pam_srv_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/pam_srv_tests-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/pam_srv_tests-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Tpo -c -o 
src/responder/common/pam_srv_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/pam_srv_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/pam_srv_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/pam_srv_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/util/pam_srv_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/pam_srv_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/pam_srv_tests-session_recording.Tpo -c -o src/util/pam_srv_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/pam_srv_tests-session_recording.Tpo src/util/$(DEPDIR)/pam_srv_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/pam_srv_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/pam_srv_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/pam_srv_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/pam_srv_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/pam_srv_tests-session_recording.Tpo -c -o src/util/pam_srv_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/pam_srv_tests-session_recording.Tpo src/util/$(DEPDIR)/pam_srv_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/pam_srv_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/pam_srv_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/cache_req/pam_srv_tests-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Tpo -c -o 
src/responder/common/cache_req/pam_srv_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/pam_srv_tests-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/pam_srv_tests-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + 
+src/responder/common/cache_req/pam_srv_tests-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/pam_srv_tests-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_search.o -MD -MP -MF 
src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/pam_srv_tests-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Tpo 
src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/pam_srv_tests-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/pam_srv_tests-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/pam_srv_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/pam_srv_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' 
object='src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/pam_srv_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/pam_srv_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.obj: 
src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_enum_svc.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.obj: 
src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + 
+src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' 
object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + 
+src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; 
else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' 
object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_svc_by_port.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + 
+src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + 
+src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/pam_srv_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/pam_srv_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/responder/common/iface/pam_srv_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Tpo -c -o 
src/responder/common/iface/pam_srv_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/pam_srv_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/pam_srv_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' 
object='src/responder/common/iface/pam_srv_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/pam_srv_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/pam_srv_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo 
'$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/pam_srv_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/pam_srv_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/pam_srv_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_ncache.o -MD -MP -MF 
src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/pam_srv_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/pam_srv_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/pam_srv_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/pam_srv_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/pam_srv_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c 
-o src/responder/common/iface/pam_srv_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/pam_srv_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/pam_srv_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/pam_srv_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/pam_srv_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/pam_srv_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/pam_srv_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/tests/cmocka/pam_srv_tests-test_pam_srv.o: 
src/tests/cmocka/test_pam_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/pam_srv_tests-test_pam_srv.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Tpo -c -o src/tests/cmocka/pam_srv_tests-test_pam_srv.o `test -f 'src/tests/cmocka/test_pam_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_pam_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Tpo src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_pam_srv.c' object='src/tests/cmocka/pam_srv_tests-test_pam_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/pam_srv_tests-test_pam_srv.o `test -f 'src/tests/cmocka/test_pam_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_pam_srv.c + +src/tests/cmocka/pam_srv_tests-test_pam_srv.obj: src/tests/cmocka/test_pam_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/pam_srv_tests-test_pam_srv.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Tpo -c -o src/tests/cmocka/pam_srv_tests-test_pam_srv.obj `if test -f 'src/tests/cmocka/test_pam_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_pam_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_pam_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Tpo src/tests/cmocka/$(DEPDIR)/pam_srv_tests-test_pam_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_pam_srv.c' 
object='src/tests/cmocka/pam_srv_tests-test_pam_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/pam_srv_tests-test_pam_srv.obj `if test -f 'src/tests/cmocka/test_pam_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_pam_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_pam_srv.c'; fi` + +src/sss_client/pam_srv_tests-pam_message.o: src/sss_client/pam_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/sss_client/pam_srv_tests-pam_message.o -MD -MP -MF src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Tpo -c -o src/sss_client/pam_srv_tests-pam_message.o `test -f 'src/sss_client/pam_message.c' || echo '$(srcdir)/'`src/sss_client/pam_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Tpo src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/pam_message.c' object='src/sss_client/pam_srv_tests-pam_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/sss_client/pam_srv_tests-pam_message.o `test -f 'src/sss_client/pam_message.c' || echo '$(srcdir)/'`src/sss_client/pam_message.c + +src/sss_client/pam_srv_tests-pam_message.obj: src/sss_client/pam_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/sss_client/pam_srv_tests-pam_message.obj -MD -MP -MF 
src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Tpo -c -o src/sss_client/pam_srv_tests-pam_message.obj `if test -f 'src/sss_client/pam_message.c'; then $(CYGPATH_W) 'src/sss_client/pam_message.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/pam_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Tpo src/sss_client/$(DEPDIR)/pam_srv_tests-pam_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/pam_message.c' object='src/sss_client/pam_srv_tests-pam_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/sss_client/pam_srv_tests-pam_message.obj `if test -f 'src/sss_client/pam_message.c'; then $(CYGPATH_W) 'src/sss_client/pam_message.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/pam_message.c'; fi` + +src/responder/pam/pam_srv_tests-pamsrv_cmd.o: src/responder/pam/pamsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pamsrv_cmd.o -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Tpo -c -o src/responder/pam/pam_srv_tests-pamsrv_cmd.o `test -f 'src/responder/pam/pamsrv_cmd.c' || echo '$(srcdir)/'`src/responder/pam/pamsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pamsrv_cmd.c' object='src/responder/pam/pam_srv_tests-pamsrv_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pamsrv_cmd.o `test -f 'src/responder/pam/pamsrv_cmd.c' || echo '$(srcdir)/'`src/responder/pam/pamsrv_cmd.c + +src/responder/pam/pam_srv_tests-pamsrv_cmd.obj: src/responder/pam/pamsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pamsrv_cmd.obj -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Tpo -c -o src/responder/pam/pam_srv_tests-pamsrv_cmd.obj `if test -f 'src/responder/pam/pamsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/pam/pamsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pamsrv_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pamsrv_cmd.c' object='src/responder/pam/pam_srv_tests-pamsrv_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pamsrv_cmd.obj `if test -f 'src/responder/pam/pamsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/pam/pamsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pamsrv_cmd.c'; fi` + +src/responder/pam/pam_srv_tests-pamsrv_p11.o: src/responder/pam/pamsrv_p11.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pamsrv_p11.o -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Tpo -c -o src/responder/pam/pam_srv_tests-pamsrv_p11.o `test -f 
'src/responder/pam/pamsrv_p11.c' || echo '$(srcdir)/'`src/responder/pam/pamsrv_p11.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pamsrv_p11.c' object='src/responder/pam/pam_srv_tests-pamsrv_p11.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pamsrv_p11.o `test -f 'src/responder/pam/pamsrv_p11.c' || echo '$(srcdir)/'`src/responder/pam/pamsrv_p11.c + +src/responder/pam/pam_srv_tests-pamsrv_p11.obj: src/responder/pam/pamsrv_p11.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pamsrv_p11.obj -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Tpo -c -o src/responder/pam/pam_srv_tests-pamsrv_p11.obj `if test -f 'src/responder/pam/pamsrv_p11.c'; then $(CYGPATH_W) 'src/responder/pam/pamsrv_p11.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pamsrv_p11.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_p11.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pamsrv_p11.c' object='src/responder/pam/pam_srv_tests-pamsrv_p11.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pamsrv_p11.obj `if test -f 
'src/responder/pam/pamsrv_p11.c'; then $(CYGPATH_W) 'src/responder/pam/pamsrv_p11.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pamsrv_p11.c'; fi` + +src/responder/pam/pam_srv_tests-pam_helpers.o: src/responder/pam/pam_helpers.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pam_helpers.o -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Tpo -c -o src/responder/pam/pam_srv_tests-pam_helpers.o `test -f 'src/responder/pam/pam_helpers.c' || echo '$(srcdir)/'`src/responder/pam/pam_helpers.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pam_helpers.c' object='src/responder/pam/pam_srv_tests-pam_helpers.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pam_helpers.o `test -f 'src/responder/pam/pam_helpers.c' || echo '$(srcdir)/'`src/responder/pam/pam_helpers.c + +src/responder/pam/pam_srv_tests-pam_helpers.obj: src/responder/pam/pam_helpers.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pam_helpers.obj -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Tpo -c -o src/responder/pam/pam_srv_tests-pam_helpers.obj `if test -f 'src/responder/pam/pam_helpers.c'; then $(CYGPATH_W) 'src/responder/pam/pam_helpers.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pam_helpers.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_helpers.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pam_helpers.c' object='src/responder/pam/pam_srv_tests-pam_helpers.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pam_helpers.obj `if test -f 'src/responder/pam/pam_helpers.c'; then $(CYGPATH_W) 'src/responder/pam/pam_helpers.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pam_helpers.c'; fi` + +src/responder/pam/pam_srv_tests-pamsrv_dp.o: src/responder/pam/pamsrv_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pamsrv_dp.o -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Tpo -c -o src/responder/pam/pam_srv_tests-pamsrv_dp.o `test -f 'src/responder/pam/pamsrv_dp.c' || echo '$(srcdir)/'`src/responder/pam/pamsrv_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pamsrv_dp.c' object='src/responder/pam/pam_srv_tests-pamsrv_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pamsrv_dp.o `test -f 'src/responder/pam/pamsrv_dp.c' || echo '$(srcdir)/'`src/responder/pam/pamsrv_dp.c + +src/responder/pam/pam_srv_tests-pamsrv_dp.obj: 
src/responder/pam/pamsrv_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pamsrv_dp.obj -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Tpo -c -o src/responder/pam/pam_srv_tests-pamsrv_dp.obj `if test -f 'src/responder/pam/pamsrv_dp.c'; then $(CYGPATH_W) 'src/responder/pam/pamsrv_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pamsrv_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pamsrv_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pamsrv_dp.c' object='src/responder/pam/pam_srv_tests-pamsrv_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pamsrv_dp.obj `if test -f 'src/responder/pam/pamsrv_dp.c'; then $(CYGPATH_W) 'src/responder/pam/pamsrv_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pamsrv_dp.c'; fi` + +src/responder/pam/pam_srv_tests-pam_LOCAL_domain.o: src/responder/pam/pam_LOCAL_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pam_LOCAL_domain.o -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Tpo -c -o src/responder/pam/pam_srv_tests-pam_LOCAL_domain.o `test -f 'src/responder/pam/pam_LOCAL_domain.c' || echo '$(srcdir)/'`src/responder/pam/pam_LOCAL_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pam_LOCAL_domain.c' object='src/responder/pam/pam_srv_tests-pam_LOCAL_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pam_LOCAL_domain.o `test -f 'src/responder/pam/pam_LOCAL_domain.c' || echo '$(srcdir)/'`src/responder/pam/pam_LOCAL_domain.c + +src/responder/pam/pam_srv_tests-pam_LOCAL_domain.obj: src/responder/pam/pam_LOCAL_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/pam/pam_srv_tests-pam_LOCAL_domain.obj -MD -MP -MF src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Tpo -c -o src/responder/pam/pam_srv_tests-pam_LOCAL_domain.obj `if test -f 'src/responder/pam/pam_LOCAL_domain.c'; then $(CYGPATH_W) 'src/responder/pam/pam_LOCAL_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pam/pam_LOCAL_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Tpo src/responder/pam/$(DEPDIR)/pam_srv_tests-pam_LOCAL_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pam/pam_LOCAL_domain.c' object='src/responder/pam/pam_srv_tests-pam_LOCAL_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/pam/pam_srv_tests-pam_LOCAL_domain.obj `if test -f 'src/responder/pam/pam_LOCAL_domain.c'; then $(CYGPATH_W) 'src/responder/pam/pam_LOCAL_domain.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/pam/pam_LOCAL_domain.c'; fi` + +src/providers/proxy/proxy_child-proxy_child.o: src/providers/proxy/proxy_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -MT src/providers/proxy/proxy_child-proxy_child.o -MD -MP -MF src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Tpo -c -o src/providers/proxy/proxy_child-proxy_child.o `test -f 'src/providers/proxy/proxy_child.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Tpo src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_child.c' object='src/providers/proxy/proxy_child-proxy_child.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/proxy_child-proxy_child.o `test -f 'src/providers/proxy/proxy_child.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_child.c + +src/providers/proxy/proxy_child-proxy_child.obj: src/providers/proxy/proxy_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -MT src/providers/proxy/proxy_child-proxy_child.obj -MD -MP -MF src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Tpo -c -o src/providers/proxy/proxy_child-proxy_child.obj `if test -f 'src/providers/proxy/proxy_child.c'; then $(CYGPATH_W) 'src/providers/proxy/proxy_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/proxy/proxy_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Tpo src/providers/proxy/$(DEPDIR)/proxy_child-proxy_child.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_child.c' object='src/providers/proxy/proxy_child-proxy_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/proxy_child-proxy_child.obj `if test -f 'src/providers/proxy/proxy_child.c'; then $(CYGPATH_W) 'src/providers/proxy/proxy_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/proxy/proxy_child.c'; fi` + +src/providers/proxy/proxy_child-proxy_iface_generated.o: src/providers/proxy/proxy_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -MT src/providers/proxy/proxy_child-proxy_iface_generated.o -MD -MP -MF src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Tpo -c -o src/providers/proxy/proxy_child-proxy_iface_generated.o `test -f 'src/providers/proxy/proxy_iface_generated.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Tpo src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_iface_generated.c' object='src/providers/proxy/proxy_child-proxy_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/proxy_child-proxy_iface_generated.o `test -f 'src/providers/proxy/proxy_iface_generated.c' || echo '$(srcdir)/'`src/providers/proxy/proxy_iface_generated.c + 
+src/providers/proxy/proxy_child-proxy_iface_generated.obj: src/providers/proxy/proxy_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -MT src/providers/proxy/proxy_child-proxy_iface_generated.obj -MD -MP -MF src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Tpo -c -o src/providers/proxy/proxy_child-proxy_iface_generated.obj `if test -f 'src/providers/proxy/proxy_iface_generated.c'; then $(CYGPATH_W) 'src/providers/proxy/proxy_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/proxy/proxy_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Tpo src/providers/proxy/$(DEPDIR)/proxy_child-proxy_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/proxy/proxy_iface_generated.c' object='src/providers/proxy/proxy_child-proxy_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(proxy_child_CFLAGS) $(CFLAGS) -c -o src/providers/proxy/proxy_child-proxy_iface_generated.obj `if test -f 'src/providers/proxy/proxy_iface_generated.c'; then $(CYGPATH_W) 'src/providers/proxy/proxy_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/proxy/proxy_iface_generated.c'; fi` + +src/tests/refcount_tests-refcount-tests.o: src/tests/refcount-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(refcount_tests_CFLAGS) $(CFLAGS) -MT src/tests/refcount_tests-refcount-tests.o -MD -MP -MF src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Tpo -c -o src/tests/refcount_tests-refcount-tests.o `test -f 'src/tests/refcount-tests.c' || echo '$(srcdir)/'`src/tests/refcount-tests.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Tpo src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/refcount-tests.c' object='src/tests/refcount_tests-refcount-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(refcount_tests_CFLAGS) $(CFLAGS) -c -o src/tests/refcount_tests-refcount-tests.o `test -f 'src/tests/refcount-tests.c' || echo '$(srcdir)/'`src/tests/refcount-tests.c + +src/tests/refcount_tests-refcount-tests.obj: src/tests/refcount-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(refcount_tests_CFLAGS) $(CFLAGS) -MT src/tests/refcount_tests-refcount-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Tpo -c -o src/tests/refcount_tests-refcount-tests.obj `if test -f 'src/tests/refcount-tests.c'; then $(CYGPATH_W) 'src/tests/refcount-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/refcount-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Tpo src/tests/$(DEPDIR)/refcount_tests-refcount-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/refcount-tests.c' object='src/tests/refcount_tests-refcount-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(refcount_tests_CFLAGS) $(CFLAGS) -c -o src/tests/refcount_tests-refcount-tests.obj `if test -f 'src/tests/refcount-tests.c'; then $(CYGPATH_W) 'src/tests/refcount-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/refcount-tests.c'; fi` + 
+src/tests/resolv_tests-resolv-tests.o: src/tests/resolv-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/tests/resolv_tests-resolv-tests.o -MD -MP -MF src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Tpo -c -o src/tests/resolv_tests-resolv-tests.o `test -f 'src/tests/resolv-tests.c' || echo '$(srcdir)/'`src/tests/resolv-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Tpo src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/resolv-tests.c' object='src/tests/resolv_tests-resolv-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/resolv_tests-resolv-tests.o `test -f 'src/tests/resolv-tests.c' || echo '$(srcdir)/'`src/tests/resolv-tests.c + +src/tests/resolv_tests-resolv-tests.obj: src/tests/resolv-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/tests/resolv_tests-resolv-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Tpo -c -o src/tests/resolv_tests-resolv-tests.obj `if test -f 'src/tests/resolv-tests.c'; then $(CYGPATH_W) 'src/tests/resolv-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/resolv-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Tpo src/tests/$(DEPDIR)/resolv_tests-resolv-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/resolv-tests.c' object='src/tests/resolv_tests-resolv-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/resolv_tests-resolv-tests.obj `if test -f 'src/tests/resolv-tests.c'; then $(CYGPATH_W) 'src/tests/resolv-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/resolv-tests.c'; fi` + +src/tests/resolv_tests-common.o: src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/tests/resolv_tests-common.o -MD -MP -MF src/tests/$(DEPDIR)/resolv_tests-common.Tpo -c -o src/tests/resolv_tests-common.o `test -f 'src/tests/common.c' || echo '$(srcdir)/'`src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/resolv_tests-common.Tpo src/tests/$(DEPDIR)/resolv_tests-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common.c' object='src/tests/resolv_tests-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/resolv_tests-common.o `test -f 'src/tests/common.c' || echo '$(srcdir)/'`src/tests/common.c + +src/tests/resolv_tests-common.obj: src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/tests/resolv_tests-common.obj -MD -MP -MF src/tests/$(DEPDIR)/resolv_tests-common.Tpo -c -o src/tests/resolv_tests-common.obj `if test -f 'src/tests/common.c'; then $(CYGPATH_W) 'src/tests/common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/resolv_tests-common.Tpo src/tests/$(DEPDIR)/resolv_tests-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/common.c' object='src/tests/resolv_tests-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/resolv_tests-common.obj `if test -f 'src/tests/common.c'; then $(CYGPATH_W) 'src/tests/common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common.c'; fi` + +src/resolv/resolv_tests-async_resolv.o: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/resolv/resolv_tests-async_resolv.o -MD -MP -MF src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Tpo -c -o src/resolv/resolv_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/resolv_tests-async_resolv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/resolv_tests-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/resolv_tests-async_resolv.obj: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/resolv/resolv_tests-async_resolv.obj -MD -MP -MF src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Tpo -c -o src/resolv/resolv_tests-async_resolv.obj 
`if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Tpo src/resolv/$(DEPDIR)/resolv_tests-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/resolv_tests-async_resolv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/resolv_tests-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` + +src/resolv/resolv_tests-async_resolv_utils.o: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/resolv/resolv_tests-async_resolv_utils.o -MD -MP -MF src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Tpo -c -o src/resolv/resolv_tests-async_resolv_utils.o `test -f 'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/resolv_tests-async_resolv_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/resolv_tests-async_resolv_utils.o `test -f 
'src/resolv/async_resolv_utils.c' || echo '$(srcdir)/'`src/resolv/async_resolv_utils.c + +src/resolv/resolv_tests-async_resolv_utils.obj: src/resolv/async_resolv_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -MT src/resolv/resolv_tests-async_resolv_utils.obj -MD -MP -MF src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Tpo -c -o src/resolv/resolv_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Tpo src/resolv/$(DEPDIR)/resolv_tests-async_resolv_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv_utils.c' object='src/resolv/resolv_tests-async_resolv_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(resolv_tests_CFLAGS) $(CFLAGS) -c -o src/resolv/resolv_tests-async_resolv_utils.obj `if test -f 'src/resolv/async_resolv_utils.c'; then $(CYGPATH_W) 'src/resolv/async_resolv_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv_utils.c'; fi` + +src/responder/common/responder_get_domains_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Tpo -c -o src/responder/common/responder_get_domains_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo 
'$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/responder_get_domains_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/responder_get_domains_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Tpo -c -o src/responder/common/responder_get_domains_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/responder_get_domains_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/responder_get_domains_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Tpo -c -o src/responder/common/responder_get_domains_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/responder_get_domains_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/responder_get_domains_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Tpo -c -o src/responder/common/responder_get_domains_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/responder_get_domains_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/responder_get_domains_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/responder_get_domains_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/responder_get_domains_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/responder_get_domains_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/responder_get_domains_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/responder_get_domains_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/responder_get_domains_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/responder_get_domains_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/responder_get_domains_tests-responder_dp.o: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_dp.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || 
echo '$(srcdir)/'`src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/responder_get_domains_tests-responder_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c + +src/responder/common/responder_get_domains_tests-responder_dp.obj: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_dp.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/responder_get_domains_tests-responder_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` + +src/responder/common/responder_get_domains_tests-responder_dp_ssh.o: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_dp_ssh.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/responder_get_domains_tests-responder_dp_ssh.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c + +src/responder/common/responder_get_domains_tests-responder_dp_ssh.obj: 
src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_dp_ssh.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/responder_get_domains_tests-responder_dp_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` + +src/responder/common/responder_get_domains_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Tpo -c -o 
src/responder/common/responder_get_domains_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/responder_get_domains_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/responder_get_domains_tests-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/responder_get_domains_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/responder_get_domains_tests-responder_get_domains.o: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_get_domains.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/responder_get_domains_tests-responder_get_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c + +src/responder/common/responder_get_domains_tests-responder_get_domains.obj: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_get_domains.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/responder_get_domains_tests-responder_get_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` + 
+src/responder/common/responder_get_domains_tests-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/responder_get_domains_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/responder_get_domains_tests-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_get_domains_tests-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Tpo -c -o src/responder/common/responder_get_domains_tests-responder_utils.obj `if test -f 
'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/responder_get_domains_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/responder_get_domains_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_get_domains_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/responder/common/data_provider/responder_get_domains_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_get_domains_tests-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/responder_get_domains_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/responder_get_domains_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_get_domains_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/responder_get_domains_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/responder_get_domains_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_get_domains_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/responder_get_domains_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo 
'$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/responder_get_domains_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_get_domains_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_get_domains_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/responder_get_domains_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_get_domains_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/monitor/responder_get_domains_tests-monitor_iface_generated.o: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/monitor/responder_get_domains_tests-monitor_iface_generated.o -MD -MP -MF src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Tpo -c -o src/monitor/responder_get_domains_tests-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/responder_get_domains_tests-monitor_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/monitor/responder_get_domains_tests-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c + +src/monitor/responder_get_domains_tests-monitor_iface_generated.obj: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/monitor/responder_get_domains_tests-monitor_iface_generated.obj -MD -MP -MF src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Tpo -c -o src/monitor/responder_get_domains_tests-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/responder_get_domains_tests-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/responder_get_domains_tests-monitor_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/monitor/responder_get_domains_tests-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` + +src/providers/responder_get_domains_tests-data_provider_req.o: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/providers/responder_get_domains_tests-data_provider_req.o -MD -MP -MF src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Tpo -c -o src/providers/responder_get_domains_tests-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Tpo src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/responder_get_domains_tests-data_provider_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/providers/responder_get_domains_tests-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c + +src/providers/responder_get_domains_tests-data_provider_req.obj: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/providers/responder_get_domains_tests-data_provider_req.obj -MD -MP -MF src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Tpo -c -o src/providers/responder_get_domains_tests-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Tpo src/providers/$(DEPDIR)/responder_get_domains_tests-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/responder_get_domains_tests-data_provider_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/providers/responder_get_domains_tests-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` + +src/util/responder_get_domains_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/util/responder_get_domains_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Tpo -c -o src/util/responder_get_domains_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Tpo src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/responder_get_domains_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/util/responder_get_domains_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/responder_get_domains_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/util/responder_get_domains_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Tpo -c -o src/util/responder_get_domains_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Tpo src/util/$(DEPDIR)/responder_get_domains_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' 
object='src/util/responder_get_domains_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/util/responder_get_domains_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/iface/responder_get_domains_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/responder_get_domains_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface.o `test -f 
'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/responder_get_domains_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/responder_get_domains_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/responder_get_domains_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/responder_get_domains_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/responder_get_domains_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 
'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/responder_get_domains_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/responder_get_domains_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/responder_get_domains_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/responder_get_domains_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/responder_get_domains_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo 
'$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/responder_get_domains_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_get_domains_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + 
+src/responder/common/cache_req/responder_get_domains_tests-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/responder_get_domains_tests-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Tpo -c -o 
src/responder/common/cache_req/responder_get_domains_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' 
object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Tpo -c -o 
src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_get_domains_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_get_domains_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) 
-c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then 
$(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + 
+src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + 
+src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Tpo -c -o 
src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Tpo -c 
-o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' 
object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_get_domains_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_get_domains_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/tests/cmocka/responder_get_domains_tests-test_responder_common.o: src/tests/cmocka/test_responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_get_domains_tests-test_responder_common.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Tpo -c -o src/tests/cmocka/responder_get_domains_tests-test_responder_common.o `test -f 'src/tests/cmocka/test_responder_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Tpo src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_responder_common.c' object='src/tests/cmocka/responder_get_domains_tests-test_responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_get_domains_tests-test_responder_common.o `test -f 'src/tests/cmocka/test_responder_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_responder_common.c + 
+src/tests/cmocka/responder_get_domains_tests-test_responder_common.obj: src/tests/cmocka/test_responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_get_domains_tests-test_responder_common.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Tpo -c -o src/tests/cmocka/responder_get_domains_tests-test_responder_common.obj `if test -f 'src/tests/cmocka/test_responder_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Tpo src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-test_responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_responder_common.c' object='src/tests/cmocka/responder_get_domains_tests-test_responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_get_domains_tests-test_responder_common.obj `if test -f 'src/tests/cmocka/test_responder_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_responder_common.c'; fi` + +src/tests/cmocka/responder_get_domains_tests-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_get_domains_tests-common_mock_resp.o -MD -MP -MF 
src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/responder_get_domains_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/responder_get_domains_tests-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_get_domains_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/responder_get_domains_tests-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_get_domains_tests-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/responder_get_domains_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/responder_get_domains_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/responder_get_domains_tests-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_get_domains_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_get_domains_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/responder_cache_req_tests-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_cache_req_tests-common_mock_resp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/responder_cache_req_tests-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || 
echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/responder_cache_req_tests-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_cache_req_tests-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/responder_cache_req_tests-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.o: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.o -MD -MP -MF 
src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c + +src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.obj: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_cache_req_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` + +src/responder/common/responder_cache_req_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/responder_cache_req_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/responder_cache_req_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/responder_cache_req_tests-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/responder_cache_req_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/responder_cache_req_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/responder_cache_req_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/responder_cache_req_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Tpo 
src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/responder_cache_req_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/responder_cache_req_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Tpo -c -o src/responder/common/responder_cache_req_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/responder_cache_req_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) 
$(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/responder_cache_req_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Tpo -c -o src/responder/common/responder_cache_req_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/responder_cache_req_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/responder_cache_req_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) 
$(CFLAGS) -MT src/responder/common/responder_cache_req_tests-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Tpo -c -o src/responder/common/responder_cache_req_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/responder_cache_req_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/responder_cache_req_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Tpo -c -o src/responder/common/responder_cache_req_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' 
object='src/responder/common/responder_cache_req_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/responder_cache_req_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/responder_cache_req_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo 
'$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/responder_cache_req_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/responder_cache_req_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/data_provider/responder_cache_req_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/data_provider/responder_cache_req_tests-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/responder_cache_req_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/responder_cache_req_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_cache_req_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/responder_cache_req_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/responder_cache_req_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_cache_req_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/responder_cache_req_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/responder_cache_req_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_cache_req_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_cache_req_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/responder_cache_req_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_cache_req_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/responder/common/responder_cache_req_tests-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/responder_cache_req_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/responder_cache_req_tests-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_cache_req_tests-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Tpo -c -o src/responder/common/responder_cache_req_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/responder_cache_req_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/responder_cache_req_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_cache_req_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/util/responder_cache_req_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/util/responder_cache_req_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Tpo -c -o src/util/responder_cache_req_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Tpo src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/responder_cache_req_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/util/responder_cache_req_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/responder_cache_req_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/util/responder_cache_req_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Tpo -c -o src/util/responder_cache_req_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Tpo src/util/$(DEPDIR)/responder_cache_req_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/responder_cache_req_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/util/responder_cache_req_tests-session_recording.obj `if test -f 
'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/cache_req/responder_cache_req_tests-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/responder_cache_req_tests-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req.obj -MD -MP -MF 
src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' 
object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.obj -MD -MP -MF 
src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_cache_req_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_cache_req_tests-cache_req_sr_overlay.obj `if test -f 
'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + 
+src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.o: 
src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Tpo -c -o 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Tpo -c -o 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' 
object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) 
$(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + 
+src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.obj: 
src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.o: 
src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.o -MD 
-MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Tpo -c -o 
src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/responder_cache_req_tests-cache_req_host_by_name.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/responder_cache_req_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/responder/common/iface/responder_cache_req_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/responder_cache_req_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/responder_cache_req_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/responder_cache_req_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/responder_cache_req_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/responder_cache_req_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/responder_cache_req_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_domain.obj -MD -MP -MF 
src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/responder_cache_req_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/responder_cache_req_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/responder_cache_req_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/responder_cache_req_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' 
object='src/responder/common/iface/responder_cache_req_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/responder_cache_req_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_cache_req_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then 
$(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.o: src/tests/cmocka/test_responder_cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Tpo -c -o src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.o `test -f 'src/tests/cmocka/test_responder_cache_req.c' || echo '$(srcdir)/'`src/tests/cmocka/test_responder_cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Tpo src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_responder_cache_req.c' object='src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.o `test -f 'src/tests/cmocka/test_responder_cache_req.c' || echo '$(srcdir)/'`src/tests/cmocka/test_responder_cache_req.c + +src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.obj: src/tests/cmocka/test_responder_cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -MT 
src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Tpo -c -o src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.obj `if test -f 'src/tests/cmocka/test_responder_cache_req.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_responder_cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_responder_cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Tpo src/tests/cmocka/$(DEPDIR)/responder_cache_req_tests-test_responder_cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_responder_cache_req.c' object='src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_cache_req_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/responder_cache_req_tests-test_responder_cache_req.obj `if test -f 'src/tests/cmocka/test_responder_cache_req.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_responder_cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_responder_cache_req.c'; fi` + +src/tests/responder_socket_access_tests-responder_socket_access-tests.o: src/tests/responder_socket_access-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/tests/responder_socket_access_tests-responder_socket_access-tests.o -MD -MP -MF src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Tpo -c -o src/tests/responder_socket_access_tests-responder_socket_access-tests.o `test -f 'src/tests/responder_socket_access-tests.c' || echo 
'$(srcdir)/'`src/tests/responder_socket_access-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Tpo src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/responder_socket_access-tests.c' object='src/tests/responder_socket_access_tests-responder_socket_access-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/tests/responder_socket_access_tests-responder_socket_access-tests.o `test -f 'src/tests/responder_socket_access-tests.c' || echo '$(srcdir)/'`src/tests/responder_socket_access-tests.c + +src/tests/responder_socket_access_tests-responder_socket_access-tests.obj: src/tests/responder_socket_access-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/tests/responder_socket_access_tests-responder_socket_access-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Tpo -c -o src/tests/responder_socket_access_tests-responder_socket_access-tests.obj `if test -f 'src/tests/responder_socket_access-tests.c'; then $(CYGPATH_W) 'src/tests/responder_socket_access-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/responder_socket_access-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Tpo src/tests/$(DEPDIR)/responder_socket_access_tests-responder_socket_access-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/responder_socket_access-tests.c' 
object='src/tests/responder_socket_access_tests-responder_socket_access-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/tests/responder_socket_access_tests-responder_socket_access-tests.obj `if test -f 'src/tests/responder_socket_access-tests.c'; then $(CYGPATH_W) 'src/tests/responder_socket_access-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/responder_socket_access-tests.c'; fi` + +src/responder/common/responder_socket_access_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Tpo -c -o src/responder/common/responder_socket_access_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/responder_socket_access_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-negcache_files.o `test -f 
'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/responder_socket_access_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Tpo -c -o src/responder/common/responder_socket_access_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/responder_socket_access_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/responder_socket_access_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/responder_socket_access_tests-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Tpo -c -o src/responder/common/responder_socket_access_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/responder_socket_access_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/responder_socket_access_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Tpo -c -o src/responder/common/responder_socket_access_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/responder_socket_access_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/responder_socket_access_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Tpo -c -o src/responder/common/responder_socket_access_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/responder_socket_access_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/responder_socket_access_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/responder_socket_access_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Tpo -c -o src/responder/common/responder_socket_access_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/responder_socket_access_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/responder_socket_access_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Tpo -c -o src/responder/common/responder_socket_access_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/responder_socket_access_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/responder_socket_access_tests-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Tpo -c -o src/responder/common/responder_socket_access_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/responder_socket_access_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/responder_socket_access_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Tpo -c -o src/responder/common/responder_socket_access_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/responder_socket_access_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/responder_socket_access_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/responder_socket_access_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Tpo -c -o src/responder/common/responder_socket_access_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/responder_socket_access_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/responder_socket_access_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/responder_socket_access_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/responder_socket_access_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/responder_socket_access_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/data_provider/responder_socket_access_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_socket_access_tests-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Tpo -c -o 
src/responder/common/data_provider/responder_socket_access_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/responder_socket_access_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/responder_socket_access_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_socket_access_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/responder_socket_access_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/responder_socket_access_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_socket_access_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' 
object='src/responder/common/data_provider/responder_socket_access_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/responder_socket_access_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/responder_socket_access_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/responder_socket_access_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/responder_socket_access_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/responder_socket_access_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/util/responder_socket_access_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/util/responder_socket_access_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Tpo -c -o src/util/responder_socket_access_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Tpo src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/responder_socket_access_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/util/responder_socket_access_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/responder_socket_access_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT 
src/util/responder_socket_access_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Tpo -c -o src/util/responder_socket_access_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Tpo src/util/$(DEPDIR)/responder_socket_access_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/responder_socket_access_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/util/responder_socket_access_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/iface/responder_socket_access_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/responder_socket_access_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/responder_socket_access_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/responder_socket_access_tests-responder_iface.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/responder_socket_access_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/responder_socket_access_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/iface/responder_socket_access_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/responder_socket_access_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/responder_socket_access_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + 
+src/responder/common/iface/responder_socket_access_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/responder_socket_access_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/responder_socket_access_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_ncache.obj -MD -MP -MF 
src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/responder_socket_access_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.o `test -f 
'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/responder_socket_access_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_socket_access_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/responder_socket_access_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/tests/safe_format_tests-safe-format-tests.o: src/tests/safe-format-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(safe_format_tests_CFLAGS) $(CFLAGS) -MT src/tests/safe_format_tests-safe-format-tests.o -MD -MP -MF src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Tpo -c -o src/tests/safe_format_tests-safe-format-tests.o `test -f 'src/tests/safe-format-tests.c' || echo '$(srcdir)/'`src/tests/safe-format-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Tpo src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/safe-format-tests.c' object='src/tests/safe_format_tests-safe-format-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(safe_format_tests_CFLAGS) $(CFLAGS) -c -o src/tests/safe_format_tests-safe-format-tests.o `test -f 'src/tests/safe-format-tests.c' || echo '$(srcdir)/'`src/tests/safe-format-tests.c + +src/tests/safe_format_tests-safe-format-tests.obj: src/tests/safe-format-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(safe_format_tests_CFLAGS) $(CFLAGS) -MT src/tests/safe_format_tests-safe-format-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Tpo -c -o src/tests/safe_format_tests-safe-format-tests.obj `if test -f 'src/tests/safe-format-tests.c'; then $(CYGPATH_W) 'src/tests/safe-format-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/safe-format-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Tpo src/tests/$(DEPDIR)/safe_format_tests-safe-format-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/safe-format-tests.c' object='src/tests/safe_format_tests-safe-format-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(safe_format_tests_CFLAGS) $(CFLAGS) -c -o src/tests/safe_format_tests-safe-format-tests.obj `if test -f 'src/tests/safe-format-tests.c'; then $(CYGPATH_W) 'src/tests/safe-format-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/safe-format-tests.c'; fi` + +src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.o: src/tests/cmocka/sbus_internal_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.o -MD -MP -MF 
src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Tpo -c -o src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.o `test -f 'src/tests/cmocka/sbus_internal_tests.c' || echo '$(srcdir)/'`src/tests/cmocka/sbus_internal_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Tpo src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/sbus_internal_tests.c' object='src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.o `test -f 'src/tests/cmocka/sbus_internal_tests.c' || echo '$(srcdir)/'`src/tests/cmocka/sbus_internal_tests.c + +src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.obj: src/tests/cmocka/sbus_internal_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Tpo -c -o src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.obj `if test -f 'src/tests/cmocka/sbus_internal_tests.c'; then $(CYGPATH_W) 'src/tests/cmocka/sbus_internal_tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/sbus_internal_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Tpo src/tests/cmocka/$(DEPDIR)/sbus_internal_tests-sbus_internal_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/sbus_internal_tests.c' 
object='src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sbus_internal_tests-sbus_internal_tests.obj `if test -f 'src/tests/cmocka/sbus_internal_tests.c'; then $(CYGPATH_W) 'src/tests/cmocka/sbus_internal_tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/sbus_internal_tests.c'; fi` + +src/sbus/sbus_internal_tests-sssd_dbus_request.o: src/sbus/sssd_dbus_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -MT src/sbus/sbus_internal_tests-sssd_dbus_request.o -MD -MP -MF src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Tpo -c -o src/sbus/sbus_internal_tests-sssd_dbus_request.o `test -f 'src/sbus/sssd_dbus_request.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_request.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Tpo src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_request.c' object='src/sbus/sbus_internal_tests-sssd_dbus_request.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -c -o src/sbus/sbus_internal_tests-sssd_dbus_request.o `test -f 'src/sbus/sssd_dbus_request.c' || echo '$(srcdir)/'`src/sbus/sssd_dbus_request.c + +src/sbus/sbus_internal_tests-sssd_dbus_request.obj: src/sbus/sssd_dbus_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -MT src/sbus/sbus_internal_tests-sssd_dbus_request.obj -MD -MP -MF src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Tpo -c -o src/sbus/sbus_internal_tests-sssd_dbus_request.obj `if test -f 'src/sbus/sssd_dbus_request.c'; then $(CYGPATH_W) 'src/sbus/sssd_dbus_request.c'; else $(CYGPATH_W) '$(srcdir)/src/sbus/sssd_dbus_request.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Tpo src/sbus/$(DEPDIR)/sbus_internal_tests-sssd_dbus_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sbus/sssd_dbus_request.c' object='src/sbus/sbus_internal_tests-sssd_dbus_request.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_internal_tests_CFLAGS) $(CFLAGS) -c -o src/sbus/sbus_internal_tests-sssd_dbus_request.obj `if test -f 'src/sbus/sssd_dbus_request.c'; then $(CYGPATH_W) 'src/sbus/sssd_dbus_request.c'; else $(CYGPATH_W) '$(srcdir)/src/sbus/sssd_dbus_request.c'; fi` + +src/tests/sbus_codegen_tests-common_dbus.o: src/tests/common_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_codegen_tests-common_dbus.o -MD -MP -MF src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Tpo -c -o src/tests/sbus_codegen_tests-common_dbus.o `test -f 'src/tests/common_dbus.c' || echo '$(srcdir)/'`src/tests/common_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Tpo src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common_dbus.c' object='src/tests/sbus_codegen_tests-common_dbus.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_codegen_tests-common_dbus.o `test -f 'src/tests/common_dbus.c' || echo '$(srcdir)/'`src/tests/common_dbus.c + +src/tests/sbus_codegen_tests-common_dbus.obj: src/tests/common_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_codegen_tests-common_dbus.obj -MD -MP -MF src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Tpo -c -o src/tests/sbus_codegen_tests-common_dbus.obj `if test -f 'src/tests/common_dbus.c'; then $(CYGPATH_W) 'src/tests/common_dbus.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common_dbus.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Tpo src/tests/$(DEPDIR)/sbus_codegen_tests-common_dbus.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common_dbus.c' object='src/tests/sbus_codegen_tests-common_dbus.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_codegen_tests-common_dbus.obj `if test -f 'src/tests/common_dbus.c'; then $(CYGPATH_W) 'src/tests/common_dbus.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common_dbus.c'; fi` + +src/tests/sbus_codegen_tests-sbus_codegen_tests.o: src/tests/sbus_codegen_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_codegen_tests-sbus_codegen_tests.o -MD -MP -MF 
src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Tpo -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests.o `test -f 'src/tests/sbus_codegen_tests.c' || echo '$(srcdir)/'`src/tests/sbus_codegen_tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Tpo src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sbus_codegen_tests.c' object='src/tests/sbus_codegen_tests-sbus_codegen_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests.o `test -f 'src/tests/sbus_codegen_tests.c' || echo '$(srcdir)/'`src/tests/sbus_codegen_tests.c + +src/tests/sbus_codegen_tests-sbus_codegen_tests.obj: src/tests/sbus_codegen_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_codegen_tests-sbus_codegen_tests.obj -MD -MP -MF src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Tpo -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests.obj `if test -f 'src/tests/sbus_codegen_tests.c'; then $(CYGPATH_W) 'src/tests/sbus_codegen_tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sbus_codegen_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Tpo src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sbus_codegen_tests.c' object='src/tests/sbus_codegen_tests-sbus_codegen_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests.obj `if test -f 'src/tests/sbus_codegen_tests.c'; then $(CYGPATH_W) 'src/tests/sbus_codegen_tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sbus_codegen_tests.c'; fi` + +src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.o: src/tests/sbus_codegen_tests_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.o -MD -MP -MF src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Tpo -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.o `test -f 'src/tests/sbus_codegen_tests_generated.c' || echo '$(srcdir)/'`src/tests/sbus_codegen_tests_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Tpo src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sbus_codegen_tests_generated.c' object='src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.o `test -f 'src/tests/sbus_codegen_tests_generated.c' || echo '$(srcdir)/'`src/tests/sbus_codegen_tests_generated.c + +src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.obj: src/tests/sbus_codegen_tests_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -MT 
src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.obj -MD -MP -MF src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Tpo -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.obj `if test -f 'src/tests/sbus_codegen_tests_generated.c'; then $(CYGPATH_W) 'src/tests/sbus_codegen_tests_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sbus_codegen_tests_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Tpo src/tests/$(DEPDIR)/sbus_codegen_tests-sbus_codegen_tests_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sbus_codegen_tests_generated.c' object='src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_codegen_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_codegen_tests-sbus_codegen_tests_generated.obj `if test -f 'src/tests/sbus_codegen_tests_generated.c'; then $(CYGPATH_W) 'src/tests/sbus_codegen_tests_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sbus_codegen_tests_generated.c'; fi` + +src/tests/sbus_tests-common_dbus.o: src/tests/common_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_tests-common_dbus.o -MD -MP -MF src/tests/$(DEPDIR)/sbus_tests-common_dbus.Tpo -c -o src/tests/sbus_tests-common_dbus.o `test -f 'src/tests/common_dbus.c' || echo '$(srcdir)/'`src/tests/common_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_tests-common_dbus.Tpo src/tests/$(DEPDIR)/sbus_tests-common_dbus.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common_dbus.c' object='src/tests/sbus_tests-common_dbus.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_tests-common_dbus.o `test -f 'src/tests/common_dbus.c' || echo '$(srcdir)/'`src/tests/common_dbus.c + +src/tests/sbus_tests-common_dbus.obj: src/tests/common_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_tests-common_dbus.obj -MD -MP -MF src/tests/$(DEPDIR)/sbus_tests-common_dbus.Tpo -c -o src/tests/sbus_tests-common_dbus.obj `if test -f 'src/tests/common_dbus.c'; then $(CYGPATH_W) 'src/tests/common_dbus.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common_dbus.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_tests-common_dbus.Tpo src/tests/$(DEPDIR)/sbus_tests-common_dbus.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common_dbus.c' object='src/tests/sbus_tests-common_dbus.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_tests-common_dbus.obj `if test -f 'src/tests/common_dbus.c'; then $(CYGPATH_W) 'src/tests/common_dbus.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common_dbus.c'; fi` + +src/tests/sbus_tests-sbus_tests.o: src/tests/sbus_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_tests-sbus_tests.o -MD -MP -MF src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Tpo -c -o src/tests/sbus_tests-sbus_tests.o `test -f 'src/tests/sbus_tests.c' || echo '$(srcdir)/'`src/tests/sbus_tests.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Tpo src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sbus_tests.c' object='src/tests/sbus_tests-sbus_tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_tests-sbus_tests.o `test -f 'src/tests/sbus_tests.c' || echo '$(srcdir)/'`src/tests/sbus_tests.c + +src/tests/sbus_tests-sbus_tests.obj: src/tests/sbus_tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -MT src/tests/sbus_tests-sbus_tests.obj -MD -MP -MF src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Tpo -c -o src/tests/sbus_tests-sbus_tests.obj `if test -f 'src/tests/sbus_tests.c'; then $(CYGPATH_W) 'src/tests/sbus_tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sbus_tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Tpo src/tests/$(DEPDIR)/sbus_tests-sbus_tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sbus_tests.c' object='src/tests/sbus_tests-sbus_tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sbus_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sbus_tests-sbus_tests.obj `if test -f 'src/tests/sbus_tests.c'; then $(CYGPATH_W) 'src/tests/sbus_tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sbus_tests.c'; fi` + +src/providers/sdap_tests-data_provider_opts.o: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/sdap_tests-data_provider_opts.o -MD -MP -MF src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Tpo -c -o src/providers/sdap_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/sdap_tests-data_provider_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/sdap_tests-data_provider_opts.o `test -f 'src/providers/data_provider_opts.c' || echo '$(srcdir)/'`src/providers/data_provider_opts.c + +src/providers/sdap_tests-data_provider_opts.obj: src/providers/data_provider_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/sdap_tests-data_provider_opts.obj -MD -MP -MF src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Tpo -c -o src/providers/sdap_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Tpo src/providers/$(DEPDIR)/sdap_tests-data_provider_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_opts.c' object='src/providers/sdap_tests-data_provider_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/sdap_tests-data_provider_opts.obj `if test -f 'src/providers/data_provider_opts.c'; then $(CYGPATH_W) 'src/providers/data_provider_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_opts.c'; fi` + +src/providers/ldap/sdap_tests-sdap_domain.o: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-sdap_domain.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Tpo -c -o src/providers/ldap/sdap_tests-sdap_domain.o `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' object='src/providers/ldap/sdap_tests-sdap_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-sdap_domain.o `test -f 'src/providers/ldap/sdap_domain.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_domain.c + +src/providers/ldap/sdap_tests-sdap_domain.obj: src/providers/ldap/sdap_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-sdap_domain.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Tpo -c -o 
src/providers/ldap/sdap_tests-sdap_domain.obj `if test -f 'src/providers/ldap/sdap_domain.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_domain.c' object='src/providers/ldap/sdap_tests-sdap_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-sdap_domain.obj `if test -f 'src/providers/ldap/sdap_domain.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_domain.c'; fi` + +src/providers/ldap/sdap_tests-sdap.o: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-sdap.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Tpo -c -o src/providers/ldap/sdap_tests-sdap.o `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/sdap_tests-sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o 
src/providers/ldap/sdap_tests-sdap.o `test -f 'src/providers/ldap/sdap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap.c + +src/providers/ldap/sdap_tests-sdap.obj: src/providers/ldap/sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-sdap.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Tpo -c -o src/providers/ldap/sdap_tests-sdap.obj `if test -f 'src/providers/ldap/sdap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap.c' object='src/providers/ldap/sdap_tests-sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-sdap.obj `if test -f 'src/providers/ldap/sdap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap.c'; fi` + +src/providers/ldap/sdap_tests-sdap_range.o: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-sdap_range.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Tpo -c -o src/providers/ldap/sdap_tests-sdap_range.o `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/sdap_tests-sdap_range.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-sdap_range.o `test -f 'src/providers/ldap/sdap_range.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_range.c + +src/providers/ldap/sdap_tests-sdap_range.obj: src/providers/ldap/sdap_range.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-sdap_range.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Tpo -c -o src/providers/ldap/sdap_tests-sdap_range.obj `if test -f 'src/providers/ldap/sdap_range.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_range.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_range.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-sdap_range.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_range.c' object='src/providers/ldap/sdap_tests-sdap_range.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-sdap_range.obj `if test -f 'src/providers/ldap/sdap_range.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_range.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_range.c'; fi` + +src/providers/ldap/sdap_tests-ldap_opts.o: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-ldap_opts.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Tpo -c -o src/providers/ldap/sdap_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/sdap_tests-ldap_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-ldap_opts.o `test -f 'src/providers/ldap/ldap_opts.c' || echo '$(srcdir)/'`src/providers/ldap/ldap_opts.c + +src/providers/ldap/sdap_tests-ldap_opts.obj: src/providers/ldap/ldap_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ldap/sdap_tests-ldap_opts.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Tpo -c -o src/providers/ldap/sdap_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Tpo src/providers/ldap/$(DEPDIR)/sdap_tests-ldap_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/ldap_opts.c' object='src/providers/ldap/sdap_tests-ldap_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/sdap_tests-ldap_opts.obj `if test -f 'src/providers/ldap/ldap_opts.c'; then $(CYGPATH_W) 'src/providers/ldap/ldap_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/ldap_opts.c'; fi` + +src/providers/ipa/sdap_tests-ipa_opts.o: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/sdap_tests-ipa_opts.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Tpo -c -o src/providers/ipa/sdap_tests-ipa_opts.o `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/sdap_tests-ipa_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/sdap_tests-ipa_opts.o `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c + +src/providers/ipa/sdap_tests-ipa_opts.obj: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/providers/ipa/sdap_tests-ipa_opts.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Tpo -c -o src/providers/ipa/sdap_tests-ipa_opts.obj `if test -f 'src/providers/ipa/ipa_opts.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_opts.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/ipa/ipa_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/sdap_tests-ipa_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/sdap_tests-ipa_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/sdap_tests-ipa_opts.obj `if test -f 'src/providers/ipa/ipa_opts.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_opts.c'; fi` + +src/util/sdap_tests-sss_sockets.o: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/util/sdap_tests-sss_sockets.o -MD -MP -MF src/util/$(DEPDIR)/sdap_tests-sss_sockets.Tpo -c -o src/util/sdap_tests-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sdap_tests-sss_sockets.Tpo src/util/$(DEPDIR)/sdap_tests-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/sdap_tests-sss_sockets.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/util/sdap_tests-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c + +src/util/sdap_tests-sss_sockets.obj: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/util/sdap_tests-sss_sockets.obj -MD -MP -MF src/util/$(DEPDIR)/sdap_tests-sss_sockets.Tpo -c -o src/util/sdap_tests-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sdap_tests-sss_sockets.Tpo src/util/$(DEPDIR)/sdap_tests-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/sdap_tests-sss_sockets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/util/sdap_tests-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` + +src/util/sdap_tests-sss_ldap.o: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/util/sdap_tests-sss_ldap.o -MD -MP -MF src/util/$(DEPDIR)/sdap_tests-sss_ldap.Tpo -c -o src/util/sdap_tests-sss_ldap.o `test -f 'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sdap_tests-sss_ldap.Tpo src/util/$(DEPDIR)/sdap_tests-sss_ldap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/sdap_tests-sss_ldap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/util/sdap_tests-sss_ldap.o `test -f 
'src/util/sss_ldap.c' || echo '$(srcdir)/'`src/util/sss_ldap.c + +src/util/sdap_tests-sss_ldap.obj: src/util/sss_ldap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/util/sdap_tests-sss_ldap.obj -MD -MP -MF src/util/$(DEPDIR)/sdap_tests-sss_ldap.Tpo -c -o src/util/sdap_tests-sss_ldap.obj `if test -f 'src/util/sss_ldap.c'; then $(CYGPATH_W) 'src/util/sss_ldap.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_ldap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sdap_tests-sss_ldap.Tpo src/util/$(DEPDIR)/sdap_tests-sss_ldap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_ldap.c' object='src/util/sdap_tests-sss_ldap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/util/sdap_tests-sss_ldap.obj `if test -f 'src/util/sss_ldap.c'; then $(CYGPATH_W) 'src/util/sss_ldap.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_ldap.c'; fi` + +src/tests/cmocka/sdap_tests-test_sdap.o: src/tests/cmocka/test_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sdap_tests-test_sdap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Tpo -c -o src/tests/cmocka/sdap_tests-test_sdap.o `test -f 'src/tests/cmocka/test_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Tpo src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sdap.c' object='src/tests/cmocka/sdap_tests-test_sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sdap_tests-test_sdap.o `test -f 'src/tests/cmocka/test_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sdap.c + +src/tests/cmocka/sdap_tests-test_sdap.obj: src/tests/cmocka/test_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sdap_tests-test_sdap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Tpo -c -o src/tests/cmocka/sdap_tests-test_sdap.obj `if test -f 'src/tests/cmocka/test_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Tpo src/tests/cmocka/$(DEPDIR)/sdap_tests-test_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sdap.c' object='src/tests/cmocka/sdap_tests-test_sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sdap_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sdap_tests-test_sdap.obj `if test -f 'src/tests/cmocka/test_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sdap.c'; fi` + +src/providers/ipa/selinux_child-selinux_child.o: src/providers/ipa/selinux_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/providers/ipa/selinux_child-selinux_child.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Tpo -c -o 
src/providers/ipa/selinux_child-selinux_child.o `test -f 'src/providers/ipa/selinux_child.c' || echo '$(srcdir)/'`src/providers/ipa/selinux_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Tpo src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/selinux_child.c' object='src/providers/ipa/selinux_child-selinux_child.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/selinux_child-selinux_child.o `test -f 'src/providers/ipa/selinux_child.c' || echo '$(srcdir)/'`src/providers/ipa/selinux_child.c + +src/providers/ipa/selinux_child-selinux_child.obj: src/providers/ipa/selinux_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/providers/ipa/selinux_child-selinux_child.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Tpo -c -o src/providers/ipa/selinux_child-selinux_child.obj `if test -f 'src/providers/ipa/selinux_child.c'; then $(CYGPATH_W) 'src/providers/ipa/selinux_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/selinux_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Tpo src/providers/ipa/$(DEPDIR)/selinux_child-selinux_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/selinux_child.c' object='src/providers/ipa/selinux_child-selinux_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/selinux_child-selinux_child.obj `if test -f 'src/providers/ipa/selinux_child.c'; then $(CYGPATH_W) 'src/providers/ipa/selinux_child.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/selinux_child.c'; fi` + +src/util/selinux_child-sss_semanage.o: src/util/sss_semanage.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-sss_semanage.o -MD -MP -MF src/util/$(DEPDIR)/selinux_child-sss_semanage.Tpo -c -o src/util/selinux_child-sss_semanage.o `test -f 'src/util/sss_semanage.c' || echo '$(srcdir)/'`src/util/sss_semanage.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-sss_semanage.Tpo src/util/$(DEPDIR)/selinux_child-sss_semanage.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_semanage.c' object='src/util/selinux_child-sss_semanage.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-sss_semanage.o `test -f 'src/util/sss_semanage.c' || echo '$(srcdir)/'`src/util/sss_semanage.c + +src/util/selinux_child-sss_semanage.obj: src/util/sss_semanage.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-sss_semanage.obj -MD -MP -MF src/util/$(DEPDIR)/selinux_child-sss_semanage.Tpo -c -o src/util/selinux_child-sss_semanage.obj `if test -f 'src/util/sss_semanage.c'; then $(CYGPATH_W) 'src/util/sss_semanage.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_semanage.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-sss_semanage.Tpo 
src/util/$(DEPDIR)/selinux_child-sss_semanage.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_semanage.c' object='src/util/selinux_child-sss_semanage.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-sss_semanage.obj `if test -f 'src/util/sss_semanage.c'; then $(CYGPATH_W) 'src/util/sss_semanage.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_semanage.c'; fi` + +src/util/selinux_child-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/selinux_child-atomic_io.Tpo -c -o src/util/selinux_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-atomic_io.Tpo src/util/$(DEPDIR)/selinux_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/selinux_child-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/selinux_child-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/selinux_child-atomic_io.Tpo -c -o 
src/util/selinux_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-atomic_io.Tpo src/util/$(DEPDIR)/selinux_child-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/selinux_child-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/selinux_child-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-util.o -MD -MP -MF src/util/$(DEPDIR)/selinux_child-util.Tpo -c -o src/util/selinux_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-util.Tpo src/util/$(DEPDIR)/selinux_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/selinux_child-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/selinux_child-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-util.obj -MD -MP -MF src/util/$(DEPDIR)/selinux_child-util.Tpo -c -o src/util/selinux_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-util.Tpo src/util/$(DEPDIR)/selinux_child-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/selinux_child-util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/selinux_child-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-util_ext.o -MD -MP -MF src/util/$(DEPDIR)/selinux_child-util_ext.Tpo -c -o src/util/selinux_child-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-util_ext.Tpo src/util/$(DEPDIR)/selinux_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/selinux_child-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-util_ext.o `test -f 'src/util/util_ext.c' || echo 
'$(srcdir)/'`src/util/util_ext.c + +src/util/selinux_child-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-util_ext.obj -MD -MP -MF src/util/$(DEPDIR)/selinux_child-util_ext.Tpo -c -o src/util/selinux_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-util_ext.Tpo src/util/$(DEPDIR)/selinux_child-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/selinux_child-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/util/selinux_child-util_errors.o: src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-util_errors.o -MD -MP -MF src/util/$(DEPDIR)/selinux_child-util_errors.Tpo -c -o src/util/selinux_child-util_errors.o `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-util_errors.Tpo src/util/$(DEPDIR)/selinux_child-util_errors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/selinux_child-util_errors.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-util_errors.o `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c + +src/util/selinux_child-util_errors.obj: src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -MT src/util/selinux_child-util_errors.obj -MD -MP -MF src/util/$(DEPDIR)/selinux_child-util_errors.Tpo -c -o src/util/selinux_child-util_errors.obj `if test -f 'src/util/util_errors.c'; then $(CYGPATH_W) 'src/util/util_errors.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_errors.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/selinux_child-util_errors.Tpo src/util/$(DEPDIR)/selinux_child-util_errors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/selinux_child-util_errors.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(selinux_child_CFLAGS) $(CFLAGS) -c -o src/util/selinux_child-util_errors.obj `if test -f 'src/util/util_errors.c'; then $(CYGPATH_W) 'src/util/util_errors.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_errors.c'; fi` + +src/tests/cmocka/simple_access_tests-test_simple_access.o: src/tests/cmocka/test_simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/simple_access_tests-test_simple_access.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Tpo -c -o src/tests/cmocka/simple_access_tests-test_simple_access.o `test -f 
'src/tests/cmocka/test_simple_access.c' || echo '$(srcdir)/'`src/tests/cmocka/test_simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Tpo src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_simple_access.c' object='src/tests/cmocka/simple_access_tests-test_simple_access.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/simple_access_tests-test_simple_access.o `test -f 'src/tests/cmocka/test_simple_access.c' || echo '$(srcdir)/'`src/tests/cmocka/test_simple_access.c + +src/tests/cmocka/simple_access_tests-test_simple_access.obj: src/tests/cmocka/test_simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/simple_access_tests-test_simple_access.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Tpo -c -o src/tests/cmocka/simple_access_tests-test_simple_access.obj `if test -f 'src/tests/cmocka/test_simple_access.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_simple_access.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_simple_access.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Tpo src/tests/cmocka/$(DEPDIR)/simple_access_tests-test_simple_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_simple_access.c' object='src/tests/cmocka/simple_access_tests-test_simple_access.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/simple_access_tests-test_simple_access.obj `if test -f 'src/tests/cmocka/test_simple_access.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_simple_access.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_simple_access.c'; fi` + +src/tests/cmocka/simple_access_tests-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/simple_access_tests-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Tpo -c -o src/tests/cmocka/simple_access_tests-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/simple_access_tests-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/simple_access_tests-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/simple_access_tests-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT 
src/tests/cmocka/simple_access_tests-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Tpo -c -o src/tests/cmocka/simple_access_tests-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/simple_access_tests-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/simple_access_tests-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/simple_access_tests-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/providers/simple/simple_access_tests-simple_access.o: src/providers/simple/simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/providers/simple/simple_access_tests-simple_access.o -MD -MP -MF src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Tpo -c -o src/providers/simple/simple_access_tests-simple_access.o `test -f 'src/providers/simple/simple_access.c' || echo '$(srcdir)/'`src/providers/simple/simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Tpo src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/simple/simple_access.c' object='src/providers/simple/simple_access_tests-simple_access.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/providers/simple/simple_access_tests-simple_access.o `test -f 'src/providers/simple/simple_access.c' || echo '$(srcdir)/'`src/providers/simple/simple_access.c + +src/providers/simple/simple_access_tests-simple_access.obj: src/providers/simple/simple_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/providers/simple/simple_access_tests-simple_access.obj -MD -MP -MF src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Tpo -c -o src/providers/simple/simple_access_tests-simple_access.obj `if test -f 'src/providers/simple/simple_access.c'; then $(CYGPATH_W) 'src/providers/simple/simple_access.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/simple/simple_access.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Tpo src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/simple/simple_access.c' object='src/providers/simple/simple_access_tests-simple_access.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/providers/simple/simple_access_tests-simple_access.obj `if test -f 'src/providers/simple/simple_access.c'; then $(CYGPATH_W) 'src/providers/simple/simple_access.c'; 
else $(CYGPATH_W) '$(srcdir)/src/providers/simple/simple_access.c'; fi` + +src/providers/simple/simple_access_tests-simple_access_check.o: src/providers/simple/simple_access_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/providers/simple/simple_access_tests-simple_access_check.o -MD -MP -MF src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Tpo -c -o src/providers/simple/simple_access_tests-simple_access_check.o `test -f 'src/providers/simple/simple_access_check.c' || echo '$(srcdir)/'`src/providers/simple/simple_access_check.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Tpo src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/simple/simple_access_check.c' object='src/providers/simple/simple_access_tests-simple_access_check.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/providers/simple/simple_access_tests-simple_access_check.o `test -f 'src/providers/simple/simple_access_check.c' || echo '$(srcdir)/'`src/providers/simple/simple_access_check.c + +src/providers/simple/simple_access_tests-simple_access_check.obj: src/providers/simple/simple_access_check.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -MT src/providers/simple/simple_access_tests-simple_access_check.obj -MD -MP -MF src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Tpo -c -o src/providers/simple/simple_access_tests-simple_access_check.obj `if test -f 
'src/providers/simple/simple_access_check.c'; then $(CYGPATH_W) 'src/providers/simple/simple_access_check.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/simple/simple_access_check.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Tpo src/providers/simple/$(DEPDIR)/simple_access_tests-simple_access_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/simple/simple_access_check.c' object='src/providers/simple/simple_access_tests-simple_access_check.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(simple_access_tests_CFLAGS) $(CFLAGS) -c -o src/providers/simple/simple_access_tests-simple_access_check.obj `if test -f 'src/providers/simple/simple_access_check.c'; then $(CYGPATH_W) 'src/providers/simple/simple_access_check.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/simple/simple_access_check.c'; fi` + +src/tests/cmocka/ssh_srv_tests-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ssh_srv_tests-common_mock_resp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/ssh_srv_tests-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/ssh_srv_tests-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ssh_srv_tests-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Tpo -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/ssh_srv_tests-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.o: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' object='src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.o `test -f 'src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp_dp.c + +src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.obj: src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Tpo -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Tpo src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp_dp.c' 
object='src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ssh_srv_tests-common_mock_resp_dp.obj `if test -f 'src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp_dp.c'; fi` + +src/responder/common/ssh_srv_tests-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Tpo -c -o src/responder/common/ssh_srv_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/ssh_srv_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/ssh_srv_tests-responder_packet.obj: 
src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Tpo -c -o src/responder/common/ssh_srv_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/ssh_srv_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/ssh_srv_tests-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Tpo -c -o src/responder/common/ssh_srv_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/ssh_srv_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/ssh_srv_tests-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Tpo -c -o src/responder/common/ssh_srv_tests-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/ssh_srv_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_cmd.obj `if test -f 
'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/ssh_srv_tests-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Tpo -c -o src/responder/common/ssh_srv_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/ssh_srv_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/ssh_srv_tests-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Tpo -c -o src/responder/common/ssh_srv_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 
'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/ssh_srv_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/ssh_srv_tests-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Tpo -c -o src/responder/common/ssh_srv_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/ssh_srv_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/ssh_srv_tests-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Tpo -c -o src/responder/common/ssh_srv_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/ssh_srv_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/ssh_srv_tests-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Tpo -c -o src/responder/common/ssh_srv_tests-responder_common.o `test -f 
'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/ssh_srv_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/ssh_srv_tests-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Tpo -c -o src/responder/common/ssh_srv_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/ssh_srv_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/data_provider/ssh_srv_tests-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ssh_srv_tests-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/ssh_srv_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/ssh_srv_tests-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ssh_srv_tests-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Tpo -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/ssh_srv_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/ssh_srv_tests-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ssh_srv_tests-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' 
|| echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/ssh_srv_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/ssh_srv_tests-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/ssh_srv_tests-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Tpo -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/ssh_srv_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/ssh_srv_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/ssh_srv_tests-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/responder/common/ssh_srv_tests-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Tpo -c -o src/responder/common/ssh_srv_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/ssh_srv_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/ssh_srv_tests-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/ssh_srv_tests-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Tpo -c -o src/responder/common/ssh_srv_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Tpo src/responder/common/$(DEPDIR)/ssh_srv_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/ssh_srv_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/ssh_srv_tests-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/util/ssh_srv_tests-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/ssh_srv_tests-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Tpo -c -o src/util/ssh_srv_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Tpo src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/session_recording.c' object='src/util/ssh_srv_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/ssh_srv_tests-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/ssh_srv_tests-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/ssh_srv_tests-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Tpo -c -o src/util/ssh_srv_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Tpo src/util/$(DEPDIR)/ssh_srv_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/ssh_srv_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/ssh_srv_tests-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/cache_req/ssh_srv_tests-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/ssh_srv_tests-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Tpo 
src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/ssh_srv_tests-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/ssh_srv_tests-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/ssh_srv_tests-cache_req_search.o: 
src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/ssh_srv_tests-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/ssh_srv_tests-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' 
object='src/responder/common/cache_req/ssh_srv_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/ssh_srv_tests-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_data.obj `if test -f 
'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.obj -MD -MP 
-MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/ssh_srv_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/ssh_srv_tests-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.o: 
src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Tpo -c -o 
src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) 
$(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) 
$(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + 
+src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' 
object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + 
+src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' 
object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/ssh_srv_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/ssh_srv_tests-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + 
+src/responder/common/iface/ssh_srv_tests-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/ssh_srv_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/ssh_srv_tests-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/ssh_srv_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/ssh_srv_tests-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/ssh_srv_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/ssh_srv_tests-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/ssh_srv_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + 
+src/responder/common/iface/ssh_srv_tests-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/ssh_srv_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/ssh_srv_tests-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; 
else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/ssh_srv_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/ssh_srv_tests-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' 
object='src/responder/common/iface/ssh_srv_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/ssh_srv_tests-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/ssh_srv_tests-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/ssh_srv_tests-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Tpo -c -o src/responder/common/iface/ssh_srv_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/ssh_srv_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/ssh_srv_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/iface/ssh_srv_tests-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/tests/cmocka/ssh_srv_tests-test_ssh_srv.o: src/tests/cmocka/test_ssh_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ssh_srv_tests-test_ssh_srv.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Tpo -c -o src/tests/cmocka/ssh_srv_tests-test_ssh_srv.o `test -f 'src/tests/cmocka/test_ssh_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ssh_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Tpo src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ssh_srv.c' object='src/tests/cmocka/ssh_srv_tests-test_ssh_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ssh_srv_tests-test_ssh_srv.o `test -f 'src/tests/cmocka/test_ssh_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ssh_srv.c + +src/tests/cmocka/ssh_srv_tests-test_ssh_srv.obj: src/tests/cmocka/test_ssh_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/ssh_srv_tests-test_ssh_srv.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Tpo -c -o src/tests/cmocka/ssh_srv_tests-test_ssh_srv.obj `if test -f 'src/tests/cmocka/test_ssh_srv.c'; then $(CYGPATH_W) 
'src/tests/cmocka/test_ssh_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ssh_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Tpo src/tests/cmocka/$(DEPDIR)/ssh_srv_tests-test_ssh_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ssh_srv.c' object='src/tests/cmocka/ssh_srv_tests-test_ssh_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/ssh_srv_tests-test_ssh_srv.obj `if test -f 'src/tests/cmocka/test_ssh_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ssh_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ssh_srv.c'; fi` + +src/responder/ssh/ssh_srv_tests-ssh_cmd.o: src/responder/ssh/ssh_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_cmd.o -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_cmd.o `test -f 'src/responder/ssh/ssh_cmd.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Tpo src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_cmd.c' object='src/responder/ssh/ssh_srv_tests-ssh_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_cmd.o `test -f 'src/responder/ssh/ssh_cmd.c' || 
echo '$(srcdir)/'`src/responder/ssh/ssh_cmd.c + +src/responder/ssh/ssh_srv_tests-ssh_cmd.obj: src/responder/ssh/ssh_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_cmd.obj -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_cmd.obj `if test -f 'src/responder/ssh/ssh_cmd.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Tpo src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_cmd.c' object='src/responder/ssh/ssh_srv_tests-ssh_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_cmd.obj `if test -f 'src/responder/ssh/ssh_cmd.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_cmd.c'; fi` + +src/responder/ssh/ssh_srv_tests-ssh_known_hosts.o: src/responder/ssh/ssh_known_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_known_hosts.o -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_known_hosts.o `test -f 'src/responder/ssh/ssh_known_hosts.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_known_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Tpo 
src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_known_hosts.c' object='src/responder/ssh/ssh_srv_tests-ssh_known_hosts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_known_hosts.o `test -f 'src/responder/ssh/ssh_known_hosts.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_known_hosts.c + +src/responder/ssh/ssh_srv_tests-ssh_known_hosts.obj: src/responder/ssh/ssh_known_hosts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_known_hosts.obj -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_known_hosts.obj `if test -f 'src/responder/ssh/ssh_known_hosts.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_known_hosts.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_known_hosts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Tpo src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_known_hosts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_known_hosts.c' object='src/responder/ssh/ssh_srv_tests-ssh_known_hosts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_known_hosts.obj `if test -f 'src/responder/ssh/ssh_known_hosts.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_known_hosts.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_known_hosts.c'; fi` + +src/responder/ssh/ssh_srv_tests-ssh_protocol.o: src/responder/ssh/ssh_protocol.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_protocol.o -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_protocol.o `test -f 'src/responder/ssh/ssh_protocol.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_protocol.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Tpo src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_protocol.c' object='src/responder/ssh/ssh_srv_tests-ssh_protocol.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_protocol.o `test -f 'src/responder/ssh/ssh_protocol.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_protocol.c + +src/responder/ssh/ssh_srv_tests-ssh_protocol.obj: src/responder/ssh/ssh_protocol.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_protocol.obj -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_protocol.obj `if test -f 'src/responder/ssh/ssh_protocol.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_protocol.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_protocol.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Tpo 
src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_protocol.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_protocol.c' object='src/responder/ssh/ssh_srv_tests-ssh_protocol.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_protocol.obj `if test -f 'src/responder/ssh/ssh_protocol.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_protocol.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_protocol.c'; fi` + +src/responder/ssh/ssh_srv_tests-ssh_reply.o: src/responder/ssh/ssh_reply.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_reply.o -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_reply.o `test -f 'src/responder/ssh/ssh_reply.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_reply.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Tpo src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_reply.c' object='src/responder/ssh/ssh_srv_tests-ssh_reply.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_reply.o `test -f 'src/responder/ssh/ssh_reply.c' || echo '$(srcdir)/'`src/responder/ssh/ssh_reply.c + +src/responder/ssh/ssh_srv_tests-ssh_reply.obj: src/responder/ssh/ssh_reply.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/responder/ssh/ssh_srv_tests-ssh_reply.obj -MD -MP -MF src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Tpo -c -o src/responder/ssh/ssh_srv_tests-ssh_reply.obj `if test -f 'src/responder/ssh/ssh_reply.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_reply.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_reply.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Tpo src/responder/ssh/$(DEPDIR)/ssh_srv_tests-ssh_reply.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ssh/ssh_reply.c' object='src/responder/ssh/ssh_srv_tests-ssh_reply.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/responder/ssh/ssh_srv_tests-ssh_reply.obj `if test -f 'src/responder/ssh/ssh_reply.c'; then $(CYGPATH_W) 'src/responder/ssh/ssh_reply.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ssh/ssh_reply.c'; fi` + +src/util/cert/ssh_srv_tests-cert_common_p11_child.o: src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/cert/ssh_srv_tests-cert_common_p11_child.o -MD -MP -MF src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Tpo -c -o src/util/cert/ssh_srv_tests-cert_common_p11_child.o `test -f 'src/util/cert/cert_common_p11_child.c' || echo '$(srcdir)/'`src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Tpo src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/cert/cert_common_p11_child.c' object='src/util/cert/ssh_srv_tests-cert_common_p11_child.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/cert/ssh_srv_tests-cert_common_p11_child.o `test -f 'src/util/cert/cert_common_p11_child.c' || echo '$(srcdir)/'`src/util/cert/cert_common_p11_child.c + +src/util/cert/ssh_srv_tests-cert_common_p11_child.obj: src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -MT src/util/cert/ssh_srv_tests-cert_common_p11_child.obj -MD -MP -MF src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Tpo -c -o src/util/cert/ssh_srv_tests-cert_common_p11_child.obj `if test -f 'src/util/cert/cert_common_p11_child.c'; then $(CYGPATH_W) 'src/util/cert/cert_common_p11_child.c'; else $(CYGPATH_W) '$(srcdir)/src/util/cert/cert_common_p11_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Tpo src/util/cert/$(DEPDIR)/ssh_srv_tests-cert_common_p11_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/cert_common_p11_child.c' object='src/util/cert/ssh_srv_tests-cert_common_p11_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(ssh_srv_tests_CFLAGS) $(CFLAGS) -c -o src/util/cert/ssh_srv_tests-cert_common_p11_child.obj `if test -f 'src/util/cert/cert_common_p11_child.c'; then $(CYGPATH_W) 'src/util/cert/cert_common_p11_child.c'; else $(CYGPATH_W) 
'$(srcdir)/src/util/cert/cert_common_p11_child.c'; fi` + +src/tools/sss_cache-sss_cache.o: src/tools/sss_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-sss_cache.o -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-sss_cache.Tpo -c -o src/tools/sss_cache-sss_cache.o `test -f 'src/tools/sss_cache.c' || echo '$(srcdir)/'`src/tools/sss_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-sss_cache.Tpo src/tools/$(DEPDIR)/sss_cache-sss_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_cache.c' object='src/tools/sss_cache-sss_cache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-sss_cache.o `test -f 'src/tools/sss_cache.c' || echo '$(srcdir)/'`src/tools/sss_cache.c + +src/tools/sss_cache-sss_cache.obj: src/tools/sss_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-sss_cache.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-sss_cache.Tpo -c -o src/tools/sss_cache-sss_cache.obj `if test -f 'src/tools/sss_cache.c'; then $(CYGPATH_W) 'src/tools/sss_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_cache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-sss_cache.Tpo src/tools/$(DEPDIR)/sss_cache-sss_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_cache.c' object='src/tools/sss_cache-sss_cache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-sss_cache.obj `if test -f 'src/tools/sss_cache.c'; then $(CYGPATH_W) 'src/tools/sss_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_cache.c'; fi` + +src/sss_client/sss_cache-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_cache-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_cache-common.Tpo -c -o src/sss_client/sss_cache-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_cache-common.Tpo src/sss_client/$(DEPDIR)/sss_cache-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_cache-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_cache-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_cache-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_cache-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_cache-common.Tpo -c -o src/sss_client/sss_cache-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_cache-common.Tpo src/sss_client/$(DEPDIR)/sss_cache-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' 
object='src/sss_client/sss_cache-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_cache-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tools/sss_cache-tools_mc_util.o: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-tools_mc_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Tpo -c -o src/tools/sss_cache-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_cache-tools_mc_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c + +src/tools/sss_cache-tools_mc_util.obj: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-tools_mc_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Tpo -c -o src/tools/sss_cache-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 
'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_cache-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_cache-tools_mc_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` + +src/tools/sss_cache-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Tpo -c -o src/tools/sss_cache-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_cache-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sss_cache-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Tpo -c -o src/tools/sss_cache-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_cache-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_cache-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sss_cache-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-tools_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-tools_util.Tpo -c -o src/tools/sss_cache-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-tools_util.Tpo src/tools/$(DEPDIR)/sss_cache-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_cache-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sss_cache-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/sss_cache-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_cache-tools_util.Tpo -c -o src/tools/sss_cache-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_cache-tools_util.Tpo src/tools/$(DEPDIR)/sss_cache-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_cache-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/sss_cache-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sss_cache-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_cache-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Tpo -c -o src/tools/common/sss_cache-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' 
object='src/tools/common/sss_cache-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_cache-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sss_cache-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_cache-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Tpo -c -o src/tools/common/sss_cache-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_cache-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_cache-sss_tools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_cache-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sss_cache-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_cache-sss_process.o -MD -MP -MF 
src/tools/common/$(DEPDIR)/sss_cache-sss_process.Tpo -c -o src/tools/common/sss_cache-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_cache-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_cache-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_cache-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_cache-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sss_cache-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_cache-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_cache-sss_process.Tpo -c -o src/tools/common/sss_cache-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_cache-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_cache-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_cache-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o 
src/tools/common/sss_cache-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + +src/confdb/sss_cache-confdb_setup.o: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/confdb/sss_cache-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Tpo -c -o src/confdb/sss_cache-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_cache-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_cache-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sss_cache-confdb_setup.obj: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/confdb/sss_cache-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Tpo -c -o src/confdb/sss_cache-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_cache-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_cache-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_cache-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sss_cache-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/util/sss_cache-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sss_cache-nscd.Tpo -c -o src/util/sss_cache-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_cache-nscd.Tpo src/util/$(DEPDIR)/sss_cache-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_cache-nscd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/util/sss_cache-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sss_cache-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -MT src/util/sss_cache-nscd.obj -MD -MP -MF src/util/$(DEPDIR)/sss_cache-nscd.Tpo -c -o src/util/sss_cache-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_cache-nscd.Tpo 
src/util/$(DEPDIR)/sss_cache-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_cache-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_cache_CFLAGS) $(CFLAGS) -c -o src/util/sss_cache-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tests/cmocka/sss_certmap_test-test_certmap.o: src/tests/cmocka/test_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sss_certmap_test-test_certmap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Tpo -c -o src/tests/cmocka/sss_certmap_test-test_certmap.o `test -f 'src/tests/cmocka/test_certmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Tpo src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_certmap.c' object='src/tests/cmocka/sss_certmap_test-test_certmap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sss_certmap_test-test_certmap.o `test -f 'src/tests/cmocka/test_certmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_certmap.c + +src/tests/cmocka/sss_certmap_test-test_certmap.obj: src/tests/cmocka/test_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_certmap_test_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sss_certmap_test-test_certmap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Tpo -c -o src/tests/cmocka/sss_certmap_test-test_certmap.obj `if test -f 'src/tests/cmocka/test_certmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_certmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Tpo src/tests/cmocka/$(DEPDIR)/sss_certmap_test-test_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_certmap.c' object='src/tests/cmocka/sss_certmap_test-test_certmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sss_certmap_test-test_certmap.obj `if test -f 'src/tests/cmocka/test_certmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_certmap.c'; fi` + +src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.o: src/lib/certmap/sss_certmap_attr_names.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -MT src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.o -MD -MP -MF src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Tpo -c -o src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.o `test -f 'src/lib/certmap/sss_certmap_attr_names.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_attr_names.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Tpo src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/lib/certmap/sss_certmap_attr_names.c' object='src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.o `test -f 'src/lib/certmap/sss_certmap_attr_names.c' || echo '$(srcdir)/'`src/lib/certmap/sss_certmap_attr_names.c + +src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.obj: src/lib/certmap/sss_certmap_attr_names.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -MT src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.obj -MD -MP -MF src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Tpo -c -o src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.obj `if test -f 'src/lib/certmap/sss_certmap_attr_names.c'; then $(CYGPATH_W) 'src/lib/certmap/sss_certmap_attr_names.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/certmap/sss_certmap_attr_names.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Tpo src/lib/certmap/$(DEPDIR)/sss_certmap_test-sss_certmap_attr_names.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/certmap/sss_certmap_attr_names.c' object='src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_certmap_test_CFLAGS) $(CFLAGS) -c -o src/lib/certmap/sss_certmap_test-sss_certmap_attr_names.obj `if test -f 'src/lib/certmap/sss_certmap_attr_names.c'; then $(CYGPATH_W) 
'src/lib/certmap/sss_certmap_attr_names.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/certmap/sss_certmap_attr_names.c'; fi` + +src/tools/sss_groupdel-sss_groupdel.o: src/tools/sss_groupdel.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-sss_groupdel.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Tpo -c -o src/tools/sss_groupdel-sss_groupdel.o `test -f 'src/tools/sss_groupdel.c' || echo '$(srcdir)/'`src/tools/sss_groupdel.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Tpo src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_groupdel.c' object='src/tools/sss_groupdel-sss_groupdel.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-sss_groupdel.o `test -f 'src/tools/sss_groupdel.c' || echo '$(srcdir)/'`src/tools/sss_groupdel.c + +src/tools/sss_groupdel-sss_groupdel.obj: src/tools/sss_groupdel.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-sss_groupdel.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Tpo -c -o src/tools/sss_groupdel-sss_groupdel.obj `if test -f 'src/tools/sss_groupdel.c'; then $(CYGPATH_W) 'src/tools/sss_groupdel.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_groupdel.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Tpo src/tools/$(DEPDIR)/sss_groupdel-sss_groupdel.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_groupdel.c' object='src/tools/sss_groupdel-sss_groupdel.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-sss_groupdel.obj `if test -f 'src/tools/sss_groupdel.c'; then $(CYGPATH_W) 'src/tools/sss_groupdel.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_groupdel.c'; fi` + +src/sss_client/sss_groupdel-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_groupdel-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_groupdel-common.Tpo -c -o src/sss_client/sss_groupdel-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_groupdel-common.Tpo src/sss_client/$(DEPDIR)/sss_groupdel-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_groupdel-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_groupdel-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_groupdel-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_groupdel-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_groupdel-common.Tpo -c -o src/sss_client/sss_groupdel-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else 
$(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_groupdel-common.Tpo src/sss_client/$(DEPDIR)/sss_groupdel-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_groupdel-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_groupdel-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tools/sss_groupdel-tools_mc_util.o: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-tools_mc_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Tpo -c -o src/tools/sss_groupdel-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_groupdel-tools_mc_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c + +src/tools/sss_groupdel-tools_mc_util.obj: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-tools_mc_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Tpo -c -o src/tools/sss_groupdel-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_groupdel-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_groupdel-tools_mc_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` + +src/tools/sss_groupdel-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Tpo -c -o src/tools/sss_groupdel-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_groupdel-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sss_groupdel-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Tpo -c -o src/tools/sss_groupdel-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_groupdel-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_groupdel-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sss_groupdel-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-tools_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-tools_util.Tpo -c -o src/tools/sss_groupdel-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tools/$(DEPDIR)/sss_groupdel-tools_util.Tpo src/tools/$(DEPDIR)/sss_groupdel-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_groupdel-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sss_groupdel-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupdel-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupdel-tools_util.Tpo -c -o src/tools/sss_groupdel-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupdel-tools_util.Tpo src/tools/$(DEPDIR)/sss_groupdel-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_groupdel-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupdel-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sss_groupdel-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupdel-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Tpo -c -o src/tools/common/sss_groupdel-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_groupdel-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupdel-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sss_groupdel-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupdel-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Tpo -c -o src/tools/common/sss_groupdel-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_groupdel-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_groupdel-sss_tools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupdel-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sss_groupdel-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupdel-sss_process.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Tpo -c -o src/tools/common/sss_groupdel-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_groupdel-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupdel-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sss_groupdel-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupdel-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Tpo -c -o src/tools/common/sss_groupdel-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) 
'$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_groupdel-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_groupdel-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupdel-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + +src/confdb/sss_groupdel-confdb_setup.o: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/confdb/sss_groupdel-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Tpo -c -o src/confdb/sss_groupdel-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_groupdel-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_groupdel-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sss_groupdel-confdb_setup.obj: 
src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/confdb/sss_groupdel-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Tpo -c -o src/confdb/sss_groupdel-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_groupdel-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_groupdel-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_groupdel-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sss_groupdel-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/util/sss_groupdel-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sss_groupdel-nscd.Tpo -c -o src/util/sss_groupdel-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_groupdel-nscd.Tpo src/util/$(DEPDIR)/sss_groupdel-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_groupdel-nscd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/util/sss_groupdel-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sss_groupdel-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -MT src/util/sss_groupdel-nscd.obj -MD -MP -MF src/util/$(DEPDIR)/sss_groupdel-nscd.Tpo -c -o src/util/sss_groupdel-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_groupdel-nscd.Tpo src/util/$(DEPDIR)/sss_groupdel-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_groupdel-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupdel_CFLAGS) $(CFLAGS) -c -o src/util/sss_groupdel-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tools/sss_groupmod-sss_groupmod.o: src/tools/sss_groupmod.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-sss_groupmod.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Tpo -c -o src/tools/sss_groupmod-sss_groupmod.o `test -f 'src/tools/sss_groupmod.c' || echo '$(srcdir)/'`src/tools/sss_groupmod.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Tpo src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_groupmod.c' object='src/tools/sss_groupmod-sss_groupmod.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-sss_groupmod.o `test -f 'src/tools/sss_groupmod.c' || echo '$(srcdir)/'`src/tools/sss_groupmod.c + +src/tools/sss_groupmod-sss_groupmod.obj: src/tools/sss_groupmod.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-sss_groupmod.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Tpo -c -o src/tools/sss_groupmod-sss_groupmod.obj `if test -f 'src/tools/sss_groupmod.c'; then $(CYGPATH_W) 'src/tools/sss_groupmod.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_groupmod.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Tpo src/tools/$(DEPDIR)/sss_groupmod-sss_groupmod.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_groupmod.c' object='src/tools/sss_groupmod-sss_groupmod.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-sss_groupmod.obj `if test -f 'src/tools/sss_groupmod.c'; then $(CYGPATH_W) 'src/tools/sss_groupmod.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_groupmod.c'; fi` + +src/sss_client/sss_groupmod-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_groupmod-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_groupmod-common.Tpo -c -o src/sss_client/sss_groupmod-common.o `test -f 
'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_groupmod-common.Tpo src/sss_client/$(DEPDIR)/sss_groupmod-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_groupmod-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_groupmod-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_groupmod-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_groupmod-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_groupmod-common.Tpo -c -o src/sss_client/sss_groupmod-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_groupmod-common.Tpo src/sss_client/$(DEPDIR)/sss_groupmod-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_groupmod-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_groupmod-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tools/sss_groupmod-tools_mc_util.o: 
src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-tools_mc_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Tpo -c -o src/tools/sss_groupmod-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_groupmod-tools_mc_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c + +src/tools/sss_groupmod-tools_mc_util.obj: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-tools_mc_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Tpo -c -o src/tools/sss_groupmod-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_groupmod-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_groupmod-tools_mc_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` + +src/tools/sss_groupmod-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Tpo -c -o src/tools/sss_groupmod-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_groupmod-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sss_groupmod-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Tpo -c -o src/tools/sss_groupmod-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_groupmod-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_groupmod-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sss_groupmod-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/sss_groupmod-tools_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-tools_util.Tpo -c -o src/tools/sss_groupmod-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-tools_util.Tpo src/tools/$(DEPDIR)/sss_groupmod-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_groupmod-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sss_groupmod-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT 
src/tools/sss_groupmod-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_groupmod-tools_util.Tpo -c -o src/tools/sss_groupmod-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_groupmod-tools_util.Tpo src/tools/$(DEPDIR)/sss_groupmod-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_groupmod-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_groupmod-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sss_groupmod-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupmod-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Tpo -c -o src/tools/common/sss_groupmod-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_groupmod-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupmod-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sss_groupmod-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupmod-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Tpo -c -o src/tools/common/sss_groupmod-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_groupmod-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_groupmod-sss_tools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupmod-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sss_groupmod-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupmod-sss_process.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Tpo -c -o src/tools/common/sss_groupmod-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_groupmod-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupmod-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sss_groupmod-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_groupmod-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Tpo -c -o src/tools/common/sss_groupmod-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_groupmod-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_groupmod-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_groupmod-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + 
+src/confdb/sss_groupmod-confdb_setup.o: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/confdb/sss_groupmod-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Tpo -c -o src/confdb/sss_groupmod-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_groupmod-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_groupmod-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sss_groupmod-confdb_setup.obj: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/confdb/sss_groupmod-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Tpo -c -o src/confdb/sss_groupmod-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_groupmod-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_groupmod-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_groupmod-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sss_groupmod-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/util/sss_groupmod-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sss_groupmod-nscd.Tpo -c -o src/util/sss_groupmod-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_groupmod-nscd.Tpo src/util/$(DEPDIR)/sss_groupmod-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_groupmod-nscd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/util/sss_groupmod-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sss_groupmod-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -MT src/util/sss_groupmod-nscd.obj -MD -MP -MF src/util/$(DEPDIR)/sss_groupmod-nscd.Tpo -c -o src/util/sss_groupmod-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_groupmod-nscd.Tpo src/util/$(DEPDIR)/sss_groupmod-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' 
object='src/util/sss_groupmod-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_groupmod_CFLAGS) $(CFLAGS) -c -o src/util/sss_groupmod-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tests/sss_idmap_tests-sss_idmap-tests.o: src/tests/sss_idmap-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_idmap_tests_CFLAGS) $(CFLAGS) -MT src/tests/sss_idmap_tests-sss_idmap-tests.o -MD -MP -MF src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Tpo -c -o src/tests/sss_idmap_tests-sss_idmap-tests.o `test -f 'src/tests/sss_idmap-tests.c' || echo '$(srcdir)/'`src/tests/sss_idmap-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Tpo src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sss_idmap-tests.c' object='src/tests/sss_idmap_tests-sss_idmap-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_idmap_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sss_idmap_tests-sss_idmap-tests.o `test -f 'src/tests/sss_idmap-tests.c' || echo '$(srcdir)/'`src/tests/sss_idmap-tests.c + +src/tests/sss_idmap_tests-sss_idmap-tests.obj: src/tests/sss_idmap-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_idmap_tests_CFLAGS) $(CFLAGS) -MT src/tests/sss_idmap_tests-sss_idmap-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Tpo -c -o 
src/tests/sss_idmap_tests-sss_idmap-tests.obj `if test -f 'src/tests/sss_idmap-tests.c'; then $(CYGPATH_W) 'src/tests/sss_idmap-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sss_idmap-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Tpo src/tests/$(DEPDIR)/sss_idmap_tests-sss_idmap-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sss_idmap-tests.c' object='src/tests/sss_idmap_tests-sss_idmap-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_idmap_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sss_idmap_tests-sss_idmap-tests.obj `if test -f 'src/tests/sss_idmap-tests.c'; then $(CYGPATH_W) 'src/tests/sss_idmap-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sss_idmap-tests.c'; fi` + +src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.o: src/tests/cmocka/sss_nss_idmap-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_nss_idmap_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Tpo -c -o src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.o `test -f 'src/tests/cmocka/sss_nss_idmap-tests.c' || echo '$(srcdir)/'`src/tests/cmocka/sss_nss_idmap-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Tpo src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/sss_nss_idmap-tests.c' object='src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_nss_idmap_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.o `test -f 'src/tests/cmocka/sss_nss_idmap-tests.c' || echo '$(srcdir)/'`src/tests/cmocka/sss_nss_idmap-tests.c + +src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.obj: src/tests/cmocka/sss_nss_idmap-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_nss_idmap_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Tpo -c -o src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.obj `if test -f 'src/tests/cmocka/sss_nss_idmap-tests.c'; then $(CYGPATH_W) 'src/tests/cmocka/sss_nss_idmap-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/sss_nss_idmap-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Tpo src/tests/cmocka/$(DEPDIR)/sss_nss_idmap_tests-sss_nss_idmap-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/sss_nss_idmap-tests.c' object='src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_nss_idmap_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sss_nss_idmap_tests-sss_nss_idmap-tests.obj `if test -f 'src/tests/cmocka/sss_nss_idmap-tests.c'; then $(CYGPATH_W) 'src/tests/cmocka/sss_nss_idmap-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/sss_nss_idmap-tests.c'; fi` + +src/tools/sss_override-sss_override.o: src/tools/sss_override.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/sss_override-sss_override.o -MD -MP -MF src/tools/$(DEPDIR)/sss_override-sss_override.Tpo -c -o src/tools/sss_override-sss_override.o `test -f 'src/tools/sss_override.c' || echo '$(srcdir)/'`src/tools/sss_override.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_override-sss_override.Tpo src/tools/$(DEPDIR)/sss_override-sss_override.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_override.c' object='src/tools/sss_override-sss_override.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/sss_override-sss_override.o `test -f 'src/tools/sss_override.c' || echo '$(srcdir)/'`src/tools/sss_override.c + +src/tools/sss_override-sss_override.obj: src/tools/sss_override.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/sss_override-sss_override.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_override-sss_override.Tpo -c -o src/tools/sss_override-sss_override.obj `if test -f 'src/tools/sss_override.c'; then $(CYGPATH_W) 'src/tools/sss_override.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_override.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_override-sss_override.Tpo src/tools/$(DEPDIR)/sss_override-sss_override.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_override.c' object='src/tools/sss_override-sss_override.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/sss_override-sss_override.obj `if test -f 'src/tools/sss_override.c'; then $(CYGPATH_W) 'src/tools/sss_override.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_override.c'; fi` + +src/tools/common/sss_override-sss_colondb.o: src/tools/common/sss_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_override-sss_colondb.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Tpo -c -o src/tools/common/sss_override-sss_colondb.o `test -f 'src/tools/common/sss_colondb.c' || echo '$(srcdir)/'`src/tools/common/sss_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Tpo src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_colondb.c' object='src/tools/common/sss_override-sss_colondb.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_override-sss_colondb.o `test -f 'src/tools/common/sss_colondb.c' || echo '$(srcdir)/'`src/tools/common/sss_colondb.c + +src/tools/common/sss_override-sss_colondb.obj: src/tools/common/sss_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_override-sss_colondb.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Tpo -c -o src/tools/common/sss_override-sss_colondb.obj `if test -f 'src/tools/common/sss_colondb.c'; then $(CYGPATH_W) 'src/tools/common/sss_colondb.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_colondb.c'; fi` +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Tpo src/tools/common/$(DEPDIR)/sss_override-sss_colondb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_colondb.c' object='src/tools/common/sss_override-sss_colondb.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_override-sss_colondb.obj `if test -f 'src/tools/common/sss_colondb.c'; then $(CYGPATH_W) 'src/tools/common/sss_colondb.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_colondb.c'; fi` + +src/tools/sss_override-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/sss_override-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Tpo -c -o src/tools/sss_override-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_override-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/sss_override-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sss_override-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/sss_override-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Tpo -c -o src/tools/sss_override-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_override-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_override-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/sss_override-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sss_override-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/sss_override-tools_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_override-tools_util.Tpo -c -o src/tools/sss_override-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_override-tools_util.Tpo src/tools/$(DEPDIR)/sss_override-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_override-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/sss_override-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sss_override-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/sss_override-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_override-tools_util.Tpo -c -o src/tools/sss_override-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_override-tools_util.Tpo src/tools/$(DEPDIR)/sss_override-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_override-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/sss_override-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sss_override-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_override-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_override-sss_tools.Tpo -c -o src/tools/common/sss_override-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_override-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_override-sss_tools.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_override-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_override-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sss_override-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_override-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_override-sss_tools.Tpo -c -o src/tools/common/sss_override-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_override-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_override-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_override-sss_tools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_override-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sss_override-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_override-sss_process.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_override-sss_process.Tpo -c -o src/tools/common/sss_override-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_override-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_override-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_override-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_override-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sss_override-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_override-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_override-sss_process.Tpo -c -o src/tools/common/sss_override-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_override-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_override-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_override-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_override-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + +src/confdb/sss_override-confdb_setup.o: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/confdb/sss_override-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sss_override-confdb_setup.Tpo -c -o src/confdb/sss_override-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_override-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_override-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_override-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_override-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sss_override-confdb_setup.obj: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/confdb/sss_override-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sss_override-confdb_setup.Tpo -c -o src/confdb/sss_override-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) 
'$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_override-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_override-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_override-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_override-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sss_override-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/util/sss_override-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sss_override-nscd.Tpo -c -o src/util/sss_override-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_override-nscd.Tpo src/util/$(DEPDIR)/sss_override-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_override-nscd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/util/sss_override-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sss_override-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -MT src/util/sss_override-nscd.obj -MD -MP -MF 
src/util/$(DEPDIR)/sss_override-nscd.Tpo -c -o src/util/sss_override-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_override-nscd.Tpo src/util/$(DEPDIR)/sss_override-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_override-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_override_CFLAGS) $(CFLAGS) -c -o src/util/sss_override-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tests/cmocka/sss_sifp_tests-test_sss_sifp.o: src/tests/cmocka/test_sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sss_sifp_tests-test_sss_sifp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Tpo -c -o src/tests/cmocka/sss_sifp_tests-test_sss_sifp.o `test -f 'src/tests/cmocka/test_sss_sifp.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Tpo src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sss_sifp.c' object='src/tests/cmocka/sss_sifp_tests-test_sss_sifp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sss_sifp_tests-test_sss_sifp.o `test -f 
'src/tests/cmocka/test_sss_sifp.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sss_sifp.c + +src/tests/cmocka/sss_sifp_tests-test_sss_sifp.obj: src/tests/cmocka/test_sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/sss_sifp_tests-test_sss_sifp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Tpo -c -o src/tests/cmocka/sss_sifp_tests-test_sss_sifp.obj `if test -f 'src/tests/cmocka/test_sss_sifp.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sss_sifp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sss_sifp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Tpo src/tests/cmocka/$(DEPDIR)/sss_sifp_tests-test_sss_sifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sss_sifp.c' object='src/tests/cmocka/sss_sifp_tests-test_sss_sifp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/sss_sifp_tests-test_sss_sifp.obj `if test -f 'src/tests/cmocka/test_sss_sifp.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sss_sifp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sss_sifp.c'; fi` + +src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.o: src/lib/sifp/sss_sifp_attrs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.o -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.o `test -f 'src/lib/sifp/sss_sifp_attrs.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_attrs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_attrs.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.o `test -f 'src/lib/sifp/sss_sifp_attrs.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_attrs.c + +src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.obj: src/lib/sifp/sss_sifp_attrs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.obj -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.obj `if test -f 'src/lib/sifp/sss_sifp_attrs.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_attrs.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_attrs.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_attrs.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_attrs.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_attrs.obj `if test -f 'src/lib/sifp/sss_sifp_attrs.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_attrs.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_attrs.c'; 
fi` + +src/lib/sifp/sss_sifp_tests-sss_sifp_common.o: src/lib/sifp/sss_sifp_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_common.o -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_common.o `test -f 'src/lib/sifp/sss_sifp_common.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_common.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_common.o `test -f 'src/lib/sifp/sss_sifp_common.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_common.c + +src/lib/sifp/sss_sifp_tests-sss_sifp_common.obj: src/lib/sifp/sss_sifp_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_common.obj -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_common.obj `if test -f 'src/lib/sifp/sss_sifp_common.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_common.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/lib/sifp/sss_sifp_common.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_common.obj `if test -f 'src/lib/sifp/sss_sifp_common.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_common.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_common.c'; fi` + +src/lib/sifp/sss_sifp_tests-sss_sifp_parser.o: src/lib/sifp/sss_sifp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_parser.o -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_parser.o `test -f 'src/lib/sifp/sss_sifp_parser.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_parser.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_parser.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_parser.o `test -f 'src/lib/sifp/sss_sifp_parser.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_parser.c + +src/lib/sifp/sss_sifp_tests-sss_sifp_parser.obj: src/lib/sifp/sss_sifp_parser.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_parser.obj -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_parser.obj `if test -f 'src/lib/sifp/sss_sifp_parser.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_parser.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_parser.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_parser.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_parser.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_parser.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_parser.obj `if test -f 'src/lib/sifp/sss_sifp_parser.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_parser.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_parser.c'; fi` + +src/lib/sifp/sss_sifp_tests-sss_sifp_utils.o: src/lib/sifp/sss_sifp_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_utils.o -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_utils.o `test -f 'src/lib/sifp/sss_sifp_utils.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_utils.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_utils.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_utils.o `test -f 'src/lib/sifp/sss_sifp_utils.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_utils.c + +src/lib/sifp/sss_sifp_tests-sss_sifp_utils.obj: src/lib/sifp/sss_sifp_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_utils.obj -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_utils.obj `if test -f 'src/lib/sifp/sss_sifp_utils.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_utils.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_utils.obj `if test -f 'src/lib/sifp/sss_sifp_utils.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_utils.c'; fi` + +src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.o: src/lib/sifp/sss_sifp_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.o -MD -MP 
-MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.o `test -f 'src/lib/sifp/sss_sifp_dbus.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_dbus.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.o `test -f 'src/lib/sifp/sss_sifp_dbus.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp_dbus.c + +src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.obj: src/lib/sifp/sss_sifp_dbus.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.obj -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.obj `if test -f 'src/lib/sifp/sss_sifp_dbus.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_dbus.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_dbus.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp_dbus.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp_dbus.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp_dbus.obj `if test -f 'src/lib/sifp/sss_sifp_dbus.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp_dbus.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp_dbus.c'; fi` + +src/lib/sifp/sss_sifp_tests-sss_sifp.o: src/lib/sifp/sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp.o -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp.o `test -f 'src/lib/sifp/sss_sifp.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp.o `test -f 'src/lib/sifp/sss_sifp.c' || echo '$(srcdir)/'`src/lib/sifp/sss_sifp.c + +src/lib/sifp/sss_sifp_tests-sss_sifp.obj: src/lib/sifp/sss_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -MT src/lib/sifp/sss_sifp_tests-sss_sifp.obj -MD -MP -MF src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Tpo -c -o src/lib/sifp/sss_sifp_tests-sss_sifp.obj `if test -f 'src/lib/sifp/sss_sifp.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Tpo src/lib/sifp/$(DEPDIR)/sss_sifp_tests-sss_sifp.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/lib/sifp/sss_sifp.c' object='src/lib/sifp/sss_sifp_tests-sss_sifp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sifp_tests_CFLAGS) $(CFLAGS) -c -o src/lib/sifp/sss_sifp_tests-sss_sifp.obj `if test -f 'src/lib/sifp/sss_sifp.c'; then $(CYGPATH_W) 'src/lib/sifp/sss_sifp.c'; else $(CYGPATH_W) '$(srcdir)/src/lib/sifp/sss_sifp.c'; fi` + +src/sss_client/sss_ssh_authorizedkeys-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_ssh_authorizedkeys-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Tpo -c -o src/sss_client/sss_ssh_authorizedkeys-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Tpo src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_ssh_authorizedkeys-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_ssh_authorizedkeys-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_ssh_authorizedkeys-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) 
$(CFLAGS) -MT src/sss_client/sss_ssh_authorizedkeys-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Tpo -c -o src/sss_client/sss_ssh_authorizedkeys-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Tpo src/sss_client/$(DEPDIR)/sss_ssh_authorizedkeys-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_ssh_authorizedkeys-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_ssh_authorizedkeys-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.o: src/sss_client/ssh/sss_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.o -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Tpo -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.o `test -f 'src/sss_client/ssh/sss_ssh_client.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_client.c' 
object='src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.o `test -f 'src/sss_client/ssh/sss_ssh_client.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_client.c + +src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.obj: src/sss_client/ssh/sss_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.obj -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Tpo -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.obj `if test -f 'src/sss_client/ssh/sss_ssh_client.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_client.c' object='src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_client.obj `if test -f 'src/sss_client/ssh/sss_ssh_client.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_client.c'; else $(CYGPATH_W) 
'$(srcdir)/src/sss_client/ssh/sss_ssh_client.c'; fi` + +src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.o: src/sss_client/ssh/sss_ssh_authorizedkeys.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.o -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Tpo -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.o `test -f 'src/sss_client/ssh/sss_ssh_authorizedkeys.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_authorizedkeys.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_authorizedkeys.c' object='src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.o `test -f 'src/sss_client/ssh/sss_ssh_authorizedkeys.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_authorizedkeys.c + +src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.obj: src/sss_client/ssh/sss_ssh_authorizedkeys.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.obj -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Tpo -c -o 
src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.obj `if test -f 'src/sss_client/ssh/sss_ssh_authorizedkeys.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_authorizedkeys.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_authorizedkeys.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_authorizedkeys.c' object='src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_authorizedkeys_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_authorizedkeys-sss_ssh_authorizedkeys.obj `if test -f 'src/sss_client/ssh/sss_ssh_authorizedkeys.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_authorizedkeys.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_authorizedkeys.c'; fi` + +src/sss_client/sss_ssh_knownhostsproxy-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_ssh_knownhostsproxy-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Tpo -c -o src/sss_client/sss_ssh_knownhostsproxy-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Tpo src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_ssh_knownhostsproxy-common.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_ssh_knownhostsproxy-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_ssh_knownhostsproxy-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_ssh_knownhostsproxy-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Tpo -c -o src/sss_client/sss_ssh_knownhostsproxy-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Tpo src/sss_client/$(DEPDIR)/sss_ssh_knownhostsproxy-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_ssh_knownhostsproxy-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_ssh_knownhostsproxy-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o: src/sss_client/ssh/sss_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -MT 
src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Tpo -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o `test -f 'src/sss_client/ssh/sss_ssh_client.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_client.c' object='src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.o `test -f 'src/sss_client/ssh/sss_ssh_client.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_client.c + +src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.obj: src/sss_client/ssh/sss_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.obj -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Tpo -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.obj `if test -f 'src/sss_client/ssh/sss_ssh_client.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/sss_client/ssh/sss_ssh_client.c' object='src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_client.obj `if test -f 'src/sss_client/ssh/sss_ssh_client.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_client.c'; fi` + +src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o: src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Tpo -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o `test -f 'src/sss_client/ssh/sss_ssh_knownhostsproxy.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_knownhostsproxy.c' object='src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -c -o 
src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.o `test -f 'src/sss_client/ssh/sss_ssh_knownhostsproxy.c' || echo '$(srcdir)/'`src/sss_client/ssh/sss_ssh_knownhostsproxy.c + +src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.obj: src/sss_client/ssh/sss_ssh_knownhostsproxy.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -MT src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.obj -MD -MP -MF src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Tpo -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.obj `if test -f 'src/sss_client/ssh/sss_ssh_knownhostsproxy.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_knownhostsproxy.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_knownhostsproxy.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Tpo src/sss_client/ssh/$(DEPDIR)/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/ssh/sss_ssh_knownhostsproxy.c' object='src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_ssh_knownhostsproxy_CFLAGS) $(CFLAGS) -c -o src/sss_client/ssh/sss_ssh_knownhostsproxy-sss_ssh_knownhostsproxy.obj `if test -f 'src/sss_client/ssh/sss_ssh_knownhostsproxy.c'; then $(CYGPATH_W) 'src/sss_client/ssh/sss_ssh_knownhostsproxy.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/ssh/sss_ssh_knownhostsproxy.c'; fi` + +src/sss_client/sss_sudo_cli-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_sudo_cli-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Tpo -c -o src/sss_client/sss_sudo_cli-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Tpo src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_sudo_cli-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_sudo_cli-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_sudo_cli-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_sudo_cli-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Tpo -c -o src/sss_client/sss_sudo_cli-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Tpo src/sss_client/$(DEPDIR)/sss_sudo_cli-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_sudo_cli-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o 
src/sss_client/sss_sudo_cli-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/sss_client/sudo/sss_sudo_cli-sss_sudo.o: src/sss_client/sudo/sss_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sudo/sss_sudo_cli-sss_sudo.o -MD -MP -MF src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Tpo -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo.o `test -f 'src/sss_client/sudo/sss_sudo.c' || echo '$(srcdir)/'`src/sss_client/sudo/sss_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Tpo src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sudo/sss_sudo.c' object='src/sss_client/sudo/sss_sudo_cli-sss_sudo.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo.o `test -f 'src/sss_client/sudo/sss_sudo.c' || echo '$(srcdir)/'`src/sss_client/sudo/sss_sudo.c + +src/sss_client/sudo/sss_sudo_cli-sss_sudo.obj: src/sss_client/sudo/sss_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sudo/sss_sudo_cli-sss_sudo.obj -MD -MP -MF src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Tpo -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo.obj `if test -f 'src/sss_client/sudo/sss_sudo.c'; then $(CYGPATH_W) 'src/sss_client/sudo/sss_sudo.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sudo/sss_sudo.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Tpo src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sudo/sss_sudo.c' object='src/sss_client/sudo/sss_sudo_cli-sss_sudo.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo.obj `if test -f 'src/sss_client/sudo/sss_sudo.c'; then $(CYGPATH_W) 'src/sss_client/sudo/sss_sudo.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sudo/sss_sudo.c'; fi` + +src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.o: src/sss_client/sudo/sss_sudo_response.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.o -MD -MP -MF src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Tpo -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.o `test -f 'src/sss_client/sudo/sss_sudo_response.c' || echo '$(srcdir)/'`src/sss_client/sudo/sss_sudo_response.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Tpo src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sudo/sss_sudo_response.c' object='src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.o `test -f 'src/sss_client/sudo/sss_sudo_response.c' || echo 
'$(srcdir)/'`src/sss_client/sudo/sss_sudo_response.c + +src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.obj: src/sss_client/sudo/sss_sudo_response.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.obj -MD -MP -MF src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Tpo -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.obj `if test -f 'src/sss_client/sudo/sss_sudo_response.c'; then $(CYGPATH_W) 'src/sss_client/sudo/sss_sudo_response.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sudo/sss_sudo_response.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Tpo src/sss_client/sudo/$(DEPDIR)/sss_sudo_cli-sss_sudo_response.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sudo/sss_sudo_response.c' object='src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sudo/sss_sudo_cli-sss_sudo_response.obj `if test -f 'src/sss_client/sudo/sss_sudo_response.c'; then $(CYGPATH_W) 'src/sss_client/sudo/sss_sudo_response.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sudo/sss_sudo_response.c'; fi` + +src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.o: src/sss_client/sudo_testcli/sudo_testcli.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.o -MD -MP -MF src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Tpo -c -o src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.o `test -f 
'src/sss_client/sudo_testcli/sudo_testcli.c' || echo '$(srcdir)/'`src/sss_client/sudo_testcli/sudo_testcli.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Tpo src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sudo_testcli/sudo_testcli.c' object='src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.o `test -f 'src/sss_client/sudo_testcli/sudo_testcli.c' || echo '$(srcdir)/'`src/sss_client/sudo_testcli/sudo_testcli.c + +src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.obj: src/sss_client/sudo_testcli/sudo_testcli.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -MT src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.obj -MD -MP -MF src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Tpo -c -o src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.obj `if test -f 'src/sss_client/sudo_testcli/sudo_testcli.c'; then $(CYGPATH_W) 'src/sss_client/sudo_testcli/sudo_testcli.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sudo_testcli/sudo_testcli.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Tpo src/sss_client/sudo_testcli/$(DEPDIR)/sss_sudo_cli-sudo_testcli.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sudo_testcli/sudo_testcli.c' object='src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_sudo_cli_CFLAGS) $(CFLAGS) -c -o src/sss_client/sudo_testcli/sss_sudo_cli-sudo_testcli.obj `if test -f 'src/sss_client/sudo_testcli/sudo_testcli.c'; then $(CYGPATH_W) 'src/sss_client/sudo_testcli/sudo_testcli.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sudo_testcli/sudo_testcli.c'; fi` + +src/tools/sss_userdel-sss_userdel.o: src/tools/sss_userdel.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-sss_userdel.o -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Tpo -c -o src/tools/sss_userdel-sss_userdel.o `test -f 'src/tools/sss_userdel.c' || echo '$(srcdir)/'`src/tools/sss_userdel.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Tpo src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_userdel.c' object='src/tools/sss_userdel-sss_userdel.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-sss_userdel.o `test -f 'src/tools/sss_userdel.c' || echo '$(srcdir)/'`src/tools/sss_userdel.c + +src/tools/sss_userdel-sss_userdel.obj: src/tools/sss_userdel.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-sss_userdel.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Tpo -c -o src/tools/sss_userdel-sss_userdel.obj `if test -f 'src/tools/sss_userdel.c'; then $(CYGPATH_W) 'src/tools/sss_userdel.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_userdel.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Tpo src/tools/$(DEPDIR)/sss_userdel-sss_userdel.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_userdel.c' object='src/tools/sss_userdel-sss_userdel.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-sss_userdel.obj `if test -f 'src/tools/sss_userdel.c'; then $(CYGPATH_W) 'src/tools/sss_userdel.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_userdel.c'; fi` + +src/sss_client/sss_userdel-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_userdel-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sss_userdel-common.Tpo -c -o src/sss_client/sss_userdel-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_userdel-common.Tpo src/sss_client/$(DEPDIR)/sss_userdel-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_userdel-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_userdel-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_userdel-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) 
-MT src/sss_client/sss_userdel-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_userdel-common.Tpo -c -o src/sss_client/sss_userdel-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_userdel-common.Tpo src/sss_client/$(DEPDIR)/sss_userdel-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_userdel-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_userdel-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tools/sss_userdel-tools_mc_util.o: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-tools_mc_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Tpo -c -o src/tools/sss_userdel-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_userdel-tools_mc_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o 
src/tools/sss_userdel-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c + +src/tools/sss_userdel-tools_mc_util.obj: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-tools_mc_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Tpo -c -o src/tools/sss_userdel-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_userdel-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_userdel-tools_mc_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` + +src/tools/sss_userdel-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Tpo -c -o src/tools/sss_userdel-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_userdel-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sss_userdel-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Tpo -c -o src/tools/sss_userdel-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_userdel-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_userdel-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sss_userdel-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-tools_util.o -MD -MP -MF 
src/tools/$(DEPDIR)/sss_userdel-tools_util.Tpo -c -o src/tools/sss_userdel-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-tools_util.Tpo src/tools/$(DEPDIR)/sss_userdel-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_userdel-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sss_userdel-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/sss_userdel-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_userdel-tools_util.Tpo -c -o src/tools/sss_userdel-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_userdel-tools_util.Tpo src/tools/$(DEPDIR)/sss_userdel-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_userdel-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/sss_userdel-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) 
'$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sss_userdel-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_userdel-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Tpo -c -o src/tools/common/sss_userdel-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_userdel-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_userdel-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sss_userdel-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_userdel-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Tpo -c -o src/tools/common/sss_userdel-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_userdel-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_userdel-sss_tools.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_userdel-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sss_userdel-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_userdel-sss_process.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Tpo -c -o src/tools/common/sss_userdel-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_userdel-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_userdel-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sss_userdel-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_userdel-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Tpo -c -o 
src/tools/common/sss_userdel-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_userdel-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_userdel-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_userdel-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + +src/confdb/sss_userdel-confdb_setup.o: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/confdb/sss_userdel-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Tpo -c -o src/confdb/sss_userdel-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_userdel-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o 
src/confdb/sss_userdel-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sss_userdel-confdb_setup.obj: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/confdb/sss_userdel-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Tpo -c -o src/confdb/sss_userdel-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_userdel-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_userdel-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_userdel-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sss_userdel-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/util/sss_userdel-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sss_userdel-nscd.Tpo -c -o src/util/sss_userdel-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_userdel-nscd.Tpo src/util/$(DEPDIR)/sss_userdel-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_userdel-nscd.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/util/sss_userdel-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sss_userdel-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -MT src/util/sss_userdel-nscd.obj -MD -MP -MF src/util/$(DEPDIR)/sss_userdel-nscd.Tpo -c -o src/util/sss_userdel-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_userdel-nscd.Tpo src/util/$(DEPDIR)/sss_userdel-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_userdel-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_userdel_CFLAGS) $(CFLAGS) -c -o src/util/sss_userdel-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tools/sss_usermod-sss_usermod.o: src/tools/sss_usermod.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-sss_usermod.o -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Tpo -c -o src/tools/sss_usermod-sss_usermod.o `test -f 'src/tools/sss_usermod.c' || echo '$(srcdir)/'`src/tools/sss_usermod.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Tpo src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_usermod.c' object='src/tools/sss_usermod-sss_usermod.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-sss_usermod.o `test -f 'src/tools/sss_usermod.c' || echo '$(srcdir)/'`src/tools/sss_usermod.c + +src/tools/sss_usermod-sss_usermod.obj: src/tools/sss_usermod.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-sss_usermod.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Tpo -c -o src/tools/sss_usermod-sss_usermod.obj `if test -f 'src/tools/sss_usermod.c'; then $(CYGPATH_W) 'src/tools/sss_usermod.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_usermod.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Tpo src/tools/$(DEPDIR)/sss_usermod-sss_usermod.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_usermod.c' object='src/tools/sss_usermod-sss_usermod.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-sss_usermod.obj `if test -f 'src/tools/sss_usermod.c'; then $(CYGPATH_W) 'src/tools/sss_usermod.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_usermod.c'; fi` + +src/sss_client/sss_usermod-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_usermod-common.o -MD -MP -MF 
src/sss_client/$(DEPDIR)/sss_usermod-common.Tpo -c -o src/sss_client/sss_usermod-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_usermod-common.Tpo src/sss_client/$(DEPDIR)/sss_usermod-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_usermod-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_usermod-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sss_usermod-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/sss_client/sss_usermod-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sss_usermod-common.Tpo -c -o src/sss_client/sss_usermod-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sss_usermod-common.Tpo src/sss_client/$(DEPDIR)/sss_usermod-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sss_usermod-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/sss_client/sss_usermod-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) 
'$(srcdir)/src/sss_client/common.c'; fi` + +src/tools/sss_usermod-tools_mc_util.o: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-tools_mc_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Tpo -c -o src/tools/sss_usermod-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_usermod-tools_mc_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-tools_mc_util.o `test -f 'src/tools/tools_mc_util.c' || echo '$(srcdir)/'`src/tools/tools_mc_util.c + +src/tools/sss_usermod-tools_mc_util.obj: src/tools/tools_mc_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-tools_mc_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Tpo -c -o src/tools/sss_usermod-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Tpo src/tools/$(DEPDIR)/sss_usermod-tools_mc_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_mc_util.c' object='src/tools/sss_usermod-tools_mc_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-tools_mc_util.obj `if test -f 'src/tools/tools_mc_util.c'; then $(CYGPATH_W) 'src/tools/tools_mc_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_mc_util.c'; fi` + +src/tools/sss_usermod-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Tpo -c -o src/tools/sss_usermod-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_usermod-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sss_usermod-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Tpo -c -o src/tools/sss_usermod-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sss_usermod-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sss_usermod-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sss_usermod-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/sss_usermod-tools_util.o -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-tools_util.Tpo -c -o src/tools/sss_usermod-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-tools_util.Tpo src/tools/$(DEPDIR)/sss_usermod-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_usermod-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sss_usermod-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT 
src/tools/sss_usermod-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sss_usermod-tools_util.Tpo -c -o src/tools/sss_usermod-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sss_usermod-tools_util.Tpo src/tools/$(DEPDIR)/sss_usermod-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sss_usermod-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/sss_usermod-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sss_usermod-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_usermod-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Tpo -c -o src/tools/common/sss_usermod-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_usermod-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) 
-c -o src/tools/common/sss_usermod-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sss_usermod-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_usermod-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Tpo -c -o src/tools/common/sss_usermod-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Tpo src/tools/common/$(DEPDIR)/sss_usermod-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sss_usermod-sss_tools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_usermod-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sss_usermod-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_usermod-sss_process.o -MD -MP -MF src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Tpo -c -o src/tools/common/sss_usermod-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Tpo 
src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_usermod-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_usermod-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sss_usermod-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/tools/common/sss_usermod-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Tpo -c -o src/tools/common/sss_usermod-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Tpo src/tools/common/$(DEPDIR)/sss_usermod-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sss_usermod-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/tools/common/sss_usermod-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + +src/confdb/sss_usermod-confdb_setup.o: src/confdb/confdb_setup.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/confdb/sss_usermod-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Tpo -c -o src/confdb/sss_usermod-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_usermod-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_usermod-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sss_usermod-confdb_setup.obj: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/confdb/sss_usermod-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Tpo -c -o src/confdb/sss_usermod-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Tpo src/confdb/$(DEPDIR)/sss_usermod-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sss_usermod-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/confdb/sss_usermod-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sss_usermod-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/util/sss_usermod-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sss_usermod-nscd.Tpo -c -o src/util/sss_usermod-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_usermod-nscd.Tpo src/util/$(DEPDIR)/sss_usermod-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_usermod-nscd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/util/sss_usermod-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sss_usermod-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -MT src/util/sss_usermod-nscd.obj -MD -MP -MF src/util/$(DEPDIR)/sss_usermod-nscd.Tpo -c -o src/util/sss_usermod-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sss_usermod-nscd.Tpo src/util/$(DEPDIR)/sss_usermod-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sss_usermod-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sss_usermod_CFLAGS) $(CFLAGS) -c -o src/util/sss_usermod-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tools/sssctl/sssctl-sssctl.o: src/tools/sssctl/sssctl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Tpo -c -o src/tools/sssctl/sssctl-sssctl.o `test -f 'src/tools/sssctl/sssctl.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl.c' object='src/tools/sssctl/sssctl-sssctl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl.o `test -f 'src/tools/sssctl/sssctl.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl.c + +src/tools/sssctl/sssctl-sssctl.obj: src/tools/sssctl/sssctl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Tpo -c -o src/tools/sssctl/sssctl-sssctl.obj `if test -f 'src/tools/sssctl/sssctl.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl.c' object='src/tools/sssctl/sssctl-sssctl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl.obj `if test -f 'src/tools/sssctl/sssctl.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl.c'; fi` + +src/tools/sssctl/sssctl-sssctl_systemd.o: src/tools/sssctl/sssctl_systemd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_systemd.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Tpo -c -o src/tools/sssctl/sssctl-sssctl_systemd.o `test -f 'src/tools/sssctl/sssctl_systemd.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_systemd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_systemd.c' object='src/tools/sssctl/sssctl-sssctl_systemd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_systemd.o `test -f 'src/tools/sssctl/sssctl_systemd.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_systemd.c + +src/tools/sssctl/sssctl-sssctl_systemd.obj: src/tools/sssctl/sssctl_systemd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT 
src/tools/sssctl/sssctl-sssctl_systemd.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Tpo -c -o src/tools/sssctl/sssctl-sssctl_systemd.obj `if test -f 'src/tools/sssctl/sssctl_systemd.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_systemd.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_systemd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_systemd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_systemd.c' object='src/tools/sssctl/sssctl-sssctl_systemd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_systemd.obj `if test -f 'src/tools/sssctl/sssctl_systemd.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_systemd.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_systemd.c'; fi` + +src/tools/sssctl/sssctl-sssctl_cache.o: src/tools/sssctl/sssctl_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_cache.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Tpo -c -o src/tools/sssctl/sssctl-sssctl_cache.o `test -f 'src/tools/sssctl/sssctl_cache.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_cache.c' object='src/tools/sssctl/sssctl-sssctl_cache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_cache.o `test -f 'src/tools/sssctl/sssctl_cache.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_cache.c + +src/tools/sssctl/sssctl-sssctl_cache.obj: src/tools/sssctl/sssctl_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_cache.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Tpo -c -o src/tools/sssctl/sssctl-sssctl_cache.obj `if test -f 'src/tools/sssctl/sssctl_cache.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_cache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_cache.c' object='src/tools/sssctl/sssctl-sssctl_cache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_cache.obj `if test -f 'src/tools/sssctl/sssctl_cache.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_cache.c'; fi` + +src/tools/sssctl/sssctl-sssctl_data.o: src/tools/sssctl/sssctl_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_data.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Tpo -c -o src/tools/sssctl/sssctl-sssctl_data.o `test -f 'src/tools/sssctl/sssctl_data.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_data.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_data.c' object='src/tools/sssctl/sssctl-sssctl_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_data.o `test -f 'src/tools/sssctl/sssctl_data.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_data.c + +src/tools/sssctl/sssctl-sssctl_data.obj: src/tools/sssctl/sssctl_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_data.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Tpo -c -o src/tools/sssctl/sssctl-sssctl_data.obj `if test -f 'src/tools/sssctl/sssctl_data.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_data.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_data.c' object='src/tools/sssctl/sssctl-sssctl_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_data.obj `if test -f 'src/tools/sssctl/sssctl_data.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_data.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_data.c'; fi` + +src/tools/sssctl/sssctl-sssctl_logs.o: 
src/tools/sssctl/sssctl_logs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_logs.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Tpo -c -o src/tools/sssctl/sssctl-sssctl_logs.o `test -f 'src/tools/sssctl/sssctl_logs.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_logs.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_logs.c' object='src/tools/sssctl/sssctl-sssctl_logs.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_logs.o `test -f 'src/tools/sssctl/sssctl_logs.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_logs.c + +src/tools/sssctl/sssctl-sssctl_logs.obj: src/tools/sssctl/sssctl_logs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_logs.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Tpo -c -o src/tools/sssctl/sssctl-sssctl_logs.obj `if test -f 'src/tools/sssctl/sssctl_logs.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_logs.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_logs.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_logs.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_logs.c' object='src/tools/sssctl/sssctl-sssctl_logs.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_logs.obj `if test -f 'src/tools/sssctl/sssctl_logs.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_logs.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_logs.c'; fi` + +src/tools/sssctl/sssctl-sssctl_domains.o: src/tools/sssctl/sssctl_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_domains.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Tpo -c -o src/tools/sssctl/sssctl-sssctl_domains.o `test -f 'src/tools/sssctl/sssctl_domains.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_domains.c' object='src/tools/sssctl/sssctl-sssctl_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_domains.o `test -f 'src/tools/sssctl/sssctl_domains.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_domains.c + +src/tools/sssctl/sssctl-sssctl_domains.obj: src/tools/sssctl/sssctl_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_domains.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Tpo -c -o src/tools/sssctl/sssctl-sssctl_domains.obj `if test -f 'src/tools/sssctl/sssctl_domains.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_domains.c'; 
else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_domains.c' object='src/tools/sssctl/sssctl-sssctl_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_domains.obj `if test -f 'src/tools/sssctl/sssctl_domains.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_domains.c'; fi` + +src/tools/sssctl/sssctl-sssctl_sifp.o: src/tools/sssctl/sssctl_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_sifp.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Tpo -c -o src/tools/sssctl/sssctl-sssctl_sifp.o `test -f 'src/tools/sssctl/sssctl_sifp.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_sifp.c' object='src/tools/sssctl/sssctl-sssctl_sifp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_sifp.o `test -f 'src/tools/sssctl/sssctl_sifp.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_sifp.c + 
+src/tools/sssctl/sssctl-sssctl_sifp.obj: src/tools/sssctl/sssctl_sifp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_sifp.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Tpo -c -o src/tools/sssctl/sssctl-sssctl_sifp.obj `if test -f 'src/tools/sssctl/sssctl_sifp.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_sifp.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_sifp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_sifp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_sifp.c' object='src/tools/sssctl/sssctl-sssctl_sifp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_sifp.obj `if test -f 'src/tools/sssctl/sssctl_sifp.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_sifp.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_sifp.c'; fi` + +src/tools/sssctl/sssctl-sssctl_config.o: src/tools/sssctl/sssctl_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_config.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Tpo -c -o src/tools/sssctl/sssctl-sssctl_config.o `test -f 'src/tools/sssctl/sssctl_config.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_config.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_config.c' 
object='src/tools/sssctl/sssctl-sssctl_config.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_config.o `test -f 'src/tools/sssctl/sssctl_config.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_config.c + +src/tools/sssctl/sssctl-sssctl_config.obj: src/tools/sssctl/sssctl_config.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_config.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Tpo -c -o src/tools/sssctl/sssctl-sssctl_config.obj `if test -f 'src/tools/sssctl/sssctl_config.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_config.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_config.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_config.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_config.c' object='src/tools/sssctl/sssctl-sssctl_config.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_config.obj `if test -f 'src/tools/sssctl/sssctl_config.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_config.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_config.c'; fi` + +src/tools/sssctl/sssctl-sssctl_user_checks.o: src/tools/sssctl/sssctl_user_checks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT 
src/tools/sssctl/sssctl-sssctl_user_checks.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Tpo -c -o src/tools/sssctl/sssctl-sssctl_user_checks.o `test -f 'src/tools/sssctl/sssctl_user_checks.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_user_checks.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_user_checks.c' object='src/tools/sssctl/sssctl-sssctl_user_checks.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_user_checks.o `test -f 'src/tools/sssctl/sssctl_user_checks.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_user_checks.c + +src/tools/sssctl/sssctl-sssctl_user_checks.obj: src/tools/sssctl/sssctl_user_checks.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_user_checks.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Tpo -c -o src/tools/sssctl/sssctl-sssctl_user_checks.obj `if test -f 'src/tools/sssctl/sssctl_user_checks.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_user_checks.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_user_checks.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_user_checks.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_user_checks.c' object='src/tools/sssctl/sssctl-sssctl_user_checks.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_user_checks.obj `if test -f 'src/tools/sssctl/sssctl_user_checks.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_user_checks.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_user_checks.c'; fi` + +src/tools/sssctl/sssctl-sssctl_access_report.o: src/tools/sssctl/sssctl_access_report.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_access_report.o -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Tpo -c -o src/tools/sssctl/sssctl-sssctl_access_report.o `test -f 'src/tools/sssctl/sssctl_access_report.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_access_report.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_access_report.c' object='src/tools/sssctl/sssctl-sssctl_access_report.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_access_report.o `test -f 'src/tools/sssctl/sssctl_access_report.c' || echo '$(srcdir)/'`src/tools/sssctl/sssctl_access_report.c + +src/tools/sssctl/sssctl-sssctl_access_report.obj: src/tools/sssctl/sssctl_access_report.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl/sssctl-sssctl_access_report.obj -MD -MP -MF src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Tpo -c 
-o src/tools/sssctl/sssctl-sssctl_access_report.obj `if test -f 'src/tools/sssctl/sssctl_access_report.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_access_report.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_access_report.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Tpo src/tools/sssctl/$(DEPDIR)/sssctl-sssctl_access_report.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssctl/sssctl_access_report.c' object='src/tools/sssctl/sssctl-sssctl_access_report.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl/sssctl-sssctl_access_report.obj `if test -f 'src/tools/sssctl/sssctl_access_report.c'; then $(CYGPATH_W) 'src/tools/sssctl/sssctl_access_report.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssctl/sssctl_access_report.c'; fi` + +src/tools/sssctl-sss_sync_ops.o: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl-sss_sync_ops.o -MD -MP -MF src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Tpo -c -o src/tools/sssctl-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sssctl-sss_sync_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o 
src/tools/sssctl-sss_sync_ops.o `test -f 'src/tools/sss_sync_ops.c' || echo '$(srcdir)/'`src/tools/sss_sync_ops.c + +src/tools/sssctl-sss_sync_ops.obj: src/tools/sss_sync_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl-sss_sync_ops.obj -MD -MP -MF src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Tpo -c -o src/tools/sssctl-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Tpo src/tools/$(DEPDIR)/sssctl-sss_sync_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sss_sync_ops.c' object='src/tools/sssctl-sss_sync_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl-sss_sync_ops.obj `if test -f 'src/tools/sss_sync_ops.c'; then $(CYGPATH_W) 'src/tools/sss_sync_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sss_sync_ops.c'; fi` + +src/tools/sssctl-tools_util.o: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl-tools_util.o -MD -MP -MF src/tools/$(DEPDIR)/sssctl-tools_util.Tpo -c -o src/tools/sssctl-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sssctl-tools_util.Tpo src/tools/$(DEPDIR)/sssctl-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sssctl-tools_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl-tools_util.o `test -f 'src/tools/tools_util.c' || echo '$(srcdir)/'`src/tools/tools_util.c + +src/tools/sssctl-tools_util.obj: src/tools/tools_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/sssctl-tools_util.obj -MD -MP -MF src/tools/$(DEPDIR)/sssctl-tools_util.Tpo -c -o src/tools/sssctl-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sssctl-tools_util.Tpo src/tools/$(DEPDIR)/sssctl-tools_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/tools_util.c' object='src/tools/sssctl-tools_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/sssctl-tools_util.obj `if test -f 'src/tools/tools_util.c'; then $(CYGPATH_W) 'src/tools/tools_util.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/tools_util.c'; fi` + +src/tools/common/sssctl-sss_tools.o: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/common/sssctl-sss_tools.o -MD -MP -MF src/tools/common/$(DEPDIR)/sssctl-sss_tools.Tpo -c -o src/tools/common/sssctl-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sssctl-sss_tools.Tpo 
src/tools/common/$(DEPDIR)/sssctl-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sssctl-sss_tools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/common/sssctl-sss_tools.o `test -f 'src/tools/common/sss_tools.c' || echo '$(srcdir)/'`src/tools/common/sss_tools.c + +src/tools/common/sssctl-sss_tools.obj: src/tools/common/sss_tools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/common/sssctl-sss_tools.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sssctl-sss_tools.Tpo -c -o src/tools/common/sssctl-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sssctl-sss_tools.Tpo src/tools/common/$(DEPDIR)/sssctl-sss_tools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_tools.c' object='src/tools/common/sssctl-sss_tools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/common/sssctl-sss_tools.obj `if test -f 'src/tools/common/sss_tools.c'; then $(CYGPATH_W) 'src/tools/common/sss_tools.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_tools.c'; fi` + +src/tools/common/sssctl-sss_process.o: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/common/sssctl-sss_process.o -MD -MP -MF src/tools/common/$(DEPDIR)/sssctl-sss_process.Tpo -c -o src/tools/common/sssctl-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sssctl-sss_process.Tpo src/tools/common/$(DEPDIR)/sssctl-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sssctl-sss_process.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/tools/common/sssctl-sss_process.o `test -f 'src/tools/common/sss_process.c' || echo '$(srcdir)/'`src/tools/common/sss_process.c + +src/tools/common/sssctl-sss_process.obj: src/tools/common/sss_process.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/tools/common/sssctl-sss_process.obj -MD -MP -MF src/tools/common/$(DEPDIR)/sssctl-sss_process.Tpo -c -o src/tools/common/sssctl-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/sssctl-sss_process.Tpo src/tools/common/$(DEPDIR)/sssctl-sss_process.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_process.c' object='src/tools/common/sssctl-sss_process.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) 
$(CFLAGS) -c -o src/tools/common/sssctl-sss_process.obj `if test -f 'src/tools/common/sss_process.c'; then $(CYGPATH_W) 'src/tools/common/sss_process.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_process.c'; fi` + +src/confdb/sssctl-confdb_setup.o: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/confdb/sssctl-confdb_setup.o -MD -MP -MF src/confdb/$(DEPDIR)/sssctl-confdb_setup.Tpo -c -o src/confdb/sssctl-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sssctl-confdb_setup.Tpo src/confdb/$(DEPDIR)/sssctl-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' object='src/confdb/sssctl-confdb_setup.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/confdb/sssctl-confdb_setup.o `test -f 'src/confdb/confdb_setup.c' || echo '$(srcdir)/'`src/confdb/confdb_setup.c + +src/confdb/sssctl-confdb_setup.obj: src/confdb/confdb_setup.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/confdb/sssctl-confdb_setup.obj -MD -MP -MF src/confdb/$(DEPDIR)/sssctl-confdb_setup.Tpo -c -o src/confdb/sssctl-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/confdb/$(DEPDIR)/sssctl-confdb_setup.Tpo src/confdb/$(DEPDIR)/sssctl-confdb_setup.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/confdb/confdb_setup.c' 
object='src/confdb/sssctl-confdb_setup.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/confdb/sssctl-confdb_setup.obj `if test -f 'src/confdb/confdb_setup.c'; then $(CYGPATH_W) 'src/confdb/confdb_setup.c'; else $(CYGPATH_W) '$(srcdir)/src/confdb/confdb_setup.c'; fi` + +src/util/sssctl-nscd.o: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/util/sssctl-nscd.o -MD -MP -MF src/util/$(DEPDIR)/sssctl-nscd.Tpo -c -o src/util/sssctl-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssctl-nscd.Tpo src/util/$(DEPDIR)/sssctl-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' object='src/util/sssctl-nscd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/util/sssctl-nscd.o `test -f 'src/util/nscd.c' || echo '$(srcdir)/'`src/util/nscd.c + +src/util/sssctl-nscd.obj: src/util/nscd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -MT src/util/sssctl-nscd.obj -MD -MP -MF src/util/$(DEPDIR)/sssctl-nscd.Tpo -c -o src/util/sssctl-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssctl-nscd.Tpo src/util/$(DEPDIR)/sssctl-nscd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/nscd.c' 
object='src/util/sssctl-nscd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssctl_CFLAGS) $(CFLAGS) -c -o src/util/sssctl-nscd.obj `if test -f 'src/util/nscd.c'; then $(CYGPATH_W) 'src/util/nscd.c'; else $(CYGPATH_W) '$(srcdir)/src/util/nscd.c'; fi` + +src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.o: src/tools/sssd_check_socket_activated_responders.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_check_socket_activated_responders_CFLAGS) $(CFLAGS) -MT src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.o -MD -MP -MF src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Tpo -c -o src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.o `test -f 'src/tools/sssd_check_socket_activated_responders.c' || echo '$(srcdir)/'`src/tools/sssd_check_socket_activated_responders.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Tpo src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssd_check_socket_activated_responders.c' object='src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_check_socket_activated_responders_CFLAGS) $(CFLAGS) -c -o 
src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.o `test -f 'src/tools/sssd_check_socket_activated_responders.c' || echo '$(srcdir)/'`src/tools/sssd_check_socket_activated_responders.c + +src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.obj: src/tools/sssd_check_socket_activated_responders.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_check_socket_activated_responders_CFLAGS) $(CFLAGS) -MT src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.obj -MD -MP -MF src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Tpo -c -o src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.obj `if test -f 'src/tools/sssd_check_socket_activated_responders.c'; then $(CYGPATH_W) 'src/tools/sssd_check_socket_activated_responders.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssd_check_socket_activated_responders.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Tpo src/tools/$(DEPDIR)/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/sssd_check_socket_activated_responders.c' object='src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_check_socket_activated_responders_CFLAGS) $(CFLAGS) -c -o src/tools/sssd_check_socket_activated_responders-sssd_check_socket_activated_responders.obj `if test -f 'src/tools/sssd_check_socket_activated_responders.c'; then $(CYGPATH_W) 
'src/tools/sssd_check_socket_activated_responders.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/sssd_check_socket_activated_responders.c'; fi` + +src/responder/ifp/sssd_ifp-ifpsrv.o: src/responder/ifp/ifpsrv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifpsrv.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Tpo -c -o src/responder/ifp/sssd_ifp-ifpsrv.o `test -f 'src/responder/ifp/ifpsrv.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv.c' object='src/responder/ifp/sssd_ifp-ifpsrv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifpsrv.o `test -f 'src/responder/ifp/ifpsrv.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv.c + +src/responder/ifp/sssd_ifp-ifpsrv.obj: src/responder/ifp/ifpsrv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifpsrv.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Tpo -c -o src/responder/ifp/sssd_ifp-ifpsrv.obj `if test -f 'src/responder/ifp/ifpsrv.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv.c' object='src/responder/ifp/sssd_ifp-ifpsrv.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifpsrv.obj `if test -f 'src/responder/ifp/ifpsrv.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv.c'; fi` + +src/responder/ifp/sssd_ifp-ifpsrv_cmd.o: src/responder/ifp/ifpsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifpsrv_cmd.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Tpo -c -o src/responder/ifp/sssd_ifp-ifpsrv_cmd.o `test -f 'src/responder/ifp/ifpsrv_cmd.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_cmd.c' object='src/responder/ifp/sssd_ifp-ifpsrv_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifpsrv_cmd.o `test -f 'src/responder/ifp/ifpsrv_cmd.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_cmd.c + +src/responder/ifp/sssd_ifp-ifpsrv_cmd.obj: src/responder/ifp/ifpsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifpsrv_cmd.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Tpo -c -o src/responder/ifp/sssd_ifp-ifpsrv_cmd.obj `if test -f 
'src/responder/ifp/ifpsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_cmd.c' object='src/responder/ifp/sssd_ifp-ifpsrv_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifpsrv_cmd.obj `if test -f 'src/responder/ifp/ifpsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_cmd.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_iface_generated.o: src/responder/ifp/ifp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_iface_generated.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_iface_generated.o `test -f 'src/responder/ifp/ifp_iface_generated.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface_generated.c' object='src/responder/ifp/sssd_ifp-ifp_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_iface_generated.o `test -f 'src/responder/ifp/ifp_iface_generated.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface_generated.c + +src/responder/ifp/sssd_ifp-ifp_iface_generated.obj: src/responder/ifp/ifp_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_iface_generated.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_iface_generated.obj `if test -f 'src/responder/ifp/ifp_iface_generated.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface_generated.c' object='src/responder/ifp/sssd_ifp-ifp_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_iface_generated.obj `if test -f 'src/responder/ifp/ifp_iface_generated.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface_generated.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_iface.o: src/responder/ifp/ifp_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_iface.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_iface.o `test -f 
'src/responder/ifp/ifp_iface.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface.c' object='src/responder/ifp/sssd_ifp-ifp_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_iface.o `test -f 'src/responder/ifp/ifp_iface.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface.c + +src/responder/ifp/sssd_ifp-ifp_iface.obj: src/responder/ifp/ifp_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_iface.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_iface.obj `if test -f 'src/responder/ifp/ifp_iface.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface.c' object='src/responder/ifp/sssd_ifp-ifp_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_iface.obj `if test -f 'src/responder/ifp/ifp_iface.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/ifp/ifp_iface.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_iface_nodes.o: src/responder/ifp/ifp_iface_nodes.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_iface_nodes.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_iface_nodes.o `test -f 'src/responder/ifp/ifp_iface_nodes.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface_nodes.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface_nodes.c' object='src/responder/ifp/sssd_ifp-ifp_iface_nodes.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_iface_nodes.o `test -f 'src/responder/ifp/ifp_iface_nodes.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_iface_nodes.c + +src/responder/ifp/sssd_ifp-ifp_iface_nodes.obj: src/responder/ifp/ifp_iface_nodes.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_iface_nodes.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_iface_nodes.obj `if test -f 'src/responder/ifp/ifp_iface_nodes.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface_nodes.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface_nodes.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_iface_nodes.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_iface_nodes.c' object='src/responder/ifp/sssd_ifp-ifp_iface_nodes.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_iface_nodes.obj `if test -f 'src/responder/ifp/ifp_iface_nodes.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_iface_nodes.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_iface_nodes.c'; fi` + +src/responder/ifp/sssd_ifp-ifpsrv_util.o: src/responder/ifp/ifpsrv_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifpsrv_util.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Tpo -c -o src/responder/ifp/sssd_ifp-ifpsrv_util.o `test -f 'src/responder/ifp/ifpsrv_util.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_util.c' object='src/responder/ifp/sssd_ifp-ifpsrv_util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifpsrv_util.o `test -f 'src/responder/ifp/ifpsrv_util.c' || echo '$(srcdir)/'`src/responder/ifp/ifpsrv_util.c + +src/responder/ifp/sssd_ifp-ifpsrv_util.obj: src/responder/ifp/ifpsrv_util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifpsrv_util.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Tpo -c -o src/responder/ifp/sssd_ifp-ifpsrv_util.obj `if test -f 'src/responder/ifp/ifpsrv_util.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_util.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifpsrv_util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifpsrv_util.c' object='src/responder/ifp/sssd_ifp-ifpsrv_util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifpsrv_util.obj `if test -f 'src/responder/ifp/ifpsrv_util.c'; then $(CYGPATH_W) 'src/responder/ifp/ifpsrv_util.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifpsrv_util.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_domains.o: src/responder/ifp/ifp_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_domains.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_domains.o `test -f 'src/responder/ifp/ifp_domains.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_domains.c' object='src/responder/ifp/sssd_ifp-ifp_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_domains.o `test -f 'src/responder/ifp/ifp_domains.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_domains.c + +src/responder/ifp/sssd_ifp-ifp_domains.obj: src/responder/ifp/ifp_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_domains.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_domains.obj `if test -f 'src/responder/ifp/ifp_domains.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_domains.c' object='src/responder/ifp/sssd_ifp-ifp_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_domains.obj `if test -f 'src/responder/ifp/ifp_domains.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_domains.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_components.o: src/responder/ifp/ifp_components.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_components.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_components.o `test -f 
'src/responder/ifp/ifp_components.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_components.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_components.c' object='src/responder/ifp/sssd_ifp-ifp_components.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_components.o `test -f 'src/responder/ifp/ifp_components.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_components.c + +src/responder/ifp/sssd_ifp-ifp_components.obj: src/responder/ifp/ifp_components.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_components.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_components.obj `if test -f 'src/responder/ifp/ifp_components.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_components.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_components.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_components.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_components.c' object='src/responder/ifp/sssd_ifp-ifp_components.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_components.obj `if test -f 
'src/responder/ifp/ifp_components.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_components.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_components.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_users.o: src/responder/ifp/ifp_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_users.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_users.o `test -f 'src/responder/ifp/ifp_users.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_users.c' object='src/responder/ifp/sssd_ifp-ifp_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_users.o `test -f 'src/responder/ifp/ifp_users.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_users.c + +src/responder/ifp/sssd_ifp-ifp_users.obj: src/responder/ifp/ifp_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_users.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_users.obj `if test -f 'src/responder/ifp/ifp_users.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/ifp/ifp_users.c' object='src/responder/ifp/sssd_ifp-ifp_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_users.obj `if test -f 'src/responder/ifp/ifp_users.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_users.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_groups.o: src/responder/ifp/ifp_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_groups.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_groups.o `test -f 'src/responder/ifp/ifp_groups.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_groups.c' object='src/responder/ifp/sssd_ifp-ifp_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_groups.o `test -f 'src/responder/ifp/ifp_groups.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_groups.c + +src/responder/ifp/sssd_ifp-ifp_groups.obj: src/responder/ifp/ifp_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_groups.obj -MD -MP -MF 
src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_groups.obj `if test -f 'src/responder/ifp/ifp_groups.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_groups.c' object='src/responder/ifp/sssd_ifp-ifp_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_groups.obj `if test -f 'src/responder/ifp/ifp_groups.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_groups.c'; fi` + +src/responder/ifp/sssd_ifp-ifp_cache.o: src/responder/ifp/ifp_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_cache.o -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_cache.o `test -f 'src/responder/ifp/ifp_cache.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_cache.c' object='src/responder/ifp/sssd_ifp-ifp_cache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_cache.o `test -f 'src/responder/ifp/ifp_cache.c' || echo '$(srcdir)/'`src/responder/ifp/ifp_cache.c + +src/responder/ifp/sssd_ifp-ifp_cache.obj: src/responder/ifp/ifp_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/ifp/sssd_ifp-ifp_cache.obj -MD -MP -MF src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Tpo -c -o src/responder/ifp/sssd_ifp-ifp_cache.obj `if test -f 'src/responder/ifp/ifp_cache.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_cache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Tpo src/responder/ifp/$(DEPDIR)/sssd_ifp-ifp_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/ifp/ifp_cache.c' object='src/responder/ifp/sssd_ifp-ifp_cache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/ifp/sssd_ifp-ifp_cache.obj `if test -f 'src/responder/ifp/ifp_cache.c'; then $(CYGPATH_W) 'src/responder/ifp/ifp_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/ifp/ifp_cache.c'; fi` + +src/responder/common/sssd_ifp-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Tpo -c -o src/responder/common/sssd_ifp-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/sssd_ifp-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/sssd_ifp-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Tpo -c -o src/responder/common/sssd_ifp-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/sssd_ifp-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 
'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/sssd_ifp-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Tpo -c -o src/responder/common/sssd_ifp-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/sssd_ifp-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/sssd_ifp-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Tpo -c -o src/responder/common/sssd_ifp-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/sssd_ifp-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/sssd_ifp-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Tpo -c -o src/responder/common/sssd_ifp-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/sssd_ifp-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/sssd_ifp-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Tpo -c -o src/responder/common/sssd_ifp-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/sssd_ifp-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/sssd_ifp-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Tpo -c -o src/responder/common/sssd_ifp-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' 
object='src/responder/common/sssd_ifp-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/sssd_ifp-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Tpo -c -o src/responder/common/sssd_ifp-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/sssd_ifp-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/sssd_ifp-responder_dp.o: 
src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_dp.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Tpo -c -o src/responder/common/sssd_ifp-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/sssd_ifp-responder_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c + +src/responder/common/sssd_ifp-responder_dp.obj: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_dp.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Tpo -c -o src/responder/common/sssd_ifp-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' 
object='src/responder/common/sssd_ifp-responder_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` + +src/responder/common/sssd_ifp-responder_dp_ssh.o: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_dp_ssh.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Tpo -c -o src/responder/common/sssd_ifp-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/sssd_ifp-responder_dp_ssh.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c + +src/responder/common/sssd_ifp-responder_dp_ssh.obj: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_dp_ssh.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Tpo -c -o src/responder/common/sssd_ifp-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/sssd_ifp-responder_dp_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` + +src/responder/common/sssd_ifp-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Tpo -c -o src/responder/common/sssd_ifp-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/sssd_ifp-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/sssd_ifp-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Tpo -c -o src/responder/common/sssd_ifp-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/sssd_ifp-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + 
+src/responder/common/sssd_ifp-responder_get_domains.o: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_get_domains.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Tpo -c -o src/responder/common/sssd_ifp-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/sssd_ifp-responder_get_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c + +src/responder/common/sssd_ifp-responder_get_domains.obj: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_get_domains.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Tpo -c -o src/responder/common/sssd_ifp-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/sssd_ifp-responder_get_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` + +src/responder/common/sssd_ifp-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Tpo -c -o src/responder/common/sssd_ifp-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/sssd_ifp-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/sssd_ifp-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/sssd_ifp-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_ifp-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Tpo -c -o src/responder/common/sssd_ifp-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Tpo src/responder/common/$(DEPDIR)/sssd_ifp-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/sssd_ifp-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_ifp-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/responder/common/data_provider/sssd_ifp-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_ifp-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Tpo -c -o 
src/responder/common/data_provider/sssd_ifp-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/sssd_ifp-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_ifp-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/sssd_ifp-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_ifp-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Tpo -c -o src/responder/common/data_provider/sssd_ifp-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' 
object='src/responder/common/data_provider/sssd_ifp-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_ifp-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/sssd_ifp-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_ifp-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Tpo -c -o src/responder/common/data_provider/sssd_ifp-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/sssd_ifp-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_ifp-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo 
'$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/sssd_ifp-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_ifp-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Tpo -c -o src/responder/common/data_provider/sssd_ifp-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_ifp-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/sssd_ifp-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_ifp-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/monitor/sssd_ifp-monitor_iface_generated.o: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/monitor/sssd_ifp-monitor_iface_generated.o -MD -MP -MF src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Tpo -c -o 
src/monitor/sssd_ifp-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/sssd_ifp-monitor_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/monitor/sssd_ifp-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c + +src/monitor/sssd_ifp-monitor_iface_generated.obj: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/monitor/sssd_ifp-monitor_iface_generated.obj -MD -MP -MF src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Tpo -c -o src/monitor/sssd_ifp-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/sssd_ifp-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/sssd_ifp-monitor_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/monitor/sssd_ifp-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` + +src/providers/sssd_ifp-data_provider_req.o: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/providers/sssd_ifp-data_provider_req.o -MD -MP -MF src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Tpo -c -o src/providers/sssd_ifp-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Tpo src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/sssd_ifp-data_provider_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/providers/sssd_ifp-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c + +src/providers/sssd_ifp-data_provider_req.obj: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/providers/sssd_ifp-data_provider_req.obj -MD -MP -MF src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Tpo -c -o src/providers/sssd_ifp-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/data_provider_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Tpo src/providers/$(DEPDIR)/sssd_ifp-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/sssd_ifp-data_provider_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/providers/sssd_ifp-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` + +src/util/sssd_ifp-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/util/sssd_ifp-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/sssd_ifp-session_recording.Tpo -c -o src/util/sssd_ifp-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_ifp-session_recording.Tpo src/util/$(DEPDIR)/sssd_ifp-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/sssd_ifp-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/util/sssd_ifp-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/sssd_ifp-session_recording.obj: 
src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/util/sssd_ifp-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_ifp-session_recording.Tpo -c -o src/util/sssd_ifp-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_ifp-session_recording.Tpo src/util/$(DEPDIR)/sssd_ifp-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/sssd_ifp-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/util/sssd_ifp-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/iface/sssd_ifp-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/sssd_ifp-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/sssd_ifp-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/sssd_ifp-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 
'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/sssd_ifp-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/sssd_ifp-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/sssd_ifp-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then 
$(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/sssd_ifp-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/sssd_ifp-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/sssd_ifp-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/sssd_ifp-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/sssd_ifp-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/sssd_ifp-responder_iface_generated.o: 
src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/sssd_ifp-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/sssd_ifp-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_ifp-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Tpo -c -o src/responder/common/iface/sssd_ifp-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 
'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/sssd_ifp-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/sssd_ifp-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_ifp-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/responder/common/cache_req/sssd_ifp-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/sssd_ifp-cache_req.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/sssd_ifp-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/sssd_ifp-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/sssd_ifp-cache_req_result.o: 
src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/sssd_ifp-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/sssd_ifp-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/sssd_ifp-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + 
+src/responder/common/cache_req/sssd_ifp-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/sssd_ifp-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/sssd_ifp-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/sssd_ifp-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + 
+src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.obj `if test -f 
'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_ifp-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_ifp-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.o: 
src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Tpo -c -o 
src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; 
then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + 
+src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' 
object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.o 
`test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_object_by_id.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_ifp-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_ifp_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_ifp-cache_req_host_by_name.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/responder/kcm/sssd_kcm-kcm.o: src/responder/kcm/kcm.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcm.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Tpo -c -o src/responder/kcm/sssd_kcm-kcm.o `test -f 'src/responder/kcm/kcm.c' || echo '$(srcdir)/'`src/responder/kcm/kcm.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcm.c' object='src/responder/kcm/sssd_kcm-kcm.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcm.o `test -f 'src/responder/kcm/kcm.c' || echo '$(srcdir)/'`src/responder/kcm/kcm.c + +src/responder/kcm/sssd_kcm-kcm.obj: src/responder/kcm/kcm.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcm.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Tpo -c -o src/responder/kcm/sssd_kcm-kcm.obj `if test -f 'src/responder/kcm/kcm.c'; then $(CYGPATH_W) 'src/responder/kcm/kcm.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcm.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcm.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcm.c' 
object='src/responder/kcm/sssd_kcm-kcm.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcm.obj `if test -f 'src/responder/kcm/kcm.c'; then $(CYGPATH_W) 'src/responder/kcm/kcm.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcm.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_cmd.o: src/responder/kcm/kcmsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_cmd.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_cmd.o `test -f 'src/responder/kcm/kcmsrv_cmd.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_cmd.c' object='src/responder/kcm/sssd_kcm-kcmsrv_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_cmd.o `test -f 'src/responder/kcm/kcmsrv_cmd.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_cmd.c + +src/responder/kcm/sssd_kcm-kcmsrv_cmd.obj: src/responder/kcm/kcmsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_cmd.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Tpo -c -o 
src/responder/kcm/sssd_kcm-kcmsrv_cmd.obj `if test -f 'src/responder/kcm/kcmsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_cmd.c' object='src/responder/kcm/sssd_kcm-kcmsrv_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_cmd.obj `if test -f 'src/responder/kcm/kcmsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_cmd.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_ccache.o: src/responder/kcm/kcmsrv_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache.o `test -f 'src/responder/kcm/kcmsrv_ccache.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) 
$(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache.o `test -f 'src/responder/kcm/kcmsrv_ccache.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache.c + +src/responder/kcm/sssd_kcm-kcmsrv_ccache.obj: src/responder/kcm/kcmsrv_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache.obj `if test -f 'src/responder/kcm/kcmsrv_ccache.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache.obj `if test -f 'src/responder/kcm/kcmsrv_ccache.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.o: src/responder/kcm/kcmsrv_ccache_mem.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.o `test -f 'src/responder/kcm/kcmsrv_ccache_mem.c' || echo 
'$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_mem.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_mem.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.o `test -f 'src/responder/kcm/kcmsrv_ccache_mem.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_mem.c + +src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.obj: src/responder/kcm/kcmsrv_ccache_mem.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_mem.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_mem.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_mem.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_mem.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_mem.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o 
src/responder/kcm/sssd_kcm-kcmsrv_ccache_mem.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_mem.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_mem.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_mem.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.o: src/responder/kcm/kcmsrv_ccache_json.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.o `test -f 'src/responder/kcm/kcmsrv_ccache_json.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_json.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_json.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.o `test -f 'src/responder/kcm/kcmsrv_ccache_json.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_json.c + +src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.obj: src/responder/kcm/kcmsrv_ccache_json.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_json.c'; then $(CYGPATH_W) 
'src/responder/kcm/kcmsrv_ccache_json.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_json.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_json.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_json.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_json.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_json.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_json.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_json.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.o: src/responder/kcm/kcmsrv_ccache_secrets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.o `test -f 'src/responder/kcm/kcmsrv_ccache_secrets.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_secrets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_secrets.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.o `test -f 'src/responder/kcm/kcmsrv_ccache_secrets.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_secrets.c + +src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.obj: src/responder/kcm/kcmsrv_ccache_secrets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_secrets.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_secrets.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_secrets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ccache_secrets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_secrets.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ccache_secrets.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_secrets.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_secrets.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_secrets.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_ops.o: src/responder/kcm/kcmsrv_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ops.o -MD -MP -MF 
src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ops.o `test -f 'src/responder/kcm/kcmsrv_ops.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ops.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ops.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ops.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_ops.o `test -f 'src/responder/kcm/kcmsrv_ops.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ops.c + +src/responder/kcm/sssd_kcm-kcmsrv_ops.obj: src/responder/kcm/kcmsrv_ops.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_ops.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_ops.obj `if test -f 'src/responder/kcm/kcmsrv_ops.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ops.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_ops.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ops.c' object='src/responder/kcm/sssd_kcm-kcmsrv_ops.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o 
src/responder/kcm/sssd_kcm-kcmsrv_ops.obj `if test -f 'src/responder/kcm/kcmsrv_ops.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ops.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ops.c'; fi` + +src/responder/kcm/sssd_kcm-kcmsrv_op_queue.o: src/responder/kcm/kcmsrv_op_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_op_queue.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_op_queue.o `test -f 'src/responder/kcm/kcmsrv_op_queue.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_op_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_op_queue.c' object='src/responder/kcm/sssd_kcm-kcmsrv_op_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_op_queue.o `test -f 'src/responder/kcm/kcmsrv_op_queue.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_op_queue.c + +src/responder/kcm/sssd_kcm-kcmsrv_op_queue.obj: src/responder/kcm/kcmsrv_op_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/kcm/sssd_kcm-kcmsrv_op_queue.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Tpo -c -o src/responder/kcm/sssd_kcm-kcmsrv_op_queue.obj `if test -f 'src/responder/kcm/kcmsrv_op_queue.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_op_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_op_queue.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Tpo src/responder/kcm/$(DEPDIR)/sssd_kcm-kcmsrv_op_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_op_queue.c' object='src/responder/kcm/sssd_kcm-kcmsrv_op_queue.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/sssd_kcm-kcmsrv_op_queue.obj `if test -f 'src/responder/kcm/kcmsrv_op_queue.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_op_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_op_queue.c'; fi` + +src/util/sssd_kcm-sss_sockets.o: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-sss_sockets.o -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Tpo -c -o src/util/sssd_kcm-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Tpo src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/sssd_kcm-sss_sockets.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-sss_sockets.o `test -f 'src/util/sss_sockets.c' || echo '$(srcdir)/'`src/util/sss_sockets.c + +src/util/sssd_kcm-sss_sockets.obj: src/util/sss_sockets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-sss_sockets.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Tpo -c -o src/util/sssd_kcm-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Tpo src/util/$(DEPDIR)/sssd_kcm-sss_sockets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_sockets.c' object='src/util/sssd_kcm-sss_sockets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-sss_sockets.obj `if test -f 'src/util/sss_sockets.c'; then $(CYGPATH_W) 'src/util/sss_sockets.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_sockets.c'; fi` + +src/util/sssd_kcm-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Tpo -c -o src/util/sssd_kcm-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Tpo src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/sssd_kcm-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + 
+src/util/sssd_kcm-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Tpo -c -o src/util/sssd_kcm-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Tpo src/util/$(DEPDIR)/sssd_kcm-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/sssd_kcm-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/sssd_kcm-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Tpo -c -o src/util/sssd_kcm-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Tpo src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/sssd_kcm-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) 
$(CFLAGS) -c -o src/util/sssd_kcm-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/sssd_kcm-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Tpo -c -o src/util/sssd_kcm-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Tpo src/util/$(DEPDIR)/sssd_kcm-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/sssd_kcm-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/util/sssd_kcm-tev_curl.o: src/util/tev_curl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-tev_curl.o -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-tev_curl.Tpo -c -o src/util/sssd_kcm-tev_curl.o `test -f 'src/util/tev_curl.c' || echo '$(srcdir)/'`src/util/tev_curl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-tev_curl.Tpo src/util/$(DEPDIR)/sssd_kcm-tev_curl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/tev_curl.c' object='src/util/sssd_kcm-tev_curl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-tev_curl.o `test -f 'src/util/tev_curl.c' || echo '$(srcdir)/'`src/util/tev_curl.c + +src/util/sssd_kcm-tev_curl.obj: src/util/tev_curl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-tev_curl.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-tev_curl.Tpo -c -o src/util/sssd_kcm-tev_curl.obj `if test -f 'src/util/tev_curl.c'; then $(CYGPATH_W) 'src/util/tev_curl.c'; else $(CYGPATH_W) '$(srcdir)/src/util/tev_curl.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-tev_curl.Tpo src/util/$(DEPDIR)/sssd_kcm-tev_curl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/tev_curl.c' object='src/util/sssd_kcm-tev_curl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-tev_curl.obj `if test -f 'src/util/tev_curl.c'; then $(CYGPATH_W) 'src/util/tev_curl.c'; else $(CYGPATH_W) '$(srcdir)/src/util/tev_curl.c'; fi` + +src/responder/common/sssd_kcm-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Tpo -c -o src/responder/common/sssd_kcm-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Tpo 
src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/sssd_kcm-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/sssd_kcm-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Tpo -c -o src/responder/common/sssd_kcm-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/sssd_kcm-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/sssd_kcm-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Tpo -c -o src/responder/common/sssd_kcm-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/sssd_kcm-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/sssd_kcm-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Tpo -c -o src/responder/common/sssd_kcm-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' 
object='src/responder/common/sssd_kcm-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/sssd_kcm-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Tpo -c -o src/responder/common/sssd_kcm-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/sssd_kcm-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/sssd_kcm-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT 
src/responder/common/sssd_kcm-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Tpo -c -o src/responder/common/sssd_kcm-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/sssd_kcm-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/sssd_kcm-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Tpo -c -o src/responder/common/sssd_kcm-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/sssd_kcm-responder_common.o' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/sssd_kcm-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Tpo -c -o src/responder/common/sssd_kcm-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/sssd_kcm-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/sssd_kcm-responder_dp.o: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_dp.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Tpo -c -o src/responder/common/sssd_kcm-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/sssd_kcm-responder_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c + +src/responder/common/sssd_kcm-responder_dp.obj: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_dp.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Tpo -c -o src/responder/common/sssd_kcm-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/sssd_kcm-responder_dp.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` + +src/responder/common/sssd_kcm-responder_dp_ssh.o: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_dp_ssh.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Tpo -c -o src/responder/common/sssd_kcm-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/sssd_kcm-responder_dp_ssh.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c + +src/responder/common/sssd_kcm-responder_dp_ssh.obj: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT 
src/responder/common/sssd_kcm-responder_dp_ssh.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Tpo -c -o src/responder/common/sssd_kcm-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/sssd_kcm-responder_dp_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` + +src/responder/common/sssd_kcm-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Tpo -c -o src/responder/common/sssd_kcm-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' 
object='src/responder/common/sssd_kcm-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/sssd_kcm-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Tpo -c -o src/responder/common/sssd_kcm-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/sssd_kcm-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/sssd_kcm-responder_get_domains.o: 
src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_get_domains.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Tpo -c -o src/responder/common/sssd_kcm-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/sssd_kcm-responder_get_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c + +src/responder/common/sssd_kcm-responder_get_domains.obj: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_get_domains.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Tpo -c -o src/responder/common/sssd_kcm-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/sssd_kcm-responder_get_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` + +src/responder/common/sssd_kcm-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Tpo -c -o src/responder/common/sssd_kcm-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/sssd_kcm-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_utils.o `test -f 
'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/sssd_kcm-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_kcm-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Tpo -c -o src/responder/common/sssd_kcm-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Tpo src/responder/common/$(DEPDIR)/sssd_kcm-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/sssd_kcm-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_kcm-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/responder/common/data_provider/sssd_kcm-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_kcm-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Tpo -c -o src/responder/common/data_provider/sssd_kcm-rdp_message.o `test -f 
'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/sssd_kcm-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_kcm-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/sssd_kcm-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_kcm-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Tpo -c -o src/responder/common/data_provider/sssd_kcm-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/sssd_kcm-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_kcm-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/sssd_kcm-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_kcm-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Tpo -c -o src/responder/common/data_provider/sssd_kcm-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/sssd_kcm-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_kcm-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/sssd_kcm-rdp_client.obj: 
src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_kcm-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Tpo -c -o src/responder/common/data_provider/sssd_kcm-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_kcm-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/sssd_kcm-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_kcm-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/monitor/sssd_kcm-monitor_iface_generated.o: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/monitor/sssd_kcm-monitor_iface_generated.o -MD -MP -MF src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Tpo -c -o src/monitor/sssd_kcm-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo 
'$(srcdir)/'`src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/sssd_kcm-monitor_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/monitor/sssd_kcm-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c + +src/monitor/sssd_kcm-monitor_iface_generated.obj: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/monitor/sssd_kcm-monitor_iface_generated.obj -MD -MP -MF src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Tpo -c -o src/monitor/sssd_kcm-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/sssd_kcm-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/sssd_kcm-monitor_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o 
src/monitor/sssd_kcm-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` + +src/providers/sssd_kcm-data_provider_req.o: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/providers/sssd_kcm-data_provider_req.o -MD -MP -MF src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Tpo -c -o src/providers/sssd_kcm-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Tpo src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/sssd_kcm-data_provider_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/providers/sssd_kcm-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c + +src/providers/sssd_kcm-data_provider_req.obj: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/providers/sssd_kcm-data_provider_req.obj -MD -MP -MF src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Tpo -c -o src/providers/sssd_kcm-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Tpo src/providers/$(DEPDIR)/sssd_kcm-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/sssd_kcm-data_provider_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/providers/sssd_kcm-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` + +src/util/sssd_kcm-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-session_recording.Tpo -c -o src/util/sssd_kcm-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-session_recording.Tpo src/util/$(DEPDIR)/sssd_kcm-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/sssd_kcm-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/sssd_kcm-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/util/sssd_kcm-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_kcm-session_recording.Tpo -c -o src/util/sssd_kcm-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_kcm-session_recording.Tpo src/util/$(DEPDIR)/sssd_kcm-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/sssd_kcm-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/util/sssd_kcm-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/iface/sssd_kcm-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' 
object='src/responder/common/iface/sssd_kcm-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/sssd_kcm-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/sssd_kcm-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/sssd_kcm-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/sssd_kcm-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/sssd_kcm-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/sssd_kcm-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/sssd_kcm-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/sssd_kcm-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/sssd_kcm-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/sssd_kcm-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/sssd_kcm-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/sssd_kcm-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/sssd_kcm-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_kcm-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Tpo -c -o src/responder/common/iface/sssd_kcm-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/sssd_kcm-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/sssd_kcm-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_kcm-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/responder/common/cache_req/sssd_kcm-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/sssd_kcm-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/sssd_kcm-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/sssd_kcm-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/sssd_kcm-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/sssd_kcm-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/sssd_kcm-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/sssd_kcm-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/sssd_kcm-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/sssd_kcm-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/sssd_kcm-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/sssd_kcm-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_kcm-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_kcm-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' 
object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/sssd_kcm-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.obj: 
src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + 
+src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' 
object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || 
echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.o: 
src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Tpo 
-c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_id.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) 
-c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` 
+ +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' 
object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' 
object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_kcm-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_kcm_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_kcm-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/responder/pac/sssd_pac-pacsrv.o: src/responder/pac/pacsrv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/pac/sssd_pac-pacsrv.o -MD -MP -MF src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Tpo -c -o src/responder/pac/sssd_pac-pacsrv.o `test -f 'src/responder/pac/pacsrv.c' || echo '$(srcdir)/'`src/responder/pac/pacsrv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Tpo src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pac/pacsrv.c' object='src/responder/pac/sssd_pac-pacsrv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/pac/sssd_pac-pacsrv.o `test -f 'src/responder/pac/pacsrv.c' || echo '$(srcdir)/'`src/responder/pac/pacsrv.c + +src/responder/pac/sssd_pac-pacsrv.obj: src/responder/pac/pacsrv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/pac/sssd_pac-pacsrv.obj -MD -MP -MF src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Tpo -c -o src/responder/pac/sssd_pac-pacsrv.obj `if test -f 'src/responder/pac/pacsrv.c'; then $(CYGPATH_W) 'src/responder/pac/pacsrv.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pac/pacsrv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Tpo src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pac/pacsrv.c' 
object='src/responder/pac/sssd_pac-pacsrv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/pac/sssd_pac-pacsrv.obj `if test -f 'src/responder/pac/pacsrv.c'; then $(CYGPATH_W) 'src/responder/pac/pacsrv.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pac/pacsrv.c'; fi` + +src/responder/pac/sssd_pac-pacsrv_cmd.o: src/responder/pac/pacsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/pac/sssd_pac-pacsrv_cmd.o -MD -MP -MF src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Tpo -c -o src/responder/pac/sssd_pac-pacsrv_cmd.o `test -f 'src/responder/pac/pacsrv_cmd.c' || echo '$(srcdir)/'`src/responder/pac/pacsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Tpo src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pac/pacsrv_cmd.c' object='src/responder/pac/sssd_pac-pacsrv_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/pac/sssd_pac-pacsrv_cmd.o `test -f 'src/responder/pac/pacsrv_cmd.c' || echo '$(srcdir)/'`src/responder/pac/pacsrv_cmd.c + +src/responder/pac/sssd_pac-pacsrv_cmd.obj: src/responder/pac/pacsrv_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/pac/sssd_pac-pacsrv_cmd.obj -MD -MP -MF src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Tpo -c -o 
src/responder/pac/sssd_pac-pacsrv_cmd.obj `if test -f 'src/responder/pac/pacsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/pac/pacsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pac/pacsrv_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Tpo src/responder/pac/$(DEPDIR)/sssd_pac-pacsrv_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/pac/pacsrv_cmd.c' object='src/responder/pac/sssd_pac-pacsrv_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/pac/sssd_pac-pacsrv_cmd.obj `if test -f 'src/responder/pac/pacsrv_cmd.c'; then $(CYGPATH_W) 'src/responder/pac/pacsrv_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/pac/pacsrv_cmd.c'; fi` + +src/providers/ad/sssd_pac-ad_pac_common.o: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/providers/ad/sssd_pac-ad_pac_common.o -MD -MP -MF src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Tpo -c -o src/providers/ad/sssd_pac-ad_pac_common.o `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/sssd_pac-ad_pac_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o 
src/providers/ad/sssd_pac-ad_pac_common.o `test -f 'src/providers/ad/ad_pac_common.c' || echo '$(srcdir)/'`src/providers/ad/ad_pac_common.c + +src/providers/ad/sssd_pac-ad_pac_common.obj: src/providers/ad/ad_pac_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/providers/ad/sssd_pac-ad_pac_common.obj -MD -MP -MF src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Tpo -c -o src/providers/ad/sssd_pac-ad_pac_common.obj `if test -f 'src/providers/ad/ad_pac_common.c'; then $(CYGPATH_W) 'src/providers/ad/ad_pac_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_pac_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Tpo src/providers/ad/$(DEPDIR)/sssd_pac-ad_pac_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ad/ad_pac_common.c' object='src/providers/ad/sssd_pac-ad_pac_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/providers/ad/sssd_pac-ad_pac_common.obj `if test -f 'src/providers/ad/ad_pac_common.c'; then $(CYGPATH_W) 'src/providers/ad/ad_pac_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ad/ad_pac_common.c'; fi` + +src/responder/common/sssd_pac-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Tpo -c -o src/responder/common/sssd_pac-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Tpo src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/sssd_pac-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/sssd_pac-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Tpo -c -o src/responder/common/sssd_pac-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Tpo src/responder/common/$(DEPDIR)/sssd_pac-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/sssd_pac-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then 
$(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/sssd_pac-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-negcache.Tpo -c -o src/responder/common/sssd_pac-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-negcache.Tpo src/responder/common/$(DEPDIR)/sssd_pac-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/sssd_pac-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/sssd_pac-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-negcache.Tpo -c -o src/responder/common/sssd_pac-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-negcache.Tpo src/responder/common/$(DEPDIR)/sssd_pac-negcache.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/sssd_pac-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/sssd_pac-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Tpo -c -o src/responder/common/sssd_pac-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/sssd_pac-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/sssd_pac-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Tpo -c -o src/responder/common/sssd_pac-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/sssd_pac-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/sssd_pac-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Tpo -c -o src/responder/common/sssd_pac-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/sssd_pac-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/sssd_pac-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Tpo -c -o src/responder/common/sssd_pac-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/sssd_pac-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + 
+src/responder/common/sssd_pac-responder_dp.o: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_dp.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Tpo -c -o src/responder/common/sssd_pac-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/sssd_pac-responder_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c + +src/responder/common/sssd_pac-responder_dp.obj: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_dp.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Tpo -c -o src/responder/common/sssd_pac-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/sssd_pac-responder_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` + +src/responder/common/sssd_pac-responder_dp_ssh.o: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_dp_ssh.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Tpo -c -o src/responder/common/sssd_pac-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/sssd_pac-responder_dp_ssh.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c + +src/responder/common/sssd_pac-responder_dp_ssh.obj: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_dp_ssh.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Tpo -c -o src/responder/common/sssd_pac-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/sssd_pac-responder_dp_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` + +src/responder/common/sssd_pac-responder_packet.o: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Tpo -c -o src/responder/common/sssd_pac-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Tpo 
src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/sssd_pac-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/sssd_pac-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Tpo -c -o src/responder/common/sssd_pac-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/sssd_pac-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 
'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/sssd_pac-responder_get_domains.o: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_get_domains.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Tpo -c -o src/responder/common/sssd_pac-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/sssd_pac-responder_get_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c + +src/responder/common/sssd_pac-responder_get_domains.obj: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_get_domains.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Tpo -c -o src/responder/common/sssd_pac-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 
'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/sssd_pac-responder_get_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` + +src/responder/common/sssd_pac-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Tpo -c -o src/responder/common/sssd_pac-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/sssd_pac-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/sssd_pac-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/sssd_pac-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Tpo -c -o src/responder/common/sssd_pac-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Tpo src/responder/common/$(DEPDIR)/sssd_pac-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/sssd_pac-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/sssd_pac-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/responder/common/data_provider/sssd_pac-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_pac-rdp_message.o -MD -MP -MF 
src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Tpo -c -o src/responder/common/data_provider/sssd_pac-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/sssd_pac-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_pac-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/sssd_pac-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_pac-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Tpo -c -o src/responder/common/data_provider/sssd_pac-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/sssd_pac-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_pac-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/sssd_pac-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_pac-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Tpo -c -o src/responder/common/data_provider/sssd_pac-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/sssd_pac-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_pac-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' 
|| echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/sssd_pac-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/sssd_pac-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Tpo -c -o src/responder/common/data_provider/sssd_pac-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/sssd_pac-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/sssd_pac-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/sssd_pac-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/monitor/sssd_pac-monitor_iface_generated.o: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/monitor/sssd_pac-monitor_iface_generated.o -MD -MP -MF src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Tpo -c -o 
src/monitor/sssd_pac-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/sssd_pac-monitor_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/monitor/sssd_pac-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c + +src/monitor/sssd_pac-monitor_iface_generated.obj: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/monitor/sssd_pac-monitor_iface_generated.obj -MD -MP -MF src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Tpo -c -o src/monitor/sssd_pac-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/sssd_pac-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/sssd_pac-monitor_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/monitor/sssd_pac-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` + +src/providers/sssd_pac-data_provider_req.o: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/providers/sssd_pac-data_provider_req.o -MD -MP -MF src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Tpo -c -o src/providers/sssd_pac-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Tpo src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/sssd_pac-data_provider_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/providers/sssd_pac-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c + +src/providers/sssd_pac-data_provider_req.obj: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/providers/sssd_pac-data_provider_req.obj -MD -MP -MF src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Tpo -c -o src/providers/sssd_pac-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/data_provider_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Tpo src/providers/$(DEPDIR)/sssd_pac-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/sssd_pac-data_provider_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/providers/sssd_pac-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` + +src/util/sssd_pac-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/util/sssd_pac-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/sssd_pac-session_recording.Tpo -c -o src/util/sssd_pac-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_pac-session_recording.Tpo src/util/$(DEPDIR)/sssd_pac-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/sssd_pac-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/util/sssd_pac-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/sssd_pac-session_recording.obj: 
src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/util/sssd_pac-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_pac-session_recording.Tpo -c -o src/util/sssd_pac-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_pac-session_recording.Tpo src/util/$(DEPDIR)/sssd_pac-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/sssd_pac-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/util/sssd_pac-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/iface/sssd_pac-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Tpo -c -o src/responder/common/iface/sssd_pac-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/sssd_pac-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/sssd_pac-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Tpo -c -o src/responder/common/iface/sssd_pac-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/sssd_pac-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 
'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/sssd_pac-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_domain.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Tpo -c -o src/responder/common/iface/sssd_pac-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/sssd_pac-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/sssd_pac-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Tpo -c -o src/responder/common/iface/sssd_pac-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then 
$(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/sssd_pac-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/sssd_pac-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Tpo -c -o src/responder/common/iface/sssd_pac-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/sssd_pac-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/sssd_pac-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Tpo -c -o src/responder/common/iface/sssd_pac-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/sssd_pac-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/sssd_pac-responder_iface_generated.o: 
src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Tpo -c -o src/responder/common/iface/sssd_pac-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/sssd_pac-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/sssd_pac-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/sssd_pac-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Tpo -c -o src/responder/common/iface/sssd_pac-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 
'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/sssd_pac-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/sssd_pac-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/sssd_pac-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/responder/common/cache_req/sssd_pac-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/sssd_pac-cache_req.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/sssd_pac-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/sssd_pac-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + +src/responder/common/cache_req/sssd_pac-cache_req_result.o: 
src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/sssd_pac-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/sssd_pac-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/sssd_pac-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/sssd_pac-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/sssd_pac-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/sssd_pac-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/sssd_pac-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + 
+src/responder/common/cache_req/sssd_pac-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/sssd_pac-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/sssd_pac-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/sssd_pac-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/sssd_pac-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/sssd_pac-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/sssd_pac-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/sssd_pac-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + 
+src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + +src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.obj `if test -f 
'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/sssd_pac-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/sssd_pac-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.o: 
src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Tpo -c -o 
src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; 
then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + 
+src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.obj -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.o `test -f 
'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' 
object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.o 
`test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_object_by_id.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/sssd_pac-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/sssd_pac-cache_req_host_by_name.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/sss_client/sssd_pac_test_client-sss_pac_responder_client.o: src/sss_client/sss_pac_responder_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_pac_test_client-sss_pac_responder_client.o -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Tpo -c -o src/sss_client/sssd_pac_test_client-sss_pac_responder_client.o `test -f 'src/sss_client/sss_pac_responder_client.c' || echo '$(srcdir)/'`src/sss_client/sss_pac_responder_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Tpo src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sss_pac_responder_client.c' object='src/sss_client/sssd_pac_test_client-sss_pac_responder_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_pac_test_client-sss_pac_responder_client.o `test -f 'src/sss_client/sss_pac_responder_client.c' || echo '$(srcdir)/'`src/sss_client/sss_pac_responder_client.c + +src/sss_client/sssd_pac_test_client-sss_pac_responder_client.obj: src/sss_client/sss_pac_responder_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_pac_test_client-sss_pac_responder_client.obj -MD 
-MP -MF src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Tpo -c -o src/sss_client/sssd_pac_test_client-sss_pac_responder_client.obj `if test -f 'src/sss_client/sss_pac_responder_client.c'; then $(CYGPATH_W) 'src/sss_client/sss_pac_responder_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sss_pac_responder_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Tpo src/sss_client/$(DEPDIR)/sssd_pac_test_client-sss_pac_responder_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/sss_pac_responder_client.c' object='src/sss_client/sssd_pac_test_client-sss_pac_responder_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_pac_test_client-sss_pac_responder_client.obj `if test -f 'src/sss_client/sss_pac_responder_client.c'; then $(CYGPATH_W) 'src/sss_client/sss_pac_responder_client.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/sss_pac_responder_client.c'; fi` + +src/sss_client/sssd_pac_test_client-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_pac_test_client-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Tpo -c -o src/sss_client/sssd_pac_test_client-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Tpo src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' 
object='src/sss_client/sssd_pac_test_client-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_pac_test_client-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/sssd_pac_test_client-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -MT src/sss_client/sssd_pac_test_client-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Tpo -c -o src/sss_client/sssd_pac_test_client-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Tpo src/sss_client/$(DEPDIR)/sssd_pac_test_client-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/sssd_pac_test_client-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -c -o src/sss_client/sssd_pac_test_client-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/util/sssd_pac_test_client-strtonum.o: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -MT 
src/util/sssd_pac_test_client-strtonum.o -MD -MP -MF src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Tpo -c -o src/util/sssd_pac_test_client-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Tpo src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/sssd_pac_test_client-strtonum.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -c -o src/util/sssd_pac_test_client-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c + +src/util/sssd_pac_test_client-strtonum.obj: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -MT src/util/sssd_pac_test_client-strtonum.obj -MD -MP -MF src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Tpo -c -o src/util/sssd_pac_test_client-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Tpo src/util/$(DEPDIR)/sssd_pac_test_client-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/sssd_pac_test_client-strtonum.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sssd_pac_test_client_CFLAGS) $(CFLAGS) -c -o src/util/sssd_pac_test_client-strtonum.obj 
`if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` + +src/tests/strtonum_tests-strtonum-tests.o: src/tests/strtonum-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -MT src/tests/strtonum_tests-strtonum-tests.o -MD -MP -MF src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Tpo -c -o src/tests/strtonum_tests-strtonum-tests.o `test -f 'src/tests/strtonum-tests.c' || echo '$(srcdir)/'`src/tests/strtonum-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Tpo src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/strtonum-tests.c' object='src/tests/strtonum_tests-strtonum-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -c -o src/tests/strtonum_tests-strtonum-tests.o `test -f 'src/tests/strtonum-tests.c' || echo '$(srcdir)/'`src/tests/strtonum-tests.c + +src/tests/strtonum_tests-strtonum-tests.obj: src/tests/strtonum-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -MT src/tests/strtonum_tests-strtonum-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Tpo -c -o src/tests/strtonum_tests-strtonum-tests.obj `if test -f 'src/tests/strtonum-tests.c'; then $(CYGPATH_W) 'src/tests/strtonum-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/strtonum-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Tpo src/tests/$(DEPDIR)/strtonum_tests-strtonum-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/strtonum-tests.c' object='src/tests/strtonum_tests-strtonum-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -c -o src/tests/strtonum_tests-strtonum-tests.obj `if test -f 'src/tests/strtonum-tests.c'; then $(CYGPATH_W) 'src/tests/strtonum-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/strtonum-tests.c'; fi` + +src/util/strtonum_tests-strtonum.o: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -MT src/util/strtonum_tests-strtonum.o -MD -MP -MF src/util/$(DEPDIR)/strtonum_tests-strtonum.Tpo -c -o src/util/strtonum_tests-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/strtonum_tests-strtonum.Tpo src/util/$(DEPDIR)/strtonum_tests-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/strtonum_tests-strtonum.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -c -o src/util/strtonum_tests-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c + +src/util/strtonum_tests-strtonum.obj: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -MT src/util/strtonum_tests-strtonum.obj -MD -MP -MF src/util/$(DEPDIR)/strtonum_tests-strtonum.Tpo -c -o src/util/strtonum_tests-strtonum.obj `if test -f 
'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/strtonum_tests-strtonum.Tpo src/util/$(DEPDIR)/strtonum_tests-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/strtonum_tests-strtonum.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(strtonum_tests_CFLAGS) $(CFLAGS) -c -o src/util/strtonum_tests-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` + +src/tests/sysdb_tests-sysdb-tests.o: src/tests/sysdb-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_tests_CFLAGS) $(CFLAGS) -MT src/tests/sysdb_tests-sysdb-tests.o -MD -MP -MF src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Tpo -c -o src/tests/sysdb_tests-sysdb-tests.o `test -f 'src/tests/sysdb-tests.c' || echo '$(srcdir)/'`src/tests/sysdb-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Tpo src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sysdb-tests.c' object='src/tests/sysdb_tests-sysdb-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sysdb_tests-sysdb-tests.o `test -f 'src/tests/sysdb-tests.c' || echo '$(srcdir)/'`src/tests/sysdb-tests.c + +src/tests/sysdb_tests-sysdb-tests.obj: src/tests/sysdb-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_tests_CFLAGS) $(CFLAGS) -MT src/tests/sysdb_tests-sysdb-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Tpo -c -o src/tests/sysdb_tests-sysdb-tests.obj `if test -f 'src/tests/sysdb-tests.c'; then $(CYGPATH_W) 'src/tests/sysdb-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sysdb-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Tpo src/tests/$(DEPDIR)/sysdb_tests-sysdb-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sysdb-tests.c' object='src/tests/sysdb_tests-sysdb-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sysdb_tests-sysdb-tests.obj `if test -f 'src/tests/sysdb-tests.c'; then $(CYGPATH_W) 'src/tests/sysdb-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sysdb-tests.c'; fi` + +src/tests/sysdb_ssh_tests-sysdb_ssh-tests.o: src/tests/sysdb_ssh-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_ssh_tests_CFLAGS) $(CFLAGS) -MT src/tests/sysdb_ssh_tests-sysdb_ssh-tests.o -MD -MP -MF src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Tpo -c -o src/tests/sysdb_ssh_tests-sysdb_ssh-tests.o `test -f 'src/tests/sysdb_ssh-tests.c' || echo '$(srcdir)/'`src/tests/sysdb_ssh-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Tpo src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sysdb_ssh-tests.c' object='src/tests/sysdb_ssh_tests-sysdb_ssh-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_ssh_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sysdb_ssh_tests-sysdb_ssh-tests.o `test -f 'src/tests/sysdb_ssh-tests.c' || echo '$(srcdir)/'`src/tests/sysdb_ssh-tests.c + +src/tests/sysdb_ssh_tests-sysdb_ssh-tests.obj: src/tests/sysdb_ssh-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_ssh_tests_CFLAGS) $(CFLAGS) -MT src/tests/sysdb_ssh_tests-sysdb_ssh-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Tpo -c -o src/tests/sysdb_ssh_tests-sysdb_ssh-tests.obj `if test -f 'src/tests/sysdb_ssh-tests.c'; then $(CYGPATH_W) 'src/tests/sysdb_ssh-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sysdb_ssh-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Tpo src/tests/$(DEPDIR)/sysdb_ssh_tests-sysdb_ssh-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/sysdb_ssh-tests.c' object='src/tests/sysdb_ssh_tests-sysdb_ssh-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(sysdb_ssh_tests_CFLAGS) $(CFLAGS) -c -o src/tests/sysdb_ssh_tests-sysdb_ssh-tests.obj `if test -f 'src/tests/sysdb_ssh-tests.c'; then $(CYGPATH_W) 'src/tests/sysdb_ssh-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/sysdb_ssh-tests.c'; fi` + +src/tests/tcurl_test_tool-tcurl_test_tool.o: src/tests/tcurl_test_tool.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -MT src/tests/tcurl_test_tool-tcurl_test_tool.o -MD -MP -MF src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Tpo -c -o src/tests/tcurl_test_tool-tcurl_test_tool.o `test -f 
'src/tests/tcurl_test_tool.c' || echo '$(srcdir)/'`src/tests/tcurl_test_tool.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Tpo src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/tcurl_test_tool.c' object='src/tests/tcurl_test_tool-tcurl_test_tool.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -c -o src/tests/tcurl_test_tool-tcurl_test_tool.o `test -f 'src/tests/tcurl_test_tool.c' || echo '$(srcdir)/'`src/tests/tcurl_test_tool.c + +src/tests/tcurl_test_tool-tcurl_test_tool.obj: src/tests/tcurl_test_tool.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -MT src/tests/tcurl_test_tool-tcurl_test_tool.obj -MD -MP -MF src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Tpo -c -o src/tests/tcurl_test_tool-tcurl_test_tool.obj `if test -f 'src/tests/tcurl_test_tool.c'; then $(CYGPATH_W) 'src/tests/tcurl_test_tool.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/tcurl_test_tool.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Tpo src/tests/$(DEPDIR)/tcurl_test_tool-tcurl_test_tool.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/tcurl_test_tool.c' object='src/tests/tcurl_test_tool-tcurl_test_tool.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -c -o src/tests/tcurl_test_tool-tcurl_test_tool.obj `if test -f 'src/tests/tcurl_test_tool.c'; then $(CYGPATH_W) 
'src/tests/tcurl_test_tool.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/tcurl_test_tool.c'; fi` + +src/util/tcurl_test_tool-tev_curl.o: src/util/tev_curl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -MT src/util/tcurl_test_tool-tev_curl.o -MD -MP -MF src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Tpo -c -o src/util/tcurl_test_tool-tev_curl.o `test -f 'src/util/tev_curl.c' || echo '$(srcdir)/'`src/util/tev_curl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Tpo src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/tev_curl.c' object='src/util/tcurl_test_tool-tev_curl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -c -o src/util/tcurl_test_tool-tev_curl.o `test -f 'src/util/tev_curl.c' || echo '$(srcdir)/'`src/util/tev_curl.c + +src/util/tcurl_test_tool-tev_curl.obj: src/util/tev_curl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -MT src/util/tcurl_test_tool-tev_curl.obj -MD -MP -MF src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Tpo -c -o src/util/tcurl_test_tool-tev_curl.obj `if test -f 'src/util/tev_curl.c'; then $(CYGPATH_W) 'src/util/tev_curl.c'; else $(CYGPATH_W) '$(srcdir)/src/util/tev_curl.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Tpo src/util/$(DEPDIR)/tcurl_test_tool-tev_curl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/tev_curl.c' object='src/util/tcurl_test_tool-tev_curl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -c -o src/util/tcurl_test_tool-tev_curl.obj `if test -f 'src/util/tev_curl.c'; then $(CYGPATH_W) 'src/util/tev_curl.c'; else $(CYGPATH_W) '$(srcdir)/src/util/tev_curl.c'; fi` + +src/util/tcurl_test_tool-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -MT src/util/tcurl_test_tool-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Tpo -c -o src/util/tcurl_test_tool-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Tpo src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/tcurl_test_tool-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -c -o src/util/tcurl_test_tool-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/tcurl_test_tool-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -MT src/util/tcurl_test_tool-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Tpo -c -o src/util/tcurl_test_tool-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Tpo 
src/util/$(DEPDIR)/tcurl_test_tool-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/tcurl_test_tool-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tcurl_test_tool_CFLAGS) $(CFLAGS) -c -o src/util/tcurl_test_tool-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/tests/cmocka/test_authtok-test_authtok.o: src/tests/cmocka/test_authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_authtok-test_authtok.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Tpo -c -o src/tests/cmocka/test_authtok-test_authtok.o `test -f 'src/tests/cmocka/test_authtok.c' || echo '$(srcdir)/'`src/tests/cmocka/test_authtok.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Tpo src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_authtok.c' object='src/tests/cmocka/test_authtok-test_authtok.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_authtok-test_authtok.o `test -f 'src/tests/cmocka/test_authtok.c' || echo '$(srcdir)/'`src/tests/cmocka/test_authtok.c + +src/tests/cmocka/test_authtok-test_authtok.obj: src/tests/cmocka/test_authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_authtok-test_authtok.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Tpo -c -o src/tests/cmocka/test_authtok-test_authtok.obj `if test -f 'src/tests/cmocka/test_authtok.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_authtok.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Tpo src/tests/cmocka/$(DEPDIR)/test_authtok-test_authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_authtok.c' object='src/tests/cmocka/test_authtok-test_authtok.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_authtok-test_authtok.obj `if test -f 'src/tests/cmocka/test_authtok.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_authtok.c'; fi` + +src/util/test_authtok-authtok.o: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-authtok.o -MD -MP -MF src/util/$(DEPDIR)/test_authtok-authtok.Tpo -c -o src/util/test_authtok-authtok.o `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-authtok.Tpo src/util/$(DEPDIR)/test_authtok-authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/test_authtok-authtok.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-authtok.o `test -f 'src/util/authtok.c' || echo '$(srcdir)/'`src/util/authtok.c + +src/util/test_authtok-authtok.obj: src/util/authtok.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-authtok.obj -MD -MP -MF src/util/$(DEPDIR)/test_authtok-authtok.Tpo -c -o src/util/test_authtok-authtok.obj `if test -f 'src/util/authtok.c'; then $(CYGPATH_W) 'src/util/authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-authtok.Tpo src/util/$(DEPDIR)/test_authtok-authtok.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok.c' object='src/util/test_authtok-authtok.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-authtok.obj `if test -f 'src/util/authtok.c'; then $(CYGPATH_W) 'src/util/authtok.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok.c'; fi` + +src/util/test_authtok-authtok-utils.o: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-authtok-utils.o -MD -MP -MF src/util/$(DEPDIR)/test_authtok-authtok-utils.Tpo -c -o src/util/test_authtok-authtok-utils.o `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-authtok-utils.Tpo src/util/$(DEPDIR)/test_authtok-authtok-utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' 
object='src/util/test_authtok-authtok-utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-authtok-utils.o `test -f 'src/util/authtok-utils.c' || echo '$(srcdir)/'`src/util/authtok-utils.c + +src/util/test_authtok-authtok-utils.obj: src/util/authtok-utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-authtok-utils.obj -MD -MP -MF src/util/$(DEPDIR)/test_authtok-authtok-utils.Tpo -c -o src/util/test_authtok-authtok-utils.obj `if test -f 'src/util/authtok-utils.c'; then $(CYGPATH_W) 'src/util/authtok-utils.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok-utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-authtok-utils.Tpo src/util/$(DEPDIR)/test_authtok-authtok-utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/authtok-utils.c' object='src/util/test_authtok-authtok-utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-authtok-utils.obj `if test -f 'src/util/authtok-utils.c'; then $(CYGPATH_W) 'src/util/authtok-utils.c'; else $(CYGPATH_W) '$(srcdir)/src/util/authtok-utils.c'; fi` + +src/util/test_authtok-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-util.o -MD -MP -MF src/util/$(DEPDIR)/test_authtok-util.Tpo -c -o src/util/test_authtok-util.o `test -f 
'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-util.Tpo src/util/$(DEPDIR)/test_authtok-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/test_authtok-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/test_authtok-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-util.obj -MD -MP -MF src/util/$(DEPDIR)/test_authtok-util.Tpo -c -o src/util/test_authtok-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-util.Tpo src/util/$(DEPDIR)/test_authtok-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/test_authtok-util.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/test_authtok-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-util_ext.o -MD -MP -MF 
src/util/$(DEPDIR)/test_authtok-util_ext.Tpo -c -o src/util/test_authtok-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-util_ext.Tpo src/util/$(DEPDIR)/test_authtok-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/test_authtok-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/test_authtok-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -MT src/util/test_authtok-util_ext.obj -MD -MP -MF src/util/$(DEPDIR)/test_authtok-util_ext.Tpo -c -o src/util/test_authtok-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_authtok-util_ext.Tpo src/util/$(DEPDIR)/test_authtok-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/test_authtok-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_authtok_CFLAGS) $(CFLAGS) -c -o src/util/test_authtok-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/tests/cmocka/test_find_uid-test_find_uid.o: 
src/tests/cmocka/test_find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_find_uid-test_find_uid.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Tpo -c -o src/tests/cmocka/test_find_uid-test_find_uid.o `test -f 'src/tests/cmocka/test_find_uid.c' || echo '$(srcdir)/'`src/tests/cmocka/test_find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Tpo src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_find_uid.c' object='src/tests/cmocka/test_find_uid-test_find_uid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_find_uid-test_find_uid.o `test -f 'src/tests/cmocka/test_find_uid.c' || echo '$(srcdir)/'`src/tests/cmocka/test_find_uid.c + +src/tests/cmocka/test_find_uid-test_find_uid.obj: src/tests/cmocka/test_find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_find_uid-test_find_uid.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Tpo -c -o src/tests/cmocka/test_find_uid-test_find_uid.obj `if test -f 'src/tests/cmocka/test_find_uid.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_find_uid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Tpo src/tests/cmocka/$(DEPDIR)/test_find_uid-test_find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_find_uid.c' 
object='src/tests/cmocka/test_find_uid-test_find_uid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_find_uid-test_find_uid.obj `if test -f 'src/tests/cmocka/test_find_uid.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_find_uid.c'; fi` + +src/util/test_find_uid-find_uid.o: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/util/test_find_uid-find_uid.o -MD -MP -MF src/util/$(DEPDIR)/test_find_uid-find_uid.Tpo -c -o src/util/test_find_uid-find_uid.o `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_find_uid-find_uid.Tpo src/util/$(DEPDIR)/test_find_uid-find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/find_uid.c' object='src/util/test_find_uid-find_uid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/util/test_find_uid-find_uid.o `test -f 'src/util/find_uid.c' || echo '$(srcdir)/'`src/util/find_uid.c + +src/util/test_find_uid-find_uid.obj: src/util/find_uid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/util/test_find_uid-find_uid.obj -MD -MP -MF src/util/$(DEPDIR)/test_find_uid-find_uid.Tpo -c -o src/util/test_find_uid-find_uid.obj `if test -f 'src/util/find_uid.c'; then $(CYGPATH_W) 
'src/util/find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/util/find_uid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_find_uid-find_uid.Tpo src/util/$(DEPDIR)/test_find_uid-find_uid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/find_uid.c' object='src/util/test_find_uid-find_uid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/util/test_find_uid-find_uid.obj `if test -f 'src/util/find_uid.c'; then $(CYGPATH_W) 'src/util/find_uid.c'; else $(CYGPATH_W) '$(srcdir)/src/util/find_uid.c'; fi` + +src/util/test_find_uid-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/util/test_find_uid-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/test_find_uid-atomic_io.Tpo -c -o src/util/test_find_uid-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_find_uid-atomic_io.Tpo src/util/$(DEPDIR)/test_find_uid-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/test_find_uid-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/util/test_find_uid-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/test_find_uid-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_find_uid_CFLAGS) $(CFLAGS) -MT src/util/test_find_uid-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/test_find_uid-atomic_io.Tpo -c -o src/util/test_find_uid-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_find_uid-atomic_io.Tpo src/util/$(DEPDIR)/test_find_uid-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/test_find_uid-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/util/test_find_uid-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/test_find_uid-strtonum.o: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/util/test_find_uid-strtonum.o -MD -MP -MF src/util/$(DEPDIR)/test_find_uid-strtonum.Tpo -c -o src/util/test_find_uid-strtonum.o `test -f 'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_find_uid-strtonum.Tpo src/util/$(DEPDIR)/test_find_uid-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/test_find_uid-strtonum.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/util/test_find_uid-strtonum.o `test -f 
'src/util/strtonum.c' || echo '$(srcdir)/'`src/util/strtonum.c + +src/util/test_find_uid-strtonum.obj: src/util/strtonum.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -MT src/util/test_find_uid-strtonum.obj -MD -MP -MF src/util/$(DEPDIR)/test_find_uid-strtonum.Tpo -c -o src/util/test_find_uid-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_find_uid-strtonum.Tpo src/util/$(DEPDIR)/test_find_uid-strtonum.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/strtonum.c' object='src/util/test_find_uid-strtonum.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_find_uid_CFLAGS) $(CFLAGS) -c -o src/util/test_find_uid-strtonum.obj `if test -f 'src/util/strtonum.c'; then $(CYGPATH_W) 'src/util/strtonum.c'; else $(CYGPATH_W) '$(srcdir)/src/util/strtonum.c'; fi` + +src/tests/cmocka/test_io-test_io.o: src/tests/cmocka/test_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_io-test_io.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_io-test_io.Tpo -c -o src/tests/cmocka/test_io-test_io.o `test -f 'src/tests/cmocka/test_io.c' || echo '$(srcdir)/'`src/tests/cmocka/test_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_io-test_io.Tpo src/tests/cmocka/$(DEPDIR)/test_io-test_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_io.c' object='src/tests/cmocka/test_io-test_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_io-test_io.o `test -f 'src/tests/cmocka/test_io.c' || echo '$(srcdir)/'`src/tests/cmocka/test_io.c + +src/tests/cmocka/test_io-test_io.obj: src/tests/cmocka/test_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_io-test_io.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_io-test_io.Tpo -c -o src/tests/cmocka/test_io-test_io.obj `if test -f 'src/tests/cmocka/test_io.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_io.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_io-test_io.Tpo src/tests/cmocka/$(DEPDIR)/test_io-test_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_io.c' object='src/tests/cmocka/test_io-test_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_io-test_io.obj `if test -f 'src/tests/cmocka/test_io.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_io.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_io.c'; fi` + +src/util/test_io-io.o: src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -MT src/util/test_io-io.o -MD -MP -MF src/util/$(DEPDIR)/test_io-io.Tpo -c -o src/util/test_io-io.o `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_io-io.Tpo src/util/$(DEPDIR)/test_io-io.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/io.c' object='src/util/test_io-io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -c -o src/util/test_io-io.o `test -f 'src/util/io.c' || echo '$(srcdir)/'`src/util/io.c + +src/util/test_io-io.obj: src/util/io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -MT src/util/test_io-io.obj -MD -MP -MF src/util/$(DEPDIR)/test_io-io.Tpo -c -o src/util/test_io-io.obj `if test -f 'src/util/io.c'; then $(CYGPATH_W) 'src/util/io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_io-io.Tpo src/util/$(DEPDIR)/test_io-io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/io.c' object='src/util/test_io-io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -c -o src/util/test_io-io.obj `if test -f 'src/util/io.c'; then $(CYGPATH_W) 'src/util/io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/io.c'; fi` + +src/tests/test_io-common.o: src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -MT src/tests/test_io-common.o -MD -MP -MF src/tests/$(DEPDIR)/test_io-common.Tpo -c -o src/tests/test_io-common.o `test -f 'src/tests/common.c' || echo '$(srcdir)/'`src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/test_io-common.Tpo src/tests/$(DEPDIR)/test_io-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/common.c' object='src/tests/test_io-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -c -o src/tests/test_io-common.o `test -f 'src/tests/common.c' || echo '$(srcdir)/'`src/tests/common.c + +src/tests/test_io-common.obj: src/tests/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -MT src/tests/test_io-common.obj -MD -MP -MF src/tests/$(DEPDIR)/test_io-common.Tpo -c -o src/tests/test_io-common.obj `if test -f 'src/tests/common.c'; then $(CYGPATH_W) 'src/tests/common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/test_io-common.Tpo src/tests/$(DEPDIR)/test_io-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/common.c' object='src/tests/test_io-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_io_CFLAGS) $(CFLAGS) -c -o src/tests/test_io-common.obj `if test -f 'src/tests/common.c'; then $(CYGPATH_W) 'src/tests/common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/common.c'; fi` + +src/responder/common/test_negcache-negcache_files.o: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-negcache_files.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Tpo -c -o src/responder/common/test_negcache-negcache_files.o `test -f 
'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Tpo src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/test_negcache-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-negcache_files.o `test -f 'src/responder/common/negcache_files.c' || echo '$(srcdir)/'`src/responder/common/negcache_files.c + +src/responder/common/test_negcache-negcache_files.obj: src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-negcache_files.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Tpo -c -o src/responder/common/test_negcache-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Tpo src/responder/common/$(DEPDIR)/test_negcache-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache_files.c' object='src/responder/common/test_negcache-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-negcache_files.obj `if test -f 'src/responder/common/negcache_files.c'; then $(CYGPATH_W) 'src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache_files.c'; fi` + +src/responder/common/test_negcache-negcache.o: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-negcache.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-negcache.Tpo -c -o src/responder/common/test_negcache-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-negcache.Tpo src/responder/common/$(DEPDIR)/test_negcache-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/test_negcache-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-negcache.o `test -f 'src/responder/common/negcache.c' || echo '$(srcdir)/'`src/responder/common/negcache.c + +src/responder/common/test_negcache-negcache.obj: src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-negcache.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-negcache.Tpo -c -o src/responder/common/test_negcache-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 
'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-negcache.Tpo src/responder/common/$(DEPDIR)/test_negcache-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/negcache.c' object='src/responder/common/test_negcache-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-negcache.obj `if test -f 'src/responder/common/negcache.c'; then $(CYGPATH_W) 'src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/negcache.c'; fi` + +src/responder/common/test_negcache-responder_cmd.o: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_cmd.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Tpo -c -o src/responder/common/test_negcache-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/test_negcache-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) 
$(CFLAGS) -c -o src/responder/common/test_negcache-responder_cmd.o `test -f 'src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`src/responder/common/responder_cmd.c + +src/responder/common/test_negcache-responder_cmd.obj: src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_cmd.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Tpo -c -o src/responder/common/test_negcache-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_cmd.c' object='src/responder/common/test_negcache-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_cmd.obj `if test -f 'src/responder/common/responder_cmd.c'; then $(CYGPATH_W) 'src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_cmd.c'; fi` + +src/responder/common/test_negcache-responder_common.o: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_common.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_common.Tpo -c -o 
src/responder/common/test_negcache-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_common.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/test_negcache-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_common.o `test -f 'src/responder/common/responder_common.c' || echo '$(srcdir)/'`src/responder/common/responder_common.c + +src/responder/common/test_negcache-responder_common.obj: src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_common.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_common.Tpo -c -o src/responder/common/test_negcache-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_common.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_common.c' object='src/responder/common/test_negcache-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_common.obj `if test -f 'src/responder/common/responder_common.c'; then $(CYGPATH_W) 'src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_common.c'; fi` + +src/responder/common/test_negcache-responder_dp.o: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_dp.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Tpo -c -o src/responder/common/test_negcache-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/test_negcache-responder_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_dp.o `test -f 'src/responder/common/responder_dp.c' || echo '$(srcdir)/'`src/responder/common/responder_dp.c + +src/responder/common/test_negcache-responder_dp.obj: src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_dp.obj -MD -MP -MF 
src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Tpo -c -o src/responder/common/test_negcache-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp.c' object='src/responder/common/test_negcache-responder_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_dp.obj `if test -f 'src/responder/common/responder_dp.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp.c'; fi` + +src/responder/common/test_negcache-responder_dp_ssh.o: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_dp_ssh.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Tpo -c -o src/responder/common/test_negcache-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/test_negcache-responder_dp_ssh.o' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_dp_ssh.o `test -f 'src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`src/responder/common/responder_dp_ssh.c + +src/responder/common/test_negcache-responder_dp_ssh.obj: src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_dp_ssh.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Tpo -c -o src/responder/common/test_negcache-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_dp_ssh.c' object='src/responder/common/test_negcache-responder_dp_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_dp_ssh.obj `if test -f 'src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 'src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_dp_ssh.c'; fi` + +src/responder/common/test_negcache-responder_packet.o: 
src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_packet.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Tpo -c -o src/responder/common/test_negcache-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/test_negcache-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_packet.o `test -f 'src/responder/common/responder_packet.c' || echo '$(srcdir)/'`src/responder/common/responder_packet.c + +src/responder/common/test_negcache-responder_packet.obj: src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_packet.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Tpo -c -o src/responder/common/test_negcache-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Tpo 
src/responder/common/$(DEPDIR)/test_negcache-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_packet.c' object='src/responder/common/test_negcache-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_packet.obj `if test -f 'src/responder/common/responder_packet.c'; then $(CYGPATH_W) 'src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_packet.c'; fi` + +src/responder/common/test_negcache-responder_get_domains.o: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_get_domains.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Tpo -c -o src/responder/common/test_negcache-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/test_negcache-responder_get_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/test_negcache-responder_get_domains.o `test -f 'src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`src/responder/common/responder_get_domains.c + +src/responder/common/test_negcache-responder_get_domains.obj: src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_get_domains.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Tpo -c -o src/responder/common/test_negcache-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_get_domains.c' object='src/responder/common/test_negcache-responder_get_domains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_get_domains.obj `if test -f 'src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) 'src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_get_domains.c'; fi` + +src/responder/common/test_negcache-responder_utils.o: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/test_negcache-responder_utils.o -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Tpo -c -o src/responder/common/test_negcache-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' object='src/responder/common/test_negcache-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_utils.o `test -f 'src/responder/common/responder_utils.c' || echo '$(srcdir)/'`src/responder/common/responder_utils.c + +src/responder/common/test_negcache-responder_utils.obj: src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/test_negcache-responder_utils.obj -MD -MP -MF src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Tpo -c -o src/responder/common/test_negcache-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Tpo src/responder/common/$(DEPDIR)/test_negcache-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/responder_utils.c' 
object='src/responder/common/test_negcache-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/test_negcache-responder_utils.obj `if test -f 'src/responder/common/responder_utils.c'; then $(CYGPATH_W) 'src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/responder_utils.c'; fi` + +src/responder/common/data_provider/test_negcache-rdp_message.o: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/test_negcache-rdp_message.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Tpo -c -o src/responder/common/data_provider/test_negcache-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/test_negcache-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/test_negcache-rdp_message.o `test -f 'src/responder/common/data_provider/rdp_message.c' || echo 
'$(srcdir)/'`src/responder/common/data_provider/rdp_message.c + +src/responder/common/data_provider/test_negcache-rdp_message.obj: src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/test_negcache-rdp_message.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Tpo -c -o src/responder/common/data_provider/test_negcache-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Tpo src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_message.c' object='src/responder/common/data_provider/test_negcache-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/test_negcache-rdp_message.obj `if test -f 'src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_message.c'; fi` + +src/responder/common/data_provider/test_negcache-rdp_client.o: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/data_provider/test_negcache-rdp_client.o -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Tpo -c -o src/responder/common/data_provider/test_negcache-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Tpo src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/test_negcache-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/test_negcache-rdp_client.o `test -f 'src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`src/responder/common/data_provider/rdp_client.c + +src/responder/common/data_provider/test_negcache-rdp_client.obj: src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/data_provider/test_negcache-rdp_client.obj -MD -MP -MF src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Tpo -c -o src/responder/common/data_provider/test_negcache-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Tpo 
src/responder/common/data_provider/$(DEPDIR)/test_negcache-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/data_provider/rdp_client.c' object='src/responder/common/data_provider/test_negcache-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/data_provider/test_negcache-rdp_client.obj `if test -f 'src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) 'src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/data_provider/rdp_client.c'; fi` + +src/monitor/test_negcache-monitor_iface_generated.o: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/monitor/test_negcache-monitor_iface_generated.o -MD -MP -MF src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Tpo -c -o src/monitor/test_negcache-monitor_iface_generated.o `test -f 'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/test_negcache-monitor_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/monitor/test_negcache-monitor_iface_generated.o `test -f 
'src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`src/monitor/monitor_iface_generated.c + +src/monitor/test_negcache-monitor_iface_generated.obj: src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/monitor/test_negcache-monitor_iface_generated.obj -MD -MP -MF src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Tpo -c -o src/monitor/test_negcache-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Tpo src/monitor/$(DEPDIR)/test_negcache-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/monitor/monitor_iface_generated.c' object='src/monitor/test_negcache-monitor_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/monitor/test_negcache-monitor_iface_generated.obj `if test -f 'src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) 'src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/monitor/monitor_iface_generated.c'; fi` + +src/providers/test_negcache-data_provider_req.o: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/providers/test_negcache-data_provider_req.o -MD -MP -MF src/providers/$(DEPDIR)/test_negcache-data_provider_req.Tpo -c -o src/providers/test_negcache-data_provider_req.o `test -f 
'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_negcache-data_provider_req.Tpo src/providers/$(DEPDIR)/test_negcache-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/test_negcache-data_provider_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/providers/test_negcache-data_provider_req.o `test -f 'src/providers/data_provider_req.c' || echo '$(srcdir)/'`src/providers/data_provider_req.c + +src/providers/test_negcache-data_provider_req.obj: src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/providers/test_negcache-data_provider_req.obj -MD -MP -MF src/providers/$(DEPDIR)/test_negcache-data_provider_req.Tpo -c -o src/providers/test_negcache-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_negcache-data_provider_req.Tpo src/providers/$(DEPDIR)/test_negcache-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_req.c' object='src/providers/test_negcache-data_provider_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/providers/test_negcache-data_provider_req.obj `if test -f 'src/providers/data_provider_req.c'; then $(CYGPATH_W) 'src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_req.c'; fi` + +src/util/test_negcache-session_recording.o: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/util/test_negcache-session_recording.o -MD -MP -MF src/util/$(DEPDIR)/test_negcache-session_recording.Tpo -c -o src/util/test_negcache-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_negcache-session_recording.Tpo src/util/$(DEPDIR)/test_negcache-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/test_negcache-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/util/test_negcache-session_recording.o `test -f 'src/util/session_recording.c' || echo '$(srcdir)/'`src/util/session_recording.c + +src/util/test_negcache-session_recording.obj: src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/util/test_negcache-session_recording.obj -MD -MP -MF src/util/$(DEPDIR)/test_negcache-session_recording.Tpo -c -o src/util/test_negcache-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/test_negcache-session_recording.Tpo src/util/$(DEPDIR)/test_negcache-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/session_recording.c' object='src/util/test_negcache-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/util/test_negcache-session_recording.obj `if test -f 'src/util/session_recording.c'; then $(CYGPATH_W) 'src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/src/util/session_recording.c'; fi` + +src/responder/common/iface/test_negcache-responder_iface.o: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_iface.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Tpo -c -o src/responder/common/iface/test_negcache-responder_iface.o `test -f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/test_negcache-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_iface.o `test 
-f 'src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface.c + +src/responder/common/iface/test_negcache-responder_iface.obj: src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_iface.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Tpo -c -o src/responder/common/iface/test_negcache-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface.c' object='src/responder/common/iface/test_negcache-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_iface.obj `if test -f 'src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface.c'; fi` + +src/responder/common/iface/test_negcache-responder_domain.o: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_domain.o -MD 
-MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Tpo -c -o src/responder/common/iface/test_negcache-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/test_negcache-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_domain.o `test -f 'src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_domain.c + +src/responder/common/iface/test_negcache-responder_domain.obj: src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_domain.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Tpo -c -o src/responder/common/iface/test_negcache-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/iface/responder_domain.c' object='src/responder/common/iface/test_negcache-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_domain.obj `if test -f 'src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_domain.c'; fi` + +src/responder/common/iface/test_negcache-responder_ncache.o: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_ncache.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Tpo -c -o src/responder/common/iface/test_negcache-responder_ncache.o `test -f 'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/test_negcache-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_ncache.o `test -f 
'src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_ncache.c + +src/responder/common/iface/test_negcache-responder_ncache.obj: src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_ncache.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Tpo -c -o src/responder/common/iface/test_negcache-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_ncache.c' object='src/responder/common/iface/test_negcache-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_ncache.obj `if test -f 'src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_ncache.c'; fi` + +src/responder/common/iface/test_negcache-responder_iface_generated.o: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/iface/test_negcache-responder_iface_generated.o -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Tpo -c -o src/responder/common/iface/test_negcache-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/test_negcache-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_iface_generated.o `test -f 'src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`src/responder/common/iface/responder_iface_generated.c + +src/responder/common/iface/test_negcache-responder_iface_generated.obj: src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/iface/test_negcache-responder_iface_generated.obj -MD -MP -MF src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Tpo -c -o src/responder/common/iface/test_negcache-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Tpo src/responder/common/iface/$(DEPDIR)/test_negcache-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/iface/responder_iface_generated.c' object='src/responder/common/iface/test_negcache-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/iface/test_negcache-responder_iface_generated.obj `if test -f 'src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) 'src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/iface/responder_iface_generated.c'; fi` + +src/responder/common/cache_req/test_negcache-cache_req.o: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/test_negcache-cache_req.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req.o `test -f 'src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req.c + +src/responder/common/cache_req/test_negcache-cache_req.obj: src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req.c' object='src/responder/common/cache_req/test_negcache-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req.obj `if test -f 'src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req.c'; fi` + 
+src/responder/common/cache_req/test_negcache-cache_req_result.o: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_result.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/test_negcache-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_result.o `test -f 'src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_result.c + +src/responder/common/cache_req/test_negcache-cache_req_result.obj: src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_result.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_result.obj `if test -f 
'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_result.c' object='src/responder/common/cache_req/test_negcache-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_result.obj `if test -f 'src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_result.c'; fi` + +src/responder/common/cache_req/test_negcache-cache_req_search.o: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_search.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/test_negcache-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_search.o `test -f 'src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_search.c + +src/responder/common/cache_req/test_negcache-cache_req_search.obj: src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_search.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_search.c' object='src/responder/common/cache_req/test_negcache-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/test_negcache-cache_req_search.obj `if test -f 'src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_search.c'; fi` + +src/responder/common/cache_req/test_negcache-cache_req_data.o: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_data.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/test_negcache-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_data.o `test -f 'src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_data.c + +src/responder/common/cache_req/test_negcache-cache_req_data.obj: src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/test_negcache-cache_req_data.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_data.c' object='src/responder/common/cache_req/test_negcache-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_data.obj `if test -f 'src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_data.c'; fi` + +src/responder/common/cache_req/test_negcache-cache_req_domain.o: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_domain.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/test_negcache-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_domain.o `test -f 'src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_domain.c + +src/responder/common/cache_req/test_negcache-cache_req_domain.obj: src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_domain.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_domain.c' object='src/responder/common/cache_req/test_negcache-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_domain.obj `if test -f 'src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_domain.c'; fi` + +src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.o: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.o -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.o `test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`src/responder/common/cache_req/cache_req_sr_overlay.c + 
+src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.obj: src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.obj -MD -MP -MF src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Tpo -c -o src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Tpo src/responder/common/cache_req/$(DEPDIR)/test_negcache-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/cache_req_sr_overlay.c' object='src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/test_negcache-cache_req_sr_overlay.obj `if test -f 'src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_common.o: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/test_negcache-cache_req_common.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_common.o `test -f 'src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_common.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_common.obj: src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_common.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_common.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_common.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.o: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_users.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.obj: src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_users.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.o: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.obj: src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_groups.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.o: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.o `test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.obj: src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_enum_svc.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.o: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Tpo -c -o 
src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.obj: src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; 
fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.o: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.o: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.obj: src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) 
'$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.o: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.o: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.o `test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.obj: src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_user_by_cert.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.o: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.obj: src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Tpo 
src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.o: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' 
object='src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.obj: src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.o: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.o `test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.obj: src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_group_by_filter.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + 
+src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + 
+src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.o: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.o `test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.obj: src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_initgroups_by_upn.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.o: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT 
src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.obj: src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.obj `if test -f 
'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_sid.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.o: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo 
'$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.obj: src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.o: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.o `test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.obj: src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_object_by_id.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.o: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o 
src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.o: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.o `test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.obj: src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_svc_by_port.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.o: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.o -MD -MP -MF 
src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.obj: src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 
'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_netgroup_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.o: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.o -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.o `test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.obj: src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.obj -MD -MP -MF src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Tpo -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Tpo src/responder/common/cache_req/plugins/$(DEPDIR)/test_negcache-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/responder/common/cache_req/plugins/test_negcache-cache_req_host_by_name.obj `if test -f 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 'src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +src/tests/cmocka/test_negcache-common_mock_resp.o: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_negcache-common_mock_resp.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Tpo -c -o src/tests/cmocka/test_negcache-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/test_negcache-common_mock_resp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_negcache-common_mock_resp.o `test -f 'src/tests/cmocka/common_mock_resp.c' 
|| echo '$(srcdir)/'`src/tests/cmocka/common_mock_resp.c + +src/tests/cmocka/test_negcache-common_mock_resp.obj: src/tests/cmocka/common_mock_resp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_negcache-common_mock_resp.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Tpo -c -o src/tests/cmocka/test_negcache-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Tpo src/tests/cmocka/$(DEPDIR)/test_negcache-common_mock_resp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_resp.c' object='src/tests/cmocka/test_negcache-common_mock_resp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_negcache-common_mock_resp.obj `if test -f 'src/tests/cmocka/common_mock_resp.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_resp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_resp.c'; fi` + +src/tests/cmocka/test_negcache-test_negcache.o: src/tests/cmocka/test_negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_negcache-test_negcache.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Tpo -c -o src/tests/cmocka/test_negcache-test_negcache.o `test -f 'src/tests/cmocka/test_negcache.c' || echo '$(srcdir)/'`src/tests/cmocka/test_negcache.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Tpo src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_negcache.c' object='src/tests/cmocka/test_negcache-test_negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_negcache-test_negcache.o `test -f 'src/tests/cmocka/test_negcache.c' || echo '$(srcdir)/'`src/tests/cmocka/test_negcache.c + +src/tests/cmocka/test_negcache-test_negcache.obj: src/tests/cmocka/test_negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_negcache-test_negcache.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Tpo -c -o src/tests/cmocka/test_negcache-test_negcache.obj `if test -f 'src/tests/cmocka/test_negcache.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Tpo src/tests/cmocka/$(DEPDIR)/test_negcache-test_negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_negcache.c' object='src/tests/cmocka/test_negcache-test_negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_negcache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_negcache-test_negcache.obj `if test -f 'src/tests/cmocka/test_negcache.c'; then $(CYGPATH_W) 
'src/tests/cmocka/test_negcache.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_negcache.c'; fi` + +src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o: src/tests/cmocka/test_ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ad_subdom_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Tpo -c -o src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o `test -f 'src/tests/cmocka/test_ad_subdomains.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Tpo src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ad_subdomains.c' object='src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ad_subdom_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ad_subdom-test_ad_subdomains.o `test -f 'src/tests/cmocka/test_ad_subdomains.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ad_subdomains.c + +src/tests/cmocka/test_ad_subdom-test_ad_subdomains.obj: src/tests/cmocka/test_ad_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ad_subdom_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ad_subdom-test_ad_subdomains.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Tpo -c -o src/tests/cmocka/test_ad_subdom-test_ad_subdomains.obj `if test -f 'src/tests/cmocka/test_ad_subdomains.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ad_subdomains.c'; else $(CYGPATH_W) 
'$(srcdir)/src/tests/cmocka/test_ad_subdomains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Tpo src/tests/cmocka/$(DEPDIR)/test_ad_subdom-test_ad_subdomains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ad_subdomains.c' object='src/tests/cmocka/test_ad_subdom-test_ad_subdomains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ad_subdom_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ad_subdom-test_ad_subdomains.obj `if test -f 'src/tests/cmocka/test_ad_subdomains.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ad_subdomains.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ad_subdomains.c'; fi` + +src/tests/cmocka/test_be_ptask-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_be_ptask-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Tpo -c -o src/tests/cmocka/test_be_ptask-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_be_ptask-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -c -o 
src/tests/cmocka/test_be_ptask-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/test_be_ptask-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_be_ptask-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Tpo -c -o src/tests/cmocka/test_be_ptask-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_be_ptask-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_be_ptask-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_be_ptask-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/tests/cmocka/test_be_ptask-test_be_ptask.o: src/tests/cmocka/test_be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_be_ptask-test_be_ptask.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Tpo -c -o src/tests/cmocka/test_be_ptask-test_be_ptask.o `test -f 'src/tests/cmocka/test_be_ptask.c' || echo 
'$(srcdir)/'`src/tests/cmocka/test_be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Tpo src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_be_ptask.c' object='src/tests/cmocka/test_be_ptask-test_be_ptask.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_be_ptask-test_be_ptask.o `test -f 'src/tests/cmocka/test_be_ptask.c' || echo '$(srcdir)/'`src/tests/cmocka/test_be_ptask.c + +src/tests/cmocka/test_be_ptask-test_be_ptask.obj: src/tests/cmocka/test_be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_be_ptask-test_be_ptask.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Tpo -c -o src/tests/cmocka/test_be_ptask-test_be_ptask.obj `if test -f 'src/tests/cmocka/test_be_ptask.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_be_ptask.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_be_ptask.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Tpo src/tests/cmocka/$(DEPDIR)/test_be_ptask-test_be_ptask.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_be_ptask.c' object='src/tests/cmocka/test_be_ptask-test_be_ptask.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_be_ptask-test_be_ptask.obj `if test -f 
'src/tests/cmocka/test_be_ptask.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_be_ptask.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_be_ptask.c'; fi` + +src/providers/test_be_ptask-be_ptask.o: src/providers/be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -MT src/providers/test_be_ptask-be_ptask.o -MD -MP -MF src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Tpo -c -o src/providers/test_be_ptask-be_ptask.o `test -f 'src/providers/be_ptask.c' || echo '$(srcdir)/'`src/providers/be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Tpo src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/be_ptask.c' object='src/providers/test_be_ptask-be_ptask.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -c -o src/providers/test_be_ptask-be_ptask.o `test -f 'src/providers/be_ptask.c' || echo '$(srcdir)/'`src/providers/be_ptask.c + +src/providers/test_be_ptask-be_ptask.obj: src/providers/be_ptask.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -MT src/providers/test_be_ptask-be_ptask.obj -MD -MP -MF src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Tpo -c -o src/providers/test_be_ptask-be_ptask.obj `if test -f 'src/providers/be_ptask.c'; then $(CYGPATH_W) 'src/providers/be_ptask.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/be_ptask.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Tpo src/providers/$(DEPDIR)/test_be_ptask-be_ptask.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/be_ptask.c' 
object='src/providers/test_be_ptask-be_ptask.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_be_ptask_CFLAGS) $(CFLAGS) -c -o src/providers/test_be_ptask-be_ptask.obj `if test -f 'src/providers/be_ptask.c'; then $(CYGPATH_W) 'src/providers/be_ptask.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/be_ptask.c'; fi` + +src/tests/cmocka/test_cert_utils-test_cert_utils.o: src/tests/cmocka/test_cert_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_cert_utils-test_cert_utils.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Tpo -c -o src/tests/cmocka/test_cert_utils-test_cert_utils.o `test -f 'src/tests/cmocka/test_cert_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_cert_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_cert_utils.c' object='src/tests/cmocka/test_cert_utils-test_cert_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_cert_utils-test_cert_utils.o `test -f 'src/tests/cmocka/test_cert_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_cert_utils.c + +src/tests/cmocka/test_cert_utils-test_cert_utils.obj: src/tests/cmocka/test_cert_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_cert_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_cert_utils-test_cert_utils.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Tpo -c -o src/tests/cmocka/test_cert_utils-test_cert_utils.obj `if test -f 'src/tests/cmocka/test_cert_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_cert_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_cert_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_cert_utils-test_cert_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_cert_utils.c' object='src/tests/cmocka/test_cert_utils-test_cert_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_cert_utils-test_cert_utils.obj `if test -f 'src/tests/cmocka/test_cert_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_cert_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_cert_utils.c'; fi` + +src/util/cert/test_cert_utils-cert_common_p11_child.o: src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -MT src/util/cert/test_cert_utils-cert_common_p11_child.o -MD -MP -MF src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Tpo -c -o src/util/cert/test_cert_utils-cert_common_p11_child.o `test -f 'src/util/cert/cert_common_p11_child.c' || echo '$(srcdir)/'`src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Tpo src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/util/cert/cert_common_p11_child.c' object='src/util/cert/test_cert_utils-cert_common_p11_child.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -c -o src/util/cert/test_cert_utils-cert_common_p11_child.o `test -f 'src/util/cert/cert_common_p11_child.c' || echo '$(srcdir)/'`src/util/cert/cert_common_p11_child.c + +src/util/cert/test_cert_utils-cert_common_p11_child.obj: src/util/cert/cert_common_p11_child.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -MT src/util/cert/test_cert_utils-cert_common_p11_child.obj -MD -MP -MF src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Tpo -c -o src/util/cert/test_cert_utils-cert_common_p11_child.obj `if test -f 'src/util/cert/cert_common_p11_child.c'; then $(CYGPATH_W) 'src/util/cert/cert_common_p11_child.c'; else $(CYGPATH_W) '$(srcdir)/src/util/cert/cert_common_p11_child.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Tpo src/util/cert/$(DEPDIR)/test_cert_utils-cert_common_p11_child.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/cert/cert_common_p11_child.c' object='src/util/cert/test_cert_utils-cert_common_p11_child.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_cert_utils_CFLAGS) $(CFLAGS) -c -o src/util/cert/test_cert_utils-cert_common_p11_child.obj `if test -f 'src/util/cert/cert_common_p11_child.c'; then $(CYGPATH_W) 'src/util/cert/cert_common_p11_child.c'; else $(CYGPATH_W) 
'$(srcdir)/src/util/cert/cert_common_p11_child.c'; fi` + +src/tests/cmocka/test_child_common-test_child_common.o: src/tests/cmocka/test_child_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_child_common-test_child_common.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Tpo -c -o src/tests/cmocka/test_child_common-test_child_common.o `test -f 'src/tests/cmocka/test_child_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_child_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Tpo src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_child_common.c' object='src/tests/cmocka/test_child_common-test_child_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_child_common-test_child_common.o `test -f 'src/tests/cmocka/test_child_common.c' || echo '$(srcdir)/'`src/tests/cmocka/test_child_common.c + +src/tests/cmocka/test_child_common-test_child_common.obj: src/tests/cmocka/test_child_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_child_common-test_child_common.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Tpo -c -o src/tests/cmocka/test_child_common-test_child_common.obj `if test -f 'src/tests/cmocka/test_child_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_child_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_child_common.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Tpo src/tests/cmocka/$(DEPDIR)/test_child_common-test_child_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_child_common.c' object='src/tests/cmocka/test_child_common-test_child_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_child_common-test_child_common.obj `if test -f 'src/tests/cmocka/test_child_common.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_child_common.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_child_common.c'; fi` + +src/util/test_child_common-child_common.o: src/util/child_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-child_common.o -MD -MP -MF src/util/$(DEPDIR)/test_child_common-child_common.Tpo -c -o src/util/test_child_common-child_common.o `test -f 'src/util/child_common.c' || echo '$(srcdir)/'`src/util/child_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-child_common.Tpo src/util/$(DEPDIR)/test_child_common-child_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/child_common.c' object='src/util/test_child_common-child_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-child_common.o `test -f 'src/util/child_common.c' || echo '$(srcdir)/'`src/util/child_common.c + 
+src/util/test_child_common-child_common.obj: src/util/child_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-child_common.obj -MD -MP -MF src/util/$(DEPDIR)/test_child_common-child_common.Tpo -c -o src/util/test_child_common-child_common.obj `if test -f 'src/util/child_common.c'; then $(CYGPATH_W) 'src/util/child_common.c'; else $(CYGPATH_W) '$(srcdir)/src/util/child_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-child_common.Tpo src/util/$(DEPDIR)/test_child_common-child_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/child_common.c' object='src/util/test_child_common-child_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-child_common.obj `if test -f 'src/util/child_common.c'; then $(CYGPATH_W) 'src/util/child_common.c'; else $(CYGPATH_W) '$(srcdir)/src/util/child_common.c'; fi` + +src/util/test_child_common-signal.o: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-signal.o -MD -MP -MF src/util/$(DEPDIR)/test_child_common-signal.Tpo -c -o src/util/test_child_common-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-signal.Tpo src/util/$(DEPDIR)/test_child_common-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/test_child_common-signal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-signal.o `test -f 'src/util/signal.c' || echo '$(srcdir)/'`src/util/signal.c + +src/util/test_child_common-signal.obj: src/util/signal.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-signal.obj -MD -MP -MF src/util/$(DEPDIR)/test_child_common-signal.Tpo -c -o src/util/test_child_common-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-signal.Tpo src/util/$(DEPDIR)/test_child_common-signal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/signal.c' object='src/util/test_child_common-signal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-signal.obj `if test -f 'src/util/signal.c'; then $(CYGPATH_W) 'src/util/signal.c'; else $(CYGPATH_W) '$(srcdir)/src/util/signal.c'; fi` + +src/util/test_child_common-atomic_io.o: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-atomic_io.o -MD -MP -MF src/util/$(DEPDIR)/test_child_common-atomic_io.Tpo -c -o src/util/test_child_common-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/util/$(DEPDIR)/test_child_common-atomic_io.Tpo src/util/$(DEPDIR)/test_child_common-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/test_child_common-atomic_io.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-atomic_io.o `test -f 'src/util/atomic_io.c' || echo '$(srcdir)/'`src/util/atomic_io.c + +src/util/test_child_common-atomic_io.obj: src/util/atomic_io.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-atomic_io.obj -MD -MP -MF src/util/$(DEPDIR)/test_child_common-atomic_io.Tpo -c -o src/util/test_child_common-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-atomic_io.Tpo src/util/$(DEPDIR)/test_child_common-atomic_io.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/atomic_io.c' object='src/util/test_child_common-atomic_io.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-atomic_io.obj `if test -f 'src/util/atomic_io.c'; then $(CYGPATH_W) 'src/util/atomic_io.c'; else $(CYGPATH_W) '$(srcdir)/src/util/atomic_io.c'; fi` + +src/util/test_child_common-util_errors.o: src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-util_errors.o -MD -MP -MF src/util/$(DEPDIR)/test_child_common-util_errors.Tpo -c -o src/util/test_child_common-util_errors.o `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-util_errors.Tpo src/util/$(DEPDIR)/test_child_common-util_errors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/test_child_common-util_errors.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-util_errors.o `test -f 'src/util/util_errors.c' || echo '$(srcdir)/'`src/util/util_errors.c + +src/util/test_child_common-util_errors.obj: src/util/util_errors.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-util_errors.obj -MD -MP -MF src/util/$(DEPDIR)/test_child_common-util_errors.Tpo -c -o src/util/test_child_common-util_errors.obj `if test -f 'src/util/util_errors.c'; then $(CYGPATH_W) 'src/util/util_errors.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_errors.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-util_errors.Tpo src/util/$(DEPDIR)/test_child_common-util_errors.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_errors.c' object='src/util/test_child_common-util_errors.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-util_errors.obj `if test -f 'src/util/util_errors.c'; then $(CYGPATH_W) 'src/util/util_errors.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_errors.c'; fi` + +src/util/test_child_common-util.o: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-util.o -MD -MP -MF src/util/$(DEPDIR)/test_child_common-util.Tpo -c -o src/util/test_child_common-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-util.Tpo src/util/$(DEPDIR)/test_child_common-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/test_child_common-util.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-util.o `test -f 'src/util/util.c' || echo '$(srcdir)/'`src/util/util.c + +src/util/test_child_common-util.obj: src/util/util.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-util.obj -MD -MP -MF src/util/$(DEPDIR)/test_child_common-util.Tpo -c -o src/util/test_child_common-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-util.Tpo src/util/$(DEPDIR)/test_child_common-util.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util.c' object='src/util/test_child_common-util.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-util.obj `if test -f 'src/util/util.c'; then $(CYGPATH_W) 'src/util/util.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util.c'; fi` + +src/util/test_child_common-util_ext.o: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-util_ext.o -MD -MP -MF src/util/$(DEPDIR)/test_child_common-util_ext.Tpo -c -o src/util/test_child_common-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-util_ext.Tpo src/util/$(DEPDIR)/test_child_common-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/test_child_common-util_ext.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-util_ext.o `test -f 'src/util/util_ext.c' || echo '$(srcdir)/'`src/util/util_ext.c + +src/util/test_child_common-util_ext.obj: src/util/util_ext.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -MT src/util/test_child_common-util_ext.obj -MD -MP -MF src/util/$(DEPDIR)/test_child_common-util_ext.Tpo -c -o src/util/test_child_common-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_child_common-util_ext.Tpo src/util/$(DEPDIR)/test_child_common-util_ext.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/util_ext.c' object='src/util/test_child_common-util_ext.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_child_common_CFLAGS) $(CFLAGS) -c -o src/util/test_child_common-util_ext.obj `if test -f 'src/util/util_ext.c'; then $(CYGPATH_W) 'src/util/util_ext.c'; else $(CYGPATH_W) '$(srcdir)/src/util/util_ext.c'; fi` + +src/tests/cmocka/test_copy_ccache-test_copy_ccache.o: src/tests/cmocka/test_copy_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_copy_ccache-test_copy_ccache.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Tpo -c -o src/tests/cmocka/test_copy_ccache-test_copy_ccache.o `test -f 'src/tests/cmocka/test_copy_ccache.c' || echo '$(srcdir)/'`src/tests/cmocka/test_copy_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Tpo src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_copy_ccache.c' object='src/tests/cmocka/test_copy_ccache-test_copy_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_copy_ccache-test_copy_ccache.o `test -f 'src/tests/cmocka/test_copy_ccache.c' || echo '$(srcdir)/'`src/tests/cmocka/test_copy_ccache.c + 
+src/tests/cmocka/test_copy_ccache-test_copy_ccache.obj: src/tests/cmocka/test_copy_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_copy_ccache-test_copy_ccache.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Tpo -c -o src/tests/cmocka/test_copy_ccache-test_copy_ccache.obj `if test -f 'src/tests/cmocka/test_copy_ccache.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_copy_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_copy_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Tpo src/tests/cmocka/$(DEPDIR)/test_copy_ccache-test_copy_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_copy_ccache.c' object='src/tests/cmocka/test_copy_ccache-test_copy_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_copy_ccache-test_copy_ccache.obj `if test -f 'src/tests/cmocka/test_copy_ccache.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_copy_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_copy_ccache.c'; fi` + +src/providers/krb5/test_copy_ccache-krb5_ccache.o: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_copy_ccache-krb5_ccache.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Tpo -c -o src/providers/krb5/test_copy_ccache-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/test_copy_ccache-krb5_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_copy_ccache-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/providers/krb5/test_copy_ccache-krb5_ccache.obj: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_copy_ccache-krb5_ccache.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Tpo -c -o src/providers/krb5/test_copy_ccache-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/test_copy_ccache-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/test_copy_ccache-krb5_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_copy_ccache-krb5_ccache.obj `if test -f 
'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` + +src/util/test_copy_ccache-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/util/test_copy_ccache-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Tpo -c -o src/util/test_copy_ccache-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Tpo src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_copy_ccache-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_ccache-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/test_copy_ccache-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/util/test_copy_ccache-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Tpo -c -o src/util/test_copy_ccache-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Tpo src/util/$(DEPDIR)/test_copy_ccache-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_copy_ccache-sss_krb5.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_ccache-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/test_copy_ccache-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/util/test_copy_ccache-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Tpo -c -o src/util/test_copy_ccache-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Tpo src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_copy_ccache-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_ccache-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/test_copy_ccache-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -MT src/util/test_copy_ccache-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Tpo -c -o src/util/test_copy_ccache-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) 
'$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Tpo src/util/$(DEPDIR)/test_copy_ccache-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_copy_ccache-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_ccache_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_ccache-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/tests/cmocka/test_copy_keytab-common_mock_krb5.o: src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_copy_keytab-common_mock_krb5.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Tpo -c -o src/tests/cmocka/test_copy_keytab-common_mock_krb5.o `test -f 'src/tests/cmocka/common_mock_krb5.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Tpo src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_krb5.c' object='src/tests/cmocka/test_copy_keytab-common_mock_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_copy_keytab-common_mock_krb5.o `test -f 'src/tests/cmocka/common_mock_krb5.c' || 
echo '$(srcdir)/'`src/tests/cmocka/common_mock_krb5.c + +src/tests/cmocka/test_copy_keytab-common_mock_krb5.obj: src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_copy_keytab-common_mock_krb5.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Tpo -c -o src/tests/cmocka/test_copy_keytab-common_mock_krb5.obj `if test -f 'src/tests/cmocka/common_mock_krb5.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Tpo src/tests/cmocka/$(DEPDIR)/test_copy_keytab-common_mock_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_krb5.c' object='src/tests/cmocka/test_copy_keytab-common_mock_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_copy_keytab-common_mock_krb5.obj `if test -f 'src/tests/cmocka/common_mock_krb5.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_krb5.c'; fi` + +src/tests/cmocka/test_copy_keytab-test_copy_keytab.o: src/tests/cmocka/test_copy_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_copy_keytab-test_copy_keytab.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Tpo -c -o src/tests/cmocka/test_copy_keytab-test_copy_keytab.o `test -f 'src/tests/cmocka/test_copy_keytab.c' || echo 
'$(srcdir)/'`src/tests/cmocka/test_copy_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Tpo src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_copy_keytab.c' object='src/tests/cmocka/test_copy_keytab-test_copy_keytab.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_copy_keytab-test_copy_keytab.o `test -f 'src/tests/cmocka/test_copy_keytab.c' || echo '$(srcdir)/'`src/tests/cmocka/test_copy_keytab.c + +src/tests/cmocka/test_copy_keytab-test_copy_keytab.obj: src/tests/cmocka/test_copy_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_copy_keytab-test_copy_keytab.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Tpo -c -o src/tests/cmocka/test_copy_keytab-test_copy_keytab.obj `if test -f 'src/tests/cmocka/test_copy_keytab.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_copy_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_copy_keytab.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Tpo src/tests/cmocka/$(DEPDIR)/test_copy_keytab-test_copy_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_copy_keytab.c' object='src/tests/cmocka/test_copy_keytab-test_copy_keytab.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_copy_keytab-test_copy_keytab.obj `if test -f 'src/tests/cmocka/test_copy_keytab.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_copy_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_copy_keytab.c'; fi` + +src/providers/krb5/test_copy_keytab-krb5_keytab.o: src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_copy_keytab-krb5_keytab.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Tpo -c -o src/providers/krb5/test_copy_keytab-krb5_keytab.o `test -f 'src/providers/krb5/krb5_keytab.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Tpo src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_keytab.c' object='src/providers/krb5/test_copy_keytab-krb5_keytab.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_copy_keytab-krb5_keytab.o `test -f 'src/providers/krb5/krb5_keytab.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_keytab.c + +src/providers/krb5/test_copy_keytab-krb5_keytab.obj: src/providers/krb5/krb5_keytab.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_copy_keytab-krb5_keytab.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Tpo -c -o src/providers/krb5/test_copy_keytab-krb5_keytab.obj `if test -f 'src/providers/krb5/krb5_keytab.c'; then 
$(CYGPATH_W) 'src/providers/krb5/krb5_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_keytab.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Tpo src/providers/krb5/$(DEPDIR)/test_copy_keytab-krb5_keytab.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_keytab.c' object='src/providers/krb5/test_copy_keytab-krb5_keytab.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_copy_keytab-krb5_keytab.obj `if test -f 'src/providers/krb5/krb5_keytab.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_keytab.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_keytab.c'; fi` + +src/util/test_copy_keytab-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/util/test_copy_keytab-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Tpo -c -o src/util/test_copy_keytab-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Tpo src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_copy_keytab-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_keytab-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo 
'$(srcdir)/'`src/util/sss_krb5.c + +src/util/test_copy_keytab-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/util/test_copy_keytab-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Tpo -c -o src/util/test_copy_keytab-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Tpo src/util/$(DEPDIR)/test_copy_keytab-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_copy_keytab-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_keytab-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/test_copy_keytab-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/util/test_copy_keytab-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Tpo -c -o src/util/test_copy_keytab-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Tpo src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_copy_keytab-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_keytab-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/test_copy_keytab-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -MT src/util/test_copy_keytab-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Tpo -c -o src/util/test_copy_keytab-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Tpo src/util/$(DEPDIR)/test_copy_keytab-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_copy_keytab-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_copy_keytab_CFLAGS) $(CFLAGS) -c -o src/util/test_copy_keytab-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/providers/test_data_provider_be-data_provider_be.o: src/providers/data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -MT src/providers/test_data_provider_be-data_provider_be.o -MD -MP -MF src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Tpo -c -o src/providers/test_data_provider_be-data_provider_be.o `test -f 
'src/providers/data_provider_be.c' || echo '$(srcdir)/'`src/providers/data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Tpo src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_be.c' object='src/providers/test_data_provider_be-data_provider_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -c -o src/providers/test_data_provider_be-data_provider_be.o `test -f 'src/providers/data_provider_be.c' || echo '$(srcdir)/'`src/providers/data_provider_be.c + +src/providers/test_data_provider_be-data_provider_be.obj: src/providers/data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -MT src/providers/test_data_provider_be-data_provider_be.obj -MD -MP -MF src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Tpo -c -o src/providers/test_data_provider_be-data_provider_be.obj `if test -f 'src/providers/data_provider_be.c'; then $(CYGPATH_W) 'src/providers/data_provider_be.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Tpo src/providers/$(DEPDIR)/test_data_provider_be-data_provider_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider_be.c' object='src/providers/test_data_provider_be-data_provider_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -c -o src/providers/test_data_provider_be-data_provider_be.obj `if test -f 'src/providers/data_provider_be.c'; then $(CYGPATH_W) 'src/providers/data_provider_be.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider_be.c'; fi` + +src/tests/cmocka/test_data_provider_be-test_data_provider_be.o: src/tests/cmocka/test_data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_data_provider_be-test_data_provider_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Tpo -c -o src/tests/cmocka/test_data_provider_be-test_data_provider_be.o `test -f 'src/tests/cmocka/test_data_provider_be.c' || echo '$(srcdir)/'`src/tests/cmocka/test_data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Tpo src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_data_provider_be.c' object='src/tests/cmocka/test_data_provider_be-test_data_provider_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_data_provider_be-test_data_provider_be.o `test -f 'src/tests/cmocka/test_data_provider_be.c' || echo '$(srcdir)/'`src/tests/cmocka/test_data_provider_be.c + +src/tests/cmocka/test_data_provider_be-test_data_provider_be.obj: src/tests/cmocka/test_data_provider_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -MT 
src/tests/cmocka/test_data_provider_be-test_data_provider_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Tpo -c -o src/tests/cmocka/test_data_provider_be-test_data_provider_be.obj `if test -f 'src/tests/cmocka/test_data_provider_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_data_provider_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_data_provider_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Tpo src/tests/cmocka/$(DEPDIR)/test_data_provider_be-test_data_provider_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_data_provider_be.c' object='src/tests/cmocka/test_data_provider_be-test_data_provider_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_data_provider_be-test_data_provider_be.obj `if test -f 'src/tests/cmocka/test_data_provider_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_data_provider_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_data_provider_be.c'; fi` + +src/tests/cmocka/test_data_provider_be-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_data_provider_be-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Tpo -c -o src/tests/cmocka/test_data_provider_be-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Tpo 
src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_data_provider_be-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_data_provider_be-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/test_data_provider_be-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_data_provider_be-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Tpo -c -o src/tests/cmocka/test_data_provider_be-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_data_provider_be-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_data_provider_be-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_data_provider_be_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_data_provider_be-common_mock_be.obj `if test -f 
'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/providers/data_provider/test_dp_builtin-dp_modules.o: src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_modules.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_modules.o `test -f 'src/providers/data_provider/dp_modules.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_modules.c' object='src/providers/data_provider/test_dp_builtin-dp_modules.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_modules.o `test -f 'src/providers/data_provider/dp_modules.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_modules.c + +src/providers/data_provider/test_dp_builtin-dp_modules.obj: src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_modules.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_modules.obj `if test -f 
'src/providers/data_provider/dp_modules.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_modules.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_modules.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_modules.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_modules.c' object='src/providers/data_provider/test_dp_builtin-dp_modules.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_modules.obj `if test -f 'src/providers/data_provider/dp_modules.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_modules.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_modules.c'; fi` + +src/providers/data_provider/test_dp_builtin-dp_targets.o: src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_targets.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_targets.o `test -f 'src/providers/data_provider/dp_targets.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_targets.c' object='src/providers/data_provider/test_dp_builtin-dp_targets.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_targets.o `test -f 'src/providers/data_provider/dp_targets.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_targets.c + +src/providers/data_provider/test_dp_builtin-dp_targets.obj: src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_targets.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_targets.obj `if test -f 'src/providers/data_provider/dp_targets.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_targets.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_targets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_targets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_targets.c' object='src/providers/data_provider/test_dp_builtin-dp_targets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_targets.obj `if test -f 'src/providers/data_provider/dp_targets.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_targets.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_targets.c'; fi` + 
+src/providers/data_provider/test_dp_builtin-dp_methods.o: src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_methods.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_methods.o `test -f 'src/providers/data_provider/dp_methods.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_methods.c' object='src/providers/data_provider/test_dp_builtin-dp_methods.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_methods.o `test -f 'src/providers/data_provider/dp_methods.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_methods.c + +src/providers/data_provider/test_dp_builtin-dp_methods.obj: src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_methods.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_methods.obj `if test -f 'src/providers/data_provider/dp_methods.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_methods.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_methods.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_methods.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_methods.c' object='src/providers/data_provider/test_dp_builtin-dp_methods.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_methods.obj `if test -f 'src/providers/data_provider/dp_methods.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_methods.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_methods.c'; fi` + +src/providers/data_provider/test_dp_builtin-dp_builtin.o: src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_builtin.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_builtin.o `test -f 'src/providers/data_provider/dp_builtin.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_builtin.c' object='src/providers/data_provider/test_dp_builtin-dp_builtin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_builtin.o `test -f 'src/providers/data_provider/dp_builtin.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_builtin.c + +src/providers/data_provider/test_dp_builtin-dp_builtin.obj: src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_builtin-dp_builtin.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Tpo -c -o src/providers/data_provider/test_dp_builtin-dp_builtin.obj `if test -f 'src/providers/data_provider/dp_builtin.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_builtin.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_builtin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_builtin-dp_builtin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_builtin.c' object='src/providers/data_provider/test_dp_builtin-dp_builtin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_builtin-dp_builtin.obj `if test -f 'src/providers/data_provider/dp_builtin.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_builtin.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_builtin.c'; fi` + +src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.o: src/tests/cmocka/data_provider/mock_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) 
$(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.o -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Tpo -c -o src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.o `test -f 'src/tests/cmocka/data_provider/mock_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/mock_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/mock_dp.c' object='src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.o `test -f 'src/tests/cmocka/data_provider/mock_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/mock_dp.c + +src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.obj: src/tests/cmocka/data_provider/mock_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.obj -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Tpo -c -o src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.obj `if test -f 'src/tests/cmocka/data_provider/mock_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/mock_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/mock_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-mock_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/cmocka/data_provider/mock_dp.c' object='src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_builtin-mock_dp.obj `if test -f 'src/tests/cmocka/data_provider/mock_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/mock_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/mock_dp.c'; fi` + +src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.o: src/tests/cmocka/data_provider/test_dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.o -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Tpo -c -o src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.o `test -f 'src/tests/cmocka/data_provider/test_dp_builtin.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/test_dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/test_dp_builtin.c' object='src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.o 
`test -f 'src/tests/cmocka/data_provider/test_dp_builtin.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/test_dp_builtin.c + +src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.obj: src/tests/cmocka/data_provider/test_dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.obj -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Tpo -c -o src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.obj `if test -f 'src/tests/cmocka/data_provider/test_dp_builtin.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/test_dp_builtin.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/test_dp_builtin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_builtin-test_dp_builtin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/test_dp_builtin.c' object='src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_builtin-test_dp_builtin.obj `if test -f 'src/tests/cmocka/data_provider/test_dp_builtin.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/test_dp_builtin.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/test_dp_builtin.c'; fi` + +src/tests/cmocka/test_dp_builtin-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) 
$(CFLAGS) -MT src/tests/cmocka/test_dp_builtin-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Tpo -c -o src/tests/cmocka/test_dp_builtin-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_dp_builtin-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_dp_builtin-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/test_dp_builtin-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_dp_builtin-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Tpo -c -o src/tests/cmocka/test_dp_builtin-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_dp_builtin-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_dp_builtin-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_builtin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_dp_builtin-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/providers/data_provider/test_dp_request-dp_request.o: src/providers/data_provider/dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_request.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Tpo -c -o src/providers/data_provider/test_dp_request-dp_request.o `test -f 'src/providers/data_provider/dp_request.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request.c' object='src/providers/data_provider/test_dp_request-dp_request.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_request.o `test -f 'src/providers/data_provider/dp_request.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request.c + +src/providers/data_provider/test_dp_request-dp_request.obj: src/providers/data_provider/dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_request.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Tpo -c -o src/providers/data_provider/test_dp_request-dp_request.obj `if test -f 'src/providers/data_provider/dp_request.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_request.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_request.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request.c' object='src/providers/data_provider/test_dp_request-dp_request.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_request.obj `if test -f 'src/providers/data_provider/dp_request.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_request.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_request.c'; fi` + +src/providers/data_provider/test_dp_request-dp_modules.o: src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_modules.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Tpo -c -o src/providers/data_provider/test_dp_request-dp_modules.o `test -f 'src/providers/data_provider/dp_modules.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_modules.c' object='src/providers/data_provider/test_dp_request-dp_modules.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_modules.o `test -f 'src/providers/data_provider/dp_modules.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_modules.c + +src/providers/data_provider/test_dp_request-dp_modules.obj: src/providers/data_provider/dp_modules.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_modules.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Tpo -c -o src/providers/data_provider/test_dp_request-dp_modules.obj `if test -f 'src/providers/data_provider/dp_modules.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_modules.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_modules.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_modules.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_modules.c' object='src/providers/data_provider/test_dp_request-dp_modules.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_modules.obj `if test -f 'src/providers/data_provider/dp_modules.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_modules.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_modules.c'; fi` + +src/providers/data_provider/test_dp_request-dp_targets.o: src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_targets.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Tpo -c -o src/providers/data_provider/test_dp_request-dp_targets.o `test -f 'src/providers/data_provider/dp_targets.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_targets.c' object='src/providers/data_provider/test_dp_request-dp_targets.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_targets.o `test -f 'src/providers/data_provider/dp_targets.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_targets.c + +src/providers/data_provider/test_dp_request-dp_targets.obj: src/providers/data_provider/dp_targets.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_targets.obj -MD -MP -MF 
src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Tpo -c -o src/providers/data_provider/test_dp_request-dp_targets.obj `if test -f 'src/providers/data_provider/dp_targets.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_targets.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_targets.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_targets.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_targets.c' object='src/providers/data_provider/test_dp_request-dp_targets.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_targets.obj `if test -f 'src/providers/data_provider/dp_targets.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_targets.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_targets.c'; fi` + +src/providers/data_provider/test_dp_request-dp_methods.o: src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_methods.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Tpo -c -o src/providers/data_provider/test_dp_request-dp_methods.o `test -f 'src/providers/data_provider/dp_methods.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/data_provider/dp_methods.c' object='src/providers/data_provider/test_dp_request-dp_methods.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_methods.o `test -f 'src/providers/data_provider/dp_methods.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_methods.c + +src/providers/data_provider/test_dp_request-dp_methods.obj: src/providers/data_provider/dp_methods.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_methods.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Tpo -c -o src/providers/data_provider/test_dp_request-dp_methods.obj `if test -f 'src/providers/data_provider/dp_methods.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_methods.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_methods.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_methods.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_methods.c' object='src/providers/data_provider/test_dp_request-dp_methods.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_methods.obj `if test -f 'src/providers/data_provider/dp_methods.c'; then $(CYGPATH_W) 
'src/providers/data_provider/dp_methods.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_methods.c'; fi` + +src/providers/data_provider/test_dp_request-dp_builtin.o: src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_builtin.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Tpo -c -o src/providers/data_provider/test_dp_request-dp_builtin.o `test -f 'src/providers/data_provider/dp_builtin.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_builtin.c' object='src/providers/data_provider/test_dp_request-dp_builtin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_builtin.o `test -f 'src/providers/data_provider/dp_builtin.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_builtin.c + +src/providers/data_provider/test_dp_request-dp_builtin.obj: src/providers/data_provider/dp_builtin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request-dp_builtin.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Tpo -c -o src/providers/data_provider/test_dp_request-dp_builtin.obj `if test -f 'src/providers/data_provider/dp_builtin.c'; then 
$(CYGPATH_W) 'src/providers/data_provider/dp_builtin.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_builtin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request-dp_builtin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_builtin.c' object='src/providers/data_provider/test_dp_request-dp_builtin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request-dp_builtin.obj `if test -f 'src/providers/data_provider/dp_builtin.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_builtin.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_builtin.c'; fi` + +src/tests/cmocka/data_provider/test_dp_request-mock_dp.o: src/tests/cmocka/data_provider/mock_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_request-mock_dp.o -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Tpo -c -o src/tests/cmocka/data_provider/test_dp_request-mock_dp.o `test -f 'src/tests/cmocka/data_provider/mock_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/mock_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/mock_dp.c' object='src/tests/cmocka/data_provider/test_dp_request-mock_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_request-mock_dp.o `test -f 'src/tests/cmocka/data_provider/mock_dp.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/mock_dp.c + +src/tests/cmocka/data_provider/test_dp_request-mock_dp.obj: src/tests/cmocka/data_provider/mock_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_request-mock_dp.obj -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Tpo -c -o src/tests/cmocka/data_provider/test_dp_request-mock_dp.obj `if test -f 'src/tests/cmocka/data_provider/mock_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/mock_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/mock_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-mock_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/mock_dp.c' object='src/tests/cmocka/data_provider/test_dp_request-mock_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_request-mock_dp.obj `if test -f 'src/tests/cmocka/data_provider/mock_dp.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/mock_dp.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/mock_dp.c'; fi` + +src/tests/cmocka/data_provider/test_dp_request-test_dp_request.o: 
src/tests/cmocka/data_provider/test_dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_request-test_dp_request.o -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Tpo -c -o src/tests/cmocka/data_provider/test_dp_request-test_dp_request.o `test -f 'src/tests/cmocka/data_provider/test_dp_request.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/test_dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/test_dp_request.c' object='src/tests/cmocka/data_provider/test_dp_request-test_dp_request.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_request-test_dp_request.o `test -f 'src/tests/cmocka/data_provider/test_dp_request.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/test_dp_request.c + +src/tests/cmocka/data_provider/test_dp_request-test_dp_request.obj: src/tests/cmocka/data_provider/test_dp_request.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_request-test_dp_request.obj -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Tpo -c -o src/tests/cmocka/data_provider/test_dp_request-test_dp_request.obj `if test -f 'src/tests/cmocka/data_provider/test_dp_request.c'; then $(CYGPATH_W) 
'src/tests/cmocka/data_provider/test_dp_request.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/test_dp_request.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request-test_dp_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/test_dp_request.c' object='src/tests/cmocka/data_provider/test_dp_request-test_dp_request.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_request-test_dp_request.obj `if test -f 'src/tests/cmocka/data_provider/test_dp_request.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/test_dp_request.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/test_dp_request.c'; fi` + +src/tests/cmocka/test_dp_request-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_dp_request-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Tpo -c -o src/tests/cmocka/test_dp_request-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_dp_request-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_dp_request-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/test_dp_request-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_dp_request-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Tpo -c -o src/tests/cmocka/test_dp_request-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_dp_request-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_dp_request-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_dp_request-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/providers/data_provider/test_dp_request_table-dp_request_table.o: src/providers/data_provider/dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_dp_request_table_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request_table-dp_request_table.o -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Tpo -c -o src/providers/data_provider/test_dp_request_table-dp_request_table.o `test -f 'src/providers/data_provider/dp_request_table.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request_table.c' object='src/providers/data_provider/test_dp_request_table-dp_request_table.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request_table-dp_request_table.o `test -f 'src/providers/data_provider/dp_request_table.c' || echo '$(srcdir)/'`src/providers/data_provider/dp_request_table.c + +src/providers/data_provider/test_dp_request_table-dp_request_table.obj: src/providers/data_provider/dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -MT src/providers/data_provider/test_dp_request_table-dp_request_table.obj -MD -MP -MF src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Tpo -c -o src/providers/data_provider/test_dp_request_table-dp_request_table.obj `if test -f 'src/providers/data_provider/dp_request_table.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_request_table.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_request_table.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Tpo src/providers/data_provider/$(DEPDIR)/test_dp_request_table-dp_request_table.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/data_provider/dp_request_table.c' object='src/providers/data_provider/test_dp_request_table-dp_request_table.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -c -o src/providers/data_provider/test_dp_request_table-dp_request_table.obj `if test -f 'src/providers/data_provider/dp_request_table.c'; then $(CYGPATH_W) 'src/providers/data_provider/dp_request_table.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/data_provider/dp_request_table.c'; fi` + +src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.o: src/tests/cmocka/data_provider/test_dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.o -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Tpo -c -o src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.o `test -f 'src/tests/cmocka/data_provider/test_dp_request_table.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/test_dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/test_dp_request_table.c' 
object='src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.o `test -f 'src/tests/cmocka/data_provider/test_dp_request_table.c' || echo '$(srcdir)/'`src/tests/cmocka/data_provider/test_dp_request_table.c + +src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.obj: src/tests/cmocka/data_provider/test_dp_request_table.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.obj -MD -MP -MF src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Tpo -c -o src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.obj `if test -f 'src/tests/cmocka/data_provider/test_dp_request_table.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/test_dp_request_table.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/test_dp_request_table.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Tpo src/tests/cmocka/data_provider/$(DEPDIR)/test_dp_request_table-test_dp_request_table.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/data_provider/test_dp_request_table.c' object='src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_dp_request_table_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/data_provider/test_dp_request_table-test_dp_request_table.obj `if test -f 'src/tests/cmocka/data_provider/test_dp_request_table.c'; then $(CYGPATH_W) 'src/tests/cmocka/data_provider/test_dp_request_table.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/data_provider/test_dp_request_table.c'; fi` + +src/tests/cmocka/test_fo_srv-test_fo_srv.o: src/tests/cmocka/test_fo_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_fo_srv-test_fo_srv.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Tpo -c -o src/tests/cmocka/test_fo_srv-test_fo_srv.o `test -f 'src/tests/cmocka/test_fo_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_fo_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Tpo src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_fo_srv.c' object='src/tests/cmocka/test_fo_srv-test_fo_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_fo_srv-test_fo_srv.o `test -f 'src/tests/cmocka/test_fo_srv.c' || echo '$(srcdir)/'`src/tests/cmocka/test_fo_srv.c + +src/tests/cmocka/test_fo_srv-test_fo_srv.obj: src/tests/cmocka/test_fo_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_fo_srv-test_fo_srv.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Tpo -c -o src/tests/cmocka/test_fo_srv-test_fo_srv.obj `if test -f 
'src/tests/cmocka/test_fo_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_fo_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_fo_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Tpo src/tests/cmocka/$(DEPDIR)/test_fo_srv-test_fo_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_fo_srv.c' object='src/tests/cmocka/test_fo_srv-test_fo_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_fo_srv-test_fo_srv.obj `if test -f 'src/tests/cmocka/test_fo_srv.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_fo_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_fo_srv.c'; fi` + +src/providers/test_fo_srv-fail_over.o: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -MT src/providers/test_fo_srv-fail_over.o -MD -MP -MF src/providers/$(DEPDIR)/test_fo_srv-fail_over.Tpo -c -o src/providers/test_fo_srv-fail_over.o `test -f 'src/providers/fail_over.c' || echo '$(srcdir)/'`src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_fo_srv-fail_over.Tpo src/providers/$(DEPDIR)/test_fo_srv-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/test_fo_srv-fail_over.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -c -o src/providers/test_fo_srv-fail_over.o `test -f 'src/providers/fail_over.c' || echo 
'$(srcdir)/'`src/providers/fail_over.c + +src/providers/test_fo_srv-fail_over.obj: src/providers/fail_over.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -MT src/providers/test_fo_srv-fail_over.obj -MD -MP -MF src/providers/$(DEPDIR)/test_fo_srv-fail_over.Tpo -c -o src/providers/test_fo_srv-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_fo_srv-fail_over.Tpo src/providers/$(DEPDIR)/test_fo_srv-fail_over.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over.c' object='src/providers/test_fo_srv-fail_over.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -c -o src/providers/test_fo_srv-fail_over.obj `if test -f 'src/providers/fail_over.c'; then $(CYGPATH_W) 'src/providers/fail_over.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over.c'; fi` + +src/providers/test_fo_srv-fail_over_srv.o: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -MT src/providers/test_fo_srv-fail_over_srv.o -MD -MP -MF src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Tpo -c -o src/providers/test_fo_srv-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Tpo src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' 
object='src/providers/test_fo_srv-fail_over_srv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -c -o src/providers/test_fo_srv-fail_over_srv.o `test -f 'src/providers/fail_over_srv.c' || echo '$(srcdir)/'`src/providers/fail_over_srv.c + +src/providers/test_fo_srv-fail_over_srv.obj: src/providers/fail_over_srv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -MT src/providers/test_fo_srv-fail_over_srv.obj -MD -MP -MF src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Tpo -c -o src/providers/test_fo_srv-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Tpo src/providers/$(DEPDIR)/test_fo_srv-fail_over_srv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/fail_over_srv.c' object='src/providers/test_fo_srv-fail_over_srv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_fo_srv_CFLAGS) $(CFLAGS) -c -o src/providers/test_fo_srv-fail_over_srv.obj `if test -f 'src/providers/fail_over_srv.c'; then $(CYGPATH_W) 'src/providers/fail_over_srv.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/fail_over_srv.c'; fi` + +src/util/test_inotify-inotify.o: src/util/inotify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -MT src/util/test_inotify-inotify.o 
-MD -MP -MF src/util/$(DEPDIR)/test_inotify-inotify.Tpo -c -o src/util/test_inotify-inotify.o `test -f 'src/util/inotify.c' || echo '$(srcdir)/'`src/util/inotify.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_inotify-inotify.Tpo src/util/$(DEPDIR)/test_inotify-inotify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/inotify.c' object='src/util/test_inotify-inotify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -c -o src/util/test_inotify-inotify.o `test -f 'src/util/inotify.c' || echo '$(srcdir)/'`src/util/inotify.c + +src/util/test_inotify-inotify.obj: src/util/inotify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -MT src/util/test_inotify-inotify.obj -MD -MP -MF src/util/$(DEPDIR)/test_inotify-inotify.Tpo -c -o src/util/test_inotify-inotify.obj `if test -f 'src/util/inotify.c'; then $(CYGPATH_W) 'src/util/inotify.c'; else $(CYGPATH_W) '$(srcdir)/src/util/inotify.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_inotify-inotify.Tpo src/util/$(DEPDIR)/test_inotify-inotify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/inotify.c' object='src/util/test_inotify-inotify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -c -o src/util/test_inotify-inotify.obj `if test -f 'src/util/inotify.c'; then $(CYGPATH_W) 'src/util/inotify.c'; else $(CYGPATH_W) '$(srcdir)/src/util/inotify.c'; fi` + +src/tests/cmocka/test_inotify-test_inotify.o: 
src/tests/cmocka/test_inotify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_inotify-test_inotify.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Tpo -c -o src/tests/cmocka/test_inotify-test_inotify.o `test -f 'src/tests/cmocka/test_inotify.c' || echo '$(srcdir)/'`src/tests/cmocka/test_inotify.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Tpo src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_inotify.c' object='src/tests/cmocka/test_inotify-test_inotify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_inotify-test_inotify.o `test -f 'src/tests/cmocka/test_inotify.c' || echo '$(srcdir)/'`src/tests/cmocka/test_inotify.c + +src/tests/cmocka/test_inotify-test_inotify.obj: src/tests/cmocka/test_inotify.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_inotify-test_inotify.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Tpo -c -o src/tests/cmocka/test_inotify-test_inotify.obj `if test -f 'src/tests/cmocka/test_inotify.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_inotify.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_inotify.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Tpo src/tests/cmocka/$(DEPDIR)/test_inotify-test_inotify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_inotify.c' 
object='src/tests/cmocka/test_inotify-test_inotify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_inotify_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_inotify-test_inotify.obj `if test -f 'src/tests/cmocka/test_inotify.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_inotify.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_inotify.c'; fi` + +src/util/test_iobuf-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -MT src/util/test_iobuf-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Tpo -c -o src/util/test_iobuf-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Tpo src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_iobuf-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -c -o src/util/test_iobuf-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/test_iobuf-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -MT src/util/test_iobuf-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Tpo -c -o src/util/test_iobuf-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) 
'$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Tpo src/util/$(DEPDIR)/test_iobuf-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_iobuf-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -c -o src/util/test_iobuf-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/tests/cmocka/test_iobuf-test_iobuf.o: src/tests/cmocka/test_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_iobuf-test_iobuf.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Tpo -c -o src/tests/cmocka/test_iobuf-test_iobuf.o `test -f 'src/tests/cmocka/test_iobuf.c' || echo '$(srcdir)/'`src/tests/cmocka/test_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Tpo src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_iobuf.c' object='src/tests/cmocka/test_iobuf-test_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_iobuf-test_iobuf.o `test -f 'src/tests/cmocka/test_iobuf.c' || echo '$(srcdir)/'`src/tests/cmocka/test_iobuf.c + +src/tests/cmocka/test_iobuf-test_iobuf.obj: src/tests/cmocka/test_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_iobuf-test_iobuf.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Tpo -c -o src/tests/cmocka/test_iobuf-test_iobuf.obj `if test -f 'src/tests/cmocka/test_iobuf.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Tpo src/tests/cmocka/$(DEPDIR)/test_iobuf-test_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_iobuf.c' object='src/tests/cmocka/test_iobuf-test_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_iobuf_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_iobuf-test_iobuf.obj `if test -f 'src/tests/cmocka/test_iobuf.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_iobuf.c'; fi` + +src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.o: src/tests/cmocka/test_ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Tpo -c -o src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.o `test -f 'src/tests/cmocka/test_ipa_idmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ipa_idmap.c' object='src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.o' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.o `test -f 'src/tests/cmocka/test_ipa_idmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ipa_idmap.c + +src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.obj: src/tests/cmocka/test_ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Tpo -c -o src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.obj `if test -f 'src/tests/cmocka/test_ipa_idmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ipa_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ipa_idmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_idmap-test_ipa_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ipa_idmap.c' object='src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_idmap-test_ipa_idmap.obj `if test -f 'src/tests/cmocka/test_ipa_idmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ipa_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ipa_idmap.c'; fi` + +src/providers/ipa/test_ipa_idmap-ipa_idmap.o: src/providers/ipa/ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_idmap-ipa_idmap.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Tpo -c -o src/providers/ipa/test_ipa_idmap-ipa_idmap.o `test -f 'src/providers/ipa/ipa_idmap.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_idmap.c' object='src/providers/ipa/test_ipa_idmap-ipa_idmap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_idmap-ipa_idmap.o `test -f 'src/providers/ipa/ipa_idmap.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_idmap.c + +src/providers/ipa/test_ipa_idmap-ipa_idmap.obj: src/providers/ipa/ipa_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_idmap-ipa_idmap.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Tpo -c -o src/providers/ipa/test_ipa_idmap-ipa_idmap.obj `if test -f 'src/providers/ipa/ipa_idmap.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_idmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_idmap-ipa_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_idmap.c' object='src/providers/ipa/test_ipa_idmap-ipa_idmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_idmap_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_idmap-ipa_idmap.obj `if test -f 'src/providers/ipa/ipa_idmap.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_idmap.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_utils.o: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_utils.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_utils.o `test -f 'src/providers/krb5/krb5_utils.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_utils.c + +src/providers/krb5/test_ipa_subdom_server-krb5_utils.obj: src/providers/krb5/krb5_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_utils.obj -MD -MP -MF 
src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_utils.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_utils.obj `if test -f 'src/providers/krb5/krb5_utils.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_utils.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.o: src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.o `test -f 'src/providers/krb5/krb5_delayed_online_authentication.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Tpo 
src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_delayed_online_authentication.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.o `test -f 'src/providers/krb5/krb5_delayed_online_authentication.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_delayed_online_authentication.c + +src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.obj: src/providers/krb5/krb5_delayed_online_authentication.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.obj `if test -f 'src/providers/krb5/krb5_delayed_online_authentication.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_delayed_online_authentication.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_delayed_online_authentication.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_delayed_online_authentication.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_delayed_online_authentication.c' 
object='src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_delayed_online_authentication.obj `if test -f 'src/providers/krb5/krb5_delayed_online_authentication.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_delayed_online_authentication.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_delayed_online_authentication.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.o: src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.o `test -f 'src/providers/krb5/krb5_renew_tgt.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_renew_tgt.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.o `test -f 'src/providers/krb5/krb5_renew_tgt.c' || 
echo '$(srcdir)/'`src/providers/krb5/krb5_renew_tgt.c + +src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.obj: src/providers/krb5/krb5_renew_tgt.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.obj `if test -f 'src/providers/krb5/krb5_renew_tgt.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_renew_tgt.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_renew_tgt.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_renew_tgt.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_renew_tgt.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_renew_tgt.obj `if test -f 'src/providers/krb5/krb5_renew_tgt.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_renew_tgt.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_renew_tgt.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.o: src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Tpo -c -o 
src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.o `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.o `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c + +src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.obj: src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.obj `if test -f 'src/providers/krb5/krb5_wait_queue.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_wait_queue.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_wait_queue.obj `if test -f 'src/providers/krb5/krb5_wait_queue.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_wait_queue.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_common.o: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_common.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_common.o `test -f 'src/providers/krb5/krb5_common.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_common.c + +src/providers/krb5/test_ipa_subdom_server-krb5_common.obj: src/providers/krb5/krb5_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_common.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_common.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_common.obj `if test -f 'src/providers/krb5/krb5_common.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_common.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_common.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_opts.o: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_opts.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_opts.o `test -f 'src/providers/krb5/krb5_opts.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_opts.c + +src/providers/krb5/test_ipa_subdom_server-krb5_opts.obj: src/providers/krb5/krb5_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_opts.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_opts.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_opts.obj `if test -f 'src/providers/krb5/krb5_opts.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_opts.c'; else $(CYGPATH_W) 
'$(srcdir)/src/providers/krb5/krb5_opts.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_auth.o: src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_auth.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_auth.o `test -f 'src/providers/krb5/krb5_auth.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_auth.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_auth.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_auth.o `test -f 'src/providers/krb5/krb5_auth.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_auth.c + +src/providers/krb5/test_ipa_subdom_server-krb5_auth.obj: src/providers/krb5/krb5_auth.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_auth.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_auth.obj `if test -f 'src/providers/krb5/krb5_auth.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_auth.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_auth.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_auth.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_auth.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_auth.obj `if test -f 'src/providers/krb5/krb5_auth.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_auth.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_auth.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_access.o: src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_access.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_access.o `test -f 'src/providers/krb5/krb5_access.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_access.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_access.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o 
src/providers/krb5/test_ipa_subdom_server-krb5_access.o `test -f 'src/providers/krb5/krb5_access.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_access.c + +src/providers/krb5/test_ipa_subdom_server-krb5_access.obj: src/providers/krb5/krb5_access.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_access.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_access.obj `if test -f 'src/providers/krb5/krb5_access.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_access.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_access.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_access.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_access.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_access.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_access.obj `if test -f 'src/providers/krb5/krb5_access.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_access.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_access.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.o: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.o -MD -MP -MF 
src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.o `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.o `test -f 'src/providers/krb5/krb5_child_handler.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_child_handler.c + +src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.obj: src/providers/krb5/krb5_child_handler.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.obj `if test -f 'src/providers/krb5/krb5_child_handler.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child_handler.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child_handler.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_child_handler.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/providers/krb5/krb5_child_handler.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_child_handler.obj `if test -f 'src/providers/krb5/krb5_child_handler.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_child_handler.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_child_handler.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.o: src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.o `test -f 'src/providers/krb5/krb5_init_shared.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_init_shared.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.o `test -f 'src/providers/krb5/krb5_init_shared.c' 
|| echo '$(srcdir)/'`src/providers/krb5/krb5_init_shared.c + +src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.obj: src/providers/krb5/krb5_init_shared.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.obj `if test -f 'src/providers/krb5/krb5_init_shared.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_init_shared.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_init_shared.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_init_shared.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_init_shared.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_init_shared.obj `if test -f 'src/providers/krb5/krb5_init_shared.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_init_shared.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_init_shared.c'; fi` + +src/providers/krb5/test_ipa_subdom_server-krb5_ccache.o: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_ccache.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Tpo -c -o 
src/providers/krb5/test_ipa_subdom_server-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_ccache.o `test -f 'src/providers/krb5/krb5_ccache.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_ccache.c + +src/providers/krb5/test_ipa_subdom_server-krb5_ccache.obj: src/providers/krb5/krb5_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_ipa_subdom_server-krb5_ccache.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Tpo -c -o src/providers/krb5/test_ipa_subdom_server-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Tpo src/providers/krb5/$(DEPDIR)/test_ipa_subdom_server-krb5_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_ccache.c' object='src/providers/krb5/test_ipa_subdom_server-krb5_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_ipa_subdom_server-krb5_ccache.obj `if test -f 'src/providers/krb5/krb5_ccache.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_ccache.c'; fi` + +src/util/test_ipa_subdom_server-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/util/test_ipa_subdom_server-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Tpo -c -o src/util/test_ipa_subdom_server-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Tpo src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_ipa_subdom_server-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/util/test_ipa_subdom_server-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/test_ipa_subdom_server-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/util/test_ipa_subdom_server-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Tpo -c -o src/util/test_ipa_subdom_server-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else 
$(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Tpo src/util/$(DEPDIR)/test_ipa_subdom_server-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_ipa_subdom_server-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/util/test_ipa_subdom_server-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/test_ipa_subdom_server-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/util/test_ipa_subdom_server-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Tpo -c -o src/util/test_ipa_subdom_server-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Tpo src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_ipa_subdom_server-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/util/test_ipa_subdom_server-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/test_ipa_subdom_server-sss_iobuf.obj: 
src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/util/test_ipa_subdom_server-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Tpo -c -o src/util/test_ipa_subdom_server-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Tpo src/util/$(DEPDIR)/test_ipa_subdom_server-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_ipa_subdom_server-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/util/test_ipa_subdom_server-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/util/test_ipa_subdom_server-become_user.o: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/util/test_ipa_subdom_server-become_user.o -MD -MP -MF src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Tpo -c -o src/util/test_ipa_subdom_server-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Tpo src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/test_ipa_subdom_server-become_user.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/util/test_ipa_subdom_server-become_user.o `test -f 'src/util/become_user.c' || echo '$(srcdir)/'`src/util/become_user.c + +src/util/test_ipa_subdom_server-become_user.obj: src/util/become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/util/test_ipa_subdom_server-become_user.obj -MD -MP -MF src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Tpo -c -o src/util/test_ipa_subdom_server-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Tpo src/util/$(DEPDIR)/test_ipa_subdom_server-become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/become_user.c' object='src/util/test_ipa_subdom_server-become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/util/test_ipa_subdom_server-become_user.obj `if test -f 'src/util/become_user.c'; then $(CYGPATH_W) 'src/util/become_user.c'; else $(CYGPATH_W) '$(srcdir)/src/util/become_user.c'; fi` + +src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.o: src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT 
src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.o `test -f 'src/tests/cmocka/common_mock_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sdap.c' object='src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.o `test -f 'src/tests/cmocka/common_mock_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sdap.c + +src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.obj: src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.obj `if test -f 'src/tests/cmocka/common_mock_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/tests/cmocka/common_mock_sdap.c' object='src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_sdap.obj `if test -f 'src/tests/cmocka/common_mock_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sdap.c'; fi` + +src/tests/cmocka/test_ipa_subdom_server-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_ipa_subdom_server-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + 
+src/tests/cmocka/test_ipa_subdom_server-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_ipa_subdom_server-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.o: src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.o `test -f 'src/tests/cmocka/common_mock_krb5.c' || echo 
'$(srcdir)/'`src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_krb5.c' object='src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.o `test -f 'src/tests/cmocka/common_mock_krb5.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_krb5.c + +src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.obj: src/tests/cmocka/common_mock_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.obj `if test -f 'src/tests/cmocka/common_mock_krb5.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-common_mock_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_krb5.c' object='src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-common_mock_krb5.obj `if test -f 'src/tests/cmocka/common_mock_krb5.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_krb5.c'; fi` + +src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.o: src/tests/cmocka/test_ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.o `test -f 'src/tests/cmocka/test_ipa_subdomains_server.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ipa_subdomains_server.c' object='src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.o `test -f 'src/tests/cmocka/test_ipa_subdomains_server.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ipa_subdomains_server.c + +src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.obj: src/tests/cmocka/test_ipa_subdomains_server.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Tpo -c -o src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.obj `if test -f 'src/tests/cmocka/test_ipa_subdomains_server.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ipa_subdomains_server.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ipa_subdomains_server.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_server-test_ipa_subdomains_server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ipa_subdomains_server.c' object='src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_server-test_ipa_subdomains_server.obj `if test -f 'src/tests/cmocka/test_ipa_subdomains_server.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ipa_subdomains_server.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ipa_subdomains_server.c'; fi` + +src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.o: src/providers/ipa/ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Tpo -c -o 
src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.o `test -f 'src/providers/ipa/ipa_subdomains_server.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_server.c' object='src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.o `test -f 'src/providers/ipa/ipa_subdomains_server.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_server.c + +src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.obj: src/providers/ipa/ipa_subdomains_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Tpo -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.obj `if test -f 'src/providers/ipa/ipa_subdomains_server.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_subdomains_server.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_subdomains_server.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_server.c' 
object='src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_server.obj `if test -f 'src/providers/ipa/ipa_subdomains_server.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_subdomains_server.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_subdomains_server.c'; fi` + +src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.o: src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Tpo -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.o `test -f 'src/providers/ipa/ipa_subdomains_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_utils.c' object='src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.o `test -f 'src/providers/ipa/ipa_subdomains_utils.c' || echo 
'$(srcdir)/'`src/providers/ipa/ipa_subdomains_utils.c + +src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.obj: src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Tpo -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.obj `if test -f 'src/providers/ipa/ipa_subdomains_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_subdomains_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_subdomains_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_subdomains_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_utils.c' object='src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_server-ipa_subdomains_utils.obj `if test -f 'src/providers/ipa/ipa_subdomains_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_subdomains_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_subdomains_utils.c'; fi` + +src/providers/ipa/test_ipa_subdom_server-ipa_opts.o: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_server-ipa_opts.o -MD -MP -MF 
src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Tpo -c -o src/providers/ipa/test_ipa_subdom_server-ipa_opts.o `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/test_ipa_subdom_server-ipa_opts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_server-ipa_opts.o `test -f 'src/providers/ipa/ipa_opts.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_opts.c + +src/providers/ipa/test_ipa_subdom_server-ipa_opts.obj: src/providers/ipa/ipa_opts.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_server-ipa_opts.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Tpo -c -o src/providers/ipa/test_ipa_subdom_server-ipa_opts.obj `if test -f 'src/providers/ipa/ipa_opts.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_opts.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_server-ipa_opts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_opts.c' object='src/providers/ipa/test_ipa_subdom_server-ipa_opts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_server_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_server-ipa_opts.obj `if test -f 'src/providers/ipa/ipa_opts.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_opts.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_opts.c'; fi` + +src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.o: src/tests/cmocka/test_ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Tpo -c -o src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.o `test -f 'src/tests/cmocka/test_ipa_subdomains_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ipa_subdomains_utils.c' object='src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.o `test -f 'src/tests/cmocka/test_ipa_subdomains_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_ipa_subdomains_utils.c + +src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.obj: src/tests/cmocka/test_ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Tpo -c -o src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.obj `if test -f 'src/tests/cmocka/test_ipa_subdomains_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ipa_subdomains_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ipa_subdomains_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_ipa_subdom_util-test_ipa_subdomains_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_ipa_subdomains_utils.c' object='src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_ipa_subdom_util-test_ipa_subdomains_utils.obj `if test -f 'src/tests/cmocka/test_ipa_subdomains_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_ipa_subdomains_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_ipa_subdomains_utils.c'; fi` + +src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.o: src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Tpo -c -o src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.o `test -f 'src/providers/ipa/ipa_subdomains_utils.c' || echo 
'$(srcdir)/'`src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_utils.c' object='src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.o `test -f 'src/providers/ipa/ipa_subdomains_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_subdomains_utils.c + +src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.obj: src/providers/ipa/ipa_subdomains_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Tpo -c -o src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.obj `if test -f 'src/providers/ipa/ipa_subdomains_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_subdomains_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_subdomains_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Tpo src/providers/ipa/$(DEPDIR)/test_ipa_subdom_util-ipa_subdomains_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_subdomains_utils.c' object='src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ipa_subdom_util_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_ipa_subdom_util-ipa_subdomains_utils.obj `if test -f 'src/providers/ipa/ipa_subdomains_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_subdomains_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_subdomains_utils.c'; fi` + +src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.o: src/tests/cmocka/test_kcm_json_marshalling.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Tpo -c -o src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.o `test -f 'src/tests/cmocka/test_kcm_json_marshalling.c' || echo '$(srcdir)/'`src/tests/cmocka/test_kcm_json_marshalling.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Tpo src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_kcm_json_marshalling.c' object='src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.o `test -f 'src/tests/cmocka/test_kcm_json_marshalling.c' || echo '$(srcdir)/'`src/tests/cmocka/test_kcm_json_marshalling.c + +src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.obj: src/tests/cmocka/test_kcm_json_marshalling.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Tpo -c -o src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.obj `if test -f 'src/tests/cmocka/test_kcm_json_marshalling.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_kcm_json_marshalling.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_kcm_json_marshalling.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Tpo src/tests/cmocka/$(DEPDIR)/test_kcm_json-test_kcm_json_marshalling.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_kcm_json_marshalling.c' object='src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_kcm_json-test_kcm_json_marshalling.obj `if test -f 'src/tests/cmocka/test_kcm_json_marshalling.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_kcm_json_marshalling.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_kcm_json_marshalling.c'; fi` + +src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.o: src/responder/kcm/kcmsrv_ccache_json.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Tpo -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.o `test -f 'src/responder/kcm/kcmsrv_ccache_json.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_json.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Tpo src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_json.c' object='src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.o `test -f 'src/responder/kcm/kcmsrv_ccache_json.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache_json.c + +src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.obj: src/responder/kcm/kcmsrv_ccache_json.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Tpo -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_json.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_json.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_json.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Tpo src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache_json.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache_json.c' object='src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o 
src/responder/kcm/test_kcm_json-kcmsrv_ccache_json.obj `if test -f 'src/responder/kcm/kcmsrv_ccache_json.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache_json.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache_json.c'; fi` + +src/responder/kcm/test_kcm_json-kcmsrv_ccache.o: src/responder/kcm/kcmsrv_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/responder/kcm/test_kcm_json-kcmsrv_ccache.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Tpo -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache.o `test -f 'src/responder/kcm/kcmsrv_ccache.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Tpo src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache.c' object='src/responder/kcm/test_kcm_json-kcmsrv_ccache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache.o `test -f 'src/responder/kcm/kcmsrv_ccache.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_ccache.c + +src/responder/kcm/test_kcm_json-kcmsrv_ccache.obj: src/responder/kcm/kcmsrv_ccache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/responder/kcm/test_kcm_json-kcmsrv_ccache.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Tpo -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache.obj `if test -f 'src/responder/kcm/kcmsrv_ccache.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache.c'; else 
$(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Tpo src/responder/kcm/$(DEPDIR)/test_kcm_json-kcmsrv_ccache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_ccache.c' object='src/responder/kcm/test_kcm_json-kcmsrv_ccache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/test_kcm_json-kcmsrv_ccache.obj `if test -f 'src/responder/kcm/kcmsrv_ccache.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_ccache.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_ccache.c'; fi` + +src/util/test_kcm_json-sss_krb5.o: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/util/test_kcm_json-sss_krb5.o -MD -MP -MF src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Tpo -c -o src/util/test_kcm_json-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Tpo src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_kcm_json-sss_krb5.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/util/test_kcm_json-sss_krb5.o `test -f 'src/util/sss_krb5.c' || echo '$(srcdir)/'`src/util/sss_krb5.c + +src/util/test_kcm_json-sss_krb5.obj: src/util/sss_krb5.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/util/test_kcm_json-sss_krb5.obj -MD -MP -MF src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Tpo -c -o src/util/test_kcm_json-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Tpo src/util/$(DEPDIR)/test_kcm_json-sss_krb5.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_krb5.c' object='src/util/test_kcm_json-sss_krb5.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/util/test_kcm_json-sss_krb5.obj `if test -f 'src/util/sss_krb5.c'; then $(CYGPATH_W) 'src/util/sss_krb5.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_krb5.c'; fi` + +src/util/test_kcm_json-sss_iobuf.o: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/util/test_kcm_json-sss_iobuf.o -MD -MP -MF src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Tpo -c -o src/util/test_kcm_json-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Tpo src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_kcm_json-sss_iobuf.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/util/test_kcm_json-sss_iobuf.o `test -f 'src/util/sss_iobuf.c' || echo '$(srcdir)/'`src/util/sss_iobuf.c + +src/util/test_kcm_json-sss_iobuf.obj: src/util/sss_iobuf.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -MT src/util/test_kcm_json-sss_iobuf.obj -MD -MP -MF src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Tpo -c -o src/util/test_kcm_json-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Tpo src/util/$(DEPDIR)/test_kcm_json-sss_iobuf.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/util/sss_iobuf.c' object='src/util/test_kcm_json-sss_iobuf.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_json_CFLAGS) $(CFLAGS) -c -o src/util/test_kcm_json-sss_iobuf.obj `if test -f 'src/util/sss_iobuf.c'; then $(CYGPATH_W) 'src/util/sss_iobuf.c'; else $(CYGPATH_W) '$(srcdir)/src/util/sss_iobuf.c'; fi` + +src/tests/cmocka/test_kcm_queue-test_kcm_queue.o: src/tests/cmocka/test_kcm_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_kcm_queue-test_kcm_queue.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Tpo -c -o src/tests/cmocka/test_kcm_queue-test_kcm_queue.o `test -f 'src/tests/cmocka/test_kcm_queue.c' || echo '$(srcdir)/'`src/tests/cmocka/test_kcm_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Tpo 
src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_kcm_queue.c' object='src/tests/cmocka/test_kcm_queue-test_kcm_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_kcm_queue-test_kcm_queue.o `test -f 'src/tests/cmocka/test_kcm_queue.c' || echo '$(srcdir)/'`src/tests/cmocka/test_kcm_queue.c + +src/tests/cmocka/test_kcm_queue-test_kcm_queue.obj: src/tests/cmocka/test_kcm_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_kcm_queue-test_kcm_queue.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Tpo -c -o src/tests/cmocka/test_kcm_queue-test_kcm_queue.obj `if test -f 'src/tests/cmocka/test_kcm_queue.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_kcm_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_kcm_queue.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Tpo src/tests/cmocka/$(DEPDIR)/test_kcm_queue-test_kcm_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_kcm_queue.c' object='src/tests/cmocka/test_kcm_queue-test_kcm_queue.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_kcm_queue-test_kcm_queue.obj `if test -f 'src/tests/cmocka/test_kcm_queue.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_kcm_queue.c'; else $(CYGPATH_W) 
'$(srcdir)/src/tests/cmocka/test_kcm_queue.c'; fi` + +src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.o: src/responder/kcm/kcmsrv_op_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -MT src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.o -MD -MP -MF src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Tpo -c -o src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.o `test -f 'src/responder/kcm/kcmsrv_op_queue.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_op_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Tpo src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_op_queue.c' object='src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.o `test -f 'src/responder/kcm/kcmsrv_op_queue.c' || echo '$(srcdir)/'`src/responder/kcm/kcmsrv_op_queue.c + +src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.obj: src/responder/kcm/kcmsrv_op_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -MT src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.obj -MD -MP -MF src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Tpo -c -o src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.obj `if test -f 'src/responder/kcm/kcmsrv_op_queue.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_op_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_op_queue.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Tpo src/responder/kcm/$(DEPDIR)/test_kcm_queue-kcmsrv_op_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/responder/kcm/kcmsrv_op_queue.c' object='src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_kcm_queue_CFLAGS) $(CFLAGS) -c -o src/responder/kcm/test_kcm_queue-kcmsrv_op_queue.obj `if test -f 'src/responder/kcm/kcmsrv_op_queue.c'; then $(CYGPATH_W) 'src/responder/kcm/kcmsrv_op_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/responder/kcm/kcmsrv_op_queue.c'; fi` + +src/tests/cmocka/test_krb5_wait_queue-common_mock_be.o: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_krb5_wait_queue-common_mock_be.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Tpo -c -o src/tests/cmocka/test_krb5_wait_queue-common_mock_be.o `test -f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_krb5_wait_queue-common_mock_be.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_krb5_wait_queue-common_mock_be.o `test 
-f 'src/tests/cmocka/common_mock_be.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_be.c + +src/tests/cmocka/test_krb5_wait_queue-common_mock_be.obj: src/tests/cmocka/common_mock_be.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_krb5_wait_queue-common_mock_be.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Tpo -c -o src/tests/cmocka/test_krb5_wait_queue-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Tpo src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-common_mock_be.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_be.c' object='src/tests/cmocka/test_krb5_wait_queue-common_mock_be.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_krb5_wait_queue-common_mock_be.obj `if test -f 'src/tests/cmocka/common_mock_be.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_be.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_be.c'; fi` + +src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.o: src/tests/cmocka/test_krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Tpo -c -o 
src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.o `test -f 'src/tests/cmocka/test_krb5_wait_queue.c' || echo '$(srcdir)/'`src/tests/cmocka/test_krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Tpo src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_krb5_wait_queue.c' object='src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.o `test -f 'src/tests/cmocka/test_krb5_wait_queue.c' || echo '$(srcdir)/'`src/tests/cmocka/test_krb5_wait_queue.c + +src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.obj: src/tests/cmocka/test_krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Tpo -c -o src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.obj `if test -f 'src/tests/cmocka/test_krb5_wait_queue.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_krb5_wait_queue.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Tpo src/tests/cmocka/$(DEPDIR)/test_krb5_wait_queue-test_krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_krb5_wait_queue.c' object='src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_krb5_wait_queue-test_krb5_wait_queue.obj `if test -f 'src/tests/cmocka/test_krb5_wait_queue.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_krb5_wait_queue.c'; fi` + +src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.o: src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.o -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Tpo -c -o src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.o `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.o `test -f 'src/providers/krb5/krb5_wait_queue.c' || echo '$(srcdir)/'`src/providers/krb5/krb5_wait_queue.c + +src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.obj: src/providers/krb5/krb5_wait_queue.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -MT src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.obj -MD -MP -MF src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Tpo -c -o src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.obj `if test -f 'src/providers/krb5/krb5_wait_queue.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_wait_queue.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Tpo src/providers/krb5/$(DEPDIR)/test_krb5_wait_queue-krb5_wait_queue.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/krb5/krb5_wait_queue.c' object='src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_krb5_wait_queue_CFLAGS) $(CFLAGS) -c -o src/providers/krb5/test_krb5_wait_queue-krb5_wait_queue.obj `if test -f 'src/providers/krb5/krb5_wait_queue.c'; then $(CYGPATH_W) 'src/providers/krb5/krb5_wait_queue.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/krb5/krb5_wait_queue.c'; fi` + +src/tests/cmocka/test_resolv_fake-test_resolv_fake.o: src/tests/cmocka/test_resolv_fake.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_resolv_fake-test_resolv_fake.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Tpo -c -o src/tests/cmocka/test_resolv_fake-test_resolv_fake.o `test -f 'src/tests/cmocka/test_resolv_fake.c' || echo '$(srcdir)/'`src/tests/cmocka/test_resolv_fake.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Tpo src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_resolv_fake.c' object='src/tests/cmocka/test_resolv_fake-test_resolv_fake.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_resolv_fake-test_resolv_fake.o `test -f 'src/tests/cmocka/test_resolv_fake.c' || echo '$(srcdir)/'`src/tests/cmocka/test_resolv_fake.c + +src/tests/cmocka/test_resolv_fake-test_resolv_fake.obj: src/tests/cmocka/test_resolv_fake.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_resolv_fake-test_resolv_fake.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Tpo -c -o src/tests/cmocka/test_resolv_fake-test_resolv_fake.obj `if test -f 'src/tests/cmocka/test_resolv_fake.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_resolv_fake.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_resolv_fake.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Tpo src/tests/cmocka/$(DEPDIR)/test_resolv_fake-test_resolv_fake.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_resolv_fake.c' object='src/tests/cmocka/test_resolv_fake-test_resolv_fake.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_resolv_fake-test_resolv_fake.obj `if 
test -f 'src/tests/cmocka/test_resolv_fake.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_resolv_fake.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_resolv_fake.c'; fi` + +src/resolv/test_resolv_fake-async_resolv.o: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -MT src/resolv/test_resolv_fake-async_resolv.o -MD -MP -MF src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Tpo -c -o src/resolv/test_resolv_fake-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Tpo src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/test_resolv_fake-async_resolv.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -c -o src/resolv/test_resolv_fake-async_resolv.o `test -f 'src/resolv/async_resolv.c' || echo '$(srcdir)/'`src/resolv/async_resolv.c + +src/resolv/test_resolv_fake-async_resolv.obj: src/resolv/async_resolv.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -MT src/resolv/test_resolv_fake-async_resolv.obj -MD -MP -MF src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Tpo -c -o src/resolv/test_resolv_fake-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Tpo 
src/resolv/$(DEPDIR)/test_resolv_fake-async_resolv.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/resolv/async_resolv.c' object='src/resolv/test_resolv_fake-async_resolv.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_resolv_fake_CFLAGS) $(CFLAGS) -c -o src/resolv/test_resolv_fake-async_resolv.obj `if test -f 'src/resolv/async_resolv.c'; then $(CYGPATH_W) 'src/resolv/async_resolv.c'; else $(CYGPATH_W) '$(srcdir)/src/resolv/async_resolv.c'; fi` + +src/tests/cmocka/test_sbus_opath-test_sbus_opath.o: src/tests/cmocka/test_sbus_opath.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sbus_opath_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sbus_opath-test_sbus_opath.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Tpo -c -o src/tests/cmocka/test_sbus_opath-test_sbus_opath.o `test -f 'src/tests/cmocka/test_sbus_opath.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sbus_opath.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Tpo src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sbus_opath.c' object='src/tests/cmocka/test_sbus_opath-test_sbus_opath.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sbus_opath_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sbus_opath-test_sbus_opath.o `test -f 'src/tests/cmocka/test_sbus_opath.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sbus_opath.c + +src/tests/cmocka/test_sbus_opath-test_sbus_opath.obj: 
src/tests/cmocka/test_sbus_opath.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sbus_opath_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sbus_opath-test_sbus_opath.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Tpo -c -o src/tests/cmocka/test_sbus_opath-test_sbus_opath.obj `if test -f 'src/tests/cmocka/test_sbus_opath.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sbus_opath.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sbus_opath.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Tpo src/tests/cmocka/$(DEPDIR)/test_sbus_opath-test_sbus_opath.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sbus_opath.c' object='src/tests/cmocka/test_sbus_opath-test_sbus_opath.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sbus_opath_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sbus_opath-test_sbus_opath.obj `if test -f 'src/tests/cmocka/test_sbus_opath.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sbus_opath.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sbus_opath.c'; fi` + +src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.o: src/tests/cmocka/test_sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Tpo -c -o src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.o `test -f 'src/tests/cmocka/test_sdap_certmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sdap_certmap.c' object='src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.o `test -f 'src/tests/cmocka/test_sdap_certmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sdap_certmap.c + +src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.obj: src/tests/cmocka/test_sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Tpo -c -o src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.obj `if test -f 'src/tests/cmocka/test_sdap_certmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sdap_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sdap_certmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_certmap-test_sdap_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sdap_certmap.c' object='src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -c -o 
src/tests/cmocka/test_sdap_certmap-test_sdap_certmap.obj `if test -f 'src/tests/cmocka/test_sdap_certmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sdap_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sdap_certmap.c'; fi` + +src/providers/ldap/test_sdap_certmap-sdap_certmap.o: src/providers/ldap/sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -MT src/providers/ldap/test_sdap_certmap-sdap_certmap.o -MD -MP -MF src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Tpo -c -o src/providers/ldap/test_sdap_certmap-sdap_certmap.o `test -f 'src/providers/ldap/sdap_certmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Tpo src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_certmap.c' object='src/providers/ldap/test_sdap_certmap-sdap_certmap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/test_sdap_certmap-sdap_certmap.o `test -f 'src/providers/ldap/sdap_certmap.c' || echo '$(srcdir)/'`src/providers/ldap/sdap_certmap.c + +src/providers/ldap/test_sdap_certmap-sdap_certmap.obj: src/providers/ldap/sdap_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -MT src/providers/ldap/test_sdap_certmap-sdap_certmap.obj -MD -MP -MF src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Tpo -c -o src/providers/ldap/test_sdap_certmap-sdap_certmap.obj `if test -f 'src/providers/ldap/sdap_certmap.c'; then 
$(CYGPATH_W) 'src/providers/ldap/sdap_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_certmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Tpo src/providers/ldap/$(DEPDIR)/test_sdap_certmap-sdap_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ldap/sdap_certmap.c' object='src/providers/ldap/test_sdap_certmap-sdap_certmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_certmap_CFLAGS) $(CFLAGS) -c -o src/providers/ldap/test_sdap_certmap-sdap_certmap.obj `if test -f 'src/providers/ldap/sdap_certmap.c'; then $(CYGPATH_W) 'src/providers/ldap/sdap_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ldap/sdap_certmap.c'; fi` + +src/tests/cmocka/test_sdap_initgr-common_mock_sdap.o: src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_initgr-common_mock_sdap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Tpo -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sdap.o `test -f 'src/tests/cmocka/common_mock_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sdap.c' object='src/tests/cmocka/test_sdap_initgr-common_mock_sdap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sdap.o `test -f 'src/tests/cmocka/common_mock_sdap.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sdap.c + +src/tests/cmocka/test_sdap_initgr-common_mock_sdap.obj: src/tests/cmocka/common_mock_sdap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_initgr-common_mock_sdap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Tpo -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sdap.obj `if test -f 'src/tests/cmocka/common_mock_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sdap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sdap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sdap.c' object='src/tests/cmocka/test_sdap_initgr-common_mock_sdap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sdap.obj `if test -f 'src/tests/cmocka/common_mock_sdap.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sdap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sdap.c'; fi` + +src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.o: src/tests/cmocka/common_mock_sysdb_objects.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -MT 
src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Tpo -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.o `test -f 'src/tests/cmocka/common_mock_sysdb_objects.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sysdb_objects.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sysdb_objects.c' object='src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.o `test -f 'src/tests/cmocka/common_mock_sysdb_objects.c' || echo '$(srcdir)/'`src/tests/cmocka/common_mock_sysdb_objects.c + +src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.obj: src/tests/cmocka/common_mock_sysdb_objects.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Tpo -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.obj `if test -f 'src/tests/cmocka/common_mock_sysdb_objects.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sysdb_objects.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sysdb_objects.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Tpo 
src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-common_mock_sysdb_objects.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/common_mock_sysdb_objects.c' object='src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_initgr-common_mock_sysdb_objects.obj `if test -f 'src/tests/cmocka/common_mock_sysdb_objects.c'; then $(CYGPATH_W) 'src/tests/cmocka/common_mock_sysdb_objects.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/common_mock_sysdb_objects.c'; fi` + +src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o: src/tests/cmocka/test_sdap_initgr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Tpo -c -o src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o `test -f 'src/tests/cmocka/test_sdap_initgr.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sdap_initgr.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sdap_initgr.c' object='src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.o `test -f 
'src/tests/cmocka/test_sdap_initgr.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sdap_initgr.c + +src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.obj: src/tests/cmocka/test_sdap_initgr.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Tpo -c -o src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.obj `if test -f 'src/tests/cmocka/test_sdap_initgr.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sdap_initgr.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sdap_initgr.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Tpo src/tests/cmocka/$(DEPDIR)/test_sdap_initgr-test_sdap_initgr.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sdap_initgr.c' object='src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sdap_initgr_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sdap_initgr-test_sdap_initgr.obj `if test -f 'src/tests/cmocka/test_sdap_initgr.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sdap_initgr.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sdap_initgr.c'; fi` + +src/tests/test_ssh_client-test_ssh_client.o: src/tests/test_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ssh_client_CFLAGS) $(CFLAGS) -MT src/tests/test_ssh_client-test_ssh_client.o -MD -MP -MF src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Tpo -c -o src/tests/test_ssh_client-test_ssh_client.o `test -f 'src/tests/test_ssh_client.c' || echo 
'$(srcdir)/'`src/tests/test_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Tpo src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/test_ssh_client.c' object='src/tests/test_ssh_client-test_ssh_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ssh_client_CFLAGS) $(CFLAGS) -c -o src/tests/test_ssh_client-test_ssh_client.o `test -f 'src/tests/test_ssh_client.c' || echo '$(srcdir)/'`src/tests/test_ssh_client.c + +src/tests/test_ssh_client-test_ssh_client.obj: src/tests/test_ssh_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ssh_client_CFLAGS) $(CFLAGS) -MT src/tests/test_ssh_client-test_ssh_client.obj -MD -MP -MF src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Tpo -c -o src/tests/test_ssh_client-test_ssh_client.obj `if test -f 'src/tests/test_ssh_client.c'; then $(CYGPATH_W) 'src/tests/test_ssh_client.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/test_ssh_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Tpo src/tests/$(DEPDIR)/test_ssh_client-test_ssh_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/test_ssh_client.c' object='src/tests/test_ssh_client-test_ssh_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_ssh_client_CFLAGS) $(CFLAGS) -c -o src/tests/test_ssh_client-test_ssh_client.obj `if test -f 'src/tests/test_ssh_client.c'; then $(CYGPATH_W) 'src/tests/test_ssh_client.c'; else 
$(CYGPATH_W) '$(srcdir)/src/tests/test_ssh_client.c'; fi` + +src/tests/cmocka/test_sss_idmap-test_sss_idmap.o: src/tests/cmocka/test_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sss_idmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sss_idmap-test_sss_idmap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Tpo -c -o src/tests/cmocka/test_sss_idmap-test_sss_idmap.o `test -f 'src/tests/cmocka/test_sss_idmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Tpo src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sss_idmap.c' object='src/tests/cmocka/test_sss_idmap-test_sss_idmap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sss_idmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sss_idmap-test_sss_idmap.o `test -f 'src/tests/cmocka/test_sss_idmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sss_idmap.c + +src/tests/cmocka/test_sss_idmap-test_sss_idmap.obj: src/tests/cmocka/test_sss_idmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sss_idmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sss_idmap-test_sss_idmap.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Tpo -c -o src/tests/cmocka/test_sss_idmap-test_sss_idmap.obj `if test -f 'src/tests/cmocka/test_sss_idmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sss_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sss_idmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Tpo 
src/tests/cmocka/$(DEPDIR)/test_sss_idmap-test_sss_idmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sss_idmap.c' object='src/tests/cmocka/test_sss_idmap-test_sss_idmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sss_idmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sss_idmap-test_sss_idmap.obj `if test -f 'src/tests/cmocka/test_sss_idmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sss_idmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sss_idmap.c'; fi` + +src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.o: src/tests/cmocka/test_sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Tpo -c -o src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.o `test -f 'src/tests/cmocka/test_sssd_krb5_localauth_plugin.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Tpo src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sssd_krb5_localauth_plugin.c' object='src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.o `test -f 'src/tests/cmocka/test_sssd_krb5_localauth_plugin.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sssd_krb5_localauth_plugin.c + +src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.obj: src/tests/cmocka/test_sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Tpo -c -o src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.obj `if test -f 'src/tests/cmocka/test_sssd_krb5_localauth_plugin.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sssd_krb5_localauth_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sssd_krb5_localauth_plugin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Tpo src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sssd_krb5_localauth_plugin.c' object='src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sssd_krb5_localauth_plugin-test_sssd_krb5_localauth_plugin.obj `if test -f 
'src/tests/cmocka/test_sssd_krb5_localauth_plugin.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sssd_krb5_localauth_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sssd_krb5_localauth_plugin.c'; fi` + +src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.o: src/krb5_plugin/sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -MT src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.o -MD -MP -MF src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Tpo -c -o src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.o `test -f 'src/krb5_plugin/sssd_krb5_localauth_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Tpo src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/krb5_plugin/sssd_krb5_localauth_plugin.c' object='src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -c -o src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.o `test -f 'src/krb5_plugin/sssd_krb5_localauth_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_localauth_plugin.c + +src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.obj: src/krb5_plugin/sssd_krb5_localauth_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -MT src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.obj -MD -MP -MF src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Tpo -c -o src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.obj `if test -f 'src/krb5_plugin/sssd_krb5_localauth_plugin.c'; then $(CYGPATH_W) 'src/krb5_plugin/sssd_krb5_localauth_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/krb5_plugin/sssd_krb5_localauth_plugin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Tpo src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/krb5_plugin/sssd_krb5_localauth_plugin.c' object='src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_localauth_plugin_CFLAGS) $(CFLAGS) -c -o src/krb5_plugin/test_sssd_krb5_localauth_plugin-sssd_krb5_localauth_plugin.obj `if test -f 'src/krb5_plugin/sssd_krb5_localauth_plugin.c'; then $(CYGPATH_W) 'src/krb5_plugin/sssd_krb5_localauth_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/krb5_plugin/sssd_krb5_localauth_plugin.c'; fi` + +src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.o: src/tests/cmocka/test_sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.o -MD -MP -MF 
src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Tpo -c -o src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.o `test -f 'src/tests/cmocka/test_sssd_krb5_locator_plugin.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Tpo src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sssd_krb5_locator_plugin.c' object='src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.o `test -f 'src/tests/cmocka/test_sssd_krb5_locator_plugin.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sssd_krb5_locator_plugin.c + +src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.obj: src/tests/cmocka/test_sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Tpo -c -o src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.obj `if test -f 'src/tests/cmocka/test_sssd_krb5_locator_plugin.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sssd_krb5_locator_plugin.c'; else $(CYGPATH_W) 
'$(srcdir)/src/tests/cmocka/test_sssd_krb5_locator_plugin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Tpo src/tests/cmocka/$(DEPDIR)/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sssd_krb5_locator_plugin.c' object='src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sssd_krb5_locator_plugin-test_sssd_krb5_locator_plugin.obj `if test -f 'src/tests/cmocka/test_sssd_krb5_locator_plugin.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sssd_krb5_locator_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sssd_krb5_locator_plugin.c'; fi` + +src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.o: src/krb5_plugin/sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -MT src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.o -MD -MP -MF src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Tpo -c -o src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.o `test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Tpo src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/krb5_plugin/sssd_krb5_locator_plugin.c' object='src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -c -o src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.o `test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c' || echo '$(srcdir)/'`src/krb5_plugin/sssd_krb5_locator_plugin.c + +src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.obj: src/krb5_plugin/sssd_krb5_locator_plugin.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -MT src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.obj -MD -MP -MF src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Tpo -c -o src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.obj `if test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c'; then $(CYGPATH_W) 'src/krb5_plugin/sssd_krb5_locator_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/krb5_plugin/sssd_krb5_locator_plugin.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Tpo src/krb5_plugin/$(DEPDIR)/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/krb5_plugin/sssd_krb5_locator_plugin.c' object='src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_sssd_krb5_locator_plugin_CFLAGS) $(CFLAGS) -c -o src/krb5_plugin/test_sssd_krb5_locator_plugin-sssd_krb5_locator_plugin.obj `if test -f 'src/krb5_plugin/sssd_krb5_locator_plugin.c'; then $(CYGPATH_W) 'src/krb5_plugin/sssd_krb5_locator_plugin.c'; else $(CYGPATH_W) '$(srcdir)/src/krb5_plugin/sssd_krb5_locator_plugin.c'; fi` + +src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.o: src/tests/cmocka/test_sysdb_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_certmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Tpo -c -o src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.o `test -f 'src/tests/cmocka/test_sysdb_certmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_certmap.c' object='src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_certmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.o `test -f 'src/tests/cmocka/test_sysdb_certmap.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_certmap.c + +src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.obj: src/tests/cmocka/test_sysdb_certmap.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_certmap_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.obj -MD -MP -MF 
src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Tpo -c -o src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.obj `if test -f 'src/tests/cmocka/test_sysdb_certmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_certmap.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_certmap-test_sysdb_certmap.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_certmap.c' object='src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_certmap_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_certmap-test_sysdb_certmap.obj `if test -f 'src/tests/cmocka/test_sysdb_certmap.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_certmap.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_certmap.c'; fi` + +src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.o: src/tests/cmocka/test_sysdb_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_domain_resolution_order_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Tpo -c -o src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.o `test -f 'src/tests/cmocka/test_sysdb_domain_resolution_order.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_domain_resolution_order.c' object='src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_domain_resolution_order_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.o `test -f 'src/tests/cmocka/test_sysdb_domain_resolution_order.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_domain_resolution_order.c + +src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.obj: src/tests/cmocka/test_sysdb_domain_resolution_order.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_domain_resolution_order_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Tpo -c -o src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.obj `if test -f 'src/tests/cmocka/test_sysdb_domain_resolution_order.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_domain_resolution_order.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_domain_resolution_order.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Tpo 
src/tests/cmocka/$(DEPDIR)/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_domain_resolution_order.c' object='src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_domain_resolution_order_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_domain_resolution_order-test_sysdb_domain_resolution_order.obj `if test -f 'src/tests/cmocka/test_sysdb_domain_resolution_order.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_domain_resolution_order.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_domain_resolution_order.c'; fi` + +src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.o: src/tests/cmocka/test_sysdb_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_subdomains_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Tpo -c -o src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.o `test -f 'src/tests/cmocka/test_sysdb_subdomains.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_subdomains.c' object='src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_subdomains_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.o `test -f 'src/tests/cmocka/test_sysdb_subdomains.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_subdomains.c + +src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.obj: src/tests/cmocka/test_sysdb_subdomains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_subdomains_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Tpo -c -o src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.obj `if test -f 'src/tests/cmocka/test_sysdb_subdomains.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_subdomains.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_subdomains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_subdomains-test_sysdb_subdomains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_subdomains.c' object='src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_subdomains_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_subdomains-test_sysdb_subdomains.obj `if test -f 'src/tests/cmocka/test_sysdb_subdomains.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_subdomains.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_subdomains.c'; fi` + +src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.o: 
src/tests/cmocka/test_sysdb_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_sudo_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Tpo -c -o src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.o `test -f 'src/tests/cmocka/test_sysdb_sudo.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_sudo.c' object='src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_sudo_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.o `test -f 'src/tests/cmocka/test_sysdb_sudo.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_sudo.c + +src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.obj: src/tests/cmocka/test_sysdb_sudo.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_sudo_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Tpo -c -o src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.obj `if test -f 'src/tests/cmocka/test_sysdb_sudo.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_sudo.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_sudo.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_sudo-test_sysdb_sudo.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_sudo.c' object='src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_sudo_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_sudo-test_sysdb_sudo.obj `if test -f 'src/tests/cmocka/test_sysdb_sudo.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_sudo.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_sudo.c'; fi` + +src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.o: src/tests/cmocka/test_sysdb_ts_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Tpo -c -o src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.o `test -f 'src/tests/cmocka/test_sysdb_ts_cache.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_ts_cache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_ts_cache.c' object='src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.o `test -f 'src/tests/cmocka/test_sysdb_ts_cache.c' || echo 
'$(srcdir)/'`src/tests/cmocka/test_sysdb_ts_cache.c + +src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.obj: src/tests/cmocka/test_sysdb_ts_cache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Tpo -c -o src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.obj `if test -f 'src/tests/cmocka/test_sysdb_ts_cache.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_ts_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_ts_cache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_ts_cache-test_sysdb_ts_cache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_ts_cache.c' object='src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_ts_cache-test_sysdb_ts_cache.obj `if test -f 'src/tests/cmocka/test_sysdb_ts_cache.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_ts_cache.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_ts_cache.c'; fi` + +src/providers/ipa/test_sysdb_ts_cache-ipa_utils.o: src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_sysdb_ts_cache-ipa_utils.o -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Tpo -c -o src/providers/ipa/test_sysdb_ts_cache-ipa_utils.o 
`test -f 'src/providers/ipa/ipa_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Tpo src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_utils.c' object='src/providers/ipa/test_sysdb_ts_cache-ipa_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_sysdb_ts_cache-ipa_utils.o `test -f 'src/providers/ipa/ipa_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_utils.c + +src/providers/ipa/test_sysdb_ts_cache-ipa_utils.obj: src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_sysdb_ts_cache-ipa_utils.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Tpo -c -o src/providers/ipa/test_sysdb_ts_cache-ipa_utils.obj `if test -f 'src/providers/ipa/ipa_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Tpo src/providers/ipa/$(DEPDIR)/test_sysdb_ts_cache-ipa_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_utils.c' object='src/providers/ipa/test_sysdb_ts_cache-ipa_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_ts_cache_CFLAGS) $(CFLAGS) -c -o 
src/providers/ipa/test_sysdb_ts_cache-ipa_utils.obj `if test -f 'src/providers/ipa/ipa_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_utils.c'; fi` + +src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.o: src/tests/cmocka/test_sysdb_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Tpo -c -o src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.o `test -f 'src/tests/cmocka/test_sysdb_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_utils.c' object='src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.o `test -f 'src/tests/cmocka/test_sysdb_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_utils.c + +src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.obj: src/tests/cmocka/test_sysdb_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Tpo -c -o src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.obj `if test -f 'src/tests/cmocka/test_sysdb_utils.c'; then 
$(CYGPATH_W) 'src/tests/cmocka/test_sysdb_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_utils-test_sysdb_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_utils.c' object='src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_utils-test_sysdb_utils.obj `if test -f 'src/tests/cmocka/test_sysdb_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_utils.c'; fi` + +src/tests/cmocka/test_sysdb_views-test_sysdb_views.o: src/tests/cmocka/test_sysdb_views.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_views-test_sysdb_views.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Tpo -c -o src/tests/cmocka/test_sysdb_views-test_sysdb_views.o `test -f 'src/tests/cmocka/test_sysdb_views.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_views.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_views.c' object='src/tests/cmocka/test_sysdb_views-test_sysdb_views.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_views-test_sysdb_views.o `test -f 'src/tests/cmocka/test_sysdb_views.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sysdb_views.c + +src/tests/cmocka/test_sysdb_views-test_sysdb_views.obj: src/tests/cmocka/test_sysdb_views.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_sysdb_views-test_sysdb_views.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Tpo -c -o src/tests/cmocka/test_sysdb_views-test_sysdb_views.obj `if test -f 'src/tests/cmocka/test_sysdb_views.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_views.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_views.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Tpo src/tests/cmocka/$(DEPDIR)/test_sysdb_views-test_sysdb_views.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sysdb_views.c' object='src/tests/cmocka/test_sysdb_views-test_sysdb_views.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_sysdb_views-test_sysdb_views.obj `if test -f 'src/tests/cmocka/test_sysdb_views.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sysdb_views.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sysdb_views.c'; fi` + +src/providers/ipa/test_sysdb_views-ipa_utils.o: src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_sysdb_views-ipa_utils.o -MD -MP -MF 
src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Tpo -c -o src/providers/ipa/test_sysdb_views-ipa_utils.o `test -f 'src/providers/ipa/ipa_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Tpo src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_utils.c' object='src/providers/ipa/test_sysdb_views-ipa_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_sysdb_views-ipa_utils.o `test -f 'src/providers/ipa/ipa_utils.c' || echo '$(srcdir)/'`src/providers/ipa/ipa_utils.c + +src/providers/ipa/test_sysdb_views-ipa_utils.obj: src/providers/ipa/ipa_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -MT src/providers/ipa/test_sysdb_views-ipa_utils.obj -MD -MP -MF src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Tpo -c -o src/providers/ipa/test_sysdb_views-ipa_utils.obj `if test -f 'src/providers/ipa/ipa_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Tpo src/providers/ipa/$(DEPDIR)/test_sysdb_views-ipa_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/providers/ipa/ipa_utils.c' object='src/providers/ipa/test_sysdb_views-ipa_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(test_sysdb_views_CFLAGS) $(CFLAGS) -c -o src/providers/ipa/test_sysdb_views-ipa_utils.obj `if test -f 'src/providers/ipa/ipa_utils.c'; then $(CYGPATH_W) 'src/providers/ipa/ipa_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/providers/ipa/ipa_utils.c'; fi` + +src/tests/cmocka/test_tools_colondb-test_tools_colondb.o: src/tests/cmocka/test_tools_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_tools_colondb-test_tools_colondb.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Tpo -c -o src/tests/cmocka/test_tools_colondb-test_tools_colondb.o `test -f 'src/tests/cmocka/test_tools_colondb.c' || echo '$(srcdir)/'`src/tests/cmocka/test_tools_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Tpo src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_tools_colondb.c' object='src/tests/cmocka/test_tools_colondb-test_tools_colondb.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_tools_colondb-test_tools_colondb.o `test -f 'src/tests/cmocka/test_tools_colondb.c' || echo '$(srcdir)/'`src/tests/cmocka/test_tools_colondb.c + +src/tests/cmocka/test_tools_colondb-test_tools_colondb.obj: src/tests/cmocka/test_tools_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_tools_colondb-test_tools_colondb.obj -MD -MP -MF 
src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Tpo -c -o src/tests/cmocka/test_tools_colondb-test_tools_colondb.obj `if test -f 'src/tests/cmocka/test_tools_colondb.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_tools_colondb.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_tools_colondb.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Tpo src/tests/cmocka/$(DEPDIR)/test_tools_colondb-test_tools_colondb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_tools_colondb.c' object='src/tests/cmocka/test_tools_colondb-test_tools_colondb.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_tools_colondb-test_tools_colondb.obj `if test -f 'src/tests/cmocka/test_tools_colondb.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_tools_colondb.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_tools_colondb.c'; fi` + +src/tools/common/test_tools_colondb-sss_colondb.o: src/tools/common/sss_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -MT src/tools/common/test_tools_colondb-sss_colondb.o -MD -MP -MF src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Tpo -c -o src/tools/common/test_tools_colondb-sss_colondb.o `test -f 'src/tools/common/sss_colondb.c' || echo '$(srcdir)/'`src/tools/common/sss_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Tpo src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_colondb.c' 
object='src/tools/common/test_tools_colondb-sss_colondb.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -c -o src/tools/common/test_tools_colondb-sss_colondb.o `test -f 'src/tools/common/sss_colondb.c' || echo '$(srcdir)/'`src/tools/common/sss_colondb.c + +src/tools/common/test_tools_colondb-sss_colondb.obj: src/tools/common/sss_colondb.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -MT src/tools/common/test_tools_colondb-sss_colondb.obj -MD -MP -MF src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Tpo -c -o src/tools/common/test_tools_colondb-sss_colondb.obj `if test -f 'src/tools/common/sss_colondb.c'; then $(CYGPATH_W) 'src/tools/common/sss_colondb.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_colondb.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Tpo src/tools/common/$(DEPDIR)/test_tools_colondb-sss_colondb.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tools/common/sss_colondb.c' object='src/tools/common/test_tools_colondb-sss_colondb.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_tools_colondb_CFLAGS) $(CFLAGS) -c -o src/tools/common/test_tools_colondb-sss_colondb.obj `if test -f 'src/tools/common/sss_colondb.c'; then $(CYGPATH_W) 'src/tools/common/sss_colondb.c'; else $(CYGPATH_W) '$(srcdir)/src/tools/common/sss_colondb.c'; fi` + +src/tests/cmocka/test_utils-test_utils.o: src/tests/cmocka/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_utils-test_utils.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Tpo -c -o src/tests/cmocka/test_utils-test_utils.o `test -f 'src/tests/cmocka/test_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_utils.c' object='src/tests/cmocka/test_utils-test_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_utils-test_utils.o `test -f 'src/tests/cmocka/test_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_utils.c + +src/tests/cmocka/test_utils-test_utils.obj: src/tests/cmocka/test_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_utils-test_utils.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Tpo -c -o src/tests/cmocka/test_utils-test_utils.obj `if test -f 'src/tests/cmocka/test_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_utils-test_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_utils.c' object='src/tests/cmocka/test_utils-test_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_utils-test_utils.obj `if test -f 'src/tests/cmocka/test_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_utils.c'; fi` + +src/tests/cmocka/test_utils-test_string_utils.o: src/tests/cmocka/test_string_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_utils-test_string_utils.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Tpo -c -o src/tests/cmocka/test_utils-test_string_utils.o `test -f 'src/tests/cmocka/test_string_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_string_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_string_utils.c' object='src/tests/cmocka/test_utils-test_string_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_utils-test_string_utils.o `test -f 'src/tests/cmocka/test_string_utils.c' || echo '$(srcdir)/'`src/tests/cmocka/test_string_utils.c + +src/tests/cmocka/test_utils-test_string_utils.obj: src/tests/cmocka/test_string_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_utils-test_string_utils.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Tpo -c -o src/tests/cmocka/test_utils-test_string_utils.obj `if test 
-f 'src/tests/cmocka/test_string_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_string_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_string_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Tpo src/tests/cmocka/$(DEPDIR)/test_utils-test_string_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_string_utils.c' object='src/tests/cmocka/test_utils-test_string_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_utils-test_string_utils.obj `if test -f 'src/tests/cmocka/test_string_utils.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_string_utils.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_string_utils.c'; fi` + +src/tests/cmocka/test_utils-test_sss_ssh.o: src/tests/cmocka/test_sss_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_utils-test_sss_ssh.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Tpo -c -o src/tests/cmocka/test_utils-test_sss_ssh.o `test -f 'src/tests/cmocka/test_sss_ssh.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sss_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Tpo src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sss_ssh.c' object='src/tests/cmocka/test_utils-test_sss_ssh.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(test_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_utils-test_sss_ssh.o `test -f 'src/tests/cmocka/test_sss_ssh.c' || echo '$(srcdir)/'`src/tests/cmocka/test_sss_ssh.c + +src/tests/cmocka/test_utils-test_sss_ssh.obj: src/tests/cmocka/test_sss_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_utils-test_sss_ssh.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Tpo -c -o src/tests/cmocka/test_utils-test_sss_ssh.obj `if test -f 'src/tests/cmocka/test_sss_ssh.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sss_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sss_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Tpo src/tests/cmocka/$(DEPDIR)/test_utils-test_sss_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_sss_ssh.c' object='src/tests/cmocka/test_utils-test_sss_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_utils_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_utils-test_sss_ssh.obj `if test -f 'src/tests/cmocka/test_sss_ssh.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_sss_ssh.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_sss_ssh.c'; fi` + +src/tests/cmocka/test_wbc_calls-test_wbc_calls.o: src/tests/cmocka/test_wbc_calls.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_wbc_calls-test_wbc_calls.o -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Tpo -c -o src/tests/cmocka/test_wbc_calls-test_wbc_calls.o `test -f 'src/tests/cmocka/test_wbc_calls.c' || echo 
'$(srcdir)/'`src/tests/cmocka/test_wbc_calls.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Tpo src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_wbc_calls.c' object='src/tests/cmocka/test_wbc_calls-test_wbc_calls.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/tests/cmocka/test_wbc_calls-test_wbc_calls.o `test -f 'src/tests/cmocka/test_wbc_calls.c' || echo '$(srcdir)/'`src/tests/cmocka/test_wbc_calls.c + +src/tests/cmocka/test_wbc_calls-test_wbc_calls.obj: src/tests/cmocka/test_wbc_calls.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/tests/cmocka/test_wbc_calls-test_wbc_calls.obj -MD -MP -MF src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Tpo -c -o src/tests/cmocka/test_wbc_calls-test_wbc_calls.obj `if test -f 'src/tests/cmocka/test_wbc_calls.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_wbc_calls.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_wbc_calls.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Tpo src/tests/cmocka/$(DEPDIR)/test_wbc_calls-test_wbc_calls.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/cmocka/test_wbc_calls.c' object='src/tests/cmocka/test_wbc_calls-test_wbc_calls.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o 
src/tests/cmocka/test_wbc_calls-test_wbc_calls.obj `if test -f 'src/tests/cmocka/test_wbc_calls.c'; then $(CYGPATH_W) 'src/tests/cmocka/test_wbc_calls.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/cmocka/test_wbc_calls.c'; fi` + +src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.o: src/sss_client/libwbclient/wbc_sid_sssd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.o -MD -MP -MF src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Tpo -c -o src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.o `test -f 'src/sss_client/libwbclient/wbc_sid_sssd.c' || echo '$(srcdir)/'`src/sss_client/libwbclient/wbc_sid_sssd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Tpo src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/libwbclient/wbc_sid_sssd.c' object='src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.o `test -f 'src/sss_client/libwbclient/wbc_sid_sssd.c' || echo '$(srcdir)/'`src/sss_client/libwbclient/wbc_sid_sssd.c + +src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.obj: src/sss_client/libwbclient/wbc_sid_sssd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.obj -MD -MP -MF src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Tpo -c -o 
src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.obj `if test -f 'src/sss_client/libwbclient/wbc_sid_sssd.c'; then $(CYGPATH_W) 'src/sss_client/libwbclient/wbc_sid_sssd.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/libwbclient/wbc_sid_sssd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Tpo src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_sssd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/libwbclient/wbc_sid_sssd.c' object='src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/libwbclient/test_wbc_calls-wbc_sid_sssd.obj `if test -f 'src/sss_client/libwbclient/wbc_sid_sssd.c'; then $(CYGPATH_W) 'src/sss_client/libwbclient/wbc_sid_sssd.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/libwbclient/wbc_sid_sssd.c'; fi` + +src/sss_client/libwbclient/test_wbc_calls-wbclient_common.o: src/sss_client/libwbclient/wbclient_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/libwbclient/test_wbc_calls-wbclient_common.o -MD -MP -MF src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Tpo -c -o src/sss_client/libwbclient/test_wbc_calls-wbclient_common.o `test -f 'src/sss_client/libwbclient/wbclient_common.c' || echo '$(srcdir)/'`src/sss_client/libwbclient/wbclient_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Tpo src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='src/sss_client/libwbclient/wbclient_common.c' object='src/sss_client/libwbclient/test_wbc_calls-wbclient_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/libwbclient/test_wbc_calls-wbclient_common.o `test -f 'src/sss_client/libwbclient/wbclient_common.c' || echo '$(srcdir)/'`src/sss_client/libwbclient/wbclient_common.c + +src/sss_client/libwbclient/test_wbc_calls-wbclient_common.obj: src/sss_client/libwbclient/wbclient_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/libwbclient/test_wbc_calls-wbclient_common.obj -MD -MP -MF src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Tpo -c -o src/sss_client/libwbclient/test_wbc_calls-wbclient_common.obj `if test -f 'src/sss_client/libwbclient/wbclient_common.c'; then $(CYGPATH_W) 'src/sss_client/libwbclient/wbclient_common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/libwbclient/wbclient_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Tpo src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbclient_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/libwbclient/wbclient_common.c' object='src/sss_client/libwbclient/test_wbc_calls-wbclient_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/libwbclient/test_wbc_calls-wbclient_common.obj `if test -f 
'src/sss_client/libwbclient/wbclient_common.c'; then $(CYGPATH_W) 'src/sss_client/libwbclient/wbclient_common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/libwbclient/wbclient_common.c'; fi` + +src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.o: src/sss_client/libwbclient/wbc_sid_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.o -MD -MP -MF src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Tpo -c -o src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.o `test -f 'src/sss_client/libwbclient/wbc_sid_common.c' || echo '$(srcdir)/'`src/sss_client/libwbclient/wbc_sid_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Tpo src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/libwbclient/wbc_sid_common.c' object='src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.o `test -f 'src/sss_client/libwbclient/wbc_sid_common.c' || echo '$(srcdir)/'`src/sss_client/libwbclient/wbc_sid_common.c + +src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.obj: src/sss_client/libwbclient/wbc_sid_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.obj -MD -MP -MF src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Tpo -c -o 
src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.obj `if test -f 'src/sss_client/libwbclient/wbc_sid_common.c'; then $(CYGPATH_W) 'src/sss_client/libwbclient/wbc_sid_common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/libwbclient/wbc_sid_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Tpo src/sss_client/libwbclient/$(DEPDIR)/test_wbc_calls-wbc_sid_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/libwbclient/wbc_sid_common.c' object='src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/libwbclient/test_wbc_calls-wbc_sid_common.obj `if test -f 'src/sss_client/libwbclient/wbc_sid_common.c'; then $(CYGPATH_W) 'src/sss_client/libwbclient/wbc_sid_common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/libwbclient/wbc_sid_common.c'; fi` + +src/sss_client/test_wbc_calls-common.o: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/test_wbc_calls-common.o -MD -MP -MF src/sss_client/$(DEPDIR)/test_wbc_calls-common.Tpo -c -o src/sss_client/test_wbc_calls-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/test_wbc_calls-common.Tpo src/sss_client/$(DEPDIR)/test_wbc_calls-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/test_wbc_calls-common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/test_wbc_calls-common.o `test -f 'src/sss_client/common.c' || echo '$(srcdir)/'`src/sss_client/common.c + +src/sss_client/test_wbc_calls-common.obj: src/sss_client/common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -MT src/sss_client/test_wbc_calls-common.obj -MD -MP -MF src/sss_client/$(DEPDIR)/test_wbc_calls-common.Tpo -c -o src/sss_client/test_wbc_calls-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/sss_client/$(DEPDIR)/test_wbc_calls-common.Tpo src/sss_client/$(DEPDIR)/test_wbc_calls-common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/sss_client/common.c' object='src/sss_client/test_wbc_calls-common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(test_wbc_calls_CFLAGS) $(CFLAGS) -c -o src/sss_client/test_wbc_calls-common.obj `if test -f 'src/sss_client/common.c'; then $(CYGPATH_W) 'src/sss_client/common.c'; else $(CYGPATH_W) '$(srcdir)/src/sss_client/common.c'; fi` + +src/tests/util_tests-util-tests.o: src/tests/util-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(util_tests_CFLAGS) $(CFLAGS) -MT src/tests/util_tests-util-tests.o -MD -MP -MF src/tests/$(DEPDIR)/util_tests-util-tests.Tpo -c -o src/tests/util_tests-util-tests.o `test -f 'src/tests/util-tests.c' || echo '$(srcdir)/'`src/tests/util-tests.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
src/tests/$(DEPDIR)/util_tests-util-tests.Tpo src/tests/$(DEPDIR)/util_tests-util-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/util-tests.c' object='src/tests/util_tests-util-tests.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(util_tests_CFLAGS) $(CFLAGS) -c -o src/tests/util_tests-util-tests.o `test -f 'src/tests/util-tests.c' || echo '$(srcdir)/'`src/tests/util-tests.c + +src/tests/util_tests-util-tests.obj: src/tests/util-tests.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(util_tests_CFLAGS) $(CFLAGS) -MT src/tests/util_tests-util-tests.obj -MD -MP -MF src/tests/$(DEPDIR)/util_tests-util-tests.Tpo -c -o src/tests/util_tests-util-tests.obj `if test -f 'src/tests/util-tests.c'; then $(CYGPATH_W) 'src/tests/util-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/util-tests.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) src/tests/$(DEPDIR)/util_tests-util-tests.Tpo src/tests/$(DEPDIR)/util_tests-util-tests.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='src/tests/util-tests.c' object='src/tests/util_tests-util-tests.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(util_tests_CFLAGS) $(CFLAGS) -c -o src/tests/util_tests-util-tests.obj `if test -f 'src/tests/util-tests.c'; then $(CYGPATH_W) 'src/tests/util-tests.c'; else $(CYGPATH_W) '$(srcdir)/src/tests/util-tests.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + -rm -rf src/confdb/.libs src/confdb/_libs + -rm -rf src/db/.libs src/db/_libs + -rm -rf src/krb5_plugin/.libs src/krb5_plugin/_libs + 
-rm -rf src/ldb_modules/.libs src/ldb_modules/_libs + -rm -rf src/lib/certmap/.libs src/lib/certmap/_libs + -rm -rf src/lib/cifs_idmap_sss/.libs src/lib/cifs_idmap_sss/_libs + -rm -rf src/lib/idmap/.libs src/lib/idmap/_libs + -rm -rf src/lib/ipa_hbac/.libs src/lib/ipa_hbac/_libs + -rm -rf src/lib/sifp/.libs src/lib/sifp/_libs + -rm -rf src/lib/winbind_idmap_sss/.libs src/lib/winbind_idmap_sss/_libs + -rm -rf src/monitor/.libs src/monitor/_libs + -rm -rf src/providers/.libs src/providers/_libs + -rm -rf src/providers/ad/.libs src/providers/ad/_libs + -rm -rf src/providers/data_provider/.libs src/providers/data_provider/_libs + -rm -rf src/providers/files/.libs src/providers/files/_libs + -rm -rf src/providers/ipa/.libs src/providers/ipa/_libs + -rm -rf src/providers/krb5/.libs src/providers/krb5/_libs + -rm -rf src/providers/ldap/.libs src/providers/ldap/_libs + -rm -rf src/providers/proxy/.libs src/providers/proxy/_libs + -rm -rf src/providers/simple/.libs src/providers/simple/_libs + -rm -rf src/python/.libs src/python/_libs + -rm -rf src/resolv/.libs src/resolv/_libs + -rm -rf src/sbus/.libs src/sbus/_libs + -rm -rf src/sss_client/.libs src/sss_client/_libs + -rm -rf src/sss_client/autofs/.libs src/sss_client/autofs/_libs + -rm -rf src/sss_client/idmap/.libs src/sss_client/idmap/_libs + -rm -rf src/sss_client/libwbclient/.libs src/sss_client/libwbclient/_libs + -rm -rf src/sss_client/nfs/.libs src/sss_client/nfs/_libs + -rm -rf src/sss_client/sudo/.libs src/sss_client/sudo/_libs + -rm -rf src/tests/.libs src/tests/_libs + -rm -rf src/tests/cmocka/.libs src/tests/cmocka/_libs + -rm -rf src/tools/.libs src/tools/_libs + -rm -rf src/tools/common/.libs src/tools/common/_libs + -rm -rf src/util/.libs src/util/_libs + -rm -rf src/util/cert/.libs src/util/cert/_libs + -rm -rf src/util/cert/libcrypto/.libs src/util/cert/libcrypto/_libs + -rm -rf src/util/cert/nss/.libs src/util/cert/nss/_libs + -rm -rf src/util/crypto/.libs src/util/crypto/_libs + -rm -rf 
src/util/crypto/libcrypto/.libs src/util/crypto/libcrypto/_libs + -rm -rf src/util/crypto/nss/.libs src/util/crypto/nss/_libs + +distclean-libtool: + -rm -f libtool config.lt +install-dist_dbuspolicyDATA: $(dist_dbuspolicy_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_dbuspolicy_DATA)'; test -n "$(dbuspolicydir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(dbuspolicydir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(dbuspolicydir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbuspolicydir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(dbuspolicydir)" || exit $$?; \ + done + +uninstall-dist_dbuspolicyDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_dbuspolicy_DATA)'; test -n "$(dbuspolicydir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(dbuspolicydir)'; $(am__uninstall_files_from_dir) +install-dist_dbusserviceDATA: $(dist_dbusservice_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(dbusservicedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(dbusservicedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbusservicedir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(dbusservicedir)" || exit $$?; \ + done + +uninstall-dist_dbusserviceDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_dbusservice_DATA)'; test -n "$(dbusservicedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(dbusservicedir)'; $(am__uninstall_files_from_dir) +install-dist_pamconfDATA: $(dist_pamconf_DATA) + @$(NORMAL_INSTALL) + 
@list='$(dist_pamconf_DATA)'; test -n "$(pamconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pamconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pamconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pamconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pamconfdir)" || exit $$?; \ + done + +uninstall-dist_pamconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_pamconf_DATA)'; test -n "$(pamconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pamconfdir)'; $(am__uninstall_files_from_dir) +install-dist_polkit_rulesDATA: $(dist_polkit_rules_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_polkit_rules_DATA)'; test -n "$(polkit_rulesdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(polkit_rulesdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(polkit_rulesdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(polkit_rulesdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(polkit_rulesdir)" || exit $$?; \ + done + +uninstall-dist_polkit_rulesDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_polkit_rules_DATA)'; test -n "$(polkit_rulesdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(polkit_rulesdir)'; $(am__uninstall_files_from_dir) +install-dist_sssdapipluginDATA: $(dist_sssdapiplugin_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_sssdapiplugin_DATA)'; test -n "$(sssdapiplugindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssdapiplugindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssdapiplugindir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then 
d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sssdapiplugindir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sssdapiplugindir)" || exit $$?; \ + done + +uninstall-dist_sssdapipluginDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_sssdapiplugin_DATA)'; test -n "$(sssdapiplugindir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(sssdapiplugindir)'; $(am__uninstall_files_from_dir) +install-dist_sssddataDATA: $(dist_sssddata_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_sssddata_DATA)'; test -n "$(sssddatadir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssddatadir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssddatadir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sssddatadir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sssddatadir)" || exit $$?; \ + done + +uninstall-dist_sssddataDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_sssddata_DATA)'; test -n "$(sssddatadir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(sssddatadir)'; $(am__uninstall_files_from_dir) +install-dist_sssddefaultconfDATA: $(dist_sssddefaultconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_sssddefaultconf_DATA)'; test -n "$(sssddefaultconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssddefaultconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssddefaultconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sssddefaultconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sssddefaultconfdir)" || exit $$?; \ + done 
+ +uninstall-dist_sssddefaultconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_sssddefaultconf_DATA)'; test -n "$(sssddefaultconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(sssddefaultconfdir)'; $(am__uninstall_files_from_dir) +install-dist_sssdkcmdataDATA: $(dist_sssdkcmdata_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_sssdkcmdata_DATA)'; test -n "$(sssdkcmdatadir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssdkcmdatadir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssdkcmdatadir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sssdkcmdatadir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sssdkcmdatadir)" || exit $$?; \ + done + +uninstall-dist_sssdkcmdataDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_sssdkcmdata_DATA)'; test -n "$(sssdkcmdatadir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(sssdkcmdatadir)'; $(am__uninstall_files_from_dir) +install-dist_sssdtapscriptDATA: $(dist_sssdtapscript_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_sssdtapscript_DATA)'; test -n "$(sssdtapscriptdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sssdtapscriptdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sssdtapscriptdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(sssdtapscriptdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(sssdtapscriptdir)" || exit $$?; \ + done + +uninstall-dist_sssdtapscriptDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_sssdtapscript_DATA)'; test -n "$(sssdtapscriptdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + 
dir='$(DESTDIR)$(sssdtapscriptdir)'; $(am__uninstall_files_from_dir) +install-dist_systemtap_tapDATA: $(dist_systemtap_tap_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_systemtap_tap_DATA)'; test -n "$(systemtap_tapdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(systemtap_tapdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(systemtap_tapdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemtap_tapdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(systemtap_tapdir)" || exit $$?; \ + done + +uninstall-dist_systemtap_tapDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_systemtap_tap_DATA)'; test -n "$(systemtap_tapdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(systemtap_tapdir)'; $(am__uninstall_files_from_dir) +install-pkgconfigDATA: $(pkgconfig_DATA) + @$(NORMAL_INSTALL) + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(pkgconfigdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(pkgconfigdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgconfigdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgconfigdir)" || exit $$?; \ + done + +uninstall-pkgconfigDATA: + @$(NORMAL_UNINSTALL) + @list='$(pkgconfig_DATA)'; test -n "$(pkgconfigdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(pkgconfigdir)'; $(am__uninstall_files_from_dir) +install-systemdconfDATA: $(systemdconf_DATA) + @$(NORMAL_INSTALL) + @list='$(systemdconf_DATA)'; test -n "$(systemdconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) 
'$(DESTDIR)$(systemdconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(systemdconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdconfdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdconfdir)" || exit $$?; \ + done + +uninstall-systemdconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(systemdconf_DATA)'; test -n "$(systemdconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(systemdconfdir)'; $(am__uninstall_files_from_dir) +install-systemdunitDATA: $(systemdunit_DATA) + @$(NORMAL_INSTALL) + @list='$(systemdunit_DATA)'; test -n "$(systemdunitdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(systemdunitdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(systemdunitdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(systemdunitdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(systemdunitdir)" || exit $$?; \ + done + +uninstall-systemdunitDATA: + @$(NORMAL_UNINSTALL) + @list='$(systemdunit_DATA)'; test -n "$(systemdunitdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(systemdunitdir)'; $(am__uninstall_files_from_dir) +install-systemtap_tapDATA: $(systemtap_tap_DATA) + @$(NORMAL_INSTALL) + @list='$(systemtap_tap_DATA)'; test -n "$(systemtap_tapdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(systemtap_tapdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(systemtap_tapdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files 
'$(DESTDIR)$(systemtap_tapdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(systemtap_tapdir)" || exit $$?; \ + done + +uninstall-systemtap_tapDATA: + @$(NORMAL_UNINSTALL) + @list='$(systemtap_tap_DATA)'; test -n "$(systemtap_tapdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(systemtap_tapdir)'; $(am__uninstall_files_from_dir) +install-includeHEADERS: $(include_HEADERS) + @$(NORMAL_INSTALL) + @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \ + done + +uninstall-includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) + +# This directory's subdirectories are mostly independent; you can cd +# into them and run 'make' without going through this Makefile. +# To change the values of 'make' variables: instead of editing Makefiles, +# (1) if the variable is set in 'config.status', edit 'config.status' +# (which will cause the Makefiles to be regenerated when you run 'make'); +# (2) otherwise, pass the desired values on the 'make' command line. 
+$(am__recursive_targets): + @fail=; \ + if $(am__make_keepgoing); then \ + failcom='fail=yes'; \ + else \ + failcom='exit 1'; \ + fi; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-recursive +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! 
-f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-recursive + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscope: cscope.files + test ! -s cscope.files \ + || $(CSCOPE) -b -q $(AM_CSCOPEFLAGS) $(CSCOPEFLAGS) -i cscope.files $(CSCOPE_ARGS) +clean-cscope: + -rm -f cscope.files +cscope.files: clean-cscope cscopelist +cscopelist: cscopelist-recursive + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + -rm -f cscope.out cscope.in.out cscope.po.out cscope.files + +# Recover from deleted '.trs' file; this should ensure that +# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create +# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells +# to avoid problems with "make -n". +.log.trs: + rm -f $< $@ + $(MAKE) $(AM_MAKEFLAGS) $< + +# Leading 'am--fnord' is there to ensure the list of targets does not +# expand to empty, as could happen e.g. with make check TESTS=''. 
+am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck) +am--force-recheck: + @: + +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + if test -n "$$redo_bases"; then \ + redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \ + redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \ + if $(am__make_dryrun); then :; else \ + rm -f $$redo_logs && rm -f $$redo_results || exit 1; \ + fi; \ + fi; \ + if test -n "$$am__remaking_logs"; then \ + echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ + "recursion detected" >&2; \ + elif test -n "$$redo_logs"; then \ + am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ + fi; \ + if $(am__make_dryrun); then :; else \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; \ + fi + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws='[ ]'; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; 
\ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done \ + | $(am__create_global_log); \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + if test -n "$(PACKAGE_BUGREPORT)"; then \ + echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \ + fi; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 + +check-TESTS: + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; 
$(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + trs_list=`for i in $$bases; do echo $$i.trs; done`; \ + log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +recheck: all $(check_LTLIBRARIES) $(check_PROGRAMS) + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + bases=`for i in $$bases; do echo $$i; done \ + | $(am__list_recheck_tests)` || exit 1; \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \ + am__force_recheck=am--force-recheck \ + TEST_LOGS="$$log_list"; \ + exit $$? +nss-srv-tests.log: nss-srv-tests$(EXEEXT) + @p='nss-srv-tests$(EXEEXT)'; \ + b='nss-srv-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test-find-uid.log: test-find-uid$(EXEEXT) + @p='test-find-uid$(EXEEXT)'; \ + b='test-find-uid'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test-io.log: test-io$(EXEEXT) + @p='test-io$(EXEEXT)'; \ + b='test-io'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test-negcache.log: test-negcache$(EXEEXT) + @p='test-negcache$(EXEEXT)'; \ + b='test-negcache'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) 
+test-authtok.log: test-authtok$(EXEEXT) + @p='test-authtok$(EXEEXT)'; \ + b='test-authtok'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sss_nss_idmap-tests.log: sss_nss_idmap-tests$(EXEEXT) + @p='sss_nss_idmap-tests$(EXEEXT)'; \ + b='sss_nss_idmap-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +deskprofile_utils-tests.log: deskprofile_utils-tests$(EXEEXT) + @p='deskprofile_utils-tests$(EXEEXT)'; \ + b='deskprofile_utils-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dyndns-tests.log: dyndns-tests$(EXEEXT) + @p='dyndns-tests$(EXEEXT)'; \ + b='dyndns-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +domain_resolution_order-tests.log: domain_resolution_order-tests$(EXEEXT) + @p='domain_resolution_order-tests$(EXEEXT)'; \ + b='domain_resolution_order-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +fqnames-tests.log: fqnames-tests$(EXEEXT) + @p='fqnames-tests$(EXEEXT)'; \ + b='fqnames-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- 
$(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +nestedgroups-tests.log: nestedgroups-tests$(EXEEXT) + @p='nestedgroups-tests$(EXEEXT)'; \ + b='nestedgroups-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sss_idmap.log: test_sss_idmap$(EXEEXT) + @p='test_sss_idmap$(EXEEXT)'; \ + b='test_sss_idmap'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ipa_idmap.log: test_ipa_idmap$(EXEEXT) + @p='test_ipa_idmap$(EXEEXT)'; \ + b='test_ipa_idmap'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_utils.log: test_utils$(EXEEXT) + @p='test_utils$(EXEEXT)'; \ + b='test_utils'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dp_opt_tests.log: dp_opt_tests$(EXEEXT) + @p='dp_opt_tests$(EXEEXT)'; \ + b='dp_opt_tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +responder-get-domains-tests.log: responder-get-domains-tests$(EXEEXT) + @p='responder-get-domains-tests$(EXEEXT)'; \ + b='responder-get-domains-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- 
$(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sbus-internal-tests.log: sbus-internal-tests$(EXEEXT) + @p='sbus-internal-tests$(EXEEXT)'; \ + b='sbus-internal-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +config_check-tests.log: config_check-tests$(EXEEXT) + @p='config_check-tests$(EXEEXT)'; \ + b='config_check-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sss_sifp-tests.log: sss_sifp-tests$(EXEEXT) + @p='sss_sifp-tests$(EXEEXT)'; \ + b='sss_sifp-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_search_bases.log: test_search_bases$(EXEEXT) + @p='test_search_bases$(EXEEXT)'; \ + b='test_search_bases'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ldap_auth.log: test_ldap_auth$(EXEEXT) + @p='test_ldap_auth$(EXEEXT)'; \ + b='test_ldap_auth'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sdap_access.log: test_sdap_access$(EXEEXT) + @p='test_sdap_access$(EXEEXT)'; \ + b='test_sdap_access'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- 
$(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sdap_certmap.log: test_sdap_certmap$(EXEEXT) + @p='test_sdap_certmap$(EXEEXT)'; \ + b='test_sdap_certmap'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sdap-tests.log: sdap-tests$(EXEEXT) + @p='sdap-tests$(EXEEXT)'; \ + b='sdap-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_ts_cache.log: test_sysdb_ts_cache$(EXEEXT) + @p='test_sysdb_ts_cache$(EXEEXT)'; \ + b='test_sysdb_ts_cache'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_views.log: test_sysdb_views$(EXEEXT) + @p='test_sysdb_views$(EXEEXT)'; \ + b='test_sysdb_views'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_subdomains.log: test_sysdb_subdomains$(EXEEXT) + @p='test_sysdb_subdomains$(EXEEXT)'; \ + b='test_sysdb_subdomains'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_certmap.log: test_sysdb_certmap$(EXEEXT) + @p='test_sysdb_certmap$(EXEEXT)'; \ + b='test_sysdb_certmap'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) 
$(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_sudo.log: test_sysdb_sudo$(EXEEXT) + @p='test_sysdb_sudo$(EXEEXT)'; \ + b='test_sysdb_sudo'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_utils.log: test_sysdb_utils$(EXEEXT) + @p='test_sysdb_utils$(EXEEXT)'; \ + b='test_sysdb_utils'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sysdb_domain_resolution_order.log: test_sysdb_domain_resolution_order$(EXEEXT) + @p='test_sysdb_domain_resolution_order$(EXEEXT)'; \ + b='test_sysdb_domain_resolution_order'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_wbc_calls.log: test_wbc_calls$(EXEEXT) + @p='test_wbc_calls$(EXEEXT)'; \ + b='test_wbc_calls'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_be_ptask.log: test_be_ptask$(EXEEXT) + @p='test_be_ptask$(EXEEXT)'; \ + b='test_be_ptask'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_copy_ccache.log: test_copy_ccache$(EXEEXT) + @p='test_copy_ccache$(EXEEXT)'; \ + b='test_copy_ccache'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + 
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_copy_keytab.log: test_copy_keytab$(EXEEXT) + @p='test_copy_keytab$(EXEEXT)'; \ + b='test_copy_keytab'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_child_common.log: test_child_common$(EXEEXT) + @p='test_child_common$(EXEEXT)'; \ + b='test_child_common'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +responder_cache_req-tests.log: responder_cache_req-tests$(EXEEXT) + @p='responder_cache_req-tests$(EXEEXT)'; \ + b='responder_cache_req-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sbus_opath.log: test_sbus_opath$(EXEEXT) + @p='test_sbus_opath$(EXEEXT)'; \ + b='test_sbus_opath'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_fo_srv.log: test_fo_srv$(EXEEXT) + @p='test_fo_srv$(EXEEXT)'; \ + b='test_fo_srv'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +pam-srv-tests.log: pam-srv-tests$(EXEEXT) + @p='pam-srv-tests$(EXEEXT)'; \ + b='pam-srv-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + 
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ssh-srv-tests.log: ssh-srv-tests$(EXEEXT) + @p='ssh-srv-tests$(EXEEXT)'; \ + b='ssh-srv-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ipa_subdom_util.log: test_ipa_subdom_util$(EXEEXT) + @p='test_ipa_subdom_util$(EXEEXT)'; \ + b='test_ipa_subdom_util'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_tools_colondb.log: test_tools_colondb$(EXEEXT) + @p='test_tools_colondb$(EXEEXT)'; \ + b='test_tools_colondb'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_krb5_wait_queue.log: test_krb5_wait_queue$(EXEEXT) + @p='test_krb5_wait_queue$(EXEEXT)'; \ + b='test_krb5_wait_queue'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_cert_utils.log: test_cert_utils$(EXEEXT) + @p='test_cert_utils$(EXEEXT)'; \ + b='test_cert_utils'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ldap_id_cleanup.log: test_ldap_id_cleanup$(EXEEXT) + @p='test_ldap_id_cleanup$(EXEEXT)'; \ + b='test_ldap_id_cleanup'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + 
--log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_data_provider_be.log: test_data_provider_be$(EXEEXT) + @p='test_data_provider_be$(EXEEXT)'; \ + b='test_data_provider_be'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_dp_request_table.log: test_dp_request_table$(EXEEXT) + @p='test_dp_request_table$(EXEEXT)'; \ + b='test_dp_request_table'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_dp_request.log: test_dp_request$(EXEEXT) + @p='test_dp_request$(EXEEXT)'; \ + b='test_dp_request'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_dp_builtin.log: test_dp_builtin$(EXEEXT) + @p='test_dp_builtin$(EXEEXT)'; \ + b='test_dp_builtin'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ipa_dn.log: test_ipa_dn$(EXEEXT) + @p='test_ipa_dn$(EXEEXT)'; \ + b='test_ipa_dn'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +simple-access-tests.log: simple-access-tests$(EXEEXT) + @p='simple-access-tests$(EXEEXT)'; \ + b='simple-access-tests'; \ + $(am__check_pre) $(LOG_DRIVER) 
--test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +krb5_common_test.log: krb5_common_test$(EXEEXT) + @p='krb5_common_test$(EXEEXT)'; \ + b='krb5_common_test'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_iobuf.log: test_iobuf$(EXEEXT) + @p='test_iobuf$(EXEEXT)'; \ + b='test_iobuf'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sss_certmap_test.log: sss_certmap_test$(EXEEXT) + @p='sss_certmap_test$(EXEEXT)'; \ + b='sss_certmap_test'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sssd_krb5_locator_plugin.log: test_sssd_krb5_locator_plugin$(EXEEXT) + @p='test_sssd_krb5_locator_plugin$(EXEEXT)'; \ + b='test_sssd_krb5_locator_plugin'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_resolv_fake.log: test_resolv_fake$(EXEEXT) + @p='test_resolv_fake$(EXEEXT)'; \ + b='test_resolv_fake'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ifp_tests.log: ifp_tests$(EXEEXT) + @p='ifp_tests$(EXEEXT)'; \ + b='ifp_tests'; \ + $(am__check_pre) $(LOG_DRIVER) 
--test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_inotify.log: test_inotify$(EXEEXT) + @p='test_inotify$(EXEEXT)'; \ + b='test_inotify'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_kcm_json.log: test_kcm_json$(EXEEXT) + @p='test_kcm_json$(EXEEXT)'; \ + b='test_kcm_json'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_kcm_queue.log: test_kcm_queue$(EXEEXT) + @p='test_kcm_queue$(EXEEXT)'; \ + b='test_kcm_queue'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ad_access_filter_tests.log: ad_access_filter_tests$(EXEEXT) + @p='ad_access_filter_tests$(EXEEXT)'; \ + b='ad_access_filter_tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ad_gpo_tests.log: ad_gpo_tests$(EXEEXT) + @p='ad_gpo_tests$(EXEEXT)'; \ + b='ad_gpo_tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ad_common_tests.log: ad_common_tests$(EXEEXT) + @p='ad_common_tests$(EXEEXT)'; \ + b='ad_common_tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file 
$$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sdap_initgr.log: test_sdap_initgr$(EXEEXT) + @p='test_sdap_initgr$(EXEEXT)'; \ + b='test_sdap_initgr'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ad_subdom.log: test_ad_subdom$(EXEEXT) + @p='test_ad_subdom$(EXEEXT)'; \ + b='test_ad_subdom'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_ipa_subdom_server.log: test_ipa_subdom_server$(EXEEXT) + @p='test_ipa_subdom_server$(EXEEXT)'; \ + b='test_ipa_subdom_server'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +test_sssd_krb5_localauth_plugin.log: test_sssd_krb5_localauth_plugin$(EXEEXT) + @p='test_sssd_krb5_localauth_plugin$(EXEEXT)'; \ + b='test_sssd_krb5_localauth_plugin'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +dlopen-tests.log: dlopen-tests$(EXEEXT) + @p='dlopen-tests$(EXEEXT)'; \ + b='dlopen-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sysdb-tests.log: sysdb-tests$(EXEEXT) + @p='sysdb-tests$(EXEEXT)'; \ + b='sysdb-tests'; \ + $(am__check_pre) $(LOG_DRIVER) 
--test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +strtonum-tests.log: strtonum-tests$(EXEEXT) + @p='strtonum-tests$(EXEEXT)'; \ + b='strtonum-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +resolv-tests.log: resolv-tests$(EXEEXT) + @p='resolv-tests$(EXEEXT)'; \ + b='resolv-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +krb5-utils-tests.log: krb5-utils-tests$(EXEEXT) + @p='krb5-utils-tests$(EXEEXT)'; \ + b='krb5-utils-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +check_and_open-tests.log: check_and_open-tests$(EXEEXT) + @p='check_and_open-tests$(EXEEXT)'; \ + b='check_and_open-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +files-tests.log: files-tests$(EXEEXT) + @p='files-tests$(EXEEXT)'; \ + b='files-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +refcount-tests.log: refcount-tests$(EXEEXT) + @p='refcount-tests$(EXEEXT)'; \ + b='refcount-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log 
--trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +fail_over-tests.log: fail_over-tests$(EXEEXT) + @p='fail_over-tests$(EXEEXT)'; \ + b='fail_over-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +find_uid-tests.log: find_uid-tests$(EXEEXT) + @p='find_uid-tests$(EXEEXT)'; \ + b='find_uid-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +auth-tests.log: auth-tests$(EXEEXT) + @p='auth-tests$(EXEEXT)'; \ + b='auth-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ipa_ldap_opt-tests.log: ipa_ldap_opt-tests$(EXEEXT) + @p='ipa_ldap_opt-tests$(EXEEXT)'; \ + b='ipa_ldap_opt-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ad_ldap_opt-tests.log: ad_ldap_opt-tests$(EXEEXT) + @p='ad_ldap_opt-tests$(EXEEXT)'; \ + b='ad_ldap_opt-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +crypto-tests.log: crypto-tests$(EXEEXT) + @p='crypto-tests$(EXEEXT)'; \ + b='crypto-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + 
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +util-tests.log: util-tests$(EXEEXT) + @p='util-tests$(EXEEXT)'; \ + b='util-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +debug-tests.log: debug-tests$(EXEEXT) + @p='debug-tests$(EXEEXT)'; \ + b='debug-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +ipa_hbac-tests.log: ipa_hbac-tests$(EXEEXT) + @p='ipa_hbac-tests$(EXEEXT)'; \ + b='ipa_hbac-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sss_idmap-tests.log: sss_idmap-tests$(EXEEXT) + @p='sss_idmap-tests$(EXEEXT)'; \ + b='sss_idmap-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +responder_socket_access-tests.log: responder_socket_access-tests$(EXEEXT) + @p='responder_socket_access-tests$(EXEEXT)'; \ + b='responder_socket_access-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +safe-format-tests.log: safe-format-tests$(EXEEXT) + @p='safe-format-tests$(EXEEXT)'; \ + b='safe-format-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + 
$(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sysdb_ssh-tests.log: sysdb_ssh-tests$(EXEEXT) + @p='sysdb_ssh-tests$(EXEEXT)'; \ + b='sysdb_ssh-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sbus_tests.log: sbus_tests$(EXEEXT) + @p='sbus_tests$(EXEEXT)'; \ + b='sbus_tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +sbus_codegen_tests.log: sbus_codegen_tests$(EXEEXT) + @p='sbus_codegen_tests$(EXEEXT)'; \ + b='sbus_codegen_tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +src/tests/whitespace_test.log: src/tests/whitespace_test + @p='src/tests/whitespace_test'; \ + b='src/tests/whitespace_test'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +src/tests/double_semicolon_test.log: src/tests/double_semicolon_test + @p='src/tests/double_semicolon_test'; \ + b='src/tests/double_semicolon_test'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +.sh.log: + @p='$<'; \ + $(am__set_b); \ + $(am__check_pre) $(SH_LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) 
$(AM_SH_LOG_DRIVER_FLAGS) $(SH_LOG_DRIVER_FLAGS) -- $(SH_LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +@am__EXEEXT_TRUE@.sh$(EXEEXT).log: +@am__EXEEXT_TRUE@ @p='$<'; \ +@am__EXEEXT_TRUE@ $(am__set_b); \ +@am__EXEEXT_TRUE@ $(am__check_pre) $(SH_LOG_DRIVER) --test-name "$$f" \ +@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ +@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_SH_LOG_DRIVER_FLAGS) $(SH_LOG_DRIVER_FLAGS) -- $(SH_LOG_COMPILE) \ +@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) + +distdir: $(DISTFILES) + $(am__remove_distdir) + test -d "$(distdir)" || mkdir "$(distdir)" + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + $(am__make_dryrun) \ + || test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done + -test -n "$(am__skip_mode_fix)" \ + || find "$(distdir)" -type d ! -perm -755 \ + -exec chmod u+rwx,go+rx {} \; -o \ + ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ + ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ + ! -type d ! 
-perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ + || chmod -R a+r "$(distdir)" +dist-gzip: distdir + tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz + $(am__post_remove_distdir) + +dist-bzip2: distdir + tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 + $(am__post_remove_distdir) + +dist-lzip: distdir + tardir=$(distdir) && $(am__tar) | lzip -c $${LZIP_OPT--9} >$(distdir).tar.lz + $(am__post_remove_distdir) + +dist-xz: distdir + tardir=$(distdir) && $(am__tar) | XZ_OPT=$${XZ_OPT--e} xz -c >$(distdir).tar.xz + $(am__post_remove_distdir) + +dist-tarZ: distdir + @echo WARNING: "Support for distribution archives compressed with" \ + "legacy program 'compress' is deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 + tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z + $(am__post_remove_distdir) + +dist-shar: distdir + @echo WARNING: "Support for shar distribution archives is" \ + "deprecated." >&2 + @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 + shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz + $(am__post_remove_distdir) + +dist-zip: distdir + -rm -f $(distdir).zip + zip -rq $(distdir).zip $(distdir) + $(am__post_remove_distdir) + +dist dist-all: + $(MAKE) $(AM_MAKEFLAGS) $(DIST_TARGETS) am__post_remove_distdir='@:' + $(am__post_remove_distdir) + +# This target untars the dist file and tries a VPATH configuration. Then +# it guarantees that the distribution is self-contained by making another +# tarfile. 
+distcheck: dist + case '$(DIST_ARCHIVES)' in \ + *.tar.gz*) \ + eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\ + *.tar.bz2*) \ + bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ + *.tar.lz*) \ + lzip -dc $(distdir).tar.lz | $(am__untar) ;;\ + *.tar.xz*) \ + xz -dc $(distdir).tar.xz | $(am__untar) ;;\ + *.tar.Z*) \ + uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ + *.shar.gz*) \ + eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ + *.zip*) \ + unzip $(distdir).zip ;;\ + esac + chmod -R a-w $(distdir) + chmod u+w $(distdir) + mkdir $(distdir)/_build $(distdir)/_build/sub $(distdir)/_inst + chmod a-w $(distdir) + test -d $(distdir)/_build || exit 0; \ + dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ + && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ + && am__cwd=`pwd` \ + && $(am__cd) $(distdir)/_build/sub \ + && ../../configure \ + $(AM_DISTCHECK_CONFIGURE_FLAGS) \ + $(DISTCHECK_CONFIGURE_FLAGS) \ + --srcdir=../.. --prefix="$$dc_install_base" \ + && $(MAKE) $(AM_MAKEFLAGS) \ + && $(MAKE) $(AM_MAKEFLAGS) dvi \ + && $(MAKE) $(AM_MAKEFLAGS) check \ + && $(MAKE) $(AM_MAKEFLAGS) install \ + && $(MAKE) $(AM_MAKEFLAGS) installcheck \ + && $(MAKE) $(AM_MAKEFLAGS) uninstall \ + && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \ + distuninstallcheck \ + && chmod -R a-w "$$dc_install_base" \ + && ({ \ + (cd ../.. 
&& umask 077 && mkdir "$$dc_destdir") \ + && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \ + && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \ + && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \ + distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \ + } || { rm -rf "$$dc_destdir"; exit 1; }) \ + && rm -rf "$$dc_destdir" \ + && $(MAKE) $(AM_MAKEFLAGS) dist \ + && rm -rf $(DIST_ARCHIVES) \ + && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ + && cd "$$am__cwd" \ + || exit 1 + $(am__post_remove_distdir) + @(echo "$(distdir) archives ready for distribution: "; \ + list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ + sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' +distuninstallcheck: + @test -n '$(distuninstallcheck_dir)' || { \ + echo 'ERROR: trying to run $@ with an empty' \ + '$$(distuninstallcheck_dir)' >&2; \ + exit 1; \ + }; \ + $(am__cd) '$(distuninstallcheck_dir)' || { \ + echo 'ERROR: cannot chdir into $(distuninstallcheck_dir)' >&2; \ + exit 1; \ + }; \ + test `$(am__distuninstallcheck_listfiles) | wc -l` -eq 0 \ + || { echo "ERROR: files left after uninstall:" ; \ + if test -n "$(DESTDIR)"; then \ + echo " (check DESTDIR support)"; \ + fi ; \ + $(distuninstallcheck_listfiles) ; \ + exit 1; } >&2 +distcleancheck: distclean + @if test '$(srcdir)' = . 
; then \ + echo "ERROR: distcleancheck can only run from a VPATH build" ; \ + exit 1 ; \ + fi + @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ + || { echo "ERROR: files left in build directory after distclean:" ; \ + $(distcleancheck_listfiles) ; \ + exit 1; } >&2 +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_LTLIBRARIES) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-recursive +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) $(DATA) \ + $(HEADERS) config.h all-local +install-binPROGRAMS: install-libLTLIBRARIES + +installdirs: installdirs-recursive +installdirs-am: + for dir in "$(DESTDIR)$(autofslibdir)" "$(DESTDIR)$(cifsplugindir)" "$(DESTDIR)$(krb5authdata_plugindir)" "$(DESTDIR)$(krb5localauth_plugindir)" "$(DESTDIR)$(krb5plugindir)" "$(DESTDIR)$(ldblibdir)" "$(DESTDIR)$(libdir)" "$(DESTDIR)$(libwbclientdir)" "$(DESTDIR)$(nfslibdir)" "$(DESTDIR)$(nsslibdir)" "$(DESTDIR)$(pamlibdir)" "$(DESTDIR)$(pkglibdir)" "$(DESTDIR)$(py2execdir)" "$(DESTDIR)$(py3execdir)" "$(DESTDIR)$(sssdlibdir)" "$(DESTDIR)$(sudolibdir)" "$(DESTDIR)$(winbindplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(sssdlibexecdir)" "$(DESTDIR)$(sss_obfuscate_pythondir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(dbuspolicydir)" "$(DESTDIR)$(dbusservicedir)" "$(DESTDIR)$(pamconfdir)" "$(DESTDIR)$(polkit_rulesdir)" "$(DESTDIR)$(sssdapiplugindir)" "$(DESTDIR)$(sssddatadir)" "$(DESTDIR)$(sssddefaultconfdir)" "$(DESTDIR)$(sssdkcmdatadir)" "$(DESTDIR)$(sssdtapscriptdir)" "$(DESTDIR)$(systemtap_tapdir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(systemdconfdir)" "$(DESTDIR)$(systemdunitdir)" "$(DESTDIR)$(systemtap_tapdir)" "$(DESTDIR)$(includedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive + 
+install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-recursive +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS) + -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs) + -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f src/confdb/$(DEPDIR)/$(am__dirstamp) + -rm -f src/confdb/$(am__dirstamp) + -rm -f src/db/$(DEPDIR)/$(am__dirstamp) + -rm -f src/db/$(am__dirstamp) + -rm -f src/krb5_plugin/$(DEPDIR)/$(am__dirstamp) + -rm -f src/krb5_plugin/$(am__dirstamp) + -rm -f src/ldb_modules/$(DEPDIR)/$(am__dirstamp) + -rm -f src/ldb_modules/$(am__dirstamp) + -rm -f src/lib/certmap/$(DEPDIR)/$(am__dirstamp) + -rm -f src/lib/certmap/$(am__dirstamp) + -rm -f src/lib/cifs_idmap_sss/$(DEPDIR)/$(am__dirstamp) + -rm -f src/lib/cifs_idmap_sss/$(am__dirstamp) + -rm -f src/lib/idmap/$(DEPDIR)/$(am__dirstamp) + -rm -f src/lib/idmap/$(am__dirstamp) + -rm -f src/lib/ipa_hbac/$(DEPDIR)/$(am__dirstamp) + -rm -f src/lib/ipa_hbac/$(am__dirstamp) + -rm -f src/lib/sifp/$(DEPDIR)/$(am__dirstamp) + -rm -f src/lib/sifp/$(am__dirstamp) + -rm -f src/lib/winbind_idmap_sss/$(DEPDIR)/$(am__dirstamp) + -rm -f src/lib/winbind_idmap_sss/$(am__dirstamp) + -rm -f src/monitor/$(DEPDIR)/$(am__dirstamp) + -rm -f src/monitor/$(am__dirstamp) + -rm 
-f src/p11_child/$(DEPDIR)/$(am__dirstamp) + -rm -f src/p11_child/$(am__dirstamp) + -rm -f src/providers/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/$(am__dirstamp) + -rm -f src/providers/ad/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/ad/$(am__dirstamp) + -rm -f src/providers/data_provider/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/data_provider/$(am__dirstamp) + -rm -f src/providers/files/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/files/$(am__dirstamp) + -rm -f src/providers/ipa/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/ipa/$(am__dirstamp) + -rm -f src/providers/krb5/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/krb5/$(am__dirstamp) + -rm -f src/providers/ldap/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/ldap/$(am__dirstamp) + -rm -f src/providers/proxy/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/proxy/$(am__dirstamp) + -rm -f src/providers/simple/$(DEPDIR)/$(am__dirstamp) + -rm -f src/providers/simple/$(am__dirstamp) + -rm -f src/python/$(DEPDIR)/$(am__dirstamp) + -rm -f src/python/$(am__dirstamp) + -rm -f src/resolv/$(DEPDIR)/$(am__dirstamp) + -rm -f src/resolv/$(am__dirstamp) + -rm -f src/responder/autofs/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/autofs/$(am__dirstamp) + -rm -f src/responder/common/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/common/$(am__dirstamp) + -rm -f src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/common/cache_req/$(am__dirstamp) + -rm -f src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/common/cache_req/plugins/$(am__dirstamp) + -rm -f src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/common/data_provider/$(am__dirstamp) + -rm -f src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/common/iface/$(am__dirstamp) + -rm -f src/responder/ifp/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/ifp/$(am__dirstamp) + -rm -f src/responder/kcm/$(DEPDIR)/$(am__dirstamp) + 
-rm -f src/responder/kcm/$(am__dirstamp) + -rm -f src/responder/nss/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/nss/$(am__dirstamp) + -rm -f src/responder/pac/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/pac/$(am__dirstamp) + -rm -f src/responder/pam/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/pam/$(am__dirstamp) + -rm -f src/responder/secrets/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/secrets/$(am__dirstamp) + -rm -f src/responder/ssh/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/ssh/$(am__dirstamp) + -rm -f src/responder/sudo/$(DEPDIR)/$(am__dirstamp) + -rm -f src/responder/sudo/$(am__dirstamp) + -rm -f src/sbus/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sbus/$(am__dirstamp) + -rm -f src/sss_client/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/$(am__dirstamp) + -rm -f src/sss_client/autofs/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/autofs/$(am__dirstamp) + -rm -f src/sss_client/idmap/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/idmap/$(am__dirstamp) + -rm -f src/sss_client/libwbclient/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/libwbclient/$(am__dirstamp) + -rm -f src/sss_client/nfs/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/nfs/$(am__dirstamp) + -rm -f src/sss_client/ssh/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/ssh/$(am__dirstamp) + -rm -f src/sss_client/sudo/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/sudo/$(am__dirstamp) + -rm -f src/sss_client/sudo_testcli/$(DEPDIR)/$(am__dirstamp) + -rm -f src/sss_client/sudo_testcli/$(am__dirstamp) + -rm -f src/tests/$(DEPDIR)/$(am__dirstamp) + -rm -f src/tests/$(am__dirstamp) + -rm -f src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + -rm -f src/tests/cmocka/$(am__dirstamp) + -rm -f src/tests/cmocka/data_provider/$(DEPDIR)/$(am__dirstamp) + -rm -f src/tests/cmocka/data_provider/$(am__dirstamp) + -rm -f src/tools/$(DEPDIR)/$(am__dirstamp) + -rm -f src/tools/$(am__dirstamp) + -rm -f src/tools/common/$(DEPDIR)/$(am__dirstamp) + -rm -f src/tools/common/$(am__dirstamp) + 
-rm -f src/tools/sssctl/$(DEPDIR)/$(am__dirstamp) + -rm -f src/tools/sssctl/$(am__dirstamp) + -rm -f src/util/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/$(am__dirstamp) + -rm -f src/util/cert/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/cert/$(am__dirstamp) + -rm -f src/util/cert/libcrypto/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/cert/libcrypto/$(am__dirstamp) + -rm -f src/util/cert/nss/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/cert/nss/$(am__dirstamp) + -rm -f src/util/crypto/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/crypto/$(am__dirstamp) + -rm -f src/util/crypto/libcrypto/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/crypto/libcrypto/$(am__dirstamp) + -rm -f src/util/crypto/nss/$(DEPDIR)/$(am__dirstamp) + -rm -f src/util/crypto/nss/$(am__dirstamp) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) +clean: clean-recursive + +clean-am: clean-autofslibLTLIBRARIES clean-binPROGRAMS \ + clean-checkLTLIBRARIES clean-checkPROGRAMS \ + clean-cifspluginLTLIBRARIES clean-generic \ + clean-krb5authdata_pluginLTLIBRARIES \ + clean-krb5localauth_pluginLTLIBRARIES \ + clean-krb5pluginLTLIBRARIES clean-ldblibLTLIBRARIES \ + clean-libLTLIBRARIES clean-libtool \ + clean-libwbclientLTLIBRARIES clean-local \ + clean-nfslibLTLIBRARIES clean-noinstLTLIBRARIES \ + clean-noinstPROGRAMS clean-nsslibLTLIBRARIES \ + clean-pamlibLTLIBRARIES clean-pkglibLTLIBRARIES \ + clean-py2execLTLIBRARIES clean-py3execLTLIBRARIES \ + clean-sbinPROGRAMS clean-sssdlibLTLIBRARIES \ + clean-sssdlibexecPROGRAMS clean-sudolibLTLIBRARIES \ + clean-winbindpluginLTLIBRARIES mostlyclean-am + +distclean: distclean-recursive + -rm -f $(am__CONFIG_DISTCLEAN_FILES) + -rm -rf src/confdb/$(DEPDIR) src/db/$(DEPDIR) src/krb5_plugin/$(DEPDIR) src/ldb_modules/$(DEPDIR) src/lib/certmap/$(DEPDIR) src/lib/cifs_idmap_sss/$(DEPDIR) src/lib/idmap/$(DEPDIR) 
src/lib/ipa_hbac/$(DEPDIR) src/lib/sifp/$(DEPDIR) src/lib/winbind_idmap_sss/$(DEPDIR) src/monitor/$(DEPDIR) src/p11_child/$(DEPDIR) src/providers/$(DEPDIR) src/providers/ad/$(DEPDIR) src/providers/data_provider/$(DEPDIR) src/providers/files/$(DEPDIR) src/providers/ipa/$(DEPDIR) src/providers/krb5/$(DEPDIR) src/providers/ldap/$(DEPDIR) src/providers/proxy/$(DEPDIR) src/providers/simple/$(DEPDIR) src/python/$(DEPDIR) src/resolv/$(DEPDIR) src/responder/autofs/$(DEPDIR) src/responder/common/$(DEPDIR) src/responder/common/cache_req/$(DEPDIR) src/responder/common/cache_req/plugins/$(DEPDIR) src/responder/common/data_provider/$(DEPDIR) src/responder/common/iface/$(DEPDIR) src/responder/ifp/$(DEPDIR) src/responder/kcm/$(DEPDIR) src/responder/nss/$(DEPDIR) src/responder/pac/$(DEPDIR) src/responder/pam/$(DEPDIR) src/responder/secrets/$(DEPDIR) src/responder/ssh/$(DEPDIR) src/responder/sudo/$(DEPDIR) src/sbus/$(DEPDIR) src/sss_client/$(DEPDIR) src/sss_client/autofs/$(DEPDIR) src/sss_client/idmap/$(DEPDIR) src/sss_client/libwbclient/$(DEPDIR) src/sss_client/nfs/$(DEPDIR) src/sss_client/ssh/$(DEPDIR) src/sss_client/sudo/$(DEPDIR) src/sss_client/sudo_testcli/$(DEPDIR) src/tests/$(DEPDIR) src/tests/cmocka/$(DEPDIR) src/tests/cmocka/data_provider/$(DEPDIR) src/tools/$(DEPDIR) src/tools/common/$(DEPDIR) src/tools/sssctl/$(DEPDIR) src/util/$(DEPDIR) src/util/cert/$(DEPDIR) src/util/cert/libcrypto/$(DEPDIR) src/util/cert/nss/$(DEPDIR) src/util/crypto/$(DEPDIR) src/util/crypto/libcrypto/$(DEPDIR) src/util/crypto/nss/$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-hdr distclean-libtool distclean-tags + +dvi: dvi-recursive + +dvi-am: + +html: html-recursive + +html-am: + +info: info-recursive + +info-am: + +install-data-am: install-autofslibLTLIBRARIES \ + install-cifspluginLTLIBRARIES install-dist_dbuspolicyDATA \ + install-dist_dbusserviceDATA install-dist_pamconfDATA \ + install-dist_polkit_rulesDATA \ + 
install-dist_sss_obfuscate_pythonSCRIPTS \ + install-dist_sssdapipluginDATA install-dist_sssddataDATA \ + install-dist_sssddefaultconfDATA install-dist_sssdkcmdataDATA \ + install-dist_sssdtapscriptDATA install-dist_systemtap_tapDATA \ + install-includeHEADERS install-initSCRIPTS \ + install-krb5authdata_pluginLTLIBRARIES \ + install-krb5localauth_pluginLTLIBRARIES \ + install-krb5pluginLTLIBRARIES install-ldblibLTLIBRARIES \ + install-libwbclientLTLIBRARIES install-nfslibLTLIBRARIES \ + install-nsslibLTLIBRARIES install-pamlibLTLIBRARIES \ + install-pkgconfigDATA install-sssdlibLTLIBRARIES \ + install-sudolibLTLIBRARIES install-systemdconfDATA \ + install-systemdunitDATA install-systemtap_tapDATA \ + install-winbindpluginLTLIBRARIES + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-recursive + +install-dvi-am: + +install-exec-am: install-binPROGRAMS install-libLTLIBRARIES \ + install-pkglibLTLIBRARIES install-py2execLTLIBRARIES \ + install-py3execLTLIBRARIES install-sbinPROGRAMS \ + install-sbinSCRIPTS install-sssdlibexecPROGRAMS + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-exec-hook +install-html: install-html-recursive + +install-html-am: + +install-info: install-info-recursive + +install-info-am: + +install-man: + +install-pdf: install-pdf-recursive + +install-pdf-am: + +install-ps: install-ps-recursive + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-recursive + -rm -f $(am__CONFIG_DISTCLEAN_FILES) + -rm -rf $(top_srcdir)/autom4te.cache + -rm -rf src/confdb/$(DEPDIR) src/db/$(DEPDIR) src/krb5_plugin/$(DEPDIR) src/ldb_modules/$(DEPDIR) src/lib/certmap/$(DEPDIR) src/lib/cifs_idmap_sss/$(DEPDIR) src/lib/idmap/$(DEPDIR) src/lib/ipa_hbac/$(DEPDIR) src/lib/sifp/$(DEPDIR) src/lib/winbind_idmap_sss/$(DEPDIR) src/monitor/$(DEPDIR) src/p11_child/$(DEPDIR) src/providers/$(DEPDIR) src/providers/ad/$(DEPDIR) src/providers/data_provider/$(DEPDIR) src/providers/files/$(DEPDIR) 
src/providers/ipa/$(DEPDIR) src/providers/krb5/$(DEPDIR) src/providers/ldap/$(DEPDIR) src/providers/proxy/$(DEPDIR) src/providers/simple/$(DEPDIR) src/python/$(DEPDIR) src/resolv/$(DEPDIR) src/responder/autofs/$(DEPDIR) src/responder/common/$(DEPDIR) src/responder/common/cache_req/$(DEPDIR) src/responder/common/cache_req/plugins/$(DEPDIR) src/responder/common/data_provider/$(DEPDIR) src/responder/common/iface/$(DEPDIR) src/responder/ifp/$(DEPDIR) src/responder/kcm/$(DEPDIR) src/responder/nss/$(DEPDIR) src/responder/pac/$(DEPDIR) src/responder/pam/$(DEPDIR) src/responder/secrets/$(DEPDIR) src/responder/ssh/$(DEPDIR) src/responder/sudo/$(DEPDIR) src/sbus/$(DEPDIR) src/sss_client/$(DEPDIR) src/sss_client/autofs/$(DEPDIR) src/sss_client/idmap/$(DEPDIR) src/sss_client/libwbclient/$(DEPDIR) src/sss_client/nfs/$(DEPDIR) src/sss_client/ssh/$(DEPDIR) src/sss_client/sudo/$(DEPDIR) src/sss_client/sudo_testcli/$(DEPDIR) src/tests/$(DEPDIR) src/tests/cmocka/$(DEPDIR) src/tests/cmocka/data_provider/$(DEPDIR) src/tools/$(DEPDIR) src/tools/common/$(DEPDIR) src/tools/sssctl/$(DEPDIR) src/util/$(DEPDIR) src/util/cert/$(DEPDIR) src/util/cert/libcrypto/$(DEPDIR) src/util/cert/nss/$(DEPDIR) src/util/crypto/$(DEPDIR) src/util/crypto/libcrypto/$(DEPDIR) src/util/crypto/nss/$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-recursive + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-recursive + +pdf-am: + +ps: ps-recursive + +ps-am: + +uninstall-am: uninstall-autofslibLTLIBRARIES uninstall-binPROGRAMS \ + uninstall-cifspluginLTLIBRARIES uninstall-dist_dbuspolicyDATA \ + uninstall-dist_dbusserviceDATA uninstall-dist_pamconfDATA \ + uninstall-dist_polkit_rulesDATA \ + uninstall-dist_sss_obfuscate_pythonSCRIPTS \ + uninstall-dist_sssdapipluginDATA uninstall-dist_sssddataDATA \ + uninstall-dist_sssddefaultconfDATA \ + uninstall-dist_sssdkcmdataDATA \ + uninstall-dist_sssdtapscriptDATA 
\ + uninstall-dist_systemtap_tapDATA uninstall-includeHEADERS \ + uninstall-initSCRIPTS uninstall-krb5authdata_pluginLTLIBRARIES \ + uninstall-krb5localauth_pluginLTLIBRARIES \ + uninstall-krb5pluginLTLIBRARIES uninstall-ldblibLTLIBRARIES \ + uninstall-libLTLIBRARIES uninstall-libwbclientLTLIBRARIES \ + uninstall-nfslibLTLIBRARIES uninstall-nsslibLTLIBRARIES \ + uninstall-pamlibLTLIBRARIES uninstall-pkgconfigDATA \ + uninstall-pkglibLTLIBRARIES uninstall-py2execLTLIBRARIES \ + uninstall-py3execLTLIBRARIES uninstall-sbinPROGRAMS \ + uninstall-sbinSCRIPTS uninstall-sssdlibLTLIBRARIES \ + uninstall-sssdlibexecPROGRAMS uninstall-sudolibLTLIBRARIES \ + uninstall-systemdconfDATA uninstall-systemdunitDATA \ + uninstall-systemtap_tapDATA uninstall-winbindpluginLTLIBRARIES + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook +.MAKE: $(am__recursive_targets) all check check-am install install-am \ + install-data-am install-exec-am install-strip uninstall-am + +.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am all-local \ + am--refresh check check-TESTS check-am clean \ + clean-autofslibLTLIBRARIES clean-binPROGRAMS \ + clean-checkLTLIBRARIES clean-checkPROGRAMS \ + clean-cifspluginLTLIBRARIES clean-cscope clean-generic \ + clean-krb5authdata_pluginLTLIBRARIES \ + clean-krb5localauth_pluginLTLIBRARIES \ + clean-krb5pluginLTLIBRARIES clean-ldblibLTLIBRARIES \ + clean-libLTLIBRARIES clean-libtool \ + clean-libwbclientLTLIBRARIES clean-local \ + clean-nfslibLTLIBRARIES clean-noinstLTLIBRARIES \ + clean-noinstPROGRAMS clean-nsslibLTLIBRARIES \ + clean-pamlibLTLIBRARIES clean-pkglibLTLIBRARIES \ + clean-py2execLTLIBRARIES clean-py3execLTLIBRARIES \ + clean-sbinPROGRAMS clean-sssdlibLTLIBRARIES \ + clean-sssdlibexecPROGRAMS clean-sudolibLTLIBRARIES \ + clean-winbindpluginLTLIBRARIES cscope cscopelist-am ctags \ + ctags-am dist dist-all dist-bzip2 dist-gzip dist-lzip \ + dist-shar dist-tarZ dist-xz dist-zip distcheck distclean \ + distclean-compile 
distclean-generic distclean-hdr \ + distclean-libtool distclean-tags distcleancheck distdir \ + distuninstallcheck dvi dvi-am html html-am info info-am \ + install install-am install-autofslibLTLIBRARIES \ + install-binPROGRAMS install-cifspluginLTLIBRARIES install-data \ + install-data-am install-data-hook install-dist_dbuspolicyDATA \ + install-dist_dbusserviceDATA install-dist_pamconfDATA \ + install-dist_polkit_rulesDATA \ + install-dist_sss_obfuscate_pythonSCRIPTS \ + install-dist_sssdapipluginDATA install-dist_sssddataDATA \ + install-dist_sssddefaultconfDATA install-dist_sssdkcmdataDATA \ + install-dist_sssdtapscriptDATA install-dist_systemtap_tapDATA \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-exec-hook install-html install-html-am \ + install-includeHEADERS install-info install-info-am \ + install-initSCRIPTS install-krb5authdata_pluginLTLIBRARIES \ + install-krb5localauth_pluginLTLIBRARIES \ + install-krb5pluginLTLIBRARIES install-ldblibLTLIBRARIES \ + install-libLTLIBRARIES install-libwbclientLTLIBRARIES \ + install-man install-nfslibLTLIBRARIES \ + install-nsslibLTLIBRARIES install-pamlibLTLIBRARIES \ + install-pdf install-pdf-am install-pkgconfigDATA \ + install-pkglibLTLIBRARIES install-ps install-ps-am \ + install-py2execLTLIBRARIES install-py3execLTLIBRARIES \ + install-sbinPROGRAMS install-sbinSCRIPTS \ + install-sssdlibLTLIBRARIES install-sssdlibexecPROGRAMS \ + install-strip install-sudolibLTLIBRARIES \ + install-systemdconfDATA install-systemdunitDATA \ + install-systemtap_tapDATA install-winbindpluginLTLIBRARIES \ + installcheck installcheck-am installdirs installdirs-am \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am recheck tags tags-am uninstall \ + uninstall-am uninstall-autofslibLTLIBRARIES \ + uninstall-binPROGRAMS uninstall-cifspluginLTLIBRARIES \ + uninstall-dist_dbuspolicyDATA uninstall-dist_dbusserviceDATA \ + 
uninstall-dist_pamconfDATA uninstall-dist_polkit_rulesDATA \ + uninstall-dist_sss_obfuscate_pythonSCRIPTS \ + uninstall-dist_sssdapipluginDATA uninstall-dist_sssddataDATA \ + uninstall-dist_sssddefaultconfDATA \ + uninstall-dist_sssdkcmdataDATA \ + uninstall-dist_sssdtapscriptDATA \ + uninstall-dist_systemtap_tapDATA uninstall-hook \ + uninstall-includeHEADERS uninstall-initSCRIPTS \ + uninstall-krb5authdata_pluginLTLIBRARIES \ + uninstall-krb5localauth_pluginLTLIBRARIES \ + uninstall-krb5pluginLTLIBRARIES uninstall-ldblibLTLIBRARIES \ + uninstall-libLTLIBRARIES uninstall-libwbclientLTLIBRARIES \ + uninstall-nfslibLTLIBRARIES uninstall-nsslibLTLIBRARIES \ + uninstall-pamlibLTLIBRARIES uninstall-pkgconfigDATA \ + uninstall-pkglibLTLIBRARIES uninstall-py2execLTLIBRARIES \ + uninstall-py3execLTLIBRARIES uninstall-sbinPROGRAMS \ + uninstall-sbinSCRIPTS uninstall-sssdlibLTLIBRARIES \ + uninstall-sssdlibexecPROGRAMS uninstall-sudolibLTLIBRARIES \ + uninstall-systemdconfDATA uninstall-systemdunitDATA \ + uninstall-systemtap_tapDATA uninstall-winbindpluginLTLIBRARIES + +.PRECIOUS: Makefile + + +# Some old versions of automake don't define builddir +builddir ?= . 
+ +@BUILD_SYSTEMTAP_TRUE@stap_generated_probes.h: $(srcdir)/src/systemtap/sssd_probes.d +@BUILD_SYSTEMTAP_TRUE@ $(AM_V_GEN)$(DTRACE) -C -h -s $< -o $@ + +@BUILD_SYSTEMTAP_TRUE@stap_generated_probes.o: $(srcdir)/src/systemtap/sssd_probes.d stap_generated_probes.h +@BUILD_SYSTEMTAP_TRUE@ $(AM_V_GEN)$(DTRACE) -C -G -s $< -o $@ + +@BUILD_SYSTEMTAP_TRUE@stap_generated_probes.lo: stap_generated_probes.o +@BUILD_SYSTEMTAP_TRUE@ $(AM_V_GEN)printf %s\\n \ +@BUILD_SYSTEMTAP_TRUE@ '# $@ - a libtool object file' \ +@BUILD_SYSTEMTAP_TRUE@ '# Generated by libtool (GNU libtool) 2.4' \ +@BUILD_SYSTEMTAP_TRUE@ '# Actually generated by Makefile.am, in order to shut up libtool' \ +@BUILD_SYSTEMTAP_TRUE@ "pic_object='$<'" \ +@BUILD_SYSTEMTAP_TRUE@ "non_pic_object='$<'" \ +@BUILD_SYSTEMTAP_TRUE@ > $@ + +.xml_generated.h: + $(srcdir)/$(SBUS_CODEGEN) --mode=header --output=$@ $< +.xml_generated.c: + $(srcdir)/$(SBUS_CODEGEN) --mode=source --include=$(@:.c=.h) --output=$@ $< + +$(CODEGEN_CODE): $(SBUS_CODEGEN) + +@BUILD_IFP_TRUE@src/responder/ifp/org.freedesktop.sssd.infopipe.service: src/responder/ifp/org.freedesktop.sssd.infopipe.service.in Makefile +@BUILD_IFP_TRUE@ $(ifp_replace_script) + $(NULL) + $(NULL) + +ldb_mod_test_dir: memberof.la + $(MKDIR_P) $(builddir)/ldb_mod_test_dir + cp $(builddir)/.libs/memberof.so $(builddir)/ldb_mod_test_dir + +##################### +# Integration tests # +##################### + +intgcheck-prepare: + set -e; \ + rm -Rf intg; \ + $(MKDIR_P) intg/bld; \ + : Use /hopefully/ short prefix to keep D-Bus socket path short; \ + prefix=`mktemp --dry-run --tmpdir --directory sssd-intg.XXXXXXXX`; \ + prefix=`echo $$prefix | tr '[:upper:]' '[:lower:]'`; \ + mkdir -p $$prefix; \ + $(LN_S) "$$prefix" intg/pfx; \ + cd intg/bld; \ + $(abs_top_srcdir)/configure \ + --prefix="$$prefix" \ + --with-ldb-lib-dir="$$prefix"/lib/ldb \ + --enable-intgcheck-reqs \ + --without-semanage \ + --with-session-recording-shell=/bin/false \ + $(INTGCHECK_CONFIGURE_FLAGS) \ + 
CFLAGS="-O2 -g $$CFLAGS -DKCM_PEER_UID=$$(id -u)"; \ + $(MAKE) $(AM_MAKEFLAGS) ; \ + $(MAKE) $(AM_MAKEFLAGS) test_ssh_client; \ + : Force single-thread install to workaround concurrency issues; \ + $(MAKE) $(AM_MAKEFLAGS) -j1 install; \ + : Remove .la files from LDB module directory to avoid loader warnings; \ + rm "$$prefix"/lib/ldb/*.la; \ + cd ../.. + +intgcheck-run: + set -e; \ + if [ ! -d intg/pfx ]; then $(MAKE) intgcheck-prepare; fi; \ + cd intg/bld; \ + $(MAKE) $(AM_MAKEFLAGS) -C src/tests/intg intgcheck-installed; \ + cd ../.. + +intgcheck-clean: + set -e; \ + prefix=`readlink -e intg/pfx`; \ + rm -Rf "$$prefix" intg + +intgcheck: + $(MAKE) intgcheck-prepare + $(MAKE) intgcheck-run + $(MAKE) intgcheck-clean +@BUILD_SEMANAGE_TRUE@ $(NULL) +@BUILD_SAMBA_TRUE@ $(NULL) + +################ +# TRANSLATIONS # +################ +update-po: +@HAVE_MANPAGES_TRUE@ $(MAKE) -C src/man update-po + $(MAKE) -C po update-po + +src/sysv/systemd/sssd.service: src/sysv/systemd/sssd.service.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-nss.socket: src/sysv/systemd/sssd-nss.socket.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-nss.service: src/sysv/systemd/sssd-nss.service.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-pam.socket: src/sysv/systemd/sssd-pam.socket.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-pam-priv.socket: src/sysv/systemd/sssd-pam-priv.socket.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-pam.service: src/sysv/systemd/sssd-pam.service.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-secrets.socket: src/sysv/systemd/sssd-secrets.socket.in Makefile + @$(MKDIR_P) src/sysv/systemd/ + $(replace_script) + +src/sysv/systemd/sssd-secrets.service: src/sysv/systemd/sssd-secrets.service.in Makefile + @$(MKDIR_P) 
src/sysv/systemd/ + $(replace_script) + +@BUILD_AUTOFS_TRUE@src/sysv/systemd/sssd-autofs.socket: src/sysv/systemd/sssd-autofs.socket.in Makefile +@BUILD_AUTOFS_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_AUTOFS_TRUE@ $(replace_script) + +@BUILD_AUTOFS_TRUE@src/sysv/systemd/sssd-autofs.service: src/sysv/systemd/sssd-autofs.service.in Makefile +@BUILD_AUTOFS_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_AUTOFS_TRUE@ $(replace_script) + +@BUILD_IFP_TRUE@src/sysv/systemd/sssd-ifp.service: src/sysv/systemd/sssd-ifp.service.in Makefile +@BUILD_IFP_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_IFP_TRUE@ $(ifp_replace_script) + +@BUILD_PAC_RESPONDER_TRUE@src/sysv/systemd/sssd-pac.socket: src/sysv/systemd/sssd-pac.socket.in Makefile +@BUILD_PAC_RESPONDER_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_PAC_RESPONDER_TRUE@ $(replace_script) + +@BUILD_PAC_RESPONDER_TRUE@src/sysv/systemd/sssd-pac.service: src/sysv/systemd/sssd-pac.service.in Makefile +@BUILD_PAC_RESPONDER_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_PAC_RESPONDER_TRUE@ $(replace_script) + +@BUILD_SSH_TRUE@src/sysv/systemd/sssd-ssh.socket: src/sysv/systemd/sssd-ssh.socket.in Makefile +@BUILD_SSH_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_SSH_TRUE@ $(replace_script) + +@BUILD_SSH_TRUE@src/sysv/systemd/sssd-ssh.service: src/sysv/systemd/sssd-ssh.service.in Makefile +@BUILD_SSH_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_SSH_TRUE@ $(replace_script) + +@BUILD_SUDO_TRUE@src/sysv/systemd/sssd-sudo.socket: src/sysv/systemd/sssd-sudo.socket.in Makefile +@BUILD_SUDO_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_SUDO_TRUE@ $(replace_script) + +@BUILD_SUDO_TRUE@src/sysv/systemd/sssd-sudo.service: src/sysv/systemd/sssd-sudo.service.in Makefile +@BUILD_SUDO_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_SUDO_TRUE@ $(replace_script) + +@BUILD_KCM_TRUE@src/sysv/systemd/sssd-kcm.socket: src/sysv/systemd/sssd-kcm.socket.in Makefile +@BUILD_KCM_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_KCM_TRUE@ $(replace_script) + 
+@BUILD_KCM_TRUE@src/sysv/systemd/sssd-kcm.service: src/sysv/systemd/sssd-kcm.service.in Makefile +@BUILD_KCM_TRUE@ @$(MKDIR_P) src/sysv/systemd/ +@BUILD_KCM_TRUE@ $(replace_script) + +src/tools/wrappers/sss_debuglevel: src/tools/wrappers/sss_debuglevel.in Makefile + @$(MKDIR_P) src/tools/wrappers/ + $(replace_script) + +installsssddirs:: + $(MKDIR_P) \ + $(DESTDIR)$(includedir) \ + $(DESTDIR)$(libdir) \ + $(DESTDIR)$(bindir) \ + $(DESTDIR)$(sbindir) \ + $(DESTDIR)$(mandir) \ + $(DESTDIR)$(pidpath) \ + $(DESTDIR)$(pluginpath) \ + $(DESTDIR)$(libdir)/ldb \ + $(DESTDIR)$(dbuspolicydir) \ + $(DESTDIR)$(dbusservicedir) \ + $(DESTDIR)$(sssdlibdir) \ + $(DESTDIR)$(pkglibdir) \ + $(DESTDIR)$(sssddatadir) \ + $(DESTDIR)$(sudolibdir) \ + $(DESTDIR)$(autofslibdir) \ + $(DESTDIR)$(pipepath)/private \ + $(SSSD_USER_DIRS) \ + $(NULL); +@SSSD_USER_TRUE@ -chown $(SSSD_USER):$(SSSD_USER) $(SSSD_USER_DIRS) +@SSSD_USER_TRUE@ -chown $(SSSD_USER) $(DESTDIR)$(pipepath)/private + $(INSTALL) -d -m 0700 $(DESTDIR)$(dbpath) $(DESTDIR)$(logpath) \ + $(DESTDIR)$(keytabdir) \ + $(NULL) + $(INSTALL) -d -m 0750 $(DESTDIR)$(pipepath)/private + $(INSTALL) -d -m 0755 $(DESTDIR)$(mcpath) $(DESTDIR)$(pipepath) \ + $(DESTDIR)$(pubconfpath) \ + $(DESTDIR)$(pubconfpath)/krb5.include.d $(DESTDIR)$(gpocachepath) + $(INSTALL) -d -m 0711 $(DESTDIR)$(sssdconfdir) \ + $(DESTDIR)$(sssdconfdir)/conf.d \ + $(DESTDIR)$(sssdconfdir)/pki +@BUILD_SECRETS_TRUE@ $(MKDIR_P) $(DESTDIR)$(secdbpath) + +@HAVE_DOXYGEN_TRUE@docs: +@HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/doxy.config +@HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/lib/ipa_hbac/ipa_hbac.doxy +@HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/lib/idmap/sss_idmap.doxy +@HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/sss_client/idmap/sss_nss_idmap.doxy +@HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/lib/certmap/sss_certmap.doxy +@BUILD_IFP_TRUE@@HAVE_DOXYGEN_TRUE@ $(DOXYGEN) src/lib/sifp/sss_simpleifp.doxy +@HAVE_DOXYGEN_FALSE@docs: +@HAVE_DOXYGEN_FALSE@ @echo "Doxygen not installed, cannot generate documentation" 
+@HAVE_DOXYGEN_FALSE@ @exit 1 + +@BUILD_PYTHON_BINDINGS_TRUE@$(abs_builddir)/src/config/SSSDConfig/ipachangeconf.py: +@BUILD_PYTHON_BINDINGS_TRUE@ -cp $(srcdir)/src/config/SSSDConfig/ipachangeconf.py $(builddir)/src/config/SSSDConfig/ + +all-local: ldb_mod_test_dir $(SSSDCONFIG_MODULES) +@BUILD_PYTHON2_BINDINGS_TRUE@ cd $(builddir)/src/config; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config +@BUILD_PYTHON3_BINDINGS_TRUE@ cd $(builddir)/src/config; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config + +install-exec-hook: installsssddirs +@BUILD_PYTHON2_BINDINGS_TRUE@ if [ "$(DESTDIR)" = "" ]; then \ +@BUILD_PYTHON2_BINDINGS_TRUE@ cd $(builddir)/src/config; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \ +@BUILD_PYTHON2_BINDINGS_TRUE@ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \ +@BUILD_PYTHON2_BINDINGS_TRUE@ --record=$(abs_builddir)/src/config/.files2; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ else \ +@BUILD_PYTHON2_BINDINGS_TRUE@ cd $(builddir)/src/config; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config \ +@BUILD_PYTHON2_BINDINGS_TRUE@ install $(DISTSETUPOPTS) --prefix=$(PYTHON2_PREFIX) \ +@BUILD_PYTHON2_BINDINGS_TRUE@ --record=$(abs_builddir)/src/config/.files2 --root=$(DESTDIR); \ +@BUILD_PYTHON2_BINDINGS_TRUE@ fi +@BUILD_PYTHON2_BINDINGS_TRUE@ cd $(DESTDIR)$(py2execdir) && \ +@BUILD_PYTHON2_BINDINGS_TRUE@ mv -f _py2sss.so pysss.so ; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ mv -f _py2hbac.so pyhbac.so ; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ mv -f _py2sss_murmur.so pysss_murmur.so ; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ mv -f _py2sss_nss_idmap.so pysss_nss_idmap.so +@BUILD_PYTHON3_BINDINGS_TRUE@ if [ "$(DESTDIR)" = "" ]; then \ +@BUILD_PYTHON3_BINDINGS_TRUE@ cd $(builddir)/src/config; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \ 
+@BUILD_PYTHON3_BINDINGS_TRUE@ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \ +@BUILD_PYTHON3_BINDINGS_TRUE@ --record=$(abs_builddir)/src/config/.files3; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ else \ +@BUILD_PYTHON3_BINDINGS_TRUE@ cd $(builddir)/src/config; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config \ +@BUILD_PYTHON3_BINDINGS_TRUE@ install $(DISTSETUPOPTS) --prefix=$(PYTHON3_PREFIX) \ +@BUILD_PYTHON3_BINDINGS_TRUE@ --record=$(abs_builddir)/src/config/.files3 --root=$(DESTDIR); \ +@BUILD_PYTHON3_BINDINGS_TRUE@ fi +@BUILD_PYTHON3_BINDINGS_TRUE@ cd $(DESTDIR)$(py3execdir) && \ +@BUILD_PYTHON3_BINDINGS_TRUE@ mv -f _py3sss.so pysss.so ; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ mv -f _py3hbac.so pyhbac.so ; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ mv -f _py3sss_murmur.so pysss_murmur.so ; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ mv -f _py3sss_nss_idmap.so pysss_nss_idmap.so + for doc in $(SSSD_DOCS); do \ + $(MKDIR_P) $$doc $(DESTDIR)/$(docdir); \ + cp -a $$doc $(DESTDIR)/$(docdir)/; \ + done; + +@HAVE_SYSTEMD_UNIT_TRUE@ $(MKDIR_P) $(DESTDIR)$(systemdunitdir) +@HAVE_SYSTEMD_UNIT_TRUE@ $(MKDIR_P) $(DESTDIR)$(systemdconfdir) +@HAVE_SYSTEMD_UNIT_FALSE@ $(MKDIR_P) $(DESTDIR)$(initdir) + +@SSSD_USER_TRUE@ -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/ldap_child +@SSSD_USER_TRUE@ chmod 4750 $(DESTDIR)$(sssdlibexecdir)/ldap_child +@SSSD_USER_TRUE@ -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/krb5_child +@SSSD_USER_TRUE@ chmod 4750 $(DESTDIR)$(sssdlibexecdir)/krb5_child +@SSSD_USER_TRUE@ -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/proxy_child +@SSSD_USER_TRUE@ chmod 4750 $(DESTDIR)$(sssdlibexecdir)/proxy_child +@BUILD_SEMANAGE_TRUE@@SSSD_USER_TRUE@ -chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child +@BUILD_SEMANAGE_TRUE@@SSSD_USER_TRUE@ chmod 4750 $(DESTDIR)$(sssdlibexecdir)/selinux_child + +install-data-hook: + rm $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 \ + $(DESTDIR)/$(nsslibdir)/libnss_sss.so + mv 
$(DESTDIR)/$(nsslibdir)/libnss_sss.so.2.0.0 $(DESTDIR)/$(nsslibdir)/libnss_sss.so.2 + if [ ! $(krb5rcachedir) = "__LIBKRB5_DEFAULTS__" ]; then \ + $(MKDIR_P) $(DESTDIR)/$(krb5rcachedir) ; \ + fi +@BUILD_SAMBA_TRUE@ mv $(DESTDIR)/$(winbindplugindir)/winbind_idmap_sss.so $(DESTDIR)/$(winbindplugindir)/sss.so +@BUILD_KCM_TRUE@ $(MKDIR_P) $(DESTDIR)/$(sssdkcmdatadir) + +uninstall-hook: + if [ -f $(abs_builddir)/src/config/.files2 ]; then \ + cat $(abs_builddir)/src/config/.files2 | xargs -iq rm -f $(DESTDIR)/q; \ + rm $(abs_builddir)/src/config/.files2 ; \ + fi + if [ -f $(abs_builddir)/src/config/.files3 ]; then \ + cat $(abs_builddir)/src/config/.files3 | xargs -iq rm -f $(DESTDIR)/q; \ + rm $(abs_builddir)/src/config/.files3 ; \ + fi + for doc in $(SSSD_DOCS); do \ + rm -Rf $(DESTDIR)/$(docdir)/$$doc; \ + done; +@BUILD_PYTHON2_BINDINGS_TRUE@ cd $(DESTDIR)$(py2execdir) && \ +@BUILD_PYTHON2_BINDINGS_TRUE@ rm -f pysss.so pyhbac.so pysss_murmur.so pysss_nss_idmap.so +@BUILD_PYTHON3_BINDINGS_TRUE@ cd $(DESTDIR)$(py3execdir) && \ +@BUILD_PYTHON3_BINDINGS_TRUE@ rm -f pysss.so pyhbac.so pysss_murmur.so pysss_nss_idmap.so +@BUILD_SAMBA_TRUE@ rm $(DESTDIR)/$(winbindplugindir)/sss.so + +clean-local: +@BUILD_PYTHON2_BINDINGS_TRUE@ if [ ! $(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ +@BUILD_PYTHON2_BINDINGS_TRUE@ rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \ +@BUILD_PYTHON2_BINDINGS_TRUE@ fi + +@BUILD_PYTHON2_BINDINGS_TRUE@ rm -f $(builddir)/src/config/SSSDConfig/*.pyc + +@BUILD_PYTHON2_BINDINGS_TRUE@ cd $(builddir)/src/config; $(PYTHON2) setup.py build --build-base $(abs_builddir)/src/config clean --all +@BUILD_PYTHON3_BINDINGS_TRUE@ if [ ! 
$(srcdir)/src/config/SSSDConfig/ipachangeconf.py -ef $(builddir)/src/config/SSSDConfig/ipachangeconf.py ]; then \ +@BUILD_PYTHON3_BINDINGS_TRUE@ rm -f $(builddir)/src/config/SSSDConfig/ipachangeconf.py ; \ +@BUILD_PYTHON3_BINDINGS_TRUE@ fi + +@BUILD_PYTHON3_BINDINGS_TRUE@ rm -f $(builddir)/src/config/SSSDConfig/__pycache__/*.pyc + +@BUILD_PYTHON3_BINDINGS_TRUE@ cd $(builddir)/src/config; $(PYTHON3) setup.py build --build-base $(abs_builddir)/src/config clean --all + for doc in $(SSSD_DOCS); do \ + rm -Rf $$doc; \ + done; + rm -Rf ldb_mod_test_dir + rm -f $(builddir)/src/responder/ifp/org.freedesktop.sssd.infopipe.service + rm -f $(builddir)/src/sysv/systemd/sssd.service + rm -f $(builddir)/src/sysv/systemd/sssd-autofs.socket + rm -f $(builddir)/src/sysv/systemd/sssd-autofs.service + rm -f $(builddir)/src/sysv/systemd/sssd-ifp.service + rm -f $(builddir)/src/sysv/systemd/sssd-nss.socket + rm -f $(builddir)/src/sysv/systemd/sssd-nss.service + rm -f $(builddir)/src/sysv/systemd/sssd-pac.socket + rm -f $(builddir)/src/sysv/systemd/sssd-pac.service + rm -f $(builddir)/src/sysv/systemd/sssd-pam.socket + rm -f $(builddir)/src/sysv/systemd/sssd-pam-priv.socket + rm -f $(builddir)/src/sysv/systemd/sssd-pam.service + rm -f $(builddir)/src/sysv/systemd/sssd-ssh.socket + rm -f $(builddir)/src/sysv/systemd/sssd-ssh.service + rm -f $(builddir)/src/sysv/systemd/sssd-sudo.socket + rm -f $(builddir)/src/sysv/systemd/sssd-sudo.service + rm -f $(builddir)/src/sysv/systemd/sssd-secrets.socket + rm -f $(builddir)/src/sysv/systemd/sssd-secrets.service + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.socket + rm -f $(builddir)/src/sysv/systemd/sssd-kcm.service + rm -f $(builddir)/src/tools/wrappers/sss_debuglevel + +test_CA: test_CA.stamp + +test_CA.stamp: $(srcdir)/src/tests/test_CA/* + $(MAKE) -C src/tests/test_CA ca_all + touch $@ + +tests: all $(check_PROGRAMS) + (cd src/tests/cwrap && $(MAKE) $(AM_MAKEFLAGS) $@) || exit 1; + +# RPM-related tasks + +RPMBUILD ?= $(PWD)/rpmbuild + 
+rpmroot: + $(MKDIR_P) $(RPMBUILD)/BUILD + $(MKDIR_P) $(RPMBUILD)/RPMS + $(MKDIR_P) $(RPMBUILD)/SOURCES + $(MKDIR_P) $(RPMBUILD)/SPECS + $(MKDIR_P) $(RPMBUILD)/SRPMS + +rpmbrprep: dist-gzip rpmroot +# When we're building RPMs from a git checkout, +# we don't want to be bothered with translation +# updates +@GIT_CHECKOUT_TRUE@ git checkout $(srcdir)/po $(srcdir)/src/man/po + cp $(builddir)/contrib/sssd.spec $(RPMBUILD)/SPECS + cp $(distdir).tar.gz $(RPMBUILD)/SOURCES + +rpms: rpmbrprep + cd $(RPMBUILD); \ + rpmbuild --define "_topdir $(RPMBUILD)" -ba SPECS/sssd.spec + +@GIT_CHECKOUT_TRUE@prerelease-rpms: +@GIT_CHECKOUT_TRUE@ cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig +@GIT_CHECKOUT_TRUE@ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \ +@GIT_CHECKOUT_TRUE@ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4 +@GIT_CHECKOUT_TRUE@ $(MAKE) rpms +@GIT_CHECKOUT_TRUE@ mv $(srcdir)/version.m4.orig $(srcdir)/version.m4 + +# make srpms will use the old digest algorithm to be compatible +# with RHEL5 +srpm: rpmbrprep + cd $(RPMBUILD); \ + rpmbuild --define "_topdir $(RPMBUILD)" \ + -bs SPECS/sssd.spec + +@GIT_CHECKOUT_TRUE@prerelease-srpm: +@GIT_CHECKOUT_TRUE@ cp $(srcdir)/version.m4 $(srcdir)/version.m4.orig +@GIT_CHECKOUT_TRUE@ sed -e "s/$(PR_VERSION_REGEX)/$(PR_VERSION_REPL)/" \ +@GIT_CHECKOUT_TRUE@ < $(srcdir)/version.m4.orig > $(srcdir)/version.m4 +@GIT_CHECKOUT_TRUE@ $(MAKE) srpm +@GIT_CHECKOUT_TRUE@ mv $(srcdir)/version.m4.orig $(srcdir)/version.m4 + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/aclocal.m4 b/aclocal.m4 new file mode 100644 index 0000000..59ac0fc --- /dev/null +++ b/aclocal.m4 
@@ -0,0 +1,2371 @@ +# generated automatically by aclocal 1.15.1 -*- Autoconf -*- + +# Copyright (C) 1996-2017 Free Software Foundation, Inc. + +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +m4_ifndef([AC_CONFIG_MACRO_DIRS], [m4_defun([_AM_CONFIG_MACRO_DIRS], [])m4_defun([AC_CONFIG_MACRO_DIRS], [_AM_CONFIG_MACRO_DIRS($@)])]) +m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl +m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.69],, +[m4_warning([this file was generated for autoconf 2.69. +You have another version of autoconf. It may work, but is not guaranteed to. +If you have problems, you may need to regenerate the build system entirely. +To do so, use the procedure documented by the package, typically 'autoreconf'.])]) + +# ltdl.m4 - Configure ltdl for the target system. -*-Autoconf-*- +# +# Copyright (C) 1999-2008, 2011-2015 Free Software Foundation, Inc. +# Written by Thomas Tanner, 1999 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 20 LTDL_INIT + +# LT_CONFIG_LTDL_DIR(DIRECTORY, [LTDL-MODE]) +# ------------------------------------------ +# DIRECTORY contains the libltdl sources. It is okay to call this +# function multiple times, as long as the same DIRECTORY is always given. 
+AC_DEFUN([LT_CONFIG_LTDL_DIR], +[AC_BEFORE([$0], [LTDL_INIT]) +_$0($*) +])# LT_CONFIG_LTDL_DIR + +# We break this out into a separate macro, so that we can call it safely +# internally without being caught accidentally by the sed scan in libtoolize. +m4_defun([_LT_CONFIG_LTDL_DIR], +[dnl remove trailing slashes +m4_pushdef([_ARG_DIR], m4_bpatsubst([$1], [/*$])) +m4_case(_LTDL_DIR, + [], [dnl only set lt_ltdl_dir if _ARG_DIR is not simply '.' + m4_if(_ARG_DIR, [.], + [], + [m4_define([_LTDL_DIR], _ARG_DIR) + _LT_SHELL_INIT([lt_ltdl_dir=']_ARG_DIR['])])], + [m4_if(_ARG_DIR, _LTDL_DIR, + [], + [m4_fatal([multiple libltdl directories: ']_LTDL_DIR[', ']_ARG_DIR['])])]) +m4_popdef([_ARG_DIR]) +])# _LT_CONFIG_LTDL_DIR + +# Initialise: +m4_define([_LTDL_DIR], []) + + +# _LT_BUILD_PREFIX +# ---------------- +# If Autoconf is new enough, expand to '$(top_build_prefix)', otherwise +# to '$(top_builddir)/'. +m4_define([_LT_BUILD_PREFIX], +[m4_ifdef([AC_AUTOCONF_VERSION], + [m4_if(m4_version_compare(m4_defn([AC_AUTOCONF_VERSION]), [2.62]), + [-1], [m4_ifdef([_AC_HAVE_TOP_BUILD_PREFIX], + [$(top_build_prefix)], + [$(top_builddir)/])], + [$(top_build_prefix)])], + [$(top_builddir)/])[]dnl +]) + + +# LTDL_CONVENIENCE +# ---------------- +# sets LIBLTDL to the link flags for the libltdl convenience library and +# LTDLINCL to the include flags for the libltdl header and adds +# --enable-ltdl-convenience to the configure arguments. Note that +# AC_CONFIG_SUBDIRS is not called here. LIBLTDL will be prefixed with +# '$(top_build_prefix)' if available, otherwise with '$(top_builddir)/', +# and LTDLINCL will be prefixed with '$(top_srcdir)/' (note the single +# quotes!). If your package is not flat and you're not using automake, +# define top_build_prefix, top_builddir, and top_srcdir appropriately +# in your Makefiles. 
+AC_DEFUN([LTDL_CONVENIENCE], +[AC_BEFORE([$0], [LTDL_INIT])dnl +dnl Although the argument is deprecated and no longer documented, +dnl LTDL_CONVENIENCE used to take a DIRECTORY orgument, if we have one +dnl here make sure it is the same as any other declaration of libltdl's +dnl location! This also ensures lt_ltdl_dir is set when configure.ac is +dnl not yet using an explicit LT_CONFIG_LTDL_DIR. +m4_ifval([$1], [_LT_CONFIG_LTDL_DIR([$1])])dnl +_$0() +])# LTDL_CONVENIENCE + +# AC_LIBLTDL_CONVENIENCE accepted a directory argument in older libtools, +# now we have LT_CONFIG_LTDL_DIR: +AU_DEFUN([AC_LIBLTDL_CONVENIENCE], +[_LT_CONFIG_LTDL_DIR([m4_default([$1], [libltdl])]) +_LTDL_CONVENIENCE]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBLTDL_CONVENIENCE], []) + + +# _LTDL_CONVENIENCE +# ----------------- +# Code shared by LTDL_CONVENIENCE and LTDL_INIT([convenience]). +m4_defun([_LTDL_CONVENIENCE], +[case $enable_ltdl_convenience in + no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;; + "") enable_ltdl_convenience=yes + ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;; +esac +LIBLTDL='_LT_BUILD_PREFIX'"${lt_ltdl_dir+$lt_ltdl_dir/}libltdlc.la" +LTDLDEPS=$LIBLTDL +LTDLINCL='-I$(top_srcdir)'"${lt_ltdl_dir+/$lt_ltdl_dir}" + +AC_SUBST([LIBLTDL]) +AC_SUBST([LTDLDEPS]) +AC_SUBST([LTDLINCL]) + +# For backwards non-gettext consistent compatibility... +INCLTDL=$LTDLINCL +AC_SUBST([INCLTDL]) +])# _LTDL_CONVENIENCE + + +# LTDL_INSTALLABLE +# ---------------- +# sets LIBLTDL to the link flags for the libltdl installable library +# and LTDLINCL to the include flags for the libltdl header and adds +# --enable-ltdl-install to the configure arguments. Note that +# AC_CONFIG_SUBDIRS is not called from here. If an installed libltdl +# is not found, LIBLTDL will be prefixed with '$(top_build_prefix)' if +# available, otherwise with '$(top_builddir)/', and LTDLINCL will be +# prefixed with '$(top_srcdir)/' (note the single quotes!). 
If your +# package is not flat and you're not using automake, define top_build_prefix, +# top_builddir, and top_srcdir appropriately in your Makefiles. +# In the future, this macro may have to be called after LT_INIT. +AC_DEFUN([LTDL_INSTALLABLE], +[AC_BEFORE([$0], [LTDL_INIT])dnl +dnl Although the argument is deprecated and no longer documented, +dnl LTDL_INSTALLABLE used to take a DIRECTORY orgument, if we have one +dnl here make sure it is the same as any other declaration of libltdl's +dnl location! This also ensures lt_ltdl_dir is set when configure.ac is +dnl not yet using an explicit LT_CONFIG_LTDL_DIR. +m4_ifval([$1], [_LT_CONFIG_LTDL_DIR([$1])])dnl +_$0() +])# LTDL_INSTALLABLE + +# AC_LIBLTDL_INSTALLABLE accepted a directory argument in older libtools, +# now we have LT_CONFIG_LTDL_DIR: +AU_DEFUN([AC_LIBLTDL_INSTALLABLE], +[_LT_CONFIG_LTDL_DIR([m4_default([$1], [libltdl])]) +_LTDL_INSTALLABLE]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBLTDL_INSTALLABLE], []) + + +# _LTDL_INSTALLABLE +# ----------------- +# Code shared by LTDL_INSTALLABLE and LTDL_INIT([installable]). +m4_defun([_LTDL_INSTALLABLE], +[if test -f "$prefix/lib/libltdl.la"; then + lt_save_LDFLAGS=$LDFLAGS + LDFLAGS="-L$prefix/lib $LDFLAGS" + AC_CHECK_LIB([ltdl], [lt_dlinit], [lt_lib_ltdl=yes]) + LDFLAGS=$lt_save_LDFLAGS + if test yes = "${lt_lib_ltdl-no}"; then + if test yes != "$enable_ltdl_install"; then + # Don't overwrite $prefix/lib/libltdl.la without --enable-ltdl-install + AC_MSG_WARN([not overwriting libltdl at $prefix, force with '--enable-ltdl-install']) + enable_ltdl_install=no + fi + elif test no = "$enable_ltdl_install"; then + AC_MSG_WARN([libltdl not installed, but installation disabled]) + fi +fi + +# If configure.ac declared an installable ltdl, and the user didn't override +# with --disable-ltdl-install, we will install the shipped libltdl. 
+case $enable_ltdl_install in + no) ac_configure_args="$ac_configure_args --enable-ltdl-install=no" + LIBLTDL=-lltdl + LTDLDEPS= + LTDLINCL= + ;; + *) enable_ltdl_install=yes + ac_configure_args="$ac_configure_args --enable-ltdl-install" + LIBLTDL='_LT_BUILD_PREFIX'"${lt_ltdl_dir+$lt_ltdl_dir/}libltdl.la" + LTDLDEPS=$LIBLTDL + LTDLINCL='-I$(top_srcdir)'"${lt_ltdl_dir+/$lt_ltdl_dir}" + ;; +esac + +AC_SUBST([LIBLTDL]) +AC_SUBST([LTDLDEPS]) +AC_SUBST([LTDLINCL]) + +# For backwards non-gettext consistent compatibility... +INCLTDL=$LTDLINCL +AC_SUBST([INCLTDL]) +])# LTDL_INSTALLABLE + + +# _LTDL_MODE_DISPATCH +# ------------------- +m4_define([_LTDL_MODE_DISPATCH], +[dnl If _LTDL_DIR is '.', then we are configuring libltdl itself: +m4_if(_LTDL_DIR, [], + [], + dnl if _LTDL_MODE was not set already, the default value is 'subproject': + [m4_case(m4_default(_LTDL_MODE, [subproject]), + [subproject], [AC_CONFIG_SUBDIRS(_LTDL_DIR) + _LT_SHELL_INIT([lt_dlopen_dir=$lt_ltdl_dir])], + [nonrecursive], [_LT_SHELL_INIT([lt_dlopen_dir=$lt_ltdl_dir; lt_libobj_prefix=$lt_ltdl_dir/])], + [recursive], [], + [m4_fatal([unknown libltdl mode: ]_LTDL_MODE)])])dnl +dnl Be careful not to expand twice: +m4_define([$0], []) +])# _LTDL_MODE_DISPATCH + + +# _LT_LIBOBJ(MODULE_NAME) +# ----------------------- +# Like AC_LIBOBJ, except that MODULE_NAME goes into _LT_LIBOBJS instead +# of into LIBOBJS. +AC_DEFUN([_LT_LIBOBJ], [ + m4_pattern_allow([^_LT_LIBOBJS$]) + _LT_LIBOBJS="$_LT_LIBOBJS $1.$ac_objext" +])# _LT_LIBOBJS + + +# LTDL_INIT([OPTIONS]) +# -------------------- +# Clients of libltdl can use this macro to allow the installer to +# choose between a shipped copy of the ltdl sources or a preinstalled +# version of the library. If the shipped ltdl sources are not in a +# subdirectory named libltdl, the directory name must be given by +# LT_CONFIG_LTDL_DIR. 
+AC_DEFUN([LTDL_INIT], +[dnl Parse OPTIONS +_LT_SET_OPTIONS([$0], [$1]) + +dnl We need to keep our own list of libobjs separate from our parent project, +dnl and the easiest way to do that is redefine the AC_LIBOBJs macro while +dnl we look for our own LIBOBJs. +m4_pushdef([AC_LIBOBJ], m4_defn([_LT_LIBOBJ])) +m4_pushdef([AC_LIBSOURCES]) + +dnl If not otherwise defined, default to the 1.5.x compatible subproject mode: +m4_if(_LTDL_MODE, [], + [m4_define([_LTDL_MODE], m4_default([$2], [subproject])) + m4_if([-1], [m4_bregexp(_LTDL_MODE, [\(subproject\|\(non\)?recursive\)])], + [m4_fatal([unknown libltdl mode: ]_LTDL_MODE)])]) + +AC_ARG_WITH([included_ltdl], + [AS_HELP_STRING([--with-included-ltdl], + [use the GNU ltdl sources included here])]) + +if test yes != "$with_included_ltdl"; then + # We are not being forced to use the included libltdl sources, so + # decide whether there is a useful installed version we can use. + AC_CHECK_HEADER([ltdl.h], + [AC_CHECK_DECL([lt_dlinterface_register], + [AC_CHECK_LIB([ltdl], [lt_dladvise_preload], + [with_included_ltdl=no], + [with_included_ltdl=yes])], + [with_included_ltdl=yes], + [AC_INCLUDES_DEFAULT + #include ])], + [with_included_ltdl=yes], + [AC_INCLUDES_DEFAULT] + ) +fi + +dnl If neither LT_CONFIG_LTDL_DIR, LTDL_CONVENIENCE nor LTDL_INSTALLABLE +dnl was called yet, then for old times' sake, we assume libltdl is in an +dnl eponymous directory: +AC_PROVIDE_IFELSE([LT_CONFIG_LTDL_DIR], [], [_LT_CONFIG_LTDL_DIR([libltdl])]) + +AC_ARG_WITH([ltdl_include], + [AS_HELP_STRING([--with-ltdl-include=DIR], + [use the ltdl headers installed in DIR])]) + +if test -n "$with_ltdl_include"; then + if test -f "$with_ltdl_include/ltdl.h"; then : + else + AC_MSG_ERROR([invalid ltdl include directory: '$with_ltdl_include']) + fi +else + with_ltdl_include=no +fi + +AC_ARG_WITH([ltdl_lib], + [AS_HELP_STRING([--with-ltdl-lib=DIR], + [use the libltdl.la installed in DIR])]) + +if test -n "$with_ltdl_lib"; then + if test -f 
"$with_ltdl_lib/libltdl.la"; then : + else + AC_MSG_ERROR([invalid ltdl library directory: '$with_ltdl_lib']) + fi +else + with_ltdl_lib=no +fi + +case ,$with_included_ltdl,$with_ltdl_include,$with_ltdl_lib, in + ,yes,no,no,) + m4_case(m4_default(_LTDL_TYPE, [convenience]), + [convenience], [_LTDL_CONVENIENCE], + [installable], [_LTDL_INSTALLABLE], + [m4_fatal([unknown libltdl build type: ]_LTDL_TYPE)]) + ;; + ,no,no,no,) + # If the included ltdl is not to be used, then use the + # preinstalled libltdl we found. + AC_DEFINE([HAVE_LTDL], [1], + [Define this if a modern libltdl is already installed]) + LIBLTDL=-lltdl + LTDLDEPS= + LTDLINCL= + ;; + ,no*,no,*) + AC_MSG_ERROR(['--with-ltdl-include' and '--with-ltdl-lib' options must be used together]) + ;; + *) with_included_ltdl=no + LIBLTDL="-L$with_ltdl_lib -lltdl" + LTDLDEPS= + LTDLINCL=-I$with_ltdl_include + ;; +esac +INCLTDL=$LTDLINCL + +# Report our decision... +AC_MSG_CHECKING([where to find libltdl headers]) +AC_MSG_RESULT([$LTDLINCL]) +AC_MSG_CHECKING([where to find libltdl library]) +AC_MSG_RESULT([$LIBLTDL]) + +_LTDL_SETUP + +dnl restore autoconf definition. +m4_popdef([AC_LIBOBJ]) +m4_popdef([AC_LIBSOURCES]) + +AC_CONFIG_COMMANDS_PRE([ + _ltdl_libobjs= + _ltdl_ltlibobjs= + if test -n "$_LT_LIBOBJS"; then + # Remove the extension. 
+ _lt_sed_drop_objext='s/\.o$//;s/\.obj$//' + for i in `for i in $_LT_LIBOBJS; do echo "$i"; done | sed "$_lt_sed_drop_objext" | sort -u`; do + _ltdl_libobjs="$_ltdl_libobjs $lt_libobj_prefix$i.$ac_objext" + _ltdl_ltlibobjs="$_ltdl_ltlibobjs $lt_libobj_prefix$i.lo" + done + fi + AC_SUBST([ltdl_LIBOBJS], [$_ltdl_libobjs]) + AC_SUBST([ltdl_LTLIBOBJS], [$_ltdl_ltlibobjs]) +]) + +# Only expand once: +m4_define([LTDL_INIT]) +])# LTDL_INIT + +# Old names: +AU_DEFUN([AC_LIB_LTDL], [LTDL_INIT($@)]) +AU_DEFUN([AC_WITH_LTDL], [LTDL_INIT($@)]) +AU_DEFUN([LT_WITH_LTDL], [LTDL_INIT($@)]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIB_LTDL], []) +dnl AC_DEFUN([AC_WITH_LTDL], []) +dnl AC_DEFUN([LT_WITH_LTDL], []) + + +# _LTDL_SETUP +# ----------- +# Perform all the checks necessary for compilation of the ltdl objects +# -- including compiler checks and header checks. This is a public +# interface mainly for the benefit of libltdl's own configure.ac, most +# other users should call LTDL_INIT instead. +AC_DEFUN([_LTDL_SETUP], +[AC_REQUIRE([AC_PROG_CC])dnl +AC_REQUIRE([LT_SYS_MODULE_EXT])dnl +AC_REQUIRE([LT_SYS_MODULE_PATH])dnl +AC_REQUIRE([LT_SYS_DLSEARCH_PATH])dnl +AC_REQUIRE([LT_LIB_DLLOAD])dnl +AC_REQUIRE([LT_SYS_SYMBOL_USCORE])dnl +AC_REQUIRE([LT_FUNC_DLSYM_USCORE])dnl +AC_REQUIRE([LT_SYS_DLOPEN_DEPLIBS])dnl +AC_REQUIRE([LT_FUNC_ARGZ])dnl + +m4_require([_LT_CHECK_OBJDIR])dnl +m4_require([_LT_HEADER_DLFCN])dnl +m4_require([_LT_CHECK_DLPREOPEN])dnl +m4_require([_LT_DECL_SED])dnl + +dnl Don't require this, or it will be expanded earlier than the code +dnl that sets the variables it relies on: +_LT_ENABLE_INSTALL + +dnl _LTDL_MODE specific code must be called at least once: +_LTDL_MODE_DISPATCH + +# In order that ltdl.c can compile, find out the first AC_CONFIG_HEADERS +# the user used. This is so that ltdl.h can pick up the parent projects +# config.h file, The first file in AC_CONFIG_HEADERS must contain the +# definitions required by ltdl.c. 
+# FIXME: Remove use of undocumented AC_LIST_HEADERS (2.59 compatibility). +AC_CONFIG_COMMANDS_PRE([dnl +m4_pattern_allow([^LT_CONFIG_H$])dnl +m4_ifset([AH_HEADER], + [LT_CONFIG_H=AH_HEADER], + [m4_ifset([AC_LIST_HEADERS], + [LT_CONFIG_H=`echo "AC_LIST_HEADERS" | $SED 's|^[[ ]]*||;s|[[ :]].*$||'`], + [])])]) +AC_SUBST([LT_CONFIG_H]) + +AC_CHECK_HEADERS([unistd.h dl.h sys/dl.h dld.h mach-o/dyld.h dirent.h], + [], [], [AC_INCLUDES_DEFAULT]) + +AC_CHECK_FUNCS([closedir opendir readdir], [], [AC_LIBOBJ([lt__dirent])]) +AC_CHECK_FUNCS([strlcat strlcpy], [], [AC_LIBOBJ([lt__strl])]) + +m4_pattern_allow([LT_LIBEXT])dnl +AC_DEFINE_UNQUOTED([LT_LIBEXT],["$libext"],[The archive extension]) + +name= +eval "lt_libprefix=\"$libname_spec\"" +m4_pattern_allow([LT_LIBPREFIX])dnl +AC_DEFINE_UNQUOTED([LT_LIBPREFIX],["$lt_libprefix"],[The archive prefix]) + +name=ltdl +eval "LTDLOPEN=\"$libname_spec\"" +AC_SUBST([LTDLOPEN]) +])# _LTDL_SETUP + + +# _LT_ENABLE_INSTALL +# ------------------ +m4_define([_LT_ENABLE_INSTALL], +[AC_ARG_ENABLE([ltdl-install], + [AS_HELP_STRING([--enable-ltdl-install], [install libltdl])]) + +case ,$enable_ltdl_install,$enable_ltdl_convenience in + *yes*) ;; + *) enable_ltdl_convenience=yes ;; +esac + +m4_ifdef([AM_CONDITIONAL], +[AM_CONDITIONAL(INSTALL_LTDL, test no != "${enable_ltdl_install-no}") + AM_CONDITIONAL(CONVENIENCE_LTDL, test no != "${enable_ltdl_convenience-no}")]) +])# _LT_ENABLE_INSTALL + + +# LT_SYS_DLOPEN_DEPLIBS +# --------------------- +AC_DEFUN([LT_SYS_DLOPEN_DEPLIBS], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_CACHE_CHECK([whether deplibs are loaded by dlopen], + [lt_cv_sys_dlopen_deplibs], + [# PORTME does your system automatically load deplibs for dlopen? + # or its logical equivalent (e.g. shl_load for HP-UX < 11) + # For now, we just catch OSes we know something about -- in the + # future, we'll try test this programmatically. 
+ lt_cv_sys_dlopen_deplibs=unknown + case $host_os in + aix3*|aix4.1.*|aix4.2.*) + # Unknown whether this is true for these versions of AIX, but + # we want this 'case' here to explicitly catch those versions. + lt_cv_sys_dlopen_deplibs=unknown + ;; + aix[[4-9]]*) + lt_cv_sys_dlopen_deplibs=yes + ;; + amigaos*) + case $host_cpu in + powerpc) + lt_cv_sys_dlopen_deplibs=no + ;; + esac + ;; + bitrig*) + lt_cv_sys_dlopen_deplibs=yes + ;; + darwin*) + # Assuming the user has installed a libdl from somewhere, this is true + # If you are looking for one http://www.opendarwin.org/projects/dlcompat + lt_cv_sys_dlopen_deplibs=yes + ;; + freebsd* | dragonfly*) + lt_cv_sys_dlopen_deplibs=yes + ;; + gnu* | linux* | k*bsd*-gnu | kopensolaris*-gnu) + # GNU and its variants, using gnu ld.so (Glibc) + lt_cv_sys_dlopen_deplibs=yes + ;; + hpux10*|hpux11*) + lt_cv_sys_dlopen_deplibs=yes + ;; + interix*) + lt_cv_sys_dlopen_deplibs=yes + ;; + irix[[12345]]*|irix6.[[01]]*) + # Catch all versions of IRIX before 6.2, and indicate that we don't + # know how it worked for any of those versions. + lt_cv_sys_dlopen_deplibs=unknown + ;; + irix*) + # The case above catches anything before 6.2, and it's known that + # at 6.2 and later dlopen does load deplibs. + lt_cv_sys_dlopen_deplibs=yes + ;; + netbsd*) + lt_cv_sys_dlopen_deplibs=yes + ;; + openbsd*) + lt_cv_sys_dlopen_deplibs=yes + ;; + osf[[1234]]*) + # dlopen did load deplibs (at least at 4.x), but until the 5.x series, + # it did *not* use an RPATH in a shared library to find objects the + # library depends on, so we explicitly say 'no'. + lt_cv_sys_dlopen_deplibs=no + ;; + osf5.0|osf5.0a|osf5.1) + # dlopen *does* load deplibs and with the right loader patch applied + # it even uses RPATH in a shared library to search for shared objects + # that the library depends on, but there's no easy way to know if that + # patch is installed. Since this is the case, all we can really + # say is unknown -- it depends on the patch being installed. 
If + # it is, this changes to 'yes'. Without it, it would be 'no'. + lt_cv_sys_dlopen_deplibs=unknown + ;; + osf*) + # the two cases above should catch all versions of osf <= 5.1. Read + # the comments above for what we know about them. + # At > 5.1, deplibs are loaded *and* any RPATH in a shared library + # is used to find them so we can finally say 'yes'. + lt_cv_sys_dlopen_deplibs=yes + ;; + qnx*) + lt_cv_sys_dlopen_deplibs=yes + ;; + solaris*) + lt_cv_sys_dlopen_deplibs=yes + ;; + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + libltdl_cv_sys_dlopen_deplibs=yes + ;; + esac + ]) +if test yes != "$lt_cv_sys_dlopen_deplibs"; then + AC_DEFINE([LTDL_DLOPEN_DEPLIBS], [1], + [Define if the OS needs help to load dependent libraries for dlopen().]) +fi +])# LT_SYS_DLOPEN_DEPLIBS + +# Old name: +AU_ALIAS([AC_LTDL_SYS_DLOPEN_DEPLIBS], [LT_SYS_DLOPEN_DEPLIBS]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_SYS_DLOPEN_DEPLIBS], []) + + +# LT_SYS_MODULE_EXT +# ----------------- +AC_DEFUN([LT_SYS_MODULE_EXT], +[m4_require([_LT_SYS_DYNAMIC_LINKER])dnl +AC_CACHE_CHECK([what extension is used for runtime loadable modules], + [libltdl_cv_shlibext], +[ +module=yes +eval libltdl_cv_shlibext=$shrext_cmds +module=no +eval libltdl_cv_shrext=$shrext_cmds + ]) +if test -n "$libltdl_cv_shlibext"; then + m4_pattern_allow([LT_MODULE_EXT])dnl + AC_DEFINE_UNQUOTED([LT_MODULE_EXT], ["$libltdl_cv_shlibext"], + [Define to the extension used for runtime loadable modules, say, ".so".]) +fi +if test "$libltdl_cv_shrext" != "$libltdl_cv_shlibext"; then + m4_pattern_allow([LT_SHARED_EXT])dnl + AC_DEFINE_UNQUOTED([LT_SHARED_EXT], ["$libltdl_cv_shrext"], + [Define to the shared library suffix, say, ".dylib".]) +fi +if test -n "$shared_archive_member_spec"; then + m4_pattern_allow([LT_SHARED_LIB_MEMBER])dnl + AC_DEFINE_UNQUOTED([LT_SHARED_LIB_MEMBER], ["($shared_archive_member_spec.o)"], + [Define to the shared archive member specification, say "(shr.o)".]) +fi 
+])# LT_SYS_MODULE_EXT + +# Old name: +AU_ALIAS([AC_LTDL_SHLIBEXT], [LT_SYS_MODULE_EXT]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_SHLIBEXT], []) + + +# LT_SYS_MODULE_PATH +# ------------------ +AC_DEFUN([LT_SYS_MODULE_PATH], +[m4_require([_LT_SYS_DYNAMIC_LINKER])dnl +AC_CACHE_CHECK([what variable specifies run-time module search path], + [lt_cv_module_path_var], [lt_cv_module_path_var=$shlibpath_var]) +if test -n "$lt_cv_module_path_var"; then + m4_pattern_allow([LT_MODULE_PATH_VAR])dnl + AC_DEFINE_UNQUOTED([LT_MODULE_PATH_VAR], ["$lt_cv_module_path_var"], + [Define to the name of the environment variable that determines the run-time module search path.]) +fi +])# LT_SYS_MODULE_PATH + +# Old name: +AU_ALIAS([AC_LTDL_SHLIBPATH], [LT_SYS_MODULE_PATH]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_SHLIBPATH], []) + + +# LT_SYS_DLSEARCH_PATH +# -------------------- +AC_DEFUN([LT_SYS_DLSEARCH_PATH], +[m4_require([_LT_SYS_DYNAMIC_LINKER])dnl +AC_CACHE_CHECK([for the default library search path], + [lt_cv_sys_dlsearch_path], + [lt_cv_sys_dlsearch_path=$sys_lib_dlsearch_path_spec]) +if test -n "$lt_cv_sys_dlsearch_path"; then + sys_dlsearch_path= + for dir in $lt_cv_sys_dlsearch_path; do + if test -z "$sys_dlsearch_path"; then + sys_dlsearch_path=$dir + else + sys_dlsearch_path=$sys_dlsearch_path$PATH_SEPARATOR$dir + fi + done + m4_pattern_allow([LT_DLSEARCH_PATH])dnl + AC_DEFINE_UNQUOTED([LT_DLSEARCH_PATH], ["$sys_dlsearch_path"], + [Define to the system default library search path.]) +fi +])# LT_SYS_DLSEARCH_PATH + +# Old name: +AU_ALIAS([AC_LTDL_SYSSEARCHPATH], [LT_SYS_DLSEARCH_PATH]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_SYSSEARCHPATH], []) + + +# _LT_CHECK_DLPREOPEN +# ------------------- +m4_defun([_LT_CHECK_DLPREOPEN], +[m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl +AC_CACHE_CHECK([whether libtool supports -dlopen/-dlpreopen], + [libltdl_cv_preloaded_symbols], + [if test -n 
"$lt_cv_sys_global_symbol_pipe"; then + libltdl_cv_preloaded_symbols=yes + else + libltdl_cv_preloaded_symbols=no + fi + ]) +if test yes = "$libltdl_cv_preloaded_symbols"; then + AC_DEFINE([HAVE_PRELOADED_SYMBOLS], [1], + [Define if libtool can extract symbol lists from object files.]) +fi +])# _LT_CHECK_DLPREOPEN + + +# LT_LIB_DLLOAD +# ------------- +AC_DEFUN([LT_LIB_DLLOAD], +[m4_pattern_allow([^LT_DLLOADERS$]) +LT_DLLOADERS= +AC_SUBST([LT_DLLOADERS]) + +AC_LANG_PUSH([C]) +lt_dlload_save_LIBS=$LIBS + +LIBADD_DLOPEN= +AC_SEARCH_LIBS([dlopen], [dl], + [AC_DEFINE([HAVE_LIBDL], [1], + [Define if you have the libdl library or equivalent.]) + if test "$ac_cv_search_dlopen" != "none required"; then + LIBADD_DLOPEN=-ldl + fi + libltdl_cv_lib_dl_dlopen=yes + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dlopen.la"], + [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#if HAVE_DLFCN_H +# include +#endif + ]], [[dlopen(0, 0);]])], + [AC_DEFINE([HAVE_LIBDL], [1], + [Define if you have the libdl library or equivalent.]) + libltdl_cv_func_dlopen=yes + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dlopen.la"], + [AC_CHECK_LIB([svld], [dlopen], + [AC_DEFINE([HAVE_LIBDL], [1], + [Define if you have the libdl library or equivalent.]) + LIBADD_DLOPEN=-lsvld libltdl_cv_func_dlopen=yes + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dlopen.la"])])]) +if test yes = "$libltdl_cv_func_dlopen" || test yes = "$libltdl_cv_lib_dl_dlopen" +then + lt_save_LIBS=$LIBS + LIBS="$LIBS $LIBADD_DLOPEN" + AC_CHECK_FUNCS([dlerror]) + LIBS=$lt_save_LIBS +fi +AC_SUBST([LIBADD_DLOPEN]) + +LIBADD_SHL_LOAD= +AC_CHECK_FUNC([shl_load], + [AC_DEFINE([HAVE_SHL_LOAD], [1], + [Define if you have the shl_load function.]) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}shl_load.la"], + [AC_CHECK_LIB([dld], [shl_load], + [AC_DEFINE([HAVE_SHL_LOAD], [1], + [Define if you have the shl_load function.]) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}shl_load.la" 
+ LIBADD_SHL_LOAD=-ldld])]) +AC_SUBST([LIBADD_SHL_LOAD]) + +case $host_os in +darwin[[1567]].*) +# We only want this for pre-Mac OS X 10.4. + AC_CHECK_FUNC([_dyld_func_lookup], + [AC_DEFINE([HAVE_DYLD], [1], + [Define if you have the _dyld_func_lookup function.]) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dyld.la"]) + ;; +beos*) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}load_add_on.la" + ;; +cygwin* | mingw* | pw32*) + AC_CHECK_DECLS([cygwin_conv_path], [], [], [[#include ]]) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}loadlibrary.la" + ;; +esac + +AC_CHECK_LIB([dld], [dld_link], + [AC_DEFINE([HAVE_DLD], [1], + [Define if you have the GNU dld library.]) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dld_link.la"]) +AC_SUBST([LIBADD_DLD_LINK]) + +m4_pattern_allow([^LT_DLPREOPEN$]) +LT_DLPREOPEN= +if test -n "$LT_DLLOADERS" +then + for lt_loader in $LT_DLLOADERS; do + LT_DLPREOPEN="$LT_DLPREOPEN-dlpreopen $lt_loader " + done + AC_DEFINE([HAVE_LIBDLLOADER], [1], + [Define if libdlloader will be built on this platform]) +fi +AC_SUBST([LT_DLPREOPEN]) + +dnl This isn't used anymore, but set it for backwards compatibility +LIBADD_DL="$LIBADD_DLOPEN $LIBADD_SHL_LOAD" +AC_SUBST([LIBADD_DL]) + +LIBS=$lt_dlload_save_LIBS +AC_LANG_POP +])# LT_LIB_DLLOAD + +# Old name: +AU_ALIAS([AC_LTDL_DLLIB], [LT_LIB_DLLOAD]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_DLLIB], []) + + +# LT_SYS_SYMBOL_USCORE +# -------------------- +# does the compiler prefix global symbols with an underscore? +AC_DEFUN([LT_SYS_SYMBOL_USCORE], +[m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl +AC_CACHE_CHECK([for _ prefix in compiled symbols], + [lt_cv_sys_symbol_underscore], + [lt_cv_sys_symbol_underscore=no + cat > conftest.$ac_ext <<_LT_EOF +void nm_test_func(){} +int main(){nm_test_func;return 0;} +_LT_EOF + if AC_TRY_EVAL(ac_compile); then + # Now try to grab the symbols. 
+ ac_nlist=conftest.nm + if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $ac_nlist) && test -s "$ac_nlist"; then + # See whether the symbols have a leading underscore. + if grep '^. _nm_test_func' "$ac_nlist" >/dev/null; then + lt_cv_sys_symbol_underscore=yes + else + if grep '^. nm_test_func ' "$ac_nlist" >/dev/null; then + : + else + echo "configure: cannot find nm_test_func in $ac_nlist" >&AS_MESSAGE_LOG_FD + fi + fi + else + echo "configure: cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD + fi + else + echo "configure: failed program was:" >&AS_MESSAGE_LOG_FD + cat conftest.c >&AS_MESSAGE_LOG_FD + fi + rm -rf conftest* + ]) + sys_symbol_underscore=$lt_cv_sys_symbol_underscore + AC_SUBST([sys_symbol_underscore]) +])# LT_SYS_SYMBOL_USCORE + +# Old name: +AU_ALIAS([AC_LTDL_SYMBOL_USCORE], [LT_SYS_SYMBOL_USCORE]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_SYMBOL_USCORE], []) + + +# LT_FUNC_DLSYM_USCORE +# -------------------- +AC_DEFUN([LT_FUNC_DLSYM_USCORE], +[AC_REQUIRE([_LT_COMPILER_PIC])dnl for lt_prog_compiler_wl +AC_REQUIRE([LT_SYS_SYMBOL_USCORE])dnl for lt_cv_sys_symbol_underscore +AC_REQUIRE([LT_SYS_MODULE_EXT])dnl for libltdl_cv_shlibext +if test yes = "$lt_cv_sys_symbol_underscore"; then + if test yes = "$libltdl_cv_func_dlopen" || test yes = "$libltdl_cv_lib_dl_dlopen"; then + AC_CACHE_CHECK([whether we have to add an underscore for dlsym], + [libltdl_cv_need_uscore], + [libltdl_cv_need_uscore=unknown + dlsym_uscore_save_LIBS=$LIBS + LIBS="$LIBS $LIBADD_DLOPEN" + libname=conftmod # stay within 8.3 filename limits! + cat >$libname.$ac_ext <<_LT_EOF +[#line $LINENO "configure" +#include "confdefs.h" +/* When -fvisibility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. 
*/ +#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif +int fnord () { return 42; }] +_LT_EOF + + # ltfn_module_cmds module_cmds + # Execute tilde-delimited MODULE_CMDS with environment primed for + # $module_cmds or $archive_cmds type content. + ltfn_module_cmds () + {( # subshell avoids polluting parent global environment + module_cmds_save_ifs=$IFS; IFS='~' + for cmd in @S|@1; do + IFS=$module_cmds_save_ifs + libobjs=$libname.$ac_objext; lib=$libname$libltdl_cv_shlibext + rpath=/not-exists; soname=$libname$libltdl_cv_shlibext; output_objdir=. + major=; versuffix=; verstring=; deplibs= + ECHO=echo; wl=$lt_prog_compiler_wl; allow_undefined_flag= + eval $cmd + done + IFS=$module_cmds_save_ifs + )} + + # Compile a loadable module using libtool macro expansion results. + $CC $pic_flag -c $libname.$ac_ext + ltfn_module_cmds "${module_cmds:-$archive_cmds}" + + # Try to fetch fnord with dlsym(). + libltdl_dlunknown=0; libltdl_dlnouscore=1; libltdl_dluscore=2 + cat >conftest.$ac_ext <<_LT_EOF +[#line $LINENO "configure" +#include "confdefs.h" +#if HAVE_DLFCN_H +#include +#endif +#include +#ifndef RTLD_GLOBAL +# ifdef DL_GLOBAL +# define RTLD_GLOBAL DL_GLOBAL +# else +# define RTLD_GLOBAL 0 +# endif +#endif +#ifndef RTLD_NOW +# ifdef DL_NOW +# define RTLD_NOW DL_NOW +# else +# define RTLD_NOW 0 +# endif +#endif +int main () { + void *handle = dlopen ("`pwd`/$libname$libltdl_cv_shlibext", RTLD_GLOBAL|RTLD_NOW); + int status = $libltdl_dlunknown; + if (handle) { + if (dlsym (handle, "fnord")) + status = $libltdl_dlnouscore; + else { + if (dlsym (handle, "_fnord")) + status = $libltdl_dluscore; + else + puts (dlerror ()); + } + dlclose (handle); + } else + puts (dlerror ()); + return status; +}] +_LT_EOF + if AC_TRY_EVAL(ac_link) && test -s "conftest$ac_exeext" 2>/dev/null; then + (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null + libltdl_status=$? 
+ case x$libltdl_status in + x$libltdl_dlnouscore) libltdl_cv_need_uscore=no ;; + x$libltdl_dluscore) libltdl_cv_need_uscore=yes ;; + x*) libltdl_cv_need_uscore=unknown ;; + esac + fi + rm -rf conftest* $libname* + LIBS=$dlsym_uscore_save_LIBS + ]) + fi +fi + +if test yes = "$libltdl_cv_need_uscore"; then + AC_DEFINE([NEED_USCORE], [1], + [Define if dlsym() requires a leading underscore in symbol names.]) +fi +])# LT_FUNC_DLSYM_USCORE + +# Old name: +AU_ALIAS([AC_LTDL_DLSYM_USCORE], [LT_FUNC_DLSYM_USCORE]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LTDL_DLSYM_USCORE], []) + +# Copyright (C) 2002-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_AUTOMAKE_VERSION(VERSION) +# ---------------------------- +# Automake X.Y traces this macro to ensure aclocal.m4 has been +# generated from the m4 files accompanying Automake X.Y. +# (This private macro should not be called outside this file.) +AC_DEFUN([AM_AUTOMAKE_VERSION], +[am__api_version='1.15' +dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to +dnl require some minimum version. Point them to the right macro. +m4_if([$1], [1.15.1], [], + [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl +]) + +# _AM_AUTOCONF_VERSION(VERSION) +# ----------------------------- +# aclocal traces this macro to find the Autoconf version. +# This is a private macro too. Using m4_define simplifies +# the logic in aclocal, which can simply ignore this definition. +m4_define([_AM_AUTOCONF_VERSION], []) + +# AM_SET_CURRENT_AUTOMAKE_VERSION +# ------------------------------- +# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. +# This function is AC_REQUIREd by AM_INIT_AUTOMAKE. 
+AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], +[AM_AUTOMAKE_VERSION([1.15.1])dnl +m4_ifndef([AC_AUTOCONF_VERSION], + [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl +_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))]) + +# Copyright (C) 2011-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_PROG_AR([ACT-IF-FAIL]) +# ------------------------- +# Try to determine the archiver interface, and trigger the ar-lib wrapper +# if it is needed. If the detection of archiver interface fails, run +# ACT-IF-FAIL (default is to abort configure with a proper error message). +AC_DEFUN([AM_PROG_AR], +[AC_BEFORE([$0], [LT_INIT])dnl +AC_BEFORE([$0], [AC_PROG_LIBTOOL])dnl +AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([ar-lib])dnl +AC_CHECK_TOOLS([AR], [ar lib "link -lib"], [false]) +: ${AR=ar} + +AC_CACHE_CHECK([the archiver ($AR) interface], [am_cv_ar_interface], + [AC_LANG_PUSH([C]) + am_cv_ar_interface=ar + AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int some_variable = 0;]])], + [am_ar_try='$AR cru libconftest.a conftest.$ac_objext >&AS_MESSAGE_LOG_FD' + AC_TRY_EVAL([am_ar_try]) + if test "$ac_status" -eq 0; then + am_cv_ar_interface=ar + else + am_ar_try='$AR -NOLOGO -OUT:conftest.lib conftest.$ac_objext >&AS_MESSAGE_LOG_FD' + AC_TRY_EVAL([am_ar_try]) + if test "$ac_status" -eq 0; then + am_cv_ar_interface=lib + else + am_cv_ar_interface=unknown + fi + fi + rm -f conftest.lib libconftest.a + ]) + AC_LANG_POP([C])]) + +case $am_cv_ar_interface in +ar) + ;; +lib) + # Microsoft lib, so override with the ar-lib wrapper script. + # FIXME: It is wrong to rewrite AR. + # But if we don't then we get into trouble of one sort or another. 
+ # A longer-term fix would be to have automake use am__AR in this case, + # and then we could set am__AR="$am_aux_dir/ar-lib \$(AR)" or something + # similar. + AR="$am_aux_dir/ar-lib $AR" + ;; +unknown) + m4_default([$1], + [AC_MSG_ERROR([could not determine $AR interface])]) + ;; +esac +AC_SUBST([AR])dnl +]) + +# AM_AUX_DIR_EXPAND -*- Autoconf -*- + +# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets +# $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to +# '$srcdir', '$srcdir/..', or '$srcdir/../..'. +# +# Of course, Automake must honor this variable whenever it calls a +# tool from the auxiliary directory. The problem is that $srcdir (and +# therefore $ac_aux_dir as well) can be either absolute or relative, +# depending on how configure is run. This is pretty annoying, since +# it makes $ac_aux_dir quite unusable in subdirectories: in the top +# source directory, any form will work fine, but in subdirectories a +# relative path needs to be adjusted first. +# +# $ac_aux_dir/missing +# fails when called from a subdirectory if $ac_aux_dir is relative +# $top_srcdir/$ac_aux_dir/missing +# fails if $ac_aux_dir is absolute, +# fails when called from a subdirectory in a VPATH build with +# a relative $ac_aux_dir +# +# The reason of the latter failure is that $top_srcdir and $ac_aux_dir +# are both prefixed by $srcdir. In an in-source build this is usually +# harmless because $srcdir is '.', but things will broke when you +# start a VPATH build or use an absolute $srcdir. +# +# So we could use something similar to $top_srcdir/$ac_aux_dir/missing, +# iff we strip the leading $srcdir from $ac_aux_dir. 
That would be: +# am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"` +# and then we would define $MISSING as +# MISSING="\${SHELL} $am_aux_dir/missing" +# This will work as long as MISSING is not called from configure, because +# unfortunately $(top_srcdir) has no meaning in configure. +# However there are other variables, like CC, which are often used in +# configure, and could therefore not use this "fixed" $ac_aux_dir. +# +# Another solution, used here, is to always expand $ac_aux_dir to an +# absolute PATH. The drawback is that using absolute paths prevent a +# configured tree to be moved without reconfiguration. + +AC_DEFUN([AM_AUX_DIR_EXPAND], +[AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +# Expand $ac_aux_dir to an absolute path. +am_aux_dir=`cd "$ac_aux_dir" && pwd` +]) + +# AM_CONDITIONAL -*- Autoconf -*- + +# Copyright (C) 1997-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_CONDITIONAL(NAME, SHELL-CONDITION) +# ------------------------------------- +# Define a conditional. +AC_DEFUN([AM_CONDITIONAL], +[AC_PREREQ([2.52])dnl + m4_if([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])], + [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl +AC_SUBST([$1_TRUE])dnl +AC_SUBST([$1_FALSE])dnl +_AM_SUBST_NOTMAKE([$1_TRUE])dnl +_AM_SUBST_NOTMAKE([$1_FALSE])dnl +m4_define([_AM_COND_VALUE_$1], [$2])dnl +if $2; then + $1_TRUE= + $1_FALSE='#' +else + $1_TRUE='#' + $1_FALSE= +fi +AC_CONFIG_COMMANDS_PRE( +[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then + AC_MSG_ERROR([[conditional "$1" was never defined. +Usually this means the macro was only invoked conditionally.]]) +fi])]) + +# Copyright (C) 1999-2017 Free Software Foundation, Inc. 
+# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + + +# There are a few dirty hacks below to avoid letting 'AC_PROG_CC' be +# written in clear, in which case automake, when reading aclocal.m4, +# will think it sees a *use*, and therefore will trigger all it's +# C support machinery. Also note that it means that autoscan, seeing +# CC etc. in the Makefile, will ask for an AC_PROG_CC use... + + +# _AM_DEPENDENCIES(NAME) +# ---------------------- +# See how the compiler implements dependency checking. +# NAME is "CC", "CXX", "OBJC", "OBJCXX", "UPC", or "GJC". +# We try a few techniques and use that to set a single cache variable. +# +# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was +# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular +# dependency, and given that the user is not expected to run this macro, +# just rely on AC_PROG_CC. +AC_DEFUN([_AM_DEPENDENCIES], +[AC_REQUIRE([AM_SET_DEPDIR])dnl +AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl +AC_REQUIRE([AM_MAKE_INCLUDE])dnl +AC_REQUIRE([AM_DEP_TRACK])dnl + +m4_if([$1], [CC], [depcc="$CC" am_compiler_list=], + [$1], [CXX], [depcc="$CXX" am_compiler_list=], + [$1], [OBJC], [depcc="$OBJC" am_compiler_list='gcc3 gcc'], + [$1], [OBJCXX], [depcc="$OBJCXX" am_compiler_list='gcc3 gcc'], + [$1], [UPC], [depcc="$UPC" am_compiler_list=], + [$1], [GCJ], [depcc="$GCJ" am_compiler_list='gcc3 gcc'], + [depcc="$$1" am_compiler_list=]) + +AC_CACHE_CHECK([dependency style of $depcc], + [am_cv_$1_dependencies_compiler_type], +[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then + # We make a subdir and do the tests there. Otherwise we can end up + # making bogus files that we don't know about and never remove. 
For + # instance it was reported that on HP-UX the gcc test will end up + # making a dummy file named 'D' -- because '-MD' means "put the output + # in D". + rm -rf conftest.dir + mkdir conftest.dir + # Copy depcomp to subdir because otherwise we won't find it if we're + # using a relative directory. + cp "$am_depcomp" conftest.dir + cd conftest.dir + # We will build objects and dependencies in a subdirectory because + # it helps to detect inapplicable dependency modes. For instance + # both Tru64's cc and ICC support -MD to output dependencies as a + # side effect of compilation, but ICC will put the dependencies in + # the current directory while Tru64 will put them in the object + # directory. + mkdir sub + + am_cv_$1_dependencies_compiler_type=none + if test "$am_compiler_list" = ""; then + am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp` + fi + am__universal=false + m4_case([$1], [CC], + [case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac], + [CXX], + [case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac]) + + for depmode in $am_compiler_list; do + # Setup a source with many dependencies, because some compilers + # like to wrap large dependency lists on column 80 (with \), and + # we should not choose a depcomp mode which is confused by this. + # + # We need to recreate these files for each test, as the compiler may + # overwrite some of them when testing with obscure command lines. + # This happens at least with the AIX C compiler. + : > sub/conftest.c + for i in 1 2 3 4 5 6; do + echo '#include "conftst'$i'.h"' >> sub/conftest.c + # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with + # Solaris 10 /bin/sh. + echo '/* dummy */' > sub/conftst$i.h + done + echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + + # We check with '-c' and '-o' for the sake of the "dashmstdout" + # mode. 
It turns out that the SunPro C++ compiler does not properly + # handle '-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs. + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" + case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; + nosideeffect) + # After this tag, mechanisms are not by side-effect, so they'll + # only be used when explicitly requested. + if test "x$enable_dependency_tracking" = xyes; then + continue + else + break + fi + ;; + msvc7 | msvc7msys | msvisualcpp | msvcmsys) + # This compiler won't grok '-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. + am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; + none) break ;; + esac + if depmode=$depmode \ + source=sub/conftest.c object=$am__obj \ + depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ + >/dev/null 2>conftest.err && + grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && + grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && + ${MAKE-make} -s -f confmf > /dev/null 2>&1; then + # icc doesn't choke on unknown options, it will just issue warnings + # or remarks (even with -Werror). So we grep stderr for any message + # that says an option was ignored or not supported. + # When given -MP, icc 7.0 and 7.1 complain thusly: + # icc: Command line warning: ignoring option '-M'; no argument required + # The diagnosis changed in icc 8.0: + # icc: Command line remark: option '-MP' not supported + if (grep 'ignoring option' conftest.err || + grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else + am_cv_$1_dependencies_compiler_type=$depmode + break + fi + fi + done + + cd .. 
+ rm -rf conftest.dir +else + am_cv_$1_dependencies_compiler_type=none +fi +]) +AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type]) +AM_CONDITIONAL([am__fastdep$1], [ + test "x$enable_dependency_tracking" != xno \ + && test "$am_cv_$1_dependencies_compiler_type" = gcc3]) +]) + + +# AM_SET_DEPDIR +# ------------- +# Choose a directory name for dependency files. +# This macro is AC_REQUIREd in _AM_DEPENDENCIES. +AC_DEFUN([AM_SET_DEPDIR], +[AC_REQUIRE([AM_SET_LEADING_DOT])dnl +AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl +]) + + +# AM_DEP_TRACK +# ------------ +AC_DEFUN([AM_DEP_TRACK], +[AC_ARG_ENABLE([dependency-tracking], [dnl +AS_HELP_STRING( + [--enable-dependency-tracking], + [do not reject slow dependency extractors]) +AS_HELP_STRING( + [--disable-dependency-tracking], + [speeds up one-time build])]) +if test "x$enable_dependency_tracking" != xno; then + am_depcomp="$ac_aux_dir/depcomp" + AMDEPBACKSLASH='\' + am__nodep='_no' +fi +AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno]) +AC_SUBST([AMDEPBACKSLASH])dnl +_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl +AC_SUBST([am__nodep])dnl +_AM_SUBST_NOTMAKE([am__nodep])dnl +]) + +# Generate code to set up dependency tracking. -*- Autoconf -*- + +# Copyright (C) 1999-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + + +# _AM_OUTPUT_DEPENDENCY_COMMANDS +# ------------------------------ +AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS], +[{ + # Older Autoconf quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. + case $CONFIG_FILES in + *\'*) eval set x "$CONFIG_FILES" ;; + *) set x $CONFIG_FILES ;; + esac + shift + for mf + do + # Strip MF so we end up with the name of the file. 
+ mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named 'Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. + if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + dirpart=`AS_DIRNAME("$mf")` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running 'make'. + DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "$am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`AS_DIRNAME(["$file"])` + AS_MKDIR_P([$dirpart/$fdir]) + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done + done +} +])# _AM_OUTPUT_DEPENDENCY_COMMANDS + + +# AM_OUTPUT_DEPENDENCY_COMMANDS +# ----------------------------- +# This macro should only be invoked once -- use via AC_REQUIRE. +# +# This code is only required when automatic dependency tracking +# is enabled. FIXME. This creates each '.P' file that we will +# need in order to bootstrap the dependency handling code. 
+AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS], +[AC_CONFIG_COMMANDS([depfiles], + [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS], + [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"]) +]) + +# Do all the work for Automake. -*- Autoconf -*- + +# Copyright (C) 1996-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This macro actually does too much. Some checks are only needed if +# your package does certain things. But this isn't really a big deal. + +dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O. +m4_define([AC_PROG_CC], +m4_defn([AC_PROG_CC]) +[_AM_PROG_CC_C_O +]) + +# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE]) +# AM_INIT_AUTOMAKE([OPTIONS]) +# ----------------------------------------------- +# The call with PACKAGE and VERSION arguments is the old style +# call (pre autoconf-2.50), which is being phased out. PACKAGE +# and VERSION should now be passed to AC_INIT and removed from +# the call to AM_INIT_AUTOMAKE. +# We support both call styles for the transition. After +# the next Automake release, Autoconf can make the AC_INIT +# arguments mandatory, and then we can depend on a new Autoconf +# release and drop the old call support. +AC_DEFUN([AM_INIT_AUTOMAKE], +[AC_PREREQ([2.65])dnl +dnl Autoconf wants to disallow AM_ names. We explicitly allow +dnl the ones we care about. +m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl +AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl +AC_REQUIRE([AC_PROG_INSTALL])dnl +if test "`cd $srcdir && pwd`" != "`pwd`"; then + # Use -I$(srcdir) only when $(srcdir) != ., so that make's output + # is not polluted with repeated "-I." 
+ AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl + # test to see if srcdir already configured + if test -f $srcdir/config.status; then + AC_MSG_ERROR([source directory already configured; run "make distclean" there first]) + fi +fi + +# test whether we have cygpath +if test -z "$CYGPATH_W"; then + if (cygpath --version) >/dev/null 2>/dev/null; then + CYGPATH_W='cygpath -w' + else + CYGPATH_W=echo + fi +fi +AC_SUBST([CYGPATH_W]) + +# Define the identity of the package. +dnl Distinguish between old-style and new-style calls. +m4_ifval([$2], +[AC_DIAGNOSE([obsolete], + [$0: two- and three-arguments forms are deprecated.]) +m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl + AC_SUBST([PACKAGE], [$1])dnl + AC_SUBST([VERSION], [$2])], +[_AM_SET_OPTIONS([$1])dnl +dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT. +m4_if( + m4_ifdef([AC_PACKAGE_NAME], [ok]):m4_ifdef([AC_PACKAGE_VERSION], [ok]), + [ok:ok],, + [m4_fatal([AC_INIT should be called with package and version arguments])])dnl + AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl + AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl + +_AM_IF_OPTION([no-define],, +[AC_DEFINE_UNQUOTED([PACKAGE], ["$PACKAGE"], [Name of package]) + AC_DEFINE_UNQUOTED([VERSION], ["$VERSION"], [Version number of package])])dnl + +# Some tools Automake needs. +AC_REQUIRE([AM_SANITY_CHECK])dnl +AC_REQUIRE([AC_ARG_PROGRAM])dnl +AM_MISSING_PROG([ACLOCAL], [aclocal-${am__api_version}]) +AM_MISSING_PROG([AUTOCONF], [autoconf]) +AM_MISSING_PROG([AUTOMAKE], [automake-${am__api_version}]) +AM_MISSING_PROG([AUTOHEADER], [autoheader]) +AM_MISSING_PROG([MAKEINFO], [makeinfo]) +AC_REQUIRE([AM_PROG_INSTALL_SH])dnl +AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl +AC_REQUIRE([AC_PROG_MKDIR_P])dnl +# For better backward compatibility. To be removed once Automake 1.9.x +# dies out for good. For more background, see: +# +# +AC_SUBST([mkdir_p], ['$(MKDIR_P)']) +# We need awk for the "check" target (and possibly the TAP driver). 
The +# system "awk" is bad on some platforms. +AC_REQUIRE([AC_PROG_AWK])dnl +AC_REQUIRE([AC_PROG_MAKE_SET])dnl +AC_REQUIRE([AM_SET_LEADING_DOT])dnl +_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])], + [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])], + [_AM_PROG_TAR([v7])])]) +_AM_IF_OPTION([no-dependencies],, +[AC_PROVIDE_IFELSE([AC_PROG_CC], + [_AM_DEPENDENCIES([CC])], + [m4_define([AC_PROG_CC], + m4_defn([AC_PROG_CC])[_AM_DEPENDENCIES([CC])])])dnl +AC_PROVIDE_IFELSE([AC_PROG_CXX], + [_AM_DEPENDENCIES([CXX])], + [m4_define([AC_PROG_CXX], + m4_defn([AC_PROG_CXX])[_AM_DEPENDENCIES([CXX])])])dnl +AC_PROVIDE_IFELSE([AC_PROG_OBJC], + [_AM_DEPENDENCIES([OBJC])], + [m4_define([AC_PROG_OBJC], + m4_defn([AC_PROG_OBJC])[_AM_DEPENDENCIES([OBJC])])])dnl +AC_PROVIDE_IFELSE([AC_PROG_OBJCXX], + [_AM_DEPENDENCIES([OBJCXX])], + [m4_define([AC_PROG_OBJCXX], + m4_defn([AC_PROG_OBJCXX])[_AM_DEPENDENCIES([OBJCXX])])])dnl +]) +AC_REQUIRE([AM_SILENT_RULES])dnl +dnl The testsuite driver may need to know about EXEEXT, so add the +dnl 'am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen. This +dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below. +AC_CONFIG_COMMANDS_PRE(dnl +[m4_provide_if([_AM_COMPILER_EXEEXT], + [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl + +# POSIX will say in a future version that running "rm -f" with no argument +# is OK; and we want to be able to make that assumption in our Makefile +# recipes. So use an aggressive probe to check that the usage we want is +# actually supported "in the wild" to an acceptable degree. +# See automake bug#10828. +# To make any issue more visible, cause the running configure to be aborted +# by default if the 'rm' program in use doesn't match our expectations; the +# user can still override this though. +if rm -f && rm -fr && rm -rf; then : OK; else + cat >&2 <<'END' +Oops! + +Your 'rm' program seems unable to run without file operands specified +on the command line, even when the '-f' option is present. 
This is contrary +to the behaviour of most rm programs out there, and not conforming with +the upcoming POSIX standard: + +Please tell bug-automake@gnu.org about your system, including the value +of your $PATH and any error possibly output before this message. This +can help us improve future automake versions. + +END + if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then + echo 'Configuration will proceed anyway, since you have set the' >&2 + echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 + echo >&2 + else + cat >&2 <<'END' +Aborting the configuration process, to ensure you take notice of the issue. + +You can download and install GNU coreutils to get an 'rm' implementation +that behaves properly: . + +If you want to complete the configuration process using your problematic +'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +to "yes", and re-run configure. + +END + AC_MSG_ERROR([Your 'rm' program is bad, sorry.]) + fi +fi +dnl The trailing newline in this macro's definition is deliberate, for +dnl backward compatibility and to allow trailing 'dnl'-style comments +dnl after the AM_INIT_AUTOMAKE invocation. See automake bug#16841. +]) + +dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not +dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further +dnl mangled by Autoconf and run in a shell conditional statement. +m4_define([_AC_COMPILER_EXEEXT], +m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])]) + +# When config.status generates a header, we must update the stamp-h file. +# This file resides in the same directory as the config header +# that is generated. The stamp files are numbered to have different names. + +# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the +# loop where config.status creates the headers, so we can generate +# our stamp files there. +AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK], +[# Compute $1's index in $config_headers. 
+_am_arg=$1 +_am_stamp_count=1 +for _am_header in $config_headers :; do + case $_am_header in + $_am_arg | $_am_arg:* ) + break ;; + * ) + _am_stamp_count=`expr $_am_stamp_count + 1` ;; + esac +done +echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count]) + +# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_PROG_INSTALL_SH +# ------------------ +# Define $install_sh. +AC_DEFUN([AM_PROG_INSTALL_SH], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +if test x"${install_sh+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; + *) + install_sh="\${SHELL} $am_aux_dir/install-sh" + esac +fi +AC_SUBST([install_sh])]) + +# Copyright (C) 2003-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# Check whether the underlying file-system supports filenames +# with a leading dot. For instance MS-DOS doesn't. +AC_DEFUN([AM_SET_LEADING_DOT], +[rm -rf .tst 2>/dev/null +mkdir .tst 2>/dev/null +if test -d .tst; then + am__leading_dot=. +else + am__leading_dot=_ +fi +rmdir .tst 2>/dev/null +AC_SUBST([am__leading_dot])]) + +# Check to see how 'make' treats includes. -*- Autoconf -*- + +# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_MAKE_INCLUDE() +# ----------------- +# Check to see how make treats includes. 
+AC_DEFUN([AM_MAKE_INCLUDE], +[am_make=${MAKE-make} +cat > confinc << 'END' +am__doit: + @echo this is the am__doit target +.PHONY: am__doit +END +# If we don't find an include directive, just comment out the code. +AC_MSG_CHECKING([for style of include used by $am_make]) +am__include="#" +am__quote= +_am_result=none +# First try GNU make style include. +echo "include confinc" > confmf +# Ignore all kinds of additional output from 'make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac +# Now try BSD make style include. +if test "$am__include" = "#"; then + echo '.include "confinc"' > confmf + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac +fi +AC_SUBST([am__include]) +AC_SUBST([am__quote]) +AC_MSG_RESULT([$_am_result]) +rm -f confinc confmf +]) + +# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*- + +# Copyright (C) 1997-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_MISSING_PROG(NAME, PROGRAM) +# ------------------------------ +AC_DEFUN([AM_MISSING_PROG], +[AC_REQUIRE([AM_MISSING_HAS_RUN]) +$1=${$1-"${am_missing_run}$2"} +AC_SUBST($1)]) + +# AM_MISSING_HAS_RUN +# ------------------ +# Define MISSING if not defined so far and test if it is modern enough. +# If it is, set am_missing_run to use it, otherwise, to nothing. 
+AC_DEFUN([AM_MISSING_HAS_RUN], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([missing])dnl +if test x"${MISSING+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; + *) + MISSING="\${SHELL} $am_aux_dir/missing" ;; + esac +fi +# Use eval to expand $SHELL +if eval "$MISSING --is-lightweight"; then + am_missing_run="$MISSING " +else + am_missing_run= + AC_MSG_WARN(['missing' script is too old or missing]) +fi +]) + +# Helper functions for option handling. -*- Autoconf -*- + +# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_MANGLE_OPTION(NAME) +# ----------------------- +AC_DEFUN([_AM_MANGLE_OPTION], +[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])]) + +# _AM_SET_OPTION(NAME) +# -------------------- +# Set option NAME. Presently that only means defining a flag for this option. +AC_DEFUN([_AM_SET_OPTION], +[m4_define(_AM_MANGLE_OPTION([$1]), [1])]) + +# _AM_SET_OPTIONS(OPTIONS) +# ------------------------ +# OPTIONS is a space-separated list of Automake options. +AC_DEFUN([_AM_SET_OPTIONS], +[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])]) + +# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET]) +# ------------------------------------------- +# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. +AC_DEFUN([_AM_IF_OPTION], +[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])]) + +# Copyright (C) 1999-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_PROG_CC_C_O +# --------------- +# Like AC_PROG_CC_C_O, but changed for automake. We rewrite AC_PROG_CC +# to automatically call this. 
+AC_DEFUN([_AM_PROG_CC_C_O], +[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl +AC_REQUIRE_AUX_FILE([compile])dnl +AC_LANG_PUSH([C])dnl +AC_CACHE_CHECK( + [whether $CC understands -c and -o together], + [am_cv_prog_cc_c_o], + [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])]) + # Make sure it works both with $CC and with simple cc. + # Following AC_PROG_CC_C_O, we do the test twice because some + # compilers refuse to overwrite an existing .o file with -o, + # though they will create one. + am_cv_prog_cc_c_o=yes + for am_i in 1 2; do + if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \ + && test -f conftest2.$ac_objext; then + : OK + else + am_cv_prog_cc_c_o=no + break + fi + done + rm -f core conftest* + unset am_i]) +if test "$am_cv_prog_cc_c_o" != yes; then + # Losing compiler, so override with the script. + # FIXME: It is wrong to rewrite CC. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__CC in this case, + # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" + CC="$am_aux_dir/compile $CC" +fi +AC_LANG_POP([C])]) + +# For backward compatibility. +AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])]) + +# Copyright (C) 1999-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + + +# AM_PATH_PYTHON([MINIMUM-VERSION], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# --------------------------------------------------------------------------- +# Adds support for distributing Python modules and packages. To +# install modules, copy them to $(pythondir), using the python_PYTHON +# automake variable. To install a package with the same name as the +# automake package, install to $(pkgpythondir), or use the +# pkgpython_PYTHON automake variable. 
+# +# The variables $(pyexecdir) and $(pkgpyexecdir) are provided as +# locations to install python extension modules (shared libraries). +# Another macro is required to find the appropriate flags to compile +# extension modules. +# +# If your package is configured with a different prefix to python, +# users will have to add the install directory to the PYTHONPATH +# environment variable, or create a .pth file (see the python +# documentation for details). +# +# If the MINIMUM-VERSION argument is passed, AM_PATH_PYTHON will +# cause an error if the version of python installed on the system +# doesn't meet the requirement. MINIMUM-VERSION should consist of +# numbers and dots only. +AC_DEFUN([AM_PATH_PYTHON], + [ + dnl Find a Python interpreter. Python versions prior to 2.0 are not + dnl supported. (2.0 was released on October 16, 2000). + dnl FIXME: Remove the need to hard-code Python versions here. + m4_define_default([_AM_PYTHON_INTERPRETER_LIST], +[python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 dnl + python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0]) + + AC_ARG_VAR([PYTHON], [the Python interpreter]) + + m4_if([$1],[],[ + dnl No version check is needed. + # Find any Python interpreter. + if test -z "$PYTHON"; then + AC_PATH_PROGS([PYTHON], _AM_PYTHON_INTERPRETER_LIST, :) + fi + am_display_PYTHON=python + ], [ + dnl A version check is needed. + if test -n "$PYTHON"; then + # If the user set $PYTHON, use it and don't search something else. + AC_MSG_CHECKING([whether $PYTHON version is >= $1]) + AM_PYTHON_CHECK_VERSION([$PYTHON], [$1], + [AC_MSG_RESULT([yes])], + [AC_MSG_RESULT([no]) + AC_MSG_ERROR([Python interpreter is too old])]) + am_display_PYTHON=$PYTHON + else + # Otherwise, try each interpreter until we find one that satisfies + # VERSION. 
+ AC_CACHE_CHECK([for a Python interpreter with version >= $1], + [am_cv_pathless_PYTHON],[ + for am_cv_pathless_PYTHON in _AM_PYTHON_INTERPRETER_LIST none; do + test "$am_cv_pathless_PYTHON" = none && break + AM_PYTHON_CHECK_VERSION([$am_cv_pathless_PYTHON], [$1], [break]) + done]) + # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. + if test "$am_cv_pathless_PYTHON" = none; then + PYTHON=: + else + AC_PATH_PROG([PYTHON], [$am_cv_pathless_PYTHON]) + fi + am_display_PYTHON=$am_cv_pathless_PYTHON + fi + ]) + + if test "$PYTHON" = :; then + dnl Run any user-specified action, or abort. + m4_default([$3], [AC_MSG_ERROR([no suitable Python interpreter found])]) + else + + dnl Query Python for its version number. Getting [:3] seems to be + dnl the best way to do this; it's what "site.py" does in the standard + dnl library. + + AC_CACHE_CHECK([for $am_display_PYTHON version], [am_cv_python_version], + [am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[[:3]])"`]) + AC_SUBST([PYTHON_VERSION], [$am_cv_python_version]) + + dnl Use the values of $prefix and $exec_prefix for the corresponding + dnl values of PYTHON_PREFIX and PYTHON_EXEC_PREFIX. These are made + dnl distinct variables so they can be overridden if need be. However, + dnl general consensus is that you shouldn't need this ability. + + AC_SUBST([PYTHON_PREFIX], ['${prefix}']) + AC_SUBST([PYTHON_EXEC_PREFIX], ['${exec_prefix}']) + + dnl At times (like when building shared libraries) you may want + dnl to know which OS platform Python thinks this is. + + AC_CACHE_CHECK([for $am_display_PYTHON platform], [am_cv_python_platform], + [am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"`]) + AC_SUBST([PYTHON_PLATFORM], [$am_cv_python_platform]) + + # Just factor out some code duplication. + am_python_setup_sysconfig="\ +import sys +# Prefer sysconfig over distutils.sysconfig, for better compatibility +# with python 3.x. See automake bug#10227. 
+try: + import sysconfig +except ImportError: + can_use_sysconfig = 0 +else: + can_use_sysconfig = 1 +# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: +# +try: + from platform import python_implementation + if python_implementation() == 'CPython' and sys.version[[:3]] == '2.7': + can_use_sysconfig = 0 +except ImportError: + pass" + + dnl Set up 4 directories: + + dnl pythondir -- where to install python scripts. This is the + dnl site-packages directory, not the python standard library + dnl directory like in previous automake betas. This behavior + dnl is more consistent with lispdir.m4 for example. + dnl Query distutils for this directory. + AC_CACHE_CHECK([for $am_display_PYTHON script directory], + [am_cv_python_pythondir], + [if test "x$prefix" = xNONE + then + am_py_prefix=$ac_default_prefix + else + am_py_prefix=$prefix + fi + am_cv_python_pythondir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pythondir in + $am_py_prefix*) + am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` + am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` + ;; + *) + case $am_py_prefix in + /usr|/System*) ;; + *) + am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + ]) + AC_SUBST([pythondir], [$am_cv_python_pythondir]) + + dnl pkgpythondir -- $PACKAGE directory under pythondir. Was + dnl PYTHON_SITE_PACKAGE in previous betas, but this naming is + dnl more consistent with the rest of automake. + + AC_SUBST([pkgpythondir], [\${pythondir}/$PACKAGE]) + + dnl pyexecdir -- directory for installing python extension modules + dnl (shared libraries) + dnl Query distutils for this directory. 
+ AC_CACHE_CHECK([for $am_display_PYTHON extension module directory], + [am_cv_python_pyexecdir], + [if test "x$exec_prefix" = xNONE + then + am_py_exec_prefix=$am_py_prefix + else + am_py_exec_prefix=$exec_prefix + fi + am_cv_python_pyexecdir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pyexecdir in + $am_py_exec_prefix*) + am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` + am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` + ;; + *) + case $am_py_exec_prefix in + /usr|/System*) ;; + *) + am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + ]) + AC_SUBST([pyexecdir], [$am_cv_python_pyexecdir]) + + dnl pkgpyexecdir -- $(pyexecdir)/$(PACKAGE) + + AC_SUBST([pkgpyexecdir], [\${pyexecdir}/$PACKAGE]) + + dnl Run any user-specified action. + $2 + fi + +]) + + +# AM_PYTHON_CHECK_VERSION(PROG, VERSION, [ACTION-IF-TRUE], [ACTION-IF-FALSE]) +# --------------------------------------------------------------------------- +# Run ACTION-IF-TRUE if the Python interpreter PROG has version >= VERSION. +# Run ACTION-IF-FALSE otherwise. +# This test uses sys.hexversion instead of the string equivalent (first +# word of sys.version), in order to cope with versions such as 2.2c1. +# This supports Python 2.0 or higher. (2.0 was released on October 16, 2000). +AC_DEFUN([AM_PYTHON_CHECK_VERSION], + [prog="import sys +# split strings by '.' and convert to numeric. Append some zeros +# because we need at least 4 digits for the hex conversion. 
+# map returns an iterator in Python 3.0 and a list in 2.x +minver = list(map(int, '$2'.split('.'))) + [[0, 0, 0]] +minverhex = 0 +# xrange is not present in Python 3.0 and range returns an iterator +for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[[i]] +sys.exit(sys.hexversion < minverhex)" + AS_IF([AM_RUN_LOG([$1 -c "$prog"])], [$3], [$4])]) + +# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_RUN_LOG(COMMAND) +# ------------------- +# Run COMMAND, save the exit status in ac_status, and log it. +# (This has been adapted from Autoconf's _AC_RUN_LOG macro.) +AC_DEFUN([AM_RUN_LOG], +[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD + ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + (exit $ac_status); }]) + +# Check to make sure that the build environment is sane. -*- Autoconf -*- + +# Copyright (C) 1996-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# AM_SANITY_CHECK +# --------------- +AC_DEFUN([AM_SANITY_CHECK], +[AC_MSG_CHECKING([whether build environment is sane]) +# Reject unsafe characters in $srcdir or the absolute working directory +# name. Accept space and tab only in the latter. +am_lf=' +' +case `pwd` in + *[[\\\"\#\$\&\'\`$am_lf]]*) + AC_MSG_ERROR([unsafe absolute working directory name]);; +esac +case $srcdir in + *[[\\\"\#\$\&\'\`$am_lf\ \ ]]*) + AC_MSG_ERROR([unsafe srcdir value: '$srcdir']);; +esac + +# Do 'set' in a subshell so we don't clobber the current shell's +# arguments. 
Must try -L first in case configure is actually a +# symlink; some systems play weird games with the mod time of symlinks +# (eg FreeBSD returns the mod time of the symlink's containing +# directory). +if ( + am_has_slept=no + for am_try in 1 2; do + echo "timestamp, slept: $am_has_slept" > conftest.file + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` + if test "$[*]" = "X"; then + # -L didn't work. + set X `ls -t "$srcdir/configure" conftest.file` + fi + if test "$[*]" != "X $srcdir/configure conftest.file" \ + && test "$[*]" != "X conftest.file $srcdir/configure"; then + + # If neither matched, then we have a broken ls. This can happen + # if, for instance, CONFIG_SHELL is bash and it inherits a + # broken ls alias from the environment. This has actually + # happened. Such a system could not be considered "sane". + AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken + alias in your environment]) + fi + if test "$[2]" = conftest.file || test $am_try -eq 2; then + break + fi + # Just in case. + sleep 1 + am_has_slept=yes + done + test "$[2]" = conftest.file + ) +then + # Ok. + : +else + AC_MSG_ERROR([newly created file is older than distributed files! +Check your system clock]) +fi +AC_MSG_RESULT([yes]) +# If we didn't sleep, we still need to ensure time stamps of config.status and +# generated files are strictly newer. +am_sleep_pid= +if grep 'slept: no' conftest.file >/dev/null 2>&1; then + ( sleep 1 ) & + am_sleep_pid=$! +fi +AC_CONFIG_COMMANDS_PRE( + [AC_MSG_CHECKING([that generated files are newer than configure]) + if test -n "$am_sleep_pid"; then + # Hide warnings about reused PIDs. + wait $am_sleep_pid 2>/dev/null + fi + AC_MSG_RESULT([done])]) +rm -f conftest.file +]) + +# Copyright (C) 2009-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. 
+ +# AM_SILENT_RULES([DEFAULT]) +# -------------------------- +# Enable less verbose build rules; with the default set to DEFAULT +# ("yes" being less verbose, "no" or empty being verbose). +AC_DEFUN([AM_SILENT_RULES], +[AC_ARG_ENABLE([silent-rules], [dnl +AS_HELP_STRING( + [--enable-silent-rules], + [less verbose build output (undo: "make V=1")]) +AS_HELP_STRING( + [--disable-silent-rules], + [verbose build output (undo: "make V=0")])dnl +]) +case $enable_silent_rules in @%:@ ((( + yes) AM_DEFAULT_VERBOSITY=0;; + no) AM_DEFAULT_VERBOSITY=1;; + *) AM_DEFAULT_VERBOSITY=m4_if([$1], [yes], [0], [1]);; +esac +dnl +dnl A few 'make' implementations (e.g., NonStop OS and NextStep) +dnl do not support nested variable expansions. +dnl See automake bug#9928 and bug#10237. +am_make=${MAKE-make} +AC_CACHE_CHECK([whether $am_make supports nested variables], + [am_cv_make_support_nested_variables], + [if AS_ECHO([['TRUE=$(BAR$(V)) +BAR0=false +BAR1=true +V=1 +am__doit: + @$(TRUE) +.PHONY: am__doit']]) | $am_make -f - >/dev/null 2>&1; then + am_cv_make_support_nested_variables=yes +else + am_cv_make_support_nested_variables=no +fi]) +if test $am_cv_make_support_nested_variables = yes; then + dnl Using '$V' instead of '$(V)' breaks IRIX make. + AM_V='$(V)' + AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' +else + AM_V=$AM_DEFAULT_VERBOSITY + AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY +fi +AC_SUBST([AM_V])dnl +AM_SUBST_NOTMAKE([AM_V])dnl +AC_SUBST([AM_DEFAULT_V])dnl +AM_SUBST_NOTMAKE([AM_DEFAULT_V])dnl +AC_SUBST([AM_DEFAULT_VERBOSITY])dnl +AM_BACKSLASH='\' +AC_SUBST([AM_BACKSLASH])dnl +_AM_SUBST_NOTMAKE([AM_BACKSLASH])dnl +]) + +# Copyright (C) 2001-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. 
+ +# AM_PROG_INSTALL_STRIP +# --------------------- +# One issue with vendor 'install' (even GNU) is that you can't +# specify the program used to strip binaries. This is especially +# annoying in cross-compiling environments, where the build's strip +# is unlikely to handle the host's binaries. +# Fortunately install-sh will honor a STRIPPROG variable, so we +# always use install-sh in "make install-strip", and initialize +# STRIPPROG with the value of the STRIP variable (set by the user). +AC_DEFUN([AM_PROG_INSTALL_STRIP], +[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl +# Installed binaries are usually stripped using 'strip' when the user +# run "make install-strip". However 'strip' might not be the right +# tool to use in cross-compilation environments, therefore Automake +# will honor the 'STRIP' environment variable to overrule this program. +dnl Don't test for $cross_compiling = yes, because it might be 'maybe'. +if test "$cross_compiling" != no; then + AC_CHECK_TOOL([STRIP], [strip], :) +fi +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" +AC_SUBST([INSTALL_STRIP_PROGRAM])]) + +# Copyright (C) 2006-2017 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_SUBST_NOTMAKE(VARIABLE) +# --------------------------- +# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in. +# This macro is traced by Automake. +AC_DEFUN([_AM_SUBST_NOTMAKE]) + +# AM_SUBST_NOTMAKE(VARIABLE) +# -------------------------- +# Public sister of _AM_SUBST_NOTMAKE. +AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)]) + +# Check how to create a tarball. -*- Autoconf -*- + +# Copyright (C) 2004-2017 Free Software Foundation, Inc. 
+# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# _AM_PROG_TAR(FORMAT) +# -------------------- +# Check how to create a tarball in format FORMAT. +# FORMAT should be one of 'v7', 'ustar', or 'pax'. +# +# Substitute a variable $(am__tar) that is a command +# writing to stdout a FORMAT-tarball containing the directory +# $tardir. +# tardir=directory && $(am__tar) > result.tar +# +# Substitute a variable $(am__untar) that extract such +# a tarball read from stdin. +# $(am__untar) < result.tar +# +AC_DEFUN([_AM_PROG_TAR], +[# Always define AMTAR for backward compatibility. Yes, it's still used +# in the wild :-( We should find a proper way to deprecate it ... +AC_SUBST([AMTAR], ['$${TAR-tar}']) + +# We'll loop over all known methods to create a tar archive until one works. +_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none' + +m4_if([$1], [v7], + [am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'], + + [m4_case([$1], + [ustar], + [# The POSIX 1988 'ustar' format is defined with fixed-size fields. + # There is notably a 21 bits limit for the UID and the GID. In fact, + # the 'pax' utility can hang on bigger UID/GID (see automake bug#8343 + # and bug#13588). + am_max_uid=2097151 # 2^21 - 1 + am_max_gid=$am_max_uid + # The $UID and $GID variables are not portable, so we need to resort + # to the POSIX-mandated id(1) utility. Errors in the 'id' calls + # below are definitely unexpected, so allow the users to see them + # (that is, avoid stderr redirection). 
+ am_uid=`id -u || echo unknown` + am_gid=`id -g || echo unknown` + AC_MSG_CHECKING([whether UID '$am_uid' is supported by ustar format]) + if test $am_uid -le $am_max_uid; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + _am_tools=none + fi + AC_MSG_CHECKING([whether GID '$am_gid' is supported by ustar format]) + if test $am_gid -le $am_max_gid; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + _am_tools=none + fi], + + [pax], + [], + + [m4_fatal([Unknown tar format])]) + + AC_MSG_CHECKING([how to create a $1 tar archive]) + + # Go ahead even if we have the value already cached. We do so because we + # need to set the values for the 'am__tar' and 'am__untar' variables. + _am_tools=${am_cv_prog_tar_$1-$_am_tools} + + for _am_tool in $_am_tools; do + case $_am_tool in + gnutar) + for _am_tar in tar gnutar gtar; do + AM_RUN_LOG([$_am_tar --version]) && break + done + am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"' + am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"' + am__untar="$_am_tar -xf -" + ;; + plaintar) + # Must skip GNU tar: if it does not support --format= it doesn't create + # ustar tarball either. + (tar --version) >/dev/null 2>&1 && continue + am__tar='tar chf - "$$tardir"' + am__tar_='tar chf - "$tardir"' + am__untar='tar xf -' + ;; + pax) + am__tar='pax -L -x $1 -w "$$tardir"' + am__tar_='pax -L -x $1 -w "$tardir"' + am__untar='pax -r' + ;; + cpio) + am__tar='find "$$tardir" -print | cpio -o -H $1 -L' + am__tar_='find "$tardir" -print | cpio -o -H $1 -L' + am__untar='cpio -i -H $1 -d' + ;; + none) + am__tar=false + am__tar_=false + am__untar=false + ;; + esac + + # If the value was cached, stop now. We just wanted to have am__tar + # and am__untar set. + test -n "${am_cv_prog_tar_$1}" && break + + # tar/untar a dummy directory, and stop if the command works. 
+ rm -rf conftest.dir + mkdir conftest.dir + echo GrepMe > conftest.dir/file + AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar]) + rm -rf conftest.dir + if test -s conftest.tar; then + AM_RUN_LOG([$am__untar /dev/null 2>&1 && break + fi + done + rm -rf conftest.dir + + AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool]) + AC_MSG_RESULT([$am_cv_prog_tar_$1])]) + +AC_SUBST([am__tar]) +AC_SUBST([am__untar]) +]) # _AM_PROG_TAR + +m4_include([m4/gettext.m4]) +m4_include([m4/iconv.m4]) +m4_include([m4/lib-ld.m4]) +m4_include([m4/lib-link.m4]) +m4_include([m4/lib-prefix.m4]) +m4_include([m4/libtool.m4]) +m4_include([m4/ltoptions.m4]) +m4_include([m4/ltsugar.m4]) +m4_include([m4/ltversion.m4]) +m4_include([m4/lt~obsolete.m4]) +m4_include([m4/nls.m4]) +m4_include([m4/po.m4]) +m4_include([m4/progtest.m4]) diff --git a/build/ar-lib b/build/ar-lib new file mode 100755 index 0000000..92bbe08 --- /dev/null +++ b/build/ar-lib 
@@ -0,0 +1,270 @@
+#!/bin/sh
+# Wrapper for Microsoft lib.exe
+
+me=ar-lib
+scriptversion=2012-03-01.08; # UTC
+
+# Copyright (C) 2010-2017 Free Software Foundation, Inc.
+# Written by Peter Rosin .
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to or send patches to
+# .
+
+
+# func_error message
+func_error ()
+{
+ echo "$me: $1" 1>&2
+ exit 1
+}
+
+file_conv=
+
+# func_file_conv build_file
+# Convert a $build file to $host form and store it in $file
+# Currently only supports Windows hosts.
+func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv in + mingw) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_at_file at_file operation archive +# Iterate over all members in AT_FILE performing OPERATION on ARCHIVE +# for each of them. +# When interpreting the content of the @FILE, do NOT use func_file_conv, +# since the user would need to supply preconverted file names to +# binutils ar, at least for MinGW. +func_at_file () +{ + operation=$2 + archive=$3 + at_file_contents=`cat "$1"` + eval set x "$at_file_contents" + shift + + for member + do + $AR -NOLOGO $operation:"$member" "$archive" || exit $? + done +} + +case $1 in + '') + func_error "no command. Try '$0 --help' for more information." + ;; + -h | --h*) + cat <. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . 
+ +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to or send patches to +# . + +nl=' +' + +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent tools from complaining about whitespace usage. +IFS=" "" $nl" + +file_conv= + +# func_file_conv build_file lazy +# Convert a $build file to $host form and store it in $file +# Currently only supports Windows hosts. If the determined conversion +# type is listed in (the comma separated) LAZY, no conversion will +# take place. +func_file_conv () +{ + file=$1 + case $file in + / | /[!/]*) # absolute file, and not a UNC file + if test -z "$file_conv"; then + # lazily determine how to convert abs files + case `uname -s` in + MINGW*) + file_conv=mingw + ;; + CYGWIN*) + file_conv=cygwin + ;; + *) + file_conv=wine + ;; + esac + fi + case $file_conv/,$2, in + *,$file_conv,*) + ;; + mingw/*) + file=`cmd //C echo "$file " | sed -e 's/"\(.*\) " *$/\1/'` + ;; + cygwin/*) + file=`cygpath -m "$file" || echo "$file"` + ;; + wine/*) + file=`winepath -w "$file" || echo "$file"` + ;; + esac + ;; + esac +} + +# func_cl_dashL linkdir +# Make cl look for libraries in LINKDIR +func_cl_dashL () +{ + func_file_conv "$1" + if test -z "$lib_path"; then + lib_path=$file + else + lib_path="$lib_path;$file" + fi + linker_opts="$linker_opts -LIBPATH:$file" +} + +# func_cl_dashl library +# Do a library search-path lookup for cl +func_cl_dashl () +{ + lib=$1 + found=no + save_IFS=$IFS + IFS=';' + for dir in $lib_path $LIB + do + IFS=$save_IFS + if $shared && test -f "$dir/$lib.dll.lib"; then + found=yes + lib=$dir/$lib.dll.lib + break + fi + if test -f "$dir/$lib.lib"; then + found=yes + lib=$dir/$lib.lib + break + fi + if test -f 
"$dir/lib$lib.a"; then + found=yes + lib=$dir/lib$lib.a + break + fi + done + IFS=$save_IFS + + if test "$found" != yes; then + lib=$lib.lib + fi +} + +# func_cl_wrapper cl arg... +# Adjust compile command to suit cl +func_cl_wrapper () +{ + # Assume a capable shell + lib_path= + shared=: + linker_opts= + for arg + do + if test -n "$eat"; then + eat= + else + case $1 in + -o) + # configure might choose to run compile as 'compile cc -o foo foo.c'. + eat=1 + case $2 in + *.o | *.[oO][bB][jJ]) + func_file_conv "$2" + set x "$@" -Fo"$file" + shift + ;; + *) + func_file_conv "$2" + set x "$@" -Fe"$file" + shift + ;; + esac + ;; + -I) + eat=1 + func_file_conv "$2" mingw + set x "$@" -I"$file" + shift + ;; + -I*) + func_file_conv "${1#-I}" mingw + set x "$@" -I"$file" + shift + ;; + -l) + eat=1 + func_cl_dashl "$2" + set x "$@" "$lib" + shift + ;; + -l*) + func_cl_dashl "${1#-l}" + set x "$@" "$lib" + shift + ;; + -L) + eat=1 + func_cl_dashL "$2" + ;; + -L*) + func_cl_dashL "${1#-L}" + ;; + -static) + shared=false + ;; + -Wl,*) + arg=${1#-Wl,} + save_ifs="$IFS"; IFS=',' + for flag in $arg; do + IFS="$save_ifs" + linker_opts="$linker_opts $flag" + done + IFS="$save_ifs" + ;; + -Xlinker) + eat=1 + linker_opts="$linker_opts $2" + ;; + -*) + set x "$@" "$1" + shift + ;; + *.cc | *.CC | *.cxx | *.CXX | *.[cC]++) + func_file_conv "$1" + set x "$@" -Tp"$file" + shift + ;; + *.c | *.cpp | *.CPP | *.lib | *.LIB | *.Lib | *.OBJ | *.obj | *.[oO]) + func_file_conv "$1" mingw + set x "$@" "$file" + shift + ;; + *) + set x "$@" "$1" + shift + ;; + esac + fi + shift + done + if test -n "$linker_opts"; then + linker_opts="-link$linker_opts" + fi + exec "$@" $linker_opts + exit 1 +} + +eat= + +case $1 in + '') + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: compile [--help] [--version] PROGRAM [ARGS] + +Wrapper for compilers which do not understand '-c -o'. 
+Remove '-o dest.o' from ARGS, run PROGRAM with the remaining
+arguments, and rename the output as expected.
+
+If you are trying to build a whole package this is not the
+right script to run: please start by reading the file 'INSTALL'.
+
+Report bugs to .
+EOF
+ exit $?
+ ;;
+ -v | --v*)
+ echo "compile $scriptversion"
+ exit $?
+ ;;
+ cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \
+ icl | *[/\\]icl | icl.exe | *[/\\]icl.exe )
+ func_cl_wrapper "$@" # Doesn't return...
+ ;;
+esac
+
+ofile=
+cfile=
+
+for arg
+do
+ if test -n "$eat"; then
+ eat=
+ else
+ case $1 in
+ -o)
+ # configure might choose to run compile as 'compile cc -o foo foo.c'.
+ # So we strip '-o arg' only if arg is an object.
+ eat=1
+ case $2 in
+ *.o | *.obj)
+ ofile=$2
+ ;;
+ *)
+ set x "$@" -o "$2"
+ shift
+ ;;
+ esac
+ ;;
+ *.c)
+ cfile=$1
+ set x "$@" "$1"
+ shift
+ ;;
+ *)
+ set x "$@" "$1"
+ shift
+ ;;
+ esac
+ fi
+ shift
+done
+
+if test -z "$ofile" || test -z "$cfile"; then
+ # If no '-o' option was seen then we might have been invoked from a
+ # pattern rule where we don't need one. That is ok -- this is a
+ # normal compilation that the losing compiler can handle. If no
+ # '.c' file was seen then we are probably linking. That is also
+ # ok.
+ exec "$@"
+fi
+
+# Name of file we expect compiler to create.
+cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'`
+
+# Create the lock directory.
+# Note: use '[/\\:.-]' here to ensure that we don't use the same name
+# that we are using for the .o file. Also, base the name on the expected
+# object file name, since that is what matters with a parallel build.
+lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d
+while true; do
+ if mkdir "$lockdir" >/dev/null 2>&1; then
+ break
+ fi
+ sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir '$lockdir'; exit 1" 1 2 15
+
+# Run the compile.
+"$@"
+ret=$?
+
+if test -f "$cofile"; then
+ test "$cofile" = "$ofile" || mv "$cofile" "$ofile"
+elif test -f "${cofile}bj"; then
+ test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile"
+fi
+
+rmdir "$lockdir"
+exit $ret
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/build/config.guess b/build/config.guess
new file mode 100755
index 0000000..717b228
--- /dev/null
+++ b/build/config.guess
@@ -0,0 +1,1476 @@
+#!/bin/sh
+# Attempt to guess a canonical system name.
+# Copyright 1992-2017 Free Software Foundation, Inc.
+
+timestamp='2017-08-08'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see .
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that
+# program. This Exception is an additional permission under section 7
+# of the GNU General Public License, version 3 ("GPLv3").
+#
+# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
+#
+# You can get the latest version of this script from:
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
+#
+# Please send patches to .
+
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to ."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright 1992-2017 Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions.
There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." + +help=" +Try \`$me --help' for more information." + +# Parse command line +while test $# -gt 0 ; do + case $1 in + --time-stamp | --time* | -t ) + echo "$timestamp" ; exit ;; + --version | -v ) + echo "$version" ; exit ;; + --help | --h* | -h ) + echo "$usage"; exit ;; + -- ) # Stop option processing + shift; break ;; + - ) # Use stdin as input. + break ;; + -* ) + echo "$me: invalid option $1$help" >&2 + exit 1 ;; + * ) + break ;; + esac +done + +if test $# != 0; then + echo "$me: too many arguments$help" >&2 + exit 1 +fi + +trap 'exit 1' 1 2 15 + +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. + +# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still +# use `HOST_CC' if defined, but it is deprecated. + +# Portable tmp directory creation inspired by the Autoconf team. 
+ +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then + CC_FOR_BUILD="$c"; break ; + fi ; + done ; + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found ; + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; +esac ; set_cc_for_build= ;' + +# This is needed to find uname on a Pyramid OSx when run in the BSD universe. +# (ghazi@noc.rutgers.edu 1994-08-24) +if (test -f /.attbin/uname) >/dev/null 2>&1 ; then + PATH=$PATH:/.attbin ; export PATH +fi + +UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown +UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown +UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown +UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown + +case "${UNAME_SYSTEM}" in +Linux|GNU|GNU/*) + # If the system lacks a compiler, then just pick glibc. + # We could probably try harder. 
+ LIBC=gnu + + eval $set_cc_for_build + cat <<-EOF > $dummy.c + #include + #if defined(__UCLIBC__) + LIBC=uclibc + #elif defined(__dietlibc__) + LIBC=dietlibc + #else + LIBC=gnu + #endif + EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + ;; +esac + +# Note: order is significant - the case branches are not exclusive. + +case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in + *:NetBSD:*:*) + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, + # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently + # switched to ELF, *-*-netbsd* would select the old + # object file format. This provides both forward + # compatibility and a consistent mechanism for selecting the + # object file format. + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ + /sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || \ + echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + sh5el) machine=sh5le-unknown ;; + earmv*) + arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` + machine=${arch}${endian}-unknown + ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + esac + # The Operating System including object format, if it has switched + # to ELF recently (or will in the future) and ABI. + case "${UNAME_MACHINE_ARCH}" in + earm*) + os=netbsdelf + ;; + arm*|i386|m68k|ns32k|sh3*|sparc|vax) + eval $set_cc_for_build + if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ELF__ + then + # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). + # Return netbsd for either. FIX? 
+ os=netbsd + else + os=netbsdelf + fi + ;; + *) + os=netbsd + ;; + esac + # Determine ABI tags. + case "${UNAME_MACHINE_ARCH}" in + earm*) + expr='s/^earmv[0-9]/-eabi/;s/eb$//' + abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` + ;; + esac + # The OS release + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` + ;; + esac + # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: + # contains redundant information, the shorter form: + # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. + echo "${machine}-${os}${release}${abi}" + exit ;; + *:Bitrig:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + exit ;; + *:OpenBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + exit ;; + *:LibertyBSD:*:*) + UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` + echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + exit ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit ;; + *:SolidBSD:*:*) + echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + exit ;; + macppc:MirBSD:*:*) + echo powerpc-unknown-mirbsd${UNAME_RELEASE} + exit ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit ;; + *:Sortix:*:*) + echo ${UNAME_MACHINE}-unknown-sortix + exit ;; + *:Redox:*:*) + echo ${UNAME_MACHINE}-unknown-redox + exit ;; + alpha:OSF1:*:*) + case $UNAME_RELEASE in + *4.0) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 
systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE=alpha ;; + "EV4.5 (21064)") + UNAME_MACHINE=alpha ;; + "LCA4 (21066/21068)") + UNAME_MACHINE=alpha ;; + "EV5 (21164)") + UNAME_MACHINE=alphaev5 ;; + "EV5.6 (21164A)") + UNAME_MACHINE=alphaev56 ;; + "EV5.6 (21164PC)") + UNAME_MACHINE=alphapca56 ;; + "EV5.7 (21164PC)") + UNAME_MACHINE=alphapca57 ;; + "EV6 (21264)") + UNAME_MACHINE=alphaev6 ;; + "EV6.7 (21264A)") + UNAME_MACHINE=alphaev67 ;; + "EV6.8CB (21264C)") + UNAME_MACHINE=alphaev68 ;; + "EV6.8AL (21264B)") + UNAME_MACHINE=alphaev68 ;; + "EV6.8CX (21264D)") + UNAME_MACHINE=alphaev68 ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE=alphaev69 ;; + "EV7 (21364)") + UNAME_MACHINE=alphaev7 ;; + "EV7.9 (21364A)") + UNAME_MACHINE=alphaev79 ;; + esac + # A Pn.n version is a patched version. + # A Vn.n version is a released version. + # A Tn.n version is a released field test version. + # A Xn.n version is an unreleased experimental baselevel. + # 1.2 uses "1.2" for uname -r. + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + # Reset EXIT trap before exiting to avoid spurious non-zero exit code. + exitcode=$? + trap '' 0 + exit $exitcode ;; + Alpha\ *:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # Should we change UNAME_MACHINE based on the output of uname instead + # of the specific Alpha model? 
+ echo alpha-pc-interix + exit ;; + 21064:Windows_NT:50:3) + echo alpha-dec-winnt3.5 + exit ;; + Amiga*:UNIX_System_V:4.0:*) + echo m68k-unknown-sysv4 + exit ;; + *:[Aa]miga[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-amigaos + exit ;; + *:[Mm]orph[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-morphos + exit ;; + *:OS/390:*:*) + echo i370-ibm-openedition + exit ;; + *:z/VM:*:*) + echo s390-ibm-zvmoe + exit ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit ;; + arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) + echo arm-acorn-riscix${UNAME_RELEASE} + exit ;; + arm*:riscos:*:*|arm*:RISCOS:*:*) + echo arm-unknown-riscos + exit ;; + SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) + echo hppa1.1-hitachi-hiuxmpp + exit ;; + Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) + # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. + if test "`(/bin/universe) 2>/dev/null`" = att ; then + echo pyramid-pyramid-sysv3 + else + echo pyramid-pyramid-bsd + fi + exit ;; + NILE*:*:*:dcosx) + echo pyramid-pyramid-svr4 + exit ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit ;; + DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7; exit ;; + esac ;; + s390x:SunOS:*:*) + echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4H:SunOS:5.*:*) + echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) + echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) + echo i386-pc-auroraux${UNAME_RELEASE} + exit ;; + i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) + eval $set_cc_for_build + SUN_ARCH=i386 + # If there is a compiler, see if it is configured for 64-bit objects. + # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. + # This test works for both compilers. 
+ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + SUN_ARCH=x86_64 + fi + fi + echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:6*:*) + # According to config.sub, this is the proper way to canonicalize + # SunOS6. Hard to guess exactly what SunOS6 will be like, but + # it's likely to be more like Solaris than SunOS4. + echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + sun4*:SunOS:*:*) + case "`/usr/bin/arch -k`" in + Series*|S4*) + UNAME_RELEASE=`uname -v` + ;; + esac + # Japanese Language versions have a version number like `4.1.3-JL'. + echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + exit ;; + sun3*:SunOS:*:*) + echo m68k-sun-sunos${UNAME_RELEASE} + exit ;; + sun*:*:4.2BSD:*) + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 + case "`/bin/arch`" in + sun3) + echo m68k-sun-sunos${UNAME_RELEASE} + ;; + sun4) + echo sparc-sun-sunos${UNAME_RELEASE} + ;; + esac + exit ;; + aushp:SunOS:*:*) + echo sparc-auspex-sunos${UNAME_RELEASE} + exit ;; + # The situation for MiNT is a little confusing. The machine name + # can be virtually everything (everything which is not + # "atarist" or "atariste" at least should have a processor + # > m68000). The system name ranges from "MiNT" over "FreeMiNT" + # to the lowercase version "mint" (or "freemint"). Finally + # the system name "TOS" denotes a system which is actually not + # MiNT. But MiNT is downward compatible to TOS, so this should + # be no problem. 
+ atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) + echo m68k-atari-mint${UNAME_RELEASE} + exit ;; + milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) + echo m68k-milan-mint${UNAME_RELEASE} + exit ;; + hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) + echo m68k-hades-mint${UNAME_RELEASE} + exit ;; + *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) + echo m68k-unknown-mint${UNAME_RELEASE} + exit ;; + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} + exit ;; + powerpc:machten:*:*) + echo powerpc-apple-machten${UNAME_RELEASE} + exit ;; + RISC*:Mach:*:*) + echo mips-dec-mach_bsd4.3 + exit ;; + RISC*:ULTRIX:*:*) + echo mips-dec-ultrix${UNAME_RELEASE} + exit ;; + VAX*:ULTRIX*:*:*) + echo vax-dec-ultrix${UNAME_RELEASE} + exit ;; + 2020:CLIX:*:* | 2430:CLIX:*:*) + echo clipper-intergraph-clix${UNAME_RELEASE} + exit ;; + mips:*:*:UMIPS | mips:*:*:RISCos) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c +#ifdef __cplusplus +#include /* for printf() prototype */ + int main (int argc, char *argv[]) { +#else + int main (argc, argv) int argc; char *argv[]; { +#endif + #if defined (host_mips) && defined (MIPSEB) + #if defined (SYSTYPE_SYSV) + printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_SVR4) + printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + #endif + #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) + printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + #endif + #endif + exit (-1); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && + dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`$dummy $dummyarg` && + { echo "$SYSTEM_NAME"; exit; } + echo mips-mips-riscos${UNAME_RELEASE} + exit ;; + Motorola:PowerMAX_OS:*:*) + echo 
powerpc-motorola-powermax + exit ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit ;; + Night_Hawk:Power_UNIX:*:*) + echo powerpc-harris-powerunix + exit ;; + m88k:CX/UX:7*:*) + echo m88k-harris-cxux7 + exit ;; + m88k:*:4*:R4*) + echo m88k-motorola-sysv4 + exit ;; + m88k:*:3*:R3*) + echo m88k-motorola-sysv3 + exit ;; + AViiON:dgux:*:*) + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` + if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + then + if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ + [ ${TARGET_BINARY_INTERFACE}x = x ] + then + echo m88k-dg-dgux${UNAME_RELEASE} + else + echo m88k-dg-dguxbcs${UNAME_RELEASE} + fi + else + echo i586-dg-dgux${UNAME_RELEASE} + fi + exit ;; + M88*:DolphinOS:*:*) # DolphinOS (SVR3) + echo m88k-dolphin-sysv3 + exit ;; + M88*:*:R3*:*) + # Delta 88k system running SVR3 + echo m88k-motorola-sysv3 + exit ;; + XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) + echo m88k-tektronix-sysv3 + exit ;; + Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) + echo m68k-tektronix-bsd + exit ;; + *:IRIX*:*:*) + echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + exit ;; + ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. 
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id + exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' + i*86:AIX:*:*) + echo i386-ibm-aix + exit ;; + ia64:AIX:*:*) + if [ -x /usr/bin/oslevel ] ; then + IBM_REV=`/usr/bin/oslevel` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + exit ;; + *:AIX:2:3) + if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + + main() + { + if (!__power_pc()) + exit(1); + puts("powerpc-ibm-aix3.2.5"); + exit(0); + } +EOF + if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + then + echo "$SYSTEM_NAME" + else + echo rs6000-ibm-aix3.2.5 + fi + elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then + echo rs6000-ibm-aix3.2.4 + else + echo rs6000-ibm-aix3.2 + fi + exit ;; + *:AIX:*:[4567]) + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` + if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + IBM_ARCH=rs6000 + else + IBM_ARCH=powerpc + fi + if [ -x /usr/bin/lslpp ] ; then + IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | + awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` + else + IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + fi + echo ${IBM_ARCH}-ibm-aix${IBM_REV} + exit ;; + *:AIX:*:*) + echo rs6000-ibm-aix + exit ;; + ibmrt:4.4BSD:*|romp-ibm:BSD:*) + echo romp-ibm-bsd4.4 + exit ;; + ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and + echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + exit ;; # report: romp-ibm BSD 4.3 + *:BOSX:*:*) + echo rs6000-bull-bosx + exit ;; + DPX/2?00:B.O.S.:*:*) + echo m68k-bull-sysv3 + exit ;; + 9000/[34]??:4.3bsd:1.*:*) + echo m68k-hp-bsd + exit ;; + hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) + echo m68k-hp-bsd4.4 + exit ;; + 9000/[34678]??:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + case "${UNAME_MACHINE}" in + 9000/31? ) HP_ARCH=m68000 ;; + 9000/[34]?? 
) HP_ARCH=m68k ;; + 9000/[678][0-9][0-9]) + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 + 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH=hppa2.0n ;; + 64) HP_ARCH=hppa2.0w ;; + '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 + esac ;; + esac + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + + #define _HPUX_SOURCE + #include + #include + + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); + + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } +EOF + (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; + esac + if [ ${HP_ARCH} = hppa2.0w ] + then + eval $set_cc_for_build + + # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating + # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler + # generating 64-bit code. 
GNU and HP use different nomenclature: + # + # $ CC_FOR_BUILD=cc ./config.guess + # => hppa2.0w-hp-hpux11.23 + # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess + # => hppa64-hp-hpux11.23 + + if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | + grep -q __LP64__ + then + HP_ARCH=hppa2.0w + else + HP_ARCH=hppa64 + fi + fi + echo ${HP_ARCH}-hp-hpux${HPUX_REV} + exit ;; + ia64:HP-UX:*:*) + HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux${HPUX_REV} + exit ;; + 3050*:HI-UX:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #include + int + main () + { + long cpu = sysconf (_SC_CPU_VERSION); + /* The order matters, because CPU_IS_HP_MC68K erroneously returns + true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct + results, however. */ + if (CPU_IS_PA_RISC (cpu)) + { + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; + case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; + default: puts ("hppa-hitachi-hiuxwe2"); break; + } + } + else if (CPU_IS_HP_MC68K (cpu)) + puts ("m68k-hitachi-hiuxwe2"); + else puts ("unknown-hitachi-hiuxwe2"); + exit (0); + } +EOF + $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + { echo "$SYSTEM_NAME"; exit; } + echo unknown-hitachi-hiuxwe2 + exit ;; + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + echo hppa1.1-hp-bsd + exit ;; + 9000/8??:4.3bsd:*:*) + echo hppa1.0-hp-bsd + exit ;; + *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) + echo hppa1.0-hp-mpeix + exit ;; + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + echo hppa1.1-hp-osf + exit ;; + hp8??:OSF1:*:*) + echo hppa1.0-hp-osf + exit ;; + i*86:OSF1:*:*) + if [ -x /usr/sbin/sysversion ] ; then + echo ${UNAME_MACHINE}-unknown-osf1mk + else + echo ${UNAME_MACHINE}-unknown-osf1 + fi + exit ;; + parisc*:Lites*:*:*) + echo hppa1.1-hp-lites + exit ;; + C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) + echo c1-convex-bsd + exit ;; + C2*:ConvexOS:*:* | 
convex:ConvexOS:C2*:*) + if getsysinfo -f scalar_acc + then echo c32-convex-bsd + else echo c2-convex-bsd + fi + exit ;; + C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) + echo c34-convex-bsd + exit ;; + C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) + echo c38-convex-bsd + exit ;; + C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) + echo c4-convex-bsd + exit ;; + CRAY*Y-MP:*:*:*) + echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*[A-Z]90:*:*:*) + echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ + -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ + -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*TS:*:*:*) + echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*T3E:*:*:*) + echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + CRAY*SV1:*:*:*) + echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit ;; + F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) + FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit ;; + i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) + echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + exit ;; + sparc*:BSD/OS:*:*) + echo sparc-unknown-bsdi${UNAME_RELEASE} + exit ;; + *:BSD/OS:*:*) + echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + exit ;; + 
*:FreeBSD:*:*) + UNAME_PROCESSOR=`/usr/bin/uname -p` + case ${UNAME_PROCESSOR} in + amd64) + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; + esac + echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + i*:CYGWIN*:*) + echo ${UNAME_MACHINE}-pc-cygwin + exit ;; + *:MINGW64*:*) + echo ${UNAME_MACHINE}-pc-mingw64 + exit ;; + *:MINGW*:*) + echo ${UNAME_MACHINE}-pc-mingw32 + exit ;; + *:MSYS*:*) + echo ${UNAME_MACHINE}-pc-msys + exit ;; + i*:windows32*:*) + # uname -m includes "-pc" on this system. + echo ${UNAME_MACHINE}-mingw32 + exit ;; + i*:PW*:*) + echo ${UNAME_MACHINE}-pc-pw32 + exit ;; + *:Interix*:*) + case ${UNAME_MACHINE} in + x86) + echo i586-pc-interix${UNAME_RELEASE} + exit ;; + authenticamd | genuineintel | EM64T) + echo x86_64-unknown-interix${UNAME_RELEASE} + exit ;; + IA64) + echo ia64-unknown-interix${UNAME_RELEASE} + exit ;; + esac ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit ;; + 8664:Windows_NT:*) + echo x86_64-pc-mks + exit ;; + i*:Windows_NT*:* | Pentium*:Windows_NT*:*) + # How do we know it's Interix rather than the generic POSIX subsystem? + # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we + # UNAME_MACHINE based on the output of uname instead of i386? 
+ echo i586-pc-interix + exit ;; + i*:UWIN*:*) + echo ${UNAME_MACHINE}-pc-uwin + exit ;; + amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) + echo x86_64-unknown-cygwin + exit ;; + p*:CYGWIN*:*) + echo powerpcle-unknown-cygwin + exit ;; + prep*:SunOS:5.*:*) + echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + exit ;; + *:GNU:*:*) + # the GNU system + echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + exit ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + exit ;; + i*86:Minix:*:*) + echo ${UNAME_MACHINE}-pc-minix + exit ;; + aarch64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + aarch64_be:Linux:*:*) + UNAME_MACHINE=aarch64_be + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + alpha:Linux:*:*) + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + EV5) UNAME_MACHINE=alphaev5 ;; + EV56) UNAME_MACHINE=alphaev56 ;; + PCA56) UNAME_MACHINE=alphapca56 ;; + PCA57) UNAME_MACHINE=alphapca56 ;; + EV6) UNAME_MACHINE=alphaev6 ;; + EV67) UNAME_MACHINE=alphaev67 ;; + EV68*) UNAME_MACHINE=alphaev68 ;; + esac + objdump --private-headers /bin/sh | grep -q ld.so.1 + if test "$?" 
= 0 ; then LIBC=gnulibc1 ; fi + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + arc:Linux:*:* | arceb:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + arm*:Linux:*:*) + eval $set_cc_for_build + if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_EABI__ + then + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + else + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi + else + echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf + fi + fi + exit ;; + avr32*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + cris:Linux:*:*) + echo ${UNAME_MACHINE}-axis-linux-${LIBC} + exit ;; + crisv32:Linux:*:*) + echo ${UNAME_MACHINE}-axis-linux-${LIBC} + exit ;; + e2k:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + frv:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + hexagon:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + i*86:Linux:*:*) + echo ${UNAME_MACHINE}-pc-linux-${LIBC} + exit ;; + ia64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + k1om:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + m68*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + mips:Linux:*:* | mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef ${UNAME_MACHINE} + #undef ${UNAME_MACHINE}el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=${UNAME_MACHINE}el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=${UNAME_MACHINE} + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` + test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } + ;; + mips64el:Linux:*:*) + echo 
${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + openrisc*:Linux:*:*) + echo or1k-unknown-linux-${LIBC} + exit ;; + or32:Linux:*:* | or1k*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + padre:Linux:*:*) + echo sparc-unknown-linux-${LIBC} + exit ;; + parisc64:Linux:*:* | hppa64:Linux:*:*) + echo hppa64-unknown-linux-${LIBC} + exit ;; + parisc:Linux:*:* | hppa:Linux:*:*) + # Look for CPU level + case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in + PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; + PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; + *) echo hppa-unknown-linux-${LIBC} ;; + esac + exit ;; + ppc64:Linux:*:*) + echo powerpc64-unknown-linux-${LIBC} + exit ;; + ppc:Linux:*:*) + echo powerpc-unknown-linux-${LIBC} + exit ;; + ppc64le:Linux:*:*) + echo powerpc64le-unknown-linux-${LIBC} + exit ;; + ppcle:Linux:*:*) + echo powerpcle-unknown-linux-${LIBC} + exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + s390:Linux:*:* | s390x:Linux:*:*) + echo ${UNAME_MACHINE}-ibm-linux-${LIBC} + exit ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + sh*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + sparc:Linux:*:* | sparc64:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + tile*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + vax:Linux:*:*) + echo ${UNAME_MACHINE}-dec-linux-${LIBC} + exit ;; + x86_64:Linux:*:*) + echo ${UNAME_MACHINE}-pc-linux-${LIBC} + exit ;; + xtensa*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + exit ;; + i*86:DYNIX/ptx:4*:*) + # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. + # earlier versions are messed up and put the nodename in both + # sysname and nodename. + echo i386-sequent-sysv4 + exit ;; + i*86:UNIX_SV:4.2MP:2.*) + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... 
+ # I am not positive that other SVR4 systems won't match this, + # I just have to hope. -- rms. + # Use sysv4.2uw... so that sysv4* matches it. + echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + exit ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. + echo ${UNAME_MACHINE}-pc-os2-emx + exit ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit ;; + i*86:syllable:*:*) + echo ${UNAME_MACHINE}-pc-syllable + exit ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit ;; + i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) + UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then + echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + else + echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + fi + exit ;; + i*86:*:5:[678]*) + # UnixWare 7.x, OpenUNIX and OpenServer 6. 
+ case `/bin/uname -X | grep "^Machine"` in + *486*) UNAME_MACHINE=i486 ;; + *Pentium) UNAME_MACHINE=i586 ;; + *Pent*|*Celeron) UNAME_MACHINE=i686 ;; + esac + echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + exit ;; + i*86:*:3.2:*) + if test -f /usr/options/cb.name; then + UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ + && UNAME_MACHINE=i586 + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ + && UNAME_MACHINE=i686 + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ + && UNAME_MACHINE=i686 + echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + else + echo ${UNAME_MACHINE}-pc-sysv32 + fi + exit ;; + pc:*:*:*) + # Left here for compatibility: + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i586. + # Note: whatever this is, it MUST be the same as what config.sub + # prints for the "djgpp" host, or else GDB configure will decide that + # this is a cross-build. + echo i586-pc-msdosdjgpp + exit ;; + Intel:Mach:3*:*) + echo i386-pc-mach3 + exit ;; + paragon:*:*:*) + echo i860-intel-osf1 + exit ;; + i860:*:4.*:*) # i860-SVR4 + if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then + echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + else # Add other i860-SVR4 vendors below as they are discovered. 
+ echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + fi + exit ;; + mini*:CTIX:SYS*5:*) + # "miniframe" + echo m68010-convergent-sysv + exit ;; + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit ;; + M68*:*:R3V[5678]*:*) + test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) + OS_REL='' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4; exit; } ;; + NCR*:*:4.2:* | MPRAS*:*:4.2:*) + OS_REL='.3' + test -r /etc/.relid \ + && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ + && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) + echo m68k-unknown-lynxos${UNAME_RELEASE} + exit ;; + mc68030:UNIX_System_V:4.*:*) + echo m68k-atari-sysv4 + exit ;; + TSUNAMI:LynxOS:2.*:*) + echo sparc-unknown-lynxos${UNAME_RELEASE} + exit ;; + rs6000:LynxOS:2.*:*) + echo rs6000-unknown-lynxos${UNAME_RELEASE} + exit ;; + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) + echo powerpc-unknown-lynxos${UNAME_RELEASE} + exit ;; + SM[BE]S:UNIX_SV:*:*) + echo mips-dde-sysv${UNAME_RELEASE} + exit ;; + 
RM*:ReliantUNIX-*:*:*) + echo mips-sni-sysv4 + exit ;; + RM*:SINIX-*:*:*) + echo mips-sni-sysv4 + exit ;; + *:SINIX-*:*:*) + if uname -p 2>/dev/null >/dev/null ; then + UNAME_MACHINE=`(uname -p) 2>/dev/null` + echo ${UNAME_MACHINE}-sni-sysv4 + else + echo ns32k-sni-sysv + fi + exit ;; + PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort + # says + echo i586-unisys-sysv4 + exit ;; + *:UNIX_System_V:4*:FTX*) + # From Gerald Hewes . + # How about differentiating between stratus architectures? -djm + echo hppa1.1-stratus-sysv4 + exit ;; + *:*:*:FTX*) + # From seanf@swdc.stratus.com. + echo i860-stratus-sysv4 + exit ;; + i*86:VOS:*:*) + # From Paul.Green@stratus.com. + echo ${UNAME_MACHINE}-stratus-vos + exit ;; + *:VOS:*:*) + # From Paul.Green@stratus.com. + echo hppa1.1-stratus-vos + exit ;; + mc68*:A/UX:*:*) + echo m68k-apple-aux${UNAME_RELEASE} + exit ;; + news*:NEWS-OS:6*:*) + echo mips-sony-newsos6 + exit ;; + R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) + if [ -d /usr/nec ]; then + echo mips-nec-sysv${UNAME_RELEASE} + else + echo mips-unknown-sysv${UNAME_RELEASE} + fi + exit ;; + BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. + echo powerpc-be-beos + exit ;; + BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. + echo powerpc-apple-beos + exit ;; + BePC:BeOS:*:*) # BeOS running on Intel PC compatible. + echo i586-pc-beos + exit ;; + BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 
+ echo i586-pc-haiku + exit ;; + x86_64:Haiku:*:*) + echo x86_64-unknown-haiku + exit ;; + SX-4:SUPER-UX:*:*) + echo sx4-nec-superux${UNAME_RELEASE} + exit ;; + SX-5:SUPER-UX:*:*) + echo sx5-nec-superux${UNAME_RELEASE} + exit ;; + SX-6:SUPER-UX:*:*) + echo sx6-nec-superux${UNAME_RELEASE} + exit ;; + SX-7:SUPER-UX:*:*) + echo sx7-nec-superux${UNAME_RELEASE} + exit ;; + SX-8:SUPER-UX:*:*) + echo sx8-nec-superux${UNAME_RELEASE} + exit ;; + SX-8R:SUPER-UX:*:*) + echo sx8r-nec-superux${UNAME_RELEASE} + exit ;; + SX-ACE:SUPER-UX:*:*) + echo sxace-nec-superux${UNAME_RELEASE} + exit ;; + Power*:Rhapsody:*:*) + echo powerpc-apple-rhapsody${UNAME_RELEASE} + exit ;; + *:Rhapsody:*:*) + echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + exit ;; + *:Darwin:*:*) + UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown + eval $set_cc_for_build + if test "$UNAME_PROCESSOR" = unknown ; then + UNAME_PROCESSOR=powerpc + fi + if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if [ "$CC_FOR_BUILD" != no_compiler_found ]; then + if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null + then + case $UNAME_PROCESSOR in + i386) UNAME_PROCESSOR=x86_64 ;; + powerpc) UNAME_PROCESSOR=powerpc64 ;; + esac + fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc + fi + fi + elif test "$UNAME_PROCESSOR" = i386 ; then + # Avoid executing cc on OS X 10.9, as it ships with a stub + # that puts up a graphical alert prompting to install + # developer tools. Any system running Mac OS X 10.7 or + # later (Darwin 11 and later) is required to have a 64-bit + # processor. This is not true of the ARM version of Darwin + # that Apple uses in portable devices. 
+ UNAME_PROCESSOR=x86_64 + fi + echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} + exit ;; + *:procnto*:*:* | *:QNX:[0123456789]*:*) + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = x86; then + UNAME_PROCESSOR=i386 + UNAME_MACHINE=pc + fi + echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} + exit ;; + *:QNX:*:4*) + echo i386-pc-qnx + exit ;; + NEO-*:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk${UNAME_RELEASE} + exit ;; + NSE-*:NONSTOP_KERNEL:*:*) + echo nse-tandem-nsk${UNAME_RELEASE} + exit ;; + NSR-*:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk${UNAME_RELEASE} + exit ;; + NSX-*:NONSTOP_KERNEL:*:*) + echo nsx-tandem-nsk${UNAME_RELEASE} + exit ;; + *:NonStop-UX:*:*) + echo mips-compaq-nonstopux + exit ;; + BS2000:POSIX*:*:*) + echo bs2000-siemens-sysv + exit ;; + DS/*:UNIX_System_V:*:*) + echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + exit ;; + *:Plan9:*:*) + # "uname -m" is not consistent, so use $cputype instead. 386 + # is converted to i386 for consistency with other x86 + # operating systems. 
+ if test "$cputype" = 386; then + UNAME_MACHINE=i386 + else + UNAME_MACHINE="$cputype" + fi + echo ${UNAME_MACHINE}-unknown-plan9 + exit ;; + *:TOPS-10:*:*) + echo pdp10-unknown-tops10 + exit ;; + *:TENEX:*:*) + echo pdp10-unknown-tenex + exit ;; + KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) + echo pdp10-dec-tops20 + exit ;; + XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) + echo pdp10-xkl-tops20 + exit ;; + *:TOPS-20:*:*) + echo pdp10-unknown-tops20 + exit ;; + *:ITS:*:*) + echo pdp10-unknown-its + exit ;; + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} + exit ;; + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + exit ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms ; exit ;; + I*) echo ia64-dec-vms ; exit ;; + V*) echo vax-dec-vms ; exit ;; + esac ;; + *:XENIX:*:SysV) + echo i386-pc-xenix + exit ;; + i*86:skyos:*:*) + echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` + exit ;; + i*86:rdos:*:*) + echo ${UNAME_MACHINE}-pc-rdos + exit ;; + i*86:AROS:*:*) + echo ${UNAME_MACHINE}-pc-aros + exit ;; + x86_64:VMkernel:*:*) + echo ${UNAME_MACHINE}-unknown-esx + exit ;; + amd64:Isilon\ OneFS:*:*) + echo x86_64-unknown-onefs + exit ;; +esac + +cat >&2 </dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null` + +hostinfo = `(hostinfo) 2>/dev/null` +/bin/universe = `(/bin/universe) 2>/dev/null` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` +/bin/arch = `(/bin/arch) 2>/dev/null` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` + +UNAME_MACHINE = ${UNAME_MACHINE} +UNAME_RELEASE = ${UNAME_RELEASE} +UNAME_SYSTEM = 
${UNAME_SYSTEM} +UNAME_VERSION = ${UNAME_VERSION} +EOF + +exit 1 + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "timestamp='" +# time-stamp-format: "%:y-%02m-%02d" +# time-stamp-end: "'" +# End: diff --git a/build/config.rpath b/build/config.rpath new file mode 100755 index 0000000..3f1bef3 --- /dev/null +++ b/build/config.rpath 
@@ -0,0 +1,571 @@ +#! /bin/sh +# Output a system dependent set of variables, describing how to set the +# run time search path of shared libraries in an executable. +# +# Copyright 1996-2005 Free Software Foundation, Inc. +# Taken from GNU libtool, 2001 +# Originally by Gordon Matzigkeit , 1996 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# The first argument passed to this file is the canonical host specification, +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# The environment variables CC, GCC, LDFLAGS, LD, with_gnu_ld +# should be set by the caller. +# +# The set of defined variables is at the end of this script. + +# Known limitations: +# - On IRIX 6.5 with CC="cc", the run time search patch must not be longer +# than 256 bytes, otherwise the compiler driver will dump core. The only +# known workaround is to choose shorter directory names for the build +# directory and/or the installation directory. + +# All known linkers require a `.a' archive for static linking (except M$VC, +# which needs '.lib'). +libext=a +shrext=.so + +host="$1" +host_cpu=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` +host_vendor=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` +host_os=`echo "$host" | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` + +cc_basename=`echo "$CC" | sed -e 's%^.*/%%'` + +# Code taken from libtool.m4's AC_LIBTOOL_PROG_COMPILER_PIC. 
+ +wl= +if test "$GCC" = yes; then + wl='-Wl,' +else + case "$host_os" in + aix*) + wl='-Wl,' + ;; + darwin*) + case "$cc_basename" in + xlc*) + wl='-Wl,' + ;; + esac + ;; + mingw* | pw32* | os2*) + ;; + hpux9* | hpux10* | hpux11*) + wl='-Wl,' + ;; + irix5* | irix6* | nonstopux*) + wl='-Wl,' + ;; + newsos6) + ;; + linux*) + case $cc_basename in + icc* | ecc*) + wl='-Wl,' + ;; + pgcc | pgf77 | pgf90) + wl='-Wl,' + ;; + ccc*) + wl='-Wl,' + ;; + como) + wl='-lopt=' + ;; + esac + ;; + osf3* | osf4* | osf5*) + wl='-Wl,' + ;; + sco3.2v5*) + ;; + solaris*) + wl='-Wl,' + ;; + sunos4*) + wl='-Qoption ld ' + ;; + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) + wl='-Wl,' + ;; + sysv4*MP*) + ;; + unicos*) + wl='-Wl,' + ;; + uts4*) + ;; + esac +fi + +# Code taken from libtool.m4's AC_LIBTOOL_PROG_LD_SHLIBS. + +hardcode_libdir_flag_spec= +hardcode_libdir_separator= +hardcode_direct=no +hardcode_minus_L=no + +case "$host_os" in + cygwin* | mingw* | pw32*) + # FIXME: the MSVC++ port hasn't been tested in a loooong time + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + if test "$GCC" != yes; then + with_gnu_ld=no + fi + ;; + openbsd*) + with_gnu_ld=no + ;; +esac + +ld_shlibs=yes +if test "$with_gnu_ld" = yes; then + case "$host_os" in + aix3* | aix4* | aix5*) + # On AIX/PPC, the GNU linker is very broken + if test "$host_cpu" != ia64; then + ld_shlibs=no + fi + ;; + amigaos*) + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + # Samuel A. Falvo II reports + # that the semantics of dynamic libraries on AmigaOS, at least up + # to version 4, is to share data among multiple programs linked + # with the same dynamic library. Since this doesn't match the + # behavior of shared libraries on other platforms, we cannot use + # them. 
+ ld_shlibs=no + ;; + beos*) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + : + else + ld_shlibs=no + fi + ;; + cygwin* | mingw* | pw32*) + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + hardcode_libdir_flag_spec='-L$libdir' + if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then + : + else + ld_shlibs=no + fi + ;; + netbsd*) + ;; + solaris* | sysv5*) + if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then + ld_shlibs=no + elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + : + else + ld_shlibs=no + fi + ;; + sunos4*) + hardcode_direct=yes + ;; + linux*) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + : + else + ld_shlibs=no + fi + ;; + *) + if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then + : + else + ld_shlibs=no + fi + ;; + esac + if test "$ld_shlibs" = yes; then + # Unlike libtool, we use -rpath here, not --rpath, since the documented + # option of GNU ld is called -rpath, not --rpath. + hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir' + fi +else + case "$host_os" in + aix3*) + # Note: this linker hardcodes the directories in LIBPATH if there + # are no directories specified by -L. + hardcode_minus_L=yes + if test "$GCC" = yes; then + # Neither direct hardcoding nor static linking is supported with a + # broken collect2. + hardcode_direct=unsupported + fi + ;; + aix4* | aix5*) + if test "$host_cpu" = ia64; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + else + aix_use_runtimelinking=no + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # need to do runtime linking. 
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*) + for ld_flag in $LDFLAGS; do + if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then + aix_use_runtimelinking=yes + break + fi + done + esac + fi + hardcode_direct=yes + hardcode_libdir_separator=':' + if test "$GCC" = yes; then + case $host_os in aix4.[012]|aix4.[012].*) + collect2name=`${CC} -print-prog-name=collect2` + if test -f "$collect2name" && \ + strings "$collect2name" | grep resolve_lib_name >/dev/null + then + # We have reworked collect2 + hardcode_direct=yes + else + # We have old collect2 + hardcode_direct=unsupported + hardcode_minus_L=yes + hardcode_libdir_flag_spec='-L$libdir' + hardcode_libdir_separator= + fi + esac + fi + # Begin _LT_AC_SYS_LIBPATH_AIX. + echo 'int main () { return 0; }' > conftest.c + ${CC} ${LDFLAGS} conftest.c -o conftest + aix_libpath=`dump -H conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +}'` + if test -z "$aix_libpath"; then + aix_libpath=`dump -HX64 conftest 2>/dev/null | sed -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; } +}'` + fi + if test -z "$aix_libpath"; then + aix_libpath="/usr/lib:/lib" + fi + rm -f conftest.c conftest + # End _LT_AC_SYS_LIBPATH_AIX. + if test "$aix_use_runtimelinking" = yes; then + hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" + else + if test "$host_cpu" = ia64; then + hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib' + else + hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath" + fi + fi + ;; + amigaos*) + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + # see comment about different semantics on the GNU ld section + ld_shlibs=no + ;; + bsdi[45]*) + ;; + cygwin* | mingw* | pw32*) + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. 
+ hardcode_libdir_flag_spec=' ' + libext=lib + ;; + darwin* | rhapsody*) + hardcode_direct=no + if test "$GCC" = yes ; then + : + else + case "$cc_basename" in + xlc*) + ;; + *) + ld_shlibs=no + ;; + esac + fi + ;; + dgux*) + hardcode_libdir_flag_spec='-L$libdir' + ;; + freebsd1*) + ld_shlibs=no + ;; + freebsd2.2*) + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + ;; + freebsd2*) + hardcode_direct=yes + hardcode_minus_L=yes + ;; + freebsd* | kfreebsd*-gnu | dragonfly*) + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + ;; + hpux9*) + hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' + hardcode_libdir_separator=: + hardcode_direct=yes + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + hardcode_minus_L=yes + ;; + hpux10* | hpux11*) + if test "$with_gnu_ld" = no; then + case "$host_cpu" in + hppa*64*) + hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' + hardcode_libdir_separator=: + hardcode_direct=no + ;; + ia64*) + hardcode_libdir_flag_spec='-L$libdir' + hardcode_direct=no + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + hardcode_minus_L=yes + ;; + *) + hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir' + hardcode_libdir_separator=: + hardcode_direct=yes + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ hardcode_minus_L=yes
+ ;;
+ esac
+ fi
+ ;;
+ irix5* | irix6* | nonstopux*)
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ ;;
+ netbsd*)
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ ;;
+ newsos6)
+ hardcode_direct=yes
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ ;;
+ openbsd*)
+ hardcode_direct=yes
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ else
+ case "$host_os" in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ hardcode_libdir_flag_spec='-R$libdir'
+ ;;
+ *)
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+ os2*)
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+ ;;
+ osf3*)
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ ;;
+ osf4* | osf5*)
+ if test "$GCC" = yes; then
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ else
+ # Both cc and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec='-rpath $libdir'
+ fi
+ hardcode_libdir_separator=:
+ ;;
+ sco3.2v5*)
+ ;;
+ solaris*)
+ hardcode_libdir_flag_spec='-R$libdir'
+ ;;
+ sunos4*)
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_direct=yes
+ hardcode_minus_L=yes
+ ;;
+ sysv4)
+ case $host_vendor in
+ sni)
+ hardcode_direct=yes # is this really true???
+ ;;
+ siemens)
+ hardcode_direct=no
+ ;;
+ motorola)
+ hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ ;;
+ sysv4.3*)
+ ;;
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ ld_shlibs=yes
+ fi
+ ;;
+ sysv4.2uw2*)
+ hardcode_direct=yes
+ hardcode_minus_L=no
+ ;;
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
+ ;;
+ sysv5*)
+ hardcode_libdir_flag_spec=
+ ;;
+ uts4*)
+ hardcode_libdir_flag_spec='-L$libdir'
+ ;;
+ *)
+ ld_shlibs=no
+ ;;
+ esac
+fi
+
+# Check dynamic linker characteristics
+# Code taken from libtool.m4's AC_LIBTOOL_SYS_DYNAMIC_LINKER.
+libname_spec='lib$name'
+case "$host_os" in
+ aix3*)
+ ;;
+ aix4* | aix5*)
+ ;;
+ amigaos*)
+ ;;
+ beos*)
+ ;;
+ bsdi[45]*)
+ ;;
+ cygwin* | mingw* | pw32*)
+ shrext=.dll
+ ;;
+ darwin* | rhapsody*)
+ shrext=.dylib
+ ;;
+ dgux*)
+ ;;
+ freebsd1*)
+ ;;
+ kfreebsd*-gnu)
+ ;;
+ freebsd*)
+ ;;
+ gnu*)
+ ;;
+ hpux9* | hpux10* | hpux11*)
+ case "$host_cpu" in
+ ia64*)
+ shrext=.so
+ ;;
+ hppa*64*)
+ shrext=.sl
+ ;;
+ *)
+ shrext=.sl
+ ;;
+ esac
+ ;;
+ irix5* | irix6* | nonstopux*)
+ case "$host_os" in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") libsuff= shlibsuff= ;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") libsuff=32 shlibsuff=N32 ;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") libsuff=64 shlibsuff=64 ;;
+ *) libsuff= shlibsuff= ;;
+ esac
+ ;;
+ esac
+ ;;
+ linux*oldld* | linux*aout* | linux*coff*)
+ ;;
+ linux*)
+ ;;
+ knetbsd*-gnu)
+ ;;
+ netbsd*)
+ ;;
+ newsos6)
+ ;;
+ nto-qnx*)
+ ;;
+ openbsd*)
+ ;;
+ os2*)
+ libname_spec='$name'
+ shrext=.dll
+ ;;
+ osf3* | osf4* | osf5*)
+ ;;
+ sco3.2v5*)
+ ;;
+ solaris*)
+ ;;
+ sunos4*)
+ ;;
+ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ ;;
+ sysv4*MP*)
+ ;;
+ uts4*)
+ ;;
+esac
+
+sed_quote_subst='s/\(["`$\\]\)/\\\1/g'
+escaped_wl=`echo "X$wl" | sed -e 's/^X//' -e "$sed_quote_subst"`
+shlibext=`echo "$shrext" | sed -e 's,^\.,,'`
+escaped_hardcode_libdir_flag_spec=`echo "X$hardcode_libdir_flag_spec" | sed -e 's/^X//' -e "$sed_quote_subst"` + +LC_ALL=C sed -e 's/^\([a-zA-Z0-9_]*\)=/acl_cv_\1=/' <. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that +# program. This Exception is an additional permission under section 7 +# of the GNU General Public License, version 3 ("GPLv3"). + + +# Please send patches to . +# +# Configuration subroutine to validate and canonicalize a configuration type. +# Supply the specified configuration type as an argument. +# If it is invalid, we print an error message on stderr and exit with code 1. +# Otherwise, we print the canonical config type on stdout and succeed. + +# You can get the latest version of this script from: +# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub + +# This file is supposed to be the same for all GNU packages +# and recognize all the CPU types, system types and aliases +# that are meaningful with *any* GNU software. +# Each package is responsible for reporting which valid configurations +# it does not support. The user should be able to distinguish +# a failure to support a valid configuration from a meaningless +# configuration. + +# The goal of this file is to map all the various variations of a given +# machine specification into a single specification in the form: +# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM +# or in some cases, the newer four-part form: +# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM +# It is wrong to echo any other type of specification. + +me=`echo "$0" | sed -e 's,.*/,,'` + +usage="\ +Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS + +Canonicalize a configuration name. 
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to ."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright 1992-2017 Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit ;;
+ --version | -v )
+ echo "$version" ; exit ;;
+ --help | --h* | -h )
+ echo "$usage"; exit ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit ;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+ nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
+ linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
+ knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
+ kopensolaris*-gnu* | cloudabi*-eabi* | \
+ storm-chaos* | os2-emx* | rtmk-nova*)
+ os=-$maybe_os
+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+ ;;
+ android-linux)
+ os=-linux-android
+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown
+ ;;
+ *)
+ basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+ if [ $basic_machine != $1 ]
+ then os=`echo $1 | sed 's/.*-/-/'`
+ else os=; fi
+ ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work. We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+ -sun*os*)
+ # Prevent following clause from handling this invalid input.
+ ;;
+ -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+ -apple | -axis | -knuth | -cray | -microblaze*)
+ os=
+ basic_machine=$1
+ ;;
+ -bluegene*)
+ os=-cnk
+ ;;
+ -sim | -cisco | -oki | -wec | -winbond)
+ os=
+ basic_machine=$1
+ ;;
+ -scout)
+ ;;
+ -wrs)
+ os=-vxworks
+ basic_machine=$1
+ ;;
+ -chorusos*)
+ os=-chorusos
+ basic_machine=$1
+ ;;
+ -chorusrdb)
+ os=-chorusrdb
+ basic_machine=$1
+ ;;
+ -hiux*)
+ os=-hiuxwe2
+ ;;
+ -sco6)
+ os=-sco5v6
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco5)
+ os=-sco3.2v5
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco4)
+ os=-sco3.2v4
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2.[4-9]*)
+ os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2v[4-9]*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco5v6*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -sco*) + os=-sco3.2v2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -udk*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -isc) + os=-isc2.2 + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -clix*) + basic_machine=clipper-intergraph + ;; + -isc*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` + ;; + -lynx*178) + os=-lynxos178 + ;; + -lynx*5) + os=-lynxos5 + ;; + -lynx*) + os=-lynxos + ;; + -ptx*) + basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + ;; + -windowsnt*) + os=`echo $os | sed -e 's/windowsnt/winnt/'` + ;; + -psos*) + os=-psos + ;; + -mint | -mint[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; +esac + +# Decode aliases for certain CPU-COMPANY combinations. +case $basic_machine in + # Recognize the basic CPU types without company name. + # Some are omitted here because they have special meanings below. + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ + | arc | arceb \ + | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ + | avr | avr32 \ + | ba \ + | be32 | be64 \ + | bfin \ + | c4x | c8051 | clipper \ + | d10v | d30v | dlx | dsp16xx \ + | e2k | epiphany \ + | fido | fr30 | frv | ft32 \ + | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ + | i370 | i860 | i960 | ia16 | ia64 \ + | ip2k | iq2000 \ + | k1om \ + | le32 | le64 \ + | lm32 \ + | m32c | m32r | m32rle | m68000 | m68k | m88k \ + | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el 
\ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ + | mipstx39 | mipstx39el \ + | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nds32 | nds32le | nds32be \ + | nios | nios2 | nios2eb | nios2el \ + | ns16k | ns32k \ + | open8 | or1k | or1knd | or32 \ + | pdp10 | pdp11 | pj | pjl \ + | powerpc | powerpc64 | powerpc64le | powerpcle \ + | pru \ + | pyramid \ + | riscv32 | riscv64 \ + | rl78 | rx \ + | score \ + | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ + | spu \ + | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ + | ubicom32 \ + | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ + | visium \ + | wasm32 \ + | we32k \ + | x86 | xc16x | xstormy16 | xtensa \ + | z8k | z80) + basic_machine=$basic_machine-unknown + ;; + c54x) + basic_machine=tic54x-unknown + ;; + c55x) + basic_machine=tic55x-unknown + ;; + c6x) + basic_machine=tic6x-unknown + ;; + leon|leon[3-9]) + basic_machine=sparc-$basic_machine + ;; + m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) + basic_machine=$basic_machine-unknown + os=-none + ;; + m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) + ;; + ms1) + basic_machine=mt-unknown + ;; + + strongarm | thumb | xscale) + basic_machine=arm-unknown + ;; + xgate) + basic_machine=$basic_machine-unknown + os=-none + ;; + xscaleeb) + basic_machine=armeb-unknown + ;; + + xscaleel) + basic_machine=armel-unknown + ;; + + # We use `pc' rather than `unknown' + # because (1) that's what 
they normally are, and + # (2) the word "unknown" tends to confuse beginning users. + i*86 | x86_64) + basic_machine=$basic_machine-pc + ;; + # Object if more than one company name word. + *-*-*) + echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 + exit 1 + ;; + # Recognize the basic CPU types with company name. + 580-* \ + | a29k-* \ + | aarch64-* | aarch64_be-* \ + | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* | avr32-* \ + | ba-* \ + | be32-* | be64-* \ + | bfin-* | bs2000-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* \ + | c8051-* | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ + | e2k-* | elxsi-* \ + | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ + | h8300-* | h8500-* \ + | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ + | hexagon-* \ + | i*86-* | i860-* | i960-* | ia16-* | ia64-* \ + | ip2k-* | iq2000-* \ + | k1om-* \ + | le32-* | le64-* \ + | lm32-* \ + | m32c-* | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ + | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ + | microblaze-* | microblazeel-* \ + | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ + | mips16-* \ + | mips64-* | mips64el-* \ + | mips64octeon-* | mips64octeonel-* \ + | mips64orion-* | mips64orionel-* \ + | mips64r5900-* | mips64r5900el-* \ + | mips64vr-* | mips64vrel-* \ + | mips64vr4100-* | mips64vr4100el-* \ + | mips64vr4300-* | mips64vr4300el-* \ + | mips64vr5000-* | mips64vr5000el-* \ + | mips64vr5900-* | mips64vr5900el-* \ + | mipsisa32-* | mipsisa32el-* \ + | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa32r6-* | mipsisa32r6el-* \ + | mipsisa64-* | mipsisa64el-* \ + | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64r6-* | mipsisa64r6el-* \ + | mipsisa64sb1-* | 
mipsisa64sb1el-* \ + | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipsr5900-* | mipsr5900el-* \ + | mipstx39-* | mipstx39el-* \ + | mmix-* \ + | mt-* \ + | msp430-* \ + | nds32-* | nds32le-* | nds32be-* \ + | nios-* | nios2-* | nios2eb-* | nios2el-* \ + | none-* | np1-* | ns16k-* | ns32k-* \ + | open8-* \ + | or1k*-* \ + | orion-* \ + | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ + | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ + | pru-* \ + | pyramid-* \ + | riscv32-* | riscv64-* \ + | rl78-* | romp-* | rs6000-* | rx-* \ + | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ + | sparclite-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ + | tahoe-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tile*-* \ + | tron-* \ + | ubicom32-* \ + | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ + | vax-* \ + | visium-* \ + | wasm32-* \ + | we32k-* \ + | x86-* | x86_64-* | xc16x-* | xps100-* \ + | xstormy16-* | xtensa*-* \ + | ymp-* \ + | z8k-* | z80-*) + ;; + # Recognize the basic CPU types without company name, with glob match. + xtensa*) + basic_machine=$basic_machine-unknown + ;; + # Recognize the various machine names and aliases which stand + # for a CPU type and a company and sometimes even an OS. 
+ 386bsd)
+ basic_machine=i386-unknown
+ os=-bsd
+ ;;
+ 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+ basic_machine=m68000-att
+ ;;
+ 3b*)
+ basic_machine=we32k-att
+ ;;
+ a29khif)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ abacus)
+ basic_machine=abacus-unknown
+ ;;
+ adobe68k)
+ basic_machine=m68010-adobe
+ os=-scout
+ ;;
+ alliant | fx80)
+ basic_machine=fx80-alliant
+ ;;
+ altos | altos3068)
+ basic_machine=m68k-altos
+ ;;
+ am29k)
+ basic_machine=a29k-none
+ os=-bsd
+ ;;
+ amd64)
+ basic_machine=x86_64-pc
+ ;;
+ amd64-*)
+ basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ amdahl)
+ basic_machine=580-amdahl
+ os=-sysv
+ ;;
+ amiga | amiga-*)
+ basic_machine=m68k-unknown
+ ;;
+ amigaos | amigados)
+ basic_machine=m68k-unknown
+ os=-amigaos
+ ;;
+ amigaunix | amix)
+ basic_machine=m68k-unknown
+ os=-sysv4
+ ;;
+ apollo68)
+ basic_machine=m68k-apollo
+ os=-sysv
+ ;;
+ apollo68bsd)
+ basic_machine=m68k-apollo
+ os=-bsd
+ ;;
+ aros)
+ basic_machine=i386-pc
+ os=-aros
+ ;;
+ asmjs)
+ basic_machine=asmjs-unknown
+ ;;
+ aux)
+ basic_machine=m68k-apple
+ os=-aux
+ ;;
+ balance)
+ basic_machine=ns32k-sequent
+ os=-dynix
+ ;;
+ blackfin)
+ basic_machine=bfin-unknown
+ os=-linux
+ ;;
+ blackfin-*)
+ basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'`
+ os=-linux
+ ;;
+ bluegene*)
+ basic_machine=powerpc-ibm
+ os=-cnk
+ ;;
+ c54x-*)
+ basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ c55x-*)
+ basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ c6x-*)
+ basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ c90)
+ basic_machine=c90-cray
+ os=-unicos
+ ;;
+ cegcc)
+ basic_machine=arm-unknown
+ os=-cegcc
+ ;;
+ convex-c1)
+ basic_machine=c1-convex
+ os=-bsd
+ ;;
+ convex-c2)
+ basic_machine=c2-convex
+ os=-bsd
+ ;;
+ convex-c32)
+ basic_machine=c32-convex
+ os=-bsd
+ ;;
+ convex-c34)
+ basic_machine=c34-convex
+ os=-bsd
+ ;;
+ convex-c38)
+ basic_machine=c38-convex
+ os=-bsd
+ ;;
+ cray | j90) + basic_machine=j90-cray + os=-unicos + ;; + craynv) + basic_machine=craynv-cray + os=-unicosmp + ;; + cr16 | cr16-*) + basic_machine=cr16-unknown + os=-elf + ;; + crds | unos) + basic_machine=m68k-crds + ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; + cris | cris-* | etrax*) + basic_machine=cris-axis + ;; + crx) + basic_machine=crx-unknown + os=-elf + ;; + da30 | da30-*) + basic_machine=m68k-da30 + ;; + decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) + basic_machine=mips-dec + ;; + decsystem10* | dec10*) + basic_machine=pdp10-dec + os=-tops10 + ;; + decsystem20* | dec20*) + basic_machine=pdp10-dec + os=-tops20 + ;; + delta | 3300 | motorola-3300 | motorola-delta \ + | 3300-motorola | delta-motorola) + basic_machine=m68k-motorola + ;; + delta88) + basic_machine=m88k-motorola + os=-sysv3 + ;; + dicos) + basic_machine=i686-pc + os=-dicos + ;; + djgpp) + basic_machine=i586-pc + os=-msdosdjgpp + ;; + dpx20 | dpx20-*) + basic_machine=rs6000-bull + os=-bosx + ;; + dpx2* | dpx2*-bull) + basic_machine=m68k-bull + os=-sysv3 + ;; + e500v[12]) + basic_machine=powerpc-unknown + os=$os"spe" + ;; + e500v[12]-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + os=$os"spe" + ;; + ebmon29k) + basic_machine=a29k-amd + os=-ebmon + ;; + elxsi) + basic_machine=elxsi-elxsi + os=-bsd + ;; + encore | umax | mmax) + basic_machine=ns32k-encore + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=-ose + ;; + fx2800) + basic_machine=i860-alliant + ;; + genix) + basic_machine=ns32k-ns + ;; + gmicro) + basic_machine=tron-gmicro + os=-sysv + ;; + go32) + basic_machine=i386-pc + os=-go32 + ;; + h3050r* | hiux*) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=-hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=-xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=-hms + ;; + harris) + basic_machine=m88k-harris + os=-sysv3 + ;; + 
hp300-*) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=-bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=-hpux + ;; + hp3k9[0-9][0-9] | hp9[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k2[0-9][0-9] | hp9k31[0-9]) + basic_machine=m68000-hp + ;; + hp9k3[2-9][0-9]) + basic_machine=m68k-hp + ;; + hp9k6[0-9][0-9] | hp6[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hp9k7[0-79][0-9] | hp7[0-79][0-9]) + basic_machine=hppa1.1-hp + ;; + hp9k78[0-9] | hp78[0-9]) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) + # FIXME: really hppa2.0-hp + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][13679] | hp8[0-9][13679]) + basic_machine=hppa1.1-hp + ;; + hp9k8[0-9][0-9] | hp8[0-9][0-9]) + basic_machine=hppa1.0-hp + ;; + hppa-next) + os=-nextstep3 + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=-osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=-proelf + ;; + i370-ibm* | ibm*) + basic_machine=i370-ibm + ;; + i*86v32) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv32 + ;; + i*86v4*) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv4 + ;; + i*86v) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-sysv + ;; + i*86sol2) + basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` + os=-solaris2 + ;; + i386mach) + basic_machine=i386-mach + os=-mach + ;; + i386-vsta | vsta) + basic_machine=i386-unknown + os=-vsta + ;; + iris | iris4d) + basic_machine=mips-sgi + case $os in + -irix*) + ;; + *) + os=-irix4 + ;; + esac + ;; + isi68 | isi) + basic_machine=m68k-isi + os=-sysv + ;; + leon-*|leon[3-9]-*) + basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'` + ;; + m68knommu) + basic_machine=m68k-unknown + os=-linux + ;; + m68knommu-*) + basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; + m88k-omron*) + basic_machine=m88k-omron + ;; + magnum | m3230) + basic_machine=mips-mips + os=-sysv + ;; + merlin) + 
basic_machine=ns32k-utek + os=-sysv + ;; + microblaze*) + basic_machine=microblaze-xilinx + ;; + mingw64) + basic_machine=x86_64-pc + os=-mingw64 + ;; + mingw32) + basic_machine=i686-pc + os=-mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + os=-mingw32ce + ;; + miniframe) + basic_machine=m68000-convergent + ;; + *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) + basic_machine=m68k-atari + os=-mint + ;; + mips3*-*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` + ;; + mips3*) + basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown + ;; + monitor) + basic_machine=m68k-rom68k + os=-coff + ;; + morphos) + basic_machine=powerpc-unknown + os=-morphos + ;; + moxiebox) + basic_machine=moxie-unknown + os=-moxiebox + ;; + msdos) + basic_machine=i386-pc + os=-msdos + ;; + ms1-*) + basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` + ;; + msys) + basic_machine=i686-pc + os=-msys + ;; + mvs) + basic_machine=i370-ibm + os=-mvs + ;; + nacl) + basic_machine=le32-unknown + os=-nacl + ;; + ncr3000) + basic_machine=i486-ncr + os=-sysv4 + ;; + netbsd386) + basic_machine=i386-unknown + os=-netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + os=-linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=-newsos + ;; + news1000) + basic_machine=m68030-sony + os=-newsos + ;; + news-3600 | risc-news) + basic_machine=mips-sony + os=-newsos + ;; + necv70) + basic_machine=v70-nec + os=-sysv + ;; + next | m*-next ) + basic_machine=m68k-next + case $os in + -nextstep* ) + ;; + -ns2*) + os=-nextstep2 + ;; + *) + os=-nextstep3 + ;; + esac + ;; + nh3000) + basic_machine=m68k-harris + os=-cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=-cxux + ;; + nindy960) + basic_machine=i960-intel + os=-nindy + ;; + mon960) + basic_machine=i960-intel + os=-mon960 + ;; + nonstopux) + basic_machine=mips-compaq + os=-nonstopux + ;; + np1) + basic_machine=np1-gould + ;; + neo-tandem) + basic_machine=neo-tandem + ;; + nse-tandem) + 
basic_machine=nse-tandem + ;; + nsr-tandem) + basic_machine=nsr-tandem + ;; + nsx-tandem) + basic_machine=nsx-tandem + ;; + op50n-* | op60c-*) + basic_machine=hppa1.1-oki + os=-proelf + ;; + openrisc | openrisc-*) + basic_machine=or32-unknown + ;; + os400) + basic_machine=powerpc-ibm + os=-os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=-ose + ;; + os68k) + basic_machine=m68k-none + os=-os68k + ;; + pa-hitachi) + basic_machine=hppa1.1-hitachi + os=-hiuxwe2 + ;; + paragon) + basic_machine=i860-intel + os=-osf + ;; + parisc) + basic_machine=hppa-unknown + os=-linux + ;; + parisc-*) + basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` + os=-linux + ;; + pbd) + basic_machine=sparc-tti + ;; + pbb) + basic_machine=m68k-tti + ;; + pc532 | pc532-*) + basic_machine=ns32k-pc532 + ;; + pc98) + basic_machine=i386-pc + ;; + pc98-*) + basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentium | p5 | k5 | k6 | nexgen | viac3) + basic_machine=i586-pc + ;; + pentiumpro | p6 | 6x86 | athlon | athlon_*) + basic_machine=i686-pc + ;; + pentiumii | pentium2 | pentiumiii | pentium3) + basic_machine=i686-pc + ;; + pentium4) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) + basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumpro-* | p6-* | 6x86-* | athlon-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) + basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + pn) + basic_machine=pn-gould + ;; + power) basic_machine=power-ibm + ;; + ppc | ppcbe) basic_machine=powerpc-unknown + ;; + ppc-* | ppcbe-*) + basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppcle | powerpclittle) + basic_machine=powerpcle-unknown + ;; + ppcle-* | powerpclittle-*) + basic_machine=powerpcle-`echo $basic_machine | sed 
's/^[^-]*-//'` + ;; + ppc64) basic_machine=powerpc64-unknown + ;; + ppc64-* | ppc64p7-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ppc64le | powerpc64little) + basic_machine=powerpc64le-unknown + ;; + ppc64le-* | powerpc64little-*) + basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + ps2) + basic_machine=i386-ibm + ;; + pw32) + basic_machine=i586-unknown + os=-pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + os=-rdos + ;; + rdos32) + basic_machine=i386-pc + os=-rdos + ;; + rom68k) + basic_machine=m68k-rom68k + os=-coff + ;; + rm[46]00) + basic_machine=mips-siemens + ;; + rtpc | rtpc-*) + basic_machine=romp-ibm + ;; + s390 | s390-*) + basic_machine=s390-ibm + ;; + s390x | s390x-*) + basic_machine=s390x-ibm + ;; + sa29200) + basic_machine=a29k-amd + os=-udi + ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sde) + basic_machine=mipsisa32-sde + os=-elf + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; + sequent) + basic_machine=i386-sequent + ;; + sh) + basic_machine=sh-hitachi + os=-hms + ;; + sh5el) + basic_machine=sh5le-unknown + ;; + sh64) + basic_machine=sh64-unknown + ;; + sparclite-wrs | simso-wrs) + basic_machine=sparclite-wrs + os=-vxworks + ;; + sps7) + basic_machine=m68k-bull + os=-sysv2 + ;; + spur) + basic_machine=spur-unknown + ;; + st2000) + basic_machine=m68k-tandem + ;; + stratus) + basic_machine=i860-stratus + os=-sysv4 + ;; + strongarm-* | thumb-*) + basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; + sun2) + basic_machine=m68000-sun + ;; + sun2os3) + basic_machine=m68000-sun + os=-sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=-sunos4 + ;; + sun3os3) + basic_machine=m68k-sun + os=-sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=-sunos4 + ;; + sun4os3) + basic_machine=sparc-sun + os=-sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=-sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=-solaris2 
+ ;;
+ sun3 | sun3-*)
+ basic_machine=m68k-sun
+ ;;
+ sun4)
+ basic_machine=sparc-sun
+ ;;
+ sun386 | sun386i | roadrunner)
+ basic_machine=i386-sun
+ ;;
+ sv1)
+ basic_machine=sv1-cray
+ os=-unicos
+ ;;
+ symmetry)
+ basic_machine=i386-sequent
+ os=-dynix
+ ;;
+ t3e)
+ basic_machine=alphaev5-cray
+ os=-unicos
+ ;;
+ t90)
+ basic_machine=t90-cray
+ os=-unicos
+ ;;
+ tile*)
+ basic_machine=$basic_machine-unknown
+ os=-linux-gnu
+ ;;
+ tx39)
+ basic_machine=mipstx39-unknown
+ ;;
+ tx39el)
+ basic_machine=mipstx39el-unknown
+ ;;
+ toad1)
+ basic_machine=pdp10-xkl
+ os=-tops20
+ ;;
+ tower | tower-32)
+ basic_machine=m68k-ncr
+ ;;
+ tpf)
+ basic_machine=s390x-ibm
+ os=-tpf
+ ;;
+ udi29k)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ ultra3)
+ basic_machine=a29k-nyu
+ os=-sym1
+ ;;
+ v810 | necv810)
+ basic_machine=v810-nec
+ os=-none
+ ;;
+ vaxv)
+ basic_machine=vax-dec
+ os=-sysv
+ ;;
+ vms)
+ basic_machine=vax-dec
+ os=-vms
+ ;;
+ vpp*|vx|vx-*)
+ basic_machine=f301-fujitsu
+ ;;
+ vxworks960)
+ basic_machine=i960-wrs
+ os=-vxworks
+ ;;
+ vxworks68)
+ basic_machine=m68k-wrs
+ os=-vxworks
+ ;;
+ vxworks29k)
+ basic_machine=a29k-wrs
+ os=-vxworks
+ ;;
+ wasm32)
+ basic_machine=wasm32-unknown
+ ;;
+ w65*)
+ basic_machine=w65-wdc
+ os=-none
+ ;;
+ w89k-*)
+ basic_machine=hppa1.1-winbond
+ os=-proelf
+ ;;
+ xbox)
+ basic_machine=i686-pc
+ os=-mingw32
+ ;;
+ xps | xps100)
+ basic_machine=xps100-honeywell
+ ;;
+ xscale-* | xscalee[bl]-*)
+ basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'`
+ ;;
+ ymp)
+ basic_machine=ymp-cray
+ os=-unicos
+ ;;
+ z8k-*-coff)
+ basic_machine=z8k-unknown
+ os=-sim
+ ;;
+ z80-*-coff)
+ basic_machine=z80-unknown
+ os=-sim
+ ;;
+ none)
+ basic_machine=none-none
+ os=-none
+ ;;
+
+# Here we handle the default manufacturer of certain CPU types. It is in
+# some cases the only manufacturer, in others, it is the most popular.
+ w89k)
+ basic_machine=hppa1.1-winbond
+ ;;
+ op50n)
+ basic_machine=hppa1.1-oki
+ ;;
+ op60c)
+ basic_machine=hppa1.1-oki
+ ;;
+ romp)
+ basic_machine=romp-ibm
+ ;;
+ mmix)
+ basic_machine=mmix-knuth
+ ;;
+ rs6000)
+ basic_machine=rs6000-ibm
+ ;;
+ vax)
+ basic_machine=vax-dec
+ ;;
+ pdp10)
+ # there are many clones, so DEC is not a safe bet
+ basic_machine=pdp10-unknown
+ ;;
+ pdp11)
+ basic_machine=pdp11-dec
+ ;;
+ we32k)
+ basic_machine=we32k-att
+ ;;
+ sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele)
+ basic_machine=sh-unknown
+ ;;
+ sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
+ basic_machine=sparc-sun
+ ;;
+ cydra)
+ basic_machine=cydra-cydrome
+ ;;
+ orion)
+ basic_machine=orion-highlevel
+ ;;
+ orion105)
+ basic_machine=clipper-highlevel
+ ;;
+ mac | mpw | mac-mpw)
+ basic_machine=m68k-apple
+ ;;
+ pmac | pmac-mpw)
+ basic_machine=powerpc-apple
+ ;;
+ *-unknown)
+ # Make sure to match an already-canonicalized machine name.
+ ;;
+ *)
+ echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+ *-digital*)
+ basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+ ;;
+ *-commodore*)
+ basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+ ;;
+ *)
+ ;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+ # First match some system type aliases
+ # that might get confused with valid system types.
+ # -solaris* is a basic system type, with this one exception.
+ -auroraux)
+ os=-auroraux
+ ;;
+ -solaris1 | -solaris1.*)
+ os=`echo $os | sed -e 's|solaris1|sunos4|'`
+ ;;
+ -solaris)
+ os=-solaris2
+ ;;
+ -svr4*)
+ os=-sysv4
+ ;;
+ -unixware*)
+ os=-sysv4.2uw
+ ;;
+ -gnu/linux*)
+ os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+ ;;
+ # First accept the basic system types.
+ # The portable systems comes first.
+ # Each alternative MUST END IN A *, to match a version number.
+ # -sysv* is not here because it comes later, after sysvr4.
+ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\
+ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
+ | -sym* | -kopensolaris* | -plan9* \
+ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+ | -aos* | -aros* | -cloudabi* | -sortix* \
+ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
+ | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
+ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
+ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+ | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \
+ | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+ | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+ | -linux-newlib* | -linux-musl* | -linux-uclibc* \
+ | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
+ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
+ | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*)
+ # Remember, each alternative MUST END IN *, to match a version number.
+ ;;
+ -qnx*)
+ case $basic_machine in
+ x86-* | i*86-*)
+ ;;
+ *)
+ os=-nto$os
+ ;;
+ esac
+ ;;
+ -nto-qnx*)
+ ;;
+ -nto*)
+ os=`echo $os | sed -e 's|nto|nto-qnx|'`
+ ;;
+ -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \
+ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+ ;;
+ -mac*)
+ os=`echo $os | sed -e 's|mac|macos|'`
+ ;;
+ -linux-dietlibc)
+ os=-linux-dietlibc
+ ;;
+ -linux*)
+ os=`echo $os | sed -e 's|linux|linux-gnu|'`
+ ;;
+ -sunos5*)
+ os=`echo $os | sed -e 's|sunos5|solaris2|'`
+ ;;
+ -sunos6*)
+ os=`echo $os | sed -e 's|sunos6|solaris3|'`
+ ;;
+ -opened*)
+ os=-openedition
+ ;;
+ -os400*)
+ os=-os400
+ ;;
+ -wince*)
+ os=-wince
+ ;;
+ -osfrose*)
+ os=-osfrose
+ ;;
+ -osf*)
+ os=-osf
+ ;;
+ -utek*)
+ os=-bsd
+ ;;
+ -dynix*)
+ os=-bsd
+ ;;
+ -acis*)
+ os=-aos
+ ;;
+ -atheos*)
+ os=-atheos
+ ;;
+ -syllable*)
+ os=-syllable
+ ;;
+ -386bsd)
+ os=-bsd
+ ;;
+ -ctix* | -uts*)
+ os=-sysv
+ ;;
+ -nova*)
+ os=-rtmk-nova
+ ;;
+ -ns2 )
+ os=-nextstep2
+ ;;
+ -nsk*)
+ os=-nsk
+ ;;
+ # Preserve the version number of sinix5.
+ -sinix5.*)
+ os=`echo $os | sed -e 's|sinix|sysv|'`
+ ;;
+ -sinix*)
+ os=-sysv4
+ ;;
+ -tpf*)
+ os=-tpf
+ ;;
+ -triton*)
+ os=-sysv3
+ ;;
+ -oss*)
+ os=-sysv3
+ ;;
+ -svr4)
+ os=-sysv4
+ ;;
+ -svr3)
+ os=-sysv3
+ ;;
+ -sysvr4)
+ os=-sysv4
+ ;;
+ # This must come after -sysvr4.
+ -sysv*)
+ ;;
+ -ose*)
+ os=-ose
+ ;;
+ -es1800*)
+ os=-ose
+ ;;
+ -xenix)
+ os=-xenix
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ os=-mint
+ ;;
+ -aros*)
+ os=-aros
+ ;;
+ -zvmoe)
+ os=-zvmoe
+ ;;
+ -dicos*)
+ os=-dicos
+ ;;
+ -nacl*)
+ ;;
+ -ios)
+ ;;
+ -none)
+ ;;
+ *)
+ # Get rid of the `-' at the beginning of $os.
+ os=`echo $os | sed 's/[^-]*-//'`
+ echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system. Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+ score-*)
+ os=-elf
+ ;;
+ spu-*)
+ os=-elf
+ ;;
+ *-acorn)
+ os=-riscix1.2
+ ;;
+ arm*-rebel)
+ os=-linux
+ ;;
+ arm*-semi)
+ os=-aout
+ ;;
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ c8051-*)
+ os=-elf
+ ;;
+ hexagon-*)
+ os=-elf
+ ;;
+ tic54x-*)
+ os=-coff
+ ;;
+ tic55x-*)
+ os=-coff
+ ;;
+ tic6x-*)
+ os=-coff
+ ;;
+ # This must come before the *-dec entry.
+ pdp10-*)
+ os=-tops20
+ ;;
+ pdp11-*)
+ os=-none
+ ;;
+ *-dec | vax-*)
+ os=-ultrix4.2
+ ;;
+ m68*-apollo)
+ os=-domain
+ ;;
+ i386-sun)
+ os=-sunos4.0.2
+ ;;
+ m68000-sun)
+ os=-sunos3
+ ;;
+ m68*-cisco)
+ os=-aout
+ ;;
+ mep-*)
+ os=-elf
+ ;;
+ mips*-cisco)
+ os=-elf
+ ;;
+ mips*-*)
+ os=-elf
+ ;;
+ or32-*)
+ os=-coff
+ ;;
+ *-tti) # must be before sparc entry or we get the wrong os.
+ os=-sysv3
+ ;;
+ sparc-* | *-sun)
+ os=-sunos4.1.1
+ ;;
+ pru-*)
+ os=-elf
+ ;;
+ *-be)
+ os=-beos
+ ;;
+ *-haiku)
+ os=-haiku
+ ;;
+ *-ibm)
+ os=-aix
+ ;;
+ *-knuth)
+ os=-mmixware
+ ;;
+ *-wec)
+ os=-proelf
+ ;;
+ *-winbond)
+ os=-proelf
+ ;;
+ *-oki)
+ os=-proelf
+ ;;
+ *-hp)
+ os=-hpux
+ ;;
+ *-hitachi)
+ os=-hiux
+ ;;
+ i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+ os=-sysv
+ ;;
+ *-cbm)
+ os=-amigaos
+ ;;
+ *-dg)
+ os=-dgux
+ ;;
+ *-dolphin)
+ os=-sysv3
+ ;;
+ m68k-ccur)
+ os=-rtu
+ ;;
+ m88k-omron*)
+ os=-luna
+ ;;
+ *-next )
+ os=-nextstep
+ ;;
+ *-sequent)
+ os=-ptx
+ ;;
+ *-crds)
+ os=-unos
+ ;;
+ *-ns)
+ os=-genix
+ ;;
+ i370-*)
+ os=-mvs
+ ;;
+ *-next)
+ os=-nextstep3
+ ;;
+ *-gould)
+ os=-sysv
+ ;;
+ *-highlevel)
+ os=-bsd
+ ;;
+ *-encore)
+ os=-bsd
+ ;;
+ *-sgi)
+ os=-irix
+ ;;
+ *-siemens)
+ os=-sysv4
+ ;;
+ *-masscomp)
+ os=-rtu
+ ;;
+ f30[01]-fujitsu | f700-fujitsu)
+ os=-uxpv
+ ;;
+ *-rom68k)
+ os=-coff
+ ;;
+ *-*bug)
+ os=-coff
+ ;;
+ *-apple)
+ os=-macos
+ ;;
+ *-atari*)
+ os=-mint
+ ;;
+ *)
+ os=-none
+ ;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer. We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+ *-unknown)
+ case $os in
+ -riscix*)
+ vendor=acorn
+ ;;
+ -sunos*)
+ vendor=sun
+ ;;
+ -cnk*|-aix*)
+ vendor=ibm
+ ;;
+ -beos*)
+ vendor=be
+ ;;
+ -hpux*)
+ vendor=hp
+ ;;
+ -mpeix*)
+ vendor=hp
+ ;;
+ -hiux*)
+ vendor=hitachi
+ ;;
+ -unos*)
+ vendor=crds
+ ;;
+ -dgux*)
+ vendor=dg
+ ;;
+ -luna*)
+ vendor=omron
+ ;;
+ -genix*)
+ vendor=ns
+ ;;
+ -mvs* | -opened*)
+ vendor=ibm
+ ;;
+ -os400*)
+ vendor=ibm
+ ;;
+ -ptx*)
+ vendor=sequent
+ ;;
+ -tpf*)
+ vendor=ibm
+ ;;
+ -vxsim* | -vxworks* | -windiss*)
+ vendor=wrs
+ ;;
+ -aux*)
+ vendor=apple
+ ;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ vendor=atari
+ ;;
+ -vos*)
+ vendor=stratus
+ ;;
+ esac
+ basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+ ;;
+esac
+
+echo $basic_machine$os
+exit
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/build/depcomp b/build/depcomp
new file mode 100755
index 0000000..30379e2
--- /dev/null
+++ b/build/depcomp
@@ -0,0 +1,791 @@ +#!/bin/sh +# depcomp - compile a program generating dependencies as side-effects + +scriptversion=2016-01-11.22; # UTC + +# Copyright (C) 1999-2017 Free Software Foundation, Inc. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# Originally written by Alexandre Oliva . + +case $1 in + '') + echo "$0: No command. Try '$0 --help' for more information." 1>&2 + exit 1; + ;; + -h | --h*) + cat <<\EOF +Usage: depcomp [--help] [--version] PROGRAM [ARGS] + +Run PROGRAMS ARGS to compile a file, generating dependencies +as side-effects. + +Environment variables: + depmode Dependency tracking mode. + source Source file read by 'PROGRAMS ARGS'. + object Object file output by 'PROGRAMS ARGS'. + DEPDIR directory where to store dependencies. + depfile Dependency file to output. + tmpdepfile Temporary file to use when outputting dependencies. + libtool Whether libtool is used (yes/no). + +Report bugs to . +EOF + exit $? + ;; + -v | --v*) + echo "depcomp $scriptversion" + exit $? + ;; +esac + +# Get the directory component of the given path, and save it in the +# global variables '$dir'. 
Note that this directory component will +# be either empty or ending with a '/' character. This is deliberate. +set_dir_from () +{ + case $1 in + */*) dir=`echo "$1" | sed -e 's|/[^/]*$|/|'`;; + *) dir=;; + esac +} + +# Get the suffix-stripped basename of the given path, and save it the +# global variable '$base'. +set_base_from () +{ + base=`echo "$1" | sed -e 's|^.*/||' -e 's/\.[^.]*$//'` +} + +# If no dependency file was actually created by the compiler invocation, +# we still have to create a dummy depfile, to avoid errors with the +# Makefile "include basename.Plo" scheme. +make_dummy_depfile () +{ + echo "#dummy" > "$depfile" +} + +# Factor out some common post-processing of the generated depfile. +# Requires the auxiliary global variable '$tmpdepfile' to be set. +aix_post_process_depfile () +{ + # If the compiler actually managed to produce a dependency file, + # post-process it. + if test -f "$tmpdepfile"; then + # Each line is of the form 'foo.o: dependency.h'. + # Do two passes, one to just change these to + # $object: dependency.h + # and one to simply output + # dependency.h: + # which is needed to avoid the deleted-header problem. + { sed -e "s,^.*\.[$lower]*:,$object:," < "$tmpdepfile" + sed -e "s,^.*\.[$lower]*:[$tab ]*,," -e 's,$,:,' < "$tmpdepfile" + } > "$depfile" + rm -f "$tmpdepfile" + else + make_dummy_depfile + fi +} + +# A tabulation character. +tab=' ' +# A newline character. +nl=' +' +# Character ranges might be problematic outside the C locale. +# These definitions help. +upper=ABCDEFGHIJKLMNOPQRSTUVWXYZ +lower=abcdefghijklmnopqrstuvwxyz +digits=0123456789 +alpha=${upper}${lower} + +if test -z "$depmode" || test -z "$source" || test -z "$object"; then + echo "depcomp: Variables source, object and depmode must be set" 1>&2 + exit 1 +fi + +# Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po. 
+depfile=${depfile-`echo "$object" | + sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`} +tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`} + +rm -f "$tmpdepfile" + +# Avoid interferences from the environment. +gccflag= dashmflag= + +# Some modes work just like other modes, but use different flags. We +# parameterize here, but still list the modes in the big case below, +# to make depend.m4 easier to write. Note that we *cannot* use a case +# here, because this file can only contain one case statement. +if test "$depmode" = hp; then + # HP compiler uses -M and no extra arg. + gccflag=-M + depmode=gcc +fi + +if test "$depmode" = dashXmstdout; then + # This is just like dashmstdout with a different argument. + dashmflag=-xM + depmode=dashmstdout +fi + +cygpath_u="cygpath -u -f -" +if test "$depmode" = msvcmsys; then + # This is just like msvisualcpp but w/o cygpath translation. + # Just convert the backslash-escaped backslashes to single forward + # slashes to satisfy depend.m4 + cygpath_u='sed s,\\\\,/,g' + depmode=msvisualcpp +fi + +if test "$depmode" = msvc7msys; then + # This is just like msvc7 but w/o cygpath translation. + # Just convert the backslash-escaped backslashes to single forward + # slashes to satisfy depend.m4 + cygpath_u='sed s,\\\\,/,g' + depmode=msvc7 +fi + +if test "$depmode" = xlc; then + # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information. + gccflag=-qmakedep=gcc,-MF + depmode=gcc +fi + +case "$depmode" in +gcc3) +## gcc 3 implements dependency tracking that does exactly what +## we want. Yay! Note: for some reason libtool 1.4 doesn't like +## it if -MD -MP comes after the -MF stuff. Hmm. +## Unfortunately, FreeBSD c89 acceptance of flags depends upon +## the command line argument order; so add the flags where they +## appear in depend2.am. Note that the slowdown incurred here +## affects only configure: in makefiles, %FASTDEP% shortcuts this. 
+ for arg + do + case $arg in + -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;; + *) set fnord "$@" "$arg" ;; + esac + shift # fnord + shift # $arg + done + "$@" + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + mv "$tmpdepfile" "$depfile" + ;; + +gcc) +## Note that this doesn't just cater to obsosete pre-3.x GCC compilers. +## but also to in-use compilers like IMB xlc/xlC and the HP C compiler. +## (see the conditional assignment to $gccflag above). +## There are various ways to get dependency output from gcc. Here's +## why we pick this rather obscure method: +## - Don't want to use -MD because we'd like the dependencies to end +## up in a subdir. Having to rename by hand is ugly. +## (We might end up doing this anyway to support other compilers.) +## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like +## -MM, not -M (despite what the docs say). Also, it might not be +## supported by the other compilers which use the 'gcc' depmode. +## - Using -M directly means running the compiler twice (even worse +## than renaming). + if test -z "$gccflag"; then + gccflag=-MD, + fi + "$@" -Wp,"$gccflag$tmpdepfile" + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + echo "$object : \\" > "$depfile" + # The second -e expression handles DOS-style file names with drive + # letters. + sed -e 's/^[^:]*: / /' \ + -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" +## This next piece of magic avoids the "deleted header file" problem. +## The problem is that when a header file which appears in a .P file +## is deleted, the dependency causes make to die (because there is +## typically no way to rebuild the header). We avoid this by adding +## dummy dependencies for each header file. Too bad gcc doesn't do +## this for us directly. +## Some versions of gcc put a space before the ':'. 
On the theory +## that the space means something, we add a space to the output as +## well. hp depmode also adds that space, but also prefixes the VPATH +## to the object. Take care to not repeat it in the output. +## Some versions of the HPUX 10.20 sed can't process this invocation +## correctly. Breaking it into two sed invocations is a workaround. + tr ' ' "$nl" < "$tmpdepfile" \ + | sed -e 's/^\\$//' -e '/^$/d' -e "s|.*$object$||" -e '/:$/d' \ + | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +hp) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + +sgi) + if test "$libtool" = yes; then + "$@" "-Wp,-MDupdate,$tmpdepfile" + else + "$@" -MDupdate "$tmpdepfile" + fi + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + + if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files + echo "$object : \\" > "$depfile" + # Clip off the initial element (the dependent). Don't try to be + # clever and replace this with sed code, as IRIX sed won't handle + # lines with more than a fixed number of characters (4096 in + # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; + # the IRIX cc adds comments like '#:fec' to the end of the + # dependency line. + tr ' ' "$nl" < "$tmpdepfile" \ + | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' \ + | tr "$nl" ' ' >> "$depfile" + echo >> "$depfile" + # The second pass generates a dummy entry for each header file. + tr ' ' "$nl" < "$tmpdepfile" \ + | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ + >> "$depfile" + else + make_dummy_depfile + fi + rm -f "$tmpdepfile" + ;; + +xlc) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. 
+ exit 1 + ;; + +aix) + # The C for AIX Compiler uses -M and outputs the dependencies + # in a .u file. In older versions, this file always lives in the + # current directory. Also, the AIX compiler puts '$object:' at the + # start of each line; $object doesn't have directory information. + # Version 6 uses the directory in both cases. + set_dir_from "$object" + set_base_from "$object" + if test "$libtool" = yes; then + tmpdepfile1=$dir$base.u + tmpdepfile2=$base.u + tmpdepfile3=$dir.libs/$base.u + "$@" -Wc,-M + else + tmpdepfile1=$dir$base.u + tmpdepfile2=$dir$base.u + tmpdepfile3=$dir$base.u + "$@" -M + fi + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + do + test -f "$tmpdepfile" && break + done + aix_post_process_depfile + ;; + +tcc) + # tcc (Tiny C Compiler) understand '-MD -MF file' since version 0.9.26 + # FIXME: That version still under development at the moment of writing. + # Make that this statement remains true also for stable, released + # versions. + # It will wrap lines (doesn't matter whether long or short) with a + # trailing '\', as in: + # + # foo.o : \ + # foo.c \ + # foo.h \ + # + # It will put a trailing '\' even on the last line, and will use leading + # spaces rather than leading tabs (at least since its commit 0394caf7 + # "Emit spaces for -MD"). + "$@" -MD -MF "$tmpdepfile" + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + # Each non-empty line is of the form 'foo.o : \' or ' dep.h \'. + # We have to change lines of the first kind to '$object: \'. + sed -e "s|.*:|$object :|" < "$tmpdepfile" > "$depfile" + # And for each line of the second kind, we have to emit a 'dep.h:' + # dummy dependency, to avoid the deleted-header problem. 
+ sed -n -e 's|^ *\(.*\) *\\$|\1:|p' < "$tmpdepfile" >> "$depfile" + rm -f "$tmpdepfile" + ;; + +## The order of this option in the case statement is important, since the +## shell code in configure will try each of these formats in the order +## listed in this file. A plain '-MD' option would be understood by many +## compilers, so we must ensure this comes after the gcc and icc options. +pgcc) + # Portland's C compiler understands '-MD'. + # Will always output deps to 'file.d' where file is the root name of the + # source file under compilation, even if file resides in a subdirectory. + # The object file name does not affect the name of the '.d' file. + # pgcc 10.2 will output + # foo.o: sub/foo.c sub/foo.h + # and will wrap long lines using '\' : + # foo.o: sub/foo.c ... \ + # sub/foo.h ... \ + # ... + set_dir_from "$object" + # Use the source, not the object, to determine the base name, since + # that's sadly what pgcc will do too. + set_base_from "$source" + tmpdepfile=$base.d + + # For projects that build the same source file twice into different object + # files, the pgcc approach of using the *source* file root name can cause + # problems in parallel builds. Use a locking strategy to avoid stomping on + # the same $tmpdepfile. + lockdir=$base.d-lock + trap " + echo '$0: caught signal, cleaning up...' >&2 + rmdir '$lockdir' + exit 1 + " 1 2 13 15 + numtries=100 + i=$numtries + while test $i -gt 0; do + # mkdir is a portable test-and-set. + if mkdir "$lockdir" 2>/dev/null; then + # This process acquired the lock. + "$@" -MD + stat=$? + # Release the lock. + rmdir "$lockdir" + break + else + # If the lock is being held by a different process, wait + # until the winning process is done or we timeout. 
+ while test -d "$lockdir" && test $i -gt 0; do + sleep 1 + i=`expr $i - 1` + done + fi + i=`expr $i - 1` + done + trap - 1 2 13 15 + if test $i -le 0; then + echo "$0: failed to acquire lock after $numtries attempts" >&2 + echo "$0: check lockdir '$lockdir'" >&2 + exit 1 + fi + + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + # Each line is of the form `foo.o: dependent.h', + # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. + # Do two passes, one to just change these to + # `$object: dependent.h' and one to simply `dependent.h:'. + sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" + # Some versions of the HPUX 10.20 sed can't process this invocation + # correctly. Breaking it into two sed invocations is a workaround. + sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" \ + | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +hp2) + # The "hp" stanza above does not work with aCC (C++) and HP's ia64 + # compilers, which have integrated preprocessors. The correct option + # to use with these is +Maked; it writes dependencies to a file named + # 'foo.d', which lands next to the object file, wherever that + # happens to be. + # Much of this is similar to the tru64 case; see comments there. + set_dir_from "$object" + set_base_from "$object" + if test "$libtool" = yes; then + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir.libs/$base.d + "$@" -Wc,+Maked + else + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir$base.d + "$@" +Maked + fi + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile1" "$tmpdepfile2" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" + do + test -f "$tmpdepfile" && break + done + if test -f "$tmpdepfile"; then + sed -e "s,^.*\.[$lower]*:,$object:," "$tmpdepfile" > "$depfile" + # Add 'dependent.h:' lines. 
+ sed -ne '2,${ + s/^ *// + s/ \\*$// + s/$/:/ + p + }' "$tmpdepfile" >> "$depfile" + else + make_dummy_depfile + fi + rm -f "$tmpdepfile" "$tmpdepfile2" + ;; + +tru64) + # The Tru64 compiler uses -MD to generate dependencies as a side + # effect. 'cc -MD -o foo.o ...' puts the dependencies into 'foo.o.d'. + # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put + # dependencies in 'foo.d' instead, so we check for that too. + # Subdirectories are respected. + set_dir_from "$object" + set_base_from "$object" + + if test "$libtool" = yes; then + # Libtool generates 2 separate objects for the 2 libraries. These + # two compilations output dependencies in $dir.libs/$base.o.d and + # in $dir$base.o.d. We have to check for both files, because + # one of the two compilations can be disabled. We should prefer + # $dir$base.o.d over $dir.libs/$base.o.d because the latter is + # automatically cleaned when .libs/ is deleted, while ignoring + # the former would cause a distcleancheck panic. + tmpdepfile1=$dir$base.o.d # libtool 1.5 + tmpdepfile2=$dir.libs/$base.o.d # Likewise. + tmpdepfile3=$dir.libs/$base.d # Compaq CCC V6.2-504 + "$@" -Wc,-MD + else + tmpdepfile1=$dir$base.d + tmpdepfile2=$dir$base.d + tmpdepfile3=$dir$base.d + "$@" -MD + fi + + stat=$? + if test $stat -ne 0; then + rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + exit $stat + fi + + for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" + do + test -f "$tmpdepfile" && break + done + # Same post-processing that is required for AIX mode. + aix_post_process_depfile + ;; + +msvc7) + if test "$libtool" = yes; then + showIncludes=-Wc,-showIncludes + else + showIncludes=-showIncludes + fi + "$@" $showIncludes > "$tmpdepfile" + stat=$? 
+ grep -v '^Note: including file: ' "$tmpdepfile" + if test $stat -ne 0; then + rm -f "$tmpdepfile" + exit $stat + fi + rm -f "$depfile" + echo "$object : \\" > "$depfile" + # The first sed program below extracts the file names and escapes + # backslashes for cygpath. The second sed program outputs the file + # name when reading, but also accumulates all include files in the + # hold buffer in order to output them again at the end. This only + # works with sed implementations that can handle large buffers. + sed < "$tmpdepfile" -n ' +/^Note: including file: *\(.*\)/ { + s//\1/ + s/\\/\\\\/g + p +}' | $cygpath_u | sort -u | sed -n ' +s/ /\\ /g +s/\(.*\)/'"$tab"'\1 \\/p +s/.\(.*\) \\/\1:/ +H +$ { + s/.*/'"$tab"'/ + G + p +}' >> "$depfile" + echo >> "$depfile" # make sure the fragment doesn't end with a backslash + rm -f "$tmpdepfile" + ;; + +msvc7msys) + # This case exists only to let depend.m4 do its work. It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + +#nosideeffect) + # This comment above is used by automake to tell side-effect + # dependency tracking mechanisms from slower ones. + +dashmstdout) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout, regardless of -o. + "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + + # Remove '-o $object'. + IFS=" " + for arg + do + case $arg in + -o) + shift + ;; + $object) + shift + ;; + *) + set fnord "$@" "$arg" + shift # fnord + shift # $arg + ;; + esac + done + + test -z "$dashmflag" && dashmflag=-M + # Require at least two characters before searching for ':' + # in the target name. This is to cope with DOS-style filenames: + # a dependency such as 'c:/foo/bar' could be seen as target 'c' otherwise. 
+ "$@" $dashmflag | + sed "s|^[$tab ]*[^:$tab ][^:][^:]*:[$tab ]*|$object: |" > "$tmpdepfile" + rm -f "$depfile" + cat < "$tmpdepfile" > "$depfile" + # Some versions of the HPUX 10.20 sed can't process this sed invocation + # correctly. Breaking it into two sed invocations is a workaround. + tr ' ' "$nl" < "$tmpdepfile" \ + | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \ + | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +dashXmstdout) + # This case only exists to satisfy depend.m4. It is never actually + # run, as this mode is specially recognized in the preamble. + exit 1 + ;; + +makedepend) + "$@" || exit $? + # Remove any Libtool call + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + # X makedepend + shift + cleared=no eat=no + for arg + do + case $cleared in + no) + set ""; shift + cleared=yes ;; + esac + if test $eat = yes; then + eat=no + continue + fi + case "$arg" in + -D*|-I*) + set fnord "$@" "$arg"; shift ;; + # Strip any option that makedepend may not understand. Remove + # the object too, otherwise makedepend will parse it as a source file. + -arch) + eat=yes ;; + -*|$object) + ;; + *) + set fnord "$@" "$arg"; shift ;; + esac + done + obj_suffix=`echo "$object" | sed 's/^.*\././'` + touch "$tmpdepfile" + ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" + rm -f "$depfile" + # makedepend may prepend the VPATH from the source file name to the object. + # No need to regex-escape $object, excess matching of '.' is harmless. + sed "s|^.*\($object *:\)|\1|" "$tmpdepfile" > "$depfile" + # Some versions of the HPUX 10.20 sed can't process the last invocation + # correctly. Breaking it into two sed invocations is a workaround. 
+ sed '1,2d' "$tmpdepfile" \ + | tr ' ' "$nl" \ + | sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' \ + | sed -e 's/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" "$tmpdepfile".bak + ;; + +cpp) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout. + "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + + # Remove '-o $object'. + IFS=" " + for arg + do + case $arg in + -o) + shift + ;; + $object) + shift + ;; + *) + set fnord "$@" "$arg" + shift # fnord + shift # $arg + ;; + esac + done + + "$@" -E \ + | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ + -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ + | sed '$ s: \\$::' > "$tmpdepfile" + rm -f "$depfile" + echo "$object : \\" > "$depfile" + cat < "$tmpdepfile" >> "$depfile" + sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +msvisualcpp) + # Important note: in order to support this mode, a compiler *must* + # always write the preprocessed file to stdout. + "$@" || exit $? + + # Remove the call to Libtool. + if test "$libtool" = yes; then + while test "X$1" != 'X--mode=compile'; do + shift + done + shift + fi + + IFS=" " + for arg + do + case "$arg" in + -o) + shift + ;; + $object) + shift + ;; + "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") + set fnord "$@" + shift + shift + ;; + *) + set fnord "$@" "$arg" + shift + shift + ;; + esac + done + "$@" -E 2>/dev/null | + sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" + rm -f "$depfile" + echo "$object : \\" > "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::'"$tab"'\1 \\:p' >> "$depfile" + echo "$tab" >> "$depfile" + sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" + rm -f "$tmpdepfile" + ;; + +msvcmsys) + # This case exists only to let depend.m4 do its work. 
It works by + # looking at the text of this script. This case will never be run, + # since it is checked for above. + exit 1 + ;; + +none) + exec "$@" + ;; + +*) + echo "Unknown depmode $depmode" 1>&2 + exit 1 + ;; +esac + +exit 0 + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End: diff --git a/build/install-sh b/build/install-sh new file mode 100755 index 0000000..0360b79 --- /dev/null +++ b/build/install-sh 
@@ -0,0 +1,501 @@ +#!/bin/sh +# install - install a program, script, or datafile + +scriptversion=2016-01-11.22; # UTC + +# This originates from X11R5 (mit/util/scripts/install.sh), which was +# later released in X11R6 (xc/config/util/install.sh) with the +# following copyright and license. +# +# Copyright (C) 1994 X Consortium +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN +# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- +# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +# +# Except as contained in this notice, the name of the X Consortium shall not +# be used in advertising or otherwise to promote the sale, use or other deal- +# ings in this Software without prior written authorization from the X Consor- +# tium. +# +# +# FSF changes to this file are in the public domain. +# +# Calling this script install-sh is preferred over install.sh, to prevent +# 'make' implicit rules from creating a file called install from it +# when there is no Makefile. +# +# This script is compatible with the BSD install script, but was written +# from scratch. 
+ +tab=' ' +nl=' +' +IFS=" $tab$nl" + +# Set DOITPROG to "echo" to test this script. + +doit=${DOITPROG-} +doit_exec=${doit:-exec} + +# Put in absolute file names if you don't have them in your path; +# or use environment vars. + +chgrpprog=${CHGRPPROG-chgrp} +chmodprog=${CHMODPROG-chmod} +chownprog=${CHOWNPROG-chown} +cmpprog=${CMPPROG-cmp} +cpprog=${CPPROG-cp} +mkdirprog=${MKDIRPROG-mkdir} +mvprog=${MVPROG-mv} +rmprog=${RMPROG-rm} +stripprog=${STRIPPROG-strip} + +posix_mkdir= + +# Desired mode of installed file. +mode=0755 + +chgrpcmd= +chmodcmd=$chmodprog +chowncmd= +mvcmd=$mvprog +rmcmd="$rmprog -f" +stripcmd= + +src= +dst= +dir_arg= +dst_arg= + +copy_on_change=false +is_target_a_directory=possibly + +usage="\ +Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE + or: $0 [OPTION]... SRCFILES... DIRECTORY + or: $0 [OPTION]... -t DIRECTORY SRCFILES... + or: $0 [OPTION]... -d DIRECTORIES... + +In the 1st form, copy SRCFILE to DSTFILE. +In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. +In the 4th, create DIRECTORIES. + +Options: + --help display this help and exit. + --version display version info and exit. + + -c (ignored) + -C install only if different (preserve the last data modification time) + -d create directories instead of installing files. + -g GROUP $chgrpprog installed files to GROUP. + -m MODE $chmodprog installed files to MODE. + -o USER $chownprog installed files to USER. + -s $stripprog installed files. + -t DIRECTORY install into DIRECTORY. + -T report an error if DSTFILE is a directory. 
+ +Environment variables override the default commands: + CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG + RMPROG STRIPPROG +" + +while test $# -ne 0; do + case $1 in + -c) ;; + + -C) copy_on_change=true;; + + -d) dir_arg=true;; + + -g) chgrpcmd="$chgrpprog $2" + shift;; + + --help) echo "$usage"; exit $?;; + + -m) mode=$2 + case $mode in + *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*) + echo "$0: invalid mode: $mode" >&2 + exit 1;; + esac + shift;; + + -o) chowncmd="$chownprog $2" + shift;; + + -s) stripcmd=$stripprog;; + + -t) + is_target_a_directory=always + dst_arg=$2 + # Protect names problematic for 'test' and other utilities. + case $dst_arg in + -* | [=\(\)!]) dst_arg=./$dst_arg;; + esac + shift;; + + -T) is_target_a_directory=never;; + + --version) echo "$0 $scriptversion"; exit $?;; + + --) shift + break;; + + -*) echo "$0: invalid option: $1" >&2 + exit 1;; + + *) break;; + esac + shift +done + +# We allow the use of options -d and -T together, by making -d +# take the precedence; this is for compatibility with GNU install. + +if test -n "$dir_arg"; then + if test -n "$dst_arg"; then + echo "$0: target directory not allowed when installing a directory." >&2 + exit 1 + fi +fi + +if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then + # When -d is used, all remaining arguments are directories to create. + # When -t is used, the destination is already specified. + # Otherwise, the last argument is the destination. Remove it from $@. + for arg + do + if test -n "$dst_arg"; then + # $@ is not empty: it contains at least $arg. + set fnord "$@" "$dst_arg" + shift # fnord + fi + shift # arg + dst_arg=$arg + # Protect names problematic for 'test' and other utilities. + case $dst_arg in + -* | [=\(\)!]) dst_arg=./$dst_arg;; + esac + done +fi + +if test $# -eq 0; then + if test -z "$dir_arg"; then + echo "$0: no input file specified." >&2 + exit 1 + fi + # It's OK to call 'install-sh -d' without argument. 
+ # This can happen when creating conditional directories. + exit 0 +fi + +if test -z "$dir_arg"; then + if test $# -gt 1 || test "$is_target_a_directory" = always; then + if test ! -d "$dst_arg"; then + echo "$0: $dst_arg: Is not a directory." >&2 + exit 1 + fi + fi +fi + +if test -z "$dir_arg"; then + do_exit='(exit $ret); exit $ret' + trap "ret=129; $do_exit" 1 + trap "ret=130; $do_exit" 2 + trap "ret=141; $do_exit" 13 + trap "ret=143; $do_exit" 15 + + # Set umask so as not to create temps with too-generous modes. + # However, 'strip' requires both read and write access to temps. + case $mode in + # Optimize common cases. + *644) cp_umask=133;; + *755) cp_umask=22;; + + *[0-7]) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw='% 200' + fi + cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; + *) + if test -z "$stripcmd"; then + u_plus_rw= + else + u_plus_rw=,u+rw + fi + cp_umask=$mode$u_plus_rw;; + esac +fi + +for src +do + # Protect names problematic for 'test' and other utilities. + case $src in + -* | [=\(\)!]) src=./$src;; + esac + + if test -n "$dir_arg"; then + dst=$src + dstdir=$dst + test -d "$dstdir" + dstdir_status=$? + else + + # Waiting for this to be detected by the "$cpprog $src $dsttmp" command + # might cause directories to be created, which would be especially bad + # if $src (and thus $dsttmp) contains '*'. + if test ! -f "$src" && test ! -d "$src"; then + echo "$0: $src does not exist." >&2 + exit 1 + fi + + if test -z "$dst_arg"; then + echo "$0: no destination specified." >&2 + exit 1 + fi + dst=$dst_arg + + # If destination is a directory, append the input filename; won't work + # if double slashes aren't ignored. + if test -d "$dst"; then + if test "$is_target_a_directory" = never; then + echo "$0: $dst_arg: Is a directory" >&2 + exit 1 + fi + dstdir=$dst + dst=$dstdir/`basename "$src"` + dstdir_status=0 + else + dstdir=`dirname "$dst"` + test -d "$dstdir" + dstdir_status=$? 
+ fi + fi + + obsolete_mkdir_used=false + + if test $dstdir_status != 0; then + case $posix_mkdir in + '') + # Create intermediate dirs using mode 755 as modified by the umask. + # This is like FreeBSD 'install' as of 1997-10-28. + umask=`umask` + case $stripcmd.$umask in + # Optimize common cases. + *[2367][2367]) mkdir_umask=$umask;; + .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; + + *[0-7]) + mkdir_umask=`expr $umask + 22 \ + - $umask % 100 % 40 + $umask % 20 \ + - $umask % 10 % 4 + $umask % 2 + `;; + *) mkdir_umask=$umask,go-w;; + esac + + # With -d, create the new directory with the user-specified mode. + # Otherwise, rely on $mkdir_umask. + if test -n "$dir_arg"; then + mkdir_mode=-m$mode + else + mkdir_mode= + fi + + posix_mkdir=false + case $umask in + *[123567][0-7][0-7]) + # POSIX mkdir -p sets u+wx bits regardless of umask, which + # is incompatible with FreeBSD 'install' when (umask & 300) != 0. + ;; + *) + tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ + trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 + + if (umask $mkdir_umask && + exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 + then + if test -z "$dir_arg" || { + # Check for POSIX incompatibilities with -m. + # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or + # other-writable bit of parent directory when it shouldn't. + # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. + ls_ld_tmpdir=`ls -ld "$tmpdir"` + case $ls_ld_tmpdir in + d????-?r-*) different_mode=700;; + d????-?--*) different_mode=755;; + *) false;; + esac && + $mkdirprog -m$different_mode -p -- "$tmpdir" && { + ls_ld_tmpdir_1=`ls -ld "$tmpdir"` + test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" + } + } + then posix_mkdir=: + fi + rmdir "$tmpdir/d" "$tmpdir" + else + # Remove any dirs left behind by ancient mkdir implementations. 
+ rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null + fi + trap '' 0;; + esac;; + esac + + if + $posix_mkdir && ( + umask $mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" + ) + then : + else + + # The umask is ridiculous, or mkdir does not conform to POSIX, + # or it failed possibly due to a race condition. Create the + # directory the slow way, step by step, checking for races as we go. + + case $dstdir in + /*) prefix='/';; + [-=\(\)!]*) prefix='./';; + *) prefix='';; + esac + + oIFS=$IFS + IFS=/ + set -f + set fnord $dstdir + shift + set +f + IFS=$oIFS + + prefixes= + + for d + do + test X"$d" = X && continue + + prefix=$prefix$d + if test -d "$prefix"; then + prefixes= + else + if $posix_mkdir; then + (umask=$mkdir_umask && + $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break + # Don't fail if two instances are running concurrently. + test -d "$prefix" || exit 1 + else + case $prefix in + *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; + *) qprefix=$prefix;; + esac + prefixes="$prefixes '$qprefix'" + fi + fi + prefix=$prefix/ + done + + if test -n "$prefixes"; then + # Don't fail if two instances are running concurrently. + (umask $mkdir_umask && + eval "\$doit_exec \$mkdirprog $prefixes") || + test -d "$dstdir" || exit 1 + obsolete_mkdir_used=true + fi + fi + fi + + if test -n "$dir_arg"; then + { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && + { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || + test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 + else + + # Make a couple of temp file names in the proper directory. + dsttmp=$dstdir/_inst.$$_ + rmtmp=$dstdir/_rm.$$_ + + # Trap to clean up those temp files at exit. + trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 + + # Copy the file name to the temp name. + (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && + + # and set any options; do chmod last to preserve setuid bits. 
+ # + # If any of these fail, we abort the whole thing. If we want to + # ignore errors from any of these, just make sure not to ignore + # errors from the above "$doit $cpprog $src $dsttmp" command. + # + { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && + { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && + { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && + { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && + + # If -C, don't bother to copy if it wouldn't change the file. + if $copy_on_change && + old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && + new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && + set -f && + set X $old && old=:$2:$4:$5:$6 && + set X $new && new=:$2:$4:$5:$6 && + set +f && + test "$old" = "$new" && + $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 + then + rm -f "$dsttmp" + else + # Rename the file to the real destination. + $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || + + # The rename failed, perhaps because mv can't rename something else + # to itself, or perhaps because mv is so ancient that it does not + # support -f. + { + # Now remove or move aside any old file at destination location. + # We try this two ways since rm can't unlink itself on some + # systems and the destination file might be busy for other + # reasons. In this case, the final cleanup might fail but the new + # file should still install successfully. + { + test ! -f "$dst" || + $doit $rmcmd -f "$dst" 2>/dev/null || + { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && + { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } + } || + { echo "$0: cannot unlink or rename $dst" >&2 + (exit 1); exit 1 + } + } && + + # Now rename the file to the real destination. + $doit $mvcmd "$dsttmp" "$dst" + } + fi || exit 1 + + trap '' 0 + fi +done + +# Local variables: +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End: 
diff --git a/build/ltmain.sh b/build/ltmain.sh
new file mode 100644
index 0000000..30be9c8
--- /dev/null
+++ b/build/ltmain.sh
@@ -0,0 +1,11149 @@ +#! /bin/sh +## DO NOT EDIT - This file generated from ./build-aux/ltmain.in +## by inline-source v2014-01-03.01 + +# libtool (GNU libtool) 2.4.6 +# Provide generalized library-building support services. +# Written by Gordon Matzigkeit , 1996 + +# Copyright (C) 1996-2015 Free Software Foundation, Inc. +# This is free software; see the source for copying conditions. There is NO +# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +# GNU Libtool is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# As a special exception to the GNU General Public License, +# if you distribute this file as part of a program or library that +# is built using GNU Libtool, you may include this file under the +# same distribution terms that you use for the rest of that program. +# +# GNU Libtool is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + +PROGRAM=libtool +PACKAGE=libtool +VERSION=2.4.6 +package_revision=2.4.6 + + +## ------ ## +## Usage. ## +## ------ ## + +# Run './libtool --help' for help with using this script from the +# command line. + + +## ------------------------------- ## +## User overridable command paths. ## +## ------------------------------- ## + +# After configure completes, it has a better idea of some of the +# shell tools we need than the defaults used by the functions shared +# with bootstrap, so set those here where they can still be over- +# ridden by the user, but otherwise take precedence. 
+ +: ${AUTOCONF="autoconf"} +: ${AUTOMAKE="automake"} + + +## -------------------------- ## +## Source external libraries. ## +## -------------------------- ## + +# Much of our low-level functionality needs to be sourced from external +# libraries, which are installed to $pkgauxdir. + +# Set a version string for this script. +scriptversion=2015-01-20.17; # UTC + +# General shell script boiler plate, and helper functions. +# Written by Gary V. Vaughan, 2004 + +# Copyright (C) 2004-2015 Free Software Foundation, Inc. +# This is free software; see the source for copying conditions. There is NO +# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. + +# As a special exception to the GNU General Public License, if you distribute +# this file as part of a program or library that is built using GNU Libtool, +# you may include this file under the same distribution terms that you use +# for the rest of that program. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNES FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Please report bugs or propose patches to gary@gnu.org. + + +## ------ ## +## Usage. ## +## ------ ## + +# Evaluate this file near the top of your script to gain access to +# the functions and variables defined here: +# +# . `echo "$0" | ${SED-sed} 's|[^/]*$||'`/build-aux/funclib.sh +# +# If you need to override any of the default environment variable +# settings, do that before evaluating this file. 
+ + +## -------------------- ## +## Shell normalisation. ## +## -------------------- ## + +# Some shells need a little help to be as Bourne compatible as possible. +# Before doing anything else, make sure all that help has been provided! + +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in *posix*) set -o posix ;; esac +fi + +# NLS nuisances: We save the old values in case they are required later. +_G_user_locale= +_G_safe_locale= +for _G_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES +do + eval "if test set = \"\${$_G_var+set}\"; then + save_$_G_var=\$$_G_var + $_G_var=C + export $_G_var + _G_user_locale=\"$_G_var=\\\$save_\$_G_var; \$_G_user_locale\" + _G_safe_locale=\"$_G_var=C; \$_G_safe_locale\" + fi" +done + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +# Make sure IFS has a sensible default +sp=' ' +nl=' +' +IFS="$sp $nl" + +# There are apparently some retarded systems that use ';' as a PATH separator! +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + + +## ------------------------- ## +## Locate command utilities. ## +## ------------------------- ## + + +# func_executable_p FILE +# ---------------------- +# Check that FILE is an executable regular file. 
+func_executable_p () +{ + test -f "$1" && test -x "$1" +} + + +# func_path_progs PROGS_LIST CHECK_FUNC [PATH] +# -------------------------------------------- +# Search for either a program that responds to --version with output +# containing "GNU", or else returned by CHECK_FUNC otherwise, by +# trying all the directories in PATH with each of the elements of +# PROGS_LIST. +# +# CHECK_FUNC should accept the path to a candidate program, and +# set $func_check_prog_result if it truncates its output less than +# $_G_path_prog_max characters. +func_path_progs () +{ + _G_progs_list=$1 + _G_check_func=$2 + _G_PATH=${3-"$PATH"} + + _G_path_prog_max=0 + _G_path_prog_found=false + _G_save_IFS=$IFS; IFS=${PATH_SEPARATOR-:} + for _G_dir in $_G_PATH; do + IFS=$_G_save_IFS + test -z "$_G_dir" && _G_dir=. + for _G_prog_name in $_G_progs_list; do + for _exeext in '' .EXE; do + _G_path_prog=$_G_dir/$_G_prog_name$_exeext + func_executable_p "$_G_path_prog" || continue + case `"$_G_path_prog" --version 2>&1` in + *GNU*) func_path_progs_result=$_G_path_prog _G_path_prog_found=: ;; + *) $_G_check_func $_G_path_prog + func_path_progs_result=$func_check_prog_result + ;; + esac + $_G_path_prog_found && break 3 + done + done + done + IFS=$_G_save_IFS + test -z "$func_path_progs_result" && { + echo "no acceptable sed could be found in \$PATH" >&2 + exit 1 + } +} + + +# We want to be able to use the functions in this file before configure +# has figured out where the best binaries are kept, which means we have +# to search for them ourselves - except when the results are already set +# where we skip the searches. + +# Unless the user overrides by setting SED, search the path for either GNU +# sed, or the sed that truncates its output the least. 
+test -z "$SED" && { + _G_sed_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ + for _G_i in 1 2 3 4 5 6 7; do + _G_sed_script=$_G_sed_script$nl$_G_sed_script + done + echo "$_G_sed_script" 2>/dev/null | sed 99q >conftest.sed + _G_sed_script= + + func_check_prog_sed () + { + _G_path_prog=$1 + + _G_count=0 + printf 0123456789 >conftest.in + while : + do + cat conftest.in conftest.in >conftest.tmp + mv conftest.tmp conftest.in + cp conftest.in conftest.nl + echo '' >> conftest.nl + "$_G_path_prog" -f conftest.sed conftest.out 2>/dev/null || break + diff conftest.out conftest.nl >/dev/null 2>&1 || break + _G_count=`expr $_G_count + 1` + if test "$_G_count" -gt "$_G_path_prog_max"; then + # Best one so far, save it but keep looking for a better one + func_check_prog_result=$_G_path_prog + _G_path_prog_max=$_G_count + fi + # 10*(2^10) chars as input seems more than enough + test 10 -lt "$_G_count" && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out + } + + func_path_progs "sed gsed" func_check_prog_sed $PATH:/usr/xpg4/bin + rm -f conftest.sed + SED=$func_path_progs_result +} + + +# Unless the user overrides by setting GREP, search the path for either GNU +# grep, or the grep that truncates its output the least. 
+test -z "$GREP" && { + func_check_prog_grep () + { + _G_path_prog=$1 + + _G_count=0 + _G_path_prog_max=0 + printf 0123456789 >conftest.in + while : + do + cat conftest.in conftest.in >conftest.tmp + mv conftest.tmp conftest.in + cp conftest.in conftest.nl + echo 'GREP' >> conftest.nl + "$_G_path_prog" -e 'GREP$' -e '-(cannot match)-' conftest.out 2>/dev/null || break + diff conftest.out conftest.nl >/dev/null 2>&1 || break + _G_count=`expr $_G_count + 1` + if test "$_G_count" -gt "$_G_path_prog_max"; then + # Best one so far, save it but keep looking for a better one + func_check_prog_result=$_G_path_prog + _G_path_prog_max=$_G_count + fi + # 10*(2^10) chars as input seems more than enough + test 10 -lt "$_G_count" && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out + } + + func_path_progs "grep ggrep" func_check_prog_grep $PATH:/usr/xpg4/bin + GREP=$func_path_progs_result +} + + +## ------------------------------- ## +## User overridable command paths. ## +## ------------------------------- ## + +# All uppercase variable names are used for environment variables. These +# variables can be overridden by the user before calling a script that +# uses them if a suitable command of that name is not already available +# in the command search PATH. + +: ${CP="cp -f"} +: ${ECHO="printf %s\n"} +: ${EGREP="$GREP -E"} +: ${FGREP="$GREP -F"} +: ${LN_S="ln -s"} +: ${MAKE="make"} +: ${MKDIR="mkdir"} +: ${MV="mv -f"} +: ${RM="rm -f"} +: ${SHELL="${CONFIG_SHELL-/bin/sh}"} + + +## -------------------- ## +## Useful sed snippets. ## +## -------------------- ## + +sed_dirname='s|/[^/]*$||' +sed_basename='s|^.*/||' + +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +sed_quote_subst='s|\([`"$\\]\)|\\\1|g' + +# Same as above, but do not quote variable references. 
+sed_double_quote_subst='s/\(["`\\]\)/\\\1/g' + +# Sed substitution that turns a string into a regex matching for the +# string literally. +sed_make_literal_regex='s|[].[^$\\*\/]|\\&|g' + +# Sed substitution that converts a w32 file name or path +# that contains forward slashes, into one that contains +# (escaped) backslashes. A very naive implementation. +sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' + +# Re-'\' parameter expansions in output of sed_double_quote_subst that +# were '\'-ed in input to the same. If an odd number of '\' preceded a +# '$' in input to sed_double_quote_subst, that '$' was protected from +# expansion. Since each input '\' is now two '\'s, look for any number +# of runs of four '\'s followed by two '\'s and then a '$'. '\' that '$'. +_G_bs='\\' +_G_bs2='\\\\' +_G_bs4='\\\\\\\\' +_G_dollar='\$' +sed_double_backslash="\ + s/$_G_bs4/&\\ +/g + s/^$_G_bs2$_G_dollar/$_G_bs&/ + s/\\([^$_G_bs]\\)$_G_bs2$_G_dollar/\\1$_G_bs2$_G_bs$_G_dollar/g + s/\n//g" + + +## ----------------- ## +## Global variables. ## +## ----------------- ## + +# Except for the global variables explicitly listed below, the following +# functions in the '^func_' namespace, and the '^require_' namespace +# variables initialised in the 'Resource management' section, sourcing +# this file will not pollute your global namespace with anything +# else. There's no portable way to scope variables in Bourne shell +# though, so actually running these functions will sometimes place +# results into a variable named after the function, and often use +# temporary variables in the '^_G_' namespace. If you are careful to +# avoid using those namespaces casually in your sourcing script, things +# should continue to work as you expect. And, of course, you can freely +# overwrite any of the functions or variables defined here before +# calling anything to customize them. + +EXIT_SUCCESS=0 +EXIT_FAILURE=1 +EXIT_MISMATCH=63 # $? = 63 is used to indicate version mismatch to missing. 
+EXIT_SKIP=77 # $? = 77 is used to indicate a skipped test to automake. + +# Allow overriding, eg assuming that you follow the convention of +# putting '$debug_cmd' at the start of all your functions, you can get +# bash to show function call trace with: +# +# debug_cmd='eval echo "${FUNCNAME[0]} $*" >&2' bash your-script-name +debug_cmd=${debug_cmd-":"} +exit_cmd=: + +# By convention, finish your script with: +# +# exit $exit_status +# +# so that you can set exit_status to non-zero if you want to indicate +# something went wrong during execution without actually bailing out at +# the point of failure. +exit_status=$EXIT_SUCCESS + +# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh +# is ksh but when the shell is invoked as "sh" and the current value of +# the _XPG environment variable is not equal to 1 (one), the special +# positional parameter $0, within a function call, is the name of the +# function. +progpath=$0 + +# The name of this program. +progname=`$ECHO "$progpath" |$SED "$sed_basename"` + +# Make sure we have an absolute progpath for reexecution: +case $progpath in + [\\/]*|[A-Za-z]:\\*) ;; + *[\\/]*) + progdir=`$ECHO "$progpath" |$SED "$sed_dirname"` + progdir=`cd "$progdir" && pwd` + progpath=$progdir/$progname + ;; + *) + _G_IFS=$IFS + IFS=${PATH_SEPARATOR-:} + for progdir in $PATH; do + IFS=$_G_IFS + test -x "$progdir/$progname" && break + done + IFS=$_G_IFS + test -n "$progdir" || progdir=`pwd` + progpath=$progdir/$progname + ;; +esac + + +## ----------------- ## +## Standard options. ## +## ----------------- ## + +# The following options affect the operation of the functions defined +# below, and should be set appropriately depending on run-time para- +# meters passed on the command line. + +opt_dry_run=false +opt_quiet=false +opt_verbose=false + +# Categories 'all' and 'none' are always available. Append any others +# you will pass as the first argument to func_warning from your own +# code. 
+warning_categories= + +# By default, display warnings according to 'opt_warning_types'. Set +# 'warning_func' to ':' to elide all warnings, or func_fatal_error to +# treat the next displayed warning as a fatal error. +warning_func=func_warn_and_continue + +# Set to 'all' to display all warnings, 'none' to suppress all +# warnings, or a space delimited list of some subset of +# 'warning_categories' to display only the listed warnings. +opt_warning_types=all + + +## -------------------- ## +## Resource management. ## +## -------------------- ## + +# This section contains definitions for functions that each ensure a +# particular resource (a file, or a non-empty configuration variable for +# example) is available, and if appropriate to extract default values +# from pertinent package files. Call them using their associated +# 'require_*' variable to ensure that they are executed, at most, once. +# +# It's entirely deliberate that calling these functions can set +# variables that don't obey the namespace limitations obeyed by the rest +# of this file, in order that that they be as useful as possible to +# callers. + + +# require_term_colors +# ------------------- +# Allow display of bold text on terminals that support it. +require_term_colors=func_require_term_colors +func_require_term_colors () +{ + $debug_cmd + + test -t 1 && { + # COLORTERM and USE_ANSI_COLORS environment variables take + # precedence, because most terminfo databases neglect to describe + # whether color sequences are supported. + test -n "${COLORTERM+set}" && : ${USE_ANSI_COLORS="1"} + + if test 1 = "$USE_ANSI_COLORS"; then + # Standard ANSI escape sequences + tc_reset='' + tc_bold=''; tc_standout='' + tc_red=''; tc_green='' + tc_blue=''; tc_cyan='' + else + # Otherwise trust the terminfo database after all. 
+ test -n "`tput sgr0 2>/dev/null`" && { + tc_reset=`tput sgr0` + test -n "`tput bold 2>/dev/null`" && tc_bold=`tput bold` + tc_standout=$tc_bold + test -n "`tput smso 2>/dev/null`" && tc_standout=`tput smso` + test -n "`tput setaf 1 2>/dev/null`" && tc_red=`tput setaf 1` + test -n "`tput setaf 2 2>/dev/null`" && tc_green=`tput setaf 2` + test -n "`tput setaf 4 2>/dev/null`" && tc_blue=`tput setaf 4` + test -n "`tput setaf 5 2>/dev/null`" && tc_cyan=`tput setaf 5` + } + fi + } + + require_term_colors=: +} + + +## ----------------- ## +## Function library. ## +## ----------------- ## + +# This section contains a variety of useful functions to call in your +# scripts. Take note of the portable wrappers for features provided by +# some modern shells, which will fall back to slower equivalents on +# less featureful shells. + + +# func_append VAR VALUE +# --------------------- +# Append VALUE onto the existing contents of VAR. + + # We should try to minimise forks, especially on Windows where they are + # unreasonably slow, so skip the feature probes when bash or zsh are + # being used: + if test set = "${BASH_VERSION+set}${ZSH_VERSION+set}"; then + : ${_G_HAVE_ARITH_OP="yes"} + : ${_G_HAVE_XSI_OPS="yes"} + # The += operator was introduced in bash 3.1 + case $BASH_VERSION in + [12].* | 3.0 | 3.0*) ;; + *) + : ${_G_HAVE_PLUSEQ_OP="yes"} + ;; + esac + fi + + # _G_HAVE_PLUSEQ_OP + # Can be empty, in which case the shell is probed, "yes" if += is + # useable or anything else if it does not work. + test -z "$_G_HAVE_PLUSEQ_OP" \ + && (eval 'x=a; x+=" b"; test "a b" = "$x"') 2>/dev/null \ + && _G_HAVE_PLUSEQ_OP=yes + +if test yes = "$_G_HAVE_PLUSEQ_OP" +then + # This is an XSI compatible shell, allowing a faster implementation... + eval 'func_append () + { + $debug_cmd + + eval "$1+=\$2" + }' +else + # ...otherwise fall back to using expr, which is often a shell builtin. 
+ func_append () + { + $debug_cmd + + eval "$1=\$$1\$2" + } +fi + + +# func_append_quoted VAR VALUE +# ---------------------------- +# Quote VALUE and append to the end of shell variable VAR, separated +# by a space. +if test yes = "$_G_HAVE_PLUSEQ_OP"; then + eval 'func_append_quoted () + { + $debug_cmd + + func_quote_for_eval "$2" + eval "$1+=\\ \$func_quote_for_eval_result" + }' +else + func_append_quoted () + { + $debug_cmd + + func_quote_for_eval "$2" + eval "$1=\$$1\\ \$func_quote_for_eval_result" + } +fi + + +# func_append_uniq VAR VALUE +# -------------------------- +# Append unique VALUE onto the existing contents of VAR, assuming +# entries are delimited by the first character of VALUE. For example: +# +# func_append_uniq options " --another-option option-argument" +# +# will only append to $options if " --another-option option-argument " +# is not already present somewhere in $options already (note spaces at +# each end implied by leading space in second argument). +func_append_uniq () +{ + $debug_cmd + + eval _G_current_value='`$ECHO $'$1'`' + _G_delim=`expr "$2" : '\(.\)'` + + case $_G_delim$_G_current_value$_G_delim in + *"$2$_G_delim"*) ;; + *) func_append "$@" ;; + esac +} + + +# func_arith TERM... +# ------------------ +# Set func_arith_result to the result of evaluating TERMs. + test -z "$_G_HAVE_ARITH_OP" \ + && (eval 'test 2 = $(( 1 + 1 ))') 2>/dev/null \ + && _G_HAVE_ARITH_OP=yes + +if test yes = "$_G_HAVE_ARITH_OP"; then + eval 'func_arith () + { + $debug_cmd + + func_arith_result=$(( $* )) + }' +else + func_arith () + { + $debug_cmd + + func_arith_result=`expr "$@"` + } +fi + + +# func_basename FILE +# ------------------ +# Set func_basename_result to FILE with everything up to and including +# the last / stripped. +if test yes = "$_G_HAVE_XSI_OPS"; then + # If this shell supports suffix pattern removal, then use it to avoid + # forking. Hide the definitions single quotes in case the shell chokes + # on unsupported syntax... 
+ _b='func_basename_result=${1##*/}' + _d='case $1 in + */*) func_dirname_result=${1%/*}$2 ;; + * ) func_dirname_result=$3 ;; + esac' + +else + # ...otherwise fall back to using sed. + _b='func_basename_result=`$ECHO "$1" |$SED "$sed_basename"`' + _d='func_dirname_result=`$ECHO "$1" |$SED "$sed_dirname"` + if test "X$func_dirname_result" = "X$1"; then + func_dirname_result=$3 + else + func_append func_dirname_result "$2" + fi' +fi + +eval 'func_basename () +{ + $debug_cmd + + '"$_b"' +}' + + +# func_dirname FILE APPEND NONDIR_REPLACEMENT +# ------------------------------------------- +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. +eval 'func_dirname () +{ + $debug_cmd + + '"$_d"' +}' + + +# func_dirname_and_basename FILE APPEND NONDIR_REPLACEMENT +# -------------------------------------------------------- +# Perform func_basename and func_dirname in a single function +# call: +# dirname: Compute the dirname of FILE. If nonempty, +# add APPEND to the result, otherwise set result +# to NONDIR_REPLACEMENT. +# value returned in "$func_dirname_result" +# basename: Compute filename of FILE. +# value retuned in "$func_basename_result" +# For efficiency, we do not delegate to the functions above but instead +# duplicate the functionality here. +eval 'func_dirname_and_basename () +{ + $debug_cmd + + '"$_b"' + '"$_d"' +}' + + +# func_echo ARG... +# ---------------- +# Echo program name prefixed message. +func_echo () +{ + $debug_cmd + + _G_message=$* + + func_echo_IFS=$IFS + IFS=$nl + for _G_line in $_G_message; do + IFS=$func_echo_IFS + $ECHO "$progname: $_G_line" + done + IFS=$func_echo_IFS +} + + +# func_echo_all ARG... +# -------------------- +# Invoke $ECHO with all args, space-separated. +func_echo_all () +{ + $ECHO "$*" +} + + +# func_echo_infix_1 INFIX ARG... +# ------------------------------ +# Echo program name, followed by INFIX on the first line, with any +# additional lines not showing INFIX. 
+func_echo_infix_1 () +{ + $debug_cmd + + $require_term_colors + + _G_infix=$1; shift + _G_indent=$_G_infix + _G_prefix="$progname: $_G_infix: " + _G_message=$* + + # Strip color escape sequences before counting printable length + for _G_tc in "$tc_reset" "$tc_bold" "$tc_standout" "$tc_red" "$tc_green" "$tc_blue" "$tc_cyan" + do + test -n "$_G_tc" && { + _G_esc_tc=`$ECHO "$_G_tc" | $SED "$sed_make_literal_regex"` + _G_indent=`$ECHO "$_G_indent" | $SED "s|$_G_esc_tc||g"` + } + done + _G_indent="$progname: "`echo "$_G_indent" | $SED 's|.| |g'`" " ## exclude from sc_prohibit_nested_quotes + + func_echo_infix_1_IFS=$IFS + IFS=$nl + for _G_line in $_G_message; do + IFS=$func_echo_infix_1_IFS + $ECHO "$_G_prefix$tc_bold$_G_line$tc_reset" >&2 + _G_prefix=$_G_indent + done + IFS=$func_echo_infix_1_IFS +} + + +# func_error ARG... +# ----------------- +# Echo program name prefixed message to standard error. +func_error () +{ + $debug_cmd + + $require_term_colors + + func_echo_infix_1 " $tc_standout${tc_red}error$tc_reset" "$*" >&2 +} + + +# func_fatal_error ARG... +# ----------------------- +# Echo program name prefixed message to standard error, and exit. +func_fatal_error () +{ + $debug_cmd + + func_error "$*" + exit $EXIT_FAILURE +} + + +# func_grep EXPRESSION FILENAME +# ----------------------------- +# Check whether EXPRESSION matches any line of FILENAME, without output. +func_grep () +{ + $debug_cmd + + $GREP "$1" "$2" >/dev/null 2>&1 +} + + +# func_len STRING +# --------------- +# Set func_len_result to the length of STRING. STRING may not +# start with a hyphen. 
+ test -z "$_G_HAVE_XSI_OPS" \ + && (eval 'x=a/b/c; + test 5aa/bb/cc = "${#x}${x%%/*}${x%/*}${x#*/}${x##*/}"') 2>/dev/null \ + && _G_HAVE_XSI_OPS=yes + +if test yes = "$_G_HAVE_XSI_OPS"; then + eval 'func_len () + { + $debug_cmd + + func_len_result=${#1} + }' +else + func_len () + { + $debug_cmd + + func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len` + } +fi + + +# func_mkdir_p DIRECTORY-PATH +# --------------------------- +# Make sure the entire path to DIRECTORY-PATH is available. +func_mkdir_p () +{ + $debug_cmd + + _G_directory_path=$1 + _G_dir_list= + + if test -n "$_G_directory_path" && test : != "$opt_dry_run"; then + + # Protect directory names starting with '-' + case $_G_directory_path in + -*) _G_directory_path=./$_G_directory_path ;; + esac + + # While some portion of DIR does not yet exist... + while test ! -d "$_G_directory_path"; do + # ...make a list in topmost first order. Use a colon delimited + # list incase some portion of path contains whitespace. + _G_dir_list=$_G_directory_path:$_G_dir_list + + # If the last portion added has no slash in it, the list is done + case $_G_directory_path in */*) ;; *) break ;; esac + + # ...otherwise throw away the child directory and loop + _G_directory_path=`$ECHO "$_G_directory_path" | $SED -e "$sed_dirname"` + done + _G_dir_list=`$ECHO "$_G_dir_list" | $SED 's|:*$||'` + + func_mkdir_p_IFS=$IFS; IFS=: + for _G_dir in $_G_dir_list; do + IFS=$func_mkdir_p_IFS + # mkdir can fail with a 'File exist' error if two processes + # try to create one of the directories concurrently. Don't + # stop in that case! + $MKDIR "$_G_dir" 2>/dev/null || : + done + IFS=$func_mkdir_p_IFS + + # Bail out if we (or some other process) failed to create a directory. 
+ test -d "$_G_directory_path" || \ + func_fatal_error "Failed to create '$1'" + fi +} + + +# func_mktempdir [BASENAME] +# ------------------------- +# Make a temporary directory that won't clash with other running +# libtool processes, and avoids race conditions if possible. If +# given, BASENAME is the basename for that directory. +func_mktempdir () +{ + $debug_cmd + + _G_template=${TMPDIR-/tmp}/${1-$progname} + + if test : = "$opt_dry_run"; then + # Return a directory name, but don't create it in dry-run mode + _G_tmpdir=$_G_template-$$ + else + + # If mktemp works, use that first and foremost + _G_tmpdir=`mktemp -d "$_G_template-XXXXXXXX" 2>/dev/null` + + if test ! -d "$_G_tmpdir"; then + # Failing that, at least try and use $RANDOM to avoid a race + _G_tmpdir=$_G_template-${RANDOM-0}$$ + + func_mktempdir_umask=`umask` + umask 0077 + $MKDIR "$_G_tmpdir" + umask $func_mktempdir_umask + fi + + # If we're not in dry-run mode, bomb out on failure + test -d "$_G_tmpdir" || \ + func_fatal_error "cannot create temporary directory '$_G_tmpdir'" + fi + + $ECHO "$_G_tmpdir" +} + + +# func_normal_abspath PATH +# ------------------------ +# Remove doubled-up and trailing slashes, "." path components, +# and cancel out any ".." path components in PATH after making +# it an absolute path. +func_normal_abspath () +{ + $debug_cmd + + # These SED scripts presuppose an absolute path with a trailing slash. + _G_pathcar='s|^/\([^/]*\).*$|\1|' + _G_pathcdr='s|^/[^/]*||' + _G_removedotparts=':dotsl + s|/\./|/|g + t dotsl + s|/\.$|/|' + _G_collapseslashes='s|/\{1,\}|/|g' + _G_finalslash='s|/*$|/|' + + # Start from root dir and reassemble the path. + func_normal_abspath_result= + func_normal_abspath_tpath=$1 + func_normal_abspath_altnamespace= + case $func_normal_abspath_tpath in + "") + # Empty path, that just means $cwd. 
+ func_stripname '' '/' "`pwd`" + func_normal_abspath_result=$func_stripname_result + return + ;; + # The next three entries are used to spot a run of precisely + # two leading slashes without using negated character classes; + # we take advantage of case's first-match behaviour. + ///*) + # Unusual form of absolute path, do nothing. + ;; + //*) + # Not necessarily an ordinary path; POSIX reserves leading '//' + # and for example Cygwin uses it to access remote file shares + # over CIFS/SMB, so we conserve a leading double slash if found. + func_normal_abspath_altnamespace=/ + ;; + /*) + # Absolute path, do nothing. + ;; + *) + # Relative path, prepend $cwd. + func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath + ;; + esac + + # Cancel out all the simple stuff to save iterations. We also want + # the path to end with a slash for ease of parsing, so make sure + # there is one (and only one) here. + func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$_G_removedotparts" -e "$_G_collapseslashes" -e "$_G_finalslash"` + while :; do + # Processed it all yet? + if test / = "$func_normal_abspath_tpath"; then + # If we ascended to the root using ".." the result may be empty now. + if test -z "$func_normal_abspath_result"; then + func_normal_abspath_result=/ + fi + break + fi + func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$_G_pathcar"` + func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$_G_pathcdr"` + # Figure out what to do with it + case $func_normal_abspath_tcomponent in + "") + # Trailing empty path component, ignore it. + ;; + ..) + # Parent dir; strip last assembled component from result. + func_dirname "$func_normal_abspath_result" + func_normal_abspath_result=$func_dirname_result + ;; + *) + # Actual path component, append it. 
+ func_append func_normal_abspath_result "/$func_normal_abspath_tcomponent" + ;; + esac + done + # Restore leading double-slash if one was found on entry. + func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result +} + + +# func_notquiet ARG... +# -------------------- +# Echo program name prefixed message only when not in quiet mode. +func_notquiet () +{ + $debug_cmd + + $opt_quiet || func_echo ${1+"$@"} + + # A bug in bash halts the script if the last line of a function + # fails when set -e is in force, so we need another command to + # work around that: + : +} + + +# func_relative_path SRCDIR DSTDIR +# -------------------------------- +# Set func_relative_path_result to the relative path from SRCDIR to DSTDIR. +func_relative_path () +{ + $debug_cmd + + func_relative_path_result= + func_normal_abspath "$1" + func_relative_path_tlibdir=$func_normal_abspath_result + func_normal_abspath "$2" + func_relative_path_tbindir=$func_normal_abspath_result + + # Ascend the tree starting from libdir + while :; do + # check if we have found a prefix of bindir + case $func_relative_path_tbindir in + $func_relative_path_tlibdir) + # found an exact match + func_relative_path_tcancelled= + break + ;; + $func_relative_path_tlibdir*) + # found a matching prefix + func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir" + func_relative_path_tcancelled=$func_stripname_result + if test -z "$func_relative_path_result"; then + func_relative_path_result=. + fi + break + ;; + *) + func_dirname $func_relative_path_tlibdir + func_relative_path_tlibdir=$func_dirname_result + if test -z "$func_relative_path_tlibdir"; then + # Have to descend all the way to the root! + func_relative_path_result=../$func_relative_path_result + func_relative_path_tcancelled=$func_relative_path_tbindir + break + fi + func_relative_path_result=../$func_relative_path_result + ;; + esac + done + + # Now calculate path; take care to avoid doubling-up slashes. 
+ func_stripname '' '/' "$func_relative_path_result" + func_relative_path_result=$func_stripname_result + func_stripname '/' '/' "$func_relative_path_tcancelled" + if test -n "$func_stripname_result"; then + func_append func_relative_path_result "/$func_stripname_result" + fi + + # Normalisation. If bindir is libdir, return '.' else relative path. + if test -n "$func_relative_path_result"; then + func_stripname './' '' "$func_relative_path_result" + func_relative_path_result=$func_stripname_result + fi + + test -n "$func_relative_path_result" || func_relative_path_result=. + + : +} + + +# func_quote_for_eval ARG... +# -------------------------- +# Aesthetically quote ARGs to be evaled later. +# This function returns two values: +# i) func_quote_for_eval_result +# double-quoted, suitable for a subsequent eval +# ii) func_quote_for_eval_unquoted_result +# has all characters that are still active within double +# quotes backslashified. +func_quote_for_eval () +{ + $debug_cmd + + func_quote_for_eval_unquoted_result= + func_quote_for_eval_result= + while test 0 -lt $#; do + case $1 in + *[\\\`\"\$]*) + _G_unquoted_arg=`printf '%s\n' "$1" |$SED "$sed_quote_subst"` ;; + *) + _G_unquoted_arg=$1 ;; + esac + if test -n "$func_quote_for_eval_unquoted_result"; then + func_append func_quote_for_eval_unquoted_result " $_G_unquoted_arg" + else + func_append func_quote_for_eval_unquoted_result "$_G_unquoted_arg" + fi + + case $_G_unquoted_arg in + # Double-quote args containing shell metacharacters to delay + # word splitting, command substitution and variable expansion + # for a subsequent eval. + # Many Bourne shells cannot handle close brackets correctly + # in scan sets, so we specify it separately. 
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") + _G_quoted_arg=\"$_G_unquoted_arg\" + ;; + *) + _G_quoted_arg=$_G_unquoted_arg + ;; + esac + + if test -n "$func_quote_for_eval_result"; then + func_append func_quote_for_eval_result " $_G_quoted_arg" + else + func_append func_quote_for_eval_result "$_G_quoted_arg" + fi + shift + done +} + + +# func_quote_for_expand ARG +# ------------------------- +# Aesthetically quote ARG to be evaled later; same as above, +# but do not quote variable references. +func_quote_for_expand () +{ + $debug_cmd + + case $1 in + *[\\\`\"]*) + _G_arg=`$ECHO "$1" | $SED \ + -e "$sed_double_quote_subst" -e "$sed_double_backslash"` ;; + *) + _G_arg=$1 ;; + esac + + case $_G_arg in + # Double-quote args containing shell metacharacters to delay + # word splitting and command substitution for a subsequent eval. + # Many Bourne shells cannot handle close brackets correctly + # in scan sets, so we specify it separately. + *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") + _G_arg=\"$_G_arg\" + ;; + esac + + func_quote_for_expand_result=$_G_arg +} + + +# func_stripname PREFIX SUFFIX NAME +# --------------------------------- +# strip PREFIX and SUFFIX from NAME, and store in func_stripname_result. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +if test yes = "$_G_HAVE_XSI_OPS"; then + eval 'func_stripname () + { + $debug_cmd + + # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are + # positional parameters, so assign one to ordinary variable first. 
+ func_stripname_result=$3 + func_stripname_result=${func_stripname_result#"$1"} + func_stripname_result=${func_stripname_result%"$2"} + }' +else + func_stripname () + { + $debug_cmd + + case $2 in + .*) func_stripname_result=`$ECHO "$3" | $SED -e "s%^$1%%" -e "s%\\\\$2\$%%"`;; + *) func_stripname_result=`$ECHO "$3" | $SED -e "s%^$1%%" -e "s%$2\$%%"`;; + esac + } +fi + + +# func_show_eval CMD [FAIL_EXP] +# ----------------------------- +# Unless opt_quiet is true, then output CMD. Then, if opt_dryrun is +# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP +# is given, then evaluate it. +func_show_eval () +{ + $debug_cmd + + _G_cmd=$1 + _G_fail_exp=${2-':'} + + func_quote_for_expand "$_G_cmd" + eval "func_notquiet $func_quote_for_expand_result" + + $opt_dry_run || { + eval "$_G_cmd" + _G_status=$? + if test 0 -ne "$_G_status"; then + eval "(exit $_G_status); $_G_fail_exp" + fi + } +} + + +# func_show_eval_locale CMD [FAIL_EXP] +# ------------------------------------ +# Unless opt_quiet is true, then output CMD. Then, if opt_dryrun is +# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP +# is given, then evaluate it. Use the saved locale for evaluation. +func_show_eval_locale () +{ + $debug_cmd + + _G_cmd=$1 + _G_fail_exp=${2-':'} + + $opt_quiet || { + func_quote_for_expand "$_G_cmd" + eval "func_echo $func_quote_for_expand_result" + } + + $opt_dry_run || { + eval "$_G_user_locale + $_G_cmd" + _G_status=$? + eval "$_G_safe_locale" + if test 0 -ne "$_G_status"; then + eval "(exit $_G_status); $_G_fail_exp" + fi + } +} + + +# func_tr_sh +# ---------- +# Turn $1 into a string suitable for a shell variable name. +# Result is stored in $func_tr_sh_result. All characters +# not in the set a-zA-Z0-9_ are replaced with '_'. Further, +# if $1 begins with a digit, a '_' is prepended as well. 
+func_tr_sh () +{ + $debug_cmd + + case $1 in + [0-9]* | *[!a-zA-Z0-9_]*) + func_tr_sh_result=`$ECHO "$1" | $SED -e 's/^\([0-9]\)/_\1/' -e 's/[^a-zA-Z0-9_]/_/g'` + ;; + * ) + func_tr_sh_result=$1 + ;; + esac +} + + +# func_verbose ARG... +# ------------------- +# Echo program name prefixed message in verbose mode only. +func_verbose () +{ + $debug_cmd + + $opt_verbose && func_echo "$*" + + : +} + + +# func_warn_and_continue ARG... +# ----------------------------- +# Echo program name prefixed warning message to standard error. +func_warn_and_continue () +{ + $debug_cmd + + $require_term_colors + + func_echo_infix_1 "${tc_red}warning$tc_reset" "$*" >&2 +} + + +# func_warning CATEGORY ARG... +# ---------------------------- +# Echo program name prefixed warning message to standard error. Warning +# messages can be filtered according to CATEGORY, where this function +# elides messages where CATEGORY is not listed in the global variable +# 'opt_warning_types'. +func_warning () +{ + $debug_cmd + + # CATEGORY must be in the warning_categories list! + case " $warning_categories " in + *" $1 "*) ;; + *) func_internal_error "invalid warning category '$1'" ;; + esac + + _G_category=$1 + shift + + case " $opt_warning_types " in + *" $_G_category "*) $warning_func ${1+"$@"} ;; + esac +} + + +# func_sort_ver VER1 VER2 +# ----------------------- +# 'sort -V' is not generally available. +# Note this deviates from the version comparison in automake +# in that it treats 1.5 < 1.5.0, and treats 1.4.4a < 1.4-p3a +# but this should suffice as we won't be specifying old +# version formats or redundant trailing .0 in bootstrap.conf. +# If we did want full compatibility then we should probably +# use m4_version_compare from autoconf. +func_sort_ver () +{ + $debug_cmd + + printf '%s\n%s\n' "$1" "$2" \ + | sort -t. 
-k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n -k 9,9n +} + +# func_lt_ver PREV CURR +# --------------------- +# Return true if PREV and CURR are in the correct order according to +# func_sort_ver, otherwise false. Use it like this: +# +# func_lt_ver "$prev_ver" "$proposed_ver" || func_fatal_error "..." +func_lt_ver () +{ + $debug_cmd + + test "x$1" = x`func_sort_ver "$1" "$2" | $SED 1q` +} + + +# Local variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-pattern: "10/scriptversion=%:y-%02m-%02d.%02H; # UTC" +# time-stamp-time-zone: "UTC" +# End: +#! /bin/sh + +# Set a version string for this script. +scriptversion=2014-01-07.03; # UTC + +# A portable, pluggable option parser for Bourne shell. +# Written by Gary V. Vaughan, 2010 + +# Copyright (C) 2010-2015 Free Software Foundation, Inc. +# This is free software; see the source for copying conditions. There is NO +# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Please report bugs or propose patches to gary@gnu.org. + + +## ------ ## +## Usage. ## +## ------ ## + +# This file is a library for parsing options in your shell scripts along +# with assorted other useful supporting features that you can make use +# of too. +# +# For the simplest scripts you might need only: +# +# #!/bin/sh +# . 
relative/path/to/funclib.sh +# . relative/path/to/options-parser +# scriptversion=1.0 +# func_options ${1+"$@"} +# eval set dummy "$func_options_result"; shift +# ...rest of your script... +# +# In order for the '--version' option to work, you will need to have a +# suitably formatted comment like the one at the top of this file +# starting with '# Written by ' and ending with '# warranty; '. +# +# For '-h' and '--help' to work, you will also need a one line +# description of your script's purpose in a comment directly above the +# '# Written by ' line, like the one at the top of this file. +# +# The default options also support '--debug', which will turn on shell +# execution tracing (see the comment above debug_cmd below for another +# use), and '--verbose' and the func_verbose function to allow your script +# to display verbose messages only when your user has specified +# '--verbose'. +# +# After sourcing this file, you can plug processing for additional +# options by amending the variables from the 'Configuration' section +# below, and following the instructions in the 'Option parsing' +# section further down. + +## -------------- ## +## Configuration. ## +## -------------- ## + +# You should override these variables in your script after sourcing this +# file so that they reflect the customisations you have added to the +# option parser. + +# The usage line for option parsing errors and the start of '-h' and +# '--help' output messages. You can embed shell variables for delayed +# expansion at the time the message is displayed, but you will need to +# quote other shell meta-characters carefully to prevent them being +# expanded when the contents are evaled. +usage='$progpath [OPTION]...' + +# Short help message in response to '-h' and '--help'. Add to this or +# override it after sourcing this library to reflect the full set of +# options your script accepts. 
+usage_message="\ + --debug enable verbose shell tracing + -W, --warnings=CATEGORY + report the warnings falling in CATEGORY [all] + -v, --verbose verbosely report processing + --version print version information and exit + -h, --help print short or long help message and exit +" + +# Additional text appended to 'usage_message' in response to '--help'. +long_help_message=" +Warning categories include: + 'all' show all warnings + 'none' turn off all the warnings + 'error' warnings are treated as fatal errors" + +# Help message printed before fatal option parsing errors. +fatal_help="Try '\$progname --help' for more information." + + + +## ------------------------- ## +## Hook function management. ## +## ------------------------- ## + +# This section contains functions for adding, removing, and running hooks +# to the main code. A hook is just a named list of of function, that can +# be run in order later on. + +# func_hookable FUNC_NAME +# ----------------------- +# Declare that FUNC_NAME will run hooks added with +# 'func_add_hook FUNC_NAME ...'. +func_hookable () +{ + $debug_cmd + + func_append hookable_fns " $1" +} + + +# func_add_hook FUNC_NAME HOOK_FUNC +# --------------------------------- +# Request that FUNC_NAME call HOOK_FUNC before it returns. FUNC_NAME must +# first have been declared "hookable" by a call to 'func_hookable'. +func_add_hook () +{ + $debug_cmd + + case " $hookable_fns " in + *" $1 "*) ;; + *) func_fatal_error "'$1' does not accept hook functions." ;; + esac + + eval func_append ${1}_hooks '" $2"' +} + + +# func_remove_hook FUNC_NAME HOOK_FUNC +# ------------------------------------ +# Remove HOOK_FUNC from the list of functions called by FUNC_NAME. +func_remove_hook () +{ + $debug_cmd + + eval ${1}_hooks='`$ECHO "\$'$1'_hooks" |$SED "s| '$2'||"`' +} + + +# func_run_hooks FUNC_NAME [ARG]... +# --------------------------------- +# Run all hook functions registered to FUNC_NAME. 
+# It is assumed that the list of hook functions contains nothing more +# than a whitespace-delimited list of legal shell function names, and +# no effort is wasted trying to catch shell meta-characters or preserve +# whitespace. +func_run_hooks () +{ + $debug_cmd + + case " $hookable_fns " in + *" $1 "*) ;; + *) func_fatal_error "'$1' does not support hook funcions.n" ;; + esac + + eval _G_hook_fns=\$$1_hooks; shift + + for _G_hook in $_G_hook_fns; do + eval $_G_hook '"$@"' + + # store returned options list back into positional + # parameters for next 'cmd' execution. + eval _G_hook_result=\$${_G_hook}_result + eval set dummy "$_G_hook_result"; shift + done + + func_quote_for_eval ${1+"$@"} + func_run_hooks_result=$func_quote_for_eval_result +} + + + +## --------------- ## +## Option parsing. ## +## --------------- ## + +# In order to add your own option parsing hooks, you must accept the +# full positional parameter list in your hook function, remove any +# options that you action, and then pass back the remaining unprocessed +# options in '_result', escaped suitably for +# 'eval'. Like this: +# +# my_options_prep () +# { +# $debug_cmd +# +# # Extend the existing usage message. +# usage_message=$usage_message' +# -s, --silent don'\''t print informational messages +# ' +# +# func_quote_for_eval ${1+"$@"} +# my_options_prep_result=$func_quote_for_eval_result +# } +# func_add_hook func_options_prep my_options_prep +# +# +# my_silent_option () +# { +# $debug_cmd +# +# # Note that for efficiency, we parse as many options as we can +# # recognise in a loop before passing the remainder back to the +# # caller on the first unrecognised argument we encounter. 
+# while test $# -gt 0; do +# opt=$1; shift +# case $opt in +# --silent|-s) opt_silent=: ;; +# # Separate non-argument short options: +# -s*) func_split_short_opt "$_G_opt" +# set dummy "$func_split_short_opt_name" \ +# "-$func_split_short_opt_arg" ${1+"$@"} +# shift +# ;; +# *) set dummy "$_G_opt" "$*"; shift; break ;; +# esac +# done +# +# func_quote_for_eval ${1+"$@"} +# my_silent_option_result=$func_quote_for_eval_result +# } +# func_add_hook func_parse_options my_silent_option +# +# +# my_option_validation () +# { +# $debug_cmd +# +# $opt_silent && $opt_verbose && func_fatal_help "\ +# '--silent' and '--verbose' options are mutually exclusive." +# +# func_quote_for_eval ${1+"$@"} +# my_option_validation_result=$func_quote_for_eval_result +# } +# func_add_hook func_validate_options my_option_validation +# +# You'll alse need to manually amend $usage_message to reflect the extra +# options you parse. It's preferable to append if you can, so that +# multiple option parsing hooks can be added safely. + + +# func_options [ARG]... +# --------------------- +# All the functions called inside func_options are hookable. See the +# individual implementations for details. +func_hookable func_options +func_options () +{ + $debug_cmd + + func_options_prep ${1+"$@"} + eval func_parse_options \ + ${func_options_prep_result+"$func_options_prep_result"} + eval func_validate_options \ + ${func_parse_options_result+"$func_parse_options_result"} + + eval func_run_hooks func_options \ + ${func_validate_options_result+"$func_validate_options_result"} + + # save modified positional parameters for caller + func_options_result=$func_run_hooks_result +} + + +# func_options_prep [ARG]... +# -------------------------- +# All initialisations required before starting the option parse loop. +# Note that when calling hook functions, we pass through the list of +# positional parameters. 
If a hook function modifies that list, and +# needs to propogate that back to rest of this script, then the complete +# modified list must be put in 'func_run_hooks_result' before +# returning. +func_hookable func_options_prep +func_options_prep () +{ + $debug_cmd + + # Option defaults: + opt_verbose=false + opt_warning_types= + + func_run_hooks func_options_prep ${1+"$@"} + + # save modified positional parameters for caller + func_options_prep_result=$func_run_hooks_result +} + + +# func_parse_options [ARG]... +# --------------------------- +# The main option parsing loop. +func_hookable func_parse_options +func_parse_options () +{ + $debug_cmd + + func_parse_options_result= + + # this just eases exit handling + while test $# -gt 0; do + # Defer to hook functions for initial option parsing, so they + # get priority in the event of reusing an option name. + func_run_hooks func_parse_options ${1+"$@"} + + # Adjust func_parse_options positional parameters to match + eval set dummy "$func_run_hooks_result"; shift + + # Break out of the loop if we already parsed every option. 
+ test $# -gt 0 || break + + _G_opt=$1 + shift + case $_G_opt in + --debug|-x) debug_cmd='set -x' + func_echo "enabling shell trace mode" + $debug_cmd + ;; + + --no-warnings|--no-warning|--no-warn) + set dummy --warnings none ${1+"$@"} + shift + ;; + + --warnings|--warning|-W) + test $# = 0 && func_missing_arg $_G_opt && break + case " $warning_categories $1" in + *" $1 "*) + # trailing space prevents matching last $1 above + func_append_uniq opt_warning_types " $1" + ;; + *all) + opt_warning_types=$warning_categories + ;; + *none) + opt_warning_types=none + warning_func=: + ;; + *error) + opt_warning_types=$warning_categories + warning_func=func_fatal_error + ;; + *) + func_fatal_error \ + "unsupported warning category: '$1'" + ;; + esac + shift + ;; + + --verbose|-v) opt_verbose=: ;; + --version) func_version ;; + -\?|-h) func_usage ;; + --help) func_help ;; + + # Separate optargs to long options (plugins may need this): + --*=*) func_split_equals "$_G_opt" + set dummy "$func_split_equals_lhs" \ + "$func_split_equals_rhs" ${1+"$@"} + shift + ;; + + # Separate optargs to short options: + -W*) + func_split_short_opt "$_G_opt" + set dummy "$func_split_short_opt_name" \ + "$func_split_short_opt_arg" ${1+"$@"} + shift + ;; + + # Separate non-argument short options: + -\?*|-h*|-v*|-x*) + func_split_short_opt "$_G_opt" + set dummy "$func_split_short_opt_name" \ + "-$func_split_short_opt_arg" ${1+"$@"} + shift + ;; + + --) break ;; + -*) func_fatal_help "unrecognised option: '$_G_opt'" ;; + *) set dummy "$_G_opt" ${1+"$@"}; shift; break ;; + esac + done + + # save modified positional parameters for caller + func_quote_for_eval ${1+"$@"} + func_parse_options_result=$func_quote_for_eval_result +} + + +# func_validate_options [ARG]... +# ------------------------------ +# Perform any sanity checks on option settings and/or unconsumed +# arguments. +func_hookable func_validate_options +func_validate_options () +{ + $debug_cmd + + # Display all warnings if -W was not given. 
+ test -n "$opt_warning_types" || opt_warning_types=" $warning_categories" + + func_run_hooks func_validate_options ${1+"$@"} + + # Bail if the options were screwed! + $exit_cmd $EXIT_FAILURE + + # save modified positional parameters for caller + func_validate_options_result=$func_run_hooks_result +} + + + +## ----------------- ## +## Helper functions. ## +## ----------------- ## + +# This section contains the helper functions used by the rest of the +# hookable option parser framework in ascii-betical order. + + +# func_fatal_help ARG... +# ---------------------- +# Echo program name prefixed message to standard error, followed by +# a help hint, and exit. +func_fatal_help () +{ + $debug_cmd + + eval \$ECHO \""Usage: $usage"\" + eval \$ECHO \""$fatal_help"\" + func_error ${1+"$@"} + exit $EXIT_FAILURE +} + + +# func_help +# --------- +# Echo long help message to standard output and exit. +func_help () +{ + $debug_cmd + + func_usage_message + $ECHO "$long_help_message" + exit 0 +} + + +# func_missing_arg ARGNAME +# ------------------------ +# Echo program name prefixed message to standard error and set global +# exit_cmd. +func_missing_arg () +{ + $debug_cmd + + func_error "Missing argument for '$1'." + exit_cmd=exit +} + + +# func_split_equals STRING +# ------------------------ +# Set func_split_equals_lhs and func_split_equals_rhs shell variables after +# splitting STRING at the '=' sign. +test -z "$_G_HAVE_XSI_OPS" \ + && (eval 'x=a/b/c; + test 5aa/bb/cc = "${#x}${x%%/*}${x%/*}${x#*/}${x##*/}"') 2>/dev/null \ + && _G_HAVE_XSI_OPS=yes + +if test yes = "$_G_HAVE_XSI_OPS" +then + # This is an XSI compatible shell, allowing a faster implementation... + eval 'func_split_equals () + { + $debug_cmd + + func_split_equals_lhs=${1%%=*} + func_split_equals_rhs=${1#*=} + test "x$func_split_equals_lhs" = "x$1" \ + && func_split_equals_rhs= + }' +else + # ...otherwise fall back to using expr, which is often a shell builtin. 
+ func_split_equals () + { + $debug_cmd + + func_split_equals_lhs=`expr "x$1" : 'x\([^=]*\)'` + func_split_equals_rhs= + test "x$func_split_equals_lhs" = "x$1" \ + || func_split_equals_rhs=`expr "x$1" : 'x[^=]*=\(.*\)$'` + } +fi #func_split_equals + + +# func_split_short_opt SHORTOPT +# ----------------------------- +# Set func_split_short_opt_name and func_split_short_opt_arg shell +# variables after splitting SHORTOPT after the 2nd character. +if test yes = "$_G_HAVE_XSI_OPS" +then + # This is an XSI compatible shell, allowing a faster implementation... + eval 'func_split_short_opt () + { + $debug_cmd + + func_split_short_opt_arg=${1#??} + func_split_short_opt_name=${1%"$func_split_short_opt_arg"} + }' +else + # ...otherwise fall back to using expr, which is often a shell builtin. + func_split_short_opt () + { + $debug_cmd + + func_split_short_opt_name=`expr "x$1" : 'x-\(.\)'` + func_split_short_opt_arg=`expr "x$1" : 'x-.\(.*\)$'` + } +fi #func_split_short_opt + + +# func_usage +# ---------- +# Echo short help message to standard output and exit. +func_usage () +{ + $debug_cmd + + func_usage_message + $ECHO "Run '$progname --help |${PAGER-more}' for full usage" + exit 0 +} + + +# func_usage_message +# ------------------ +# Echo short help message to standard output. +func_usage_message () +{ + $debug_cmd + + eval \$ECHO \""Usage: $usage"\" + echo + $SED -n 's|^# || + /^Written by/{ + x;p;x + } + h + /^Written by/q' < "$progpath" + echo + eval \$ECHO \""$usage_message"\" +} + + +# func_version +# ------------ +# Echo version message to standard output and exit. +func_version () +{ + $debug_cmd + + printf '%s\n' "$progname $scriptversion" + $SED -n ' + /(C)/!b go + :more + /\./!{ + N + s|\n# | | + b more + } + :go + /^# Written by /,/# warranty; / { + s|^# || + s|^# *$|| + s|\((C)\)[ 0-9,-]*[ ,-]\([1-9][0-9]* \)|\1 \2| + p + } + /^# Written by / { + s|^# || + p + } + /^warranty; /q' < "$progpath" + + exit $? 
+} + + +# Local variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-pattern: "10/scriptversion=%:y-%02m-%02d.%02H; # UTC" +# time-stamp-time-zone: "UTC" +# End: + +# Set a version string. +scriptversion='(GNU libtool) 2.4.6' + + +# func_echo ARG... +# ---------------- +# Libtool also displays the current mode in messages, so override +# funclib.sh func_echo with this custom definition. +func_echo () +{ + $debug_cmd + + _G_message=$* + + func_echo_IFS=$IFS + IFS=$nl + for _G_line in $_G_message; do + IFS=$func_echo_IFS + $ECHO "$progname${opt_mode+: $opt_mode}: $_G_line" + done + IFS=$func_echo_IFS +} + + +# func_warning ARG... +# ------------------- +# Libtool warnings are not categorized, so override funclib.sh +# func_warning with this simpler definition. +func_warning () +{ + $debug_cmd + + $warning_func ${1+"$@"} +} + + +## ---------------- ## +## Options parsing. ## +## ---------------- ## + +# Hook in the functions to make sure our own options are parsed during +# the option parsing loop. + +usage='$progpath [OPTION]... [MODE-ARG]...' + +# Short help message in response to '-h'. +usage_message="Options: + --config show all configuration variables + --debug enable verbose shell tracing + -n, --dry-run display commands without modifying any files + --features display basic configuration information and exit + --mode=MODE use operation mode MODE + --no-warnings equivalent to '-Wnone' + --preserve-dup-deps don't remove duplicate dependency libraries + --quiet, --silent don't print informational messages + --tag=TAG use configuration variables from tag TAG + -v, --verbose print more informational messages than default + --version print version information + -W, --warnings=CATEGORY report the warnings falling in CATEGORY [all] + -h, --help, --help-all print short, long, or detailed help message +" + +# Additional text appended to 'usage_message' in response to '--help'. 
+func_help () +{ + $debug_cmd + + func_usage_message + $ECHO "$long_help_message + +MODE must be one of the following: + + clean remove files from the build directory + compile compile a source file into a libtool object + execute automatically set library path, then run a program + finish complete the installation of libtool libraries + install install libraries or executables + link create a library or an executable + uninstall remove libraries from an installed directory + +MODE-ARGS vary depending on the MODE. When passed as first option, +'--mode=MODE' may be abbreviated as 'MODE' or a unique abbreviation of that. +Try '$progname --help --mode=MODE' for a more detailed description of MODE. + +When reporting a bug, please describe a test case to reproduce it and +include the following information: + + host-triplet: $host + shell: $SHELL + compiler: $LTCC + compiler flags: $LTCFLAGS + linker: $LD (gnu? $with_gnu_ld) + version: $progname (GNU libtool) 2.4.6 + automake: `($AUTOMAKE --version) 2>/dev/null |$SED 1q` + autoconf: `($AUTOCONF --version) 2>/dev/null |$SED 1q` + +Report bugs to . +GNU libtool home page: . +General help using GNU software: ." + exit 0 +} + + +# func_lo2o OBJECT-NAME +# --------------------- +# Transform OBJECT-NAME from a '.lo' suffix to the platform specific +# object suffix. + +lo2o=s/\\.lo\$/.$objext/ +o2lo=s/\\.$objext\$/.lo/ + +if test yes = "$_G_HAVE_XSI_OPS"; then + eval 'func_lo2o () + { + case $1 in + *.lo) func_lo2o_result=${1%.lo}.$objext ;; + * ) func_lo2o_result=$1 ;; + esac + }' + + # func_xform LIBOBJ-OR-SOURCE + # --------------------------- + # Transform LIBOBJ-OR-SOURCE from a '.o' or '.c' (or otherwise) + # suffix to a '.lo' libtool-object suffix. + eval 'func_xform () + { + func_xform_result=${1%.*}.lo + }' +else + # ...otherwise fall back to using sed. 
+ func_lo2o () + { + func_lo2o_result=`$ECHO "$1" | $SED "$lo2o"` + } + + func_xform () + { + func_xform_result=`$ECHO "$1" | $SED 's|\.[^.]*$|.lo|'` + } +fi + + +# func_fatal_configuration ARG... +# ------------------------------- +# Echo program name prefixed message to standard error, followed by +# a configuration failure hint, and exit. +func_fatal_configuration () +{ + func__fatal_error ${1+"$@"} \ + "See the $PACKAGE documentation for more information." \ + "Fatal configuration error." +} + + +# func_config +# ----------- +# Display the configuration for all the tags in this script. +func_config () +{ + re_begincf='^# ### BEGIN LIBTOOL' + re_endcf='^# ### END LIBTOOL' + + # Default configuration. + $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath" + + # Now print the configurations for the tags. + for tagname in $taglist; do + $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath" + done + + exit $? +} + + +# func_features +# ------------- +# Display the features supported by this script. +func_features () +{ + echo "host: $host" + if test yes = "$build_libtool_libs"; then + echo "enable shared libraries" + else + echo "disable shared libraries" + fi + if test yes = "$build_old_libs"; then + echo "enable static libraries" + else + echo "disable static libraries" + fi + + exit $? +} + + +# func_enable_tag TAGNAME +# ----------------------- +# Verify that TAGNAME is valid, and either flag an error and exit, or +# enable the TAGNAME tag. We also add TAGNAME to the global $taglist +# variable here. +func_enable_tag () +{ + # Global variable: + tagname=$1 + + re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$" + re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$" + sed_extractcf=/$re_begincf/,/$re_endcf/p + + # Validate tagname. 
+ case $tagname in + *[!-_A-Za-z0-9,/]*) + func_fatal_error "invalid tag name: $tagname" + ;; + esac + + # Don't test for the "default" C tag, as we know it's + # there but not specially marked. + case $tagname in + CC) ;; + *) + if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then + taglist="$taglist $tagname" + + # Evaluate the configuration. Be careful to quote the path + # and the sed script, to avoid splitting on whitespace, but + # also don't use non-portable quotes within backquotes within + # quotes we have to do it in 2 steps: + extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"` + eval "$extractedcf" + else + func_error "ignoring unknown tag $tagname" + fi + ;; + esac +} + + +# func_check_version_match +# ------------------------ +# Ensure that we are using m4 macros, and libtool script from the same +# release of libtool. +func_check_version_match () +{ + if test "$package_revision" != "$macro_revision"; then + if test "$VERSION" != "$macro_version"; then + if test -z "$macro_version"; then + cat >&2 <<_LT_EOF +$progname: Version mismatch error. This is $PACKAGE $VERSION, but the +$progname: definition of this LT_INIT comes from an older release. +$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION +$progname: and run autoconf again. +_LT_EOF + else + cat >&2 <<_LT_EOF +$progname: Version mismatch error. This is $PACKAGE $VERSION, but the +$progname: definition of this LT_INIT comes from $PACKAGE $macro_version. +$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION +$progname: and run autoconf again. +_LT_EOF + fi + else + cat >&2 <<_LT_EOF +$progname: Version mismatch error. This is $PACKAGE $VERSION, revision $package_revision, +$progname: but the definition of this LT_INIT comes from revision $macro_revision. +$progname: You should recreate aclocal.m4 with macros from revision $package_revision +$progname: of $PACKAGE $VERSION and run autoconf again. 
+_LT_EOF + fi + + exit $EXIT_MISMATCH + fi +} + + +# libtool_options_prep [ARG]... +# ----------------------------- +# Preparation for options parsed by libtool. +libtool_options_prep () +{ + $debug_mode + + # Option defaults: + opt_config=false + opt_dlopen= + opt_dry_run=false + opt_help=false + opt_mode= + opt_preserve_dup_deps=false + opt_quiet=false + + nonopt= + preserve_args= + + # Shorthand for --mode=foo, only valid as the first argument + case $1 in + clean|clea|cle|cl) + shift; set dummy --mode clean ${1+"$@"}; shift + ;; + compile|compil|compi|comp|com|co|c) + shift; set dummy --mode compile ${1+"$@"}; shift + ;; + execute|execut|execu|exec|exe|ex|e) + shift; set dummy --mode execute ${1+"$@"}; shift + ;; + finish|finis|fini|fin|fi|f) + shift; set dummy --mode finish ${1+"$@"}; shift + ;; + install|instal|insta|inst|ins|in|i) + shift; set dummy --mode install ${1+"$@"}; shift + ;; + link|lin|li|l) + shift; set dummy --mode link ${1+"$@"}; shift + ;; + uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u) + shift; set dummy --mode uninstall ${1+"$@"}; shift + ;; + esac + + # Pass back the list of options. + func_quote_for_eval ${1+"$@"} + libtool_options_prep_result=$func_quote_for_eval_result +} +func_add_hook func_options_prep libtool_options_prep + + +# libtool_parse_options [ARG]... +# --------------------------------- +# Provide handling for libtool specific options. +libtool_parse_options () +{ + $debug_cmd + + # Perform our own loop to consume as many options as possible in + # each iteration. 
+ while test $# -gt 0; do + _G_opt=$1 + shift + case $_G_opt in + --dry-run|--dryrun|-n) + opt_dry_run=: + ;; + + --config) func_config ;; + + --dlopen|-dlopen) + opt_dlopen="${opt_dlopen+$opt_dlopen +}$1" + shift + ;; + + --preserve-dup-deps) + opt_preserve_dup_deps=: ;; + + --features) func_features ;; + + --finish) set dummy --mode finish ${1+"$@"}; shift ;; + + --help) opt_help=: ;; + + --help-all) opt_help=': help-all' ;; + + --mode) test $# = 0 && func_missing_arg $_G_opt && break + opt_mode=$1 + case $1 in + # Valid mode arguments: + clean|compile|execute|finish|install|link|relink|uninstall) ;; + + # Catch anything else as an error + *) func_error "invalid argument for $_G_opt" + exit_cmd=exit + break + ;; + esac + shift + ;; + + --no-silent|--no-quiet) + opt_quiet=false + func_append preserve_args " $_G_opt" + ;; + + --no-warnings|--no-warning|--no-warn) + opt_warning=false + func_append preserve_args " $_G_opt" + ;; + + --no-verbose) + opt_verbose=false + func_append preserve_args " $_G_opt" + ;; + + --silent|--quiet) + opt_quiet=: + opt_verbose=false + func_append preserve_args " $_G_opt" + ;; + + --tag) test $# = 0 && func_missing_arg $_G_opt && break + opt_tag=$1 + func_append preserve_args " $_G_opt $1" + func_enable_tag "$1" + shift + ;; + + --verbose|-v) opt_quiet=false + opt_verbose=: + func_append preserve_args " $_G_opt" + ;; + + # An option not handled by this hook function: + *) set dummy "$_G_opt" ${1+"$@"}; shift; break ;; + esac + done + + + # save modified positional parameters for caller + func_quote_for_eval ${1+"$@"} + libtool_parse_options_result=$func_quote_for_eval_result +} +func_add_hook func_parse_options libtool_parse_options + + + +# libtool_validate_options [ARG]... +# --------------------------------- +# Perform any sanity checks on option settings and/or unconsumed +# arguments. 
+libtool_validate_options () +{ + # save first non-option argument + if test 0 -lt $#; then + nonopt=$1 + shift + fi + + # preserve --debug + test : = "$debug_cmd" || func_append preserve_args " --debug" + + case $host in + # Solaris2 added to fix http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16452 + # see also: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59788 + *cygwin* | *mingw* | *pw32* | *cegcc* | *solaris2* | *os2*) + # don't eliminate duplications in $postdeps and $predeps + opt_duplicate_compiler_generated_deps=: + ;; + *) + opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps + ;; + esac + + $opt_help || { + # Sanity checks first: + func_check_version_match + + test yes != "$build_libtool_libs" \ + && test yes != "$build_old_libs" \ + && func_fatal_configuration "not configured to build any kind of library" + + # Darwin sucks + eval std_shrext=\"$shrext_cmds\" + + # Only execute mode is allowed to have -dlopen flags. + if test -n "$opt_dlopen" && test execute != "$opt_mode"; then + func_error "unrecognized option '-dlopen'" + $ECHO "$help" 1>&2 + exit $EXIT_FAILURE + fi + + # Change the help message to a mode-specific one. + generic_help=$help + help="Try '$progname --help --mode=$opt_mode' for more information." + } + + # Pass back the unparsed argument list + func_quote_for_eval ${1+"$@"} + libtool_validate_options_result=$func_quote_for_eval_result +} +func_add_hook func_validate_options libtool_validate_options + + +# Process options as early as possible so that --help and --version +# can return quickly. +func_options ${1+"$@"} +eval set dummy "$func_options_result"; shift + + + +## ----------- ## +## Main. ## +## ----------- ## + +magic='%%%MAGIC variable%%%' +magic_exe='%%%MAGIC EXE variable%%%' + +# Global variables. +extracted_archives= +extracted_serial=0 + +# If this variable is set in any of the actions, the command in it +# will be execed at the end. This prevents here-documents from being +# left over by shells. 
+exec_cmd= + + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +$1 +_LTECHO_EOF' +} + +# func_generated_by_libtool +# True iff stdin has been generated by Libtool. This function is only +# a basic sanity check; it will hardly flush out determined imposters. +func_generated_by_libtool_p () +{ + $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1 +} + +# func_lalib_p file +# True iff FILE is a libtool '.la' library or '.lo' object file. +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. +func_lalib_p () +{ + test -f "$1" && + $SED -e 4q "$1" 2>/dev/null | func_generated_by_libtool_p +} + +# func_lalib_unsafe_p file +# True iff FILE is a libtool '.la' library or '.lo' object file. +# This function implements the same check as func_lalib_p without +# resorting to external programs. To this end, it redirects stdin and +# closes it afterwards, without saving the original file descriptor. +# As a safety measure, use it only where a negative result would be +# fatal anyway. Works if 'file' does not exist. +func_lalib_unsafe_p () +{ + lalib_p=no + if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then + for lalib_p_l in 1 2 3 4 + do + read lalib_p_line + case $lalib_p_line in + \#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;; + esac + done + exec 0<&5 5<&- + fi + test yes = "$lalib_p" +} + +# func_ltwrapper_script_p file +# True iff FILE is a libtool wrapper script +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. +func_ltwrapper_script_p () +{ + test -f "$1" && + $lt_truncate_bin < "$1" 2>/dev/null | func_generated_by_libtool_p +} + +# func_ltwrapper_executable_p file +# True iff FILE is a libtool wrapper executable +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. 
+func_ltwrapper_executable_p () +{ + func_ltwrapper_exec_suffix= + case $1 in + *.exe) ;; + *) func_ltwrapper_exec_suffix=.exe ;; + esac + $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1 +} + +# func_ltwrapper_scriptname file +# Assumes file is an ltwrapper_executable +# uses $file to determine the appropriate filename for a +# temporary ltwrapper_script. +func_ltwrapper_scriptname () +{ + func_dirname_and_basename "$1" "" "." + func_stripname '' '.exe' "$func_basename_result" + func_ltwrapper_scriptname_result=$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper +} + +# func_ltwrapper_p file +# True iff FILE is a libtool wrapper script or wrapper executable +# This function is only a basic sanity check; it will hardly flush out +# determined imposters. +func_ltwrapper_p () +{ + func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1" +} + + +# func_execute_cmds commands fail_cmd +# Execute tilde-delimited COMMANDS. +# If FAIL_CMD is given, eval that upon failure. +# FAIL_CMD may read-access the current command in variable CMD! +func_execute_cmds () +{ + $debug_cmd + + save_ifs=$IFS; IFS='~' + for cmd in $1; do + IFS=$sp$nl + eval cmd=\"$cmd\" + IFS=$save_ifs + func_show_eval "$cmd" "${2-:}" + done + IFS=$save_ifs +} + + +# func_source file +# Source FILE, adding directory component if necessary. +# Note that it is not necessary on cygwin/mingw to append a dot to +# FILE even if both FILE and FILE.exe exist: automatic-append-.exe +# behavior happens only for exec(3), not for open(2)! Also, sourcing +# 'FILE.' does not work on cygwin managed mounts. +func_source () +{ + $debug_cmd + + case $1 in + */* | *\\*) . "$1" ;; + *) . "./$1" ;; + esac +} + + +# func_resolve_sysroot PATH +# Replace a leading = in PATH with a sysroot. 
Store the result into +# func_resolve_sysroot_result +func_resolve_sysroot () +{ + func_resolve_sysroot_result=$1 + case $func_resolve_sysroot_result in + =*) + func_stripname '=' '' "$func_resolve_sysroot_result" + func_resolve_sysroot_result=$lt_sysroot$func_stripname_result + ;; + esac +} + +# func_replace_sysroot PATH +# If PATH begins with the sysroot, replace it with = and +# store the result into func_replace_sysroot_result. +func_replace_sysroot () +{ + case $lt_sysroot:$1 in + ?*:"$lt_sysroot"*) + func_stripname "$lt_sysroot" '' "$1" + func_replace_sysroot_result='='$func_stripname_result + ;; + *) + # Including no sysroot. + func_replace_sysroot_result=$1 + ;; + esac +} + +# func_infer_tag arg +# Infer tagged configuration to use if any are available and +# if one wasn't chosen via the "--tag" command line option. +# Only attempt this if the compiler in the base compile +# command doesn't match the default compiler. +# arg is usually of the form 'gcc ...' +func_infer_tag () +{ + $debug_cmd + + if test -n "$available_tags" && test -z "$tagname"; then + CC_quoted= + for arg in $CC; do + func_append_quoted CC_quoted "$arg" + done + CC_expanded=`func_echo_all $CC` + CC_quoted_expanded=`func_echo_all $CC_quoted` + case $@ in + # Blanks in the command may have been stripped by the calling shell, + # but not from the CC environment variable when configure was run. + " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ + " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;; + # Blanks at the start of $base_compile will cause this to fail + # if we don't check for them as well. + *) + for z in $available_tags; do + if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then + # Evaluate the configuration. 
+ eval "`$SED -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`" + CC_quoted= + for arg in $CC; do + # Double-quote args containing other shell metacharacters. + func_append_quoted CC_quoted "$arg" + done + CC_expanded=`func_echo_all $CC` + CC_quoted_expanded=`func_echo_all $CC_quoted` + case "$@ " in + " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ + " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) + # The compiler in the base compile command matches + # the one in the tagged configuration. + # Assume this is the tagged configuration we want. + tagname=$z + break + ;; + esac + fi + done + # If $tagname still isn't set, then no tagged configuration + # was found and let the user know that the "--tag" command + # line option must be used. + if test -z "$tagname"; then + func_echo "unable to infer tagged configuration" + func_fatal_error "specify a tag with '--tag'" +# else +# func_verbose "using $tagname tagged configuration" + fi + ;; + esac + fi +} + + + +# func_write_libtool_object output_name pic_name nonpic_name +# Create a libtool object file (analogous to a ".la" file), +# but don't create it if we're doing a dry run. +func_write_libtool_object () +{ + write_libobj=$1 + if test yes = "$build_libtool_libs"; then + write_lobj=\'$2\' + else + write_lobj=none + fi + + if test yes = "$build_old_libs"; then + write_oldobj=\'$3\' + else + write_oldobj=none + fi + + $opt_dry_run || { + cat >${write_libobj}T </dev/null` + if test "$?" 
-eq 0 && test -n "$func_convert_core_file_wine_to_w32_tmp"; then + func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" | + $SED -e "$sed_naive_backslashify"` + else + func_convert_core_file_wine_to_w32_result= + fi + fi +} +# end: func_convert_core_file_wine_to_w32 + + +# func_convert_core_path_wine_to_w32 ARG +# Helper function used by path conversion functions when $build is *nix, and +# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly +# configured wine environment available, with the winepath program in $build's +# $PATH. Assumes ARG has no leading or trailing path separator characters. +# +# ARG is path to be converted from $build format to win32. +# Result is available in $func_convert_core_path_wine_to_w32_result. +# Unconvertible file (directory) names in ARG are skipped; if no directory names +# are convertible, then the result may be empty. +func_convert_core_path_wine_to_w32 () +{ + $debug_cmd + + # unfortunately, winepath doesn't convert paths, only file names + func_convert_core_path_wine_to_w32_result= + if test -n "$1"; then + oldIFS=$IFS + IFS=: + for func_convert_core_path_wine_to_w32_f in $1; do + IFS=$oldIFS + func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f" + if test -n "$func_convert_core_file_wine_to_w32_result"; then + if test -z "$func_convert_core_path_wine_to_w32_result"; then + func_convert_core_path_wine_to_w32_result=$func_convert_core_file_wine_to_w32_result + else + func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result" + fi + fi + done + IFS=$oldIFS + fi +} +# end: func_convert_core_path_wine_to_w32 + + +# func_cygpath ARGS... +# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when +# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2) +# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. 
In case (1) or +# (2), returns the Cygwin file name or path in func_cygpath_result (input +# file name or path is assumed to be in w32 format, as previously converted +# from $build's *nix or MSYS format). In case (3), returns the w32 file name +# or path in func_cygpath_result (input file name or path is assumed to be in +# Cygwin format). Returns an empty string on error. +# +# ARGS are passed to cygpath, with the last one being the file name or path to +# be converted. +# +# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH +# environment variable; do not put it in $PATH. +func_cygpath () +{ + $debug_cmd + + if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then + func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null` + if test "$?" -ne 0; then + # on failure, ensure result is empty + func_cygpath_result= + fi + else + func_cygpath_result= + func_error "LT_CYGPATH is empty or specifies non-existent file: '$LT_CYGPATH'" + fi +} +#end: func_cygpath + + +# func_convert_core_msys_to_w32 ARG +# Convert file name or path ARG from MSYS format to w32 format. Return +# result in func_convert_core_msys_to_w32_result. +func_convert_core_msys_to_w32 () +{ + $debug_cmd + + # awkward: cmd appends spaces to result + func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null | + $SED -e 's/[ ]*$//' -e "$sed_naive_backslashify"` +} +#end: func_convert_core_msys_to_w32 + + +# func_convert_file_check ARG1 ARG2 +# Verify that ARG1 (a file name in $build format) was converted to $host +# format in ARG2. Otherwise, emit an error message, but continue (resetting +# func_to_host_file_result to ARG1). +func_convert_file_check () +{ + $debug_cmd + + if test -z "$2" && test -n "$1"; then + func_error "Could not determine host file name corresponding to" + func_error " '$1'" + func_error "Continuing, but uninstalled executables may not work." 
+ # Fallback: + func_to_host_file_result=$1 + fi +} +# end func_convert_file_check + + +# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH +# Verify that FROM_PATH (a path in $build format) was converted to $host +# format in TO_PATH. Otherwise, emit an error message, but continue, resetting +# func_to_host_file_result to a simplistic fallback value (see below). +func_convert_path_check () +{ + $debug_cmd + + if test -z "$4" && test -n "$3"; then + func_error "Could not determine the host path corresponding to" + func_error " '$3'" + func_error "Continuing, but uninstalled executables may not work." + # Fallback. This is a deliberately simplistic "conversion" and + # should not be "improved". See libtool.info. + if test "x$1" != "x$2"; then + lt_replace_pathsep_chars="s|$1|$2|g" + func_to_host_path_result=`echo "$3" | + $SED -e "$lt_replace_pathsep_chars"` + else + func_to_host_path_result=$3 + fi + fi +} +# end func_convert_path_check + + +# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG +# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT +# and appending REPL if ORIG matches BACKPAT. +func_convert_path_front_back_pathsep () +{ + $debug_cmd + + case $4 in + $1 ) func_to_host_path_result=$3$func_to_host_path_result + ;; + esac + case $4 in + $2 ) func_append func_to_host_path_result "$3" + ;; + esac +} +# end func_convert_path_front_back_pathsep + + +################################################## +# $build to $host FILE NAME CONVERSION FUNCTIONS # +################################################## +# invoked via '$to_host_file_cmd ARG' +# +# In each case, ARG is the path to be converted from $build to $host format. +# Result will be available in $func_to_host_file_result. + + +# func_to_host_file ARG +# Converts the file name ARG from $build format to $host format. Return result +# in func_to_host_file_result. 
+func_to_host_file () +{ + $debug_cmd + + $to_host_file_cmd "$1" +} +# end func_to_host_file + + +# func_to_tool_file ARG LAZY +# converts the file name ARG from $build format to toolchain format. Return +# result in func_to_tool_file_result. If the conversion in use is listed +# in (the comma separated) LAZY, no conversion takes place. +func_to_tool_file () +{ + $debug_cmd + + case ,$2, in + *,"$to_tool_file_cmd",*) + func_to_tool_file_result=$1 + ;; + *) + $to_tool_file_cmd "$1" + func_to_tool_file_result=$func_to_host_file_result + ;; + esac +} +# end func_to_tool_file + + +# func_convert_file_noop ARG +# Copy ARG to func_to_host_file_result. +func_convert_file_noop () +{ + func_to_host_file_result=$1 +} +# end func_convert_file_noop + + +# func_convert_file_msys_to_w32 ARG +# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic +# conversion to w32 is not available inside the cwrapper. Returns result in +# func_to_host_file_result. +func_convert_file_msys_to_w32 () +{ + $debug_cmd + + func_to_host_file_result=$1 + if test -n "$1"; then + func_convert_core_msys_to_w32 "$1" + func_to_host_file_result=$func_convert_core_msys_to_w32_result + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_msys_to_w32 + + +# func_convert_file_cygwin_to_w32 ARG +# Convert file name ARG from Cygwin to w32 format. Returns result in +# func_to_host_file_result. +func_convert_file_cygwin_to_w32 () +{ + $debug_cmd + + func_to_host_file_result=$1 + if test -n "$1"; then + # because $build is cygwin, we call "the" cygpath in $PATH; no need to use + # LT_CYGPATH in this case. + func_to_host_file_result=`cygpath -m "$1"` + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_cygwin_to_w32 + + +# func_convert_file_nix_to_w32 ARG +# Convert file name ARG from *nix to w32 format. Requires a wine environment +# and a working winepath. Returns result in func_to_host_file_result. 
+func_convert_file_nix_to_w32 () +{ + $debug_cmd + + func_to_host_file_result=$1 + if test -n "$1"; then + func_convert_core_file_wine_to_w32 "$1" + func_to_host_file_result=$func_convert_core_file_wine_to_w32_result + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_nix_to_w32 + + +# func_convert_file_msys_to_cygwin ARG +# Convert file name ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. +# Returns result in func_to_host_file_result. +func_convert_file_msys_to_cygwin () +{ + $debug_cmd + + func_to_host_file_result=$1 + if test -n "$1"; then + func_convert_core_msys_to_w32 "$1" + func_cygpath -u "$func_convert_core_msys_to_w32_result" + func_to_host_file_result=$func_cygpath_result + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_msys_to_cygwin + + +# func_convert_file_nix_to_cygwin ARG +# Convert file name ARG from *nix to Cygwin format. Requires Cygwin installed +# in a wine environment, working winepath, and LT_CYGPATH set. Returns result +# in func_to_host_file_result. +func_convert_file_nix_to_cygwin () +{ + $debug_cmd + + func_to_host_file_result=$1 + if test -n "$1"; then + # convert from *nix to w32, then use cygpath to convert from w32 to cygwin. + func_convert_core_file_wine_to_w32 "$1" + func_cygpath -u "$func_convert_core_file_wine_to_w32_result" + func_to_host_file_result=$func_cygpath_result + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_nix_to_cygwin + + +############################################# +# $build to $host PATH CONVERSION FUNCTIONS # +############################################# +# invoked via '$to_host_path_cmd ARG' +# +# In each case, ARG is the path to be converted from $build to $host format. +# The result will be available in $func_to_host_path_result. +# +# Path separators are also converted from $build format to $host format. 
If +# ARG begins or ends with a path separator character, it is preserved (but +# converted to $host format) on output. +# +# All path conversion functions are named using the following convention: +# file name conversion function : func_convert_file_X_to_Y () +# path conversion function : func_convert_path_X_to_Y () +# where, for any given $build/$host combination the 'X_to_Y' value is the +# same. If conversion functions are added for new $build/$host combinations, +# the two new functions must follow this pattern, or func_init_to_host_path_cmd +# will break. + + +# func_init_to_host_path_cmd +# Ensures that function "pointer" variable $to_host_path_cmd is set to the +# appropriate value, based on the value of $to_host_file_cmd. +to_host_path_cmd= +func_init_to_host_path_cmd () +{ + $debug_cmd + + if test -z "$to_host_path_cmd"; then + func_stripname 'func_convert_file_' '' "$to_host_file_cmd" + to_host_path_cmd=func_convert_path_$func_stripname_result + fi +} + + +# func_to_host_path ARG +# Converts the path ARG from $build format to $host format. Return result +# in func_to_host_path_result. +func_to_host_path () +{ + $debug_cmd + + func_init_to_host_path_cmd + $to_host_path_cmd "$1" +} +# end func_to_host_path + + +# func_convert_path_noop ARG +# Copy ARG to func_to_host_path_result. +func_convert_path_noop () +{ + func_to_host_path_result=$1 +} +# end func_convert_path_noop + + +# func_convert_path_msys_to_w32 ARG +# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic +# conversion to w32 is not available inside the cwrapper. Returns result in +# func_to_host_path_result. +func_convert_path_msys_to_w32 () +{ + $debug_cmd + + func_to_host_path_result=$1 + if test -n "$1"; then + # Remove leading and trailing path separator characters from ARG. MSYS + # behavior is inconsistent here; cygpath turns them into '.;' and ';.'; + # and winepath ignores them completely. 
+ func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" + func_to_host_path_result=$func_convert_core_msys_to_w32_result + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_msys_to_w32 + + +# func_convert_path_cygwin_to_w32 ARG +# Convert path ARG from Cygwin to w32 format. Returns result in +# func_to_host_file_result. +func_convert_path_cygwin_to_w32 () +{ + $debug_cmd + + func_to_host_path_result=$1 + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"` + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_cygwin_to_w32 + + +# func_convert_path_nix_to_w32 ARG +# Convert path ARG from *nix to w32 format. Requires a wine environment and +# a working winepath. Returns result in func_to_host_file_result. +func_convert_path_nix_to_w32 () +{ + $debug_cmd + + func_to_host_path_result=$1 + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" + func_to_host_path_result=$func_convert_core_path_wine_to_w32_result + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_nix_to_w32 + + +# func_convert_path_msys_to_cygwin ARG +# Convert path ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. +# Returns result in func_to_host_file_result. 
+func_convert_path_msys_to_cygwin () +{ + $debug_cmd + + func_to_host_path_result=$1 + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" + func_cygpath -u -p "$func_convert_core_msys_to_w32_result" + func_to_host_path_result=$func_cygpath_result + func_convert_path_check : : \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" : "$1" + fi +} +# end func_convert_path_msys_to_cygwin + + +# func_convert_path_nix_to_cygwin ARG +# Convert path ARG from *nix to Cygwin format. Requires Cygwin installed in a +# a wine environment, working winepath, and LT_CYGPATH set. Returns result in +# func_to_host_file_result. +func_convert_path_nix_to_cygwin () +{ + $debug_cmd + + func_to_host_path_result=$1 + if test -n "$1"; then + # Remove leading and trailing path separator characters from + # ARG. msys behavior is inconsistent here, cygpath turns them + # into '.;' and ';.', and winepath ignores them completely. + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" + func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result" + func_to_host_path_result=$func_cygpath_result + func_convert_path_check : : \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" : "$1" + fi +} +# end func_convert_path_nix_to_cygwin + + +# func_dll_def_p FILE +# True iff FILE is a Windows DLL '.def' file. +# Keep in sync with _LT_DLL_DEF_P in libtool.m4 +func_dll_def_p () +{ + $debug_cmd + + func_dll_def_p_tmp=`$SED -n \ + -e 's/^[ ]*//' \ + -e '/^\(;.*\)*$/d' \ + -e 's/^\(EXPORTS\|LIBRARY\)\([ ].*\)*$/DEF/p' \ + -e q \ + "$1"` + test DEF = "$func_dll_def_p_tmp" +} + + +# func_mode_compile arg... 
+func_mode_compile () +{ + $debug_cmd + + # Get the compilation command and the source file. + base_compile= + srcfile=$nonopt # always keep a non-empty value in "srcfile" + suppress_opt=yes + suppress_output= + arg_mode=normal + libobj= + later= + pie_flag= + + for arg + do + case $arg_mode in + arg ) + # do not "continue". Instead, add this to base_compile + lastarg=$arg + arg_mode=normal + ;; + + target ) + libobj=$arg + arg_mode=normal + continue + ;; + + normal ) + # Accept any command-line options. + case $arg in + -o) + test -n "$libobj" && \ + func_fatal_error "you cannot specify '-o' more than once" + arg_mode=target + continue + ;; + + -pie | -fpie | -fPIE) + func_append pie_flag " $arg" + continue + ;; + + -shared | -static | -prefer-pic | -prefer-non-pic) + func_append later " $arg" + continue + ;; + + -no-suppress) + suppress_opt=no + continue + ;; + + -Xcompiler) + arg_mode=arg # the next one goes into the "base_compile" arg list + continue # The current "srcfile" will either be retained or + ;; # replaced later. I would guess that would be a bug. + + -Wc,*) + func_stripname '-Wc,' '' "$arg" + args=$func_stripname_result + lastarg= + save_ifs=$IFS; IFS=, + for arg in $args; do + IFS=$save_ifs + func_append_quoted lastarg "$arg" + done + IFS=$save_ifs + func_stripname ' ' '' "$lastarg" + lastarg=$func_stripname_result + + # Add the arguments to base_compile. + func_append base_compile " $lastarg" + continue + ;; + + *) + # Accept the current argument as the source file. + # The previous "srcfile" becomes the current argument. + # + lastarg=$srcfile + srcfile=$arg + ;; + esac # case $arg + ;; + esac # case $arg_mode + + # Aesthetically quote the previous argument. + func_append_quoted base_compile "$lastarg" + done # for arg + + case $arg_mode in + arg) + func_fatal_error "you must specify an argument for -Xcompile" + ;; + target) + func_fatal_error "you must specify a target with '-o'" + ;; + *) + # Get the name of the library object. 
+ test -z "$libobj" && { + func_basename "$srcfile" + libobj=$func_basename_result + } + ;; + esac + + # Recognize several different file suffixes. + # If the user specifies -o file.o, it is replaced with file.lo + case $libobj in + *.[cCFSifmso] | \ + *.ada | *.adb | *.ads | *.asm | \ + *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ + *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup) + func_xform "$libobj" + libobj=$func_xform_result + ;; + esac + + case $libobj in + *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;; + *) + func_fatal_error "cannot determine name of library object from '$libobj'" + ;; + esac + + func_infer_tag $base_compile + + for arg in $later; do + case $arg in + -shared) + test yes = "$build_libtool_libs" \ + || func_fatal_configuration "cannot build a shared library" + build_old_libs=no + continue + ;; + + -static) + build_libtool_libs=no + build_old_libs=yes + continue + ;; + + -prefer-pic) + pic_mode=yes + continue + ;; + + -prefer-non-pic) + pic_mode=no + continue + ;; + esac + done + + func_quote_for_eval "$libobj" + test "X$libobj" != "X$func_quote_for_eval_result" \ + && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"' &()|`$[]' \ + && func_warning "libobj name '$libobj' may not contain shell special characters." + func_dirname_and_basename "$obj" "/" "" + objname=$func_basename_result + xdir=$func_dirname_result + lobj=$xdir$objdir/$objname + + test -z "$base_compile" && \ + func_fatal_help "you must specify a compilation command" + + # Delete any leftover library objects. 
+ if test yes = "$build_old_libs"; then + removelist="$obj $lobj $libobj ${libobj}T" + else + removelist="$lobj $libobj ${libobj}T" + fi + + # On Cygwin there's no "real" PIC flag so we must build both object types + case $host_os in + cygwin* | mingw* | pw32* | os2* | cegcc*) + pic_mode=default + ;; + esac + if test no = "$pic_mode" && test pass_all != "$deplibs_check_method"; then + # non-PIC code in shared libraries is not supported + pic_mode=default + fi + + # Calculate the filename of the output object if compiler does + # not support -o with -c + if test no = "$compiler_c_o"; then + output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.$objext + lockfile=$output_obj.lock + else + output_obj= + need_locks=no + lockfile= + fi + + # Lock this critical section if it is needed + # We use this script file to make the link, it avoids creating a new file + if test yes = "$need_locks"; then + until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do + func_echo "Waiting for $lockfile to be removed" + sleep 2 + done + elif test warn = "$need_locks"; then + if test -f "$lockfile"; then + $ECHO "\ +*** ERROR, $lockfile exists and contains: +`cat $lockfile 2>/dev/null` + +This indicates that another process is trying to use the same +temporary object file, and libtool could not work around it because +your compiler does not support '-c' and '-o' together. If you +repeat this compilation, it may succeed, by chance, but you had better +avoid parallel builds (make -j) in this platform, or get a better +compiler." 
+ + $opt_dry_run || $RM $removelist + exit $EXIT_FAILURE + fi + func_append removelist " $output_obj" + $ECHO "$srcfile" > "$lockfile" + fi + + $opt_dry_run || $RM $removelist + func_append removelist " $lockfile" + trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15 + + func_to_tool_file "$srcfile" func_convert_file_msys_to_w32 + srcfile=$func_to_tool_file_result + func_quote_for_eval "$srcfile" + qsrcfile=$func_quote_for_eval_result + + # Only build a PIC object if we are building libtool libraries. + if test yes = "$build_libtool_libs"; then + # Without this assignment, base_compile gets emptied. + fbsd_hideous_sh_bug=$base_compile + + if test no != "$pic_mode"; then + command="$base_compile $qsrcfile $pic_flag" + else + # Don't build PIC code + command="$base_compile $qsrcfile" + fi + + func_mkdir_p "$xdir$objdir" + + if test -z "$output_obj"; then + # Place PIC objects in $objdir + func_append command " -o $lobj" + fi + + func_show_eval_locale "$command" \ + 'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE' + + if test warn = "$need_locks" && + test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then + $ECHO "\ +*** ERROR, $lockfile contains: +`cat $lockfile 2>/dev/null` + +but it should contain: +$srcfile + +This indicates that another process is trying to use the same +temporary object file, and libtool could not work around it because +your compiler does not support '-c' and '-o' together. If you +repeat this compilation, it may succeed, by chance, but you had better +avoid parallel builds (make -j) in this platform, or get a better +compiler." + + $opt_dry_run || $RM $removelist + exit $EXIT_FAILURE + fi + + # Just move the object if needed, then go on to compile the next one + if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then + func_show_eval '$MV "$output_obj" "$lobj"' \ + 'error=$?; $opt_dry_run || $RM $removelist; exit $error' + fi + + # Allow error messages only from the first compilation. 
+ if test yes = "$suppress_opt"; then + suppress_output=' >/dev/null 2>&1' + fi + fi + + # Only build a position-dependent object if we build old libraries. + if test yes = "$build_old_libs"; then + if test yes != "$pic_mode"; then + # Don't build PIC code + command="$base_compile $qsrcfile$pie_flag" + else + command="$base_compile $qsrcfile $pic_flag" + fi + if test yes = "$compiler_c_o"; then + func_append command " -o $obj" + fi + + # Suppress compiler output if we already did a PIC compilation. + func_append command "$suppress_output" + func_show_eval_locale "$command" \ + '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' + + if test warn = "$need_locks" && + test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then + $ECHO "\ +*** ERROR, $lockfile contains: +`cat $lockfile 2>/dev/null` + +but it should contain: +$srcfile + +This indicates that another process is trying to use the same +temporary object file, and libtool could not work around it because +your compiler does not support '-c' and '-o' together. If you +repeat this compilation, it may succeed, by chance, but you had better +avoid parallel builds (make -j) in this platform, or get a better +compiler." + + $opt_dry_run || $RM $removelist + exit $EXIT_FAILURE + fi + + # Just move the object if needed + if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then + func_show_eval '$MV "$output_obj" "$obj"' \ + 'error=$?; $opt_dry_run || $RM $removelist; exit $error' + fi + fi + + $opt_dry_run || { + func_write_libtool_object "$libobj" "$objdir/$objname" "$objname" + + # Unlock the critical section if it was locked + if test no != "$need_locks"; then + removelist=$lockfile + $RM "$lockfile" + fi + } + + exit $EXIT_SUCCESS +} + +$opt_help || { + test compile = "$opt_mode" && func_mode_compile ${1+"$@"} +} + +func_mode_help () +{ + # We need to display help for each of the modes. + case $opt_mode in + "") + # Generic help is extracted from the usage comments + # at the start of this file. 
+ func_help + ;; + + clean) + $ECHO \ +"Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE... + +Remove files from the build directory. + +RM is the name of the program to use to delete files associated with each FILE +(typically '/bin/rm'). RM-OPTIONS are options (such as '-f') to be passed +to RM. + +If FILE is a libtool library, object or program, all the files associated +with it are deleted. Otherwise, only FILE itself is deleted using RM." + ;; + + compile) + $ECHO \ +"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE + +Compile a source file into a libtool library object. + +This mode accepts the following additional options: + + -o OUTPUT-FILE set the output file name to OUTPUT-FILE + -no-suppress do not suppress compiler output for multiple passes + -prefer-pic try to build PIC objects only + -prefer-non-pic try to build non-PIC objects only + -shared do not build a '.o' file suitable for static linking + -static only build a '.o' file suitable for static linking + -Wc,FLAG pass FLAG directly to the compiler + +COMPILE-COMMAND is a command to be used in creating a 'standard' object file +from the given SOURCEFILE. + +The output file name is determined by removing the directory component from +SOURCEFILE, then substituting the C source code suffix '.c' with the +library object suffix, '.lo'." + ;; + + execute) + $ECHO \ +"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]... + +Automatically set library path, then run a program. + +This mode accepts the following additional options: + + -dlopen FILE add the directory containing FILE to the library path + +This mode sets the library path environment variable according to '-dlopen' +flags. + +If any of the ARGS are libtool executable wrappers, then they are translated +into their corresponding uninstalled binary, and any of their required library +directories are added to the library path. + +Then, COMMAND is executed, with ARGS as arguments." 
+ ;; + + finish) + $ECHO \ +"Usage: $progname [OPTION]... --mode=finish [LIBDIR]... + +Complete the installation of libtool libraries. + +Each LIBDIR is a directory that contains libtool libraries. + +The commands that this mode executes may require superuser privileges. Use +the '--dry-run' option if you just want to see what would be executed." + ;; + + install) + $ECHO \ +"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND... + +Install executables or libraries. + +INSTALL-COMMAND is the installation command. The first component should be +either the 'install' or 'cp' program. + +The following components of INSTALL-COMMAND are treated specially: + + -inst-prefix-dir PREFIX-DIR Use PREFIX-DIR as a staging area for installation + +The rest of the components are interpreted as arguments to that command (only +BSD-compatible install options are recognized)." + ;; + + link) + $ECHO \ +"Usage: $progname [OPTION]... --mode=link LINK-COMMAND... + +Link object files or libraries together to form another library, or to +create an executable program. + +LINK-COMMAND is a command using the C compiler that you would use to create +a program from several object files. 
+ +The following components of LINK-COMMAND are treated specially: + + -all-static do not do any dynamic linking at all + -avoid-version do not add a version suffix if possible + -bindir BINDIR specify path to binaries directory (for systems where + libraries must be found in the PATH setting at runtime) + -dlopen FILE '-dlpreopen' FILE if it cannot be dlopened at runtime + -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols + -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) + -export-symbols SYMFILE + try to export only the symbols listed in SYMFILE + -export-symbols-regex REGEX + try to export only the symbols matching REGEX + -LLIBDIR search LIBDIR for required installed libraries + -lNAME OUTPUT-FILE requires the installed library libNAME + -module build a library that can dlopened + -no-fast-install disable the fast-install mode + -no-install link a not-installable executable + -no-undefined declare that a library does not refer to external symbols + -o OUTPUT-FILE create OUTPUT-FILE from the specified objects + -objectlist FILE use a list of object files found in FILE to specify objects + -os2dllname NAME force a short DLL name on OS/2 (no effect on other OSes) + -precious-files-regex REGEX + don't remove output files matching REGEX + -release RELEASE specify package release information + -rpath LIBDIR the created library will eventually be installed in LIBDIR + -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries + -shared only do dynamic linking of libtool libraries + -shrext SUFFIX override the standard shared library file extension + -static do not do any dynamic linking of uninstalled libtool libraries + -static-libtool-libs + do not do any dynamic linking of libtool libraries + -version-info CURRENT[:REVISION[:AGE]] + specify library version info [each variable defaults to 0] + -weak LIBNAME declare that the target provides the LIBNAME interface + -Wc,FLAG + -Xcompiler FLAG pass 
linker-specific FLAG directly to the compiler + -Wl,FLAG + -Xlinker FLAG pass linker-specific FLAG directly to the linker + -XCClinker FLAG pass link-specific FLAG to the compiler driver (CC) + +All other options (arguments beginning with '-') are ignored. + +Every other argument is treated as a filename. Files ending in '.la' are +treated as uninstalled libtool libraries, other files are standard or library +object files. + +If the OUTPUT-FILE ends in '.la', then a libtool library is created, +only library objects ('.lo' files) may be specified, and '-rpath' is +required, except when creating a convenience library. + +If OUTPUT-FILE ends in '.a' or '.lib', then a standard library is created +using 'ar' and 'ranlib', or on Windows using 'lib'. + +If OUTPUT-FILE ends in '.lo' or '.$objext', then a reloadable object file +is created, otherwise an executable program is created." + ;; + + uninstall) + $ECHO \ +"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... + +Remove libraries from an installation directory. + +RM is the name of the program to use to delete files associated with each FILE +(typically '/bin/rm'). RM-OPTIONS are options (such as '-f') to be passed +to RM. + +If FILE is a libtool library, all the files associated with it are deleted. +Otherwise, only FILE itself is deleted using RM." + ;; + + *) + func_fatal_help "invalid operation mode '$opt_mode'" + ;; + esac + + echo + $ECHO "Try '$progname --help' for more information about other modes." 
+} + +# Now that we've collected a possible --mode arg, show help if necessary +if $opt_help; then + if test : = "$opt_help"; then + func_mode_help + else + { + func_help noexit + for opt_mode in compile link execute install finish uninstall clean; do + func_mode_help + done + } | $SED -n '1p; 2,$s/^Usage:/ or: /p' + { + func_help noexit + for opt_mode in compile link execute install finish uninstall clean; do + echo + func_mode_help + done + } | + $SED '1d + /^When reporting/,/^Report/{ + H + d + } + $x + /information about other modes/d + /more detailed .*MODE/d + s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/' + fi + exit $? +fi + + +# func_mode_execute arg... +func_mode_execute () +{ + $debug_cmd + + # The first argument is the command name. + cmd=$nonopt + test -z "$cmd" && \ + func_fatal_help "you must specify a COMMAND" + + # Handle -dlopen flags immediately. + for file in $opt_dlopen; do + test -f "$file" \ + || func_fatal_help "'$file' is not a file" + + dir= + case $file in + *.la) + func_resolve_sysroot "$file" + file=$func_resolve_sysroot_result + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$file" \ + || func_fatal_help "'$lib' is not a valid libtool archive" + + # Read the libtool library. + dlname= + library_names= + func_source "$file" + + # Skip this library if it cannot be dlopened. + if test -z "$dlname"; then + # Warn if it was a shared library. + test -n "$library_names" && \ + func_warning "'$file' was not linked with '-export-dynamic'" + continue + fi + + func_dirname "$file" "" "." + dir=$func_dirname_result + + if test -f "$dir/$objdir/$dlname"; then + func_append dir "/$objdir" + else + if test ! -f "$dir/$dlname"; then + func_fatal_error "cannot find '$dlname' in '$dir' or '$dir/$objdir'" + fi + fi + ;; + + *.lo) + # Just add the directory containing the .lo file. + func_dirname "$file" "" "." 
+ dir=$func_dirname_result + ;; + + *) + func_warning "'-dlopen' is ignored for non-libtool libraries and objects" + continue + ;; + esac + + # Get the absolute pathname. + absdir=`cd "$dir" && pwd` + test -n "$absdir" && dir=$absdir + + # Now add the directory to shlibpath_var. + if eval "test -z \"\$$shlibpath_var\""; then + eval "$shlibpath_var=\"\$dir\"" + else + eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" + fi + done + + # This variable tells wrapper scripts just to set shlibpath_var + # rather than running their programs. + libtool_execute_magic=$magic + + # Check if any of the arguments is a wrapper script. + args= + for file + do + case $file in + -* | *.la | *.lo ) ;; + *) + # Do a test to see if this is really a libtool program. + if func_ltwrapper_script_p "$file"; then + func_source "$file" + # Transform arg to wrapped name. + file=$progdir/$program + elif func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + func_source "$func_ltwrapper_scriptname_result" + # Transform arg to wrapped name. + file=$progdir/$program + fi + ;; + esac + # Quote arguments (to preserve shell metacharacters). + func_append_quoted args "$file" + done + + if $opt_dry_run; then + # Display what would be done. + if test -n "$shlibpath_var"; then + eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\"" + echo "export $shlibpath_var" + fi + $ECHO "$cmd$args" + exit $EXIT_SUCCESS + else + if test -n "$shlibpath_var"; then + # Export the shlibpath_var. + eval "export $shlibpath_var" + fi + + # Restore saved environment variables + for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES + do + eval "if test \"\${save_$lt_var+set}\" = set; then + $lt_var=\$save_$lt_var; export $lt_var + else + $lt_unset $lt_var + fi" + done + + # Now prepare to actually exec the command. + exec_cmd=\$cmd$args + fi +} + +test execute = "$opt_mode" && func_mode_execute ${1+"$@"} + + +# func_mode_finish arg... 
+func_mode_finish () +{ + $debug_cmd + + libs= + libdirs= + admincmds= + + for opt in "$nonopt" ${1+"$@"} + do + if test -d "$opt"; then + func_append libdirs " $opt" + + elif test -f "$opt"; then + if func_lalib_unsafe_p "$opt"; then + func_append libs " $opt" + else + func_warning "'$opt' is not a valid libtool archive" + fi + + else + func_fatal_error "invalid argument '$opt'" + fi + done + + if test -n "$libs"; then + if test -n "$lt_sysroot"; then + sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"` + sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;" + else + sysroot_cmd= + fi + + # Remove sysroot references + if $opt_dry_run; then + for lib in $libs; do + echo "removing references to $lt_sysroot and '=' prefixes from $lib" + done + else + tmpdir=`func_mktempdir` + for lib in $libs; do + $SED -e "$sysroot_cmd s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \ + > $tmpdir/tmp-la + mv -f $tmpdir/tmp-la $lib + done + ${RM}r "$tmpdir" + fi + fi + + if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then + for libdir in $libdirs; do + if test -n "$finish_cmds"; then + # Do each command in the finish commands. + func_execute_cmds "$finish_cmds" 'admincmds="$admincmds +'"$cmd"'"' + fi + if test -n "$finish_eval"; then + # Do the single finish_eval. + eval cmds=\"$finish_eval\" + $opt_dry_run || eval "$cmds" || func_append admincmds " + $cmds" + fi + done + fi + + # Exit here if they wanted silent mode. 
+ $opt_quiet && exit $EXIT_SUCCESS + + if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then + echo "----------------------------------------------------------------------" + echo "Libraries have been installed in:" + for libdir in $libdirs; do + $ECHO " $libdir" + done + echo + echo "If you ever happen to want to link against installed libraries" + echo "in a given directory, LIBDIR, you must either use libtool, and" + echo "specify the full pathname of the library, or use the '-LLIBDIR'" + echo "flag during linking and do at least one of the following:" + if test -n "$shlibpath_var"; then + echo " - add LIBDIR to the '$shlibpath_var' environment variable" + echo " during execution" + fi + if test -n "$runpath_var"; then + echo " - add LIBDIR to the '$runpath_var' environment variable" + echo " during linking" + fi + if test -n "$hardcode_libdir_flag_spec"; then + libdir=LIBDIR + eval flag=\"$hardcode_libdir_flag_spec\" + + $ECHO " - use the '$flag' linker flag" + fi + if test -n "$admincmds"; then + $ECHO " - have your system administrator run these commands:$admincmds" + fi + if test -f /etc/ld.so.conf; then + echo " - have your system administrator add LIBDIR to '/etc/ld.so.conf'" + fi + echo + + echo "See any operating system documentation about shared libraries for" + case $host in + solaris2.[6789]|solaris2.1[0-9]) + echo "more information, such as the ld(1), crle(1) and ld.so(8) manual" + echo "pages." + ;; + *) + echo "more information, such as the ld(1) and ld.so(8) manual pages." + ;; + esac + echo "----------------------------------------------------------------------" + fi + exit $EXIT_SUCCESS +} + +test finish = "$opt_mode" && func_mode_finish ${1+"$@"} + + +# func_mode_install arg... +func_mode_install () +{ + $debug_cmd + + # There may be an optional sh(1) argument at the beginning of + # install_prog (especially on Windows NT). 
+ if test "$SHELL" = "$nonopt" || test /bin/sh = "$nonopt" || + # Allow the use of GNU shtool's install command. + case $nonopt in *shtool*) :;; *) false;; esac + then + # Aesthetically quote it. + func_quote_for_eval "$nonopt" + install_prog="$func_quote_for_eval_result " + arg=$1 + shift + else + install_prog= + arg=$nonopt + fi + + # The real first argument should be the name of the installation program. + # Aesthetically quote it. + func_quote_for_eval "$arg" + func_append install_prog "$func_quote_for_eval_result" + install_shared_prog=$install_prog + case " $install_prog " in + *[\\\ /]cp\ *) install_cp=: ;; + *) install_cp=false ;; + esac + + # We need to accept at least all the BSD install flags. + dest= + files= + opts= + prev= + install_type= + isdir=false + stripme= + no_mode=: + for arg + do + arg2= + if test -n "$dest"; then + func_append files " $dest" + dest=$arg + continue + fi + + case $arg in + -d) isdir=: ;; + -f) + if $install_cp; then :; else + prev=$arg + fi + ;; + -g | -m | -o) + prev=$arg + ;; + -s) + stripme=" -s" + continue + ;; + -*) + ;; + *) + # If the previous option needed an argument, then skip it. + if test -n "$prev"; then + if test X-m = "X$prev" && test -n "$install_override_mode"; then + arg2=$install_override_mode + no_mode=false + fi + prev= + else + dest=$arg + continue + fi + ;; + esac + + # Aesthetically quote the argument. 
+ func_quote_for_eval "$arg" + func_append install_prog " $func_quote_for_eval_result" + if test -n "$arg2"; then + func_quote_for_eval "$arg2" + fi + func_append install_shared_prog " $func_quote_for_eval_result" + done + + test -z "$install_prog" && \ + func_fatal_help "you must specify an install program" + + test -n "$prev" && \ + func_fatal_help "the '$prev' option requires an argument" + + if test -n "$install_override_mode" && $no_mode; then + if $install_cp; then :; else + func_quote_for_eval "$install_override_mode" + func_append install_shared_prog " -m $func_quote_for_eval_result" + fi + fi + + if test -z "$files"; then + if test -z "$dest"; then + func_fatal_help "no file or destination specified" + else + func_fatal_help "you must specify a destination" + fi + fi + + # Strip any trailing slash from the destination. + func_stripname '' '/' "$dest" + dest=$func_stripname_result + + # Check to see that the destination is a directory. + test -d "$dest" && isdir=: + if $isdir; then + destdir=$dest + destname= + else + func_dirname_and_basename "$dest" "" "." + destdir=$func_dirname_result + destname=$func_basename_result + + # Not a directory, so check to see that there is only one file specified. + set dummy $files; shift + test "$#" -gt 1 && \ + func_fatal_help "'$dest' is not a directory" + fi + case $destdir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + for file in $files; do + case $file in + *.lo) ;; + *) + func_fatal_help "'$destdir' must be an absolute directory name" + ;; + esac + done + ;; + esac + + # This variable tells wrapper scripts just to set variables rather + # than running their programs. + libtool_install_magic=$magic + + staticlibs= + future_libdirs= + current_libdirs= + for file in $files; do + + # Do each installation. + case $file in + *.$libext) + # Do the static libraries later. 
+ func_append staticlibs " $file" + ;; + + *.la) + func_resolve_sysroot "$file" + file=$func_resolve_sysroot_result + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$file" \ + || func_fatal_help "'$file' is not a valid libtool archive" + + library_names= + old_library= + relink_command= + func_source "$file" + + # Add the libdir to current_libdirs if it is the destination. + if test "X$destdir" = "X$libdir"; then + case "$current_libdirs " in + *" $libdir "*) ;; + *) func_append current_libdirs " $libdir" ;; + esac + else + # Note the libdir as a future libdir. + case "$future_libdirs " in + *" $libdir "*) ;; + *) func_append future_libdirs " $libdir" ;; + esac + fi + + func_dirname "$file" "/" "" + dir=$func_dirname_result + func_append dir "$objdir" + + if test -n "$relink_command"; then + # Determine the prefix the user has applied to our future dir. + inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"` + + # Don't allow the user to place us outside of our expected + # location b/c this prevents finding dependent libraries that + # are installed to the same prefix. + # At present, this check doesn't affect windows .dll's that + # are installed into $libdir/../bin (currently, that works fine) + # but it's something to keep an eye on. + test "$inst_prefix_dir" = "$destdir" && \ + func_fatal_error "error: cannot install '$file' to a directory not ending in $libdir" + + if test -n "$inst_prefix_dir"; then + # Stick the inst_prefix_dir data into the link command. + relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` + else + relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"` + fi + + func_warning "relinking '$file'" + func_show_eval "$relink_command" \ + 'func_fatal_error "error: relink '\''$file'\'' with the above command before installing it"' + fi + + # See the names of the shared library. 
+ set dummy $library_names; shift + if test -n "$1"; then + realname=$1 + shift + + srcname=$realname + test -n "$relink_command" && srcname=${realname}T + + # Install the shared library and build the symlinks. + func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \ + 'exit $?' + tstripme=$stripme + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + case $realname in + *.dll.a) + tstripme= + ;; + esac + ;; + os2*) + case $realname in + *_dll.a) + tstripme= + ;; + esac + ;; + esac + if test -n "$tstripme" && test -n "$striplib"; then + func_show_eval "$striplib $destdir/$realname" 'exit $?' + fi + + if test "$#" -gt 0; then + # Delete the old symlinks, and create new ones. + # Try 'ln -sf' first, because the 'ln' binary might depend on + # the symlink we replace! Solaris /bin/ln does not understand -f, + # so we also need to try rm && ln -s. + for linkname + do + test "$linkname" != "$realname" \ + && func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })" + done + fi + + # Do each command in the postinstall commands. + lib=$destdir/$realname + func_execute_cmds "$postinstall_cmds" 'exit $?' + fi + + # Install the pseudo-library for information purposes. + func_basename "$file" + name=$func_basename_result + instname=$dir/${name}i + func_show_eval "$install_prog $instname $destdir/$name" 'exit $?' + + # Maybe install the static library, too. + test -n "$old_library" && func_append staticlibs " $dir/$old_library" + ;; + + *.lo) + # Install (i.e. copy) a libtool object. + + # Figure out destination file name, if it wasn't already specified. + if test -n "$destname"; then + destfile=$destdir/$destname + else + func_basename "$file" + destfile=$func_basename_result + destfile=$destdir/$destfile + fi + + # Deduce the name of the destination old-style object file. 
+ case $destfile in + *.lo) + func_lo2o "$destfile" + staticdest=$func_lo2o_result + ;; + *.$objext) + staticdest=$destfile + destfile= + ;; + *) + func_fatal_help "cannot copy a libtool object to '$destfile'" + ;; + esac + + # Install the libtool object if requested. + test -n "$destfile" && \ + func_show_eval "$install_prog $file $destfile" 'exit $?' + + # Install the old object if enabled. + if test yes = "$build_old_libs"; then + # Deduce the name of the old-style object file. + func_lo2o "$file" + staticobj=$func_lo2o_result + func_show_eval "$install_prog \$staticobj \$staticdest" 'exit $?' + fi + exit $EXIT_SUCCESS + ;; + + *) + # Figure out destination file name, if it wasn't already specified. + if test -n "$destname"; then + destfile=$destdir/$destname + else + func_basename "$file" + destfile=$func_basename_result + destfile=$destdir/$destfile + fi + + # If the file is missing, and there is a .exe on the end, strip it + # because it is most likely a libtool script we actually want to + # install + stripped_ext= + case $file in + *.exe) + if test ! -f "$file"; then + func_stripname '' '.exe' "$file" + file=$func_stripname_result + stripped_ext=.exe + fi + ;; + esac + + # Do a test to see if this is really a libtool program. + case $host in + *cygwin* | *mingw*) + if func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + wrapper=$func_ltwrapper_scriptname_result + else + func_stripname '' '.exe' "$file" + wrapper=$func_stripname_result + fi + ;; + *) + wrapper=$file + ;; + esac + if func_ltwrapper_script_p "$wrapper"; then + notinst_deplibs= + relink_command= + + func_source "$wrapper" + + # Check the variables that should have been set. + test -z "$generated_by_libtool_version" && \ + func_fatal_error "invalid libtool wrapper script '$wrapper'" + + finalize=: + for lib in $notinst_deplibs; do + # Check to see that each library is installed. 
+ libdir= + if test -f "$lib"; then + func_source "$lib" + fi + libfile=$libdir/`$ECHO "$lib" | $SED 's%^.*/%%g'` + if test -n "$libdir" && test ! -f "$libfile"; then + func_warning "'$lib' has not been installed in '$libdir'" + finalize=false + fi + done + + relink_command= + func_source "$wrapper" + + outputname= + if test no = "$fast_install" && test -n "$relink_command"; then + $opt_dry_run || { + if $finalize; then + tmpdir=`func_mktempdir` + func_basename "$file$stripped_ext" + file=$func_basename_result + outputname=$tmpdir/$file + # Replace the output file specification. + relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'` + + $opt_quiet || { + func_quote_for_expand "$relink_command" + eval "func_echo $func_quote_for_expand_result" + } + if eval "$relink_command"; then : + else + func_error "error: relink '$file' with the above command before installing it" + $opt_dry_run || ${RM}r "$tmpdir" + continue + fi + file=$outputname + else + func_warning "cannot relink '$file'" + fi + } + else + # Install the binary that we compiled earlier. + file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"` + fi + fi + + # remove .exe since cygwin /usr/bin/install will append another + # one anyway + case $install_prog,$host in + */usr/bin/install*,*cygwin*) + case $file:$destfile in + *.exe:*.exe) + # this is ok + ;; + *.exe:*) + destfile=$destfile.exe + ;; + *:*.exe) + func_stripname '' '.exe' "$destfile" + destfile=$func_stripname_result + ;; + esac + ;; + esac + func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?' + $opt_dry_run || if test -n "$outputname"; then + ${RM}r "$tmpdir" + fi + ;; + esac + done + + for file in $staticlibs; do + func_basename "$file" + name=$func_basename_result + + # Set up the ranlib parameters. + oldlib=$destdir/$name + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result + + func_show_eval "$install_prog \$file \$oldlib" 'exit $?' 
+ + if test -n "$stripme" && test -n "$old_striplib"; then + func_show_eval "$old_striplib $tool_oldlib" 'exit $?' + fi + + # Do each command in the postinstall commands. + func_execute_cmds "$old_postinstall_cmds" 'exit $?' + done + + test -n "$future_libdirs" && \ + func_warning "remember to run '$progname --finish$future_libdirs'" + + if test -n "$current_libdirs"; then + # Maybe just do a dry run. + $opt_dry_run && current_libdirs=" -n$current_libdirs" + exec_cmd='$SHELL "$progpath" $preserve_args --finish$current_libdirs' + else + exit $EXIT_SUCCESS + fi +} + +test install = "$opt_mode" && func_mode_install ${1+"$@"} + + +# func_generate_dlsyms outputname originator pic_p +# Extract symbols from dlprefiles and create ${outputname}S.o with +# a dlpreopen symbol table. +func_generate_dlsyms () +{ + $debug_cmd + + my_outputname=$1 + my_originator=$2 + my_pic_p=${3-false} + my_prefix=`$ECHO "$my_originator" | $SED 's%[^a-zA-Z0-9]%_%g'` + my_dlsyms= + + if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then + if test -n "$NM" && test -n "$global_symbol_pipe"; then + my_dlsyms=${my_outputname}S.c + else + func_error "not configured to extract global symbols from dlpreopened files" + fi + fi + + if test -n "$my_dlsyms"; then + case $my_dlsyms in + "") ;; + *.c) + # Discover the nlist of each of the dlfiles. + nlist=$output_objdir/$my_outputname.nm + + func_show_eval "$RM $nlist ${nlist}S ${nlist}T" + + # Parse the name list into a source file. + func_verbose "creating $output_objdir/$my_dlsyms" + + $opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\ +/* $my_dlsyms - symbol resolution table for '$my_outputname' dlsym emulation. 
*/ +/* Generated by $PROGRAM (GNU $PACKAGE) $VERSION */ + +#ifdef __cplusplus +extern \"C\" { +#endif + +#if defined __GNUC__ && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4)) +#pragma GCC diagnostic ignored \"-Wstrict-prototypes\" +#endif + +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ +#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE +/* DATA imports from DLLs on WIN32 can't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT_DLSYM_CONST +#elif defined __osf__ +/* This system does not cope well with relocations in const data. */ +# define LT_DLSYM_CONST +#else +# define LT_DLSYM_CONST const +#endif + +#define STREQ(s1, s2) (strcmp ((s1), (s2)) == 0) + +/* External symbol declarations for the compiler. */\ +" + + if test yes = "$dlself"; then + func_verbose "generating symbol list for '$output'" + + $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist" + + # Add our own program objects to the symbol list. 
+ progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP` + for progfile in $progfiles; do + func_to_tool_file "$progfile" func_convert_file_msys_to_w32 + func_verbose "extracting global C symbols from '$func_to_tool_file_result'" + $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'" + done + + if test -n "$exclude_expsyms"; then + $opt_dry_run || { + eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + } + fi + + if test -n "$export_symbols_regex"; then + $opt_dry_run || { + eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + } + fi + + # Prepare the list of exported symbols + if test -z "$export_symbols"; then + export_symbols=$output_objdir/$outputname.exp + $opt_dry_run || { + $RM $export_symbols + eval "$SED -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' + case $host in + *cygwin* | *mingw* | *cegcc* ) + eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' + eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"' + ;; + esac + } + else + $opt_dry_run || { + eval "$SED -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"' + eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + case $host in + *cygwin* | *mingw* | *cegcc* ) + eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' + eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' + ;; + esac + } + fi + fi + + for dlprefile in $dlprefiles; do + func_verbose "extracting global C symbols from '$dlprefile'" + func_basename "$dlprefile" + name=$func_basename_result + case $host in + *cygwin* | *mingw* | *cegcc* ) + # if an import library, we need to obtain dlname + if func_win32_import_lib_p "$dlprefile"; then + func_tr_sh "$dlprefile" + eval "curr_lafile=\$libfile_$func_tr_sh_result" + dlprefile_dlbasename= + if test 
-n "$curr_lafile" && func_lalib_p "$curr_lafile"; then + # Use subshell, to avoid clobbering current variable values + dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"` + if test -n "$dlprefile_dlname"; then + func_basename "$dlprefile_dlname" + dlprefile_dlbasename=$func_basename_result + else + # no lafile. user explicitly requested -dlpreopen . + $sharedlib_from_linklib_cmd "$dlprefile" + dlprefile_dlbasename=$sharedlib_from_linklib_result + fi + fi + $opt_dry_run || { + if test -n "$dlprefile_dlbasename"; then + eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"' + else + func_warning "Could not compute DLL name from $name" + eval '$ECHO ": $name " >> "$nlist"' + fi + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe | + $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'" + } + else # not an import lib + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + fi + ;; + *) + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + ;; + esac + done + + $opt_dry_run || { + # Make sure we have at least an empty file. + test -f "$nlist" || : > "$nlist" + + if test -n "$exclude_expsyms"; then + $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T + $MV "$nlist"T "$nlist" + fi + + # Try sorting and uniquifying the output. 
+ if $GREP -v "^: " < "$nlist" | + if sort -k 3 /dev/null 2>&1; then + sort -k 3 + else + sort +2 + fi | + uniq > "$nlist"S; then + : + else + $GREP -v "^: " < "$nlist" > "$nlist"S + fi + + if test -f "$nlist"S; then + eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"' + else + echo '/* NONE */' >> "$output_objdir/$my_dlsyms" + fi + + func_show_eval '$RM "${nlist}I"' + if test -n "$global_symbol_to_import"; then + eval "$global_symbol_to_import"' < "$nlist"S > "$nlist"I' + fi + + echo >> "$output_objdir/$my_dlsyms" "\ + +/* The mapping between symbol names and symbols. */ +typedef struct { + const char *name; + void *address; +} lt_dlsymlist; +extern LT_DLSYM_CONST lt_dlsymlist +lt_${my_prefix}_LTX_preloaded_symbols[];\ +" + + if test -s "$nlist"I; then + echo >> "$output_objdir/$my_dlsyms" "\ +static void lt_syminit(void) +{ + LT_DLSYM_CONST lt_dlsymlist *symbol = lt_${my_prefix}_LTX_preloaded_symbols; + for (; symbol->name; ++symbol) + {" + $SED 's/.*/ if (STREQ (symbol->name, \"&\")) symbol->address = (void *) \&&;/' < "$nlist"I >> "$output_objdir/$my_dlsyms" + echo >> "$output_objdir/$my_dlsyms" "\ + } +}" + fi + echo >> "$output_objdir/$my_dlsyms" "\ +LT_DLSYM_CONST lt_dlsymlist +lt_${my_prefix}_LTX_preloaded_symbols[] = +{ {\"$my_originator\", (void *) 0}," + + if test -s "$nlist"I; then + echo >> "$output_objdir/$my_dlsyms" "\ + {\"@INIT@\", (void *) <_syminit}," + fi + + case $need_lib_prefix in + no) + eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms" + ;; + *) + eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms" + ;; + esac + echo >> "$output_objdir/$my_dlsyms" "\ + {0, (void *) 0} +}; + +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt_${my_prefix}_LTX_preloaded_symbols; +} +#endif + +#ifdef __cplusplus +} +#endif\ +" + } # !$opt_dry_run + + pic_flag_for_symtable= + case 
"$compile_command " in + *" -static "*) ;; + *) + case $host in + # compiling the symbol table file with pic_flag works around + # a FreeBSD bug that causes programs to crash when -lm is + # linked before any other PIC object. But we must not use + # pic_flag when linking with -static. The problem exists in + # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. + *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) + pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; + *-*-hpux*) + pic_flag_for_symtable=" $pic_flag" ;; + *) + $my_pic_p && pic_flag_for_symtable=" $pic_flag" + ;; + esac + ;; + esac + symtab_cflags= + for arg in $LTCFLAGS; do + case $arg in + -pie | -fpie | -fPIE) ;; + *) func_append symtab_cflags " $arg" ;; + esac + done + + # Now compile the dynamic symbol file. + func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?' + + # Clean up the generated files. + func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T" "${nlist}I"' + + # Transform the symbol file into the correct name. 
+ symfileobj=$output_objdir/${my_outputname}S.$objext + case $host in + *cygwin* | *mingw* | *cegcc* ) + if test -f "$output_objdir/$my_outputname.def"; then + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + else + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` + fi + ;; + *) + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` + ;; + esac + ;; + *) + func_fatal_error "unknown suffix for '$my_dlsyms'" + ;; + esac + else + # We keep going just in case the user didn't refer to + # lt_preloaded_symbols. The linker will fail if global_symbol_pipe + # really was required. + + # Nullify the symbol file. + compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"` + fi +} + +# func_cygming_gnu_implib_p ARG +# This predicate returns with zero status (TRUE) if +# ARG is a GNU/binutils-style import library. Returns +# with nonzero status (FALSE) otherwise. +func_cygming_gnu_implib_p () +{ + $debug_cmd + + func_to_tool_file "$1" func_convert_file_msys_to_w32 + func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'` + test -n "$func_cygming_gnu_implib_tmp" +} + +# func_cygming_ms_implib_p ARG +# This predicate returns with zero status (TRUE) if +# ARG is an MS-style import library. Returns +# with nonzero status (FALSE) otherwise. 
+func_cygming_ms_implib_p () +{ + $debug_cmd + + func_to_tool_file "$1" func_convert_file_msys_to_w32 + func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'` + test -n "$func_cygming_ms_implib_tmp" +} + +# func_win32_libid arg +# return the library type of file 'arg' +# +# Need a lot of goo to handle *both* DLLs and import libs +# Has to be a shell function in order to 'eat' the argument +# that is supplied when $file_magic_command is called. +# Despite the name, also deal with 64 bit binaries. +func_win32_libid () +{ + $debug_cmd + + win32_libid_type=unknown + win32_fileres=`file -L $1 2>/dev/null` + case $win32_fileres in + *ar\ archive\ import\ library*) # definitely import + win32_libid_type="x86 archive import" + ;; + *ar\ archive*) # could be an import, or static + # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD. + if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | + $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then + case $nm_interface in + "MS dumpbin") + if func_cygming_ms_implib_p "$1" || + func_cygming_gnu_implib_p "$1" + then + win32_nmres=import + else + win32_nmres= + fi + ;; + *) + func_to_tool_file "$1" func_convert_file_msys_to_w32 + win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" | + $SED -n -e ' + 1,100{ + / I /{ + s|.*|import| + p + q + } + }'` + ;; + esac + case $win32_nmres in + import*) win32_libid_type="x86 archive import";; + *) win32_libid_type="x86 archive static";; + esac + fi + ;; + *DLL*) + win32_libid_type="x86 DLL" + ;; + *executable*) # but shell scripts are "executable" too... + case $win32_fileres in + *MS\ Windows\ PE\ Intel*) + win32_libid_type="x86 DLL" + ;; + esac + ;; + esac + $ECHO "$win32_libid_type" +} + +# func_cygming_dll_for_implib ARG +# +# Platform-specific function to extract the +# name of the DLL associated with the specified +# import library ARG. 
+# Invoked by eval'ing the libtool variable +# $sharedlib_from_linklib_cmd +# Result is available in the variable +# $sharedlib_from_linklib_result +func_cygming_dll_for_implib () +{ + $debug_cmd + + sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"` +} + +# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs +# +# The is the core of a fallback implementation of a +# platform-specific function to extract the name of the +# DLL associated with the specified import library LIBNAME. +# +# SECTION_NAME is either .idata$6 or .idata$7, depending +# on the platform and compiler that created the implib. +# +# Echos the name of the DLL associated with the +# specified import library. +func_cygming_dll_for_implib_fallback_core () +{ + $debug_cmd + + match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"` + $OBJDUMP -s --section "$1" "$2" 2>/dev/null | + $SED '/^Contents of section '"$match_literal"':/{ + # Place marker at beginning of archive member dllname section + s/.*/====MARK====/ + p + d + } + # These lines can sometimes be longer than 43 characters, but + # are always uninteresting + /:[ ]*file format pe[i]\{,1\}-/d + /^In archive [^:]*:/d + # Ensure marker is printed + /^====MARK====/p + # Remove all lines with less than 43 characters + /^.\{43\}/!d + # From remaining lines, remove first 43 characters + s/^.\{43\}//' | + $SED -n ' + # Join marker and all lines until next marker into a single line + /^====MARK====/ b para + H + $ b para + b + :para + x + s/\n//g + # Remove the marker + s/^====MARK====// + # Remove trailing dots and whitespace + s/[\. \t]*$// + # Print + /./p' | + # we now have a list, one entry per line, of the stringified + # contents of the appropriate section of all members of the + # archive that possess that section. Heuristic: eliminate + # all those that have a first or second character that is + # a '.' (that is, objdump's representation of an unprintable + # character.) 
This should work for all archives with less than + # 0x302f exports -- but will fail for DLLs whose name actually + # begins with a literal '.' or a single character followed by + # a '.'. + # + # Of those that remain, print the first one. + $SED -e '/^\./d;/^.\./d;q' +} + +# func_cygming_dll_for_implib_fallback ARG +# Platform-specific function to extract the +# name of the DLL associated with the specified +# import library ARG. +# +# This fallback implementation is for use when $DLLTOOL +# does not support the --identify-strict option. +# Invoked by eval'ing the libtool variable +# $sharedlib_from_linklib_cmd +# Result is available in the variable +# $sharedlib_from_linklib_result +func_cygming_dll_for_implib_fallback () +{ + $debug_cmd + + if func_cygming_gnu_implib_p "$1"; then + # binutils import library + sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"` + elif func_cygming_ms_implib_p "$1"; then + # ms-generated import library + sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"` + else + # unknown + sharedlib_from_linklib_result= + fi +} + + +# func_extract_an_archive dir oldlib +func_extract_an_archive () +{ + $debug_cmd + + f_ex_an_ar_dir=$1; shift + f_ex_an_ar_oldlib=$1 + if test yes = "$lock_old_archive_extraction"; then + lockfile=$f_ex_an_ar_oldlib.lock + until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do + func_echo "Waiting for $lockfile to be removed" + sleep 2 + done + fi + func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \ + 'stat=$?; rm -f "$lockfile"; exit $stat' + if test yes = "$lock_old_archive_extraction"; then + $opt_dry_run || rm -f "$lockfile" + fi + if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then + : + else + func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" + fi +} + + +# func_extract_archives gentop oldlib ... 
+func_extract_archives () +{ + $debug_cmd + + my_gentop=$1; shift + my_oldlibs=${1+"$@"} + my_oldobjs= + my_xlib= + my_xabs= + my_xdir= + + for my_xlib in $my_oldlibs; do + # Extract the objects. + case $my_xlib in + [\\/]* | [A-Za-z]:[\\/]*) my_xabs=$my_xlib ;; + *) my_xabs=`pwd`"/$my_xlib" ;; + esac + func_basename "$my_xlib" + my_xlib=$func_basename_result + my_xlib_u=$my_xlib + while :; do + case " $extracted_archives " in + *" $my_xlib_u "*) + func_arith $extracted_serial + 1 + extracted_serial=$func_arith_result + my_xlib_u=lt$extracted_serial-$my_xlib ;; + *) break ;; + esac + done + extracted_archives="$extracted_archives $my_xlib_u" + my_xdir=$my_gentop/$my_xlib_u + + func_mkdir_p "$my_xdir" + + case $host in + *-darwin*) + func_verbose "Extracting $my_xabs" + # Do not bother doing anything if just a dry run + $opt_dry_run || { + darwin_orig_dir=`pwd` + cd $my_xdir || exit $? + darwin_archive=$my_xabs + darwin_curdir=`pwd` + func_basename "$darwin_archive" + darwin_base_archive=$func_basename_result + darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true` + if test -n "$darwin_arches"; then + darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'` + darwin_arch= + func_verbose "$darwin_base_archive has multiple architectures $darwin_arches" + for darwin_arch in $darwin_arches; do + func_mkdir_p "unfat-$$/$darwin_base_archive-$darwin_arch" + $LIPO -thin $darwin_arch -output "unfat-$$/$darwin_base_archive-$darwin_arch/$darwin_base_archive" "$darwin_archive" + cd "unfat-$$/$darwin_base_archive-$darwin_arch" + func_extract_an_archive "`pwd`" "$darwin_base_archive" + cd "$darwin_curdir" + $RM "unfat-$$/$darwin_base_archive-$darwin_arch/$darwin_base_archive" + done # $darwin_arches + ## Okay now we've a bunch of thin objects, gotta fatten them up :) + darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$sed_basename" | sort -u` + darwin_file= + darwin_files= + for 
darwin_file in $darwin_filelist; do + darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP` + $LIPO -create -output "$darwin_file" $darwin_files + done # $darwin_filelist + $RM -rf unfat-$$ + cd "$darwin_orig_dir" + else + cd $darwin_orig_dir + func_extract_an_archive "$my_xdir" "$my_xabs" + fi # $darwin_arches + } # !$opt_dry_run + ;; + *) + func_extract_an_archive "$my_xdir" "$my_xabs" + ;; + esac + my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP` + done + + func_extract_archives_result=$my_oldobjs +} + + +# func_emit_wrapper [arg=no] +# +# Emit a libtool wrapper script on stdout. +# Don't directly open a file because we may want to +# incorporate the script contents within a cygwin/mingw +# wrapper executable. Must ONLY be called from within +# func_mode_link because it depends on a number of variables +# set therein. +# +# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR +# variable will take. If 'yes', then the emitted script +# will assume that the directory where it is stored is +# the $objdir directory. This is a cygwin/mingw-specific +# behavior. +func_emit_wrapper () +{ + func_emit_wrapper_arg1=${1-no} + + $ECHO "\ +#! $SHELL + +# $output - temporary wrapper script for $objdir/$outputname +# Generated by $PROGRAM (GNU $PACKAGE) $VERSION +# +# The $output program cannot be directly executed until all the libtool +# libraries that it depends on are installed. +# +# This wrapper script should never be moved out of the build directory. +# If it is, it will not operate correctly. + +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +sed_quote_subst='$sed_quote_subst' + +# Be Bourne compatible +if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. 
Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac +fi +BIN_SH=xpg4; export BIN_SH # for Tru64 +DUALCASE=1; export DUALCASE # for MKS sh + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +relink_command=\"$relink_command\" + +# This environment variable determines our operation mode. +if test \"\$libtool_install_magic\" = \"$magic\"; then + # install mode needs the following variables: + generated_by_libtool_version='$macro_version' + notinst_deplibs='$notinst_deplibs' +else + # When we are sourced in execute mode, \$file and \$ECHO are already set. + if test \"\$libtool_execute_magic\" != \"$magic\"; then + file=\"\$0\"" + + qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"` + $ECHO "\ + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$1 +_LTECHO_EOF' +} + ECHO=\"$qECHO\" + fi + +# Very basic option parsing. These options are (a) specific to +# the libtool wrapper, (b) are identical between the wrapper +# /script/ and the wrapper /executable/ that is used only on +# windows platforms, and (c) all begin with the string "--lt-" +# (application programs are unlikely to have options that match +# this pattern). +# +# There are only two supported options: --lt-debug and +# --lt-dump-script. There is, deliberately, no --lt-help. +# +# The first argument to this parsing function should be the +# script's $0 value, followed by "$@". +lt_option_debug= +func_parse_lt_options () +{ + lt_script_arg0=\$0 + shift + for lt_opt + do + case \"\$lt_opt\" in + --lt-debug) lt_option_debug=1 ;; + --lt-dump-script) + lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\` + test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=. 
+ lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\` + cat \"\$lt_dump_D/\$lt_dump_F\" + exit 0 + ;; + --lt-*) + \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2 + exit 1 + ;; + esac + done + + # Print the debug banner immediately: + if test -n \"\$lt_option_debug\"; then + echo \"$outputname:$output:\$LINENO: libtool wrapper (GNU $PACKAGE) $VERSION\" 1>&2 + fi +} + +# Used when --lt-debug. Prints its arguments to stdout +# (redirection is the responsibility of the caller) +func_lt_dump_args () +{ + lt_dump_args_N=1; + for lt_arg + do + \$ECHO \"$outputname:$output:\$LINENO: newargv[\$lt_dump_args_N]: \$lt_arg\" + lt_dump_args_N=\`expr \$lt_dump_args_N + 1\` + done +} + +# Core function for launching the target application +func_exec_program_core () +{ +" + case $host in + # Backslashes separate directories on plain windows + *-*-mingw | *-*-os2* | *-cegcc*) + $ECHO "\ + if test -n \"\$lt_option_debug\"; then + \$ECHO \"$outputname:$output:\$LINENO: newargv[0]: \$progdir\\\\\$program\" 1>&2 + func_lt_dump_args \${1+\"\$@\"} 1>&2 + fi + exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} +" + ;; + + *) + $ECHO "\ + if test -n \"\$lt_option_debug\"; then + \$ECHO \"$outputname:$output:\$LINENO: newargv[0]: \$progdir/\$program\" 1>&2 + func_lt_dump_args \${1+\"\$@\"} 1>&2 + fi + exec \"\$progdir/\$program\" \${1+\"\$@\"} +" + ;; + esac + $ECHO "\ + \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 + exit 1 +} + +# A function to encapsulate launching the target application +# Strips options in the --lt-* namespace from \$@ and +# launches target application with the remaining arguments. +func_exec_program () +{ + case \" \$* \" in + *\\ --lt-*) + for lt_wr_arg + do + case \$lt_wr_arg in + --lt-*) ;; + *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; + esac + shift + done ;; + esac + func_exec_program_core \${1+\"\$@\"} +} + + # Parse options + func_parse_lt_options \"\$0\" \${1+\"\$@\"} + + # Find the directory that this script lives in. 
+ thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\` + test \"x\$thisdir\" = \"x\$file\" && thisdir=. + + # Follow symbolic links until we get to the real thisdir. + file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\` + while test -n \"\$file\"; do + destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\` + + # If there was a directory component, then change thisdir. + if test \"x\$destdir\" != \"x\$file\"; then + case \"\$destdir\" in + [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; + *) thisdir=\"\$thisdir/\$destdir\" ;; + esac + fi + + file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\` + file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\` + done + + # Usually 'no', except on cygwin/mingw when embedded into + # the cwrapper. + WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1 + if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then + # special case for '.' + if test \"\$thisdir\" = \".\"; then + thisdir=\`pwd\` + fi + # remove .libs from thisdir + case \"\$thisdir\" in + *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;; + $objdir ) thisdir=. ;; + esac + fi + + # Try to get the absolute directory name. + absdir=\`cd \"\$thisdir\" && pwd\` + test -n \"\$absdir\" && thisdir=\"\$absdir\" +" + + if test yes = "$fast_install"; then + $ECHO "\ + program=lt-'$outputname'$exeext + progdir=\"\$thisdir/$objdir\" + + if test ! -f \"\$progdir/\$program\" || + { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | $SED 1q\`; \\ + test \"X\$file\" != \"X\$progdir/\$program\"; }; then + + file=\"\$\$-\$program\" + + if test ! 
-d \"\$progdir\"; then + $MKDIR \"\$progdir\" + else + $RM \"\$progdir/\$file\" + fi" + + $ECHO "\ + + # relink executable if necessary + if test -n \"\$relink_command\"; then + if relink_command_output=\`eval \$relink_command 2>&1\`; then : + else + \$ECHO \"\$relink_command_output\" >&2 + $RM \"\$progdir/\$file\" + exit 1 + fi + fi + + $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || + { $RM \"\$progdir/\$program\"; + $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; } + $RM \"\$progdir/\$file\" + fi" + else + $ECHO "\ + program='$outputname' + progdir=\"\$thisdir/$objdir\" +" + fi + + $ECHO "\ + + if test -f \"\$progdir/\$program\"; then" + + # fixup the dll searchpath if we need to. + # + # Fix the DLL searchpath if we need to. Do this before prepending + # to shlibpath, because on Windows, both are PATH and uninstalled + # libraries must come first. + if test -n "$dllsearchpath"; then + $ECHO "\ + # Add the dll search path components to the executable PATH + PATH=$dllsearchpath:\$PATH +" + fi + + # Export our shlibpath_var if we have one. + if test yes = "$shlibpath_overrides_runpath" && test -n "$shlibpath_var" && test -n "$temp_rpath"; then + $ECHO "\ + # Add our own library path to $shlibpath_var + $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" + + # Some systems cannot cope with colon-terminated $shlibpath_var + # The second colon is a workaround for a bug in BeOS R4 sed + $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\` + + export $shlibpath_var +" + fi + + $ECHO "\ + if test \"\$libtool_execute_magic\" != \"$magic\"; then + # Run the actual program with our arguments. + func_exec_program \${1+\"\$@\"} + fi + else + # The program doesn't exist. 
+ \$ECHO \"\$0: error: '\$progdir/\$program' does not exist\" 1>&2 + \$ECHO \"This script is just a wrapper for \$program.\" 1>&2 + \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 + exit 1 + fi +fi\ +" +} + + +# func_emit_cwrapperexe_src +# emit the source code for a wrapper executable on stdout +# Must ONLY be called from within func_mode_link because +# it depends on a number of variable set therein. +func_emit_cwrapperexe_src () +{ + cat < +#include +#ifdef _MSC_VER +# include +# include +# include +#else +# include +# include +# ifdef __CYGWIN__ +# include +# endif +#endif +#include +#include +#include +#include +#include +#include +#include +#include + +#define STREQ(s1, s2) (strcmp ((s1), (s2)) == 0) + +/* declarations of non-ANSI functions */ +#if defined __MINGW32__ +# ifdef __STRICT_ANSI__ +int _putenv (const char *); +# endif +#elif defined __CYGWIN__ +# ifdef __STRICT_ANSI__ +char *realpath (const char *, char *); +int putenv (char *); +int setenv (const char *, const char *, int); +# endif +/* #elif defined other_platform || defined ... */ +#endif + +/* portability defines, excluding path handling macros */ +#if defined _MSC_VER +# define setmode _setmode +# define stat _stat +# define chmod _chmod +# define getcwd _getcwd +# define putenv _putenv +# define S_IXUSR _S_IEXEC +#elif defined __MINGW32__ +# define setmode _setmode +# define stat _stat +# define chmod _chmod +# define getcwd _getcwd +# define putenv _putenv +#elif defined __CYGWIN__ +# define HAVE_SETENV +# define FOPEN_WB "wb" +/* #elif defined other platforms ... 
*/ +#endif + +#if defined PATH_MAX +# define LT_PATHMAX PATH_MAX +#elif defined MAXPATHLEN +# define LT_PATHMAX MAXPATHLEN +#else +# define LT_PATHMAX 1024 +#endif + +#ifndef S_IXOTH +# define S_IXOTH 0 +#endif +#ifndef S_IXGRP +# define S_IXGRP 0 +#endif + +/* path handling portability macros */ +#ifndef DIR_SEPARATOR +# define DIR_SEPARATOR '/' +# define PATH_SEPARATOR ':' +#endif + +#if defined _WIN32 || defined __MSDOS__ || defined __DJGPP__ || \ + defined __OS2__ +# define HAVE_DOS_BASED_FILE_SYSTEM +# define FOPEN_WB "wb" +# ifndef DIR_SEPARATOR_2 +# define DIR_SEPARATOR_2 '\\' +# endif +# ifndef PATH_SEPARATOR_2 +# define PATH_SEPARATOR_2 ';' +# endif +#endif + +#ifndef DIR_SEPARATOR_2 +# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) +#else /* DIR_SEPARATOR_2 */ +# define IS_DIR_SEPARATOR(ch) \ + (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) +#endif /* DIR_SEPARATOR_2 */ + +#ifndef PATH_SEPARATOR_2 +# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR) +#else /* PATH_SEPARATOR_2 */ +# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) +#endif /* PATH_SEPARATOR_2 */ + +#ifndef FOPEN_WB +# define FOPEN_WB "w" +#endif +#ifndef _O_BINARY +# define _O_BINARY 0 +#endif + +#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) +#define XFREE(stale) do { \ + if (stale) { free (stale); stale = 0; } \ +} while (0) + +#if defined LT_DEBUGWRAPPER +static int lt_debug = 1; +#else +static int lt_debug = 0; +#endif + +const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */ + +void *xmalloc (size_t num); +char *xstrdup (const char *string); +const char *base_name (const char *name); +char *find_executable (const char *wrapper); +char *chase_symlinks (const char *pathspec); +int make_executable (const char *path); +int check_executable (const char *path); +char *strendzap (char *str, const char *pat); +void lt_debugprintf (const char *file, int line, const char *fmt, ...); +void lt_fatal (const char *file, int line, const 
char *message, ...); +static const char *nonnull (const char *s); +static const char *nonempty (const char *s); +void lt_setenv (const char *name, const char *value); +char *lt_extend_str (const char *orig_value, const char *add, int to_end); +void lt_update_exe_path (const char *name, const char *value); +void lt_update_lib_path (const char *name, const char *value); +char **prepare_spawn (char **argv); +void lt_dump_script (FILE *f); +EOF + + cat <= 0) + && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) + return 1; + else + return 0; +} + +int +make_executable (const char *path) +{ + int rval = 0; + struct stat st; + + lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n", + nonempty (path)); + if ((!path) || (!*path)) + return 0; + + if (stat (path, &st) >= 0) + { + rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR); + } + return rval; +} + +/* Searches for the full path of the wrapper. Returns + newly allocated full path name if found, NULL otherwise + Does not chase symlinks, even on platforms that support them. +*/ +char * +find_executable (const char *wrapper) +{ + int has_slash = 0; + const char *p; + const char *p_next; + /* static buffer for getcwd */ + char tmp[LT_PATHMAX + 1]; + size_t tmp_len; + char *concat_name; + + lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n", + nonempty (wrapper)); + + if ((wrapper == NULL) || (*wrapper == '\0')) + return NULL; + + /* Absolute path? 
*/ +#if defined HAVE_DOS_BASED_FILE_SYSTEM + if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':') + { + concat_name = xstrdup (wrapper); + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } + else + { +#endif + if (IS_DIR_SEPARATOR (wrapper[0])) + { + concat_name = xstrdup (wrapper); + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } +#if defined HAVE_DOS_BASED_FILE_SYSTEM + } +#endif + + for (p = wrapper; *p; p++) + if (*p == '/') + { + has_slash = 1; + break; + } + if (!has_slash) + { + /* no slashes; search PATH */ + const char *path = getenv ("PATH"); + if (path != NULL) + { + for (p = path; *p; p = p_next) + { + const char *q; + size_t p_len; + for (q = p; *q; q++) + if (IS_PATH_SEPARATOR (*q)) + break; + p_len = (size_t) (q - p); + p_next = (*q == '\0' ? q : q + 1); + if (p_len == 0) + { + /* empty path: current directory */ + if (getcwd (tmp, LT_PATHMAX) == NULL) + lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", + nonnull (strerror (errno))); + tmp_len = strlen (tmp); + concat_name = + XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, tmp, tmp_len); + concat_name[tmp_len] = '/'; + strcpy (concat_name + tmp_len + 1, wrapper); + } + else + { + concat_name = + XMALLOC (char, p_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, p, p_len); + concat_name[p_len] = '/'; + strcpy (concat_name + p_len + 1, wrapper); + } + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } + } + /* not found in PATH; assume curdir */ + } + /* Relative path | not found in path: prepend cwd */ + if (getcwd (tmp, LT_PATHMAX) == NULL) + lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", + nonnull (strerror (errno))); + tmp_len = strlen (tmp); + concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, tmp, tmp_len); + concat_name[tmp_len] = '/'; + strcpy (concat_name + tmp_len + 1, wrapper); + + if 
(check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + return NULL; +} + +char * +chase_symlinks (const char *pathspec) +{ +#ifndef S_ISLNK + return xstrdup (pathspec); +#else + char buf[LT_PATHMAX]; + struct stat s; + char *tmp_pathspec = xstrdup (pathspec); + char *p; + int has_symlinks = 0; + while (strlen (tmp_pathspec) && !has_symlinks) + { + lt_debugprintf (__FILE__, __LINE__, + "checking path component for symlinks: %s\n", + tmp_pathspec); + if (lstat (tmp_pathspec, &s) == 0) + { + if (S_ISLNK (s.st_mode) != 0) + { + has_symlinks = 1; + break; + } + + /* search backwards for last DIR_SEPARATOR */ + p = tmp_pathspec + strlen (tmp_pathspec) - 1; + while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) + p--; + if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) + { + /* no more DIR_SEPARATORS left */ + break; + } + *p = '\0'; + } + else + { + lt_fatal (__FILE__, __LINE__, + "error accessing file \"%s\": %s", + tmp_pathspec, nonnull (strerror (errno))); + } + } + XFREE (tmp_pathspec); + + if (!has_symlinks) + { + return xstrdup (pathspec); + } + + tmp_pathspec = realpath (pathspec, buf); + if (tmp_pathspec == 0) + { + lt_fatal (__FILE__, __LINE__, + "could not follow symlinks for %s", pathspec); + } + return xstrdup (tmp_pathspec); +#endif +} + +char * +strendzap (char *str, const char *pat) +{ + size_t len, patlen; + + assert (str != NULL); + assert (pat != NULL); + + len = strlen (str); + patlen = strlen (pat); + + if (patlen <= len) + { + str += len - patlen; + if (STREQ (str, pat)) + *str = '\0'; + } + return str; +} + +void +lt_debugprintf (const char *file, int line, const char *fmt, ...) 
+{ + va_list args; + if (lt_debug) + { + (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line); + va_start (args, fmt); + (void) vfprintf (stderr, fmt, args); + va_end (args); + } +} + +static void +lt_error_core (int exit_status, const char *file, + int line, const char *mode, + const char *message, va_list ap) +{ + fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode); + vfprintf (stderr, message, ap); + fprintf (stderr, ".\n"); + + if (exit_status >= 0) + exit (exit_status); +} + +void +lt_fatal (const char *file, int line, const char *message, ...) +{ + va_list ap; + va_start (ap, message); + lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap); + va_end (ap); +} + +static const char * +nonnull (const char *s) +{ + return s ? s : "(null)"; +} + +static const char * +nonempty (const char *s) +{ + return (s && !*s) ? "(empty)" : nonnull (s); +} + +void +lt_setenv (const char *name, const char *value) +{ + lt_debugprintf (__FILE__, __LINE__, + "(lt_setenv) setting '%s' to '%s'\n", + nonnull (name), nonnull (value)); + { +#ifdef HAVE_SETENV + /* always make a copy, for consistency with !HAVE_SETENV */ + char *str = xstrdup (value); + setenv (name, str, 1); +#else + size_t len = strlen (name) + 1 + strlen (value) + 1; + char *str = XMALLOC (char, len); + sprintf (str, "%s=%s", name, value); + if (putenv (str) != EXIT_SUCCESS) + { + XFREE (str); + } +#endif + } +} + +char * +lt_extend_str (const char *orig_value, const char *add, int to_end) +{ + char *new_value; + if (orig_value && *orig_value) + { + size_t orig_value_len = strlen (orig_value); + size_t add_len = strlen (add); + new_value = XMALLOC (char, add_len + orig_value_len + 1); + if (to_end) + { + strcpy (new_value, orig_value); + strcpy (new_value + orig_value_len, add); + } + else + { + strcpy (new_value, add); + strcpy (new_value + add_len, orig_value); + } + } + else + { + new_value = xstrdup (add); + } + return new_value; +} + +void +lt_update_exe_path (const char *name, 
const char *value) +{ + lt_debugprintf (__FILE__, __LINE__, + "(lt_update_exe_path) modifying '%s' by prepending '%s'\n", + nonnull (name), nonnull (value)); + + if (name && *name && value && *value) + { + char *new_value = lt_extend_str (getenv (name), value, 0); + /* some systems can't cope with a ':'-terminated path #' */ + size_t len = strlen (new_value); + while ((len > 0) && IS_PATH_SEPARATOR (new_value[len-1])) + { + new_value[--len] = '\0'; + } + lt_setenv (name, new_value); + XFREE (new_value); + } +} + +void +lt_update_lib_path (const char *name, const char *value) +{ + lt_debugprintf (__FILE__, __LINE__, + "(lt_update_lib_path) modifying '%s' by prepending '%s'\n", + nonnull (name), nonnull (value)); + + if (name && *name && value && *value) + { + char *new_value = lt_extend_str (getenv (name), value, 0); + lt_setenv (name, new_value); + XFREE (new_value); + } +} + +EOF + case $host_os in + mingw*) + cat <<"EOF" + +/* Prepares an argument vector before calling spawn(). + Note that spawn() does not by itself call the command interpreter + (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") : + ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); + GetVersionEx(&v); + v.dwPlatformId == VER_PLATFORM_WIN32_NT; + }) ? "cmd.exe" : "command.com"). + Instead it simply concatenates the arguments, separated by ' ', and calls + CreateProcess(). We must quote the arguments since Win32 CreateProcess() + interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a + special way: + - Space and tab are interpreted as delimiters. They are not treated as + delimiters if they are surrounded by double quotes: "...". + - Unescaped double quotes are removed from the input. Their only effect is + that within double quotes, space and tab are treated like normal + characters. + - Backslashes not followed by double quotes are not special. 
+ - But 2*n+1 backslashes followed by a double quote become + n backslashes followed by a double quote (n >= 0): + \" -> " + \\\" -> \" + \\\\\" -> \\" + */ +#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" +#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" +char ** +prepare_spawn (char **argv) +{ + size_t argc; + char **new_argv; + size_t i; + + /* Count number of arguments. */ + for (argc = 0; argv[argc] != NULL; argc++) + ; + + /* Allocate new argument vector. */ + new_argv = XMALLOC (char *, argc + 1); + + /* Put quoted arguments into the new argument vector. */ + for (i = 0; i < argc; i++) + { + const char *string = argv[i]; + + if (string[0] == '\0') + new_argv[i] = xstrdup ("\"\""); + else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL) + { + int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL); + size_t length; + unsigned int backslashes; + const char *s; + char *quoted_string; + char *p; + + length = 0; + backslashes = 0; + if (quote_around) + length++; + for (s = string; *s != '\0'; s++) + { + char c = *s; + if (c == '"') + length += backslashes + 1; + length++; + if (c == '\\') + backslashes++; + else + backslashes = 0; + } + if (quote_around) + length += backslashes + 1; + + quoted_string = XMALLOC (char, length + 1); + + p = quoted_string; + backslashes = 0; + if (quote_around) + *p++ = '"'; + for (s = string; *s != '\0'; s++) + { + char c = *s; + if (c == '"') + { + unsigned int j; + for (j = backslashes + 1; j > 0; j--) + *p++ = '\\'; + } + *p++ = c; + if (c == '\\') + backslashes++; + else + backslashes = 0; + } + if (quote_around) + { + unsigned int j; + for (j = backslashes; j > 0; j--) + *p++ = '\\'; + *p++ = '"'; + } + *p = '\0'; + + new_argv[i] = quoted_string; + } + else + new_argv[i] = (char *) string; + } + 
new_argv[argc] = NULL; + + return new_argv; +} +EOF + ;; + esac + + cat <<"EOF" +void lt_dump_script (FILE* f) +{ +EOF + func_emit_wrapper yes | + $SED -n -e ' +s/^\(.\{79\}\)\(..*\)/\1\ +\2/ +h +s/\([\\"]\)/\\\1/g +s/$/\\n/ +s/\([^\n]*\).*/ fputs ("\1", f);/p +g +D' + cat <<"EOF" +} +EOF +} +# end: func_emit_cwrapperexe_src + +# func_win32_import_lib_p ARG +# True if ARG is an import lib, as indicated by $file_magic_cmd +func_win32_import_lib_p () +{ + $debug_cmd + + case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in + *import*) : ;; + *) false ;; + esac +} + +# func_suncc_cstd_abi +# !!ONLY CALL THIS FOR SUN CC AFTER $compile_command IS FULLY EXPANDED!! +# Several compiler flags select an ABI that is incompatible with the +# Cstd library. Avoid specifying it if any are in CXXFLAGS. +func_suncc_cstd_abi () +{ + $debug_cmd + + case " $compile_command " in + *" -compat=g "*|*\ -std=c++[0-9][0-9]\ *|*" -library=stdcxx4 "*|*" -library=stlport4 "*) + suncc_use_cstd_abi=no + ;; + *) + suncc_use_cstd_abi=yes + ;; + esac +} + +# func_mode_link arg... +func_mode_link () +{ + $debug_cmd + + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + # It is impossible to link a dll without this setting, and + # we shouldn't force the makefile maintainer to figure out + # what system we are compiling for in order to pass an extra + # flag for every libtool invocation. + # allow_undefined=no + + # FIXME: Unfortunately, there are problems with the above when trying + # to make a dll that has undefined symbols, in which case not + # even a static library is built. For now, we need to specify + # -no-undefined on the libtool link line when we can be certain + # that all symbols are satisfied, otherwise we get a static library. 
+ allow_undefined=yes + ;; + *) + allow_undefined=yes + ;; + esac + libtool_args=$nonopt + base_compile="$nonopt $@" + compile_command=$nonopt + finalize_command=$nonopt + + compile_rpath= + finalize_rpath= + compile_shlibpath= + finalize_shlibpath= + convenience= + old_convenience= + deplibs= + old_deplibs= + compiler_flags= + linker_flags= + dllsearchpath= + lib_search_path=`pwd` + inst_prefix_dir= + new_inherited_linker_flags= + + avoid_version=no + bindir= + dlfiles= + dlprefiles= + dlself=no + export_dynamic=no + export_symbols= + export_symbols_regex= + generated= + libobjs= + ltlibs= + module=no + no_install=no + objs= + os2dllname= + non_pic_objects= + precious_files_regex= + prefer_static_libs=no + preload=false + prev= + prevarg= + release= + rpath= + xrpath= + perm_rpath= + temp_rpath= + thread_safe=no + vinfo= + vinfo_number=no + weak_libs= + single_module=$wl-single_module + func_infer_tag $base_compile + + # We need to know -static, to get the right output filenames. + for arg + do + case $arg in + -shared) + test yes != "$build_libtool_libs" \ + && func_fatal_configuration "cannot build a shared library" + build_old_libs=no + break + ;; + -all-static | -static | -static-libtool-libs) + case $arg in + -all-static) + if test yes = "$build_libtool_libs" && test -z "$link_static_flag"; then + func_warning "complete static linking is impossible in this configuration" + fi + if test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=yes + ;; + -static) + if test -z "$pic_flag" && test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=built + ;; + -static-libtool-libs) + if test -z "$pic_flag" && test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=yes + ;; + esac + build_libtool_libs=no + build_old_libs=yes + break + ;; + esac + done + + # See if our shared archives depend on static archives. 
+ test -n "$old_archive_from_new_cmds" && build_old_libs=yes + + # Go through the arguments, transforming them on the way. + while test "$#" -gt 0; do + arg=$1 + shift + func_quote_for_eval "$arg" + qarg=$func_quote_for_eval_unquoted_result + func_append libtool_args " $func_quote_for_eval_result" + + # If the previous option needs an argument, assign it. + if test -n "$prev"; then + case $prev in + output) + func_append compile_command " @OUTPUT@" + func_append finalize_command " @OUTPUT@" + ;; + esac + + case $prev in + bindir) + bindir=$arg + prev= + continue + ;; + dlfiles|dlprefiles) + $preload || { + # Add the symbol object into the linking commands. + func_append compile_command " @SYMFILE@" + func_append finalize_command " @SYMFILE@" + preload=: + } + case $arg in + *.la | *.lo) ;; # We handle these cases below. + force) + if test no = "$dlself"; then + dlself=needless + export_dynamic=yes + fi + prev= + continue + ;; + self) + if test dlprefiles = "$prev"; then + dlself=yes + elif test dlfiles = "$prev" && test yes != "$dlopen_self"; then + dlself=yes + else + dlself=needless + export_dynamic=yes + fi + prev= + continue + ;; + *) + if test dlfiles = "$prev"; then + func_append dlfiles " $arg" + else + func_append dlprefiles " $arg" + fi + prev= + continue + ;; + esac + ;; + expsyms) + export_symbols=$arg + test -f "$arg" \ + || func_fatal_error "symbol file '$arg' does not exist" + prev= + continue + ;; + expsyms_regex) + export_symbols_regex=$arg + prev= + continue + ;; + framework) + case $host in + *-*-darwin*) + case "$deplibs " in + *" $qarg.ltframework "*) ;; + *) func_append deplibs " $qarg.ltframework" # this is fixed later + ;; + esac + ;; + esac + prev= + continue + ;; + inst_prefix) + inst_prefix_dir=$arg + prev= + continue + ;; + mllvm) + # Clang does not use LLVM to link, so we can simply discard any + # '-mllvm $arg' options when doing the link step. 
+ prev= + continue + ;; + objectlist) + if test -f "$arg"; then + save_arg=$arg + moreargs= + for fil in `cat "$save_arg"` + do +# func_append moreargs " $fil" + arg=$fil + # A libtool-controlled object. + + # Check to see that this really is a libtool object. + if func_lalib_unsafe_p "$arg"; then + pic_object= + non_pic_object= + + # Read the .lo file + func_source "$arg" + + if test -z "$pic_object" || + test -z "$non_pic_object" || + test none = "$pic_object" && + test none = "$non_pic_object"; then + func_fatal_error "cannot find name of object for '$arg'" + fi + + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir=$func_dirname_result + + if test none != "$pic_object"; then + # Prepend the subdirectory the object is found in. + pic_object=$xdir$pic_object + + if test dlfiles = "$prev"; then + if test yes = "$build_libtool_libs" && test yes = "$dlopen_support"; then + func_append dlfiles " $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi + + # CHECK ME: I think I busted this. -Ossama + if test dlprefiles = "$prev"; then + # Preload the old-style object. + func_append dlprefiles " $pic_object" + prev= + fi + + # A PIC object. + func_append libobjs " $pic_object" + arg=$pic_object + fi + + # Non-PIC object. + if test none != "$non_pic_object"; then + # Prepend the subdirectory the object is found in. + non_pic_object=$xdir$non_pic_object + + # A standard non-PIC object + func_append non_pic_objects " $non_pic_object" + if test -z "$pic_object" || test none = "$pic_object"; then + arg=$non_pic_object + fi + else + # If the PIC object exists, use it instead. + # $xdir was prepended to $pic_object above. + non_pic_object=$pic_object + func_append non_pic_objects " $non_pic_object" + fi + else + # Only an error if not doing a dry-run. + if $opt_dry_run; then + # Extract subdirectory from the argument. 
+ func_dirname "$arg" "/" "" + xdir=$func_dirname_result + + func_lo2o "$arg" + pic_object=$xdir$objdir/$func_lo2o_result + non_pic_object=$xdir$func_lo2o_result + func_append libobjs " $pic_object" + func_append non_pic_objects " $non_pic_object" + else + func_fatal_error "'$arg' is not a valid libtool object" + fi + fi + done + else + func_fatal_error "link input file '$arg' does not exist" + fi + arg=$save_arg + prev= + continue + ;; + os2dllname) + os2dllname=$arg + prev= + continue + ;; + precious_regex) + precious_files_regex=$arg + prev= + continue + ;; + release) + release=-$arg + prev= + continue + ;; + rpath | xrpath) + # We need an absolute path. + case $arg in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + func_fatal_error "only absolute run-paths are allowed" + ;; + esac + if test rpath = "$prev"; then + case "$rpath " in + *" $arg "*) ;; + *) func_append rpath " $arg" ;; + esac + else + case "$xrpath " in + *" $arg "*) ;; + *) func_append xrpath " $arg" ;; + esac + fi + prev= + continue + ;; + shrext) + shrext_cmds=$arg + prev= + continue + ;; + weak) + func_append weak_libs " $arg" + prev= + continue + ;; + xcclinker) + func_append linker_flags " $qarg" + func_append compiler_flags " $qarg" + prev= + func_append compile_command " $qarg" + func_append finalize_command " $qarg" + continue + ;; + xcompiler) + func_append compiler_flags " $qarg" + prev= + func_append compile_command " $qarg" + func_append finalize_command " $qarg" + continue + ;; + xlinker) + func_append linker_flags " $qarg" + func_append compiler_flags " $wl$qarg" + prev= + func_append compile_command " $wl$qarg" + func_append finalize_command " $wl$qarg" + continue + ;; + *) + eval "$prev=\"\$arg\"" + prev= + continue + ;; + esac + fi # test -n "$prev" + + prevarg=$arg + + case $arg in + -all-static) + if test -n "$link_static_flag"; then + # See comment for -static flag below, for more details. 
+ func_append compile_command " $link_static_flag" + func_append finalize_command " $link_static_flag" + fi + continue + ;; + + -allow-undefined) + # FIXME: remove this flag sometime in the future. + func_fatal_error "'-allow-undefined' must not be used because it is the default" + ;; + + -avoid-version) + avoid_version=yes + continue + ;; + + -bindir) + prev=bindir + continue + ;; + + -dlopen) + prev=dlfiles + continue + ;; + + -dlpreopen) + prev=dlprefiles + continue + ;; + + -export-dynamic) + export_dynamic=yes + continue + ;; + + -export-symbols | -export-symbols-regex) + if test -n "$export_symbols" || test -n "$export_symbols_regex"; then + func_fatal_error "more than one -exported-symbols argument is not allowed" + fi + if test X-export-symbols = "X$arg"; then + prev=expsyms + else + prev=expsyms_regex + fi + continue + ;; + + -framework) + prev=framework + continue + ;; + + -inst-prefix-dir) + prev=inst_prefix + continue + ;; + + # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* + # so, if we see these flags be careful not to treat them like -L + -L[A-Z][A-Z]*:*) + case $with_gcc/$host in + no/*-*-irix* | /*-*-irix*) + func_append compile_command " $arg" + func_append finalize_command " $arg" + ;; + esac + continue + ;; + + -L*) + func_stripname "-L" '' "$arg" + if test -z "$func_stripname_result"; then + if test "$#" -gt 0; then + func_fatal_error "require no space between '-L' and '$1'" + else + func_fatal_error "need path for '-L' option" + fi + fi + func_resolve_sysroot "$func_stripname_result" + dir=$func_resolve_sysroot_result + # We need an absolute path. 
+ case $dir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + absdir=`cd "$dir" && pwd` + test -z "$absdir" && \ + func_fatal_error "cannot determine absolute directory name of '$dir'" + dir=$absdir + ;; + esac + case "$deplibs " in + *" -L$dir "* | *" $arg "*) + # Will only happen for absolute or sysroot arguments + ;; + *) + # Preserve sysroot, but never include relative directories + case $dir in + [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;; + *) func_append deplibs " -L$dir" ;; + esac + func_append lib_search_path " $dir" + ;; + esac + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'` + case :$dllsearchpath: in + *":$dir:"*) ;; + ::) dllsearchpath=$dir;; + *) func_append dllsearchpath ":$dir";; + esac + case :$dllsearchpath: in + *":$testbindir:"*) ;; + ::) dllsearchpath=$testbindir;; + *) func_append dllsearchpath ":$testbindir";; + esac + ;; + esac + continue + ;; + + -l*) + if test X-lc = "X$arg" || test X-lm = "X$arg"; then + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*) + # These systems don't actually have a C or math library (as such) + continue + ;; + *-*-os2*) + # These systems don't actually have a C library (as such) + test X-lc = "X$arg" && continue + ;; + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly* | *-*-bitrig*) + # Do not include libc due to us having libc/libc_r. 
+ test X-lc = "X$arg" && continue + ;; + *-*-rhapsody* | *-*-darwin1.[012]) + # Rhapsody C and math libraries are in the System framework + func_append deplibs " System.ltframework" + continue + ;; + *-*-sco3.2v5* | *-*-sco5v6*) + # Causes problems with __ctype + test X-lc = "X$arg" && continue + ;; + *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) + # Compiler inserts libc in the correct place for threads to work + test X-lc = "X$arg" && continue + ;; + esac + elif test X-lc_r = "X$arg"; then + case $host in + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly* | *-*-bitrig*) + # Do not include libc_r directly, use -pthread flag. + continue + ;; + esac + fi + func_append deplibs " $arg" + continue + ;; + + -mllvm) + prev=mllvm + continue + ;; + + -module) + module=yes + continue + ;; + + # Tru64 UNIX uses -model [arg] to determine the layout of C++ + # classes, name mangling, and exception handling. + # Darwin uses the -arch flag to determine output architecture. + -model|-arch|-isysroot|--sysroot) + func_append compiler_flags " $arg" + func_append compile_command " $arg" + func_append finalize_command " $arg" + prev=xcompiler + continue + ;; + + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) + func_append compiler_flags " $arg" + func_append compile_command " $arg" + func_append finalize_command " $arg" + case "$new_inherited_linker_flags " in + *" $arg "*) ;; + * ) func_append new_inherited_linker_flags " $arg" ;; + esac + continue + ;; + + -multi_module) + single_module=$wl-multi_module + continue + ;; + + -no-fast-install) + fast_install=no + continue + ;; + + -no-install) + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*) + # The PATH hackery in wrapper scripts is required on Windows + # and Darwin in order for the loader to find any dlls it needs. 
+ func_warning "'-no-install' is ignored for $host" + func_warning "assuming '-no-fast-install' instead" + fast_install=no + ;; + *) no_install=yes ;; + esac + continue + ;; + + -no-undefined) + allow_undefined=no + continue + ;; + + -objectlist) + prev=objectlist + continue + ;; + + -os2dllname) + prev=os2dllname + continue + ;; + + -o) prev=output ;; + + -precious-files-regex) + prev=precious_regex + continue + ;; + + -release) + prev=release + continue + ;; + + -rpath) + prev=rpath + continue + ;; + + -R) + prev=xrpath + continue + ;; + + -R*) + func_stripname '-R' '' "$arg" + dir=$func_stripname_result + # We need an absolute path. + case $dir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + =*) + func_stripname '=' '' "$dir" + dir=$lt_sysroot$func_stripname_result + ;; + *) + func_fatal_error "only absolute run-paths are allowed" + ;; + esac + case "$xrpath " in + *" $dir "*) ;; + *) func_append xrpath " $dir" ;; + esac + continue + ;; + + -shared) + # The effects of -shared are defined in a previous loop. + continue + ;; + + -shrext) + prev=shrext + continue + ;; + + -static | -static-libtool-libs) + # The effects of -static are defined in a previous loop. + # We used to do the same as -all-static on platforms that + # didn't have a PIC flag, but the assumption that the effects + # would be equivalent was wrong. It would break on at least + # Digital Unix and AIX. 
+ continue + ;; + + -thread-safe) + thread_safe=yes + continue + ;; + + -version-info) + prev=vinfo + continue + ;; + + -version-number) + prev=vinfo + vinfo_number=yes + continue + ;; + + -weak) + prev=weak + continue + ;; + + -Wc,*) + func_stripname '-Wc,' '' "$arg" + args=$func_stripname_result + arg= + save_ifs=$IFS; IFS=, + for flag in $args; do + IFS=$save_ifs + func_quote_for_eval "$flag" + func_append arg " $func_quote_for_eval_result" + func_append compiler_flags " $func_quote_for_eval_result" + done + IFS=$save_ifs + func_stripname ' ' '' "$arg" + arg=$func_stripname_result + ;; + + -Wl,*) + func_stripname '-Wl,' '' "$arg" + args=$func_stripname_result + arg= + save_ifs=$IFS; IFS=, + for flag in $args; do + IFS=$save_ifs + func_quote_for_eval "$flag" + func_append arg " $wl$func_quote_for_eval_result" + func_append compiler_flags " $wl$func_quote_for_eval_result" + func_append linker_flags " $func_quote_for_eval_result" + done + IFS=$save_ifs + func_stripname ' ' '' "$arg" + arg=$func_stripname_result + ;; + + -Xcompiler) + prev=xcompiler + continue + ;; + + -Xlinker) + prev=xlinker + continue + ;; + + -XCClinker) + prev=xcclinker + continue + ;; + + # -msg_* for osf cc + -msg_*) + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result + ;; + + # Flags to be passed through unchanged, with rationale: + # -64, -mips[0-9] enable 64-bit mode for the SGI compiler + # -r[0-9][0-9]* specify processor for the SGI compiler + # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler + # +DA*, +DD* enable 64-bit mode for the HP compiler + # -q* compiler args for the IBM compiler + # -m*, -t[45]*, -txscale* architecture-specific flags for GCC + # -F/path path to uninstalled frameworks, gcc on darwin + # -p, -pg, --coverage, -fprofile-* profiling flags for GCC + # -fstack-protector* stack protector flags for GCC + # @file GCC response files + # -tp=* Portland pgcc target processor selection + # --sysroot=* for sysroot support + # -O*, -g*, -flto*, -fwhopr*, 
-fuse-linker-plugin GCC link-time optimization + # -specs=* GCC specs files + # -stdlib=* select c++ std lib with clang + -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ + -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ + -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*| \ + -specs=*) + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result + func_append compile_command " $arg" + func_append finalize_command " $arg" + func_append compiler_flags " $arg" + continue + ;; + + -Z*) + if test os2 = "`expr $host : '.*\(os2\)'`"; then + # OS/2 uses -Zxxx to specify OS/2-specific options + compiler_flags="$compiler_flags $arg" + func_append compile_command " $arg" + func_append finalize_command " $arg" + case $arg in + -Zlinker | -Zstack) + prev=xcompiler + ;; + esac + continue + else + # Otherwise treat like 'Some other compiler flag' below + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result + fi + ;; + + # Some other compiler flag. + -* | +*) + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result + ;; + + *.$objext) + # A standard object. + func_append objs " $arg" + ;; + + *.lo) + # A libtool-controlled object. + + # Check to see that this really is a libtool object. + if func_lalib_unsafe_p "$arg"; then + pic_object= + non_pic_object= + + # Read the .lo file + func_source "$arg" + + if test -z "$pic_object" || + test -z "$non_pic_object" || + test none = "$pic_object" && + test none = "$non_pic_object"; then + func_fatal_error "cannot find name of object for '$arg'" + fi + + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir=$func_dirname_result + + test none = "$pic_object" || { + # Prepend the subdirectory the object is found in. 
+ pic_object=$xdir$pic_object + + if test dlfiles = "$prev"; then + if test yes = "$build_libtool_libs" && test yes = "$dlopen_support"; then + func_append dlfiles " $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi + + # CHECK ME: I think I busted this. -Ossama + if test dlprefiles = "$prev"; then + # Preload the old-style object. + func_append dlprefiles " $pic_object" + prev= + fi + + # A PIC object. + func_append libobjs " $pic_object" + arg=$pic_object + } + + # Non-PIC object. + if test none != "$non_pic_object"; then + # Prepend the subdirectory the object is found in. + non_pic_object=$xdir$non_pic_object + + # A standard non-PIC object + func_append non_pic_objects " $non_pic_object" + if test -z "$pic_object" || test none = "$pic_object"; then + arg=$non_pic_object + fi + else + # If the PIC object exists, use it instead. + # $xdir was prepended to $pic_object above. + non_pic_object=$pic_object + func_append non_pic_objects " $non_pic_object" + fi + else + # Only an error if not doing a dry-run. + if $opt_dry_run; then + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir=$func_dirname_result + + func_lo2o "$arg" + pic_object=$xdir$objdir/$func_lo2o_result + non_pic_object=$xdir$func_lo2o_result + func_append libobjs " $pic_object" + func_append non_pic_objects " $non_pic_object" + else + func_fatal_error "'$arg' is not a valid libtool object" + fi + fi + ;; + + *.$libext) + # An archive. + func_append deplibs " $arg" + func_append old_deplibs " $arg" + continue + ;; + + *.la) + # A libtool-controlled library. + + func_resolve_sysroot "$arg" + if test dlfiles = "$prev"; then + # This library was specified with -dlopen. + func_append dlfiles " $func_resolve_sysroot_result" + prev= + elif test dlprefiles = "$prev"; then + # The library was specified with -dlpreopen. 
+ func_append dlprefiles " $func_resolve_sysroot_result" + prev= + else + func_append deplibs " $func_resolve_sysroot_result" + fi + continue + ;; + + # Some other compiler argument. + *) + # Unknown arguments in both finalize_command and compile_command need + # to be aesthetically quoted because they are evaled later. + func_quote_for_eval "$arg" + arg=$func_quote_for_eval_result + ;; + esac # arg + + # Now actually substitute the argument into the commands. + if test -n "$arg"; then + func_append compile_command " $arg" + func_append finalize_command " $arg" + fi + done # argument parsing loop + + test -n "$prev" && \ + func_fatal_help "the '$prevarg' option requires an argument" + + if test yes = "$export_dynamic" && test -n "$export_dynamic_flag_spec"; then + eval arg=\"$export_dynamic_flag_spec\" + func_append compile_command " $arg" + func_append finalize_command " $arg" + fi + + oldlibs= + # calculate the name of the file, without its directory + func_basename "$output" + outputname=$func_basename_result + libobjs_save=$libobjs + + if test -n "$shlibpath_var"; then + # get the directories listed in $shlibpath_var + eval shlib_search_path=\`\$ECHO \"\$$shlibpath_var\" \| \$SED \'s/:/ /g\'\` + else + shlib_search_path= + fi + eval sys_lib_search_path=\"$sys_lib_search_path_spec\" + eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" + + # Definition is injected by LT_CONFIG during libtool generation. + func_munge_path_list sys_lib_dlsearch_path "$LT_SYS_LIBRARY_PATH" + + func_dirname "$output" "/" "" + output_objdir=$func_dirname_result$objdir + func_to_tool_file "$output_objdir/" + tool_output_objdir=$func_to_tool_file_result + # Create the object directory. + func_mkdir_p "$output_objdir" + + # Determine the type of output + case $output in + "") + func_fatal_help "you must specify an output file" + ;; + *.$libext) linkmode=oldlib ;; + *.lo | *.$objext) linkmode=obj ;; + *.la) linkmode=lib ;; + *) linkmode=prog ;; # Anything else should be a program. 
+ esac + + specialdeplibs= + + libs= + # Find all interdependent deplibs by searching for libraries + # that are linked more than once (e.g. -la -lb -la) + for deplib in $deplibs; do + if $opt_preserve_dup_deps; then + case "$libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append libs " $deplib" + done + + if test lib = "$linkmode"; then + libs="$predeps $libs $compiler_lib_search_path $postdeps" + + # Compute libraries that are listed more than once in $predeps + # $postdeps and mark them as special (i.e., whose duplicates are + # not to be eliminated). + pre_post_deps= + if $opt_duplicate_compiler_generated_deps; then + for pre_post_dep in $predeps $postdeps; do + case "$pre_post_deps " in + *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;; + esac + func_append pre_post_deps " $pre_post_dep" + done + fi + pre_post_deps= + fi + + deplibs= + newdependency_libs= + newlib_search_path= + need_relink=no # whether we're linking any uninstalled libtool libraries + notinst_deplibs= # not-installed libtool libraries + notinst_path= # paths that contain not-installed libtool libraries + + case $linkmode in + lib) + passes="conv dlpreopen link" + for file in $dlfiles $dlprefiles; do + case $file in + *.la) ;; + *) + func_fatal_help "libraries can '-dlopen' only libtool libraries: $file" + ;; + esac + done + ;; + prog) + compile_deplibs= + finalize_deplibs= + alldeplibs=false + newdlfiles= + newdlprefiles= + passes="conv scan dlopen dlpreopen link" + ;; + *) passes="conv" + ;; + esac + + for pass in $passes; do + # The preopen pass in lib mode reverses $deplibs; put it back here + # so that -L comes before libs that need it for instance... 
+ if test lib,link = "$linkmode,$pass"; then + ## FIXME: Find the place where the list is rebuilt in the wrong + ## order, and fix it there properly + tmp_deplibs= + for deplib in $deplibs; do + tmp_deplibs="$deplib $tmp_deplibs" + done + deplibs=$tmp_deplibs + fi + + if test lib,link = "$linkmode,$pass" || + test prog,scan = "$linkmode,$pass"; then + libs=$deplibs + deplibs= + fi + if test prog = "$linkmode"; then + case $pass in + dlopen) libs=$dlfiles ;; + dlpreopen) libs=$dlprefiles ;; + link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; + esac + fi + if test lib,dlpreopen = "$linkmode,$pass"; then + # Collect and forward deplibs of preopened libtool libs + for lib in $dlprefiles; do + # Ignore non-libtool-libs + dependency_libs= + func_resolve_sysroot "$lib" + case $lib in + *.la) func_source "$func_resolve_sysroot_result" ;; + esac + + # Collect preopened libtool deplibs, except any this library + # has declared as weak libs + for deplib in $dependency_libs; do + func_basename "$deplib" + deplib_base=$func_basename_result + case " $weak_libs " in + *" $deplib_base "*) ;; + *) func_append deplibs " $deplib" ;; + esac + done + done + libs=$dlprefiles + fi + if test dlopen = "$pass"; then + # Collect dlpreopened libraries + save_deplibs=$deplibs + deplibs= + fi + + for deplib in $libs; do + lib= + found=false + case $deplib in + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) + if test prog,link = "$linkmode,$pass"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + func_append compiler_flags " $deplib" + if test lib = "$linkmode"; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; + esac + fi + fi + continue + ;; + -l*) + if test lib != "$linkmode" && test prog != "$linkmode"; then + func_warning "'-l' is ignored for archives/objects" + continue + fi + 
func_stripname '-l' '' "$deplib" + name=$func_stripname_result + if test lib = "$linkmode"; then + searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path" + else + searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path" + fi + for searchdir in $searchdirs; do + for search_ext in .la $std_shrext .so .a; do + # Search the libtool library + lib=$searchdir/lib$name$search_ext + if test -f "$lib"; then + if test .la = "$search_ext"; then + found=: + else + found=false + fi + break 2 + fi + done + done + if $found; then + # deplib is a libtool library + # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, + # We need to do some special things here, and not later. + if test yes = "$allow_libtool_libs_with_static_runtimes"; then + case " $predeps $postdeps " in + *" $deplib "*) + if func_lalib_p "$lib"; then + library_names= + old_library= + func_source "$lib" + for l in $old_library $library_names; do + ll=$l + done + if test "X$ll" = "X$old_library"; then # only static version available + found=false + func_dirname "$lib" "" "." 
+ ladir=$func_dirname_result + lib=$ladir/$old_library + if test prog,link = "$linkmode,$pass"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + test lib = "$linkmode" && newdependency_libs="$deplib $newdependency_libs" + fi + continue + fi + fi + ;; + *) ;; + esac + fi + else + # deplib doesn't seem to be a libtool library + if test prog,link = "$linkmode,$pass"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + test lib = "$linkmode" && newdependency_libs="$deplib $newdependency_libs" + fi + continue + fi + ;; # -l + *.ltframework) + if test prog,link = "$linkmode,$pass"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + if test lib = "$linkmode"; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; + esac + fi + fi + continue + ;; + -L*) + case $linkmode in + lib) + deplibs="$deplib $deplibs" + test conv = "$pass" && continue + newdependency_libs="$deplib $newdependency_libs" + func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" + ;; + prog) + if test conv = "$pass"; then + deplibs="$deplib $deplibs" + continue + fi + if test scan = "$pass"; then + deplibs="$deplib $deplibs" + else + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + fi + func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" + ;; + *) + func_warning "'-L' is ignored for archives/objects" + ;; + esac # linkmode + continue + ;; # -L + -R*) + if test link = "$pass"; then + func_stripname '-R' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + 
dir=$func_resolve_sysroot_result + # Make sure the xrpath contains only unique directories. + case "$xrpath " in + *" $dir "*) ;; + *) func_append xrpath " $dir" ;; + esac + fi + deplibs="$deplib $deplibs" + continue + ;; + *.la) + func_resolve_sysroot "$deplib" + lib=$func_resolve_sysroot_result + ;; + *.$libext) + if test conv = "$pass"; then + deplibs="$deplib $deplibs" + continue + fi + case $linkmode in + lib) + # Linking convenience modules into shared libraries is allowed, + # but linking other static libraries is non-portable. + case " $dlpreconveniencelibs " in + *" $deplib "*) ;; + *) + valid_a_lib=false + case $deplibs_check_method in + match_pattern*) + set dummy $deplibs_check_method; shift + match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` + if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \ + | $EGREP "$match_pattern_regex" > /dev/null; then + valid_a_lib=: + fi + ;; + pass_all) + valid_a_lib=: + ;; + esac + if $valid_a_lib; then + echo + $ECHO "*** Warning: Linking the shared library $output against the" + $ECHO "*** static library $deplib is not portable!" + deplibs="$deplib $deplibs" + else + echo + $ECHO "*** Warning: Trying to link with static lib archive $deplib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because the file extensions .$libext of this argument makes me believe" + echo "*** that it is just a static archive that I should not use here." 
+ fi + ;; + esac + continue + ;; + prog) + if test link != "$pass"; then + deplibs="$deplib $deplibs" + else + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + fi + continue + ;; + esac # linkmode + ;; # *.$libext + *.lo | *.$objext) + if test conv = "$pass"; then + deplibs="$deplib $deplibs" + elif test prog = "$linkmode"; then + if test dlpreopen = "$pass" || test yes != "$dlopen_support" || test no = "$build_libtool_libs"; then + # If there is no dlopen support or we're linking statically, + # we need to preload. + func_append newdlprefiles " $deplib" + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + func_append newdlfiles " $deplib" + fi + fi + continue + ;; + %DEPLIBS%) + alldeplibs=: + continue + ;; + esac # case $deplib + + $found || test -f "$lib" \ + || func_fatal_error "cannot find the library '$lib' or unhandled argument '$deplib'" + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$lib" \ + || func_fatal_error "'$lib' is not a valid libtool archive" + + func_dirname "$lib" "" "." 
+ ladir=$func_dirname_result + + dlname= + dlopen= + dlpreopen= + libdir= + library_names= + old_library= + inherited_linker_flags= + # If the library was installed with an old release of libtool, + # it will not redefine variables installed, or shouldnotlink + installed=yes + shouldnotlink=no + avoidtemprpath= + + + # Read the .la file + func_source "$lib" + + # Convert "-framework foo" to "foo.ltframework" + if test -n "$inherited_linker_flags"; then + tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'` + for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do + case " $new_inherited_linker_flags " in + *" $tmp_inherited_linker_flag "*) ;; + *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";; + esac + done + fi + dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + if test lib,link = "$linkmode,$pass" || + test prog,scan = "$linkmode,$pass" || + { test prog != "$linkmode" && test lib != "$linkmode"; }; then + test -n "$dlopen" && func_append dlfiles " $dlopen" + test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen" + fi + + if test conv = "$pass"; then + # Only check for convenience libraries + deplibs="$lib $deplibs" + if test -z "$libdir"; then + if test -z "$old_library"; then + func_fatal_error "cannot find name of link library for '$lib'" + fi + # It is a libtool convenience library, so add in its objects. 
+ func_append convenience " $ladir/$objdir/$old_library" + func_append old_convenience " $ladir/$objdir/$old_library" + elif test prog != "$linkmode" && test lib != "$linkmode"; then + func_fatal_error "'$lib' is not a convenience library" + fi + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_preserve_dup_deps; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done + continue + fi # $pass = conv + + + # Get the name of the library we link against. + linklib= + if test -n "$old_library" && + { test yes = "$prefer_static_libs" || + test built,no = "$prefer_static_libs,$installed"; }; then + linklib=$old_library + else + for l in $old_library $library_names; do + linklib=$l + done + fi + if test -z "$linklib"; then + func_fatal_error "cannot find name of link library for '$lib'" + fi + + # This library was specified with -dlopen. + if test dlopen = "$pass"; then + test -z "$libdir" \ + && func_fatal_error "cannot -dlopen a convenience library: '$lib'" + if test -z "$dlname" || + test yes != "$dlopen_support" || + test no = "$build_libtool_libs" + then + # If there is no dlname, no dlopen support or we're linking + # statically, we need to preload. We also need to preload any + # dependent libraries so libltdl's deplib preloader doesn't + # bomb out in the load deplibs phase. + func_append dlprefiles " $lib $dependency_libs" + else + func_append newdlfiles " $lib" + fi + continue + fi # $pass = dlopen + + # We need an absolute path. 
+ case $ladir in + [\\/]* | [A-Za-z]:[\\/]*) abs_ladir=$ladir ;; + *) + abs_ladir=`cd "$ladir" && pwd` + if test -z "$abs_ladir"; then + func_warning "cannot determine absolute directory name of '$ladir'" + func_warning "passing it literally to the linker, although it might fail" + abs_ladir=$ladir + fi + ;; + esac + func_basename "$lib" + laname=$func_basename_result + + # Find the relevant object directory and library name. + if test yes = "$installed"; then + if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then + func_warning "library '$lib' was moved." + dir=$ladir + absdir=$abs_ladir + libdir=$abs_ladir + else + dir=$lt_sysroot$libdir + absdir=$lt_sysroot$libdir + fi + test yes = "$hardcode_automatic" && avoidtemprpath=yes + else + if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then + dir=$ladir + absdir=$abs_ladir + # Remove this search path later + func_append notinst_path " $abs_ladir" + else + dir=$ladir/$objdir + absdir=$abs_ladir/$objdir + # Remove this search path later + func_append notinst_path " $abs_ladir" + fi + fi # $installed = yes + func_stripname 'lib' '.la' "$laname" + name=$func_stripname_result + + # This library was specified with -dlpreopen. + if test dlpreopen = "$pass"; then + if test -z "$libdir" && test prog = "$linkmode"; then + func_fatal_error "only libraries may -dlpreopen a convenience library: '$lib'" + fi + case $host in + # special handling for platforms with PE-DLLs. + *cygwin* | *mingw* | *cegcc* ) + # Linker will automatically link against shared library if both + # static and shared are present. Therefore, ensure we extract + # symbols from the import library if a shared library is present + # (otherwise, the dlopen module name will be incorrect). We do + # this by putting the import library name into $newdlprefiles. 
+ # We recover the dlopen module name by 'saving' the la file + # name in a special purpose variable, and (later) extracting the + # dlname from the la file. + if test -n "$dlname"; then + func_tr_sh "$dir/$linklib" + eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname" + func_append newdlprefiles " $dir/$linklib" + else + func_append newdlprefiles " $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + func_append dlpreconveniencelibs " $dir/$old_library" + fi + ;; + * ) + # Prefer using a static library (so that no silly _DYNAMIC symbols + # are required to link). + if test -n "$old_library"; then + func_append newdlprefiles " $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + func_append dlpreconveniencelibs " $dir/$old_library" + # Otherwise, use the dlname, so that lt_dlopen finds it. 
+ elif test -n "$dlname"; then + func_append newdlprefiles " $dir/$dlname" + else + func_append newdlprefiles " $dir/$linklib" + fi + ;; + esac + fi # $pass = dlpreopen + + if test -z "$libdir"; then + # Link the convenience library + if test lib = "$linkmode"; then + deplibs="$dir/$old_library $deplibs" + elif test prog,link = "$linkmode,$pass"; then + compile_deplibs="$dir/$old_library $compile_deplibs" + finalize_deplibs="$dir/$old_library $finalize_deplibs" + else + deplibs="$lib $deplibs" # used for prog,scan pass + fi + continue + fi + + + if test prog = "$linkmode" && test link != "$pass"; then + func_append newlib_search_path " $ladir" + deplibs="$lib $deplibs" + + linkalldeplibs=false + if test no != "$link_all_deplibs" || test -z "$library_names" || + test no = "$build_libtool_libs"; then + linkalldeplibs=: + fi + + tmp_libs= + for deplib in $dependency_libs; do + case $deplib in + -L*) func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" + ;; + esac + # Need to link against all dependency_libs? + if $linkalldeplibs; then + deplibs="$deplib $deplibs" + else + # Need to hardcode shared library paths + # or/and link against static libraries + newdependency_libs="$deplib $newdependency_libs" + fi + if $opt_preserve_dup_deps; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done # for deplib + continue + fi # $linkmode = prog... + + if test prog,link = "$linkmode,$pass"; then + if test -n "$library_names" && + { { test no = "$prefer_static_libs" || + test built,yes = "$prefer_static_libs,$installed"; } || + test -z "$old_library"; }; then + # We need to hardcode the library path + if test -n "$shlibpath_var" && test -z "$avoidtemprpath"; then + # Make sure the rpath contains only unique directories. 
+ case $temp_rpath: in + *"$absdir:"*) ;; + *) func_append temp_rpath "$absdir:" ;; + esac + fi + + # Hardcode the library path. + # Skip directories that are in the system default run-time + # search path. + case " $sys_lib_dlsearch_path " in + *" $absdir "*) ;; + *) + case "$compile_rpath " in + *" $absdir "*) ;; + *) func_append compile_rpath " $absdir" ;; + esac + ;; + esac + case " $sys_lib_dlsearch_path " in + *" $libdir "*) ;; + *) + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + ;; + esac + fi # $linkmode,$pass = prog,link... + + if $alldeplibs && + { test pass_all = "$deplibs_check_method" || + { test yes = "$build_libtool_libs" && + test -n "$library_names"; }; }; then + # We only need to search for static libraries + continue + fi + fi + + link_static=no # Whether the deplib will be linked statically + use_static_libs=$prefer_static_libs + if test built = "$use_static_libs" && test yes = "$installed"; then + use_static_libs=no + fi + if test -n "$library_names" && + { test no = "$use_static_libs" || test -z "$old_library"; }; then + case $host in + *cygwin* | *mingw* | *cegcc* | *os2*) + # No point in relinking DLLs because paths are not encoded + func_append notinst_deplibs " $lib" + need_relink=no + ;; + *) + if test no = "$installed"; then + func_append notinst_deplibs " $lib" + need_relink=yes + fi + ;; + esac + # This is a shared library + + # Warn about portability, can't link against -module's on some + # systems (darwin). Don't bleat about dlopened modules though! 
+ dlopenmodule= + for dlpremoduletest in $dlprefiles; do + if test "X$dlpremoduletest" = "X$lib"; then + dlopenmodule=$dlpremoduletest + break + fi + done + if test -z "$dlopenmodule" && test yes = "$shouldnotlink" && test link = "$pass"; then + echo + if test prog = "$linkmode"; then + $ECHO "*** Warning: Linking the executable $output against the loadable module" + else + $ECHO "*** Warning: Linking the shared library $output against the loadable module" + fi + $ECHO "*** $linklib is not portable!" + fi + if test lib = "$linkmode" && + test yes = "$hardcode_into_libs"; then + # Hardcode the library path. + # Skip directories that are in the system default run-time + # search path. + case " $sys_lib_dlsearch_path " in + *" $absdir "*) ;; + *) + case "$compile_rpath " in + *" $absdir "*) ;; + *) func_append compile_rpath " $absdir" ;; + esac + ;; + esac + case " $sys_lib_dlsearch_path " in + *" $libdir "*) ;; + *) + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + ;; + esac + fi + + if test -n "$old_archive_from_expsyms_cmds"; then + # figure out the soname + set dummy $library_names + shift + realname=$1 + shift + libname=`eval "\\$ECHO \"$libname_spec\""` + # use dlname if we got it. it's perfectly good, no? 
+ if test -n "$dlname"; then + soname=$dlname + elif test -n "$soname_spec"; then + # bleh windows + case $host in + *cygwin* | mingw* | *cegcc* | *os2*) + func_arith $current - $age + major=$func_arith_result + versuffix=-$major + ;; + esac + eval soname=\"$soname_spec\" + else + soname=$realname + fi + + # Make a new name for the extract_expsyms_cmds to use + soroot=$soname + func_basename "$soroot" + soname=$func_basename_result + func_stripname 'lib' '.dll' "$soname" + newlib=libimp-$func_stripname_result.a + + # If the library has no export list, then create one now + if test -f "$output_objdir/$soname-def"; then : + else + func_verbose "extracting exported symbol list from '$soname'" + func_execute_cmds "$extract_expsyms_cmds" 'exit $?' + fi + + # Create $newlib + if test -f "$output_objdir/$newlib"; then :; else + func_verbose "generating import library for '$soname'" + func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?' + fi + # make sure the library variables are pointing to the new library + dir=$output_objdir + linklib=$newlib + fi # test -n "$old_archive_from_expsyms_cmds" + + if test prog = "$linkmode" || test relink != "$opt_mode"; then + add_shlibpath= + add_dir= + add= + lib_linked=yes + case $hardcode_action in + immediate | unsupported) + if test no = "$hardcode_direct"; then + add=$dir/$linklib + case $host in + *-*-sco3.2v5.0.[024]*) add_dir=-L$dir ;; + *-*-sysv4*uw2*) add_dir=-L$dir ;; + *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \ + *-*-unixware7*) add_dir=-L$dir ;; + *-*-darwin* ) + # if the lib is a (non-dlopened) module then we cannot + # link against it, someone is ignoring the earlier warnings + if /usr/bin/file -L $add 2> /dev/null | + $GREP ": [^:]* bundle" >/dev/null; then + if test "X$dlopenmodule" != "X$lib"; then + $ECHO "*** Warning: lib $linklib is a module, not a shared library" + if test -z "$old_library"; then + echo + echo "*** And there doesn't seem to be a static archive available" + echo "*** The link 
will probably fail, sorry" + else + add=$dir/$old_library + fi + elif test -n "$old_library"; then + add=$dir/$old_library + fi + fi + esac + elif test no = "$hardcode_minus_L"; then + case $host in + *-*-sunos*) add_shlibpath=$dir ;; + esac + add_dir=-L$dir + add=-l$name + elif test no = "$hardcode_shlibpath_var"; then + add_shlibpath=$dir + add=-l$name + else + lib_linked=no + fi + ;; + relink) + if test yes = "$hardcode_direct" && + test no = "$hardcode_direct_absolute"; then + add=$dir/$linklib + elif test yes = "$hardcode_minus_L"; then + add_dir=-L$absdir + # Try looking first in the location we're being installed to. + if test -n "$inst_prefix_dir"; then + case $libdir in + [\\/]*) + func_append add_dir " -L$inst_prefix_dir$libdir" + ;; + esac + fi + add=-l$name + elif test yes = "$hardcode_shlibpath_var"; then + add_shlibpath=$dir + add=-l$name + else + lib_linked=no + fi + ;; + *) lib_linked=no ;; + esac + + if test yes != "$lib_linked"; then + func_fatal_configuration "unsupported hardcode properties" + fi + + if test -n "$add_shlibpath"; then + case :$compile_shlibpath: in + *":$add_shlibpath:"*) ;; + *) func_append compile_shlibpath "$add_shlibpath:" ;; + esac + fi + if test prog = "$linkmode"; then + test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" + test -n "$add" && compile_deplibs="$add $compile_deplibs" + else + test -n "$add_dir" && deplibs="$add_dir $deplibs" + test -n "$add" && deplibs="$add $deplibs" + if test yes != "$hardcode_direct" && + test yes != "$hardcode_minus_L" && + test yes = "$hardcode_shlibpath_var"; then + case :$finalize_shlibpath: in + *":$libdir:"*) ;; + *) func_append finalize_shlibpath "$libdir:" ;; + esac + fi + fi + fi + + if test prog = "$linkmode" || test relink = "$opt_mode"; then + add_shlibpath= + add_dir= + add= + # Finalize command for both is simple: just hardcode it. 
+ if test yes = "$hardcode_direct" && + test no = "$hardcode_direct_absolute"; then + add=$libdir/$linklib + elif test yes = "$hardcode_minus_L"; then + add_dir=-L$libdir + add=-l$name + elif test yes = "$hardcode_shlibpath_var"; then + case :$finalize_shlibpath: in + *":$libdir:"*) ;; + *) func_append finalize_shlibpath "$libdir:" ;; + esac + add=-l$name + elif test yes = "$hardcode_automatic"; then + if test -n "$inst_prefix_dir" && + test -f "$inst_prefix_dir$libdir/$linklib"; then + add=$inst_prefix_dir$libdir/$linklib + else + add=$libdir/$linklib + fi + else + # We cannot seem to hardcode it, guess we'll fake it. + add_dir=-L$libdir + # Try looking first in the location we're being installed to. + if test -n "$inst_prefix_dir"; then + case $libdir in + [\\/]*) + func_append add_dir " -L$inst_prefix_dir$libdir" + ;; + esac + fi + add=-l$name + fi + + if test prog = "$linkmode"; then + test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" + test -n "$add" && finalize_deplibs="$add $finalize_deplibs" + else + test -n "$add_dir" && deplibs="$add_dir $deplibs" + test -n "$add" && deplibs="$add $deplibs" + fi + fi + elif test prog = "$linkmode"; then + # Here we assume that one of hardcode_direct or hardcode_minus_L + # is not unsupported. This is valid on all known static and + # shared platforms. + if test unsupported != "$hardcode_direct"; then + test -n "$old_library" && linklib=$old_library + compile_deplibs="$dir/$linklib $compile_deplibs" + finalize_deplibs="$dir/$linklib $finalize_deplibs" + else + compile_deplibs="-l$name -L$dir $compile_deplibs" + finalize_deplibs="-l$name -L$dir $finalize_deplibs" + fi + elif test yes = "$build_libtool_libs"; then + # Not a shared library + if test pass_all != "$deplibs_check_method"; then + # We're trying link a shared library against a static one + # but the system doesn't support it. 
+ + # Just print a warning and add the library to dependency_libs so + # that the program can be linked against the static library. + echo + $ECHO "*** Warning: This system cannot link to static lib archive $lib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have." + if test yes = "$module"; then + echo "*** But as you try to build a module library, libtool will still create " + echo "*** a static module, that should work as long as the dlopening application" + echo "*** is linked with the -dlopen flag to resolve symbols at runtime." + if test -z "$global_symbol_pipe"; then + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using 'nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** 'nm' from GNU binutils and a full rebuild may help." + fi + if test no = "$build_old_libs"; then + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + fi + else + deplibs="$dir/$old_library $deplibs" + link_static=yes + fi + fi # link shared/static library? 
+ + if test lib = "$linkmode"; then + if test -n "$dependency_libs" && + { test yes != "$hardcode_into_libs" || + test yes = "$build_old_libs" || + test yes = "$link_static"; }; then + # Extract -R from dependency_libs + temp_deplibs= + for libdir in $dependency_libs; do + case $libdir in + -R*) func_stripname '-R' '' "$libdir" + temp_xrpath=$func_stripname_result + case " $xrpath " in + *" $temp_xrpath "*) ;; + *) func_append xrpath " $temp_xrpath";; + esac;; + *) func_append temp_deplibs " $libdir";; + esac + done + dependency_libs=$temp_deplibs + fi + + func_append newlib_search_path " $absdir" + # Link against this library + test no = "$link_static" && newdependency_libs="$abs_ladir/$laname $newdependency_libs" + # ... and its dependency_libs + tmp_libs= + for deplib in $dependency_libs; do + newdependency_libs="$deplib $newdependency_libs" + case $deplib in + -L*) func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result";; + *) func_resolve_sysroot "$deplib" ;; + esac + if $opt_preserve_dup_deps; then + case "$tmp_libs " in + *" $func_resolve_sysroot_result "*) + func_append specialdeplibs " $func_resolve_sysroot_result" ;; + esac + fi + func_append tmp_libs " $func_resolve_sysroot_result" + done + + if test no != "$link_all_deplibs"; then + # Add the search paths of all dependency libraries + for deplib in $dependency_libs; do + path= + case $deplib in + -L*) path=$deplib ;; + *.la) + func_resolve_sysroot "$deplib" + deplib=$func_resolve_sysroot_result + func_dirname "$deplib" "" "." + dir=$func_dirname_result + # We need an absolute path. 
+ case $dir in + [\\/]* | [A-Za-z]:[\\/]*) absdir=$dir ;; + *) + absdir=`cd "$dir" && pwd` + if test -z "$absdir"; then + func_warning "cannot determine absolute directory name of '$dir'" + absdir=$dir + fi + ;; + esac + if $GREP "^installed=no" $deplib > /dev/null; then + case $host in + *-*-darwin*) + depdepl= + eval deplibrary_names=`$SED -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` + if test -n "$deplibrary_names"; then + for tmp in $deplibrary_names; do + depdepl=$tmp + done + if test -f "$absdir/$objdir/$depdepl"; then + depdepl=$absdir/$objdir/$depdepl + darwin_install_name=`$OTOOL -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` + if test -z "$darwin_install_name"; then + darwin_install_name=`$OTOOL64 -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` + fi + func_append compiler_flags " $wl-dylib_file $wl$darwin_install_name:$depdepl" + func_append linker_flags " -dylib_file $darwin_install_name:$depdepl" + path= + fi + fi + ;; + *) + path=-L$absdir/$objdir + ;; + esac + else + eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` + test -z "$libdir" && \ + func_fatal_error "'$deplib' is not a valid libtool archive" + test "$absdir" != "$libdir" && \ + func_warning "'$deplib' seems to be moved" + + path=-L$absdir + fi + ;; + esac + case " $deplibs " in + *" $path "*) ;; + *) deplibs="$path $deplibs" ;; + esac + done + fi # link_all_deplibs != no + fi # linkmode = lib + done # for deplib in $libs + if test link = "$pass"; then + if test prog = "$linkmode"; then + compile_deplibs="$new_inherited_linker_flags $compile_deplibs" + finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs" + else + compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + fi + fi + dependency_libs=$newdependency_libs + if test dlpreopen = "$pass"; then + # Link the dlpreopened libraries before other libraries + for deplib in $save_deplibs; do + deplibs="$deplib $deplibs" + done + fi + if test 
dlopen != "$pass"; then + test conv = "$pass" || { + # Make sure lib_search_path contains only unique directories. + lib_search_path= + for dir in $newlib_search_path; do + case "$lib_search_path " in + *" $dir "*) ;; + *) func_append lib_search_path " $dir" ;; + esac + done + newlib_search_path= + } + + if test prog,link = "$linkmode,$pass"; then + vars="compile_deplibs finalize_deplibs" + else + vars=deplibs + fi + for var in $vars dependency_libs; do + # Add libraries to $var in reverse order + eval tmp_libs=\"\$$var\" + new_libs= + for deplib in $tmp_libs; do + # FIXME: Pedantically, this is the right thing to do, so + # that some nasty dependency loop isn't accidentally + # broken: + #new_libs="$deplib $new_libs" + # Pragmatically, this seems to cause very few problems in + # practice: + case $deplib in + -L*) new_libs="$deplib $new_libs" ;; + -R*) ;; + *) + # And here is the reason: when a library appears more + # than once as an explicit dependence of a library, or + # is implicitly linked in more than once by the + # compiler, it is considered special, and multiple + # occurrences thereof are not removed. Compare this + # with having the same library being listed as a + # dependency of multiple other libraries: in this case, + # we know (pedantically, we assume) the library does not + # need to be listed more than once, so we keep only the + # last copy. This is not always right, but it is rare + # enough that we require users that really mean to play + # such unportable linking tricks to link the library + # using -Wl,-lname, so that libtool does not consider it + # for duplicate removal. 
+ case " $specialdeplibs " in + *" $deplib "*) new_libs="$deplib $new_libs" ;; + *) + case " $new_libs " in + *" $deplib "*) ;; + *) new_libs="$deplib $new_libs" ;; + esac + ;; + esac + ;; + esac + done + tmp_libs= + for deplib in $new_libs; do + case $deplib in + -L*) + case " $tmp_libs " in + *" $deplib "*) ;; + *) func_append tmp_libs " $deplib" ;; + esac + ;; + *) func_append tmp_libs " $deplib" ;; + esac + done + eval $var=\"$tmp_libs\" + done # for var + fi + + # Add Sun CC postdeps if required: + test CXX = "$tagname" && { + case $host_os in + linux*) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) # Sun C++ 5.9 + func_suncc_cstd_abi + + if test no != "$suncc_use_cstd_abi"; then + func_append postdeps ' -library=Cstd -library=Crun' + fi + ;; + esac + ;; + + solaris*) + func_cc_basename "$CC" + case $func_cc_basename_result in + CC* | sunCC*) + func_suncc_cstd_abi + + if test no != "$suncc_use_cstd_abi"; then + func_append postdeps ' -library=Cstd -library=Crun' + fi + ;; + esac + ;; + esac + } + + # Last step: remove runtime libs from dependency_libs + # (they stay in deplibs) + tmp_libs= + for i in $dependency_libs; do + case " $predeps $postdeps $compiler_lib_search_path " in + *" $i "*) + i= + ;; + esac + if test -n "$i"; then + func_append tmp_libs " $i" + fi + done + dependency_libs=$tmp_libs + done # for pass + if test prog = "$linkmode"; then + dlfiles=$newdlfiles + fi + if test prog = "$linkmode" || test lib = "$linkmode"; then + dlprefiles=$newdlprefiles + fi + + case $linkmode in + oldlib) + if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then + func_warning "'-dlopen' is ignored for archives" + fi + + case " $deplibs" in + *\ -l* | *\ -L*) + func_warning "'-l' and '-L' are ignored for archives" ;; + esac + + test -n "$rpath" && \ + func_warning "'-rpath' is ignored for archives" + + test -n "$xrpath" && \ + func_warning "'-R' is ignored for archives" + + test -n "$vinfo" && \ + func_warning "'-version-info/-version-number' is ignored for 
archives" + + test -n "$release" && \ + func_warning "'-release' is ignored for archives" + + test -n "$export_symbols$export_symbols_regex" && \ + func_warning "'-export-symbols' is ignored for archives" + + # Now set the variables for building old libraries. + build_libtool_libs=no + oldlibs=$output + func_append objs "$old_deplibs" + ;; + + lib) + # Make sure we only generate libraries of the form 'libNAME.la'. + case $outputname in + lib*) + func_stripname 'lib' '.la' "$outputname" + name=$func_stripname_result + eval shared_ext=\"$shrext_cmds\" + eval libname=\"$libname_spec\" + ;; + *) + test no = "$module" \ + && func_fatal_help "libtool library '$output' must begin with 'lib'" + + if test no != "$need_lib_prefix"; then + # Add the "lib" prefix for modules if required + func_stripname '' '.la' "$outputname" + name=$func_stripname_result + eval shared_ext=\"$shrext_cmds\" + eval libname=\"$libname_spec\" + else + func_stripname '' '.la' "$outputname" + libname=$func_stripname_result + fi + ;; + esac + + if test -n "$objs"; then + if test pass_all != "$deplibs_check_method"; then + func_fatal_error "cannot build libtool library '$output' from non-libtool objects on this host:$objs" + else + echo + $ECHO "*** Warning: Linking the shared library $output against the non-libtool" + $ECHO "*** objects $objs is not portable!" + func_append libobjs " $objs" + fi + fi + + test no = "$dlself" \ + || func_warning "'-dlopen self' is ignored for libtool libraries" + + set dummy $rpath + shift + test 1 -lt "$#" \ + && func_warning "ignoring multiple '-rpath's for a libtool library" + + install_libdir=$1 + + oldlibs= + if test -z "$rpath"; then + if test yes = "$build_libtool_libs"; then + # Building a libtool convenience library. + # Some compilers have problems with a '.al' extension so + # convenience libraries should have the same extension an + # archive normally would. 
+ oldlibs="$output_objdir/$libname.$libext $oldlibs" + build_libtool_libs=convenience + build_old_libs=yes + fi + + test -n "$vinfo" && \ + func_warning "'-version-info/-version-number' is ignored for convenience libraries" + + test -n "$release" && \ + func_warning "'-release' is ignored for convenience libraries" + else + + # Parse the version information argument. + save_ifs=$IFS; IFS=: + set dummy $vinfo 0 0 0 + shift + IFS=$save_ifs + + test -n "$7" && \ + func_fatal_help "too many parameters to '-version-info'" + + # convert absolute version numbers to libtool ages + # this retains compatibility with .la files and attempts + # to make the code below a bit more comprehensible + + case $vinfo_number in + yes) + number_major=$1 + number_minor=$2 + number_revision=$3 + # + # There are really only two kinds -- those that + # use the current revision as the major version + # and those that subtract age and use age as + # a minor version. But, then there is irix + # that has an extra 1 added just for fun + # + case $version_type in + # correct linux to gnu/linux during the next big refactor + darwin|freebsd-elf|linux|osf|windows|none) + func_arith $number_major + $number_minor + current=$func_arith_result + age=$number_minor + revision=$number_revision + ;; + freebsd-aout|qnx|sunos) + current=$number_major + revision=$number_minor + age=0 + ;; + irix|nonstopux) + func_arith $number_major + $number_minor + current=$func_arith_result + age=$number_minor + revision=$number_minor + lt_irix_increment=no + ;; + esac + ;; + no) + current=$1 + revision=$2 + age=$3 + ;; + esac + + # Check that each of the things are valid numbers. 
+ case $current in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "CURRENT '$current' must be a nonnegative integer" + func_fatal_error "'$vinfo' is not valid version information" + ;; + esac + + case $revision in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "REVISION '$revision' must be a nonnegative integer" + func_fatal_error "'$vinfo' is not valid version information" + ;; + esac + + case $age in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "AGE '$age' must be a nonnegative integer" + func_fatal_error "'$vinfo' is not valid version information" + ;; + esac + + if test "$age" -gt "$current"; then + func_error "AGE '$age' is greater than the current interface number '$current'" + func_fatal_error "'$vinfo' is not valid version information" + fi + + # Calculate the version variables. + major= + versuffix= + verstring= + case $version_type in + none) ;; + + darwin) + # Like Linux, but with the current version available in + # verstring for coding it into the library header + func_arith $current - $age + major=.$func_arith_result + versuffix=$major.$age.$revision + # Darwin ld doesn't like 0 for these options... 
+ func_arith $current + 1 + minor_current=$func_arith_result + xlcverstring="$wl-compatibility_version $wl$minor_current $wl-current_version $wl$minor_current.$revision" + verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" + # On Darwin other compilers + case $CC in + nagfor*) + verstring="$wl-compatibility_version $wl$minor_current $wl-current_version $wl$minor_current.$revision" + ;; + *) + verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" + ;; + esac + ;; + + freebsd-aout) + major=.$current + versuffix=.$current.$revision + ;; + + freebsd-elf) + func_arith $current - $age + major=.$func_arith_result + versuffix=$major.$age.$revision + ;; + + irix | nonstopux) + if test no = "$lt_irix_increment"; then + func_arith $current - $age + else + func_arith $current - $age + 1 + fi + major=$func_arith_result + + case $version_type in + nonstopux) verstring_prefix=nonstopux ;; + *) verstring_prefix=sgi ;; + esac + verstring=$verstring_prefix$major.$revision + + # Add in all the interfaces that we are compatible with. + loop=$revision + while test 0 -ne "$loop"; do + func_arith $revision - $loop + iface=$func_arith_result + func_arith $loop - 1 + loop=$func_arith_result + verstring=$verstring_prefix$major.$iface:$verstring + done + + # Before this point, $major must not contain '.'. + major=.$major + versuffix=$major.$revision + ;; + + linux) # correct to gnu/linux during the next big refactor + func_arith $current - $age + major=.$func_arith_result + versuffix=$major.$age.$revision + ;; + + osf) + func_arith $current - $age + major=.$func_arith_result + versuffix=.$current.$age.$revision + verstring=$current.$age.$revision + + # Add in all the interfaces that we are compatible with. 
+ loop=$age + while test 0 -ne "$loop"; do + func_arith $current - $loop + iface=$func_arith_result + func_arith $loop - 1 + loop=$func_arith_result + verstring=$verstring:$iface.0 + done + + # Make executables depend on our current version. + func_append verstring ":$current.0" + ;; + + qnx) + major=.$current + versuffix=.$current + ;; + + sco) + major=.$current + versuffix=.$current + ;; + + sunos) + major=.$current + versuffix=.$current.$revision + ;; + + windows) + # Use '-' rather than '.', since we only want one + # extension on DOS 8.3 file systems. + func_arith $current - $age + major=$func_arith_result + versuffix=-$major + ;; + + *) + func_fatal_configuration "unknown library version type '$version_type'" + ;; + esac + + # Clear the version info if we defaulted, and they specified a release. + if test -z "$vinfo" && test -n "$release"; then + major= + case $version_type in + darwin) + # we can't check for "0.0" in archive_cmds due to quoting + # problems, so we reset it completely + verstring= + ;; + *) + verstring=0.0 + ;; + esac + if test no = "$need_version"; then + versuffix= + else + versuffix=.0.0 + fi + fi + + # Remove version info from name if versioning should be avoided + if test yes,no = "$avoid_version,$need_version"; then + major= + versuffix= + verstring= + fi + + # Check to see if the archive will have undefined symbols. + if test yes = "$allow_undefined"; then + if test unsupported = "$allow_undefined_flag"; then + if test yes = "$build_old_libs"; then + func_warning "undefined symbols not allowed in $host shared libraries; building static only" + build_libtool_libs=no + else + func_fatal_error "can't build $host shared library unless -no-undefined is specified" + fi + fi + else + # Don't allow undefined symbols. 
+ allow_undefined_flag=$no_undefined_flag + fi + + fi + + func_generate_dlsyms "$libname" "$libname" : + func_append libobjs " $symfileobj" + test " " = "$libobjs" && libobjs= + + if test relink != "$opt_mode"; then + # Remove our outputs, but don't remove object files since they + # may have been created when compiling PIC objects. + removelist= + tempremovelist=`$ECHO "$output_objdir/*"` + for p in $tempremovelist; do + case $p in + *.$objext | *.gcno) + ;; + $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/$libname$release.*) + if test -n "$precious_files_regex"; then + if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 + then + continue + fi + fi + func_append removelist " $p" + ;; + *) ;; + esac + done + test -n "$removelist" && \ + func_show_eval "${RM}r \$removelist" + fi + + # Now set the variables for building old libraries. + if test yes = "$build_old_libs" && test convenience != "$build_libtool_libs"; then + func_append oldlibs " $output_objdir/$libname.$libext" + + # Transform .lo files to .o files. + oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.$libext$/d; $lo2o" | $NL2SP` + fi + + # Eliminate all temporary directories. + #for path in $notinst_path; do + # lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"` + # deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"` + # dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"` + #done + + if test -n "$xrpath"; then + # If the user specified any rpath flags, then add them. 
+ temp_xrpath= + for libdir in $xrpath; do + func_replace_sysroot "$libdir" + func_append temp_xrpath " -R$func_replace_sysroot_result" + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + done + if test yes != "$hardcode_into_libs" || test yes = "$build_old_libs"; then + dependency_libs="$temp_xrpath $dependency_libs" + fi + fi + + # Make sure dlfiles contains only unique files that won't be dlpreopened + old_dlfiles=$dlfiles + dlfiles= + for lib in $old_dlfiles; do + case " $dlprefiles $dlfiles " in + *" $lib "*) ;; + *) func_append dlfiles " $lib" ;; + esac + done + + # Make sure dlprefiles contains only unique files + old_dlprefiles=$dlprefiles + dlprefiles= + for lib in $old_dlprefiles; do + case "$dlprefiles " in + *" $lib "*) ;; + *) func_append dlprefiles " $lib" ;; + esac + done + + if test yes = "$build_libtool_libs"; then + if test -n "$rpath"; then + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*) + # these systems don't actually have a c library (as such)! + ;; + *-*-rhapsody* | *-*-darwin1.[012]) + # Rhapsody C library is in the System framework + func_append deplibs " System.ltframework" + ;; + *-*-netbsd*) + # Don't link with libc until the a.out ld.so is fixed. + ;; + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) + # Do not include libc due to us having libc/libc_r. + ;; + *-*-sco3.2v5* | *-*-sco5v6*) + # Causes problems with __ctype + ;; + *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) + # Compiler inserts libc in the correct place for threads to work + ;; + *) + # Add libc to deplibs on all other systems if necessary. + if test yes = "$build_libtool_need_lc"; then + func_append deplibs " -lc" + fi + ;; + esac + fi + + # Transform deplibs into only deplibs that can be linked in shared. 
+ name_save=$name + libname_save=$libname + release_save=$release + versuffix_save=$versuffix + major_save=$major + # I'm not sure if I'm treating the release correctly. I think + # release should show up in the -l (ie -lgmp5) so we don't want to + # add it in twice. Is that correct? + release= + versuffix= + major= + newdeplibs= + droppeddeps=no + case $deplibs_check_method in + pass_all) + # Don't check for shared/static. Everything works. + # This might be a little naive. We might want to check + # whether the library exists or not. But this is on + # osf3 & osf4 and I'm not really sure... Just + # implementing what was already the behavior. + newdeplibs=$deplibs + ;; + test_compile) + # This code stresses the "libraries are programs" paradigm to its + # limits. Maybe even breaks it. We compile a program, linking it + # against the deplibs as a proxy for the library. Then we can check + # whether they linked in statically or dynamically with ldd. + $opt_dry_run || $RM conftest.c + cat > conftest.c </dev/null` + $nocaseglob + else + potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null` + fi + for potent_lib in $potential_libs; do + # Follow soft links. + if ls -lLd "$potent_lib" 2>/dev/null | + $GREP " -> " >/dev/null; then + continue + fi + # The statement above tries to avoid entering an + # endless loop below, in case of cyclic links. + # We might still enter an endless loop, since a link + # loop can be closed while we follow links, + # but so what? 
+ potlib=$potent_lib + while test -h "$potlib" 2>/dev/null; do + potliblink=`ls -ld $potlib | $SED 's/.* -> //'` + case $potliblink in + [\\/]* | [A-Za-z]:[\\/]*) potlib=$potliblink;; + *) potlib=`$ECHO "$potlib" | $SED 's|[^/]*$||'`"$potliblink";; + esac + done + if eval $file_magic_cmd \"\$potlib\" 2>/dev/null | + $SED -e 10q | + $EGREP "$file_magic_regex" > /dev/null; then + func_append newdeplibs " $a_deplib" + a_deplib= + break 2 + fi + done + done + fi + if test -n "$a_deplib"; then + droppeddeps=yes + echo + $ECHO "*** Warning: linker path does not have real file for library $a_deplib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because I did check the linker path looking for a file starting" + if test -z "$potlib"; then + $ECHO "*** with $libname but no candidates were found. (...for file magic test)" + else + $ECHO "*** with $libname and none of the candidates passed a file format test" + $ECHO "*** using a file magic. Last file checked: $potlib" + fi + fi + ;; + *) + # Add a -L argument. + func_append newdeplibs " $a_deplib" + ;; + esac + done # Gone through all deplibs. 
+ ;; + match_pattern*) + set dummy $deplibs_check_method; shift + match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` + for a_deplib in $deplibs; do + case $a_deplib in + -l*) + func_stripname -l '' "$a_deplib" + name=$func_stripname_result + if test yes = "$allow_libtool_libs_with_static_runtimes"; then + case " $predeps $postdeps " in + *" $a_deplib "*) + func_append newdeplibs " $a_deplib" + a_deplib= + ;; + esac + fi + if test -n "$a_deplib"; then + libname=`eval "\\$ECHO \"$libname_spec\""` + for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do + potential_libs=`ls $i/$libname[.-]* 2>/dev/null` + for potent_lib in $potential_libs; do + potlib=$potent_lib # see symlink-check above in file_magic test + if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \ + $EGREP "$match_pattern_regex" > /dev/null; then + func_append newdeplibs " $a_deplib" + a_deplib= + break 2 + fi + done + done + fi + if test -n "$a_deplib"; then + droppeddeps=yes + echo + $ECHO "*** Warning: linker path does not have real file for library $a_deplib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because I did check the linker path looking for a file starting" + if test -z "$potlib"; then + $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)" + else + $ECHO "*** with $libname and none of the candidates passed a file format test" + $ECHO "*** using a regex pattern. Last file checked: $potlib" + fi + fi + ;; + *) + # Add a -L argument. + func_append newdeplibs " $a_deplib" + ;; + esac + done # Gone through all deplibs. 
+ ;; + none | unknown | *) + newdeplibs= + tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'` + if test yes = "$allow_libtool_libs_with_static_runtimes"; then + for i in $predeps $postdeps; do + # can't use Xsed below, because $i might contain '/' + tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s|$i||"` + done + fi + case $tmp_deplibs in + *[!\ \ ]*) + echo + if test none = "$deplibs_check_method"; then + echo "*** Warning: inter-library dependencies are not supported in this platform." + else + echo "*** Warning: inter-library dependencies are not known to be supported." + fi + echo "*** All declared inter-library dependencies are being dropped." + droppeddeps=yes + ;; + esac + ;; + esac + versuffix=$versuffix_save + major=$major_save + release=$release_save + libname=$libname_save + name=$name_save + + case $host in + *-*-rhapsody* | *-*-darwin1.[012]) + # On Rhapsody replace the C library with the System framework + newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'` + ;; + esac + + if test yes = "$droppeddeps"; then + if test yes = "$module"; then + echo + echo "*** Warning: libtool could not satisfy all declared inter-library" + $ECHO "*** dependencies of module $libname. Therefore, libtool will create" + echo "*** a static module, that should work as long as the dlopening" + echo "*** application is linked with the -dlopen flag." + if test -z "$global_symbol_pipe"; then + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using 'nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** 'nm' from GNU binutils and a full rebuild may help." 
+ fi + if test no = "$build_old_libs"; then + oldlibs=$output_objdir/$libname.$libext + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + else + echo "*** The inter-library dependencies that have been dropped here will be" + echo "*** automatically added whenever a program is linked with this library" + echo "*** or is declared to -dlopen it." + + if test no = "$allow_undefined"; then + echo + echo "*** Since this library must not contain undefined symbols," + echo "*** because either the platform does not support them or" + echo "*** it was explicitly requested with -no-undefined," + echo "*** libtool will only create a static version of it." + if test no = "$build_old_libs"; then + oldlibs=$output_objdir/$libname.$libext + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + fi + fi + fi + # Done checking deplibs! + deplibs=$newdeplibs + fi + # Time to change all our "foo.ltframework" stuff back to "-framework foo" + case $host in + *-*-darwin*) + newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + ;; + esac + + # move library search paths that coincide with paths to not yet + # installed libraries to the beginning of the library search list + new_libs= + for path in $notinst_path; do + case " $new_libs " in + *" -L$path/$objdir "*) ;; + *) + case " $deplibs " in + *" -L$path/$objdir "*) + func_append new_libs " -L$path/$objdir" ;; + esac + ;; + esac + done + for deplib in $deplibs; do + case $deplib in + -L*) + case " $new_libs " in + *" $deplib "*) ;; + *) func_append new_libs " $deplib" ;; + esac + ;; + *) func_append new_libs " $deplib" ;; + esac + done + deplibs=$new_libs + + # All the library-specific variables (install_libdir is set above). 
+ library_names= + old_library= + dlname= + + # Test again, we may have decided not to build it any more + if test yes = "$build_libtool_libs"; then + # Remove $wl instances when linking with ld. + # FIXME: should test the right _cmds variable. + case $archive_cmds in + *\$LD\ *) wl= ;; + esac + if test yes = "$hardcode_into_libs"; then + # Hardcode the library paths + hardcode_libdirs= + dep_rpath= + rpath=$finalize_rpath + test relink = "$opt_mode" || rpath=$compile_rpath$rpath + for libdir in $rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + func_replace_sysroot "$libdir" + libdir=$func_replace_sysroot_result + if test -z "$hardcode_libdirs"; then + hardcode_libdirs=$libdir + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + func_append dep_rpath " $flag" + fi + elif test -n "$runpath_var"; then + case "$perm_rpath " in + *" $libdir "*) ;; + *) func_append perm_rpath " $libdir" ;; + esac + fi + done + # Substitute the hardcoded libdirs into the rpath. + if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir=$hardcode_libdirs + eval "dep_rpath=\"$hardcode_libdir_flag_spec\"" + fi + if test -n "$runpath_var" && test -n "$perm_rpath"; then + # We should set the runpath_var. 
+ rpath= + for dir in $perm_rpath; do + func_append rpath "$dir:" + done + eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" + fi + test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" + fi + + shlibpath=$finalize_shlibpath + test relink = "$opt_mode" || shlibpath=$compile_shlibpath$shlibpath + if test -n "$shlibpath"; then + eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" + fi + + # Get the real and link names of the library. + eval shared_ext=\"$shrext_cmds\" + eval library_names=\"$library_names_spec\" + set dummy $library_names + shift + realname=$1 + shift + + if test -n "$soname_spec"; then + eval soname=\"$soname_spec\" + else + soname=$realname + fi + if test -z "$dlname"; then + dlname=$soname + fi + + lib=$output_objdir/$realname + linknames= + for link + do + func_append linknames " $link" + done + + # Use standard objects if they are pic + test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP` + test "X$libobjs" = "X " && libobjs= + + delfiles= + if test -n "$export_symbols" && test -n "$include_expsyms"; then + $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp" + export_symbols=$output_objdir/$libname.uexp + func_append delfiles " $export_symbols" + fi + + orig_export_symbols= + case $host_os in + cygwin* | mingw* | cegcc*) + if test -n "$export_symbols" && test -z "$export_symbols_regex"; then + # exporting using user supplied symfile + func_dll_def_p "$export_symbols" || { + # and it's NOT already a .def file. Must figure out + # which of the given symbols are data symbols and tag + # them as such. So, trigger use of export_symbols_cmds. + # export_symbols gets reassigned inside the "prepare + # the list of exported symbols" if statement, so the + # include_expsyms logic still works. 
+ orig_export_symbols=$export_symbols + export_symbols= + always_export_symbols=yes + } + fi + ;; + esac + + # Prepare the list of exported symbols + if test -z "$export_symbols"; then + if test yes = "$always_export_symbols" || test -n "$export_symbols_regex"; then + func_verbose "generating symbol list for '$libname.la'" + export_symbols=$output_objdir/$libname.exp + $opt_dry_run || $RM $export_symbols + cmds=$export_symbols_cmds + save_ifs=$IFS; IFS='~' + for cmd1 in $cmds; do + IFS=$save_ifs + # Take the normal branch if the nm_file_list_spec branch + # doesn't work or if tool conversion is not needed. + case $nm_file_list_spec~$to_tool_file_cmd in + *~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*) + try_normal_branch=yes + eval cmd=\"$cmd1\" + func_len " $cmd" + len=$func_len_result + ;; + *) + try_normal_branch=no + ;; + esac + if test yes = "$try_normal_branch" \ + && { test "$len" -lt "$max_cmd_len" \ + || test "$max_cmd_len" -le -1; } + then + func_show_eval "$cmd" 'exit $?' + skipped_export=false + elif test -n "$nm_file_list_spec"; then + func_basename "$output" + output_la=$func_basename_result + save_libobjs=$libobjs + save_output=$output + output=$output_objdir/$output_la.nm + func_to_tool_file "$output" + libobjs=$nm_file_list_spec$func_to_tool_file_result + func_append delfiles " $output" + func_verbose "creating $NM input file list: $output" + for obj in $save_libobjs; do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" + done > "$output" + eval cmd=\"$cmd1\" + func_show_eval "$cmd" 'exit $?' + output=$save_output + libobjs=$save_libobjs + skipped_export=false + else + # The command line is too long to execute in one step. + func_verbose "using reloadable object file for export list..." + skipped_export=: + # Break out early, otherwise skipped_export may be + # set to false by a later but shorter cmd. 
+ break + fi + done + IFS=$save_ifs + if test -n "$export_symbols_regex" && test : != "$skipped_export"; then + func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' + func_show_eval '$MV "${export_symbols}T" "$export_symbols"' + fi + fi + fi + + if test -n "$export_symbols" && test -n "$include_expsyms"; then + tmp_export_symbols=$export_symbols + test -n "$orig_export_symbols" && tmp_export_symbols=$orig_export_symbols + $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' + fi + + if test : != "$skipped_export" && test -n "$orig_export_symbols"; then + # The given exports_symbols file has to be filtered, so filter it. + func_verbose "filter symbol list for '$libname.la' to tag DATA exports" + # FIXME: $output_objdir/$libname.filter potentially contains lots of + # 's' commands, which not all seds can handle. GNU sed should be fine + # though. Also, the filter scales superlinearly with the number of + # global variables. join(1) would be nice here, but unfortunately + # isn't a blessed tool. + $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter + func_append delfiles " $export_symbols $output_objdir/$libname.filter" + export_symbols=$output_objdir/$libname.def + $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols + fi + + tmp_deplibs= + for test_deplib in $deplibs; do + case " $convenience " in + *" $test_deplib "*) ;; + *) + func_append tmp_deplibs " $test_deplib" + ;; + esac + done + deplibs=$tmp_deplibs + + if test -n "$convenience"; then + if test -n "$whole_archive_flag_spec" && + test yes = "$compiler_needs_object" && + test -z "$libobjs"; then + # extract the archives, so we have objects to list. + # TODO: could optimize this to just extract one archive. 
+ whole_archive_flag_spec= + fi + if test -n "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + test "X$libobjs" = "X " && libobjs= + else + gentop=$output_objdir/${outputname}x + func_append generated " $gentop" + + func_extract_archives $gentop $convenience + func_append libobjs " $func_extract_archives_result" + test "X$libobjs" = "X " && libobjs= + fi + fi + + if test yes = "$thread_safe" && test -n "$thread_safe_flag_spec"; then + eval flag=\"$thread_safe_flag_spec\" + func_append linker_flags " $flag" + fi + + # Make a backup of the uninstalled library when relinking + if test relink = "$opt_mode"; then + $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $? + fi + + # Do each of the archive commands. + if test yes = "$module" && test -n "$module_cmds"; then + if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then + eval test_cmds=\"$module_expsym_cmds\" + cmds=$module_expsym_cmds + else + eval test_cmds=\"$module_cmds\" + cmds=$module_cmds + fi + else + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + eval test_cmds=\"$archive_expsym_cmds\" + cmds=$archive_expsym_cmds + else + eval test_cmds=\"$archive_cmds\" + cmds=$archive_cmds + fi + fi + + if test : != "$skipped_export" && + func_len " $test_cmds" && + len=$func_len_result && + test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + : + else + # The command line is too long to link in one step, link piecewise + # or, if using GNU ld and skipped_export is not :, use a linker + # script. + + # Save the value of $output and $libobjs because we want to + # use them later. If we have whole_archive_flag_spec, we + # want to use save_libobjs as it was before + # whole_archive_flag_spec was expanded, because we can't + # assume the linker understands whole_archive_flag_spec. 
+ # This may have to be revisited, in case too many + # convenience libraries get linked in and end up exceeding + # the spec. + if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + fi + save_output=$output + func_basename "$output" + output_la=$func_basename_result + + # Clear the reloadable object creation command queue and + # initialize k to one. + test_cmds= + concat_cmds= + objlist= + last_robj= + k=1 + + if test -n "$save_libobjs" && test : != "$skipped_export" && test yes = "$with_gnu_ld"; then + output=$output_objdir/$output_la.lnkscript + func_verbose "creating GNU ld script: $output" + echo 'INPUT (' > $output + for obj in $save_libobjs + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" >> $output + done + echo ')' >> $output + func_append delfiles " $output" + func_to_tool_file "$output" + output=$func_to_tool_file_result + elif test -n "$save_libobjs" && test : != "$skipped_export" && test -n "$file_list_spec"; then + output=$output_objdir/$output_la.lnk + func_verbose "creating linker input file list: $output" + : > $output + set x $save_libobjs + shift + firstobj= + if test yes = "$compiler_needs_object"; then + firstobj="$1 " + shift + fi + for obj + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" >> $output + done + func_append delfiles " $output" + func_to_tool_file "$output" + output=$firstobj\"$file_list_spec$func_to_tool_file_result\" + else + if test -n "$save_libobjs"; then + func_verbose "creating reloadable object files..." + output=$output_objdir/$output_la-$k.$objext + eval test_cmds=\"$reload_cmds\" + func_len " $test_cmds" + len0=$func_len_result + len=$len0 + + # Loop over the list of objects to be linked. 
+ for obj in $save_libobjs + do + func_len " $obj" + func_arith $len + $func_len_result + len=$func_arith_result + if test -z "$objlist" || + test "$len" -lt "$max_cmd_len"; then + func_append objlist " $obj" + else + # The command $test_cmds is almost too long, add a + # command to the queue. + if test 1 -eq "$k"; then + # The first file doesn't have a previous command to add. + reload_objs=$objlist + eval concat_cmds=\"$reload_cmds\" + else + # All subsequent reloadable object files will link in + # the last one created. + reload_objs="$objlist $last_robj" + eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\" + fi + last_robj=$output_objdir/$output_la-$k.$objext + func_arith $k + 1 + k=$func_arith_result + output=$output_objdir/$output_la-$k.$objext + objlist=" $obj" + func_len " $last_robj" + func_arith $len0 + $func_len_result + len=$func_arith_result + fi + done + # Handle the remaining objects by creating one last + # reloadable object file. All subsequent reloadable object + # files will link in the last one created. + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + reload_objs="$objlist $last_robj" + eval concat_cmds=\"\$concat_cmds$reload_cmds\" + if test -n "$last_robj"; then + eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\" + fi + func_append delfiles " $output" + + else + output= + fi + + ${skipped_export-false} && { + func_verbose "generating symbol list for '$libname.la'" + export_symbols=$output_objdir/$libname.exp + $opt_dry_run || $RM $export_symbols + libobjs=$output + # Append the command to create the export file. + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\" + if test -n "$last_robj"; then + eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\" + fi + } + + test -n "$save_libobjs" && + func_verbose "creating a temporary reloadable object file: $output" + + # Loop through the commands generated above and execute them. 
+ save_ifs=$IFS; IFS='~' + for cmd in $concat_cmds; do + IFS=$save_ifs + $opt_quiet || { + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" + } + $opt_dry_run || eval "$cmd" || { + lt_exit=$? + + # Restore the uninstalled library and exit + if test relink = "$opt_mode"; then + ( cd "$output_objdir" && \ + $RM "${realname}T" && \ + $MV "${realname}U" "$realname" ) + fi + + exit $lt_exit + } + done + IFS=$save_ifs + + if test -n "$export_symbols_regex" && ${skipped_export-false}; then + func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' + func_show_eval '$MV "${export_symbols}T" "$export_symbols"' + fi + fi + + ${skipped_export-false} && { + if test -n "$export_symbols" && test -n "$include_expsyms"; then + tmp_export_symbols=$export_symbols + test -n "$orig_export_symbols" && tmp_export_symbols=$orig_export_symbols + $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' + fi + + if test -n "$orig_export_symbols"; then + # The given exports_symbols file has to be filtered, so filter it. + func_verbose "filter symbol list for '$libname.la' to tag DATA exports" + # FIXME: $output_objdir/$libname.filter potentially contains lots of + # 's' commands, which not all seds can handle. GNU sed should be fine + # though. Also, the filter scales superlinearly with the number of + # global variables. join(1) would be nice here, but unfortunately + # isn't a blessed tool. + $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter + func_append delfiles " $export_symbols $output_objdir/$libname.filter" + export_symbols=$output_objdir/$libname.def + $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols + fi + } + + libobjs=$output + # Restore the value of output. 
+ output=$save_output + + if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + test "X$libobjs" = "X " && libobjs= + fi + # Expand the library linking commands again to reset the + # value of $libobjs for piecewise linking. + + # Do each of the archive commands. + if test yes = "$module" && test -n "$module_cmds"; then + if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then + cmds=$module_expsym_cmds + else + cmds=$module_cmds + fi + else + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + cmds=$archive_expsym_cmds + else + cmds=$archive_cmds + fi + fi + fi + + if test -n "$delfiles"; then + # Append the command to remove temporary files to $cmds. + eval cmds=\"\$cmds~\$RM $delfiles\" + fi + + # Add any objects from preloaded convenience libraries + if test -n "$dlprefiles"; then + gentop=$output_objdir/${outputname}x + func_append generated " $gentop" + + func_extract_archives $gentop $dlprefiles + func_append libobjs " $func_extract_archives_result" + test "X$libobjs" = "X " && libobjs= + fi + + save_ifs=$IFS; IFS='~' + for cmd in $cmds; do + IFS=$sp$nl + eval cmd=\"$cmd\" + IFS=$save_ifs + $opt_quiet || { + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" + } + $opt_dry_run || eval "$cmd" || { + lt_exit=$? + + # Restore the uninstalled library and exit + if test relink = "$opt_mode"; then + ( cd "$output_objdir" && \ + $RM "${realname}T" && \ + $MV "${realname}U" "$realname" ) + fi + + exit $lt_exit + } + done + IFS=$save_ifs + + # Restore the uninstalled library and exit + if test relink = "$opt_mode"; then + $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $? 
+ + if test -n "$convenience"; then + if test -z "$whole_archive_flag_spec"; then + func_show_eval '${RM}r "$gentop"' + fi + fi + + exit $EXIT_SUCCESS + fi + + # Create links to the real library. + for linkname in $linknames; do + if test "$realname" != "$linkname"; then + func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?' + fi + done + + # If -module or -export-dynamic was specified, set the dlname. + if test yes = "$module" || test yes = "$export_dynamic"; then + # On all known operating systems, these are identical. + dlname=$soname + fi + fi + ;; + + obj) + if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then + func_warning "'-dlopen' is ignored for objects" + fi + + case " $deplibs" in + *\ -l* | *\ -L*) + func_warning "'-l' and '-L' are ignored for objects" ;; + esac + + test -n "$rpath" && \ + func_warning "'-rpath' is ignored for objects" + + test -n "$xrpath" && \ + func_warning "'-R' is ignored for objects" + + test -n "$vinfo" && \ + func_warning "'-version-info' is ignored for objects" + + test -n "$release" && \ + func_warning "'-release' is ignored for objects" + + case $output in + *.lo) + test -n "$objs$old_deplibs" && \ + func_fatal_error "cannot build library object '$output' from non-libtool objects" + + libobj=$output + func_lo2o "$libobj" + obj=$func_lo2o_result + ;; + *) + libobj= + obj=$output + ;; + esac + + # Delete the old objects. + $opt_dry_run || $RM $obj $libobj + + # Objects from convenience libraries. This assumes + # single-version convenience libraries. Whenever we create + # different ones for PIC/non-PIC, this we'll have to duplicate + # the extraction. + reload_conv_objs= + gentop= + # if reload_cmds runs $LD directly, get rid of -Wl from + # whole_archive_flag_spec and hope we can get by with turning comma + # into space. 
+ case $reload_cmds in + *\$LD[\ \$]*) wl= ;; + esac + if test -n "$convenience"; then + if test -n "$whole_archive_flag_spec"; then + eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" + test -n "$wl" || tmp_whole_archive_flags=`$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'` + reload_conv_objs=$reload_objs\ $tmp_whole_archive_flags + else + gentop=$output_objdir/${obj}x + func_append generated " $gentop" + + func_extract_archives $gentop $convenience + reload_conv_objs="$reload_objs $func_extract_archives_result" + fi + fi + + # If we're not building shared, we need to use non_pic_objs + test yes = "$build_libtool_libs" || libobjs=$non_pic_objects + + # Create the old-style object. + reload_objs=$objs$old_deplibs' '`$ECHO "$libobjs" | $SP2NL | $SED "/\.$libext$/d; /\.lib$/d; $lo2o" | $NL2SP`' '$reload_conv_objs + + output=$obj + func_execute_cmds "$reload_cmds" 'exit $?' + + # Exit if we aren't doing a library object file. + if test -z "$libobj"; then + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + exit $EXIT_SUCCESS + fi + + test yes = "$build_libtool_libs" || { + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + # Create an invalid libtool object if no PIC, so that we don't + # accidentally link it into a program. + # $show "echo timestamp > $libobj" + # $opt_dry_run || eval "echo timestamp > $libobj" || exit $? + exit $EXIT_SUCCESS + } + + if test -n "$pic_flag" || test default != "$pic_mode"; then + # Only do commands if we really have different PIC objects. + reload_objs="$libobjs $reload_conv_objs" + output=$libobj + func_execute_cmds "$reload_cmds" 'exit $?' 
+ fi + + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + exit $EXIT_SUCCESS + ;; + + prog) + case $host in + *cygwin*) func_stripname '' '.exe' "$output" + output=$func_stripname_result.exe;; + esac + test -n "$vinfo" && \ + func_warning "'-version-info' is ignored for programs" + + test -n "$release" && \ + func_warning "'-release' is ignored for programs" + + $preload \ + && test unknown,unknown,unknown = "$dlopen_support,$dlopen_self,$dlopen_self_static" \ + && func_warning "'LT_INIT([dlopen])' not used. Assuming no dlopen support." + + case $host in + *-*-rhapsody* | *-*-darwin1.[012]) + # On Rhapsody replace the C library is the System framework + compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'` + finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'` + ;; + esac + + case $host in + *-*-darwin*) + # Don't allow lazy linking, it breaks C++ global constructors + # But is supposedly fixed on 10.4 or later (yay!). 
+ if test CXX = "$tagname"; then + case ${MACOSX_DEPLOYMENT_TARGET-10.0} in + 10.[0123]) + func_append compile_command " $wl-bind_at_load" + func_append finalize_command " $wl-bind_at_load" + ;; + esac + fi + # Time to change all our "foo.ltframework" stuff back to "-framework foo" + compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + ;; + esac + + + # move library search paths that coincide with paths to not yet + # installed libraries to the beginning of the library search list + new_libs= + for path in $notinst_path; do + case " $new_libs " in + *" -L$path/$objdir "*) ;; + *) + case " $compile_deplibs " in + *" -L$path/$objdir "*) + func_append new_libs " -L$path/$objdir" ;; + esac + ;; + esac + done + for deplib in $compile_deplibs; do + case $deplib in + -L*) + case " $new_libs " in + *" $deplib "*) ;; + *) func_append new_libs " $deplib" ;; + esac + ;; + *) func_append new_libs " $deplib" ;; + esac + done + compile_deplibs=$new_libs + + + func_append compile_command " $compile_deplibs" + func_append finalize_command " $finalize_deplibs" + + if test -n "$rpath$xrpath"; then + # If the user specified any rpath flags, then add them. + for libdir in $rpath $xrpath; do + # This is the magic to use -rpath. + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + done + fi + + # Now hardcode the library paths + rpath= + hardcode_libdirs= + for libdir in $compile_rpath $finalize_rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs=$libdir + else + # Just accumulate the unique libdirs. 
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + func_append rpath " $flag" + fi + elif test -n "$runpath_var"; then + case "$perm_rpath " in + *" $libdir "*) ;; + *) func_append perm_rpath " $libdir" ;; + esac + fi + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + testbindir=`$ECHO "$libdir" | $SED -e 's*/lib$*/bin*'` + case :$dllsearchpath: in + *":$libdir:"*) ;; + ::) dllsearchpath=$libdir;; + *) func_append dllsearchpath ":$libdir";; + esac + case :$dllsearchpath: in + *":$testbindir:"*) ;; + ::) dllsearchpath=$testbindir;; + *) func_append dllsearchpath ":$testbindir";; + esac + ;; + esac + done + # Substitute the hardcoded libdirs into the rpath. + if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir=$hardcode_libdirs + eval rpath=\" $hardcode_libdir_flag_spec\" + fi + compile_rpath=$rpath + + rpath= + hardcode_libdirs= + for libdir in $finalize_rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs=$libdir + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + func_append rpath " $flag" + fi + elif test -n "$runpath_var"; then + case "$finalize_perm_rpath " in + *" $libdir "*) ;; + *) func_append finalize_perm_rpath " $libdir" ;; + esac + fi + done + # Substitute the hardcoded libdirs into the rpath. 
+ if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir=$hardcode_libdirs + eval rpath=\" $hardcode_libdir_flag_spec\" + fi + finalize_rpath=$rpath + + if test -n "$libobjs" && test yes = "$build_old_libs"; then + # Transform all the library objects into standard objects. + compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP` + finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP` + fi + + func_generate_dlsyms "$outputname" "@PROGRAM@" false + + # template prelinking step + if test -n "$prelink_cmds"; then + func_execute_cmds "$prelink_cmds" 'exit $?' + fi + + wrappers_required=: + case $host in + *cegcc* | *mingw32ce*) + # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway. + wrappers_required=false + ;; + *cygwin* | *mingw* ) + test yes = "$build_libtool_libs" || wrappers_required=false + ;; + *) + if test no = "$need_relink" || test yes != "$build_libtool_libs"; then + wrappers_required=false + fi + ;; + esac + $wrappers_required || { + # Replace the output file specification. + compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'` + link_command=$compile_command$compile_rpath + + # We have no uninstalled library dependencies, so finalize right now. + exit_status=0 + func_show_eval "$link_command" 'exit_status=$?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + + # Delete the generated files. 
+ if test -f "$output_objdir/${outputname}S.$objext"; then + func_show_eval '$RM "$output_objdir/${outputname}S.$objext"' + fi + + exit $exit_status + } + + if test -n "$compile_shlibpath$finalize_shlibpath"; then + compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" + fi + if test -n "$finalize_shlibpath"; then + finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" + fi + + compile_var= + finalize_var= + if test -n "$runpath_var"; then + if test -n "$perm_rpath"; then + # We should set the runpath_var. + rpath= + for dir in $perm_rpath; do + func_append rpath "$dir:" + done + compile_var="$runpath_var=\"$rpath\$$runpath_var\" " + fi + if test -n "$finalize_perm_rpath"; then + # We should set the runpath_var. + rpath= + for dir in $finalize_perm_rpath; do + func_append rpath "$dir:" + done + finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " + fi + fi + + if test yes = "$no_install"; then + # We don't need to create a wrapper script. + link_command=$compile_var$compile_command$compile_rpath + # Replace the output file specification. + link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'` + # Delete the old output file. + $opt_dry_run || $RM $output + # Link the executable and exit + func_show_eval "$link_command" 'exit $?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' 
+ fi + + exit $EXIT_SUCCESS + fi + + case $hardcode_action,$fast_install in + relink,*) + # Fast installation is not supported + link_command=$compile_var$compile_command$compile_rpath + relink_command=$finalize_var$finalize_command$finalize_rpath + + func_warning "this platform does not like uninstalled shared libraries" + func_warning "'$output' will be relinked during installation" + ;; + *,yes) + link_command=$finalize_var$compile_command$finalize_rpath + relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'` + ;; + *,no) + link_command=$compile_var$compile_command$compile_rpath + relink_command=$finalize_var$finalize_command$finalize_rpath + ;; + *,needless) + link_command=$finalize_var$compile_command$finalize_rpath + relink_command= + ;; + esac + + # Replace the output file specification. + link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` + + # Delete the old output files. + $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname + + func_show_eval "$link_command" 'exit $?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output_objdir/$outputname" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + + # Now create the wrapper script. + func_verbose "creating $output" + + # Quote the relink command for shipping. 
+ if test -n "$relink_command"; then + # Preserve any variables that may affect compiler behavior + for var in $variables_saved_for_relink; do + if eval test -z \"\${$var+set}\"; then + relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" + elif eval var_value=\$$var; test -z "$var_value"; then + relink_command="$var=; export $var; $relink_command" + else + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" + fi + done + relink_command="(cd `pwd`; $relink_command)" + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` + fi + + # Only actually do things if not in dry run mode. + $opt_dry_run || { + # win32 will think the script is a binary if it has + # a .exe suffix, so we strip it off here. + case $output in + *.exe) func_stripname '' '.exe' "$output" + output=$func_stripname_result ;; + esac + # test for cygwin because mv fails w/o .exe extensions + case $host in + *cygwin*) + exeext=.exe + func_stripname '' '.exe' "$outputname" + outputname=$func_stripname_result ;; + *) exeext= ;; + esac + case $host in + *cygwin* | *mingw* ) + func_dirname_and_basename "$output" "" "." + output_name=$func_basename_result + output_path=$func_dirname_result + cwrappersource=$output_path/$objdir/lt-$output_name.c + cwrapper=$output_path/$output_name.exe + $RM $cwrappersource $cwrapper + trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15 + + func_emit_cwrapperexe_src > $cwrappersource + + # The wrapper executable is built using the $host compiler, + # because it contains $host paths and files. If cross- + # compiling, it, like the target executable, must be + # executed on the $host or under an emulation environment. 
+ $opt_dry_run || { + $LTCC $LTCFLAGS -o $cwrapper $cwrappersource + $STRIP $cwrapper + } + + # Now, create the wrapper script for func_source use: + func_ltwrapper_scriptname $cwrapper + $RM $func_ltwrapper_scriptname_result + trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15 + $opt_dry_run || { + # note: this script will not be executed, so do not chmod. + if test "x$build" = "x$host"; then + $cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result + else + func_emit_wrapper no > $func_ltwrapper_scriptname_result + fi + } + ;; + * ) + $RM $output + trap "$RM $output; exit $EXIT_FAILURE" 1 2 15 + + func_emit_wrapper no > $output + chmod +x $output + ;; + esac + } + exit $EXIT_SUCCESS + ;; + esac + + # See if we need to build an old-fashioned archive. + for oldlib in $oldlibs; do + + case $build_libtool_libs in + convenience) + oldobjs="$libobjs_save $symfileobj" + addlibs=$convenience + build_libtool_libs=no + ;; + module) + oldobjs=$libobjs_save + addlibs=$old_convenience + build_libtool_libs=no + ;; + *) + oldobjs="$old_deplibs $non_pic_objects" + $preload && test -f "$symfileobj" \ + && func_append oldobjs " $symfileobj" + addlibs=$old_convenience + ;; + esac + + if test -n "$addlibs"; then + gentop=$output_objdir/${outputname}x + func_append generated " $gentop" + + func_extract_archives $gentop $addlibs + func_append oldobjs " $func_extract_archives_result" + fi + + # Do each command in the archive commands. + if test -n "$old_archive_from_new_cmds" && test yes = "$build_libtool_libs"; then + cmds=$old_archive_from_new_cmds + else + + # Add any objects from preloaded convenience libraries + if test -n "$dlprefiles"; then + gentop=$output_objdir/${outputname}x + func_append generated " $gentop" + + func_extract_archives $gentop $dlprefiles + func_append oldobjs " $func_extract_archives_result" + fi + + # POSIX demands no paths to be encoded in archives. 
We have + # to avoid creating archives with duplicate basenames if we + # might have to extract them afterwards, e.g., when creating a + # static archive out of a convenience library, or when linking + # the entirety of a libtool archive into another (currently + # not supported by libtool). + if (for obj in $oldobjs + do + func_basename "$obj" + $ECHO "$func_basename_result" + done | sort | sort -uc >/dev/null 2>&1); then + : + else + echo "copying selected object files to avoid basename conflicts..." + gentop=$output_objdir/${outputname}x + func_append generated " $gentop" + func_mkdir_p "$gentop" + save_oldobjs=$oldobjs + oldobjs= + counter=1 + for obj in $save_oldobjs + do + func_basename "$obj" + objbase=$func_basename_result + case " $oldobjs " in + " ") oldobjs=$obj ;; + *[\ /]"$objbase "*) + while :; do + # Make sure we don't pick an alternate name that also + # overlaps. + newobj=lt$counter-$objbase + func_arith $counter + 1 + counter=$func_arith_result + case " $oldobjs " in + *[\ /]"$newobj "*) ;; + *) if test ! -f "$gentop/$newobj"; then break; fi ;; + esac + done + func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" + func_append oldobjs " $gentop/$newobj" + ;; + *) func_append oldobjs " $obj" ;; + esac + done + fi + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result + eval cmds=\"$old_archive_cmds\" + + func_len " $cmds" + len=$func_len_result + if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + cmds=$old_archive_cmds + elif test -n "$archiver_list_spec"; then + func_verbose "using command file archive linking..." 
+ for obj in $oldobjs + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" + done > $output_objdir/$libname.libcmd + func_to_tool_file "$output_objdir/$libname.libcmd" + oldobjs=" $archiver_list_spec$func_to_tool_file_result" + cmds=$old_archive_cmds + else + # the command line is too long to link in one step, link in parts + func_verbose "using piecewise archive linking..." + save_RANLIB=$RANLIB + RANLIB=: + objlist= + concat_cmds= + save_oldobjs=$oldobjs + oldobjs= + # Is there a better way of finding the last object in the list? + for obj in $save_oldobjs + do + last_oldobj=$obj + done + eval test_cmds=\"$old_archive_cmds\" + func_len " $test_cmds" + len0=$func_len_result + len=$len0 + for obj in $save_oldobjs + do + func_len " $obj" + func_arith $len + $func_len_result + len=$func_arith_result + func_append objlist " $obj" + if test "$len" -lt "$max_cmd_len"; then + : + else + # the above command should be used before it gets too long + oldobjs=$objlist + if test "$obj" = "$last_oldobj"; then + RANLIB=$save_RANLIB + fi + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\$concat_cmds$old_archive_cmds\" + objlist= + len=$len0 + fi + done + RANLIB=$save_RANLIB + oldobjs=$objlist + if test -z "$oldobjs"; then + eval cmds=\"\$concat_cmds\" + else + eval cmds=\"\$concat_cmds~\$old_archive_cmds\" + fi + fi + fi + func_execute_cmds "$cmds" 'exit $?' + done + + test -n "$generated" && \ + func_show_eval "${RM}r$generated" + + # Now create the libtool archive. 
+ case $output in + *.la) + old_library= + test yes = "$build_old_libs" && old_library=$libname.$libext + func_verbose "creating $output" + + # Preserve any variables that may affect compiler behavior + for var in $variables_saved_for_relink; do + if eval test -z \"\${$var+set}\"; then + relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" + elif eval var_value=\$$var; test -z "$var_value"; then + relink_command="$var=; export $var; $relink_command" + else + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" + fi + done + # Quote the link command for shipping. + relink_command="(cd `pwd`; $SHELL \"$progpath\" $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` + if test yes = "$hardcode_automatic"; then + relink_command= + fi + + # Only create the output if not a dry run. + $opt_dry_run || { + for installed in no yes; do + if test yes = "$installed"; then + if test -z "$install_libdir"; then + break + fi + output=$output_objdir/${outputname}i + # Replace all uninstalled libtool libraries with the installed ones + newdependency_libs= + for deplib in $dependency_libs; do + case $deplib in + *.la) + func_basename "$deplib" + name=$func_basename_result + func_resolve_sysroot "$deplib" + eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result` + test -z "$libdir" && \ + func_fatal_error "'$deplib' is not a valid libtool archive" + func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name" + ;; + -L*) + func_stripname -L '' "$deplib" + func_replace_sysroot "$func_stripname_result" + func_append newdependency_libs " -L$func_replace_sysroot_result" + ;; + -R*) + func_stripname -R '' "$deplib" + func_replace_sysroot "$func_stripname_result" + func_append newdependency_libs " -R$func_replace_sysroot_result" + ;; + *) func_append newdependency_libs " 
$deplib" ;; + esac + done + dependency_libs=$newdependency_libs + newdlfiles= + + for lib in $dlfiles; do + case $lib in + *.la) + func_basename "$lib" + name=$func_basename_result + eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $lib` + test -z "$libdir" && \ + func_fatal_error "'$lib' is not a valid libtool archive" + func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name" + ;; + *) func_append newdlfiles " $lib" ;; + esac + done + dlfiles=$newdlfiles + newdlprefiles= + for lib in $dlprefiles; do + case $lib in + *.la) + # Only pass preopened files to the pseudo-archive (for + # eventual linking with the app. that links it) if we + # didn't already link the preopened objects directly into + # the library: + func_basename "$lib" + name=$func_basename_result + eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $lib` + test -z "$libdir" && \ + func_fatal_error "'$lib' is not a valid libtool archive" + func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name" + ;; + esac + done + dlprefiles=$newdlprefiles + else + newdlfiles= + for lib in $dlfiles; do + case $lib in + [\\/]* | [A-Za-z]:[\\/]*) abs=$lib ;; + *) abs=`pwd`"/$lib" ;; + esac + func_append newdlfiles " $abs" + done + dlfiles=$newdlfiles + newdlprefiles= + for lib in $dlprefiles; do + case $lib in + [\\/]* | [A-Za-z]:[\\/]*) abs=$lib ;; + *) abs=`pwd`"/$lib" ;; + esac + func_append newdlprefiles " $abs" + done + dlprefiles=$newdlprefiles + fi + $RM $output + # place dlname in correct position for cygwin + # In fact, it would be nice if we could use this code for all target + # systems that can't hard-code library paths into their executables + # and that have no shared library path variable independent of PATH, + # but it turns out we can't easily determine that from inspecting + # libtool variables, so we have to hard-code the OSs to which it + # applies here; at the moment, that means platforms that use the PE + # object format with DLL files. 
See the long comment at the top of + # tests/bindir.at for full details. + tdlname=$dlname + case $host,$output,$installed,$module,$dlname in + *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) + # If a -bindir argument was supplied, place the dll there. + if test -n "$bindir"; then + func_relative_path "$install_libdir" "$bindir" + tdlname=$func_relative_path_result/$dlname + else + # Otherwise fall back on heuristic. + tdlname=../bin/$dlname + fi + ;; + esac + $ECHO > $output "\ +# $outputname - a libtool library file +# Generated by $PROGRAM (GNU $PACKAGE) $VERSION +# +# Please DO NOT delete this file! +# It is necessary for linking the library. + +# The name that we can dlopen(3). +dlname='$tdlname' + +# Names of this library. +library_names='$library_names' + +# The name of the static archive. +old_library='$old_library' + +# Linker flags that cannot go in dependency_libs. +inherited_linker_flags='$new_inherited_linker_flags' + +# Libraries that this one depends upon. +dependency_libs='$dependency_libs' + +# Names of additional weak libraries provided by this library +weak_library_names='$weak_libs' + +# Version information for $libname. +current=$current +age=$age +revision=$revision + +# Is this an already installed library? +installed=$installed + +# Should we warn about portability when linking against -modules? +shouldnotlink=$module + +# Files to dlopen/dlpreopen +dlopen='$dlfiles' +dlpreopen='$dlprefiles' + +# Directory that this library needs to be installed in: +libdir='$install_libdir'" + if test no,yes = "$installed,$need_relink"; then + $ECHO >> $output "\ +relink_command=\"$relink_command\"" + fi + done + } + + # Do a symbolic link so that the libtool archive can be found in + # LD_LIBRARY_PATH before the program is installed. + func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?' 
+ ;; + esac + exit $EXIT_SUCCESS +} + +if test link = "$opt_mode" || test relink = "$opt_mode"; then + func_mode_link ${1+"$@"} +fi + + +# func_mode_uninstall arg... +func_mode_uninstall () +{ + $debug_cmd + + RM=$nonopt + files= + rmforce=false + exit_status=0 + + # This variable tells wrapper scripts just to set variables rather + # than running their programs. + libtool_install_magic=$magic + + for arg + do + case $arg in + -f) func_append RM " $arg"; rmforce=: ;; + -*) func_append RM " $arg" ;; + *) func_append files " $arg" ;; + esac + done + + test -z "$RM" && \ + func_fatal_help "you must specify an RM program" + + rmdirs= + + for file in $files; do + func_dirname "$file" "" "." + dir=$func_dirname_result + if test . = "$dir"; then + odir=$objdir + else + odir=$dir/$objdir + fi + func_basename "$file" + name=$func_basename_result + test uninstall = "$opt_mode" && odir=$dir + + # Remember odir for removal later, being careful to avoid duplicates + if test clean = "$opt_mode"; then + case " $rmdirs " in + *" $odir "*) ;; + *) func_append rmdirs " $odir" ;; + esac + fi + + # Don't error if the file doesn't exist and rm -f was used. + if { test -L "$file"; } >/dev/null 2>&1 || + { test -h "$file"; } >/dev/null 2>&1 || + test -f "$file"; then + : + elif test -d "$file"; then + exit_status=1 + continue + elif $rmforce; then + continue + fi + + rmfiles=$file + + case $name in + *.la) + # Possibly a libtool archive, so verify it. + if func_lalib_p "$file"; then + func_source $dir/$name + + # Delete the libtool libraries and symlinks. 
+ for n in $library_names; do + func_append rmfiles " $odir/$n" + done + test -n "$old_library" && func_append rmfiles " $odir/$old_library" + + case $opt_mode in + clean) + case " $library_names " in + *" $dlname "*) ;; + *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;; + esac + test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i" + ;; + uninstall) + if test -n "$library_names"; then + # Do each command in the postuninstall commands. + func_execute_cmds "$postuninstall_cmds" '$rmforce || exit_status=1' + fi + + if test -n "$old_library"; then + # Do each command in the old_postuninstall commands. + func_execute_cmds "$old_postuninstall_cmds" '$rmforce || exit_status=1' + fi + # FIXME: should reinstall the best remaining shared library. + ;; + esac + fi + ;; + + *.lo) + # Possibly a libtool object, so verify it. + if func_lalib_p "$file"; then + + # Read the .lo file + func_source $dir/$name + + # Add PIC object to the list of files to remove. + if test -n "$pic_object" && test none != "$pic_object"; then + func_append rmfiles " $dir/$pic_object" + fi + + # Add non-PIC object to the list of files to remove. + if test -n "$non_pic_object" && test none != "$non_pic_object"; then + func_append rmfiles " $dir/$non_pic_object" + fi + fi + ;; + + *) + if test clean = "$opt_mode"; then + noexename=$name + case $file in + *.exe) + func_stripname '' '.exe' "$file" + file=$func_stripname_result + func_stripname '' '.exe' "$name" + noexename=$func_stripname_result + # $file with .exe has already been added to rmfiles, + # add $file without .exe + func_append rmfiles " $file" + ;; + esac + # Do a test to see if this is a libtool program. 
+ if func_ltwrapper_p "$file"; then + if func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + relink_command= + func_source $func_ltwrapper_scriptname_result + func_append rmfiles " $func_ltwrapper_scriptname_result" + else + relink_command= + func_source $dir/$noexename + fi + + # note $name still contains .exe if it was in $file originally + # as does the version of $file that was added into $rmfiles + func_append rmfiles " $odir/$name $odir/${name}S.$objext" + if test yes = "$fast_install" && test -n "$relink_command"; then + func_append rmfiles " $odir/lt-$name" + fi + if test "X$noexename" != "X$name"; then + func_append rmfiles " $odir/lt-$noexename.c" + fi + fi + fi + ;; + esac + func_show_eval "$RM $rmfiles" 'exit_status=1' + done + + # Try to remove the $objdir's in the directories where we deleted files + for dir in $rmdirs; do + if test -d "$dir"; then + func_show_eval "rmdir $dir >/dev/null 2>&1" + fi + done + + exit $exit_status +} + +if test uninstall = "$opt_mode" || test clean = "$opt_mode"; then + func_mode_uninstall ${1+"$@"} +fi + +test -z "$opt_mode" && { + help=$generic_help + func_fatal_help "you must specify a MODE" +} + +test -z "$exec_cmd" && \ + func_fatal_help "invalid operation mode '$opt_mode'" + +if test -n "$exec_cmd"; then + eval exec "$exec_cmd" + exit $EXIT_FAILURE +fi + +exit $exit_status + + +# The TAGs below are defined such that we never get into a situation +# where we disable both kinds of libraries. Given conflicting +# choices, we go for a static library, that is the most portable, +# since we can't tell whether shared libraries were disabled because +# the user asked for that or because the platform doesn't support +# them. This is particularly important on AIX, because we don't +# support having both static and shared libraries enabled at the same +# time on that platform, so we default to a shared-only configuration. 
+# If a disable-shared tag is given, we'll fallback to a static-only +# configuration. But we'll never go from static-only to shared-only. + +# ### BEGIN LIBTOOL TAG CONFIG: disable-shared +build_libtool_libs=no +build_old_libs=yes +# ### END LIBTOOL TAG CONFIG: disable-shared + +# ### BEGIN LIBTOOL TAG CONFIG: disable-static +build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac` +# ### END LIBTOOL TAG CONFIG: disable-static + +# Local Variables: +# mode:shell-script +# sh-indentation:2 +# End: diff --git a/build/missing b/build/missing new file mode 100755 index 0000000..b7e571e --- /dev/null +++ b/build/missing 
@@ -0,0 +1,215 @@
+#!/bin/sh
+# Common wrapper for a few potentially missing GNU programs.
+
+scriptversion=2016-01-11.22; # UTC
+
+# Copyright (C) 1996-2017 Free Software Foundation, Inc.
+# Originally written by Fran,cois Pinard , 1996.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+if test $# -eq 0; then
+ echo 1>&2 "Try '$0 --help' for more information"
+ exit 1
+fi
+
+case $1 in
+
+ --is-lightweight)
+ # Used by our autoconf macros to check whether the available missing
+ # script is modern enough.
+ exit 0
+ ;;
+
+ --run)
+ # Back-compat with the calling convention used by older automake.
+ shift
+ ;;
+
+ -h|--h|--he|--hel|--help)
+ echo "\
+$0 [OPTION]... PROGRAM [ARGUMENT]...
+
+Run 'PROGRAM [ARGUMENT]...', returning a proper advice when this fails due
+to PROGRAM being missing or too old.
+
+Options:
+ -h, --help display this help and exit
+ -v, --version output version information and exit
+
+Supported PROGRAM values:
+ aclocal autoconf autoheader autom4te automake makeinfo
+ bison yacc flex lex help2man
+
+Version suffixes to PROGRAM as well as the prefixes 'gnu-', 'gnu', and
+'g' are ignored when checking the name.
+
+Send bug reports to ."
+ exit $?
+ ;;
+
+ -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
+ echo "missing $scriptversion (GNU Automake)"
+ exit $?
+ ;;
+
+ -*)
+ echo 1>&2 "$0: unknown '$1' option"
+ echo 1>&2 "Try '$0 --help' for more information"
+ exit 1
+ ;;
+
+esac
+
+# Run the given program, remember its exit status.
+"$@"; st=$?
+
+# If it succeeded, we are done.
+test $st -eq 0 && exit 0
+
+# Also exit now if we it failed (or wasn't found), and '--version' was
+# passed; such an option is passed most likely to detect whether the
+# program is present and works.
+case $2 in --version|--help) exit $st;; esac
+
+# Exit code 63 means version mismatch. This often happens when the user
+# tries to use an ancient version of a tool on a file that requires a
+# minimum version.
+if test $st -eq 63; then
+ msg="probably too old"
+elif test $st -eq 127; then
+ # Program was missing.
+ msg="missing on your system"
+else
+ # Program was found and executed, but failed. Give up.
+ exit $st
+fi
+
+perl_URL=http://www.perl.org/
+flex_URL=http://flex.sourceforge.net/
+gnu_software_URL=http://www.gnu.org/software
+
+program_details ()
+{
+ case $1 in
+ aclocal|automake)
+ echo "The '$1' program is part of the GNU Automake package:"
+ echo "<$gnu_software_URL/automake>"
+ echo "It also requires GNU Autoconf, GNU m4 and Perl in order to run:"
+ echo "<$gnu_software_URL/autoconf>"
+ echo "<$gnu_software_URL/m4/>"
+ echo "<$perl_URL>"
+ ;;
+ autoconf|autom4te|autoheader)
+ echo "The '$1' program is part of the GNU Autoconf package:"
+ echo "<$gnu_software_URL/autoconf/>"
+ echo "It also requires GNU m4 and Perl in order to run:"
+ echo "<$gnu_software_URL/m4/>"
+ echo "<$perl_URL>"
+ ;;
+ esac
+}
+
+give_advice ()
+{
+ # Normalize program name to check for.
+ normalized_program=`echo "$1" | sed '
+ s/^gnu-//; t
+ s/^gnu//; t
+ s/^g//; t'`
+
+ printf '%s\n' "'$1' is $msg."
+
+ configure_deps="'configure.ac' or m4 files included by 'configure.ac'"
+ case $normalized_program in
+ autoconf*)
+ echo "You should only need it if you modified 'configure.ac',"
+ echo "or m4 files included by it."
+ program_details 'autoconf'
+ ;;
+ autoheader*)
+ echo "You should only need it if you modified 'acconfig.h' or"
+ echo "$configure_deps."
+ program_details 'autoheader'
+ ;;
+ automake*)
+ echo "You should only need it if you modified 'Makefile.am' or"
+ echo "$configure_deps."
+ program_details 'automake'
+ ;;
+ aclocal*)
+ echo "You should only need it if you modified 'acinclude.m4' or"
+ echo "$configure_deps."
+ program_details 'aclocal'
+ ;;
+ autom4te*)
+ echo "You might have modified some maintainer files that require"
+ echo "the 'autom4te' program to be rebuilt."
+ program_details 'autom4te'
+ ;;
+ bison*|yacc*)
+ echo "You should only need it if you modified a '.y' file."
+ echo "You may want to install the GNU Bison package:"
+ echo "<$gnu_software_URL/bison/>"
+ ;;
+ lex*|flex*)
+ echo "You should only need it if you modified a '.l' file."
+ echo "You may want to install the Fast Lexical Analyzer package:"
+ echo "<$flex_URL>"
+ ;;
+ help2man*)
+ echo "You should only need it if you modified a dependency" \
+ "of a man page."
+ echo "You may want to install the GNU Help2man package:"
+ echo "<$gnu_software_URL/help2man/>"
+ ;;
+ makeinfo*)
+ echo "You should only need it if you modified a '.texi' file, or"
+ echo "any other file indirectly affecting the aspect of the manual."
+ echo "You might want to install the Texinfo package:"
+ echo "<$gnu_software_URL/texinfo/>"
+ echo "The spurious makeinfo call might also be the consequence of"
+ echo "using a buggy 'make' (AIX, DU, IRIX), in which case you might"
+ echo "want to install GNU make:"
+ echo "<$gnu_software_URL/make/>"
+ ;;
+ *)
+ echo "You might have modified some files without having the proper"
+ echo "tools for further handling them. Check the 'README' file, it"
+ echo "often tells you about the needed prerequisites for installing"
+ echo "this package. You may also peek at any GNU archive site, in"
+ echo "case some other package contains this missing '$1' program."
+ ;;
+ esac
+}
+
+give_advice "$1" | sed -e '1s/^/WARNING: /' \
+ -e '2,$s/^/ /' >&2
+
+# Propagate the correct exit status (expected to be 127 for a program
+# not found, 63 for a program that failed due to version mismatch).
+exit $st
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/build/mkinstalldirs b/build/mkinstalldirs
new file mode 100755
index 0000000..a1c49d4
--- /dev/null
+++ b/build/mkinstalldirs
@@ -0,0 +1,162 @@
+#!/bin/sh
+# mkinstalldirs --- make directory hierarchy
+
+scriptversion=2016-01-11.22; # UTC
+
+# Original author: Noah Friedman
+# Created: 1993-05-16
+# Public domain.
+#
+# This file is maintained in Automake, please report
+# bugs to or send patches to
+# .
+
+nl='
+'
+IFS=" "" $nl"
+errstatus=0
+dirmode=
+
+usage="\
+Usage: mkinstalldirs [-h] [--help] [--version] [-m MODE] DIR ...
+
+Create each directory DIR (with mode MODE, if specified), including all
+leading file name components.
+
+Report bugs to ."
+
+# process command line arguments
+while test $# -gt 0 ; do
+ case $1 in
+ -h | --help | --h*) # -h for help
+ echo "$usage"
+ exit $?
+ ;;
+ -m) # -m PERM arg
+ shift
+ test $# -eq 0 && { echo "$usage" 1>&2; exit 1; }
+ dirmode=$1
+ shift
+ ;;
+ --version)
+ echo "$0 $scriptversion"
+ exit $?
+ ;;
+ --) # stop option processing
+ shift
+ break
+ ;;
+ -*) # unknown option
+ echo "$usage" 1>&2
+ exit 1
+ ;;
+ *) # first non-opt arg
+ break
+ ;;
+ esac
+done
+
+for file
+do
+ if test -d "$file"; then
+ shift
+ else
+ break
+ fi
+done
+
+case $# in
+ 0) exit 0 ;;
+esac
+
+# Solaris 8's mkdir -p isn't thread-safe. If you mkdir -p a/b and
+# mkdir -p a/c at the same time, both will detect that a is missing,
+# one will create a, then the other will try to create a and die with
+# a "File exists" error. This is a problem when calling mkinstalldirs
+# from a parallel make. We use --version in the probe to restrict
+# ourselves to GNU mkdir, which is thread-safe.
+case $dirmode in
+ '')
+ if mkdir -p --version . >/dev/null 2>&1 && test ! -d ./--version; then
+ echo "mkdir -p -- $*"
+ exec mkdir -p -- "$@"
+ else
+ # On NextStep and OpenStep, the 'mkdir' command does not
+ # recognize any option. It will interpret all options as
+ # directories to create, and then abort because '.' already
+ # exists.
+ test -d ./-p && rmdir ./-p
+ test -d ./--version && rmdir ./--version
+ fi
+ ;;
+ *)
+ if mkdir -m "$dirmode" -p --version . >/dev/null 2>&1 &&
+ test ! -d ./--version; then
+ echo "mkdir -m $dirmode -p -- $*"
+ exec mkdir -m "$dirmode" -p -- "$@"
+ else
+ # Clean up after NextStep and OpenStep mkdir.
+ for d in ./-m ./-p ./--version "./$dirmode";
+ do
+ test -d $d && rmdir $d
+ done
+ fi
+ ;;
+esac
+
+for file
+do
+ case $file in
+ /*) pathcomp=/ ;;
+ *) pathcomp= ;;
+ esac
+ oIFS=$IFS
+ IFS=/
+ set fnord $file
+ shift
+ IFS=$oIFS
+
+ for d
+ do
+ test "x$d" = x && continue
+
+ pathcomp=$pathcomp$d
+ case $pathcomp in
+ -*) pathcomp=./$pathcomp ;;
+ esac
+
+ if test ! -d "$pathcomp"; then
+ echo "mkdir $pathcomp"
+
+ mkdir "$pathcomp" || lasterr=$?
+
+ if test ! -d "$pathcomp"; then
+ errstatus=$lasterr
+ else
+ if test ! -z "$dirmode"; then
+ echo "chmod $dirmode $pathcomp"
+ lasterr=
+ chmod "$dirmode" "$pathcomp" || lasterr=$?
+
+ if test ! -z "$lasterr"; then
+ errstatus=$lasterr
+ fi
+ fi
+ fi
+ fi
+
+ pathcomp=$pathcomp/
+ done
+done
+
+exit $errstatus
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC0"
+# time-stamp-end: "; # UTC"
+# End:
diff --git a/build/test-driver b/build/test-driver
new file mode 100755
index 0000000..de1e61d
--- /dev/null
+++ b/build/test-driver
@@ -0,0 +1,148 @@ +#!/bin/sh +# test-driver - basic testsuite driver script. + +scriptversion=2016-01-11.22; # UTC + +# Copyright (C) 2011-2017 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to or send patches to +# . + +# Make unconditional expansion of undefined variables an error. This +# helps a lot in preventing typo-related bugs. +set -u + +usage_error () +{ + echo "$0: $*" >&2 + print_usage >&2 + exit 2 +} + +print_usage () +{ + cat <$log_file 2>&1 +estatus=$? 
+ +if test $enable_hard_errors = no && test $estatus -eq 99; then + tweaked_estatus=1 +else + tweaked_estatus=$estatus +fi + +case $tweaked_estatus:$expect_failure in + 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; + 0:*) col=$grn res=PASS recheck=no gcopy=no;; + 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; + 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;; + *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;; + *:*) col=$red res=FAIL recheck=yes gcopy=yes;; +esac + +# Report the test outcome and exit status in the logs, so that one can +# know whether the test passed or failed simply by looking at the '.log' +# file, without the need of also peaking into the corresponding '.trs' +# file (automake bug#11814). +echo "$res $test_name (exit status: $estatus)" >>$log_file + +# Report outcome to console. +echo "${col}${res}${std}: $test_name" + +# Register the test result, and other relevant metadata. +echo ":test-result: $res" > $trs_file +echo ":global-test-result: $res" >> $trs_file +echo ":recheck: $recheck" >> $trs_file +echo ":copy-in-global-log: $gcopy" >> $trs_file + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'write-file-hooks 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End: diff --git a/config.h.in b/config.h.in new file mode 100644 index 0000000..051ed45 --- /dev/null +++ b/config.h.in 
@@ -0,0 +1,752 @@ +/* config.h.in. Generated from configure.ac by autoheader. */ + +/* Absolute path to the build directory */ +#undef ABS_BUILD_DIR + +/* Absolute path to the source directory */ +#undef ABS_SRC_DIR + +/* Define if building universal (internal helper macro) */ +#undef AC_APPLE_UNIVERSAL_BUILD + +/* whether to build unconditionally enable files domain */ +#undef ADD_FILES_DOMAIN + +/* "The default enforcing level for AD GPO access-control" */ +#undef AD_GPO_ACCESS_MODE_DEFAULT + +/* Path to the 3rd party modules */ +#undef APP_MODULES_PATH + +/* whether to build with AUTOFS support */ +#undef BUILD_AUTOFS + +/* whether to build with InfoPipe support */ +#undef BUILD_IFP + +/* whether to build with KCM server support */ +#undef BUILD_KCM + +/* whether to build SSSD implementation of libwbclient */ +#undef BUILD_LIBWBCLIENT + +/* whether to build with NFSv4 IDMAP support */ +#undef BUILD_NFS_IDMAP + +/* whether to build with samba support */ +#undef BUILD_SAMBA + +/* whether to build with SECRETS support */ +#undef BUILD_SECRETS + +/* whether to build with SSH support */ +#undef BUILD_SSH + +/* whether to build with SUDO support */ +#undef BUILD_SUDO + +/* Path to the SSSD data provider plugins */ +#undef DATA_PROVIDER_PLUGINS_PATH + +/* Path to the SSSD databases */ +#undef DB_PATH + +/* The default value of krb5_ccachedir */ +#undef DEFAULT_CCACHE_DIR + +/* The default value of krb5_ccname_template */ +#undef DEFAULT_CCNAME_TEMPLATE + +/* Define to 1 if translation of program messages to the user's native + language is requested. */ +#undef ENABLE_NLS + +/* Where to store GPO policy files */ +#undef GPO_CACHE_PATH + +/* Define to 1 if you have the header file. */ +#undef HAVE_ARES_H + +/* whether platform is big endian */ +#undef HAVE_BIG_ENDIAN + +/* Define to 1 if you have the header file. */ +#undef HAVE_BYTESWAP_H + +/* Define to 1 if you have the MacOS X function CFLocaleCopyCurrent in the + CoreFoundation framework. 
*/ +#undef HAVE_CFLOCALECOPYCURRENT + +/* Define to 1 if you have the MacOS X function CFPreferencesCopyAppValue in + the CoreFoundation framework. */ +#undef HAVE_CFPREFERENCESCOPYAPPVALUE + +/* Define to 1 if you have the header file. */ +#undef HAVE_CHECK_H + +/* Build with cifs idmap plugin */ +#undef HAVE_CIFS_IDMAP_PLUGIN + +/* Define to 1 if the system has the type `DBusBasicValue'. */ +#undef HAVE_DBUSBASICVALUE + +/* Define if dbus_watch_get_unix_fd exists */ +#undef HAVE_DBUS_WATCH_GET_UNIX_FD + +/* Define if the GNU dcgettext() function is already present or preinstalled. + */ +#undef HAVE_DCGETTEXT + +/* Define to 1 if you have the declaration of `cygwin_conv_path', and to 0 if + you don't. */ +#undef HAVE_DECL_CYGWIN_CONV_PATH + +/* Define if you have the GNU dld library. */ +#undef HAVE_DLD + +/* Define to 1 if you have the `dlerror' function. */ +#undef HAVE_DLERROR + +/* Define to 1 if you have the header file. */ +#undef HAVE_DLFCN_H + +/* Define if you have the _dyld_func_lookup function. */ +#undef HAVE_DYLD + +/* Define to 1 if you have the header file. */ +#undef HAVE_ENDIAN_H + +/* Define to 1 if the system has the type `errno_t'. */ +#undef HAVE_ERRNO_T + +/* whether compiler supports __attribute__((destructor)) */ +#undef HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR + +/* whether compiler supports __attribute__((format)) */ +#undef HAVE_FUNCTION_ATTRIBUTE_FORMAT + +/* whether compiler supports __attribute__((warn_unused_result)) */ +#undef HAVE_FUNCTION_ATTRIBUTE_WARN_UNUSED_RESULT + +/* Define to 1 if you have the `futimens' function. */ +#undef HAVE_FUTIMENS + +/* Build with gdm-pam-extensions support */ +#undef HAVE_GDM_PAM_EXTENSIONS + +/* Define to 1 if you have the `getpgrp' function. */ +#undef HAVE_GETPGRP + +/* Define if the GNU gettext() function is already present or preinstalled. 
*/ +#undef HAVE_GETTEXT + +/* Using glib2 for unicode */ +#undef HAVE_GLIB2 + +/* Define if g_utf8_validate exists */ +#undef HAVE_G_UTF8_VALIDATE + +/* Define to 1 if you have the header file. */ +#undef HAVE_HTTP_PARSER_H + +/* Define if you have the iconv() function. */ +#undef HAVE_ICONV + +/* Inotify works */ +#undef HAVE_INOTIFY + +/* Define to 1 if the system has the type `intptr_t'. */ +#undef HAVE_INTPTR_T + +/* Define to 1 if you have the header file. */ +#undef HAVE_INTTYPES_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_JANSSON_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_KEYUTILS_H + +/* Define to 1 if you have the `krb5_cc_cache_match' function. */ +#undef HAVE_KRB5_CC_CACHE_MATCH + +/* Define to 1 if you have the `krb5_cc_get_full_name' function. */ +#undef HAVE_KRB5_CC_GET_FULL_NAME + +/* Define to 1 if you have the `krb5_find_authdata' function. */ +#undef HAVE_KRB5_FIND_AUTHDATA + +/* Define to 1 if you have the `krb5_free_keytab_entry_contents' function. */ +#undef HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS + +/* Define to 1 if you have the `krb5_free_unparsed_name' function. */ +#undef HAVE_KRB5_FREE_UNPARSED_NAME + +/* Define to 1 if you have the `krb5_get_error_message' function. */ +#undef HAVE_KRB5_GET_ERROR_MESSAGE + +/* Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function. */ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + +/* Define to 1 if you have the `krb5_get_init_creds_opt_set_canonicalize' + function. */ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE + +/* Define to 1 if you have the + `krb5_get_init_creds_opt_set_change_password_prompt' function. */ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT + +/* Define to 1 if you have the `krb5_get_init_creds_opt_set_expire_callback' + function. */ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK + +/* Define to 1 if you have the `krb5_get_init_creds_opt_set_fast_ccache_name' + function. 
*/ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME + +/* Define to 1 if you have the `krb5_get_init_creds_opt_set_fast_flags' + function. */ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS + +/* Define to 1 if you have the `krb5_get_init_creds_opt_set_responder' + function. */ +#undef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER + +/* Define to 1 if you have the `krb5_get_time_offsets' function. */ +#undef HAVE_KRB5_GET_TIME_OFFSETS + +/* Define to 1 if you have the header file. */ +#undef HAVE_KRB5_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_KRB5_KRB5_H + +/* Define to 1 if you have the `krb5_kt_free_entry' function. */ +#undef HAVE_KRB5_KT_FREE_ENTRY + +/* Define to 1 if you have the `krb5_kt_have_content' function. */ +#undef HAVE_KRB5_KT_HAVE_CONTENT + +/* Build with krb5 localauth plugin */ +#undef HAVE_KRB5_LOCALAUTH_PLUGIN + +/* Build with krb5 locator plugin */ +#undef HAVE_KRB5_LOCATOR_PLUGIN + +/* Define to 1 if you have the `krb5_parse_name_flags' function. */ +#undef HAVE_KRB5_PARSE_NAME_FLAGS + +/* Define to 1 if you have the `krb5_principal_get_realm' function. */ +#undef HAVE_KRB5_PRINCIPAL_GET_REALM + +/* Define to 1 if you have the `krb5_princ_realm' function. */ +#undef HAVE_KRB5_PRINC_REALM + +/* Define to 1 if you have the `krb5_set_trace_callback' function. */ +#undef HAVE_KRB5_SET_TRACE_CALLBACK + +/* Define to 1 if the system has the type `krb5_ticket_times'. */ +#undef HAVE_KRB5_TICKET_TIMES + +/* Define to 1 if the system has the type `krb5_times'. */ +#undef HAVE_KRB5_TIMES + +/* Define to 1 if you have the `krb5_timestamp_to_sfstring' function. */ +#undef HAVE_KRB5_TIMESTAMP_TO_SFSTRING + +/* Define to 1 if the system has the type `krb5_trace_info'. */ +#undef HAVE_KRB5_TRACE_INFO + +/* Define to 1 if you have the `krb5_unparse_name_flags' function. 
*/ +#undef HAVE_KRB5_UNPARSE_NAME_FLAGS + +/* Define if LDAP connection callbacks are available */ +#undef HAVE_LDAP_CONNCB + +/* Define to 1 if you have the `ldap_control_create' function. */ +#undef HAVE_LDAP_CONTROL_CREATE + +/* Define to 1 if you have the `ldap_create_deref_control_value' function. */ +#undef HAVE_LDAP_CREATE_DEREF_CONTROL_VALUE + +/* Define to 1 if you have the `ldap_derefresponse_free' function. */ +#undef HAVE_LDAP_DEREFRESPONSE_FREE + +/* Define to 1 if you have the `ldap_init_fd' function. */ +#undef HAVE_LDAP_INIT_FD + +/* Define to 1 if you have the `ldap_parse_derefresponse_control' function. */ +#undef HAVE_LDAP_PARSE_DEREFRESPONSE_CONTROL + +/* Define to 1 if you have the header file. */ +#undef HAVE_LDB_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_LDB_MODULE_H + +/* Build with libcrypt crypto back end */ +#undef HAVE_LIBCRYPTO + +/* Build with libcurl support */ +#undef HAVE_LIBCURL + +/* Define if you have the libdl library or equivalent. */ +#undef HAVE_LIBDL + +/* Define if libdlloader will be built on this platform */ +#undef HAVE_LIBDLLOADER + +/* libini_config version 0.6.1 or greater */ +#undef HAVE_LIBINI_CONFIG_V0 + +/* libini_config version 1.0.0 or greater */ +#undef HAVE_LIBINI_CONFIG_V1 + +/* libini_config version 1.1.0 or greater */ +#undef HAVE_LIBINI_CONFIG_V1_1 + +/* libini_config version 1.3.0 or greater */ +#undef HAVE_LIBINI_CONFIG_V1_3 + +/* Build with libnetlink support */ +#undef HAVE_LIBNL + +/* Libnetlink version = 1 */ +#undef HAVE_LIBNL1 + +/* Libnetlink version = 3 */ +#undef HAVE_LIBNL3 + +/* Define if libpcre version is less than 7 */ +#undef HAVE_LIBPCRE_LESSER_THAN_7 + +/* Define if you have the librt library or equivalent. */ +#undef HAVE_LIBRT + +/* Using libunistring for unicode */ +#undef HAVE_LIBUNISTRING + +/* whether platform is little endian */ +#undef HAVE_LITTLE_ENDIAN + +/* Define to 1 if the system has the type `long long'. 
*/ +#undef HAVE_LONG_LONG + +/* Define to 1 if you have the header file. */ +#undef HAVE_MEMORY_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_NETLINK_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_NFSIDMAP_PLUGIN_H + +/* Does libnl have nl_set_passcred? */ +#undef HAVE_NL_SET_PASSCRED + +/* Does libnl have nl_socket_add_membership? */ +#undef HAVE_NL_SOCKET_ADD_MEMBERSHIP + +/* Does libnl have nl_socket_modify_cb? */ +#undef HAVE_NL_SOCKET_MODIFY_CB + +/* Does libnl have nl_socket_set_passcred? */ +#undef HAVE_NL_SOCKET_SET_PASSCRED + +/* flush nscd cache after local domain operations */ +#undef HAVE_NSCD + +/* Build with NSS crypto back end */ +#undef HAVE_NSS + +/* Whether to use the 'realm' directive with nsupdate */ +#undef HAVE_NSUPDATE_REALM + +/* Build with the PAC responder */ +#undef HAVE_PAC_RESPONDER + +/* Define to 1 if you have the `pam_modutil_getlogin' function. */ +#undef HAVE_PAM_MODUTIL_GETLOGIN + +/* Define to 1 if you have the `pam_vsyslog' function. */ +#undef HAVE_PAM_VSYSLOG + +/* Define to 1 if you have the header file. */ +#undef HAVE_PCRE_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_POPT_H + +/* Define to 1 if you have the `prctl' function. */ +#undef HAVE_PRCTL + +/* Pthread mutexes available. */ +#undef HAVE_PTHREAD + +/* Build with python2 bindings */ +#undef HAVE_PYTHON2_BINDINGS + +/* Build with python3 bindings */ +#undef HAVE_PYTHON3_BINDINGS + +/* Does libnl have rtnl_route_get_oif? */ +#undef HAVE_RTNL_ROUTE_GET_OIF + +/* Define to 1 if you have the header file. */ +#undef HAVE_SASL_SASL_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SECURITY_OPENPAM_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SECURITY_PAM_APPL_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SECURITY_PAM_EXT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SECURITY_PAM_MISC_H + +/* Define to 1 if you have the header file. 
*/ +#undef HAVE_SECURITY_PAM_MODULES_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SECURITY_PAM_MODUTIL_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SECURITY__PAM_MACROS_H + +/* Build with SELinux support */ +#undef HAVE_SELINUX + +/* Define to 1 if you have the header file. */ +#undef HAVE_SELINUX_SELINUX_H + +/* Build with SELinux support */ +#undef HAVE_SEMANAGE + +/* Define to 1 if you have the header file. */ +#undef HAVE_SEMANAGE_SEMANAGE_H + +/* Whether the service command is available */ +#undef HAVE_SERVICE + +/* Define to 1 if you have the header file. */ +#undef HAVE_SETJMP_H + +/* Define if you have the shl_load function. */ +#undef HAVE_SHL_LOAD + +/* Define to 1 if you have the `sigaction' function. */ +#undef HAVE_SIGACTION + +/* Define to 1 if you have the `sigblock' function. */ +#undef HAVE_SIGBLOCK + +/* Define to 1 if you have the `sigprocmask' function. */ +#undef HAVE_SIGPROCMASK + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDARG_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDDEF_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDINT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STDLIB_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STRINGS_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STRING_H + +/* Define to 1 if `lc_arg' is a member of `struct ldap_conncb'. */ +#undef HAVE_STRUCT_LDAP_CONNCB_LC_ARG + +/* Define to 1 if `resource_groups' is a member of `struct PAC_LOGON_INFO'. */ +#undef HAVE_STRUCT_PAC_LOGON_INFO_RESOURCE_GROUPS + +/* Define to 1 if `gid' is a member of `struct ucred'. */ +#undef HAVE_STRUCT_UCRED_GID + +/* Define to 1 if `pid' is a member of `struct ucred'. */ +#undef HAVE_STRUCT_UCRED_PID + +/* Define to 1 if `uid' is a member of `struct ucred'. 
*/ +#undef HAVE_STRUCT_UCRED_UID + +/* Build with systemd support */ +#undef HAVE_SYSTEMD + +/* Build with $daemon_lib_name support */ +#undef HAVE_SYSTEMD_DAEMON + +/* Build with $login_lib_name support */ +#undef HAVE_SYSTEMD_LOGIN + +/* Define to 1 if systemtap is enabled */ +#undef HAVE_SYSTEMTAP + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_ENDIAN_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_INOTIFY_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_STAT_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_TYPES_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_TDB_H + +/* Build with certificates from test CA */ +#undef HAVE_TEST_CA + +/* Define if struct ucred is available */ +#undef HAVE_UCRED + +/* Define to 1 if you have the header file. */ +#undef HAVE_UNICASE_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_UNISTD_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_UNISTR_H + +/* Define to 1 if you have the `utimensat' function. */ +#undef HAVE_UTIMENSAT + +/* Define to 1 if you have the header file. */ +#undef HAVE_UUID_UUID_H + +/* The path to the ipa-getkeytab utility */ +#undef IPA_GETKEYTAB_PATH + +/* KRB5 configuration file */ +#undef KRB5_CONF_PATH + +/* Directory used for storing Kerberos replay caches */ +#undef KRB5_RCACHE_DIR + +/* Where to store log files for the SSSD */ +#undef LOG_PATH + +/* Define to the sub-directory where libtool stores uninstalled libraries. 
*/ +#undef LT_OBJDIR + +/* Where to store mmap cache files for the SSSD interconnects */ +#undef MCACHE_PATH + +/* The shell used to deny access to users */ +#undef NOLOGIN_SHELL + +/* whether to build sssd nss plugin with nonstandard glibc behaviour */ +#undef NONSTANDARD_SSS_NSS_BEHAVIOUR + +/* NSCD configuration file */ +#undef NSCD_CONF_PATH + +/* The path to nscd, if available */ +#undef NSCD_PATH + +/* The path to nsupdate */ +#undef NSUPDATE_PATH + +/* Name of package */ +#undef PACKAGE + +/* Define to the address where bug reports for this package should be sent. */ +#undef PACKAGE_BUGREPORT + +/* Define to the full name of this package. */ +#undef PACKAGE_NAME + +/* Define to the full name and version of this package. */ +#undef PACKAGE_STRING + +/* Define to the one symbol short name of this package. */ +#undef PACKAGE_TARNAME + +/* Define to the home page for this package. */ +#undef PACKAGE_URL + +/* Define to the version of this package. */ +#undef PACKAGE_VERSION + +/* Where to store pid files for the SSSD */ +#undef PID_PATH + +/* Where to store pipe files for the SSSD interconnects */ +#undef PIPE_PATH + +/* Prerelease version number of package */ +#undef PRERELEASE_VERSION + +/* Where to store pubconf files for the SSSD */ +#undef PUBCONF_PATH + +/* Path to the SSSD Secrets databases */ +#undef SECRETS_DB_PATH + +/* The path to service */ +#undef SERVICE_PATH + +/* The shell used to record user sessions */ +#undef SESSION_RECORDING_SHELL + +/* The size of `char', as computed by sizeof. */ +#undef SIZEOF_CHAR + +/* The size of `gid_t', as computed by sizeof. */ +#undef SIZEOF_GID_T + +/* The size of `id_t', as computed by sizeof. */ +#undef SIZEOF_ID_T + +/* The size of `int', as computed by sizeof. */ +#undef SIZEOF_INT + +/* The size of `long', as computed by sizeof. */ +#undef SIZEOF_LONG + +/* The size of `long long', as computed by sizeof. */ +#undef SIZEOF_LONG_LONG + +/* The size of `off_t', as computed by sizeof. 
*/ +#undef SIZEOF_OFF_T + +/* The size of `short', as computed by sizeof. */ +#undef SIZEOF_SHORT + +/* The size of `size_t', as computed by sizeof. */ +#undef SIZEOF_SIZE_T + +/* The size of `ssize_t', as computed by sizeof. */ +#undef SIZEOF_SSIZE_T + +/* The size of `uid_t', as computed by sizeof. */ +#undef SIZEOF_UID_T + +/* Detected version of Samba's idmap plugin interface */ +#undef SMB_IDMAP_INTERFACE_VERSION + +/* Path to softhsm2 PKCS#11 module */ +#undef SOFTHSM2_PATH + +/* "The default user to run SSSD as" */ +#undef SSSD_USER + +/* __attribute__((fallthrough)) if supported */ +#undef SSS_ATTRIBUTE_FALLTHROUGH + +/* Define to 1 if you want ldb version check. */ +#undef SSS_LDB_VERSION_CHECK + +/* Define to 1 if you have the ANSI C header files. */ +#undef STDC_HEADERS + +/* Directory used for 'make check' temporary files */ +#undef TEST_DIR + +/* Define if the keyring should be used */ +#undef USE_KEYRING + +/* Enable extensions on AIX 3, Interix. */ +#ifndef _ALL_SOURCE +# undef _ALL_SOURCE +#endif +/* Enable GNU extensions on systems that have them. */ +#ifndef _GNU_SOURCE +# undef _GNU_SOURCE +#endif +/* Enable threading extensions on Solaris. */ +#ifndef _POSIX_PTHREAD_SEMANTICS +# undef _POSIX_PTHREAD_SEMANTICS +#endif +/* Enable extensions on HP NonStop. */ +#ifndef _TANDEM_SOURCE +# undef _TANDEM_SOURCE +#endif +/* Enable general extensions on Solaris. */ +#ifndef __EXTENSIONS__ +# undef __EXTENSIONS__ +#endif + + +/* Version number of package */ +#undef VERSION + +/* journald is available */ +#undef WITH_JOURNALD + +/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel). */ +#if defined AC_APPLE_UNIVERSAL_BUILD +# if defined __BIG_ENDIAN__ +# define WORDS_BIGENDIAN 1 +# endif +#else +# ifndef WORDS_BIGENDIAN +# undef WORDS_BIGENDIAN +# endif +#endif + +/* Define to 1 if on MINIX. 
*/ +#undef _MINIX + +/* Define to 2 if the system does not provide POSIX.1 features except with + this defined. */ +#undef _POSIX_1_SOURCE + +/* Define to 1 if you need to in order for `stat' and other things to work. */ +#undef _POSIX_SOURCE + +/* Define to `short' if does not define. */ +#undef int16_t + +/* Define to `long' if does not define. */ +#undef int32_t + +/* Define to `long long' if does not define. */ +#undef int64_t + +/* Define to `char' if does not define. */ +#undef int8_t + +/* Define to `long long' if does not define. */ +#undef intptr_t + +/* Define to `unsigned long long' if does not define. */ +#undef ptrdiff_t + +/* Define to `unsigned int' if does not define. */ +#undef size_t + +/* Define to `int' if does not define. */ +#undef ssize_t + +/* Define to `unsigned short' if does not define. */ +#undef uint16_t + +/* Define to `unsigned long' if does not define. */ +#undef uint32_t + +/* Define to `unsigned long long' if does not define. */ +#undef uint64_t + +/* Define to `unsigned char' if does not define. */ +#undef uint8_t + +/* Define to `unsigned int' if does not define. */ +#undef uint_t + +/* Define to `unsigned long long' if does not define. */ +#undef uintptr_t diff --git a/configure b/configure new file mode 100755 index 0000000..2974327 --- /dev/null +++ b/configure 
@@ -0,0 +1,30464 @@ +#! /bin/sh +# Guess values for system-dependent variables and create Makefiles. +# Generated by GNU Autoconf 2.69 for sssd 1.16.3. +# +# Report bugs to . +# +# +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +# +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. 
+if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! 
-f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +# Use a proper internal environment variable to ensure we don't fall + # into an infinite loop, continuously re-executing ourselves. + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then + _as_can_reexec=no; export _as_can_reexec; + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +as_fn_exit 255 + fi + # We don't want this to propagate to other subprocesses. + { _as_can_reexec=; unset _as_can_reexec;} +if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. 
Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi +" + as_required="as_fn_return () { (exit \$1); } +as_fn_success () { as_fn_return 0; } +as_fn_failure () { as_fn_return 1; } +as_fn_ret_success () { return 0; } +as_fn_ret_failure () { return 1; } + +exitcode=0 +as_fn_success || { exitcode=1; echo as_fn_success failed.; } +as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } +as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } +as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : + +else + exitcode=1; echo positional parameters were not saved. +fi +test x\$exitcode = x0 || exit 1 +test -x / || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && + test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 +test \$(( 1 + 1 )) = 2 || exit 1 + + test -n \"\${ZSH_VERSION+set}\${BASH_VERSION+set}\" || ( + ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' + ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO + ECHO=\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO\$ECHO + PATH=/empty FPATH=/empty; export PATH FPATH + test \"X\`printf %s \$ECHO\`\" = \"X\$ECHO\" \\ + || test \"X\`print -r -- \$ECHO\`\" = \"X\$ECHO\" ) || exit 1" + if (eval "$as_required") 2>/dev/null; then : + as_have_required=yes +else + as_have_required=no +fi + if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : + +else + as_save_IFS=$IFS; 
IFS=$PATH_SEPARATOR +as_found=false +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + as_found=: + case $as_dir in #( + /*) + for as_base in sh bash ksh sh5; do + # Try only shells that exist, to save several forks. + as_shell=$as_dir/$as_base + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : + CONFIG_SHELL=$as_shell as_have_required=yes + if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : + break 2 +fi +fi + done;; + esac + as_found=false +done +$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : + CONFIG_SHELL=$SHELL as_have_required=yes +fi; } +IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : + export CONFIG_SHELL + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +exit 255 +fi + + if test x$as_have_required = xno; then : + $as_echo "$0: This script requires a shell more modern than all" + $as_echo "$0: the shells that I found on your system." + if test x${ZSH_VERSION+set} = xset ; then + $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" + $as_echo "$0: be upgraded to zsh 4.3.4 or later." 
+ else + $as_echo "$0: Please tell bug-autoconf@gnu.org and +$0: sssd-devel@lists.fedorahosted.org about your system, +$0: including any error possibly output before this +$0: message. Then install a modern shell, or manually run +$0: the script under such a shell if you do have one." + fi + exit 1 +fi +fi +fi +SHELL=${CONFIG_SHELL-/bin/sh} +export SHELL +# Unset more variables known to interfere with behavior of common tools. +CLICOLOR_FORCE= GREP_OPTIONS= +unset CLICOLOR_FORCE GREP_OPTIONS + +## --------------------- ## +## M4sh Shell Functions. ## +## --------------------- ## +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? 
"cannot create directory $as_dir" + + +} # as_fn_mkdir_p + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. 
+as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + + + as_lineno_1=$LINENO as_lineno_1a=$LINENO + as_lineno_2=$LINENO as_lineno_2a=$LINENO + eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && + test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { + # Blame Lee E. McMahon (1931-1989) for sed's syntax. 
:-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have + # already done that, so ensure we don't try to do so again and fall + # in an infinite loop. This has already happened in practice. + _as_can_reexec=no; export _as_can_reexec + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -pR' + fi +else + as_ln_s='cp -pR' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 
2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +as_test_x='test -x' +as_executable_p=as_fn_executable_p + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + +SHELL=${CONFIG_SHELL-/bin/sh} + + +test -n "$DJDIR" || exec 7<&0 &1 + +# Name of the host. +# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, +# so uname gets run too. +ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` + +# +# Initializations. +# +ac_default_prefix=/usr/local +ac_clean_files= +ac_config_libobj_dir=. +LIBOBJS= +cross_compiling=no +subdirs= +MFLAGS= +MAKEFLAGS= + +# Identity of this package. +PACKAGE_NAME='sssd' +PACKAGE_TARNAME='sssd' +PACKAGE_VERSION='1.16.3' +PACKAGE_STRING='sssd 1.16.3' +PACKAGE_BUGREPORT='sssd-devel@lists.fedorahosted.org' +PACKAGE_URL='' + +ac_unique_file="BUILD.txt" +# Factoring default headers for most tests. 
+ac_includes_default="\ +#include +#ifdef HAVE_SYS_TYPES_H +# include +#endif +#ifdef HAVE_SYS_STAT_H +# include +#endif +#ifdef STDC_HEADERS +# include +# include +#else +# ifdef HAVE_STDLIB_H +# include +# endif +#endif +#ifdef HAVE_STRING_H +# if !defined STDC_HEADERS && defined HAVE_MEMORY_H +# include +# endif +# include +#endif +#ifdef HAVE_STRINGS_H +# include +#endif +#ifdef HAVE_INTTYPES_H +# include +#endif +#ifdef HAVE_STDINT_H +# include +#endif +#ifdef HAVE_UNISTD_H +# include +#endif" + +ac_subst_vars='am__EXEEXT_FALSE +am__EXEEXT_TRUE +LTLIBOBJS +LIBOBJS +abs_builddir +HAVE_POLKIT_RULES_D_FALSE +HAVE_POLKIT_RULES_D_TRUE +polkitdir +HAVE_DEVSHM_FALSE +HAVE_DEVSHM_TRUE +BUILD_SYSTEMTAP_FALSE +BUILD_SYSTEMTAP_TRUE +tapset_dir +DTRACE +P11TOOL +SOFTHSM2_UTIL +SOFTHSM2_PATH +BUILD_TEST_CA_FALSE +BUILD_TEST_CA_TRUE +PK12UTIL +CERTUTIL +SSH_KEYGEN +OPENSSL +HAVE_NSS_WRAPPER_FALSE +HAVE_NSS_WRAPPER_TRUE +HAVE_NSS_WRAPPER +HAVE_UID_WRAPPER_FALSE +HAVE_UID_WRAPPER_TRUE +HAVE_UID_WRAPPER +HAVE_CMOCKA_FALSE +HAVE_CMOCKA_TRUE +CMOCKA_LIBS +CMOCKA_CFLAGS +HAVE_CHECK_FALSE +HAVE_CHECK_TRUE +HAVE_DOXYGEN_FALSE +HAVE_DOXYGEN_TRUE +DOXYGEN +CHECK_LIBS +CHECK_CFLAGS +HAVE_INOTIFY_FALSE +HAVE_INOTIFY_TRUE +INOTIFY_LIBS +P11_KIT_LIBS +P11_KIT_CFLAGS +SSL_LIBS +SSL_CFLAGS +CRYPTO_LIBS +CRYPTO_CFLAGS +NSS_LIBS +NSS_CFLAGS +JOURNALD_LIBS +JOURNALD_CFLAGS +SEMANAGE_LIBS +SELINUX_LIBS +BUILD_PYTHON_BINDINGS_FALSE +BUILD_PYTHON_BINDINGS_TRUE +PYTHON3_EXEC_PREFIX +PYTHON3_PREFIX +PYTHON3_VERSION +PYTHON3_INCLUDES +PYTHON3_LIBS +PYTHON3_CFLAGS +python3dir +py3execdir +PYTHON2_EXEC_PREFIX +PYTHON2_PREFIX +PYTHON2_VERSION +PYTHON2_INCLUDES +PYTHON2_LIBS +PYTHON2_CFLAGS +python2dir +py2execdir +PYTHON_CONFIG +pkgpyexecdir +pyexecdir +pkgpythondir +pythondir +PYTHON_PLATFORM +PYTHON_EXEC_PREFIX +PYTHON_PREFIX +PYTHON_VERSION +PYTHON +PYTHON3 +HAVE_PYTHON3 +PYTHON2 +HAVE_PYTHON2 +HAVE_PO4A_FALSE +HAVE_PO4A_TRUE +HAVE_MANPAGES_FALSE +HAVE_MANPAGES_TRUE +HAVE_PROFILE_CATALOGS_FALSE 
+HAVE_PROFILE_CATALOGS_TRUE +DOCBOOK_XSLT +PO4A +XMLLINT +XSLTPROC +DBUS_LIBS +DBUS_CFLAGS +SERVICE +systemdconfdir +systemdunitdir +HAVE_SYSTEMD_UNIT_FALSE +HAVE_SYSTEMD_UNIT_TRUE +HAVE_SYSV_FALSE +HAVE_SYSV_TRUE +LIBNL1_LIBS +LIBNL1_CFLAGS +LIBNL_LIBS +LIBNL_CFLAGS +LIBNL3_LIBS +LIBNL3_CFLAGS +UNICODE_LIBS +GLIB2_LIBS +GLIB2_CFLAGS +WITH_GLIB_FALSE +WITH_GLIB_TRUE +WITH_LIBUNISTRING_FALSE +WITH_LIBUNISTRING_TRUE +BUILD_WITH_LIBCURL_FALSE +BUILD_WITH_LIBCURL_TRUE +JANSSON_CFLAGS +JANSSON_LIBS +CURL_LIBS +CURL_CFLAGS +UUID_CFLAGS +UUID_LIBS +HTTP_PARSER_CFLAGS +HTTP_PARSER_LIBS +INTG_BUILD_FALSE +INTG_BUILD_TRUE +PYTEST +HAVE_FAKEROOT +HAVE_LIBRESOLV_FALSE +HAVE_LIBRESOLV_TRUE +RESOLV_LIBS +RESOLV_CFLAGS +NFSIDMAP_LIBS +NFSIDMAP_CFLAGS +NFSIDMAP_OBJ +SASL_CFLAGS +SASL_LIBS +NDR_KRB5PAC_LIBS +NDR_KRB5PAC_CFLAGS +SMBCLIENT_LIBS +SMBCLIENT_CFLAGS +NDR_NBT_LIBS +NDR_NBT_CFLAGS +BUILD_CIFS_IDMAP_PLUGIN_FALSE +BUILD_CIFS_IDMAP_PLUGIN_TRUE +BUILD_PAC_RESPONDER_FALSE +BUILD_PAC_RESPONDER_TRUE +SYSTEMD_DAEMON_LIBS +SYSTEMD_DAEMON_CFLAGS +SYSTEMD_LOGIN_LIBS +SYSTEMD_LOGIN_CFLAGS +KEYUTILS_LIBS +NSUPDATE +NSCD +CARES_CFLAGS +CARES_LIBS +BUILD_KRB5_LOCALAUTH_PLUGIN_FALSE +BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE +BUILD_KRB5_LOCATOR_PLUGIN_FALSE +BUILD_KRB5_LOCATOR_PLUGIN_TRUE +KRB5_CONFIG +KRB5_LIBS +KRB5_CFLAGS +PCRE_CFLAGS +PCRE_LIBS +HAVE_LDAPMODIFY +SLAPD +OPENLDAP_CFLAGS +OPENLDAP_LIBS +GDM_PAM_EXTENSIONS_LIBS +GDM_PAM_EXTENSIONS_CFLAGS +PAM_MISC_LIBS +PAM_LIBS +INI_CONFIG_LIBS +INI_CONFIG_CFLAGS +INI_CONFIG_V1_3_LIBS +INI_CONFIG_V1_3_CFLAGS +INI_CONFIG_V1_1_LIBS +INI_CONFIG_V1_1_CFLAGS +INI_CONFIG_V1_LIBS +INI_CONFIG_V1_CFLAGS +INI_CONFIG_V0_LIBS +INI_CONFIG_V0_CFLAGS +COLLECTION_LIBS +COLLECTION_CFLAGS +DHASH_LIBS +DHASH_CFLAGS +ldblibdir +LDB_LIBS +LDB_CFLAGS +TEVENT_LIBS +TEVENT_CFLAGS +TDB_LIBS +TDB_CFLAGS +TALLOC_LIBS +TALLOC_CFLAGS +PKG_CONFIG +POPT_CFLAGS +POPT_LIBS +BUILD_KCM_FALSE +BUILD_KCM_TRUE +secdbpath +BUILD_SECRETS_FALSE +BUILD_SECRETS_TRUE +runstatedir 
+SSSD_USER_FALSE +SSSD_USER_TRUE +SSSD_USER +BUILD_LIBWBCLIENT_FALSE +BUILD_LIBWBCLIENT_TRUE +libwbclient_version_info +libwbclient_version +nfslibpath +BUILD_NFS_IDMAP_FALSE +BUILD_NFS_IDMAP_TRUE +BUILD_SAMBA_FALSE +BUILD_SAMBA_TRUE +WITH_JOURNALD_FALSE +WITH_JOURNALD_TRUE +HAVE_LIBCRYPTO_FALSE +HAVE_LIBCRYPTO_TRUE +HAVE_NSS_FALSE +HAVE_NSS_TRUE +BUILD_IFP_FALSE +BUILD_IFP_TRUE +BUILD_SSH_FALSE +BUILD_SSH_TRUE +BUILD_AUTOFS_FALSE +BUILD_AUTOFS_TRUE +sudolibpath +BUILD_SUDO_FALSE +BUILD_SUDO_TRUE +appmodpath +session_recording_shell +gpocachepath +GPO_DEFAULT_ENFORCING_FALSE +GPO_DEFAULT_ENFORCING_TRUE +GPO_DEFAULT +BUILD_SEMANAGE_FALSE +BUILD_SEMANAGE_TRUE +HAVE_SEMANAGE +NSCD_PATH +BUILD_SELINUX_FALSE +BUILD_SELINUX_TRUE +HAVE_SELINUX +winbindpluginpath +cifspluginpath +BUILD_PYTHON3_BINDINGS_FALSE +BUILD_PYTHON3_BINDINGS_TRUE +HAVE_PYTHON3_BINDINGS +BUILD_PYTHON2_BINDINGS_FALSE +BUILD_PYTHON2_BINDINGS_TRUE +HAVE_PYTHON2_BINDINGS +krb5authdatapluginpath +krb5rcachedir +krb5pluginpath +SGML_CATALOG_FILES +HAVE_MANPAGES +TEST_DIR +initdir +environment_file +config_def_ccname_template +config_def_ccache_dir +mcpath +pipepath +pubconfpath +logpath +pidpath +pluginpath +dbpath +ADD_FILES_DOMAIN_FALSE +ADD_FILES_DOMAIN_TRUE +BUILD_DBUS_TESTS_FALSE +BUILD_DBUS_TESTS_TRUE +BUILD_MANPAGES_FALSE +BUILD_MANPAGES_TRUE +HAVE_GENTOO_FALSE +HAVE_GENTOO_TRUE +HAVE_DEBIAN_FALSE +HAVE_DEBIAN_TRUE +HAVE_SUSE_FALSE +HAVE_SUSE_TRUE +HAVE_REDHAT_FALSE +HAVE_REDHAT_TRUE +HAVE_FEDORA_FALSE +HAVE_FEDORA_TRUE +nfsidmaplibdir +pammoddir +nsslibdir +LIBCLOCK_GETTIME +LIBADD_TIMER +HAVE_PTHREAD_FALSE +HAVE_PTHREAD_TRUE +sharedbuilddir +WANT_AUX_INFO_FALSE +WANT_AUX_INFO_TRUE +HAVE_GCC_FALSE +HAVE_GCC_TRUE +GIT_CHECKOUT_FALSE +GIT_CHECKOUT_TRUE +PRERELEASE_VERSION +POSUB +LTLIBINTL +LIBINTL +INTLLIBS +LTLIBICONV +LIBICONV +INTL_MACOSX_LIBS +MSGMERGE +XGETTEXT +GMSGFMT +MSGFMT +USE_NLS +MKINSTALLDIRS +LIBADD_DL +LT_DLPREOPEN +LIBADD_DLD_LINK +LIBADD_SHL_LOAD +LIBADD_DLOPEN +LT_DLLOADERS 
+LT_SYS_LIBRARY_PATH +OTOOL64 +OTOOL +LIPO +NMEDIT +DSYMUTIL +MANIFEST_TOOL +RANLIB +DLLTOOL +OBJDUMP +LN_S +NM +ac_ct_DUMPBIN +DUMPBIN +LD +FGREP +SED +host_os +host_vendor +host_cpu +host +build_os +build_vendor +build_cpu +build +LIBTOOL +ac_ct_AR +AR +AM_BACKSLASH +AM_DEFAULT_VERBOSITY +AM_DEFAULT_V +AM_V +am__fastdepCC_FALSE +am__fastdepCC_TRUE +CCDEPMODE +am__nodep +AMDEPBACKSLASH +AMDEP_FALSE +AMDEP_TRUE +am__quote +am__include +DEPDIR +am__untar +am__tar +AMTAR +am__leading_dot +SET_MAKE +AWK +mkdir_p +MKDIR_P +INSTALL_STRIP_PROGRAM +STRIP +install_sh +MAKEINFO +AUTOHEADER +AUTOMAKE +AUTOCONF +ACLOCAL +VERSION +PACKAGE +CYGPATH_W +am__isrc +INSTALL_DATA +INSTALL_SCRIPT +INSTALL_PROGRAM +EGREP +GREP +CPP +OBJEXT +EXEEXT +ac_ct_CC +CPPFLAGS +LDFLAGS +CFLAGS +CC +target_alias +host_alias +build_alias +LIBS +ECHO_T +ECHO_N +ECHO_C +DEFS +mandir +localedir +libdir +psdir +pdfdir +dvidir +htmldir +infodir +docdir +oldincludedir +includedir +localstatedir +sharedstatedir +sysconfdir +datadir +datarootdir +libexecdir +sbindir +bindir +program_transform_name +prefix +exec_prefix +PACKAGE_URL +PACKAGE_BUGREPORT +PACKAGE_STRING +PACKAGE_VERSION +PACKAGE_TARNAME +PACKAGE_NAME +PATH_SEPARATOR +SHELL' +ac_subst_files='' +ac_user_opts=' +enable_option_checking +enable_dependency_tracking +enable_silent_rules +enable_static +enable_shared +with_pic +enable_fast_install +with_aix_soname +with_gnu_ld +with_sysroot +enable_libtool_lock +enable_nls +enable_rpath +with_libiconv_prefix +with_libintl_prefix +with_shared_build_dir +enable_nsslibdir +enable_pammoddir +enable_nfsidmaplibdir +with_os +enable_all_experimental_features +enable_dbus_tests +enable_sss_default_nss_plugin +enable_files_domain +with_db_path +with_plugin_path +with_pid_path +with_log_path +with_pubconf_path +with_pipe_path +with_mcache_path +with_default_ccache_dir +with_default_ccname_template +with_environment_file +with_init_dir +with_test_dir +with_manpages +with_xml_catalog_path +with_krb5_plugin_path 
+with_krb5_rcache_dir +with_krb5authdata_plugin_path +with_krb5_conf +with_python2_bindings +with_python3_bindings +with_cifs_plugin_path +with_winbind_plugin_path +with_selinux +with_nscd +with_ipa_getkeytab +with_semanage +with_ad_gpo_default +with_gpo_cache_path +with_nologin_shell +with_session_recording_shell +with_app_libs +with_sudo +with_sudo_lib_path +with_autofs +with_ssh +with_infopipe +with_crypto +with_syslog +with_samba +with_nfsv4_idmapd_plugin +with_nfs_lib_path +with_libwbclient +with_sssd_user +with_secrets +with_secrets_db_path +with_kcm +with_ldb_lib_dir +enable_ldb_version_check +enable_krb5_locator_plugin +enable_pac_responder +enable_cifs_idmap_plugin +with_smb_idmap_interface_version +with_unicode_lib +with_libnl +with_nscd_conf +with_initscript +with_systemdunitdir +with_systemdconfdir +enable_systemtap +with_tapset_install_dir +enable_intgcheck_reqs +enable_polkit_rules_path +' + ac_precious_vars='build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +LIBS +CPPFLAGS +CPP +LT_SYS_LIBRARY_PATH +PKG_CONFIG +POPT_CFLAGS +POPT_LIBS +TALLOC_CFLAGS +TALLOC_LIBS +TDB_CFLAGS +TDB_LIBS +TEVENT_CFLAGS +TEVENT_LIBS +LDB_CFLAGS +LDB_LIBS +DHASH_CFLAGS +DHASH_LIBS +COLLECTION_CFLAGS +COLLECTION_LIBS +INI_CONFIG_V0_CFLAGS +INI_CONFIG_V0_LIBS +INI_CONFIG_V1_CFLAGS +INI_CONFIG_V1_LIBS +INI_CONFIG_V1_1_CFLAGS +INI_CONFIG_V1_1_LIBS +INI_CONFIG_V1_3_CFLAGS +INI_CONFIG_V1_3_LIBS +GDM_PAM_EXTENSIONS_CFLAGS +GDM_PAM_EXTENSIONS_LIBS +PCRE_CFLAGS +PCRE_LIBS +KRB5_CFLAGS +KRB5_LIBS +CARES_CFLAGS +CARES_LIBS +SYSTEMD_LOGIN_CFLAGS +SYSTEMD_LOGIN_LIBS +SYSTEMD_DAEMON_CFLAGS +SYSTEMD_DAEMON_LIBS +NDR_NBT_CFLAGS +NDR_NBT_LIBS +NDR_KRB5PAC_CFLAGS +NDR_KRB5PAC_LIBS +SMBCLIENT_CFLAGS +SMBCLIENT_LIBS +SASL_CFLAGS +SASL_LIBS +NFSIDMAP_CFLAGS +NFSIDMAP_LIBS +HTTP_PARSER_CFLAGS +HTTP_PARSER_LIBS +UUID_CFLAGS +UUID_LIBS +CURL_CFLAGS +CURL_LIBS +JANSSON_CFLAGS +JANSSON_LIBS +GLIB2_CFLAGS +GLIB2_LIBS +LIBNL3_CFLAGS +LIBNL3_LIBS +LIBNL1_CFLAGS +LIBNL1_LIBS +DBUS_CFLAGS 
+DBUS_LIBS +PYTHON +JOURNALD_CFLAGS +JOURNALD_LIBS +NSS_CFLAGS +NSS_LIBS +CRYPTO_CFLAGS +CRYPTO_LIBS +SSL_CFLAGS +SSL_LIBS +P11_KIT_CFLAGS +P11_KIT_LIBS +CHECK_CFLAGS +CHECK_LIBS +CMOCKA_CFLAGS +CMOCKA_LIBS' + + +# Initialize some variables set by options. +ac_init_help= +ac_init_version=false +ac_unrecognized_opts= +ac_unrecognized_sep= +# The variables have the same names as the options, with +# dashes changed to underlines. +cache_file=/dev/null +exec_prefix=NONE +no_create= +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +verbose= +x_includes=NONE +x_libraries=NONE + +# Installation directory options. +# These are left unexpanded so users can "make install exec_prefix=/foo" +# and all the variables that are supposed to be based on exec_prefix +# by default will actually change. +# Use braces instead of parens because sh, perl, etc. also accept them. +# (The list follows the same order as the GNU Coding Standards.) +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datarootdir='${prefix}/share' +datadir='${datarootdir}' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +includedir='${prefix}/include' +oldincludedir='/usr/include' +docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' +infodir='${datarootdir}/info' +htmldir='${docdir}' +dvidir='${docdir}' +pdfdir='${docdir}' +psdir='${docdir}' +libdir='${exec_prefix}/lib' +localedir='${datarootdir}/locale' +mandir='${datarootdir}/man' + +ac_prev= +ac_dashdash= +for ac_option +do + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval $ac_prev=\$ac_option + ac_prev= + continue + fi + + case $ac_option in + *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *=) ac_optarg= ;; + *) ac_optarg=yes ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. 
+ + case $ac_dashdash$ac_option in + --) + ac_dashdash=yes ;; + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir=$ac_optarg ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build_alias ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build_alias=$ac_optarg ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file=$ac_optarg ;; + + --config-cache | -C) + cache_file=config.cache ;; + + -datadir | --datadir | --datadi | --datad) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=*) + datadir=$ac_optarg ;; + + -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ + | --dataroo | --dataro | --datar) + ac_prev=datarootdir ;; + -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ + | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) + datarootdir=$ac_optarg ;; + + -disable-* | --disable-*) + ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? 
"invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=no ;; + + -docdir | --docdir | --docdi | --doc | --do) + ac_prev=docdir ;; + -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) + docdir=$ac_optarg ;; + + -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) + ac_prev=dvidir ;; + -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) + dvidir=$ac_optarg ;; + + -enable-* | --enable-*) + ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=\$ac_optarg ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix=$ac_optarg ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. 
+ with_gas=yes ;; + + -help | --help | --hel | --he | -h) + ac_init_help=long ;; + -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) + ac_init_help=recursive ;; + -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) + ac_init_help=short ;; + + -host | --host | --hos | --ho) + ac_prev=host_alias ;; + -host=* | --host=* | --hos=* | --ho=*) + host_alias=$ac_optarg ;; + + -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) + ac_prev=htmldir ;; + -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ + | --ht=*) + htmldir=$ac_optarg ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir=$ac_optarg ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir=$ac_optarg ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir=$ac_optarg ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir=$ac_optarg ;; + + -localedir | --localedir | --localedi | --localed | --locale) + ac_prev=localedir ;; + -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) + localedir=$ac_optarg ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst | --locals) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) + localstatedir=$ac_optarg ;; + + 
-mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir=$ac_optarg ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c | -n) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir=$ac_optarg ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix=$ac_optarg ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix=$ac_optarg ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix=$ac_optarg ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | 
--program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name=$ac_optarg ;; + + -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) + ac_prev=pdfdir ;; + -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) + pdfdir=$ac_optarg ;; + + -psdir | --psdir | --psdi | --psd | --ps) + ac_prev=psdir ;; + -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) + psdir=$ac_optarg ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir=$ac_optarg ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir=$ac_optarg ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site=$ac_optarg ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir=$ac_optarg ;; + + 
-sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir=$ac_optarg ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target_alias ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target_alias=$ac_optarg ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers | -V) + ac_init_version=: ;; + + -with-* | --with-*) + ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=\$ac_optarg ;; + + -without-* | --without-*) + ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=no ;; + + --x) + # Obsolete; use --with-x. 
+ with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes=$ac_optarg ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries=$ac_optarg ;; + + -*) as_fn_error $? "unrecognized option: \`$ac_option' +Try \`$0 --help' for more information" + ;; + + *=*) + ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` + # Reject names that are not valid shell variable names. + case $ac_envvar in #( + '' | [0-9]* | *[!_$as_cr_alnum]* ) + as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; + esac + eval $ac_envvar=\$ac_optarg + export $ac_envvar ;; + + *) + # FIXME: should be removed in autoconf 3.0. + $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && + $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" + ;; + + esac +done + +if test -n "$ac_prev"; then + ac_option=--`echo $ac_prev | sed 's/_/-/g'` + as_fn_error $? "missing argument to $ac_option" +fi + +if test -n "$ac_unrecognized_opts"; then + case $enable_option_checking in + no) ;; + fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; + *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; + esac +fi + +# Check all directory arguments for consistency. 
+for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ + libdir localedir mandir +do + eval ac_val=\$$ac_var + # Remove trailing slashes. + case $ac_val in + */ ) + ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` + eval $ac_var=\$ac_val;; + esac + # Be sure to have absolute directory names. + case $ac_val in + [\\/$]* | ?:[\\/]* ) continue;; + NONE | '' ) case $ac_var in *prefix ) continue;; esac;; + esac + as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" +done + +# There might be people who depend on the old broken behavior: `$host' +# used to hold the argument of --host etc. +# FIXME: To remove some day. +build=$build_alias +host=$host_alias +target=$target_alias + +# FIXME: To remove some day. +if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +fi + +ac_tool_prefix= +test -n "$host_alias" && ac_tool_prefix=$host_alias- + +test "$silent" = yes && exec 6>/dev/null + + +ac_pwd=`pwd` && test -n "$ac_pwd" && +ac_ls_di=`ls -di .` && +ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || + as_fn_error $? "working directory cannot be determined" +test "X$ac_ls_di" = "X$ac_pwd_ls_di" || + as_fn_error $? "pwd does not report name of working directory" + + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then the parent directory. + ac_confdir=`$as_dirname -- "$as_myself" || +$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_myself" : 'X\(//\)[^/]' \| \ + X"$as_myself" : 'X\(//\)$' \| \ + X"$as_myself" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$as_myself" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + srcdir=$ac_confdir + if test ! -r "$srcdir/$ac_unique_file"; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r "$srcdir/$ac_unique_file"; then + test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." + as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" +fi +ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_abs_confdir=`( + cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" + pwd)` +# When building in place, set srcdir=. +if test "$ac_abs_confdir" = "$ac_pwd"; then + srcdir=. +fi +# Remove unnecessary trailing slashes from srcdir. +# Double slashes in file names in object file debugging info +# mess up M-x gdb in Emacs. +case $srcdir in +*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +esac +for ac_var in $ac_precious_vars; do + eval ac_env_${ac_var}_set=\${${ac_var}+set} + eval ac_env_${ac_var}_value=\$${ac_var} + eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} + eval ac_cv_env_${ac_var}_value=\$${ac_var} +done + +# +# Report the --help message. +# +if test "$ac_init_help" = "long"; then + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat <<_ACEOF +\`configure' configures sssd 1.16.3 to adapt to many kinds of systems. + +Usage: $0 [OPTION]... [VAR=VALUE]... + +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. 
+ +Configuration: + -h, --help display this help and exit + --help=short display options specific to this package + --help=recursive display the short help of all the included packages + -V, --version display version information and exit + -q, --quiet, --silent do not print \`checking ...' messages + --cache-file=FILE cache test results in FILE [disabled] + -C, --config-cache alias for \`--cache-file=config.cache' + -n, --no-create do not create output files + --srcdir=DIR find the sources in DIR [configure dir or \`..'] + +Installation directories: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [PREFIX] + +By default, \`make install' will install all the files in +\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +an installation prefix other than \`$ac_default_prefix' using \`--prefix', +for instance \`--prefix=\$HOME'. + +For better control, use the options below. 
+ +Fine tuning of the installation directories: + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation [DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/sssd] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] +_ACEOF + + cat <<\_ACEOF + +Program names: + --program-prefix=PREFIX prepend PREFIX to installed program names + --program-suffix=SUFFIX append SUFFIX to installed program names + --program-transform-name=PROGRAM run sed PROGRAM on installed program names + +System types: + --build=BUILD configure for building on BUILD [guessed] + --host=HOST cross-compile to build programs to run on HOST [BUILD] +_ACEOF +fi + +if test -n "$ac_init_help"; then + case $ac_init_help in + short | recursive ) echo "Configuration of sssd 1.16.3:";; + esac + cat <<\_ACEOF + +Optional Features: + --disable-option-checking ignore unrecognized --enable/--with options + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --enable-dependency-tracking + do not reject slow dependency extractors + --disable-dependency-tracking + 
speeds up one-time build + --enable-silent-rules less verbose build output (undo: "make V=1") + --disable-silent-rules verbose build output (undo: "make V=0") + --enable-static[=PKGS] build static libraries [default=no] + --enable-shared[=PKGS] build shared libraries [default=yes] + --enable-fast-install[=PKGS] + optimize for fast installation [default=yes] + --disable-libtool-lock avoid locking (might break parallel builds) + --disable-nls do not use Native Language Support + --disable-rpath do not hardcode runtime library paths + --enable-nsslibdir Where to install nss libraries ($libdir) + --enable-pammoddir Where to install pam modules ($libdir/security) + --enable-nfsidmaplibdir Where to install libnfsidmap libraries + ($libdir/libnfsidmap) + --enable-all-experimental-features + build all experimental features + --enable-dbus-tests enable running tests using a dbus server instance + [default=yes] + --enable-sss-default-nss-plugin + This option change standard behaviour of sss nss + plugin. If this option is enabled the sss nss plugin + will behave as it was not in nsswitch.conf when sssd + is not running. [default=no] + --enable-files-domain If this feature is enabled, then SSSD always enables + a domain with id_provider=files even if the domain + is not specified in the config file [default=no] + --enable-ldb-version-check + compile with ldb runtime version check [default=no] + --disable-krb5-locator-plugin + do not build Kerberos locator plugin + --enable-pac-responder build pac responder + --disable-cifs-idmap-plugin + do not build CIFS idmap plugin + --enable-systemtap Enable inclusion of systemtap trace support + --enable-intgcheck-reqs enable checking for integration test requirements + [default=no] + --enable-polkit-rules-path=PATH + Path to store polkit rules at. Use --disable to not + install the rules at all. 
+ [/usr/share/polkit-1/rules.d] + + +Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use + both] + --with-aix-soname=aix|svr4|both + shared library versioning (aka "SONAME") variant to + provide on AIX, [default=aix]. + --with-gnu-ld assume the C compiler uses GNU ld [default=no] + --with-sysroot[=DIR] Search for dependent libraries within DIR (or the + compiler's sysroot if not specified). + --with-gnu-ld assume the C compiler uses GNU ld default=no + --with-libiconv-prefix[=DIR] search for libiconv in DIR/include and DIR/lib + --without-libiconv-prefix don't search for libiconv in includedir and libdir + --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib + --without-libintl-prefix don't search for libintl in includedir and libdir + --with-shared-build-dir=DIR + temporary build directory where libraries are + installed [$srcdir/sharedbuild] + --with-os=OS_TYPE Type of your operation system + (fedora|redhat|suse|gentoo) + + --with-db-path=PATH Path to the SSSD databases [/var/lib/sss/db] + + + --with-plugin-path=PATH Path to the SSSD data provider plugins + [/usr/lib/sssd] + + + --with-pid-path=PATH Where to store pid files for the SSSD [/var/run] + + + --with-log-path=PATH Where to store log files for the SSSD + [/var/log/sssd] + + + --with-pubconf-path=PATH + Where to store pubconf files for the SSSD + [/var/lib/sss/pubconf] + + + --with-pipe-path=PATH Where to store pipe files for the SSSD interconnects + [/var/lib/sss/pipes] + + + --with-mcache-path=PATH Where to store mmap cache files for the SSSD + interconnects [/var/lib/sss/mc] + + + --with-default-ccache-dir=CCACHEDIR + The default value of krb5_ccachedir [/tmp] + + + --with-default-ccname-template=CCACHE + The default fallback value of krb5_ccname_template + [FILE:%d/krb5cc_%U_XXXXXX] + + + --with-environment-file=PATH + Path to 
environment file [/etc/sysconfig/sssd] + + + --with-init-dir=DIR Where to store init script for sssd + [/etc/rc.d/init.d] + + + --with-test-dir=PATH Directory used for make check temporary files + [$builddir] + + --with-manpages Whether to regenerate man pages from DocBook sources + [yes] + + --with-xml-catalog-path=PATH + Where to look for XML catalog [/etc/xml/catalog] + + + --with-krb5-plugin-path=PATH + Path to Kerberos plugin store + [/usr/lib/krb5/plugins/libkrb5] + + + --with-krb5-rcache-dir=PATH + Path to store Kerberos replay caches + [__LIBKRB5_DEFAULTS__] + + + --with-krb5authdata-plugin-path=PATH + Path to Kerberos authdata plugin store + [/usr/lib/krb5/plugins/authdata] + + + --with-krb5-conf=PATH Path to krb5.conf file [/etc/krb5.conf] + + + --with-python2-bindings Whether to build python2 bindings [yes] + + --with-python3-bindings Whether to build python3 bindings [yes] + + --with-cifs-plugin-path=PATH + Path to cifs-utils plugin store + [/usr/lib/cifs-utils] + + + --with-winbind-plugin-path=PATH + Path to winbind idmap plugin store + [/usr/lib/samba/idmap] + + + --with-selinux Whether to build with SELinux support [yes] + + --with-nscd=PATH Path to nscd binary to attempt to flush nscd cache + after local domain operations [/usr/sbin/nscd] + + + --with-ipa-getkeytab=PATH + Path to ipa_getkeytab binary to retrieve keytabs + from FreeIPA server [/usr/sbin/ipa-getkeytab] + + + --with-semanage Whether to build with SELinux user management + support [yes] + + --with-ad-gpo-default=enforcing|permissive + Default enforcing level for AD GPO access-control + (enforcing) + + + --with-gpo-cache-path=PATH + Where to store GPO policy files + [/var/lib/sss/gpo_cache] + + + --with-nologin-shell=PATH + The shell used to deny access to users + [/sbin/nologin] + + + --with-session-recording-shell=PATH + The shell used to record user sessions + [/usr/bin/tlog-rec-session] + + + --with-app-libs= Path to the 3rd party application plugins + [/usr/lib/sssd/modules] + + + 
--with-sudo Whether to build with sudo support [yes] + + --with-sudo-lib-path= + Path to the sudo library [/usr/lib/] + + + --with-autofs Whether to build with autofs support [yes] + + --with-ssh Whether to build with SSH support [yes] + + --with-infopipe Whether to build with InfoPipe support [yes] + + --with-crypto=CRYPTO_LIB + The cryptographic library to use (nss|libcrypto). + The default is nss. + + --with-syslog=SYSLOG_TYPE + Type of your system logger (syslog|journald). + [syslog] + + --with-samba Whether to build with samba4 libraries [yes] + + --with-nfsv4-idmapd-plugin + Whether to build with NFSv4 IDMAP support [yes] + + --with-nfs-lib-path= + Path to the NFS library [${libdir}] + + + --with-libwbclient Whether to build SSSD implementation of libwbclient + [yes] + + --with-sssd-user= User for running SSSD (root) + + + --with-secrets Whether to build with secrets support [yes] + + --with-secrets-db-path=PATH + Path to the SSSD databases [/var/lib/sss/secrets] + + + --with-kcm Whether to build with KCM server support [yes] + + --with-ldb-lib-dir=PATH Path to store ldb modules [${libdir}/ldb] + + + --with-smb-idmap-interface-version=5|6 + Idmap interface version of installed Samba + + + --with-unicode-lib= + Which library to use for Unicode processing + (libunistring, glib2) [glib2] + + + --with-libnl Whether to build with libnetlink support (libnl3, + libnl1, no) [auto] + + --with-nscd-conf=PATH Path to nscd.conf file [/etc/nscd.conf] + + + --with-initscript=INITSCRIPT_TYPE + Type of your init script (sysv|systemd). [sysv] + + + --with-systemdunitdir=DIR + Directory for systemd service files [Auto], + + --with-systemdconfdir=DIR + Directory for systemd service file overrides [Auto], + + --with-tapset-install-dir + The absolute path where the tapset dir will be + installed + +Some influential environment variables: + CC C compiler command + CFLAGS C compiler flags + LDFLAGS linker flags, e.g. 
-L if you have libraries in a + nonstandard directory + LIBS libraries to pass to the linker, e.g. -l + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if + you have headers in a nonstandard directory + CPP C preprocessor + LT_SYS_LIBRARY_PATH + User-defined run-time library search path. + PKG_CONFIG path to pkg-config utility + POPT_CFLAGS C compiler flags for POPT, overriding pkg-config + POPT_LIBS linker flags for POPT, overriding pkg-config + TALLOC_CFLAGS + C compiler flags for TALLOC, overriding pkg-config + TALLOC_LIBS linker flags for TALLOC, overriding pkg-config + TDB_CFLAGS C compiler flags for TDB, overriding pkg-config + TDB_LIBS linker flags for TDB, overriding pkg-config + TEVENT_CFLAGS + C compiler flags for TEVENT, overriding pkg-config + TEVENT_LIBS linker flags for TEVENT, overriding pkg-config + LDB_CFLAGS C compiler flags for LDB, overriding pkg-config + LDB_LIBS linker flags for LDB, overriding pkg-config + DHASH_CFLAGS + C compiler flags for DHASH, overriding pkg-config + DHASH_LIBS linker flags for DHASH, overriding pkg-config + COLLECTION_CFLAGS + C compiler flags for COLLECTION, overriding pkg-config + COLLECTION_LIBS + linker flags for COLLECTION, overriding pkg-config + INI_CONFIG_V0_CFLAGS + C compiler flags for INI_CONFIG_V0, overriding pkg-config + INI_CONFIG_V0_LIBS + linker flags for INI_CONFIG_V0, overriding pkg-config + INI_CONFIG_V1_CFLAGS + C compiler flags for INI_CONFIG_V1, overriding pkg-config + INI_CONFIG_V1_LIBS + linker flags for INI_CONFIG_V1, overriding pkg-config + INI_CONFIG_V1_1_CFLAGS + C compiler flags for INI_CONFIG_V1_1, overriding pkg-config + INI_CONFIG_V1_1_LIBS + linker flags for INI_CONFIG_V1_1, overriding pkg-config + INI_CONFIG_V1_3_CFLAGS + C compiler flags for INI_CONFIG_V1_3, overriding pkg-config + INI_CONFIG_V1_3_LIBS + linker flags for INI_CONFIG_V1_3, overriding pkg-config + GDM_PAM_EXTENSIONS_CFLAGS + C compiler flags for GDM_PAM_EXTENSIONS, overriding pkg-config + GDM_PAM_EXTENSIONS_LIBS + 
linker flags for GDM_PAM_EXTENSIONS, overriding pkg-config + PCRE_CFLAGS C compiler flags for PCRE, overriding pkg-config + PCRE_LIBS linker flags for PCRE, overriding pkg-config + KRB5_CFLAGS C compiler flags for kerberos, overriding krb5-config + KRB5_LIBS linker flags for kerberos, overriding krb5-config + CARES_CFLAGS + C compiler flags for CARES, overriding pkg-config + CARES_LIBS linker flags for CARES, overriding pkg-config + SYSTEMD_LOGIN_CFLAGS + C compiler flags for SYSTEMD_LOGIN, overriding pkg-config + SYSTEMD_LOGIN_LIBS + linker flags for SYSTEMD_LOGIN, overriding pkg-config + SYSTEMD_DAEMON_CFLAGS + C compiler flags for SYSTEMD_DAEMON, overriding pkg-config + SYSTEMD_DAEMON_LIBS + linker flags for SYSTEMD_DAEMON, overriding pkg-config + NDR_NBT_CFLAGS + C compiler flags for NDR_NBT, overriding pkg-config + NDR_NBT_LIBS + linker flags for NDR_NBT, overriding pkg-config + NDR_KRB5PAC_CFLAGS + C compiler flags for NDR_KRB5PAC, overriding pkg-config + NDR_KRB5PAC_LIBS + linker flags for NDR_KRB5PAC, overriding pkg-config + SMBCLIENT_CFLAGS + C compiler flags for SMBCLIENT, overriding pkg-config + SMBCLIENT_LIBS + linker flags for SMBCLIENT, overriding pkg-config + SASL_CFLAGS C compiler flags for SASL, overriding pkg-config + SASL_LIBS linker flags for SASL, overriding pkg-config + NFSIDMAP_CFLAGS + C compiler flags for NFSIDMAP, overriding pkg-config + NFSIDMAP_LIBS + linker flags for NFSIDMAP, overriding pkg-config + HTTP_PARSER_CFLAGS + C compiler flags for HTTP_PARSER, overriding pkg-config + HTTP_PARSER_LIBS + linker flags for HTTP_PARSER, overriding pkg-config + UUID_CFLAGS C compiler flags for UUID, overriding pkg-config + UUID_LIBS linker flags for UUID, overriding pkg-config + CURL_CFLAGS C compiler flags for CURL, overriding pkg-config + CURL_LIBS linker flags for CURL, overriding pkg-config + JANSSON_CFLAGS + C compiler flags for JANSSON, overriding pkg-config + JANSSON_LIBS + linker flags for JANSSON, overriding pkg-config + GLIB2_CFLAGS + C 
compiler flags for GLIB2, overriding pkg-config + GLIB2_LIBS linker flags for GLIB2, overriding pkg-config + LIBNL3_CFLAGS + C compiler flags for LIBNL3, overriding pkg-config + LIBNL3_LIBS linker flags for LIBNL3, overriding pkg-config + LIBNL1_CFLAGS + C compiler flags for LIBNL1, overriding pkg-config + LIBNL1_LIBS linker flags for LIBNL1, overriding pkg-config + DBUS_CFLAGS C compiler flags for DBUS, overriding pkg-config + DBUS_LIBS linker flags for DBUS, overriding pkg-config + PYTHON the Python interpreter + JOURNALD_CFLAGS + C compiler flags for JOURNALD, overriding pkg-config + JOURNALD_LIBS + linker flags for JOURNALD, overriding pkg-config + NSS_CFLAGS C compiler flags for NSS, overriding pkg-config + NSS_LIBS linker flags for NSS, overriding pkg-config + CRYPTO_CFLAGS + C compiler flags for CRYPTO, overriding pkg-config + CRYPTO_LIBS linker flags for CRYPTO, overriding pkg-config + SSL_CFLAGS C compiler flags for SSL, overriding pkg-config + SSL_LIBS linker flags for SSL, overriding pkg-config + P11_KIT_CFLAGS + C compiler flags for P11_KIT, overriding pkg-config + P11_KIT_LIBS + linker flags for P11_KIT, overriding pkg-config + CHECK_CFLAGS + C compiler flags for CHECK, overriding pkg-config + CHECK_LIBS linker flags for CHECK, overriding pkg-config + CMOCKA_CFLAGS + C compiler flags for CMOCKA, overriding pkg-config + CMOCKA_LIBS linker flags for CMOCKA, overriding pkg-config + +Use these variables to override the choices made by `configure' or to help +it to find libraries and programs with nonstandard names/locations. + +Report bugs to . +_ACEOF +ac_status=$? +fi + +if test "$ac_init_help" = "recursive"; then + # If there are subdirs, report their specific --help. + for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue + test -d "$ac_dir" || + { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || + continue + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. 
ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + cd "$ac_dir" || { ac_status=$?; continue; } + # Check for guested configure. + if test -f "$ac_srcdir/configure.gnu"; then + echo && + $SHELL "$ac_srcdir/configure.gnu" --help=recursive + elif test -f "$ac_srcdir/configure"; then + echo && + $SHELL "$ac_srcdir/configure" --help=recursive + else + $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi || ac_status=$? + cd "$ac_pwd" || { ac_status=$?; break; } + done +fi + +test -n "$ac_init_help" && exit $ac_status +if $ac_init_version; then + cat <<\_ACEOF +sssd configure 1.16.3 +generated by GNU Autoconf 2.69 + +Copyright (C) 2012 Free Software Foundation, Inc. +This configure script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it. +_ACEOF + exit +fi + +## ------------------------ ## +## Autoconf initialization. 
## +## ------------------------ ## + +# ac_fn_c_try_compile LINENO +# -------------------------- +# Try to compile conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext + if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_compile + +# ac_fn_c_try_cpp LINENO +# ---------------------- +# Try to preprocess conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_cpp () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } > conftest.i && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_cpp + +# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists, giving a warning if it cannot be compiled using +# the include files in INCLUDES and setting the cache variable VAR +# accordingly. +ac_fn_c_check_header_mongrel () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if eval \${$3+:} false; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +else + # Is the header compilable? +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 +$as_echo_n "checking $2 usability... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_header_compiler=yes +else + ac_header_compiler=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 +$as_echo "$ac_header_compiler" >&6; } + +# Is the header present? +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 +$as_echo_n "checking $2 presence... " >&6; } +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include <$2> +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + ac_header_preproc=yes +else + ac_header_preproc=no +fi +rm -f conftest.err conftest.i conftest.$ac_ext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 +$as_echo "$ac_header_preproc" >&6; } + +# So? What about this header? +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( + yes:no: ) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 +$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} + ;; + no:yes:* ) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 +$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 +$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" 
>&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 +$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 +$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 +$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} +( $as_echo "## ------------------------------------------------ ## +## Report this to sssd-devel@lists.fedorahosted.org ## +## ------------------------------------------------ ##" + ) | sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=\$ac_header_compiler" +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_header_mongrel + +# ac_fn_c_try_run LINENO +# ---------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes +# that executables *can* be run. +ac_fn_c_try_run () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then : + ac_retval=0 +else + $as_echo "$as_me: program exited with status $ac_status" >&5 + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=$ac_status +fi + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_run + +# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES +# ------------------------------------------------------- +# Tests whether HEADER exists and can be compiled using the include files in +# INCLUDES, setting the cache variable VAR accordingly. +ac_fn_c_check_header_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +#include <$2> +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_header_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. 
+ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link + +# ac_fn_c_check_func LINENO FUNC VAR +# ---------------------------------- +# Tests whether FUNC exists, setting the cache variable VAR accordingly +ac_fn_c_check_func () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +/* Define $2 to an innocuous variant, in case declares $2. 
+ For example, HP-UX 11i declares gettimeofday. */ +#define $2 innocuous_$2 + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $2 (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $2 + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char $2 (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined __stub_$2 || defined __stub___$2 +choke me +#endif + +int +main () +{ +return $2 (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_func + +# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES +# --------------------------------------------- +# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR +# accordingly. +ac_fn_c_check_decl () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + as_decl_name=`echo $2|sed 's/ *(.*//'` + as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 +$as_echo_n "checking whether $as_decl_name is declared... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +$4 +int +main () +{ +#ifndef $as_decl_name +#ifdef __cplusplus + (void) $as_decl_use; +#else + (void) $as_decl_name; +#endif +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$3=yes" +else + eval "$3=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_decl + +# ac_fn_c_check_type LINENO TYPE VAR INCLUDES +# ------------------------------------------- +# Tests whether TYPE exists after having included INCLUDES, setting cache +# variable VAR accordingly. +ac_fn_c_check_type () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 +$as_echo_n "checking for $2... " >&6; } +if eval \${$3+:} false; then : + $as_echo_n "(cached) " >&6 +else + eval "$3=no" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +if (sizeof ($2)) + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +if (sizeof (($2))) + return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + eval "$3=yes" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$3 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_type + +# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES +# ---------------------------------------------------- +# Tries to find if the field MEMBER exists in type AGGR, after including +# INCLUDES, setting cache variable VAR accordingly. 
+ac_fn_c_check_member () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 +$as_echo_n "checking for $2.$3... " >&6; } +if eval \${$4+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$5 +int +main () +{ +static $2 ac_aggr; +if (ac_aggr.$3) +return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$4=yes" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$5 +int +main () +{ +static $2 ac_aggr; +if (sizeof ac_aggr.$3) +return 0; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + eval "$4=yes" +else + eval "$4=no" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +eval ac_res=\$$4 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + +} # ac_fn_c_check_member + +# ac_fn_c_compute_int LINENO EXPR VAR INCLUDES +# -------------------------------------------- +# Tries to find the compile-time value of EXPR in a program that includes +# INCLUDES, setting VAR accordingly. Returns whether the value could be +# computed +ac_fn_c_compute_int () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if test "$cross_compiling" = yes; then + # Depending upon the size, compute the lo and hi bounds. +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) >= 0)]; +test_array [0] = 0; +return test_array [0]; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_lo=0 ac_mid=0 + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +test_array [0] = 0; +return test_array [0]; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=$ac_mid; break +else + as_fn_arith $ac_mid + 1 && ac_lo=$as_val + if test $ac_lo -le $ac_mid; then + ac_lo= ac_hi= + break + fi + as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) < 0)]; +test_array [0] = 0; +return test_array [0]; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=-1 ac_mid=-1 + while :; do + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) >= $ac_mid)]; +test_array [0] = 0; +return test_array [0]; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_lo=$ac_mid; break +else + as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val + if test $ac_mid -le $ac_hi; then + ac_lo= ac_hi= + break + fi + as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +else + ac_lo= ac_hi= +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +# Binary search between lo and hi bounds. +while test "x$ac_lo" != "x$ac_hi"; do + as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +$4 +int +main () +{ +static int test_array [1 - 2 * !(($2) <= $ac_mid)]; +test_array [0] = 0; +return test_array [0]; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_hi=$ac_mid +else + as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +done +case $ac_lo in #(( +?*) eval "$3=\$ac_lo"; ac_retval=0 ;; +'') ac_retval=1 ;; +esac + else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$4 +static long int longval () { return $2; } +static unsigned long int ulongval () { return $2; } +#include +#include +int +main () +{ + + FILE *f = fopen ("conftest.val", "w"); + if (! f) + return 1; + if (($2) < 0) + { + long int i = longval (); + if (i != ($2)) + return 1; + fprintf (f, "%ld", i); + } + else + { + unsigned long int i = ulongval (); + if (i != ($2)) + return 1; + fprintf (f, "%lu", i); + } + /* Do not output a trailing newline, as this causes \r\n confusion + on some platforms. */ + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + echo >>conftest.val; read $3 config.log <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. + +It was created by sssd $as_me 1.16.3, which was +generated by GNU Autoconf 2.69. Invocation command line was + + $ $0 $@ + +_ACEOF +exec 5>>config.log +{ +cat <<_ASUNAME +## --------- ## +## Platform. 
## +## --------- ## + +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` + +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` + +_ASUNAME + +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + $as_echo "PATH: $as_dir" + done +IFS=$as_save_IFS + +} >&5 + +cat >&5 <<_ACEOF + + +## ----------- ## +## Core tests. ## +## ----------- ## + +_ACEOF + + +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Strip out --silent because we don't want to record it for future runs. +# Also quote any args containing shell meta-characters. +# Make two passes to allow for proper duplicate-argument suppression. 
+ac_configure_args= +ac_configure_args0= +ac_configure_args1= +ac_must_keep_next=false +for ac_pass in 1 2 +do + for ac_arg + do + case $ac_arg in + -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + continue ;; + *\'*) + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case $ac_pass in + 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; + 2) + as_fn_append ac_configure_args1 " '$ac_arg'" + if test $ac_must_keep_next = true; then + ac_must_keep_next=false # Got value, back to normal. + else + case $ac_arg in + *=* | --config-cache | -C | -disable-* | --disable-* \ + | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ + | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ + | -with-* | --with-* | -without-* | --without-* | --x) + case "$ac_configure_args0 " in + "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; + esac + ;; + -* ) ac_must_keep_next=true ;; + esac + fi + as_fn_append ac_configure_args " '$ac_arg'" + ;; + esac + done +done +{ ac_configure_args0=; unset ac_configure_args0;} +{ ac_configure_args1=; unset ac_configure_args1;} + +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + + $as_echo "## ---------------- ## +## Cache variables. 
## +## ---------------- ##" + echo + # The following way of writing the cache mishandles newlines in values, +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + (set) 2>&1 | + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + sed -n \ + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( + *) + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) + echo + + $as_echo "## ----------------- ## +## Output variables. ## +## ----------------- ##" + echo + for ac_var in $ac_subst_vars + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + + if test -n "$ac_subst_files"; then + $as_echo "## ------------------- ## +## File substitutions. ## +## ------------------- ##" + echo + for ac_var in $ac_subst_files + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + fi + + if test -s confdefs.h; then + $as_echo "## ----------- ## +## confdefs.h. 
## +## ----------- ##" + echo + cat confdefs.h + echo + fi + test "$ac_signal" != 0 && + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" + } >&5 + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status +' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -f -r conftest* confdefs.h + +$as_echo "/* confdefs.h */" > confdefs.h + +# Predefined preprocessor variables. + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_URL "$PACKAGE_URL" +_ACEOF + + +# Let the site file select an alternate cache file if it wants to. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE +if test -n "$CONFIG_SITE"; then + # We do not want a PATH search for config.site. 
+ case $CONFIG_SITE in #(( + -*) ac_site_file1=./$CONFIG_SITE;; + */*) ac_site_file1=$CONFIG_SITE;; + *) ac_site_file1=./$CONFIG_SITE;; + esac +elif test "x$prefix" != xNONE; then + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site +else + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site +fi +for ac_site_file in "$ac_site_file1" "$ac_site_file2" +do + test "x$ac_site_file" = xNONE && continue + if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 + . "$ac_site_file" \ + || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "failed to load site script $ac_site_file +See \`config.log' for more details" "$LINENO" 5; } + fi +done + +if test -r "$cache_file"; then + # Some versions of bash will fail to source /dev/null (special files + # actually), so we avoid doing that. DJGPP emulates it as a regular file. + if test /dev/null != "$cache_file" && test -f "$cache_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 +$as_echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; + esac + fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file +fi + +# Check that the precious variables saved in the cache have kept the same +# value. 
+ac_cache_corrupted=false +for ac_var in $ac_precious_vars; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value + case $ac_old_set,$ac_new_set in + set,) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + # differences in whitespace do not lead to failure. + ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. 
Use of quotes ensures accuracy. + *) as_fn_append ac_configure_args " '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 +fi +## -------------------- ## +## Main body of script. ## +## -------------------- ## + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + +ac_aux_dir= +for ac_dir in build "$srcdir"/build; do + if test -f "$ac_dir/install-sh"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install-sh -c" + break + elif test -f "$ac_dir/install.sh"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/install.sh -c" + break + elif test -f "$ac_dir/shtool"; then + ac_aux_dir=$ac_dir + ac_install_sh="$ac_aux_dir/shtool install -c" + break + fi +done +if test -z "$ac_aux_dir"; then + as_fn_error $? "cannot find install-sh, install.sh, or shtool in build \"$srcdir\"/build" "$LINENO" 5 +fi + +# These three variables are undocumented and unsupported, +# and are intended to be withdrawn in a future Autoconf release. +# They can cause serious problems if a builder's source tree is in a directory +# whose full name contains unusual characters. +ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. +ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. +ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. + + + +# Expand $ac_aux_dir to an absolute path. 
+am_aux_dir=`cd "$ac_aux_dir" && pwd` + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +set dummy ${ac_tool_prefix}gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +else + CC="$ac_cv_prog_CC" +fi + +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +set dummy ${ac_tool_prefix}cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi +fi +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + ac_prog_rejected=no +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# != 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. 
+ shift + ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" + fi +fi +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + for ac_prog in cl.exe + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$CC" && break + done +fi +if test -z "$CC"; then + ac_ct_CC=$CC + for ac_prog in cl.exe +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. 
+else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_CC" && break +done + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +fi + +fi + + +test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "no acceptable C compiler found in \$PATH +See \`config.log' for more details" "$LINENO" 5; } + +# Provide some information about the compiler. +$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 +for ac_option in --version -v -V -qversion; do + { { ac_try="$ac_compiler $ac_option >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compiler $ac_option >&5") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + sed '10a\ +... rest of stderr output deleted ... 
+ 10q' conftest.err >conftest.er1 + cat conftest.er1 >&5 + fi + rm -f conftest.er1 conftest.err + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } +done + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { { ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link_default") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. 
+for ac_file in $ac_files '' +do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) + ;; + [ab].out ) + # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. + break;; + * ) + break;; + esac +done +test "$ac_cv_exeext" = no && ac_cv_exeext= + +else + ac_file='' +fi +if test -z "$ac_file"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "C compiler cannot create executables +See \`config.log' for more details" "$LINENO" 5; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +ac_exeext=$ac_cv_exeext + +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... 
" >&6; } +if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in conftest.exe conftest conftest.*; do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + break;; + * ) break;; + esac +done +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest conftest$ac_cv_exeext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +FILE *f = fopen ("conftest.out", "w"); + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +ac_clean_files="$ac_clean_files conftest.out" +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... 
" >&6; } +if test "$cross_compiling" != yes; then + { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if { ac_try='./conftest$ac_cv_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details" "$LINENO" 5; } + fi + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } +if ${ac_cv_objext+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>&5 + ac_status=$? 
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of object files: cannot compile +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } +if ${ac_cv_c_compiler_gnu+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +#ifndef __GNUC__ + choke me +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_compiler_gnu=yes +else + ac_compiler_gnu=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +ac_cv_c_compiler_gnu=$ac_compiler_gnu + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi +ac_test_CFLAGS=${CFLAGS+set} +ac_save_CFLAGS=$CFLAGS +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... 
" >&6; } +if ${ac_cv_prog_cc_g+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_save_c_werror_flag=$ac_c_werror_flag + ac_c_werror_flag=yes + ac_cv_prog_cc_g=no + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +else + CFLAGS="" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + ac_c_werror_flag=$ac_save_c_werror_flag + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_c_werror_flag=$ac_save_c_werror_flag +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } +if test "$ac_test_CFLAGS" = set; then + CFLAGS=$ac_save_CFLAGS +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } +if ${ac_cv_prog_cc_c89+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_prog_cc_c89=no +ac_save_CC=$CC +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +struct stat; +/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. 
*/ +struct buf { int x; }; +FILE * (*rcsopen) (struct buf *, struct stat *, int); +static char *e (p, i) + char **p; + int i; +{ + return p[i]; +} +static char *f (char * (*g) (char **, int), char **p, ...) +{ + char *s; + va_list v; + va_start (v,p); + s = g (p, va_arg (v,int)); + va_end (v); + return s; +} + +/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has + function prototypes and stuff, but not '\xHH' hex character constants. + These don't provoke an error unfortunately, instead are silently treated + as 'x'. The following induces an error, until -std is added to get + proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an + array size at least. It's necessary to write '\x00'==0 to get something + that's true only with -std. */ +int osf4_cc_array ['\x00' == 0 ? 1 : -1]; + +/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters + inside strings and character constants. */ +#define FOO(x) 'x' +int xlc6_cc_array[FOO(a) == 'x' ? 
1 : -1]; + +int test (int i, double x); +struct s1 {int (*f) (int a);}; +struct s2 {int (*f) (double a);}; +int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); +int argc; +char **argv; +int +main () +{ +return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; + ; + return 0; +} +_ACEOF +for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ + -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +do + CC="$ac_save_CC $ac_arg" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_c89=$ac_arg +fi +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c89" != "xno" && break +done +rm -f conftest.$ac_ext +CC=$ac_save_CC + +fi +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c89" in + x) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + xno) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + *) + CC="$CC $ac_cv_prog_cc_c89" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; +esac +if test "x$ac_cv_prog_cc_c89" != xno; then : + +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5 +$as_echo_n "checking whether $CC understands -c and -o together... " >&6; } +if ${am_cv_prog_cc_c_o+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF + # Make sure it works both with $CC and with simple cc. + # Following AC_PROG_CC_C_O, we do the test twice because some + # compilers refuse to overwrite an existing .o file with -o, + # though they will create one. + am_cv_prog_cc_c_o=yes + for am_i in 1 2; do + if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5 + ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } \ + && test -f conftest2.$ac_objext; then + : OK + else + am_cv_prog_cc_c_o=no + break + fi + done + rm -f core conftest* + unset am_i +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5 +$as_echo "$am_cv_prog_cc_c_o" >&6; } +if test "$am_cv_prog_cc_c_o" != yes; then + # Losing compiler, so override with the script. + # FIXME: It is wrong to rewrite CC. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__CC in this case, + # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)" + CC="$am_aux_dir/compile $CC" +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. 
+if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if ${ac_cv_prog_CPP+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + break +fi + + done + ac_cv_prog_CPP=$CPP + +fi + CPP=$ac_cv_prog_CPP +else + ac_cv_prog_CPP=$CPP +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer to if __STDC__ is defined, since + # exists even on freestanding compilers. 
+ # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include +#else +# include +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details" "$LINENO" 5; } +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 +$as_echo_n "checking for grep that handles long lines and -e... " >&6; } +if ${ac_cv_path_GREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -z "$GREP"; then + ac_path_GREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_prog in grep ggrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_GREP" || continue +# Check for GNU ac_path_GREP and select it if it is found. + # Check for GNU $ac_path_GREP +case `"$ac_path_GREP" --version 2>&1` in +*GNU*) + ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'GREP' >> "conftest.nl" + "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_GREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_GREP="$ac_path_GREP" + ac_path_GREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_GREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_GREP"; then + as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_GREP=$GREP +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 +$as_echo "$ac_cv_path_GREP" >&6; } + GREP="$ac_cv_path_GREP" + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 +$as_echo_n "checking for egrep... 
" >&6; } +if ${ac_cv_path_EGREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 + then ac_cv_path_EGREP="$GREP -E" + else + if test -z "$EGREP"; then + ac_path_EGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in egrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_EGREP" || continue +# Check for GNU ac_path_EGREP and select it if it is found. + # Check for GNU $ac_path_EGREP +case `"$ac_path_EGREP" --version 2>&1` in +*GNU*) + ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'EGREP' >> "conftest.nl" + "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_EGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_EGREP="$ac_path_EGREP" + ac_path_EGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_EGREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_EGREP"; then + as_fn_error $? 
"no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_EGREP=$EGREP +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 +$as_echo "$ac_cv_path_EGREP" >&6; } + EGREP="$ac_cv_path_EGREP" + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 +$as_echo_n "checking for ANSI C header files... " >&6; } +if ${ac_cv_header_stdc+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +#include +#include + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_header_stdc=yes +else + ac_cv_header_stdc=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "memchr" >/dev/null 2>&1; then : + +else + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +_ACEOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + $EGREP "free" >/dev/null 2>&1; then : + +else + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. + if test "$cross_compiling" = yes; then : + : +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +#if ((' ' & 0x0FF) == 0x020) +# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +# define TOUPPER(c) (ISLOWER(c) ? 
'A' + ((c) - 'a') : (c)) +#else +# define ISLOWER(c) \ + (('a' <= (c) && (c) <= 'i') \ + || ('j' <= (c) && (c) <= 'r') \ + || ('s' <= (c) && (c) <= 'z')) +# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) +#endif + +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) +int +main () +{ + int i; + for (i = 0; i < 256; i++) + if (XOR (islower (i), ISLOWER (i)) + || toupper (i) != TOUPPER (i)) + return 2; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + +else + ac_cv_header_stdc=no +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 +$as_echo "$ac_cv_header_stdc" >&6; } +if test $ac_cv_header_stdc = yes; then + +$as_echo "#define STDC_HEADERS 1" >>confdefs.h + +fi + +# On IRIX 5.3, sys/types and inttypes.h are conflicting. +for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ + inttypes.h stdint.h unistd.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default +" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + + + ac_fn_c_check_header_mongrel "$LINENO" "minix/config.h" "ac_cv_header_minix_config_h" "$ac_includes_default" +if test "x$ac_cv_header_minix_config_h" = xyes; then : + MINIX=yes +else + MINIX= +fi + + + if test "$MINIX" = yes; then + +$as_echo "#define _POSIX_SOURCE 1" >>confdefs.h + + +$as_echo "#define _POSIX_1_SOURCE 2" >>confdefs.h + + +$as_echo "#define _MINIX 1" >>confdefs.h + + fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether it is safe to define __EXTENSIONS__" >&5 +$as_echo_n "checking whether it is safe to define __EXTENSIONS__... 
" >&6; } +if ${ac_cv_safe_to_define___extensions__+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +# define __EXTENSIONS__ 1 + $ac_includes_default +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_safe_to_define___extensions__=yes +else + ac_cv_safe_to_define___extensions__=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_safe_to_define___extensions__" >&5 +$as_echo "$ac_cv_safe_to_define___extensions__" >&6; } + test $ac_cv_safe_to_define___extensions__ = yes && + $as_echo "#define __EXTENSIONS__ 1" >>confdefs.h + + $as_echo "#define _ALL_SOURCE 1" >>confdefs.h + + $as_echo "#define _GNU_SOURCE 1" >>confdefs.h + + $as_echo "#define _POSIX_PTHREAD_SEMANTICS 1" >>confdefs.h + + $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h + + + +CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" + + +am__api_version='1.15' + +# Find a good install program. We prefer a C program (faster), +# so one script is as good as another. But avoid the broken or +# incompatible versions: +# SysV /etc/install, /usr/sbin/install +# SunOS /usr/etc/install +# IRIX /sbin/install +# AIX /bin/install +# AmigaOS /C/install, which installs bootblocks on floppy discs +# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag +# AFS /usr/afsws/bin/install, which mishandles nonexistent args +# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" +# OS/2's system install, which has a completely different semantic +# ./install, which can be erroneously created by make from ./install.sh. +# Reject install programs that cannot install multiple files. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 +$as_echo_n "checking for a BSD-compatible install... 
" >&6; } +if test -z "$INSTALL"; then +if ${ac_cv_path_install+:} false; then : + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + # Account for people who put trailing slashes in PATH elements. +case $as_dir/ in #(( + ./ | .// | /[cC]/* | \ + /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ + ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ + /usr/ucb/* ) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. + # Don't use installbsd from OSF since it installs stuff as root + # by default. + for ac_prog in ginstall scoinst install; do + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then + if test $ac_prog = install && + grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. + : + elif test $ac_prog = install && + grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then + # program-specific install script used by HP pwplus--don't use. + : + else + rm -rf conftest.one conftest.two conftest.dir + echo one > conftest.one + echo two > conftest.two + mkdir conftest.dir + if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && + test -s conftest.one && test -s conftest.two && + test -s conftest.dir/conftest.one && + test -s conftest.dir/conftest.two + then + ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" + break 3 + fi + fi + fi + done + done + ;; +esac + + done +IFS=$as_save_IFS + +rm -rf conftest.one conftest.two conftest.dir + +fi + if test "${ac_cv_path_install+set}" = set; then + INSTALL=$ac_cv_path_install + else + # As a last resort, use the slow shell script. 
Don't cache a + # value for INSTALL within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + INSTALL=$ac_install_sh + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 +$as_echo "$INSTALL" >&6; } + +# Use test -z because SunOS4 sh mishandles braces in ${var-val}. +# It thinks the first close brace ends the variable substitution. +test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' + +test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' + +test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 +$as_echo_n "checking whether build environment is sane... " >&6; } +# Reject unsafe characters in $srcdir or the absolute working directory +# name. Accept space and tab only in the latter. +am_lf=' +' +case `pwd` in + *[\\\"\#\$\&\'\`$am_lf]*) + as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;; +esac +case $srcdir in + *[\\\"\#\$\&\'\`$am_lf\ \ ]*) + as_fn_error $? "unsafe srcdir value: '$srcdir'" "$LINENO" 5;; +esac + +# Do 'set' in a subshell so we don't clobber the current shell's +# arguments. Must try -L first in case configure is actually a +# symlink; some systems play weird games with the mod time of symlinks +# (eg FreeBSD returns the mod time of the symlink's containing +# directory). +if ( + am_has_slept=no + for am_try in 1 2; do + echo "timestamp, slept: $am_has_slept" > conftest.file + set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` + if test "$*" = "X"; then + # -L didn't work. + set X `ls -t "$srcdir/configure" conftest.file` + fi + if test "$*" != "X $srcdir/configure conftest.file" \ + && test "$*" != "X conftest.file $srcdir/configure"; then + + # If neither matched, then we have a broken ls. 
This can happen + # if, for instance, CONFIG_SHELL is bash and it inherits a + # broken ls alias from the environment. This has actually + # happened. Such a system could not be considered "sane". + as_fn_error $? "ls -t appears to fail. Make sure there is not a broken + alias in your environment" "$LINENO" 5 + fi + if test "$2" = conftest.file || test $am_try -eq 2; then + break + fi + # Just in case. + sleep 1 + am_has_slept=yes + done + test "$2" = conftest.file + ) +then + # Ok. + : +else + as_fn_error $? "newly created file is older than distributed files! +Check your system clock" "$LINENO" 5 +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +# If we didn't sleep, we still need to ensure time stamps of config.status and +# generated files are strictly newer. +am_sleep_pid= +if grep 'slept: no' conftest.file >/dev/null 2>&1; then + ( sleep 1 ) & + am_sleep_pid=$! +fi + +rm -f conftest.file + +test "$program_prefix" != NONE && + program_transform_name="s&^&$program_prefix&;$program_transform_name" +# Use a double $ so make ignores it. +test "$program_suffix" != NONE && + program_transform_name="s&\$&$program_suffix&;$program_transform_name" +# Double any \ or $. +# By default was `s,x,x', remove it if useless. 
+ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' +program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` + +if test x"${MISSING+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; + *) + MISSING="\${SHELL} $am_aux_dir/missing" ;; + esac +fi +# Use eval to expand $SHELL +if eval "$MISSING --is-lightweight"; then + am_missing_run="$MISSING " +else + am_missing_run= + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: 'missing' script is too old or missing" >&5 +$as_echo "$as_me: WARNING: 'missing' script is too old or missing" >&2;} +fi + +if test x"${install_sh+set}" != xset; then + case $am_aux_dir in + *\ * | *\ *) + install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; + *) + install_sh="\${SHELL} $am_aux_dir/install-sh" + esac +fi + +# Installed binaries are usually stripped using 'strip' when the user +# run "make install-strip". However 'strip' might not be the right +# tool to use in cross-compilation environments, therefore Automake +# will honor the 'STRIP' environment variable to overrule this program. +if test "$cross_compiling" != no; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. +set dummy ${ac_tool_prefix}strip; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_STRIP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$STRIP"; then + ac_cv_prog_STRIP="$STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +STRIP=$ac_cv_prog_STRIP +if test -n "$STRIP"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 +$as_echo "$STRIP" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_STRIP"; then + ac_ct_STRIP=$STRIP + # Extract the first word of "strip", so it can be a program name with args. +set dummy strip; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_STRIP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_STRIP"; then + ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP +if test -n "$ac_ct_STRIP"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 +$as_echo "$ac_ct_STRIP" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_STRIP" = x; then + STRIP=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + STRIP=$ac_ct_STRIP + fi +else + STRIP="$ac_cv_prog_STRIP" +fi + +fi +INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 +$as_echo_n "checking for a thread-safe mkdir -p... " >&6; } +if test -z "$MKDIR_P"; then + if ${ac_cv_path_mkdir+:} false; then : + $as_echo_n "(cached) " >&6 +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in mkdir gmkdir; do + for ac_exec_ext in '' $ac_executable_extensions; do + as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext" || continue + case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( + 'mkdir (GNU coreutils) '* | \ + 'mkdir (coreutils) '* | \ + 'mkdir (fileutils) '4.1*) + ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext + break 3;; + esac + done + done + done +IFS=$as_save_IFS + +fi + + test -d ./--version && rmdir ./--version + if test "${ac_cv_path_mkdir+set}" = set; then + MKDIR_P="$ac_cv_path_mkdir -p" + else + # As a last resort, use the slow shell script. 
Don't cache a + # value for MKDIR_P within a source directory, because that will + # break other packages using the cache if that directory is + # removed, or if the value is a relative name. + MKDIR_P="$ac_install_sh -d" + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 +$as_echo "$MKDIR_P" >&6; } + +for ac_prog in gawk mawk nawk awk +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_AWK+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$AWK"; then + ac_cv_prog_AWK="$AWK" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AWK="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +AWK=$ac_cv_prog_AWK +if test -n "$AWK"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 +$as_echo "$AWK" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AWK" && break +done + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 +$as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } +set x ${MAKE-make} +ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` +if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat >conftest.make <<\_ACEOF +SHELL = /bin/sh +all: + @echo '@@@%%%=$(MAKE)=@@@%%%' +_ACEOF +# GNU make sometimes prints "make[1]: Entering ...", which would confuse us. 
+case `${MAKE-make} -f conftest.make 2>/dev/null` in + *@@@%%%=?*=@@@%%%*) + eval ac_cv_prog_make_${ac_make}_set=yes;; + *) + eval ac_cv_prog_make_${ac_make}_set=no;; +esac +rm -f conftest.make +fi +if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + SET_MAKE= +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + SET_MAKE="MAKE=${MAKE-make}" +fi + +rm -rf .tst 2>/dev/null +mkdir .tst 2>/dev/null +if test -d .tst; then + am__leading_dot=. +else + am__leading_dot=_ +fi +rmdir .tst 2>/dev/null + +DEPDIR="${am__leading_dot}deps" + +ac_config_commands="$ac_config_commands depfiles" + + +am_make=${MAKE-make} +cat > confinc << 'END' +am__doit: + @echo this is the am__doit target +.PHONY: am__doit +END +# If we don't find an include directive, just comment out the code. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 +$as_echo_n "checking for style of include used by $am_make... " >&6; } +am__include="#" +am__quote= +_am_result=none +# First try GNU make style include. +echo "include confinc" > confmf +# Ignore all kinds of additional output from 'make'. +case `$am_make -s -f confmf 2> /dev/null` in #( +*the\ am__doit\ target*) + am__include=include + am__quote= + _am_result=GNU + ;; +esac +# Now try BSD make style include. +if test "$am__include" = "#"; then + echo '.include "confinc"' > confmf + case `$am_make -s -f confmf 2> /dev/null` in #( + *the\ am__doit\ target*) + am__include=.include + am__quote="\"" + _am_result=BSD + ;; + esac +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 +$as_echo "$_am_result" >&6; } +rm -f confinc confmf + +# Check whether --enable-dependency-tracking was given. 
+if test "${enable_dependency_tracking+set}" = set; then : + enableval=$enable_dependency_tracking; +fi + +if test "x$enable_dependency_tracking" != xno; then + am_depcomp="$ac_aux_dir/depcomp" + AMDEPBACKSLASH='\' + am__nodep='_no' +fi + if test "x$enable_dependency_tracking" != xno; then + AMDEP_TRUE= + AMDEP_FALSE='#' +else + AMDEP_TRUE='#' + AMDEP_FALSE= +fi + + +# Check whether --enable-silent-rules was given. +if test "${enable_silent_rules+set}" = set; then : + enableval=$enable_silent_rules; +fi + +case $enable_silent_rules in # ((( + yes) AM_DEFAULT_VERBOSITY=0;; + no) AM_DEFAULT_VERBOSITY=1;; + *) AM_DEFAULT_VERBOSITY=1;; +esac +am_make=${MAKE-make} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 +$as_echo_n "checking whether $am_make supports nested variables... " >&6; } +if ${am_cv_make_support_nested_variables+:} false; then : + $as_echo_n "(cached) " >&6 +else + if $as_echo 'TRUE=$(BAR$(V)) +BAR0=false +BAR1=true +V=1 +am__doit: + @$(TRUE) +.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then + am_cv_make_support_nested_variables=yes +else + am_cv_make_support_nested_variables=no +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 +$as_echo "$am_cv_make_support_nested_variables" >&6; } +if test $am_cv_make_support_nested_variables = yes; then + AM_V='$(V)' + AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' +else + AM_V=$AM_DEFAULT_VERBOSITY + AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY +fi +AM_BACKSLASH='\' + +if test "`cd $srcdir && pwd`" != "`pwd`"; then + # Use -I$(srcdir) only when $(srcdir) != ., so that make's output + # is not polluted with repeated "-I." + am__isrc=' -I$(srcdir)' + # test to see if srcdir already configured + if test -f $srcdir/config.status; then + as_fn_error $? 
"source directory already configured; run \"make distclean\" there first" "$LINENO" 5 + fi +fi + +# test whether we have cygpath +if test -z "$CYGPATH_W"; then + if (cygpath --version) >/dev/null 2>/dev/null; then + CYGPATH_W='cygpath -w' + else + CYGPATH_W=echo + fi +fi + + +# Define the identity of the package. + PACKAGE='sssd' + VERSION='1.16.3' + + +cat >>confdefs.h <<_ACEOF +#define PACKAGE "$PACKAGE" +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define VERSION "$VERSION" +_ACEOF + +# Some tools Automake needs. + +ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} + + +AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} + + +AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} + + +AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} + + +MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} + +# For better backward compatibility. To be removed once Automake 1.9.x +# dies out for good. For more background, see: +# +# +mkdir_p='$(MKDIR_P)' + +# We need awk for the "check" target (and possibly the TAP driver). The +# system "awk" is bad on some platforms. +# Always define AMTAR for backward compatibility. Yes, it's still used +# in the wild :-( We should find a proper way to deprecate it ... +AMTAR='$${TAR-tar}' + + +# We'll loop over all known methods to create a tar archive until one works. +_am_tools='gnutar pax cpio none' + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to create a pax tar archive" >&5 +$as_echo_n "checking how to create a pax tar archive... " >&6; } + + # Go ahead even if we have the value already cached. We do so because we + # need to set the values for the 'am__tar' and 'am__untar' variables. + _am_tools=${am_cv_prog_tar_pax-$_am_tools} + + for _am_tool in $_am_tools; do + case $_am_tool in + gnutar) + for _am_tar in tar gnutar gtar; do + { echo "$as_me:$LINENO: $_am_tar --version" >&5 + ($_am_tar --version) >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && break + done + am__tar="$_am_tar --format=posix -chf - "'"$$tardir"' + am__tar_="$_am_tar --format=posix -chf - "'"$tardir"' + am__untar="$_am_tar -xf -" + ;; + plaintar) + # Must skip GNU tar: if it does not support --format= it doesn't create + # ustar tarball either. + (tar --version) >/dev/null 2>&1 && continue + am__tar='tar chf - "$$tardir"' + am__tar_='tar chf - "$tardir"' + am__untar='tar xf -' + ;; + pax) + am__tar='pax -L -x pax -w "$$tardir"' + am__tar_='pax -L -x pax -w "$tardir"' + am__untar='pax -r' + ;; + cpio) + am__tar='find "$$tardir" -print | cpio -o -H pax -L' + am__tar_='find "$tardir" -print | cpio -o -H pax -L' + am__untar='cpio -i -H pax -d' + ;; + none) + am__tar=false + am__tar_=false + am__untar=false + ;; + esac + + # If the value was cached, stop now. We just wanted to have am__tar + # and am__untar set. + test -n "${am_cv_prog_tar_pax}" && break + + # tar/untar a dummy directory, and stop if the command works. + rm -rf conftest.dir + mkdir conftest.dir + echo GrepMe > conftest.dir/file + { echo "$as_me:$LINENO: tardir=conftest.dir && eval $am__tar_ >conftest.tar" >&5 + (tardir=conftest.dir && eval $am__tar_ >conftest.tar) >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } + rm -rf conftest.dir + if test -s conftest.tar; then + { echo "$as_me:$LINENO: $am__untar &5 + ($am__untar &5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } + { echo "$as_me:$LINENO: cat conftest.dir/file" >&5 + (cat conftest.dir/file) >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } + grep GrepMe conftest.dir/file >/dev/null 2>&1 && break + fi + done + rm -rf conftest.dir + + if ${am_cv_prog_tar_pax+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_prog_tar_pax=$_am_tool +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_tar_pax" >&5 +$as_echo "$am_cv_prog_tar_pax" >&6; } + + + + + +depcc="$CC" am_compiler_list= + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 +$as_echo_n "checking dependency style of $depcc... " >&6; } +if ${am_cv_CC_dependencies_compiler_type+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then + # We make a subdir and do the tests there. Otherwise we can end up + # making bogus files that we don't know about and never remove. For + # instance it was reported that on HP-UX the gcc test will end up + # making a dummy file named 'D' -- because '-MD' means "put the output + # in D". + rm -rf conftest.dir + mkdir conftest.dir + # Copy depcomp to subdir because otherwise we won't find it if we're + # using a relative directory. + cp "$am_depcomp" conftest.dir + cd conftest.dir + # We will build objects and dependencies in a subdirectory because + # it helps to detect inapplicable dependency modes. For instance + # both Tru64's cc and ICC support -MD to output dependencies as a + # side effect of compilation, but ICC will put the dependencies in + # the current directory while Tru64 will put them in the object + # directory. 
+ mkdir sub + + am_cv_CC_dependencies_compiler_type=none + if test "$am_compiler_list" = ""; then + am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` + fi + am__universal=false + case " $depcc " in #( + *\ -arch\ *\ -arch\ *) am__universal=true ;; + esac + + for depmode in $am_compiler_list; do + # Setup a source with many dependencies, because some compilers + # like to wrap large dependency lists on column 80 (with \), and + # we should not choose a depcomp mode which is confused by this. + # + # We need to recreate these files for each test, as the compiler may + # overwrite some of them when testing with obscure command lines. + # This happens at least with the AIX C compiler. + : > sub/conftest.c + for i in 1 2 3 4 5 6; do + echo '#include "conftst'$i'.h"' >> sub/conftest.c + # Using ": > sub/conftst$i.h" creates only sub/conftst1.h with + # Solaris 10 /bin/sh. + echo '/* dummy */' > sub/conftst$i.h + done + echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf + + # We check with '-c' and '-o' for the sake of the "dashmstdout" + # mode. It turns out that the SunPro C++ compiler does not properly + # handle '-M -o', and we need to detect this. Also, some Intel + # versions had trouble with output in subdirs. + am__obj=sub/conftest.${OBJEXT-o} + am__minus_obj="-o $am__obj" + case $depmode in + gcc) + # This depmode causes a compiler race in universal mode. + test "$am__universal" = false || continue + ;; + nosideeffect) + # After this tag, mechanisms are not by side-effect, so they'll + # only be used when explicitly requested. + if test "x$enable_dependency_tracking" = xyes; then + continue + else + break + fi + ;; + msvc7 | msvc7msys | msvisualcpp | msvcmsys) + # This compiler won't grok '-c -o', but also, the minuso test has + # not run yet. These depmodes are late enough in the game, and + # so weak that their functioning should not be impacted. 
+ am__obj=conftest.${OBJEXT-o} + am__minus_obj= + ;; + none) break ;; + esac + if depmode=$depmode \ + source=sub/conftest.c object=$am__obj \ + depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ + $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ + >/dev/null 2>conftest.err && + grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && + grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && + grep $am__obj sub/conftest.Po > /dev/null 2>&1 && + ${MAKE-make} -s -f confmf > /dev/null 2>&1; then + # icc doesn't choke on unknown options, it will just issue warnings + # or remarks (even with -Werror). So we grep stderr for any message + # that says an option was ignored or not supported. + # When given -MP, icc 7.0 and 7.1 complain thusly: + # icc: Command line warning: ignoring option '-M'; no argument required + # The diagnosis changed in icc 8.0: + # icc: Command line remark: option '-MP' not supported + if (grep 'ignoring option' conftest.err || + grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else + am_cv_CC_dependencies_compiler_type=$depmode + break + fi + fi + done + + cd .. + rm -rf conftest.dir +else + am_cv_CC_dependencies_compiler_type=none +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 +$as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } +CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type + + if + test "x$enable_dependency_tracking" != xno \ + && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then + am__fastdepCC_TRUE= + am__fastdepCC_FALSE='#' +else + am__fastdepCC_TRUE='#' + am__fastdepCC_FALSE= +fi + + + +# POSIX will say in a future version that running "rm -f" with no argument +# is OK; and we want to be able to make that assumption in our Makefile +# recipes. So use an aggressive probe to check that the usage we want is +# actually supported "in the wild" to an acceptable degree. +# See automake bug#10828. 
+# To make any issue more visible, cause the running configure to be aborted +# by default if the 'rm' program in use doesn't match our expectations; the +# user can still override this though. +if rm -f && rm -fr && rm -rf; then : OK; else + cat >&2 <<'END' +Oops! + +Your 'rm' program seems unable to run without file operands specified +on the command line, even when the '-f' option is present. This is contrary +to the behaviour of most rm programs out there, and not conforming with +the upcoming POSIX standard: + +Please tell bug-automake@gnu.org about your system, including the value +of your $PATH and any error possibly output before this message. This +can help us improve future automake versions. + +END + if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then + echo 'Configuration will proceed anyway, since you have set the' >&2 + echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2 + echo >&2 + else + cat >&2 <<'END' +Aborting the configuration process, to ensure you take notice of the issue. + +You can download and install GNU coreutils to get an 'rm' implementation +that behaves properly: . + +If you want to complete the configuration process using your problematic +'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM +to "yes", and re-run configure. + +END + as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5 + fi +fi + + +if test -n "$ac_tool_prefix"; then + for ac_prog in ar lib "link -lib" + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AR="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +AR=$ac_cv_prog_AR +if test -n "$AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 +$as_echo "$AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AR" && break + done +fi +if test -z "$AR"; then + ac_ct_AR=$AR + for ac_prog in ar lib "link -lib" +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_AR"; then + ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_AR="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_AR=$ac_cv_prog_ac_ct_AR +if test -n "$ac_ct_AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 +$as_echo "$ac_ct_AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_AR" && break +done + + if test "x$ac_ct_AR" = x; then + AR="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + AR=$ac_ct_AR + fi +fi + +: ${AR=ar} + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the archiver ($AR) interface" >&5 +$as_echo_n "checking the archiver ($AR) interface... " >&6; } +if ${am_cv_ar_interface+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + am_cv_ar_interface=ar + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +int some_variable = 0; +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + am_ar_try='$AR cru libconftest.a conftest.$ac_objext >&5' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$am_ar_try\""; } >&5 + (eval $am_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + if test "$ac_status" -eq 0; then + am_cv_ar_interface=ar + else + am_ar_try='$AR -NOLOGO -OUT:conftest.lib conftest.$ac_objext >&5' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$am_ar_try\""; } >&5 + (eval $am_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if test "$ac_status" -eq 0; then + am_cv_ar_interface=lib + else + am_cv_ar_interface=unknown + fi + fi + rm -f conftest.lib libconftest.a + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_ar_interface" >&5 +$as_echo "$am_cv_ar_interface" >&6; } + +case $am_cv_ar_interface in +ar) + ;; +lib) + # Microsoft lib, so override with the ar-lib wrapper script. + # FIXME: It is wrong to rewrite AR. + # But if we don't then we get into trouble of one sort or another. + # A longer-term fix would be to have automake use am__AR in this case, + # and then we could set am__AR="$am_aux_dir/ar-lib \$(AR)" or something + # similar. + AR="$am_aux_dir/ar-lib $AR" + ;; +unknown) + as_fn_error $? "could not determine $AR interface" "$LINENO" 5 + ;; +esac + +# Check whether --enable-static was given. +if test "${enable_static+set}" = set; then : + enableval=$enable_static; p=${PACKAGE-default} + case $enableval in + yes) enable_static=yes ;; + no) enable_static=no ;; + *) + enable_static=no + # Look at the argument we got. We use all the common list separators. 
+ lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_static=yes + fi + done + IFS=$lt_save_ifs + ;; + esac +else + enable_static=no +fi + + + + + + + + + + +case `pwd` in + *\ * | *\ *) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&5 +$as_echo "$as_me: WARNING: Libtool does not cope well with whitespace in \`pwd\`" >&2;} ;; +esac + + + +macro_version='2.4.6' +macro_revision='2.4.6' + + + + + + + + + + + + + +ltmain=$ac_aux_dir/ltmain.sh + +# Make sure we can run config.sub. +$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || + as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 +$as_echo_n "checking build system type... " >&6; } +if ${ac_cv_build+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_build_alias=$build_alias +test "x$ac_build_alias" = x && + ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` +test "x$ac_build_alias" = x && + as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 +ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || + as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 +$as_echo "$ac_cv_build" >&6; } +case $ac_cv_build in +*-*-*) ;; +*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; +esac +build=$ac_cv_build +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_build +shift +build_cpu=$1 +build_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +build_os=$* +IFS=$ac_save_IFS +case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 +$as_echo_n "checking host system type... 
" >&6; } +if ${ac_cv_host+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$host_alias" = x; then + ac_cv_host=$ac_cv_build +else + ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || + as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 +$as_echo "$ac_cv_host" >&6; } +case $ac_cv_host in +*-*-*) ;; +*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; +esac +host=$ac_cv_host +ac_save_IFS=$IFS; IFS='-' +set x $ac_cv_host +shift +host_cpu=$1 +host_vendor=$2 +shift; shift +# Remember, the first character of IFS is used to create $*, +# except with old shells: +host_os=$* +IFS=$ac_save_IFS +case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac + + +# Backslashify metacharacters that are still active within +# double-quoted strings. +sed_quote_subst='s/\(["`$\\]\)/\\\1/g' + +# Same as above, but do not quote variable references. +double_quote_subst='s/\(["`\\]\)/\\\1/g' + +# Sed substitution to delay expansion of an escaped shell variable in a +# double_quote_subst'ed string. +delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' + +# Sed substitution to delay expansion of an escaped single quote. +delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' + +# Sed substitution to avoid accidental globbing in evaled expressions +no_glob_subst='s/\*/\\\*/g' + +ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to print strings" >&5 +$as_echo_n "checking how to print strings... " >&6; } +# Test print first, because it will be a builtin if present. 
+if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \ + test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='print -r --' +elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='printf %s\n' +else + # Use this function as a fallback that always works. + func_fallback_echo () + { + eval 'cat <<_LTECHO_EOF +$1 +_LTECHO_EOF' + } + ECHO='func_fallback_echo' +fi + +# func_echo_all arg... +# Invoke $ECHO with all args, space-separated. +func_echo_all () +{ + $ECHO "" +} + +case $ECHO in + printf*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: printf" >&5 +$as_echo "printf" >&6; } ;; + print*) { $as_echo "$as_me:${as_lineno-$LINENO}: result: print -r" >&5 +$as_echo "print -r" >&6; } ;; + *) { $as_echo "$as_me:${as_lineno-$LINENO}: result: cat" >&5 +$as_echo "cat" >&6; } ;; +esac + + + + + + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a sed that does not truncate output" >&5 +$as_echo_n "checking for a sed that does not truncate output... " >&6; } +if ${ac_cv_path_SED+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/ + for ac_i in 1 2 3 4 5 6 7; do + ac_script="$ac_script$as_nl$ac_script" + done + echo "$ac_script" 2>/dev/null | sed 99q >conftest.sed + { ac_script=; unset ac_script;} + if test -z "$SED"; then + ac_path_SED_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_SED" || continue +# Check for GNU ac_path_SED and select it if it is found. 
+ # Check for GNU $ac_path_SED +case `"$ac_path_SED" --version 2>&1` in +*GNU*) + ac_cv_path_SED="$ac_path_SED" ac_path_SED_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo '' >> "conftest.nl" + "$ac_path_SED" -f conftest.sed < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_SED_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_SED="$ac_path_SED" + ac_path_SED_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_SED_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_SED"; then + as_fn_error $? "no acceptable sed could be found in \$PATH" "$LINENO" 5 + fi +else + ac_cv_path_SED=$SED +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_SED" >&5 +$as_echo "$ac_cv_path_SED" >&6; } + SED="$ac_cv_path_SED" + rm -f conftest.sed + +test -z "$SED" && SED=sed +Xsed="$SED -e 1s/^X//" + + + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for fgrep" >&5 +$as_echo_n "checking for fgrep... " >&6; } +if ${ac_cv_path_FGREP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if echo 'ab*c' | $GREP -F 'ab*c' >/dev/null 2>&1 + then ac_cv_path_FGREP="$GREP -F" + else + if test -z "$FGREP"; then + ac_path_FGREP_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_prog in fgrep; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_FGREP" || continue +# Check for GNU ac_path_FGREP and select it if it is found. + # Check for GNU $ac_path_FGREP +case `"$ac_path_FGREP" --version 2>&1` in +*GNU*) + ac_cv_path_FGREP="$ac_path_FGREP" ac_path_FGREP_found=:;; +*) + ac_count=0 + $as_echo_n 0123456789 >"conftest.in" + while : + do + cat "conftest.in" "conftest.in" >"conftest.tmp" + mv "conftest.tmp" "conftest.in" + cp "conftest.in" "conftest.nl" + $as_echo 'FGREP' >> "conftest.nl" + "$ac_path_FGREP" FGREP < "conftest.nl" >"conftest.out" 2>/dev/null || break + diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break + as_fn_arith $ac_count + 1 && ac_count=$as_val + if test $ac_count -gt ${ac_path_FGREP_max-0}; then + # Best one so far, save it but keep looking for a better one + ac_cv_path_FGREP="$ac_path_FGREP" + ac_path_FGREP_max=$ac_count + fi + # 10*(2^10) chars as input seems more than enough + test $ac_count -gt 10 && break + done + rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +esac + + $ac_path_FGREP_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_FGREP"; then + as_fn_error $? "no acceptable fgrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 + fi +else + ac_cv_path_FGREP=$FGREP +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_FGREP" >&5 +$as_echo "$ac_cv_path_FGREP" >&6; } + FGREP="$ac_cv_path_FGREP" + + +test -z "$GREP" && GREP=grep + + + + + + + + + + + + + + + + + + + +# Check whether --with-gnu-ld was given. +if test "${with_gnu_ld+set}" = set; then : + withval=$with_gnu_ld; test no = "$withval" || with_gnu_ld=yes +else + with_gnu_ld=no +fi + +ac_prog=ld +if test yes = "$GCC"; then + # Check if gcc -print-prog-name=ld gives a path. 
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by $CC" >&5 +$as_echo_n "checking for ld used by $CC... " >&6; } + case $host in + *-*-mingw*) + # gcc leaves a trailing carriage return, which upsets mingw + ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; + *) + ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; + esac + case $ac_prog in + # Accept absolute paths. + [\\/]* | ?:[\\/]*) + re_direlt='/[^/][^/]*/\.\./' + # Canonicalize the pathname of ld + ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` + while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do + ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` + done + test -z "$LD" && LD=$ac_prog + ;; + "") + # If it fails, then pretend we aren't using GCC. + ac_prog=ld + ;; + *) + # If it is relative, then search for the first ld in PATH. + with_gnu_ld=unknown + ;; + esac +elif test yes = "$with_gnu_ld"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5 +$as_echo_n "checking for GNU ld... " >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5 +$as_echo_n "checking for non-GNU ld... " >&6; } +fi +if ${lt_cv_path_LD+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -z "$LD"; then + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then + lt_cv_path_LD=$ac_dir/$ac_prog + # Check to see if the program is GNU ld. I'd rather use --version, + # but apparently some variants of GNU ld only accept -v. + # Break only if it was the GNU/non-GNU ld that we prefer. + case `"$lt_cv_path_LD" -v 2>&1 &5 +$as_echo "$LD" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +test -z "$LD" && as_fn_error $? 
"no acceptable ld found in \$PATH" "$LINENO" 5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5 +$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } +if ${lt_cv_prog_gnu_ld+:} false; then : + $as_echo_n "(cached) " >&6 +else + # I'd rather use --version here, but apparently some GNU lds only accept -v. +case `$LD -v 2>&1 &5 +$as_echo "$lt_cv_prog_gnu_ld" >&6; } +with_gnu_ld=$lt_cv_prog_gnu_ld + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD- or MS-compatible name lister (nm)" >&5 +$as_echo_n "checking for BSD- or MS-compatible name lister (nm)... " >&6; } +if ${lt_cv_path_NM+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$NM"; then + # Let the user override the test. + lt_cv_path_NM=$NM +else + lt_nm_to_check=${ac_tool_prefix}nm + if test -n "$ac_tool_prefix" && test "$build" = "$host"; then + lt_nm_to_check="$lt_nm_to_check nm" + fi + for lt_tmp_nm in $lt_nm_to_check; do + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR + for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. + tmp_nm=$ac_dir/$lt_tmp_nm + if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext"; then + # Check to see if the nm accepts a BSD-compat flag. 
+ # Adding the 'sed 1q' prevents false positives on HP-UX, which says: + # nm: unknown option "B" ignored + # Tru64's nm complains that /dev/null is an invalid object file + # MSYS converts /dev/null to NUL, MinGW nm treats NUL as empty + case $build_os in + mingw*) lt_bad_file=conftest.nm/nofile ;; + *) lt_bad_file=/dev/null ;; + esac + case `"$tmp_nm" -B $lt_bad_file 2>&1 | sed '1q'` in + *$lt_bad_file* | *'Invalid file or object type'*) + lt_cv_path_NM="$tmp_nm -B" + break 2 + ;; + *) + case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in + */dev/null*) + lt_cv_path_NM="$tmp_nm -p" + break 2 + ;; + *) + lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but + continue # so that we can try to find one that supports BSD flags + ;; + esac + ;; + esac + fi + done + IFS=$lt_save_ifs + done + : ${lt_cv_path_NM=no} +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_NM" >&5 +$as_echo "$lt_cv_path_NM" >&6; } +if test no != "$lt_cv_path_NM"; then + NM=$lt_cv_path_NM +else + # Didn't find any BSD compatible name lister, look for dumpbin. + if test -n "$DUMPBIN"; then : + # Let the user override the test. + else + if test -n "$ac_tool_prefix"; then + for ac_prog in dumpbin "link -dump" + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_DUMPBIN+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$DUMPBIN"; then + ac_cv_prog_DUMPBIN="$DUMPBIN" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +DUMPBIN=$ac_cv_prog_DUMPBIN +if test -n "$DUMPBIN"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DUMPBIN" >&5 +$as_echo "$DUMPBIN" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$DUMPBIN" && break + done +fi +if test -z "$DUMPBIN"; then + ac_ct_DUMPBIN=$DUMPBIN + for ac_prog in dumpbin "link -dump" +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_DUMPBIN+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_DUMPBIN"; then + ac_cv_prog_ac_ct_DUMPBIN="$ac_ct_DUMPBIN" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_DUMPBIN=$ac_cv_prog_ac_ct_DUMPBIN +if test -n "$ac_ct_DUMPBIN"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DUMPBIN" >&5 +$as_echo "$ac_ct_DUMPBIN" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_DUMPBIN" && break +done + + if test "x$ac_ct_DUMPBIN" = x; then + DUMPBIN=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + DUMPBIN=$ac_ct_DUMPBIN + fi +fi + + case `$DUMPBIN -symbols -headers /dev/null 2>&1 | sed '1q'` in + *COFF*) + DUMPBIN="$DUMPBIN -symbols -headers" + ;; + *) + DUMPBIN=: + ;; + esac + fi + + if test : != "$DUMPBIN"; then + NM=$DUMPBIN + fi +fi +test -z "$NM" && NM=nm + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the name lister ($NM) interface" >&5 +$as_echo_n "checking the name lister ($NM) interface... 
" >&6; } +if ${lt_cv_nm_interface+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_nm_interface="BSD nm" + echo "int some_variable = 0;" > conftest.$ac_ext + (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&5) + (eval "$ac_compile" 2>conftest.err) + cat conftest.err >&5 + (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) + cat conftest.err >&5 + (eval echo "\"\$as_me:$LINENO: output\"" >&5) + cat conftest.out >&5 + if $GREP 'External.*some_variable' conftest.out > /dev/null; then + lt_cv_nm_interface="MS dumpbin" + fi + rm -f conftest* +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_nm_interface" >&5 +$as_echo "$lt_cv_nm_interface" >&6; } + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 +$as_echo_n "checking whether ln -s works... " >&6; } +LN_S=$as_ln_s +if test "$LN_S" = "ln -s"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 +$as_echo "no, using $LN_S" >&6; } +fi + +# find the maximum length of command line arguments +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking the maximum length of command line arguments" >&5 +$as_echo_n "checking the maximum length of command line arguments... " >&6; } +if ${lt_cv_sys_max_cmd_len+:} false; then : + $as_echo_n "(cached) " >&6 +else + i=0 + teststring=ABCD + + case $build_os in + msdosdjgpp*) + # On DJGPP, this test can blow up pretty badly due to problems in libc + # (any single argument exceeding 2000 bytes causes a buffer overrun + # during glob expansion). Even if it were fixed, the result of this + # check would be larger than it should be. + lt_cv_sys_max_cmd_len=12288; # 12K is about right + ;; + + gnu*) + # Under GNU Hurd, this test is not required because there is + # no limit to the length of command line arguments. 
+ # Libtool will interpret -1 as no limit whatsoever + lt_cv_sys_max_cmd_len=-1; + ;; + + cygwin* | mingw* | cegcc*) + # On Win9x/ME, this test blows up -- it succeeds, but takes + # about 5 minutes as the teststring grows exponentially. + # Worse, since 9x/ME are not pre-emptively multitasking, + # you end up with a "frozen" computer, even though with patience + # the test eventually succeeds (with a max line length of 256k). + # Instead, let's just punt: use the minimum linelength reported by + # all of the supported platforms: 8192 (on NT/2K/XP). + lt_cv_sys_max_cmd_len=8192; + ;; + + mint*) + # On MiNT this can take a long time and run out of memory. + lt_cv_sys_max_cmd_len=8192; + ;; + + amigaos*) + # On AmigaOS with pdksh, this test takes hours, literally. + # So we just punt and use a minimum line length of 8192. + lt_cv_sys_max_cmd_len=8192; + ;; + + bitrig* | darwin* | dragonfly* | freebsd* | netbsd* | openbsd*) + # This has been around since 386BSD, at least. Likely further. + if test -x /sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` + elif test -x /usr/sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` + else + lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs + fi + # And add a safety zone + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + ;; + + interix*) + # We know the value 262144 and hardcode it with a safety zone (like BSD) + lt_cv_sys_max_cmd_len=196608 + ;; + + os2*) + # The test takes a long time on OS/2. + lt_cv_sys_max_cmd_len=8192 + ;; + + osf*) + # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure + # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not + # nice to cause kernel panics so lets avoid the loop below. + # First set a reasonable default. 
+ lt_cv_sys_max_cmd_len=16384 + # + if test -x /sbin/sysconfig; then + case `/sbin/sysconfig -q proc exec_disable_arg_limit` in + *1*) lt_cv_sys_max_cmd_len=-1 ;; + esac + fi + ;; + sco3.2v5*) + lt_cv_sys_max_cmd_len=102400 + ;; + sysv5* | sco5v6* | sysv4.2uw2*) + kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` + if test -n "$kargmax"; then + lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[ ]//'` + else + lt_cv_sys_max_cmd_len=32768 + fi + ;; + *) + lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + else + # Make teststring a little bigger before we do anything with it. + # a 1K string should be a reasonable start. + for i in 1 2 3 4 5 6 7 8; do + teststring=$teststring$teststring + done + SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} + # If test is not a shell built-in, we'll probably end up computing a + # maximum length that is only half of the actual maximum length, but + # we can't tell. + while { test X`env echo "$teststring$teststring" 2>/dev/null` \ + = "X$teststring$teststring"; } >/dev/null 2>&1 && + test 17 != "$i" # 1/2 MB should be enough + do + i=`expr $i + 1` + teststring=$teststring$teststring + done + # Only check the string length outside the loop. + lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` + teststring= + # Add a significant safety factor because C++ compilers can tack on + # massive amounts of additional arguments before passing them to the + # linker. It appears as though 1/2 is a usable value. 
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` + fi + ;; + esac + +fi + +if test -n "$lt_cv_sys_max_cmd_len"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sys_max_cmd_len" >&5 +$as_echo "$lt_cv_sys_max_cmd_len" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none" >&5 +$as_echo "none" >&6; } +fi +max_cmd_len=$lt_cv_sys_max_cmd_len + + + + + + +: ${CP="cp -f"} +: ${MV="mv -f"} +: ${RM="rm -f"} + +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + lt_unset=unset +else + lt_unset=false +fi + + + + + +# test EBCDIC or ASCII +case `echo X|tr X '\101'` in + A) # ASCII based system + # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr + lt_SP2NL='tr \040 \012' + lt_NL2SP='tr \015\012 \040\040' + ;; + *) # EBCDIC based system + lt_SP2NL='tr \100 \n' + lt_NL2SP='tr \r\n \100\100' + ;; +esac + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to $host format" >&5 +$as_echo_n "checking how to convert $build file names to $host format... 
" >&6; } +if ${lt_cv_to_host_file_cmd+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32 + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32 + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32 + ;; + esac + ;; + *-*-cygwin* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin + ;; + esac + ;; + * ) # unhandled hosts (and "normal" native builds) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; +esac + +fi + +to_host_file_cmd=$lt_cv_to_host_file_cmd +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_host_file_cmd" >&5 +$as_echo "$lt_cv_to_host_file_cmd" >&6; } + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to convert $build file names to toolchain format" >&5 +$as_echo_n "checking how to convert $build file names to toolchain format... " >&6; } +if ${lt_cv_to_tool_file_cmd+:} false; then : + $as_echo_n "(cached) " >&6 +else + #assume ordinary cross tools, or native build. +lt_cv_to_tool_file_cmd=func_convert_file_noop +case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32 + ;; + esac + ;; +esac + +fi + +to_tool_file_cmd=$lt_cv_to_tool_file_cmd +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_to_tool_file_cmd" >&5 +$as_echo "$lt_cv_to_tool_file_cmd" >&6; } + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $LD option to reload object files" >&5 +$as_echo_n "checking for $LD option to reload object files... 
" >&6; } +if ${lt_cv_ld_reload_flag+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_ld_reload_flag='-r' +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_reload_flag" >&5 +$as_echo "$lt_cv_ld_reload_flag" >&6; } +reload_flag=$lt_cv_ld_reload_flag +case $reload_flag in +"" | " "*) ;; +*) reload_flag=" $reload_flag" ;; +esac +reload_cmds='$LD$reload_flag -o $output$reload_objs' +case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + if test yes != "$GCC"; then + reload_cmds=false + fi + ;; + darwin*) + if test yes = "$GCC"; then + reload_cmds='$LTCC $LTCFLAGS -nostdlib $wl-r -o $output$reload_objs' + else + reload_cmds='$LD$reload_flag -o $output$reload_objs' + fi + ;; +esac + + + + + + + + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. +set dummy ${ac_tool_prefix}objdump; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_OBJDUMP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$OBJDUMP"; then + ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +OBJDUMP=$ac_cv_prog_OBJDUMP +if test -n "$OBJDUMP"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 +$as_echo "$OBJDUMP" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_OBJDUMP"; then + ac_ct_OBJDUMP=$OBJDUMP + # Extract the first word of "objdump", so it can be a program name with args. +set dummy objdump; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_OBJDUMP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_OBJDUMP"; then + ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_OBJDUMP="objdump" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP +if test -n "$ac_ct_OBJDUMP"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 +$as_echo "$ac_ct_OBJDUMP" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_OBJDUMP" = x; then + OBJDUMP="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + OBJDUMP=$ac_ct_OBJDUMP + fi +else + OBJDUMP="$ac_cv_prog_OBJDUMP" +fi + +test -z "$OBJDUMP" && OBJDUMP=objdump + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to recognize dependent libraries" >&5 +$as_echo_n "checking how to recognize dependent libraries... " >&6; } +if ${lt_cv_deplibs_check_method+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_file_magic_cmd='$MAGIC_CMD' +lt_cv_file_magic_test_file= +lt_cv_deplibs_check_method='unknown' +# Need to set the preceding variable on all platforms that support +# interlibrary dependencies. +# 'none' -- dependencies not supported. +# 'unknown' -- same as none, but documents that we really don't know. +# 'pass_all' -- all dependencies passed with no checks. +# 'test_compile' -- check by making test program. +# 'file_magic [[regex]]' -- check by looking for files in library path +# that responds to the $file_magic_cmd with a given extended regex. +# If you have 'file' or equivalent on your system and you're not sure +# whether 'pass_all' will *always* work, you probably want this one. 
+ +case $host_os in +aix[4-9]*) + lt_cv_deplibs_check_method=pass_all + ;; + +beos*) + lt_cv_deplibs_check_method=pass_all + ;; + +bsdi[45]*) + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)' + lt_cv_file_magic_cmd='/usr/bin/file -L' + lt_cv_file_magic_test_file=/shlib/libc.so + ;; + +cygwin*) + # func_win32_libid is a shell function defined in ltmain.sh + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + ;; + +mingw* | pw32*) + # Base MSYS/MinGW do not provide the 'file' command needed by + # func_win32_libid shell function, so use a weaker test based on 'objdump', + # unless we find 'file', for example because we are cross-compiling. + if ( file / ) >/dev/null 2>&1; then + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + else + # Keep this pattern in sync with the one in func_win32_libid. + lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' + lt_cv_file_magic_cmd='$OBJDUMP -f' + fi + ;; + +cegcc*) + # use the weaker test based on 'objdump'. See mingw*. + lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + ;; + +darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; + +freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) + # Not sure whether the presence of OpenBSD here was a mistake. + # Let's accept both of them until this is cleared up. 
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[3-9]86 (compact )?demand paged shared library' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` + ;; + esac + else + lt_cv_deplibs_check_method=pass_all + fi + ;; + +haiku*) + lt_cv_deplibs_check_method=pass_all + ;; + +hpux10.20* | hpux11*) + lt_cv_file_magic_cmd=/usr/bin/file + case $host_cpu in + ia64*) + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64' + lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so + ;; + hppa*64*) + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]' + lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl + ;; + *) + lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9]\.[0-9]) shared library' + lt_cv_file_magic_test_file=/usr/lib/libc.sl + ;; + esac + ;; + +interix[3-9]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|\.a)$' + ;; + +irix5* | irix6* | nonstopux*) + case $LD in + *-32|*"-32 ") libmagic=32-bit;; + *-n32|*"-n32 ") libmagic=N32;; + *-64|*"-64 ") libmagic=64-bit;; + *) libmagic=never-match;; + esac + lt_cv_deplibs_check_method=pass_all + ;; + +# This must be glibc/ELF. 
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + lt_cv_deplibs_check_method=pass_all + ;; + +netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$' + fi + ;; + +newos6*) + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=/usr/lib/libnls.so + ;; + +*nto* | *qnx*) + lt_cv_deplibs_check_method=pass_all + ;; + +openbsd* | bitrig*) + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|\.so|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' + fi + ;; + +osf3* | osf4* | osf5*) + lt_cv_deplibs_check_method=pass_all + ;; + +rdos*) + lt_cv_deplibs_check_method=pass_all + ;; + +solaris*) + lt_cv_deplibs_check_method=pass_all + ;; + +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + lt_cv_deplibs_check_method=pass_all + ;; + +sysv4 | sysv4.3*) + case $host_vendor in + motorola) + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]' + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` + ;; + ncr) + lt_cv_deplibs_check_method=pass_all + ;; + sequent) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' + ;; + sni) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib" + lt_cv_file_magic_test_file=/lib/libc.so + ;; + siemens) + lt_cv_deplibs_check_method=pass_all + ;; + pc) + lt_cv_deplibs_check_method=pass_all + ;; + esac + ;; + +tpf*) + lt_cv_deplibs_check_method=pass_all + ;; +os2*) + lt_cv_deplibs_check_method=pass_all + ;; +esac 
+ +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_deplibs_check_method" >&5 +$as_echo "$lt_cv_deplibs_check_method" >&6; } + +file_magic_glob= +want_nocaseglob=no +if test "$build" = "$host"; then + case $host_os in + mingw* | pw32*) + if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then + want_nocaseglob=yes + else + file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[\1]\/[\1]\/g;/g"` + fi + ;; + esac +fi + +file_magic_cmd=$lt_cv_file_magic_cmd +deplibs_check_method=$lt_cv_deplibs_check_method +test -z "$deplibs_check_method" && deplibs_check_method=unknown + + + + + + + + + + + + + + + + + + + + + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}dlltool", so it can be a program name with args. +set dummy ${ac_tool_prefix}dlltool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_DLLTOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$DLLTOOL"; then + ac_cv_prog_DLLTOOL="$DLLTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +DLLTOOL=$ac_cv_prog_DLLTOOL +if test -n "$DLLTOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DLLTOOL" >&5 +$as_echo "$DLLTOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_DLLTOOL"; then + ac_ct_DLLTOOL=$DLLTOOL + # Extract the first word of "dlltool", so it can be a program name with args. 
+set dummy dlltool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_DLLTOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_DLLTOOL"; then + ac_cv_prog_ac_ct_DLLTOOL="$ac_ct_DLLTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_DLLTOOL="dlltool" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_DLLTOOL=$ac_cv_prog_ac_ct_DLLTOOL +if test -n "$ac_ct_DLLTOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DLLTOOL" >&5 +$as_echo "$ac_ct_DLLTOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_DLLTOOL" = x; then + DLLTOOL="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + DLLTOOL=$ac_ct_DLLTOOL + fi +else + DLLTOOL="$ac_cv_prog_DLLTOOL" +fi + +test -z "$DLLTOOL" && DLLTOOL=dlltool + + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to associate runtime and link libraries" >&5 +$as_echo_n "checking how to associate runtime and link libraries... 
" >&6; } +if ${lt_cv_sharedlib_from_linklib_cmd+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_sharedlib_from_linklib_cmd='unknown' + +case $host_os in +cygwin* | mingw* | pw32* | cegcc*) + # two different shell functions defined in ltmain.sh; + # decide which one to use based on capabilities of $DLLTOOL + case `$DLLTOOL --help 2>&1` in + *--identify-strict*) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib + ;; + *) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback + ;; + esac + ;; +*) + # fallback: assume linklib IS sharedlib + lt_cv_sharedlib_from_linklib_cmd=$ECHO + ;; +esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_sharedlib_from_linklib_cmd" >&5 +$as_echo "$lt_cv_sharedlib_from_linklib_cmd" >&6; } +sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd +test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO + + + + + + + +if test -n "$ac_tool_prefix"; then + for ac_prog in ar + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_AR="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +AR=$ac_cv_prog_AR +if test -n "$AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 +$as_echo "$AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$AR" && break + done +fi +if test -z "$AR"; then + ac_ct_AR=$AR + for ac_prog in ar +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_AR+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_AR"; then + ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_AR="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_AR=$ac_cv_prog_ac_ct_AR +if test -n "$ac_ct_AR"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 +$as_echo "$ac_ct_AR" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_AR" && break +done + + if test "x$ac_ct_AR" = x; then + AR="false" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + AR=$ac_ct_AR + fi +fi + +: ${AR=ar} +: ${AR_FLAGS=cru} + + + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for archiver @FILE support" >&5 +$as_echo_n "checking for archiver @FILE support... " >&6; } +if ${lt_cv_ar_at_file+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_ar_at_file=no + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + echo conftest.$ac_objext > conftest.lst + lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&5' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5 + (eval $lt_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if test 0 -eq "$ac_status"; then + # Ensure the archiver fails upon bogus file names. + rm -f conftest.$ac_objext libconftest.a + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$lt_ar_try\""; } >&5 + (eval $lt_ar_try) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + if test 0 -ne "$ac_status"; then + lt_cv_ar_at_file=@ + fi + fi + rm -f conftest.* libconftest.a + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ar_at_file" >&5 +$as_echo "$lt_cv_ar_at_file" >&6; } + +if test no = "$lt_cv_ar_at_file"; then + archiver_list_spec= +else + archiver_list_spec=$lt_cv_ar_at_file +fi + + + + + + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. +set dummy ${ac_tool_prefix}strip; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_STRIP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$STRIP"; then + ac_cv_prog_STRIP="$STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_STRIP="${ac_tool_prefix}strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +STRIP=$ac_cv_prog_STRIP +if test -n "$STRIP"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 +$as_echo "$STRIP" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_STRIP"; then + ac_ct_STRIP=$STRIP + # Extract the first word of "strip", so it can be a program name with args. +set dummy strip; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if ${ac_cv_prog_ac_ct_STRIP+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_STRIP"; then + ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_STRIP="strip" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP +if test -n "$ac_ct_STRIP"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 +$as_echo "$ac_ct_STRIP" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_STRIP" = x; then + STRIP=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + STRIP=$ac_ct_STRIP + fi +else + STRIP="$ac_cv_prog_STRIP" +fi + +test -z "$STRIP" && STRIP=: + + + + + + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. +set dummy ${ac_tool_prefix}ranlib; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_RANLIB+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +RANLIB=$ac_cv_prog_RANLIB +if test -n "$RANLIB"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 +$as_echo "$RANLIB" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_RANLIB"; then + ac_ct_RANLIB=$RANLIB + # Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_RANLIB"; then + ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_RANLIB="ranlib" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB +if test -n "$ac_ct_RANLIB"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 +$as_echo "$ac_ct_RANLIB" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_RANLIB" = x; then + RANLIB=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + RANLIB=$ac_ct_RANLIB + fi +else + RANLIB="$ac_cv_prog_RANLIB" +fi + +test -z "$RANLIB" && RANLIB=: + + + + + + +# Determine commands to create old-style static archives. +old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' +old_postinstall_cmds='chmod 644 $oldlib' +old_postuninstall_cmds= + +if test -n "$RANLIB"; then + case $host_os in + bitrig* | openbsd*) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" + ;; + *) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" + ;; + esac + old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" +fi + +case $host_os in + darwin*) + lock_old_archive_extraction=yes ;; + *) + lock_old_archive_extraction=no ;; +esac + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} + +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} + +# Allow CC to be a program name with arguments. +compiler=$CC + + +# Check for command to grab the raw symbol name followed by C symbol from nm. 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking command to parse $NM output from $compiler object" >&5 +$as_echo_n "checking command to parse $NM output from $compiler object... " >&6; } +if ${lt_cv_sys_global_symbol_pipe+:} false; then : + $as_echo_n "(cached) " >&6 +else + +# These are sane defaults that work on at least a few old systems. +# [They come from Ultrix. What could be older than Ultrix?!! ;)] + +# Character class describing NM global symbol codes. +symcode='[BCDEGRST]' + +# Regexp to match symbols that can be accessed directly from C. +sympat='\([_A-Za-z][_A-Za-z0-9]*\)' + +# Define system-specific variables. +case $host_os in +aix*) + symcode='[BCDT]' + ;; +cygwin* | mingw* | pw32* | cegcc*) + symcode='[ABCDGISTW]' + ;; +hpux*) + if test ia64 = "$host_cpu"; then + symcode='[ABCDEGRST]' + fi + ;; +irix* | nonstopux*) + symcode='[BCDEGRST]' + ;; +osf*) + symcode='[BCDEGQRST]' + ;; +solaris*) + symcode='[BDRT]' + ;; +sco3.2v5*) + symcode='[DT]' + ;; +sysv4.2uw2*) + symcode='[DT]' + ;; +sysv5* | sco5v6* | unixware* | OpenUNIX*) + symcode='[ABDT]' + ;; +sysv4) + symcode='[DFNSTU]' + ;; +esac + +# If we're using GNU nm, then use its standard symbol codes. +case `$NM -V 2>&1` in +*GNU* | *'with BFD'*) + symcode='[ABCDGIRSTW]' ;; +esac + +if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Gets list of data symbols to import. + lt_cv_sys_global_symbol_to_import="sed -n -e 's/^I .* \(.*\)$/\1/p'" + # Adjust the below global symbol transforms to fixup imported variables. + lt_cdecl_hook=" -e 's/^I .* \(.*\)$/extern __declspec(dllimport) char \1;/p'" + lt_c_name_hook=" -e 's/^I .* \(.*\)$/ {\"\1\", (void *) 0},/p'" + lt_c_name_lib_hook="\ + -e 's/^I .* \(lib.*\)$/ {\"\1\", (void *) 0},/p'\ + -e 's/^I .* \(.*\)$/ {\"lib\1\", (void *) 0},/p'" +else + # Disable hooks by default. + lt_cv_sys_global_symbol_to_import= + lt_cdecl_hook= + lt_c_name_hook= + lt_c_name_lib_hook= +fi + +# Transform an extracted symbol line into a proper C declaration. 
+# Some systems (esp. on ia64) link data and code symbols differently, +# so use this general approach. +lt_cv_sys_global_symbol_to_cdecl="sed -n"\ +$lt_cdecl_hook\ +" -e 's/^T .* \(.*\)$/extern int \1();/p'"\ +" -e 's/^$symcode$symcode* .* \(.*\)$/extern char \1;/p'" + +# Transform an extracted symbol line into symbol name and symbol address +lt_cv_sys_global_symbol_to_c_name_address="sed -n"\ +$lt_c_name_hook\ +" -e 's/^: \(.*\) .*$/ {\"\1\", (void *) 0},/p'"\ +" -e 's/^$symcode$symcode* .* \(.*\)$/ {\"\1\", (void *) \&\1},/p'" + +# Transform an extracted symbol line into symbol name with lib prefix and +# symbol address. +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n"\ +$lt_c_name_lib_hook\ +" -e 's/^: \(.*\) .*$/ {\"\1\", (void *) 0},/p'"\ +" -e 's/^$symcode$symcode* .* \(lib.*\)$/ {\"\1\", (void *) \&\1},/p'"\ +" -e 's/^$symcode$symcode* .* \(.*\)$/ {\"lib\1\", (void *) \&\1},/p'" + +# Handle CRLF in mingw tool chain +opt_cr= +case $build_os in +mingw*) + opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp + ;; +esac + +# Try without a prefix underscore, then with it. +for ac_symprfx in "" "_"; do + + # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. + symxfrm="\\1 $ac_symprfx\\2 \\2" + + # Write the raw and C identifiers. + if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Fake it for dumpbin and say T for any non-static function, + # D for any global variable and I for any imported variable. + # Also find C++ and __fastcall symbols from MSVC++, + # which start with @ or ?. 
+ lt_cv_sys_global_symbol_pipe="$AWK '"\ +" {last_section=section; section=\$ 3};"\ +" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ +" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ +" /^ *Symbol name *: /{split(\$ 0,sn,\":\"); si=substr(sn[2],2)};"\ +" /^ *Type *: code/{print \"T\",si,substr(si,length(prfx))};"\ +" /^ *Type *: data/{print \"I\",si,substr(si,length(prfx))};"\ +" \$ 0!~/External *\|/{next};"\ +" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ +" {if(hide[section]) next};"\ +" {f=\"D\"}; \$ 0~/\(\).*\|/{f=\"T\"};"\ +" {split(\$ 0,a,/\||\r/); split(a[2],s)};"\ +" s[1]~/^[@?]/{print f,s[1],s[1]; next};"\ +" s[1]~prfx {split(s[1],t,\"@\"); print f,t[1],substr(t[1],length(prfx))}"\ +" ' prfx=^$ac_symprfx" + else + lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" + fi + lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'" + + # Check to see that the pipe works correctly. + pipe_works=no + + rm -f conftest* + cat > conftest.$ac_ext <<_LT_EOF +#ifdef __cplusplus +extern "C" { +#endif +char nm_test_var; +void nm_test_func(void); +void nm_test_func(void){} +#ifdef __cplusplus +} +#endif +int main(){nm_test_var='a';nm_test_func();return(0);} +_LT_EOF + + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + # Now try to grab the symbols. + nlist=conftest.nm + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist\""; } >&5 + (eval $NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s "$nlist"; then + # Try sorting and uniquifying the output. 
+ if sort "$nlist" | uniq > "$nlist"T; then + mv -f "$nlist"T "$nlist" + else + rm -f "$nlist"T + fi + + # Make sure that we snagged all the symbols we need. + if $GREP ' nm_test_var$' "$nlist" >/dev/null; then + if $GREP ' nm_test_func$' "$nlist" >/dev/null; then + cat <<_LT_EOF > conftest.$ac_ext +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ +#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE +/* DATA imports from DLLs on WIN32 can't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT_DLSYM_CONST +#elif defined __osf__ +/* This system does not cope well with relocations in const data. */ +# define LT_DLSYM_CONST +#else +# define LT_DLSYM_CONST const +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +_LT_EOF + # Now generate the symbol file. + eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' + + cat <<_LT_EOF >> conftest.$ac_ext + +/* The mapping between symbol names and symbols. */ +LT_DLSYM_CONST struct { + const char *name; + void *address; +} +lt__PROGRAM__LTX_preloaded_symbols[] = +{ + { "@PROGRAM@", (void *) 0 }, +_LT_EOF + $SED "s/^$symcode$symcode* .* \(.*\)$/ {\"\1\", (void *) \&\1},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext + cat <<\_LT_EOF >> conftest.$ac_ext + {0, (void *) 0} +}; + +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt__PROGRAM__LTX_preloaded_symbols; +} +#endif + +#ifdef __cplusplus +} +#endif +_LT_EOF + # Now try linking the two files. + mv conftest.$ac_objext conftstm.$ac_objext + lt_globsym_save_LIBS=$LIBS + lt_globsym_save_CFLAGS=$CFLAGS + LIBS=conftstm.$ac_objext + CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag" + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } && test -s conftest$ac_exeext; then + pipe_works=yes + fi + LIBS=$lt_globsym_save_LIBS + CFLAGS=$lt_globsym_save_CFLAGS + else + echo "cannot find nm_test_func in $nlist" >&5 + fi + else + echo "cannot find nm_test_var in $nlist" >&5 + fi + else + echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5 + fi + else + echo "$progname: failed program was:" >&5 + cat conftest.$ac_ext >&5 + fi + rm -rf conftest* conftst* + + # Do not use the global_symbol_pipe unless it works. + if test yes = "$pipe_works"; then + break + else + lt_cv_sys_global_symbol_pipe= + fi +done + +fi + +if test -z "$lt_cv_sys_global_symbol_pipe"; then + lt_cv_sys_global_symbol_to_cdecl= +fi +if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: failed" >&5 +$as_echo "failed" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5 +$as_echo "ok" >&6; } +fi + +# Response file support. +if test "$lt_cv_nm_interface" = "MS dumpbin"; then + nm_file_list_spec='@' +elif $NM --help 2>/dev/null | grep '[@]FILE' >/dev/null; then + nm_file_list_spec='@' +fi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sysroot" >&5 +$as_echo_n "checking for sysroot... " >&6; } + +# Check whether --with-sysroot was given. +if test "${with_sysroot+set}" = set; then : + withval=$with_sysroot; +else + with_sysroot=no +fi + + +lt_sysroot= +case $with_sysroot in #( + yes) + if test yes = "$GCC"; then + lt_sysroot=`$CC --print-sysroot 2>/dev/null` + fi + ;; #( + /*) + lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` + ;; #( + no|'') + ;; #( + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_sysroot" >&5 +$as_echo "$with_sysroot" >&6; } + as_fn_error $? "The sysroot must be an absolute path." 
"$LINENO" 5 + ;; +esac + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${lt_sysroot:-no}" >&5 +$as_echo "${lt_sysroot:-no}" >&6; } + + + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a working dd" >&5 +$as_echo_n "checking for a working dd... " >&6; } +if ${ac_cv_path_lt_DD+:} false; then : + $as_echo_n "(cached) " >&6 +else + printf 0123456789abcdef0123456789abcdef >conftest.i +cat conftest.i conftest.i >conftest2.i +: ${lt_DD:=$DD} +if test -z "$lt_DD"; then + ac_path_lt_DD_found=false + # Loop through the user's path and test for each of PROGNAME-LIST + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_prog in dd; do + for ac_exec_ext in '' $ac_executable_extensions; do + ac_path_lt_DD="$as_dir/$ac_prog$ac_exec_ext" + as_fn_executable_p "$ac_path_lt_DD" || continue +if "$ac_path_lt_DD" bs=32 count=1 conftest.out 2>/dev/null; then + cmp -s conftest.i conftest.out \ + && ac_cv_path_lt_DD="$ac_path_lt_DD" ac_path_lt_DD_found=: +fi + $ac_path_lt_DD_found && break 3 + done + done + done +IFS=$as_save_IFS + if test -z "$ac_cv_path_lt_DD"; then + : + fi +else + ac_cv_path_lt_DD=$lt_DD +fi + +rm -f conftest.i conftest2.i conftest.out +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_lt_DD" >&5 +$as_echo "$ac_cv_path_lt_DD" >&6; } + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to truncate binary pipes" >&5 +$as_echo_n "checking how to truncate binary pipes... 
" >&6; } +if ${lt_cv_truncate_bin+:} false; then : + $as_echo_n "(cached) " >&6 +else + printf 0123456789abcdef0123456789abcdef >conftest.i +cat conftest.i conftest.i >conftest2.i +lt_cv_truncate_bin= +if "$ac_cv_path_lt_DD" bs=32 count=1 conftest.out 2>/dev/null; then + cmp -s conftest.i conftest.out \ + && lt_cv_truncate_bin="$ac_cv_path_lt_DD bs=4096 count=1" +fi +rm -f conftest.i conftest2.i conftest.out +test -z "$lt_cv_truncate_bin" && lt_cv_truncate_bin="$SED -e 4q" +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_truncate_bin" >&5 +$as_echo "$lt_cv_truncate_bin" >&6; } + + + + + + + +# Calculate cc_basename. Skip known compiler wrappers and cross-prefix. +func_cc_basename () +{ + for cc_temp in $*""; do + case $cc_temp in + compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; + distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; + \-*) ;; + *) break;; + esac + done + func_cc_basename_result=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` +} + +# Check whether --enable-libtool-lock was given. +if test "${enable_libtool_lock+set}" = set; then : + enableval=$enable_libtool_lock; +fi + +test no = "$enable_libtool_lock" || enable_libtool_lock=yes + +# Some flags need to be propagated to the compiler or linker for good +# libtool support. +case $host in +ia64-*-hpux*) + # Find out what ABI is being produced by ac_compile, and set mode + # options accordingly. + echo 'int i;' > conftest.$ac_ext + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + case `/usr/bin/file conftest.$ac_objext` in + *ELF-32*) + HPUX_IA64_MODE=32 + ;; + *ELF-64*) + HPUX_IA64_MODE=64 + ;; + esac + fi + rm -rf conftest* + ;; +*-*-irix6*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. 
+ echo '#line '$LINENO' "configure"' > conftest.$ac_ext + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + if test yes = "$lt_cv_prog_gnu_ld"; then + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -melf32bsmip" + ;; + *N32*) + LD="${LD-ld} -melf32bmipn32" + ;; + *64-bit*) + LD="${LD-ld} -melf64bmip" + ;; + esac + else + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -32" + ;; + *N32*) + LD="${LD-ld} -n32" + ;; + *64-bit*) + LD="${LD-ld} -64" + ;; + esac + fi + fi + rm -rf conftest* + ;; + +mips64*-*linux*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. + echo '#line '$LINENO' "configure"' > conftest.$ac_ext + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + emul=elf + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + emul="${emul}32" + ;; + *64-bit*) + emul="${emul}64" + ;; + esac + case `/usr/bin/file conftest.$ac_objext` in + *MSB*) + emul="${emul}btsmip" + ;; + *LSB*) + emul="${emul}ltsmip" + ;; + esac + case `/usr/bin/file conftest.$ac_objext` in + *N32*) + emul="${emul}n32" + ;; + esac + LD="${LD-ld} -m $emul" + fi + rm -rf conftest* + ;; + +x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ +s390*-*linux*|s390*-*tpf*|sparc*-*linux*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. Note that the listed cases only cover the + # situations where additional linker options are needed (such as when + # doing 32-bit compilation for a host where ld defaults to 64-bit, or + # vice versa); the common cases where no linker options are needed do + # not appear in the list. 
+ echo 'int i;' > conftest.$ac_ext + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_i386_fbsd" + ;; + x86_64-*linux*) + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac + ;; + powerpc64le-*linux*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*linux*) + LD="${LD-ld} -m elf32ppclinux" + ;; + s390x-*linux*) + LD="${LD-ld} -m elf_s390" + ;; + sparc64-*linux*) + LD="${LD-ld} -m elf32_sparc" + ;; + esac + ;; + *64-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_x86_64_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; + powerpcle-*linux*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*linux*) + LD="${LD-ld} -m elf64ppc" + ;; + s390*-*linux*|s390*-*tpf*) + LD="${LD-ld} -m elf64_s390" + ;; + sparc*-*linux*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; + +*-*-sco3.2v5*) + # On SCO OpenServer 5, we need -belf to get full-featured binaries. + SAVE_CFLAGS=$CFLAGS + CFLAGS="$CFLAGS -belf" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler needs -belf" >&5 +$as_echo_n "checking whether the C compiler needs -belf... " >&6; } +if ${lt_cv_cc_needs_belf+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + lt_cv_cc_needs_belf=yes +else + lt_cv_cc_needs_belf=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_cc_needs_belf" >&5 +$as_echo "$lt_cv_cc_needs_belf" >&6; } + if test yes != "$lt_cv_cc_needs_belf"; then + # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf + CFLAGS=$SAVE_CFLAGS + fi + ;; +*-*solaris*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. + echo 'int i;' > conftest.$ac_ext + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + case `/usr/bin/file conftest.o` in + *64-bit*) + case $lt_cv_prog_gnu_ld in + yes*) + case $host in + i?86-*-solaris*|x86_64-*-solaris*) + LD="${LD-ld} -m elf_x86_64" + ;; + sparc*-*-solaris*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + # GNU ld 2.21 introduced _sol2 emulations. Use them if available. + if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then + LD=${LD-ld}_sol2 + fi + ;; + *) + if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then + LD="${LD-ld} -64" + fi + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; +esac + +need_locks=$enable_libtool_lock + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}mt", so it can be a program name with args. +set dummy ${ac_tool_prefix}mt; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if ${ac_cv_prog_MANIFEST_TOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$MANIFEST_TOOL"; then + ac_cv_prog_MANIFEST_TOOL="$MANIFEST_TOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +MANIFEST_TOOL=$ac_cv_prog_MANIFEST_TOOL +if test -n "$MANIFEST_TOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANIFEST_TOOL" >&5 +$as_echo "$MANIFEST_TOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_MANIFEST_TOOL"; then + ac_ct_MANIFEST_TOOL=$MANIFEST_TOOL + # Extract the first word of "mt", so it can be a program name with args. +set dummy mt; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_MANIFEST_TOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_MANIFEST_TOOL"; then + ac_cv_prog_ac_ct_MANIFEST_TOOL="$ac_ct_MANIFEST_TOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_MANIFEST_TOOL="mt" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_MANIFEST_TOOL=$ac_cv_prog_ac_ct_MANIFEST_TOOL +if test -n "$ac_ct_MANIFEST_TOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_MANIFEST_TOOL" >&5 +$as_echo "$ac_ct_MANIFEST_TOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_MANIFEST_TOOL" = x; then + MANIFEST_TOOL=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + MANIFEST_TOOL=$ac_ct_MANIFEST_TOOL + fi +else + MANIFEST_TOOL="$ac_cv_prog_MANIFEST_TOOL" +fi + +test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $MANIFEST_TOOL is a manifest tool" >&5 +$as_echo_n "checking if $MANIFEST_TOOL is a manifest tool... " >&6; } +if ${lt_cv_path_mainfest_tool+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_path_mainfest_tool=no + echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&5 + $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out + cat conftest.err >&5 + if $GREP 'Manifest Tool' conftest.out > /dev/null; then + lt_cv_path_mainfest_tool=yes + fi + rm -f conftest* +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_path_mainfest_tool" >&5 +$as_echo "$lt_cv_path_mainfest_tool" >&6; } +if test yes != "$lt_cv_path_mainfest_tool"; then + MANIFEST_TOOL=: +fi + + + + + + + case $host_os in + rhapsody* | darwin*) + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}dsymutil", so it can be a program name with args. 
+set dummy ${ac_tool_prefix}dsymutil; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_DSYMUTIL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$DSYMUTIL"; then + ac_cv_prog_DSYMUTIL="$DSYMUTIL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +DSYMUTIL=$ac_cv_prog_DSYMUTIL +if test -n "$DSYMUTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DSYMUTIL" >&5 +$as_echo "$DSYMUTIL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_DSYMUTIL"; then + ac_ct_DSYMUTIL=$DSYMUTIL + # Extract the first word of "dsymutil", so it can be a program name with args. +set dummy dsymutil; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_DSYMUTIL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_DSYMUTIL"; then + ac_cv_prog_ac_ct_DSYMUTIL="$ac_ct_DSYMUTIL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_DSYMUTIL=$ac_cv_prog_ac_ct_DSYMUTIL +if test -n "$ac_ct_DSYMUTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_DSYMUTIL" >&5 +$as_echo "$ac_ct_DSYMUTIL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_DSYMUTIL" = x; then + DSYMUTIL=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + DSYMUTIL=$ac_ct_DSYMUTIL + fi +else + DSYMUTIL="$ac_cv_prog_DSYMUTIL" +fi + + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}nmedit", so it can be a program name with args. +set dummy ${ac_tool_prefix}nmedit; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_NMEDIT+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$NMEDIT"; then + ac_cv_prog_NMEDIT="$NMEDIT" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +NMEDIT=$ac_cv_prog_NMEDIT +if test -n "$NMEDIT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NMEDIT" >&5 +$as_echo "$NMEDIT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_NMEDIT"; then + ac_ct_NMEDIT=$NMEDIT + # Extract the first word of "nmedit", so it can be a program name with args. +set dummy nmedit; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_NMEDIT+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_NMEDIT"; then + ac_cv_prog_ac_ct_NMEDIT="$ac_ct_NMEDIT" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_NMEDIT="nmedit" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_NMEDIT=$ac_cv_prog_ac_ct_NMEDIT +if test -n "$ac_ct_NMEDIT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NMEDIT" >&5 +$as_echo "$ac_ct_NMEDIT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_NMEDIT" = x; then + NMEDIT=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + NMEDIT=$ac_ct_NMEDIT + fi +else + NMEDIT="$ac_cv_prog_NMEDIT" +fi + + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}lipo", so it can be a program name with args. +set dummy ${ac_tool_prefix}lipo; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_LIPO+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$LIPO"; then + ac_cv_prog_LIPO="$LIPO" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_LIPO="${ac_tool_prefix}lipo" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +LIPO=$ac_cv_prog_LIPO +if test -n "$LIPO"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIPO" >&5 +$as_echo "$LIPO" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_LIPO"; then + ac_ct_LIPO=$LIPO + # Extract the first word of "lipo", so it can be a program name with args. +set dummy lipo; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_LIPO+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_LIPO"; then + ac_cv_prog_ac_ct_LIPO="$ac_ct_LIPO" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_LIPO="lipo" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_LIPO=$ac_cv_prog_ac_ct_LIPO +if test -n "$ac_ct_LIPO"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_LIPO" >&5 +$as_echo "$ac_ct_LIPO" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_LIPO" = x; then + LIPO=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + LIPO=$ac_ct_LIPO + fi +else + LIPO="$ac_cv_prog_LIPO" +fi + + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}otool", so it can be a program name with args. +set dummy ${ac_tool_prefix}otool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_OTOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$OTOOL"; then + ac_cv_prog_OTOOL="$OTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_OTOOL="${ac_tool_prefix}otool" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +OTOOL=$ac_cv_prog_OTOOL +if test -n "$OTOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL" >&5 +$as_echo "$OTOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_OTOOL"; then + ac_ct_OTOOL=$OTOOL + # Extract the first word of "otool", so it can be a program name with args. +set dummy otool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_OTOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_OTOOL"; then + ac_cv_prog_ac_ct_OTOOL="$ac_ct_OTOOL" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_OTOOL="otool" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_OTOOL=$ac_cv_prog_ac_ct_OTOOL +if test -n "$ac_ct_OTOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL" >&5 +$as_echo "$ac_ct_OTOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_OTOOL" = x; then + OTOOL=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + OTOOL=$ac_ct_OTOOL + fi +else + OTOOL="$ac_cv_prog_OTOOL" +fi + + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}otool64", so it can be a program name with args. +set dummy ${ac_tool_prefix}otool64; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_OTOOL64+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$OTOOL64"; then + ac_cv_prog_OTOOL64="$OTOOL64" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +OTOOL64=$ac_cv_prog_OTOOL64 +if test -n "$OTOOL64"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OTOOL64" >&5 +$as_echo "$OTOOL64" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_OTOOL64"; then + ac_ct_OTOOL64=$OTOOL64 + # Extract the first word of "otool64", so it can be a program name with args. +set dummy otool64; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_OTOOL64+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_OTOOL64"; then + ac_cv_prog_ac_ct_OTOOL64="$ac_ct_OTOOL64" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_OTOOL64="otool64" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_OTOOL64=$ac_cv_prog_ac_ct_OTOOL64 +if test -n "$ac_ct_OTOOL64"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OTOOL64" >&5 +$as_echo "$ac_ct_OTOOL64" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_OTOOL64" = x; then + OTOOL64=":" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + OTOOL64=$ac_ct_OTOOL64 + fi +else + OTOOL64="$ac_cv_prog_OTOOL64" +fi + + + + + + + + + + + + + + + + + + + + + + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -single_module linker flag" >&5 +$as_echo_n "checking for -single_module linker flag... " >&6; } +if ${lt_cv_apple_cc_single_mod+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_apple_cc_single_mod=no + if test -z "$LT_MULTI_MODULE"; then + # By default we will add the -single_module flag. You can override + # by either setting the environment variable LT_MULTI_MODULE + # non-empty at configure time, or by adding -multi_module to the + # link flags. + rm -rf libconftest.dylib* + echo "int foo(void){return 1;}" > conftest.c + echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ +-dynamiclib -Wl,-single_module conftest.c" >&5 + $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ + -dynamiclib -Wl,-single_module conftest.c 2>conftest.err + _lt_result=$? 
+ # If there is a non-empty error log, and "single_module" + # appears in it, assume the flag caused a linker warning + if test -s conftest.err && $GREP single_module conftest.err; then + cat conftest.err >&5 + # Otherwise, if the output was created with a 0 exit code from + # the compiler, it worked. + elif test -f libconftest.dylib && test 0 = "$_lt_result"; then + lt_cv_apple_cc_single_mod=yes + else + cat conftest.err >&5 + fi + rm -rf libconftest.dylib* + rm -f conftest.* + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_apple_cc_single_mod" >&5 +$as_echo "$lt_cv_apple_cc_single_mod" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -exported_symbols_list linker flag" >&5 +$as_echo_n "checking for -exported_symbols_list linker flag... " >&6; } +if ${lt_cv_ld_exported_symbols_list+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_ld_exported_symbols_list=no + save_LDFLAGS=$LDFLAGS + echo "_main" > conftest.sym + LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + lt_cv_ld_exported_symbols_list=yes +else + lt_cv_ld_exported_symbols_list=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$save_LDFLAGS + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_exported_symbols_list" >&5 +$as_echo "$lt_cv_ld_exported_symbols_list" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -force_load linker flag" >&5 +$as_echo_n "checking for -force_load linker flag... 
" >&6; } +if ${lt_cv_ld_force_load+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_ld_force_load=no + cat > conftest.c << _LT_EOF +int forced_loaded() { return 2;} +_LT_EOF + echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&5 + $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&5 + echo "$AR cru libconftest.a conftest.o" >&5 + $AR cru libconftest.a conftest.o 2>&5 + echo "$RANLIB libconftest.a" >&5 + $RANLIB libconftest.a 2>&5 + cat > conftest.c << _LT_EOF +int main() { return 0;} +_LT_EOF + echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&5 + $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err + _lt_result=$? + if test -s conftest.err && $GREP force_load conftest.err; then + cat conftest.err >&5 + elif test -f conftest && test 0 = "$_lt_result" && $GREP forced_load conftest >/dev/null 2>&1; then + lt_cv_ld_force_load=yes + else + cat conftest.err >&5 + fi + rm -f conftest.err libconftest.a conftest conftest.c + rm -rf conftest.dSYM + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_ld_force_load" >&5 +$as_echo "$lt_cv_ld_force_load" >&6; } + case $host_os in + rhapsody* | darwin1.[012]) + _lt_dar_allow_undefined='$wl-undefined ${wl}suppress' ;; + darwin1.*) + _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; + darwin*) # darwin 5.x on + # if running on 10.5 or later, the deployment target defaults + # to the OS version, if on x86, and 10.4, the deployment + # target defaults to 10.4. Don't you love it? 
+ case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in + 10.0,*86*-darwin8*|10.0,*-darwin[91]*) + _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; + 10.[012][,.]*) + _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; + 10.*) + _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; + esac + ;; + esac + if test yes = "$lt_cv_apple_cc_single_mod"; then + _lt_dar_single_mod='$single_module' + fi + if test yes = "$lt_cv_ld_exported_symbols_list"; then + _lt_dar_export_syms=' $wl-exported_symbols_list,$output_objdir/$libname-symbols.expsym' + else + _lt_dar_export_syms='~$NMEDIT -s $output_objdir/$libname-symbols.expsym $lib' + fi + if test : != "$DSYMUTIL" && test no = "$lt_cv_ld_force_load"; then + _lt_dsymutil='~$DSYMUTIL $lib || :' + else + _lt_dsymutil= + fi + ;; + esac + +# func_munge_path_list VARIABLE PATH +# ----------------------------------- +# VARIABLE is name of variable containing _space_ separated list of +# directories to be munged by the contents of PATH, which is string +# having a format: +# "DIR[:DIR]:" +# string "DIR[ DIR]" will be prepended to VARIABLE +# ":DIR[:DIR]" +# string "DIR[ DIR]" will be appended to VARIABLE +# "DIRP[:DIRP]::[DIRA:]DIRA" +# string "DIRP[ DIRP]" will be prepended to VARIABLE and string +# "DIRA[ DIRA]" will be appended to VARIABLE +# "DIR[:DIR]" +# VARIABLE will be replaced by "DIR[ DIR]" +func_munge_path_list () +{ + case x$2 in + x) + ;; + *:) + eval $1=\"`$ECHO $2 | $SED 's/:/ /g'` \$$1\" + ;; + x:*) + eval $1=\"\$$1 `$ECHO $2 | $SED 's/:/ /g'`\" + ;; + *::*) + eval $1=\"\$$1\ `$ECHO $2 | $SED -e 's/.*:://' -e 's/:/ /g'`\" + eval $1=\"`$ECHO $2 | $SED -e 's/::.*//' -e 's/:/ /g'`\ \$$1\" + ;; + *) + eval $1=\"`$ECHO $2 | $SED 's/:/ /g'`\" + ;; + esac +} + +for ac_header in dlfcn.h +do : + ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default +" +if test "x$ac_cv_header_dlfcn_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_DLFCN_H 
1 +_ACEOF + +fi + +done + + + + + +# Set options + + + + enable_dlopen=no + + + enable_win32_dll=no + + + # Check whether --enable-shared was given. +if test "${enable_shared+set}" = set; then : + enableval=$enable_shared; p=${PACKAGE-default} + case $enableval in + yes) enable_shared=yes ;; + no) enable_shared=no ;; + *) + enable_shared=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_shared=yes + fi + done + IFS=$lt_save_ifs + ;; + esac +else + enable_shared=yes +fi + + + + + + + + + + + +# Check whether --with-pic was given. +if test "${with_pic+set}" = set; then : + withval=$with_pic; lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for lt_pkg in $withval; do + IFS=$lt_save_ifs + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS=$lt_save_ifs + ;; + esac +else + pic_mode=default +fi + + + + + + + + + # Check whether --enable-fast-install was given. +if test "${enable_fast_install+set}" = set; then : + enableval=$enable_fast_install; p=${PACKAGE-default} + case $enableval in + yes) enable_fast_install=yes ;; + no) enable_fast_install=no ;; + *) + enable_fast_install=no + # Look at the argument we got. We use all the common list separators. 
+ lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_fast_install=yes + fi + done + IFS=$lt_save_ifs + ;; + esac +else + enable_fast_install=yes +fi + + + + + + + + + shared_archive_member_spec= +case $host,$enable_shared in +power*-*-aix[5-9]*,yes) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking which variant of shared library versioning to provide" >&5 +$as_echo_n "checking which variant of shared library versioning to provide... " >&6; } + +# Check whether --with-aix-soname was given. +if test "${with_aix_soname+set}" = set; then : + withval=$with_aix_soname; case $withval in + aix|svr4|both) + ;; + *) + as_fn_error $? "Unknown argument to --with-aix-soname" "$LINENO" 5 + ;; + esac + lt_cv_with_aix_soname=$with_aix_soname +else + if ${lt_cv_with_aix_soname+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_with_aix_soname=aix +fi + + with_aix_soname=$lt_cv_with_aix_soname +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $with_aix_soname" >&5 +$as_echo "$with_aix_soname" >&6; } + if test aix != "$with_aix_soname"; then + # For the AIX way of multilib, we name the shared archive member + # based on the bitwidth used, traditionally 'shr.o' or 'shr_64.o', + # and 'shr.imp' or 'shr_64.imp', respectively, for the Import File. + # Even when GNU compilers ignore OBJECT_MODE but need '-maix64' flag, + # the AIX toolchain works better with OBJECT_MODE set (default 32). + if test 64 = "${OBJECT_MODE-32}"; then + shared_archive_member_spec=shr_64 + else + shared_archive_member_spec=shr + fi + fi + ;; +*) + with_aix_soname=aix + ;; +esac + + + + + + + + + + +# This can be used to rebuild libtool when needed +LIBTOOL_DEPS=$ltmain + +# Always use our own libtool. 
+LIBTOOL='$(SHELL) $(top_builddir)/libtool' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +test -z "$LN_S" && LN_S="ln -s" + + + + + + + + + + + + + + +if test -n "${ZSH_VERSION+set}"; then + setopt NO_GLOB_SUBST +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for objdir" >&5 +$as_echo_n "checking for objdir... " >&6; } +if ${lt_cv_objdir+:} false; then : + $as_echo_n "(cached) " >&6 +else + rm -f .libs 2>/dev/null +mkdir .libs 2>/dev/null +if test -d .libs; then + lt_cv_objdir=.libs +else + # MS-DOS does not allow filenames that begin with a dot. + lt_cv_objdir=_libs +fi +rmdir .libs 2>/dev/null +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_objdir" >&5 +$as_echo "$lt_cv_objdir" >&6; } +objdir=$lt_cv_objdir + + + + + +cat >>confdefs.h <<_ACEOF +#define LT_OBJDIR "$lt_cv_objdir/" +_ACEOF + + + + +case $host_os in +aix3*) + # AIX sometimes has problems with the GCC collect2 program. For some + # reason, if we set the COLLECT_NAMES environment variable, the problems + # vanish in a puff of smoke. + if test set != "${COLLECT_NAMES+set}"; then + COLLECT_NAMES= + export COLLECT_NAMES + fi + ;; +esac + +# Global variables: +ofile=libtool +can_build_shared=yes + +# All known linkers require a '.a' archive for static linking (except MSVC, +# which needs '.lib'). +libext=a + +with_gnu_ld=$lt_cv_prog_gnu_ld + +old_CC=$CC +old_CFLAGS=$CFLAGS + +# Set sane defaults for various variables +test -z "$CC" && CC=cc +test -z "$LTCC" && LTCC=$CC +test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS +test -z "$LD" && LD=ld +test -z "$ac_objext" && ac_objext=o + +func_cc_basename $compiler +cc_basename=$func_cc_basename_result + + +# Only perform the check for file, if the check method requires it +test -z "$MAGIC_CMD" && MAGIC_CMD=file +case $deplibs_check_method in +file_magic*) + if test "$file_magic_cmd" = '$MAGIC_CMD'; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${ac_tool_prefix}file" >&5 +$as_echo_n "checking for ${ac_tool_prefix}file... 
" >&6; } +if ${lt_cv_path_MAGIC_CMD+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $MAGIC_CMD in +[\\/*] | ?:[\\/]*) + lt_cv_path_MAGIC_CMD=$MAGIC_CMD # Let the user override the test with a path. + ;; +*) + lt_save_MAGIC_CMD=$MAGIC_CMD + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR + ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" + for ac_dir in $ac_dummy; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/${ac_tool_prefix}file"; then + lt_cv_path_MAGIC_CMD=$ac_dir/"${ac_tool_prefix}file" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD=$lt_cv_path_MAGIC_CMD + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 + +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org + +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS=$lt_save_ifs + MAGIC_CMD=$lt_save_MAGIC_CMD + ;; +esac +fi + +MAGIC_CMD=$lt_cv_path_MAGIC_CMD +if test -n "$MAGIC_CMD"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 +$as_echo "$MAGIC_CMD" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + + + +if test -z "$lt_cv_path_MAGIC_CMD"; then + if test -n "$ac_tool_prefix"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for file" >&5 +$as_echo_n "checking for file... 
" >&6; } +if ${lt_cv_path_MAGIC_CMD+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $MAGIC_CMD in +[\\/*] | ?:[\\/]*) + lt_cv_path_MAGIC_CMD=$MAGIC_CMD # Let the user override the test with a path. + ;; +*) + lt_save_MAGIC_CMD=$MAGIC_CMD + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR + ac_dummy="/usr/bin$PATH_SEPARATOR$PATH" + for ac_dir in $ac_dummy; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/file"; then + lt_cv_path_MAGIC_CMD=$ac_dir/"file" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD=$lt_cv_path_MAGIC_CMD + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 + +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. 
Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org + +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS=$lt_save_ifs + MAGIC_CMD=$lt_save_MAGIC_CMD + ;; +esac +fi + +MAGIC_CMD=$lt_cv_path_MAGIC_CMD +if test -n "$MAGIC_CMD"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MAGIC_CMD" >&5 +$as_echo "$MAGIC_CMD" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + else + MAGIC_CMD=: + fi +fi + + fi + ;; +esac + +# Use C for the default configuration in the libtool script + +lt_save_CC=$CC +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + +# Source file extension for C test sources. +ac_ext=c + +# Object file extension for compiled C test sources. +objext=o +objext=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="int some_variable = 0;" + +# Code to be used in simple link tests +lt_simple_link_test_code='int main(){return(0);}' + + + + + + + +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} + +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} + +# Allow CC to be a program name with arguments. +compiler=$CC + +# Save the default compiler, since it gets overwritten when the other +# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. 
+compiler_DEFAULT=$CC + +# save warnings/boilerplate of simple test code +ac_outfile=conftest.$ac_objext +echo "$lt_simple_compile_test_code" >conftest.$ac_ext +eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_compiler_boilerplate=`cat conftest.err` +$RM conftest* + +ac_outfile=conftest.$ac_objext +echo "$lt_simple_link_test_code" >conftest.$ac_ext +eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_linker_boilerplate=`cat conftest.err` +$RM -r conftest* + + +## CAVEAT EMPTOR: +## There is no encapsulation within the following macros, do not change +## the running order or otherwise move them around unless you know exactly +## what you are doing... +if test -n "$compiler"; then + +lt_prog_compiler_no_builtin_flag= + +if test yes = "$GCC"; then + case $cc_basename in + nvcc*) + lt_prog_compiler_no_builtin_flag=' -Xcompiler -fno-builtin' ;; + *) + lt_prog_compiler_no_builtin_flag=' -fno-builtin' ;; + esac + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -fno-rtti -fno-exceptions" >&5 +$as_echo_n "checking if $compiler supports -fno-rtti -fno-exceptions... " >&6; } +if ${lt_cv_prog_compiler_rtti_exceptions+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_rtti_exceptions=no + ac_outfile=conftest.$ac_objext + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="-fno-rtti -fno-exceptions" ## exclude from sc_useless_quotes_in_assignment + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. 
+ lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler_rtti_exceptions=yes + fi + fi + $RM conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_rtti_exceptions" >&5 +$as_echo "$lt_cv_prog_compiler_rtti_exceptions" >&6; } + +if test yes = "$lt_cv_prog_compiler_rtti_exceptions"; then + lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions" +else + : +fi + +fi + + + + + + + lt_prog_compiler_wl= +lt_prog_compiler_pic= +lt_prog_compiler_static= + + + if test yes = "$GCC"; then + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_static='-static' + + case $host_os in + aix*) + # All AIX code is PIC. + if test ia64 = "$host_cpu"; then + # AIX 5 now supports IA64 processor + lt_prog_compiler_static='-Bstatic' + fi + lt_prog_compiler_pic='-fPIC' + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + lt_prog_compiler_pic='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the '-m68020' flag to GCC prevents building anything better, + # like '-m68040'. 
+ lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; + + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + lt_prog_compiler_pic='-DDLL_EXPORT' + case $host_os in + os2*) + lt_prog_compiler_static='$wl-static' + ;; + esac + ;; + + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + lt_prog_compiler_pic='-fno-common' + ;; + + haiku*) + # PIC is the default for Haiku. + # The "-static" flag exists, but is broken. + lt_prog_compiler_static= + ;; + + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + # +Z the default + ;; + *) + lt_prog_compiler_pic='-fPIC' + ;; + esac + ;; + + interix[3-9]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; + + msdosdjgpp*) + # Just because we use GCC doesn't mean we suddenly get shared libraries + # on systems that don't support them. + lt_prog_compiler_can_build_shared=no + enable_shared=no + ;; + + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. 
+ lt_prog_compiler_pic='-fPIC -shared' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + lt_prog_compiler_pic=-Kconform_pic + fi + ;; + + *) + lt_prog_compiler_pic='-fPIC' + ;; + esac + + case $cc_basename in + nvcc*) # Cuda Compiler Driver 2.2 + lt_prog_compiler_wl='-Xlinker ' + if test -n "$lt_prog_compiler_pic"; then + lt_prog_compiler_pic="-Xcompiler $lt_prog_compiler_pic" + fi + ;; + esac + else + # PORTME Check for flag to pass linker flags through the system compiler. + case $host_os in + aix*) + lt_prog_compiler_wl='-Wl,' + if test ia64 = "$host_cpu"; then + # AIX 5 now supports IA64 processor + lt_prog_compiler_static='-Bstatic' + else + lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp' + fi + ;; + + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + lt_prog_compiler_pic='-fno-common' + case $cc_basename in + nagfor*) + # NAG Fortran compiler + lt_prog_compiler_wl='-Wl,-Wl,,' + lt_prog_compiler_pic='-PIC' + lt_prog_compiler_static='-Bstatic' + ;; + esac + ;; + + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + lt_prog_compiler_pic='-DDLL_EXPORT' + case $host_os in + os2*) + lt_prog_compiler_static='$wl-static' + ;; + esac + ;; + + hpux9* | hpux10* | hpux11*) + lt_prog_compiler_wl='-Wl,' + # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but + # not for PA HP-UX. + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + lt_prog_compiler_pic='+Z' + ;; + esac + # Is there a better lt_prog_compiler_static that works with the bundled CC? + lt_prog_compiler_static='$wl-a ${wl}archive' + ;; + + irix5* | irix6* | nonstopux*) + lt_prog_compiler_wl='-Wl,' + # PIC (with -KPIC) is the default. 
+ lt_prog_compiler_static='-non_shared' + ;; + + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + case $cc_basename in + # old Intel for x86_64, which still supported -KPIC. + ecc*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-static' + ;; + # icc used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + icc* | ifort*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; + # Lahey Fortran 8.1. + lf95*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='--shared' + lt_prog_compiler_static='--static' + ;; + nagfor*) + # NAG Fortran compiler + lt_prog_compiler_wl='-Wl,-Wl,,' + lt_prog_compiler_pic='-PIC' + lt_prog_compiler_static='-Bstatic' + ;; + tcc*) + # Fabrice Bellard et al's Tiny C Compiler + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; + pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group compilers (*not* the Pentium gcc compiler, + # which looks to be a dead project) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fpic' + lt_prog_compiler_static='-Bstatic' + ;; + ccc*) + lt_prog_compiler_wl='-Wl,' + # All Alpha code is PIC. 
+ lt_prog_compiler_static='-non_shared' + ;; + xl* | bgxl* | bgf* | mpixl*) + # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-qpic' + lt_prog_compiler_static='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [1-7].* | *Sun*Fortran*\ 8.[0-3]*) + # Sun Fortran 8.3 passes all unrecognized flags to the linker + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='' + ;; + *Sun\ F* | *Sun*Fortran*) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='-Qoption ld ' + ;; + *Sun\ C*) + # Sun C 5.9 + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + lt_prog_compiler_wl='-Wl,' + ;; + *Intel*\ [CF]*Compiler*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fPIC' + lt_prog_compiler_static='-static' + ;; + *Portland\ Group*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-fpic' + lt_prog_compiler_static='-Bstatic' + ;; + esac + ;; + esac + ;; + + newsos6) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + ;; + + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + lt_prog_compiler_pic='-fPIC -shared' + ;; + + osf3* | osf4* | osf5*) + lt_prog_compiler_wl='-Wl,' + # All OSF/1 code is PIC. 
+ lt_prog_compiler_static='-non_shared' + ;; + + rdos*) + lt_prog_compiler_static='-non_shared' + ;; + + solaris*) + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + case $cc_basename in + f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) + lt_prog_compiler_wl='-Qoption ld ';; + *) + lt_prog_compiler_wl='-Wl,';; + esac + ;; + + sunos4*) + lt_prog_compiler_wl='-Qoption ld ' + lt_prog_compiler_pic='-PIC' + lt_prog_compiler_static='-Bstatic' + ;; + + sysv4 | sysv4.2uw2* | sysv4.3*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + lt_prog_compiler_pic='-Kconform_pic' + lt_prog_compiler_static='-Bstatic' + fi + ;; + + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_pic='-KPIC' + lt_prog_compiler_static='-Bstatic' + ;; + + unicos*) + lt_prog_compiler_wl='-Wl,' + lt_prog_compiler_can_build_shared=no + ;; + + uts4*) + lt_prog_compiler_pic='-pic' + lt_prog_compiler_static='-Bstatic' + ;; + + *) + lt_prog_compiler_can_build_shared=no + ;; + esac + fi + +case $host_os in + # For platforms that do not support PIC, -DPIC is meaningless: + *djgpp*) + lt_prog_compiler_pic= + ;; + *) + lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC" + ;; +esac + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $compiler option to produce PIC" >&5 +$as_echo_n "checking for $compiler option to produce PIC... " >&6; } +if ${lt_cv_prog_compiler_pic+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_pic=$lt_prog_compiler_pic +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic" >&5 +$as_echo "$lt_cv_prog_compiler_pic" >&6; } +lt_prog_compiler_pic=$lt_cv_prog_compiler_pic + +# +# Check to make sure the PIC flag actually works. 
+# +if test -n "$lt_prog_compiler_pic"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5 +$as_echo_n "checking if $compiler PIC flag $lt_prog_compiler_pic works... " >&6; } +if ${lt_cv_prog_compiler_pic_works+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_pic_works=no + ac_outfile=conftest.$ac_objext + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$lt_prog_compiler_pic -DPIC" ## exclude from sc_useless_quotes_in_assignment + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! 
-s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler_pic_works=yes + fi + fi + $RM conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_pic_works" >&5 +$as_echo "$lt_cv_prog_compiler_pic_works" >&6; } + +if test yes = "$lt_cv_prog_compiler_pic_works"; then + case $lt_prog_compiler_pic in + "" | " "*) ;; + *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;; + esac +else + lt_prog_compiler_pic= + lt_prog_compiler_can_build_shared=no +fi + +fi + + + + + + + + + + + +# +# Check to make sure the static flag actually works. +# +wl=$lt_prog_compiler_wl eval lt_tmp_static_flag=\"$lt_prog_compiler_static\" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler static flag $lt_tmp_static_flag works" >&5 +$as_echo_n "checking if $compiler static flag $lt_tmp_static_flag works... " >&6; } +if ${lt_cv_prog_compiler_static_works+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_static_works=no + save_LDFLAGS=$LDFLAGS + LDFLAGS="$LDFLAGS $lt_tmp_static_flag" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. 
+ cat conftest.err 1>&5 + $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler_static_works=yes + fi + else + lt_cv_prog_compiler_static_works=yes + fi + fi + $RM -r conftest* + LDFLAGS=$save_LDFLAGS + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_static_works" >&5 +$as_echo "$lt_cv_prog_compiler_static_works" >&6; } + +if test yes = "$lt_cv_prog_compiler_static_works"; then + : +else + lt_prog_compiler_static= +fi + + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 +$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } +if ${lt_cv_prog_compiler_c_o+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_c_o=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + lt_cv_prog_compiler_c_o=yes + fi + fi + chmod u+w . 2>&5 + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. + $RM -r conftest + $RM conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 +$as_echo "$lt_cv_prog_compiler_c_o" >&6; } + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $compiler supports -c -o file.$ac_objext" >&5 +$as_echo_n "checking if $compiler supports -c -o file.$ac_objext... " >&6; } +if ${lt_cv_prog_compiler_c_o+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler_c_o=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&5) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&5 + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + lt_cv_prog_compiler_c_o=yes + fi + fi + chmod u+w . 2>&5 + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. + $RM -r conftest + $RM conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler_c_o" >&5 +$as_echo "$lt_cv_prog_compiler_c_o" >&6; } + + + + +hard_links=nottested +if test no = "$lt_cv_prog_compiler_c_o" && test no != "$need_locks"; then + # do not overwrite the value of need_locks provided by the user + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if we can lock with hard links" >&5 +$as_echo_n "checking if we can lock with hard links... " >&6; } + hard_links=yes + $RM conftest* + ln conftest.a conftest.b 2>/dev/null && hard_links=no + touch conftest.a + ln conftest.a conftest.b 2>&5 || hard_links=no + ln conftest.a conftest.b 2>/dev/null && hard_links=no + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $hard_links" >&5 +$as_echo "$hard_links" >&6; } + if test no = "$hard_links"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: '$CC' does not support '-c -o', so 'make -j' may be unsafe" >&5 +$as_echo "$as_me: WARNING: '$CC' does not support '-c -o', so 'make -j' may be unsafe" >&2;} + need_locks=warn + fi +else + need_locks=no +fi + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $compiler linker ($LD) supports shared libraries" >&5 +$as_echo_n "checking whether the $compiler linker ($LD) supports shared libraries... 
" >&6; } + + runpath_var= + allow_undefined_flag= + always_export_symbols=no + archive_cmds= + archive_expsym_cmds= + compiler_needs_object=no + enable_shared_with_static_runtimes=no + export_dynamic_flag_spec= + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + hardcode_automatic=no + hardcode_direct=no + hardcode_direct_absolute=no + hardcode_libdir_flag_spec= + hardcode_libdir_separator= + hardcode_minus_L=no + hardcode_shlibpath_var=unsupported + inherit_rpath=no + link_all_deplibs=unknown + module_cmds= + module_expsym_cmds= + old_archive_from_new_cmds= + old_archive_from_expsyms_cmds= + thread_safe_flag_spec= + whole_archive_flag_spec= + # include_expsyms should be a list of space-separated symbols to be *always* + # included in the symbol list + include_expsyms= + # exclude_expsyms can be an extended regexp of symbols to exclude + # it will be wrapped by ' (' and ')$', so one must not match beginning or + # end of line. Example: 'a|bc|.*d.*' will exclude the symbols 'a' and 'bc', + # as well as any symbol that contains 'd'. + exclude_expsyms='_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*' + # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out + # platforms (ab)use it in PIC code, but their linkers get confused if + # the symbol is explicitly referenced. Since portable code cannot + # rely on this symbol name, it's probably fine to never include it in + # preloaded symbol tables. + # Exclude shared library initialization/finalization symbols. + extract_expsyms_cmds= + + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + # FIXME: the MSVC++ port hasn't been tested in a loooong time + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. 
+ if test yes != "$GCC"; then + with_gnu_ld=no + fi + ;; + interix*) + # we just hope/assume this is gcc and not c89 (= MSVC++) + with_gnu_ld=yes + ;; + openbsd* | bitrig*) + with_gnu_ld=no + ;; + esac + + ld_shlibs=yes + + # On some targets, GNU ld is compatible enough with the native linker + # that we're better off using the native interface for both. + lt_use_gnu_ld_interface=no + if test yes = "$with_gnu_ld"; then + case $host_os in + aix*) + # The AIX port of GNU ld has always aspired to compatibility + # with the native linker. However, as the warning in the GNU ld + # block says, versions before 2.19.5* couldn't really create working + # shared libraries, regardless of the interface used. + case `$LD -v 2>&1` in + *\ \(GNU\ Binutils\)\ 2.19.5*) ;; + *\ \(GNU\ Binutils\)\ 2.[2-9]*) ;; + *\ \(GNU\ Binutils\)\ [3-9]*) ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + fi + + if test yes = "$lt_use_gnu_ld_interface"; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='$wl' + + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH + hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + export_dynamic_flag_spec='$wl--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + whole_archive_flag_spec=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive' + else + whole_archive_flag_spec= + fi + supports_anon_versioning=no + case `$LD -v | $SED -e 's/(^)\+)\s\+//' 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; + *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... + *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... 
+ *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac + + # See if GNU ld supports shared libraries. + case $host_os in + aix[3-9]*) + # On AIX/PPC, the GNU linker is very broken + if test ia64 != "$host_cpu"; then + ld_shlibs=no + cat <<_LT_EOF 1>&2 + +*** Warning: the GNU linker, at least up to release 2.19, is reported +*** to be unable to reliably create shared libraries on AIX. +*** Therefore, libtool is disabling shared libraries support. If you +*** really care for shared libraries, you may want to install binutils +*** 2.20 or above, or modify your PATH so that a non-GNU linker is found. +*** You will then need to restart the configuration process. + +_LT_EOF + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='' + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + ;; + esac + ;; + + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + allow_undefined_flag=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. FIXME + archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + else + ld_shlibs=no + fi + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless, + # as there is no search path for DLLs. 
+ hardcode_libdir_flag_spec='-L$libdir' + export_dynamic_flag_spec='$wl--export-all-symbols' + allow_undefined_flag=unsupported + always_export_symbols=no + enable_shared_with_static_runtimes=yes + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1 DATA/;s/^.*[ ]__nm__\([^ ]*\)[ ][^ ]*/\1 DATA/;/^I[ ]/d;/^[AITW][ ]/s/.* //'\'' | sort | uniq > $export_symbols' + exclude_expsyms='[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname' + + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file, use it as + # is; otherwise, prepend EXPORTS... + archive_expsym_cmds='if test DEF = "`$SED -n -e '\''s/^[ ]*//'\'' -e '\''/^\(;.*\)*$/d'\'' -e '\''s/^\(EXPORTS\|LIBRARY\)\([ ].*\)*$/DEF/p'\'' -e q $export_symbols`" ; then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + ld_shlibs=no + fi + ;; + + haiku*) + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + link_all_deplibs=yes + ;; + + os2*) + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + allow_undefined_flag=unsupported + shrext_cmds=.dll + archive_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> 
$output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + archive_expsym_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + prefix_cmds="$SED"~ + if test EXPORTS = "`$SED 1q $export_symbols`"; then + prefix_cmds="$prefix_cmds -e 1d"; + fi~ + prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~ + cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + old_archive_From_new_cmds='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def' + enable_shared_with_static_runtimes=yes + ;; + + interix[3-9]*) + hardcode_direct=no + hardcode_shlibpath_var=no + hardcode_libdir_flag_spec='$wl-rpath,$libdir' + export_dynamic_flag_spec='$wl-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
+ archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + archive_expsym_cmds='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) + tmp_diet=no + if test linux-dietlibc = "$host_os"; then + case $cc_basename in + diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) + esac + fi + if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ + && test no = "$tmp_diet" + then + tmp_addflag=' $pic_flag' + tmp_sharedflag='-shared' + case $cc_basename,$host_cpu in + pgcc*) # Portland Group C compiler + whole_archive_flag_spec='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + tmp_addflag=' $pic_flag' + ;; + pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group f77 and f90 compilers + whole_archive_flag_spec='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + tmp_addflag=' $pic_flag -Mnomain' ;; + ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 + tmp_addflag=' -i_dynamic' ;; + efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 + tmp_addflag=' -i_dynamic -nofor_main' ;; + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + lf95*) # Lahey Fortran 8.1 + whole_archive_flag_spec= + tmp_sharedflag='--shared' ;; + nagfor*) # NAGFOR 5.3 + tmp_sharedflag='-Wl,-shared' ;; + xl[cC]* | bgxl[cC]* | mpixl[cC]*) # IBM XL C 8.0 on PPC (deal with xlf below) + 
tmp_sharedflag='-qmkshrobj' + tmp_addflag= ;; + nvcc*) # Cuda Compiler Driver 2.2 + whole_archive_flag_spec='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + compiler_needs_object=yes + ;; + esac + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) # Sun C 5.9 + whole_archive_flag_spec='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + compiler_needs_object=yes + tmp_sharedflag='-G' ;; + *Sun\ F*) # Sun Fortran 8.3 + tmp_sharedflag='-G' ;; + esac + archive_cmds='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + + if test yes = "$supports_anon_versioning"; then + archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib' + fi + + case $cc_basename in + tcc*) + export_dynamic_flag_spec='-rdynamic' + ;; + xlf* | bgf* | bgxlf* | mpixlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + whole_archive_flag_spec='--whole-archive$convenience --no-whole-archive' + hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' + if test yes = "$supports_anon_versioning"; then + archive_expsym_cmds='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script 
$output_objdir/$libname.ver -o $lib' + fi + ;; + esac + else + ld_shlibs=no + fi + ;; + + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= + else + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + fi + ;; + + solaris*) + if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then + ld_shlibs=no + cat <<_LT_EOF 1>&2 + +*** Warning: The releases 2.8.* of the GNU linker cannot reliably +*** create shared libraries on Solaris systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.9.1 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. + +_LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else + ld_shlibs=no + fi + ;; + + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [01].* | *\ 2.[0-9].* | *\ 2.1[0-5].*) + ld_shlibs=no + cat <<_LT_EOF 1>&2 + +*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 cannot +*** reliably create shared libraries on SCO systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.16.91.0.3 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. 
+ +_LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else + ld_shlibs=no + fi + ;; + esac + ;; + + sunos4*) + archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; + + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else + ld_shlibs=no + fi + ;; + esac + + if test no = "$ld_shlibs"; then + runpath_var= + hardcode_libdir_flag_spec= + export_dynamic_flag_spec= + whole_archive_flag_spec= + fi + else + # PORTME fill in a description of your system's linker (not GNU ld) + case $host_os in + aix3*) + allow_undefined_flag=unsupported + always_export_symbols=yes + archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' + # Note: this linker hardcodes the directories in LIBPATH if there + # are no directories specified by -L. 
+ hardcode_minus_L=yes + if test yes = "$GCC" && test -z "$lt_prog_compiler_static"; then + # Neither direct hardcoding nor static linking is supported with a + # broken collect2. + hardcode_direct=unsupported + fi + ;; + + aix[4-9]*) + if test ia64 = "$host_cpu"; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag= + else + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to GNU nm, but means don't demangle to AIX nm. + # Without the "-l" option, or with the "-B" option, AIX nm treats + # weak defined symbols like other global defined symbols, whereas + # GNU nm marks them as "W". + # While the 'weak' keyword is ignored in the Export File, we need + # it in the Import File for the 'aix-soname' feature, so we have + # to replace the "-B" option with "-P" for AIX nm. + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && (substr(\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols' + else + export_symbols_cmds='`func_echo_all $NM | $SED -e '\''s/B\([^B]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && (substr(\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols' + fi + aix_use_runtimelinking=no + + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # have runtime linking enabled, and use it for executables. 
+ # For shared libraries, we enable/disable runtime linking + # depending on the kind of the shared library created - + # when "with_aix_soname,aix_use_runtimelinking" is: + # "aix,no" lib.a(lib.so.V) shared, rtl:no, for executables + # "aix,yes" lib.so shared, rtl:yes, for executables + # lib.a static archive + # "both,no" lib.so.V(shr.o) shared, rtl:yes + # lib.a(lib.so.V) shared, rtl:no, for executables + # "both,yes" lib.so.V(shr.o) shared, rtl:yes, for executables + # lib.a(lib.so.V) shared, rtl:no + # "svr4,*" lib.so.V(shr.o) shared, rtl:yes, for executables + # lib.a static archive + case $host_os in aix4.[23]|aix4.[23].*|aix[5-9]*) + for ld_flag in $LDFLAGS; do + if (test x-brtl = "x$ld_flag" || test x-Wl,-brtl = "x$ld_flag"); then + aix_use_runtimelinking=yes + break + fi + done + if test svr4,no = "$with_aix_soname,$aix_use_runtimelinking"; then + # With aix-soname=svr4, we create the lib.so.V shared archives only, + # so we don't have lib.a shared libs to link our executables. + # We have to force runtime linking in this case. + aix_use_runtimelinking=yes + LDFLAGS="$LDFLAGS -Wl,-brtl" + fi + ;; + esac + + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi + + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. + + archive_cmds='' + hardcode_direct=yes + hardcode_direct_absolute=yes + hardcode_libdir_separator=':' + link_all_deplibs=yes + file_list_spec='$wl-f,' + case $with_aix_soname,$aix_use_runtimelinking in + aix,*) ;; # traditional, no import file + svr4,* | *,yes) # use import file + # The Import File defines what to hardcode. 
+ hardcode_direct=no + hardcode_direct_absolute=no + ;; + esac + + if test yes = "$GCC"; then + case $host_os in aix4.[012]|aix4.[012].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`$CC -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + hardcode_direct=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + hardcode_minus_L=yes + hardcode_libdir_flag_spec='-L$libdir' + hardcode_libdir_separator= + fi + ;; + esac + shared_flag='-shared' + if test yes = "$aix_use_runtimelinking"; then + shared_flag="$shared_flag "'$wl-G' + fi + # Need to ensure runtime linking is disabled for the traditional + # shared library, or the linker may eventually find shared libraries + # /with/ Import File - we do not want to mix them. + shared_flag_aix='-shared' + shared_flag_svr4='-shared $wl-G' + else + # not using gcc + if test ia64 = "$host_cpu"; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test yes = "$aix_use_runtimelinking"; then + shared_flag='$wl-G' + else + shared_flag='$wl-bM:SRE' + fi + shared_flag_aix='$wl-bM:SRE' + shared_flag_svr4='$wl-G' + fi + fi + + export_dynamic_flag_spec='$wl-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to export. + always_export_symbols=yes + if test aix,yes = "$with_aix_soname,$aix_use_runtimelinking"; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. 
+ allow_undefined_flag='-berok' + # Determine the default libpath from the value encoded in an + # empty executable. + if test set = "${lt_cv_aix_libpath+set}"; then + aix_libpath=$lt_cv_aix_libpath +else + if ${lt_cv_aix_libpath_+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\([^ ]*\) *$/\1/ + p + } + }' + lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + fi +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_=/usr/lib:/lib + fi + +fi + + aix_libpath=$lt_cv_aix_libpath_ +fi + + hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath" + archive_expsym_cmds='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag + else + if test ia64 = "$host_cpu"; then + hardcode_libdir_flag_spec='$wl-R $libdir:/usr/lib:/lib' + allow_undefined_flag="-z nodefs" + archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. 
+ if test set = "${lt_cv_aix_libpath+set}"; then + aix_libpath=$lt_cv_aix_libpath +else + if ${lt_cv_aix_libpath_+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + lt_aix_libpath_sed=' + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\([^ ]*\) *$/\1/ + p + } + }' + lt_cv_aix_libpath_=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + fi +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + if test -z "$lt_cv_aix_libpath_"; then + lt_cv_aix_libpath_=/usr/lib:/lib + fi + +fi + + aix_libpath=$lt_cv_aix_libpath_ +fi + + hardcode_libdir_flag_spec='$wl-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + no_undefined_flag=' $wl-bernotok' + allow_undefined_flag=' $wl-berok' + if test yes = "$with_gnu_ld"; then + # We only use this code for GNU lds that support --whole-archive. + whole_archive_flag_spec='$wl--whole-archive$convenience $wl--no-whole-archive' + else + # Exported symbols can be pulled into shared objects from archives + whole_archive_flag_spec='$convenience' + fi + archive_cmds_need_lc=yes + archive_expsym_cmds='$RM -r $output_objdir/$realname.d~$MKDIR $output_objdir/$realname.d' + # -brtl affects multiple linker settings, -berok does not and is overridden later + compiler_flags_filtered='`func_echo_all "$compiler_flags " | $SED -e "s%-brtl\\([, ]\\)%-berok\\1%g"`' + if test svr4 != "$with_aix_soname"; then + # This is similar to how AIX traditionally builds its shared libraries. 
+ archive_expsym_cmds="$archive_expsym_cmds"'~$CC '$shared_flag_aix' -o $output_objdir/$realname.d/$soname $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$realname.d/$soname' + fi + if test aix != "$with_aix_soname"; then + archive_expsym_cmds="$archive_expsym_cmds"'~$CC '$shared_flag_svr4' -o $output_objdir/$realname.d/$shared_archive_member_spec.o $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$STRIP -e $output_objdir/$realname.d/$shared_archive_member_spec.o~( func_echo_all "#! $soname($shared_archive_member_spec.o)"; if test shr_64 = "$shared_archive_member_spec"; then func_echo_all "# 64"; else func_echo_all "# 32"; fi; cat $export_symbols ) > $output_objdir/$realname.d/$shared_archive_member_spec.imp~$AR $AR_FLAGS $output_objdir/$soname $output_objdir/$realname.d/$shared_archive_member_spec.o $output_objdir/$realname.d/$shared_archive_member_spec.imp' + else + # used by -dlpreopen to get the symbols + archive_expsym_cmds="$archive_expsym_cmds"'~$MV $output_objdir/$realname.d/$soname $output_objdir' + fi + archive_expsym_cmds="$archive_expsym_cmds"'~$RM -r $output_objdir/$realname.d' + fi + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + archive_expsym_cmds='' + ;; + m68k) + archive_cmds='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + ;; + esac + ;; + + 
bsdi[45]*) + export_dynamic_flag_spec=-rdynamic + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + case $cc_basename in + cl*) + # Native MSVC + hardcode_libdir_flag_spec=' ' + allow_undefined_flag=unsupported + always_export_symbols=yes + file_list_spec='@' + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=.dll + # FIXME: Setting linknames here is a bad hack. + archive_cmds='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~linknames=' + archive_expsym_cmds='if test DEF = "`$SED -n -e '\''s/^[ ]*//'\'' -e '\''/^\(;.*\)*$/d'\'' -e '\''s/^\(EXPORTS\|LIBRARY\)\([ ].*\)*$/DEF/p'\'' -e q $export_symbols`" ; then + cp "$export_symbols" "$output_objdir/$soname.def"; + echo "$tool_output_objdir$soname.def" > "$output_objdir/$soname.exp"; + else + $SED -e '\''s/^/-link -EXPORT:/'\'' < $export_symbols > $output_objdir/$soname.exp; + fi~ + $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ + linknames=' + # The linker will not automatically build a static lib if we build a DLL. 
+ # _LT_TAGVAR(old_archive_from_new_cmds, )='true' + enable_shared_with_static_runtimes=yes + exclude_expsyms='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGRS][ ]/s/.*[ ]\([^ ]*\)/\1,DATA/'\'' | $SED -e '\''/^[AITW][ ]/s/.*[ ]//'\'' | sort | uniq > $export_symbols' + # Don't use ranlib + old_postinstall_cmds='chmod 644 $oldlib' + postlink_cmds='lt_outputfile="@OUTPUT@"~ + lt_tool_outputfile="@TOOL_OUTPUT@"~ + case $lt_outputfile in + *.exe|*.EXE) ;; + *) + lt_outputfile=$lt_outputfile.exe + lt_tool_outputfile=$lt_tool_outputfile.exe + ;; + esac~ + if test : != "$MANIFEST_TOOL" && test -f "$lt_outputfile.manifest"; then + $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; + $RM "$lt_outputfile.manifest"; + fi' + ;; + *) + # Assume MSVC wrapper + hardcode_libdir_flag_spec=' ' + allow_undefined_flag=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=.dll + # FIXME: Setting linknames here is a bad hack. + archive_cmds='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames=' + # The linker will automatically build a .lib file if we build a DLL. + old_archive_from_new_cmds='true' + # FIXME: Should let the user specify the lib program. 
+ old_archive_cmds='lib -OUT:$oldlib$oldobjs$old_deplibs' + enable_shared_with_static_runtimes=yes + ;; + esac + ;; + + darwin* | rhapsody*) + + + archive_cmds_need_lc=no + hardcode_direct=no + hardcode_automatic=yes + hardcode_shlibpath_var=unsupported + if test yes = "$lt_cv_ld_force_load"; then + whole_archive_flag_spec='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience $wl-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' + + else + whole_archive_flag_spec='' + fi + link_all_deplibs=yes + allow_undefined_flag=$_lt_dar_allow_undefined + case $cc_basename in + ifort*|nagfor*) _lt_dar_can_shared=yes ;; + *) _lt_dar_can_shared=$GCC ;; + esac + if test yes = "$_lt_dar_can_shared"; then + output_verbose_link_cmd=func_echo_all + archive_cmds="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dsymutil" + module_cmds="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dsymutil" + archive_expsym_cmds="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil" + module_expsym_cmds="sed -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil" + + else + ld_shlibs=no + fi + + ;; + + dgux*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_shlibpath_var=no + ;; + + # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor + # support. 
Future versions do this automatically, but an explicit c++rt0.o + # does not break anything, and helps significantly (at the cost of a little + # extra space). + freebsd2.2*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; + + # Unfortunately, older versions of FreeBSD 2 do not have this feature. + freebsd2.*) + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes + hardcode_minus_L=yes + hardcode_shlibpath_var=no + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly*) + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; + + hpux9*) + if test yes = "$GCC"; then + archive_cmds='$RM $output_objdir/$soname~$CC -shared $pic_flag $wl+b $wl$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + else + archive_cmds='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + fi + hardcode_libdir_flag_spec='$wl+b $wl$libdir' + hardcode_libdir_separator=: + hardcode_direct=yes + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ hardcode_minus_L=yes + export_dynamic_flag_spec='$wl-E' + ;; + + hpux10*) + if test yes,no = "$GCC,$with_gnu_ld"; then + archive_cmds='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test no = "$with_gnu_ld"; then + hardcode_libdir_flag_spec='$wl+b $wl$libdir' + hardcode_libdir_separator=: + hardcode_direct=yes + hardcode_direct_absolute=yes + export_dynamic_flag_spec='$wl-E' + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + hardcode_minus_L=yes + fi + ;; + + hpux11*) + if test yes,no = "$GCC,$with_gnu_ld"; then + case $host_cpu in + hppa*64*) + archive_cmds='$CC -shared $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + archive_cmds='$CC -shared $pic_flag $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + archive_cmds='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + else + case $host_cpu in + hppa*64*) + archive_cmds='$CC -b $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + archive_cmds='$CC -b $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + + # Older versions of the 11.00 compiler do not understand -b yet + # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does) + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $CC understands -b" >&5 +$as_echo_n "checking if $CC understands -b... 
" >&6; } +if ${lt_cv_prog_compiler__b+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_prog_compiler__b=no + save_LDFLAGS=$LDFLAGS + LDFLAGS="$LDFLAGS -b" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. + cat conftest.err 1>&5 + $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + lt_cv_prog_compiler__b=yes + fi + else + lt_cv_prog_compiler__b=yes + fi + fi + $RM -r conftest* + LDFLAGS=$save_LDFLAGS + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_prog_compiler__b" >&5 +$as_echo "$lt_cv_prog_compiler__b" >&6; } + +if test yes = "$lt_cv_prog_compiler__b"; then + archive_cmds='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags' +else + archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' +fi + + ;; + esac + fi + if test no = "$with_gnu_ld"; then + hardcode_libdir_flag_spec='$wl+b $wl$libdir' + hardcode_libdir_separator=: + + case $host_cpu in + hppa*64*|ia64*) + hardcode_direct=no + hardcode_shlibpath_var=no + ;; + *) + hardcode_direct=yes + hardcode_direct_absolute=yes + export_dynamic_flag_spec='$wl-E' + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ hardcode_minus_L=yes + ;; + esac + fi + ;; + + irix5* | irix6* | nonstopux*) + if test yes = "$GCC"; then + archive_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + # Try to use the -exported_symbol ld option, if it does not + # work, assume that -exports_file does not work either and + # implicitly export all symbols. + # This should be the same for all languages, so no per-tag cache variable. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the $host_os linker accepts -exported_symbol" >&5 +$as_echo_n "checking whether the $host_os linker accepts -exported_symbol... " >&6; } +if ${lt_cv_irix_exported_symbol+:} false; then : + $as_echo_n "(cached) " >&6 +else + save_LDFLAGS=$LDFLAGS + LDFLAGS="$LDFLAGS -shared $wl-exported_symbol ${wl}foo $wl-update_registry $wl/dev/null" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +int foo (void) { return 0; } +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + lt_cv_irix_exported_symbol=yes +else + lt_cv_irix_exported_symbol=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$save_LDFLAGS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_irix_exported_symbol" >&5 +$as_echo "$lt_cv_irix_exported_symbol" >&6; } + if test yes = "$lt_cv_irix_exported_symbol"; then + archive_expsym_cmds='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib' + fi + else + archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' + fi + archive_cmds_need_lc='no' + hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + hardcode_libdir_separator=: + inherit_rpath=yes + link_all_deplibs=yes + ;; + + linux*) + case $cc_basename in + tcc*) + # Fabrice Bellard et al's Tiny C Compiler + ld_shlibs=yes + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else + archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF + fi + hardcode_libdir_flag_spec='-R$libdir' + hardcode_direct=yes + hardcode_shlibpath_var=no + ;; + + newsos6) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes + 
hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + hardcode_libdir_separator=: + hardcode_shlibpath_var=no + ;; + + *nto* | *qnx*) + ;; + + openbsd* | bitrig*) + if test -f /usr/libexec/ld.so; then + hardcode_direct=yes + hardcode_shlibpath_var=no + hardcode_direct_absolute=yes + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols' + hardcode_libdir_flag_spec='$wl-rpath,$libdir' + export_dynamic_flag_spec='$wl-E' + else + archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + hardcode_libdir_flag_spec='$wl-rpath,$libdir' + fi + else + ld_shlibs=no + fi + ;; + + os2*) + hardcode_libdir_flag_spec='-L$libdir' + hardcode_minus_L=yes + allow_undefined_flag=unsupported + shrext_cmds=.dll + archive_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + archive_expsym_cmds='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + prefix_cmds="$SED"~ + if test EXPORTS = "`$SED 1q $export_symbols`"; then + prefix_cmds="$prefix_cmds -e 1d"; + fi~ + prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~ + cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~ + 
$CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + old_archive_From_new_cmds='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def' + enable_shared_with_static_runtimes=yes + ;; + + osf3*) + if test yes = "$GCC"; then + allow_undefined_flag=' $wl-expect_unresolved $wl\*' + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + else + allow_undefined_flag=' -expect_unresolved \*' + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + fi + archive_cmds_need_lc='no' + hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + hardcode_libdir_separator=: + ;; + + osf4* | osf5*) # as osf3* with the addition of -msym flag + if test yes = "$GCC"; then + allow_undefined_flag=' $wl-expect_unresolved $wl\*' + archive_cmds='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + hardcode_libdir_flag_spec='$wl-rpath $wl$libdir' + else + allow_undefined_flag=' -expect_unresolved \*' + archive_cmds='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ + $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs 
$deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp' + + # Both c and cxx compiler support -rpath directly + hardcode_libdir_flag_spec='-rpath $libdir' + fi + archive_cmds_need_lc='no' + hardcode_libdir_separator=: + ;; + + solaris*) + no_undefined_flag=' -z defs' + if test yes = "$GCC"; then + wlarc='$wl' + archive_cmds='$CC -shared $pic_flag $wl-z ${wl}text $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared $pic_flag $wl-z ${wl}text $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + else + case `$CC -V 2>&1` in + *"Compilers 5.0"*) + wlarc='' + archive_cmds='$LD -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $linker_flags' + archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $LD -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' + ;; + *) + wlarc='$wl' + archive_cmds='$CC -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + ;; + esac + fi + hardcode_libdir_flag_spec='-R$libdir' + hardcode_shlibpath_var=no + case $host_os in + solaris2.[0-5] | solaris2.[0-5].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands '-z linker_flag'. GCC discards it without '$wl', + # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) 
+ if test yes = "$GCC"; then + whole_archive_flag_spec='$wl-z ${wl}allextract$convenience $wl-z ${wl}defaultextract' + else + whole_archive_flag_spec='-z allextract$convenience -z defaultextract' + fi + ;; + esac + link_all_deplibs=yes + ;; + + sunos4*) + if test sequent = "$host_vendor"; then + # Use $CC to link under sequent, because it throws in some extra .o + # files that make .init and .fini sections work. + archive_cmds='$CC -G $wl-h $soname -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi + hardcode_libdir_flag_spec='-L$libdir' + hardcode_direct=yes + hardcode_minus_L=yes + hardcode_shlibpath_var=no + ;; + + sysv4) + case $host_vendor in + sni) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=yes # is this really true??? + ;; + siemens) + ## LD is ld it makes a PLAMLIB + ## CC just makes a GrossModule. + archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags' + reload_cmds='$CC -r -o $output$reload_objs' + hardcode_direct=no + ;; + motorola) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_direct=no #Motorola manual says yes, but my tests say they lie + ;; + esac + runpath_var='LD_RUN_PATH' + hardcode_shlibpath_var=no + ;; + + sysv4.3*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_shlibpath_var=no + export_dynamic_flag_spec='-Bexport' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_shlibpath_var=no + runpath_var=LD_RUN_PATH + hardcode_runpath_var=yes + ld_shlibs=yes + fi + ;; + + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[01].[10]* | unixware7* | sco3.2v5.0.[024]*) + no_undefined_flag='$wl-z,text' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no + runpath_var='LD_RUN_PATH' + + if test yes = "$GCC"; then + archive_cmds='$CC -shared $wl-h,$soname -o 
$lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; + + sysv5* | sco3.2v5* | sco5v6*) + # Note: We CANNOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + no_undefined_flag='$wl-z,text' + allow_undefined_flag='$wl-z,nodefs' + archive_cmds_need_lc=no + hardcode_shlibpath_var=no + hardcode_libdir_flag_spec='$wl-R,$libdir' + hardcode_libdir_separator=':' + link_all_deplibs=yes + export_dynamic_flag_spec='$wl-Bexport' + runpath_var='LD_RUN_PATH' + + if test yes = "$GCC"; then + archive_cmds='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + archive_cmds='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + archive_expsym_cmds='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; + + uts4*) + archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + hardcode_libdir_flag_spec='-L$libdir' + hardcode_shlibpath_var=no + ;; + + *) + ld_shlibs=no + ;; + esac + + if test sni = "$host_vendor"; then + case $host in + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) + export_dynamic_flag_spec='$wl-Blargedynsym' + ;; + esac + fi + fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ld_shlibs" >&5 +$as_echo "$ld_shlibs" >&6; } +test no = "$ld_shlibs" && 
can_build_shared=no + +with_gnu_ld=$with_gnu_ld + + + + + + + + + + + + + + + +# +# Do we need to explicitly link libc? +# +case "x$archive_cmds_need_lc" in +x|xyes) + # Assume -lc should be added + archive_cmds_need_lc=yes + + if test yes,yes = "$GCC,$enable_shared"; then + case $archive_cmds in + *'~'*) + # FIXME: we may have to deal with multi-command sequences. + ;; + '$CC '*) + # Test whether the compiler implicitly links with -lc since on some + # systems, -lgcc has to come before -lc. If gcc already passes -lc + # to ld, don't add -lc before -lgcc. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether -lc should be explicitly linked in" >&5 +$as_echo_n "checking whether -lc should be explicitly linked in... " >&6; } +if ${lt_cv_archive_cmds_need_lc+:} false; then : + $as_echo_n "(cached) " >&6 +else + $RM conftest* + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 + (eval $ac_compile) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } 2>conftest.err; then + soname=conftest + lib=conftest + libobjs=conftest.$ac_objext + deplibs= + wl=$lt_prog_compiler_wl + pic_flag=$lt_prog_compiler_pic + compiler_flags=-v + linker_flags=-v + verstring= + output_objdir=. + libname=conftest + lt_save_allow_undefined_flag=$allow_undefined_flag + allow_undefined_flag= + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1\""; } >&5 + (eval $archive_cmds 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; } + then + lt_cv_archive_cmds_need_lc=no + else + lt_cv_archive_cmds_need_lc=yes + fi + allow_undefined_flag=$lt_save_allow_undefined_flag + else + cat conftest.err 1>&5 + fi + $RM conftest* + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_archive_cmds_need_lc" >&5 +$as_echo "$lt_cv_archive_cmds_need_lc" >&6; } + archive_cmds_need_lc=$lt_cv_archive_cmds_need_lc + ;; + esac + fi + ;; +esac + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking dynamic linker characteristics" >&5 +$as_echo_n "checking dynamic linker characteristics... " >&6; } + +if test yes = "$GCC"; then + case $host_os in + darwin*) lt_awk_arg='/^libraries:/,/LR/' ;; + *) lt_awk_arg='/^libraries:/' ;; + esac + case $host_os in + mingw* | cegcc*) lt_sed_strip_eq='s|=\([A-Za-z]:\)|\1|g' ;; + *) lt_sed_strip_eq='s|=/|/|g' ;; + esac + lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq` + case $lt_search_path_spec in + *\;*) + # if the path contains ";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'` + ;; + *) + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"` + ;; + esac + # Ok, now we have the path, separated by spaces, we can step through it + # and add multilib dir if necessary... 
+ lt_tmp_lt_search_path_spec= + lt_multi_os_dir=/`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` + # ...but if some path component already ends with the multilib dir we assume + # that all is fine and trust -print-search-dirs as is (GCC 4.2? or newer). + case "$lt_multi_os_dir; $lt_search_path_spec " in + "/; "* | "/.; "* | "/./; "* | *"$lt_multi_os_dir "* | *"$lt_multi_os_dir/ "*) + lt_multi_os_dir= + ;; + esac + for lt_sys_path in $lt_search_path_spec; do + if test -d "$lt_sys_path$lt_multi_os_dir"; then + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path$lt_multi_os_dir" + elif test -n "$lt_multi_os_dir"; then + test -d "$lt_sys_path" && \ + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" + fi + done + lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk ' +BEGIN {RS = " "; FS = "/|\n";} { + lt_foo = ""; + lt_count = 0; + for (lt_i = NF; lt_i > 0; lt_i--) { + if ($lt_i != "" && $lt_i != ".") { + if ($lt_i == "..") { + lt_count++; + } else { + if (lt_count == 0) { + lt_foo = "/" $lt_i lt_foo; + } else { + lt_count--; + } + } + } + } + if (lt_foo != "") { lt_freq[lt_foo]++; } + if (lt_freq[lt_foo] == 1) { print lt_foo; } +}'` + # AWK program above erroneously prepends '/' to C:/dos/paths + # for these hosts. 
+ case $host_os in + mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\ + $SED 's|/\([A-Za-z]:\)|\1|g'` ;; + esac + sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP` +else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +fi +library_names_spec= +libname_spec='lib$name' +soname_spec= +shrext_cmds=.so +postinstall_cmds= +postuninstall_cmds= +finish_cmds= +finish_eval= +shlibpath_var= +shlibpath_overrides_runpath=unknown +version_type=none +dynamic_linker="$host_os ld.so" +sys_lib_dlsearch_path_spec="/lib /usr/lib" +need_lib_prefix=unknown +hardcode_into_libs=no + +# when you set need_version to no, make sure it does not cause -set_version +# flags to be left without arguments +need_version=unknown + + + +case $host_os in +aix3*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname.a' + shlibpath_var=LIBPATH + + # AIX 3 has no versioning support, so we append a major version to the name. + soname_spec='$libname$release$shared_ext$major' + ;; + +aix[4-9]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + hardcode_into_libs=yes + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + else + # With GCC up to 2.95.x, collect2 would create an import file + # for dependence libraries. The import file would start with + # the line '#! .'. This would cause the generated library to + # depend on '.', always an invalid library. This was fixed in + # development snapshots of GCC prior to 3.0. 
+ case $host_os in + aix4 | aix4.[01] | aix4.[01].*) + if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' + echo ' yes ' + echo '#endif'; } | $CC -E - | $GREP yes > /dev/null; then + : + else + can_build_shared=no + fi + ;; + esac + # Using Import Files as archive members, it is possible to support + # filename-based versioning of shared library archives on AIX. While + # this would work for both with and without runtime linking, it will + # prevent static linking of such archives. So we do filename-based + # shared library versioning with .so extension only, which is used + # when both runtime linking and shared linking is enabled. + # Unfortunately, runtime linking may impact performance, so we do + # not want this to be the default eventually. Also, we use the + # versioned .so libs for executables only if there is the -brtl + # linker flag in LDFLAGS as well, or --with-aix-soname=svr4 only. + # To allow for filename-based versioning support, we need to create + # libNAME.so.V as an archive file, containing: + # *) an Import File, referring to the versioned filename of the + # archive as well as the shared archive member, telling the + # bitwidth (32 or 64) of that shared object, and providing the + # list of exported symbols of that shared object, eventually + # decorated with the 'weak' keyword + # *) the shared object with the F_LOADONLY flag set, to really avoid + # it being seen by the linker. + # At run time we better use the real file rather than another symlink, + # but for link time we create the symlink libNAME.so -> libNAME.so.V + + case $with_aix_soname,$aix_use_runtimelinking in + # AIX (on Power*) has no versioning support, so currently we cannot hardcode correct + # soname into executable. Probably we can add versioning support to + # collect2, so additional links can be useful in future. 
+ aix,yes) # traditional libtool + dynamic_linker='AIX unversionable lib.so' + # If using run time linking (on AIX 4.2 or later) use lib.so + # instead of lib.a to let people know that these are not + # typical AIX shared libraries. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + ;; + aix,no) # traditional AIX only + dynamic_linker='AIX lib.a(lib.so.V)' + # We preserve .a as extension for shared libraries through AIX4.2 + # and later when we are not doing run time linking. + library_names_spec='$libname$release.a $libname.a' + soname_spec='$libname$release$shared_ext$major' + ;; + svr4,*) # full svr4 only + dynamic_linker="AIX lib.so.V($shared_archive_member_spec.o)" + library_names_spec='$libname$release$shared_ext$major $libname$shared_ext' + # We do not specify a path in Import Files, so LIBPATH fires. + shlibpath_overrides_runpath=yes + ;; + *,yes) # both, prefer svr4 + dynamic_linker="AIX lib.so.V($shared_archive_member_spec.o), lib.a(lib.so.V)" + library_names_spec='$libname$release$shared_ext$major $libname$shared_ext' + # unpreferred sharedlib libNAME.a needs extra handling + postinstall_cmds='test -n "$linkname" || linkname="$realname"~func_stripname "" ".so" "$linkname"~$install_shared_prog "$dir/$func_stripname_result.$libext" "$destdir/$func_stripname_result.$libext"~test -z "$tstripme" || test -z "$striplib" || $striplib "$destdir/$func_stripname_result.$libext"' + postuninstall_cmds='for n in $library_names $old_library; do :; done~func_stripname "" ".so" "$n"~test "$func_stripname_result" = "$n" || func_append rmfiles " $odir/$func_stripname_result.$libext"' + # We do not specify a path in Import Files, so LIBPATH fires. 
+ shlibpath_overrides_runpath=yes + ;; + *,no) # both, prefer aix + dynamic_linker="AIX lib.a(lib.so.V), lib.so.V($shared_archive_member_spec.o)" + library_names_spec='$libname$release.a $libname.a' + soname_spec='$libname$release$shared_ext$major' + # unpreferred sharedlib libNAME.so.V and symlink libNAME.so need extra handling + postinstall_cmds='test -z "$dlname" || $install_shared_prog $dir/$dlname $destdir/$dlname~test -z "$tstripme" || test -z "$striplib" || $striplib $destdir/$dlname~test -n "$linkname" || linkname=$realname~func_stripname "" ".a" "$linkname"~(cd "$destdir" && $LN_S -f $dlname $func_stripname_result.so)' + postuninstall_cmds='test -z "$dlname" || func_append rmfiles " $odir/$dlname"~for n in $old_library $library_names; do :; done~func_stripname "" ".a" "$n"~func_append rmfiles " $odir/$func_stripname_result.so"' + ;; + esac + shlibpath_var=LIBPATH + fi + ;; + +amigaos*) + case $host_cpu in + powerpc) + # Since July 2007 AmigaOS4 officially supports .so libraries. + # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + ;; + m68k) + library_names_spec='$libname.ixlibrary $libname.a' + # Create ${libname}_ixlibrary.a entries in /sys/libs. 
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' + ;; + esac + ;; + +beos*) + library_names_spec='$libname$shared_ext' + dynamic_linker="$host_os ld.so" + shlibpath_var=LIBRARY_PATH + ;; + +bsdi[45]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" + sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" + # the default ld.so.conf also contains /usr/contrib/lib and + # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow + # libtool to hard-code these into programs + ;; + +cygwin* | mingw* | pw32* | cegcc*) + version_type=windows + shrext_cmds=.dll + need_version=no + need_lib_prefix=no + + case $GCC,$cc_basename in + yes,*) + # gcc + library_names_spec='$libname.dll.a' + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \$file`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname~ + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + + case $host_os in + cygwin*) + # Cygwin DLLs use 'cyg' prefix rather than 'lib' + soname_spec='`echo $libname | sed -e 's/^lib/cyg/'``echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext' + + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api" + ;; + mingw* | cegcc*) + # MinGW DLLs use traditional 'lib' prefix + soname_spec='$libname`echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext' + ;; + pw32*) + # pw32 DLLs use 'pw' prefix rather than 'lib' + library_names_spec='`echo $libname | sed -e 's/^lib/pw/'``echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext' + ;; + esac + dynamic_linker='Win32 ld.exe' + ;; + + *,cl*) + # Native MSVC + libname_spec='$name' + soname_spec='$libname`echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext' + library_names_spec='$libname.dll.lib' + + case $build_os in + mingw*) + sys_lib_search_path_spec= + lt_save_ifs=$IFS + IFS=';' + for lt_path in $LIB + do + IFS=$lt_save_ifs + # Let DOS variable expansion print the short 8.3 style file name. + lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"` + sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path" + done + IFS=$lt_save_ifs + # Convert to MSYS style. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([a-zA-Z]\\):| /\\1|g' -e 's|^ ||'` + ;; + cygwin*) + # Convert to unix form, then to dos form, then back to unix form + # but this time dos style (no spaces!) so that the unix form looks + # like /cygdrive/c/PROGRA~1:/cygdr... 
+ sys_lib_search_path_spec=`cygpath --path --unix "$LIB"` + sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null` + sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + ;; + *) + sys_lib_search_path_spec=$LIB + if $ECHO "$sys_lib_search_path_spec" | $GREP ';[c-zC-Z]:/' >/dev/null; then + # It is most probably a Windows format PATH. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` + else + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + # FIXME: find the short name or the path components, as spaces are + # common. (e.g. "Program Files" -> "PROGRA~1") + ;; + esac + + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \$file`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + dynamic_linker='Win32 link.exe' + ;; + + *) + # Assume MSVC wrapper + library_names_spec='$libname`echo $release | $SED -e 's/[.]/-/g'`$versuffix$shared_ext $libname.lib' + dynamic_linker='Win32 ld.exe' + ;; + esac + # FIXME: first we should search . 
and the directory the executable is in + shlibpath_var=PATH + ;; + +darwin* | rhapsody*) + dynamic_linker="$host_os dyld" + version_type=darwin + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$major$shared_ext $libname$shared_ext' + soname_spec='$libname$release$major$shared_ext' + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' + + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib" + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +dgux*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + ;; + +freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. 
+ if test -x /usr/bin/objformat; then + objformat=`/usr/bin/objformat` + else + case $host_os in + freebsd[23].*) objformat=aout ;; + *) objformat=elf ;; + esac + fi + version_type=freebsd-$objformat + case $version_type in + freebsd-elf*) + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + need_version=no + need_lib_prefix=no + ;; + freebsd-*) + library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' + need_version=yes + ;; + esac + shlibpath_var=LD_LIBRARY_PATH + case $host_os in + freebsd2.*) + shlibpath_overrides_runpath=yes + ;; + freebsd3.[01]* | freebsdelf3.[01]*) + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + freebsd3.[2-9]* | freebsdelf3.[2-9]* | \ + freebsd4.[0-5] | freebsdelf4.[0-5] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + esac + ;; + +haiku*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + dynamic_linker="$host_os runtime_loader" + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' + hardcode_into_libs=yes + ;; + +hpux9* | hpux10* | hpux11*) + # Give a soname corresponding to the major version so that dld.sl refuses to + # link against other versions. + version_type=sunos + need_lib_prefix=no + need_version=no + case $host_cpu in + ia64*) + shrext_cmds='.so' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. 
+ library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + if test 32 = "$HPUX_IA64_MODE"; then + sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" + sys_lib_dlsearch_path_spec=/usr/lib/hpux32 + else + sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" + sys_lib_dlsearch_path_spec=/usr/lib/hpux64 + fi + ;; + hppa*64*) + shrext_cmds='.sl' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + *) + shrext_cmds='.sl' + dynamic_linker="$host_os dld.sl" + shlibpath_var=SHLIB_PATH + shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + ;; + esac + # HP-UX runs *really* slowly unless shared libraries are mode 555, ... 
+ postinstall_cmds='chmod 555 $lib' + # or fails outright, so override atomically: + install_override_mode=555 + ;; + +interix[3-9]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +irix5* | irix6* | nonstopux*) + case $host_os in + nonstopux*) version_type=nonstopux ;; + *) + if test yes = "$lt_cv_prog_gnu_ld"; then + version_type=linux # correct to gnu/linux during the next big refactor + else + version_type=irix + fi ;; + esac + need_lib_prefix=no + need_version=no + soname_spec='$libname$release$shared_ext$major' + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$release$shared_ext $libname$shared_ext' + case $host_os in + irix5* | nonstopux*) + libsuff= shlibsuff= + ;; + *) + case $LD in # libtool.m4 will add one of these switches to LD + *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") + libsuff= shlibsuff= libmagic=32-bit;; + *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") + libsuff=32 shlibsuff=N32 libmagic=N32;; + *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") + libsuff=64 shlibsuff=64 libmagic=64-bit;; + *) libsuff= shlibsuff= libmagic=never-match;; + esac + ;; + esac + shlibpath_var=LD_LIBRARY${shlibsuff}_PATH + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" + hardcode_into_libs=yes + ;; + +# No shared lib support for Linux oldld, aout, or coff. +linux*oldld* | linux*aout* | linux*coff*) + dynamic_linker=no + ;; + +linux*android*) + version_type=none # Android doesn't support versioned libraries. 
+ need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext' + soname_spec='$libname$release$shared_ext' + finish_cmds= + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. + hardcode_libdir_flag_spec='-L$libdir' + ;; + +# This must be glibc/ELF. +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + + # Some binutils ld are patched to set DT_RUNPATH + if ${lt_cv_shlibpath_overrides_runpath+:} false; then : + $as_echo_n "(cached) " >&6 +else + lt_cv_shlibpath_overrides_runpath=no + save_LDFLAGS=$LDFLAGS + save_libdir=$libdir + eval "libdir=/foo; wl=\"$lt_prog_compiler_wl\"; \ + LDFLAGS=\"\$LDFLAGS $hardcode_libdir_flag_spec\"" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + if ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null; then : + lt_cv_shlibpath_overrides_runpath=yes +fi +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$save_LDFLAGS + libdir=$save_libdir + +fi + + shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath + + # This implies no fast_install, which is unacceptable. 
+ # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes + + # Add ABI-specific directories to the system library path. + sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. Aside from not + # being certain /sbin/ldconfig is available, command + # 'ldconfig -N -X -v | grep ^/' on 64bit Fedora does not report /usr/lib64, + # even though it is searched at run-time. Try to do the best guess by + # appending ld.so.conf contents (and includes) to the search path. + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \$2)); skip = 1; } { if (!skip) print \$0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on + # powerpc, because MkLinux only supported shared libraries with the + # GNU dynamic linker. Since this was broken with cross compilers, + # most powerpc-linux boxes support dynamic linking these days and + # people can always --disable-shared, the test was removed, and we + # assume the GNU/Linux dynamic linker is in use. 
+ dynamic_linker='GNU/Linux ld.so' + ;; + +netbsd*) + version_type=sunos + need_lib_prefix=no + need_version=no + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + dynamic_linker='NetBSD (a.out) ld.so' + else + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + dynamic_linker='NetBSD ld.elf_so' + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + +newsos6) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + ;; + +*nto* | *qnx*) + version_type=qnx + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='ldqnx.so' + ;; + +openbsd* | bitrig*) + version_type=sunos + sys_lib_dlsearch_path_spec=/usr/lib + need_lib_prefix=no + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + need_version=no + else + need_version=yes + fi + library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + ;; + +os2*) + libname_spec='$name' + version_type=windows + shrext_cmds=.dll + need_version=no + need_lib_prefix=no + # OS/2 can only load a DLL with a base name of 8 characters or less. 
+ soname_spec='`test -n "$os2dllname" && libname="$os2dllname"; + v=$($ECHO $release$versuffix | tr -d .-); + n=$($ECHO $libname | cut -b -$((8 - ${#v})) | tr . _); + $ECHO $n$v`$shared_ext' + library_names_spec='${libname}_dll.$libext' + dynamic_linker='OS/2 ld.exe' + shlibpath_var=BEGINLIBPATH + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + postinstall_cmds='base_file=`basename \$file`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; $ECHO \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname~ + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; $ECHO \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + ;; + +osf3* | osf4* | osf5*) + version_type=osf + need_lib_prefix=no + need_version=no + soname_spec='$libname$release$shared_ext$major' + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + +rdos*) + dynamic_linker=no + ;; + +solaris*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; + +sunos4*) + version_type=sunos + library_names_spec='$libname$release$shared_ext$versuffix 
$libname$shared_ext$versuffix' + finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + if test yes = "$with_gnu_ld"; then + need_lib_prefix=no + fi + need_version=yes + ;; + +sysv4 | sysv4.3*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + case $host_vendor in + sni) + shlibpath_overrides_runpath=no + need_lib_prefix=no + runpath_var=LD_RUN_PATH + ;; + siemens) + need_lib_prefix=no + ;; + motorola) + need_lib_prefix=no + need_version=no + shlibpath_overrides_runpath=no + sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' + ;; + esac + ;; + +sysv4*MP*) + if test -d /usr/nec; then + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$shared_ext.$versuffix $libname$shared_ext.$major $libname$shared_ext' + soname_spec='$libname$shared_ext.$major' + shlibpath_var=LD_LIBRARY_PATH + fi + ;; + +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + version_type=sco + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else + sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' + case $host_os in + sco3.2v5*) + sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" + ;; + esac + fi + sys_lib_dlsearch_path_spec='/usr/lib' + ;; + +tpf*) + # TPF is a cross-target only. Preferred cross-host = GNU/Linux. 
+ version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +uts4*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + ;; + +*) + dynamic_linker=no + ;; +esac +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $dynamic_linker" >&5 +$as_echo "$dynamic_linker" >&6; } +test no = "$dynamic_linker" && can_build_shared=no + +variables_saved_for_relink="PATH $shlibpath_var $runpath_var" +if test yes = "$GCC"; then + variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" +fi + +if test set = "${lt_cv_sys_lib_search_path_spec+set}"; then + sys_lib_search_path_spec=$lt_cv_sys_lib_search_path_spec +fi + +if test set = "${lt_cv_sys_lib_dlsearch_path_spec+set}"; then + sys_lib_dlsearch_path_spec=$lt_cv_sys_lib_dlsearch_path_spec +fi + +# remember unaugmented sys_lib_dlsearch_path content for libtool script decls... +configure_time_dlsearch_path=$sys_lib_dlsearch_path_spec + +# ... 
but it needs LT_SYS_LIBRARY_PATH munging for other configure-time code +func_munge_path_list sys_lib_dlsearch_path_spec "$LT_SYS_LIBRARY_PATH" + +# to be used as default LT_SYS_LIBRARY_PATH value in generated libtool +configure_time_lt_sys_library_path=$LT_SYS_LIBRARY_PATH + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to hardcode library paths into programs" >&5 +$as_echo_n "checking how to hardcode library paths into programs... " >&6; } +hardcode_action= +if test -n "$hardcode_libdir_flag_spec" || + test -n "$runpath_var" || + test yes = "$hardcode_automatic"; then + + # We can hardcode non-existent directories. + if test no != "$hardcode_direct" && + # If the only mechanism to avoid hardcoding is shlibpath_var, we + # have to relink, otherwise we might link with an installed library + # when we should be linking with a yet-to-be-installed one + ## test no != "$_LT_TAGVAR(hardcode_shlibpath_var, )" && + test no != "$hardcode_minus_L"; then + # Linking always hardcodes the temporary library directory. + hardcode_action=relink + else + # We can link without hardcoding, and we can hardcode nonexisting dirs. + hardcode_action=immediate + fi +else + # We cannot hardcode anything, or else we can only hardcode existing + # directories. 
+ hardcode_action=unsupported +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $hardcode_action" >&5 +$as_echo "$hardcode_action" >&6; } + +if test relink = "$hardcode_action" || + test yes = "$inherit_rpath"; then + # Fast installation is not supported + enable_fast_install=no +elif test yes = "$shlibpath_overrides_runpath" || + test no = "$enable_shared"; then + # Fast installation is not necessary + enable_fast_install=needless +fi + + + + + + + if test yes != "$enable_dlopen"; then + enable_dlopen=unknown + enable_dlopen_self=unknown + enable_dlopen_self_static=unknown +else + lt_cv_dlopen=no + lt_cv_dlopen_libs= + + case $host_os in + beos*) + lt_cv_dlopen=load_add_on + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ;; + + mingw* | pw32* | cegcc*) + lt_cv_dlopen=LoadLibrary + lt_cv_dlopen_libs= + ;; + + cygwin*) + lt_cv_dlopen=dlopen + lt_cv_dlopen_libs= + ;; + + darwin*) + # if libdl is installed we need to link against it + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if ${ac_cv_lib_dl_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dl_dlopen=yes +else + ac_cv_lib_dl_dlopen=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = xyes; then : + lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl +else + + lt_cv_dlopen=dyld + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + +fi + + ;; + + tpf*) + # Don't try to run any link tests for TPF. We know it's impossible + # because TPF is a cross-compiler, and we know how we open DSOs. + lt_cv_dlopen=dlopen + lt_cv_dlopen_libs= + lt_cv_dlopen_self=no + ;; + + *) + ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load" +if test "x$ac_cv_func_shl_load" = xyes; then : + lt_cv_dlopen=shl_load +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 +$as_echo_n "checking for shl_load in -ldld... " >&6; } +if ${ac_cv_lib_dld_shl_load+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (); +int +main () +{ +return shl_load (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dld_shl_load=yes +else + ac_cv_lib_dld_shl_load=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 +$as_echo "$ac_cv_lib_dld_shl_load" >&6; } +if test "x$ac_cv_lib_dld_shl_load" = xyes; then : + lt_cv_dlopen=shl_load lt_cv_dlopen_libs=-ldld +else + ac_fn_c_check_func "$LINENO" "dlopen" "ac_cv_func_dlopen" +if test "x$ac_cv_func_dlopen" = xyes; then : + lt_cv_dlopen=dlopen +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 +$as_echo_n "checking for dlopen in -ldl... " >&6; } +if ${ac_cv_lib_dl_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dl_dlopen=yes +else + ac_cv_lib_dl_dlopen=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 +$as_echo "$ac_cv_lib_dl_dlopen" >&6; } +if test "x$ac_cv_lib_dl_dlopen" = xyes; then : + lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5 +$as_echo_n "checking for dlopen in -lsvld... 
" >&6; } +if ${ac_cv_lib_svld_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsvld $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_svld_dlopen=yes +else + ac_cv_lib_svld_dlopen=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5 +$as_echo "$ac_cv_lib_svld_dlopen" >&6; } +if test "x$ac_cv_lib_svld_dlopen" = xyes; then : + lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-lsvld +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5 +$as_echo_n "checking for dld_link in -ldld... " >&6; } +if ${ac_cv_lib_dld_dld_link+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char dld_link (); +int +main () +{ +return dld_link (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dld_dld_link=yes +else + ac_cv_lib_dld_dld_link=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5 +$as_echo "$ac_cv_lib_dld_dld_link" >&6; } +if test "x$ac_cv_lib_dld_dld_link" = xyes; then : + lt_cv_dlopen=dld_link lt_cv_dlopen_libs=-ldld +fi + + +fi + + +fi + + +fi + + +fi + + +fi + + ;; + esac + + if test no = "$lt_cv_dlopen"; then + enable_dlopen=no + else + enable_dlopen=yes + fi + + case $lt_cv_dlopen in + dlopen) + save_CPPFLAGS=$CPPFLAGS + test yes = "$ac_cv_header_dlfcn_h" && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" + + save_LDFLAGS=$LDFLAGS + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" + + save_LIBS=$LIBS + LIBS="$lt_cv_dlopen_libs $LIBS" + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a program can dlopen itself" >&5 +$as_echo_n "checking whether a program can dlopen itself... " >&6; } +if ${lt_cv_dlopen_self+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test yes = "$cross_compiling"; then : + lt_cv_dlopen_self=cross +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +#line $LINENO "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif + +#include + +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif + +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. 
*/ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif + +/* When -fvisibility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. */ +#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif + +int fnord () { return 42; } +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else + { + if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else puts (dlerror ()); + } + /* dlclose (self); */ + } + else + puts (dlerror ()); + + return status; +} +_LT_EOF + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s "conftest$ac_exeext" 2>/dev/null; then + (./conftest; exit; ) >&5 2>/dev/null + lt_status=$? + case x$lt_status in + x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;; + x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;; + x$lt_dlunknown|x*) lt_cv_dlopen_self=no ;; + esac + else : + # compilation failed + lt_cv_dlopen_self=no + fi +fi +rm -fr conftest* + + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self" >&5 +$as_echo "$lt_cv_dlopen_self" >&6; } + + if test yes = "$lt_cv_dlopen_self"; then + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether a statically linked program can dlopen itself" >&5 +$as_echo_n "checking whether a statically linked program can dlopen itself... 
" >&6; } +if ${lt_cv_dlopen_self_static+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test yes = "$cross_compiling"; then : + lt_cv_dlopen_self_static=cross +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +#line $LINENO "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif + +#include + +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif + +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. */ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif + +/* When -fvisibility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. */ +#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif + +int fnord () { return 42; } +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else + { + if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else puts (dlerror ()); + } + /* dlclose (self); */ + } + else + puts (dlerror ()); + + return status; +} +_LT_EOF + if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_link\""; } >&5 + (eval $ac_link) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && test -s "conftest$ac_exeext" 2>/dev/null; then + (./conftest; exit; ) >&5 2>/dev/null + lt_status=$? 
+ case x$lt_status in + x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;; + x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;; + x$lt_dlunknown|x*) lt_cv_dlopen_self_static=no ;; + esac + else : + # compilation failed + lt_cv_dlopen_self_static=no + fi +fi +rm -fr conftest* + + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $lt_cv_dlopen_self_static" >&5 +$as_echo "$lt_cv_dlopen_self_static" >&6; } + fi + + CPPFLAGS=$save_CPPFLAGS + LDFLAGS=$save_LDFLAGS + LIBS=$save_LIBS + ;; + esac + + case $lt_cv_dlopen_self in + yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; + *) enable_dlopen_self=unknown ;; + esac + + case $lt_cv_dlopen_self_static in + yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; + *) enable_dlopen_self_static=unknown ;; + esac +fi + + + + + + + + + + + + + + + + + +striplib= +old_striplib= +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether stripping libraries is possible" >&5 +$as_echo_n "checking whether stripping libraries is possible... " >&6; } +if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then + test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" + test -z "$striplib" && striplib="$STRIP --strip-unneeded" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else +# FIXME - insert some real tests, host_os isn't really good enough + case $host_os in + darwin*) + if test -n "$STRIP"; then + striplib="$STRIP -x" + old_striplib="$STRIP -S" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + ;; + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + ;; + esac +fi + + + + + + + + + + + + + # Report what library types will actually be built + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if libtool supports shared libraries" >&5 +$as_echo_n "checking if libtool supports shared libraries... 
" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $can_build_shared" >&5 +$as_echo "$can_build_shared" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build shared libraries" >&5 +$as_echo_n "checking whether to build shared libraries... " >&6; } + test no = "$can_build_shared" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test yes = "$enable_shared" && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + + aix[4-9]*) + if test ia64 != "$host_cpu"; then + case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in + yes,aix,yes) ;; # shared object as lib.so file only + yes,svr4,*) ;; # shared object as lib.so archive member only + yes,*) enable_static=no ;; # shared object in lib.a archive as well + esac + fi + ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_shared" >&5 +$as_echo "$enable_shared" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to build static libraries" >&5 +$as_echo_n "checking whether to build static libraries... " >&6; } + # Make sure either enable_shared or enable_static is yes. 
+ test yes = "$enable_shared" || enable_static=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $enable_static" >&5 +$as_echo "$enable_static" >&6; } + + + + +fi +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +CC=$lt_save_CC + + + + + + + + + + + + + + + + ac_config_commands="$ac_config_commands libtool" + + + + +# Only expand once: + + + + +LT_DLLOADERS= + + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + +lt_dlload_save_LIBS=$LIBS + +LIBADD_DLOPEN= +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5 +$as_echo_n "checking for library containing dlopen... " >&6; } +if ${ac_cv_search_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +for ac_lib in '' dl; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_dlopen=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_dlopen+:} false; then : + break +fi +done +if ${ac_cv_search_dlopen+:} false; then : + +else + ac_cv_search_dlopen=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5 +$as_echo "$ac_cv_search_dlopen" >&6; } +ac_res=$ac_cv_search_dlopen +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_LIBDL 1" >>confdefs.h + + if test "$ac_cv_search_dlopen" != "none required"; then + LIBADD_DLOPEN=-ldl + fi + libltdl_cv_lib_dl_dlopen=yes + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dlopen.la" +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#if HAVE_DLFCN_H +# include +#endif + +int +main () +{ +dlopen(0, 0); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + +$as_echo "#define HAVE_LIBDL 1" >>confdefs.h + + libltdl_cv_func_dlopen=yes + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dlopen.la" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for dlopen in -lsvld" >&5 +$as_echo_n "checking for dlopen in -lsvld... " >&6; } +if ${ac_cv_lib_svld_dlopen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsvld $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char dlopen (); +int +main () +{ +return dlopen (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_svld_dlopen=yes +else + ac_cv_lib_svld_dlopen=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_svld_dlopen" >&5 +$as_echo "$ac_cv_lib_svld_dlopen" >&6; } +if test "x$ac_cv_lib_svld_dlopen" = xyes; then : + +$as_echo "#define HAVE_LIBDL 1" >>confdefs.h + + LIBADD_DLOPEN=-lsvld libltdl_cv_func_dlopen=yes + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dlopen.la" +fi + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi + +if test yes = "$libltdl_cv_func_dlopen" || test yes = "$libltdl_cv_lib_dl_dlopen" +then + lt_save_LIBS=$LIBS + LIBS="$LIBS $LIBADD_DLOPEN" + for ac_func in dlerror +do : + ac_fn_c_check_func "$LINENO" "dlerror" "ac_cv_func_dlerror" +if test "x$ac_cv_func_dlerror" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_DLERROR 1 +_ACEOF + +fi +done + + LIBS=$lt_save_LIBS +fi + + +LIBADD_SHL_LOAD= +ac_fn_c_check_func "$LINENO" "shl_load" "ac_cv_func_shl_load" +if test "x$ac_cv_func_shl_load" = xyes; then : + +$as_echo "#define HAVE_SHL_LOAD 1" >>confdefs.h + + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}shl_load.la" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shl_load in -ldld" >&5 +$as_echo_n "checking for shl_load in -ldld... " >&6; } +if ${ac_cv_lib_dld_shl_load+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char shl_load (); +int +main () +{ +return shl_load (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dld_shl_load=yes +else + ac_cv_lib_dld_shl_load=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_shl_load" >&5 +$as_echo "$ac_cv_lib_dld_shl_load" >&6; } +if test "x$ac_cv_lib_dld_shl_load" = xyes; then : + +$as_echo "#define HAVE_SHL_LOAD 1" >>confdefs.h + + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}shl_load.la" + LIBADD_SHL_LOAD=-ldld +fi + +fi + + + +case $host_os in +darwin[1567].*) +# We only want this for pre-Mac OS X 10.4. + ac_fn_c_check_func "$LINENO" "_dyld_func_lookup" "ac_cv_func__dyld_func_lookup" +if test "x$ac_cv_func__dyld_func_lookup" = xyes; then : + +$as_echo "#define HAVE_DYLD 1" >>confdefs.h + + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dyld.la" +fi + + ;; +beos*) + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}load_add_on.la" + ;; +cygwin* | mingw* | pw32*) + ac_fn_c_check_decl "$LINENO" "cygwin_conv_path" "ac_cv_have_decl_cygwin_conv_path" "#include +" +if test "x$ac_cv_have_decl_cygwin_conv_path" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_CYGWIN_CONV_PATH $ac_have_decl +_ACEOF + + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}loadlibrary.la" + ;; +esac + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for dld_link in -ldld" >&5 +$as_echo_n "checking for dld_link in -ldld... " >&6; } +if ${ac_cv_lib_dld_dld_link+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldld $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. 
+ Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char dld_link (); +int +main () +{ +return dld_link (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_dld_dld_link=yes +else + ac_cv_lib_dld_dld_link=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dld_dld_link" >&5 +$as_echo "$ac_cv_lib_dld_dld_link" >&6; } +if test "x$ac_cv_lib_dld_dld_link" = xyes; then : + +$as_echo "#define HAVE_DLD 1" >>confdefs.h + + LT_DLLOADERS="$LT_DLLOADERS ${lt_dlopen_dir+$lt_dlopen_dir/}dld_link.la" +fi + + + + +LT_DLPREOPEN= +if test -n "$LT_DLLOADERS" +then + for lt_loader in $LT_DLLOADERS; do + LT_DLPREOPEN="$LT_DLPREOPEN-dlpreopen $lt_loader " + done + +$as_echo "#define HAVE_LIBDLLOADER 1" >>confdefs.h + +fi + + +LIBADD_DL="$LIBADD_DLOPEN $LIBADD_SHL_LOAD" + + +LIBS=$lt_dlload_save_LIBS +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + + + MKINSTALLDIRS= + if test -n "$ac_aux_dir"; then + case "$ac_aux_dir" in + /*) MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs" ;; + *) MKINSTALLDIRS="\$(top_builddir)/$ac_aux_dir/mkinstalldirs" ;; + esac + fi + if test -z "$MKINSTALLDIRS"; then + MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs" + fi + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether NLS is requested" >&5 +$as_echo_n "checking whether NLS is requested... " >&6; } + # Check whether --enable-nls was given. 
+if test "${enable_nls+set}" = set; then : + enableval=$enable_nls; USE_NLS=$enableval +else + USE_NLS=yes +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_NLS" >&5 +$as_echo "$USE_NLS" >&6; } + + + + + + +# Prepare PATH_SEPARATOR. +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi + +# Find out how to test for executable files. Don't use a zero-byte file, +# as systems may use methods other than mode bits to determine executability. +cat >conf$$.file <<_ASEOF +#! /bin/sh +exit 0 +_ASEOF +chmod +x conf$$.file +if test -x conf$$.file >/dev/null 2>&1; then + ac_executable_p="test -x" +else + ac_executable_p="test -f" +fi +rm -f conf$$.file + +# Extract the first word of "msgfmt", so it can be a program name with args. +set dummy msgfmt; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_MSGFMT+:} false; then : + $as_echo_n "(cached) " >&6 +else + case "$MSGFMT" in + [\\/]* | ?:[\\/]*) + ac_cv_path_MSGFMT="$MSGFMT" # Let the user override the test with a path. + ;; + *) + ac_save_IFS="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS="$ac_save_IFS" + test -z "$ac_dir" && ac_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $ac_executable_p "$ac_dir/$ac_word$ac_exec_ext"; then + echo "$as_me: trying $ac_dir/$ac_word..." 
>&5 + if $ac_dir/$ac_word --statistics /dev/null >&5 2>&1 && + (if $ac_dir/$ac_word --statistics /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then + ac_cv_path_MSGFMT="$ac_dir/$ac_word$ac_exec_ext" + break 2 + fi + fi + done + done + IFS="$ac_save_IFS" + test -z "$ac_cv_path_MSGFMT" && ac_cv_path_MSGFMT=":" + ;; +esac +fi +MSGFMT="$ac_cv_path_MSGFMT" +if test "$MSGFMT" != ":"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MSGFMT" >&5 +$as_echo "$MSGFMT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + # Extract the first word of "gmsgfmt", so it can be a program name with args. +set dummy gmsgfmt; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_GMSGFMT+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $GMSGFMT in + [\\/]* | ?:[\\/]*) + ac_cv_path_GMSGFMT="$GMSGFMT" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_GMSGFMT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_GMSGFMT" && ac_cv_path_GMSGFMT="$MSGFMT" + ;; +esac +fi +GMSGFMT=$ac_cv_path_GMSGFMT +if test -n "$GMSGFMT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GMSGFMT" >&5 +$as_echo "$GMSGFMT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + + +# Prepare PATH_SEPARATOR. +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! 
/bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi + +# Find out how to test for executable files. Don't use a zero-byte file, +# as systems may use methods other than mode bits to determine executability. +cat >conf$$.file <<_ASEOF +#! /bin/sh +exit 0 +_ASEOF +chmod +x conf$$.file +if test -x conf$$.file >/dev/null 2>&1; then + ac_executable_p="test -x" +else + ac_executable_p="test -f" +fi +rm -f conf$$.file + +# Extract the first word of "xgettext", so it can be a program name with args. +set dummy xgettext; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_XGETTEXT+:} false; then : + $as_echo_n "(cached) " >&6 +else + case "$XGETTEXT" in + [\\/]* | ?:[\\/]*) + ac_cv_path_XGETTEXT="$XGETTEXT" # Let the user override the test with a path. + ;; + *) + ac_save_IFS="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS="$ac_save_IFS" + test -z "$ac_dir" && ac_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $ac_executable_p "$ac_dir/$ac_word$ac_exec_ext"; then + echo "$as_me: trying $ac_dir/$ac_word..." 
>&5 + if $ac_dir/$ac_word --omit-header --copyright-holder= --msgid-bugs-address= /dev/null >&5 2>&1 && + (if $ac_dir/$ac_word --omit-header --copyright-holder= --msgid-bugs-address= /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then + ac_cv_path_XGETTEXT="$ac_dir/$ac_word$ac_exec_ext" + break 2 + fi + fi + done + done + IFS="$ac_save_IFS" + test -z "$ac_cv_path_XGETTEXT" && ac_cv_path_XGETTEXT=":" + ;; +esac +fi +XGETTEXT="$ac_cv_path_XGETTEXT" +if test "$XGETTEXT" != ":"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XGETTEXT" >&5 +$as_echo "$XGETTEXT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + rm -f messages.po + + +# Prepare PATH_SEPARATOR. +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi + +# Find out how to test for executable files. Don't use a zero-byte file, +# as systems may use methods other than mode bits to determine executability. +cat >conf$$.file <<_ASEOF +#! /bin/sh +exit 0 +_ASEOF +chmod +x conf$$.file +if test -x conf$$.file >/dev/null 2>&1; then + ac_executable_p="test -x" +else + ac_executable_p="test -f" +fi +rm -f conf$$.file + +# Extract the first word of "msgmerge", so it can be a program name with args. +set dummy msgmerge; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_MSGMERGE+:} false; then : + $as_echo_n "(cached) " >&6 +else + case "$MSGMERGE" in + [\\/]* | ?:[\\/]*) + ac_cv_path_MSGMERGE="$MSGMERGE" # Let the user override the test with a path. + ;; + *) + ac_save_IFS="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS="$ac_save_IFS" + test -z "$ac_dir" && ac_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if $ac_executable_p "$ac_dir/$ac_word$ac_exec_ext"; then + echo "$as_me: trying $ac_dir/$ac_word..." >&5 + if $ac_dir/$ac_word --update -q /dev/null /dev/null >&5 2>&1; then + ac_cv_path_MSGMERGE="$ac_dir/$ac_word$ac_exec_ext" + break 2 + fi + fi + done + done + IFS="$ac_save_IFS" + test -z "$ac_cv_path_MSGMERGE" && ac_cv_path_MSGMERGE=":" + ;; +esac +fi +MSGMERGE="$ac_cv_path_MSGMERGE" +if test "$MSGMERGE" != ":"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MSGMERGE" >&5 +$as_echo "$MSGMERGE" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test "$GMSGFMT" != ":"; then + if $GMSGFMT --statistics /dev/null >/dev/null 2>&1 && + (if $GMSGFMT --statistics /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then + : ; + else + GMSGFMT=`echo "$GMSGFMT" | sed -e 's,^.*/,,'` + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found $GMSGFMT program is not GNU msgfmt; ignore it" >&5 +$as_echo "found $GMSGFMT program is not GNU msgfmt; ignore it" >&6; } + GMSGFMT=":" + fi + fi + + if test "$XGETTEXT" != ":"; then + if $XGETTEXT --omit-header --copyright-holder= --msgid-bugs-address= /dev/null >/dev/null 2>&1 && + (if $XGETTEXT --omit-header --copyright-holder= --msgid-bugs-address= /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then + : ; + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found xgettext program is not GNU xgettext; ignore it" >&5 +$as_echo "found xgettext program is not GNU xgettext; ignore it" >&6; } + XGETTEXT=":" + fi + rm -f messages.po + fi + + ac_config_commands="$ac_config_commands default-1" + + + + if test "X$prefix" = "XNONE"; then + acl_final_prefix="$ac_default_prefix" + else + acl_final_prefix="$prefix" + fi + if test "X$exec_prefix" = "XNONE"; then + acl_final_exec_prefix='${prefix}' + else + acl_final_exec_prefix="$exec_prefix" + fi + 
acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + eval acl_final_exec_prefix=\"$acl_final_exec_prefix\" + prefix="$acl_save_prefix" + + +# Check whether --with-gnu-ld was given. +if test "${with_gnu_ld+set}" = set; then : + withval=$with_gnu_ld; test "$withval" = no || with_gnu_ld=yes +else + with_gnu_ld=no +fi + +# Prepare PATH_SEPARATOR. +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi +ac_prog=ld +if test "$GCC" = yes; then + # Check if gcc -print-prog-name=ld gives a path. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ld used by GCC" >&5 +$as_echo_n "checking for ld used by GCC... " >&6; } + case $host in + *-*-mingw*) + # gcc leaves a trailing carriage return which upsets mingw + ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; + *) + ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; + esac + case $ac_prog in + # Accept absolute paths. + [\\/]* | [A-Za-z]:[\\/]*) + re_direlt='/[^/][^/]*/\.\./' + # Canonicalize the path of ld + ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'` + while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do + ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"` + done + test -z "$LD" && LD="$ac_prog" + ;; + "") + # If it fails, then pretend we aren't using GCC. + ac_prog=ld + ;; + *) + # If it is relative, then search for the first ld in PATH. + with_gnu_ld=unknown + ;; + esac +elif test "$with_gnu_ld" = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU ld" >&5 +$as_echo_n "checking for GNU ld... " >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for non-GNU ld" >&5 +$as_echo_n "checking for non-GNU ld... 
" >&6; } +fi +if ${acl_cv_path_LD+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -z "$LD"; then + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}" + for ac_dir in $PATH; do + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then + acl_cv_path_LD="$ac_dir/$ac_prog" + # Check to see if the program is GNU ld. I'd rather use --version, + # but apparently some GNU ld's only accept -v. + # Break only if it was the GNU/non-GNU ld that we prefer. + case `"$acl_cv_path_LD" -v 2>&1 < /dev/null` in + *GNU* | *'with BFD'*) + test "$with_gnu_ld" != no && break ;; + *) + test "$with_gnu_ld" != yes && break ;; + esac + fi + done + IFS="$ac_save_ifs" +else + acl_cv_path_LD="$LD" # Let the user override the test with a path. +fi +fi + +LD="$acl_cv_path_LD" +if test -n "$LD"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LD" >&5 +$as_echo "$LD" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +test -z "$LD" && as_fn_error $? "no acceptable ld found in \$PATH" "$LINENO" 5 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if the linker ($LD) is GNU ld" >&5 +$as_echo_n "checking if the linker ($LD) is GNU ld... " >&6; } +if ${acl_cv_prog_gnu_ld+:} false; then : + $as_echo_n "(cached) " >&6 +else + # I'd rather use --version here, but apparently some GNU ld's only accept -v. +case `$LD -v 2>&1 &5 +$as_echo "$acl_cv_prog_gnu_ld" >&6; } +with_gnu_ld=$acl_cv_prog_gnu_ld + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for shared library run path origin" >&5 +$as_echo_n "checking for shared library run path origin... " >&6; } +if ${acl_cv_rpath+:} false; then : + $as_echo_n "(cached) " >&6 +else + + CC="$CC" GCC="$GCC" LDFLAGS="$LDFLAGS" LD="$LD" with_gnu_ld="$with_gnu_ld" \ + ${CONFIG_SHELL-/bin/sh} "$ac_aux_dir/config.rpath" "$host" > conftest.sh + . 
./conftest.sh + rm -f ./conftest.sh + acl_cv_rpath=done + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $acl_cv_rpath" >&5 +$as_echo "$acl_cv_rpath" >&6; } + wl="$acl_cv_wl" + libext="$acl_cv_libext" + shlibext="$acl_cv_shlibext" + hardcode_libdir_flag_spec="$acl_cv_hardcode_libdir_flag_spec" + hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator" + hardcode_direct="$acl_cv_hardcode_direct" + hardcode_minus_L="$acl_cv_hardcode_minus_L" + # Check whether --enable-rpath was given. +if test "${enable_rpath+set}" = set; then : + enableval=$enable_rpath; : +else + enable_rpath=yes +fi + + + + + + + + + use_additional=yes + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + +# Check whether --with-libiconv-prefix was given. +if test "${with_libiconv_prefix+set}" = set; then : + withval=$with_libiconv_prefix; + if test "X$withval" = "Xno"; then + use_additional=no + else + if test "X$withval" = "X"; then + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + else + additional_includedir="$withval/include" + additional_libdir="$withval/lib" + fi + fi + +fi + + LIBICONV= + LTLIBICONV= + INCICONV= + rpathdirs= + ltrpathdirs= + names_already_handled= + names_next_round='iconv ' + while test -n "$names_next_round"; do + names_this_round="$names_next_round" + names_next_round= + for name in $names_this_round; do + already_handled= + for n in $names_already_handled; do + if test "$n" = "$name"; then + already_handled=yes + break + fi + done + if test -z "$already_handled"; then + 
names_already_handled="$names_already_handled $name" + uppername=`echo "$name" | sed -e 'y|abcdefghijklmnopqrstuvwxyz./-|ABCDEFGHIJKLMNOPQRSTUVWXYZ___|'` + eval value=\"\$HAVE_LIB$uppername\" + if test -n "$value"; then + if test "$value" = yes; then + eval value=\"\$LIB$uppername\" + test -z "$value" || LIBICONV="${LIBICONV}${LIBICONV:+ }$value" + eval value=\"\$LTLIB$uppername\" + test -z "$value" || LTLIBICONV="${LTLIBICONV}${LTLIBICONV:+ }$value" + else + : + fi + else + found_dir= + found_la= + found_so= + found_a= + if test $use_additional = yes; then + if test -n "$shlibext" && test -f "$additional_libdir/lib$name.$shlibext"; then + found_dir="$additional_libdir" + found_so="$additional_libdir/lib$name.$shlibext" + if test -f "$additional_libdir/lib$name.la"; then + found_la="$additional_libdir/lib$name.la" + fi + else + if test -f "$additional_libdir/lib$name.$libext"; then + found_dir="$additional_libdir" + found_a="$additional_libdir/lib$name.$libext" + if test -f "$additional_libdir/lib$name.la"; then + found_la="$additional_libdir/lib$name.la" + fi + fi + fi + fi + if test "X$found_dir" = "X"; then + for x in $LDFLAGS $LTLIBICONV; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + case "$x" in + -L*) + dir=`echo "X$x" | sed -e 's/^X-L//'` + if test -n "$shlibext" && test -f "$dir/lib$name.$shlibext"; then + found_dir="$dir" + found_so="$dir/lib$name.$shlibext" + if test -f "$dir/lib$name.la"; then + found_la="$dir/lib$name.la" + fi + else + if test -f "$dir/lib$name.$libext"; then + found_dir="$dir" + found_a="$dir/lib$name.$libext" + if test -f "$dir/lib$name.la"; then + found_la="$dir/lib$name.la" + fi + fi + fi + ;; + esac + if test "X$found_dir" != "X"; then + break + fi + done + fi + if test "X$found_dir" != "X"; then + LTLIBICONV="${LTLIBICONV}${LTLIBICONV:+ }-L$found_dir 
-l$name" + if test "X$found_so" != "X"; then + if test "$enable_rpath" = no || test "X$found_dir" = "X/usr/lib"; then + LIBICONV="${LIBICONV}${LIBICONV:+ }$found_so" + else + haveit= + for x in $ltrpathdirs; do + if test "X$x" = "X$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + ltrpathdirs="$ltrpathdirs $found_dir" + fi + if test "$hardcode_direct" = yes; then + LIBICONV="${LIBICONV}${LIBICONV:+ }$found_so" + else + if test -n "$hardcode_libdir_flag_spec" && test "$hardcode_minus_L" = no; then + LIBICONV="${LIBICONV}${LIBICONV:+ }$found_so" + haveit= + for x in $rpathdirs; do + if test "X$x" = "X$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + rpathdirs="$rpathdirs $found_dir" + fi + else + haveit= + for x in $LDFLAGS $LIBICONV; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + LIBICONV="${LIBICONV}${LIBICONV:+ }-L$found_dir" + fi + if test "$hardcode_minus_L" != no; then + LIBICONV="${LIBICONV}${LIBICONV:+ }$found_so" + else + LIBICONV="${LIBICONV}${LIBICONV:+ }-l$name" + fi + fi + fi + fi + else + if test "X$found_a" != "X"; then + LIBICONV="${LIBICONV}${LIBICONV:+ }$found_a" + else + LIBICONV="${LIBICONV}${LIBICONV:+ }-L$found_dir -l$name" + fi + fi + additional_includedir= + case "$found_dir" in + */lib | */lib/) + basedir=`echo "X$found_dir" | sed -e 's,^X,,' -e 's,/lib/*$,,'` + additional_includedir="$basedir/include" + ;; + esac + if test "X$additional_includedir" != "X"; then + if test "X$additional_includedir" != "X/usr/include"; then + haveit= + if test "X$additional_includedir" = "X/usr/local/include"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if 
test -z "$haveit"; then + for x in $CPPFLAGS $INCICONV; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-I$additional_includedir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_includedir"; then + INCICONV="${INCICONV}${INCICONV:+ }-I$additional_includedir" + fi + fi + fi + fi + fi + if test -n "$found_la"; then + save_libdir="$libdir" + case "$found_la" in + */* | *\\*) . "$found_la" ;; + *) . "./$found_la" ;; + esac + libdir="$save_libdir" + for dep in $dependency_libs; do + case "$dep" in + -L*) + additional_libdir=`echo "X$dep" | sed -e 's/^X-L//'` + if test "X$additional_libdir" != "X/usr/lib"; then + haveit= + if test "X$additional_libdir" = "X/usr/local/lib"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + haveit= + for x in $LDFLAGS $LIBICONV; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LIBICONV="${LIBICONV}${LIBICONV:+ }-L$additional_libdir" + fi + fi + haveit= + for x in $LDFLAGS $LTLIBICONV; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LTLIBICONV="${LTLIBICONV}${LTLIBICONV:+ 
}-L$additional_libdir" + fi + fi + fi + fi + ;; + -R*) + dir=`echo "X$dep" | sed -e 's/^X-R//'` + if test "$enable_rpath" != no; then + haveit= + for x in $rpathdirs; do + if test "X$x" = "X$dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + rpathdirs="$rpathdirs $dir" + fi + haveit= + for x in $ltrpathdirs; do + if test "X$x" = "X$dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + ltrpathdirs="$ltrpathdirs $dir" + fi + fi + ;; + -l*) + names_next_round="$names_next_round "`echo "X$dep" | sed -e 's/^X-l//'` + ;; + *.la) + names_next_round="$names_next_round "`echo "X$dep" | sed -e 's,^X.*/,,' -e 's,^lib,,' -e 's,\.la$,,'` + ;; + *) + LIBICONV="${LIBICONV}${LIBICONV:+ }$dep" + LTLIBICONV="${LTLIBICONV}${LTLIBICONV:+ }$dep" + ;; + esac + done + fi + else + LIBICONV="${LIBICONV}${LIBICONV:+ }-l$name" + LTLIBICONV="${LTLIBICONV}${LTLIBICONV:+ }-l$name" + fi + fi + fi + done + done + if test "X$rpathdirs" != "X"; then + if test -n "$hardcode_libdir_separator"; then + alldirs= + for found_dir in $rpathdirs; do + alldirs="${alldirs}${alldirs:+$hardcode_libdir_separator}$found_dir" + done + acl_save_libdir="$libdir" + libdir="$alldirs" + eval flag=\"$hardcode_libdir_flag_spec\" + libdir="$acl_save_libdir" + LIBICONV="${LIBICONV}${LIBICONV:+ }$flag" + else + for found_dir in $rpathdirs; do + acl_save_libdir="$libdir" + libdir="$found_dir" + eval flag=\"$hardcode_libdir_flag_spec\" + libdir="$acl_save_libdir" + LIBICONV="${LIBICONV}${LIBICONV:+ }$flag" + done + fi + fi + if test "X$ltrpathdirs" != "X"; then + for found_dir in $ltrpathdirs; do + LTLIBICONV="${LTLIBICONV}${LTLIBICONV:+ }-R$found_dir" + done + fi + + + + + + + + + + + + + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CFPreferencesCopyAppValue" >&5 +$as_echo_n "checking for CFPreferencesCopyAppValue... 
" >&6; } +if ${gt_cv_func_CFPreferencesCopyAppValue+:} false; then : + $as_echo_n "(cached) " >&6 +else + gt_save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I/System/Library/Frameworks/CoreFoundation.framework/Headers" + gt_save_LIBS="$LIBS" + LIBS="$LIBS -framework CoreFoundation" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +CFPreferencesCopyAppValue(NULL, NULL) + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + gt_cv_func_CFPreferencesCopyAppValue=yes +else + gt_cv_func_CFPreferencesCopyAppValue=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CPPFLAGS="$gt_save_CPPFLAGS" + LIBS="$gt_save_LIBS" +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gt_cv_func_CFPreferencesCopyAppValue" >&5 +$as_echo "$gt_cv_func_CFPreferencesCopyAppValue" >&6; } + if test $gt_cv_func_CFPreferencesCopyAppValue = yes; then + +$as_echo "#define HAVE_CFPREFERENCESCOPYAPPVALUE 1" >>confdefs.h + + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CFLocaleCopyCurrent" >&5 +$as_echo_n "checking for CFLocaleCopyCurrent... " >&6; } +if ${gt_cv_func_CFLocaleCopyCurrent+:} false; then : + $as_echo_n "(cached) " >&6 +else + gt_save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I/System/Library/Frameworks/CoreFoundation.framework/Headers" + gt_save_LIBS="$LIBS" + LIBS="$LIBS -framework CoreFoundation" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +int +main () +{ +CFLocaleCopyCurrent(); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + gt_cv_func_CFLocaleCopyCurrent=yes +else + gt_cv_func_CFLocaleCopyCurrent=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + CPPFLAGS="$gt_save_CPPFLAGS" + LIBS="$gt_save_LIBS" +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gt_cv_func_CFLocaleCopyCurrent" >&5 +$as_echo "$gt_cv_func_CFLocaleCopyCurrent" >&6; } + if test $gt_cv_func_CFLocaleCopyCurrent = yes; then + +$as_echo "#define HAVE_CFLOCALECOPYCURRENT 1" >>confdefs.h + + fi + INTL_MACOSX_LIBS= + if test $gt_cv_func_CFPreferencesCopyAppValue = yes || test $gt_cv_func_CFLocaleCopyCurrent = yes; then + INTL_MACOSX_LIBS="-Wl,-framework -Wl,CoreFoundation" + fi + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether NLS is requested" >&5 +$as_echo_n "checking whether NLS is requested... " >&6; } + # Check whether --enable-nls was given. +if test "${enable_nls+set}" = set; then : + enableval=$enable_nls; USE_NLS=$enableval +else + USE_NLS=yes +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_NLS" >&5 +$as_echo "$USE_NLS" >&6; } + + + + + LIBINTL= + LTLIBINTL= + POSUB= + + if test "$USE_NLS" = "yes"; then + gt_use_preinstalled_gnugettext=no + + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU gettext in libc" >&5 +$as_echo_n "checking for GNU gettext in libc... " >&6; } +if ${gt_cv_func_gnugettext1_libc+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +extern int _nl_msg_cat_cntr; +extern int *_nl_domain_bindings; +int +main () +{ +bindtextdomain ("", ""); +return * gettext ("") + _nl_msg_cat_cntr + *_nl_domain_bindings + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + gt_cv_func_gnugettext1_libc=yes +else + gt_cv_func_gnugettext1_libc=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gt_cv_func_gnugettext1_libc" >&5 +$as_echo "$gt_cv_func_gnugettext1_libc" >&6; } + + if test "$gt_cv_func_gnugettext1_libc" != "yes"; then + + + + + + am_save_CPPFLAGS="$CPPFLAGS" + + for element in $INCICONV; do + haveit= + for x in $CPPFLAGS; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X$element"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }$element" + fi + done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for iconv" >&5 +$as_echo_n "checking for iconv... " >&6; } +if ${am_cv_func_iconv+:} false; then : + $as_echo_n "(cached) " >&6 +else + + am_cv_func_iconv="no, consider installing GNU libiconv" + am_cv_lib_iconv=no + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +#include +int +main () +{ +iconv_t cd = iconv_open("",""); + iconv(cd,NULL,NULL,NULL,NULL); + iconv_close(cd); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + am_cv_func_iconv=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + if test "$am_cv_func_iconv" != yes; then + am_save_LIBS="$LIBS" + LIBS="$LIBS $LIBICONV" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +#include +int +main () +{ +iconv_t cd = iconv_open("",""); + iconv(cd,NULL,NULL,NULL,NULL); + iconv_close(cd); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + am_cv_lib_iconv=yes + am_cv_func_iconv=yes +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS="$am_save_LIBS" + fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_func_iconv" >&5 +$as_echo "$am_cv_func_iconv" >&6; } + if test "$am_cv_func_iconv" = yes; then + +$as_echo "#define HAVE_ICONV 1" >>confdefs.h + + fi + if test "$am_cv_lib_iconv" = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to link with libiconv" >&5 +$as_echo_n "checking how to link with libiconv... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBICONV" >&5 +$as_echo "$LIBICONV" >&6; } + else + CPPFLAGS="$am_save_CPPFLAGS" + LIBICONV= + LTLIBICONV= + fi + + + + + + + use_additional=yes + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + +# Check whether --with-libintl-prefix was given. 
+if test "${with_libintl_prefix+set}" = set; then : + withval=$with_libintl_prefix; + if test "X$withval" = "Xno"; then + use_additional=no + else + if test "X$withval" = "X"; then + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_includedir=\"$includedir\" + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + else + additional_includedir="$withval/include" + additional_libdir="$withval/lib" + fi + fi + +fi + + LIBINTL= + LTLIBINTL= + INCINTL= + rpathdirs= + ltrpathdirs= + names_already_handled= + names_next_round='intl ' + while test -n "$names_next_round"; do + names_this_round="$names_next_round" + names_next_round= + for name in $names_this_round; do + already_handled= + for n in $names_already_handled; do + if test "$n" = "$name"; then + already_handled=yes + break + fi + done + if test -z "$already_handled"; then + names_already_handled="$names_already_handled $name" + uppername=`echo "$name" | sed -e 'y|abcdefghijklmnopqrstuvwxyz./-|ABCDEFGHIJKLMNOPQRSTUVWXYZ___|'` + eval value=\"\$HAVE_LIB$uppername\" + if test -n "$value"; then + if test "$value" = yes; then + eval value=\"\$LIB$uppername\" + test -z "$value" || LIBINTL="${LIBINTL}${LIBINTL:+ }$value" + eval value=\"\$LTLIB$uppername\" + test -z "$value" || LTLIBINTL="${LTLIBINTL}${LTLIBINTL:+ }$value" + else + : + fi + else + found_dir= + found_la= + found_so= + found_a= + if test $use_additional = yes; then + if test -n "$shlibext" && test -f "$additional_libdir/lib$name.$shlibext"; then + found_dir="$additional_libdir" + found_so="$additional_libdir/lib$name.$shlibext" + if test -f "$additional_libdir/lib$name.la"; then + found_la="$additional_libdir/lib$name.la" + fi + else + if test -f "$additional_libdir/lib$name.$libext"; then + found_dir="$additional_libdir" + found_a="$additional_libdir/lib$name.$libext" + if test -f 
"$additional_libdir/lib$name.la"; then + found_la="$additional_libdir/lib$name.la" + fi + fi + fi + fi + if test "X$found_dir" = "X"; then + for x in $LDFLAGS $LTLIBINTL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + case "$x" in + -L*) + dir=`echo "X$x" | sed -e 's/^X-L//'` + if test -n "$shlibext" && test -f "$dir/lib$name.$shlibext"; then + found_dir="$dir" + found_so="$dir/lib$name.$shlibext" + if test -f "$dir/lib$name.la"; then + found_la="$dir/lib$name.la" + fi + else + if test -f "$dir/lib$name.$libext"; then + found_dir="$dir" + found_a="$dir/lib$name.$libext" + if test -f "$dir/lib$name.la"; then + found_la="$dir/lib$name.la" + fi + fi + fi + ;; + esac + if test "X$found_dir" != "X"; then + break + fi + done + fi + if test "X$found_dir" != "X"; then + LTLIBINTL="${LTLIBINTL}${LTLIBINTL:+ }-L$found_dir -l$name" + if test "X$found_so" != "X"; then + if test "$enable_rpath" = no || test "X$found_dir" = "X/usr/lib"; then + LIBINTL="${LIBINTL}${LIBINTL:+ }$found_so" + else + haveit= + for x in $ltrpathdirs; do + if test "X$x" = "X$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + ltrpathdirs="$ltrpathdirs $found_dir" + fi + if test "$hardcode_direct" = yes; then + LIBINTL="${LIBINTL}${LIBINTL:+ }$found_so" + else + if test -n "$hardcode_libdir_flag_spec" && test "$hardcode_minus_L" = no; then + LIBINTL="${LIBINTL}${LIBINTL:+ }$found_so" + haveit= + for x in $rpathdirs; do + if test "X$x" = "X$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + rpathdirs="$rpathdirs $found_dir" + fi + else + haveit= + for x in $LDFLAGS $LIBINTL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + 
prefix="$acl_save_prefix" + + if test "X$x" = "X-L$found_dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + LIBINTL="${LIBINTL}${LIBINTL:+ }-L$found_dir" + fi + if test "$hardcode_minus_L" != no; then + LIBINTL="${LIBINTL}${LIBINTL:+ }$found_so" + else + LIBINTL="${LIBINTL}${LIBINTL:+ }-l$name" + fi + fi + fi + fi + else + if test "X$found_a" != "X"; then + LIBINTL="${LIBINTL}${LIBINTL:+ }$found_a" + else + LIBINTL="${LIBINTL}${LIBINTL:+ }-L$found_dir -l$name" + fi + fi + additional_includedir= + case "$found_dir" in + */lib | */lib/) + basedir=`echo "X$found_dir" | sed -e 's,^X,,' -e 's,/lib/*$,,'` + additional_includedir="$basedir/include" + ;; + esac + if test "X$additional_includedir" != "X"; then + if test "X$additional_includedir" != "X/usr/include"; then + haveit= + if test "X$additional_includedir" = "X/usr/local/include"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + for x in $CPPFLAGS $INCINTL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-I$additional_includedir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_includedir"; then + INCINTL="${INCINTL}${INCINTL:+ }-I$additional_includedir" + fi + fi + fi + fi + fi + if test -n "$found_la"; then + save_libdir="$libdir" + case "$found_la" in + */* | *\\*) . "$found_la" ;; + *) . 
"./$found_la" ;; + esac + libdir="$save_libdir" + for dep in $dependency_libs; do + case "$dep" in + -L*) + additional_libdir=`echo "X$dep" | sed -e 's/^X-L//'` + if test "X$additional_libdir" != "X/usr/lib"; then + haveit= + if test "X$additional_libdir" = "X/usr/local/lib"; then + if test -n "$GCC"; then + case $host_os in + linux* | gnu* | k*bsd*-gnu) haveit=yes;; + esac + fi + fi + if test -z "$haveit"; then + haveit= + for x in $LDFLAGS $LIBINTL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LIBINTL="${LIBINTL}${LIBINTL:+ }-L$additional_libdir" + fi + fi + haveit= + for x in $LDFLAGS $LTLIBINTL; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X-L$additional_libdir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + if test -d "$additional_libdir"; then + LTLIBINTL="${LTLIBINTL}${LTLIBINTL:+ }-L$additional_libdir" + fi + fi + fi + fi + ;; + -R*) + dir=`echo "X$dep" | sed -e 's/^X-R//'` + if test "$enable_rpath" != no; then + haveit= + for x in $rpathdirs; do + if test "X$x" = "X$dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + rpathdirs="$rpathdirs $dir" + fi + haveit= + for x in $ltrpathdirs; do + if test "X$x" = "X$dir"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + ltrpathdirs="$ltrpathdirs $dir" + fi + fi + ;; + -l*) + names_next_round="$names_next_round "`echo "X$dep" | sed -e 's/^X-l//'` + ;; + *.la) + names_next_round="$names_next_round "`echo "X$dep" | sed -e 's,^X.*/,,' -e 
's,^lib,,' -e 's,\.la$,,'` + ;; + *) + LIBINTL="${LIBINTL}${LIBINTL:+ }$dep" + LTLIBINTL="${LTLIBINTL}${LTLIBINTL:+ }$dep" + ;; + esac + done + fi + else + LIBINTL="${LIBINTL}${LIBINTL:+ }-l$name" + LTLIBINTL="${LTLIBINTL}${LTLIBINTL:+ }-l$name" + fi + fi + fi + done + done + if test "X$rpathdirs" != "X"; then + if test -n "$hardcode_libdir_separator"; then + alldirs= + for found_dir in $rpathdirs; do + alldirs="${alldirs}${alldirs:+$hardcode_libdir_separator}$found_dir" + done + acl_save_libdir="$libdir" + libdir="$alldirs" + eval flag=\"$hardcode_libdir_flag_spec\" + libdir="$acl_save_libdir" + LIBINTL="${LIBINTL}${LIBINTL:+ }$flag" + else + for found_dir in $rpathdirs; do + acl_save_libdir="$libdir" + libdir="$found_dir" + eval flag=\"$hardcode_libdir_flag_spec\" + libdir="$acl_save_libdir" + LIBINTL="${LIBINTL}${LIBINTL:+ }$flag" + done + fi + fi + if test "X$ltrpathdirs" != "X"; then + for found_dir in $ltrpathdirs; do + LTLIBINTL="${LTLIBINTL}${LTLIBINTL:+ }-R$found_dir" + done + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU gettext in libintl" >&5 +$as_echo_n "checking for GNU gettext in libintl... " >&6; } +if ${gt_cv_func_gnugettext1_libintl+:} false; then : + $as_echo_n "(cached) " >&6 +else + gt_save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS $INCINTL" + gt_save_LIBS="$LIBS" + LIBS="$LIBS $LIBINTL" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +extern int _nl_msg_cat_cntr; +extern +#ifdef __cplusplus +"C" +#endif +const char *_nl_expand_alias (const char *); +int +main () +{ +bindtextdomain ("", ""); +return * gettext ("") + _nl_msg_cat_cntr + *_nl_expand_alias ("") + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + gt_cv_func_gnugettext1_libintl=yes +else + gt_cv_func_gnugettext1_libintl=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + if test "$gt_cv_func_gnugettext1_libintl" != yes && test -n "$LIBICONV"; then + LIBS="$LIBS $LIBICONV" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +extern int _nl_msg_cat_cntr; +extern +#ifdef __cplusplus +"C" +#endif +const char *_nl_expand_alias (const char *); +int +main () +{ +bindtextdomain ("", ""); +return * gettext ("") + _nl_msg_cat_cntr + *_nl_expand_alias ("") + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + LIBINTL="$LIBINTL $LIBICONV" + LTLIBINTL="$LTLIBINTL $LTLIBICONV" + gt_cv_func_gnugettext1_libintl=yes + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + fi + CPPFLAGS="$gt_save_CPPFLAGS" + LIBS="$gt_save_LIBS" +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $gt_cv_func_gnugettext1_libintl" >&5 +$as_echo "$gt_cv_func_gnugettext1_libintl" >&6; } + fi + + if test "$gt_cv_func_gnugettext1_libc" = "yes" \ + || { test "$gt_cv_func_gnugettext1_libintl" = "yes" \ + && test "$PACKAGE" != gettext-runtime \ + && test "$PACKAGE" != gettext-tools; }; then + gt_use_preinstalled_gnugettext=yes + else + LIBINTL= + LTLIBINTL= + INCINTL= + fi + + + + if test -n "$INTL_MACOSX_LIBS"; then + if test "$gt_use_preinstalled_gnugettext" = "yes" \ + || test "$nls_cv_use_gnu_gettext" = "yes"; then + LIBINTL="$LIBINTL $INTL_MACOSX_LIBS" + LTLIBINTL="$LTLIBINTL $INTL_MACOSX_LIBS" + fi + fi + + if test "$gt_use_preinstalled_gnugettext" = "yes" \ + || test "$nls_cv_use_gnu_gettext" = "yes"; then + +$as_echo 
"#define ENABLE_NLS 1" >>confdefs.h + + else + USE_NLS=no + fi + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use NLS" >&5 +$as_echo_n "checking whether to use NLS... " >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $USE_NLS" >&5 +$as_echo "$USE_NLS" >&6; } + if test "$USE_NLS" = "yes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking where the gettext function comes from" >&5 +$as_echo_n "checking where the gettext function comes from... " >&6; } + if test "$gt_use_preinstalled_gnugettext" = "yes"; then + if test "$gt_cv_func_gnugettext1_libintl" = "yes"; then + gt_source="external libintl" + else + gt_source="libc" + fi + else + gt_source="included intl directory" + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $gt_source" >&5 +$as_echo "$gt_source" >&6; } + fi + + if test "$USE_NLS" = "yes"; then + + if test "$gt_use_preinstalled_gnugettext" = "yes"; then + if test "$gt_cv_func_gnugettext1_libintl" = "yes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to link with libintl" >&5 +$as_echo_n "checking how to link with libintl... 
" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LIBINTL" >&5 +$as_echo "$LIBINTL" >&6; } + + for element in $INCINTL; do + haveit= + for x in $CPPFLAGS; do + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + eval x=\"$x\" + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + if test "X$x" = "X$element"; then + haveit=yes + break + fi + done + if test -z "$haveit"; then + CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }$element" + fi + done + + fi + + +$as_echo "#define HAVE_GETTEXT 1" >>confdefs.h + + +$as_echo "#define HAVE_DCGETTEXT 1" >>confdefs.h + + fi + + POSUB=po + fi + + + + INTLLIBS="$LIBINTL" + + + + + + + + + + + +$as_echo "#define PRERELEASE_VERSION \"\"" >>confdefs.h + + + if git log -1 >/dev/null 2>&1; then + GIT_CHECKOUT_TRUE= + GIT_CHECKOUT_FALSE='#' +else + GIT_CHECKOUT_TRUE='#' + GIT_CHECKOUT_FALSE= +fi + + +# Check whether --enable-silent-rules was given. +if test "${enable_silent_rules+set}" = set; then : + enableval=$enable_silent_rules; +fi + +case $enable_silent_rules in # ((( + yes) AM_DEFAULT_VERBOSITY=0;; + no) AM_DEFAULT_VERBOSITY=1;; + *) AM_DEFAULT_VERBOSITY=1;; +esac +am_make=${MAKE-make} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $am_make supports nested variables" >&5 +$as_echo_n "checking whether $am_make supports nested variables... 
" >&6; } +if ${am_cv_make_support_nested_variables+:} false; then : + $as_echo_n "(cached) " >&6 +else + if $as_echo 'TRUE=$(BAR$(V)) +BAR0=false +BAR1=true +V=1 +am__doit: + @$(TRUE) +.PHONY: am__doit' | $am_make -f - >/dev/null 2>&1; then + am_cv_make_support_nested_variables=yes +else + am_cv_make_support_nested_variables=no +fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_make_support_nested_variables" >&5 +$as_echo "$am_cv_make_support_nested_variables" >&6; } +if test $am_cv_make_support_nested_variables = yes; then + AM_V='$(V)' + AM_DEFAULT_V='$(AM_DEFAULT_VERBOSITY)' +else + AM_V=$AM_DEFAULT_VERBOSITY + AM_DEFAULT_V=$AM_DEFAULT_VERBOSITY +fi +AM_BACKSLASH='\' + + + if test "$ac_cv_c_compiler_gnu" = yes; then + HAVE_GCC_TRUE= + HAVE_GCC_FALSE='#' +else + HAVE_GCC_TRUE='#' + HAVE_GCC_FALSE= +fi + + +for ac_header in stdint.h dlfcn.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +ac_config_headers="$ac_config_headers config.h" + + +ac_fn_c_check_type "$LINENO" "errno_t" "ac_cv_type_errno_t" "#include +" +if test "x$ac_cv_type_errno_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_ERRNO_T 1 +_ACEOF + + +fi + + + + + + if test x$with_aux_info = xyes; then + WANT_AUX_INFO_TRUE= + WANT_AUX_INFO_FALSE='#' +else + WANT_AUX_INFO_TRUE='#' + WANT_AUX_INFO_FALSE= +fi + + + + + + + +# Check whether --with-shared-build-dir was given. 
+if test "${with_shared_build_dir+set}" = set; then : + withval=$with_shared_build_dir; +fi + + + sharedbuilddir="$srcdir/sharedbuild" + if test x"$with_shared_build_dir" != x; then + sharedbuilddir=$with_shared_build_dir + CFLAGS="$CFLAGS -I$with_shared_build_dir/include" + CPPFLAGS="$CPPFLAGS -I$with_shared_build_dir/include" + LDFLAGS="$LDFLAGS -L$with_shared_build_dir/lib" + fi + + + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; + (void) m; /* unused */ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +$as_echo "#define HAVE_PTHREAD 1" >>confdefs.h + + HAVE_PTHREAD=1 + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Pthread library not found! Clients will not be thread safe..." >&5 +$as_echo "$as_me: WARNING: Pthread library not found! Clients will not be thread safe..." >&2;} +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + + if test x"$HAVE_PTHREAD" != "x"; then + HAVE_PTHREAD_TRUE= + HAVE_PTHREAD_FALSE='#' +else + HAVE_PTHREAD_TRUE='#' + HAVE_PTHREAD_FALSE= +fi + + +# Check library for the timer_create function +SAVE_LIBS=$LIBS +LIBS= +LIBADD_TIMER= +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing timer_create" >&5 +$as_echo_n "checking for library containing timer_create... " >&6; } +if ${ac_cv_search_timer_create+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char timer_create (); +int +main () +{ +return timer_create (); + ; + return 0; +} +_ACEOF +for ac_lib in '' rt posix4; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_timer_create=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_timer_create+:} false; then : + break +fi +done +if ${ac_cv_search_timer_create+:} false; then : + +else + ac_cv_search_timer_create=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_timer_create" >&5 +$as_echo "$ac_cv_search_timer_create" >&6; } +ac_res=$ac_cv_search_timer_create +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_LIBRT 1" >>confdefs.h + + LIBADD_TIMER="$LIBS" +else + as_fn_error $? "unable to find library fot the timer_create() function" "$LINENO" 5 +fi + + + +LIBS=$SAVE_LIBS + +# Check library for the clock_gettime function +SAVE_LIBS=$LIBS +LIBS= +LIBCLOCK_GETTIME= +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5 +$as_echo_n "checking for library containing clock_gettime... " >&6; } +if ${ac_cv_search_clock_gettime+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_func_search_save_LIBS=$LIBS +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char clock_gettime (); +int +main () +{ +return clock_gettime (); + ; + return 0; +} +_ACEOF +for ac_lib in '' rt posix4; do + if test -z "$ac_lib"; then + ac_res="none required" + else + ac_res=-l$ac_lib + LIBS="-l$ac_lib $ac_func_search_save_LIBS" + fi + if ac_fn_c_try_link "$LINENO"; then : + ac_cv_search_clock_gettime=$ac_res +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext + if ${ac_cv_search_clock_gettime+:} false; then : + break +fi +done +if ${ac_cv_search_clock_gettime+:} false; then : + +else + ac_cv_search_clock_gettime=no +fi +rm conftest.$ac_ext +LIBS=$ac_func_search_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5 +$as_echo "$ac_cv_search_clock_gettime" >&6; } +ac_res=$ac_cv_search_clock_gettime +if test "$ac_res" != no; then : + test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" + +$as_echo "#define HAVE_LIBRT 1" >>confdefs.h + + LIBCLOCK_GETTIME="$LIBS" +else + as_fn_error $? 
"unable to find library for the clock_gettime() function" "$LINENO" 5 +fi + + + +LIBS=$SAVE_LIBS + +# Check for presence of modern functions for setting file timestamps +for ac_func in utimensat \ + futimens +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +#Check for endian headers +for ac_header in endian.h sys/endian.h byteswap.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 +$as_echo_n "checking whether byte ordering is bigendian... " >&6; } +if ${ac_cv_c_bigendian+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_c_bigendian=unknown + # See if we're dealing with a universal compiler. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifndef __APPLE_CC__ + not a universal capable compiler + #endif + typedef int dummy; + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + # Check for potential -arch flags. It is not universal unless + # there are at least two -arch flags with different values. 
+ ac_arch= + ac_prev= + for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do + if test -n "$ac_prev"; then + case $ac_word in + i?86 | x86_64 | ppc | ppc64) + if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then + ac_arch=$ac_word + else + ac_cv_c_bigendian=universal + break + fi + ;; + esac + ac_prev= + elif test "x$ac_word" = "x-arch"; then + ac_prev=arch + fi + done +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + if test $ac_cv_c_bigendian = unknown; then + # See if sys/param.h defines the BYTE_ORDER macro. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include + +int +main () +{ +#if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ + && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ + && LITTLE_ENDIAN) + bogus endian macros + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # It does; now see whether it defined to BIG_ENDIAN or not. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + #include + +int +main () +{ +#if BYTE_ORDER != BIG_ENDIAN + not big endian + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_bigendian=yes +else + ac_cv_c_bigendian=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + +int +main () +{ +#if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) + bogus endian macros + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + # It does; now see whether it defined to _BIG_ENDIAN or not. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include + +int +main () +{ +#ifndef _BIG_ENDIAN + not big endian + #endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_c_bigendian=yes +else + ac_cv_c_bigendian=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + fi + if test $ac_cv_c_bigendian = unknown; then + # Compile a test program. + if test "$cross_compiling" = yes; then : + # Try to guess by grepping values from an object file. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +short int ascii_mm[] = + { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; + short int ascii_ii[] = + { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; + int use_ascii (int i) { + return ascii_mm[i] + ascii_ii[i]; + } + short int ebcdic_ii[] = + { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; + short int ebcdic_mm[] = + { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; + int use_ebcdic (int i) { + return ebcdic_mm[i] + ebcdic_ii[i]; + } + extern int foo; + +int +main () +{ +return use_ascii (foo) == use_ebcdic (foo); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then + ac_cv_c_bigendian=yes + fi + if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then + if test "$ac_cv_c_bigendian" = unknown; then + ac_cv_c_bigendian=no + else + # finding both strings is unlikely to happen, but who knows? + ac_cv_c_bigendian=unknown + fi + fi +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +$ac_includes_default +int +main () +{ + + /* Are we little or big endian? From Harbison&Steele. 
*/ + union + { + long int l; + char c[sizeof (long int)]; + } u; + u.l = 1; + return u.c[sizeof (long int) - 1] == 1; + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + ac_cv_c_bigendian=no +else + ac_cv_c_bigendian=yes +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 +$as_echo "$ac_cv_c_bigendian" >&6; } + case $ac_cv_c_bigendian in #( + yes) + +$as_echo "#define HAVE_BIG_ENDIAN 1" >>confdefs.h +;; #( + no) + +$as_echo "#define HAVE_LITTLE_ENDIAN 1" >>confdefs.h + ;; #( + universal) + +$as_echo "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h + + ;; #( + *) + as_fn_error $? "unknown endianness + presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; + esac + + +#Set the NSS library install path +# Check whether --enable-nsslibdir was given. +if test "${enable_nsslibdir+set}" = set; then : + enableval=$enable_nsslibdir; nsslibdir=$enableval +else + nsslibdir=$libdir +fi + + + +#Set the PAM module install path +# Check whether --enable-pammoddir was given. +if test "${enable_pammoddir+set}" = set; then : + enableval=$enable_pammoddir; pammoddir=$enableval +else + pammoddir=$libdir/security +fi + + + +#Set the NFSv4 idmapd library install path +# Check whether --enable-nfsidmaplibdir was given. +if test "${enable_nfsidmaplibdir+set}" = set; then : + enableval=$enable_nfsidmaplibdir; nfsidmaplibdir=$enableval +else + nfsidmaplibdir=$libdir/libnfsidmap +fi + + + +#Include here cause WITH_INIT_DIR requires $osname set in platform.m4 + +# Check whether --with-os was given. 
+if test "${with_os+set}" = set; then : + withval=$with_os; +fi + +osname="" +if test x"$with_os" != x ; then + if test x"$with_os" = xfedora || \ + test x"$with_os" = xredhat || \ + test x"$with_os" = xsuse || \ + test x"$with_os" = xgentoo || \ + test x"$with_os" = xdebian ; then + osname=$with_os + else + as_fn_error $? "Illegal value -$with_os- for option --with-os" "$LINENO" 5 + fi +fi + +if test x"$osname" = x ; then + if test -f /etc/fedora-release ; then + osname="fedora" + elif test -f /etc/redhat-release ; then + osname="redhat" + elif test -f /etc/SuSE-release ; then + osname="suse" + elif test -f /etc/debian_version ; then + osname="debian" + elif test -f /etc/gentoo-release ; then + osname="gentoo" + fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: Detected operating system type: $osname" >&5 +$as_echo "$as_me: Detected operating system type: $osname" >&6;} +fi + + if test x"$osname" = xfedora; then + HAVE_FEDORA_TRUE= + HAVE_FEDORA_FALSE='#' +else + HAVE_FEDORA_TRUE='#' + HAVE_FEDORA_FALSE= +fi + + if test x"$osname" = xredhat; then + HAVE_REDHAT_TRUE= + HAVE_REDHAT_FALSE='#' +else + HAVE_REDHAT_TRUE='#' + HAVE_REDHAT_FALSE= +fi + + if test x"$osname" = xsuse; then + HAVE_SUSE_TRUE= + HAVE_SUSE_FALSE='#' +else + HAVE_SUSE_TRUE='#' + HAVE_SUSE_FALSE= +fi + + if test x"$osname" = xdebian; then + HAVE_DEBIAN_TRUE= + HAVE_DEBIAN_FALSE='#' +else + HAVE_DEBIAN_TRUE='#' + HAVE_DEBIAN_FALSE= +fi + + if test x"$osname" = xgentoo; then + HAVE_GENTOO_TRUE= + HAVE_GENTOO_FALSE='#' +else + HAVE_GENTOO_TRUE='#' + HAVE_GENTOO_FALSE= +fi + + +ac_fn_c_check_member "$LINENO" "struct ucred" "pid" "ac_cv_member_struct_ucred_pid" "#include +" +if test "x$ac_cv_member_struct_ucred_pid" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_UCRED_PID 1 +_ACEOF + + +fi +ac_fn_c_check_member "$LINENO" "struct ucred" "uid" "ac_cv_member_struct_ucred_uid" "#include +" +if test "x$ac_cv_member_struct_ucred_uid" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define 
HAVE_STRUCT_UCRED_UID 1 +_ACEOF + + +fi +ac_fn_c_check_member "$LINENO" "struct ucred" "gid" "ac_cv_member_struct_ucred_gid" "#include +" +if test "x$ac_cv_member_struct_ucred_gid" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_UCRED_GID 1 +_ACEOF + + +fi + + +if test x"$ac_cv_member_struct_ucred_pid" = xyes -a \ + x"$ac_cv_member_struct_ucred_uid" = xyes -a \ + x"$ac_cv_member_struct_ucred_gid" = xyes ; then + +$as_echo "#define HAVE_UCRED 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: struct ucred is not available" >&5 +$as_echo "$as_me: WARNING: struct ucred is not available" >&2;} +fi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + if test x$with_manpages = xyes; then + BUILD_MANPAGES_TRUE= + BUILD_MANPAGES_FALSE='#' +else + BUILD_MANPAGES_TRUE='#' + BUILD_MANPAGES_FALSE= +fi + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +# Check whether --enable-all-experimental-features was given. +if test "${enable_all_experimental_features+set}" = set; then : + enableval=$enable_all_experimental_features; build_all_experimental_features=$enableval +else + build_all_experimental_features=no +fi + + + + + + + + + + + + + + + + + + + + + +# Check whether --enable-dbus-tests was given. +if test "${enable_dbus_tests+set}" = set; then : + enableval=$enable_dbus_tests; build_dbus_tests=$enableval +else + build_dbus_tests=yes +fi + + if test x$build_dbus_tests = xyes; then + BUILD_DBUS_TESTS_TRUE= + BUILD_DBUS_TESTS_FALSE='#' +else + BUILD_DBUS_TESTS_TRUE='#' + BUILD_DBUS_TESTS_FALSE= +fi + + +# Check whether --enable-sss-default-nss-plugin was given. 
+if test "${enable_sss_default_nss_plugin+set}" = set; then : + enableval=$enable_sss_default_nss_plugin; enable_sss_default_nss_plugin=$enableval +else + enable_sss_default_nss_plugin=no +fi + +if test x$enable_sss_default_nss_plugin = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define NONSTANDARD_SSS_NSS_BEHAVIOUR 1 +_ACEOF + +fi + + + + + + + + + + + + + + + + + + + +# Check whether --enable-files-domain was given. +if test "${enable_files_domain+set}" = set; then : + enableval=$enable_files_domain; enable_files_domain=$enableval +else + enable_files_domain=no +fi + +if test x$enable_files_domain = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define ADD_FILES_DOMAIN 1 +_ACEOF + +fi + if test x$enable_files_domain = xyes; then + ADD_FILES_DOMAIN_TRUE= + ADD_FILES_DOMAIN_FALSE='#' +else + ADD_FILES_DOMAIN_TRUE='#' + ADD_FILES_DOMAIN_FALSE= +fi + + + +# Check whether --with-db-path was given. +if test "${with_db_path+set}" = set; then : + withval=$with_db_path; +fi + + config_dbpath="\"SSS_STATEDIR\"/db" + dbpath="${localstatedir}/lib/sss/db" + if test x"$with_db_path" != x; then + config_dbpath=$with_db_path + dbpath=$with_db_path + fi + + +cat >>confdefs.h <<_ACEOF +#define DB_PATH "$config_dbpath" +_ACEOF + + + +# Check whether --with-plugin-path was given. +if test "${with_plugin_path+set}" = set; then : + withval=$with_plugin_path; +fi + + pluginpath="${libdir}/sssd" + config_pluginpath="\"LIBDIR\"/sssd" + if test x"$with_plugin_path" != x; then + pluginpath=$with_plugin_path + config_pluginpath=$with_plugin_path + fi + + +cat >>confdefs.h <<_ACEOF +#define DATA_PROVIDER_PLUGINS_PATH "$config_pluginpath" +_ACEOF + + + +# Check whether --with-pid-path was given. 
+if test "${with_pid_path+set}" = set; then : + withval=$with_pid_path; +fi + + config_pidpath="\"VARDIR\"/run" + pidpath="${localstatedir}/run" + if test x"$with_pid_path" != x; then + config_pidpath=$with_pid_path + pidpath=$with_pid_path + fi + + +cat >>confdefs.h <<_ACEOF +#define PID_PATH "$config_pidpath" +_ACEOF + + + +# Check whether --with-log-path was given. +if test "${with_log_path+set}" = set; then : + withval=$with_log_path; +fi + + config_logpath="\"VARDIR\"/log/sssd" + logpath="${localstatedir}/log/sssd" + if test x"$with_log_path" != x; then + config_logpath=$with_log_path + logpath=$with_log_path + fi + + +cat >>confdefs.h <<_ACEOF +#define LOG_PATH "$config_logpath" +_ACEOF + + + +# Check whether --with-pubconf-path was given. +if test "${with_pubconf_path+set}" = set; then : + withval=$with_pubconf_path; +fi + + config_pubconfpath="\"SSS_STATEDIR\"/pubconf" + pubconfpath="${localstatedir}/lib/sss/pubconf" + if test x"$with_pubconf_path" != x; then + config_pubconfpath=$with_pubconf_path + pubconfpath=$with_pubconf_path + fi + + +cat >>confdefs.h <<_ACEOF +#define PUBCONF_PATH "$config_pubconfpath" +_ACEOF + + + +# Check whether --with-pipe-path was given. +if test "${with_pipe_path+set}" = set; then : + withval=$with_pipe_path; +fi + + config_pipepath="\"SSS_STATEDIR\"/pipes" + pipepath="${localstatedir}/lib/sss/pipes" + if test x"$with_pipe_path" != x; then + config_pipepath=$with_pipe_path + pipepath=$with_pipe_path + fi + + +cat >>confdefs.h <<_ACEOF +#define PIPE_PATH "$config_pipepath" +_ACEOF + + + +# Check whether --with-mcache-path was given. 
+if test "${with_mcache_path+set}" = set; then : + withval=$with_mcache_path; +fi + + config_mcpath="\"SSS_STATEDIR\"/mc" + mcpath="${localstatedir}/lib/sss/mc" + if test x"$with_mcache_path" != x; then + config_mcpath=$with_mcache_path + mcpath=$with_mcache_path + fi + + +cat >>confdefs.h <<_ACEOF +#define MCACHE_PATH "$config_mcpath" +_ACEOF + + + +# Check whether --with-default-ccache-dir was given. +if test "${with_default_ccache_dir+set}" = set; then : + withval=$with_default_ccache_dir; +fi + + config_def_ccache_dir="/tmp" + if test x"$with_default_ccache_dir" != x; then + config_def_ccache_dir=$with_default_ccache_dir + fi + + +cat >>confdefs.h <<_ACEOF +#define DEFAULT_CCACHE_DIR "$config_def_ccache_dir" +_ACEOF + + + +# Check whether --with-default-ccname-template was given. +if test "${with_default_ccname_template+set}" = set; then : + withval=$with_default_ccname_template; +fi + + config_def_ccname_template="FILE:%d/krb5cc_%U_XXXXXX" + if test x"$with_default_ccname_template" != x; then + config_def_ccname_template=$with_default_ccname_template + fi + + +cat >>confdefs.h <<_ACEOF +#define DEFAULT_CCNAME_TEMPLATE "$config_def_ccname_template" +_ACEOF + + + +# Check whether --with-environment_file was given. +if test "${with_environment_file+set}" = set; then : + withval=$with_environment_file; +fi + + + ENVIRONMENT_FILE_PATH="${sysconfdir}/sysconfig/sssd" + if test x"$with_environment_file" != x; then + ENVIRONMENT_FILE_PATH=$with_environment_file + fi + environment_file=$ENVIRONMENT_FILE_PATH + + + +# Check whether --with-init-dir was given. +if test "${with_init_dir+set}" = set; then : + withval=$with_init_dir; +fi + + initdir="${sysconfdir}/rc.d/init.d" + if test x$osname = xgentoo; then + initdir="${sysconfdir}/init.d" + fi + if test x"$with_init_dir" != x; then + initdir=$with_init_dir + fi + + + +# Check whether --with-test-dir was given. +if test "${with_test_dir+set}" = set; then : + withval=$with_test_dir; TEST_DIR=$withval +else + TEST_DIR="." 
+ +fi + + + +cat >>confdefs.h <<_ACEOF +#define TEST_DIR "$TEST_DIR" +_ACEOF + + + +# Check whether --with-manpages was given. +if test "${with_manpages+set}" = set; then : + withval=$with_manpages; +else + with_manpages=yes + +fi + + if test x"$with_manpages" = xyes; then + HAVE_MANPAGES=1 + + fi + + +# Check whether --with-xml-catalog-path was given. +if test "${with_xml_catalog_path+set}" = set; then : + withval=$with_xml_catalog_path; +fi + + SGML_CATALOG_FILES="/etc/xml/catalog" + if test x"$with_xml_catalog_path" != x; then + SGML_CATALOG_FILES="$with_xml_catalog_path" + fi + + + +# Check whether --with-krb5-plugin-path was given. +if test "${with_krb5_plugin_path+set}" = set; then : + withval=$with_krb5_plugin_path; +fi + + krb5pluginpath="${libdir}/krb5/plugins/libkrb5" + if test x"$with_krb5_plugin_path" != x; then + krb5pluginpath=$with_krb5_plugin_path + fi + + + +# Check whether --with-krb5-rcache-dir was given. +if test "${with_krb5_rcache_dir+set}" = set; then : + withval=$with_krb5_rcache_dir; +fi + + krb5rcachedir="__LIBKRB5_DEFAULTS__" + if test x"$with_krb5_rcache_dir" != x; then + krb5rcachedir=$with_krb5_rcache_dir + fi + + +cat >>confdefs.h <<_ACEOF +#define KRB5_RCACHE_DIR "$krb5rcachedir" +_ACEOF + + + +# Check whether --with-krb5authdata-plugin-path was given. +if test "${with_krb5authdata_plugin_path+set}" = set; then : + withval=$with_krb5authdata_plugin_path; +fi + + krb5authdatapluginpath="${libdir}/krb5/plugins/authdata" + if test x"$with_krb5authdata_plugin_path" != x; then + krb5authdatapluginpath=$with_krb5authdata_plugin_path + fi + + + +# Check whether --with-krb5_conf was given. +if test "${with_krb5_conf+set}" = set; then : + withval=$with_krb5_conf; +fi + + + KRB5_CONF_PATH="\"SYSCONFDIR\"/krb5.conf" + if test x"$with_krb5_conf" != x; then + KRB5_CONF_PATH=$with_krb5_conf + fi + +cat >>confdefs.h <<_ACEOF +#define KRB5_CONF_PATH "$KRB5_CONF_PATH" +_ACEOF + + + +# Check whether --with-python2-bindings was given. 
+if test "${with_python2_bindings+set}" = set; then : + withval=$with_python2_bindings; +else + with_python2_bindings=yes + +fi + + if test x"$with_python2_bindings" = xyes; then + HAVE_PYTHON2_BINDINGS=1 + + +cat >>confdefs.h <<_ACEOF +#define HAVE_PYTHON2_BINDINGS 1 +_ACEOF + + fi + if test x"$with_python2_bindings" = xyes; then + BUILD_PYTHON2_BINDINGS_TRUE= + BUILD_PYTHON2_BINDINGS_FALSE='#' +else + BUILD_PYTHON2_BINDINGS_TRUE='#' + BUILD_PYTHON2_BINDINGS_FALSE= +fi + + + +# Check whether --with-python3-bindings was given. +if test "${with_python3_bindings+set}" = set; then : + withval=$with_python3_bindings; +else + with_python3_bindings=yes + +fi + + if test x"$with_python3_bindings" = xyes; then + HAVE_PYTHON3_BINDINGS=1 + + +cat >>confdefs.h <<_ACEOF +#define HAVE_PYTHON3_BINDINGS 1 +_ACEOF + + fi + if test x"$with_python3_bindings" = xyes; then + BUILD_PYTHON3_BINDINGS_TRUE= + BUILD_PYTHON3_BINDINGS_FALSE='#' +else + BUILD_PYTHON3_BINDINGS_TRUE='#' + BUILD_PYTHON3_BINDINGS_FALSE= +fi + + + +# Check whether --with-cifs-plugin-path was given. +if test "${with_cifs_plugin_path+set}" = set; then : + withval=$with_cifs_plugin_path; +fi + + cifspluginpath="${libdir}/cifs-utils" + if test x"$with_cifs_plugin_path" != x; then + cifspluginpath=$with_cifs_plugin_path + fi + + + +# Check whether --with-winbind-plugin-path was given. +if test "${with_winbind_plugin_path+set}" = set; then : + withval=$with_winbind_plugin_path; +fi + + winbindpluginpath="${libdir}/samba/idmap" + if test x"$with_winbind_plugin_path" != x; then + winbindpluginpath=$with_winbind_plugin_path + fi + + + +# Check whether --with-selinux was given. 
+if test "${with_selinux+set}" = set; then : + withval=$with_selinux; +else + with_selinux=yes + +fi + + if test x"$with_selinux" = xyes; then + HAVE_SELINUX=1 + + +cat >>confdefs.h <<_ACEOF +#define HAVE_SELINUX 1 +_ACEOF + + fi + if test x"$with_selinux" = xyes; then + BUILD_SELINUX_TRUE= + BUILD_SELINUX_FALSE='#' +else + BUILD_SELINUX_TRUE='#' + BUILD_SELINUX_FALSE= +fi + + + +# Check whether --with-nscd was given. +if test "${with_nscd+set}" = set; then : + withval=$with_nscd; +fi + + NSCD_PATH="/usr/sbin/nscd" + if test x"$with_nscd" != x; then + NSCD_PATH=$with_nscd + + fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_NSCD $NSCD_PATH +_ACEOF + + + +# Check whether --with-ipa_getkeytab was given. +if test "${with_ipa_getkeytab+set}" = set; then : + withval=$with_ipa_getkeytab; +fi + + IPA_GETKEYTAB_PATH="/usr/sbin/ipa-getkeytab" + if test x"$with_ipa_getkeytab" != x; then + IPA_GETKEYTAB_PATH=$with_ipa_getkeytab + fi + +cat >>confdefs.h <<_ACEOF +#define IPA_GETKEYTAB_PATH "$IPA_GETKEYTAB_PATH" +_ACEOF + + + +# Check whether --with-semanage was given. +if test "${with_semanage+set}" = set; then : + withval=$with_semanage; +else + with_semanage=yes + +fi + + if test x"$with_semanage" = xyes; then + HAVE_SEMANAGE=1 + + +cat >>confdefs.h <<_ACEOF +#define HAVE_SEMANAGE 1 +_ACEOF + + fi + if test x"$with_semanage" = xyes; then + BUILD_SEMANAGE_TRUE= + BUILD_SEMANAGE_FALSE='#' +else + BUILD_SEMANAGE_TRUE='#' + BUILD_SEMANAGE_FALSE= +fi + + + +# Check whether --with-ad-gpo-default was given. +if test "${with_ad_gpo_default+set}" = set; then : + withval=$with_ad_gpo_default; +fi + + GPO_DEFAULT=enforcing + + if test x"$with_ad_gpo_default" != x; then + if test ! "$with_ad_gpo_default" = "enforcing" -a ! "$with_ad_gpo_default" = "permissive"; then + as_fn_error $? 
"\"GPO Default must be either \"enforcing\" or \"permissive\"" "$LINENO" 5 + else + GPO_DEFAULT=$with_ad_gpo_default + fi + fi + + + +cat >>confdefs.h <<_ACEOF +#define AD_GPO_ACCESS_MODE_DEFAULT "$GPO_DEFAULT" +_ACEOF + + if test x"$GPO_DEFAULT" = xenforcing; then + GPO_DEFAULT_ENFORCING_TRUE= + GPO_DEFAULT_ENFORCING_FALSE='#' +else + GPO_DEFAULT_ENFORCING_TRUE='#' + GPO_DEFAULT_ENFORCING_FALSE= +fi + + + +# Check whether --with-gpo-cache-path was given. +if test "${with_gpo_cache_path+set}" = set; then : + withval=$with_gpo_cache_path; +fi + + config_gpocachepath="\"SSS_STATEDIR\"/gpo_cache" + gpocachepath="${localstatedir}/lib/sss/gpo_cache" + if test x"$with_gpo_cache_path" != x; then + config_gpocachepath=$with_gpo_cache_path + gpocachepath=$with_gpo_cache_path + fi + + +cat >>confdefs.h <<_ACEOF +#define GPO_CACHE_PATH "$config_gpocachepath" +_ACEOF + + + +# Check whether --with-nologin-shell was given. +if test "${with_nologin_shell+set}" = set; then : + withval=$with_nologin_shell; +fi + + nologin_shell="/sbin/nologin" + if test x"$with_nologin_shell" != x; then + nologin_shell=$with_nologin_shell + fi + +cat >>confdefs.h <<_ACEOF +#define NOLOGIN_SHELL "$nologin_shell" +_ACEOF + + + +# Check whether --with-session-recording-shell was given. +if test "${with_session_recording_shell+set}" = set; then : + withval=$with_session_recording_shell; +fi + + session_recording_shell="/usr/bin/tlog-rec-session" + if test x"$with_session_recording_shell" != x; then + session_recording_shell=$with_session_recording_shell + fi + + +cat >>confdefs.h <<_ACEOF +#define SESSION_RECORDING_SHELL "$session_recording_shell" +_ACEOF + + + +# Check whether --with-app-libs was given. 
+if test "${with_app_libs+set}" = set; then : + withval=$with_app_libs; +fi + + appmodpath="${libdir}/sssd/modules" + config_appmodpath="\"LIBDIR\"/sssd/modules" + if test x"$with_app_libs" != x; then + appmodpath=$with_app_libs + config_appmodpath=$with_app_libs + fi + + +cat >>confdefs.h <<_ACEOF +#define APP_MODULES_PATH "$config_appmodpath" +_ACEOF + + + +# Check whether --with-sudo was given. +if test "${with_sudo+set}" = set; then : + withval=$with_sudo; with_sudo=$withval +else + with_sudo=yes + +fi + + + if test x"$with_sudo" = xyes; then + +$as_echo "#define BUILD_SUDO 1" >>confdefs.h + + fi + if test x"$with_sudo" = xyes; then + BUILD_SUDO_TRUE= + BUILD_SUDO_FALSE='#' +else + BUILD_SUDO_TRUE='#' + BUILD_SUDO_FALSE= +fi + + + +# Check whether --with-sudo-lib-path was given. +if test "${with_sudo_lib_path+set}" = set; then : + withval=$with_sudo_lib_path; +fi + + sudolibpath="${libdir}" + if test x"$with_sudo_lib_path" != x; then + sudolibpath=$with_sudo_lib_path + fi + + + +# Check whether --with-autofs was given. +if test "${with_autofs+set}" = set; then : + withval=$with_autofs; with_autofs=$withval +else + with_autofs=yes + +fi + + + if test x"$with_autofs" = xyes; then + +$as_echo "#define BUILD_AUTOFS 1" >>confdefs.h + + fi + if test x"$with_autofs" = xyes; then + BUILD_AUTOFS_TRUE= + BUILD_AUTOFS_FALSE='#' +else + BUILD_AUTOFS_TRUE='#' + BUILD_AUTOFS_FALSE= +fi + + + +# Check whether --with-ssh was given. +if test "${with_ssh+set}" = set; then : + withval=$with_ssh; with_ssh=$withval +else + with_ssh=yes + +fi + + + if test x"$with_ssh" = xyes; then + +$as_echo "#define BUILD_SSH 1" >>confdefs.h + + fi + if test x"$with_ssh" = xyes; then + BUILD_SSH_TRUE= + BUILD_SSH_FALSE='#' +else + BUILD_SSH_TRUE='#' + BUILD_SSH_FALSE= +fi + + + +# Check whether --with-infopipe was given. 
+if test "${with_infopipe+set}" = set; then : + withval=$with_infopipe; with_infopipe=$withval +else + with_infopipe=yes + +fi + + + if test x"$with_infopipe" = xyes; then + +$as_echo "#define BUILD_IFP 1" >>confdefs.h + + fi + if test x"$with_infopipe" = xyes; then + BUILD_IFP_TRUE= + BUILD_IFP_FALSE='#' +else + BUILD_IFP_TRUE='#' + BUILD_IFP_FALSE= +fi + + + +# Check whether --with-crypto was given. +if test "${with_crypto+set}" = set; then : + withval=$with_crypto; +else + with_crypto=nss + +fi + + + cryptolib="" + if test x"$with_crypto" != x; then + if test x"$with_crypto" = xnss || \ + test x"$with_crypto" = xlibcrypto; then + cryptolib="$with_crypto"; + else + as_fn_error $? "Illegal value -$with_crypto- for option --with-crypto" "$LINENO" 5 + fi + fi + if test x"$cryptolib" = xnss; then + HAVE_NSS_TRUE= + HAVE_NSS_FALSE='#' +else + HAVE_NSS_TRUE='#' + HAVE_NSS_FALSE= +fi + + if test x"$cryptolib" = xlibcrypto; then + HAVE_LIBCRYPTO_TRUE= + HAVE_LIBCRYPTO_FALSE='#' +else + HAVE_LIBCRYPTO_TRUE='#' + HAVE_LIBCRYPTO_FALSE= +fi + + + +# Check whether --with-syslog was given. +if test "${with_syslog+set}" = set; then : + withval=$with_syslog; +else + with_syslog="syslog" + +fi + + + if test x"$with_syslog" = xsyslog || \ + test x"$with_syslog" = xjournald; then + syslog=$with_syslog + else + as_fn_error $? "Unknown syslog type, supported types are syslog and journald" "$LINENO" 5 + fi + + if test x"$syslog" = xjournald; then + WITH_JOURNALD_TRUE= + WITH_JOURNALD_FALSE='#' +else + WITH_JOURNALD_TRUE='#' + WITH_JOURNALD_FALSE= +fi + + + +# Check whether --with-samba was given. 
+if test "${with_samba+set}" = set; then : + withval=$with_samba; with_samba=$withval +else + with_samba=yes + +fi + + + if test x"$with_samba" = xyes; then + +$as_echo "#define BUILD_SAMBA 1" >>confdefs.h + + fi + if test x"$with_samba" = xyes; then + BUILD_SAMBA_TRUE= + BUILD_SAMBA_FALSE='#' +else + BUILD_SAMBA_TRUE='#' + BUILD_SAMBA_FALSE= +fi + + + +# Check whether --with-nfsv4-idmapd-plugin was given. +if test "${with_nfsv4_idmapd_plugin+set}" = set; then : + withval=$with_nfsv4_idmapd_plugin; with_nfsv4_idmap=$withval +else + with_nfsv4_idmap=yes + +fi + + + if test x"$with_nfsv4_idmap" = xyes; then + +$as_echo "#define BUILD_NFS_IDMAP 1" >>confdefs.h + + fi + if test x"$with_nfsv4_idmap" = xyes; then + BUILD_NFS_IDMAP_TRUE= + BUILD_NFS_IDMAP_FALSE='#' +else + BUILD_NFS_IDMAP_TRUE='#' + BUILD_NFS_IDMAP_FALSE= +fi + + + +# Check whether --with-nfs-lib-path was given. +if test "${with_nfs_lib_path+set}" = set; then : + withval=$with_nfs_lib_path; +fi + + nfslibpath="${libdir}" + if test x"$with_nfs_lib_path" != x; then + nfslibpath=$with_nfs_lib_path + fi + + + +# Check whether --with-libwbclient was given. +if test "${with_libwbclient+set}" = set; then : + withval=$with_libwbclient; with_libwbclient=$withval +else + with_libwbclient=yes + +fi + + + if test x"$with_libwbclient" = xyes; then + +$as_echo "#define BUILD_LIBWBCLIENT 1" >>confdefs.h + + + libwbclient_version="0.14" + + + libwbclient_version_info="14:0:14" + + fi + if test x"$with_libwbclient" = xyes; then + BUILD_LIBWBCLIENT_TRUE= + BUILD_LIBWBCLIENT_FALSE='#' +else + BUILD_LIBWBCLIENT_TRUE='#' + BUILD_LIBWBCLIENT_FALSE= +fi + + + +# Check whether --with-sssd-user was given. 
+if test "${with_sssd_user+set}" = set; then : + withval=$with_sssd_user; +fi + + + SSSD_USER=root + + if test x"$with_sssd_user" != x; then + SSSD_USER=$with_sssd_user + fi + + + +cat >>confdefs.h <<_ACEOF +#define SSSD_USER "$SSSD_USER" +_ACEOF + + if test x"$with_sssd_user" != x; then + SSSD_USER_TRUE= + SSSD_USER_FALSE='#' +else + SSSD_USER_TRUE='#' + SSSD_USER_FALSE= +fi + + + + if test x"$runstatedir" = x; then + runstatedir="${localstatedir}/run" + + fi + + +# Check whether --with-secrets was given. +if test "${with_secrets+set}" = set; then : + withval=$with_secrets; with_secrets=$withval +else + with_secrets=yes + +fi + + + if test x"$with_secrets" = xyes; then + +$as_echo "#define BUILD_SECRETS 1" >>confdefs.h + + fi + if test x"$with_secrets" = xyes; then + BUILD_SECRETS_TRUE= + BUILD_SECRETS_FALSE='#' +else + BUILD_SECRETS_TRUE='#' + BUILD_SECRETS_FALSE= +fi + + + +# Check whether --with-secrets-db-path was given. +if test "${with_secrets_db_path+set}" = set; then : + withval=$with_secrets_db_path; +fi + + config_secdbpath="\"SSS_STATEDIR\"/secrets" + secdbpath="${localstatedir}/lib/sss/secrets" + if test x"$with_secrets_db_path" != x; then + config_secdbpath=$with_secrets_db_path + secdbpath=$with_secrets_db_path + fi + + +cat >>confdefs.h <<_ACEOF +#define SECRETS_DB_PATH "$config_secdbpath" +_ACEOF + + + +# Check whether --with-kcm was given. +if test "${with_kcm+set}" = set; then : + withval=$with_kcm; with_kcm=$withval +else + with_kcm=yes + +fi + + + if test x"$with_kcm" = xyes; then + +$as_echo "#define BUILD_KCM 1" >>confdefs.h + + fi + if test x"$with_kcm" = xyes; then + BUILD_KCM_TRUE= + BUILD_KCM_FALSE='#' +else + BUILD_KCM_TRUE='#' + BUILD_KCM_FALSE= +fi + + + +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# +# Copyright © 2004 Scott James Remnant . 
+# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# PKG_PROG_PKG_CONFIG([MIN-VERSION]) +# ---------------------------------- +# PKG_PROG_PKG_CONFIG + +# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# +# Check to see whether a particular set of modules exists. Similar +# to PKG_CHECK_MODULES(), but does not set variables or print errors. 
+# +# +# Similar to PKG_CHECK_MODULES, make sure that the first instance of +# this or PKG_CHECK_MODULES is called, or make sure to call +# PKG_CHECK_EXISTS manually +# -------------------------------------------------------------- + + + +# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +# --------------------------------------------- +# _PKG_CONFIG + +# _PKG_SHORT_ERRORS_SUPPORTED +# ----------------------------- +# _PKG_SHORT_ERRORS_SUPPORTED + + +# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +# [ACTION-IF-NOT-FOUND]) +# +# +# Note that if there is a possibility the first call to +# PKG_CHECK_MODULES might not happen, you should be sure to include an +# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +# +# +# -------------------------------------------------------------- +# PKG_CHECK_MODULES + + + + + + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}pkg-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PKG_CONFIG="$PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PKG_CONFIG=$ac_cv_path_PKG_CONFIG +if test -n "$PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PKG_CONFIG" >&5 +$as_echo "$PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_PKG_CONFIG"; then + ac_pt_PKG_CONFIG=$PKG_CONFIG + # Extract the first word of "pkg-config", so it can be a program name with args. +set dummy pkg-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ac_pt_PKG_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_PKG_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_PKG_CONFIG="$ac_pt_PKG_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_ac_pt_PKG_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_PKG_CONFIG=$ac_cv_path_ac_pt_PKG_CONFIG +if test -n "$ac_pt_PKG_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_PKG_CONFIG" >&5 +$as_echo "$ac_pt_PKG_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_PKG_CONFIG" = x; then + PKG_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + PKG_CONFIG=$ac_pt_PKG_CONFIG + fi +else + PKG_CONFIG="$ac_cv_path_PKG_CONFIG" +fi + +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=0.9.0 + { $as_echo "$as_me:${as_lineno-$LINENO}: checking pkg-config is at least version $_pkg_min_version" >&5 +$as_echo_n "checking pkg-config is at least version $_pkg_min_version... " >&6; } + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + PKG_CONFIG="" + fi + +fi + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for POPT" >&5 +$as_echo_n "checking for POPT... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$POPT_CFLAGS"; then + pkg_cv_POPT_CFLAGS="$POPT_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"popt\""; } >&5 + ($PKG_CONFIG --exists --print-errors "popt") 2>&5 + ac_status=$? 
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_POPT_CFLAGS=`$PKG_CONFIG --cflags "popt" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$POPT_LIBS"; then + pkg_cv_POPT_LIBS="$POPT_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"popt\""; } >&5 + ($PKG_CONFIG --exists --print-errors "popt") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_POPT_LIBS=`$PKG_CONFIG --libs "popt" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + POPT_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "popt"` + else + POPT_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "popt"` + fi + # Put the nasty error message in config.log where it belongs + echo "$POPT_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_popt=no +elif test $pkg_failed = untried; then + found_popt=no +else + POPT_CFLAGS=$pkg_cv_POPT_CFLAGS + POPT_LIBS=$pkg_cv_POPT_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_popt=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_popt" != xyes; then : + for ac_header in popt.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "popt.h" "ac_cv_header_popt_h" 
"$ac_includes_default" +if test "x$ac_cv_header_popt_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_POPT_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for poptGetContext in -lpopt" >&5 +$as_echo_n "checking for poptGetContext in -lpopt... " >&6; } +if ${ac_cv_lib_popt_poptGetContext+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpopt -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char poptGetContext (); +int +main () +{ +return poptGetContext (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_popt_poptGetContext=yes +else + ac_cv_lib_popt_poptGetContext=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_popt_poptGetContext" >&5 +$as_echo "$ac_cv_lib_popt_poptGetContext" >&6; } +if test "x$ac_cv_lib_popt_poptGetContext" = xyes; then : + POPT_LIBS="-L$sss_extra_libdir -lpopt" +else + as_fn_error $? "POPT library must support poptGetContext" "$LINENO" 5 +fi + +else + as_fn_error $? "POPT header files are not installed" "$LINENO" 5 +fi + +done + + +fi + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for TALLOC" >&5 +$as_echo_n "checking for TALLOC... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$TALLOC_CFLAGS"; then + pkg_cv_TALLOC_CFLAGS="$TALLOC_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"talloc\""; } >&5 + ($PKG_CONFIG --exists --print-errors "talloc") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_TALLOC_CFLAGS=`$PKG_CONFIG --cflags "talloc" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$TALLOC_LIBS"; then + pkg_cv_TALLOC_LIBS="$TALLOC_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"talloc\""; } >&5 + ($PKG_CONFIG --exists --print-errors "talloc") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_TALLOC_LIBS=`$PKG_CONFIG --libs "talloc" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + TALLOC_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "talloc"` + else + TALLOC_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "talloc"` + fi + # Put the nasty error message in config.log where it belongs + echo "$TALLOC_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_talloc=no +elif test $pkg_failed = untried; then + found_talloc=no +else + TALLOC_CFLAGS=$pkg_cv_TALLOC_CFLAGS + TALLOC_LIBS=$pkg_cv_TALLOC_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_talloc=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_talloc" != xyes; then : + ac_fn_c_check_header_mongrel "$LINENO" "talloc.h" "ac_cv_header_talloc_h" "$ac_includes_default" +if test 
"x$ac_cv_header_talloc_h" = xyes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for talloc_init in -ltalloc" >&5 +$as_echo_n "checking for talloc_init in -ltalloc... " >&6; } +if ${ac_cv_lib_talloc_talloc_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ltalloc -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char talloc_init (); +int +main () +{ +return talloc_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_talloc_talloc_init=yes +else + ac_cv_lib_talloc_talloc_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_talloc_talloc_init" >&5 +$as_echo "$ac_cv_lib_talloc_talloc_init" >&6; } +if test "x$ac_cv_lib_talloc_talloc_init" = xyes; then : + TALLOC_LIBS="-L$sss_extra_libdir -ltalloc" +else + as_fn_error $? "libtalloc missing talloc_init" "$LINENO" 5 +fi + +else + as_fn_error $? "libtalloc header files are not installed" "$LINENO" 5 +fi + + + +fi + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for TDB" >&5 +$as_echo_n "checking for TDB... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$TDB_CFLAGS"; then + pkg_cv_TDB_CFLAGS="$TDB_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tdb >= 1.1.3\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tdb >= 1.1.3") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_TDB_CFLAGS=`$PKG_CONFIG --cflags "tdb >= 1.1.3" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$TDB_LIBS"; then + pkg_cv_TDB_LIBS="$TDB_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tdb >= 1.1.3\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tdb >= 1.1.3") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_TDB_LIBS=`$PKG_CONFIG --libs "tdb >= 1.1.3" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + TDB_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "tdb >= 1.1.3"` + else + TDB_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "tdb >= 1.1.3"` + fi + # Put the nasty error message in config.log where it belongs + echo "$TDB_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_tdb=no +elif test $pkg_failed = untried; then + found_tdb=no +else + TDB_CFLAGS=$pkg_cv_TDB_CFLAGS + TDB_LIBS=$pkg_cv_TDB_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_tdb=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_tdb" != xyes; then : + for ac_header in tdb.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "tdb.h" "ac_cv_header_tdb_h" "$ac_includes_default" 
+if test "x$ac_cv_header_tdb_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_TDB_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for tdb_repack in -ltdb" >&5 +$as_echo_n "checking for tdb_repack in -ltdb... " >&6; } +if ${ac_cv_lib_tdb_tdb_repack+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ltdb -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char tdb_repack (); +int +main () +{ +return tdb_repack (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_tdb_tdb_repack=yes +else + ac_cv_lib_tdb_tdb_repack=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tdb_tdb_repack" >&5 +$as_echo "$ac_cv_lib_tdb_tdb_repack" >&6; } +if test "x$ac_cv_lib_tdb_tdb_repack" = xyes; then : + TDB_LIBS="-L$sss_extra_libdir -ltdb" +else + as_fn_error $? "library TDB must support tdb_repack" "$LINENO" 5 +fi + +else + as_fn_error $? "tdb header files are not installed" "$LINENO" 5 +fi + +done + + +fi + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for TEVENT" >&5 +$as_echo_n "checking for TEVENT... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$TEVENT_CFLAGS"; then + pkg_cv_TEVENT_CFLAGS="$TEVENT_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tevent\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tevent") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_TEVENT_CFLAGS=`$PKG_CONFIG --cflags "tevent" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$TEVENT_LIBS"; then + pkg_cv_TEVENT_LIBS="$TEVENT_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"tevent\""; } >&5 + ($PKG_CONFIG --exists --print-errors "tevent") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_TEVENT_LIBS=`$PKG_CONFIG --libs "tevent" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + TEVENT_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "tevent"` + else + TEVENT_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "tevent"` + fi + # Put the nasty error message in config.log where it belongs + echo "$TEVENT_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_tevent=no +elif test $pkg_failed = untried; then + found_tevent=no +else + TEVENT_CFLAGS=$pkg_cv_TEVENT_CFLAGS + TEVENT_LIBS=$pkg_cv_TEVENT_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_tevent=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_tevent" != xyes; then : + ac_fn_c_check_header_mongrel "$LINENO" "tevent.h" "ac_cv_header_tevent_h" "$ac_includes_default" +if test 
"x$ac_cv_header_tevent_h" = xyes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for tevent_context_init in -ltevent" >&5 +$as_echo_n "checking for tevent_context_init in -ltevent... " >&6; } +if ${ac_cv_lib_tevent_tevent_context_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ltevent -L$sss_extra_libdir -ltalloc $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char tevent_context_init (); +int +main () +{ +return tevent_context_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_tevent_tevent_context_init=yes +else + ac_cv_lib_tevent_tevent_context_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tevent_tevent_context_init" >&5 +$as_echo "$ac_cv_lib_tevent_tevent_context_init" >&6; } +if test "x$ac_cv_lib_tevent_tevent_context_init" = xyes; then : + TEVENT_LIBS="-L$sss_extra_libdir -ltevent -ltalloc" +else + as_fn_error $? "libtevent missing tevent_context_init" "$LINENO" 5 +fi + +else + as_fn_error $? "tevent header files are not installed" "$LINENO" 5 +fi + + + +fi + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LDB" >&5 +$as_echo_n "checking for LDB... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$LDB_CFLAGS"; then + pkg_cv_LDB_CFLAGS="$LDB_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"ldb >= 0.9.2\""; } >&5 + ($PKG_CONFIG --exists --print-errors "ldb >= 0.9.2") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LDB_CFLAGS=`$PKG_CONFIG --cflags "ldb >= 0.9.2" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$LDB_LIBS"; then + pkg_cv_LDB_LIBS="$LDB_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"ldb >= 0.9.2\""; } >&5 + ($PKG_CONFIG --exists --print-errors "ldb >= 0.9.2") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LDB_LIBS=`$PKG_CONFIG --libs "ldb >= 0.9.2" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LDB_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "ldb >= 0.9.2"` + else + LDB_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "ldb >= 0.9.2"` + fi + # Put the nasty error message in config.log where it belongs + echo "$LDB_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (ldb >= 0.9.2) were not met: + +$LDB_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables LDB_CFLAGS +and LDB_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. 
+ +Alternatively, you may set the environment variables LDB_CFLAGS +and LDB_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + LDB_CFLAGS=$pkg_cv_LDB_CFLAGS + LDB_LIBS=$pkg_cv_LDB_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + +for ac_header in ldb.h ldb_module.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldb_init in -lldb" >&5 +$as_echo_n "checking for ldb_init in -lldb... " >&6; } +if ${ac_cv_lib_ldb_ldb_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lldb -ltevent -ltdb -ldl -lldap $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ldb_init (); +int +main () +{ +return ldb_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ldb_ldb_init=yes +else + ac_cv_lib_ldb_ldb_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldb_ldb_init" >&5 +$as_echo "$ac_cv_lib_ldb_ldb_init" >&6; } +if test "x$ac_cv_lib_ldb_ldb_init" = xyes; then : + LDB_LIBS="-lldb" +fi + +else + as_fn_error $? "LDB header files are not installed" "$LINENO" 5 + +fi + +done + + + +# Check whether --with-ldb-lib-dir was given. 
+if test "${with_ldb_lib_dir+set}" = set; then : + withval=$with_ldb_lib_dir; +fi + + +if test x"$with_ldb_lib_dir" != x; then + ldblibdir=$with_ldb_lib_dir +else + ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`" + if ! test -d $ldblibdir; then + ldblibdir="${libdir}/ldb" + fi +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking feature ldb runtime version check" >&5 +$as_echo_n "checking feature ldb runtime version check... " >&6; } +# Check whether --enable-ldb-version-check was given. +if test "${enable_ldb_version_check+set}" = set; then : + enableval=$enable_ldb_version_check; enable_ldb_version_check="$enableval" +else + enable_ldb_version_check="no" +fi + +if test x"$enable_ldb_version_check" = xyes ; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define SSS_LDB_VERSION_CHECK 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: ldb lib directory: $ldblibdir" >&5 +$as_echo "$as_me: ldb lib directory: $ldblibdir" >&6;} + + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for DHASH" >&5 +$as_echo_n "checking for DHASH... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$DHASH_CFLAGS"; then + pkg_cv_DHASH_CFLAGS="$DHASH_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"dhash >= 0.4.2\""; } >&5 + ($PKG_CONFIG --exists --print-errors "dhash >= 0.4.2") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_DHASH_CFLAGS=`$PKG_CONFIG --cflags "dhash >= 0.4.2" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$DHASH_LIBS"; then + pkg_cv_DHASH_LIBS="$DHASH_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"dhash >= 0.4.2\""; } >&5 + ($PKG_CONFIG --exists --print-errors "dhash >= 0.4.2") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_DHASH_LIBS=`$PKG_CONFIG --libs "dhash >= 0.4.2" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + DHASH_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "dhash >= 0.4.2"` + else + DHASH_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "dhash >= 0.4.2"` + fi + # Put the nasty error message in config.log where it belongs + echo "$DHASH_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "\"Please install libdhash-devel\"" "$LINENO" 5 + +elif test $pkg_failed = untried; then + as_fn_error $? "\"Please install libdhash-devel\"" "$LINENO" 5 + +else + DHASH_CFLAGS=$pkg_cv_DHASH_CFLAGS + DHASH_LIBS=$pkg_cv_DHASH_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for COLLECTION" >&5 +$as_echo_n "checking for COLLECTION... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$COLLECTION_CFLAGS"; then + pkg_cv_COLLECTION_CFLAGS="$COLLECTION_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"collection >= 0.5.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "collection >= 0.5.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_COLLECTION_CFLAGS=`$PKG_CONFIG --cflags "collection >= 0.5.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$COLLECTION_LIBS"; then + pkg_cv_COLLECTION_LIBS="$COLLECTION_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"collection >= 0.5.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "collection >= 0.5.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_COLLECTION_LIBS=`$PKG_CONFIG --libs "collection >= 0.5.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + COLLECTION_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "collection >= 0.5.1"` + else + COLLECTION_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "collection >= 0.5.1"` + fi + # Put the nasty error message in config.log where it belongs + echo "$COLLECTION_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "\"Please install libcollection-devel\"" "$LINENO" 5 + +elif test $pkg_failed = untried; then + as_fn_error $? 
"\"Please install libcollection-devel\"" "$LINENO" 5 + +else + COLLECTION_CFLAGS=$pkg_cv_COLLECTION_CFLAGS + COLLECTION_LIBS=$pkg_cv_COLLECTION_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for INI_CONFIG_V0" >&5 +$as_echo_n "checking for INI_CONFIG_V0... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V0_CFLAGS"; then + pkg_cv_INI_CONFIG_V0_CFLAGS="$INI_CONFIG_V0_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 0.6.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 0.6.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V0_CFLAGS=`$PKG_CONFIG --cflags " + ini_config >= 0.6.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V0_LIBS"; then + pkg_cv_INI_CONFIG_V0_LIBS="$INI_CONFIG_V0_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 0.6.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 0.6.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V0_LIBS=`$PKG_CONFIG --libs " + ini_config >= 0.6.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + INI_CONFIG_V0_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors " + ini_config >= 0.6.1"` + else + INI_CONFIG_V0_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors " + ini_config >= 0.6.1"` + fi + # Put the nasty error message in config.log where it belongs + echo "$INI_CONFIG_V0_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + as_fn_error $? "Please install libini_config-devel" "$LINENO" 5 + + +elif test $pkg_failed = untried; then + + as_fn_error $? "Please install libini_config-devel" "$LINENO" 5 + + +else + INI_CONFIG_V0_CFLAGS=$pkg_cv_INI_CONFIG_V0_CFLAGS + INI_CONFIG_V0_LIBS=$pkg_cv_INI_CONFIG_V0_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + INI_CONFIG_CFLAGS="$INI_CONFIG_V0_CFLAGS" + INI_CONFIG_LIBS="$INI_CONFIG_V0_LIBS" + HAVE_LIBINI_CONFIG_V0=1 + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBINI_CONFIG_V0 1 +_ACEOF + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for INI_CONFIG_V1" >&5 +$as_echo_n "checking for INI_CONFIG_V1... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V1_CFLAGS"; then + pkg_cv_INI_CONFIG_V1_CFLAGS="$INI_CONFIG_V1_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 1.0.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 1.0.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V1_CFLAGS=`$PKG_CONFIG --cflags " + ini_config >= 1.0.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V1_LIBS"; then + pkg_cv_INI_CONFIG_V1_LIBS="$INI_CONFIG_V1_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 1.0.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 1.0.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V1_LIBS=`$PKG_CONFIG --libs " + ini_config >= 1.0.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + INI_CONFIG_V1_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors " + ini_config >= 1.0.0"` + else + INI_CONFIG_V1_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors " + ini_config >= 1.0.0"` + fi + # Put the nasty error message in config.log where it belongs + echo "$INI_CONFIG_V1_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libini_config-devel >= 1.0.0 not available, using older version" >&5 +$as_echo "$as_me: WARNING: libini_config-devel >= 1.0.0 not available, using older version" >&2;} + + +elif test $pkg_failed = untried; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libini_config-devel >= 1.0.0 not available, using older version" >&5 +$as_echo "$as_me: WARNING: libini_config-devel >= 1.0.0 not available, using older version" >&2;} + + +else + INI_CONFIG_V1_CFLAGS=$pkg_cv_INI_CONFIG_V1_CFLAGS + 
INI_CONFIG_V1_LIBS=$pkg_cv_INI_CONFIG_V1_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + INI_CONFIG_CFLAGS="$INI_CONFIG_V1_CFLAGS" + INI_CONFIG_LIBS="$INI_CONFIG_V1_LIBS" + HAVE_LIBINI_CONFIG_V1=1 + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBINI_CONFIG_V1 1 +_ACEOF + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for INI_CONFIG_V1_1" >&5 +$as_echo_n "checking for INI_CONFIG_V1_1... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V1_1_CFLAGS"; then + pkg_cv_INI_CONFIG_V1_1_CFLAGS="$INI_CONFIG_V1_1_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 1.1.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 1.1.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V1_1_CFLAGS=`$PKG_CONFIG --cflags " + ini_config >= 1.1.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V1_1_LIBS"; then + pkg_cv_INI_CONFIG_V1_1_LIBS="$INI_CONFIG_V1_1_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 1.1.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 1.1.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V1_1_LIBS=`$PKG_CONFIG --libs " + ini_config >= 1.1.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + INI_CONFIG_V1_1_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors " + ini_config >= 1.1.0"` + else + INI_CONFIG_V1_1_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors " + ini_config >= 1.1.0"` + fi + # Put the nasty error message in config.log where it belongs + echo "$INI_CONFIG_V1_1_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libini_config-devel >= 1.1.0 not available, using older version" >&5 +$as_echo "$as_me: WARNING: libini_config-devel >= 1.1.0 not available, using older version" >&2;} + + +elif test $pkg_failed = untried; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libini_config-devel >= 1.1.0 not available, using older version" >&5 +$as_echo "$as_me: WARNING: libini_config-devel >= 1.1.0 not available, using older version" >&2;} + + +else + INI_CONFIG_V1_1_CFLAGS=$pkg_cv_INI_CONFIG_V1_1_CFLAGS + INI_CONFIG_V1_1_LIBS=$pkg_cv_INI_CONFIG_V1_1_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + INI_CONFIG_CFLAGS="$INI_CONFIG_V1_1_CFLAGS" + INI_CONFIG_LIBS="$INI_CONFIG_V1_1_LIBS" + HAVE_LIBINI_CONFIG_V1_1=1 + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBINI_CONFIG_V1_1 1 +_ACEOF + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for INI_CONFIG_V1_3" >&5 +$as_echo_n "checking for INI_CONFIG_V1_3... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V1_3_CFLAGS"; then + pkg_cv_INI_CONFIG_V1_3_CFLAGS="$INI_CONFIG_V1_3_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 1.3.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 1.3.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V1_3_CFLAGS=`$PKG_CONFIG --cflags " + ini_config >= 1.3.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$INI_CONFIG_V1_3_LIBS"; then + pkg_cv_INI_CONFIG_V1_3_LIBS="$INI_CONFIG_V1_3_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + ini_config >= 1.3.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + ini_config >= 1.3.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_INI_CONFIG_V1_3_LIBS=`$PKG_CONFIG --libs " + ini_config >= 1.3.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + INI_CONFIG_V1_3_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors " + ini_config >= 1.3.0"` + else + INI_CONFIG_V1_3_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors " + ini_config >= 1.3.0"` + fi + # Put the nasty error message in config.log where it belongs + echo "$INI_CONFIG_V1_3_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libini_config-devel >= 1.3.0 not available, using older version" >&5 +$as_echo "$as_me: WARNING: libini_config-devel >= 1.3.0 not available, using older version" >&2;} + + +elif test $pkg_failed = untried; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libini_config-devel >= 1.3.0 not available, using older version" >&5 +$as_echo "$as_me: WARNING: libini_config-devel >= 1.3.0 not available, using older version" >&2;} + + +else + INI_CONFIG_V1_3_CFLAGS=$pkg_cv_INI_CONFIG_V1_3_CFLAGS + INI_CONFIG_V1_3_LIBS=$pkg_cv_INI_CONFIG_V1_3_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + INI_CONFIG_CFLAGS="$INI_CONFIG_V1_3_CFLAGS" + INI_CONFIG_LIBS="$INI_CONFIG_V1_3_LIBS" + HAVE_LIBINI_CONFIG_V1_3=1 + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBINI_CONFIG_V1_3 1 +_ACEOF + + +fi + +fi + +fi + +fi + + + + + + + +for ac_header in security/pam_appl.h security/pam_modules.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test 
\"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_get_item in -lpam" >&5 +$as_echo_n "checking for pam_get_item in -lpam... " >&6; } +if ${ac_cv_lib_pam_pam_get_item+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpam $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char pam_get_item (); +int +main () +{ +return pam_get_item (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pam_pam_get_item=yes +else + ac_cv_lib_pam_pam_get_item=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_get_item" >&5 +$as_echo "$ac_cv_lib_pam_pam_get_item" >&6; } +if test "x$ac_cv_lib_pam_pam_get_item" = xyes; then : + PAM_LIBS="-lpam" +else + as_fn_error $? "PAM must support pam_get_item" "$LINENO" 5 +fi + +else + as_fn_error $? 
"PAM development libraries not installed" "$LINENO" 5 + +fi + +done + + +for ac_header in security/pam_ext.h security/pam_modutil.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +for ac_header in security/pam_misc.h security/_pam_macros.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +for ac_header in security/openpam.h +do : + ac_fn_c_check_header_compile "$LINENO" "security/openpam.h" "ac_cv_header_security_openpam_h" " + #ifdef HAVE_SECURITY_PAM_APPL_H + #include + #endif + +" +if test "x$ac_cv_header_security_openpam_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SECURITY_OPENPAM_H 1 +_ACEOF + +fi + +done + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for misc_conv in -lpam_misc" >&5 +$as_echo_n "checking for misc_conv in -lpam_misc... " >&6; } +if ${ac_cv_lib_pam_misc_misc_conv+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpam_misc $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char misc_conv (); +int +main () +{ +return misc_conv (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pam_misc_misc_conv=yes +else + ac_cv_lib_pam_misc_misc_conv=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_misc_misc_conv" >&5 +$as_echo "$ac_cv_lib_pam_misc_misc_conv" >&6; } +if test "x$ac_cv_lib_pam_misc_misc_conv" = xyes; then : + PAM_MISC_LIBS="-lpam_misc" +fi + + +save_LIBS="$LIBS" +LIBS="$PAM_LIBS" + +for ac_func in pam_modutil_getlogin pam_vsyslog +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + +LIBS="$save_LIBS" + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GDM_PAM_EXTENSIONS" >&5 +$as_echo_n "checking for GDM_PAM_EXTENSIONS... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$GDM_PAM_EXTENSIONS_CFLAGS"; then + pkg_cv_GDM_PAM_EXTENSIONS_CFLAGS="$GDM_PAM_EXTENSIONS_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gdm-pam-extensions\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gdm-pam-extensions") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_GDM_PAM_EXTENSIONS_CFLAGS=`$PKG_CONFIG --cflags "gdm-pam-extensions" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$GDM_PAM_EXTENSIONS_LIBS"; then + pkg_cv_GDM_PAM_EXTENSIONS_LIBS="$GDM_PAM_EXTENSIONS_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"gdm-pam-extensions\""; } >&5 + ($PKG_CONFIG --exists --print-errors "gdm-pam-extensions") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_GDM_PAM_EXTENSIONS_LIBS=`$PKG_CONFIG --libs "gdm-pam-extensions" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + GDM_PAM_EXTENSIONS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "gdm-pam-extensions"` + else + GDM_PAM_EXTENSIONS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "gdm-pam-extensions"` + fi + # Put the nasty error message in config.log where it belongs + echo "$GDM_PAM_EXTENSIONS_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: gdm-pam-extensions were not found. gdm support +for multiple certificates will not be build. +" >&5 +$as_echo "$as_me: gdm-pam-extensions were not found. gdm support +for multiple certificates will not be build. +" >&6;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: gdm-pam-extensions were not found. gdm support +for multiple certificates will not be build. +" >&5 +$as_echo "$as_me: gdm-pam-extensions were not found. 
gdm support +for multiple certificates will not be build. +" >&6;} +else + GDM_PAM_EXTENSIONS_CFLAGS=$pkg_cv_GDM_PAM_EXTENSIONS_CFLAGS + GDM_PAM_EXTENSIONS_LIBS=$pkg_cv_GDM_PAM_EXTENSIONS_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_gdm_pam_extensions=yes +fi + + + +if test x"$found_gdm_pam_extensions" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_GDM_PAM_EXTENSIONS 1 +_ACEOF + +fi + + +for p in /usr/include/openldap24 /usr/local/include; do + if test -f "${p}/ldap.h"; then + OPENLDAP_CFLAGS="${OPENLDAP_CFLAGS} -I${p}" + break; + fi +done + +for p in /usr/lib64/openldap24 /usr/lib/openldap24 /usr/local/lib ; do + if test -f "${p}/libldap.so"; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -L${p}" + break; + fi +done + +SAVE_CFLAGS=$CFLAGS +SAVE_LIBS=$LIBS +CFLAGS="$CFLAGS $OPENLDAP_CFLAGS" +LIBS="$LIBS $OPENLDAP_LIBS" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_search in -lldap" >&5 +$as_echo_n "checking for ldap_search in -lldap... " >&6; } +if ${ac_cv_lib_ldap_ldap_search+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lldap $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char ldap_search (); +int +main () +{ +return ldap_search (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ldap_ldap_search=yes +else + ac_cv_lib_ldap_ldap_search=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_search" >&5 +$as_echo "$ac_cv_lib_ldap_ldap_search" >&6; } +if test "x$ac_cv_lib_ldap_ldap_search" = xyes; then : + with_ldap=yes +fi + +test "$with_ldap" != "yes" && { { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_open in -lldap" >&5 +$as_echo_n "checking for ldap_open in -lldap... " >&6; } +if ${ac_cv_lib_ldap_ldap_open+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lldap -llber $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ldap_open (); +int +main () +{ +return ldap_open (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ldap_ldap_open=yes +else + ac_cv_lib_ldap_ldap_open=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_open" >&5 +$as_echo "$ac_cv_lib_ldap_ldap_open" >&6; } +if test "x$ac_cv_lib_ldap_ldap_open" = xyes; then : + with_ldap=yes with_ldap_lber=yes +fi + } +test "$with_ldap" != "yes" && { { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_open in -lldap" >&5 +$as_echo_n "checking for ldap_open in -lldap... 
" >&6; } +if ${ac_cv_lib_ldap_ldap_open+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lldap -llber -lkrb $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ldap_open (); +int +main () +{ +return ldap_open (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ldap_ldap_open=yes +else + ac_cv_lib_ldap_ldap_open=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_open" >&5 +$as_echo "$ac_cv_lib_ldap_ldap_open" >&6; } +if test "x$ac_cv_lib_ldap_ldap_open" = xyes; then : + with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes +fi + } +test "$with_ldap" != "yes" && { { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_open in -lldap" >&5 +$as_echo_n "checking for ldap_open in -lldap... " >&6; } +if ${ac_cv_lib_ldap_ldap_open+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lldap -llber -lkrb -ldes $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char ldap_open (); +int +main () +{ +return ldap_open (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_ldap_ldap_open=yes +else + ac_cv_lib_ldap_ldap_open=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_open" >&5 +$as_echo "$ac_cv_lib_ldap_ldap_open" >&6; } +if test "x$ac_cv_lib_ldap_ldap_open" = xyes; then : + with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes +fi + } +CFLAGS=$SAVE_CFLAGS +LIBS=$SAVE_LIBS +test "$with_ldap_lber" != "yes" && { { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ber_pvt_opt_on in -llber" >&5 +$as_echo_n "checking for ber_pvt_opt_on in -llber... " >&6; } +if ${ac_cv_lib_lber_ber_pvt_opt_on+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-llber $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char ber_pvt_opt_on (); +int +main () +{ +return ber_pvt_opt_on (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_lber_ber_pvt_opt_on=yes +else + ac_cv_lib_lber_ber_pvt_opt_on=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_ber_pvt_opt_on" >&5 +$as_echo "$ac_cv_lib_lber_ber_pvt_opt_on" >&6; } +if test "x$ac_cv_lib_lber_ber_pvt_opt_on" = xyes; then : + with_ldap_lber=yes +fi + } + +if test "$with_ldap" = "yes"; then + if test "$with_ldap_des" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes" + fi + if test "$with_ldap_krb" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb" + fi + if test "$with_ldap_lber" = "yes" ; then + OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber" + fi + OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap" +else + as_fn_error $? "OpenLDAP not found" "$LINENO" 5 +fi + + + + +SAVE_CFLAGS=$CFLAGS +SAVE_LIBS=$LIBS +CFLAGS="$CFLAGS $OPENLDAP_CFLAGS" +LIBS="$LIBS $OPENLDAP_LIBS" +for ac_func in ldap_control_create ldap_init_fd \ + ldap_create_deref_control_value \ + ldap_parse_derefresponse_control \ + ldap_derefresponse_free +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +ac_fn_c_check_member "$LINENO" "struct ldap_conncb" "lc_arg" "ac_cv_member_struct_ldap_conncb_lc_arg" "#include +" +if test "x$ac_cv_member_struct_ldap_conncb_lc_arg" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_LDAP_CONNCB_LC_ARG 1 +_ACEOF + +if test "$cross_compiling" = yes; then : + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? 
"cannot run test program while cross compiling +See \`config.log' for more details" "$LINENO" 5; } +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + #include +int +main () +{ + + struct ldap_conncb cb; + return ldap_set_option(NULL, LDAP_OPT_CONNECT_CB, &cb); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + +$as_echo "#define HAVE_LDAP_CONNCB 1" >>confdefs.h + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Found broken callback implementation" >&5 +$as_echo "$as_me: WARNING: Found broken callback implementation" >&2;} +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + +fi + + +ac_fn_c_check_type "$LINENO" "LDAPDerefRes" "ac_cv_type_LDAPDerefRes" "#include +" +if test "x$ac_cv_type_LDAPDerefRes" = xyes; then : + +else + as_fn_error $? "The OpenLDAP version found does not contain the required type LDAPDerefRes" "$LINENO" 5 +fi + + +CFLAGS=$SAVE_CFLAGS +LIBS=$SAVE_LIBS + +# Extract the first word of "slapd", so it can be a program name with args. +set dummy slapd; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_SLAPD+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $SLAPD in + [\\/]* | ?:[\\/]*) + ac_cv_path_SLAPD="$SLAPD" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_SLAPD="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +SLAPD=$ac_cv_path_SLAPD +if test -n "$SLAPD"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SLAPD" >&5 +$as_echo "$SLAPD" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +if test -n "$SLAPD"; then : + HAVE_SLAPD=yes +else + HAVE_SLAPD=no +fi +# Extract the first word of "ldapmodify", so it can be a program name with args. +set dummy ldapmodify; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_HAVE_LDAPMODIFY+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$HAVE_LDAPMODIFY"; then + ac_cv_prog_HAVE_LDAPMODIFY="$HAVE_LDAPMODIFY" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_HAVE_LDAPMODIFY="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_HAVE_LDAPMODIFY" && ac_cv_prog_HAVE_LDAPMODIFY="no" +fi +fi +HAVE_LDAPMODIFY=$ac_cv_prog_HAVE_LDAPMODIFY +if test -n "$HAVE_LDAPMODIFY"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_LDAPMODIFY" >&5 +$as_echo "$HAVE_LDAPMODIFY" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PCRE" >&5 +$as_echo_n "checking for PCRE... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$PCRE_CFLAGS"; then + pkg_cv_PCRE_CFLAGS="$PCRE_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpcre\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libpcre") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_PCRE_CFLAGS=`$PKG_CONFIG --cflags "libpcre" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$PCRE_LIBS"; then + pkg_cv_PCRE_LIBS="$PCRE_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libpcre\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libpcre") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_PCRE_LIBS=`$PKG_CONFIG --libs "libpcre" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + PCRE_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libpcre"` + else + PCRE_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libpcre"` + fi + # Put the nasty error message in config.log where it belongs + echo "$PCRE_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_libpcre=no +elif test $pkg_failed = untried; then + found_libpcre=no +else + PCRE_CFLAGS=$pkg_cv_PCRE_CFLAGS + PCRE_LIBS=$pkg_cv_PCRE_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_libpcre=yes +fi +if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG 
--exists --print-errors \"libpcre >= 7\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libpcre >= 7") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + { $as_echo "$as_me:${as_lineno-$LINENO}: PCRE version is 7 or higher" >&5 +$as_echo "$as_me: PCRE version is 7 or higher" >&6;} +else + { $as_echo "$as_me:${as_lineno-$LINENO}: PCRE version is below 7" >&5 +$as_echo "$as_me: PCRE version is below 7" >&6;} + +$as_echo "#define HAVE_LIBPCRE_LESSER_THAN_7 1" >>confdefs.h + +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_libpcre" != xyes; then : + for ac_header in pcre.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "pcre.h" "ac_cv_header_pcre_h" "$ac_includes_default" +if test "x$ac_cv_header_pcre_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_PCRE_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pcre_compile in -lpcre" >&5 +$as_echo_n "checking for pcre_compile in -lpcre... " >&6; } +if ${ac_cv_lib_pcre_pcre_compile+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lpcre -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char pcre_compile (); +int +main () +{ +return pcre_compile (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_pcre_pcre_compile=yes +else + ac_cv_lib_pcre_pcre_compile=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pcre_pcre_compile" >&5 +$as_echo "$ac_cv_lib_pcre_pcre_compile" >&6; } +if test "x$ac_cv_lib_pcre_pcre_compile" = xyes; then : + PCRE_LIBS="-L$sss_extra_libdir -lpcre" +else + as_fn_error $? "No usable PCRE library found" "$LINENO" 5 +fi + +else + as_fn_error $? "pcre header files are not installed" "$LINENO" 5 +fi + +done + + +fi + + + + +if test x$KRB5_LIBS != x; then + KRB5_PASSED_LIBS=$KRB5_LIBS +fi + +if test x$KRB5_CFLAGS != x; then + KRB5_PASSED_CFLAGS=$KRB5_CFLAGS +fi + +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}krb5-config", so it can be a program name with args. +set dummy ${ac_tool_prefix}krb5-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_KRB5_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $KRB5_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG +if test -n "$KRB5_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5 +$as_echo "$KRB5_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_path_KRB5_CONFIG"; then + ac_pt_KRB5_CONFIG=$KRB5_CONFIG + # Extract the first word of "krb5-config", so it can be a program name with args. +set dummy krb5-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_ac_pt_KRB5_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $ac_pt_KRB5_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_ac_pt_KRB5_CONFIG="$ac_pt_KRB5_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_ac_pt_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +ac_pt_KRB5_CONFIG=$ac_cv_path_ac_pt_KRB5_CONFIG +if test -n "$ac_pt_KRB5_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_pt_KRB5_CONFIG" >&5 +$as_echo "$ac_pt_KRB5_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_pt_KRB5_CONFIG" = x; then + KRB5_CONFIG="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + KRB5_CONFIG=$ac_pt_KRB5_CONFIG + fi +else + KRB5_CONFIG="$ac_cv_path_KRB5_CONFIG" +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working krb5-config" >&5 +$as_echo_n "checking for working krb5-config... " >&6; } +if test -x "$KRB5_CONFIG"; then + KRB5_CFLAGS="`$KRB5_CONFIG --cflags`" + KRB5_LIBS="`$KRB5_CONFIG --libs`" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + if test x$KRB5_PASSED_LIBS = x; then + as_fn_error $? 
"Please install MIT kerberos devel package" "$LINENO" 5 + fi +fi + +if test x$KRB5_PASSED_LIBS != x; then + KRB5_LIBS=$KRB5_PASSED_LIBS +fi + +if test x$KRB5_PASSED_CFLAGS != x; then + KRB5_CFLAGS=$KRB5_PASSED_CFLAGS +fi + + +SAVE_CFLAGS=$CFLAGS +SAVE_LIBS=$LIBS +CFLAGS="$CFLAGS $KRB5_CFLAGS" +LIBS="$LIBS $KRB5_LIBS" +for ac_header in krb5.h krb5/krb5.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + +ac_fn_c_check_type "$LINENO" "krb5_ticket_times" "ac_cv_type_krb5_ticket_times" " #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + +" +if test "x$ac_cv_type_krb5_ticket_times" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_TICKET_TIMES 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "krb5_times" "ac_cv_type_krb5_times" " #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + +" +if test "x$ac_cv_type_krb5_times" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_TIMES 1 +_ACEOF + + +fi +ac_fn_c_check_type "$LINENO" "krb5_trace_info" "ac_cv_type_krb5_trace_info" " #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + +" +if test "x$ac_cv_type_krb5_trace_info" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_TRACE_INFO 1 +_ACEOF + + +fi + +for ac_func in krb5_get_init_creds_opt_alloc krb5_get_error_message \ + krb5_free_unparsed_name \ + krb5_get_init_creds_opt_set_expire_callback \ + krb5_get_init_creds_opt_set_fast_ccache_name \ + krb5_get_init_creds_opt_set_fast_flags \ + krb5_get_init_creds_opt_set_canonicalize \ + krb5_get_init_creds_opt_set_responder \ + krb5_parse_name_flags \ + krb5_unparse_name_flags \ + krb5_get_init_creds_opt_set_change_password_prompt \ + krb5_free_keytab_entry_contents \ + krb5_kt_free_entry \ + 
krb5_princ_realm \ + krb5_get_time_offsets \ + krb5_principal_get_realm \ + krb5_cc_cache_match \ + krb5_timestamp_to_sfstring \ + krb5_set_trace_callback \ + krb5_find_authdata \ + krb5_kt_have_content \ + krb5_cc_get_full_name +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + +CFLAGS=$SAVE_CFLAGS +LIBS=$SAVE_LIBS +CFLAGS="$CFLAGS $KRB5_CFLAGS" +LIBS="$LIBS $KRB5_LIBS" + +if test x$ac_cv_header_krb5_h != xyes -a x$ac_cv_header_krb5_krb5_h != xyes +then + as_fn_error $? "you must have Kerberos 5 header files to build sssd" "$LINENO" 5 +fi + +# Check whether --enable-krb5-locator-plugin was given. +if test "${enable_krb5_locator_plugin+set}" = set; then : + enableval=$enable_krb5_locator_plugin; build_locator=$enableval +else + build_locator=yes +fi + + +ac_fn_c_check_header_compile "$LINENO" "krb5/locate_plugin.h" "ac_cv_header_krb5_locate_plugin_h" " #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + +" +if test "x$ac_cv_header_krb5_locate_plugin_h" = xyes; then : + have_locate_plugin=yes +else + have_locate_plugin=no + { $as_echo "$as_me:${as_lineno-$LINENO}: Kerberos locator plugin cannot be built" >&5 +$as_echo "$as_me: Kerberos locator plugin cannot be built" >&6;} +fi + + + if test x$have_locate_plugin = xyes -a x$build_locator = xyes; then + BUILD_KRB5_LOCATOR_PLUGIN_TRUE= + BUILD_KRB5_LOCATOR_PLUGIN_FALSE='#' +else + BUILD_KRB5_LOCATOR_PLUGIN_TRUE='#' + BUILD_KRB5_LOCATOR_PLUGIN_FALSE= +fi + + +if test -z "$BUILD_KRB5_LOCATOR_PLUGIN_TRUE"; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_LOCATOR_PLUGIN 1 +_ACEOF + +fi + +ac_fn_c_check_header_compile "$LINENO" "krb5/localauth_plugin.h" "ac_cv_header_krb5_localauth_plugin_h" " #ifdef HAVE_KRB5_KRB5_H + #include + #else + #include + #endif + +" +if test 
"x$ac_cv_header_krb5_localauth_plugin_h" = xyes; then : + have_localauth_plugin=yes +else + have_localauth_plugin=no + { $as_echo "$as_me:${as_lineno-$LINENO}: Kerberos localauth plugin cannot be built" >&5 +$as_echo "$as_me: Kerberos localauth plugin cannot be built" >&6;} +fi + + + if test x$have_localauth_plugin = xyes; then + BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE= + BUILD_KRB5_LOCALAUTH_PLUGIN_FALSE='#' +else + BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE='#' + BUILD_KRB5_LOCALAUTH_PLUGIN_FALSE= +fi + + +if test -z "$BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE"; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_KRB5_LOCALAUTH_PLUGIN 1 +_ACEOF + +fi + +CFLAGS=$SAVE_CFLAGS +LIBS=$SAVE_LIBS + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CARES" >&5 +$as_echo_n "checking for CARES... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$CARES_CFLAGS"; then + pkg_cv_CARES_CFLAGS="$CARES_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcares\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libcares") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CARES_CFLAGS=`$PKG_CONFIG --cflags "libcares" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$CARES_LIBS"; then + pkg_cv_CARES_LIBS="$CARES_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcares\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libcares") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CARES_LIBS=`$PKG_CONFIG --libs "libcares" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + CARES_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libcares"` + else + CARES_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libcares"` + fi + # Put the nasty error message in config.log where it belongs + echo "$CARES_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_libcares=no +elif test $pkg_failed = untried; then + found_libcares=no +else + CARES_CFLAGS=$pkg_cv_CARES_CFLAGS + CARES_LIBS=$pkg_cv_CARES_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_libcares=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_libcares" != xyes; then : + for ac_header in ares.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "ares.h" "ac_cv_header_ares_h" "$ac_includes_default" +if test "x$ac_cv_header_ares_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_ARES_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ares_init in -lcares" >&5 +$as_echo_n "checking for ares_init in -lcares... " >&6; } +if ${ac_cv_lib_cares_ares_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcares -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char ares_init (); +int +main () +{ +return ares_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_cares_ares_init=yes +else + ac_cv_lib_cares_ares_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cares_ares_init" >&5 +$as_echo "$ac_cv_lib_cares_ares_init" >&6; } +if test "x$ac_cv_lib_cares_ares_init" = xyes; then : + CARES_LIBS="-L$sss_extra_libdir -lcares" +else + as_fn_error $? "No usable c-ares library found" "$LINENO" 5 +fi + +else + as_fn_error $? "c-ares header files are not installed" "$LINENO" 5 +fi + +done + + +fi + + + + + + + + +# Solaris needs HAVE_LONG_LONG defined +ac_fn_c_check_type "$LINENO" "long long" "ac_cv_type_long_long" "$ac_includes_default" +if test "x$ac_cv_type_long_long" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_LONG_LONG 1 +_ACEOF + + +fi + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of int" >&5 +$as_echo_n "checking size of int... 
" >&6; } +if ${ac_cv_sizeof_int+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (int))" "ac_cv_sizeof_int" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_int" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (int) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_int=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_int" >&5 +$as_echo "$ac_cv_sizeof_int" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_INT $ac_cv_sizeof_int +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of char" >&5 +$as_echo_n "checking size of char... " >&6; } +if ${ac_cv_sizeof_char+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (char))" "ac_cv_sizeof_char" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_char" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (char) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_char=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_char" >&5 +$as_echo "$ac_cv_sizeof_char" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_CHAR $ac_cv_sizeof_char +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. 
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of short" >&5 +$as_echo_n "checking size of short... " >&6; } +if ${ac_cv_sizeof_short+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (short))" "ac_cv_sizeof_short" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_short" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (short) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_short=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_short" >&5 +$as_echo "$ac_cv_sizeof_short" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SHORT $ac_cv_sizeof_short +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 +$as_echo_n "checking size of long... 
" >&6; } +if ${ac_cv_sizeof_long+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_long" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (long) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_long=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 +$as_echo "$ac_cv_sizeof_long" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG $ac_cv_sizeof_long +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of long long" >&5 +$as_echo_n "checking size of long long... 
" >&6; } +if ${ac_cv_sizeof_long_long+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long long))" "ac_cv_sizeof_long_long" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_long_long" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (long long) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_long_long=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long_long" >&5 +$as_echo "$ac_cv_sizeof_long_long" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_LONG_LONG $ac_cv_sizeof_long_long +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of uid_t" >&5 +$as_echo_n "checking size of uid_t... 
" >&6; } +if ${ac_cv_sizeof_uid_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (uid_t))" "ac_cv_sizeof_uid_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_uid_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (uid_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_uid_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_uid_t" >&5 +$as_echo "$ac_cv_sizeof_uid_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_UID_T $ac_cv_sizeof_uid_t +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of gid_t" >&5 +$as_echo_n "checking size of gid_t... " >&6; } +if ${ac_cv_sizeof_gid_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (gid_t))" "ac_cv_sizeof_gid_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_gid_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (gid_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_gid_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_gid_t" >&5 +$as_echo "$ac_cv_sizeof_gid_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_GID_T $ac_cv_sizeof_gid_t +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. 
+# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of id_t" >&5 +$as_echo_n "checking size of id_t... " >&6; } +if ${ac_cv_sizeof_id_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (id_t))" "ac_cv_sizeof_id_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_id_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (id_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_id_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_id_t" >&5 +$as_echo "$ac_cv_sizeof_id_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_ID_T $ac_cv_sizeof_id_t +_ACEOF + + + +if test $ac_cv_sizeof_long_long -lt 8 ; then +as_fn_error $? "SSSD requires long long of 64-bits" "$LINENO" 5 +fi + +ac_fn_c_check_type "$LINENO" "uint_t" "ac_cv_type_uint_t" "$ac_includes_default" +if test "x$ac_cv_type_uint_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uint_t unsigned int +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "$ac_includes_default" +if test "x$ac_cv_type_int8_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define int8_t char +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "uint8_t" "ac_cv_type_uint8_t" "$ac_includes_default" +if test "x$ac_cv_type_uint8_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uint8_t unsigned char +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "$ac_includes_default" +if test "x$ac_cv_type_int16_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define int16_t short +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "uint16_t" "ac_cv_type_uint16_t" "$ac_includes_default" +if test "x$ac_cv_type_uint16_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uint16_t 
unsigned short +_ACEOF + +fi + + +if test $ac_cv_sizeof_int -eq 4 ; then +ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "$ac_includes_default" +if test "x$ac_cv_type_int32_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define int32_t int +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "$ac_includes_default" +if test "x$ac_cv_type_uint32_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uint32_t unsigned int +_ACEOF + +fi + +elif test $ac_cv_size_long -eq 4 ; then +ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "$ac_includes_default" +if test "x$ac_cv_type_int32_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define int32_t long +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "uint32_t" "ac_cv_type_uint32_t" "$ac_includes_default" +if test "x$ac_cv_type_uint32_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uint32_t unsigned long +_ACEOF + +fi + +else +as_fn_error $? "LIBREPLACE no 32-bit type found" "$LINENO" 5 +fi + +ac_fn_c_check_type "$LINENO" "int64_t" "ac_cv_type_int64_t" "$ac_includes_default" +if test "x$ac_cv_type_int64_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define int64_t long long +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "uint64_t" "ac_cv_type_uint64_t" "$ac_includes_default" +if test "x$ac_cv_type_uint64_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uint64_t unsigned long long +_ACEOF + +fi + + +ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" +if test "x$ac_cv_type_size_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define size_t unsigned int +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "ssize_t" "ac_cv_type_ssize_t" "$ac_includes_default" +if test "x$ac_cv_type_ssize_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define ssize_t int +_ACEOF + +fi + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which 
incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of off_t" >&5 +$as_echo_n "checking size of off_t... " >&6; } +if ${ac_cv_sizeof_off_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (off_t))" "ac_cv_sizeof_off_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_off_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (off_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_off_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_off_t" >&5 +$as_echo "$ac_cv_sizeof_off_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_OFF_T $ac_cv_sizeof_off_t +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 +$as_echo_n "checking size of size_t... 
" >&6; } +if ${ac_cv_sizeof_size_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_size_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (size_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_size_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 +$as_echo "$ac_cv_sizeof_size_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t +_ACEOF + + +# The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of ssize_t" >&5 +$as_echo_n "checking size of ssize_t... 
" >&6; } +if ${ac_cv_sizeof_ssize_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (ssize_t))" "ac_cv_sizeof_ssize_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_ssize_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (ssize_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_ssize_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_ssize_t" >&5 +$as_echo "$ac_cv_sizeof_ssize_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_SSIZE_T $ac_cv_sizeof_ssize_t +_ACEOF + + + + +ac_fn_c_check_type "$LINENO" "intptr_t" "ac_cv_type_intptr_t" "$ac_includes_default" +if test "x$ac_cv_type_intptr_t" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_INTPTR_T 1 +_ACEOF + + +else + +cat >>confdefs.h <<_ACEOF +#define intptr_t long long +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "uintptr_t" "ac_cv_type_uintptr_t" "$ac_includes_default" +if test "x$ac_cv_type_uintptr_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define uintptr_t unsigned long long +_ACEOF + +fi + +ac_fn_c_check_type "$LINENO" "ptrdiff_t" "ac_cv_type_ptrdiff_t" "$ac_includes_default" +if test "x$ac_cv_type_ptrdiff_t" = xyes; then : + +else + +cat >>confdefs.h <<_ACEOF +#define ptrdiff_t unsigned long long +_ACEOF + +fi + + + + + + + + + + + + + + + + + + + +# Extract the first word of "nscd", so it can be a program name with args. +set dummy nscd; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_NSCD+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $NSCD in + [\\/]* | ?:[\\/]*) + ac_cv_path_NSCD="$NSCD" # Let the user override the test with a path. 
+ ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_NSCD="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_NSCD" && ac_cv_path_NSCD="$NSCD_PATH" + ;; +esac +fi +NSCD=$ac_cv_path_NSCD +if test -n "$NSCD"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NSCD" >&5 +$as_echo "$NSCD" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nscd" >&5 +$as_echo_n "checking for nscd... " >&6; } + +cat >>confdefs.h <<_ACEOF +#define NSCD_PATH "$NSCD" +_ACEOF + + +if test -x "$NSCD"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not installed, assuming standard location" >&5 +$as_echo "not installed, assuming standard location" >&6; } +fi + +# Extract the first word of "nsupdate", so it can be a program name with args. +set dummy nsupdate; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_NSUPDATE+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $NSUPDATE in + [\\/]* | ?:[\\/]*) + ac_cv_path_NSUPDATE="$NSUPDATE" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_NSUPDATE="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +NSUPDATE=$ac_cv_path_NSUPDATE +if test -n "$NSUPDATE"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NSUPDATE" >&5 +$as_echo "$NSUPDATE" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for executable nsupdate" >&5 +$as_echo_n "checking for executable nsupdate... " >&6; } +if test -x "$NSUPDATE"; then + +cat >>confdefs.h <<_ACEOF +#define NSUPDATE_PATH "$NSUPDATE" +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nsupdate 'realm' support'" >&5 +$as_echo_n "checking for nsupdate 'realm' support'... " >&6; } + if { { $as_echo "$as_me:${as_lineno-$LINENO}: echo realm |\$NSUPDATE >&2"; } >&5 + (echo realm |$NSUPDATE >&2) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<_ACEOF +#define HAVE_NSUPDATE_REALM 1 +_ACEOF + + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Will build without the 'realm' directive" >&5 +$as_echo "$as_me: WARNING: Will build without the 'realm' directive" >&2;} + fi + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? 
"nsupdate is not available" "$LINENO" 5 +fi + + + +for ac_header in keyutils.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "keyutils.h" "ac_cv_header_keyutils_h" "$ac_includes_default" +if test "x$ac_cv_header_keyutils_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_KEYUTILS_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for add_key in -lkeyutils" >&5 +$as_echo_n "checking for add_key in -lkeyutils... " >&6; } +if ${ac_cv_lib_keyutils_add_key+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkeyutils $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char add_key (); +int +main () +{ +return add_key (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_keyutils_add_key=yes +else + ac_cv_lib_keyutils_add_key=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_keyutils_add_key" >&5 +$as_echo "$ac_cv_lib_keyutils_add_key" >&6; } +if test "x$ac_cv_lib_keyutils_add_key" = xyes; then : + +$as_echo "#define USE_KEYRING 1" >>confdefs.h + + KEYUTILS_LIBS="-lkeyutils" + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No usable keyutils library found" >&5 +$as_echo "$as_me: WARNING: No usable keyutils library found" >&2;} + +fi + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: keyutils header files are not available" >&5 +$as_echo "$as_me: WARNING: keyutils header files are not available" >&2;} + +fi + +done + + + + + + + + + +if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"systemd\""; } >&5 + ($PKG_CONFIG 
--exists --print-errors "systemd") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + HAVE_SYSTEMD=yes +else + HAVE_SYSTEMD=no +fi + +if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + HAVE_LIBSYSTEMD=yes +else + HAVE_LIBSYSTEMD=no +fi + +if test x$HAVE_LIBSYSTEMD = xyes; then : + login_lib_name=libsystemd +else + login_lib_name=libsystemd-login +fi + +if test x$HAVE_SYSTEMD = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_SYSTEMD 1 +_ACEOF + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without systemd support" >&5 +$as_echo "$as_me: Build without systemd support" >&6;} +fi + +if test x$HAVE_SYSTEMD = xyes; then : + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_LOGIN" >&5 +$as_echo_n "checking for SYSTEMD_LOGIN... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$SYSTEMD_LOGIN_CFLAGS"; then + pkg_cv_SYSTEMD_LOGIN_CFLAGS="$SYSTEMD_LOGIN_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\$login_lib_name\""; } >&5 + ($PKG_CONFIG --exists --print-errors "$login_lib_name") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_LOGIN_CFLAGS=`$PKG_CONFIG --cflags "$login_lib_name" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$SYSTEMD_LOGIN_LIBS"; then + pkg_cv_SYSTEMD_LOGIN_LIBS="$SYSTEMD_LOGIN_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\$login_lib_name\""; } >&5 + ($PKG_CONFIG --exists --print-errors "$login_lib_name") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_LOGIN_LIBS=`$PKG_CONFIG --libs "$login_lib_name" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SYSTEMD_LOGIN_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$login_lib_name"` + else + SYSTEMD_LOGIN_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$login_lib_name"` + fi + # Put the nasty error message in config.log where it belongs + echo "$SYSTEMD_LOGIN_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without $login_lib_name support" >&5 +$as_echo "$as_me: Build without $login_lib_name support" >&6;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without $login_lib_name support" >&5 +$as_echo "$as_me: Build without $login_lib_name support" >&6;} +else + SYSTEMD_LOGIN_CFLAGS=$pkg_cv_SYSTEMD_LOGIN_CFLAGS + SYSTEMD_LOGIN_LIBS=$pkg_cv_SYSTEMD_LOGIN_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<_ACEOF +#define HAVE_SYSTEMD_LOGIN 1 +_ACEOF 
+ +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without $login_lib_name support" >&5 +$as_echo "$as_me: Build without $login_lib_name support" >&6;} +fi + +if test x$HAVE_LIBSYSTEMD = xyes; then : + daemon_lib_name=libsystemd +else + daemon_lib_name=libsystemd-daemon +fi + +if test x$HAVE_SYSTEMD = xyes; then : + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5 +$as_echo_n "checking for SYSTEMD_DAEMON... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$SYSTEMD_DAEMON_CFLAGS"; then + pkg_cv_SYSTEMD_DAEMON_CFLAGS="$SYSTEMD_DAEMON_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\$daemon_lib_name\""; } >&5 + ($PKG_CONFIG --exists --print-errors "$daemon_lib_name") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_DAEMON_CFLAGS=`$PKG_CONFIG --cflags "$daemon_lib_name" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$SYSTEMD_DAEMON_LIBS"; then + pkg_cv_SYSTEMD_DAEMON_LIBS="$SYSTEMD_DAEMON_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\$daemon_lib_name\""; } >&5 + ($PKG_CONFIG --exists --print-errors "$daemon_lib_name") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_DAEMON_LIBS=`$PKG_CONFIG --libs "$daemon_lib_name" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$daemon_lib_name"` + else + SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$daemon_lib_name"` + fi + # Put the nasty error message in config.log where it belongs + echo "$SYSTEMD_DAEMON_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without $daemon_lib_name support" >&5 +$as_echo "$as_me: Build without $daemon_lib_name support" >&6;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without $daemon_lib_name support" >&5 +$as_echo "$as_me: Build without $daemon_lib_name support" >&6;} +else + SYSTEMD_DAEMON_CFLAGS=$pkg_cv_SYSTEMD_DAEMON_CFLAGS + SYSTEMD_DAEMON_LIBS=$pkg_cv_SYSTEMD_DAEMON_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<_ACEOF +#define HAVE_SYSTEMD_DAEMON 1 +_ACEOF + +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: Build without $daemon_lib_name support" >&5 +$as_echo "$as_me: Build without $daemon_lib_name support" >&6;} +fi + + + +# Check whether --enable-pac-responder was given. +if test "${enable_pac_responder+set}" = set; then : + enableval=$enable_pac_responder; build_pac_responder=$enableval +else + build_pac_responder=yes +fi + + +krb5_version_ok=no +if test x$build_pac_responder = xyes +then + # Extract the first word of "krb5-config", so it can be a program name with args. 
+set dummy krb5-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_KRB5_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $KRB5_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_KRB5_CONFIG="$KRB5_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_KRB5_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +KRB5_CONFIG=$ac_cv_path_KRB5_CONFIG +if test -n "$KRB5_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $KRB5_CONFIG" >&5 +$as_echo "$KRB5_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for supported MIT krb5 version" >&5 +$as_echo_n "checking for supported MIT krb5 version... 
" >&6; } + KRB5_VERSION="`$KRB5_CONFIG --version`" + case $KRB5_VERSION in + Kerberos\ 5\ release\ 1.9* | \ + Kerberos\ 5\ release\ 1.10* | \ + Kerberos\ 5\ release\ 1.11* | \ + Kerberos\ 5\ release\ 1.12* | \ + Kerberos\ 5\ release\ 1.13* | \ + Kerberos\ 5\ release\ 1.14* | \ + Kerberos\ 5\ release\ 1.15* | \ + Kerberos\ 5\ release\ 1.16*) + krb5_version_ok=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + ;; + *) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot build authdata plugin with this version of + MIT Kerberos, please use 1.9.x or later" >&5 +$as_echo "$as_me: WARNING: Cannot build authdata plugin with this version of + MIT Kerberos, please use 1.9.x or later" >&2;} + esac +fi + +if test x$with_samba != xyes +then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot build PAC responder without Samba" >&5 +$as_echo "$as_me: WARNING: Cannot build PAC responder without Samba" >&2;} +fi + + if test x$build_pac_responder = xyes -a x$with_samba = xyes -a x$krb5_version_ok = xyes ; then + BUILD_PAC_RESPONDER_TRUE= + BUILD_PAC_RESPONDER_FALSE='#' +else + BUILD_PAC_RESPONDER_TRUE='#' + BUILD_PAC_RESPONDER_FALSE= +fi + + +if test -z "$BUILD_PAC_RESPONDER_TRUE"; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_PAC_RESPONDER 1 +_ACEOF + +fi + +# Check whether --enable-cifs-idmap-plugin was given. +if test "${enable_cifs_idmap_plugin+set}" = set; then : + enableval=$enable_cifs_idmap_plugin; build_cifs_idmap_plugin=$enableval +else + build_cifs_idmap_plugin=yes +fi + + +if test x$build_cifs_idmap_plugin = xyes; then : + ac_fn_c_check_header_mongrel "$LINENO" "cifsidmap.h" "ac_cv_header_cifsidmap_h" "$ac_includes_default" +if test "x$ac_cv_header_cifsidmap_h" = xyes; then : + +else + as_fn_error $? " +You must have the cifsidmap header installed to build the idmap plugin. 
+If you want to build sssd withoud cifsidmap plugin then specify +--disable-cifs-idmap-plugin when running configure." "$LINENO" 5 +fi + + + +fi + + if test x$build_cifs_idmap_plugin = xyes; then + BUILD_CIFS_IDMAP_PLUGIN_TRUE= + BUILD_CIFS_IDMAP_PLUGIN_FALSE='#' +else + BUILD_CIFS_IDMAP_PLUGIN_TRUE='#' + BUILD_CIFS_IDMAP_PLUGIN_FALSE= +fi + + + +if test -z "$BUILD_CIFS_IDMAP_PLUGIN_TRUE"; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_CIFS_IDMAP_PLUGIN 1 +_ACEOF + +fi + +for ac_func in sigprocmask sigblock sigaction getpgrp prctl +do : + as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` +ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" +if eval test \"x\$"$as_ac_var"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + + + + + + + + + + +if test x"$with_samba" = xyes; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NDR_NBT" >&5 +$as_echo_n "checking for NDR_NBT... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$NDR_NBT_CFLAGS"; then + pkg_cv_NDR_NBT_CFLAGS="$NDR_NBT_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"ndr_nbt\""; } >&5 + ($PKG_CONFIG --exists --print-errors "ndr_nbt") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NDR_NBT_CFLAGS=`$PKG_CONFIG --cflags "ndr_nbt" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$NDR_NBT_LIBS"; then + pkg_cv_NDR_NBT_LIBS="$NDR_NBT_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"ndr_nbt\""; } >&5 + ($PKG_CONFIG --exists --print-errors "ndr_nbt") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NDR_NBT_LIBS=`$PKG_CONFIG --libs "ndr_nbt" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + NDR_NBT_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "ndr_nbt"` + else + NDR_NBT_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "ndr_nbt"` + fi + # Put the nasty error message in config.log where it belongs + echo "$NDR_NBT_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "Please install Samba 4 NDR NBT development libraries. +Samba 4 libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + " "$LINENO" 5 +elif test $pkg_failed = untried; then + as_fn_error $? "Please install Samba 4 NDR NBT development libraries. +Samba 4 libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + " "$LINENO" 5 +else + NDR_NBT_CFLAGS=$pkg_cv_NDR_NBT_CFLAGS + NDR_NBT_LIBS=$pkg_cv_NDR_NBT_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NDR_KRB5PAC" >&5 +$as_echo_n "checking for NDR_KRB5PAC... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$NDR_KRB5PAC_CFLAGS"; then + pkg_cv_NDR_KRB5PAC_CFLAGS="$NDR_KRB5PAC_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"ndr_krb5pac\""; } >&5 + ($PKG_CONFIG --exists --print-errors "ndr_krb5pac") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NDR_KRB5PAC_CFLAGS=`$PKG_CONFIG --cflags "ndr_krb5pac" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$NDR_KRB5PAC_LIBS"; then + pkg_cv_NDR_KRB5PAC_LIBS="$NDR_KRB5PAC_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"ndr_krb5pac\""; } >&5 + ($PKG_CONFIG --exists --print-errors "ndr_krb5pac") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NDR_KRB5PAC_LIBS=`$PKG_CONFIG --libs "ndr_krb5pac" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + NDR_KRB5PAC_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "ndr_krb5pac"` + else + NDR_KRB5PAC_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "ndr_krb5pac"` + fi + # Put the nasty error message in config.log where it belongs + echo "$NDR_KRB5PAC_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "Please install Samba 4 NDR KRB5PAC development libraries. +Samba 4 libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. 
In this case, you will need to execute configure script +with argument --without-samba + " "$LINENO" 5 +elif test $pkg_failed = untried; then + as_fn_error $? "Please install Samba 4 NDR KRB5PAC development libraries. +Samba 4 libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + " "$LINENO" 5 +else + NDR_KRB5PAC_CFLAGS=$pkg_cv_NDR_KRB5PAC_CFLAGS + NDR_KRB5PAC_LIBS=$pkg_cv_NDR_KRB5PAC_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SMBCLIENT" >&5 +$as_echo_n "checking for SMBCLIENT... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$SMBCLIENT_CFLAGS"; then + pkg_cv_SMBCLIENT_CFLAGS="$SMBCLIENT_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"smbclient\""; } >&5 + ($PKG_CONFIG --exists --print-errors "smbclient") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SMBCLIENT_CFLAGS=`$PKG_CONFIG --cflags "smbclient" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$SMBCLIENT_LIBS"; then + pkg_cv_SMBCLIENT_LIBS="$SMBCLIENT_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"smbclient\""; } >&5 + ($PKG_CONFIG --exists --print-errors "smbclient") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SMBCLIENT_LIBS=`$PKG_CONFIG --libs "smbclient" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SMBCLIENT_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "smbclient"` + else + SMBCLIENT_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "smbclient"` + fi + # Put the nasty error message in config.log where it belongs + echo "$SMBCLIENT_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "Please install libsmbclient development libraries. +libsmbclient libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + " "$LINENO" 5 +elif test $pkg_failed = untried; then + as_fn_error $? "Please install libsmbclient development libraries. +libsmbclient libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + " "$LINENO" 5 +else + SMBCLIENT_CFLAGS=$pkg_cv_SMBCLIENT_CFLAGS + SMBCLIENT_LIBS=$pkg_cv_SMBCLIENT_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + + if test x"$HAVE_LIBINI_CONFIG_V1_1" != x1; then + as_fn_error $? "Please install libini_config development libraries +v1.1.0, or newer. libini_config libraries are necessary for building ipa +provider, as well as for building gpo-based access control in ad provider. 
If +you do not want to build these providers it is possible to build SSSD without +them. In this case, you will need to execute configure script with argument +--without-samba + " "$LINENO" 5 + fi + + +# Check whether --with-smb-idmap-interface-version was given. +if test "${with_smb_idmap_interface_version+set}" = set; then : + withval=$with_smb_idmap_interface_version; +fi + + + if test x"$with_smb_idmap_interface_version" != x; then + if test x"$with_smb_idmap_interface_version" = x5 -o x"$with_smb_idmap_interface_version" = x6; then + idmap_test_result=$with_smb_idmap_interface_version + else + as_fn_error $? "Illegal value -$with_smb_idmap_interface_version- for option --with-smb-idmap-interface-version" "$LINENO" 5 + fi + else + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking Samba's idmap plugin interface version" >&5 +$as_echo_n "checking Samba's idmap plugin interface version... " >&6; } + sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba + SAVE_CFLAGS=$CFLAGS + SAVE_LIBS=$LIBS + CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0" + LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}" + if test "$cross_compiling" = yes; then : + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot run test program while cross compiling +See \`config.log' for more details" "$LINENO" 5; } +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#include +#include +#include +#include +#include + +struct winbindd_domain; + +/* overwrite some winbind internal functions */ +struct winbindd_domain *find_domain_from_name(const char *domain_name) +{ + return NULL; +} + +bool get_global_winbindd_state_offline(void) { + return false; +} + +struct tevent_context *winbind_event_context(void) +{ + return NULL; +} + +struct idmap_methods; + +NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods); + +int main(void) +{ + int v; + NTSTATUS ret; + + /* Check the versions we know about */ + for (v = 5; v <= 6; v++) { + ret = smb_register_idmap(v, NULL, NULL); + if (!NT_STATUS_EQUAL(ret, NT_STATUS_OBJECT_TYPE_MISMATCH)) { + return v; + } + } + + return -1; +} +_ACEOF +if ac_fn_c_try_run "$LINENO"; then : + as_fn_error $? "idmap version test program is not expected to return 0" "$LINENO" 5 +else + idmap_test_result=$?; { $as_echo "$as_me:${as_lineno-$LINENO}: result: idmap test result is: $idmap_test_result" >&5 +$as_echo "idmap test result is: $idmap_test_result" >&6; } + +fi +rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ + conftest.$ac_objext conftest.beam conftest.$ac_ext +fi + + fi + + CFLAGS=$SAVE_CFLAGS + LIBS=$SAVE_LIBS + + if test $idmap_test_result -eq 5 -o $idmap_test_result -eq 6 ; then + idmap_version=$idmap_test_result + else + as_fn_error $? 
"Cannot determine Samba's idmap interface version, please use --with-smb-idmap-interface-version" "$LINENO" 5 + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: Samba's idmap interface version: $idmap_version" >&5 +$as_echo "$as_me: Samba's idmap interface version: $idmap_version" >&6;} + +cat >>confdefs.h <<_ACEOF +#define SMB_IDMAP_INTERFACE_VERSION $idmap_version +_ACEOF + +fi + +SAVE_CFLAGS=$CFLAGS +CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0" +ac_fn_c_check_member "$LINENO" "struct PAC_LOGON_INFO" "resource_groups" "ac_cv_member_struct_PAC_LOGON_INFO_resource_groups" " #include + #include + #include +" +if test "x$ac_cv_member_struct_PAC_LOGON_INFO_resource_groups" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_STRUCT_PAC_LOGON_INFO_RESOURCE_GROUPS 1 +_ACEOF + + +fi + +CFLAGS=$SAVE_CFLAGS + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SASL" >&5 +$as_echo_n "checking for SASL... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$SASL_CFLAGS"; then + pkg_cv_SASL_CFLAGS="$SASL_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsasl2\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsasl2") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SASL_CFLAGS=`$PKG_CONFIG --cflags "libsasl2" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$SASL_LIBS"; then + pkg_cv_SASL_LIBS="$SASL_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsasl2\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsasl2") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SASL_LIBS=`$PKG_CONFIG --libs "libsasl2" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SASL_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libsasl2"` + else + SASL_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libsasl2"` + fi + # Put the nasty error message in config.log where it belongs + echo "$SASL_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_sasl=no +elif test $pkg_failed = untried; then + found_sasl=no +else + SASL_CFLAGS=$pkg_cv_SASL_CFLAGS + SASL_LIBS=$pkg_cv_SASL_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_sasl=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_sasl" != xyes; then : + for ac_header in sasl/sasl.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "sasl/sasl.h" "ac_cv_header_sasl_sasl_h" "$ac_includes_default" +if test "x$ac_cv_header_sasl_sasl_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SASL_SASL_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sasl_client_init in -lsasl2" >&5 +$as_echo_n "checking for sasl_client_init in -lsasl2... " >&6; } +if ${ac_cv_lib_sasl2_sasl_client_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsasl2 -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char sasl_client_init (); +int +main () +{ +return sasl_client_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_sasl2_sasl_client_init=yes +else + ac_cv_lib_sasl2_sasl_client_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sasl2_sasl_client_init" >&5 +$as_echo "$ac_cv_lib_sasl2_sasl_client_init" >&6; } +if test "x$ac_cv_lib_sasl2_sasl_client_init" = xyes; then : + SASL_LIBS="-L$sss_extra_libdir -lsasl2" +else + as_fn_error $? "SASL library must support sasl_client_init" "$LINENO" 5 +fi + +else + as_fn_error $? "SASL header files are not installed" "$LINENO" 5 +fi + +done + + +fi + + + + + +if test x"$with_nfsv4_idmap" = xyes; then : + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NFSIDMAP" >&5 +$as_echo_n "checking for NFSIDMAP... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$NFSIDMAP_CFLAGS"; then + pkg_cv_NFSIDMAP_CFLAGS="$NFSIDMAP_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfsidmap\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnfsidmap") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NFSIDMAP_CFLAGS=`$PKG_CONFIG --cflags "libnfsidmap" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$NFSIDMAP_LIBS"; then + pkg_cv_NFSIDMAP_LIBS="$NFSIDMAP_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnfsidmap\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnfsidmap") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NFSIDMAP_LIBS=`$PKG_CONFIG --libs "libnfsidmap" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + NFSIDMAP_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libnfsidmap"` + else + NFSIDMAP_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libnfsidmap"` + fi + # Put the nasty error message in config.log where it belongs + echo "$NFSIDMAP_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_nfsidmap=no +elif test $pkg_failed = untried; then + found_nfsidmap=no +else + NFSIDMAP_CFLAGS=$pkg_cv_NFSIDMAP_CFLAGS + NFSIDMAP_LIBS=$pkg_cv_NFSIDMAP_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_nfsidmap=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + + if test x"$found_nfsidmap" != xyes; then : + ac_fn_c_check_header_mongrel "$LINENO" 
"nfsidmap.h" "ac_cv_header_nfsidmap_h" "$ac_includes_default" +if test "x$ac_cv_header_nfsidmap_h" = xyes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nfs4_init_name_mapping in -lnfsidmap" >&5 +$as_echo_n "checking for nfs4_init_name_mapping in -lnfsidmap... " >&6; } +if ${ac_cv_lib_nfsidmap_nfs4_init_name_mapping+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnfsidmap -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nfs4_init_name_mapping (); +int +main () +{ +return nfs4_init_name_mapping (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nfsidmap_nfs4_init_name_mapping=yes +else + ac_cv_lib_nfsidmap_nfs4_init_name_mapping=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nfsidmap_nfs4_init_name_mapping" >&5 +$as_echo "$ac_cv_lib_nfsidmap_nfs4_init_name_mapping" >&6; } +if test "x$ac_cv_lib_nfsidmap_nfs4_init_name_mapping" = xyes; then : + NFSIDMAP_LIBS="-L$sss_extra_libdir -lnfsidmap" +else + as_fn_error $? "libnfsidmap missing nfs4_init_name_mapping" "$LINENO" 5 +fi + +else + as_fn_error $? "libnfsidmap header files are not installed +If you want to build sssd without nfs idmap pluging then specify +--without-nfsv4-idmapd-plugin when running configure." 
"$LINENO" 5 +fi + + +fi + + for ac_header in nfsidmap_plugin.h +do : + ac_fn_c_check_header_compile "$LINENO" "nfsidmap_plugin.h" "ac_cv_header_nfsidmap_plugin_h" "#ifdef HAVE_STDLIB_H +# include +#endif +#ifdef HAVE_STDINT_H +# include +#endif +#include +" +if test "x$ac_cv_header_nfsidmap_plugin_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NFSIDMAP_PLUGIN_H 1 +_ACEOF + +fi + +done + + +fi + + + + + + + + + + +# Some unit tests require libresolv to fake DNS packets + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ns_name_compress in -lresolv" >&5 +$as_echo_n "checking for ns_name_compress in -lresolv... " >&6; } +if ${ac_cv_lib_resolv_ns_name_compress+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lresolv -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char ns_name_compress (); +int +main () +{ +return ns_name_compress (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_resolv_ns_name_compress=yes +else + ac_cv_lib_resolv_ns_name_compress=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_ns_name_compress" >&5 +$as_echo "$ac_cv_lib_resolv_ns_name_compress" >&6; } +if test "x$ac_cv_lib_resolv_ns_name_compress" = xyes; then : + RESOLV_LIBS="-L$sss_extra_libdir -lresolv" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No libresolv detected, some tests will not run" >&5 +$as_echo "$as_me: WARNING: No libresolv detected, some tests will not run" >&2;} +fi + + + if test x"$RESOLV_LIBS" != "x"; then + HAVE_LIBRESOLV_TRUE= + HAVE_LIBRESOLV_FALSE='#' +else + HAVE_LIBRESOLV_TRUE='#' + HAVE_LIBRESOLV_FALSE= +fi + + +# Extract the first word of "fakeroot", so it can be a program name with args. +set dummy fakeroot; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_HAVE_FAKEROOT+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$HAVE_FAKEROOT"; then + ac_cv_prog_HAVE_FAKEROOT="$HAVE_FAKEROOT" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_HAVE_FAKEROOT="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_HAVE_FAKEROOT" && ac_cv_prog_HAVE_FAKEROOT="no" +fi +fi +HAVE_FAKEROOT=$ac_cv_prog_HAVE_FAKEROOT +if test -n "$HAVE_FAKEROOT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_FAKEROOT" >&5 +$as_echo "$HAVE_FAKEROOT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + +# Extract the first word of "py.test", so it can be a program name with args. +set dummy py.test; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTEST+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTEST in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTEST="$PYTEST" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTEST="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTEST=$ac_cv_path_PYTEST +if test -n "$PYTEST"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTEST" >&5 +$as_echo "$PYTEST" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +if test -n "$PYTEST"; then : + HAVE_PYTEST=yes +else + HAVE_PYTEST=no +fi + + + + + + + if test x"$enable_intgcheck_reqs" = xyes; then + INTG_BUILD_TRUE= + INTG_BUILD_FALSE='#' +else + INTG_BUILD_TRUE='#' + INTG_BUILD_FALSE= +fi + + + + + + + + + +if test x$with_secrets = xyes; then + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for HTTP_PARSER" >&5 +$as_echo_n "checking for HTTP_PARSER... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$HTTP_PARSER_CFLAGS"; then + pkg_cv_HTTP_PARSER_CFLAGS="$HTTP_PARSER_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"http_parser\""; } >&5 + ($PKG_CONFIG --exists --print-errors "http_parser") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_HTTP_PARSER_CFLAGS=`$PKG_CONFIG --cflags "http_parser" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$HTTP_PARSER_LIBS"; then + pkg_cv_HTTP_PARSER_LIBS="$HTTP_PARSER_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"http_parser\""; } >&5 + ($PKG_CONFIG --exists --print-errors "http_parser") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_HTTP_PARSER_LIBS=`$PKG_CONFIG --libs "http_parser" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + HTTP_PARSER_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "http_parser"` + else + HTTP_PARSER_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "http_parser"` + fi + # Put the nasty error message in config.log where it belongs + echo "$HTTP_PARSER_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_http_parser=no +elif test $pkg_failed = untried; then + found_http_parser=no +else + HTTP_PARSER_CFLAGS=$pkg_cv_HTTP_PARSER_CFLAGS + HTTP_PARSER_LIBS=$pkg_cv_HTTP_PARSER_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_http_parser=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_http_parser" != xyes; then : + for ac_header in http_parser.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "http_parser.h" "ac_cv_header_http_parser_h" "$ac_includes_default" +if test "x$ac_cv_header_http_parser_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_HTTP_PARSER_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for http_parser_init in -lhttp_parser_strict" >&5 +$as_echo_n "checking for http_parser_init in -lhttp_parser_strict... 
" >&6; } +if ${ac_cv_lib_http_parser_strict_http_parser_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lhttp_parser_strict -L$sss_extra_libdir -lhttp_parser_strict $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char http_parser_init (); +int +main () +{ +return http_parser_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_http_parser_strict_http_parser_init=yes +else + ac_cv_lib_http_parser_strict_http_parser_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_http_parser_strict_http_parser_init" >&5 +$as_echo "$ac_cv_lib_http_parser_strict_http_parser_init" >&6; } +if test "x$ac_cv_lib_http_parser_strict_http_parser_init" = xyes; then : + HTTP_PARSER_LIBS="-L$sss_extra_libdir -lhttp_parser_strict" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for http_parser_init in -lhttp_parser" >&5 +$as_echo_n "checking for http_parser_init in -lhttp_parser... " >&6; } +if ${ac_cv_lib_http_parser_http_parser_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lhttp_parser -L$sss_extra_libdir -lhttp_parser $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char http_parser_init (); +int +main () +{ +return http_parser_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_http_parser_http_parser_init=yes +else + ac_cv_lib_http_parser_http_parser_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_http_parser_http_parser_init" >&5 +$as_echo "$ac_cv_lib_http_parser_http_parser_init" >&6; } +if test "x$ac_cv_lib_http_parser_http_parser_init" = xyes; then : + HTTP_PARSER_LIBS="-L$sss_extra_libdir -lhttp_parser" +else + as_fn_error $? "libhttp_parser missing http_parser_init" "$LINENO" 5 +fi + + +fi + +else + as_fn_error $? " +You must have the header file http_parser.h installed to build sssd +with secrets responder. If you want to build sssd without secret responder +then specify --without-secrets when running configure." "$LINENO" 5 +fi + +done + +fi + +fi + +if test x$with_kcm = xyes; then + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for UUID" >&5 +$as_echo_n "checking for UUID... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$UUID_CFLAGS"; then + pkg_cv_UUID_CFLAGS="$UUID_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"uuid\""; } >&5 + ($PKG_CONFIG --exists --print-errors "uuid") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_UUID_CFLAGS=`$PKG_CONFIG --cflags "uuid" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$UUID_LIBS"; then + pkg_cv_UUID_LIBS="$UUID_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"uuid\""; } >&5 + ($PKG_CONFIG --exists --print-errors "uuid") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_UUID_LIBS=`$PKG_CONFIG --libs "uuid" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + UUID_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "uuid"` + else + UUID_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "uuid"` + fi + # Put the nasty error message in config.log where it belongs + echo "$UUID_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_uuid=no +elif test $pkg_failed = untried; then + found_uuid=no +else + UUID_CFLAGS=$pkg_cv_UUID_CFLAGS + UUID_LIBS=$pkg_cv_UUID_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_uuid=yes +fi + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_uuid" != xyes; then : + for ac_header in uuid/uuid.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "uuid/uuid.h" "ac_cv_header_uuid_uuid_h" "$ac_includes_default" +if test 
"x$ac_cv_header_uuid_uuid_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_UUID_UUID_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uuid_generate in -luuid" >&5 +$as_echo_n "checking for uuid_generate in -luuid... " >&6; } +if ${ac_cv_lib_uuid_uuid_generate+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-luuid -L$sss_extra_libdir -luuid $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char uuid_generate (); +int +main () +{ +return uuid_generate (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_uuid_uuid_generate=yes +else + ac_cv_lib_uuid_uuid_generate=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uuid_uuid_generate" >&5 +$as_echo "$ac_cv_lib_uuid_uuid_generate" >&6; } +if test "x$ac_cv_lib_uuid_uuid_generate" = xyes; then : + UUID_LIBS="-L$sss_extra_libdir -luuid" +else + as_fn_error $? "libuuid missing uuid_generate" "$LINENO" 5 +fi + +else + as_fn_error $? " +You must have the header file uuid.h installed to build sssd +with KCM responder. If you want to build sssd without KCM responder +then specify --without-kcm when running configure." "$LINENO" 5 +fi + +done + +fi + +fi + +if test x$with_kcm = xyes -o x$with_secrets = xyes; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CURL" >&5 +$as_echo_n "checking for CURL... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$CURL_CFLAGS"; then + pkg_cv_CURL_CFLAGS="$CURL_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcurl\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libcurl") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CURL_CFLAGS=`$PKG_CONFIG --cflags "libcurl" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$CURL_LIBS"; then + pkg_cv_CURL_LIBS="$CURL_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcurl\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libcurl") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CURL_LIBS=`$PKG_CONFIG --libs "libcurl" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + CURL_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libcurl"` + else + CURL_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libcurl"` + fi + # Put the nasty error message in config.log where it belongs + echo "$CURL_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "The libcurl development library was not found. +You must have the header file curl/curl.h installed to build sssd +with secrets and KCM responder. If you want to build sssd without these +responders then specify --without-secrets --without-kcm when running configure. 
+" "$LINENO" 5 +elif test $pkg_failed = untried; then + as_fn_error $? "The libcurl development library was not found. +You must have the header file curl/curl.h installed to build sssd +with secrets and KCM responder. If you want to build sssd without these +responders then specify --without-secrets --without-kcm when running configure. +" "$LINENO" 5 +else + CURL_CFLAGS=$pkg_cv_CURL_CFLAGS + CURL_LIBS=$pkg_cv_CURL_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_libcurl=yes +fi + +if test x"$found_libcurl" = xyes; then : + CFLAGS="$CFLAGS $CURL_CFLAGS" + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking For CURLOPT_UNIX_SOCKET_PATH support in libcurl" >&5 +$as_echo_n "checking For CURLOPT_UNIX_SOCKET_PATH support in libcurl... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include + CURLoption opt = CURLOPT_UNIX_SOCKET_PATH; + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + have_curlopt_unix_sockpath=yes + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + have_curlopt_unix_sockpath=no + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no +elif libcurl support will be disabled" >&5 +$as_echo "no; then : + libcurl support will be disabled" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + CFLAGS=$SAVE_CFLAGS + +fi + + + + + +if test -z "$BUILD_WITH_LIBCURL_TRUE"; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBCURL 1 +_ACEOF + +fi + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for JANSSON" >&5 +$as_echo_n "checking for JANSSON... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$JANSSON_CFLAGS"; then + pkg_cv_JANSSON_CFLAGS="$JANSSON_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"jansson\""; } >&5 + ($PKG_CONFIG --exists --print-errors "jansson") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_JANSSON_CFLAGS=`$PKG_CONFIG --cflags "jansson" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$JANSSON_LIBS"; then + pkg_cv_JANSSON_LIBS="$JANSSON_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"jansson\""; } >&5 + ($PKG_CONFIG --exists --print-errors "jansson") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_JANSSON_LIBS=`$PKG_CONFIG --libs "jansson" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + JANSSON_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "jansson"` + else + JANSSON_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "jansson"` + fi + # Put the nasty error message in config.log where it belongs + echo "$JANSSON_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + found_jansson=no +elif test $pkg_failed = untried; then + found_jansson=no +else + JANSSON_CFLAGS=$pkg_cv_JANSSON_CFLAGS + JANSSON_LIBS=$pkg_cv_JANSSON_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + found_jansson=yes +fi + + + + + acl_save_prefix="$prefix" + 
prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + +if test x"$found_jansson" != xyes; then : + for ac_header in jansson.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "jansson.h" "ac_cv_header_jansson_h" "$ac_includes_default" +if test "x$ac_cv_header_jansson_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_JANSSON_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for jansson_loads in -ljansson" >&5 +$as_echo_n "checking for jansson_loads in -ljansson... " >&6; } +if ${ac_cv_lib_jansson_jansson_loads+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ljansson -L$sss_extra_libdir -ljanson $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char jansson_loads (); +int +main () +{ +return jansson_loads (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_jansson_jansson_loads=yes +else + ac_cv_lib_jansson_jansson_loads=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_jansson_jansson_loads" >&5 +$as_echo "$ac_cv_lib_jansson_jansson_loads" >&6; } +if test "x$ac_cv_lib_jansson_jansson_loads" = xyes; then : + JANSSON_LIBS="-L$sss_extra_libdir -ljansson" +else + as_fn_error $? "libjansson missing jansson_loads" "$LINENO" 5 +fi + +else + as_fn_error $? " +You must have the header file jansson.h installed to build sssd +with secrets and KCM responder. 
If you want to build sssd without these +responders then specify --without-secrets --without-kcm when running configure. +" "$LINENO" 5 +fi + +done + +fi + +fi + +# This variable is defined by external/libcurl.m4, but conditionals +# must be always evaluated + if test x"$have_curlopt_unix_sockpath" = xyes; then + BUILD_WITH_LIBCURL_TRUE= + BUILD_WITH_LIBCURL_FALSE='#' +else + BUILD_WITH_LIBCURL_TRUE='#' + BUILD_WITH_LIBCURL_FALSE= +fi + + + +# Check whether --with-unicode-lib was given. +if test "${with_unicode_lib+set}" = set; then : + withval=$with_unicode_lib; +fi + + unicode_lib="glib2" + if test x"$with_unicode_lib" != x; then + unicode_lib=$with_unicode_lib + fi + + if test x"$unicode_lib" != x"libunistring" -a x"$unicode_lib" != x"glib2"; then + as_fn_error $? "Unsupported Unicode library" "$LINENO" 5 + fi + + if test x"$unicode_lib" = x"libunistring"; then + WITH_LIBUNISTRING_TRUE= + WITH_LIBUNISTRING_FALSE='#' +else + WITH_LIBUNISTRING_TRUE='#' + WITH_LIBUNISTRING_FALSE= +fi + + if test x"$unicode_lib" = x"glib2"; then + WITH_GLIB_TRUE= + WITH_GLIB_FALSE='#' +else + WITH_GLIB_TRUE='#' + WITH_GLIB_FALSE= +fi + + +if test x$unicode_lib = xlibunistring; then + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + + +for ac_header in unistr.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "unistr.h" "ac_cv_header_unistr_h" "$ac_includes_default" +if test "x$ac_cv_header_unistr_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_UNISTR_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u8_strlen in -lunistring" >&5 +$as_echo_n "checking for u8_strlen in -lunistring... 
" >&6; } +if ${ac_cv_lib_unistring_u8_strlen+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lunistring -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char u8_strlen (); +int +main () +{ +return u8_strlen (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_unistring_u8_strlen=yes +else + ac_cv_lib_unistring_u8_strlen=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unistring_u8_strlen" >&5 +$as_echo "$ac_cv_lib_unistring_u8_strlen" >&6; } +if test "x$ac_cv_lib_unistring_u8_strlen" = xyes; then : + UNISTRING_LIBS="-lunistring" +else + as_fn_error $? "No usable libunistring library found" "$LINENO" 5 +fi + +else + as_fn_error $? "libunistring header files are not installed" "$LINENO" 5 + +fi + +done + + +for ac_header in unicase.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "unicase.h" "ac_cv_header_unicase_h" "$ac_includes_default" +if test "x$ac_cv_header_unicase_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_UNICASE_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u8_casecmp in -lunistring" >&5 +$as_echo_n "checking for u8_casecmp in -lunistring... " >&6; } +if ${ac_cv_lib_unistring_u8_casecmp+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lunistring -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. 
+ Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char u8_casecmp (); +int +main () +{ +return u8_casecmp (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_unistring_u8_casecmp=yes +else + ac_cv_lib_unistring_u8_casecmp=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unistring_u8_casecmp" >&5 +$as_echo "$ac_cv_lib_unistring_u8_casecmp" >&6; } +if test "x$ac_cv_lib_unistring_u8_casecmp" = xyes; then : + UNISTRING_LIBS="-lunistring" +else + as_fn_error $? "No usable libunistring library found" "$LINENO" 5 +fi + +else + as_fn_error $? "libunistring header files are not installed" "$LINENO" 5 + +fi + +done + + +for ac_header in unistr.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "unistr.h" "ac_cv_header_unistr_h" "$ac_includes_default" +if test "x$ac_cv_header_unistr_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_UNISTR_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for u8_check in -lunistring" >&5 +$as_echo_n "checking for u8_check in -lunistring... " >&6; } +if ${ac_cv_lib_unistring_u8_check+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lunistring -L$sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char u8_check (); +int +main () +{ +return u8_check (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_unistring_u8_check=yes +else + ac_cv_lib_unistring_u8_check=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unistring_u8_check" >&5 +$as_echo "$ac_cv_lib_unistring_u8_check" >&6; } +if test "x$ac_cv_lib_unistring_u8_check" = xyes; then : + UNISTRING_LIBS="-lunistring" +else + as_fn_error $? "No usable libunistring library found" "$LINENO" 5 +fi + +else + as_fn_error $? "libunistring header files are not installed" "$LINENO" 5 + +fi + +done + + + +UNISTRING_LIBS="-L$sss_extra_libdir $UNISTRING_LIBS " + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBUNISTRING 1 +_ACEOF + + UNICODE_LIBS=$UNISTRING_LIBS +else + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GLIB2" >&5 +$as_echo_n "checking for GLIB2... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$GLIB2_CFLAGS"; then + pkg_cv_GLIB2_CFLAGS="$GLIB2_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "glib-2.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_GLIB2_CFLAGS=`$PKG_CONFIG --cflags "glib-2.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$GLIB2_LIBS"; then + pkg_cv_GLIB2_LIBS="$GLIB2_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"glib-2.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "glib-2.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_GLIB2_LIBS=`$PKG_CONFIG --libs "glib-2.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + GLIB2_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "glib-2.0"` + else + GLIB2_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "glib-2.0"` + fi + # Put the nasty error message in config.log where it belongs + echo "$GLIB2_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (glib-2.0) were not met: + +$GLIB2_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables GLIB2_CFLAGS +and GLIB2_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables GLIB2_CFLAGS +and GLIB2_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . 
+See \`config.log' for more details" "$LINENO" 5; } +else + GLIB2_CFLAGS=$pkg_cv_GLIB2_CFLAGS + GLIB2_LIBS=$pkg_cv_GLIB2_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + +if test x$has_glib2 != xno; then + SAFE_LIBS="$LIBS" + LIBS="$GLIB2_LIBS" + + ac_fn_c_check_func "$LINENO" "g_utf8_validate" "ac_cv_func_g_utf8_validate" +if test "x$ac_cv_func_g_utf8_validate" = xyes; then : + +$as_echo "#define HAVE_G_UTF8_VALIDATE 1" >>confdefs.h + +fi + + LIBS="$SAFE_LIBS" +fi + + +cat >>confdefs.h <<_ACEOF +#define HAVE_GLIB2 1 +_ACEOF + + UNICODE_LIBS=$GLIB2_LIBS +fi + + + +# Check whether --with-libnl was given. +if test "${with_libnl+set}" = set; then : + withval=$with_libnl; +else + with_libnl=yes + +fi + + + if test x"$with_libnl" = xyes; then + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBNL3" >&5 +$as_echo_n "checking for LIBNL3... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL3_CFLAGS"; then + pkg_cv_LIBNL3_CFLAGS="$LIBNL3_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL3_CFLAGS=`$PKG_CONFIG --cflags " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL3_LIBS"; then + pkg_cv_LIBNL3_LIBS="$LIBNL3_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0") 2>&5 + ac_status=$? 
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL3_LIBS=`$PKG_CONFIG --libs " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBNL3_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0"` + else + LIBNL3_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0"` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBNL3_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v3 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v3 support unavailable or too old" >&2;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v3 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v3 support unavailable or too old" >&2;} +else + LIBNL3_CFLAGS=$pkg_cv_LIBNL3_CFLAGS + LIBNL3_LIBS=$pkg_cv_LIBNL3_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + HAVE_LIBNL=1 + HAVE_LIBNL3=1 + + LIBNL_CFLAGS="$LIBNL3_CFLAGS" + LIBNL_LIBS="$LIBNL3_LIBS" + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL 1 +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL3 1 +_ACEOF + + + { $as_echo "$as_me:${as_lineno-$LINENO}: Building with libnl3" >&5 +$as_echo "$as_me: Building with libnl3" >&6;} + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_add_membership in -lnl-3" >&5 +$as_echo_n "checking for nl_socket_add_membership in -lnl-3... 
" >&6; } +if ${ac_cv_lib_nl_3_nl_socket_add_membership+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_add_membership (); +int +main () +{ +return nl_socket_add_membership (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_socket_add_membership=yes +else + ac_cv_lib_nl_3_nl_socket_add_membership=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_socket_add_membership" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_socket_add_membership" >&6; } +if test "x$ac_cv_lib_nl_3_nl_socket_add_membership" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_ADD_MEMBERSHIP 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_modify_cb in -lnl-3" >&5 +$as_echo_n "checking for nl_socket_modify_cb in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_nl_socket_modify_cb+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_modify_cb (); +int +main () +{ +return nl_socket_modify_cb (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_socket_modify_cb=yes +else + ac_cv_lib_nl_3_nl_socket_modify_cb=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_socket_modify_cb" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_socket_modify_cb" >&6; } +if test "x$ac_cv_lib_nl_3_nl_socket_modify_cb" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_MODIFY_CB 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for rtnl_route_get_oif in -lnl-3" >&5 +$as_echo_n "checking for rtnl_route_get_oif in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_rtnl_route_get_oif+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char rtnl_route_get_oif (); +int +main () +{ +return rtnl_route_get_oif (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_rtnl_route_get_oif=yes +else + ac_cv_lib_nl_3_rtnl_route_get_oif=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_rtnl_route_get_oif" >&5 +$as_echo "$ac_cv_lib_nl_3_rtnl_route_get_oif" >&6; } +if test "x$ac_cv_lib_nl_3_rtnl_route_get_oif" = xyes; then : + +$as_echo "#define HAVE_RTNL_ROUTE_GET_OIF 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_set_passcred in -lnl-3" >&5 +$as_echo_n "checking for nl_set_passcred in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_nl_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_set_passcred (); +int +main () +{ +return nl_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_set_passcred=yes +else + ac_cv_lib_nl_3_nl_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_3_nl_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SET_PASSCRED 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_set_passcred in -lnl-3" >&5 +$as_echo_n "checking for nl_socket_set_passcred in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_nl_socket_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_set_passcred (); +int +main () +{ +return nl_socket_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_socket_set_passcred=yes +else + ac_cv_lib_nl_3_nl_socket_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_socket_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_socket_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_3_nl_socket_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_SET_PASSCRED 1" >>confdefs.h + + +fi + + + + +fi + + + + + + if test x"$HAVE_LIBNL" != x1; then + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBNL1" >&5 +$as_echo_n "checking for LIBNL1... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL1_CFLAGS"; then + pkg_cv_LIBNL1_CFLAGS="$LIBNL1_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnl-1 >= 1.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnl-1 >= 1.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL1_CFLAGS=`$PKG_CONFIG --cflags "libnl-1 >= 1.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL1_LIBS"; then + pkg_cv_LIBNL1_LIBS="$LIBNL1_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnl-1 >= 1.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnl-1 >= 1.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL1_LIBS=`$PKG_CONFIG --libs "libnl-1 >= 1.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBNL1_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libnl-1 >= 1.1"` + else + LIBNL1_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libnl-1 >= 1.1"` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBNL1_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v1 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v1 support unavailable or too old" >&2;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v1 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v1 support unavailable or too old" >&2;} +else + LIBNL1_CFLAGS=$pkg_cv_LIBNL1_CFLAGS + LIBNL1_LIBS=$pkg_cv_LIBNL1_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + HAVE_LIBNL=1 + HAVE_LIBNL1=1 + + LIBNL_CFLAGS="$LIBNL1_CFLAGS" + LIBNL_LIBS="$LIBNL1_LIBS" + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL 1 +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL1 1 +_ACEOF + + + { $as_echo "$as_me:${as_lineno-$LINENO}: Building with libnl" >&5 +$as_echo "$as_me: Building with libnl" >&6;} + + for ac_header in netlink.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "netlink.h" "ac_cv_header_netlink_h" "$ac_includes_default" +if test "x$ac_cv_header_netlink_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NETLINK_H 1 +_ACEOF + +fi + +done + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for 
nl_connect in -lnl" >&5 +$as_echo_n "checking for nl_connect in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_connect+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_connect (); +int +main () +{ +return nl_connect (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_connect=yes +else + ac_cv_lib_nl_nl_connect=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_connect" >&5 +$as_echo "$ac_cv_lib_nl_nl_connect" >&6; } +if test "x$ac_cv_lib_nl_nl_connect" = xyes; then : + LIBNL_LIBS="-lnl" +else + as_fn_error $? "libnl is required" "$LINENO" 5 +fi + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_add_membership in -lnl" >&5 +$as_echo_n "checking for nl_socket_add_membership in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_socket_add_membership+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_add_membership (); +int +main () +{ +return nl_socket_add_membership (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_socket_add_membership=yes +else + ac_cv_lib_nl_nl_socket_add_membership=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_socket_add_membership" >&5 +$as_echo "$ac_cv_lib_nl_nl_socket_add_membership" >&6; } +if test "x$ac_cv_lib_nl_nl_socket_add_membership" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_ADD_MEMBERSHIP 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_modify_cb in -lnl" >&5 +$as_echo_n "checking for nl_socket_modify_cb in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_socket_modify_cb+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_modify_cb (); +int +main () +{ +return nl_socket_modify_cb (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_socket_modify_cb=yes +else + ac_cv_lib_nl_nl_socket_modify_cb=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_socket_modify_cb" >&5 +$as_echo "$ac_cv_lib_nl_nl_socket_modify_cb" >&6; } +if test "x$ac_cv_lib_nl_nl_socket_modify_cb" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_MODIFY_CB 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for rtnl_route_get_oif in -lnl" >&5 +$as_echo_n "checking for rtnl_route_get_oif in -lnl... " >&6; } +if ${ac_cv_lib_nl_rtnl_route_get_oif+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char rtnl_route_get_oif (); +int +main () +{ +return rtnl_route_get_oif (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_rtnl_route_get_oif=yes +else + ac_cv_lib_nl_rtnl_route_get_oif=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_rtnl_route_get_oif" >&5 +$as_echo "$ac_cv_lib_nl_rtnl_route_get_oif" >&6; } +if test "x$ac_cv_lib_nl_rtnl_route_get_oif" = xyes; then : + +$as_echo "#define HAVE_RTNL_ROUTE_GET_OIF 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_set_passcred in -lnl" >&5 +$as_echo_n "checking for nl_set_passcred in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_set_passcred (); +int +main () +{ +return nl_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_set_passcred=yes +else + ac_cv_lib_nl_nl_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_nl_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_nl_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SET_PASSCRED 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_set_passcred in -lnl" >&5 +$as_echo_n "checking for nl_socket_set_passcred in -lnl... 
" >&6; } +if ${ac_cv_lib_nl_nl_socket_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_set_passcred (); +int +main () +{ +return nl_socket_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_socket_set_passcred=yes +else + ac_cv_lib_nl_nl_socket_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_socket_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_nl_socket_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_nl_socket_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_SET_PASSCRED 1" >>confdefs.h + + +fi + + + + + +fi + + + + + fi + + if test x"$HAVE_LIBNL" != x1; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Building without netlink" >&5 +$as_echo "$as_me: WARNING: Building without netlink" >&2;} + fi + + elif test x"$with_libnl" = xlibnl3; then + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBNL3" >&5 +$as_echo_n "checking for LIBNL3... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL3_CFLAGS"; then + pkg_cv_LIBNL3_CFLAGS="$LIBNL3_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL3_CFLAGS=`$PKG_CONFIG --cflags " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL3_LIBS"; then + pkg_cv_LIBNL3_LIBS="$LIBNL3_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \" + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL3_LIBS=`$PKG_CONFIG --libs " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBNL3_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0"` + else + LIBNL3_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors " + libnl-3.0 >= 3.0 + libnl-route-3.0 >= 3.0"` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBNL3_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v3 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v3 support unavailable or too old" >&2;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v3 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v3 support unavailable or too old" >&2;} +else + LIBNL3_CFLAGS=$pkg_cv_LIBNL3_CFLAGS + LIBNL3_LIBS=$pkg_cv_LIBNL3_LIBS + { 
$as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + HAVE_LIBNL=1 + HAVE_LIBNL3=1 + + LIBNL_CFLAGS="$LIBNL3_CFLAGS" + LIBNL_LIBS="$LIBNL3_LIBS" + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL 1 +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL3 1 +_ACEOF + + + { $as_echo "$as_me:${as_lineno-$LINENO}: Building with libnl3" >&5 +$as_echo "$as_me: Building with libnl3" >&6;} + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_add_membership in -lnl-3" >&5 +$as_echo_n "checking for nl_socket_add_membership in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_nl_socket_add_membership+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_add_membership (); +int +main () +{ +return nl_socket_add_membership (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_socket_add_membership=yes +else + ac_cv_lib_nl_3_nl_socket_add_membership=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_socket_add_membership" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_socket_add_membership" >&6; } +if test "x$ac_cv_lib_nl_3_nl_socket_add_membership" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_ADD_MEMBERSHIP 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_modify_cb in -lnl-3" >&5 +$as_echo_n "checking for nl_socket_modify_cb in -lnl-3... 
" >&6; } +if ${ac_cv_lib_nl_3_nl_socket_modify_cb+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_modify_cb (); +int +main () +{ +return nl_socket_modify_cb (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_socket_modify_cb=yes +else + ac_cv_lib_nl_3_nl_socket_modify_cb=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_socket_modify_cb" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_socket_modify_cb" >&6; } +if test "x$ac_cv_lib_nl_3_nl_socket_modify_cb" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_MODIFY_CB 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for rtnl_route_get_oif in -lnl-3" >&5 +$as_echo_n "checking for rtnl_route_get_oif in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_rtnl_route_get_oif+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char rtnl_route_get_oif (); +int +main () +{ +return rtnl_route_get_oif (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_rtnl_route_get_oif=yes +else + ac_cv_lib_nl_3_rtnl_route_get_oif=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_rtnl_route_get_oif" >&5 +$as_echo "$ac_cv_lib_nl_3_rtnl_route_get_oif" >&6; } +if test "x$ac_cv_lib_nl_3_rtnl_route_get_oif" = xyes; then : + +$as_echo "#define HAVE_RTNL_ROUTE_GET_OIF 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_set_passcred in -lnl-3" >&5 +$as_echo_n "checking for nl_set_passcred in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_nl_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_set_passcred (); +int +main () +{ +return nl_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_set_passcred=yes +else + ac_cv_lib_nl_3_nl_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_3_nl_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SET_PASSCRED 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_set_passcred in -lnl-3" >&5 +$as_echo_n "checking for nl_socket_set_passcred in -lnl-3... " >&6; } +if ${ac_cv_lib_nl_3_nl_socket_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl-3 $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_set_passcred (); +int +main () +{ +return nl_socket_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_3_nl_socket_set_passcred=yes +else + ac_cv_lib_nl_3_nl_socket_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_3_nl_socket_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_3_nl_socket_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_3_nl_socket_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_SET_PASSCRED 1" >>confdefs.h + + +fi + + + + +fi + + + + + + if test x"$HAVE_LIBNL" != x1; then + as_fn_error $? 
"Libnl3 required, but not available" "$LINENO" 5 + fi + + elif test x"$with_libnl" = xlibnl1; then + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for LIBNL1" >&5 +$as_echo_n "checking for LIBNL1... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL1_CFLAGS"; then + pkg_cv_LIBNL1_CFLAGS="$LIBNL1_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnl-1 >= 1.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnl-1 >= 1.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL1_CFLAGS=`$PKG_CONFIG --cflags "libnl-1 >= 1.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$LIBNL1_LIBS"; then + pkg_cv_LIBNL1_LIBS="$LIBNL1_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libnl-1 >= 1.1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libnl-1 >= 1.1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_LIBNL1_LIBS=`$PKG_CONFIG --libs "libnl-1 >= 1.1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + LIBNL1_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libnl-1 >= 1.1"` + else + LIBNL1_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libnl-1 >= 1.1"` + fi + # Put the nasty error message in config.log where it belongs + echo "$LIBNL1_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v1 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v1 support unavailable or too old" >&2;} +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Netlink v1 support unavailable or too old" >&5 +$as_echo "$as_me: WARNING: Netlink v1 support unavailable or too old" >&2;} +else + LIBNL1_CFLAGS=$pkg_cv_LIBNL1_CFLAGS + LIBNL1_LIBS=$pkg_cv_LIBNL1_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + + + HAVE_LIBNL=1 + HAVE_LIBNL1=1 + + LIBNL_CFLAGS="$LIBNL1_CFLAGS" + LIBNL_LIBS="$LIBNL1_LIBS" + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL 1 +_ACEOF + + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNL1 1 +_ACEOF + + + { $as_echo "$as_me:${as_lineno-$LINENO}: Building with libnl" >&5 +$as_echo "$as_me: Building with libnl" >&6;} + + for ac_header in netlink.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "netlink.h" "ac_cv_header_netlink_h" "$ac_includes_default" +if test "x$ac_cv_header_netlink_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NETLINK_H 1 +_ACEOF + +fi + +done + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for 
nl_connect in -lnl" >&5 +$as_echo_n "checking for nl_connect in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_connect+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_connect (); +int +main () +{ +return nl_connect (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_connect=yes +else + ac_cv_lib_nl_nl_connect=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_connect" >&5 +$as_echo "$ac_cv_lib_nl_nl_connect" >&6; } +if test "x$ac_cv_lib_nl_nl_connect" = xyes; then : + LIBNL_LIBS="-lnl" +else + as_fn_error $? "libnl is required" "$LINENO" 5 +fi + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_add_membership in -lnl" >&5 +$as_echo_n "checking for nl_socket_add_membership in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_socket_add_membership+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_add_membership (); +int +main () +{ +return nl_socket_add_membership (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_socket_add_membership=yes +else + ac_cv_lib_nl_nl_socket_add_membership=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_socket_add_membership" >&5 +$as_echo "$ac_cv_lib_nl_nl_socket_add_membership" >&6; } +if test "x$ac_cv_lib_nl_nl_socket_add_membership" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_ADD_MEMBERSHIP 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_modify_cb in -lnl" >&5 +$as_echo_n "checking for nl_socket_modify_cb in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_socket_modify_cb+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_modify_cb (); +int +main () +{ +return nl_socket_modify_cb (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_socket_modify_cb=yes +else + ac_cv_lib_nl_nl_socket_modify_cb=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_socket_modify_cb" >&5 +$as_echo "$ac_cv_lib_nl_nl_socket_modify_cb" >&6; } +if test "x$ac_cv_lib_nl_nl_socket_modify_cb" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_MODIFY_CB 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for rtnl_route_get_oif in -lnl" >&5 +$as_echo_n "checking for rtnl_route_get_oif in -lnl... " >&6; } +if ${ac_cv_lib_nl_rtnl_route_get_oif+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char rtnl_route_get_oif (); +int +main () +{ +return rtnl_route_get_oif (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_rtnl_route_get_oif=yes +else + ac_cv_lib_nl_rtnl_route_get_oif=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_rtnl_route_get_oif" >&5 +$as_echo "$ac_cv_lib_nl_rtnl_route_get_oif" >&6; } +if test "x$ac_cv_lib_nl_rtnl_route_get_oif" = xyes; then : + +$as_echo "#define HAVE_RTNL_ROUTE_GET_OIF 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_set_passcred in -lnl" >&5 +$as_echo_n "checking for nl_set_passcred in -lnl... " >&6; } +if ${ac_cv_lib_nl_nl_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_set_passcred (); +int +main () +{ +return nl_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_set_passcred=yes +else + ac_cv_lib_nl_nl_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_nl_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_nl_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SET_PASSCRED 1" >>confdefs.h + + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nl_socket_set_passcred in -lnl" >&5 +$as_echo_n "checking for nl_socket_set_passcred in -lnl... 
" >&6; } +if ${ac_cv_lib_nl_nl_socket_set_passcred+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lnl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char nl_socket_set_passcred (); +int +main () +{ +return nl_socket_set_passcred (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_nl_nl_socket_set_passcred=yes +else + ac_cv_lib_nl_nl_socket_set_passcred=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nl_nl_socket_set_passcred" >&5 +$as_echo "$ac_cv_lib_nl_nl_socket_set_passcred" >&6; } +if test "x$ac_cv_lib_nl_nl_socket_set_passcred" = xyes; then : + +$as_echo "#define HAVE_NL_SOCKET_SET_PASSCRED 1" >>confdefs.h + + +fi + + + + + +fi + + + + + + if test x"$HAVE_LIBNL" != x1; then + as_fn_error $? "Libnl required, but not available" "$LINENO" 5 + fi + fi + + +if test x$HAVE_NSCD; then + +# Check whether --with-nscd_conf was given. +if test "${with_nscd_conf+set}" = set; then : + withval=$with_nscd_conf; +fi + + + NSCD_CONF_PATH="/etc/nscd.conf" + if test x"$with_nscd_conf" != x; then + NSCD_CONF_PATH=$with_nscd_conf + fi + +cat >>confdefs.h <<_ACEOF +#define NSCD_CONF_PATH "$NSCD_CONF_PATH" +_ACEOF + + +fi + + +# Check whether --with-initscript was given. +if test "${with_initscript+set}" = set; then : + withval=$with_initscript; +fi + + default_initscript=sysv + if test x"$with_initscript" = x; then + with_initscript=$default_initscript + fi + + if test x"$with_initscript" = xsysv || \ + test x"$with_initscript" = xsystemd; then + initscript=$with_initscript + else + as_fn_error $? 
"Illegal value -$with_initscript- for option --with-initscript" "$LINENO" 5 + fi + + if test x"$initscript" = xsysv; then + HAVE_SYSV_TRUE= + HAVE_SYSV_FALSE='#' +else + HAVE_SYSV_TRUE='#' + HAVE_SYSV_FALSE= +fi + + if test x"$initscript" = xsystemd; then + HAVE_SYSTEMD_UNIT_TRUE= + HAVE_SYSTEMD_UNIT_FALSE='#' +else + HAVE_SYSTEMD_UNIT_TRUE='#' + HAVE_SYSTEMD_UNIT_FALSE= +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: Will use init script type: $initscript" >&5 +$as_echo "$as_me: Will use init script type: $initscript" >&6;} + +if test x$initscript = xsystemd; then + +# Check whether --with-systemdunitdir was given. +if test "${with_systemdunitdir+set}" = set; then : + withval=$with_systemdunitdir; +fi + + if test x"$with_systemdunitdir" != x; then + systemdunitdir=$with_systemdunitdir + else + systemdunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) + if test x"$systemdunitdir" = x; then + as_fn_error $? "Could not detect systemd unit directory" "$LINENO" 5 + fi + fi + + + +# Check whether --with-systemdconfdir was given. +if test "${with_systemdconfdir+set}" = set; then : + withval=$with_systemdconfdir; +fi + + if test x"$with_systemdconfdir" != x; then + systemdconfdir=$with_systemdconfdir + else + systemdconfdir=$($PKG_CONFIG --variable=systemdsystemconfdir systemd) + if test x"$systemdconfdir" = x; then + as_fn_error $? "Could not detect systemd config directory" "$LINENO" 5 + fi + fi + systemdconfdir=$systemdconfdir/sssd.service.d + + +else + # Extract the first word of "service", so it can be a program name with args. +set dummy service; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_SERVICE+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $SERVICE in + [\\/]* | ?:[\\/]*) + ac_cv_path_SERVICE="$SERVICE" # Let the user override the test with a path. 
+ ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_dummy="/sbin:/usr/sbin" +for as_dir in $as_dummy +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_SERVICE="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +SERVICE=$ac_cv_path_SERVICE +if test -n "$SERVICE"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SERVICE" >&5 +$as_echo "$SERVICE" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the executable \"service\"" >&5 +$as_echo_n "checking for the executable \"service\"... " >&6; } + if test -x "$SERVICE"; then + +$as_echo "#define HAVE_SERVICE 1" >>confdefs.h + + +cat >>confdefs.h <<_ACEOF +#define SERVICE_PATH "$SERVICE" +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: the service executable is not available" >&5 +$as_echo "$as_me: WARNING: the service executable is not available" >&2;} + fi + + +fi + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for DBUS" >&5 +$as_echo_n "checking for DBUS... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$DBUS_CFLAGS"; then + pkg_cv_DBUS_CFLAGS="$DBUS_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"dbus-1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "dbus-1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_DBUS_CFLAGS=`$PKG_CONFIG --cflags "dbus-1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$DBUS_LIBS"; then + pkg_cv_DBUS_LIBS="$DBUS_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"dbus-1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "dbus-1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_DBUS_LIBS=`$PKG_CONFIG --libs "dbus-1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + DBUS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "dbus-1"` + else + DBUS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "dbus-1"` + fi + # Put the nasty error message in config.log where it belongs + echo "$DBUS_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (dbus-1) were not met: + +$DBUS_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables DBUS_CFLAGS +and DBUS_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. 
+ +Alternatively, you may set the environment variables DBUS_CFLAGS +and DBUS_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + DBUS_CFLAGS=$pkg_cv_DBUS_CFLAGS + DBUS_LIBS=$pkg_cv_DBUS_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi +if ! $PKG_CONFIG --atleast-version 1.0.0 dbus-1; then + DBUS_CFLAGS="$DBUS_CFLAGS -DDBUS_API_SUBJECT_TO_CHANGE" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: setting -DDBUS_API_SUBJECT_TO_CHANGE" >&5 +$as_echo "setting -DDBUS_API_SUBJECT_TO_CHANGE" >&6; } +fi + +if test x$has_dbus != xno; then + SAFE_LIBS="$LIBS" + LIBS="$DBUS_LIBS" + SAFE_CFLAGS=$CFLAGS + CFLAGS="$CFLAGS $DBUS_CFLAGS" + + ac_fn_c_check_func "$LINENO" "dbus_watch_get_unix_fd" "ac_cv_func_dbus_watch_get_unix_fd" +if test "x$ac_cv_func_dbus_watch_get_unix_fd" = xyes; then : + +$as_echo "#define HAVE_DBUS_WATCH_GET_UNIX_FD 1" >>confdefs.h + +fi + + ac_fn_c_check_type "$LINENO" "DBusBasicValue" "ac_cv_type_DBusBasicValue" " #include +" +if test "x$ac_cv_type_DBusBasicValue" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_DBUSBASICVALUE 1 +_ACEOF + + +fi + + + LIBS="$SAFE_LIBS" + CFLAGS=$SAFE_CFLAGS +fi + +# work around a bug in cov-build from Coverity +test -n "$XML_CATALOG_FILES" || unset XML_CATALOG_FILES + +if test x$HAVE_MANPAGES != x; then + + # Extract the first word of "xsltproc", so it can be a program name with args. +set dummy xsltproc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_XSLTPROC+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $XSLTPROC in + [\\/]* | ?:[\\/]*) + ac_cv_path_XSLTPROC="$XSLTPROC" # Let the user override the test with a path. 
+ ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_XSLTPROC="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +XSLTPROC=$ac_cv_path_XSLTPROC +if test -n "$XSLTPROC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XSLTPROC" >&5 +$as_echo "$XSLTPROC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! -x "$XSLTPROC"; then + as_fn_error $? "Could not find xsltproc" "$LINENO" 5 + fi + + # Extract the first word of "xmllint", so it can be a program name with args. +set dummy xmllint; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_XMLLINT+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $XMLLINT in + [\\/]* | ?:[\\/]*) + ac_cv_path_XMLLINT="$XMLLINT" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_XMLLINT="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +XMLLINT=$ac_cv_path_XMLLINT +if test -n "$XMLLINT"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $XMLLINT" >&5 +$as_echo "$XMLLINT" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! -x "$XMLLINT"; then + as_fn_error $? 
"Could not find xmllint" "$LINENO" 5 + fi + + + DOCBOOK_XSLT=http://docbook.sourceforge.net/release/xsl/current/manpages/profile-docbook.xsl + + as_ac_File=`$as_echo "ac_cv_file_$SGML_CATALOG_FILES" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $SGML_CATALOG_FILES" >&5 +$as_echo_n "checking for $SGML_CATALOG_FILES... " >&6; } +if eval \${$as_ac_File+:} false; then : + $as_echo_n "(cached) " >&6 +else + test "$cross_compiling" = yes && + as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 +if test -r "$SGML_CATALOG_FILES"; then + eval "$as_ac_File=yes" +else + eval "$as_ac_File=no" +fi +fi +eval ac_res=\$$as_ac_File + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_File"\" = x"yes"; then : + +else + as_fn_error $? "could not find XML catalog" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Docbook XSL profiling templates in XML catalog" >&5 +$as_echo_n "checking for Docbook XSL profiling templates in XML catalog... " >&6; } + if { { $as_echo "$as_me:${as_lineno-$LINENO}: \$XSLTPROC --catalogs --nonet --noout \"\$DOCBOOK_XSLT\" >&2"; } >&5 + ($XSLTPROC --catalogs --nonet --noout "$DOCBOOK_XSLT" >&2) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_PROFILE_CATALOGS=1 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Man pages might contain documentation for experimental features" >&5 +$as_echo "$as_me: WARNING: Man pages might contain documentation for experimental features" >&2;} + fi + + + if test x$HAVE_PROFILE_CATALOGS = x; then + DOCBOOK_XSLT=http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl + + as_ac_File=`$as_echo "ac_cv_file_$SGML_CATALOG_FILES" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $SGML_CATALOG_FILES" >&5 +$as_echo_n "checking for $SGML_CATALOG_FILES... " >&6; } +if eval \${$as_ac_File+:} false; then : + $as_echo_n "(cached) " >&6 +else + test "$cross_compiling" = yes && + as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5 +if test -r "$SGML_CATALOG_FILES"; then + eval "$as_ac_File=yes" +else + eval "$as_ac_File=no" +fi +fi +eval ac_res=\$$as_ac_File + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 +$as_echo "$ac_res" >&6; } +if eval test \"x\$"$as_ac_File"\" = x"yes"; then : + +else + as_fn_error $? "could not find XML catalog" "$LINENO" 5 +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Docbook XSL templates in XML catalog" >&5 +$as_echo_n "checking for Docbook XSL templates in XML catalog... " >&6; } + if { { $as_echo "$as_me:${as_lineno-$LINENO}: \$XSLTPROC --catalogs --nonet --noout \"\$DOCBOOK_XSLT\" >&2"; } >&5 + ($XSLTPROC --catalogs --nonet --noout "$DOCBOOK_XSLT" >&2) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "could not find the docbook xsl catalog" "$LINENO" 5 + fi + + fi + + # Extract the first word of "po4a", so it can be a program name with args. +set dummy po4a; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_PO4A+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$PO4A"; then + ac_cv_prog_PO4A="$PO4A" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_PO4A="po4a" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_PO4A" && ac_cv_prog_PO4A="no" +fi +fi +PO4A=$ac_cv_prog_PO4A +if test -n "$PO4A"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PO4A" >&5 +$as_echo "$PO4A" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + +fi + if test "x$HAVE_PROFILE_CATALOGS" != "x"; then + HAVE_PROFILE_CATALOGS_TRUE= + HAVE_PROFILE_CATALOGS_FALSE='#' +else + HAVE_PROFILE_CATALOGS_TRUE='#' + HAVE_PROFILE_CATALOGS_FALSE= +fi + + if test "x$HAVE_MANPAGES" != "x"; then + HAVE_MANPAGES_TRUE= + HAVE_MANPAGES_FALSE='#' +else + HAVE_MANPAGES_TRUE='#' + HAVE_MANPAGES_FALSE= +fi + + if test "x$PO4A" != "xno"; then + HAVE_PO4A_TRUE= + HAVE_PO4A_FALSE='#' +else + HAVE_PO4A_TRUE='#' + HAVE_PO4A_FALSE= +fi + + +# Extract the first word of "python2", so it can be a program name with args. 
+set dummy python2; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_HAVE_PYTHON2+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$HAVE_PYTHON2"; then + ac_cv_prog_HAVE_PYTHON2="$HAVE_PYTHON2" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_HAVE_PYTHON2="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_HAVE_PYTHON2" && ac_cv_prog_HAVE_PYTHON2="no" +fi +fi +HAVE_PYTHON2=$ac_cv_prog_HAVE_PYTHON2 +if test -n "$HAVE_PYTHON2"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_PYTHON2" >&5 +$as_echo "$HAVE_PYTHON2" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +if test x$HAVE_PYTHON2 = xyes; then : + # Extract the first word of "python2", so it can be a program name with args. +set dummy python2; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTHON2+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON2 in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON2="$PYTHON2" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON2="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON2=$ac_cv_path_PYTHON2 +if test -n "$PYTHON2"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON2" >&5 +$as_echo "$PYTHON2" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi + +# Extract the first word of "python3", so it can be a program name with args. +set dummy python3; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_HAVE_PYTHON3+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$HAVE_PYTHON3"; then + ac_cv_prog_HAVE_PYTHON3="$HAVE_PYTHON3" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_HAVE_PYTHON3="yes" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_HAVE_PYTHON3" && ac_cv_prog_HAVE_PYTHON3="no" +fi +fi +HAVE_PYTHON3=$ac_cv_prog_HAVE_PYTHON3 +if test -n "$HAVE_PYTHON3"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $HAVE_PYTHON3" >&5 +$as_echo "$HAVE_PYTHON3" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +if test x$HAVE_PYTHON3 = xyes; then : + # Extract the first word of "python3", so it can be a program name with args. +set dummy python3; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... 
" >&6; } +if ${ac_cv_path_PYTHON3+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON3 in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON3="$PYTHON3" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON3="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON3=$ac_cv_path_PYTHON3 +if test -n "$PYTHON3"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON3" >&5 +$as_echo "$PYTHON3" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi + +if test x$HAVE_PYTHON2_BINDINGS = x1; then + if test x$HAVE_PYTHON2 != xyes; then : + as_fn_error $? " +The program python2 was not found in search path. +Please ensure that it is installed and its directory is included in the search +path. It is required for building python2 bindings. If you do not want to build +them please use argument --without-python2-bindings when running configure." "$LINENO" 5 +fi + + PYTHON=$PYTHON2 + + + + + + + if test -n "$PYTHON"; then + # If the user set $PYTHON, use it and don't search something else. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 2.6" >&5 +$as_echo_n "checking whether $PYTHON version is >= 2.6... " >&6; } + prog="import sys +# split strings by '.' and convert to numeric. Append some zeros +# because we need at least 4 digits for the hex conversion. 
+# map returns an iterator in Python 3.0 and a list in 2.x +minver = list(map(int, '2.6'.split('.'))) + [0, 0, 0] +minverhex = 0 +# xrange is not present in Python 3.0 and range returns an iterator +for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] +sys.exit(sys.hexversion < minverhex)" + if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5 + ($PYTHON -c "$prog") >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "Python interpreter is too old" "$LINENO" 5 +fi + am_display_PYTHON=$PYTHON + else + # Otherwise, try each interpreter until we find one that satisfies + # VERSION. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 2.6" >&5 +$as_echo_n "checking for a Python interpreter with version >= 2.6... " >&6; } +if ${am_cv_pathless_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 +else + + for am_cv_pathless_PYTHON in python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do + test "$am_cv_pathless_PYTHON" = none && break + prog="import sys +# split strings by '.' and convert to numeric. Append some zeros +# because we need at least 4 digits for the hex conversion. +# map returns an iterator in Python 3.0 and a list in 2.x +minver = list(map(int, '2.6'.split('.'))) + [0, 0, 0] +minverhex = 0 +# xrange is not present in Python 3.0 and range returns an iterator +for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] +sys.exit(sys.hexversion < minverhex)" + if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5 + ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then : + break +fi + done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5 +$as_echo "$am_cv_pathless_PYTHON" >&6; } + # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. + if test "$am_cv_pathless_PYTHON" = none; then + PYTHON=: + else + # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args. +set dummy $am_cv_pathless_PYTHON; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON=$ac_cv_path_PYTHON +if test -n "$PYTHON"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 +$as_echo "$PYTHON" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi + am_display_PYTHON=$am_cv_pathless_PYTHON + fi + + + if test "$PYTHON" = :; then + as_fn_error $? "no suitable Python interpreter found" "$LINENO" 5 + else + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5 +$as_echo_n "checking for $am_display_PYTHON version... 
" >&6; } +if ${am_cv_python_version+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 +$as_echo "$am_cv_python_version" >&6; } + PYTHON_VERSION=$am_cv_python_version + + + + PYTHON_PREFIX='${prefix}' + + PYTHON_EXEC_PREFIX='${exec_prefix}' + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5 +$as_echo_n "checking for $am_display_PYTHON platform... " >&6; } +if ${am_cv_python_platform+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"` +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5 +$as_echo "$am_cv_python_platform" >&6; } + PYTHON_PLATFORM=$am_cv_python_platform + + + # Just factor out some code duplication. + am_python_setup_sysconfig="\ +import sys +# Prefer sysconfig over distutils.sysconfig, for better compatibility +# with python 3.x. See automake bug#10227. +try: + import sysconfig +except ImportError: + can_use_sysconfig = 0 +else: + can_use_sysconfig = 1 +# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: +# +try: + from platform import python_implementation + if python_implementation() == 'CPython' and sys.version[:3] == '2.7': + can_use_sysconfig = 0 +except ImportError: + pass" + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5 +$as_echo_n "checking for $am_display_PYTHON script directory... 
" >&6; } +if ${am_cv_python_pythondir+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$prefix" = xNONE + then + am_py_prefix=$ac_default_prefix + else + am_py_prefix=$prefix + fi + am_cv_python_pythondir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pythondir in + $am_py_prefix*) + am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` + am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` + ;; + *) + case $am_py_prefix in + /usr|/System*) ;; + *) + am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5 +$as_echo "$am_cv_python_pythondir" >&6; } + pythondir=$am_cv_python_pythondir + + + + pkgpythondir=\${pythondir}/$PACKAGE + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5 +$as_echo_n "checking for $am_display_PYTHON extension module directory... 
" >&6; } +if ${am_cv_python_pyexecdir+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$exec_prefix" = xNONE + then + am_py_exec_prefix=$am_py_prefix + else + am_py_exec_prefix=$exec_prefix + fi + am_cv_python_pyexecdir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pyexecdir in + $am_py_exec_prefix*) + am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` + am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` + ;; + *) + case $am_py_exec_prefix in + /usr|/System*) ;; + *) + am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5 +$as_echo "$am_cv_python_pyexecdir" >&6; } + pyexecdir=$am_cv_python_pyexecdir + + + + pkgpyexecdir=\${pyexecdir}/$PACKAGE + + + + fi + + + + # Extract the first word of "python$PYTHON_VERSION-config", so it can be a program name with args. +set dummy python$PYTHON_VERSION-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTHON_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON_CONFIG="$PYTHON_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON_CONFIG=$ac_cv_path_PYTHON_CONFIG +if test -n "$PYTHON_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_CONFIG" >&5 +$as_echo "$PYTHON_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x"$PYTHON_CONFIG" = x; then : + as_fn_error $? " +The program python$PYTHON_VERSION-config was not found in search path. +Please ensure that it is installed and its directory is included in the search +path. If you want to build sssd without python2 bindings then specify +--without-python2-bindings when running configure." "$LINENO" 5 +fi + + PYTHON_CFLAGS="` $PYTHON_CONFIG --cflags`" + PYTHON_LIBS="` $PYTHON_CONFIG --libs`" + PYTHON_INCLUDES="` $PYTHON_CONFIG --includes`" + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for headers required to compile python extensions" >&5 +$as_echo_n "checking for headers required to compile python extensions... " >&6; } + + save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found" >&5 +$as_echo "found" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + as_fn_error $? 
"Could not find python2 headers" "$LINENO" 5 +fi +rm -f conftest.err conftest.i conftest.$ac_ext + CPPFLAGS="$save_CPPFLAGS" + + + py2execdir=$pyexecdir + + python2dir=$pythondir + + PYTHON2_CFLAGS=$PYTHON_CFLAGS + + PYTHON2_LIBS=$PYTHON_LIBS + + PYTHON2_INCLUDES=$PYTHON_INCLUDES + + PYTHON2_VERSION=$PYTHON_VERSION + + PYTHON2_PREFIX=$PYTHON_PREFIX + + PYTHON2_EXEC_PREFIX=$PYTHON_EXEC_PREFIX + + + + unset pyexecdir pkgpyexecdir pythondir pgkpythondir + unset PYTHON PYTHON_CFLAGS PYTHON_LIBS PYTHON_INCLUDES + unset PYTHON_PREFIX PYTHON_EXEC_PREFIX PYTHON_VERSION PYTHON_CONFIG + + unset am_cv_pathless_PYTHON ac_cv_path_PYTHON am_cv_python_version + unset am_cv_python_platform am_cv_python_pythondir am_cv_python_pyexecdir + unset ac_cv_path_PYTHON_CONFIG + +fi + +if test x$HAVE_PYTHON3_BINDINGS = x1; then + if test x$HAVE_PYTHON3 != xyes; then : + as_fn_error $? " +The program python3 was not found in search path. +Please ensure that it is installed and its directory is included in the search +path. It is required for building python3 bindings. If you do not want to build +them please use argument --without-python3-bindings when running configure." "$LINENO" 5 +fi + + PYTHON=$PYTHON3 + + + + + + + if test -n "$PYTHON"; then + # If the user set $PYTHON, use it and don't search something else. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $PYTHON version is >= 3.3" >&5 +$as_echo_n "checking whether $PYTHON version is >= 3.3... " >&6; } + prog="import sys +# split strings by '.' and convert to numeric. Append some zeros +# because we need at least 4 digits for the hex conversion. 
+# map returns an iterator in Python 3.0 and a list in 2.x +minver = list(map(int, '3.3'.split('.'))) + [0, 0, 0] +minverhex = 0 +# xrange is not present in Python 3.0 and range returns an iterator +for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] +sys.exit(sys.hexversion < minverhex)" + if { echo "$as_me:$LINENO: $PYTHON -c "$prog"" >&5 + ($PYTHON -c "$prog") >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "Python interpreter is too old" "$LINENO" 5 +fi + am_display_PYTHON=$PYTHON + else + # Otherwise, try each interpreter until we find one that satisfies + # VERSION. + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a Python interpreter with version >= 3.3" >&5 +$as_echo_n "checking for a Python interpreter with version >= 3.3... " >&6; } +if ${am_cv_pathless_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 +else + + for am_cv_pathless_PYTHON in python python2 python3 python3.5 python3.4 python3.3 python3.2 python3.1 python3.0 python2.7 python2.6 python2.5 python2.4 python2.3 python2.2 python2.1 python2.0 none; do + test "$am_cv_pathless_PYTHON" = none && break + prog="import sys +# split strings by '.' and convert to numeric. Append some zeros +# because we need at least 4 digits for the hex conversion. +# map returns an iterator in Python 3.0 and a list in 2.x +minver = list(map(int, '3.3'.split('.'))) + [0, 0, 0] +minverhex = 0 +# xrange is not present in Python 3.0 and range returns an iterator +for i in list(range(0, 4)): minverhex = (minverhex << 8) + minver[i] +sys.exit(sys.hexversion < minverhex)" + if { echo "$as_me:$LINENO: $am_cv_pathless_PYTHON -c "$prog"" >&5 + ($am_cv_pathless_PYTHON -c "$prog") >&5 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; then : + break +fi + done +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_pathless_PYTHON" >&5 +$as_echo "$am_cv_pathless_PYTHON" >&6; } + # Set $PYTHON to the absolute path of $am_cv_pathless_PYTHON. + if test "$am_cv_pathless_PYTHON" = none; then + PYTHON=: + else + # Extract the first word of "$am_cv_pathless_PYTHON", so it can be a program name with args. +set dummy $am_cv_pathless_PYTHON; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTHON+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON="$PYTHON" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON=$ac_cv_path_PYTHON +if test -n "$PYTHON"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 +$as_echo "$PYTHON" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi + am_display_PYTHON=$am_cv_pathless_PYTHON + fi + + + if test "$PYTHON" = :; then + as_fn_error $? "no suitable Python interpreter found" "$LINENO" 5 + else + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON version" >&5 +$as_echo_n "checking for $am_display_PYTHON version... 
" >&6; } +if ${am_cv_python_version+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_python_version=`$PYTHON -c "import sys; sys.stdout.write(sys.version[:3])"` +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_version" >&5 +$as_echo "$am_cv_python_version" >&6; } + PYTHON_VERSION=$am_cv_python_version + + + + PYTHON_PREFIX='${prefix}' + + PYTHON_EXEC_PREFIX='${exec_prefix}' + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON platform" >&5 +$as_echo_n "checking for $am_display_PYTHON platform... " >&6; } +if ${am_cv_python_platform+:} false; then : + $as_echo_n "(cached) " >&6 +else + am_cv_python_platform=`$PYTHON -c "import sys; sys.stdout.write(sys.platform)"` +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_platform" >&5 +$as_echo "$am_cv_python_platform" >&6; } + PYTHON_PLATFORM=$am_cv_python_platform + + + # Just factor out some code duplication. + am_python_setup_sysconfig="\ +import sys +# Prefer sysconfig over distutils.sysconfig, for better compatibility +# with python 3.x. See automake bug#10227. +try: + import sysconfig +except ImportError: + can_use_sysconfig = 0 +else: + can_use_sysconfig = 1 +# Can't use sysconfig in CPython 2.7, since it's broken in virtualenvs: +# +try: + from platform import python_implementation + if python_implementation() == 'CPython' and sys.version[:3] == '2.7': + can_use_sysconfig = 0 +except ImportError: + pass" + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON script directory" >&5 +$as_echo_n "checking for $am_display_PYTHON script directory... 
" >&6; } +if ${am_cv_python_pythondir+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$prefix" = xNONE + then + am_py_prefix=$ac_default_prefix + else + am_py_prefix=$prefix + fi + am_cv_python_pythondir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('purelib', vars={'base':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(0, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pythondir in + $am_py_prefix*) + am__strip_prefix=`echo "$am_py_prefix" | sed 's|.|.|g'` + am_cv_python_pythondir=`echo "$am_cv_python_pythondir" | sed "s,^$am__strip_prefix,$PYTHON_PREFIX,"` + ;; + *) + case $am_py_prefix in + /usr|/System*) ;; + *) + am_cv_python_pythondir=$PYTHON_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pythondir" >&5 +$as_echo "$am_cv_python_pythondir" >&6; } + pythondir=$am_cv_python_pythondir + + + + pkgpythondir=\${pythondir}/$PACKAGE + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $am_display_PYTHON extension module directory" >&5 +$as_echo_n "checking for $am_display_PYTHON extension module directory... 
" >&6; } +if ${am_cv_python_pyexecdir+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test "x$exec_prefix" = xNONE + then + am_py_exec_prefix=$am_py_prefix + else + am_py_exec_prefix=$exec_prefix + fi + am_cv_python_pyexecdir=`$PYTHON -c " +$am_python_setup_sysconfig +if can_use_sysconfig: + sitedir = sysconfig.get_path('platlib', vars={'platbase':'$am_py_prefix'}) +else: + from distutils import sysconfig + sitedir = sysconfig.get_python_lib(1, 0, prefix='$am_py_prefix') +sys.stdout.write(sitedir)"` + case $am_cv_python_pyexecdir in + $am_py_exec_prefix*) + am__strip_prefix=`echo "$am_py_exec_prefix" | sed 's|.|.|g'` + am_cv_python_pyexecdir=`echo "$am_cv_python_pyexecdir" | sed "s,^$am__strip_prefix,$PYTHON_EXEC_PREFIX,"` + ;; + *) + case $am_py_exec_prefix in + /usr|/System*) ;; + *) + am_cv_python_pyexecdir=$PYTHON_EXEC_PREFIX/lib/python$PYTHON_VERSION/site-packages + ;; + esac + ;; + esac + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_python_pyexecdir" >&5 +$as_echo "$am_cv_python_pyexecdir" >&6; } + pyexecdir=$am_cv_python_pyexecdir + + + + pkgpyexecdir=\${pyexecdir}/$PACKAGE + + + + fi + + + + # Extract the first word of "python$PYTHON_VERSION-config", so it can be a program name with args. +set dummy python$PYTHON_VERSION-config; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PYTHON_CONFIG+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PYTHON_CONFIG in + [\\/]* | ?:[\\/]*) + ac_cv_path_PYTHON_CONFIG="$PYTHON_CONFIG" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PYTHON_CONFIG="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PYTHON_CONFIG=$ac_cv_path_PYTHON_CONFIG +if test -n "$PYTHON_CONFIG"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_CONFIG" >&5 +$as_echo "$PYTHON_CONFIG" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x"$PYTHON_CONFIG" = x; then : + as_fn_error $? " +The program python$PYTHON_VERSION-config was not found in search path. +Please ensure that it is installed and its directory is included in the search +path. If you want to build sssd without python3 bindings then specify +--without-python3-bindings when running configure." "$LINENO" 5 +fi + + PYTHON_CFLAGS="` $PYTHON_CONFIG --cflags`" + PYTHON_LIBS="` $PYTHON_CONFIG --libs`" + PYTHON_INCLUDES="` $PYTHON_CONFIG --includes`" + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for headers required to compile python extensions" >&5 +$as_echo_n "checking for headers required to compile python extensions... " >&6; } + + save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found" >&5 +$as_echo "found" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 +$as_echo "not found" >&6; } + as_fn_error $? 
"Could not find python3 headers" "$LINENO" 5 +fi +rm -f conftest.err conftest.i conftest.$ac_ext + CPPFLAGS="$save_CPPFLAGS" + + + py3execdir=$pyexecdir + + python3dir=$pythondir + + PYTHON3_CFLAGS=$PYTHON_CFLAGS + + PYTHON3_LIBS=$PYTHON_LIBS + + PYTHON3_INCLUDES=$PYTHON_INCLUDES + + PYTHON3_VERSION=$PYTHON_VERSION + + PYTHON3_PREFIX=$PYTHON_PREFIX + + PYTHON3_EXEC_PREFIX=$PYTHON_EXEC_PREFIX + + + + unset pyexecdir pkgpyexecdir pythondir pgkpythondir + unset PYTHON PYTHON_CFLAGS PYTHON_LIBS PYTHON_INCLUDES + unset PYTHON_PREFIX PYTHON_EXEC_PREFIX PYTHON_VERSION PYTHON_CONFIG + + unset am_cv_pathless_PYTHON ac_cv_path_PYTHON am_cv_python_version + unset am_cv_python_platform am_cv_python_pythondir am_cv_python_pyexecdir + unset ac_cv_path_PYTHON_CONFIG + +fi + + if test x"$with_python2_bindings" = xyes \ + -o x"$with_python3_bindings" = xyes; then + BUILD_PYTHON_BINDINGS_TRUE= + BUILD_PYTHON_BINDINGS_FALSE='#' +else + BUILD_PYTHON_BINDINGS_TRUE='#' + BUILD_PYTHON_BINDINGS_FALSE= +fi + + + + if test x"$PYTHON2" = x; then + if test -n ""; then + as_fn_error $? "cannot look for ldap module: Python 2 not found" "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: cannot look for ldap module: Python 2 not found" >&5 +$as_echo "$as_me: cannot look for ldap module: Python 2 not found" >&6;} + eval HAVE_PY2MOD_LDAP=no + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking $(basename $PYTHON2) module: ldap" >&5 +$as_echo_n "checking $(basename $PYTHON2) module: ldap... " >&6; } + $PYTHON2 -c "import ldap" 2>/dev/null + if test $? -eq 0; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + eval HAVE_PY2MOD_LDAP=yes + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + eval HAVE_PY2MOD_LDAP=no + # + if test -n "" + then + as_fn_error $? 
"failed to find required module ldap" "$LINENO" 5 + exit 1 + fi + fi + fi + + +if test x$HAVE_SELINUX != x; then + + for ac_header in selinux/selinux.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "selinux/selinux.h" "ac_cv_header_selinux_selinux_h" "$ac_includes_default" +if test "x$ac_cv_header_selinux_selinux_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SELINUX_SELINUX_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for is_selinux_enabled in -lselinux" >&5 +$as_echo_n "checking for is_selinux_enabled in -lselinux... " >&6; } +if ${ac_cv_lib_selinux_is_selinux_enabled+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lselinux $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char is_selinux_enabled (); +int +main () +{ +return is_selinux_enabled (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_selinux_is_selinux_enabled=yes +else + ac_cv_lib_selinux_is_selinux_enabled=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_selinux_is_selinux_enabled" >&5 +$as_echo "$ac_cv_lib_selinux_is_selinux_enabled" >&6; } +if test "x$ac_cv_lib_selinux_is_selinux_enabled" = xyes; then : + SELINUX_LIBS="-lselinux" +else + as_fn_error $? "SELinux library is missing" "$LINENO" 5 + +fi + + +else + as_fn_error $? 
"SELinux headers are missing" "$LINENO" 5 +fi + +done + + + +fi + +if test x$HAVE_SEMANAGE != x -a x$HAVE_SELINUX != x; then + + for ac_header in semanage/semanage.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "semanage/semanage.h" "ac_cv_header_semanage_semanage_h" "$ac_includes_default" +if test "x$ac_cv_header_semanage_semanage_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SEMANAGE_SEMANAGE_H 1 +_ACEOF + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for semanage_handle_create in -lsemanage" >&5 +$as_echo_n "checking for semanage_handle_create in -lsemanage... " >&6; } +if ${ac_cv_lib_semanage_semanage_handle_create+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lsemanage $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char semanage_handle_create (); +int +main () +{ +return semanage_handle_create (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_semanage_semanage_handle_create=yes +else + ac_cv_lib_semanage_semanage_handle_create=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_semanage_semanage_handle_create" >&5 +$as_echo "$ac_cv_lib_semanage_semanage_handle_create" >&6; } +if test "x$ac_cv_lib_semanage_semanage_handle_create" = xyes; then : + SEMANAGE_LIBS="-lsemanage" +else + as_fn_error $? "libsemanage is missing" "$LINENO" 5 + +fi + + +else + as_fn_error $? 
"libsemanage is missing" "$LINENO" 5 +fi + +done + + + +fi + +if test x$syslog = xjournald; then + + if test x$HAVE_LIBSYSTEMD = xyes; then : + journal_lib_name=libsystemd +else + journal_lib_name=libsystemd-journal +fi + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for JOURNALD" >&5 +$as_echo_n "checking for JOURNALD... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$JOURNALD_CFLAGS"; then + pkg_cv_JOURNALD_CFLAGS="$JOURNALD_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\$journal_lib_name\""; } >&5 + ($PKG_CONFIG --exists --print-errors "$journal_lib_name") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_JOURNALD_CFLAGS=`$PKG_CONFIG --cflags "$journal_lib_name" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$JOURNALD_LIBS"; then + pkg_cv_JOURNALD_LIBS="$JOURNALD_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"\$journal_lib_name\""; } >&5 + ($PKG_CONFIG --exists --print-errors "$journal_lib_name") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_JOURNALD_LIBS=`$PKG_CONFIG --libs "$journal_lib_name" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + JOURNALD_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$journal_lib_name"` + else + JOURNALD_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$journal_lib_name"` + fi + # Put the nasty error message in config.log where it belongs + echo "$JOURNALD_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements ($journal_lib_name) were not met: + +$JOURNALD_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables JOURNALD_CFLAGS +and JOURNALD_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables JOURNALD_CFLAGS +and JOURNALD_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . 
+See \`config.log' for more details" "$LINENO" 5; } +else + JOURNALD_CFLAGS=$pkg_cv_JOURNALD_CFLAGS + JOURNALD_LIBS=$pkg_cv_JOURNALD_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +cat >>confdefs.h <<_ACEOF +#define WITH_JOURNALD 1 +_ACEOF + +fi + + + +fi + +if test x$cryptolib = xnss; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for NSS" >&5 +$as_echo_n "checking for NSS... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$NSS_CFLAGS"; then + pkg_cv_NSS_CFLAGS="$NSS_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss\""; } >&5 + ($PKG_CONFIG --exists --print-errors "nss") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NSS_CFLAGS=`$PKG_CONFIG --cflags "nss" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$NSS_LIBS"; then + pkg_cv_NSS_LIBS="$NSS_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss\""; } >&5 + ($PKG_CONFIG --exists --print-errors "nss") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_NSS_LIBS=`$PKG_CONFIG --libs "nss" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + NSS_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "nss"` + else + NSS_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "nss"` + fi + # Put the nasty error message in config.log where it belongs + echo "$NSS_PKG_ERRORS" >&5 + + as_fn_error $? 
"Package requirements (nss) were not met: + +$NSS_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables NSS_CFLAGS +and NSS_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables NSS_CFLAGS +and NSS_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + NSS_CFLAGS=$pkg_cv_NSS_CFLAGS + NSS_LIBS=$pkg_cv_NSS_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_NSS 1 +_ACEOF + + +fi + +if test x$cryptolib = xlibcrypto; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CRYPTO" >&5 +$as_echo_n "checking for CRYPTO... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$CRYPTO_CFLAGS"; then + pkg_cv_CRYPTO_CFLAGS="$CRYPTO_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcrypto\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libcrypto") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CRYPTO_CFLAGS=`$PKG_CONFIG --cflags "libcrypto" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$CRYPTO_LIBS"; then + pkg_cv_CRYPTO_LIBS="$CRYPTO_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libcrypto\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libcrypto") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CRYPTO_LIBS=`$PKG_CONFIG --libs "libcrypto" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + CRYPTO_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libcrypto"` + else + CRYPTO_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libcrypto"` + fi + # Put the nasty error message in config.log where it belongs + echo "$CRYPTO_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (libcrypto) were not met: + +$CRYPTO_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables CRYPTO_CFLAGS +and CRYPTO_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. 
+ +Alternatively, you may set the environment variables CRYPTO_CFLAGS +and CRYPTO_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + CRYPTO_CFLAGS=$pkg_cv_CRYPTO_CFLAGS + CRYPTO_LIBS=$pkg_cv_CRYPTO_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5 +$as_echo_n "checking for SSL... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$SSL_CFLAGS"; then + pkg_cv_SSL_CFLAGS="$SSL_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libssl\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libssl") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SSL_CFLAGS=`$PKG_CONFIG --cflags "libssl" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$SSL_LIBS"; then + pkg_cv_SSL_LIBS="$SSL_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libssl\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libssl") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SSL_LIBS=`$PKG_CONFIG --libs "libssl" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SSL_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "libssl"` + else + SSL_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "libssl"` + fi + # Put the nasty error message in config.log where it belongs + echo "$SSL_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (libssl) were not met: + +$SSL_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables SSL_CFLAGS +and SSL_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables SSL_CFLAGS +and SSL_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + SSL_CFLAGS=$pkg_cv_SSL_CFLAGS + SSL_LIBS=$pkg_cv_SSL_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_LIBCRYPTO 1 +_ACEOF + + + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for P11_KIT" >&5 +$as_echo_n "checking for P11_KIT... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$P11_KIT_CFLAGS"; then + pkg_cv_P11_KIT_CFLAGS="$P11_KIT_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"p11-kit-1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "p11-kit-1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_P11_KIT_CFLAGS=`$PKG_CONFIG --cflags "p11-kit-1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$P11_KIT_LIBS"; then + pkg_cv_P11_KIT_LIBS="$P11_KIT_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"p11-kit-1\""; } >&5 + ($PKG_CONFIG --exists --print-errors "p11-kit-1") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_P11_KIT_LIBS=`$PKG_CONFIG --libs "p11-kit-1" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + P11_KIT_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "p11-kit-1"` + else + P11_KIT_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "p11-kit-1"` + fi + # Put the nasty error message in config.log where it belongs + echo "$P11_KIT_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (p11-kit-1) were not met: + +$P11_KIT_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables P11_KIT_CFLAGS +and P11_KIT_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. 
+" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables P11_KIT_CFLAGS +and P11_KIT_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5; } +else + P11_KIT_CFLAGS=$pkg_cv_P11_KIT_CFLAGS + P11_KIT_LIBS=$pkg_cv_P11_KIT_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + : +fi + +fi + + + for ac_header in sys/inotify.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "sys/inotify.h" "ac_cv_header_sys_inotify_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_inotify_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_INOTIFY_H 1 +_ACEOF + +fi + +done + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether sys/inotify.h actually works" >&5 +$as_echo_n "checking whether sys/inotify.h actually works... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +#ifdef HAVE_SYS_INOTIFY_H +#include +#endif +int main () { + return (-1 == inotify_init()); +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; }; inotify_works=yes +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + + + + acl_save_prefix="$prefix" + prefix="$acl_final_prefix" + acl_save_exec_prefix="$exec_prefix" + exec_prefix="$acl_final_exec_prefix" + + eval additional_libdir=\"$libdir\" + + exec_prefix="$acl_save_exec_prefix" + prefix="$acl_save_prefix" + + sss_extra_libdir="$additional_libdir" + + if test x"$inotify_works" != xyes; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inotify_init in -linotify" >&5 +$as_echo_n "checking for inotify_init in -linotify... " >&6; } +if ${ac_cv_lib_inotify_inotify_init+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-linotify $sss_extra_libdir $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. 
*/ +#ifdef __cplusplus +extern "C" +#endif +char inotify_init (); +int +main () +{ +return inotify_init (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_inotify_inotify_init=yes +else + ac_cv_lib_inotify_inotify_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_inotify_inotify_init" >&5 +$as_echo "$ac_cv_lib_inotify_inotify_init" >&6; } +if test "x$ac_cv_lib_inotify_inotify_init" = xyes; then : + INOTIFY_LIBS="$sss_extra_libdir -linotify" + inotify_works=yes +else + inotify_works=no +fi + + +fi + + if test x"$inotify_works" = xyes; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_INOTIFY 1 +_ACEOF + +fi + + + if test x"$inotify_works" = xyes; then + HAVE_INOTIFY_TRUE= + HAVE_INOTIFY_FALSE='#' +else + HAVE_INOTIFY_TRUE='#' + HAVE_INOTIFY_FALSE= +fi + + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __attribute__((destructor))" >&5 +$as_echo_n "checking whether compiler supports __attribute__((destructor))... " >&6; } +if ${sss_client_cv_attribute_destructor+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +__attribute__((destructor)) static void cleanup(void) { } +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + sss_client_cv_attribute_destructor=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sss_client_cv_attribute_destructor" >&5 +$as_echo "$sss_client_cv_attribute_destructor" >&6; } + +if test x"$sss_client_cv_attribute_destructor" = xyes ; then + +$as_echo "#define HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __attribute__((format))" >&5 +$as_echo_n "checking whether compiler supports __attribute__((format))... 
" >&6; } +if ${sss_cv_attribute_format+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +void debug_fn(const char *format, ...) __attribute__ ((format (printf, 1, 2))); + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + sss_cv_attribute_format=yes +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: compiler does NOT support __attribute__((format))" >&5 +$as_echo "$as_me: WARNING: compiler does NOT support __attribute__((format))" >&2;} + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sss_cv_attribute_format" >&5 +$as_echo "$sss_cv_attribute_format" >&6; } + +if test x"$sss_cv_attribute_format" = xyes ; then + +$as_echo "#define HAVE_FUNCTION_ATTRIBUTE_FORMAT 1" >>confdefs.h + +fi + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __attribute__((warn_unused_result))" >&5 +$as_echo_n "checking whether compiler supports __attribute__((warn_unused_result))... " >&6; } +if ${sss_cv_attribute_warn_unused_result+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + char _check_leaks(int bytes) __attribute__ ((warn_unused_result)); + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + sss_cv_attribute_warn_unused_result=yes +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: compiler does NOT support __attribute__((warn_unused_result))" >&5 +$as_echo "$as_me: WARNING: compiler does NOT support __attribute__((warn_unused_result))" >&2;} + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sss_cv_attribute_warn_unused_result" >&5 +$as_echo "$sss_cv_attribute_warn_unused_result" >&6; } +if test x"$sss_cv_attribute_warn_unused_result" = xyes ; then + +$as_echo "#define HAVE_FUNCTION_ATTRIBUTE_WARN_UNUSED_RESULT 1" >>confdefs.h + +fi + +SAFE_CFLAGS=$CFLAGS +CFLAGS="-Werror" +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler supports __attribute__((fallthrough))" >&5 +$as_echo_n "checking whether compiler supports __attribute__((fallthrough))... " >&6; } +if ${sss_cv_attribute_fallthrough+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + __attribute__ ((fallthrough)); + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + sss_cv_attribute_fallthrough=yes + sss_cv_attribute_fallthrough_val="__attribute__ ((fallthrough))" + +else + + sss_cv_attribute_fallthrough=no + sss_cv_attribute_fallthrough_val="((void)0)" + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sss_cv_attribute_fallthrough" >&5 +$as_echo "$sss_cv_attribute_fallthrough" >&6; } +CFLAGS=$SAFE_CFLAGS + + +cat >>confdefs.h <<_ACEOF +#define SSS_ATTRIBUTE_FALLTHROUGH $sss_cv_attribute_fallthrough_val +_ACEOF + + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CHECK" >&5 +$as_echo_n "checking for CHECK... 
" >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$CHECK_CFLAGS"; then + pkg_cv_CHECK_CFLAGS="$CHECK_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.5\""; } >&5 + ($PKG_CONFIG --exists --print-errors "check >= 0.9.5") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CHECK_CFLAGS=`$PKG_CONFIG --cflags "check >= 0.9.5" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$CHECK_LIBS"; then + pkg_cv_CHECK_LIBS="$CHECK_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"check >= 0.9.5\""; } >&5 + ($PKG_CONFIG --exists --print-errors "check >= 0.9.5") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CHECK_LIBS=`$PKG_CONFIG --libs "check >= 0.9.5" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + CHECK_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "check >= 0.9.5"` + else + CHECK_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "check >= 0.9.5"` + fi + # Put the nasty error message in config.log where it belongs + echo "$CHECK_PKG_ERRORS" >&5 + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + have_check= +elif test $pkg_failed = untried; then + have_check= +else + CHECK_CFLAGS=$pkg_cv_CHECK_CFLAGS + CHECK_LIBS=$pkg_cv_CHECK_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + have_check=1 +fi +if test x$have_check = x; then + { 
$as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite" >&5 +$as_echo "$as_me: WARNING: Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite" >&2;} +else + for ac_header in check.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "check.h" "ac_cv_header_check_h" "$ac_includes_default" +if test "x$ac_cv_header_check_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_CHECK_H 1 +_ACEOF + +else + as_fn_error $? "Could not find CHECK headers" "$LINENO" 5 +fi + +done + +fi + +# Extract the first word of "doxygen", so it can be a program name with args. +set dummy doxygen; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_DOXYGEN+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $DOXYGEN in + [\\/]* | ?:[\\/]*) + ac_cv_path_DOXYGEN="$DOXYGEN" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_DOXYGEN="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_path_DOXYGEN" && ac_cv_path_DOXYGEN="false" + ;; +esac +fi +DOXYGEN=$ac_cv_path_DOXYGEN +if test -n "$DOXYGEN"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DOXYGEN" >&5 +$as_echo "$DOXYGEN" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test x$DOXYGEN != xfalse ; then + HAVE_DOXYGEN_TRUE= + HAVE_DOXYGEN_FALSE='#' +else + HAVE_DOXYGEN_TRUE='#' + HAVE_DOXYGEN_FALSE= +fi + + + if test x$have_check != x; then + HAVE_CHECK_TRUE= + HAVE_CHECK_FALSE='#' +else + HAVE_CHECK_TRUE='#' + HAVE_CHECK_FALSE= +fi + + + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka >= 1.0.0\""; } >&5 + ($PKG_CONFIG --exists --print-errors "cmocka >= 1.0.0") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + for ac_header in stdarg.h stddef.h setjmp.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Header files stdarg.h stddef.h setjmp.h are required by cmocka" >&5 +$as_echo "$as_me: WARNING: Header files stdarg.h stddef.h setjmp.h are required by cmocka" >&2;} + cmocka_required_headers="no" + + +fi + +done + + if test x"$cmocka_required_headers" != x"no"; then : + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for CMOCKA" >&5 +$as_echo_n "checking for CMOCKA... " >&6; } + +if test -n "$PKG_CONFIG"; then + if test -n "$CMOCKA_CFLAGS"; then + pkg_cv_CMOCKA_CFLAGS="$CMOCKA_CFLAGS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka\""; } >&5 + ($PKG_CONFIG --exists --print-errors "cmocka") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CMOCKA_CFLAGS=`$PKG_CONFIG --cflags "cmocka" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi +if test -n "$PKG_CONFIG"; then + if test -n "$CMOCKA_LIBS"; then + pkg_cv_CMOCKA_LIBS="$CMOCKA_LIBS" + else + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"cmocka\""; } >&5 + ($PKG_CONFIG --exists --print-errors "cmocka") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_CMOCKA_LIBS=`$PKG_CONFIG --libs "cmocka" 2>/dev/null` +else + pkg_failed=yes +fi + fi +else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + CMOCKA_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "cmocka"` + else + CMOCKA_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "cmocka"` + fi + # Put the nasty error message in config.log where it belongs + echo "$CMOCKA_PKG_ERRORS" >&5 + + as_fn_error $? "Package requirements (cmocka) were not met: + +$CMOCKA_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables CMOCKA_CFLAGS +and CMOCKA_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. +" "$LINENO" 5 +elif test $pkg_failed = untried; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables CMOCKA_CFLAGS +and CMOCKA_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . 
+See \`config.log' for more details" "$LINENO" 5; } +else + CMOCKA_CFLAGS=$pkg_cv_CMOCKA_CFLAGS + CMOCKA_LIBS=$pkg_cv_CMOCKA_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + have_cmocka="yes" +fi + +fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: No libcmocka-1.0.0 or newer library found, cmocka tests will not be built" >&5 +$as_echo "$as_me: WARNING: No libcmocka-1.0.0 or newer library found, cmocka tests will not be built" >&2;} + +fi + if test x$have_cmocka = xyes; then + HAVE_CMOCKA_TRUE= + HAVE_CMOCKA_FALSE='#' +else + HAVE_CMOCKA_TRUE='#' + HAVE_CMOCKA_FALSE= +fi + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_wrapper" >&5 +$as_echo_n "checking for uid_wrapper... " >&6; } + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"uid_wrapper\""; } >&5 + ($PKG_CONFIG --exists --print-errors "uid_wrapper") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_UID_WRAPPER=yes + + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + HAVE_UID_WRAPPER=no + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cwrap library uid_wrapper not found, some tests will not run" >&5 +$as_echo "$as_me: WARNING: cwrap library uid_wrapper not found, some tests will not run" >&2;} + +fi + + if test x$HAVE_UID_WRAPPER = xyes; then + HAVE_UID_WRAPPER_TRUE= + HAVE_UID_WRAPPER_FALSE='#' +else + HAVE_UID_WRAPPER_TRUE='#' + HAVE_UID_WRAPPER_FALSE= +fi + + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nss_wrapper" >&5 +$as_echo_n "checking for nss_wrapper... 
" >&6; } + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"nss_wrapper\""; } >&5 + ($PKG_CONFIG --exists --print-errors "nss_wrapper") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + HAVE_NSS_WRAPPER=yes + + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + HAVE_NSS_WRAPPER=no + + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cwrap library nss_wrapper not found, some tests will not run" >&5 +$as_echo "$as_me: WARNING: cwrap library nss_wrapper not found, some tests will not run" >&2;} + +fi + + if test x$HAVE_NSS_WRAPPER = xyes; then + HAVE_NSS_WRAPPER_TRUE= + HAVE_NSS_WRAPPER_FALSE='#' +else + HAVE_NSS_WRAPPER_TRUE='#' + HAVE_NSS_WRAPPER_FALSE= +fi + + + + + # Extract the first word of "openssl", so it can be a program name with args. +set dummy openssl; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_OPENSSL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $OPENSSL in + [\\/]* | ?:[\\/]*) + ac_cv_path_OPENSSL="$OPENSSL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_OPENSSL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +OPENSSL=$ac_cv_path_OPENSSL +if test -n "$OPENSSL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $OPENSSL" >&5 +$as_echo "$OPENSSL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! -x "$OPENSSL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find openssl" >&5 +$as_echo "$as_me: Could not find openssl" >&6;} + fi + + # Extract the first word of "ssh-keygen", so it can be a program name with args. +set dummy ssh-keygen; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_SSH_KEYGEN+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $SSH_KEYGEN in + [\\/]* | ?:[\\/]*) + ac_cv_path_SSH_KEYGEN="$SSH_KEYGEN" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_SSH_KEYGEN="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +SSH_KEYGEN=$ac_cv_path_SSH_KEYGEN +if test -n "$SSH_KEYGEN"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SSH_KEYGEN" >&5 +$as_echo "$SSH_KEYGEN" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! 
-x "$SSH_KEYGEN"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find ssh-keygen" >&5 +$as_echo "$as_me: Could not find ssh-keygen" >&6;} + else + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for -m option of ssh-keygen" >&5 +$as_echo_n "checking for -m option of ssh-keygen... " >&6; } + if { { $as_echo "$as_me:${as_lineno-$LINENO}: \$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null"; } >&5 + ($SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null) 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + SSH_KEYGEN="" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + fi + fi + + if test x$cryptolib = xnss; then + # Extract the first word of "certutil", so it can be a program name with args. +set dummy certutil; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_CERTUTIL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $CERTUTIL in + [\\/]* | ?:[\\/]*) + ac_cv_path_CERTUTIL="$CERTUTIL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_CERTUTIL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +CERTUTIL=$ac_cv_path_CERTUTIL +if test -n "$CERTUTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CERTUTIL" >&5 +$as_echo "$CERTUTIL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! 
-x "$CERTUTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find certutil" >&5 +$as_echo "$as_me: Could not find certutil" >&6;} + fi + + # Extract the first word of "pk12util", so it can be a program name with args. +set dummy pk12util; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_PK12UTIL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $PK12UTIL in + [\\/]* | ?:[\\/]*) + ac_cv_path_PK12UTIL="$PK12UTIL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_PK12UTIL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PK12UTIL=$ac_cv_path_PK12UTIL +if test -n "$PK12UTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PK12UTIL" >&5 +$as_echo "$PK12UTIL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! 
-x "$PK12UTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find pk12util" >&5 +$as_echo "$as_me: Could not find pk12util" >&6;} + fi + + if test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"; then + BUILD_TEST_CA_TRUE= + BUILD_TEST_CA_FALSE='#' +else + BUILD_TEST_CA_TRUE='#' + BUILD_TEST_CA_FALSE= +fi + + else + + for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do + if test -f "${p}"; then + SOFTHSM2_PATH="${p}" + break; + fi + done + if test -n "$SOFTHSM2_PATH"; then + + +cat >>confdefs.h <<_ACEOF +#define SOFTHSM2_PATH "$SOFTHSM2_PATH" +_ACEOF + + { $as_echo "$as_me:${as_lineno-$LINENO}: Using softhsm2 PKCS11 module: $SOFTHSM2_PATH" >&5 +$as_echo "$as_me: Using softhsm2 PKCS11 module: $SOFTHSM2_PATH" >&6;} + else + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find softhsm2 PKCS11 module" >&5 +$as_echo "$as_me: Could not find softhsm2 PKCS11 module" >&6;} + fi + + # Extract the first word of "softhsm2-util", so it can be a program name with args. +set dummy softhsm2-util; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_SOFTHSM2_UTIL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $SOFTHSM2_UTIL in + [\\/]* | ?:[\\/]*) + ac_cv_path_SOFTHSM2_UTIL="$SOFTHSM2_UTIL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_SOFTHSM2_UTIL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +SOFTHSM2_UTIL=$ac_cv_path_SOFTHSM2_UTIL +if test -n "$SOFTHSM2_UTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SOFTHSM2_UTIL" >&5 +$as_echo "$SOFTHSM2_UTIL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! -x "$SOFTHSM2_UTIL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find softhsm2-util" >&5 +$as_echo "$as_me: Could not find softhsm2-util" >&6;} + fi + + # Extract the first word of "p11tool", so it can be a program name with args. +set dummy p11tool; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_path_P11TOOL+:} false; then : + $as_echo_n "(cached) " >&6 +else + case $P11TOOL in + [\\/]* | ?:[\\/]*) + ac_cv_path_P11TOOL="$P11TOOL" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_P11TOOL="$as_dir/$ac_word$ac_exec_ext" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +P11TOOL=$ac_cv_path_P11TOOL +if test -n "$P11TOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $P11TOOL" >&5 +$as_echo "$P11TOOL" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test ! 
-x "$P11TOOL"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Could not find p11tool" >&5 +$as_echo "$as_me: Could not find p11tool" >&6;} + fi + + if test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"; then + BUILD_TEST_CA_TRUE= + BUILD_TEST_CA_FALSE='#' +else + BUILD_TEST_CA_TRUE='#' + BUILD_TEST_CA_FALSE= +fi + + fi + + +if test -z "$BUILD_TEST_CA_TRUE"; then : + +cat >>confdefs.h <<_ACEOF +#define HAVE_TEST_CA 1 +_ACEOF + +else +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Test CA cannot be build, skiping some tests" >&5 +$as_echo "$as_me: WARNING: Test CA cannot be build, skiping some tests" >&2;} +fi + + +# Check if the user wants SSSD to be compiled with systemtap probes + + # Check whether --enable-systemtap was given. +if test "${enable_systemtap+set}" = set; then : + enableval=$enable_systemtap; ENABLE_SYSTEMTAP="${enableval}" +else + ENABLE_SYSTEMTAP='no' +fi + + + if test "x${ENABLE_SYSTEMTAP}" = xyes; then + for ac_prog in dtrace +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_DTRACE+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$DTRACE"; then + ac_cv_prog_DTRACE="$DTRACE" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_DTRACE="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +DTRACE=$ac_cv_prog_DTRACE +if test -n "$DTRACE"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DTRACE" >&5 +$as_echo "$DTRACE" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$DTRACE" && break +done + + if test -z "$DTRACE"; then + as_fn_error $? "dtrace not found" "$LINENO" 5 + fi + + ac_fn_c_check_header_mongrel "$LINENO" "sys/sdt.h" "ac_cv_header_sys_sdt_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_sdt_h" = xyes; then : + SDT_H_FOUND='yes' +else + SDT_H_FOUND='no'; + as_fn_error $? "systemtap support needs sys/sdt.h header" "$LINENO" 5 +fi + + + + +$as_echo "#define HAVE_SYSTEMTAP 1" >>confdefs.h + + HAVE_SYSTEMTAP=1 + + +# Check whether --with-tapset-install-dir was given. +if test "${with_tapset_install_dir+set}" = set; then : + withval=$with_tapset_install_dir; if test "x${withval}" = x; then + tapset_dir="\$(datadir)/systemtap/tapset" + else + tapset_dir="${withval}" + fi +else + tapset_dir="\$(datadir)/systemtap/tapset" +fi + + + fi + + if test x$HAVE_SYSTEMTAP = x1; then + BUILD_SYSTEMTAP_TRUE= + BUILD_SYSTEMTAP_FALSE='#' +else + BUILD_SYSTEMTAP_TRUE='#' + BUILD_SYSTEMTAP_FALSE= +fi + + + + + # Check whether --enable-intgcheck-reqs was given. +if test "${enable_intgcheck_reqs+set}" = set; then : + enableval=$enable_intgcheck_reqs; enable_intgcheck_reqs="$enableval" +else + enable_intgcheck_reqs="no" +fi + + if test x"$enable_intgcheck_reqs" = xyes; then + + if test x$HAVE_UID_WRAPPER = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: uid_wrapper not found" "$LINENO" 5 +fi + + + if test x$HAVE_NSS_WRAPPER = xyes; then : + +else + + as_fn_error $? 
"cannot enable integration tests: nss_wrapper not found" "$LINENO" 5 +fi + + + if test x$HAVE_SLAPD = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: slapd not found" "$LINENO" 5 +fi + + + if test x$HAVE_LDAPMODIFY = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: ldapmodify not found" "$LINENO" 5 +fi + + + if test x$HAVE_FAKEROOT = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: fakeroot not found" "$LINENO" 5 +fi + + + if test x$HAVE_PYTHON2 = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: python2 not found" "$LINENO" 5 +fi + + + if test x$HAVE_PYTEST = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: pytest not found" "$LINENO" 5 +fi + + + if test x$HAVE_PY2MOD_LDAP = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: python-ldap not found" "$LINENO" 5 +fi + + + if test x$HAVE_PY2MOD_LDAP = xyes; then : + +else + + as_fn_error $? "cannot enable integration tests: pyldb not found" "$LINENO" 5 +fi + + fi + + + if test -d /dev/shm; then + HAVE_DEVSHM_TRUE= + HAVE_DEVSHM_FALSE='#' +else + HAVE_DEVSHM_TRUE='#' + HAVE_DEVSHM_FALSE= +fi + + +# Check if we should install polkit rules + + polkitdir="/usr/share/polkit-1/rules.d" + # Check whether --enable-polkit-rules-path was given. 
+if test "${enable_polkit_rules_path+set}" = set; then : + enableval=$enable_polkit_rules_path; polkitdir=$enableval +fi + + + if test x"$polkitdir" != xno; then + HAVE_POLKIT_RULES_D=1 + + fi + + if test x$HAVE_POLKIT_RULES_D != x; then + HAVE_POLKIT_RULES_D_TRUE= + HAVE_POLKIT_RULES_D_FALSE='#' +else + HAVE_POLKIT_RULES_D_TRUE='#' + HAVE_POLKIT_RULES_D_FALSE= +fi + + + if test x$HAVE_POLKIT_RULES_D != x; then + HAVE_POLKIT_RULES_D_TRUE= + HAVE_POLKIT_RULES_D_FALSE='#' +else + HAVE_POLKIT_RULES_D_TRUE='#' + HAVE_POLKIT_RULES_D_FALSE= +fi + + +abs_build_dir=`pwd` + +cat >>confdefs.h <<_ACEOF +#define ABS_BUILD_DIR "$abs_build_dir" +_ACEOF + +abs_builddir=$abs_build_dir + + +my_srcdir=`readlink -f $srcdir` + +cat >>confdefs.h <<_ACEOF +#define ABS_SRC_DIR "$my_srcdir" +_ACEOF + + +ac_config_files="$ac_config_files Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config contrib/sssd-pcsc.rules src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile src/tests/intg/Makefile src/tests/test_CA/Makefile src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy src/sss_client/idmap/sss_nss_idmap.pc src/sss_client/idmap/sss_nss_idmap.doxy src/sss_client/libwbclient/wbclient_sssd.pc src/lib/sifp/sss_simpleifp.pc src/lib/sifp/sss_simpleifp.doxy src/config/setup.py src/systemtap/sssd.stp src/config/SSSDConfig/__init__.py" + +cat >confcache <<\_ACEOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. +# +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. 
+# +# `ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. + +_ACEOF + +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, we kill variables containing newlines. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + + (set) 2>&1 | + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + # `set' does not quote correctly, so add quotes: double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \. + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; #( + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) | + sed ' + /^ac_cv_env_/b end + t clear + :clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + if test "x$cache_file" != "x/dev/null"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 +$as_echo "$as_me: updating cache $cache_file" >&6;} + if test ! 
-f "$cache_file" || test -h "$cache_file"; then + cat confcache >"$cache_file" + else + case $cache_file in #( + */* | ?:*) + mv -f confcache "$cache_file"$$ && + mv -f "$cache_file"$$ "$cache_file" ;; #( + *) + mv -f confcache "$cache_file" ;; + esac + fi + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 +$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} + fi +fi +rm -f confcache + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +DEFS=-DHAVE_CONFIG_H + +ac_libobjs= +ac_ltlibobjs= +U= +for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue + # 1. Remove the extension, and $U if already installed. + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`$as_echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. + as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" + as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' +done +LIBOBJS=$ac_libobjs + +LTLIBOBJS=$ac_ltlibobjs + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking that generated files are newer than configure" >&5 +$as_echo_n "checking that generated files are newer than configure... " >&6; } + if test -n "$am_sleep_pid"; then + # Hide warnings about reused PIDs. + wait $am_sleep_pid 2>/dev/null + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: done" >&5 +$as_echo "done" >&6; } +if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then + as_fn_error $? "conditional \"AMDEP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then + as_fn_error $? "conditional \"am__fastdepCC\" was never defined. +Usually this means the macro was only invoked conditionally." 
"$LINENO" 5 +fi + if test -n "$EXEEXT"; then + am__EXEEXT_TRUE= + am__EXEEXT_FALSE='#' +else + am__EXEEXT_TRUE='#' + am__EXEEXT_FALSE= +fi + +if test -z "${GIT_CHECKOUT_TRUE}" && test -z "${GIT_CHECKOUT_FALSE}"; then + as_fn_error $? "conditional \"GIT_CHECKOUT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_GCC_TRUE}" && test -z "${HAVE_GCC_FALSE}"; then + as_fn_error $? "conditional \"HAVE_GCC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${WANT_AUX_INFO_TRUE}" && test -z "${WANT_AUX_INFO_FALSE}"; then + as_fn_error $? "conditional \"WANT_AUX_INFO\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_PTHREAD_TRUE}" && test -z "${HAVE_PTHREAD_FALSE}"; then + as_fn_error $? "conditional \"HAVE_PTHREAD\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi + +if test -z "${HAVE_FEDORA_TRUE}" && test -z "${HAVE_FEDORA_FALSE}"; then + as_fn_error $? "conditional \"HAVE_FEDORA\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_REDHAT_TRUE}" && test -z "${HAVE_REDHAT_FALSE}"; then + as_fn_error $? "conditional \"HAVE_REDHAT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_SUSE_TRUE}" && test -z "${HAVE_SUSE_FALSE}"; then + as_fn_error $? "conditional \"HAVE_SUSE\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_DEBIAN_TRUE}" && test -z "${HAVE_DEBIAN_FALSE}"; then + as_fn_error $? "conditional \"HAVE_DEBIAN\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_GENTOO_TRUE}" && test -z "${HAVE_GENTOO_FALSE}"; then + as_fn_error $? 
"conditional \"HAVE_GENTOO\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_MANPAGES_TRUE}" && test -z "${BUILD_MANPAGES_FALSE}"; then + as_fn_error $? "conditional \"BUILD_MANPAGES\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_DBUS_TESTS_TRUE}" && test -z "${BUILD_DBUS_TESTS_FALSE}"; then + as_fn_error $? "conditional \"BUILD_DBUS_TESTS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${ADD_FILES_DOMAIN_TRUE}" && test -z "${ADD_FILES_DOMAIN_FALSE}"; then + as_fn_error $? "conditional \"ADD_FILES_DOMAIN\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_PYTHON2_BINDINGS_TRUE}" && test -z "${BUILD_PYTHON2_BINDINGS_FALSE}"; then + as_fn_error $? "conditional \"BUILD_PYTHON2_BINDINGS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_PYTHON3_BINDINGS_TRUE}" && test -z "${BUILD_PYTHON3_BINDINGS_FALSE}"; then + as_fn_error $? "conditional \"BUILD_PYTHON3_BINDINGS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SELINUX_TRUE}" && test -z "${BUILD_SELINUX_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SELINUX\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SEMANAGE_TRUE}" && test -z "${BUILD_SEMANAGE_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SEMANAGE\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${GPO_DEFAULT_ENFORCING_TRUE}" && test -z "${GPO_DEFAULT_ENFORCING_FALSE}"; then + as_fn_error $? "conditional \"GPO_DEFAULT_ENFORCING\" was never defined. 
+Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SUDO_TRUE}" && test -z "${BUILD_SUDO_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SUDO\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_AUTOFS_TRUE}" && test -z "${BUILD_AUTOFS_FALSE}"; then + as_fn_error $? "conditional \"BUILD_AUTOFS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SSH_TRUE}" && test -z "${BUILD_SSH_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SSH\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_IFP_TRUE}" && test -z "${BUILD_IFP_FALSE}"; then + as_fn_error $? "conditional \"BUILD_IFP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_NSS_TRUE}" && test -z "${HAVE_NSS_FALSE}"; then + as_fn_error $? "conditional \"HAVE_NSS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_LIBCRYPTO_TRUE}" && test -z "${HAVE_LIBCRYPTO_FALSE}"; then + as_fn_error $? "conditional \"HAVE_LIBCRYPTO\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${WITH_JOURNALD_TRUE}" && test -z "${WITH_JOURNALD_FALSE}"; then + as_fn_error $? "conditional \"WITH_JOURNALD\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SAMBA_TRUE}" && test -z "${BUILD_SAMBA_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SAMBA\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_NFS_IDMAP_TRUE}" && test -z "${BUILD_NFS_IDMAP_FALSE}"; then + as_fn_error $? "conditional \"BUILD_NFS_IDMAP\" was never defined. 
+Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_LIBWBCLIENT_TRUE}" && test -z "${BUILD_LIBWBCLIENT_FALSE}"; then + as_fn_error $? "conditional \"BUILD_LIBWBCLIENT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${SSSD_USER_TRUE}" && test -z "${SSSD_USER_FALSE}"; then + as_fn_error $? "conditional \"SSSD_USER\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SECRETS_TRUE}" && test -z "${BUILD_SECRETS_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SECRETS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_KCM_TRUE}" && test -z "${BUILD_KCM_FALSE}"; then + as_fn_error $? "conditional \"BUILD_KCM\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_KRB5_LOCATOR_PLUGIN_TRUE}" && test -z "${BUILD_KRB5_LOCATOR_PLUGIN_FALSE}"; then + as_fn_error $? "conditional \"BUILD_KRB5_LOCATOR_PLUGIN\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_KRB5_LOCALAUTH_PLUGIN_TRUE}" && test -z "${BUILD_KRB5_LOCALAUTH_PLUGIN_FALSE}"; then + as_fn_error $? "conditional \"BUILD_KRB5_LOCALAUTH_PLUGIN\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_PAC_RESPONDER_TRUE}" && test -z "${BUILD_PAC_RESPONDER_FALSE}"; then + as_fn_error $? "conditional \"BUILD_PAC_RESPONDER\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_CIFS_IDMAP_PLUGIN_TRUE}" && test -z "${BUILD_CIFS_IDMAP_PLUGIN_FALSE}"; then + as_fn_error $? "conditional \"BUILD_CIFS_IDMAP_PLUGIN\" was never defined. +Usually this means the macro was only invoked conditionally." 
"$LINENO" 5 +fi +if test -z "${HAVE_LIBRESOLV_TRUE}" && test -z "${HAVE_LIBRESOLV_FALSE}"; then + as_fn_error $? "conditional \"HAVE_LIBRESOLV\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${INTG_BUILD_TRUE}" && test -z "${INTG_BUILD_FALSE}"; then + as_fn_error $? "conditional \"INTG_BUILD\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_WITH_LIBCURL_TRUE}" && test -z "${BUILD_WITH_LIBCURL_FALSE}"; then + as_fn_error $? "conditional \"BUILD_WITH_LIBCURL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${WITH_LIBUNISTRING_TRUE}" && test -z "${WITH_LIBUNISTRING_FALSE}"; then + as_fn_error $? "conditional \"WITH_LIBUNISTRING\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${WITH_GLIB_TRUE}" && test -z "${WITH_GLIB_FALSE}"; then + as_fn_error $? "conditional \"WITH_GLIB\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_SYSV_TRUE}" && test -z "${HAVE_SYSV_FALSE}"; then + as_fn_error $? "conditional \"HAVE_SYSV\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_SYSTEMD_UNIT_TRUE}" && test -z "${HAVE_SYSTEMD_UNIT_FALSE}"; then + as_fn_error $? "conditional \"HAVE_SYSTEMD_UNIT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_PROFILE_CATALOGS_TRUE}" && test -z "${HAVE_PROFILE_CATALOGS_FALSE}"; then + as_fn_error $? "conditional \"HAVE_PROFILE_CATALOGS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_MANPAGES_TRUE}" && test -z "${HAVE_MANPAGES_FALSE}"; then + as_fn_error $? "conditional \"HAVE_MANPAGES\" was never defined. 
+Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_PO4A_TRUE}" && test -z "${HAVE_PO4A_FALSE}"; then + as_fn_error $? "conditional \"HAVE_PO4A\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_PYTHON_BINDINGS_TRUE}" && test -z "${BUILD_PYTHON_BINDINGS_FALSE}"; then + as_fn_error $? "conditional \"BUILD_PYTHON_BINDINGS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_INOTIFY_TRUE}" && test -z "${HAVE_INOTIFY_FALSE}"; then + as_fn_error $? "conditional \"HAVE_INOTIFY\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_DOXYGEN_TRUE}" && test -z "${HAVE_DOXYGEN_FALSE}"; then + as_fn_error $? "conditional \"HAVE_DOXYGEN\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_CHECK_TRUE}" && test -z "${HAVE_CHECK_FALSE}"; then + as_fn_error $? "conditional \"HAVE_CHECK\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_CMOCKA_TRUE}" && test -z "${HAVE_CMOCKA_FALSE}"; then + as_fn_error $? "conditional \"HAVE_CMOCKA\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_UID_WRAPPER_TRUE}" && test -z "${HAVE_UID_WRAPPER_FALSE}"; then + as_fn_error $? "conditional \"HAVE_UID_WRAPPER\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_NSS_WRAPPER_TRUE}" && test -z "${HAVE_NSS_WRAPPER_FALSE}"; then + as_fn_error $? "conditional \"HAVE_NSS_WRAPPER\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_TEST_CA_TRUE}" && test -z "${BUILD_TEST_CA_FALSE}"; then + as_fn_error $? 
"conditional \"BUILD_TEST_CA\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_TEST_CA_TRUE}" && test -z "${BUILD_TEST_CA_FALSE}"; then + as_fn_error $? "conditional \"BUILD_TEST_CA\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${BUILD_SYSTEMTAP_TRUE}" && test -z "${BUILD_SYSTEMTAP_FALSE}"; then + as_fn_error $? "conditional \"BUILD_SYSTEMTAP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_DEVSHM_TRUE}" && test -z "${HAVE_DEVSHM_FALSE}"; then + as_fn_error $? "conditional \"HAVE_DEVSHM\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_POLKIT_RULES_D_TRUE}" && test -z "${HAVE_POLKIT_RULES_D_FALSE}"; then + as_fn_error $? "conditional \"HAVE_POLKIT_RULES_D\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${HAVE_POLKIT_RULES_D_TRUE}" && test -z "${HAVE_POLKIT_RULES_D_FALSE}"; then + as_fn_error $? "conditional \"HAVE_POLKIT_RULES_D\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi + +: "${CONFIG_STATUS=./config.status}" +ac_write_fail=0 +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files $CONFIG_STATUS" +{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +as_write_fail=0 +cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 +#! $SHELL +# Generated by $as_me. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. 
+ +debug=false +ac_cs_recheck=false +ac_cs_silent=false + +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. 
+if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. 
Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? 
-eq 1` + } +fi # as_fn_arith + + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! 
-f conf$$.exe || + as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -pR' + fi +else + as_ln_s='cp -pR' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +as_test_x='test -x' +as_executable_p=as_fn_executable_p + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +exec 6>&1 +## ----------------------------------- ## +## Main body of $CONFIG_STATUS script. 
## +## ----------------------------------- ## +_ASEOF +test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# Save the log message, to keep $0 and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. +ac_log=" +This file was extended by sssd $as_me 1.16.3, which was +generated by GNU Autoconf 2.69. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + +_ACEOF + +case $ac_config_files in *" +"*) set x $ac_config_files; shift; ac_config_files=$*;; +esac + +case $ac_config_headers in *" +"*) set x $ac_config_headers; shift; ac_config_headers=$*;; +esac + + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# Files that config.status was made for. +config_files="$ac_config_files" +config_headers="$ac_config_headers" +config_commands="$ac_config_commands" + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +ac_cs_usage="\ +\`$as_me' instantiates files and other configuration actions +from templates according to the current configuration. Unless the files +and actions are specified as TAGs, all are instantiated by default. + +Usage: $0 [OPTION]... [TAG]... 
+ + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + --config print configuration, then exit + -q, --quiet, --silent + do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE + +Configuration files: +$config_files + +Configuration headers: +$config_headers + +Configuration commands: +$config_commands + +Report bugs to ." + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" +ac_cs_version="\\ +sssd config.status 1.16.3 +configured by $0, generated by GNU Autoconf 2.69, + with options \\"\$ac_cs_config\\" + +Copyright (C) 2012 Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." + +ac_pwd='$ac_pwd' +srcdir='$srcdir' +INSTALL='$INSTALL' +MKDIR_P='$MKDIR_P' +AWK='$AWK' +test -n "\$AWK" || AWK=awk +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# The default lists apply if the user does not specify any file. +ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=?*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + --*=) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg= + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. 
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + $as_echo "$ac_cs_version"; exit ;; + --config | --confi | --conf | --con | --co | --c ) + $as_echo "$ac_cs_config"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + '') as_fn_error $? "missing file argument" ;; + esac + as_fn_append CONFIG_FILES " '$ac_optarg'" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + as_fn_append CONFIG_HEADERS " '$ac_optarg'" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + as_fn_error $? "ambiguous option: \`$1' +Try \`$0 --help' for more information.";; + --help | --hel | -h ) + $as_echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) as_fn_error $? "unrecognized option: \`$1' +Try \`$0 --help' for more information." ;; + + *) as_fn_append ac_config_targets " $1" + ac_need_defaults=false ;; + + esac + shift +done + +ac_configure_extra_args= + +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +if \$ac_cs_recheck; then + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' + export CONFIG_SHELL + exec "\$@" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. 
## +_ASBOX + $as_echo "$ac_log" +} >&5 + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# +# INIT-COMMANDS +# +AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" + + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +sed_quote_subst='$sed_quote_subst' +double_quote_subst='$double_quote_subst' +delay_variable_subst='$delay_variable_subst' +enable_static='`$ECHO "$enable_static" | $SED "$delay_single_quote_subst"`' +macro_version='`$ECHO "$macro_version" | $SED "$delay_single_quote_subst"`' +macro_revision='`$ECHO "$macro_revision" | $SED "$delay_single_quote_subst"`' +enable_shared='`$ECHO "$enable_shared" | $SED "$delay_single_quote_subst"`' +pic_mode='`$ECHO "$pic_mode" | $SED "$delay_single_quote_subst"`' +enable_fast_install='`$ECHO "$enable_fast_install" | $SED "$delay_single_quote_subst"`' +shared_archive_member_spec='`$ECHO "$shared_archive_member_spec" | $SED "$delay_single_quote_subst"`' +SHELL='`$ECHO "$SHELL" | $SED "$delay_single_quote_subst"`' +ECHO='`$ECHO "$ECHO" | $SED "$delay_single_quote_subst"`' +PATH_SEPARATOR='`$ECHO "$PATH_SEPARATOR" | $SED "$delay_single_quote_subst"`' +host_alias='`$ECHO "$host_alias" | $SED "$delay_single_quote_subst"`' +host='`$ECHO "$host" | $SED "$delay_single_quote_subst"`' +host_os='`$ECHO "$host_os" | $SED "$delay_single_quote_subst"`' +build_alias='`$ECHO "$build_alias" | $SED "$delay_single_quote_subst"`' +build='`$ECHO "$build" | $SED "$delay_single_quote_subst"`' +build_os='`$ECHO "$build_os" | $SED "$delay_single_quote_subst"`' +SED='`$ECHO "$SED" | $SED "$delay_single_quote_subst"`' +Xsed='`$ECHO "$Xsed" | $SED "$delay_single_quote_subst"`' +GREP='`$ECHO "$GREP" | $SED "$delay_single_quote_subst"`' +EGREP='`$ECHO "$EGREP" | $SED "$delay_single_quote_subst"`' +FGREP='`$ECHO "$FGREP" | $SED "$delay_single_quote_subst"`' +LD='`$ECHO "$LD" | $SED "$delay_single_quote_subst"`' +NM='`$ECHO "$NM" | $SED 
"$delay_single_quote_subst"`' +LN_S='`$ECHO "$LN_S" | $SED "$delay_single_quote_subst"`' +max_cmd_len='`$ECHO "$max_cmd_len" | $SED "$delay_single_quote_subst"`' +ac_objext='`$ECHO "$ac_objext" | $SED "$delay_single_quote_subst"`' +exeext='`$ECHO "$exeext" | $SED "$delay_single_quote_subst"`' +lt_unset='`$ECHO "$lt_unset" | $SED "$delay_single_quote_subst"`' +lt_SP2NL='`$ECHO "$lt_SP2NL" | $SED "$delay_single_quote_subst"`' +lt_NL2SP='`$ECHO "$lt_NL2SP" | $SED "$delay_single_quote_subst"`' +lt_cv_to_host_file_cmd='`$ECHO "$lt_cv_to_host_file_cmd" | $SED "$delay_single_quote_subst"`' +lt_cv_to_tool_file_cmd='`$ECHO "$lt_cv_to_tool_file_cmd" | $SED "$delay_single_quote_subst"`' +reload_flag='`$ECHO "$reload_flag" | $SED "$delay_single_quote_subst"`' +reload_cmds='`$ECHO "$reload_cmds" | $SED "$delay_single_quote_subst"`' +OBJDUMP='`$ECHO "$OBJDUMP" | $SED "$delay_single_quote_subst"`' +deplibs_check_method='`$ECHO "$deplibs_check_method" | $SED "$delay_single_quote_subst"`' +file_magic_cmd='`$ECHO "$file_magic_cmd" | $SED "$delay_single_quote_subst"`' +file_magic_glob='`$ECHO "$file_magic_glob" | $SED "$delay_single_quote_subst"`' +want_nocaseglob='`$ECHO "$want_nocaseglob" | $SED "$delay_single_quote_subst"`' +DLLTOOL='`$ECHO "$DLLTOOL" | $SED "$delay_single_quote_subst"`' +sharedlib_from_linklib_cmd='`$ECHO "$sharedlib_from_linklib_cmd" | $SED "$delay_single_quote_subst"`' +AR='`$ECHO "$AR" | $SED "$delay_single_quote_subst"`' +AR_FLAGS='`$ECHO "$AR_FLAGS" | $SED "$delay_single_quote_subst"`' +archiver_list_spec='`$ECHO "$archiver_list_spec" | $SED "$delay_single_quote_subst"`' +STRIP='`$ECHO "$STRIP" | $SED "$delay_single_quote_subst"`' +RANLIB='`$ECHO "$RANLIB" | $SED "$delay_single_quote_subst"`' +old_postinstall_cmds='`$ECHO "$old_postinstall_cmds" | $SED "$delay_single_quote_subst"`' +old_postuninstall_cmds='`$ECHO "$old_postuninstall_cmds" | $SED "$delay_single_quote_subst"`' +old_archive_cmds='`$ECHO "$old_archive_cmds" | $SED "$delay_single_quote_subst"`' 
+lock_old_archive_extraction='`$ECHO "$lock_old_archive_extraction" | $SED "$delay_single_quote_subst"`' +CC='`$ECHO "$CC" | $SED "$delay_single_quote_subst"`' +CFLAGS='`$ECHO "$CFLAGS" | $SED "$delay_single_quote_subst"`' +compiler='`$ECHO "$compiler" | $SED "$delay_single_quote_subst"`' +GCC='`$ECHO "$GCC" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_pipe='`$ECHO "$lt_cv_sys_global_symbol_pipe" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_cdecl='`$ECHO "$lt_cv_sys_global_symbol_to_cdecl" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_import='`$ECHO "$lt_cv_sys_global_symbol_to_import" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_c_name_address='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address" | $SED "$delay_single_quote_subst"`' +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix='`$ECHO "$lt_cv_sys_global_symbol_to_c_name_address_lib_prefix" | $SED "$delay_single_quote_subst"`' +lt_cv_nm_interface='`$ECHO "$lt_cv_nm_interface" | $SED "$delay_single_quote_subst"`' +nm_file_list_spec='`$ECHO "$nm_file_list_spec" | $SED "$delay_single_quote_subst"`' +lt_sysroot='`$ECHO "$lt_sysroot" | $SED "$delay_single_quote_subst"`' +lt_cv_truncate_bin='`$ECHO "$lt_cv_truncate_bin" | $SED "$delay_single_quote_subst"`' +objdir='`$ECHO "$objdir" | $SED "$delay_single_quote_subst"`' +MAGIC_CMD='`$ECHO "$MAGIC_CMD" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_no_builtin_flag='`$ECHO "$lt_prog_compiler_no_builtin_flag" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_pic='`$ECHO "$lt_prog_compiler_pic" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_wl='`$ECHO "$lt_prog_compiler_wl" | $SED "$delay_single_quote_subst"`' +lt_prog_compiler_static='`$ECHO "$lt_prog_compiler_static" | $SED "$delay_single_quote_subst"`' +lt_cv_prog_compiler_c_o='`$ECHO "$lt_cv_prog_compiler_c_o" | $SED "$delay_single_quote_subst"`' +need_locks='`$ECHO "$need_locks" | $SED "$delay_single_quote_subst"`' 
+MANIFEST_TOOL='`$ECHO "$MANIFEST_TOOL" | $SED "$delay_single_quote_subst"`' +DSYMUTIL='`$ECHO "$DSYMUTIL" | $SED "$delay_single_quote_subst"`' +NMEDIT='`$ECHO "$NMEDIT" | $SED "$delay_single_quote_subst"`' +LIPO='`$ECHO "$LIPO" | $SED "$delay_single_quote_subst"`' +OTOOL='`$ECHO "$OTOOL" | $SED "$delay_single_quote_subst"`' +OTOOL64='`$ECHO "$OTOOL64" | $SED "$delay_single_quote_subst"`' +libext='`$ECHO "$libext" | $SED "$delay_single_quote_subst"`' +shrext_cmds='`$ECHO "$shrext_cmds" | $SED "$delay_single_quote_subst"`' +extract_expsyms_cmds='`$ECHO "$extract_expsyms_cmds" | $SED "$delay_single_quote_subst"`' +archive_cmds_need_lc='`$ECHO "$archive_cmds_need_lc" | $SED "$delay_single_quote_subst"`' +enable_shared_with_static_runtimes='`$ECHO "$enable_shared_with_static_runtimes" | $SED "$delay_single_quote_subst"`' +export_dynamic_flag_spec='`$ECHO "$export_dynamic_flag_spec" | $SED "$delay_single_quote_subst"`' +whole_archive_flag_spec='`$ECHO "$whole_archive_flag_spec" | $SED "$delay_single_quote_subst"`' +compiler_needs_object='`$ECHO "$compiler_needs_object" | $SED "$delay_single_quote_subst"`' +old_archive_from_new_cmds='`$ECHO "$old_archive_from_new_cmds" | $SED "$delay_single_quote_subst"`' +old_archive_from_expsyms_cmds='`$ECHO "$old_archive_from_expsyms_cmds" | $SED "$delay_single_quote_subst"`' +archive_cmds='`$ECHO "$archive_cmds" | $SED "$delay_single_quote_subst"`' +archive_expsym_cmds='`$ECHO "$archive_expsym_cmds" | $SED "$delay_single_quote_subst"`' +module_cmds='`$ECHO "$module_cmds" | $SED "$delay_single_quote_subst"`' +module_expsym_cmds='`$ECHO "$module_expsym_cmds" | $SED "$delay_single_quote_subst"`' +with_gnu_ld='`$ECHO "$with_gnu_ld" | $SED "$delay_single_quote_subst"`' +allow_undefined_flag='`$ECHO "$allow_undefined_flag" | $SED "$delay_single_quote_subst"`' +no_undefined_flag='`$ECHO "$no_undefined_flag" | $SED "$delay_single_quote_subst"`' +hardcode_libdir_flag_spec='`$ECHO "$hardcode_libdir_flag_spec" | $SED 
"$delay_single_quote_subst"`' +hardcode_libdir_separator='`$ECHO "$hardcode_libdir_separator" | $SED "$delay_single_quote_subst"`' +hardcode_direct='`$ECHO "$hardcode_direct" | $SED "$delay_single_quote_subst"`' +hardcode_direct_absolute='`$ECHO "$hardcode_direct_absolute" | $SED "$delay_single_quote_subst"`' +hardcode_minus_L='`$ECHO "$hardcode_minus_L" | $SED "$delay_single_quote_subst"`' +hardcode_shlibpath_var='`$ECHO "$hardcode_shlibpath_var" | $SED "$delay_single_quote_subst"`' +hardcode_automatic='`$ECHO "$hardcode_automatic" | $SED "$delay_single_quote_subst"`' +inherit_rpath='`$ECHO "$inherit_rpath" | $SED "$delay_single_quote_subst"`' +link_all_deplibs='`$ECHO "$link_all_deplibs" | $SED "$delay_single_quote_subst"`' +always_export_symbols='`$ECHO "$always_export_symbols" | $SED "$delay_single_quote_subst"`' +export_symbols_cmds='`$ECHO "$export_symbols_cmds" | $SED "$delay_single_quote_subst"`' +exclude_expsyms='`$ECHO "$exclude_expsyms" | $SED "$delay_single_quote_subst"`' +include_expsyms='`$ECHO "$include_expsyms" | $SED "$delay_single_quote_subst"`' +prelink_cmds='`$ECHO "$prelink_cmds" | $SED "$delay_single_quote_subst"`' +postlink_cmds='`$ECHO "$postlink_cmds" | $SED "$delay_single_quote_subst"`' +file_list_spec='`$ECHO "$file_list_spec" | $SED "$delay_single_quote_subst"`' +variables_saved_for_relink='`$ECHO "$variables_saved_for_relink" | $SED "$delay_single_quote_subst"`' +need_lib_prefix='`$ECHO "$need_lib_prefix" | $SED "$delay_single_quote_subst"`' +need_version='`$ECHO "$need_version" | $SED "$delay_single_quote_subst"`' +version_type='`$ECHO "$version_type" | $SED "$delay_single_quote_subst"`' +runpath_var='`$ECHO "$runpath_var" | $SED "$delay_single_quote_subst"`' +shlibpath_var='`$ECHO "$shlibpath_var" | $SED "$delay_single_quote_subst"`' +shlibpath_overrides_runpath='`$ECHO "$shlibpath_overrides_runpath" | $SED "$delay_single_quote_subst"`' +libname_spec='`$ECHO "$libname_spec" | $SED "$delay_single_quote_subst"`' 
+library_names_spec='`$ECHO "$library_names_spec" | $SED "$delay_single_quote_subst"`' +soname_spec='`$ECHO "$soname_spec" | $SED "$delay_single_quote_subst"`' +install_override_mode='`$ECHO "$install_override_mode" | $SED "$delay_single_quote_subst"`' +postinstall_cmds='`$ECHO "$postinstall_cmds" | $SED "$delay_single_quote_subst"`' +postuninstall_cmds='`$ECHO "$postuninstall_cmds" | $SED "$delay_single_quote_subst"`' +finish_cmds='`$ECHO "$finish_cmds" | $SED "$delay_single_quote_subst"`' +finish_eval='`$ECHO "$finish_eval" | $SED "$delay_single_quote_subst"`' +hardcode_into_libs='`$ECHO "$hardcode_into_libs" | $SED "$delay_single_quote_subst"`' +sys_lib_search_path_spec='`$ECHO "$sys_lib_search_path_spec" | $SED "$delay_single_quote_subst"`' +configure_time_dlsearch_path='`$ECHO "$configure_time_dlsearch_path" | $SED "$delay_single_quote_subst"`' +configure_time_lt_sys_library_path='`$ECHO "$configure_time_lt_sys_library_path" | $SED "$delay_single_quote_subst"`' +hardcode_action='`$ECHO "$hardcode_action" | $SED "$delay_single_quote_subst"`' +enable_dlopen='`$ECHO "$enable_dlopen" | $SED "$delay_single_quote_subst"`' +enable_dlopen_self='`$ECHO "$enable_dlopen_self" | $SED "$delay_single_quote_subst"`' +enable_dlopen_self_static='`$ECHO "$enable_dlopen_self_static" | $SED "$delay_single_quote_subst"`' +old_striplib='`$ECHO "$old_striplib" | $SED "$delay_single_quote_subst"`' +striplib='`$ECHO "$striplib" | $SED "$delay_single_quote_subst"`' + +LTCC='$LTCC' +LTCFLAGS='$LTCFLAGS' +compiler='$compiler_DEFAULT' + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$1 +_LTECHO_EOF' +} + +# Quote evaled strings. 
+for var in SHELL \ +ECHO \ +PATH_SEPARATOR \ +SED \ +GREP \ +EGREP \ +FGREP \ +LD \ +NM \ +LN_S \ +lt_SP2NL \ +lt_NL2SP \ +reload_flag \ +OBJDUMP \ +deplibs_check_method \ +file_magic_cmd \ +file_magic_glob \ +want_nocaseglob \ +DLLTOOL \ +sharedlib_from_linklib_cmd \ +AR \ +AR_FLAGS \ +archiver_list_spec \ +STRIP \ +RANLIB \ +CC \ +CFLAGS \ +compiler \ +lt_cv_sys_global_symbol_pipe \ +lt_cv_sys_global_symbol_to_cdecl \ +lt_cv_sys_global_symbol_to_import \ +lt_cv_sys_global_symbol_to_c_name_address \ +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix \ +lt_cv_nm_interface \ +nm_file_list_spec \ +lt_cv_truncate_bin \ +lt_prog_compiler_no_builtin_flag \ +lt_prog_compiler_pic \ +lt_prog_compiler_wl \ +lt_prog_compiler_static \ +lt_cv_prog_compiler_c_o \ +need_locks \ +MANIFEST_TOOL \ +DSYMUTIL \ +NMEDIT \ +LIPO \ +OTOOL \ +OTOOL64 \ +shrext_cmds \ +export_dynamic_flag_spec \ +whole_archive_flag_spec \ +compiler_needs_object \ +with_gnu_ld \ +allow_undefined_flag \ +no_undefined_flag \ +hardcode_libdir_flag_spec \ +hardcode_libdir_separator \ +exclude_expsyms \ +include_expsyms \ +file_list_spec \ +variables_saved_for_relink \ +libname_spec \ +library_names_spec \ +soname_spec \ +install_override_mode \ +finish_eval \ +old_striplib \ +striplib; do + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in + *[\\\\\\\`\\"\\\$]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done + +# Double-quote double-evaled strings. 
+for var in reload_cmds \ +old_postinstall_cmds \ +old_postuninstall_cmds \ +old_archive_cmds \ +extract_expsyms_cmds \ +old_archive_from_new_cmds \ +old_archive_from_expsyms_cmds \ +archive_cmds \ +archive_expsym_cmds \ +module_cmds \ +module_expsym_cmds \ +export_symbols_cmds \ +prelink_cmds \ +postlink_cmds \ +postinstall_cmds \ +postuninstall_cmds \ +finish_cmds \ +sys_lib_search_path_spec \ +configure_time_dlsearch_path \ +configure_time_lt_sys_library_path; do + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in + *[\\\\\\\`\\"\\\$]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done + +ac_aux_dir='$ac_aux_dir' + +# See if we are running on zsh, and set the options that allow our +# commands through without removal of \ escapes INIT. +if test -n "\${ZSH_VERSION+set}"; then + setopt NO_GLOB_SUBST +fi + + + PACKAGE='$PACKAGE' + VERSION='$VERSION' + RM='$RM' + ofile='$ofile' + + + +# Capture the value of obsolete ALL_LINGUAS because we need it to compute + # POFILES, UPDATEPOFILES, DUMMYPOFILES, GMOFILES, CATALOGS. But hide it + # from automake. + eval 'OBSOLETE_ALL_LINGUAS''="$ALL_LINGUAS"' + # Capture the value of LINGUAS because we need it to compute CATALOGS. + LINGUAS="${LINGUAS-%UNSET%}" + + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + +# Handling of arguments. 
+for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; + "libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;; + "default-1") CONFIG_COMMANDS="$CONFIG_COMMANDS default-1" ;; + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; + "contrib/sssd.spec") CONFIG_FILES="$CONFIG_FILES contrib/sssd.spec" ;; + "src/examples/rwtab") CONFIG_FILES="$CONFIG_FILES src/examples/rwtab" ;; + "src/doxy.config") CONFIG_FILES="$CONFIG_FILES src/doxy.config" ;; + "contrib/sssd-pcsc.rules") CONFIG_FILES="$CONFIG_FILES contrib/sssd-pcsc.rules" ;; + "src/sysv/sssd") CONFIG_FILES="$CONFIG_FILES src/sysv/sssd" ;; + "src/sysv/gentoo/sssd") CONFIG_FILES="$CONFIG_FILES src/sysv/gentoo/sssd" ;; + "src/sysv/SUSE/sssd") CONFIG_FILES="$CONFIG_FILES src/sysv/SUSE/sssd" ;; + "po/Makefile.in") CONFIG_FILES="$CONFIG_FILES po/Makefile.in" ;; + "src/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/man/Makefile" ;; + "src/tests/cwrap/Makefile") CONFIG_FILES="$CONFIG_FILES src/tests/cwrap/Makefile" ;; + "src/tests/intg/Makefile") CONFIG_FILES="$CONFIG_FILES src/tests/intg/Makefile" ;; + "src/tests/test_CA/Makefile") CONFIG_FILES="$CONFIG_FILES src/tests/test_CA/Makefile" ;; + "src/lib/ipa_hbac/ipa_hbac.pc") CONFIG_FILES="$CONFIG_FILES src/lib/ipa_hbac/ipa_hbac.pc" ;; + "src/lib/ipa_hbac/ipa_hbac.doxy") CONFIG_FILES="$CONFIG_FILES src/lib/ipa_hbac/ipa_hbac.doxy" ;; + "src/lib/idmap/sss_idmap.pc") CONFIG_FILES="$CONFIG_FILES src/lib/idmap/sss_idmap.pc" ;; + "src/lib/idmap/sss_idmap.doxy") CONFIG_FILES="$CONFIG_FILES src/lib/idmap/sss_idmap.doxy" ;; + "src/lib/certmap/sss_certmap.pc") CONFIG_FILES="$CONFIG_FILES src/lib/certmap/sss_certmap.pc" ;; + "src/lib/certmap/sss_certmap.doxy") CONFIG_FILES="$CONFIG_FILES src/lib/certmap/sss_certmap.doxy" ;; + "src/sss_client/idmap/sss_nss_idmap.pc") CONFIG_FILES="$CONFIG_FILES src/sss_client/idmap/sss_nss_idmap.pc" ;; + 
"src/sss_client/idmap/sss_nss_idmap.doxy") CONFIG_FILES="$CONFIG_FILES src/sss_client/idmap/sss_nss_idmap.doxy" ;; + "src/sss_client/libwbclient/wbclient_sssd.pc") CONFIG_FILES="$CONFIG_FILES src/sss_client/libwbclient/wbclient_sssd.pc" ;; + "src/lib/sifp/sss_simpleifp.pc") CONFIG_FILES="$CONFIG_FILES src/lib/sifp/sss_simpleifp.pc" ;; + "src/lib/sifp/sss_simpleifp.doxy") CONFIG_FILES="$CONFIG_FILES src/lib/sifp/sss_simpleifp.doxy" ;; + "src/config/setup.py") CONFIG_FILES="$CONFIG_FILES src/config/setup.py" ;; + "src/systemtap/sssd.stp") CONFIG_FILES="$CONFIG_FILES src/systemtap/sssd.stp" ;; + "src/config/SSSDConfig/__init__.py") CONFIG_FILES="$CONFIG_FILES src/config/SSSDConfig/__init__.py" ;; + + *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers + test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands +fi + +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= ac_tmp= + trap 'exit_status=$? + : "${ac_tmp:=$tmp}" + { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status +' 0 + trap 'as_fn_exit 1' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. 
+ +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +ac_tmp=$tmp + +# Set up the scripts for CONFIG_FILES section. +# No need to generate them if there are no CONFIG_FILES. +# This happens for instance with `./config.status config.h'. +if test -n "$CONFIG_FILES"; then + + +ac_cr=`echo X | tr X '\015'` +# On cygwin, bash can eat \r inside `` if the user requested igncr. +# But we know of no other shell where ac_cr would be empty at this +# point, so we can use a bashism as a fallback. +if test "x$ac_cr" = x; then + eval ac_cr=\$\'\\r\' +fi +ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` +if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then + ac_cs_awk_cr='\\r' +else + ac_cs_awk_cr=$ac_cr +fi + +echo 'BEGIN {' >"$ac_tmp/subs1.awk" && +_ACEOF + + +{ + echo "cat >conf$$subs.awk <<_ACEOF" && + echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && + echo "_ACEOF" +} >conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 +ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + . ./conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + + ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` + if test $ac_delim_n = $ac_delim_num; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! 
" + fi +done +rm -f conf$$subs.sh + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && +_ACEOF +sed -n ' +h +s/^/S["/; s/!.*/"]=/ +p +g +s/^[^!]*!// +:repl +t repl +s/'"$ac_delim"'$// +t delim +:nl +h +s/\(.\{148\}\)..*/\1/ +t more1 +s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +p +n +b repl +:more1 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t nl +:delim +h +s/\(.\{148\}\)..*/\1/ +t more2 +s/["\\]/\\&/g; s/^/"/; s/$/"/ +p +b +:more2 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t delim +' >$CONFIG_STATUS || ac_write_fail=1 +rm -f conf$$subs.awk +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACAWK +cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && + for (key in S) S_is_set[key] = 1 + FS = "" + +} +{ + line = $ 0 + nfields = split(line, field, "@") + substed = 0 + len = length(field[1]) + for (i = 2; i < nfields; i++) { + key = field[i] + keylen = length(key) + if (S_is_set[key]) { + value = S[key] + line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) + len += length(value) + length(field[++i]) + substed = 1 + } else + len += 1 + keylen + } + + print line +} + +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then + sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +else + cat +fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ + || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 +_ACEOF + +# VPATH may cause trouble with some makes, so we remove sole $(srcdir), +# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). 
+if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ +h +s/// +s/^/:/ +s/[ ]*$/:/ +s/:\$(srcdir):/:/g +s/:\${srcdir}:/:/g +s/:@srcdir@:/:/g +s/^:*// +s/:*$// +x +s/\(=[ ]*\).*/\1/ +G +s/\n// +s/^[^=]*=[ ]*$// +}' +fi + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +fi # test -n "$CONFIG_FILES" + +# Set up the scripts for CONFIG_HEADERS section. +# No need to generate them if there are no CONFIG_HEADERS. +# This happens for instance with `./config.status Makefile'. +if test -n "$CONFIG_HEADERS"; then +cat >"$ac_tmp/defines.awk" <<\_ACAWK || +BEGIN { +_ACEOF + +# Transform confdefs.h into an awk script `defines.awk', embedded as +# here-document in config.status, that substitutes the proper values into +# config.h.in to produce config.h. + +# Create a delimiter string that does not exist in confdefs.h, to ease +# handling of long lines. +ac_delim='%!_!# ' +for ac_last_try in false false :; do + ac_tt=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_tt"; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done + +# For the awk script, D is an array of macro values keyed by name, +# likewise P contains macro parameters if any. Preserve backslash +# newline sequences. 
+ +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +sed -n ' +s/.\{148\}/&'"$ac_delim"'/g +t rset +:rset +s/^[ ]*#[ ]*define[ ][ ]*/ / +t def +d +:def +s/\\$// +t bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3"/p +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p +d +:bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3\\\\\\n"\\/p +t cont +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p +t cont +d +:cont +n +s/.\{148\}/&'"$ac_delim"'/g +t clear +:clear +s/\\$// +t bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/"/p +d +:bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p +b cont +' >$CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + for (key in D) D_is_set[key] = 1 + FS = "" +} +/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { + line = \$ 0 + split(line, arg, " ") + if (arg[1] == "#") { + defundef = arg[2] + mac1 = arg[3] + } else { + defundef = substr(arg[1], 2) + mac1 = arg[2] + } + split(mac1, mac2, "(") #) + macro = mac2[1] + prefix = substr(line, 1, index(line, defundef) - 1) + if (D_is_set[macro]) { + # Preserve the white space surrounding the "#". + print prefix "define", macro P[macro] D[macro] + next + } else { + # Replace #undef with comments. This is necessary, for example, + # in the case of _POSIX_SOURCE, which is predefined and required + # on some systems where configure will not decide to define it. + if (defundef == "undef") { + print "/*", prefix defundef, macro, "*/" + next + } + } +} +{ print } +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 +fi # test -n "$CONFIG_HEADERS" + + +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS" +shift +for ac_tag +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) as_fn_error $? 
"invalid tag \`$ac_tag'" "$LINENO" 5;; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$ac_tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; + esac + case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac + as_fn_append ac_file_inputs " '$ac_f'" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input='Generated from '` + $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' + `' by configure.' + if test x"$ac_file" != x-; then + configure_input="$ac_file. $configure_input" + { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 +$as_echo "$as_me: creating $ac_file" >&6;} + fi + # Neutralize special characters interpreted by sed in replacement strings. + case $configure_input in #( + *\&* | *\|* | *\\* ) + ac_sed_conf_input=`$as_echo "$configure_input" | + sed 's/[\\\\&|]/\\\\&/g'`;; #( + *) ac_sed_conf_input=$configure_input;; + esac + + case $ac_tag in + *:-:* | *:-) cat >"$ac_tmp/stdin" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 
2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + as_dir="$ac_dir"; as_fn_mkdir_p + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + + case $ac_mode in + :F) + # + # CONFIG_FILE + # + + case $INSTALL in + [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; + *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; + esac + ac_MKDIR_P=$MKDIR_P + case $MKDIR_P in + [\\/$]* | ?:[\\/]* ) ;; + */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; + esac +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. 
+ac_datarootdir_hack=; ac_datarootdir_seen= +ac_sed_dataroot=' +/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p' +case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac +_ACEOF + +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_sed_extra="$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s|@configure_input@|$ac_sed_conf_input|;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@top_build_prefix@&$ac_top_build_prefix&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +s&@INSTALL@&$ac_INSTALL&;t t +s&@MKDIR_P@&$ac_MKDIR_P&;t t +$ac_datarootdir_hack +" +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ + >$ac_tmp/out || as_fn_error $? 
"could not create $ac_file" "$LINENO" 5 + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ + "$ac_tmp/out"`; test -z "$ac_out"; } && + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&5 +$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&2;} + + rm -f "$ac_tmp/stdin" + case $ac_file in + -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; + *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; + esac \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + ;; + :H) + # + # CONFIG_HEADER + # + if test x"$ac_file" != x-; then + { + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" + } >"$ac_tmp/config.h" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then + { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 +$as_echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f "$ac_file" + mv "$ac_tmp/config.h" "$ac_file" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + fi + else + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ + || as_fn_error $? "could not create -" "$LINENO" 5 + fi +# Compute "$ac_file"'s index in $config_headers. 
+_am_arg="$ac_file" +_am_stamp_count=1 +for _am_header in $config_headers :; do + case $_am_header in + $_am_arg | $_am_arg:* ) + break ;; + * ) + _am_stamp_count=`expr $_am_stamp_count + 1` ;; + esac +done +echo "timestamp for $_am_arg" >`$as_dirname -- "$_am_arg" || +$as_expr X"$_am_arg" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$_am_arg" : 'X\(//\)[^/]' \| \ + X"$_am_arg" : 'X\(//\)$' \| \ + X"$_am_arg" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$_am_arg" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'`/stamp-h$_am_stamp_count + ;; + + :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 +$as_echo "$as_me: executing $ac_file commands" >&6;} + ;; + esac + + + case $ac_file$ac_mode in + "depfiles":C) test x"$AMDEP_TRUE" != x"" || { + # Older Autoconf quotes --file arguments for eval, but not when files + # are listed without --file. Let's play safe and only enable the eval + # if we detect the quoting. + case $CONFIG_FILES in + *\'*) eval set x "$CONFIG_FILES" ;; + *) set x $CONFIG_FILES ;; + esac + shift + for mf + do + # Strip MF so we end up with the name of the file. + mf=`echo "$mf" | sed -e 's/:.*$//'` + # Check whether this is an Automake generated Makefile or not. + # We used to match only the files named 'Makefile.in', but + # some people rename them; so instead we look at the file content. + # Grep'ing the first line is not enough: some people post-process + # each Makefile.in and add a new line on top of each file to say so. + # Grep'ing the whole file is not good either: AIX grep has a line + # limit of 2048, but all sed's we know have understand at least 4000. 
+ if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then + dirpart=`$as_dirname -- "$mf" || +$as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$mf" : 'X\(//\)[^/]' \| \ + X"$mf" : 'X\(//\)$' \| \ + X"$mf" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$mf" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + else + continue + fi + # Extract the definition of DEPDIR, am__include, and am__quote + # from the Makefile without running 'make'. + DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` + test -z "$DEPDIR" && continue + am__include=`sed -n 's/^am__include = //p' < "$mf"` + test -z "$am__include" && continue + am__quote=`sed -n 's/^am__quote = //p' < "$mf"` + # Find all dependency output files, they are included files with + # $(DEPDIR) in their names. We invoke sed twice because it is the + # simplest approach to changing $(DEPDIR) to its actual value in the + # expansion. + for file in `sed -n " + s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ + sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g'`; do + # Make sure the directory exists. + test -f "$dirpart/$file" && continue + fdir=`$as_dirname -- "$file" || +$as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$file" : 'X\(//\)[^/]' \| \ + X"$file" : 'X\(//\)$' \| \ + X"$file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + as_dir=$dirpart/$fdir; as_fn_mkdir_p + # echo "creating $dirpart/$file" + echo '# dummy' > "$dirpart/$file" + done + done +} + ;; + "libtool":C) + + # See if we are running on zsh, and set the options that allow our + # commands through without removal of \ escapes. 
+ if test -n "${ZSH_VERSION+set}"; then + setopt NO_GLOB_SUBST + fi + + cfgfile=${ofile}T + trap "$RM \"$cfgfile\"; exit 1" 1 2 15 + $RM "$cfgfile" + + cat <<_LT_EOF >> "$cfgfile" +#! $SHELL +# Generated automatically by $as_me ($PACKAGE) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# NOTE: Changes made to this file will be lost: look at ltmain.sh. + +# Provide generalized library-building support services. +# Written by Gordon Matzigkeit, 1996 + +# Copyright (C) 2014 Free Software Foundation, Inc. +# This is free software; see the source for copying conditions. There is NO +# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +# GNU Libtool is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of of the License, or +# (at your option) any later version. +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program or library that is built +# using GNU Libtool, you may include this file under the same +# distribution terms that you use for the rest of that program. +# +# GNU Libtool is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + +# The names of the tagged configurations supported by this script. +available_tags='' + +# Configured defaults for sys_lib_dlsearch_path munging. +: \${LT_SYS_LIBRARY_PATH="$configure_time_lt_sys_library_path"} + +# ### BEGIN LIBTOOL CONFIG + +# Whether or not to build static libraries. +build_old_libs=$enable_static + +# Which release of libtool.m4 was used? 
+macro_version=$macro_version +macro_revision=$macro_revision + +# Whether or not to build shared libraries. +build_libtool_libs=$enable_shared + +# What type of objects to build. +pic_mode=$pic_mode + +# Whether or not to optimize for fast installation. +fast_install=$enable_fast_install + +# Shared archive member basename,for filename based shared library versioning on AIX. +shared_archive_member_spec=$shared_archive_member_spec + +# Shell to use when invoking shell scripts. +SHELL=$lt_SHELL + +# An echo program that protects backslashes. +ECHO=$lt_ECHO + +# The PATH separator for the build system. +PATH_SEPARATOR=$lt_PATH_SEPARATOR + +# The host system. +host_alias=$host_alias +host=$host +host_os=$host_os + +# The build system. +build_alias=$build_alias +build=$build +build_os=$build_os + +# A sed program that does not truncate output. +SED=$lt_SED + +# Sed that helps us avoid accidentally triggering echo(1) options like -n. +Xsed="\$SED -e 1s/^X//" + +# A grep program that handles long lines. +GREP=$lt_GREP + +# An ERE matcher. +EGREP=$lt_EGREP + +# A literal string matcher. +FGREP=$lt_FGREP + +# A BSD- or MS-compatible name lister. +NM=$lt_NM + +# Whether we need soft or hard links. +LN_S=$lt_LN_S + +# What is the maximum length of a command? +max_cmd_len=$max_cmd_len + +# Object file suffix (normally "o"). +objext=$ac_objext + +# Executable file suffix (normally ""). +exeext=$exeext + +# whether the shell understands "unset". +lt_unset=$lt_unset + +# turn spaces into newlines. +SP2NL=$lt_lt_SP2NL + +# turn newlines into spaces. +NL2SP=$lt_lt_NL2SP + +# convert \$build file names to \$host format. +to_host_file_cmd=$lt_cv_to_host_file_cmd + +# convert \$build files to toolchain format. +to_tool_file_cmd=$lt_cv_to_tool_file_cmd + +# An object symbol dumper. +OBJDUMP=$lt_OBJDUMP + +# Method to check whether dependent libraries are shared objects. +deplibs_check_method=$lt_deplibs_check_method + +# Command to use when deplibs_check_method = "file_magic". 
+file_magic_cmd=$lt_file_magic_cmd + +# How to find potential files when deplibs_check_method = "file_magic". +file_magic_glob=$lt_file_magic_glob + +# Find potential files using nocaseglob when deplibs_check_method = "file_magic". +want_nocaseglob=$lt_want_nocaseglob + +# DLL creation program. +DLLTOOL=$lt_DLLTOOL + +# Command to associate shared and link libraries. +sharedlib_from_linklib_cmd=$lt_sharedlib_from_linklib_cmd + +# The archiver. +AR=$lt_AR + +# Flags to create an archive. +AR_FLAGS=$lt_AR_FLAGS + +# How to feed a file listing to the archiver. +archiver_list_spec=$lt_archiver_list_spec + +# A symbol stripping program. +STRIP=$lt_STRIP + +# Commands used to install an old-style archive. +RANLIB=$lt_RANLIB +old_postinstall_cmds=$lt_old_postinstall_cmds +old_postuninstall_cmds=$lt_old_postuninstall_cmds + +# Whether to use a lock for old archive extraction. +lock_old_archive_extraction=$lock_old_archive_extraction + +# A C compiler. +LTCC=$lt_CC + +# LTCC compiler flags. +LTCFLAGS=$lt_CFLAGS + +# Take the output of nm and produce a listing of raw symbols and C names. +global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe + +# Transform the output of nm in a proper C declaration. +global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl + +# Transform the output of nm into a list of symbols to manually relocate. +global_symbol_to_import=$lt_lt_cv_sys_global_symbol_to_import + +# Transform the output of nm in a C name address pair. +global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address + +# Transform the output of nm in a C name address pair when lib prefix is needed. +global_symbol_to_c_name_address_lib_prefix=$lt_lt_cv_sys_global_symbol_to_c_name_address_lib_prefix + +# The name lister interface. +nm_interface=$lt_lt_cv_nm_interface + +# Specify filename containing input files for \$NM. +nm_file_list_spec=$lt_nm_file_list_spec + +# The root where to search for dependent libraries,and where our libraries should be installed. 
+lt_sysroot=$lt_sysroot + +# Command to truncate a binary pipe. +lt_truncate_bin=$lt_lt_cv_truncate_bin + +# The name of the directory that contains temporary libtool files. +objdir=$objdir + +# Used to examine libraries when file_magic_cmd begins with "file". +MAGIC_CMD=$MAGIC_CMD + +# Must we lock files when doing compilation? +need_locks=$lt_need_locks + +# Manifest tool. +MANIFEST_TOOL=$lt_MANIFEST_TOOL + +# Tool to manipulate archived DWARF debug symbol files on Mac OS X. +DSYMUTIL=$lt_DSYMUTIL + +# Tool to change global to local symbols on Mac OS X. +NMEDIT=$lt_NMEDIT + +# Tool to manipulate fat objects and archives on Mac OS X. +LIPO=$lt_LIPO + +# ldd/readelf like tool for Mach-O binaries on Mac OS X. +OTOOL=$lt_OTOOL + +# ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4. +OTOOL64=$lt_OTOOL64 + +# Old archive suffix (normally "a"). +libext=$libext + +# Shared library suffix (normally ".so"). +shrext_cmds=$lt_shrext_cmds + +# The commands to extract the exported symbol list from a shared archive. +extract_expsyms_cmds=$lt_extract_expsyms_cmds + +# Variables whose values should be saved in libtool wrapper scripts and +# restored at link time. +variables_saved_for_relink=$lt_variables_saved_for_relink + +# Do we need the "lib" prefix for modules? +need_lib_prefix=$need_lib_prefix + +# Do we need a version for libraries? +need_version=$need_version + +# Library versioning type. +version_type=$version_type + +# Shared library runtime path variable. +runpath_var=$runpath_var + +# Shared library path variable. +shlibpath_var=$shlibpath_var + +# Is shlibpath searched before the hard-coded library search path? +shlibpath_overrides_runpath=$shlibpath_overrides_runpath + +# Format of library name prefix. +libname_spec=$lt_libname_spec + +# List of archive names. First name is the real one, the rest are links. 
+# The last name is the one that the linker finds with -lNAME +library_names_spec=$lt_library_names_spec + +# The coded name of the library, if different from the real name. +soname_spec=$lt_soname_spec + +# Permission mode override for installation of shared libraries. +install_override_mode=$lt_install_override_mode + +# Command to use after installation of a shared archive. +postinstall_cmds=$lt_postinstall_cmds + +# Command to use after uninstallation of a shared archive. +postuninstall_cmds=$lt_postuninstall_cmds + +# Commands used to finish a libtool library installation in a directory. +finish_cmds=$lt_finish_cmds + +# As "finish_cmds", except a single script fragment to be evaled but +# not shown. +finish_eval=$lt_finish_eval + +# Whether we should hardcode library paths into libraries. +hardcode_into_libs=$hardcode_into_libs + +# Compile-time system search path for libraries. +sys_lib_search_path_spec=$lt_sys_lib_search_path_spec + +# Detected run-time system search path for libraries. +sys_lib_dlsearch_path_spec=$lt_configure_time_dlsearch_path + +# Explicit LT_SYS_LIBRARY_PATH set during ./configure time. +configure_time_lt_sys_library_path=$lt_configure_time_lt_sys_library_path + +# Whether dlopen is supported. +dlopen_support=$enable_dlopen + +# Whether dlopen of programs is supported. +dlopen_self=$enable_dlopen_self + +# Whether dlopen of statically linked programs is supported. +dlopen_self_static=$enable_dlopen_self_static + +# Commands to strip libraries. +old_striplib=$lt_old_striplib +striplib=$lt_striplib + + +# The linker used to build libraries. +LD=$lt_LD + +# How to create reloadable object files. +reload_flag=$lt_reload_flag +reload_cmds=$lt_reload_cmds + +# Commands used to build an old-style archive. +old_archive_cmds=$lt_old_archive_cmds + +# A language specific compiler. +CC=$lt_compiler + +# Is the compiler the GNU compiler? +with_gcc=$GCC + +# Compiler flag to turn off builtin functions. 
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag + +# Additional compiler flags for building library objects. +pic_flag=$lt_lt_prog_compiler_pic + +# How to pass a linker flag through the compiler. +wl=$lt_lt_prog_compiler_wl + +# Compiler flag to prevent dynamic linking. +link_static_flag=$lt_lt_prog_compiler_static + +# Does compiler simultaneously support -c and -o options? +compiler_c_o=$lt_lt_cv_prog_compiler_c_o + +# Whether or not to add -lc for building shared libraries. +build_libtool_need_lc=$archive_cmds_need_lc + +# Whether or not to disallow shared libs when runtime libs are static. +allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes + +# Compiler flag to allow reflexive dlopens. +export_dynamic_flag_spec=$lt_export_dynamic_flag_spec + +# Compiler flag to generate shared objects directly from archives. +whole_archive_flag_spec=$lt_whole_archive_flag_spec + +# Whether the compiler copes with passing no objects directly. +compiler_needs_object=$lt_compiler_needs_object + +# Create an old-style archive from a shared archive. +old_archive_from_new_cmds=$lt_old_archive_from_new_cmds + +# Create a temporary old-style archive to link instead of a shared archive. +old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds + +# Commands used to build a shared archive. +archive_cmds=$lt_archive_cmds +archive_expsym_cmds=$lt_archive_expsym_cmds + +# Commands used to build a loadable module if different from building +# a shared archive. +module_cmds=$lt_module_cmds +module_expsym_cmds=$lt_module_expsym_cmds + +# Whether we are building with GNU ld or not. +with_gnu_ld=$lt_with_gnu_ld + +# Flag that allows shared libraries with undefined symbols to be built. +allow_undefined_flag=$lt_allow_undefined_flag + +# Flag that enforces no undefined symbols. +no_undefined_flag=$lt_no_undefined_flag + +# Flag to hardcode \$libdir into a binary during linking. 
+# This must work even if \$libdir does not exist +hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec + +# Whether we need a single "-rpath" flag with a separated argument. +hardcode_libdir_separator=$lt_hardcode_libdir_separator + +# Set to "yes" if using DIR/libNAME\$shared_ext during linking hardcodes +# DIR into the resulting binary. +hardcode_direct=$hardcode_direct + +# Set to "yes" if using DIR/libNAME\$shared_ext during linking hardcodes +# DIR into the resulting binary and the resulting library dependency is +# "absolute",i.e impossible to change by setting \$shlibpath_var if the +# library is relocated. +hardcode_direct_absolute=$hardcode_direct_absolute + +# Set to "yes" if using the -LDIR flag during linking hardcodes DIR +# into the resulting binary. +hardcode_minus_L=$hardcode_minus_L + +# Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR +# into the resulting binary. +hardcode_shlibpath_var=$hardcode_shlibpath_var + +# Set to "yes" if building a shared library automatically hardcodes DIR +# into the library and all subsequent libraries and executables linked +# against it. +hardcode_automatic=$hardcode_automatic + +# Set to yes if linker adds runtime paths of dependent libraries +# to runtime path list. +inherit_rpath=$inherit_rpath + +# Whether libtool must link a program against all its dependency libraries. +link_all_deplibs=$link_all_deplibs + +# Set to "yes" if exported symbols are required. +always_export_symbols=$always_export_symbols + +# The commands to list exported symbols. +export_symbols_cmds=$lt_export_symbols_cmds + +# Symbols that should not be listed in the preloaded symbols. +exclude_expsyms=$lt_exclude_expsyms + +# Symbols that must always be exported. +include_expsyms=$lt_include_expsyms + +# Commands necessary for linking programs (against libraries) with templates. +prelink_cmds=$lt_prelink_cmds + +# Commands necessary for finishing linking programs. 
+postlink_cmds=$lt_postlink_cmds + +# Specify filename containing input files. +file_list_spec=$lt_file_list_spec + +# How to hardcode a shared library path into an executable. +hardcode_action=$hardcode_action + +# ### END LIBTOOL CONFIG + +_LT_EOF + + cat <<'_LT_EOF' >> "$cfgfile" + +# ### BEGIN FUNCTIONS SHARED WITH CONFIGURE + +# func_munge_path_list VARIABLE PATH +# ----------------------------------- +# VARIABLE is name of variable containing _space_ separated list of +# directories to be munged by the contents of PATH, which is string +# having a format: +# "DIR[:DIR]:" +# string "DIR[ DIR]" will be prepended to VARIABLE +# ":DIR[:DIR]" +# string "DIR[ DIR]" will be appended to VARIABLE +# "DIRP[:DIRP]::[DIRA:]DIRA" +# string "DIRP[ DIRP]" will be prepended to VARIABLE and string +# "DIRA[ DIRA]" will be appended to VARIABLE +# "DIR[:DIR]" +# VARIABLE will be replaced by "DIR[ DIR]" +func_munge_path_list () +{ + case x$2 in + x) + ;; + *:) + eval $1=\"`$ECHO $2 | $SED 's/:/ /g'` \$$1\" + ;; + x:*) + eval $1=\"\$$1 `$ECHO $2 | $SED 's/:/ /g'`\" + ;; + *::*) + eval $1=\"\$$1\ `$ECHO $2 | $SED -e 's/.*:://' -e 's/:/ /g'`\" + eval $1=\"`$ECHO $2 | $SED -e 's/::.*//' -e 's/:/ /g'`\ \$$1\" + ;; + *) + eval $1=\"`$ECHO $2 | $SED 's/:/ /g'`\" + ;; + esac +} + + +# Calculate cc_basename. Skip known compiler wrappers and cross-prefix. +func_cc_basename () +{ + for cc_temp in $*""; do + case $cc_temp in + compile | *[\\/]compile | ccache | *[\\/]ccache ) ;; + distcc | *[\\/]distcc | purify | *[\\/]purify ) ;; + \-*) ;; + *) break;; + esac + done + func_cc_basename_result=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` +} + + +# ### END FUNCTIONS SHARED WITH CONFIGURE + +_LT_EOF + + case $host_os in + aix3*) + cat <<\_LT_EOF >> "$cfgfile" +# AIX sometimes has problems with the GCC collect2 program. For some +# reason, if we set the COLLECT_NAMES environment variable, the problems +# vanish in a puff of smoke. 
+if test set != "${COLLECT_NAMES+set}"; then + COLLECT_NAMES= + export COLLECT_NAMES +fi +_LT_EOF + ;; + esac + + +ltmain=$ac_aux_dir/ltmain.sh + + + # We use sed instead of cat because bash on DJGPP gets confused if + # if finds mixed CR/LF and LF-only lines. Since sed operates in + # text mode, it properly converts lines to CR/LF. This bash problem + # is reportedly fixed, but why not run on old versions too? + sed '$q' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + mv -f "$cfgfile" "$ofile" || + (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") + chmod +x "$ofile" + + ;; + "default-1":C) + for ac_file in $CONFIG_FILES; do + # Support "outfile[:infile[:infile...]]" + case "$ac_file" in + *:*) ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + esac + # PO directories have a Makefile.in generated from Makefile.in.in. + case "$ac_file" in */Makefile.in) + # Adjust a relative srcdir. + ac_dir=`echo "$ac_file"|sed 's%/[^/][^/]*$%%'` + ac_dir_suffix="/`echo "$ac_dir"|sed 's%^\./%%'`" + ac_dots=`echo "$ac_dir_suffix"|sed 's%/[^/]*%../%g'` + # In autoconf-2.13 it is called $ac_given_srcdir. + # In autoconf-2.50 it is called $srcdir. + test -n "$ac_given_srcdir" || ac_given_srcdir="$srcdir" + case "$ac_given_srcdir" in + .) top_srcdir=`echo $ac_dots|sed 's%/$%%'` ;; + /*) top_srcdir="$ac_given_srcdir" ;; + *) top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + # Treat a directory as a PO directory if and only if it has a + # POTFILES.in file. This allows packages to have multiple PO + # directories under different names or in different locations. 
+ if test -f "$ac_given_srcdir/$ac_dir/POTFILES.in"; then + rm -f "$ac_dir/POTFILES" + test -n "$as_me" && echo "$as_me: creating $ac_dir/POTFILES" || echo "creating $ac_dir/POTFILES" + cat "$ac_given_srcdir/$ac_dir/POTFILES.in" | sed -e "/^#/d" -e "/^[ ]*\$/d" -e "s,.*, $top_srcdir/& \\\\," | sed -e "\$s/\(.*\) \\\\/\1/" > "$ac_dir/POTFILES" + POMAKEFILEDEPS="POTFILES.in" + # ALL_LINGUAS, POFILES, UPDATEPOFILES, DUMMYPOFILES, GMOFILES depend + # on $ac_dir but don't depend on user-specified configuration + # parameters. + if test -f "$ac_given_srcdir/$ac_dir/LINGUAS"; then + # The LINGUAS file contains the set of available languages. + if test -n "$OBSOLETE_ALL_LINGUAS"; then + test -n "$as_me" && echo "$as_me: setting ALL_LINGUAS in configure.in is obsolete" || echo "setting ALL_LINGUAS in configure.in is obsolete" + fi + ALL_LINGUAS_=`sed -e "/^#/d" -e "s/#.*//" "$ac_given_srcdir/$ac_dir/LINGUAS"` + # Hide the ALL_LINGUAS assigment from automake. + eval 'ALL_LINGUAS''=$ALL_LINGUAS_' + POMAKEFILEDEPS="$POMAKEFILEDEPS LINGUAS" + else + # The set of available languages was given in configure.in. + eval 'ALL_LINGUAS''=$OBSOLETE_ALL_LINGUAS' + fi + # Compute POFILES + # as $(foreach lang, $(ALL_LINGUAS), $(srcdir)/$(lang).po) + # Compute UPDATEPOFILES + # as $(foreach lang, $(ALL_LINGUAS), $(lang).po-update) + # Compute DUMMYPOFILES + # as $(foreach lang, $(ALL_LINGUAS), $(lang).nop) + # Compute GMOFILES + # as $(foreach lang, $(ALL_LINGUAS), $(srcdir)/$(lang).gmo) + case "$ac_given_srcdir" in + .) srcdirpre= ;; + *) srcdirpre='$(srcdir)/' ;; + esac + POFILES= + UPDATEPOFILES= + DUMMYPOFILES= + GMOFILES= + for lang in $ALL_LINGUAS; do + POFILES="$POFILES $srcdirpre$lang.po" + UPDATEPOFILES="$UPDATEPOFILES $lang.po-update" + DUMMYPOFILES="$DUMMYPOFILES $lang.nop" + GMOFILES="$GMOFILES $srcdirpre$lang.gmo" + done + # CATALOGS depends on both $ac_dir and the user's LINGUAS + # environment variable. 
+ INST_LINGUAS= + if test -n "$ALL_LINGUAS"; then + for presentlang in $ALL_LINGUAS; do + useit=no + if test "%UNSET%" != "$LINGUAS"; then + desiredlanguages="$LINGUAS" + else + desiredlanguages="$ALL_LINGUAS" + fi + for desiredlang in $desiredlanguages; do + # Use the presentlang catalog if desiredlang is + # a. equal to presentlang, or + # b. a variant of presentlang (because in this case, + # presentlang can be used as a fallback for messages + # which are not translated in the desiredlang catalog). + case "$desiredlang" in + "$presentlang"*) useit=yes;; + esac + done + if test $useit = yes; then + INST_LINGUAS="$INST_LINGUAS $presentlang" + fi + done + fi + CATALOGS= + if test -n "$INST_LINGUAS"; then + for lang in $INST_LINGUAS; do + CATALOGS="$CATALOGS $lang.gmo" + done + fi + test -n "$as_me" && echo "$as_me: creating $ac_dir/Makefile" || echo "creating $ac_dir/Makefile" + sed -e "/^POTFILES =/r $ac_dir/POTFILES" -e "/^# Makevars/r $ac_given_srcdir/$ac_dir/Makevars" -e "s|@POFILES@|$POFILES|g" -e "s|@UPDATEPOFILES@|$UPDATEPOFILES|g" -e "s|@DUMMYPOFILES@|$DUMMYPOFILES|g" -e "s|@GMOFILES@|$GMOFILES|g" -e "s|@CATALOGS@|$CATALOGS|g" -e "s|@POMAKEFILEDEPS@|$POMAKEFILEDEPS|g" "$ac_dir/Makefile.in" > "$ac_dir/Makefile" + for f in "$ac_given_srcdir/$ac_dir"/Rules-*; do + if test -f "$f"; then + case "$f" in + *.orig | *.bak | *~) ;; + *) cat "$f" >> "$ac_dir/Makefile" ;; + esac + fi + done + fi + ;; + esac + done ;; + + esac +done # for ac_tag + + +as_fn_exit 0 +_ACEOF +ac_clean_files=$ac_clean_files_save + +test $ac_write_fail = 0 || + as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 + + +# configure is writing to config.log, and then calls config.status. +# config.status does its own redirection, appending to config.log. +# Unfortunately, on DOS this fails, as config.log is still kept open +# by configure, so config.status won't be able to write to it; its +# output is simply discarded. 
So we exec the FD to /dev/null, +# effectively closing config.log, so it can be properly (re)opened and +# appended to by config.status. When coming back to configure, we +# need to make the FD available again. +if test "$no_create" != yes; then + ac_cs_success=: + ac_config_status_args= + test "$silent" = yes && + ac_config_status_args="$ac_config_status_args --quiet" + exec 5>/dev/null + $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false + exec 5>>config.log + # Use ||, not &&, to avoid exiting from the if with $? = 1, which + # would make configure fail if this is the last instruction. + $ac_cs_success || as_fn_exit 1 +fi +if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 +$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} +fi + diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..9df463d --- /dev/null +++ b/configure.ac 
@@ -0,0 +1,522 @@ +AC_PREREQ(2.59) + +m4_include([version.m4]) +AC_INIT([sssd], + VERSION_NUMBER, + [sssd-devel@lists.fedorahosted.org]) +AC_CONFIG_SRCDIR([BUILD.txt]) +AC_CONFIG_AUX_DIR([build]) + +m4_ifdef([AC_USE_SYSTEM_EXTENSIONS], + [AC_USE_SYSTEM_EXTENSIONS], + [AC_GNU_SOURCE]) + +CFLAGS="$CFLAGS -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE" + + +AM_INIT_AUTOMAKE([-Wall -Wno-portability foreign subdir-objects tar-pax + parallel-tests]) +AM_PROG_CC_C_O +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) +AC_DISABLE_STATIC +AC_PROG_INSTALL +LT_INIT +m4_ifdef([AC_PROG_MKDIR_P], + [AC_PROG_MKDIR_P], + [AC_SUBST([MKDIR_P], "mkdir -p")]) +LT_LIB_DLLOAD +AC_CONFIG_MACRO_DIR([m4]) +AM_GNU_GETTEXT([external]) +AM_GNU_GETTEXT_VERSION([0.14.4]) + +AC_SUBST([PRERELEASE_VERSION], + PRERELEASE_VERSION_NUMBER) + +AC_DEFINE([PRERELEASE_VERSION], "PRERELEASE_VERSION_NUMBER", + [Prerelease version number of package]) + +AM_CONDITIONAL([GIT_CHECKOUT], [git log -1 >/dev/null 2>&1]) + +m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES]) + +AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes]) + +AC_CHECK_HEADERS(stdint.h dlfcn.h) +AC_CONFIG_HEADER(config.h) + +AC_CHECK_TYPES([errno_t], [], [], [[#include ]]) + +m4_include([src/build_macros.m4]) +BUILD_WITH_SHARED_BUILD_DIR + +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM([[#include ]], + [[pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER; + (void) m; /* unused */ + ]])], + [AC_DEFINE([HAVE_PTHREAD], [1], [Pthread mutexes available.]) + HAVE_PTHREAD=1 + ], + [AC_MSG_WARN([Pthread library not found! 
Clients will not be thread safe...])]) + + +AM_CONDITIONAL([HAVE_PTHREAD], [test x"$HAVE_PTHREAD" != "x"]) + +# Check library for the timer_create function +SAVE_LIBS=$LIBS +LIBS= +LIBADD_TIMER= +AC_SEARCH_LIBS([timer_create], [rt posix4], + [AC_DEFINE([HAVE_LIBRT], [1], + [Define if you have the librt library or equivalent.]) + LIBADD_TIMER="$LIBS"], + [AC_MSG_ERROR([unable to find library fot the timer_create() function])]) + +AC_SUBST([LIBADD_TIMER]) +LIBS=$SAVE_LIBS + +# Check library for the clock_gettime function +SAVE_LIBS=$LIBS +LIBS= +LIBCLOCK_GETTIME= +AC_SEARCH_LIBS([clock_gettime], [rt posix4], + [AC_DEFINE([HAVE_LIBRT], [1], + [Define if you have the librt library or equivalent.]) + LIBCLOCK_GETTIME="$LIBS"], + [AC_MSG_ERROR([unable to find library for the clock_gettime() function])]) + +AC_SUBST([LIBCLOCK_GETTIME]) +LIBS=$SAVE_LIBS + +# Check for presence of modern functions for setting file timestamps +AC_CHECK_FUNCS([ utimensat \ + futimens ]) + +#Check for endian headers +AC_CHECK_HEADERS([endian.h sys/endian.h byteswap.h]) + +AC_C_BIGENDIAN([AC_DEFINE(HAVE_BIG_ENDIAN, [1], [whether platform is big endian])], + [AC_DEFINE(HAVE_LITTLE_ENDIAN, [1], [whether platform is little endian])]) + +#Set the NSS library install path +AC_ARG_ENABLE([nsslibdir], [AS_HELP_STRING([--enable-nsslibdir], + [Where to install nss libraries ($libdir)])], + [nsslibdir=$enableval], + [nsslibdir=$libdir]) +AC_SUBST(nsslibdir) + +#Set the PAM module install path +AC_ARG_ENABLE([pammoddir], [AS_HELP_STRING([--enable-pammoddir], + [Where to install pam modules ($libdir/security)])], + [pammoddir=$enableval], + [pammoddir=$libdir/security]) +AC_SUBST(pammoddir) + +#Set the NFSv4 idmapd library install path +AC_ARG_ENABLE([nfsidmaplibdir], [AS_HELP_STRING([--enable-nfsidmaplibdir], + [Where to install libnfsidmap libraries ($libdir/libnfsidmap)])], + [nfsidmaplibdir=$enableval], + [nfsidmaplibdir=$libdir/libnfsidmap]) +AC_SUBST(nfsidmaplibdir) + +#Include here cause 
WITH_INIT_DIR requires $osname set in platform.m4 +m4_include([src/external/platform.m4]) + +m4_include(src/conf_macros.m4) +WITH_DB_PATH +WITH_PLUGIN_PATH +WITH_PID_PATH +WITH_LOG_PATH +WITH_PUBCONF_PATH +WITH_PIPE_PATH +WITH_MCACHE_PATH +WITH_DEFAULT_CCACHE_DIR +WITH_DEFAULT_CCNAME_TEMPLATE +WITH_ENVIRONMENT_FILE +WITH_INIT_DIR +WITH_TEST_DIR +WITH_MANPAGES +WITH_XML_CATALOG +WITH_KRB5_PLUGIN_PATH +WITH_KRB5_RCACHE_DIR +WITH_KRB5AUTHDATA_PLUGIN_PATH +WITH_KRB5_CONF +WITH_PYTHON2_BINDINGS +WITH_PYTHON3_BINDINGS +WITH_CIFS_PLUGIN_PATH +WITH_WINBIND_PLUGIN_PATH +WITH_SELINUX +WITH_NSCD +WITH_IPA_GETKEYTAB +WITH_SEMANAGE +WITH_AD_GPO_DEFAULT +WITH_GPO_CACHE_PATH +WITH_NOLOGIN_SHELL +WITH_SESSION_RECORDING_SHELL +WITH_APP_LIBS +WITH_SUDO +WITH_SUDO_LIB_PATH +WITH_AUTOFS +WITH_SSH +WITH_IFP +WITH_CRYPTO +WITH_SYSLOG +WITH_SAMBA +WITH_NFS +WITH_NFS_LIB_PATH +WITH_LIBWBCLIENT +WITH_SSSD_USER +SSSD_RUNSTATEDIR +WITH_SECRETS +WITH_SECRETS_DB_PATH +WITH_KCM + +m4_include([src/external/pkg.m4]) +m4_include([src/external/libpopt.m4]) +m4_include([src/external/libtalloc.m4]) +m4_include([src/external/libtdb.m4]) +m4_include([src/external/libtevent.m4]) +m4_include([src/external/libldb.m4]) +m4_include([src/external/libdhash.m4]) +m4_include([src/external/libcollection.m4]) +m4_include([src/external/libini_config.m4]) +m4_include([src/external/pam.m4]) +m4_include([src/external/ldap.m4]) +m4_include([src/external/libpcre.m4]) +m4_include([src/external/krb5.m4]) +m4_include([src/external/libcares.m4]) +m4_include([src/external/libcmocka.m4]) +m4_include([src/external/docbook.m4]) +m4_include([src/external/sizes.m4]) +m4_include([src/external/python.m4]) +m4_include([src/external/selinux.m4]) +m4_include([src/external/crypto.m4]) +m4_include([src/external/nscd.m4]) +m4_include([src/external/nsupdate.m4]) +m4_include([src/external/libkeyutils.m4]) +m4_include([src/external/libnl.m4]) +m4_include([src/external/systemd.m4]) +m4_include([src/external/pac_responder.m4]) 
+m4_include([src/external/cifsidmap.m4]) +m4_include([src/external/signal.m4]) +m4_include([src/external/inotify.m4]) +m4_include([src/external/samba.m4]) +m4_include([src/external/sasl.m4]) +m4_include([src/external/libnfsidmap.m4]) +m4_include([src/external/cwrap.m4]) +m4_include([src/external/libresolv.m4]) +m4_include([src/external/intgcheck.m4]) +m4_include([src/external/systemtap.m4]) +m4_include([src/external/service.m4]) +m4_include([src/external/test_ca.m4]) + +if test x$with_secrets = xyes; then + m4_include([src/external/libhttp_parser.m4]) +fi + +if test x$with_kcm = xyes; then + m4_include([src/external/libuuid.m4]) +fi + +if test x$with_kcm = xyes -o x$with_secrets = xyes; then + m4_include([src/external/libcurl.m4]) + m4_include([src/external/libjansson.m4]) +fi + +# This variable is defined by external/libcurl.m4, but conditionals +# must be always evaluated +AM_CONDITIONAL([BUILD_WITH_LIBCURL], + [test x"$have_curlopt_unix_sockpath" = xyes]) + +WITH_UNICODE_LIB +if test x$unicode_lib = xlibunistring; then + m4_include([src/external/libunistring.m4]) + AC_DEFINE_UNQUOTED(HAVE_LIBUNISTRING, 1, [Using libunistring for unicode]) + UNICODE_LIBS=$UNISTRING_LIBS +else + m4_include([src/external/glib.m4]) + AC_DEFINE_UNQUOTED(HAVE_GLIB2, 1, [Using glib2 for unicode]) + UNICODE_LIBS=$GLIB2_LIBS +fi +AC_SUBST(UNICODE_LIBS) + +WITH_LIBNL + +if test x$HAVE_NSCD; then + WITH_NSCD_CONF +fi + +WITH_INITSCRIPT +if test x$initscript = xsystemd; then + WITH_SYSTEMD_UNIT_DIR + WITH_SYSTEMD_CONF_DIR +else + CHECK_SERVICE_EXECUTABLE +fi + +PKG_CHECK_MODULES([DBUS],[dbus-1]) +dnl if test -n "`$PKG_CONFIG --modversion dbus-1 | grep '^0\.'`" ; then +if ! 
$PKG_CONFIG --atleast-version 1.0.0 dbus-1; then + DBUS_CFLAGS="$DBUS_CFLAGS -DDBUS_API_SUBJECT_TO_CHANGE" + AC_MSG_RESULT([setting -DDBUS_API_SUBJECT_TO_CHANGE]) +fi + +if test x$has_dbus != xno; then + SAFE_LIBS="$LIBS" + LIBS="$DBUS_LIBS" + SAFE_CFLAGS=$CFLAGS + CFLAGS="$CFLAGS $DBUS_CFLAGS" + + AC_CHECK_FUNC([dbus_watch_get_unix_fd], + AC_DEFINE([HAVE_DBUS_WATCH_GET_UNIX_FD], [1], + [Define if dbus_watch_get_unix_fd exists])) + AC_CHECK_TYPES([DBusBasicValue], + [], + [], + [ #include ]) + + LIBS="$SAFE_LIBS" + CFLAGS=$SAFE_CFLAGS +fi + +# work around a bug in cov-build from Coverity +test -n "$XML_CATALOG_FILES" || unset XML_CATALOG_FILES + +if test x$HAVE_MANPAGES != x; then + CHECK_XML_TOOLS + + DOCBOOK_XSLT=http://docbook.sourceforge.net/release/xsl/current/manpages/profile-docbook.xsl + CHECK_STYLESHEET([$SGML_CATALOG_FILES], + [$DOCBOOK_XSLT], + [Docbook XSL profiling templates], + [HAVE_PROFILE_CATALOGS=1], + [AC_MSG_WARN([Man pages might contain documentation for experimental features])]) + + if test x$HAVE_PROFILE_CATALOGS = x; then + DOCBOOK_XSLT=http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl + CHECK_STYLESHEET([$SGML_CATALOG_FILES], + [$DOCBOOK_XSLT], + [Docbook XSL templates], + [], + [AC_MSG_ERROR([could not find the docbook xsl catalog])]) + fi + + AC_CHECK_PROG([PO4A],[po4a],[po4a],[no]) + AC_SUBST(DOCBOOK_XSLT) +fi +AM_CONDITIONAL([HAVE_PROFILE_CATALOGS], [test "x$HAVE_PROFILE_CATALOGS" != "x"]) +AM_CONDITIONAL([HAVE_MANPAGES], [test "x$HAVE_MANPAGES" != "x"]) +AM_CONDITIONAL([HAVE_PO4A], [test "x$PO4A" != "xno"]) + +AC_CHECK_PROG(HAVE_PYTHON2, python2, yes, no) +AS_IF([test x$HAVE_PYTHON2 = xyes], + [AC_PATH_PROG(PYTHON2, python2)]) + +AC_CHECK_PROG(HAVE_PYTHON3, python3, yes, no) +AS_IF([test x$HAVE_PYTHON3 = xyes], + [AC_PATH_PROG(PYTHON3, python3)]) + +if test x$HAVE_PYTHON2_BINDINGS = x1; then + AS_IF([test x$HAVE_PYTHON2 != xyes], + [AC_MSG_ERROR([ +The program python2 was not found in search path. 
+Please ensure that it is installed and its directory is included in the search +path. It is required for building python2 bindings. If you do not want to build +them please use argument --without-python2-bindings when running configure.])]) + + PYTHON=$PYTHON2 + AM_PATH_PYTHON([2.6]) + AM_PYTHON_CONFIG([python2]) + AM_CHECK_PYTHON_HEADERS([], + AC_MSG_ERROR([Could not find python2 headers])) + + AC_SUBST([py2execdir], [$pyexecdir]) + AC_SUBST([python2dir], [$pythondir]) + AC_SUBST([PYTHON2_CFLAGS], [$PYTHON_CFLAGS]) + AC_SUBST([PYTHON2_LIBS], [$PYTHON_LIBS]) + AC_SUBST([PYTHON2_INCLUDES], [$PYTHON_INCLUDES]) + AC_SUBST([PYTHON2_VERSION], [$PYTHON_VERSION]) + AC_SUBST([PYTHON2_PREFIX], [$PYTHON_PREFIX]) + AC_SUBST([PYTHON2_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX]) + + SSS_CLEAN_PYTHON_VARIABLES +fi + +if test x$HAVE_PYTHON3_BINDINGS = x1; then + AS_IF([test x$HAVE_PYTHON3 != xyes], + [AC_MSG_ERROR([ +The program python3 was not found in search path. +Please ensure that it is installed and its directory is included in the search +path. It is required for building python3 bindings. 
If you do not want to build +them please use argument --without-python3-bindings when running configure.])]) + + PYTHON=$PYTHON3 + AM_PATH_PYTHON([3.3]) + AM_PYTHON_CONFIG([python3]) + AM_CHECK_PYTHON_HEADERS([], + AC_MSG_ERROR([Could not find python3 headers])) + + AC_SUBST([py3execdir], [$pyexecdir]) + AC_SUBST([python3dir], [$pythondir]) + AC_SUBST([PYTHON3_CFLAGS], [$PYTHON_CFLAGS]) + AC_SUBST([PYTHON3_LIBS], [$PYTHON_LIBS]) + AC_SUBST([PYTHON3_INCLUDES], [$PYTHON_INCLUDES]) + AC_SUBST([PYTHON3_VERSION], [$PYTHON_VERSION]) + AC_SUBST([PYTHON3_PREFIX], [$PYTHON_PREFIX]) + AC_SUBST([PYTHON3_EXEC_PREFIX], [$PYTHON_EXEC_PREFIX]) + + SSS_CLEAN_PYTHON_VARIABLES +fi + +AM_CONDITIONAL([BUILD_PYTHON_BINDINGS], + [test x"$with_python2_bindings" = xyes \ + -o x"$with_python3_bindings" = xyes]) + +AM_PYTHON2_MODULE([ldap]) + +if test x$HAVE_SELINUX != x; then + AM_CHECK_SELINUX +fi + +if test x$HAVE_SEMANAGE != x -a x$HAVE_SELINUX != x; then + AM_CHECK_SEMANAGE +fi + +dnl If journald was selected for logging, configure journald +if test x$syslog = xjournald; then + AM_CHECK_JOURNALD +fi + +if test x$cryptolib = xnss; then + AM_CHECK_NSS +fi + +if test x$cryptolib = xlibcrypto; then + AM_CHECK_LIBCRYPTO + m4_include([src/external/p11-kit.m4]) +fi + +AM_CHECK_INOTIFY + +AC_CACHE_CHECK([whether compiler supports __attribute__((destructor))], + sss_client_cv_attribute_destructor, + [AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([__attribute__((destructor)) static void cleanup(void) { }])], + sss_client_cv_attribute_destructor=yes) + ]) + +if test x"$sss_client_cv_attribute_destructor" = xyes ; then + AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR, 1, + [whether compiler supports __attribute__((destructor))]) +fi + +AC_CACHE_CHECK([whether compiler supports __attribute__((format))], + sss_cv_attribute_format, + [AC_COMPILE_IFELSE( + [AC_LANG_SOURCE( + [void debug_fn(const char *format, ...) 
__attribute__ ((format (printf, 1, 2)));] + )], + [sss_cv_attribute_format=yes], + [ + AC_MSG_RESULT([no]) + AC_MSG_WARN([compiler does NOT support __attribute__((format))]) + ]) + ]) + +if test x"$sss_cv_attribute_format" = xyes ; then + AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_FORMAT, 1, + [whether compiler supports __attribute__((format))]) +fi + +AC_CACHE_CHECK([whether compiler supports __attribute__((warn_unused_result))], + sss_cv_attribute_warn_unused_result, + [AC_COMPILE_IFELSE( + [AC_LANG_SOURCE( + [ char _check_leaks(int bytes) __attribute__ ((warn_unused_result)); ] + )], + [sss_cv_attribute_warn_unused_result=yes], + [ + AC_MSG_RESULT([no]) + AC_MSG_WARN([compiler does NOT support __attribute__((warn_unused_result))]) + ]) + ]) +if test x"$sss_cv_attribute_warn_unused_result" = xyes ; then + AC_DEFINE(HAVE_FUNCTION_ATTRIBUTE_WARN_UNUSED_RESULT, 1, + [whether compiler supports __attribute__((warn_unused_result))]) +fi + +SAFE_CFLAGS=$CFLAGS +CFLAGS="-Werror" +AC_CACHE_CHECK( + [whether compiler supports __attribute__((fallthrough))], + [sss_cv_attribute_fallthrough], + [AC_COMPILE_IFELSE( + [AC_LANG_SOURCE( + [ __attribute__ ((fallthrough)); ]) + ],[ + sss_cv_attribute_fallthrough=yes + sss_cv_attribute_fallthrough_val="__attribute__ ((fallthrough))" + ],[ + sss_cv_attribute_fallthrough=no + sss_cv_attribute_fallthrough_val="((void)0)" + ]) + ]) +CFLAGS=$SAFE_CFLAGS + +AC_DEFINE_UNQUOTED( + [SSS_ATTRIBUTE_FALLTHROUGH], + [$sss_cv_attribute_fallthrough_val], + [__attribute__((fallthrough)) if supported]) + + +PKG_CHECK_MODULES([CHECK], [check >= 0.9.5], [have_check=1], [have_check=]) +if test x$have_check = x; then + AC_MSG_WARN([Without the 'CHECK' libraries, you will be unable to run all tests in the 'make check' suite]) +else + AC_CHECK_HEADERS([check.h],,AC_MSG_ERROR([Could not find CHECK headers])) +fi + +AC_PATH_PROG([DOXYGEN], [doxygen], [false]) +AM_CONDITIONAL([HAVE_DOXYGEN], [test x$DOXYGEN != xfalse ]) + +AM_CONDITIONAL([HAVE_CHECK], [test 
x$have_check != x]) +AM_CHECK_CMOCKA +AM_CHECK_UID_WRAPPER +AM_CHECK_NSS_WRAPPER +AM_CHECK_TEST_CA + +# Check if the user wants SSSD to be compiled with systemtap probes +AM_CHECK_SYSTEMTAP + +SSS_ENABLE_INTGCHECK_REQS + +AM_CONDITIONAL([HAVE_DEVSHM], [test -d /dev/shm]) + +# Check if we should install polkit rules +ENABLE_POLKIT_RULES_PATH +AM_CONDITIONAL([HAVE_POLKIT_RULES_D], [test x$HAVE_POLKIT_RULES_D != x]) + +abs_build_dir=`pwd` +AC_DEFINE_UNQUOTED([ABS_BUILD_DIR], ["$abs_build_dir"], [Absolute path to the build directory]) +AC_SUBST([abs_builddir], $abs_build_dir) + +my_srcdir=`readlink -f $srcdir` +AC_DEFINE_UNQUOTED([ABS_SRC_DIR], ["$my_srcdir"], [Absolute path to the source directory]) + +AC_CONFIG_FILES([Makefile contrib/sssd.spec src/examples/rwtab src/doxy.config + contrib/sssd-pcsc.rules + src/sysv/sssd src/sysv/gentoo/sssd src/sysv/SUSE/sssd + po/Makefile.in src/man/Makefile src/tests/cwrap/Makefile + src/tests/intg/Makefile src/tests/test_CA/Makefile + src/lib/ipa_hbac/ipa_hbac.pc src/lib/ipa_hbac/ipa_hbac.doxy + src/lib/idmap/sss_idmap.pc src/lib/idmap/sss_idmap.doxy + src/lib/certmap/sss_certmap.pc src/lib/certmap/sss_certmap.doxy + src/sss_client/idmap/sss_nss_idmap.pc + src/sss_client/idmap/sss_nss_idmap.doxy + src/sss_client/libwbclient/wbclient_sssd.pc + src/lib/sifp/sss_simpleifp.pc + src/lib/sifp/sss_simpleifp.doxy + src/config/setup.py + src/systemtap/sssd.stp + src/config/SSSDConfig/__init__.py]) +AC_OUTPUT diff --git a/contrib/ci/README.md b/contrib/ci/README.md new file mode 100644 index 0000000..986e0c4 --- /dev/null +++ b/contrib/ci/README.md 
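Review bot: The guard `if test x$HAVE_NSCD; then` in front of `WITH_NSCD_CONF` is always true, because `test` with a single non-empty word succeeds and that word is at least `x` even when HAVE_NSCD is empty. The other feature guards in this file compare against `x` (for example `test x$HAVE_SELINUX != x`), so this one should read `if test "x$HAVE_NSCD" != x; then`. That assumes WITH_NSCD in src/conf_macros.m4 leaves the variable empty when nscd support is disabled, which is not visible in this hunk. Separately, the line that assigns `my_srcdir` runs `readlink -f $srcdir` with `$srcdir` unquoted, and the result is written into config.h as ABS_SRC_DIR. A checkout path containing whitespace or glob characters is split before readlink sees it, so `readlink -f "$srcdir"` is the safer form.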
@@ -0,0 +1,73 @@ +Continuous integration +====================== + +The executables and modules in this directory implement continuous integration +(CI) tests, which can be run to verify SSSD code quality and validity. + +Supported host distros are Fedora 20 and later, RHEL 6.5 and later, and Debian +Testing. + +The tests are executed by running `contrib/ci/run` from the source tree root. +It accepts options to choose from three test sets: "essential", "moderate" and +"rigorous" (-e/-m/-r), with the essential set selected by default. + +Essential tests include building everything and running the built-in test +suite under Valgrind, completing in under 5 minutes. + +Moderate tests include essential tests, plus a distcheck target build and mock +package builds for Fedora and RHEL on Red Hat distros. They complete in about +15 minutes. + +Rigorous tests include moderate tests, plus a pass with Clang static analyzer +over the whole build and test execution with code coverage collection and +verification, completing in 30 minutes. Static analyzer failures are ignored +for now. + +Use `contrib/ci/clean` to remove test results from the source tree. + + +Setup +----- + +CI requires `lsb_release` command to be available in order to determine host +distro version. On Red Hat distros it is contained in the `redhat-lsb-core` +package and on Debian in `lsb-release`. + +The rest of the required packages CI will attempt to install itself, using +the distribution's package manager invoked through sudo. + +A sudo rule can be employed to selectively avoid password prompts on RHEL +distros: + + ALL=(ALL:ALL) NOPASSWD: /usr/bin/yum --assumeyes install -- * + +on Fedora distros: + + # With dnf >= 2.0 + ALL=(ALL:ALL) NOPASSWD: /usr/bin/dnf --assumeyes --best --setopt=install_weak_deps=False install -- * + # We need to use yum-deprecated on Fedora because of BZ1215208. 
+ ALL=(ALL:ALL) NOPASSWD: /usr/bin/yum-deprecated --assumeyes install -- * + +and Debian-based distros: + + ALL=(ALL:ALL) NOPASSWD: /usr/bin/apt-get --yes install -- * + +Where `` is the user invoking CI. + +You may also want to allow passing DEBIAN_FRONTEND environment variable to +apt-get on Debian, so CI can request non-interactive package installation: + + Defaults!/usr/bin/apt-get env_keep += "DEBIAN_FRONTEND" + +On Red Hat distros a repository carrying dependencies missing from some +distros needs to be added to yum configuration. See instructions on the +[Copr project page](http://copr-fe.cloud.fedoraproject.org/coprs/lslebodn/sssd-deps/). +That repository is also automatically used by CI during mock builds. + +Package installation can be disabled with the -n/--no-deps option, e.g. for +manual dependency management, or for shaving off a few seconds of execution +time, when dependency changes are not expected. + +On Red Hat distros, where mock builds are ran, it is better to have the +invoking user added to the `mock` group. Otherwise mock builds will be +executed through sudo. diff --git a/contrib/ci/clean b/contrib/ci/clean new file mode 100755 index 0000000..ee18c10 --- /dev/null +++ b/contrib/ci/clean 
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Clean source tree after a run of integration tests.
+#
+# Copyright (C) 2014 Red Hat
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+set -o nounset -o pipefail -o errexit
+export PATH=`dirname "\`readlink -f \"\$0\"\`"`:$PATH
+
+. misc.sh
+
+rm_rf_ro ci-*
diff --git a/contrib/ci/configure.sh b/contrib/ci/configure.sh
new file mode 100644
index 0000000..e4fb92c
--- /dev/null
+++ b/contrib/ci/configure.sh
@@ -0,0 +1,80 @@ +# +# Configure argument management. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if [ -z ${_CONFIGURE_SH+set} ]; then +declare -r _CONFIGURE_SH= + +. distro.sh + +# List of "configure" arguments. +declare -a CONFIGURE_ARG_LIST=( + "--disable-dependency-tracking" + "--disable-rpath" + "--disable-static" + "--enable-ldb-version-check" + "--with-syslog=journald" + "--enable-systemtap" +) + + +if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- || + "$DISTRO_BRANCH" == -redhat-centos-6.*- ]]; then + CONFIGURE_ARG_LIST+=( + "--with-smb-idmap-interface-version=5" + "--disable-cifs-idmap-plugin" + "--with-syslog=syslog" + "--without-python3-bindings" + "--without-secrets" + "--without-kcm" + ) +fi + +if [[ "$DISTRO_BRANCH" == -redhat-fedora-2[0-2]* ]]; then + CONFIGURE_ARG_LIST+=( + "--without-kcm" + ) +fi + +if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-7.*- || + "$DISTRO_BRANCH" == -redhat-centos-7.*- ]]; then + CONFIGURE_ARG_LIST+=( + "--without-python3-bindings" + ) +fi + +# Different versions of Debian might need different versions here but this is +# sufficient to make the CI work +if [[ "$DISTRO_BRANCH" == -debian-* ]]; then + CONFIGURE_ARG_LIST+=( + "--with-smb-idmap-interface-version=5" + ) +fi + +if [[ "$DISTRO_BRANCH" == -redhat-fedora-29* || + "$DISTRO_BRANCH" == -redhat-fedora-3* || + "$DISTRO_BRANCH" == -debian-* || + 
"$DISTRO_BRANCH" == -redhat-redhatenterprise*-8.*- || + "$DISTRO_BRANCH" == -redhat-centos-8.*- ]]; then + CONFIGURE_ARG_LIST+=( + "--with-crypto=libcrypto" + ) +fi + +declare -r -a CONFIGURE_ARG_LIST + +fi # _CONFIGURE_SH diff --git a/contrib/ci/deps.sh b/contrib/ci/deps.sh new file mode 100644 index 0000000..5906e53 --- /dev/null +++ b/contrib/ci/deps.sh 
@@ -0,0 +1,160 @@ +# +# Dependency management. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if [ -z ${_DEPS_SH+set} ]; then +declare -r _DEPS_SH= + +. distro.sh + +# Dependency list +declare -a DEPS_LIST=( + lcov + valgrind +) + +# "Integration tests dependencies satisfied" flag +declare DEPS_INTGCHECK_SATISFIED=true + +if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then + declare _DEPS_LIST_SPEC + DEPS_LIST+=( + clang-analyzer + fakeroot + libcmocka-devel + mock + nss_wrapper + openldap-clients + openldap-servers + pytest + python-ldap + python-psutil + pyldb + rpm-build + uid_wrapper + python-requests + curl-devel + krb5-server + krb5-workstation + dbus-python + python-pep8 + ) + _DEPS_LIST_SPEC=` + sed -e 's/@PACKAGE_VERSION@/0/g' \ + -e 's/@PACKAGE_NAME@/package-name/g' \ + -e 's/@PRERELEASE_VERSION@//g' contrib/sssd.spec.in | + rpm-spec-builddeps /dev/stdin` + readarray -t -O "${#DEPS_LIST[@]}" DEPS_LIST <<<"$_DEPS_LIST_SPEC" +fi + +if [[ "$DISTRO_BRANCH" == -debian-* ]]; then + DEPS_LIST+=( + autoconf + automake + autopoint + check + cifs-utils + clang + dh-apparmor + dnsutils + docbook-xml + docbook-xsl + gettext + krb5-config + libc-ares-dev + libcmocka-dev + libcollection-dev + libdbus-1-dev + libdhash-dev + libglib2.0-dev + libini-config-dev + libkeyutils-dev + libkrb5-dev + libldap2-dev + libldb-dev + libltdl-dev + libnfsidmap-dev + libnl-3-dev + libnl-route-3-dev 
+ libnspr4-dev + libnss3-dev + libpam0g-dev + libpcre3-dev + libpopt-dev + libsasl2-dev + libselinux1-dev + libsemanage1-dev + libsmbclient-dev + libsystemd-dev + libtalloc-dev + libtdb-dev + libtevent-dev + libtool + libtool-bin + libxml2-utils + make + python-dev + python3-dev + samba-dev + systemd + xml-core + xsltproc + libssl-dev + fakeroot + libnss-wrapper + libuid-wrapper + python-pytest + python-ldap + python-ldb + python-requests + python-psutil + ldap-utils + slapd + systemtap-sdt-dev + libhttp-parser-dev + libjansson-dev + libcurl4-openssl-dev + krb5-kdc + krb5-admin-server + krb5-user + uuid-dev + dbus + python-dbus + pep8 + libssl-dev + gnutls-bin + softhsm2 + libp11-kit-dev + ) + DEPS_INTGCHECK_SATISFIED=true +fi + +declare -a -r DEPS_LIST + +# Install dependencies. +function deps_install() +{ + distro_pkg_install "${DEPS_LIST[@]}" +} + +# Remove dependencies. +function deps_remove() +{ + distro_pkg_remove "${DEPS_LIST[@]}" +} + +fi # _DEPS_SH diff --git a/contrib/ci/distro.sh b/contrib/ci/distro.sh new file mode 100644 index 0000000..8b320b7 --- /dev/null +++ b/contrib/ci/distro.sh 
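Review bot: `DEPS_INTGCHECK_SATISFIED` is initialised to `true` and the Debian branch assigns `true` again, so no path in this file ever clears it and the flag cannot signal missing integration-test dependencies. Either drop the flag and the Debian assignment, or start from `declare DEPS_INTGCHECK_SATISFIED=false` and set it to `true` only in the branches that really install the intgcheck packages. The Debian list also names `libssl-dev` twice; one entry can go.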
@@ -0,0 +1,100 @@ +# +# Distribution version discovery +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if [ -z ${_DISTRO_SH+set} ]; then +declare -r _DISTRO_SH= + +# Distribution family (lowercase) +declare DISTRO_FAMILY= +# Distribution ID (lowercase) +declare DISTRO_ID= +# Distribution release (lowercase) +declare DISTRO_RELEASE= + +if [ -e /etc/redhat-release ]; then + DISTRO_FAMILY=redhat +elif [ -e /etc/debian_version ]; then + DISTRO_FAMILY=debian +else + DISTRO_FAMILY=unknown +fi +declare -r DISTRO_FAMILY + +DISTRO_ID=`lsb_release --id | sed -e 's/^[^:]*:\s*\(.*\)$/\L\1\E/'` +declare -r DISTRO_ID +DISTRO_RELEASE=`lsb_release --release | sed -e 's/^[^:]*:\s*\(.*\)$/\L\1\E/'` +declare -r DISTRO_RELEASE + +# Distribution branch (lowercase) +declare -r DISTRO_BRANCH="-$DISTRO_FAMILY-$DISTRO_ID-$DISTRO_RELEASE-" + + +# Install packages. +# Args: [pkg_name...] 
+function distro_pkg_install() +{ + declare prompt=$'Need root permissions to install packages.\n' + prompt+="Enter sudo password for $USER: " + if [[ "$DISTRO_BRANCH" == -redhat-fedora-2[2-5]* ]]; then + # TODO switch fedora to DNF once + # https://bugzilla.redhat.com/show_bug.cgi?id=1215208 is fixed + [ $# != 0 ] && sudo -p "$prompt" \ + yum-deprecated --assumeyes install -- "$@" |& + # Pass input to output, fail if a missing package is reported + awk 'BEGIN {s=0} + /^No package .* available.$/ {s=1} + {print} + END {exit s}' + elif [[ "$DISTRO_BRANCH" == -redhat-fedora-* ]]; then + [ $# != 0 ] && sudo -p "$prompt" \ + /usr/bin/dnf --assumeyes --best \ + --setopt=install_weak_deps=False \ + install -- "$@" + elif [[ "$DISTRO_BRANCH" == -redhat-* ]]; then + [ $# != 0 ] && sudo -p "$prompt" yum --assumeyes install -- "$@" |& + # Pass input to output, fail if a missing package is reported + awk 'BEGIN {s=0} + /^No package .* available.$/ {s=1} + {print} + END {exit s}' + elif [[ "$DISTRO_BRANCH" == -debian-* ]]; then + [ $# != 0 ] && DEBIAN_FRONTEND=noninteractive \ + sudo -p "$prompt" apt-get --yes install -- "$@" + else + echo "Cannot install packages on $DISTRO_BRANCH" >&2 + exit 1 + fi +} + +# Remove packages. +# Args: [pkg_name...] +function distro_pkg_remove() +{ + declare prompt=$'Need root permissions to remove packages.\n' + prompt+="Enter sudo password for $USER: " + if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then + [ $# != 0 ] && sudo -p "$prompt" yum --assumeyes remove -- "$@" + elif [[ "$DISTRO_BRANCH" == -debian-* ]]; then + [ $# != 0 ] && sudo -p "$prompt" apt-get --yes remove -- "$@" + else + echo "Cannot remove packages on $DISTRO_BRANCH" >&2 + exit 1 + fi +} + +fi # _DISTRO_SH diff --git a/contrib/ci/misc.sh b/contrib/ci/misc.sh new file mode 100644 index 0000000..642e437 --- /dev/null +++ b/contrib/ci/misc.sh 
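Review bot: Only the dnf branch of `distro_pkg_install` calls the package manager by absolute path; `yum-deprecated`, `yum` and `apt-get`, here and in `distro_pkg_remove`, are bare names handed to sudo. `contrib/ci/run` prepends the CI directory to `PATH`, so unless sudoers sets `secure_path` the name is looked up through a path the source tree controls and may resolve to something other than the `/usr/bin/...` binaries named in the README's NOPASSWD rules. Use the full path in every branch, e.g. `sudo -p "$prompt" /usr/bin/yum --assumeyes install -- "$@"`. `distro_pkg_remove` also still uses `yum` on the Fedora releases where install uses dnf.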
@@ -0,0 +1,73 @@ +# +# Miscellaneous routines. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +if [ -z ${_MISC_SH+set} ]; then +declare -r _MISC_SH= + +# Remove files and directories recursively, forcing write permissions on +# directories. +# Args: path... +function rm_rf_ro() +{ + chmod -Rf u+w -- "$@" || true + rm -Rf -- "$@" +} + +# Extract line and function coverage percentage from a "genhtml" or "lcov +# --summary" output. +# Input: "genhtml" or "lcov --summary" output +# Output: lines funcs +function lcov_summary() +{ + sed -ne 's/^ *\(lines\|functions\)\.*: \([0-9]\+\).*$/ \2/p' | + tr -d '\n' + echo +} + +# Check if a "genhtml" or "lcov --summary" output has a minimum coverage +# percentage of lines and functions. +# Input: "genhtml" or "lcov --summary" output +# Args: min_lines min_funcs +function lcov_check() +{ + declare -r min_lines="$1"; shift + declare -r min_funcs="$1"; shift + declare lines + declare funcs + + read -r lines funcs < <(lcov_summary) + ((lines >= min_lines && funcs >= min_funcs)) && return 0 || return 1 +} + +# Check if the current user belongs to a group. 
+# Args: group_name +function memberof() +{ + declare -r group_name="$1" + declare group_id + declare id + group_id=`getent group "$group_name" | cut -d: -f3` || return 1 + for id in "${GROUPS[@]}"; do + if [ "$id" == "$group_id" ]; then + return 0 + fi + done + return 1 +} + +fi # _MISC_SH diff --git a/contrib/ci/rpm-spec-builddeps b/contrib/ci/rpm-spec-builddeps new file mode 100755 index 0000000..e1bb2b0 --- /dev/null +++ b/contrib/ci/rpm-spec-builddeps @@ -0,0 +1,38 @@ +#!/usr/bin/env python +# +# Extract build dependencies from an RPM .spec file. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from __future__ import print_function + +import sys +import re +import rpm + + +def usage(file): + file.write(("Usage: %s SPEC\n" + + "Extract build dependencies from an RPM .spec file.\n") % + re.match(".*?([^/]+)$", sys.argv[0]).group(1)) + +if len(sys.argv) != 2: + usage(sys.stderr) + sys.exit(1) + +spec = rpm.spec(sys.argv[1]) +for d in rpm.ds(spec.sourceHeader, 'requires'): + print(d.DNEVR()[2:]) diff --git a/contrib/ci/run b/contrib/ci/run new file mode 100755 index 0000000..b481419 --- /dev/null +++ b/contrib/ci/run 
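Review bot: In `rpm-spec-builddeps`, `rpm.spec(sys.argv[1])` is not a passive read: parsing a spec expands its macros, including `%(...)` shell expansions, so whatever spec is passed in can run commands as the invoking user. deps.sh feeds it the tree's `contrib/sssd.spec.in`, so the call deserves a comment such as `# NOTE: parsing expands spec macros, incl. %(shell); only pass trusted spec files`. The `[2:]` slice on `d.DNEVR()` would also benefit from a comment saying which prefix it strips.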
@@ -0,0 +1,409 @@ +#!/bin/bash +# +# Run continuous integration tests. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +set -o nounset -o pipefail -o errexit +declare -r CI_DIR=`dirname "\`readlink -f \"\$0\"\`"` +export PATH=$CI_DIR:$PATH +export LC_ALL=C + +. deps.sh +. distro.sh +. configure.sh +. misc.sh + +declare -r DEBUG_CFLAGS="-g3 -O2" +declare -r COVERAGE_CFLAGS="-g3 -O0 --coverage" +declare -r ARCH=`uname -m` +declare -r CPU_NUM=`getconf _NPROCESSORS_ONLN` +declare -r TITLE_WIDTH=24 +declare -r RESULT_WIDTH=18 + +# Minimum percentage of code lines covered by tests +declare -r COVERAGE_MIN_LINES=15 +# Minimum percentage of code functions covered by tests +declare -r COVERAGE_MIN_FUNCS=0 + +# Those values are a sum up of the default warnings in all our +# supported distros in our CI. +# debian_testing: E121,E123,E126,E226,E24,E704,W503 +# fedora22: +# fedora23: +# fedora24: E121,E123,E126,E226,E24,E704 +# fedora25: E121,E123,E126,E226,E24,E704 +# fedora26: E121,E123,E126,E226,E24,E704 +# fedora27: E121,E123,E126,E226,E24,E704 +# fedora_rawhide: E121,E123,E126,E226,E24,E704 +# rhel6: +# rhel7: +declare PEP8_IGNORE="--ignore=E121,E123,E126,E226,E24,E704,W503" +declare BASE_PFX="" +declare DEPS=true +declare BASE_DIR=`pwd` +declare MODERATE=false +declare RIGOROUS=false + +# Output program usage information. 
+function usage() +{ + cat < "$log" + + duration=$((end - start)) + + if [ "$status" == 0 ]; then + printf 'success ' + else + printf 'failure ' + fi + printf "%02u:%02u:%02u " \ + $((duration / (60 * 60))) \ + $((duration / 60 % 60)) \ + $((duration % 60)) + disppath "$log" + printf "\n" + + return "$status" +} + +# Execute mock as is, or, if the user is not in the "mock" group, under sudo, +# which has password prompt/input on the console, instead of stderr/stdin. +# Args: [mock_arg...] +function mock_privileged() +{ + if memberof mock; then + mock "$@" + else + declare prompt=$'Not a "mock" group member.\n' + prompt+="To run mock enter sudo password for $USER: " + sudo -p "$prompt" mock "$@" + fi +} + +# Execute mock_privileged with extra chroot configuration added. +# Args: chroot [mock_arg...] +# Input: extra configuration +function mock_privileged_conf() +{ + declare -r chroot="$1"; shift + declare conf_dir + + conf_dir=`mktemp --tmpdir --directory mock-config.XXXXXXXX` + trap 'trap - RETURN; rm -R "$conf_dir";' RETURN + # Preserve timestamps to avoid unnecessary cache rebuilds + cp -r --preserve=timestamps /etc/mock/* "$conf_dir"/ + cat >> "${conf_dir}/${chroot}.cfg" + touch --reference="/etc/mock/${chroot}.cfg" "${conf_dir}/${chroot}.cfg" + mock_privileged --configdir="$conf_dir" --root="$chroot" "$@" +} + +# Execute mock_privileged with dependency package source configuration added. +# Args: chroot [mock_arg...] 
+function mock_privileged_deps() +{ + declare -r chroot_name="$1"; shift + declare -r config=$(basename $(readlink -f "/etc/mock/${chroot_name}.cfg")) + declare -r chroot="${config%.cfg}" + declare repo + + if [[ "$chroot" == fedora-* ]]; then + repo='fedora-$releasever-$basearch' + elif [[ "$chroot" =~ epel-([0-9]+) ]]; then + repo="epel-${BASH_REMATCH[1]}-\$basearch" + else + echo "Unknown chroot config: $chroot" >&2 + exit 1 + fi + + mock_privileged_conf "$chroot" "$@" <<<" +config_opts['yum.conf'] += ''' +[sssd-deps] +name=Extra SSSD dependencies +baseurl=http://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-deps/$repo/ +skip_if_unavailable=true +gpgcheck=0 +enabled=1 +''' +" +} + +# Run debug build checks. +function build_debug() +{ + # Extended glob pattern matching tests to run under Valgrind. + # NOTE: The particular pattern below is inverted + declare valgrind_test_pattern="!(*.py|*/whitespace_test|" + declare -r valgrind_test_pattern+="*/double_semicolon_test)" + export CFLAGS="$DEBUG_CFLAGS" + declare test_dir + declare test_dir_distcheck + declare intgcheck_configure_args + declare distcheck_configure_args + declare status + + test_dir=`mktemp --directory /dev/shm/ci-test-dir.XXXXXXXX` + stage configure "$BASE_DIR/configure" \ + "${CONFIGURE_ARG_LIST[@]}" \ + --with-test-dir="$test_dir" + + # Not building "tests" due to https://fedorahosted.org/sssd/ticket/2350 + stage make-tests make -j $CPU_NUM check LOG_COMPILER=true + + status=0 + CK_FORK=no \ + stage make-check-valgrind \ + make -j $CPU_NUM check \ + LOG_COMPILER=libtool \ + LOG_FLAGS="--mode=execute \ + valgrind-condense 99 \ + \"$valgrind_test_pattern\" -- \ + --trace-children=yes \ + --trace-children-skip='*/bin/*,*/sbin/*,./dummy-child' \ + --leak-check=full \ + --gen-suppressions=all \ + --suppressions=\"$CI_DIR/sssd.supp\" \ + --verbose" || + status=$? 
+ mv "$test_dir" ci-test-dir + ((status == 0)) + + if "$MODERATE"; then + if "$DEPS_INTGCHECK_SATISFIED"; then + printf -v intgcheck_configure_args " %q" \ + "${CONFIGURE_ARG_LIST[@]}" + stage make-intgcheck make -j $CPU_NUM intgcheck \ + INTGCHECK_CONFIGURE_FLAGS=" \ + $intgcheck_configure_args" + fi + + test_dir_distcheck=`mktemp --directory /dev/shm/ci-test-dir.XXXXXXXX` + # Single thread due to https://fedorahosted.org/sssd/ticket/2354 + status=0 + printf -v distcheck_configure_args " %q" \ + "${CONFIGURE_ARG_LIST[@]}" \ + "--with-test-dir=$test_dir_distcheck" + stage make-distcheck make distcheck \ + AUX_DISTCHECK_CONFIGURE_FLAGS=" \ + $distcheck_configure_args" || + status=$? + mv "$test_dir_distcheck" ci-test-dir-distcheck + ((status == 0)) + + if [[ "$DISTRO_BRANCH" == -redhat-* ]]; then + stage make-srpm env -u CFLAGS -- make srpm + stage mock-build mock_privileged_deps "default" \ + --resultdir ci-mock-result \ + rpmbuild/SRPMS/*.src.rpm + fi + fi + + unset CFLAGS +} + +# Run coverage build checks. +function build_coverage() +{ + declare -r coverage_report_dir="ci-report-coverage" + declare extra_CFLAGS="" + declare test_dir + declare status + + if [[ "$DISTRO_BRANCH" == -redhat-redhatenterprise*-6.*- || + "$DISTRO_BRANCH" == -redhat-centos-6.*- ]]; then + # enable optimisation to avoid bug in gcc < 4.6.0 + # gcc commit 7959b7e646b493f48a2ea7228fbf1c43f84bedea + # git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@162384 + # 138bc75d-0d04-0410-961f-82ee72b054a4 + extra_CFLAGS=" -O1" + fi + + export CFLAGS="$COVERAGE_CFLAGS $extra_CFLAGS" + + test_dir=`mktemp --directory /dev/shm/ci-test-dir.XXXXXXXX` + stage configure "$BASE_DIR/configure" \ + "${CONFIGURE_ARG_LIST[@]}" \ + --with-test-dir="$test_dir" + + # Build everything, including tests + # Not building "tests" due to https://fedorahosted.org/sssd/ticket/2350 + stage make-tests make -j $CPU_NUM check LOG_COMPILER=true + + stage lcov-pre lcov --capture --initial --directory . 
\ + --base-directory "$BASE_DIR" \ + --output-file ci-base.info + # Run tests + status=$? + stage make-check make -j $CPU_NUM check || status=$? + mv "$test_dir" ci-test-dir + ((status == 0)) + + stage lcov-post lcov --capture --directory . \ + --base-directory "$BASE_DIR" \ + --output-file ci-check.info + stage lcov-merge lcov --add-tracefile ci-base.info \ + --add-tracefile ci-check.info \ + --output-file ci-dirty.info + stage lcov-clean lcov --remove ci-dirty.info \ + "/usr/*" "src/tests/*" "/tmp/*" \ + "*dtrace-temp.c" \ + --output-file ci.info + stage genhtml eval 'genhtml --output-directory \ + "$coverage_report_dir" \ + --title "sssd" --show-details \ + --legend --prefix "$BASE_DIR" \ + ci.info |& tee ci-genhtml.out' + printf "%-$((TITLE_WIDTH + RESULT_WIDTH))s%s\n" \ + "coverage report:" \ + "`disppath \"\$coverage_report_dir/index.html\"`" + + stage lcov-check eval 'lcov_check "$COVERAGE_MIN_LINES" \ + "$COVERAGE_MIN_FUNCS" \ + < ci-genhtml.out' + + unset CFLAGS +} + +# Run a build inside a sub-directory. +# Args: id cmd [arg...] +function run_build() +{ + declare -r id="$1"; shift + declare -r dir="ci-build-$id" + + mkdir "$dir" + printf "%-$((TITLE_WIDTH + RESULT_WIDTH))s%s\n" \ + "${id^^} BUILD:" "`disppath \"\$dir\"`" + + cd "$dir" + "$@" + cd .. 
+} + +# +# Main routine +# +declare args_expr +args_expr=`getopt --name \`basename "\$0"\` \ + --options hp:nemrf \ + --longoptions help,prefix:,no-deps \ + --longoptions essential,moderate,rigorous,full \ + -- "$@"` +eval set -- "$args_expr" + +while true; do + case "$1" in + -h|--help) + usage; exit 0;; + -p|--prefix) + BASE_PFX="$2"; shift 2;; + -n|--no-deps) + DEPS=false; shift;; + -e|--essential) + MODERATE=false; RIGOROUS=false; shift;; + -m|--moderate) + MODERATE=true; RIGOROUS=false; shift;; + -r|--rigorous|-f|--full) + MODERATE=true; RIGOROUS=true; shift;; + --) + shift; break;; + *) + echo "Unknown option: $1" >&2 + exit 1;; + esac +done + +if [ $# != 0 ]; then + echo "Positional arguments are not accepted." >&2 + usage >&2 + exit 1 +fi + +trap 'echo FAILURE' EXIT +rm_rf_ro ci-* +export V=1 +if "$DEPS"; then + stage install-deps deps_install +fi +if [[ "$DISTRO_BRANCH" != redhat-* ]]; then + # Ignore "E722 do not use bare except" exceptions + # that are only raised on debian_testing machines. + PEP8_IGNORE+=",E722" +fi +stage pep8 find . -path ./src/config -prune -o \ + -name \*.py -exec pep8 $PEP8_IGNORE {} + +stage autoreconf autoreconf --install --force +run_build debug build_debug +if "$RIGOROUS"; then + run_build coverage build_coverage +fi +unset V +trap - EXIT +echo SUCCESS diff --git a/contrib/ci/sssd.supp b/contrib/ci/sssd.supp new file mode 100644 index 0000000..38254ca --- /dev/null +++ b/contrib/ci/sssd.supp 
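Review bot: `mock_privileged_deps` adds the `sssd-deps` repository with `baseurl=http://...` and `gpgcheck=0`, so packages pulled into the mock chroot are neither transport-protected nor signature-checked, and anyone on the network path can substitute build dependencies. Prefer an `https://` baseurl if the Copr backend offers one, and `gpgcheck=1` together with `gpgkey=<COPR_PROJECT_PUBKEY_URL>` (placeholder; take the real key location from the Copr project page). Separately, in the main routine `[[ "$DISTRO_BRANCH" != redhat-* ]]` is always true because distro.sh builds `DISTRO_BRANCH` with a leading `-`; the pattern should be `-redhat-*` if the E722 exclusion is meant for non-Red-Hat hosts only.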
@@ -0,0 +1,223 @@ +# +# Valgrind suppression patterns +# +# See an introduction to suppressions in Valgrind manual: +# http://valgrind.org/docs/manual/manual-core.html#manual-core.suppress +# +# Each suppression name here must start with "sssd-" to differentiate it from +# suppressions maintained elsewhere. +# + +# talloc-involved leaks +{ + sssd-leak-talloc + Memcheck:Leak + ... + fun:talloc_* + ... +} +{ + sssd-leak-_talloc + Memcheck:Leak + ... + fun:_talloc_* + ... +} + +# nss3-involved leaks +{ + sssd-leak-nss3 + Memcheck:Leak + ... + obj:*/libnss3.so + ... +} + +# nspr4-involved leaks +{ + sssd-leak-nspr4 + Memcheck:Leak + ... + obj:*/libnspr4.so + ... +} +{ + sssd-leak-nspr4-arena-allocate + Memcheck:Leak + fun:malloc + fun:PL_ArenaAllocate + ... +} + +# dbus-involved leaks +{ + sssd-leak-dbus + Memcheck:Leak + ... + obj:*/libdbus-1.so.* + ... +} + +# False positive - pcre_free is called in sss_names_ctx_destructor +{ + sssd-leak-sss_names + Memcheck:Leak + fun:malloc + fun:pcre_compile2 + fun:sss_names_init_from_args + ... +} + +# Ignore tests exiting and abandoning cmocka state, concerns dyndns test +{ + sssd-leak-cmocka-exit + Memcheck:Leak + fun:malloc + fun:_test_malloc + fun:_run_tests + fun:main +} + +# Stpncpy false positive on RHEL6: +# https://lists.fedorahosted.org/pipermail/sssd-devel/2014-September/021417.html +# possibly related to: +# https://www.mail-archive.com/valgrind-users@lists.sourceforge.net/msg03832.html +{ + sssd-value8-stpncpy + Memcheck:Value8 + obj:/lib*/libc-2.12.so + fun:sha512_crypt_r + ... +} +{ + sssd-cond-stpncpy + Memcheck:Cond + obj:/lib*/libc-2.12.so + fun:sha512_crypt_r + ... +} + +# False positive leak involving RHEL6 glib memory slices +{ + sssd-leak-glib-slices + Memcheck:Leak + fun:memalign + fun:posix_memalign + obj:/lib*/libglib-2.0.so* + fun:g_slice_alloc + fun:g_string_sized_new + ... + fun:g_utf8_casefold + fun:sss_utf8_case_eq + ... 
+} + +# uninitialised value in libselinux (fixed in fedora >= 21) +{ + libselinux-jump-or-move-depends-on-uninitialised-value-in-selabel_close + Memcheck:Cond + obj:/usr/lib64/libselinux.so.1 + fun:selabel_close + obj:/usr/lib64/libkrb5support.so.0.1 + fun:_dl_fini + fun:__run_exit_handlers + fun:exit + fun:(below main) +} + +# long-standing memory leak in popt +{ + popt-memleak-from-poptGetNextOpt-malloc + Memcheck:Leak + fun:malloc + ... + fun:poptGetNextOpt + fun:main +} + +# long-standing memory leak in popt +{ + popt-memleak-from-poptGetNextOpt-realloc + Memcheck:Leak + fun:realloc + ... + fun:poptGetNextOpt + fun:main +} + +# popt was not good with read access either. Applies for popt <= 1.13 +{ + popt-suppress-invalid-read + Memcheck:Addr4 + ... + fun:poptGetNextOpt + fun:main +} + +# Some tests initialize c-ares context, then fork a child that just exits +# without a proper teardown, which means the ares destructor is not called. +# Suppress those errors. +{ + c-ares-suppress-leak-from-init + Memcheck:Leak + ... + fun:ares_init_options + fun:recreate_ares_channel + fun:resolv_init + fun:be_res_init + fun:be_init_failover + fun:test_ipa_server_create_trusts_setup + ... + fun:_cmocka_run_group_tests + fun:main +} + +# Leaks in bash if p11_child returns and error because due to libtool the +# p11_child binary is not called directly during the unit tests but with the +# help of a libtool wrapper +{ + bash-calling-p11-child-returning-error + Memcheck:Leak + ... + fun:malloc + fun:xmalloc + ... + fun:execute_command_internal + ... + fun:execute_command_internal + ... +} + +{ + bash-calling-p11-child-returning-error-debian + Memcheck:Free + fun:free + obj:/usr/bin/bash + fun:run_unwind_frame + fun:parse_and_execute + fun:command_substitute + obj:/usr/bin/bash + obj:/usr/bin/bash + ... +} + +# Leak in sqlite3 used by the softhsm2 PKCS#11 module +{ + sqlite3.error + Memcheck:Leak + ... + fun:malloc + obj:/usr/lib64/libsqlite3.so.0.8.6 + ... 
+} + +# Leak found on debian +{ + set-default-locale-error-debian + Memcheck:Leak + ... + fun:malloc + fun:xmalloc + fun:set_default_locale + fun:main +} diff --git a/contrib/ci/valgrind-condense b/contrib/ci/valgrind-condense new file mode 100755 index 0000000..eb3f322 --- /dev/null +++ b/contrib/ci/valgrind-condense 
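Review bot: The header says every suppression name must start with `sssd-`, but the entries from `libselinux-jump-or-move-depends-on-uninitialised-value-in-selabel_close` onwards (`popt-*`, `c-ares-suppress-leak-from-init`, `bash-calling-p11-child-*`, `sqlite3.error`, `set-default-locale-error-debian`) do not; rename them or relax the rule. `sssd-leak-talloc` and `sssd-leak-_talloc` match any leak with a talloc frame anywhere in the stack, which presumably covers most allocations in SSSD itself, so the Valgrind stage can say little about leaks in the project's own code. A comment stating that this is intentional, or narrower frame lists, would keep the file from hiding regressions. `sqlite3.error` is pinned to `libsqlite3.so.0.8.6` and will stop matching after a library update; `obj:*/libsqlite3.so*` follows the style used for the other libraries in the file.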
@@ -0,0 +1,135 @@ +#!/bin/bash +# +# Run Valgrind, condensing logged reports into an exit code. +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +set -o nounset -o pipefail -o errexit +shopt -s extglob + +function usage() +{ + cat <&2 + usage >&2 + exit 1 +fi + +declare error_exitcode="$1"; shift +declare -a path_pattern_list=() +declare arg +declare collecting_argv +declare -a program_argv=() +declare program_path +declare program_name +declare path_pattern +declare match +declare status=0 + +# Extract path patterns +while [[ $# != 0 ]]; do + arg="$1" + shift + if [[ "$arg" == "--" ]]; then + break + else + path_pattern_list+=("$arg") + fi +done + +# Find program argv list in Valgrind arguments +collecting_argv=false +for arg in "$@"; do + if ! "$collecting_argv" && [[ "$arg" == "--" ]]; then + collecting_argv=true + elif "$collecting_argv" || [[ "$arg" != -* ]]; then + collecting_argv=true + program_argv+=("$arg") + fi +done + +if [[ ${#program_argv[@]} == 0 ]]; then + echo "Program path not specified." 
>&2 + usage >&2 + exit 1 +fi +program_path="${program_argv[0]}" + +# Match against path patterns, if any +if [[ ${#path_pattern_list[@]} == 0 ]]; then + match=true +else + match=false + for path_pattern in "${path_pattern_list[@]}"; do + if [[ "$program_path" == $path_pattern ]]; then + match=true + fi + done +fi + +# Run the program +if $match; then + # Generate original path from libtool path + program_path=`sed -e 's/^\(.*\/\)\?\.libs\/lt-\([^\/]\+\)$/\1\2/' \ + <<<"$program_path"` + + program_name=`basename -- "$program_path"` + + rm -f -- "$program_name".*.valgrind.log + valgrind --log-file="$program_name.%p.valgrind.log" "$@" || status=$? + + if grep -q '^==[0-9]\+== *ERROR SUMMARY: *[1-9]' -- \ + "$program_name".*.valgrind.log; then + exit "$error_exitcode" + else + exit "$status" + fi +else + "${program_argv[@]}" +fi diff --git a/contrib/fedora/bashrc_sssd b/contrib/fedora/bashrc_sssd new file mode 100644 index 0000000..3796bf8 --- /dev/null +++ b/contrib/fedora/bashrc_sssd 
@@ -0,0 +1,121 @@
+# For best results, add the following lines to ~/.bashrc:
+# if [ -f /path/to/sssd-source/contrib/fedora/bashrc_sssd ]; then
+# . /path/to/sssd-source/contrib/fedora/bashrc_sssd
+# fi
+
+# Determine the architecture of the platform we're running on
+SSS_ARCH=$(uname -m)
+
+# Determine the lib and libdir locations
+SSS_LIB=$(rpm --eval %{_lib})
+SSS_LIBDIR=$(rpm --eval %{_libdir})
+
+# Add the following line to your .bashrc if you want SSSD to throw errors on
+# compiler warnings (recommended)
+# SSS_WERROR=-Werror
+
+# Determine the number of available processors on the system for parallel make
+# invocation.
+PROCESSORS=$(/usr/bin/getconf _NPROCESSORS_ONLN)
+
+# Configure invocation for use on Fedora systems, based on the %configure RPM
+# macro from the redhat-rpm-config package. This function assumes you are
+# building in a parallel build directory beneath the source directory. All
+# other functions in this script will assume that the location is
+# /path/to/sssd-source/$SSS_ARCH
+fedconfig()
+{
+ ../configure \
+ --build=$SSS_ARCH-unknown-linux-gnu \
+ --host=$SSS_ARCH-unknown-linux-gnu \
+ --program-prefix= \
+ --prefix=/usr \
+ --exec-prefix=/usr \
+ --bindir=/usr/bin \
+ --sbindir=/usr/sbin \
+ --sysconfdir=/etc \
+ --datadir=/usr/share \
+ --includedir=/usr/include \
+ --libdir=$SSS_LIBDIR \
+ --libexecdir=/usr/libexec \
+ --localstatedir=/var \
+ --sharedstatedir=/var/lib \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --enable-nsslibdir=/$SSS_LIB \
+ --enable-pammoddir=/$SSS_LIB/security \
+ --with-krb5-rcache-dir=/var/cache/krb5rcache \
+ --with-initscript=systemd \
+ --with-syslog=journald \
+ --with-test-dir=/dev/shm \
+ --enable-all-experimental-features \
+ --cache-file=/tmp/fedconfig.cache \
+ ${SSSD_NO_MANPAGES-} \
+ "$@"
+}
+
+# Completely purge the current working directory, then recreate
+# and reconfigure it. This is best used when you are making changes to the m4
+# macros or the configure scripts.
+reconfig()
+{
+ autoreconf -if \
+ && rm -Rf $SSS_ARCH/ \
+ && mkdir $SSS_ARCH/ \
+ && cd $SSS_ARCH/ \
+ && fedconfig "$@"
+}
+
+# Set the list of warnings that you want to detect (and in the case of remake
+# and chmake want to treat as errors)
+SSS_WARNINGS='-Wall \
+ -Wextra \
+ -Wno-unused-parameter \
+ -Wno-sign-compare \
+ -Wformat-security'
+
+# Build (or finish building) all objects and then run the build-tests against
+# them. This builds with optimizations turned off and GDB debugging symbols.
+chmake()
+{
+ make V=0 \
+ CFLAGS+="-ggdb3 $SSS_WARNINGS ${SSS_WERROR-} -O0 -Wp,-U_FORTIFY_SOURCE" \
+ -j$PROCESSORS check "$@"
+}
+
+# Clean the build directory and rebuild all objects, then run the build-tests
+# against them. This builds with optimizations turned off and GDB debugging
+# symbols.
+remake()
+{
+ make clean > /dev/null && chmake "$@"
+}
+
+# Clean the build directory and rebuild all objects, hiding most of the build
+# output except for warnings and errors. This builds with default
+# optimization and without debugging symbols.
+warn()
+{
+ make clean >/dev/null \
+ && make CFLAGS+="$SSS_WARNINGS" -j$PROCESSORS tests > /dev/null "$@"
+}
+
+# Install the built sources to the current system, cleaning up the LDB modules
+# and making sure that the NSS and PAM modules have the right SELinux context.
+sssinstall()
+{
+ # Force single-thread install to workaround concurrency issues
+ sudo make -j1 install \
+ && sudo rm -f $SSS_LIBDIR/ldb/modules/ldb/memberof.la \
+ && sudo restorecon -v /$SSS_LIB/libnss_sss.so.2 \
+ /$SSS_LIB/security/pam_sss.so
+}
+
+# Alias to generate a patch or series of patches that meet SSSD submission
+# guidelines.
+# Usage:
+# genpatch -N (where N is the number of patches to submit)
+genpatch()
+{
+ git format-patch -M -C --patience --full-index "$@"
+}
diff --git a/contrib/fedora/make_srpm.sh b/contrib/fedora/make_srpm.sh
new file mode 100755
index 0000000..cdc9ee5
--- /dev/null
+++ b/contrib/fedora/make_srpm.sh
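Review bot: `fedconfig()` passes `--cache-file=/tmp/fedconfig.cache`, a fixed name in a world-writable directory, and `configure` sources its cache file as shell code, so on a shared machine another local account can pre-create that file and have its contents run under the developer's account. A per-user path such as `--cache-file="${XDG_CACHE_HOME:-$HOME/.cache}/fedconfig.cache"` avoids that. Separately, `reconfig()` expands `$SSS_ARCH` unquoted in `rm -Rf $SSS_ARCH/`; if `uname -m` ever yields an empty string the argument becomes `/`, so a guard like `[ -n "$SSS_ARCH" ] || return 1` ahead of the chain, plus quoting the expansion, would be safer.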
@@ -0,0 +1,177 @@
+#!/bin/bash
+
+# Authors:
+# Lukas Slebodnik
+#
+# Copyright (C) 2013 Red Hat
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+PACKAGE_NAME="sssd"
+
+usage(){
+ echo "$(basename $0) [OPTIONS] [-P|--patches ...]"
+ echo -e "\t-p, --prerelease Create prerelease SRPM"
+ echo -e "\t-d, --debug Enable debugging."
+ echo -e "\t-c, --clean Remove directory rpmbuild and exit."
+ echo -e "\t-P, --patches Requires list of patches for SRPM."
+ echo -e "\t-o, --output Moves the created srpm to a specific output directory."
+ echo -e "\t-h, --help Print this help and exit."
+ echo -e "\t-?, --usage"
+
+ exit 1
+}
+
+add_patches(){
+ spec_file=$1
+ shift
+ source_dir=$1
+ shift
+
+ patches=("${@}")
+
+ # These keep track of our spec file substitutions.
+ i=1
+ prefix="Source0:"
+ prepprefix="%setup"
+
+ # If no patches exist, just exit.
+ if [ -z "$patches" ]; then
+ echo Creating SRPM without extra patches.
+ return 0
+ fi
+
+ # Add the patches to the specfile.
+ for p in "${patches[@]}"; do
+ cp "$p" "$source_dir"
+ p=$(basename $p)
+ echo "Adding patch to spec file - $p"
+ sed -i -e "/${prefix}/a Patch${i}: ${p}" \
+ -e "/$prepprefix/a %patch${i} -p1" \
+ "$spec_file"
+
+ prefix="Patch${i}:"
+ prepprefix="%patch${i}"
+ i=$(($i+1))
+ done
+}
+
+for i in "$@"
+do
+case $i in
+ -p|--prerelease)
+ PRERELEASE=1
+ shift
+ ;;
+ -d|--debug)
+ set -x
+ shift
+ ;;
+ -c|--clean)
+ CLEAN=1
+ shift
+ ;;
+ -P|--patches)
+ shift
+ patches=("$@")
+ break
+ ;;
+ -o|--output)
+ shift
+ OUTPUT=("$@")
+ break
+ ;;
+ -h|--help|-\?|--usage)
+ usage
+ ;;
+ *)
+ # unknown option
+ ;;
+esac
+done
+
+RPMBUILD="$(pwd)/rpmbuild"
+if [ -n "$CLEAN" ]; then
+ rm -rfv "$RPMBUILD"
+ exit 0
+fi
+
+SRC_DIR=$(git rev-parse --show-toplevel)
+rc=$?
+if [ $rc != 0 ]; then
+ echo "This script must be run from the $PACKAGE_NAME git repository!"
+ exit 1;
+fi
+
+if [ "x$SRC_DIR" = x ]; then
+ echo "Fatal: Could not find source directory!"
+ exit 1;
+fi
+
+VERSION_FILE="$SRC_DIR/version.m4"
+SPEC_TEMPLATE="$SRC_DIR/contrib/$PACKAGE_NAME.spec.in"
+
+if [ ! -f "$VERSION_FILE" ]; then
+ echo "Fatal: Could not find file version.m4 in source directory!"
+ exit 1;
+fi
+
+if [ ! -f "$SPEC_TEMPLATE" ]; then
+ echo "Fatal: Could not find $PACKAGE_NAME.spec.in in contrib subdirectory!"
+ exit 1;
+fi
+
+PACKAGE_VERSION=$(grep "\[VERSION_NUMBER\]" $VERSION_FILE \
+ | sed -e 's/.*\[//' -e 's/\]).*$//')
+if [ "x$PACKAGE_VERSION" = x ]; then
+ echo "Fatal: Could parse version from file:$VERSION_FILE!"
+ exit 1;
+fi
+
+PRERELEASE_VERSION=""
+if [ -n "$PRERELEASE" ]; then
+ PRERELEASE_VERSION=.$(date +%Y%m%d.%H%M).git$(git log -1 --pretty=format:%h)
+fi
+
+mkdir -p $RPMBUILD/BUILD
+mkdir -p $RPMBUILD/RPMS
+mkdir -p $RPMBUILD/SOURCES
+mkdir -p $RPMBUILD/SPECS
+mkdir -p $RPMBUILD/SRPMS
+
+sed -e "s/@PACKAGE_NAME@/$PACKAGE_NAME/" \
+ -e "s/@PACKAGE_VERSION@/$PACKAGE_VERSION/" \
+ -e "s/@PRERELEASE_VERSION@/$PRERELEASE_VERSION/" \
+ < "$SPEC_TEMPLATE" \
+ > "$RPMBUILD/SPECS/$PACKAGE_NAME.spec"
+
+NAME="$PACKAGE_NAME-$PACKAGE_VERSION"
+git archive --format=tar --prefix="$NAME"/ \
+ --remote="file://$SRC_DIR" \
+ HEAD \
+ | gzip > "$RPMBUILD/SOURCES/$NAME.tar.gz"
+
+cp "$SRC_DIR"/contrib/*.patch "$RPMBUILD/SOURCES" 2>/dev/null
+add_patches "$RPMBUILD/SPECS/$PACKAGE_NAME.spec" \
+ "$RPMBUILD/SOURCES" \
+ "${patches[@]}"
+
+cd $RPMBUILD
+rpmbuild --define "_topdir $RPMBUILD" \
+ -bs SPECS/$PACKAGE_NAME.spec
+
+if [ -n "$OUTPUT" ]; then
+ mv "$RPMBUILD/SRPMS/"*.src.rpm "$OUTPUT/"
+ echo "Package has been moved to the folder: $OUTPUT"
+fi
diff --git a/contrib/kcm_default_ccache b/contrib/kcm_default_ccache
new file mode 100644
index 0000000..4cd5b48
--- /dev/null
+++ b/contrib/kcm_default_ccache
@@ -0,0 +1,12 @@
+# This file should normally be installed by your distribution into a
+# directory that is included from the Kerberos configuration file (/etc/krb5.conf)
+# On Fedora/RHEL/CentOS, this is /etc/krb5.conf.d/
+#
+# To enable the KCM credential cache enable the KCM socket and the service:
+# systemctl enable sssd-secrets.socket sssd-kcm.socket
+# systemctl start sssd-kcm.socket
+#
+# To disable the KCM credential cache, comment out the following lines.
+
+[libdefaults]
+ default_ccache_name = KCM:
diff --git a/contrib/sssd-pcsc.rules b/contrib/sssd-pcsc.rules
new file mode 100644
index 0000000..3720a3c
--- /dev/null
+++ b/contrib/sssd-pcsc.rules
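Review bot: `$RPMBUILD` is built from `$(pwd)` but is expanded unquoted in the five `mkdir -p` calls and in `cd $RPMBUILD`, and the `cd` result is never checked, so a checkout path containing whitespace or glob characters creates directories elsewhere and `rpmbuild` then resolves the relative `SPECS/$PACKAGE_NAME.spec` from the wrong working directory. Quoting every expansion and using `cd "$RPMBUILD" || exit 1` fixes this; `p=$(basename $p)` in `add_patches` and `grep "\[VERSION_NUMBER\]" $VERSION_FILE` need the same quoting. The patch file name is also interpolated into the `sed -i` script in `add_patches`, so a name containing a backslash or newline would change the spec edit; rejecting names outside `[A-Za-z0-9._-]` before the `sed` call would keep the generated spec predictable.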
@@ -0,0 +1,15 @@
+// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
+// unprivileged user 'root' to allow access to the Smartcard via pcscd.
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.user == "root") {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.user == "root") {
+ return polkit.Result.YES;
+ }
+});
diff --git a/contrib/sssd-pcsc.rules.in b/contrib/sssd-pcsc.rules.in
new file mode 100644
index 0000000..31d2dbe
--- /dev/null
+++ b/contrib/sssd-pcsc.rules.in
@@ -0,0 +1,15 @@
+// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
+// unprivileged user '@SSSD_USER@' to allow access to the Smartcard via pcscd.
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_card" &&
+ subject.user == "@SSSD_USER@") {
+ return polkit.Result.YES;
+ }
+});
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
+ subject.user == "@SSSD_USER@") {
+ return polkit.Result.YES;
+ }
+});
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
new file mode 100644
index 0000000..89e4d75
--- /dev/null
+++ b/contrib/sssd.spec.in
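Review bot: Both rules in `contrib/sssd-pcsc.rules.in` decide on `subject.user` alone, so `polkit.Result.YES` is returned to every process running as `@SSSD_USER@`, not only to the SSSD helper that talks to pcscd, and the header comment does not say so. A line such as `// Note: this grants card and pcsc access to any process of user '@SSSD_USER@'.` would make that scope visible to whoever installs the file. The pre-generated `contrib/sssd-pcsc.rules` in the hunk before it has `root` substituted, which leaves its comment reading "unprivileged user 'root'"; shipping only the `.in` template would avoid distributing that stale copy.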
@@ -0,0 +1,1487 @@
+# SSSD is running as root user by default.
+# Set --with sssd_user or bcond_without to run SSSD as non-root user(sssd).
+%bcond_with sssd_user
+
+%global rhel6_minor %(%{__grep} -o "6\\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/6.//')
+%global rhel7_minor %(%{__grep} -o "7\\.[0-9]*" /etc/redhat-release |%{__sed} -s 's/7.//')
+
+%if 0%{?rhel} && 0%{?rhel} <= 6
+%{!?__python2: %global __python2 /usr/bin/python2}
+%{!?python2_sitelib: %global python2_sitelib %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
+%endif
+
+%{!?python_provide: %global need_python_provide 1}
+%if 0%{?need_python_provide}
+%define python_provide() %{lua:
+ function string.starts(String, Start)
+ return string.sub(String, 1, string.len(Start)) == Start
+ end
+ package = rpm.expand("%{?1:%{1}}");
+ vr = rpm.expand("%{?epoch:%{epoch}:}%{version}-%{release}")
+ if (string.starts(package, "python2-")) then
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
+ str = "Provides: python-" ..
+ string.sub(package, 9, string.len(package)) ..
+ "%{?_isa} = " .. vr;
+ print(rpm.expand(str));
+ end
+ print("\\nProvides: python-");
+ print(string.sub(package, 9, string.len(package)));
+ print(" = ");
+ print(vr);
+ --Obsoleting the previous default python package
+ if (rpm.expand("%{?buildarch}") ~= "noarch") then
+ str = "\\nObsoletes: python-" ..
+ string.sub(package, 9, string.len(package)) ..
+ "%{?_isa} < " .. vr;
+ print(rpm.expand(str));
+ end
+ print("\\nObsoletes: python-");
+ print(string.sub(package, 9, string.len(package)));
+ print(" < ");
+ print(vr);
+ elseif (string.starts(package, "python3-")) then
+ --No unversioned provides as python3 is not default
+ else
+ print("%python_provide: ERROR: ");
+ print(package);
+ print(" not recognized.");
+ end
+}
+%endif
+
+# Fedora and RHEL 6+
+# we don't want to provide private python extension libs
+%define __provides_exclude_from %{python2_sitearch}/.*\.so$
+%define __provides_exclude_from %{python3_sitearch}/.*\.so$
+
+# workaround for rpm 4.13
+%define _empty_manifest_terminate_build 0
+
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+ %global use_systemd 1
+%endif
+
+# on Fedora and RHEL7 p11_child needs a polkit config snippet to be allowed to
+# talk to pcscd if SSSD runs as unprivileged user
+%if (%{with sssd_user} && (0%{?fedora} || 0%{?rhel} >= 7))
+ %global install_pcscd_polkit_rule 1
+%else
+ %global enable_polkit_rules_option --disable-polkit-rules-path
+%endif
+
+%if (0%{?use_systemd} == 1)
+ %global with_initscript --with-initscript=systemd --with-systemdunitdir=%{_unitdir}
+ %global with_syslog --with-syslog=journald
+%else
+ %global with_initscript --with-initscript=sysv
+%endif
+
+%if (0%{?fedora} > 28 || 0%{?rhel} > 7)
+ %global use_openssl 1
+%endif
+
+%global enable_experimental 1
+
+%if (0%{?enable_experimental} == 1)
+ %global experimental --enable-all-experimental-features
+%endif
+
+# Determine the location of the LDB modules directory
+%global ldb_modulesdir %(pkg-config --variable=modulesdir ldb)
+
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+%define _hardened_build 1
+%endif
+
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+ %global with_cifs_utils_plugin 1
+%else
+ %global with_cifs_utils_plugin_option --disable-cifs-idmap-plugin
+%endif
+
+%if (0%{?fedora} || 0%{?rhel} > 7)
+ %global with_python3 1
+%else
+ %global with_python3_option --without-python3-bindings
+%endif
+
+%if (0%{?fedora} > 28 || 0%{?rhel} > 7)
+ %global with_python2_option --without-python2-bindings
+%else
+ %global with_python2 1
+%endif
+
+%global enable_systemtap 1
+%if (0%{?enable_systemtap} == 1)
+ %global enable_systemtap_opt --enable-systemtap
+%endif
+
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+ %global with_secrets 1
+%else
+ %global with_secret_responder --without-secrets
+%endif
+
+%if (0%{?fedora} >= 23 || 0%{?rhel} >= 7)
+ %global with_kcm 1
+ %global with_kcm_option --with-kcm
+%else
+ %global with_kcm_option --without-kcm
+%endif
+
+%if (0%{?fedora} >= 27 || 0%{?rhel} >= 7)
+ %global with_gdm_pam_extensions 1
+%else
+ %global with_gdm_pam_extensions 0
+%endif
+
+# Do not try to detect the idmap version on RHEL6 to avoid conflicts between
+# samba and samba4 package
+%if (0%{?fedora} || 0%{?rhel} >= 7)
+ %global detect_idmap_version 1
+%else
+ %global with_idmap_version --with-smb-idmap-interface-version=5
+%endif
+
+Name: @PACKAGE_NAME@
+Version: @PACKAGE_VERSION@
+Release: 0@PRERELEASE_VERSION@%{?dist}
+Group: Applications/System
+Summary: System Security Services Daemon
+License: GPLv3+
+URL: https://pagure.io/SSSD/sssd/
+Source0: %{name}-%{version}.tar.gz
+BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+
+### Patches ###
+
+### Dependencies ###
+
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-ldap = %{version}-%{release}
+Requires: sssd-krb5 = %{version}-%{release}
+Requires: sssd-ipa = %{version}-%{release}
+Requires: sssd-ad = %{version}-%{release}
+Requires: sssd-proxy = %{version}-%{release}
+%if (0%{?with_python3} == 1)
+Requires: python3-sssdconfig = %{version}-%{release}
+%else
+Requires: python2-sssdconfig = %{version}-%{release}
+%endif
+
+%global servicename sssd
+%global sssdstatedir %{_localstatedir}/lib/sss
+%global dbpath %{sssdstatedir}/db
+%global keytabdir %{sssdstatedir}/keytabs
+%global pipepath %{sssdstatedir}/pipes
+%global mcpath %{sssdstatedir}/mc
+%global pubconfpath %{sssdstatedir}/pubconf
+%global gpocachepath %{sssdstatedir}/gpo_cache
+%global secdbpath %{sssdstatedir}/secrets
+%global deskprofilepath %{sssdstatedir}/deskprofile
+
+### Build Dependencies ###
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: libtool
+BuildRequires: m4
+BuildRequires: gcc
+BuildRequires: popt-devel
+BuildRequires: libtalloc-devel
+BuildRequires: libtevent-devel
+BuildRequires: libtdb-devel
+BuildRequires: libldb-devel
+BuildRequires: libdhash-devel >= 0.4.2
+BuildRequires: libcollection-devel
+BuildRequires: libini_config-devel >= 1.1
+BuildRequires: dbus-devel
+BuildRequires: dbus-libs
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+%if (0%{?use_openssl} == 1)
+BuildRequires: p11-kit-devel
+BuildRequires: openssl-devel
+%endif
+BuildRequires: nss-devel
+BuildRequires: nspr-devel
+BuildRequires: pcre-devel
+BuildRequires: libxslt
+BuildRequires: libxml2
+BuildRequires: docbook-style-xsl
+BuildRequires: krb5-devel
+BuildRequires: c-ares-devel
+%if (0%{?with_python2} == 1)
+BuildRequires: python2-devel
+%endif
+%if (0%{?with_python3} == 1)
+BuildRequires: python3-devel
+%endif
+BuildRequires: check-devel
+BuildRequires: doxygen
+BuildRequires: libselinux-devel
+BuildRequires: libsemanage-devel
+BuildRequires: bind-utils
+BuildRequires: keyutils-libs-devel
+BuildRequires: gettext-devel
+BuildRequires: pkgconfig
+BuildRequires: findutils
+BuildRequires: glib2-devel
+BuildRequires: selinux-policy-targeted
+%if (0%{?fedora} || 0%{?epel})
+BuildRequires: libcmocka-devel >= 1.0.0
+BuildRequires: uid_wrapper
+BuildRequires: nss_wrapper
+
+# Test CA requires openssl independent if SSSD is build with NSS or openssl,
+# openssh is needed for ssh-keygen and NSS builds need nss-tools for certutil.
+# Currently only cmocka based tests use the test CA. If it is used elsewhere
+# you might want to move the following requires out of the if-block.
+# If SSSD is build with OpenSSL instead of NSS p11tool from the gnutls-utils
+# package and softhsm2-util from the softhsm package are needed to prepare the
+# data needed for the p11_child Smartcard tests. Since p11_child only looks at
+# slots with are flagged as 'removable' softhsm version 2.1.0 or higher is
+# needed.
+%if (0%{?use_openssl} == 1)
+BuildRequires: gnutls-utils
+BuildRequires: softhsm >= 2.1.0
+%endif
+
+BuildRequires: openssl
+BuildRequires: openssh
+BuildRequires: nss-tools
+%endif
+BuildRequires: libnl3-devel
+%if (0%{?use_systemd} == 1)
+BuildRequires: systemd-devel
+BuildRequires: systemd
+%endif
+%if (0%{?with_cifs_utils_plugin} == 1)
+BuildRequires: cifs-utils-devel
+%endif
+%if (0%{?fedora} || (0%{?rhel} >= 7))
+BuildRequires: libnfsidmap-devel
+%else
+BuildRequires: nfs-utils-lib-devel
+%endif
+
+BuildRequires: samba4-devel
+BuildRequires: libsmbclient-devel
+%if (0%{?detect_idmap_version} == 1)
+BuildRequires: samba-winbind
+%endif
+
+%if (0%{?enable_systemtap} == 1)
+BuildRequires: systemtap-sdt-devel
+%endif
+%if (0%{?with_secrets} == 1)
+BuildRequires: http-parser-devel
+%endif
+%if (0%{?with_kcm} == 1)
+BuildRequires: libuuid-devel
+%endif
+%if (0%{?with_secrets} == 1 || 0%{?with_kcm} == 1)
+BuildRequires: jansson-devel
+BuildRequires: libcurl-devel
+%endif
+%if (0%{?with_gdm_pam_extensions} == 1)
+BuildRequires: gdm-pam-extensions-devel
+%endif
+
+%description
+Provides a set of daemons to manage access to remote directories and
+authentication mechanisms. It provides an NSS and PAM interface toward
+the system and a pluggable backend system to connect to multiple different
+account sources. It is also the basis to provide client auditing and policy
+services for projects like FreeIPA.
+
+The sssd subpackage is a meta-package that contains the daemon as well as all
+the existing back ends.
+
+%package common
+Summary: Common files for the SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: sssd-client%{?_isa} = %{version}-%{release}
+Requires: libsss_sudo = %{version}-%{release}
+Requires: libsss_autofs%{?_isa} = %{version}-%{release}
+Requires: libsss_idmap = %{version}-%{release}
+Conflicts: sssd < %{version}-%{release}
+%if (0%{?use_systemd} == 1)
+%{?systemd_requires}
+%else
+Requires(post): initscripts chkconfig
+Requires(preun): initscripts chkconfig
+Requires(postun): initscripts chkconfig
+%endif
+
+### Provides ###
+Provides: libsss_sudo-devel = %{version}-%{release}
+Obsoletes: libsss_sudo-devel <= 1.9.93
+
+%description common
+Common files for the SSSD. The common package includes all the files needed
+to run a particular back end, however, the back ends are packaged in separate
+subpackages such as sssd-ldap.
+
+%package client
+Summary: SSSD Client libraries for NSS and PAM
+Group: Applications/System
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description client
+Provides the libraries needed by the PAM and NSS stacks to connect to the SSSD
+service.
+
+%package -n libsss_sudo
+Summary: A library to allow communication between SUDO and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description -n libsss_sudo
+A utility library to allow communication between SUDO and SSSD
+
+%package -n libsss_autofs
+Summary: A library to allow communication between Autofs and SSSD
+Group: Development/Libraries
+License: LGPLv3+
+
+%description -n libsss_autofs
+A utility library to allow communication between Autofs and SSSD
+
+%package tools
+Summary: Userspace tools for use with the SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+# required by sss_obfuscate
+%if (0%{?with_python3} == 1)
+Requires: python3-sss = %{version}-%{release}
+Requires: python3-sssdconfig = %{version}-%{release}
+%else
+Requires: python2-sss = %{version}-%{release}
+Requires: python2-sssdconfig = %{version}-%{release}
+%endif
+%if (0%{?use_systemd} == 0)
+Requires: /sbin/service
+%endif
+
+%description tools
+Provides userspace tools for manipulating users, groups, and nested groups in
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+
+Also provides several other administrative tools:
+ * sss_debuglevel to change the debug level on the fly
+ * sss_seed which pre-creates a user entry for use in kickstarts
+ * sss_obfuscate for generating an obfuscated LDAP password
+ * sssctl -- an sssd status and control utility
+
+%if (0%{?with_python2} == 1)
+%package -n python2-sssdconfig
+Summary: SSSD and IPA configuration file manipulation classes and functions
+Group: Applications/System
+License: GPLv3+
+BuildArch: noarch
+%{?python_provide:%python_provide python2-sssdconfig}
+
+%description -n python2-sssdconfig
+Provides python2 files for manipulation SSSD and IPA configuration files.
+%endif
+
+%if (0%{?with_python3} == 1)
+%package -n python3-sssdconfig
+Summary: SSSD and IPA configuration file manipulation classes and functions
+Group: Applications/System
+License: GPLv3+
+BuildArch: noarch
+%{?python_provide:%python_provide python3-sssdconfig}
+
+%description -n python3-sssdconfig
+Provides python3 files for manipulation SSSD and IPA configuration files.
+%endif
+
+%if (0%{?with_python2} == 1)
+%package -n python2-sss
+Summary: Python2 bindings for sssd
+Group: Development/Libraries
+License: LGPLv3+
+Requires: sssd-common = %{version}-%{release}
+%{?python_provide:%python_provide python2-sss}
+
+%description -n python2-sss
+Provides python2 module for manipulating users, groups, and nested groups in
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+
+Also provides several other useful python2 bindings:
+ * function for retrieving list of groups user belongs to.
+ * class for obfuscation of passwords
+%endif
+
+%if (0%{?with_python3} == 1)
+%package -n python3-sss
+Summary: Python3 bindings for sssd
+Group: Development/Libraries
+License: LGPLv3+
+Requires: sssd-common = %{version}-%{release}
+%{?python_provide:%python_provide python3-sss}
+
+%description -n python3-sss
+Provides python3 module for manipulating users, groups, and nested groups in
+SSSD when using id_provider = local in /etc/sssd/sssd.conf.
+
+Also provides several other useful python3 bindings:
+ * function for retrieving list of groups user belongs to.
+ * class for obfuscation of passwords
+%endif
+
+%if (0%{?with_python2} == 1)
+%package -n python2-sss-murmur
+Summary: Python2 bindings for murmur hash function
+Group: Development/Libraries
+License: LGPLv3+
+%{?python_provide:%python_provide python2-sss-murmur}
+
+%description -n python2-sss-murmur
+Provides python2 module for calculating the murmur hash version 3
+%endif
+
+%if (0%{?with_python3} == 1)
+%package -n python3-sss-murmur
+Summary: Python3 bindings for murmur hash function
+Group: Development/Libraries
+License: LGPLv3+
+%{?python_provide:%python_provide python3-sss-murmur}
+
+%description -n python3-sss-murmur
+Provides python3 module for calculating the murmur hash version 3
+%endif
+
+%package ldap
+Summary: The LDAP back end of the SSSD
+Group: Applications/System
+License: GPLv3+
+Conflicts: sssd < %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+
+%description ldap
+Provides the LDAP back end that the SSSD can utilize to fetch identity data
+from and authenticate against an LDAP server.
+
+%package krb5-common
+Summary: SSSD helpers needed for Kerberos and GSSAPI authentication
+Group: Applications/System
+License: GPLv3+
+Conflicts: sssd < %{version}-%{release}
+Requires: cyrus-sasl-gssapi
+Requires: sssd-common = %{version}-%{release}
+
+%description krb5-common
+Provides helper processes that the LDAP and Kerberos back ends can use for
+Kerberos user or host authentication.
+
+%package krb5
+Summary: The Kerberos authentication back end for the SSSD
+Group: Applications/System
+License: GPLv3+
+Conflicts: sssd < %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+
+%description krb5
+Provides the Kerberos back end that the SSSD can utilize authenticate
+against a Kerberos server.
+
+%package common-pac
+Summary: Common files needed for supporting PAC processing
+Group: Applications/System
+License: GPLv3+
+Requires: sssd-common = %{version}-%{release}
+
+%description common-pac
+Provides common files needed by SSSD providers such as IPA and Active Directory
+for handling Kerberos PACs.
+
+%package ipa
+Summary: The IPA back end of the SSSD
+Group: Applications/System
+License: GPLv3+
+Conflicts: sssd < %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+Requires: libipa_hbac = %{version}-%{release}
+Requires: bind-utils
+Requires: sssd-common-pac = %{version}-%{release}
+
+%description ipa
+Provides the IPA back end that the SSSD can utilize to fetch identity data
+from and authenticate against an IPA server.
+
+%package ad
+Summary: The AD back end of the SSSD
+Group: Applications/System
+License: GPLv3+
+Conflicts: sssd < %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+Requires: sssd-krb5-common = %{version}-%{release}
+Requires: sssd-common-pac = %{version}-%{release}
+Requires: bind-utils
+
+%description ad
+Provides the Active Directory back end that the SSSD can utilize to fetch
+identity data from and authenticate against an Active Directory server.
+
+%package proxy
+Summary: The proxy back end of the SSSD
+Group: Applications/System
+License: GPLv3+
+Conflicts: sssd < %{version}-%{release}
+Requires: sssd-common = %{version}-%{release}
+
+%description proxy
+Provides the proxy back end which can be used to wrap an existing NSS and/or
+PAM modules to leverage SSSD caching.
+
+%package -n libsss_idmap
+Summary: FreeIPA Idmap library
+Group: Development/Libraries
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description -n libsss_idmap
+Utility library to convert SIDs to UNIX UIDs and GIDs
+
+%package -n libsss_idmap-devel
+Summary: FreeIPA Idmap library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_idmap = %{version}-%{release}
+
+%description -n libsss_idmap-devel
+Utility library to SIDs to UNIX UIDs and GIDs
+
+%package -n libipa_hbac
+Summary: FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description -n libipa_hbac
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%package -n libipa_hbac-devel
+Summary: FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+
+%description -n libipa_hbac-devel
+Utility library to validate FreeIPA HBAC rules for authorization requests
+
+%if (0%{?with_python2} == 1)
+%package -n python2-libipa_hbac
+Summary: Python2 bindings for the FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+Provides: libipa_hbac-python = %{version}-%{release}
+Obsoletes: libipa_hbac-python < 1.12.90
+%{?python_provide:%python_provide python2-libipa_hbac}
+
+%description -n python2-libipa_hbac
+The python2-libipa_hbac contains the bindings so that libipa_hbac can be
+used by Python applications.
+%endif
+
+%if (0%{?with_python3} == 1)
+%package -n python3-libipa_hbac
+Summary: Python3 bindings for the FreeIPA HBAC Evaluator library
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libipa_hbac = %{version}-%{release}
+%{?python_provide:%python_provide python3-libipa_hbac}
+
+%description -n python3-libipa_hbac
+The python3-libipa_hbac contains the bindings so that libipa_hbac can be
+used by Python applications.
+%endif
+
+%package -n libsss_nss_idmap
+Summary: Library for SID and certificate based lookups
+Group: Development/Libraries
+License: LGPLv3+
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+%description -n libsss_nss_idmap
+Utility library for SID and certificate based lookups
+
+%package -n libsss_nss_idmap-devel
+Summary: Library for SID and certificate based lookups
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+
+%description -n libsss_nss_idmap-devel
+Utility library for SID and certificate based lookups
+
+%if (0%{?with_python2} == 1)
+%package -n python2-libsss_nss_idmap
+Summary: Python2 bindings for libsss_nss_idmap
+Group: Development/Libraries
+License: LGPLv3+
+Requires: libsss_nss_idmap = %{version}-%{release}
+Provides: libsss_nss_idmap-python = %{version}-%{release}
+Obsoletes: libsss_nss_idmap-python < 1.12.90
+%{?python_provide:%python_provide python2-libsss_nss_idmap}
+
+%description -n python2-libsss_nss_idmap
+The python2-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can
+be used by Python applications.
+%endif + +%if (0%{?with_python3} == 1) +%package -n python3-libsss_nss_idmap +Summary: Python3 bindings for libsss_nss_idmap +Group: Development/Libraries +License: LGPLv3+ +Requires: libsss_nss_idmap = %{version}-%{release} +%{?python_provide:%python_provide python3-libsss_nss_idmap} + +%description -n python3-libsss_nss_idmap +The python3-libsss_nss_idmap contains the bindings so that libsss_nss_idmap can +be used by Python applications. +%endif + +%package dbus +Summary: The D-Bus responder of the SSSD +Group: Applications/System +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +%{?systemd_requires} + +%description dbus +Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows +the information from the SSSD to be transmitted over the system bus. + +%if (0%{?install_pcscd_polkit_rule} == 1) +%package polkit-rules +Summary: Rules for polkit integration for SSSD +Group: Applications/System +License: GPLv3+ +Requires: polkit >= 0.106 +Requires: sssd-common = %{version}-%{release} + +%description polkit-rules +Provides rules for polkit integration with SSSD. This is required +for smartcard support. +%endif + +%package -n libsss_simpleifp +Summary: The SSSD D-Bus responder helper library +Group: Development/Libraries +License: GPLv3+ +Requires: sssd-dbus = %{version}-%{release} +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig + +%description -n libsss_simpleifp +Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. + +%package -n libsss_simpleifp-devel +Summary: The SSSD D-Bus responder helper library +Group: Development/Libraries +License: GPLv3+ +Requires: dbus-devel +Requires: libsss_simpleifp = %{version}-%{release} + +%description -n libsss_simpleifp-devel +Provides library that simplifies D-Bus API for the SSSD InfoPipe responder. 
+ +%package libwbclient +Summary: The SSSD libwbclient implementation +Group: Applications/System +License: GPLv3+ and LGPLv3+ + +%description libwbclient +The SSSD libwbclient implementation. + +%package libwbclient-devel +Summary: Development libraries for the SSSD libwbclient implementation +Group: Development/Libraries +License: GPLv3+ and LGPLv3+ + +%description libwbclient-devel +Development libraries for the SSSD libwbclient implementation. + +%package winbind-idmap +Summary: SSSD's idmap_sss Backend for Winbind +Group: Applications/System +License: GPLv3+ and LGPLv3+ + +%description winbind-idmap +The idmap_sss module provides a way for Winbind to call SSSD to map UIDs/GIDs +and SIDs. + +%package nfs-idmap +Summary: SSSD plug-in for NFSv4 rpc.idmapd +Group: Applications/System +License: GPLv3+ + +%description nfs-idmap +The libnfsidmap sssd module provides a way for rpc.idmapd to call SSSD to map +UIDs/GIDs to names and vice versa. It can be also used for mapping principal +(user) name to IDs(UID or GID) or to obtain groups which user are member of. + +%package -n libsss_certmap +Summary: SSSD Certficate Mapping Library +Group: Development/Libraries +License: LGPLv3+ +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig + +%description -n libsss_certmap +Library to map certificates to users based on rules + +%package -n libsss_certmap-devel +Summary: SSSD Certficate Mapping Library +Group: Development/Libraries +License: LGPLv3+ +Requires: libsss_certmap = %{version}-%{release} + +%description -n libsss_certmap-devel +Library to map certificates to users based on rules + +%if (0%{?with_kcm} == 1) +%package kcm +Summary: An implementation of a Kerberos KCM server +Group: Applications/System +License: GPLv3+ +Requires: sssd-common = %{version}-%{release} +%{?systemd_requires} + +%description kcm +An implementation of a Kerberos KCM server. Use this package if you want to +use the KCM: Kerberos credentials cache. 
+%endif + +%prep +%setup -q -n %{name}-%{version} + +%build +autoreconf -ivf + +%configure \ + --with-test-dir=/dev/shm \ + --with-db-path=%{dbpath} \ + --with-mcache-path=%{mcpath} \ + --with-pipe-path=%{pipepath} \ + --with-pubconf-path=%{pubconfpath} \ + --with-gpo-cache-path=%{gpocachepath} \ + --with-init-dir=%{_initrddir} \ + --with-krb5-rcache-dir=%{_localstatedir}/cache/krb5rcache \ + --enable-nsslibdir=/%{_lib} \ + --enable-pammoddir=/%{_lib}/security \ + --enable-nfsidmaplibdir=%{_libdir}/libnfsidmap \ + --disable-static \ +%if (0%{?use_openssl} == 1) + --with-crypto=libcrypto \ +%endif + --disable-rpath \ +%if %{with sssd_user} + --with-sssd-user=sssd \ +%endif + %{with_initscript} \ + %{?with_syslog} \ + %{?with_cifs_utils_plugin_option} \ + %{?with_python2_option} \ + %{?with_python3_option} \ + %{?enable_polkit_rules_option} \ + %{?enable_systemtap_opt} \ + %{?with_secret_responder} \ + %{?with_kcm_option} \ + %{?with_idmap_version} \ + %{?experimental} + +make %{?_smp_mflags} all + +make %{?_smp_mflags} docs + +%check +export CK_TIMEOUT_MULTIPLIER=10 +make %{?_smp_mflags} check VERBOSE=yes +unset CK_TIMEOUT_MULTIPLIER + +%install + +%if (0%{?with_python3} == 1) +sed -i -e 's:/usr/bin/python:/usr/bin/python3:' src/tools/sss_obfuscate +%endif + +make install DESTDIR=$RPM_BUILD_ROOT + +# Prepare language files +/usr/lib/rpm/find-lang.sh $RPM_BUILD_ROOT sssd + +# Copy default logrotate file +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d +install -m644 src/examples/logrotate $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sssd + +# Make sure SSSD is able to run on read-only root +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/rwtab.d +install -m644 src/examples/rwtab $RPM_BUILD_ROOT%{_sysconfdir}/rwtab.d/sssd + +%if (0%{?with_cifs_utils_plugin} == 1) +# Create directory for cifs-idmap alternative +# Otherwise this directory could not be owned by sssd-client +mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/cifs-utils +%endif + +# Remove .la files created by libtool +find 
$RPM_BUILD_ROOT -name "*.la" -exec rm -f {} \; + +# Suppress developer-only documentation +rm -Rf ${RPM_BUILD_ROOT}/%{_docdir}/%{name} + +# Older versions of rpmbuild can only handle one -f option +# So we need to append to the sssd*.lang file +%if (0%{?with_python2} == 1) +for file in `ls $RPM_BUILD_ROOT/%{python2_sitelib}/*.egg-info 2> /dev/null` +do + echo %{python2_sitelib}/`basename $file` >> python2_sssdconfig.lang +done +%endif + +%if (0%{?with_python3} == 1) +for file in `ls $RPM_BUILD_ROOT/%{python3_sitelib}/*.egg-info 2> /dev/null` +do + echo %{python3_sitelib}/`basename $file` >> python3_sssdconfig.lang +done +%endif + +touch sssd.lang +for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \ + sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \ + libsss_certmap sssd_kcm +do + touch $subpackage.lang +done + +for man in `find $RPM_BUILD_ROOT/%{_mandir}/??/man?/ -type f | sed -e "s#$RPM_BUILD_ROOT/%{_mandir}/##"` +do + lang=`echo $man | cut -c 1-2` + case `basename $man` in + sss_cache*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang + ;; + sss_ssh*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang + ;; + sss_rpcidmapd*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_nfs_idmap.lang + ;; + sss_*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang + ;; + sssctl*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_tools.lang + ;; + sssd_krb5_*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang + ;; + pam_sss*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_client.lang + ;; + sssd-ldap*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ldap.lang + ;; + sssd-krb5*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_krb5.lang + ;; + sssd-ipa*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ipa.lang + ;; + sssd-ad*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_ad.lang + ;; + sssd-proxy*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> 
sssd_proxy.lang + ;; + sssd-ifp*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_dbus.lang + ;; + sssd-kcm*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_kcm.lang + ;; + idmap_sss*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd_winbind_idmap.lang + ;; + sss-certmap*) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> libsss_certmap.lang + ;; + *) + echo \%lang\(${lang}\) \%{_mandir}/${man}\* >> sssd.lang + ;; + esac +done + +# Print these to the rpmbuild log +echo "sssd.lang:" +cat sssd.lang + +%if (0%{?with_python2} == 1) +echo "python2_sssdconfig.lang:" +cat python2_sssdconfig.lang +%endif + +%if (0%{?with_python3} == 1) +echo "python3_sssdconfig.lang:" +cat python3_sssdconfig.lang +%endif + +for subpackage in sssd_ldap sssd_krb5 sssd_ipa sssd_ad sssd_proxy sssd_tools \ + sssd_client sssd_dbus sssd_nfs_idmap sssd_winbind_idmap \ + libsss_certmap sssd_kcm +do + echo "$subpackage.lang:" + cat $subpackage.lang +done + +# must be defined after last occurrence of package otherwise +# RPM will overwrite %%license as soon as it parses a License: tag +%if 0%{?rhel} <= 6 +%define license %doc +%endif + +%files +%defattr(-,root,root,-) +%license COPYING + +%files common -f sssd.lang +%defattr(-,root,root,-) +%license COPYING +%doc src/examples/sssd-example.conf +%{_sbindir}/sssd +%if (0%{?use_systemd} == 1) +%{_unitdir}/sssd.service +%{_unitdir}/sssd-autofs.socket +%{_unitdir}/sssd-autofs.service +%{_unitdir}/sssd-nss.socket +%{_unitdir}/sssd-nss.service +%{_unitdir}/sssd-pac.socket +%{_unitdir}/sssd-pac.service +%{_unitdir}/sssd-pam.socket +%{_unitdir}/sssd-pam-priv.socket +%{_unitdir}/sssd-pam.service +%{_unitdir}/sssd-ssh.socket +%{_unitdir}/sssd-ssh.service +%{_unitdir}/sssd-sudo.socket +%{_unitdir}/sssd-sudo.service +%else +%{_initrddir}/%{name} +%endif + +%dir %{_libexecdir}/%{servicename} +%{_libexecdir}/%{servicename}/sssd_be +%{_libexecdir}/%{servicename}/sssd_nss +%{_libexecdir}/%{servicename}/sssd_pam 
+%{_libexecdir}/%{servicename}/sssd_autofs +%{_libexecdir}/%{servicename}/sssd_ssh +%{_libexecdir}/%{servicename}/sssd_sudo +%{_libexecdir}/%{servicename}/p11_child +%if (0%{?use_systemd} == 1) +%{_libexecdir}/%{servicename}/sssd_check_socket_activated_responders +%endif + +%dir %{_libdir}/%{name} +# The files provider is intentionally packaged in -common +%{_libdir}/%{name}/libsss_files.so +%{_libdir}/%{name}/libsss_simple.so + +#Internal shared libraries +%{_libdir}/%{name}/libsss_child.so +%{_libdir}/%{name}/libsss_crypt.so +%{_libdir}/%{name}/libsss_cert.so +%{_libdir}/%{name}/libsss_debug.so +%{_libdir}/%{name}/libsss_krb5_common.so +%{_libdir}/%{name}/libsss_ldap_common.so +%{_libdir}/%{name}/libsss_util.so +%{_libdir}/%{name}/libsss_semanage.so + +%{ldb_modulesdir}/memberof.so +%{_bindir}/sss_ssh_authorizedkeys +%{_bindir}/sss_ssh_knownhostsproxy +%{_sbindir}/sss_cache +%{_libexecdir}/%{servicename}/sss_signal + +%dir %{sssdstatedir} +%dir %{_localstatedir}/cache/krb5rcache +%attr(700,sssd,sssd) %dir %{dbpath} +%attr(755,sssd,sssd) %dir %{mcpath} +%attr(751,sssd,sssd) %dir %{deskprofilepath} +%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/passwd +%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/group +%ghost %attr(0644,sssd,sssd) %verify(not md5 size mtime) %{mcpath}/initgroups +%attr(755,sssd,sssd) %dir %{pipepath} +%attr(750,sssd,root) %dir %{pipepath}/private +%attr(755,sssd,sssd) %dir %{pubconfpath} +%attr(755,sssd,sssd) %dir %{gpocachepath} +%attr(750,sssd,sssd) %dir %{_var}/log/%{name} +%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd +%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/conf.d +%if (0%{?use_openssl} == 1) +%attr(711,sssd,sssd) %dir %{_sysconfdir}/sssd/pki +%endif +%ghost %attr(0600,sssd,sssd) %config(noreplace) %{_sysconfdir}/sssd/sssd.conf +%dir %{_sysconfdir}/logrotate.d +%config(noreplace) %{_sysconfdir}/logrotate.d/sssd +%dir %{_sysconfdir}/rwtab.d +%config(noreplace) %{_sysconfdir}/rwtab.d/sssd +%dir 
%{_datadir}/sssd +%{_sysconfdir}/pam.d/sssd-shadowutils +%dir %{_libdir}/%{name}/conf +%{_libdir}/%{name}/conf/sssd.conf + +%{_datadir}/sssd/cfg_rules.ini +%{_datadir}/sssd/sssd.api.conf +%{_datadir}/sssd/sssd.api.d +%{_mandir}/man1/sss_ssh_authorizedkeys.1* +%{_mandir}/man1/sss_ssh_knownhostsproxy.1* +%{_mandir}/man5/sssd.conf.5* +%{_mandir}/man5/sssd-files.5* +%{_mandir}/man5/sssd-simple.5* +%{_mandir}/man5/sssd-sudo.5* +%{_mandir}/man5/sssd-session-recording.5* +%{_mandir}/man8/sssd.8* +%{_mandir}/man8/sss_cache.8* +%if (0%{?enable_systemtap} == 1) +%dir %{_datadir}/sssd/systemtap +%{_datadir}/sssd/systemtap/id_perf.stp +%{_datadir}/sssd/systemtap/nested_group_perf.stp +%{_datadir}/sssd/systemtap/dp_request.stp +%dir %{_datadir}/systemtap +%dir %{_datadir}/systemtap/tapset +%{_datadir}/systemtap/tapset/sssd.stp +%{_datadir}/systemtap/tapset/sssd_functions.stp +%{_mandir}/man5/sssd-systemtap.5* +%endif + +%if (0%{?install_pcscd_polkit_rule} == 1) +%files polkit-rules +%{_datadir}/polkit-1/rules.d/* +%endif + +%files ldap -f sssd_ldap.lang +%defattr(-,root,root,-) +%license COPYING +%{_libdir}/%{name}/libsss_ldap.so +%{_mandir}/man5/sssd-ldap.5* + +%files krb5-common +%defattr(-,root,root,-) +%license COPYING +%attr(755,sssd,sssd) %dir %{pubconfpath}/krb5.include.d +%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/ldap_child +%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/krb5_child + +%files krb5 -f sssd_krb5.lang +%defattr(-,root,root,-) +%license COPYING +%{_libdir}/%{name}/libsss_krb5.so +%{_mandir}/man5/sssd-krb5.5* + +%files common-pac +%defattr(-,root,root,-) +%license COPYING +%{_libexecdir}/%{servicename}/sssd_pac + +%files ipa -f sssd_ipa.lang +%defattr(-,root,root,-) +%license COPYING +%attr(700,sssd,sssd) %dir %{keytabdir} +%{_libdir}/%{name}/libsss_ipa.so +%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child +%{_mandir}/man5/sssd-ipa.5* + +%files ad -f sssd_ad.lang +%defattr(-,root,root,-) +%license COPYING 
+%{_libdir}/%{name}/libsss_ad.so +%{_libexecdir}/%{servicename}/gpo_child +%{_mandir}/man5/sssd-ad.5* + +%files proxy +%defattr(-,root,root,-) +%license COPYING +%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/proxy_child +%{_libdir}/%{name}/libsss_proxy.so + +%files dbus -f sssd_dbus.lang +%defattr(-,root,root,-) +%license COPYING +%{_libexecdir}/%{servicename}/sssd_ifp +%{_mandir}/man5/sssd-ifp.5* +%if (0%{?use_systemd} == 1) +%{_unitdir}/sssd-ifp.service +%endif +# InfoPipe DBus plumbing +%{_sysconfdir}/dbus-1/system.d/org.freedesktop.sssd.infopipe.conf +%{_datadir}/dbus-1/system-services/org.freedesktop.sssd.infopipe.service + +%files -n libsss_simpleifp +%defattr(-,root,root,-) +%{_libdir}/libsss_simpleifp.so.* + +%files -n libsss_simpleifp-devel +%defattr(-,root,root,-) +%doc sss_simpleifp_doc/html +%{_includedir}/sss_sifp.h +%{_includedir}/sss_sifp_dbus.h +%{_libdir}/libsss_simpleifp.so +%{_libdir}/pkgconfig/sss_simpleifp.pc + +%files client -f sssd_client.lang +%defattr(-,root,root,-) +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +/%{_lib}/libnss_sss.so.2 +/%{_lib}/security/pam_sss.so +%{_libdir}/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so +%{_libdir}/krb5/plugins/authdata/sssd_pac_plugin.so +%if (0%{?with_cifs_utils_plugin} == 1) +%dir %{_libdir}/cifs-utils +%{_libdir}/cifs-utils/cifs_idmap_sss.so +%dir %{_sysconfdir}/cifs-utils +%ghost %{_sysconfdir}/cifs-utils/idmap-plugin +%endif +%dir %{_libdir}/%{name} +%dir %{_libdir}/%{name}/modules +%{_libdir}/%{name}/modules/sssd_krb5_localauth_plugin.so +%{_mandir}/man8/pam_sss.8* +%{_mandir}/man8/sssd_krb5_locator_plugin.8* + +%files -n libsss_sudo +%defattr(-,root,root,-) +%license src/sss_client/COPYING +%{_libdir}/libsss_sudo.so* + +%files -n libsss_autofs +%defattr(-,root,root,-) +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%dir %{_libdir}/%{name}/modules +%{_libdir}/%{name}/modules/libsss_autofs.so + +%files tools -f sssd_tools.lang +%defattr(-,root,root,-) 
+%license COPYING +%{_sbindir}/sss_useradd +%{_sbindir}/sss_userdel +%{_sbindir}/sss_usermod +%{_sbindir}/sss_groupadd +%{_sbindir}/sss_groupdel +%{_sbindir}/sss_groupmod +%{_sbindir}/sss_groupshow +%{_sbindir}/sss_obfuscate +%{_sbindir}/sss_override +%{_sbindir}/sss_debuglevel +%{_sbindir}/sss_seed +%{_sbindir}/sssctl +%{_mandir}/man8/sss_groupadd.8* +%{_mandir}/man8/sss_groupdel.8* +%{_mandir}/man8/sss_groupmod.8* +%{_mandir}/man8/sss_groupshow.8* +%{_mandir}/man8/sss_useradd.8* +%{_mandir}/man8/sss_userdel.8* +%{_mandir}/man8/sss_usermod.8* +%{_mandir}/man8/sss_obfuscate.8* +%{_mandir}/man8/sss_override.8* +%{_mandir}/man8/sss_debuglevel.8* +%{_mandir}/man8/sss_seed.8* +%{_mandir}/man8/sssctl.8* + +%if (0%{?with_python2} == 1) +%files -n python2-sssdconfig -f python2_sssdconfig.lang +%defattr(-,root,root,-) +%dir %{python2_sitelib}/SSSDConfig +%{python2_sitelib}/SSSDConfig/*.py* +%endif + +%if (0%{?with_python3} == 1) +%files -n python3-sssdconfig -f python3_sssdconfig.lang +%defattr(-,root,root,-) +%dir %{python3_sitelib}/SSSDConfig +%{python3_sitelib}/SSSDConfig/*.py* +%dir %{python3_sitelib}/SSSDConfig/__pycache__ +%{python3_sitelib}/SSSDConfig/__pycache__/*.py* +%endif + +%if (0%{?with_python2} == 1) +%files -n python2-sss +%defattr(-,root,root,-) +%{python2_sitearch}/pysss.so +%endif + +%if (0%{?with_python3} == 1) +%files -n python3-sss +%defattr(-,root,root,-) +%{python3_sitearch}/pysss.so +%endif + +%if (0%{?with_python2} == 1) +%files -n python2-sss-murmur +%defattr(-,root,root,-) +%{python2_sitearch}/pysss_murmur.so +%endif + +%if (0%{?with_python3} == 1) +%files -n python3-sss-murmur +%defattr(-,root,root,-) +%{python3_sitearch}/pysss_murmur.so +%endif + +%files -n libsss_idmap +%defattr(-,root,root,-) +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_idmap.so.* + +%files -n libsss_idmap-devel +%defattr(-,root,root,-) +%doc idmap_doc/html +%{_includedir}/sss_idmap.h +%{_libdir}/libsss_idmap.so 
+%{_libdir}/pkgconfig/sss_idmap.pc + +%files -n libipa_hbac +%defattr(-,root,root,-) +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libipa_hbac.so.* + +%files -n libipa_hbac-devel +%defattr(-,root,root,-) +%doc hbac_doc/html +%{_includedir}/ipa_hbac.h +%{_libdir}/libipa_hbac.so +%{_libdir}/pkgconfig/ipa_hbac.pc + +%files -n libsss_nss_idmap +%defattr(-,root,root,-) +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_nss_idmap.so.* + +%files -n libsss_nss_idmap-devel +%defattr(-,root,root,-) +%doc nss_idmap_doc/html +%{_includedir}/sss_nss_idmap.h +%{_libdir}/libsss_nss_idmap.so +%{_libdir}/pkgconfig/sss_nss_idmap.pc + +%if (0%{?with_python2} == 1) +%files -n python2-libsss_nss_idmap +%defattr(-,root,root,-) +%{python2_sitearch}/pysss_nss_idmap.so +%endif + +%if (0%{?with_python3} == 1) +%files -n python3-libsss_nss_idmap +%defattr(-,root,root,-) +%{python3_sitearch}/pysss_nss_idmap.so +%endif + +%if (0%{?with_python2} == 1) +%files -n python2-libipa_hbac +%defattr(-,root,root,-) +%{python2_sitearch}/pyhbac.so +%endif + +%if (0%{?with_python3} == 1) +%files -n python3-libipa_hbac +%defattr(-,root,root,-) +%{python3_sitearch}/pyhbac.so +%endif + +%files libwbclient +%defattr(-,root,root,-) +%dir %{_libdir}/%{name} +%dir %{_libdir}/%{name}/modules +%{_libdir}/%{name}/modules/libwbclient.so.* + +%files libwbclient-devel +%defattr(-,root,root,-) +%{_includedir}/wbclient_sssd.h +%{_libdir}/%{name}/modules/libwbclient.so +%{_libdir}/pkgconfig/wbclient_sssd.pc + +%files winbind-idmap -f sssd_winbind_idmap.lang +%dir %{_libdir}/samba/idmap +%{_libdir}/samba/idmap/sss.so +%{_mandir}/man8/idmap_sss.8* + +%files nfs-idmap -f sssd_nfs_idmap.lang +%{_mandir}/man5/sss_rpcidmapd.5* +%{_libdir}/libnfsidmap/sss.so + +%files -n libsss_certmap -f libsss_certmap.lang +%defattr(-,root,root,-) +%license src/sss_client/COPYING src/sss_client/COPYING.LESSER +%{_libdir}/libsss_certmap.so.* +%{_mandir}/man5/sss-certmap.5* + +%files -n 
libsss_certmap-devel +%defattr(-,root,root,-) +%doc certmap_doc/html +%{_includedir}/sss_certmap.h +%{_libdir}/libsss_certmap.so +%{_libdir}/pkgconfig/sss_certmap.pc + +%if (0%{?with_kcm} == 1) +%files kcm -f sssd_kcm.lang +%if (0%{?with_secrets} == 1) +%attr(700,root,root) %dir %{secdbpath} +%endif +%{_libexecdir}/%{servicename}/sssd_kcm +%if (0%{?with_secrets} == 1) +%{_libexecdir}/%{servicename}/sssd_secrets +%endif +%dir %{_datadir}/sssd-kcm +%{_datadir}/sssd-kcm/kcm_default_ccache +%{_unitdir}/sssd-kcm.socket +%{_unitdir}/sssd-kcm.service +%{_unitdir}/sssd-secrets.socket +%{_unitdir}/sssd-secrets.service +%{_mandir}/man8/sssd-kcm.8* +%if (0%{?with_secrets} == 1) +%{_mandir}/man5/sssd-secrets.5* +%endif +%endif + +%pre common +getent group sssd >/dev/null || groupadd -r sssd +getent passwd sssd >/dev/null || useradd -r -g sssd -d / -s /sbin/nologin -c "User for sssd" sssd + +%if (0%{?use_systemd} == 1) +# systemd +%post common +%systemd_post sssd.service +%systemd_post sssd-autofs.socket +%systemd_post sssd-nss.socket +%systemd_post sssd-pac.socket +%systemd_post sssd-pam.socket +%systemd_post sssd-pam-priv.socket +%systemd_post sssd-secrets.socket +%systemd_post sssd-ssh.socket +%systemd_post sssd-sudo.socket + +%preun common +%systemd_preun sssd.service +%systemd_preun sssd-autofs.socket +%systemd_preun sssd-nss.socket +%systemd_preun sssd-pac.socket +%systemd_preun sssd-pam.socket +%systemd_preun sssd-pam-priv.socket +%systemd_preun sssd-secrets.socket +%systemd_preun sssd-ssh.socket +%systemd_preun sssd-sudo.socket + +%postun common +%systemd_postun_with_restart sssd.service +%systemd_postun_with_restart sssd-autofs.socket +%systemd_postun_with_restart sssd-autofs.service +%systemd_postun_with_restart sssd-nss.socket +%systemd_postun_with_restart sssd-nss.service +%systemd_postun_with_restart sssd-pac.socket +%systemd_postun_with_restart sssd-pac.service +%systemd_postun_with_restart sssd-pam.socket +%systemd_postun_with_restart sssd-pam-priv.socket 
+%systemd_postun_with_restart sssd-pam.service +%systemd_postun_with_restart sssd-secrets.socket +%systemd_postun_with_restart sssd-secrets.service +%systemd_postun_with_restart sssd-ssh.socket +%systemd_postun_with_restart sssd-ssh.service +%systemd_postun_with_restart sssd-sudo.socket +%systemd_postun_with_restart sssd-sudo.service + +%post dbus +%systemd_post sssd-ifp.service + +%preun dbus +%systemd_preun sssd-ifp.service + +%postun dbus +%systemd_postun_with_restart sssd-ifp.service + +%if (0%{?with_kcm} == 1) +%post kcm +%systemd_post sssd-kcm.socket + +%preun kcm +%systemd_preun sssd-kcm.socket + +%postun kcm +%systemd_postun_with_restart sssd-kcm.socket +%systemd_postun_with_restart sssd-kcm.service +%endif + +%else +# sysv +%post common +/sbin/chkconfig --add %{servicename} + +%posttrans +/sbin/service %{servicename} condrestart 2>&1 > /dev/null + +%preun common +if [ $1 = 0 ] ; then + /sbin/service %{servicename} stop 2>&1 > /dev/null + /sbin/chkconfig --del %{servicename} +fi +%endif + +%if (0%{?with_cifs_utils_plugin} == 1) +%post client +/sbin/ldconfig +/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so 20 + +%preun client +if [ $1 -eq 0 ] ; then + /usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/cifs-utils/cifs_idmap_sss.so +fi +%else +%post client -p /sbin/ldconfig +%endif + +%postun client -p /sbin/ldconfig + +%post -n libsss_sudo -p /sbin/ldconfig + +%postun -n libsss_sudo -p /sbin/ldconfig + +%post -n libipa_hbac -p /sbin/ldconfig + +%postun -n libipa_hbac -p /sbin/ldconfig + +%post -n libsss_idmap -p /sbin/ldconfig + +%postun -n libsss_idmap -p /sbin/ldconfig + +%post -n libsss_nss_idmap -p /sbin/ldconfig + +%postun -n libsss_nss_idmap -p /sbin/ldconfig + +%post -n libsss_simpleifp -p /sbin/ldconfig + +%postun -n libsss_simpleifp -p /sbin/ldconfig + +%post -n libsss_certmap -p /sbin/ldconfig + +%postun -n libsss_certmap -p /sbin/ldconfig + +%changelog +* Mon Mar 15 
2010 Stephen Gallagher - @PACKAGE_VERSION@-0@PRERELEASE_VERSION@
+- Automated build of the SSSD
diff --git a/contrib/systemtap/dp_request.stp b/contrib/systemtap/dp_request.stp
new file mode 100644
index 0000000..0fa1082
--- /dev/null
+++ b/contrib/systemtap/dp_request.stp
@@ -0,0 +1,85 @@
+/* Start Run with:
+ * stap -v dp_request.stp
+ *
+ * Then reproduce slow login or id/getent in another terminal.
+ * Ctrl-C running stap once login completes.
+ *
+ * Probe tapsets are in /usr/share/systemtap/tapset/sssd.stp
+ */
+
+
+global num_dp_requests
+
+global time_in_dp_req
+global elapsed_time
+global dp_req_send_start
+global dp_req_send_end
+
+/* Used for tracking slowest request as tz_ctime() only converts seconds, not ms */
+global dp_req_send_sec_start
+global dp_req_send_sec_end
+
+global slowest_req_name
+global slowest_req_target
+global slowest_req_method
+global slowest_req_time = 0
+global slowest_req_start_time
+global slowest_req_end_time
+
+function print_report()
+{
+ printf("\nEnding Systemtap Run - Providing Summary\n")
+ printf("Total Number of DP requests: [%d]\n", num_dp_requests)
+ printf("Total time in DP requests: [%s]\n", msecs_to_string(time_in_dp_req))
+ printf("Slowest request data:\n")
+ printf("\tRequest: [%s]\n", slowest_req_name)
+ printf("\tTarget: [%s]\n", dp_target_str(slowest_req_target))
+ printf("\tMethod: [%s]\n", dp_method_str(slowest_req_method))
+ printf("\tStart Time: [%s]\n", tz_ctime(slowest_req_start_time))
+ printf("\tEnd Time: [%s]\n", tz_ctime(slowest_req_end_time))
+ printf("\tDuration: [%s]\n\n", msecs_to_string(slowest_req_time))
+}
+
+probe dp_req_send
+{
+ dp_req_send_start = gettimeofday_ms()
+ dp_req_send_sec_start = gettimeofday_s()
+
+ printf("\t--> DP Request [%s] sent for domain [%s]\n", dp_req_name, dp_req_domain)
+ printf("\t--> Target: [%s] - Method: [%s]\n", dp_target_str(dp_req_target), dp_method_str(dp_req_method))
+
+ num_dp_requests++
+}
+
+probe dp_req_done
+{
+ dp_req_send_end = gettimeofday_ms()
+ dp_req_send_sec_end = gettimeofday_s()
+ elapsed_time = (dp_req_send_end - dp_req_send_start)
+
+ printf("\t\t DP Request [%s] finished with return code [%d]: [%s]\n",
+ dp_req_name, dp_ret, dp_errorstr)
+ printf("\t\t Elapsed time [%s]\n\n", msecs_to_string(elapsed_time))
+
+ /* Track slowest request information */
+ if (elapsed_time > slowest_req_time) {
+ slowest_req_time = elapsed_time
+ slowest_req_name = dp_req_name
+ slowest_req_method = dp_req_method
+ slowest_req_target = slowest_req_target
+ slowest_req_start_time = dp_req_send_sec_start
+ slowest_req_end_time = dp_req_send_sec_end
+ }
+
+ time_in_dp_req += (dp_req_send_end - dp_req_send_start)
+}
+
+probe begin
+{
+ printf("\t*** Beginning run! ***\n")
+}
+
+probe end
+{
+ print_report()
+}
diff --git a/contrib/systemtap/id_perf.stp b/contrib/systemtap/id_perf.stp
new file mode 100644
index 0000000..a778975
--- /dev/null
+++ b/contrib/systemtap/id_perf.stp
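Review bot: In `probe dp_req_done` the slowest-request bookkeeping contains the self-assignment `slowest_req_target = slowest_req_target`, so the target of the slowest request is never recorded and `print_report()` hands the global's initial value to `dp_target_str()`. Assuming the tapset exposes `dp_req_target` in `dp_req_done` the same way it exposes `dp_req_method` (the tapset is not part of this hunk), the line should read `slowest_req_target = dp_req_target`. Separately, `dp_req_send_start` is a single global, so a second `dp_req_send` firing before the first `dp_req_done` makes the elapsed time run from the later start; a comment next to the globals such as `/* timing assumes one DP request in flight at a time */` would state that limit for anyone reading the summary.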
@@ -0,0 +1,167 @@
+global in_id
+
+global runtime_start
+global runtime_end
+
+global num_transactions
+global time_in_transactions
+global trans_start_time
+global trans_end_time
+
+global time_in_ldb
+global ldb_start_time
+global ldb_end_time
+
+global num_ldap_searches
+global time_in_ldap
+global ldap_start_time
+global ldap_end_time
+
+global acct_req_types
+global acct_req_times
+global acct_req_rtime
+
+global bts
+
+function print_acct_req(req_type)
+{
+ str_req = acct_req_desc(req_type)
+ printf("\tNumber of %s requests: %d\n", str_req, acct_req_types[req_type])
+ printf("\tTime spent in %s requests: %d\n", str_req, acct_req_times[req_type])
+ printf("\n")
+}
+
+function print_report()
+{
+ max_trans_time = 0
+ max_trans_time_bt = ""
+
+ total_time = runtime_end - runtime_start
+ printf("Total run time of id was: %d ms\n", total_time)
+ printf("Number of zero-level cache transactions: %d\n", num_transactions)
+ printf("Time spent in level-0 sysdb transactions: %d ms\n", time_in_transactions)
+ printf("Time spent writing to LDB: %d ms\n", time_in_ldb)
+ printf("Number of LDAP searches: %d\n", num_ldap_searches)
+ printf("Time spent waiting for LDAP: %d ms\n", time_in_ldap)
+
+ printf("LDAP searches breakdown:\n")
+ foreach (req_type in acct_req_types) {
+ print_acct_req(req_type)
+ }
+
+ printf("Unaccounted time: %d ms\n",
+ total_time - time_in_transactions - time_in_ldap)
+
+ printf("sysdb transaction breakdown:\n")
+ foreach ([b] in bts) {
+ printf("%d hits of transaction %s\n", @count(bts[b]), b)
+ printf("avg:%d min: %d max: %d sum: %d\n\n",
+ @avg(bts[b]), @min(bts[b]), @max(bts[b]), @sum(bts[b]))
+
+ if (@max(bts[b]) > max_trans_time) {
+ max_trans_time = @max(bts[b])
+ max_trans_time_bt = b
+ }
+ }
+
+ if (max_trans_time > 0) {
+ printf("The most expensive transaction breakdown, per transaction:\n")
+ print(@hist_linear(bts[max_trans_time_bt], 0, 500, 50))
+ }
+}
+
+probe process("/usr/bin/id").begin
+{
+ in_id = 1
+
+ num_transactions = 0
+ time_in_transactions = 0
+
+ num_ldap_searches = 0
+ time_in_ldap = 0
+ time_in_ldb = 0
+
+ acct_req_types[0x0001] = 0
+ acct_req_types[0x0002] = 0
+ acct_req_types[0x0003] = 0
+
+ acct_req_times[0x0001] = 0
+ acct_req_times[0x0002] = 0
+ acct_req_times[0x0003] = 0
+
+ acct_req_rtime[0x0001] = 0
+ acct_req_rtime[0x0002] = 0
+ acct_req_rtime[0x0003] = 0
+
+ runtime_start = gettimeofday_ms()
+}
+
+probe process("/usr/bin/id").end
+{
+ in_id = 0
+
+ runtime_end = gettimeofday_ms()
+ print_report()
+
+ delete bts
+}
+
+probe sssd_transaction_start
+{
+ if (nesting == 0 && in_id == 1) {
+ num_transactions++
+ trans_start_time = gettimeofday_ms()
+ }
+}
+
+probe sssd_transaction_commit_before
+{
+ if (nesting == 0 && in_id == 1) {
+ ldb_start_time = gettimeofday_ms()
+ }
+}
+
+probe sssd_transaction_commit_after
+{
+ if (nesting == 0 && in_id == 1) {
+ ldb_end_time = gettimeofday_ms()
+ time_in_ldb += (ldb_end_time-ldb_start_time)
+
+ trans_end_time = gettimeofday_ms()
+ time_in_transactions += (trans_end_time-trans_start_time)
+
+ bt = sprint_ubacktrace()
+ bts[bt] <<< (trans_end_time-trans_start_time)
+ }
+}
+
+probe sdap_search_send
+{
+ if (in_id == 1) {
+ num_ldap_searches++
+ ldap_start_time = gettimeofday_ms()
+ }
+}
+
+probe sdap_search_recv
+{
+ if (in_id == 1) {
+ ldap_end_time = gettimeofday_ms()
+ time_in_ldap += (ldap_end_time-ldap_start_time)
+ }
+}
+
+probe sdap_acct_req_send
+{
+ if (in_id == 1) {
+ acct_req_types[entry_type]++
+ acct_req_rtime[entry_type] = gettimeofday_ms()
+ }
+}
+
+probe sdap_acct_req_recv
+{
+ if (in_id == 1) {
+ acct_req_times[entry_type] += (gettimeofday_ms() - acct_req_rtime[entry_type])
+ }
+}
diff --git a/contrib/systemtap/nested_group_perf.stp b/contrib/systemtap/nested_group_perf.stp
new file mode 100644
index 0000000..0c7ff03
--- /dev/null
+++ b/contrib/systemtap/nested_group_perf.stp
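Review bot: The send/recv probe pairs keep their start timestamp in one global (`ldap_start_time` for `sdap_search_send`/`sdap_search_recv`) or in one slot per request type (`acct_req_rtime[entry_type]` for `sdap_acct_req_send`/`sdap_acct_req_recv`), so a second send arriving before the matching recv overwrites the start and the earlier request's time is under-counted. Whether these requests can overlap is not visible in this hunk, but if they can, "Time spent waiting for LDAP" becomes a lower bound and "Unaccounted time" grows by the same amount. The `in_id == 1` gate is also a global flag, so the probes appear to count any matching SSSD activity while `/usr/bin/id` is running, not only work done on its behalf. I would state both assumptions beside the globals, e.g. `/* timings assume one LDAP search and one account request per type in flight, and no other SSSD clients active */`.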
@@ -0,0 +1,333 @@
+global time_in_populate
+global populate_start_time
+global populate_end_time
+
+global time_in_save
+global save_start_time
+global save_end_time
+
+global time_in_groupreq
+global groupreq_start
+global groupreq_end
+
+global user_req_index = 0
+global group_req_index = 1
+global unknown_req_index = 2
+global deref_req_index = 3
+global ldap_req_times
+
+global user_req_start
+global user_req_end
+
+global group_req_start
+global group_req_end
+
+global unknown_req_start
+global unknown_req_end
+
+global deref_req_start
+global deref_req_end
+
+global time_in_deref_nested
+global deref_req_nested_start
+global deref_req_nested_end
+
+global time_in_deref_process
+global deref_req_process_start
+global deref_req_process_end
+
+global time_in_transactions
+global trans_start_time
+global trans_end_time
+
+global time_in_ldb
+global ldb_start_time
+global ldb_end_time
+
+global time_in_nested_gr_req
+global nested_gr_req_start_time
+global nested_gr_req_end_time
+
+global time_in_nested_gr_process_req
+global nested_gr_process_req_start_time
+global nested_gr_process_req_end_time
+
+global time_in_split_members
+global split_members_start
+global split_members_end
+
+global time_in_check_cache
+global check_cache_start
+global check_cache_end
+
+global time_in_search_users
+global search_users_start
+global search_users_end
+
+global time_in_search_groups
+global search_groups_start
+global search_groups_end
+
+global time_in_populate_search_users
+global populate_search_users_start
+global populate_search_users_end
+
+function print_report()
+{
+ user_req_total = @sum(ldap_req_times[user_req_index])
+ group_req_total = @sum(ldap_req_times[group_req_index])
+ unknown_req_total = @sum(ldap_req_times[unknown_req_index])
+ deref_req_total = @sum(ldap_req_times[deref_req_index])
+ all_req_total = user_req_total + group_req_total + unknown_req_total + deref_req_total
+
+ # systemtap doesn't handle floating point numbers..
+ trans_rate = 10000 * time_in_transactions / time_in_groupreq
+ nested_rate = 10000 * time_in_nested_gr_req / time_in_groupreq
+
+ printf("Time spent in group sssd_be searches: %d\n", time_in_groupreq)
+ printf("Time spent in sdap_nested_group_send/recv: %d ms (ratio: %d.%02d%%)\n",
+ time_in_nested_gr_req, nested_rate/100, nested_rate%100)
+ printf("Time spent in zero-level sysdb transactions: %d ms (ratio: %d.%02d%%)\n",
+ time_in_transactions, trans_rate/100, trans_rate%100)
+ printf("\n")
+
+ printf("Breakdown of sdap_nested_group req (total: %d ms)\n", time_in_nested_gr_req);
+ printf("\tsdap_nested_group_process req: %d\n", time_in_nested_gr_process_req)
+ printf("\t\tsdap_nested_group_process_split req: %d\n", time_in_split_members)
+ printf("\t\t\tsdap_nested_group_check_cache: %d\n", time_in_check_cache)
+ printf("\t\t\t\tsdap_nested_group_sysdb_search_users: %d\n", time_in_search_users)
+ printf("\t\t\t\tsdap_nested_group_sysdb_search_groups: %d\n", time_in_search_groups)
+ printf("\t\tldap request breakdown of total %d\n", all_req_total)
+ printf("\t\t\tsdap_nested_group_deref req: %d\n", time_in_deref_nested)
+ printf("\t\t\t\tsdap_deref_search_send req %d\n", deref_req_total)
+ printf("\t\t\t\tprocessing deref results: %d\n", time_in_deref_process)
+ printf("\t\t\tsdap_nested_group_lookup_user req: %d\n", user_req_total)
+ printf("\t\t\tsdap_nested_group_lookup_group req: %d\n", group_req_total)
+ printf("\t\t\tTime spent refreshing unknown members: %d\n", unknown_req_total)
+ printf("\n")
+
+ printf("Breakdown of results processing (total %d)\n", time_in_transactions);
+ printf("\tTime spent populating nested members: %d\n", time_in_populate)
+ printf("\t\tTime spent searching ldb while populating nested members: %d\n", time_in_populate_search_users)
+ printf("\tTime spent saving nested members: %d\n", time_in_save)
+ printf("\tTime spent writing to the ldb: %d ms\n", time_in_ldb)
+ printf("\n")
+}
+
+probe sssd_transaction_start
+{
+ if (nesting == 0) {
+ num_transactions++
+ trans_start_time = gettimeofday_ms()
+ }
+}
+
+probe sssd_transaction_commit_before
+{
+ if (nesting == 0) {
+ ldb_start_time = gettimeofday_ms()
+ }
+}
+
+probe sssd_transaction_commit_after
+{
+ if (nesting == 0) {
+ trans_end_time = gettimeofday_ms()
+ time_in_transactions += (trans_end_time-trans_start_time)
+
+ ldb_end_time = gettimeofday_ms()
+ time_in_ldb += (ldb_end_time - ldb_start_time)
+ }
+}
+
+probe sdap_deref_send
+{
+ deref_req_start = gettimeofday_ms()
+}
+
+probe sdap_deref_recv
+{
+ deref_req_end = gettimeofday_ms()
+ ldap_req_times[deref_req_index] <<< (deref_req_end - deref_req_start)
+}
+
+probe sdap_nested_group_lookup_user_send
+{
+ user_req_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_lookup_user_recv
+{
+ user_req_end = gettimeofday_ms()
+ ldap_req_times[user_req_index] <<< (user_req_end - user_req_start)
+}
+
+probe sdap_nested_group_lookup_group_send
+{
+ group_req_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_lookup_group_recv
+{
+ group_req_end = gettimeofday_ms()
+ ldap_req_times[group_req_index] <<< (group_req_end - group_req_start)
+}
+
+probe sdap_nested_group_lookup_unknown_send
+{
+ unknown_req_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_lookup_unknown_recv
+{
+ unknown_req_end = gettimeofday_ms()
+ ldap_req_times[unknown_req_index] <<< (unknown_req_end - unknown_req_start)
+}
+
+probe sdap_nested_group_deref_send
+{
+ deref_req_nested_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_deref_recv
+{
+ deref_req_nested_end = gettimeofday_ms()
+ time_in_deref_nested += (deref_req_nested_end - deref_req_nested_start)
+}
+
+probe sdap_nested_group_deref_process_pre
+{
+ deref_req_process_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_deref_process_post
+{
+ deref_req_process_end = gettimeofday_ms()
+ time_in_deref_process += (deref_req_process_end - deref_req_process_start)
+}
+
+probe sdap_nested_group_populate_pre
+{
+ populate_start_time = gettimeofday_ms()
+}
+
+probe sdap_nested_group_populate_post
+{
+ populate_end_time = gettimeofday_ms()
+ time_in_populate += (populate_end_time - populate_start_time)
+}
+
+probe sdap_nested_group_save_pre
+{
+ save_start_time = gettimeofday_ms()
+}
+
+probe sdap_nested_group_save_post
+{
+ save_end_time = gettimeofday_ms()
+ time_in_save += (save_end_time - save_start_time)
+}
+
+probe sdap_nested_group_send
+{
+ nested_gr_req_start_time = gettimeofday_ms()
+}
+
+probe sdap_nested_group_recv
+{
+ nested_gr_req_end_time = gettimeofday_ms()
+ time_in_nested_gr_req += (nested_gr_req_end_time - nested_gr_req_start_time)
+}
+
+probe sdap_nested_group_process_send
+{
+ nested_gr_process_req_start_time = gettimeofday_ms()
+}
+
+probe sdap_nested_group_process_recv
+{
+ nested_gr_process_req_end_time = gettimeofday_ms()
+ time_in_nested_gr_process_req += (nested_gr_process_req_end_time - nested_gr_process_req_start_time)
+}
+
+probe sdap_nested_group_process_split_pre
+{
+ split_members_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_process_split_post
+{
+ split_members_end = gettimeofday_ms()
+ time_in_split_members += (split_members_end - split_members_start)
+}
+
+probe sdap_nested_group_check_cache_pre
+{
+ check_cache_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_check_cache_post
+{
+ check_cache_end = gettimeofday_ms()
+ time_in_check_cache += (check_cache_end - check_cache_start)
+}
+
+probe sdap_nested_group_sysdb_search_users_pre
+{
+ search_users_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_sysdb_search_users_post
+{
+ search_users_end = gettimeofday_ms()
+ time_in_search_users += (search_users_end - search_users_start)
+}
+
+probe sdap_nested_group_sysdb_search_groups_pre
+{
+ search_groups_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_sysdb_search_groups_post
+{
+ search_groups_end = gettimeofday_ms()
+ time_in_search_groups += (search_groups_end - search_groups_start)
+}
+
+probe sdap_nested_group_populate_search_users_pre
+{
+ populate_search_users_start = gettimeofday_ms()
+}
+
+probe sdap_nested_group_populate_search_users_post
+{
+ populate_search_users_end = gettimeofday_ms()
+ time_in_populate_search_users += (populate_search_users_end - populate_search_users_start)
+}
+
+probe sdap_acct_req_send
+{
+ if (entry_type == 0x0002) {
+ groupreq_start = gettimeofday_ms()
+ }
+}
+
+probe sdap_acct_req_recv
+{
+ if (entry_type == 0x0002) {
+ groupreq_end = gettimeofday_ms()
+ time_in_groupreq += (groupreq_end - groupreq_start)
+ }
+}
+
+probe begin
+{
+ time_in_populate = 0
+ time_in_save = 0
+ time_in_transactions = 0
+}
+
+probe end
+{
+ print_report()
+}
diff --git a/m4/.dir b/m4/.dir
new file mode 100644
index 0000000..e69de29
diff --git a/m4/codeset.m4 b/m4/codeset.m4
new file mode 100644
index 0000000..a6e67ec
--- /dev/null
+++ b/m4/codeset.m4
@@ -0,0 +1,21 @@
+# codeset.m4 serial AM1 (gettext-0.10.40)
+dnl Copyright (C) 2000-2002 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+AC_DEFUN([AM_LANGINFO_CODESET],
+[
+ AC_CACHE_CHECK([for nl_langinfo and CODESET], am_cv_langinfo_codeset,
+ [AC_TRY_LINK([#include ],
+ [char* cs = nl_langinfo(CODESET);],
+ am_cv_langinfo_codeset=yes,
+ am_cv_langinfo_codeset=no)
+ ])
+ if test $am_cv_langinfo_codeset = yes; then
+ AC_DEFINE(HAVE_LANGINFO_CODESET, 1,
+ [Define if you have and nl_langinfo(CODESET).])
+ fi
+])
diff --git a/m4/gettext.m4 b/m4/gettext.m4
new file mode 100644
index 0000000..624a807
--- /dev/null
+++ b/m4/gettext.m4
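Review bot: In contrib/systemtap/nested_group_perf.stp, `print_report()` divides by `time_in_groupreq` when computing `trans_rate` and `nested_rate`. That global is still 0 if the script ends before any `entry_type == 0x0002` request has completed, so the `end` probe would stop on a division-by-zero runtime error and print no report. Guarding both computations keeps the report usable, e.g. `trans_rate = time_in_groupreq ? 10000 * time_in_transactions / time_in_groupreq : 0` and the same form for `nested_rate`. Separately, `num_transactions++` in `sssd_transaction_start` has no `global num_transactions` in this file, so it appears to increment a probe-local value that is never read; either declare and report it, or drop the line.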
@@ -0,0 +1,549 @@ +# gettext.m4 serial 37 (gettext-0.14.4) +dnl Copyright (C) 1995-2005 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. +dnl +dnl This file can can be used in projects which are not available under +dnl the GNU General Public License or the GNU Library General Public +dnl License but which still want to provide support for the GNU gettext +dnl functionality. +dnl Please note that the actual code of the GNU gettext library is covered +dnl by the GNU Library General Public License, and the rest of the GNU +dnl gettext package package is covered by the GNU General Public License. +dnl They are *not* in the public domain. + +dnl Authors: +dnl Ulrich Drepper , 1995-2000. +dnl Bruno Haible , 2000-2003. + +dnl Macro to add for using GNU gettext. + +dnl Usage: AM_GNU_GETTEXT([INTLSYMBOL], [NEEDSYMBOL], [INTLDIR]). +dnl INTLSYMBOL can be one of 'external', 'no-libtool', 'use-libtool'. The +dnl default (if it is not specified or empty) is 'no-libtool'. +dnl INTLSYMBOL should be 'external' for packages with no intl directory, +dnl and 'no-libtool' or 'use-libtool' for packages with an intl directory. +dnl If INTLSYMBOL is 'use-libtool', then a libtool library +dnl $(top_builddir)/intl/libintl.la will be created (shared and/or static, +dnl depending on --{enable,disable}-{shared,static} and on the presence of +dnl AM-DISABLE-SHARED). If INTLSYMBOL is 'no-libtool', a static library +dnl $(top_builddir)/intl/libintl.a will be created. +dnl If NEEDSYMBOL is specified and is 'need-ngettext', then GNU gettext +dnl implementations (in libc or libintl) without the ngettext() function +dnl will be ignored. If NEEDSYMBOL is specified and is +dnl 'need-formatstring-macros', then GNU gettext implementations that don't +dnl support the ISO C 99 formatstring macros will be ignored. 
+dnl INTLDIR is used to find the intl libraries. If empty, +dnl the value `$(top_builddir)/intl/' is used. +dnl +dnl The result of the configuration is one of three cases: +dnl 1) GNU gettext, as included in the intl subdirectory, will be compiled +dnl and used. +dnl Catalog format: GNU --> install in $(datadir) +dnl Catalog extension: .mo after installation, .gmo in source tree +dnl 2) GNU gettext has been found in the system's C library. +dnl Catalog format: GNU --> install in $(datadir) +dnl Catalog extension: .mo after installation, .gmo in source tree +dnl 3) No internationalization, always use English msgid. +dnl Catalog format: none +dnl Catalog extension: none +dnl If INTLSYMBOL is 'external', only cases 2 and 3 can occur. +dnl The use of .gmo is historical (it was needed to avoid overwriting the +dnl GNU format catalogs when building on a platform with an X/Open gettext), +dnl but we keep it in order not to force irrelevant filename changes on the +dnl maintainers. +dnl +AC_DEFUN([AM_GNU_GETTEXT], +[ + dnl Argument checking. + ifelse([$1], [], , [ifelse([$1], [external], , [ifelse([$1], [no-libtool], , [ifelse([$1], [use-libtool], , + [errprint([ERROR: invalid first argument to AM_GNU_GETTEXT +])])])])]) + ifelse([$2], [], , [ifelse([$2], [need-ngettext], , [ifelse([$2], [need-formatstring-macros], , + [errprint([ERROR: invalid second argument to AM_GNU_GETTEXT +])])])]) + define([gt_included_intl], ifelse([$1], [external], [no], [yes])) + define([gt_libtool_suffix_prefix], ifelse([$1], [use-libtool], [l], [])) + + AC_REQUIRE([AM_PO_SUBDIRS])dnl + ifelse(gt_included_intl, yes, [ + AC_REQUIRE([AM_INTL_SUBDIR])dnl + ]) + + dnl Prerequisites of AC_LIB_LINKFLAGS_BODY. + AC_REQUIRE([AC_LIB_PREPARE_PREFIX]) + AC_REQUIRE([AC_LIB_RPATH]) + + dnl Sometimes libintl requires libiconv, so first search for libiconv. 
+ dnl Ideally we would do this search only after the + dnl if test "$USE_NLS" = "yes"; then + dnl if test "$gt_cv_func_gnugettext_libc" != "yes"; then + dnl tests. But if configure.in invokes AM_ICONV after AM_GNU_GETTEXT + dnl the configure script would need to contain the same shell code + dnl again, outside any 'if'. There are two solutions: + dnl - Invoke AM_ICONV_LINKFLAGS_BODY here, outside any 'if'. + dnl - Control the expansions in more detail using AC_PROVIDE_IFELSE. + dnl Since AC_PROVIDE_IFELSE is only in autoconf >= 2.52 and not + dnl documented, we avoid it. + ifelse(gt_included_intl, yes, , [ + AC_REQUIRE([AM_ICONV_LINKFLAGS_BODY]) + ]) + + dnl Sometimes, on MacOS X, libintl requires linking with CoreFoundation. + gt_INTL_MACOSX + + dnl Set USE_NLS. + AM_NLS + + ifelse(gt_included_intl, yes, [ + BUILD_INCLUDED_LIBINTL=no + USE_INCLUDED_LIBINTL=no + ]) + LIBINTL= + LTLIBINTL= + POSUB= + + dnl If we use NLS figure out what method + if test "$USE_NLS" = "yes"; then + gt_use_preinstalled_gnugettext=no + ifelse(gt_included_intl, yes, [ + AC_MSG_CHECKING([whether included gettext is requested]) + AC_ARG_WITH(included-gettext, + [ --with-included-gettext use the GNU gettext library included here], + nls_cv_force_use_gnu_gettext=$withval, + nls_cv_force_use_gnu_gettext=no) + AC_MSG_RESULT($nls_cv_force_use_gnu_gettext) + + nls_cv_use_gnu_gettext="$nls_cv_force_use_gnu_gettext" + if test "$nls_cv_force_use_gnu_gettext" != "yes"; then + ]) + dnl User does not insist on using GNU NLS library. Figure out what + dnl to use. If GNU gettext is available we use this. Else we have + dnl to fall back to GNU NLS library. + + dnl Add a version number to the cache macros. 
+ define([gt_api_version], ifelse([$2], [need-formatstring-macros], 3, ifelse([$2], [need-ngettext], 2, 1))) + define([gt_cv_func_gnugettext_libc], [gt_cv_func_gnugettext]gt_api_version[_libc]) + define([gt_cv_func_gnugettext_libintl], [gt_cv_func_gnugettext]gt_api_version[_libintl]) + + AC_CACHE_CHECK([for GNU gettext in libc], gt_cv_func_gnugettext_libc, + [AC_TRY_LINK([#include +]ifelse([$2], [need-formatstring-macros], +[#ifndef __GNU_GETTEXT_SUPPORTED_REVISION +#define __GNU_GETTEXT_SUPPORTED_REVISION(major) ((major) == 0 ? 0 : -1) +#endif +changequote(,)dnl +typedef int array [2 * (__GNU_GETTEXT_SUPPORTED_REVISION(0) >= 1) - 1]; +changequote([,])dnl +], [])[extern int _nl_msg_cat_cntr; +extern int *_nl_domain_bindings;], + [bindtextdomain ("", ""); +return * gettext ("")]ifelse([$2], [need-ngettext], [ + * ngettext ("", "", 0)], [])[ + _nl_msg_cat_cntr + *_nl_domain_bindings], + gt_cv_func_gnugettext_libc=yes, + gt_cv_func_gnugettext_libc=no)]) + + if test "$gt_cv_func_gnugettext_libc" != "yes"; then + dnl Sometimes libintl requires libiconv, so first search for libiconv. + ifelse(gt_included_intl, yes, , [ + AM_ICONV_LINK + ]) + dnl Search for libintl and define LIBINTL, LTLIBINTL and INCINTL + dnl accordingly. Don't use AC_LIB_LINKFLAGS_BODY([intl],[iconv]) + dnl because that would add "-liconv" to LIBINTL and LTLIBINTL + dnl even if libiconv doesn't exist. + AC_LIB_LINKFLAGS_BODY([intl]) + AC_CACHE_CHECK([for GNU gettext in libintl], + gt_cv_func_gnugettext_libintl, + [gt_save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS $INCINTL" + gt_save_LIBS="$LIBS" + LIBS="$LIBS $LIBINTL" + dnl Now see whether libintl exists and does not depend on libiconv. + AC_TRY_LINK([#include +]ifelse([$2], [need-formatstring-macros], +[#ifndef __GNU_GETTEXT_SUPPORTED_REVISION +#define __GNU_GETTEXT_SUPPORTED_REVISION(major) ((major) == 0 ? 
0 : -1) +#endif +changequote(,)dnl +typedef int array [2 * (__GNU_GETTEXT_SUPPORTED_REVISION(0) >= 1) - 1]; +changequote([,])dnl +], [])[extern int _nl_msg_cat_cntr; +extern +#ifdef __cplusplus +"C" +#endif +const char *_nl_expand_alias (const char *);], + [bindtextdomain ("", ""); +return * gettext ("")]ifelse([$2], [need-ngettext], [ + * ngettext ("", "", 0)], [])[ + _nl_msg_cat_cntr + *_nl_expand_alias ("")], + gt_cv_func_gnugettext_libintl=yes, + gt_cv_func_gnugettext_libintl=no) + dnl Now see whether libintl exists and depends on libiconv. + if test "$gt_cv_func_gnugettext_libintl" != yes && test -n "$LIBICONV"; then + LIBS="$LIBS $LIBICONV" + AC_TRY_LINK([#include +]ifelse([$2], [need-formatstring-macros], +[#ifndef __GNU_GETTEXT_SUPPORTED_REVISION +#define __GNU_GETTEXT_SUPPORTED_REVISION(major) ((major) == 0 ? 0 : -1) +#endif +changequote(,)dnl +typedef int array [2 * (__GNU_GETTEXT_SUPPORTED_REVISION(0) >= 1) - 1]; +changequote([,])dnl +], [])[extern int _nl_msg_cat_cntr; +extern +#ifdef __cplusplus +"C" +#endif +const char *_nl_expand_alias (const char *);], + [bindtextdomain ("", ""); +return * gettext ("")]ifelse([$2], [need-ngettext], [ + * ngettext ("", "", 0)], [])[ + _nl_msg_cat_cntr + *_nl_expand_alias ("")], + [LIBINTL="$LIBINTL $LIBICONV" + LTLIBINTL="$LTLIBINTL $LTLIBICONV" + gt_cv_func_gnugettext_libintl=yes + ]) + fi + CPPFLAGS="$gt_save_CPPFLAGS" + LIBS="$gt_save_LIBS"]) + fi + + dnl If an already present or preinstalled GNU gettext() is found, + dnl use it. But if this macro is used in GNU gettext, and GNU + dnl gettext is already preinstalled in libintl, we update this + dnl libintl. (Cf. the install rule in intl/Makefile.in.) + if test "$gt_cv_func_gnugettext_libc" = "yes" \ + || { test "$gt_cv_func_gnugettext_libintl" = "yes" \ + && test "$PACKAGE" != gettext-runtime \ + && test "$PACKAGE" != gettext-tools; }; then + gt_use_preinstalled_gnugettext=yes + else + dnl Reset the values set by searching for libintl. 
+ LIBINTL= + LTLIBINTL= + INCINTL= + fi + + ifelse(gt_included_intl, yes, [ + if test "$gt_use_preinstalled_gnugettext" != "yes"; then + dnl GNU gettext is not found in the C library. + dnl Fall back on included GNU gettext library. + nls_cv_use_gnu_gettext=yes + fi + fi + + if test "$nls_cv_use_gnu_gettext" = "yes"; then + dnl Mark actions used to generate GNU NLS library. + BUILD_INCLUDED_LIBINTL=yes + USE_INCLUDED_LIBINTL=yes + LIBINTL="ifelse([$3],[],\${top_builddir}/intl,[$3])/libintl.[]gt_libtool_suffix_prefix[]a $LIBICONV" + LTLIBINTL="ifelse([$3],[],\${top_builddir}/intl,[$3])/libintl.[]gt_libtool_suffix_prefix[]a $LTLIBICONV" + LIBS=`echo " $LIBS " | sed -e 's/ -lintl / /' -e 's/^ //' -e 's/ $//'` + fi + + CATOBJEXT= + if test "$gt_use_preinstalled_gnugettext" = "yes" \ + || test "$nls_cv_use_gnu_gettext" = "yes"; then + dnl Mark actions to use GNU gettext tools. + CATOBJEXT=.gmo + fi + ]) + + if test -n "$INTL_MACOSX_LIBS"; then + if test "$gt_use_preinstalled_gnugettext" = "yes" \ + || test "$nls_cv_use_gnu_gettext" = "yes"; then + dnl Some extra flags are needed during linking. 
+ LIBINTL="$LIBINTL $INTL_MACOSX_LIBS" + LTLIBINTL="$LTLIBINTL $INTL_MACOSX_LIBS" + fi + fi + + if test "$gt_use_preinstalled_gnugettext" = "yes" \ + || test "$nls_cv_use_gnu_gettext" = "yes"; then + AC_DEFINE(ENABLE_NLS, 1, + [Define to 1 if translation of program messages to the user's native language + is requested.]) + else + USE_NLS=no + fi + fi + + AC_MSG_CHECKING([whether to use NLS]) + AC_MSG_RESULT([$USE_NLS]) + if test "$USE_NLS" = "yes"; then + AC_MSG_CHECKING([where the gettext function comes from]) + if test "$gt_use_preinstalled_gnugettext" = "yes"; then + if test "$gt_cv_func_gnugettext_libintl" = "yes"; then + gt_source="external libintl" + else + gt_source="libc" + fi + else + gt_source="included intl directory" + fi + AC_MSG_RESULT([$gt_source]) + fi + + if test "$USE_NLS" = "yes"; then + + if test "$gt_use_preinstalled_gnugettext" = "yes"; then + if test "$gt_cv_func_gnugettext_libintl" = "yes"; then + AC_MSG_CHECKING([how to link with libintl]) + AC_MSG_RESULT([$LIBINTL]) + AC_LIB_APPENDTOVAR([CPPFLAGS], [$INCINTL]) + fi + + dnl For backward compatibility. Some packages may be using this. + AC_DEFINE(HAVE_GETTEXT, 1, + [Define if the GNU gettext() function is already present or preinstalled.]) + AC_DEFINE(HAVE_DCGETTEXT, 1, + [Define if the GNU dcgettext() function is already present or preinstalled.]) + fi + + dnl We need to process the po/ directory. + POSUB=po + fi + + ifelse(gt_included_intl, yes, [ + dnl If this is used in GNU gettext we have to set BUILD_INCLUDED_LIBINTL + dnl to 'yes' because some of the testsuite requires it. + if test "$PACKAGE" = gettext-runtime || test "$PACKAGE" = gettext-tools; then + BUILD_INCLUDED_LIBINTL=yes + fi + + dnl Make all variables we use known to autoconf. + AC_SUBST(BUILD_INCLUDED_LIBINTL) + AC_SUBST(USE_INCLUDED_LIBINTL) + AC_SUBST(CATOBJEXT) + + dnl For backward compatibility. Some configure.ins may be using this. + nls_cv_header_intl= + nls_cv_header_libgt= + + dnl For backward compatibility. 
Some Makefiles may be using this. + DATADIRNAME=share + AC_SUBST(DATADIRNAME) + + dnl For backward compatibility. Some Makefiles may be using this. + INSTOBJEXT=.mo + AC_SUBST(INSTOBJEXT) + + dnl For backward compatibility. Some Makefiles may be using this. + GENCAT=gencat + AC_SUBST(GENCAT) + + dnl For backward compatibility. Some Makefiles may be using this. + INTLOBJS= + if test "$USE_INCLUDED_LIBINTL" = yes; then + INTLOBJS="\$(GETTOBJS)" + fi + AC_SUBST(INTLOBJS) + + dnl Enable libtool support if the surrounding package wishes it. + INTL_LIBTOOL_SUFFIX_PREFIX=gt_libtool_suffix_prefix + AC_SUBST(INTL_LIBTOOL_SUFFIX_PREFIX) + ]) + + dnl For backward compatibility. Some Makefiles may be using this. + INTLLIBS="$LIBINTL" + AC_SUBST(INTLLIBS) + + dnl Make all documented variables known to autoconf. + AC_SUBST(LIBINTL) + AC_SUBST(LTLIBINTL) + AC_SUBST(POSUB) +]) + + +dnl Checks for all prerequisites of the intl subdirectory, +dnl except for INTL_LIBTOOL_SUFFIX_PREFIX (and possibly LIBTOOL), INTLOBJS, +dnl USE_INCLUDED_LIBINTL, BUILD_INCLUDED_LIBINTL. 
+AC_DEFUN([AM_INTL_SUBDIR], +[ + AC_REQUIRE([AC_PROG_INSTALL])dnl + AC_REQUIRE([AM_MKINSTALLDIRS])dnl + AC_REQUIRE([AC_PROG_CC])dnl + AC_REQUIRE([AC_CANONICAL_HOST])dnl + AC_REQUIRE([gt_GLIBC2])dnl + AC_REQUIRE([AC_PROG_RANLIB])dnl + AC_REQUIRE([AC_ISC_POSIX])dnl + AC_REQUIRE([AC_HEADER_STDC])dnl + AC_REQUIRE([AC_C_CONST])dnl + AC_REQUIRE([bh_C_SIGNED])dnl + AC_REQUIRE([AC_C_INLINE])dnl + AC_REQUIRE([AC_TYPE_OFF_T])dnl + AC_REQUIRE([AC_TYPE_SIZE_T])dnl + AC_REQUIRE([gl_AC_TYPE_LONG_LONG])dnl + AC_REQUIRE([gt_TYPE_LONGDOUBLE])dnl + AC_REQUIRE([gt_TYPE_WCHAR_T])dnl + AC_REQUIRE([gt_TYPE_WINT_T])dnl + AC_REQUIRE([gl_AC_HEADER_INTTYPES_H]) + AC_REQUIRE([gl_AC_HEADER_STDINT_H]) + AC_REQUIRE([gt_TYPE_INTMAX_T]) + AC_REQUIRE([gt_PRINTF_POSIX]) + AC_REQUIRE([AC_FUNC_ALLOCA])dnl + AC_REQUIRE([AC_FUNC_MMAP])dnl + AC_REQUIRE([gl_GLIBC21])dnl + AC_REQUIRE([gt_INTDIV0])dnl + AC_REQUIRE([gl_AC_TYPE_UINTMAX_T])dnl + AC_REQUIRE([gt_HEADER_INTTYPES_H])dnl + AC_REQUIRE([gt_INTTYPES_PRI])dnl + AC_REQUIRE([gl_XSIZE])dnl + AC_REQUIRE([gt_INTL_MACOSX])dnl + + AC_CHECK_TYPE([ptrdiff_t], , + [AC_DEFINE([ptrdiff_t], [long], + [Define as the type of the result of subtracting two pointers, if the system doesn't define it.]) + ]) + AC_CHECK_HEADERS([argz.h limits.h locale.h nl_types.h malloc.h stddef.h \ +stdlib.h string.h unistd.h sys/param.h]) + AC_CHECK_FUNCS([asprintf fwprintf getcwd getegid geteuid getgid getuid \ +mempcpy munmap putenv setenv setlocale snprintf stpcpy strcasecmp strdup \ +strtoul tsearch wcslen __argz_count __argz_stringify __argz_next \ +__fsetlocking]) + + dnl Use the _snprintf function only if it is declared (because on NetBSD it + dnl is defined as a weak alias of snprintf; we prefer to use the latter). + gt_CHECK_DECL(_snprintf, [#include ]) + gt_CHECK_DECL(_snwprintf, [#include ]) + + dnl Use the *_unlocked functions only if they are declared. 
+ dnl (because some of them were defined without being declared in Solaris + dnl 2.5.1 but were removed in Solaris 2.6, whereas we want binaries built + dnl on Solaris 2.5.1 to run on Solaris 2.6). + dnl Don't use AC_CHECK_DECLS because it isn't supported in autoconf-2.13. + gt_CHECK_DECL(feof_unlocked, [#include ]) + gt_CHECK_DECL(fgets_unlocked, [#include ]) + gt_CHECK_DECL(getc_unlocked, [#include ]) + + case $gt_cv_func_printf_posix in + *yes) HAVE_POSIX_PRINTF=1 ;; + *) HAVE_POSIX_PRINTF=0 ;; + esac + AC_SUBST([HAVE_POSIX_PRINTF]) + if test "$ac_cv_func_asprintf" = yes; then + HAVE_ASPRINTF=1 + else + HAVE_ASPRINTF=0 + fi + AC_SUBST([HAVE_ASPRINTF]) + if test "$ac_cv_func_snprintf" = yes; then + HAVE_SNPRINTF=1 + else + HAVE_SNPRINTF=0 + fi + AC_SUBST([HAVE_SNPRINTF]) + if test "$ac_cv_func_wprintf" = yes; then + HAVE_WPRINTF=1 + else + HAVE_WPRINTF=0 + fi + AC_SUBST([HAVE_WPRINTF]) + + AM_ICONV + AM_LANGINFO_CODESET + if test $ac_cv_header_locale_h = yes; then + gt_LC_MESSAGES + fi + + if test -n "$INTL_MACOSX_LIBS"; then + CPPFLAGS="$CPPFLAGS -I/System/Library/Frameworks/CoreFoundation.framework/Headers" + fi + + dnl intl/plural.c is generated from intl/plural.y. It requires bison, + dnl because plural.y uses bison specific features. It requires at least + dnl bison-1.26 because earlier versions generate a plural.c that doesn't + dnl compile. + dnl bison is only needed for the maintainer (who touches plural.y). But in + dnl order to avoid separate Makefiles or --enable-maintainer-mode, we put + dnl the rule in general Makefile. Now, some people carelessly touch the + dnl files or have a broken "make" program, hence the plural.c rule will + dnl sometimes fire. To avoid an error, defines BISON to ":" if it is not + dnl present or too old. + AC_CHECK_PROGS([INTLBISON], [bison]) + if test -z "$INTLBISON"; then + ac_verc_fail=yes + else + dnl Found it, now check the version. 
+ AC_MSG_CHECKING([version of bison]) +changequote(<<,>>)dnl + ac_prog_version=`$INTLBISON --version 2>&1 | sed -n 's/^.*GNU Bison.* \([0-9]*\.[0-9.]*\).*$/\1/p'` + case $ac_prog_version in + '') ac_prog_version="v. ?.??, bad"; ac_verc_fail=yes;; + 1.2[6-9]* | 1.[3-9][0-9]* | [2-9].*) +changequote([,])dnl + ac_prog_version="$ac_prog_version, ok"; ac_verc_fail=no;; + *) ac_prog_version="$ac_prog_version, bad"; ac_verc_fail=yes;; + esac + AC_MSG_RESULT([$ac_prog_version]) + fi + if test $ac_verc_fail = yes; then + INTLBISON=: + fi +]) + + +dnl Checks for special options needed on MacOS X. +dnl Defines INTL_MACOSX_LIBS. +AC_DEFUN([gt_INTL_MACOSX], +[ + dnl Check for API introduced in MacOS X 10.2. + AC_CACHE_CHECK([for CFPreferencesCopyAppValue], + gt_cv_func_CFPreferencesCopyAppValue, + [gt_save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I/System/Library/Frameworks/CoreFoundation.framework/Headers" + gt_save_LIBS="$LIBS" + LIBS="$LIBS -framework CoreFoundation" + AC_TRY_LINK([#include ], + [CFPreferencesCopyAppValue(NULL, NULL)], + [gt_cv_func_CFPreferencesCopyAppValue=yes], + [gt_cv_func_CFPreferencesCopyAppValue=no]) + CPPFLAGS="$gt_save_CPPFLAGS" + LIBS="$gt_save_LIBS"]) + if test $gt_cv_func_CFPreferencesCopyAppValue = yes; then + AC_DEFINE([HAVE_CFPREFERENCESCOPYAPPVALUE], 1, + [Define to 1 if you have the MacOS X function CFPreferencesCopyAppValue in the CoreFoundation framework.]) + fi + dnl Check for API introduced in MacOS X 10.3. 
+ AC_CACHE_CHECK([for CFLocaleCopyCurrent], gt_cv_func_CFLocaleCopyCurrent, + [gt_save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS -I/System/Library/Frameworks/CoreFoundation.framework/Headers" + gt_save_LIBS="$LIBS" + LIBS="$LIBS -framework CoreFoundation" + AC_TRY_LINK([#include ], [CFLocaleCopyCurrent();], + [gt_cv_func_CFLocaleCopyCurrent=yes], + [gt_cv_func_CFLocaleCopyCurrent=no]) + CPPFLAGS="$gt_save_CPPFLAGS" + LIBS="$gt_save_LIBS"]) + if test $gt_cv_func_CFLocaleCopyCurrent = yes; then + AC_DEFINE([HAVE_CFLOCALECOPYCURRENT], 1, + [Define to 1 if you have the MacOS X function CFLocaleCopyCurrent in the CoreFoundation framework.]) + fi + INTL_MACOSX_LIBS= + if test $gt_cv_func_CFPreferencesCopyAppValue = yes || test $gt_cv_func_CFLocaleCopyCurrent = yes; then + INTL_MACOSX_LIBS="-Wl,-framework -Wl,CoreFoundation" + fi + AC_SUBST([INTL_MACOSX_LIBS]) +]) + + +dnl gt_CHECK_DECL(FUNC, INCLUDES) +dnl Check whether a function is declared. +AC_DEFUN([gt_CHECK_DECL], +[ + AC_CACHE_CHECK([whether $1 is declared], ac_cv_have_decl_$1, + [AC_TRY_COMPILE([$2], [ +#ifndef $1 + char *p = (char *) $1; +#endif +], ac_cv_have_decl_$1=yes, ac_cv_have_decl_$1=no)]) + if test $ac_cv_have_decl_$1 = yes; then + gt_value=1 + else + gt_value=0 + fi + AC_DEFINE_UNQUOTED([HAVE_DECL_]translit($1, [a-z], [A-Z]), [$gt_value], + [Define to 1 if you have the declaration of `$1', and to 0 if you don't.]) +]) + + +dnl Usage: AM_GNU_GETTEXT_VERSION([gettext-version]) +AC_DEFUN([AM_GNU_GETTEXT_VERSION], []) diff --git a/m4/glibc2.m4 b/m4/glibc2.m4 new file mode 100644 index 0000000..e8f5bfe --- /dev/null +++ b/m4/glibc2.m4 
@@ -0,0 +1,30 @@
+# glibc2.m4 serial 1
+dnl Copyright (C) 2000-2002, 2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+# Test for the GNU C Library, version 2.0 or newer.
+# From Bruno Haible.
+
+AC_DEFUN([gt_GLIBC2],
+ [
+ AC_CACHE_CHECK(whether we are using the GNU C Library 2 or newer,
+ ac_cv_gnu_library_2,
+ [AC_EGREP_CPP([Lucky GNU user],
+ [
+#include
+#ifdef __GNU_LIBRARY__
+ #if (__GLIBC__ >= 2)
+ Lucky GNU user
+ #endif
+#endif
+ ],
+ ac_cv_gnu_library_2=yes,
+ ac_cv_gnu_library_2=no)
+ ]
+ )
+ AC_SUBST(GLIBC2)
+ GLIBC2="$ac_cv_gnu_library_2"
+ ]
+)
diff --git a/m4/glibc21.m4 b/m4/glibc21.m4
new file mode 100644
index 0000000..d95fd98
--- /dev/null
+++ b/m4/glibc21.m4
@@ -0,0 +1,30 @@
+# glibc21.m4 serial 3
+dnl Copyright (C) 2000-2002, 2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+# Test for the GNU C Library, version 2.1 or newer.
+# From Bruno Haible.
+
+AC_DEFUN([gl_GLIBC21],
+ [
+ AC_CACHE_CHECK(whether we are using the GNU C Library 2.1 or newer,
+ ac_cv_gnu_library_2_1,
+ [AC_EGREP_CPP([Lucky GNU user],
+ [
+#include
+#ifdef __GNU_LIBRARY__
+ #if (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 1) || (__GLIBC__ > 2)
+ Lucky GNU user
+ #endif
+#endif
+ ],
+ ac_cv_gnu_library_2_1=yes,
+ ac_cv_gnu_library_2_1=no)
+ ]
+ )
+ AC_SUBST(GLIBC21)
+ GLIBC21="$ac_cv_gnu_library_2_1"
+ ]
+)
diff --git a/m4/iconv.m4 b/m4/iconv.m4
new file mode 100644
index 0000000..654c415
--- /dev/null
+++ b/m4/iconv.m4
@@ -0,0 +1,101 @@
+# iconv.m4 serial AM4 (gettext-0.11.3)
+dnl Copyright (C) 2000-2002 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+AC_DEFUN([AM_ICONV_LINKFLAGS_BODY],
+[
+ dnl Prerequisites of AC_LIB_LINKFLAGS_BODY.
+ AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+ AC_REQUIRE([AC_LIB_RPATH])
+
+ dnl Search for libiconv and define LIBICONV, LTLIBICONV and INCICONV
+ dnl accordingly.
+ AC_LIB_LINKFLAGS_BODY([iconv])
+])
+
+AC_DEFUN([AM_ICONV_LINK],
+[
+ dnl Some systems have iconv in libc, some have it in libiconv (OSF/1 and
+ dnl those with the standalone portable GNU libiconv installed).
+
+ dnl Search for libiconv and define LIBICONV, LTLIBICONV and INCICONV
+ dnl accordingly.
+ AC_REQUIRE([AM_ICONV_LINKFLAGS_BODY])
+
+ dnl Add $INCICONV to CPPFLAGS before performing the following checks,
+ dnl because if the user has installed libiconv and not disabled its use
+ dnl via --without-libiconv-prefix, he wants to use it. The first
+ dnl AC_TRY_LINK will then fail, the second AC_TRY_LINK will succeed.
+ am_save_CPPFLAGS="$CPPFLAGS"
+ AC_LIB_APPENDTOVAR([CPPFLAGS], [$INCICONV])
+
+ AC_CACHE_CHECK(for iconv, am_cv_func_iconv, [
+ am_cv_func_iconv="no, consider installing GNU libiconv"
+ am_cv_lib_iconv=no
+ AC_TRY_LINK([#include
+#include ],
+ [iconv_t cd = iconv_open("","");
+ iconv(cd,NULL,NULL,NULL,NULL);
+ iconv_close(cd);],
+ am_cv_func_iconv=yes)
+ if test "$am_cv_func_iconv" != yes; then
+ am_save_LIBS="$LIBS"
+ LIBS="$LIBS $LIBICONV"
+ AC_TRY_LINK([#include
+#include ],
+ [iconv_t cd = iconv_open("","");
+ iconv(cd,NULL,NULL,NULL,NULL);
+ iconv_close(cd);],
+ am_cv_lib_iconv=yes
+ am_cv_func_iconv=yes)
+ LIBS="$am_save_LIBS"
+ fi
+ ])
+ if test "$am_cv_func_iconv" = yes; then
+ AC_DEFINE(HAVE_ICONV, 1, [Define if you have the iconv() function.])
+ fi
+ if test "$am_cv_lib_iconv" = yes; then
+ AC_MSG_CHECKING([how to link with libiconv])
+ AC_MSG_RESULT([$LIBICONV])
+ else
+ dnl If $LIBICONV didn't lead to a usable library, we don't need $INCICONV
+ dnl either.
+ CPPFLAGS="$am_save_CPPFLAGS"
+ LIBICONV=
+ LTLIBICONV=
+ fi
+ AC_SUBST(LIBICONV)
+ AC_SUBST(LTLIBICONV)
+])
+
+AC_DEFUN([AM_ICONV],
+[
+ AM_ICONV_LINK
+ if test "$am_cv_func_iconv" = yes; then
+ AC_MSG_CHECKING([for iconv declaration])
+ AC_CACHE_VAL(am_cv_proto_iconv, [
+ AC_TRY_COMPILE([
+#include
+#include
+extern
+#ifdef __cplusplus
+"C"
+#endif
+#if defined(__STDC__) || defined(__cplusplus)
+size_t iconv (iconv_t cd, char * *inbuf, size_t *inbytesleft, char * *outbuf, size_t *outbytesleft);
+#else
+size_t iconv();
+#endif
+], [], am_cv_proto_iconv_arg1="", am_cv_proto_iconv_arg1="const")
+ am_cv_proto_iconv="extern size_t iconv (iconv_t cd, $am_cv_proto_iconv_arg1 char * *inbuf, size_t *inbytesleft, char * *outbuf, size_t *outbytesleft);"])
+ am_cv_proto_iconv=`echo "[$]am_cv_proto_iconv" | tr -s ' ' | sed -e 's/( /(/'`
+ AC_MSG_RESULT([$]{ac_t:-
+ }[$]am_cv_proto_iconv)
+ AC_DEFINE_UNQUOTED(ICONV_CONST, $am_cv_proto_iconv_arg1,
+ [Define as const if the declaration of iconv() needs const.])
+ fi
+])
diff --git a/m4/intdiv0.m4 b/m4/intdiv0.m4
new file mode 100644
index 0000000..b8d7817
--- /dev/null
+++ b/m4/intdiv0.m4
@@ -0,0 +1,70 @@
+# intdiv0.m4 serial 1 (gettext-0.11.3)
+dnl Copyright (C) 2002 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+AC_DEFUN([gt_INTDIV0],
+[
+ AC_REQUIRE([AC_PROG_CC])dnl
+ AC_REQUIRE([AC_CANONICAL_HOST])dnl
+
+ AC_CACHE_CHECK([whether integer division by zero raises SIGFPE],
+ gt_cv_int_divbyzero_sigfpe,
+ [
+ AC_TRY_RUN([
+#include
+#include
+
+static void
+#ifdef __cplusplus
+sigfpe_handler (int sig)
+#else
+sigfpe_handler (sig) int sig;
+#endif
+{
+ /* Exit with code 0 if SIGFPE, with code 1 if any other signal. */
+ exit (sig != SIGFPE);
+}
+
+int x = 1;
+int y = 0;
+int z;
+int nan;
+
+int main ()
+{
+ signal (SIGFPE, sigfpe_handler);
+/* IRIX and AIX (when "xlc -qcheck" is used) yield signal SIGTRAP. */
+#if (defined (__sgi) || defined (_AIX)) && defined (SIGTRAP)
+ signal (SIGTRAP, sigfpe_handler);
+#endif
+/* Linux/SPARC yields signal SIGILL. */
+#if defined (__sparc__) && defined (__linux__)
+ signal (SIGILL, sigfpe_handler);
+#endif
+
+ z = x / y;
+ nan = y / y;
+ exit (1);
+}
+], gt_cv_int_divbyzero_sigfpe=yes, gt_cv_int_divbyzero_sigfpe=no,
+ [
+ # Guess based on the CPU.
+ case "$host_cpu" in
+ alpha* | i[34567]86 | m68k | s390*)
+ gt_cv_int_divbyzero_sigfpe="guessing yes";;
+ *)
+ gt_cv_int_divbyzero_sigfpe="guessing no";;
+ esac
+ ])
+ ])
+ case "$gt_cv_int_divbyzero_sigfpe" in
+ *yes) value=1;;
+ *) value=0;;
+ esac
+ AC_DEFINE_UNQUOTED(INTDIV0_RAISES_SIGFPE, $value,
+ [Define if integer division by zero raises signal SIGFPE.])
+])
diff --git a/m4/intmax.m4 b/m4/intmax.m4
new file mode 100644
index 0000000..d99c999
--- /dev/null
+++ b/m4/intmax.m4
@@ -0,0 +1,30 @@
+# intmax.m4 serial 2 (gettext-0.14.2)
+dnl Copyright (C) 2002-2005 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+dnl Test whether the system has the 'intmax_t' type, but don't attempt to
+dnl find a replacement if it is lacking.
+
+AC_DEFUN([gt_TYPE_INTMAX_T],
+[
+ AC_REQUIRE([gl_AC_HEADER_INTTYPES_H])
+ AC_REQUIRE([gl_AC_HEADER_STDINT_H])
+ AC_CACHE_CHECK(for intmax_t, gt_cv_c_intmax_t,
+ [AC_TRY_COMPILE([
+#include
+#include
+#if HAVE_STDINT_H_WITH_UINTMAX
+#include
+#endif
+#if HAVE_INTTYPES_H_WITH_UINTMAX
+#include
+#endif
+], [intmax_t x = -1;], gt_cv_c_intmax_t=yes, gt_cv_c_intmax_t=no)])
+ if test $gt_cv_c_intmax_t = yes; then
+ AC_DEFINE(HAVE_INTMAX_T, 1,
+ [Define if you have the 'intmax_t' type in or .])
+ fi
+])
diff --git a/m4/inttypes-pri.m4 b/m4/inttypes-pri.m4
new file mode 100644
index 0000000..4d56a9a
--- /dev/null
+++ b/m4/inttypes-pri.m4
@@ -0,0 +1,30 @@
+# inttypes-pri.m4 serial 1 (gettext-0.11.4)
+dnl Copyright (C) 1997-2002 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+# Define PRI_MACROS_BROKEN if exists and defines the PRI*
+# macros to non-string values. This is the case on AIX 4.3.3.
+
+AC_DEFUN([gt_INTTYPES_PRI],
+[
+ AC_REQUIRE([gt_HEADER_INTTYPES_H])
+ if test $gt_cv_header_inttypes_h = yes; then
+ AC_CACHE_CHECK([whether the inttypes.h PRIxNN macros are broken],
+ gt_cv_inttypes_pri_broken,
+ [
+ AC_TRY_COMPILE([#include
+#ifdef PRId32
+char *p = PRId32;
+#endif
+], [], gt_cv_inttypes_pri_broken=no, gt_cv_inttypes_pri_broken=yes)
+ ])
+ fi
+ if test "$gt_cv_inttypes_pri_broken" = yes; then
+ AC_DEFINE_UNQUOTED(PRI_MACROS_BROKEN, 1,
+ [Define if exists and defines unusable PRI* macros.])
+ fi
+])
diff --git a/m4/inttypes.m4 b/m4/inttypes.m4
new file mode 100644
index 0000000..779bcea
--- /dev/null
+++ b/m4/inttypes.m4
@@ -0,0 +1,25 @@
+# inttypes.m4 serial 1 (gettext-0.11.4)
+dnl Copyright (C) 1997-2002 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Paul Eggert.
+
+# Define HAVE_INTTYPES_H if exists and doesn't clash with
+# .
+
+AC_DEFUN([gt_HEADER_INTTYPES_H],
+[
+ AC_CACHE_CHECK([for inttypes.h], gt_cv_header_inttypes_h,
+ [
+ AC_TRY_COMPILE(
+ [#include
+#include ],
+ [], gt_cv_header_inttypes_h=yes, gt_cv_header_inttypes_h=no)
+ ])
+ if test $gt_cv_header_inttypes_h = yes; then
+ AC_DEFINE_UNQUOTED(HAVE_INTTYPES_H, 1,
+ [Define if exists and doesn't clash with .])
+ fi
+])
diff --git a/m4/inttypes_h.m4 b/m4/inttypes_h.m4
new file mode 100644
index 0000000..a5d075d
--- /dev/null
+++ b/m4/inttypes_h.m4
@@ -0,0 +1,26 @@
+# inttypes_h.m4 serial 6
+dnl Copyright (C) 1997-2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Paul Eggert.
+
+# Define HAVE_INTTYPES_H_WITH_UINTMAX if exists,
+# doesn't clash with , and declares uintmax_t.
+
+AC_DEFUN([gl_AC_HEADER_INTTYPES_H],
+[
+ AC_CACHE_CHECK([for inttypes.h], gl_cv_header_inttypes_h,
+ [AC_TRY_COMPILE(
+ [#include
+#include ],
+ [uintmax_t i = (uintmax_t) -1;],
+ gl_cv_header_inttypes_h=yes,
+ gl_cv_header_inttypes_h=no)])
+ if test $gl_cv_header_inttypes_h = yes; then
+ AC_DEFINE_UNQUOTED(HAVE_INTTYPES_H_WITH_UINTMAX, 1,
+ [Define if exists, doesn't clash with ,
+ and declares uintmax_t. ])
+ fi
+])
diff --git a/m4/isc-posix.m4 b/m4/isc-posix.m4
new file mode 100644
index 0000000..74dc8f2
--- /dev/null
+++ b/m4/isc-posix.m4
@@ -0,0 +1,24 @@
+# isc-posix.m4 serial 2 (gettext-0.11.2)
+dnl Copyright (C) 1995-2002 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+# This file is not needed with autoconf-2.53 and newer. Remove it in 2005.
+
+# This test replaces the one in autoconf.
+# Currently this macro should have the same name as the autoconf macro
+# because gettext's gettext.m4 (distributed in the automake package)
+# still uses it. Otherwise, the use in gettext.m4 makes autoheader
+# give these diagnostics:
+# configure.in:556: AC_TRY_COMPILE was called before AC_ISC_POSIX
+# configure.in:556: AC_TRY_RUN was called before AC_ISC_POSIX
+
+undefine([AC_ISC_POSIX])
+
+AC_DEFUN([AC_ISC_POSIX],
+ [
+ dnl This test replaces the obsolescent AC_ISC_POSIX kludge.
+ AC_CHECK_LIB(cposix, strerror, [LIBS="$LIBS -lcposix"])
+ ]
+)
diff --git a/m4/lcmessage.m4 b/m4/lcmessage.m4
new file mode 100644
index 0000000..19aa77e
--- /dev/null
+++ b/m4/lcmessage.m4
@@ -0,0 +1,30 @@
+# lcmessage.m4 serial 4 (gettext-0.14.2)
+dnl Copyright (C) 1995-2002, 2004-2005 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+dnl
+dnl This file can can be used in projects which are not available under
+dnl the GNU General Public License or the GNU Library General Public
+dnl License but which still want to provide support for the GNU gettext
+dnl functionality.
+dnl Please note that the actual code of the GNU gettext library is covered
+dnl by the GNU Library General Public License, and the rest of the GNU
+dnl gettext package package is covered by the GNU General Public License.
+dnl They are *not* in the public domain.
+
+dnl Authors:
+dnl Ulrich Drepper , 1995.
+
+# Check whether LC_MESSAGES is available in .
+
+AC_DEFUN([gt_LC_MESSAGES],
+[
+ AC_CACHE_CHECK([for LC_MESSAGES], gt_cv_val_LC_MESSAGES,
+ [AC_TRY_LINK([#include ], [return LC_MESSAGES],
+ gt_cv_val_LC_MESSAGES=yes, gt_cv_val_LC_MESSAGES=no)])
+ if test $gt_cv_val_LC_MESSAGES = yes; then
+ AC_DEFINE(HAVE_LC_MESSAGES, 1,
+ [Define if your file defines LC_MESSAGES.])
+ fi
+])
diff --git a/m4/lib-ld.m4 b/m4/lib-ld.m4
new file mode 100644
index 0000000..96c4e2c
--- /dev/null
+++ b/m4/lib-ld.m4
@@ -0,0 +1,110 @@ +# lib-ld.m4 serial 3 (gettext-0.13) +dnl Copyright (C) 1996-2003 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl Subroutines of libtool.m4, +dnl with replacements s/AC_/AC_LIB/ and s/lt_cv/acl_cv/ to avoid collision +dnl with libtool.m4. + +dnl From libtool-1.4. Sets the variable with_gnu_ld to yes or no. +AC_DEFUN([AC_LIB_PROG_LD_GNU], +[AC_CACHE_CHECK([if the linker ($LD) is GNU ld], acl_cv_prog_gnu_ld, +[# I'd rather use --version here, but apparently some GNU ld's only accept -v. +case `$LD -v 2>&1 conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi +ac_prog=ld +if test "$GCC" = yes; then + # Check if gcc -print-prog-name=ld gives a path. + AC_MSG_CHECKING([for ld used by GCC]) + case $host in + *-*-mingw*) + # gcc leaves a trailing carriage return which upsets mingw + ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; + *) + ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; + esac + case $ac_prog in + # Accept absolute paths. + [[\\/]* | [A-Za-z]:[\\/]*)] + [re_direlt='/[^/][^/]*/\.\./'] + # Canonicalize the path of ld + ac_prog=`echo $ac_prog| sed 's%\\\\%/%g'` + while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do + ac_prog=`echo $ac_prog| sed "s%$re_direlt%/%"` + done + test -z "$LD" && LD="$ac_prog" + ;; + "") + # If it fails, then pretend we aren't using GCC. + ac_prog=ld + ;; + *) + # If it is relative, then search for the first ld in PATH. 
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ AC_MSG_CHECKING([for GNU ld])
+else
+ AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(acl_cv_path_LD,
+[if test -z "$LD"; then
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}${PATH_SEPARATOR-:}"
+ for ac_dir in $PATH; do
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ acl_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some GNU ld's only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$acl_cv_path_LD" -v 2>&1 < /dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break ;;
+ *)
+ test "$with_gnu_ld" != yes && break ;;
+ esac
+ fi
+ done
+ IFS="$ac_save_ifs"
+else
+ acl_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$acl_cv_path_LD"
+if test -n "$LD"; then
+ AC_MSG_RESULT($LD)
+else
+ AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_LIB_PROG_LD_GNU
+])
diff --git a/m4/lib-link.m4 b/m4/lib-link.m4
new file mode 100644
index 0000000..ea0b0c4
--- /dev/null
+++ b/m4/lib-link.m4
@@ -0,0 +1,553 @@
+# lib-link.m4 serial 6 (gettext-0.14.3)
+dnl Copyright (C) 2001-2005 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+AC_PREREQ(2.50)
+
+dnl AC_LIB_LINKFLAGS(name [, dependencies]) searches for libname and
+dnl the libraries corresponding to explicit and implicit dependencies.
+dnl Sets and AC_SUBSTs the LIB${NAME} and LTLIB${NAME} variables and
+dnl augments the CPPFLAGS variable.
+AC_DEFUN([AC_LIB_LINKFLAGS],
+[
+ AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+ AC_REQUIRE([AC_LIB_RPATH])
+ define([Name],[translit([$1],[./-], [___])])
+ define([NAME],[translit([$1],[abcdefghijklmnopqrstuvwxyz./-],
+ [ABCDEFGHIJKLMNOPQRSTUVWXYZ___])])
+ AC_CACHE_CHECK([how to link with lib[]$1], [ac_cv_lib[]Name[]_libs], [
+ AC_LIB_LINKFLAGS_BODY([$1], [$2])
+ ac_cv_lib[]Name[]_libs="$LIB[]NAME"
+ ac_cv_lib[]Name[]_ltlibs="$LTLIB[]NAME"
+ ac_cv_lib[]Name[]_cppflags="$INC[]NAME"
+ ])
+ LIB[]NAME="$ac_cv_lib[]Name[]_libs"
+ LTLIB[]NAME="$ac_cv_lib[]Name[]_ltlibs"
+ INC[]NAME="$ac_cv_lib[]Name[]_cppflags"
+ AC_LIB_APPENDTOVAR([CPPFLAGS], [$INC]NAME)
+ AC_SUBST([LIB]NAME)
+ AC_SUBST([LTLIB]NAME)
+ dnl Also set HAVE_LIB[]NAME so that AC_LIB_HAVE_LINKFLAGS can reuse the
+ dnl results of this search when this library appears as a dependency.
+ HAVE_LIB[]NAME=yes
+ undefine([Name])
+ undefine([NAME])
+])
+
+dnl AC_LIB_HAVE_LINKFLAGS(name, dependencies, includes, testcode)
+dnl searches for libname and the libraries corresponding to explicit and
+dnl implicit dependencies, together with the specified include files and
+dnl the ability to compile and link the specified testcode. If found, it
+dnl sets and AC_SUBSTs HAVE_LIB${NAME}=yes and the LIB${NAME} and
+dnl LTLIB${NAME} variables and augments the CPPFLAGS variable, and
+dnl #defines HAVE_LIB${NAME} to 1. Otherwise, it sets and AC_SUBSTs
+dnl HAVE_LIB${NAME}=no and LIB${NAME} and LTLIB${NAME} to empty.
+AC_DEFUN([AC_LIB_HAVE_LINKFLAGS],
+[
+ AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+ AC_REQUIRE([AC_LIB_RPATH])
+ define([Name],[translit([$1],[./-], [___])])
+ define([NAME],[translit([$1],[abcdefghijklmnopqrstuvwxyz./-],
+ [ABCDEFGHIJKLMNOPQRSTUVWXYZ___])])
+
+ dnl Search for lib[]Name and define LIB[]NAME, LTLIB[]NAME and INC[]NAME
+ dnl accordingly.
+ AC_LIB_LINKFLAGS_BODY([$1], [$2])
+
+ dnl Add $INC[]NAME to CPPFLAGS before performing the following checks,
+ dnl because if the user has installed lib[]Name and not disabled its use
+ dnl via --without-lib[]Name-prefix, he wants to use it.
+ ac_save_CPPFLAGS="$CPPFLAGS"
+ AC_LIB_APPENDTOVAR([CPPFLAGS], [$INC]NAME)
+
+ AC_CACHE_CHECK([for lib[]$1], [ac_cv_lib[]Name], [
+ ac_save_LIBS="$LIBS"
+ LIBS="$LIBS $LIB[]NAME"
+ AC_TRY_LINK([$3], [$4], [ac_cv_lib[]Name=yes], [ac_cv_lib[]Name=no])
+ LIBS="$ac_save_LIBS"
+ ])
+ if test "$ac_cv_lib[]Name" = yes; then
+ HAVE_LIB[]NAME=yes
+ AC_DEFINE([HAVE_LIB]NAME, 1, [Define if you have the $1 library.])
+ AC_MSG_CHECKING([how to link with lib[]$1])
+ AC_MSG_RESULT([$LIB[]NAME])
+ else
+ HAVE_LIB[]NAME=no
+ dnl If $LIB[]NAME didn't lead to a usable library, we don't need
+ dnl $INC[]NAME either.
+ CPPFLAGS="$ac_save_CPPFLAGS"
+ LIB[]NAME=
+ LTLIB[]NAME=
+ fi
+ AC_SUBST([HAVE_LIB]NAME)
+ AC_SUBST([LIB]NAME)
+ AC_SUBST([LTLIB]NAME)
+ undefine([Name])
+ undefine([NAME])
+])
+
+dnl Determine the platform dependent parameters needed to use rpath:
+dnl libext, shlibext, hardcode_libdir_flag_spec, hardcode_libdir_separator,
+dnl hardcode_direct, hardcode_minus_L.
+AC_DEFUN([AC_LIB_RPATH],
+[
+ dnl Tell automake >= 1.10 to complain if config.rpath is missing.
+ m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([config.rpath])])
+ AC_REQUIRE([AC_PROG_CC]) dnl we use $CC, $GCC, $LDFLAGS
+ AC_REQUIRE([AC_LIB_PROG_LD]) dnl we use $LD, $with_gnu_ld
+ AC_REQUIRE([AC_CANONICAL_HOST]) dnl we use $host
+ AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT]) dnl we use $ac_aux_dir
+ AC_CACHE_CHECK([for shared library run path origin], acl_cv_rpath, [
+ CC="$CC" GCC="$GCC" LDFLAGS="$LDFLAGS" LD="$LD" with_gnu_ld="$with_gnu_ld" \
+ ${CONFIG_SHELL-/bin/sh} "$ac_aux_dir/config.rpath" "$host" > conftest.sh
+ . ./conftest.sh
+ rm -f ./conftest.sh
+ acl_cv_rpath=done
+ ])
+ wl="$acl_cv_wl"
+ libext="$acl_cv_libext"
+ shlibext="$acl_cv_shlibext"
+ hardcode_libdir_flag_spec="$acl_cv_hardcode_libdir_flag_spec"
+ hardcode_libdir_separator="$acl_cv_hardcode_libdir_separator"
+ hardcode_direct="$acl_cv_hardcode_direct"
+ hardcode_minus_L="$acl_cv_hardcode_minus_L"
+ dnl Determine whether the user wants rpath handling at all.
+ AC_ARG_ENABLE(rpath,
+ [ --disable-rpath do not hardcode runtime library paths],
+ :, enable_rpath=yes)
+])
+
+dnl AC_LIB_LINKFLAGS_BODY(name [, dependencies]) searches for libname and
+dnl the libraries corresponding to explicit and implicit dependencies.
+dnl Sets the LIB${NAME}, LTLIB${NAME} and INC${NAME} variables.
+AC_DEFUN([AC_LIB_LINKFLAGS_BODY],
+[
+ define([NAME],[translit([$1],[abcdefghijklmnopqrstuvwxyz./-],
+ [ABCDEFGHIJKLMNOPQRSTUVWXYZ___])])
+ dnl By default, look in $includedir and $libdir.
+ use_additional=yes
+ AC_LIB_WITH_FINAL_PREFIX([
+ eval additional_includedir=\"$includedir\"
+ eval additional_libdir=\"$libdir\"
+ ])
+ AC_LIB_ARG_WITH([lib$1-prefix],
+[ --with-lib$1-prefix[=DIR] search for lib$1 in DIR/include and DIR/lib
+ --without-lib$1-prefix don't search for lib$1 in includedir and libdir],
+[
+ if test "X$withval" = "Xno"; then
+ use_additional=no
+ else
+ if test "X$withval" = "X"; then
+ AC_LIB_WITH_FINAL_PREFIX([
+ eval additional_includedir=\"$includedir\"
+ eval additional_libdir=\"$libdir\"
+ ])
+ else
+ additional_includedir="$withval/include"
+ additional_libdir="$withval/lib"
+ fi
+ fi
+])
+ dnl Search the library and its dependencies in $additional_libdir and
+ dnl $LDFLAGS. Using breadth-first-seach.
+ LIB[]NAME=
+ LTLIB[]NAME=
+ INC[]NAME=
+ rpathdirs=
+ ltrpathdirs=
+ names_already_handled=
+ names_next_round='$1 $2'
+ while test -n "$names_next_round"; do
+ names_this_round="$names_next_round"
+ names_next_round=
+ for name in $names_this_round; do
+ already_handled=
+ for n in $names_already_handled; do
+ if test "$n" = "$name"; then
+ already_handled=yes
+ break
+ fi
+ done
+ if test -z "$already_handled"; then
+ names_already_handled="$names_already_handled $name"
+ dnl See if it was already located by an earlier AC_LIB_LINKFLAGS
+ dnl or AC_LIB_HAVE_LINKFLAGS call.
+ uppername=`echo "$name" | sed -e 'y|abcdefghijklmnopqrstuvwxyz./-|ABCDEFGHIJKLMNOPQRSTUVWXYZ___|'`
+ eval value=\"\$HAVE_LIB$uppername\"
+ if test -n "$value"; then
+ if test "$value" = yes; then
+ eval value=\"\$LIB$uppername\"
+ test -z "$value" || LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$value"
+ eval value=\"\$LTLIB$uppername\"
+ test -z "$value" || LTLIB[]NAME="${LTLIB[]NAME}${LTLIB[]NAME:+ }$value"
+ else
+ dnl An earlier call to AC_LIB_HAVE_LINKFLAGS has determined
+ dnl that this library doesn't exist. So just drop it.
+ :
+ fi
+ else
+ dnl Search the library lib$name in $additional_libdir and $LDFLAGS
+ dnl and the already constructed $LIBNAME/$LTLIBNAME.
+ found_dir=
+ found_la=
+ found_so=
+ found_a=
+ if test $use_additional = yes; then
+ if test -n "$shlibext" && test -f "$additional_libdir/lib$name.$shlibext"; then
+ found_dir="$additional_libdir"
+ found_so="$additional_libdir/lib$name.$shlibext"
+ if test -f "$additional_libdir/lib$name.la"; then
+ found_la="$additional_libdir/lib$name.la"
+ fi
+ else
+ if test -f "$additional_libdir/lib$name.$libext"; then
+ found_dir="$additional_libdir"
+ found_a="$additional_libdir/lib$name.$libext"
+ if test -f "$additional_libdir/lib$name.la"; then
+ found_la="$additional_libdir/lib$name.la"
+ fi
+ fi
+ fi
+ fi
+ if test "X$found_dir" = "X"; then
+ for x in $LDFLAGS $LTLIB[]NAME; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ case "$x" in
+ -L*)
+ dir=`echo "X$x" | sed -e 's/^X-L//'`
+ if test -n "$shlibext" && test -f "$dir/lib$name.$shlibext"; then
+ found_dir="$dir"
+ found_so="$dir/lib$name.$shlibext"
+ if test -f "$dir/lib$name.la"; then
+ found_la="$dir/lib$name.la"
+ fi
+ else
+ if test -f "$dir/lib$name.$libext"; then
+ found_dir="$dir"
+ found_a="$dir/lib$name.$libext"
+ if test -f "$dir/lib$name.la"; then
+ found_la="$dir/lib$name.la"
+ fi
+ fi
+ fi
+ ;;
+ esac
+ if test "X$found_dir" != "X"; then
+ break
+ fi
+ done
+ fi
+ if test "X$found_dir" != "X"; then
+ dnl Found the library.
+ LTLIB[]NAME="${LTLIB[]NAME}${LTLIB[]NAME:+ }-L$found_dir -l$name"
+ if test "X$found_so" != "X"; then
+ dnl Linking with a shared library. We attempt to hardcode its
+ dnl directory into the executable's runpath, unless it's the
+ dnl standard /usr/lib.
+ if test "$enable_rpath" = no || test "X$found_dir" = "X/usr/lib"; then
+ dnl No hardcoding is needed.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$found_so"
+ else
+ dnl Use an explicit option to hardcode DIR into the resulting
+ dnl binary.
+ dnl Potentially add DIR to ltrpathdirs.
+ dnl The ltrpathdirs will be appended to $LTLIBNAME at the end.
+ haveit=
+ for x in $ltrpathdirs; do
+ if test "X$x" = "X$found_dir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ ltrpathdirs="$ltrpathdirs $found_dir"
+ fi
+ dnl The hardcoding into $LIBNAME is system dependent.
+ if test "$hardcode_direct" = yes; then
+ dnl Using DIR/libNAME.so during linking hardcodes DIR into the
+ dnl resulting binary.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$found_so"
+ else
+ if test -n "$hardcode_libdir_flag_spec" && test "$hardcode_minus_L" = no; then
+ dnl Use an explicit option to hardcode DIR into the resulting
+ dnl binary.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$found_so"
+ dnl Potentially add DIR to rpathdirs.
+ dnl The rpathdirs will be appended to $LIBNAME at the end.
+ haveit=
+ for x in $rpathdirs; do
+ if test "X$x" = "X$found_dir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ rpathdirs="$rpathdirs $found_dir"
+ fi
+ else
+ dnl Rely on "-L$found_dir".
+ dnl But don't add it if it's already contained in the LDFLAGS
+ dnl or the already constructed $LIBNAME
+ haveit=
+ for x in $LDFLAGS $LIB[]NAME; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X-L$found_dir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }-L$found_dir"
+ fi
+ if test "$hardcode_minus_L" != no; then
+ dnl FIXME: Not sure whether we should use
+ dnl "-L$found_dir -l$name" or "-L$found_dir $found_so"
+ dnl here.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$found_so"
+ else
+ dnl We cannot use $hardcode_runpath_var and LD_RUN_PATH
+ dnl here, because this doesn't fit in flags passed to the
+ dnl compiler. So give up. No hardcoding. This affects only
+ dnl very old systems.
+ dnl FIXME: Not sure whether we should use
+ dnl "-L$found_dir -l$name" or "-L$found_dir $found_so"
+ dnl here.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }-l$name"
+ fi
+ fi
+ fi
+ fi
+ else
+ if test "X$found_a" != "X"; then
+ dnl Linking with a static library.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$found_a"
+ else
+ dnl We shouldn't come here, but anyway it's good to have a
+ dnl fallback.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }-L$found_dir -l$name"
+ fi
+ fi
+ dnl Assume the include files are nearby.
+ additional_includedir=
+ case "$found_dir" in
+ */lib | */lib/)
+ basedir=`echo "X$found_dir" | sed -e 's,^X,,' -e 's,/lib/*$,,'`
+ additional_includedir="$basedir/include"
+ ;;
+ esac
+ if test "X$additional_includedir" != "X"; then
+ dnl Potentially add $additional_includedir to $INCNAME.
+ dnl But don't add it
+ dnl 1. if it's the standard /usr/include,
+ dnl 2. if it's /usr/local/include and we are using GCC on Linux,
+ dnl 3. if it's already present in $CPPFLAGS or the already
+ dnl constructed $INCNAME,
+ dnl 4. if it doesn't exist as a directory.
+ if test "X$additional_includedir" != "X/usr/include"; then
+ haveit=
+ if test "X$additional_includedir" = "X/usr/local/include"; then
+ if test -n "$GCC"; then
+ case $host_os in
+ linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+ esac
+ fi
+ fi
+ if test -z "$haveit"; then
+ for x in $CPPFLAGS $INC[]NAME; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X-I$additional_includedir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ if test -d "$additional_includedir"; then
+ dnl Really add $additional_includedir to $INCNAME.
+ INC[]NAME="${INC[]NAME}${INC[]NAME:+ }-I$additional_includedir"
+ fi
+ fi
+ fi
+ fi
+ fi
+ dnl Look for dependencies.
+ if test -n "$found_la"; then
+ dnl Read the .la file. It defines the variables
+ dnl dlname, library_names, old_library, dependency_libs, current,
+ dnl age, revision, installed, dlopen, dlpreopen, libdir.
+ save_libdir="$libdir"
+ case "$found_la" in
+ */* | *\\*) . "$found_la" ;;
+ *) . "./$found_la" ;;
+ esac
+ libdir="$save_libdir"
+ dnl We use only dependency_libs.
+ for dep in $dependency_libs; do
+ case "$dep" in
+ -L*)
+ additional_libdir=`echo "X$dep" | sed -e 's/^X-L//'`
+ dnl Potentially add $additional_libdir to $LIBNAME and $LTLIBNAME.
+ dnl But don't add it
+ dnl 1. if it's the standard /usr/lib,
+ dnl 2. if it's /usr/local/lib and we are using GCC on Linux,
+ dnl 3. if it's already present in $LDFLAGS or the already
+ dnl constructed $LIBNAME,
+ dnl 4. if it doesn't exist as a directory.
+ if test "X$additional_libdir" != "X/usr/lib"; then
+ haveit=
+ if test "X$additional_libdir" = "X/usr/local/lib"; then
+ if test -n "$GCC"; then
+ case $host_os in
+ linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+ esac
+ fi
+ fi
+ if test -z "$haveit"; then
+ haveit=
+ for x in $LDFLAGS $LIB[]NAME; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X-L$additional_libdir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ if test -d "$additional_libdir"; then
+ dnl Really add $additional_libdir to $LIBNAME.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }-L$additional_libdir"
+ fi
+ fi
+ haveit=
+ for x in $LDFLAGS $LTLIB[]NAME; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X-L$additional_libdir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ if test -d "$additional_libdir"; then
+ dnl Really add $additional_libdir to $LTLIBNAME.
+ LTLIB[]NAME="${LTLIB[]NAME}${LTLIB[]NAME:+ }-L$additional_libdir"
+ fi
+ fi
+ fi
+ fi
+ ;;
+ -R*)
+ dir=`echo "X$dep" | sed -e 's/^X-R//'`
+ if test "$enable_rpath" != no; then
+ dnl Potentially add DIR to rpathdirs.
+ dnl The rpathdirs will be appended to $LIBNAME at the end.
+ haveit=
+ for x in $rpathdirs; do
+ if test "X$x" = "X$dir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ rpathdirs="$rpathdirs $dir"
+ fi
+ dnl Potentially add DIR to ltrpathdirs.
+ dnl The ltrpathdirs will be appended to $LTLIBNAME at the end.
+ haveit=
+ for x in $ltrpathdirs; do
+ if test "X$x" = "X$dir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ ltrpathdirs="$ltrpathdirs $dir"
+ fi
+ fi
+ ;;
+ -l*)
+ dnl Handle this in the next round.
+ names_next_round="$names_next_round "`echo "X$dep" | sed -e 's/^X-l//'`
+ ;;
+ *.la)
+ dnl Handle this in the next round. Throw away the .la's
+ dnl directory; it is already contained in a preceding -L
+ dnl option.
+ names_next_round="$names_next_round "`echo "X$dep" | sed -e 's,^X.*/,,' -e 's,^lib,,' -e 's,\.la$,,'`
+ ;;
+ *)
+ dnl Most likely an immediate library name.
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$dep"
+ LTLIB[]NAME="${LTLIB[]NAME}${LTLIB[]NAME:+ }$dep"
+ ;;
+ esac
+ done
+ fi
+ else
+ dnl Didn't find the library; assume it is in the system directories
+ dnl known to the linker and runtime loader. (All the system
+ dnl directories known to the linker should also be known to the
+ dnl runtime loader, otherwise the system is severely misconfigured.)
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }-l$name"
+ LTLIB[]NAME="${LTLIB[]NAME}${LTLIB[]NAME:+ }-l$name"
+ fi
+ fi
+ fi
+ done
+ done
+ if test "X$rpathdirs" != "X"; then
+ if test -n "$hardcode_libdir_separator"; then
+ dnl Weird platform: only the last -rpath option counts, the user must
+ dnl pass all path elements in one option. We can arrange that for a
+ dnl single library, but not when more than one $LIBNAMEs are used.
+ alldirs=
+ for found_dir in $rpathdirs; do
+ alldirs="${alldirs}${alldirs:+$hardcode_libdir_separator}$found_dir"
+ done
+ dnl Note: hardcode_libdir_flag_spec uses $libdir and $wl.
+ acl_save_libdir="$libdir"
+ libdir="$alldirs"
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ libdir="$acl_save_libdir"
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$flag"
+ else
+ dnl The -rpath options are cumulative.
+ for found_dir in $rpathdirs; do
+ acl_save_libdir="$libdir"
+ libdir="$found_dir"
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ libdir="$acl_save_libdir"
+ LIB[]NAME="${LIB[]NAME}${LIB[]NAME:+ }$flag"
+ done
+ fi
+ fi
+ if test "X$ltrpathdirs" != "X"; then
+ dnl When using libtool, the option that works for both libraries and
+ dnl executables is -R. The -R options are cumulative.
+ for found_dir in $ltrpathdirs; do
+ LTLIB[]NAME="${LTLIB[]NAME}${LTLIB[]NAME:+ }-R$found_dir"
+ done
+ fi
+])
+
+dnl AC_LIB_APPENDTOVAR(VAR, CONTENTS) appends the elements of CONTENTS to VAR,
+dnl unless already present in VAR.
+dnl Works only for CPPFLAGS, not for LIB* variables because that sometimes
+dnl contains two or three consecutive elements that belong together.
+AC_DEFUN([AC_LIB_APPENDTOVAR],
+[
+ for element in [$2]; do
+ haveit=
+ for x in $[$1]; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X$element"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ [$1]="${[$1]}${[$1]:+ }$element"
+ fi
+ done
+])
diff --git a/m4/lib-prefix.m4 b/m4/lib-prefix.m4
new file mode 100644
index 0000000..0d895ca
--- /dev/null
+++ b/m4/lib-prefix.m4
@@ -0,0 +1,153 @@
+# lib-prefix.m4 serial 4 (gettext-0.14.2)
+dnl Copyright (C) 2001-2005 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+dnl AC_LIB_ARG_WITH is synonymous to AC_ARG_WITH in autoconf-2.13, and
+dnl similar to AC_ARG_WITH in autoconf 2.52...2.57 except that is doesn't
+dnl require excessive bracketing.
+ifdef([AC_HELP_STRING],
+[AC_DEFUN([AC_LIB_ARG_WITH], [AC_ARG_WITH([$1],[[$2]],[$3],[$4])])],
+[AC_DEFUN([AC_][LIB_ARG_WITH], [AC_ARG_WITH([$1],[$2],[$3],[$4])])])
+
+dnl AC_LIB_PREFIX adds to the CPPFLAGS and LDFLAGS the flags that are needed
+dnl to access previously installed libraries. The basic assumption is that
+dnl a user will want packages to use other packages he previously installed
+dnl with the same --prefix option.
+dnl This macro is not needed if only AC_LIB_LINKFLAGS is used to locate
+dnl libraries, but is otherwise very convenient.
+AC_DEFUN([AC_LIB_PREFIX],
+[
+ AC_BEFORE([$0], [AC_LIB_LINKFLAGS])
+ AC_REQUIRE([AC_PROG_CC])
+ AC_REQUIRE([AC_CANONICAL_HOST])
+ AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+ dnl By default, look in $includedir and $libdir.
+ use_additional=yes
+ AC_LIB_WITH_FINAL_PREFIX([
+ eval additional_includedir=\"$includedir\"
+ eval additional_libdir=\"$libdir\"
+ ])
+ AC_LIB_ARG_WITH([lib-prefix],
+[ --with-lib-prefix[=DIR] search for libraries in DIR/include and DIR/lib
+ --without-lib-prefix don't search for libraries in includedir and libdir],
+[
+ if test "X$withval" = "Xno"; then
+ use_additional=no
+ else
+ if test "X$withval" = "X"; then
+ AC_LIB_WITH_FINAL_PREFIX([
+ eval additional_includedir=\"$includedir\"
+ eval additional_libdir=\"$libdir\"
+ ])
+ else
+ additional_includedir="$withval/include"
+ additional_libdir="$withval/lib"
+ fi
+ fi
+])
+ if test $use_additional = yes; then
+ dnl Potentially add $additional_includedir to $CPPFLAGS.
+ dnl But don't add it
+ dnl 1. if it's the standard /usr/include,
+ dnl 2. if it's already present in $CPPFLAGS,
+ dnl 3. if it's /usr/local/include and we are using GCC on Linux,
+ dnl 4. if it doesn't exist as a directory.
+ if test "X$additional_includedir" != "X/usr/include"; then
+ haveit=
+ for x in $CPPFLAGS; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X-I$additional_includedir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ if test "X$additional_includedir" = "X/usr/local/include"; then
+ if test -n "$GCC"; then
+ case $host_os in
+ linux* | gnu* | k*bsd*-gnu) haveit=yes;;
+ esac
+ fi
+ fi
+ if test -z "$haveit"; then
+ if test -d "$additional_includedir"; then
+ dnl Really add $additional_includedir to $CPPFLAGS.
+ CPPFLAGS="${CPPFLAGS}${CPPFLAGS:+ }-I$additional_includedir"
+ fi
+ fi
+ fi
+ fi
+ dnl Potentially add $additional_libdir to $LDFLAGS.
+ dnl But don't add it
+ dnl 1. if it's the standard /usr/lib,
+ dnl 2. if it's already present in $LDFLAGS,
+ dnl 3. if it's /usr/local/lib and we are using GCC on Linux,
+ dnl 4. if it doesn't exist as a directory.
+ if test "X$additional_libdir" != "X/usr/lib"; then
+ haveit=
+ for x in $LDFLAGS; do
+ AC_LIB_WITH_FINAL_PREFIX([eval x=\"$x\"])
+ if test "X$x" = "X-L$additional_libdir"; then
+ haveit=yes
+ break
+ fi
+ done
+ if test -z "$haveit"; then
+ if test "X$additional_libdir" = "X/usr/local/lib"; then
+ if test -n "$GCC"; then
+ case $host_os in
+ linux*) haveit=yes;;
+ esac
+ fi
+ fi
+ if test -z "$haveit"; then
+ if test -d "$additional_libdir"; then
+ dnl Really add $additional_libdir to $LDFLAGS.
+ LDFLAGS="${LDFLAGS}${LDFLAGS:+ }-L$additional_libdir"
+ fi
+ fi
+ fi
+ fi
+ fi
+])
+
+dnl AC_LIB_PREPARE_PREFIX creates variables acl_final_prefix,
+dnl acl_final_exec_prefix, containing the values to which $prefix and
+dnl $exec_prefix will expand at the end of the configure script.
+AC_DEFUN([AC_LIB_PREPARE_PREFIX],
+[
+ dnl Unfortunately, prefix and exec_prefix get only finally determined
+ dnl at the end of configure.
+ if test "X$prefix" = "XNONE"; then
+ acl_final_prefix="$ac_default_prefix"
+ else
+ acl_final_prefix="$prefix"
+ fi
+ if test "X$exec_prefix" = "XNONE"; then
+ acl_final_exec_prefix='${prefix}'
+ else
+ acl_final_exec_prefix="$exec_prefix"
+ fi
+ acl_save_prefix="$prefix"
+ prefix="$acl_final_prefix"
+ eval acl_final_exec_prefix=\"$acl_final_exec_prefix\"
+ prefix="$acl_save_prefix"
+])
+
+dnl AC_LIB_WITH_FINAL_PREFIX([statement]) evaluates statement, with the
+dnl variables prefix and exec_prefix bound to the values they will have
+dnl at the end of the configure script.
+AC_DEFUN([AC_LIB_WITH_FINAL_PREFIX],
+[
+ acl_save_prefix="$prefix"
+ prefix="$acl_final_prefix"
+ acl_save_exec_prefix="$exec_prefix"
+ exec_prefix="$acl_final_exec_prefix"
+ $1
+ exec_prefix="$acl_save_exec_prefix"
+ prefix="$acl_save_prefix"
+])
diff --git a/m4/libtool.m4 b/m4/libtool.m4
new file mode 100644
index 0000000..a644432
--- /dev/null
+++ b/m4/libtool.m4
@@ -0,0 +1,8372 @@
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+#
+# Copyright (C) 1996-2001, 2003-2015 Free Software Foundation, Inc.
+# Written by Gordon Matzigkeit, 1996
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+m4_define([_LT_COPYING], [dnl
+# Copyright (C) 2014 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions. There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# GNU Libtool is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of of the License, or
+# (at your option) any later version.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program or library that is built
+# using GNU Libtool, you may include this file under the same
+# distribution terms that you use for the rest of that program.
+#
+# GNU Libtool is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+])
+
+# serial 58 LT_INIT
+
+
+# LT_PREREQ(VERSION)
+# ------------------
+# Complain and exit if this libtool version is less that VERSION.
+m4_defun([LT_PREREQ],
+[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1,
+ [m4_default([$3],
+ [m4_fatal([Libtool version $1 or higher is required],
+ 63)])],
+ [$2])])
+
+
+# _LT_CHECK_BUILDDIR
+# ------------------
+# Complain if the absolute build directory name contains unusual characters
+m4_defun([_LT_CHECK_BUILDDIR],
+[case `pwd` in
+ *\ * | *\ *)
+ AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;;
+esac
+])
+
+
+# LT_INIT([OPTIONS])
+# ------------------
+AC_DEFUN([LT_INIT],
+[AC_PREREQ([2.62])dnl We use AC_PATH_PROGS_FEATURE_CHECK
+AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl
+AC_BEFORE([$0], [LT_LANG])dnl
+AC_BEFORE([$0], [LT_OUTPUT])dnl
+AC_BEFORE([$0], [LTDL_INIT])dnl
+m4_require([_LT_CHECK_BUILDDIR])dnl
+
+dnl Autoconf doesn't catch unexpanded LT_ macros by default:
+m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl
+m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl
+dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4
+dnl unless we require an AC_DEFUNed macro:
+AC_REQUIRE([LTOPTIONS_VERSION])dnl
+AC_REQUIRE([LTSUGAR_VERSION])dnl
+AC_REQUIRE([LTVERSION_VERSION])dnl
+AC_REQUIRE([LTOBSOLETE_VERSION])dnl
+m4_require([_LT_PROG_LTMAIN])dnl
+
+_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}])
+
+dnl Parse OPTIONS
+_LT_SET_OPTIONS([$0], [$1])
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS=$ltmain
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+_LT_SETUP
+
+# Only expand once:
+m4_define([LT_INIT])
+])# LT_INIT
+
+# Old names:
+AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT])
+AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT])
+dnl aclocal-1.4 backwards compatibility:
+dnl AC_DEFUN([AC_PROG_LIBTOOL], [])
+dnl AC_DEFUN([AM_PROG_LIBTOOL], [])
+
+
+# _LT_PREPARE_CC_BASENAME
+# -----------------------
+m4_defun([_LT_PREPARE_CC_BASENAME], [
+# Calculate cc_basename. Skip known compiler wrappers and cross-prefix.
+func_cc_basename ()
+{
+ for cc_temp in @S|@*""; do
+ case $cc_temp in
+ compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+ distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+ \-*) ;;
+ *) break;;
+ esac
+ done
+ func_cc_basename_result=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"`
+}
+])# _LT_PREPARE_CC_BASENAME
+
+
+# _LT_CC_BASENAME(CC)
+# -------------------
+# It would be clearer to call AC_REQUIREs from _LT_PREPARE_CC_BASENAME,
+# but that macro is also expanded into generated libtool script, which
+# arranges for $SED and $ECHO to be set by different means.
+m4_defun([_LT_CC_BASENAME],
+[m4_require([_LT_PREPARE_CC_BASENAME])dnl
+AC_REQUIRE([_LT_DECL_SED])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+func_cc_basename $1
+cc_basename=$func_cc_basename_result
+])
+
+
+# _LT_FILEUTILS_DEFAULTS
+# ----------------------
+# It is okay to use these file commands and assume they have been set
+# sensibly after 'm4_require([_LT_FILEUTILS_DEFAULTS])'.
+m4_defun([_LT_FILEUTILS_DEFAULTS],
+[: ${CP="cp -f"}
+: ${MV="mv -f"}
+: ${RM="rm -f"}
+])# _LT_FILEUTILS_DEFAULTS
+
+
+# _LT_SETUP
+# ---------
+m4_defun([_LT_SETUP],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl
+AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl
+
+_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl
+dnl
+_LT_DECL([], [host_alias], [0], [The host system])dnl
+_LT_DECL([], [host], [0])dnl
+_LT_DECL([], [host_os], [0])dnl
+dnl
+_LT_DECL([], [build_alias], [0], [The build system])dnl
+_LT_DECL([], [build], [0])dnl
+_LT_DECL([], [build_os], [0])dnl
+dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([LT_PATH_LD])dnl
+AC_REQUIRE([LT_PATH_NM])dnl
+dnl
+AC_REQUIRE([AC_PROG_LN_S])dnl
+test -z "$LN_S" && LN_S="ln -s"
+_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl
+dnl
+AC_REQUIRE([LT_CMD_MAX_LEN])dnl
+_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl
+_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl
+dnl
+m4_require([_LT_FILEUTILS_DEFAULTS])dnl
+m4_require([_LT_CHECK_SHELL_FEATURES])dnl
+m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl
+m4_require([_LT_CMD_RELOAD])dnl
+m4_require([_LT_CHECK_MAGIC_METHOD])dnl
+m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl
+m4_require([_LT_CMD_OLD_ARCHIVE])dnl
+m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl
+m4_require([_LT_WITH_SYSROOT])dnl
+m4_require([_LT_CMD_TRUNCATE])dnl
+
+_LT_CONFIG_LIBTOOL_INIT([
+# See if we are running on zsh, and set the options that allow our
+# commands through without removal of \ escapes INIT.
+if test -n "\${ZSH_VERSION+set}"; then
+ setopt NO_GLOB_SUBST
+fi
+])
+if test -n "${ZSH_VERSION+set}"; then
+ setopt NO_GLOB_SUBST
+fi
+
+_LT_CHECK_OBJDIR
+
+m4_require([_LT_TAG_COMPILER])dnl
+
+case $host_os in
+aix3*)
+ # AIX sometimes has problems with the GCC collect2 program. For some
+ # reason, if we set the COLLECT_NAMES environment variable, the problems
+ # vanish in a puff of smoke.
+ if test set != "${COLLECT_NAMES+set}"; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+ fi
+ ;;
+esac
+
+# Global variables:
+ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a '.a' archive for static linking (except MSVC,
+# which needs '.lib').
+libext=a
+
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+old_CC=$CC
+old_CFLAGS=$CFLAGS
+
+# Set sane defaults for various variables
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
+test -z "$LD" && LD=ld
+test -z "$ac_objext" && ac_objext=o
+
+_LT_CC_BASENAME([$compiler])
+
+# Only perform the check for file, if the check method requires it
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+case $deplibs_check_method in
+file_magic*)
+ if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+ _LT_PATH_MAGIC
+ fi
+ ;;
+esac
+
+# Use C for the default configuration in the libtool script
+LT_SUPPORTED_TAG([CC])
+_LT_LANG_C_CONFIG
+_LT_LANG_DEFAULT_CONFIG
+_LT_CONFIG_COMMANDS
+])# _LT_SETUP
+
+
+# _LT_PREPARE_SED_QUOTE_VARS
+# --------------------------
+# Define a few sed substitution that help us do robust quoting.
+m4_defun([_LT_PREPARE_SED_QUOTE_VARS],
+[# Backslashify metacharacters that are still active within
+# double-quoted strings.
+sed_quote_subst='s/\([["`$\\]]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([["`\\]]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to delay expansion of an escaped single quote.
+delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+])
+
+# _LT_PROG_LTMAIN
+# ---------------
+# Note that this code is called both from 'configure', and 'config.status'
+# now that we use AC_CONFIG_COMMANDS to generate libtool. Notably,
+# 'config.status' has no value for ac_aux_dir unless we are using Automake,
+# so we pass a copy along to make sure it has a sensible value anyway.
+m4_defun([_LT_PROG_LTMAIN],
+[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl
+_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir'])
+ltmain=$ac_aux_dir/ltmain.sh
+])# _LT_PROG_LTMAIN
+
+
+## ------------------------------------- ##
+## Accumulate code for creating libtool. ##
+## ------------------------------------- ##
+
+# So that we can recreate a full libtool script including additional
+# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS
+# in macros and then make a single call at the end using the 'libtool'
+# label.
+
+
+# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS])
+# ----------------------------------------
+# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL_INIT],
+[m4_ifval([$1],
+ [m4_append([_LT_OUTPUT_LIBTOOL_INIT],
+ [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_INIT])
+
+
+# _LT_CONFIG_LIBTOOL([COMMANDS])
+# ------------------------------
+# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later.
+m4_define([_LT_CONFIG_LIBTOOL],
+[m4_ifval([$1],
+ [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS],
+ [$1
+])])])
+
+# Initialize.
+m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS])
+
+
+# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS])
+# -----------------------------------------------------
+m4_defun([_LT_CONFIG_SAVE_COMMANDS],
+[_LT_CONFIG_LIBTOOL([$1])
+_LT_CONFIG_LIBTOOL_INIT([$2])
+])
+
+
+# _LT_FORMAT_COMMENT([COMMENT])
+# -----------------------------
+# Add leading comment marks to the start of each line, and a trailing
+# full-stop to the whole comment if one is not present already.
+m4_define([_LT_FORMAT_COMMENT], +[m4_ifval([$1], [ +m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])], + [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.]) +)]) + + + +## ------------------------ ## +## FIXME: Eliminate VARNAME ## +## ------------------------ ## + + +# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?]) +# ------------------------------------------------------------------- +# CONFIGNAME is the name given to the value in the libtool script. +# VARNAME is the (base) name used in the configure script. +# VALUE may be 0, 1 or 2 for a computed quote escaped value based on +# VARNAME. Any other value will be used directly. +m4_define([_LT_DECL], +[lt_if_append_uniq([lt_decl_varnames], [$2], [, ], + [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name], + [m4_ifval([$1], [$1], [$2])]) + lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3]) + m4_ifval([$4], + [lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])]) + lt_dict_add_subkey([lt_decl_dict], [$2], + [tagged?], [m4_ifval([$5], [yes], [no])])]) +]) + + +# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION]) +# -------------------------------------------------------- +m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])]) + + +# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...]) +# ------------------------------------------------ +m4_define([lt_decl_tag_varnames], +[_lt_decl_filter([tagged?], [yes], $@)]) + + +# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..]) +# --------------------------------------------------------- +m4_define([_lt_decl_filter], +[m4_case([$#], + [0], [m4_fatal([$0: too few arguments: $#])], + [1], [m4_fatal([$0: too few arguments: $#: $1])], + [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)], + [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)], + [lt_dict_filter([lt_decl_dict], $@)])[]dnl +]) + + +# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...]) +# 
-------------------------------------------------- +m4_define([lt_decl_quote_varnames], +[_lt_decl_filter([value], [1], $@)]) + + +# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...]) +# --------------------------------------------------- +m4_define([lt_decl_dquote_varnames], +[_lt_decl_filter([value], [2], $@)]) + + +# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...]) +# --------------------------------------------------- +m4_define([lt_decl_varnames_tagged], +[m4_assert([$# <= 2])dnl +_$0(m4_quote(m4_default([$1], [[, ]])), + m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]), + m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))]) +m4_define([_lt_decl_varnames_tagged], +[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])]) + + +# lt_decl_all_varnames([SEPARATOR], [VARNAME1...]) +# ------------------------------------------------ +m4_define([lt_decl_all_varnames], +[_$0(m4_quote(m4_default([$1], [[, ]])), + m4_if([$2], [], + m4_quote(lt_decl_varnames), + m4_quote(m4_shift($@))))[]dnl +]) +m4_define([_lt_decl_all_varnames], +[lt_join($@, lt_decl_varnames_tagged([$1], + lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl +]) + + +# _LT_CONFIG_STATUS_DECLARE([VARNAME]) +# ------------------------------------ +# Quote a variable value, and forward it to 'config.status' so that its +# declaration there will have the same value as in 'configure'. VARNAME +# must have a single quote delimited value for this to work. +m4_define([_LT_CONFIG_STATUS_DECLARE], +[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`']) + + +# _LT_CONFIG_STATUS_DECLARATIONS +# ------------------------------ +# We delimit libtool config variables with single quotes, so when +# we write them to config.status, we have to be sure to quote all +# embedded single quotes properly. 
In configure, this macro expands +# each variable declared with _LT_DECL (and _LT_TAGDECL) into: +# +# ='`$ECHO "$" | $SED "$delay_single_quote_subst"`' +m4_defun([_LT_CONFIG_STATUS_DECLARATIONS], +[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames), + [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])]) + + +# _LT_LIBTOOL_TAGS +# ---------------- +# Output comment and list of tags supported by the script +m4_defun([_LT_LIBTOOL_TAGS], +[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl +available_tags='_LT_TAGS'dnl +]) + + +# _LT_LIBTOOL_DECLARE(VARNAME, [TAG]) +# ----------------------------------- +# Extract the dictionary values for VARNAME (optionally with TAG) and +# expand to a commented shell variable setting: +# +# # Some comment about what VAR is for. +# visible_name=$lt_internal_name +m4_define([_LT_LIBTOOL_DECLARE], +[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], + [description])))[]dnl +m4_pushdef([_libtool_name], + m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl +m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])), + [0], [_libtool_name=[$]$1], + [1], [_libtool_name=$lt_[]$1], + [2], [_libtool_name=$lt_[]$1], + [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl +m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl +]) + + +# _LT_LIBTOOL_CONFIG_VARS +# ----------------------- +# Produce commented declarations of non-tagged libtool config variables +# suitable for insertion in the LIBTOOL CONFIG section of the 'libtool' +# script. Tagged libtool config variables (even for the LIBTOOL CONFIG +# section) are produced by _LT_LIBTOOL_TAG_VARS. 
+m4_defun([_LT_LIBTOOL_CONFIG_VARS], +[m4_foreach([_lt_var], + m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)), + [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])]) + + +# _LT_LIBTOOL_TAG_VARS(TAG) +# ------------------------- +m4_define([_LT_LIBTOOL_TAG_VARS], +[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames), + [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])]) + + +# _LT_TAGVAR(VARNAME, [TAGNAME]) +# ------------------------------ +m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])]) + + +# _LT_CONFIG_COMMANDS +# ------------------- +# Send accumulated output to $CONFIG_STATUS. Thanks to the lists of +# variables for single and double quote escaping we saved from calls +# to _LT_DECL, we can put quote escaped variables declarations +# into 'config.status', and then the shell code to quote escape them in +# for loops in 'config.status'. Finally, any additional code accumulated +# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded. +m4_defun([_LT_CONFIG_COMMANDS], +[AC_PROVIDE_IFELSE([LT_OUTPUT], + dnl If the libtool generation code has been placed in $CONFIG_LT, + dnl instead of duplicating it all over again into config.status, + dnl then we will have config.status run $CONFIG_LT later, so it + dnl needs to know what name is stored there: + [AC_CONFIG_COMMANDS([libtool], + [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])], + dnl If the libtool generation code is destined for config.status, + dnl expand the accumulated commands and init code now: + [AC_CONFIG_COMMANDS([libtool], + [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])]) +])#_LT_CONFIG_COMMANDS + + +# Initialize. +m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT], +[ + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. 
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +sed_quote_subst='$sed_quote_subst' +double_quote_subst='$double_quote_subst' +delay_variable_subst='$delay_variable_subst' +_LT_CONFIG_STATUS_DECLARATIONS +LTCC='$LTCC' +LTCFLAGS='$LTCFLAGS' +compiler='$compiler_DEFAULT' + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$[]1 +_LTECHO_EOF' +} + +# Quote evaled strings. +for var in lt_decl_all_varnames([[ \ +]], lt_decl_quote_varnames); do + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in + *[[\\\\\\\`\\"\\\$]]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done + +# Double-quote double-evaled strings. +for var in lt_decl_all_varnames([[ \ +]], lt_decl_dquote_varnames); do + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in + *[[\\\\\\\`\\"\\\$]]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" ## exclude from sc_prohibit_nested_quotes + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done + +_LT_OUTPUT_LIBTOOL_INIT +]) + +# _LT_GENERATED_FILE_INIT(FILE, [COMMENT]) +# ------------------------------------ +# Generate a child script FILE with all initialization necessary to +# reuse the environment learned by the parent script, and make the +# file executable. If COMMENT is supplied, it is inserted after the +# '#!' sequence but before initialization text begins. After this +# macro, additional text can be appended to FILE to form the body of +# the child script. The macro ends with non-zero status if the +# file could not be fully written (such as if the disk is full). 
+m4_ifdef([AS_INIT_GENERATED], +[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])], +[m4_defun([_LT_GENERATED_FILE_INIT], +[m4_require([AS_PREPARE])]dnl +[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl +[lt_write_fail=0 +cat >$1 <<_ASEOF || lt_write_fail=1 +#! $SHELL +# Generated by $as_me. +$2 +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$1 <<\_ASEOF || lt_write_fail=1 +AS_SHELL_SANITIZE +_AS_PREPARE +exec AS_MESSAGE_FD>&1 +_ASEOF +test 0 = "$lt_write_fail" && chmod +x $1[]dnl +m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT + +# LT_OUTPUT +# --------- +# This macro allows early generation of the libtool script (before +# AC_OUTPUT is called), incase it is used in configure for compilation +# tests. +AC_DEFUN([LT_OUTPUT], +[: ${CONFIG_LT=./config.lt} +AC_MSG_NOTICE([creating $CONFIG_LT]) +_LT_GENERATED_FILE_INIT(["$CONFIG_LT"], +[# Run this file to recreate a libtool stub with the current configuration.]) + +cat >>"$CONFIG_LT" <<\_LTEOF +lt_cl_silent=false +exec AS_MESSAGE_LOG_FD>>config.log +{ + echo + AS_BOX([Running $as_me.]) +} >&AS_MESSAGE_LOG_FD + +lt_cl_help="\ +'$as_me' creates a local libtool stub from the current configuration, +for use in further configure time tests before the real libtool is +generated. + +Usage: $[0] [[OPTIONS]] + + -h, --help print this help, then exit + -V, --version print version number, then exit + -q, --quiet do not print progress messages + -d, --debug don't remove temporary files + +Report bugs to ." + +lt_cl_version="\ +m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl +m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION]) +configured by $[0], generated by m4_PACKAGE_STRING. + +Copyright (C) 2011 Free Software Foundation, Inc. +This config.lt script is free software; the Free Software Foundation +gives unlimited permision to copy, distribute and modify it." 
+ +while test 0 != $[#] +do + case $[1] in + --version | --v* | -V ) + echo "$lt_cl_version"; exit 0 ;; + --help | --h* | -h ) + echo "$lt_cl_help"; exit 0 ;; + --debug | --d* | -d ) + debug=: ;; + --quiet | --q* | --silent | --s* | -q ) + lt_cl_silent=: ;; + + -*) AC_MSG_ERROR([unrecognized option: $[1] +Try '$[0] --help' for more information.]) ;; + + *) AC_MSG_ERROR([unrecognized argument: $[1] +Try '$[0] --help' for more information.]) ;; + esac + shift +done + +if $lt_cl_silent; then + exec AS_MESSAGE_FD>/dev/null +fi +_LTEOF + +cat >>"$CONFIG_LT" <<_LTEOF +_LT_OUTPUT_LIBTOOL_COMMANDS_INIT +_LTEOF + +cat >>"$CONFIG_LT" <<\_LTEOF +AC_MSG_NOTICE([creating $ofile]) +_LT_OUTPUT_LIBTOOL_COMMANDS +AS_EXIT(0) +_LTEOF +chmod +x "$CONFIG_LT" + +# configure is writing to config.log, but config.lt does its own redirection, +# appending to config.log, which fails on DOS, as config.log is still kept +# open by configure. Here we exec the FD to /dev/null, effectively closing +# config.log, so it can be properly (re)opened and appended to by config.lt. +lt_cl_success=: +test yes = "$silent" && + lt_config_lt_args="$lt_config_lt_args --quiet" +exec AS_MESSAGE_LOG_FD>/dev/null +$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false +exec AS_MESSAGE_LOG_FD>>config.log +$lt_cl_success || AS_EXIT(1) +])# LT_OUTPUT + + +# _LT_CONFIG(TAG) +# --------------- +# If TAG is the built-in tag, create an initial libtool script with a +# default configuration from the untagged config vars. Otherwise add code +# to config.status for appending the configuration named by TAG from the +# matching tagged config vars. +m4_defun([_LT_CONFIG], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +_LT_CONFIG_SAVE_COMMANDS([ + m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl + m4_if(_LT_TAG, [C], [ + # See if we are running on zsh, and set the options that allow our + # commands through without removal of \ escapes. 
+ if test -n "${ZSH_VERSION+set}"; then + setopt NO_GLOB_SUBST + fi + + cfgfile=${ofile}T + trap "$RM \"$cfgfile\"; exit 1" 1 2 15 + $RM "$cfgfile" + + cat <<_LT_EOF >> "$cfgfile" +#! $SHELL +# Generated automatically by $as_me ($PACKAGE) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# NOTE: Changes made to this file will be lost: look at ltmain.sh. + +# Provide generalized library-building support services. +# Written by Gordon Matzigkeit, 1996 + +_LT_COPYING +_LT_LIBTOOL_TAGS + +# Configured defaults for sys_lib_dlsearch_path munging. +: \${LT_SYS_LIBRARY_PATH="$configure_time_lt_sys_library_path"} + +# ### BEGIN LIBTOOL CONFIG +_LT_LIBTOOL_CONFIG_VARS +_LT_LIBTOOL_TAG_VARS +# ### END LIBTOOL CONFIG + +_LT_EOF + + cat <<'_LT_EOF' >> "$cfgfile" + +# ### BEGIN FUNCTIONS SHARED WITH CONFIGURE + +_LT_PREPARE_MUNGE_PATH_LIST +_LT_PREPARE_CC_BASENAME + +# ### END FUNCTIONS SHARED WITH CONFIGURE + +_LT_EOF + + case $host_os in + aix3*) + cat <<\_LT_EOF >> "$cfgfile" +# AIX sometimes has problems with the GCC collect2 program. For some +# reason, if we set the COLLECT_NAMES environment variable, the problems +# vanish in a puff of smoke. +if test set != "${COLLECT_NAMES+set}"; then + COLLECT_NAMES= + export COLLECT_NAMES +fi +_LT_EOF + ;; + esac + + _LT_PROG_LTMAIN + + # We use sed instead of cat because bash on DJGPP gets confused if + # if finds mixed CR/LF and LF-only lines. Since sed operates in + # text mode, it properly converts lines to CR/LF. This bash problem + # is reportedly fixed, but why not run on old versions too? + sed '$q' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + mv -f "$cfgfile" "$ofile" || + (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") + chmod +x "$ofile" +], +[cat <<_LT_EOF >> "$ofile" + +dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded +dnl in a comment (ie after a #). 
+# ### BEGIN LIBTOOL TAG CONFIG: $1 +_LT_LIBTOOL_TAG_VARS(_LT_TAG) +# ### END LIBTOOL TAG CONFIG: $1 +_LT_EOF +])dnl /m4_if +], +[m4_if([$1], [], [ + PACKAGE='$PACKAGE' + VERSION='$VERSION' + RM='$RM' + ofile='$ofile'], []) +])dnl /_LT_CONFIG_SAVE_COMMANDS +])# _LT_CONFIG + + +# LT_SUPPORTED_TAG(TAG) +# --------------------- +# Trace this macro to discover what tags are supported by the libtool +# --tag option, using: +# autoconf --trace 'LT_SUPPORTED_TAG:$1' +AC_DEFUN([LT_SUPPORTED_TAG], []) + + +# C support is built-in for now +m4_define([_LT_LANG_C_enabled], []) +m4_define([_LT_TAGS], []) + + +# LT_LANG(LANG) +# ------------- +# Enable libtool support for the given language if not already enabled. +AC_DEFUN([LT_LANG], +[AC_BEFORE([$0], [LT_OUTPUT])dnl +m4_case([$1], + [C], [_LT_LANG(C)], + [C++], [_LT_LANG(CXX)], + [Go], [_LT_LANG(GO)], + [Java], [_LT_LANG(GCJ)], + [Fortran 77], [_LT_LANG(F77)], + [Fortran], [_LT_LANG(FC)], + [Windows Resource], [_LT_LANG(RC)], + [m4_ifdef([_LT_LANG_]$1[_CONFIG], + [_LT_LANG($1)], + [m4_fatal([$0: unsupported language: "$1"])])])dnl +])# LT_LANG + + +# _LT_LANG(LANGNAME) +# ------------------ +m4_defun([_LT_LANG], +[m4_ifdef([_LT_LANG_]$1[_enabled], [], + [LT_SUPPORTED_TAG([$1])dnl + m4_append([_LT_TAGS], [$1 ])dnl + m4_define([_LT_LANG_]$1[_enabled], [])dnl + _LT_LANG_$1_CONFIG($1)])dnl +])# _LT_LANG + + +m4_ifndef([AC_PROG_GO], [ +############################################################ +# NOTE: This macro has been submitted for inclusion into # +# GNU Autoconf as AC_PROG_GO. When it is available in # +# a released version of Autoconf we should remove this # +# macro and use it instead. 
# +############################################################ +m4_defun([AC_PROG_GO], +[AC_LANG_PUSH(Go)dnl +AC_ARG_VAR([GOC], [Go compiler command])dnl +AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl +_AC_ARG_VAR_LDFLAGS()dnl +AC_CHECK_TOOL(GOC, gccgo) +if test -z "$GOC"; then + if test -n "$ac_tool_prefix"; then + AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo]) + fi +fi +if test -z "$GOC"; then + AC_CHECK_PROG(GOC, gccgo, gccgo, false) +fi +])#m4_defun +])#m4_ifndef + + +# _LT_LANG_DEFAULT_CONFIG +# ----------------------- +m4_defun([_LT_LANG_DEFAULT_CONFIG], +[AC_PROVIDE_IFELSE([AC_PROG_CXX], + [LT_LANG(CXX)], + [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])]) + +AC_PROVIDE_IFELSE([AC_PROG_F77], + [LT_LANG(F77)], + [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])]) + +AC_PROVIDE_IFELSE([AC_PROG_FC], + [LT_LANG(FC)], + [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])]) + +dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal +dnl pulling things in needlessly. 
+AC_PROVIDE_IFELSE([AC_PROG_GCJ], + [LT_LANG(GCJ)], + [AC_PROVIDE_IFELSE([A][M_PROG_GCJ], + [LT_LANG(GCJ)], + [AC_PROVIDE_IFELSE([LT_PROG_GCJ], + [LT_LANG(GCJ)], + [m4_ifdef([AC_PROG_GCJ], + [m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])]) + m4_ifdef([A][M_PROG_GCJ], + [m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])]) + m4_ifdef([LT_PROG_GCJ], + [m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])]) + +AC_PROVIDE_IFELSE([AC_PROG_GO], + [LT_LANG(GO)], + [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])]) + +AC_PROVIDE_IFELSE([LT_PROG_RC], + [LT_LANG(RC)], + [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])]) +])# _LT_LANG_DEFAULT_CONFIG + +# Obsolete macros: +AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)]) +AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)]) +AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)]) +AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)]) +AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_CXX], []) +dnl AC_DEFUN([AC_LIBTOOL_F77], []) +dnl AC_DEFUN([AC_LIBTOOL_FC], []) +dnl AC_DEFUN([AC_LIBTOOL_GCJ], []) +dnl AC_DEFUN([AC_LIBTOOL_RC], []) + + +# _LT_TAG_COMPILER +# ---------------- +m4_defun([_LT_TAG_COMPILER], +[AC_REQUIRE([AC_PROG_CC])dnl + +_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl +_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl +_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl +_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl + +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} + +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} + +# Allow CC to be a program name with arguments. +compiler=$CC +])# _LT_TAG_COMPILER + + +# _LT_COMPILER_BOILERPLATE +# ------------------------ +# Check for compiler boilerplate output or warnings with +# the simple compiler test code. 
+m4_defun([_LT_COMPILER_BOILERPLATE], +[m4_require([_LT_DECL_SED])dnl +ac_outfile=conftest.$ac_objext +echo "$lt_simple_compile_test_code" >conftest.$ac_ext +eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_compiler_boilerplate=`cat conftest.err` +$RM conftest* +])# _LT_COMPILER_BOILERPLATE + + +# _LT_LINKER_BOILERPLATE +# ---------------------- +# Check for linker boilerplate output or warnings with +# the simple link test code. +m4_defun([_LT_LINKER_BOILERPLATE], +[m4_require([_LT_DECL_SED])dnl +ac_outfile=conftest.$ac_objext +echo "$lt_simple_link_test_code" >conftest.$ac_ext +eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_linker_boilerplate=`cat conftest.err` +$RM -r conftest* +])# _LT_LINKER_BOILERPLATE + +# _LT_REQUIRED_DARWIN_CHECKS +# ------------------------- +m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ + case $host_os in + rhapsody* | darwin*) + AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:]) + AC_CHECK_TOOL([NMEDIT], [nmedit], [:]) + AC_CHECK_TOOL([LIPO], [lipo], [:]) + AC_CHECK_TOOL([OTOOL], [otool], [:]) + AC_CHECK_TOOL([OTOOL64], [otool64], [:]) + _LT_DECL([], [DSYMUTIL], [1], + [Tool to manipulate archived DWARF debug symbol files on Mac OS X]) + _LT_DECL([], [NMEDIT], [1], + [Tool to change global to local symbols on Mac OS X]) + _LT_DECL([], [LIPO], [1], + [Tool to manipulate fat objects and archives on Mac OS X]) + _LT_DECL([], [OTOOL], [1], + [ldd/readelf like tool for Mach-O binaries on Mac OS X]) + _LT_DECL([], [OTOOL64], [1], + [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4]) + + AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod], + [lt_cv_apple_cc_single_mod=no + if test -z "$LT_MULTI_MODULE"; then + # By default we will add the -single_module flag. You can override + # by either setting the environment variable LT_MULTI_MODULE + # non-empty at configure time, or by adding -multi_module to the + # link flags. 
+ rm -rf libconftest.dylib* + echo "int foo(void){return 1;}" > conftest.c + echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ +-dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ + -dynamiclib -Wl,-single_module conftest.c 2>conftest.err + _lt_result=$? + # If there is a non-empty error log, and "single_module" + # appears in it, assume the flag caused a linker warning + if test -s conftest.err && $GREP single_module conftest.err; then + cat conftest.err >&AS_MESSAGE_LOG_FD + # Otherwise, if the output was created with a 0 exit code from + # the compiler, it worked. + elif test -f libconftest.dylib && test 0 = "$_lt_result"; then + lt_cv_apple_cc_single_mod=yes + else + cat conftest.err >&AS_MESSAGE_LOG_FD + fi + rm -rf libconftest.dylib* + rm -f conftest.* + fi]) + + AC_CACHE_CHECK([for -exported_symbols_list linker flag], + [lt_cv_ld_exported_symbols_list], + [lt_cv_ld_exported_symbols_list=no + save_LDFLAGS=$LDFLAGS + echo "_main" > conftest.sym + LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" + AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], + [lt_cv_ld_exported_symbols_list=yes], + [lt_cv_ld_exported_symbols_list=no]) + LDFLAGS=$save_LDFLAGS + ]) + + AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load], + [lt_cv_ld_force_load=no + cat > conftest.c << _LT_EOF +int forced_loaded() { return 2;} +_LT_EOF + echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD + echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD + $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD + cat > conftest.c << _LT_EOF +int main() { return 0;} +_LT_EOF + echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c 
-Wl,-force_load,./libconftest.a 2>conftest.err + _lt_result=$? + if test -s conftest.err && $GREP force_load conftest.err; then + cat conftest.err >&AS_MESSAGE_LOG_FD + elif test -f conftest && test 0 = "$_lt_result" && $GREP forced_load conftest >/dev/null 2>&1; then + lt_cv_ld_force_load=yes + else + cat conftest.err >&AS_MESSAGE_LOG_FD + fi + rm -f conftest.err libconftest.a conftest conftest.c + rm -rf conftest.dSYM + ]) + case $host_os in + rhapsody* | darwin1.[[012]]) + _lt_dar_allow_undefined='$wl-undefined ${wl}suppress' ;; + darwin1.*) + _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; + darwin*) # darwin 5.x on + # if running on 10.5 or later, the deployment target defaults + # to the OS version, if on x86, and 10.4, the deployment + # target defaults to 10.4. Don't you love it? + case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in + 10.0,*86*-darwin8*|10.0,*-darwin[[91]]*) + _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; + 10.[[012]][[,.]]*) + _lt_dar_allow_undefined='$wl-flat_namespace $wl-undefined ${wl}suppress' ;; + 10.*) + _lt_dar_allow_undefined='$wl-undefined ${wl}dynamic_lookup' ;; + esac + ;; + esac + if test yes = "$lt_cv_apple_cc_single_mod"; then + _lt_dar_single_mod='$single_module' + fi + if test yes = "$lt_cv_ld_exported_symbols_list"; then + _lt_dar_export_syms=' $wl-exported_symbols_list,$output_objdir/$libname-symbols.expsym' + else + _lt_dar_export_syms='~$NMEDIT -s $output_objdir/$libname-symbols.expsym $lib' + fi + if test : != "$DSYMUTIL" && test no = "$lt_cv_ld_force_load"; then + _lt_dsymutil='~$DSYMUTIL $lib || :' + else + _lt_dsymutil= + fi + ;; + esac +]) + + +# _LT_DARWIN_LINKER_FEATURES([TAG]) +# --------------------------------- +# Checks for linker and compiler features on darwin +m4_defun([_LT_DARWIN_LINKER_FEATURES], +[ + m4_require([_LT_REQUIRED_DARWIN_CHECKS]) + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_automatic, $1)=yes + 
_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported + if test yes = "$lt_cv_ld_force_load"; then + _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience $wl-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' + m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes], + [FC], [_LT_TAGVAR(compiler_needs_object, $1)=yes]) + else + _LT_TAGVAR(whole_archive_flag_spec, $1)='' + fi + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)=$_lt_dar_allow_undefined + case $cc_basename in + ifort*|nagfor*) _lt_dar_can_shared=yes ;; + *) _lt_dar_can_shared=$GCC ;; + esac + if test yes = "$_lt_dar_can_shared"; then + output_verbose_link_cmd=func_echo_all + _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dsymutil" + _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dsymutil" + _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod$_lt_dar_export_syms$_lt_dsymutil" + _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's|^|_|' < \$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags$_lt_dar_export_syms$_lt_dsymutil" + m4_if([$1], [CXX], +[ if test yes != "$lt_cv_apple_cc_single_mod"; then + _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dsymutil" + _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's|^|_|' < 
\$export_symbols > \$output_objdir/\$libname-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \$lib-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$lib-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring$_lt_dar_export_syms$_lt_dsymutil" + fi +],[]) + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi +]) + +# _LT_SYS_MODULE_PATH_AIX([TAGNAME]) +# ---------------------------------- +# Links a minimal program and checks the executable +# for the system default hardcoded library path. In most cases, +# this is /usr/lib:/lib, but when the MPI compilers are used +# the location of the communication and MPI libs are included too. +# If we don't find anything, use the default library path according +# to the aix ld manual. +# Store the results from the different compilers for each TAGNAME. +# Allow to override them for all tags through lt_cv_aix_libpath. +m4_defun([_LT_SYS_MODULE_PATH_AIX], +[m4_require([_LT_DECL_SED])dnl +if test set = "${lt_cv_aix_libpath+set}"; then + aix_libpath=$lt_cv_aix_libpath +else + AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])], + [AC_LINK_IFELSE([AC_LANG_PROGRAM],[ + lt_aix_libpath_sed='[ + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\([^ ]*\) *$/\1/ + p + } + }]' + _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. 
+ if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then + _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + fi],[]) + if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then + _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=/usr/lib:/lib + fi + ]) + aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1]) +fi +])# _LT_SYS_MODULE_PATH_AIX + + +# _LT_SHELL_INIT(ARG) +# ------------------- +m4_define([_LT_SHELL_INIT], +[m4_divert_text([M4SH-INIT], [$1 +])])# _LT_SHELL_INIT + + + +# _LT_PROG_ECHO_BACKSLASH +# ----------------------- +# Find how we can fake an echo command that does not interpret backslash. +# In particular, with Autoconf 2.60 or later we add some code to the start +# of the generated configure script that will find a shell with a builtin +# printf (that we can use as an echo command). +m4_defun([_LT_PROG_ECHO_BACKSLASH], +[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO + +AC_MSG_CHECKING([how to print strings]) +# Test print first, because it will be a builtin if present. +if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \ + test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='print -r --' +elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='printf %s\n' +else + # Use this function as a fallback that always works. + func_fallback_echo () + { + eval 'cat <<_LTECHO_EOF +$[]1 +_LTECHO_EOF' + } + ECHO='func_fallback_echo' +fi + +# func_echo_all arg... +# Invoke $ECHO with all args, space-separated. 
+func_echo_all () +{ + $ECHO "$*" +} + +case $ECHO in + printf*) AC_MSG_RESULT([printf]) ;; + print*) AC_MSG_RESULT([print -r]) ;; + *) AC_MSG_RESULT([cat]) ;; +esac + +m4_ifdef([_AS_DETECT_SUGGESTED], +[_AS_DETECT_SUGGESTED([ + test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || ( + ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' + ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO + ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO + PATH=/empty FPATH=/empty; export PATH FPATH + test "X`printf %s $ECHO`" = "X$ECHO" \ + || test "X`print -r -- $ECHO`" = "X$ECHO" )])]) + +_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts]) +_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes]) +])# _LT_PROG_ECHO_BACKSLASH + + +# _LT_WITH_SYSROOT +# ---------------- +AC_DEFUN([_LT_WITH_SYSROOT], +[AC_MSG_CHECKING([for sysroot]) +AC_ARG_WITH([sysroot], +[AS_HELP_STRING([--with-sysroot@<:@=DIR@:>@], + [Search for dependent libraries within DIR (or the compiler's sysroot + if not specified).])], +[], [with_sysroot=no]) + +dnl lt_sysroot will always be passed unquoted. We quote it here +dnl in case the user passed a directory name. 
+lt_sysroot= +case $with_sysroot in #( + yes) + if test yes = "$GCC"; then + lt_sysroot=`$CC --print-sysroot 2>/dev/null` + fi + ;; #( + /*) + lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` + ;; #( + no|'') + ;; #( + *) + AC_MSG_RESULT([$with_sysroot]) + AC_MSG_ERROR([The sysroot must be an absolute path.]) + ;; +esac + + AC_MSG_RESULT([${lt_sysroot:-no}]) +_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl +[dependent libraries, and where our libraries should be installed.])]) + +# _LT_ENABLE_LOCK +# --------------- +m4_defun([_LT_ENABLE_LOCK], +[AC_ARG_ENABLE([libtool-lock], + [AS_HELP_STRING([--disable-libtool-lock], + [avoid locking (might break parallel builds)])]) +test no = "$enable_libtool_lock" || enable_libtool_lock=yes + +# Some flags need to be propagated to the compiler or linker for good +# libtool support. +case $host in +ia64-*-hpux*) + # Find out what ABI is being produced by ac_compile, and set mode + # options accordingly. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.$ac_objext` in + *ELF-32*) + HPUX_IA64_MODE=32 + ;; + *ELF-64*) + HPUX_IA64_MODE=64 + ;; + esac + fi + rm -rf conftest* + ;; +*-*-irix6*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. + echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + if test yes = "$lt_cv_prog_gnu_ld"; then + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -melf32bsmip" + ;; + *N32*) + LD="${LD-ld} -melf32bmipn32" + ;; + *64-bit*) + LD="${LD-ld} -melf64bmip" + ;; + esac + else + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -32" + ;; + *N32*) + LD="${LD-ld} -n32" + ;; + *64-bit*) + LD="${LD-ld} -64" + ;; + esac + fi + fi + rm -rf conftest* + ;; + +mips64*-*linux*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. 
+ echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + emul=elf + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + emul="${emul}32" + ;; + *64-bit*) + emul="${emul}64" + ;; + esac + case `/usr/bin/file conftest.$ac_objext` in + *MSB*) + emul="${emul}btsmip" + ;; + *LSB*) + emul="${emul}ltsmip" + ;; + esac + case `/usr/bin/file conftest.$ac_objext` in + *N32*) + emul="${emul}n32" + ;; + esac + LD="${LD-ld} -m $emul" + fi + rm -rf conftest* + ;; + +x86_64-*kfreebsd*-gnu|x86_64-*linux*|powerpc*-*linux*| \ +s390*-*linux*|s390*-*tpf*|sparc*-*linux*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. Note that the listed cases only cover the + # situations where additional linker options are needed (such as when + # doing 32-bit compilation for a host where ld defaults to 64-bit, or + # vice versa); the common cases where no linker options are needed do + # not appear in the list. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_i386_fbsd" + ;; + x86_64-*linux*) + case `/usr/bin/file conftest.o` in + *x86-64*) + LD="${LD-ld} -m elf32_x86_64" + ;; + *) + LD="${LD-ld} -m elf_i386" + ;; + esac + ;; + powerpc64le-*linux*) + LD="${LD-ld} -m elf32lppclinux" + ;; + powerpc64-*linux*) + LD="${LD-ld} -m elf32ppclinux" + ;; + s390x-*linux*) + LD="${LD-ld} -m elf_s390" + ;; + sparc64-*linux*) + LD="${LD-ld} -m elf32_sparc" + ;; + esac + ;; + *64-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_x86_64_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; + powerpcle-*linux*) + LD="${LD-ld} -m elf64lppc" + ;; + powerpc-*linux*) + LD="${LD-ld} -m elf64ppc" + ;; + s390*-*linux*|s390*-*tpf*) + LD="${LD-ld} -m elf64_s390" + ;; + sparc*-*linux*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; + 
+*-*-sco3.2v5*) + # On SCO OpenServer 5, we need -belf to get full-featured binaries. + SAVE_CFLAGS=$CFLAGS + CFLAGS="$CFLAGS -belf" + AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf, + [AC_LANG_PUSH(C) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no]) + AC_LANG_POP]) + if test yes != "$lt_cv_cc_needs_belf"; then + # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf + CFLAGS=$SAVE_CFLAGS + fi + ;; +*-*solaris*) + # Find out what ABI is being produced by ac_compile, and set linker + # options accordingly. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *64-bit*) + case $lt_cv_prog_gnu_ld in + yes*) + case $host in + i?86-*-solaris*|x86_64-*-solaris*) + LD="${LD-ld} -m elf_x86_64" + ;; + sparc*-*-solaris*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + # GNU ld 2.21 introduced _sol2 emulations. Use them if available. + if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then + LD=${LD-ld}_sol2 + fi + ;; + *) + if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then + LD="${LD-ld} -64" + fi + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; +esac + +need_locks=$enable_libtool_lock +])# _LT_ENABLE_LOCK + + +# _LT_PROG_AR +# ----------- +m4_defun([_LT_PROG_AR], +[AC_CHECK_TOOLS(AR, [ar], false) +: ${AR=ar} +: ${AR_FLAGS=cru} +_LT_DECL([], [AR], [1], [The archiver]) +_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive]) + +AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file], + [lt_cv_ar_at_file=no + AC_COMPILE_IFELSE([AC_LANG_PROGRAM], + [echo conftest.$ac_objext > conftest.lst + lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD' + AC_TRY_EVAL([lt_ar_try]) + if test 0 -eq "$ac_status"; then + # Ensure the archiver fails upon bogus file names. 
+ rm -f conftest.$ac_objext libconftest.a + AC_TRY_EVAL([lt_ar_try]) + if test 0 -ne "$ac_status"; then + lt_cv_ar_at_file=@ + fi + fi + rm -f conftest.* libconftest.a + ]) + ]) + +if test no = "$lt_cv_ar_at_file"; then + archiver_list_spec= +else + archiver_list_spec=$lt_cv_ar_at_file +fi +_LT_DECL([], [archiver_list_spec], [1], + [How to feed a file listing to the archiver]) +])# _LT_PROG_AR + + +# _LT_CMD_OLD_ARCHIVE +# ------------------- +m4_defun([_LT_CMD_OLD_ARCHIVE], +[_LT_PROG_AR + +AC_CHECK_TOOL(STRIP, strip, :) +test -z "$STRIP" && STRIP=: +_LT_DECL([], [STRIP], [1], [A symbol stripping program]) + +AC_CHECK_TOOL(RANLIB, ranlib, :) +test -z "$RANLIB" && RANLIB=: +_LT_DECL([], [RANLIB], [1], + [Commands used to install an old-style archive]) + +# Determine commands to create old-style static archives. +old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' +old_postinstall_cmds='chmod 644 $oldlib' +old_postuninstall_cmds= + +if test -n "$RANLIB"; then + case $host_os in + bitrig* | openbsd*) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" + ;; + *) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" + ;; + esac + old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" +fi + +case $host_os in + darwin*) + lock_old_archive_extraction=yes ;; + *) + lock_old_archive_extraction=no ;; +esac +_LT_DECL([], [old_postinstall_cmds], [2]) +_LT_DECL([], [old_postuninstall_cmds], [2]) +_LT_TAGDECL([], [old_archive_cmds], [2], + [Commands used to build an old-style archive]) +_LT_DECL([], [lock_old_archive_extraction], [0], + [Whether to use a lock for old archive extraction]) +])# _LT_CMD_OLD_ARCHIVE + + +# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, +# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE]) +# ---------------------------------------------------------------- +# Check whether the given compiler option works +AC_DEFUN([_LT_COMPILER_OPTION], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_SED])dnl 
+AC_CACHE_CHECK([$1], [$2], + [$2=no + m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$3" ## exclude from sc_useless_quotes_in_assignment + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&AS_MESSAGE_LOG_FD + echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! 
-s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + $2=yes + fi + fi + $RM conftest* +]) + +if test yes = "[$]$2"; then + m4_if([$5], , :, [$5]) +else + m4_if([$6], , :, [$6]) +fi +])# _LT_COMPILER_OPTION + +# Old name: +AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], []) + + +# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, +# [ACTION-SUCCESS], [ACTION-FAILURE]) +# ---------------------------------------------------- +# Check whether the given linker option works +AC_DEFUN([_LT_LINKER_OPTION], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_SED])dnl +AC_CACHE_CHECK([$1], [$2], + [$2=no + save_LDFLAGS=$LDFLAGS + LDFLAGS="$LDFLAGS $3" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. 
+ cat conftest.err 1>&AS_MESSAGE_LOG_FD + $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + $2=yes + fi + else + $2=yes + fi + fi + $RM -r conftest* + LDFLAGS=$save_LDFLAGS +]) + +if test yes = "[$]$2"; then + m4_if([$4], , :, [$4]) +else + m4_if([$5], , :, [$5]) +fi +])# _LT_LINKER_OPTION + +# Old name: +AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], []) + + +# LT_CMD_MAX_LEN +#--------------- +AC_DEFUN([LT_CMD_MAX_LEN], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +# find the maximum length of command line arguments +AC_MSG_CHECKING([the maximum length of command line arguments]) +AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl + i=0 + teststring=ABCD + + case $build_os in + msdosdjgpp*) + # On DJGPP, this test can blow up pretty badly due to problems in libc + # (any single argument exceeding 2000 bytes causes a buffer overrun + # during glob expansion). Even if it were fixed, the result of this + # check would be larger than it should be. + lt_cv_sys_max_cmd_len=12288; # 12K is about right + ;; + + gnu*) + # Under GNU Hurd, this test is not required because there is + # no limit to the length of command line arguments. + # Libtool will interpret -1 as no limit whatsoever + lt_cv_sys_max_cmd_len=-1; + ;; + + cygwin* | mingw* | cegcc*) + # On Win9x/ME, this test blows up -- it succeeds, but takes + # about 5 minutes as the teststring grows exponentially. + # Worse, since 9x/ME are not pre-emptively multitasking, + # you end up with a "frozen" computer, even though with patience + # the test eventually succeeds (with a max line length of 256k). + # Instead, let's just punt: use the minimum linelength reported by + # all of the supported platforms: 8192 (on NT/2K/XP). 
+ lt_cv_sys_max_cmd_len=8192; + ;; + + mint*) + # On MiNT this can take a long time and run out of memory. + lt_cv_sys_max_cmd_len=8192; + ;; + + amigaos*) + # On AmigaOS with pdksh, this test takes hours, literally. + # So we just punt and use a minimum line length of 8192. + lt_cv_sys_max_cmd_len=8192; + ;; + + bitrig* | darwin* | dragonfly* | freebsd* | netbsd* | openbsd*) + # This has been around since 386BSD, at least. Likely further. + if test -x /sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` + elif test -x /usr/sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` + else + lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs + fi + # And add a safety zone + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + ;; + + interix*) + # We know the value 262144 and hardcode it with a safety zone (like BSD) + lt_cv_sys_max_cmd_len=196608 + ;; + + os2*) + # The test takes a long time on OS/2. + lt_cv_sys_max_cmd_len=8192 + ;; + + osf*) + # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure + # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not + # nice to cause kernel panics so lets avoid the loop below. + # First set a reasonable default. 
+ lt_cv_sys_max_cmd_len=16384 + # + if test -x /sbin/sysconfig; then + case `/sbin/sysconfig -q proc exec_disable_arg_limit` in + *1*) lt_cv_sys_max_cmd_len=-1 ;; + esac + fi + ;; + sco3.2v5*) + lt_cv_sys_max_cmd_len=102400 + ;; + sysv5* | sco5v6* | sysv4.2uw2*) + kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` + if test -n "$kargmax"; then + lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'` + else + lt_cv_sys_max_cmd_len=32768 + fi + ;; + *) + lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` + if test -n "$lt_cv_sys_max_cmd_len" && \ + test undefined != "$lt_cv_sys_max_cmd_len"; then + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + else + # Make teststring a little bigger before we do anything with it. + # a 1K string should be a reasonable start. + for i in 1 2 3 4 5 6 7 8; do + teststring=$teststring$teststring + done + SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} + # If test is not a shell built-in, we'll probably end up computing a + # maximum length that is only half of the actual maximum length, but + # we can't tell. + while { test X`env echo "$teststring$teststring" 2>/dev/null` \ + = "X$teststring$teststring"; } >/dev/null 2>&1 && + test 17 != "$i" # 1/2 MB should be enough + do + i=`expr $i + 1` + teststring=$teststring$teststring + done + # Only check the string length outside the loop. + lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` + teststring= + # Add a significant safety factor because C++ compilers can tack on + # massive amounts of additional arguments before passing them to the + # linker. It appears as though 1/2 is a usable value. 
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` + fi + ;; + esac +]) +if test -n "$lt_cv_sys_max_cmd_len"; then + AC_MSG_RESULT($lt_cv_sys_max_cmd_len) +else + AC_MSG_RESULT(none) +fi +max_cmd_len=$lt_cv_sys_max_cmd_len +_LT_DECL([], [max_cmd_len], [0], + [What is the maximum length of a command?]) +])# LT_CMD_MAX_LEN + +# Old name: +AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], []) + + +# _LT_HEADER_DLFCN +# ---------------- +m4_defun([_LT_HEADER_DLFCN], +[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl +])# _LT_HEADER_DLFCN + + +# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE, +# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING) +# ---------------------------------------------------------------- +m4_defun([_LT_TRY_DLOPEN_SELF], +[m4_require([_LT_HEADER_DLFCN])dnl +if test yes = "$cross_compiling"; then : + [$4] +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +[#line $LINENO "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif + +#include + +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif + +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. */ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif + +/* When -fvisibility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. 
*/ +#if defined __GNUC__ && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif + +int fnord () { return 42; } +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else + { + if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else puts (dlerror ()); + } + /* dlclose (self); */ + } + else + puts (dlerror ()); + + return status; +}] +_LT_EOF + if AC_TRY_EVAL(ac_link) && test -s "conftest$ac_exeext" 2>/dev/null; then + (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null + lt_status=$? + case x$lt_status in + x$lt_dlno_uscore) $1 ;; + x$lt_dlneed_uscore) $2 ;; + x$lt_dlunknown|x*) $3 ;; + esac + else : + # compilation failed + $3 + fi +fi +rm -fr conftest* +])# _LT_TRY_DLOPEN_SELF + + +# LT_SYS_DLOPEN_SELF +# ------------------ +AC_DEFUN([LT_SYS_DLOPEN_SELF], +[m4_require([_LT_HEADER_DLFCN])dnl +if test yes != "$enable_dlopen"; then + enable_dlopen=unknown + enable_dlopen_self=unknown + enable_dlopen_self_static=unknown +else + lt_cv_dlopen=no + lt_cv_dlopen_libs= + + case $host_os in + beos*) + lt_cv_dlopen=load_add_on + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ;; + + mingw* | pw32* | cegcc*) + lt_cv_dlopen=LoadLibrary + lt_cv_dlopen_libs= + ;; + + cygwin*) + lt_cv_dlopen=dlopen + lt_cv_dlopen_libs= + ;; + + darwin*) + # if libdl is installed we need to link against it + AC_CHECK_LIB([dl], [dlopen], + [lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl],[ + lt_cv_dlopen=dyld + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ]) + ;; + + tpf*) + # Don't try to run any link tests for TPF. We know it's impossible + # because TPF is a cross-compiler, and we know how we open DSOs. 
+ lt_cv_dlopen=dlopen + lt_cv_dlopen_libs= + lt_cv_dlopen_self=no + ;; + + *) + AC_CHECK_FUNC([shl_load], + [lt_cv_dlopen=shl_load], + [AC_CHECK_LIB([dld], [shl_load], + [lt_cv_dlopen=shl_load lt_cv_dlopen_libs=-ldld], + [AC_CHECK_FUNC([dlopen], + [lt_cv_dlopen=dlopen], + [AC_CHECK_LIB([dl], [dlopen], + [lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-ldl], + [AC_CHECK_LIB([svld], [dlopen], + [lt_cv_dlopen=dlopen lt_cv_dlopen_libs=-lsvld], + [AC_CHECK_LIB([dld], [dld_link], + [lt_cv_dlopen=dld_link lt_cv_dlopen_libs=-ldld]) + ]) + ]) + ]) + ]) + ]) + ;; + esac + + if test no = "$lt_cv_dlopen"; then + enable_dlopen=no + else + enable_dlopen=yes + fi + + case $lt_cv_dlopen in + dlopen) + save_CPPFLAGS=$CPPFLAGS + test yes = "$ac_cv_header_dlfcn_h" && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" + + save_LDFLAGS=$LDFLAGS + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" + + save_LIBS=$LIBS + LIBS="$lt_cv_dlopen_libs $LIBS" + + AC_CACHE_CHECK([whether a program can dlopen itself], + lt_cv_dlopen_self, [dnl + _LT_TRY_DLOPEN_SELF( + lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes, + lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross) + ]) + + if test yes = "$lt_cv_dlopen_self"; then + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" + AC_CACHE_CHECK([whether a statically linked program can dlopen itself], + lt_cv_dlopen_self_static, [dnl + _LT_TRY_DLOPEN_SELF( + lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes, + lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross) + ]) + fi + + CPPFLAGS=$save_CPPFLAGS + LDFLAGS=$save_LDFLAGS + LIBS=$save_LIBS + ;; + esac + + case $lt_cv_dlopen_self in + yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; + *) enable_dlopen_self=unknown ;; + esac + + case $lt_cv_dlopen_self_static in + yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; + *) enable_dlopen_self_static=unknown ;; + esac +fi +_LT_DECL([dlopen_support], [enable_dlopen], [0], + [Whether dlopen is supported]) 
+_LT_DECL([dlopen_self], [enable_dlopen_self], [0], + [Whether dlopen of programs is supported]) +_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0], + [Whether dlopen of statically linked programs is supported]) +])# LT_SYS_DLOPEN_SELF + +# Old name: +AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], []) + + +# _LT_COMPILER_C_O([TAGNAME]) +# --------------------------- +# Check to see if options -c and -o are simultaneously supported by compiler. +# This macro does not hard code the compiler like AC_PROG_CC_C_O. +m4_defun([_LT_COMPILER_C_O], +[m4_require([_LT_DECL_SED])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_TAG_COMPILER])dnl +AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], + [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)], + [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&AS_MESSAGE_LOG_FD + echo "$as_me:$LINENO: \$? 
= $ac_status" >&AS_MESSAGE_LOG_FD + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes + fi + fi + chmod u+w . 2>&AS_MESSAGE_LOG_FD + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. + $RM -r conftest + $RM conftest* +]) +_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1], + [Does compiler simultaneously support -c and -o options?]) +])# _LT_COMPILER_C_O + + +# _LT_COMPILER_FILE_LOCKS([TAGNAME]) +# ---------------------------------- +# Check to see if we can do hard links to lock some files if needed +m4_defun([_LT_COMPILER_FILE_LOCKS], +[m4_require([_LT_ENABLE_LOCK])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +_LT_COMPILER_C_O([$1]) + +hard_links=nottested +if test no = "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" && test no != "$need_locks"; then + # do not overwrite the value of need_locks provided by the user + AC_MSG_CHECKING([if we can lock with hard links]) + hard_links=yes + $RM conftest* + ln conftest.a conftest.b 2>/dev/null && hard_links=no + touch conftest.a + ln conftest.a conftest.b 2>&5 || hard_links=no + ln conftest.a conftest.b 2>/dev/null && hard_links=no + AC_MSG_RESULT([$hard_links]) + if test no = "$hard_links"; then + AC_MSG_WARN(['$CC' does not support '-c -o', so 'make -j' may be unsafe]) + need_locks=warn + fi +else + need_locks=no +fi +_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?]) +])# _LT_COMPILER_FILE_LOCKS + + +# _LT_CHECK_OBJDIR +# ---------------- 
+m4_defun([_LT_CHECK_OBJDIR], +[AC_CACHE_CHECK([for objdir], [lt_cv_objdir], +[rm -f .libs 2>/dev/null +mkdir .libs 2>/dev/null +if test -d .libs; then + lt_cv_objdir=.libs +else + # MS-DOS does not allow filenames that begin with a dot. + lt_cv_objdir=_libs +fi +rmdir .libs 2>/dev/null]) +objdir=$lt_cv_objdir +_LT_DECL([], [objdir], [0], + [The name of the directory that contains temporary libtool files])dnl +m4_pattern_allow([LT_OBJDIR])dnl +AC_DEFINE_UNQUOTED([LT_OBJDIR], "$lt_cv_objdir/", + [Define to the sub-directory where libtool stores uninstalled libraries.]) +])# _LT_CHECK_OBJDIR + + +# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME]) +# -------------------------------------- +# Check hardcoding attributes. +m4_defun([_LT_LINKER_HARDCODE_LIBPATH], +[AC_MSG_CHECKING([how to hardcode library paths into programs]) +_LT_TAGVAR(hardcode_action, $1)= +if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" || + test -n "$_LT_TAGVAR(runpath_var, $1)" || + test yes = "$_LT_TAGVAR(hardcode_automatic, $1)"; then + + # We can hardcode non-existent directories. + if test no != "$_LT_TAGVAR(hardcode_direct, $1)" && + # If the only mechanism to avoid hardcoding is shlibpath_var, we + # have to relink, otherwise we might link with an installed library + # when we should be linking with a yet-to-be-installed one + ## test no != "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" && + test no != "$_LT_TAGVAR(hardcode_minus_L, $1)"; then + # Linking always hardcodes the temporary library directory. + _LT_TAGVAR(hardcode_action, $1)=relink + else + # We can link without hardcoding, and we can hardcode nonexisting dirs. + _LT_TAGVAR(hardcode_action, $1)=immediate + fi +else + # We cannot hardcode anything, or else we can only hardcode existing + # directories. 
+ _LT_TAGVAR(hardcode_action, $1)=unsupported +fi +AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)]) + +if test relink = "$_LT_TAGVAR(hardcode_action, $1)" || + test yes = "$_LT_TAGVAR(inherit_rpath, $1)"; then + # Fast installation is not supported + enable_fast_install=no +elif test yes = "$shlibpath_overrides_runpath" || + test no = "$enable_shared"; then + # Fast installation is not necessary + enable_fast_install=needless +fi +_LT_TAGDECL([], [hardcode_action], [0], + [How to hardcode a shared library path into an executable]) +])# _LT_LINKER_HARDCODE_LIBPATH + + +# _LT_CMD_STRIPLIB +# ---------------- +m4_defun([_LT_CMD_STRIPLIB], +[m4_require([_LT_DECL_EGREP]) +striplib= +old_striplib= +AC_MSG_CHECKING([whether stripping libraries is possible]) +if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then + test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" + test -z "$striplib" && striplib="$STRIP --strip-unneeded" + AC_MSG_RESULT([yes]) +else +# FIXME - insert some real tests, host_os isn't really good enough + case $host_os in + darwin*) + if test -n "$STRIP"; then + striplib="$STRIP -x" + old_striplib="$STRIP -S" + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + fi + ;; + *) + AC_MSG_RESULT([no]) + ;; + esac +fi +_LT_DECL([], [old_striplib], [1], [Commands to strip libraries]) +_LT_DECL([], [striplib], [1]) +])# _LT_CMD_STRIPLIB + + +# _LT_PREPARE_MUNGE_PATH_LIST +# --------------------------- +# Make sure func_munge_path_list() is defined correctly. 
+m4_defun([_LT_PREPARE_MUNGE_PATH_LIST], +[[# func_munge_path_list VARIABLE PATH +# ----------------------------------- +# VARIABLE is name of variable containing _space_ separated list of +# directories to be munged by the contents of PATH, which is string +# having a format: +# "DIR[:DIR]:" +# string "DIR[ DIR]" will be prepended to VARIABLE +# ":DIR[:DIR]" +# string "DIR[ DIR]" will be appended to VARIABLE +# "DIRP[:DIRP]::[DIRA:]DIRA" +# string "DIRP[ DIRP]" will be prepended to VARIABLE and string +# "DIRA[ DIRA]" will be appended to VARIABLE +# "DIR[:DIR]" +# VARIABLE will be replaced by "DIR[ DIR]" +func_munge_path_list () +{ + case x@S|@2 in + x) + ;; + *:) + eval @S|@1=\"`$ECHO @S|@2 | $SED 's/:/ /g'` \@S|@@S|@1\" + ;; + x:*) + eval @S|@1=\"\@S|@@S|@1 `$ECHO @S|@2 | $SED 's/:/ /g'`\" + ;; + *::*) + eval @S|@1=\"\@S|@@S|@1\ `$ECHO @S|@2 | $SED -e 's/.*:://' -e 's/:/ /g'`\" + eval @S|@1=\"`$ECHO @S|@2 | $SED -e 's/::.*//' -e 's/:/ /g'`\ \@S|@@S|@1\" + ;; + *) + eval @S|@1=\"`$ECHO @S|@2 | $SED 's/:/ /g'`\" + ;; + esac +} +]])# _LT_PREPARE_PATH_LIST + + +# _LT_SYS_DYNAMIC_LINKER([TAG]) +# ----------------------------- +# PORTME Fill in your ld.so characteristics +m4_defun([_LT_SYS_DYNAMIC_LINKER], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_OBJDUMP])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_CHECK_SHELL_FEATURES])dnl +m4_require([_LT_PREPARE_MUNGE_PATH_LIST])dnl +AC_MSG_CHECKING([dynamic linker characteristics]) +m4_if([$1], + [], [ +if test yes = "$GCC"; then + case $host_os in + darwin*) lt_awk_arg='/^libraries:/,/LR/' ;; + *) lt_awk_arg='/^libraries:/' ;; + esac + case $host_os in + mingw* | cegcc*) lt_sed_strip_eq='s|=\([[A-Za-z]]:\)|\1|g' ;; + *) lt_sed_strip_eq='s|=/|/|g' ;; + esac + lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq` + case $lt_search_path_spec in + *\;*) + # if the path contains 
";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'` + ;; + *) + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"` + ;; + esac + # Ok, now we have the path, separated by spaces, we can step through it + # and add multilib dir if necessary... + lt_tmp_lt_search_path_spec= + lt_multi_os_dir=/`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` + # ...but if some path component already ends with the multilib dir we assume + # that all is fine and trust -print-search-dirs as is (GCC 4.2? or newer). + case "$lt_multi_os_dir; $lt_search_path_spec " in + "/; "* | "/.; "* | "/./; "* | *"$lt_multi_os_dir "* | *"$lt_multi_os_dir/ "*) + lt_multi_os_dir= + ;; + esac + for lt_sys_path in $lt_search_path_spec; do + if test -d "$lt_sys_path$lt_multi_os_dir"; then + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path$lt_multi_os_dir" + elif test -n "$lt_multi_os_dir"; then + test -d "$lt_sys_path" && \ + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" + fi + done + lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk ' +BEGIN {RS = " "; FS = "/|\n";} { + lt_foo = ""; + lt_count = 0; + for (lt_i = NF; lt_i > 0; lt_i--) { + if ($lt_i != "" && $lt_i != ".") { + if ($lt_i == "..") { + lt_count++; + } else { + if (lt_count == 0) { + lt_foo = "/" $lt_i lt_foo; + } else { + lt_count--; + } + } + } + } + if (lt_foo != "") { lt_freq[[lt_foo]]++; } + if (lt_freq[[lt_foo]] == 1) { print lt_foo; } +}'` + # AWK program above erroneously prepends '/' to C:/dos/paths + # for these hosts. 
+ case $host_os in + mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\ + $SED 's|/\([[A-Za-z]]:\)|\1|g'` ;; + esac + sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP` +else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +fi]) +library_names_spec= +libname_spec='lib$name' +soname_spec= +shrext_cmds=.so +postinstall_cmds= +postuninstall_cmds= +finish_cmds= +finish_eval= +shlibpath_var= +shlibpath_overrides_runpath=unknown +version_type=none +dynamic_linker="$host_os ld.so" +sys_lib_dlsearch_path_spec="/lib /usr/lib" +need_lib_prefix=unknown +hardcode_into_libs=no + +# when you set need_version to no, make sure it does not cause -set_version +# flags to be left without arguments +need_version=unknown + +AC_ARG_VAR([LT_SYS_LIBRARY_PATH], +[User-defined run-time library search path.]) + +case $host_os in +aix3*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname.a' + shlibpath_var=LIBPATH + + # AIX 3 has no versioning support, so we append a major version to the name. + soname_spec='$libname$release$shared_ext$major' + ;; + +aix[[4-9]]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + hardcode_into_libs=yes + if test ia64 = "$host_cpu"; then + # AIX 5 supports IA64 + library_names_spec='$libname$release$shared_ext$major $libname$release$shared_ext$versuffix $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + else + # With GCC up to 2.95.x, collect2 would create an import file + # for dependence libraries. The import file would start with + # the line '#! .'. This would cause the generated library to + # depend on '.', always an invalid library. This was fixed in + # development snapshots of GCC prior to 3.0. 
+ case $host_os in + aix4 | aix4.[[01]] | aix4.[[01]].*) + if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' + echo ' yes ' + echo '#endif'; } | $CC -E - | $GREP yes > /dev/null; then + : + else + can_build_shared=no + fi + ;; + esac + # Using Import Files as archive members, it is possible to support + # filename-based versioning of shared library archives on AIX. While + # this would work for both with and without runtime linking, it will + # prevent static linking of such archives. So we do filename-based + # shared library versioning with .so extension only, which is used + # when both runtime linking and shared linking is enabled. + # Unfortunately, runtime linking may impact performance, so we do + # not want this to be the default eventually. Also, we use the + # versioned .so libs for executables only if there is the -brtl + # linker flag in LDFLAGS as well, or --with-aix-soname=svr4 only. + # To allow for filename-based versioning support, we need to create + # libNAME.so.V as an archive file, containing: + # *) an Import File, referring to the versioned filename of the + # archive as well as the shared archive member, telling the + # bitwidth (32 or 64) of that shared object, and providing the + # list of exported symbols of that shared object, eventually + # decorated with the 'weak' keyword + # *) the shared object with the F_LOADONLY flag set, to really avoid + # it being seen by the linker. + # At run time we better use the real file rather than another symlink, + # but for link time we create the symlink libNAME.so -> libNAME.so.V + + case $with_aix_soname,$aix_use_runtimelinking in + # AIX (on Power*) has no versioning support, so currently we cannot hardcode correct + # soname into executable. Probably we can add versioning support to + # collect2, so additional links can be useful in future. 
+ aix,yes) # traditional libtool + dynamic_linker='AIX unversionable lib.so' + # If using run time linking (on AIX 4.2 or later) use lib.so + # instead of lib.a to let people know that these are not + # typical AIX shared libraries. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + ;; + aix,no) # traditional AIX only + dynamic_linker='AIX lib.a[(]lib.so.V[)]' + # We preserve .a as extension for shared libraries through AIX4.2 + # and later when we are not doing run time linking. + library_names_spec='$libname$release.a $libname.a' + soname_spec='$libname$release$shared_ext$major' + ;; + svr4,*) # full svr4 only + dynamic_linker="AIX lib.so.V[(]$shared_archive_member_spec.o[)]" + library_names_spec='$libname$release$shared_ext$major $libname$shared_ext' + # We do not specify a path in Import Files, so LIBPATH fires. + shlibpath_overrides_runpath=yes + ;; + *,yes) # both, prefer svr4 + dynamic_linker="AIX lib.so.V[(]$shared_archive_member_spec.o[)], lib.a[(]lib.so.V[)]" + library_names_spec='$libname$release$shared_ext$major $libname$shared_ext' + # unpreferred sharedlib libNAME.a needs extra handling + postinstall_cmds='test -n "$linkname" || linkname="$realname"~func_stripname "" ".so" "$linkname"~$install_shared_prog "$dir/$func_stripname_result.$libext" "$destdir/$func_stripname_result.$libext"~test -z "$tstripme" || test -z "$striplib" || $striplib "$destdir/$func_stripname_result.$libext"' + postuninstall_cmds='for n in $library_names $old_library; do :; done~func_stripname "" ".so" "$n"~test "$func_stripname_result" = "$n" || func_append rmfiles " $odir/$func_stripname_result.$libext"' + # We do not specify a path in Import Files, so LIBPATH fires. 
+ shlibpath_overrides_runpath=yes + ;; + *,no) # both, prefer aix + dynamic_linker="AIX lib.a[(]lib.so.V[)], lib.so.V[(]$shared_archive_member_spec.o[)]" + library_names_spec='$libname$release.a $libname.a' + soname_spec='$libname$release$shared_ext$major' + # unpreferred sharedlib libNAME.so.V and symlink libNAME.so need extra handling + postinstall_cmds='test -z "$dlname" || $install_shared_prog $dir/$dlname $destdir/$dlname~test -z "$tstripme" || test -z "$striplib" || $striplib $destdir/$dlname~test -n "$linkname" || linkname=$realname~func_stripname "" ".a" "$linkname"~(cd "$destdir" && $LN_S -f $dlname $func_stripname_result.so)' + postuninstall_cmds='test -z "$dlname" || func_append rmfiles " $odir/$dlname"~for n in $old_library $library_names; do :; done~func_stripname "" ".a" "$n"~func_append rmfiles " $odir/$func_stripname_result.so"' + ;; + esac + shlibpath_var=LIBPATH + fi + ;; + +amigaos*) + case $host_cpu in + powerpc) + # Since July 2007 AmigaOS4 officially supports .so libraries. + # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + ;; + m68k) + library_names_spec='$libname.ixlibrary $libname.a' + # Create ${libname}_ixlibrary.a entries in /sys/libs. 
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' + ;; + esac + ;; + +beos*) + library_names_spec='$libname$shared_ext' + dynamic_linker="$host_os ld.so" + shlibpath_var=LIBRARY_PATH + ;; + +bsdi[[45]]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" + sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" + # the default ld.so.conf also contains /usr/contrib/lib and + # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow + # libtool to hard-code these into programs + ;; + +cygwin* | mingw* | pw32* | cegcc*) + version_type=windows + shrext_cmds=.dll + need_version=no + need_lib_prefix=no + + case $GCC,$cc_basename in + yes,*) + # gcc + library_names_spec='$libname.dll.a' + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \$file`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname~ + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. 
$file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + + case $host_os in + cygwin*) + # Cygwin DLLs use 'cyg' prefix rather than 'lib' + soname_spec='`echo $libname | sed -e 's/^lib/cyg/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext' +m4_if([$1], [],[ + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"]) + ;; + mingw* | cegcc*) + # MinGW DLLs use traditional 'lib' prefix + soname_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext' + ;; + pw32*) + # pw32 DLLs use 'pw' prefix rather than 'lib' + library_names_spec='`echo $libname | sed -e 's/^lib/pw/'``echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext' + ;; + esac + dynamic_linker='Win32 ld.exe' + ;; + + *,cl*) + # Native MSVC + libname_spec='$name' + soname_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext' + library_names_spec='$libname.dll.lib' + + case $build_os in + mingw*) + sys_lib_search_path_spec= + lt_save_ifs=$IFS + IFS=';' + for lt_path in $LIB + do + IFS=$lt_save_ifs + # Let DOS variable expansion print the short 8.3 style file name. + lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"` + sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path" + done + IFS=$lt_save_ifs + # Convert to MSYS style. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'` + ;; + cygwin*) + # Convert to unix form, then to dos form, then back to unix form + # but this time dos style (no spaces!) so that the unix form looks + # like /cygdrive/c/PROGRA~1:/cygdr... 
+ sys_lib_search_path_spec=`cygpath --path --unix "$LIB"` + sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null` + sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + ;; + *) + sys_lib_search_path_spec=$LIB + if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then + # It is most probably a Windows format PATH. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` + else + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + # FIXME: find the short name or the path components, as spaces are + # common. (e.g. "Program Files" -> "PROGRA~1") + ;; + esac + + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \$file`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + dynamic_linker='Win32 link.exe' + ;; + + *) + # Assume MSVC wrapper + library_names_spec='$libname`echo $release | $SED -e 's/[[.]]/-/g'`$versuffix$shared_ext $libname.lib' + dynamic_linker='Win32 ld.exe' + ;; + esac + # FIXME: first we should search . 
and the directory the executable is in + shlibpath_var=PATH + ;; + +darwin* | rhapsody*) + dynamic_linker="$host_os dyld" + version_type=darwin + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$major$shared_ext $libname$shared_ext' + soname_spec='$libname$release$major$shared_ext' + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +m4_if([$1], [],[ + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +dgux*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + ;; + +freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. 
+ if test -x /usr/bin/objformat; then + objformat=`/usr/bin/objformat` + else + case $host_os in + freebsd[[23]].*) objformat=aout ;; + *) objformat=elf ;; + esac + fi + version_type=freebsd-$objformat + case $version_type in + freebsd-elf*) + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + need_version=no + need_lib_prefix=no + ;; + freebsd-*) + library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' + need_version=yes + ;; + esac + shlibpath_var=LD_LIBRARY_PATH + case $host_os in + freebsd2.*) + shlibpath_overrides_runpath=yes + ;; + freebsd3.[[01]]* | freebsdelf3.[[01]]*) + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \ + freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + esac + ;; + +haiku*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + dynamic_linker="$host_os runtime_loader" + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=no + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' + hardcode_into_libs=yes + ;; + +hpux9* | hpux10* | hpux11*) + # Give a soname corresponding to the major version so that dld.sl refuses to + # link against other versions. 
+ version_type=sunos + need_lib_prefix=no + need_version=no + case $host_cpu in + ia64*) + shrext_cmds='.so' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + if test 32 = "$HPUX_IA64_MODE"; then + sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" + sys_lib_dlsearch_path_spec=/usr/lib/hpux32 + else + sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" + sys_lib_dlsearch_path_spec=/usr/lib/hpux64 + fi + ;; + hppa*64*) + shrext_cmds='.sl' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + *) + shrext_cmds='.sl' + dynamic_linker="$host_os dld.sl" + shlibpath_var=SHLIB_PATH + shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + ;; + esac + # HP-UX runs *really* slowly unless shared libraries are mode 555, ... 
+ postinstall_cmds='chmod 555 $lib' + # or fails outright, so override atomically: + install_override_mode=555 + ;; + +interix[[3-9]]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +irix5* | irix6* | nonstopux*) + case $host_os in + nonstopux*) version_type=nonstopux ;; + *) + if test yes = "$lt_cv_prog_gnu_ld"; then + version_type=linux # correct to gnu/linux during the next big refactor + else + version_type=irix + fi ;; + esac + need_lib_prefix=no + need_version=no + soname_spec='$libname$release$shared_ext$major' + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$release$shared_ext $libname$shared_ext' + case $host_os in + irix5* | nonstopux*) + libsuff= shlibsuff= + ;; + *) + case $LD in # libtool.m4 will add one of these switches to LD + *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") + libsuff= shlibsuff= libmagic=32-bit;; + *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") + libsuff=32 shlibsuff=N32 libmagic=N32;; + *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") + libsuff=64 shlibsuff=64 libmagic=64-bit;; + *) libsuff= shlibsuff= libmagic=never-match;; + esac + ;; + esac + shlibpath_var=LD_LIBRARY${shlibsuff}_PATH + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib$libsuff /lib$libsuff /usr/local/lib$libsuff" + sys_lib_dlsearch_path_spec="/usr/lib$libsuff /lib$libsuff" + hardcode_into_libs=yes + ;; + +# No shared lib support for Linux oldld, aout, or coff. +linux*oldld* | linux*aout* | linux*coff*) + dynamic_linker=no + ;; + +linux*android*) + version_type=none # Android doesn't support versioned libraries. 
+ need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext' + soname_spec='$libname$release$shared_ext' + finish_cmds= + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes + + dynamic_linker='Android linker' + # Don't embed -rpath directories since the linker doesn't support them. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + ;; + +# This must be glibc/ELF. +linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + + # Some binutils ld are patched to set DT_RUNPATH + AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath], + [lt_cv_shlibpath_overrides_runpath=no + save_LDFLAGS=$LDFLAGS + save_libdir=$libdir + eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \ + LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\"" + AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], + [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null], + [lt_cv_shlibpath_overrides_runpath=yes])]) + LDFLAGS=$save_LDFLAGS + libdir=$save_libdir + ]) + shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath + + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes + + # Add ABI-specific directories to the system library path. 
+ sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" + + # Ideally, we could use ldconfig to report *all* directores which are + # searched for libraries, however this is still not possible. Aside from not + # being certain /sbin/ldconfig is available, command + # 'ldconfig -N -X -v | grep ^/' on 64bit Fedora does not report /usr/lib64, + # even though it is searched at run-time. Try to do the best guess by + # appending ld.so.conf contents (and includes) to the search path. + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on + # powerpc, because MkLinux only supported shared libraries with the + # GNU dynamic linker. Since this was broken with cross compilers, + # most powerpc-linux boxes support dynamic linking these days and + # people can always --disable-shared, the test was removed, and we + # assume the GNU/Linux dynamic linker is in use. 
+ dynamic_linker='GNU/Linux ld.so' + ;; + +netbsd*) + version_type=sunos + need_lib_prefix=no + need_version=no + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + dynamic_linker='NetBSD (a.out) ld.so' + else + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + dynamic_linker='NetBSD ld.elf_so' + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + +newsos6) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + ;; + +*nto* | *qnx*) + version_type=qnx + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='ldqnx.so' + ;; + +openbsd* | bitrig*) + version_type=sunos + sys_lib_dlsearch_path_spec=/usr/lib + need_lib_prefix=no + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + need_version=no + else + need_version=yes + fi + library_names_spec='$libname$release$shared_ext$versuffix $libname$shared_ext$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + ;; + +os2*) + libname_spec='$name' + version_type=windows + shrext_cmds=.dll + need_version=no + need_lib_prefix=no + # OS/2 can only load a DLL with a base name of 8 characters or less. 
+ soname_spec='`test -n "$os2dllname" && libname="$os2dllname"; + v=$($ECHO $release$versuffix | tr -d .-); + n=$($ECHO $libname | cut -b -$((8 - ${#v})) | tr . _); + $ECHO $n$v`$shared_ext' + library_names_spec='${libname}_dll.$libext' + dynamic_linker='OS/2 ld.exe' + shlibpath_var=BEGINLIBPATH + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + postinstall_cmds='base_file=`basename \$file`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\$base_file'\''i; $ECHO \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname~ + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; $ECHO \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + ;; + +osf3* | osf4* | osf5*) + version_type=osf + need_lib_prefix=no + need_version=no + soname_spec='$libname$release$shared_ext$major' + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + +rdos*) + dynamic_linker=no + ;; + +solaris*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; + +sunos4*) + version_type=sunos + library_names_spec='$libname$release$shared_ext$versuffix 
$libname$shared_ext$versuffix' + finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + if test yes = "$with_gnu_ld"; then + need_lib_prefix=no + fi + need_version=yes + ;; + +sysv4 | sysv4.3*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + case $host_vendor in + sni) + shlibpath_overrides_runpath=no + need_lib_prefix=no + runpath_var=LD_RUN_PATH + ;; + siemens) + need_lib_prefix=no + ;; + motorola) + need_lib_prefix=no + need_version=no + shlibpath_overrides_runpath=no + sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' + ;; + esac + ;; + +sysv4*MP*) + if test -d /usr/nec; then + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$shared_ext.$versuffix $libname$shared_ext.$major $libname$shared_ext' + soname_spec='$libname$shared_ext.$major' + shlibpath_var=LD_LIBRARY_PATH + fi + ;; + +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + version_type=sco + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + if test yes = "$with_gnu_ld"; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else + sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' + case $host_os in + sco3.2v5*) + sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" + ;; + esac + fi + sys_lib_dlsearch_path_spec='/usr/lib' + ;; + +tpf*) + # TPF is a cross-target only. Preferred cross-host = GNU/Linux. 
+ version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +uts4*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname$release$shared_ext$versuffix $libname$release$shared_ext$major $libname$shared_ext' + soname_spec='$libname$release$shared_ext$major' + shlibpath_var=LD_LIBRARY_PATH + ;; + +*) + dynamic_linker=no + ;; +esac +AC_MSG_RESULT([$dynamic_linker]) +test no = "$dynamic_linker" && can_build_shared=no + +variables_saved_for_relink="PATH $shlibpath_var $runpath_var" +if test yes = "$GCC"; then + variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" +fi + +if test set = "${lt_cv_sys_lib_search_path_spec+set}"; then + sys_lib_search_path_spec=$lt_cv_sys_lib_search_path_spec +fi + +if test set = "${lt_cv_sys_lib_dlsearch_path_spec+set}"; then + sys_lib_dlsearch_path_spec=$lt_cv_sys_lib_dlsearch_path_spec +fi + +# remember unaugmented sys_lib_dlsearch_path content for libtool script decls... +configure_time_dlsearch_path=$sys_lib_dlsearch_path_spec + +# ... 
but it needs LT_SYS_LIBRARY_PATH munging for other configure-time code +func_munge_path_list sys_lib_dlsearch_path_spec "$LT_SYS_LIBRARY_PATH" + +# to be used as default LT_SYS_LIBRARY_PATH value in generated libtool +configure_time_lt_sys_library_path=$LT_SYS_LIBRARY_PATH + +_LT_DECL([], [variables_saved_for_relink], [1], + [Variables whose values should be saved in libtool wrapper scripts and + restored at link time]) +_LT_DECL([], [need_lib_prefix], [0], + [Do we need the "lib" prefix for modules?]) +_LT_DECL([], [need_version], [0], [Do we need a version for libraries?]) +_LT_DECL([], [version_type], [0], [Library versioning type]) +_LT_DECL([], [runpath_var], [0], [Shared library runtime path variable]) +_LT_DECL([], [shlibpath_var], [0],[Shared library path variable]) +_LT_DECL([], [shlibpath_overrides_runpath], [0], + [Is shlibpath searched before the hard-coded library search path?]) +_LT_DECL([], [libname_spec], [1], [Format of library name prefix]) +_LT_DECL([], [library_names_spec], [1], + [[List of archive names. First name is the real one, the rest are links. 
+ The last name is the one that the linker finds with -lNAME]]) +_LT_DECL([], [soname_spec], [1], + [[The coded name of the library, if different from the real name]]) +_LT_DECL([], [install_override_mode], [1], + [Permission mode override for installation of shared libraries]) +_LT_DECL([], [postinstall_cmds], [2], + [Command to use after installation of a shared archive]) +_LT_DECL([], [postuninstall_cmds], [2], + [Command to use after uninstallation of a shared archive]) +_LT_DECL([], [finish_cmds], [2], + [Commands used to finish a libtool library installation in a directory]) +_LT_DECL([], [finish_eval], [1], + [[As "finish_cmds", except a single script fragment to be evaled but + not shown]]) +_LT_DECL([], [hardcode_into_libs], [0], + [Whether we should hardcode library paths into libraries]) +_LT_DECL([], [sys_lib_search_path_spec], [2], + [Compile-time system search path for libraries]) +_LT_DECL([sys_lib_dlsearch_path_spec], [configure_time_dlsearch_path], [2], + [Detected run-time system search path for libraries]) +_LT_DECL([], [configure_time_lt_sys_library_path], [2], + [Explicit LT_SYS_LIBRARY_PATH set during ./configure time]) +])# _LT_SYS_DYNAMIC_LINKER + + +# _LT_PATH_TOOL_PREFIX(TOOL) +# -------------------------- +# find a file program that can recognize shared library +AC_DEFUN([_LT_PATH_TOOL_PREFIX], +[m4_require([_LT_DECL_EGREP])dnl +AC_MSG_CHECKING([for $1]) +AC_CACHE_VAL(lt_cv_path_MAGIC_CMD, +[case $MAGIC_CMD in +[[\\/*] | ?:[\\/]*]) + lt_cv_path_MAGIC_CMD=$MAGIC_CMD # Let the user override the test with a path. + ;; +*) + lt_save_MAGIC_CMD=$MAGIC_CMD + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR +dnl $ac_dummy forces splitting on constant user-supplied paths. +dnl POSIX.2 word splitting is done only on the output of word expansions, +dnl not every word. This closes a longstanding sh security hole. + ac_dummy="m4_if([$2], , $PATH, [$2])" + for ac_dir in $ac_dummy; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. 
+ if test -f "$ac_dir/$1"; then + lt_cv_path_MAGIC_CMD=$ac_dir/"$1" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD=$lt_cv_path_MAGIC_CMD + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 + +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org + +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS=$lt_save_ifs + MAGIC_CMD=$lt_save_MAGIC_CMD + ;; +esac]) +MAGIC_CMD=$lt_cv_path_MAGIC_CMD +if test -n "$MAGIC_CMD"; then + AC_MSG_RESULT($MAGIC_CMD) +else + AC_MSG_RESULT(no) +fi +_LT_DECL([], [MAGIC_CMD], [0], + [Used to examine libraries when file_magic_cmd begins with "file"])dnl +])# _LT_PATH_TOOL_PREFIX + +# Old name: +AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], []) + + +# _LT_PATH_MAGIC +# -------------- +# find a file program that can recognize a shared library +m4_defun([_LT_PATH_MAGIC], +[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) +if test -z "$lt_cv_path_MAGIC_CMD"; then + if test -n "$ac_tool_prefix"; then + _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH) + else + MAGIC_CMD=: + fi +fi +])# _LT_PATH_MAGIC + + +# LT_PATH_LD +# ---------- +# find the pathname to the GNU or non-GNU linker +AC_DEFUN([LT_PATH_LD], +[AC_REQUIRE([AC_PROG_CC])dnl 
+AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_CANONICAL_BUILD])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_PROG_ECHO_BACKSLASH])dnl + +AC_ARG_WITH([gnu-ld], + [AS_HELP_STRING([--with-gnu-ld], + [assume the C compiler uses GNU ld @<:@default=no@:>@])], + [test no = "$withval" || with_gnu_ld=yes], + [with_gnu_ld=no])dnl + +ac_prog=ld +if test yes = "$GCC"; then + # Check if gcc -print-prog-name=ld gives a path. + AC_MSG_CHECKING([for ld used by $CC]) + case $host in + *-*-mingw*) + # gcc leaves a trailing carriage return, which upsets mingw + ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; + *) + ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; + esac + case $ac_prog in + # Accept absolute paths. + [[\\/]]* | ?:[[\\/]]*) + re_direlt='/[[^/]][[^/]]*/\.\./' + # Canonicalize the pathname of ld + ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` + while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do + ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` + done + test -z "$LD" && LD=$ac_prog + ;; + "") + # If it fails, then pretend we aren't using GCC. + ac_prog=ld + ;; + *) + # If it is relative, then search for the first ld in PATH. + with_gnu_ld=unknown + ;; + esac +elif test yes = "$with_gnu_ld"; then + AC_MSG_CHECKING([for GNU ld]) +else + AC_MSG_CHECKING([for non-GNU ld]) +fi +AC_CACHE_VAL(lt_cv_path_LD, +[if test -z "$LD"; then + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then + lt_cv_path_LD=$ac_dir/$ac_prog + # Check to see if the program is GNU ld. I'd rather use --version, + # but apparently some variants of GNU ld only accept -v. + # Break only if it was the GNU/non-GNU ld that we prefer. 
+ case `"$lt_cv_path_LD" -v 2>&1 &1 conftest.i +cat conftest.i conftest.i >conftest2.i +: ${lt_DD:=$DD} +AC_PATH_PROGS_FEATURE_CHECK([lt_DD], [dd], +[if "$ac_path_lt_DD" bs=32 count=1 conftest.out 2>/dev/null; then + cmp -s conftest.i conftest.out \ + && ac_cv_path_lt_DD="$ac_path_lt_DD" ac_path_lt_DD_found=: +fi]) +rm -f conftest.i conftest2.i conftest.out]) +])# _LT_PATH_DD + + +# _LT_CMD_TRUNCATE +# ---------------- +# find command to truncate a binary pipe +m4_defun([_LT_CMD_TRUNCATE], +[m4_require([_LT_PATH_DD]) +AC_CACHE_CHECK([how to truncate binary pipes], [lt_cv_truncate_bin], +[printf 0123456789abcdef0123456789abcdef >conftest.i +cat conftest.i conftest.i >conftest2.i +lt_cv_truncate_bin= +if "$ac_cv_path_lt_DD" bs=32 count=1 conftest.out 2>/dev/null; then + cmp -s conftest.i conftest.out \ + && lt_cv_truncate_bin="$ac_cv_path_lt_DD bs=4096 count=1" +fi +rm -f conftest.i conftest2.i conftest.out +test -z "$lt_cv_truncate_bin" && lt_cv_truncate_bin="$SED -e 4q"]) +_LT_DECL([lt_truncate_bin], [lt_cv_truncate_bin], [1], + [Command to truncate a binary pipe]) +])# _LT_CMD_TRUNCATE + + +# _LT_CHECK_MAGIC_METHOD +# ---------------------- +# how to check for library dependencies +# -- PORTME fill in with the dynamic library characteristics +m4_defun([_LT_CHECK_MAGIC_METHOD], +[m4_require([_LT_DECL_EGREP]) +m4_require([_LT_DECL_OBJDUMP]) +AC_CACHE_CHECK([how to recognize dependent libraries], +lt_cv_deplibs_check_method, +[lt_cv_file_magic_cmd='$MAGIC_CMD' +lt_cv_file_magic_test_file= +lt_cv_deplibs_check_method='unknown' +# Need to set the preceding variable on all platforms that support +# interlibrary dependencies. +# 'none' -- dependencies not supported. +# 'unknown' -- same as none, but documents that we really don't know. +# 'pass_all' -- all dependencies passed with no checks. +# 'test_compile' -- check by making test program. 
+# 'file_magic [[regex]]' -- check by looking for files in library path +# that responds to the $file_magic_cmd with a given extended regex. +# If you have 'file' or equivalent on your system and you're not sure +# whether 'pass_all' will *always* work, you probably want this one. + +case $host_os in +aix[[4-9]]*) + lt_cv_deplibs_check_method=pass_all + ;; + +beos*) + lt_cv_deplibs_check_method=pass_all + ;; + +bsdi[[45]]*) + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)' + lt_cv_file_magic_cmd='/usr/bin/file -L' + lt_cv_file_magic_test_file=/shlib/libc.so + ;; + +cygwin*) + # func_win32_libid is a shell function defined in ltmain.sh + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + ;; + +mingw* | pw32*) + # Base MSYS/MinGW do not provide the 'file' command needed by + # func_win32_libid shell function, so use a weaker test based on 'objdump', + # unless we find 'file', for example because we are cross-compiling. + if ( file / ) >/dev/null 2>&1; then + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + else + # Keep this pattern in sync with the one in func_win32_libid. + lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' + lt_cv_file_magic_cmd='$OBJDUMP -f' + fi + ;; + +cegcc*) + # use the weaker test based on 'objdump'. See mingw*. + lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + ;; + +darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; + +freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) + # Not sure whether the presence of OpenBSD here was a mistake. + # Let's accept both of them until this is cleared up. 
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` + ;; + esac + else + lt_cv_deplibs_check_method=pass_all + fi + ;; + +haiku*) + lt_cv_deplibs_check_method=pass_all + ;; + +hpux10.20* | hpux11*) + lt_cv_file_magic_cmd=/usr/bin/file + case $host_cpu in + ia64*) + lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64' + lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so + ;; + hppa*64*) + [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'] + lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl + ;; + *) + lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library' + lt_cv_file_magic_test_file=/usr/lib/libc.sl + ;; + esac + ;; + +interix[[3-9]]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$' + ;; + +irix5* | irix6* | nonstopux*) + case $LD in + *-32|*"-32 ") libmagic=32-bit;; + *-n32|*"-n32 ") libmagic=N32;; + *-64|*"-64 ") libmagic=64-bit;; + *) libmagic=never-match;; + esac + lt_cv_deplibs_check_method=pass_all + ;; + +# This must be glibc/ELF. 
+linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + lt_cv_deplibs_check_method=pass_all + ;; + +netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$' + fi + ;; + +newos6*) + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=/usr/lib/libnls.so + ;; + +*nto* | *qnx*) + lt_cv_deplibs_check_method=pass_all + ;; + +openbsd* | bitrig*) + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + fi + ;; + +osf3* | osf4* | osf5*) + lt_cv_deplibs_check_method=pass_all + ;; + +rdos*) + lt_cv_deplibs_check_method=pass_all + ;; + +solaris*) + lt_cv_deplibs_check_method=pass_all + ;; + +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + lt_cv_deplibs_check_method=pass_all + ;; + +sysv4 | sysv4.3*) + case $host_vendor in + motorola) + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]' + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` + ;; + ncr) + lt_cv_deplibs_check_method=pass_all + ;; + sequent) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' + ;; + sni) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib" + lt_cv_file_magic_test_file=/lib/libc.so + ;; + siemens) + lt_cv_deplibs_check_method=pass_all + ;; + pc) + lt_cv_deplibs_check_method=pass_all + ;; + esac + ;; + +tpf*) + lt_cv_deplibs_check_method=pass_all + ;; +os2*) 
+ lt_cv_deplibs_check_method=pass_all + ;; +esac +]) + +file_magic_glob= +want_nocaseglob=no +if test "$build" = "$host"; then + case $host_os in + mingw* | pw32*) + if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then + want_nocaseglob=yes + else + file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"` + fi + ;; + esac +fi + +file_magic_cmd=$lt_cv_file_magic_cmd +deplibs_check_method=$lt_cv_deplibs_check_method +test -z "$deplibs_check_method" && deplibs_check_method=unknown + +_LT_DECL([], [deplibs_check_method], [1], + [Method to check whether dependent libraries are shared objects]) +_LT_DECL([], [file_magic_cmd], [1], + [Command to use when deplibs_check_method = "file_magic"]) +_LT_DECL([], [file_magic_glob], [1], + [How to find potential files when deplibs_check_method = "file_magic"]) +_LT_DECL([], [want_nocaseglob], [1], + [Find potential files using nocaseglob when deplibs_check_method = "file_magic"]) +])# _LT_CHECK_MAGIC_METHOD + + +# LT_PATH_NM +# ---------- +# find the pathname to a BSD- or MS-compatible name lister +AC_DEFUN([LT_PATH_NM], +[AC_REQUIRE([AC_PROG_CC])dnl +AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM, +[if test -n "$NM"; then + # Let the user override the test. + lt_cv_path_NM=$NM +else + lt_nm_to_check=${ac_tool_prefix}nm + if test -n "$ac_tool_prefix" && test "$build" = "$host"; then + lt_nm_to_check="$lt_nm_to_check nm" + fi + for lt_tmp_nm in $lt_nm_to_check; do + lt_save_ifs=$IFS; IFS=$PATH_SEPARATOR + for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do + IFS=$lt_save_ifs + test -z "$ac_dir" && ac_dir=. + tmp_nm=$ac_dir/$lt_tmp_nm + if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext"; then + # Check to see if the nm accepts a BSD-compat flag. 
+ # Adding the 'sed 1q' prevents false positives on HP-UX, which says: + # nm: unknown option "B" ignored + # Tru64's nm complains that /dev/null is an invalid object file + # MSYS converts /dev/null to NUL, MinGW nm treats NUL as empty + case $build_os in + mingw*) lt_bad_file=conftest.nm/nofile ;; + *) lt_bad_file=/dev/null ;; + esac + case `"$tmp_nm" -B $lt_bad_file 2>&1 | sed '1q'` in + *$lt_bad_file* | *'Invalid file or object type'*) + lt_cv_path_NM="$tmp_nm -B" + break 2 + ;; + *) + case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in + */dev/null*) + lt_cv_path_NM="$tmp_nm -p" + break 2 + ;; + *) + lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but + continue # so that we can try to find one that supports BSD flags + ;; + esac + ;; + esac + fi + done + IFS=$lt_save_ifs + done + : ${lt_cv_path_NM=no} +fi]) +if test no != "$lt_cv_path_NM"; then + NM=$lt_cv_path_NM +else + # Didn't find any BSD compatible name lister, look for dumpbin. + if test -n "$DUMPBIN"; then : + # Let the user override the test. 
+ else + AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :) + case `$DUMPBIN -symbols -headers /dev/null 2>&1 | sed '1q'` in + *COFF*) + DUMPBIN="$DUMPBIN -symbols -headers" + ;; + *) + DUMPBIN=: + ;; + esac + fi + AC_SUBST([DUMPBIN]) + if test : != "$DUMPBIN"; then + NM=$DUMPBIN + fi +fi +test -z "$NM" && NM=nm +AC_SUBST([NM]) +_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl + +AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface], + [lt_cv_nm_interface="BSD nm" + echo "int some_variable = 0;" > conftest.$ac_ext + (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$ac_compile" 2>conftest.err) + cat conftest.err >&AS_MESSAGE_LOG_FD + (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD) + (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) + cat conftest.err >&AS_MESSAGE_LOG_FD + (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD) + cat conftest.out >&AS_MESSAGE_LOG_FD + if $GREP 'External.*some_variable' conftest.out > /dev/null; then + lt_cv_nm_interface="MS dumpbin" + fi + rm -f conftest*]) +])# LT_PATH_NM + +# Old names: +AU_ALIAS([AM_PROG_NM], [LT_PATH_NM]) +AU_ALIAS([AC_PROG_NM], [LT_PATH_NM]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_PROG_NM], []) +dnl AC_DEFUN([AC_PROG_NM], []) + +# _LT_CHECK_SHAREDLIB_FROM_LINKLIB +# -------------------------------- +# how to determine the name of the shared library +# associated with a specific link library. 
+# -- PORTME fill in with the dynamic library characteristics +m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB], +[m4_require([_LT_DECL_EGREP]) +m4_require([_LT_DECL_OBJDUMP]) +m4_require([_LT_DECL_DLLTOOL]) +AC_CACHE_CHECK([how to associate runtime and link libraries], +lt_cv_sharedlib_from_linklib_cmd, +[lt_cv_sharedlib_from_linklib_cmd='unknown' + +case $host_os in +cygwin* | mingw* | pw32* | cegcc*) + # two different shell functions defined in ltmain.sh; + # decide which one to use based on capabilities of $DLLTOOL + case `$DLLTOOL --help 2>&1` in + *--identify-strict*) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib + ;; + *) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback + ;; + esac + ;; +*) + # fallback: assume linklib IS sharedlib + lt_cv_sharedlib_from_linklib_cmd=$ECHO + ;; +esac +]) +sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd +test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO + +_LT_DECL([], [sharedlib_from_linklib_cmd], [1], + [Command to associate shared and link libraries]) +])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB + + +# _LT_PATH_MANIFEST_TOOL +# ---------------------- +# locate the manifest tool +m4_defun([_LT_PATH_MANIFEST_TOOL], +[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :) +test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt +AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool], + [lt_cv_path_mainfest_tool=no + echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD + $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out + cat conftest.err >&AS_MESSAGE_LOG_FD + if $GREP 'Manifest Tool' conftest.out > /dev/null; then + lt_cv_path_mainfest_tool=yes + fi + rm -f conftest*]) +if test yes != "$lt_cv_path_mainfest_tool"; then + MANIFEST_TOOL=: +fi +_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl +])# _LT_PATH_MANIFEST_TOOL + + +# _LT_DLL_DEF_P([FILE]) +# --------------------- +# True iff FILE is a Windows DLL '.def' file. 
+# Keep in sync with func_dll_def_p in the libtool script +AC_DEFUN([_LT_DLL_DEF_P], +[dnl + test DEF = "`$SED -n dnl + -e '\''s/^[[ ]]*//'\'' dnl Strip leading whitespace + -e '\''/^\(;.*\)*$/d'\'' dnl Delete empty lines and comments + -e '\''s/^\(EXPORTS\|LIBRARY\)\([[ ]].*\)*$/DEF/p'\'' dnl + -e q dnl Only consider the first "real" line + $1`" dnl +])# _LT_DLL_DEF_P + + +# LT_LIB_M +# -------- +# check for math library +AC_DEFUN([LT_LIB_M], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +LIBM= +case $host in +*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*) + # These system don't have libm, or don't need it + ;; +*-ncr-sysv4.3*) + AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM=-lmw) + AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm") + ;; +*) + AC_CHECK_LIB(m, cos, LIBM=-lm) + ;; +esac +AC_SUBST([LIBM]) +])# LT_LIB_M + +# Old name: +AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_CHECK_LIBM], []) + + +# _LT_COMPILER_NO_RTTI([TAGNAME]) +# ------------------------------- +m4_defun([_LT_COMPILER_NO_RTTI], +[m4_require([_LT_TAG_COMPILER])dnl + +_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + +if test yes = "$GCC"; then + case $cc_basename in + nvcc*) + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;; + *) + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;; + esac + + _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions], + lt_cv_prog_compiler_rtti_exceptions, + [-fno-rtti -fno-exceptions], [], + [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"]) +fi +_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1], + [Compiler flag to turn off builtin functions]) +])# _LT_COMPILER_NO_RTTI + + +# _LT_CMD_GLOBAL_SYMBOLS +# ---------------------- +m4_defun([_LT_CMD_GLOBAL_SYMBOLS], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_PROG_CC])dnl 
+AC_REQUIRE([AC_PROG_AWK])dnl +AC_REQUIRE([LT_PATH_NM])dnl +AC_REQUIRE([LT_PATH_LD])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_TAG_COMPILER])dnl + +# Check for command to grab the raw symbol name followed by C symbol from nm. +AC_MSG_CHECKING([command to parse $NM output from $compiler object]) +AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe], +[ +# These are sane defaults that work on at least a few old systems. +# [They come from Ultrix. What could be older than Ultrix?!! ;)] + +# Character class describing NM global symbol codes. +symcode='[[BCDEGRST]]' + +# Regexp to match symbols that can be accessed directly from C. +sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)' + +# Define system-specific variables. +case $host_os in +aix*) + symcode='[[BCDT]]' + ;; +cygwin* | mingw* | pw32* | cegcc*) + symcode='[[ABCDGISTW]]' + ;; +hpux*) + if test ia64 = "$host_cpu"; then + symcode='[[ABCDEGRST]]' + fi + ;; +irix* | nonstopux*) + symcode='[[BCDEGRST]]' + ;; +osf*) + symcode='[[BCDEGQRST]]' + ;; +solaris*) + symcode='[[BDRT]]' + ;; +sco3.2v5*) + symcode='[[DT]]' + ;; +sysv4.2uw2*) + symcode='[[DT]]' + ;; +sysv5* | sco5v6* | unixware* | OpenUNIX*) + symcode='[[ABDT]]' + ;; +sysv4) + symcode='[[DFNSTU]]' + ;; +esac + +# If we're using GNU nm, then use its standard symbol codes. +case `$NM -V 2>&1` in +*GNU* | *'with BFD'*) + symcode='[[ABCDGIRSTW]]' ;; +esac + +if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Gets list of data symbols to import. + lt_cv_sys_global_symbol_to_import="sed -n -e 's/^I .* \(.*\)$/\1/p'" + # Adjust the below global symbol transforms to fixup imported variables. + lt_cdecl_hook=" -e 's/^I .* \(.*\)$/extern __declspec(dllimport) char \1;/p'" + lt_c_name_hook=" -e 's/^I .* \(.*\)$/ {\"\1\", (void *) 0},/p'" + lt_c_name_lib_hook="\ + -e 's/^I .* \(lib.*\)$/ {\"\1\", (void *) 0},/p'\ + -e 's/^I .* \(.*\)$/ {\"lib\1\", (void *) 0},/p'" +else + # Disable hooks by default. 
+ lt_cv_sys_global_symbol_to_import= + lt_cdecl_hook= + lt_c_name_hook= + lt_c_name_lib_hook= +fi + +# Transform an extracted symbol line into a proper C declaration. +# Some systems (esp. on ia64) link data and code symbols differently, +# so use this general approach. +lt_cv_sys_global_symbol_to_cdecl="sed -n"\ +$lt_cdecl_hook\ +" -e 's/^T .* \(.*\)$/extern int \1();/p'"\ +" -e 's/^$symcode$symcode* .* \(.*\)$/extern char \1;/p'" + +# Transform an extracted symbol line into symbol name and symbol address +lt_cv_sys_global_symbol_to_c_name_address="sed -n"\ +$lt_c_name_hook\ +" -e 's/^: \(.*\) .*$/ {\"\1\", (void *) 0},/p'"\ +" -e 's/^$symcode$symcode* .* \(.*\)$/ {\"\1\", (void *) \&\1},/p'" + +# Transform an extracted symbol line into symbol name with lib prefix and +# symbol address. +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n"\ +$lt_c_name_lib_hook\ +" -e 's/^: \(.*\) .*$/ {\"\1\", (void *) 0},/p'"\ +" -e 's/^$symcode$symcode* .* \(lib.*\)$/ {\"\1\", (void *) \&\1},/p'"\ +" -e 's/^$symcode$symcode* .* \(.*\)$/ {\"lib\1\", (void *) \&\1},/p'" + +# Handle CRLF in mingw tool chain +opt_cr= +case $build_os in +mingw*) + opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp + ;; +esac + +# Try without a prefix underscore, then with it. +for ac_symprfx in "" "_"; do + + # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. + symxfrm="\\1 $ac_symprfx\\2 \\2" + + # Write the raw and C identifiers. + if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Fake it for dumpbin and say T for any non-static function, + # D for any global variable and I for any imported variable. + # Also find C++ and __fastcall symbols from MSVC++, + # which start with @ or ?. 
+ lt_cv_sys_global_symbol_pipe="$AWK ['"\ +" {last_section=section; section=\$ 3};"\ +" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ +" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ +" /^ *Symbol name *: /{split(\$ 0,sn,\":\"); si=substr(sn[2],2)};"\ +" /^ *Type *: code/{print \"T\",si,substr(si,length(prfx))};"\ +" /^ *Type *: data/{print \"I\",si,substr(si,length(prfx))};"\ +" \$ 0!~/External *\|/{next};"\ +" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ +" {if(hide[section]) next};"\ +" {f=\"D\"}; \$ 0~/\(\).*\|/{f=\"T\"};"\ +" {split(\$ 0,a,/\||\r/); split(a[2],s)};"\ +" s[1]~/^[@?]/{print f,s[1],s[1]; next};"\ +" s[1]~prfx {split(s[1],t,\"@\"); print f,t[1],substr(t[1],length(prfx))}"\ +" ' prfx=^$ac_symprfx]" + else + lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" + fi + lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'" + + # Check to see that the pipe works correctly. + pipe_works=no + + rm -f conftest* + cat > conftest.$ac_ext <<_LT_EOF +#ifdef __cplusplus +extern "C" { +#endif +char nm_test_var; +void nm_test_func(void); +void nm_test_func(void){} +#ifdef __cplusplus +} +#endif +int main(){nm_test_var='a';nm_test_func();return(0);} +_LT_EOF + + if AC_TRY_EVAL(ac_compile); then + # Now try to grab the symbols. + nlist=conftest.nm + if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + # Try sorting and uniquifying the output. + if sort "$nlist" | uniq > "$nlist"T; then + mv -f "$nlist"T "$nlist" + else + rm -f "$nlist"T + fi + + # Make sure that we snagged all the symbols we need. + if $GREP ' nm_test_var$' "$nlist" >/dev/null; then + if $GREP ' nm_test_func$' "$nlist" >/dev/null; then + cat <<_LT_EOF > conftest.$ac_ext +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. 
*/ +#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE +/* DATA imports from DLLs on WIN32 can't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT@&t@_DLSYM_CONST +#elif defined __osf__ +/* This system does not cope well with relocations in const data. */ +# define LT@&t@_DLSYM_CONST +#else +# define LT@&t@_DLSYM_CONST const +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +_LT_EOF + # Now generate the symbol file. + eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' + + cat <<_LT_EOF >> conftest.$ac_ext + +/* The mapping between symbol names and symbols. */ +LT@&t@_DLSYM_CONST struct { + const char *name; + void *address; +} +lt__PROGRAM__LTX_preloaded_symbols[[]] = +{ + { "@PROGRAM@", (void *) 0 }, +_LT_EOF + $SED "s/^$symcode$symcode* .* \(.*\)$/ {\"\1\", (void *) \&\1},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext + cat <<\_LT_EOF >> conftest.$ac_ext + {0, (void *) 0} +}; + +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt__PROGRAM__LTX_preloaded_symbols; +} +#endif + +#ifdef __cplusplus +} +#endif +_LT_EOF + # Now try linking the two files. 
+ mv conftest.$ac_objext conftstm.$ac_objext + lt_globsym_save_LIBS=$LIBS + lt_globsym_save_CFLAGS=$CFLAGS + LIBS=conftstm.$ac_objext + CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)" + if AC_TRY_EVAL(ac_link) && test -s conftest$ac_exeext; then + pipe_works=yes + fi + LIBS=$lt_globsym_save_LIBS + CFLAGS=$lt_globsym_save_CFLAGS + else + echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD + fi + else + echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD + fi + else + echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD + fi + else + echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD + cat conftest.$ac_ext >&5 + fi + rm -rf conftest* conftst* + + # Do not use the global_symbol_pipe unless it works. + if test yes = "$pipe_works"; then + break + else + lt_cv_sys_global_symbol_pipe= + fi +done +]) +if test -z "$lt_cv_sys_global_symbol_pipe"; then + lt_cv_sys_global_symbol_to_cdecl= +fi +if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then + AC_MSG_RESULT(failed) +else + AC_MSG_RESULT(ok) +fi + +# Response file support. 
+if test "$lt_cv_nm_interface" = "MS dumpbin"; then + nm_file_list_spec='@' +elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then + nm_file_list_spec='@' +fi + +_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1], + [Take the output of nm and produce a listing of raw symbols and C names]) +_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1], + [Transform the output of nm in a proper C declaration]) +_LT_DECL([global_symbol_to_import], [lt_cv_sys_global_symbol_to_import], [1], + [Transform the output of nm into a list of symbols to manually relocate]) +_LT_DECL([global_symbol_to_c_name_address], + [lt_cv_sys_global_symbol_to_c_name_address], [1], + [Transform the output of nm in a C name address pair]) +_LT_DECL([global_symbol_to_c_name_address_lib_prefix], + [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1], + [Transform the output of nm in a C name address pair when lib prefix is needed]) +_LT_DECL([nm_interface], [lt_cv_nm_interface], [1], + [The name lister interface]) +_LT_DECL([], [nm_file_list_spec], [1], + [Specify filename containing input files for $NM]) +]) # _LT_CMD_GLOBAL_SYMBOLS + + +# _LT_COMPILER_PIC([TAGNAME]) +# --------------------------- +m4_defun([_LT_COMPILER_PIC], +[m4_require([_LT_TAG_COMPILER])dnl +_LT_TAGVAR(lt_prog_compiler_wl, $1)= +_LT_TAGVAR(lt_prog_compiler_pic, $1)= +_LT_TAGVAR(lt_prog_compiler_static, $1)= + +m4_if([$1], [CXX], [ + # C++ specific cases for pic, static, wl, etc. + if test yes = "$GXX"; then + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + + case $host_os in + aix*) + # All AIX code is PIC. 
+ if test ia64 = "$host_cpu"; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the '-m68020' flag to GCC prevents building anything better, + # like '-m68040'. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; + + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + mingw* | cygwin* | os2* | pw32* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + case $host_os in + os2*) + _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-static' + ;; + esac + ;; + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; + *djgpp*) + # DJGPP does not support shared libraries at all + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + ;; + haiku*) + # PIC is the default for Haiku. + # The "-static" flag exists, but is broken. + _LT_TAGVAR(lt_prog_compiler_static, $1)= + ;; + interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic + fi + ;; + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. 
On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + ;; + *qnx* | *nto*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + else + case $host_os in + aix[[4-9]]*) + # All AIX code is PIC. + if test ia64 = "$host_cpu"; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + else + _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + fi + ;; + chorus*) + case $cc_basename in + cxch68*) + # Green Hills C++ Compiler + # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" + ;; + esac + ;; + mingw* | cygwin* | os2* | pw32* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). 
+ m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; + dgux*) + case $cc_basename in + ec++*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + ;; + ghcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + *) + ;; + esac + ;; + freebsd* | dragonfly*) + # FreeBSD uses GNU C++ + ;; + hpux9* | hpux10* | hpux11*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-a ${wl}archive' + if test ia64 != "$host_cpu"; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + fi + ;; + aCC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-a ${wl}archive' + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + ;; + esac + ;; + *) + ;; + esac + ;; + interix*) + # This is c89, which is MS Visual C++ (no shared libs) + # Anyone wants to do a port? + ;; + irix5* | irix6* | nonstopux*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + # CC pic flag -KPIC is the default. + ;; + *) + ;; + esac + ;; + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + case $cc_basename in + KCC*) + # KAI C++ Compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + ecpc* ) + # old Intel C++ for x86_64, which still supported -KPIC. + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + icpc* ) + # Intel C++, used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. 
+ _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + pgCC* | pgcpp*) + # Portland Group C++ compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + cxx*) + # Compaq C++ + # Make sure the PIC flag is empty. It appears that all Alpha + # Linux and Compaq Tru64 Unix objects are PIC. + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*) + # IBM XL 8.0, 9.0 on PPC and BlueGene + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + esac + ;; + esac + ;; + lynxos*) + ;; + m88k*) + ;; + mvs*) + case $cc_basename in + cxx*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall' + ;; + *) + ;; + esac + ;; + netbsd*) + ;; + *qnx* | *nto*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + osf3* | osf4* | osf5*) + case $cc_basename in + KCC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + ;; + RCC*) + # Rational C++ 2.4.1 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + cxx*) + # Digital/Compaq C++ + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # Make sure the PIC flag is empty. It appears that all Alpha + # Linux and Compaq Tru64 Unix objects are PIC. 
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + *) + ;; + esac + ;; + psos*) + ;; + solaris*) + case $cc_basename in + CC* | sunCC*) + # Sun C++ 4.2, 5.x and Centerline C++ + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + gcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + ;; + *) + ;; + esac + ;; + sunos4*) + case $cc_basename in + CC*) + # Sun C++ 4.x + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + lcc*) + # Lucid + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + *) + ;; + esac + ;; + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + esac + ;; + tandem*) + case $cc_basename in + NCC*) + # NonStop-UX NCC 3.20 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + ;; + *) + ;; + esac + ;; + vxworks*) + ;; + *) + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + esac + fi +], +[ + if test yes = "$GCC"; then + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + + case $host_os in + aix*) + # All AIX code is PIC. + if test ia64 = "$host_cpu"; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the '-m68020' flag to GCC prevents building anything better, + # like '-m68040'. 
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; + + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + case $host_os in + os2*) + _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-static' + ;; + esac + ;; + + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; + + haiku*) + # PIC is the default for Haiku. + # The "-static" flag exists, but is broken. + _LT_TAGVAR(lt_prog_compiler_static, $1)= + ;; + + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + ;; + + interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; + + msdosdjgpp*) + # Just because we use GCC doesn't mean we suddenly get shared libraries + # on systems that don't support them. + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + enable_shared=no + ;; + + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. 
+ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic + fi + ;; + + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + + case $cc_basename in + nvcc*) # Cuda Compiler Driver 2.2 + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker ' + if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)" + fi + ;; + esac + else + # PORTME Check for flag to pass linker flags through the system compiler. + case $host_os in + aix*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + if test ia64 = "$host_cpu"; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + else + _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + fi + ;; + + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + case $cc_basename in + nagfor*) + # NAG Fortran compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + esac + ;; + + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + case $host_os in + os2*) + _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-static' + ;; + esac + ;; + + hpux9* | hpux10* | hpux11*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but + # not for PA HP-UX. 
+ case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + ;; + esac + # Is there a better lt_prog_compiler_static that works with the bundled CC? + _LT_TAGVAR(lt_prog_compiler_static, $1)='$wl-a ${wl}archive' + ;; + + irix5* | irix6* | nonstopux*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # PIC (with -KPIC) is the default. + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + case $cc_basename in + # old Intel for x86_64, which still supported -KPIC. + ecc*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + # icc used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + icc* | ifort*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + # Lahey Fortran 8.1. + lf95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared' + _LT_TAGVAR(lt_prog_compiler_static, $1)='--static' + ;; + nagfor*) + # NAG Fortran compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + tcc*) + # Fabrice Bellard et al's Tiny C Compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group compilers (*not* the Pentium gcc compiler, + # which looks to be a dead project) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + ccc*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # All Alpha code is PIC. 
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + xl* | bgxl* | bgf* | mpixl*) + # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*) + # Sun Fortran 8.3 passes all unrecognized flags to the linker + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='' + ;; + *Sun\ F* | *Sun*Fortran*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + *Sun\ C*) + # Sun C 5.9 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + ;; + *Intel*\ [[CF]]*Compiler*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + *Portland\ Group*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + esac + ;; + esac + ;; + + newsos6) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + + osf3* | osf4* | osf5*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # All OSF/1 code is PIC. 
+ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + + rdos*) + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + + solaris*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + case $cc_basename in + f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';; + *) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';; + esac + ;; + + sunos4*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + sysv4 | sysv4.2uw2* | sysv4.3*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; + + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + unicos*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + + uts4*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + *) + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + esac + fi +]) +case $host_os in + # For platforms that do not support PIC, -DPIC is meaningless: + *djgpp*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])" + ;; +esac + +AC_CACHE_CHECK([for $compiler option to produce PIC], + [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)], + [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)]) +_LT_TAGVAR(lt_prog_compiler_pic, 
$1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1) + +# +# Check to make sure the PIC flag actually works. +# +if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then + _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works], + [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)], + [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [], + [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in + "" | " "*) ;; + *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;; + esac], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no]) +fi +_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1], + [Additional compiler flags for building library objects]) + +_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1], + [How to pass a linker flag through the compiler]) +# +# Check to make sure the static flag actually works. +# +wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\" +_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works], + _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1), + $lt_tmp_static_flag, + [], + [_LT_TAGVAR(lt_prog_compiler_static, $1)=]) +_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1], + [Compiler flag to prevent dynamic linking]) +])# _LT_COMPILER_PIC + + +# _LT_LINKER_SHLIBS([TAGNAME]) +# ---------------------------- +# See if the linker supports building shared libraries. 
+m4_defun([_LT_LINKER_SHLIBS], +[AC_REQUIRE([LT_PATH_LD])dnl +AC_REQUIRE([LT_PATH_NM])dnl +m4_require([_LT_PATH_MANIFEST_TOOL])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl +m4_require([_LT_TAG_COMPILER])dnl +AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) +m4_if([$1], [CXX], [ + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] + case $host_os in + aix[[4-9]]*) + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to GNU nm, but means don't demangle to AIX nm. + # Without the "-l" option, or with the "-B" option, AIX nm treats + # weak defined symbols like other global defined symbols, whereas + # GNU nm marks them as "W". + # While the 'weak' keyword is ignored in the Export File, we need + # it in the Import File for the 'aix-soname' feature, so we have + # to replace the "-B" option with "-P" for AIX nm. 
+ if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols' + else + _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols' + fi + ;; + pw32*) + _LT_TAGVAR(export_symbols_cmds, $1)=$ltdll_cmds + ;; + cygwin* | mingw* | cegcc*) + case $cc_basename in + cl*) + _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + ;; + *) + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] + ;; + esac + ;; + *) + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + ;; + esac +], [ + runpath_var= + _LT_TAGVAR(allow_undefined_flag, $1)= + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(archive_cmds, $1)= + _LT_TAGVAR(archive_expsym_cmds, $1)= + _LT_TAGVAR(compiler_needs_object, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + _LT_TAGVAR(export_dynamic_flag_spec, $1)= + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq 
> $export_symbols' + _LT_TAGVAR(hardcode_automatic, $1)=no + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(hardcode_libdir_separator, $1)= + _LT_TAGVAR(hardcode_minus_L, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported + _LT_TAGVAR(inherit_rpath, $1)=no + _LT_TAGVAR(link_all_deplibs, $1)=unknown + _LT_TAGVAR(module_cmds, $1)= + _LT_TAGVAR(module_expsym_cmds, $1)= + _LT_TAGVAR(old_archive_from_new_cmds, $1)= + _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)= + _LT_TAGVAR(thread_safe_flag_spec, $1)= + _LT_TAGVAR(whole_archive_flag_spec, $1)= + # include_expsyms should be a list of space-separated symbols to be *always* + # included in the symbol list + _LT_TAGVAR(include_expsyms, $1)= + # exclude_expsyms can be an extended regexp of symbols to exclude + # it will be wrapped by ' (' and ')$', so one must not match beginning or + # end of line. Example: 'a|bc|.*d.*' will exclude the symbols 'a' and 'bc', + # as well as any symbol that contains 'd'. + _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] + # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out + # platforms (ab)use it in PIC code, but their linkers get confused if + # the symbol is explicitly referenced. Since portable code cannot + # rely on this symbol name, it's probably fine to never include it in + # preloaded symbol tables. + # Exclude shared library initialization/finalization symbols. +dnl Note also adjust exclude_expsyms for C++ above. + extract_expsyms_cmds= + + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + # FIXME: the MSVC++ port hasn't been tested in a loooong time + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. 
+ if test yes != "$GCC"; then + with_gnu_ld=no + fi + ;; + interix*) + # we just hope/assume this is gcc and not c89 (= MSVC++) + with_gnu_ld=yes + ;; + openbsd* | bitrig*) + with_gnu_ld=no + ;; + esac + + _LT_TAGVAR(ld_shlibs, $1)=yes + + # On some targets, GNU ld is compatible enough with the native linker + # that we're better off using the native interface for both. + lt_use_gnu_ld_interface=no + if test yes = "$with_gnu_ld"; then + case $host_os in + aix*) + # The AIX port of GNU ld has always aspired to compatibility + # with the native linker. However, as the warning in the GNU ld + # block says, versions before 2.19.5* couldn't really create working + # shared libraries, regardless of the interface used. + case `$LD -v 2>&1` in + *\ \(GNU\ Binutils\)\ 2.19.5*) ;; + *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;; + *\ \(GNU\ Binutils\)\ [[3-9]]*) ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + fi + + if test yes = "$lt_use_gnu_ld_interface"; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='$wl' + + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + supports_anon_versioning=no + case `$LD -v | $SED -e 's/([^)]\+)\s\+//' 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... 
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... + *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac + + # See if GNU ld supports shared libraries. + case $host_os in + aix[[3-9]]*) + # On AIX/PPC, the GNU linker is very broken + if test ia64 != "$host_cpu"; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +*** Warning: the GNU linker, at least up to release 2.19, is reported +*** to be unable to reliably create shared libraries on AIX. +*** Therefore, libtool is disabling shared libraries support. If you +*** really care for shared libraries, you may want to install binutils +*** 2.20 or above, or modify your PATH so that a non-GNU linker is found. +*** You will then need to restart the configuration process. + +_LT_EOF + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='' + ;; + m68k) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + ;; + + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. 
FIXME + _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, + # as there is no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-all-symbols' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] + + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file, use it as + # is; otherwise, prepend EXPORTS... 
+ _LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + haiku*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + os2*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + shrext_cmds=.dll + _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + _LT_TAGVAR(archive_expsym_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + prefix_cmds="$SED"~ + if test EXPORTS = "`$SED 1q $export_symbols`"; then + prefix_cmds="$prefix_cmds -e 1d"; + fi~ + prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~ + cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags 
$output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; + + interix[[3-9]]*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) + tmp_diet=no + if test linux-dietlibc = "$host_os"; then + case $cc_basename in + diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) + esac + fi + if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ + && test no = "$tmp_diet" + then + tmp_addflag=' $pic_flag' + tmp_sharedflag='-shared' + case $cc_basename,$host_cpu in + pgcc*) # Portland Group C compiler + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && 
new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + tmp_addflag=' $pic_flag' + ;; + pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group f77 and f90 compilers + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + tmp_addflag=' $pic_flag -Mnomain' ;; + ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 + tmp_addflag=' -i_dynamic' ;; + efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 + tmp_addflag=' -i_dynamic -nofor_main' ;; + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + lf95*) # Lahey Fortran 8.1 + _LT_TAGVAR(whole_archive_flag_spec, $1)= + tmp_sharedflag='--shared' ;; + nagfor*) # NAGFOR 5.3 + tmp_sharedflag='-Wl,-shared' ;; + xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below) + tmp_sharedflag='-qmkshrobj' + tmp_addflag= ;; + nvcc*) # Cuda Compiler Driver 2.2 + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + ;; + esac + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) # Sun C 5.9 + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + tmp_sharedflag='-G' ;; + *Sun\ F*) # Sun Fortran 8.3 + tmp_sharedflag='-G' ;; + esac + _LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + + if test yes = "$supports_anon_versioning"; then + 
_LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib' + fi + + case $cc_basename in + tcc*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='-rdynamic' + ;; + xlf* | bgf* | bgxlf* | mpixlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' + if test yes = "$supports_anon_versioning"; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' + fi + ;; + esac + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + fi + ;; + + solaris*) + if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +*** Warning: The releases 2.8.* of the GNU linker cannot reliably +*** create shared libraries on Solaris systems. 
Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.9.1 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. + +_LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 cannot +*** reliably create shared libraries on SCO systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.16.91.0.3 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. + +_LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. 
+ if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + sunos4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + + if test no = "$_LT_TAGVAR(ld_shlibs, $1)"; then + runpath_var= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(export_dynamic_flag_spec, $1)= + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + # PORTME fill in a description of your system's linker (not GNU ld) + case $host_os in + aix3*) + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' + # Note: this linker hardcodes the directories in LIBPATH if there + # are no directories specified by -L. 
+ _LT_TAGVAR(hardcode_minus_L, $1)=yes + if test yes = "$GCC" && test -z "$lt_prog_compiler_static"; then + # Neither direct hardcoding nor static linking is supported with a + # broken collect2. + _LT_TAGVAR(hardcode_direct, $1)=unsupported + fi + ;; + + aix[[4-9]]*) + if test ia64 = "$host_cpu"; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag= + else + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to GNU nm, but means don't demangle to AIX nm. + # Without the "-l" option, or with the "-B" option, AIX nm treats + # weak defined symbols like other global defined symbols, whereas + # GNU nm marks them as "W". + # While the 'weak' keyword is ignored in the Export File, we need + # it in the Import File for the 'aix-soname' feature, so we have + # to replace the "-B" option with "-P" for AIX nm. + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { if (\$ 2 == "W") { print \$ 3 " weak" } else { print \$ 3 } } }'\'' | sort -u > $export_symbols' + else + _LT_TAGVAR(export_symbols_cmds, $1)='`func_echo_all $NM | $SED -e '\''s/B\([[^B]]*\)$/P\1/'\''` -PCpgl $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) && ([substr](\$ 1,1,1) != ".")) { if ((\$ 2 == "W") || (\$ 2 == "V") || (\$ 2 == "Z")) { print \$ 1 " weak" } else { print \$ 1 } } }'\'' | sort -u > $export_symbols' + fi + aix_use_runtimelinking=no + + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # have runtime linking enabled, and use it for executables. 
+ # For shared libraries, we enable/disable runtime linking + # depending on the kind of the shared library created - + # when "with_aix_soname,aix_use_runtimelinking" is: + # "aix,no" lib.a(lib.so.V) shared, rtl:no, for executables + # "aix,yes" lib.so shared, rtl:yes, for executables + # lib.a static archive + # "both,no" lib.so.V(shr.o) shared, rtl:yes + # lib.a(lib.so.V) shared, rtl:no, for executables + # "both,yes" lib.so.V(shr.o) shared, rtl:yes, for executables + # lib.a(lib.so.V) shared, rtl:no + # "svr4,*" lib.so.V(shr.o) shared, rtl:yes, for executables + # lib.a static archive + case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) + for ld_flag in $LDFLAGS; do + if (test x-brtl = "x$ld_flag" || test x-Wl,-brtl = "x$ld_flag"); then + aix_use_runtimelinking=yes + break + fi + done + if test svr4,no = "$with_aix_soname,$aix_use_runtimelinking"; then + # With aix-soname=svr4, we create the lib.so.V shared archives only, + # so we don't have lib.a shared libs to link our executables. + # We have to force runtime linking in this case. + aix_use_runtimelinking=yes + LDFLAGS="$LDFLAGS -Wl,-brtl" + fi + ;; + esac + + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi + + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. + + _LT_TAGVAR(archive_cmds, $1)='' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='$wl-f,' + case $with_aix_soname,$aix_use_runtimelinking in + aix,*) ;; # traditional, no import file + svr4,* | *,yes) # use import file + # The Import File defines what to hardcode. 
+ _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=no + ;; + esac + + if test yes = "$GCC"; then + case $host_os in aix4.[[012]]|aix4.[[012]].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`$CC -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + _LT_TAGVAR(hardcode_direct, $1)=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)= + fi + ;; + esac + shared_flag='-shared' + if test yes = "$aix_use_runtimelinking"; then + shared_flag="$shared_flag "'$wl-G' + fi + # Need to ensure runtime linking is disabled for the traditional + # shared library, or the linker may eventually find shared libraries + # /with/ Import File - we do not want to mix them. + shared_flag_aix='-shared' + shared_flag_svr4='-shared $wl-G' + else + # not using gcc + if test ia64 = "$host_cpu"; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test yes = "$aix_use_runtimelinking"; then + shared_flag='$wl-G' + else + shared_flag='$wl-bM:SRE' + fi + shared_flag_aix='$wl-bM:SRE' + shared_flag_svr4='$wl-G' + fi + fi + + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to export. 
+ _LT_TAGVAR(always_export_symbols, $1)=yes + if test aix,yes = "$with_aix_soname,$aix_use_runtimelinking"; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(allow_undefined_flag, $1)='-berok' + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath" + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag + else + if test ia64 = "$host_cpu"; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $libdir:/usr/lib:/lib' + _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(no_undefined_flag, $1)=' $wl-bernotok' + _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-berok' + if test yes = "$with_gnu_ld"; then + # We only use this code for GNU lds that support --whole-archive. 
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive$convenience $wl--no-whole-archive' + else + # Exported symbols can be pulled into shared objects from archives + _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + _LT_TAGVAR(archive_expsym_cmds, $1)='$RM -r $output_objdir/$realname.d~$MKDIR $output_objdir/$realname.d' + # -brtl affects multiple linker settings, -berok does not and is overridden later + compiler_flags_filtered='`func_echo_all "$compiler_flags " | $SED -e "s%-brtl\\([[, ]]\\)%-berok\\1%g"`' + if test svr4 != "$with_aix_soname"; then + # This is similar to how AIX traditionally builds its shared libraries. + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_aix' -o $output_objdir/$realname.d/$soname $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$realname.d/$soname' + fi + if test aix != "$with_aix_soname"; then + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_svr4' -o $output_objdir/$realname.d/$shared_archive_member_spec.o $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$STRIP -e $output_objdir/$realname.d/$shared_archive_member_spec.o~( func_echo_all "#! 
$soname($shared_archive_member_spec.o)"; if test shr_64 = "$shared_archive_member_spec"; then func_echo_all "# 64"; else func_echo_all "# 32"; fi; cat $export_symbols ) > $output_objdir/$realname.d/$shared_archive_member_spec.imp~$AR $AR_FLAGS $output_objdir/$soname $output_objdir/$realname.d/$shared_archive_member_spec.o $output_objdir/$realname.d/$shared_archive_member_spec.imp' + else + # used by -dlpreopen to get the symbols + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$MV $output_objdir/$realname.d/$soname $output_objdir' + fi + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$RM -r $output_objdir/$realname.d' + fi + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='' + ;; + m68k) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + ;; + + bsdi[[45]]*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. 
+ case $cc_basename in + cl*) + # Native MSVC + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='@' + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=.dll + # FIXME: Setting linknames here is a bad hack. + _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~linknames=' + _LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then + cp "$export_symbols" "$output_objdir/$soname.def"; + echo "$tool_output_objdir$soname.def" > "$output_objdir/$soname.exp"; + else + $SED -e '\''s/^/-link -EXPORT:/'\'' < $export_symbols > $output_objdir/$soname.exp; + fi~ + $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ + linknames=' + # The linker will not automatically build a static lib if we build a DLL. 
+ # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' + # Don't use ranlib + _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' + _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~ + lt_tool_outputfile="@TOOL_OUTPUT@"~ + case $lt_outputfile in + *.exe|*.EXE) ;; + *) + lt_outputfile=$lt_outputfile.exe + lt_tool_outputfile=$lt_tool_outputfile.exe + ;; + esac~ + if test : != "$MANIFEST_TOOL" && test -f "$lt_outputfile.manifest"; then + $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; + $RM "$lt_outputfile.manifest"; + fi' + ;; + *) + # Assume MSVC wrapper + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=.dll + # FIXME: Setting linknames here is a bad hack. + _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames=' + # The linker will automatically build a .lib file if we build a DLL. + _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + # FIXME: Should let the user specify the lib program. 
+ _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; + esac + ;; + + darwin* | rhapsody*) + _LT_DARWIN_LINKER_FEATURES($1) + ;; + + dgux*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor + # support. Future versions do this automatically, but an explicit c++rt0.o + # does not break anything, and helps significantly (at the cost of a little + # extra space). + freebsd2.2*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + # Unfortunately, older versions of FreeBSD 2 do not have this feature. + freebsd2.*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. 
+ freebsd* | dragonfly*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + hpux9*) + if test yes = "$GCC"; then + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag $wl+b $wl$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + else + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_direct, $1)=yes + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + ;; + + hpux10*) + if test yes,no = "$GCC,$with_gnu_ld"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test no = "$with_gnu_ld"; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ _LT_TAGVAR(hardcode_minus_L, $1)=yes + fi + ;; + + hpux11*) + if test yes,no = "$GCC,$with_gnu_ld"; then + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + else + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + m4_if($1, [], [ + # Older versions of the 11.00 compiler do not understand -b yet + # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does) + _LT_LINKER_OPTION([if $CC understands -b], + _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b], + [_LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags'], + [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])], + [_LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $libobjs $deplibs $compiler_flags']) + ;; + esac + fi + if test no = "$with_gnu_ld"; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + case $host_cpu in + hppa*64*|ia64*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + *) + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. 
+ _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + fi + ;; + + irix5* | irix6* | nonstopux*) + if test yes = "$GCC"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + # Try to use the -exported_symbol ld option, if it does not + # work, assume that -exports_file does not work either and + # implicitly export all symbols. + # This should be the same for all languages, so no per-tag cache variable. + AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol], + [lt_cv_irix_exported_symbol], + [save_LDFLAGS=$LDFLAGS + LDFLAGS="$LDFLAGS -shared $wl-exported_symbol ${wl}foo $wl-update_registry $wl/dev/null" + AC_LINK_IFELSE( + [AC_LANG_SOURCE( + [AC_LANG_CASE([C], [[int foo (void) { return 0; }]], + [C++], [[int foo (void) { return 0; }]], + [Fortran 77], [[ + subroutine foo + end]], + [Fortran], [[ + subroutine foo + end]])])], + [lt_cv_irix_exported_symbol=yes], + [lt_cv_irix_exported_symbol=no]) + LDFLAGS=$save_LDFLAGS]) + if test yes = "$lt_cv_irix_exported_symbol"; then + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations $wl-exports_file $wl$export_symbols -o $lib' + fi + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -exports_file $export_symbols -o $lib' + fi + _LT_TAGVAR(archive_cmds_need_lc, 
$1)='no' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(inherit_rpath, $1)=yes + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + linux*) + case $cc_basename in + tcc*) + # Fabrice Bellard et al's Tiny C Compiler + _LT_TAGVAR(ld_shlibs, $1)=yes + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else + _LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + newsos6) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *nto* | *qnx*) + ;; + + openbsd* | bitrig*) + if test -f /usr/libexec/ld.so; then + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags $wl-retain-symbols-file,$export_symbols' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + fi + else + _LT_TAGVAR(ld_shlibs, 
$1)=no + fi + ;; + + os2*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + shrext_cmds=.dll + _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + _LT_TAGVAR(archive_expsym_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + prefix_cmds="$SED"~ + if test EXPORTS = "`$SED 1q $export_symbols`"; then + prefix_cmds="$prefix_cmds -e 1d"; + fi~ + prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~ + cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; + + osf3*) + if test yes = "$GCC"; then + _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + else + 
_LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + ;; + + osf4* | osf5*) # as osf3* with the addition of -msym flag + if test yes = "$GCC"; then + _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $pic_flag $libobjs $deplibs $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + else + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ + $CC -shared$allow_undefined_flag $wl-input $wl$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~$RM $lib.exp' + + # Both c and cxx compiler support -rpath directly + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + ;; + + solaris*) + _LT_TAGVAR(no_undefined_flag, $1)=' -z defs' + if test yes = "$GCC"; then + wlarc='$wl' + 
_LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $wl-z ${wl}text $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared $pic_flag $wl-z ${wl}text $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + else + case `$CC -V 2>&1` in + *"Compilers 5.0"*) + wlarc='' + _LT_TAGVAR(archive_cmds, $1)='$LD -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $LD -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' + ;; + *) + wlarc='$wl' + _LT_TAGVAR(archive_cmds, $1)='$CC -G$allow_undefined_flag -h $soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G$allow_undefined_flag -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + ;; + esac + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands '-z linker_flag'. GCC discards it without '$wl', + # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) 
+ if test yes = "$GCC"; then + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl-z ${wl}allextract$convenience $wl-z ${wl}defaultextract' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + fi + ;; + esac + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + sunos4*) + if test sequent = "$host_vendor"; then + # Use $CC to link under sequent, because it throws in some extra .o + # files that make .init and .fini sections work. + _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h $soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + sysv4) + case $host_vendor in + sni) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true??? + ;; + siemens) + ## LD is ld it makes a PLAMLIB + ## CC just makes a GrossModule. 
+ _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs' + _LT_TAGVAR(hardcode_direct, $1)=no + ;; + motorola) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie + ;; + esac + runpath_var='LD_RUN_PATH' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + sysv4.3*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var=LD_RUN_PATH + hardcode_runpath_var=yes + _LT_TAGVAR(ld_shlibs, $1)=yes + fi + ;; + + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var='LD_RUN_PATH' + + if test yes = "$GCC"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; + + sysv5* | sco3.2v5* | sco5v6*) + # Note: We CANNOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just about no library would + # ever link correctly. 
If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text' + _LT_TAGVAR(allow_undefined_flag, $1)='$wl-z,nodefs' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-Bexport' + runpath_var='LD_RUN_PATH' + + if test yes = "$GCC"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; + + uts4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *) + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + + if test sni = "$host_vendor"; then + case $host in + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-Blargedynsym' + ;; + esac + fi + fi +]) +AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) +test no = "$_LT_TAGVAR(ld_shlibs, $1)" && can_build_shared=no + +_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld + +_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl +_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl +_LT_DECL([], [extract_expsyms_cmds], [2], + [The commands to extract the exported symbol list from a shared archive]) + +# +# Do we need to explicitly link libc? 
+# +case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in +x|xyes) + # Assume -lc should be added + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + + if test yes,yes = "$GCC,$enable_shared"; then + case $_LT_TAGVAR(archive_cmds, $1) in + *'~'*) + # FIXME: we may have to deal with multi-command sequences. + ;; + '$CC '*) + # Test whether the compiler implicitly links with -lc since on some + # systems, -lgcc has to come before -lc. If gcc already passes -lc + # to ld, don't add -lc before -lgcc. + AC_CACHE_CHECK([whether -lc should be explicitly linked in], + [lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1), + [$RM conftest* + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if AC_TRY_EVAL(ac_compile) 2>conftest.err; then + soname=conftest + lib=conftest + libobjs=conftest.$ac_objext + deplibs= + wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) + pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1) + compiler_flags=-v + linker_flags=-v + verstring= + output_objdir=. + libname=conftest + lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1) + _LT_TAGVAR(allow_undefined_flag, $1)= + if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) + then + lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no + else + lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes + fi + _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag + else + cat conftest.err 1>&5 + fi + $RM conftest* + ]) + _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1) + ;; + esac + fi + ;; +esac + +_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0], + [Whether or not to add -lc for building shared libraries]) +_LT_TAGDECL([allow_libtool_libs_with_static_runtimes], + [enable_shared_with_static_runtimes], [0], + [Whether or not to disallow shared libs when runtime libs are static]) +_LT_TAGDECL([], [export_dynamic_flag_spec], [1], + [Compiler flag to allow reflexive dlopens]) +_LT_TAGDECL([], [whole_archive_flag_spec], [1], + 
[Compiler flag to generate shared objects directly from archives]) +_LT_TAGDECL([], [compiler_needs_object], [1], + [Whether the compiler copes with passing no objects directly]) +_LT_TAGDECL([], [old_archive_from_new_cmds], [2], + [Create an old-style archive from a shared archive]) +_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2], + [Create a temporary old-style archive to link instead of a shared archive]) +_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive]) +_LT_TAGDECL([], [archive_expsym_cmds], [2]) +_LT_TAGDECL([], [module_cmds], [2], + [Commands used to build a loadable module if different from building + a shared archive.]) +_LT_TAGDECL([], [module_expsym_cmds], [2]) +_LT_TAGDECL([], [with_gnu_ld], [1], + [Whether we are building with GNU ld or not]) +_LT_TAGDECL([], [allow_undefined_flag], [1], + [Flag that allows shared libraries with undefined symbols to be built]) +_LT_TAGDECL([], [no_undefined_flag], [1], + [Flag that enforces no undefined symbols]) +_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1], + [Flag to hardcode $libdir into a binary during linking. 
+ This must work even if $libdir does not exist]) +_LT_TAGDECL([], [hardcode_libdir_separator], [1], + [Whether we need a single "-rpath" flag with a separated argument]) +_LT_TAGDECL([], [hardcode_direct], [0], + [Set to "yes" if using DIR/libNAME$shared_ext during linking hardcodes + DIR into the resulting binary]) +_LT_TAGDECL([], [hardcode_direct_absolute], [0], + [Set to "yes" if using DIR/libNAME$shared_ext during linking hardcodes + DIR into the resulting binary and the resulting library dependency is + "absolute", i.e impossible to change by setting $shlibpath_var if the + library is relocated]) +_LT_TAGDECL([], [hardcode_minus_L], [0], + [Set to "yes" if using the -LDIR flag during linking hardcodes DIR + into the resulting binary]) +_LT_TAGDECL([], [hardcode_shlibpath_var], [0], + [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR + into the resulting binary]) +_LT_TAGDECL([], [hardcode_automatic], [0], + [Set to "yes" if building a shared library automatically hardcodes DIR + into the library and all subsequent libraries and executables linked + against it]) +_LT_TAGDECL([], [inherit_rpath], [0], + [Set to yes if linker adds runtime paths of dependent libraries + to runtime path list]) +_LT_TAGDECL([], [link_all_deplibs], [0], + [Whether libtool must link a program against all its dependency libraries]) +_LT_TAGDECL([], [always_export_symbols], [0], + [Set to "yes" if exported symbols are required]) +_LT_TAGDECL([], [export_symbols_cmds], [2], + [The commands to list exported symbols]) +_LT_TAGDECL([], [exclude_expsyms], [1], + [Symbols that should not be listed in the preloaded symbols]) +_LT_TAGDECL([], [include_expsyms], [1], + [Symbols that must always be exported]) +_LT_TAGDECL([], [prelink_cmds], [2], + [Commands necessary for linking programs (against libraries) with templates]) +_LT_TAGDECL([], [postlink_cmds], [2], + [Commands necessary for finishing linking programs]) +_LT_TAGDECL([], [file_list_spec], [1], + [Specify 
filename containing input files]) +dnl FIXME: Not yet implemented +dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1], +dnl [Compiler flag to generate thread safe objects]) +])# _LT_LINKER_SHLIBS + + +# _LT_LANG_C_CONFIG([TAG]) +# ------------------------ +# Ensure that the configuration variables for a C compiler are suitably +# defined. These variables are subsequently used by _LT_CONFIG to write +# the compiler configuration to 'libtool'. +m4_defun([_LT_LANG_C_CONFIG], +[m4_require([_LT_DECL_EGREP])dnl +lt_save_CC=$CC +AC_LANG_PUSH(C) + +# Source file extension for C test sources. +ac_ext=c + +# Object file extension for compiled C test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="int some_variable = 0;" + +# Code to be used in simple link tests +lt_simple_link_test_code='int main(){return(0);}' + +_LT_TAG_COMPILER +# Save the default compiler, since it gets overwritten when the other +# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. +compiler_DEFAULT=$CC + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +## CAVEAT EMPTOR: +## There is no encapsulation within the following macros, do not change +## the running order or otherwise move them around unless you know exactly +## what you are doing... +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + LT_SYS_DLOPEN_SELF + _LT_CMD_STRIPLIB + + # Report what library types will actually be built + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test no = "$can_build_shared" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. 
+ case $host_os in + aix3*) + test yes = "$enable_shared" && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + + aix[[4-9]]*) + if test ia64 != "$host_cpu"; then + case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in + yes,aix,yes) ;; # shared object as lib.so file only + yes,svr4,*) ;; # shared object as lib.so archive member only + yes,*) enable_static=no ;; # shared object in lib.a archive as well + esac + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test yes = "$enable_shared" || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_CONFIG($1) +fi +AC_LANG_POP +CC=$lt_save_CC +])# _LT_LANG_C_CONFIG + + +# _LT_LANG_CXX_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for a C++ compiler are suitably +# defined. These variables are subsequently used by _LT_CONFIG to write +# the compiler configuration to 'libtool'. 
+m4_defun([_LT_LANG_CXX_CONFIG], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_PATH_MANIFEST_TOOL])dnl +if test -n "$CXX" && ( test no != "$CXX" && + ( (test g++ = "$CXX" && `g++ -v >/dev/null 2>&1` ) || + (test g++ != "$CXX"))); then + AC_PROG_CXXCPP +else + _lt_caught_CXX_error=yes +fi + +AC_LANG_PUSH(C++) +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(compiler_needs_object, $1)=no +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for C++ test sources. +ac_ext=cpp + +# Object file extension for compiled C++ test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the CXX compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. 
+if test yes != "$_lt_caught_CXX_error"; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests + lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC=$CC + lt_save_CFLAGS=$CFLAGS + lt_save_LD=$LD + lt_save_GCC=$GCC + GCC=$GXX + lt_save_with_gnu_ld=$with_gnu_ld + lt_save_path_LD=$lt_cv_path_LD + if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then + lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx + else + $as_unset lt_cv_prog_gnu_ld + fi + if test -n "${lt_cv_path_LDCXX+set}"; then + lt_cv_path_LD=$lt_cv_path_LDCXX + else + $as_unset lt_cv_path_LD + fi + test -z "${LDCXX+set}" || LD=$LDCXX + CC=${CXX-"c++"} + CFLAGS=$CXXFLAGS + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + # We don't want -fno-exception when compiling C++ code, so set the + # no_builtin_flag separately + if test yes = "$GXX"; then + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' + else + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + fi + + if test yes = "$GXX"; then + # Set up default GNU C++ configuration + + LT_PATH_LD + + # Check if GNU C++ uses GNU ld as the underlying linker, since the + # archiving commands below assume that GNU ld is being used. 
+ if test yes = "$with_gnu_ld"; then + _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' + + # If archive_cmds runs LD, not CC, wlarc should be empty + # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to + # investigate it a little bit more. (MM) + wlarc='$wl' + + # ancient GNU ld didn't support --whole-archive et. al. + if eval "`$CC -print-prog-name=ld` --help 2>&1" | + $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + with_gnu_ld=no + wlarc= + + # A generic and very simple default shared library creation + # command for GNU C++ for the case where it uses the native + # linker, instead of GNU ld. If possible, this setting should + # overridden to take advantage of the native linker features on + # the platform it is being used on. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + fi + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. 
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + + else + GXX=no + with_gnu_ld=no + wlarc= + fi + + # PORTME: fill in a description of your system's C++ link characteristics + AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) + _LT_TAGVAR(ld_shlibs, $1)=yes + case $host_os in + aix3*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aix[[4-9]]*) + if test ia64 = "$host_cpu"; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag= + else + aix_use_runtimelinking=no + + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # have runtime linking enabled, and use it for executables. + # For shared libraries, we enable/disable runtime linking + # depending on the kind of the shared library created - + # when "with_aix_soname,aix_use_runtimelinking" is: + # "aix,no" lib.a(lib.so.V) shared, rtl:no, for executables + # "aix,yes" lib.so shared, rtl:yes, for executables + # lib.a static archive + # "both,no" lib.so.V(shr.o) shared, rtl:yes + # lib.a(lib.so.V) shared, rtl:no, for executables + # "both,yes" lib.so.V(shr.o) shared, rtl:yes, for executables + # lib.a(lib.so.V) shared, rtl:no + # "svr4,*" lib.so.V(shr.o) shared, rtl:yes, for executables + # lib.a static archive + case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) + for ld_flag in $LDFLAGS; do + case $ld_flag in + *-brtl*) + aix_use_runtimelinking=yes + break + ;; + esac + done + if test svr4,no = "$with_aix_soname,$aix_use_runtimelinking"; then + # With aix-soname=svr4, we create the lib.so.V shared archives only, + # so we don't have lib.a shared libs to link our executables. + # We have to force runtime linking in this case. 
+ aix_use_runtimelinking=yes + LDFLAGS="$LDFLAGS -Wl,-brtl" + fi + ;; + esac + + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi + + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. + + _LT_TAGVAR(archive_cmds, $1)='' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='$wl-f,' + case $with_aix_soname,$aix_use_runtimelinking in + aix,*) ;; # no import file + svr4,* | *,yes) # use import file + # The Import File defines what to hardcode. + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=no + ;; + esac + + if test yes = "$GXX"; then + case $host_os in aix4.[[012]]|aix4.[[012]].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`$CC -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + _LT_TAGVAR(hardcode_direct, $1)=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. 
Setting hardcode_minus_L + # to unsupported forces relinking + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)= + fi + esac + shared_flag='-shared' + if test yes = "$aix_use_runtimelinking"; then + shared_flag=$shared_flag' $wl-G' + fi + # Need to ensure runtime linking is disabled for the traditional + # shared library, or the linker may eventually find shared libraries + # /with/ Import File - we do not want to mix them. + shared_flag_aix='-shared' + shared_flag_svr4='-shared $wl-G' + else + # not using gcc + if test ia64 = "$host_cpu"; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test yes = "$aix_use_runtimelinking"; then + shared_flag='$wl-G' + else + shared_flag='$wl-bM:SRE' + fi + shared_flag_aix='$wl-bM:SRE' + shared_flag_svr4='$wl-G' + fi + fi + + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to + # export. + _LT_TAGVAR(always_export_symbols, $1)=yes + if test aix,yes = "$with_aix_soname,$aix_use_runtimelinking"; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + # The "-G" linker flag allows undefined symbols. + _LT_TAGVAR(no_undefined_flag, $1)='-bernotok' + # Determine the default libpath from the value encoded in an empty + # executable. 
+ _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath" + + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs $wl'$no_entry_flag' $compiler_flags `if test -n "$allow_undefined_flag"; then func_echo_all "$wl$allow_undefined_flag"; else :; fi` $wl'$exp_sym_flag:\$export_symbols' '$shared_flag + else + if test ia64 = "$host_cpu"; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $libdir:/usr/lib:/lib' + _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\$wl$no_entry_flag"' $compiler_flags $wl$allow_undefined_flag '"\$wl$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(no_undefined_flag, $1)=' $wl-bernotok' + _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-berok' + if test yes = "$with_gnu_ld"; then + # We only use this code for GNU lds that support --whole-archive. 
+ _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive$convenience $wl--no-whole-archive' + else + # Exported symbols can be pulled into shared objects from archives + _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + _LT_TAGVAR(archive_expsym_cmds, $1)='$RM -r $output_objdir/$realname.d~$MKDIR $output_objdir/$realname.d' + # -brtl affects multiple linker settings, -berok does not and is overridden later + compiler_flags_filtered='`func_echo_all "$compiler_flags " | $SED -e "s%-brtl\\([[, ]]\\)%-berok\\1%g"`' + if test svr4 != "$with_aix_soname"; then + # This is similar to how AIX traditionally builds its shared + # libraries. Need -bnortl late, we may have -brtl in LDFLAGS. + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_aix' -o $output_objdir/$realname.d/$soname $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$realname.d/$soname' + fi + if test aix != "$with_aix_soname"; then + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$CC '$shared_flag_svr4' -o $output_objdir/$realname.d/$shared_archive_member_spec.o $libobjs $deplibs $wl-bnoentry '$compiler_flags_filtered'$wl-bE:$export_symbols$allow_undefined_flag~$STRIP -e $output_objdir/$realname.d/$shared_archive_member_spec.o~( func_echo_all "#! 
$soname($shared_archive_member_spec.o)"; if test shr_64 = "$shared_archive_member_spec"; then func_echo_all "# 64"; else func_echo_all "# 32"; fi; cat $export_symbols ) > $output_objdir/$realname.d/$shared_archive_member_spec.imp~$AR $AR_FLAGS $output_objdir/$soname $output_objdir/$realname.d/$shared_archive_member_spec.o $output_objdir/$realname.d/$shared_archive_member_spec.imp' + else + # used by -dlpreopen to get the symbols + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$MV $output_objdir/$realname.d/$soname $output_objdir' + fi + _LT_TAGVAR(archive_expsym_cmds, $1)="$_LT_TAGVAR(archive_expsym_cmds, $1)"'~$RM -r $output_objdir/$realname.d' + fi + fi + ;; + + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. FIXME + _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + chorus*) + case $cc_basename in + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + cygwin* | mingw* | pw32* | cegcc*) + case $GXX,$cc_basename in + ,cl* | no,cl*) + # Native MSVC + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='@' + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=.dll + # FIXME: Setting linknames here is a bad hack. 
+ _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~linknames=' + _LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then + cp "$export_symbols" "$output_objdir/$soname.def"; + echo "$tool_output_objdir$soname.def" > "$output_objdir/$soname.exp"; + else + $SED -e '\''s/^/-link -EXPORT:/'\'' < $export_symbols > $output_objdir/$soname.exp; + fi~ + $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ + linknames=' + # The linker will not automatically build a static lib if we build a DLL. + # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + # Don't use ranlib + _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' + _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~ + lt_tool_outputfile="@TOOL_OUTPUT@"~ + case $lt_outputfile in + *.exe|*.EXE) ;; + *) + lt_outputfile=$lt_outputfile.exe + lt_tool_outputfile=$lt_tool_outputfile.exe + ;; + esac~ + func_to_tool_file "$lt_outputfile"~ + if test : != "$MANIFEST_TOOL" && test -f "$lt_outputfile.manifest"; then + $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; + $RM "$lt_outputfile.manifest"; + fi' + ;; + *) + # g++ + # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, + # as there is no search path for DLLs. 
+ _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-all-symbols' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file, use it as + # is; otherwise, prepend EXPORTS... + _LT_TAGVAR(archive_expsym_cmds, $1)='if _LT_DLL_DEF_P([$export_symbols]); then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname $wl--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + darwin* | rhapsody*) + _LT_DARWIN_LINKER_FEATURES($1) + ;; + + os2*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + shrext_cmds=.dll + _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY ${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + emxexp $libobjs | $SED /"_DLL_InitTerm"/d >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + _LT_TAGVAR(archive_expsym_cmds, $1)='$ECHO "LIBRARY 
${soname%$shared_ext} INITINSTANCE TERMINSTANCE" > $output_objdir/$libname.def~ + $ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~ + $ECHO "DATA MULTIPLE NONSHARED" >> $output_objdir/$libname.def~ + $ECHO EXPORTS >> $output_objdir/$libname.def~ + prefix_cmds="$SED"~ + if test EXPORTS = "`$SED 1q $export_symbols`"; then + prefix_cmds="$prefix_cmds -e 1d"; + fi~ + prefix_cmds="$prefix_cmds -e \"s/^\(.*\)$/_\1/g\""~ + cat $export_symbols | $prefix_cmds >> $output_objdir/$libname.def~ + $CC -Zdll -Zcrtdll -o $output_objdir/$soname $libobjs $deplibs $compiler_flags $output_objdir/$libname.def~ + emximp -o $lib $output_objdir/$libname.def' + _LT_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/${libname}_dll.a $output_objdir/$libname.def' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; + + dgux*) + case $cc_basename in + ec++*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + ghcx*) + # Green Hills C++ Compiler + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + freebsd2.*) + # C++ shared libraries reported to be fairly broken before + # switch to ELF + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + freebsd-elf*) + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + ;; + + freebsd* | dragonfly*) + # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF + # conventions + _LT_TAGVAR(ld_shlibs, $1)=yes + ;; + + haiku*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + hpux9*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, + # but as the default + # location of 
the library. + + case $cc_basename in + CC*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aCC*) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b $wl+b $wl$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + ;; + *) + if test yes = "$GXX"; then + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag $wl+b $wl$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test "x$output_objdir/$soname" = "x$lib" || mv $output_objdir/$soname $lib' + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + hpux10*|hpux11*) + if test no = "$with_gnu_ld"; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl+b $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + case $host_cpu in + hppa*64*|ia64*) + ;; + *) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + ;; + esac + fi + case $host_cpu in + hppa*64*|ia64*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + *) + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the 
search PATH, + # but as the default + # location of the library. + ;; + esac + + case $cc_basename in + CC*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aCC*) + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -b $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + esac + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. 
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + ;; + *) + if test yes = "$GXX"; then + if test no = "$with_gnu_ld"; then + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC $wl+h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag $wl+h $wl$soname $wl+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag $wl+h $wl$soname $wl+b $wl$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + esac + fi + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + interix[[3-9]]*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. 
+ _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s|^|_|" $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags $wl-h,$soname $wl--retain-symbols-file,$output_objdir/$soname.expsym $wl--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + irix5* | irix6*) + case $cc_basename in + CC*) + # SGI C++ + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + + # Archives containing C++ object files must be created using + # "CC -ar", where "CC" is the IRIX C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. 
+ _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs' + ;; + *) + if test yes = "$GXX"; then + if test no = "$with_gnu_ld"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` -o $lib' + fi + fi + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + esac + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(inherit_rpath, $1)=yes + ;; + + linux* | k*bsd*-gnu | kopensolaris*-gnu | gnu*) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler + + # KCC will only create a shared library if the output file + # ends with ".so" (or ".sl" for HP-UX), so rename the library + # to its proper name (with version) after linking. + _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\$tempext\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\$tempext\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib $wl-retain-symbols-file,$export_symbols; mv \$templib $lib' + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. 
+ # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' + + # Archives containing C++ object files must be created using + # "CC -Bstatic", where "CC" is the KAI C++ compiler. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' + ;; + icpc* | ecpc* ) + # Intel C++ + with_gnu_ld=yes + # version 8.0 and above of icpc choke on multiply defined symbols + # if we add $predep_objects and $postdep_objects, however 7.1 and + # earlier do not add the objects themselves. 
+ case `$CC -V 2>&1` in + *"Version 7."*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + ;; + *) # Version 8.0 or newer + tmp_idyn= + case $host_cpu in + ia64*) tmp_idyn=' -i_dynamic';; + esac + _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + ;; + esac + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive$convenience $wl--no-whole-archive' + ;; + pgCC* | pgcpp*) + # Portland Group C++ compiler + case `$CC -V` in + *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*) + _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~ + compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"' + _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~ + $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~ + $RANLIB $oldlib' + _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ + $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags $wl-soname 
$wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ + $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + ;; + *) # Version 6 and above use weak symbols + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname $wl-retain-symbols-file $wl$export_symbols -o $lib' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl--rpath $wl$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` $wl--no-whole-archive' + ;; + cxx*) + # Compaq C++ + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname -o $lib $wl-retain-symbols-file $wl$export_symbols' + + runpath_var=LD_RUN_PATH + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. 
+ # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed' + ;; + xl* | mpixl* | bgxl*) + # IBM XL 8.0 on PPC, with GNU ld + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl--export-dynamic' + _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags $wl-soname $wl$soname -o $lib' + if test yes = "$supports_anon_versioning"; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC -qmkshrobj $libobjs $deplibs $compiler_flags $wl-soname $wl$soname $wl-version-script $wl$output_objdir/$libname.ver -o $lib' + fi + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' + _LT_TAGVAR(archive_cmds, $1)='$CC -G$allow_undefined_flag -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G$allow_undefined_flag -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-retain-symbols-file $wl$export_symbols' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all 
\"$new_convenience\"` $wl--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + + # Not sure whether something based on + # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 + # would be better. + output_verbose_link_cmd='func_echo_all' + + # Archives containing C++ object files must be created using + # "CC -xar", where "CC" is the Sun C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' + ;; + esac + ;; + esac + ;; + + lynxos*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + m88k*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + mvs*) + case $cc_basename in + cxx*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + fi + # Workaround some broken pre-1.5 toolchains + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' + ;; + + *nto* | *qnx*) + _LT_TAGVAR(ld_shlibs, $1)=yes + ;; + + openbsd* | bitrig*) + if test -f /usr/libexec/ld.so; then + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`"; 
then + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-retain-symbols-file,$export_symbols -o $lib' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-E' + _LT_TAGVAR(whole_archive_flag_spec, $1)=$wlarc'--whole-archive$convenience '$wlarc'--no-whole-archive' + fi + output_verbose_link_cmd=func_echo_all + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + osf3* | osf4* | osf5*) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler + + # KCC will only create a shared library if the output file + # ends with ".so" (or ".sl" for HP-UX), so rename the library + # to its proper name (with version) after linking. + _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\$tempext\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Archives containing C++ object files must be created using + # the KAI C++ compiler. 
+ case $host in + osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;; + *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;; + esac + ;; + RCC*) + # Rational C++ 2.4.1 + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + cxx*) + case $host in + osf3*) + _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $soname `test -n "$verstring" && func_echo_all "$wl-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + ;; + *) + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ + echo "-hidden">> $lib.exp~ + $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname $wl-input $wl$lib.exp `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry $output_objdir/so_locations -o $lib~ + $RM $lib.exp' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. 
+ # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + ;; + *) + if test yes,no = "$GXX,$with_gnu_ld"; then + _LT_TAGVAR(allow_undefined_flag, $1)=' $wl-expect_unresolved $wl\*' + case $host in + osf3*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-msym $wl-soname $wl$soname `test -n "$verstring" && func_echo_all "$wl-set_version $wl$verstring"` $wl-update_registry $wl$output_objdir/so_locations -o $lib' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-rpath $wl$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. 
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + psos*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + sunos4*) + case $cc_basename in + CC*) + # Sun C++ 4.x + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + lcc*) + # Lucid + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + solaris*) + case $cc_basename in + CC* | sunCC*) + # Sun C++ 4.2, 5.x and Centerline C++ + _LT_TAGVAR(archive_cmds_need_lc,$1)=yes + _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' + _LT_TAGVAR(archive_cmds, $1)='$CC -G$allow_undefined_flag -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G$allow_undefined_flag $wl-M $wl$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands '-z linker_flag'. + # Supported since Solaris 2.6 (maybe 2.5.1?) + _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + ;; + esac + _LT_TAGVAR(link_all_deplibs, $1)=yes + + output_verbose_link_cmd='func_echo_all' + + # Archives containing C++ object files must be created using + # "CC -xar", where "CC" is the Sun C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. 
+ _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' + ;; + gcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-h $wl$soname -o $lib' + + # The C++ compiler must be used to create the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs' + ;; + *) + # GNU C++ compiler with Solaris linker + if test yes,no = "$GXX,$with_gnu_ld"; then + _LT_TAGVAR(no_undefined_flag, $1)=' $wl-z ${wl}defs' + if $CC --version | $GREP -v '^2\.7' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-h $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared $pic_flag -nostdlib $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + else + # g++ 2.7 appears to require '-G' NOT '-shared' on this + # platform. 
+ _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags $wl-h $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G -nostdlib $wl-M $wl$lib.exp $wl-h $wl$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + fi + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir' + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + _LT_TAGVAR(whole_archive_flag_spec, $1)='$wl-z ${wl}allextract$convenience $wl-z ${wl}defaultextract' + ;; + esac + fi + ;; + esac + ;; + + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var='LD_RUN_PATH' + + case $cc_basename in + CC*) + _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + sysv5* | sco3.2v5* | sco5v6*) + # Note: We CANNOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just 
about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + _LT_TAGVAR(no_undefined_flag, $1)='$wl-z,text' + _LT_TAGVAR(allow_undefined_flag, $1)='$wl-z,nodefs' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='$wl-Bexport' + runpath_var='LD_RUN_PATH' + + case $cc_basename in + CC*) + _LT_TAGVAR(archive_cmds, $1)='$CC -G $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~ + '"$_LT_TAGVAR(old_archive_cmds, $1)" + _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~ + '"$_LT_TAGVAR(reload_cmds, $1)" + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $wl-Bexport:$export_symbols $wl-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + tandem*) + case $cc_basename in + NCC*) + # NonStop-UX NCC 3.20 + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + vxworks*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + + AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) + test no = "$_LT_TAGVAR(ld_shlibs, $1)" && can_build_shared=no + + _LT_TAGVAR(GCC, $1)=$GXX + _LT_TAGVAR(LD, $1)=$LD + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the 
following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_SYS_HIDDEN_LIBDEPS($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + CC=$lt_save_CC + CFLAGS=$lt_save_CFLAGS + LDCXX=$LD + LD=$lt_save_LD + GCC=$lt_save_GCC + with_gnu_ld=$lt_save_with_gnu_ld + lt_cv_path_LDCXX=$lt_cv_path_LD + lt_cv_path_LD=$lt_save_path_LD + lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld + lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld +fi # test yes != "$_lt_caught_CXX_error" + +AC_LANG_POP +])# _LT_LANG_CXX_CONFIG + + +# _LT_FUNC_STRIPNAME_CNF +# ---------------------- +# func_stripname_cnf prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +# +# This function is identical to the (non-XSI) version of func_stripname, +# except this one can be used by m4 code that may be executed by configure, +# rather than the libtool script. +m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl +AC_REQUIRE([_LT_DECL_SED]) +AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH]) +func_stripname_cnf () +{ + case @S|@2 in + .*) func_stripname_result=`$ECHO "@S|@3" | $SED "s%^@S|@1%%; s%\\\\@S|@2\$%%"`;; + *) func_stripname_result=`$ECHO "@S|@3" | $SED "s%^@S|@1%%; s%@S|@2\$%%"`;; + esac +} # func_stripname_cnf +])# _LT_FUNC_STRIPNAME_CNF + + +# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME]) +# --------------------------------- +# Figure out "hidden" library dependencies from verbose +# compiler output when linking a shared library. +# Parse the compiler output and extract the necessary +# objects, libraries and library flags. 
+m4_defun([_LT_SYS_HIDDEN_LIBDEPS], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl +# Dependencies to place before and after the object being linked: +_LT_TAGVAR(predep_objects, $1)= +_LT_TAGVAR(postdep_objects, $1)= +_LT_TAGVAR(predeps, $1)= +_LT_TAGVAR(postdeps, $1)= +_LT_TAGVAR(compiler_lib_search_path, $1)= + +dnl we can't use the lt_simple_compile_test_code here, +dnl because it contains code intended for an executable, +dnl not a library. It's possible we should let each +dnl tag define a new lt_????_link_test_code variable, +dnl but it's only used here... +m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF +int a; +void foo (void) { a = 0; } +_LT_EOF +], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF +class Foo +{ +public: + Foo (void) { a = 0; } +private: + int a; +}; +_LT_EOF +], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF + subroutine foo + implicit none + integer*4 a + a=0 + return + end +_LT_EOF +], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF + subroutine foo + implicit none + integer a + a=0 + return + end +_LT_EOF +], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF +public class foo { + private int a; + public void bar (void) { + a = 0; + } +}; +_LT_EOF +], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF +package foo +func foo() { +} +_LT_EOF +]) + +_lt_libdeps_save_CFLAGS=$CFLAGS +case "$CC $CFLAGS " in #( +*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;; +*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;; +*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;; +esac + +dnl Parse the compiler output and extract the necessary +dnl objects, libraries and library flags. +if AC_TRY_EVAL(ac_compile); then + # Parse the compiler output and extract the necessary + # objects, libraries and library flags. + + # Sentinel used to keep track of whether or not we are before + # the conftest object file. 
+ pre_test_object_deps_done=no + + for p in `eval "$output_verbose_link_cmd"`; do + case $prev$p in + + -L* | -R* | -l*) + # Some compilers place space between "-{L,R}" and the path. + # Remove the space. + if test x-L = "$p" || + test x-R = "$p"; then + prev=$p + continue + fi + + # Expand the sysroot to ease extracting the directories later. + if test -z "$prev"; then + case $p in + -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;; + -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;; + -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;; + esac + fi + case $p in + =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;; + esac + if test no = "$pre_test_object_deps_done"; then + case $prev in + -L | -R) + # Internal compiler library paths should come after those + # provided the user. The postdeps already come after the + # user supplied libs so there is no need to process them. + if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then + _LT_TAGVAR(compiler_lib_search_path, $1)=$prev$p + else + _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} $prev$p" + fi + ;; + # The "-l" case would never come before the object being + # linked, so don't bother handling this case. + esac + else + if test -z "$_LT_TAGVAR(postdeps, $1)"; then + _LT_TAGVAR(postdeps, $1)=$prev$p + else + _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} $prev$p" + fi + fi + prev= + ;; + + *.lto.$objext) ;; # Ignore GCC LTO objects + *.$objext) + # This assumes that the test object file only shows up + # once in the compiler output. 
+ if test "$p" = "conftest.$objext"; then + pre_test_object_deps_done=yes + continue + fi + + if test no = "$pre_test_object_deps_done"; then + if test -z "$_LT_TAGVAR(predep_objects, $1)"; then + _LT_TAGVAR(predep_objects, $1)=$p + else + _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p" + fi + else + if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then + _LT_TAGVAR(postdep_objects, $1)=$p + else + _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p" + fi + fi + ;; + + *) ;; # Ignore the rest. + + esac + done + + # Clean up. + rm -f a.out a.exe +else + echo "libtool.m4: error: problem compiling $1 test program" +fi + +$RM -f confest.$objext +CFLAGS=$_lt_libdeps_save_CFLAGS + +# PORTME: override above test on systems where it is broken +m4_if([$1], [CXX], +[case $host_os in +interix[[3-9]]*) + # Interix 3.5 installs completely hosed .la files for C++, so rather than + # hack all around it, let's just trust "g++" to DTRT. + _LT_TAGVAR(predep_objects,$1)= + _LT_TAGVAR(postdep_objects,$1)= + _LT_TAGVAR(postdeps,$1)= + ;; +esac +]) + +case " $_LT_TAGVAR(postdeps, $1) " in +*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;; +esac + _LT_TAGVAR(compiler_lib_search_dirs, $1)= +if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then + _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | $SED -e 's! -L! 
!g' -e 's!^ !!'` +fi +_LT_TAGDECL([], [compiler_lib_search_dirs], [1], + [The directories searched by this compiler when creating a shared library]) +_LT_TAGDECL([], [predep_objects], [1], + [Dependencies to place before and after the objects being linked to + create a shared library]) +_LT_TAGDECL([], [postdep_objects], [1]) +_LT_TAGDECL([], [predeps], [1]) +_LT_TAGDECL([], [postdeps], [1]) +_LT_TAGDECL([], [compiler_lib_search_path], [1], + [The library search path used internally by the compiler when linking + a shared library]) +])# _LT_SYS_HIDDEN_LIBDEPS + + +# _LT_LANG_F77_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for a Fortran 77 compiler are +# suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to 'libtool'. +m4_defun([_LT_LANG_F77_CONFIG], +[AC_LANG_PUSH(Fortran 77) +if test -z "$F77" || test no = "$F77"; then + _lt_disable_F77=yes +fi + +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for f77 test sources. +ac_ext=f + +# Object file extension for compiled f77 test sources. 
+objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the F77 compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test yes != "$_lt_disable_F77"; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="\ + subroutine t + return + end +" + + # Code to be used in simple link tests + lt_simple_link_test_code="\ + program t + end +" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC=$CC + lt_save_GCC=$GCC + lt_save_CFLAGS=$CFLAGS + CC=${F77-"f77"} + CFLAGS=$FFLAGS + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + GCC=$G77 + if test -n "$compiler"; then + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test no = "$can_build_shared" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. 
+ case $host_os in + aix3*) + test yes = "$enable_shared" && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + aix[[4-9]]*) + if test ia64 != "$host_cpu"; then + case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in + yes,aix,yes) ;; # shared object as lib.so file only + yes,svr4,*) ;; # shared object as lib.so archive member only + yes,*) enable_static=no ;; # shared object in lib.a archive as well + esac + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test yes = "$enable_shared" || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_TAGVAR(GCC, $1)=$G77 + _LT_TAGVAR(LD, $1)=$LD + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + GCC=$lt_save_GCC + CC=$lt_save_CC + CFLAGS=$lt_save_CFLAGS +fi # test yes != "$_lt_disable_F77" + +AC_LANG_POP +])# _LT_LANG_F77_CONFIG + + +# _LT_LANG_FC_CONFIG([TAG]) +# ------------------------- +# Ensure that the configuration variables for a Fortran compiler are +# suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to 'libtool'. 
+m4_defun([_LT_LANG_FC_CONFIG], +[AC_LANG_PUSH(Fortran) + +if test -z "$FC" || test no = "$FC"; then + _lt_disable_FC=yes +fi + +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for fc test sources. +ac_ext=${ac_fc_srcext-f} + +# Object file extension for compiled fc test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the FC compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test yes != "$_lt_disable_FC"; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="\ + subroutine t + return + end +" + + # Code to be used in simple link tests + lt_simple_link_test_code="\ + program t + end +" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. 
+ lt_save_CC=$CC + lt_save_GCC=$GCC + lt_save_CFLAGS=$CFLAGS + CC=${FC-"f95"} + CFLAGS=$FCFLAGS + compiler=$CC + GCC=$ac_cv_fc_compiler_gnu + + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test no = "$can_build_shared" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test yes = "$enable_shared" && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + aix[[4-9]]*) + if test ia64 != "$host_cpu"; then + case $enable_shared,$with_aix_soname,$aix_use_runtimelinking in + yes,aix,yes) ;; # shared object as lib.so file only + yes,svr4,*) ;; # shared object as lib.so archive member only + yes,*) enable_static=no ;; # shared object in lib.a archive as well + esac + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test yes = "$enable_shared" || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_TAGVAR(GCC, $1)=$ac_cv_fc_compiler_gnu + _LT_TAGVAR(LD, $1)=$LD + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... 
+ _LT_SYS_HIDDEN_LIBDEPS($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + GCC=$lt_save_GCC + CC=$lt_save_CC + CFLAGS=$lt_save_CFLAGS +fi # test yes != "$_lt_disable_FC" + +AC_LANG_POP +])# _LT_LANG_FC_CONFIG + + +# _LT_LANG_GCJ_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for the GNU Java Compiler compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to 'libtool'. +m4_defun([_LT_LANG_GCJ_CONFIG], +[AC_REQUIRE([LT_PROG_GCJ])dnl +AC_LANG_SAVE + +# Source file extension for Java test sources. +ac_ext=java + +# Object file extension for compiled Java test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="class foo {}" + +# Code to be used in simple link tests +lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }' + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC=$CC +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC=yes +CC=${GCJ-"gcj"} +CFLAGS=$GCJFLAGS +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_TAGVAR(LD, $1)=$LD +_LT_CC_BASENAME([$compiler]) + +# GCJ did not exist at the time GCC didn't implicitly link libc in. 
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no + +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds + +## CAVEAT EMPTOR: +## There is no encapsulation within the following macros, do not change +## the running order or otherwise move them around unless you know exactly +## what you are doing... +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) +fi + +AC_LANG_RESTORE + +GCC=$lt_save_GCC +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_GCJ_CONFIG + + +# _LT_LANG_GO_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for the GNU Go compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to 'libtool'. +m4_defun([_LT_LANG_GO_CONFIG], +[AC_REQUIRE([LT_PROG_GO])dnl +AC_LANG_SAVE + +# Source file extension for Go test sources. +ac_ext=go + +# Object file extension for compiled Go test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="package main; func main() { }" + +# Code to be used in simple link tests +lt_simple_link_test_code='package main; func main() { }' + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC=$CC +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC=yes +CC=${GOC-"gccgo"} +CFLAGS=$GOFLAGS +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_TAGVAR(LD, $1)=$LD +_LT_CC_BASENAME([$compiler]) + +# Go did not exist at the time GCC didn't implicitly link libc in. 
+_LT_TAGVAR(archive_cmds_need_lc, $1)=no + +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds + +## CAVEAT EMPTOR: +## There is no encapsulation within the following macros, do not change +## the running order or otherwise move them around unless you know exactly +## what you are doing... +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) +fi + +AC_LANG_RESTORE + +GCC=$lt_save_GCC +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_GO_CONFIG + + +# _LT_LANG_RC_CONFIG([TAG]) +# ------------------------- +# Ensure that the configuration variables for the Windows resource compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to 'libtool'. +m4_defun([_LT_LANG_RC_CONFIG], +[AC_REQUIRE([LT_PROG_RC])dnl +AC_LANG_SAVE + +# Source file extension for RC test sources. +ac_ext=rc + +# Object file extension for compiled RC test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' + +# Code to be used in simple link tests +lt_simple_link_test_code=$lt_simple_compile_test_code + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. 
+lt_save_CC=$CC +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC= +CC=${RC-"windres"} +CFLAGS= +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_CC_BASENAME([$compiler]) +_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes + +if test -n "$compiler"; then + : + _LT_CONFIG($1) +fi + +GCC=$lt_save_GCC +AC_LANG_RESTORE +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_RC_CONFIG + + +# LT_PROG_GCJ +# ----------- +AC_DEFUN([LT_PROG_GCJ], +[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ], + [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ], + [AC_CHECK_TOOL(GCJ, gcj,) + test set = "${GCJFLAGS+set}" || GCJFLAGS="-g -O2" + AC_SUBST(GCJFLAGS)])])[]dnl +]) + +# Old name: +AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_GCJ], []) + + +# LT_PROG_GO +# ---------- +AC_DEFUN([LT_PROG_GO], +[AC_CHECK_TOOL(GOC, gccgo,) +]) + + +# LT_PROG_RC +# ---------- +AC_DEFUN([LT_PROG_RC], +[AC_CHECK_TOOL(RC, windres,) +]) + +# Old name: +AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_RC], []) + + +# _LT_DECL_EGREP +# -------------- +# If we don't have a new enough Autoconf to choose the best grep +# available, choose the one first in the user's PATH. +m4_defun([_LT_DECL_EGREP], +[AC_REQUIRE([AC_PROG_EGREP])dnl +AC_REQUIRE([AC_PROG_FGREP])dnl +test -z "$GREP" && GREP=grep +_LT_DECL([], [GREP], [1], [A grep program that handles long lines]) +_LT_DECL([], [EGREP], [1], [An ERE matcher]) +_LT_DECL([], [FGREP], [1], [A literal string matcher]) +dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too +AC_SUBST([GREP]) +]) + + +# _LT_DECL_OBJDUMP +# -------------- +# If we don't have a new enough Autoconf to choose the best objdump +# available, choose the one first in the user's PATH. 
+m4_defun([_LT_DECL_OBJDUMP], +[AC_CHECK_TOOL(OBJDUMP, objdump, false) +test -z "$OBJDUMP" && OBJDUMP=objdump +_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper]) +AC_SUBST([OBJDUMP]) +]) + +# _LT_DECL_DLLTOOL +# ---------------- +# Ensure DLLTOOL variable is set. +m4_defun([_LT_DECL_DLLTOOL], +[AC_CHECK_TOOL(DLLTOOL, dlltool, false) +test -z "$DLLTOOL" && DLLTOOL=dlltool +_LT_DECL([], [DLLTOOL], [1], [DLL creation program]) +AC_SUBST([DLLTOOL]) +]) + +# _LT_DECL_SED +# ------------ +# Check for a fully-functional sed program, that truncates +# as few characters as possible. Prefer GNU sed if found. +m4_defun([_LT_DECL_SED], +[AC_PROG_SED +test -z "$SED" && SED=sed +Xsed="$SED -e 1s/^X//" +_LT_DECL([], [SED], [1], [A sed program that does not truncate output]) +_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"], + [Sed that helps us avoid accidentally triggering echo(1) options like -n]) +])# _LT_DECL_SED + +m4_ifndef([AC_PROG_SED], [ +############################################################ +# NOTE: This macro has been submitted for inclusion into # +# GNU Autoconf as AC_PROG_SED. When it is available in # +# a released version of Autoconf we should remove this # +# macro and use it instead. # +############################################################ + +m4_defun([AC_PROG_SED], +[AC_MSG_CHECKING([for a sed that does not truncate output]) +AC_CACHE_VAL(lt_cv_path_SED, +[# Loop through the user's path and test for sed and gsed. +# Then use that list of sed's as ones to test for truncation. +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. 
+ for lt_ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then + lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" + fi + done + done +done +IFS=$as_save_IFS +lt_ac_max=0 +lt_ac_count=0 +# Add /usr/xpg4/bin/sed as it is typically found on Solaris +# along with /bin/sed that truncates output. +for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do + test ! -f "$lt_ac_sed" && continue + cat /dev/null > conftest.in + lt_ac_count=0 + echo $ECHO_N "0123456789$ECHO_C" >conftest.in + # Check for GNU sed and select it if it is found. + if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then + lt_cv_path_SED=$lt_ac_sed + break + fi + while true; do + cat conftest.in conftest.in >conftest.tmp + mv conftest.tmp conftest.in + cp conftest.in conftest.nl + echo >>conftest.nl + $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break + cmp -s conftest.out conftest.nl || break + # 10000 chars as input seems more than enough + test 10 -lt "$lt_ac_count" && break + lt_ac_count=`expr $lt_ac_count + 1` + if test "$lt_ac_count" -gt "$lt_ac_max"; then + lt_ac_max=$lt_ac_count + lt_cv_path_SED=$lt_ac_sed + fi + done +done +]) +SED=$lt_cv_path_SED +AC_SUBST([SED]) +AC_MSG_RESULT([$SED]) +])#AC_PROG_SED +])#m4_ifndef + +# Old name: +AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_SED], []) + + +# _LT_CHECK_SHELL_FEATURES +# ------------------------ +# Find out whether the shell is Bourne or XSI compatible, +# or has some other useful features. 
+m4_defun([_LT_CHECK_SHELL_FEATURES], +[if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + lt_unset=unset +else + lt_unset=false +fi +_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl + +# test EBCDIC or ASCII +case `echo X|tr X '\101'` in + A) # ASCII based system + # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr + lt_SP2NL='tr \040 \012' + lt_NL2SP='tr \015\012 \040\040' + ;; + *) # EBCDIC based system + lt_SP2NL='tr \100 \n' + lt_NL2SP='tr \r\n \100\100' + ;; +esac +_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl +_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl +])# _LT_CHECK_SHELL_FEATURES + + +# _LT_PATH_CONVERSION_FUNCTIONS +# ----------------------------- +# Determine what file name conversion functions should be used by +# func_to_host_file (and, implicitly, by func_to_host_path). These are needed +# for certain cross-compile configurations and native mingw. +m4_defun([_LT_PATH_CONVERSION_FUNCTIONS], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_CANONICAL_BUILD])dnl +AC_MSG_CHECKING([how to convert $build file names to $host format]) +AC_CACHE_VAL(lt_cv_to_host_file_cmd, +[case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32 + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32 + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32 + ;; + esac + ;; + *-*-cygwin* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin + ;; + esac + ;; + * ) # unhandled hosts (and "normal" native builds) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; +esac +]) +to_host_file_cmd=$lt_cv_to_host_file_cmd 
+AC_MSG_RESULT([$lt_cv_to_host_file_cmd]) +_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd], + [0], [convert $build file names to $host format])dnl + +AC_MSG_CHECKING([how to convert $build file names to toolchain format]) +AC_CACHE_VAL(lt_cv_to_tool_file_cmd, +[#assume ordinary cross tools, or native build. +lt_cv_to_tool_file_cmd=func_convert_file_noop +case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32 + ;; + esac + ;; +esac +]) +to_tool_file_cmd=$lt_cv_to_tool_file_cmd +AC_MSG_RESULT([$lt_cv_to_tool_file_cmd]) +_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd], + [0], [convert $build files to toolchain format])dnl +])# _LT_PATH_CONVERSION_FUNCTIONS diff --git a/m4/longdouble.m4 b/m4/longdouble.m4 new file mode 100644 index 0000000..40cd7ce --- /dev/null +++ b/m4/longdouble.m4 @@ -0,0 +1,28 @@ +# longdouble.m4 serial 1 (gettext-0.12) +dnl Copyright (C) 2002-2003 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl From Bruno Haible. +dnl Test whether the compiler supports the 'long double' type. +dnl Prerequisite: AC_PROG_CC + +AC_DEFUN([gt_TYPE_LONGDOUBLE], +[ + AC_CACHE_CHECK([for long double], gt_cv_c_long_double, + [if test "$GCC" = yes; then + gt_cv_c_long_double=yes + else + AC_TRY_COMPILE([ + /* The Stardent Vistra knows sizeof(long double), but does not support it. */ + long double foo = 0.0; + /* On Ultrix 4.3 cc, long double is 4 and double is 8. */ + int array [2*(sizeof(long double) >= sizeof(double)) - 1]; + ], , + gt_cv_c_long_double=yes, gt_cv_c_long_double=no) + fi]) + if test $gt_cv_c_long_double = yes; then + AC_DEFINE(HAVE_LONG_DOUBLE, 1, [Define if you have the 'long double' type.]) + fi +]) 
diff --git a/m4/longlong.m4 b/m4/longlong.m4
new file mode 100644
index 0000000..7b399e0
--- /dev/null
+++ b/m4/longlong.m4
@@ -0,0 +1,23 @@
+# longlong.m4 serial 5
+dnl Copyright (C) 1999-2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Paul Eggert.
+
+# Define HAVE_LONG_LONG if 'long long' works.
+
+AC_DEFUN([gl_AC_TYPE_LONG_LONG],
+[
+ AC_CACHE_CHECK([for long long], ac_cv_type_long_long,
+ [AC_TRY_LINK([long long ll = 1LL; int i = 63;],
+ [long long llmax = (long long) -1;
+ return ll << i | ll >> i | llmax / ll | llmax % ll;],
+ ac_cv_type_long_long=yes,
+ ac_cv_type_long_long=no)])
+ if test $ac_cv_type_long_long = yes; then
+ AC_DEFINE(HAVE_LONG_LONG, 1,
+ [Define if you have the 'long long' type.])
+ fi
+])
diff --git a/m4/ltoptions.m4 b/m4/ltoptions.m4
new file mode 100644
index 0000000..94b0829
--- /dev/null
+++ b/m4/ltoptions.m4
@@ -0,0 +1,437 @@ +# Helper functions for option handling. -*- Autoconf -*- +# +# Copyright (C) 2004-2005, 2007-2009, 2011-2015 Free Software +# Foundation, Inc. +# Written by Gary V. Vaughan, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 8 ltoptions.m4 + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])]) + + +# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME) +# ------------------------------------------ +m4_define([_LT_MANGLE_OPTION], +[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])]) + + +# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME) +# --------------------------------------- +# Set option OPTION-NAME for macro MACRO-NAME, and if there is a +# matching handler defined, dispatch to it. Other OPTION-NAMEs are +# saved as a flag. +m4_define([_LT_SET_OPTION], +[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl +m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]), + _LT_MANGLE_DEFUN([$1], [$2]), + [m4_warning([Unknown $1 option '$2'])])[]dnl +]) + + +# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET]) +# ------------------------------------------------------------ +# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. +m4_define([_LT_IF_OPTION], +[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])]) + + +# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET) +# ------------------------------------------------------- +# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME +# are set. 
+m4_define([_LT_UNLESS_OPTIONS], +[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), + [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option), + [m4_define([$0_found])])])[]dnl +m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3 +])[]dnl +]) + + +# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST) +# ---------------------------------------- +# OPTION-LIST is a space-separated list of Libtool options associated +# with MACRO-NAME. If any OPTION has a matching handler declared with +# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about +# the unknown option and exit. +m4_defun([_LT_SET_OPTIONS], +[# Set options +m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), + [_LT_SET_OPTION([$1], _LT_Option)]) + +m4_if([$1],[LT_INIT],[ + dnl + dnl Simply set some default values (i.e off) if boolean options were not + dnl specified: + _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no + ]) + _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no + ]) + dnl + dnl If no reference was made to various pairs of opposing options, then + dnl we run the default mode handler for the pair. For example, if neither + dnl 'shared' nor 'disable-shared' was passed, we enable building of shared + dnl archives by default: + _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED]) + _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC]) + _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC]) + _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install], + [_LT_ENABLE_FAST_INSTALL]) + _LT_UNLESS_OPTIONS([LT_INIT], [aix-soname=aix aix-soname=both aix-soname=svr4], + [_LT_WITH_AIX_SONAME([aix])]) + ]) +])# _LT_SET_OPTIONS + + +## --------------------------------- ## +## Macros to handle LT_INIT options. 
## +## --------------------------------- ## + +# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME) +# ----------------------------------------- +m4_define([_LT_MANGLE_DEFUN], +[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])]) + + +# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE) +# ----------------------------------------------- +m4_define([LT_OPTION_DEFINE], +[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl +])# LT_OPTION_DEFINE + + +# dlopen +# ------ +LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes +]) + +AU_DEFUN([AC_LIBTOOL_DLOPEN], +[_LT_SET_OPTION([LT_INIT], [dlopen]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the 'dlopen' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], []) + + +# win32-dll +# --------- +# Declare package support for building win32 dll's. +LT_OPTION_DEFINE([LT_INIT], [win32-dll], +[enable_win32_dll=yes + +case $host in +*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*) + AC_CHECK_TOOL(AS, as, false) + AC_CHECK_TOOL(DLLTOOL, dlltool, false) + AC_CHECK_TOOL(OBJDUMP, objdump, false) + ;; +esac + +test -z "$AS" && AS=as +_LT_DECL([], [AS], [1], [Assembler program])dnl + +test -z "$DLLTOOL" && DLLTOOL=dlltool +_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl + +test -z "$OBJDUMP" && OBJDUMP=objdump +_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl +])# win32-dll + +AU_DEFUN([AC_LIBTOOL_WIN32_DLL], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +_LT_SET_OPTION([LT_INIT], [win32-dll]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the 'win32-dll' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], []) + + +# _LT_ENABLE_SHARED([DEFAULT]) +# ---------------------------- +# implement the --enable-shared flag, and supports the 'shared' and +# 'disable-shared' LT_INIT 
options. +# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'. +m4_define([_LT_ENABLE_SHARED], +[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([shared], + [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@], + [build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_shared=yes ;; + no) enable_shared=no ;; + *) + enable_shared=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_shared=yes + fi + done + IFS=$lt_save_ifs + ;; + esac], + [enable_shared=]_LT_ENABLE_SHARED_DEFAULT) + + _LT_DECL([build_libtool_libs], [enable_shared], [0], + [Whether or not to build shared libraries]) +])# _LT_ENABLE_SHARED + +LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])]) + +# Old names: +AC_DEFUN([AC_ENABLE_SHARED], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared]) +]) + +AC_DEFUN([AC_DISABLE_SHARED], +[_LT_SET_OPTION([LT_INIT], [disable-shared]) +]) + +AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)]) +AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_ENABLE_SHARED], []) +dnl AC_DEFUN([AM_DISABLE_SHARED], []) + + + +# _LT_ENABLE_STATIC([DEFAULT]) +# ---------------------------- +# implement the --enable-static flag, and support the 'static' and +# 'disable-static' LT_INIT options. +# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'. 
+m4_define([_LT_ENABLE_STATIC], +[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([static], + [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@], + [build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_static=yes ;; + no) enable_static=no ;; + *) + enable_static=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_static=yes + fi + done + IFS=$lt_save_ifs + ;; + esac], + [enable_static=]_LT_ENABLE_STATIC_DEFAULT) + + _LT_DECL([build_old_libs], [enable_static], [0], + [Whether or not to build static libraries]) +])# _LT_ENABLE_STATIC + +LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])]) + +# Old names: +AC_DEFUN([AC_ENABLE_STATIC], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static]) +]) + +AC_DEFUN([AC_DISABLE_STATIC], +[_LT_SET_OPTION([LT_INIT], [disable-static]) +]) + +AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)]) +AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_ENABLE_STATIC], []) +dnl AC_DEFUN([AM_DISABLE_STATIC], []) + + + +# _LT_ENABLE_FAST_INSTALL([DEFAULT]) +# ---------------------------------- +# implement the --enable-fast-install flag, and support the 'fast-install' +# and 'disable-fast-install' LT_INIT options. +# DEFAULT is either 'yes' or 'no'. If omitted, it defaults to 'yes'. 
+m4_define([_LT_ENABLE_FAST_INSTALL], +[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([fast-install], + [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@], + [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_fast_install=yes ;; + no) enable_fast_install=no ;; + *) + enable_fast_install=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for pkg in $enableval; do + IFS=$lt_save_ifs + if test "X$pkg" = "X$p"; then + enable_fast_install=yes + fi + done + IFS=$lt_save_ifs + ;; + esac], + [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT) + +_LT_DECL([fast_install], [enable_fast_install], [0], + [Whether or not to optimize for fast installation])dnl +])# _LT_ENABLE_FAST_INSTALL + +LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])]) + +# Old names: +AU_DEFUN([AC_ENABLE_FAST_INSTALL], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you put +the 'fast-install' option into LT_INIT's first parameter.]) +]) + +AU_DEFUN([AC_DISABLE_FAST_INSTALL], +[_LT_SET_OPTION([LT_INIT], [disable-fast-install]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you put +the 'disable-fast-install' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], []) +dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], []) + + +# _LT_WITH_AIX_SONAME([DEFAULT]) +# ---------------------------------- +# implement the --with-aix-soname flag, and support the `aix-soname=aix' +# and `aix-soname=both' and `aix-soname=svr4' LT_INIT options. DEFAULT +# is either `aix', `both' or `svr4'. 
If omitted, it defaults to `aix'. +m4_define([_LT_WITH_AIX_SONAME], +[m4_define([_LT_WITH_AIX_SONAME_DEFAULT], [m4_if($1, svr4, svr4, m4_if($1, both, both, aix))])dnl +shared_archive_member_spec= +case $host,$enable_shared in +power*-*-aix[[5-9]]*,yes) + AC_MSG_CHECKING([which variant of shared library versioning to provide]) + AC_ARG_WITH([aix-soname], + [AS_HELP_STRING([--with-aix-soname=aix|svr4|both], + [shared library versioning (aka "SONAME") variant to provide on AIX, @<:@default=]_LT_WITH_AIX_SONAME_DEFAULT[@:>@.])], + [case $withval in + aix|svr4|both) + ;; + *) + AC_MSG_ERROR([Unknown argument to --with-aix-soname]) + ;; + esac + lt_cv_with_aix_soname=$with_aix_soname], + [AC_CACHE_VAL([lt_cv_with_aix_soname], + [lt_cv_with_aix_soname=]_LT_WITH_AIX_SONAME_DEFAULT) + with_aix_soname=$lt_cv_with_aix_soname]) + AC_MSG_RESULT([$with_aix_soname]) + if test aix != "$with_aix_soname"; then + # For the AIX way of multilib, we name the shared archive member + # based on the bitwidth used, traditionally 'shr.o' or 'shr_64.o', + # and 'shr.imp' or 'shr_64.imp', respectively, for the Import File. + # Even when GNU compilers ignore OBJECT_MODE but need '-maix64' flag, + # the AIX toolchain works better with OBJECT_MODE set (default 32). + if test 64 = "${OBJECT_MODE-32}"; then + shared_archive_member_spec=shr_64 + else + shared_archive_member_spec=shr + fi + fi + ;; +*) + with_aix_soname=aix + ;; +esac + +_LT_DECL([], [shared_archive_member_spec], [0], + [Shared archive member basename, for filename based shared library versioning on AIX])dnl +])# _LT_WITH_AIX_SONAME + +LT_OPTION_DEFINE([LT_INIT], [aix-soname=aix], [_LT_WITH_AIX_SONAME([aix])]) +LT_OPTION_DEFINE([LT_INIT], [aix-soname=both], [_LT_WITH_AIX_SONAME([both])]) +LT_OPTION_DEFINE([LT_INIT], [aix-soname=svr4], [_LT_WITH_AIX_SONAME([svr4])]) + + +# _LT_WITH_PIC([MODE]) +# -------------------- +# implement the --with-pic flag, and support the 'pic-only' and 'no-pic' +# LT_INIT options. 
+# MODE is either 'yes' or 'no'. If omitted, it defaults to 'both'. +m4_define([_LT_WITH_PIC], +[AC_ARG_WITH([pic], + [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@], + [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], + [lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs=$IFS; IFS=$IFS$PATH_SEPARATOR, + for lt_pkg in $withval; do + IFS=$lt_save_ifs + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS=$lt_save_ifs + ;; + esac], + [pic_mode=m4_default([$1], [default])]) + +_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl +])# _LT_WITH_PIC + +LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])]) +LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])]) + +# Old name: +AU_DEFUN([AC_LIBTOOL_PICMODE], +[_LT_SET_OPTION([LT_INIT], [pic-only]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the 'pic-only' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_PICMODE], []) + +## ----------------- ## +## LTDL_INIT Options ## +## ----------------- ## + +m4_define([_LTDL_MODE], []) +LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive], + [m4_define([_LTDL_MODE], [nonrecursive])]) +LT_OPTION_DEFINE([LTDL_INIT], [recursive], + [m4_define([_LTDL_MODE], [recursive])]) +LT_OPTION_DEFINE([LTDL_INIT], [subproject], + [m4_define([_LTDL_MODE], [subproject])]) + +m4_define([_LTDL_TYPE], []) +LT_OPTION_DEFINE([LTDL_INIT], [installable], + [m4_define([_LTDL_TYPE], [installable])]) +LT_OPTION_DEFINE([LTDL_INIT], [convenience], + [m4_define([_LTDL_TYPE], [convenience])]) diff --git a/m4/ltsugar.m4 b/m4/ltsugar.m4 new file mode 100644 index 0000000..48bc934 --- /dev/null +++ b/m4/ltsugar.m4 
@@ -0,0 +1,124 @@ +# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*- +# +# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software +# Foundation, Inc. +# Written by Gary V. Vaughan, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 6 ltsugar.m4 + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])]) + + +# lt_join(SEP, ARG1, [ARG2...]) +# ----------------------------- +# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their +# associated separator. +# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier +# versions in m4sugar had bugs. +m4_define([lt_join], +[m4_if([$#], [1], [], + [$#], [2], [[$2]], + [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])]) +m4_define([_lt_join], +[m4_if([$#$2], [2], [], + [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])]) + + +# lt_car(LIST) +# lt_cdr(LIST) +# ------------ +# Manipulate m4 lists. +# These macros are necessary as long as will still need to support +# Autoconf-2.59, which quotes differently. +m4_define([lt_car], [[$1]]) +m4_define([lt_cdr], +[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])], + [$#], 1, [], + [m4_dquote(m4_shift($@))])]) +m4_define([lt_unquote], $1) + + +# lt_append(MACRO-NAME, STRING, [SEPARATOR]) +# ------------------------------------------ +# Redefine MACRO-NAME to hold its former content plus 'SEPARATOR''STRING'. +# Note that neither SEPARATOR nor STRING are expanded; they are appended +# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked). +# No SEPARATOR is output if MACRO-NAME was previously undefined (different +# than defined and empty). 
+# +# This macro is needed until we can rely on Autoconf 2.62, since earlier +# versions of m4sugar mistakenly expanded SEPARATOR but not STRING. +m4_define([lt_append], +[m4_define([$1], + m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])]) + + + +# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...]) +# ---------------------------------------------------------- +# Produce a SEP delimited list of all paired combinations of elements of +# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list +# has the form PREFIXmINFIXSUFFIXn. +# Needed until we can rely on m4_combine added in Autoconf 2.62. +m4_define([lt_combine], +[m4_if(m4_eval([$# > 3]), [1], + [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl +[[m4_foreach([_Lt_prefix], [$2], + [m4_foreach([_Lt_suffix], + ]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[, + [_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])]) + + +# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ]) +# ----------------------------------------------------------------------- +# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited +# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ. 
+m4_define([lt_if_append_uniq], +[m4_ifdef([$1], + [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1], + [lt_append([$1], [$2], [$3])$4], + [$5])], + [lt_append([$1], [$2], [$3])$4])]) + + +# lt_dict_add(DICT, KEY, VALUE) +# ----------------------------- +m4_define([lt_dict_add], +[m4_define([$1($2)], [$3])]) + + +# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE) +# -------------------------------------------- +m4_define([lt_dict_add_subkey], +[m4_define([$1($2:$3)], [$4])]) + + +# lt_dict_fetch(DICT, KEY, [SUBKEY]) +# ---------------------------------- +m4_define([lt_dict_fetch], +[m4_ifval([$3], + m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]), + m4_ifdef([$1($2)], [m4_defn([$1($2)])]))]) + + +# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE]) +# ----------------------------------------------------------------- +m4_define([lt_if_dict_fetch], +[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4], + [$5], + [$6])]) + + +# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...]) +# -------------------------------------------------------------- +m4_define([lt_dict_filter], +[m4_if([$5], [], [], + [lt_join(m4_quote(m4_default([$4], [[, ]])), + lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]), + [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl +]) diff --git a/m4/ltversion.m4 b/m4/ltversion.m4 new file mode 100644 index 0000000..fa04b52 --- /dev/null +++ b/m4/ltversion.m4 
@@ -0,0 +1,23 @@ +# ltversion.m4 -- version numbers -*- Autoconf -*- +# +# Copyright (C) 2004, 2011-2015 Free Software Foundation, Inc. +# Written by Scott James Remnant, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# @configure_input@ + +# serial 4179 ltversion.m4 +# This file is part of GNU Libtool + +m4_define([LT_PACKAGE_VERSION], [2.4.6]) +m4_define([LT_PACKAGE_REVISION], [2.4.6]) + +AC_DEFUN([LTVERSION_VERSION], +[macro_version='2.4.6' +macro_revision='2.4.6' +_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) +_LT_DECL(, macro_revision, 0) +]) diff --git a/m4/lt~obsolete.m4 b/m4/lt~obsolete.m4 new file mode 100644 index 0000000..c6b26f8 --- /dev/null +++ b/m4/lt~obsolete.m4 
@@ -0,0 +1,99 @@
+# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*-
+#
+# Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
+# Foundation, Inc.
+# Written by Scott James Remnant, 2004.
+#
+# This file is free software; the Free Software Foundation gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+
+# serial 5 lt~obsolete.m4
+
+# These exist entirely to fool aclocal when bootstrapping libtool.
+#
+# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN),
+# which have later been changed to m4_define as they aren't part of the
+# exported API, or moved to Autoconf or Automake where they belong.
+#
+# The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN
+# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us
+# using a macro with the same name in our local m4/libtool.m4 it'll
+# pull the old libtool.m4 in (it doesn't see our shiny new m4_define
+# and doesn't know about Autoconf macros at all.)
+#
+# So we provide this file, which has a silly filename so it's always
+# included after everything else. This provides aclocal with the
+# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
+# because those macros already exist, or will be overwritten later.
+# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
+#
+# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
+# Yes, that means every name once taken will need to remain here until
+# we give up compatibility with versions before 1.7, at which point
+# we need to keep only those names which we still refer to.
+
+# This is to help aclocal find these macros, as it can't see m4_define.
+AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])])
+
+m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])])
+m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])])
+m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])])
+m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])])
+m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])])
+m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])])
+m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])])
+m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])])
+m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])])
+m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])])
+m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])])
+m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])])
+m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])])
+m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])])
+m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])])
+m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])])
+m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])])
+m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])])
+m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])])
+m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])])
+m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])])
+m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])])
+m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])])
+m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], [AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])])
+m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])])
+m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])])
+m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])])
+m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])])
+m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])])
+m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])])
+m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])])
+m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])])
+m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])])
+m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])])
+m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])])
+m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])])
+m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])])
+m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])])
+m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])])
+m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])])
+m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])])
+m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])])
+m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])])
+m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])])
+m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])])
+m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])])
+m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])])
+m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])])
+m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])])
+m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])])
+m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])])
+m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])])
+m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])])
+m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])])
+m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])])
diff --git a/m4/nls.m4 b/m4/nls.m4
new file mode 100644
index 0000000..2082c3b
--- /dev/null
+++ b/m4/nls.m4
@@ -0,0 +1,51 @@
+# nls.m4 serial 2 (gettext-0.14.3)
+dnl Copyright (C) 1995-2003, 2005 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+dnl
+dnl This file can can be used in projects which are not available under
+dnl the GNU General Public License or the GNU Library General Public
+dnl License but which still want to provide support for the GNU gettext
+dnl functionality.
+dnl Please note that the actual code of the GNU gettext library is covered
+dnl by the GNU Library General Public License, and the rest of the GNU
+dnl gettext package package is covered by the GNU General Public License.
+dnl They are *not* in the public domain.
+
+dnl Authors:
+dnl Ulrich Drepper , 1995-2000.
+dnl Bruno Haible , 2000-2003.
+
+AC_PREREQ(2.50)
+
+AC_DEFUN([AM_NLS],
+[
+ AC_MSG_CHECKING([whether NLS is requested])
+ dnl Default is enabled NLS
+ AC_ARG_ENABLE(nls,
+ [ --disable-nls do not use Native Language Support],
+ USE_NLS=$enableval, USE_NLS=yes)
+ AC_MSG_RESULT($USE_NLS)
+ AC_SUBST(USE_NLS)
+])
+
+AC_DEFUN([AM_MKINSTALLDIRS],
+[
+ dnl Tell automake >= 1.10 to complain if mkinstalldirs is missing.
+ m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([mkinstalldirs])])
+ dnl If the AC_CONFIG_AUX_DIR macro for autoconf is used we possibly
+ dnl find the mkinstalldirs script in another subdir but $(top_srcdir).
+ dnl Try to locate it.
+ MKINSTALLDIRS=
+ if test -n "$ac_aux_dir"; then
+ case "$ac_aux_dir" in
+ /*) MKINSTALLDIRS="$ac_aux_dir/mkinstalldirs" ;;
+ *) MKINSTALLDIRS="\$(top_builddir)/$ac_aux_dir/mkinstalldirs" ;;
+ esac
+ fi
+ if test -z "$MKINSTALLDIRS"; then
+ MKINSTALLDIRS="\$(top_srcdir)/mkinstalldirs"
+ fi
+ AC_SUBST(MKINSTALLDIRS)
+])
diff --git a/m4/po.m4 b/m4/po.m4
new file mode 100644
index 0000000..f2795ee
--- /dev/null
+++ b/m4/po.m4
@@ -0,0 +1,429 @@ +# po.m4 serial 7 (gettext-0.14.3) +dnl Copyright (C) 1995-2005 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. +dnl +dnl This file can can be used in projects which are not available under +dnl the GNU General Public License or the GNU Library General Public +dnl License but which still want to provide support for the GNU gettext +dnl functionality. +dnl Please note that the actual code of the GNU gettext library is covered +dnl by the GNU Library General Public License, and the rest of the GNU +dnl gettext package package is covered by the GNU General Public License. +dnl They are *not* in the public domain. + +dnl Authors: +dnl Ulrich Drepper , 1995-2000. +dnl Bruno Haible , 2000-2003. + +AC_PREREQ(2.50) + +dnl Checks for all prerequisites of the po subdirectory. +AC_DEFUN([AM_PO_SUBDIRS], +[ + AC_REQUIRE([AC_PROG_MAKE_SET])dnl + AC_REQUIRE([AC_PROG_INSTALL])dnl + AC_REQUIRE([AM_MKINSTALLDIRS])dnl + AC_REQUIRE([AM_NLS])dnl + + dnl Perform the following tests also if --disable-nls has been given, + dnl because they are needed for "make dist" to work. + + dnl Search for GNU msgfmt in the PATH. + dnl The first test excludes Solaris msgfmt and early GNU msgfmt versions. + dnl The second test excludes FreeBSD msgfmt. + AM_PATH_PROG_WITH_TEST(MSGFMT, msgfmt, + [$ac_dir/$ac_word --statistics /dev/null >&]AS_MESSAGE_LOG_FD[ 2>&1 && + (if $ac_dir/$ac_word --statistics /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi)], + :) + AC_PATH_PROG(GMSGFMT, gmsgfmt, $MSGFMT) + + dnl Search for GNU xgettext 0.12 or newer in the PATH. + dnl The first test excludes Solaris xgettext and early GNU xgettext versions. + dnl The second test excludes FreeBSD xgettext. 
+ AM_PATH_PROG_WITH_TEST(XGETTEXT, xgettext, + [$ac_dir/$ac_word --omit-header --copyright-holder= --msgid-bugs-address= /dev/null >&]AS_MESSAGE_LOG_FD[ 2>&1 && + (if $ac_dir/$ac_word --omit-header --copyright-holder= --msgid-bugs-address= /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi)], + :) + dnl Remove leftover from FreeBSD xgettext call. + rm -f messages.po + + dnl Search for GNU msgmerge 0.11 or newer in the PATH. + AM_PATH_PROG_WITH_TEST(MSGMERGE, msgmerge, + [$ac_dir/$ac_word --update -q /dev/null /dev/null >&]AS_MESSAGE_LOG_FD[ 2>&1], :) + + dnl This could go away some day; the PATH_PROG_WITH_TEST already does it. + dnl Test whether we really found GNU msgfmt. + if test "$GMSGFMT" != ":"; then + dnl If it is no GNU msgfmt we define it as : so that the + dnl Makefiles still can work. + if $GMSGFMT --statistics /dev/null >/dev/null 2>&1 && + (if $GMSGFMT --statistics /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then + : ; + else + GMSGFMT=`echo "$GMSGFMT" | sed -e 's,^.*/,,'` + AC_MSG_RESULT( + [found $GMSGFMT program is not GNU msgfmt; ignore it]) + GMSGFMT=":" + fi + fi + + dnl This could go away some day; the PATH_PROG_WITH_TEST already does it. + dnl Test whether we really found GNU xgettext. + if test "$XGETTEXT" != ":"; then + dnl If it is no GNU xgettext we define it as : so that the + dnl Makefiles still can work. + if $XGETTEXT --omit-header --copyright-holder= --msgid-bugs-address= /dev/null >/dev/null 2>&1 && + (if $XGETTEXT --omit-header --copyright-holder= --msgid-bugs-address= /dev/null 2>&1 >/dev/null | grep usage >/dev/null; then exit 1; else exit 0; fi); then + : ; + else + AC_MSG_RESULT( + [found xgettext program is not GNU xgettext; ignore it]) + XGETTEXT=":" + fi + dnl Remove leftover from FreeBSD xgettext call. 
+ rm -f messages.po + fi + + AC_OUTPUT_COMMANDS([ + for ac_file in $CONFIG_FILES; do + # Support "outfile[:infile[:infile...]]" + case "$ac_file" in + *:*) ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + esac + # PO directories have a Makefile.in generated from Makefile.in.in. + case "$ac_file" in */Makefile.in) + # Adjust a relative srcdir. + ac_dir=`echo "$ac_file"|sed 's%/[^/][^/]*$%%'` + ac_dir_suffix="/`echo "$ac_dir"|sed 's%^\./%%'`" + ac_dots=`echo "$ac_dir_suffix"|sed 's%/[^/]*%../%g'` + # In autoconf-2.13 it is called $ac_given_srcdir. + # In autoconf-2.50 it is called $srcdir. + test -n "$ac_given_srcdir" || ac_given_srcdir="$srcdir" + case "$ac_given_srcdir" in + .) top_srcdir=`echo $ac_dots|sed 's%/$%%'` ;; + /*) top_srcdir="$ac_given_srcdir" ;; + *) top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + # Treat a directory as a PO directory if and only if it has a + # POTFILES.in file. This allows packages to have multiple PO + # directories under different names or in different locations. + if test -f "$ac_given_srcdir/$ac_dir/POTFILES.in"; then + rm -f "$ac_dir/POTFILES" + test -n "$as_me" && echo "$as_me: creating $ac_dir/POTFILES" || echo "creating $ac_dir/POTFILES" + cat "$ac_given_srcdir/$ac_dir/POTFILES.in" | sed -e "/^#/d" -e "/^[ ]*\$/d" -e "s,.*, $top_srcdir/& \\\\," | sed -e "\$s/\(.*\) \\\\/\1/" > "$ac_dir/POTFILES" + POMAKEFILEDEPS="POTFILES.in" + # ALL_LINGUAS, POFILES, UPDATEPOFILES, DUMMYPOFILES, GMOFILES depend + # on $ac_dir but don't depend on user-specified configuration + # parameters. + if test -f "$ac_given_srcdir/$ac_dir/LINGUAS"; then + # The LINGUAS file contains the set of available languages. + if test -n "$OBSOLETE_ALL_LINGUAS"; then + test -n "$as_me" && echo "$as_me: setting ALL_LINGUAS in configure.in is obsolete" || echo "setting ALL_LINGUAS in configure.in is obsolete" + fi + ALL_LINGUAS_=`sed -e "/^#/d" -e "s/#.*//" "$ac_given_srcdir/$ac_dir/LINGUAS"` + # Hide the ALL_LINGUAS assigment from automake. 
+ eval 'ALL_LINGUAS''=$ALL_LINGUAS_' + POMAKEFILEDEPS="$POMAKEFILEDEPS LINGUAS" + else + # The set of available languages was given in configure.in. + eval 'ALL_LINGUAS''=$OBSOLETE_ALL_LINGUAS' + fi + # Compute POFILES + # as $(foreach lang, $(ALL_LINGUAS), $(srcdir)/$(lang).po) + # Compute UPDATEPOFILES + # as $(foreach lang, $(ALL_LINGUAS), $(lang).po-update) + # Compute DUMMYPOFILES + # as $(foreach lang, $(ALL_LINGUAS), $(lang).nop) + # Compute GMOFILES + # as $(foreach lang, $(ALL_LINGUAS), $(srcdir)/$(lang).gmo) + case "$ac_given_srcdir" in + .) srcdirpre= ;; + *) srcdirpre='$(srcdir)/' ;; + esac + POFILES= + UPDATEPOFILES= + DUMMYPOFILES= + GMOFILES= + for lang in $ALL_LINGUAS; do + POFILES="$POFILES $srcdirpre$lang.po" + UPDATEPOFILES="$UPDATEPOFILES $lang.po-update" + DUMMYPOFILES="$DUMMYPOFILES $lang.nop" + GMOFILES="$GMOFILES $srcdirpre$lang.gmo" + done + # CATALOGS depends on both $ac_dir and the user's LINGUAS + # environment variable. + INST_LINGUAS= + if test -n "$ALL_LINGUAS"; then + for presentlang in $ALL_LINGUAS; do + useit=no + if test "%UNSET%" != "$LINGUAS"; then + desiredlanguages="$LINGUAS" + else + desiredlanguages="$ALL_LINGUAS" + fi + for desiredlang in $desiredlanguages; do + # Use the presentlang catalog if desiredlang is + # a. equal to presentlang, or + # b. a variant of presentlang (because in this case, + # presentlang can be used as a fallback for messages + # which are not translated in the desiredlang catalog). 
+ case "$desiredlang" in + "$presentlang"*) useit=yes;; + esac + done + if test $useit = yes; then + INST_LINGUAS="$INST_LINGUAS $presentlang" + fi + done + fi + CATALOGS= + if test -n "$INST_LINGUAS"; then + for lang in $INST_LINGUAS; do + CATALOGS="$CATALOGS $lang.gmo" + done + fi + test -n "$as_me" && echo "$as_me: creating $ac_dir/Makefile" || echo "creating $ac_dir/Makefile" + sed -e "/^POTFILES =/r $ac_dir/POTFILES" -e "/^# Makevars/r $ac_given_srcdir/$ac_dir/Makevars" -e "s|@POFILES@|$POFILES|g" -e "s|@UPDATEPOFILES@|$UPDATEPOFILES|g" -e "s|@DUMMYPOFILES@|$DUMMYPOFILES|g" -e "s|@GMOFILES@|$GMOFILES|g" -e "s|@CATALOGS@|$CATALOGS|g" -e "s|@POMAKEFILEDEPS@|$POMAKEFILEDEPS|g" "$ac_dir/Makefile.in" > "$ac_dir/Makefile" + for f in "$ac_given_srcdir/$ac_dir"/Rules-*; do + if test -f "$f"; then + case "$f" in + *.orig | *.bak | *~) ;; + *) cat "$f" >> "$ac_dir/Makefile" ;; + esac + fi + done + fi + ;; + esac + done], + [# Capture the value of obsolete ALL_LINGUAS because we need it to compute + # POFILES, UPDATEPOFILES, DUMMYPOFILES, GMOFILES, CATALOGS. But hide it + # from automake. + eval 'OBSOLETE_ALL_LINGUAS''="$ALL_LINGUAS"' + # Capture the value of LINGUAS because we need it to compute CATALOGS. + LINGUAS="${LINGUAS-%UNSET%}" + ]) +]) + +dnl Postprocesses a Makefile in a directory containing PO files. +AC_DEFUN([AM_POSTPROCESS_PO_MAKEFILE], +[ + # When this code is run, in config.status, two variables have already been + # set: + # - OBSOLETE_ALL_LINGUAS is the value of LINGUAS set in configure.in, + # - LINGUAS is the value of the environment variable LINGUAS at configure + # time. + +changequote(,)dnl + # Adjust a relative srcdir. + ac_dir=`echo "$ac_file"|sed 's%/[^/][^/]*$%%'` + ac_dir_suffix="/`echo "$ac_dir"|sed 's%^\./%%'`" + ac_dots=`echo "$ac_dir_suffix"|sed 's%/[^/]*%../%g'` + # In autoconf-2.13 it is called $ac_given_srcdir. + # In autoconf-2.50 it is called $srcdir. 
+ test -n "$ac_given_srcdir" || ac_given_srcdir="$srcdir" + case "$ac_given_srcdir" in + .) top_srcdir=`echo $ac_dots|sed 's%/$%%'` ;; + /*) top_srcdir="$ac_given_srcdir" ;; + *) top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + + # Find a way to echo strings without interpreting backslash. + if test "X`(echo '\t') 2>/dev/null`" = 'X\t'; then + gt_echo='echo' + else + if test "X`(printf '%s\n' '\t') 2>/dev/null`" = 'X\t'; then + gt_echo='printf %s\n' + else + echo_func () { + cat < "$ac_file.tmp" + if grep -l '@TCLCATALOGS@' "$ac_file" > /dev/null; then + # Add dependencies that cannot be formulated as a simple suffix rule. + for lang in $ALL_LINGUAS; do + frobbedlang=`echo $lang | sed -e 's/\..*$//' -e 'y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/'` + cat >> "$ac_file.tmp" < /dev/null; then + # Add dependencies that cannot be formulated as a simple suffix rule. + for lang in $ALL_LINGUAS; do + frobbedlang=`echo $lang | sed -e 's/_/-/g' -e 's/^sr-CS/sr-SP/' -e 's/@latin$/-Latn/' -e 's/@cyrillic$/-Cyrl/' -e 's/^sr-SP$/sr-SP-Latn/' -e 's/^uz-UZ$/uz-UZ-Latn/'` + cat >> "$ac_file.tmp" <> "$ac_file.tmp" < +#include +/* The string "%2$d %1$d", with dollar characters protected from the shell's + dollar expansion (possibly an autoconf bug). */ +static char format[] = { '%', '2', '$', 'd', ' ', '%', '1', '$', 'd', '\0' }; +static char buf[100]; +int main () +{ + sprintf (buf, format, 33, 55); + return (strcmp (buf, "55 33") != 0); +}], gt_cv_func_printf_posix=yes, gt_cv_func_printf_posix=no, + [ + AC_EGREP_CPP(notposix, [ +#if defined __NetBSD__ || defined _MSC_VER || defined __MINGW32__ || defined __CYGWIN__ + notposix +#endif + ], gt_cv_func_printf_posix="guessing no", + gt_cv_func_printf_posix="guessing yes") + ]) + ]) + case $gt_cv_func_printf_posix in + *yes) + AC_DEFINE(HAVE_POSIX_PRINTF, 1, + [Define if your printf() function supports format strings with positions.]) + ;; + esac +]) 
diff --git a/m4/progtest.m4 b/m4/progtest.m4
new file mode 100644
index 0000000..a56365c
--- /dev/null
+++ b/m4/progtest.m4
@@ -0,0 +1,92 @@ +# progtest.m4 serial 4 (gettext-0.14.2) +dnl Copyright (C) 1996-2003, 2005 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. +dnl +dnl This file can can be used in projects which are not available under +dnl the GNU General Public License or the GNU Library General Public +dnl License but which still want to provide support for the GNU gettext +dnl functionality. +dnl Please note that the actual code of the GNU gettext library is covered +dnl by the GNU Library General Public License, and the rest of the GNU +dnl gettext package package is covered by the GNU General Public License. +dnl They are *not* in the public domain. + +dnl Authors: +dnl Ulrich Drepper , 1996. + +AC_PREREQ(2.50) + +# Search path for a program which passes the given test. + +dnl AM_PATH_PROG_WITH_TEST(VARIABLE, PROG-TO-CHECK-FOR, +dnl TEST-PERFORMED-ON-FOUND_PROGRAM [, VALUE-IF-NOT-FOUND [, PATH]]) +AC_DEFUN([AM_PATH_PROG_WITH_TEST], +[ +# Prepare PATH_SEPARATOR. +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + echo "#! /bin/sh" >conf$$.sh + echo "exit 0" >>conf$$.sh + chmod +x conf$$.sh + if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then + PATH_SEPARATOR=';' + else + PATH_SEPARATOR=: + fi + rm -f conf$$.sh +fi + +# Find out how to test for executable files. Don't use a zero-byte file, +# as systems may use methods other than mode bits to determine executability. +cat >conf$$.file <<_ASEOF +#! /bin/sh +exit 0 +_ASEOF +chmod +x conf$$.file +if test -x conf$$.file >/dev/null 2>&1; then + ac_executable_p="test -x" +else + ac_executable_p="test -f" +fi +rm -f conf$$.file + +# Extract the first word of "$2", so it can be a program name with args. 
+set dummy $2; ac_word=[$]2 +AC_MSG_CHECKING([for $ac_word]) +AC_CACHE_VAL(ac_cv_path_$1, +[case "[$]$1" in + [[\\/]]* | ?:[[\\/]]*) + ac_cv_path_$1="[$]$1" # Let the user override the test with a path. + ;; + *) + ac_save_IFS="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in ifelse([$5], , $PATH, [$5]); do + IFS="$ac_save_IFS" + test -z "$ac_dir" && ac_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $ac_executable_p "$ac_dir/$ac_word$ac_exec_ext"; then + echo "$as_me: trying $ac_dir/$ac_word..." >&AS_MESSAGE_LOG_FD + if [$3]; then + ac_cv_path_$1="$ac_dir/$ac_word$ac_exec_ext" + break 2 + fi + fi + done + done + IFS="$ac_save_IFS" +dnl If no 4th arg is given, leave the cache variable unset, +dnl so AC_PATH_PROGS will keep looking. +ifelse([$4], , , [ test -z "[$]ac_cv_path_$1" && ac_cv_path_$1="$4" +])dnl + ;; +esac])dnl +$1="$ac_cv_path_$1" +if test ifelse([$4], , [-n "[$]$1"], ["[$]$1" != "$4"]); then + AC_MSG_RESULT([$]$1) +else + AC_MSG_RESULT(no) +fi +AC_SUBST($1)dnl +]) diff --git a/m4/signed.m4 b/m4/signed.m4 new file mode 100644 index 0000000..048f593 --- /dev/null +++ b/m4/signed.m4 @@ -0,0 +1,17 @@ +# signed.m4 serial 1 (gettext-0.10.40) +dnl Copyright (C) 2001-2002 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl From Bruno Haible. + +AC_DEFUN([bh_C_SIGNED], +[ + AC_CACHE_CHECK([for signed], bh_cv_c_signed, + [AC_TRY_COMPILE(, [signed char x;], bh_cv_c_signed=yes, bh_cv_c_signed=no)]) + if test $bh_cv_c_signed = no; then + AC_DEFINE(signed, , + [Define to empty if the C compiler doesn't support this keyword.]) + fi +]) diff --git a/m4/size_max.m4 b/m4/size_max.m4 new file mode 100644 index 0000000..4fe81c7 --- /dev/null +++ b/m4/size_max.m4 
@@ -0,0 +1,59 @@
+# size_max.m4 serial 2
+dnl Copyright (C) 2003 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+
+AC_DEFUN([gl_SIZE_MAX],
+[
+ AC_CHECK_HEADERS(stdint.h)
+ dnl First test whether the system already has SIZE_MAX.
+ AC_MSG_CHECKING([for SIZE_MAX])
+ result=
+ AC_EGREP_CPP([Found it], [
+#include
+#if HAVE_STDINT_H
+#include
+#endif
+#ifdef SIZE_MAX
+Found it
+#endif
+], result=yes)
+ if test -z "$result"; then
+ dnl Define it ourselves. Here we assume that the type 'size_t' is not wider
+ dnl than the type 'unsigned long'.
+ dnl The _AC_COMPUTE_INT macro works up to LONG_MAX, since it uses 'expr',
+ dnl which is guaranteed to work from LONG_MIN to LONG_MAX.
+ _AC_COMPUTE_INT([~(size_t)0 / 10], res_hi,
+ [#include ], result=?)
+ _AC_COMPUTE_INT([~(size_t)0 % 10], res_lo,
+ [#include ], result=?)
+ _AC_COMPUTE_INT([sizeof (size_t) <= sizeof (unsigned int)], fits_in_uint,
+ [#include ], result=?)
+ if test "$fits_in_uint" = 1; then
+ dnl Even though SIZE_MAX fits in an unsigned int, it must be of type
+ dnl 'unsigned long' if the type 'size_t' is the same as 'unsigned long'.
+ AC_TRY_COMPILE([#include
+ extern size_t foo;
+ extern unsigned long foo;
+ ], [], fits_in_uint=0)
+ fi
+ if test -z "$result"; then
+ if test "$fits_in_uint" = 1; then
+ result="$res_hi$res_lo"U
+ else
+ result="$res_hi$res_lo"UL
+ fi
+ else
+ dnl Shouldn't happen, but who knows...
+ result='~(size_t)0'
+ fi
+ fi
+ AC_MSG_RESULT([$result])
+ if test "$result" != yes; then
+ AC_DEFINE_UNQUOTED([SIZE_MAX], [$result],
+ [Define as the maximum value of type 'size_t', if the system doesn't define it.])
+ fi
+])
diff --git a/m4/stdint_h.m4 b/m4/stdint_h.m4
new file mode 100644
index 0000000..3355f35
--- /dev/null
+++ b/m4/stdint_h.m4
@@ -0,0 +1,26 @@
+# stdint_h.m4 serial 5
+dnl Copyright (C) 1997-2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Paul Eggert.
+
+# Define HAVE_STDINT_H_WITH_UINTMAX if exists,
+# doesn't clash with , and declares uintmax_t.
+
+AC_DEFUN([gl_AC_HEADER_STDINT_H],
+[
+ AC_CACHE_CHECK([for stdint.h], gl_cv_header_stdint_h,
+ [AC_TRY_COMPILE(
+ [#include
+#include ],
+ [uintmax_t i = (uintmax_t) -1;],
+ gl_cv_header_stdint_h=yes,
+ gl_cv_header_stdint_h=no)])
+ if test $gl_cv_header_stdint_h = yes; then
+ AC_DEFINE_UNQUOTED(HAVE_STDINT_H_WITH_UINTMAX, 1,
+ [Define if exists, doesn't clash with ,
+ and declares uintmax_t. ])
+ fi
+])
diff --git a/m4/uintmax_t.m4 b/m4/uintmax_t.m4
new file mode 100644
index 0000000..bf83ed7
--- /dev/null
+++ b/m4/uintmax_t.m4
@@ -0,0 +1,30 @@
+# uintmax_t.m4 serial 9
+dnl Copyright (C) 1997-2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Paul Eggert.
+
+AC_PREREQ(2.13)
+
+# Define uintmax_t to 'unsigned long' or 'unsigned long long'
+# if it is not already defined in or .
+
+AC_DEFUN([gl_AC_TYPE_UINTMAX_T],
+[
+ AC_REQUIRE([gl_AC_HEADER_INTTYPES_H])
+ AC_REQUIRE([gl_AC_HEADER_STDINT_H])
+ if test $gl_cv_header_inttypes_h = no && test $gl_cv_header_stdint_h = no; then
+ AC_REQUIRE([gl_AC_TYPE_UNSIGNED_LONG_LONG])
+ test $ac_cv_type_unsigned_long_long = yes \
+ && ac_type='unsigned long long' \
+ || ac_type='unsigned long'
+ AC_DEFINE_UNQUOTED(uintmax_t, $ac_type,
+ [Define to unsigned long or unsigned long long
+ if and don't define.])
+ else
+ AC_DEFINE(HAVE_UINTMAX_T, 1,
+ [Define if you have the 'uintmax_t' type in or .])
+ fi
+])
diff --git a/m4/ulonglong.m4 b/m4/ulonglong.m4
new file mode 100644
index 0000000..dee10cc
--- /dev/null
+++ b/m4/ulonglong.m4
@@ -0,0 +1,23 @@
+# ulonglong.m4 serial 4
+dnl Copyright (C) 1999-2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Paul Eggert.
+
+# Define HAVE_UNSIGNED_LONG_LONG if 'unsigned long long' works.
+
+AC_DEFUN([gl_AC_TYPE_UNSIGNED_LONG_LONG],
+[
+ AC_CACHE_CHECK([for unsigned long long], ac_cv_type_unsigned_long_long,
+ [AC_TRY_LINK([unsigned long long ull = 1ULL; int i = 63;],
+ [unsigned long long ullmax = (unsigned long long) -1;
+ return ull << i | ull >> i | ullmax / ull | ullmax % ull;],
+ ac_cv_type_unsigned_long_long=yes,
+ ac_cv_type_unsigned_long_long=no)])
+ if test $ac_cv_type_unsigned_long_long = yes; then
+ AC_DEFINE(HAVE_UNSIGNED_LONG_LONG, 1,
+ [Define if you have the 'unsigned long long' type.])
+ fi
+])
diff --git a/m4/wchar_t.m4 b/m4/wchar_t.m4
new file mode 100644
index 0000000..cde2129
--- /dev/null
+++ b/m4/wchar_t.m4
@@ -0,0 +1,20 @@
+# wchar_t.m4 serial 1 (gettext-0.12)
+dnl Copyright (C) 2002-2003 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+dnl Test whether has the 'wchar_t' type.
+dnl Prerequisite: AC_PROG_CC
+
+AC_DEFUN([gt_TYPE_WCHAR_T],
+[
+ AC_CACHE_CHECK([for wchar_t], gt_cv_c_wchar_t,
+ [AC_TRY_COMPILE([#include
+ wchar_t foo = (wchar_t)'\0';], ,
+ gt_cv_c_wchar_t=yes, gt_cv_c_wchar_t=no)])
+ if test $gt_cv_c_wchar_t = yes; then
+ AC_DEFINE(HAVE_WCHAR_T, 1, [Define if you have the 'wchar_t' type.])
+ fi
+])
diff --git a/m4/wint_t.m4 b/m4/wint_t.m4
new file mode 100644
index 0000000..b8fff9c
--- /dev/null
+++ b/m4/wint_t.m4
@@ -0,0 +1,20 @@
+# wint_t.m4 serial 1 (gettext-0.12)
+dnl Copyright (C) 2003 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+dnl From Bruno Haible.
+dnl Test whether has the 'wint_t' type.
+dnl Prerequisite: AC_PROG_CC
+
+AC_DEFUN([gt_TYPE_WINT_T],
+[
+ AC_CACHE_CHECK([for wint_t], gt_cv_c_wint_t,
+ [AC_TRY_COMPILE([#include
+ wint_t foo = (wchar_t)'\0';], ,
+ gt_cv_c_wint_t=yes, gt_cv_c_wint_t=no)])
+ if test $gt_cv_c_wint_t = yes; then
+ AC_DEFINE(HAVE_WINT_T, 1, [Define if you have the 'wint_t' type.])
+ fi
+])
diff --git a/m4/xsize.m4 b/m4/xsize.m4
new file mode 100644
index 0000000..85bb721
--- /dev/null
+++ b/m4/xsize.m4
@@ -0,0 +1,13 @@
+# xsize.m4 serial 3
+dnl Copyright (C) 2003-2004 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
+
+AC_DEFUN([gl_XSIZE],
+[
+ dnl Prerequisites of lib/xsize.h.
+ AC_REQUIRE([gl_SIZE_MAX])
+ AC_REQUIRE([AC_C_INLINE])
+ AC_CHECK_HEADERS(stdint.h)
+])
diff --git a/po/LINGUAS b/po/LINGUAS
new file mode 100644
index 0000000..526cd57
--- /dev/null
+++ b/po/LINGUAS
@@ -0,0 +1,23 @@
+bg
+ca
+de
+eu
+es
+fr
+hu
+id
+it
+ja
+nb
+nl
+pl
+pt
+pt_BR
+ru
+sv
+tg
+tr
+uk
+zh_CN
+zh_TW
+
diff --git a/po/Makefile.in.in b/po/Makefile.in.in
new file mode 100644
index 0000000..1f5cc28
--- /dev/null
+++ b/po/Makefile.in.in
@@ -0,0 +1,384 @@ +# Makefile for PO directory in any package using GNU gettext. +# Copyright (C) 1995-1997, 2000-2005 by Ulrich Drepper +# +# This file can be copied and used freely without restrictions. It can +# be used in projects which are not available under the GNU General Public +# License but which still want to provide support for the GNU gettext +# functionality. +# Please note that the actual code of GNU gettext is covered by the GNU +# General Public License and is *not* in the public domain. +# +# Origin: gettext-0.14.4 + +PACKAGE = @PACKAGE@ +VERSION = @VERSION@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ + +SHELL = /bin/sh +@SET_MAKE@ + +srcdir = @srcdir@ +top_srcdir = @top_srcdir@ +VPATH = @srcdir@ + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +datadir = @datadir@ +localedir = $(datadir)/locale +gettextsrcdir = $(datadir)/gettext/po + +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +mkinstalldirs = $(SHELL) $(MKINSTALLDIRS) + +GMSGFMT = @GMSGFMT@ +MSGFMT = @MSGFMT@ +XGETTEXT = @XGETTEXT@ +MSGMERGE = msgmerge +MSGMERGE_UPDATE = @MSGMERGE@ --update +MSGINIT = msginit +MSGCONV = msgconv +MSGFILTER = msgfilter + +POFILES = @POFILES@ +GMOFILES = @GMOFILES@ +UPDATEPOFILES = @UPDATEPOFILES@ +DUMMYPOFILES = @DUMMYPOFILES@ +DISTFILES.common = Makefile.in.in remove-potcdate.sin \ +$(DISTFILES.common.extra1) $(DISTFILES.common.extra2) $(DISTFILES.common.extra3) +DISTFILES = $(DISTFILES.common) Makevars POTFILES.in \ +$(POFILES) $(GMOFILES) \ +$(DISTFILES.extra1) $(DISTFILES.extra2) $(DISTFILES.extra3) + +POTFILES = \ + +CATALOGS = @CATALOGS@ + +# Makevars gets inserted here. (Don't remove this line!) + +.SUFFIXES: +.SUFFIXES: .po .gmo .mo .sed .sin .nop .po-create .po-update + +.po.mo: + @echo "$(MSGFMT) -c -o $@ $<"; \ + $(MSGFMT) -c -o t-$@ $< && mv t-$@ $@ + +.po.gmo: + @lang=`echo $* | sed -e 's,.*/,,'`; \ + test "$(srcdir)" = . 
&& cdcmd="" || cdcmd="cd $(srcdir) && "; \ + echo "$${cdcmd}rm -f $${lang}.gmo && $(GMSGFMT) -c --statistics -o $${lang}.gmo $${lang}.po"; \ + cd $(srcdir) && rm -f $${lang}.gmo && $(GMSGFMT) -c --statistics -o t-$${lang}.gmo $${lang}.po && mv t-$${lang}.gmo $${lang}.gmo + +.sin.sed: + sed -e '/^#/d' $< > t-$@ + mv t-$@ $@ + + +all: all-@USE_NLS@ + +all-yes: stamp-po +all-no: + +# $(srcdir)/$(DOMAIN).pot is only created when needed. When xgettext finds no +# internationalized messages, no $(srcdir)/$(DOMAIN).pot is created (because +# we don't want to bother translators with empty POT files). We assume that +# LINGUAS is empty in this case, i.e. $(POFILES) and $(GMOFILES) are empty. +# In this case, stamp-po is a nop (i.e. a phony target). + +# stamp-po is a timestamp denoting the last time at which the CATALOGS have +# been loosely updated. Its purpose is that when a developer or translator +# checks out the package via CVS, and the $(DOMAIN).pot file is not in CVS, +# "make" will update the $(DOMAIN).pot and the $(CATALOGS), but subsequent +# invocations of "make" will do nothing. This timestamp would not be necessary +# if updating the $(CATALOGS) would always touch them; however, the rule for +# $(POFILES) has been designed to not touch files that don't need to be +# changed. +stamp-po: $(srcdir)/$(DOMAIN).pot + test ! -f $(srcdir)/$(DOMAIN).pot || \ + test -z "$(GMOFILES)" || $(MAKE) $(GMOFILES) + @test ! -f $(srcdir)/$(DOMAIN).pot || { \ + echo "touch stamp-po" && \ + echo timestamp > stamp-poT && \ + mv stamp-poT stamp-po; \ + } + +# Note: Target 'all' must not depend on target '$(DOMAIN).pot-update', +# otherwise packages like GCC can not be built if only parts of the source +# have been downloaded. + +# This target rebuilds $(DOMAIN).pot; it is an expensive operation. +# Note that $(DOMAIN).pot is not touched if it doesn't need to be changed. 
+$(DOMAIN).pot-update: $(POTFILES) $(srcdir)/POTFILES.in remove-potcdate.sed + if test -n '$(MSGID_BUGS_ADDRESS)' || test '$(PACKAGE_BUGREPORT)' = '@'PACKAGE_BUGREPORT'@'; then \ + msgid_bugs_address='$(MSGID_BUGS_ADDRESS)'; \ + else \ + msgid_bugs_address='$(PACKAGE_BUGREPORT)'; \ + fi; \ + $(XGETTEXT) --default-domain=$(DOMAIN) --directory=$(top_srcdir) \ + --add-comments=TRANSLATORS: $(XGETTEXT_OPTIONS) \ + --files-from=$(srcdir)/POTFILES.in \ + --copyright-holder='$(COPYRIGHT_HOLDER)' \ + --msgid-bugs-address="$$msgid_bugs_address" + test ! -f $(DOMAIN).po || { \ + if test -f $(srcdir)/$(DOMAIN).pot; then \ + sed -f remove-potcdate.sed < $(srcdir)/$(DOMAIN).pot > $(DOMAIN).1po && \ + sed -f remove-potcdate.sed < $(DOMAIN).po > $(DOMAIN).2po && \ + if cmp $(DOMAIN).1po $(DOMAIN).2po >/dev/null 2>&1; then \ + rm -f $(DOMAIN).1po $(DOMAIN).2po $(DOMAIN).po; \ + else \ + rm -f $(DOMAIN).1po $(DOMAIN).2po $(srcdir)/$(DOMAIN).pot && \ + mv $(DOMAIN).po $(srcdir)/$(DOMAIN).pot; \ + fi; \ + else \ + mv $(DOMAIN).po $(srcdir)/$(DOMAIN).pot; \ + fi; \ + } + +# This rule has no dependencies: we don't need to update $(DOMAIN).pot at +# every "make" invocation, only create it when it is missing. +# Only "make $(DOMAIN).pot-update" or "make dist" will force an update. +$(srcdir)/$(DOMAIN).pot: + $(MAKE) $(DOMAIN).pot-update + +# This target rebuilds a PO file if $(DOMAIN).pot has changed. +# Note that a PO file is not touched if it doesn't need to be changed. +$(POFILES): $(srcdir)/$(DOMAIN).pot + @lang=`echo $@ | sed -e 's,.*/,,' -e 's/\.po$$//'`; \ + if test -f "$(srcdir)/$${lang}.po"; then \ + test "$(srcdir)" = . 
&& cdcmd="" || cdcmd="cd $(srcdir) && "; \ + echo "$${cdcmd}$(MSGMERGE_UPDATE) $${lang}.po $(DOMAIN).pot"; \ + cd $(srcdir) && $(MSGMERGE_UPDATE) $${lang}.po $(DOMAIN).pot; \ + else \ + $(MAKE) $${lang}.po-create; \ + fi + + +install: install-exec install-data +install-exec: +install-data: install-data-@USE_NLS@ + if test "$(PACKAGE)" = "gettext-tools"; then \ + $(mkinstalldirs) $(DESTDIR)$(gettextsrcdir); \ + for file in $(DISTFILES.common) Makevars.template; do \ + $(INSTALL_DATA) $(srcdir)/$$file \ + $(DESTDIR)$(gettextsrcdir)/$$file; \ + done; \ + for file in Makevars; do \ + rm -f $(DESTDIR)$(gettextsrcdir)/$$file; \ + done; \ + else \ + : ; \ + fi +install-data-no: all +install-data-yes: all + $(mkinstalldirs) $(DESTDIR)$(datadir) + @catalogs='$(CATALOGS)'; \ + for cat in $$catalogs; do \ + cat=`basename $$cat`; \ + lang=`echo $$cat | sed -e 's/\.gmo$$//'`; \ + dir=$(localedir)/$$lang/LC_MESSAGES; \ + $(mkinstalldirs) $(DESTDIR)$$dir; \ + if test -r $$cat; then realcat=$$cat; else realcat=$(srcdir)/$$cat; fi; \ + $(INSTALL_DATA) $$realcat $(DESTDIR)$$dir/$(DOMAIN).mo; \ + echo "installing $$realcat as $(DESTDIR)$$dir/$(DOMAIN).mo"; \ + for lc in '' $(EXTRA_LOCALE_CATEGORIES); do \ + if test -n "$$lc"; then \ + if (cd $(DESTDIR)$(localedir)/$$lang && LC_ALL=C ls -l -d $$lc 2>/dev/null) | grep ' -> ' >/dev/null; then \ + link=`cd $(DESTDIR)$(localedir)/$$lang && LC_ALL=C ls -l -d $$lc | sed -e 's/^.* -> //'`; \ + mv $(DESTDIR)$(localedir)/$$lang/$$lc $(DESTDIR)$(localedir)/$$lang/$$lc.old; \ + mkdir $(DESTDIR)$(localedir)/$$lang/$$lc; \ + (cd $(DESTDIR)$(localedir)/$$lang/$$lc.old && \ + for file in *; do \ + if test -f $$file; then \ + ln -s ../$$link/$$file $(DESTDIR)$(localedir)/$$lang/$$lc/$$file; \ + fi; \ + done); \ + rm -f $(DESTDIR)$(localedir)/$$lang/$$lc.old; \ + else \ + if test -d $(DESTDIR)$(localedir)/$$lang/$$lc; then \ + :; \ + else \ + rm -f $(DESTDIR)$(localedir)/$$lang/$$lc; \ + mkdir $(DESTDIR)$(localedir)/$$lang/$$lc; \ + fi; \ + fi; \ + rm 
-f $(DESTDIR)$(localedir)/$$lang/$$lc/$(DOMAIN).mo; \ + ln -s ../LC_MESSAGES/$(DOMAIN).mo $(DESTDIR)$(localedir)/$$lang/$$lc/$(DOMAIN).mo 2>/dev/null || \ + ln $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$(DOMAIN).mo $(DESTDIR)$(localedir)/$$lang/$$lc/$(DOMAIN).mo 2>/dev/null || \ + cp -p $(DESTDIR)$(localedir)/$$lang/LC_MESSAGES/$(DOMAIN).mo $(DESTDIR)$(localedir)/$$lang/$$lc/$(DOMAIN).mo; \ + echo "installing $$realcat link as $(DESTDIR)$(localedir)/$$lang/$$lc/$(DOMAIN).mo"; \ + fi; \ + done; \ + done + +install-strip: install + +installdirs: installdirs-exec installdirs-data +installdirs-exec: +installdirs-data: installdirs-data-@USE_NLS@ + if test "$(PACKAGE)" = "gettext-tools"; then \ + $(mkinstalldirs) $(DESTDIR)$(gettextsrcdir); \ + else \ + : ; \ + fi +installdirs-data-no: +installdirs-data-yes: + $(mkinstalldirs) $(DESTDIR)$(datadir) + @catalogs='$(CATALOGS)'; \ + for cat in $$catalogs; do \ + cat=`basename $$cat`; \ + lang=`echo $$cat | sed -e 's/\.gmo$$//'`; \ + dir=$(localedir)/$$lang/LC_MESSAGES; \ + $(mkinstalldirs) $(DESTDIR)$$dir; \ + for lc in '' $(EXTRA_LOCALE_CATEGORIES); do \ + if test -n "$$lc"; then \ + if (cd $(DESTDIR)$(localedir)/$$lang && LC_ALL=C ls -l -d $$lc 2>/dev/null) | grep ' -> ' >/dev/null; then \ + link=`cd $(DESTDIR)$(localedir)/$$lang && LC_ALL=C ls -l -d $$lc | sed -e 's/^.* -> //'`; \ + mv $(DESTDIR)$(localedir)/$$lang/$$lc $(DESTDIR)$(localedir)/$$lang/$$lc.old; \ + mkdir $(DESTDIR)$(localedir)/$$lang/$$lc; \ + (cd $(DESTDIR)$(localedir)/$$lang/$$lc.old && \ + for file in *; do \ + if test -f $$file; then \ + ln -s ../$$link/$$file $(DESTDIR)$(localedir)/$$lang/$$lc/$$file; \ + fi; \ + done); \ + rm -f $(DESTDIR)$(localedir)/$$lang/$$lc.old; \ + else \ + if test -d $(DESTDIR)$(localedir)/$$lang/$$lc; then \ + :; \ + else \ + rm -f $(DESTDIR)$(localedir)/$$lang/$$lc; \ + mkdir $(DESTDIR)$(localedir)/$$lang/$$lc; \ + fi; \ + fi; \ + fi; \ + done; \ + done + +# Define this as empty until I found a useful application. 
+installcheck: + +uninstall: uninstall-exec uninstall-data +uninstall-exec: +uninstall-data: uninstall-data-@USE_NLS@ + if test "$(PACKAGE)" = "gettext-tools"; then \ + for file in $(DISTFILES.common) Makevars.template; do \ + rm -f $(DESTDIR)$(gettextsrcdir)/$$file; \ + done; \ + else \ + : ; \ + fi +uninstall-data-no: +uninstall-data-yes: + catalogs='$(CATALOGS)'; \ + for cat in $$catalogs; do \ + cat=`basename $$cat`; \ + lang=`echo $$cat | sed -e 's/\.gmo$$//'`; \ + for lc in LC_MESSAGES $(EXTRA_LOCALE_CATEGORIES); do \ + rm -f $(DESTDIR)$(localedir)/$$lang/$$lc/$(DOMAIN).mo; \ + done; \ + done + +check: all + +info dvi ps pdf html tags TAGS ctags CTAGS ID: + +mostlyclean: + rm -f remove-potcdate.sed + rm -f stamp-poT + rm -f core core.* $(DOMAIN).po $(DOMAIN).1po $(DOMAIN).2po *.new.po + rm -fr *.o + +clean: mostlyclean + +distclean: clean + rm -f Makefile Makefile.in POTFILES *.mo + +maintainer-clean: distclean + @echo "This command is intended for maintainers to use;" + @echo "it deletes files that may require special tools to rebuild." + rm -f stamp-po $(GMOFILES) + +distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir) +dist distdir: + $(MAKE) update-po + @$(MAKE) dist2 +# This is a separate target because 'update-po' must be executed before. 
+dist2: stamp-po $(DISTFILES) + dists="$(DISTFILES)"; \ + if test "$(PACKAGE)" = "gettext-tools"; then \ + dists="$$dists Makevars.template"; \ + fi; \ + if test -f $(srcdir)/$(DOMAIN).pot; then \ + dists="$$dists $(DOMAIN).pot stamp-po"; \ + fi; \ + if test -f $(srcdir)/ChangeLog; then \ + dists="$$dists ChangeLog"; \ + fi; \ + for i in 0 1 2 3 4 5 6 7 8 9; do \ + if test -f $(srcdir)/ChangeLog.$$i; then \ + dists="$$dists ChangeLog.$$i"; \ + fi; \ + done; \ + if test -f $(srcdir)/LINGUAS; then dists="$$dists LINGUAS"; fi; \ + for file in $$dists; do \ + if test -f $$file; then \ + cp -p $$file $(distdir) || exit 1; \ + else \ + cp -p $(srcdir)/$$file $(distdir) || exit 1; \ + fi; \ + done + +update-po: Makefile + $(MAKE) $(DOMAIN).pot-update + test -z "$(UPDATEPOFILES)" || $(MAKE) $(UPDATEPOFILES) + $(MAKE) update-gmo + +# General rule for creating PO files. + +.nop.po-create: + @lang=`echo $@ | sed -e 's/\.po-create$$//'`; \ + echo "File $$lang.po does not exist. If you are a translator, you can create it through 'msginit'." 1>&2; \ + exit 1 + +# General rule for updating PO files. + +.nop.po-update: + @lang=`echo $@ | sed -e 's/\.po-update$$//'`; \ + if test "$(PACKAGE)" = "gettext-tools"; then PATH=`pwd`/../src:$$PATH; fi; \ + tmpdir=`pwd`; \ + echo "$$lang:"; \ + test "$(srcdir)" = . && cdcmd="" || cdcmd="cd $(srcdir) && "; \ + echo "$${cdcmd}$(MSGMERGE) $$lang.po $(DOMAIN).pot -o $$lang.new.po"; \ + cd $(srcdir); \ + if $(MSGMERGE) $$lang.po $(DOMAIN).pot -o $$tmpdir/$$lang.new.po; then \ + if cmp $$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \ + rm -f $$tmpdir/$$lang.new.po; \ + else \ + if mv -f $$tmpdir/$$lang.new.po $$lang.po; then \ + :; \ + else \ + echo "msgmerge for $$lang.po failed: cannot move $$tmpdir/$$lang.new.po to $$lang.po" 1>&2; \ + exit 1; \ + fi; \ + fi; \ + else \ + echo "msgmerge for $$lang.po failed!" 
1>&2; \ + rm -f $$tmpdir/$$lang.new.po; \ + fi + +$(DUMMYPOFILES): + +update-gmo: Makefile $(GMOFILES) + @: + +Makefile: Makefile.in.in Makevars $(top_builddir)/config.status @POMAKEFILEDEPS@ + cd $(top_builddir) \ + && CONFIG_FILES=$(subdir)/$@.in CONFIG_HEADERS= \ + $(SHELL) ./config.status + +force: + +# Tell versions [3.59,3.63) of GNU make not to export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/po/Makevars b/po/Makevars new file mode 100644 index 0000000..07fc814 --- /dev/null +++ b/po/Makevars 
@@ -0,0 +1,41 @@
+# Makefile variables for PO directory in any package using GNU gettext.
+
+# Usually the message domain is the same as the package name.
+DOMAIN = $(PACKAGE)
+
+# These two variables depend on the location of this directory.
+subdir = po
+top_builddir = ..
+
+# These options get passed to xgettext.
+XGETTEXT_OPTIONS = --keyword=_ --keyword=N_ --keyword=ERROR --keyword=PRINT
+
+# This is the copyright holder that gets inserted into the header of the
+# $(DOMAIN).pot file. Set this to the copyright holder of the surrounding
+# package. (Note that the msgstr strings, extracted from the package's
+# sources, belong to the copyright holder of the package.) Translators are
+# expected to transfer the copyright for their translations to this person
+# or entity, or to disclaim their copyright. The empty string stands for
+# the public domain; in this case the translators are expected to disclaim
+# their copyright.
+COPYRIGHT_HOLDER = Red Hat, Inc.
+
+# This is the email address or URL to which the translators shall report
+# bugs in the untranslated strings:
+# - Strings which are not entire sentences, see the maintainer guidelines
+# in the GNU gettext documentation, section 'Preparing Strings'.
+# - Strings which use unclear terms or require additional context to be
+# understood.
+# - Strings which make invalid assumptions about notation of date, time or
+# money.
+# - Pluralisation problems.
+# - Incorrect English spelling.
+# - Incorrect formatting.
+# It can be your email address, or a mailing list address where translators
+# can write to without being subscribed, or the URL of a web page through
+# which the translators can contact you.
+MSGID_BUGS_ADDRESS = sssd-devel@lists.fedorahosted.org
+
+# This is the list of locale categories, beyond LC_MESSAGES, for which the
+# message catalogs shall be used. It is usually empty.
+EXTRA_LOCALE_CATEGORIES =
diff --git a/po/POTFILES.in b/po/POTFILES.in
new file mode 100644
index 0000000..f1eb344
--- /dev/null
+++ b/po/POTFILES.in
@@ -0,0 +1,33 @@
+# List of source files which contain translatable strings.
+src/confdb/confdb_setup.c
+src/config/SSSDConfig/__init__.py.in
+src/monitor/monitor.c
+src/providers/krb5/krb5_child.c
+src/providers/ldap/ldap_child.c
+src/providers/data_provider_be.c
+src/sss_client/common.c
+src/sss_client/nss_group.c
+src/sss_client/nss_passwd.c
+src/sss_client/pam_sss.c
+src/sss_client/ssh/sss_ssh_authorizedkeys.c
+src/sss_client/ssh/sss_ssh_knownhostsproxy.c
+src/tools/sss_useradd.c
+src/tools/sss_groupadd.c
+src/tools/sss_groupdel.c
+src/tools/sss_groupmod.c
+src/tools/sss_groupshow.c
+src/tools/sss_useradd.c
+src/tools/sss_userdel.c
+src/tools/sss_usermod.c
+src/tools/sss_cache.c
+src/tools/tools_util.c
+src/tools/tools_util.h
+src/tools/sssctl/sssctl.c
+src/tools/sssctl/sssctl_cache.c
+src/tools/sssctl/sssctl_config.c
+src/tools/sssctl/sssctl_data.c
+src/tools/sssctl/sssctl_domains.c
+src/tools/sssctl/sssctl_logs.c
+src/tools/sssctl/sssctl_sifp.c
+src/tools/sssctl/sssctl_user_checks.c
+src/util/util.h
diff --git a/po/Rules-quot b/po/Rules-quot
new file mode 100644
index 0000000..9c2a995
--- /dev/null
+++ b/po/Rules-quot
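Review bot: `src/tools/sss_useradd.c` is listed twice in the new po/POTFILES.in, once before `src/tools/sss_groupadd.c` and again before `src/tools/sss_userdel.c`. The repeated entry adds nothing to the string extraction, so one of the two can be dropped; keeping the one next to `src/tools/sss_userdel.c` matches the ordering of the rest of the tools block. If the first occurrence was meant to name a different source file, that file's translatable strings are presumably missing from the template and it should be listed in its place.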
@@ -0,0 +1,47 @@
+# Special Makefile rules for English message catalogs with quotation marks.
+
+DISTFILES.common.extra1 = quot.sed boldquot.sed en@quot.header en@boldquot.header insert-header.sin Rules-quot
+
+.SUFFIXES: .insert-header .po-update-en
+
+en@quot.po-create:
+ $(MAKE) en@quot.po-update
+en@boldquot.po-create:
+ $(MAKE) en@boldquot.po-update
+
+en@quot.po-update: en@quot.po-update-en
+en@boldquot.po-update: en@boldquot.po-update-en
+
+.insert-header.po-update-en:
+ @lang=`echo $@ | sed -e 's/\.po-update-en$$//'`; \
+ if test "$(PACKAGE)" = "gettext"; then PATH=`pwd`/../src:$$PATH; GETTEXTLIBDIR=`cd $(top_srcdir)/src && pwd`; export GETTEXTLIBDIR; fi; \
+ tmpdir=`pwd`; \
+ echo "$$lang:"; \
+ ll=`echo $$lang | sed -e 's/@.*//'`; \
+ LC_ALL=C; export LC_ALL; \
+ cd $(srcdir); \
+ if $(MSGINIT) -i $(DOMAIN).pot --no-translator -l $$ll -o - 2>/dev/null | sed -f $$tmpdir/$$lang.insert-header | $(MSGCONV) -t UTF-8 | $(MSGFILTER) sed -f `echo $$lang | sed -e 's/.*@//'`.sed 2>/dev/null > $$tmpdir/$$lang.new.po; then \
+ if cmp $$lang.po $$tmpdir/$$lang.new.po >/dev/null 2>&1; then \
+ rm -f $$tmpdir/$$lang.new.po; \
+ else \
+ if mv -f $$tmpdir/$$lang.new.po $$lang.po; then \
+ :; \
+ else \
+ echo "creation of $$lang.po failed: cannot move $$tmpdir/$$lang.new.po to $$lang.po" 1>&2; \
+ exit 1; \
+ fi; \
+ fi; \
+ else \
+ echo "creation of $$lang.po failed!" 1>&2; \
+ rm -f $$tmpdir/$$lang.new.po; \
+ fi
+
+en@quot.insert-header: insert-header.sin
+ sed -e '/^#/d' -e 's/HEADER/en@quot.header/g' $(srcdir)/insert-header.sin > en@quot.insert-header
+
+en@boldquot.insert-header: insert-header.sin
+ sed -e '/^#/d' -e 's/HEADER/en@boldquot.header/g' $(srcdir)/insert-header.sin > en@boldquot.insert-header
+
+mostlyclean: mostlyclean-quot
+mostlyclean-quot:
+ rm -f *.insert-header
diff --git a/po/bg.gmo b/po/bg.gmo new file mode 100644 index 0000000000000000000000000000000000000000..3b1a1903c373bfbb8537d38e3293ab1136d80b38 GIT binary patch literal 17131 zcmcJVYmgjQb;sL@6JWtS!@~ybHW-jVvunvVw%0c3v63t-$+A|mF^|~2GrhZG&rFY} zXS7-yupTzV4nc`y3dg}1hg9GL#ImHdR+25H2$fKIG4lmd6&GI;LMnw5pi;n>Q2G7O zz1`C@yM7g9YJ30F-S=_sIsfyx-Shp|pZ)oO&jF6NajZH!2)+Sc{c`^C`SC~)ya)UV zcm;UwD}&(8;7;%o@HX&W;FrJ<{FcA}1MpnV|JUQ2Ulj!J5z_ZQ?f;HfI;3{w%_B~mpxS*8)OyZ-br8HAybv4% zKL|>$1bhd0ANWS_>)Ux^Z_s@Zl?G?M&aLNFAb-IH{0qU=p!Bd4l%DPaHQytk^#65_ z-vTAqGvGM*GL)n9^`P`o2QLF30N)3G8ES}KtvDj^7#AUTRHzz za11;SN{%0bmxDh8wf@oHakv@OJhy_9|FfXhxd6Ti{3|d7zXwXrUx3p8JNb7FcqOQI zbD-?=IZ*3(0u)ca3tkKU1Uw%cr!ilHn?dzU_$PTj4Wi=UQE(%87<@PQGf?Y$J4)1f z36y?!fwJo!P~&|W)HqLqTE}-lwfhB#$iaEsRJ$?oN^m16{oD=e{^Ow9e+yg#{yT`O zf^#7sst-z_^tu+*^^bXMg0jm!p!9LnpZ~;Th!Q@)_3J^|?QfY;$H@`G=J;_I_u2>ucj4=zBMOTg{mhrk2iIQWmC`1kUXv-9~NstYE-Yr$#o zF7R=%2ELEM)c+yyR`6dzU7vuo+rcNmy-RgU^8Lz`q1P4*nRF9=Fr^POt@{;^0|u zC-_FlEMComlIJhLPlDeCH-Nj|k8gnwfs+4kK$aT(6x28uBHTQ<1=M(d4N9MHg2bBt z22i|w9NY-L@=8-la058O`2kS!{w*jzzJku`e=YwIJva!?g2%xK46kzW`T)3#^M}E$ z;D3X-NN_dIgi8e<1DP_I2T^Ho1XMiwH&AlDnnfpI4cr1gKyH$%oG4kS*H&+B|rt|Ne6D;~e6~T^t|d$UfrfYdH@13m^3;-pWU0 zk5_P1Id0(4=X#FUa6~%c^JWh5^CFIrV~nH4q0c!E0w@ri&C%g#`fK7+@q?QLDMy*( z4vsf*=(EFt{fBzSfwzITb0i$^TYa@@orKh$R>$K4zkaQr66DvlYBy&U?;zt?hz$DiUTeh42H$AeYje9~!! 
z<)}OxSHfnLrgKTF63$g?wJ_e>thVAXYLAD(y0DYRtuSeYGp(f4q(OT&Y|qAF8r9>l zp?}=lG7(0#RvcC4>0C|Q=}54yT#nN;EGLb2E2)LeRbzG?1$iPQ~GL(rHvigLNHdY_zN8sEx2Df)~8Z0J;;^(qbzO zQB4`KQKdtN1~sjvKa3jWBCU^7P1Oo#6P8n9?d5jTs>W%sJ}&E06jq|RPL~yxcslCT z+AD(%Qe0S=-Udjfr)$+l9M+PVYJ)b7M$!&v;&xbVOebM9m9SDNPdXjR?x)4p z)LCfQsD$k#Oxsbb&B(1i)pE=TomvI+v~6TrK-QMFvW0}Du#(iHY9pNP)M_6@G?+j$ z4g4OA;Pp8lR;R;io3?Rk;~7(e4I)9K9q#ZH#7-0ORA(lv#e3o!-%a6RIvdw&tHQCV zYGZ6FN@s(Kd{`4Xfv|mRI9{hTN}IK4-mP)W7@T4Y6Lh|GM<=RPr^OJKQx7&aqN&=z zDCoLciA2a?qj9#{sETXVJFATuTYo!AY8d1B?xG&ZT}#SQ&Fd*^kKxiTw8Rs`JvN-=-0B&T7s@u)Nv0MzfuInt>?X` zMAL0WC+BvzOh;(1a*KK2Ehr$aH`{4Ai-1#c+(20t?U>Gw%2?(uSs1jAYTTYv`=rr# z<`mzL=F^n}oo|ohX4V%DD`bRDqFRKy(vHPIyuwSn%n)-CE+KDf#VCpX)2*Z)PHdkH z=LmURO_SOlkwpH8M~5p?Vp5~xC8#e!^mz8^EUG|IJ(XjHAo1dMvq{Ho$SH<_VJ1Iskvyo>g8 zvm!RZD%D~XwCXVp@SQCUbF(alq|LbOoD!;Sx?y7bNN`=;nu=RVDg)N){nH^K^JcnE z=n8L-=iAX#V2(0ft%)hd9=<>)l;cuVvsK-La5K2p*0?c4ej|)(T{#hQmC~K$kTe=( z2n?hpWlDXHu5qJNkBQJqIGrZJWa%top|hEMUPCM342@T4l+HKGv#q3&bW#@tlBSYL#bM!5w6fcCfWN9osTl?yk+djD@DFq7;NJlU*tyaXFPrjXpLO<0aD% zHTNlCI55+W{ODqOur1nKt#|4cLx@DdHiGQHc~WtqPbxHd(UuQw+sP3WG0W$hRbj&2 z7QxQSkm>47usxnDCYtS?I>gG%ooZQ2EupIuQ9BBE_!1@!vRoCGXIQ}bafA^j4&m4(wzvzfF=-2H~6%xrwpZDP&p zQM)|LWmRj*Pzvd%dk0$gphr%RMc zO`0ixDwmSJ6w@j${mSE28Wc0Gf=(LjB+SY!8-sS)i8Jn%P>L6>kg!TKqCoLMY9}OC zk-BT^WHCF2SUhJ7!}l9W9we_N$?ct{W=?%V^5BG(N5(HJuH4m07p8_Udpoxn*PDJcP*c=| z%F<{i#@_w{f}sOh%rh}JTowZvjgcCXn(|As$&2W4-NXh)apfpuPbF!U`0m|2kK?%M zOfae1t6=j4P+x{To_n8l?zN=}$?2rwe9Pt8)oX`3QN#dMr&= z)4J$aY@tx5Yi?rp2L&&o!kC54lY>{$ceWo8`D!>9vBuRDk_YOmqEoP+oKGoMtUPn2 z%&NW%ddtdm%_L3bW5F)gB|r4$GOgIfY#(9LYF2%r2zMJ2b(>`0!p33OeA9|K?q`g! 
z*e~A1tyN)by1eF+i!Zl9clT$~aCQxcud9HN7eNt?>`9}tU5XNcwN>-?Tp3U49^*cP z*Q&U6cFk=h@O#_LNE&5w0!dlHeBNA-^wpZTAo`UeOQ?% zdQ{8SH_O2iIE7|qZGoi9q0%@joUAS$vB~o0(#H!oS3FgDFc?tTZm^wdGyC?*$-JD( zq;AFSPOA~@qWI8OQ3murpCT>lmJ+P@vxrGThFK^sv&aFnu}LoQM&kw(&{zg>PyBizT|xu^PypBXS}DX+57D-rBP}1rQzz; z`F3tFa(gN>lTtJMGF^2a@LlBU>rFI^@FA zt~jcXhwD4FnW$BTw<~7b?dJH{*xcOQXj}e4mAiM8a5Y9TCjF#i%`q)_tmcOpo0=J0 znGZM~PR)#L+p=wAUx}+nFCN*zb1Y0*QrsL5+dQ2aZ}Mt0OXY}ZShs3g+yu+g;B^qMtSh3@M$D;nX2*MzHAUN!RJ z(&o6K%3kX6O1X6O($ULCczV}8*MN zE`;61?s0A{^gg2#+EF`nAMKv*9iZJp_X!5zZugWLp6V`!-J`vIy@MJj?ClRVC=;FT z9?{^7-KX4$YDh%ksvEbrzjwc80}phM(4FQZLH9wX(Urqo`wYELngEjgboXf!073n= zW3FxQ{_dHe`v7npVd)}~Z8e%1*=*4#yN6N0)7{hh$MvTe@JW3+W@77`x*;tcSkr0N zv)J3uC5^c-8g#!xQzx9(re+J>r?uiCwbFT!rrcy5i@keHq{F>WgRDWr*`)64GQ;)` zNf+E+pg-aw*>TRFU_!gf9j+pa%<>%iLZ3sz_D2o6U+f(+B{K{o+gL38Fw{UeCN-^y zB@5k?l0h2jF2Vu6obDb&)2GlKCQ@e<>*UmurPZgy73hw!`A1_(ecVXnhc1gMyt@ZdxFW30&ba#P+8D@MB+=1qi$)&a7fcT2%(ITPt!YFIx-H^x_1a3 zE;EXZ09m?Eg;~LrvC{MeYrS*>0=>{!&JbFOCzm(C^J$PVA9M7?6emNcV*bmyp`8e} z%(}XZt9(;q=PBP50qz%xwY)RNxx>9fgA>@jBL99J6FiKGARXe$12qM{1d|9x{Lf;P zbITCp?UxB2qO0Gb#Cm}0N;9tEZ7*kmr(_`OBwAKqe%;~8T(n&i23 z_c04BGW-bwh=n#6LQHW(5sVhcO!k83Fd2(HYdc#%q zw^G>x@vv9*?n8B=y`p5MQw1lwD+no8oiTn$z2?xxr{V;WA!nD!-XQn)?lpelTVj@G zvBkJl;tgkh;X|ACd*1N#C{hwNm_cz4|6j&J-Nmsyt-!V;nNbw`O4bi!DYh!EdI2F2 zj?D=w2)bX^44hcTQ+LHK7q?x=LUvn;Olz`BQ-0mgEB_z+Q5nXKi-0KF$--bR9A#4Z zC~i~99B|yyC7H%&2&RQ+{|}>zp{L97CF2eKIPJU?GMTxy7(q z=>9p4PjpWaVF)Km5$H&sd7mC5iJac6vuucm<5~!{z#NVSR;ik5?=i+oJxZDu5S4tC zb}aWja?4Tht;}7I0k;aVW($S(16{i{IUP+RN zaS|w+v+&?FWaA<>mU3T>FlNp}BsltN0);VsJ7TK9t2G1H^T7%!a~a}W_Q_|kn(efy z;I!LhXf;|j$xOOfIy()H>XtQPjaDOw0+!xQ#3kN7tV@*@FW5x^{FFitYn9ogEK)zN z`jj**qjVQnI+b|G8ZKf6GNl5O_~S@nDignKJy!UH*8Q}Lrwf)6l(4L7$qF`_I~T?r zg|fiw(Pa;`w%>$BNqHTiq9k9>F%cv;CKSR@7OqrBSa~*F^hpWD38jPuJm6UG;NTr& zgX%zEzr4`AmdwP-!P?zd3Gz`_r!E#WCt7(m8WU7T4ybEb+5sW@#&m3^YO-+slvgYT z6AV)Sw zPV!pLwput&CwI=`y``!bWAld`4-}m7eyi?XR?zD%RxJuyn6?*OMK2Dze`sl#4NSjB 
zahcCun`={{0#zBzyjV162c!9VpW~7uiHcPX?P!R~Eu^@|W%RW2)^1f3Vq+}M156p}6v4DeK z|2Vu$ie6sjHdW?CMY9oFcyS9|W;ytgb5K{9{fa{=1*mk)_PmzfIaA2SNNyD`PS)Hg z-t_xX9ECA{5YAm)q*(}Dtrz|?yo>5PS{F4FE zMxhAfNT=owY-GOGc86fd7>Ti8!yWZP-UV}tIOP!Q777X7&|sC5aq-D`L!0sRniINB}a z`q&x2@zeR5C*Lmx-G>-X&tgqbdwXvx_p!^FLWUDvAS3262ef3oY;V)gL){0}L&lT) z#|+&saL0##O7TPSx~xzDC0TauqP@1VUO z++)j%xV-JKVjerA4;TLPfeM2t3g&uQ{udz5jik@MzKM;Q7>rN|zEb5WXF)fv0`|Q& ziDENVk^Ro3-`%gGIJntYZ@i9cX!-P@0^~XV0j;m$PG~2q;?KgP_oRNJ@jP%34NTtt zJz0ubysu!!!WPC$fNUfTCf(1H^i)AISzPha*h_&PacgX>3PF*{k3BdjW>PF9P?<%U z+x&isL}nGbs@9U?RA|#O&~GqYm)!DNLXf|pSw@v&gI~R4L{)*x3W+|k-C~FR8+Lod!-kL2dgvvdiw9b`$}@gkZ@!UK%=Yu6!S@_IBv-Oj z+!c3ETJ@=Lt*&4A<(oxoc7q}pmU;)5z4(9K-=<}1&CODYykfV8x|`e zq?2>`$Cs?qxs_FgdFm|m&Nc_`(aDMavn>0~lNPt!0|cCFSpHx0Yl|U8=yz8AUrenq zxv~dyJcWIbg(_6*k-87q%jD_j3tYr#6sjMNn1?QXJ(|CdvTQ7JO0%K>$(n1-OjYAz zM*icgA$x|3O2djH7%`d%NT@V(47bn=aB~O6^k3z5iaiPqk@biMGL5MQc5h?~F=!~X zX!87lvWcs$fjv1F`Hf*N#~sOk_+_Pq, 2012 +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2014-12-14 11:44+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Bulgarian (http://www.transifex.com/projects/p/sssd/language/" +"bg/)\n" +"Language: bg\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Задава ниво на подробност на debug лог записите" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Включва час и дата в debug лога" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write 
debug messages to logfiles" +msgstr "Записва debug съобщенията в логфайлове" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "Команда за стартиране на услугата" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "Време за опити за връзка с Data Provider-и" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "SSSD услуги за стартиране" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "SSSD домейни за стартиране" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "Изчакване за съобщения, изпратени през SBUS" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "Regex за намиране на потребителско име и домейн" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "Printf-съвместим формат за изобразяване на пълно-квалифицирани имена" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "Потребители, които SSSD изрично трябва да игнорира" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "Групи, които SSSD изрично трябва да игнорира" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "Да се показват ли филтрираните потребители в групи" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "Стойността на полето парола, което NSS доставчикът трябва да върне" + +#: src/config/SSSDConfig/__init__.py.in:80 
+msgid "Override homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "Колко дни да се позволява кеширано влизане между влизания онлайн" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "Колко неуспешни опита за влизане са разрешени, когато сме офлайн" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" +"Колко време (в минути) да е забранено влизането, след достигане броя " +"неуспешни опити за влизане, когато сме офлайн" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter 
PAM responses sent to the pam_sss" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:109 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:110 +msgid "" +"Maximum number of rules that can be refreshed at once. If this is exceeded, " +"full refresh is performed." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets 
would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "Доставчик на самоличност" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "Доставчик на удостоверяване" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "Доставчик на контрол на достъп" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "Доставчик на смяна на парола" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity 
provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "Минимално ID на потребител" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "Максимално ID на потребител" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "Кеширай идентификационни данни за офлайн влизане" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "Съхранявай хешове на пароли" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "Показвай потребители/групи в пълно -валифицирана форма" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "Ограничава или предпочита определена фамилия адреси при DNS търсения" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" +"Колко дни да се пазят кешираните записи след последното успешно влизане" + +#: 
src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" +"Колко време да чакам за отговори от DNS при търсене на сървъри (секунди)" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "Частта Домейн от DNS заявката за откриване на услуга" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "Интерфейсът, чийто IP да се ползва за динамични DNS обновявания" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA домейн" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "Адрес на IPA сървър" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "Име на хост на IPA клиент" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "Дали автоматично да се обновява клиентския DNS запис във FreeIPA" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" 
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "LDAP филтър за определяне права на достъп"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Адрес на Kerberos сървър"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr "Kerberos област"
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr "Директория за съхранение на кеша за данни за удостоверяване"
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr "Местоположение на кеша за данни за удостоверяване на потребители"
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr "Местоположение на keytab за валидиране на данните за удостоверяване"
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr "Разреши проверката на данните за удостоверяване"
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr "Записва паролата ако е офлайн за по-късно удостоверяване"
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr "Сървърът, на който работи услугата за смяна на парола ако не е на KDC"
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, URI на LDAP сървъра"
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "Базовият DN по подразбиране"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "Използваният тип схема на LDAP сървъра, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "Подразбиращият се bind DN"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "Продължителност на опитите за свързване"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr "Продължителност на опитите за синхронни LDAP операции"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr "Продължителност на времето между опитите за връзка докато е офлайн"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "Файл, съдържащ CA сертификати"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "Път до директорията на CA сертификат"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Изисква TLS проверка на сертификат"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Задава за използване механизма sasl"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Задаване на sasl authorization id за употреба"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "keytab на Kerberos услуга"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Ползвай Kerberos auth за LDAP връзка"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Следвай LDAP референциите"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "Продължителност на живот на TGT за LDAP връзка"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Продължителност на време за изчакване на заявка за търсене"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Продължителност на време между актуализации на изброяване"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "Изисква TLS за ИД справките"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "атрибут Потребителско име"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "атрибут UID"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "атрибут Първичен GID"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "атрибут GECOS"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "атрибут Домашна директория"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "атрибут Команден интерпретатор"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "атрибут User principal (за Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Пълно име"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "атрибут членНа"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "атрибут Момент на промяна"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs from the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Политика за определяне срок на валидност на парола"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this machine to filter sudo "
+"rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include rules that contains regular expression in host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Списък разрешени потребители, разделени със запетая"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Списък забранени потребители, разделени със запетая"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Подразбиращ се команден интерпретатор, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Място за домашните директории"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Продължава като демон (по подразбиране)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Интерактивна работа (а не като демон)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr ""
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Задаване на друг (не подразбиращия се) конфиг файл"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Ниво на debug"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr ""
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr ""
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr ""
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr ""
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr ""
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD не е стартиран като root."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found."
+msgstr "Възникнала е грешка, но не може да се намери описание."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr "Неочаквана грешка при търсене на описание на грешка"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Съобщение от сървъра:"
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Паролите не съвпадат"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr "Промяна на паролата от root не се поддържа."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Удостоверен с кеширани идентификационни данни"
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", кешираната парола ще изтече на: "
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "Удостоверяването е забранено до: "
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "Системата е офлайн, промяна на паролата не е възможна"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Промяната на паролата не успя."
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Нова парола:"
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Отново новата парола:"
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Парола:"
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Текуща парола:"
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "Паролата Ви е остаряла. Сменете я сега."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Нивото на debug записи при работа"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Грешка при задаване локални настр.\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "UID на потребителя"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Низ за коментар"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Домашна директория"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Команден интерпретатор"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Групи"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Създай, ако не съществува, директория на потребителя"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Никога не създавай директория на потребителя, въпреки конфиг."
+ +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "Задайте алтернативна skeleton директория" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "SELinux потребителят за влизането на потребителя" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "Задайте група, към която да го добавя\n" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "Задайте потребител за добавяне\n" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "Грешка при инициализирането на инструментите - няма локален домейн\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "Грешка при инициализирането на инструментите\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "В FQDN е зададен невалиден домейн\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "Вътрешна грешка при разбор на параметри\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "Групите трябва да са в 
същия домейн като потребителя\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Не мога да задам стойностите по подразбиране\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "Зададеният UID е извън позволения обхват\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "Не мога да задам SELinux контекст за влизане\n" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Не мога да получа инфо за потребителя\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"Домашната директория на потребителя вече съществува, няма да копирам данни " +"от skeldir\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "Не можах да запазя ID за потребителя - домейнът ли е пълен?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "Потребител или група с такова име или ID вече съществува\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Грешка в транзакцията. 
Не можах да добавя потребителя.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "GID на групата"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Задайте група за добавяне\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "Зададеният GID е извън позволения обхват\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr ""
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr ""
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr "Група %1$s е извън дефинирания ID обхват за домейн\n"
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. 
Could not remove group.\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. 
Could not modify group.\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr ""
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr ""
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr ""
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr ""
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr "Потребител %1$s е извън дефинирания ID обхват за домейн\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+
+#: 
src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr ""
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr ""
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr ""
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr ""
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr ""
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. 
For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr ""
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr ""
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr ""
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr ""
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr ""
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr ""
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr ""
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr ""
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr ""
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr ""
+
+#: src/tools/sss_cache.c:697
+msgid 
"Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr ""
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr ""
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr ""
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. 
Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name." 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name." 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: 
src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/boldquot.sed b/po/boldquot.sed
new file mode 100644
index 0000000..4b937aa
--- /dev/null
+++ b/po/boldquot.sed
@@ -0,0 +1,10 @@
+s/"\([^"]*\)"/“\1”/g
+s/`\([^`']*\)'/‘\1’/g
+s/ '\([^`']*\)' / ‘\1’ /g
+s/ '\([^`']*\)'$/ ‘\1’/g
+s/^'\([^`']*\)' /‘\1’ /g
+s/“”/""/g
+s/“/“/g
+s/”/”/g
+s/‘/‘/g
+s/’/’/g
diff --git a/po/ca.gmo b/po/ca.gmo new file mode 100644 index 0000000000000000000000000000000000000000..6b03dcb12b04ade8b4621d7d024433aea8f89eae GIT binary patch literal 51438 zcmcJY2Y?+{dGCinAQoVQZCt=M<0=VjSGL?`TvpObTCB3xu5h7swSz z=nz6P7%*T;FaeASHW<@QOj`me56DX%A;}9R5FmsA0rFk~kC6BKf8RMXbIYzILKepV zJ2Pia{m$3UcaFYx^h0h-`1|C8lH?@t*dvqVn%_v0N9cyXxigc5S4kCo40t1WEciU| zMDTUt{@(EZkHDjO{=dPM;19ub!Q;+Kk}JWj;Kkrez~jNsfc!uCTmF-R58@*|KMlMH zTn|1TY=Y~-SA#153!tj_P4If~Kf%r5^{bNPJn(Jc6TmNn8^C0>{Xf|la2`CJ$FB#K z{^KB3O@0KX;A8k$^|%l`4%`7A1y;b5!47x|_!?08+z0CWzY5QP5uQKpZ11NlK-Kp; z@NwW?P~X2AJOO+^sQ&!Zfd2q0-(P}cm7KQ5`)NCPDfexVCMWlT&YlAv3BDeD40tD~cKjiD1o%DhDDbD?Bf$qVIry188ax)<3LXbO4O{`X zLFM-x@S)%>py=o}Q00FL6dnE(C^~p3lQIQQ1=WumKz%<2o&eqiD*u;)$AE7GcYz-Q zcZ0tL5j+umI;i>fCU6V*HBj^NEGDnUVII`|n?XKJz6D+no&-^kg8M+x_XGR~l1+XF zQpIE?nLifX1FHO+LACQ1@M!RMQ2E{sJ{tTf$WSG}3DGi2JfCxAZ&Ri71C_;{TO>iMPM@!%w=ajAi)fX@R{@DA{C z;HSg$uYxCY{|iw0J@!gZe*viep9GcPbiikV8o$?o8qWv7_255(n#ZS)`13JPblL_X zz2tUK?fw#|d7(iPy{`e)pX1<0unf|)NNdqB<0XM!sKJ)p|FAKVW9W55d`)~mRGAt-wKb5Q;J zEl~6D$gNI?mx7{?7I-T7W>DpP0z3=+TTt`lL1SKz6Tp=Fb)e{D0z4C}ftu&92Gy^3 zff}Db1~ooE16AKMpX7Y+e2}3_nxOjOgW>tVf*P-NR9^MJiT_*;J^-qHM{Pr%gHHo> z{~=K0^I&dNpJM|KfoF5S8C(T6!4=?}K(*&iFa;j~MK50iRo|b0PXJHf;qBQ0>iaS% zx_$-76ieO%iVnXA!qSt+@AQ1H22bOD4m<;V8L02>4fkIJML$0U>DuJTai1U8fGTG% zsCK*+RDXUHRDHh~o_`yBB=^4z?;kl1sLND(4nZ`MopT|0$^Y{ylgr_zO_w+%nbqBh=Ybys)n7jVHO|L9*~{4g9?N|h zJRUp{@K*3K+`k*tJpCjHNhUu7MeiH0@$&b8M{>U(JPCX;sCv8uR6l$M)O`GEz<&e9 z4^!Y4MbbJTM6iU7Zs$b83 zs=wa@!UB`$gRsoxbKu3`5l{2-H-H-7CMdeP9aK4=4ERIvQtnTFy3e!gK$U+psQ!90 zcsclS@O1F!;7ah6JwC3RLESe%jqmG0&C5kl`TQ{8qn_dOVI8Rat^`%j=YSf=kAfG0 zp9j^x{{+=v=aqasH-qZ`5~y~(7F5694_*NNGpKPqZOZGj3)J(QLG|;!;rVC5O-c_c z|8u9k9h<-_xt|C1{=J~)+fTvMz)Q;Le&AC<)%$ax()}lRA-JjHeDay#Apy=gqLG{O3v#v*1z{hcaKR5*b6}S<6$eg!lE0}WsY;XhkR&XWw zO;G*5f=ZqOUI427li(%bOF^~wv*2UFuYjuOPryfmN8jM%cLsO{_u~OOpz?cTxc?Za ze7*)A5B?Zb{~mFp&y$lu&7B`^`_(o9m_+xN0 z_zmz0;K~K>-(BF@+}{SOUp@`C!0&)e_2l}SJlzMu_1ym(xD#C0bUF2WP~-anFa>`C 
zo(mpBChNda@N{rLsD64gcqaG}@EGu`;4t`O@H{YWyL~bVUd8=e!7IS;hv#Q^eBSK^ z)s8oS%6}15JH8959mnkT`dkc(4z2^${sW-q;iteW!G8zUo=f(5JzfGngZqzykbZLF z{v?5flV^kHfZqmH-{THA-H(E*-wQyE%Oa?D{|k5lc>2xGkFNtSLr0_HmpAU&j4y;K|^r&vLrD0#vzE;IZH~p=pwt?!0SAeSjC%{X}z?gSqReg)LHd>hn!Uh#aVvvuHv(t+22KLfcfD2=IFFe6Sqwb};4si{NSCj{+Y3VsG~apuWEzd>q&SRo|C^Dfm7R zR+IcW*ak2CU1$}&7lh=JC%nY_>Fwb4-2WT+L~z$jonBrEj&uJVkSU&A1hHHTz6;y} zCNKB#-U@Ey_GO^@E}jQexIIOLCx1vz}JGBf1d|Mcc;9@ z>%SXZ!~JdGdhj!#+WQ~idEkYw_4?cZK8E|(fy(D@a2$N_Z9X28py>D>@J#Ug;055L zU+3j)0ng$7#i07}qu_Dizk(X4hrizG{t4ib+)skXfYaaxa384e?hnuZFR1TUyus_g z8dP~t1}DLngI9uo51tR6cDs+~HQ=$_zXKFKe+(48{vEgpOy1~naunRm?X}=6_*SqC zKI~2CWMB1M&R!54rUm-mJD-vW=~{=~Psy|Ws;iu)$`B=8g9cJPQhe7vp!)sDNs z8^A}t&E>#;aDn@;hx_s0_kQ{asDAn%0e=Ku#{JQ6cRCseAIbfT!4$j=Tn&C06kUD; zya@a;sCKV@httv1!6$Ox21T#$2Sp!$4Q>RFc&ESL4vNlS3SJI=AUyvG_;~Ku-s$gm zf@g5QAACCa7EpBk3((4am-pk-!BcpCbHLldmE3<6JR1B4sC<74s-KU!%lmB$cs2KL z05#A52~@jJc(=>Vvp|jiZt!^UW#Ab2cJKu72jDvJp?~1>{u1zH?k7N+lH3HU-N(Pj z(>(>${Vkxz_bSt1(nYi!4&)3KG!cU2gkX8D|jmSFQC#N zeXrBgI`DMvw}2Y28$qRe6_|qe1^i3!Oz!^`RJzB$-}AWw+|2zR@F?(3P~-Mt@M7>! zz{i5Wai5Rh$>0|5uLd6t-VR<1z6aa}KI8-BrT3uneLpw}{yV5~-2Oq=$10%s)vG}D z$GgB0@XtZ@=g}W>I=TXU3iq?%4sa1vIY)ok-|qph=KjT?-v14#d9dmuKEEsAI__@; z)$Y%N=Y!t^F9c8dsQ2$~aESXmLDlDfff|SZ0Jnl`KIZ8=;0EsR2KD?$pxSxy{mv(z z1FC+12C5z>eBAqaH~2{IJK&SR7l2oQUj&Z?kNiWg*U6yflFJ`?;)?)CQ@ zTvJ?-W>Vt$E4kM5Tm7fM4{`qt@LcdDJ>XAmcox^CJd1z7U-+$Oj}Q0%GbA_yZ1L=W zg?m_K@=orb71F(m`zMCqO7a$d{{U3KU%>Agm-^s|T)Vkm!ToBk`1d}3pTf;O;CI8r zTfo_n=1l?L3_geJKX~^x@O$7Nf;+iZ^7~Zq`{4V*?cigo1S`CH*&Iz{-Ir2Kdn*M~{}yWsDF#lL&Ge><1t z#5OMRnfN!x^K-bK%>`>QUee_EBEL6-`g=2%c*SYqUe8|1rTL-1eLTO5>(N}daXo@( zuLsLq@$Yr~xH8;7BH)L4c0bo^W1@gJ@cu{qJ~E{H9e&@!@Actc$zICu-{5+TZVG=d z;n~Xy_b2lE0jhkExPLEKg9|off1l#NKjV4`@AY?Fz<2Wdd0Zdo{&nHm5#WQlKFakkyn9A? 
zJ{)j@XaCNn7zh3Bb4WhO{bgJu+#d_B;X0PzzsGeqzr|-y<+_JUe?R5=B-ihAeVpqw zu0P`Xe_Su;`UKy^zXRd-bHjt%0?vVN;d(3Ye~0TDexCqd5z?OxUc|FDcqiE6TEXw% z4(~_6uk-9nT>5(r_dfx@Xm|8;NOxwySMdBFxULEJe-+X_nfvp@@4W%f1HTY{Kb7|{ z=bGobgJ;Kw=fB7O$M}6V*E+6?xnIe(iR(J9hlX^I4)|_xj^|sz_kdS|8@crNbFRC& zj^_EN^?<*N_^rP`AZh8*N?g13XXzzfcwGoz&C;~a2T-}8B%a{WEO z*M>B&;rD&~ehK(7@FuR?`F$MM0@r)Fe>&GreqRlK2-M%h`F$eSk^CM7@8tRbSNyx0 zAFm4c8v_0<&)Qs%;{Kn&_jBp*Dy|=LeTM5=F8w{5>l<7*bNwBc{)V_-FXa0_0Po_u zo=bo42xVLje$^lK{r425;d)X?yAdq&XrAlU{9eViF1-6wp6w66kKuRxyN@4F3O6@_ zZwzUw{C*6-AIY^Uy#ENle-VCf3F&SGPY=%?#_vb+`}15|x!%V0bgmh$lX!O__#&=r z`TZ?We-*B?xYysU0ng(1B)`85R=~g3Oa9)+wU+A&-SGFDA^mH?hjYIN90ni9)#SP) zyhq@zIP=^yT4SxWl+IV?rz*{~F|$7Pr`!F(Y_ri>Xz@@f)A>%TolaHKW~ZK(T4}S< zXs@t0XRbS=wM9wSr)QpbM#~>=8QYZBJIa@*>&__q(~xneRcR{UHR*vyrAq^MmR9yJRGXEw)F$0XYE|JydoFFyRnk^zzLM7UpGGrPQKee5QYs(d zt7@xF6-Lq;KWGw9+RYN#w42qbPP@`d+l{o`*jKMLN@YH4)MxW-Rj;&CZ#NH+f!&b( zazzg+d3w6iYNgW+vT4-Pg=S-KwOnZ?Bh&5b-b%WOMoqUH%>(IFY5K;_LQ0W)DYaBC zH~FqV*>tT+jncVBtE~q2Cnz`OOVxV+^Mz)0zC<}*|EvSj8QL_qX=uK*uu!ef_J7w~ zp)%dXh{q0GySG&9R2Zykb2y!3EXZ%Z)K05V5@}S&%Ph%oGQy|j%2a1IZCB?jt#)aC zfd+a*H8i0I#>PiNFC-%~ZTez*u2i3;ZZ_0AC&x3&FnUSr6^MmVtTkrSMyE~f%9d4H ztwRp)-k$PHbHu6+GE9EsQWR=z-s!D6RSzTyX8+9nUuBkH9=+w*f1NB;{)YF-2 zt&$}p3yp-R+53p*&^xi4sbsl2U21zb(7$0=S`bs#AL&A)R-LX=_mZZHQCJ}hO#yvh z>a^z?&FalGX?$e6e5--;6b2Z?&?okXx3fS(&LcEA{D$Mno;8 z77T2umNuqtU>YPN)C}rYLt}pjW-v|H>P@Le>3J%3F5|(gDj#%6P!oUXPLR*J?&qRH z2u8^pGp)kZ+sDxTG73b20O0(K1TWWvXVm`G8zGj?7xXdYMAL)&i1NoHk zEc(*;M9L;sUn=Y2{Pl)X3-+XaMs{~820=(WwIt{0;4xdv>y9M~STnrx^{>rp8!mn!p&=c;mLrqrpmS0@`K2-3pP zTVoqDGqq}6HG+0XQ?EDLN(9Z=^j+ENF5>_a2Z6O>a8j717(t@};dCV{R~W*16;ySq zw&v_Z)KTy()F$>)hm4^=7(`oqFBUPwYz;icWF<*!jcMrInR8Z^gQQzS0ky!fjZGCZ z@i|_rHTG4IrlA`O8TOR9CY^7Tt1}100Bp3$5I*7GdpSK{bZ2Ucc`pC;@JVw1ZcK$wUsW4OCExDikF)h5&3g z(W&^_siZ}+POXeAL8dWIVv0!WOicKk9SW(9S6!hdEccD-l`j2>lSrW4A;er|`bLqz z6=nQK!mojxn^sq6MJ@GR&?LR4E>$I&md+v6ue)H=>|CZD^h?ViYJZs`8z{c3drSnE z_A>oTQ}X4zv{h+*reKI_8`pJk$J1Tb-$JyQ+KmR<98i*svT(Z|an4)fves 
z@5MUfjK0a34-NU}Ylo!qHqks_JHw%K>nk-)pw4PpgCF>lx_!VK>D8)#7blF2_JD@5 z+NPN>Yf+SG#>qzMEU1&?LDxoj29dI0x`b+u*n>-N+A$Hy*V`aozHQS;u8p~#hB9s% zETK-)^lFv8l^VZ|qie20=?ML~cDjo15vlXl_FBaEfz_HN)?qyF)TNHnTLt~ZsUXX$ zHCL(C)}(8vs`a%~rPdrTYINPNs+;C|xbbwx4dtwLfMJ?X_syZTq!SYpo6^>t(R>Sy zy^>y4X=2YbuzjQ<9&o$GKO9c-3~lx+eJ;p6DVd?`lOczXsUT+R!IDXMjgtdqZ&@j)3pw&tg{NAxCPBT zY7wJ#>n|fl7;Ot)W{go4f(oFRz+!1pYZ?)P=@z~z^nRF7d=y`1j9BV1I$yCLLz-5) zd1PWTyP@utCN>pQod4FRs|!+1y)5aH;gMATMjeH=R=wH!jU?EUfmUSksKxYoXThd; z&`Fs$^;xWqRV|dGdbzc_>$7DN}!6p`MW<%UQO=8JSUdZZG++czgm$e6x9UsB&%k!)7N_8j() zC?7kwm2MnKrz_1i+*JayH7JQ@O|Y8_Ne_~esw;)`c(FQB1l4vWcyqOhH(@gtRs-cE z+1!vCUKfz&rf)(k*35M2gkwJZ(6xrb`)vSmg1Z1-+CD0=b=LbCUTDh67&DEWLt3@-f_7ujI~$I! zSAm_GKJH)6G#m4UZ;J`+b9=wFXpS66x^D}ewH3oR#n{HgY#+#&AL)54dD>d2Oq+yX zVb7fJ!5G&v3dV&CIzZ?pPb0lgt)0i%k+ne&AbUi1xp_sF`yf8%#wsilxvflGN^bHP zNsyMzQxZ(0Ju_%EmGT~YwTF?d%rCUDiWruu3XTUf1SVTK&sDu{Bpj@5`%sD7`;;Cl zBr~{L*k`2!Fr=(Xe0*c2vfwPOYzD8nAgo5U68+Qam=la{2(=xM1+tFmj6%i4uA^Rx zqmy$c@Wj{Ylc@@1E&CDf?&$*LbHscX0DuIrdbohAX}^L!_WYAmkmV8yo1!&L%)n69`13PM5wGvT0c^4XB_V)h74h<|JayHFK`O zx2SF|4*S2&^la>JxpIr&7E;p(?x&H+g}X$tnn?h>10n|IF{*(^oGsHvhRD3m)W&AM#F6Xb-elNG+MJOHb$kH zH&}NC?`Ql#ZFhHZUjq1~{Dpo_HR@o;+w0^ zCuXPxS#Deg8Z?Ju$=8G+y}iikS-8zMSNEk0_&j&Pn+X9vm+&!(hai&{9L2yApSr}F zu2o8Pd4iWnmDxRT4`-EqNhvy1qad1l^D8839jH&wH5>Itr{x+kZWMQM4azzb*CkkT zZoC8;GN72k2dzq}IXxHUO|q>zQ?cHo7bmw&ni60`5H$tNy@JM28hM>Y=l+=UA)*$S)5FNOaEGaezrl0t9~ z8u1NhWj1V$DJa>&L1D@ZZVPip!r-WX?y1VYTxhgfRtVNBiCZL*QJuZd3ap~^s0#E9 z^3zO%*kbD~2qarhEp|{rx=;nP3GviylPgpDoyeW!KCvWIf?-~Cl~9|W29?A=sm54@Iace$v}Ri;-om6F}2m3g%!{3rCB8DIFnIaH`!j=U!CvFyTLcMDcN3J z{62`$0}nJQC~2~SFI%k=ZX6Ra2w2nJyuZALGU0+wG@NY57Vj!o?t0m@rU{EHWWAhh zU;3T3E{K4GC5x=KmF$?9i1P@+F5@9xg}1T1dN>_5f5p7{>|k#tx|IJH^hN)(h3JtFCQ{E(?WoMs zA1n+wchhVi=-k*5SG0^&vpa}%fhm>uV|;@kwNW;;+bKEO!OUard9XK?l^NbPQHO15 zf2KN1`h7(=>W)UJq%UnEsoS!-j6icOz*!hwzzRVJUSDtCoYo!_Unqx3{n~%S^A~5?ZiYu4Z_i5e>6*fr3<7t)Ye*#l=DMF~OCi zpG29H)B;GvHpHq$8!}|m7OsSf&#uC>&J&yZC_?O)V|u!&)GpD(9+%NdcG^-jYBVl! 
zE2DRDRXVgh;s;AOAVtBV_pkF(eB>ilg$41LMNhK+$N5a|&G(==(zCAr^?qsNebCQs z*h63B)l>vPbkRwT+$plC<|=IHLpRP#Qq`ks8SJZ_QEAY!r3ICwTgG<|xsNxCZc&*C$b<=_9g`R)|Sz*JEeQiXKYCau_P5KBYI zHtM@fI)oLY;OA`}R$gX!dBn=EDMxs_jP74kZenxo%CEnc6F&P6R?9ZFw+4XOmc+HX zxZdXSdN}QS5otVs5tWT}qe7}G9&VSptZ)$O;yEEG`y# zYxiMC5!8khY_{gA3(~>ii=oe2jDfGR9L5*B@aM|6T<_Lac439?S0BQO>3uPE)yrBJ zII;{5@yTqW9$0Z6Mk z1!+^XO_tY3<(|n`x(bS=t#xejkOFn9g?}XWG|YGlJS{v96HL*xVa^RF6T3I<%$FJ_ zrm>_|FB8nMDHCo4OE4OxZQWp&B>_n&n+?-tT1jsre;x(2dZ!SKQ}A*Q{?1fhdFy*W z3@cCl<@Krq6XyKO7tkhbw#$Sqtfs2pXsWf!mR=_+%rzx(7a^Mef?|i%yV&3?c9~bR zc7Tp^j}Kl$8DMaz@Bo^C{FH^oloq%I1aDz(3pEt~PRI(MUAwP~Z}B309;Mzndm zAB$vdc{*g6kCPW5_E{v9kPKekZcGy(oEs+-Fo9yEty)^LvJXAxHr-5h<_V^&4w)W8 z>~5@fYmIk=LZ0Z?5asG)U}@zU#`+b@!ET5VAWo99Kn zig!fc=^4ML8ZE7#W!9d>h!9T)DOob)3*5=<^h3|yyxdvCk_o#H)Dsqyqb$s=Q(Hwq ztdQJdI^0pmq|x-E?NkI$C-zP-rb)(PLGFn*#j)thP9}^KVg5ij^`Xc)&{8oEZRsUX z!9tgo`08%Wwr*7Hilkul%V#OwEYQf8iSmmj6rVyC174IZ8fL%?57ip*!fY^Cl?S}V zue2|JtijCsyO$(awXo@9O_dV%i`Is~OJH4n;!m%$G{=&k!HbGj)M;$ixOK7tve2QB%=C&H4iZIlMR?S0{aUNHYK zK5KIQF-Qt&2+?1fOhVOCA_E(rxlO`w`W67g1F*Pp~nmsF2BoLAODXOpf zT?$JU3}>o|LOKsvwmy9r_E4UN%g2f>U4<094vtVMV(GNIUqcd8q-WS6gUZdaE=`W> z{WyLhBzL%%55P(Avr9LMD@__h7sFIlLOU#C#D(L%2u1CvDd;EJE*vBkdWTl{f`@-V zW};%o8I>=pC^Up=r`eQsttoS1Y~=>8Ri~O#JxI#;)(OGXBax^Z_0xCuG{`)7N7%l_ z5P8NV8VSi- zZPXkKyNwyTGa?4;tKn|R(=TF};;@C7wKyymu;yiF$;FKhp1dvQ7)GyKgi`Z^%vzC$ z!sXP9Og6QxoA@n(I=~kJ2GD*?QEoPfd5ktZWYMr5a^GL5UZxxn2ToYOiW9wMnrT?N zV?aC2dNNsLw|KHVJkmYVEHYtb*DQ_JKO|Iwt)n#+*oxe?R>H)F-4n?q{o9hMi}(z!}>XnBUTS+;EA(X2D)12Y#(vjj(>NmvayVG@&tp+AG{ zhYL68OQP&*C3ehphdA!uH74pP#l3|Et3(b0I72onF6X=0MG`-+7tNVN`mm=Ob-Ymc zvzP_NNEJyZ$zL;~;zq*AU8Du>&c7p#oJpbWfldo+pke%n`34Epy%4%PH>#|x!Yavb zG3;#jr?Pk7fLtJw;9-{n7T^$mU9Gz$`Xq~?(45Pa`oc=PQmME1Y#*82xOHsDmOZ<6 zZyVh+wqwu6ts`T;ZOun8TF8g;h2oX_zmoW6Ew1Q$E7fLs)SjCk)L>hr()@F4(`Za% z;D&<)g0-@F_;I$h0pA*`Vk-{^wP)}Kj}gyx*>si4j6Jzp{VKIEE`dQViad-qxbI|M 
zW0~U!vVB}-tz6mKhAc>o#}$@|Nwi$+RlY$`Egyn=&B(4D4AlB`QeC5#tmIGO;a{me^HNy%jt0lmd#5f3R}wwG^}SBX&S3=-5pm%X3Z9=QlO+-xwNoHTwqUYuEYrm zdlbsOCs@N-JAx^xCERdYgQqC=5SgTtQpSe1C@`il^W4F!9^O)GOyMHh2uG8GF3uR` z!Zo(?nUx3^nuC0$aFen5gfi-(Rq~kjMb}Upt)BW2^>d=^`<{j6YZN~fyv-RWVuDgb zr{L>!Tt(J$t=QOV6U$>MuUNt%R7GJl41(+w+fmW zPP!J!(S~3<7FlC`U?xYj^pnv3Q9CgM!jE%ETzOA=)@ZNxe1V)N9df`SV;W%b)qY^kFV!;g2_?4fj19tA_=z z-b^$aeM8|H5f9gw53y=}&#no39P+G1H=#8f!-nVVWuV3JW|rz6By)~o4;&JF373cGaRG*4_! zb#A!QtAyZI8&#*vS8QY5y~CQ+&}5}Fzux&BENj(VyS=b}?b?0&_6-xEkGV5b**}a? zy*7N^TD!1TOz8W%3yr3I+3v~BLl@`iR5WLF42{;O2{EkCu1_y!L;H&HT8C`|Lz}TdIH#w+V7INy z)?LcU2YPeas(O0rW$C%AFI{o%&=#yy0)Ev&*Oyq~D5d8QpFey7Ck!Qa#?azRaD-U| z;gpm*EzjBWElp&D1>zy;v}U(*jwRWZmHjNivwPl^ak>O+uJ^E^?z4t=EZ)zq`i2}1 zI3lvchIY3)CH8BE5-4B|9{6-G1jB(qVuej?&H4caA}h_}ea$M*OC6T2II^US(2-j@L_RP4r1iD!8{wICt1*Avw{emC}JR zO{@E9-VKDTqP1YWE4SK8vCUFh-*MBiy7!jtPbq83N>rtmGs*T=7T?G8P-fOr78=Vd zkrRvW<~S8j8d`jpRnYt&)sV2Za>Q51H^o&ceNL@$DwYV_n^zX|GgX?j_yIL9Iy%dJ zA8KDP@-FSoFxj>;^oTbBD~SM&s<*i}v2_;Rxf1cfroqy*6}yrq9!3*5QixCo8#I&f@#<=0v{+wOPE664I9D^+ID-YxhmGJ{|bA zKtbkIRj0{^5$|aiKk>V^_tP5Zw+pHuiZRnlbBNc44$moydeId+HAyrhQVt};gyJ*S zD;Dpu&hUOOFaUBCk!vCpC{+1{xvUB(MFn=Eh&gvawAtZJxOzs?Js*U*(qPZBb#W{L zu3-L)-p>P55jUYiVpZZJh5U_A$U22%FW!ZFL4#jg>8b)=(QvquGg8WcqbQ!-M$J7( zd_qe+_ae&+ycb43OL}@Qer$7&ea7O?MYhtNBAH}1kT1NOL)-FR?@85_!H8{WQb^e1 zJ&O1gdur>{47$ZiRVU3a-k~NiGv*28rZWyLxmGA@pZQ3wI!hN6I*@o(CR8`4?P4xs zy%i3qQWwpOKeq{*%PUgI%2Oz3Mtqy6{Lk6M?q!yi};r+E` zRWr_zEK``LP^n0@{iWrT`XpK|jm=diyQZw{|K-z0LAgP0W9tdgcaUF9R%eYmsG)`K zxcF|dr*f53r>f~HCC3XRH!Vj`*?D6=KYI0nn6G7K)5rL*Cbm4)CSq~i!pRiZZ>$FX zh$c$BdcOCv8Y|-isO4IRdl>xqCe1!hm;E-GZY^bd;Ga4pkwh4m?9KgI4}&`uDefT zT)Z30%fBrg7iQIsLehyoNC_lH9T67nT~2(y-mb|j=zaDa+BBeh}kI8Q&%fY zH4}EQwSk`g!wo0#eaULgfGD@{AwzR9H;vrF2-Tq=k^E7tmRRRamhP#|bHvx`!k3mB>4d4R2C6z9YRZxGY7!_d?-{=u+n zt92n37!-wojIbUONm8cL5gVeQ{|jiR*q~On6i*iG!>5O>CaP5G2cWXO-;f-&~kCs zXLf=1kfEp&7iq`Rv7KVJBTuJ>GWQX2V_bA|qba8^)51kooYzrusD+6B*5U{3sKt!!d(r!oo*QEXb8hx8Ppl2ruaf 
z&I_>$GMAd2V5bSM{0h%q>Ez?^CMq44Y-6TSsK}6FlwmWmLG2<#Wi3+fAdD2T>FCZ6 zELBG*Uhhtl z*?++cJ0O?dBw0TF60p#rebTYp-52&ziz4D00E|XL%M2iV%61x_yp8yt;v#_*QaPCO zCuw!9c8r?WIg^zGgtxx2euCRA-hne)`ju#%lk$kx4K!{}BIcF(iLUOjqgk`erGR)K zrZQ_UtG$lA!6Zd-E+R+Tx7VD+Gqd4=0j`?}4iU{XPAO7>%bUKm>}I$yk> zJ!A9E0+mhl3=rB=Ww-0{1?vM;bSqYxFr3o;VVYIlihpT}6-T9)|KHCyDzR;%-+ycq zB8)S(7%H(otC>APC%`e$6^LODe2k8Z1$E26-Vs7Yt*3hz??AUf;_+F&uwZ&@aYVe6 zDc8<73^lLW`e4+kR1pb=xRxjiaHhaenBppb04}yNMAde$eau#zu#Uc@z;+$a7aTLz zJ+c33wG$IzGgrfG%PA~OXU;iC*l$635#mQ_1esA=P-6H#;VH+?##=PU0zrbaH9jE zDheRItX)xQkn|hP7H*j|W>Hy-bRs!XUq###OS!-s^AEL+B$^-kIdI7~zR*8u;%5;G zF2q1KNBqH9Xz;OXuFK8dwK$Wpdx>)Ary@>UR5NPGrZGbuDNzpaV%Jas89RPFAwCj$ zMa-Hm7@90j6)m%PUZIn?2!HV|n*fWpl1M|%`^$uk?wQPwl6$f9otCA9Vr{}`i#nd)% znl*I=_tUcF+P5~v+^v>rBLCIzqZ$?~P*gXds-Uo;y*ghPP3ZtCofSd2PWC)MZ85h~ z3%*@8_cOX~^(q0qpn=I22*so1Ql80ANzC(c)w1}xOBZ|26bXxC{Rx5#s;gxGG?>u& zn=Ur4qX=^ES1}PYp%5_PHO`ZkOU1M{uKCOMpm&j-=pQQ3;zM^Lum4h6cpHju2ePv0 zk|LqRy4*&|t_pqtj--h11~b9z?Iiz%j9D0NONy6fRjcKhY*&1eO$k5Bv0>6S5*YtH ziK!>iNFu4&1Q9pJ9;GK{(lP7x8fJ|~x=J7K{0s=I41NVG1E?_i1T za7eM#a9Cuig<{L`uy`Jp_*9c!D!;i{GdE_@@pM=pVqt5QJgS@=Qh<|-X4mWtNi~e_ z%N1C&or8MXoi^D9$1j9>*=|~86xT4~5{@*g1wtHP${h2Ep(Xw#ol%Bo7JD@o4w?LQ zW?NHiWp9SgEn#KZnUiuKGad>mk{#|Y%fNlmfO5Y8#6i8o>K6x6#?~9jG!}eV^?@1I zG9pAK+L<9W7e8ZRU8L~!LWysr|H37!GlUY-U2rfhzVudJ`%^-Yl3S6nle?9fH%U;0y2lpg8|559UK{pf5uxXDhs zlpU>eFOxBxF8t=uODSj`XE+Mcx}>7wwwkxBYlIpyn)*QQTQrxd93+_A9KWK78FeiU zcKgS4XxU7Q?~)?ntt)oGaHtXnZlOxsG9QrbdZOiVc~TZ%(Q_e=-t#)6Vi(KH=hdB9 zS$QDKR?`*xry>vr>zcfc`=^LAdegOjMH= z9ZvpC4XG@>XJ)!0EJnd>XxibKW>Q37nbkc6v3NTMlR%$5vT07*9w&LXbG^2U|MK}jN!^`}AkWST6#Px`R0st#JFM1c=ciRSM#e$7^| z7=yW^Av-lU%2~7ANW@``lVgDC@Zz|b=enU4g)&nrgxPs8Rjz85OZob$Ss|Qk8JZ{? zrr`7*P7w`Ko

z$poKXjJ*ek$b@GMh;(4y_k3>U#5LGu3W-`u?gBa7LQGi?jma2e zZ*@{gyy!CyOhf!SV;hIwE?+0edcW1-%v=2nr+Mdw!mNAy+>*Z7pgxp!*5{-)kE1a# z<9#+Ire&C$A-DJeo0J21q)$sl-9R0Cp?bL&G)FQm2a?IP0@-vHWnod)Cb`P`r0ZPF zFvZA7>Xzjw(&Ikk(NW`CHt2At9qNTz%lV{vp1*n?p%TIVH{-vr2-+8>i#0Azx438^ zI)ep!l0wZQJuLSwX9&He#!^BoMyx=8r&5gT_5(V6*_uar*ITm2Gn!k2-kG*mSA4K_ z2eja^xtTfVI&&E1Fd5AK5%@x8GqiPsbl741_b@$$3=f*05{ODRuJIoBF``|A$ElesuRV&@V zp&w2-;wptW^ugz?OzOV|2WC}fQ05S^h@6}II^xc;{k)qfJ}e@ijT9nt#VQs4xB z2~O7;(0$|lqmsTcAP+Ypg26od=#Px&fM}3og2iu?I-LqBBT{X` z^;74RWAx%62e3G*!8^yf2jf1A2zNL32`^)_m)fY!TT3j?6pRLO$zZx9W9H`6T$esm z&`qOFq)jCR*UKR&-H@MlM64X)T_30Qun~>c>Hq=k6pZRtr`guO4X6D@GJa5~(d8{C zYEW;pF&jN2t`(^Y1OuA&w|Ji&5J{0Fj6NoXAaJ;zFFYtUUt@UT$5ObH*uH5+&FXL= z509*vP7mYbNj4a19Hars&x|O5#_Ij5HQHg=t4?!KDs20@4NAcUZAMQtH|Z2=>XMO4 zT12xw$*3oUrW`avtJ^Vyn}O=7b2a_r0kn7@7+S`|j+~7eOo28zofc;!EY%X~tXiwR znwxE@FhhD5(?@4dC_j#~@Kqgt%QM9xw2SxfPf20-vJ}2}kNzbG`2#TowLW7@cc4xj z!7Xo*XIbV{mUW|K)Hgm#;$!M+FH_*yos{!xMLUd!Z(i^tYt_o2U#P|hHv@Ac&7w^L zRg?%U+{!pGE6s?}>uoFTf$Z6^J{h)gvU=tfcgE7q@O0j7 zGD0Al2bvW6TkInECTwd5-Qo6_4GmR|${{^kBSuY2G(J1GZh*}U_=XH4Ba!qJKVv2_ z#>JIN54_L2)!3HS*#=}-tVGO__yWaM<>7%bLoMrjG$g%i#56d^r4&tKdx!zeBYgs+ zlq*}z0hYIb*{043VZ|^*@v6=KPnasY$$3~P-&#x zR5?waJTELgk(1ZCQZ2rTXYLl>j=F2bW^vpX$}}@)^RE=on~pOGruF$IQ>V&#i?6^h z61PFHPi3X=NQhQX6hNkyw^Bu}YbgZJDV#j3CG8>Zqc(M7wm^agelC1*M$sPd@sX`poBDbiGR1^+x zJE_?&Dm_8ME_$Us4u~o5e#(*-IPXFi@ve8TUx*u4pAT4EWpaeWd==A4Q)2{^RE`iJ zA+FOEVaUJGW6o^rG=`^O)^%r)`z3zaH?vjSRO4`g`v8VMGWI4%q!FT zl2f_z_vCE52g2uZy){pO49YWz{!_H40R@N*WLCkz(J_gNbGbY?G43;uZRyHNJ?%m8 z{9sD^{%X-wEjn|%(o>?22u5(q^BZQl_Kfiho2*)rlt-i;@acd0Fqn zNH_?EGN?NzHi=lI2h8$cb4}&^!wyvHdykR4+(+5@#eE;<8Ry3sFOw*oX1rXACP#NJ zR~J9qc$pk5fgg8wuv9v0Wx28jzaM3KhutMEiDT@}G`7qd@rprqs<^RvT*IoIczAR( znI|y2&$YH~L48vl<0-sxhWD;zSv#V-M_xgv4Ju|PB~)y?x`4T;m|byIxLZA4ydM$U zBka~>ha~fj&PcYRb$*)kB5LU#+1_|9DiUKN@%qHw=*^+I23myHcQq=pqE{<4%z~kK z>M>HvRRIjBs#H&UbdV(Wv*`HI0m?o-)#*{YqG6oZbZ8li*#;M`RNg_kNpT&R83jt{ znP0l6zRI@CwHya;Ky8)3#spIGE!D-thb3BcUQ4U 
zKdP?l0x_8+1YK_>`ay7J5zsSckIX1o-F*?%iR1Isvr+&;Tzl-yY%{< zkMS^?YiMa*)E#|H$|8hH5SOS-j8ECoB_8lnt_&2+D?g<;>WN^i}v%OQP+^=GN=l@W0f?W0IAVLAvKPg z1sFrIAx~7qcw96&E6Talj(gO}S0W^H`N>PV)J73HMRB0o7a}Iy{Y{7n9k9P7`;4-J z+^GDTxK&U--5MFdH@YTeCJM93yVR_VGE;HKHbZLI)BMX7Y-7MWWI&7lJ`GL2?8AWS zOr5}5GMBDXm|hT{Z$}2HY6a~K$`7GXF1*D5%aUCpHN4a2TM1OH%-zQ(R<816XmBBl zz$loR8G}J2WpF>pJHt?wIDR(U;EVp!LaA_JddHF!Cx?Y!g~r@I3lB&6jRK@!?JzC*K21 zj$V$M%A_kzp|?m5ufeszM8fOOR?A!yW_l$$Nzs-rGp)oTAB}|cs1zJOnqJwd9i}!K zdvra)vR*1HcN`tU_l1h7W~0p}ZYOP0!0Psgz)&;oY4HQ}Bf>k`9sC@PgU0I@wY`JwT^tPf>RVsS6x zj)7a;JTpn85L*~LQ?S|Pw19Nn>TZ1FYg)2#D~=YzA(riDil zCOpB}THLjSBgve@dJ+6caM!EZ#up`V_t9X{>D0+Qf}+B(Si<~fRu!~PO)O|qZeL}I z4>~ZoY+fUDpb5FCsF&=$F!-F+t^GV?SDZNJT$DA%NsY5=2p>ypH-6^YQyyJrMeBTV zeZ|Xy7HNDk_NquPZo!Zq7FT;%!(?gDmo4F%95Q12uW65uS*AznpmVD%>e~S8Nv^0+ z1@AQ&Vs_TJdM_>qnKv)*SRFHN&eWn7U}^F$MtSVo$eMCuB@4XNF{+w6cU;*NcSaTW z{@4ohQfBtA{2@ab&l*<~jBhhun(uKNb2xE46rp9|kRXcz#+Z{f!eiH7AP;g1rnI@7 zJa2O`2Wkj!)vZ0F#5syA@o8r@)>Ab^j#|ecI2xRO9*XBP32GG;*94(qZhWt-tZ|$e z{TuVVAu^a7YDuB0n#mHjw&oOAG=m;?Yl!G0Ycd{_(bb{mm>ocFougGqM zx=75iR?zw4eQXPjzuNIHtub z&~9ao?BjfICSeHeu#5^s=?3{S`B)}er$;n|cqLrlSgl$fDC**nLcYEO#pM&ns4-4& zbizULB!wytr;}{=?f8l1CfRLdqX4i-69xTKASXiMBB~PZGB{I3Y!IK!al2gyptB4U z)F2j3Y~PXT19?Yk#ME%#V7M(KcT9!`XE%<9*!7(F@Og1s^53@T_<$df#K6ir)8dES!qo_hMUiDtg~5 YPDSs3R;~9v3#XzNo)0(`J(A@A2iU^(XaE2J literal 0 HcmV?d00001 diff --git a/po/ca.po b/po/ca.po new file mode 100644 index 0000000..a732746 --- /dev/null +++ b/po/ca.po 
@@ -0,0 +1,2966 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# muzzol , 2012
+# muzzol , 2012
+# muzzol , 2012
+# sgallagh , 2011
+# sgallagh , 2011
+# Robert Antoni Buj Gelonch , 2015. #zanata
+# Robert Antoni Buj Gelonch , 2017. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2017-10-15 03:02+0000\n"
+"Last-Translator: Robert Antoni Buj Gelonch \n"
+"Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
+"ca/)\n"
+"Language: ca\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Estableix la verbositat del registre de depuració"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Inclou les marques temporals als registres de depuració"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+"Inclou els mil·lisegons a les marques temporals als registres de depuració"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Escriu els missatges de depuració als fitxers dels registres"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "L'ordre per iniciar el servei"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "El nombre de vegades per intentar la
connexió als proveïdors de dades"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+"El nombre de descriptors de fitxers que poden estar oberts per aquest "
+"contestador"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "El temps d'inactivitat abans de la desconnexió automàtica d'un client"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Els serveis del SSSD a iniciar"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Els dominis del SSSD a iniciar"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "El temps d'expiració per als missatges enviats a través del SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "L'expressió regular per analitzar el nom d'usuari i el domini"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Format compatible amb printf per mostrar els FQN"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"El directori del sistema de fitxers on el SSSD ha d'emmagatzemar els fitxers "
+"de la memòria cau de repetició de Kerberos."
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "El domini per afegir als noms sense un component de domini."
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr "L'usuari a qui se li disminueixen els permisos"
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+"Tots els espais, als noms dels grups o dels usuaris, se substituiran amb "
+"aquest caràcter"
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+"Període de temps per a l'expiració de la memòria cau de les enumeracions (en "
+"segons)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+"Període de temps per a l'expiració de l'actualització en rerefons de les "
+"entrades de la memòria cau (en segons)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+"Període de temps per a l'expiració de la memòria cau negativa (en segons)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Els usuaris que l'SSSD hauria d'ignorar explícitament"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Els grups que l'SSSD hauria d'ignorar explícitament"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in
groups"
+msgstr "Si els usuaris filtrats han d'aparèixer als grups"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+"El valor del camp de la contrasenya que ha de retornar el proveïdor NSS"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+"Substitueix el valor de homedir del proveïdor d'identitat amb aquest valor"
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Substitueix el valor buit de homedir del proveïdor d'identitat amb aquest "
+"valor"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+"Substitueix el valor del shell del proveïdor d'identitat amb aquest valor"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+"La llista dels shells que els usuaris poden utilitzar per iniciar la sessió"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+"La llista dels shells que es vetaran i se substituiran amb el shell "
+"alternatiu"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Si un shell emmagatzemat al directori central està permès però no es troba "
+"disponible, utilitza aquesta alternativa"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "El shell a utilitzar si el proveïdor no en llista cap"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Quant de temps seran vàlids els registres a la memòria cau"
+
+#:
src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Quant de temps s'ha de permetre entre els inicis de sessions en memòria cau "
+"i els inicis de sessions en línia (en dies)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+"Quants intents fallits d'inicis de sessió es permeten quan s'està "
+"desconnectat"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Quant de temps (en minuts) s'ha de denegar l'inici de sessió després d'haver "
+"assolit offline_failed_login_attempts"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr "Quins tipus de missatges es mostren a l'usuari durant l'autenticació"
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+"Quants segons s'ha de mantenir la informació en la memòria cau per a les "
+"peticions PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+"Quants dies abans del venciment de la contrasenya s'hauria de mostrar una "
+"advertència"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr "La llista dels uid o dels noms d'usuari de confiança"
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+"La llista dels dominis accessibles fins i tot per als usuaris que no són de "
+"confiança."
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr "El missatge que es mostra quan venç el compte de l'usuari."
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr "Si s'avaluen els atributs basats en temps a les regles sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+"Si s'esbocinen els noms i les adreces dels amfitrions al fitxer known_hosts"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+"Quants segons s'ha de mantenir un amfitrió al fitxer known_hosts després que "
+"s'hagi sol·licitat la seva clau"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+"La llista dels UID o dels noms d'usuari que poden accedir al contestador del "
+"PAC"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+"La llista dels UID o dels noms d'usuari que poden accedir al contestador de "
+"l'InfoPipe"
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr "La llista dels atributs de l'usuari que l'InfoPipe pot publicar"
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Proveïdor d'identitat"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Proveïdor d'autenticació"
+
+#:
src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Proveïdor de control d'accés"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Proveïdor de canvi de contrasenya"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "Proveïdor de SUDO"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Proveïdor d'Autofs"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "Proveïdor d'identitat d'amfitrions"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "Id. mínim d'usuari"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "Id.
màxim d'usuari"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Habilita l'enumeració de tots els usuaris/grups"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Credencials en memòria cau per als inicis de sessions sense connexió"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Emmagatzema els codis hash de les contrasenyes"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Mostra els usuaris/grups en format plenament qualificat"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr "No incloure als membres dels grups en la recerca del grup"
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr ""
+"Període de temps per a l'expiració de les entrades de la memòria cau (en "
+"segons)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Restringeix o prefereix una família específica d'adreces quan es realitzi la "
+"recerca del DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Quant de temps s'han de mantenir les entrades en la memòria cau després de "
+"l'últim inici de sessió reeixit (en dies)"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+"Temps d'expiració per a les respostes del DNS en la resolució dels servidors "
+"(en
segons)"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "La part del domini de la consulta DNS del descobriment del servei"
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr ""
+"Substitueix el valor del GID del proveïdor d'identitat amb aquest valor"
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr "Distingeix entre majúscules i minúscules als noms d'usuari"
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr "Amb quina freqüència les entrades vençudes s'actualitzen al rerefons"
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr "Si s'actualitza automàticament l'entrada DNS del client"
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr "El TTL per aplicar a l'entrada DNS del client després d'actualitzar-ho"
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+"La interfície amb la IP que s'hauria d'utilitzar per a les actualitzacions "
+"dinàmiques DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr "Cada quant s'actualitzarà automàticament l'entrada DNS del client"
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr "Si el proveïdor ha d'actualitzar explícitament així el registre PTR"
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr "Si la utilitat nsupdate per defecte ha
d'utilitzar TCP"
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+"Quin tipus d'autenticació s'ha d'utilitzar per realitzar l'actualització del "
+"DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr "Control de l'enumeració dels amfitrions de confiança"
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr "Amb quina freqüència s'ha de refrescar la llista dels subdominis"
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr "Llista de les opcions que han de ser inherents a un subdomini"
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "Domini IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "Adreça del servidor IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr "Adreça del servidor IPA de reserva "
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr "Nom d'amfitrió del client IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr "Si s'actualitza automàticament l'entrada DNS del client a FreeIPA"
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr "Base de cerca
per als objectes relacionats amb HBAC"
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+"Quantitat de temps entre recerques de les regles HBAC contra el servidor IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+"Quantitat de temps en segons entre recerques de les assignacions SELinux "
+"contra el servidor IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+"Si s'estableix a fals, s'ignorarà l'argument de l'amfitrió proporcionat amb "
+"PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+"La ubicació de l'eina de muntatge automàtic que aquest client IPA està "
+"utilitzant"
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+"Base de cerca per a l'objecte que conté la informació sobre el domini de "
+"l'IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+"Base de cerca per als objectes que contenen informació sobre els intervals "
+"d'id."
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+"Habilita els llocs DNS - el descobriment del servei es basa en la ubicació"
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr "Base de cerca per als contenidors de la vista"
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr "Objectclass per als contenidors de la vista"
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr "L'atribut amb el nom de la vista"
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr "Objectclass per substituir els objectes"
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr "L'atribut amb la referència a l'objecte original"
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr "Objectclass per als objectes de substitució d'usuari"
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr "Objectclass per als objectes de substitució de grup"
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr "Domini Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr "Adreça del servidor de l'Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr "Adreça del servidor de l'Active Directory de reserva"
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr "Nom d'amfitrió del client d'Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "Filtre LDAP per determinar els privilegis d'accés"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr "Si s'utilitza el catàleg global per a les recerques"
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr "Mode d'operació per al control d'accés basat en GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+"Quantitat de temps entre recerques de fitxers de polítiques GPO contra el "
+"servidor d'AD"
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+"Noms dels serveis del PAM que s'assignen als ajusts de les polítiques "
+"(Deny)InteractiveLogonRight del GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+"Noms dels serveis del PAM que s'assignen als ajusts de les polítiques "
+"(Deny)RemoteInteractiveLogonRight del GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+"Noms dels serveis del PAM que s'assignen als ajusts de les polítiques "
+"(Deny)NetworkLogonRight del GPO" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" +"Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " +"(Deny)BatchLogonRight del GPO" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" +"Noms dels serveis del PAM que s'assignen als ajusts de les polítiques " +"(Deny)ServiceLogonRight del GPO" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" +"Noms dels serveis del PAM als quals sempre se'ls garanteix l'accés basat en " +"GPO" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" +"Noms dels serveis del PAM als quals sempre se'ls denega l'accés basat en GPO" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" +"Dret (permet o denega) predeterminat de l'inici de sessió a utilitzar per " +"als noms dels serveis del PAM sense assignar" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "un lloc determinat per utilitzar amb el client" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Adreça del servidor Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "Adreça del servidor Kerberos de reserva" + +#: 
src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Reialme Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Temps d'expiració de l'autenticació" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "Si es creen els fitxers kdcinfo" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "Si es rebutgen les parts de la configuració del krb5" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "Directori per emmagatzemar la memòria cau de les credencials" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Ubicació de la memòria cau de les credencials de l'usuari" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Ubicació de la clau per validar les credencials" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Habilita la validació de credencials" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" +"Emmagatzema la contrasenya si s'està desconnectat per a l'autenticació " +"posterior amb connexió" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "Temps de vida renovable del TGT" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "Temps de vida del TGT" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "Temps entre les dues comprovacions per a la renovació" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "Habilita FAST" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "Selecciona el principal per utilitzar amb FAST" + +#: 
src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "Habilita la canonització del principal" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "Habilita els principals empresarials" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" +"Servidor on es troba el servei de canvi de contrasenya si no està al KDC" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, L'URI del servidor LDAP" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "ldap_backup_uri, L'URI del servidor LDAP" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "El DN base per defecte" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "El tipus d'esquema en ús al servidor LDAP, rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "El DN de creació del vincle per defecte" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" +"El tipus del testimoni d'autenticació del DN de creació del vincle per " +"defecte" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "El testimoni d'autenticació del DN de creació del vincle per defecte" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Període de temps per intentar una connexió" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr 
"Període de temps per intentar operacions LDAP asíncrones" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" +"Període de temps entre els intents per tornar a connectar mentre s'està " +"desconnectat" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "Utilitza només majúscules pels noms de reialme" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "Fitxer que conté els certificats de l'AC" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "Camí al directori del certificat de l'AC" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "Fitxer que conté el certificat de client" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "Fitxer que conté la clau de client" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "Llista de paquets de xifrat possibles" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "Requereix verificació de certificat TLS" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "Especifica el mecanisme SASL a utilitzar" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "Especifica l'id. 
d'autorització SASL a utilitzar" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "Especifica el reialme d'autorització SASL a utilitzar" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "Especifica el SSF mínim per a l'autorització SASL de LDAP" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "Taula de claus del servei del Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Utilitza l'autenticació Kerberos per a la connexió LDAP" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "Segueix les referències LDAP" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "Temps de vida del TGT per la connexió LDAP" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "Com desreferenciar els àlies" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "Nom del servei per a la recerca del servei del DNS" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "El nombre de registres a recuperar en una sola consulta LDAP" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" +"El nombre de membres que han de faltar per activar una de-referència completa" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" +"Si la biblioteca LDAP hauria de realitzar una recerca inversa per canonitzar " +"el nom d'amfitrió durant la creació del vincle SASL" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr 
"L'atribut entryUSN" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "L'atribut lastUSN" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" +"Quant de temps s'ha de retenir una connexió al servidor LDAP abans de " +"desconnectar" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "Inhabilita el control de paginació LDAP" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "Inhabilita la recuperació de l'interval de l'Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "Període de temps per esperar una petició de cerca" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "Període de temps per esperar una petició d'enumeració" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "Període de temps entre les actualitzacions de les enumeracions" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "Període de temps entre les neteges de la memòria cau" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "Requereix TLS per a la recerca d'id." + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" +"Utilitza l'assignació dels id. de l'objectSID en lloc dels id. 
pre-establerts" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "DN base per a la recerca de l'usuari" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "Abast de la recerca de l'usuari" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "Filtre per a la recerca de l'usuari" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "Objectclass per als usuaris" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "L'atribut nom d'usuari" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "L'atribut UID" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "L'atribut GID primari" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "L'atribut GECOS" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "L'atribut directori inicial" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "L'atribut shell" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "L'atribut UUID" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "L'atribut objectSID" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "L'atribut grup primari de l'Active Directory per a l'assignació d'id." 
+ +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "L'atribut usuari principal (per a Kerberos)" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "Nom complet" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "L'atribut memberOf" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "L'atribut data de modificació" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "L'atribut shadowLastChange" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "L'atribut shadowMin" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "L'atribut shadowMax" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "L'atribut shadowWarning" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "L'atribut shadowInactive" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "L'atribut shadowExpire" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "L'atribut shadowFlag" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "L'atribut que llista els serveis PAM autoritzats" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "L'atribut que llista els amfitrions dels servidors autoritzats" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "L'atribut krbLastPwdChange" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "L'atribut krbPasswordExpiration" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid 
"Attribute indicating that server side password policies are active" +msgstr "" +"L'atribut que indica l'activació de les polítiques de contrasenya de servidor" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "L'atribut accountExpires de l'AD" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "L'atribut userAccountControl de l'AD" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "L'atribut nsAccountLock" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "L'atribut loginDisabled del NDS" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "L'atribut loginExpirationTime del NDS" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "L'atribut loginAllowedTimeMap del NDS" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "L'atribut clau pública SSH" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "atribut que llista els tipus permesos d'autenticació per a un usuari" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "atribut que conté el certificat X509 de l'usuari" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" +"Una llista dels atributs extres per baixar juntament amb l'entrada de " +"l'usuari" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "DN base per a la recerca del grup" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "L'objectclass 
per als grups" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "Nom del grup" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "Contrasenya del grup" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "L'atribut GID" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "L'atribut membre del grup" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "L'atribut UUID del grup" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "L'atribut data de modificació per als grups" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "Tipus del grup i altres senyals" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "DN base per a la recerca del grup de xarxa" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "L'objectclass per als grups de xarxa" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "Nom de grup de xarxa" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "L'atribut membres del grup de xarxa" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "L'atribut triple del grup de xarxa" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "L'atribut data de modificació per als grups de xarxa" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "DN base per a la recerca del servei" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid 
"Objectclass for services" +msgstr "Objectclass per als serveis" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "L'atribut nom del servei" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "L'atribut port del servei" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "L'atribut protocol del servei" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "Límit inferior per a l'assignació d'id." + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "Límit superior per a l'assignació d'id." + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "Nombres d'id. per cada porció en l'assignació d'id." + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "Utilitza l'algoritme compatible d'autorid per a l'assignació d'id." + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "Nom del domini per defecte per a l'assignació d'id." + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "SID del domini per defecte per a l'assignació d'id." 
+ +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "Utilitza LDAP_MATCHING_RULE_IN_CHAIN per a la recerca del grup" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "Utilitza LDAP_MATCHING_RULE_IN_CHAIN per a la recerca del grup inicial" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "Si s'utilitzen els grups amb testimonis" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "Estableix el límit inferior per als id. permesos del servidor LDAP" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "Estableix el límit superior per als id. permesos del servidor LDAP" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "DN per a les consultes ppolicy" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "Política per avaluar el venciment de la contrasenya" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" +"Quins atributs s'haurien d'utilitzar per avaluar si el compte ha vençut" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "Quines regles s'haurien d'utilitzar per avaluar el control d'accés" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "URI d'un servidor LDAP on es permeten els canvis de contrasenya" + +#: 
src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" +"URI d'un servidor LDAP de reserva on es permeten els canvis de contrasenya" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "Nom del servei DNS pel servidor LDAP de canvi de contrasenyes" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" +"Si s'actualitza l'atribut ldap_user_shadow_last_change després d'un canvi de " +"contrasenya" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "DN base per a la recerca de les regles sudo" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "Període d'actualització automàtica completa" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "Període d'actualització automàtica intel·ligent" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "Si es filtren les regles per nom d'amfitrió, adreça IP i xarxa" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" +"Noms d'amfitrió i/o noms de domini plenament qualificat d'aquesta màquina " +"per filtrar les regles de sudo" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" +"Adreces IPv4 o IPv6 o xarxa d'aquesta màquina per filtrar regles de sudo" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" +"Si s'inclouen les regles que contenen el grup de xarxa a l'atribut de " +"l'amfitrió" + +#: 
src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" +"Si s'inclouen les regles que contenen expressions regulars a l'atribut de " +"l'amfitrió" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "Objectclass de les regles sudo" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "Nom de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "Attribut command de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "L'atribut host de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "L'atribut user de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "L'atribut option de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "L'atribut runas de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "L'atribut runasuser de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "L'atribut runasgroup de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "L'atribut notbefore de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "L'atribut notafter de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "L'atribut order de la regla sudo" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "Objectclass per a les assignacions de l'eina de muntatge automàtic" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" 
+msgstr "L'atribut nom de l'assignació de l'eina de muntatge automàtic" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" +"Objectclass per a les entrades de les assignacions de l'eina de muntatge " +"automàtic" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" +"L'atribut clau d'entrada de l'assignació de l'eina de muntatge automàtic" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" +"L'atribut valor de l'entrada de l'assignació l'eina de muntatge automàtic" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" +"DN base per a la recerca de l'assignació de l'eina de muntatge automàtic" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "Llista separada per comes dels usuaris autoritzats" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "Llista separada per comes dels usuaris no autoritzats" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "El shell predeterminat, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "Base per als directoris inicials" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "El nom de la biblioteca NSS a utilitzar" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" +"Si se cerca el nom del grup canònic des de la memòria cau, si és possible" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "Pila PAM a utilitzar" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "Esdevé un dimoni (per defecte)" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "Executa en mode interactiu (no com a dimoni)" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "Especifica un fitxer de configuració diferent del predeterminat" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "Imprimeix el número de versió i surt" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "Nivell de depuració" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Afegeix les marques temporals de depuració" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "Mostra les marques temporals amb microsegons" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 
+msgid "An open file descriptor for the debug logs" +msgstr "Un descriptor de fitxer obert pels registres de depuració" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." +msgstr "Envia directament la sortida de depuració al stderr." + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "L'usuari amb què es crea la ccache FAST" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "El grup amb què es crea la ccache FAST" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "Domini del proveïdor d'informació (obligatori)" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "El sòcol amb privilegis té malament els permisos o el propietari." + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "El sòcol públic té malament els permisos o el propietari." + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "Format inesperat del missatge de les credencials del servidor." 
+ +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "L'SSSD no s'està executant com a root." + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "S'ha produït un error però no s'ha pogut trobar cap descripció." + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "Error inesperat en cercar una descripció de l'error" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. " +msgstr "Permís denegat." + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "Missatge del servidor: " + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "Les contrasenyes no coincideixen" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "No s'admet el restabliment de la contrasenya pel root." + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "S'ha autenticat amb credencials de la memòria cau" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr ", la vostra contrasenya en memòria cau vencerà el: " + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" +"La vostra contrasenya ha vençut. Teniu %1$d inicis de sessió restants de " +"cortesia." + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "La vostra contrasenya vencerà en %1$d %2$s." 
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "S'ha denegat l'autenticació fins: "
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "El sistema està desconnectat, el canvi de contrasenya no és possible"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+"Després de canviar la contrasenya OTP, heu de tancar la sessió i tornar-la a "
+"iniciar per tal d'adquirir un tiquet"
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Ha fallat el canvi de contrasenya."
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nova contrasenya: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Torneu a introduir la nova contrasenya: "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr "Primer factor:"
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr "Segon factor:"
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Contrasenya: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Contrasenya actual: "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "La contrasenya ha vençut. Canvieu ara la vostra contrasenya."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "El nivell de depuració amb què s'executa"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "El domini SSSD a utilitzar"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "S'ha produït un error en establir la configuració regional\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr "No hi ha memòria suficient\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "No s'ha especificat l'usuari\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "S'ha produït un error en cercar les claus públiques\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "El port a utilitzar per connectar-se a l'amfitrió"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Port no vàlid\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "No s'ha especificat l'amfitrió\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "El camí a l'ordre proxy ha de ser absolut\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "L'UID de l'usuari"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "La cadena del comentari"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "El directori inicial"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "El shell de l'inici de sessió"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Els grups"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Crea el directori de l'usuari si no existeix"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "No creïs mai el directori de l'usuari, substitueix la configuració"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Especifica un directori esquemàtic alternatiu"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "L'usuari de SELinux per a l'inici de sessió de l'usuari"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Especifica el grup a afegir-se\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Especifica l'usuari a afegir\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr ""
+"S'ha produït un error en inicialitzar les eines - no hi ha cap domini local\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "S'ha produït un error en inicialitzar les eines\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "S'ha especificat un domini no vàlid al FQDN\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "S'ha produït un error intern en analitzar els paràmetres\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Els grups han d'estar al mateix domini que l'usuari\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr "No es pot trobar el grup %1$s al domini local\n"
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "No es poden establir els valors per defecte\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "L'UID seleccionat es troba fora de l'interval permès\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "No es pot establir el context de l'inici de sessió de SELinux\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "No es pot obtenir la informació sobre l'usuari\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+"El directori inicial de l'usuari ja existeix, no es copiaran les dades del "
+"directori esquemàtic\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr "No es pot crear el directori inicial de l'usuari: %1$s\n"
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr "No es pot crear la gestió de cues del correu de l'usuari: %1$s\n"
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr "No s'ha pogut assignar un id. per a l'usuari - domini ple?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr "Ja existeix un usuari o grup amb el mateix nom o id.\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "S'ha produït un error de transacció. No s'ha pogut afegir l'usuari.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "El GID del grup"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Especifica el grup a afegir\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "El GID seleccionat està fora de l'interval permès\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "No s'ha pogut assignar un id. pel grup - domini ple?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Ja existeix un grup amb el mateix nom o GID\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr ""
+"S'ha produït un error en la transacció. No s'ha pogut afegir el grup.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Especifiqueu el grup a eliminar\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr "El grup %1$s està fora de l'interval d'id. definit pel domini\n"
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+"Ha fallat la sol·licitud NSS (%1$d). L'entrada podria romandre en la memòria "
+"cau.\n"
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"No existeix el grup al domini local. L'eliminació dels grups només està "
+"permesa al domini local.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "S'ha produït un error intern. No s'ha pogut eliminar el grup.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr "Els grups per afegir aquest grup"
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr "Els grups per eliminar aquest grup"
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr "Especifica el grup del qual s'ha d'eliminar\n"
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Especifica el grup a modificar\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"No es pot trobar el grup al domini local, la modificació de grups només es "
+"permet al domini local\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr "Els grups membres han d'estar al mateix domini com a grup primari\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+"No s'ha pogut trobar el grup %1$s al domini local, només es permeten els "
+"grups al domini local\n"
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"No s'ha pogut modificar el grup - comproveu que els noms dels grups membres "
+"siguin correctes\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+"No s'ha pogut modificar el grup - comproveu que el nom de grup sigui "
+"correcte\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr ""
+"S'ha produït un error en la transacció. No s'ha pogut modificar el grup.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr "%1$s%2$sGrup: %3$s\n"
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Privat màgic "
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr "%1$sNúmero GID: %2$d\n"
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr "%1$sUsuaris membre: "
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+"\n"
+"%1$sÉs un membre de: "
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+"\n"
+"%1$sGrups membres: "
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Imprimeix els membres dels grups indirectes amb recursivitat"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Especifica el grup a mostrar\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"No s'ha trobat el grup al domini local. La impressió dels grups només està "
+"permesa al domini local.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "S'ha produït un error intern. No es pot imprimir el grup.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Elimina el directori inicial i la gestió de cues del correu"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "No eliminis el directori inicial i la gestió de cues del correu"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Força l'eliminació de fitxers que no són propietat de l'usuari"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "Mata els processos de l'usuari abans d'eliminar-lo"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Especifica l'usuari a eliminar\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr "L'usuari %1$s està fora de l'interval d'id. pel domini\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "No es pot reiniciar el context d'inici de sessió de SELinux\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+"ATENCIÓ: L'usuari (uid %1$lu) encara estava en la sessió quan es va "
+"eliminar.\n"
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+"No es pot determinar si l'usuari tenia la sessió iniciada a aquesta "
+"plataforma"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr ""
+"S'ha produït un error en comprovar si l'usuari havia iniciat la sessió\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr "L'ordre post-delete ha fallat: %1$s\n"
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "No s'ha eliminat el directori inicial - no és propietat de l'usuari\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr "No es pot eliminar el directori inicial: %1$s\n"
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"No s'ha trobat l'usuari al domini local. L'eliminació d'usuaris dels grups "
+"només està permesa al domini local.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "S'ha produït un error intern. No s'ha pogut eliminar l'usuari.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "El GID de l'usuari"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Els grups per afegir aquest usuari"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Els grups per eliminar aquest usuari"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Bloqueja aquest compte"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Desbloqueja aquest compte"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Afegeix una parella atribut/valor. El format és nomatribut=valor."
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr "Elimina una parella atribut/valor. El format és nomatribut=valor."
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Estableix un atribut a una parella atribut/valor. El format és "
+"nomatribut=valor. Per als atributs amb múltiples valors, l'ordre substitueix "
+"els valors ja presents."
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr "Especifica les parelles nom/valor de l'atribut\n"
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Especifica l'usuari a modificar\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"No es pot trobar l'usuari al domini local, la modificació d'usuaris només es "
+"permet al domini local\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"No s'ha pogut modificar l'usuari - comproveu que els noms dels grups siguin "
+"correctes\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr "No s'ha pogut modificar l'usuari - l'usuari ja pertany als grups?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr ""
+"S'ha produït un error en la transacció. No s'ha pogut modificar l'usuari.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr "Cap objecte de la memòria cau ha coincidit amb la cerca especificada\n"
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr "No s'ha pogut invalidar %1$s\n"
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr "No s'ha pogut invalidar %1$s %2$s\n"
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr "Invalida un usuari determinat"
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr "Invalida tots els usuaris"
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr "Invalida un grup determinat"
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr "Invalida tots els grups"
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr "Invalida un grup de xarxa determinat"
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr "Invalida tots els grups de xarxa"
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr "Invalida un servei determinat"
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr "Invalida tots els serveis"
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr "Invalida una assignació autofs determinada"
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr "Invalida totes les assignacions autofs"
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr "Invalida un amfitrió SSH determinat"
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr "Invalida tots els amfitrions SSH"
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr "Invalida les entrades només d'un domini determinat"
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr "Si us plau, seleccioneu almenys un objecte a invalidar\n"
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+"No es pot obrir el domini %1$s. Si el domini és un subdomini (domini de "
+"confiança), utilitzeu el FQN en lloc del paràmetre --domain/-d.\n"
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr "No s'han pogut obrir els dominis disponibles\n"
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr "El nom '%1$s' no sembla un FQDN ('%2$s = TRUE' està establert)\n"
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Sense memòria\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr "S'ha d'executar %1$s com a root\n"
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr "\n"
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr "L'id. d'usuari amb què s'executa el servidor"
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr "L'id. de grup amb què s'executa el servidor"
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/de.gmo b/po/de.gmo new file mode 100644 index 0000000000000000000000000000000000000000..ee8d9acb52231df45a3a7e098cffa53233252e03 GIT binary patch literal 45862 zcmb`Q37jNldH)MVjf;SC3CdA&?!xvgyWEQ$vpciPve&RP%j%-8J<~Na&Gd8+UEMp( zcp(~ypeW*P3?3MXnh=kWL@`8HrABtaB z)qB6s`&{o+?|$`|!(SWm_u9jv=w$HYPl%#Z9u-Bklk_x-{^@B^#H;9Q;PK!;gU5kC z0hQ#a)7|}YQ17n*j{!%)bHGV(HFy_zHTb9CrQl&_MA4JMwcy#{4lo86{PQ<~mvH}n z@HFsW!L{JBGhKbdpxV0|+zrly7l5Ay&jlZQRuruRSA#3SmdD=$`7inu|BJ!zfojLm zG~xvC9PnuHO7IkL8+a;M18G8ZC#d`n_~)PZ&wm7JJWiz3YS$X@so-`{`Defr!8<^u zdxyu5fGYP9Q0@LHNKw(*%cJOWa4X28=w;vt_&#t9d=#D90qz1dKJNxq?`J@j_breq zijJVrr+_6;?Y;)2h^P*#J+B8<-|vGOzem6|;1TD!@xKxrOw^a4dKPI0UM`5%3DI3aUTv0-3Vt$DrDE%7E+722kZqf>agV z1M*+=F#l8gz6a|4(^k25Zv)l;TS4{zUhoOvK2Y=cHz1@JeGj}Cd=iaQz1M(rIhqBP z?hPPGq6hu`H$lzU;SjN&p9-p+Z6HG&-2`eJ-VBP4J_2eTd>&N$z6(AcJds8p4W14j z39bRvj;le@-8{GqybC-Ed?WZ+@P1J3djM2@e-DbT4rj77uQ3>dmxH2%XMxK9d{E#|6umwIGL_M>EMBeOLH?(9E`X~4HK6)=KX?rI0Z`@s8TcgdND8Ow=rr(pa12zr z?*W;L=v!b6o(M6DUM>T*KF0n19sd3UpyuVvpvL=uLAB$EwQhdS22bSv>EM&Wo#1ic zEEt2gf*R*{fLgx~gQAbGf=>Z|=AS>A#%a7S235|m$7h3@uQsUpyB8!&^chg=@G%U! 
zo}UMb4zC9p(&%}h`uRRkbpLfw^n4VHM&q{zTn}yluLSP^HSeDWRsMHCmPT|YFEuWs z;1j{;fm(+z2i5*JfNJ*#K+)yLK!zy#tiON4Rj&UhgJ<*nQc(Tb1M*+=GX6)?qEGwh zkGqa7O7tvH^Zy#~Y2Zgd)$@OU8Z!9h^?T`zt}s>jZcW_(Jeh@ROkG z`6j6LAI(eEzZ_J#SAu%J6V$xb{rl&GD)-f(#`_OF{s(v#_vdVKCtmQm3JSg zd>{7r{{*UC{|~$yJmy+g-hJTN+<(R2KblDw9bOI&fSWPn$2dZ6nfy(zz5Y`v{HMksnG{kovxDr%7&j7^-7D27&S9*LGsQMlT zwN5?{(xvF=ZI14q32GeM;8EaR;K|@yK(*sTpvK{gpy=|4pyubu?e6_bQ2DO~SAi3t z+Hnu4b$>so_B{luKVJpcfd2(*9WEbn=@O8ki59?TfS&+Yfu~;Q=xH0Mb#)7<^>PoW z@*nWH4;1N=F74tV-bH$T^cx=%sP)0;u9qfdewj~{qE?s`YR7lSHq z2)q=02`Kt~2)qFN5qJ!^e3zS#%fU6=Uk|FCF9TPD4}ceeUjx;jCo`C8$3{@k8{o0v zJN@%N28X!+8mRKmex_^xW#HA^kAr&u4p8gm+h7$O*zMZ+22k(+7Q7fd;ReTtwt}Z| z|4LBf^#G`O`7U@hxZ+tZ-Ho8;{k@?2|6`D$j4pY$o9CBC#e%W3)Fgg4JbPM8n_uecFOUUJ)p{aBPcrfJMbLvh-o*E z7l7hp+rgv31yJc;28xdV)ZhOQJfHh>Au{E^0lWl!38-=VFnBijRe%4O8(sgFgJiFWBqm ze-0GAz6rb-{0gY{9Xs#pyAo9Uo)4}7@Add;Q1kFZ@Obd}o85Sx2Oi6P15|rn;_qJ# zUd#P&gE9Dh@Cfi2CiQ6WRPb@&0C*XAF{p8v11|yJ3W}b;2wn&tyXf#5Q1!h4JPEuT z)Vh2Rcp~^I@VVgEK&CEQ_dIwL_yLfqh|YSxo0m6$bS3&XQ1exJft&YtfuhsHUPv9_ z25=PoIH>tJ@kNf_uLreWZv|EVr@#}yZ-C3dpMg&TA9sthn@$3c+h#P zjn^%ptxNy@qhQSQuY#w5zW`4IPkE^;?+Q@!S_aj>IZ$+XJE-w^09+0JJGd1*?bqG> z&4NnzPH;K+m*6_^zd@zH>^4VtGoaqT4%ECp4DJL!2Wnha-0tMhB6t<|_k)*%-v(9x znZM!sKMo$reG63kZw1xvw}Wc;`#`ntQ~v&hm$~&?0?*|6Ft{AN5!?md18xAn3$6gy z+~Mf-S)l0mb>LIM-v(9R$G|c0>);c?OYU^@d<{6w{j0!9@F(Dn;B#N@=Ht)7jog0& zyZ|h{!tsGJsCDpaQ1yQX)cpJi)I1(@m%CpH>i$~rDPRTE_`V3#x_O^}|4ncU_t7gI zJ#GaxzHbGU@B5(o|Abe$eq98L&aMO3gLi<-z`p`d2fqY94g47>etzoRuHDZDHQslD zCGeg8`RBlExj+2Xj{j^2ujc-4P;~lPQ1kmAp!&P&9#_vZ!ByNpA5?ko1)mH4J$M0l z`D+}VHNbPZe?2HZ@G*~H_V0fL9?A2QU+c;}7u39O1vi0Ba2R|DTmwGpb#5Ln0ySOn9;G00v!G}TR{|E34@MoatBz}u~ zzaEUaPe9SjZQx1ZC%_ZIe*`tpKL%CK^51gp-U#mE{>7lue+ksO{2}-ZaP7UWpZ93$BX-zUD+@!cKZvD{CAs^@v&4)8tTb>Ppz%fXSiIeL0IxRd)2f;WK6-tNX_ z64bo?4tOQ_1yFQz{5#w_xdGJp-wUn<{{_@Io_3$(S2b`Q_wNQ(-@p6kE8gkme+pE- zxBB}pgE9BV{kHQnDcp-QyxCz_}9 zxcct{N0c5Eoj?7(ZeH8qdEEacxC#6Tcs;oOccEeMO`zugC*X6z>wXU#7kocB1D^1J 
zqsv=Ct+#u@?cnD?weO7Icl0p^Uc>zz;BvhOH9kKBp9DVjeXhSHP|r7lPXs5y72rI0 zI`}s5Oz`8N(tXF@|JwUqIVJD}o?iuu-mV8VUN`#tTfirC{~A!^`(E%E@XtJc2~_@n z16ALnKj7?>k;9_sH@LQN>F>X}&gI(6^@m*gdlc6%xc){r{4vy4S88|ef1d-sz$MyV z;ChxX?{aXE`_FPQ1!k)N5z`p`NI(4F(LTNA{6cvxPH#>r*M6Y>oHuKpMT)` zOD_FAgEWufx}M*N8JkZ%XGun<@%#l``n%IX^g2*9EPkc6`bn-MxWv!G-|6J}i*V!d zkHLT9y3Ch%JvhPjVVmjZyxW2~qSl&Gm90pJ1I*s4AaCQH^gm5veZ*mp?Zu0r` z>}sxQ?l*D$iyrWIw}b5eulB!QPMUkOr^rBlZ|8ar*X3L--s|ruk2mo9%Uti^TFJ9> z{PVj#zMtp%`v%vUTveX`ogVNv%kLSV?mxNzIM*)j@8bFdzt0ADgWu+Q1J}#Bj^)|= zK>fYKf$69}?JfCYj*F4t;cvj>30at_jH-q|n0@qsm#hieD!gVy)=c~E&_f@VZ>Bq8Y*;%X4OgE)*Ii5{s$CGBI-hCNmJ#n zj29a1W;{`zm`*D3TsckW8_h~QU#->Rt9fD~Nz-_uK{1V5JlAaOtyYp|G&s?!?oHw$IyKR1G#BFW^2AJg zE~d)8)LO1on&j(EHc_k6qIkNIw$$O?1eL~YxmxdiKG&?ymZ`_JKO2B}l0I!3D$SPX z=Bo9n-hAB+sxVB7Os*-R=cW9T8SLk&qf(X7t3 zs*O6NSQm{?Hrn+H9iYIuq#jRJYe|-jA~b{|L)SUlLAS#A(27cRqTF)rXJGtzrcgoF zk$A3At4>s*#sB9jP=3OeL?XWN4G1rUjT6qXaoocRtrNGb2jgm`pp8L8P=Io@}$Uo5>`! zJ{`{`&1$1!somQYf^GGE&3uS5AX>LR8}Px3 z=PS?@n@$sYRE{gg&Wo4bgt2Wa5|Dz5~grg6;&r~`B-=6ktI|-1+{7Y)_DW{&DF{+ zF_uupB&*7EG80B5tu-dfHCVa0U)GcZq+3Y^HO~@L)mJRUt;JfcF`po={4f*>>`J~e zo^4dBlM7m?Hro`)dUp9;JzY6E3$@;Nr6`uE_Xl6(R00dGPr~@d#S_JyR6tf`6G}k* zh*lt#u9;yql6`b|OSRs<*^z+>Fl1*|z`>>Plos346NNNpXUj0IxpLDuP>{-Dn5>ga zrh?B*SI4VjU4?{D0t_B;0PZAzS^HRxWUsaMy*<_4h zI|B@E2SW?|azV3EZP8kWQiNd|WVBu?0&3TY*GZ9qL)%6Jxw$&Ud$$Y?=IV)4T+mKU zrHh74^{FL$lN!H`1IOufQmd_uSB+QetH#UeG%sqj@0ZoEa&6KWCxe5gk}fb7v+?|N zf^IQ7IyywHMp!9&XA*BtnrP(>H24HAyWq5MmvJD<3$!Js^trTfNmCM~Hp4wCZ4 z10g}zPT&ApLUAKMQl{5=uv{>XIp#fg>PR=NfhBf`Mw(&k@I+ zsI}4S+53>;#c}j$(s;w*=va0`+mj}i0qcnW*C(oT(*ImtQrP?>>A{UUT4Sxc7;3~S z^0XqoT^(f1+jF!iG5ua6RZHqqm}tvWG?02FT|votHm@D_OO!Kh(@ytOo~iKFdR2;R zbukzTEwl|d&G3HSGUn*|MR_06YnD_H#@JkY9KBr1WmXz;&+GD1kQk99!G_YP#Z zp&{kOtweNi%ppzwhDH-@)Rq5r2bBvKH!Lb*c{I3xx)*Ahpyj>sF)RI~(ebSDsaw zLhEu)HXE~ryu}2T-QHhQ)aMtX&fCI>UxS4gV^w0KwH9(?%N|RTrE|%IiO6M?;k*aP z*Lr0Y18y9)AVmErIld>wNxhxLT9CTV2tX4esoXxH$a&TSbiW*xUXGO&N=IuJcnp`1 
z%Vx`a+hWfoYC%%jW3Towv&rmS3$uc08BegVkdwk%6u99LR2n+t9EFXV+jL9w7Q-)YJ0^&T!C~aW1m?u<`Tm( zQLUF)9daKzMv2~t%OjP(U3H^}SX;pGThLfp!@^o|9yKQg%kg}9?WLLA)W&gCY*Tm9*#am^c~3MNbU99ZF{w4M0TtAPO60tZIf=->>AVxLD4Ls# zy578*qKW}4XJavMAvI&*932v;aF-x5GwzOgEn;9DBlb1pu26U{z}~y z+0H3VWA?Iv#Is#@$s>PO>BWM?!q={t-2jblJlNLt1B|$M;mQLrT$3Z8Q zgs}pRSp=OnlM?F4hU-$_ojs4NJTWEm`8VZ_g5M)v747oxJN>SrCh1y=AWv zXSLZp^-{@vjbeDM@_4ja`yST&b0p5SkHBj6Y}{sBL^NHUjm((xGTFEVv}B&OvfF)t zg!UqDr{Ee}oJua4?$)alpcykKyM%~IE(DS^)xge|$m%4|L@g=TZAz{exnz}xHz#r zCEW`fSzF6fh@TNCU;HTATE4kD+n#k6(59hiYjIEW0G0y$#6*W!@Umzt=4MApa{J0` zGlfu#DjT(cM6y`DuLC|TfCX|!#0G>{?kO*(YE91nP9#Xvl4w)JdvYFc|Ha)XP7 z7u7?!y==Ak9Qn-8f#btY%rZ#u4>3<@EaLd_@^iF@8($HR?btbdjx07L>I$FP&u;MS zdP|{e@V6yXj0X;8#~id+`uYR5g`E*I=CV7;ZVuYa$1%J?(Ad10_UULd+J;AsO~U@} zJUsloZK4(09_(awiuChEKi;;6Z)9WqMzne)Sxcsekz6he9S2|t@HDq!1vYUSU-JQY z;W;33!~B9PyNPvf|De8fr#@h5JLIH4^wMnYc2^c>h3PfyM;jmeYZV1SQc&fYay0* z2CmG;y&0d9HJRZQc5_1<1k2x&=DGc@(XUW~Q~M9O1v1{)=#fBZh?7UbA0J%pjwKGn zJugD1@)zFJL(^7xLE=JBGUFJNbRbXbHpDO*6y+j*Xk4>BCyh8EFd#I8ZGrHUJ#*)v zHh#img{m~V{Cv5Y6OEuh;e}1{|HFiEM(Li(!{5?ygih|9OqN9>3K_r^*NEj?Z%fE& z8nYf)|4b-Fa3u@<==8}MucAn2YI%+p*eg0<8zY6iiUnoI0D*K;NjP*TMF+{l&fZAN zy`3z{7fx+bDOm4x+Lpa{B8Z1|JMqo8q})z3#pjKn$8eJmXdbPOU=El{Go7x^$wGzb zXRGKeje5#>JHPB9bkwuKuE%~cDT>UmuYqWE=g{`tfjK&XUaxj(cCxOFI+a{p&nWGh zb*ASMCxGmBD<+M)6Zw@S?udG%(JAba7knrE^O*+GFQa!|t3It>d6NtKDe5pyw^rKb zi$;Q;uvwdyrxJLEf8ciLl-DAj3Tv5;TZ{;U#Xz}+Pdb;pbD?b>T5qLDzB&R9s(a^S z5teN``2quBs0GR^hE|-;@VMD%H6{pO%Qdo5mTEB$OuZ~y-3K2L7H^OO zYZ_H7D&^BNevda&`OdR7pjb6L&Dx~2WN>^Y&diO2FWx*{S;wMLyZ1EVH;ICD%2jd~ z7*S71ZhN)PxQDd027vSG+)q?X=f9y{c39V7;~MKX3Vd9q{GAR@eI$i;k2FpOf^8nPA71y&Zp2~i2TyJ z5ho=&(rv7uT8FqnBycp^9w#EP#Wqi@jhlrKM|9{K;b@3(!{y_adNy;^;-lZZ3penF z!V5DS^K^(ax6RbA5MFxUS--ap7x3Bll?9RZdjm5rr;gm0d~I{l?``)B7p4J=_p`7v z*X6uCkhBhtn`jK$l|tv4m9?V#p{lTFA(qSP)a>d9-WJ%SW0ec0AEO3)6hPnNb& z8!S966zI(D5Iw4nJNuP!5o;1JD};K4X|XsDS9g|N>;AyWTVg|g_Burp%{{<^bIt~z zITMA13=#pVp%OJ@dYF%pW4PPRdNfvKJ8YD?ARp&+!ZVEJSF<#7af-Qm&0cO()~g(l 
zR>SDJouknhy-#I+!A5OQu(;Kya5H1%cxn%rQ1pJFbWQ;{xH5g(tXSf`O-yLXu&%Iv z%B**~gpQ13ATpWY$J5I|*jt0KB%Y*J<|7DAYA*S9?%1TcD~Inq3OcxqR@QAcD^A{Z zEaoU=uNRf~gUVRP6@pm?Q5H90#pfk>%ti53kL3j?#gl}&wJjs6>VU8ZhkSp+kU5a3XqFI70vQBNpv$G(f z;qu-=WPB+X(w&85Y)mpW3kM2s3qy-v*N%tk9Tr9erwN_lRNmd~Day3DtydlZ7W$J=;W zKfHmY9U%W5tV>ZGAqt7dr1+FJYHzw@;`L4=ys_38$Gx#0b|qz4Y%ehVUDH)|<+2)K zG1KU1Qf|p?{)~)z=#{*EZVO(Tnr$x-i08_1Q`F05vix29Qo9fjQmy4+%h(JHlomP) zex^PI&U&sr0bk)j%qunta0Y4Ln@Nx@Vs|_!g#YWWKWA?Hy%#^lHSY=<(!kVW-$(2VrF1=VjHzBrT;cl7 zgByqA>xXxYZrZ+W*^Wd8R%vTGg_5+cJ(ZTm8f)V;O)FSa817fgCQb(?lS-pm7As>z zvC*7bHnM%Jv|d3Clv-lzn~j1s=dZrBbpEBK)obF_7py)1g7ePjkA$Ti$=<4J&(mE< zqSERMF8*}<#3dX*>jIXyGKONnMC#CU)(xN@N+JV}0 z<+3eoleXEgD2*lM*|qUTHsoLl%condxwWfS&Ckyd5V?tQFqzyufPuIQv8usISIwEG;;g)qjEuE$i!TpXu>(-8U#`6oG=|m{ zJI6MZF3r=aY9eGy!}SSbZt7EO<4gHcaM?($O*m<30}4DR4AkfBHoaoa<$O}AH&-mL z$4|Q=UcKV-WzQ&W#Fis~Ok?9m;r+TwW$%7`JIADG~ZDq$aNYvcIoJU1aU zVjZDutwp`$@Ptj%&3JL1xN}^!g!;`TaCg2bK|*_$#Qw;>``VKAw3~i>ObC{sey% zKIBEjES=Ts!N4e#uq=0$Ra+taDD))3!PG2Iso?CHYY1-+*x3G!+})mHqjfT!am%c2CsF`o)ZD+NR z-R*|C)XksYD;@Eb#=aXvM#?x19WKZ#-bsDcw#;RS+QE8;i4iO)0 zEVe0fDya_;K*Q%>&XiRoVn{9x<_cxuGd4-&(r(SIKFPqXSSX;QA%3*bMzaChrWha1 z<-V6{wiPIy#+=tcOH6}dV{~@kLkxF49<-Lo+h z9*@~+4H)idCW_NvY{xVE9wa)IkKTB_A(^g`O}#0%C;8|ZkBxGd6{0}xGkm;GAfhN| z9e%uNsCJwojai7)N_lP}4n*50C$;z$W0WXZY(^(QpeosHRA{Xm85ll}Ccc~E;0;g9 zD`g9?(4+@XRmWQ^`PzbIuRKm_r;KKm@y}KvnrBi&0?pt?kq?g}4|>W{c4t|qT5!re zxD~3x`@&MAuaX)%#^NAyIua>~eraT$)!T@Zd^e{xEe6n!eLz=kR_C3TLxhZL>l<}k*_vEoN8YT-lN9>FU+`(EU8Xy^6 z;&||5Jj$(o_Yu!RG|%8nOJ4+Q@U(<7) zyqLc$39*)ofh+ANnWx3lev%YlxkhTM4sAvB-&Jei|DEOSYBv{QLe}Mw0!mwym|~Zd z{n6bpife3Bf;QJHtQ+n8xMdwLzaGs6Ua%tC-A68V(6y@rHlPp5pj7c8QI0;hlWG#G zbm_!8LVFyO;p={|8gOy4xAr&F6 z<4|TZZxCx-{0H_EkJQR7J2^w#DKX|szH)Pb&km(>$Pn_S!%l0BnX>q)lUcE=uZvge zlgVE$C;l^xI+xpGle?-DD}=$LqhO9tW%U>jKgh-z^UdTBDq3D0RH5oANMq%yu7{o$ zYVDlXU%K8Ja$eI=HPycgWsA~fB-DVdt+SquqsJGC6*>7;PA4t#dUwVp8qynK# z7io5}-Q4#OUvTTtkHwIk7zua$$9^(qLfO^0Eb^<3TbQdC(^(%nOCM_MgNn`Cn8NTd 
z!Cj|i1ywR>*2?X1Nxm?Y(Sb9;8^#;tDdt+omvhrK8`x1D62dzvCZ2zxv9%``_uV&L zlMo_5+GiUcG7p!PBngW_{?~+E(0YW9nP~-nDKM&Pyqk!{_Eds8BQ?jfp|9U^Parf& zDNf1A$|y86KIBqD?NV~WT9p8l5H3_b$NZw*Na@OWg5)Sfw{)ata5O2WShGPrTk}B*pUXJKk^1u_^ zUQBKc6%#t0mr3O`X`u)Ug$NTp&BRZ?m{YW?ig<~i3qfrXeL)n?I z^YTn8wKm|bv7X%oTQHKUrP6aV6YY;Z1+T3diMa(sQ?wnB*#nNMSa%3=^KUtIzEUmo zJtp6}wc3+OU@8_dP&_F`>VHto3IJZLd`WUqLU zWmeE#{LDK+LwZl>;-->a{!Ep$?5%6QTyJoG244cP8_1-DgH;gHa0)CrN1csntTR_s z34!2FR3Y#{ma92TGJS{;@meitE_DXYJTWX+`scgap+0)1$daaZ?DKv1s?kv9sGYi! z4{9t9O{{VqA6$!o88f-Ogh;cW zh<+Eh-rx>p!KPrZGEGW22mE0y9ffDS%WxmfL6ugfkID=K(liN}FQm32?ffC%MiNb0?+s9l0UZU8V9a-l9i9=r3%0uRV(zy_5qV7mo|RbKqHrQ*-+jE!MubSi zMHy@PsNmNaC)h6EKq*QmDO=Y#CoxNi&cc}#BO+0(ccwQvS13pQvV-kbh&l4cIbA{g zU1Qxda6uN@z~$XAi6e0juOq9?w`s9r3Fw3PUZu$~c7HtV!TmbFwNYtfY3GH6L3JFCn!_pz z4jPksh42vk!+s0ETeccAw|>+ydSv?wnSe$iM|niQ@#_J{^-{G567L{Lx!VVWgSCh7 zjGG~-3S~kHlcwg{=ux>w+V&KNrDz##Ga?0F<&wEI@0k@?vfVXDm6|D0AZHdCaY&c7 z(%CH6occ{D>5M_!>!h(ER45p1QkTnL4HelA+JQniHrUJY3V~;7Cf)Sd$xBP&mQdMk zobhDug(bH?r&EPWey_^!9mJTUglkZ2r}3sK6jk}{Bxn5~gkYX>2*_We=}&UiAn;l}QMP(bh!{%qu zM6H=qAskSYB_4=_5!&exG*^Z7*E2yp5MA|zteuXrE)}6)wxBQ^DC5rhl;gRXLa0H} z2^a;YQX zZB3&3X0ZmkThvi}~ccH}PZU;Az25O|yI9cK@AbR3oB z-v@4!+bNunB%hOUy)3UExs49RA9SwuWsp&llLzn20b}3VGPn#48Co!?= zZSb@afOBt(?YZ22pkY9}&>)B>s#XdK?vl{F1LY{}DMnkQyL(+pY}C$Tl4k1~k?DUO z2_+}PVNBWr&WRRVk`GqI&H~9eRn95PG}}+THD41VrhnRakL$M zr`v=OE#SSb(tD(-Oj{HdIZ@D8ATtI+XK)75h=;+(W;to{Q=&*JkBe7t!dX!wCGi57 zwO1isXFF!Dz#_7hR`=&e_1Zf{FJWOgOj9k~6X?jo%tJRg^(l{P2u>Zm1erglXKS^C zJaHHhSj_%M8KnmSayet5%~BBuRLdvy1QWVYU-LP|o13_csFdSMv$!9&MK)^~w{xD0 zw%hv51jb)9%D;om}0ppz!IV-Xbcz}&sxB4uHk4q+;U zEaH0DTd_l}W?D05p}0jgtd(wNrm^OJK}2v>M|{P6eZ!6VrY!oiddmqMtoKb}?e(eO zYi)hrgz4oxG0(`Xdm>3r;RuRv#B0%D zFz3{E3?}efP67O~15Li7YIHJ4B}0wY;$XQwYHKZDC+@=S9rIATLK zlNxf>IB&^77P~{Rf(0~Z32zj`B|;UGdAEyL5esHsG!G#aUOgKy3%D*UU-R-29r%!y z5mLjD?Wa~UeGFQ@ThlgakXke{$v-3_^`~R^g{6sfw zvSXfed?((-lY?o8lCUhYcsQ$J*mi;y9I7#Q&N}H3oqg1ySqdGd-+X1Ai?B_0l-EqA zpcHpV3GlG?{k-A`Mh4T)s4u9rTq2 
z6KDMzA~au-26PKSQ0oaua9cSHX=Xdwz>kKLzxaF_AuE|StPSZ_dp7mXrC@b6@wK;- zfoR|B@_o5x{7V$jDVn9}G33(?CJ?G%M&#OVY7(^X(&n39Q2=9B=3h%e)pq)CU{KON zY~Z|~tVfyX+DNBs+U8&uhGiG#+sZ|YMszJhg;T={TX{y7Ve=5Pl5KYyZks|npPwRi z%9zavv>~MdL)RH&eN!VfkneNJA}5jA$UAG@4ike?y_egWdcN1TgI z;EQz4yw>(TUPUSHw&^VzqhSPL^Vx`7WKyXL9#Qxl+otXyG8N->$BO&sTSBLDr9WtI zuD_l33}=*;Ml&NR(k7bMLET1;j|KBDyw63GTzui&dtS)roW&NAbp?*3)5`K4CclN~ zS`_G`bKg{xq96k=m2_}PX*^kMFj`6Mq$lV8bSCnTb0f|NTQHPH5zd^>UA4B4Yr7$b zToPpCJK=ViT`9Z7-NcA+`b(iv!~$!gC?)V?h9Cq@H78~%sHe2mMbfgY!tRUAf9JF( zy3YBN%)BgoHV{}eN7UFSDA%E#)=d_Eo zXFI!t#o^-`Su-p*`y2WFFu$5;HO#O!qOI>l zJJ?n=W9ZLfIAkvdBeDOl9_fP zIjP^Z`Vezk@~x;Rc6=LS7^>)+x||e4ie+khK6^_f$R@Dg`@k*<93$2@l}g9SRw4Az zX}R#a9$&NX=^T4&TDRSM{DmUqe1`geHQU9rugI}3KDTqeNn^RnWqzj zkHV2}o$2%aL?v*?zICR^i;1?|(Qiw(W=B$m@GQD%$s+KA`-9;2pG4mjFPS2+s3jAO zh9ly16pekTveMg2Qn)+qAan7Ub0YYSB^C=ttPQ$b`;q5|`o>eGgoYqVney-Sg4DNhBa{tT_HNa?elbQi(8aT=t7^aQ=`d;uALYuW??JE#?bUP_e~Qknn!F5 zWM4(vpcjfkAcW9|ED)yX+H;m)81hWh?Ne|MKh%fiQov2+5!;mF@8X-7DhyIS9v+{FOo6JveQry8)|va@;I4Q$wUB|;hi=A1;hv&G@B>hDJgX6ZH1-S(!GG%6Hl5FypzF%d3P<@m7 z#CaudSnOOntQB^ARYo2s!3rWB`l?Y-SJVW9X;BzfxhX1~Ppcu8=K|AF+u$rR>p2$XY`>7g}8>n3dLX z0(VtsaLw4P72JvzP{Zo>U$!QMHK+$24yJ4$i}fdKs-A}^RS?F6vlN}1!!b-T?PABB4zlop))12b5t(__!JmmFAb6=OhBeowr3Sd~2M7`FC?n8~c-kQp zBDO2;zZ7GUrJ$(DY~9j=!WuQ_WKjl{Ht17sEfmy0WfgtWQY`%7#n$3=-<~nP#uwlz z1#X#be-lMi#kxedv2|)e(*@T_ecyw`2FaIbxlJ)-k;^EOWVEI4&Co#iPI=UkeC9-j zkiz8pllO?V=d5|7>Si8^f{)o-0MotSC$PIPX2<(=<_+^v{O;-Cb9?o?@TFh(H&cgD zZJ(^19JKG=(yGmD04h|7F|#k^S%9J4(z7_7oeg6?6BKu{&)IeUpG~W8p!grNWO}4d zZ?WV5GF8To@6(D-!#N8D9RM2PP{p9bIz`v<+ zL^?gRwXEX9Tj$qu1A-x)<<1OwQMFTJZ~!?TjStTD@0_RF?P$X!!=`qxeT=&$6Z3o* znBSNQ+pvH8K?ee6A8~1ShgC>J*=?1SlX)vcJ_xTmyLRs1bnavL*jljBE3mmdr`{}i zYM|_~pelB#L5Gk(J4CR<6H{n=nT;!*Cz$)06`|-46bw5#o#W(%Hhbde0!GgTLbeW@ zSyz(e%w;@Zp!?HP+(*!2(Oulu@**V<=8J)>Fz?x9cD#9;dBw8Tkaw4J2sNrX&@}}!Md?c~0 zu3QmwuGt-8o|N2drKYE9f|z<$WUVxXN!m;y^p*gW&=kj(%n>4?E2)P1hfv_3<#r!N 
zbv6T$8_q-YGIuWQ=MY{K9P2s?F&i}3j?Q8<0RGzvMgs@$*be*Rkt1wdi?KXc{hK@Ec>G{Wj!98I|G3U+%lauy6NJpJ0w;6#`tG5E#6e8>u)DT=oq4E7%%{uOM&_J7h z`=YaLZfO-Z{|lQEeMaLD%WZ}|I+m#aG^)5?QLMl|o(XP{zHv918t+$>=>uNWIrWFJ zK}!hZ(o0BEasy4owf&v&SWq*1RGy`Y7HKWZR105I8%}++^TxE78(wNfP1%u;5Y1+H z=%e3glE{|&j)FyGW@xN8-vU>4ThQS!gbria77UXuS2uBb`L4Yw-kzp|$VAPutTR35LN4(-Z@SKf>`fHTh0NY` z9t)X2&XwEzS@BfJ?x!*kAuwK1ycC`q}5{e literal 0 HcmV?d00001 diff --git a/po/de.po b/po/de.po new file mode 100644 index 0000000..71dfe96 --- /dev/null +++ b/po/de.po 
@@ -0,0 +1,2933 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Fabian Affolter , 2011
+# Mario Blättermann , 2014
+# sgallagh , 2011
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2014-12-14 11:45+0000\n"
+"Last-Translator: Copied by Zanata \n"
+"Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
+"de/)\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Ausführlichkeitsstufe der Fehlerdiagnose festlegen"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Zeitstempel in Fehlerdiagnoseprotokollen einschließen"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr "Mikrosekunden in Zeitstempeln der Debug-Protokolle einschließen"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Fehlerdiagnosemeldungen in Protokolldateien schreiben"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Befehl zum Starten des Dienstes"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Anzahl der Verbindungsversuche zum Datenanbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+"Die Anzahl der Dateideskriptoren, die durch diesen Responder geöffnet werden "
+"dürfen"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "Untätige Zeit vor der automatischen Verbindungstrennung eines Clients "
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "SSSD-Dienste zum Starten"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "SSSD-Domains zum Starten"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Zeitüberschreitung für Meldungen, die über SBUS gesendet werden"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Regulärer Ausdruck zum Verarbeiten von Benutzername und Domain"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+"Printf-kompatibles Format für die Darstellung voll ausgeschriebener Namen"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Verzeichnis im Dateisystem, in welchem SSSD Anwort-Zwischenspeicher-Dateien "
+"ablegt."
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "Domain, die zu Namen ohne Domain-Komponente hinzugefügt werden soll."
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Zeitspanne für den Aufzählungs-Zwischenspeicher (Sekunden)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+"Zeitspanne für die Aktualisierung des Eintrags-Zwischenspeichers (Sekunden)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Zeitspanne für den negativen Zwischenspeicher (Sekunden)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Benutzer, die SSSD ausdrücklich ignorieren soll"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Gruppen, die SSSD ausdrücklich ignorieren soll"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Anzeige von gefilterten Benutzern in Gruppen"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+"Der Wert des Passwort-Feldes, das der NSS-Dienstanbieter zurückgeben sollte"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+"homedir-Wert des Identitäts-Anbieters wird durch diesen Wert außer Kraft "
+"gesetzt"
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Leerer homedir-Wert des Identitäts-Anbieters wird durch diesen Wert ersetzt"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+"Shell-Wert des Identitäts-Anbieters wird durch diesen Wert außer Kraft "
+"gesetzt"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr "Liste der Shells, mit denen sich der Benutzer anmelden darf"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+"Die Liste der Shells, die abgewiesen und durch eine Ausweich-Shell ersetzt "
+"werden"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Falls eine Shell im zentralen Verzeichnis zugelassen, aber nicht verfügbar "
+"ist, wird auf diese ausgewichen"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "Zu verwendende Shell, wenn der Anbieter keine auflistet"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Gültigkeitsdauer der speichereigenen Zwischenspeicher-Datensätze"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Gibt die Anzahl der Tage an, für die zwischengespeicherte Anmeldungen "
+"zwischen Online-Anmeldungen zulässig sind"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Anzahl der zulässigen fehlgeschlagenen Anmeldungen im Offline-Modus"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Zeitspanne in Minuten, nach der die Anmeldung verweigert wird, wenn "
+"offline_failed_login_attempts erreicht wurde"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+"Gibt die Art der Meldungen an, die dem Benutzer während der "
+"Authentifizierung angezeigt werden"
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+"Anzahl der Sekunden, die zwischengespeicherte PAM-Anfragen aufbewahrt werden "
+"sollen"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+"Gibt die Anzahl der Tage vor dem Ablauf des Passworts an, bis eine Warnung "
+"angezeigt wird"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+"Gibt an, ob zeitbasierte Attribute in Sudo-Regeln berechnet werden sollen"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+"Gibt an, ob Prüfsummen von Hostnamen und Adressen in der Datei known_hosts "
+"gespeichert werden"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+"Anzahl der Sekunden, die ein Rechner in der Datei known_host behalten werden "
+"soll, nachdem dessen Schlüssel abgefragt wurden"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+"Liste von Benutzer-IDs oder Benutzernamen für den Zugriff auf den PAC-"
+"Responder"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+"Liste von Benutzer-IDs oder Benutzernamen für den Zugriff auf den InfoPipe-"
+"Responder"
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr "Liste der Benutzerattribute, die InfoPipe veröffentlichen darf"
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Identitäts-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Authentifizierungs-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Zugriffskontroll-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Passwortänderungs-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "SUDO-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Autofs-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "Rechner-Identitäts-Anbieter"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "Minimale Benutzer‐ID"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "Maximale Benutzer‐ID"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Auflistung aller Benutzer/Gruppen aktivieren"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Zwischengespeicherte Anmeldedaten für Offline-Anmeldung"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Passwort-Prüfsummen speichern"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Benutzer/Gruppen in voll ausgeschriebener Form anzeigen"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr "Gruppenmitglieder in Gruppen-Suchanfragen nicht einschließen"
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Zeitspanne für den Eintrags-Zwischenspeicher (Sekunden)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Eine spezifische Adressfamilie beim Ausführen von DNS-Suchanfragen "
+"beschränken oder bevorzugen"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Gibt die Anzahl der Tage an, wie lange zwischengespeicherte Einträge nach "
+"der letzten Anmeldung aufbewahrt werden"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+"Gibt die Anzahl Sekunden an, wie lange beim Auflösen von Servernamen auf "
+"Antworten vom DNS-Dienst gewartet werden soll"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "Der Domain-Teil der DNS-Abfrage zur Dienstsuche" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" +"Den Gruppen-ID-Wert des Identitäts-Anbieters mit diesem Wert überschreiben" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "Groß-/Kleinschreibung in Benutzernamen berücksichtigen" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "Anzahl der Auffrischung abgelaufener Einträge im Hintergrund" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "Automatische Aktualisierung des DNS-Eintrags des Clients" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" +"Die auf den DNS-Eintrag des Clients anzuwendende TTL, nachdem dieser " +"aktualisiert wurde" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" +"Schnittstelle, deren IP für dynamische DNS-Aktualisierungen verwendet werden " +"soll" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "Gibt an, wie oft der DNS-Eintrag des Clients aktualisiert werden soll" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" +"Gibt an, ob der Anbieter den PTR-Datensatz ebenfalls explizit aktualisieren " +"soll" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "Gibt an, ob das nsupdate-Dienstprogramm per Vorgabe TCP verwenden soll" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of 
authentication should be used to perform the DNS update" +msgstr "" +"Gibt an, welche Art der Authentifizierung bei der DNS-Aktualisierung " +"verwendet werden soll" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "Aufzählung vertrauenswürdiger Domains steuern" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "Anzahl der Auffrischung der Subdomain-Liste" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA-Domain" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA-Serveradresse" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "Adresse des Ersatz-IPA-Servers" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "IPA-Client-Rechnername" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" +"Gibt an, ob der DNS-Eintrag des Clients in FreeIPA automatisch aktualisiert " +"werden soll" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "Suchbasis für HBAC-bezogene Objekte" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA 
server" +msgstr "Die Zeitspanne zwischen Suchanfragen der HBAC-Regeln an den IPA-Server" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" +"Die Zeitspanne in Sekunden zwischen Suchanfragen der SELinux-Zuweisung an " +"den IPA-Server" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" +"Falls auf »false« gesetzt, wird das von PAM angegebene Host-Argument " +"ignoriert" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "Der Automounter-Ort, den dieser IPA-Client verwendet" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" +"Suchbasis für Objekte, die Informationen über eine IPA-Domain enthalten" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "Suchbasis für Objekte, die Informationen über ID-Bereiche enthalten" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "DNS-Sites aktivieren – standortbasierte Dienstsuche" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "Active-Directory-Domain" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "Adresse des Active-Directory-Servers" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "Adresse des Ersatz-Active-Directory-Servers" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "Hostname des Active-Directory-Clients" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "LDAP-Filter zum Bestimmen der Zugriffsprivilegien" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "Verwendung des globalen Katalogs für Suchvorgänge" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "Operationsmodus für GPO-basierte Zuhgriffskontrolle" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names 
that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Kerberos-Serveradresse" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "Adresse des Ersatz-Kerberos-Servers" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Kerberos-Realm" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Zeitüberschreitung bei Authentifizierung" + +#: 
src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "Gibt an, ob kdcinfo-Dateien angelegt werden" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "Verzeichnis zum Speichern der Anmeldedaten" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Ort des Zwischenspeichers für die Anmeldedaten des Benutzers" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Ort der Schlüsseltabelle zum Überprüfen von Anmeldedaten" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Validierung der Anmeldedaten aktivieren" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "Passwort im Offline-Modus für spätere Online-Anmeldung speichern" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "Erneuerung der Lebensdauer des TGT" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "Lebensdauer des TGT" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "Zeitspanne zwischen zwei Prüfungen, ob Erneuerung nötig ist" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "Aktiviert FAST" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "Wählt den für FAST zu verwendenden Principal aus" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "Aktiviert Kanonisierung des Principals" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "Enterprise-Principals aktivieren" + +#: 
src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" +"Server, auf dem der Dienst zum Ändern des Passworts läuft, falls nicht KDC" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, die URI des LDAP-Servers" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "ldap_backup_uri, die URI des LDAP-Servers" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "Vorgegebene Basis-DN" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Der vom LDAP-Server verwendete Schema-Typ gemäß RFC2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "Vorgegebene Bind-DN" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "Typ des Authentifizierungs-Tokens der vorgegebenen Bind-DN" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "Authentifizierungs-Token für die vorgegebene Bind-DN" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Zeitspanne für einen Verbindungsversuch" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Zeitspanne für Versuche zur Ausführung synchroner LDAP-Vorgänge" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" +"Zeitspanne zwischen Versuchen zum erneuten Verbindungsaufbau im Offline-Modus" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use 
only the upper case for realm names" +msgstr "Nur Großschreibung für Realm-Namen verwenden" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "Datei, die CA-Zertifikate enthält" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "Pfad zum CA-Zertifikatverzeichnis" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "Datei, die das Client-Zertifikat enthält" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "Datei, die den Client-Schlüssel enthält" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "Liste der möglichen Verschlüsselungs-Suites" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "TLS-Zertifikatüberprüfung erforderlich machen" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "Zu verwendenden sasl-Mechanismus angeben" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "Zu verwendende ID für sasl-Authentifizierung angeben" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "Zu verwendenden Realm für sasl-Authentifizierung angeben" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "Gibt den minimalen SSF für die SASL-Authentifizierung über LDAP an" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "Schlüsseltabelle des Kerberos-Dienstes" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Kerberos-Authentifizierung für LDAP-Verbindung verwenden" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "LDAP-Verweisen folgen" + +#: 
src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "Lebensdauer von TGT für LDAP-Verbindung" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "Dereferenzierung von Aliasen" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "Dienstname für DNS-Service-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "Anzahl der in einer einzelnen LDAP-Abfrage zu holenden Datensätze" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" +"Anzahl der Elemente, die fehlen müssen, um eine vollständige " +"Dereferenzierung auszulösen" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" +"Gibt an, ob die LDAP-Bibliothek eine Rückwärtssuche ausführen soll, um den " +"Rechnernamen während einer SASL-Bindung zu kanonisieren" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "entryUSN-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "lastUSN-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" +"Zeitspanne zum Halten einer Verbindung zum LDAP-Server, bis diese " +"unterbrochen wird" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "LDAP-Paging-Steuerung deaktivieren" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "Bereichsermittlung für Active Directory deaktivieren" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "Zeitspanne zum Warten 
auf eine Suchanfrage" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "Zeitspanne zum Warten auf eine Auflistungsanfrage" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "Zeitspanne zwischen Auflistungsanfragen" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "Zeitspanne zwischen den Leerungen des Zwischenspeichers" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "TLS für ID-Suchvorgänge erforderlich machen" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "ID-Zuweisung von objectSID anstelle von voreingestellten IDs verwenden" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "Basis-DN für Benutzer-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "Bereich für Benutzer-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "Filter für Benutzer-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "Objektklasse für Benutzer" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "Benutzername-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "UID-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "Primäres GID-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "GECOS-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "Home-Verzeichnis-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "Shell-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "objectSID -Attribut" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "Active-Directory-Primärgruppen-Attribut für ID-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "Principal-Attribut verwenden (für Kerberos)" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "Vollständiger Name" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "memberOf-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "Änderungszeit-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "shadowLastChange-attribut" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "shadowMin-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "shadowMax Attribut" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "shadowWarning-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "shadowInactive-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "shadowExpire-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "shadowFlag-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "Attribut, welches die autorisierten PAM-Dienste auflistet" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "Attribut, welches die autorisierten Server-Hosts auflistet" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized 
server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "krbLastPwdChange-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "krbPasswordExpiration-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" +"Attribut, welches angibt, dass die serverseitigen Passwortregeln aktiv sind" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "accountExpires-Attribut von AD" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "userAccountControl-Attribut von AD" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "nsAccountLock-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "loginDisabled-Attribut von NDS" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "loginExpirationTime-Attribut von NDS" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "loginAllowedTimeMap-Attribut von NDS" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "Attribut für öffentlichen SSH-Schlüssel" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" +"Eine Liste der zusätzlich herunterzuladender Attribute zusammen mit dem " +"Benutzereintrag" + +#: 
src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "Basis-DN für Gruppen-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "Objektklasse für Gruppen" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "Gruppenname" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "Gruppenpasswort" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "Gruppen-ID-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "Gruppen-Mitgliedschafts-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "Änderungszeit-Attribut für Gruppen" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "Typ der Gruppe und weitere Flags" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "Basis-DN für Netzgruppen-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "Objektklasse für Netzgruppen" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "Netzgruppenname" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "Netzgruppen-Mitglieder-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "Netzgruppen-Tripel-Attribut" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "Änderungszeit-Attribut für Netzgruppen" + +#: 
src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "Basis-DN für Dienste-Suchanfragen" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "Objektklasse für Dienste" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "Name-Attribut des Dienstes" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "Port-Attribut des Dienstes" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "Protokoll-Attribut des Dienstes" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "Untere Grenze für ID-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "Obere Grenze für ID-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "Anzahl der IDs für jeden Teil bei der ID-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "autorid-kompatiblen Algorithmus für ID-Zuweisung verwenden" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "Name der Vorgabe-Domain für ID-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "SID der Vorgabedomain für ID-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "LDAP_MATCHING_RULE_IN_CHAIN für Gruppen-Suchanfragen verwenden" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "LDAP_MATCHING_RULE_IN_CHAIN für initgroup-Suchanfragen verwenden" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use 
Token-Groups" +msgstr "Verwendung von Token-Gruppen" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "Untere Grenze für zulässige IDs des LDAP-Servers angeben" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "Obere Grenze für zulässige IDs des LDAP-Servers angeben" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "Regel zum Ermitteln der Ablaufzeit des Passworts" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" +"Attribute, die bei der Ermittlung verwendet werden, ob ein Konto abgelaufen " +"ist" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "Regeln für die Ermittlung der Zugriffskontrolle" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "URI eines LDAP-Servers, wo Passwortänderungen zulässig sind" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "URI eines Ersatz-LDAP-Servers, wo Passwortänderungen zulässig sind" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "DNS-Dienstname für den LDAP-Passwortänderungsserver" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" +"Gibt an, ob das Attribut ldap_user_shadow_last_change nach einer " +"Passwortänderung aktualisiert werden soll" + 
+#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "Basis-DN für Suchanfragen nach Sudo-Regeln" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "Periode für automatische vollständige Aktualisierung" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "Periode für bedingte vollständige Aktualisierung" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" +"Gibt an, ob Regeln nach Hostnamen, IP-Adressen oder Netzwerken gefiltert " +"werden sollen" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" +"Hostnamen und/oder voll ausgeschriebene Domain-Namen dieses Rechners zum " +"Filtern von Sudo-Regeln" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" +"IPv4- oder IPv6-Adressen oder Netzwerk dieses Rechners zum Filtern von sudo-" +"Regeln" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" +"Gibt an, ob Regeln im Host-Attribut einbezogen werden sollen, die " +"Netzgruppen enthalten" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" +"Gibt an, ob Regeln im Host-Attribut einbezogen werden sollen, die reguläre " +"Ausdrücke enthalten" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "Objektklasse für Sudo-Regeln" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "Sudo-Regelname" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "Befehlsattribut der Sudo-Regel" + +#: 
src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "Host-Attribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "Benutzer-Attribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "Optionsattribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "runasuser-Attribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "runasgroup-Attribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "notbefore-Attribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "notafter-Attribut der sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "Reihenfolge-Attribut der Sudo-Regel" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "Objektklasse für Automounter-Zuweisungen" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "Name-Attribut der Automounter-Zuweisung" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "Objektklasse für Einträge von Automounter-Zuweisungen" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "Schlüssel-Attribut des Automounter-Zuweisungseintrags" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "Wert-Attribut des Automounter-Zuweisungseintrags" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "Basis-DN für Suchanfragen nach 
Automounter-Zuweisungen" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "Durch Kommata getrennte Liste der erlaubten Benutzer" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "Durch Kommata getrennte Liste der verbotenen Benutzer" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "Vorgabeshell, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "Wurzel für Benutzerverzeichnisse" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "Name der zu verwendenden NSS-Bibliothek" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" +"Gibt an, ob wenn möglich im Zwischenspeicher nach dem kanonischen " +"Gruppennamen gesucht werden soll" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "Zu verwendender PAM-Stapel" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." 
+msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "Zum Hintergrunddienst werden (Vorgabe)" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "Interaktiv ausführen (nicht als Hintergrunddienst)" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "Angabe einer nicht standardmäßigen Konfigurationsdatei" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "Versionsnummer ausgeben und das Programm beenden" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "Fehlerdiagnosestufe" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Debug-Zeitstempel hinzufügen" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "Zeitstempel mit Mikrosekunden anzeigen" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "Offener Dateideskriptor für die Debug-Protokolle" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "Domain des Informationsanbieters (obligatorisch)" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "Privilegierter Socket hat falsche Eigentums- oder Zugriffsrechte." + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "Öffentlicher Socket hat falsche Eigentums- oder Zugriffsrechte." + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "Unerwartetes Format der Server-Anmeldenachricht." + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "SSSD wird nicht durch Root ausgeführt." + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" +"Ein Fehler ist aufgetreten, aber es kann keine Beschreibung gefunden werden." 
+ +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "Unerwarteter Fehler beim Suchen nach einer Fehlerbeschreibung" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. " +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "Server-Meldung: " + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "Passwörter stimmen nicht überein" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "Das Zurücksetzen des Passworts durch Root wird nicht unterstützt." + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "Authentifiziert mit zwischengespeicherten Anmeldedaten" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr ", Ihr zwischengespeichertes Passwort läuft ab am: " + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" +"Ihr Passwort ist abgelaufen. Ihnen verbleiben nur noch %1$d Anmeldungen." + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "Ihr Passwort wird in %1$d %2$s ablaufen." + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "Authentifizierung wird verweigert bis: " + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "System ist offline, Änderung des Passworts ist nicht möglich" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" +"Nach dem Ändern des OTP-Passworts müssen Sie sich ab- und wieder anmelden, " +"um ein Ticket erhalten zu können" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. 
" +msgstr "Änderung des Passworts fehlgeschlagen. " + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "Neues Passwort: " + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "Neues Passwort wiederholen: " + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "Passwort: " + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "Aktuelles Passwort: " + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "Passwort ist abgelaufen. Ändern Sie Ihr Passwort jetzt." 
+ +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "Stufe, mit der die Fehlerdiagnose ausgeführt werden soll" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "Die zu verwendende SSSD-Domain" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "Fehler beim Setzen der Locale-Einstellung\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "Nicht genügend Speicher\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "Benutzer nicht angegeben\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "Fehler beim Nachschlagen der öffentlichen Schlüssel\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "Der Port, der für die Verbindung zum Host benutzt werden soll" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "Ungültiger Port\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "Rechner nicht angegeben\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy 
command must be absolute\n" +msgstr "Der Pfad zum Proxy-Befehl muss absolut sein\n" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "Benutzer-ID des Benutzers" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "Die Kommentarzeichenkette" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "Benutzerverzeichnis" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "Anmelde-Shell" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Gruppen" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "Benutzerverzeichnis erstellen, falls es nicht existiert" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" +"Home-Verzeichnis des Benutzers niemals anlegen; setzt die Konfiguration " +"außer Kraft" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "Ein alternatives Skel-Verzeichnis angeben" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "Der SELinux-Benutzer für die Benutzeranmeldung" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "Hinzuzufügende Gruppe angeben\n" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "Hinzuzufügenden Benutzer angeben\n" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "Fehler beim Initialisieren der Werkzeuge – keine lokale Domain\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 
src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "Fehler beim Initialisieren der Werkzeuge\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "Ungültige Domain in FQDN angegeben\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "Interner Fehler beim Einlesen der Parameter\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "Gruppen müssen in der gleichen Domain wie Benutzer sein\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "Gruppe %1$s kann in lokaler Domain nicht gefunden werden\n" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Vorgabewerte können nicht gesetzt werden\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "Die gewählte Benutzer-ID liegt außerhalb des zulässigen Bereichs\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "SELinux-Anmeldekontext kann nicht erhalten werden\n" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Info zum Benutzer nicht gefunden\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"Home-Verzeichnis des Benutzers existiert bereits, es werden keine 
Daten aus " +"dem Skel-Verzeichnis kopiert.\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "Home-Verzeichnis für den Benutzer kann nicht erstellt werden: %1$s\n" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "Mail-Spool für den Benutzer kann nicht angelegt werden: %1$s\n" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "ID für den Benutzer konnte nicht zugewiesen werden – Domain voll?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" +"Ein Benutzer oder eine Gruppe mit gleichem Namen oder ID existiert bereits\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Transaktionsfehler. Benutzer kann nicht hinzugefügt werden.\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "Die Gruppen-ID der Gruppe" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "Hinzuzufügende Gruppe angeben\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "Die gewählte Gruppen-ID liegt außerhalb des zulässigen Bereichs\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "ID für die Gruppe konnte nicht zugewiesen werden – Domain voll?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "Eine Gruppe mit gleichem Namen oder Gruppen-ID existiert bereits\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "Transaktionsfehler. 
Gruppe kann nicht hinzugefügt werden.\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "Zu löschende Gruppe angeben\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" +"Gruppe %1$s ist außerhalb des für diese Domain festgelegten ID-Bereichs\n" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" +"NSS-Anfrage fehlgeschlagen (%1$d). Der Eintrag könnte im Zwischenspeicher " +"verbleiben.\n" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"Keine solche Gruppe in lokaler Domain. Entfernen von Gruppen ist nur in der " +"lokalen Domain zulässig.\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "Interner Fehler. 
Gruppe konnte nicht entfernt werden.\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "Gruppen, zu denen diese Gruppe hinzugefügt werden soll" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "Gruppen, aus denen diese Gruppe entfernt werden soll" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "Gruppe angeben, aus der entfernt werden soll\n" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "Zu ändernde Gruppe angeben\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"Gruppe kann in lokaler Domain nicht gefunden werden, das Ändern von Gruppen " +"ist nur in der lokalen Domain zulässig\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" +"Untergruppen müssen in der selben Domain sein wie die übergeordnete Gruppe\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" +"Gruppe %1$s kann in lokaler Domain nicht gefunden werden, nur Gruppen in " +"lokaler Domain sind zulässig\n" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"Gruppe konnte nicht geändert werden – bitte prüfen, ob die Gruppennamen " +"korrekt sind.\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" +"Gruppe kann nicht geändert werden – prüfen Sie, ob der Gruppenname korrekt " +"ist\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. Could not modify group.\n" +msgstr "Transaktionsfehler. 
Gruppe kann nicht geändert werden.\n" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "%1$s%2$sGruppe: %3$s\n" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private " + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "%1$sGruppen-ID-Nummer: %2$d\n" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "%1$sMitglied Benutzer: " + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" +"\n" +"%1$sIst Mitglied von: " + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" +"\n" +"%1$sMitglied Gruppen: " + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "Indirekte Gruppenmitglieder rekursiv ausgeben" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "Anzuzeigende Gruppe angeben\n" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" +"Keine solche Gruppe in lokaler Domain. Die Ausgabe von Gruppen ist nur in " +"der lokalen Domain zulässig.\n" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "Interner Fehler. 
Gruppen können nicht ausgegeben werden.\n" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "Home-Verzeichnis und Mail-Spool entfernen" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "Home-Verzeichnis und Mail-Spool nicht entfernen" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "Das Löschen von Dateien erzwingen, die dem Benutzer nicht gehören" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "Prozesse des Benutzers abwürgen, bevor dieser gelöscht wird" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "Zu löschenden Benutzer angeben\n" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" +"Benutzer %1$s ist außerhalb des für diese Domain festgelegten ID-Bereichs\n" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "SELinux-Anmeldekontext kann nicht zurückgesetzt werden\n" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "WARNUNG: Der Benutzer (uid %1$lu) war beim Löschen noch angemeldet.\n" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" +"Es kann nicht ermittelt werden, ob der Benutzer auf dieser Plattform " +"angemeldet war." 
+ +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was logged in\n" +msgstr "Fehler bei der Überprüfung, ob der Benutzer angemeldet war\n" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "Der nach dem Löschen auszuführende Befehl ist fehlgeschlagen: %1$s\n" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "Home-Verzeichnis wird nicht entfernt – es gehört nicht dem Benutzer\n" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "Home-Verzeichnis kann nicht entfernt werden: %1$s\n" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" +"Kein solcher Benutzer in lokaler Domain. Entfernen von Benutzern ist nur in " +"der lokalen Domain zulässig.\n" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "Interner Fehler. Benutzer konnte nicht entfernt werden.\n" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "Gruppen-ID des Benutzers" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "Gruppen, zu denen dieser Benutzer hinzugefügt werden soll" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "Gruppen, aus denen der Benutzer entfernt werden soll" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "Das Konto sperren" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "Das Konto entsperren" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Ein Attribut/Wert-Paar hinzufügen. Das Format ist Attributname=Wert." + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Ein Attribut/Wert-Paar löschen. Das Format ist Attributname=Wert." 
+ +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" +"Ein Attribut für ein Attribut-Wert-Paar setzen. Das Format ist " +"Attributname=Wert. Bei Attributen mit mehreren Werten ersetzt der Befehl die " +"bereits vorhandenen Werte." + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "Name/Wert-Paar(e) für das oder die Attribute angeben\n" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "Zu ändernden Benutzer angeben\n" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" +"Benutzer kann in lokaler Domain nicht gefunden werden, das Ändern von " +"Benutzern ist nur in der lokalen Domain zulässig\n" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" +"Benutzer kann nicht geändert werden – bitte prüfen, ob die Gruppennamen " +"korrekt sind\n" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" +"Benutzer kann nicht geändert werden – ist der Benutzer bereits Mitglied " +"einer Gruppe?\n" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "Transaktionsfehler. 
Benutzer kann nicht geändert werden.\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" +"Kein Objekt im Zwischenspeicher entspricht der angegebenen Suchanfrage\n" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "Bestimmten Benutzer annullieren" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "Alle Benutzer annullieren" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "Bestimmte Gruppe annullieren" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "Alle Gruppen annullieren" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "Bestimmte Netzgruppe annullieren" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "Alle Netzgruppen annullieren" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "Bestimmten Dienst annullieren" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "Alle Dienste annullieren" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "Bestimmte autofs-Zuweisung annullieren" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "Alle autofs-Zuweisungen annullieren" + +#: src/tools/sss_cache.c:697 +msgid "Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "Nur 
Einträge einer bestimmten Domain annullieren" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "Bitte wählen Sie mindestens ein Objekt für die Annullierung\n" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" +"Domain %1$s kann nicht geöffnet werden. Falls es sich um eine Subdomain " +"(trusted domain) handelt, verwenden Sie den voll ausgeschriebenen Namen " +"anstelle des Parameters --domain/-d.\n" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "Verfügbare Domains konnten nicht geöffnet werden\n" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "Name »%1$s« scheint kein FQDN zu sein (»%2$s = TRUE« ist gesetzt)\n" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "Nicht genügend Speicher\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "%1$s muss als Root ausgeführt werden\n" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: 
src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "\n" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" 
+msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" 
+"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" diff --git a/po/en@boldquot.header b/po/en@boldquot.header new file mode 100644 index 0000000..fedb6a0 --- /dev/null +++ b/po/en@boldquot.header 
@@ -0,0 +1,25 @@
+# All this catalog "translates" are quotation characters.
+# The msgids must be ASCII and therefore cannot contain real quotation
+# characters, only substitutes like grave accent (0x60), apostrophe (0x27)
+# and double quote (0x22). These substitutes look strange; see
+# http://www.cl.cam.ac.uk/~mgk25/ucs/quotes.html
+#
+# This catalog translates grave accent (0x60) and apostrophe (0x27) to
+# left single quotation mark (U+2018) and right single quotation mark (U+2019).
+# It also translates pairs of apostrophe (0x27) to
+# left single quotation mark (U+2018) and right single quotation mark (U+2019)
+# and pairs of quotation mark (0x22) to
+# left double quotation mark (U+201C) and right double quotation mark (U+201D).
+#
+# When output to an UTF-8 terminal, the quotation characters appear perfectly.
+# When output to an ISO-8859-1 terminal, the single quotation marks are
+# transliterated to apostrophes (by iconv in glibc 2.2 or newer) or to
+# grave/acute accent (by libiconv), and the double quotation marks are
+# transliterated to 0x22.
+# When output to an ASCII terminal, the single quotation marks are
+# transliterated to apostrophes, and the double quotation marks are
+# transliterated to 0x22.
+#
+# This catalog furthermore displays the text between the quotation marks in
+# bold face, assuming the VT100/XTerm escape sequences.
+#
diff --git a/po/en@quot.header b/po/en@quot.header
new file mode 100644
index 0000000..a9647fc
--- /dev/null
+++ b/po/en@quot.header
@@ -0,0 +1,22 @@
+# All this catalog "translates" are quotation characters.
+# The msgids must be ASCII and therefore cannot contain real quotation
+# characters, only substitutes like grave accent (0x60), apostrophe (0x27)
+# and double quote (0x22). These substitutes look strange; see
+# http://www.cl.cam.ac.uk/~mgk25/ucs/quotes.html
+#
+# This catalog translates grave accent (0x60) and apostrophe (0x27) to
+# left single quotation mark (U+2018) and right single quotation mark (U+2019).
+# It also translates pairs of apostrophe (0x27) to
+# left single quotation mark (U+2018) and right single quotation mark (U+2019)
+# and pairs of quotation mark (0x22) to
+# left double quotation mark (U+201C) and right double quotation mark (U+201D).
+#
+# When output to an UTF-8 terminal, the quotation characters appear perfectly.
+# When output to an ISO-8859-1 terminal, the single quotation marks are
+# transliterated to apostrophes (by iconv in glibc 2.2 or newer) or to
+# grave/acute accent (by libiconv), and the double quotation marks are
+# transliterated to 0x22.
+# When output to an ASCII terminal, the single quotation marks are
+# transliterated to apostrophes, and the double quotation marks are
+# transliterated to 0x22.
+#
diff --git a/po/es.gmo b/po/es.gmo new file mode 100644 index 0000000000000000000000000000000000000000..b43c5d2804483de183aaccae2c46a21578362cdf GIT binary patch literal 39027 zcmbuI37jQYUGFQJ1%~W<0wk4vCYkP;$6BPilU* zs?Pd9|Ly$GIhDUZ`N;bc{+@e8k~{-^d{vTsp5K3anw}=f>Srd&CEyxx19&UA4tzOy zE%*?42KWu|RPe}il4L7*7O3r{M4W0%5HK=}l4}3a!(s`b42t1SfF;MC1 z0bdF#|1W^ofgc4Y!2bmIg1gR75}K6U4=UZGAg_|gz_Y<)c&PTA53UBcgR19+p!)wB z@N)2D;5FcPz!7lGg-P-(@Bpai?+4d{e+QlnuAsPa#RD5rpzf&0K`gDUSn@OtnOa1;1AxJ~bA^j7fIpy>VCaQ|Q6wcL-= z={vxm1h;@+1UG``kXY@y9aMcia20qjsPTU@coO)_;FaL-2K*+tpZoJ6w)k~E;7365 z%Xh$3@3|43H-ijW(hT=+3HKibH7<{VlH+3#UbW{L;PK!!pvGrwz~_Ua!yE{ylJ|h> z$EQJ9FF6_})AO~U_~th7D)7Z1RU{t!F9y|*%fTsd1Uv!!RZw#GyC6f6d>3S> zk`$)b`<PFxf)cxQ{YapA8-M@h5M6W zij%?Tfuh$e$gAY-pvLR-pvL8KQ01OOV^0S+f~xOU@J#RkcpCT$Q1$&HcmwzVI0Akh z6rI*UG|{C2D&IW;-wbLzJ^-rTFM{H~BVa1kcPyBK7k~^|G774_2LrwrRQ-PfD*snO z>4Ret61C$}5Yi?yAS{x+3skv(3Q9kG9TcCeBC+zV19iU>JR9tS+rig?((_*c)&746 zRqydIi^{tY)br~=jmre6_miN?yBidLz7rH37C_12pM%POHbhdo4WRD#gQ~v;YW(j7 z#TOp}#cz*<=idS~PN&`Ecnv5%xgAvfF9+4GUkLc&fS(4R$@8y)s_(}bELc1_3ltr9 zf*O}O@I3In;Hlszz%#(V3iusR^*j}2#84;af;+(5!KZ`o16BVcp!nm9;4{FlgR1{X zgiifDA3O`Z0Xzr14b=NNQ2E~iimx98)sDXdPXWIRo(CR1>it*^icg*m>U|fKyu1n& z-+vHPIX?i!50^3sl7r`hYHtTrzSjnPHz;~P1Ty5wKY(Lky4C5`0>`<(A5^*j4z33; z+U9z9Kd5@%0K(eIqu}}A=jJ@KfLgpgMmEa3QGi9Siq;@G|b-30?~RF(`U|4;1}Rr?aBx zm7w@~8dUrGp!CHD!7IRj1VzWQQ8pKWL!jy#2Sv{ph5I*vkUsexQ0X5B)t(b}dHvUd zkT|J=4e$XF7E4aq?fu*b-o*VIL0CWe94PvoyvO^yA56LbSy1$N5L7*%0mWxu0?!41 z0Gfjq7VBT>t+jxR(1bfmega?(=qR21Un7@D8O1#Yc~U6p^I+-R@_g==3mn zJNP)b0o;F^mv=9y@qGkb1O5vren0g&POtT#+I=f{HCPY$4p8|%53U3M8x;M9sYK(p z3lx7H1l6CngX-tU!Sle!K(+rE8ZW+F2f|uO8_d9m!Iy%=KjHoVAb2hJe*>x=r#{#5 z7H~cHF9X$%hrks4Dky$A@_FtD-3-Et$(ulmNWKJ$PS-u(_4w;S(fKbyjo*=X(g*M? 
zQ2n0)&jnu$cEERlSAoaA!0E6Fl$^G}>%iXtuK>RRUJs@fr_1v|wf|M%M)0HHap3pC z3&Eo&lVmq|8L0d(07s1 zfqMQnQ009RJOlhDxEVaE?)GE{cs%#FgU5n1;4{HKcp~^_@HFt3z@x#3LG|ZR@EY)O z@G|hqDd*!CfEuUQgO`JkfTHtvL6v*VwDZSBpvv72{xtY}Q006X6kU#;@$q^t2q}{H zgS<+ff>IFOXF>Jj1EBi*ZSVki-Cg)J;IDvc=TSUVJvV_VxF38Pco2L#_;T=c@ZI2c z@VCJ&;19vO!7WYapO1lhe^Sf&_YP3y|1zj?{|Yz+p3`<51J`kX4|oaqYv4KH=Rncn zJD})$LdV;cf){c>0*c?JK*{erz!C7XpvpgS*6X_w6rEoL>iq}8{kOn%+@JeG$K9a% z|5ES{@IFxT@NIAu+}w5fy%$uz4}g09x8SYdd71NJ25#W~!{Eu_*T56O{{W8zpVC8T zf~SM3?{(l-@O|JF;J<*+0?+CD`{#h7M;p}p*MX9kM?uNw_d$)zMHDJ|ydJy=d@i^H zd>MEO_!$sVCSL{_@?`fx=aYv)jqmvk;!WU<;28K)@N)1opy>TWP~&moyxW6Kpq@{F zdOjcUZQ$|Te+0Y<`~*b)ze5KcoGr6qz~2w= zzYL;clA~Vfa?t^m{?UM61y9xcSNZd^LFK<5ybyc=sP?`x+`m7(|5UjD7C6fLQ(o+4+KzZSfh``-b@e}5nF_}BY5-w58w^9&UIJ`9e4p959jsc&$-v=`KP zz5docyIkj}obdE1;2hVjJo_o|?OgiX8S42Czkk5B zH{9#p-{_z4_dB4*<~h68t}JVn|Loer=b2uxbCoDj3>{;BX@wm z5}rkPdPuMP-CQSgukqUkeg*s^uHWL)-?O^kA94GkJDwczzA|L9Q2b z{g6xRAMx+s`61c-H?E%u&rj#~kz9YtCB6A|uJ>?Bw|$rEHq!kc@G|f;@SnN#hnmj+ zR`Kq~xchysmvi07{SepbT>86{>n47m$8|ivuhc{Sj_3Ydu0Q1WTe&Xgx|I8Kz~AJ0 z6W2Sq4sxyI`Lnq6_f@Xb!tay$eL25h1%8d|e{(gs&I<4Uk>4NXdK&jzx&E8qzrhv% z&gRE&bKS!AitzA4@J6nyNdNcXFgOYRI+y;Ce6D zC0zRZbBAOeypnvkgMY{M$6OVz7jpdvm-MCnHaeJ{_}B1zANkhs`<-0(aeb5Pd0hHC zpLhDZpX-0vFLWr+Ud`{Pas5(w)&}q5`j>G3y?}yGaD6}A-v)ju{JuM24ZMQu6t0hO z{T0_W)NupX=lFdlsK52#1KsGE)!~2`~t-m*NJ)37=06)uB<@y<}_;(LKc5;oA=DLtq@7}L}_*=`> z;+o|;gZDc?{XNwo|Mvub-OM#cnwRBIiG`JZ|2)4x#I>30eO%{pT}%4^34Vra55MEz ziTwB^*Pn6yGS}~M^|DJPNjb<~g-#y#t*3(LFW15Vl z)7?&gmKVL5v^P^vvr4O;w)Ib^n{L}NnpT?KdZji`u140&R*@r{tyddUjVdW>^={gk zvW&G(tI}v^X|Iz`*3)LEbAXEbv!w55O4WVBnwG1mTCHbUTJ5xZ-A*%|?RMrG)R&CZ zYH6)L*`H2(jaEJDRa&!IGD5$y*$O$*Mmy9*l~%QSlX=%^S+_phB%NqsU2agtOr=|? 
z_EdJW**Tb2>)oC@Sn1W%$x2qQts8Guy1i-z3Re11som4dMyEYYj)Rr?EPY|W-kpb5 zO{0a8J%bKY9SCjj8g1GOeMc+3O1dZXg?6{odbdkUJJo8x+pX8urjz|%+V0TBtlDkN zsuqT^Euv0!`t2H3w$sjRy`4@qn)N&xMNpZKgb}CNnWp$&uiK!&I#j7yo2?m@Udouv zF)SG*E!bnW(`-~55UV2osP-Cj^->W{7(m?+2|C@zJI7YHro~3E#D$TwGC=ho^DwCh$^(J^I9o=OE1n~wcm7w%t;Bp!l$>rX( z>%Em23vwp3UcKc1ncDZs*P6l3xnPxhuff~A^+GD&K;Z60b9#zs>rQU+# zt84YCO264#lWdlvNlT+=o$X9bH5+ZUXu8oRO}pLcF^CYnrN<4|99H?kidr^3&F~_? zl--+Qz!B9REosHPQ?PN6Zc;Tn)k-sU#j`eTb!v^Nc`>Mw2t@!NOP(pR({9eI+;Wap z1BF^67NsbcsrQFp?ssHmaaXGkvHX^jJlzy z&()j!Hc3vinR>IiHeEN_Xs^Te%_O6FJ4`6CLYSRwKI_$6>A{&gBpV+eA0?krJVR5| z(_89YXxqu$*v`8f;u(ia1sYQ+eW5ozX-1-~GKqPU$qZdUg-l0pK=08F^UkH~oP-i^ zaoYUQ3;UHO1{^LnshJK$ZmrIv0?FLz1?rs5nwa7 zI2GcFEOaxbVQ_0DDm7ZOGTuEWbEr3@&C;zS;}iMKY`4*_HfGVCI2N5YenGQwPpn@y z(2OyzPxXK(3xWExw2#qnOPV(8?P;8+)fx7nUCY)`a*^!`5`|8|NM6IrNzEr}v>WmS z8uy3{;)EU}gpS+t1aHwGI8TFm-qXvxsUW=F+5RN7lBv&2L)#j)RgLAY$9fLV$j>sd zSN0W+)~aNy682{BuH>|uH@tbI>`i9NB~gvlW<$bUay$=_lBQb24p@XjvK~fqg zM@JqT)(2+H&?lK{g=^J@*-Goqj0KyJP|CwJR&)!tcFZ|8Y3$aga9ic1ZS8b%IZU+R zC)Am#2a~tX!8Q^&Id7$_sAMbBneM_JPquB@ynDRlLD@_r_ouemoFu5o!jJODlCZ>o z#(9n3W&zSxADf52j6P7uY)TX45HCY5SrwDoXq6QhlOq!&`3uu+lvAEEh`8JmNyRL5 zTkf6FY~WSUJLb@M&Z%yvRmxjVVA<{c_OkaipA6oXNVgrAI>n90DeleZT8i{Mmc0nm zwR&w8&kn-eF!5^qFJ=YV8Vx>K=YtPYnG%l#x9!d;)MCAMr+II8G7Ryl73G_u;pXV45HNP@Ar+en&( zAjk{OV!HP9KvND@q;nA#O)S+84PGi+jCB-|vQBeOio*+}JGs`(hr_1j#;`*$J%%L+ zGrkOS?5spROwT;@WyTpA7Dd2k^`^w>)4@u&ZFRa;rf51KgBga)it*uf3gN=U@wK^M z@SCj*fgP;ZmN9fdzWm(KBU`I#V^oI!Y$3n;w+o(5*8y#*uKw zShnb#ugjL$G@aS@pw6tAY-t0Hu0gLslQ2-T8#dfoMX8&;W=7G#%h6DnD41rex6x^E zEc3Q3*|7&5?)q8nH}#`uu2JlD;1yf|hMOEqgmFhrmI3P-hs~yej8?VGS#Y2{^-vqd zte7dA>Gx`oIr=HC(G?xpp#sc_!(oSWZ8}v&IiRhn%ja_FwqkDN@dkXAImBJA$y%vM zG$(1MkW#q;DpvCmNW`OzBsP?l?ldMH6EckfB1AE7Cc+-_PTxYn4Yz_8Nrw8 zjCmL;QQN^Ehcf%Mh5B=!Q!$IVL_926a?XjUH z2~cruh~aS;x9-fAGF7TsQ%mzx{DK_{4CD!i(_%^?|A{`!2n;__x}et&JE3&H6=>Qr zx{kU2R!6qpI=V|$2A5G>8oa~uL%IQL^_vwp;YrCKuQXf5?IOO-lj*r435aU1GMU_> zsG%B{T_XFUupD|WC?M;kXgAYnC8jy?0Axi>ocLi={fYa~~3h4|3tE 
zKUYI!m-;i^j4G9D6&2A6S=|AuHtUtP!XGQ7%3W)u&E481NvS$CqhuTwmsd)Z&9|#F z-A=pH&wR2%cuvkcKGrh1ay?YRbQKvcCyTpGK*mfiXYo2W&yE7zw&GijA!T{Q)*M) zF^!5WyeQ(<H=W3btg2 z@Xt|RW>TbHSCKQzDugUd=h7teNPO(Px85eLXsF)9NzL?*wFweq`bCSpkqRJ&z`iRb zw19`tlbtKSGgdVnpB*w;jNfL-uEU(R?TQg!W8VCZcFiIxMFZm-sB5$~hb}aJ7ZSx< z(DLD>wJAZ7ZWl*O;j{KsW16-dEXS305&P?-b$spuXW9HXn5SX!7E=!lfYZQZtx=6E zPQ5BQL}_~!q)8=^4=wFILLlEw!S_QYTqZ>k^$)p=S^~p* zp~d5ZK^MQFlky2-EkzciZL*ta7uqBeZg=3RR15><*Q^gBkZ>`}$dRAMR&F5{* zmWGS8C|=xb9O-Tc)fL&xR>cSW;2}_8!ty5Mbg|34kQxk5a$>W+{*;3+dy}T4mNMr)H7}l2$Nw1rPV;~ zn%xc_g6OUQNnTK&)m_oSmz>kpV*0qqxF#7N-(HH?mTaEQCr68Y2ev{*a+V{;gSHY8 zOOJy$Blei=u)8JV$UT>nw z-IJWnL+mtwqKxe<2(Ok=GP6_pHOO&z0D%|_jZM%nxyaBEn~l+U8g6l&#*{}`J>qi9 z=w>TLQ#R+5+;36g`D3-byhs%39}`K*l*t?NqS1PtDqAoLAstsNfTq%u$xf!Yqf`P9 z@|n0+Ym#v-CY7_!fC(PDTY8u_Mq@$EX%B zn_|9i8#~GYgJj&865CJt?V-42>fVmUsEQOs1T}kYqcn)AX9pP59_l5Joa8Cp8=@~T z`l@B0!h6fSsHsF27h;?8a(tn3nHT1Oxcyw_Eemf4i^rlU6K)i1GaVn_YHa7>%u2>c zgq<6%e`5=jCtLCwGcDnf?K?z5{K{r)#k8%u__>iSNnrxEn11o$Vk*VwIgxCgF&7bH z(lfXw zk3A}hP5#cqXN8#NFU-v^%0M1Ge7amAybM8@<=%FD@6fWZY~$8)Z%{Cm%vo~9*ESZ* zyD|gY*Lb&(6+o4+dX92J^brouAq8jv2IUndroD#LLAi9tHR7)wwE=)vvlf! 
z)=Hw{_4Rw!?Q1Ccm_FZYq&b_facCZ2ifMD#SM1Yrh-EeTmSGQ%f=1US0g+LrQwr9S zM@?#WF;tpAD>WpHg2Iw&uev0oWQ!`8ka@F8woT58HD6$gO?r3@1bu03++M&!1|#61 z|JppVLTp18Ee7&5z-~UMMaD+f7^g3Wq~}oP3SCGn7jFcVPw&z05IR|=FbzL5YYcUq zMnV!;PMnleB{rZ(V`kVpsVpReNm-ULrK&fJnWxub(-1y@yWmO@qkI$mZiTo_thR{X zv~2}NQ+KUrQJ0Z0rZ3VFJZH%(&?9Up^c8|9ok3o2ickz>oUP0^I~Dw8HU?^tB^9bs zq&d)Nb|&W)p|ifw&rUQh?iiM}F|s48u$VxW)x4X)@rt-L816zsv*J zYd8oVQzhFcCiX-^7nJwuBAg6CZ2?8?yVFa%)2FEFNI_gJdgJ@}j?Iq7TQ#=WpaREg zvnIvZLO9Y^#6Snjh;tmz8kVqaa^Vy~B-tKE%+dpIT34O&9_NvVxL!!tpgd6nTo}mD zP$12;&@@~jXUvRjs@S71xM6p*>=;Z|TtTl)vU-V8TxAuRf9RwZ#Y2!;KUIQEnkNgp zTQ#)7rH#xN<o?Dsi%rTfK+mPNt#z5QPJZ?nPl*wK*Q5x+%l2Ht^jIhx|fj(>3_@;g1$pj?L zG~DW^Xv+YhQ02*lnMW*&Iy z$wZ&cq~&l1{VZm%_EtpJK+dpAgAd5`!4@Z(c=y<9a6ofJTtD|pvP6tkI5_+E?l6Vc zcKM+pqN6i+KIkE9*)}Bm+C)2;62jT##YWkFc?cRHBJTbwDi21ZoR2gudLLLUR9#vD z2m?G!9)-1SbmKC>K8Tbr>4}xB#>MMHN@amjF)V>5x@P26>)f+9vL~b?PJzFc`3ztC zN$goM)y+wku2$|?_ZmxwZx#cnkVJbN;#NpMS+Ld$XZCGdcx?-bMGQ3s!x8t&O#kQA zSh+#hKJgx&+Y}nBVW%}slyKyWmlhn*Xo$8rCCP2l+>8(NdWAD>mhL7$-$EfqGHQt= zwZ2@XMdt!2#f`a=8O5We3R)mULQu_J1?L$9_Xt&VX;YpD1Z=WkU5}Ne<0Io^seHYn zCd`@kmgD8IpO1)3+_OgueER|;AYV!GWZMkAwOg;_2$oA2h}nr&Lvrm(Qy4p5Q3@;P z{Y12wgP9QsdmwG<<2xddTFj7Wv3PR`l{Z*guyCsnfYTcKv>NP4F`+fzhBy;5e}ap2 zP!nCOQ7jy=)KHtUk!(xd7qdLB5pxCO3Ox}3||Nf{aKc^RH|M>|9g z7rziSmypu)utd3}999IEJi9Gyr7DVsvAUt8C0b%u7-hV~=fFziO{ zjJsuI+m>|ymc8RUcJErXw=REbXlFLvs10rEPiI3DosFq^12xUIZqhs=8=k7y2)auJ z5dZIVr&sOSJu$RdYk8D9#9|UL#LL%jxOQm$wL=>&Pd8k#as3sSt>=$~LwoCU4b?u7 z?&_iS8`AYxY}~NH(}_q!X5@*Gbh;bUEktY^opd{viI{A9eVy3KY@^-DDpy@|)3i2A z5927_xM~catWOYgXrf+eZA`~!73X1F@Jz2ayK&vRg9i@|v+W2gJypM3Io9C|i7eT= z*>&pYx@IU~T|Ha3CNFMdTF+MP+_7^@LAwpZ>sN`^$jp#t?i+z$)0kMpuXoE%fvwo$^n021864e1~&ar@xeWqk-RvoV6r)jrNGBVv| zWm*TKy0`&)(Q6P9vv$<#vk<7-Sa=BkwNs-pY8h?inSN+xSRq_>$+9kP6@s&HzxG5@ zVzY7&V$QAsTB0c|1Pq7p_L%Nx)ekD=UL9*(m?CnlqZ$kyoPa5?wxs##JUUmOW(NfA z&(vzo(=h?Dr8Y!R5I(Zz@jj%kSj%(L_-kaV!=}OtXY)90(Vzv4p?PZrvN+yAPw^VC zd-S2E*9^Sqsa;oXmM?rdXib!VhHE&}n8Qj>HaK4x2pVUMw)4yyL7U(g9iD*pWr|mr 
z(6LvqgDKTfzBUyyl_RPt8a5Xm6g@1HH^RA+I4UVfsvpw%wA1LVaWJJ>$r33VPlNXJ zN~|DDZ$m5lEboF-e;PE7`h~X8#!_xAC=t$6%k#Phvc++uL0Z_=NQC_?RW|xV_9#Wk zSY`1jLuY1%>WQ|zBWO4ry~@Txh8~GEIG4IraxPI*7Z$0Mb7->4TB}lG zSQUh0R^#gq7efwBI6GRR2{Sv${G_u5Z9u+dYuKb|&*(01!{oxl8RK8`F<&-4Ni8yG zZANQYa<$475r=FB-Vc=LDU_CdHTmI0D=2b>UKWiQOjA7fBBsTqavPth&Y&&4BnmgR z7j~>lzwihZ2tRVVtBup#Ysha#9n{#Nfo@D!Bhc}5Aw$BJabk#m2zucGWmhYF@)X$3 zI)rIJUs1snhj?vVk*0RNqOB^hBn)lq$9c(8F49d=yJ?^4q#St@TnQ3w(nCAGSg|Rb zZF?cgqBwt{CMd*hf-=}iM(KDujt9S1+-fu7T+h*iFfR1lJ!AxJ;i0D2xTpZ%YO`FO zdBYF4R*gi+q)8nBI~!bQN1+*R(l3Gie15D(v{FaoFjFBnB&>F z5auK*>%7CtfMcX{mr|{pDNVXPuqONt5u)-I^J@cD7}ZKf7{gx^v9KIDOAVzTf271y z>YtpFW|J*W95y^;DUnGIznsXd)?DZ7p|F`ihRTJeP;r6tkw`zZ$zo}#QHL(9@HNB^ zURn#QKZ#||7*V~CMKf?Km0k1`l|s}gG_@$*6pt6LVxLrzAAh8+(Gub3k>=1knrr&T z3eCdFPor8~W=09fV8^yWI?8cJQpyiglNz49+FXj&l#Bv8ksoAwbCcl@ZHp@4aO|x(;C`FTdmLHUs+!z4_Hd~_<7?$ZV~q`kD~jW*-hez9nM@#TOj}wD z_p{>}-yoB(kAhtz64Sxx&;{ngLBKgQal*%?O>Cg{9J1nV;{Ai=kxfp1QHl=JR%a-t zsA+MY;*AYzNKZ*+8iv!Y?B8$;sH3^g(Fg~pQ*=zbGPuYPR0(DuXD@B60*LCW6WzUK@rIsx$3OS4I1=~co*HB0T+qy$hb`f;<#FE1i5JrpP(#amI@QKc&6?`%xdx5`vreSAbix)rXLU$b z4S37B)=$RaKg8E|)|u=Dw6Q8wgdHu;9AJlBA_fHxAgR;^{Win;cEh=~+{u(*N#vnY5ALLn4t;HQqc7 zE!K%$%cjSk6`O`l4EiGIUR%~d^U7`Snw^RHTnn0Y_X5&N2z4-6!GAc+w2_FRMd&gp zBiffsFZBMB;s-NGIK8jYP$)yJV>F)tiBH4)Cm*e4-;VbcDw6FAQ6ArLU1M>cB5av< zJEqNCiWp}iDIcKd6BQul!9Z|27({w~w(a38s<)XE58?5J2h1}HeXcZ7#_ZV8Fb0)t z?Tu3_g7R{2iI3VRVU|Bz40{wZ$r2Fh_ps3tskd{)Hm-9E_ghKqG{*Jz7DxH@IT13G zPw9f;ryyx+5im3e*2B;+%j0-4P6+3VpJaJ#X`hxtXr>DfH(4sd#Ds#jAnEdKh&zek zA$}IAVp7i{uuX?#Lg*cyo%|eriGI1SW(!Aov#+6*jU%{ak+*OI0dpF~1|VSP5cSA{de2 zXkARaa{)WrS^ebs|Au-17@%F>>Mp{B?2taHUQ z3fmo#WT+DlJZo}U@<z7z`$<$OIsC_g^U=gG9c zO%Uast~tVCF5zG}~3G!PKh>DAR@eIj~K* zoDC=gnTJy*Us4SUxiPKaunFCRvCaK>!qkQ7ezK{9)u!|)GL3dHSf-HeyNTjZNa#no zi*=NcSIW*5Ey>u464rI-C_T3m-NkDTXE3v*v^XjDZ!0Y$oOyx?f?PI~QDFrMR=glj zw3SjtbQ@(R;+*<|)=~=|-}rMjCjM z^R#G%_TURxxgwPz3agG1^pb{7<8kvvMaSh*8=T0B%a$w#V}s=4a&ab$BEvjGBM*a1 zbMtfIVH&6J_lh)qJB7XsSuC{*thDc` 
z6zMBrF1DnbB1_kf;TtJSl=Kf;;TYy)p=PgG5QHz2TiX;@EOFl?yckuAgh_GoLWP(P zj^QGYQoF3MsT5H%z6%sjHZ?oY+hQKLa|kGg)6NZ%DY)-;svSeDQ|&d@ zX%-&lYiUKShlIGH5^4>c*#Jeac&M}LtTT)7a=qv3_Y9|)P?U>}uFkgC_)v+gbd!BU z^46q1CT;0AWM}UehccSO2_g3=X)4b(b$NzcOqLI8rfY@??&BjeI`_`z%)98ZR@IkYhvcFNLn;(@Z}1Y9l@nIUbA)g!Az^qrguJ zzqulT7p-%HYpVmLsXOI7o?cJklc-B0xl8dFXQ_HQ8dJElPSH?C-W$YAXXkmm{Ci%6 zkuwP#Y{?kg0cP`Fw)<^7BUl-pLa0ifW64^s#av>!%@ElEdn|&uwhxDy9ENDVh4JHd z5jZR~55`r|AwX(tgM5%7Iy92=&_bC=rU1cD?JzHu8Ch|C4krZs@bS)*4zFLJ-a zH#FKNNiEH)+~F2$T!WQ4gxhQ$R~+XrNi!DFS4f%{R4^+|#^jsDsxB6WPAMS}%v zGFEEe9zLUGv0r%+*kt<8L`*`AG)`){Y9PolJUDG$HjTE!$YRHJKlZ}7&aZWb)1A`2 z3lAcV)GO%|sjwPV#aCKck@to$SJ@&0xtH@uj#rjn^{rV)qa5=n- z!Wx77N?Ek~i+h|{jb5_1&%n>%JwS=#3@sEW$Lm{(IvZN5ufDKBF^P!GX0Xnbtd5W@SX3@XV^Ef+}qn`yhOVAwaRsNg&cqdp(g z$2QsDEehvfHK0{$K)W~PU5Ej;=!CDdG@0@Ls7vozc!8Cr?C+cJzBlP!14^Dz>jz-;Pk9J_Kv zKm^P~Swa0kzF<0OZVa#wXbTu3X#SN}Vh5)^oU`f7X|D);VY4OwMuLtyAwO{?EH_;x z{?nHhip2Wtf^{gLkC_r?!DX-b0pg&FG&cIyDnI4=*~b(Z21$s=;cTv|*=sf(DFZZ&`lf`c52G6sC%P~0Zjtq0J_@AO{n^=Pc|eY z=+Y>hE3Tn!iajswgo|cw`zEG?_R$8-z)k)nN&aPI9~vUNeUzva;Z}V?IeO(9d9!{P zTsXD3k$n4Z1n->pir_f{V?l#xGu4eH4sc1utW`+_0ZjWqEApkcjBXz0|9TLnhbp09 z_gF4^-gXr8GCm4i7WV%clf_qdB4nUM)-J>5)R<=Qb@ HOo@S<=8@?(>70;4%6pZ zj6>NG!8D4W+TY;2TK##kjX3X&+1W7BbGsQM!e7ldbXYvo=n!TcQlbNaPr{+vV{2;zVL?DGCmr9%ihH0DK_n9kVNN1) zng_hJ&rx2X$))WDv64#DgSs|j>eCWfEyX%32wn#|`q?Tu))397Cq$@GlkCYRz?m=C zm0vRq1TM7KLyLGZ&7v|aB33G5(d)>Hr4&qTN^MXj!7Ddkp{QsuU9dmp*FHM>8bym0 zH|ChZNsPPXLj21?91(zK`-e2aoNMF!bL|73-`STVV`MVkj@$yUmuzVsEN*JkFN zU>a^Z%=aqna}|i3eG_A_f*d{IP+_S?c%C^4;n(?XpXbj!jrLTTxt zw9Lg^Gk8IRZkZVxrq7&~W3yE-4cbK@s{&o&V))&SmW0MPzy?>n>=MsaFf>Nm_-!t4 zVBxI~`oua!EFS-0t|7Gh()K z!7)Yre#UZX^2$r|{S~V6LmSH#;uV#?s;}bU8 zxyf0yi&^I?F$JuHpr3pO!mv|Z$=Jw(#c7x+o$`ZyAsR%QQr+?U8^&0O4IR~%193*4 zPNl@Sg>Cr@6Cxf@a85u&zeReGJ%T~y!+K<=?|x1}s-XB32ibHmcToj-;(;%61nZks z`Ea2vbu$}TX3-qB$89UQM>NTXEb~u1IgJL|q;*bO;z!3xzDRh~x>5GkKIt`N6AAPq9VRbv{go=HGWbf&C-Ed~Hpq7+5MAEl;nNLGKv>BwY;SI3 zWdx;^-~kI&1V^h|Y{egJCY_@Lo0jhY=hUNTTZ}D@aDK}8e*qDe)x1(Gy8TJ{tu{dD 
zc=t6Rg1MSgm3#11SwrXJ9%`2D1SM&%m_s>>mu0kjp`cgAzxf*IVC%Ut=<7Qca6#C7 z#s3YBVU355n6k>D3r*G%FdfiDL~FDI0rbG{<|@Dnwp<){kIKEUo(9gBJFS6n7sW`z zkacophLs zAP82A9U(BmGPy|WUl^d#;ssL%S_V^leAn!g$+;+_krUB0xu~@8MZ9%<9-O$3?FKR$ z69WjX5Kk5#1);&Mg$J~8H0ps6?S^G@@lqBmAn1ljyOP5T?Iu~rX>@wnaQpZ|p>PUM znJ86hT!LhTy|UWnLLLMw9|ZqIh=!(4RKOxue#U^-(j?lq=*u7_@)^r6>+Ohy&;g#fDe)90N3X${>R8WwO@9+iL!#gkq;RfEm6(U7pyOdph z6s1MgEhZI5*jWuYEbMZwgg~;`(*@i-G@8^^c*mCR+PGGR9f{@sJ9>AkjUa zR|Gw8&7?fr&7>l1+l-PGK|tHnEe;3_Y630CC~~rjmDR$J<_K+^PDb;GN#b;=MK3r> z?yj*L5c__JP5BNpQ_qdnkEHZzW3-yul*6`jeJs(xE-8)8`^Z!lAH*y|mpss?0j`(H zqP04sFlU5quSZdWv2yuiBDr2w7}8mz%&z*PKoVv^ZU{Bz;*xHMkN*2Icu;W)dAQ9~;k`o{0Uv=0PQzJTb!S}b5JPk9VI3~t>#X-I}G$@wjR@9o7i)6jxXxet; zmdC=&d)4)Y7283>0Oj6*af)WbJls^+d}rI}PFnmkPI7Z6A95mKS@170tNH%{&F25P z+`3W9Yezcj?WR6Tr*E&Q>fAMz=xNkrXrET*8yIPyaXb?{xvm<+=-HD#euCw8S>Dhh z|6Yj;aV4-0@l8AYZYG%`a;+U_D>gBuO-51q1G5&sk|Ky~3Z-qEEB~)2l+Qr;*nFE9 z=dyjTLrR+2IKeTt%ID`9sCjS`kE|7xfc>Q3!gSAuzG7c%@sS#nImkN`-4-+HauxDu zOz^2A4YIIR(|0_SR=sTDDa_Q0(jKfh7sul0rwLaqPHi3h+`$%kXOqlQ1}qq)D(z>) zj^$n(-%CkiKeTa3|GxzmDu~5fm-(zq{#L_2&nH=mCrdu>GVp4d&$|@w88Us|B`H4Y zvIS>muk?1I@jP_4{3l(C^ZLtu(Pf#p)~kv>G7>)MGMHv0Dz*4wm!hqM-*qXT`*&BI wT8p3BXI&OQ+z~(PviQYV{#lpBZ}_Uql1Ghpy7*cAs7vvDnUA`_1&rta0}~frJpcdz literal 0 HcmV?d00001 diff --git a/po/es.po b/po/es.po new file mode 100644 index 0000000..6debf91 --- /dev/null +++ b/po/es.po 
@@ -0,0 +1,2901 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR Red Hat, Inc. +# This file is distributed under the same license as the PACKAGE package. +# +# Translators: +# Adolfo Jayme Barrientos , 2012 +# Adolfo Jayme Barrientos , 2012 +# Daniel Cabrera , 2011 +# vareli , 2013 +# Daniel Cabrera , 2011 +# Hugo Jiménez Hernández , 2011 +# sgallagh , 2011 +# sgallagh , 2011 +# vareli , 2013 +# Emilio Herrera , 2018. #zanata +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2018-06-01 03:11+0000\n" +"Last-Translator: Emilio Herrera \n" +"Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/" +"es/)\n" +"Language: es\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Establece el nivel de detalle del registro de depuración" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Incluir la marca de tiempo en los registros de depuración" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" +"Incluir microsegundos en la marca de tiempo en los registros de depuración" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "Escribir los mensajes de depuración a archivos log" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "Tiempo de espera del perro guardián antes de reiniciar el servicio" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "Comando para iniciar el servicio" + +#: 
src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "" +"Número de veces que debe intentar la conexión con los Proveedores de Datos" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" +"El número de descriptores de archivos que pueden ser abiertos por este " +"contestador" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "Tiempo de inactividad antes de la desconexión automática de un cliente" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "Tiempo de inactividad antes del apagado automático de un contestador" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" +"Preguntar siempre a todos los caches antes de preguntar a los Proveedores de " +"Datos" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "Servicios SSSD a iniciar" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "Dominios SSSD a iniciar" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "Tiempo máximo para los mensajes enviados a través de SBUS" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "" +"Expresión regular para analizar sintácticamente el nombre de usuario y " +"dominio" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" +"Formato compatible con printf para mostrar nombres completamente calificados" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store 
Kerberos replay cache " +"files." +msgstr "" +"Directorio en el sistema de archivos donde SSSD debería guardar fichero de " +"reproducción de cache de Kerberos." + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "Dominio para añadir a los nombres sin componente de dominio" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "El usuario a quitar privilegios" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "Ajustar la verificación del cetificado" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" +"Todos los espacios en los nombres de usuario o grupo serán reemplazados por " +"este caracter" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "Ajustar sssd para aceptar o ignorar los cambios de estados de netlink" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "Habilitar o deshabilitar el dominio implícito de archivos" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "Un orden especifico de los dominios a buscar" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "Tiempo máximo (segundos) del caché de enumeración" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" +"Tiempo máximo (segundos) de la entrada de caché a actualizar en segundo plano" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr "Tiempo máximo negativo del cache (segundos)" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" 
+msgstr "" +"Longitud de tiempo de espera para el cache negativo de archivos (segundos)" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "Usuarios que deben ser explícitamente ignorados por SSSD" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "Grupos que deben ser explícitamente ignorados por SSSD" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "Deben aparecer los usuarios filtrados en los grupos" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "El valor del campo contraseña que el proveedor NSS debe devolver" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" +"Sustituye valores del directorio personal del proveedor de la identidad con " +"este valor" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" +"Sustituir el valor vacío de homedir de la identidad del proveedor con este " +"valor" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" +"Sustituir el valor de shell de la identidad del proveedor por este valor" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "Lista de los usuarios de consola habilitados para registrarse" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" +"Lista de consolas que serán vetadas, y reemplazadas por la consola de reserva" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" +"Si 
una consola almacenada en el directorio central es permitida pero no se " +"encuentra disponible, utilice esta de reserva" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "Shell a usar si el proveedor no lista uno" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "Cuanto serán validos en la memoria los cache los registros" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" +"Lista de los atributos de usuario que el contestador NSS tiene permitido " +"publicar" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" +"Por cuánto tiempo permitir ingresos cacheados entre ingresos en línea (días)" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "" +"Cuantos intentos de ingreso fallidos se permiten cuando está desconectado" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" +"Cuántos minutos se denegará el ingreso después de que se alcance el máximo " +"de ingresos fallidos offline_failed_login_attempts" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "Que clase de mensajes se muestran al usuario durante la autenticación" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "Filtrar las respuestas PAM enviadas al pam_sss" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" +"Cuanto segundos se mantendrá la información de identidad almacenada para " +"solicitudes de PAM" + +#: 
src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr "Cuanto días se debe mostrar un aviso de expiración de contraseña"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr "Lista de uids o nombres de usuario de confianza"
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr "Lista de dominios accesibles aún para usuarios los que no se confie"
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr "Mensaje impreso cuando una cuenta de usuario expira"
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr "Mensaje impreso cuando una cuenta de usuario es bloqueada"
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr "Permitir el certificado basado/en autenticación Smartcard"
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr "Ruta a la base de datos de certificados con módulos PKCS#11."
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr "Cuantos segundos esperará pam_sss a que termine p11_child"
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+"Que servicios PAM tienen permitido contactar con dominios de aplicación"
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr "Ya sea para evaluar los atributos basados en el tiempo en reglas sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr "Si cierto, SSSD volverá a la lógica de ordenación de triunfos menores"
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+"Número máximo de reglas que se pueden refrescar de una vez. Si esto se "
+"excede, se llevará a cabo un refresco total."
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+"Si se deben picar los nombres de host y las direcciones en el archivo known-"
+"hosts"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+"Cuantos segundos mantener un host en el archivos known_host después de que "
+"se haya pedido su clave de host"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr "Ruta al almacenamiento de los certificados CA de confianza"
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+"Lista de UIDs o nombres de usuario que tienen permitido acceder al "
+"contestador PAC"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr "Longitud de datos PAC considerados válidos"
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+"Lista de UIDs y nombres de usuarios que tienen permitido el acceso al "
+"contestador InfoPipe"
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr "Lista de atributos de usuario que InforPipe tiene permitido publicar"
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr "El proveedor donde se almacenarán los secretos"
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr "El número máximo permitido de contenedores anidados"
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr "El número máximo de secretos que pueden ser almacenados"
+
+#: 
src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr "El número máximo de secretos que puede ser almacenado por UID"
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr "El tamaño de carga máxima de un secreto en kilobytes"
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr "El servidor URL Custodia está escuchando en"
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr "El método a usar cuando se autentica en un servidor Custodia"
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+"El nombre de las cabeceras que se añadirán a una petición HTTP con el valor "
+"definido en auth_header_value"
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr "El valor que sssd-secrets debería usar para auth_header_name"
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+"La lista de las cabeceras a enviar al servidor Custodia junto con la petición"
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is 
used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Proveedor de identidad"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Proveedor de Autenticación"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Proveedor de control de acceso"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Proveedor de cambio de contraseña"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "Proveedor de SUDO"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Proveedor de Autofs"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "Suministrador de identidad de host"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "ID mínimo de usuario"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "ID máximo de usuario"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Habilitar la enumeración de todos los usuarios/grupos"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Hacer caché de las credenciales para ingresos fuera de línea"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Guardar los hashes de la contraseña"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Mostrar los usuarios/grupos en un formato completamente calificado"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Tiempo máximo de una entrada del caché (segundos)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Restringir o preferir una familia de direcciones específica, cuando se "
+"realicen búsquedas DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr "Por cuánto tiempo permitir ingresos cacheados luego del último (días)"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+"Cantidad de tiempo (en segundos) a esperar respuestas desde DNS cuando se "
+"estén resolviendo servidores"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "La sección del dominio de la consulta para descubrir servicios DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr "Sustituye valor GID del proveedor de la 
identidad con este valor"
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr "Trate al nombre de usuario con mayúsculas y minúsculas"
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+"La interfaz cuya IP debería ser utilizada para actualizaciones DNS "
+"automáticas"
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "Dominio IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "Dirección del servidor IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr "Nombre de equipo del cliente IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr ""
+"Si actualizar o no en forma automática la entrada DNS del cliente en FreeIPA"
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr "Búsqueda base para objetos HBAC"
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+"Cantidad de tiempo entre búsquedas de reglas HBAC contra el servidor IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+"Si se lo define en 'false', será ignorado el argumento de equipo ofrecido "
+"por PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr "La ubicación de montaje automático que este cliente de IPA está usando"
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "Filtro LDAP para determinar privilegios de acceso"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the 
machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Dirección del servidor Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr "Reinado Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr "Expiración de la autenticación"
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr "Directorio donde almacenar las credenciales cacheadas"
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr "Ubicación del caché de credenciales del usuario"
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr "Ubicación de la tabla de claves para validar las credenciales"
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr "Habilitar la validación de credenciales"
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr ""
+"Si se encuentra desconectado, almacena contraseñas para más tarde realizar "
+"una autenticación en línea"
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr "ciclo de vida renovable del TGT"
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr "ciclo de vida del TGT"
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr "tiempo entre dos comprobaciones para renovación "
+
+#: 
src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr "Habilita FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr "Selecciona el principal para su uso por FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr "Habilita canonicalización principal"
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+"El servidor en donde está ejecutándose el servicio de modificación de "
+"contraseña, en caso de no ser KDC. "
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, El URI del servidor LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "DN base predeterminado"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "El Tipo de Esquema a usar en el servidor LDAP, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "El DN Bind predeterminado"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr "El tipo del token de autenticación del DN bind predeterminado"
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr "El token de autenticación del DN bind predeterminado"
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "Tiempo durante 
el que se intentará la conexión"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr "Tiempo durante el que se intentará operaciones LDAP sincrónicas"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr "Tiempo entre intentos de reconexión cuando esté fuera de línea"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr "Use solo el caso superior para nombres reales"
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "Archivo que contiene los certificados CA"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "Ruta hacia un directorio certificado CA"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr "Fichero que contiene el certificado de cliente"
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr "Fichero que contiene la llave de cliente"
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr "Lista de posibles suites de cifrado"
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Requiere la verificación de certificado TLS"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Especificar el mecanismo sasl a usar"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Especifique el id de autorización sasl a usar"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr "Especifica el reinado de autorización sasl a ser utilizado"
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr 
"Especificar los SSF mínimos para autorizaciones sasl de LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Tabla de clave del servicio Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Usar auth Kerberos para la conexión LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Seguir referencias LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "Período de vida del TGT para la conexión LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr "Como eliminar aliases"
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr "Nombre de servicio para busquedas de servicios DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr "La cantidad de registros a ser obtenidos en una única consulta LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+"La cantidad de miembros que deben faltar para desencadenar una deref completa"
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+"Si la Biblioteca LDAP debería realizar una búsqueda inversa para "
+"canonicalizar el nombre del host durante un enlace SASL"
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr "atributo entryUSN"
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr "atributo lastUSN"
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+"El período de tiempo máximo para retener una conexión con el servidor LDAP 
"
+"antes de desconectar"
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr "Deshabilita el control de paginación LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Tiempo máximo a esperar un pedido de búsqueda"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr "periodo de espera para solicitud de enumeración"
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Tiempo en segundos entre las actualizaciones de enumeración"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "periodo de tiempo entre borrados de la caché"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "Requiere TLS para búsquedas de ID"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "DN base para búsquedas de usuario"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Ambito de las búsquedas del usuario"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Filtro para las búsquedas del usuario"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Objectclass para los usuarios"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Atributo Username"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "Atributo UID"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Atributo GID primario"
+
+#: 
src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "Atributo GECOS"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Atributo Directorio de inicio"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Atributo shell"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Atributo principal del usuario (para Kerberos) "
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Nombre completo"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "Atributo memberOf"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Atributo hora de modificación"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr "atributo shadowLastChange"
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr "atributo shadowMin "
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr "atributo shadowMax"
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr "atributo shadowWarning "
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr "atributo shadowInactive "
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr "atributo shadowExpire"
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr "atributo shadowFlag "
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr "listado de atributos de servicios PAM autorizados"
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr "Atributo de listado de equipos de servidor autorizados"
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr "atributo krbLastPwdChange "
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr "atributo krbPasswordExpiration "
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+"atributo indicando que las políticas de contraseña del lado del servidor "
+"están activas"
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr "atributo accountExpires de AD"
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr "atributo userAccountControl de AD"
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr "atributo nsAccountLock "
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr "loginDisabled atributo de NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr "loginExpirationTime atributo de NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr "loginAllowedTimeMap atributo de NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr "Atributo de clave pública SSH"
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr "DN base para busqueda de grupos"
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr "clase objeto para"
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr "Nombre del grupo"
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr "Contraseña del grupo"
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr "Atributo GID"
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr "Atributo de miembro del grupo"
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr "Atributo de modificación de tiempo para los grupos"
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr "DN base para búsquedas de grupos de red"
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr "Clases de objetos para grupos de red"
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr "Nombre de grupo de red"
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr "Atributo de miembros de grupos de red"
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid 
"Netgroup triple attribute"
+msgstr "Atributo triple de grupo de red"
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr "Atributo de modificación de tiempo para grupos de red"
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr "Base DN para servicio de búsquedas"
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr "Clase de objeto para servicio"
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr "Atributo de nombre de servicio"
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr "Atributo de puerto de servicio"
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr "Atributo de protocolo de servidor"
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs 
from the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Política para evaluar el vencimiento de la contraseña"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr ""
+"Los atributos que deberán ser utilizados para evaluar si una cuenta ha "
+"expirado"
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr "Las reglas que deberían ser utilizadas para evaluar control de acceso"
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr ""
+"URI de un servidor LDAP donde se permite la modificación de contraseñas"
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr ""
+"Nombre del servicio DNS para el servidor de modificación de contraseñas LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr "Base DN para búsquedas de reglas sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this machine to filter sudo "
+"rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include rules that contains regular expression in host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr "Objeto clase para reglas sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr "Nombre de regla sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr "Atributo de regla de comando sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr "Atributo de la regla host de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr "Atributo de la regla usuario de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr "Atributo de la regla opción de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr "Atributo de la regla suda runasuser"
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr "Atributo de regla runasgroup de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr "Atributo de regla notbefore de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter 
attribute"
+msgstr "Atributo de regla noafter de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr "Atributo de regla orden de sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr "Objeto clase para mapas automontador"
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr "Atributo de nombre de mapa de automontador"
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr "Objeto clase para entradas de mapa de automontador"
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr "Atributo de clave de entrada para mapa de automontador"
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr "Atributo de valor de entrada para mapa de automontador"
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr "Base DN para búsquedas de mapa de automontador"
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Lista separada por comas de usuarios autorizados"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Lista separada por comas de usuarios prohibidos"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Shell predeterminado, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Base de los directorios de inicio"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "Nombre de la biblioteca NSS a usar"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "Pila PAM a usar"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Convertirse en demonio (predeterminado)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Ejecutarse en forma interactiva (no un demonio)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr ""
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Indicar un archivo de configuración diferente al predeterminado"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr "Muestra el número de versión y finaliza"
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Nive de depuración"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Agregar marcas de tiempo de depuración"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr "Mostrar marcas de tiempo con microsegundos"
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr "Un arhivo abierto 
de descriptor para los registros de depuración"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr ""
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr "Dominio del proveedor de información (obligatorio)"
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr "El zócalo privilegiado posee permisos o pertenencia equivocados."
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr "El zócalo público posee permisos o pertenencia equivocados."
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr "Formato no esperado del mensaje de la credencial del servidor."
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD no está siendo ejecutado por el usuario root."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found."
+msgstr "Ha ocurrido un error, pero no se ha podido encontrar una descripción."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr ""
+"Ha ocurrido un error no esperado mientras se buscaba la descripción del error"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Mensaje del servidor:"
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Las contraseñas no coinciden"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr "No existe soporte para reseteado de la contraseña por el usuario root."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Autenticado mediante credenciales cacheada"
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", su contraseña cacheada vencerá el:"
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "La autenticación ha sido denegada hasta:"
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "El sistema está fuera de línea, no se puede cambiar la contraseña"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Falló el cambio de contraseña."
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nueva contraseña: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Reingrese la contraseña nueva:"
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Contraseña: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Contraseña actual: "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "La contraseña ha expirado. Modifíquela en este preciso momento."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Nivel de depuración en que se debe ejecutar"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "El dominio SSSD a usar"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Error al poner la región\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid 
"Not enough memory\n"
+msgstr "Nos hay suficiente memoria\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Usuario no especificado\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Error buscando claves públicas\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "El puerto a usar para conectar al host"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Host no especificado\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "La ruta al comando proxy debe ser absoluta\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "El UID del usuario"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "La cadena de comentarios"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Directorio de inicio"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Shell de ingreso"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Grupos"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Crear el directorio del usuario si no existe"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr ""
+"La opción de nunca crear el directorio del usuario, anula la configurada"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Debe especificar un directorio esqueleto alternativo"
+
+#: src/tools/sss_useradd.c:57 
src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "El usuario de SELinux para el registro del usuario"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Especifica el grupo a ser añadido\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Especifique el usuario a agregar\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Error al inicializar las herramientas - no hay dominio local\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Error al inicializar las herramientas\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Dominio inválido especificado en FQDN\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Error interno al analizar sintácticamente los parámetros.\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Los grupos deben estar en el mismo dominio que el usuario\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr ""
+
+#: 
src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "No se pudieron establecer los valores predeterminados\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "El UID seleccionado está fuera del rango permitido\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "No es posible definir contexto de registro de SELinux\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "No se pudo obtener información del usuario\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+"El directorio de inicio del usuario ya existe, no copiar datos desde el "
+"esqueleto\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr "No se pudo asignar el ID para el usuario - ¿el dominio estará lleno?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr "Ya existe un usuario o grupo con el mismo nombre o ID\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Error en la transacción. 
No se pudo agregar el usuario.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "El GID del grupo"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Especifique el grupo a agregar\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "El GID elegido está fuera del rango permitido\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "No se pudo asignar el ID para el grupo - ¿el dominio estará lleno?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Ya existe un grupo con el mismo nombre o GID\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr "Error en la transacción. No se pudo agregar el grupo.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Especifique el grupo a borrar\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"No existe tal grupo en el dominio local. Eliminando los grupos que sólo se "
+"permiten en el dominio local.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Error interno. 
No se pudo eliminar el grupo.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr "Grupos a los que se debe agregar este grupo"
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr "Grupos desde los que se debe eliminar este grupo"
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr "Especifica el grupo a ser eliminado de\n"
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Especifique el grupo a modificar\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"No se pudo encontrar el grupo en el dominio local, la modificación de grupos "
+"se permite sólo en el dominio local\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr ""
+"Los grupos miembro deben estar en el mismo dominio que el grupo padre\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"No se pudo modificar el grupo - verifique si los nombre de grupo miembro son "
+"los correctos\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+"No se pudo modificar el grupo - verifique si el nombre de grupo es correcto\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr "Error de transacción. 
No se pudo modificar el grupo.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Magia privada"
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Imprime miembros de grupo indirecto en forma recursiva"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Especifica el grupo a mostrar\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"No existe tal grupo en el dominio local. Imprimir los grupos está permitido "
+"únicamente en el dominio local.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Error interno. 
No se pudo imprimir el grupo.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Eliminar el directorio de inicio y el receptor de correo"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "No eliminar el directorio de inicio y el receptor de correo"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Forzar la eliminación de los archivos que no pertenecen al usuario"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "Finaliza los procesos del usuario antes de eliminarlo"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Especifique el usuario a borrar\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "No es posible reiniciar contexto de registro de SELinux\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+"No es posible determinar si el usuario estaba registrado en esta plataforma"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "Error mientras se verificaba si el usuario se encontraba registrado\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "No eliminando el directorio de inicio - no pertenece al usuario\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. 
Removing users only allowed in local domain.\n"
+msgstr ""
+"No existe ese usuario en el dominio local. La eliminación de usuarios se "
+"permite en el dominio local.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Error interno. No se pudo eliminar el usuario.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "El GID del Usuario"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Grupos a los que se debe agregar este usuario"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Grupos desde los que hay que eliminar este usuario"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Bloquear la cuenta"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Desbloquear la cuenta"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. 
For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Especifique el usuario a modificar\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"No se pudo encontrar el usuario en el dominio local, la modificación de los "
+"usuarios se permite solamente en el dominio local\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"No se pudo modificar el usuario - verifique si los nombres de grupo son "
+"correctos\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+"No se pudo modificar el usuario - ¿no será ya miembro de esos grupos?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Error de transacción. 
No se pudo modificar el usuario.\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "Usuario particular invalidado" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "Todos los usuarios invalidados" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid "Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, 
c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "Falta memoria\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" 
diff --git a/po/eu.gmo b/po/eu.gmo new file mode 100644 index 0000000000000000000000000000000000000000..00331a7066de6ae0a54eb6ce39e45ec4d3103038 GIT binary patch literal 5262 zcmbW4ON<;x8Gy?qye5vxgYYtt3bBb_J+o`C6El9!K5Q@8>$P_sz#yTT>Dt+1db%h5 z@OtNl$O$RACE`E=CVH+$KYx1Y-WL?tEceH`kGxB%FTzvz^2PO?cPq6Eeiwcaz5*YCKdGL71wY2~U*Hk= zU-%F_{2rz5gJO>hV?6&BivItGABOk6ue9rNxR>V>Q1n}cVpj@30H3S) z5|nv=1jVk`;9>ZCDD&^a2zh@u{17|@MXm+Ke>W;7Q1pHlioV~3pN2n#b@-c#yBJjb zF$G2L4E!X#T0IY-==pW{D0~?{2w#U{->;#}^LHrv{0E924-*{G>j0GZTTtY_TyX&9 z{b%8);J4u4NQ5__Uh2o!YKpF2PDEanNDD(XcJ^}v< z55e6Jl+RDWkMjH#DEYq$HGC0@eXm0C(=V(3H=&Go4@QanqfqQS#h3VL2~NXjpy>Mw z+y{RQC2qfi;_rV#(Ps}zW2$-*%6tn@?EMlv3>}<-FI4<_)&Dl+qwdEUGOmX5d=|?1 z*Pz6s51C3m2PID5hJ4hkd`Uk10!lvo8H$~6L3#fH8u_UXS3C>l{S_#7_Mqg!6t~v{ zjxO=9*e3eR#g?K1Zdt!_NnXe$aXQT{@s?PN9mlxklC>atBv-41|9*<^bJg=%D6#(x zcfD#8pNoESiQNaer@2|4et!}h#4mE4;+ELlBM;Se28#VG6Sco;o2@AMgxQKM&gbe$ z_$2oMZn-2c#D@)T(!}Qx>84~W6<^PAOU}q8IVb)dU6KQm&&{eqa=~9UwSRhFw*Tn9 z>_VCpgQnhpY+qJ3URa#hanWzvl-8sB!kTJ@p$=`k=<3|{ZI+w*+!Cv zO|9nrT#>zLBYu}-XX`eKj_5|)#f`Sf*4096+7Tn2Z>_AVg)~i4?P8ZZ6S<*_QFYzw zJV_$-d8b|-po@-@j)~B$Z(KZ*kCLP(0~G^3DB6+h=$_qVwDUz2=_S**N<3xqJaz3N z=Sdu?W8dL_4l0Yvo~(lI7g?^`7Hz$b881{bYm<4W)zrmA8b^*(i_0zDiJZ7;J;`!E zhqRRn`)+)F)27;lVQRBXEylS`V{EeCGaKtJvU*_BOe}&-iU8J33fA>pQbeH-Pip(g zO{=?NOI-vBuOkt>lXNz)9k=FeD0ZB`I={3fA)z<8$iFC>`1eMwqNnTF9qp1V6OAaD zyG{|Av>a*sK->DN@$S+qqpHj1mg^UN?^?Y$uP&1(+n<;0#`f$RC8F-Eo49NBn!$Hr zU8}7Qduu>wXqqb}Hj^U7sb&7+yN&vmEZMxAI^srfGMB{F%F-qdCI54E%@S1t7f&j& z;@!Jhnob_G#v&qCQ=<;COxg)}O|6pal8nikPbu$t-*|o8=v^U#ouuEFOv*^yxa-9R zNt(-G$Ot+~9J6HQr>r7LIWLx>LnkNXGMCGAQskKnc?BUNo@~&SiqA@ow!}q?cNQ0k z@k+WLvmSfpu$@j)#JMsh7rf`Qv8%w5R=w`uc($ra&g+VAg_qmAOJ*%(TFiDN15DO+r zyS3#jtARft@Od!Lw$Ri^r>0K?QzwGyqk8&SbL!aPDJ}$qYxbs-RWp{GK`5A>(bLn- znd7CLI4M{q@3P2n%rx1;2C^@;H}wq@o80JA9p4hPH-n*XIafmTIa9kt#ulb)gH>z# zO+9O}X9}witmpZl*=THRY}9iZ+^yMLb=FQ}P&y}T3>so>BdXqS*rIW8YqX}eMeXw9 z<%O{ar|VNS@i@sEtZoi4Jh!*<#vn2-J}J9R%3*r?`s(@M#8^(IUbAVi5O 
zw##eFQIVP`IG?2btf}LHf6PuFJ*mr|rw_#XvD13`;K|w-f(tgbY3ZBFBQy1x`tcg& z$fycfHBo5I?Pb8w#%D3e!^yoV;>u8Qtcr z;8?ZmOwA@?dfE<6nmRTxvZmlzGHn;-L)lvm=f6MfdW6p<22tJ*p%e%%M+#J zYtUebLaJ3Mp*gc7qgJFo*f!zzQb9@t-8FtB9TsIhV2#c>Dq~bzH<=R$4XqiS{&(r6 zTHyS%E-ok;de|s-RRsgDbj2mUSm-5;i-n^>7coL7Sz@Z9!Pg9hQQq%?qqq9)ov~$S z*^g(voMpBheyh}>Ttje}ZBy@Z?y__U+2 zio=2$V^*@JYuXa)%Fjj*v1UlhATD)AK!~>FX!b+sZZV|v>rM1jiWhh6-0sLb3Y6ov zO@8MwZ||5GPda6-ko-eTndn=bCkKlB)?GU}ntYNIMiz{u`bExJA}edF7_R}2Tvi`B z+be66a%E^%UlDg*ZtA)v0)-wHsnmYe($Q?kF7_45)>>MO2dV3eEOWA46P#YIe9bav zNcJo>E9wk&MqM`6VyxtiDoj;KS?+jYNF-}&)YUDw51*c7<)mW_MT5@<*$pT#49oPk zJ%TEMluU~ub-C_wbQpD|N?x{{Ucw%cmvdGwcald8XV|NZx@ZczxoMT5*kt%SL+1Gw zavaNS&XVq#cpzI_7v2A_m&$Txw8rOc)@HZhKT#n{=B%sMyjZ!Ts2RPnt(+M(-JzV> z), 2012 +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2014-12-14 11:45+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/" +"eu/)\n" +"Language: eu\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid 
"Number of times to attempt connection to Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity 
provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:109 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:110 +msgid "" +"Maximum number of rules that can be refreshed at once. If this is exceeded, " +"full refresh is performed." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets 
would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "Gutxienezko erabiltzaile IDa" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "Gehienezko erabiltzaile IDa" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create 
private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA domeinua" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA zerbitzariaren helbidea" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "IPA bezeroaren ostalari-izena" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid 
"Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "FAST gaitzen du" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 
+msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "entryUSN atributua" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "lastUSN atributua" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "UID atributua" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "objectSID atributua" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "Izen osoa" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "shadowLastChange atributua" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid 
"shadowMin attribute" +msgstr "shadowMin atributua" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "shadowMax atributua" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "shadowWarning atributua" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "shadowInactive atributua" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "shadowExpire atributua" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "shadowFlag atributua" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "krbLastPwdChange atributua" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "krbPasswordExpiration atributua" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "ADren accountExpires atributua" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "ADren userAccountControl atributua" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "nsAccountLock atributua" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "Talde-izena" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "Taldearen pasahitza" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "GID atributua" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups 
members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "Shell lehenetsia, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "Inprimatu bertsio zenbakia eta irten" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "Arazketa maila" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Gehitu arazketako data-zigiluak" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + 
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." +msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "Huts egin du pasahitza aldatzeak. 
" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "Pasahitz berria: " + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "Berriz sartu pasahitz berria: " + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "Pasahitza: " + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "Uneko pasahitza: " + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "Pasahitza iraungita. Aldatu zure pasahitza orain." + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not 
specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Errorea gako publikoak bilatzean\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "Ostalarira konektatzeko erabiliko den ataka"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "Erabiltzailearen UIDa"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Iruzkin katea"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Direktorio nagusia"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr ""
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Taldeak"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Sortu erabiltzailearen direktorioa ez bada existitzen"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr ""
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr ""
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr ""
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Zehaztu gehitu beharreko erabiltzailea\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Errorea tresnak hasieratzean - domeinu lokalik ez\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Errorea tresnak hasieratzean\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Baliogabeko domeinua zehaztu da FQDN-n\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Barne errorea parametroak analizatzean\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Taldeek erabiltzailearen domeinu berean egon behar dute\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Ezin dira balio lehenetsiak ezarri\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "Hautatutako UIDa baimendutako bitartetik kanpo dago\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr ""
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "Taldearen GIDa"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr ""
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "Hautatutako UIDa baimendutako bitartetik kanpo dago\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr ""
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr ""
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Zehaztu taldea ezabatzeko\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Barne errorea. Ezin izan da taldea kendu.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr "%1$s%2$sTaldea: %3$s\n"
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr "%1$sGID zenbakia: %2$d\n"
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr ""
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr ""
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr ""
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr ""
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr ""
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr ""
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr ""
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr ""
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Desblokeatu kontua"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr "Baliogabetu erabiltzaile bat"
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr "Baliogabetu erabiltzaile guztiak"
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr "Baliogabetu talde bat"
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr "Baliogabetu talde guztiak"
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr ""
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr ""
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr "Baliogabetu zerbitzu bat"
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr "Baliogabetu zerbitzu guztiak"
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr ""
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr ""
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr ""
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr ""
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr ""
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr "\n"
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/fr.gmo b/po/fr.gmo new file mode 100644 index 0000000000000000000000000000000000000000..abd49e80d66ca195ce68c217426f4fd529e02b88 GIT binary patch literal 51843 zcmcJY37lkAb^o8yXdKyP6ImW>&%ksK%&-o!G}E&*%=8S?J%ES~HC@%+1=Uq;Ei*I* zm53WADjG#xF>Z`o&}dW;7si~f zU%mJ4e$PGIJ@3xfk9gc`68=8!{sm0IqsXjwoDUuij)8}Q74QVG1D*)J8dNzS1eO0U!}Fho=TAM$$LTUq?R`4< zRB$J#{I3F!1wR04JU<`sJD|$_IY?2-Da(DFHh~v&-v;S&azD5Q{3~z*TsD{_Tfygo z8n?dyRqqc$m3PQclAH{#1djtJK()I8GE~WHK(*%+pyuT(pvLFt;7V}i3ZIt>IL!T< zz>C0dgy&B=+snTid=bxEp!)USp!$0x#6VM%RiNnPMo{D10!fnG2|fvY5WEunV^Hlm zg32!e&jPoARq!9Mh!{9dX zHz0zifzJZ9-rfMN2fq$#U7o?>)jZ6Cx_=``*5upZ_2BUk^;&QjDEfYg|3R|JPe7WO z3{d!S;C4{;-wLXqF9(kR?*Ucrd%?rOAAw9&^6L=IHQ;Jc<=zE~&i)Kc!JmVopOY^2 z^|S%h{am=e2h==$8q~Od8$1^LA*l8&xy7>r-Gjj z&;J%Yf%~6pX2Wo!) z1l0We1XO!ZztZ{Mxgb-QG(nBShr;uJ2Q^Gg6dnEp2un{++U(_C4W7dN40sy&GEn*M5BFaHML$0R8QSEKExtak1y#>ZQ2lrd zsPX(LsP=v#JpV3uF!w(X?+;>dRL?2k1>pLC&jU3N9{~>qzXEEWz6UM?4~E$t23`O{ za>)iz^}HNZdG84Kp9j_6zXR_Ae+H_amybJrd=}LG_d(Tj`h>5a^FYy085CW;Ea3Y< z)&E6M{rd^1{vNu`acRI|P~&zzsCL}~D&H%>Rp7@!jo0@<&GXUMcs*BuM{-{Vj{)Zc z-US}T{ccd}^phYYnfwG4y|1~}>)#F@!u>7a@!*R=wd3ue#^GU5>+x>`{umTLJp4LO zcQ&a0jDah_X;AIC8+sdGW`|Ths zF!?PImYIAOybyfiGrj&RK+SIx6kXi|s-8~<`~i3|_a{8d*V)rS)qg9f@p>b8Dfl3G zD)`^v0C?hdpVxJu?i--y_ij+@au29-eh~1m8+|>j1XbSUpxXI7Q1kdv@B;9ULG|w! 
zpvG%e$>(z&sPQj>>c{Vb8rKKF^T2-wHIJw4@b+v4_54;)<9vU3{uyvY=|Po$&ZPHa z1iYO4Sy1oa4{E*r2s{P6sEqCh-T?Ix z|5|XE``3Y@m#=~vk29uSkFJ1E<^BP15d2GU4fwbj@6QG><^H+g72sRI0q|R(#(fEm zJP|w(RR1Tyi@-ZU_4hO2ao|@#we#P=!@(nN^7%UrJdOJ;0Xv||dwsb77^rf-4ju#k z5Y+fS@n&BqCxBW<=Yq$AqoC^B0V>^X0q+8p{~e&l_aX4FACn~C1cBs%SugM7pvL1% z;8O5kK$U-N-OC>Y)xLG$SzrYeUEBq-6q7yR2JnQ2)8iC4#QjUaGr^C5YUj7Wr-45O zPX#ZW^ZCC4Jem973-}puC-;93LfXkQpY3w-p@9DbUdi)Inl8Uz0|Y_kavh@@4S3;M!Z@z2Ij+ z(b>j%FXu(zrQClSybw%o_4RoXsPe0z*2gnuf19-%5 zx?bG?$GQJ3xC%V(Hh4cc1|ARo2-LhCMk6);E5W0|3aID539bd-3_cnB4#f965W%LhTx*H^(|@YLJAJr(d0?(YHDfnNdFgD3u$_jd}^ zxV#j668La<{smC<_d{?Sc+?Ago^KBLHc<2SHSlTRuifGL&}E?JeGU{|ydD%?{a;Y& ze+r%op7KIZw+jK^h>iNe(&D+0%1K`qE`uJ}FZM?yyJiiS*4tyu5@%c2Uc76xcI)40J{`?GZko!?k z&v$_;_ipfX@RQ(a;CI0@z$LG8J@Xt;^l$~Jbk71W0`CCTzE6N7;D3V3fAOn*UEBy> z%KaJ7lmEh688`ceY7Webuk>ESPt>6RTCh*|bIK4juRQVqOMbG~UYMrF7^?7A~5l~)1J2k!>Q z!7qRl;3@a`^IhQC+`k`Gz25*e5B~vbevW;;^MhgVSnlrxMNe-7r@`-nH-Vep;QZ#J z;L+RZ+3ZdC8+*Z zLCx1|!85@J!Sles2QLGUe~a^j8$i|D0B;2U5F7=Mx!2oQ0&n2{A#e&j?ybJQZU<+$ z{{h$pul+s0|2(MqUiCJorwyRywGKWFd>yy}{4#hLc;ef={VPC?^EKe1;EO?<7w|&v zzW{1{pYRT+%M{f3Uk9rFw}WHgpMWa=n0Go~xe;8;{T-m{|2%jy_=I=)I4uK32iJhg z_Y&|7@Gn5s|6ici$BO%W9bOf13e>#Z4yqq-2Tuh*3@ZO$gV%$}ZkJ!r0GD$6LGWuf&K5^lPz5X#!`CFjI_fAmxcY~tG zM?j6=>3`_!?FMiQ_a6mS-xELL>;CEB)!g3>UI%^&+yE~BsE>OGJe&LXfh)kTgXe;W ze9Zf|22_7;16BX0K(+f9pwg{=!0Dj@Ucmi_z)Qe?4)f@om;6dECz-z(hgKFnrfd_*pKjihS0F|!|9t*w?90ETJj)VUJUJQnPD!7gNd%>rI{|Rawj`)=G-8J9|+`k{x^FIZz0sjY7c@v*@xwIS9xcv;= z1ulQs`~P>7VvWJUj;r5{1UhdJnWC1u13JKxW5ZL6MP6f4txYWAAIbeINhuU59j`6 z;8VaifhU3=0S^QJ5M}hwbd@}fV z;4$ETfU57{&wILofU7~}-vp{1W$-be{+`42Jgy&eJw7~q4)`VR_4jLBJGda_q{Q=A zaINO|)4BBbVeW4P&jF9u1O86px{d2%p2ff4EBw~8lfwO9gal6nTRi)J;T~3+yo3AO zLb_LS|FrO1N#4Zo?}O)XoyYGQmuOh?CR+R*?w4`Jzu)J#`u;xfd*R{B!Re6Z4FTT> zK9B2vc=uNDAHa`;o4E$~eKPn@;0M4>;Bnv%F46bfx#Hhep54lI57!%b_@`VS4=;Za z6M>VwKNGBlXQLqGnmjJt|2?>cH2)X8f$RDFegSw4csth!zyF!*4t_tx^&x(Li)%aA zGr073I@da`pL1Qp^-R*e3e?{V`Td{%GlAT*zZdiTFVN#5z_VWmU(7YH 
z2mD>dv(vbKi{F!6U(-YWmN*#gho4Exk9TqXA?aTNz631(-Ov5oxDMsvMlSJ<_&3V) zv$>wj^$8ws;cD`G54aB0-y6Ba+fE7hdiDw~tuOuU;`x1ChjYD#>mZ)p4VJm$-)s4C zdAL6);2-kr0j}STi2~ll`+wp0AtBw1`2BKzuMYQ0b|=4ojZ15{`1ewty{zy+Yxq2_ zi@CP(t^;$zUQwVeC+ zb2YeNfA;q&{{IuM$MIf&M+bZdzi;Pyko(t$XHNtl%k@#Nf92hc;rUR&ai0Abmtq|B zx62{<5cijG4Re1axSZ=qe!rRPz5EtmJ(=r$T>ASF*C)AtkLy9MQ@H+!>!)15&GiZL z#J~CQ`}yI)YXZ)IZ{m6j?_b1qEx(TiFAM3<0x#fM8+<3&;#$J*-wf}E!Ef;Fi(LA9 zHTVApe!=b-=aBC7fWO1@?{Hlk?*B5RyN3I7!|$B|SAl;Pe&4|R-{zX-x|e6igy(PO z{$u=>%v;HIA@>7ZBV14CdVEMH8KuA7Tr)gh555Py99+YtzyIcXFV_(~|Fjso^t&izgL7bujcm$`TbJx zW8ky7?&0^*TytFS=l)q-oB4e;_+e0gPvZAexDMg>TJW7*f4~+0uI9%p!~GQjzsj>V z*J0fMBlrO>{awZN1Fna;uH(|*bGg3Bbt~83aOrQ5>uw?W-woc!bv>8<-X7|>6#QF% zwBY|IDh=0_A?+Hl%%fSZSMhr(*UIqj^E|sH{C+aOu9Hu(CGrpoW5_ZGm9*KZr=?cfY&69k#)t+d*u**QAs9o5u?5g6Sv z97Z7-o@z4|lQX6IG;On~-aN4-qYR^$v|fQ&n8jLSI&E~?w61JLrPVs*z*y^LY4X_} zqaW&?yt&d&hM}p}T#3n1Iv*59!e&{GZaLYBz$9ipnVCY#l{cC}H5qU%~JQ;kl&%s9}lxk^2qs@5u5GK$blh?;$j z=nkV3hnYr}tCOX+4+G;HrlkcjW#f^~HEPw#Ds3-msThS7iqH~J{!*ts(`Z(2rAu3e zH(5zl#$oR%Lw%yVV#;g@`s$mq4(zN}b`?s?(ljemm1d79CQTR*)HeC*E4_ZyGs7&fnDJ_>Ov&`qxa%HO2skN6SYa|HL!qi)58&gxYYF#aY zc1TmNH`+=B&DioCXm!^ykHkS>E$N>WW+_I{Xh1k!$;uU`a8?ynovN)nyAX9$JPoyp zz0@IN=nn?b7T=3iOtD%6Pcd0Z(pqB@I(O!rHDw>^mQz73aBO2!#X@|I*J_Pj6{Kkx zhC+cobuLe58|CWMycmGZHU+{bJiph|lcT#(>wQm(Vwrls|3yw$kP!7L`0@_1Z1DmW zkX6})5|ECf6-cFLW>}46A78t%TJPNAWMJ|Y(Vi8se<=c`rMC1$A&uGD5)5$;_AU+- zm4-M>*2zUv!DnWwJF3c9NC+js?T~ixim;d{!L@-3Dp7^1#KsVS?It=Ext&T{BcZags9oveS)4=yD(=6rC_ zv#%JG#@j^mfb9&0!L1KynLwS@vL-+9Ck=a_H`1%s{w_`!8ST8LvD&7aFl$kiX~xMK z=`5&|TY|2Q@C+hl&U6X29I*$N9vK^tm{S~HbeZF#z4N436U zN2xW#iyA}sXm!(E4>z99yrG=6=9#A1bk_`8OFBM2K9aU(jOJTt?3MJYN)vmgf$bv= zao+6~&p4Fi1={LY`dpBCQU;KzUZX^nra@I6%v20QHSyvsD{(>WUYfL>#V{TZb37TTEyDAjh7K4jJ5?Y zGsdU}K?P7uV6pV5HHiqpbPIV3qaPL&nc~Zg5lcNr=PQn5NYhH!4UbP`H?+Od#HM12 z^Z)u}bxx|O*CkytJd*0)sH4!kpz1((26V`^_Vg5%-IqTIw|X>K8>}pw1sk1 zFSnL;W!p=lT%MTXY?hWreqniLwN&d>>D1L*qj}Xv5rT=V-OF3X9P_5Aip2DqB^87j 
zJJ;EPDI&c$D-Dqx%opiyj7TNs+chIg$e6yeFRE`XN!BT0dj|VQl#iX;O4kghla*#0 z?kWM<>X$^TCfLn|r29xo)0IMcyjYzmf@ZrCysp~Bo3IWGtATQotZPV(@`Y(OPE)k7 zuF*tqwpAtzXUaK)Ej|1Vkm`>4Oz}z9$L+qO*(ik`B9knDY|g&VR(M~vUL0%Q&#ltR^SKA0d1 zQIa)Yp3J-9+M26OnuK3s&z$eU7*{Y0#)S(y zKo})YBfU?(oyFLZwZRA=dqj4*c}0=CAU@W{QY;d=txQ}>Zt@sOke19-5=^7*Q)o4n z@^*W*otdr7&b6_Mn3f$C91my+EVgo9sz%*NI9S`3QHk5TlpZT2Gq_sVXQg=>!D}uEYf-Jl__R9a1Y;ONYx@*|tYbN&P_eM&%X+A<| zmT}h1l@rV~>q3}h>$PPJ9nf&uM3l@sNb7C%Zmz>^wwvF^I8Y#!st7{FD;AyZl7`c) zpzO&2S-j|M0TeZXKr|Y3>1&~wmX*?g3hGg9avyF^BIaB(=L&p_=H}vXVcty7#{QNo zx0tt(nlW%cjYKZoC5qKd0^l7GF|dwN4K(BAz(<&QrkGmvh*lymWUsGP&wTCL>p+sx zRXe(6=ehDfgXc&8E%e6|94t7pZ+0zeUrT*-0go9iOX%UOibQ7a9%yT_xDHq^uoBjf zIfxTX6^s)p$=IGO85`h9bz5$T%>LIW9ce3^va%AQP8)4`%Hv{!TB!JHnGikvqYvO{Z(aE>qg{auv zzdbdm16_$3Pe`s)D>bub6Xh1B+yJi8WcPld=gWXzneqkf=3ZpPXqn>WxmzHDcT-?&9iKbSAD#u;ko$2{NQlHH8eVN~t+H z6Xi{^u{u?;(PI=R)=!ucU{eq^1t(H}S^-AIvNn})K@3RW4C_QQdBZK@j(;)WPMhgPTwo{7( zRFEz-!E8c2H5=v1lzu02C%G>y$&_H27hNT^rYCu5MZumoT35Q8tvp6gdm%iKW^6K$ z->5h#&Sp$)jb>rTb5m&=NxFr_D6X4qD&10@?aaEtH#(ARDsF!7!{~trniP~YSwhZM ztArcJL<|Dfv^O6wZ=p=Mpc4%xo3O>Z>Xo}*HmzyG;tJU)Cz}?3XT1v|U|-21t8FD? za`dOb6tj96;2;56vX1;5=hi zAx4S1bm@RRl<6hu#MW(V2h@2~iDe;kpoQp>4<=I2RE<@p84orFoV#hY_jPWJ#T_jp z)$9%;onuMm;~3u{NNtu)?RH8|##njmJ@@yfvNOZmChD+l?N3#wNx!S;MjdN}M*7w! zlDaLM%Lp{r0-S|01ndxW;AJ*(8eeme1g&96#EIRBSn-MV?V8A(dQTmE};#py|oO_GooR7CQy(Xt3A}vqPRI|J|?(w^pmJ?l3DAyuqKi&yMf&mHz2e~A*@`a0ki$c7G+64Ve;I!Yg;zF-VY!tRm- z0<)3*rQ}iOp2lY=%YR{Z^W7g!sQ>iy%VZS~6kBW5r7~dOY;G z^C8(Hdk7U2RnVzdoxoyYPo>3f-Xy*V?Oe!($YxRCi7GMYBukPlih075-au7mu}g;& znP$DRKARSmAVw_&uG^(KsIe;8n@#o67T<_Lawqk|eqA`RMGx}ocYM1pcaAXto9+HtyVefX~)(QpN z79HE&nKh>QkfpU12cv@UCN_>2_iQwznX22B$kjiTA>Ve{iWjI^g)B4<=CYGnq zXy2p1&Q_5&rfoA?ngxx!ynb0h#H=!x*rgtYxm2_r1CW++3erflP4=#j$~}|sbQKg! 
z+v^zdkOB>>g?}XWG^}_FJS{v93rx|pVa*LC_n&n+?-tT1jsre;x(2MyC*rQ}A;3&u1#Hy!E{q!_L#f`g+xYadZCV8))OU z+GWBPc2hNObk%xgTd(64)|!&IixAC!PO(E8U2JeRyUeRun`hwMFWmpkiNGH&;QdctOMl!du`?QBJBzuGd_1aqC0 zW^A>0q~pWh@r=*2;k1aLOzA*)&tM{scRz&|WALihjd(PH&ljPB(>0JWRh|CYUjL(4udAAuRgZW~txX-WML|1@jN{vpm-ygQSp#5dEde1XL|0 zGO#ggMejpZVb5Zqs@17^*ALvNHH%+XQKlCJkC(G8&xpf_aMX!;#6En8Y!FK?b6uV` zrzTgfI{O04GBL5y#Khbj8W2Tk`T2%mao;m+0h`0$WO&;$D>@|fC~JJl!piM&abqG# zwU}HsVX*#Sqxi&1)2Iii?W%v6usN3l>g)a$=vs_LmKTdEd>YcHEXFAAD#pl#o_5Bm zz?|)FV{gG-i;;o687F)uvpklOz{4_<-bSwIB9iCMeYT3~P{CmvnY)fQCM}27A|e&l z1*5_rg^f=IOls<+2};IT@+eG9%?p)g&k79*L?nNT+N*Jw!jc8UnQEet&Uq`=mk-k( z>eF=jT=7X)AqB64BUFl5I_d7$ki-<}DZY?F93&Nbhj#dahrdr@qGIM5l`pC&bcAK6)szjb zDRW_N)4%L#P>e zXj*#K@D-iebm-yK3PtdJ0cw?*iqwXs)6=zL2=(vZKDK5jf7;aHfoNA-Npjl84&~a)p57v z85c23ao9r4TAUUOSo6BG!_%s6u&JjSS4~0z!|bxaXH_`E|QqNUNmR+D`QVH>Ug2>XR!*3kt&i-lD}p|#SaN1 zcaavjEzd_9Ig>))1DzK3K*RhGkp~IXy%D-CH>#|z!Y;`+G3@N?PZjUJ0l7dV!NXSy zSb&50b+zx3C`%SYp*5E)^@W{wrP63`-!we2X2a;%`t4h{ZCty3bZq;Y4a1}U*_zK_ zw2=2FhvJnN=92hjFRti&E7hiX)Sj8`*J0bF()x32(`Za{;D&<)g7va_;BmI}0pA*` zVk-{^wP)}Kj}gyx*>tJuj3c>B<0`cwR2^A8?qoV z9+y}lCed=OSLFslwf7L*YlpXvF;T122@Q>Uvb2NI#jb9xvy2!^-B zE&NsP%5Z`G?T2R>pYiSZ4UWPBk?{?OFez7li+JB6N|QdN5)s^9%d z7D{OYAKR0T507t5r6qRNRBwfl#13OAS4gNWYI78BT4Fk}W=mJbUO53ri6PXXM0I4# z#8#TCFjaBSUFcMKAvh7@m#qlieZ@v*!*f8{q*|?ORx0Sd#fpOjy}3MTjz%*QitoEz z_j0ntoxW(1+P5Hu?bAZ*+;J1WLq+-0RA?raOA`%2UouG`OSVb1CseFimbzQNw(c!i zo{8RQRC{A+iv_T*?aLMa4%U=9D9yi3h}*In6{C=RRTet1w-TC_X^XgHw$UeT<6*C5 zi9}&*Ie~`#3?ofr6|TGEipZ?lLQ@KqR4bR}wu=jFZ_SiAAz`~hxwi*vIO|6+CAEbc zPHXTK#Sx;AbVAD5;Ccnd6jq))cs0W7YmFVah}OW-q@as4M!9gU?R;i6!i8oaUn$%a zY(AlkdgzrrrVFBLXpMGHeTo)xqAY*U#`3j_p9eVKhvF>?5=IagVV=6-NWx8cMp0C?0jeJX>A`%?u@7o8)LiupNu6u`w`{ zBU<`N=>J+fF$2PnYe-yqcqGa11D%R}Y7VYD@9c}Z_GN;yAtET`lEr2mHw2~kFnVd^ zA#lQkNP<4voZmJ+mNz7UA8&-3w(Kge@r}r=O?tH@kdk%4ZRz~IsIa>*BUBId+>R_* zZsIFwZt7M+=S!TZ_mxPFnPKmp)bLGgerFBPAdZcUCpMQO{{3FTtKRiG?|^CZ3(9ay za5F?3rzoknhMjsXnk|2xYi0Q}Uza}3g(Cd%I<(;h4@c`^!>hLt&BlVM@PdekTTl+M 
zY73rS8@_SKix%C4-mD29JZCQhEpBNxbnwIAXnF7&L@YY*YC^}?Ts6FYZFdGc z$ChlZ$Q~Ws)S5=cyP`AQ8k}gXPFt;38RHXY$>k!**3eX?+-R1>Wm$fW=Jb*+n z$a169L4thP2U>adITsF|ec|9aE7NmUtv-9zS!eS{!ojVTomJJIr#pY}?3IHn&rQ!> zwffwUPJ=XPCK8@oefV|dp54toA7YzyT}83wPrGSKc=@!xpB%y>zI4e(w%I#uK@Cn+ zO0%ma83~R}m(H}?bE{XZ*tKid5b^jJH&c~clwk!zUgObPF}Fe;Tu}@8S4=fmEXzt; zjncPd)99wP`JkOMboLSrGK+0cM$+oE&FAnd_{OAKzgW9n=r8R{woR-Xyf9CvsyUHk zaBY2(fWrFp>hwZBUthAN*5M<8!F5<1oXS(5v)k4sD=+4p1HHLqX+6C(J!jd)ORgJS zk10xYuSVng65AQ2^xUCyhtA_Tp~MapO4+it;5zAVm6WZxB_;%55u$!%njR}~Q11-O z4Zh&n^X@h|=>FuM-9(I~ZNgLZE%Lt388R;ez7}StL5c8AwoSH4)oMWjY~?SkmScx@ zHdGrC9%_vEIbL_2+JXZ%aCFWL+H-HZ8tcjhDlVm+l}UmV(%C)lh63trd%^ML<1kH~ z-tO6b)1G^&oX7=HsQRBXW26|yM{Un;c>y^)hgX!}-m{xWnk{nxSq%f?pL=%O@YM!P zYxJ(DErnZEZ>G^AP4m#Fsj3FDr-|zjW9*2u7#|IQ!~%3JPuBplWY2vZxnidg@u1@_ z5)uyk*7-=>vQkdDUm0U!`eyAGxB8y@7#*?&Cunc3@Wn7*;-2FC!#(+{*gK+*1qsk! zXhn?=UUVLT1!6-jYV+vG{Yqt4NWY zd?ZRGtX^#I*6`a+=RujM)~BK-BN~s(oRO&b042{it=%Hh^jPvtqz;P zb(S#mNoPBg8u)^@Bdrf886kb0ozS~H8QJSVnZ!fSROu8c_~bWG03Bc^aT#$K2!mP} z_%K&!-{mUbzy}Tj$>4P_vDT)mYC!iW7bskqA1B;wQVr??him$;L ziA55Jwcy$4kA^^Qi|#CutB9Y_G}^ke0|~{R;9hO1dKkhK(`jcZ!8d9H(hn3Dqw|#5 zKhWVpww*Xtg_1&{c+<#N)|Y>{n==lVY#fLxTo!MxuH$y@(6~x^Q>P`)yP7YW3w&Zh zrep-}RjTUyF*B#;8!*cPxK0Y$&N^82dKSET75Hcz-`H=dg|tdz0}Jc|QDU_Z_P;SqMylz0}u z+0f&(sZE?ufSkz$zuJ;57%N^3%ed_=sEQc$&DJ0^R<9(ZoMsU|rO`x5TqByG-@Gjv zxGwQ6?Zl3y+Rx0CHCgfF z9z|x`GnXXh5G@PJp+c#%VoW7eChKD4rE4;Myf(0Bw;MN6vLYEQ%9NH8vF551U+orF z*nl=!+3{ymizWceCM?x>9GKR31!a*_vNm=n?d4ojm@Di%Vkref&FX+x^eL;@7U^30 zs?GbC)sMQT0AQX<&wwgS`^g$8Wh6WJ>roV^&~?*i^Yt5TPvaG#Y<(tP7`I|ui_3vN z#`fMC+M87nhxE}E+qLRUWriHEAv60q8xf|c*wg{^VX5|}QzK{!M4>$sL<8aIJ>83W z812YD#j}UfaRfsCOk8vxev3+7SeMU>Jw1wlRAP?*!PA7n2 zceK7rvwQB7#4Q|w#wJo%$3mb##V(YU1KlsPMJ@xmq{nrWHQFa zwhTrFJ+m1{nsS0jmymI1>PCTGadsL5n0*MaB5)Ji;9n*`LN*zpIXQu5HVbA1>P?sF zoQx_Y9$R#`JSARxWKOxF#L(o2u8n81;Fq(aw-yy8Ml^FAV1T>LhY`BxV=+>WvEfh) zK9dli#MvB^Fknp!CGS91+{De*p`=)W4N5V;IeJ{jrt`*@M=<2v_M-}R08zd=bFit% zcclwqC-izPIL@q?(dAq4rO?nh^7vQr9Br&thYl1ZXE?o0YgjYH+LOYC2Lkt?{6(DQ 
zgY^RAL59k>btK8|3Jy`VI@MW&nU{mL&9LIck$$h1 zMEyTcvOof}4-?!d{bn&_^t0mvwWzyUJOJ}-=4gc{gqy`AxV1_;I1X2zwT1N_BM1^m zOm;TTIh1mitVS4v-X=qy5ScJ25mh;12I-}`g7l9@FE{SlTuM3*nB+XEWTXR;TUj;+ z!339^z}%0yzaZ_&x1cpR`^P$?!q#~x2{Yghx}MNHB^V%^-Wkv7aXenl0iG>=7>&L($pkpGhvVof{3q3wS0zF znUx+!IHzR5!}qQxO1ruli%>=#HiVff1x8RB7foGX`$>MO6@Y{&*6Dm+V) zqGzTypyTl#zBf~h^U9q!i9fo^8U=s2>(U?cMC-NLUD2T@x!%d%22O~$y%DWG-$IC5 zmFd960Sd?HQH)-NU~xnsE;fq*af#sP=rx1iT;9c7NRF|LW)d`Q7$N`kf!H;2BQ!5h z7x_50eo*8q$?M%ls9&a8kt5mY&fCNM69_)ai<+{nAyl_ov z2PYZ!1FJTajrF^Of6qeGr$Y**k=7-yovCCEli^^G;kdS)?>=U7A@xk!+sR0kW*ncQ zY}7RE#t70eO{`97=|zEn1W@R6l=z_<^c|YjPdX}cqpddcUyyS)oJ8tiQNTYL*>FT4 ziyyLMlT-b(9wWseNpwsx0Yq}aN#5x;4ZMfQ248dNfq3ybB_Vpk3%jHxQzfMehRTq; zNV!R;;G8UShb7|~-DBdatbx$T*kP9y(0fw(*&|Esn^sb+1RCpM%HeQNfoO$s4PfH(OUNcoRz=3MbOMzQi(uP0Cc@X`C(_XH z%!sp@YoTRrh;O4!qBOEGHD$Jq=R3IUTlOi&d$hM#l1f@-F?X>VuSB8Dn7eyO~)LdP=w4er>FZAI^nF}@Ia5(y!`+gm<9I1iu4;rIwpUtH?-$kJ)eIBWW3;Z8A+#DxeH} zi6N~?Sh9{ZVDp{^hA0nn4kEnptn1sXY)>*1uga>**w$?~=FI~|N>g2O8Jv|b@no?` zVm36XYr`R?Um&OTZ|KOlP;KqoNt{mxDc8kx5(93vUem1I3E7#|y4 z(RAD}U##J|Uf3s#4XN*#XH{@$0U9fkSSLz4Yc6!it>D<4Vp`u5(mb_NeGBB42F)r^ zO*a2hm5?TyeKbSkqO2x6T9P>!4aZIX3X9w_yv9qj_65U}=48iCwo>~>P(CRwRimG- zmdm^Fuw zC_gzfS~jMj*pxsB)^9%PGvf(WYSG3a|2a@IcjGXkxOPP@VH?sn_V<|}3>4HFrF!nE z=u_T;r5Nt+up7p?EEDj=FYD!6c1Bu*sa^@?A?50B=v(Y@;r zzvtn5wMF*uy$?SKr-vKQ>IkZQhZfl@6)0V5Df4qUQ_@Qvwk13*-CQSf%9_aID#QVz z7Q8p28Cld7j2g_=0iS1dTh*bSpkYLXC>vcuE%D5t!(}A3Ac^>EMtS)RWkWuO;a#$T z!w{9D!SC-|;!MvDVvr$2|8=p&_hJM*%QwJ~u%Un(qPTyDdsLBj1Tto4llcyO&y2+} z%lxjHX2as*A1AdE!XU)Cj^04?Hxr2(bZmD-XO!3*0Ae1({zdF(J-x2nNb|il?Iq*| zs`M@uSw;Uwr5k(e>te$wE&CndLam#^vVhCAIygnN{lxgPM2b_MZ-{x}S|dScgSYb! 
z3KeCv8i1>Z1)^kHQG8Fx){26pnv@L%o9l$2V-u7L=Vy`cmA7Vjf-Yy|VTzt@xtw(-3iDeALsXRIgoZ~HwZ0u8l_MP?;3)v?Ji>}KJ z8j_SlNGiK+9?u@PIwBA4N#`BNS8(iJET{KT?$lO9Qn<6)e9&K4fo22juHCe(SmpiJ$Hl3*= z*c86`37xwx$AK;RYQg?6pUjd30o5c1)wK2y>I(1GM-9?#(?4BXd z!x4V273tf!7&{n>!->KoqO|@ivay4)>BNBL#i}f{6G>;Mefg@e`Y3<@o61_Wd5DBy zj+#hojB*Gzbi<6;5jL|r^CD#%$&#IhYQA-x1McB94~fMP{OZfjR8VvHEo^u(p2Hke zy<*I?NmGYG3qd z*#D&}$K7$!cM!Meh#I*Yu~M8NRhn8brg`E~UNjnMsC#owCf8ztOWh$;K@sOr5zC-2 zQ{+x4YD)64itVv-_=gKDo~C!tzgxAkm24-^=0aN5sK;m92T~lFUkKbXU2G%FlWJ{Y zxE?1zR~F<1U!`35H|J^*=*WJGiS!~XV#50D#Shz8P-yM;MFbTSR*z8&^YQ3w6hygn zOg+@UNf#7CTY}Ns$l(m*h0jj#kiZf-uGTl6&^i|14C=B_#ElsV29!^1x}u0OJvdXB z<=1X6C{xZAJJ4ZDTqU9Pf4&?8Brmv zi;>DU>l34-J@9y}txU=)X{OPkFyg3mw$$NY9Fo^54{5V)2u3ly>(;uUpu9Lg0r$}s zw3UB#j9R7GaVmX(1%GY+>Al+m#8Q!-0Vw#&t@~YmhY)TRBsXCc_`73(#A4!a(Fm=u zXW||vY-F`H{JXX0nnL6d~3_pPvB_XOk`)hz^mZO%jVqn7Iyz=Ic#5idSpny4I(R!?P^aIQ5KRzP9S$L%< zISUFeR5F^4_)|C6)QP=`AJi*Fu4_QMv_t#UhgN1O@>y_&HPsP#{%K2}WI?%hT{3Fc z-5aIhYascmFj*Q*X+ECX@Y{C__ELJGRIOXZLW*Vx(pgxn2BMGBJML!y7bA@d%+yV- zcxDdOMN#Iu;X41PSa&w&U0H3huOmM#|HVD7aG0ul44u^v;6YQ+7RN5L&)nn?^G!0r z6x)@@7huv$yegd{PSNX{EGeivsEDd$amkp47YB>c74B502N#JGcA;`YkHXAP2O~ zFYZT2?lBhIlzSU2 z-q*IujYTro+C1lwT@(;J$Q;_jKf+mXz*&5YeO;EFh&+{7$v6bR7y}dn)Y$Efq}=Z{ z{9DHlhw4nU=S5_DbBh%czfbA=zTA;T7@bA>7iku0Nzkse!K^QjO~HUxrLtKlzLbY- z`5^Se%D{z{HC!Zsl4}1XlnzdggkIP&eqaR6CAhoc944=@|*Bf-j?s7!F8&b%sCkPlFoS1q4So36!E6(+2!j|E|>`toVx$mQ(2fR@5$ zY`shVBUnEEO=xz4b5!sx zxLjf-JIWaq>%bf)tL~oZQ~Chp3-8A3bBH0vIXIVbI?Af&&jk9wTEK0+`XlZ@L(vpeuQ# zpRKOF`Qo#=(=MN}?{LJ5+OcIueq682LI=%TKu;EM4SFu&Bee&C z$$kdfM)0!W{qil;buu5Q6XmmMCs*S>Ry=Mg9CO3Lfra?mxJU{f_MRviJKLH@8V|7k zWC#9O9Z~Z$(v6Ipe>9fBMC@-AfS@OvM$4ct)Sou)SApKraL^HADtrR(W5JvnFi~04AGywaPee!BI(p zl4bjmGnW^So~ae3Re?M$M0(#VyC^I)a*;0gXLZNgq<;lhukn!*%TC)xQ7d@qgessW%?rM&>nq%TX;WP}M|yAJ?l^6^q#R$KeZfbX(UWRl5G zjuyw<7qmEpFHnMBqraI`FHbw8}B>V;1qbsxETv`>O}OzbZlE~AAIl`HxjKZeC^ zFIRx?3}khg69;Qc% zh%_JdUJW-D2mNdxvOFw+8E^R;d5cmm!~gJUqo? 
zlDY;;RGOW7E>WNTJA^I`%7yMN9P_cTv|);3a`M^EmN@u}@Ns@-o%6MpDR~H&PM9n$ z4mKC|@9r@t~aMZxCF z;$S50#3F($NL&i93gwV_JNuU*&Q7Otc4huBDYvHl6iFtFBwx^!WHa1Q%$t8xM(RF# z@-2uqon9wi)a8BD`R>VD6ev_plhN2PU23hVchtoW8J$Qqj~Ob#lo_c^u?sdHRG1WP0AF< zVQ0U%@cFNd@uJSFli=CtmZoS9keFJ;yK9BgD_S5Jyv6svA!02KZ;vNiiVTmD0=*&OxVKmhE-f(qsN>O{9 z^o%oD0R>VwQs_B{R{?tRf~bIu$I?CO4bGg5{>7U0v0!q|!f2cTSXN*s0H#S?`hC?Xnx-UW!ULF z`@GS;$Juwi*@6|qKRQvi{5E6$a~Q?e(W3foifDd%eeS9%sOXkv zIIu?@QjhjO-FuRK-nJ}3JjK4xtGv-V!9GtQ*G;9lc`AR>b#Q$?`k8W`rz{>@-}_Xj p*7rV(ht~H#-^k#tv52$YHyl~N;8C^S`zRb(pFf8779Lrj{C_d@q8$JL literal 0 HcmV?d00001 diff --git a/po/fr.po b/po/fr.po new file mode 100644 index 0000000..c6d964e --- /dev/null +++ b/po/fr.po 
@@ -0,0 +1,2962 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Fabien Archambault , 2012
+# Jérôme Fenal , 2012-2014
+# Fabien Archambault , 2012
+# Mariko Vincent , 2012
+# Jérôme Fenal , 2015. #zanata
+# Jérôme Fenal , 2016. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2016-02-24 03:43+0000\n"
+"Last-Translator: Jérôme Fenal \n"
+"Language-Team: French (http://www.transifex.com/projects/p/sssd/language/"
+"fr/)\n"
+"Language: fr\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n > 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Définir le niveau de détails de la sortie de débogage"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Ajouter l'horodatage dans les fichiers de débogage"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+"Ajouter les microsecondes pour l'horodatage dans les journaux de débogage"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Écrire les messages de débogage dans les journaux"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Commande pour démarrer le service"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Nombre d'essais pour tenter de se connecter au fournisseur de données"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+"Le nombre de descripteurs de fichiers qui peuvent être ouverts par ce "
+"répondeur"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "durée d'inactivité avant la déconnexion automatique d'un client"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Services SSSD à démarrer"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Domaines SSSD à démarrer"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Délai d'attente pour les messages à envoyer à travers SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Expression rationnelle d'analyse des noms d'utilisateur et de domaine"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Format compatible printf d'affichage des noms complétement qualifiés"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Répertoire du système de fichiers où SSSD doit stocker les fichiers de "
+"relecture de Kerberos."
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "Domaine à ajouter aux noms sans composant de nom de domaine."
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr "L'utilisation vers lequel abandonner les privilèges"
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+"Tous les espaces dans les noms de groupes ou d'utilisateurs seront remplacés "
+"par ce caractère"
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Délai d'attente du cache d'énumération (en secondes)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+"Délai d'attente de mise à jour en arrière-plan de l'entrée de cache (en "
+"secondes)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Délai d'attente du cache négatif (en secondes)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Utilisateurs que SSSD doit explicitement ignorer"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Groupes que SSSD doit explicitement ignorer"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Les utilisateurs filtrés doivent-ils apparaître dans les groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "Valeur du champ de mot de passe que le fournisseur NSS doit renvoyer"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+"Remplacer par cette valeur celle du répertoire personnel obtenu avec le "
+"fournisseur d'identité"
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Substitution de la valeur homedir vide du fournisseur d'identité avec cette "
+"valeur"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr "Écraser le shell donné par le fournisseur d'identité avec cette valeur"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+"Liste des interpréteurs de commandes utilisateurs autorisés pour se connecter"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+"Liste des interpréteurs de commandes bannis et remplacés par celui par défaut"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Si un interpréteur de commandes stocké dans l'annuaire central est autorisé "
+"mais indisponible, utiliser à défaut celui-ci"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "Shell à utiliser si le fournisseur n'en propose aucun"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Durée de maintien en cache des enregistrements valides"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Délai pendant lequel les connexions utilisant le cache sont autorisées entre "
+"deux connexions en ligne (en jours)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Nombre d'échecs de connexions hors-ligne autorisés"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Durée d'interdiction de connexion après que offline_failed_login_attempts "
+"est atteint (en minutes)"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+"Quels types de messages sont affichés à l'utilisateur pendant "
+"l'authentification"
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+"Durée en secondes pendant laquelle les informations d'identité sont gardées "
+"en cache pour les requêtes PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+"Nombre de jours précédent l'expiration du mot de passe avant lesquels un "
+"avertissement doit être affiché"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr "Liste des uid ou noms d'utilisateurs dignes de confiance"
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+"Liste des domaines accessibles y compris par les utilisateurs non dignes de "
+"confiance"
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr "Message affiché lorsque le compte a expiré"
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr "Faut-il évaluer les attributs dépendants du temps dans les règles sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+"Condenser ou non les noms de systèmes et adresses du fichier known_hosts"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+"Le nombre de secondes pour garder un hôte dans le fichier known_hosts après "
+"que ses clés d'hôte ont été demandées"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur PAC"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+"Listes des UID ou nom d'utilisateurs autorisés à accéder le répondeur "
+"InfoPipe"
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr "Liste des attributs utilisateur que l'InfoPipe est autorisé à publier"
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Fournisseur d'identité"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Fournisseur d'authentification"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Fournisseur de contrôle d'accès"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Fournisseur de changement de mot de passe"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "Fournisseur SUDO"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Fournisseur autofs"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "Fournisseur d'identité de l'hôte"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "Identifiant utilisateur minimum"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "Identifiant utilisateur maximum"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Activer l'énumération de tous les utilisateurs/groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Mettre en cache les crédits pour une connexion hors-ligne"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Stocker les sommes de contrôle des mots de passe"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Afficher les utilisateurs/groupes dans un format complétement qualifié"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr "Ne pas inclure les membres des groupes dans les recherches de groupes."
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Durée de validité des entrées en cache (en secondes)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr "Restreindre ou préférer une famille d'adresses lors des recherches DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Durée de validité des entrées en cache après la dernière connexion réussie "
+"(en jours)"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+"Délai d'attente des réponses du DNS lors de la résolution des serveurs (en "
+"secondes)"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "La partie domaine de la requête de découverte de service DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr "Écraser la valeur du GID du fournisseur d'identité avec cette valeur"
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr "Considère les noms d'utilisateur comme casse dépendant"
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr "Fréquence de rafraîchissement en arrière plan des entrées expirées"
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr "Choisir de mettre à jour automatiquement l'entrée DNS du client"
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr "Le TTL à appliquer à l'entrée DNS du client après modification"
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+"L'interface dont l'adresse IP doit être utilisée pour les mises à jour "
+"dynamiques du DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr "Fréquence de mise à jour automatique de l'entrée DNS du client"
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+"Selon que le fournisseur doit aussi ou non mettre à jour explicitement "
+"l'enregistrement PTR"
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr "Selon que l'utilitaire nsupdate doit utiliser TCP par défaut"
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+"Quel type d'authentification doit être utilisée pour effectuer la mise à "
+"jour DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr "Contrôle l'énumération des domaines approuvés"
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr "Fréquence de rafraîchissement des sous-domaines"
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr "Listes des options qui doivent être héritées dans le sous-domaine"
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "Domaine IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "Adresse du serveur IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr "Adresse du serveur IPA de secours"
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr "Nom de système du client IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr ""
+"Choisir de mettre à jour automatiquement l'entrée DNS du client dans FreeIPA"
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr "Base de recherche pour les objets HBAC"
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr "Délai entre les recherches de règles HBAC sur le serveur IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr "Délai entre les recherches de cartes SELinux sur le serveur IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr "Si mit à false, l’argument de l'hôte donné par PAM est ignoré"
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+"L'emplacement de la carte de montage automatique utilisée par le client IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+"Base de recherche pour l'objet contenant les informations de base à propos "
+"du domaine IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+"Base de recherche pour les objets contenant les informations à propos des "
+"plages d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr "Activer les sites DNS - découverte de service basée sur l'emplacement"
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr "Base de recherche des conteneurs de vues"
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr "Classe d'objet pour les conteneurs de vues"
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr "Attribut avec le nom de la vue"
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr "Classe d'objet surchargeant les objets"
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr "Attribut faisant référence à l'objet originel "
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr "Classe d'objet surchargeant les utilisateurs"
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr "Classe d'objet surchargeant les groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr "Domaine Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr "Adresse du serveur Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr "Adresse du serveur Active Directory de secours"
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr "Nom de système du client Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "Filtre LDAP pour déterminer les autorisations d'accès"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr "Choisir d'utiliser ou non le catalogue global pour les recherches"
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr "Mode opératoire pour les contrôles d'accès basé sur les GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+"Durée entre les recherches de fichiers de politiques de GPO dans le serveur "
+"AD"
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+"Noms de services PAM correspondant à la configuration de la politique "
+"(Deny)InteractiveLogonRight de la GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+"Noms de services PAM correspondant à la configuration de la politique "
+"(Deny)RemoteInteractiveLogonRight de la GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+"Noms de services PAM correspondant à la configuration de la politique "
+"(Deny)NetworkLogonRight de la GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+"Noms de services PAM correspondant à la configuration de la politique "
+"(Deny)BatchLogonRight de la GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+"Noms de services PAM correspondant à la configuration de la politique "
+"(Deny)ServiceLogonRight de la GPO"
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+"Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont "
+"toujours autorisés"
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+"Noms de services PAM pour lesquels les accès s'appuyant sur la GPO sont "
+"toujours interdits"
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+"Droit de connexion par défaut (ou permission/interdiction) à utiliser pour "
+"les noms de services sans correspondance"
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr "un site particulier utilisé par le client"
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Adresse du serveur Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "Adresse du serveur Kerberos de secours" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Domaine Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Délai avant expiration de l'authentification" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "Choisir de créer ou non les fichiers kdcinfo" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "Où déposer les extraits de configuration krb5" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "Répertoire pour stocker les caches de crédits" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Emplacement du cache de crédits de l'utilisateur" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Emplacement du fichier keytab de validation des crédits" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Activer la validation des crédits" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" +"Stocker le mot de passe, si hors-ligne, pour une authentification ultérieure " +"en ligne" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "Durée de vie renouvelable du TGT" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "Durée de vie du TGT" + 
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr "Durée entre deux vérifications pour le renouvellement"
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr "Active FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr "Sélectionne le principal à utiliser avec FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr "Active la canonisation du principal"
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr "Active les principals d'entreprise"
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+"Serveur où tourne le service de changement de mot de passe s'il n'est pas "
+"sur le KDC"
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, l'adresse du serveur LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr "ldap_backup_uri, l'URI du serveur LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "La base DN par défaut"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "Le type de schéma utilisé sur le serveur LDAP, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "Le DN de connexion par défaut"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr "Le type de jeton d'authentification du DN de connexion par défaut"
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr "Le jeton d'authentification du DN de connexion par défaut"
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "Durée pendant laquelle il sera tenté d'établir la connexion"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr "Durée pendant laquelle il sera tenté des opérations LDAP synchrones"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr "Durée d'attente entre deux essais de reconnexion en mode hors-ligne"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr "N'utiliser que des majuscules pour les noms de domaine"
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "Fichier contenant les certificats des CA"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "Chemin vers le répertoire de certificats des CA"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr "Fichier contenant le certificat client"
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr "Fichier contenant la clé du client"
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr "Liste des suites de chiffrement possibles"
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Requiert une vérification de certificat TLS"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Spécifier le mécanisme SASL à utiliser"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Spécifier l'identité d'authorisation SASL à utiliser"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr "Spécifier le domaine d'authorisation SASL à utiliser"
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr "Spécifie le minimum SSF pour l'autorisation sasl LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Service du fichier keytab de Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Utiliser l'authentification Kerberos pour la connexion LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Suivre les référents LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "Durée de vie du TGT pour la connexion LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr "Comment déréférencer les alias"
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr "Nom du service pour les recherches DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr "Le nombre d'enregistrements à récupérer dans une requête LDAP unique"
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+"Nombre de membres qui doivent être manquants pour activer un déréférencement "
+"complet"
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+"Est-ce que la bibliothèque LDAP doit effectuer une requête pour canoniser le "
+"nom d'hôte pendant une connexion SASL ?"
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr "attribut entryUSN"
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr "attribut lastUSN"
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+"Combien de temps conserver la connexion au serveur LDAP avant de se "
+"déconnecter"
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr "Désactiver le contrôle des pages LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr "Désactiver la récupération de plage Active Directory."
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Durée d'attente pour une requête de recherche"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr "Durée d'attente pour une requête d'énumération"
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Durée entre deux mises à jour d'énumération"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "Durée entre les nettoyages de cache"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "TLS est requis pour les recherches d'identifiants"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+"Utilisation de la correspondance d'ID pour les objectSID au lieu d'ID pré-"
+"établis"
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "Base DN pour les recherches d'utilisateurs"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Scope des recherches d'utilisateurs"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Filtre pour les recherches d'utilisateurs"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Classe d'objet pour les utilisateurs"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Attribut de nom d'utilisateur"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "Attribut UID"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Attribut de GID primaire"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "Attribut GECOS"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Attribut de répertoire utilisateur"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Attribut d'interpréteur de commandes"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr "attribut UUID"
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr "attribut objectSID"
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr "Groupe primaire Active Directory pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Attribut d'utilisateur principal (pour Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Nom complet"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "Attribut memberOf"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Attribut de date de modification"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr "Attribut shadowLastChange"
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr "Attribut shadowMin"
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr "Attribut shadowMax"
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr "Attribut shadowWarning"
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr "Attribut shadowInactive"
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr "Attribut shadowExpire"
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr "Attribut shadowFlag"
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr "Attribut listant les services PAM autorisés"
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr "Attribut listant les systèmes serveurs autorisés"
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr "Attribut krbLastPwdChange"
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr "Attribut krbPasswordExpiration"
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+"Attribut indiquant que la stratégie de mot de passe du serveur est active"
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr "Attribut AD accountExpires"
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr "Attribut AD userAccountControl"
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr "Attribut nsAccountLock"
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr "Attribut NDS loginDisabled"
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr "Attribut NDS loginExpirationTime"
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr "Attribut NDS loginAllowedTimeMap"
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr "Attribut de clé public SSH"
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+"attribut énumérant les types d'authentification autorisés pour un utilisateur"
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr "attribut contenant le certificat X509 de l'utilisateur"
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+"Une liste des attributs supplémentaires à télécharger avec l'entrée de "
+"l'utilisateur"
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr "DN de base pour les recherches de groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr "Classe d'objet pour les groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr "Nom du groupe"
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr "Mot de passe du groupe"
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr "Attribut GID"
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr "Attribut membre du groupe"
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr "attribut de l'UUID du groupe"
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr "Attribut de date de modification pour les groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr "Type de groupe et autres indicateurs"
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr "DN de base pour les recherches de netgroup"
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr "Classe d'objet pour les groupes réseau"
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr "Nom du groupe réseau"
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr "Attribut des membres des groupes réseau"
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr "Attribut triplet du groupe réseau"
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr "Attribut date de modification pour les groupes réseau"
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr "Nom de domaine (DN) de base pour les recherches de service"
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr "Classe objet pour les services"
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr "Attribut de nom de service"
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr "Attribut de port du service"
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr "Attribut de service du protocole"
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr "Limite inférieure pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr "Limite supérieure pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr "Nombre d'ID par tranche pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr ""
+"Utilisation d'un algorithme compatible autorid pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr "Nom du domaine par défaut pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr "SID du domaine par défaut pour la correspondance d'ID"
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr "Utiliser LDAP_MATCHING_RULE_IN_CHAIN pour les recherches de groupes"
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr ""
+"Utiliser LDAP_MATCHING_RULE_IN_CHAIN pour les recherches de groupes "
+"d'initialisation"
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr "Choisir d'utiliser ou non les groupes de jetons"
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs from the LDAP server"
+msgstr ""
+"Définir la limite inférieure d'identifiants autorisés pour l'annuaire LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr ""
+"Définir la limite supérieure d'identifiants autorisés pour l'annuaire LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr "DN pour les requêtes sur ppolicy"
+
+#: src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Stratégie d'évaluation de l'expiration du mot de passe"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr "Quels attributs utiliser pour déterminer si un compte a expiré"
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr "Quelles règles utiliser pour évaluer le contrôle d'accès"
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr "URI d'un serveur LDAP où les changements de mot de passe sont acceptés"
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr ""
+"URI d'un serveur LDAP de secours où sont autorisées les modifications de mot "
+"de passe"
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr "Nom du service DNS pour le serveur de changement de mot de passe LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+"Choix de mise à jour de l'attribut ldap_user_shadow_last_change après un "
+"changement de mot de passe"
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr "Nom de domaine (DN) de base pour les recherches de règles sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr "Périodicité de rafraichissement total"
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr "Périodicité de rafraichissement intelligent"
+
+#: src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr "Filter ou non sur les noms de systèmes, adresses IP et réseaux"
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this machine to filter sudo "
+"rules"
+msgstr ""
+"Noms de systèmes et/ou noms pleinement qualifiés de cette machine pour "
+"filtrer les règles sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+"Adresses ou réseaux IPv4 ou IPv6 de cette machine pour filtrer les règles "
+"sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+"Inclure ou non les règles qui contiennent un netgroup dans l'attribut host"
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include rules that contains regular expression in host attribute"
+msgstr ""
+"Inclure ou non les règles qui contiennent une expression rationnelle dans "
+"l'attribut host"
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr "Classe objet pour les règles sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr "Règle de nom sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr "Attribut de commande de règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr "Attribut hôte de la règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr "Attribut utilisateur de la règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr "Attribut option de la règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr "Attribut de règle sudo runas"
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr "Attribut runasuser de la règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr "Attribut runasgroup de la règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr "Attribut notbefore de la règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr "Attribut notafter de règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr "Attribut d'ordre de règle sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr "Classe objet pour la carte de montage automatique"
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr "Nom de l'attribut de carte de montage automatique"
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr "Classe objet pour l'entrée de référence de montage automatique"
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr "Attribut de clé d'entrée pour la carte de montage automatique"
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr "Attribut de valeur pour la carte de montage automatique"
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr "Base DN pour les requêtes de carte de montage automatique"
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Liste, séparée par des virgules, d'utilisateurs autorisés"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Liste, séparée par des virgules, d'utilisateurs interdits"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Interpréteur de commande par défaut : /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Base pour les répertoires utilisateur"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "Nom de la bibliothèque NSS à utiliser"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr "Rechercher le nom canonique du groupe dans le cache si possible"
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "Pile PAM à utiliser"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Devenir un démon (par défaut)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Fonctionner en interactif (non démon)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr ""
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Définir un fichier de configuration différent de celui par défaut"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr "Afficher le numéro de version et quitte"
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Niveau de débogage"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Ajouter l'horodatage au débogage"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr "Afficher l'horodatage en microsecondes"
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr "Un descripteur de fichier ouvert pour les journaux de débogage"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr "Envoyer la sortie de débogage directement vers l'erreur standard."
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr "L'utilisateur à utiliser pour la création du ccache FAST"
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr "Le groupe à utiliser pour la création du ccache FAST"
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr ""
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr "Domaine du fournisseur d'informations (obligatoire)"
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr ""
+"Le socket privilégié a de mauvaises permissions ou un mauvais propriétaire."
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr ""
+"Le socket public a de mauvaises permissions ou un mauvais propriétaire."
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr "Le message du serveur de crédits a un format inattendu."
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD n'est pas démarré par root."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found."
+msgstr "Une erreur est survenue mais aucune description n'est trouvée."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr "Erreur inattendue lors de la recherche de la description de l'erreur"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr "Accès refusé."
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Message du serveur : "
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Les mots de passe ne correspondent pas"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr ""
+"La réinitialisation du mot de passe par root n'est pas prise en charge."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Authentifié avec les crédits mis en cache"
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", votre mot de passe en cache expirera à :"
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr ""
+"Votre mot de passe a expiré. Il vous reste %1$d connexion(s) autorisée(s)."
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr "Votre mot de passe expirera dans %1$d %2$s."
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "L'authentification est refusée jusque :"
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr ""
+"Le système est hors-ligne, les modifications du mot de passe sont impossibles"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+"Après avoir modifié le mot de passe OTP, vous devez vous déconnecter et vous "
+"reconnecter afin d'acquérir un ticket"
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Échec du changement de mot de passe."
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nouveau mot de passe : "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Retaper le nouveau mot de passe : "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr "Premier facteur :"
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr "Second facteur :"
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Mot de passe : "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Mot de passe actuel : "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "Mot de passe expiré. Changez votre mot de passe maintenant."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Le niveau de débogage utilisé avec"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "Le domaine SSSD à utiliser"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Erreur lors du paramétrage de la locale\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr "Mémoire insuffisante\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Utilisateur non spécifié\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Erreur lors de la recherche des clés publiques\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "Le port à utiliser pour se connecter à l'hôte"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Port invalide\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Hôte non spécifié\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "Le chemin vers la 
commande de proxy doit être absolue\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "L'UID de l'utilisateur"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Phrase de commentaire"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Répertoire utilisateur"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Interpréteur de commandes de connexion"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Groupes"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Créer le repertoire utilisateur s'il n'existe pas"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Ne jamais créer de répertoire utilisateur, outrepasse la configuration"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Spécifie un répertoire squelette alternatif"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "L'utilisateur SELinux pour l'identifiant de l'utilisateur"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Définir le groupe à ajouter à\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Définir l'utilisateur à ajouter à\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Erreur à l'initialisation des outils - aucun domaine local\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: 
src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Erreur à l'initialisation des outils\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Domaine invalide définit dans le FQDN\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Erreur interne lors de l'analyse des paramètres\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Les groupes doivent être dans le même domaine que l'utilisateur\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr "Impossible de trouver le groupe %1$s dans le domaine local\n"
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Impossible de définir les valeurs par défaut\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "L'UID sélectionné est en dehors de la plage autorisée\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "Impossible de définir le contexte de connexion SELinux\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "Impossible de trouver les informations sur l'utilisateur\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+"Le répertoire de l'utilisateur existe déjà, les données du 
répertoire "
+"squelette ne sont pas copiées\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr "Impossible de créer le répertoire de l'utilisateur : %1$s\n"
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr ""
+"Impossible de créer le répertoire de réception des messages électroniques "
+"pour l'utilisateur : %1$s\n"
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr ""
+"L'identifiant de l'utilisateur ne peut pas être alloué - domaine plein ?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr "Un utilisateur ou groupe avec le même nom ou identifiant existe déjà\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Erreur de transaction. Impossible d'ajouter l'utilisateur.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "Le GID du groupe"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Définir le groupe à ajouter\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "Le GID choisit est en dehors de la plage autorisée\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "Impossible d'allouer l'identifiant du groupe - domaine plein ?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Un groupe avec le même nom ou GID existe déjà\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr "Erreur de transaction. 
Impossible d'ajouter le groupe.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Spécifier le groupe à supprimer\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr ""
+"Le groupe %1$s est en dehors de la plage d'identifiants définie pour le "
+"domaine\n"
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+"Échec de requête NSS (%1$d). L'entrée peut persister dans le cache en "
+"mémoire.\n"
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Aucun groupe dans le domaine local. La suppression de groupes n'est "
+"autorisée que dans le domaine local.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Erreur interne. 
Impossible de supprimer le groupe.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr "Groupes auxquels ce groupe sera ajouté"
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr "Groupes desquels ce groupe sera retiré"
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr "Définir le groupe duquel supprimer\n"
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Définir le groupe à modifier\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"Impossible de trouver le groupe dans le domaine local, la modification des "
+"groupes n'est autorisée que dans le domaine local\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr ""
+"Les membres du groupe doivent être dans le même domaine que le groupe "
+"parent\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+"Impossible de trouver le groupe %1$s dans le domaine local, seuls les "
+"groupes du domaine local sont autorisés\n"
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"Impossible de modifier le groupe - vérifier que les noms des groupes membres "
+"sont corrects\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+"Impossible de modifier le groupe - vérifier que le nom du groupe est "
+"correct\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr "Erreur de transaction. 
Impossible de modifier le groupe.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr "%1$s%2$sGroup: %3$s\n"
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Magie privée"
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr "%1$s GID numéro : %2$d\n"
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr "Utilisateurs membres de %1$s :"
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+"\n"
+"%1$s est membre de : "
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+"\n"
+"Groupes membres de %1$s : "
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Afficher les membres du groupe indirects récursivement"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Définir le groupe à afficher\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Aucun groupe dans le domaine local. L'affichage des groupes n'est autorisé "
+"que dans le domaine local.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Erreur interne. 
Impossible d'afficher le groupe.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Suppression du répertoire personnel et de gestion des mails"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Ne pas supprimer le répertoire personnel et de gestion des mails"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Forcer la suppression des fichiers n'appartenant pas à l'utilisateur"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "Tuer les processus de l'utilisateur avant de le supprimer"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Définir l'utilisateur à supprimer\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+"L'utilisateur %1$s est en dehors de la plage d'identifiants définie pour le "
+"domaine\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "Impossible de réinitialiser le contexte de connexion SELinux\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+"ATTENTION : l'utilisateur (uid %1$lu) était encore connecté lors de sa "
+"suppression.\n"
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+"Impossible de savoir si l'utilisateur était connecté sur cette plateforme"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "Erreur en vérifiant si l'utilisateur était connecté\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr "La commande post-suppression a échoué : %1$s\n"
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr ""
+"Le répertoire personnel 
n'est pas supprimé - l'utilisateur n'en est pas le "
+"propriétaire\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr "Impossible de supprimer le répertoire utilisateur : %1$s\n"
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"Aucun utilisateur dans le domaine local. La suppression des utilisateurs "
+"n'est autorisée que dans le domaine local.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Erreur interne. Impossible de supprimer l'utilisateur.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "Le GID de l'utilisateur"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Groupes auxquels ajouter cet utilisateur"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Groupes auxquels enlever cet utilisateur"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Verrouiller le compte"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Déverrouiller le compte"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur."
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+"Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur."
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Définir une paire attribut/valeur. Le format est nom_attribut=valeur. Pour "
+"les attributs multi-valués, la commande remplace les valeurs déjà présentes."
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr "Indiquer les paires nom d'attributs et valeurs.\n"
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Spécifier l'utilisateur à modifier\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Impossible de trouver l'utilisateur dans le domaine local, la modification "
+"des utilisateurs n'est autorisée que dans le domaine local\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"Impossible de modifier l'utilisateur - vérifiez que les noms de groupe sont "
+"corrects\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+"Impossible de modifier l'utilisateur - l'utilisateur est déjà membre du "
+"groupe ?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Erreur de transaction. 
Impossible de modifier l'utlisateur.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr "Aucun object trouvé dans le cache pour la recherche spécifiée\n"
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr "Impossible d'invalider %1$s\n"
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr "Impossible d'invalider %1$s %2$s\n"
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr "Invalider un utilisateur spécifique"
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr "Invalider tous les utilisateurs"
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr "Invalider un groupe particulier"
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr "Invalider tous les groupes"
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr "Invalider un groupe réseau particulier"
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr "Invalider tous les groupes réseau"
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr "Invalidation d'un service particulier"
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr "Invalidation de tous les services"
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr "Invalidation d'une carte autofs particulière"
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr "Invalidation de toutes les cartes autofs"
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr "Invalider un hôte SSH particulier"
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr "Invalider tous les hôtes SSH"
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: 
src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr "N'invalider des entrées que d'un domaine spécifique"
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr "Merci de sélectionner au moins un objet à invalider\n"
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+"Impossible d'ouvrir le domaine %1$s. Si le domaine est un sous-domaine "
+"(domaine approuvé), utiliser le nom pleinement qualifié au lieu du paramètre "
+"--domain/-d.\n"
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr "Impossible d'ouvrir aucun des domaines disponibles\n"
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+"Le nom « %1$s » ne semble pas être un FQDN (« %2$s = TRUE » est configuré)\n"
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Mémoire saturée\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr "%1$s doit être lancé en tant que root\n"
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: 
src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr "\n"
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "L'identifiant utilisateur sous lequel faire tourner le serveur" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "L'identifiant de groupe sous lequel faire tourner le serveur" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" 
diff --git a/po/hu.gmo b/po/hu.gmo new file mode 100644 index 0000000000000000000000000000000000000000..d7079e657fb6cba78ec1cd17f3f1ac8c8110bbf4 GIT binary patch literal 6792 zcmaKwTZ|k>6^4tD3mFo^Ef5kCDj_5`+1ZOPi8GFqti5Y{iEnuA1Q3YyOxMixPEYrw zt7bPdk>CL#At5A8fCq$-HUfc_SOTpGBFY2MGU9;;gir($0-^8#JRrdvQUrXbx@Tu* z4Q_4CKV4m2b?QIo{HJFB@Xl+$rnpvU@27>=C>4M&UCRg8{PjxR4=#Z320sq&1rzW? z;0vGze*wN1{44k#@J%-;^+E79@B`o@;O*ci!5MG^d?)yA@HX&A-~-^VzE z-%^ZU0&nF08SobHIj{nL5qul?b&#dicfj4?OQ5XxTKW7R-~sMsl6L_QgYy1KQ0({^ zct6+yWxnS@+0P5$ZtxXQ?D{kKcJM}Cek*u8DE8b};)CEE_eVjQXT8MFgR;-Bg0jy` z;4biYAb;u_CKKLnF7aMa);kEwKAtZ7p95u{uYh95i=eFkDtI^eOHl0odx_WIq|~k4 z-vx?Y`#|wy2nr7aa1Z#U^8P0!{-(sgfU`V*0~CH9xLK(WgR7wM_8D*qya396UIWGM z|CG<~g@nJoNvVfGndcsimT?~iW!)ht{g*(Ali!1~zcHx@+Y8k}E>Pb-edK%mh zei@YUKL-zkzXgTIJNRI0Y918-Jq9j=Pl60l-vsXfzYjhJ{t|ouya}hsdIvxmw*pE& zeF_x*J_lC8?}1|9YaoB>bv|VO{{kg0?`2WpEBJT@lzDytegga%xDULO#WZ*pl=&@47^y{?@F-d(^UB4P-lviWa*5yM zIzl@@6Mqqo>JUw0VJ}VgCU!hb6aR_ra*6LGA0MP$OWRLlX@A|#r}#qn5v`GZ)@TQ5 z62ro?T(Tdz#O~2W*s1GiZ=s3*B$wn8-wQ8y(IhVBX`@U0Cztp~u9X7(=N>-A-?+hF zqLmUiH_*gCn)YVeqcq`DV(C7bT*qk=3wP3HXmUZjzpg2934FZ#J_5-%HKPYk>@3*vzy2iSo+p}sh(I(5%Os9=TKg&!w zqw9UAla!&hkwrZhr3rHFNnF$j91Ctlu02}3!36Roh?#jjN~VY` zGbRx)^cfI~J<|hvS-KvDCfnIB#-@Fzj>!J>#0r>$+0AAgB}T_-D@quXB&pLa<8+iX zQytWKQ)8{}Ta#5r&n?eG(+v8t)9XRpH996({-cUY1d559wede22reSFHK{$ zoH&;Bp7c%<>tmC&V0f1`jWh}EZgn(@4SNclro#nMV)c5Q6q9O{I!xaE2pyB;S<8pwFw7t2_5SA6eZklKuI#tO?bgn?^!EW znQqVVMdCS*(+!C|;&2oKYUKMuWt2bP(fEOn|AA!Lw1f-z`X7SyCsXWa|Eu zk&Tiq|0}3xG@+PfWSf-*n^8-hG8>c8e44<+x-LPR4Jv9B=ep4jk`_YXT{El44+^0P z;jkFtC215cB*4b(cr4tLfP`R{LN$>fjN5*%mu3jccpzCdT9}M1(x@A_Mq8aVc$xhr z(^j7~&-6v^&Yf7D%m>Y8i_{QWCkKgwtSk{?X{V1E`Vd|vMk0JCUO^-?S9F(VW_^^f zuzXg@P^>^qZO}59yDGk!NTAg=!8}&mLMyvbgIFrES*`X=BWeyt$$%`y#+k|${oOQV z82yNn8H;=yg)taDuw;i&S?b};cu46o;kcJt8`Wc@&Y_6M*ti5BUt5ygJ3A$iecvj& z+YR)&LC>J7VyQ;Y<-HS2i)S>$AYn#l&BmU+^AGt~&X4Ebo@OMth@#O;r~J6>z6c#G z`z#DJq_D^&vZKDUL~4-MiwW3uR5+^b~N;S67NjA^GrfX 
z*s0txxfKqIf?#KS3^&r=KvFymT%em-+SRsWVrof6$s~l7sP@%`G7f{@r~6qnqs2+* z&#sJ|G(ol^FA=2E&52Mulcj6$R$U3JPqGw|Uejk5k36w>Y*|0Ke0Fu^^r^~OBPmur zXbbP0t+in_L@(mUV~U%dZJIF60?|;iG0j?)GpEm0eSKus>Jo}l(|hI@ z4piq4R2TN>g}t@;y${TDF|c~ptVgo?c-%e)RTuW@g@xL_{l&Nwfpt~yl{g@vYbb9| zjs|4bCxS%Sdju}&sn!S8q3?OT0I}!M$_f16C*`W=Owg_AjG69&`*MoL{t&?ofadliRmT`qgHJ^UA|TAM0S|Qt$Z`ixBMPl{z@#?$$M~iwO&K2A+CKw5$Mlpv8lLoGx4k>%=ZWGPsIEVBWRw1x*dd#}{W+Q@6a@oYA_wucb zomBjrv4Ix0Bs0K4kVF{9;UvJu%;gt5rej=19i4nzck-8$!Mb=Y-%Nsz5biRAF=FNn z_Ib*s*9@bM`iRgKn^rV(FD#V{n7C_(;;SppoTre>{N*fvIbP$iq-{VzxQUffA zc34H~Cr740!m^ofuEn0W9fWGvkAt-^#VvJmn60m0zEBKLIRUW|x-3=8upLedJfAwM z=C8PZR~@mbs2l99o9!E)62W>f>PS09HOFJv#j&_G5Ec`-xwM|Y8bd$3hSEkc8{?gYy(iKG2tv;i9>_dTOTXX2<@#J`VX2_q8| zmFwwtC{KsIn>YwhE;u?IPbF-*>NIyqa4QSCYX~QC--%+#6UR!@OsoyH++M!m98uK? zdhm(_2;&jQ>U;}5i90@BbcD3|5bFl~EXub!8s}sTCzX68mr}#di(~T%(@Mm{_4@SY zBymTIvc>Vdh5DGQ4zID?UCCBk5!Xwp$0y18$;|)O{%rG%tn|#6PiXOBEc4(yD$mx4Z3GgO|^{Y zrpVDee|0F;&D5rj=7nIKj5?gdho-|nHTWgfqsDVS&No~6D?YHcYbO6WSrbRK@Ud4T zYJ~{Yq^u+J6Qgix=*uF%??w4`j4Y{@TGXymRN;LTw2QtH36q}cQRRg~srpwB5TD3i zoB8j{NRH&3UtKdhWUTCj!s1w2(1j?C${a-{zt|0`F2B_4bG#j$?iZ&wBZqXE{fd(0 zr, 2013 +# Peter Bojtos , 2011,2013 +# Peter Bojtos , 2011 +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2014-12-14 11:45+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Hungarian (http://www.transifex.com/projects/p/sssd/language/" +"hu/)\n" +"Language: hu\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "Elindítandó SSSD szolgáltatások" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "SSSD által figyelmen kívül hagyott felhasználók" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "SSSD által figyelmen kívül hagyott csoportok" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "Hány sikertelen bejelentkezés engedélyezett offline állapotban" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:109 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:110 +msgid "" +"Maximum number of rules that can be refreshed at once. If this is exceeded, " +"full refresh is performed." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets 
would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "Azonosító-kiszolgáló" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "Legkisebb felhasználói azonosító" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "Legnagyobb felhasználói azonosító" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "Azonosítók gyorsítótárazása offline használathoz" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "Jelszó hash-ek tárolása" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "Bejegyzés-gyorsítótár érvényessége (másodperc)" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials 
be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA-tartomány" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA kiszolgáló címe" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "IPA kliens hosztneve" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups 
of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Kerberos-kiszolgáló címe" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Kerberos-tartomány" + +#: 
src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Időtúllépés azonosításkor" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, az LDAP szerver URI-ja" + +#: 
src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "Alapértelmezett LDAP alap-DN-je" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Az LDAP szerveren használt séma-típus, rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "Az alapértelmezett bind DN" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "A kapcsolódási próbálkozás időtartama" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "A CA tanusítványokat tartalmazó fájl" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "TLS tanusítvány ellenőrzése" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to 
use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "TLS megkövetelése ID keresésekor" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "GECOS attribútum" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "Shell attribútum" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full 
Name" +msgstr "Teljes név" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "memberOf attribútum" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "Csoport neve" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "Csoport jelszava" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid 
"Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 
+msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "Alapértelmezett shell, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." 
+msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Időbélyegek a hibakeresési kimenetben" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "Mikroszekundum pontosságú időbélyegek" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "Az SSSD nem root-ként fut." + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "Hiba lépett fel, de nem érhetőek el részletek." + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "Szerver üzenete:" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "A jelszavak nem egyeznek" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "A jelszó root általi visszaállítása nem támogatott." + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "Azonosítva gyorsítótárazott adatbázisból" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr ", a gyorsítótárazott jelszó lejár ekkor: " + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "A bejelentkezés tiltott eddig:" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "A rendszer nem érhető el, a jelszó megváltoztatása nem lehetséges" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "A jelszó megváltoztatása nem sikerült." 
+ +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "Új jelszó:" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "Jelszó mégegyszer: " + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "Jelszó: " + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "Jelenlegi jelszó:" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "A jelszava lejárt, változtass meg most." + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: 
src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "A felhasználó UID-je" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "Saját könyvtár" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "Bejelentkező shell" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Csoportok" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "Felhasználó könyvtárának létrehozása, ha nem létezik" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "Ne hozza létre a felhasználó könyvtárát" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: 
src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Nem lehet beállítani az alapértékeket\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "A megadott UID kívül esik a megengedett tartományon\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Nem áll rendelkezésre információ a felhasználóról\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"A felhasználó könyvtára már létezik, a skel könyvtár tartalmát nem másolom " +"bele\n" + +#: 
src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Tranzakcióhiba történt, nem lehetett létrehozni a felhasználót.\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "A csoport GID-je" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. 
Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. 
Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "Ne törölje a saját könyvtárat és a helyi levelezést" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "Nem a felhasználó tulajdonában lévő fájlok törlése" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "Felhasználó programjainak kilövése az eltávolítás előtt" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "Adja meg a törlendő felhasználót\n" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + 
+#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "Belső hiba történt, nem lehetett eltávolítani a felhasználót.\n" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "Felhasználó GID-je" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "Felhasználó hozzáadása a következő csoportokhoz" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "Fiók zárolása" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "Fiók feloldása" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "Adja meg a módosítandó felhasználót\n" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "Tranzakcióhiba történt, a felhasználó nem módosítható.\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: 
src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr ""
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr ""
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr ""
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Elfogyott a memória\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: 
src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/id.gmo b/po/id.gmo new file mode 100644 index 0000000000000000000000000000000000000000..2a952366d179c2f93f15f11d389e014f00f71025 GIT binary patch literal 10852 zcmbW6ZHyh)S;tRETGHE4+8PK+n{Y@=<1~ABy|z<3>%4gF^~>5`d$V_)HVF{s-kE#v z_|BcVnHSre77#S5_|mGV&XP0q+Mt5B>=FWpF?E4e$rSx4qSvL*T>ULGT6e2>1zb z8T@1Laq#YY%J(P0Ii6nz-wFO2sD6GQd=&gk@B#3DLCx=h?*u+`8xP6 zo_`Kp06!0EoWBCsz<&bIgNsa7>;6el^8R)3`@w$%RsUO{*83(FCwvgpdXIoV0GH-yl;k`w-&$!1sb$$NB2{1yFkUSy27I3Tpg61SQYc zK*{f}?=yz~=6&2Gzhf14K&^WO^51-x8%@j?z=PmdtLJZnOvSvFLFT~+D_jGg;`t+> z#`^reS)Z`gsYIeZK;#{%?RQ;Mc0}_cBTK_kPfV9Z>ShLAC!3 z`1&2J7u0-y{yx?Oeg&ip^IxFWu@B=6z=y#J_;Iie{tu|}=TQD}a05IIehPdL{990V z@*m)n;31q`^Lq)r0DciX3*L$I==lOD{d@*QROTz7^zhf9*8fdVa^0QwB zwf^4$JK&#yn%BD?D&?^N9_9HgsQLX2*aJTWj=*nM-+K&lg6CfXQI+`zQ1$;4L?z}P zj6uA+AJn*~K+X3VQ0pCnh|GK#zYelA^BqwBcRwHXeTAFG8&&v8kSgZ)z$d}iz`McwFna0zAyD#P0JT0J zlz(3ZkANSm@Jrxvp1%bi0*^3BeIJ2({uNMi{W>Ulyq!s@pLc`O>l{c^^8$Dd{3wWv znm+>%g0F*G&%GF{?DKI@ywd^i03(X#uS@TH?w2vof~d@0lDlk2cCG6aWs`C@MPta0 zbo~TnozkUzH{~SdBIN^=;}q$mzFPc{T?{E&=bI_IB-0O4&g-GNv`$^mQ&^6>Bm=GI z3Cfy#GrgVQ=V^-U)vsRvScQ**()%-%uzDx>aSE>EbSHn140T;9!QEfveuW}C&?ULn zmuyVefFga%hjbmI%u#-ng2){wUj~;cZ=vY2l)ES$$_teGlKtqC-e<3;c-WvkM_HxZ zNx?jvU$jA8vLTNmpEyH-rrdRbyZAvIBtHo#ead?%=P0@`W%D7*3PoIZmhxQ`*`Y4^ z^Skm{#FxPTe|o)R^s4-}m0-Ajlc6 zpIEP(6uFb7I%tN>`0fXNuZVJc)r*P%S)NSBW6x&6#7n)LIY)@tCjDj&ZU#54g#?FT zH&nx!ibyL@Y?gazPS5Gpuouun5&2fqlyneuU{O#X9ZKb;9@~{vZNG@3r!}`*wb6j~ z=1oe)G(Go*L2qQke)+;#7nMvQd zQkgiPPRaw2SFSHk%|#WKN|iIt=4554|XS zS&kru=6u7tPKQyB(4=O!nkY#|#UwMQle8CDHvqoGqWWP}O*gp~V@=(y#(d3btifJH z;^xe$lb1Ty%kwns7CFx%j;sPZE->A0AdhQkq;ym3Wp4adT{Rzix$Sg1D>fTCBMYui zqOcd{a@awfq;=miWY5Q*hggeSLY_38B;^WNZS%FCCS!AUo5XfJ&P;!GecAS+P-+<_ zSuUe8dRI=`{gnG4K&FtwTxQi5P32otidv0(QQ5ijtG72g!tf?bO*M=!N|dRdtGxOhzGX!jpbK3gcjBQ)#(urQo3Y#DQB>%C_R(Fiqm5$n1rc<#n4(0{D|gnYoZa zG%`T1*Gq~x=f!{(J1;Y9-t}-?j7w8mT`_AjtdiZvf>D-C#i^lX*6_J)Jt+{?5zNVB z>L(Wi8BuR{zL>Lkd72UkU1aQs19LIBHcJ#2A@ia)thkT0%!a^uyCI&KiGVKb)iH2q 
z?Ut!~bKbP`^RzR4&dLyatG@Em2Q_?6R0IX_UPC16iD3)J-<7dANxfQjWR>JY4^T!%N~F zdwFkY*3)q8LFX<5YAA053m2uv+g0Rra67Kv2wp0P5_a=K$M%9WFYP6;sJ}5C<5+RU zWj9VpE{vCNJEi;0zV2c85`B-I1Xe8VK&}b!^uf(zBSJ9NhT6 zna@@Rvnj)@XlxDwFT;6lcryG+l4W5x3d|-Fmi1J^cB|g`Qe(S!9TF8X!Oblcifnn0 z^Eo9sf}K(`lk*9qrQ~FVfg-GHT{It}mnGY|vBGuOr@V zD{A>fyj#|rO)U3Vx9V1cn3DPB82a5FVJ@SrCP>Oi9aA~I&4e>*rHCSod*Ot9py|=> zSAJHvf5fOB31v;E=uTN>orsp3usKJuc)#2F_@YduKF;azx0dU~W!cRz?iJi|`_$`$ zDLaaa8!8fUoI^h2@+;5Gt^XNQHD$(piLFdSp0K*eyuIqTpC!5w zu9xik^2zhdXHMB?Pi=HoFI{YH1d}Aq+iTe%^xG$jLDt?(mTZ<~e%mLEM#r^7%I5ol zpQN7BHh4Zs2d(u>n{Aho(`%a;0`DC>uz0k6;AngCpj|w)bl}jV2e_!%-UzOS8hu*t zFqPVihwb9x(%}!3^)7f>-gXuhd1zpXglwYhiPZRc503Nf6Ud)8?e13lW%uTI37XGS ztqZtR0spo)18=-!S7SekgDiw4_Yd=Yvb3;p?b@~ZTs{!?gX{Bn?gHUS0?HO93tI6) zRQ0hC`U{UVJucbMZ>_DaotjEP%7RQ?mah}ZBOG~IXf{LN8(Hj@jRyo7jEfQTD~Ai~6gf&p9y>8* z6-wsRu&hEb+42ZvWSQM03WjRydyzNZ))E5Rb(BfH#2cIJ7_6!J#s=($nWt5`vMF_G%H2#hvAhlo~|3pB2B8lO_+ca%80~e z_YU$>G;g4rbq_K14W*6P(r|=2u(T0#cOlFXacT42Aoif=ateFx#JQ1M3;G-+P|uz^ zn_0t-Sxq~9;~iD*S~kS!u6TY(?pMx>oG%$qk`YoqQD7g+{YH>PI5np$sE7@t+z|pW z=f$KMry3!5TClBJsxr~aB4>|A&M^=Q9(ogYe$&p&Sjh)>DB{jX%oz`pDEnlVB)CvM z`{7JZjW|ZAXL>?{sCr&1a;}BOwm@psqZ^G+?3HO#+I+bHKOBcqI0~&uVcPVfI8M9c zkvB2Rp4~A>b^sJUC&v27BF?s2BVBK6teqr zGTKK>$(7Yx7OZ5PLyB(YtUCBBCcD10or1>r)n;c@RoJl(F;E1a=+4a2^1X8nDYgxE@oH6l|z$2 zhOvR2Ygyr`bk8x0S>8b)xcKeeBMZ7XIoov7hnjgX1HTxtVh+k?2P%(i8pAE6HKlJ; zF$>HPL)+cm$!kt0T@xo4&S@|%Wa9{|;|S~ob7s3;8kF4HaW;qh+U#>E>@2xFUE~ah zTw~s@)%;S{-CNw(_N6A!sVw(6P9ys_IF{V0bd7pvLTtPh4Ytg=VvK9Dm&HHpR3XA1 zL`1t98d|jLH6`dEXxs5m*`%I74l(o;L1UM&rJ-`kw1C@qGnz(~f#SftNUlr@)n2t` z>XbTkL1<~_ceT1+(o05-;b;@Bqan8KYhG52w3f&lgfrdQuI#{^-6crP!Svgr)EXXH zpe8XOcQ%0XP{=N8qI)V@O^Z2B4pJaTNL zKZ4$(TC><&&8w;8II+^2bD){2HI?d~W*5+5r^|U$7GN{{HNnv}M^3vLdE\n" +"Language-Team: Indonesian (http://www.transifex.com/projects/p/sssd/language/" +"id/)\n" +"Language: id\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" 
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Mengatur verbosity dari pencatatan debug"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Sertakan cap waktu di pencatatan debug"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Menulis pesan debug ke berkas log"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Perintah untuk memulai layanan"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Jumlah usaha yang dilakukan untuk mencoba koneksi ke Penyedia Data"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Layanan SSSD akan dijalankan"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Domain SSSD akan dijalankan"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Pengguna yang diabaikan secara eksplisit oleh SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Grup yang diabaikan secara eksplisit oleh SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should 
filtered users appear in groups"
+msgstr "Haruskah pengguna yang disaring muncul dalam grup"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "Nilai kolom kata sandi yang harus dikembalikan oleh penyedia NSS"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during 
authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets 
would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Penyedia identitas"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Penyedia otentikasi"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Penyedia kontrol akses"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Penyedia pengubah kata sandi"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "ID pengguna minimum"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "ID pengguna maksimum"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value 
from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "Domain IPA" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "Alamat server IPA" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "Nama host klien IPA" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the 
view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Alamat server Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Realm Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, URI server LDAP" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Jenis Skema yang digunakan pada server LDAP, rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Lamanya waktu untuk mencoba koneksi" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Lamanya waktu untuk mencoba operasi LDAP yang sinkron" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "Lamanya waktu antara upaya untuk menyambung kembali saat luring" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "Membutuhkan verifikasi sertifikat TLS" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "Tentukan mekanisme sasl yang digunakan" + +#: 
src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "Tentukan id otorisasi sasl yang digunakan" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "Keytab layanan Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Gunakan otentikasi Kerberos untuk koneksi LDAP" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "Lingkup pencarian pengguna" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "Filter pencarian pengguna" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "Objectclass untuk pengguna" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "Atribut Nama pengguna" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "Atribut UID" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "Atribut GID Primer" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "Atribut GECOS" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "Atribut direktori Home" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "Atribut Shell" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group 
attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "Atribut utama pengguna (untuk Kerberos)" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "Nama Lengkap" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "Atribut memberOf" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "Atribut waktu modifikasi" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to 
filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "Daftar pengguna yang diijinkan dalam format yang dipisahkan koma" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "Daftar pengguna yang tidak diijinkan dalam format yang dipisahkan koma" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "Shell default, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." 
+msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "Pesan server:" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "Kata sandi tidak cocok" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "Sistem sedang luring, perubahan kata sandi tidak dimungkinkan" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "Perubahan kata sandi gagal." 
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Kata Sandi Baru: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Masukkan lagi kata sandi baru:"
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Kata sandi:"
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Kata sandi saat ini:"
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "UID dari pengguna"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "String komentar"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Direktori Home"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Shell login"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Grup"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Buat direktori pengguna jika tidak ada"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Jangan pernah buat direktori pengguna, timpa konfigurasi"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Tentukan direktori kerangka alternatif"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr ""
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Tentukan pengguna untuk ditambahkan\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Gagal saat menginisialisasi perkakas\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Domain yang ditentukan dalam FQDN tidak valid\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Terjadi kesalahan internal ketika mengurai parameter\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Grup harus berada dalam domain yang sama dengan pengguna\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Tidak dapat menetapkan nilai default\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "UID yang dipilih berada di luar rentang yang diizinkan\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "Tidak bisa mendapatkan info tentang pengguna\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+"Direktori home milik pengguna sudah ada, tidak menyalin data dari skeldir\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr "Tidak dapat mengalokasikan ID untuk pengguna - domain penuh?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr "Pengguna atau grup dengan nama atau ID yang sama sudah ada\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Kesalahan transaksi. Tidak dapat menambahkan pengguna.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "GID grup"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Tentukan grup untuk ditambahkan\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "GID yang dipilih berada di luar rentang yang diizinkan\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "Tidak dapat mengalokasikan ID untuk grup - domain penuh?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Grup dengan nama atau GID yang sama sudah ada\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr "Kesalahan transaksi. Tidak dapat menambahkan grup.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Tidak ada grup seperti itu di domain lokal. Menghapus grup hanya "
+"diperbolehkan dalam domain lokal.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Kesalahan internal. Tidak dapat menghapus grup.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Tentukan grup untuk dimodifikasi\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"Tidak dapat menemukan grup di domain lokal, memodifikasi grup hanya "
+"diperbolehkan dalam domain lokal\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr ""
+"Anggota kelompok harus berada dalam domain yang sama sebagaimana kelompok "
+"induknya\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"Tidak bisa memodifikasi grup - periksa apakah nama grup anggota sudah benar\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr "Tidak bisa memodifikasi grup - periksa apakah groupname sudah benar\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr "Kesalahan transaksi. Tidak bisa memodifikasi grup.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Hapus direktori home, dan spool mail"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Jangan hapus direktori home dan spool mail"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Paksa penghapusan berkas yang tidak dimiliki oleh pengguna"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr ""
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Tentukan pengguna yang akan dihapus\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "Tidak menghapus home dir - tidak dimiliki oleh pengguna\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"Tidak ada pengguna seperti itu di domain lokal. Menghapus pengguna hanya "
+"diperbolehkan dalam domain lokal.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Kesalahan internal. Tidak dapat menghapus pengguna.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "GID pengguna"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Pengguna ini akan ditambahkan ke grup"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Pengguna ini akan dihapus dari grup"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Kunci akun"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Buka kunci akun"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Tentukan pengguna untuk dimodifikasi\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Tidak dapat menemukan pengguna dalam domain lokal, memodifikasi pengguna "
+"hanya diperbolehkan dalam domain lokal\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"Tidak bisa memodifikasi pengguna - periksa apakah nama grup sudah benar\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+"Tidak bisa memodifikasi pengguna - pengguna sudah menjadi anggota kelompok?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Kesalahan transaksi. Pengguna tidak dapat dimodifikasi.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr ""
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr ""
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr ""
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr ""
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr ""
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr ""
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr ""
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr ""
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr ""
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr ""
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr ""
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr ""
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Kehabisan memori\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/insert-header.sin b/po/insert-header.sin
new file mode 100644
index 0000000..b26de01
--- /dev/null
+++ b/po/insert-header.sin
@@ -0,0 +1,23 @@
+# Sed script that inserts the file called HEADER before the header entry.
+#
+# At each occurrence of a line starting with "msgid ", we execute the following
+# commands. At the first occurrence, insert the file. At the following
+# occurrences, do nothing. The distinction between the first and the following
+# occurrences is achieved by looking at the hold space.
+/^msgid /{
+x
+# Test if the hold space is empty.
+s/m/m/
+ta
+# Yes it was empty. First occurrence. Read the file.
+r HEADER
+# Output the file's contents by reading the next line. But don't lose the
+# current line while doing this.
+g
+N
+bb
+:a
+# The hold space was nonempty. Following occurrences. Do nothing.
+x
+:b
+}
diff --git a/po/it.gmo b/po/it.gmo new file mode 100644 index 0000000000000000000000000000000000000000..86c1ff3ad5c77b7552746d99aa2aa2768d9a3f2d GIT binary patch literal 18794 zcmb`Od5|1eeaD;2;I;6vOG@?8TBSv=Vj*#_pZzoozJJJ#_c% zdKEAb2!s%Vi7^li*boR;xJ;k|1qCsIgj7-$l2i()iV37hAlOg|{6SSnDxdG~z3%B5 ztqxZ)rMKVd?)P55_j|wlH+twPkH072^Lg5HXn*^JAow5fm8bBB&(di@upUgnt>D|h z?cmqIXM(>1p9Vhd^dNX1xDmV%JOGB^VNm_<1)l+a7CaOD8}Kaf-#q>=_*|}^c?M&_ zE5QBWUEsOu2R;jY+*92A=YSiyo&_~u54;$B1Go+RBKQLE5pV{)@Toy?IoJVp|NY=5 z@H-$~f|J;UwtN<-`7Q)60IvqsuLV9IybGKHzXXb2KLNGwCp|p~)`6SA%fQP)jqih^ z%RS)P;8(%T;6tGHe=0;dAKUqY6F_hTxY$ozp|0_~?lY*7ask*SCP$?`uG<=K~;12|nZT zo1pgfeQ+9F$EL(z*Mqv>14ZX|ftP|`26aw92er?0IV7FeHK5*?g0Ncf4p8U)VNmb= zEGT+D2wo2UgTG$Kp)pnP98lx8gF3(4L5;f$+yma{@e%MwuCF-9t?!NC3%Gs&)H(hq zsBv1H)^QpLX@k(?<)GHT9~52h1Ucg1O<)M#4{G0k0cyU7LDBQEVGvveJ|7ev5^yVc zAE@!)0>x)P0!6P=Ai8i12x)_Z;0<6OWQoBSK+XScP~(3JYMoDD65T%s)cP+0cY-^? zi@-O7qT>Vp`azJP!H+@lZ6m@XsFq z51i%tA|_M6L!joplRqK&VUVo^e+}ySBjAr7!xxCG_57HZX}?eA<(Gk1fjZ~X<6FUt zx&9cabv*SAZw5uTJ3#U2-JtgOaZv00A$S`2bMPeaaV$dmbOL0l!46RKl^);i@v9#H z9Xyri>n?Tj`D`%ddK$F#fiL0u5m4*DfkWq2!C_GIeiGEW{s}wEAc{StgScm_&J z=e!=2obCX%t{$lQ-si9X9^|Nk$FO*-WI~yx~fBUJrm;_rsv(IS*x^_go2T9ecqu!3cadco-C) zzXO~A9|Se-??6~L_z|dcIFrrl{%%m$9dH+TFUYHcAAs8Txz{+ky9Lz#b5QiV9~6In z6AZy$fG+``eyyWlAJjR%8+-=%Y4B|DuRx9eA*ko4&NzBq0KzIk3hMp`LGAmCpw|5} zQ0IK^bxzOh1$AzPzkVlpKG$CY#V6kbMeoyLM(L&Pp!(nH@wMQ&Tz?4M34R?ET~9&D ziLPgZ+rTZL?zjB)0Mvdy0-gtc#b1Bl<1fLRxqljyJ{RnOqT8Fnt>72HY49iD_25Mi zUF%K33&Hz9(f{k9`aPCTy1oj8HG;$7lfln}PX+%H6y3fJif>Q7!R>oHcnjCJgJ*$X z0QH`K1W}E_<6%<0Z!4(%-V8nl)EP=1f19R{=G5m;X-}d(foAjp^pIKcTf~@1R{k`z)VSJ56%6EBM&^;vchL>>j7@!x+B zJcIT;+I_T-)2h!i`SLp2`)PkhTSt2nO`p3Q1c$&^(Ef-vL)%Z&=VTfx(R7lo^;x35 zh8EJEMtd)99}STVK1h2P?J`>Rd7S^!1y84)M7x%DChZfnj8=Wl=ga&2#qAyokAkxC z{SW#6Zh!p@@ONl$rhSz5$F$pMhiQ`klvaJt@?TcK_t5U9-RkeX1zgnkP2p-b$ir6D zT8i6YKPrlqEN_P^Nw*uucl47y4x@593}(Vko(=juD3`)=DGrOM7l*0-WO;b~+-w+i z^Ehg+GAb#`VuBHaBF^>nSR>aO*lNW^5w^0l%(HIT&$H#E9p}MJyB)UUg+V7QlU`hu 
zQLkSFGijLh<1}1Mx-n0SR-W`r-nmHAGTne~)}iZw8)=!eqLQuJM*Oy0dEC~Ms5{at z$m?BLWFrY(Mlo(E<4#VY*-q#wlK^a^Z6>&Jb*A`?1>1NrX0V}r$TINy)5!+C@ z#ln-ACvi)+qOcvsJzlY)9WO?MZn-hop<@ag%e85<#l>!t#v!{*Qu?H6Rzi@p?J1w6 zJZeSVu$}dyB;6GDvUak#nxq}qq0la)ZZ}(Dn_1dj4aY`Ij7(~~80*oTQ_oL)%1&JJ zy2UJv79f|MnI@=TS@7KNKU|KwgBaG@k@b2}Sj7D(x3lcRabdPt@4;4Z)Lxv}QnHYU z2^t-tR+)uxRbDc4zMQmTW*Btap{Ob9h;KspwPG#D){~y9;o_j%y+&(0))>7oJo*rK zF#gykLk_!jC`=aJ4HGs_s+Hy9mFBCCHm(=<7I>jssm628Nc7QX@ar3Wv5EN!j3pqB+0i?zCFhE_KbYc;wa zr{|$~RXs}NNgBWyz0&2oGHK6n_w3BRFpn4GJeMiimF2CNYj_6b3qQz6IsVR8QdnzY zwbpmRF4!*Ii--o-@7!_IJXW{NlZ8RawG40JA?yv%bqnGv8*66R>Gd!wY*iCgSEI}P z{QN8uVp<7<-c4FbDGlFA5sSJf>KE%;E}>pb5;&=~p4p~H9(jpqj9kpKUSn*tgAKRm zH#BYDYA|})*!vAowVS~`8+u6!F^Y}S(pcnGZe#7jXi*2^E#Pg7NMYQ*%^uwb1>;`7 zEW#xSvk>DXpnK%z@H#&$bD7<%{2v>r&gF{wV+(7$T408wRYavZ_)r}8tFdsCthZlL zH{zIzfw?kh6u;UvrdWy4dt#_O=5QD<`h>H4=ff4e748;UcUkfyqa?#R6k4qWMY0;Y zZM%1{fNI}T^_5w-$vl~C3r0rc)i{Mqky0F$BADBU_&Cv6%8F7p!|pj2v#)L;Vi*?3 z2y>mv)uAUem$tftw$nDwO%t~^Jh8cyLrakf1cjZiEJ=zn=7shtquz_@fT9@fI28_! 
zYd=qrUgOoNWA*dwcfuXTqBfx^;mWob{kY|<0UO!%qS?I@!Hsc_Y0U~TRkt_19HUO% zP51FBLexkZEd-`2&2R7Oz91+_(R z)56OUn-=y0)$jcZ?&72|6%I5$;zY1-W{*M>abG5m3M!A75FtuCv9|zI;Smq&@U$M` zqWU(<)D5-xzYhGL)Z-$B6v=70flsKYk;*N2w2tdv|OAdWbQMclmTR9 zl}63BbMnPK<9@w`LmKV$Y&$HFZh}pD3oGcTj-7B`EG2yw)bd8 z?8l#wu1`k=X+IkN4pB+g&xJ)=mxUDG-s-g~QxBK*5`0JVC7_4sEXvARsV5qcGto{XYyo;`gGJ9i zld&-{Z`1`yCL$JZySwwwK#t$WBh?f+^WrY&SyoO3^DXR#%4Qhor$kf4Pn&pW69(WIn@}9`^ zP^6ryiR+HNSZXRMdX@UBdf54mFSNQjzRv1?y-ecghDJedmoWYFs|9YqGFsjV+B8%; zURmmZE6*V~z;2{@{Gl2##&7D)c5j~Wfy~o^RoIU+FSfQ_yyXQp zzl2KSqOZLpCJcx)Y@lZz7KXZ8z zav@4Rj^1lbYjV06;gqi6>yz8sR|Sg1mn_zDA7OhHjfAq3lvi$`R$zL{FM97h8X#H7 zrN&teW9_8{oYqpFO$64749Wtp!nsgB->~MYD1Ojtca4w;Y7v*X5@ z>vx7P-noB%?xwvH`{RC=my>&nPST#dZqO+v4`kC}Q50?L2zudKrNxV>#kig2k%IZS zJ(cC1iG4R6nA{=HpIImIMlqG!wrt%#xn=w0)@|X|i>J3-{QNC^=s3AQUQYD(VZTf0 zG`aPXaO>9TOD=Q$c9ZLvG!E@5r#VfS-dE-nd;O9Ka}|YGLVxZ|F04)-wma84(0Z<( z*o_JpV6rC<#8GcLoGX=#pzN_!mi_6?n^#s=rb-D)vKZeng)ZETWQsb)=Kf}FcXQWI zusJC=Z>*=ACZjyDXKv5VAqlrmZJF3XT?t8?loFo~%lM9RGkM@7y+Xb;PFQ)>!2`P{ zw-5X2)ui+$ccv{Oue38AZl`)Mv9CKI%Qv|TC#aYX)4p96S8cl@bYHL9kcQ`76>i;l z#l$U>*P|E+bVVFbl1rv8nYwg>`dc>|8Ypav3*3rU)Xu+le`pn_>vLoUJ%f_ysziZ< zBVQahF*D8DN$43DoHqMHmmW0aVdoeFk!Tx-w-SZOr>eC##EdT4v&X*w6;Y?ioG^ zn;BIw!OkM?3=+pDu?10sOJ4}lDT;Tx-Sv*pWbYb-5`Cu#M}OsNa4$s^oFc0wOjzcpF8!%O8ZIY! 
zCxc(wabva7Lefo2RNRRU5MhRcc2L4e33zo_(eiR)>!H4*c!3R!tXO%CmhEvpGG(09 ztt8JXeRhbbzci!%)!ggoNJkA<96ag}GvP3R=+k(Mm(#B9YFnzPPyxDBBZQ7XHYVnC#vs&gUUkR7A7YmSn9)I;GF!KnNPdth(;Wc(jfYZM+) z?upa|z71)MY&=mxdWHIO4wOSvM!4260Sq#)D zLY8d|W}L`~QZ7mA^sUo?4Gl(xJC%}Bx}m$?Cy9MuEX05!T{x6PzrT8RD^kv4IZ@tK zp)u-ol8m@kF%JA>zj1&bjq;_hc_bTyv7rPQ8fElz1CQF(6t6ccVKcWq9I;d72ox8~ zb-X(=9 z>A{cC(y%^tjWZz&cVvfdqX$H_lFkvmIP2C@5-DF?cfjB~EjDHk=VkPuPJ*lMDx8+W zSC#W{B(5QimsKnGUVy|4o`ePQ=Hn8(-BA26HU<U> z=@m~7h)n5bC5OtHI$kfQTB=@{Crvh#-Zkg)y`bMf;bHwoKi6n+v_U6rcU&6;`!HGj zctMh+@@M8Nr^!Z0)-k)m{ZyuL8D%b~M`hG@CI=Hzd8cHpN@^h=0Nc#Wxg!s!cEsyc zzbeguyP2g8O`_3y{$;+by1}F#nLc6;aXDnDhf3yZNw=jUK5lxgc`3q34_KD3x3cGI z>N&C_Mg?|CbQR+xnI51lpTPNKJ(VGuuZpTHhCDuHJyB*2GA&}V`ALHj826y^;P$}3 zTrvhng_Wl$jY<-%(qyh&V4~wnwOMVGVDJ&1fyGo5wW5K9+FZ(tXXbP+EMMM*cuk^e ztO^phEHs+zMKFExy%I19VbFlJS6aZj}tdqHC*N9{xG(HeNZP4u(M+_*S##Gp9e zqAU_u!;dCT?1qiUc`Ne1x6~AQS}WD!m4_sC$jG}=tz;hul6Y1t_GMa6hGTmn&4Dsw zreoZz8qP``%wb5qlU~(soj1p7O_7Y3Z*k?lm)N5+hh-ZYB6Bh&>Sm9~=<}07r?Bia zkF-gZ3!X=92m@~q=f=Tc>Y?eg{1j`deDaFem8)c7@36i*bY0{mvTsQ$9-!i_ad&r< z9871aVFtlh|FUdQMs|wv5LsJ8iN8R;Rn6F1=QX!_05WsGNZKF2p3wTorWQj z(o=&nB3rEI@XL_oQ<1+6m(PAa+cI_zGs(q}Ap{Zaur^Tyeoid zGSNo9mLiftI;>Tb5~Ny%G>DmSew;gn;bvn*t0NZ9O)LMeO6i$LgJG*#f%3KZwNCUA zCX)`5wSp%s$hP33ao6XF+-(ayGzB_@cN0Ky#K@p4W6vNvy2gz66^Yb7qimA?lR#y? 
z_P`DnBpcoIhM50oIB&=@2;Y`XtJJUH2>m*2`Y}1)#6x2zWeQc|Hir*2#jtLb@et4B z$3scCTUXxba9dCKUl^luCHYeY+!uc(qP(P6B|C=dN$Fui0c1*!s#E5}L3WxhgUowI z?Nt4Hglw#TQ*YE|@nNkz8tYz}W6oh1geqleJXpMW8PhHdyR=4HHM{k z*M%$t|E~oeAcB$W@43J#?6tZco0Eci%L?kmJgUU6*^d~>yD-PtX=R2q1yi=9I>$HB z>@%`apW)Kss`@VOl&9x^t#4XNMG4dm{O=uK)#FSaDu=KN#Y{)A<}qf~EYjHx4LrP4 zt&AVyh0WUhfd8r^Qkt~Yag==eVR3%RTwbgz%B9 zLZ#d?74GZohR=^+<=MQno+%EWT}v$3rHG}9zOy4$o)`gE1s{zXS@pYSDV8Mqk3?ba z1f@R6l=1U3-Xr}$Am*q#-kIbNrW&iW#t7yw6M`Rz{%EPsP%NUQ?3ftFQ4Hm|&$1b+ zgH{kZ;={zJ*>V=>Hvp>d%M8?tF-a*Dpw|k1 z?rqimDxD~q3Ym{mzj?8v5%y3A>0q6cF^rg%=NcQl+w*HBNG>Jgron@&!*j9r*wAKV zKa}JXeD6^PSK`Bqhj9#|70fRj8FU?#^Es~Ss=(YCY4lJdYL?7WqSq)ZZsAl6idH5y zBUc3)_?iT<4?n{mu3&%xM24#05NuHQ>O~tRw?kjkxiCXT0LMseIZd_9udkJNR0Uh7 ziyy8(BJFU7%IY*pAcbYZ<, 2011 +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2014-12-14 11:46+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Italian (http://www.transifex.com/projects/p/sssd/language/" +"it/)\n" +"Language: it\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Imposta il livello di dettaglio dei messaggi di debug" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Includi i timestamp nei log" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "Scrivere i messaggi di debug nei file di log" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" 
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Comando per avviare il servizio"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Numero di tentativi di connessione ai data providers"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Avvio dei servizi SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Avvio dei domini SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Timeout dei messaggi inviati sul SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Regex per il parsing di nome utente e dominio"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Formato compatibile con printf per la visualizzazione di nomi completi"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Durata timeout per la cache enumeration (secondi)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "Durata timeout aggiornamento cache in background (secondi)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Durata timeout negative cache (secondi)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Utenti che SSSD dovrebbe ignorare esplicitamente"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Gruppi che SSSD dovrebbe ignorare esplicitamente"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Specifica se mostrare gli utenti filtrati nei gruppi"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+"Il valore del campo password che deve essere ritornato dal provider NSS"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr "Per quanto tempo accettare login in cache tra login online (giorni)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Numero di tentativi di login falliti quando offline"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Per quanto tempo (minuti) negare i tentativi di login dopo che "
+"offline_failed_login_attemps è stato raggiunto"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Provider di identità"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Provider di autenticazione"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Provider di access control"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Provider di cambio password"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "ID utente minimo"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "ID utente massimo"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Consentire l'enumerazione di tutti gli utenti/gruppi"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Salvare in cache le credenziali per login offline"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Salvare gli hash delle password"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Mostrare utenti/gruppi in formato fully-qualified"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Durata timeout elementi in cache (secondi)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Restringere o preferire una specifica famiglia di indirizzi per l'esecuzione "
+"di lookup DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Per quanto tempo tenere in cache gli elementi dopo un login che ha avuto "
+"successo (giorni)"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr "Il tempo di attesa per le richieste DNS (secondi)"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+"L'interfaccia il cui indirizzo IP dovrebbe essere usato per aggiornamenti "
+"DNS dinamici."
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "Dominio IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "Indirizzo del server IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr "Hostname del client IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "Filtro LDAP per determinare i privilegi di accesso"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Indirizzo del server Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr "Realm Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr "Timeout di autenticazione"
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr "Directory in cui salvare le credenziali"
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr "Percorso della cache delle credenziali utente"
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr "Percorso del keytab per la validazione delle credenziali"
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr "Abilita la validazione delle credenziali"
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr "Intervallo di tempo tra due controlli di rinnovo"
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr "Abilita FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+"Server dove viene eseguito il servizio di cambio password, se non nel KDC"
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, l'indirizzo del server LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "Il base DN predefinito"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "Lo Schema Type utilizzato dal server LDAP, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "Il bind DN predefinito"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr "Il tipo di token di autenticazione del bind DN predefinito"
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr "Il token di autenticazione del bind DN predefinito"
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "Durata del tentativo di connessione"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr "Durata del tentativo di esecuzione di operazioni LDAP sincrone"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr "Durata tra tentativi di riconnessione quando offline"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr "Usare solo maiuscole per i nomi dei realm"
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "File contenente i certificati CA"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "Percorso della directory dei cerficati della CA"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr "File contenente il certificato client"
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr "File contenente la chiave client"
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr "Lista delle possibili cipher suite"
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Richiedere la verifica del certificato TLS"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Specificare il meccanismo sasl da usare"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Specificare l'id di autorizzazione sasl da usare"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Keytab del servizio Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Usare autorizzazione Kerberos per la connessione LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Seguire i referral LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr "Metodo di deferenziazione degli alias"
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Durata attesa per le richieste di ricerca"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Durata tra gli aggiornamenti alle enumeration"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "Intervallo di tempo per la pulizia cache"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "Richiedere TLS per gli ID lookup"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "Base DN per i lookup utente"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Ambito di applicazione dei lookup utente"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Filtro per i lookup utente"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Objectclass per gli utenti"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Attributo del nome utente"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "Attributo UID"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Attributo del GID primario"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "Attributo GECOS"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Attributo della home directory"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Attributo della shell"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Attributo user principal (per Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Nome completo"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "Attributo memberOf"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Attributo data di modifica"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute 
for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "Politica per controllare la scadenza della password" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic 
full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "Lista separata da virgola degli utenti abilitati" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "Lista separata da virgola degli utenti non abilitati" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "Shell predefinita, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "Base delle home directory" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "Il nome della libreria NSS da usare" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "Stack PAM da usare" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." 
+msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "Esegui come demone (default)" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "Esegui interattivamente (non come demone)" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "Specificare un file di configurazione specifico" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "Livello debug" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Includi timestamp di debug" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "Un descrittore di file aperto per l'output di debug" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "Dominio del provider di informazioni (obbligatorio)" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "Il socket privilegiato ha permessi o propritario non validi." + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "Il socket pubblico ha permessi o propritario non validi." + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "SSSD non è eseguito da root." + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "Messaggio del server:" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "Le password non coincidono" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "Autenticato con le credenziali nella cache" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr ", la password in cache scadrà il: " + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "L'autenticazione verrà negata fino al: " + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "Il sistema è offline, non è possibile richiedere un cambio password" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "Cambio password fallito." 
+ +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "Nuova password: " + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "Conferma nuova password: " + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "Password: " + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "Password corrente: " + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "Password scaduta. Cambiare la password ora." + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "Il livello di debug da utilizzare" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "Errore di impostazione del locale\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: 
src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "L'UID dell'utente" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "La stringa di commento" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "Home directory" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "Shell di login" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Gruppi" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "Creare la directory utente se non esiste" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "Non creare mai le directory utente, forza la configurazione" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "Specificare una directory skeleton alternativa" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" 
+msgstr "Specificare un utente da aggiungere\n" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "Errore durante l'inizializzazione degli strumenti - nessun dominio\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "Errore durante l'inizializzazione degli strumenti\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "Il dominio specificato nel FQDN non è valido\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "Errore interno nel parsing dei parametri\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "I gruppi devono essere nello stesso dominio dell'utente\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Impossibile impostare i valori predefiniti\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "L'UID specificato non rientra nel range permesso\n" + +#: src/tools/sss_useradd.c:210 
src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Impossibile determinare le informazioni dell'utente\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"La directory home dell'utente esiste, non vengono copiati dati dalla " +"directory skeleton\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "Impossibile allocare l'ID utente - dominio pieno?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "Utente o gruppo con lo stesso nome o ID già presente\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Errore nella transazione. L'utente non è stato aggiunto.\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "Il GID del gruppo" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "Specificare un gruppo da aggiungere\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "Il GID specificato non è nel range permesso\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "Impossibile allocare l'ID per il gruppo - dominio pieno?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "Gruppo con lo stesso nome o GID già esistente\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "Errore della transazione. 
Impossibile aggiungere il gruppo.\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "Specificare il gruppo da eliminare\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"Gruppo non presente nel dominio locale. L'eliminazione di gruppi è permessa " +"solo nel dominio locale.\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "Errore interno. Impossibile rimuovere il gruppo.\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "Gruppi a cui aggiungere questo gruppo" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "Gruppi da cui eliminare questo gruppo" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "Specificare il gruppo da modificare\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"Gruppo non presente nel dominio locale. 
La modifica dei gruppi è permessa " +"solo nel dominio locale.\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" +"I gruppi membri devono appartenere allo stesso dominio del gruppo radice\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"Impossibile modificare il gruppo - controllare che i nomi dei gruppi siano " +"corretti\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" +"Impossibile modificare il gruppo - controllare che il nome del gruppo sia " +"corretto\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. Could not modify group.\n" +msgstr "Errore della transazione. 
Impossibile modificare il gruppo.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Magic Private "
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Mostra ricorsivamente i membri indiretti del gruppo"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Specificare il gruppo da mostrate\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Gruppo non presente nel dominio locale. La stampa dei gruppi è permessa solo "
+"nel dominio locale.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Errore interno. Impossibile stampare il gruppo.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Eliminare home directory e spool di mail"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Non eliminare la home directory e lo spool di mail"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Forza la rimozione dei file non di proprietà dell'utente"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr ""
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Specificare l'utente da cancellare\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "Home directory non eliminata - non appartiene all'utente\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"Utente non presente nel dominio locale. L'eliminazione degli utenti è "
+"permessa solo nel dominio locale.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Errore interno. Impossibile rimuovere l'utente.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "Il GID dell'utente"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Gruppi a cui aggiungere questo utente"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Gruppi da cui rimuovere questo utente"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Bloccare l'account"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Sbloccare l'account"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Specificare l'utente da modificare\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Utente non presente nel dominio locale. La modifica degli utenti è permessa "
+"solo nel dominio locale.\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"Impossibile modificare l'utente - controllare che i nomi dei gruppi siano "
+"corretti\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr "Impossibile modificare l'utente - utente già membro di gruppi?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Errore nella transazione. Impossibile modificare l'utente.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr ""
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr ""
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr ""
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr ""
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr ""
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr ""
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr ""
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr ""
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr ""
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr ""
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr ""
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr ""
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Memoria esaurita\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/ja.gmo b/po/ja.gmo new file mode 100644 index 0000000000000000000000000000000000000000..092fe18b4e707a452175e89ee532d1d4c5b16765 GIT binary patch literal 46752 zcmcJY37l2sdH+uq(}W~u(P*NH9=8a}04`C2F^X&w1(5+wViR(ixij1_bMJWXj5sDu zm>EG}!K*<%-wKL!1E9)1=3Z4Pg|Gx%R&wqgY7o5wp}5%0aX9K3cdq;5_}K%BKU6bw?Xye+o1UDoe*ghcqVu}*aW@} z`~;}}O##(j5fmTY2WlRl2Sf0WK+)}=Kt2Cngh}&xI;i?5f+v92f#Q=Ea6b4V_zCb` z5LNOq6Py9A0jGoC1{rE_Dn!=#r$EW)*TBz$-vpNX{s*Y> z9se=M7asyu-&pW{UItKzYiiYq+k{pf?ol}C!0Z7I{00G{!jk=Lo}}W zm<)=}Eui{wGxz~;4Jf)i3Z4wU0-gx|85n|xK+*Rd3{rA>4k*5u3aXxk{`#+hqVt2G z>e=P-H$lzQcR|hDaR|#KZ~`cKTMX*@*Ff>#evqLCe+O!uCsSDbel;k$?FL1^`@m0v zPlB4~AAy>ecS0o5VG{UWa3T0kumYX}eic+d?+3+yPk=NP?DOYufTwc)7MS3p;OU_H zKOMXR>;m~O*yFGN7*u;FU+(C81^6M(XMw7x9fYNW0Z{Ee2O?s@Z-BGFfAaWA26GMP zYryw|e+h~%KLRB;C($@l5ljI!-(LbXuUkR2^V{G_;15By|8wwz;0af{c^(Ujo>zhD zM+KzmpdXwJejVhI;LV(fZdZYNzS(03sCifhnqC6Mzkdy?-5MBz{|Ty{k03ni|7=iv z)(h&nb>K(9y`b9v3sCcY;uL4^J_V}2FN0@-cY)%I7ePJuU4Q;_Q1f}(RCojYICvV^ z52~F_b&y{24{hybJ^og@Ep#62#PLmM@ab@diLFtCbC9kCCw|7wPXYWG=TCtlSOqm-Z~d(6{|r!kSOV4mJHb=H zN5Ip;{own+?}4KKKZ26yQ*Ls21*qp+{rLc>dUk*(gRg+1*PnqWfd|18!T$z72%hk( zuD!9K%FXb26R77);F;hZ;CJ4H{|W*@|L2|D+zy7EKMH;v{7vw~;D3Q?@00~@92bC} zP;&9%ygQ!(p2c~=pRWaV|7lS5{57b4zO&8AcMCX$^F3e(_%l%YE!U3k z0qz2~fR`@{f``B#fR}<_hMC2e&x6yzpMqC_6Tj&A2W#8 zt>Ev$Tfq5rLg#+~7Qst9U3=TW?{NMDP;`Hho2P)k0Ivj3DLFlT6ZlciZw9{t-UrSG zPwsMbYx8&)sQ!K(RDHqCjy^NNNu1sWYW`jTHQt|s7lG%Mog950Jel)HK=I!`P~&|A z)cDS*xcZlYdhWMC)%$Z0k_H!dyLul4b^Y5QA{@M@$I)pKIDzw3pz3`EJR3X=YJQK0 zSnBtM;M>42f$stP!BOA_5Ec&}0>xMV&FG4t}g^t-+EB}c^cHbej6MO{woLxg427Q-@gHbHG&_5^S~Q#bNcH^u$l9J1T_y= zeaX?WAJn+^gExW4ecAOd2VT$lGvE#2TYk;)^=H9zI9~?77u*G&4(!XM#6_8pqw>7r-6hY2Z7SJ3b!`Ucvcd zQ2pEms{U_*s;3H`4*tSlKm87JGn{`6RJpr7?gY=~{Oh3js0Je9!3irIpDqQj;{0zx zjq9wHPEURT)VO;+ZUw~$e*~Tap0Ucw%_qReIN#{;t9(zE(hEWP6t1* z*3ti0LA84iDEj>sC^>ldovz(Upswfr`6iFw0QKBYK+*5QbuJ#B4z_T9C-?>Mr{G7x z=Jn3cxEVZ`^T)t8@b|%4;Dujv_I4>KI&A=(z?Zl*MR&c6kU zKVJ9vmV2DtJQF;b>vKWz#TWhc<>03|e-XSMe9yhkFUf%+=l6m)fqTIZf+ybR=Bo)* 
zJ2!x$M-M2zxF5U({Ek0Aev^}vYrt!`{&`UIvJ+IfAA_Rz+4sBWuLUpWe5J<&9^ddd z`T=+Ua~?Nb_y?fm?q5MY_rcBX{uQ9k^Wbc74JbbRuE(E%pWys0TO1v) z1gCPo0K5X+3ab3;;9T(E!B2zNJmT!qR`6=hzXyH*Jm*o@kITT*IRBhK|1vm{^M^sv z|2yD~;8_Tx+W8VFd3puZ{X^gvz>Bv!KHLb-=lr{%=zPKB&K@oRuj2fEkKYHck@RQZR%Dc~ER=y>T9uK&wH@y!oF zwez-}jy`9C;;S!#lG|s&8^Bq1J(ZA=bfMZ5cnR>Uj|PGzv-|4 z5ImmqUx4D@<6m%gW}?TNzz=i%EB^ceQ1u)DPXzxEd@oo9PXK=gN%&we++yx#{j=ep#HwX?~A~t9OB(~ za_H|OuKx(U9TZKXzpq3;z-zeo5f1%b%%M5HMJN96=it{lL>v9Ro3gNeZ~}N1I8PV( zJCg&J4BpB0<2e>^^l_ZW@llQ@4yHDEh2u_+xt!~-3%nHU<5vuPkgGsii2Pt z&s@gw8=U9B<=_uEKEg4XV-DBe0#4!R;P*t1=x>JqeG(UDb9|2D(;UCT^(h?7{Qd87 zO@CkX=hOM!&TsM9XTfXz^$(~}>Q6FoCHHRTXyEGXj!|4c4V(qOAJpGt4ou(vf&cwo@HUROQszV8OpZ(WEgt`W9Nip06LRfx zP=D{?_q)IkfOl}L@?kn)ILk${b_3{t1p24*kt=VE^9DzkkSaHTSlIr}{Fw`8yob zIX{u(^Sa>w9tW@E+I$XFz5V?=|L*4aeU4tPzlq}vj*oL*;F!ztG0y)2{3OS99QwP# zL2v{2mU6WC^DprG3;do9mN+it(BFj|r*iage1=1Rr*m|2e4H}>0=^G?4ty`ipK|;b z$2N}da72F(_#fZ!I1T)g|NWmH1;5JiQ;ttj=O;Pd;P*-3+rb*ge2yg?mvBvgPdl)G zZ}is=a#r!b|D4~l3HvzC<=Q(y{e6(%Uvxi%wctjM`#8SLF_n8ExEzfBuII;JbFAQK zTi^<_W-}gaddLt1(w10gG<0~ zfwyxMIiBUv-y*L60$gBc=m+phjx`+LMQQ4kUxThcetoj=~jP-7HBPX<_g83*SpGv&K&Ky{^z>8%Y}tK-TAPMG0mLX)S2t* zDiqs?K3CtN*4D5!zp$r0>@IZXE8V%yE_&&D%Zx|Em^o*%A4)K}80O1mS}C=(^pwl_ z*0CWChs6^0R9eb~uI@sq$eb0$3~i;JV(U0PQ|ihW!?r?4J}yQT>a6C=^`N8FPTTQF z3dPn!ORk$yP$t(Mk+K546JF>lbrf0(dDv9UV3UxlqJ!Di^SPexMWu4#Hn?cc9s6fI#+3T8% zQct&vm)a_sVz2|f2-|v)fpWeLu38j!<;#UqtCed197w$7-DHl)hy4Aa^a?I^Y6Izp#s z;;tN_+*lgu@XDv6_R^I&S?uU2Ey<(TJsDCJ))gNcc9vQTZM_myn{6sYp561Vow_Ho zmD=d*N~G)5{iCn4J>SiE+Dc(=ArcsqH*T^FC!pxXE3iu4%pi?C-aPHvLb2yo#|CC9 z^0#6OJt2;+gy*!-L{A)2>g>#+xVmy>(?HT}($5i@Y>>m2LeDHJEG$TMr3%6c-K7wn zkFM~-L=8P1ttj(ut6AC(YZB{eCyY&=SxgCCp}vjuj7`t*kGQ$_EZGzyRxOLg*VdFN z7MP)>grR8>4dbSUd(Jy6uBUq5nTFwO@cqj+Y|g_`K4}$14o2)Nc~;Jl$82Ek7UVj& zP=?Sta^j`IxbqUYnNQ@aCReN1;u| z$5F9J!Cb3&rm4vlAKxUWstk?LC*vS)MpH$KuvfED=%xusDaJ4#DwrbMkLNPSdu156 zsk56SK5}hJsa`vE@|?t6w=BvP+wsrLD+;EX|fTQNE*NY&d>lp*VhF zuCgddTq@IP3=b!w(#vQ%!zGLInEmGF=BYeqtWm-F%7@qF%XpS0ywE%fu-AEz?!j@X 
z3XS_!K2hYZXoW%*o1-CqUD*au&SMMn2xnYSZj2u*%D+AG5Ov?WATFtlkMtX^5C*)r zDVZcw(o;)D;gpVv?GaWQc};9WFx9w6^Qoq#vdS|4DX$_N-N`dKxuavE;tUyIRC4cR zL!ONE95&9?hsEnE6`5HGRVtnO;{2J!TZq%{);;9-U`y96nE)j=oGKoIbgEUVK8|^JUy) zB!Pd6Erl+*X09#yQvQ-$)KU?LuA^{U)S?_BbL-6S)c~P+PZvGPn|~}yb>xffgc+kN zI0wbn${1=+9`lY{qe6Zd%#Ukf_@d@r7m5Y>l!e%A|*iAR;@nQXqQNeT-G(TOj5g|(@oH99V z$(OrPLb4;3MnyC*9|EO{9-$;%R|)yC(lDlfBQ~5~lHcGY5%-u#MUy|hRK`&>vBK3s zWK4&ctd*7&;mw7;v84~D%e9`ZU~I;;Dc3cp{9cPBV=s7yVp`ME@>gIDi%c{kj5pp{ zt1PEe7wV>yuTg<}%-e~?X?B+-l)gk1?z+>8hd9i};Zai->3Y${0TeBK6BRcbY2`@F ztZ1nl&#lm2MDazHMp{80qqx2cZfkVUNS(RmRh9Xg?#Z@tsWbI#x_~`y_peU7+Py*c zG)3{N3BE!CKEkK&-XspP%d$n4u6&Cbxlz>NLTD^xv2{EIHw~LIgPuxG@0r?Uw4FHe z@}!{vJRz1!LIIm?A8KiHs9IR zjmOWlEX))9VqFoW)}&TZ-MH09lJ=kqcP~+SJnT4_s1SSPdQmoUmw0$_KHue(Nvj2O z76x07I&zS$(qp*_$l!b1pbG35qKfuMXp4AQG9T0|&N5@>3^iSXgB2U0xm`I@3+b*b z$>AZ0%VluY56yBYV}Oa)&?}{mTckl;g$yTFpK&#o)*)w5C^jJ-%Aq(#iRVYwry^Il z;HZaL>m?@Z6|Jmek*v6^kh6lha7nIQv^Je&XPFv-l(^@h+dBB2=TPkZ@5I>OF4gY4~ds_pX#fQ z1t4wZJ=2Kj%4zs&D%QagTu_W$B9|#kSVTEGmpDL0(OqS#B)UaMT=y)aa#;l#Nc2Ty z1Y>=BPf&rE5+a?Y3vKC`UGP&Mg-!GY4K0 zCC=a|u89>QxX&LydFN@ofxLM`u!6HDlc(v5brP7Nx?va|?rOl#RF1 zpDP2c^f=P$6|>E@m}pUJ!uwxcz!bxyXdw3An75@Yqu z<1!0oi!d?rJtGA@%%jehv~=WiMdcrdDHTT>XaT44h7_e~-;I>ftgkOssM1?(SyV0+ zOFb25Q;G2v&yHlabQu|a%5lx5mgdi#YFbxw8|6d1Mbz-zoav!Clc&%qnaZM8LZZjJN|j1MX$}G~ z!t@IMh~mQFS^^C7Gt33cdp43L^ub>`93NU-y}|aRVn&-;RlC?MFCA09nG5pJOmp)a zQyY@dBb<}LOf8Vi%C)2a=fHYW2*Iq}t%c5>P8U?noEpqZFLfQk`9`2kcS{G33T6?( zWolBAQ<0GQSmJ8f$Sv9gvxdKC{q;KPNW~&mQ3+-@H%EMcfstDpjwavRI%Zrr&BE2r zLi-}E5NL5pIyCKZp>7ragy$+ld@d>%c{XP|Ps)XP!hw*=4M(4=rM>X-aNgYc)6P{8 zgh?CYANI2w4w~NP%^W&U zJbQ9~6+>!rKU;2o(%~eYJ*lRPnu5T=iD>IdT35eqP74mcT1{9yrB>&tPrH;UEq)s)TFSvF=E7_dRSMd z=DKrG*e%Rfg6rITwGb1zHtLt8YyT`psW+@QNeYdze6Q4(6lV*S&SwH9>*8adStYc zj!0Y4TWl&n*8K?US z25}5Yy~uz#I>P8I?gm166h1#`6MO~$GeDh1sm!=-7AM_}VKLldBBY@0wf zb!Ga8DqZ~IwN#`sajbgq{7K69>T$e!Sf?VZg+ro^AWB5D2+-~BwlyhbOlz|B$S{L8 zQTDO6^iqAU+fp!k+PQnAhB4kmLrRq_!BuKEMNzISDs(CA!(Zww;7s5#L2sA7JccLc 
zl1x#WrkGXeb8$3p6%7#`s4po~zif0~giIH@wZ3G!>hth(^HglPZ%Of^;EgA+Z;3oqR3dU?ha$m0Wuso#8LI zg)BYmwOK674BU1(Kr9I5I^O0o*Dlj^&D1GYi)^N2;MlEHRnEESoZ!l0c&Hma8>f}xlFpB0 zEJWj@8eWCf8r*1AjjZNGeTwUG%jXSl5E5vAgM5PqcUfg!l3dmVqiC=&9W265H!g4! zo~u~S#Wr0zLlpHu&s2uo#s%@R5_ff&f|jHhwrpo!@>8f-oWcyowV48`r(bljo=Va6 zm`Jv$9E&7oYEd4E&t8SYqWwRT25BRf23!swmowTuh7}8%dls@Uty|mmv_{Yy?It;P zuc|rP=R_`o4I&uk6#vKfEaTkhhJ{l}9hd~SqS3HysoN)Y8r?0qZGR1Kl}QUU>=z0x zS8*)a=s~+}bJ6H-{SCJx05$1nVQk_Ld7UbY7iA@adGMi}BCmq17xfp_gk6hv^jMpk zUHu>nVJkMSg!Ul#AlIoJcbOQGeLM4dF=OZu9)l(7730{j+}3j8MH4QyN9N7DR_u-9 z!J_j+a^P~&>6E))Pp}-78MAJCn4C>CqPX)p+ka=5)44RS|D)p0h}w?1TssyL2UIPm zHhzj?b#*bMDE}O-TGdq>QBIlHaHNVe62iC_lmCv*gWDRymXKCVm<==?#3{CRSrx5c zrWPDH>ro2Zo{)gx2;!IE)4EGOMXvoPqO=?lsdFnH>232ee53KTR7d=rEB;b{;R`dl z@g@hexvcQ8N+JT93)Ysi_?Fx~y^WS>$f_`9Ew`aPe(S6>~8Bv?#~aQCL`( z{ii6;+X#J-Kp`!%vkc)j1(&GYwg+^wABVAOrxP8tg?ITjasE(UOX`S%68EUzVs6m@ z9-O43Twu#1>cxT#w*pnyjcEN)GwinQm@MK(!w2-xELJi@gfbSciE6kDx3UcBRco}v zJ-3k6OqBO1Ysma2H-2>}N=mD5)F9RCi&eUD24s%o3SGz=?IF~_T?`0aq?)A5Qo9PG zX|XK@uI;$E}5?7JwJlLxq#h29GgP+m$6+?0~I&K-j&~s1-X05#b91q z?XZI9_LI0|3>j0Rrw%Kl)Sr~A_l}iLL|&Dcvlg1Kn%^AEWAqh;FsM;mtV*vzX=jru zax$1lEGT|IQaR@U99^BhY+Nn7ekBtYR3cYI5IN+XA>sKFTnC!6#IDVsJ5w{0i#FV+ z{APu9NM%fOXU#IA8bps5(+>AhJy;}JK;Qz)rPuzX#bs8^ua7qTN1`kjW`6PRkw@NLA*^Z)PMYZqiCBQAeOh z;$<$!B-hc-rS3(YjRtJHswGY?05X=*95}C6+Sf)|KK5-#jDZvg9*|ESXlu4z z>%tt`9=U`Y!_jIpqU0DWhw~97b72?l&WN_Wx_4^ETIIy+wvW42IatdtDySizagCYz zNHINqI;w3-H%^{An~9nfN=No+B%^zX7+9a^=o!O44^##3SJ*xmzyIA*Ax_=4BIP&g z1rj)#`~X6h^)m(*PTS=^>WHIA?C1#SMKDPGA)2M5XTJlV=Q)wpU zkq!0zh#Jo^=|~dH>e$eXOR{CrrTomZH>yUBh0T+juMOoYWm+m${0@#D2&K^5w-&iH zX28_jc~jm~)Hb@Nvizyu`Gsuvk_m2%rb06@ zRz96yG-owQ?ifjb?ORE=tQgWBiB?uAmOR90MAiCDMCl3;THBWE+Rtvhj20P0mAcq3 zHGq+7DCgU4=K`~hXJ*OY5$h6*qO-7Zeow8>DI05=9&jss1j%s(mg-81lR8>+T?-`Q z3o46pt)(Rkw3lsxkKp2Y@!^lwJ^V|7t^^b+u!0nqLoqDEZ<51Fot9&W=bXOqlA2#G zmiJ_7bM|4mIvin#Du?)azXGm|BCi4lH=@+#?kbfPD+k017uxaNXY?*(++XFoeS_md zZjt;Z?V>eWNT>L~V$0ENIV2K$Yx$Gi<^y??vv_?i?tlh0dunrF1e@yi?Wgh}ncK+#%qbmGhYL5Z 
zgEJzM1;xr_x1+#z7$nydZzQ?qSk{p}RfW4ey(5P)i0gG1XBK@vzW#=0W5`svXV{}K zq#kw~47qlr-~X6YExGcend0AIjcZ^GcJ#N~O|DghMcWrQ+1exVC(2shpDnVxg>5ZXY%0 zx_M1gv;a@7O)S%r0Kag;1rwVlOl-Q~!tjENCQZ2L{0aO~uxW1omV#PO%3WgRCWaFx zPMUCuD<>i~nWs;>t;E|{vvI8!m%>?v+j=_5TZf-umopcxWZxbhz&IkgPma2l<-#7a z?@jaaxz0)9r*d7nBJXX5qZf5|cTE~Ue#w$0df*lvC5}qHLO0Y++kSv3*iFkyp1y&FSc2%VE=Wylvi%E_T^z)VsQytjF-Ri)-6wqc6J?$1kt9?7FefL)Tw$*lTKJ>_%YTu@6|LWRn%MNYp ztM+l)U+rI2?K{BrB;ej7YYcdcBv?|E21{6)qYyuTpjpYwSQlA;A!jnO1e|q`b=%rKI^Y~#9(UcDS2OQ z{o2~fwbsqe8kvIbYX648HH=|vy0bQUtv_W6))BfFmLx(2N?YNYX8>iz*5FJ^gVCg6=`_zQT^bN{uhiQnsCj( zuCJ^PJV~_;9_PVtF^x8>zRMxA(ie& zK-AyC2UnUPz{m7!b+wNk?GVS`zOMGQ=e!U*x*yuPwzlr+Sg33xa@5vc){hOZ?_GLm z+xFU;dq#RNdd9deVj-Gr{O~X`y{+1JyZS4peA1Ibe8sR(0K2H};N6Ji?dT)=eP{<` zb;`icN?m`wyAI!fcW@|m+e8Z~K-sRy6tdV!8yX22BcWpM;Xx;q z#xCM^I=tV@%uzm5Te{Uh5OEzs{;-Y8>XwagQhYBmk4R;zcRfm#8Ql8d!RH^9GJ7S)Uf^VM+|Ftx7?yIEtcP_QimWE3;TlEFntnYFs95N`@=(fK{+1;x&{ctOt1_ zaz{f9Op0mCv}D#O{$xK7AmgwY`hqU4_{sj25QI85dgZD~G|87DM*w$Ah4f>7;OSv` zeTb0A_R^8WK-wgXI0OXn)dvSxtT&D1OrR80l#3ox88$}*H8zFM-S1 zYS?^x%1{~l82Y3sA>YCz8kLIRZ#ekq%LrjzcVm6Z=*9olern;rm9Z@{N+y1cf+V~c ztiU$3-_~j$uEI)l8&D1+z^G%asc%hG6P)Fny8R;*CyP#Avg&btTFM*Jq?A`WTiptLx*jb}-GA!;`%#dS&?cm(n$= z75UN??>c-BI!Y2VIIyg? 
zBBcl|`Fx3KZRN8xS$h@Lv8_&0W7%hKaaQ6{HSp_W)xKx!2h)S=zM3yFWPAI6)JA$7 z48TiRhDS18Pn9<-yJqkyx(+)shP2{y3UOVv4_&#Dy9_7wsAzS>riKabjfZq0%3jFR&-n7< ztHj{M7G}8Ors|UN3KHbi+>@zf^y{xZa(K)B!M!W0eYp8a@iC!w81Ee}-$SU8{+NfH ze;HRZ))pQhWv{&0Obt?rNYpA)Cb@iWt+*(3(_4 zywfbIx)!+?=9?T`cfew1s>sCVxZIWtth=08CQ%0Wz=8)tNG-;sRS9EoDvkogx=b?B z0nXyk*6h!0*o?FLm&FG$)l%)%J7} zApM+3<&r`+JBika;)JX!N$U~Fu%5g4?$*(WRb}`Q;@vLvhVYoH*I!+G@Ks!WiaY+c zc;?PW37uFkzYc+ZeV(+tw*xFl;+l>mtjhoJQFDmsWW#U>-Hh>A6`Qe9L2cQS z*s8;8U(obf41cu!!-;*ykFIaG^D2+_(UdyD0H%Fp$!CMe@8~M#lQW12xwpXw_KMRNh?PsX`A#2>0NFAOVZ>Po&APviDzW{5Hl9(W?^!e;Z+`*wRnLu~OPtcAXFee?0FB$hD3DG;0!r~GS4Q?wZdIcP(gc7(eS|u+ z^oX%7%s0HbjyWh^5IDq&$co2J-=lR>ixP1OQFP567NElMP(Ef4mvhNx?U1ZGiE(x= zq97?s431^XqJ%PhQzcJ}7l#T67ZN>69!v~MMr44>0Pexj-&V)GeUY#xp$rO<9#;hC3Xy(Dq&YTV2`}p9- zJ!)z2!KDXZ=ubaJO0TwRGd;54kkEw5&X@x?eX#>4`Y>#5UGNscvxNy|o7(X2MLWEbC*omSkPu z;4{pVlZef*S!TmeR;R;%h>A}crAZEXRJUG_jVer(b^Y{5ZMo%)I04q6K2dGcddv90 z{m?q=I!V>S8g6|NeVq7XIM7jEA^@z1*cgUhz3*=_KieS^`8Bb|P7{*auv94{+vVghKw;IkVuKrmoA5u3VH27>(bL4r+8umI|`Wb=vz#ENaPo@85{vK^sXbUrqDoR3)VILck%)wtki9WpESrN40 z;Q^Q*2{DQ_T8_rMuPa5Oy`S+g5_89>(#PqIGnAGGI$|A>pK)w;H1<_SsKdTGA_bH2 zC72Ny*6%%l&s^@pn2g1f=nNgsQaEE?F$z_b#LLmgnc}5R=F~l-BuTnt9o?deaoZhN zrYapOu*dSSx1LH04Bwe7@#;HsaOFPpwswy^ytvpAx|ft2qKS_B$>BzosypKv*AFS$ zjviJMy@0MnEh28iYvR6J<;F~8ZFiw5G98bEL0sW{rE1?p z(iG`pIyFt*PcjV+u))V{eGh6?#dDN&Joyfl7~Js$_Ly?=p-3`G$+?x{-EKQ&oyUxl ztoK@Q9#NRJ%w&2Zidzr;J_er`A$ySC-7r!s7622S z;Qi}NJSmHvu!O}XyZy3R-4es#{r9rzjmrIPBQ|{M%&p6;xx~Q+ zpZzn!4`o8Cz?707$a154&Ga>_F&i1s1< z-1PPO-qo-zeIjNf$842|@68<v#!2Tw~8j$UoljaEy*_K*Ug6%ij`xgYr~Y*3v=eSBH>tZbL|mN3m7c$ zbP1Qu{=;1u;=@~(9ee-}nh8x}p?ZPs+cmfw-H(K2 z{*?Ab5Jl6tLi74>d>P-TJubOQeDbT&%kYu|HO0LuxOeGQ$-W;rh-Ub(HqPS z<1=-s#WlCZhP;_&>DUz(uAq66DS741T;(`f zKz@97c>1-W`$~*)|L^)3ndx7CA2W7-XS0THhYntXbRJc6h$(8!rDL5SZNqDyYvd-;(B&{q8MH9iZh(36zqc;bW5uc zU%{xvUiGmrtkuvB@d=ru+$U+SR92cK=k#h{(6|bj-60YfKU0@57`bqrWQ|nsaJp{9 zXX?G%;k%uk;1Nfd^64|GUYi*#*(a0d+>1z8*1P*@8~6I&wTE7OZWKAZ#))QMCw`u- 
zYAn?zCznsqhNr&m^~&~$^(a9wf*fE6j@X8|QAd@aiF+UWQX|%m=pjLyf@tT4B*yQ~ z-e*D}CkwlmF(U{!0w&hlo^tIfIkeSgUoW`aCTnT)jOYR(E7Hw$wOsnLv0VsO*jJ#7N@VDHgQ7^_w5~A^{^2Qt(wqb zRDCa_7g=^6dSc`2ya%GDlMViqj$LcE)zSKX_ex9bw-B(Q4>Kwy?cXpX%h%TS?r~Y! z$cT%PN0r$6Uj)=|{vvqzdjmLgt%88c%Kq}N^)0VPFsI|*L(`gwO-`1;Em z2G>0xHnsgD0UCsmx7z<|wVx$sH_5x*^5>zYWdGqQR!Y&rB*`#X&Z|sTM z*9|qpenrCyXakHd0blJ--V%#fPZBGkv;xF%aW{biBVk6xz|_i8wo)I_l-F+GSzCt7 z>cn(Yz{>QYC!TRE>zW}fu!sW!P%rC*q!gcaF1QxW{x`8o$k!)WB)&RKZ<_GS=+VAb zjh@e;X(2f^!$E`FDcc*ZJjbusc?T*YTpZ6u8qGeGX!DGlo>_BE_$-l23(A@m4lMXC;|<>QLDnFKtjY;-&^l=fWK*$!{UQnM*r z=sDg^oarHj*-4_3M2kC7p4a7wJR?P0$0WhJ8Bb%~6PX%P)-MidQw>C%LV!$GhXF-} z++LJaznnXg3CG}P=We@n4iCFH7NvyijbVUhwgpRxAxshk*J*9}z3iXjB|fPJzfNOh zKgKrMWsmsBZKCFhYSUwg2A7C|H|N`s{9U%b9oqsX5|>2lw;5K6DrHE_*kh(f2`J(h z$xug$TrnPvkS=J7P(-^TGw8Xh@sf~JYN^Ge>>kO(4?R4%W7FWvxDS4;)|Y6*DdK6% z9swJA2Oq$X#slAH*3sounAS#%bQl)DT4H@0Zo>&fipt59XT6aB(L+(FsAeE;y90>hx%JV4bNF z+&FyH%>L@YHsLU`m1el$b;}71Jm+>Yc!%4si0ra58{;xkMQ)i{3%J=pB55Y_C#uSS zA6wvd@Co*{p!Y`f(6S+^?f+eCF0aeBZmQo$Ao*sT{{0w@!EM|dnmwRhxqQ^qxQz0k zL!Q#-n%u`ehkK0cD&#-Z-O4Nn0*Oqgi;xu z9k;2DieAelBqYJ=7s{|1L<_?hc_qyg0W>RUE2sF--4Uv+B8_6#_aVR>EN=(0#F`S_?MicPHKj>CFlDBFeO7amYqw!kM@ zT-tZIPcO?j$qV^t>5xIQAl6{-OlqX&jz(4#q16(X{7>6wDl^@`+SV*tAy{!}#|pnf z>2~oXe$+6;LvDx~5o*7unIEpQl>N>MfvFeicY1`%AMr>5l4DL!P-;zvH%)Hj-=D9DSu0= zdYkAggy(8q$GJiO+#A>pZfC{?3n!kan*+c3%9f^F942Zc@hTfn$S4Qy?RG01?aLyU z@7ASbSKK^cxsY>2Ku=I*Yw?}9hbyO^2GNd6D~<=^M?@i%w(~LRPVD<_&uCED1tb{* z5f_M;R5P-;CL?$9OH=RLHheysKGEO4av9kb*8X7?3sRXvTVV6N5Jj@2W|+~X8lYkb zSRD6zmAx27Pp!WirT6d-?YQsIYkO)>$=B7EK9@lu^vG;zBOcz*>wjwxz3`GT9+@>y z@4+Xx*k)!QYh*vhvO3}{OXK(k*u$j!lixv5+eqf=cJ0REbum`|)Mc+iqSuEU4-%#` zEGA~9+to;vh2PJA7yzb{d$G~7b#rHO*<|&?i`qu+PpMtiWxGjx$`&f|6&p3x5v}CM zOyzpw6MlhnQ>2$Nt?!Oxr$Np$dQUfs2OZmO_6f76>vnefXcc~Gu)n>&3bzyBn5t+b z!WkJ2A;M7I!^ML;b{~G^Vf!CGN!@ADE)xbFdW~(&XoHN~6RjjGkL`0psNd)nd(qZ! 
z?a((@!-FrZIe0hk(xL&-PDy-xcxfN6De5}XEIqlUD&GmwUBUdJArTKk!55_!#T!UE zr#tNWekF&~F%+crd*L(Y)vPU=Q^{m;#ZlCnmiJ#?t=Yat?(Q$QuSZpD;uToZfGx(` zy|LJ{&i!C2?QLy7iDY783%rOhx@T}D^SC^492&W4b~{UUcu^vc?=fVC*>P_nD0VCL(B*dBjX9zY)CtvNnsk zG>LodH_ExB-rr4q0+(J{0qI&M;%<|zJv1HJD}+X>)NSXF^=JGZPx8jAS1ZYr*4MOf zMt)gh+il8*`+#nPPPkX!(sk1R|9!QM2%2&*wK&VyccaAxxwXvF^D^2|h+I#tINmnl za&^gZi=~WyYZbGeS}CRTzkh{_^$pz5WbHzVFA;lUmMCD4d?mlirrdB{S($`v3N(s? z$dbn!A#vpG#g$AesQVEET7^P*AE?0kZ=xxBI-1;+TMCwYirXNXn)!y6@s}L?4jqxr zOQgAu__|hVK>iJoNnx6nnePZIYwJ@<-W!OQDomEPWPHasN|Bhw7RpvV+$#$8s~+A> zi#QI_?UNtpzgHC*a(C{uTe_!EIZ85G=cJ4?))>b0zJQAceTF3MrLJ*VC~5I1tce=( z-j=9~hK*m;bp|BzFb^+X?wn7`M6Q)t7$#D0cPuA&%=a?=*Ia$?{e~`>&~|pgygtdf zUEdlG>m*6p=eVkd4vl}Q&+l5=WuG24huiz4>VN9(y(lhGKeN6j4W-&jeT)koL15P~ z5;ph6bi8x?X)F6aO451%Ibs~QUH)rp$53m!H^a8D*nig8LZv88EXCw@oei0p`Wz7b z^8URGt<_USD63tj2|`B8%tNY*-E%R_(msWD(yj!E1P8G7D%(&9q1Kvp!fS(~2sz7e zz76YiD$kB)rhxQwY{7=Kn*JVgX3(inCDSvlv8TEvySz>vk~jKzvQVGqgXDQjx2eBF z2T|t?`nQae5%@0wAfqE!onGN(;L+>KN2(}ZzpeJOixH#$R5kM<%+*{^$#A61QoZ(a z?(;1}2wms9Id@PmsCA6=b>^6DhUHlI4wx^e)LYhXLjNXT>hxi(C|J*kb(%ENhk6^# zy<`?MlW&9g;}!Ta{=7w&uScj(w#nrl_SCCe=j4f|v>!s;-pT^07f=Y@k^qtWgh#2)|0 zN7~vPGkL0_%jiqk(MO|wx;g$EF`uorg@|U|Uh;aO- zuR{-8gik+P_wDn~b>E2g?PZF@Ux;pWv+n!QzDWF4Xn&slB(%Snd=J`R$b1YsbIra4 oow*W!20C*!^$qCEb$tLjdx5V%XD&pae)bpr3^(}vvoG-f0loQfjQ{`u literal 0 HcmV?d00001 diff --git a/po/ja.po b/po/ja.po new file mode 100644 index 0000000..a266d44 --- /dev/null +++ b/po/ja.po 
@@ -0,0 +1,2847 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Tomoyuki KATO , 2012-2013
+# Noriko Mizumoto , 2016. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2016-08-18 08:06+0000\n"
+"Last-Translator: Noriko Mizumoto \n"
+"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
+"ja/)\n"
+"Language: ja\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "デバッグのロギングの冗長性を設定する"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "デバッグログにタイムスタンプを含める"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr "デバッグログにミリ秒単位のタイムスタンプを含める"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "デバッグメッセージをログファイルに書き込む"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "サービス開始のコマンド"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "データプロバイダーの接続を試行する回数"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr "このレスポンダーににより開かれるファイル記述子の数"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "クライアントの自動切断までのアイドル時間"
+
+#: 
src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "開始する SSSD サービス"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "開始する SSSD ドメイン"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "SBUS 経由のメッセージ送信のタイムアウト"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "ユーザー名とドメインを構文解析する正規表現"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "完全修飾名を表示するための printf 互換の形式"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"SSSD が Kerberos リプレイキャッシュファイルを保存するファイルシステムのディレ"
+"クトリです。"
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "domain 要素なしで追加するドメインの名前。"
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "列挙キャッシュのタイムアウト(秒)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "エントリーキャッシュのバックグラウンド更新のタイムアウト時間(秒)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "ネガティブキャッシュのタイムアウト(秒)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "SSSD が明示的に無視するユーザー"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "SSSD が明示的に無視するグループ"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "フィルターされたユーザーをグループに表示する"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "NSS プロバイダーが返すパスワード項目の値"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr "識別プロバイダーからのホームディレクトリーの値をこの値で上書きする"
+
+#: 
src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"アイデンティティプロバイダーからの空のホームディレクトリーをこの値で置き換え"
+"ます"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr "アイデンティティプロバイダーからのシェル値をこの値で上書きします"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr "ユーザーがログインを許可されるシェルの一覧"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr "拒否されてフォールバックシェルで置き換えられるシェルの一覧"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"中央ディレクトリーに保存されたシェルが許可されるが、利用できない場合、この"
+"フォールバックを使用する"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "プロバイダーが一覧に持っていないとき使用するシェル"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "メモリー内のキャッシュレコードが有効な期間"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr "オンラインログイン中にキャッシュによるログインが許容される期間(日数)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "オフラインのときに許容されるログイン試行失敗回数"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr "offline_failed_login_attempts に達した後にログインを拒否する時間(分)"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr "認証中にユーザーに表示されるメッセージの種類"
+
+#: 
src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr "PAM 要求に対してキャッシュされた認証情報を保持する秒数"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr "警告が表示されるパスワード失効前の日数"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr "sudo ルールにおいて時間による属性を評価するかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr "known_hosts ファイルにおいてホスト名とアドレスをハッシュ化するかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr "ホスト鍵が要求された後 known_hosts ファイルにホストを保持する秒数"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr "PAC レスポンダーへのアクセスが許可された UID またはユーザー名の一覧"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value 
defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "アイデンティティプロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "認証プロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "アクセス制御プロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "パスワード変更プロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "SUDO プロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Autofs 
プロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "ホスト識別プロバイダー"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "最小ユーザー ID"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "最大ユーザー ID"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "すべてのユーザー・グループの列挙を有効にする"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "オフラインログインのためにクレディンシャルをキャッシュする"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "パスワードハッシュを保存する"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "ユーザー・グループを完全修飾形式で表示する"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr "グループ検索にグループメンバーを含めない"
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "エントリーキャッシュのタイムアウト長(秒)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr "DNS 検索を実行するときに特定のアドレスファミリーを制限または優先します"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr "最終ログイン成功時からキャッシュエントリーを保持する日数"
+
+#: 
src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr "サーバーを名前解決するときに DNS から応答を待つ時間(秒)"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "サービス検索 DNS クエリーのドメイン部分"
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr "識別プロバイダーからの GID 値をこの値で上書きする"
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr "ユーザー名が大文字小文字を区別するよう取り扱う"
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr "期限切れのエントリーがバックグラウンドで更新される頻度"
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr "自動的にクライアントの DNS エントリーを更新するかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr "クライアントの DNS 項目を更新後、適用する TTL"
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr "動的 DNS 更新のために使用される IP のインターフェース"
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr "どのくらい定期的にクライアントの DNS エントリーを更新するか"
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+"プロバイダーが同じように PTR レコードを明示的に更新する必要があるかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr "nsupdate ユーティリティが標準で TCP を使用するかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr "DNS 更新を実行するために使用すべき認証の種類"
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid 
"Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "IPA ドメイン"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "IPA サーバーのアドレス"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr "バックアップ IPA サーバーのアドレス"
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr "IPA クライアントのホスト名"
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr "FreeIPA にあるクライアントの DNS エントリーを自動的に更新するかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr "HBAC 関連オブジェクトの検索ベース"
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr "IPA サーバーに対する HBAC ルールを検索している間の合計時間"
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr "IPA サーバーに対する SELinux マップの検索の間の秒単位の合計時間"
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr "もし偽に設定されていると、 PAM 
により渡されたホスト引数は無視されます"
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr "この IPA クライアントが使用している automounter の場所"
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr "IPA ドメインに関する情報を含むオブジェクトに対する検索ベース"
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr "ID 範囲に関する情報を含むオブジェクトに対する検索ベース"
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr "DNS サイトの有効化 - 位置にサービス探索"
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr "Active 
Directory ドメイン"
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr "Active Directory サーバーアドレス"
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr "Active Directory バックアップサーバーのアドレス"
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr "Active Directory クライアントホスト名"
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "アクセス権限を決めるための LDAP フィルター"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Kerberos サーバーのアドレス"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr "Kerberos バックアップサーバーのアドレス"
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr "Kerberos レルム"
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr "認証のタイムアウト"
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr "kdcinfo ファイルを作成するかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr "クレディンシャルのキャッシュを保存するディレクトリー"
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr "ユーザーのクレディンシャルキャッシュの位置"
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr "クレディンシャルを検証するキーテーブルの場所"
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr "クレディンシャルの検証を有効にする"
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr "後からオンライン認証するためにオフラインの場合にパスワードを保存します"
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr "更新可能な TGT の有効期間"
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr "TGT の有効期間"
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr "更新を確認する間隔"
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr "FAST を有効にする"
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr "FAST に使用するプリンシパルを選択する"
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr "プリンシパル正規化を有効にする"
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr "エンタープライズ・プリンシパルの有効化"
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr "KDC になければ、パスワード変更サービスが実行されているサーバー"
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, LDAP サーバーの URI"
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr "ldap_backup_uri, LDAP サーバーの URI"
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "デフォルトのベース DN"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "LDAP サーバーにおいて使用中のスキーマ形式, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "デフォルトのバインド DN"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr "デフォルトのバインド DN の認証トークンの種類"
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr "デフォルトのバインド 
DN の認証トークン"
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "接続を試行する時間"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr "LDAP 同期操作を試行する時間"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr "オフラインの間に再接続を試行する時間"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr "レルム名に対して大文字のみを使用する"
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "CA 証明書を含むファイル"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "CA 証明書のディレクトリーのパス"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr "クライアント証明書を含むファイル"
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr "クライアントの鍵を含むファイル"
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr "利用可能な暗号の一覧"
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "TLS 証明書の検証を要求する"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "使用する SASL メカニズムを指定する"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "使用する SASL 認可 ID を指定する"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr "使用する SASL 認可レルムを指定する"
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr "LDAP SASL 認可の最小 SSF を指定する"
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Kerberos サービスのキーテーブル"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "LDAP 接続に対して Kerberos 
認証を使用する"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "LDAP リフェラルにしたがう"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "LDAP 接続の TGT の有効期間"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr "エイリアスを参照解決する方法"
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr "DNS サービス検索のサービス名"
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr "単一の LDAP 問い合わせにおいて取得するレコード数"
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr "完全な参照解決を引き起こすために欠けている必要があるメンバーの数"
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+"LDAP ライブラリーが SASL バインド中にホスト名を正規化するために逆引きを実行す"
+"るかどうか"
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr "entryUSN 属性"
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr "lastUSN 属性"
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr "LDAP サーバーを切断する前に接続を保持する時間"
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr "LDAP ページング制御を無効化する"
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr "Active Directory 範囲の取得の無効化"
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "検索要求を待つ時間"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr "列挙の要求を待つ時間"
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "列挙の更新間隔"
+
+#: 
src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "キャッシュをクリーンアップする間隔"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "ID 検索に TLS を要求する"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr "事前設定済み ID の代わりに objectSID の ID マッピングを使用します"
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "ユーザー検索のベース DN"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "ユーザー検索の範囲"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "ユーザー検索のフィルター"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "ユーザーのオブジェクトクラス"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "ユーザー名の属性"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "UID の属性"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "プライマリー GID の属性"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "GECOS の属性"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "ホームディレクトリの属性"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "シェルの属性"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr "objectSID 属性"
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr "ID マッピングの Active Directory プライマリーグループ属性"
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "ユーザープリンシパルの属性(Kerberos 用)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "氏名"
+
+#: 
src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "memberOf 属性" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "変更日時の属性" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "shadowLastChange 属性" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "shadowMin 属性" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "shadowMax 属性" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "shadowWarning 属性" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "shadowInactive 属性" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "shadowExpire 属性" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "shadowFlag 属性" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "認可された PAM サービスを一覧化する属性" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "認可されたサーバーホストを一覧化する属性" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "krbLastPwdChange 属性" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "krbPasswordExpiration 属性" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "サーバー側パスワードポリシーが有効であることを意味する属性" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "AD の accountExpires 属性" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "AD の userAccountControl 属性" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid 
"nsAccountLock attribute" +msgstr "nsAccountLock 属性" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "NDS の loginDisabled 属性" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "NDS の loginExpirationTime 属性" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "NDS の loginAllowedTimeMap 属性" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "SSH 公開鍵の属性" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "グループ検索のベース DN" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "グループのオブジェクトクラス" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "グループ名" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "グループのパスワード" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "GID 属性" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "グループメンバー属性" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "グループの変更日時の属性" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member 
attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "ネットグループ検索のベース DN" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "ネットグループのオブジェクトクラス" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "ネットグループ名" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "ネットグループメンバーの属性" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "ネットグループの三つ組の属性" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "ネットグループの変更日時の属性" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "サービス検索のベース DN" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "サービスのオブジェクトクラス" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "サービス名の属性" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "サービスポートの属性" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "サービスプロトコルの属性" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "ID マッピングの下限" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "ID マッピングの上限" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "ID マッピングするとき、各スライスに対する ID の数" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "ID マッピングに対する autorid 互換アルゴリズムを使用します" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "ID マッピングに対するデフォルトドメインの名前" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the 
default domain for ID-mapping" +msgstr "ID マッピングに対するデフォルトドメインの SID" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "グループ検索のために LDAP_MATCHING_RULE_IN_CHAIN を使用します" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "初期グループの検索のために LDAP_MATCHING_RULE_IN_CHAIN を使用します" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "LDAP サーバーから許可される ID の下限の設定" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "LDAP サーバーから許可される ID の上限の設定" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "パスワード失効の評価のポリシー" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "どの属性がアカウントが失効しているかを評価するために使用されるか" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "どのルールがアクセス制御を評価するために使用されるか" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "パスワードの変更が許可される LDAP サーバーの URI" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "パスワードの変更が許可されるバックアップ LDAP サーバーの URI" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "LDAP パスワードの変更サーバーの DNS 
サービス名" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "パスワード変更後 ldap_user_shadow_last_change 属性を更新するかどうか" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "sudo ルール検索のベース DN" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "自動的な完全更新間隔" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "自動的なスマート更新間隔" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" +"ホスト名、IP アドレスおよびネットワークによるフィルタールールを使用するかどう" +"か" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" +"sudo ルールをフィルターするこのマシンのホスト名および/または完全修飾ドメイン" +"名" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" +"sudo ルールをフィルターするこのマシンの IPv4 または IPv6 アドレスまたはネット" +"ワーク" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "ホスト属性にネットワークグループを含むルールを含めるかどうか" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "ホスト属性に正規表現を含むルールを含めるかどうか" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "sudo ルールのオブジェクトクラス" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "sudo ルール名" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "sudo ルールのコマンドの属性" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "sudo ルールのホストの属性" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "sudo ルールのユーザーの属性" + +#: 
src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "sudo ルールのオプションの属性" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "sudo ルールの runasuser の属性" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "sudo ルールの runasgroup の属性" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "sudo ルールの notbefore の属性" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "sudo ルールの notafter の属性" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "sudo ルールの order の属性" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "automounter マップのオブジェクトクラス" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "オートマウントのマップ名の属性" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "automounter マップエントリーのオブジェクトクラス" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "automounter マップエントリーのキー属性" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "automounter マップエントリーの値属性" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "automonter のマップ検索のベース DN" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "許可ユーザーのカンマ区切り一覧" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "禁止ユーザーのカンマ区切り一覧" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "デフォルトのシェル, /bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr 
"ホームディレクトリーのベース" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "使用する NSS ライブラリーの名前" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "可能ならばキャッシュから正規化されたグループ名を検索するかどうか" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "使用する PAM スタック" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "デーモンとして実行(デフォルト)" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "対話的に実行(デーモンではない)" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "非標準の設定ファイルの指定" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "バージョン番号を表示して終了する" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "デバッグレベル" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "デバッグのタイムスタンプを追加する" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "タイムスタンプをミリ秒単位で表示する" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "デバッグログのオープンファイルディスクリプター" + +#: src/providers/krb5/krb5_child.c:3225 
src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." +msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "情報プロバイダーのドメイン (必須)" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "特権ソケットの所有者またはパーミッションが誤っています。" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "公開ソケットの所有者またはパーミッションが誤っています。" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "サーバーのクレディンシャルメッセージの予期しない形式です。" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "SSSD は root により実行されません。" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "エラーが発生しましたが、説明がありませんでした。" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "エラーの説明を検索中に予期しないエラーが発生しました" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "サーバーのメッセージ: " + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "パスワードが一致しません" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "root によるパスワードのリセットはサポートされません。" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "キャッシュされているクレディンシャルを用いて認証されました" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "、キャッシュされたパスワードが失効します: " + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "パスワードの期限が切れています。あと %1$d 回ログインできます。" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "あなたのパスワードは %1$d %2$s に期限切れになります。" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "次まで認証が拒否されます: " + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "システムがオフラインです、パスワード変更ができません" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. 
" +msgstr "パスワードの変更に失敗しました。 " + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "新しいパスワード: " + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "新しいパスワードの再入力: " + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "パスワード: " + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "現在のパスワード: " + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "パスワードの期限が切れました。いますぐパスワードを変更してください。" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "実行するデバッグレベル" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "使用する SSSD ドメイン" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "ロケールの設定中にエラーが発生しました\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "十分なメモリーがありません\n" + +#: 
src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "ユーザーが指定されていません\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "公開鍵の検索中にエラーが発生しました\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "ホストへの接続に使用するポート" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "無効なポート\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "ホストが指定されていません\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "プロキシーコマンドへのパスは絶対パスにする必要があります\n" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "ユーザーの UID" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "コメント文字列" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "ホームディレクトリー" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "ログインシェル" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "グループ" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "ユーザーのディレクトリーが存在しなければ作成する" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "ユーザーのディレクトリーを作成しない、設定を上書きする" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "代替のスケルトンディレクトリーを指定する" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "ユーザーのログインに対する SELinux ユーザー" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "追加するグループを指定してください\n" + +#: 
src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "追加するユーザーを指定してください\n" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" +"ツールを初期化中にエラーが発生しました - ローカルドメインがありません\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "ツールを初期化中にエラーが発生しました\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "FQDN で指定されたドメインが無効です\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "パラメーターを解析中に内部エラーが発生しました\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "グループがユーザーと同じドメインになければいけません\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "ローカルドメインにグループ %1$s を見つけられません\n" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "デフォルト値を設定できません\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "選択された UID は許容される範囲を越えています\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "SELinux ログインコンテキストを設定できません\n" + 
+#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "ユーザーに関する情報を取得できません\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"ユーザーのホームディレクトリーがすでに存在します、スケルトンディレクトリーか" +"らデータをコピーしません\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "ユーザーのホームディレクトリーを作成できません: %1$s\n" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "ユーザーのメールスプールを作成できません: %1$s\n" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "ユーザーに ID を割り当てられませんでした - ドメインがいっぱいですか?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "同じ名前または ID を持つユーザーまたはグループがすでに存在します\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "トランザクションエラー。ユーザーを追加できませんでした。\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "グループの GID" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "追加するグループを指定してください\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "選択された GID は許容される範囲を越えています\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "グループに ID を割り当てられませんでした - ドメインがいっぱいですか?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "同じ名前または GID を持つグループがすでに存在します\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "トランザクションエラー。グループを追加できませんでした。\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "削除するグループを指定してください\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "グループ %1$s はドメインに対して定義された ID の範囲を越えています\n" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" +"NSS リクエストに失敗しました (%1$d)。項目はメモリーキャッシュに残されます。\n" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"そのようなグループはローカルドメインにありません。グループの削除はローカルド" +"メインにおいてのみ許可されます。\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "内部エラー。グループを削除できませんでした。\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "このグループに追加するグループ" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "このグループから削除するグループ" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "削除するグループを指定してください\n" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "変更するグループを指定してください\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"ローカルドメインにグループが見つかりませんでした。グループの変更はローカルド" +"メインにおいてのみ許可されます\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "メンバーグループが親グループと同じドメインにある必要があります\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, 
c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" +"ローカルドメインにグループ %1$s が見つかりません。ローカルドメインにあるグ" +"ループのみが許可されます\n" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"グループを変更できませんでした - メンバーグループ名が正しいかを確認してくださ" +"い\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" +"グループを変更できませんでした - グループ名が正しいかを確認してください\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. Could not modify group.\n" +msgstr "トランザクションエラー。グループを変更できませんでした。\n" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "%1$s%2$s グループ: %3$s\n" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "マジックプライベート " + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "%1$s GID 番号: %2$d\n" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "%1$s メンバーユーザー: " + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" +"\n" +"%1$s は次のメンバー: " + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" +"\n" +"%1$s メンバーグループ: " + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "間接グループメンバーを再帰的に表示する" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "表示するグループを指定してください\n" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" +"そのようなグループはローカルドメインにありません。グループの表示はローカルド" +"メインにおいてのみ許可されます。\n" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. 
Could not print group.\n"
+msgstr "内部エラー。グループを表示できませんでした。\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "ホームディレクトリーとメールスプールを削除する"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "ホームディレクトリーとメールスプールを削除しない"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "ユーザーにより所有されていないファイルの強制削除"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "ユーザーを削除する前にそのユーザーのプロセスを強制停止する"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "削除するユーザーを指定する\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr "ユーザー %1$s はドメインに対して定義された ID の範囲を超えています\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "SELinux ログインコンテキストをリセットできません\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+"警告: ユーザー (uid %1$lu) が削除されたときにまだログインしていました。\n"
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+"ユーザーがこのプラットフォームにログインしていたかを確認できませんでした"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "ユーザーがログインしていたかを確認中にエラーが発生しました\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr "削除後コマンドの実行に失敗しました: %1$s\n"
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr ""
+"ホームディレクトリーを削除していません - ユーザーにより所有されていません\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr "ホームディレクトリーを削除できません: %1$s\n"
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"そのようなユーザーはローカルドメインにいません。ユーザーの削除はローカルドメ"
+"インにおいてのみ許可されます。\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "内部エラー。ユーザーを削除できませんでした。\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "ユーザーの GID"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "このユーザーを追加するグループ"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "このユーザーを削除するグループ"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "アカウントをロックする"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "アカウントをロック解除する"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "変更するユーザーを指定してください\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"ローカルドメインにユーザーを見つけられません。ユーザーの変更はローカルドメイ"
+"ンにおいてのみ許可されます。\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"ユーザーを変更できませんでした - グループ名が正しいかを確認してください\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+"ユーザーを変更できませんでした - ユーザーはすでにグループのメンバーですか?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "トランザクションエラー。ユーザーを変更できませんでした。\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr "指定された検索に一致するキャッシュオブジェクトがありません\n"
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr "特定のユーザーを無効にする"
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr "すべてのユーザーを無効にする"
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr "特定のグループを無効にする"
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr "すべてのグループを無効にする"
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr "特定のネットワークグループを無効にする"
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr "すべてのネットワークグループを無効にする"
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr "特定のサービスの無効化"
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr "すべてのサービスの無効化"
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr "特定の autofs マップの無効化"
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr "すべての autofs マップの無効化"
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr "特定のドメインのみからエントリーを無効にする"
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr "無効化するオブジェクトを少なくとも一つ選択してください\n"
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+"ドメイン %1$s を開けませんでした。ドメインがサブドメイン (信頼済みドメイン) "
+"であれば、--domain/-d パラメーターの代わりに完全修飾名を使用してください。\n"
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr "利用可能なドメインを開けませんでした\n"
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+"名前 '%1$s' が FQDN であるように見えません ('%2$s = TRUE' が設定されます)\n"
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "メモリー不足\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr "%1$s は root として実行する必要があります\n"
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr "\n"
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" diff --git a/po/nb.gmo b/po/nb.gmo new file mode 100644 index 0000000000000000000000000000000000000000..e2a147ce068dcd31aa0740add477198c755fc91e GIT binary patch literal 1557 zcmZ{jTW=dh6vr0`moE3FT!gp`Pi<9=*G>(JHU!mi(#lHRTJg3*yv^=RoT+zbteIIm z?jzrzLcH->2_!xMydg#K33x>C#s}b$C;qd$iAhCAI{xjPJ$ufXkZiZ zuy0}S_~&QvgLMr0{j%XB@NMkB2iL)$!4Uinya@gYz6t&fz6P#6TYtX}zK;F1hFjpf z*zbdHfgJRCAA*;`N1)H~6X@f9SgYUv0)Bw~@1Xbp1N!>w&)0Q71brWE(4VOfz6U0a zUpM}*z)SFd4f=fFfggdtf-Ueb5aokcVZLva30{Etb)iP^BKQjIB^cTao`d=2`|-8? z@-uiDhIHpwFUy3rB-6?nos*f-bIFAXdZjxO%E^p5snt{cP8LF!E*Ok@B+DhfAV=Cd z#R^gRxGtDf)uR<=E(~Fu8&nJi+^2WTRqB0VQem_uMzFjH&bCi{IAq7NC<{`;PX@ce zP^xqL5wmuo4JX+VQxmbuKOT>F$!^tBQYn>$uy@I+_@!Y|flEG3o1>6r7|>@+DKuG4fef zd1$(%4=c}&8or;;!`m2WiAm5zup%aRv{{IWWQy$QX>sy6Cs&S~o5fMISS(u3*O7RIBLs5Bf7hI^}Fc3SPQkK2jS(_}fr44gQ2(JaTk z+VcOgvBGWNOK#H5Rh%zx7BTZ5(bIPC+OZzYt7_N=IOH0jK9;kmndn^+==9t%~Mly zUR@_v`olC~0d9@6ip^E^4mzUKN=IHZ6!JkA)uVe*^;3xlo?1P^t;(G0h3dkbJmw-u z{`*Ch{WK&PyOSRc?ioQ>Q_QKB(Rqj05oDAuofBtg@oH(hGQ{eF*eT0vB?((;iB^pw Z)&IPIauS8e{l9Y>DinvvDt%Sj`WHJYw-^8b literal 0 HcmV?d00001 diff --git a/po/nb.po b/po/nb.po new file mode 100644 index 0000000..b1d4584 --- /dev/null +++ b/po/nb.po 
@@ -0,0 +1,2800 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Kjartan Maraas , 2012
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2014-12-14 11:46+0000\n"
+"Last-Translator: Copied by Zanata \n"
+"Language-Team: Norwegian Bokmål (http://www.transifex.com/projects/p/sssd/"
+"language/nb/)\n"
+"Language: nb\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "SSSD-tjenester som skal startes"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "SSSD-domener som skal startes"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Tidsavbrudd for meldinger som sendes over SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets 
would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "Identitetstilbyder" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "Autentiseringstilbyder" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "Tilgangskontrolltilbyder" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "Passordbyttetilbyder" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "Minste bruker-ID" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "Største bruker-ID" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from 
the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA-domene" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA-tjeneradresse" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "Vertsnavn for IPA-klient" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of 
the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Tjeneradresse for Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Kerberos-område" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Tidsavbrudd for 
autentisering" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 
+msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" 
+ +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 
certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. 
Change your password now." +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 
+msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" 
+msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid 
"Transaction error. Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while 
checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" 
diff --git a/po/nl.gmo b/po/nl.gmo new file mode 100644 index 0000000000000000000000000000000000000000..6cf7081d8519a627d0d66a11636becf614fbe689 GIT binary patch literal 42204 zcmbuI34C2wb?y&CQsRV=iA-cTneD`q**44e@4pwC5 zFr<_)gcQp33N)n@Xenh#nVPoD&<8CoEkg?}P@wNY3oVqEvG4z_wf8yaN>{e?s$X`# zd(PS8+H0@1_S%ELcETfHmGF1>!;<6-aMv+Oa@50<I2n&%<# zY;X}&d9MXkzjuO{gMSWQ4E{HGGkEcNNwNl<3-}x01w8*5n1bH{RqmtCPm+_t6nqSL zHFzet1w0GPK%you0G0lC!~4&L_x}Q_-N*A$^|=Im9Jm!!`YI^WJs(uOHw1hDRK9-+ zs@^{W)&8^j-*w<-Q1rSB90T7D?gD=X?gYp9D0zP zG6eEpGR^-~pI3mQ+uOj)z^{U$^KlSu2;2%@3;r6Y_a6h5@6W*(foD^ zfNJl_1K!@t!DD#d1FGMuAS{sF1zrWd1ys3z4^p+{VPvj&Yr%EkE#dh9sQ!6Pc>iut z`FsPU$;lB!R{Ph1;+xw*@plbW{hk9J1^yoR81Mn`(cmXQ)#D4G`0Qwivk)qt}4y$M=FM_!pq)_5)Dqk7F>YKhFl0|25!=;0{oHG70Vm9{{fh zkAbKfA0yxv@E&k8_yv%rCXa*2dcFnJ_`DZ<68IT#6L`TD&Y!cO_~Nag>h}-eiQrE` zweQ#~oi9!UmET(Mc(4r;C3zuuJNQ9R{C+${qDjeiFa@6ticj7M!qUm7!t)Qp^Jx^W z{uly9=SfiYcslr4@E%Zf`7Q7i@I&B9;9r9&_|Kr|dlZe-IK2QAUkroFXCl0R7AQKu z0aQNk2>4M@{q%RB`t1k?%LedLP~&YD)cbou@!y9*nwoqaR69>0viN-~sBzl?MZed8 zj|YDbR6lW>yIG!H?6I=+M z4XXZ|!5hJOkpGf*h4=pgs=QNfaQfZ|p2qWbQ29)Quypc#Q02Y{WQZjn0k?xc2>5s! 
zb1TpHfG2=o0!5eaf*Lm`Q#f6bYy{Qc&j8i0zYVIKPk<+b-vCwqPry^b6L0cHyuE^r9^Q;;Od!+8+hZU&WpJYXGEKfDk$xde)TzXGb34_ zM?vw~BB*pP2hRlG532mX1=ZgtZFGHi3#j~_37!ky2Z}Eq0G00V!t+l+_2*f`@CJA- zcoujUsB+#6s{Wq=RsJ_Y<@=NH{x}Ay#={y=->(MG2e*Twb1UH6!3%i)1}M5bib2ZH zk&9|K{rPZ(jt(AHM_# z!Slx)$HD7(z6)dsCl7+>fxiGR0?)b4`)35ya|^r#d>wc(_z6(-_&4y;;E6jupL4)# zczzlvetIpadVd}~0X$;d`{7jZGM+C7Rlg~4J$MgzCHNqycKirb`RDKQ_uIe|dAL0M8hG^WUe7M5@9zY!0)Ge&ffw&_xm^cE zr+Yy4$EU!Xz$58g#oGd^zh4ZBj(-DEmE@!+djHhGD|!BXFa^H}s=prjB(MJ#P<+?~ zRsWZPr-N?>&jvpX9uNLKDEj{^sPTOI9ga7GN?#4n&j*#y?}Dd*9|A?MzXneRzXP5G z{t`SDJn_k1-da%cwgkKbRQe`(E_gTi?T2B%ft3(hK+)l);I-g~K(+5bK&3x>&dVDGMfW>E(R~qA{MUmQ zf`0=l|DS^wfvX!Xx5vP>Jiin?7yKY7Iq=o+{-mbYcL-F!?E{tmWuV&k0C)@ddGJ{9 zjCtpyOTb6-d>wcrI0A~#Ukt7S?+1?q-wFN-_$T0I@ROkGdF<1@og2VQd9H%1!B>Un z2SMfkeNf}%7of)XV_RO%T9B?yHiM%7J3;0Dh_>4!w}1?>*VZik}&j>d%=z1zk9uLm`5pBQivOnH7SsPrEMMdvSpCxPDvPXT`hZUs+#hWF2t!96^` z6cnF)3lv`+^-M4SDsX`3ouJzJTu^-Zu7FF3tq?b%fQRP&w!%i zFTkV0I53;Ny7yIH>x49aQ;8JjeNWEjYyU0;qa^0K6Fd z4yg8@@LbmyX~1hi@xe||{r+lj1biEaXh?ntBBGL~JdZrVkAiC7b$3xW@HSBW`daXE z@Z+Gy^-sWa!SkN)^xq7g#&Z=s1AKOPem$u6ybrtr{5+`qk9>ja*E2wsvlqMxd@HE* z{|u(!5ij)oF9g*e!{Ak52RsIR2Y5F4e()^tOQ6d6Pf-23_C;Ra6G7F#2`c{m;4t`6 za0B?LyZ!q{@I0Ouz{i8H2QLJ_0;;_a`&Fm+`QQaS?*J#kE_f#RWl-h*C#d?I|6-Rz z8w1XQ%I7{%{q+E-{67Y&AHNG;3!eOIUav7w{PYq~eDfeU0)7@e89e1Bo_-M2^KS5T zunyh`-VF|dpA64G1~uNVy2tgvW>Dol6I8t(02Tks;rUT7b$VSA@K!M8`z)ybxCa!y zKMbn9{|2gmj(eHsy9KRe58qF?*W;}RRi80X z8^A}r()}?*;Hf;n0o(|_54;`x3Ahd%yU+RMxuELzC!qM_bKptfj{+X`>(2LQfl6Ni zZvo#ADxXKZ%H`?h;3&@-cpLa$Q1Om@wb%1D@Cu$^2wnny5WE`vcEGcK!@u7SZsz?< zK+*fJz$?L@fos9_uW`BfRB(XjmxJrUKMwD|4?ddb^tJA17zDTQ{7mp_@MECH$vspJa$f<8t`CCh&xgOk`QaQ;{V)Qa0NxD_ zg0BO&gP#U>f~Wj1m-G9;I?wL`H-PDHI^F>e@%(CV4Ez#!F}UW9PS;(aD@>xqR+|`u=I~4)EAF`+Q;_sD60>TmwGrw|snF0*c;U@NDomLDm03@O1F=;r;i( z<9R;jey`72;CVccfa0GyQ0ear&+h@1&zC{b`+MMt;3I$A$N#C|Nj$FuPX&iTmG=}- z@$L+G52*BS0?z~A4?YZ3nQtP{o&LwmMSlGgVTj-2ore>i&+jIvzi0FNa`3qX@zl`- z{aw!c?}9G?pJZ?Rf6p%czLjrh67(m2R-O0jA^iOW{8NHxtG`DRm#QWwf~xl}z2xs) 
z!tWA}=KZmRy@clxE+$+^7$Cfh?;j$(jIfhu{mp~o%jXd$_$}VQ0#qN5fa0NlCg|@{ zg2uuVdH+npZ3K*N@W+H76ZH2ihol{F7iq2| ze1zu;_#*IYgfj_4gfZSd0^CTb^ZOb?{M!8jZzQ}heE)mi>2F_n z-puc5exCt83EURmKUR@Se;Nxn@$Kn^X@1`YqDqq0A^v^*{sG}xJpUAY9pM@LUQ0NF zFizM+SjGFZK#koKK>gkCVB_n5hu?n(9w0oDIH!Tqc~|pWJp404hwvjI?`{C~_ZWU3 z13nhKoA6?OGtA9i2J*je@ar+*>FELA556+|7HlB>1EpulDCsBtJ(+K>@SpkrpU&YYjW&F5==TCv3Ap8;GZo>J53BuWY8wcM^(BJn6XYlS6 z!nuU__ho*(jc`HfoxWw^`Ir2@x%6!{&v){Ck|ObU3E>>V`Mf&> z@I2yOO1Lh(yD?x3T*Le836liH{Qet$OUHbG za1rm00`+$)zxVmiQR|vmKnBx6kf@cvL{5}@c-;so) zc>caUVV{HlM)*&{RRrlu{jCc5KFIGu!W_@@U<*6}TmU}{zJSmmyqloE8Q%XlxYwSL z58zFNdkCK)e4g-s36CP4{!Sqr;P)d4zsK)?B$WSti-!tfJKx_JKKufFHQ_G^e-_?F z_%uIGS0KLro(i5ucssvq;a#2IUm)DT^B`fCa1GCYNVt>m9G=I(iwW^>9q;tl4fs`m zOse3o5nf364Z^*I`1f$)-pa#25dIJ0eS|cm=Vww4zn=geL--TkJq7%rKJxc34(8X; z&u!uPO977~?jC+03F>dZa8NMGDwieTg%H(W!KBbiX6jZ5JTcleaZL(g=8l7~e+3u*m%Og~qbCp_S`TO}+ zZLUH&UjIs`)2dB$J6SqKn?{BQ<|^~^wZ`=FbW1B#t)|s%qC1^-YI9k;Q<}bveKay#Hn;5DcjJy;Dz~Sy*63PU{f)JbwVkN zI=!v*m2PLI*{U6Yi^hhwTTV6l@!&B7rPMXVBnLW56(SR3w7`~=kU(E5^`2NFLaj~9 z8Z{DhiBK1(7TG95!9Kn3)fdffN70*8?Vf0`1GPw}x{QHVHU(GBr1M#;)~s4=|JsH% zI(?XX0bAUT-dB$n`*mQie;SuTAHg)!Nje z2CDTo88V(dy_d5jMQ^6o`Xw>SdFuP&XE~j9XwOtLtxPZibModzw%`N=y?6yyS<*9% zMv{+j+E#0H?{qdWRgv9^E)0Y?ycmJgQX6{WkmlT61;I66X_*9)WRrZ3WU@xC7z;Tw zQ=6zsbd@5)37uw&%tuy)!9)(-dKF>bv79CC&?dQ@_Q5z1n8k$9jjG$h(pdMboW%P+ zu;f6>u$r6|Ut3WoSYU?9CW>ZKG|Y=yDP1sDyrxR;s$u0ELj8IRHsj$iQ(6Ymz{qW- zz{)-3F&$Xh&$zBkND-Q9x6X|Ov>5*0#{6J9;zK;V)4)jE-HGtHy3@kyqF4QS&02M@ zb<1M<^lqhIo09TzDmI8%sfuR?20Z$@0U1>-XoNf>$GDDhk3y^+v5j5s*@hVK!8< zQMwOjfV2 zP1jA-8tW!1?U|%7sZ6HPJdB9;BCVNA7iKcl{`mO#FzJjn+8AG1dTZ9gvTS07W(dGV zw;(;?U@1f6e#I{Yxkqgiscn6<%&u!$16monFk^7$5oN}Nwj%teqlKvNRt0fMdtH=o zm_jJ<#et%eOh^wmjlv}vlj|e2G~>0<3CXZ=kNQ(ZOJudA{7Y6vx_XW@6`7-JVsx5} zEvj+vV?&mVK=BDfhABmX9%v99*o0}~RMH^O_ zIt&?;AvV^U3k`U4VlmhB$!3|>qneCu*|c%Tc**XynPhGSZ_%9Aq_pf6Si@!}Y7xpC z>#Qox>Ec4w^zpSS@nk_y6h^bZ)}RbA;&j&^+X3=vHU^K1vYBoex)^|>MJS@}y-^m9 z%$YS?>R`FmrW**pm}!&>vKYnn^Ke_gZ$|2#PeD|ft?4PJTFtpq+HwR-Zr`_-P3^^` 
z_pwCrtxUdBCVWhvI*Y|T$X-hqwdb=*Q*x`w!>7<_$VPP?1UCs=QiFj?F854q(%Lx; zd0Em>0G<#_6;lVYTwpxF_p7nCnOwKmC?2(0c*{MCTR&3xwD}7SlIbwqRrf+vWT$Bt3=}2ESq;>QnksP zO@pmQ^$KKbcg^z1aqWWv}@TOxOfgsfi)P(-Obwf~=QT_Vg}}mvWt!W}Od! zvX&1_BcjWv5wdAp1)Fd|Bbr3+DJxh+K00?CAfl+QJXIRH4JWRrrB&`#kb*>BL?xKZ zYv!`*UPdO0TzyCi9AOfm$3HCP@w~SI|N(=%c z*`%7SNptS*qc(9W=H4(&s%YrDRc<13ib$fjveiToqVcMot#z)bw5Bl=u&SqVCekyD z*0uS-FqvIVMuJ5)SDVDfbu+~HF8AQ+spM0O3DkCX@hyvh9Ba@Z_w2dWXKK*a@X4nL z*b5`Ft@4P2X)zy@T}8d6JeW$X953jD!;UDOVHw)+k5+0f_tlWiw+)Y~NRKh!Y%x&` zPcqyfxg3CUq~Z30BRyjLWHnj#HhP|xeGs#n?{G;rs%KAR$OdP1>lM7edFkcCOA)LN zD}0MJS>bc2&kA2vt0bQd_4i5VpHWctxgxf5M!UsfnMVsHN`!SP6UnXe##`$zl7g0d zoY5Ktv-P%^Xr?xom_`X&)}#fzWNxgAJJn&K{bq{cQkvZbYcyt+!v#WTsJ7EBkR zVq|+p0lh*}*CmtntkRJGafMjP^h&r4}RymH8 zKJj?xuBF{0!zOjrx6vOGG@_d4eWpZXLmMd+Ph~?ZAu;)Uv)!)A&A|kWX?h!bMDxOA z8xst(Gt30b0vkyZhRI)fI=(!*YJ=`6%^9s{mF=u)UMePkGcRPJndIg-sy4-;$8=5# zv$R06y)upbAA|KI5R&bcJ8N^@IiFOF3@6*mOI?RBz8TOayCnlxCEJ<7_2eWcr)ENC zV~ML_BVV*hwy*rn>KkO#p`t}m(N0Fk$0Hx0U}To2tMT_%*9@kcY`QvEo1W1Mffkn} zL(3Ky;#Sk2^dfnPFGA!pp3T_KaJkS=7!VS<>FSHLw3ptH?%KI~(?yyDq0-ib#G!Yi zA2S%=ONc+3O+yddsXjWzt$nB1qj4R;=12Jx#z^~e6ELz8jzU4{z zpxBKW4Pwzd)}7qZepnj&kh$%YOZuVbX5)HkVQHS3iS$F)41XY^ZF(kfkSc3@IlA8I%p)^p7$Y#cf5tqwhy&bM}Dp1%LX4}aQ z@2^SbL|(?yB`Mi*TJ1Sh#6B@fb45>GloE#Q($~chUHT=c)mTcAlXXP0L+dTI!gL9> z_K8+SMq0Esf@Qq}Ulo+~fxRl(5%@cm69Y-hf}YLMB*63eMO=@JE9neri&~@(>mL7u z9NdW!&eTa=JK7<(&=Bp>QT?Y9al9}6J5!aV= zu*9{YK{C!HVRv3;X2#NXtOow?_>)y%_v4z3;I(!oG?%!;in&8FhEamEvYpi>SXk-S zGo6Q9qUp>_>Z0pcC1YCj#$(k?<$~@?aj6^g7FhdC(IiM3+a}QKx-$7gmOg(8QYwl} z4681dKTi2YCC93Vb=uNe7$n*VB1bff03H82H6WKUrAgN_hH117cP6s`75ZC=wp?4`LH#sn4<^mg~=FKb;GLM97+t*_{=rGEIG85x`Jo8^|=;EKl7PGVf)JCCF+z`c}ot7 z{^`sr=$9~fcvYT8ubi%>Wd}8ws#`5>jY5>5B}~KHmFWzb5nlL0meK}kmXBo`Zo3>H z7KHMOPr2vXJx#X`Z?s&bGo68Rvr?JoufipO(QM11n{%8tAmRSh%9%w&zCQHq%}GBkW>Qe-M8nrrI8tmYP}vicjN9mB zy^daL3`7GM#>1*KUtkdf&#QdS4L5?@v+z&{Ih(tc@|bQ%(iUdptNOl$)%tv>Do0jx zVx97QeEGc32c`tt-yqwd&sSDi7mC;FU<3^srp_YlX5#|y@Jic!F1G2)6;Z5#(zKU- 
z#smptC9moV5zR@lV%)h*fcOdl14T*F}!M zW{$|don4ElF=PnIV2P!Iac$a~n!N1tORu&hyLN38dn0(z=={()a9?!U zp4aqX8TX73+C7W^J68|BHH0l8RaBTYv^mtfQS ztKcHn{u5DJhKR(uMUQgZtc*}-{;pJ!(C3%gXvsWcvvM70nG%Ps@VJ% z-#xXB%QSdZ=rZ?DRTmkVxTU18qZ?AG?}k0rr;)- z+xCDt_T$i2?R27ow(u_7CifqzYDFG#QsPO&7IT{oV8Lm0v}$a5M7-D}!&jh|R3ok* zs)v2sj*UgkX!w8{n#L-6h^dTC*F-hUg*#b>45BseaIZ|Tnu+jUWd)htYVy1-ZMeMzX6cc38pl{Uq*;!DGtoscv!P`jc=C z*0J1)j8{44tc3BKcaJB#Xnk8#7{sV8R+ZPFw6n$#tSGEA-m#og?a*O5AW?vYR!nV^roecWu@)RFjyzQ8u^_ zD`5j?0TUNkuDtdqDK52Qc75FNABVC`nB7G>;%LqvSVIDk4lDWRLw63621(uPq~BfG z`BqlR-?v-RF+a$l?0pKSnX1%N*v!bJct9(u%sLV!$(O0b;Dtq6TJumWk$3O*pEyL0!pO?yX1_io%eG~(OV-6)Auq{B&}{aVXYNloEZF1tu7^=V#pX6E`e*mhNG zIQay~SVn!|R$?M(($43ZK+J9o{}2vu!Exup)~alrA3p*6qsteYvWi?!lg1DaS`{Bg&f7MW4m@z zUG3A6q+4LOM3D)$tPX)-q8-jwlAJsbDVdCv&8;lM_$wD2R(ocvljiJ^LDDXN?{S}M zQa|8ZRdW`#jjkmxf2nq1A=?j`V8*B`)DvrE(}hKIR+D6o;q=$Om2%0NLt2u!vP!ff z5v>tbmu?~|XTYGfZMj~4@5alx$RMgLnfsL*aIhR&*|hCkptrHi%=vrJyu_l&EOcDh zQyYBB#+oJve1(rmay|nqRi(s9^=f5)uZH;E_DrSPT-d9cSzluv{$b$=v4b!}2_wu*-!*o<6LA%cICqz+?|X zUFNP_S-EgvSYbjt-#t-h8T0ze*BuHRO!qFmcvKJY+*2H!&QN-6J<0kR`K2#*Fu_!{`jRI)EmpX!qc!vVOc)xHdyvS-Sr64VPYi z$))@eabRb*zoycQcvlc03)3q$8;LZ5AXf}tF?c1XyOVgnn@zR& z9qDC%vyDgW*o^5pue1Y%<9XQE>{9e4Pt50ztrBSKO ziD@-ep3uHVOgv10s*W`%O)Noi4w}L8^t+mDOleGOx3gq>R;e^5;3B+%%gzHy%nhLV z7+IS4RCLaJc`O`wAAJXtSvL|YbIW7kN6J<_=dBe)Z$cQZ%#`;-s?r2$d5%3bx}6rW zY_YG(V4R!J=uEstDeZEN#j-AX6aM7vHw_R&*i2L{E4ctSu@ZvXg1Q{+R`+mP(vClK z-m=0n2?UrW<+Nfn=i2OhtL^ihDR2zC!|)^-%M6Adk`sv0s?GzgMRaUw=jxD)OUlBg zoV5y*`4p$o=~o{1;NXUR$I zcA%Nzrqbc@QbZpZD|~cQm~#>s&a(T{yqoQ03 zwX|rtEaG539uHQ4?9eSbTl5i!v}grGV6}||(Jh`a@8KM$Ok8FPxhA*5$#iQQHmuk7 z&01IW7MpSj0V2H8n5#g)=x|iJ;y|J2o!4~bB$n3%Cz0zKdjg5(&`BkFhyQSsjRYQ9cFC2-talqvH0M!To2UtF{eTZ znxa5wZIO=iMoOKTa0;okvES-Kwv~n~c5*av;d)UrFqBv17>mpk<8@Gbd#GbA_691x zxTmM_90TxvDi<2{SUkh7cJ`LLET2F;#mtY4$mPylh*#!OE!WGVmsp5pU52~YHft@Q zHgu|^%r_*DOFL$FOH*Rfcp7c@MNUvwPJ^Dva*`LZ4{-Xh6f++IEFUB1zaam9t|zxpl?(xzO#2ztMgDP1Kj^5y=MRHpEqkD_1aiB%m?d>sET<%%Zi6~f4S9R9Y!{YNr-FJU+IMY_DW?o 
z=F1qY&Tf+D`TwdFkaYJ9a2D8n{G7c z+mNF%nC!_~vudYu=y9bY%H5not|1VZT$9$#%j8LrVY#J_46DgT+~2aeOk|R+M6~A5 za|{6Qr)ptdTdl0waxt;Q@Yaa-Or}{F*4K)vyW*jBVyJTNZW6AVbS+>bB9+_{L84tB82A--aKHT4p;(Lke+J&1SWD zl#Dyw`u7^^iFVRoh2}ByBQG?`_!_fdIk~M$n>q5Y2HOMk>g7lN^RF|_=2SIkH})Pi zZ1qqI&0=hlGb}J+*%XUDN!(4E>r}gV?^e^%zTqKj^gsCDH(EHyv-FrlpSYV<)I@Ec zvw+_K&^B{FNc34~grha;tVO!8PBk=#PO zICJqhoBgEsAuagZoAqfE4_uhi)bt5UNcS-?v~j;ke4A464`w16X$nzRWu9h(OT&iR zpSd|Ot`8D*?0SRsW*@E25dm?i`pSW=pT56ImfgnsbL1c4)m zQBRYhy_@ziJ0=I=@|MgOmFQPq;U+<(HIQhcj@5;NO#Yjavl^JJ>ydu_V&>L?=r7%% z6Sqc3_(q#M%mrJ4tdUs?m6ddK+f^ARCMoCsb{yM1D2n?;4n3>jcZVA zVW+qHw7BAc1^LE023OQM^mMOD;a%XWzy$}!LA>f9XM114g0_lMn(9&mj6M8cChyqb z$)q2f#_W78?#Wd_szya4H%vxXxcmSs4c8KC7gZZGwW*jb2UTO9)+tB>>e1=ibSrF} z3}s60R;9Fc0Ya!7x0vkHA?bc*K!ekheDWI*j7naTHE3x@ib>yT$y6qQyo~T|X^lby zsmT>M!8C~li;kjz#8JK3rVpCT?b!}v>`+t`X11Y3dM3n`Ms#wzNEl`rMgo7CEOz6I zn-Y3-PTu?j+)_f0zN{9vIE8^Yoy}xj83fG3Wdep8t4jMB`A$lg3o4ez*JbD$ALvCf z^4%B{g*5&!gt`l&5pF-64bcH?O|^{Km{sr2(qQvi%xl#~)mSq5mb?gTGr+EyuI?=G zibdU86e|x~lrQDw&}ciw&TwX=-z-58_qZxs;%&C7tM_0phJLG3VeI!Wk@Vp#RK~C_ z*e+{ zKbCZYjWA#!oU;HUz~E^je@C3E0vK2M{yA z_rX&PrqQoecqF*6re(7+yk6zp`^AlX*H|%b)Sj*dV|;WDDQ;ICAx)gC_v%O}uFll) zWR5&SeaSzX0%f@r!luvi+}Vy4zYjukj}vDWu@oViIek7wmvaAvVIBnG`(zp$w)CsK zsg*hv7c+akmZZ;Pxb@SUdHyk0ZKcG;BrRwLZ*iW!uut;>^4WUdg|7H@fQ6pfB!4Q4 ziTE;irQ&cH`*O5kp36ckF8mw@IMVZI-NN zY8Gz-CD<9cjxr;#YzH*wO`wvW_Ka(N3cWS~6H0z-h_R9r)tG6xWS7RBP3l7CQDq=A zxM@xaEslJPC8HojF6O>0x?xvjrWV}}qn0YvWVY-SGLn8U8x8u&#KPL~izaYmneC$5 zW~fE8qDxgPtPwK=B@%JA;P#|~ZN{3W{{5X>Zq8TPqA~;NZ9U7HEODz_CM;9y z5@v#SrBt>w8r|vlOvrUBbBnF8Y%fG}I}TaPUE zZOc8vb5KnSBKdR{gHTS4a0P|?7|6{TQoX|P%g^Z`frEcZbeFfnD9J96ifK>UOWK|k z-ruhFincI!-LC`YX5xjNIX$;i?2xlaS+T}E~iFz0FfOcaIeNyHA_Zi zF{XPolx^b$TQRnXK3M~IXEb>I1o~`q4!eeK(f2S#>Q%i^tRxzur@`!WCP`*J1(xht z@)}I{$ac_rvdA3u?n+B+>W1F*u_P-&Q+tU=@k5W-YcPfT;zHJ8mDHP@Qlj!ktV-A% zv`t&7CdBG3FlJC*$m>Uvl0Xv=%csxalqDGXdzE=&^8Cy{Zr%+eLSAqc2cX7uj3`^t z27spU@EyCdhnSDz8Z-fH+{`u$H1)LkzBMl`38N4!nQvj5<2M(R=+yznJl6jB;jWuf_7BqTpHnr6g|rqhGgS#YPJ*)Ts0&CuF;@ 
z6ph!ytWFH9@e%B)Xrkt}l(-^xA@T(lY1aK_jxbPdFOv^W<57rPnvXK9eM%GtAU>Ti zkay7KF^hOZ$3xF1wQD|NK7LO}DVI`B@+AqE1Vu%dy$mooIOQSVUZ7WSkR^NMJ(VFN zI+cA4F63G3$t4j3hp4hh@BZc7uoK%p0GL*?_Ud z66R_4Z&ehPKpYkiq(BDpe@{UT=xOfu(Dm9r43;>q<@xhV0g!JDiUtN2Wf+4rU8rJl zMBdP-vCSFz?H+uDMx7ax%+_EmuwcpB9%M5|xI}|39QKc#l(aEYoQ+T6dXJ#g+2hk| zCxm-Gh^g6I`Kk}RuU+;7v7Za8vMvv2WoqeVA1DY8i7+!37h|+YFc%xE-1UfXi!MqH ze*P7Lalhz8Y*Vt&XKYIsZM2!4uBX(N81p5Vq{0C)=of$B>4-Of98Mah&m4L&Ee9>* z_QFPUntHbM_-AM_Q=T&9s_)VP!{rI0)( zT4{|>(X1Y}0IeI(8$MIeP+*kH9wthLfQAg=W)RniA}qIu6pJFPhJ>iPR3s;U&q9vm zId&)hA-gRTp>O+i6nQqoox-ScXNdckwd7+?9lJ;b0xa-vSBP!-59iZB*!z^i3evEe zeg_ZJc-Y88zGos5TtZc*<`UDJ?)1reqTD7h#oDePQB-JlPi(4Bl8H zox~pZZC!H5NDQqQuOtM_`(h#@#P5F@Nq>45+>$&AD~P?5+M#A~?O?S$=DHC;j>vG1 z4e4P~86?CG$}tEA)!I(1*j62Fz;xb2v#=PJrYoillqsdv-dH){`QnRTxlA&vuxD)) zzK#vi$YoU9Dl1}4zR9phbVGPF-D5pl8d`Y@EP<(o?|nPX~{RL{*Nd}956S~A!tTPBZfK4fi;PCp!DwJP(` zFf?s0tJWYR$F=*B9uzfngNeMvA)33_U^MpE;!2coVUEtfX!JiRPOi$5Sl?CdAJ@-e zCYNhTjaW1Bc%xC@;h$xI@Q{9*#X(&*LiJ-OvmI3Hcby4oFzRW3diXKgO}lXNm%WK* zcl3B8HD8!ANur*W>JOVk%Cn8=t8Z#4EJV-mJ<()I$agj*rL>>?>fIKgx7 zal9`}MEzYkTEmuo#x&3+Dq0QQ>yp29UInV*%+9 zdbg()J&iV1U2p+9KHSF=Gb0Br9NTPg%7(a=mtU@;t%NHVF)mC>l`m+leMgB12IPpY>;=M8sQYvn+HL)PEtubX) zvZcDPHreC)kxE7qaElRKTHcN83koGOn#Q2Q@^y~Fz+Gn5kJ|+<6hkF2k~H@x(I))g-dl0L=2vO3gE%ldv@e$7j7 z#>?(`>HVBbt8(tT?S-Wdlx*lMmRAZ3&(%=WH_;EMNwaoS1c_}!ap}9rwt64-tPT_v zFovL+wk)0Jlc(8=F#;>c_+h_WSU%e-8;EVITnA(KF!T&nw?o9*JuA<}%`j9)7sH72 zO;0TqQ#LGCSShrVCoGAJ-x+3Rhe8|tW@1^}1E!ak&-Q<)+F@bU`y+IuZxhrlASia^zERBdz3+*H^C~UP%%Y)bsl`F1 zic~Q1hDVpYL=NbsTH{=zJvQMG`+ z*EKi;X3`@1UoPKz9L)V6&{%2j>%dR7d;lXY7zU#=ki8Ibh!Lk z(d39%R_OMb-p-!jB5?P5nsoP*NRkxp8K45jW1gKmUqu63O=t4QLXcDo=7}6W#Vog) z4V0GHU9Z8u2XyYDoMYUvVOwa}zdED!zw+9>X#?eL&e$Lou;AId3bib&`RII5M`G<3 zSJgBqM9fj&8^BML?CtDRQSV4ViiYX`}Tc!4b*bOkiXSa0lB->SE6cW7i@n8U5 z%n)FwEcc0+q3P1L-m^`uWM=!!Bseq6>0BHgGM#$JWa&c`1to1P(iMt>v#a>_B@{Bd z(55h}8CW{kt&@VeDNNUam)}9hNyfn|zQE?46^QDIKm2ME*G|c2}snp9#N zcq0ltpK=Z|0L`<){wjB}#TCSx;hskSRl_ab@g?8AW$Mla`D6+U1%+EWcTilWgZn7v 
zk}u%*j56nEn;aJly)lViuXMeRje|J9lln(69(KBL%TD<`Ura0gUcPDv?h9A#=wzcz zh|*F*eJm^MSyjJzG0>)7|+^JjGDp zY>8?fyMTTFxz=M$$^7(6KUxW!RJ0m&(w1 zF_dK<#$-K4N|6JTB-4wz+bkH;YW-Zu0v^zzyB5pvstGg*J%bR6m-mS3e26#p1Urs5 zi1TUYP8AXd1JP?Ql4^#AeQhR3n1L!2O*it{tzTnMlsTP!^d0Pm=qi=Rm zDU0>f^i~WKyER<#ql5CKVl7dPikaACJYO>~8(jM$W#YAGqTgI~lLF|or8VXgDr4GA ziat*&%OS2`x=%MWw$}~7zh&aIJZMIIyO;_ zCfDr{fm#^%KTT%`nyAf4POF$T-!Fe*Y#ijWADK>JwC5xU`@0L(?Gt{PTR#3vTo8CH z4Etb*g-d*(q*)~NL{O_L%Qr)_mB{l7^b0JT=M(ZZ`OKIpa?~JFufeeS1rj>pq@5Uy zF5M4Qn1Qx<$kZoi^yHSXLCdeg@CBi;*vY4vY=VskNLIEuL(;b2`eXhG-4#SOaewOI zlAI1OEh-v!7}o`f@HC~*eL?tVR=O|9KaH(;Ul8Bf3sAl{dlSF=&RFQ^nNUKmu;sC_RCqLqdDRd~tzT^K~v s, 2011-2013 +# Nienke84, 2013 +# Nienke Hulzebos, 2013 +# Richard E. van der Luit , 2012 +# sgallagh , 2011 +# Wijnand Modderman-Lenstra , 2011 +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2014-12-14 11:47+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/" +"nl/)\n" +"Language: nl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Stel de verbositeit van de debug statements in" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Neem tijdstempels op in de debug logs" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "Voeg microseconden aan tijdstempel is debug log" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "Schrijf debug berichten naar logbestanden" + +#: 
src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Commando om service te starten"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Aantal pogingen naar de Data Providers te verbinden"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+"Het aantal bestand descriptors die door deze beantwoorder geopend mogen "
+"worden"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "Duur van inactiviteit voor het automatisch loskoppelen van een cliënt"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "SSSD Services die gestart moeten worden"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "SSSD Domeinen die gestart moeten worden"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Timeout voor berichten die over SBUS worden verzonden"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Reguliere expressie om gebruikersnamen en domeinen te ontleden"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Printf-compatibel formaat voor het tonen van namen in volledige vorm"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Map in het bestandssysteem waarin SSSD Kerberos replay cache bestanden moet "
+"opslaan."
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "Domein toe te voegen aan namen zonder een domein component."
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Enumeratie cache timeout duur (in seconden)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "Entry cache achtergrond update timeout duur (in seconden)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Negatieve cache timeout duur (in seconden)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Gebruikers die SSSD expliciet dient te negeren"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Groepen die SSSD expliciet dient te negeren"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Dienen gefilterde gebruikers zichtbaar te zijn in groepen"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "De waarde van het wachtwoordveld die de NSS aanbieder terug moet geven"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+"Overschrijf homedir waarde van de identiteit aanbieder met deze waarde "
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Vervang lege persoonlijke map waarde van de eindentiteitsaanbieder met deze "
+"waarde"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr "Overschrijf shell waarde van identiteit provider met deze waarde"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr "De lijst van shells waarmee ingelogd kan worden"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+"De lijst van shells die verboden zijn, en vervangen door de fallback shell"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Als een shell opgeslagen in de centrale map toegestaan is, maar niet "
+"beschikbaar, gebruik dan deze"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "Te gebruiken shell als de aanbieder er geen aangeeft "
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Hoe lang zullen cache records in het geheugen geldig blijven"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr "Hoe lang zijn cached logins toegestaan tussen online logins (in dagen)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Hoe veel mislukte inlogpogingen zijn toegestaan in offline-modus"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Hoe lang (in minuten) logins weigeren nadat offline_failed_login_attempts is "
+"bereikt"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+"Welke boodschappen worden aan de gebruiker getoond tijdens authenticatie"
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+"Hoeveel seconden moet de identiteit informatie in cache opgeslagen worden "
+"voor PAN aanvragen"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+"Hoeveel dagen voor het verlopen van het wachtwoord moet een waarschuwing "
+"getoond worden"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+"Of de tijd-gebaseerde attributen in sudo regels moeten worden geëvalueerd"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+"Moeten host namen en adressen gehashd worden in het known_hosts bestand"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+"Hoeveel seconden moet een host in het known_hosts bestand blijven nadat de "
+"host sleutels ervan werden aangevraagd"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+"Lijst met UID's of gebruikersnamen waarvoor toegang tot de PAC responder "
+"toegestaan is"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Identiteitaanbieder"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Authentiecatieaanbieder"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Toegangscontroleaanbieder"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Wachtwoordwijzigingsaanbieder"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "SUDO provider"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Autofs provider"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "Host identity provider"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "Minimum gebruiker ID"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "Maximum gebruiker ID"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Schakel enumeratie van alle gebruikers/groepen"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Cache inloggegevens voor offline gebruik"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Sla vingerafdrukken van wachtwoorden op"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Laat gebruikers/groepen in volledige vorm zien"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr "Neem groepsleden niet mee in groep zoekacties"
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Entry cache timeout duur (in seconden)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Beperk of geef de voorkeur aan een specifieke adresfamilie wanneer er DNS-"
+"lookups uitgevoerd worden"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Hoe lang blijven gegevens opgeslagen na een succesvolle login (in dagen)"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+"Hoe lang te wachten op antwoord van de DSN bij het opzoeken van servers (in "
+"seconden)"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "Het domeingedeelte van DNS queries die service discovery uitvoeren"
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr "Overschrijf GID waarde van de identiteit aanbieder met deze waarde"
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr "Behandel gebruikersnamen als hoofdlettergevoelig"
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr "Hoe vaak moeten verlopen ingangen op de achtergrond ververst worden"
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr "Of de DNS ingang van de cliënt automatisch vernieuwd moet worden"
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+"De TTL die toegepast moet worden op de DNS ingang van de cliënt na het "
+"vernieuwen hiervan"
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+"De adapter wiens IP-adres gebruikt moet worden voor het dynamisch bijwerken "
+"van de DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr "Hoe vaak de DNS ingang van de client periodiek vernieuwd moet worden"
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr "Of de provider ook de PTR record expliciet moet vernieuwen"
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr "Of het nsupdate hulpprogramma standaard TCP moet gebruiken"
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+"Welke soort authenticatie moet gebruikt worden om de DNS vernieuwing uit te "
+"voeren"
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA-domein" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA-serveradres" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "Adres van back-up IPA server" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "IPA-clienthostname" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" +"Of de DNS-gegevens van de client automatisch bijgewerkt moeten worden in " +"FreeIPA" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "Zoek basis voor HBAC gerelateerde objecten" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "De tijdsduur tussen het opzoeken van HBAC regels voor de IPA server" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" +"De tijdsduur in seconden tussen zoekopdrachten in de 
SELinux mappen voor de " +"IPA server" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" +"Als dit op false ingesteld is, wordt het host argument gegeven door PAM " +"genegeerd" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "De automounter locatie die door deze IPA client wordt gebruikt" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "Zoek in base voor object die info over IPA domein bevat " + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "Zoek in base voor objecten die info over ID bereiken bevat" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "Zet DNS sites aan - locatie gebaseerde service ontdekking" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " 
+"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "Active Directory domein" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "Active Directory server adres" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "Active Directory back-up server adres" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "Active Directory cliënt hostnaam" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "LDAP-filter om toegangsprivileges mee te bepalen" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names 
that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Kerberos-serveradres" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "Kerberos back-up server adres" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Kerberos-rijk" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Authenticatie timeout" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "Moeten kdcinfo bestanden aangemaakt worden" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "Werkmap waar authenticatiegegevens opgeslagen worden" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Locatie 
van de authenticatiecache van de gebruiker" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Locatie van de keytab om authenticatiegegevens te valideren" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Schakel authenticatiegegevensvalidatie in" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" +"Sla het wachtwoord op indien offline voor later gebruik bij online " +"authenticatie" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "Vernieuwbare levensduur van de TGT" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "Levensduur van de TGT" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "Tijd tussen twee checks voor vernieuwing" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "Zet FAST aan" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "Selecteert de hoofdpersoon te gebruiken voor FAST " + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "Zet hoofdpersoon sanctioneren aan" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "Zet enterprise principals aan" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" +"Server waar het wachtwoord wijzigingsservice draait indien niet op de KDC" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, de URI van de LDAP server" + +#: 
src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "ldap_backup_uri, De URI van de LDAP server" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "De standaard base DN" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Het schema type wat gebruikt wordt op de LDAP server, rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "De standaard bind DN" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "Het type authenticatietoken van de standaard bind DN" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "Het authenticatietoken van de standaard bind DN" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Hoe lang pogen te verbinden" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Hoe lang proberen synchroon LDAP te benaderen" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" +"Duur tussen pogingen om de verbinding opnieuw tot stand te brengen tijdens " +"offline zijn" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "Gebruik alleen hoofdletters voor gebiedsnamen" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "Bestand dat de bekende CA-certificaten bevat" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "Pad naar de CA-certificatenmap" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "Bestand dat het client certificaat bevat" + +#: 
src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr "Bestand dat de client sleutel bevat"
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr "Lijst van mogelijke sleutel suites"
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Vereis verificatie van het TLS-certificaat"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Geef het SASL-mechanisme op wat gebruikt moet worden"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Geef het SASL-authorisatie-ID op wat gebruikt moet worden"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr "Specificeer het te gebruiken sasl autorisatiegebied "
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr "Specificeer de minimale SSF voor LDAP sasl autorisatie"
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Kerberos service keytab"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Gebruik Kerberos authenticatie voor LDAP-connectie"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Volg LDAP-doorverwijzingen"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "Levensduur van TGT voor LDAP-connectie"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr "Hoe moet de alias referentie verwijderd worden"
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr "Service naam voor DNS service opzoeken"
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+"Het 
aantal records dat opgehaald moet worden met een enkele LDAP bevraging"
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+"Het aantal leden van moet ontbreken om een volledige de-referentie te "
+"veroorzaken"
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+"Moet de LDAP bibliotheek omgekeerd opzoeken uitvoeren om de hostnaam te "
+"autoriseren tijdens een SASL binding"
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr "entryUSN attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr "lastUSN attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+"Hoe lang een verbinding met de LDAP server gebouden moet blijven voordat het "
+"losgekoppeld wordt"
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr "Het LDAP paging besturingselement uitschakelen"
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr "Zet Active Directory bereik opvragen uit"
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Tijd om te wachten op een zoekopdracht"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr "Tijdsduur te wachten voor een opsommingsverzoek"
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Tijd om te wachten tussen enumeratie-updates"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "Tijdsduur tussen cache opschoningen"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid 
"Require TLS for ID lookups"
+msgstr "Vereis TLS voor het opzoeken van ID's"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr "Gebruik ID-mapping van objectSID gebruiken in plaats van pre-set ID's"
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "Base DN voor het opzoeken van gebruikers"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Scope voor het opzoeken van gebruikers"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Filter voor het opzoeken van gebruikers"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Objectclass voor gebruikers"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Username-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "UID-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Primair GID-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "GECOS-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Gebruikersmap-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Shell-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr "objectSID attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr "Active Directory primaire groep attribuut voor ID-mapping"
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Userprincipal-attribuut (voor Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340 
+msgid "Full Name"
+msgstr "Volledige naam"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "memberOf-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Modification time-attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr "shadowLastChange attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr "shadowMin attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr "shadowMax attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr "shadowWarning attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr "shadowInactive attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr "shadowExpire attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr "shadowFlag attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr "Attribuut voor tonen van geautoriseerde PAM services"
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr "Attribuut dat geautoriseerde server hosts toont"
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr "krbLastPwdChange attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr "krbPasswordExpiration attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr "Attribuut welke aangeeft dat wachtwoordtactiek op de server actief is"
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid 
"accountExpires attribute of AD"
+msgstr "accountExpires attribuut van AD"
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr "userAccountControl attribuut van AD"
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr "nsAccountLock attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr "loginDisabled attribuut van NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr "loginExpirationTime attribuut van NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr "loginAllowedTimeMap attribuut van NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr "SSH publieke sleutel attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr "Basis DN voor groep opzoeken"
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr "Objectklasse voor groepen"
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr "Groepsnaam"
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr "Groep wachtwoord"
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr "GID attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr "Groep deelnemer attribuut"
+
+#: 
src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr "Verandertijd attribuut voor groepen"
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr "Basis DN voor netgroep opzoeken"
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr "Objectklasse voor netgroepen"
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr "Netgroep naam"
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr "Netgroep leden attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr "Netgroep triple attibuut"
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr "Verandertijd attribuut voor netgroepen"
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr "Basis DN voor service lookups"
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr "Objectclass voor services"
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr "Service naam attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr "Service port attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr "Service protocol attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr "Ondergrens voor ID-mapping"
+
+#: 
src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr "Bovengrens voor ID-mapping"
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr "Aantal ID's voor elk segment bij ID-mapping"
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr "Gebruik autorid-compatibel algoritme voor ID-mapping"
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr "Naam van het standaard domein voor ID-mapping"
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr "SID van het standaard domein voor ID-mapping"
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr "Gebruik LDAP_MATCHING_RULE_IN_CHAIN voor groep opzoeken"
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr "Gebruik LDAP_MATCHING_RULE_IN_CHAIN voor initgroep opzoeken"
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs from the LDAP server"
+msgstr "Laagste grens instellen voor toegestane id's van de LDAP-server"
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr "Hoogste grens instellen voor toegestane id's van de LDAP-server"
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Policy om 
wacthwoordverloop mee te evalueren"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr ""
+"Welke attributen worden gebruikt voor evaluatie als het account verlopen is"
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr ""
+"Welke regels moeten gebruikt worden voor de evaluatie van toegangscontrole"
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr ""
+"URI van een LDAP server waarop wachtwoord veranderingen toegestaan zijn"
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr ""
+"URI van een back-up LDAP server waar wachtwoord veranderingen toegestaan zijn"
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr "DNS service naam voor LDAP wachtwoord verander server"
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+"Moet het ldap_user_shadow_last_change attribuut vernieuwd worden na een "
+"wachtwoordwijziging"
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr "Basis DN voor sudo regels lookups"
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr "Automatische volledige ververs periode"
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr "Automatische slimme ververs periode"
+
+#: src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr "Moeten regels gefilterd worden volgens hostnaam, IP adres en netwerk"
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this 
machine to filter sudo "
+"rules"
+msgstr ""
+"Hostnamen en/of volledig gekwalificeerde domeinnamen van deze machine voor "
+"het filteren van sudo regels"
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+"IPv4 of IPv6 adressen of netwerk van deze machine voor het filteren van sudo "
+"regels"
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+"Moeten regels toegevoegd worden die netgroep bevatten in host attribuut "
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include rules that contains regular expression in host attribute"
+msgstr ""
+"Moeten regels toegevoegd worden die regulaire expressie bevatten in host "
+"attribuut "
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr "Objectklasse voor sudo regels"
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr "Sudo regelnaam"
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr "Sudo regel opdracht attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr "Sudo regel host attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr "Sudo regel gebruiker attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr "Sudo regel optie attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr "Sudo regel runasuser attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr "Sudo regel runasgroup attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr "Sudo regel notbefore 
attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr "Sudo regel notafter attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr "Sudo regel volgorde attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr "Object class voor automounter maps"
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr "Automounter map naam attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr "Objectklasse voor automounter map ingaven"
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr "Automounter map sleutel ingave attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr "Automounter map ingavewaarde attribuut"
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr "Basis DN voor automounter kaart opzoeken"
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Kommagescheiden lijst van toegestane gebruikers"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Kommagescheiden lijst van geweigerde gebruikers"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Standaard shell, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Basis voor gebruikersmappen"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children." 
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "De naam van de NSS-bibliotheek die gebruikt wordt"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr "Moet indien mogelijk canonieke groepsnaam in cache opgezocht worden "
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "PAM-stack die gebruikt wordt"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Start in de achtergrond (standaard)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Start interactief (standaard)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr ""
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Geef een niet-standaard configuratiebestand op"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr "Print versie nummer en sluit af"
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Debug niveau"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Voeg tijdstempels toe aan debugberichten"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr "Toon tijdstempel met microseconden"
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the 
debug logs"
+msgstr "Een geopend bestand voor de debug logs"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr ""
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr "Domein voor de informatie provider (verplicht)"
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr "Socket met privileges heeft verkeerde rechten of eigendom."
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr "Publiek socket heeft verkeerde rechten of eigendom."
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr "Onverwacht formaat van het inloggegevensbericht van de server."
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD wordt niet door root gestart."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found." 
+msgstr ""
+"Er is een fout opgetreden, maar er kan geen omschrijving gevonden worden."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr "Onverwachtte fout bij het opzoeken van een omschrijving"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Serverbericht:"
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Wachtwoorden komen niet overeen"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr "Wachtwoorden als root wijzigen wordt niet ondersteund."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Geauthenticeerd met gecachte inloggegevens."
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", uw wachtwoord verloopt op:"
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr ""
+"Je wachtwoord is verlopen. Je hebt nog slechts %1$d login(s) beschikbaar."
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr "Je wachtwoord zal verlopen in %1$d %2$s."
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "Inloggen wordt geweigerd tot:"
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "Systeem is offline, wachtwoord wijzigen niet mogelijk"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Wijzigen van wachtwoord mislukt." 
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nieuw Wachtwoord: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Voer nieuw wachtwoord nogmaals in: "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Wachtwoord: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Huidig wachtwoord:"
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "Wachtwoord verlopen. Verander nu uw wachtwoord."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Het debugniveau waarmee gestart wordt"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "Hrt te gebruiken SSSD domein"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Fout bij het zetten van de locale\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid 
"Not enough memory\n"
+msgstr "Niet genoeg geheugen\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Gebruiker niet gespecificeerd\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Fout bij het opzoeken van publieke sleutels\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "De te gebruiken poort voor het verbinden met de host"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Ongeldige poort\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Host niet gespecificeerd\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "Het pad naar het proxy commando moet absoluut zijn\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "Het UID van de gebruiker"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Het commentaar"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Gebruikersmap"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Login shell"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Groepen"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Maak gebruikersmap aan als deze niet bestaat"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Maak nooit gebruikersmappen aan, overschrijft de configuratiewaarde"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Geef een alternatieve voorbeeldmap"
+
+#: src/tools/sss_useradd.c:57 
src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "De SELinux-gebruiker voor de login van de gebruiker"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Geef group op om toe te voegen\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Geef gebruiker op om toe te voegen\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Fout bij de initialisatie van de tools - geen lokaal domein\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Fout bij de initialisatie van de tools\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Verkeerd domein gespecificeerd in de FQDN\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Interne fout bij het verwerken van de parameters\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr ""
+"De groepen moeten zich in het zelfde domein als de gebruiker bevinden\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr ""
+"Kan 
groep %1$s niet in lokale domein vinden\n"
+"\n"
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Kan de standaardwaarden niet zetten\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "De geselecteerde UID valt buiten het toegestane bereik\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "Kan de SELinux login context niet zetten\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "Kan geen informatie ophalen over de gebruiker\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr "De gebruikersmap bestaat reeds, voorbeeldmap niet gekopieerd\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr "Kan persoonlijk map voor gebruiker niet aanmaken: %1$s\n"
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr "Kan mail spool voor gebruiker niet aanmaken: %1$s\n"
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr "Kan geen ID vinden voor de gebruiker - zit het domein vol?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr "Een gebruiker of groep met een zelfde naam of ID bestaat reeds\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Transactiefout. 
Kan de gebruiker niet toevoegen\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "De GID van de groep" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "Geef groep op om toe te voegen\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "De geselecteerde GID valt buiten het toegestane bereik\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "Kan geen ID vinden voor de groep - zit het domein vol?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "Een groep met een zelfde naam of GID bestaat reeds\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "Transactiefout. Kan de groep niet toevoegen\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "Geef groep op om te verwijderen\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "Groep %1$s ligt buiten het gedefinieerde ID gebied voor domein\n" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" +"NSS verzoek mislukte (%1$d). Ingang blijft misschien in de geheugencache.\n" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"Groep niet gevonden in lokaal domein. Verwijderen van groepen is alleen " +"toegestaan in lokaal domein.\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. 
Could not remove group.\n" +msgstr "Interne fout. Kan de groep niet verwijden.\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "Groepen waar deze groep aan toe te voegen" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "Groepen om deze groep uit te verwijderen" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "Specificeer de groep waaruit verwijderd moet worden\n" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "Specificeer de groep die aangepast moet worden\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"Groep niet gevonden in lokaal domein, aanpassen van groepen is alleen " +"toegestaan in lokaal domein.\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" +"Lidmaatschappen moeten in het zelfde domein vallen als de daarboven liggende " +"groep\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" +"Kan groep %1$s niet in lokale domein vinden, alleen groepen in lokale domein " +"zijn toegestaan\n" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"Kan de groep niet aanpassen - controleer of de namen van de lidmaatschappen " +"correct zijn\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" +"Kan de groep niet aanpassen - controleer of de naam van de groep correct is\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. Could not modify group.\n" +msgstr "Transactiefout. 
Kan de groep niet aanpassen.\n" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "%1$s%2$sGroep: %3$s\n" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private " + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "%1$sGID nummer: %2$d\n" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "%1$sLid gebruikers: " + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" +"\n" +"%1$sIs lid van: " + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" +"\n" +"%1$sLid groepen: " + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "Geef indirecte groepslidmaatschappen recursief weer" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "Specificeer de te tonen groep\n" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" +"Groep bestaat niet in het lokale domein. Weergave van groepen is alleen " +"toegestaan in het lokale domein.\n" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "Interne fout. 
Kan de groep niet weergeven.\n" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "Verwijder gebruikersmap en postbestand" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "Verwijder gebruikersmap en postbestand niet" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" +"Forceer het verwijderen van bestanden die niet aan de gebruiker toebehoren" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" +"Kill de processen van de gebruiker voordat de gebruiker verwijderd wordt" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "Specificeer de te verwijderen gebruiker\n" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "Gebruiker %1$s ligt buiten het gedefinieerde ID bereik voor domein\n" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "Kan de SELinux logincontext niet herstellen\n" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" +"WAARSCHUWING: De gebruiker (uid %1$lu) was nog ingelogd bij het " +"verwijderen.\n" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "Kan niet bepalen of de gebruiker was ingelogd op dit platform" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was logged in\n" +msgstr "Fout bij het controleren of de gebruiker was ingelogd\n" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "Het post-verwijder commando mislukte: %1$s\n" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" +"De gebruikersmap wordt niet verwijderd - de gebruiker is geen eigenaar\n" + +#: 
src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "Kan persoonlijke map niet verwijderen: %1$s\n" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" +"Gebruiker bestaat niet in het lokale domein. Het verwijderen van gebruikers " +"is alleen in het lokale domein toegestaan.\n" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "Interne fout. Kan de gebruiker niet verwijderen.\n" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "De GID van de gebruiker" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "Groepen waar deze gebruiker aan wordt toegevoegd" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "Groepen waar deze gebruiker uit wordt verwijderd" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "Bevries het account" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "Heractiveer het account" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "Geef de gebruiker op die aangepast moet worden\n" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" +"Kan de gebruiker niet vinden in het lokale domein, het aanpassen van " +"gebruikers is alleen toegestaan in het lokale domein\n" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" +"Kan de gebruiker niet aanpassen - controleer of de groepsnamen correct zijn\n" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" +"Kan de gebruiker niet aanpassen - is de gebruiker reeds lid van de groepen?\n" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "Transactiefout. 
Kan de gebruiker niet aanpassen.\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" +"Geen enkel cache object komt overeen met de gespecificeerde zoekopdracht\n" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "Maak bepaalde gebruiker ongeldig" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "Maak alle gebruikers ongeldig" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "Maak bepaalde groep ongeldig" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "Maak alle groepen ongeldig" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "Maak bepaalde netgroep ongeldig" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "Maak alle netgroepen ongeldig" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "Maak bepaalde service ongeldig " + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "Maak alle services ongeldig" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "Maak bepaalde autofs map ongeldig" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "Maak alle autofs mappen ongeldig" + +#: src/tools/sss_cache.c:697 +msgid "Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr 
"Maak alleen ingangen van een bepaald domein ongeldig" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "Selecteer tenminste een object om ongeldig te maken\n" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" +"Kon domein %1$s niet openen. Als het domein een subdomein (vertrouwd domein) " +"is, gebruik dan de volledig gekwalificeerde naam in plaats van --domain/-d " +"parameter.\n" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "Kon beschikbare domeinen niet openen\n" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "Naam '%1$s' lijkt geen FQDN ('%2$s = TRUE' is ingesteld) te zijn\n" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "Het geheugen zit vol\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "%1$s moet als root uitgevoerd worden\n" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. 
Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "\n" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" 
diff --git a/po/pl.gmo b/po/pl.gmo new file mode 100644 index 0000000000000000000000000000000000000000..21045f387127df6bd173a8cbe452d9c1ad0746fa GIT binary patch literal 70148 zcmb@P2b>&7mH$V82{H~iXSaha$=0rdvmBKzTM4a%j19=6nc3B7cW2fUwB9`vY_Lr_ zayVl!J~DS?6YjtmFcRj-2L=v~Bba3V=EU?MJQOba&-?_3FJ> zud2U&$fI6a;P1Le6bi?I-#WBV*!;*s;kC2%v{3lfS%tz3@Ymqs;BUdhz{j0kC>#%- z03HBd2p$Yx4juts4L%-hfCqxl1P=mV1U>=09XuL*52*A$10D{32RsD)Z}4RBvF8*D zD#{t)LT~`Q6ub!}Na0i9eDKfUdEmTr3xy-W3V0g$bT9$m6rS$}`B(Ta{yPyooJcD7 z+2CSuC8+Y;0IEG+1zrW-39bYWJm1T)8N8VLTfj5HPl2a{e*~58ED~D^t^ntP&kguK zP~pA>o&rAR0*`+NIE(wOU;^F*9tpk$JOaEMRQr7uRJ;EWJOO;#fJ*1np!(^Dpz8An zQ0;vRjY821mxJoJo52m>yTDE0gWyJR(qAW5CnFXM-z1 z)$iZHIp8lrmHVhAp6^0X{ct6?2z()^e*PH9zrz3UA6-*8pH9*9CU_F~&*07A=Rwtf z(=ukOfAAtkhA4nsqowo6x@_Q#Z7yJ^acK##S2Of8Yx5wq6>fZ$Q z{so};$~!^vjk`d#%a_5&fe(TjFOOT}{OM>=^_dN7d_N7;xN3qk!RLcY@0H-A!8d`Y zgZ~VwTweo4|Anp0LH~a~_y*e>r$KI1DP>4d9XBYrw<6_kkyX_ks!d zBk)-8F<1KYQ$W%GQc(SV4XAvc1&YpZ0~P-h;DO+GLFM;L@JMjKCp#Vws^8BBMQ2;V z#o+TnrL#Lc|0$^Pcf?hM1up>Ap4WnBfNuabuD<{t3jPL!MHL=>wa-tNgKFRBf#-vF zgDUqQK*c-iDW30z;3eFTgQBw!foks`fd_*JKGpf#iQqBZp8=|VE5X&^X7Dud_23}* zDNy~<_cYJ_iI3vs{|(C)4`*_+d=jBhd|NEe}N~0 zzXcxy9$I#ObS$XyoD8b}&j!{1gP_LI%Rtp{cfk8Vwd?o6i@@K4%5NcqbqRPmcnSDI z@Eq`SpvL(l={)tz;h^GO0bUF~4^;bn8ia)u4jb}z8w435h4+X1$8Y!gUImJ7t_79v zjR9{1RqpqLbHML{;yaJ4dc4EHg!?l<)oTs70(>T@_TL@wH=z3U#2wy0>p{`~B&haz zQF#6_Q0@BvK;>5$_VGIxRQ*EM?^mFq8{!uO3jy=(+e;C>WT{1<|kfo~4ae*vn!4ybuKPXHBe6{zxG1D*`- z1XaFULGi!$fC~46fPVp1&m-zy{!75Q+>e4P@2kNBzz={*_mkj!@Ef4Y`?xWu>;8a) zpy=^-Q1R{tMTegQMK9k0H6DHq9t1xATBqmZK;^p>JQy4S)sIgHRsK(c%I}-u{y|Xb z9MSOcvk-hK_iI6ov+sbXfk!s|{$f!1?F9S5n?b$*04P59El}wn(emFn-_W*b%c*sug zmzCfd+}A;s<2F#``Y3o9_$5&D#18}h1yuVVKJN878&vtO0uKkD0jj>Q09S)w0L6cf zy3Wgc7I+}{Yr*5dr+_N&1gQ3YH7LIHzJQ+tMW;Uk6>h%?Pv;a+baEl6a*lw9f;WJo zw^xFy&)wh=;CI1A;QxT)*QZZ<_#tpM_kRa&0N)5+0sanrK6vThAv=Jd1+N7AuJ?Rz z1{ZSwK~U}W0H}KY2~;_be7fTqp!)R^(E1tFxOoY95qKxK2K+Use!2J=E{`@q)$dc_ z0`T|XdEo44dcN0yi@ARpsPsM$!cq#q0+)eTKg;E|*Mq9x{h;E{yutb8GEnKi6cn9) 
z0-Oat04l!&Zw%!QSOYKM`Rl+0{04Xu_($*r@VIAtx)*>KbN@W>Z1B_IDd1m0mE+{+ zc>i1u>b?nz{%!-sukHnv?r*@Oz{76xe(wX-e^-Ed{|r!ceFv!g-UX_DKL7 z?*Ck;gSnvYSAejRLJ2$<{3@t^KHzyyH%map-vp|Db#NB=22k|%X;AI>M^OE>0HRd5 zYrxsy%RzrULACRnz!SkAfuf&Bzu4)1DR?RO&jJF_p@F4E*1eNY5!AF2!0}lYd0Uind7(5hwFyNuD^z>$fdcFo!xNAU_^Ey!c z?WN)U+rY!QzbicdGI$vGKLHi~ub}F23ntv(37!Vt2dbU^1lo9d zjhA~asB$a?)ecVu)!x^F$APZ`MbCGFs_(Y~{u)%ekG{?2wLWk@_g8@nz~_Ua^N)b% zfHPj}^W=Hp8t%7&$AIq+&p!hypWlH;g2%tk^~)(c!y5wfnEZ z`#drm9N_+0py>HNa2t5o>zyvg!LzvkCs6eJ9dH#m^A4xqjiAzhE_gopSy1`x_m9rE zPXP6NEhzqQ3wSj6PEhT3FQ|6@8F)7MXYc}W(Hp$IYT#V%UkRQFehlmfzXOWD9Qa1R zUj!<>BB<~;gBqvr0af2`gQtLh0yVx*e3RE_7*x1dfok_%p!(%c;9~HMH~aHJ@G|aS z2dbPu0?XiWZ(;0%H-OIoe+epn?XBL=w}WSL|5;Ga9|YBo^WVnU2d@IvK1aRX^V=I-vw3Q--5@3SH8>ZvlCpx{ae5@zz4t+z{B3n z90#5WUID%h>;r!X9t)oQ9`E0a!6Ue@fR}*RgUa_Va2EIzZ~=JGdwt%z6kNvrb)cT# z1ug=A4ys?0_jx^^1RlWs1ek!gfNIybfvdsKfaijT-RbSV22_5xfER=B1m}Z412t}s zd%w$T%fK_ae-^0vydPW$-VdrD4*P)jOC3zO{~~xQ_$yHKd-w-E{j))}R}0kpJ3#f% zZtxKB0Z{GyCs1^E^oM*rZv$1Y7PvonBe)WL5vX`y1&;t92=5;RAJ6^%|KjtsL!Qi_<_5a7fP2ka=@ph_# zqT6?YYM*b0`@e#ha)0_~oo^0cL8`5_eD_cJ_)K`w}YaqPlKw*_d%8S zn6G*|7lDuAejE5`a0hrWcrB>-H-cw@?+ExkP~|=1YmT$PgSbBnTmmi!=YThZ>%n(} z>aPdEi@}v&_i=v{cp>+%1}_Ki3wYvxct7s|H}d>LpxR~TH(Wk?GN}9af$GN@-}Lm3 z1y!#;@Ca}NC^{Shmw_(_9}9jRRJ`wkqUS$?D#uCx>GgdYsQNw^JP-URcrN&RQ04Fc zmdlx=;04^@0IHon3LXaj7(563GuQ{7`Cm>4MNoX??chb=Pe9S_>~DMftOb{H{|Zq3 z`*l$1{uw+LJncKq50-+nx!(#Z{w<*D{Z3Hy@g?v~@Gqd~bK!TLt_Q%=xqmx&2zVc; zdj1$Z0X*(|p3eoK>bnIz4tz0q3HT0BboDc^A3XSeZ;wmBCEPy)JRkfxxCs0ssBzHu zeJ|eyp!)e~;KktEL5=4Jz^lQtf8gbRDR?;dcY~_uec(dy&*1T3{|}ws)`052r+}if zXM=}=UjeTIe+(*}r9X0dyb{#?4d5~0t3lQ8ec(TWUj#1$ul=!?|HI&F?tczyJe>Q0 z^OMU!_208W)#DSO+O_Z#?~gM;(ccrnQ^4(@=-`Fn{fEQ-cR|(f!2jpwcn3HK+zpDJe*r4qF+cTumVyfRWN-oajDYV3&*1*Mp!)amKlAdO0V@7_@N{q- zRDZq!6g~VqxEOr&&%NK5fNG~3z-z$U!6$(af=c&Ezi@1WqN`Vc>ZiAc=et3*_Yc4X zd@$T6zjXd}0jPAY237w_Q0@9!@NwXOf@=RCf@+uFgMDD~D<5y`!1>&lz)QiGg9n56 zfeQCSQ1pA~ubr+3z~^!Q0&qQe_-}mtRY1|%J3x*5Z-Ywb$lrQ<%>j?(egk+ExE)*o z-T>?ZN(tQc2cD@G`U3@R#0srg#>U>b; 
z8Uy>me*zWm8=&&v?~l$WE8wNvzX22-eIHc*`~S(u?hEs^RgQOq zqO0$N8YlZb==q)wYFu3fs-DjV7lH2vmG1rF`F@2N)_x1Y(|BG2RqyA6BjEeMbHNj5 z%&>mj0v^KsD?zp6+rX>9uY)S*qDRay`l^B}xqkz=6#NNz0XXlGGpyX(LFM;aa1HoL zQ28AEs2N6omw`&Z2tEyb33v?nOHk>~+;4`p>l49Cxc^7+N#OUuwcvS=o?+wvX7E|u zzZX=vMUR@X-g(Furvnco6p&fl7ZZn1F5Y zMDSIh^7~-8{}OmC_rC&_?&A-dVRo(KL8WsNcsRHad;+)%JQRE~C^{Yu_pbp(|L+3T zuAc&r0Dl_ZKjPpS1<~;l;9=l-py+HZsBqVSs>e8}d|ndp4WROWKPWo?3@AGJJ$O9$ zgeUm@d{FIrIjHAVQ0d(QD!)5GmG=YT{r%u0xi1_tgAstAgZ>MD48_6mshVa<9K@`K`Yt%9y`3pvK0(@?11~EO;@`G%oZ9Yc4#B`+orE^6raVXK@|H zbq>$Aaox_p=aT3*HD`nG37uL)^cXcSm$R zKZN_Y^89mLy9oD9P=Am^;Z9Ivct66t3>4ky@6931ZJ=oHJg%n^W;yq7;rHjkA@CUR z9`G@|JB{o4+~@y(#?4E(Cd0$G@xD&Di@2}y`(S=w7vB95+!f-V13r~^e;@8O9>oKW z=Gp7PFNfz>2jo#;B^KdpXbF zrU(43@ri{W*LYxP{&vN}+xL44l2=ij_9-jRbd=t2hXZgP`ar5sX&YiiqzY2j?^X$R! zdy?Ou4Zq*W?-sv5$Tg6Qr`ONozDzzBfZ}PF@cXb3=Dd)9gXfFF?`7fL>lB&468E15 zUkLt*>+kvfZLYWT`?cV!xPH#>I`{>!`)?NMUd6*-h8K_K{)_xx!lgN)7UEn7uH|}O zxL-=RuZ1|08LtVy1)t;k3gI3Xo(=O`^Tl_-VeoxmG1TWZ{EmOWhMvEaXhRj!jm-tQ;ePVR5-O5=R)|BmZ^ zuAg$9MELiB`a2pt6GT)f{0rBU`HdK0^Id~*XYzX(+|KnSem|Y}-vc#owZKb2{k@#u z@$Xgqp5W$PT&PBcS9A3fzn|w@xjxMO7Vx)ROjQM@Et|(K1fRjXcXH|PNaB1FJizXl z6L|j;uDinh#o)6URydApHNT%40z3!2DTH}E z`CiI3&iymPv#Y?Day=OCLo~C~{5;&8NF4p$m-?#bWLc;H@gt?IGUwQTwt{wb7 zkn1!2J~_nur-1*%v*lcm;{GY%sf5$ttz5IYE(_sq=J#fTixi;XimcgJ%bG|3Q9V5#B$O`$2v`EyNAM3yuw~6~Qt_3_hBs`CBKuEU?7Q@4LhG#zlPvlBS<0)Kg z_$?XuMIqc~p6TzF5dLuRxbW(4y9(n9)wzYJl{;N79& zx87*&`WM{)C)f2M{92yHzhn8an|JquV~WT1X(4}~0DlmEznuI3wx{$L&#ohl=W>61 zc&}F%aD82Iz(wFvJ>>7VT-S27h%=jOOb^4~`@y5Qe#&(?@Ad~*f#-7RZ!zh7gsaN^ zSHVwm&E@xJz_0VZ!gV_LPYB^p;JN<(lWPIb)^Q!g^=Ixc=iNBJ&jvrj{Wbi~|6Lkx z-VEMAm;^i$ye~XInBV$)0oUyC+aB=Wi@E=OxcM>3q*x-tPGx&Wh?@tI}M|tsYT=(+) zJg)mgz>9eQF7DsM{o!2agz&rh{Vkqv=K2S&_;(;b=5rm-wT0_@TnyxyvlgD(T-{8H z$!KMCTcwfI2Nx&)bge%aYSi0fO&%t*nn|^p)atEdtWjxJYOSPNOG?Gk_DcWELeiHE zRZ4XN&T9Id;w9BG56bpndwsN$l&g(Osa0=Gq~U7yq*B|N^jVnZ_R7eJy|UYOlM>~U zu=`qZwBoT<_GGl(Y$e+&Nuym$ip``^ueW9v^k&wgQ=6+)2m+sZDuvR+RjZdLwYF-? 
z(?zFJGCd7dRr0FoEdJYED{dR9B&~YVs1(b|&f-YBl3YEj{8Z0+UNTW{H@x=cWUSb1 zj@KLIWV|{ul2oo6qn1grMN&%=Yd>DJwkNIam841O6ICIpHxiYmIHC+Dh*fR2DCLr5 zgdg++Pg;#4$+Q~PZS7X2slt@&R`1*!OBJmR^D=bv{M;X7g>;gi(0O1YY!!@>S(3eDvpj(W3Ra=A~ebB z4fK{ZOJT`ii^eH!FV=?CM5bX=IwzD)bq|Gg2Q)>g^V#D_c?;zuwurES9cq z8`+X~X}HoVEP<4pV?}yP;k=h=njAeDwQJ~A#zqJy@;54{W|XK=EKxQkQy))Cl}1a% zRcuwrx>+gDAE5DDr6Pl-*rwPuaxJ#1^%|`(GG3f$CfBwr^iGjds8+^jnhbPWuj21w zg_jpw#biUEBigH$R2mIRS}&E_jYg$BFJbt=w~}(DS!z_rlnd$A#5D%%?OK^EX^62( zEg7sb=3_9D5G^Qo?-bgP&(>lZpa5Ka?v zPdg|XtB+JmRnjPmWf*bik`OCUR%)VpqdG|&Z&UJ?ZqM<{3( zO8o>a@v2IMHUXF$x&vekq%)#M5X7$F^+EBw$Y;1`_`&A}+t3!JhOcZ-#wv|!y=~>G0CyX6qjp>%vlm0w%j+QZ80T z>CZXk%3!fQ(wbXXCdnb+^;X&X;NVELrV>FrA&j>&L}Cnrlvl2iZQs^&CZ%gTtQBlIdxEGNU_R#U7|}qSh)hB zjH)_SA3N4)s5bOlK$G(#@It~}=@qxEuia6%l(Xo>`3Tpr)^>59>rsMWqJL_STu-}fYk zDiS~knYp%UQWM8f0%?{F=na8F6p7T?)iV-cTgkwRHPu@CIwv+0NszhH1okaNpl6p5 zMIqZOrC~|~!ygzJSgsaAG_4sIr$<%HNO*7;sHP@qi%=DlILrOX+Tt*BVw?G3c6D%U zw%%zTaB@-n*@H(6ajIXpvcBj7eDWqC^?H${KpwP_WAF z)ooQp%mq~0>j^RmTruQN3NFM|5UDFs~GOa?$OjB~4V zr@j!{xbh{c!k*%&TxcAgL2nc%(=dAa5JuD`3_;7vI4x~jsv{hf)ZJ-T)5QzAk(X5Q zeY&1Lg;2iEj9t>UF}K&4mOxYuQq?Ssx{l^Cxuv)h7Gw%bX!CrnEJSE3v6B8|wR5BJ zjJAMS+S|hIoX+l>J5N+#Z9IY8RUAQ#qi?+xYxFb92z}ny=h5f)NgZm?MzB63Mf$Ne zTSJv8uxflb@JKcL6mO)LX&i~&Ge3+}kkm|02*Q@6*Xrn49XbpQ5&16$SG&QyQ#Dh) zUTr}rbeVX(X;~gvBQglols`+#q_}0098oJa1kDb)Bh1EQCb6k0kQkWYmaiL#*2r>on`TUguZ&XDoco+mxWWBfRJhu z>T5%uiCR1jXw95ydo~S1W|F5TNMSS?-;OxxJhZvphG-MRK_y95SW`PD^0d)k$PzSW zrSO?>8I%YDHEpc)=#mZ8D5*1O+!d%b4TubdPy!2);5Ue>lfDr<4xMcZSWs*AzQpW< zTr0DQ_q>!to-@%;IAfh3Cs7m+WYLMfY^7-yfH&D5@_1G57yF18wJLBp>rma zEBrwe2v@lI#0Cd5NfTymoL>bp{VyFe<C3&Ay()^g&HA zuGXs3wW^aEkfPugqAM(S#U9?$foRZyOB$`k@al3Ugso<*y^W@pK9r`05M>&yva#5e z7;k*Llx>?L6@6L>xifs_x=N{SDI%&>u%3)Ckt6NY5MZtRdDERlL{~m@raN_Lkeiyx zoY^%PabxzpWHucnC|8u&?74-NDxQhnowG;3^CUBVh%ZM0P_kEbs2#*0Q;Xd?5C(9Wz6WvHE5c8kf~Xg32Isc?CIe#dTQZBuB}nxmf>Mgazj;SP+vkF;hIp zY;?<(kPddkDDVK4ZumCd|!)jE9 zvEt}fBvvJ>fSNNklpzt8uaw@&qX;TG%m07l3DQn80W)>aQ 
z3Q|DXD`P%Pd@51BoT1Dtc(l!%WfSd6D+qYqkHwQiv}j@W+h%~&_>KIp{LQ%R`NHrH5}VaZ}S047{*O{DW0;d!hs4Hj(avU=uI8iRR0ysJ)q6nr*Z3 z)8wILrbq%I3!a7IK`CpnISB@VH`o}4bY=Dr_FfYbJRHJg+7m<=FKT9|gCz~B9Jc5o zxdZu8&D^Yyn6=guq&n&3nkEzN*wtDeBN6#1us760%;U{m>oGM<(7srwL&4&>^hF;R zxQZ02VG4g3Y4jl#klYtK+>&tu@fM=_B88Y8IG9wd3W1=k))sNJcwKe0J!-~B)mYS8 zX_dAotC6|rXP=jN_av_F>VlePQ8k7POSpy@I7@&YtXb7zuF!Z1sknXKC#aJSVP-K?FQO zOJNam*mZ!takJGuY;<*5>z&w7BW;`A8ImrEdUL}RZppB`6>K)+;5omCT#z0w7f|F2#Faz(M|rb`Cd67}Fjkkh)aK@>`;L#f$(s z0SC^`pmsTl90si$vPDBpj;1JGH?g(d7;)CIz114Cb%R#D#6l&d5hGSEG7O6Tl-WEV z8O6pBLO2G4A*3TnY{JMpWh^$oT3mGEDGNyQ@H@AyAPOThhO&?;qpzbZDudFQmy<-B z2%NA0HH6A0lWwDLTr0P>!Y95UE?+9FuDJp?S}m~-?23ks|8&Jscew?x7(t}rOOibS z+>V}XhE&N#5}YpuUOlV%)F{r*Bxi>GXplrSS)~+_O^fAi?Pi}XgUN8YPf?n6Emw9# zs``=#HdQUfJ6BfmNiXOOzC!3K2`yWqp_DwjSu!9}`1Ij|sI$)j z>1Wx?R=b%j>ffnIqc&gp#O3R<5Y^gPyETt>gNoLQf|8L`(BSEX*|TIEcFd(Jt67!; z?axX~f6P4g{qOKF&(dR_&-9)yAJh~aHcnCeQ|TB#?|xOCO? zLM+kNKf97q8+HVyOW|MbkzymQRlaPw*IC`B31CH>=3Ol4G_ON(r+XXM*`|4~N)=W& zn@r?E_%#D8EGC#o>T+6{HQAn7NKIp61HHZz>1%|~kO zHEsxzT<#N+3#O@%M05#fCK1A|rKv|TX_}};g3MZ2leN$}O{mnogf!}NdQVWY4#mic zuHEV70yQUUrR|M+t=?|Br4Vzxv!tn#PQ}?GvO{LpiE><5vB@SEp;;;7n-FEH!kQ{l zp<0ht+_Y+w3CY$4*;L*UMjV-NJVVkW4vMOY73$ky9*onms^@*CNWIHh4?PX(E$MWS zMt3O)F~Bmb${`DD4c1aP8;kH^naPN+KaJ!|Vqu!eB=BktzG#bD@NdeWt$3s{$LiQ& zlnIVe1jb^~mhCcqpJrG^DNqq;83a93(_^byYe68X&sM&HauN+iFl!kC?4F{o8yLvi zMKVaP3)1*nQj`9q;X-ykFg2b7gP=k=2a7db!9y*wAg=us2&Z*Sd8L%(eZT{0xhA*q z8~Gw(;T0pMdL!pBwYG?ufj>@lrzVub+Mulzv8+q5$SF@sJgVFwlgu$D>p2!;DlAZ^ zDb)}|OrFsaN=^hCG!sx3%-sCcDDK4IhA`y3yiCtnM%^t{!kQQj%)iQYB|N6&I3%k9 z?e8ukykY1{hQT_QW@8<`dU;`O-d%Dph8gA^lNBXI%p_*Bsn#*c0%6y*KBpsZc`uWk z3YG7^gvQc}pI#amI}U9K*CF+wB*Fx8)=E}ywR{n#k+mpRQZUo1Y1KctXE{So3B0g& z`gcYcVP@Z3usDM@3r_K-wg%BLnS-sZJQstgw5ep&R>_!IijWik@+v!`&N>;*^dB-1 zi=DHPq?nJ)JXB#-iBUoSOOnF&tChy&qGZ#?%`0q~9l?ICrx3?dH0}m-Q5UJN+edTg zy6A&rtRlUGNg%!D3|#RIGL})3nFXAa6xPX3-Q}Z_>PmQd@V0@Omhj{G)ysAD zVAKfqa2AJTf3g9d37I~H&;+dXx0y?<_teN{x(`BWzXmrpIHq;)U3dM6oT)qXUQ^pB 
zM~#P`no(zWW=WcuUc;s3{IaK#VeM;5m6PnfP7B0L)I-|?QTd}xhzWK|TMNlqkd+ld zQ+}g~QG!zayzCHhShBY4 zO@Gh%jYZ*nZvmTyo)9_7-QQ)oIEh5^3(GAriLPM1kF#;#o$g*!q|sdo=#FWGvDfHE zAEBmMG3DGC4F%FA*1J1eVZE6|1IP=e)ef%iyupB;DN3Q0-40olQW-UnVAEM2FaxTxNey^$0W0U;K zylbv6jntb@ofnq^S&mYyK%hZ(Rv)6Nz!7?S+r&EadB!M*bIrqzJ;b7utR}sgo9rWp zRoI3agd!w!mdm?jspbJByLxS-&8xw?B`n)EA5vOo3^C(P<^L!}CPbMu|Bq7B+|a80 z-N6W2B`S{lyrFl z!+w7j7EKEiCKd!+REGRaJZj_G)PR1nfFk6OF+Nr9jbefWkLBrKPdb;JGvjRGkc=`}Ld*#O9wHW? zE_cIT6ZfnVmT!57$d?&!oaoa)`)3mmoJv~>SkGodmDr_IrYw}x;)!ZXAMxWr>PB1BovA$!w>d(WDpAyW*J-W z&BY9+UP_iV6dDgU-E>o7rX615NtwXmA%bsu$RkVz+DjQ`hklP?yDZf}GM>0QJAP2D z`dDIRV|ocmYpN24%MLLO5$<-#@# z18y0$xkqHUywV(2**7%m#>^WPHeWD`>ZU^VhQDm7nJ4!g$Rp>c94&l@-3hrh-R{DK zOs9(&T#0%M)vc<;bSDxhHLY^o-`MfU8poc%;>xL;m0M1WBXX}Au$95^%I-A{$*Ssx zD(3`nKGHJAF1I>jk(`3~`XRnitWk+SHe0NI%P&(d_ahTfm9H+q@n!q63~af@?K1_4y^^s?O`C=w z8uNXGRoE6x?;i^*Q?U>6uv?o(kjH##x0T63O%bglX0_0cVYOw>2gl;+8T0+NdQ-Aj z$_BMnb%d=<@Ky_k2nqW#v+%wrZ;k+I#R>yiq4m8N7NQ{HkDzSP%S>nRslUuM5TbRr$hz&uZB8)CQiEN*ku( zp226qF?TU2YJG8zav{dtc|wAOfG*WsHRLm#Ih(`U0>CIrCGRw3@B=VQJ3HQ4ZesCU z;~C+?i-$jyyPj*vF|I=)+$XQ@k+qoSQACc-y4m zv&WrfRI8?R*F7}nG%*Foaw{ZDmC%V699G)6@gY)d+Pb*y&b3vTjyTPp*H~55eo*P& z0(Pv*<_ltpj#k7Ut4*_L=Tj5?TV1lgut(ip5g&Fpczm9=cP6DV7;(1CWCR(c3Io}D zleW}UF2#yb+aA0!fuf|)y)c{xR~W>}vB>W6l-yonlyp9&2w|bu`am->8@=6MQMw^A zeORa{479hgPSnCvGm-D*1U?P66Y!y%xd!42eadcAsv(!KOE&lcMgE+7A)?FQ)>|&_ zPL&ALS!kiD-iFV{0WQo)1v~PT%PW#%(VXC*?FMQJueIEJ;&y?7eVJ6p9 z9hX=On;;WupJ6JoQglC57WT}Bnin+n`ggrFS1+X)g?1~PCO7?HiIzEv-NY6`dom+? 
z_i<>CSqx#z0@Ik8jP-%2;aQo^3H$3 zh0@H6nru)Sm7l!8L)Ft-Zr->iS;o#u7#$jo%SW`QW)*A##AO?d;udW)xJA!9M+7k@ zCMy$PFy@&$nG}auFvEbLaxPgOGI$6Hx)5yp!ShMw4x^Z&aI|IcmPT`MCyrb>yX0^Q zcG_+}b@Hyvsr2S#99$xpvwUl*ZCjRmuF{yQS`;O^yG>CPrQ21UJ(lL-h$Hb=d~`gbjXW6xtX*Jt9DApu1Dcr9J0h%3WKIZWcp=Bg_)PTuQb* z%Fp%Cvy?#XVhQg;rbR|Z$TUhA`GSOzrBx4=S5z!-oNJ>7zgdnEGYgZl=f=44&j-J5ipo}i}P$*BphjC2EjQyTL6xwW^ zL6R1Rs_3`56RAjU0PG=%5_WpX2@(gAv-w+ER4Z*)Vj9}?Gt*iWvZ)BXNGv98+89T5 z-;UO!<{g9!A;m=;D%B1 zvU11pSvZCYF8ZN8v^Rmagf$^yKja9q)QRDBL>wzl*f~Z`4mA;_h~p_oHO+8!q`qxJ zo;Ow(>RFFMlQV(*Ob=hAwTj&hWKlKq#$hABf|2UBhV&95&^0|l($>$@0P-vC1&t|_ z%QkViPUJjk%lqOK!@)NHPyv;1tEaZrUV2t(Cz#QJwR$^^2KPOuI{7Hm%34q&N9-@= z-i#5*&j{#BBidzsX(t?lWd>1i5ymw~OrYMm6N@>YcO@b78LKN~hJJM&CUtq%V<_zJ z3K#c5&;(&`tWA=18LR_~qD_(6pibv~Z{~gOGUra(9$GDJRTEk<#)`fwAQBJ73_5Q- z`K!2%Jsya8Gd;Yt_mDFHp=*1Io+t%vV+g^TEp#N?`W%&LUu}seMTquNy)!dQ#DNic zgbxY`#FBMuJuNEPM#4~TcUT;Zwl&NPn+BIWu=n87MLR_oF6jzL$4p#^(QA2I z*FHt;Dn@!xpuBHoPSFH!?KHEHog&!9hoZedAHv67s7-2$Np~(!8W;Dr6efe<^LhBs#x zVaqG$1GibSdV0{JlJ~l4p-q~q`hwT^E5&03YVXRgv>GC~deL#SrMk2L6#HKOcF%lB?vw^%l6yt!QE=-k`oVKDGCgUuSF zuRY7m)hXvr=BV_s8|PX$OeQkVWftgk^}<}sSnZJYh{ZiSe9RV#%}-6HYgnacmNFDO zFV)fwqO~nj1|b2m?%MahWy!{MP|4zClNwoVG^dSK0r%mN_FPQfOz|8&Xq%bCp>1aA zbm_6o7~3KzsxoX}=6uNqsg)DXi2onsOrr)(xUfaK1tZT$yGw=(1&mrNGiO-3Ho+oO zTssp<YZA66^0ll_+>cXn25vhi&N$n z^JUGsn!0!mN8sc#$v0vFYH>NQW#cv2-j$ntVbc=BW4AMIWB?&^i=9#*t)dmnp3N{J z4e#P!=9$Lta;n~PpTdP|+tPig|d%^h~iW=e7w<4nHW2q{vY-VRqPZ33uz2>%P*yx(hWUUB05j?Z< zh-_PNSC5&`Btn zgXn;D%LfWZH_QE`GA5LKf2Oaq3MiT0KrBcja)*|qz1%9eo&gh+E7a=zlk8-MFzmOr z<`N%DYb2~^0W;}4d!`dOAiUPr(VcqK-K zo`mfCN#TLh&bl5}J^K45v7ABW;vnkPkY@CT;D`t+40Z`V+zzS|- ztfM2SZ^!doXLP+vyP*4dz8kvUo@f+lUxSv^({v% zTbwLfu<*RT1?TlGT$C(4bMb;R&se}80sA&qc2-5B9pTRGgO@H`xcJQTJe-K4&un;j zBGhSs4b^%J|H8(un}(7L$8=N1_xsWzaZ^s`9ldzw8fNM?-eP^5D#cME;IxgXGe;+U zES^7qe0;p0V^FZZ4OXsGg!xFOYLDjpvH7y6%^wNz=Z}rdpPQz(m~$Xzu3f!$Mb>Bw z`xneqL&HM*WLsODv{*bR8gtYI@~%T%Z(X!`)5^Z{vT(|p!%_NH)JiNvYe(pLoCG{` 
z!wBcvjr6U=5P&LK8?)QyMQ2_>wt92XoZ3YfEle&+79_l$wQ#}37cELoJI#Jxc+pw< zIY*BdT)1#Sa{cx8TwxZ>CC)Je z218Ps+|mHB_dn|ui5>f9)av)P0cv8fI;_5BvL_ebqS;z#o|;gEwo)ID-!oA% ztT7EIyKigM5zng4;i5u^IAis33O`&7L&DPO%%#2iu8Gz#j_%}|%dA$M94{taFX52d z;;PNY)npPfFYdY}X*bxoSs#URsdRA|Yk$`lQQBilIQ=3D+YRB|ELZR_{UFNbv=nS8 z2n~x$<1OzEtB<6pVMpt`@2VA(dbu>oc@PwURm)a=_iZ$B{&OivQPh089!SO~hKjpy zQ+kt>juYc3Wm3QAj#g!doocrOJz#R2*CXw1wzjf^wqV7iMU)+^{H)<8zT0&y12o=* zNtTTXjt%C)Ldz01`&dO?uV6Uz#h7j$GvLG>u(qyrT8>7x;_R>w? zeo~+})RW24Dz#uaQB+;DPp)thX$4xs6iac&S=?4ykU{mHJ0`^^{Enqujcv5xBGP?( zasvK9pl#UbT7@l5?pts+tZ2p3j;cnBl^t>xr6{c&y^02H)Yo?1L|@bOH!U7PXKV33M{t@M*H(Y27{oQ_oI+qW-tfLwoJeR*txmbdWZ zp?nmlmyK%7k>GG~_g!W3_i;AX&?igkSsJ58qfo61U&dXhw7sx}N~`F*Z%nrBzH!%0 za=2hsS?yadt63+hRUHlv9oHGPZA#TrT^R5<@;4^N#GbJT4Y!TR%9DH%D2&mLPSyI% zcy-eH7{Vcfl_CV^*t~o0nAN=hS#QxtT%4%K>7L2<4yKg}7FH%Xbdu@1H8EUO&sQk$ zm|WZ0o1{JqL##=27M)ttbS8^dUQ5UpM4*wjh622k%Bk(zP!itMDAW%nRvfshh!?=P z-$O~lzxoo3pT%_AqcY>wGB&;Z3%Z4a2We#}OdM{E&KR$^I31QA+E%R$x7vlxIcih) z<%rGuT}-%_j4C@iVjA7q+&x*`rgj#6ml5_DyMg<4k#(`KjIqGSewv`NM=;)r}$j9hng2ai)@=q4Wl-GSg;`C`iQ#<-KsaZe$Ydnc=m zp~a$1aI>**vKu^Tv!o_^wCFOE7p2JAr}fc^-M7IoE1a2Lg!Ve9P2*WJP_Ia7&FfsB zwuP~Xp@^Y{^8`>nD4@)qlOmA5m|zwQ4GR}mvx*tyxC>}?6fqA z)qXG0>Wo!7rMl}DXUe(YtPVgOal*wLl(8=v60OI+uEWUBvK=8AHCa=gyL!h6YNis<(39L?HcMl%_~m}Qz~ zD8Uqwr>jz~F(I_xrs&Qz7hWUkVP&7nL1CMXWFLh8T+%FF=6ayrY$NkbMR8LQ88XPk zc;l0ImY^3Cl`F%|R@<$%?cgy!+$?rw0Hb_3;UmA$jGl6Awq|qG<|K1|bF5JuM?Og@ z*CzdKK_vB|@Q07Lj-*izIOz2DMgFlg92uf3hwwhPKBl2%E}` z84G3ecD^Tc|Fd3~D#P_LwKUHW9b~CN_<3Crq-1M|pA(A8mD8ySE1A}$POq0Gb3wy; zCz+4+q+!jE9y6V~A4*gVBNfhsg;^kA#8xq0>CCw*wM$kc%@3>wP8P*SCyVVtlPZ1W z=7~mhV8v9wcBmgdnURyUcS(6R>X`~;GqAb8$R~Gl^tY#^azsmy?Q@coIA(>RoN^-- z2LhOqa!fA>oW;vo7j4x#>GKUZ}#dhD_A+L)>%Dj#Oj z>ZV+N-dCm|XZ9h>p|j`eHsxxv3c9k9to3(C59h<7_xjAxpImP9PA7dp{8Ejn#~i0V zktnE5B)RAtdl3(CG?oZW5#}3n>6t+rXvo~R!?eo1*oJT)s zW;W$5T4xHDsSV{}^fydZ!7i~QBrLYzI)N!)OC?~NWaUO93HvUu5)m5{0##JQg83qF z1oQ2WYM80$EIYe~t`!_4Kr~4dmYkx$Jjizlb~b!Wr_tPCQz``jyC&~PJ~bbh^z 
zWK*0A1z5c$jLELSt6te0D~iF5X7Z7cQ{Vy4nOHQ9JlV*kCQoY7XV=*~Ng z4?cOSZxGOBB$N$O+F-lKhLsELn@%b_%$q>othsl=9;f-9 zINY!~7i$*fkY?F}m~w0l7R<+uB$-ajIFOr>-HkIK7Ri?9U6PZ+8OtVLtB#VdQGU&q zCl-h)M#q;a71I&sj8BZR|EeZ^N1-$s@{i#uQg>S#i}aI_2$nDG0NA&kF#Gw|=On*F zdn$Zj#c?80B~o3E_Yj&YSJ)D}fFzRRTicZM#5K|aW35V98B)72|2``pBFW!G^956AK8!oIx zm-vAr%k3}(J~t7A6m54?cGqET#*7d?J(UH3HrRo{>q-aS2OAek4r5#}e)!+uQ&{Ss@_9c`N zkuAq`Ds*fk?~0x$OKjj+WU%$wnL=2AO51zFmW(4}0k5Aokn0uaNoY z(NMQD^x{wd1{Qa7Ifbe^>}s(XW1Q0alg)X}MT3QOp?ouzKuDC_T~VcAVCW01M#7$( zT@hvmTp2RKfN7ESpOQX>4F{~Iv$5uSBDCGCZu1b62xhn&>;1|4XyfxmF8@Rp%r1N( z%ZlD%dCjcc6P#S;b(w z`z|R^l%xr76K!Mq409GsjJ#ojfyH5hO2vVBiO=w`@_ZL!7FJ)mMw{u1h1If@Nw1ZN z#M)>*HE-J5Yj(GKc~}Fq1ii^!pwG-XKy zVog=?^AiV0xoLBZ_#B~-Y9>u)iqV;Q(}vb;Ol(&AtgyRo-BX}$D_jiAm`oE?x9*ZT zr8mi`gY_huNn~0JPaC*L6v@o)ED_(u=gNGcIIdz83+qH$k~XMsT$4oYF^hJ5pdPjv zcxqiLs8ZG+*#59W#)u}s$S>8J8Tlk{OkT~BlLm1+eBW!XQScbXIhN088zhg^tZ0Qy zI12|i4<8WiXxW|myI+ONaS4EFvA}3bRHsNHQAzUMRC?HGeJGNf2D*_4#L!`e-b4JJ zjB%wgof}D!;SQ}asKke>VyWYmeE7Buyd$ibsrs2pG;K-4+DRG`?m^gS`1YMbbC8kd zc4Wd#HZkg&fTR!mm|B?ar^|^&w_xFB{a!MjctOmT{@YU?k{M+zvsnk~b}<|#Vm^Kv zcx)rAGZBf(CmosBX!oOSztr^W1U**xCCgG z2|69o@xKuoh?Em6f%!_orkLFRpL#);{J z<1;2+P172i>kKH}wa)(4DDyL#lmmmy6szFjVR3AI+Xo-kD7+x1^#_sT!*W*}_0t_p zBGso)7`>=Qw&14^l$~X__NB6YXT<5kZoYF|4`ISIsm5mwAFLfqwOvCu71B(L*?a7$ z(}_8ZLWgF1hqdR8?@(AFm;s|TCr`0-J$;!@eBrBRVo@f<#KD9*5PclNbMxG(@f^}{ zuMS3&$#$$@N$YjX5#(+mnW|_Lq`cH|1Mkt@HzN4i!W-rxmgDh|5DyoVXTUX_{$;6@ z_yzsMu_Xf*?o?FRKRSlE!Wpz~V1;>2c-eW4FYhPsWPwfRAPmH2a9v0%hg9ARVYP@x z%v?4$wWC>?d?PV8t?6Vc{!Db&%hiNxXT7Y|aA}ImUx--2^qAJdT2H1jD>r<<-C1r= z!Z|(KxjreU89J=SsEqz@!aNn~96>ApWF}vx8kww8XRng2p{NO)cxf?)WwbzhV!(I` z@PD{ubyy!gg=qNw6TV_jFsbUA2CbTtd46C4Ru0o$)< z&Pgha2=0?;|=*x+blj~5D)5}hvO4W$J)mm*A{4*U=w4zRS?KIV07TJX~Lvl zCxh%soiY`dbEwr+qRupNTu#T6M2D?Cw5ZlO(>-bDasDb%eqO z!c>g&Pug-l4QKq2&ZgPuYE5Nb?G^*5s3>~*ChdF`tFh~*DFb;erb)q@mjakqO-~*@ z+TMmnor9!D;ftx}Ert;F*1$mMF6Z2~W-XSZTX&9SnO@(ko7PP=8vFS^2X=>Sv#>eP z8tgM@6*d81WWU2Ho)i*98mVauxGZlG$|oIYZbLsXZ7cx{49jE?LhADtkbOrb4y 
z<`(5YxTf;VR>?gWg}3sE75GG>N_4-ApRZ$q-Iq!ytB4s|gEPyJl`n7hf|o{dTvMSI z=Cfq?5Ku1C?g!>2XmR?L+EibzlK`GCV=n7lu;6T<(>WxBO2p|JoeVQ`pU~`yB7~>3 zX7fOO~E@c$Qe#?V%w<*x*vFRC0wwgf+`j?!$mCgql6w z=h%HrAaqTq06t+y|MVug0VWzGe->nIWR58$iOaiu=Cv^sAH-tV7#%LL^LZy?Fwm+naVfWHf`D78n40A!*+LfMV zM+wIHyqv7vAyA*y9h=gPxnzpCI+rH5MLV0t)@0`*SE~QY6lx1uunOA)lKNSs+JOif z=~?tmA<~7BU|}|o3R%!I=iG`u(3jSxqZvDUX_@b7QOmgLcb_c0nvUgDU$*5aIo(`Q zA8l(flubs_-Xakh`$S%tZ95@!6rq0)aq*mrG_;qf%w6V}p=Cw}KI&mJ$+)_*P1j?> zrskLrTgFqH*+T`) zJ_)GxuaJtA?E$2Ta5l4bX8!vJt1Omge48Jp(Q%zT$5WS_-5=qoN)9D8cmJtZla&`ckd%_< zS?M_vdGf1Qrh&lB;MkZP;@%-d{LTg2Dj(=v?h2X`Rn@%5qCG{MUgT;!Rm_Kwhe?Bf zYYtQ~-=b5NiS^UqSCb2>UNbt}w_06p9@{eEmLT}0+I1KQ1Nc zyyJ6-C@$(Zdm7A!>(M!u8i=)rliGhmig%G7P(Yg9g*jI;ED-5Gy;J{|01 zZr{uA+PJMch+0f>XY8i(8x5aRQmYDB*!`Ngak{R>7H#y5z03hjn2h)S6~-`ESM^yL zO{mC5Cb23ypWhRum|LRspd$7yiH@Vz{lU^5)G;R?+e0Gi*|((Hl7`u&|B#ZB$nV<> zDHAQ^a!DoU={o%<8+*$2kP=&+eF1At`W48(Ey}h7eg=Y{F4Gqaw zo3SVR(f7jU6;o?X_;SP4WCw%x4>?M3G5G=Gm{u}mPpR~W{1^+Cu?~xbjVSEoP_aBI zlL&(jOY-i!%$GBBAkEg6#Pe~O>Ik;2$nsNAr8`5yanKalrYEyg_{?K}XXKPk5jKmg z@ZH(C`&Z6OOFS)$k}mOelx@mL?zc7O8nkQ!G&M^3-XrF6jtFA&gIKv&A}miE70iqx97dIyNV6i$(C%{r{!X`_~`Y znQT5Tq*9Dd$3|wp$$|=S#md{1i>LWuk$9gN=TPo+BI~(YS=IkMjUNz3IVUpC!E5YOL(e}L>I-VN~m`6pcHfYU+K8PTY}^~Q3$9tJ)U zp$^=ym^o$^9bT5<#e$w=95W!r{eOR^fcbMzl3ItdWA zlr1NI)00@#Ua_WHYqQbOK4b|MJT!YoG%y$wh0nzi1T)rZ;Bwz9U=1ba6b_+Lx6lo8 zLrv?Tp33PC#nj9m3SG74M(*?3*l$fJ$|rgS(y%=8?1YoBWbZbEtOq&|ObM0^4w~3? 
z%OxT4{LV|;JQfR%oe>9ReJe;!8rHtEddXr0j|z)5I$;N{5~YVUn%k<()ialFKW7`I z?nq3&KGk=XsN+bVl+kpi!YZ6e3LNw*VPUEidh^~K8c{aaEbqN_kq+B;l1h6gBP>3^ ziP9pkqiH+Y2bk^K=o*KRdosN1CV5um)LHYJLxyHBAt0~}po1Cl$Z3y^@kK8!nTx6) zMpBpYCC_Q1i$&y$;2tw^y{OY|%or~MU?|}9`?aswb6Z;S@H)z$L*yDz(IWKc`YetP7m4K|-@s|57I{pBEq>O{xkVdSI zd+1i`1ELf|zUL5<( zIXAi@|MY`?Y!@NoNa|u_JORn9tkyPh8fKu+k47#T=3|$_O-qThi4JMXh6(&U4lD8X z7+t;@?f52pn)xw>NEvr$ksP;lq`}F{O}eCj@Ecc7DbvLu^p|+cM93%~toS z4BN2Gr0UW@5j$KhD#aGbLv&(nBZg)b zJP0;4mv%1YrR|*HZjMs%6R0RXXoJCC-kf9|g2T9Ml2Hl5N@$LBG=hVHM&eC8aeHT;#;|GP;d`r-Y-Ltb zQ&u!LT!(Yod}s_M6;F0l?@mVm-Qo7ox!pm#yV!)iUR5S#My4+4kc-^Zms2i$mVsQO z{*xAklX^&2`wa5xAyS|Twqp2Qam|$~jV@7cs`yyD%zB~(>_8$$h^f>}zEZZ*muAVR zr}fB0@%V9A+II|3tri_{QYo0Oy z-?hQJVER}7m6Yk<+gZ_5zV0CCjt~Pnup&6o=X%cF)@l!4MnZY^zR6uK{7^gkRo4a2?kJ_w7LT;-)_&&v6~+qqCB4T}anF&0=6Gvi7q5x$?)6bE-g+;vMxqgHhFzz;>0U#vDex<*N@qWGPDh&DY*IraA)&3x`8 z*N1cMQZK-qGohaprj_>S8IXGGrNNbdTuPBz!JIEKpf{kuu=3`^!&G5@S$Mt-UDq_x zz%Q;?=KOkn$pcP@u>p}+pPVi3(3YISS~{TYHcI2)5U&}!^Ady&HfY{kg^4LPOPH_& zJs`YqtKy2v&LR9Jv7&|7U2R>)mgU~n;y>;V7d|#i9;v=e*Qfj6C7s-J2jjTwL$lGX zCOsI}n4)v)l-hEeiaF>?E)v#ylQ#09qH5K)PuZ9GKK|Gp#CQmO$v{g-Q|_y@oePHP!5sPGd%J`^{^OHF zBU+fUMLIsZNWoPevwNuyIX6vuJIaCVh02b=V|Gu4=eC)o#eQr9ml*-#v4^QqHVz(l zDhPy*;!R({q$C5G$%{`5Q^z<`gZzLYm%SM=tOSU?g_Tsp*1(EHAS^=IisB*DCjHnX zpv1doq)zUgv8mw>_RP9gI;BJ&zBv=L^87wJ!K&f&jJzYbYqz61Y_u`iwo@Tc$0ggPW4o#0^dSJ!rp)ToB9xtnR3q(o>ORiTgG zh9hf)MNvJUd4e9B(*{;`VlV79PEPryarZ5s&NyA!ZLCk? 
zw5AjG;3us2U>9P6Rv$J%-qlifb~<}5rtDq=;rKL~C&D4U z40X3JHmEFcLrm;o`!~~%JKOqOBqfOoF)=63G?$*O*LmHZY-OHsf1I{DKNrtV8srnG zafPN!WYB`EM1{aF^Z|-=3ryTb#j?Uf*)z4-rf+#gO0Pnh>{(9AzI+xB!9*fJ0OfN7 z!P4&vOLxSu9ko~JiQ7+Y5{_KRtd3^6R*B?BqMPYHQjCd;Yr zvP9ZSZeDd$y{1$ZIX$swP0u?@;LdMj}F_Cou<&s)9k}@nJ;B3 zj|VPp!^Z{vD8XcBk;QN21d~e)z{y3(Y>{^6cJJY6s|mbr9L>XBdK@3CMKTyjdx(dB zrt4Ul1B+HUIdTna0>glFoTDkYw{E#+)Q3+@)MQ~&b<_gno(?a=Ea(y;zB7gO1DiHp zwPN>2R;*jSVsYL&n#_?}K?msr%U$Onl8x(Vojb2}R6>tb%3etO@N!fb-BSiNFsclU zIh6BgF1lQsjA(RuT@`n9aUMd38rC~(I& z44&&g+A*zVx589dWl~j}^$*FKL^Nu*^G32geD>9F`}_#UEu$_mQDv5fqA`|G8TnFp z*-5Hi)+r{CinA7~6Td_ho$ZvN2!d6gsEJAm_8!TZ6MY#>%hkcW?Jg9MDCebNdT}c7 zGl7{8aQ!HW`IvlK)J%p!tkPA1^mI?wedC9mo#wP!=C(vSNe$^I2b-IOKIOdLj|B`3 zk!n#ESsGOAGM6R74r>__^hsyPDtvQ=V^(w^6`RRyha622yoKZ5P+N}7hM^c!Z{*I* zEElLG^*4T~5yTHs4a_KG6IeU_lyhgbvqICnc+UD)ox9p5cm`9oAg|$$$s7-BrPE~Q zqV{Cyc6C|1?M#TyjG}`AiNrOU@!)dgyd{_T+TkvRx zQsXHannQaz8`?41?7+cM(Hz5(QXtV;aXB8^EzQt=9<11=7KR~3Rp-#7Ef^DrYnTKI zY!NOecAiNLSxJQ+MpG4mP(#Vxm_b!bLXr7Wd|O<#y=UaZ_FO(D@0kTS6A7<(zfi%2 zW{q(pKO>02;akLtOv?JkwU2%HmGXwO_a#lCGR+?ketE+_!1;(=H=iw@|8+y%EXE8> z2@Ex!t=6^-`z42)zMU=*Y2!xAJ1otWRa7y$jg;sqtCw{?n#3w z0!JiH`MMs;1tgc>G1763g`Frq)S^n5&IxxDUpi7d zU0R&z$K~nu1H5+PqSZpAN@rV0;z^%)!Ru*f%!MgUPV_20aMDvsAxSg6!=vX`f~w`Y zI#9YnF7OY!fb7+9myefLMCo`MyQ&5$cAg?#*4D)oY`Yfv51RD+ZMta68fDILD(5s= z`c!7#R+%;(tuR>A<&l%7%j3bBE(xGa*C)HT@&xu_^5+|j!kH^QSDbQ|b}jTYNz$fQ z&~lLa>0(ZrIn(Kf6*ZlcHfYl+Id{Zd>R?V|_+gJoK_6F&0G=MA!8&oI*}qc#2_GZ6 P+, 2011-2014 +# sgallagh , 2011 +# Piotr Drąg , 2015. #zanata +# Piotr Drąg , 2016. #zanata +# Piotr Drąg , 2017. #zanata +# Piotr Drąg , 2018. 
#zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2018-03-09 11:38+0000\n"
+"Last-Translator: Piotr Drąg \n"
+"Language-Team: Polish (http://www.transifex.com/projects/p/sssd/language/"
+"pl/)\n"
+"Language: pl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
+"|| n%100>=20) ? 1 : 2);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Ustawia liczbę komunikatów dziennika debugowania"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Dołącza daty w dziennikach debugowania"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr "Dołączanie mikrosekund w datach w dziennikach debugowania"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Zapisuje komunikaty debugowania do plików dziennika"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr "Czas oczekiwania watchdoga przed ponownym uruchomieniem usługi"
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Polecenie do uruchomienia usługi"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Liczba prób połączenia do dostawców danych"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+"Liczba deskryptorów plików, które mogą być otwarte przez ten program "
+"odpowiadający"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "Czas bezczynności przed automatycznym rozłączeniem klienta"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+"Czas bezczynności przed automatycznym wyłączeniem programu odpowiadającego"
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+"Odpytywanie wszystkich pamięci podręcznych za każdym razem przed "
+"odpytywaniem dostawców danych"
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Usługi SSSD do uruchomienia"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Domeny SSSD do uruchomienia"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Czas oczekiwania na komunikaty wysyłane przez SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Wyrażenie regularne do przetworzenia nazwy użytkownika i domeny"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Format zgodny z printf do wyświetlania w pełni kwalifikowanych nazw"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Katalog w systemie plików, w którym SSSD powinno przechowywać pliki pamięci "
+"podręcznej odtwarzania Kerberosa."
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "Domeny do dodania do nazw bez składnika domeny."
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr "Użytkownik, któremu porzucić uprawnienia"
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr "Dostraja sprawdzanie poprawności certyfikatów"
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+"Wszystkie spacji w nazwach grup i użytkowników zostaną zastąpione tym znakiem"
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+"Dostraja usługę SSSD, aby uwzględniała lub ignorowała zmiany stanu netlink"
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr "Włącza lub wyłącza bezpośrednią domenę plików"
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr "Konkretna kolejność domen do wyszukania"
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Czas oczekiwania pamięci podręcznej wyliczania (sekundy)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "Czas oczekiwania aktualizacji tła pamięci podręcznej wpisów (sekundy)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Ujemny czas oczekiwania pamięci podręcznej (sekundy)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr "Ujemny czas oczekiwania pamięci podręcznej plików (sekundy)"
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Użytkownicy, którzy powinni być bezpośrednio ignorowani przez SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Grupy, które powinny być bezpośrednio ignorowane przez SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Czy filtrowani użytkownicy powinni pojawiać się w grupach"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "Wartość pola hasła, jaką dostawca NSS powinien zwrócić"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr "Zastępuje wartość katalogu domowego z dostawcy tożsamości tą wartością"
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Zastępuje pustą wartość katalogu domowego z dostawcy tożsamości tą wartością"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr "Zastępuje wartość powłoki od dostawcy tożsamości tą wartością"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr "Lista powłok, za pomocą których użytkownicy mogą się logować"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr "Lista powłok, które zostaną zawetowane i zastąpione powłoką zastępczą"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Jeśli powłoka przechowywana w katalogu centralnym jest dozwolona, ale nie "
+"jest dostępna, to zostanie użyta ta powłoka zastępcza"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "Powłoka do użycia, jeśli dostawca nie dostarcza żadnej"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Jak długo wpisy pamięci podręcznej in-memory są prawidłowe"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+"Lista atrybutów użytkownika, które program odpowiadający NSS może publikować"
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Jak długo umożliwiać logowania w pamięci podręcznej między logowaniami "
+"w trybie online (dni)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Ile nieudanych prób zalogowania jest dozwolonych w trybie offline"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Ile czasu (minut) nie pozwalać na zalogowanie po osiągnięciu "
+"offline_failed_login_attempts"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+"Jaki rodzaj komunikatów wyświetlać użytkownikowi podczas uwierzytelniania"
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr "Filtruje odpowiedzi PAM wysłane do pam_sss"
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+"Ile sekund zatrzymać informacje o tożsamości w pamięci podręcznej dla żądań "
+"PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr "Ile dni przed wygaśnięciem hasła wyświetlić ostrzeżenie"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr "Lista zaufanych UID lub nazw użytkowników"
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr "Lista domen dostępnych także dla niezaufanych użytkowników."
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr "Komunikat wyświetlany po wygaśnięciu konta użytkownika."
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr "Komunikat wyświetlany po zablokowaniu konta użytkownika."
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr "Zezwala na uwierzytelnianie za pomocą certyfikatów/smartcard."
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr "Ścieżka do bazy danych certyfikatów z modułami PKCS#11."
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr "Ile sekund pam_sss ma oczekiwać na ukończenie p11_child"
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr "Które usługi PAM mają zezwolenie na kontakt z domenami aplikacji"
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr "Określa, czy szacować atrybuty oparte na czasie w regułach sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+"Jeśli jest włączone, usługa SSSD przełączy z powrotem do logiki kolejności "
+"„niższe wygrywa”"
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+"Maksymalna liczba reguł, jaką można odświeżyć jednocześnie. Jeśli zostanie "
+"przekroczona, wykonywane jest pełne odświeżenie."
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr "Określa, czy mieszać nazwy komputerów i adresy w pliku known_hosts"
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+"Ile sekund przechowywać komputer w pliku known_hosts po zażądaniu jego kluczy"
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr "Ścieżka do miejsca przechowywania zaufanych certyfikatów CA"
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+"Lista UID lub nazw użytkowników mających dostęp do programu odpowiadającego "
+"PAC"
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr "Jak długo dane PAC są uważane za prawidłowe"
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+"Lista UID lub nazw użytkowników mających dostęp do programu odpowiadającego "
+"InfoPipe"
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr "Lista atrybutów użytkownika, które InfoPipe może publikować"
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr "Dostawca przechowujący hasła"
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr "Maksymalnie dozwolona liczba zagnieżdżonych kontenerów"
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr "Maksymalna liczba przechowywanych haseł"
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr "Maksymalna liczba haseł przechowywanych na UID"
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr "Maksymalny rozmiar ładunku hasła w kilobajtach"
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr "Adres URL Custodia, który serwer nasłuchuje"
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr "Metoda używana podczas uwierzytelniania z serwerem Custodia"
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+"Nazwa nagłówków dodawanych do żądania HTTP z wartością określoną "
+"w auth_header_value"
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr "Wartość, którą sssd-secrets używałoby dla auth_header_name"
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr "Lista nagłówków do przekazania do serwera Custodia razem z żądaniem"
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+"Nazwa użytkownika używana podczas uwierzytelniania z serwerem Custodia za "
+"pomocą basic_auth"
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+"Hasło używane podczas uwierzytelniania z serwerem Custodia za pomocą "
+"basic_auth"
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+"Czy certyfikat prawdziwego partnera jest weryfikowany, jeśli proxy_url używa "
+"protokołu HTTPS"
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If
false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+"Czy certyfikat fałszywego partnera może zawierać inną nazwę komputera niż "
+"proxy_url, kiedy używany jest protokół HTTPS"
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr "Ścieżka do katalogu z certyfikatami CA"
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr "Ścieżka do pliku zawierającego certyfikat CA serwera"
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr "Ścieżka do pliku zawierającego certyfikat klienta"
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr "Ścieżka do pliku zawierającego klucz prywatny klienta"
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Dostawca tożsamości"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Dostawca uwierzytelniania"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Dostawca kontroli dostępu"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Dostawca zmiany hasła"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr "Dostawca SUDO"
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr "Dostawca Autofs"
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr "Dostawca tożsamości komputera"
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr "Dostawca SELinuksa"
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr "Dostawca zarządzania sesją"
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr "Czy domena jest używalna przez system operacyjny lub aplikacje"
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "Minimalny identyfikator użytkownika"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "Maksymalny identyfikator użytkownika"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Włącza wyliczanie wszystkich użytkowników/grup"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Dane uwierzytelniające pamięci podręcznej dla logowań w trybie offline"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Przechowuje mieszanie haseł"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Wyświetla użytkowników/grupy w pełni kwalifikowanej formie"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr "Bez dołączania członków grup w wyszukiwaniach grup"
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Czas oczekiwania pamięci podręcznej wpisów (sekundy)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Ogranicza lub preferuje podaną rodzinę adresów podczas wykonywania "
+"wyszukiwań DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Jak długo utrzymywać wpisy logowania w pamięci podręcznej po ostatnim udanym "
+"zalogowaniu (dni)"
+
+#:
src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" +"Jak długo czekać na odpowiedzi od serwera DNS podczas rozwiązywania serwerów " +"(sekundy)" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "Część domeny zapytania DNS wykrywania usługi" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "Zastępuje wartość GID z dostawcy tożsamości tą wartością" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "Rozróżnianie wielkości liter w nazwach użytkowników" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "Jak często odświeżać w tle wygasłe wpisy" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "Czy automatycznie aktualizować wpis DNS klienta" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "TTL do zastosowania do wpisu DNS klienta po jego zaktualizowaniu" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" +"Interfejs, którego adres IP powinien być używany do dynamicznych " +"aktualizacji DNS" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "Jak często okresowo aktualizować wpis DNS klienta" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "Określa, czy dostawca powinien aktualizować także wpis PTR" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate 
utility should default to using TCP" +msgstr "Określa, czy narzędzie nsupdate powinno domyślnie używać portu TCP" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" +"Jakiego rodzaju uwierzytelnianie powinno być używane do wykonywania " +"aktualizacji DNS" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "Zastępuje serwer DNS używany do wykonywania aktualizacji DNS" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "Kontrola wyliczania zaufanych domen" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "Jak często odświeżać listę poddomen" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "Lista opcji dziedziczonych przez poddomenę" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "Domyślna wartość katalogu domowego poddomeny" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" +"Jak długo dane uwierzytelniania w pamięci podręcznej mogą być używane do " +"uwierzytelniania w pamięci podręcznej" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "Czy automatycznie tworzyć prywatne grupy dla użytkowników" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "Domena IPA" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "Adres serwera IPA" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "Adres zapasowego serwera IPA" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "Nazwa komputera klienta IPA" + +#: 
src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" +"Czy automatycznie aktualizować wpis DNS klienta w oprogramowaniu FreeIPA" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "Podstawa wyszukiwania pod kątem obiektów związanych z HBAC" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "Czas między wyszukiwaniami reguł HBAC w serwerze IPA" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "Czas w sekundach między wyszukiwaniami map SELinuksa w serwerze IPA" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" +"Jeśli ustawiono na fałsz, to parametr komputera podany przez PAM zostanie " +"zignorowany" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "Położenie automountera, którego używa ten klient IPA" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" +"Podstawa wyszukiwania dla obiektów zawierających informacje o domenie IPA" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" +"Podstawa wyszukiwania dla obiektów zawierających informacje o zakresach " +"identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "Włącza witryny DNS — wykrywanie usług na podstawie położenia" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "Podstawa wyszukiwania dla widoku kontenerów" + +#: 
src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "Klasa obiektu dla widoku kontenerów" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "Atrybut z nazwą widoku" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "Klasa obiektu dla obiektów zastępowania" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "Atrybut z odniesieniem do pierwotnego obiektu" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "Klasa obiektu dla obiektów zastępowania użytkownika" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "Klasa obiektów dla obiektów zastępowania grup" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "Podstawa wyszukiwania pod kątem obiektów związanych z profilem pulpitu" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" +"Czas w sekundach między wyszukiwaniami reguł profilu pulpitu w serwerze IPA" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" +"Czas w minutach między wyszukiwaniami reguł profilów pulpitu w serwerze IPA, " +"kiedy ostatnie żądanie nie odnalazło żadnej reguły" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "Domena Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "Włączone domeny Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "Adres 
serwera Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "Adres zapasowego serwera Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "Nazwa komputera klienta Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "Filtr LDAP do określenia uprawnień dostępu" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "Czy używać Global Catalog do wyszukiwań" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "Tryb działania dla kontroli dostępu opartej na GPO" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "Czas między wyszukiwaniami plików polityki GPO w serwerze AD" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" +"Nazwy usług PAM mapujących do ustawień polityki GPO " +"(Deny)InteractiveLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" +"Nazwy usług PAM mapujących do ustawień polityki GPO " +"(Deny)RemoteInteractiveLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" +"Nazwy usług PAM mapujących do ustawień polityki GPO (Deny)NetworkLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" +"Nazwy usług PAM mapujących do ustawień polityki GPO (Deny)BatchLogonRight" + +#: 
src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" +"Nazwy usług PAM mapujących do ustawień polityki GPO (Deny)ServiceLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" +"Nazwy usług PAM, dla których zawsze udzielany jest dostęp oparty na GPO" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" +"Nazwy usług PAM, dla których zawsze odmawiany jest dostęp oparty na GPO" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" +"Domyślne uprawnienie logowania (lub zezwolenie/odmowa) do użycia dla " +"niemapowanych nazw usług PAM" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "konkretna strona używana przez klienta" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" +"Maksymalny wiek w dniach przed wymaganiem odnowienia hasła konta komputera" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "Opcja dostrajania zadania odnawiania konta komputera" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Adres serwera Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "Adres zapasowego serwera Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Obszar Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Czas oczekiwania na uwierzytelnienie" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether 
to create kdcinfo files" +msgstr "Określa, czy tworzyć pliki kdcinfo" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "Gdzie umieścić wstawki konfiguracji krb5" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" +"Katalog do przechowywania pamięci podręcznych danych uwierzytelniających" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Położenie pamięci podręcznej danych uwierzytelniających użytkownika" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Położenie tablicy kluczy do sprawdzania danych uwierzytelniających" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Włącza sprawdzanie danych uwierzytelniających" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" +"Przechowuje hasło, jeśli w trybie offline do późniejszego uwierzytelnienia " +"w trybie online" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "Odnawialny czas trwania TGT" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "Czas trwania TGT" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "Czas między dwoma sprawdzaniami odnowy" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "Włącza FAST" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "Wybiera naczelnika do użycia dla FAST" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "Włącza ujednolicanie naczelnika" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "Włącza naczelników enterprise" + +#: 
src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "Mapa nazw użytkowników do nazw naczelników Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" +"Serwer, w którym jest uruchomiona usługa zmiany haseł, jeśli nie znajduje " +"się w KDC" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, adres URI serwera LDAP" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "ldap_backup_uri, adres URI serwera LDAP" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "Domyślna podstawowa DN" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Typ Schema do użycia na serwerze LDAP, RFC2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "Domyślne DN dowiązania" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "Typ tokenu uwierzytelniania domyślnego DN dowiązania" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "Token uwierzytelniania domyślnego DN dowiązania" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Czas do próby połączenia" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Czas do próby synchronicznych działań LDAP" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "Czas między próbami ponownego połączenia w trybie offline" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper 
case for realm names" +msgstr "Użycie tylko wielkich znaków w nazwach obszarów" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "Plik zawierający certyfikaty CA" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "Ścieżka do katalogu certyfikatów CA" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "Plik zawierający certyfikat klienta" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "Plik zawierający klucz klienta" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "Lista możliwych zestawów szyfrów" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "Wymaga sprawdzenia certyfikatu TLS" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "Podaje używany mechanizm SASL" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "Podaje używany identyfikator upoważnienia SASL" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "Podaje obszar upoważnienia SASL do użycia" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "Podaje minimalne SSF dla upoważnienia sasl LDAP" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "Tablica kluczy usługi Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Używa uwierzytelniania Kerberos dla połączenia LDAP" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "Podąża za odsyłaniami LDAP" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "Czas trwania 
TGT dla połączenia LDAP" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "Jak wskazywać aliasy" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "Nazwa usługi do wyszukiwań usługi DNS" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "Liczba wpisów do pobrania w jednym zapytaniu LDAP" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "Suma liczb, których musi brakować, aby wywołać pełne „deref”" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" +"Określa, czy biblioteka LDAP powinna wykonywać odwrotne wyszukanie, aby " +"ujednolicić nazwę komputera podczas dowiązania SASL" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "Atrybut entryUSN" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "Atrybut lastUSN" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "Jak długo utrzymywać połączenie z serwerem LDAP przed rozłączeniem" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "Wyłącza kontrolę stronicowania LDAP" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "Wyłącza pobieranie zakresu Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "Czas oczekiwania na żądanie wyszukiwania" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "Czas oczekiwania na żądanie wyliczenia" + +#: 
src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "Czas między aktualizacjami wyliczania" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "Czas między czyszczeniem pamięci podręcznej" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "Wymaga TLS dla wyszukiwania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" +"Używa mapowania identyfikatorów objectSID zamiast uprzednio ustawionych " +"identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "Podstawowe DN dla wyszukiwania użytkowników" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "Zakres wyszukiwania użytkowników" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "Filtruje wyszukiwania użytkowników" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "Klasa obiektów dla użytkowników" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "Atrybut nazwy użytkownika" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "Atrybut UID" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "Pierwszy atrybut GID" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "Atrybut GECOS" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "Atrybut katalogu domowego" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "Atrybut powłoki" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "Atrybut UUID" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "Atrybut 
objectSID" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "Atrybut głównej grupy Active Directory dla mapowania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "Atrybut głównego użytkownika (dla Kerberos)" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "Imię i nazwisko" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "Atrybut memberOf" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "Atrybut czasu modyfikacji" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "Atrybut shadowLastChange" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "Atrybut shadowMin" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "Atrybut shadowMax" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "Atrybut shadowWarning" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "Atrybut shadowInactive" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "Atrybut shadowExpire" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "Atrybut shadowFlag" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "Atrybut zawierający listę upoważnionych usług PAM" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "Atrybut zawierający listę upoważnionych komputerów serwerowych" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "Atrybut zawierający listę upoważnionych rhosts serwera" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange 
attribute" +msgstr "Atrybut krbLastPwdChange" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "Atrybut krbPasswordExpiration" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "Atrybut wskazujący, czy polityki haseł po stronie serwera są aktywne" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "Atrybut accountExpires AD" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "Atrybut userAccountControl AD" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "Atrybut nsAccountLock" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "Atrybut loginDisabled NDS" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "Atrybut loginExpirationTime NDS" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "Atrybut loginAllowedTimeMap NDS" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "Atrybut klucza publicznego SSH" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" +"atrybut zawierający listę dozwolonych typów uwierzytelniania dla użytkownika" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "atrybut zawierający certyfikat X509 użytkownika" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "atrybut zawierający adres e-mail użytkownika" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "Lista dodatkowych atrybutów do pobrania razem z wpisem użytkownika" + +#: 
src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "Podstawowe DN dla wyszukiwania grup" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "Klasa obiektów dla grup" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "Nazwa grupy" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "Hasło grupy" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "Atrybut GID" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "Atrybut elementu grupy" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "Atrybut UUID grupy" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "Atrybut czasu modyfikacji grup" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "Typ grupy i inne flagi" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "Atrybut zewnętrznego członka grupy LDAP" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "Maksymalny poziom zagnieżdżenia, jaki usługa SSSD będzie używała" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "Podstawowe DN dla wyszukiwania grupy sieciowej" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "Klasa obiektów dla grup sieciowych" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "Nazwa grupy sieciowej" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "Atrybut elementów grupy sieciowej" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "Potrójny atrybut grupy sieciowej" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time 
attribute for netgroups" +msgstr "Atrybut czasu modyfikacji grup sieciowych" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "Podstawowe DN do wyszukiwania usług" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "Klasa obiektów dla usług" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "Atrybut nazwy usługi" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "Atrybut portu usługi" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "Atrybut protokołu usługi" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "Niższa granica dla mapowania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "Wyższa granica dla mapowania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" +"Liczba identyfikatorów dla każdego fragmentu podczas mapowania " +"identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "Używa algorytmu zgodnego z autorid do mapowania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "Nazwa domyślnej domeny dla mapowania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "SID domyślnej domeny dla mapowania identyfikatorów" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "Liczba drugorzędnych fragmentów" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "Użycie LDAP_MATCHING_RULE_IN_CHAIN do wyszukiwania grup" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use 
LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "Użycie LDAP_MATCHING_RULE_IN_CHAIN do wyszukiwania grup inicjacyjnych" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "Czy używać Token-Groups" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "Ustawia dolną granicę dla dozwolonych identyfikatorów z serwera LDAP" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "Ustawia górną granicę dla dozwolonych identyfikatorów z serwera LDAP" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "DN dla zapytań polityki" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "Ile maksymalnie wpisów pobierać podczas żądania z wieloznacznikiem" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "Polityka do oszacowania wygaszenia hasła" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "Które atrybuty powinny być używane do sprawdzenia, czy konto wygasło" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "Które reguły powinny być używane do sprawdzania kontroli dostępu" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "Adres URI serwera LDAP, gdzie zmiany hasła są dozwolone" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "Adres URI zapasowego serwera LDAP, gdzie zmiany hasła są dozwolone" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "Nazwa usługi DNS serwera zmiany 
hasła LDAP" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" +"Określa, czy zaktualizować atrybut ldap_user_shadow_last_change po zmianie " +"hasła" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "Podstawowe DN dla wyszukiwań reguł sudo" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "Okres między automatycznymi pełnymi odświeżeniami" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "Okres między automatycznymi inteligentnymi odświeżeniami" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" +"Określa, czy filtrować reguły według nazwy komputera, adresów IP i sieci" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" +"Nazwy komputerów lub w pełni kwalifikowane nazwy domen tego komputera do " +"filtrowania reguł sudo" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" +"Adresy lub sieci IPv4 lub IPv6 tego komputera do filtrowania reguł sudo" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" +"Określa, czy zawierać reguły zawierające grupy sieciowe w atrybucie komputera" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" +"Określa, czy zawierać reguły zawierające wyrażenia regularne w atrybucie " +"komputera" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "Klasa obiektów dla reguł sudo" + +#: src/config/SSSDConfig/__init__.py.in:440 
+msgid "Sudo rule name"
+msgstr "Nazwa reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr "Atrybut polecenia reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr "Atrybut komputera reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr "Atrybut użytkownika reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr "Atrybut opcji reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr "Atrybut runas reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr "Atrybut runasuser reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr "Atrybut runasgroup reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr "Atrybut notbefore reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr "Atrybut notafter reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr "Atrybut kolejności reguły sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr "Klasa obiektów dla map automountera"
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr "Atrybut nazwy mapy automountera"
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr "Klasa obiektów dla wpisów map automountera"
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr "Atrybut klucza wpisu mapy automountera"
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr "Atrybut wartości wpisu mapy automountera"
+
+#: 
src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr "Podstawowe DN dla wyszukiwań map automountera"
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Lista dozwolonych użytkowników oddzielonych przecinkami"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Lista zabronionych użytkowników oddzielonych przecinkami"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Domyślna powłoka, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Podstawa katalogów domowych"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr "Liczba elementów potomnych pośrednika przed rozwidleniem."
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "Nazwa używanej biblioteki NSS"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr ""
+"Określa, czy wyszukiwać kanoniczną nazwę grupy w pamięci podręcznej, jeśli "
+"to możliwe"
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "Używany stos PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Uruchamia jako usługa (domyślnie)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Uruchamia interaktywnie (nie jako usługa)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr "Wyłącza interfejs netlink"
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Podaje niedomyślny plik konfiguracji"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr "Odświeża bazę danych konfiguracji, a następnie kończy działanie"
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr "Wyświetla numer wersji i kończy działanie"
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr "Usługa SSSD jest już uruchomiona\n"
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Poziom debugowania"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Dodaje czasy debugowania"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr "Wyświetlanie dat z mikrosekundami"
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr "Otwiera deskryptor pliku dla dzienników debugowania"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr ""
+"Wysyła wyjście debugowania bezpośrednio do standardowego wyjścia błędów."
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr "Użytkownik, jako który utworzyć ccache FAST"
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr "Grupa, jako którą utworzyć ccache FAST"
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr "Używany obszar Kerberosa"
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr "Żądany czas trwania biletu"
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr "Żądany odnawialny czas trwania biletu"
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr "Opcje FAST („never”, „try”, „demand”)"
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr "Podaje naczelnika serwera używanego dla FAST"
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr "Żąda ujednolicenie nazwy naczelnika"
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr "Użycie niestandardowej wersji krb5_get_init_creds_password"
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr "Domena dostawcy informacji (wymagane)"
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr "Uprawnione gniazdo ma błędnego właściciela lub uprawnienia."
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr "Publiczne gniazdo ma błędnego właściciela lub uprawnienia"
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr "Nieoczekiwany format komunikatu uwierzytelniającego serwera."
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD nie zostało uruchomione w trybie roota."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found."
+msgstr "Wystąpił błąd, ale nie odnaleziono jego opisu."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr "Nieoczekiwany błąd podczas wyszukiwania opisu błędu"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr "Odmowa uprawnienia."
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Komunikat serwera: "
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Hasła się nie zgadzają"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr "Przywrócenie hasła przez użytkownika root nie jest obsługiwane."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Uwierzytelniono za pomocą danych z pamięci podręcznej"
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", hasło w pamięci podręcznej wygaśnie za: "
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr "Hasło wygasło. Pozostało %1$d możliwych logowań."
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr "Hasło wygaśnie za %1$d %2$s."
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "Uwierzytelnianie jest zabronione do: "
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "System jest w trybie offline, zmiana hasła nie jest możliwa"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+"Po zmianie hasła OTP należy się wylogować i zalogować ponownie, aby uzyskać "
+"bilet"
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Zmiana hasła się nie powiodła. "
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nowe hasło: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Proszę ponownie podać nowe hasło: "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr "Pierwszy czynnik: "
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr "Drugi czynnik (opcjonalnie): "
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr "Drugi czynnik: "
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Hasło: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr "Pierwszy czynnik (obecne hasło): "
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Bieżące hasło: "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "Hasło wygasło. Proszę je zmienić teraz."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Poziom debugowania, z jakim uruchomić"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "Używana domena SSSD"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Błąd podczas ustawiania lokalizacji\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr "Brak pamięci\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Nie podano użytkownika\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Błąd podczas wyszukiwania kluczy publicznych\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "Port do użycia do połączenia z komputerem"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Nieprawidłowy port\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Nie podano komputera\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "Ścieżka do polecenia pośrednika musi być 
bezwzględna\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "UID użytkownika"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Ciąg komentarza"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Katalog domowy"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Powłoka logowania"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Grupy"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Utworzy katalog użytkownika, jeśli nie istnieje"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Nigdy nie tworzy katalogu użytkownika, zastępuje konfigurację"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Proszę podać alternatywny katalog szkieletu"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "Użytkownik SELinuksa dla loginu użytkownika"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Proszę podać grupę, do której dodać\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Proszę podać użytkownika do dodania\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Błąd podczas inicjowania narzędzi — brak lokalnej domeny\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error 
initializing the tools\n"
+msgstr "Błąd podczas inicjowania narzędzi\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Podano nieprawidłową domenę w FQDN\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Wewnętrzny błąd podczas przetwarzania parametrów\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Grupy muszą być w tej samej domenie co użytkownik\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr "Nie można odnaleźć grupy %1$s w lokalnej domenie\n"
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Nie można ustawić domyślnych wartości\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "Wybrany UID jest spoza dozwolonego zakresu\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "Nie można ustawić kontekstu loginu SELinuksa\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "Nie można uzyskać informacji o użytkowniku\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+"Katalog domowy użytkownika już istnieje, dane z katalogu szkieletu nie "
+"zostaną skopiowane\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr "Nie można utworzyć katalogu 
domowego użytkownika: %1$s\n"
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr "Nie można utworzyć buforu poczty użytkownika: %1$s\n"
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr ""
+"Nie można przydzielić identyfikatora użytkownikowi — czy domena jest pełna?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr ""
+"Użytkownik lub grupa o tej samej nazwie lub identyfikatorze już istnieje\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Błąd transakcji. Nie można dodać użytkownika.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "GID grupy"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Proszę podać grupę do dodania\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "Wybrany GID jest spoza dozwolonego zakresu\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "Nie można przydzielić identyfikatora grupie — czy domena jest pełna?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Grupa o tej samej nazwie lub GID już istnieje\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr "Błąd transakcji. 
Nie można dodać grupy.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Proszę podać grupę do usunięcia\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr "Grupa %1$s jest poza określonym zakresem identyfikatorów dla domeny\n"
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+"Żądanie NSS się nie powiodło (%1$d). Wpis może zostać w pamięci podręcznej.\n"
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Nie ma takiej grupy w lokalnej domenie. Usuwanie grup jest dozwolone tylko "
+"w lokalnej domenie.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Wewnętrzny błąd. 
Nie można usunąć grupy.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr "Grupy, do których dodać tę grupę"
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr "Grupy, z których usunąć tę grupę"
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr "Proszę podać grupę, z której usunąć\n"
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Proszę podać grupę do zmodyfikowania\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"Nie można odnaleźć grupy w lokalnej domenie, modyfikowanie grup jest "
+"dozwolone tylko w lokalnej domenie\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr "Członkowie grupy muszą być w tej samej domenie co grupa nadrzędna\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+"Nie można odnaleźć grupy %1$s w lokalnej domenie, tylko grupy w lokalnej "
+"domenie są dozwolone\n"
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"Nie można zmodyfikować grupy — proszę sprawdzić, czy nazwy członków grupy są "
+"poprawne\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+"Nie można zmodyfikować grupy — proszę sprawdzić, czy nazwa grupy jest "
+"poprawna\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr "Błąd transakcji. 
Nie można zmodyfikować grupy.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr "%1$s%2$sGrupa: %3$s\n"
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Prywatne magic "
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr "%1$sNumer GID: %2$d\n"
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr "%1$sUżytkownicy będący członkami: "
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+"\n"
+"%1$sJest członkiem: "
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+"\n"
+"%1$sGrupy będące członkami: "
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Rekursywnie drukuje niebezpośrednich członków grupy"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Proszę podać grupę do wyświetlenia\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Nie ma takiej grupy w lokalnej domenie. Drukowanie grup jest dozwolone tylko "
+"w lokalnej domenie.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Wewnętrzny błąd. 
Nie można wydrukować grupy.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Usuwa katalog domowy i bufor poczty"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Nie usuwa katalogu domowego i bufora poczty"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Wymusza usunięcie plików, których właścicielem nie jest użytkownik"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "Usuwa procesy użytkownika przed jego usunięciem"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Proszę podać użytkownika do usunięcia\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+"Użytkownik %1$s jest poza określonym zakresem identyfikatorów dla domeny\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "Nie można przywrócić kontekstu loginu SELinuksa\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+"OSTRZEŻENIE: użytkownik (UID %1$lu) był zalogowany podczas jego usunięcia.\n"
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr "Nie można określić, czy użytkownik był zalogowany na tej platformie"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "Błąd podczas sprawdzania, czy użytkownik był zalogowany\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr "Polecenie po usunięciu nie powiodło się: %1$s\n"
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr ""
+"Katalog domowy nie zostanie usunięty — użytkownik nie jest właścicielem\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid 
"Cannot remove homedir: %1$s\n"
+msgstr "Nie można usunąć katalogu domowego: %1$s\n"
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"Nie ma takiego użytkownika w lokalnej domenie. Usuwanie użytkowników jest "
+"dozwolone tylko w lokalnej domenie.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Wewnętrzny błąd. Nie można usunąć użytkownika.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "GID użytkownika"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Grupy, do których dodać tego użytkownika"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Grupy, z których usunąć tego użytkownika"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Zablokowanie konta"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Odblokowanie konta"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Dodaje parę atrybut/wartość. Format to nazwaatrybutu=wartość."
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr "Usuwa parę atrybut/wartość. Format to nazwaatrybutu=wartość."
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Ustawia atrybut pary nazwa/wartość. Format to nazwaatrybutu=wartość. 
"
+"W przypadku atrybutów o wielu wartościach polecenie zastępuje obecne już "
+"wartości"
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr "Podaje atrybuty parom nazwa/atrybut\n"
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Proszę podać użytkownika do zmodyfikowania\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Nie można odnaleźć użytkownika w lokalnej domenie, modyfikowanie "
+"użytkowników jest dozwolone tylko w lokalnej domenie\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"Nie można zmodyfikować użytkownika — proszę sprawdzić, czy nazwy grup są "
+"poprawne\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+"Nie można zmodyfikować użytkownika — czy użytkownik jest już członkiem "
+"grup?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Błąd transakcji. 
Nie można zmodyfikować użytkownika.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr "Żaden obiekt pamięci podręcznej nie pasuje do podanego wyszukiwania\n"
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr "Nie można unieważnić %1$s\n"
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr "Nie można unieważnić %1$s %2$s\n"
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr "Unieważnia wszystkie wpisy w pamięci podręcznej"
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr "Unieważnia podanego użytkownika"
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr "Unieważnia wszystkich użytkowników"
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr "Unieważnia podaną grupę"
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr "Unieważnia wszystkie grupy"
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr "Unieważnia podaną grupę sieciową"
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr "Unieważnia wszystkie grupy sieciowe"
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr "Unieważnia podaną usługę"
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr "Unieważnia wszystkie usługi"
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr "Unieważnia podaną mapę autofs"
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr "Unieważnia wszystkie mapy autofs"
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr "Unieważnia konkretny komputer SSH"
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr "Unieważnia wszystkie komputery SSH"
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr "Unieważnia podaną regułę 
sudo"
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr "Unieważnia wszystkie reguły sudo w pamięci podręcznej"
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr "Unieważnia wpisy tylko z podanej domeny"
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+"Podano nieoczekiwane parametry, opcje unieważniające jeden obiekt przyjmują "
+"tylko jeden podany parametr.\n"
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr "Proszę wybrać co najmniej jeden obiekt do unieważnienia\n"
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+"Nie można otworzyć domeny %1$s. Jeśli domena jest poddomeną (zaufaną "
+"domeną), należy użyć w pełni kwalifikowanej nazwy zamiast parametru --"
+"domain/-d.\n"
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr "Nie można otworzyć dostępnych domen\n"
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr "Nazwa „%1$s” nie jest FQDN (ustawione jest „%2$s = TRUE”)\n"
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Brak pamięci\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr "%1$s musi zostać uruchomione jako root\n"
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr "tak"
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr "nie"
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr "błąd"
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr "Nieprawidłowy wynik."
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr "Nie można odczytać wejścia użytkownika\n"
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr "Nieprawidłowe wejście, proszę podać „%s” lub „%s”.\n"
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr "Błąd podczas wykonywania polecenia zewnętrznego\n"
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr "Usługa SSSD musi być uruchomiona. Uruchomić ją teraz?"
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr "Usługa SSSD nie może być uruchomiona. Zatrzymać ją teraz?"
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr "Usługa SSSD musi zostać ponownie uruchomiona. Zrobić to teraz?"
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr " %s nie jest w pamięci podręcznej.\n"
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr "Nazwa"
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr "Data utworzenia wpisu pamięci podręcznej"
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr "Czas ostatniej aktualizacji wpisu pamięci podręcznej"
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr "Czas wygaśnięcia wpisu pamięci podręcznej"
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr "Umieszczono w pamięci podręcznej w InfoPipe"
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr "Błąd: nie można uzyskać obiektu [%d]: %s\n"
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr "%s: nie można odczytać wartości 
[%d]: %s\n" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "Należy podać nazwę." + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "Nie można przetworzyć nazwy %s.\n" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "Wyszukuje według SID" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "Wyszukuje według identyfikatorów użytkowników" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "Czas wygaśnięcia grup inicjacji" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "Wyszukuje według identyfikatorów grup" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" +"Plik %1$s nie istnieje. Usługa SSSD użyje domyślnej konfiguracji z dostawcą " +"plików.\n" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" +"Sprawdzenie właściciela i uprawnień pliku się nie powiodło. 
Oczekiwano root:" +"root i 0600.\n" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "Problemy zidentyfikowane przez programy sprawdzające poprawność: %zu\n" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "Komunikaty utworzone podczas łączenia konfiguracji: %zu\n" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "Użyte pliki wstawek konfiguracji: %u\n" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "Nie można utworzyć katalogu kopii zapasowej [%d]: %s" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "Kopia zapasowa SSSD lokalnych danych już istnieje, zastąpić?" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "Nie można wyeksportować zastąpień użytkownika\n" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "Nie można wyeksportować zastąpień grupy\n" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "Zastępuje istniejącą kopię zapasową" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "Nie można zaimportować zastąpień użytkownika\n" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "Nie można zaimportować zastąpień grupy\n" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "Uruchamia usługę SSSD, jeśli nie jest uruchomiona" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "Ponownie uruchamia 
usługę SSSD po imporcie danych" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "Tworzy czyste pliki pamięci podręcznej i importuje lokalne dane" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "Zatrzymuje usługę SSSD przed usunięciem pamięci podręcznej" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "Uruchamia usługę SSSD po usunięciu pamięci podręcznej" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "Tworzenie kopii zapasowej lokalnych danych…\n" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" +msgstr "" +"Nie można utworzyć kopii zapasowej lokalnych danych, nie można usunąć " +"pamięci podręcznej.\n" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "Usuwanie plików pamięci podręcznej…\n" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "Nie można usunąć plików pamięci podręcznej\n" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "Przywracanie lokalnych danych…\n" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "Wyświetla listę domen, w tym główny i zaufany typ domeny" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "Stan online: %s\n" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "Online" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "Offline" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "Aktywne serwery:\n" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "nie połączono" + +#: 
src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "Wykryte serwery (%s):\n" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "Jeszcze nic.\n" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "Wyświetla stan online" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "Wyświetla informacje o aktywnym serwerze" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "Wyświetla listę wykrytych serwerów" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." +msgstr "Należy podać nazwę domeny." + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "Brak pamięci.\n" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "Nie można uzyskać stanu online\n" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "Nie można uzyskać listy serwerów\n" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "\n" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "Usuwa pliki dziennika zamiast ich skracania" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "Usuwanie plików dziennika…\n" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "Nie można usunąć plików dziennika\n" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "Skracanie plików dziennika…\n" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "Nie można skrócić plików dziennika\n" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "Brak pamięci." 
+ +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "Archiwizowanie plików dziennika w %s…\n" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "Nie można zarchiwizować plików dziennika\n" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "Podaje poziom debugowania do ustawienia" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" +"Proszę sprawdzić, czy usługa SSSD jest uruchomiona i program odpowiadający " +"InfoPipe jest włączony. Należy się upewnić, że „ifp” jest w opcji „services” " +"pliku sssd.conf.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "Nie można połączyć z InfoPipe" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "Nie można uzyskać obiektu użytkownika" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "Wynik wyszukiwania użytkownika InfoPipe usługi SSSD:\n" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "Nie można uzyskać atrybutu nazwy użytkownika" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "dlopen się nie powiodło z [%s].\n" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "dlsym się nie powiodło z [%s].\n" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "malloc się nie powiodło.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "sss_getpwnam_r się nie powiodło z [%d].\n" + +#: 
src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "Wynik wyszukiwania użytkownika NSS usługi SSSD:\n" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr " — nazwa użytkownika: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr " — identyfikator użytkownika: %d\n" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr " — identyfikator grupy: %d\n" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr " — GECOS: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr " — katalog domowy: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" +" — powłoka: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "Działanie PAM [auth|acct|setc|chau|open|clos], domyślnie: " + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "Usługa PAM, domyślnie: " + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." +msgstr "Należy podać nazwę użytkownika." 
+ +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" +"użytkownik: %s\n" +"działanie: %s\n" +"usługa: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "Wyszukanie nazwy użytkownika [%s] się nie powiodło.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "InfoPipe Wyszukanie użytkownika z [%s] się nie powiodło.\n" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "pam_start się nie powiodło: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" +"testowanie pam_authenticate\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "pam_get_item się nie powiodło: %s\n" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" +"pam_authenticate dla użytkownika [%s]: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" +"testowanie pam_chauthtok\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" +"pam_chauthtok: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" +"testowanie pam_acct_mgmt\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" +"pam_acct_mgmt: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" +"testowanie pam_setcred\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr 
"" +"pam_setcred: [%s]\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" +"testowanie pam_open_session\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" +"pam_open_session: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" +"testowanie pam_close_session\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" +"pam_close_session: %s\n" +"\n" + +#: src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "nieznane działanie\n" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "Środowisko PAM:\n" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr " — brak środowiska —\n" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "Identyfikator użytkownika, jako który uruchomić serwer" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "Identyfikator grupy, jako którą uruchomić serwer" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "Informuje, że program odpowiadający został aktywowany gniazdem" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "Informuje, że program odpowiadający został aktywowany magistralą D-Bus" 
diff --git a/po/pt.gmo b/po/pt.gmo new file mode 100644 index 0000000000000000000000000000000000000000..0623e597c17e60b7834164895a4336aa81b62857 GIT binary patch literal 18097 zcmb`Odypknea8<5P)B(wpyDdcL)n#`nSFq)i@**uv#{>&%rLVH1`+7Fx93i~_jX^p z`_AkvYDDpoC>k|tj79}P1SM)L|A>`n;*_bfOv*(6h+0;RRi=`Zu}mr{Ln$Wte9t-E zx9{xiEAiHz`QGk6eICE_d;jkK{c}$LfZ_95+6LO|&oJg6!5<9qhfnuxW3B-20k?u5 z26uqp1fK__1>pI z(dC=qi@=|Qqu}`$IC@Ngy1o;<6nr-*`h5Z9pZNxVH17|=XM)d$sF2EB2%ZVP6x8^` z;3n|Z;0wVwgQC;NzySOcQ1tvh$kCZ!fZE?Pnd~5VDfmk8FnA;QC2$A$B*+%cRyvC% zCPC3@286Vx0R~_X)H!?*6u*4cU;mT8K9|GS`RxET|Lq_{o7m%hpw|Cka3{D5YG3~i zijJGu%+=r&DEi+IivFJmHQx_GSj9Y@&FlQ04{DyvLD6eF_zG~`U%vt5pLu{kdjBy{ z=kT|n-aCy$-4CAY@lJ3r*PjKot|!53z{@yPj>fzO)O+`UTF09}wr<|*@o`Y=UIj(R zpMe~K`2`q&=e^jCyA9NMuLVWV9J~(vD5(D52gN7<4vH@4bEv{sfRMo43Em8@fOIim z12x`{K)wH8{`%~|t@CnllKWSKF9q)fMX!ha^&f*ex9@>EpI?F+?wLV%`F710V7CzYD7Wzk=e! z4G5jiaTL^hdp+I-(#7PU_~e5gzYbo@^?!obgIge;&OZgU?hpCvKL>SQ{|xH9&qvvu z1>OK^-u)o|%-#Ia`)>m$z&`@@{69dAcP2y)z)_H)%nYdKJ@6-|8S@TsE7t{`t$qQ; zr{4hs@GOYVk(m+j25<_5^~}3LUNxTqnaX?{)O=5ZqT3}bT6{AO-U8kSHo@c4?SXq?+Yt>Z1A==5hGtZJSD#rGEtJAE+=zKZMjfSTv~;1swSqVERp z1$Tg71J4G33F_R3I7IPh0BRjKfLp*EWC-&xcs2NKQ0Mpz9_so^Q0omr(cwXmC7G{) z9I5#UxC=Z7qOw&p1M0ndL7meVK+)}cp!iqJwF`Iwcouj&sC6!aXM)S1=6fT^(#==E z0Q@N^x}VMBMenOX&3`MXagKnfF7pmB1RnzL08hUPoe75EH28J!V(BQ}2p>YRQKie4AL++FVnwf-eg^nEKRzIzyC$>tm2jo?$D&hZBR zh%U>Zu0PHnjsJJxICvU|M^`fmo(sMnJOg|HJO_L~_We_H`aiBsy&c zZw7Azwa-t0cY#lUuK~~6Y0Lr`gZwjp!=GK?vlvu-w-0;{_&QK};tinA|9#-4;O9V{ z_qV~PgTDeV0MB@(XtP{3-~`ncxOzH)lbeM-vp?KLkqOd<)b%ehF>> zFWlwMaXWZ1*R!D3oq?k3qoD5pHK=)i>hZiWr*E$YncD0J#TV}ap9_8j)OtP#irzo+ z_cy>Cy1xY!o##QVZyD5nJ_lY3{w1jS{sn{u%~|6P$3f9=1%#yLi=g)TZ~po+lq6G` zyFopF$Y1{u6kl92>G)~{)VSA!h_ordJ>VnYi@~3PqQlv{-TKGDfa^Dc=YbywPXpCQ zAD!igXm`=xNh?3EDZhX^&-eRl?NJ}CfuXD~a33gHsDGBYcp9xq3us!a_Q7`T=S}=& zYu4u9559$_k9bu3_z3NEnm+HQ9kSny`9qJef!XE13q&(m&)U3q=msC1-%a)#@&Tf1 z%*SYNptWe9qUm#x_E!7N`Pi59{Q}zW(q857e;oX%|9%GeY8ppuKOgY84}7El{z;Er zFr|HlhUl4y_6Y4!+T%3IzCP#DUP9YTdmimf+Pi4_h(Gla|LCm6Z~91|>P+q 
zgtkEY1KMr0J88d3D`-VcKQ11GJnbS^hNb7MeaCT90-w?X@(0-sZqO1KjMt z3r1;&{q-bxH*LjVKL9?HCfS;&HE5Dc$&NmA4$OPND{0sJYk~CIW3;v|_FMM7= zlP-IZ_8T;P#%QuH%d`*Ew$egc`8kI#oBYKh_-5LSzkWUV5bgJAzvu6n&B03A%YsJO zSd5xMH_Y?pG;0RSal0Kvhr4kW1!1u>Fk?Y0OM6`&6pKNz7zKIQiGoCb(k!@X&qNTm zvnXt?@K&4``4DgP@+i~O*#j8V7Fi=Uk-D1YjH?1TTXZq=Rvm}7ObRG zzPk`7O;2umwbMq}4w`8vjFZhlCvC*YuV~!*8$$zw+C{AC zQ6E#!PkzW&R50B_8iezZy4qzmWftZ1n48=eC%watJeD7#!$sBS;++U*;(w&T5HPvF?Exa0MQKODerjYHxfJC&7F&byIj;@0|9 z$9k_5b>-@fr;kHeq!~J6ej`e7AxbOOI%6dW;T^=Y z9pv3KWm#5M#gEcml8~%3sI7vH9o`91I4hgXWD?G!_G$}+&10UT-^zzk((6RGV)}nHx{iEOF)Xa|L5t?W_*l@0vV!xKOy}x?x<1-S>`tXxgMAZYGeH(DL|KN?H@nlU5pfMG zpqV*lnJve*>2dyssC02w^u#U&DdLOWh{ep8tXl?LObxt zGkWdKg)HsV-mQ1AuiNK0*Ny3l8N96R{bs1zPC2)Y*hq+xZ<3^9R#&{82p4o9-n8De zfN(|4yR3!13kpV^ZjlFz5N1BYZ9t{K2u-H*qcWB?ils+nUsUH}S^Y7TmBG%j@8JsK zP=EPQ6m`pY(LZtv0=J@e$T8(T>)fCy{Az1MAlNH`Td#Y_o8^L~dP`%yj2Bbx&+M6j zA=|N3-C~*-Qq=aIV*vYACJBmgoS4 z3mYS-PJpnWx#UNdv?HGdQ620!67(%vH;Y-K<)o40_4CYe(jCP>c0jB7N`snrqlQz# zY-IN>6H`NGZ`CdF^;oY~DjZGfRCB(ztJv1@id2<`mI+w1 zlv<~JC21^XX_EGGr=xJ9WhByMy`h&w3@kgvv(2M0Yb>&ZdvK=;vrn##ylHQ;9JM5o z-V)WV6GN}*E`nmqYX;0(3iUf=m08$mV39Nr9Au6B>IJJQcOrI0pR$rfmv$gYas7*JX2n zOORzmH#Xc^h+AeVTCV#nQ}~rV=1w7@aFXJj}-0{v!%czmqM9(^=UcPei+R?19yAxp%LLnDD z=4N{Sb%;d+HSB^fyDl@0f5T9?n|M@1W@c=^9C>kHDvmOx|A@a3CauWp=aJy32UVC_ zz2U;=CR)(FY6I;m!cNlVk!ldU)ABVuTjwz1_%#-}t#~_K<9GDEUo(?pz^%6$A#y$I zx8Xrl^Vn5b88vWAC&b^g(R#(nmWNRIE|B${=G<>7%SI11kITHG*OOvlm=L$icyc_Q zdula9)49arp0!@E4Ia!a=2M0_8D#L;s1+U724zm1r8G4?jha?*)B=UEhzk`)K` z&D9;W0Qst9m^Jh}Nu3dql|lV1+ANFF$lUH)hfT`PnUO|mJ30MMjH_fVFbY%q*N!Kq z=K2Hm5{Su8Lv%3uVWW)!eMVrDvCfxs^DXPzsL|b>a~7w5yMbC3dx}@98PtzUBCbLl z!7VeVh^gj}%{fOBN0vR8ad8lKyBG?&5l%CiIZH|c9;Qu(%cvY%h0?QLaKA@_r^8r@ z)35oVs2vrovrM$CR6U(igm-XlhK|15)Qfoi<R+h||9p&YpC*oj2>IPa9&qwHbNZ|y?Mn`_ru-mjKPuvZgkeAmS&H*+gF&a9F+ z-h0^GmwA8wI^b@a=aN-(fZa&&{h?Z7ti7q3?Y%PdVwWOG(H9K0^@d#!+-4Ff2UcKE zPMPN=FWHbs92aGqgKVL(ZTpsM>?;TRvsV*|wCIJ($fk#^Z)>@@WD;WYCL(6XK>2iJ zu_df9qc-K)Q(?Wx4ujhyrGMtad_sHW@&@nKhP5ikQ)X%oVUFiBX-dXpsrI!TZfYp; 
zBO;3Gy&}hOJ1@nj(K4Bcp~3Fj^@+O|qN88HsnSGhzk0cnc@hvLpv0QmP-&gYxG#%} zUY3{xF4t)_xYs8+E*=DyV`AT)yYb+hIl#_xDKzBJ#sGEKUU8yjC;adecGStAs9!xL zb&`Gkup)NfM?09{Ee-mS2jPRt#TTLN)-B7{{APN|3dBhx?h^G>BL*8K3+4NpjQSxJ zrN07y;6$Lk@b;=i_-3nTQRFuDN?s)l6z>MoYpAp#JBTxRl}XmPm;ogojvuVwmXV9} z5>TBVOpBb_%z|k*!|q+ZEZ!VQR1VJWDVeM$rN$ZiX_BDT3UHg`Ee-E!4&TaJIQN~w z%-Hzev707?TPJ7d_DoL=%|_icD~9*yt++XSW3QDDA4qowd7d}X??~e=Ig)0rp_%Ce!{c&@8Fd&Z4HLF)%hnykTXqa@-4<-!zH`g=E4T2W>6l?Z= zzpLmpy!EPJ>(-rDUE})gBeEX0oJTr5&2|!Yc9ni3nR0uG83}_|LVxZI&#w$0v3GVk z(0Z;P+K1ToFr~u>qOik0*;TJac!Tj?EQ;>V(b47Q<&i=%5HCcBM^Hke2$Tqvk9J43 z|IgC7&24*UEC^1{K#G zJg|FsN57w@CWkaUnKXz=lGe^(2U+N$nRbt~((rEFkbGy5bnRt+-L`8f4Cu*q8w>MDt{r;y@J&&o5Kr{+RJm&8s*$UQC;{Q=^c319i(vpIvS!!}1B{D{ZQ^Y8L01dH zqDK(Oyvp9-baB`^$bPSz5_WciR8C1p?kgT#+LNjrTGP2##ANtFSVA3+{i@z%UqrHE zA6VR`;HU?Q-Gfl^cS=Qw+*O*eEai2G?Gs8bQJ1Z+KDzqJ)Ew+^sge-8)@uZFi&326 zFpvsBOq99^Y)YWTX81y%`ul?mKwUUf zKy$4!=u-k~?$XYyU(DjP)}1UB`n(WmzhRu41JESQh8d8&uB$ezKAHv_(@vb{?3v{3 z0({9K`qN`37hX4F-gnC&b&;=riJ+4+M%ii?c{^@#DrSl?(222i99Ex@Q7sEn49T=u z#QqVg3b$0-vO*W#vxTV;W!VWy{E0o1a@+_OCNIWZu!#cM)h7}*ZR6UJV2oNG+g*K( z9phUUG2N^=z(Y_mf}xZyUGpAFw7;fb%S`<}LZx-)BV`tL!y`J!bY5YN&(%9FfIYJY zhg_!>fon+u`DBi?sw_~mixCFP-)Mp~D4j3MF%nCAuO@->ZU#t8T2@`|G>EfVFF^_;T7Uy~k_f$I`bhE9%c zvPxc}^mDaQ0!G#Gq!#SS$Eiwsjv*le1Jw-LfXdjI&Sz-g!mfRj8B_9r6}c>`w=Dyj z+{`!yiAi=9zN%A!MkhX@^mFuf%&oRS$ogcdEUmG|mF;o{AFGf@Eee6iB7P0l#a~kE zsK4)eANL^>4J@zLd6HT}5TeQ_=GQDv zTRD4f9RZu|>z@-s&?1fHd=g(YwE21YLaUF8LN-lWoptHaV5CF^j3&-U1M0!&Y`Zq{ zlzcK&taupD$>p)rz?K%BjV48!mnPP3gTpHaWa84ft4Qp$UVjQz8Lh~;2R3q1AkdMA zWUGuM_E?##G=^E(-3e;t%Aw}GIyqj4{*R(Lj&dC^L0I?$ZY` z84z)EOD{|?($?YhHOQ12q#ZkKCj0%rQ!lavn$|D2a_@&lfWRbBav- zj-Wr2BczQ>y<-Fy4d}GKQ-^znA}W16U$WfTj6>x2*F5;VbVUyz9Yw5qsGY--h)emw z>}rXx3t@Yapu#F&EASG@icWG|#cI~!qmyTGbXL^DxAg4jwotQQto&1G}E z=tkrMK2tox(ZdC+4^a%I&gd12?=}+D{E)aqZlS}3*2IwEs1G>Mvt-tj?$~E&hOJCb zoGh(A$PYv0L->@o_rG0jbT*3FNtxF;1_`UjbN0tmqAJlU8SawKqIuP6zX}o1(9?!* zbnCB<{JvBaJfLc*ei=jJu?nbIBu4=ED4*SDA}_yGAXMOl+@4SR(aTJftv=xb8ZV)4 
zkO3RSq;<UV!S?E&z=2Ba4y_8BClH3dpJ~t!PjuNq?0$XWW?-Q051Wn9RMvxi zTdqcCV!Y#{2PG_I(8^HBUr|}0@2p5%*YQWBgr#)qUdvRE=z-mzz%?BS=5WKJE@#+L zh`suWHSPixR0g)5DlV!uD+BHa+pIR|BU;~W#c~)18|IcOkCQn1O>a(5H2!)K z^MKk|f9!*mZ}|V2pw9&`{d!v%u&Qn*yEx26>A67!>$42{D++hN%n#SBbSyBWLyP(S8UP>Q?k9aCk(TFPn5 ziBde6AaK@egf5eZD*?hZlX9>ImkgfGz?9LgKV{;gN){>nS`)+MCy3UjZ4}1rWfV|( z+BE{_sxsSRGQOJ%&X&8dN;$vvc0SIY37)$mmE8FryVs8Z`A!LW^$AYHk~1ou6;g4P zWv=`m-cW=l9pp!*&!u`u{B1QL?`@3F?4G zmp{mn+x&pviQ|272MnYl^@LBC*#lCUS`HkGIJUD^Hy}29z!-{2c%`lnRD-rzNxW)~ zleDvP-98*Llhxr^yIn?I+5(4Dk0LhM z#xK{LEp`He6|JHcxsm-E`gEZ3=AaxhoGqD4mImq$>gNmR1NmKCQRSF@mjy;Ni(Ao5}egMKTn9$0xq(Z z>i(3T;{KOQfjsO@Hl3`b*+(3Rwd43)Lcz)%=OX3Gug#-mDYjvAF26LewRjsW>IGMm zw_Gz4Oo@F5>o%37AzW5#l#wRld`d6(dAuCqWTvkK^#3w_{pEq_D|L=6R9Vu{2P_Aj zAmQi?%0d~HIyUsaV;QIQ-5+@PHfUxvO8M zgD>|x7g*J3TvYy#T$zTW#~S|yD{B0H_=<~k@>w<9JxIWBUn@T1yy{|&&M8fpbwhlj eqxNe7goxh?Xx;J>WYMLI`s\n" +"Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/" +"pt/)\n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Definir a verbosidade dos registos de depuração" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Incluir data e hora nos registos de depuração" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "Gravar as mensagens de depuração em ficheiros de registo" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "Comando 
para iniciar serviço"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Número de vezes para tentar ligação aos Fornecedores de Dados"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Serviços SSSD a iniciar"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Domínios SSSD a iniciar"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Limite de tempo para mensagens enviadas sobre SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Expressão regular para obter nome do utilizar e domínio"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Formato compatível com o printf para apresentar nomes completos"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Validade da cache de enumeração (segundos)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "Validade da actualização da cache em segundo plano (segundos)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Validade da cache negativa (segundos)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Utilizadores que o SSSD devem explicitamente ignorar"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Grupos que o SSSD devem explicitamente ignorar"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Devem os utilizadores filtrados aparecer em grupos"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "O valor do campo da senha que o fornecedor NSS deve retornar"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Durante quanto tempo devem ser permitidas as caches de sessões entre sessões "
+"online (dias)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+"Quantas tentativas falhadas de inicio de sessão são permitidas quando offline"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Quanto tempo (minutos) para negar a sessão após "
+"offline_failed_login_attempts ter sido atingido"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr "Fornecedor de identidade"
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr "Fornecedor de autenticação"
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr "Fornecedor de controle de acesso"
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr "Fornecedor de Alteração de Senha"
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "ID de utilizador mínimo"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "ID de utilizador máximo"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Permitir enumeração de todos os utilizadores/grupos"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Efectuar cache de credenciais para sessões em modo desligado"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Guardar hashes da senha"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Apresentar utilizadores/grupos na forma completa"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Validade da cache (segundos)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Restringir ou preferir famílias de endereços especificas quando efectua "
+"consultas DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr "" +"Durante quanto tempo devem ser permitidas as caches de sessões entre sessões " +"bem sucedidas (dias)" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How 
often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "Domínio IPA" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "Endereço do servidor IPA" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "Nome da máquina do cliente IPA" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter 
to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Endereço do servidor Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Reino Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Tempo de expiração da autenticação" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "Directório para armazenar as caches de credenciais" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Localização da cache de credenciais dos utilizadores" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Localização da tabela de chaves (keytab) para validar credenciais" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Activar validação de credenciais" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" +"Servidor onde está em execução o serviço de alteração de senha, se não " +"coincide com o KDC" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, O URI do servidor LDAP" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "A base DN por omissão" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "O tipo de Schema em utilização no servidor LDAP, rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "O DN por omissão para a ligação" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "O tipo de token de autenticação do bind DN por omissão" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "O token de autenticação do bind DN por omissão" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Período de tempo para tentar ligação" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Tempo de espera para tentar operações LDAP síncronas" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "Tempo de espera entre tentativas para re-conectar quando desligado" + +#: 
src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "Ficheiro que contêm os certificados CA" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "Caminho para o directório do certificado CA" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "Obriga a verificação de certificados TLS" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "Especificar mecanismo sasl a utilizar" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "Especifique o id sasl para utilizar na autorização" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "Separador chave do serviço Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Utilizar autenticação Kerberos para ligações LDAP" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "Seguir os referrals LDAP" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 
+msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "Tempo de espera por um pedido de pesquisa" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "Período de tempo entre enumeração de actualizações" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "Requer TLS para consultas de ID" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "DN base para pesquisa de utilizadores" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" 
+msgstr "Âmbito das pesquisas do utilizador" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "Filtro para as pesquisas do utilizador" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "Objectclass para utilizadores" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "Atributo do nome do utilizador" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "Atributo UID" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "Atributo GID primário" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "Atributo GECOS" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "Atributo da pasta pessoal" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "Atributo da Shell" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "Atributo principal do utilizador (para Kerberos)" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "Nome Completo" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "Atributo memberOf" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "Atributo da alteração da data" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for 
services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "Politica para avaliar a expiração da senha" + +#: 
src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "Lista de utilizadores autorizados separados por vírgulas" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "Lista de utilizadores não autorizados separados por vírgulas" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "Shell pré-definida, 
/bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "Directório base para as pastas pessoais" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "O nome da biblioteca NSS a utilizar" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "Stack PAM a utilizar" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "Tornar-se num serviço (omissão)" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "Executar interactivamente (não como serviço)" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "Especificar um ficheiro de configuração não standard" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "Nível de depuração" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "Adicionar tempos na depuração" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: 
src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "Um descritor de ficheiro aberto para os registos de depuração" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." +msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "Domínio do fornecedor de informação (obrigatório)" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." 
+msgstr ""
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr ""
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Mensagem do Servidor: "
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Senhas não coincidem"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr ""
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", a sua senha guardada em cache irá expirar em: "
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr ""
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "O sistema está offline, a mudança de senha não é possível"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Alteração da senha falhou."
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nova Senha: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Digite a senha novamente: "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Senha: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr ""
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Senha actual: "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "A senha expirou. Altere a sua senha agora."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "O nível de depuração a utilizar durante a execução"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Erro ao definir a configuração regional\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "O UID do utilizador"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Texto do comentário"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Pasta pessoal"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Shell"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Grupos"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Criar pasta pessoal do utilizador, se ainda não existir"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Nunca criar pasta pessoal do utilizador. Sobrepõem-se à configuração"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Indique um directório skeleton alternativo"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "O utilizador SELinux para a sessão do utilizador"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Indique utilizador a adicionar\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Erro ao inicializar as ferramentas - não existe domínio local\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Erro ao inicializar as ferramentas\n"
+
+#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97
+#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123
+#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209
+#: src/tools/sss_usermod.c:173
+msgid "Invalid domain specified in FQDN\n"
+msgstr "Domínio inválido especificado no FQDN\n"
+
+#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144
+#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197
+#: src/tools/sss_usermod.c:226
+msgid "Internal error while parsing parameters\n"
+msgstr "Erro interno ao processar parâmetros\n"
+
+#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206
+#: src/tools/sss_usermod.c:235
+msgid "Groups must be in the same domain as user\n"
+msgstr "Os grupos têm de pertencer ao mesmo domínio que o utilizador\n"
+
+#: src/tools/sss_useradd.c:159
+#, c-format
+msgid "Cannot find group %1$s in local domain\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219
+msgid "Cannot set default values\n"
+msgstr "Incapaz de definir valores por omissão\n"
+
+#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187
+msgid "The selected UID is outside the allowed range\n"
+msgstr "O UID seleccionado está fora do intervalo permitido\n"
+
+#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305
+msgid "Cannot set SELinux login context\n"
+msgstr "Não foi possível definir o contexto SELinux para a sessão\n"
+
+#: src/tools/sss_useradd.c:224
+msgid "Cannot get info about the user\n"
+msgstr "Incapaz de obter informação acerca do utilizador\n"
+
+#: src/tools/sss_useradd.c:236
+msgid "User's home directory already exists, not copying data from skeldir\n"
+msgstr ""
+"A pasta pessoal do utilizador já existe. Conteúdo skeldir não copiado\n"
+
+#: src/tools/sss_useradd.c:239
+#, c-format
+msgid "Cannot create user's home directory: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:250
+#, c-format
+msgid "Cannot create user's mail spool: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_useradd.c:270
+msgid "Could not allocate ID for the user - domain full?\n"
+msgstr "Incapaz de alocar um ID para o utilizador - domínio cheio?\n"
+
+#: src/tools/sss_useradd.c:274
+msgid "A user or group with the same name or ID already exists\n"
+msgstr "Já existe um utilizador ou grupo com o mesmo nome ou ID\n"
+
+#: src/tools/sss_useradd.c:280
+msgid "Transaction error. Could not add user.\n"
+msgstr "Erro na transacção. Não foi possível adicionar o utilizador.\n"
+
+#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48
+msgid "The GID of the group"
+msgstr "O GID do grupo"
+
+#: src/tools/sss_groupadd.c:76
+msgid "Specify group to add\n"
+msgstr "Indique grupo a adicionar\n"
+
+#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198
+msgid "The selected GID is outside the allowed range\n"
+msgstr "O GID seleccionado está fora do intervalo permitido\n"
+
+#: src/tools/sss_groupadd.c:143
+msgid "Could not allocate ID for the group - domain full?\n"
+msgstr "Incapaz de alocar um ID para o grupo - domínio cheio?\n"
+
+#: src/tools/sss_groupadd.c:147
+msgid "A group with the same name or GID already exists\n"
+msgstr "Já existe um grupo com o mesmo nome ou GID\n"
+
+#: src/tools/sss_groupadd.c:153
+msgid "Transaction error. Could not add group.\n"
+msgstr "Erro de transacção. Não foi possível adicionar o grupo.\n"
+
+#: src/tools/sss_groupdel.c:70
+msgid "Specify group to delete\n"
+msgstr "Especifique grupo a remover\n"
+
+#: src/tools/sss_groupdel.c:104
+#, c-format
+msgid "Group %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225
+#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239
+#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282
+#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296
+#, c-format
+msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n"
+msgstr ""
+
+#: src/tools/sss_groupdel.c:132
+msgid ""
+"No such group in local domain. Removing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Grupo não existe no domínio local. Apenas é permitido remover grupos no "
+"domínio local.\n"
+
+#: src/tools/sss_groupdel.c:137
+msgid "Internal error. Could not remove group.\n"
+msgstr "Erro interno. Incapaz de remover grupo.\n"
+
+#: src/tools/sss_groupmod.c:44
+msgid "Groups to add this group to"
+msgstr "Grupos para adicionar este grupo"
+
+#: src/tools/sss_groupmod.c:46
+msgid "Groups to remove this group from"
+msgstr "Grupos para remover este projecto"
+
+#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100
+msgid "Specify group to remove from\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:101
+msgid "Specify group to modify\n"
+msgstr "Especifique grupo a modificar\n"
+
+#: src/tools/sss_groupmod.c:130
+msgid ""
+"Cannot find group in local domain, modifying groups is allowed only in local "
+"domain\n"
+msgstr ""
+"Grupo não foi encontrado no domínio local. Apenas é permitido modificar "
+"grupos no domínio local\n"
+
+#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182
+msgid "Member groups must be in the same domain as parent group\n"
+msgstr "Grupos membro têm de estar no mesmo domínio do grupo pai\n"
+
+#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243
+#, c-format
+msgid ""
+"Cannot find group %1$s in local domain, only groups in local domain are "
+"allowed\n"
+msgstr ""
+
+#: src/tools/sss_groupmod.c:257
+msgid "Could not modify group - check if member group names are correct\n"
+msgstr ""
+"Incapaz de modificar grupo - verifique que o nome do grupo membro está "
+"correcto\n"
+
+#: src/tools/sss_groupmod.c:261
+msgid "Could not modify group - check if groupname is correct\n"
+msgstr ""
+"Incapaz de modificar grupo - verifique que o nome do grupo está correcto\n"
+
+#: src/tools/sss_groupmod.c:265
+msgid "Transaction error. Could not modify group.\n"
+msgstr "Erro de transacção. Não foi possível modificar o grupo.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "\"Magic\" Privada"
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr ""
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Imprimir membros de grupos indirectos recursivamente"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Especifique grupo a apresentar\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Grupo não existe no domínio local. Grupos de impressão apenas permitidos no "
+"domínio local.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Erro interno. Incapaz de imprimir grupo.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Remover pasta pessoal e spool de correio"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Não remover pasta pessoal e spool de correio"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Forçar a remoção de ficheiros não pertencentes ao utilizador"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "Mate os processos do utilizador antes de o remover"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Especificar o utilizador a remover\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "Não foi possível redefinir o contexto SELinux para a sessão\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr ""
+"Não foi possível determinar se o utilizador estava autenticado nesta "
+"plataforma"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "Erro ao verificar se o utilizador estava autenticado\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "Pasta pessoal não removida - não pertence ao utilizador\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr ""
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"Utilizador não existe no domínio local. Apenas é permitido remover "
+"utilizadores no domínio local.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Erro interno. Incapaz de remover utilizador.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "O GID do utilizador"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Grupos para adicionar este utilizador"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Grupos para remover este utilizador"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Desactivar Conta"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Activar a Conta"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr ""
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Especifique utilizador a modificar\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Utilizador não foi encontrado no domínio local. Apenas é permitido modificar "
+"utilizadores no domínio local\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"Incapaz de modificar utilizador - verifique se o nome do grupo está "
+"correcto\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr "Incapaz de modificar utilizador - utilizador já é membro de grupos?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Erro na transacção. Não foi possível modificar o utilizador.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr ""
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr ""
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr ""
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr ""
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr ""
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr ""
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr ""
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr ""
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr ""
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr ""
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr ""
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr ""
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr ""
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr ""
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules"
+msgstr ""
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr ""
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr ""
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Memória esgotada\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/pt_BR.gmo b/po/pt_BR.gmo new file mode 100644 index 0000000000000000000000000000000000000000..98bf32e3e6393e5e23837fc0c5f6d4c6198215f5 GIT binary patch literal 1087 zcmZ`%U279T6kTooAint^f`V5NX(@z|^H6xCMRyeh6L$7x^yu8}I?RhjTcEci=5ZzX~4E?obtzHdc(xHcA|6=ytK+QjdGa4 z$%KbR(7UHncEO%CZ#eQ|D;5WAoiaM4z17C{>SmJ;n)~go-RGr!?i=ex%OxrnYkA^C z$AsjZi$%->PFGUpyes!OHdY=P=Q%DLo0Rr;JECD(dQ=tb(sM}jm1<2?YN9$%)rGLK zFjql9DE4`vitZELlBib1{1d9w!s^mUwlGd@Wzvyg;+C*2(*<&l3Ix;c-jF4(w`I s+{0X!, 2015. #zanata +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2015-10-27 08:15+0000\n" +"Last-Translator: Marco Aurélio Krause \n" +"Language-Team: Portuguese (Brazil)\n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Zanata 4.4.5\n" +"Plural-Forms: nplurals=2; plural=(n != 1)\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "Definir a verbosidade do log de depuração" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "Incluir timestamps em logs de depuração" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "Incluir microssegundos em timestamps em logs de depuração" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "Escrever mensagens de depuração para arquivos de log" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "Comando para iniciar o serviço" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "Serviços SSSD para iniciar" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." 
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. 
Change your password now." +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 
+msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" 
+msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid 
"Transaction error. Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while 
checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/quot.sed b/po/quot.sed
new file mode 100644
index 0000000..0122c46
--- /dev/null
+++ b/po/quot.sed
@@ -0,0 +1,6 @@
+s/"\([^"]*\)"/“\1”/g
+s/`\([^`']*\)'/‘\1’/g
+s/ '\([^`']*\)' / ‘\1’ /g
+s/ '\([^`']*\)'$/ ‘\1’/g
+s/^'\([^`']*\)' /‘\1’ /g
+s/“”/""/g
diff --git a/po/remove-potcdate.sin b/po/remove-potcdate.sin
new file mode 100644
index 0000000..2436c49
--- /dev/null
+++ b/po/remove-potcdate.sin
@@ -0,0 +1,19 @@
+# Sed script that remove the POT-Creation-Date line in the header entry
+# from a POT file.
+#
+# The distinction between the first and the following occurrences of the
+# pattern is achieved by looking at the hold space.
+/^"POT-Creation-Date: .*"$/{
+x
+# Test if the hold space is empty.
+s/P/P/
+ta
+# Yes it was empty. First occurrence. Remove the line.
+g
+d
+bb
+:a
+# The hold space was nonempty. Following occurrences. Do nothing.
+x
+:b
+}
diff --git a/po/ru.gmo b/po/ru.gmo new file mode 100644 index 0000000000000000000000000000000000000000..a340bac4be4a4c8aeeddcdb13ff7698aba6f9bec GIT binary patch literal 27809 zcmd6udyrh!edjM;)=9?T_-!YCaKV5jTl3HZBMSrwJwQe;Yb5MA!O+ulXQr*5?xAnD zq+xL)31lD=l6e_S46?v1NpPHzkkAupqpT~tPQ~u7Y&oG)WgL5J{fBo$Qnl;N*2dob ze1GTM+qWMx62eJk;ON`;_Idoy?|pvv_V?d$;bQ@Rr)eLcz3a_EaKQyZaM4A&8w78A zTM+yj_;&Ck;K#tZ;2^jV+zGxHJO#cB{2sUh{0aC`aNgV9_qT!X;kpLC58MrE-se1? z20zU8E8qt3XW)8p{X2r-67>Ur9sCw}1^5GS7Wn3Oy7~IS`CQ)&&I9iTuLl1ZTmt?W z`~)}~B6U9x&H;Z9WUAmlfo}o-1{8fi2G@bXyMy3z;8URbZw5aGJ`47N-vzba&q48T zE}PUo)_@-eE1<^z0VsZa2mB!Tf53k5y)f@G@FtM|gU|C1Qw2Lft@i}@E8w@lUj@Gl zBBJ0`Q1ksaa5ngMh<-nK4JbZ+8Vtb-DE>VHz7>2C3*%MA5kdWNX1jkK>^ByAxalPWkJffa33aVCq%iHK62kCnz~Q1!^CE0&3mA z2T{%7eIIi2o(*cft3dI08TbisgTLMbLR#=NsPV@^_5UHb8vF;3*TdvnxPA~6ov(mb zgBONQp4WmJw;q%}=D_R0XF<{PBT#brpB^uU8QRB{p!mHWL}h~8K)M7~Q0qJfN?-m1 zDE@vATnzp{Q2bboa?J%}P~)Ei`9Cm_gW~%a{QYl$kQDqSD1H53pys^D!3GU6Pwkz6&`EgHC%rk48b3O z;`0Rv^ExmDnL4-~WQyQEe?0|CAO0HT|KLI{E(ZHS(Y+Xi6~Q`C<2QrLz^DE9KLR!1 zPr)VNB{-K5%z=m^*a2#u=fNx9gr0*paQy>_zXQA!CT#$BfFAfa!27^F_zHLcTnrQc0(=d;6?_?|vL1XFgGRtn zkKX~AGPvsFLGYWp4~~I<3f=|IVbNXS^WY9}K2B^a_!4+K*pIT{I)c3*E+O~^DEWOG zd>H&WDEod0XQTbR3W}bq5#CyG5BM4I`=IpT>TBI~4Xkke9dH%6gfGRnJ)rphBQOT9 zK-l8TSHNEb8z8C~`~(z#-+^;@C%7GaANUw}5%^6|{5k=Of0x|gZ9WdE`cX5co-iI0^n8D1MEhJi7h~co`TicmC^s@Pk}G4l+e> z7>vOG4gM*38%j|IFTKh05Bwb0uY!`(bvHY@o&@jU`ZZ8;T({Ec=ML~gT)zNb0e%}~ zXz=&o6X3#6x^WFq`ZezsVkWp9l-&P2h^T^5n6Gu80VSsk5GJY-d=|VEdMJCsE$3!2bf?3HHz#(t^9e>%i}TbHR&$1D^z54YU-UxmRl)e1&?Llxq*bj>Squ^HXwmV#W`W~oxe++8<3lWa4 z*MpE4l)(>!e-6$EUjwy|4-Yw93Zl|M-s2yF;^RMnPw0N0To(K%Q2TmdI0&|ZXF#?P zERCFg?gzOQTr}eR*`1)i|Bqk+ylj-58r%)S`rrp3Uj>WC-1UBtDT4nCz6Z=PNb79{ zrT+&&R6Y0r7vBa8;QPS^o7_6_2GDowRY< zK7a2qkAk<-uBW|&_7v?w8YW}D4HdCJL~pV~Rn7OfyYAoX0PQFFdp932W#fHv?;CuO z4Bts(8)gqNxRrJpO@Cjd{R-`awBMzjqKOZfY4A1Le%ci6OSI(gCjVhKD4y%D-$C#s z_<;W`yZI#TS7}v$??WD+0ROH3Jm7H-`1`a!@YgHBBec6|2WX$6)o7D6$>dtv{j}`g z6|>I+~w)2K+MZS(^S{p#8dia{tKIF%k0#kNW#dz{r38 
zDEQm7muNZKbF>9C+=u=3@b3niZ2a@I57T~+roUqjf~Ua}?J(^k+AP{1(U#M`PSc-s zeTRK=`3mL}pz>yex_vqA?X+FG;7>Yw5A6|M@b{vFU^Dnlnrtcg`<>(i`0r?+qdiVL zNegMo-<^E8m{y=o(C($_?>OxbX?M{2X!p@Bp;c)5TSt2rZ656dv_-U|w2#xiKui9% z@!?IhOKCULewj8#`xq_x>*d2&Xm6ptnf9ABLPYRI+P|l5p{=5oX;;&RX$NViX&2J; zca4LNf1l^h4Ya#xMcN6P{vM+J8`@r7@b^C2AKNGXxnl0+aX4O!tKm=-R%)d%7l)N{ zx!M!V2`9_7N|?{($D-kIA{WP7%9Y`8OQBc{qpcH#N)+a*i^5<@I9e&!CitQ{7FNfi zFwTufVM+g#E8$HmmxZ}vCCUv?GO7?);~qxT;;5o;XBydUU_KwkahNZcs+DpvoT!vH z7lxxsuw-~R9FB%+qhYl$9>vw%_(U8mfzEg$$B3{{@++~VEiLL|w-s$Wnkdpwd$TPR zSYj+!$>pn>yA+luqEa|gC`K$2=PQMYD)Wrcv|G1su{_F(HExuug?z4BD3>ziwcZzv z(*Wtcb&r}L~>i1;ST>sBrt&PC%aF>5#)$<>P0 z*}+nYDa==*VNsAP#x`wvWTaRqMIq!BO7tm}%2jq!8ut8vF~xE|R}6>Cm3 zE{seTN~5j=tcwv}vAhNDluN})u`)ZNr)5&xMO%;TocjLUryPx{EH_dPb3?Gpn5_xY zC1bw#`wutginR#UT3Q|-&xLU`f%vM>Ttwr-@<_S|qhQ)zDAZVCsGxzFj&Q454$-Pg zm63;Bo{YQ^DD+!S{Zcod?qiB34R?)6*^M{335^`dR2F|=0na2exFRxxH5g||c%SXIU^%1=x> zk7)iN?#oPQI->qfBXnJ3I>k0pdyD(sj%7(wjLF_RYq?@!q=3?)KjXo&vhA~ifp3ml zUBG0RLm9DDdA4$yeVW-y!R3l%ES2$A=M&BvXH1TbOwLZaLun3=2_$~7%6?JhL}76< z6Xg>8?F*Kdazi-2%$_i{0u$olk}soDZ9Kx>C&J9(Maq)3<)* zHM-gyIZ`Q)XU1kb*l_#)=4=q03|cQUd%qd37R$(W)_9==Gve9OaKhmvw+Vk?ZbSm{ zA@TMRtSB13-M+dV4o2e>)i@l3F+&mI9%rPyhvodNG8&VdPl#-wI#;)-Kfy5#v@vlx zH;EEw2XBg^i6oiAvJ}oeMa3L3Dy~^>gGcbxc9~*J4o9dMBS)n1;!n72&7fSDNRG?J z&C+aGzgdyCX-+96mcEhm6iU7LV7!7i9O4GqU93P_aJ$BDOoon2jwI+!*d&Laqy@IN z=W4KW9cBP+xaP5PT$O*Zdrs}_qa#ip2!i8ar6nxY$!5B=a#+Sik_2&&7fiV*Sr|5>?Za4nREt&G5gAGMib=Z=Ex+l6#9&? 
zIXSCfWhq~*4M*X4Ax{Kw&Pg*j^Gsc3a=>K33?0zI5=3G7h;qxATnXt)EWs&l8IS0I zPg+^ZcI*qA>BB^&0DsN+`ey3q?dhC5%I0iBQ-UNI#1m28g(r5p;#14k^aPoRm@AGq zFWW?$cGG>brf^dHP9dDNrHaUK zX|Ab+=VhXb(+o|66$<2nP{%4Vb*Jfa?_S&5Ny&7ICrkOUO1V_7#m=vDU{E+Lm%2@z zTCwufTqQro4(=p*tp=+KBav;B?QXbfgPFSVDocfuO|SfN>W-yiqmRqkSk3Zn-6dkO zt4ugIccy-uEJz>%;xn|E%QS-uR_8{sy>&=MA)Cvsh4I?B1rV~{V09*yY@Q`$B%MJA z1($CymFx*t6OUVF(&-~PJ{c#FgAZ+MqER+ZMs$`yzb4v}%?j6$x!2&a3sn%6J-zg4 zQyiDDJo`R&XPm^dwfF7`&NAD2#qZZYo5i~J#lmzleSHp;Rna5Ad~$BI)P?g;l0j%D zHc_+G-`i9y-RV?!-CdTe=HQS!WXHkUq0i%Z^MosRxHP(gwYX8Ha>1l0SWDoka45IL z6~F6FW-d}mANUG}XWV_}(2WMyqUH?Fo7>ITGk)EY)jF(6pUcwGAUPxGP+uC2d`#;L zJHANk3F!z|=NQKMx}jDPNlPK6@|M1I5>6n=FitNnhbL&|$GEMkLb)wNYzC!ZU71vi z{H`2E+O6fquqs{0s4%M!(AV)CLEFkIsco1R6Np@#^SbViSUR=jYeW~0MUxs{s*dz3 zzh^!r_U^=Bu7=>MQ;PJr{a|9}1dVonc{q&m7aYHpE^Wc{jhc>C;<3Vn$~w5e@j@KS z0m7i#5Zik_Bi55pDK?Z^O?f>LVXL^LXz31$qRY-iKEE)VIoqLWJ?>W3s|~9LvnhLs z=BC~!$aYf7#pymN&#cE+R|uhhdu$$XO6pk?C)l4r|~;D`7u&MI3=C!*Yj zJct$KGkCUHR!{J?o!Nn<m%K}Uutt4vo=KQ1YD#ktW474A#B6OP4PwC~Rro*2d#p z3~#6mQrWx9j2qvWxU6JPX~*$Mf-1!0?LAD~?Sv*b+v!a1r({}vBb7bYJVwqn*m@U1 zC1pezLJ{}GDasvpM8EvG%SnR4+E9#h=kOKkI5m0xL1568WY9vt_ME0W^eQWzoG9aE zaAUy+I4Ym$_0Z(kep9=*dxM}&1Bl&sr2d=gu8=G^d z)3k0L!EDkwFfjyIfTHj;jLq8|c-?U&Kk^<}he-DJqMDTitNOcY(Ed9=g)0-c-pfqu zPxLrN3&e>5+fj*qOq$Cf!K_T$6i&6-j$hAI%(;nNY(2~+jZhHBd2!|mSFTIyVVoP; zz16A0;Ypk?eq9bN$)mNUq~dDP8waH#Npk4ijJZX_bIfD67u^+?-J#1JkFjP^FnLB(oMgK*Q;mZlH%30 z0=5o(J6tJG;DD3E76Xh_mvQ;UQ|CZ|l8U!>C#I%u+gC~}QMFbn1smL>4NE6{(23y` zN>44*Juex&apPdH0nWsVdU#(u2WOABs!f`fauz*nNA2Zo{jxRibL{J8tYZ1RI??9$3 zAJIY~=C`5}MHGL6Pgi(+;{95x0nSQgYjIE<&Q082s}$yhvZ9UaS0-wn@x6h|UDs06 zN%z1xM8}WbmBYQavKusKQMhi&(p#3?v^>0Z`TD_?YuEIwk0#2MYVYcJv@qOzV{J6< z-B4Z>#&JAMUVx9iLH;D}8;OR?m7MBR(Qse6GTO6l?S@`^{J^ZeoO;NV<_*kU*gLSW zckaA!?)*gq^FKDgA02zwN1F>;z1i>My#w=l=gkl24lEj2;QFniq}OY@OSmjo7KLkz z(Wbai2v?Eem%?kKtvsj5m2MbSEx(Vza9z(Td_|2Ut#?C|8($QzuMyekI%}+2omkZ0 zzh%poK5AK|m>R)Wjp)Y&#gMpvqF+1gFZv1kE4BXF>2!+-Dm|-Lu3p~c+T6Z@o~1lO 
zMRvW4fs4Xww6)q#?q4WfV^2PLvbK2Rh84XFoBgyj#p>SWr96l9(&(aaArH!W))i|M z*m_rx-NuW;(u7^ci|1bxx{r%zm9CgOuz2y@@X9MgeH^%S@!YxL_2EEBcdoBnJTLj` z+Qkd>(MAkhJ9i+w`))UcJ_EBEGnX;*W?$3unckal%v4y!+0W)k=W^kKz6E_(^|;5` zjUA0`^~3c8jeF{c8#}`KX)dSg2gAm8?wsb{HvT^vRe6fBitRHVY*tnnj>dX}Nm-+9M`|30^>NYEc^w124 z8}~IHYV24P)E{YVGcxGJS|Q&})sNSY)=!4@m+FV*4jzx||UJS0U!8W0tX?v8%CDoP(LL2&!H- zX^0oxI8;BSakl@dp#CV|ACPEZ(hl+J6x=w$4fVT^p}WKo-Gn9l3!4xEtc5qmqoYCn z;l_4#l8iN(#JG!2O+HSEpsw2d@YI6ia5>Y@(h`e`5I>$&jR zZT=u@ZgV`+c98*#n^xK!O!tftaIzQmv>l$~xa36zO(`jAcC?zMkl|OoE@Bb>YlH`P zrZA3|=?3%Z2MgRDF`fFsp#C_Qry;^7k?bK+2Ie~7=jUWcV)hAB#si38me!VTo@AO6 zsEBm#Xk*Xpp#Eg5IhsDPfLUFlNr$YzS1V7g3=K9xpty%A^64nDO^x|rV<(F-G^jr% zdhXF@$qSNESqbl$#$?o}agS|9%E8_tbhk~1Jv-i*dC!rG9%*VASLktSsG(7Fgntji zNsVCRD3Z;FVV%PY_=U4j+|?|+AkK&SuJf6h{j=@HEs3BLA0lDiD}ys7{G!wYyPDPo zbZ3%O6K+erD2@0xXhE#hefjwR6n(Iw;6B4Eq2;n?+(HPt zD5=(CV>+5@K7e%X{KEkKkGu>jHhX`UMHHQ-xL0D+oMS& zGG~li!>zbm7Uj%%Q7I{x6N=gzoq!-H?9lSKUZ41 zT0WlSd|1*(*Dr(w5|K2g*^5P^LKwgfHoG@u*C))T(eeyGq-*=(f$W$7CV90)vT0mO zV=tav(O;Px!(p*0WS7KE5&19?M;YBw`G-v6NT&EKK1|*Ry>Cs9EH`+%et>Tkhwc+y zMopK{n0@=H{$w^1Hxm*qa*FjK+GnfvlZ{<$!{V`W61h`x$BvKiLkp9Rim5oS#!kM* zJ(y?PozAO7?6`$5M;)n~n`tUN^AfjPNb(LLnb4$Sp4MgCO4y{ON~PsfU9Ks|WEUb{LXJGlm}6#!!riGjLbR`TE%@6p48b6X*v?P5bhU|xj$$t8lP;dtm&dKtU-#FNKV0L zofshv`(zIJfSs_oEr)(%lM%`!W0n;m91fD)JWB|~naZ?si;YY};nO;nvTxgsW z3u1b$C9TmF$|>bi9NK32w4977Dqimm&Y%!3m#2-fC&hf6U`sxkoRYkXvF6vU?+NoK z8iJ9?fSqGBt=I;AM-j0ill<{6o~UXZM_dJ3PFSYG>B(fjiCMnNPWZS`w!58`PnZpy zw0AW)W3iH0p}ZdDhFG7k%UCSc?{I5)M%$l^z{E#C=~qIqLO#oOW+!|6NuA-R#2{Jc z-k|;^QO^Yx3l5%VUa;5t&YZ~93L3jwE?kNv7mVfW(5izc@d=HU43knq%W1yZ~M3k)o=#;JVQzoxE zze%9NTtIh8!1dO>Vj3;9;e-}3a3!Tj-T6Z0s}trA30$3-1=#kQ<0!;RyLYpks*Gyy; z{%j$KZl`A--()4GyK+3NWGMvf-AfVJeyPy?wM>7|v3c)TIFs6U+k$uAsSdiHiYLh_ z9@PvjM7~4>M$MW`$Q=EdT&J^ikm^7RybL|W(t9lsJPFgRNT^&$nwBOlK16mY5Skse zh79btHU21Pu$Y+PnU+O-wu%m1iU=yNcok1J=Ym#-MlW^vOV^j!to)fjyUGf6NWjdRS|X-N$ra3< zJ8S2*rIOA`o|a=}7;+Z>yDAG`+n!P(1oUGMavw)nNhyUEWW4Ncisz|I^df98^!xA^ 
zu(Ly^-PD7X0B!S}b)8k+P4+)ixmDtIi!{Te#ro9z#Wl&-O?S#Mk?pIFYk|YuhUbk* z&$foDKo;C%0eGNA%xGIT7Stc37dtfKej3{Jos_G?^=G^|3rMU^6Q!$U0F6CC{aH4pm3Ae%CU-%~ z;kX95J{|N223ZlAB>#$Hb2Lpy3n$R&Y>^lJ(+F4Nwqu-peK!8t_sNW!fQ1vs-7#Os zZ2Ra9>5i3F%|?>WV5Rr$UUn_@l=&G8^u6ROHz%<*lS$HphtJZbFI2_R zPpuj)35qi>>Rxb3Qa~`O?UiVe zVQPcwxbr?dkQw_pm0CLcd>XmHZyB^wwpJ&$H*+$6!g-Nae~>&Z4sNk`se8$X?V*DF zMzcZ(j*rFrJxFCte1K=Zn*<(m&7JZSeNx3dD9%S&TRqD)9kLTxZB|}-`I4D zKPt88klS*UgW0BT?re9=pKQ*a^PO9Mm!=L*W3@|n$Wor~qo4Uvk%k^N)kPjek}^MI z@3edMlPdPowT(gbV-~jg!c2~@eTIk^b8ot*3NMe9u-#bV3{H;-XRJkhO{UjAz35EN z{WFYqNkPZ44&8(9$5B^Vwx0Q<38--_GouxO((FeipeJwy?g3NxK-v2Cy`HxzQFTus zeas|Q9n%XxZdaX8wOfulomF0I{0Zf`(I^RXxK!q#y}NYV97LzCccZv#R~c<5m)oDQdJogiX-iSl zpkANSK9tD$Q@Bf=WD^QidZO$qBiIC6Y33~A>6Cv&!srgiB9*WK?N2P=$3sfkTpnq9 zZmIN1=y*~yv2^nxI!UrvkU7lg@({dqC0!G(xj^gKdengDrqazKd-iuAsSEB#zF2If zbNLrHtFeM3mXboU(&VfM*|Gz1t0gbdNl;8^dGM-?*71I(l7~`Pz5A1_i~-x5DslkR zKS5}|?N)VmrN4@9*hVY2g0s%Dav1^i3=tsO_VRNU<}j8J04TgCYZs zn&SD!4mzP8rgWSR70BduWdASfDMxZX=Wg?itsY8oRgT{0rq}lxt@GP1NLId-$+DFr zki=;(*n;X`FxQx*Av3Y5z4&+L1>P%7eiEdT@z-FIo+xf(MgJa)5n-vCg=z0ql|54R6;JYbyqpk zw{n;`J9DaBWDaN355@*>HL9nVz3M12O4~p0Hoq#Vtu%!j%EaYoO?D_NpI$ z1$95%`lGlQhJF(UCrz^1BaO^qp` z-K3Cd)i_@a6k%>huu=(VVmiio@wc5u-pQW!rt8SYn)L|R@e#XofQ6Oz*k;^0k^|#@R!vOFC7MofUXoKN z?0%D}Np_C3oGI{AY(y$)iMQj1y&r4eH)(K+V5fz)@I+ZZeOW_%uz~!@4Guip;yTi> zNa|z@9-yoDVXZ|z2oqVEBHx!#u5IkwJ>b(uX=xhZYC_E$Dql8tW~Z0TBNnmD^dM_; zt|ZR5bT86C=lPPv$5_<5G?bd`Gu11d-XAsU{KG}_gY3tiypp2YR%Bs5BNWd%=s{nc z|AY#kyvn|uiDn}U_Onx-0aKMSt5f>^h;ac$(<5Izl?=~4yG{mBT98JEj5WecK~RiD zxqafpV` zJL9melDBZQNRqqh*N7dIDah|MF&jPhlf{ls8OG?9DrIUj9?&|8?W#O- z<&O1d=ipf;=*rFKq)jNlvud`fXHXW*k`&PnFRq?0b4GQQ7s{lResnMIDcYoOL;1Ne zjx+~#LCw5}e`na<#D;Bh&CQI`zqP839Z~A!oUC(S{zzo5nL!q||COAN_Ok^sNLpa7 z1>=T5mvtsDcy|_cd81xo+?RCCw|726fU~y$E?f=t%g>f%)ox6q7KDA|cN$Si>I!SD z*y2>tIH$)HYZPXZVx>|FmslKb{yJ1Y5$o>%^k&CbP4-Gg^>&I0K1oeX*~A)c zZGZUJZQUE)Z%?PEOVPuLO0JmH(Z5s*0i-9remN*dq);v~`7}W0z9 
zBi^0LL<{jQd|1ZkBt?DIOiL-?y-1ZTilM~wI52gAv^LqxyaM#%>jF1F&lz8t3gjngiEn9&%LEAatxBQMO?$JS7z*=x3FEliLYqCunZ~S;1yrWbXd9%s%31x}ANDF;>Kq#PNG^It zZj4H2%o?83M3vKzntC1F{HOt33M}KRW070$^0n}uHiBtmmu(2X4B2&R!2)?l-AZO z-l@?tfj<`|??ij<>5T%bB*8&R1OX&JmorU%h8xXSJ`=}co&)Q(s)CL}$5>2GO1n}m z!nqsgOhhNQ^=hyEu)6itO}!3igI+fOaNK3jeO6wRYj>HcXxpvT@;tUG~>@sy~@d@+U0bG4u%XDm@nKZw_4V-=E8R&04>YaH3>vd&08Tt7= zA2bVWQFzI#C7aNzY$B>Nn@C;-NYpDyX4;;-O7mMuM|oR+4Kmf+Nr;mhXJ{7`lf^hZ zyDVV3cNiVDEqn4)p_U}P%Fa4|=jx0OA~Nxi&vsJqhf!BEy-N)P=+o&IPq`J()0@C@tJo^~?&^g-7 zxUJBY nBbMU, 2012 +# Oleksii Levan , 2016. #zanata +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2016-02-23 10:04+0000\n" +"Last-Translator: Oleksii Levan \n" +"Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/" +"ru/)\n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 
1 : 2);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Установить подробность журнала отладки"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Добавить отметки времени в журнал отладки"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr "Указывать микросекунды в отметках времени в журнале отладки"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Записывать отладочные сообщения в файлы журнала"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Команда для запуска службы"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Количество попыток подключения к поставщикам данных"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr "Количество файловых дескрипторов, которые может открыть этот процесс"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "Время простоя до автоматического отсоединения клиента"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Запускаемые службы SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Запускаемые домены SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Тайм-аут для сообщений, отправленных через SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Регулярное выражение для разбора имени пользователя и домена"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Printf-совместимый формат для отображения полностью определённых имён"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Каталог файловой системы, в котором SSSD должен сохранять файлы кеша повтора "
+"Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "Домен для имён без указанного компонента домена"
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr "Пользователь, чьи привилегии будут использоваться"
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+"Все пробелы в именах пользователей и групп будут заменены этим символом"
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Длина тайм-аута кэша перечисления (в секундах)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "Тайм-аут фонового обновления элемента списка кэша (в секундах)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Отрицательная длина тайм-аута кэша (в секундах)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Пользователи, которых SSSD должен явно игнорировать "
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Группы, которые SSSD должен явно игнорировать "
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Должны ли отфильтрованные пользователи появляться в группах"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "Значение поля пароля, которое должен вернуть поставщик NSS"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+"Переопределять значение домашнего каталога от поставщика учётных данных этим "
+"значением"
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Заменять пустое значение домашнего каталога от поставщика учётных данных "
+"этим значением"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+"Переопределять значение командной оболочки от поставщика учётных данных этим "
+"значением"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+"Список командных оболочек, с которыми пользователям разрешён вход в систему"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+"Список командных оболочек, которые будут ветированы и заменены запасной "
+"оболочкой"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Если командная оболочка из центрального каталога разрешена, но не доступна, "
+"использовать эту как запасную"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+"Оболочка, которая будет использоваться, если поставщиком оболочка не указана"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Насколько долго записи кеша в памяти будут оставаться действительными"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Разрешённый интервал кэшированных входов между интерактивными входами (в "
+"днях)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Разрешённое количество неудачных попыток неинтерактивного входа"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Временной интервал (в минутах), в течение которого будет запрещён вход после "
+"достижения offline_failed_login_attempts"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets 
would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "Поставщик данных для идентификации" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "Поставщик данных для проверки подлинности" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "Поставщик данных для контроля доступа" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "Поставщик операции смены пароля" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "Минимальный ID пользователя"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "Максимальный ID пользователя"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr "Включить перечисление всех пользователей/групп"
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr "Кэшировать учётные данные для неинтерактивного входа"
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "Хранить хеши паролей"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr "Отображать пользователей/группы в полной форме"
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr "Тайм-аут элемента списка кэша (в секундах)"
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+"Ограничивать или предпочитать определённое семейство адресов при выполнении "
+"запросов DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+"Как долго хранить кэшированные элементы списка после последнего успешного "
+"входа (в днях)"
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr "Время ожидания ответа DNS при преобразовании имён серверов (секунд)"
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr "Доменная часть DNS-запроса поиска служб"
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr "Интерфейс, адрес которого будет использован для обновления DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "IPA-домен"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "адрес сервера IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr "имя узла клиента IPA"
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr "Если требуется автоматическое обновление записи в"
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid 
"Active Directory backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr "Фильтр LDAP для определения прав доступа"
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Имя сервера Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr "Область действия Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr "Тайм-аут проверки подлинности"
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr "Каталог для хранения кэшей учётных данных"
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr "Расположения кэша учётных данных пользователей"
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr "Расположение keytab-файла для проверки учётных данных"
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr "Включить проверку учётных данных"
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr ""
+"При отсутствии соединения сохранить пароль и пройти аутентификацию позже"
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time 
between two checks for renewal"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr "Сервер, на котором запущена служба смены пароля (если не на KDC)"
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, URI сервера LDAP "
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "Base DN по умолчанию"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "Тип схемы, используемой на LDAP-сервере, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "Bind DN по умолчанию"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr "Тип маркера проверки подлинности для bind DN по умолчанию"
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr "Маркер проверки подлинности для bind DN по умолчанию"
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "Временной интервал для попытки соединения"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt 
synchronous LDAP operations"
+msgstr "Временной интервал для попытки синхронизации операций LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr ""
+"Временной интервал между попытками возобновления соединения в автономного "
+"режиме"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "Файл содержащий сертификаты CA"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "Путь к каталогу с сертификатами CA"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Требуется проверка сертификата TLS"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Укажите механизм sasl"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Укажите идентификатор авторизации sasl"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Keytab-файл службы Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Использовать проверку подлинности Kerberos для LDAP-соединения"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Следовать ссылкам LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "Время жизни TGT для LDAP-соединений"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Временной интервал, в течение которого ожидать поискового запроса"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Временной интервал между обновлениями перечисления"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "Требовать TLS для 
запросов ID"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "Base DN для поиска"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Глубина поиска"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Фильтр поиска"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Objectclass для пользователей"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Атрибут «username»"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "Атрибут «UID»"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Атрибут «primary GID»"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "Атрибут «GECOS»"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Атрибут домашнего каталога"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Атрибут оболочки"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Атрибут участника-пользователя (для Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Полное имя"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "Атрибут memberOf"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Атрибут времени изменения"
+
+#: 
src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs from the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Политика вычисления окончания срока действия пароля"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this machine to filter sudo "
+"rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include 
rules that contains regular expression in host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Разделённый запятыми список разрешённых пользователей"
+
+#: 
src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Разделённый запятыми список запрещённых пользователей"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Оболочка по умолчанию, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Место для домашних каталогов"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "Имя используемой библиотеки NSS"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "Используемый стек PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Запускаться в качестве службы (по умолчанию)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Запускаться интерактивно (не службой)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr ""
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Указать файл конфигурации"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr ""
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Уровень отладки"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Добавить отладочные отметки времени"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr ""
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr "Открытый дескриптор файла для журналов отладки"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "Домен поставщика информации (обязательный)" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" +"Для привилегированного сокета установлен неверный владелец или права доступа." + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" +"Для общедоступного сокета установлен неверный владелец или права доступа." + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "Сообщение сервера:" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "Пароли не совпадают" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr ", срок действия вашего кэшированного пароль истечёт:" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "Система находится в автономном режиме, невозможно сменить пароль" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "Не удалось сменить пароль." 
+ +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "Новый пароль:" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "Введите новый пароль ещё раз:" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "Пароль:" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "Текущий пароль:" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "Срок действия пароля истёк. Необходимо сейчас изменить ваш пароль." + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "Уровень отладки для запуска" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: 
src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "UID пользователя" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "Строка комментария" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "Домашний каталог" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "Исходная оболочка" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Группы" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "Создать каталог пользователя, если он не существует" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "Укажите альтернативный скелетный каталог" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "Укажите добавляемого пользователя\n" + +#: 
src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "Ошибка инициализации инструментов - не найден локальный домен\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "Ошибка инициализации инструментов\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "В FQDN указан неверный домен\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "При разборе параметров возникла внутренняя ошибка\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "Группы должны быть в том же домене, что и пользователь\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Не удалось установить значения по умолчанию\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "Выбранный UID находится за пределами доступного диапазона\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" 
+ +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Не удалось получить информацию о пользователе\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"Домашний каталог пользователя уже существует, копирования данных из " +"скелетной директории выполнено не будет\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "Для пользователя не удалось выделить ID - домен заполнен?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "Пользователь или группа с таким именем или ID уже существует\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Ошибка в транзакции. Невозможно добавить пользователя.\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "GID группы" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "Укажите группу для добавления\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "Выбранный GID находится вне разрешённого диапазона\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "Не удалось выделить ID для группы - домен заполнен?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "Группа с таким же именем или GID уже существует\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "Ошибка в транзакции. 
Не удалось добавить группу.\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "Укажите группу для удаления\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"В локальном домене такой группы нет. Удаление групп разрешено только в " +"локальном домене.\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "Внутренняя ошибка. Не удалось удалить группу.\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "Группы, к которым добавить эту группу" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "Группы, из которых удалить эту группу" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "Укажите группу для изменения\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"Не удалось найти группу в локальном домене, изменение групп разрешено только " +"в локальном домене\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" +"Группы-участники должны быть в том же домене, что и родительская группа\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 
+#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"Не удалось изменить группу — проверьте правильность имён групп-участников\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "Не удалось изменить группу — проверьте правильность имени группы\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. Could not modify group.\n" +msgstr "Ошибка в транзакции. Не удалось изменить группу.\n" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Magic Private" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "Рекурсивно выводить непрямых участников группы" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "Укажите группу\n" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" +"В локальном домене нет такой группы. Печать групп разрешена только в " +"локальном домене.\n" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "Внутренняя ошибка. 
Невозможно напечатать группу.\n" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "Удалить домашний каталог и почтовую очередь" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "Не удалять домашний каталог и почтовую очередь" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "Принудительно удалять файлы, не принадлежащие пользователю" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "Укажите пользователя для удаления\n" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" +"Домашняя директория не удалена — пользователь не является её владельцем\n" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" +"В локальном домене нет такого пользователя. Удаление пользователей разрешено " +"только для локального домена.\n" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "Внутренняя ошибка. 
Не удалось удалить пользователя.\n" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "GID пользователя" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "Группы, к которым добавить этого пользователя" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "Группы, из которых удалить этого пользователя" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "Заблокировать учётную запись" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "Разблокировать учётную запись" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "Укажите пользователя для изменения\n" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" +"Не удалось найти пользователя в локальном домене, изменение пользователей " +"разрешено только в локальном домене\n" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "Не удалось изменить пользователя — проверьте правильность имён групп\n" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "Не удалось изменить пользователя — он уже является членом групп?\n" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. 
Could not modify user.\n" +msgstr "Ошибка в транзакции. Не удалось изменить пользователя.\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid "Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, 
c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "Недостаточно памяти\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "%1$s требует прав суперпользователя\n" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr "ID пользователя, под которым запускать сервер"
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr "ID группы, под которым запускать сервер"
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/sssd.pot b/po/sssd.pot
new file mode 100644
index 0000000..940968b
--- /dev/null
+++ b/po/sssd.pot
@@ -0,0 +1,2797 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR Red Hat, Inc. +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid "Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid 
"Users that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:109 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:110 +msgid "" +"Maximum number of rules that can be refreshed at once. If this is exceeded, " +"full refresh is performed." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets 
would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat 
usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid 
"Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The 
default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive 
attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to 
download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. 
Change your password now." +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 
+msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" 
+msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid 
"Transaction error. Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while 
checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" diff --git a/po/stamp-po b/po/stamp-po new file mode 100644 index 0000000..9788f70 --- /dev/null +++ b/po/stamp-po @@ -0,0 +1 @@ +timestamp 
diff --git a/po/sv.gmo b/po/sv.gmo new file mode 100644 index 0000000000000000000000000000000000000000..ee8d694527fa607fff3bb84a717cc93013ce4989 GIT binary patch literal 67517 zcmb`Q37lM2mH!Jt(ICjaFOMZ8fmA19H>@F@gpieV!m5T!S9N!#yQ|uI)d`Kb?}8hO zj-#S~2OM!5MMXzZMmF4q9Swf#pi*hmo~61rG)vcV?+{ z40tTKFL)lfKX@s4D0mI{c(4WT2R;*g0{AlU0Pt4u2=G0i;`=Ok2>2j)Ao$|`gjd^HTXVoIk?{wJs+FE3vj;>JRSTrcnbJOQ1Q+tvWvlG;5_g} z0q+Fm?_1!B;NItY_*22zxHp3d_!5Zki&;&gQ+cmnQoK)O`v8c_MV8B{xe5IhF_9;kj-TIueE zpz^yG)cX-|4)}NAZ17)#`yp@u_kL88>S+uADZO`r^T02Gs^>p~W$@@#ULTi&Dt`*< z`;DOZ%DX`Ejk`hB%a_5&fqwuaFszqH2b@@O!@c{Zr_xe`?P>p->p3qi&IW)PNI`XDH}{~WjpJa(WBn6W;$6RR25lYW#xdf~wD_f~SIS0oAYn6+8(14G4=WJ?0u8pDqPezb^)#2!0Gy zzJCuY+~H61bk74X#JwF9oqZ5geLn>55AOG5=WoY>N8&yeRQZ;JE5S|R$>5v7A@I|n z+N1mwPxpLK^tTWtFae(q9uD3Ls=Yr5icTH?j{|=T z?hPJPb$)adsQjD&s{PLd)&4`E`q9mx%6Ct|e+N~s-v`eJe+w$TMRe9B;HBV&;7#CJ z;O9a0^F3)iwaX!(!mR=?0ACEMe(nQdA*F+dz21gEx=88$!TtCVFYnc$=;o=Q(tS?A z*MrLU`@y;3cR=x-$JIUD!C->>R8Zww4K4$p39A0@3HTdO?Rwl+Z=ZFb=>K|9_4Bgu z{^OwP^*=$SR~q&HI}cR(R)8w+^T9>nM?kgL&q2}2USmE!od%wSdlRVgTn`=tz6wmh z_kyQ@Uj~)0KZEjL9(Q`#03M5b98~z5z)Qf}!~0)=s;_+;p3h@J`C9=h|JQ;ifZIUj z?{%Q~-+Ms$`$51zgDU5tP0#;@;5^*ppz`}#a9{8PpyJ&DE&#s)D!-4LaJudbI0T9w zZv_?ZW1#5p^PuSEK~VkS*WeSt$3NBS`Djq-UJULJj)7{&r-RD>4p8acAKZTh70;n9 z?>~#cSK?j+s-Hawo(vwAy88l9>1_l1z!!k}{sB;Y?pvVZKeX-nKNma@_ch@0U;|XR zR|NORLFM3r~z8{09g9mQ&c3BRd zin|FaAFl_MuaANUgI@wQPW&+7pF!3CA=|w?XM)P#)!-rEGeDL1)!<6-UqSJo!>{xF zo&oNMdkuIr_#{yIodQ+guLZ@I?hN>OP;~kbD1VQh@_0@JMJMNh%I6q(5cq6R^mYrV z@_YQu4(_Lc>%o5jSAqWpz68AJX~+)X=fEq$@(rHu3&2IV z?*dg{KL%CKKY_}}VNZ8F6;!)k2wFRX>Nl?d&j;TJt_FV%s$DL4hRdTZQ04nHxDfmu zcn&z{nV#;o;9}f2gNpA9AS|WyD{v`z&9hu?dlRVgeGgRlSp8#ir zKL(ZFe$NT{4%h(C<^3DM1pEegJorcOSn%lQdc5a?7vO#|cqVuscp~^0Q299FdEP#k zf^w&z=8+HV!8@6P~5*KY=u-n&7S@8_WC>*N`kD%IXAw(&E*Mf7v zSAp{X5m5fV3#z^kyV2?ITu}bjf&JiiQ1p5?I2ZgPcoFz}@D%WgH@UwmxD59l;0fR_ z!8&;0OTB;J0II(40u}EsgZqq^`S?8!s-ABHj{_e9ML&;uxzqi{;6=Ef18RiMh1f}+z~LHYkE zcpCUy@QL8bukv=j78KoG4;~1<3Vby9R#5HqPEh5!7d!y`5qK*22k<0t_NyH)1(jYi 
zxL*c70r&er#k&K16!fhgD#u~3@%T;)xExfxSA)lct>At&Xyp#>dqK6wgW>(3z(a5! z`dTmFd{E)f14TDa0rv!-4SstMEIFIt3cJqyTJXykASML&j)-k zeE$uoa+Utx!yf`3jq_Ac?=K1Op9~&`I|bD~H-aaF?*aS3uY;F>k9ob*;X3dv+^+=1 zSMCGV-h02n$Im%ng8MR1@wULl;7dUDyL&+8`zN62@Q>mB`EPW7Pys8ve?-|If>P0eCL%r-NsM{~X@`8ax*F!nb()t^<$9-2(Og)#3g7 zK(*`FK-JUFK=qTo{=w^WA*gWcLG|kvsQ&ck;Jy=7e!c^)1oyqo>*ETriu;A&82B@A z61?j6z|X*waQ_}$1RnENPj?-d;C>nit1i6(RQ;axk3QaQ1oi#-;B4@%pxX8G;055` zZ*%?7a&QCgSAy%n9|Sz(4yTXjfi!vP-JsfI)!RMZVNmJ42vqxi2%HE06jVJO@(!=3 zQ^7NFF9lT}Q{ZOs#_;{8pz3AMcRC+j2+BPH9tyq@yb63jcp|vpyFA^~zy$XeQ1$&> zQ0?+wQ0@E~Q00E~yFL9=LD5A8RDN#(6j3iSud-$w8R@I~N$;5)#h!4HS` zUkCef{}DU|yzo69?^ZCu{YFr9_Azh{_&ZQ^dhB~Wzh{GrzXt02i$JCO9`G9Q2Ve!f z=uW4rw}2<({#0=P6kLRR-}ia=3qi#<9NaGf55RpVsQ&UP@I3HA@IdhB_j|b(fRD$0 z0k{HO1s(*x3OpG6NAPjr-Jt5>)8O9VS3$Mw1EBJ8&ej6u1Gr2V4&x{vm%~2m5e;09*?G z09*~u{bwH!C&5A7{{&tN9`s@N_Z09<+;0KT0RICNUF`c2r}veh>Z1nE0;j7z|L*`5?g8*v@SuNjdFC`w?KTRk9M^+KfiDA(0pAYF|9znP z*N;GzXP-~FzY{^Fdm(rvcoldw*aj8umEhsvd&2wAfb#bcsQCBzq~md*_`~_2=y(_u zJ-iH5{I3TU?gQX);Fmzr(XYVMz+-p#cybwd0`8ZCqN_W>1pGFrdiZO=MW6EY20`_& zmx7|Z4}j~y`#{mb;rIABGzgx9`wmd?e-9KrJ^IsLuV;XZac>1hC%1zqgZG2`fP38Q z{cT@R*0 zY_J8+1OEI+Vv33w{*D?riDb3xVD>p{`?*Fe$hLI3LXvjUut zy9%mYuMF?s4l3XGf})3Cf(yY}Uvzpr7gV}efR6_!!CByQK&AUqungWF@GGGD&mLd$ z_BbctCE)(NzY<&y)&q_RZwIf& z{dw?maL!kppFIPV`$16oJnP@R9@l~=;;sdJF?a^?PY!BfDkpxXBqP;~gwfDeF5_s^jC z%JKJm`WJx-?iYavfp>uFcOL~6{s-XU;9lSK{2T)wfqN}@5jX;>+;@QT_hC@szXFO* z{utbIzvbm$2g?7`z~jN2z_Y=3gUa7S;Dz9<2OKX2mEKE0(Z_Az0pNSVL%<#2QQ$Yg zCxHJAs{D`sw)clJcp&ZysCI0F3ir=oANa-K{tI{{?t>q6`d86#QiP{*Cbd_n`Xg{@?fbjsg|``Jn1$E2whZ9KPQTs@=a0 zo(TR1JQ_Uo2VSqIgL1C})qlr8<@09nIPm@8Qt;ow_2A(@^zU`>7~D64`+;|WCx9OU zmCiRoh5u{7;~w&Mz7RZ#_g8^R_ZgtVy&k+6{1~YA+~Y@HKL>-eanA--|EoZ?;|;<6 zT5tvK`#{y_{y+Bgj|Z3GUIzAqH-aw#zXYlr*Zjogo_B)k-@gY%2Xp_^)87InxFS!MnrvUx6ym0YCNh&H|O68$i*`r@+g>KY|K(+0Q(^=Y#4O9{|O#eh!`w zp73*T$7{hl?iYc|*Ka`Od;Tw+UY-t~h5HSl-hTyDJSY9q`QBCFLfkikec;`o()($^ z6MyCLUIQxsw}5lO4}2Dk>i2~5EI!N-Gt0+)l2{V(Sa>%e_+zZ?|3yb)A?`7o&Rd;`1$ 
zJm9~b?ym-wujhfv=bfPF>zm-o;9o$6pZz=c-w(=v0~B4o0Tlgy5L7L~?$?3J z=RM#m@MoaXIp>ewf3|{Z&*y>b!1sZNf_whS>-|V@E$(%o+VNKKGVpVt>h+la_4umb zb8x=~TnrxZXV1q*a0%{L1pG317Vd-p;^WsUQ1$a7Q19Oft^~giD&6v5ef+-x9Kih< zQ2p?j(jKL2!9h^{`BR|M`A_gdaQ+^9n7=Xb0^E0kO6S+0;y>h3dsulkgQ}mKK()vF zK-KS;z;nRI?74@@r5A$7;(iHu40s240C+FBC-@EUDDVML{{8^&4<5eP9!59wz~gam z028nc9tqwO-0uMo!ToQb;{6e*c>e&3UjGap4({{lJ&d271RjL@Y*6j8D!8u$55s*E zsC?W8sy%mv@Ares=Py8|H|sGTPXa338KAze1`h;B0zM5?JTC)PU$+PM=fNXze?PeY z460lQ@9pmwfCuAV393Gx0?q@QU;@4ld=&U$a1Zc#`Y-%JDy3z()xNJQyqEuv;{F-W zE&Touo>O=pAN;7_zn0%icoyUNYv8AO{>-z5=MOyFc>ikfiJ z<7Xetu;@86~u{4MAAdEmc< zZ~qVc70)|)F5}ySeEXn0cK!V%xW54YdkFg%@B=(&gl|s)*Yo^3xW!j5Ax>CM=_et~ zkHOFJd?vW%^>F;W9Q-8j{sP_xZsA?=?@KuTErfYrA?&Y$rYxsRVzdsj#{{z3< z{Jx84pb$=JGF7YFyn`1@K2Bc6I~ z_$~N6&sXsGxbSY2-x@C-1V_O;!AdC4-}5{E{TIK#kK@PT1?=4ZP7Ce`kL5?o^H#ne zUkI=7rxWjRc=u}Dm*W0C_*n4Yz&g(fA?^3$ZyWAgyW)5v?x*p5kLRa6$K(G!p#F{k zPX`|heu(EPe$N6Wcee0%I=@H35uPvc`{}&@E+~1Z4PFT9?^XPcf3M;96pnZEAcB`( z%hN~rKHhKU`7rJ)z~Ay5$a4VCeBPZ0J_CFgkNyrL%nop0b1^3H{S`cS2loZw2|NsU zr5Et%Z%-bRvA~b%MffX+@2|v-I8i#9XC=R%9KJsfe17orc+$OyXFKj^hIdzkujKh_ zaED-~FaCLO97h=aJ*VJj9lu}iuS*HPH{<6#o`2@uS9rGadq1Af^817k?(G5phj;xv zd*OZ(coP2f_d1?AJeLH2FW~nkp0jzb;rR~l&kcTYmVP9ExPJqj3BD+V)3*b7_TqUj z&v$sv;QPtp`yjt3coyP5nQtHBc@*yFf)DUic>iKB{=EhF(?i(Byu2L0`kU)e`VYSC z!Mpu&-^K4$;rlaj5ApjcA#Cto+LL#O^6sSY{=$Hl;^ApLpN<~EJ9++rXN)la6y9$R zIG1bGi|6lO@E6>M*|3#$tIG%lY{+D-Gnos}lm%-1ed^;%o)|Z2E{{r_nd2R^)*YGa> z9mS7(_;xQip>RC+3Hkd3_=E8KRk;7#-qK#Y(>|9M;XWpO*QaxNzOFFfY2d|r$=`2z zp32iE%p9Hxy$pZv2M_1@DbFE%+Xq|$p3S4b#l-Uwo;vQYf;)KT@%yvj*ZE%KIR*Ct z!T+(m*WWjJ7V>T_&l7n57x$%n+s^MZ!H?j+mfyv{i-O~J@Y(oDz{9|Q5AXNqxBhPA znG=573;ugK?%xH+kHDeu{lnlp!~3iF{X~9Gfk%?|1K@jkF5}VPQr>M1zem6md5+`# z^Lf^Xyr$qYcz-|do(r~k;@=+pK8o+h2EXHc_zcgzyg!HMd%@%Re1A9Y_uxK+=d9rW z9)5p|_nUbBjwk-@$BzX($M9Ui^IaY~@~qj5PD)p%NhKMtjc=*7lIGCj#NV#*7sIXQ z|#RbEu>#Yl6! 
zmQ?Gl+F-lcn#%k&nn|s(Eh(Fybfh*mW}nPCnUbSI6y|PJ#%ms0c~8bC({{3@mb4}t zNhM8M&1QR6Nnd84c2c@RnZWbuCy^<=T(Po0X-ul5ygltCa;CSTsES@Coy~un8kH?$ zwWQrlTD3|w*;W~wtR>gXu0Gk5o}WxLCtF_nYBEtt)9uYxHQ8Pt8%t`}O;F0D(k7}U ziPaw;+9OGOq?V-QK2Z^pW-C!{Dq~7uics~mO)i%tWBi~Uc++lGh^F1DZ<%b@Qe~#v z+};>#lA+32voV}UYc)fYw5Et)yfQIS=j%|bIi6&7X5m-WT9mz+(uDQKV11%8W|>I| zl}^+K>qGTHGFCN0u>4k=tFTwQp z)WCS9H5KxoRdX^#nO63fLnTfR*E>W0HeE~uR%sn*F}B+Rr=5vPz15d&gak-nyh7)p z*WpK*KHt3bSNF&pvQKQWup0Va|(wuCQyQ)Q{{_Bm+$I9SSCyi`LdvLVYE-itS(}@bLC4b(^ zR84`NjM~-pY7=Al6ZspJQ!;YYstl4hMbq4#4Axq05m%*MBk8nOT`)l9w+Ab9n#v^E zZjfrFU2it1g|Y3GsWf@&WR2FTkPDT{_)JPir}k?8Ef%=H(yk=y107LcjilCUk<;ej z;AE>+tIkj8KJcxiT1y98^$Ddyd<}7pq2^?xN|IE>M6Hnw)#>xm8&QZBl)5(x^+)ur z!IAnlrLF2z0M!o_I6Lj@gAp!??ate(mC4$L1`mXjLhe}uB@@lD`e2t8PZeF*gc=EZm${Fa)vczb+N5p+g?aG^V6yg)mpX2 zpfOEV8X1Nt;V{iDTVeX8C3!nXTCrBGCWEw+D4;S%Msr_kCuoUJbplM{fw7_6L(V`t z1F8o>?DF0m62FUl1~=UgJ~uQ8ZINsE%1AO%Yt@@o^X*?#(Pz)kkc>JV41$phj+>0u zpwrmw9>p|2&ID%mWi_0CzL-9e^shAnr16{Mg$Tuj8InsyKi)lieQDI%Gk+9`KuE^d zyQ54es|?%pMQX8i|=T>V&mC3R8ywXxh4#lRo z!ZwG7#_A2_2-*pLyp|ynV-UpDu62B|0oT8&)jPh8RTxYsCltn*s(-ACrLAlXHP_cC zA_MUKt_9Dw|D-E=6zE8iX>g;?%wGSfy=8Ordzg(6ktE zgI)!d!$R8{8DbJcu#doX6{oz8H3#WUKAvS+*@eIPBrp~RxoMF&(-DKNAqjZyE=jToisz=(gz`MlBo7 zsMIt~t9?jSLySR7o8#jZMu`aqVTFqlWo#;|=ox*%Do5&D>Izu!sJu55WD>YyNS_#7 zh^rw|*GNhX8!@HbLMA74kR9It&aE`7e4`y}`V*X{K7e-iA(%{Bav|KsbGo#P?ENO- zkJYx-#!CG@7>WVWb&!`v+R0qPBaMvL+Y69JSqt!fvY}}S)nAYT!vroyWmD++ z$$~BQ#sVbmkt~h8g#$};mc{om+Uk)`SwiTdES%8uKqA7}lT9Qp+ZQ3zaq>a8(9-%QS`Ok&RFp0oZYJFweT(ZS9 zO4Au;+%>2*^N0+EPy!2);5WonC;K9H92(muU}0LT?}Lm!$hA_Nc*|>Y$a@C*DQBz; z;vmYz16g#coOdsi1p1psvxR}IK-lUAx!_Uiw|Tm8U$UfeQIkwDv?n*d!Ae=Y`IhOs?=3Q6OCA>J#f6j3g<{ z+Bm;5Wb?nQ&s0NAO_f5JLVE>{L7@0C8)-BtLVQ<$PeVOMKlBqKb@h$vVthhVtae}@ z&ZdIjYBG%m{CgTaq{;Fn0~<336;W%UIDjE$3Y6Sy_DZwMW`oJ!Sp9ly1R~Hx!P%IY zj%terEC{Bm_OV)Hm>Klk6rs6MP3Lt43lo}Np7PPxQ<&MSO^oY}y5?H->(wDe!EHoW zSnjf&e5C=IK?g2rv=;rV$rTa0nu*CRRJGJtkISm+bYtH;+4hUqomVZtp6;)!m}1Gj8U1GDV}3Gx}{5sdY05v>-3^# 
z2pY43N@f>6X;1UP5Lz3Co{_3|L1&bc#<5Y#W!w}NU@Bu+jq)&28Q+Y=s%Yg=W2U+? zB;s@1<@FZxw&f^9_%gS9G@i$BT=XGl)AUTni%k>Jk}_d=v&HPz7^w6RLxBfK5>P9k z2Ai_%DDBd6=>yhEhqz+d(scucDZS}wvkCqR(`@^sER{mdG&(93q`+jaiuy3|p+x0! zhBB+X@E@mjr_0lO}XspNf)kCg>+HiW;2p7nlfuP zzR2vbKHOlWjFHAcL9g{H)Z`NQPpTbCG^H~om6?7qN(SrrI@0WC}43s*Zh03}F zO%}@mFyVT8DjV1E&ucYl&|qsWt9L%6(U}*}3O2wNpDutx=st$FSbd*$7)p|(yj6SHKFU?~R1*~7PRQi#MCXMg~QKn=N8%PU28TPHa zgcvQ8%2<25@`lDBQ^CL@t7v2Abp#%*)h1$QX${H2q4cJ1NheLmPnCz7=@A7&7CeiI z2f1v(<|G&d-e7$g(v{jj=zC2_aDNDsSxXRLdqpEV4J>I;`LIO~$sNd#s^+vgX4+bh zkm6*6YZgt^W7ivHdLr^sU~fzhQIDsE+GA*#qJGg%hm6I3>5D!ta8<}u%O?Dxr_qKK zKyqJbaErzX#A}G^ixgsd;Gj~mA_Ri6Qd_|B%60Ye$#GLYs>Gt!T6=ILsZO$}gIuI# zsH&;fTQ#OBX*&-a3a>EMh!tBnL0&ZeG1`DDZZ<8jamvuBbrG&QnFjV`yTtMkaj`tz zQD+^sD2xVzQ-f&=6QW6{XVBUtj1qYxPb^xrnJ$VpL4`(+VSb}#Y|`~mf%r7R*WapH z{n!eHX?f`hlr)#WriaZYNv?BI_X`^0P*hKe)LmgL84m^;p`bgQDI-H-%f$ZEe}Dw39&T$Yfi~m2pmzDZ5IjA5b`GsTX|` z1CO=Jpz2EM&1?aXA{dwAyD#7%|3p29Dads9d)9uHDB%;A8qlkQ1tZtc1%eD+A#pP}VNt;@(>@SEqyX}#7mcDGItI6X0 zI}>SC=gTkaUz_`=Hzp?A^I12jX{{(sGLjlIcv@l3Y$=Bw3$aRTmd8N-vl7!6)0Dc6 zz64QSVnhvh%5`@7AcnwF8Y-x1p8{VG!a#Sx@U_h=VhD0gJp4sZ!x1Yd=A;2>1$kPo8h|(Ra%**4CF!hH3cjz zCa6c6GFq8^{p74trWz9)m~K0feMa~k8_#{4Q(S|j^0&%0loZFEEO01|gn@QtOKFu% zUaaEhhzMoeK}LgkWSu~LYotD2GPy3u)ixZ`7j1E@;wB;VtZmGEhZz=EyCOt#xerJ# zm}Wu}!6lrTLBmp0}9-O<&G>_;G07k_`u0aF>D*11zz+ z46@MHpe=>7u?QcQnT+`QvOvBh7KWKz09N+VwjhwqW~*311&M|%n6?Z7c4tA?4h-b=A{nI61X*}3 zscHVC?m}|jG1Z>~gP=eK1B=yN-a{#JFFyMz;ZN(BvPv10^#Lz5%Qd-;-^dpU3$G|K z)fxqZsWlbE4D500+ccn*)`Zzg1LVzSxgPY5R+%L zgi;WJhD-&NdowdXRf-!ixFQTWuPD>gmznMk*20ZrHTUme~>P=XngVFGb~UP#1NP`r6%8hpvq_IL0b6 z7fb@_t)SqFUy!kknoKR=oTRi?dg?A4m29qrl?Pv2Ou0?%L(AfSdvW!0Z8In}fmcp3>Gr3L0c3h1ZPVXy6p3 zNX3_=C|PUXrwdFn_v}+J8KRm`IzSeW&A3Fd(*+K_?eDaETxV8xh&U`+TklIGcz zabr{zXfCnN&CyEhOeGpXRxs_!VCv2n6zKUxDb%v-AuF0x#u-S^>8y+LpRB3O8aP?8 zeqGsDMT1x+RRz}3rFCxJBVuY#no65o51^Zs}nuj*C3Uy(hc;p{CObs4U)UGFbO zVHnAc|LLK45!j{9VZ~l=q>w?4C!*oG>E zEF^RLWnFTy#sMU|W@CemtHHV@EZe3JD=t%pnDVCfH;Rz~Q7X;9QEVC;+O@xZE(e?w z?OraYQAs@5}u% 
z(?W%b2Ei7UAwLt3CNXVlK|i@i5pqZvn<}?PF~Nb?vh;5zolDNS@;38ORKjXuN^H*g z$of@F2TokHNL)}x#!A)W%%mEPnlj)i>>W@K#IBs>zrtI@B)qvQIg15F13_KoE6$YZ z}J zW>IUu(8kpR#l9F;FCG#xO1REoF1X1mix1d8KF@ z9)+LM0GSUOmYvTEr9aOtp$gMGD{6nfq0TCxWN$Mann);QQHme*^T;6PC5$q*-dhM6 zRK4UZuPA0b=ybD9h5798LXXM>4)+mk(?c3zD9~QYFgo;k2-{_;3X<}~&DpVoYBwhm z%NxT>h+2EiEQ_XPv3!b~b+q;jzVm1^x+wT$Qq#L`HubNIs~@e>z##INnyKJ7Ee*J4 z)W#l>VSgUPn#RmqH8x++i<<n(qISi%mVbb59<)IOJ&IJM2y!;rM9uBdWO z0OunvW9%}kBNWlei?1JI8^s!x_+#2;^;>qCGPxg{f~tIV0gf--mnC4!4L;;6iYVzs z$%l?%dzGNkK!LIu6iqS)DZr}!r53H`+s=if8n*MbQ2>k}Mi?1F=wNKggDvG6uIzQI z=_|p-Pd;X2mO&wG{WoV9j9e%iGta7pisftfH-sk3A=YttK)q}eAofbeBBeGAK{RIj z2&=FynBG3-SE^#~;$gQol^~1xOm8cdgQ_BGM@(y>9mA^2f(?#^(>uodEzMN2SH=dl zRdtN5Oz>9oh6oA!GPUsTM{kAzS;0yJ<_?ra3oGeZtGP1Ix3n~BcsJW{`Z27WJ}la% z>|}&RKh#4(0g1QmL4W1jVHnIXWY(a-z-Gb_brI#Wpzdo=u{+E{sw+o>YTs`ZMhy{B z4Zfr3Jx@bWd1n0WpXt2%9_*@Mif9k~m8p1apRWtW#Z~#zfRAeE^i&5Pm2w+~;c1=E zyrb@-Q#8tPjB+8y%y~kD_<$}|T@B=QT6Rs8#%~vtU>-CmsdVHwbZiF5mm?p6Gtj7ma&$-&7$JdmK&tG@u zQMH=UU3b@#1q9i?NCRtt@$4*sJcQh%dVru{Nf#T#?M9$y}ovT@J&0kd1xOjQ({wwkz7M{Tw*P4 zgiJL13`2?KqWh(iuy@wgJfoS_zt2kx922Co{5l?}zr9 z#SpekZiL}$&>&cpDheav{G>HBc-rX;&$gI0Zd`3+`oshi4SH8wgl|@HMdQC~m7c7?L(#KRZrZRqS<22y7#%Yjmyf7VjVkB_2+KAYg{|0Ta0^~EjtF8*j8-bX zpv<%BWKtPs!3+h0^0}lxB=9gIbRpRGgBPPJ97fS2bJS(9mS*PQMjVBFcFExq?6lpy zcl17)Q|`^kIG98*X8G1q+qNw8T*c9=SY#!dyY|xP*pQbN_^wbK0@+)b< z2cNM|kVZ?>jAYOUnBc`G@!FLKg<#Q0k)tIrb5MGhTPReg;KLXu8L$+L>W33fU9{UL+QiRc#ETvX3xp zR}j3xy)Yv;VL@NI8AH3t<|bMC*+wJzh&DnS`5jHfW3reM`Qc8eyWl2lF>u8wX<5Fb z|J)y41rz;HAKIHhUBa4>upf2+Y3juAIs#5qrtBP}ltWEKDdKoaQB^ZqA8T%zlI4w+ zg>p8d(Bw>@IMTxxsjW(P1zAvyys_KJu3)UbrKNcZ0ce_OUb5OR(g5-+^#zS7kxMpm zxK89eSN8eXNR0W_b*R*3S&yQyughQD z2SF8ty|Fe((qym>G>SGv=AAkl_r02TyUCn8X?tjWaI>n=vN2KdRRNKB$Yz-H#*@D) zTiD})m^aJ)YxW*e1|W28FVP#tpluAnTiRxhWLux(B-&S7;z<#ry=>l@t0iK`h&;kO z1q5Qzy0)Ggm24wnsIWUMc1GJ8=9$gBOCH#@cg;s5Js10c6d=1ABE*ZNf2AVC*;N^x zoYp+3#%5%+(MPp~G|xOVSZflcm0h2$#}Ns?|BvnNohpoZ8A)OKs?8r{Ui~?19%gwu zE&}SDYPfie*RNjp?QoVTHXUKQyUD5L8!TU!&{| 
zEMEf`ZyG3Vq>aIoYL0RqC$%`BZK9;tYPXXc<)1Sk`b1RZ{;` zL2T7T(SvS)48}eDHgK6JX?pmLlPp9P*3vo^|Mpe2FM1on`juH4>KNMxp^YlGonDHN zsON*%7l=DdN*H#Vv^Bf;#wr}WrB0GhMK*0%=>td5fENUHkzR2w=@XESk+>9tH;THh z-3r*1jqIR6S>H;Xq5jcG-L zUPOJx#3iUG&kk#W;*(y_(N>0i57T^zHge;#q6gbt?K5xJXmx)iq&kJPh;UVR?SSksmwBaquy7j(w5NlI5_rVxFja*Brvf(O7qWvSWl?;+)p3p^|$x zIm$#Gf6+w{)I8%6BShRXgrX@jGDOV|>*aiPSMre$wqcn8odMXcfK%ewfE? zh0IbcZhFxyj0l|-#uM|RNW!WvZIXq9U5>*h0xu5D$}nMD$k2!dPS{5n2(i;>cvG$s zwzLX1aGNBnX9q1RdM}$6+B8#DoA44T1s2}MD;$6z*+v9$aEsG=e&}G9b$sdF<~2(; zF1=*s+7+8OY+Ai+^UAfGmtL}Dr5~#1bQD$pig#BbbZWx%P-KE-%4%`7yD~N`6NQoS zUIiZ11bx?-)L*gnVX^e%}QXisx{pl$2%*qHMP32YuAlIYXpO6$Hq<7XBA^Y zeZi(TZPclI#wsl)Bh;`zgkrY*NP{j}Bg(GS{Pd0M7Rq{!SC>yYI`?+D9~3-k&{?DO zwRgF?I^*2QT;)DC<2>_+%0%k9Tmzl0UYKbas~yrFvAAc4kJ&=8*{Ml&4XgCTGKOO3 zrCPi}w6;acAS6K6UHjgzSh8U)RI)hPs7h8H&7DN6fcfy)3w= zbm_55AG<Z5&J*-nR*Q~;nEeFThQ~2w7X=ukij@>W#kM?*Ctrx z6W7j2GC4%^%wS#tdm*&ZjEWOC26t!`h(&`W{!E?|8A@7)f|5Wwsk{)03pUov;tVQe zHRi7ZF^Z(c>umcUu@>wI+z`dK5L+9?{3HWQ23DIQqa&rDL@<4Y**@4@h?7kRBt+m~ zb%!Q2Ek|b_8)?{y%Ml@CTB!>8jH(K72apv@P8Vr7#EN|6nXoHF| zgglN`2W_d^I7RV$haHh1TqOhID=O z1mria0V0k0ckQeH*(6(dM%EV?-(B^cc!uIOT zQiif8-faG|as;ij%#Xv#)b68LJ|amrYSvg@p?xSF6sd2j;T0%i7~q#;d}AUG-7gNA zSC}np!PL~nYd8WYmr1@63s8;AcrEX*LHDlIWDA?+7#=%9zmWoj#4U72ebkCpET?UT z32}H6PiLN4_%5UBE3^$PSSV!7liX55?*UioXz#4%bYutZY`bp~K4FiBkgqK%G@`VQ zgsV3s#UTu$Vu#!Jl{%v^U4h4;o@imU_oT1XVIap@?mXw<(Uhg*fCMVzuHzrG;=5wg_X_x?CBmsB-v|hi;9h|;Y`|!uoJ-( ztBy&x6?gTR`b<&;188+DokCo)gO76Yf)A*uTT`0`*5<`6nG{=MxLOV6uisu>+C}^N zv_6o%RhEqtg$UGRI-|5sqDz^=NR2M^B$vfb#Jc%Th_$eOJ8LYwd zI&UBvU~T_E$>^rvPby1=rDGVsxcOlYf$(Oc93u zwvjIJuC!XhdhRiozVmlFfdj&8Zyp~W=RAAP_McUJ(8EQ`OYZ$9GTg9K4~K zDg>0Jd~GvZgvB%q?@a*Kv45Eoj@hVE63O)N&x}B#@?uLfWXgoCjtHDbdY37b)L$=0 zsW9#3%0@8k$m_s;i`u4%5(8*ytO!M&PFXtvOxmWk1zpka3$%0T-1n7RnciGo^h)wJMg^8sRZPY_^7HtzWmXyi{@-v{&v& zEL)tMws6ro<%Q>z7oCo8n~g_bsXtCz5wY|b&@WaSRkF+g0T?6f^^%0d0BMSz_wXy zR<2o=SKOk$g|k%Iu+g&gYm1XM3+M~56{|PSm4zK5d;9!N8<&^Q$^9v54oE34YYeg! 
ztzDt#a2oKe^<$iEH&$MbGJxr1W5S&2`KO)B5fu7z{@g}#{Q1eEdFRf$vb@6go2p8# z#yAeU-ZT2n=sS}OM@n|($d2c+Jx+T!Ido<`sbl|Vuh*D69d6lFm$y1SlVuf-G0`et zQg>BWgO0%_yzUD}2vjcI7Q%}Ds0%JefeJxslxlr!>yEqPl_R5-!i^)9#S8ltz=Yfj{L&3zWeqOazxt2+egYQv9a5hw}snBR0(O8imV}Z z1<5K1$x1!8StkTGmL+L=CZR*9`7h+1AH<*^-ip|#c2WK>JL+{>}!_GD6bkSvoC z963>K>xek)98{2m=?mVpP~kNUJFPT0MUmZ}be~GH<1WTKL?37|>#6#YjO@5=obQ?w zTXeLJqRt9{2n)q2B8wv3aa+4>1`I>39k;_4V;x&AY-Sym0m;bZw#h2yl&QWchM-U2 zRHIha;+UXVOb}@$DXp#6Q<{*YgvMwN=|~hTO9SH{E9OpWpt}NAYbuMK8_mjrL&=WY z+tg^vf5x=NxR66KzZHMl@u6it!S(bYD=cx#@_w^=X~GI9*mJC3p{4pmA>cU^5b#-%=T60|64IH5~;Rf>>&- zUDM$ym+m6bMMwPKXtBS&?){=1NF<{fqs!2XlpTg4kuZH+WKJIx@pDoqG`^8kA&@9v z!*66{-l|j=*!>Zs3{xpWkj&C}O@;K8meUEyHY7{k2sliOjl#$VEY*^6rY7QAIT0G2 ztLqG7@UTp!;@AVo0!1PUW2`s=Tib$FJK6^8C8O|;5tu`TIfjDlxGU-ck(R4%1RtxT zVoO*B@Vd)8a?D^9HQX}i#<`BqhVQ*!JeT{y{D5-Zr+ znnXNCI!1lj6(XJ!u^h`eJ+3l|b-oVSr5<&p;hJ)LEA#+UfrNrwyQ@&15hG3!-opx2 z?z#xYnq5Qz{fYf-n`-1SiX?0s3QJ}*h4mpakNnS+nMI6IdW`M_2_%3{TOq8)DcmSb zR|{@}s+1FF zIp#vWl%~YWY+U1w@sgc|@%vE=zf+g_67`O z7hWQb&m0L_r`p)epELe7&5M^Xmxt&_7mwA&89D739`F8Y4)#paeEa4w7v3G!v05&BCY;_sNTku!XqB@mNuy>fw6}3T!xewGut|)7dSX zCW48#RkjU7C>1(LF(J%}#U71&Vn{fzswvhn*?atR5u=6gO~mHejJH z7}uG#k-Kc>P?NmhNjy{_0s-7oBX=<9Ea$x05G|23z$X1h@gTi%@`t|K79S$mKHp@4`OwD>Jefri<`W zqbD=>RNw0zSIexD@s-^yqeweu3K?}3x(E55(ZAU4maUUjI!oS|9-x6yy$=(TDYS-$ z#N{$TX`nr2+?tWjL`=!(81%N9)oRv@T0KaPp$~00)hBsh6&L$rIatV92jp&*>C`$c zXrA8&vr0Q9%KLB6;2k|j0pe6bxq%ohBSF4Uo3-jR+AtI}Jtw=03fV$)NsH0uP=O3Q zO8WhbQFa!om_zl~Jc~|N4>vv|#W?RHPd3+-BxKY7$W*AkRh%d$>q2;?WL9WHWHn5= zhsWxO&2j42%V%Vv)?=afbqr2{t6Esz?`W2_-eGGX1S%qmLy^L!RZs?6;q%es)>C@n8c7#sC% zJ8q|wyFgOltMqrSk{Bkp%p>Odtln3f!aX^n(^v`KKx|B7_S`jxP`0x8kp#wym*vEC z3qwGVL#-eM@5ky;(;yzEfHeJicFlJ>EcT=Y?lkzgNj6TE=U-VNh zJam)_%QkxBWf`ARPnUJXabD(0UvVv$)oSiAdP3}V(mS(ulhI6}hN1?1nr7m&i=7X~J zmPyFo#Bz%s1Czee%EqWJ+@bMu0n+&y~A>VcTB+eQn;H3%?I~!*@lpUQ{9xS1%^3&T$)6DXCGmTx|K)sU7A|Oj@m}eL&DUV zxo=~b9U~GDP$yBlT*O0JZ5BdhQ0D~HOvhNWt`itFt}t(gNFIjQLY1b|Vuwd2+>{Iz zpfAYU1<`J_Jw@l>Zke5XfSbRX!0JcFuc=yLNRvZY9LNqCK 
zTw_`l6OJ;&&L&8OXnZFhozTtsxsZT5r^B0<#cC|4c;_Bw8z@~$LI172KxLT*V{ezt zMOJM{X$H=h49miC{ONc4;PP92!t^U&SCDM1eSuNu7X%eao;EF}WVvA-C8z(1U<>LM zGtyoaWpujuHhDlLgx~?qXu@e6q+<}%ZjCW?ByeOd8ID&|B3e<uuTiP=<6k%guCIiWF(Bt%D|g*oH}HT!~FZZmnV^c-}UQeFb{RTwt}!fuf4cr9rWbTk z0CmBTx;&a_V?i=m&0~OL+G{E%ELw^9Q86;Pvjrhf(W;X1I6R5#W|CP`3gy}B5Q zq$f;vq~u0sHvu9`r+bit-6PM!Pg#f(Iqbq?o{Q*FURI;*Tde45VR_PM#lWd@>#mk6V^8)!soUg zW;f1=Y13FUy`rSiS=nH>nXwLIYc{zFGnr{=sCH;+f_c@;_^_k>SnJfvE*u_{GxSu( zH(eB$!LJRtL9oqNIEzw8p}eu~LV4@jdaX4J@t2W0DYbIedWhdz0QQSf<+mOl`C2_6U zl+|0MzbS92p$%Y0S_~P5FcYn{M99#n6ZC!2Tynn#;|_z-yk}^V;U43Hg(t!Lo@wMf zp&;rDH5?z-iWrkAJ*oJ3K7^m%-PlLUUCcMVu2PR?M@@t^4sxyb<9JU z*94;P3d{6Cz1;d7^9Z~72s4S27JNNQ$euNQ&Bpc4xuN~^&Q!6*VqR=JBd*Zu&ZDxw zC$r9B%UW8I80iZb=>1c1FN2VmMtYZ;o@~jQIVrQ96Ay`+82Eh zRrD$<$G8k8jB=XZK_vMZKT1Z|6_K{FZ_Yu5N@3RQ_w&;=Nhg;o={h1h2JCj|7}9=` zXKhpp_YxUr!ijkw=kAjyzoRJRfRmHQZGvDqjA;jQw}y|~pLAmqWQ@2)X9+t5MJE=X z0}5zb-HId&o8Gx@ju&zjl7~8`Wi5*_TlA4hl; z`_8B2{lz5Gx3F97MCe)8e-dU3S3yT z1g!>eNr6`I#XLIJ1T@GqvD>CgvF)y zd_k8jJJZ zD*3HU;!dVq;aJIX=s6TWsAs}AF&EbRP2DLH>-^d&2hI4oC}DO-5gK?}STWz3zU4}# z?%47=E=EXSL%v9vXM}?G`dBDwug{j3ULUfI_WBr?mJ0cdnTeHB8|xLYP>}U4lzp;g z%tsZZX4qP6i(L=%wPH=g~D60Xiqy74(&hjaQ%kd_@K|aNtWHM`4 z8l53jF`3WRb!0w?32sziH#ljkWtqt5Alx3bP2AR-1Ye6Ayprz3&E(J=EY4)5tf_6% z*&&;2P_#x&vbAIrU08+sKgOrIU(cw5mc!+mD8$I}&#rh2spmuuC2DD$gX`|2$?b_(x%0@vt?zrgD#E+vsp$=bS-+% zzCaA7mC5Ro*0~*##15&3d^!@D9*UzayvA5Ekt(1g=z8o*!mPX4na!gVYNEr6sqQP; zoSn18vp`vL68_?(-d1#K*l^y?JG7Y1Hry`GgHu&2I>Sw@+R1_iq6`@*+MVj!C&`z- z;W6C%giy;=4Dp|)@ad-1PAE`K%i$>%>;yvt##xNtu|ym&Z?_IamB;E}hq4yWV_PfH ztE5(zt&n-7C^0326v-kEA$>B;Z>0C4+px^8h2k|qVs?9FtSC9dc(QFQLc(}ai<89x z2kK)TQ4CG8cI2YvmAVTmUxgR+7S?oaT)MSz+K(MGedCqm5uClUiF;FLD7EX>h&bv zA(gB*<8-5jpaW%{U-U^ko4zFV&VZ1%R&!JR$LvP38+Jf|W+bBuAsYqF?yN;bA{`5g z7z*2Bm9bhaP82SiQY@->sc&`4XjoQ_n$4Vpl_^ae z6>B99ItBQVDfy*pz+zeRUJfgYRNu8WP6o@+GYSps6P+t3$h*dokwb!YG<{|(Yz-rG zm->pMi2L;!H9dsZ#~aEse{VW3NK1t^=8V9U$#1S{&@`-|%z-DYGb3yak(pXphso5V zyJ3|)E$|}=6Xy_8-A{|qm|UUf7|-|qFoWk_v1A>#*T>zBJm3M5*gHqOPEZtb|X!* 
zH-5Z)iIFXvvS<)xJK|VLJ3`?}MkUsv*oK2t+$pW-YhwzJR;- z(|vr`_v2@kc0500l!=xNZCcMD<3-5z%SA%=RcBZ1x&Mx6IB|r|hloLk?l9`=@Rb|3 z{tc3pSok-H#*9>0|3p`0vQD6!&{@?CE{RploFz(dkOean>DPTXpWoC~MhMdCKy}x5 zbwN|Mw$DJMSR(D`BQK}h!CZRLOWeC-yEGng=(sF0JpxI5`Odkp(@YuhZ8Q?FWQM3Y zFyubBzsEgZf15~6%T}>XY^$>?!u~cu(e7hMBMU`r9Nh;Fi(7t7Cp zBJ(ZwnZ(2#E9}$E%phsQqNv)Jlvd}f5z-)KLQ@t5c`S=Zs&@wFO#V-j9naI=Io}+b zh2@&2K6n9B+?;wkBA3JN1LON$%zreNYg=E)E+xu-lVe3<+e~f9H)=%|EDbOs!xO?@ z!mxOu0wP6p8me^q%vT{afXhnF!-Px1${btBK`t#OTr(tK_KtZhVi~XjHWqcPaF`uq zcP@QxP@PUODFu`CQM*!%5j6T`6ws#olwHy~3|NLxaqW{mv5odnnR2lq zmTScrr_EwBAFj1J-7#11oRHbAFpL>wi`C#^ttn}2(PqfGesS15>q%O#fP{n9maFcO zhcn~jKEG`YUB@E|>}6#jM;Xh)W9(nJWm7{pLkMyuMduVM&3XpQ489(W$tx3~(gvMI z#O{bzFwV(qL`yD(xws8(s?#7HZ49dKbgngf;iDp|&h1mnT+@v5j<*)^0 znga4-TcX$QkPaPY*oMov9X+@#6=Nx=JG;F`+s(}IF`90oO|l7kX%$VhO}CL1tl{F? zA)O`v?zMx|g(wl#8JgevE)%$bEeyJOKsZv8j;6{lvQO$EPRjV=bwa7g1P8x{rD>I} zCQdAV>F45c-ij@2+x=u)P3bN9r!y<7H1QW-ZP_wgJDF=tmRM}NUUoNG$No<8Z}Lp8 zM9?{k)`vSLSWz`;UrZx8YAY_TOf0GJnVGF|2F5V9-#}!#jEo*bWmpYmdg4sfFO(u& zT9%1bK4%M2Eo)c|vVfH-0eI#tLu&<5D5Mj2p+_TBy&Ew|Pb{|E$nC{!+l>H_xpnXbNq|<7w zk)}Nta#dN}V%E`|>&D5o^Y~u%D}s$9p|xaS<$jZysqJhr+cY5b;A+ZxxOHC(#{lc3 zp-UaGDnmW&y1p>+RNR@L5OwzeSulQ~rjp!-gZ}+U!WZlyJHvNO7Zo$zhH6I7nmKF| zEzN88CaW~PU1IW3W=uL{BLH(HnUHpT!)+ray*n}(>jN=1uQb^mGi1rOwPS^UvMnxQ zXIL^gc>RZ7DSuF-O>-CkgKn4P{FQIlkV@Beq+z>z&;e#+gqcXIvW=LfsN>Ev7JN2F z|FFW`B((U}GhXPR>TKdXao)pPT8Km|($gc!%qj9u1Ad4TXCR4H!DBmYBnLENy0SX5 z9IFw@9b(xJW1|d5PlzK9G58=`BGsu)e1QdVLFv$5wt&UHL0Q+j(Tcb(b=9%$$ufmP zyK5mM%*D_)nwrYz;YGtf$OH|-1QG*!aJC?MebT5Y^r(rL%td@xv=5tK!jOJ?#h!(x(A zD;rL9(W{nnbP7or%{q6>ak!g@?P3FNI^|-ld$4H3Y9s{6ynzin+2JGZhxexUQAJW5 zU5{oNV}+(*Pvfe{g2j!s3TkxgRvDHLm8F;v?%k}!Fw=V>y@G;>F~ag=SZ8n7o@8T2hTRU&=ANK zY3j1xg}4N*oS*3-Vazh5d(1lDbLdh>)6L{B?O_I?TC*6(IXgoaqjiyi#}$bJYsO+z zWUt-0VtRXYdFZV0u8*dxIxM*9SPf>-rDe`!jhSP_Sll0P z{210EC2lZ%=`xll3H93!#pRO7zAf>n99$r|j>hfXf*=1_7g=e1%&6qE3<(@h5 z&@Nev7V|w)#ET!(yc0i`MzApGl?;Lv7RkQYT*y_KU1J>n5&KIXQbV?V^Mk}$3l3KO 
zs0Vsv(Y)F@oxMJ){5k2B2J8klh9*&yHApbDMtBZ_g-O_P!fF1DAcG}DTU%HbhoQ~5 z1r)d>u4`+hkMC{<6u#y63la&b4OG@4Ko6~&j^+MA%>Iq!%? zD-GD)Y&uP}OF>)@{KeQmbA;@6wvDS7c@Xy0}$6eKVFA$#TOT%S~9+sY}fF~;4E zC5Z2`bx zJt#uHvf9Ip8HZ*+b5L@+!#uOkp*!D432eQYeg+y5osiF!}d(DQ#GFR(T|^+hK94 z;}FW!*go?MrN$}|R%PRa6gf77nb!UFHkij)mZAkpsh_?QcCttdrER?=?Dmv|JI$D82Kj@Pt=pvzF#8V(grQUY&h0zoF&NxAxzgE#=8o|(?rk?^WPa%z z+d){rlDe~>+Qe0i}%j6i8t!%JR7px&vT`pI)LAlMe6k@Zxb8|-!R zzcDv@6AQ@n{&GPV=*%T2-9qx3d1Z{lZkUVFJfiR&nOYU)Ym9#FM7O*?Ic_TZ=zAGF z`*DRP|4c`6Augz}oUBn)bsPhA&Frcjw+aH~!um(2Yq!OC~LJ;z zjy~+v-(^kK=;<>fw4L}SMd^8st4voW7NRYBbWzvzlf{&MMD3*Sd}f;!r6{tn_a~h6 zntjfX>N1+!N#1jxyH!$K(hVHhuCdFKr0aE@dt@_gElG5iUt?*oyS2GzkFQx*EqogZ zCs7sYZXM$_f)K+}Yj{#K8){8E<}BA`v*@tSTWe#cU( zkIXXB&aJgHNz^DJf*5SuRd#M~!*FHtV1At)3pYzb6mjELhj8HjjdQq+WYgCjw`HO9 zX~sM5q<%HZ>rg%HepsC|J<~7d+*Sd0G)MrNi5+IkwU&W!Zx0U53lj{ zuDMpPkzD2#i%~rBwsY+qJ)ovQVatN8QJQ`b8K$_NAp`p?c`HgxHh+zd9SO~}*1_0> zL7t+xgeK0Cp9FJxyjCxZ6pzK5^`tAnhNnFgw#d6W5V~Mu%mOT98n>ML?nCkibP>%I0-)dtQIR1yQ}K|8Jcghxh` ztA`P1-eruKZ20jUFqIDSgR|GLq(|b}3QJbZn0fk)-zY{q_PWx~V=hpc8>Z1k*Zh z2Da&%-Tvp(x->8l4_~n3=$WEoDIB^k0Z)-OGh1iNg(QF9?AgIiB0ny~fj$ROrErsr zn__kdjX|xI3BaX(^xAp-cAHxF>pDPf!h*M=!M6Da;zaS7d_HT3VP98FG<;A>VYv+% z%B;si`o)06$f&{rIvn3=)tR@3q@}=HN=y0|TWz~^Q1N@+{Jyia6lu)3YOyoLxNH$l z_X8GeCT9*+Gv=BdzhhI|LQHu;8*((Qio$Rp&g6re{*tVnpt|mB1549A#47`Pe6p4|1&Xc)v++O1jBgxbZi+E3jBFOZbu97&tu|zt_+E zQC?7gt4(6v@8Ye2`TN+Wkedfv4G}Fxrsc>pf5EMRx%cp@-spZ6?hGuv?z}RvnD@{{ zvU>yJJRNNlF7u18r{5YFzOV<^?``Z1&~bHR=cgW528Ouu8v~ot3EHMR+o3h9lv9JX aoh_Q98#YG}=>s)&a=Gaj36?kj;Qs@oiW^1% literal 0 HcmV?d00001 diff --git a/po/sv.po b/po/sv.po new file mode 100644 index 0000000..bde18a8 --- /dev/null +++ b/po/sv.po 
@@ -0,0 +1,2939 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Göran Uddeborg , 2013-2014
+# Göran Uddeborg , 2018. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2018-06-03 04:06+0000\n"
+"Last-Translator: Göran Uddeborg \n"
+"Language-Team: Swedish (http://www.transifex.com/projects/p/sssd/language/"
+"sv/)\n"
+"Language: sv\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Ange pratsamhet för felsökningsloggning"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Inkludera tidsstämplar i felsökningsloggar"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr "Inkludera mikrosekunder i tidsstämplar i felsökningsloggar"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Skriv felmeddelanden till loggfiler"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr "Vakthundstidsgräns före tjänst startas om"
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Kommando för att starta tjänst"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Antal gånger att försöka ansluta till dataleverantörer"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr "Antalet fildeskriptorer som får öppnas av denna svarare"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr "Inaktiv tid före en klient automatiskt kopplas ifrån"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr "Inaktiv tid före den svarande automatiskt stängs av"
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr "Fråga alltid alla cacharna före dataleverantörerna frågas"
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "SSSD-tjänster att starta"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "SSSD-domäner att starta"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Tidsgräns för meddelanden skickade via SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Reguljäruttryck för att tolka användarnamn och domän"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Printf-kompatibla format för att visa fullständigt kvalificerade namn"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Katalog på filsystemet där SSSD skall lagra sparade återspolningsfiler från "
+"Kerberos."
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr "Domän att lägga till till namn utan en domändel."
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr "Användaren skall släppa behörigheter till"
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr "Trimma certifikatverifikation"
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+"Alla mellanrum i grupp- eller användarnamn kommer att ersättas med detta "
+"tecken"
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+"Trimma sssd till att beakta eller ignorera ändringar av netlink-tillståndet"
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr "Aktivera eller avaktivera den implicita fildomänen"
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr "En specifik ordning på domänerna som skall slås upp"
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr "Tidsgränslängd för uppräkningscache (sekunder)"
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr "Tidsgränslängd för bakgrundsuppdateringar av postcache (sekunder)"
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr "Tidsgränslängd för negativ cache (sekunder)"
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr "Tidsgränslängd för negativ filcache (sekunder)"
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "Användare som SSSD uttryckligen skall bortse ifrån"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "Grupper som SSSD uttryckligen skall bortse ifrån"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "Skall filtrerade användare förekomma i grupper"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr "Värdet på lösenordsfältet som NSS-leverantörer skall returnera"
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr "Åsidosätt hemkatalogvärdet från identitetsleverantören med detta värde"
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+"Ersätt ett tomt hemkatalogvärde från identitetsleverantören med detta värde"
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr "Åsidosätt skalvärdet från identitetsleverantören med detta värde"
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr "Listan på skal användare får lova att logga in med"
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr "Listan på skal som kommer förbjudas, och ersättas med standardskalet"
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+"Om ett skal lagrat i en central katalog är tillåtet men inte tillgängligt, "
+"använd detta alternativ"
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr "Skal att använda om leverantören inte listar något"
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr "Hur länge sparade poster i minnet är giltiga"
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr "Lista över användarattribut NSS-svaranden får publicera"
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+"Hur länge sparade inloggningar tillåts mellan online-inloggningar (dagar)"
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr "Hur många misslyckade inloggningsförsök som tillåts i frånkopplat läge"
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+"Hur länge (minuter) som inloggning nekas efter att "
+"frånkopplade_inloggningsförsök har nåtts"
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr "Vilka slags meddelanden som visas för användaren under autentisering"
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr "Filtrera PAM-svar skickade till pam_sss"
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr "Hur många sekunder identitetsinformationen hålls sparad för PAM-frågor"
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr "Hur många dagar före ett lösenord går ut en varning skall visas"
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr "Lista över betrodda uid:n eller användarnamn"
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr "Lista över domäner tillgängliga även för ej betrodda användare."
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr "Meddelande som skrivs när ett användarkonto har gått ut."
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr "Meddelande som skrivs när ett användarkonto är låst."
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr "Tillåt certifikatbaserad/smartkortsautentisering."
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr "Sökväg till certifikatdatabasen med PKCS#11-moduler."
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr "Hur många sekunder kommer pam_sss vänta på p11_child att avsluta"
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr "Vilken PAM-tjänster tillåts att kontakta applikationsdomäner"
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr "Om tidsbaserade attribut i sudo-regler skall beräknas"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+"Om sant kommer SSSD byta tillbaka till ordningslogiken att lägre vinner"
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+"Maximalt antal regler som kan som kan uppdateras samtidigt. OM detta "
+"överskrids utförs en fullständig uppdatering."
+ +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" +"Om värdnamn och adresser i known_hosts-filen skall göras till kontrollsummor" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" +"Hur många sekunder att behålla en värd i filen known_hosts efter att dess " +"värdnycklar begärdes" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "Sökväg till lagring av betrodda CA-certifikat" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "Lista över UID:er eller användarnamn som tillåts komma åt PAC-svararen" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "Hur länge PAC-data betraktas som giltiga" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" +"Lista över UID:er eller användarnamn som tillåts komma åt InfoPipe-svararen" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "Lista över användarattribut InfoPipe får publicera" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "Leverantören där hemligheter kommer lagras i" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "Det maximala antalet tillåtna nästlade behållare" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "Det maximala antalet hemligheter som kan lagras" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "Det maximala 
antalet hemligheter som kan lagras per UID" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "Den maximala laststorleken av hemligheter i kilobyte" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "URL:en Custodia-servern lyssnar på" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "Metoden att använda vid autentisering mot en Custodia-server" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" +"Namnet på huvudena som kommer läggas till i en HTTP-begäran med värdet " +"definierat i auth_header_value" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets would use for auth_header_name" +msgstr "Värdet sssd-hemligheter skulle använda till auth_header_name" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" +"Listan över huvuden att vidarebefordra till Custodia-servern tillsammans med " +"begäran" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" +"Användarnamnet att använda vid autentisering mot en Custodia-server med " +"basic_auth" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" +"Lösenordet att använda vid autentisering mot en Custodia-server med " +"basic_auth" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" +"Om sant verifieras motpartens certifikat om proxy_url använder protokollet " +"https" + +#: 
src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" +"Om falskt får motpartens certifikat innehålla ett annat värdnamn än " +"proxy_url när protokollet https används" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "Sökväg till katalogen där certifikatutfärdares certifikat lagras" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "Sökväg till filen som innehåller serverns CA-certifikat" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "Sökväg till filen som innehåller klientens certifikat" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "Sökväg till filen som innehåller klientens privata nyckel" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "Identifiera leverantör" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "Autentiseringsleverantör" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "Leverantör av åtkomstkontroll" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "Leverantör av lösenordsändringar" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "SUDO-leverantör" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "Autofs-leverantör" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "Värdidentitetsleverantör" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "SELinux-leverantör" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "Sessionshanteringsleverantör" + +#: 
src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "Huruvida domänen är användbar av OS:et eller av program" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "Minsta användar-ID" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "Största användar-ID" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "Aktivera uppräkning av alla användare/grupper" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "Cache-kreditiv för frånkopplad inloggning" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "Lagra lösenords-kontrollsummor" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "Visa användare/grupper i fullständigt kvalificerat format" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "Inkludera inte gruppmedlemmar i gruppuppslagningar" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "Tidsgränslängd för postcache (sekunder)" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "Begränsa eller föredra en specifik adressfamilj vid DNS-uppslagningar" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" +"Hur länge cachade poster skall behållas efter senaste lyckade inloggning " +"(dagar)" + +#: 
src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "Hur länge man väntar på svar från DNS när servrar slås upp (sekunder)" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "Domändelen av DNS-frågan för tjänstedetektering" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "Åsidosätt GID-värdet från identitetsleverantören med detta värde" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "Behandla användarnamn som skiftlägeskänsliga" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "Hur ofta utgångna poster skall förnyas i bakgrunden" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "Huruvida klienternas DNS-poster uppdateras automatiskt" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "TTL:en att använda för klientens DNS-post efter att ha uppdaterat den" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "Gränssnittet var IP skall användas för dynamiska DNS-uppdateringar" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "Hur ofta klienternas DNS-poster periodiskt skall uppdateras" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "Huruvida leverantören explicit skall uppdatera PTR-posten också" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate 
utility should default to using TCP" +msgstr "Huruvida verktyget nsupdate skall använda TCP som standard" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" +"Vilken sorts autentisering som skall användas för att utföra DNS-" +"uppdateringen" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "Åsidosätt DNS-servern som används för att utföra DNS-uppdateringen" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "Styr uppräkning av betrodda domäner" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "Hur ofta skall listan över underdomäner uppdateras" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "Lista över flaggor som skall ärvas in i en underdomän" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "Standard hemkatalogvärde för underdomäner" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "Hur länge cachade kreditiv får användas för cachad autentisering" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "Huruvida privata grupper för användare skall skapas automatiskt" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA-domän" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA-serveradress" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "Adress till reserv-IPA-server" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "IPA-klientvärdnamn" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid 
"Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "Om klientens DNS-post i FreeIPA automatiskt skall uppdateras" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "Sökbas för HBAC-relaterade objekt" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "Tidsåtgången mellan uppslagningar av HBAC-reglerna mot IPA-servern" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" +"Tiden i sekunder mellan uppslagningar av SELinux-mappningar mot IPA-servern" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "Om satt till falskt kommer värdargument givna av PAM ignoreras" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "Platsen för automatmonteraren denna IPA-klient använder" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "Sökbas för objekt som innehåller information om IPA-domänen" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "Sökbas för objekt som innehåller information om ID-intervall" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "Aktivera DNS-sajter - platsbaserad detektering av tjänster" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "Sökbas för vybehållare" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "Objektklass för vybehållare" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with 
the name of the view" +msgstr "Attribut med namnet på vyn" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "Objektklass för åsidosättande objekt" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "Attribut med referensen till originalobjektet" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "Objektklass för användaråsidosättande objekt" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "Objektklass för gruppåsidosättande objekt" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "Sökväg för objekt relaterade till skrivbordsprofiler" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" +"Tiden i sekunder mellan uppslagningar av skrivbordsprofilsregler mot IPA-" +"servern" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" +"Tiden i minuter mellan uppslagningar av skrivbordsprofilsregler mot IPA-" +"servern när det den senaste förfrågan inte hittade någon regel" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "Active Directory-domän" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "Aktivera Active Directory-domäner" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "Adress till Active Directory-server" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "Adress till Active Directory-reservserver" + +#: 
src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "Active Directory-klientvärdnamn" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "LDAP-filter för att bestämma åtkomstprivilegier" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "Huruvida den globala katalogen skall användas för uppslagningar" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "Arbetsläge för GPO-baserad åtkomstkontroll" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "Tidsåtgången mellan uppslagningar av GPO-policyfiler mot AD-servern" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" +"PAM-tjänstenamn som översätts till GPO-policyinställningen " +"(Deny)InteractiveLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" +"PAM-tjänstenamn som översätts till GPO-policyinställningen " +"(Deny)RemoteInteractiveLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" +"PAM-tjänstenamn som översätts till GPO-policyinställningen " +"(Deny)NetworkLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" +"PAM-tjänstenamn som översätts till GPO-policyinställningen " +"(Deny)BatchLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy 
settings" +msgstr "" +"PAM-tjänstenamn som översätts till GPO-policyinställningen " +"(Deny)ServiceLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "PAM-tjänstenamn för vilka GPO-baserad åtkomst alltid tillåts" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "PAM-tjänstenamn för vilka GPO-baserad åtkomst alltid nekas" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" +"Standardinloggningsrättigheter (eller permit/deny) att använda för omappade " +"PAM-tjänstenamn" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "en viss sajt att användas av klienten" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "Maximal ålder i dagar innan maskinkontots lösenord skall förnyas" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "Flagga för att trimma maskinkontots förnyelseuppgift" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Adress till Kerberosserver" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "Adress till reservserver för Kerberos" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "Kerberosrike" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "Autentiseringstidsgräns" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "Huruvida kdcinfo-filer skall skapas" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr 
"Var konfigurationssnuttar för krb5 skall läggas" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "Katalog att lagra kreditiv-cachar i" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "Plats för användarens kreditiv-cache" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "Plats för nyckeltabellen för att validera kreditiv" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "Aktivera validering av kreditiv" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "Lagra lösenord när ej ansluten för ansluten autentisering senare" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "Förnybar livstid för TGT:n" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "Livstid för TGT:n" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "Tid mellan två kontroller av förnyelse" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "Aktiverar FAST" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "Väljer huvudman att använda för FAST" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "Aktivera kanonisk form av huvudman" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "Aktiverar företagshuvudmän" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "En översättning från användarnamn till Kerberos huvudmansnamn" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is 
running if not on the KDC" +msgstr "Server där ändringstjänsten för lösenord kör om inte på KDC:n" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "ldap_uri, URI:n för LDAP-servern" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "ldap_backup_uri, URI:n för LDAP-servern" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "Standard bas-DN" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "Schematypen som används i LDAP-servern, rfc2307" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "Standard bindnings-DN" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "Typen på autentiserings-token för standard bindnings-DN" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "Autentiserings-token för standard bindnings-DN" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "Tidslängd att försöka ansluta" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "Tidslängd att försök synkrona LDAP-operationer" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "Tidslängd mellan försök att återansluta vid frånkoppling" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "Använd endast versaler för namn på riken" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "Fil som innehåller CA-certifikat" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "Sökväg till katalogen med 
CA-certifikat" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "Fil som innehåller klientcertifikatet" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "Fil som innehåller klientnyckeln" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "Lista över möjliga chiffersviter" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "Kräv TLS-certifikatverifiering" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "Ange sasl-mekanismen att använda" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "Ange sasl-auktorisering-id att använda" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "Ange sasl-auktoriseringsrike att använda" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "Ange minsta SSF för LDAP-sasl-auktorisering" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "Kerberostjänstens nyckeltabell" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "Använd Kerberosautentisering för LDAP-anslutningaä" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "Följer LDAP-hänvisningar" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "Livslängd på TGT för LDAP-anslutning" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "Hur alias skall derefereras" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "Tjänstenamn för uppslagning av DNS-tjänster" + +#: src/config/SSSDConfig/__init__.py.in:306 
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr "Antalet poster som skall hämtas i en enda LDAP-fråga"
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+"Antalet medlemmar som måste saknas för att orsaka en fullständig dereferering"
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+"Huruvida LDAP-biblioteket skall utföra en omvänd uppslagning för att ta fram "
+"värdnamnets kanoniska form under en SASL-bindning"
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr "entryUSN-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr "lastUSN-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+"Hur länge en anslutning till LDAP-servern skall behållas före den kopplas ner"
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr "Avaktivera flödesstyrningen (paging) av LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr "Avaktivera Active Directorys intervallhämtande"
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Tidslängd att vänta på en sökbegäran"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr "Tidslängd att vänta på en uppräkningsbegäran"
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Tidslängd mellan uppräkningsuppdateringar"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "Tidslängd mellan cache-tömningar"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "Kräv TLS för ID-uppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr "Använd ID-översättning av objectSID istället för pre-set ID:n"
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "Bas-DN för användaruppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Omfång av användaruppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Filter för användaruppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Objektklass för användare"
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Användarnamnsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "UID-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Primärt GID-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "GECOS-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Hemkatalogattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Skalattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr "UUID-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr "objectSID-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr "Primärt gruppattribut i Active Directory för ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Användarens huvudmansattribut (för Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Fullständigt namn"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "medlemAv-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Modifieringstidsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr "attributet shadowLastChange"
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr "shadowMin-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr "shadowMax-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr "shadowWarning-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr "shadowInactive-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr "shadowExpire-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr "shadowFlag-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr "Attribut för listning av auktoriserade PAM-tjänster"
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr "Attribut för listning av auktoriserade servervärdar"
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr "Attribut för listning av auktoriserade server-rhosts"
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr "attributet krbLastPwdChange"
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr "krbPasswordExpiration-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr "Attribut som indikerar att serversidans lösenordspolicyer är aktiva"
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr "AD:s attribut accountExpires"
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr "AD:s attribut userAccountControl"
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr "attributet nsAccountLock"
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr "NDS attribut loginDisabled"
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr "NDS attribut loginExpirationTime"
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr "NDS attribut loginAllowedTimeMap"
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr "Attribut för publik SSH-nyckel"
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr "attribut för listning av tillåtna autentiseringstyper för en användare"
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr "attribut som innehåller användarens X509-certifikat"
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr "attribut som innehåller e-postadresser till användaren"
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr "En lista över extra attribut att hämta tillsammans med användarposten"
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr "Bas-DN för gruppuppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr "Objektklass för grupper"
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr "Gruppnamn"
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr "Grupplösenord"
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr "GID-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr "Gruppmedlemsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr "Grupp-UUID-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr "Modifieringstidsattribut för grupper"
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr "Typen av grupp och andra flaggor"
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr "LDAP-gruppens externa medlemsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr "Maximal nästningsnivå SSSD kommer följa"
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr "Bas-DN för nätgruppuppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr "Objektklass för nätgrupper"
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr "Nätgruppnamn"
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr "Attribut på nätgruppmedlemmar"
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr "Attribut på nätgruppstripplar"
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr "Modifieringstidsattribut för nätgrupper"
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr "Bas-DN för tjänsteuppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr "Objektklass för tjänster"
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr "Tjänstenamnsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr "Tjänsteportsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr "Tjänsteprotokollsattribut"
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr "Undre gräns för ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr "Övre gräns för ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr "Antal ID:n till varje skiva vid ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr "Använd en autorid-kompatibel algoritm för ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr "Standarddomänens namn för ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr "Standarddomänens SID för ID-mappning"
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr "Antal sekundära skivor"
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr "Använd LDAP_MATCHING_RULE_IN_CHAIN för gruppuppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr "Använd LDAP_MATCHING_RULE_IN_CHAIN för init-gruppuppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr "Huruvida Token-Groups skall användas"
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs from the LDAP server"
+msgstr "Sätt undre gräns för tillåtna ID:n från LDAP-servern"
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr "Sätt övre gräns för tillåtna ID:n från LDAP-servern"
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr "DN för ppolicy-frågor"
+
+#: src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr "Hur många poster att maximalt hämta i en joker-begäran"
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Policy för att utvärdera utgång av lösenord"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr "Vilka attribut skall användas för att avgöra om ett konto gått ut"
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr "Vilka regler skall användas för att avgöra åtkomstkontroll"
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr "URI till en LDAP-server där lösenordsändringar är tillåtna"
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr "URI till en reserv-LDAP-server där lösenordsändringar är tillåtna"
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr "DNS-tjänstenamn för LDAP-lösenordsändringsservern"
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+"Huruvida attributet ldap_user_shadow_last_change skall uppdateras efter en "
+"ändring av lösenord"
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr "Bas-DN för regeluppslagningar"
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr "Intervall mellan automatisk fullständig omläsning"
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr "Intervall mellan automatisk smart omläsning"
+
+#: src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr ""
+"Huruvida regler skall filtreras efter värdnamn, IP-adresser och nätverk"
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this machine to filter sudo "
+"rules"
+msgstr ""
+"Värdnamn och/eller fullständigt kvalificerade domännamn på denna maskin för "
+"att filtrera sudo-regler"
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+"IPv4- eller IPv6-adresser eller -nätverk för denna maskin för att filtrera "
+"sudo-regler"
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+"Huruvida regler som innehåller nätgrupper i värdattribut skall inkluderas"
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include rules that contains regular expression in host attribute"
+msgstr ""
+"Huruvida regler som innehåller reguljära uttryck i värdattribut skall "
+"inkluderas"
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr "Objektklass för sudo-regler"
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr "Sudo-regelnamn"
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr "Attribut för sudo-regelkommandon"
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr "Attribut för sudo-regelvärd"
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr "Attribut för sudo-regelanvändare"
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr "Attribut för sudo-regelflaggor"
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr "Sudo-regel-runas-attribut"
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr "Attribut för sudo-runasuser"
+
+#: src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr "Attribut på runasgroup i sudo-regel"
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr "Attribut för sudo-notbefore-regler"
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr "Attribut för sudo-notafter-regler"
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr "Attribut för sudo-order-regler"
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr "Objektklass för avbildningar för automatmonterare"
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr "Attribut för namn i avbildningar för automatmonterare"
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr "Objektklass för poster i avbildningar för automatmonterare"
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr "Attribut för postnycklar i avbildningar för automatmonterare"
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr "Attribut på postvärde i avbildning för automatmonteraren"
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr "Bas-DN för uppslagningar i avbildningar för automatmonterare"
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Kommaseparerad lista över tillåtna användare"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Kommaseparerad lista över förbjudna användare"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Standardskal, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Bas för hemkataloger"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr "Antal ombudsbarn före grening"
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "Namnet på NSS-biblioteket att använda"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr "Huruvida kanoniska gruppnamn skall slås upp från cachen om möjligt"
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "PAM-stack att använda"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Bli en demon (standard)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Kör interaktivt (inte en demon)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr "Avaktivera netlink-gränssnittet"
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Ange en konfigurationsfil annan än standard"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr "Uppdatera konfigurationsdatabasen, avsluta sedan"
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr "Skriv ut versionsnumret och avsluta"
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr "SSSD kör redan\n"
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Felsökningsnivå"
+
+#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Lägg till felsökningstidstämplar"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr "Visa tidsstämplar med mikrosekunder"
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr "Ett öppet filhandtag för felsökningsloggarna"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr "Skicka felsökningsutdata direkt till standard fel."
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr "Användaren att skapa en FAST-ccache som"
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr "Gruppen att skapa en FAST-ccache som"
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr "Kerberosrike att använda"
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr "Begärd livslängd på biljetten"
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr "Begärd förnybar livslängd på biljetten"
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr "FAST-flaggor (”never”, ”try”, ”demand”)"
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr "Anger serverhuvudmannen att använda för FAST"
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr "Begär kanonisering av huvudmannanamnet"
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr "Använd en anpassad version av krb5_get_init_creds_password"
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr "Domän för informationsleverantören (obligatoriskt)"
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr "Privilegierat uttag (socket) har fel ägarskap eller rättigheter."
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr "Publikt uttag (socket) har fel ägarskap eller rättigheter."
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr "Oväntat format på serverns kreditivmeddelande."
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD körs inte av root."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found."
+msgstr "Ett fel uppstod, men ingen beskrivning kan hittas."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr "Oväntat fel vid sökning efter ett felmeddelande"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr "Åtkomst nekas. "
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Servermeddelande: "
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Lösenorden stämmer inte överens"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr "Återställning av lösenord av root stöds inte."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Autentiserad med cachade kreditiv"
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", ditt cache-lösenord kommer gå ut: "
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr "Ditt lösenord har gått ut. Du har en frist på %1$d inloggningar kvar."
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr "Ditt lösenordet kommer gå ut om %1$d %2$s."
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "Autentisering nekas till: "
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "Systemet är frånkopplat, ändring av lösenord är inte möjligt"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+"Efter att ha ändrat OTP-lösenordet behöver du logga ut och tillbaka in för "
+"att få en biljett"
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Lösenordsändringen misslyckades. "
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Nytt lösenord: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Skriv det nya lösenordet igen: "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr "Första faktorn: "
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr "Andra faktorn (frivillig): "
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr "Andra faktorn: "
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Lösenord: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr "Första faktorn (nuvarande lösenord): "
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Nuvarande lösenord: "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "Lösenordet har gått ut. Ändra ditt lösenord nu."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Felsökningsnivån att köra med"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "SSSD-domäner att använda"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Fel när lokalen sattes\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr "Inte tillräckligt med minne\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Ingen användare angiven\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Fel vid uppslagning av publika nycklar\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "Porten att använda för att ansluta till värden"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Felaktig port\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Värden inte angiven\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "Sökvägen till proxy-kommandot måste vara absolut\n"
+
+#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48
+msgid "The UID of the user"
+msgstr "Användarens UID"
+
+#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50
+msgid "The comment string"
+msgstr "Kommentarsträngen"
+
+#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51
+msgid "Home directory"
+msgstr "Hemkatalogen"
+
+#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52
+msgid "Login shell"
+msgstr "Inloggningsskalet"
+
+#: src/tools/sss_useradd.c:53
+msgid "Groups"
+msgstr "Grupper"
+
+#: src/tools/sss_useradd.c:54
+msgid "Create user's directory if it does not exist"
+msgstr "Skapa användarens katalog om den inte redan finns"
+
+#: src/tools/sss_useradd.c:55
+msgid "Never create user's directory, overrides config"
+msgstr "Skapa aldrig användarens katalog, åsidosätter konfigurationen"
+
+#: src/tools/sss_useradd.c:56
+msgid "Specify an alternative skeleton directory"
+msgstr "Ange en alternativ skelettkatalog"
+
+#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60
+msgid "The SELinux user for user's login"
+msgstr "SELinux-användaren för användarens inloggning"
+
+#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79
+#: src/tools/sss_usermod.c:92
+msgid "Specify group to add to\n"
+msgstr "Ange en grupp att lägga till till\n"
+
+#: src/tools/sss_useradd.c:111
+msgid "Specify user to add\n"
+msgstr "Ange en användare att lägga till\n"
+
+#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86
+#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113
+#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198
+#: src/tools/sss_usermod.c:162
+msgid "Error initializing the tools - no local domain\n"
+msgstr "Fel vid initiering av verktygen — ingen lokal domän\n"
+
+#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88
+#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115
+#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200
+#: src/tools/sss_usermod.c:164
+msgid "Error initializing the tools\n"
+msgstr "Fel vid initiering av verktygen\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "Ogiltig domän angiven i FQDN\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "Internt fel vid tolkning av parametrar\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "Grupper måste finnas i samma domän som användaren\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "Hittar inte gruppen %1$s i den lokala domänen\n" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Kan inte sätta standardvärden\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "Den valda UID:n är utanför det tillåtna intervallet\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "Kan inte sätta SELinux-inloggningskontext\n" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Kan inte få information om användaren\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"Användarens hemkatalog finns redan, kopierar inte data från " +"skelettkatalogen\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "Kan inte skapa användarens hemkatalog: %1$s\n" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid 
"Cannot create user's mail spool: %1$s\n" +msgstr "Kan inte skapa användarens brevlåda: %1$s\n" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "Det gick inte att allokera ID för användaren - full domän?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "En användare eller grupp med samma namn eller ID finns redan\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Transaktionsfel. Det gick inte att lägga till användaren.\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "GID:t för gruppen" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "Ange en grupp att lägga till\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "Den valda GID:n är utanför det tillåtna intervallet\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "Det gick inte att allokera ID för gruppen - full domän?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "En grupp med samma namn eller GID finns redan\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "Transaktionsfel. 
Det gick inte att lägga till gruppen.\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "Ange grupp att ta bort\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "Gruppen %1$s är utanför det definierade ID-intervallet för domänen\n" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" +"NSS-begäran misslyckades (%1$d). Posten kan finnas kvar i en minnes-cache.\n" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"Ingen sådan grupp i den lokala domänen. Att ta bort grupper är endast " +"tillåtet i den lokala domänen.\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "Internt fel. 
Det gick inte att ta bort gruppen.\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "Grupper att lägga till denna grupp till" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "Grupper att ta bort denna grupp från" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "Ange grupp att ta bort ifrån\n" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "Ange grupp att ändra\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"Kan inte hitta gruppen i den lokala domänen, att ändra grupper är endast " +"tillåtet i den lokala domänen\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "Medlemsgrupper måste ligga i samma domän som föräldragrupper\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" +"Kan inte hitta grupp %1$s i den lokala domänen, endast grupper i den lokala " +"domänen är tillåtna\n" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"Det gick inte att ändra gruppen - kontrollera om medlemsgruppsnamnen är " +"riktiga\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" +"Det gick inte att ändra gruppen - kontrollera om gruppnamnet är riktigt\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. Could not modify group.\n" +msgstr "Transaktionsfel. 
Det gick inte att ändra gruppen.\n"
+
+#: src/tools/sss_groupshow.c:615
+#, c-format
+msgid "%1$s%2$sGroup: %3$s\n"
+msgstr "%1$s%2$sGrupp: %3$s\n"
+
+#: src/tools/sss_groupshow.c:616
+msgid "Magic Private "
+msgstr "Magiskt privat "
+
+#: src/tools/sss_groupshow.c:618
+#, c-format
+msgid "%1$sGID number: %2$d\n"
+msgstr "%1$sGID-nummer: %2$d\n"
+
+#: src/tools/sss_groupshow.c:620
+#, c-format
+msgid "%1$sMember users: "
+msgstr "%1$sMedlemsanvändare: "
+
+#: src/tools/sss_groupshow.c:627
+#, c-format
+msgid ""
+"\n"
+"%1$sIs a member of: "
+msgstr ""
+"\n"
+"%1$sÄr en medlem i: "
+
+#: src/tools/sss_groupshow.c:634
+#, c-format
+msgid ""
+"\n"
+"%1$sMember groups: "
+msgstr ""
+"\n"
+"%1$sMedlemsgrupper: "
+
+#: src/tools/sss_groupshow.c:670
+msgid "Print indirect group members recursively"
+msgstr "Skriv ut indirekta gruppmedlemmar rekursivt"
+
+#: src/tools/sss_groupshow.c:704
+msgid "Specify group to show\n"
+msgstr "Ange en grupp att visa\n"
+
+#: src/tools/sss_groupshow.c:744
+msgid ""
+"No such group in local domain. Printing groups only allowed in local "
+"domain.\n"
+msgstr ""
+"Ingen sådan grupp i den lokala domänen. Att skriva ut grupper är endast "
+"tillåtet i den lokala domänen.\n"
+
+#: src/tools/sss_groupshow.c:749
+msgid "Internal error. Could not print group.\n"
+msgstr "Internt fel. 
Det gick inte att skriva ut gruppen.\n"
+
+#: src/tools/sss_userdel.c:136
+msgid "Remove home directory and mail spool"
+msgstr "Ta bort hemkatalog och brevlåda"
+
+#: src/tools/sss_userdel.c:138
+msgid "Do not remove home directory and mail spool"
+msgstr "Ta inte bort hemkatalog och brevlåda"
+
+#: src/tools/sss_userdel.c:140
+msgid "Force removal of files not owned by the user"
+msgstr "Framtvinga borttagning av filer som inte ägs av användaren"
+
+#: src/tools/sss_userdel.c:142
+msgid "Kill users' processes before removing him"
+msgstr "Döda användares processer före de tas bort"
+
+#: src/tools/sss_userdel.c:188
+msgid "Specify user to delete\n"
+msgstr "Ange användare att ta bort\n"
+
+#: src/tools/sss_userdel.c:234
+#, c-format
+msgid "User %1$s is outside the defined ID range for domain\n"
+msgstr ""
+"Användaren %1$s är utanför det definierade ID-intervallet för domänen\n"
+
+#: src/tools/sss_userdel.c:259
+msgid "Cannot reset SELinux login context\n"
+msgstr "Kan inte återställa SELinux-inloggningskontext\n"
+
+#: src/tools/sss_userdel.c:271
+#, c-format
+msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n"
+msgstr ""
+"VARNING: Användaren (uid %1$lu) var fortfarande inloggad när han togs bort.\n"
+
+#: src/tools/sss_userdel.c:276
+msgid "Cannot determine if the user was logged in on this platform"
+msgstr "Det går inte att avgöra om användaren var inloggad på denna plattform"
+
+#: src/tools/sss_userdel.c:281
+msgid "Error while checking if the user was logged in\n"
+msgstr "Fel vid kontroll om användaren var inloggad\n"
+
+#: src/tools/sss_userdel.c:288
+#, c-format
+msgid "The post-delete command failed: %1$s\n"
+msgstr "Kommandot efter borttagandet misslyckades: %1$s\n"
+
+#: src/tools/sss_userdel.c:308
+msgid "Not removing home dir - not owned by user\n"
+msgstr "Tar inte bort hemkatalogen - ägs inte av användaren\n"
+
+#: src/tools/sss_userdel.c:310
+#, c-format
+msgid "Cannot remove homedir: %1$s\n"
+msgstr "Kan inte ta bort 
hemkatalogen: %1$s\n"
+
+#: src/tools/sss_userdel.c:324
+msgid ""
+"No such user in local domain. Removing users only allowed in local domain.\n"
+msgstr ""
+"Ingen sådan användare i den lokala domänen. Det går endast att ta bort "
+"användare i den lokala domänen.\n"
+
+#: src/tools/sss_userdel.c:329
+msgid "Internal error. Could not remove user.\n"
+msgstr "Internt fel. Det gick inte att ta bort användaren.\n"
+
+#: src/tools/sss_usermod.c:49
+msgid "The GID of the user"
+msgstr "Användarens GID"
+
+#: src/tools/sss_usermod.c:53
+msgid "Groups to add this user to"
+msgstr "Grupper att lägga till denna användare till"
+
+#: src/tools/sss_usermod.c:54
+msgid "Groups to remove this user from"
+msgstr "Grupper att ta bort denna användare ifrån"
+
+#: src/tools/sss_usermod.c:55
+msgid "Lock the account"
+msgstr "Lås kontot"
+
+#: src/tools/sss_usermod.c:56
+msgid "Unlock the account"
+msgstr "Lås upp kontot"
+
+#: src/tools/sss_usermod.c:57
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Lägg till ett attribut/värde-par. Formatet är attrnamn=värde."
+
+#: src/tools/sss_usermod.c:58
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr "Ta bort ett attribut/värde-par. Formatet är attrnamn=värde."
+
+#: src/tools/sss_usermod.c:59
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Sätt ett attribut till ett namn/värde-par. Formatet är attrnamn=värde. 
För "
+"flervärda attribut ersätter kommandot de värden som redan finns"
+
+#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126
+#: src/tools/sss_usermod.c:135
+msgid "Specify the attribute name/value pair(s)\n"
+msgstr "Ange attributets namn/värde-par\n"
+
+#: src/tools/sss_usermod.c:152
+msgid "Specify user to modify\n"
+msgstr "Ange användare att ändra\n"
+
+#: src/tools/sss_usermod.c:180
+msgid ""
+"Cannot find user in local domain, modifying users is allowed only in local "
+"domain\n"
+msgstr ""
+"Det gick inte att hitta användaren i den lokala domänen, det går bara att "
+"ändra användare i den lokala domänen\n"
+
+#: src/tools/sss_usermod.c:322
+msgid "Could not modify user - check if group names are correct\n"
+msgstr ""
+"Det gick inte att ändra användaren - kontrollera att gruppnamnen är riktiga\n"
+
+#: src/tools/sss_usermod.c:326
+msgid "Could not modify user - user already member of groups?\n"
+msgstr ""
+"Det gick inte att ändra användaren - är användaren redan medlem i grupper?\n"
+
+#: src/tools/sss_usermod.c:330
+msgid "Transaction error. Could not modify user.\n"
+msgstr "Transaktionsfel. 
Det gick inte att ändra användaren.\n"
+
+#: src/tools/sss_cache.c:218
+msgid "No cache object matched the specified search\n"
+msgstr "Inga cache-objekt matchade den angivna sökningen\n"
+
+#: src/tools/sss_cache.c:502
+#, c-format
+msgid "Couldn't invalidate %1$s\n"
+msgstr "Kunde inte invalidera %1$s\n"
+
+#: src/tools/sss_cache.c:509
+#, c-format
+msgid "Couldn't invalidate %1$s %2$s\n"
+msgstr "Kunde inte invalidera %1$s %2$s\n"
+
+#: src/tools/sss_cache.c:672
+msgid "Invalidate all cached entries"
+msgstr "Invalidera alla cachade poster"
+
+#: src/tools/sss_cache.c:674
+msgid "Invalidate particular user"
+msgstr "Invalidera en viss användare"
+
+#: src/tools/sss_cache.c:676
+msgid "Invalidate all users"
+msgstr "Invalidera alla användare"
+
+#: src/tools/sss_cache.c:678
+msgid "Invalidate particular group"
+msgstr "Invalidera en viss grupp"
+
+#: src/tools/sss_cache.c:680
+msgid "Invalidate all groups"
+msgstr "Invalidera alla grupper"
+
+#: src/tools/sss_cache.c:682
+msgid "Invalidate particular netgroup"
+msgstr "Invalidera en viss nätgrupp"
+
+#: src/tools/sss_cache.c:684
+msgid "Invalidate all netgroups"
+msgstr "Invalidera alla nätgrupper"
+
+#: src/tools/sss_cache.c:686
+msgid "Invalidate particular service"
+msgstr "Invalidera en viss tjänst"
+
+#: src/tools/sss_cache.c:688
+msgid "Invalidate all services"
+msgstr "Invalidera alla tjänster"
+
+#: src/tools/sss_cache.c:691
+msgid "Invalidate particular autofs map"
+msgstr "Invalidera en viss autofs-mapp"
+
+#: src/tools/sss_cache.c:693
+msgid "Invalidate all autofs maps"
+msgstr "Invalidera alla autofs-mappar"
+
+#: src/tools/sss_cache.c:697
+msgid "Invalidate particular SSH host"
+msgstr "Invalidera en viss SSH-värd"
+
+#: src/tools/sss_cache.c:699
+msgid "Invalidate all SSH hosts"
+msgstr "Invalidera alla SSH-värdar"
+
+#: src/tools/sss_cache.c:703
+msgid "Invalidate particular sudo rule"
+msgstr "Invalidera en viss sudo-regel"
+
+#: src/tools/sss_cache.c:705
+msgid "Invalidate all cached sudo rules" 
+msgstr "Invalidera alla cachade sudo-regler"
+
+#: src/tools/sss_cache.c:708
+msgid "Only invalidate entries from a particular domain"
+msgstr "Invalidera endast poster från en viss domän"
+
+#: src/tools/sss_cache.c:762
+msgid ""
+"Unexpected argument(s) provided, options that invalidate a single object "
+"only accept a single provided argument.\n"
+msgstr ""
+"Oväntat argument angivet, flaggor som invaliderar ett ensamt objekt tar bara "
+"ett ensamt angivet argument.\n"
+
+#: src/tools/sss_cache.c:772
+msgid "Please select at least one object to invalidate\n"
+msgstr "Välj åtminstone ett objekt att invalidera\n"
+
+#: src/tools/sss_cache.c:852
+#, c-format
+msgid ""
+"Could not open domain %1$s. If the domain is a subdomain (trusted domain), "
+"use fully qualified name instead of --domain/-d parameter.\n"
+msgstr ""
+"Kunde inte öppna domänen %1$s. Om domänen är en underdomän (betrodd domän), "
+"använd fullt kvalificerat namn istället för parametrarna --domain/-d.\n"
+
+#: src/tools/sss_cache.c:856
+msgid "Could not open available domains\n"
+msgstr "Kunde inte öppna tillgängliga domäner\n"
+
+#: src/tools/tools_util.c:202
+#, c-format
+msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n"
+msgstr ""
+"Namnet ”%1$s” verkar inte vara ett fullt kvalificerad domännamn (”%2$s = "
+"TRUE” är satt)\n"
+
+#: src/tools/tools_util.c:309
+msgid "Out of memory\n"
+msgstr "Slut på minne\n"
+
+#: src/tools/tools_util.h:40
+#, c-format
+msgid "%1$s must be run as root\n"
+msgstr "%1$s måste köras som root\n"
+
+#: src/tools/sssctl/sssctl.c:35
+msgid "yes"
+msgstr "ja"
+
+#: src/tools/sssctl/sssctl.c:37
+msgid "no"
+msgstr "nej"
+
+#: src/tools/sssctl/sssctl.c:39
+msgid "error"
+msgstr "fel"
+
+#: src/tools/sssctl/sssctl.c:42
+msgid "Invalid result."
+msgstr "Felaktigt resultat." 
+
+#: src/tools/sssctl/sssctl.c:78
+#, c-format
+msgid "Unable to read user input\n"
+msgstr "Kan inte läsa användarens indata\n"
+
+#: src/tools/sssctl/sssctl.c:91
+#, c-format
+msgid "Invalid input, please provide either '%s' or '%s'.\n"
+msgstr "Felaktig indata, ange antingen ”%s” eller ”%s”.\n"
+
+#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114
+#, c-format
+msgid "Error while executing external command\n"
+msgstr "Fel när externt kommando kördes\n"
+
+#: src/tools/sssctl/sssctl.c:156
+msgid "SSSD needs to be running. Start SSSD now?"
+msgstr "SSSD behöver köras. Starta SSSD nu?"
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr "SSSD får inte köra. Stoppa SSSD nu?"
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr "SSSD behöver startas om. Starta om SSSD nu?"
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr " %s finns inte i cachen.\n"
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr "Namn"
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr "Datum då cache-posten skapades"
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr "Tidpunkt då cache-posten senast uppdaterades"
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr "Tidpunkt då cache-posten går ut"
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr "Cachad i InfoPipe"
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr "Fel: kan inte hämta objektet [%d]: %s\n"
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr "%s: Kan inte läsa värdet [%d]: %s\n"
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr "Ange namn." 
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr "Kan inte tolka namnet %s.\n"
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr "Sök via SID"
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr "Sök via användar-ID"
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr "Init-gruppers utgångstid"
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr "Sök via grupp-ID"
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+"Filen %1$s finns inte. SSSD kommer använda standardkonfigurationen med "
+"filleverantörer.\n"
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. Expected root:root and 0600.\n"
+msgstr ""
+"Kontrollen av filens ägarskap och rättigheter misslyckades. root:root och "
+"0600 förväntades.\n"
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr "Problem identifierade av validerare: %zu\n"
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr "Meddelanden genererade under sammanslagning av konfigurationen: %zu\n"
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr "Använda konfigurationssnuttfiler: %u\n"
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr "Kan inte skapa en katalog för säkerhetskopia [%d]: %s"
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr "En SSSD-säkerhetskopia av lokala data finns redan, åsidosätt?" 
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr "Kan inte exportera användaråsidosättanden\n"
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr "Kan inte exportera gruppåsidosättanden\n"
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr "Åsidosätt befintlig säkerhetskopia"
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr "Kan inte importera användaråsidosättanden\n"
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr "Kan inte importera gruppåsidosättanden\n"
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr "Starta SSSD om den inte kör"
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr "Starta om SSSD efter import av data"
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr "Skapa rena cachefiler och importera lokala data"
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr "Stoppa SSSD före cachen tas bort"
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr "Starta SSSD när cachen är borttagen"
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr "Skapa säkerhetskopia av lokala data …\n"
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+"Kan inte skapa säkerhetskopia av lokala data, kan inte ta bort cachen.\n"
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr "Tar bort cache-filer …\n"
+
+#: 
src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr "Kan inte ta bort cache-filer\n"
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr "Återställer lokala data …\n"
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr "Visa domänlistan inklusive primär eller betrodd domäntyp"
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr "Uppkopplingsstatus: %s\n"
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr "Uppkopplad"
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr "Frånkopplad"
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr "Aktiva servrar:\n"
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr "inte ansluten"
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr "Upptäckte %s servrar:\n"
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr "Ingen än så länge.\n"
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr "Visa uppkopplingsstatus"
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr "Visa information om aktiv server"
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr "Visa lista över upptäckta servrar"
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr "Ange domännamn." 
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr "Slut på minne!\n"
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr "Kan inte ta reda på uppkopplingsstatus\n"
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr "Kan inte ta reda på serverlistan\n"
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr "\n"
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr "Radera loggfiler istället för att hugga av"
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr "Raderar loggfiler …\n"
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr "Kan inte ta bort loggfiler\n"
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr "Hugger av loggfiler …\n"
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr "Kan inte hugga av loggfiler\n"
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr "Slut på minne!"
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr "Arkiverar loggfiler in i %s …\n"
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr "Kan inte arkivera loggfiler\n"
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr "Ange felsökningsnivå du vill sätta"
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+"Kontrollera att SSSD kör och InfoPipe-respondenten är aktiverad. 
Se till "
+"att ”ifp” listas i flaggan ”services” i sssd.conf.\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr "Kan inte ansluta till InfoPipe"
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr "Kan inte att användarobjektet"
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr "Resultat av SSSD InfoPipe-användaruppslagning:\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr "Kan inte hämta användarnamnsattribut"
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr "dlopen misslyckades med [%s].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr "dlsym misslyckades med [%s].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr "malloc misslyckades.\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr "sss_getpwnam_r misslyckades med [%d].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr "Resultat av SSSD nss-användaruppslagning:\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr " - användarnamn: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr " - användar-id: %d\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr " - grupp-id: %d\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr " - gecos: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr " - hemkatalog: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:179 
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+" - skal: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr "PAM-åtgärd [auth|acct|setc|chau|open|clos], standard: "
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr "PAM-tjänst, standard: "
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr "Ange användarnamn."
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+"användare: %s\n"
+"åtgärd: %s\n"
+"tjänst: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr "Användarnamnsuppslagning med [%s] misslyckades.\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr "InfoPipe-användaruppslagning med [%s] misslyckades.\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr "pam_start misslyckades: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+"testar pam_authenticate\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr "pam_get_item misslyckades: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+"pam_authenticate för användaren [%s]: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+"testar pam_chauthtok\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+"pam_chauthtok: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n" 
+"\n"
+msgstr ""
+"testar pam_acct_mgmt\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+"pam_acct_mgmt: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+"testar pam_setcred\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+"pam_setcred: [%s]\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+"testar pam_open_session\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+"pam_open_session: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+"testar pam_close_session\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+"pam_close_session: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr "okänd åtgärd\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr "PAM-miljö:\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr " - ingen miljö -\n"
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr "Användar-ID:t att köra servern som"
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr "Grupp-ID:t att köra servern som"
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr "Informerar att respondenten har blivit uttagsaktiverad"
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr "Informerar att respondenten har blivit dbus-aktiverad" 
diff --git a/po/tg.gmo b/po/tg.gmo new file mode 100644 index 0000000000000000000000000000000000000000..5d2cf79ac89e4f6d46bb07689f6f401de22310fd GIT binary patch literal 1155 zcmZ9K&u<$=6vqcB6c&Nn^6LPI2NznZ@!E-z%!WYPG>syX#ss&jI5F9sthcpyRx{(e z>8UhDLgGSI^;A_zh&yRQA!JFvN?{ zTabm0LVrL$jy%QKOW;v30N(*$20s9w13v{N2d=pGTv}CaVFOc31U*qF> z=xOK$=vm00!N+09&&y`#&XBNHXUjb+*{oK*f^yM)vMhu#eWjD(7sKXNe3@)pl89r~ z%Pl)6`_vqnB4Ud@OKOF>va9rJ!2a{)$6}9 zw3V?ksVJQW&BYd<)>2q> z8+fj}EqA|MD{r_h!q3RuJ-6e2$BWxU_WEBx4>p\n" +"Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/" +"tg/)\n" +"Language: tg\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors that may be opened by this responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:52 +msgid "Idle time before automatic disconnection of a client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:53 +msgid "Idle time before automatic shutdown of the responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:54 +msgid 
"Always query all the caches before querying the Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:57 +msgid "SSSD Services to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:58 +msgid "SSSD Domains to start" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:59 +msgid "Timeout for messages sent over the SBUS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:60 +#: src/config/SSSDConfig/__init__.py.in:197 +msgid "Regex to parse username and domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:61 +#: src/config/SSSDConfig/__init__.py.in:196 +msgid "Printf-compatible format for displaying fully-qualified names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:62 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids or user's name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:104 +msgid "How many seconds will pam_sss wait for p11_child to finish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:105 +msgid "Which PAM services are permitted to contact application domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:108 +msgid "Whether to evaluate the time-based attributes in sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:109 +msgid "If true, SSSD will switch back to lower-wins ordering logic" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:110 +msgid "" +"Maximum number of rules that can be refreshed at once. 
If this is exceeded, " +"full refresh is performed." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets would use for auth_header_name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this 
value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to 
automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight 
policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 
config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth 
for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID 
instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "Номи гурӯҳ" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "Пароли гурӯҳ" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "Аттрибути GID" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid 
"Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "Паролҳо номувофиқанд" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "Пароли нав:" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "Парол:" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking 
up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Гуруҳҳо" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: 
src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 
+msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. 
Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. 
Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was 
logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "Ҳисобро қулф кунед" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "Ҳисобро кушоед" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "Берун аз хотира\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" 
diff --git a/po/tr.gmo b/po/tr.gmo new file mode 100644 index 0000000000000000000000000000000000000000..0d9559f75d60384d4af509fa44f14ac3f12619ff GIT binary patch literal 858 zcmZva!EVz)5QYu39Lxd40TALax3)rS$8C^OhgNOVw2GS0s0|h3wy`J4QhV3hUAIld zYjEZY$G!q8M_z#&;>3|VV>?ig80ph^cK)5+9naVM3-27V+r$&1OWYye5`}#r9uXf2 zm-s|HB)$-LiEnfNll=D^jMi)?mRZ1Z!b!?P-mS zgzN~N8l@6h$GJ!D+r|_CfZaF-U$`v-8vRS#Z zRk`9mn{JoOan8rc2FTM82Dv^JW&+C-YqQYz&(F_2TT~Y#yznBG`dQT-<7a;HTtAr? z@U8Y&{*(*BYPZ+vwXa(kcr~}Bq(w;=o@VrNix<|<68cw7h$dVcv>Pu6d#rJ-D~=wa zW^Ea%Sjce*jiIn^Kgl&u*q+j<2|;FMXf{@xP, 2012 +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n" +"POT-Creation-Date: 2018-08-12 13:03+0000\n" +"PO-Revision-Date: 2014-12-14 11:49+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Turkish (http://www.transifex.com/projects/p/sssd/language/" +"tr/)\n" +"Language: tr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#: src/config/SSSDConfig/__init__.py.in:43 +#: src/config/SSSDConfig/__init__.py.in:44 +msgid "Set the verbosity of the debug logging" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:45 +msgid "Include timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:46 +msgid "Include microseconds in timestamps in debug logs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:47 +msgid "Write debug messages to logfiles" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:48 +msgid "Watchdog timeout before restarting service" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:49 +msgid "Command to start service" +msgstr "Servis başlatma komutu" + +#: src/config/SSSDConfig/__init__.py.in:50 +msgid "Number of times to attempt connection to Data Providers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:51 +msgid "The number of file descriptors 
that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity
provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets
would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#:
src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr "En az kullanıcı ID'si"
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr "En fazla kullanıcı ID'si"
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr ""
+
+#:
src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create
private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr "IPA alanı"
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Kerberos sunucu adresi"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to
drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr ""
+
+#:
src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth
for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID
instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr ""
+
+#:
src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr ""
+
+#:
src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr ""
+
+#:
src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid 
"Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. 
Change your password now." +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 
+msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" 
+msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid 
"Transaction error. Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while 
checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/uk.gmo b/po/uk.gmo new file mode 100644 index 0000000000000000000000000000000000000000..ca0ef60de413575ad68e5762a35698b7ea2cc1ee GIT binary patch literal 94209 zcmdR%2YemXmH$Vn!~_z0H$ySD!EymiF&Hpz7*|~A#5_w+wqof$MNe`eBr&~)>OexM zA$8M?DK=nCI;61@DZA-q6VjIivgrx`@9&&DfMdYFfyaTPj*X(dz#@1U_%<*G-yg1j9^_y2J^nio+=GYI?(yIRa2lxg zTmp(7w}Iz^4}#Ocosai+ECNp=eHC~V_yzEA@Gqds9Y$fNf>Xhf;MD=wgUa_^@DT8| zC;0P6fWt^H24nCFa4+zK;GW=SQ1tr-D7ya?916bjL@(!HP|r^Tb-g28zYg4o^e4gn z!7qaQfzN@;_lk*8v^RJVsC*LwE(F!SQb^wd>bZ}BD(7iX~#7NsPdiyRo_p*gTNh5iK2bM!@ zJ<01G2WlM729E@<2Q|)5g8YmA$bSq?bUcHi>lN@I@T1_B;8#KQf8k`OO9>oJ`kmk? za1*HfzW~+m9jExX3_TrqlCBfZ~UlpxV;{9s%A2s-2ra_4`-h{?O@8kC~w8`ws9B@J>+AeF}`h zUxSjS^l=~}6`cpFUAKT5=MCTi;EzGcT{OefV?nid4yfzPz~SJ#!C~O1 zLi#yy0qLC~lIXOA|5V?{!I5AeC_4WIYzFtA>GU`qRR1fW?q3H=uY4So-q-|+F3*Cm z1789qFRz>B`e`3f{TU8QzTX5&t}5UV@LEviy$gH|_1yQNd22gzeWpEKVbdK|752*4V0TIdQhajvN9WXbF7@Fup zkRgpe42}k$59y&W&2glQpycgt@LcfQAgmLOKg0FeTS47_1Z)Oh0LA|?jgfqv4XS+= zP;|Ho+!ee9RJ|VncL9G59u58@;86_XnWUG2Mes>b^$bJE)$RhQ^hdz4;7`FA+>_3W zFOCI|1Q&xxgSUWc&r{$C@W-I??MNj`9|bCXKB)1(96SpAAh;9wZSW1?&q2}uPoT=% zfO~;=fV+e1!J*(&U<^J7?gzg1Y`=a8DE>bc)VN;=s-88V z`24+~p8qtsGx$SL^*s;n1-|+m#{)o(`*=`%wiuiMUJI(6&xh;30wsTYo=aZv1W@#R z3wQ+hK2UP~47eNk0*H!=UUQz?r_({v_Zskca5JcO{|VG{d!O(1o(P^ydL<}6+W?B* z&w+0QcfP>&+kxP|q>ljAziHqMa1nSIcn{bHegV{YG{4E~od}BmR)V9z4}j{=v!L?r zu-NImH>h%s21TFqz>~o%z*m8v2TugQ1nT~4FZ6bf1H}jDfct<;!TrEXz%k%mpxXOY zQ0@3GI2#;Na6B7CWkeqYRn80Gu3)sp$7eTC?LG-q|CfWuf>(m#&&}XL;LkwS`??nI z$1reD(z8Ids|Ad~w}E?ucY_-54WRhsd*FfKi{NX)-CA8A?FXto2ZI{_@u0@P4U`<+ z0;+$X5BPOZbp0=IBKRVx`o=KVbv6yLlBRK1r5d@rbWKLm~de+WwNysq7!+Z~Ka9|5Xg zv%sm~J3!I@^8sG~HLeG~*~e!tDE_|)6n$<8*PjGM*I$CFFIw*MI}%j?ri1G572r7V zaZuy+8&G`mst&hLM}mivUIeN?7l8+Ww}LVF0C+g~EU0$<9aR42PUn~T;84l?}gW|)lfZ~@QfRcybfo}j`{}$)x z{Xx}xD)>gQ1JpRa4OII-3#z_vhxALJ%GtBqJ`X$yEP;CNrjULTRC|8}9s=&z>-Jy_C^}66Mdxz^ zRsvoRimo33tzV$%^leb({Tw_B+;xSI%QWx^(q&NXcrU1SJpt|x_JOh!KMnYIQ1stp zrT1q%sP>%;?g73XRDaikGr(s+>7Tt+#ft2RC`y0qWA5f^wRo(UjfCZ 
z&weXJ(A)xr=L{RPQ0Cxi~0mX0c0@a_*;GWYBY@XO%YVDrUZ@0H*<(vN_m*Uv%q^RJ-VvDe!ij{r5UCxbT5pycKz za3c61I1Bt8sBt;z?e33ugX-TGz_H*Tz~jK-@9=sr1SgQb1yp%o1yL!{Z^6mnd28Hn zy9ZSNehljQA(yzGoD8b`n?dpEr@>+1&q39<^QEEP0ZZTsT)zv9!Eb>Ffqwyqg8N_Q z<(>eZMEV+VJoq$t2>1_B?Kt>yAD`1fr7NKL@4cY()l;C#eF5AX-2Dn4_hwMzHxtzT zw}ayAdqLIr2~hp}4JiIP>`Lda@u2e02UUI#I0?KbT>lXmlYZq@p8rsAU(%C8`h0L7 z(yKw0b1N8w4~OgD1eO1{-~r%{S34h!1eKl&qDrC`@L2F0pvHNpYn*Q;fqH%+sQ#6~ zVc`2f@z>L!==c{<<24qhRK5$r;oz;H@;?qL-;Y4id#~%9|4smvZ!S0mTnUO_H-RI- ze+N$i{{$Wm9)G>(YXzs0{s?$5_&nGS?)pxb?~6gv`w>v(J|EIY-{AJU6BM1_4;~0U z2a11QbEEV9so*K3*MQ3RX>ca^%A0&V=Yk7K-vCOk{tIjdUjk1Cn^DG-!A?;9egKTY zpMj@>JKW;^o(Za76;OP7H>mtifJcHag2#i0-Rk3fAt=7P2;3FC6?`@LK~UrLF;M+^ z3fu+!8F&QvXYf#P*jmTaLDg3d=^MZ|kbV$Uxt|4J0e%zQ3H%ng7x*)9H}Iu^yS>ZH z8xHFFEKvC_1l7(}p!D0#;r@rgJxFf~*PjJ^&}Tn?U9J zR!IL16g~F2!`nL?6#t$AiqDsU`+zrqqW6cv!@#eCbHU$-`%~WQ`Q8MIZ&rcg=MRGC zfxiaD&!^pqE(X_w7l4!RV(h{DK!!Bh|8CcZ>%d8*e*}vE4!Ota&;lyoJHS!kZudHW zoC3au^o8Jb@LBL^aNqloDR3@`s78MVJHX4|2hG9XfoFlO_eW6|xCxY;HNT(O57-9I z0e=rJ1}A^O?bH3>QKVn}LAPVagQCZ^;4$F0LD6xS54jv34^AcB3oZm72hRoH_+c+^ zIk=ScS3%t$PopmduLUJ{JN=v6sWU*e=L6s@@b}^Rq>s9szYCnt^{;`V`(Yn*I$R2# zMtTD{8;m~g{4fVxLUK9yCh!^XGO+m*KEHnee2nxCpX46+S@4(OE$iGqzwH6nBi{rs z7@I??}Ph1==J;wY$bi(L#`)21&S`e0#|_J9`=5J7`%@35swhF0ylt& zQnYY`-~S~jx^!;Dc7YFo6T$aC>iX!%py)Y_#;afN1m}Uj1`h-$KJNb61)%776*wIH zI!IN~-@p;zgPVNZzYF$~KJf|9zaAV*`Xx~99J|^3zX_Z{`hX{0Pb~!}kiHc>6nqBM z_`VqMv`={)>@HB_@N;kuIP=q|`tP9HKjSk#|GEQI{l5mK7Z3QX*ES@}Qj@=^fB|6c=@?}#t>{CyR89_b%|r-LUv<@)5E?fR8Zq^BiI3c6;!(?e951`4m^SMW^iBdFW`7^k1zXp%>;KP{UEqI_=S-E z4tO!?{|1MG%fI4!=2~zM(i_3Oz-PcA;B#On_&abBxcIBCM;->xApJk!ByjpOE?3up z2a^6Ccr^HT@Nn?RfA{MbfS(}!Ht=2Gs6KoW@H61K;HrLNNZ{AN+riSa=wR?QUqiQn zSA!>lhkqTKfJ;H$AO8)1ZUgu&((}KGFAt9T4|o#%G<3D}eJ_oKLy#tv~0v2DDKDh;4%=KS_3&7KV=z8F8Q0YH{3&EK`a{jp&RQ|t#ZwAl*vD^Qrz&6rN|K;{; z87O*R3yOap22TNB1m}Q9|HQ}bGVplP-vDQUZ}_S6)A`^G((eW*fj#HlknWVo4s{8|g?)-EPIGOZYz(c`@!ExZX!MB00|Ap(XYr#86 z_kpT+`7d2=)`4##{a3IIp8G3Le+fK;^vGX3|GyR7gY*L+sw{d6d=Omo8`m#K|F_fY 
zQ{eerAO5_z_i}I*=|1pkaK>-3+2FIF`g_9foS$z1_apsTuoe6P7=u$@@cN2iiS*DH zkumU{pyc%8-@8572!4$8iT~sM`~}!a`tmsiZFj-w8eq4gt^n zlefPBUP^j1DE^rAXXoSlz@tfj2|O8m348~5@?YG)coOU){VnhT@btfWyZ#1#iS$SQ z=5*}&yX*67!PQ(}4~m|n{^9NWA-IP0ZZElCvKBm-^gqC(z;p1L&H>*E9uEEtoB;0H z)MWZ>HaLp(-C#TTWl;CWzoNz5$;C0FeioZ^K zm1AeXTfl3%z5x^;p8D!0^M9@cE2Q^*O_Ry#4dA|{-FM>CN=kCyC z`svr;t)wr1T~l-yxc3lGKLU;;efo|~re7`w#m|p}hk?=Sn=I}>98~#l2X_X43F`iz zLD3=J$?10`nW0T3pN5Ml#{~c66 z4%(&3UVmHkp381r-1M9Tfi`xm%O@0at)?N&g1acuw5C$>IddK=t=_ za5nfwup8WK5AXlA;0#>{=YYHI>E$m0?;w3UD0w<^ucqiArNOs?kAg>nn^fjR5 z?Ps9q+`PZj{d({e(r-MV$@I$^pyYZfI32tnJRbZNDE=8X)aiK&C_VBpI1(IsU{iD( zcp9j2{sDL<_?p<$7l5NlUmoy5@VF-QFnBT7_dB@B{PTB%ZznzE5SNE*K+*dn;G4ny z4|Tq{3RHi08P*g@U!Msc0lpj5xPA^4U+s06-+wPSll1q%rQpcnP3F(t3?4`NQBZvG z0(c@ge1!ME6%^e+7SewJCATMy^ykh5FCl#+sBzup@FvrH?*!HVzk=%b{3Dvo{#^o| zMfw}yBCvUskIQAC+VMqD?RZ7A^Wm}JD$+~9kAvR<#gEsFZnAmQ`3}mq78&xTBj)FRungpFe|t1m8NoDOv+oj&Zs8Jt(<7=h!CmJ3a*- zK>8S%;}mcqsB+&0iat+)(g)G;&JSInsz&lBQ2oxVpIk_o%FZeWA0$We<@%|ckFX_3HeB6HvYP{Zb zYLoe8{{f0G=1=zYGoa``V@i{)i}r!af6P?Z_n!pCZ#ztDiq`8nQ115X8aoauC&1M2!_a98m8aQzjtn#}HY zgS&D4S#UD=9C#Xd`0OULhZRtCd$wipIR6S<2p({T^JO=9GU<;6{5AL-=~45&{@oUMzf0gTT>mAgaXx5aQ?wbp8dSTd zFLL@_2VPA2dGLc^$C+-2b~~%d=2xAd^hY14aXRE|m#2RNrC*xP@%}Y~A0d4sDEb|L zuIu49gZGkt7`zHR^SmaT4}2dKAN8EyWb>v!fiI9=c!As9>2GpB;alJuu1{X<&wmbV zCq3&z*L#nEqTeY6FZXKjX3|5Kc>C9ZHGB|GdcD0Vin)FPsPTF`sCIr06dz7}bCaznJPPhd z`kSEi<_qA?;E?66-}eCzC4D@&C-^2%e9#My20sKI27VKa!M}&}&<-zeYQPJ?S8=}= zR5=%c`-3-wdxM_<#m7&9(s$np={-8VoRMJ6^+}+fUji!sYEb&;7MFN zQ#bkjp5s-d-wlrB-oJBTE~33T)b}MEcXKq8XGgBRjsr1>b|Rhp{>;fwxweAi3C`z$ z`W*{i3Z9+ItLsZi-^sl_Yp(A~`a@j*3diTj_ia$WH-Hasy>xIFjGJ z;rv-HlqmPF;l?Mqeje#hlb*?WGYD%&Yd}m?G?#nwgWt!YpJe)7T-WbO2m5~$*A5}C ze!b!T^_=g{fvSu~aqp*`@65UM%?Pj+MC?q@UJQ;W{XgKVLH&9i(*Iw@jOK+S;nXe|#FTyiF2fxhm#gJCky~!h8{~50R1AITYglqXxL|yp7{GoXgL92CV%Jqug`3_l*ER)MoQt_kT=$@fjaWjgr6a4z@?$JfaBx^Qhd=hFW_0GEU7!9wWI9h@h>-*f(7 zBz_()ye8Z`GRY8d2e88NLGB-vdtSGXqFl_Z{nqmT>7@Sz?f~|Kva1J&x*sCn3etDi 
zlyN-iw{rZL<5wI9k$)Yi-#*|`;11wMj&nF40?N*GlkX_bmxIeV`Z#|Z*M9`c-{}EQ z2KBp@^W=9M=c`G4g5#GQw{wi<`O#d*WwA8@T&Uo#qStcrn~*q=XY{)?muD{L@Ab=3%=u#SoXGJg*S^N_ zX3lr!_!8#_hv)t+;2*g*h2vGE&j$}BpMLM*7|wB8$af{@i#U$uIFI9pTt6Y?B^mup z`AEM2j0dj{&*|PS9IxVdfa8Z8TK79F+;8E$i(@S5!??GR;}xVY1HZ>n;QBRS@_QfY zw}odXaPds?>Nmn6`cLjPaqW$yAK`pvxc?5)ZJguYR{dVdwLQ6ZXt;iIz|+a~R*o;^ zaRxuoEnD4CVYhV%JKJ*lf6s?JM{sYqaIQPMlm2hg z-{H78LR}vIo`t2!!yG8~_!Y+<+}jbH4j#*)-vr8eoTHueH^9$wjO6@F z;D2zx$ZP;FuTMS^?kA^>1_SGO(K?`89FAANPlbyq(%~ue}eQn z(tB_m6Y_ta^Y3zf5y!hZlHbmpjNv$d<1CIJaUjS;hK)P4GNTd~;?82{l45sUZkrJM z)!BYwX?MA|tHQ;2SS4<+#HDgi+|^yI6iYpEdns-yv@9!*9umdP@zP>TnT*3Kp3-x1 zdn*@O?ZUEhXEAPV?=H6Vl)G1_`AX%uSXvP`Tb|0YVn>JFvSe?C7Uhbtbg9r;^rzMK zxU;v?6E7*o-Myu_P>H+C<(?st?hHHf(8_c*g3L!9N~3gf`iv=YsaHMa>XC=iGF=T_ zRq^WSF#cOqDlF+J#y#b@yI5$AR}?yWi}88GS}*XbN5!klz1`mX*0`%ssjMt_x5g{m zJ38XxsxEpN7kVgaQf&0&M$fXiXIU|>(E3_gz0yM~C&e9{Fb-Vl z=`K)APj~y0-kxGbjcF~fEOnG=P@$t-TACGWlwnA^S5rV|p{uK%yKUX&&N!u+JwLP9 zP2bBEhOoWV(%x0*u*Ot)s?t?#X>V(9p<%7Y2-e=#a%Z8vWY0q6j&gZXpTkw=Z5Xjw+vqpigyy-VYs_ReCZr_k9&kG<#Oh(MAV z^B657OEjsi2ja9WE0mUM#KmEA7tTu=(%3XE6&W*_r=z?yF8B7(x>hSn^6P`m%|gpt zdW~(VyJdN?Cz=E+SGo#}mh$;1Lz)~v8MjOHid`M#6Z;#N(=%GsU1*_gDyFgy`@&F zgb-cDQry;#%qQ6>LcE~beNdnu#do(XYhR(dMNT~+`ar;8mC>V7gp-nS=W46<$;O2N z4~$cR-O~YzyUHEyE$x(1kjgOT&J`h5psGZoa(DYh(0JaY*;Z0J1GD9vp*~5**5&N3 z&6;X0S6FREixus~mAQ)3Jl(~%Vt29BVoFm)qrosG8m7GD%_#k7QZ~*Buh^)z#x0DJ zIH1r$L$h2OCwPfl?L5#+25duZhD?D}KPU-;*_FNACViLa8PbR!dakV(-lEm$m1S{P zvAez8YPtPxMf}G9l417~80wbATuPw6D+luk)6@ND>*YrTu4GBw?k%z6LQ*jC~ zc7?dLQ0!zpN3<5(3cVdYBcsXk9P&eNoh`Sub+nh%B6ug{aVoQ1}MjuCAoZVKI73QtP`myjyB92MFl%aByjhWZFvS7j<|N4W)Qa(k9G zWsrQMsGuVlxw=AJ=}18r@q_{yas}4ZIV$cfx3;&fmPRt3qCgavKkxO_JW*Y!^}Z%Y zzD(WU`XZMW<$$(fxt7SNN#m%1w90Py4TnM;iPu>(GIC&h;ssM@wU>HVIkTBdg3px} zuyr{CKf8x04p~-gSx#$E_zM;+m?8?{nwCt9Goor{!gy#GxTYj;i(EzXI9o@@vkS}d z6ML}-!`s`shU=c}fU}F9A0EWEG90UA)(oOnDwWpJcvWrKpvmRV&H`4V3nQ%O5|1(& zDkJoOxlonM+LyHJ!CXeQy&U6{pcO;?l;BQW5tq71RZ`fvDLviz>wZ9BSI16=h!BWO 
zF?c?!M@sB$1i0Q?(zFEf=e)o$flG?ADfFm#%#!xf7(DG|X&u=J2bJh5i~Ajn)yti- zgs1bqaLN-fQb|sIX{lEtil-Tk%-L+u%phzge|j|~bjB-};ZC{^tt>MUtq?dU#_1H+ zrX8#EyfHe;3N&S<{F!qZCJ|(+n5@*zCA*nMX*$DCwk{Mwl6q<5r_ z!(iJ4EKF;4zXj`qU#qZ*kGv*_T*uI_cEvg-F``U7@I_ZQXX0g^z?8D_Y|fD77+YeH zIUdmzo2Q%hrAe}jnq*2LC!TLSqLXI|3cid?vO^>$*5WYNYI5dnhM1^UoHr~Kk^pJT zF03sby-Z+S7rJILzrrsh4&hV}pO|o9Nh&C7)BI|X&HqxFX$_QG9ffCd;}tXp4<$EK zOQT5K17U}2ho5XEi+ z2PniefRbfRFKKpJE;0G*Xurq?fdVv9a5W~SBWf{#Imc9F?^tLf@p z0;x40N=w6uvKg$Zv8Rj4b1Ro=vTY_(j}Pb}SLZLTDz@}miMVP-q9+{~a=e`q4y?65 zAG(u^=#$S}=uQI~{H97gVt5Hf+&z3$Je&a%v=&v^@R89pHP2k{YU?rDb&>@?q?Z#1 zP`+3D(%#?(*|gZB1Bn1)4XsQ0%5S#)*RIxO;bEzj$(+@r%s-`AUCDA zIBhz?pKg(DpOjS;P_u}RdIc*m*=r?y7`rJ^zg(dViTtreixd;BDJwX5wU?!n!(&N= z*^`w3Y498WU-esX+3Qm*T)hhQ62MJoB*B_8Yc{>e?67@l2}_w2nivJmN?oh>lpEc% z0js(dES1e?{YizObI;~8*yDEpw5pYXs5+S=)@ektSPno5xA&}0?Hc*HtRW2%Y|UkL z%}pA@Jcdy)1Do?-1C>0F<}B)MCm{*V)}a8RE5^)%AQZV0_C!;SU`DTaym@AF(YTE9 zj|&!y4FQbBF2#%O)?!As*xA)XRDoexQY6xdcZ;;QW~C}1X;M`c4pWR0LbaNNgxkb} za`Dov1aZK;Ns|>HDQMD&UJz%>2QfpM%Zb@HaS0__Bh|2;m1-LigERz#ifknsJF@EG z<;7xG(pW}AesJi$gz{x^qG4Y_4CDfc8gPoI#vIkT2m7ivx#{igh6{ zl=a#k>@2Km@9gcg;G=phZY}n-EQ?!vS=7NV(lS)5h1R=^Oj9a7*|VYZdd3E^U<)Vs zi>5!8m(YrfEedR!G7M_F7*|3j!yd1cTOJC|_oue#R8aHIXka)En5HnHm`Z&EZA^ld z$OgG<+_=SvDA5FU8b5~ljfSy|=n(?(X@al6wWjp36$*>;A_?>~^S|n!O(#hnbCLLk z2yy7D*F^0eFqV&p0!{olB+#uZb5QZ1gk!bU!V?n3Bt(w)MTEB!X(^|61xwdlJ=yIb z3CRN3jCm`L*4iO>OtLBl6L5uD3X71-eGV{~Hk(nWMrX8Yy_5K9!rK;ihNWA?y*V*O zTOzi$>=td|p~|w}9xYcUbCNXJ6%l?Q;Gm^m;z<}D8h8YyDcqQIc|PnC^w$tZL$#R(^1uoUkI7F%uXohlZyul6i+;)V^Rc=Vme zR&a&!8ADsB6zQvKi`t-aM&&%w3JxbKK!i}+6w>W(Ua6H^Tj7&lkd|+WW|Vva*V*2} zIY;XD@*t+FrFhrMYCh$KIfJhd`V@q4RYmkk!&XdQ zsxyv`vlyW!c?`3BK)mpQ^95IDt1~jrikHpsFj+GHPF)(&eA*dP=43hAOI^J^qgXd6 zYON?tGU6gLct&CPFa?JlbEPV3mX!egS&12))TwYAvIJ9|W=xHC%3^l9A%(zF8X>5< zTS2b}XQ1}Ma5v{n)s$>hsw*^Ex~jV&m1ygqHN}XARhb!5^jB|3p*!tWzHPbNS>Fc8 zU`-t0UeeG3ZinU$bT?UN8{ob=70swrFyz7cwE!$CCWJ@I+O#t4qTV4<8XA)tsNXx0 z-p2Xt=*)6kQd)zmva4z}oRrv|^x@DOIRia~CDBZ6c`?Ed7ZYl82MrDGkqLohYgv0| 
zWPV-ntIZrDi?%pc@GT)o)(U36OEHVHJP;zk+zpaDrm2&}<8sc-BSc$krk=P-13YRh zh}9yRtcA`2a;4!VyivF5by=x8G$ZG_)|QvcR9RhWS=L=Hm3u25DI^^4DydP?sXJT1 zcgVszi62+fY^upUP$?GJn~?Za(X4j7LQxMYE}Xv5oMan<%#>HvRDk!A7OPeeYgV`^7Qi*_GyL9<-*+c?L+h*@|gh^f)YZJ3%}z|CMkPWuWOlxTLC ztrUo?%dyB!o>X`;5*loyDi1ACI*4|S6tP?jwx*%Qq%zY`xX)IAiDBlh|ZfM^$L|WOWmu4o80}atSlpZFDD1ltG zlGR%+Uj#EUn~9Ysm}%Fv>L0dexk64EJeoc5J!6bu*$2y(SkOx39B(il&S z7tUWa)t1?D>_>VDi7X|--4HISVf8s%84jJ3?7=Zrk)}`*cyGA?S8@j*%ecwH0`_VQO6>CBZZ}hI3;Qs#w3 zPQLdXEf8ac z!g5PeL`}B(%bDEQmOE&P5ZxyMwNDyj4Enh7N9bwROl@vV0tK2&%=PVP(Oe6O2GA~; zp5Cz4ojU~3vx!omvd19{np7q;kPy?EoA`g)O=Y`*#A(o?7`kLI$Dh|P1YIHWpxP)(BCL2blZ;=o-XIAH-)Rg(trk_D{X z{$9(PJ#E`6B*H%N$Zk|^HF#M?dz|RyH%&cB_Gq9$8FmXE21{=GPq*FMj}(-gT3XSL z!>(`+EB3mgfCT>4c}Ucuxwk|rm`#;V!@l@b}A8rsF3D%DowVbr?~xFxxh8i*0r*ZOL{`c4$h2{?MBI# zAzvdH4L>DsnAleTG~Cmj-3U={LREShpy=V|)^jAG)CRl*Z+A4-TGLF$qm$v;>~C zueM~#xlIJCiIL`4!{pyrJ5~SPkA5s`)g!54JIC_4@bIUkka`=6InCyvi)pMkTdq;_? zyknxS&L>*6N)*S;!`JdD)C;3UF!$z=`ZnZDJS;*wS@}$H@Y!ap(+_No%y3yT^M2H1!K~1ro z78|TO7=pX5g@XwX$(y)6q=~O5Ak_?5X%y*jIHmheTuvr6jcK!J%G_l2qdQvAfn=MVPllL2|E*Wv`3M#HO-Dc&H(?W-~S1quW!EnpcGDC{0dZ5ZR0h*7pOtEWQ z9Zyl5viSNTd!tyRl76i8u==finc8ySu^O)O)de)ZVqaE)EjPHyR}qP)lXyM|hP|r< zj|L9Zo>Hb@W5oHE&p)qLBva1w^CzHA(TB1j5M6haU%Udcl(Wf89Qa(CHRg7dfB zX0t7WPT2ZyrY^8t1RK-LqC&yiwe>HA#?xTdPIN$fvrT|_S2F2R#mo>)V|yP_74{0I zkB{Y5sMtk3ysZrpv|~Pv+bZNBQY6t4i(2T7VbLjg;}-bQF}gJ}YoQ>u|^AF z6U{z@DX~`6UQ`u!%|y)`n(q4dd1FN>V+pf6$=D)Co(!z@} zHcT2-pLT(VuBW|RG=Ek+nKvg*ZB!Bve08ImZJGHj7=Qfy<>eWU!dqR#Q$`Z$1lWe<` zxApL|CV_g3CEN>@7LbfkY2snz8xkZ-s~&2vxLEFZ;t{R38MuAf!-{p8MixSS8im05 zg-R|5x7nYdh?b@qaf=(6ki{nPdMghOVMilfPIdw_2SvJkheGRW^e`I}vS7bgkT`9& z&LB^VKvlADa|K?JwgK=CLE>SjA34F}z;m|!miDN%wx%$NHsg$0OPp*vf-aJZNlBYL zqrNX=)~-j$hW26`xj75EQ>z$y%Dmj9oqqPBk#Zz^gcfq1Y!OeYWh;??+=*}(+JsjO zJTOXK*6t*KmJd;3i+-So-c5j(s3tt@ZGJ$JIw`!W2fGTZ?K?&lK58OPk;YSvBF*yl zj`EV#+IeGrp`Yc%X>uiyxAf>ms8y&XkUc8Pn~06}6?C*O>DIi22N;^VEGhN#Jb?cS zz2Grba@s;Zu9Ik&m>q|S~BUly?b&4R@d}4y>oo`~X&F3{mD16513Y9UxT17}* 
zJL?G)j;_galqLYiH~sMfTWK@=NM(Iz=syYc3khlbsn6ls0eZId_(;ryQ*cNeN)^HP>#>#JV= zpz)IDba2ncqXK%L;gg>s2Vl<~CW_i>yd4_ozH4lAZ-kDVo-r+aHWv-;f;TQI@5S3d?s}B6zT~S~Bwv64c%+d(Q z*n1FqQN>=TS0E&b^P%f=%pE2rnB6jC&D(n&1wOqcA<3p9i{{U8!x19jIY(Wrm!C`e z1f(%@F6 zNq!J8YdX1fZSm|$3n!m8W6t!&^B2vUx_HK%#gk8)G{Zlt=6sZd{#EW^Pw1-&^-s|V zmML5FtKEf;rP`vftg}&vTQtG%l(Mw7bNaWud&&64@cm*{uvlcREKcm5b=ZblV(ig% zQ_!+tFl|Sth5C#z=G5o*^j1pk&>mZ*#blfs-VdRh-Tp~~8eb#vU7>vai|h83NsW`s zrySMqc6lBGJe3f$Cg^L|vT${(x#JOPeKL$AEgvBhh3B#ebh>(BTgzDOQ1pn!J^T2W zEfm{6HHEHGm0nq@Q0#lDR&H>uZILoK39xm|d+%pWnm-3FnGi1&kwv2sy+jq*KHSke zl8`qho=*?j%go`UZ5HWt@39pbJ4>6WT2cE7=gU7xqnv0)_WvPgk{V{h(OH^XAbG~x zH9lNuU@~jPa)zaAb1brnYjq*1AEJ3?*j|Bp;c4R;btic-xGJhZDKe7eGk;EOC~p}K ziUaFZl!Zdvu`wx2W>BH2N&5;gqgYzH&R+kc)Z9J---u$b5Zf3f?THsmS}@B38C5lf zAcDm!Z1023h4`}R0yz;RSlwX=Ey_{d#!@A`iOVNKIX&lqh1(TR5MN>ZNdbN-KGRH7kVaVe(~39DOEJZqDT<%LbU{aA#5+mTPwHgSq|Ghv&CVtq&g{-AdG_I34q0lvJa%?gSr z`nw+<^UzmJf+D9JW6D%DZEXqN#ijOAA#B3@+%)+X%aT-}zB8E!o|j33DKhsjSl&n@ z4BHRxImYh6!c(5Z5cu^!b`i)o1B7u&_fRRi3n#9=ZgaqfdLM zl+!0W7-xI?Cgv9V(QxwhN(zIhs3Xs{m*mCa3=(2T+mDW_i?CRMmmx{CXZ7yM=%{Lg zI8!du#|aIB+6%ARhyG8sraG*_?W4>Q2ops0 z+e{zi!o)=`fP-ZcOHA^wcqnEto2}Q`05Je_rYwkzZ>IQ{$}lMT@l0=L9Z)g#nOKm< z=h9BTXV16& zheUQQb0s{SB5q=;TJi7WdnR-a*@#T#9@I|x;$mJAmeR~!HwRds{Y!&z%tlp{Sf)XK zW(0DTCs>`KQRZw_72rD3MJCr%zdVhgLfyp~rLeIhqk-oZx7D$l-{KX=x^j4juI}1d z;j=KgqAL}-{#`3E1d9oCR0%+Q$hqCwz{bOzh!+bym>}z^O-(L znh?*MGM1uz9llGI+0f3U1ki_{g#2j%yx!T=Tdi<8en#7<<$aWBHM> zd46$4yLhxJ-%-uz(y_-)7=OIy6H_!>43C`%We702+@-IhqPfpyPZ---Ph`%*mF6X@ zn=i5}r#PrRCk>f}+3scQSo6YSp_4DyE$@~A!Pt$^7e6M98MAWb%F%olg=kz`aTTBU z?Hq%rD*9B$bd6DbZA?cfVodMyF(cCgC&azWhs>Tadum3+aihl$5#dp(&5E^6h)<19@u(B{9EI*o98nrJZtTQ~at@WPiw{e{I}-sP0d!lb+-(!87`!=z+&~EnK+P|j%vc4z#Ha6E}+DI0CrjutL?%TxEDkkRXhx@PY zzYQVeg}>@QZqk2S-$SG0z6X;MVR0tBWb1oKRZ_&&eNT|-QI)c;|I)s7eUEeFK@$bb zm#gX$>RCh0dUSo?#{O&i)`dTZ!i5Jo^ym{RC`c0Zga*(-9^Ke~N&lsEZ9P@d`Lr=) z+BCfXMzx`FHdL(Mk&PkO<0>)k+dxa7gglpoc5jUP*4rJGMH}hV0L9h(<&~7$YEJs+ 
zSNiUvE0oi}Mhhg|N&f^(-yQXB?7ywiNa?S$XryQvBs0R&e|q^Oq}U7rHj3UHw0#2^ zMH3oM({D^;sY9YsbQ+@ZMBihKTK{eRx2r%69OKltISfAuF7kA^_#`>>%;Tz1#9FV; z@DP>uU$1t+OMSQWJwp2^6E=jHYcoz+$5XNKgT~|rQGOi+(W#nBk?TFNP9tx_Y*eQ= z{g*Qa&P^Ik=r|IoBicma-Q_#l#D`F+dy|M2B8geNmtf%KU_C3Zp@>m%4 z%^}aGz(k@Q52-m+qgHGPtPv{PGyoGsefL;p>wmoFJ=C&6?bYMPIt`yui%e=_`Yowd z!;xK@o<5g^iYOgo*lkJHlRUA8S|m3bL$%de)H->Y^-~uS=KkANVA^45BO0l#Vgps0 z>pDf*_^N`dx&B!HWsSx(S3n|sklV&B)eQOZ-Y8P~c-v_p3r*fM>gA69jD@My=2QKgD1(=`765`;Aj&Rf3i$2jhzxta@}}-J@xZVhXhkI?>&AD7esnx_p&4)~%)l0Szy9 zN!syP-^Lm;Yz5;e(1b3K1`Mil6BQ%Zq2H9R>-t+o#;_(CK^sXpAGOx<2-@)QE(Iyke=O>|A6`(mbqh^- z8=ON;j7_4G*GZKI{<9_|!fQ7gXadSWuc36sT&_Hw0^&$(FcNqreD|nzkglQl`yTfZ zGb^ArI2F{W4KxmFSc7sBjtSE9@R_pa*%xIKlo9vUdF7D#aKz$_j{0sV%lf`YXd?r& znPHb1b4NnlB1b@U37(KCl$v}r$W#ptp&ln59T(kXoWor|MX5)9_t6X)ZL&*6nPOtV zA6MH@gSrL18rgU6eBg}RHQe6fOZqRPD{CPFUJE0*5mGU(_!vRz?V>K3Veh}3N*+}U zQmr9FZgx~d{s_HZV;vAb$~Xa4B12Op5>WCA=nyO*bHJCd7TXH&Doov;^F25VN$|+oQNlXL=1HFdetS_*azQ z-Mobwkabj$aYO2wJ!zzS7-m9+!5ugURYVNWFqSZ+I6H`eB+`aLccgApKTX~YgD0nH ztwuZQyO(rc3BSFJ*fImADjl~`5q zs~p+;lEL+wtJ{>85%qmY;!Gd@9T?~=9 z&#leNX#CAqiVd|}$W$w&!e~krwx>f<+jTy>slM&f1O_GP6{m>CV6_HEA?nMz@p8*B zFN97aK@Ve8ZmTX61+(phVK$U1?dsyTv731lq(#7gs;~iksG2hIDnto7kd8!%wa7u! 
zXs59jl)-xUa4ev~4Rfc=?Z8q8@q~3UYLFPAeCCy)!rVQREeLM7o3Q&bj~J-9W=%I{wp{&L$cO;K$~cXLIE1~1_CRN4_;ZSedWa@;fUm+ zU?^~MO-9gCxJ}BKXqc*k?zDDEpe~g%R~uZ7U!OF!fl?c=G@}y_x-G!xT_300-k3+$ z1#ohGcE>k}+CafHQ6Qbdhw(sz5>+Cm#cXS^s13i^{pF#C2Zcr#Lc6{ z43TruK&oa-I>jXWArmDzrZ(UWJ$z^?&C2*cCRL|7U(ox>dy4}#Hr2$YrM!ymTAGS< zqbF-s<0{fBbA)L)w>scvv^Ads>8M)6P;urLrCJ^iSZjSCzsAM0}r;YyfinZ?#3{ zEwrU(u}*xy&5avqND{s9@`;vf=yq!r@`h}h!jt zNaB@lmZbbC{Yh+xO)0|cvv1=7-Dp&XBpZp64+sZ-k{Ym@N&GnzYSWO4Ge4AFlQ_mB zEN#ROs*zY$stc5bKNBlGlMw`-O_g^tkAjI4t&&F5#N3LWsF&9_(&xFqEGu2zK;>A) ziYI3-m+TKR1Ia?cTbdI{$OeBp{9W3<`!Gp9Gs_u!X=q$qS-xBl*k@>%EG}!oKyCry z_gp)xeLx>zgk8RUT|HH^+X37iMnQ|a8eNoj2zXixWiX?aXG^ zQQ!L#4@ktysbWzwbJRxgs21jp`NKwuG3Etjc6yy;fl;8q{IXU~HZlf)?QEUa=%Ti% zW`c;x`neRp5jzB+a^&!Md)90Wz7_y-+ePw!1-QC@H6C6f%kKWBll>}&6F(#|wrUL_ z0&9JoP+oUs49CCXp^@e%kja5zN%bP8F4LYFK|) zJ2f%0L6%~+`Y_m9M8rb4T`+6L9cfl%AW;uhW)*(CX07VW!f!Ohs6)PFfl~cINpeM;0@bvr65`2? zs-QJK0ddDiAyn9|;qqIJtkgGGWHI3jt9G)f+N^Th7G{kpi#2RqFhuHeo-Pbs@DR=B zn*_KGN%V^7UR9!vVYP4BP->Y2OIDah>nki(MI<^w=1bM1^vq=tksH%Y)HfcMuXBqY z31uf#hhwUhUE^}xJSHv$1cgt|Nx*Fxp_C2KNl-8>mDCgG)+<8oQ`$;sbCSoq6rpmaXX>Bz%wp4EQmb5Tu z$hCZs!V+;%li(uT-;w#Fr0b@jK^d!isqbO4#cgP_Nu$_4m;sq{+tp?po6%h|Cn3~S zPiG$`>0?PaeRX#u=PXI|QTBGV>JHZBt*lzZ;n}tlD{^#wMF; zGu>nx(PT#R`geetEEKaQW`wUdLB_MJ^ohJ`omn%JH_bB54qJ+lf%HLL&2itIJ}9<5 z%?2X-1M?IR{=R%dQ(Od_O@=u-UD7^F^m;0^Jk>=%?ey$p~fpqfwsSIy4D7|#y$JIz+C@msu(&kQA z!eCsa_r6JpIWX@55wNE3S%EpPNCTSV;K04+kA@(hX)+#joQkH0YZ&u9?C+@lPeUDi@Y%QIW>d-8jmgQ%Ni9Gae%u@t& zD^XGiUdv<_6l&0AZbMwx!`hc7dAGM6YB#=2pE`N&g1U<{rbO8r3cfaKh2-jXMz>by zr^~246Dz9IDta>0!R*UoxHp^^3ZI%Ft<`qvCb0?xv2FSBB7IXPbA@Z0i@mZX3CT4L zVm}pp5TdRk!d=!3-AJy=XLdd6v!wj>Tg@=DhLVwh5tT{3!O2}ke~q^35Ur7Gg^~f4 zZmzesK~spa8w?m`F0Hs>2I!Z)n~brBbqOd*SQ4i~Uv6 z#r6*IV&0?FCyp^21dVAaAq|+>hvQQC53yA!Qj8eH*5)20kRqcR4>g$AiqhuD=tLr~ zl?_)}QVX^IR2bAS0BS~l3#(OSq}BLK1z=toG&XO3h%R0-NQ;wp@GhuoR%vD*ptGz@ z64QcI7Wmg?X}CtiME$w2SQzino|R;{%|R2FY+U{9jsk8aWdvIdOPEU(R3$E zTOhnvcp0UYkG6^Z>?L~I>>-th6c&I%>Yf!pG#s>nC$_a-*7X_;DSj;%NWwUUFEr&d 
zo~@NBnjNA*RjoG44lo%`*4uM2Lm!YNJ|NP{OW352-UtCP*SEl&NgEVR!BI2s zQE09^9T1zC4h`HT>LM!$iDZ}!MQ*Wq*gOcOr5-JmX~TfSr3)#&`+Uzn%!i#exvncv zJe6!9H1CJTNDO|YS5wAw6*$JcXj#e}@RXKGav1CX?7c|*$9 zO5}x|Y;r5w(IQl~2Vi{5q}(s^$~_b-LQlJ;38$LYt!$ny%H3A`@{^1yyHBTVb&`KqO_aCFzbq|Cx!`a&D(GRPoyI; z&(5Y4Bo)~U3F-~67D#64 zv7}MbC%$s?laRqepTU-@9_4FTUX5d;X-hUYfs}O$3gXEL8L&g#368dD8=9sC1beek z-A%jHe*+y$14_YuxsuL>1^RgF@;>P`zMme(|RF3wx)f>~{HwG}j2?mP|78{c9n9`VKJ0FlBbRVw#C=&z6|Na}^u7pvL~wdW0?N`y>Krp(|erQ^?h} z@P~P7wOZ<5OAmZmR05|rGkujYF(?e5D>x;%_tu%ooGMg6gE&2+dR&%Dc!Ap1ARmni=#KRV*N<5x} z*gT{Ds14$iJ#9YFOTicy52?&!9F&@X`vA$=*{3IQd>ZrJD zJ6N!`U!VD?_3Sf`i>i?2K}h9#!1m7uqv#3>TB~w}zbwio&xmWxSiCW5^neEWWMp%$ zK?4w$kGO6PT@yD8Rzx@B=T)2K9Kli|LSQmM9lGUldgBC*?qI~*Vp~0Qk~B!3mTkXH z*;}0B`*|K@RBchyUhh=9A(w_LFeEum%R0d=IM~bsYZ!@ZL}nR^;2v;E!4*@$(g-;x zN0*U;pcIVu=HJK-?SpL9GAE@|-EUK>DA5S|&+wJOh4>R#F zb)yN$r9o9nHeID!46Y`N$i##U`rCw5EN{d^osuafr^rEb__KTMnO zc|=~4r^3otqn5xR@XMtG=Royf7vViyYLQwPEnktU8QaW>M$D@>e=7Vzli0r=Y?`SD z{!VM7r%f#z1ZCk4Mm{($cYNmPSy8g4p$#h7JS!xM^%K8!q z>0uCyMqL}^NlB~E%;l6@_g;2kD5wxxei;pEAQ~F-MkUoTi$W%}J{KoTrrz7cFrgHw z&A>98>J!0@nWiyi)21lGl&Y&n-Pnrft4C+^b|^9%BYFAtj5a83bKHt`^}u?4F@y9? z;cXE)b)+(bEt5f{Bfr8ZzRd3ml)|PTnj=`uMs~`%*nBz4<@0dEF5>Iy+x+#UWOruN zcQ>V*nl!aI*md_7>5qLM%%|2gG1o(>K64sxtZ7yCq&2JPeWrsIF}PBuICyQQ2J?fM zewE$lYv_ zto-t~2aZFmPG!_7=fFnhkkK5QZK;%dtjXC77=AQM;eP5PYMh*11xwbLImA7Qp@;P? 
zV~9p`6_1$J&xl2uWF9RQGEmHNu%@XM)+~QzHYJ!Gm=IguivFdc7gU-#^K!tLjEuf>&d1y?EYO zTyDC&ql||oicFZIzU@)GjW2Uv#IJ#P=rTFB<0TBdB1pQfNpJcN z<^bbhu5dQ+kXZqfswq?mL*Ubg2tu-UKIZ)hEeu$g^dX#qp z=!t2XI^So2-P_K?F6s<&bw!jMcFr*w=x^|`D$T^wXB#RO#cyv9&4sIiLt)c*`5>l< zVK;dLkLJeFJuR(2hFGt3PS|UqpwGs>N6eI%kSavaZB!H$$yVoAUFt|m2GeHtD&GLw zQ?0&}!U(M4YQVhiCfUw!YSD$ptCiLZX#~`NZgEv>C;85X%^M2Tn4tUQLMrFU;n~&} zrs2k+i3ZmG4_73LdYA?Z1!Yw+jjvG&M!}3Ggi6)3+GSQXTrnPKho(|Az~1>Fr;#Y3 zS@3ARn~XwE)gT}HhRH@#EId21bO>`U;X%Ss7D9YhC6IJaW zZ6?N(1gI?z->9-IsGLj_kcII111O)~7HiT?4Z7E5W{=ZG?-QWA19eABUk<=t14_!R zrbJuFfG+rBsagrp_EZo3&`Z;!^(=DciHE2060s-{^|#xkWM zsBy^_nVoI!QJLUYgDF7|$2$n`1hop9R|FN^1H%3HNGvMyb$ z`IasF4Vpz7%FIq0CEEH&s-qdTu_mbmjSq~FXiLpn^+!YPg2(zHi|FGk$T*`Abp$UE zw2nj($oiO)&6$1`CG#oACCtCgM{;|IZq>Y)JlSR+k7b6{XqhxQz3EaTtS|N8OVxx& zc|Bj@Qt60(Ub0dUcSJ)AWx-VbfJ{6wUO0cz)XzLV(t@{1QED6w5nBaKpE;&9F%W&b znm(BTqAgNhK3Vza_S`qzNg@lLbWw(aG1e|14PR|EtA>woz-ZZ{h#DF(Fq@55T8j1& z)jYI?P1g(}jxD6Ddj2lzNK}~*Vk)vZFOe+k7$9FlesBOq0cWJH7-N}4Jm8&%0xhRT z)X|8WBFb5I{~&$v*J&2&+584mnzkDjOL~Lq%f0_(X3EvM@sY+=oEt-L*-@JiB49q& ztS02;0A9Sm_KN|b){GC)Uy?lcI*cBWt|}&p5Z)qFp}NJi(vW#MPXseeHRK4oa3VcE zG&EKN6|^iAw;6D~Ncf^jT{ffB%V@DL*l6ZvQKE$3=&OP`-dyb9|9)e)5Gf7Bu4%f4 zq{g-~8U*{cUsq&`O)OJxNY;O#yo|a@i*04CRj%;aTCp=Z8gFWMRhqd15{|5ga`&XL z2yGaO_+vEx6thRt-hFI*JhG!JRo`I zj3z2N6?T2szyjws6-u>@x|7@z7ILx( zuUK#U6rG#HgmsX?JD%6SPLW17qgD@XO-F;u+J>x&%0*ouL9(XXx&2#FAZ(Z}8E)s= z8=C1LRD&{T13j`0kBU*DsltDFJk{fz`vkf4D3XwKNyvVKS>h@uAVeLwxE;@ z6;lFzHFay3-xBL(?zBfEOehg)xDatpHC$#viJadn_CO8uI*NPf+NWv~ZxaD|(rfZ! 
zDJf6G$P#AL7-)lJCW_BKecoJ6>8iq=u2{mnhv#axG)ZUp+sVO5S4RTOZr9B3A)n+J)>V+ZYyilTJtFz!elfZS%=oQEyT`cL<3@HUBCvcTiNmX`3o zCO;O{(EjOd3a`nxft_wl?We{{PKl^Gpfpg6bc4^iB+)#ju$Q)4+Ml*z>~2&dK2Lx2 z@nZea$cy#o0x#B|AiP+AQ}AN_?Z*pfYc@NDxf3o4Or+V$UFq=B(V)?NOQ!`deWeMW zR-;ivIrj~w&1TnCs$(Fvu{Cu`>er*S?60JVO53{{1#{9-U@a!Z>m+r|f8_P>x3ucC zqG=SeR4wtitg5}*0fc6ZM@%V}R*yVYf1-R=d1<*czkTVlp23LxztEx?{3$~Ier`|u zisJvNcFpm>M*V-PP4kPL<(}gIRf;X}zw?==SpLlf+l)P^(917j^I?^o=f6r710%G#57OCpQD%@~{~B|R)7Qt8iNJ;+0*jASsPz7LCx@`Eq{ zGTGHume$I7(|jm>`G7Lk+gCxVAJtx~4Q{?gAzLOM=xK_;r__usd~1dCjq$vhlNTH^ zZX9H*F1e;rSR1?zExO~W$rGr07cJ|XNL|->AAw+iJW-p6h1CArYub>!e`l-5)wRP> z#=I6_FeBWkUXhlO=wEBDKWmCrUEHSP>8}>;Bs8+RgveAh-$&Vwbu{b(7Y8R?JYw>s zk%9DxjYOudx0l%Ztz=4n7Zql~{K68+Ziq&e8`EVCXf(DqZdQE=S{s8U3&6ar0ITFC z9;9`mSKMQ>hkHaTxAG#3{cSHYSR~E;6|t(`uXoL151P`lu8D2)`Ul~@m3p)srJ0*? z3eqjcQTUAbE`P5TQjye}g5K_fpF|_%7p0Nym134ERgBCbriu+!eFfQuCO6}t0&Pa; zFRnoVl}#U$YSIn+nn~ImR=QQ)(pGHVGDBD8yXsA%M03SyJk!nlpr{F5(y0x+#nfKv zY13P>ifvj1N0d+$5~U>S7{&E~RGkKrxkl7?KR1jX8WzO~^?lv2ZfBu98$wNBnP7V% zP=K7$J+fX1U-rc&TyBMtv@hO@)mZXWp6B!#MJjbJNMzWfhX0DHKB848F%{ZY-&f$> zHOOq{N&^sjkQpE|9CvHLbkEsA#0qonYF4gS__o5KH?P@WrV62t%3$kfGA>AmZCG={ zZA{u0!l(=~S2WaSDU;Vj;fY3Ok(V*Kqj?LAq$#K~87c~+nDVmj4j4;T0dR)aQ8RK# zHtes(~zyM2;4HwAc@2$P7A zN!r9aXb(kZxs*tx2In3K?TdB~kjuo$DwQ-)IS)fDwL?6Uxf@(wIE#sDzQxj0T-4~B z6X;{8ZI|**_-}yFh;FMPUau5Q)!&f{-;`6#LZ%KniUn0TZK`H|Q<5~3ZBn;beJ(Sy z!_FwCcSR86c;{5ptIjTW!{lOHTbPj64SGY;rm|rmks%!!<0#&gv}vFsL)KK|b_to)wru%VLvPLWm0Y8!e^zKCU(dWtt>jQYaa>YzCVw_1TEN${L;;bXT=ffl>EQnh z*1T^Lqf)n<$%g70LYmVBd)hlBYc(JyfE$gCJbuHtTgNpDX4t9->!H)Cm!CAg$%vRl z)h*UZOfE||*jil*)@1XXZLZ%&RV;-}iao^tHwIY<0_J;KlGRo-qS=r!Joe`iBsB=V zKF-+p0eYbc6D$+=+aGpKrY$CQNDiMI)A*ho`OB?dMoOcw`)WwIn}}+-9A-i&4srLO zc0%7m#PHrr-!RS+<cQ5KO8 zLgdE9d?3rc9v{(C47)9 z(?z317^A(bSy^J_%uwJ-s=sL#4(6Xt-uyWmzqjf|mOXHLWZ>xx-qcl@gdMq_jaf=Bhaw`U0^$a! 
z!M$g$PelADKVkT1xQcQJh?pX*JdieS;kI{-C?r`7v7>tLosrLuxyySwjmV#XqPqR-*JZIiPc6DMni?^KQmp7I z;|?*)^AbXIKGztAR+}YyF19%K5LfFiBUI{*PB)Geo2Dy72DXuLpoOBQ*IelCuXs?u=IK(d06p{OulLGLRk74!>r7Pw9jl zPD$W!o*E^^k3UneS-`N}6^?Dw0wlf}q_ySVX^E-^%cMC?^Q3NLbQ$&?0R| z)Tp++IBLz@C=IBQBWKp32}4raUrp$@{Zjt53$ zG>!WHOPFxaRsxOlp$@6>Z;8#EHRT(9IHi+pV>5tOSOOoi0U1lsc7>}1Rk77k+0)r$ zF3CtZ;qEbZ61KD|7pUwIGp&;QLQyqJ$vu^%3eOXk`{HKcsdzYFdh#T9j={vRmK2Xe z)KSC;{GoV~^NVDJ_{_3FB5QO?8qpLHifhVhsWF`Vc}o?RgHoyUfP7CgQ37Z9tqNS) z438~spibuxRy)z})pRmcS7uVZKTJkeP8o4;6H7H(?Ju!&Drk0bXo{xJYA!0{!iXj1 zR0YXq<0k|qX%~O;qpjU~j}1T6%RdZt%W{yaq8bsP>c1(7(H;1K*S#X#*+mVwCo{n>fv5a_!=^x1Qhn`(ukZP7C3yD9LX% z-u4c0WiIxMD9@DoBslP_S^YTkFm9-{*&OSGq z%{lw+oAqO+Ru_d_UP;K}On>#Wj*?K5QKkAny(nNv_rXPm2=lwCWEB-c`@pVVv|>@q z65^*<#m)^ckwV%DJjJN-tM9u*ub5!%WG)UU9G` zWh%cqzK!zJ8XDVthGa!V zPE37#j|MY$$2X=Lg`m`>hfReqT7D=F_2J8VfrG?~26?QDs>r{L@mV!VJZcH>)!M(q zohZyvs@D5}iWrL_Cnk7m;*lrc2WVV0SdkZl>}7jPK^D>q0d;`Yu7iv3cKP`8Y?nph zSRE8km4|5cSE}T)A`!rU2BPqwRFR^j+Tb;1r7~|snM)I@JG_*6pPv9K0;*r@&-Xjj z8D{Q<(|_^Qm>_tLgv7$3#LV7K$}YoH)y?XnmO>P3x?Xgok>i$bbG*<|a8{XP7e^An zk+5~Ki-^FzHr45*01{^(z6>}x9_|EpDMV&?=DnG*Qun391=r^A+fhD)G4GvyqJ?DX zZdaz&KUQiZ#;4QolF_I1J%V?(!Wd!A5qYxMM+JNI4-_p$aS^Es$XDJNZWMOX=bx3) zB0!LhmUk^np~9nefN!!#5Hei8 zN)kfFFfErTcJFH!yb(y0RRdBluS-~8U6E`&m6D`%6sM}8*7b4eVbWzKBcPI3Jct?D z&Vc0+05K@p3eO`;N`aPI-4lE@UgLTzaCoHm4NpdqQoKu*q zk^>0KPE=R^Q91&E?mHyIUaN{HtTkO^_k}gdaLs{=xG{*eM)`WdiY}x{f~afMeUPvV z%Bov0P}_dT4571ryh8}yP~#{i6ovri&Fj|%RQkdStdklDdC*LiFZkY+jaC5;G}S+= zlW)1t`1bVne5M@&(|?%lpUibiTeI{EZKv_lblISHFpGVJ@$adTYA5AGMfnyotkU$mHf#I4a1qMWADxZ4iE!bAUC2?+#-7GsBG|K6Q-0}UiZ2d&+z~M+8 zGPgn0JdhbyDigtMO+qPpctgKC942~Ty!7CBt0pG-*XUDHnFK?09EMos(fk$* zTL~)wkF0tRbeDkcveFXHziQ|>wiVivV5lvPiUy5e9nx~xlEZ`c#1@e}Ix-CG;73Ze zSxjJUDU~h}9T*{MnM-f^rYrNH)50Ej36INNFoX-53E{h{Nt!DjTSfu2);?c&;+3oI zhh7!Efak@K@wGUh;>>uuCGx#>T^unAoh$2FQ#~7;+jvCp3|V%QfXE6(B4mk)#$HVS z`HIneux;P&b2Ppm?ik}%#v~n(W}InlHZ+!MQlVLYVPhIQn?)}f&YA_UAtZ1I1q=Qd 
zp!nGKUSa@Ol&mEvzI90|lSr4Pqy#5?A*(=yPRI&{3e3Wjs)snt;~gvjCZ5-K)b<7} zUF$pOyRR+hJ4f?l71+}_36l_oJ8wdx>^bVNWHCEXRPs-HAqMphFVFz@u2T=Gw)CAq z)ld%Iv2G+u>n%J2#inE`HWOTag~6$aqD(25{OSlGrFLeJA&6m&-?&914XY*6`b42z zx->tag}1r{>e|n5=y1yuKO>|toVVqw3bWO_$3! zz*Ss7aJWC&V!T0^cmZP%58W)ezLd%KMl6nUq>9hXAEK}>-q+=BJ^a0VRpgTFI>4#9 z;6&rW?$kgVxqgc$)L%99+3Ml6X7gX1Ir=JxBpR;DntQeZ0gl3q(9NmuNK>TK9GI)R zz^bkF1Sy_l{Ft>hwyBBK=2P$a*ThMU3eMOCFXqSldy6}%P*&uLw@?!p#HZ~P7)0e& z79~z->vMli#`)!^xqQQ$y;?~2P9^A68?ND(5hpjAcgfgf)A|x47x@D&8AC0XdOV<@ z@o;+e2lp@DN)F@kZe6i6Gspn81ZG;+Svy}~c$m3Z# zku=zmWn24ZaL(c;o_)F^7a&atLT0YN{@p9Pzv3#Z?YeGdOhA`=QsIl?fdAyWFfa#~ zxGp32Dj&PBIL+TXE7FaIq$Lg4srRcmWsR(Dq;o+MU7d6r&!0+GJ`FJ7L|C}-{9N^6-1(lP6#&~ z#i$~bjt)IfKOX%B3-(-n4o-bcDo&RufrauiAltQGS&k{N^Ib(!v`_pR`dZuw=SIlr z+fXhO5rn0UO6PcU8wAtTiNEsUOQk^jhp;NGsV{L*+j-I4i@H$IHF%<*GhH zyj-rr+vEw@v-PQs=uei{pBbY_wKd8}42s^DC1|2gLUloF{gQGcx(@XOu}XoZJD+qv zUWvL>iJBeMmgOi|v9Z?OK#DgSekuAXEEwXe=tPgBL@UC~N-g-6aE+1z84f2P6fy%Z z-<#zb|NKr>n(0-{;5|)|^=K`ET^Lm^-w*n?FdFBc@*Q%6yG48?9#nZKiKuyngA;%UAwt z`p%8Felfj#WqRq&itgQ=DP%oxD^M?wL_I5Y%NH0|95U}ys3CIO4 zA5ZQa-TdkF*8F(Nyr;_JcbC(@<(>I{5-KvJ2eDqAJI+BAn!k^mN*q02Yz{p?Usa>C&r;cC#QS(xr(QEPGZj%&?UMcw#CHGHG|M~Pw{r}PFXZrIC{qNs(+;V`?lUGmnc2U^< z6Mf-L8Jh$yUn;3PJ7$k1Q)F?@seKgL6l`Ey&QDX>44(Ar|9NA2Eo}nF--%@^wDsa6 zaZ^6D=gJs`5(P1kQdaynh-#Zh!;q}V@TiOo3+gW97MW&aH7fsnPHgbGzA{-k9GfJS7SIuCGS41o( z^|8@BeMvnc^}d;qmSOvC>Q z*Tqvsw56Q8x+Weq6|8v0=+KR*3n)vI5_p?saq_leo24{H*?U$B+(YcOuo#L%NlRqv zC3f+{RV2i!s*1#DUkXL_*Or$ymUi=$QPsy})=W7r{!c-AWu53nhbV}<%LrjovJ znIxFhNLB$Sk_pwHQ?b#*i^csbIxQuiY6q(H;(3WZ{mF@Zmprjc-d!i6^-55-Pv2bd$^f*&eKH-shX}+ zM;sESh2=sg5A4q*JGm);P(jc}%#&|Z#@Ov`P_UGAtF2dh=s1$QSZ zAZ1AUEB|U_iI9r6{bA_II4`#6RZ6A(QXO$yf$$5UX~30LeyitseVWLQu(>Vcva1A4>ur(`94z!a4mbO4O<`}>m_wNhN!y|NJ5Qm=Fau`z!fDuOX zV&pRfvjN(DqEg1Wh8P$T%u^2)NeN^fI+;xA4WfE1ex<|{xQ$^W`R-qjB>LPPghu&LeH-y1Vx@o@cD8Fmy(l7M3wZ zmEH9v!v10xxuMj@hq_cwe!hVbQPgMr0mFP*k{-ucujq?{>Qd3Bnx*Y-+#ICsu;)pI zsxSpnd|G?xiM|hUc(OSD#jo$~9nF_Mgw%kK2CO}YSmtW@z+&^{Z-4rezZgt*368et 
zR5MK87I>wW%zbk}xsM&&r485x@4Kz{OPc>Fh#T2qTVc zcpMKm8T$$S+u8(Qlihtjx1p8L<*&%U`#&y!b5MS3g)(0pAN}UWwJYdA)nQ+Ds_VTa zPjL0#?j`$zf#0vDGN0u;JKj57^c&$z7|KrO=4|KAiG0n`p2D;u4oyV>hM`z%^-tG^ z!!4~ez46ZF!R9^1+dsUux45{!e|T@cdwuU<{`Tzd-5->wC-D&HefAXoGHg zbQR57b|1_%)DB{3S$!}+xH&)i<+~RML-hx_eY=yBi?G{w7R!raHE$j6Xum`IW2x<5 zxH~(T^7)nN!L5U1f7R(n@l1POCE>jt5#(aDB>){vQ-dj=mc;jzoM~l6Mh-qwWqJ1$i>+U^mSeqV+ z3%fSnQpJ#0c~8ksY~E=^471iWtE9fZWs&lRX0_ngH?2jzzGad=jbsY)aM=kf?ZKgb pq8|oS)mjw|{8z_2DgMej*_sLAY_g(Dhl0DqeS8o3(dmC(_&*)PE!Y46 literal 0 HcmV?d00001 diff --git a/po/uk.po b/po/uk.po new file mode 100644 index 0000000..b76256b --- /dev/null +++ b/po/uk.po 
@@ -0,0 +1,3031 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# sgallagh , 2011
+# Yuri Chornoivan , 2011-2014
+# Yuri Chornoivan , 2013
+# Yuri Chornoivan , 2015. #zanata
+# Yuri Chornoivan , 2017. #zanata
+# Yuri Chornoivan , 2018. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2018-03-09 08:59+0000\n"
+"Last-Translator: Copied by Zanata \n"
+"Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
+"uk/)\n"
+"Language: uk\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "Встановити рівень докладності діагностичних записів журналу"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "Додати до діагностичних журналів позначки часу"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr "Включати мілісекунди до часових позначок у журналах"
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "Записувати діагностичні повідомлення до файлів журналу"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+"Час очікування відповіді засобу спостереження перед перезапуском служби"
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "Команда запуску служби"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr "Кількість повторних спроб встановлення з’єднання з надавачами даних"
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr "Кількість дескрипторів файлів, які може бути відкрито цим відповідачем"
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+"Проміжок бездіяльності до автоматичного від’єднання клієнтської частини"
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr "Проміжок бездіяльності до автоматичного вимикання відповідача"
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr "Завжди опитувати усі кеші до опитування засобів надання даних"
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "Служби SSSD, які слід запустити"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "Домени SSSD, які слід запустити"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr "Час очікування для повідомлень, надісланих за допомогою SBUS"
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "Формальний вираз для обробки імені користувача і домену"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr "Сумісний з printf формат показу повних назв"
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Каталог у файловій системі, де SSSD має зберігати файли кешу відтворення "
+"Kerberos."
+ +#: src/config/SSSDConfig/__init__.py.in:63 +msgid "Domain to add to names without a domain component." +msgstr "Домен, який слід додати до назв без компонента домену." + +#: src/config/SSSDConfig/__init__.py.in:64 +msgid "The user to drop privileges to" +msgstr "Користувач, привілеї якого слід скинути" + +#: src/config/SSSDConfig/__init__.py.in:65 +msgid "Tune certificate verification" +msgstr "Скоригувати перевірку сертифікатів" + +#: src/config/SSSDConfig/__init__.py.in:66 +msgid "All spaces in group or user names will be replaced with this character" +msgstr "" +"Усі пробіли у назвах груп і іменах користувачів буде замінено на цей символ" + +#: src/config/SSSDConfig/__init__.py.in:67 +msgid "Tune sssd to honor or ignore netlink state changes" +msgstr "Налаштувати sssd на врахування або ігнорування змін стану netlink" + +#: src/config/SSSDConfig/__init__.py.in:68 +msgid "Enable or disable the implicit files domain" +msgstr "Увімкнути або вимкнути домен неявних файлів" + +#: src/config/SSSDConfig/__init__.py.in:69 +msgid "A specific order of the domains to be looked up" +msgstr "Певний порядок доменів, у якому їх слід використовувати для пошуку" + +#: src/config/SSSDConfig/__init__.py.in:72 +msgid "Enumeration cache timeout length (seconds)" +msgstr "Тривалість часу очікування на дані кешу нумерування (у секундах)" + +#: src/config/SSSDConfig/__init__.py.in:73 +msgid "Entry cache background update timeout length (seconds)" +msgstr "Час очікування на фонове оновлення кешу записів (у секундах)" + +#: src/config/SSSDConfig/__init__.py.in:74 +#: src/config/SSSDConfig/__init__.py.in:113 +msgid "Negative cache timeout length (seconds)" +msgstr "Від’ємний час очікування на дані з кешу (у секундах)" + +#: src/config/SSSDConfig/__init__.py.in:75 +msgid "Files negative cache timeout length (seconds)" +msgstr "Від’ємний час очікування на дані з кешу файлів (у секундах)" + +#: src/config/SSSDConfig/__init__.py.in:76 +msgid "Users that SSSD should explicitly ignore" +msgstr 
"Користувачі, яких SSSD має явно ігнорувати" + +#: src/config/SSSDConfig/__init__.py.in:77 +msgid "Groups that SSSD should explicitly ignore" +msgstr "Групи користувачів, які SSSD має явно ігнорувати" + +#: src/config/SSSDConfig/__init__.py.in:78 +msgid "Should filtered users appear in groups" +msgstr "Чи слід показувати відфільтрованих користувачів у групах" + +#: src/config/SSSDConfig/__init__.py.in:79 +msgid "The value of the password field the NSS provider should return" +msgstr "Значення поля пароля, яке має повертати постачальник даних NSS" + +#: src/config/SSSDConfig/__init__.py.in:80 +msgid "Override homedir value from the identity provider with this value" +msgstr "" +"Замінити значення назви домашнього каталогу від надавача профілю цим " +"значенням" + +#: src/config/SSSDConfig/__init__.py.in:81 +msgid "" +"Substitute empty homedir value from the identity provider with this value" +msgstr "" +"Замінювати порожні значення домашніх каталогів у засобі надання даних " +"профілів цим значенням" + +#: src/config/SSSDConfig/__init__.py.in:82 +msgid "Override shell value from the identity provider with this value" +msgstr "Замінити значення оболонки від надавача профілю цим значенням" + +#: src/config/SSSDConfig/__init__.py.in:83 +msgid "The list of shells users are allowed to log in with" +msgstr "Список оболонок, за допомогою яких можуть входити користувачі" + +#: src/config/SSSDConfig/__init__.py.in:84 +msgid "" +"The list of shells that will be vetoed, and replaced with the fallback shell" +msgstr "Список оболонок, які буде заборонено і замінено резервною оболонкою" + +#: src/config/SSSDConfig/__init__.py.in:85 +msgid "" +"If a shell stored in central directory is allowed but not available, use " +"this fallback" +msgstr "" +"Якщо оболонка, що зберігається у центральному каталозі дозволена, але " +"недоступна, використовувати цю резервну" + +#: src/config/SSSDConfig/__init__.py.in:86 +msgid "Shell to use if the provider does not list one" +msgstr "Оболонка, 
яку слід використовувати, якщо засіб не надає жодної" + +#: src/config/SSSDConfig/__init__.py.in:87 +msgid "How long will be in-memory cache records valid" +msgstr "Строк дії записів кешу у пам’яті" + +#: src/config/SSSDConfig/__init__.py.in:88 +msgid "List of user attributes the NSS responder is allowed to publish" +msgstr "" +"Список атрибутів запису користувача, які може оприлюднювати відповідач NSS" + +#: src/config/SSSDConfig/__init__.py.in:91 +msgid "How long to allow cached logins between online logins (days)" +msgstr "" +"Тривалість зберігання кешованих реєстраційних даних між входами до системи " +"(у днях)" + +#: src/config/SSSDConfig/__init__.py.in:92 +msgid "How many failed logins attempts are allowed when offline" +msgstr "Макс. дозволена кількість помилкових спроб входу у автономному режимі" + +#: src/config/SSSDConfig/__init__.py.in:93 +msgid "" +"How long (minutes) to deny login after offline_failed_login_attempts has " +"been reached" +msgstr "" +"Тривалість (у хвилинах) заборони входу після досягнення значення " +"offline_failed_login_attempts" + +#: src/config/SSSDConfig/__init__.py.in:94 +msgid "What kind of messages are displayed to the user during authentication" +msgstr "Тип повідомлень, які буде показано користувачеві під час розпізнавання" + +#: src/config/SSSDConfig/__init__.py.in:95 +msgid "Filter PAM responses sent to the pam_sss" +msgstr "Фільтрувати відповіді PAM, які надіслано pam_sss" + +#: src/config/SSSDConfig/__init__.py.in:96 +msgid "How many seconds to keep identity information cached for PAM requests" +msgstr "" +"Тривалість (у секундах) зберігання даних щодо розпізнавання у кеші для " +"запитів PAM" + +#: src/config/SSSDConfig/__init__.py.in:97 +msgid "How many days before password expiration a warning should be displayed" +msgstr "" +"Визначає кількість днів між днем, коли має бути показано попередження, і " +"днем, коли завершиться строк дії пароля" + +#: src/config/SSSDConfig/__init__.py.in:98 +msgid "List of trusted uids 
or user's name" +msgstr "Список надійних UUID або імен користувачів" + +#: src/config/SSSDConfig/__init__.py.in:99 +msgid "List of domains accessible even for untrusted users." +msgstr "" +"Список доменів, доступ до яких відкрито навіть для ненадійних користувачів." + +#: src/config/SSSDConfig/__init__.py.in:100 +msgid "Message printed when user account is expired." +msgstr "" +"Повідомлення, яке буде виведено, коли строк дії облікового запису " +"користувача буде завершено." + +#: src/config/SSSDConfig/__init__.py.in:101 +msgid "Message printed when user account is locked." +msgstr "" +"Повідомлення, яке буде виведено, коли обліковий запис користувача буде " +"заблоковано." + +#: src/config/SSSDConfig/__init__.py.in:102 +msgid "Allow certificate based/Smartcard authentication." +msgstr "Дозволити розпізнавання за сертифікатом або смарткарткою." + +#: src/config/SSSDConfig/__init__.py.in:103 +msgid "Path to certificate database with PKCS#11 modules." +msgstr "Шлях до бази даних сертифікатів із модулями PKCS#11." 
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+"Час у секундах, протягом якого pam_sss очікуватиме на завершення роботи "
+"p11_child"
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+"Визначає, яким службам PAM дозволено встановлювати з'єднання із доменами "
+"програм"
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+"Визначає, чи слід обробляти атрибути правил sudo, пов’язані з часовими "
+"обмеженнями"
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+"Якщо має значення true, SSSD перемикнеться на логіку упорядковування менший-"
+"кращий"
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+"Максимальна кількість правил, які може бути одночасно оновлено. Якщо цю "
+"кількість буде перевищено, буде виконано повне оновлення."
+ +#: src/config/SSSDConfig/__init__.py.in:116 +msgid "Whether to hash host names and addresses in the known_hosts file" +msgstr "Чи слід хешувати назви та адреси вузлів у файлі known_hosts" + +#: src/config/SSSDConfig/__init__.py.in:117 +msgid "" +"How many seconds to keep a host in the known_hosts file after its host keys " +"were requested" +msgstr "" +"Кількість секунд, протягом яких запису вузла зберігатиметься у файлі " +"known_hosts після надсилання запиту щодо ключів вузла" + +#: src/config/SSSDConfig/__init__.py.in:118 +msgid "Path to storage of trusted CA certificates" +msgstr "Шлях до сховища надійних сертифікатів служб сертифікації (CA)" + +#: src/config/SSSDConfig/__init__.py.in:121 +msgid "List of UIDs or user names allowed to access the PAC responder" +msgstr "" +"Список унікальних ідентифікаторів (UID) або імен користувачів, яким надано " +"доступ до відповідача PAC" + +#: src/config/SSSDConfig/__init__.py.in:122 +msgid "How long the PAC data is considered valid" +msgstr "Час, протягом якого дані PAC вважатимуться чинними" + +#: src/config/SSSDConfig/__init__.py.in:125 +msgid "List of UIDs or user names allowed to access the InfoPipe responder" +msgstr "" +"Список унікальних ідентифікаторів (UID) або імен користувачів, яким надано " +"доступ до відповідача InfoPipe" + +#: src/config/SSSDConfig/__init__.py.in:126 +msgid "List of user attributes the InfoPipe is allowed to publish" +msgstr "Список атрибутів запису користувача, які може оприлюднювати InfoPipe" + +#: src/config/SSSDConfig/__init__.py.in:129 +msgid "The provider where the secrets will be stored in" +msgstr "Модуль надання даних, у якому будуть зберігатися реєстраційні дані" + +#: src/config/SSSDConfig/__init__.py.in:130 +msgid "The maximum allowed number of nested containers" +msgstr "Максимальна дозволена кількість вкладених контейнерів" + +#: src/config/SSSDConfig/__init__.py.in:131 +msgid "The maximum number of secrets that can be stored" +msgstr "Максимальна кількість записів 
реєстраційних даних, які можна зберігати" + +#: src/config/SSSDConfig/__init__.py.in:132 +msgid "The maximum number of secrets that can be stored per UID" +msgstr "" +"Максимальна кількість записів реєстраційних даних, які можна зберігати за UID" + +#: src/config/SSSDConfig/__init__.py.in:133 +msgid "The maximum payload size of a secret in kilobytes" +msgstr "Максимальний обсяг запису реєстраційних даних у кілобайтах" + +#: src/config/SSSDConfig/__init__.py.in:135 +msgid "The URL Custodia server is listening on" +msgstr "Адреса, на якій очікує дані сервер Custodia" + +#: src/config/SSSDConfig/__init__.py.in:136 +msgid "The method to use when authenticating to a Custodia server" +msgstr "Спосіб розпізнавання сервером Custodia" + +#: src/config/SSSDConfig/__init__.py.in:137 +msgid "" +"The name of the headers that will be added into a HTTP request with the " +"value defined in auth_header_value" +msgstr "" +"Назва заголовків, які буде додано до запиту HTTP зі значенням, яке визначено " +"в auth_header_value" + +#: src/config/SSSDConfig/__init__.py.in:138 +msgid "The value sssd-secrets would use for auth_header_name" +msgstr "Значення, яке sssd-secrets має використовувати для auth_header_name" + +#: src/config/SSSDConfig/__init__.py.in:139 +msgid "" +"The list of the headers to forward to the Custodia server together with the " +"request" +msgstr "" +"Список заголовків, які слід переспрямувати до сервера Custodia разом із " +"запитом" + +#: src/config/SSSDConfig/__init__.py.in:140 +msgid "" +"The username to use when authenticating to a Custodia server using basic_auth" +msgstr "" +"Ім'я користувача, яким слід скористатися для розпізнавання на сервері " +"Custodia з використанням basic_auth" + +#: src/config/SSSDConfig/__init__.py.in:141 +msgid "" +"The password to use when authenticating to a Custodia server using basic_auth" +msgstr "" +"Пароль, яким слід скористатися для розпізнавання на сервері Custodia з " +"використанням basic_auth" + +#: 
src/config/SSSDConfig/__init__.py.in:142 +msgid "If true peer's certificate is verified if proxy_url uses https protocol" +msgstr "" +"Якщо має значення true, сертифікат вузла перевірятиметься, якщо proxy_url " +"використовує протокол https" + +#: src/config/SSSDConfig/__init__.py.in:143 +msgid "" +"If false peer's certificate may contain different hostname than proxy_url " +"when https protocol is used" +msgstr "" +"Якщо має значення false, сертифікат вузла може містити іншу назву вузла ніж " +"proxy_url, якщо використано протокол https" + +#: src/config/SSSDConfig/__init__.py.in:144 +msgid "Path to directory where certificate authority certificates are stored" +msgstr "Шлях до каталогу, у якому зберігаються сертифікати служби сертифікації" + +#: src/config/SSSDConfig/__init__.py.in:145 +msgid "Path to file containing server's CA certificate" +msgstr "" +"Шлях до файла, у якому міститься сертифікат служби сертифікації (CA) сервера" + +#: src/config/SSSDConfig/__init__.py.in:146 +msgid "Path to file containing client's certificate" +msgstr "Шлях до файла, у якому міститься сертифікат клієнта" + +#: src/config/SSSDConfig/__init__.py.in:147 +msgid "Path to file containing client's private key" +msgstr "Шлях до файла, у якому міститься закритий ключ клієнта" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "Служба профілів" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "Служба розпізнавання" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "Служба керування доступом" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "Служба зміни паролів" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "Служба SUDO" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "Служба автоматизації файлових систем" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity 
provider" +msgstr "Служба профілів вузлів" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "Надавач даних SELinux" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "Засіб керування сеансами" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" +"Визначає, чи можна використовувати домен у операційній системі або у " +"програмах" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "Мін. ідентифікатор користувача" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "Макс. ідентифікатор користувача" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "Увімкнути нумерацію всіх користувачів/груп" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "Кешувати реєстраційні дані для автономного входу" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "Зберігати хеші паролів" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "Показувати записи користувачів/груп повністю" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "Не включати учасників групи у пошуки групи" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "Тривалість кешування записів (у секундах)" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" +"Обмежити або 
надавати перевагу певному сімейству адрес під час виконання " +"пошуків DNS" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" +"Тривалість зберігання кешованих записів після останнього успішного входу (у " +"днях)" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" +"Тривалість очікування на відповідь від DNS під час визначення адрес серверів " +"(у секундах)" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "Частина запиту щодо виявлення служби DNS, пов’язана з доменом" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" +"Замінити значення ідентифікатора групи від надавача профілю цим значенням" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "Враховувати регістр у іменах користувачів" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "Наскільки часто має виконувати оновлення у тлі застарілих записів" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "Визначає, чи слід автоматично оновлювати запис DNS клієнта" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" +"TTL, який слід застосовувати до запису DNS клієнта після його оновлення" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" +"Інтерфейс, чию адресу IP має бути використано для динамічних оновлень DNS" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to 
periodically update the client's DNS entry" +msgstr "Визначає, наскільки часто слід періодично оновлювати запис DNS клієнта" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" +"Визначає, чи слід надавачу даних також явним чином оновлювати запис PTR" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "Визначає, чи слід програмі nsupdate типово використовувати TCP" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" +"Визначає тип розпізнавання, який слід використовувати для виконання " +"оновлення DNS" + +#: src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" +"Перевизначити сервер DNS, який використовуватиметься для виконання оновлення " +"DNS" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "Керувати нумерацією надійних доменів" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "Частота оновлення списку піддоменів" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "Список параметрів, які має бути успадковано у піддомені" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "Типове значення домашнього каталогу для піддоменів" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" +"Строк, протягом якого кешовані реєстраційні дані може бути використано для " +"розпізнавання за кешем" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" +"Визначає, чи слід автоматично створювати приватні групи для 
користувачів" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "Домен IPA" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "Адреса сервера IPA" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "Адреса резервного сервера IPA" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "Назва вузла клієнта IPA" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" +"Визначає, чи слід автоматично оновлювати запис DNS клієнтського вузла у " +"FreeIPA" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "Шукати у базі об’єкти, пов’язані з HBAC" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" +"Інтервал часу між послідовними сеансами пошуку правил HBAC на сервері IPA" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "Час, у секундах, між пошуками у картах SELinux на сервері IPA" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" +"Якщо встановлено значення «false», аргумент вузла, наданий PAM, буде " +"проігноровано" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "Адреса автоматичного монтування, яку використовує цей клієнт IPA" + +#: src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "Шукати у базі об’єкт, що містить дані щодо домену IPA" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "Шукати у базі об’єкти, що містять дані щодо 
діапазонів ідентифікаторів" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "Увімкнути сайти DNS — визначення служб на основі адрес" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "Шукати у базі контейнери перегляду" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "Клас об’єктів для контейнерів перегляду" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "Атрибут із назвою перегляду" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "Клас об’єктів для об’єктів перевизначення" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "Атрибут із посиланням на початковий об’єкт" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "Клас об’єктів для об’єктів перевизначення користувачів" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "Клас об’єктів для об’єктів перевизначення груп" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "Шукати у базі пов'язані і профілями станцій об'єкти" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" +"Час, у секундах, між пошуками у правилах профілів станцій на сервері IPA" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" +"Час, у хвилинах, між пошуками у правилах профілів станцій на сервері IPA, " +"якщо під час останнього запиту 
не було знайдено жодного правила" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "Домен Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "Увімкнені домени Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "Адреса сервера Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory backup server address" +msgstr "Адреса резервного сервера Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "Назва клієнтського вузла Active Directory" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "Фільтр LDAP для визначення прав доступу" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "Чи слід використовувати загальний каталог для пошуку" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "Режим роботи для керування доступом на основі GPO" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" +"Інтервал часу між послідовними сеансами пошуку правил GPO на сервері AD" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" +"Назви служб PAM, які виконують прив’язування до параметрів правил GPO " +"(Deny)InteractiveLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" +"Назви служб PAM, які виконують прив’язування до параметрів правил GPO " +"(Deny)RemoteInteractiveLogonRight" + +#: 
src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" +"Назви служб PAM, які виконують прив’язування до параметрів правил GPO " +"(Deny)NetworkLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" +"Назви служб PAM, які виконують прив’язування до параметрів правил GPO " +"(Deny)BatchLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" +"Назви служб PAM, які виконують прив’язування до параметрів правил GPO " +"(Deny)ServiceLogonRight" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "Назви служб PAM, яким завжди надається доступ на основі GPO" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "Назви служб PAM, яким ніколи не надається доступ на основі GPO" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" +"Типове правило входу (або допуск/заборона), яким слід користуватися для " +"неприв’язаних назв служб PAM" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "певний сайт, який слід використовувати клієнту" + +#: src/config/SSSDConfig/__init__.py.in:247 +msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" +"Максимальний вік пароля облікового запису комп'ютера, при досягненні якого " +"пароль має бути оновлено" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" +"Параметр налаштовування завдання оновлення облікових записів комп’ютерів" + +#: 
src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Адреса сервера Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr "Адреса резервного сервера Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr "Область Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr "Час очікування на розпізнавання"
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr "Визначає, чи слід створювати файли kdcinfo"
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr "Місце, куди слід скидати фрагменти налаштувань krb5"
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr "Каталог, де зберігатиметься кеш реєстраційних даних"
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr "Адреса кешу реєстраційних даних користувача"
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr "Адреса таблиці ключів для перевірки реєстраційних даних"
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr "Увімкнути перевірку реєстраційних даних"
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr "Зберігати пароль у автономному режимі для розпізнавання у мережі"
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr "Поновлюваний строк дії TGT"
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr "Строк дії TGT"
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr "Граничний час між двома перевірками для поновлення"
+
+#: 
src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr "Вмикає FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr "Визначає реєстраційний запис, який слід використовувати для FAST"
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr "Вмикає перетворення реєстраційних записів у канонічну форму"
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr "Увімкнути промислові реєстраційні дані"
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr "Прив’язка імен користувачів до основних імен Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+"Сервер, на якому запущено службу зміни паролів, якщо такий не вдасться "
+"виявити у KDC"
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr "ldap_uri, адреса URI сервера LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr "ldap_backup_uri, адреса сервера LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr "Типова базова назва домену"
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr "Тип схеми, використаний на сервері LDAP, rfc2307"
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr "Типова назва домену прив’язки"
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr "Тип розпізнавання для типової назви сервера прив’язки"
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr "Лексема розпізнавання типової 
назви сервера прив’язки"
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr "Проміжок часу між спробами встановлення з’єднання"
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr "Проміжок часу між спробами виконання синхронних операцій LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr ""
+"Проміжок часу між повторними спробами встановлення з’єднання у автономному "
+"режимі"
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr "Використовувати для назв областей лише великі літери"
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr "Файл, що містить сертифікати CA"
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr "Шлях до каталогу сертифікатів CA"
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr "Файл, що містить клієнтський сертифікат"
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr "Файл, що містить клієнтський ключ"
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr "Показати список можливих інструментів шифрування"
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr "Потрібна перевірка сертифіката TLS"
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr "Вкажіть механізм SASL, який слід використовувати"
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr "Вкажіть ідентифікатор уповноваження SASL, який слід використовувати"
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr "Вкажіть область уповноваження SASL, яку слід використовувати"
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+"Вказати мінімальне значення SSF для розпізнавання на LDAP за допомогою sasl"
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr "Таблиця ключів служби Kerberos"
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr "Розпізнавання Kerberos для з’єднання LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr "Переходити за посиланнями LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr "Строк дії TGT для з’єднання LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr "Спосіб розіменування псевдонімів"
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr "Назва служби для пошуків за допомогою служби DNS"
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr "Кількість записів, які слід отримувати у відповідь на один запит LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+"Кількість учасників, яких має не вистачати для вмикання повного скасування "
+"посилань"
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+"Визначає, чи має бібліотека LDAP виконувати зворотній пошук з метою "
+"переведення назв вузлів у канонічну форму під час прив’язки до SASL"
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr "Атрибут entryUSN"
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr "Атрибут 
lastUSN"
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr "Тривалість підтримування з’єднання з сервером LDAP перед роз’єднанням"
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr "Вимкнути контроль сторінок у LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr "Вимкнути отримання діапазонів Active Directory"
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr "Тривалість очікування на дані запиту пошуку"
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr "Тривалість очікування на дані запиту щодо переліку"
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr "Проміжок часу між оновленнями нумерації"
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr "Проміжок часу між спорожненнями кешу"
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr "Вимагати TLS для пошуків ідентифікаторів"
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+"Використовувати відповідності ідентифікаторів objectSID замість попередньо "
+"встановлених ідентифікаторів"
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr "Базова назва домену для пошуків користувачів"
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr "Діапазон пошуків користувачів"
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr "Фільтр пошуку користувачів"
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr "Клас об’єктів для користувачів"
+
+#: 
src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr "Атрибут імені користувача"
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr "Атрибут UID"
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr "Головний атрибут GID"
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr "Атрибут GECOS"
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr "Атрибут домашнього каталогу"
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr "Атрибут оболонки"
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr "Атрибут UUID"
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr "Атрибут objectSID"
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+"Атрибут основної групи Active Directory для встановлення відповідності "
+"ідентифікатора"
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr "Атрибут реєстраційного запису користувача (для Kerberos)"
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr "Повне ім'я"
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr "Атрибут memberOf"
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr "Атрибут часу зміни"
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr "Атрибут shadowLastChange"
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr "Атрибут shadowMin"
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr "Атрибут shadowMax"
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr "Атрибут shadowWarning"
+
+#: 
src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr "Атрибут shadowInactive"
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr "Атрибут shadowExpire"
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr "Атрибут shadowFlag"
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr "Атрибути зі списком уповноважених служб PAM"
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr "Атрибути зі списком уповноважених серверних вузлів"
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr "Атрибути зі списком уповноважених серверних r-вузлів"
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr "Атрибут krbLastPwdChange"
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr "Атрибут krbPasswordExpiration"
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+"Атрибут, що відповідає за активізацію правил обробки паролів на боці сервера"
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr "Атрибут accountExpires AD"
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr "Атрибут userAccountControl AD"
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr "Атрибут nsAccountLock"
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr "Атрибут loginDisabled NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr "Атрибут loginExpirationTime NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr "Атрибут 
loginAllowedTimeMap NDS"
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr "Атрибут відкритого ключа SSH"
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr "атрибут зі списком дозволених типів розпізнавання для користувача"
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr "атрибут, що містить сертифікат X509 користувача"
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid "attribute containing the email address of the user"
+msgstr "атрибут, що містить адресу електронної пошти користувача"
+
+#: src/config/SSSDConfig/__init__.py.in:368
+msgid "A list of extra attributes to download along with the user entry"
+msgstr ""
+"Список додаткових атрибутів, які слід отримувати разом із записом користувача"
+
+#: src/config/SSSDConfig/__init__.py.in:370
+msgid "Base DN for group lookups"
+msgstr "Базова назва домену для пошуків груп"
+
+#: src/config/SSSDConfig/__init__.py.in:373
+msgid "Objectclass for groups"
+msgstr "Клас об’єктів для груп"
+
+#: src/config/SSSDConfig/__init__.py.in:374
+msgid "Group name"
+msgstr "Назва групи"
+
+#: src/config/SSSDConfig/__init__.py.in:375
+msgid "Group password"
+msgstr "Пароль групи"
+
+#: src/config/SSSDConfig/__init__.py.in:376
+msgid "GID attribute"
+msgstr "Атрибут GID"
+
+#: src/config/SSSDConfig/__init__.py.in:377
+msgid "Group member attribute"
+msgstr "Атрибут членства у групі"
+
+#: src/config/SSSDConfig/__init__.py.in:378
+msgid "Group UUID attribute"
+msgstr "Атрибут UUID групи"
+
+#: src/config/SSSDConfig/__init__.py.in:380
+msgid "Modification time attribute for groups"
+msgstr "Атрибут часу зміни для груп"
+
+#: src/config/SSSDConfig/__init__.py.in:381
+msgid "Type of the group and other flags"
+msgstr "Тип групи та інші прапорці"
+
+#: src/config/SSSDConfig/__init__.py.in:382
+msgid "The LDAP group external member attribute"
+msgstr "Атрибут 
групи LDAP зовнішнього учасника"
+
+#: src/config/SSSDConfig/__init__.py.in:384
+msgid "Maximum nesting level SSSD will follow"
+msgstr "Максимальний рівень вкладеності, який використовуватиме SSSD"
+
+#: src/config/SSSDConfig/__init__.py.in:386
+msgid "Base DN for netgroup lookups"
+msgstr "Базова назва домену для пошуків груп у мережі"
+
+#: src/config/SSSDConfig/__init__.py.in:387
+msgid "Objectclass for netgroups"
+msgstr "Клас об’єктів для груп у мережі"
+
+#: src/config/SSSDConfig/__init__.py.in:388
+msgid "Netgroup name"
+msgstr "Назва мережевої групи"
+
+#: src/config/SSSDConfig/__init__.py.in:389
+msgid "Netgroups members attribute"
+msgstr "Атрибут членства у групах у мережі"
+
+#: src/config/SSSDConfig/__init__.py.in:390
+msgid "Netgroup triple attribute"
+msgstr "Атрибут трійки груп у мережі"
+
+#: src/config/SSSDConfig/__init__.py.in:391
+msgid "Modification time attribute for netgroups"
+msgstr "Атрибут часу зміни для мережевих груп"
+
+#: src/config/SSSDConfig/__init__.py.in:393
+msgid "Base DN for service lookups"
+msgstr "Базова сервер назв домену для пошуку служб"
+
+#: src/config/SSSDConfig/__init__.py.in:394
+msgid "Objectclass for services"
+msgstr "Клас об’єктів для служб"
+
+#: src/config/SSSDConfig/__init__.py.in:395
+msgid "Service name attribute"
+msgstr "Атрибут назви служби"
+
+#: src/config/SSSDConfig/__init__.py.in:396
+msgid "Service port attribute"
+msgstr "Атрибут порту служби"
+
+#: src/config/SSSDConfig/__init__.py.in:397
+msgid "Service protocol attribute"
+msgstr "Атрибут протоколу служби"
+
+#: src/config/SSSDConfig/__init__.py.in:400
+msgid "Lower bound for ID-mapping"
+msgstr "Нижня межа встановлення відповідності ідентифікатора"
+
+#: src/config/SSSDConfig/__init__.py.in:401
+msgid "Upper bound for ID-mapping"
+msgstr "Верхня межа встановлення відповідності ідентифікатора"
+
+#: src/config/SSSDConfig/__init__.py.in:402
+msgid "Number of IDs for each slice when ID-mapping"
+msgstr ""
+"Кількість ідентифікаторів для кожного 
зрізу під час встановлення "
+"відповідності ідентифікаторів"
+
+#: src/config/SSSDConfig/__init__.py.in:403
+msgid "Use autorid-compatible algorithm for ID-mapping"
+msgstr ""
+"Використовувати для встановлення відповідності ідентифікаторів алгоритм, "
+"сумісний з autorid"
+
+#: src/config/SSSDConfig/__init__.py.in:404
+msgid "Name of the default domain for ID-mapping"
+msgstr "Назва типового домену для встановлення відповідності ідентифікаторів"
+
+#: src/config/SSSDConfig/__init__.py.in:405
+msgid "SID of the default domain for ID-mapping"
+msgstr "SID типового домену для встановлення відповідності ідентифікаторів"
+
+#: src/config/SSSDConfig/__init__.py.in:406
+msgid "Number of secondary slices"
+msgstr "Кількість вторинних зрізів"
+
+#: src/config/SSSDConfig/__init__.py.in:408
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups"
+msgstr "Використовувати LDAP_MATCHING_RULE_IN_CHAIN щодо пошуків груп (group)"
+
+#: src/config/SSSDConfig/__init__.py.in:409
+msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups"
+msgstr ""
+"Використовувати LDAP_MATCHING_RULE_IN_CHAIN щодо пошуків початкових груп "
+"(initgroup)"
+
+#: src/config/SSSDConfig/__init__.py.in:410
+msgid "Whether to use Token-Groups"
+msgstr "Визначає, чи слід використовувати крупи реєстраційних записів"
+
+#: src/config/SSSDConfig/__init__.py.in:411
+msgid "Set lower boundary for allowed IDs from the LDAP server"
+msgstr "Встановити нижню межу для дозволених ідентифікаторів із сервера LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:412
+msgid "Set upper boundary for allowed IDs from the LDAP server"
+msgstr "Встановити верхню межу для дозволених ідентифікаторів із сервера LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:413
+msgid "DN for ppolicy queries"
+msgstr "DN для запитів щодо ppolicy"
+
+#: src/config/SSSDConfig/__init__.py.in:414
+msgid "How many maximum entries to fetch during a wildcard request"
+msgstr ""
+"Максимальна кількість записів для отримання під час обробки запитів 
із "
+"замінниками"
+
+#: src/config/SSSDConfig/__init__.py.in:417
+msgid "Policy to evaluate the password expiration"
+msgstr "Правила оцінки завершення строку дії пароля"
+
+#: src/config/SSSDConfig/__init__.py.in:421
+msgid "Which attributes shall be used to evaluate if an account is expired"
+msgstr ""
+"Атрибути які слід використовувати для визначення чинності облікового запису"
+
+#: src/config/SSSDConfig/__init__.py.in:422
+msgid "Which rules should be used to evaluate access control"
+msgstr ""
+"Правила, які має бути використано для визначення достатності прав доступу"
+
+#: src/config/SSSDConfig/__init__.py.in:425
+msgid "URI of an LDAP server where password changes are allowed"
+msgstr "Адреса на сервері LDAP, для якої можливі зміни паролів"
+
+#: src/config/SSSDConfig/__init__.py.in:426
+msgid "URI of a backup LDAP server where password changes are allowed"
+msgstr "Адреса резервного сервера LDAP, для якої можливі зміни паролів"
+
+#: src/config/SSSDConfig/__init__.py.in:427
+msgid "DNS service name for LDAP password change server"
+msgstr "Назва у службі DNS сервера зміни паролів LDAP"
+
+#: src/config/SSSDConfig/__init__.py.in:428
+msgid ""
+"Whether to update the ldap_user_shadow_last_change attribute after a "
+"password change"
+msgstr ""
+"Визначає, чи слід оновлювати атрибут ldap_user_shadow_last_change після "
+"зміни пароля"
+
+#: src/config/SSSDConfig/__init__.py.in:431
+msgid "Base DN for sudo rules lookups"
+msgstr "Базова назва домену для пошуків правил sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:432
+msgid "Automatic full refresh period"
+msgstr "Період автоматичного повного оновлення даних"
+
+#: src/config/SSSDConfig/__init__.py.in:433
+msgid "Automatic smart refresh period"
+msgstr "Період автоматичного кмітливого оновлення даних"
+
+#: src/config/SSSDConfig/__init__.py.in:434
+msgid "Whether to filter rules by hostname, IP addresses and network"
+msgstr ""
+"Визначає, чи слід фільтрувати правила за назвами вузлів, IP-адресами та "
+"мережами"
+
+#: src/config/SSSDConfig/__init__.py.in:435
+msgid ""
+"Hostnames and/or fully qualified domain names of this machine to filter sudo "
+"rules"
+msgstr ""
+"Назви вузлів і/або повні назви у домені для цього комп’ютера для "
+"фільтрування списку правил sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:436
+msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules"
+msgstr ""
+"Адреси IPv4 або IPv6 чи мережа цього комп’ютера для фільтрування списку "
+"правил sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:437
+msgid "Whether to include rules that contains netgroup in host attribute"
+msgstr ""
+"Визначає, чи слід включати правила, що містять мережеву групу у атрибуті "
+"вузла"
+
+#: src/config/SSSDConfig/__init__.py.in:438
+msgid ""
+"Whether to include rules that contains regular expression in host attribute"
+msgstr ""
+"Визначає, чи слід включати правила, що містять формальний вираз у атрибуті "
+"вузла"
+
+#: src/config/SSSDConfig/__init__.py.in:439
+msgid "Object class for sudo rules"
+msgstr "Клас об’єктів для правил sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:440
+msgid "Sudo rule name"
+msgstr "Назва правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:441
+msgid "Sudo rule command attribute"
+msgstr "Атрибут команди правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:442
+msgid "Sudo rule host attribute"
+msgstr "Атрибут вузла правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:443
+msgid "Sudo rule user attribute"
+msgstr "Атрибут користувача правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:444
+msgid "Sudo rule option attribute"
+msgstr "Атрибут параметрів правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:445
+msgid "Sudo rule runas attribute"
+msgstr "Атрибут runas правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:446
+msgid "Sudo rule runasuser attribute"
+msgstr ""
+"Атрибут користувача, від імені якого виконуватиметься запуск, правила sudo"
+
+#: 
src/config/SSSDConfig/__init__.py.in:447
+msgid "Sudo rule runasgroup attribute"
+msgstr "Атрибут групи, від імені якої виконуватиметься запуск, правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:448
+msgid "Sudo rule notbefore attribute"
+msgstr "Атрибут граничного часу початку дії правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:449
+msgid "Sudo rule notafter attribute"
+msgstr "Атрибут граничного часу завершення дії правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:450
+msgid "Sudo rule order attribute"
+msgstr "Атрибут порядку правила sudo"
+
+#: src/config/SSSDConfig/__init__.py.in:453
+msgid "Object class for automounter maps"
+msgstr "Клас об’єктів для карт автоматичного монтування"
+
+#: src/config/SSSDConfig/__init__.py.in:454
+msgid "Automounter map name attribute"
+msgstr "Атрибут назви карти автоматичного монтування"
+
+#: src/config/SSSDConfig/__init__.py.in:455
+msgid "Object class for automounter map entries"
+msgstr "Клас об’єктів для записів карт автоматичного монтування"
+
+#: src/config/SSSDConfig/__init__.py.in:456
+msgid "Automounter map entry key attribute"
+msgstr "Атрибут ключа запису карти автоматичного монтування"
+
+#: src/config/SSSDConfig/__init__.py.in:457
+msgid "Automounter map entry value attribute"
+msgstr "Атрибут значення запису карти автоматичного монтування"
+
+#: src/config/SSSDConfig/__init__.py.in:458
+msgid "Base DN for automounter map lookups"
+msgstr "Базовий сервер назв домену для пошуків карти автоматичного монтування"
+
+#: src/config/SSSDConfig/__init__.py.in:461
+msgid "Comma separated list of allowed users"
+msgstr "Відокремлений комами список дозволених користувачів"
+
+#: src/config/SSSDConfig/__init__.py.in:462
+msgid "Comma separated list of prohibited users"
+msgstr "Відокремлений комами список заборонених користувачів"
+
+#: src/config/SSSDConfig/__init__.py.in:465
+msgid "Default shell, /bin/bash"
+msgstr "Типова оболонка, /bin/bash"
+
+#: src/config/SSSDConfig/__init__.py.in:466
+msgid "Base for home directories"
+msgstr "Базова адреса домашніх каталогів"
+
+#: src/config/SSSDConfig/__init__.py.in:469
+msgid "The number of preforked proxy children."
+msgstr "Кількість попередньо відгалужених дочірніх проксі-записів."
+
+#: src/config/SSSDConfig/__init__.py.in:472
+msgid "The name of the NSS library to use"
+msgstr "Назва бібліотеки NSS, яку слід використовувати"
+
+#: src/config/SSSDConfig/__init__.py.in:473
+msgid "Whether to look up canonical group name from cache if possible"
+msgstr ""
+"Визначає, чи слід виконувати пошук канонічної назви групи у кеші, якщо це "
+"можливо"
+
+#: src/config/SSSDConfig/__init__.py.in:476
+msgid "PAM stack to use"
+msgstr "Стек PAM, який слід використовувати"
+
+#: src/config/SSSDConfig/__init__.py.in:479
+msgid "Path of passwd file sources."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:480
+msgid "Path of group file sources."
+msgstr ""
+
+#: src/monitor/monitor.c:2449
+msgid "Become a daemon (default)"
+msgstr "Запуститися фонову службу (типова поведінка)"
+
+#: src/monitor/monitor.c:2451
+msgid "Run interactive (not a daemon)"
+msgstr "Запустити у інтерактивному режимі (без фонової служби)"
+
+#: src/monitor/monitor.c:2454
+msgid "Disable netlink interface"
+msgstr "Вимкнути інтерфейс netlink"
+
+#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311
+msgid "Specify a non-default config file"
+msgstr "Вказати нетиповий файл налаштувань"
+
+#: src/monitor/monitor.c:2458
+msgid "Refresh the configuration database, then exit"
+msgstr "Оновити налаштування бази даних, потім вийти"
+
+#: src/monitor/monitor.c:2461
+msgid "Print version number and exit"
+msgstr "Вивести номер версії і завершити роботу"
+
+#: src/monitor/monitor.c:2627
+msgid "SSSD is already running\n"
+msgstr "SSSD вже запущено\n"
+
+#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605
+msgid "Debug level"
+msgstr "Рівень зневаджування"
+
+#: src/providers/krb5/krb5_child.c:3218 
src/providers/ldap/ldap_child.c:607
+msgid "Add debug timestamps"
+msgstr "Додавати діагностичні часові позначки"
+
+#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609
+msgid "Show timestamps with microseconds"
+msgstr "Показувати мікросекунди у часових позначках"
+
+#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611
+msgid "An open file descriptor for the debug logs"
+msgstr "Дескриптор відкритого файла для запису журналів діагностики"
+
+#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613
+msgid "Send the debug output to stderr directly."
+msgstr "Надіслати діагностичну інформацію безпосередньо до stderr."
+
+#: src/providers/krb5/krb5_child.c:3228
+msgid "The user to create FAST ccache as"
+msgstr "Користувач, від імені якого слід створити ccache FAST"
+
+#: src/providers/krb5/krb5_child.c:3230
+msgid "The group to create FAST ccache as"
+msgstr "Група, від імені якої слід створити ccache FAST"
+
+#: src/providers/krb5/krb5_child.c:3232
+msgid "Kerberos realm to use"
+msgstr "Область Kerberos, якою слід скористатися"
+
+#: src/providers/krb5/krb5_child.c:3234
+msgid "Requested lifetime of the ticket"
+msgstr "Запитаний строк дії квитка"
+
+#: src/providers/krb5/krb5_child.c:3236
+msgid "Requested renewable lifetime of the ticket"
+msgstr "Запитаний час оновлення строку дії квитка"
+
+#: src/providers/krb5/krb5_child.c:3238
+msgid "FAST options ('never', 'try', 'demand')"
+msgstr "Параметри FAST ('never', 'try', 'demand')"
+
+#: src/providers/krb5/krb5_child.c:3241
+msgid "Specifies the server principal to use for FAST"
+msgstr ""
+"Визначає реєстраційний запис сервера, який слід використовувати для FAST"
+
+#: src/providers/krb5/krb5_child.c:3243
+msgid "Requests canonicalization of the principal name"
+msgstr "Вимагає перетворення реєстраційного запису у канонічну форму"
+
+#: src/providers/krb5/krb5_child.c:3245
+msgid "Use custom version of krb5_get_init_creds_password"
+msgstr "Використовувати нетипову версію krb5_get_init_creds_password"
+
+#: src/providers/data_provider_be.c:556
+msgid "Domain of the information provider (mandatory)"
+msgstr "Домен надання відомостей (обов’язковий)"
+
+#: src/sss_client/common.c:1066
+msgid "Privileged socket has wrong ownership or permissions."
+msgstr "У привілейованого сокета помилковий власник або права доступу."
+
+#: src/sss_client/common.c:1069
+msgid "Public socket has wrong ownership or permissions."
+msgstr "У відкритого сокета помилковий власник або права доступу."
+
+#: src/sss_client/common.c:1072
+msgid "Unexpected format of the server credential message."
+msgstr "Некоректний формат повідомлення щодо реєстраційних даних сервера."
+
+#: src/sss_client/common.c:1075
+msgid "SSSD is not run by root."
+msgstr "SSSD запущено не від імені користувача root."
+
+#: src/sss_client/common.c:1080
+msgid "An error occurred, but no description can be found."
+msgstr "Сталася помилка, але не вдалося знайти її опису."
+
+#: src/sss_client/common.c:1086
+msgid "Unexpected error while looking for an error description"
+msgstr "Неочікувана помилка під час пошуку опису помилки"
+
+#: src/sss_client/pam_sss.c:76
+msgid "Permission denied. "
+msgstr "Відмовлено у доступі. "
+
+#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782
+#: src/sss_client/pam_sss.c:793
+msgid "Server message: "
+msgstr "Повідомлення сервера: "
+
+#: src/sss_client/pam_sss.c:300
+msgid "Passwords do not match"
+msgstr "Паролі не збігаються"
+
+#: src/sss_client/pam_sss.c:488
+msgid "Password reset by root is not supported."
+msgstr "Підтримки скидання пароля користувачем root не передбачено."
+
+#: src/sss_client/pam_sss.c:529
+msgid "Authenticated with cached credentials"
+msgstr "Розпізнано за реєстраційними даними з кешу"
+
+#: src/sss_client/pam_sss.c:530
+msgid ", your cached password will expire at: "
+msgstr ", строк дії вашого кешованого пароля завершиться: "
+
+#: src/sss_client/pam_sss.c:560
+#, c-format
+msgid "Your password has expired. You have %1$d grace login(s) remaining."
+msgstr "Строк дії вашого пароля вичерпано. Залишилося %1$d резервних входи."
+
+#: src/sss_client/pam_sss.c:606
+#, c-format
+msgid "Your password will expire in %1$d %2$s."
+msgstr "Строк дії вашого пароля завершиться за %1$d %2$s."
+
+#: src/sss_client/pam_sss.c:655
+msgid "Authentication is denied until: "
+msgstr "Розпізнавання заборонено до: "
+
+#: src/sss_client/pam_sss.c:676
+msgid "System is offline, password change not possible"
+msgstr "Система працює у автономному режимі, зміна пароля неможлива"
+
+#: src/sss_client/pam_sss.c:691
+msgid ""
+"After changing the OTP password, you need to log out and back in order to "
+"acquire a ticket"
+msgstr ""
+"Після зміни пароля OTP вам слід вийти із системи і увійти до неї знову, щоб "
+"отримати про квиток"
+
+#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792
+msgid "Password change failed. "
+msgstr "Спроба зміни пароля зазнала невдачі. "
+
+#: src/sss_client/pam_sss.c:1926
+msgid "New Password: "
+msgstr "Новий пароль: "
+
+#: src/sss_client/pam_sss.c:1927
+msgid "Reenter new Password: "
+msgstr "Ще раз введіть новий пароль: "
+
+#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042
+msgid "First Factor: "
+msgstr "Перший фактор:"
+
+#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202
+msgid "Second Factor (optional): "
+msgstr "Другий фактор (необов'язковий): "
+
+#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205
+msgid "Second Factor: "
+msgstr "Другий фактор:"
+
+#: src/sss_client/pam_sss.c:2058
+msgid "Password: "
+msgstr "Пароль: "
+
+#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204
+msgid "First Factor (Current Password): "
+msgstr "Перший фактор (поточний пароль): "
+
+#: src/sss_client/pam_sss.c:2208
+msgid "Current Password: "
+msgstr "Поточний пароль: "
+
+#: src/sss_client/pam_sss.c:2536
+msgid "Password expired. Change your password now."
+msgstr "Строк дії пароля вичерпано. Змініть ваш пароль."
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48
+#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44
+#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668
+#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47
+#: src/tools/sss_cache.c:670
+msgid "The debug level to run with"
+msgstr "Рівень діагностики під час запуску"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208
+msgid "The SSSD domain to use"
+msgstr "Домен SSSD, який слід використовувати"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74
+#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54
+#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680
+#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79
+#: src/tools/sss_cache.c:716
+msgid "Error setting the locale\n"
+msgstr "Помилка під час спроби встановити локаль\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64
+msgid "Not enough memory\n"
+msgstr "Недостатньо пам’яті\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83
+msgid "User not specified\n"
+msgstr "Не вказано користувача\n"
+
+#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97
+msgid "Error looking up public keys\n"
+msgstr "Помилка під час спроби пошуку відкритих ключів\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206
+msgid "The port to use to connect to the host"
+msgstr "Порт, яким слід користуватися для встановлення з’єднань з вузлом"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210
+msgid "Print the host ssh public keys"
+msgstr ""
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252
+msgid "Invalid port\n"
+msgstr "Некоректний порт.\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257
+msgid "Host not specified\n"
+msgstr "Не вказано вузол\n"
+
+#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263
+msgid "The path to the proxy command must be absolute\n"
+msgstr "Має бути вказано абсолютний шлях до команди проксі-сервера\n" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "Ідентифікатор користувача" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "Рядок коментаря" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "Домашній каталог" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "Оболонка входу" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "Групи" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "Створити каталог користувача, якщо його ще не існує" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "Ніколи не створювати каталог користувача, перевизначає налаштування" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "Вказати альтернативний основний каталог" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "Ім’я користувача SELinux для входу до системи" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "Вкажіть групу для додавання\n" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "Вкажіть користувача, запис якого слід додати\n" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "Помилка ініціалізації інструментів: немає локального домену\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 
src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "Помилка ініціалізації інструментів\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "У FQDN вказано некоректний домен\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "Внутрішня помилка під час обробки параметрів\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "Групи мають належати до того самого домену, що і користувач\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "Не вдалося знайти групу %1$s у локальному домені\n" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "Не вдалося встановити типові значення\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" +"Вибраний ідентифікатор користувача не належить до діапазону дозволених\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "Не вдалося встановити контекст входу SELinux\n" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "Не вдалося отримати відомості щодо користувача\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" +"Домашній каталог користувача вже існує, копіювання даних з каталогу skel не " +"виконуватиметься\n" + +#: 
src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "Не вдалося створити домашній каталог користувача: %1$s\n" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "Не вдалося створити поштовий буфер користувача: %1$s\n" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" +"Не вдалося отримати ідентифікатор для користувача. Домен переповнено?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" +"Вже існує користувач або група з таким самим іменем, назвою або " +"ідентифікатором\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "Помилка під час виконання операції. Не вдалося додати користувача.\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "Ідентифікатор групи" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "Вкажіть групу, яку слід додати\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "Вибраний ідентифікатор групи не належить до діапазону дозволених\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "Не вдалося отримати ідентифікатор для групи. Домен переповнено?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "Вже існує група з такою самою назвою або ідентифікатором\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "Помилка під час виконання операції Не вдалося додати групу.\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "Вкажіть групу, яку слід вилучити\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "Група %1$s не належить визначеному діапазону ідентифікаторів домену\n" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" +"Спроба запиту NSS зазнала невдачі (%1$d). Запис може залишитися у кеші у " +"пам’яті.\n" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" +"У локальному домені немає такої групи. Вилучення груп можливе лише у межах " +"локального домену.\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "Внутрішня помилка. Не вдалося вилучити запис групи.\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "Групи, до яких слід додати цю групу" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "Групи, з яких слід вилучити цю групу" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "Вкажіть групу, запис якої слід вилучити\n" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "Вкажіть групу, запис якої слід змінити\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" +"Не вдалося знайти групу у локальному домені. 
Зміну записів груп можна " +"виконувати лише у межах локального домену\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" +"Групи-учасники мають належати до того самого домену, що і основна група\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" +"Не вдалося знайти групу %1$s у локальному домені, можна використовувати лише " +"групи з локального домену\n" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" +"Не вдалося змінити запис групи. Перевірте, чи правильно вказано назви груп-" +"учасників\n" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" +"Не вдалося змінити запис групи. Перевірте, чи правильно вказано назву групи\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. 
Could not modify group.\n" +msgstr "Помилка під час виконання операції Не вдалося змінити групу.\n" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "%1$s%2$sГрупа: %3$s\n" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "Магічна приватна " + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "%1$sНомер GID: %2$d\n" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "%1$sКористувачі-учасники: " + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" +"\n" +"%1$sє учасником: " + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" +"\n" +"%1$sГрупи-учасники: " + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "Виводити дані щодо непрямих учасників групи рекурсивно" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "Вкажіть групу, дані якої слід показати\n" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" +"У локальному домені немає такої групи. Вивід даних груп можливий лише у " +"межах локального домену.\n" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "Внутрішня помилка. 
Не вдалося вивести дані групи.\n" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "Вилучити домашній каталог і поштовий буфер" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "Не вилучати домашній каталог і поштовий буфер" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "Примусово вилучити файли, які не належать користувачеві" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "Припинити роботу процесів користувача перед вилученням його запису" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "Вкажіть користувача, запис якого слід вилучити\n" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" +"Користувач %1$s не належить визначеному діапазону ідентифікаторів домену\n" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "Не вдалося відновити початковий контекст входу SELinux\n" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" +"ПОПЕРЕДЖЕННЯ: користувач (uid %1$lu) все ще працював у системі на час " +"вилучення його запису.\n" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" +"Не вдалося визначити, чи увійшов користувач до системи на цій платформі" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was logged in\n" +msgstr "Помилка під час перевірки входу користувача до системи\n" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "Помилка команди, яку слід було виконати після вилучення запису: %1$s\n" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "Домашній каталог не буде вилучено. 
Він не належить користувачеві.\n" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "Не вдалося вилучити домашній каталог: %1$s\n" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" +"У локальному домені немає такого користувача. Вилучення користувачів можливе " +"лише у межах локального домену.\n" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "Внутрішня помилка Не вдалося вилучити запис користувача.\n" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "Ідентифікатор групи користувача" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "Групи, до яких слід додати цього користувача" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "Групи, з яких слід вилучити цього користувача" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "Заблокувати обліковий запис" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "Розблокувати обліковий запис" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Додати пару атрибут-значення. Форматування: атрибут=значення." + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Вилучити пару атрибут-значення. Форматування: атрибут=значення." + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" +"Встановити для вказаного за назвою атрибута значення. Форматування: " +"атрибут=значення. Для атрибутів з декількома значеннями команда призведе до " +"заміни поточних значень." 
+ +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "Вказати пари атрибут-значення\n" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "Вкажіть користувача, запис якого слід змінити\n" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" +"Не вдалося знайти користувача у локальному домені. Зміну записів " +"користувачів можна виконувати лише у межах локального домену\n" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" +"Не вдалося змінити запис користувача. Перевірте, чи правильно вказано назви " +"груп\n" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" +"Не вдалося змінити запис користувача. Користувач вже є учасником груп?\n" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" +"Помилка під час виконання операції. 
Не вдалося змінити запис користувача.\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "Вказаному критерію пошуку не відповідає жоден об’єкт у кеші\n" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "Не вдалося скасувати чинність %1$s\n" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "Не вдалося скасувати чинність %1$s %2$s\n" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "Скасувати чинність усіх кешованих записів" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "Скасувати визначення певного користувача" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "Скасувати визначення всіх користувачів" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "Скасувати визначення певної групи" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "Скасувати визначення всіх груп" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "Скасувати визначення певної мережевої групи" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "Скасувати визначення всіх мережевих груп" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "Скасувати визначення певної служби" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "Скасувати визначення всіх служб" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "Скасувати визначення певну карту autofs" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "Скасувати визначення всіх карт autofs" + +#: src/tools/sss_cache.c:697 +msgid "Invalidate particular SSH host" +msgstr "Скасувати чинність певного вузла SSH" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "Скасувати чинність усіх вузлів SSH" + +#: 
src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "Скасувати чинність певного правила sudo" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "Скасувати чинність усіх кешованих правил sudo" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "Скасувати визначення лише записів з певного домену" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" +"Надано неочікувані аргументи. Параметри, які скасовують чинність окремого " +"об'єкта вимагають лише одного наданого аргументу.\n" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" +"Будь ласка, виберіть принаймні один об’єкт для скасовування відповідності\n" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" +"Не вдалося відкрити домен %1$s. 
Якщо цей домен є піддоменом (довіреним " +"доменом), скористайтеся повною назвою замість параметра --domain/-d.\n" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "Не вдалося відкрити доступні домени\n" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "Здається, назва «%1$s» не є FQDN (встановлено «%2$s = TRUE»)\n" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "Не вистачає пам'яті\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "%1$s слід запускати від імені користувача root\n" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "так" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "ні" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "помилка" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "Некоректний результат." + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "Не вдалося прочитати вхідні дані користувача\n" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "Некоректні вхідні дані, будь ласка, вкажіть «%s» або «%s».\n" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "Помилка під час спроби виконати зовнішню команду\n" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "SSSD має бути запущено. Запустити SSSD зараз?" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "Роботу SSSD не завершено. Зупинити SSSD зараз?" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" +msgstr "SSSD слід перезапустити. Перезапустити SSSD зараз?" 
+ +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr " %s немає у кеші.\n" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "Назва" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "Дата створення запису у кеші" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "Момент останнього оновлення запису у кеші" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "Час завершення строку дії запису у кеші" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "Кешовано в InfoPipe" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "Помилка: не вдалося отримати об'єкт [%d]: %s\n" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "%s: не вдалося прочитати значення [%d]: %s\n" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "Вказати ім'я." + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "Не вдалося обробити ім'я %s.\n" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "Шукати за SID" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "Шукати за ідентифікатором користувача" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "Час завершення строку дії груп ініціалізації" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "Шукати за ідентифікатором групи" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" +"Файла %1$s не існує. 
SSSD використовуватиме типові налаштування для модуля " +"надання даних щодо файлів.\n" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. Expected root:root and 0600.\n" +msgstr "" +"Не вдалося виконати перевірку прав власності і доступу до файлів. Мало бути " +"root:root і 0600.\n" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "Вади, які виявлено засобами перевірки: %zu\n" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "Повідомлення, створені під час об'єднування налаштувань: %zu\n" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "Використані файли фрагментів налаштувань: %u\n" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "Не вдалося створити каталог резервної копії [%d]: %s" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" +"Резервна копія SSSD для локальних даних вже існує. Хочете її перезаписати?" 
+ +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "Не вдалося експортувати перевизначення користувача\n" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "Не вдалося експортувати перевизначення групи\n" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "Перевизначити наявну резервну копію" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "Не вдалося імпортувати перевизначення користувача\n" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "Не вдалося імпортувати перевизначення групи\n" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "Запустити SSSD, якщо його ще не запущено" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "Перезапустити SSSD після імпортування даних" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "Створити порожні файли кешу і імпортувати локальні дані" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "Зупинка SSSD до вилучення кешу" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "Запуск SSSD після вилучення кешу" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "Створюємо резервну копію локальних даних...\n" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" +msgstr "" +"Не вдалося створити резервну копію локальних даних, не вдалося вилучити " +"кеш.\n" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid 
"Removing cache files...\n" +msgstr "Вилучаємо файли кешу...\n" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "Не вдалося вилучити файли кешу\n" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "Відновлюємо локальні дані...\n" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" +"Показати список доменів з включенням основних або довірених типів доменів" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "Стан з'єднання: %s\n" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "У мережі" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "Поза мережею" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "Активні сервери:\n" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "не з’єднано" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "Виявлено сервери %s:\n" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "Поки немає.\n" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "Показати стан з'єднання" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "Показати дані щодо активного сервера" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "Показати список виявлених серверів" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." +msgstr "Вказати назву домену." 
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr "Не вистачає пам'яті\n"
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr "Не вдалося отримати стан з'єднання\n"
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr "Не вдалося отримати список серверів\n"
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr "\n"
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr "Вилучити файли журналу замість обрізання"
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr "Вилучаємо файли журналу...\n"
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr "Не вдалося вилучити файли журналу\n"
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr "Обрізаємо файли журналу...\n"
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr "Не вдалося обрізати файли журналу\n"
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr "Не вистачає пам'яті!"
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr "Архівуємо файли журналу до %s...\n"
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr "Не вдалося архівувати файли журналу\n"
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr "Вкажіть рівень діагностики, яким ви хочете скористатися"
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+"Перевірте, чи запущено SSSD і чи увімкнено відповідач InfoPipe. "
+"Переконайтеся, що у списку параметра «services» у sssd.conf є запис «ifp».\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr "Не вдалося встановити з'єднання із InfoPipe"
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr "Не вдалося отримати об'єкт користувача"
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr "Результат пошуку користувача у InfoPipe SSSD:\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr "Не вдалося отримати атрибут імені користувача"
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr "Помилка dlopen [%s].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr "Помилка dlsym [%s].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr "Помилка malloc.\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr "помилка sss_getpwnam_r [%d].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr "Результат пошуку користувача у nss SSSD:\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr " - ім'я користувача: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr " - ід. користувача: %d\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr " - ід. групи: %d\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr " - gecos: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr " - домашній каталог: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+" - оболонка: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr "Дія PAM [auth|acct|setc|chau|open|clos], типове значення: "
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr "Служба PAM, типове значення: "
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr "Вказати ім'я користувача."
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+"користувач: %s\n"
+"дія: %s\n"
+"служба: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr "Не вдалося знайти користувача за допомогою [%s].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr "Не вдалося знайти користувача InfoPipe за допомогою [%s].\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr "Помилка pam_start: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+"перевіряємо pam_authenticate\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr "Помилка pam_get_item: %s\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+"pam_authenticate для користувача [%s]: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+"перевіряємо pam_chauthtok\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+"pam_chauthtok: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+"перевіряємо pam_acct_mgmt\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+"pam_acct_mgmt: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+"перевіряємо pam_setcred\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+"pam_setcred: [%s]\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+"перевіряємо pam_open_session\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+"pam_open_session: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+"перевіряємо pam_close_session\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+"pam_close_session: %s\n"
+"\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr "невідома дія\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr "Середовище PAM:\n"
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr " - немає середовища -\n"
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr "Ідентифікатор користувача, від імені якого слід запустити сервер"
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr 
"Ідентифікатор групи, від імені якої слід запустити сервер" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "Інформує про те, що на відповідачі задіяно сокет" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "Інформує про те, що на відповідачі задіяно D-Bus" diff --git a/po/zh_CN.gmo b/po/zh_CN.gmo new file mode 100644 index 0000000000000000000000000000000000000000..c2c8640cea0e7d509569a9a4d2b63dce98507d9b GIT binary patch literal 1268 zcmZ9KQEwYX5XToNr5qs9q85-4T3%2qv_88{rRYLXjBzWgO=~5lARa*LyY+eDe0%J! zou*HXASF~m6i_fliIj>~L{y0*fue{uhYA4E!AU0`Pm_%fMyeo4`%r zVc>s247?BgAN%(7BGJIOW^CkC19+37Z~UL z0|eQ`KsvE_riXR_4$pvFgTPb3{oqf7KMM}!spUOSGNrJn;VN}MYeu+K&SS-7i%FDk z>N*QGcd6zg#F{slXlhgtjRp-ptOZt@N}Z&0m!Z8t_ig2(}$|D|Yv0yCVN~=tbc|y{R*Vx63D;jo`Zb{jZ9gl4X10nlT{gc8u``E6sgOi9gUK%g%Ei{+O zS_Khm_@PK;I)XiDc2V0=KzTTV-8z+u>CyKqr^xVLUfe*9Nm2}5;lUSn@NkuDs~j{X z4ag}W8_L09lw8$lZUm>t(d>xzAvw)LCes}aHZznN%AB;4|J2<4s(WXvxA={@dc#~_ zF^lVF=`y)8ClwwKtHt)-hLC1}Wcdb?@9vDj%;gi!1&0FZ!K@Ui+5WZg)3V z&HSvnb{iz_wg2eN{f>I=<=(>F&h3u*_LoQg@yCVwYk!%wpC8rgudSP{g`L%}cmDhp wb+?zy>QAO~WoLQD{4i%W=gsB2$XvN@W^biM-R&E_nU0xTPdn-T2qSKw2X#!XU;qFB literal 0 HcmV?d00001 diff --git a/po/zh_CN.po b/po/zh_CN.po new file mode 100644 index 0000000..c99de03 --- /dev/null +++ b/po/zh_CN.po 
@@ -0,0 +1,2800 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+# Christopher Meng , 2012
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2014-12-14 11:50+0000\n"
+"Last-Translator: Copied by Zanata \n"
+"Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
+"language/zh_CN/)\n"
+"Language: zh_CN\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr "设定调试日志记录等级"
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "在调试日志中包含时间戳"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "写入调试信息到日志文件"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "启动服务命令"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid "How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's private key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:150
+msgid "Identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:151
+msgid "Authentication provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:152
+msgid "Access control provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:153
+msgid "Password change provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:154
+msgid "SUDO provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:155
+msgid "Autofs provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:156
+msgid "Host identity provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:157
+msgid "SELinux provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:158
+msgid "Session management provider"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:161
+msgid "Whether the domain is usable by the OS or by applications"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:162
+msgid "Minimum user ID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:163
+msgid "Maximum user ID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:164
+msgid "Enable enumerating all users/groups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:165
+msgid "Cache credentials for offline login"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:166
+msgid "Store password hashes"
+msgstr "保存密码哈希值"
+
+#: src/config/SSSDConfig/__init__.py.in:167
+msgid "Display users/groups in fully-qualified form"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:168
+msgid "Don't include group members in group lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:169
+#: src/config/SSSDConfig/__init__.py.in:176
+#: src/config/SSSDConfig/__init__.py.in:177
+#: src/config/SSSDConfig/__init__.py.in:178
+#: src/config/SSSDConfig/__init__.py.in:179
+#: src/config/SSSDConfig/__init__.py.in:180
+#: src/config/SSSDConfig/__init__.py.in:181
+msgid "Entry cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:170
+msgid ""
+"Restrict or prefer a specific address family when performing DNS lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:171
+msgid "How long to keep cached entries after last successful login (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:172
+msgid "How long to wait for replies from DNS when resolving servers (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:173
+msgid "The domain part of service discovery DNS query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:174
+msgid "Override GID value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:175
+msgid "Treat usernames as case sensitive"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:182
+msgid "How often should expired entries be refreshed in background"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:183
+msgid "Whether to automatically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:184
+#: src/config/SSSDConfig/__init__.py.in:206
+msgid "The TTL to apply to the client's DNS entry after updating it"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:185
+#: src/config/SSSDConfig/__init__.py.in:207
+msgid "The interface whose IP should be used for dynamic DNS updates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:186
+msgid "How often to periodically update the client's DNS entry"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:187
+msgid "Whether the provider should explicitly update the PTR record as well"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:188
+msgid "Whether the nsupdate utility should default to using TCP"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:189
+msgid "What kind of authentication should be used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:190
+msgid "Override the DNS server used to perform the DNS update"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:191
+msgid "Control enumeration of trusted domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:192
+msgid "How often should subdomains list be refreshed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:193
+msgid "List of options that should be inherited into a subdomain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:194
+msgid "Default subdomain homedir value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:195
+msgid "How long can cached credentials be used for cached authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:198
+msgid "Whether to automatically create private groups for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:201
+msgid "IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:202
+msgid "IPA server address"
+msgstr "IPA 服务器地址"
+
+#: src/config/SSSDConfig/__init__.py.in:203
+msgid "Address of backup IPA server"
+msgstr "IPA 备份服务器地址"
+
+#: src/config/SSSDConfig/__init__.py.in:204
+msgid "IPA client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:205
+msgid "Whether to automatically update the client's DNS entry in FreeIPA"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:208
+msgid "Search base for HBAC related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:209
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:210
+msgid ""
+"The amount of time in seconds between lookups of the SELinux maps against "
+"the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:211
+msgid "If set to false, host argument given by PAM will be ignored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:212
+msgid "The automounter location this IPA client is using"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:213
+msgid "Search base for object containing info about IPA domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:214
+msgid "Search base for objects containing info about ID ranges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:215
+#: src/config/SSSDConfig/__init__.py.in:233
+msgid "Enable DNS sites - location based service discovery"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:216
+msgid "Search base for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:217
+msgid "Objectclass for view containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:218
+msgid "Attribute with the name of the view"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:219
+msgid "Objectclass for override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:220
+msgid "Attribute with the reference to the original object"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:221
+msgid "Objectclass for user override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:222
+msgid "Objectclass for group override objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:223
+msgid "Search base for Desktop Profile related objects"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:224
+msgid ""
+"The amount of time in seconds between lookups of the Desktop Profile rules "
+"against the IPA server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:225
+msgid ""
+"The amount of time in minutes between lookups of Desktop Profiles rules "
+"against the IPA server when the last request did not find any rule"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:228
+msgid "Active Directory domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:229
+msgid "Enabled Active Directory domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:230
+msgid "Active Directory server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:231
+msgid "Active Directory backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:232
+msgid "Active Directory client hostname"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:234
+#: src/config/SSSDConfig/__init__.py.in:420
+msgid "LDAP filter to determine access privileges"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:235
+msgid "Whether to use the Global Catalog for lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:236
+msgid "Operation mode for GPO-based access control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:237
+msgid ""
+"The amount of time between lookups of the GPO policy files against the AD "
+"server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:238
+msgid ""
+"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy "
+"settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:239
+msgid ""
+"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight "
+"policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:240
+msgid ""
+"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:241
+msgid ""
+"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:242
+msgid ""
+"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:243
+msgid "PAM service names for which GPO-based access is always granted"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:244
+msgid "PAM service names for which GPO-based access is always denied"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:245
+msgid ""
+"Default logon right (or permit/deny) to use for unmapped PAM service names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:246
+msgid "a particular site to be used by the client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:247
+msgid ""
+"Maximum age in days before the machine account password should be renewed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:248
+msgid "Option for tuning the machine account renewal task"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:251
+#: src/config/SSSDConfig/__init__.py.in:252
+msgid "Kerberos server address"
+msgstr "Kerberos 服务器地址"
+
+#: src/config/SSSDConfig/__init__.py.in:253
+msgid "Kerberos backup server address"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:254
+msgid "Kerberos realm"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:255
+msgid "Authentication timeout"
+msgstr "验证超时"
+
+#: src/config/SSSDConfig/__init__.py.in:256
+msgid "Whether to create kdcinfo files"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:257
+msgid "Where to drop krb5 config snippets"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:260
+msgid "Directory to store credential caches"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:261
+msgid "Location of the user's credential cache"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:262
+msgid "Location of the keytab to validate credentials"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:263
+msgid "Enable credential validation"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:264
+msgid "Store password if offline for later online authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:265
+msgid "Renewable lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:266
+msgid "Lifetime of the TGT"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:267
+msgid "Time between two checks for renewal"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:268
+msgid "Enables FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:269
+msgid "Selects the principal to use for FAST"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:270
+msgid "Enables principal canonicalization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:271
+msgid "Enables enterprise principals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:272
+msgid "A mapping from user names to Kerberos principal names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:275
+#: src/config/SSSDConfig/__init__.py.in:276
+msgid "Server where the change password service is running if not on the KDC"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:279
+msgid "ldap_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:280
+msgid "ldap_backup_uri, The URI of the LDAP server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:281
+msgid "The default base DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:282
+msgid "The Schema Type in use on the LDAP server, rfc2307"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:283
+msgid "The default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:284
+msgid "The type of the authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:285
+msgid "The authentication token of the default bind DN"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:286
+msgid "Length of time to attempt connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:287
+msgid "Length of time to attempt synchronous LDAP operations"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:288
+msgid "Length of time between attempts to reconnect while offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:289
+msgid "Use only the upper case for realm names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:290
+msgid "File that contains CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:291
+msgid "Path to CA certificate directory"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:292
+msgid "File that contains the client certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:293
+msgid "File that contains the client key"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:294
+msgid "List of possible ciphers suites"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:295
+msgid "Require TLS certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:296
+msgid "Specify the sasl mechanism to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:297
+msgid "Specify the sasl authorization id to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:298
+msgid "Specify the sasl authorization realm to use"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:299
+msgid "Specify the minimal SSF for LDAP sasl authorization"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:300
+msgid "Kerberos service keytab"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:301
+msgid "Use Kerberos auth for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:302
+msgid "Follow LDAP referrals"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:303
+msgid "Lifetime of TGT for LDAP connection"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:304
+msgid "How to dereference aliases"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:305
+msgid "Service name for DNS service lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:306
+msgid "The number of records to retrieve in a single LDAP query"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:307
+msgid "The number of members that must be missing to trigger a full deref"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:308
+msgid ""
+"Whether the LDAP library should perform a reverse lookup to canonicalize the "
+"host name during a SASL bind"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:310
+msgid "entryUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:311
+msgid "lastUSN attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:313
+msgid "How long to retain a connection to the LDAP server before disconnecting"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:315
+msgid "Disable the LDAP paging control"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:316
+msgid "Disable Active Directory range retrieval"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:319
+msgid "Length of time to wait for a search request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:320
+msgid "Length of time to wait for a enumeration request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:321
+msgid "Length of time between enumeration updates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:322
+msgid "Length of time between cache cleanups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:323
+msgid "Require TLS for ID lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:324
+msgid "Use ID-mapping of objectSID instead of pre-set IDs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:325
+msgid "Base DN for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:326
+msgid "Scope of user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:327
+msgid "Filter for user lookups"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:328
+msgid "Objectclass for users"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:329
+msgid "Username attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:331
+msgid "UID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:332
+msgid "Primary GID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:333
+msgid "GECOS attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:334
+msgid "Home directory attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:335
+msgid "Shell attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:336
+msgid "UUID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:337
+#: src/config/SSSDConfig/__init__.py.in:379
+msgid "objectSID attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:338
+msgid "Active Directory primary group attribute for ID-mapping"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:339
+msgid "User principal attribute (for Kerberos)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:340
+msgid "Full Name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:341
+msgid "memberOf attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:342
+msgid "Modification time attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:344
+msgid "shadowLastChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:345
+msgid "shadowMin attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:346
+msgid "shadowMax attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:347
+msgid "shadowWarning attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:348
+msgid "shadowInactive attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:349
+msgid "shadowExpire attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:350
+msgid "shadowFlag attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:351
+msgid "Attribute listing authorized PAM services"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:352
+msgid "Attribute listing authorized server hosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:353
+msgid "Attribute listing authorized server rhosts"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:354
+msgid "krbLastPwdChange attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:355
+msgid "krbPasswordExpiration attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:356
+msgid "Attribute indicating that server side password policies are active"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:357
+msgid "accountExpires attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:358
+msgid "userAccountControl attribute of AD"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:359
+msgid "nsAccountLock attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:360
+msgid "loginDisabled attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:361
+msgid "loginExpirationTime attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:362
+msgid "loginAllowedTimeMap attribute of NDS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:363
+msgid "SSH public key attribute"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:364
+msgid "attribute listing allowed authentication types for a user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:365
+msgid "attribute containing the X509 certificate of the user"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:366
+msgid 
"attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate 
if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." +msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr "" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. " +msgstr "" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. 
Change your password now." +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "无效端口\n" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "" + +#: src/tools/sss_useradd.c:51 
src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid "Error initializing the tools - no local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in 
the same domain as user\n" +msgstr "" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. 
Could not add group.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. Could not remove group.\n" +msgstr "" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:265 +msgid 
"Transaction error. Could not modify group.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. Could not print group.\n" +msgstr "" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while 
checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. Could not remove user.\n" +msgstr "" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. Could not modify user.\n" +msgstr "" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid 
"Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain %1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" 
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:195
+msgid "SSSD must not be running. Stop SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl.c:231
+msgid "SSSD needs to be restarted. Restart SSSD now?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:31
+#, c-format
+msgid " %s is not present in cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:33
+msgid "Name"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:34
+msgid "Cache entry creation date"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:35
+msgid "Cache entry last update time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:36
+msgid "Cache entry expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:37
+msgid "Cached in InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:512
+#, c-format
+msgid "Error: Unable to get object [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:528
+#, c-format
+msgid "%s: Unable to read value [%d]: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:556
+msgid "Specify name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:566
+#, c-format
+msgid "Unable to parse name %s.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639
+msgid "Search by SID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:593
+msgid "Search by user ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:602
+msgid "Initgroups expiration time"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_cache.c:640
+msgid "Search by group ID"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:67
+#, c-format
+msgid ""
+"File %1$s does not exist. SSSD will use default configuration with files "
+"provider.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:81
+#, c-format
+msgid ""
+"File ownership and permissions check failed. 
Expected root:root and 0600.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:104
+#, c-format
+msgid "Issues identified by validators: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:114
+#, c-format
+msgid "Messages generated during configuration merging: %zu\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_config.c:127
+#, c-format
+msgid "Used configuration snippet files: %u\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:89
+#, c-format
+msgid "Unable to create backup directory [%d]: %s"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:95
+msgid "SSSD backup of local data already exists, override?"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:111
+#, c-format
+msgid "Unable to export user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:118
+#, c-format
+msgid "Unable to export group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217
+msgid "Override existing backup"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:164
+#, c-format
+msgid "Unable to import user overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:173
+#, c-format
+msgid "Unable to import group overrides\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74
+#: src/tools/sssctl/sssctl_domains.c:339
+msgid "Start SSSD if it is not running"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:195
+msgid "Restart SSSD after data import"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:218
+msgid "Create clean cache files and import local data"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:219
+msgid "Stop SSSD before removing the cache"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:220
+msgid "Start SSSD when the cache is removed"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:235
+#, c-format
+msgid "Creating backup of local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:238
+#, c-format
+msgid "Unable to create backup of local data, can not remove the cache.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:243
+#, c-format
+msgid "Removing cache files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:246
+#, c-format
+msgid "Unable to remove cache files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_data.c:251
+#, c-format
+msgid "Restoring local data...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:75
+msgid "Show domain list including primary or trusted domain type"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+#, c-format
+msgid "Online status: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Online"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:156
+msgid "Offline"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:214
+#, c-format
+msgid "Active servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:231
+msgid "not connected"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:278
+#, c-format
+msgid "Discovered %s servers:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:296
+msgid "None so far.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:336
+msgid "Show online status"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:337
+msgid "Show information about active server"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:338
+msgid "Show list of discovered servers"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:344
+msgid "Specify domain name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:360
+#, c-format
+msgid "Out of memory!\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387
+#, c-format
+msgid "Unable to get online status\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_domains.c:397
+#, c-format
+msgid "Unable to get server list\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:47
+msgid "\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:237
+msgid "Delete log files instead of truncating"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:248
+#, c-format
+msgid "Deleting log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:251
+#, c-format
+msgid "Unable to remove log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:257
+#, c-format
+msgid "Truncating log files...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:260
+#, c-format
+msgid "Unable to truncate log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:286
+#, c-format
+msgid "Out of memory!"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:289
+#, c-format
+msgid "Archiving log files into %s...\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:292
+#, c-format
+msgid "Unable to archive log files\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_logs.c:317
+msgid "Specify debug level you want to set"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_sifp.c:28
+msgid ""
+"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure "
+"'ifp' is listed in the 'services' option in sssd.conf.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:91
+#, c-format
+msgid "Unable to connect to the InfoPipe"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:97
+#, c-format
+msgid "Unable to get user object"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:101
+#, c-format
+msgid "SSSD InfoPipe user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:113
+#, c-format
+msgid "Unable to get user name attr"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:146
+#, c-format
+msgid "dlopen failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:153
+#, c-format
+msgid "dlsym failed with [%s].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:161
+#, c-format
+msgid "malloc failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:168
+#, c-format
+msgid "sss_getpwnam_r failed with [%d].\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:173
+#, c-format
+msgid "SSSD nss user lookup result:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:174
+#, c-format
+msgid " - user name: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:175
+#, c-format
+msgid " - user id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:176
+#, c-format
+msgid " - group id: %d\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:177
+#, c-format
+msgid " - gecos: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:178
+#, c-format
+msgid " - home directory: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:179
+#, c-format
+msgid ""
+" - shell: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:211
+msgid "PAM action [auth|acct|setc|chau|open|clos], default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:214
+msgid "PAM service, default: "
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:219
+msgid "Specify user name."
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:226
+#, c-format
+msgid ""
+"user: %s\n"
+"action: %s\n"
+"service: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:232
+#, c-format
+msgid "User name lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:237
+#, c-format
+msgid "InfoPipe User lookup with [%s] failed.\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:244
+#, c-format
+msgid "pam_start failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:249
+#, c-format
+msgid ""
+"testing pam_authenticate\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:253
+#, c-format
+msgid "pam_get_item failed: %s\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:257
+#, c-format
+msgid ""
+"pam_authenticate for user [%s]: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:260
+#, c-format
+msgid ""
+"testing pam_chauthtok\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:262
+#, c-format
+msgid ""
+"pam_chauthtok: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:264
+#, c-format
+msgid ""
+"testing pam_acct_mgmt\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:266
+#, c-format
+msgid ""
+"pam_acct_mgmt: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:268
+#, c-format
+msgid ""
+"testing pam_setcred\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:270
+#, c-format
+msgid ""
+"pam_setcred: [%s]\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:272
+#, c-format
+msgid ""
+"testing pam_open_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:274
+#, c-format
+msgid ""
+"pam_open_session: %s\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:276
+#, c-format
+msgid ""
+"testing pam_close_session\n"
+"\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:278
+#, c-format
+msgid ""
+"pam_close_session: %s\n"
+"\n"
+msgstr ""
+
+#: 
src/tools/sssctl/sssctl_user_checks.c:281
+#, c-format
+msgid "unknown action\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:284
+#, c-format
+msgid "PAM Environment:\n"
+msgstr ""
+
+#: src/tools/sssctl/sssctl_user_checks.c:292
+#, c-format
+msgid " - no env -\n"
+msgstr ""
+
+#: src/util/util.h:75
+msgid "The user ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:77
+msgid "The group ID to run the server as"
+msgstr ""
+
+#: src/util/util.h:85
+msgid "Informs that the responder has been socket-activated"
+msgstr ""
+
+#: src/util/util.h:87
+msgid "Informs that the responder has been dbus-activated"
+msgstr ""
diff --git a/po/zh_TW.gmo b/po/zh_TW.gmo new file mode 100644 index 0000000000000000000000000000000000000000..e5b1597715f386fef71f58e3638f78ae23ecf8ec GIT binary patch literal 10259 zcmbtY4Qw38bsjsZTVMWMJ9Sd0si&=zNEVM2Z8=sb%eE{^vZ^1;Bqhg5^Rv9$JFa!N zd)?g=Mb&AkABvPnigYBBqC|=Mp(KhjMg3W#_=^H93b$wwz(tF~Nm0Puy}JU1Q^Y8m zq5=B7nYq0qMN@LS;PBhsdGqGYoAly0{A$P)>#Q8yENcefla_N;8`Hq{T`6?{W}m#Vvl_uI)G0Ap9C%eE(UG`;*T}r z-y^^dAeP3?0?Cfcz~2V`C6EK(1Je3F0+L_9`UUyC21w5)@DG69K=SV>a0&3Iz*6A< z07-7iL+}Bx8vkgWQ6N;Z6c8fpFM#Bq4)y#lunf=t3?#V+Vbmtzmlei<8}NJsNb4ix zNp1-cLs$in{J2436i9ac2uSO_2&8?#0i^MN2c&iWr+WW5ob!ix{w9$2;dS8e1OFWO zJHQh_8h;%~^ZhOG>%jMceNcKb({s>6pyMZ+CFp$RmBM^V=zwnRz z`8fX)j+ai8<6aa0HKP#srrus$uF0Hl;`gOmjQnXB!4c#=99h+K+3B(748L= z-TB)@PV`C%!Lcx0=>KT~)bNdEsD_52GU+5IS& zaZ(1P@vj0g1=|6nb#?(s{~(aoI|?Mf{WXyM^S*k16v0O8DFKq)_kgqyZveLfCxPDu zK7z%QA1vTQzyTmafV~4Gy??Lp10d=96_D2dB*=>FSO$bDRtY3~V?bI*EAX4Z0U+sn zA4vZHrRx6*gh_50kk+*cNcw*Wqvw^mQ1%g!)_Xsan(z@I`RNHD2bKfL-YSK=fD{L3faI@#P|puSh@MvfX+0_6 zTHpa7mdbt#B)dKW-Uprc=$aVPVGV(EGH{KvrWppo6rppm`=nvPb3 z7Dgl6??-zTjpAS%8n#O25|H+a`1K7m+LzCu(X|-uduUJ51Fn^5>(FQobWsk{^+h!D z^NVP7y(B^WN9c-+)=wA3R|M@fG}_a-7x@cm$6{!pceV=cF|_=}aYM05*UM;>Cv?H( ztXAB~m{GSPPQRrdUQqZnuncWA8pT5;+UL;>G`fBRZ9Uo#(el@F+{Do+9=4;cLCas? 
z#?24VUPt>hS_v9LNW{bjVE%dqH^c`BPjOY_|M$_JL!)?j7L6{1gSZ~Re~QbEXul=i z;4A@t3T*{i6m1I{U6coO{U#dal(kJOX}RDf0oVHt*_)-!q&BD14bE+>x3{O?dUf3E;Mq!fsu&r zI6PvRu5BfF%C>eGQQc;%qEQ~zYtwP=8cE%8wPea+tI{yWbd8AS8kSikJo`P3u+lDj zNsm}CS>sVnPeOiCRF7%tgu9rnCJ*q4tw%|nmT-6srdzRC!Z3B7u;PXZ8Pl{}9y83S zT9jd;E21TM)JkfGS;CW6)QB}0W?Tw5+;HHTgjEmkT4thw&lwS#rBrxqjzqCe>c4lD zaoxpqF^g-pSi9IYQV>k(pkJ+@@6Zxy9lN&LN+vb#=qb(CT-cnzX2J`>8iWNOD}}wP zGinVQSR@EYX+EZq^_64}L8r(vh*@+~S~k)V|#GZOj^J%M`> z)ZD4l6NwUDR%@7LwVG4MDg(7*Lo6~phOoQ^s*hMn5sjg)u5Mc}TV*gBQRz~IJ5vyV{QY11?53#kD9nras zM23On%$Si-ZnEl4#9(bh5cF&NOzaYD9$UX<6^|qg+NwIsaVgBiJ2`>4rG!8z zXwj$*)?@1h{kRPUCR=Yt66q-17myy=Dv1!ZgdwJ@+a^4q3%}Rb!3$t=+abqO9w&7O z!1J>OOL-xmQnmpT#rBmhBqw~W((_&fDVl|xh@gBrJ1IS4#0+c@7P9u$%FQ9RLAQ|* zmLvF~$Q>JXGmZlXdrQkF8mZTi4#X40Qkos9Lje3KsLN#=iALxUAZcvncD=#XYH5s$ z-{P2d?hsd*H#Z+hZoAN@MIu((qh#`*5+0jv@$Mu~w6S0OogT#rb;pA3SRfQy@Vz6do zHIL}Fi~JRbHsVg+BJo&N+JqIDK#RDTkS`MFyQ;MoGeMn|qEK>ZHc=7Cx7D&ND1I$@ z5rv+k#dWx;T5>Kp9uwpX46db8U;&C~nPjY5kV^yT!L-b9zPv#(iL4L@L_xyD(FI*5 zoCsr`?Rr9YK_3PB&g+s{1B=1ZpYlnF{aDLPmUdwaGNpKBCt7RLz zB#jxOY@$%iD-HycIt8WSB=fXRI;N^P4`HZ)tDEVzp}hB*|whyrn#7N3!Dsf;lkXf<~e zq$S=>uDBw-M_HwIs|os^eJE|kgs23}L6uf(x^O}tsU)3NgLq+PM9uYMd+hSX9z=rVpXm}fR!l4y>%c|8IR;^pZx2>tF zUjNGGP?estY&X2gi5t=IOX;{1uCXe(<2X^IE$He+`t9MA#`LIVYg9ggeJwj4+VVGZ*tkb*`JLC@ZV4uP=2ea*UY1vlPK!hNFYruHfQLXw&*lYYHAMFI^g1ji1TLp>Rz@3XX8~oo-nwfuEu)=-dLEyDPWW ztPL+O$dLgt-43rYBlxXq#w+-8{9+4jNu+Hp5k^g&bSk)+5|7Tx@)ca(u3Wkz^zHCE z-K4UgoTOZ{taMrFGa>fjM4P{7(3`&Gb#!Nr?ej+VXUicBdAF`*ZXWiAkD@PgeAMe~^E%rzgI6&uGc}NTXP@8FO}QOfNOER!I&)+&+t>tQ zISS%X+0pGEy5P0k^gB9drjDbZc?VB@|~Jv(@mWry0c!v_k2 z@;TQy1t~T&*_YWf=H2e{rrI)tt=>cjUz9u5nH?Nn%%C`T{7mN7u}tqcR7+E6(PH)f z{Tfe03qz22N1JeZfo+P%xiq!YZx zi4c>vLoOKOk2ZPTmtjfvQmcIFwIB2*&*U0=vc3Jvr!D()$BwY8g<52#gP=cMO6%+=IRUlzh#?Zd5W{`mBV6aD#BK{hb|9>k0H z1xm3_f9Q7e6 zz4LqglYPMmbY_lU&b95MP!uURGc`?ldU>xmK9;%E%Fyi{XosB4VaiyUJl@rT%ndw< zERer{u+xQ)3*NqK&?v({AOblV!)_s6Wnb=Mk4O;t>OiC4cOWn?$Yz?qr6=2hL~1$V 
zU1;^%y1iTHyrx@7&P?w_=14!%IXg6ftY5Gnj`pwp7*iA{BZV%-ve({-)Wm&e^75T} zCvFjs3?1=Lw~*H^jKd8xqvvxcPG*i=Em({N9NvuynAbE2B4ctB6nN83xl=7jE96(U zr8yWSd5_fQ*#YGseOd6E4`eT1^N$`v?0D0YnXYprBxsR&mv1U}(su>#@)^J7X6Dk! z%;-31Msle5q#$*Q+nI?mN|D|{nBbjgWZAJx2=W5wfp`=%_MFQOwSlE1UCtuPOxMlq zg|q(2POoFH-!&R|3evf~gTX!&J$=x)NAXKbkJqe{5ihY@^GQkH%2nP?DsZ6`>>Ctc z5IFH`8>0Bw%-DXKx=ZYtaBk7pg}LtVJNvvVt(3%9_mH254|t8ea_zaUTi)1tCWBQ5 zE+QC0x#qWWZ(Yfr9`sL5z^e!y92WV*NN|4;{Hi;5sC#Cz1N7=OwtA!2!Guhn98jpf zBjkpUfQ@s;L^bFfm6ue2 z>I~|o%7PkEkBOmJ3PLCI_IZ}Q*fleuc3NsfMyP}u?gk^V-0qXv=^I|(6}g2}QXMMr zlnhkn?Qi$rKAoKyMTs;kauD@1Q~M>O1iqK_1&Wm91ygZ;X3uvZ&oTpJD8E>)uMv(C zA0TF(BQxXYX2yO@wLtf6$a(#@vZvcnterSnT)izOFUy*Nyezm@@#LKyvZ`PKTc8N? zcaMmZ5LN8-6f^{etHWNit6BV{t-Tv2`g@o7q4bPNr8 zw{I(km*dDZQNE&E>I|t-)YCEq?w+ql6)E$KAqxk_<{cvf8$I|0j!zM?80JQ_Fkc}? zg#?{BEjJ6@fuVtG=CgIa&cNKF&dl}k%sW?6*~m&8R76D8F_PUoi88V{Gt@~-mg7f5 zfs5yTfo}lFzi|YgH{3HbdTn;@(FX^wd6J?C=cK6Rn17%#w|i76!=U0q_LGd5 zGtGswR6i6QZSV@tyII>1Fk|sAKe?k|PjBjEapY$QnzLso@yo;S?p>%R3hZF0US$m< Q)6^TeM2sWq8OpN%1;5xPEC2ui literal 0 HcmV?d00001 diff --git a/po/zh_TW.po b/po/zh_TW.po new file mode 100644 index 0000000..9a2ac19 --- /dev/null +++ b/po/zh_TW.po 
@@ -0,0 +1,2799 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR Red Hat, Inc.
+# This file is distributed under the same license as the PACKAGE package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: PACKAGE VERSION\n"
+"Report-Msgid-Bugs-To: sssd-devel@lists.fedorahosted.org\n"
+"POT-Creation-Date: 2018-08-12 13:03+0000\n"
+"PO-Revision-Date: 2014-12-14 11:50+0000\n"
+"Last-Translator: Copied by Zanata \n"
+"Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/sssd/"
+"language/zh_TW/)\n"
+"Language: zh_TW\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#: src/config/SSSDConfig/__init__.py.in:43
+#: src/config/SSSDConfig/__init__.py.in:44
+msgid "Set the verbosity of the debug logging"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:45
+msgid "Include timestamps in debug logs"
+msgstr "在除錯日誌內加入時間戳記"
+
+#: src/config/SSSDConfig/__init__.py.in:46
+msgid "Include microseconds in timestamps in debug logs"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:47
+msgid "Write debug messages to logfiles"
+msgstr "將除錯訊息寫入日誌檔"
+
+#: src/config/SSSDConfig/__init__.py.in:48
+msgid "Watchdog timeout before restarting service"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:49
+msgid "Command to start service"
+msgstr "啟動服務的指令"
+
+#: src/config/SSSDConfig/__init__.py.in:50
+msgid "Number of times to attempt connection to Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:51
+msgid "The number of file descriptors that may be opened by this responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:52
+msgid "Idle time before automatic disconnection of a client"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:53
+msgid "Idle time before automatic shutdown of the responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:54
+msgid "Always query all the caches 
before querying the Data Providers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:57
+msgid "SSSD Services to start"
+msgstr "要啟動的 SSSD 服務"
+
+#: src/config/SSSDConfig/__init__.py.in:58
+msgid "SSSD Domains to start"
+msgstr "要啟動的 SSSD 網域"
+
+#: src/config/SSSDConfig/__init__.py.in:59
+msgid "Timeout for messages sent over the SBUS"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:60
+#: src/config/SSSDConfig/__init__.py.in:197
+msgid "Regex to parse username and domain"
+msgstr "用來解析使用者名稱與網域的正規表示式"
+
+#: src/config/SSSDConfig/__init__.py.in:61
+#: src/config/SSSDConfig/__init__.py.in:196
+msgid "Printf-compatible format for displaying fully-qualified names"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:62
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:63
+msgid "Domain to add to names without a domain component."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:64
+msgid "The user to drop privileges to"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:65
+msgid "Tune certificate verification"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:66
+msgid "All spaces in group or user names will be replaced with this character"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:67
+msgid "Tune sssd to honor or ignore netlink state changes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:68
+msgid "Enable or disable the implicit files domain"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:69
+msgid "A specific order of the domains to be looked up"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:72
+msgid "Enumeration cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:73
+msgid "Entry cache background update timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:74
+#: src/config/SSSDConfig/__init__.py.in:113
+msgid "Negative cache timeout length 
(seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:75
+msgid "Files negative cache timeout length (seconds)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:76
+msgid "Users that SSSD should explicitly ignore"
+msgstr "SSSD 應該明確忽略的使用者"
+
+#: src/config/SSSDConfig/__init__.py.in:77
+msgid "Groups that SSSD should explicitly ignore"
+msgstr "SSSD 應該明確忽略的群組"
+
+#: src/config/SSSDConfig/__init__.py.in:78
+msgid "Should filtered users appear in groups"
+msgstr "過濾的使用者是否應該顯現在群組內"
+
+#: src/config/SSSDConfig/__init__.py.in:79
+msgid "The value of the password field the NSS provider should return"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:80
+msgid "Override homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:81
+msgid ""
+"Substitute empty homedir value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:82
+msgid "Override shell value from the identity provider with this value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:83
+msgid "The list of shells users are allowed to log in with"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:84
+msgid ""
+"The list of shells that will be vetoed, and replaced with the fallback shell"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:85
+msgid ""
+"If a shell stored in central directory is allowed but not available, use "
+"this fallback"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:86
+msgid "Shell to use if the provider does not list one"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:87
+msgid "How long will be in-memory cache records valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:88
+msgid "List of user attributes the NSS responder is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:91
+msgid "How long to allow cached logins between online logins (days)"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:92
+msgid 
"How many failed logins attempts are allowed when offline"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:93
+msgid ""
+"How long (minutes) to deny login after offline_failed_login_attempts has "
+"been reached"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:94
+msgid "What kind of messages are displayed to the user during authentication"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:95
+msgid "Filter PAM responses sent to the pam_sss"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:96
+msgid "How many seconds to keep identity information cached for PAM requests"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:97
+msgid "How many days before password expiration a warning should be displayed"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:98
+msgid "List of trusted uids or user's name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:99
+msgid "List of domains accessible even for untrusted users."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:100
+msgid "Message printed when user account is expired."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:101
+msgid "Message printed when user account is locked."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:102
+msgid "Allow certificate based/Smartcard authentication."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:103
+msgid "Path to certificate database with PKCS#11 modules."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:104
+msgid "How many seconds will pam_sss wait for p11_child to finish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:105
+msgid "Which PAM services are permitted to contact application domains"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:108
+msgid "Whether to evaluate the time-based attributes in sudo rules"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:109
+msgid "If true, SSSD will switch back to lower-wins ordering logic"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:110
+msgid ""
+"Maximum number of rules that can be refreshed at once. If this is exceeded, "
+"full refresh is performed."
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:116
+msgid "Whether to hash host names and addresses in the known_hosts file"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:117
+msgid ""
+"How many seconds to keep a host in the known_hosts file after its host keys "
+"were requested"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:118
+msgid "Path to storage of trusted CA certificates"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:121
+msgid "List of UIDs or user names allowed to access the PAC responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:122
+msgid "How long the PAC data is considered valid"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:125
+msgid "List of UIDs or user names allowed to access the InfoPipe responder"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:126
+msgid "List of user attributes the InfoPipe is allowed to publish"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:129
+msgid "The provider where the secrets will be stored in"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:130
+msgid "The maximum allowed number of nested containers"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:131
+msgid "The maximum number of secrets that can be stored"
+msgstr ""
+
+#: 
src/config/SSSDConfig/__init__.py.in:132
+msgid "The maximum number of secrets that can be stored per UID"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:133
+msgid "The maximum payload size of a secret in kilobytes"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:135
+msgid "The URL Custodia server is listening on"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:136
+msgid "The method to use when authenticating to a Custodia server"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:137
+msgid ""
+"The name of the headers that will be added into a HTTP request with the "
+"value defined in auth_header_value"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:138
+msgid "The value sssd-secrets would use for auth_header_name"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:139
+msgid ""
+"The list of the headers to forward to the Custodia server together with the "
+"request"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:140
+msgid ""
+"The username to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:141
+msgid ""
+"The password to use when authenticating to a Custodia server using basic_auth"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:142
+msgid "If true peer's certificate is verified if proxy_url uses https protocol"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:143
+msgid ""
+"If false peer's certificate may contain different hostname than proxy_url "
+"when https protocol is used"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:144
+msgid "Path to directory where certificate authority certificates are stored"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:145
+msgid "Path to file containing server's CA certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:146
+msgid "Path to file containing client's certificate"
+msgstr ""
+
+#: src/config/SSSDConfig/__init__.py.in:147
+msgid "Path to file containing client's 
private key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:150 +msgid "Identity provider" +msgstr "身分提供者" + +#: src/config/SSSDConfig/__init__.py.in:151 +msgid "Authentication provider" +msgstr "認證提供者" + +#: src/config/SSSDConfig/__init__.py.in:152 +msgid "Access control provider" +msgstr "存取控制提供者" + +#: src/config/SSSDConfig/__init__.py.in:153 +msgid "Password change provider" +msgstr "密碼變更提供者" + +#: src/config/SSSDConfig/__init__.py.in:154 +msgid "SUDO provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:155 +msgid "Autofs provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:156 +msgid "Host identity provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:157 +msgid "SELinux provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:158 +msgid "Session management provider" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:161 +msgid "Whether the domain is usable by the OS or by applications" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:162 +msgid "Minimum user ID" +msgstr "最小的使用者 ID" + +#: src/config/SSSDConfig/__init__.py.in:163 +msgid "Maximum user ID" +msgstr "最大的使用者 ID" + +#: src/config/SSSDConfig/__init__.py.in:164 +msgid "Enable enumerating all users/groups" +msgstr "啟用所有使用者或群組的列舉" + +#: src/config/SSSDConfig/__init__.py.in:165 +msgid "Cache credentials for offline login" +msgstr "供離線登入使用的快取憑證" + +#: src/config/SSSDConfig/__init__.py.in:166 +msgid "Store password hashes" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:167 +msgid "Display users/groups in fully-qualified form" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:168 +msgid "Don't include group members in group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:169 +#: src/config/SSSDConfig/__init__.py.in:176 +#: src/config/SSSDConfig/__init__.py.in:177 +#: src/config/SSSDConfig/__init__.py.in:178 +#: src/config/SSSDConfig/__init__.py.in:179 +#: src/config/SSSDConfig/__init__.py.in:180 +#: 
src/config/SSSDConfig/__init__.py.in:181 +msgid "Entry cache timeout length (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:170 +msgid "" +"Restrict or prefer a specific address family when performing DNS lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:171 +msgid "How long to keep cached entries after last successful login (days)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:172 +msgid "How long to wait for replies from DNS when resolving servers (seconds)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:173 +msgid "The domain part of service discovery DNS query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:174 +msgid "Override GID value from the identity provider with this value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:175 +msgid "Treat usernames as case sensitive" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:182 +msgid "How often should expired entries be refreshed in background" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:183 +msgid "Whether to automatically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:184 +#: src/config/SSSDConfig/__init__.py.in:206 +msgid "The TTL to apply to the client's DNS entry after updating it" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:185 +#: src/config/SSSDConfig/__init__.py.in:207 +msgid "The interface whose IP should be used for dynamic DNS updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:186 +msgid "How often to periodically update the client's DNS entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:187 +msgid "Whether the provider should explicitly update the PTR record as well" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:188 +msgid "Whether the nsupdate utility should default to using TCP" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:189 +msgid "What kind of authentication should be used to perform the DNS update" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:190 +msgid "Override the DNS server used to perform the DNS update" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:191 +msgid "Control enumeration of trusted domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:192 +msgid "How often should subdomains list be refreshed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:193 +msgid "List of options that should be inherited into a subdomain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:194 +msgid "Default subdomain homedir value" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:195 +msgid "How long can cached credentials be used for cached authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:198 +msgid "Whether to automatically create private groups for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:201 +msgid "IPA domain" +msgstr "IPA 網域" + +#: src/config/SSSDConfig/__init__.py.in:202 +msgid "IPA server address" +msgstr "IPA 伺服器位址" + +#: src/config/SSSDConfig/__init__.py.in:203 +msgid "Address of backup IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:204 +msgid "IPA client hostname" +msgstr "IPA 客戶端主機名稱" + +#: src/config/SSSDConfig/__init__.py.in:205 +msgid "Whether to automatically update the client's DNS entry in FreeIPA" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:208 +msgid "Search base for HBAC related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:209 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:210 +msgid "" +"The amount of time in seconds between lookups of the SELinux maps against " +"the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:211 +msgid "If set to false, host argument given by PAM will be ignored" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:212 +msgid "The automounter location this IPA client is using" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:213 +msgid "Search base for object containing info about IPA domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:214 +msgid "Search base for objects containing info about ID ranges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:215 +#: src/config/SSSDConfig/__init__.py.in:233 +msgid "Enable DNS sites - location based service discovery" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:216 +msgid "Search base for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:217 +msgid "Objectclass for view containers" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:218 +msgid "Attribute with the name of the view" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:219 +msgid "Objectclass for override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:220 +msgid "Attribute with the reference to the original object" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:221 +msgid "Objectclass for user override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:222 +msgid "Objectclass for group override objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:223 +msgid "Search base for Desktop Profile related objects" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:224 +msgid "" +"The amount of time in seconds between lookups of the Desktop Profile rules " +"against the IPA server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:225 +msgid "" +"The amount of time in minutes between lookups of Desktop Profiles rules " +"against the IPA server when the last request did not find any rule" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:228 +msgid "Active Directory domain" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:229 +msgid "Enabled Active Directory domains" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:230 +msgid "Active Directory server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:231 +msgid "Active Directory 
backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:232 +msgid "Active Directory client hostname" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:234 +#: src/config/SSSDConfig/__init__.py.in:420 +msgid "LDAP filter to determine access privileges" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:235 +msgid "Whether to use the Global Catalog for lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:236 +msgid "Operation mode for GPO-based access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:237 +msgid "" +"The amount of time between lookups of the GPO policy files against the AD " +"server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:238 +msgid "" +"PAM service names that map to the GPO (Deny)InteractiveLogonRight policy " +"settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:239 +msgid "" +"PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight " +"policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:240 +msgid "" +"PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:241 +msgid "" +"PAM service names that map to the GPO (Deny)BatchLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:242 +msgid "" +"PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:243 +msgid "PAM service names for which GPO-based access is always granted" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:244 +msgid "PAM service names for which GPO-based access is always denied" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:245 +msgid "" +"Default logon right (or permit/deny) to use for unmapped PAM service names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:246 +msgid "a particular site to be used by the client" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:247 
+msgid "" +"Maximum age in days before the machine account password should be renewed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:248 +msgid "Option for tuning the machine account renewal task" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:251 +#: src/config/SSSDConfig/__init__.py.in:252 +msgid "Kerberos server address" +msgstr "Kerberos 伺服器位址" + +#: src/config/SSSDConfig/__init__.py.in:253 +msgid "Kerberos backup server address" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:254 +msgid "Kerberos realm" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:255 +msgid "Authentication timeout" +msgstr "認證逾時" + +#: src/config/SSSDConfig/__init__.py.in:256 +msgid "Whether to create kdcinfo files" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:257 +msgid "Where to drop krb5 config snippets" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:260 +msgid "Directory to store credential caches" +msgstr "儲存憑證快取的目錄" + +#: src/config/SSSDConfig/__init__.py.in:261 +msgid "Location of the user's credential cache" +msgstr "使用者憑證快取的位置" + +#: src/config/SSSDConfig/__init__.py.in:262 +msgid "Location of the keytab to validate credentials" +msgstr "驗證憑證用的金鑰表格位置" + +#: src/config/SSSDConfig/__init__.py.in:263 +msgid "Enable credential validation" +msgstr "啟用憑證驗證" + +#: src/config/SSSDConfig/__init__.py.in:264 +msgid "Store password if offline for later online authentication" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:265 +msgid "Renewable lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:266 +msgid "Lifetime of the TGT" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:267 +msgid "Time between two checks for renewal" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:268 +msgid "Enables FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:269 +msgid "Selects the principal to use for FAST" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:270 +msgid "Enables principal canonicalization" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:271 +msgid "Enables enterprise principals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:272 +msgid "A mapping from user names to Kerberos principal names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:275 +#: src/config/SSSDConfig/__init__.py.in:276 +msgid "Server where the change password service is running if not on the KDC" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:279 +msgid "ldap_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:280 +msgid "ldap_backup_uri, The URI of the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:281 +msgid "The default base DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:282 +msgid "The Schema Type in use on the LDAP server, rfc2307" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:283 +msgid "The default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:284 +msgid "The type of the authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:285 +msgid "The authentication token of the default bind DN" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:286 +msgid "Length of time to attempt connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:287 +msgid "Length of time to attempt synchronous LDAP operations" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:288 +msgid "Length of time between attempts to reconnect while offline" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:289 +msgid "Use only the upper case for realm names" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:290 +msgid "File that contains CA certificates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:291 +msgid "Path to CA certificate directory" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:292 +msgid "File that contains the client certificate" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:293 +msgid "File that contains the 
client key" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:294 +msgid "List of possible ciphers suites" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:295 +msgid "Require TLS certificate verification" +msgstr "需要 TLS 憑證驗證" + +#: src/config/SSSDConfig/__init__.py.in:296 +msgid "Specify the sasl mechanism to use" +msgstr "指定要使用的 sasl 機制" + +#: src/config/SSSDConfig/__init__.py.in:297 +msgid "Specify the sasl authorization id to use" +msgstr "指定要使用的 sasl 認證 id" + +#: src/config/SSSDConfig/__init__.py.in:298 +msgid "Specify the sasl authorization realm to use" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:299 +msgid "Specify the minimal SSF for LDAP sasl authorization" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:300 +msgid "Kerberos service keytab" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:301 +msgid "Use Kerberos auth for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:302 +msgid "Follow LDAP referrals" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:303 +msgid "Lifetime of TGT for LDAP connection" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:304 +msgid "How to dereference aliases" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:305 +msgid "Service name for DNS service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:306 +msgid "The number of records to retrieve in a single LDAP query" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:307 +msgid "The number of members that must be missing to trigger a full deref" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:308 +msgid "" +"Whether the LDAP library should perform a reverse lookup to canonicalize the " +"host name during a SASL bind" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:310 +msgid "entryUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:311 +msgid "lastUSN attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:313 +msgid "How long to retain a connection to the 
LDAP server before disconnecting" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:315 +msgid "Disable the LDAP paging control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:316 +msgid "Disable Active Directory range retrieval" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:319 +msgid "Length of time to wait for a search request" +msgstr "搜尋請求的等候時間長度" + +#: src/config/SSSDConfig/__init__.py.in:320 +msgid "Length of time to wait for a enumeration request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:321 +msgid "Length of time between enumeration updates" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:322 +msgid "Length of time between cache cleanups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:323 +msgid "Require TLS for ID lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:324 +msgid "Use ID-mapping of objectSID instead of pre-set IDs" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:325 +msgid "Base DN for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:326 +msgid "Scope of user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:327 +msgid "Filter for user lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:328 +msgid "Objectclass for users" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:329 +msgid "Username attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:331 +msgid "UID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:332 +msgid "Primary GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:333 +msgid "GECOS attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:334 +msgid "Home directory attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:335 +msgid "Shell attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:336 +msgid "UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:337 +#: src/config/SSSDConfig/__init__.py.in:379 +msgid "objectSID attribute" 
+msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:338 +msgid "Active Directory primary group attribute for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:339 +msgid "User principal attribute (for Kerberos)" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:340 +msgid "Full Name" +msgstr "全名" + +#: src/config/SSSDConfig/__init__.py.in:341 +msgid "memberOf attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:342 +msgid "Modification time attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:344 +msgid "shadowLastChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:345 +msgid "shadowMin attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:346 +msgid "shadowMax attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:347 +msgid "shadowWarning attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:348 +msgid "shadowInactive attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:349 +msgid "shadowExpire attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:350 +msgid "shadowFlag attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:351 +msgid "Attribute listing authorized PAM services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:352 +msgid "Attribute listing authorized server hosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:353 +msgid "Attribute listing authorized server rhosts" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:354 +msgid "krbLastPwdChange attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:355 +msgid "krbPasswordExpiration attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:356 +msgid "Attribute indicating that server side password policies are active" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:357 +msgid "accountExpires attribute of AD" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:358 +msgid "userAccountControl attribute of AD" +msgstr "" + +#: 
src/config/SSSDConfig/__init__.py.in:359 +msgid "nsAccountLock attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:360 +msgid "loginDisabled attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:361 +msgid "loginExpirationTime attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:362 +msgid "loginAllowedTimeMap attribute of NDS" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:363 +msgid "SSH public key attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:364 +msgid "attribute listing allowed authentication types for a user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:365 +msgid "attribute containing the X509 certificate of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:366 +msgid "attribute containing the email address of the user" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:368 +msgid "A list of extra attributes to download along with the user entry" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:370 +msgid "Base DN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:373 +msgid "Objectclass for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:374 +msgid "Group name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:375 +msgid "Group password" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:376 +msgid "GID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:377 +msgid "Group member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:378 +msgid "Group UUID attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:380 +msgid "Modification time attribute for groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:381 +msgid "Type of the group and other flags" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:382 +msgid "The LDAP group external member attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:384 +msgid "Maximum nesting level SSSD will follow" +msgstr 
"" + +#: src/config/SSSDConfig/__init__.py.in:386 +msgid "Base DN for netgroup lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:387 +msgid "Objectclass for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:388 +msgid "Netgroup name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:389 +msgid "Netgroups members attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:390 +msgid "Netgroup triple attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:391 +msgid "Modification time attribute for netgroups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:393 +msgid "Base DN for service lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:394 +msgid "Objectclass for services" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:395 +msgid "Service name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:396 +msgid "Service port attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:397 +msgid "Service protocol attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:400 +msgid "Lower bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:401 +msgid "Upper bound for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:402 +msgid "Number of IDs for each slice when ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:403 +msgid "Use autorid-compatible algorithm for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:404 +msgid "Name of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:405 +msgid "SID of the default domain for ID-mapping" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:406 +msgid "Number of secondary slices" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:408 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:409 +msgid "Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:410 +msgid "Whether to use Token-Groups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:411 +msgid "Set lower boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:412 +msgid "Set upper boundary for allowed IDs from the LDAP server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:413 +msgid "DN for ppolicy queries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:414 +msgid "How many maximum entries to fetch during a wildcard request" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:417 +msgid "Policy to evaluate the password expiration" +msgstr "評估密碼過期時效的策略" + +#: src/config/SSSDConfig/__init__.py.in:421 +msgid "Which attributes shall be used to evaluate if an account is expired" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:422 +msgid "Which rules should be used to evaluate access control" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:425 +msgid "URI of an LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:426 +msgid "URI of a backup LDAP server where password changes are allowed" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:427 +msgid "DNS service name for LDAP password change server" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:428 +msgid "" +"Whether to update the ldap_user_shadow_last_change attribute after a " +"password change" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:431 +msgid "Base DN for sudo rules lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:432 +msgid "Automatic full refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:433 +msgid "Automatic smart refresh period" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:434 +msgid "Whether to filter rules by hostname, IP addresses and network" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:435 +msgid "" +"Hostnames and/or fully qualified domain names of this 
machine to filter sudo " +"rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:436 +msgid "IPv4 or IPv6 addresses or network of this machine to filter sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:437 +msgid "Whether to include rules that contains netgroup in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:438 +msgid "" +"Whether to include rules that contains regular expression in host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:439 +msgid "Object class for sudo rules" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:440 +msgid "Sudo rule name" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:441 +msgid "Sudo rule command attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:442 +msgid "Sudo rule host attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:443 +msgid "Sudo rule user attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:444 +msgid "Sudo rule option attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:445 +msgid "Sudo rule runas attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:446 +msgid "Sudo rule runasuser attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:447 +msgid "Sudo rule runasgroup attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:448 +msgid "Sudo rule notbefore attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:449 +msgid "Sudo rule notafter attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:450 +msgid "Sudo rule order attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:453 +msgid "Object class for automounter maps" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:454 +msgid "Automounter map name attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:455 +msgid "Object class for automounter map entries" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:456 +msgid "Automounter map entry key attribute" +msgstr "" + 
+#: src/config/SSSDConfig/__init__.py.in:457 +msgid "Automounter map entry value attribute" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:458 +msgid "Base DN for automounter map lookups" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:461 +msgid "Comma separated list of allowed users" +msgstr "許可的使用者清單,請使用半形逗號作為分隔" + +#: src/config/SSSDConfig/__init__.py.in:462 +msgid "Comma separated list of prohibited users" +msgstr "被禁止的使用者清單,請使用半形逗號作為分隔" + +#: src/config/SSSDConfig/__init__.py.in:465 +msgid "Default shell, /bin/bash" +msgstr "預設 shell,/bin/bash" + +#: src/config/SSSDConfig/__init__.py.in:466 +msgid "Base for home directories" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:469 +msgid "The number of preforked proxy children." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:472 +msgid "The name of the NSS library to use" +msgstr "要使用的 NSS 函式庫名稱" + +#: src/config/SSSDConfig/__init__.py.in:473 +msgid "Whether to look up canonical group name from cache if possible" +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:476 +msgid "PAM stack to use" +msgstr "要使用的 PAM 堆疊" + +#: src/config/SSSDConfig/__init__.py.in:479 +msgid "Path of passwd file sources." +msgstr "" + +#: src/config/SSSDConfig/__init__.py.in:480 +msgid "Path of group file sources." 
+msgstr "" + +#: src/monitor/monitor.c:2449 +msgid "Become a daemon (default)" +msgstr "作為幕後程式 (預設)" + +#: src/monitor/monitor.c:2451 +msgid "Run interactive (not a daemon)" +msgstr "以互動方式執行 (非幕後程式)" + +#: src/monitor/monitor.c:2454 +msgid "Disable netlink interface" +msgstr "" + +#: src/monitor/monitor.c:2456 src/tools/sssctl/sssctl_logs.c:311 +msgid "Specify a non-default config file" +msgstr "指定非預設的配置檔" + +#: src/monitor/monitor.c:2458 +msgid "Refresh the configuration database, then exit" +msgstr "" + +#: src/monitor/monitor.c:2461 +msgid "Print version number and exit" +msgstr "" + +#: src/monitor/monitor.c:2627 +msgid "SSSD is already running\n" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3216 src/providers/ldap/ldap_child.c:605 +msgid "Debug level" +msgstr "除錯層級" + +#: src/providers/krb5/krb5_child.c:3218 src/providers/ldap/ldap_child.c:607 +msgid "Add debug timestamps" +msgstr "加入除錯時間戳記" + +#: src/providers/krb5/krb5_child.c:3220 src/providers/ldap/ldap_child.c:609 +msgid "Show timestamps with microseconds" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3222 src/providers/ldap/ldap_child.c:611 +msgid "An open file descriptor for the debug logs" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3225 src/providers/ldap/ldap_child.c:613 +msgid "Send the debug output to stderr directly." 
+msgstr "" + +#: src/providers/krb5/krb5_child.c:3228 +msgid "The user to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3230 +msgid "The group to create FAST ccache as" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3232 +msgid "Kerberos realm to use" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3234 +msgid "Requested lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3236 +msgid "Requested renewable lifetime of the ticket" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3238 +msgid "FAST options ('never', 'try', 'demand')" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3241 +msgid "Specifies the server principal to use for FAST" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3243 +msgid "Requests canonicalization of the principal name" +msgstr "" + +#: src/providers/krb5/krb5_child.c:3245 +msgid "Use custom version of krb5_get_init_creds_password" +msgstr "" + +#: src/providers/data_provider_be.c:556 +msgid "Domain of the information provider (mandatory)" +msgstr "" + +#: src/sss_client/common.c:1066 +msgid "Privileged socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1069 +msgid "Public socket has wrong ownership or permissions." +msgstr "" + +#: src/sss_client/common.c:1072 +msgid "Unexpected format of the server credential message." +msgstr "" + +#: src/sss_client/common.c:1075 +msgid "SSSD is not run by root." +msgstr "" + +#: src/sss_client/common.c:1080 +msgid "An error occurred, but no description can be found." +msgstr "" + +#: src/sss_client/common.c:1086 +msgid "Unexpected error while looking for an error description" +msgstr "" + +#: src/sss_client/pam_sss.c:76 +msgid "Permission denied. 
" +msgstr "" + +#: src/sss_client/pam_sss.c:77 src/sss_client/pam_sss.c:782 +#: src/sss_client/pam_sss.c:793 +msgid "Server message: " +msgstr "伺服器訊息:" + +#: src/sss_client/pam_sss.c:300 +msgid "Passwords do not match" +msgstr "密碼不相符" + +#: src/sss_client/pam_sss.c:488 +msgid "Password reset by root is not supported." +msgstr "" + +#: src/sss_client/pam_sss.c:529 +msgid "Authenticated with cached credentials" +msgstr "" + +#: src/sss_client/pam_sss.c:530 +msgid ", your cached password will expire at: " +msgstr ",您快取的密碼將在此刻過期:" + +#: src/sss_client/pam_sss.c:560 +#, c-format +msgid "Your password has expired. You have %1$d grace login(s) remaining." +msgstr "" + +#: src/sss_client/pam_sss.c:606 +#, c-format +msgid "Your password will expire in %1$d %2$s." +msgstr "" + +#: src/sss_client/pam_sss.c:655 +msgid "Authentication is denied until: " +msgstr "" + +#: src/sss_client/pam_sss.c:676 +msgid "System is offline, password change not possible" +msgstr "系統已離線,不可能作密碼變更" + +#: src/sss_client/pam_sss.c:691 +msgid "" +"After changing the OTP password, you need to log out and back in order to " +"acquire a ticket" +msgstr "" + +#: src/sss_client/pam_sss.c:779 src/sss_client/pam_sss.c:792 +msgid "Password change failed. 
" +msgstr "密碼變更失敗。" + +#: src/sss_client/pam_sss.c:1926 +msgid "New Password: " +msgstr "新密碼:" + +#: src/sss_client/pam_sss.c:1927 +msgid "Reenter new Password: " +msgstr "再次輸入新密碼:" + +#: src/sss_client/pam_sss.c:2039 src/sss_client/pam_sss.c:2042 +msgid "First Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2040 src/sss_client/pam_sss.c:2202 +msgid "Second Factor (optional): " +msgstr "" + +#: src/sss_client/pam_sss.c:2043 src/sss_client/pam_sss.c:2205 +msgid "Second Factor: " +msgstr "" + +#: src/sss_client/pam_sss.c:2058 +msgid "Password: " +msgstr "密碼:" + +#: src/sss_client/pam_sss.c:2201 src/sss_client/pam_sss.c:2204 +msgid "First Factor (Current Password): " +msgstr "" + +#: src/sss_client/pam_sss.c:2208 +msgid "Current Password: " +msgstr "目前的密碼:" + +#: src/sss_client/pam_sss.c:2536 +msgid "Password expired. Change your password now." +msgstr "密碼已過期。請立刻變更您的密碼。" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:41 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:204 src/tools/sss_useradd.c:48 +#: src/tools/sss_groupadd.c:41 src/tools/sss_groupdel.c:44 +#: src/tools/sss_groupmod.c:42 src/tools/sss_groupshow.c:668 +#: src/tools/sss_userdel.c:134 src/tools/sss_usermod.c:47 +#: src/tools/sss_cache.c:670 +msgid "The debug level to run with" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:43 +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:208 +msgid "The SSSD domain to use" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:57 src/tools/sss_useradd.c:74 +#: src/tools/sss_groupadd.c:59 src/tools/sss_groupdel.c:54 +#: src/tools/sss_groupmod.c:66 src/tools/sss_groupshow.c:680 +#: src/tools/sss_userdel.c:152 src/tools/sss_usermod.c:79 +#: src/tools/sss_cache.c:716 +msgid "Error setting the locale\n" +msgstr "設定區域設置時發生錯誤\n" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:64 +msgid "Not enough memory\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_authorizedkeys.c:83 +msgid "User not specified\n" +msgstr "" + +#: 
src/sss_client/ssh/sss_ssh_authorizedkeys.c:97 +msgid "Error looking up public keys\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:206 +msgid "The port to use to connect to the host" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:210 +msgid "Print the host ssh public keys" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:252 +msgid "Invalid port\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:257 +msgid "Host not specified\n" +msgstr "" + +#: src/sss_client/ssh/sss_ssh_knownhostsproxy.c:263 +msgid "The path to the proxy command must be absolute\n" +msgstr "" + +#: src/tools/sss_useradd.c:49 src/tools/sss_usermod.c:48 +msgid "The UID of the user" +msgstr "使用者的 UID" + +#: src/tools/sss_useradd.c:50 src/tools/sss_usermod.c:50 +msgid "The comment string" +msgstr "註解字串" + +#: src/tools/sss_useradd.c:51 src/tools/sss_usermod.c:51 +msgid "Home directory" +msgstr "家目錄" + +#: src/tools/sss_useradd.c:52 src/tools/sss_usermod.c:52 +msgid "Login shell" +msgstr "登入用 shell" + +#: src/tools/sss_useradd.c:53 +msgid "Groups" +msgstr "群組" + +#: src/tools/sss_useradd.c:54 +msgid "Create user's directory if it does not exist" +msgstr "如果使用者的目錄不存在便將它建立" + +#: src/tools/sss_useradd.c:55 +msgid "Never create user's directory, overrides config" +msgstr "永遠不建立使用者的目錄,凌駕配置" + +#: src/tools/sss_useradd.c:56 +msgid "Specify an alternative skeleton directory" +msgstr "指定替代的骨幹目錄" + +#: src/tools/sss_useradd.c:57 src/tools/sss_usermod.c:60 +msgid "The SELinux user for user's login" +msgstr "" + +#: src/tools/sss_useradd.c:87 src/tools/sss_groupmod.c:79 +#: src/tools/sss_usermod.c:92 +msgid "Specify group to add to\n" +msgstr "" + +#: src/tools/sss_useradd.c:111 +msgid "Specify user to add\n" +msgstr "指定要加入的使用者\n" + +#: src/tools/sss_useradd.c:121 src/tools/sss_groupadd.c:86 +#: src/tools/sss_groupdel.c:80 src/tools/sss_groupmod.c:113 +#: src/tools/sss_groupshow.c:714 src/tools/sss_userdel.c:198 +#: src/tools/sss_usermod.c:162 +msgid 
"Error initializing the tools - no local domain\n" +msgstr "初始化工具時發生錯誤 - 沒有本機網域\n" + +#: src/tools/sss_useradd.c:123 src/tools/sss_groupadd.c:88 +#: src/tools/sss_groupdel.c:82 src/tools/sss_groupmod.c:115 +#: src/tools/sss_groupshow.c:716 src/tools/sss_userdel.c:200 +#: src/tools/sss_usermod.c:164 +msgid "Error initializing the tools\n" +msgstr "初始化工具時發生錯誤\n" + +#: src/tools/sss_useradd.c:132 src/tools/sss_groupadd.c:97 +#: src/tools/sss_groupdel.c:91 src/tools/sss_groupmod.c:123 +#: src/tools/sss_groupshow.c:725 src/tools/sss_userdel.c:209 +#: src/tools/sss_usermod.c:173 +msgid "Invalid domain specified in FQDN\n" +msgstr "在 FQDN 內指定了無效的網域\n" + +#: src/tools/sss_useradd.c:142 src/tools/sss_groupmod.c:144 +#: src/tools/sss_groupmod.c:173 src/tools/sss_usermod.c:197 +#: src/tools/sss_usermod.c:226 +msgid "Internal error while parsing parameters\n" +msgstr "當解析參數時發生內部錯誤\n" + +#: src/tools/sss_useradd.c:151 src/tools/sss_usermod.c:206 +#: src/tools/sss_usermod.c:235 +msgid "Groups must be in the same domain as user\n" +msgstr "群組必須位於與使用者相同的網域內\n" + +#: src/tools/sss_useradd.c:159 +#, c-format +msgid "Cannot find group %1$s in local domain\n" +msgstr "" + +#: src/tools/sss_useradd.c:174 src/tools/sss_userdel.c:219 +msgid "Cannot set default values\n" +msgstr "無法設定預設值\n" + +#: src/tools/sss_useradd.c:181 src/tools/sss_usermod.c:187 +msgid "The selected UID is outside the allowed range\n" +msgstr "所選的 UID 位於許可的範圍外\n" + +#: src/tools/sss_useradd.c:210 src/tools/sss_usermod.c:305 +msgid "Cannot set SELinux login context\n" +msgstr "" + +#: src/tools/sss_useradd.c:224 +msgid "Cannot get info about the user\n" +msgstr "無法取得關於這位使用者的資訊\n" + +#: src/tools/sss_useradd.c:236 +msgid "User's home directory already exists, not copying data from skeldir\n" +msgstr "使用者的家目錄已經存在,不會從骨幹目錄複製資料\n" + +#: src/tools/sss_useradd.c:239 +#, c-format +msgid "Cannot create user's home directory: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:250 +#, c-format +msgid "Cannot create user's mail 
spool: %1$s\n" +msgstr "" + +#: src/tools/sss_useradd.c:270 +msgid "Could not allocate ID for the user - domain full?\n" +msgstr "無法為使用者分配 ID - 網域已滿?\n" + +#: src/tools/sss_useradd.c:274 +msgid "A user or group with the same name or ID already exists\n" +msgstr "已經存在相同名稱的使用者或群組\n" + +#: src/tools/sss_useradd.c:280 +msgid "Transaction error. Could not add user.\n" +msgstr "處理事項發生錯誤。無法加入使用者。\n" + +#: src/tools/sss_groupadd.c:43 src/tools/sss_groupmod.c:48 +msgid "The GID of the group" +msgstr "群組的 GID" + +#: src/tools/sss_groupadd.c:76 +msgid "Specify group to add\n" +msgstr "指定要加入的群組\n" + +#: src/tools/sss_groupadd.c:106 src/tools/sss_groupmod.c:198 +msgid "The selected GID is outside the allowed range\n" +msgstr "所選的 GID 位於許可的範圍外\n" + +#: src/tools/sss_groupadd.c:143 +msgid "Could not allocate ID for the group - domain full?\n" +msgstr "無法為群組分配 ID - 網域已滿?\n" + +#: src/tools/sss_groupadd.c:147 +msgid "A group with the same name or GID already exists\n" +msgstr "已經存在相同名稱的群組或 GID\n" + +#: src/tools/sss_groupadd.c:153 +msgid "Transaction error. Could not add group.\n" +msgstr "處理事項發生錯誤。無法加入群組。\n" + +#: src/tools/sss_groupdel.c:70 +msgid "Specify group to delete\n" +msgstr "指定要刪除的群組\n" + +#: src/tools/sss_groupdel.c:104 +#, c-format +msgid "Group %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_groupdel.c:119 src/tools/sss_groupmod.c:225 +#: src/tools/sss_groupmod.c:232 src/tools/sss_groupmod.c:239 +#: src/tools/sss_userdel.c:295 src/tools/sss_usermod.c:282 +#: src/tools/sss_usermod.c:289 src/tools/sss_usermod.c:296 +#, c-format +msgid "NSS request failed (%1$d). Entry might remain in memory cache.\n" +msgstr "" + +#: src/tools/sss_groupdel.c:132 +msgid "" +"No such group in local domain. Removing groups only allowed in local " +"domain.\n" +msgstr "在本機網域內沒有這樣的群組。只許可在本機網域內移除群組。\n" + +#: src/tools/sss_groupdel.c:137 +msgid "Internal error. 
Could not remove group.\n" +msgstr "內部錯誤。無法移除群組。\n" + +#: src/tools/sss_groupmod.c:44 +msgid "Groups to add this group to" +msgstr "" + +#: src/tools/sss_groupmod.c:46 +msgid "Groups to remove this group from" +msgstr "" + +#: src/tools/sss_groupmod.c:87 src/tools/sss_usermod.c:100 +msgid "Specify group to remove from\n" +msgstr "" + +#: src/tools/sss_groupmod.c:101 +msgid "Specify group to modify\n" +msgstr "指定要修改的群組\n" + +#: src/tools/sss_groupmod.c:130 +msgid "" +"Cannot find group in local domain, modifying groups is allowed only in local " +"domain\n" +msgstr "在本機網域內找不到群組,只許可在本機網域內修改群組\n" + +#: src/tools/sss_groupmod.c:153 src/tools/sss_groupmod.c:182 +msgid "Member groups must be in the same domain as parent group\n" +msgstr "成員群組必須位於與親代群組相同的網域內\n" + +#: src/tools/sss_groupmod.c:161 src/tools/sss_groupmod.c:190 +#: src/tools/sss_usermod.c:214 src/tools/sss_usermod.c:243 +#, c-format +msgid "" +"Cannot find group %1$s in local domain, only groups in local domain are " +"allowed\n" +msgstr "" + +#: src/tools/sss_groupmod.c:257 +msgid "Could not modify group - check if member group names are correct\n" +msgstr "" + +#: src/tools/sss_groupmod.c:261 +msgid "Could not modify group - check if groupname is correct\n" +msgstr "無法修改群組 - 請檢查群組名稱是否正確\n" + +#: src/tools/sss_groupmod.c:265 +msgid "Transaction error. 
Could not modify group.\n" +msgstr "處理事項發生錯誤。無法修改群組。\n" + +#: src/tools/sss_groupshow.c:615 +#, c-format +msgid "%1$s%2$sGroup: %3$s\n" +msgstr "" + +#: src/tools/sss_groupshow.c:616 +msgid "Magic Private " +msgstr "魔法隱私" + +#: src/tools/sss_groupshow.c:618 +#, c-format +msgid "%1$sGID number: %2$d\n" +msgstr "" + +#: src/tools/sss_groupshow.c:620 +#, c-format +msgid "%1$sMember users: " +msgstr "" + +#: src/tools/sss_groupshow.c:627 +#, c-format +msgid "" +"\n" +"%1$sIs a member of: " +msgstr "" + +#: src/tools/sss_groupshow.c:634 +#, c-format +msgid "" +"\n" +"%1$sMember groups: " +msgstr "" + +#: src/tools/sss_groupshow.c:670 +msgid "Print indirect group members recursively" +msgstr "遞迴地列出間接的群組成員" + +#: src/tools/sss_groupshow.c:704 +msgid "Specify group to show\n" +msgstr "指定要顯示的群組\n" + +#: src/tools/sss_groupshow.c:744 +msgid "" +"No such group in local domain. Printing groups only allowed in local " +"domain.\n" +msgstr "本機網域內沒有這樣的群組。只許可在本機網域內列出群組。\n" + +#: src/tools/sss_groupshow.c:749 +msgid "Internal error. 
Could not print group.\n" +msgstr "內部錯誤。無法列出群組。\n" + +#: src/tools/sss_userdel.c:136 +msgid "Remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:138 +msgid "Do not remove home directory and mail spool" +msgstr "" + +#: src/tools/sss_userdel.c:140 +msgid "Force removal of files not owned by the user" +msgstr "強制檔案的移除並非由使用者所擁有" + +#: src/tools/sss_userdel.c:142 +msgid "Kill users' processes before removing him" +msgstr "" + +#: src/tools/sss_userdel.c:188 +msgid "Specify user to delete\n" +msgstr "指定要刪除的使用者\n" + +#: src/tools/sss_userdel.c:234 +#, c-format +msgid "User %1$s is outside the defined ID range for domain\n" +msgstr "" + +#: src/tools/sss_userdel.c:259 +msgid "Cannot reset SELinux login context\n" +msgstr "" + +#: src/tools/sss_userdel.c:271 +#, c-format +msgid "WARNING: The user (uid %1$lu) was still logged in when deleted.\n" +msgstr "" + +#: src/tools/sss_userdel.c:276 +msgid "Cannot determine if the user was logged in on this platform" +msgstr "" + +#: src/tools/sss_userdel.c:281 +msgid "Error while checking if the user was logged in\n" +msgstr "" + +#: src/tools/sss_userdel.c:288 +#, c-format +msgid "The post-delete command failed: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:308 +msgid "Not removing home dir - not owned by user\n" +msgstr "不會移除家目錄 - 並非由使用者所擁有\n" + +#: src/tools/sss_userdel.c:310 +#, c-format +msgid "Cannot remove homedir: %1$s\n" +msgstr "" + +#: src/tools/sss_userdel.c:324 +msgid "" +"No such user in local domain. Removing users only allowed in local domain.\n" +msgstr "在本機網域內沒有這樣的使用者。只許可在本機網域內移除使用者。\n" + +#: src/tools/sss_userdel.c:329 +msgid "Internal error. 
Could not remove user.\n" +msgstr "內部錯誤。無法移除使用者。\n" + +#: src/tools/sss_usermod.c:49 +msgid "The GID of the user" +msgstr "使用者的 GID" + +#: src/tools/sss_usermod.c:53 +msgid "Groups to add this user to" +msgstr "" + +#: src/tools/sss_usermod.c:54 +msgid "Groups to remove this user from" +msgstr "" + +#: src/tools/sss_usermod.c:55 +msgid "Lock the account" +msgstr "鎖住這個帳號" + +#: src/tools/sss_usermod.c:56 +msgid "Unlock the account" +msgstr "解除這個帳號的鎖" + +#: src/tools/sss_usermod.c:57 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:58 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#: src/tools/sss_usermod.c:59 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#: src/tools/sss_usermod.c:117 src/tools/sss_usermod.c:126 +#: src/tools/sss_usermod.c:135 +msgid "Specify the attribute name/value pair(s)\n" +msgstr "" + +#: src/tools/sss_usermod.c:152 +msgid "Specify user to modify\n" +msgstr "指定要修改的使用者\n" + +#: src/tools/sss_usermod.c:180 +msgid "" +"Cannot find user in local domain, modifying users is allowed only in local " +"domain\n" +msgstr "在本機網域內找不到使用者,只許可在本機網域內修改使用者\n" + +#: src/tools/sss_usermod.c:322 +msgid "Could not modify user - check if group names are correct\n" +msgstr "無法修改使用者 - 請檢查群組名稱是否正確\n" + +#: src/tools/sss_usermod.c:326 +msgid "Could not modify user - user already member of groups?\n" +msgstr "無法修改使用者 - 使用者是否已經是群組的成員?\n" + +#: src/tools/sss_usermod.c:330 +msgid "Transaction error. 
Could not modify user.\n" +msgstr "處理事項發生錯誤。無法修改使用者。\n" + +#: src/tools/sss_cache.c:218 +msgid "No cache object matched the specified search\n" +msgstr "" + +#: src/tools/sss_cache.c:502 +#, c-format +msgid "Couldn't invalidate %1$s\n" +msgstr "" + +#: src/tools/sss_cache.c:509 +#, c-format +msgid "Couldn't invalidate %1$s %2$s\n" +msgstr "" + +#: src/tools/sss_cache.c:672 +msgid "Invalidate all cached entries" +msgstr "" + +#: src/tools/sss_cache.c:674 +msgid "Invalidate particular user" +msgstr "" + +#: src/tools/sss_cache.c:676 +msgid "Invalidate all users" +msgstr "" + +#: src/tools/sss_cache.c:678 +msgid "Invalidate particular group" +msgstr "" + +#: src/tools/sss_cache.c:680 +msgid "Invalidate all groups" +msgstr "" + +#: src/tools/sss_cache.c:682 +msgid "Invalidate particular netgroup" +msgstr "" + +#: src/tools/sss_cache.c:684 +msgid "Invalidate all netgroups" +msgstr "" + +#: src/tools/sss_cache.c:686 +msgid "Invalidate particular service" +msgstr "" + +#: src/tools/sss_cache.c:688 +msgid "Invalidate all services" +msgstr "" + +#: src/tools/sss_cache.c:691 +msgid "Invalidate particular autofs map" +msgstr "" + +#: src/tools/sss_cache.c:693 +msgid "Invalidate all autofs maps" +msgstr "" + +#: src/tools/sss_cache.c:697 +msgid "Invalidate particular SSH host" +msgstr "" + +#: src/tools/sss_cache.c:699 +msgid "Invalidate all SSH hosts" +msgstr "" + +#: src/tools/sss_cache.c:703 +msgid "Invalidate particular sudo rule" +msgstr "" + +#: src/tools/sss_cache.c:705 +msgid "Invalidate all cached sudo rules" +msgstr "" + +#: src/tools/sss_cache.c:708 +msgid "Only invalidate entries from a particular domain" +msgstr "" + +#: src/tools/sss_cache.c:762 +msgid "" +"Unexpected argument(s) provided, options that invalidate a single object " +"only accept a single provided argument.\n" +msgstr "" + +#: src/tools/sss_cache.c:772 +msgid "Please select at least one object to invalidate\n" +msgstr "" + +#: src/tools/sss_cache.c:852 +#, c-format +msgid "" +"Could not open domain 
%1$s. If the domain is a subdomain (trusted domain), " +"use fully qualified name instead of --domain/-d parameter.\n" +msgstr "" + +#: src/tools/sss_cache.c:856 +msgid "Could not open available domains\n" +msgstr "" + +#: src/tools/tools_util.c:202 +#, c-format +msgid "Name '%1$s' does not seem to be FQDN ('%2$s = TRUE' is set)\n" +msgstr "" + +#: src/tools/tools_util.c:309 +msgid "Out of memory\n" +msgstr "記憶體耗盡\n" + +#: src/tools/tools_util.h:40 +#, c-format +msgid "%1$s must be run as root\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:35 +msgid "yes" +msgstr "" + +#: src/tools/sssctl/sssctl.c:37 +msgid "no" +msgstr "" + +#: src/tools/sssctl/sssctl.c:39 +msgid "error" +msgstr "" + +#: src/tools/sssctl/sssctl.c:42 +msgid "Invalid result." +msgstr "" + +#: src/tools/sssctl/sssctl.c:78 +#, c-format +msgid "Unable to read user input\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:91 +#, c-format +msgid "Invalid input, please provide either '%s' or '%s'.\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:109 src/tools/sssctl/sssctl.c:114 +#, c-format +msgid "Error while executing external command\n" +msgstr "" + +#: src/tools/sssctl/sssctl.c:156 +msgid "SSSD needs to be running. Start SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:195 +msgid "SSSD must not be running. Stop SSSD now?" +msgstr "" + +#: src/tools/sssctl/sssctl.c:231 +msgid "SSSD needs to be restarted. Restart SSSD now?" 
+msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:31 +#, c-format +msgid " %s is not present in cache.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:33 +msgid "Name" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:34 +msgid "Cache entry creation date" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:35 +msgid "Cache entry last update time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:36 +msgid "Cache entry expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:37 +msgid "Cached in InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:512 +#, c-format +msgid "Error: Unable to get object [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:528 +#, c-format +msgid "%s: Unable to read value [%d]: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:556 +msgid "Specify name." +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:566 +#, c-format +msgid "Unable to parse name %s.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:592 src/tools/sssctl/sssctl_cache.c:639 +msgid "Search by SID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:593 +msgid "Search by user ID" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:602 +msgid "Initgroups expiration time" +msgstr "" + +#: src/tools/sssctl/sssctl_cache.c:640 +msgid "Search by group ID" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:67 +#, c-format +msgid "" +"File %1$s does not exist. SSSD will use default configuration with files " +"provider.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:81 +#, c-format +msgid "" +"File ownership and permissions check failed. 
Expected root:root and 0600.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:104 +#, c-format +msgid "Issues identified by validators: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:114 +#, c-format +msgid "Messages generated during configuration merging: %zu\n" +msgstr "" + +#: src/tools/sssctl/sssctl_config.c:127 +#, c-format +msgid "Used configuration snippet files: %u\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:89 +#, c-format +msgid "Unable to create backup directory [%d]: %s" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:95 +msgid "SSSD backup of local data already exists, override?" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:111 +#, c-format +msgid "Unable to export user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:118 +#, c-format +msgid "Unable to export group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:134 src/tools/sssctl/sssctl_data.c:217 +msgid "Override existing backup" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:164 +#, c-format +msgid "Unable to import user overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:173 +#, c-format +msgid "Unable to import group overrides\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:194 src/tools/sssctl/sssctl_domains.c:74 +#: src/tools/sssctl/sssctl_domains.c:339 +msgid "Start SSSD if it is not running" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:195 +msgid "Restart SSSD after data import" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:218 +msgid "Create clean cache files and import local data" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:219 +msgid "Stop SSSD before removing the cache" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:220 +msgid "Start SSSD when the cache is removed" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:235 +#, c-format +msgid "Creating backup of local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:238 +#, c-format +msgid "Unable to create backup of local data, can not remove the cache.\n" 
+msgstr "" + +#: src/tools/sssctl/sssctl_data.c:243 +#, c-format +msgid "Removing cache files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:246 +#, c-format +msgid "Unable to remove cache files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_data.c:251 +#, c-format +msgid "Restoring local data...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:75 +msgid "Show domain list including primary or trusted domain type" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +#, c-format +msgid "Online status: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Online" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:156 +msgid "Offline" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:214 +#, c-format +msgid "Active servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:231 +msgid "not connected" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:278 +#, c-format +msgid "Discovered %s servers:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:296 +msgid "None so far.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:336 +msgid "Show online status" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:337 +msgid "Show information about active server" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:338 +msgid "Show list of discovered servers" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:344 +msgid "Specify domain name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:360 +#, c-format +msgid "Out of memory!\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:377 src/tools/sssctl/sssctl_domains.c:387 +#, c-format +msgid "Unable to get online status\n" +msgstr "" + +#: src/tools/sssctl/sssctl_domains.c:397 +#, c-format +msgid "Unable to get server list\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:47 +msgid "\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:237 +msgid "Delete log files instead of truncating" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:248 +#, c-format +msgid "Deleting log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:251 +#, c-format +msgid "Unable to remove log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:257 +#, c-format +msgid "Truncating log files...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:260 +#, c-format +msgid "Unable to truncate log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:286 +#, c-format +msgid "Out of memory!" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:289 +#, c-format +msgid "Archiving log files into %s...\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:292 +#, c-format +msgid "Unable to archive log files\n" +msgstr "" + +#: src/tools/sssctl/sssctl_logs.c:317 +msgid "Specify debug level you want to set" +msgstr "" + +#: src/tools/sssctl/sssctl_sifp.c:28 +msgid "" +"Check that SSSD is running and the InfoPipe responder is enabled. 
Make sure " +"'ifp' is listed in the 'services' option in sssd.conf.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:91 +#, c-format +msgid "Unable to connect to the InfoPipe" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:97 +#, c-format +msgid "Unable to get user object" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:101 +#, c-format +msgid "SSSD InfoPipe user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:113 +#, c-format +msgid "Unable to get user name attr" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:146 +#, c-format +msgid "dlopen failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:153 +#, c-format +msgid "dlsym failed with [%s].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:161 +#, c-format +msgid "malloc failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:168 +#, c-format +msgid "sss_getpwnam_r failed with [%d].\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:173 +#, c-format +msgid "SSSD nss user lookup result:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:174 +#, c-format +msgid " - user name: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:175 +#, c-format +msgid " - user id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:176 +#, c-format +msgid " - group id: %d\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:177 +#, c-format +msgid " - gecos: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:178 +#, c-format +msgid " - home directory: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:179 +#, c-format +msgid "" +" - shell: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:211 +msgid "PAM action [auth|acct|setc|chau|open|clos], default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:214 +msgid "PAM service, default: " +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:219 +msgid "Specify user name." 
+msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:226 +#, c-format +msgid "" +"user: %s\n" +"action: %s\n" +"service: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:232 +#, c-format +msgid "User name lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:237 +#, c-format +msgid "InfoPipe User lookup with [%s] failed.\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:244 +#, c-format +msgid "pam_start failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:249 +#, c-format +msgid "" +"testing pam_authenticate\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:253 +#, c-format +msgid "pam_get_item failed: %s\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:257 +#, c-format +msgid "" +"pam_authenticate for user [%s]: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:260 +#, c-format +msgid "" +"testing pam_chauthtok\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:262 +#, c-format +msgid "" +"pam_chauthtok: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:264 +#, c-format +msgid "" +"testing pam_acct_mgmt\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:266 +#, c-format +msgid "" +"pam_acct_mgmt: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:268 +#, c-format +msgid "" +"testing pam_setcred\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:270 +#, c-format +msgid "" +"pam_setcred: [%s]\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:272 +#, c-format +msgid "" +"testing pam_open_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:274 +#, c-format +msgid "" +"pam_open_session: %s\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:276 +#, c-format +msgid "" +"testing pam_close_session\n" +"\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:278 +#, c-format +msgid "" +"pam_close_session: %s\n" +"\n" +msgstr "" + +#: 
src/tools/sssctl/sssctl_user_checks.c:281 +#, c-format +msgid "unknown action\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:284 +#, c-format +msgid "PAM Environment:\n" +msgstr "" + +#: src/tools/sssctl/sssctl_user_checks.c:292 +#, c-format +msgid " - no env -\n" +msgstr "" + +#: src/util/util.h:75 +msgid "The user ID to run the server as" +msgstr "" + +#: src/util/util.h:77 +msgid "The group ID to run the server as" +msgstr "" + +#: src/util/util.h:85 +msgid "Informs that the responder has been socket-activated" +msgstr "" + +#: src/util/util.h:87 +msgid "Informs that the responder has been dbus-activated" +msgstr "" diff --git a/src/build_macros.m4 b/src/build_macros.m4 new file mode 100644 index 0000000..92d7c65 --- /dev/null +++ b/src/build_macros.m4 
@@ -0,0 +1,50 @@
+AC_DEFUN([BUILD_WITH_SHARED_BUILD_DIR],
+ [ AC_ARG_WITH([shared-build-dir],
+ [AC_HELP_STRING([--with-shared-build-dir=DIR],
+ [temporary build directory where libraries are installed [$srcdir/sharedbuild]])])
+
+ sharedbuilddir="$srcdir/sharedbuild"
+ if test x"$with_shared_build_dir" != x; then
+ sharedbuilddir=$with_shared_build_dir
+ CFLAGS="$CFLAGS -I$with_shared_build_dir/include"
+ CPPFLAGS="$CPPFLAGS -I$with_shared_build_dir/include"
+ LDFLAGS="$LDFLAGS -L$with_shared_build_dir/lib"
+ fi
+ AC_SUBST(sharedbuilddir)
+ ])
+
+AC_DEFUN([BUILD_WITH_AUX_INFO],
+ [ AC_ARG_WITH([aux-info],
+ [AC_HELP_STRING([--with-aux-info],
+ [Build with -aux-info output])])
+ ])
+AM_CONDITIONAL([WANT_AUX_INFO], [test x$with_aux_info = xyes])
+
+dnl AC_CONFIG_FILES conditionalization requires using AM_COND_IF, however
+dnl dnl AM_COND_IF is new to Automake 1.11. To use it on new Automake without
+dnl dnl requiring same, a fallback implementation for older Autoconf is provided.
+dnl dnl Note that disabling of AC_CONFIG_FILES requires Automake 1.11, this code
+dnl dnl is correct only in terms of m4sh generated script.
+m4_ifndef([AM_COND_IF], [AC_DEFUN([AM_COND_IF], [
+if test -z "$$1_TRUE"; then :
+m4_n([$2])[]dnl
+m4_ifval([$3],
+[else
+$3
+])dnl
+fi[]dnl
+])])
+
+dnl SSS_AC_EXPAND_LIB_DIR() prepare variable sss_extra_libdir,
+dnl variable will contain expanded version of string "$libdir"
+dnl therefore this variable can be safely added to LDFLAGS as
+dnl "-L$sss_extra_libdir ".
+AC_DEFUN([SSS_AC_EXPAND_LIB_DIR],
+[
+ AC_REQUIRE([AC_LIB_PREPARE_PREFIX])
+ dnl By default, look in $includedir and $libdir.
+ AC_LIB_WITH_FINAL_PREFIX([
+ eval additional_libdir=\"$libdir\"
+ ])
+ sss_extra_libdir="$additional_libdir"
+])
diff --git a/src/conf_macros.m4 b/src/conf_macros.m4
new file mode 100644
index 0000000..7001a3e
--- /dev/null
+++ b/src/conf_macros.m4
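Review bot: In src/build_macros.m4 the `AM_CONDITIONAL` line tests `x$with_aux_info` unquoted, while `BUILD_WITH_SHARED_BUILD_DIR` in the same file quotes its option value (`test x"$with_shared_build_dir" != x`). The unquoted value is word-split by the shell, so a `--with-aux-info=` argument containing whitespace reaches `test` as extra arguments instead of being compared as one string. Quoting it the same way keeps the comparison literal: `AM_CONDITIONAL([WANT_AUX_INFO], [test x"$with_aux_info" = xyes])`. Separately, `--with-shared-build-dir` puts DIR on the header and library search paths through `CFLAGS`, `CPPFLAGS` and `LDFLAGS`, which deserves a comment in the macro such as `dnl DIR is searched for headers and libraries; it must not be writable by untrusted users.`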
@@ -0,0 +1,950 @@ +AC_DEFUN([WITH_DB_PATH], + [ AC_ARG_WITH([db-path], + [AC_HELP_STRING([--with-db-path=PATH], + [Path to the SSSD databases [/var/lib/sss/db]] + ) + ] + ) + config_dbpath="\"SSS_STATEDIR\"/db" + dbpath="${localstatedir}/lib/sss/db" + if test x"$with_db_path" != x; then + config_dbpath=$with_db_path + dbpath=$with_db_path + fi + AC_SUBST(dbpath) + AC_DEFINE_UNQUOTED(DB_PATH, "$config_dbpath", [Path to the SSSD databases]) + ]) + +AC_DEFUN([WITH_PLUGIN_PATH], + [ AC_ARG_WITH([plugin-path], + [AC_HELP_STRING([--with-plugin-path=PATH], + [Path to the SSSD data provider plugins [/usr/lib/sssd]] + ) + ] + ) + pluginpath="${libdir}/sssd" + config_pluginpath="\"LIBDIR\"/sssd" + if test x"$with_plugin_path" != x; then + pluginpath=$with_plugin_path + config_pluginpath=$with_plugin_path + fi + AC_SUBST(pluginpath) + AC_DEFINE_UNQUOTED(DATA_PROVIDER_PLUGINS_PATH, "$config_pluginpath", [Path to the SSSD data provider plugins]) + ]) + +AC_DEFUN([WITH_PID_PATH], + [ AC_ARG_WITH([pid-path], + [AC_HELP_STRING([--with-pid-path=PATH], + [Where to store pid files for the SSSD [/var/run]] + ) + ] + ) + config_pidpath="\"VARDIR\"/run" + pidpath="${localstatedir}/run" + if test x"$with_pid_path" != x; then + config_pidpath=$with_pid_path + pidpath=$with_pid_path + fi + AC_SUBST(pidpath) + AC_DEFINE_UNQUOTED(PID_PATH, "$config_pidpath", [Where to store pid files for the SSSD]) + ]) + +AC_DEFUN([WITH_LOG_PATH], + [ AC_ARG_WITH([log-path], + [AC_HELP_STRING([--with-log-path=PATH], + [Where to store log files for the SSSD [/var/log/sssd]] + ) + ] + ) + config_logpath="\"VARDIR\"/log/sssd" + logpath="${localstatedir}/log/sssd" + if test x"$with_log_path" != x; then + config_logpath=$with_log_path + logpath=$with_log_path + fi + AC_SUBST(logpath) + AC_DEFINE_UNQUOTED(LOG_PATH, "$config_logpath", [Where to store log files for the SSSD]) + ]) + +AC_DEFUN([WITH_PUBCONF_PATH], + [ AC_ARG_WITH([pubconf-path], + [AC_HELP_STRING([--with-pubconf-path=PATH], + [Where to store pubconf 
files for the SSSD [/var/lib/sss/pubconf]] + ) + ] + ) + config_pubconfpath="\"SSS_STATEDIR\"/pubconf" + pubconfpath="${localstatedir}/lib/sss/pubconf" + if test x"$with_pubconf_path" != x; then + config_pubconfpath=$with_pubconf_path + pubconfpath=$with_pubconf_path + fi + AC_SUBST(pubconfpath) + AC_DEFINE_UNQUOTED(PUBCONF_PATH, "$config_pubconfpath", [Where to store pubconf files for the SSSD]) + ]) + +AC_DEFUN([WITH_PIPE_PATH], + [ AC_ARG_WITH([pipe-path], + [AC_HELP_STRING([--with-pipe-path=PATH], + [Where to store pipe files for the SSSD interconnects [/var/lib/sss/pipes]] + ) + ] + ) + config_pipepath="\"SSS_STATEDIR\"/pipes" + pipepath="${localstatedir}/lib/sss/pipes" + if test x"$with_pipe_path" != x; then + config_pipepath=$with_pipe_path + pipepath=$with_pipe_path + fi + AC_SUBST(pipepath) + AC_DEFINE_UNQUOTED(PIPE_PATH, "$config_pipepath", [Where to store pipe files for the SSSD interconnects]) + ]) + +AC_DEFUN([WITH_MCACHE_PATH], + [ AC_ARG_WITH([mcache-path], + [AC_HELP_STRING([--with-mcache-path=PATH], + [Where to store mmap cache files for the SSSD interconnects [/var/lib/sss/mc]] + ) + ] + ) + config_mcpath="\"SSS_STATEDIR\"/mc" + mcpath="${localstatedir}/lib/sss/mc" + if test x"$with_mcache_path" != x; then + config_mcpath=$with_mcache_path + mcpath=$with_mcache_path + fi + AC_SUBST(mcpath) + AC_DEFINE_UNQUOTED(MCACHE_PATH, "$config_mcpath", [Where to store mmap cache files for the SSSD interconnects]) + ]) + +AC_DEFUN([WITH_INITSCRIPT], + [ AC_ARG_WITH([initscript], + [AC_HELP_STRING([--with-initscript=INITSCRIPT_TYPE], + [Type of your init script (sysv|systemd). 
[sysv]] + ) + ] + ) + default_initscript=sysv + if test x"$with_initscript" = x; then + with_initscript=$default_initscript + fi + + if test x"$with_initscript" = xsysv || \ + test x"$with_initscript" = xsystemd; then + initscript=$with_initscript + else + AC_MSG_ERROR([Illegal value -$with_initscript- for option --with-initscript]) + fi + + AM_CONDITIONAL([HAVE_SYSV], [test x"$initscript" = xsysv]) + AM_CONDITIONAL([HAVE_SYSTEMD_UNIT], [test x"$initscript" = xsystemd]) + AC_MSG_NOTICE([Will use init script type: $initscript]) + ]) + +AC_DEFUN([WITH_SYSLOG], + [ AC_ARG_WITH([syslog], + [AC_HELP_STRING([--with-syslog=SYSLOG_TYPE], + [Type of your system logger (syslog|journald). [syslog]] + ) + ], + [], + [with_syslog="syslog"] + ) + + if test x"$with_syslog" = xsyslog || \ + test x"$with_syslog" = xjournald; then + syslog=$with_syslog + else + AC_MSG_ERROR([Unknown syslog type, supported types are syslog and journald]) + fi + + AM_CONDITIONAL([WITH_JOURNALD], [test x"$syslog" = xjournald]) + ]) + +AC_DEFUN([WITH_ENVIRONMENT_FILE], + [ AC_ARG_WITH([environment_file], + [AC_HELP_STRING([--with-environment-file=PATH], [Path to environment file [/etc/sysconfig/sssd]]) + ] + ) + + ENVIRONMENT_FILE_PATH="${sysconfdir}/sysconfig/sssd" + if test x"$with_environment_file" != x; then + ENVIRONMENT_FILE_PATH=$with_environment_file + fi + AC_SUBST(environment_file, [$ENVIRONMENT_FILE_PATH]) + ]) + +AC_DEFUN([WITH_INIT_DIR], + [ AC_ARG_WITH([init-dir], + [AC_HELP_STRING([--with-init-dir=DIR], + [Where to store init script for sssd [/etc/rc.d/init.d]] + ) + ] + ) + initdir="${sysconfdir}/rc.d/init.d" + if test x$osname = xgentoo; then + initdir="${sysconfdir}/init.d" + fi + if test x"$with_init_dir" != x; then + initdir=$with_init_dir + fi + AC_SUBST(initdir) + ]) + +dnl A macro to configure the directory to install the systemd unit files to +AC_DEFUN([WITH_SYSTEMD_UNIT_DIR], + [ AC_ARG_WITH([systemdunitdir], + [ AC_HELP_STRING([--with-systemdunitdir=DIR], + [Directory for 
systemd service files [Auto]] + ), + ], + ) + if test x"$with_systemdunitdir" != x; then + systemdunitdir=$with_systemdunitdir + else + systemdunitdir=$($PKG_CONFIG --variable=systemdsystemunitdir systemd) + if test x"$systemdunitdir" = x; then + AC_MSG_ERROR([Could not detect systemd unit directory]) + fi + fi + AC_SUBST(systemdunitdir) + ]) + +dnl A macro to configure the directory to install the systemd unit file +dnl overrides to +AC_DEFUN([WITH_SYSTEMD_CONF_DIR], + [ AC_ARG_WITH([systemdconfdir], + [ AC_HELP_STRING([--with-systemdconfdir=DIR], + [Directory for systemd service file overrides [Auto]] + ), + ], + ) + if test x"$with_systemdconfdir" != x; then + systemdconfdir=$with_systemdconfdir + else + systemdconfdir=$($PKG_CONFIG --variable=systemdsystemconfdir systemd) + if test x"$systemdconfdir" = x; then + AC_MSG_ERROR([Could not detect systemd config directory]) + fi + fi + AC_SUBST(systemdconfdir, [$systemdconfdir/sssd.service.d]) + ]) + +AC_DEFUN([WITH_MANPAGES], + [ AC_ARG_WITH([manpages], + [AC_HELP_STRING([--with-manpages], + [Whether to regenerate man pages from DocBook sources [yes]] + ) + ], + [], + with_manpages=yes + ) + if test x"$with_manpages" = xyes; then + HAVE_MANPAGES=1 + AC_SUBST(HAVE_MANPAGES) + fi + ]) +AM_CONDITIONAL([BUILD_MANPAGES], [test x$with_manpages = xyes]) + +AC_DEFUN([WITH_XML_CATALOG], + [ AC_ARG_WITH([xml-catalog-path], + [AC_HELP_STRING([--with-xml-catalog-path=PATH], + [Where to look for XML catalog [/etc/xml/catalog]] + ) + ] + ) + SGML_CATALOG_FILES="/etc/xml/catalog" + if test x"$with_xml_catalog_path" != x; then + SGML_CATALOG_FILES="$with_xml_catalog_path" + fi + AC_SUBST([SGML_CATALOG_FILES]) + ]) + +AC_DEFUN([WITH_KRB5_PLUGIN_PATH], + [ AC_ARG_WITH([krb5-plugin-path], + [AC_HELP_STRING([--with-krb5-plugin-path=PATH], + [Path to Kerberos plugin store [/usr/lib/krb5/plugins/libkrb5]] + ) + ] + ) + krb5pluginpath="${libdir}/krb5/plugins/libkrb5" + if test x"$with_krb5_plugin_path" != x; then + 
krb5pluginpath=$with_krb5_plugin_path + fi + AC_SUBST(krb5pluginpath) + ]) + +AC_DEFUN([WITH_CIFS_PLUGIN_PATH], + [ AC_ARG_WITH([cifs-plugin-path], + [AC_HELP_STRING([--with-cifs-plugin-path=PATH], + [Path to cifs-utils plugin store [/usr/lib/cifs-utils]] + ) + ] + ) + cifspluginpath="${libdir}/cifs-utils" + if test x"$with_cifs_plugin_path" != x; then + cifspluginpath=$with_cifs_plugin_path + fi + AC_SUBST(cifspluginpath) + ]) + +AC_DEFUN([WITH_WINBIND_PLUGIN_PATH], + [ AC_ARG_WITH([winbind-plugin-path], + [AC_HELP_STRING([--with-winbind-plugin-path=PATH], + [Path to winbind idmap plugin store [/usr/lib/samba/idmap]] + ) + ] + ) + winbindpluginpath="${libdir}/samba/idmap" + if test x"$with_winbind_plugin_path" != x; then + winbindpluginpath=$with_winbind_plugin_path + fi + AC_SUBST(winbindpluginpath) + ]) + +AC_DEFUN([WITH_KRB5_RCACHE_DIR], + [ AC_ARG_WITH([krb5-rcache-dir], + [AC_HELP_STRING([--with-krb5-rcache-dir=PATH], + [Path to store Kerberos replay caches [__LIBKRB5_DEFAULTS__]] + ) + ] + ) + krb5rcachedir="__LIBKRB5_DEFAULTS__" + if test x"$with_krb5_rcache_dir" != x; then + krb5rcachedir=$with_krb5_rcache_dir + fi + AC_SUBST(krb5rcachedir) + AC_DEFINE_UNQUOTED(KRB5_RCACHE_DIR, "$krb5rcachedir", [Directory used for storing Kerberos replay caches]) + ]) + +AC_DEFUN([WITH_DEFAULT_CCACHE_DIR], + [ AC_ARG_WITH([default-ccache-dir], + [AC_HELP_STRING([--with-default-ccache-dir=CCACHEDIR], + [The default value of krb5_ccachedir [/tmp]] + ) + ] + ) + config_def_ccache_dir="/tmp" + if test x"$with_default_ccache_dir" != x; then + config_def_ccache_dir=$with_default_ccache_dir + fi + AC_SUBST(config_def_ccache_dir) + AC_DEFINE_UNQUOTED(DEFAULT_CCACHE_DIR, "$config_def_ccache_dir", [The default value of krb5_ccachedir]) + ]) + +AC_DEFUN([WITH_DEFAULT_CCNAME_TEMPLATE], + [ AC_ARG_WITH([default-ccname-template], + [AC_HELP_STRING([--with-default-ccname-template=CCACHE], + [The default fallback value of krb5_ccname_template [FILE:%d/krb5cc_%U_XXXXXX]] + ) + ] + ) + 
config_def_ccname_template="FILE:%d/krb5cc_%U_XXXXXX" + if test x"$with_default_ccname_template" != x; then + config_def_ccname_template=$with_default_ccname_template + fi + AC_SUBST(config_def_ccname_template) + AC_DEFINE_UNQUOTED(DEFAULT_CCNAME_TEMPLATE, "$config_def_ccname_template", [The default value of krb5_ccname_template]) + ]) + +AC_DEFUN([WITH_KRB5AUTHDATA_PLUGIN_PATH], + [ AC_ARG_WITH([krb5authdata-plugin-path], + [AC_HELP_STRING([--with-krb5authdata-plugin-path=PATH], + [Path to Kerberos authdata plugin store [/usr/lib/krb5/plugins/authdata]] + ) + ] + ) + krb5authdatapluginpath="${libdir}/krb5/plugins/authdata" + if test x"$with_krb5authdata_plugin_path" != x; then + krb5authdatapluginpath=$with_krb5authdata_plugin_path + fi + AC_SUBST(krb5authdatapluginpath) + ]) + +AC_DEFUN([WITH_KRB5_CONF], + [ AC_ARG_WITH([krb5_conf], + [AC_HELP_STRING([--with-krb5-conf=PATH], [Path to krb5.conf file [/etc/krb5.conf]]) + ] + ) + + KRB5_CONF_PATH="\"SYSCONFDIR\"/krb5.conf" + if test x"$with_krb5_conf" != x; then + KRB5_CONF_PATH=$with_krb5_conf + fi + AC_DEFINE_UNQUOTED([KRB5_CONF_PATH], ["$KRB5_CONF_PATH"], [KRB5 configuration file]) + ]) + +AC_DEFUN([WITH_PYTHON2_BINDINGS], + [ AC_ARG_WITH([python2-bindings], + [AC_HELP_STRING([--with-python2-bindings], + [Whether to build python2 bindings [yes]]) + ], + [], + [with_python2_bindings=yes] + ) + if test x"$with_python2_bindings" = xyes; then + AC_SUBST([HAVE_PYTHON2_BINDINGS], [1]) + AC_DEFINE_UNQUOTED([HAVE_PYTHON2_BINDINGS], [1], + [Build with python2 bindings]) + fi + AM_CONDITIONAL([BUILD_PYTHON2_BINDINGS], + [test x"$with_python2_bindings" = xyes]) + ]) + +AC_DEFUN([WITH_PYTHON3_BINDINGS], + [ AC_ARG_WITH([python3-bindings], + [AC_HELP_STRING([--with-python3-bindings], + [Whether to build python3 bindings [yes]]) + ], + [], + [with_python3_bindings=yes] + ) + if test x"$with_python3_bindings" = xyes; then + AC_SUBST([HAVE_PYTHON3_BINDINGS], [1]) + AC_DEFINE_UNQUOTED([HAVE_PYTHON3_BINDINGS], [1], + [Build with 
python3 bindings]) + fi + AM_CONDITIONAL([BUILD_PYTHON3_BINDINGS], + [test x"$with_python3_bindings" = xyes]) + ]) + +AC_DEFUN([WITH_SELINUX], + [ AC_ARG_WITH([selinux], + [AC_HELP_STRING([--with-selinux], + [Whether to build with SELinux support [yes]] + ) + ], + [], + with_selinux=yes + ) + if test x"$with_selinux" = xyes; then + HAVE_SELINUX=1 + AC_SUBST(HAVE_SELINUX) + AC_DEFINE_UNQUOTED(HAVE_SELINUX, 1, [Build with SELinux support]) + fi + AM_CONDITIONAL([BUILD_SELINUX], [test x"$with_selinux" = xyes]) + ]) + +AC_DEFUN([WITH_TEST_DIR], + [ AC_ARG_WITH([test-dir], + [AC_HELP_STRING([--with-test-dir=PATH], + [Directory used for make check temporary files [$builddir]] + ) + ], + [TEST_DIR=$withval], + [TEST_DIR="."] + ) + AC_SUBST(TEST_DIR) + AC_DEFINE_UNQUOTED(TEST_DIR, "$TEST_DIR", [Directory used for 'make check' temporary files]) + ]) + +AC_DEFUN([WITH_IPA_GETKEYTAB], + [ AC_ARG_WITH([ipa_getkeytab], + [AC_HELP_STRING([--with-ipa-getkeytab=PATH], + [Path to ipa_getkeytab binary to retrieve keytabs from FreeIPA server [/usr/sbin/ipa-getkeytab]] + ) + ] + ) + IPA_GETKEYTAB_PATH="/usr/sbin/ipa-getkeytab" + if test x"$with_ipa_getkeytab" != x; then + IPA_GETKEYTAB_PATH=$with_ipa_getkeytab + fi + AC_DEFINE_UNQUOTED(IPA_GETKEYTAB_PATH, "$IPA_GETKEYTAB_PATH", [The path to the ipa-getkeytab utility]) + ]) + +AC_DEFUN([WITH_NSCD], + [ AC_ARG_WITH([nscd], + [AC_HELP_STRING([--with-nscd=PATH], + [Path to nscd binary to attempt to flush nscd cache after local domain operations [/usr/sbin/nscd]] + ) + ] + ) + NSCD_PATH="/usr/sbin/nscd" + if test x"$with_nscd" != x; then + NSCD_PATH=$with_nscd + AC_SUBST(NSCD_PATH) + fi + AC_DEFINE_UNQUOTED(HAVE_NSCD, $NSCD_PATH, [flush nscd cache after local domain operations]) + ]) + +AC_DEFUN([WITH_NSCD_CONF], + [ AC_ARG_WITH([nscd_conf], + [AC_HELP_STRING([--with-nscd-conf=PATH], [Path to nscd.conf file [/etc/nscd.conf]]) + ] + ) + + NSCD_CONF_PATH="/etc/nscd.conf" + if test x"$with_nscd_conf" != x; then + 
NSCD_CONF_PATH=$with_nscd_conf + fi + AC_DEFINE_UNQUOTED([NSCD_CONF_PATH], ["$NSCD_CONF_PATH"], [NSCD configuration file]) + ]) + + +AC_DEFUN([WITH_SEMANAGE], + [ AC_ARG_WITH([semanage], + [AC_HELP_STRING([--with-semanage], + [Whether to build with SELinux user management support [yes]] + ) + ], + [], + with_semanage=yes + ) + if test x"$with_semanage" = xyes; then + HAVE_SEMANAGE=1 + AC_SUBST(HAVE_SEMANAGE) + AC_DEFINE_UNQUOTED(HAVE_SEMANAGE, 1, [Build with SELinux support]) + fi + AM_CONDITIONAL([BUILD_SEMANAGE], [test x"$with_semanage" = xyes]) + ]) + +AC_DEFUN([WITH_GPO_CACHE_PATH], + [ AC_ARG_WITH([gpo-cache-path], + [AC_HELP_STRING([--with-gpo-cache-path=PATH], + [Where to store GPO policy files [/var/lib/sss/gpo_cache]] + ) + ] + ) + config_gpocachepath="\"SSS_STATEDIR\"/gpo_cache" + gpocachepath="${localstatedir}/lib/sss/gpo_cache" + if test x"$with_gpo_cache_path" != x; then + config_gpocachepath=$with_gpo_cache_path + gpocachepath=$with_gpo_cache_path + fi + AC_SUBST(gpocachepath) + AC_DEFINE_UNQUOTED(GPO_CACHE_PATH, "$config_gpocachepath", [Where to store GPO policy files]) + ]) + +AC_DEFUN([WITH_LIBNL], + [ AC_ARG_WITH([libnl], + [AC_HELP_STRING([--with-libnl], + [Whether to build with libnetlink support (libnl3, libnl1, no) [auto]] + ) + ], + [], + with_libnl=yes + ) + + if test x"$with_libnl" = xyes; then + + AM_CHECK_LIBNL3 + + if test x"$HAVE_LIBNL" != x1; then + AM_CHECK_LIBNL1 + fi + + if test x"$HAVE_LIBNL" != x1; then + AC_MSG_WARN([Building without netlink]) + fi + + elif test x"$with_libnl" = xlibnl3; then + + AM_CHECK_LIBNL3 + + if test x"$HAVE_LIBNL" != x1; then + AC_MSG_ERROR([Libnl3 required, but not available]) + fi + + elif test x"$with_libnl" = xlibnl1; then + + AM_CHECK_LIBNL1 + + if test x"$HAVE_LIBNL" != x1; then + AC_MSG_ERROR([Libnl required, but not available]) + fi + fi + ]) + +AC_DEFUN([WITH_CRYPTO], + [ AC_ARG_WITH([crypto], + [AC_HELP_STRING([--with-crypto=CRYPTO_LIB], + [The cryptographic library to use (nss|libcrypto). 
The default is nss.] + ) + ], + [], + with_crypto=nss + ) + + cryptolib="" + if test x"$with_crypto" != x; then + if test x"$with_crypto" = xnss || \ + test x"$with_crypto" = xlibcrypto; then + cryptolib="$with_crypto"; + else + AC_MSG_ERROR([Illegal value -$with_crypto- for option --with-crypto]) + fi + fi + AM_CONDITIONAL([HAVE_NSS], [test x"$cryptolib" = xnss]) + AM_CONDITIONAL([HAVE_LIBCRYPTO], [test x"$cryptolib" = xlibcrypto]) + ]) + +AC_DEFUN([WITH_NOLOGIN_SHELL], + [ AC_ARG_WITH([nologin-shell], + [AC_HELP_STRING([--with-nologin-shell=PATH], + [The shell used to deny access to users [/sbin/nologin]] + ) + ] + ) + nologin_shell="/sbin/nologin" + if test x"$with_nologin_shell" != x; then + nologin_shell=$with_nologin_shell + fi + AC_DEFINE_UNQUOTED(NOLOGIN_SHELL, "$nologin_shell", [The shell used to deny access to users]) + ]) + +AC_DEFUN([WITH_SESSION_RECORDING_SHELL], + [ AC_ARG_WITH([session-recording-shell], + [AC_HELP_STRING([--with-session-recording-shell=PATH], + [The shell used to record user sessions [/usr/bin/tlog-rec-session]] + ) + ] + ) + session_recording_shell="/usr/bin/tlog-rec-session" + if test x"$with_session_recording_shell" != x; then + session_recording_shell=$with_session_recording_shell + fi + AC_SUBST(session_recording_shell) + AC_DEFINE_UNQUOTED(SESSION_RECORDING_SHELL, "$session_recording_shell", + [The shell used to record user sessions]) + ]) + +AC_ARG_ENABLE([all-experimental-features], + [AS_HELP_STRING([--enable-all-experimental-features], + [build all experimental features])], + [build_all_experimental_features=$enableval], + [build_all_experimental_features=no]) + + +AC_DEFUN([WITH_UNICODE_LIB], + [ AC_ARG_WITH([unicode-lib], + [AC_HELP_STRING([--with-unicode-lib=], + [Which library to use for Unicode processing (libunistring, glib2) [glib2]] + ) + ] + ) + unicode_lib="glib2" + if test x"$with_unicode_lib" != x; then + unicode_lib=$with_unicode_lib + fi + + if test x"$unicode_lib" != x"libunistring" -a x"$unicode_lib" != 
x"glib2"; then + AC_MSG_ERROR([Unsupported Unicode library]) + fi + + AM_CONDITIONAL([WITH_LIBUNISTRING], test x"$unicode_lib" = x"libunistring") + AM_CONDITIONAL([WITH_GLIB], test x"$unicode_lib" = x"glib2") + ]) + +AC_DEFUN([WITH_APP_LIBS], + [ AC_ARG_WITH([app-libs], + [AC_HELP_STRING([--with-app-libs=], + [Path to the 3rd party application plugins [/usr/lib/sssd/modules]] + ) + ] + ) + appmodpath="${libdir}/sssd/modules" + config_appmodpath="\"LIBDIR\"/sssd/modules" + if test x"$with_app_libs" != x; then + appmodpath=$with_app_libs + config_appmodpath=$with_app_libs + fi + AC_SUBST(appmodpath) + AC_DEFINE_UNQUOTED(APP_MODULES_PATH, "$config_appmodpath", [Path to the 3rd party modules]) + ]) + +AC_DEFUN([WITH_SUDO], + [ AC_ARG_WITH([sudo], + [AC_HELP_STRING([--with-sudo], + [Whether to build with sudo support [yes]] + ) + ], + [with_sudo=$withval], + with_sudo=yes + ) + + if test x"$with_sudo" = xyes; then + AC_DEFINE(BUILD_SUDO, 1, [whether to build with SUDO support]) + fi + AM_CONDITIONAL([BUILD_SUDO], [test x"$with_sudo" = xyes]) + ]) + +AC_DEFUN([WITH_SUDO_LIB_PATH], + [ AC_ARG_WITH([sudo-lib-path], + [AC_HELP_STRING([--with-sudo-lib-path=], + [Path to the sudo library [/usr/lib/]] + ) + ] + ) + sudolibpath="${libdir}" + if test x"$with_sudo_lib_path" != x; then + sudolibpath=$with_sudo_lib_path + fi + AC_SUBST(sudolibpath) + ]) + +AC_DEFUN([WITH_AUTOFS], + [ AC_ARG_WITH([autofs], + [AC_HELP_STRING([--with-autofs], + [Whether to build with autofs support [yes]] + ) + ], + [with_autofs=$withval], + with_autofs=yes + ) + + if test x"$with_autofs" = xyes; then + AC_DEFINE(BUILD_AUTOFS, 1, [whether to build with AUTOFS support]) + fi + AM_CONDITIONAL([BUILD_AUTOFS], [test x"$with_autofs" = xyes]) + ]) + +AC_DEFUN([WITH_SSH], + [ AC_ARG_WITH([ssh], + [AC_HELP_STRING([--with-ssh], + [Whether to build with SSH support [yes]] + ) + ], + [with_ssh=$withval], + with_ssh=yes + ) + + if test x"$with_ssh" = xyes; then + AC_DEFINE(BUILD_SSH, 1, [whether to build with SSH 
support]) + fi + AM_CONDITIONAL([BUILD_SSH], [test x"$with_ssh" = xyes]) + ]) + +AC_DEFUN([WITH_IFP], + [ AC_ARG_WITH([infopipe], + [AC_HELP_STRING([--with-infopipe], + [Whether to build with InfoPipe support [yes]] + ) + ], + [with_infopipe=$withval], + with_infopipe=yes + ) + + if test x"$with_infopipe" = xyes; then + AC_DEFINE(BUILD_IFP, 1, [whether to build with InfoPipe support]) + fi + AM_CONDITIONAL([BUILD_IFP], [test x"$with_infopipe" = xyes]) + ]) + +AC_DEFUN([WITH_LIBWBCLIENT], + [ AC_ARG_WITH([libwbclient], + [AC_HELP_STRING([--with-libwbclient], + [Whether to build SSSD implementation of libwbclient [yes]] + ) + ], + [with_libwbclient=$withval], + with_libwbclient=yes + ) + + if test x"$with_libwbclient" = xyes; then + AC_DEFINE(BUILD_LIBWBCLIENT, 1, [whether to build SSSD implementation of libwbclient]) + + libwbclient_version="0.14" + AC_SUBST(libwbclient_version) + + libwbclient_version_info="14:0:14" + AC_SUBST(libwbclient_version_info) + fi + AM_CONDITIONAL([BUILD_LIBWBCLIENT], [test x"$with_libwbclient" = xyes]) + ]) + +AC_DEFUN([WITH_SAMBA], + [ AC_ARG_WITH([samba], + [AC_HELP_STRING([--with-samba], + [Whether to build with samba4 libraries [yes]] + ) + ], + [with_samba=$withval], + [with_samba=yes] + ) + + if test x"$with_samba" = xyes; then + AC_DEFINE(BUILD_SAMBA, 1, [whether to build with samba support]) + fi + AM_CONDITIONAL([BUILD_SAMBA], [test x"$with_samba" = xyes]) + ]) + +AC_ARG_ENABLE([dbus-tests], + [AS_HELP_STRING([--enable-dbus-tests], + [enable running tests using a dbus server instance [default=yes]])], + [build_dbus_tests=$enableval], + [build_dbus_tests=yes]) +AM_CONDITIONAL([BUILD_DBUS_TESTS], [test x$build_dbus_tests = xyes]) + +AC_ARG_ENABLE([sss-default-nss-plugin], + [AS_HELP_STRING([--enable-sss-default-nss-plugin], + [This option change standard behaviour of sss nss + plugin. If this option is enabled the sss nss + plugin will behave as it was not in + nsswitch.conf when sssd is not running. 
+ [default=no]])], + [enable_sss_default_nss_plugin=$enableval], + [enable_sss_default_nss_plugin=no]) +AS_IF([test x$enable_sss_default_nss_plugin = xyes], + AC_DEFINE_UNQUOTED([NONSTANDARD_SSS_NSS_BEHAVIOUR], [1], + [whether to build sssd nss plugin with nonstandard glibc behaviour])) + +AC_DEFUN([WITH_NFS], + [ AC_ARG_WITH([nfsv4-idmapd-plugin], + [AC_HELP_STRING([--with-nfsv4-idmapd-plugin], + [Whether to build with NFSv4 IDMAP support [yes]] + ) + ], + [with_nfsv4_idmap=$withval], + [with_nfsv4_idmap=yes] + ) + + if test x"$with_nfsv4_idmap" = xyes; then + AC_DEFINE(BUILD_NFS_IDMAP, 1, [whether to build with NFSv4 IDMAP support]) + fi + AM_CONDITIONAL([BUILD_NFS_IDMAP], [test x"$with_nfsv4_idmap" = xyes]) + ]) + +AC_DEFUN([WITH_NFS_LIB_PATH], + [ AC_ARG_WITH([nfs-lib-path], + [AC_HELP_STRING([--with-nfs-lib-path=], + [Path to the NFS library [${libdir}]] + ) + ] + ) + nfslibpath="${libdir}" + if test x"$with_nfs_lib_path" != x; then + nfslibpath=$with_nfs_lib_path + fi + AC_SUBST(nfslibpath) + ]) + +AC_DEFUN([WITH_SSSD_USER], + [ AC_ARG_WITH([sssd-user], + [AS_HELP_STRING([--with-sssd-user=], + [User for running SSSD (root)] + ) + ] + ) + + SSSD_USER=root + + if test x"$with_sssd_user" != x; then + SSSD_USER=$with_sssd_user + fi + + AC_SUBST(SSSD_USER) + AC_DEFINE_UNQUOTED(SSSD_USER, "$SSSD_USER", ["The default user to run SSSD as"]) + AM_CONDITIONAL([SSSD_USER], [test x"$with_sssd_user" != x]) + ]) + + AC_DEFUN([WITH_AD_GPO_DEFAULT], + [ AC_ARG_WITH([ad-gpo-default], + [AS_HELP_STRING([--with-ad-gpo-default=[enforcing|permissive]], + [Default enforcing level for AD GPO access-control (enforcing)] + ) + ] + ) + GPO_DEFAULT=enforcing + + if test x"$with_ad_gpo_default" != x; then + if test ! "$with_ad_gpo_default" = "enforcing" -a ! 
"$with_ad_gpo_default" = "permissive"; then + AC_MSG_ERROR("GPO Default must be either "enforcing" or "permissive") + else + GPO_DEFAULT=$with_ad_gpo_default + fi + fi + + AC_SUBST(GPO_DEFAULT) + AC_DEFINE_UNQUOTED(AD_GPO_ACCESS_MODE_DEFAULT, "$GPO_DEFAULT", ["The default enforcing level for AD GPO access-control"]) + AM_CONDITIONAL([GPO_DEFAULT_ENFORCING], [test x"$GPO_DEFAULT" = xenforcing]) + ]) + +AC_DEFUN([ENABLE_POLKIT_RULES_PATH], + [ + polkitdir="/usr/share/polkit-1/rules.d" + AC_ARG_ENABLE([polkit-rules-path], + [AC_HELP_STRING([--enable-polkit-rules-path=PATH], + [Path to store polkit rules at. Use --disable to not install the rules at all. [/usr/share/polkit-1/rules.d]] + ) + ], + [ polkitdir=$enableval ], + ) + + if test x"$polkitdir" != xno; then + HAVE_POLKIT_RULES_D=1 + AC_SUBST(polkitdir) + fi + + AM_CONDITIONAL([HAVE_POLKIT_RULES_D], [test x$HAVE_POLKIT_RULES_D != x]) + ]) + +dnl Backwards compat for older autoconf +AC_DEFUN([SSSD_RUNSTATEDIR], + [ + if test x"$runstatedir" = x; then + AC_SUBST([runstatedir], + ["${localstatedir}/run"]) + fi + ]) + +AC_DEFUN([WITH_SECRETS], + [ AC_ARG_WITH([secrets], + [AC_HELP_STRING([--with-secrets], + [Whether to build with secrets support [yes]] + ) + ], + [with_secrets=$withval], + with_secrets=yes + ) + + if test x"$with_secrets" = xyes; then + AC_DEFINE(BUILD_SECRETS, 1, [whether to build with SECRETS support]) + fi + AM_CONDITIONAL([BUILD_SECRETS], [test x"$with_secrets" = xyes]) + ]) + +AC_DEFUN([WITH_KCM], + [ AC_ARG_WITH([kcm], + [AC_HELP_STRING([--with-kcm], + [Whether to build with KCM server support [yes]] + ) + ], + [with_kcm=$withval], + with_kcm=yes + ) + + if test x"$with_kcm" = xyes; then + AC_DEFINE(BUILD_KCM, 1, [whether to build with KCM server support]) + fi + AM_CONDITIONAL([BUILD_KCM], [test x"$with_kcm" = xyes]) + ]) + +AC_DEFUN([WITH_SECRETS_DB_PATH], + [ AC_ARG_WITH([secrets-db-path], + [AC_HELP_STRING([--with-secrets-db-path=PATH], + [Path to the SSSD databases [/var/lib/sss/secrets]] + 
) + ] + ) + config_secdbpath="\"SSS_STATEDIR\"/secrets" + secdbpath="${localstatedir}/lib/sss/secrets" + if test x"$with_secrets_db_path" != x; then + config_secdbpath=$with_secrets_db_path + secdbpath=$with_secrets_db_path + fi + AC_SUBST(secdbpath) + AC_DEFINE_UNQUOTED(SECRETS_DB_PATH, "$config_secdbpath", [Path to the SSSD Secrets databases]) + ]) + +AC_ARG_ENABLE([files-domain], + [AS_HELP_STRING([--enable-files-domain], + [If this feature is enabled, then SSSD always enables + a domain with id_provider=files even if the domain + is not specified in the config file + [default=no]])], + [enable_files_domain=$enableval], + [enable_files_domain=no]) +AS_IF([test x$enable_files_domain = xyes], + AC_DEFINE_UNQUOTED([ADD_FILES_DOMAIN], [1], + [whether to build unconditionally enable files domain])) +AM_CONDITIONAL([ADD_FILES_DOMAIN], [test x$enable_files_domain = xyes]) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c new file mode 100644 index 0000000..a3eb9c6 --- /dev/null +++ b/src/confdb/confdb.c 
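Review bot: WITH_NSCD and WITH_IPA_GETKEYTAB copy the option value straight into the compiled-in helper path, so `--with-nscd` given without `=PATH` (value `yes`), `--with-nscd=no`, or a relative name all end up as the binary path. Per the help strings these are binaries the daemon runs, and a relative name would presumably be resolved against whatever the working directory is at run time. Rejecting anything that is not absolute closes that, e.g. `AS_CASE(["$with_nscd"], [/*], [NSCD_PATH=$with_nscd], [AC_MSG_ERROR([--with-nscd requires an absolute path])])` in place of the bare assignment, and the same for `$with_ipa_getkeytab`; if `no` is meant to disable the nscd flush it needs its own branch. In the same macro, `HAVE_NSCD` is defined to the unquoted `$NSCD_PATH` and `AC_SUBST(NSCD_PATH)` runs only when the option is given, unlike the quoted `"$NSCD_CONF_PATH"` define in WITH_NSCD_CONF, so it is worth confirming that both are intended.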
@@ -0,0 +1,2203 @@ +/* + SSSD + + SSSD Configuration DB + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include "util/util.h" +#include "confdb/confdb.h" +#include "confdb/confdb_private.h" +#include "util/strtonum.h" +#include "db/sysdb.h" + +#define CONFDB_ZERO_CHECK_OR_JUMP(var, ret, err, label) do { \ + if (!var) { \ + ret = err; \ + goto label; \ + } \ +} while(0) + +/* Warning messages */ +#define SAME_DOMAINS_ERROR_MSG "Domain '%s' is the same as or differs only "\ + "in case from domain '%s'.\n" + +static char *prepend_cn(char *str, int *slen, const char *comp, int clen) +{ + char *ret; + + ret = talloc_realloc(NULL, str, char, *slen + 4 + clen + 1); + if (!ret) + return NULL; + + /* move current string to the end */ + memmove(&ret[clen +4], ret, *slen+1); /* includes termination */ + memcpy(ret, "cn=", 3); + memcpy(&ret[3], comp, clen); + ret[clen+3] = ','; + + *slen = *slen + 4 + clen; + + return ret; +} + +int parse_section(TALLOC_CTX *mem_ctx, const char *section, + char **sec_dn, const char **rdn_name) +{ + TALLOC_CTX *tmp_ctx; + char *dn = NULL; + char *p; + const char *s; + int l, ret; + + /* section must be a non null string and must not start with '/' */ + if (!section || !*section || *section == '/') return EINVAL; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + s = section; + l = 0; + while ((p = 
strchrnul(s, '/'))) { + if (l == 0) { + dn = talloc_asprintf(tmp_ctx, "cn=%s", s); + l = 3 + (p-s); + dn[l] = '\0'; + } else { + dn = prepend_cn(dn, &l, s, p-s); + } + if (!dn) { + ret = ENOMEM; + goto done; + } + if (*p == '\0') { + if (rdn_name) *rdn_name = s; + break; /* reached end */ + } + s = p+1; + if (*s == '\0') { /* a section cannot end in '.' */ + ret = EINVAL; + goto done; + } + } + + *sec_dn = talloc_steal(mem_ctx, dn); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int confdb_add_param(struct confdb_ctx *cdb, + bool replace, + const char *section, + const char *attribute, + const char **values) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct ldb_message *msg; + struct ldb_result *res; + struct ldb_dn *dn; + char *secdn; + const char *rdn_name; + int ret, i; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + ret = parse_section(tmp_ctx, section, &secdn, &rdn_name); + if (ret != EOK) { + goto done; + } + + dn = ldb_dn_new(tmp_ctx, cdb->ldb, secdn); + CONFDB_ZERO_CHECK_OR_JUMP(dn, ret, EIO, done); + + ret = ldb_search(cdb->ldb, tmp_ctx, &res, + dn, LDB_SCOPE_BASE, NULL, NULL); + if (ret != LDB_SUCCESS) { + ret = EIO; + goto done; + } + + msg = ldb_msg_new(tmp_ctx); + CONFDB_ZERO_CHECK_OR_JUMP(msg, ret, ENOMEM, done); + + msg->dn = talloc_steal(msg, dn); + CONFDB_ZERO_CHECK_OR_JUMP(msg->dn, ret, ENOMEM, done); + + if (res->count == 0) { /* add a new message */ + errno = 0; + + /* cn first */ + ret = ldb_msg_add_string(msg, "cn", rdn_name); + if (ret != LDB_SUCCESS) { + if (errno) ret = errno; + else ret = EIO; + goto done; + } + + /* now the requested attribute */ + for (i = 0; values[i]; i++) { + ret = ldb_msg_add_string(msg, attribute, values[i]); + if (ret != LDB_SUCCESS) { + if (errno) ret = errno; + else ret = EIO; + goto done; + } + } + + ret = ldb_add(cdb->ldb, msg); + if (ret != LDB_SUCCESS) { + ret = EIO; + goto done; + } + + } else { + int optype; + errno = 0; + + /* mark this as a replacement */ 
+ if (replace) optype = LDB_FLAG_MOD_REPLACE;
+ else optype = LDB_FLAG_MOD_ADD;
+ ret = ldb_msg_add_empty(msg, attribute, optype, NULL);
+ if (ret != LDB_SUCCESS) {
+ if (errno) ret = errno;
+ else ret = EIO;
+ goto done;
+ }
+
+ /* now the requested attribute */
+ for (i = 0; values[i]; i++) {
+ ret = ldb_msg_add_string(msg, attribute, values[i]);
+ if (ret != LDB_SUCCESS) {
+ if (errno) ret = errno;
+ else ret = EIO;
+ goto done;
+ }
+ }
+
+ ret = ldb_modify(cdb->ldb, msg);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldb_modify failed: [%s](%d)[%s]\n",
+ ldb_strerror(ret), ret, ldb_errstring(cdb->ldb));
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add [%s] to [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ }
+ return ret;
+}
+
+int confdb_get_param(struct confdb_ctx *cdb,
+ TALLOC_CTX *mem_ctx,
+ const char *section,
+ const char *attribute,
+ char ***values)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_result *res;
+ struct ldb_dn *dn;
+ char *secdn;
+ const char *attrs[] = { attribute, NULL };
+ char **vals;
+ struct ldb_message_element *el;
+ int ret, i;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx)
+ return ENOMEM;
+
+ ret = parse_section(tmp_ctx, section, &secdn, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, secdn);
+ if (!dn) {
+ ret = EIO;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res,
+ dn, LDB_SCOPE_BASE, attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+ if (res->count > 1) {
+ ret = EIO;
+ goto done;
+ }
+
+ vals = talloc_zero(mem_ctx, char *);
+ ret = EOK;
+
+ if (res->count > 0) {
+ el = ldb_msg_find_element(res->msgs[0], attribute);
+ if (el && el->num_values > 0) {
+ vals = talloc_realloc(mem_ctx, vals, char *, el->num_values +1);
+ if (!vals) {
+ ret = ENOMEM;
+ goto done;
+ }
+ /* should always be strings so this should be safe */
+ for (i = 0; i < el->num_values; i++) {
+ struct ldb_val v = el->values[i];
+ vals[i] = talloc_strndup(vals, (char *)v.data, v.length);
+ if (!vals[i]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ vals[i] = NULL;
+ }
+ }
+
+ *values = vals;
+
+done:
+ talloc_free(tmp_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to get [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ }
+ return ret;
+}
+
+int confdb_set_string(struct confdb_ctx *cdb,
+ const char *section,
+ const char *attribute,
+ const char *val)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_dn *dn;
+ char *secdn;
+ struct ldb_message *msg;
+ int ret, lret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = parse_section(tmp_ctx, section, &secdn, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, secdn);
+ if (!dn) {
+ ret = EIO;
+ goto done;
+ }
+
+ msg = ldb_msg_new(tmp_ctx);
+ if (!msg) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ msg->dn = dn;
+
+ lret = ldb_msg_add_empty(msg, attribute, LDB_FLAG_MOD_REPLACE, NULL);
+ if (lret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldb_msg_add_empty failed: [%s]\n", ldb_strerror(lret));
+ ret = EIO;
+ goto done;
+ }
+
+ lret = ldb_msg_add_string(msg, attribute, val);
+ if (lret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldb_msg_add_string failed: [%s]\n", ldb_strerror(lret));
+ ret = EIO;
+ goto done;
+ }
+
+ lret = ldb_modify(cdb->ldb, msg);
+ if (lret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldb_modify failed: [%s](%d)[%s]\n",
+ ldb_strerror(lret), lret, ldb_errstring(cdb->ldb));
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ }
+ return ret;
+}
+
+int confdb_get_string(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
+ const char *section, const char *attribute,
+ const char *defstr, char **result)
+{
+ char **values = NULL;
+ char *restr;
+ int ret;
+
+ ret = confdb_get_param(cdb, ctx, section, attribute, &values);
+ if (ret != EOK) {
+ goto failed;
+ }
+
+ if (values[0]) {
+ if (values[1] != NULL) {
+ /* too many values */
+ ret = EINVAL;
+ goto failed;
+ }
+ restr = talloc_steal(ctx, values[0]);
+ } else {
+ /* Did not return a value, so use the default */
+
+ if (defstr == NULL) { /* No default given */
+ *result = NULL;
+ talloc_free(values);
+ return EOK;
+ }
+
+ /* Copy the default string */
+ restr = talloc_strdup(ctx, defstr);
+ }
+ if (!restr) {
+ ret = ENOMEM;
+ goto failed;
+ }
+
+ talloc_free(values);
+
+ *result = restr;
+ return EOK;
+
+failed:
+ talloc_free(values);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to get [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ return ret;
+}
+
+int confdb_get_int(struct confdb_ctx *cdb,
+ const char *section, const char *attribute,
+ int defval, int *result)
+{
+ char **values = NULL;
+ long val;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
+
+ ret = confdb_get_param(cdb, tmp_ctx, section, attribute, &values);
+ if (ret != EOK) {
+ goto failed;
+ }
+
+ if (values[0]) {
+ if (values[1] != NULL) {
+ /* too many values */
+ ret = EINVAL;
+ goto failed;
+ }
+
+ errno = 0;
+ val = strtol(values[0], NULL, 0);
+ ret = errno;
+ if (ret != 0) {
+ goto failed;
+ }
+
+ if (val < INT_MIN || val > INT_MAX) {
+ ret = ERANGE;
+ goto failed;
+ }
+
+ } else {
+ val = defval;
+ }
+
+ talloc_free(tmp_ctx);
+
+ *result = (int)val;
+ return EOK;
+
+failed:
+ talloc_free(tmp_ctx);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ return ret;
+}
+
+long confdb_get_long(struct confdb_ctx *cdb,
+ const char *section, const char *attribute,
+ long defval, long *result)
+{
+ char **values = NULL;
+ long val;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
+
+ ret = confdb_get_param(cdb, tmp_ctx, section, attribute, &values);
+ if (ret != EOK) {
+ goto failed;
+ }
+
+ if (values[0]) {
+ if (values[1] != NULL) {
+ /* too many values */
+ ret = EINVAL;
+ goto failed;
+ }
+
+ errno = 0;
+ val = strtol(values[0], NULL, 0);
+ ret = errno;
+ if (ret != 0) {
+ goto failed;
+ }
+
+ } else {
+ val = defval;
+ }
+
+ talloc_free(tmp_ctx);
+
+ *result = val;
+ return EOK;
+
+failed:
+ talloc_free(tmp_ctx);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ return ret;
+}
+
+int confdb_get_bool(struct confdb_ctx *cdb,
+ const char *section, const char *attribute,
+ bool defval, bool *result)
+{
+ char **values = NULL;
+ bool val;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto failed;
+ }
+
+ ret = confdb_get_param(cdb, tmp_ctx, section, attribute, &values);
+ if (ret != EOK) {
+ goto failed;
+ }
+
+ if (values[0]) {
+ if (values[1] != NULL) {
+ /* too many values */
+ ret = EINVAL;
+ goto failed;
+ }
+
+ if (strcasecmp(values[0], "FALSE") == 0) {
+ val = false;
+
+ } else if (strcasecmp(values[0], "TRUE") == 0) {
+ val = true;
+
+ } else {
+
+ DEBUG(SSSDBG_OP_FAILURE, "Value is not a boolean!\n");
+ ret = EINVAL;
+ goto failed;
+ }
+
+ } else {
+ val = defval;
+ }
+
+ talloc_free(tmp_ctx);
+
+ *result = val;
+ return EOK;
+
+failed:
+ talloc_free(tmp_ctx);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ return ret;
+}
+
+/* WARNING: Unlike other similar functions, this one does NOT take a default,
+ * and returns ENOENT if the attribute was not found ! */
+int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
+ const char *section, const char *attribute,
+ char ***result)
+{
+ char **values = NULL;
+ int ret;
+
+ ret = confdb_get_param(cdb, ctx, section, attribute, &values);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (values && values[0]) {
+ if (values[1] != NULL) {
+ /* too many values */
+ ret = EINVAL;
+ goto done;
+ }
+ } else {
+ /* Did not return a value */
+ ret = ENOENT;
+ goto done;
+ }
+
+ ret = split_on_separator(ctx, values[0], ',', true, true, result, NULL);
+
+done:
+ talloc_free(values);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get [%s] from [%s], error [%d] (%s)\n",
+ attribute, section, ret, strerror(ret));
+ }
+ return ret;
+}
+
+int confdb_init(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx **cdb_ctx,
+ const char *confdb_location)
+{
+ struct confdb_ctx *cdb;
+ int ret = EOK;
+ mode_t old_umask;
+
+ cdb = talloc_zero(mem_ctx, struct confdb_ctx);
+ if (!cdb)
+ return ENOMEM;
+
+ /* Because confdb calls use sync ldb calls, we create a separate event
+ * context here. This will prevent the ldb sync calls to start nested
+ * events.
+ * NOTE: this means that we *cannot* do async calls and return in confdb
+ * unless we convert all calls and hook back to the main event context.
+ */
+
+ cdb->pev = tevent_context_init(cdb);
+ if (!cdb->pev) {
+ talloc_free(cdb);
+ return EIO;
+ }
+
+ cdb->ldb = ldb_init(cdb, cdb->pev);
+ if (!cdb->ldb) {
+ talloc_free(cdb);
+ return EIO;
+ }
+
+ ret = ldb_set_debug(cdb->ldb, ldb_debug_messages, NULL);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Could not set up debug fn.\n");
+ talloc_free(cdb);
+ return EIO;
+ }
+
+ old_umask = umask(SSS_DFL_UMASK);
+
+ ret = ldb_connect(cdb->ldb, confdb_location, 0, NULL);
+ umask(old_umask);
+ if (ret != LDB_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to open config database [%s]\n",
+ confdb_location);
+ talloc_free(cdb);
+ return EIO;
+ }
+
+ *cdb_ctx = cdb;
+
+ return EOK;
+}
+
+static errno_t get_entry_as_uint32(struct ldb_message *msg,
+ uint32_t *return_value,
+ const char *entry,
+ uint32_t default_value)
+{
+ const char *tmp = NULL;
+ char *endptr;
+ uint32_t u32ret = 0;
+
+ *return_value = 0;
+
+ if (!msg || !entry) {
+ return EFAULT;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(msg, entry, NULL);
+ if (tmp == NULL) {
+ *return_value = default_value;
+ return EOK;
+ }
+
+ if ((*tmp == '-') || (*tmp == '\0')) {
+ return EINVAL;
+ }
+
+ u32ret = strtouint32 (tmp, &endptr, 10);
+ if (errno) {
+ return errno;
+ }
+
+ if (*endptr != '\0') {
+ /* Not all of the string was a valid number */
+ return EINVAL;
+ }
+
+ *return_value = u32ret;
+ return EOK;
+}
+
+static errno_t get_entry_as_bool(struct ldb_message *msg,
+ bool *return_value,
+ const char *entry,
+ bool default_value)
+{
+ const char *tmp = NULL;
+
+ *return_value = 0;
+
+ if (!msg || !entry) {
+ return EFAULT;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(msg, entry, NULL);
+ if (tmp == NULL || *tmp == '\0') {
+ *return_value = default_value;
+ return EOK;
+ }
+
+ if (strcasecmp(tmp, "FALSE") == 0) {
+ *return_value = 0;
+ }
+ else if (strcasecmp(tmp, "TRUE") == 0) {
+ *return_value = 1;
+ }
+ else {
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
+
+/* The default UID/GID for domains is 1. This wouldn't work well with
+ * the local provider */
+static uint32_t confdb_get_min_id(struct sss_domain_info *domain)
+{
+ uint32_t defval = SSSD_MIN_ID;
+
+ if (domain && strcasecmp(domain->provider, "local") == 0) {
+ defval = SSSD_LOCAL_MINID;
+ }
+
+ return defval;
+}
+
+static errno_t init_cached_auth_timeout(struct confdb_ctx *cdb,
+ struct ldb_message *msg,
+ uint32_t *_cached_auth_timeout)
+{
+ int cred_expiration;
+ int id_timeout;
+ errno_t ret;
+ uint32_t cached_auth_timeout;
+
+ ret = get_entry_as_uint32(msg, &cached_auth_timeout,
+ CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n", CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT);
+ goto done;
+ }
+
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_CRED_TIMEOUT, 0, &cred_expiration);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read expiration time of offline credentials.\n");
+ goto done;
+ }
+
+ /* convert from days to seconds */
+ cred_expiration *= 3600 * 24;
+ if (cred_expiration != 0 &&
+ cred_expiration < cached_auth_timeout) {
+ cached_auth_timeout = cred_expiration;
+ }
+
+ /* Set up the PAM identity timeout */
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_ID_TIMEOUT, 5,
+ &id_timeout);
+ if (ret != EOK) goto done;
+
+ if (cached_auth_timeout > id_timeout) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "cached_auth_timeout is greater than pam_id_timeout so be aware "
+ "that back end could be called to handle initgroups.\n");
+ }
+
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *_cached_auth_timeout = cached_auth_timeout;
+ }
+ return ret;
+}
+
+static int confdb_get_domain_section(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ const char *section,
+ const char *name,
+ struct ldb_result **_res)
+{
+ TALLOC_CTX *tmp_ctx;
+ int ret;
+ struct ldb_result *res;
+ struct ldb_dn *dn;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new_fmt(tmp_ctx, cdb->ldb, "cn=%s,%s", name, section);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn,
+ LDB_SCOPE_BASE, NULL, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ goto done;
+ }
+
+ if (res->count == 0) {
+ ret = ENOENT;
+ goto done;
+ } else if (res->count > 1) {
+ ret = E2BIG;
+ goto done;
+ }
+
+ *_res = talloc_steal(mem_ctx, res);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int confdb_get_domain_internal(struct confdb_ctx *cdb,
+ TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct sss_domain_info **_domain)
+{
+ struct sss_domain_info *domain;
+ struct ldb_result *res;
+ TALLOC_CTX *tmp_ctx;
+ const char *tmp;
+ int ret, val;
+ uint32_t entry_cache_timeout;
+ char *default_domain;
+ bool fqnames_default = false;
+ int memcache_timeout;
+ bool enum_default;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = confdb_get_domain_section(tmp_ctx, cdb, CONFDB_DOMAIN_BASEDN,
+ name, &res);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unknown domain [%s]\n", name);
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Error %d: %s while retrieving %s\n",
+ ret, sss_strerror(ret), name);
+ goto done;
+ }
+
+ ret = confdb_get_int(cdb,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_MEMCACHE_TIMEOUT,
+ 300, &memcache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Unable to get memory cache entry timeout.\n");
+ goto done;
+ }
+
+ domain = talloc_zero(mem_ctx, struct sss_domain_info);
+ if (!domain) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], "cn", NULL);
+ if (!tmp) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid configuration entry, fatal error!\n");
+ ret = EINVAL;
+ goto done;
+ }
+ domain->name = talloc_strdup(domain, tmp);
+ if (!domain->name) {
+ ret = ENOMEM;
+ goto done;
+ }
+ domain->conn_name = domain->name;
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_ID_PROVIDER,
+ NULL);
+ if (tmp) {
+ domain->provider = talloc_strdup(domain, tmp);
+ if (!domain->provider) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Domain [%s] does not specify an ID provider, disabling!\n",
+ domain->name);
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = get_entry_as_bool(res->msgs[0], &domain->mpg,
+ CONFDB_DOMAIN_AUTO_UPG, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_AUTO_UPG);
+ goto done;
+ }
+
+ if (strcasecmp(domain->provider, "local") == 0) {
+ /* If this is the local provider, we need to ensure that
+ * no other provider was specified for other types, since
+ * the local provider cannot load them.
+ */
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_AUTH_PROVIDER,
+ NULL);
+ if (tmp && strcasecmp(tmp, "local") != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Local ID provider does not support [%s] as an AUTH provider.\n", tmp);
+ ret = EINVAL;
+ goto done;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_ACCESS_PROVIDER,
+ NULL);
+ if (tmp && strcasecmp(tmp, "permit") != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Local ID provider does not support [%s] as an ACCESS provider.\n", tmp);
+ ret = EINVAL;
+ goto done;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_CHPASS_PROVIDER,
+ NULL);
+ if (tmp && strcasecmp(tmp, "local") != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Local ID provider does not support [%s] as a CHPASS provider.\n", tmp);
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* The LOCAL provider use always Magic Private Groups */
+ domain->mpg = true;
+ }
+
+ domain->timeout = ldb_msg_find_attr_as_int(res->msgs[0],
+ CONFDB_DOMAIN_TIMEOUT, 0);
+
+ /* Determine if this domain can be enumerated */
+
+ /* TEMP: test if the old bitfield conf value is used and warn it has been
+ * superseded. */
+ val = ldb_msg_find_attr_as_int(res->msgs[0], CONFDB_DOMAIN_ENUMERATE, 0);
+ if (val > 0) { /* ok there was a number in here */
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Warning: enumeration parameter in %s still uses integers! "
+ "Enumeration is now a boolean and takes true/false values. "
+ "Interpreting as true\n", domain->name);
+ domain->enumerate = true;
+ } else { /* assume the new format */
+ enum_default = is_files_provider(domain);
+
+ ret = get_entry_as_bool(res->msgs[0], &domain->enumerate,
+ CONFDB_DOMAIN_ENUMERATE, enum_default);
+ if(ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_ENUMERATE);
+ goto done;
+ }
+ }
+
+ if (is_files_provider(domain)) {
+ /* The password field must be reported as 'x', else pam_unix won't
+ * authenticate this entry. See man pwconv(8) for more details.
+ */
+ domain->pwfield = "x";
+ }
+
+ if (!domain->enumerate) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No enumeration for [%s]!\n", domain->name);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Please note that when enumeration is disabled `getent "
+ "passwd` does not return all users by design. See "
+ "sssd.conf man page for more detailed information\n");
+ }
+
+ ret = confdb_get_string(cdb, tmp_ctx, CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DEFAULT_DOMAIN, NULL,
+ &default_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the default domain [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* Determine if user/group names will be Fully Qualified
+ * in NSS interfaces */
+ if (default_domain != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Default domain suffix set. Changing default for "
+ "use_fully_qualified_names to True.\n");
+ fqnames_default = true;
+ }
+
+ ret = get_entry_as_bool(res->msgs[0], &domain->fqnames,
+ CONFDB_DOMAIN_FQ, fqnames_default);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Invalid value for %s\n",
+ CONFDB_DOMAIN_FQ);
+ goto done;
+ }
+
+ if (default_domain != NULL && domain->fqnames == false) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid configuration detected (default_domain_suffix is used "
+ "while use_fully_qualified_names was set to false).\n");
+ ret = ERR_INVALID_CONFIG;
+ goto done;
+ }
+
+ ret = get_entry_as_bool(res->msgs[0], &domain->ignore_group_members,
+ CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS, 0);
+ if(ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n",
+ CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS);
+ goto done;
+ }
+
+ ret = get_entry_as_uint32(res->msgs[0], &domain->id_min,
+ CONFDB_DOMAIN_MINID,
+ confdb_get_min_id(domain));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Invalid value for minId\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = get_entry_as_uint32(res->msgs[0], &domain->id_max,
+ CONFDB_DOMAIN_MAXID, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Invalid value for maxId\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (domain->id_max && (domain->id_max < domain->id_min)) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Invalid domain range\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Do we allow to cache credentials */
+ ret = get_entry_as_bool(res->msgs[0], &domain->cache_credentials,
+ CONFDB_DOMAIN_CACHE_CREDS, 0);
+ if(ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_CACHE_CREDS);
+ goto done;
+ }
+
+ ret = get_entry_as_uint32(res->msgs[0],
+ &domain->cache_credentials_min_ff_length,
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH,
+ CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n",
+ CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH);
+ goto done;
+ }
+
+ ret = get_entry_as_bool(res->msgs[0], &domain->legacy_passwords,
+ CONFDB_DOMAIN_LEGACY_PASS, 0);
+ if(ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_LEGACY_PASS);
+ goto done;
+ }
+
+ /* Get the global entry cache timeout setting */
+ ret = get_entry_as_uint32(res->msgs[0], &entry_cache_timeout,
+ CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT, 5400);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ /* Override the user cache timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->user_timeout,
+ CONFDB_DOMAIN_USER_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_USER_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ if (domain->user_timeout < memcache_timeout) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "%s is less than %s. User records will not be updated before "
+ "memory cache entry expires.\n",
+ CONFDB_DOMAIN_USER_CACHE_TIMEOUT, CONFDB_MEMCACHE_TIMEOUT);
+ }
+
+ /* Override the group cache timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->group_timeout,
+ CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ if (domain->group_timeout < memcache_timeout) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "%s is less than %s. Group records will not be updated before "
+ "memory cache entry expires.\n",
+ CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT, CONFDB_MEMCACHE_TIMEOUT);
+ }
+
+ /* Override the netgroup cache timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->netgroup_timeout,
+ CONFDB_DOMAIN_NETGROUP_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_NETGROUP_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ /* Override the service cache timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->service_timeout,
+ CONFDB_DOMAIN_SERVICE_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_SERVICE_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ /* Override the autofs cache timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->autofsmap_timeout,
+ CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ /* Override the sudo cache timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->sudo_timeout,
+ CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ /* Override the ssh known hosts timeout, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->ssh_host_timeout,
+ CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT,
+ entry_cache_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT);
+ goto done;
+ }
+
+ /* Set refresh_expired_interval, if specified */
+ ret = get_entry_as_uint32(res->msgs[0], &domain->refresh_expired_interval,
+ CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL,
+ 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n",
+ CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL);
+ goto done;
+ }
+
+ /* detect and fix misconfiguration */
+ if (domain->refresh_expired_interval > entry_cache_timeout) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "refresh_expired_interval (%d) cannot be greater than "
+ "entry_cache_timeout (%u)\n",
+ domain->refresh_expired_interval, entry_cache_timeout);
+
+ domain->refresh_expired_interval = 0.75 * entry_cache_timeout;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "refresh_expired_interval is being set to recommended value "
+ "entry_cache_timeout * 0.75 (%u).\n",
+ domain->refresh_expired_interval);
+ }
+
+ /* Set the PAM warning time, if specified. If not specified, pass on
+ * the "not set" value of "-1" which means "use provider default". The
+ * value 0 means "always display the warning if server sends one" */
+ domain->pwd_expiration_warning = -1;
+
+ val = ldb_msg_find_attr_as_int(res->msgs[0],
+ CONFDB_DOMAIN_PWD_EXPIRATION_WARNING,
+ -1);
+ if (val == -1) {
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_PWD_EXPIRATION_WARNING,
+ -1, &val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read PAM expiration warning, not fatal.\n");
+ val = -1;
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "pwd_expiration_warning is %d\n", val);
+ if (val >= 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Setting domain password expiration warning to %d days\n", val);
+ /* The value is in days, transform it to seconds */
+ domain->pwd_expiration_warning = val * 24 * 3600;
+ }
+
+ ret = get_entry_as_uint32(res->msgs[0], &domain->override_gid,
+ CONFDB_DOMAIN_OVERRIDE_GID, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n", CONFDB_DOMAIN_OVERRIDE_GID);
+ goto done;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_OVERRIDE_HOMEDIR, NULL);
+ /* Here we skip the files provider as it should always return *only*
+ * what's in the files and nothing else. */
+ if (tmp != NULL && !is_files_provider(domain)) {
+ domain->override_homedir = talloc_strdup(domain, tmp);
+ if (!domain->override_homedir) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_FALLBACK_HOMEDIR, NULL);
+ if (tmp != NULL) {
+ domain->fallback_homedir = talloc_strdup(domain, tmp);
+ if (!domain->fallback_homedir) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR,
+ CONFDB_DOMAIN_DEFAULT_SUBDOMAIN_HOMEDIR);
+ if (tmp != NULL) {
+ domain->subdomain_homedir = talloc_strdup(domain, tmp);
+ if (!domain->subdomain_homedir) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_HOMEDIR_SUBSTRING, NULL);
+ if (tmp != NULL) {
+ domain->homedir_substr = talloc_strdup(domain, tmp);
+ if (domain->homedir_substr == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_OVERRIDE_SHELL, NULL);
+ /* Here we skip the files provider as it should always return *only*
+ * what's in the files and nothing else. */
+ if (tmp != NULL && !is_files_provider(domain)) {
+ domain->override_shell = talloc_strdup(domain, tmp);
+ if (!domain->override_shell) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_DEFAULT_SHELL, NULL);
+ if (tmp != NULL) {
+ domain->default_shell = talloc_strdup(domain, tmp);
+ if (!domain->default_shell) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_CASE_SENSITIVE, NULL);
+ if (tmp != NULL) {
+ if (strcasecmp(tmp, "true") == 0) {
+ domain->case_sensitive = true;
+ domain->case_preserve = true;
+ } else if (strcasecmp(tmp, "false") == 0) {
+ domain->case_sensitive = false;
+ domain->case_preserve = false;
+ } else if (strcasecmp(tmp, "preserving") == 0) {
+ domain->case_sensitive = false;
+ domain->case_preserve = true;
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE);
+ ret = EINVAL;
+ goto done;
+ }
+ } else {
+ /* default */
+ if (strcasecmp(domain->provider, "ad") == 0) {
+ domain->case_sensitive = false;
+ domain->case_preserve = false;
+ } else {
+ domain->case_sensitive = true;
+ domain->case_preserve = true;
+ }
+ }
+
+ if (domain->case_sensitive == false &&
+ strcasecmp(domain->provider, "local") == 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Local ID provider does not support the case insensitive flag\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_NSS_PWFIELD, NULL);
+ if (tmp != NULL) {
+ domain->pwfield = talloc_strdup(domain, tmp);
+ if (!domain->pwfield) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_SUBDOMAIN_ENUMERATE,
+ CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE);
+ if (tmp != NULL) {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->sd_enumerate, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse %s\n", CONFDB_SUBDOMAIN_ENUMERATE);
+ goto done;
+ }
+ }
+
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_SUBDOMAIN_INHERIT,
+ NULL);
+ if (tmp != NULL) {
+ ret = split_on_separator(domain, tmp, ',', true, true,
+ &domain->sd_inherit, NULL);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot parse %s\n", CONFDB_SUBDOMAIN_ENUMERATE);
+ goto done;
+ }
+ }
+
+ domain->type = DOM_TYPE_POSIX;
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0],
+ CONFDB_DOMAIN_TYPE,
+ CONFDB_DOMAIN_TYPE_POSIX);
+ if (tmp != NULL) {
+ if (strcasecmp(tmp, CONFDB_DOMAIN_TYPE_POSIX) == 0) {
+ domain->type = DOM_TYPE_POSIX;
+ } else if (strcasecmp(tmp, CONFDB_DOMAIN_TYPE_APP) == 0) {
+ domain->type = DOM_TYPE_APPLICATION;
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value %s for [%s]\n", tmp, CONFDB_DOMAIN_TYPE);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ ret = get_entry_as_uint32(res->msgs[0], &domain->subdomain_refresh_interval,
+ CONFDB_DOMAIN_SUBDOMAIN_REFRESH,
+ CONFDB_DOMAIN_SUBDOMAIN_REFRESH_DEFAULT_VALUE);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Invalid value for [%s]\n", CONFDB_DOMAIN_SUBDOMAIN_REFRESH);
+ goto done;
+ } else if (domain->subdomain_refresh_interval == 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Invalid value for [%s]. Setting up the default value: %d\n",
+ CONFDB_DOMAIN_SUBDOMAIN_REFRESH,
+ CONFDB_DOMAIN_SUBDOMAIN_REFRESH_DEFAULT_VALUE);
+
+ domain->subdomain_refresh_interval =
+ CONFDB_DOMAIN_SUBDOMAIN_REFRESH_DEFAULT_VALUE;
+ }
+
+ ret = init_cached_auth_timeout(cdb, res->msgs[0],
+ &domain->cached_auth_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "init_cached_auth_timeout failed: %s:[%d].\n",
+ sss_strerror(ret), ret);
+ goto done;
+ }
+
+ domain->has_views = false;
+ domain->view_name = NULL;
+
+ domain->state = DOM_ACTIVE;
+
+ *_domain = domain;
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int confdb_get_domains(struct confdb_ctx *cdb,
+ struct sss_domain_info **domains)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sss_domain_info *domain = NULL;
+ char **domlist;
+ int ret, i;
+
+ if (cdb->doms) {
+ *domains = cdb->doms;
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = confdb_get_string_as_list(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ &domlist);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured, fatal error!\n");
+ goto done;
+ }
+ if (ret != EOK ) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n");
+ goto done;
+ }
+
+ for (i = 0; domlist[i]; i++) {
+ /* check if domain name is really unique */
+ DLIST_FOR_EACH(domain, cdb->doms) {
+ if (strcasecmp(domain->name, domlist[i]) == 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ SAME_DOMAINS_ERROR_MSG, domlist[i], domain->name);
+ sss_log(SSS_LOG_CRIT,
+ SAME_DOMAINS_ERROR_MSG, domlist[i], domain->name);
+
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ domain = NULL;
+ ret = confdb_get_domain_internal(cdb, cdb, domlist[i], &domain);
+ if (ret) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Error (%d [%s]) retrieving domain [%s], skipping!\n",
+ ret, sss_strerror(ret), domlist[i]);
+ continue;
+ }
+
+ DLIST_ADD_END(cdb->doms, domain, struct sss_domain_info *);
+ }
+
+ if (cdb->doms == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "No properly configured domains, fatal error!\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ *domains = cdb->doms;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int confdb_get_domain(struct confdb_ctx *cdb,
+ const char *name,
+ struct sss_domain_info **_domain)
+{
+ struct sss_domain_info *dom, *doms;
+ int ret;
+
+ ret = confdb_get_domains(cdb, &doms);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ for (dom = doms; dom; dom = get_next_domain(dom, 0)) {
+ if (strcasecmp(dom->name, name) == 0) {
+ *_domain = dom;
+ return EOK;
+ }
+ }
+
+ return ENOENT;
+}
+
+int confdb_list_all_domain_names(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ char ***_names)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_dn *dn = NULL;
+ struct ldb_result *res = NULL;
+ static const char *attrs[] = {CONFDB_DOMAIN_ATTR, NULL};
+ const char *name = NULL;
+ char **names = NULL;
+ int i;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ names = talloc_zero_array(tmp_ctx, char*, res->count + 1);
+ if (names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < res->count; i++) {
+ name = ldb_msg_find_attr_as_string(res->msgs[i], CONFDB_DOMAIN_ATTR,
+ NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The object [%s] doesn't have a name\n",
+ ldb_dn_get_linearized(res->msgs[i]->dn));
+ ret = EINVAL;
+ goto done;
+ }
+
+ names[i] = talloc_strdup(names, name);
+ if (names[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *_names = talloc_steal(mem_ctx, names);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int confdb_get_sub_sections(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ const char *section,
+ char ***sections,
+ int *num_sections)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *secdn;
+ struct ldb_dn *base = NULL;
+ struct ldb_result *res = NULL;
+ static const char *attrs[] = {"cn", NULL};
+ char **names;
+ int base_comp_num;
+ int num;
+ int i;
+ int ret;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = parse_section(tmp_ctx, section, &secdn, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ base = ldb_dn_new(tmp_ctx, cdb->ldb, secdn);
+ if (base == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ base_comp_num = ldb_dn_get_comp_num(base);
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, base, LDB_SCOPE_SUBTREE,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ names = talloc_zero_array(tmp_ctx, char *, res->count + 1);
+ if (names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (num = 0, i = 0; i < res->count; i++) {
+ const struct ldb_val *val;
+ char *name;
+ int n;
+ int j;
+
+ n = ldb_dn_get_comp_num(res->msgs[i]->dn);
+ if (n == base_comp_num) continue;
+
+ name = NULL;
+ for (j = n - base_comp_num - 1; j >= 0; j--) {
+ val = ldb_dn_get_component_val(res->msgs[i]->dn, j);
+ if (name == NULL) {
+ name = talloc_strndup(names,
+ (const char *)val->data, val->length);
+ } else {
+ name = talloc_asprintf(names, "%s/%.*s", name,
+ (int)val->length,
+ (const char *)val->data);
+ }
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ names[num] = name;
+ if (names[num] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ num++;
+ }
+
+ *sections = talloc_steal(mem_ctx, names);
+ *num_sections = num;
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static bool need_implicit_files_domain(TALLOC_CTX *tmp_ctx,
+ struct confdb_ctx *cdb,
+ struct ldb_result *doms)
+{
+ const char *id_provider = NULL;
+ unsigned int i;
+ errno_t ret;
+ char **domlist;
+ const char *val;
+
+ ret = confdb_get_string_as_list(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ &domlist);
+ if (ret == ENOENT) {
+ return true;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot get active domains %d[%s]\n",
+ ret, sss_strerror(ret));
+ return false;
+ }
+
+ for (i = 0; i < doms->count; i++) {
+ val = ldb_msg_find_attr_as_string(doms->msgs[i], CONFDB_DOMAIN_ATTR,
+ NULL);
+ if (val == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "The object [%s] doesn't have a name\n",
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
+ continue;
+ }
+
+ /* skip disabled domain */
+ if (!string_in_list(val, domlist, false)) {
+ continue;
+ }
+
+ id_provider = ldb_msg_find_attr_as_string(doms->msgs[i],
+ CONFDB_DOMAIN_ID_PROVIDER,
+ NULL);
+ if (id_provider == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The object [%s] doesn't have an id_provider\n",
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
+ continue;
+ }
+
+ if (strcasecmp(id_provider, "files") == 0) {
+ return false;
+ }
+
+ if (strcasecmp(id_provider, "proxy") == 0) {
+ val = ldb_msg_find_attr_as_string(doms->msgs[i],
+ CONFDB_PROXY_LIBNAME, NULL);
+ if (val == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The object [%s] doesn't have proxy_lib_name with "
+ "id_provider proxy\n",
+ ldb_dn_get_linearized(doms->msgs[i]->dn));
+ continue;
+ }
+
+ /* id_provider = proxy + proxy_lib_name = files are equivalent
+ * to id_provider = files
+ */
+ if (strcmp(val, "files") == 0) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+static int confdb_has_files_domain(struct confdb_ctx *cdb)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_dn *dn = NULL;
+ struct ldb_result *res = NULL;
+ static const char *attrs[] = { CONFDB_DOMAIN_ID_PROVIDER,
+ CONFDB_DOMAIN_ATTR,
+ CONFDB_PROXY_LIBNAME, NULL };
+ int ret;
+ bool need_files_dom;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ dn = ldb_dn_new(tmp_ctx, cdb->ldb, CONFDB_DOMAIN_BASEDN);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, LDB_SCOPE_ONELEVEL,
+ attrs, NULL);
+ if (ret != LDB_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ need_files_dom = need_implicit_files_domain(tmp_ctx, cdb, res);
+
+ ret = need_files_dom ? ENOENT : EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int create_files_domain(struct confdb_ctx *cdb,
+ const char *name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *cdb_path = NULL;
+ const char *val[2] = { NULL, NULL };
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name);
+ if (cdb_path == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ val[0] = "files";
+ ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int activate_files_domain(struct confdb_ctx *cdb,
+ const char *name)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ char *monitor_domlist;
+ const char *domlist[2] = { NULL, NULL };
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ NULL,
+ &monitor_domlist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n");
+ goto done;
+ }
+
+ if (monitor_domlist != NULL) {
+ domlist[0] = talloc_asprintf(tmp_ctx, "%s,%s", name, monitor_domlist);
+ if (domlist[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ domlist[0] = name;
+ }
+
+ ret = confdb_add_param(cdb, true,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ domlist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot extend the domain list [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int
confdb_ensure_files_domain(struct confdb_ctx *cdb, + const char *implicit_files_dom_name) +{ +#ifdef ADD_FILES_DOMAIN + const bool default_enable_files = true; +#else + const bool default_enable_files = false; +#endif + errno_t ret; + bool enable_files; + + ret = confdb_get_bool(cdb, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ENABLE_FILES_DOM, + default_enable_files, &enable_files); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot get the value of %s assuming %s\n", + CONFDB_MONITOR_ENABLE_FILES_DOM, + default_enable_files ? "true" : "false"); + return ret; + } + + if (enable_files == false) { + DEBUG(SSSDBG_CONF_SETTINGS, "The implicit files domain is disabled\n"); + return EOK; + } + + ret = confdb_has_files_domain(cdb); + if (ret == EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, "The files domain is already enabled\n"); + return EOK; + } else if (ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up the files domain\n"); + return ret; + } + + /* ENOENT, so let's add a files domain */ + ret = create_files_domain(cdb, implicit_files_dom_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add an implicit files domain\n"); + return ret; + } + + return activate_files_domain(cdb, implicit_files_dom_name); +} + +static int confdb_get_parent_domain(TALLOC_CTX *mem_ctx, + const char *name, + struct confdb_ctx *cdb, + struct ldb_result *app_dom, + struct ldb_result **_parent_dom) +{ + const char *inherit_from; + + inherit_from = ldb_msg_find_attr_as_string(app_dom->msgs[0], + CONFDB_DOMAIN_INHERIT_FROM, NULL); + if (inherit_from == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "%s does not inherit from any POSIX domain\n", name); + *_parent_dom = NULL; + return EOK; + } + + return confdb_get_domain_section(mem_ctx, cdb, + CONFDB_DOMAIN_BASEDN, inherit_from, + _parent_dom); +} + +static int confdb_add_app_domain(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *name) +{ + char *cdb_path = NULL; + const char *val[2] = { NULL, NULL }; + int 
ret; + + cdb_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, name); + if (cdb_path == NULL) { + return ENOMEM; + } + + val[0] = CONFDB_DOMAIN_TYPE_APP; + ret = confdb_add_param(cdb, true, cdb_path, CONFDB_DOMAIN_TYPE, val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +static int confdb_merge_parent_domain(const char *name, + struct confdb_ctx *cdb, + struct ldb_result *app_section) +{ + int ret; + int ldb_flag; + struct ldb_result *parent_domain = NULL; + struct ldb_message *replace_msg = NULL; + struct ldb_message *app_msg = NULL; + struct ldb_dn *domain_dn; + struct ldb_message_element *el = NULL; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + domain_dn = ldb_dn_new_fmt(tmp_ctx, + cdb->ldb, + "%s=%s,%s", + CONFDB_DOMAIN_ATTR, + name, + CONFDB_DOMAIN_BASEDN); + if (domain_dn == NULL) { + ret = ENOMEM; + goto done; + } + + /* Copy the parent domain parameters */ + ret = confdb_get_parent_domain(tmp_ctx, name, cdb, + app_section, &parent_domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the parent domain [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (parent_domain != NULL) { + replace_msg = ldb_msg_copy(tmp_ctx, parent_domain->msgs[0]); + if (replace_msg == NULL) { + ret = ENOMEM; + goto done; + } + replace_msg->dn = domain_dn; + + for (unsigned i = 0; i < replace_msg->num_elements; i++) { + replace_msg->elements[i].flags = LDB_FLAG_MOD_ADD; + } + + el = ldb_msg_find_element(replace_msg, "cn"); + if (el != NULL) { + /* Don't add second cn */ + ldb_msg_remove_element(replace_msg, el); + } + + ret = ldb_modify(cdb->ldb, replace_msg); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + DEBUG(SSSDBG_OP_FAILURE, + "Inheriting options from parent domain failed [%d]: %s\n", + ret, 
sss_strerror(ret)); + goto done; + } + } + + /* Finally, add any app-domain specific overrides */ + app_msg = ldb_msg_new(tmp_ctx); + if (app_msg == NULL) { + ret = ENOMEM; + goto done; + } + app_msg->dn = domain_dn; + + for (unsigned i = 0; i < app_section->msgs[0]->num_elements; i++) { + struct ldb_message_element *app_el = &app_section->msgs[0]->elements[i]; + + /* These elements will be skipped when replacing attributes in + * a domain to avoid EEXIST errors + */ + if (strcasecmp(app_el->name, "cn") == 0) { + continue; + } + + if (replace_msg != NULL) { + el = ldb_msg_find_element(replace_msg, + app_section->msgs[0]->elements[i].name); + if (el == NULL) { + /* Adding an element */ + ldb_flag = LDB_FLAG_MOD_ADD; + } else { + /* Overriding an element */ + ldb_flag = LDB_FLAG_MOD_REPLACE; + } + } else { + /* If there was no domain to inherit from, just add all */ + ldb_flag = LDB_FLAG_MOD_ADD; + } + + ret = ldb_msg_add(app_msg, + &app_section->msgs[0]->elements[i], + ldb_flag); + if (ret != LDB_SUCCESS) { + continue; + } + } + + /* We use permissive modification here because adding cn or + * distinguishedName from the app_section to the application + * message would throw EEXIST + */ + ret = sss_ldb_modify_permissive(cdb->ldb, app_msg); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + DEBUG(SSSDBG_OP_FAILURE, + "Adding app-specific options failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Added a domain section for %s\n", name); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +int confdb_expand_app_domains(struct confdb_ctx *cdb) +{ + int ret; + char **domlist; + TALLOC_CTX *tmp_ctx; + struct ldb_result *app_domain = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = confdb_get_string_as_list(cdb, tmp_ctx, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_ACTIVE_DOMAINS, + &domlist); + if (ret == ENOENT) { + DEBUG(SSSDBG_FATAL_FAILURE, "No domains 
configured, fatal error!\n"); + goto done; + } else if (ret != EOK ) { + DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error retrieving domains list!\n"); + goto done; + } + + for (int i = 0; domlist[i]; i++) { + ret = confdb_get_domain_section(tmp_ctx, cdb, + CONFDB_APP_DOMAIN_BASEDN, domlist[i], + &app_domain); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "%s is not an app domain\n", domlist[i]); + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Error %d: %s while retrieving %s\n", + ret, sss_strerror(ret), domlist[i]); + goto done; + } + + ret = confdb_add_app_domain(tmp_ctx, cdb, domlist[i]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot add the app domain section [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = confdb_merge_parent_domain(domlist[i], cdb, app_domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot add options into the app domain section [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h new file mode 100644 index 0000000..8af625f --- /dev/null +++ b/src/confdb/confdb.h 
@@ -0,0 +1,669 @@
+/*
+ SSSD
+
+ SSSD Configuration DB
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _CONF_DB_H
+#define _CONF_DB_H
+
+#include
+#include
+#include
+#include
+#include
+
+#include "config.h"
+
+/**
+ * @defgroup sss_confdb The ConfDB API
+ * The ConfDB is an interface for data providers to
+ * access the configuration information provided in
+ * the sssd.conf
+ * @{
+ */
+
+#define CONFDB_DEFAULT_CFG_FILE_VER 2
+#define CONFDB_FILE "config.ldb"
+#define SSSD_CONFIG_FILE SSSD_CONF_DIR"/sssd.conf"
+#define CONFDB_DEFAULT_CONFIG_DIR SSSD_CONF_DIR"/conf.d"
+#define SSSD_MIN_ID 1
+#define SSSD_LOCAL_MINID 1000
+#define CONFDB_DEFAULT_SHELL_FALLBACK "/bin/sh"
+
+
+/* Configuration options */
+
+/* Services */
+#define CONFDB_SERVICE_PATH_TMPL "config/%s"
+#define CONFDB_SERVICE_COMMAND "command"
+#define CONFDB_SERVICE_DEBUG_LEVEL "debug_level"
+#define CONFDB_SERVICE_DEBUG_LEVEL_ALIAS "debug"
+#define CONFDB_SERVICE_DEBUG_TIMESTAMPS "debug_timestamps"
+#define CONFDB_SERVICE_DEBUG_MICROSECONDS "debug_microseconds"
+#define CONFDB_SERVICE_DEBUG_TO_FILES "debug_to_files"
+#define CONFDB_SERVICE_RECON_RETRIES "reconnection_retries"
+#define CONFDB_SERVICE_FD_LIMIT "fd_limit"
+#define CONFDB_SERVICE_ALLOWED_UIDS "allowed_uids"
+
+/* Monitor */
+#define CONFDB_MONITOR_CONF_ENTRY "config/sssd"
+#define CONFDB_MONITOR_SBUS_TIMEOUT "sbus_timeout"
+#define CONFDB_MONITOR_ACTIVE_SERVICES "services"
+#define CONFDB_MONITOR_ACTIVE_DOMAINS "domains"
+#define CONFDB_MONITOR_TRY_INOTIFY "try_inotify"
+#define CONFDB_MONITOR_KRB5_RCACHEDIR "krb5_rcache_dir"
+#define CONFDB_MONITOR_DEFAULT_DOMAIN "default_domain_suffix"
+#define CONFDB_MONITOR_OVERRIDE_SPACE "override_space"
+#define CONFDB_MONITOR_USER_RUNAS "user"
+#define CONFDB_MONITOR_CERT_VERIFICATION "certificate_verification"
+#define CONFDB_MONITOR_DISABLE_NETLINK "disable_netlink"
+#define CONFDB_MONITOR_ENABLE_FILES_DOM "enable_files_domain"
+#define CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER "domain_resolution_order"
+
+/* Both monitor and domains */
+#define CONFDB_NAME_REGEX "re_expression"
+#define CONFDB_FULL_NAME_FORMAT "full_name_format"
+#define CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL "%1$s@%2$s%3$s"
+#define CONFDB_DEFAULT_FULL_NAME_FORMAT "%1$s@%2$s"
+
+/* Responders */
+#define CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT "get_domains_timeout"
+#define CONFDB_RESPONDER_CLI_IDLE_TIMEOUT "client_idle_timeout"
+#define CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT 60
+#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT "local_negative_timeout"
+#define CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT 14400
+#define CONFDB_RESPONDER_IDLE_TIMEOUT "responder_idle_timeout"
+#define CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT 300
+#define CONFDB_RESPONDER_CACHE_FIRST "cache_first"
+
+/* NSS */
+#define CONFDB_NSS_CONF_ENTRY "config/nss"
+#define CONFDB_NSS_ENUM_CACHE_TIMEOUT "enum_cache_timeout"
+#define CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE "entry_cache_nowait_percentage"
+#define CONFDB_NSS_ENTRY_NEG_TIMEOUT "entry_negative_timeout"
+#define CONFDB_NSS_FILTER_USERS_IN_GROUPS "filter_users_in_groups"
+#define CONFDB_NSS_FILTER_USERS "filter_users"
+#define CONFDB_NSS_FILTER_GROUPS "filter_groups"
+#define CONFDB_NSS_PWFIELD "pwfield"
+#define CONFDB_NSS_OVERRIDE_HOMEDIR "override_homedir"
+#define CONFDB_NSS_FALLBACK_HOMEDIR "fallback_homedir"
+#define CONFDB_NSS_OVERRIDE_SHELL "override_shell"
+#define CONFDB_NSS_VETOED_SHELL "vetoed_shells"
+#define CONFDB_NSS_ALLOWED_SHELL "allowed_shells"
+#define CONFDB_NSS_SHELL_FALLBACK "shell_fallback"
+#define CONFDB_NSS_DEFAULT_SHELL "default_shell"
+#define CONFDB_MEMCACHE_TIMEOUT "memcache_timeout"
+#define CONFDB_NSS_HOMEDIR_SUBSTRING "homedir_substring"
+#define CONFDB_DEFAULT_HOMEDIR_SUBSTRING "/home"
+
+/* PAM */
+#define CONFDB_PAM_CONF_ENTRY "config/pam"
+#define CONFDB_PAM_CRED_TIMEOUT "offline_credentials_expiration"
+#define CONFDB_PAM_FAILED_LOGIN_ATTEMPTS "offline_failed_login_attempts"
+#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_ATTEMPTS 0
+#define CONFDB_PAM_FAILED_LOGIN_DELAY "offline_failed_login_delay"
+#define CONFDB_DEFAULT_PAM_FAILED_LOGIN_DELAY 5
+#define CONFDB_PAM_VERBOSITY "pam_verbosity"
+#define CONFDB_PAM_RESPONSE_FILTER "pam_response_filter"
+#define CONFDB_PAM_ID_TIMEOUT "pam_id_timeout"
+#define CONFDB_PAM_PWD_EXPIRATION_WARNING "pam_pwd_expiration_warning"
+#define CONFDB_PAM_TRUSTED_USERS "pam_trusted_users"
+#define CONFDB_PAM_PUBLIC_DOMAINS "pam_public_domains"
+#define CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE "pam_account_expired_message"
+#define CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE "pam_account_locked_message"
+#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
+#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
+#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+#define CONFDB_PAM_APP_SERVICES "pam_app_services"
+
+/* SUDO */
+#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
+#define CONFDB_SUDO_CACHE_TIMEOUT "sudo_cache_timeout"
+#define CONFDB_DEFAULT_SUDO_CACHE_TIMEOUT 180
+#define CONFDB_SUDO_TIMED "sudo_timed"
+#define CONFDB_DEFAULT_SUDO_TIMED false
+#define CONFDB_SUDO_INVERSE_ORDER "sudo_inverse_order"
+#define CONFDB_DEFAULT_SUDO_INVERSE_ORDER false
+#define CONFDB_SUDO_THRESHOLD "sudo_threshold"
+#define CONFDB_DEFAULT_SUDO_THRESHOLD 50
+
+/* autofs */
+#define CONFDB_AUTOFS_CONF_ENTRY "config/autofs"
+#define CONFDB_AUTOFS_MAP_NEG_TIMEOUT "autofs_negative_timeout"
+
+/* SSH */
+#define CONFDB_SSH_CONF_ENTRY "config/ssh"
+#define CONFDB_SSH_HASH_KNOWN_HOSTS "ssh_hash_known_hosts"
+#define CONFDB_DEFAULT_SSH_HASH_KNOWN_HOSTS true
+#define CONFDB_SSH_KNOWN_HOSTS_TIMEOUT "ssh_known_hosts_timeout"
+#define CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT 180
+#define CONFDB_SSH_CA_DB "ca_db"
+#ifdef HAVE_NSS
+#define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/pki/nssdb"
+#else
+#define CONFDB_DEFAULT_SSH_CA_DB SYSCONFDIR"/sssd/pki/sssd_auth_ca_db.pem"
+#endif
+#define CONFDB_SSH_USE_CERT_KEYS "ssh_use_certificate_keys"
+#define CONFDB_DEFAULT_SSH_USE_CERT_KEYS true
+
+/* PAC */
+#define CONFDB_PAC_CONF_ENTRY "config/pac"
+#define CONFDB_PAC_LIFETIME "pac_lifetime"
+
+/* InfoPipe */
+#define CONFDB_IFP_CONF_ENTRY "config/ifp"
+#define CONFDB_IFP_USER_ATTR_LIST "user_attributes"
+#define CONFDB_IFP_WILDCARD_LIMIT "wildcard_limit"
+
+/* Session Recording */
+#define CONFDB_SESSION_RECORDING_CONF_ENTRY "config/session_recording"
+#define CONFDB_SESSION_RECORDING_SCOPE "scope"
+#define CONFDB_SESSION_RECORDING_USERS "users"
+#define CONFDB_SESSION_RECORDING_GROUPS "groups"
+
+/* Domains */
+#define CONFDB_DOMAIN_PATH_TMPL "config/domain/%s"
+#define CONFDB_DOMAIN_BASEDN "cn=domain,cn=config"
+#define CONFDB_APP_DOMAIN_BASEDN "cn=application,cn=config"
+#define CONFDB_DOMAIN_ID_PROVIDER "id_provider"
+#define CONFDB_DOMAIN_AUTH_PROVIDER "auth_provider"
+#define CONFDB_DOMAIN_ACCESS_PROVIDER "access_provider"
+#define CONFDB_DOMAIN_CHPASS_PROVIDER "chpass_provider"
+#define CONFDB_DOMAIN_SUDO_PROVIDER "sudo_provider"
+#define CONFDB_DOMAIN_AUTOFS_PROVIDER "autofs_provider"
+#define CONFDB_DOMAIN_SELINUX_PROVIDER "selinux_provider"
+#define CONFDB_DOMAIN_HOSTID_PROVIDER "hostid_provider"
+#define CONFDB_DOMAIN_SUBDOMAINS_PROVIDER "subdomains_provider"
+#define CONFDB_DOMAIN_SESSION_PROVIDER "session_provider"
+#define CONFDB_DOMAIN_COMMAND "command"
+#define CONFDB_DOMAIN_TIMEOUT "timeout"
+#define CONFDB_DOMAIN_ATTR "cn"
+#define CONFDB_DOMAIN_ENUMERATE "enumerate"
+#define CONFDB_SUBDOMAIN_ENUMERATE "subdomain_enumerate"
+#define CONFDB_DEFAULT_SUBDOMAIN_ENUMERATE "none"
+#define CONFDB_DOMAIN_MINID "min_id"
+#define CONFDB_DOMAIN_MAXID "max_id"
+#define CONFDB_DOMAIN_CACHE_CREDS "cache_credentials"
+#define CONFDB_DOMAIN_CACHE_CREDS_MIN_FF_LENGTH \
+ "cache_credentials_minimal_first_factor_length"
+#define CONFDB_DEFAULT_CACHE_CREDS_MIN_FF_LENGTH 8
+#define CONFDB_DOMAIN_LEGACY_PASS "store_legacy_passwords"
+#define CONFDB_DOMAIN_AUTO_UPG "auto_private_groups"
+#define CONFDB_DOMAIN_FQ "use_fully_qualified_names"
+#define CONFDB_DOMAIN_ENTRY_CACHE_TIMEOUT "entry_cache_timeout"
+#define CONFDB_DOMAIN_ACCOUNT_CACHE_EXPIRATION "account_cache_expiration"
+#define CONFDB_DOMAIN_OVERRIDE_GID "override_gid"
+#define CONFDB_DOMAIN_CASE_SENSITIVE "case_sensitive"
+#define CONFDB_DOMAIN_SUBDOMAIN_HOMEDIR "subdomain_homedir"
+#define CONFDB_DOMAIN_DEFAULT_SUBDOMAIN_HOMEDIR "/home/%d/%u"
+#define CONFDB_DOMAIN_IGNORE_GROUP_MEMBERS "ignore_group_members"
+#define CONFDB_DOMAIN_SUBDOMAIN_REFRESH "subdomain_refresh_interval"
+#define CONFDB_DOMAIN_SUBDOMAIN_REFRESH_DEFAULT_VALUE 14400
+
+#define CONFDB_DOMAIN_USER_CACHE_TIMEOUT "entry_cache_user_timeout"
+#define CONFDB_DOMAIN_GROUP_CACHE_TIMEOUT "entry_cache_group_timeout"
+#define CONFDB_DOMAIN_NETGROUP_CACHE_TIMEOUT "entry_cache_netgroup_timeout"
+#define CONFDB_DOMAIN_SERVICE_CACHE_TIMEOUT "entry_cache_service_timeout"
+#define CONFDB_DOMAIN_AUTOFS_CACHE_TIMEOUT "entry_cache_autofs_timeout"
+#define CONFDB_DOMAIN_SUDO_CACHE_TIMEOUT "entry_cache_sudo_timeout"
+#define CONFDB_DOMAIN_SSH_HOST_CACHE_TIMEOUT "entry_cache_ssh_host_timeout"
+#define CONFDB_DOMAIN_PWD_EXPIRATION_WARNING "pwd_expiration_warning"
+#define CONFDB_DOMAIN_REFRESH_EXPIRED_INTERVAL "refresh_expired_interval"
+#define CONFDB_DOMAIN_OFFLINE_TIMEOUT "offline_timeout"
+#define CONFDB_DOMAIN_SUBDOMAIN_INHERIT "subdomain_inherit"
+#define CONFDB_DOMAIN_CACHED_AUTH_TIMEOUT "cached_auth_timeout"
+#define CONFDB_DOMAIN_TYPE "domain_type"
+#define CONFDB_DOMAIN_TYPE_POSIX "posix"
+#define CONFDB_DOMAIN_TYPE_APP "application"
+#define CONFDB_DOMAIN_INHERIT_FROM "inherit_from"
+
+/* Local Provider */
+#define CONFDB_LOCAL_DEFAULT_SHELL "default_shell"
+#define CONFDB_LOCAL_DEFAULT_BASEDIR "base_directory"
+#define CONFDB_LOCAL_CREATE_HOMEDIR "create_homedir"
+#define CONFDB_LOCAL_REMOVE_HOMEDIR "remove_homedir"
+#define CONFDB_LOCAL_UMASK "homedir_umask"
+#define CONFDB_LOCAL_SKEL_DIR "skel_dir"
+#define CONFDB_LOCAL_MAIL_DIR "mail_dir"
+#define CONFDB_LOCAL_USERDEL_CMD "userdel_cmd"
+
+/* Proxy Provider */
+#define CONFDB_PROXY_LIBNAME "proxy_lib_name"
+#define CONFDB_PROXY_PAM_TARGET "proxy_pam_target"
+#define CONFDB_PROXY_FAST_ALIAS "proxy_fast_alias"
+#define CONFDB_PROXY_MAX_CHILDREN "proxy_max_children"
+
+/* Files Provider */
+#define CONFDB_FILES_PASSWD "passwd_files"
+#define CONFDB_FILES_GROUP "group_files"
+
+/* Secrets Service */
+#define CONFDB_SEC_CONF_ENTRY "config/secrets"
+#define CONFDB_SEC_CONTAINERS_NEST_LEVEL "containers_nest_level"
+#define CONFDB_SEC_MAX_SECRETS "max_secrets"
+#define CONFDB_SEC_MAX_UID_SECRETS "max_uid_secrets"
+#define CONFDB_SEC_MAX_PAYLOAD_SIZE "max_payload_size"
+
+/* KCM Service */
+#define CONFDB_KCM_CONF_ENTRY "config/kcm"
+#define CONFDB_KCM_SOCKET "socket_path"
+#define CONFDB_KCM_DB "ccache_storage" /* Undocumented on purpose */
+
+struct confdb_ctx;
+struct config_file_ctx;
+
+/** sssd domain state */
+enum sss_domain_state {
+ /** Domain is usable by both responders and providers. This
+ * is the default state after creating a new domain
+ */
+ DOM_ACTIVE,
+ /** Domain was removed, should not be used be neither responders
+ * not providers.
+ */
+ DOM_DISABLED,
+ /** Domain cannot be contacted. Providers return an offline error code
+ * when receiving request for inactive domain, but responders should
+ * return cached data
+ */
+ DOM_INACTIVE,
+ /** Domain is being updated. Responders should ignore cached data and
+ * always contact the DP
+ */
+ DOM_INCONSISTENT,
+};
+
+/** Whether the domain only supports looking up POSIX entries */
+enum sss_domain_type {
+ /** This is the default domain type. It resolves only entries
+ * with the full POSIX set of attributes
+ */
+ DOM_TYPE_POSIX,
+ /** In this mode, entries are typically resolved only by name */
+ DOM_TYPE_APPLICATION,
+};
+
+/**
+ * Data structure storing all of the basic features
+ * of a domain.
+ */
+struct sss_domain_info {
+ enum sss_domain_type type;
+
+ char *name;
+ char *conn_name;
+ char *provider;
+ int timeout;
+ bool enumerate;
+ char **sd_enumerate;
+ bool fqnames;
+ bool mpg;
+ bool ignore_group_members;
+ uint32_t id_min;
+ uint32_t id_max;
+ const char *pwfield;
+
+ bool cache_credentials;
+ uint32_t cache_credentials_min_ff_length;
+ bool legacy_passwords;
+ bool case_sensitive;
+ bool case_preserve;
+
+ gid_t override_gid;
+ const char *override_homedir;
+ const char *fallback_homedir;
+ const char *subdomain_homedir;
+ const char *homedir_substr;
+ const char *override_shell;
+ const char *default_shell;
+
+ uint32_t user_timeout;
+ uint32_t group_timeout;
+ uint32_t netgroup_timeout;
+ uint32_t service_timeout;
+ uint32_t autofsmap_timeout;
+ uint32_t sudo_timeout;
+ uint32_t ssh_host_timeout;
+
+ uint32_t refresh_expired_interval;
+ uint32_t subdomain_refresh_interval;
+ uint32_t cached_auth_timeout;
+
+ int pwd_expiration_warning;
+
+ struct sysdb_ctx *sysdb;
+ struct sss_names_ctx *names;
+
+ struct sss_domain_info *parent;
+ struct sss_domain_info *subdomains;
+ char *realm;
+ char *flat_name;
+ char *domain_id;
+ uint32_t trust_direction;
+ struct timeval subdomains_last_checked;
+
+ bool has_views;
+ const char *view_name;
+
+ struct sss_domain_info *prev;
+ struct sss_domain_info *next;
+
+ enum sss_domain_state state;
+ char **sd_inherit;
+
+ /* Do not use the forest pointer directly in new code, but rather the
+ * forest_root pointer. sss_domain_info will be more opaque in the future
+ */
+ char *forest;
+ struct sss_domain_info *forest_root;
+ const char **upn_suffixes;
+
+ struct certmap_info **certmaps;
+ bool user_name_hint;
+
+ /* Do not use the _output_fqnames property directly in new code, but rather
+ * use sss_domain_info_{get,set}_output_fqnames(). */
+ bool output_fqnames;
+};
+
+/**
+ * Initialize the connection to the ConfDB
+ *
+ * @param[in] mem_ctx The parent memory context for the confdb_ctx
+ * @param[out] cdb_ctx The newly-created connection object
+ * @param[in] confdb_location The absolute path to the ConfDB file on the
+ * filesystem
+ *
+ * @return 0 - Connection succeeded and cdb_ctx was populated
+ * @return ENOMEM - There was not enough memory to create the cdb_ctx
+ * @return EIO - There was an I/O error communicating with the ConfDB file
+ */
+int confdb_init(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx **cdb_ctx,
+ const char *confdb_location);
+
+/**
+ * Get a domain object for the named domain
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] name The name of the domain to retrieve
+ * @param[out] domain A pointer to a domain object for the domain given by
+ * name
+ *
+ * @return 0 - Lookup succeeded and domain was populated
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return ENOENT - The named domain does not exist or is not set active
+ */
+int confdb_get_domain(struct confdb_ctx *cdb,
+ const char *name,
+ struct sss_domain_info **domain);
+
+/**
+ * Get a null-terminated linked-list of active domain objects
+ * @param[in] cdb The connection object to the confdb
+ * @param[out] domains A pointer to the first entry of a linked-list of domain
+ * objects
+ *
+ * @return 0 - Lookup succeeded and all active domains are in the list
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return ENOENT - No active domains are configured
+ */
+int confdb_get_domains(struct confdb_ctx *cdb,
+ struct sss_domain_info **domains);
+
+int confdb_ensure_files_domain(struct confdb_ctx *cdb,
+ const char *implicit_files_dom_name);
+
+int confdb_expand_app_domains(struct confdb_ctx *cdb);
+
+/**
+ * Get a null-terminated linked-list of all domain names
+ * @param[in] mem_ctx The parent memory context for the value list
+ * @param[in] cdb The connection object to the confdb
+ * @param[out] _names Output list
+ *
+ * @return 0 - Lookup succeeded and all domain names are in the list
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return ENOENT - No active domains are configured
+ * @return EIO - There was an I/O error communicating with the ConfDB file
+ * @return EINVAL - Corrupted confdb object
+ */
+int confdb_list_all_domain_names(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ char ***_names);
+
+
+/**
+ * @brief Add an arbitrary parameter to the confdb.
+ *
+ * This is mostly useful
+ * for testing, as they will not persist between SSSD restarts. For
+ * persistence, make changes to the sssd.conf file.
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] replace If replace is set to true, pre-existing values will be
+ * overwritten.
+ * If it is false, the provided values will be added to the
+ * attribute.
+ * @param[in] section The ConfDB section to update. This is constructed from
+ * the format of the sssd.conf file. All sections start
+ * with 'config/'. Subsections are separated by slashes.
+ * e.g. [domain/LDAP] in sssd.conf would translate to
+ * config/domain/LDAP
+ * @param[in] attribute The name of the attribute to update
+ * @param[in] values A null-terminated array of values to add to the attribute
+ *
+ * @return 0 - Successfully added the provided value(s)
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return EINVAL - The section could not be parsed
+ * @return EIO - An I/O error occurred communicating with the ConfDB
+ */
+int confdb_add_param(struct confdb_ctx *cdb,
+ bool replace,
+ const char *section,
+ const char *attribute,
+ const char **values);
+
+/**
+ * @brief Retrieve all values for an attribute
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] mem_ctx The parent memory context for the value list
+ * @param[in] section The ConfDB section to update. This is constructed from
+ * the format of the sssd.conf file. All sections start
+ * with 'config/'. Subsections are separated by slashes.
+ * e.g. [domain/LDAP] in sssd.conf would translate to
+ * config/domain/LDAP
+ * @param[in] attribute The name of the attribute to update
+ * @param[out] values A null-terminated array of cstrings containing all
+ * values for this attribute
+ *
+ * @return 0 - Successfully retrieved the value(s)
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return EINVAL - The section could not be parsed
+ * @return EIO - An I/O error occurred while communicating with the ConfDB
+ */
+int confdb_get_param(struct confdb_ctx *cdb,
+ TALLOC_CTX *mem_ctx,
+ const char *section,
+ const char *attribute,
+ char ***values);
+
+/**
+ * @brief Convenience function to retrieve a single-valued attribute as a
+ * string
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] ctx The parent memory context for the returned string
+ * @param[in] section The ConfDB section to update. This is constructed from
+ * the format of the sssd.conf file. All sections start
+ * with 'config/'. Subsections are separated by slashes.
+ * e.g. [domain/LDAP] in sssd.conf would translate to
+ * config/domain/LDAP
+ * @param[in] attribute The name of the attribute to update
+ * @param[in] defstr If not NULL, the string to use if the attribute does not
+ * exist in the ConfDB
+ * @param[out] result A pointer to the retrieved (or default) string
+ *
+ * @return 0 - Successfully retrieved the entry (or used the default)
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return EINVAL - The section could not be parsed, or the attribute was not
+ * single-valued.
+ * @return EIO - An I/O error occurred while communicating with the ConfDB
+ */
+int confdb_get_string(struct confdb_ctx *cdb, TALLOC_CTX *ctx,
+ const char *section, const char *attribute,
+ const char *defstr, char **result);
+
+/**
+ * @brief Convenience function to retrieve a single-valued attribute as an
+ * integer
+ *
+ * @param[in] cdb The connection object to the confdb
+ * @param[in] section The ConfDB section to update. This is constructed from
+ * the format of the sssd.conf file. All sections start
+ * with 'config/'. Subsections are separated by slashes.
+ * e.g. [domain/LDAP] in sssd.conf would translate to
+ * config/domain/LDAP
+ * @param[in] attribute The name of the attribute to update
+ * @param[in] defval If not NULL, the integer to use if the attribute does not
+ * exist in the ConfDB
+ * @param[out] result A pointer to the retrieved (or default) integer
+ *
+ * @return 0 - Successfully retrieved the entry (or used the default)
+ * @return ENOMEM - There was insufficient memory to complete the operation
+ * @return EINVAL - The section could not be parsed, or the attribute was not
+ * single-valued.
+ * @return EIO - An I/O error occurred while communicating with the ConfDB + * @return ERANGE - The value stored in the ConfDB was outside the range + * [INT_MIN..INT_MAX] + */ +int confdb_get_int(struct confdb_ctx *cdb, + const char *section, const char *attribute, + int defval, int *result); + +/** + * @brief Convenience function to retrieve a single-valued attribute as a + * boolean + * + * This function will read (in a case-insensitive manner) a "true" or "false" + * value from the ConfDB and convert it to an integral bool value. + * + * @param[in] cdb The connection object to the confdb + * @param[in] section The ConfDB section to update. This is constructed from + * the format of the sssd.conf file. All sections start + * with 'config/'. Subsections are separated by slashes. + * e.g. [domain/LDAP] in sssd.conf would translate to + * config/domain/LDAP + * @param[in] attribute The name of the attribute to update + * @param[in] defval If not NULL, the boolean state to use if the attribute + * does not exist in the ConfDB + * @param[out] result A pointer to the retrieved (or default) bool + * + * @return 0 - Successfully retrieved the entry (or used the default) + * @return ENOMEM - There was insufficient memory to complete the operation + * @return EINVAL - The section could not be parsed, the attribute was not + * single-valued, or the value was not a boolean. + * @return EIO - An I/O error occurred while communicating with the ConfDB + */ +int confdb_get_bool(struct confdb_ctx *cdb, + const char *section, const char *attribute, + bool defval, bool *result); + +/** + * @brief Convenience function to set a single-valued attribute as a string + * + * @param[in] cdb The connection object to the confdb + * @param[in] section The ConfDB section to update. This is constructed from + * the format of the sssd.conf file. All sections start + * with 'config/'. Subsections are separated by slashes. + * e.g. 
[domain/LDAP] in sssd.conf would translate to + * config/domain/LDAP + * @param[in] attribute The name of the attribute to update + * @param[in] val New value of the attribute. + * + * @return 0 - Successfully retrieved the entry (or used the default) + * @return ENOMEM - There was insufficient memory to complete the operation + * @return EINVAL - The section could not be parsed + * @return EIO - An I/O error occurred while communicating with the ConfDB + */ +int confdb_set_string(struct confdb_ctx *cdb, + const char *section, + const char *attribute, + const char *val); + +/** + * @brief Convenience function to retrieve a single-valued attribute as a + * null-terminated array of strings + * + * This function will automatically split a comma-separated string in an + * attribute into a null-terminated array of strings. This is useful for + * storing and retrieving ordered lists, as ConfDB multivalued attributes do + * not guarantee retrieval order. + * + * @param[in] cdb The connection object to the confdb + * @param[in] ctx The parent memory context for the returned string + * @param[in] section The ConfDB section to update. This is constructed from + * the format of the sssd.conf file. All sections start + * with 'config/'. Subsections are separated by slashes. + * e.g. [domain/LDAP] in sssd.conf would translate to + * config/domain/LDAP + * @param[in] attribute The name of the attribute to update + * @param[out] result A pointer to the retrieved array of strings + * + * @return 0 - Successfully retrieved the entry (or used the default) + * @return ENOMEM - There was insufficient memory to complete the operation + * @return EINVAL - The section could not be parsed, or the attribute was not + * single-valued. + * @return ENOENT - The attribute was not found. 
+ * @return EIO - An I/O error occurred while communicating with the ConfDB + */ +int confdb_get_string_as_list(struct confdb_ctx *cdb, TALLOC_CTX *ctx, + const char *section, const char *attribute, + char ***result); + +/** + * @brief Convenience function to retrieve a list of subsections given a + * configuration section name + * + * @param[in] mem_ctx The parent memory context for the returned list + * @param[in] cdb The connection object to the confdb + * @param[in] section The ConfDB section to look for. + * All sections should start with 'config/'. + * Subsections are separated by slashes. + * @param[out] sections Names of the subsections relative to the section + * requested. If "a/b" is requested then "c/d" is + * returned for the section named [a/b/c/d] + * @param[out] num_sections Number of section names returned + * + * @return 0 - Successfully retrieved the entry (or used the default) + * @return ENOMEM - There was insufficient memory to complete the operation + * @return EINVAL - The section could not be parsed. + * @return ENOENT - No section was found. + * @return EIO - An I/O error occurred while communicating with the ConfDB + */ +int confdb_get_sub_sections(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *section, + char ***sections, + int *num_sections); +/** + * @} + */ +#endif diff --git a/src/confdb/confdb_private.h b/src/confdb/confdb_private.h new file mode 100644 index 0000000..1bab99c --- /dev/null +++ b/src/confdb/confdb_private.h 
@@ -0,0 +1,35 @@
+/*
+ SSSD
+
+ Configuration Database
+
+ Copyright (C) Stephen Gallagher 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef CONFDB_PRIVATE_H_
+#define CONFDB_PRIVATE_H_
+
+struct confdb_ctx {
+ struct tevent_context *pev;
+ struct ldb_context *ldb;
+
+ struct sss_domain_info *doms;
+};
+
+int parse_section(TALLOC_CTX *mem_ctx, const char *section,
+ char **sec_dn, const char **rdn_name);
+
+#endif /* CONFDB_PRIVATE_H_ */
diff --git a/src/confdb/confdb_setup.c b/src/confdb/confdb_setup.c
new file mode 100644
index 0000000..5e35589
--- /dev/null
+++ b/src/confdb/confdb_setup.c
@@ -0,0 +1,449 @@ +/* + SSSD + + Configuration Database + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include +#include "util/util.h" +#include "db/sysdb.h" +#include "confdb.h" +#include "confdb_private.h" +#include "confdb_setup.h" +#include "util/sss_ini.h" + +#ifndef SSSD_FALLBACK_CONFIG_LDIF +#define SSSD_FALLBACK_CONFIG_LDIF \ +"dn: cn=config\n" \ +"version: 2\n\n" \ +"dn: cn=sssd,cn=config\n" \ +"cn: sssd\n" \ +"enable_files_domain: true\n" \ +"services: nss\n\n" +#endif /* SSSD_FALLBACK_CONFIG_LDIF */ + +static int confdb_test(struct confdb_ctx *cdb) +{ + char **values; + int ret; + + ret = confdb_get_param(cdb, cdb, + "config", + "version", + &values); + if (ret != EOK) { + return ret; + } + + if (values[0] == NULL) { + /* empty database, will need to init */ + talloc_free(values); + return ENOENT; + } + + if (values[1] != NULL) { + /* more than 1 value?? */ + talloc_free(values); + return EIO; + } + + if (strcmp(values[0], CONFDB_VERSION) != 0) { + /* Existing version does not match executable version */ + DEBUG(SSSDBG_CRIT_FAILURE, "Upgrading confdb version from %s to %s\n", + values[0], CONFDB_VERSION); + + /* This is recoverable, since we purge the confdb file + * when we re-initialize it. 
+ */ + talloc_free(values); + return ENOENT; + } + + talloc_free(values); + return EOK; +} + +static int confdb_purge(struct confdb_ctx *cdb) +{ + int ret; + unsigned int i; + TALLOC_CTX *tmp_ctx; + struct ldb_result *res; + struct ldb_dn *dn; + const char *attrs[] = { "dn", NULL }; + + tmp_ctx = talloc_new(NULL); + + dn = ldb_dn_new(tmp_ctx, cdb->ldb, "cn=config"); + + /* Get the list of all DNs */ + ret = ldb_search(cdb->ldb, tmp_ctx, &res, dn, + LDB_SCOPE_SUBTREE, attrs, NULL); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + goto done; + } + + for(i=0; icount; i++) { + /* Delete this DN */ + ret = ldb_delete(cdb->ldb, res->msgs[i]->dn); + if (ret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(ret); + goto done; + } + } + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int confdb_create_base(struct confdb_ctx *cdb) +{ + int ret; + struct ldb_ldif *ldif; + + const char *base_ldif = CONFDB_BASE_LDIF; + + while ((ldif = ldb_ldif_read_string(cdb->ldb, &base_ldif))) { + ret = ldb_add(cdb->ldb, ldif->msg); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to initialize DB (%d,[%s]), aborting!\n", + ret, ldb_errstring(cdb->ldb)); + return EIO; + } + ldb_ldif_read_free(cdb->ldb, ldif); + } + + return EOK; +} + +static int confdb_ldif_from_ini_file(TALLOC_CTX *mem_ctx, + const char *config_file, + const char *config_dir, + struct sss_ini_initdata *init_data, + const char **_timestr, + const char **_ldif) +{ + errno_t ret; + char timestr[21]; + int version; + + ret = sss_ini_config_access_check(init_data); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Permission check on config file failed.\n"); + return EPERM; + } + + ret = sss_ini_get_stat(init_data); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "Status check on config file failed.\n"); + return ret; + } + + errno = 0; + ret = sss_ini_get_mtime(init_data, sizeof(timestr), timestr); + if (ret <= 0 || ret >= (int)sizeof(timestr)) { + 
DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to convert time_t to string??\n"); + ret = errno ? errno : EFAULT; + return ret; + } + + /* FIXME: Determine if the conf file or any snippet has changed + * since we last updated the confdb or if some snippet was + * added or removed. + */ + + ret = sss_ini_get_config(init_data, config_file, config_dir); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to load configuration\n"); + return ret; + } + + ret = sss_ini_call_validators(init_data, + SSSDDATADIR"/cfg_rules.ini"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to call validators\n"); + /* This is not fatal, continue */ + } + + /* Make sure that the config file version matches the confdb version */ + ret = sss_ini_get_cfgobj(init_data, "sssd", "config_file_version"); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Internal error determining config_file_version\n"); + return ret; + } + + ret = sss_ini_check_config_obj(init_data); + if (ret != EOK) { + /* No known version. Use default. */ + DEBUG(SSSDBG_CONF_SETTINGS, + "Value of config_file_version option not found. " + "Assumed to be version %d.\n", CONFDB_DEFAULT_CFG_FILE_VER); + } else { + version = sss_ini_get_int_config_value(init_data, + CONFDB_DEFAULT_CFG_FILE_VER, + -1, &ret); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Config file version could not be determined\n"); + return ret; + } else if (version < CONFDB_VERSION_INT) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Config file is an old version. 
" + "Please run configuration upgrade script.\n"); + return EINVAL; + } else if (version > CONFDB_VERSION_INT) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Config file version is newer than confdb\n"); + return EINVAL; + } + } + + ret = sss_confdb_create_ldif(mem_ctx, init_data, _ldif); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not create LDIF for confdb\n"); + return ret; + } + + *_timestr = talloc_strdup(mem_ctx, timestr); + if (*_timestr == NULL) { + return ENOMEM; + } + + return EOK; +} + +static int confdb_fallback_ldif(TALLOC_CTX *mem_ctx, + const char **_timestr, + const char **_ldif) +{ + *_timestr = talloc_strdup(mem_ctx, "1"); + *_ldif = talloc_strdup(mem_ctx, SSSD_FALLBACK_CONFIG_LDIF); + if (*_timestr == NULL || *_ldif == NULL) { + return ENOMEM; + } + + return EOK; +} + +static int confdb_init_db(const char *config_file, const char *config_dir, + struct confdb_ctx *cdb) +{ + TALLOC_CTX *tmp_ctx; + int ret; + int sret = EOK; + bool in_transaction = false; + const char *timestr = NULL; + const char *config_ldif; + const char *vals[2] = { NULL, NULL }; + struct ldb_ldif *ldif; + struct sss_ini_initdata *init_data; + + tmp_ctx = talloc_new(cdb); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n"); + return ENOMEM; + } + + init_data = sss_ini_initdata_init(tmp_ctx); + if (!init_data) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n"); + ret = ENOMEM; + goto done; + } + + /* Open config file */ + ret = sss_ini_config_file_open(init_data, config_file); + if (ret == EOK) { + ret = confdb_ldif_from_ini_file(tmp_ctx, + config_file, + config_dir, + init_data, + ×tr, + &config_ldif); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert INI to LDIF [%d]: [%s]\n", + ret, sss_strerror(ret)); + goto done; + } + } else if (ret == ENOENT) { + ret = confdb_fallback_ldif(tmp_ctx, ×tr, &config_ldif); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create a fallback configuration [%d]: [%s]\n", + ret, sss_strerror(ret)); 
+ goto done; + } + } else { + DEBUG(SSSDBG_CONF_SETTINGS, + "sss_ini_config_file_open failed: %s [%d]\n", sss_strerror(ret), + ret); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "LDIF file to import: \n%s\n", config_ldif); + + /* Set up a transaction to replace the configuration */ + ret = ldb_transaction_start(cdb->ldb); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to start a transaction for " + "updating the configuration\n"); + ret = sysdb_error_to_errno(ret); + goto done; + } + in_transaction = true; + + /* Purge existing database */ + ret = confdb_purge(cdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not purge existing configuration\n"); + goto done; + } + + while ((ldif = ldb_ldif_read_string(cdb->ldb, &config_ldif))) { + ret = ldb_add(cdb->ldb, ldif->msg); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to initialize DB (%d,[%s]), aborting!\n", + ret, ldb_errstring(cdb->ldb)); + ret = EIO; + goto done; + } + ldb_ldif_read_free(cdb->ldb, ldif); + } + + /* now store the lastUpdate time so that we do not re-init if nothing + * changed on restart */ + + vals[0] = timestr; + ret = confdb_add_param(cdb, true, "config", "lastUpdate", vals); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set last update time on db!\n"); + goto done; + } + + ret = ldb_transaction_commit(cdb->ldb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; + +done: + if (in_transaction) { + sret = ldb_transaction_cancel(cdb->ldb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + + sss_ini_config_destroy(init_data); + sss_ini_close_file(init_data); + + talloc_zfree(tmp_ctx); + return ret; +} + +errno_t confdb_setup(TALLOC_CTX *mem_ctx, + const char *cdb_file, + const char *config_file, + const char *config_dir, + struct confdb_ctx **_cdb) +{ + TALLOC_CTX *tmp_ctx; + struct 
confdb_ctx *cdb; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = confdb_init(tmp_ctx, &cdb, cdb_file); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "The confdb initialization failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Initialize the CDB from the configuration file */ + ret = confdb_test(cdb); + if (ret == ENOENT) { + /* First-time setup */ + + /* Purge any existing confdb in case an old + * misconfiguration gets in the way + */ + talloc_zfree(cdb); + ret = unlink(cdb_file); + if (ret != EOK && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Purging existing confdb failed: %d [%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = confdb_init(tmp_ctx, &cdb, cdb_file); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "The confdb initialization failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + } + + /* Load special entries */ + ret = confdb_create_base(cdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Unable to load special entries into confdb\n"); + goto done; + } + } else if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error initializing confdb\n"); + goto done; + } + + ret = confdb_init_db(config_file, config_dir, cdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "ConfDB initialization has failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + *_cdb = talloc_steal(mem_ctx, cdb); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/confdb/confdb_setup.h b/src/confdb/confdb_setup.h new file mode 100644 index 0000000..9f647ec --- /dev/null +++ b/src/confdb/confdb_setup.h 
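Review bot: In confdb_setup, the first-time-setup branch logs a failure of the second confdb_init() call but keeps going, so confdb_create_base(cdb) then dereferences cdb->ldb on a handle that was just released with talloc_zfree(cdb) and is presumably not re-populated when confdb_init() fails. Add `goto done;` after that DEBUG, matching the first confdb_init() failure path a few lines above. Separately, confdb_init_db writes the whole generated configuration to the log with `DEBUG(SSSDBG_CONF_SETTINGS, "LDIF file to import: \n%s\n", config_ldif);`. The option table later in this patch lists a `password` setting for Custodia basic_auth, so any credential stored in sssd.conf lands in the debug log whenever that level is enabled. I would drop the dump or log only the section DNs.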
@@ -0,0 +1,54 @@
+/*
+ SSSD
+
+ Configuration Database
+
+ Copyright (C) Stephen Gallagher 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef CONFDB_SETUP_H_
+#define CONFDB_SETUP_H_
+
+#define CONFDB_VERSION "2"
+#define CONFDB_VERSION_INT 2
+
+#define CONFDB_BASE_LDIF \
+ "dn: @ATTRIBUTES\n" \
+ "cn: CASE_INSENSITIVE\n" \
+ "dc: CASE_INSENSITIVE\n" \
+ "dn: CASE_INSENSITIVE\n" \
+ "name: CASE_INSENSITIVE\n" \
+ "objectclass: CASE_INSENSITIVE\n" \
+ "\n" \
+ "dn: @INDEXLIST\n" \
+ "@IDXATTR: cn\n" \
+ "\n" \
+ "dn: @MODULES\n" \
+ "@LIST: server_sort\n" \
+ "\n"
+
+#define CONFDB_INTERNAL_LDIF \
+ "dn: cn=config\n" \
+ "version: "CONFDB_VERSION"\n" \
+ "\n"
+
+errno_t confdb_setup(TALLOC_CTX *mem_ctx,
+ const char *cdb_file,
+ const char *config_file,
+ const char *config_dir,
+ struct confdb_ctx **_cdb);
+
+#endif /* CONFDB_SETUP_H_ */
diff --git a/src/config/SSSDConfig/__init__.py b/src/config/SSSDConfig/__init__.py
new file mode 100644
index 0000000..1e73045
--- /dev/null
+++ b/src/config/SSSDConfig/__init__.py
@@ -0,0 +1,2162 @@ +''' +Created on Sep 18, 2009 + +@author: sgallagh +''' + +import os +import gettext +import re +import sys +from .ipachangeconf import SSSDChangeConf + +# Exceptions +class SSSDConfigException(Exception): pass +class ParsingError(Exception): pass +class AlreadyInitializedError(SSSDConfigException): pass +class NotInitializedError(SSSDConfigException): pass +class NoOutputFileError(SSSDConfigException): pass +class NoServiceError(SSSDConfigException): pass +class NoSectionError(SSSDConfigException): pass +class NoOptionError(SSSDConfigException): pass +class ServiceNotRecognizedError(SSSDConfigException): pass +class ServiceAlreadyExists(SSSDConfigException): pass +class NoDomainError(SSSDConfigException): pass +class DomainNotRecognized(SSSDConfigException): pass +class DomainAlreadyExistsError(SSSDConfigException): pass +class NoSuchProviderError(SSSDConfigException): pass +class NoSuchProviderSubtypeError(SSSDConfigException): pass +class ProviderSubtypeInUse(SSSDConfigException): pass + +PACKAGE = 'sss_daemon' +LOCALEDIR = '/usr/share/locale' + +translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True) +if sys.version_info[0] > 2: + _ = translation.gettext +else: + _ = translation.ugettext + +# TODO: This needs to be made external +option_strings = { + # [service] + 'debug' : _('Set the verbosity of the debug logging'), + 'debug_level' : _('Set the verbosity of the debug logging'), + 'debug_timestamps' : _('Include timestamps in debug logs'), + 'debug_microseconds' : _('Include microseconds in timestamps in debug logs'), + 'debug_to_files' : _('Write debug messages to logfiles'), + 'timeout' : _('Watchdog timeout before restarting service'), + 'command' : _('Command to start service'), + 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'), + 'fd_limit' : _('The number of file descriptors that may be opened by this responder'), + 'client_idle_timeout' : _('Idle time before automatic disconnection of 
a client'), + 'responder_idle_timeout' : _('Idle time before automatic shutdown of the responder'), + 'cache_first': _('Always query all the caches before querying the Data Providers'), + + # [sssd] + 'services' : _('SSSD Services to start'), + 'domains' : _('SSSD Domains to start'), + 'sbus_timeout' : _('Timeout for messages sent over the SBUS'), + 're_expression' : _('Regex to parse username and domain'), + 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'), + 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'), + 'default_domain_suffix' : _('Domain to add to names without a domain component.'), + 'user' : _('The user to drop privileges to'), + 'certificate_verification' : _('Tune certificate verification'), + 'override_space': _('All spaces in group or user names will be replaced with this character'), + 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'), + 'enable_files_domain' : _('Enable or disable the implicit files domain'), + 'domain_resolution_order': _('A specific order of the domains to be looked up'), + + # [nss] + 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'), + 'entry_cache_no_wait_timeout' : _('Entry cache background update timeout length (seconds)'), + 'entry_negative_timeout' : _('Negative cache timeout length (seconds)'), + 'local_negative_timeout' : _('Files negative cache timeout length (seconds)'), + 'filter_users' : _('Users that SSSD should explicitly ignore'), + 'filter_groups' : _('Groups that SSSD should explicitly ignore'), + 'filter_users_in_groups' : _('Should filtered users appear in groups'), + 'pwfield' : _('The value of the password field the NSS provider should return'), + 'override_homedir' : _('Override homedir value from the identity provider with this value'), + 'fallback_homedir' : _('Substitute empty homedir value from the identity provider with this value'), + 'override_shell': 
_('Override shell value from the identity provider with this value'), + 'allowed_shells' : _('The list of shells users are allowed to log in with'), + 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'), + 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'), + 'default_shell': _('Shell to use if the provider does not list one'), + 'memcache_timeout': _('How long will be in-memory cache records valid'), + 'user_attributes': _('List of user attributes the NSS responder is allowed to publish'), + + # [pam] + 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'), + 'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'), + 'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'), + 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'), + 'pam_response_filter' : _('Filter PAM responses sent to the pam_sss'), + 'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'), + 'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'), + 'pam_trusted_users' : _('List of trusted uids or user\'s name'), + 'pam_public_domains' : _('List of domains accessible even for untrusted users.'), + 'pam_account_expired_message' : _('Message printed when user account is expired.'), + 'pam_account_locked_message' : _('Message printed when user account is locked.'), + 'pam_cert_auth' : _('Allow certificate based/Smartcard authentication.'), + 'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'), + 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'), + 'pam_app_services' : _('Which PAM services are permitted to contact application domains'), + + # [sudo] + 
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'), + 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'), + 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'), + + # [autofs] + 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'), + + # [ssh] + 'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'), + 'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys were requested'), + 'ca_db': _('Path to storage of trusted CA certificates'), + + # [pac] + 'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'), + 'pac_lifetime': _('How long the PAC data is considered valid'), + + # [ifp] + 'allowed_uids': _('List of UIDs or user names allowed to access the InfoPipe responder'), + 'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'), + + # [secrets] + 'provider': _('The provider where the secrets will be stored in'), + 'containers_nest_level': _('The maximum allowed number of nested containers'), + 'max_secrets': _('The maximum number of secrets that can be stored'), + 'max_uid_secrets': _('The maximum number of secrets that can be stored per UID'), + 'max_payload_size': _('The maximum payload size of a secret in kilobytes'), + # secrets - proxy + 'proxy_url': _('The URL Custodia server is listening on'), + 'auth_type': _('The method to use when authenticating to a Custodia server'), + 'auth_header_name': _('The name of the headers that will be added into a HTTP request with the value defined in auth_header_value'), + 'auth_header_value': _('The value sssd-secrets would use for auth_header_name'), + 'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'), + 'username': _('The username to use when authenticating to a 
Custodia server using basic_auth'), + 'password': _('The password to use when authenticating to a Custodia server using basic_auth'), + 'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'), + 'verify_host': _('If false peer\'s certificate may contain different hostname than proxy_url when https protocol is used'), + 'capath': _('Path to directory where certificate authority certificates are stored'), + 'cacert': _('Path to file containing server\'s CA certificate'), + 'cert': _('Path to file containing client\'s certificate'), + 'key': _('Path to file containing client\'s private key'), + + # [provider] + 'id_provider' : _('Identity provider'), + 'auth_provider' : _('Authentication provider'), + 'access_provider' : _('Access control provider'), + 'chpass_provider' : _('Password change provider'), + 'sudo_provider' : _('SUDO provider'), + 'autofs_provider' : _('Autofs provider'), + 'hostid_provider' : _('Host identity provider'), + 'selinux_provider' : _('SELinux provider'), + 'session_provider' : _('Session management provider'), + + # [domain] + 'domain_type' : _('Whether the domain is usable by the OS or by applications'), + 'min_id' : _('Minimum user ID'), + 'max_id' : _('Maximum user ID'), + 'enumerate' : _('Enable enumerating all users/groups'), + 'cache_credentials' : _('Cache credentials for offline login'), + 'store_legacy_passwords' : _('Store password hashes'), + 'use_fully_qualified_names' : _('Display users/groups in fully-qualified form'), + 'ignore_group_members' : _('Don\'t include group members in group lookups'), + 'entry_cache_timeout' : _('Entry cache timeout length (seconds)'), + 'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'), + 'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'), + 'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'), + 
'dns_discovery_domain' : _('The domain part of service discovery DNS query'), + 'override_gid' : _('Override GID value from the identity provider with this value'), + 'case_sensitive' : _('Treat usernames as case sensitive'), + 'entry_cache_user_timeout' : _('Entry cache timeout length (seconds)'), + 'entry_cache_group_timeout' : _('Entry cache timeout length (seconds)'), + 'entry_cache_netgroup_timeout' : _('Entry cache timeout length (seconds)'), + 'entry_cache_service_timeout' : _('Entry cache timeout length (seconds)'), + 'entry_cache_autofs_timeout' : _('Entry cache timeout length (seconds)'), + 'entry_cache_sudo_timeout' : _('Entry cache timeout length (seconds)'), + 'refresh_expired_interval' : _('How often should expired entries be refreshed in background'), + 'dyndns_update' : _("Whether to automatically update the client's DNS entry"), + 'dyndns_ttl' : _("The TTL to apply to the client's DNS entry after updating it"), + 'dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"), + 'dyndns_refresh_interval' : _("How often to periodically update the client's DNS entry"), + 'dyndns_update_ptr' : _("Whether the provider should explicitly update the PTR record as well"), + 'dyndns_force_tcp' : _("Whether the nsupdate utility should default to using TCP"), + 'dyndns_auth' : _("What kind of authentication should be used to perform the DNS update"), + 'dyndns_server' : _("Override the DNS server used to perform the DNS update"), + 'subdomain_enumerate' : _('Control enumeration of trusted domains'), + 'subdomain_refresh_interval' : _('How often should subdomains list be refreshed'), + 'subdomain_inherit' : _('List of options that should be inherited into a subdomain'), + 'subdomain_homedir' : _('Default subdomain homedir value'), + 'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'), + 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'), + 're_expression' : 
_('Regex to parse username and domain'),
+ 'auto_private_groups' : _('Whether to automatically create private groups for users'),
+
+ # [provider/ipa]
+ 'ipa_domain' : _('IPA domain'),
+ 'ipa_server' : _('IPA server address'),
+ 'ipa_backup_server' : _('Address of backup IPA server'),
+ 'ipa_hostname' : _('IPA client hostname'),
+ 'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
+ 'ipa_dyndns_ttl' : _("The TTL to apply to the client's DNS entry after updating it"),
+ 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
+ 'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
+ 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
+ 'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"),
+ 'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
+ 'ipa_automount_location' : _("The automounter location this IPA client is using"),
+ 'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
+ 'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
+ 'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
+ 'ipa_views_search_base': _("Search base for view containers"),
+ 'ipa_view_class': _("Objectclass for view containers"),
+ 'ipa_view_name': _("Attribute with the name of the view"),
+ 'ipa_override_object_class': _("Objectclass for override objects"),
+ 'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
+ 'ipa_user_override_object_class': _("Objectclass for user override objects"),
+ 'ipa_group_override_object_class': _("Objectclass for group override objects"),
+ 'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
+ 'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules against the IPA server"),
+ 'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule"),
+
+ # [provider/ad]
+ 'ad_domain' : _('Active Directory domain'),
+ 'ad_enabled_domains' : _('Enabled Active Directory domains'),
+ 'ad_server' : _('Active Directory server address'),
+ 'ad_backup_server' : _('Active Directory backup server address'),
+ 'ad_hostname' : _('Active Directory client hostname'),
+ 'ad_enable_dns_sites' : _('Enable DNS sites - location based service discovery'),
+ 'ad_access_filter' : _('LDAP filter to determine access privileges'),
+ 'ad_enable_gc' : _('Whether to use the Global Catalog for lookups'),
+ 'ad_gpo_access_control' : _('Operation mode for GPO-based access control'),
+ 'ad_gpo_cache_timeout' : _("The amount of time between lookups of the GPO policy files against the AD server"),
+ 'ad_gpo_map_interactive' : _('PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings'),
+ 'ad_gpo_map_remote_interactive' : _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings'),
+ 'ad_gpo_map_network' : _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
+ 'ad_gpo_map_batch' : _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
+ 'ad_gpo_map_service' : _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
+ 'ad_gpo_map_permit' : _('PAM service names for which GPO-based access is always granted'),
+ 'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
+ 'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
+ 'ad_site' : _('a particular site to be used by the client'),
+ 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
+ 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+
+ # [provider/krb5]
+ 'krb5_kdcip' : _('Kerberos server address'),
+ 'krb5_server' : _('Kerberos server address'),
+ 'krb5_backup_server' : _('Kerberos backup server address'),
+ 'krb5_realm' : _('Kerberos realm'),
+ 'krb5_auth_timeout' : _('Authentication timeout'),
+ 'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
+ 'krb5_confd_path' : _('Where to drop krb5 config snippets'),
+
+ # [provider/krb5/auth]
+ 'krb5_ccachedir' : _('Directory to store credential caches'),
+ 'krb5_ccname_template' : _("Location of the user's credential cache"),
+ 'krb5_keytab' : _("Location of the keytab to validate credentials"),
+ 'krb5_validate' : _("Enable credential validation"),
+ 'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
+ 'krb5_renewable_lifetime' : _("Renewable lifetime of the TGT"),
+ 'krb5_lifetime' : _("Lifetime of the TGT"),
+ 'krb5_renew_interval' : _("Time between two checks for renewal"),
+ 'krb5_use_fast' : _("Enables FAST"),
+ 'krb5_fast_principal' : _("Selects the principal to use for FAST"),
+ 'krb5_canonicalize' : _("Enables principal canonicalization"),
+ 'krb5_use_enterprise_principal' : _("Enables enterprise principals"),
+ 'krb5_map_user' : _('A mapping from user names to Kerberos principal names'),
+
+ # [provider/krb5/chpass]
+ 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
+ 'krb5_backup_kpasswd' : _('Server where the change password service is running if not on the KDC'),
+
+ # [provider/ldap]
+ 'ldap_uri' : _('ldap_uri, The URI of the LDAP server'),
+ 'ldap_backup_uri' : _('ldap_backup_uri, The URI of the LDAP server'),
+ 'ldap_search_base' : _('The default base DN'),
+ 'ldap_schema' : _('The Schema Type in use on the LDAP server, rfc2307'),
+ 'ldap_default_bind_dn' : _('The default bind DN'),
+ 'ldap_default_authtok_type' : _('The type of the authentication token of the default bind DN'),
+ 'ldap_default_authtok' : _('The authentication token of the default bind DN'),
+ 'ldap_network_timeout' : _('Length of time to attempt connection'),
+ 'ldap_opt_timeout' : _('Length of time to attempt synchronous LDAP operations'),
+ 'ldap_offline_timeout' : _('Length of time between attempts to reconnect while offline'),
+ 'ldap_force_upper_case_realm' : _('Use only the upper case for realm names'),
+ 'ldap_tls_cacert' : _('File that contains CA certificates'),
+ 'ldap_tls_cacertdir' : _('Path to CA certificate directory'),
+ 'ldap_tls_cert' : _('File that contains the client certificate'),
+ 'ldap_tls_key' :_('File that contains the client key'),
+ 'ldap_tls_cipher_suite' :_('List of possible ciphers suites'),
+ 'ldap_tls_reqcert' : _('Require TLS certificate verification'),
+ 'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
+ 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
+ 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
+ 'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
+ 'ldap_krb5_keytab' : _('Kerberos service keytab'),
+ 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
+ 'ldap_referrals' : _('Follow LDAP referrals'),
+ 'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
+ 'ldap_deref' : _('How to dereference aliases'),
+ 'ldap_dns_service_name' : _('Service name for DNS service lookups'),
+ 'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'),
+ 'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'),
+ 'ldap_sasl_canonicalize' : _('Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind'),
+
+ 'ldap_entry_usn' : _('entryUSN attribute'),
+ 'ldap_rootdse_last_usn' : _('lastUSN attribute'),
+
+ 'ldap_connection_expiration_timeout' : _('How long to retain a connection to the LDAP server before disconnecting'),
+
+ 'ldap_disable_paging' : _('Disable the LDAP paging control'),
+ 'ldap_disable_range_retrieval' : _('Disable Active Directory range retrieval'),
+
+ # [provider/ldap/id]
+ 'ldap_search_timeout' : _('Length of time to wait for a search request'),
+ 'ldap_enumeration_search_timeout' : _('Length of time to wait for a enumeration request'),
+ 'ldap_enumeration_refresh_timeout' : _('Length of time between enumeration updates'),
+ 'ldap_purge_cache_timeout' : _('Length of time between cache cleanups'),
+ 'ldap_id_use_start_tls' : _('Require TLS for ID lookups'),
+ 'ldap_id_mapping' : _('Use ID-mapping of objectSID instead of pre-set IDs'),
+ 'ldap_user_search_base' : _('Base DN for user lookups'),
+ 'ldap_user_search_scope' : _('Scope of user lookups'),
+ 'ldap_user_search_filter' : _('Filter for user lookups'),
+ 'ldap_user_object_class' : _('Objectclass for users'),
+ 'ldap_user_name' : _('Username attribute'),
+ #not used # 'ldap_user_pwd' :_('Password attribute'),
+ 'ldap_user_uid_number' : _('UID attribute'),
+ 'ldap_user_gid_number' : _('Primary GID attribute'),
+ 'ldap_user_gecos' : _('GECOS attribute'),
+ 'ldap_user_home_directory' : _('Home directory attribute'),
+ 'ldap_user_shell' : _('Shell attribute'),
+ 'ldap_user_uuid' : _('UUID attribute'),
+ 'ldap_user_objectsid' : _("objectSID attribute"),
+ 'ldap_user_primary_group' : _('Active Directory primary group attribute for ID-mapping'),
+ 'ldap_user_principal' : _('User principal attribute (for Kerberos)'),
+ 'ldap_user_fullname' : _('Full Name'),
+ 'ldap_user_member_of' : _('memberOf attribute'),
+ 'ldap_user_modify_timestamp' : _('Modification time attribute'),
+ #replaced by ldap_entry_usn# 'ldap_user_entry_usn' : _('entryUSN attribute'),
+ 'ldap_user_shadow_last_change' : _('shadowLastChange attribute'),
+ 'ldap_user_shadow_min' : _('shadowMin attribute'),
+ 'ldap_user_shadow_max' : _('shadowMax attribute'),
+ 'ldap_user_shadow_warning' : _('shadowWarning attribute'),
+ 'ldap_user_shadow_inactive' : _('shadowInactive attribute'),
+ 'ldap_user_shadow_expire' : _('shadowExpire attribute'),
+ 'ldap_user_shadow_flag' : _('shadowFlag attribute'),
+ 'ldap_user_authorized_service' : _('Attribute listing authorized PAM services'),
+ 'ldap_user_authorized_host' : _('Attribute listing authorized server hosts'),
+ 'ldap_user_authorized_rhost' : _('Attribute listing authorized server rhosts'),
+ 'ldap_user_krb_last_pwd_change' : _('krbLastPwdChange attribute'),
+ 'ldap_user_krb_password_expiration' : _('krbPasswordExpiration attribute'),
+ 'ldap_pwd_attribute' : _('Attribute indicating that server side password policies are active'),
+ 'ldap_user_ad_account_expires' : _('accountExpires attribute of AD'),
+ 'ldap_user_ad_user_account_control' : _('userAccountControl attribute of AD'),
+ 'ldap_ns_account_lock' : _('nsAccountLock attribute'),
+ 'ldap_user_nds_login_disabled' : _('loginDisabled attribute of NDS'),
+ 'ldap_user_nds_login_expiration_time' : _('loginExpirationTime attribute of NDS'),
+ 'ldap_user_nds_login_allowed_time_map' : _('loginAllowedTimeMap attribute of NDS'),
+ 'ldap_user_ssh_public_key' : _('SSH public key attribute'),
+ 'ldap_user_auth_type' : _('attribute listing allowed authentication types for a user'),
+ 'ldap_user_certificate' : _('attribute containing the X509 certificate of the user'),
+ 'ldap_user_email' : _('attribute containing the email address of the user'),
+
+ 'ldap_user_extra_attrs' : _('A list of extra attributes to download along with the user entry'),
+
+ 'ldap_group_search_base' : _('Base DN for group lookups'),
+ # not used # 'ldap_group_search_scope' : _('Scope of group lookups'),
+ # not used # 'ldap_group_search_filter' : _('Filter for group lookups'),
+ 'ldap_group_object_class' : _('Objectclass for groups'),
+ 'ldap_group_name' : _('Group name'),
+ 'ldap_group_pwd' : _('Group password'),
+ 'ldap_group_gid_number' : _('GID attribute'),
+ 'ldap_group_member' : _('Group member attribute'),
+ 'ldap_group_uuid' : _('Group UUID attribute'),
+ 'ldap_group_objectsid' : _("objectSID attribute"),
+ 'ldap_group_modify_timestamp' : _('Modification time attribute for groups'),
+ 'ldap_group_type' : _('Type of the group and other flags'),
+ 'ldap_group_external_member' : _('The LDAP group external member attribute'),
+ #replaced by ldap_entry_usn# 'ldap_group_entry_usn' : _('entryUSN attribute'),
+ 'ldap_group_nesting_level' : _('Maximum nesting level SSSD will follow'),
+
+ 'ldap_netgroup_search_base' : _('Base DN for netgroup lookups'),
+ 'ldap_netgroup_object_class' : _('Objectclass for netgroups'),
+ 'ldap_netgroup_name' : _('Netgroup name'),
+ 'ldap_netgroup_member' : _('Netgroups members attribute'),
+ 'ldap_netgroup_triple' : _('Netgroup triple attribute'),
+ 'ldap_netgroup_modify_timestamp' : _('Modification time attribute for netgroups'),
+
+ 'ldap_service_search_base' : _('Base DN for service lookups'),
+ 'ldap_service_object_class' : _('Objectclass for services'),
+ 'ldap_service_name' : _('Service name attribute'),
+ 'ldap_service_port' : _('Service port attribute'),
+ 'ldap_service_proto' : _('Service protocol attribute'),
+ #replaced by ldap_entry_usn# 'ldap_service_entry_usn' : _('Service entryUSN attribute'),
+
+ 'ldap_idmap_range_min' : _('Lower bound for ID-mapping'),
+ 'ldap_idmap_range_max' : _('Upper bound for ID-mapping'),
+ 'ldap_idmap_range_size' : _('Number of IDs for each slice when ID-mapping'),
+ 'ldap_idmap_autorid_compat' : _('Use autorid-compatible algorithm for ID-mapping'),
+ 'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
+ 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
+ 'ldap_idmap_helper_table_size' : _('Number of secondary slices'),
+
+ 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
+ 'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
+ 'ldap_use_tokengroups' : _('Whether to use Token-Groups'),
+ 'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
+ 'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
+ 'ldap_pwdlockout_dn' : _('DN for ppolicy queries'),
+ 'wildcard_limit' : _('How many maximum entries to fetch during a wildcard request'),
+
+ # [provider/ldap/auth]
+ 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
+
+ # [provider/ldap/access]
+ 'ldap_access_filter' : _('LDAP filter to determine access privileges'),
+ 'ldap_account_expire_policy' : _('Which attributes shall be used to evaluate if an account is expired'),
+ 'ldap_access_order' : _('Which rules should be used to evaluate access control'),
+
+ # [provider/ldap/chpass]
+ 'ldap_chpass_uri' : _('URI of an LDAP server where password changes are allowed'),
+ 'ldap_chpass_backup_uri' : _('URI of a backup LDAP server where password changes are allowed'),
+ 'ldap_chpass_dns_service_name' : _('DNS service name for LDAP password change server'),
+ 'ldap_chpass_update_last_change' : _('Whether to update the ldap_user_shadow_last_change attribute after a password change'),
+
+ # [provider/ldap/sudo]
+ 'ldap_sudo_search_base' : _('Base DN for sudo rules lookups'),
+ 'ldap_sudo_full_refresh_interval' : _('Automatic full refresh period'),
+ 'ldap_sudo_smart_refresh_interval' : _('Automatic smart refresh period'),
+ 'ldap_sudo_use_host_filter' : _('Whether to filter rules by hostname, IP addresses and network'),
+ 'ldap_sudo_hostnames' : _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
+ 'ldap_sudo_ip' : _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
+ 'ldap_sudo_include_netgroups' : _('Whether to include rules that contains netgroup in host attribute'),
+ 'ldap_sudo_include_regexp' : _('Whether to include rules that contains regular expression in host attribute'),
+ 'ldap_sudorule_object_class' : _('Object class for sudo rules'),
+ 'ldap_sudorule_name' : _('Sudo rule name'),
+ 'ldap_sudorule_command' : _('Sudo rule command attribute'),
+ 'ldap_sudorule_host' : _('Sudo rule host attribute'),
+ 'ldap_sudorule_user' : _('Sudo rule user attribute'),
+ 'ldap_sudorule_option' : _('Sudo rule option attribute'),
+ 'ldap_sudorule_runas' : _('Sudo rule runas attribute'),
+ 'ldap_sudorule_runasuser' : _('Sudo rule runasuser attribute'),
+ 'ldap_sudorule_runasgroup' : _('Sudo rule runasgroup attribute'),
+ 'ldap_sudorule_notbefore' : _('Sudo rule notbefore attribute'),
+ 'ldap_sudorule_notafter' : _('Sudo rule notafter attribute'),
+ 'ldap_sudorule_order' : _('Sudo rule order attribute'),
+
+ # [provider/ldap/autofs]
+ 'ldap_autofs_map_object_class' : _('Object class for automounter maps'),
+ 'ldap_autofs_map_name' : _('Automounter map name attribute'),
+ 'ldap_autofs_entry_object_class' : _('Object class for automounter map entries'),
+ 'ldap_autofs_entry_key' : _('Automounter map entry key attribute'),
+ 'ldap_autofs_entry_value' : _('Automounter map entry value attribute'),
+ 'ldap_autofs_search_base' : _('Base DN for automounter map lookups'),
+
+ # [provider/simple/access]
+ 'simple_allow_users' : _('Comma separated list of allowed users'),
+ 'simple_deny_users' : _('Comma separated list of prohibited users'),
+
+ # [provider/local/id]
+ 'default_shell' : _('Default shell, /bin/bash'),
+ 'base_directory' : _('Base for home directories'),
+
+ # [provider/proxy]
+ 'proxy_max_children' : _('The number of preforked proxy children.'),
+
+ # [provider/proxy/id]
+ 'proxy_lib_name' : _('The name of the NSS library to use'),
+ 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
+
+ # [provider/proxy/auth]
+ 'proxy_pam_target' : _('PAM stack to use'),
+
+ # [provider/files]
+ 'passwd_files' : _('Path of passwd file sources.'),
+ 'group_files' : _('Path of group file sources.')
+}
+
+def striplist(l):
+ return([x.strip() for x in l])
+
+def options_overlap(options1, options2):
+ overlap = []
+ for option in options1:
+ if option in options2:
+ overlap.append(option)
+ return overlap
+
+class SSSDConfigSchema(SSSDChangeConf):
+ def __init__(self, schemafile, schemaplugindir):
+ SSSDChangeConf.__init__(self)
+ #TODO: get these from a global setting
+ if not schemafile:
+ schemafile = '${prefix}/share/sssd/sssd.api.conf'
+ if not schemaplugindir:
+ schemaplugindir = '${prefix}/share/sssd/sssd.api.d'
+
+ try:
+ #Read the primary config file
+ fd = open(schemafile, 'r')
+ self.readfp(fd)
+ fd.close()
+ # Read in the provider files
+ for file in filter(lambda f: re.search(r'^sssd-.*\.conf$', f),
+ os.listdir(schemaplugindir)):
+ fd = open(schemaplugindir+ "/" + file)
+ self.readfp(fd)
+ fd.close()
+ except IOError:
+ raise
+ except SyntaxError: # can be raised with readfp
+ raise ParsingError
+
+ # Set up lookup table for types
+ self.type_lookup = {
+ 'bool' : bool,
+ 'int' : int,
+ 'long' : long if sys.version_info[0] == 2 else int,
+ 'float': float,
+ 'str' : str,
+ 'list' : list,
+ 'None' : None
+ }
+
+ # Lookup table for acceptable boolean values
+ self.bool_lookup = {
+ 'false' : False,
+ 'true' : True,
+ }
+
+ def get_options(self, section):
+ if not self.has_section(section):
+ raise NoSectionError
+ options = self.options(section)
+
+ # Indexes
+ PRIMARY_TYPE = 0
+ SUBTYPE = 1
+ MANDATORY = 2
+ DEFAULT = 3
+
+ # Parse values
+ parsed_options = {}
+ for option in self.strip_comments_empty(options):
+ unparsed_option = option['value']
+ split_option = striplist(unparsed_option.split(','))
+ optionlen = len(split_option)
+
+ primarytype = self.type_lookup[split_option[PRIMARY_TYPE]]
+ subtype = self.type_lookup[split_option[SUBTYPE]]
+ mandatory = self.bool_lookup[split_option[MANDATORY]]
+
+ if option['name'] in option_strings:
+ desc = option_strings[option['name']]
+ else:
+ desc = None
+
+ if optionlen == 3:
+ # This option has no defaults
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ None)
+ elif optionlen == 4:
+ if type(split_option[DEFAULT]) == primarytype:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ split_option[DEFAULT])
+ elif primarytype == list:
+ if (type(split_option[DEFAULT]) == subtype):
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ [split_option[DEFAULT]])
+ else:
+ try:
+ if subtype == bool and \
+ type(split_option[DEFAULT]) == str:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ [self.bool_lookup[split_option[DEFAULT].lower()]])
+ else:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ [subtype(split_option[DEFAULT])])
+ except ValueError:
+ raise ParsingError
+ else:
+ try:
+ if primarytype == bool and \
+ type(split_option[DEFAULT]) == str:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ self.bool_lookup[split_option[DEFAULT].lower()])
+ else:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ primarytype(split_option[DEFAULT]))
+ except ValueError:
+ raise ParsingError
+
+ elif optionlen > 4:
+ if (primarytype != list):
+ raise ParsingError
+ fixed_options = []
+ for x in split_option[DEFAULT:]:
+ if type(x) != subtype:
+ try:
+ if (subtype == bool and type(x) == str):
+ newvalue = self.bool_lookup[x.lower()]
+ else:
+ newvalue = subtype(x)
+ fixed_options.extend([newvalue])
+ except ValueError:
+ raise ParsingError
+ else:
+ fixed_options.extend([x])
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ fixed_options)
+ else:
+ # Bad config file
+ raise ParsingError
+
+ return parsed_options
+
+ def get_option(self, section, option):
+ if not self.has_section(section):
+ raise NoSectionError(section)
+ if not self.has_option(section, option):
+ raise NoOptionError("Section [%s] has no option [%s]" %
+ (section, option))
+
+ return self.get_options(section)[option]
+
+ def get_defaults(self, section):
+ if not self.has_section(section):
+ raise NoSectionError(section)
+
+ schema_options = self.get_options(section)
+ defaults = dict([(x,schema_options[x][4])
+ for x in schema_options.keys()
+ if schema_options[x][4] != None])
+
+ return defaults
+
+ def get_services(self):
+ service_list = [x['name'] for x in self.sections()
+ if x['name'] != 'service' and
+ not x['name'].startswith('domain') and
+ not x['name'].startswith('provider')]
+ return service_list
+
+ def get_providers(self):
+ providers = {}
+ for section in self.sections():
+ splitsection = section['name'].split('/')
+ if (splitsection[0] == 'provider'):
+ if(len(splitsection) == 3):
+ if splitsection[1] not in providers:
+ providers[splitsection[1]] = []
+ providers[splitsection[1]].extend([splitsection[2]])
+ for key in providers.keys():
+ providers[key] = tuple(providers[key])
+ return providers
+
+class SSSDConfigObject(object):
+ def __init__(self):
+ self.name = None
+ self.options = {}
+
+ def get_name(self):
+ """
+ Return the name of the object
+
+ === Returns ===
+ The domain name
+
+ === Errors ===
+ No errors
+ """
+ return self.name
+
+ def get_option(self, optionname):
+ """
+ Return the value of an service option
+
+ optionname:
+ The option to get.
+
+ === Returns ===
+ The value for the requested option.
+
+ === Errors ===
+ NoOptionError:
+ The specified option was not listed in the service
+ """
+ if optionname in self.options.keys():
+ return self.options[optionname]
+ raise NoOptionError(optionname)
+
+ def get_all_options(self):
+ """
+ Return a dictionary of name/value pairs for this object
+
+ === Returns ===
+ A dictionary of name/value pairs currently in use for this object
+
+ === Errors ===
+ No errors
+ """
+ return self.options
+
+ def remove_option(self, optionname):
+ """
+ Remove an option from the object. If the option does not exist, it is ignored.
+
+ === Returns ===
+ No return value.
+
+ === Errors ===
+ No errors
+ """
+ if optionname in self.options:
+ del self.options[optionname]
+
+class SSSDService(SSSDConfigObject):
+ '''
+ Object to manipulate SSSD service options
+ '''
+
+ def __init__(self, servicename, apischema):
+ """
+ Create a new SSSDService, setting its defaults to those found in the
+ schema. This constructor should not be used directly. Use
+ SSSDConfig.new_service() instead.
+
+ name:
+ The service name
+ apischema:
+ An SSSDConfigSchema? object created by SSSDConfig.__init__()
+
+ === Returns ===
+ The newly-created SSSDService object.
+
+ === Errors ===
+ TypeError:
+ The API schema passed in was unusable or the name was not a string.
+ ServiceNotRecognizedError:
+ The service was not listed in the schema
+ """
+ SSSDConfigObject.__init__(self)
+
+ if not isinstance(apischema, SSSDConfigSchema) or type(servicename) != str:
+ raise TypeError
+
+ if not apischema.has_section(servicename):
+ raise ServiceNotRecognizedError(servicename)
+
+ self.name = servicename
+ self.schema = apischema
+
+ # Set up the service object with any known defaults
+ self.options = {}
+
+ # Include a list of hidden options
+ self.hidden_options = []
+
+ # Set up default options for all services
+ self.options.update(self.schema.get_defaults('service'))
+
+ # Set up default options for this service
+ self.options.update(self.schema.get_defaults(self.name))
+
+ def list_options_with_mandatory(self):
+ """
+ List options for the service, including the mandatory flag.
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), whether it is mandatory, the
+ translated option description, and the default value (or 'None') as
+ the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, False, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = {}
+
+ # Get the list of available options for all services
+ schema_options = self.schema.get_options('service')
+ options.update(schema_options)
+
+ schema_options = self.schema.get_options(self.name)
+ options.update(schema_options)
+
+ return options
+
+ def list_options(self):
+ """
+ List all options that apply to this service
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'services' :
+ (list, str, u'SSSD Services to start', ['nss', 'pam']) }
+
+ === Errors ===
+ No Errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def list_mandatory_options(self):
+ """
+ List all mandatory options that apply to this service
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'services' :
+ (list, str, u'SSSD Services to start', ['nss', 'pam']) }
+
+ === Errors ===
+ No Errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ if options[key][2]:
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def set_option(self, optionname, value):
+ """
+ Set a service option to the specified value (or values)
+
+ optionname:
+ The option to change
+ value:
+ The value to set. This may be a single value or a list of values. If
+ it is set to None, it resets the option to its default.
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ NoOptionError:
+ The specified option is not listed in the schema
+ TypeError:
+ The value specified was not of the expected type
+ """
+ if self.schema.has_option(self.name, optionname):
+ option_schema = self.schema.get_option(self.name, optionname)
+ elif self.schema.has_option('service', optionname):
+ option_schema = self.schema.get_option('service', optionname)
+ elif optionname in self.hidden_options:
+ # Set this option and do not add it to the list of changeable values
+ self.options[optionname] = value
+ return
+ else:
+ raise NoOptionError('Section [%s] has no option [%s]' % (self.name, optionname))
+
+ if value == None:
+ self.remove_option(optionname)
+ return
+
+ raise_error = False
+
+ # If we were expecting a list and didn't get one,
+ # Create a list with a single entry. If it's the
+ # wrong subtype, it will fail below
+ if option_schema[0] == list and type(value) != list:
+ if type(value) == str:
+ value = striplist(value.split(','))
+ else:
+ value = [value]
+
+ if type(value) != option_schema[0]:
+ # If it's possible to convert it, do so
+ try:
+ if option_schema[0] == bool and type(value) == str:
+ value = self.schema.bool_lookup[value.lower()]
+ elif option_schema[0] == int and type(value) == str:
+ # Make sure we handle any reasonable base
+ value = int(value, 0)
+ else:
+ value = option_schema[0](value)
+ except ValueError:
+ raise_error = True
+ except KeyError:
+ raise_error = True
+
+ if raise_error:
+ raise TypeError('Expected %s for %s, received %s' %
+ (option_schema[0], optionname, type(value)))
+
+ if type(value) == list:
+ # Iterate through the list an ensure that all members
+ # are of the appropriate subtype
+ try:
+ newvalue = []
+ for x in value:
+ if option_schema[1] == bool and \
+ type(x) == str:
+ newvalue.extend([self.schema.bool_lookup[x.lower()]])
+ else:
+ newvalue.extend([option_schema[1](x)])
+ except ValueError:
+ raise_error = True
+ except KeyError:
+ raise_error = True
+
+ if raise_error:
+ raise TypeError('Expected %s' % option_schema[1])
+
+ value = newvalue
+
+ self.options[optionname] = value
+
+class SSSDDomain(SSSDConfigObject):
+ """
+ Object to manipulate SSSD domain options
+ """
+ def __init__(self, domainname, apischema):
+ """
+ Creates a new, empty SSSDDomain. This domain is inactive by default.
+ This constructor should not be used directly. Use
+ SSSDConfig.new_domain() instead.
+
+ name:
+ The domain name.
+ apischema:
+ An SSSDConfigSchema object created by SSSDConfig.__init__()
+
+ === Returns ===
+ The newly-created SSSDDomain object.
+
+ === Errors ===
+ TypeError:
+ apischema was not an SSSDConfigSchema object or domainname was not
+ a string
+ """
+ SSSDConfigObject.__init__(self)
+
+ if not isinstance(apischema, SSSDConfigSchema) or type(domainname) != str:
+ raise TypeError
+
+ self.name = domainname
+ self.schema = apischema
+ self.active = False
+ self.oldname = None
+ self.providers = []
+
+ # Set up the domain object with any known defaults
+ self.options = {}
+
+ # Set up default options for all domains
+ self.options.update(self.schema.get_defaults('provider'))
+ self.options.update(self.schema.get_defaults('domain'))
+
+ def set_active(self, active):
+ """
+ Enable or disable this domain
+
+ active:
+ Boolean value. If True, this domain will be added to the active
+ domains list when it is saved. If False, it will be removed from the
+ active domains list when it is saved.
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ No errors
+ """
+ self.active = bool(active)
+
+ def list_options_with_mandatory(self):
+ """
+ List options for the currently-configured providers, including the
+ mandatory flag
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), whether it is mandatory, the
+ translated option description, and the default value (or 'None') as
+ the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, False, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = {}
+ # Get the list of available options for all domains
+ options.update(self.schema.get_options('provider'))
+
+ options.update(self.schema.get_options('domain'))
+
+ # Candidate for future optimization: will update primary type
+ # for each subtype
+ for (provider, providertype) in self.providers:
+ schema_options = self.schema.get_options('provider/%s'
+ % provider)
+ options.update(schema_options)
+ schema_options = self.schema.get_options('provider/%s/%s'
+ % (provider, providertype))
+ options.update(schema_options)
+ return options
+
+ def list_options(self):
+ """
+ List options available for the currently-configured providers.
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def list_mandatory_options(self):
+ """
+ List mandatory options for the currently-configured providers.
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ if options[key][2]:
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def list_provider_options(self, provider, provider_type=None):
+ """
+ If provider_type is specified, list all options applicable to that
+ target, otherwise list all possible options available for a provider.
+
+ type:
+ Provider backend type. (e.g. local, ldap, krb5, etc.)
+ provider_type:
+ Subtype of the backend type. (e.g. id, auth, access, chpass)
+
+ === Returns ===
+
+ A dictionary of configurable options for the specified provider type.
+ This dictionary is keyed on the option name with a tuple of the
+ variable type, subtype ('None' if the type is not a collection type),
+ the translated option description, and the default value (or 'None')
+ as the value.
+ + === Errors === + + NoSuchProviderError: + The specified provider is not listed in the schema or plugins + NoSuchProviderSubtypeError: + The specified provider subtype is not listed in the schema + """ + #TODO section checking + + options = self.schema.get_options('provider/%s' % provider) + if(provider_type): + options.update(self.schema.get_options('provider/%s/%s' % + (provider, provider_type))) + else: + # Add options from all provider subtypes + known_providers = self.list_providers() + for provider_type in known_providers[provider]: + options.update(self.list_provider_options(provider, + provider_type)) + return options + + def list_providers(self): + """ + Return a dictionary of providers. + + === Returns === + Returns a dictionary of providers, keyed on the primary type, with the + value being a tuple of the subtypes it supports. + + Example: + { 'ldap' : ('id', 'auth', 'chpass') } + + === Errors === + No Errors + """ + return self.schema.get_providers() + + def set_option(self, option, value): + """ + Set a domain option to the specified value (or values) + + option: + The option to change. + value: + The value to set. This may be a single value or a list of values. + If it is set to None, it resets the option to its default. + + === Returns === + No return value. + + === Errors === + NoOptionError: + The specified option is not listed in the schema + TypeError: + The value specified was not of the expected type + """ + options = self.list_options() + if (option not in options.keys()): + raise NoOptionError('Section [%s] has no option [%s]' % + (self.name, option)) + + if value == None: + self.remove_option(option) + return + + option_schema = options[option] + raise_error = False + + # If we were expecting a list and didn't get one, + # Create a list with a single entry. 
If it's the + # wrong subtype, it will fail below + if option_schema[0] == list and type(value) != list: + if type(value) == str: + value = striplist(value.split(',')) + else: + value = [value] + + if type(value) != option_schema[0]: + # If it's possible to convert it, do so + try: + if option_schema[0] == bool and \ + type(value) == str: + value = self.schema.bool_lookup[value.lower()] + elif option_schema[0] == int and type(value) == str: + # Make sure we handle any reasonable base + value = int(value, 0) + else: + value = option_schema[0](value) + except ValueError: + raise_error = True + except KeyError: + raise_error = True + + if raise_error: + raise TypeError('Expected %s for %s, received %s' % + (option_schema[0], option, type(value))) + + if type(value) == list: + # Iterate through the list an ensure that all members + # are of the appropriate subtype + try: + newvalue = [] + for x in value: + if option_schema[1] == bool and \ + type(x) == str: + newvalue.extend([self.schema.bool_lookup[x.lower()]]) + else: + newvalue.extend([option_schema[1](x)]) + except ValueError: + raise_error = True + except KeyError: + raise_error = True + + if raise_error: + raise TypeError('Expected %s' % option_schema[1]) + value = newvalue + + # Check whether we're adding a provider entry. + is_provider = option.rfind('_provider') + if (is_provider > 0): + provider = option[:is_provider] + try: + self.add_provider(value, provider) + except NoSuchProviderError: + raise NoOptionError + else: + self.options[option] = value + + def set_name(self, newname): + """ + Change the name of the domain + + newname: + New name for this domain + + === Returns === + No return value. 
+ + === Errors === + TypeError: + newname was not a string + """ + + if type(newname) != str: + raise TypeError + + if not self.oldname: + # Only set the oldname once + self.oldname = self.name + self.name = newname + + def add_provider(self, provider, provider_type): + """ + Add a new provider type to the domain + + type: + Provider backend type. (e.g. local, ldap, krb5, etc.) + subtype: + Subtype of the backend type. (e.g. id, auth, chpass) + + === Returns === + No return value. + + === Errors === + ProviderSubtypeInUse: + Another backend is already providing this subtype + NoSuchProviderError: + The specified provider is not listed in the schema or plugins + NoSuchProviderSubtypeError: + The specified provider subtype is not listed in the schema + """ + # Check that provider and provider_type are valid + configured_providers = self.list_providers() + if provider in configured_providers.keys(): + if provider_type not in configured_providers[provider]: + raise NoSuchProviderSubtypeError(provider_type) + else: + raise NoSuchProviderError + + # Don't add a provider twice + with_this_type = [x for x in self.providers if x[1] == provider_type] + if len(with_this_type) > 1: + # This should never happen! + raise ProviderSubtypeInUse + if len(with_this_type) == 1: + if with_this_type[0][0] != provider: + raise ProviderSubtypeInUse(with_this_type[0][0]) + else: + self.providers.extend([(provider, provider_type)]) + + option_name = '%s_provider' % provider_type + self.options[option_name] = provider + + # Add defaults for this provider + self.options.update(self.schema.get_defaults('provider/%s' % + provider)) + self.options.update(self.schema.get_defaults('provider/%s/%s' % + (provider, + provider_type))) + + def remove_provider(self, provider_type): + """ + Remove a provider from the domain. If the provider is not present, it + is ignored. + + provider_type: + Subtype of the backend type. (e.g. id, auth, chpass) + + === Returns === + No return value. 
+ + === Errors === + No Errors + """ + + provider = None + for (provider, ptype) in self.providers: + if ptype == provider_type: + break + provider = None + + # Check whether the provider_type was found + if not provider: + return + + # Remove any unused options when removing the provider. + options = self.list_provider_options(provider, provider_type) + + # Trim any options that are used by other providers, + # if that provider is in use + for (prov, ptype) in self.providers: + # Ignore the one being removed + if (prov, ptype) == (provider, provider_type): + continue + + provider_options = self.list_provider_options(prov, ptype) + overlap = options_overlap(options.keys(), provider_options.keys()) + for opt in overlap: + del options[opt] + + # We should now have a list of options used only by this + # provider. So we remove them. + for option in options: + if option in self.options: + del self.options[option] + + # Remove this provider from the option list + option = '%s_provider' % provider_type + if option in self.options: + del self.options[option] + + self.providers.remove((provider, provider_type)) + +class SSSDConfig(SSSDChangeConf): + """ + class SSSDConfig + Primary class for operating on SSSD configurations + """ + def __init__(self, schemafile=None, schemaplugindir=None): + """ + Initialize the SSSD config parser/editor. This constructor does not + open or create a config file. If the schemafile and schemaplugindir + are not passed, it will use the system defaults. + + schemafile: + The path to the API schema config file. Usually + ${prefix}/share/sssd/sssd.api.conf + schemaplugindir: + The path the directory containing the provider schema config files. + Usually ${prefix}/share/sssd/sssd.api.d + + === Returns === + The newly-created SSSDConfig object. + + === Errors === + IOError: + Exception raised when the schema file could not be opened for + reading. + ParsingError: + The main schema file or one of those in the plugin directory could + not be parsed. 
+ """ + SSSDChangeConf.__init__(self) + self.schema = SSSDConfigSchema(schemafile, schemaplugindir) + self.configfile = None + self.initialized = False + self.API_VERSION = 2 + + def import_config(self,configfile=None): + """ + Read in a config file, populating all of the service and domain + objects with the read values. + + configfile: + The path to the SSSD config file. If not specified, use the system + default, usually ${prefix}/etc/sssd.conf + + === Returns === + No return value + + === Errors === + IOError: + Exception raised when the file could not be opened for reading + ParsingError: + Exception raised when errors occur attempting to parse a file. + AlreadyInitializedError: + This SSSDConfig object was already initialized by a call to + import_config() or new_config() + """ + if self.initialized: + raise AlreadyInitializedError + + if not configfile: + #TODO: get this from a global setting + configfile = '${prefix}/etc/sssd/sssd.conf' + # open will raise an IOError if it fails + fd = open(configfile, 'r') + + try: + self.readfp(fd) + except: + raise ParsingError + + fd.close() + self.configfile = configfile + self.initialized = True + + try: + if int(self.get('sssd', 'config_file_version')) != self.API_VERSION: + raise ParsingError("Wrong config_file_version") + except TypeError: + # This happens when config_file_version is missing. We + # can assume it is the default version and continue. + pass + + def new_config(self): + """ + Initialize the SSSDConfig object with the defaults from the schema. 
+ + === Returns === + No return value + + === Errors === + AlreadyInitializedError: + This SSSDConfig object was already initialized by a call to + import_config() or new_config() + """ + if self.initialized: + raise AlreadyInitializedError + + self.initialized = True + + #Initialize all services + for servicename in self.schema.get_services(): + service = self.new_service(servicename) + + def write(self, outputfile=None): + """ + Write out the configuration to a file. + + outputfile: + The path to write the new config file. If it is not specified, it + will use the path specified by the import() call. + === Returns === + No return value + + === Errors === + IOError: + Exception raised when the file could not be opened for writing + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoOutputFileError: + No outputfile was specified and this SSSDConfig object was not + initialized by import() + """ + if not self.initialized: + raise NotInitializedError + + if outputfile == None: + if(self.configfile == None): + raise NoOutputFileError + + outputfile = self.configfile + + # open() will raise IOError if it fails + old_umask = os.umask(0o177) + of = open(outputfile, "wb") + output = self.dump(self.opts).encode('utf-8') + of.write(output) + of.close() + os.umask(old_umask) + + def list_active_services(self): + """ + Return a list of all active services. + + === Returns === + The list of active services. + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. 
+ """ + if not self.initialized: + raise NotInitializedError + + if (self.has_option('sssd', 'services')): + active_services = striplist(self.get('sssd', 'services').split(',')) + service_dict = dict.fromkeys(active_services) + if '' in service_dict: + del service_dict[''] + + # Remove any entries in this list that don't + # correspond to an active service, for integrity + configured_services = self.list_services() + for srv in list(service_dict): + if srv not in configured_services: + del service_dict[srv] + + active_services = list(service_dict) + else: + active_services = [] + + return active_services + + def list_inactive_services(self): + """ + Return a list of all disabled services. + + === Returns === + The list of inactive services. + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + + if (self.has_option('sssd', 'services')): + active_services = striplist(self.get('sssd', 'services').split(',')) + else: + active_services = [] + + services = [x for x in self.list_services() + if x not in active_services] + return services + + def list_services(self): + """ + Retrieve a list of known services. + + === Returns === + The list of known services. + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + + service_list = [x['name'] for x in self.sections() + if not x['name'].startswith('domain') ] + return service_list + + def get_service(self, name): + """ + Get an SSSDService object to edit a service. + + name: + The name of the service to return. + + === Returns === + An SSSDService instance containing the current state of a service in + the SSSDConfig + + === Errors === + NoServiceError: + There is no such service with the specified name in the SSSDConfig. 
+ NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + if not self.has_section(name): + raise NoServiceError + + service = SSSDService(name, self.schema) + for opt in self.strip_comments_empty(self.options(name)): + try: + service.set_option(opt['name'], opt['value']) + except NoOptionError: + # If we come across an option that we don't recognize, + # we should just ignore it and continue + pass + + return service + + def new_service(self, name): + """ + Create a new service from the defaults and return the SSSDService + object for it. This function will also add this service to the list of + active services in the [SSSD] section. + + name: + The name of the service to create and return. + + === Returns === + The newly-created SSSDService object + + === Errors === + ServiceNotRecognizedError: + There is no such service in the schema. + ServiceAlreadyExistsError: + The service being created already exists in the SSSDConfig object. + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + if (self.has_section(name)): + raise ServiceAlreadyExists(name) + + service = SSSDService(name, self.schema) + self.save_service(service) + return service + + def activate_service(self, name): + """ + Activate a service + + name: + The name of the service to activate + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoServiceError: + There is no such service with the specified name in the SSSDConfig. 
+ """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_services(): + raise NoServiceError + + item = self.get_option_index('sssd', 'services')[1] + if not item: + self.set('sssd','services', name) + return + + # Turn the items into a set of dictionary keys + # This guarantees uniqueness and makes it easy + # to add a new value + service_dict = dict.fromkeys(striplist(item['value'].split(','))) + if '' in service_dict: + del service_dict[''] + + # Add a new key for the service being activated + service_dict[name] = None + + # Write out the joined keys + self.set('sssd','services', ", ".join(service_dict.keys())) + + def deactivate_service(self, name): + """ + Deactivate a service + + name: + The name of the service to deactivate + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoServiceError: + There is no such service with the specified name in the SSSDConfig. + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_services(): + raise NoServiceError + item = self.get_option_index('sssd', 'services')[1] + if not item: + self.set('sssd','services', '') + return + + # Turn the items into a set of dictionary keys + # This guarantees uniqueness and makes it easy + # to remove the one unwanted value. + service_dict = dict.fromkeys(striplist(item['value'].split(','))) + if '' in service_dict: + del service_dict[''] + + # Remove the unwanted service from the lest + if name in service_dict: + del service_dict[name] + + # Write out the joined keys + self.set('sssd','services', ", ".join(service_dict.keys())) + + def delete_service(self, name): + """ + Remove a service from the SSSDConfig object. This function will also + remove this service from the list of active services in the [SSSD] + section. Has no effect if the service does not exist. 
+ + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + self.delete_option('section', name) + + def save_service(self, service): + """ + Save the changes made to the service object back to the SSSDConfig + object. + + service_object: + The SSSDService object to save to the configuration. + + === Returns === + No return value + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + TypeError: + service_object was not of the type SSSDService + """ + if not self.initialized: + raise NotInitializedError + if not isinstance(service, SSSDService): + raise TypeError + + name = service.get_name() + # Ensure that the existing section is removed + # This way we ensure that we are getting a + # complete copy of the service. + # delete_option() is a noop if the section + # does not exist. + index = self.delete_option('section', name) + + addkw = [] + for option,value in service.get_all_options().items(): + if (type(value) == list): + value = ', '.join(value) + if option == "debug_level": + value = self._get_debug_level_val(value) + addkw.append( { 'type' : 'option', + 'name' : option, + 'value' : str(value) } ) + + self.add_section(name, addkw, index) + + def list_active_domains(self): + """ + Return a list of all active domains. + + === Returns === + The list of configured, active domains. + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. 
+ """ + if not self.initialized: + raise NotInitializedError + + if (self.has_option('sssd', 'domains')): + active_domains = striplist(self.get('sssd', 'domains').split(',')) + domain_dict = dict.fromkeys(active_domains) + if '' in domain_dict: + del domain_dict[''] + + # Remove any entries in this list that don't + # correspond to an active domain, for integrity + configured_domains = self.list_domains() + for dom in list(domain_dict): + if dom not in configured_domains: + del domain_dict[dom] + + active_domains = list(domain_dict) + else: + active_domains = [] + + return active_domains + + def list_inactive_domains(self): + """ + Return a list of all configured, but disabled domains. + + === Returns === + The list of configured, inactive domains. + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + + if (self.has_option('sssd', 'domains')): + active_domains = striplist(self.get('sssd', 'domains').split(',')) + else: + active_domains = [] + + domains = [x for x in self.list_domains() + if x not in active_domains] + return domains + + def list_domains(self): + """ + Return a list of all configured domains, including inactive domains. + + === Returns === + The list of configured domains, both active and inactive. + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + domains = [x['name'][7:] for x in self.sections() if x['name'].startswith('domain/')] + return domains + + def get_domain(self, name): + """ + Get an SSSDDomain object to edit a domain. + + name: + The name of the domain to return. 
+ + === Returns === + An SSSDDomain instance containing the current state of a domain in the + SSSDConfig + + === Errors === + NoDomainError: + There is no such domain with the specified name in the SSSDConfig. + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + if not self.has_section('domain/%s' % name): + raise NoDomainError(name) + + domain = SSSDDomain(name, self.schema) + + # Read in the providers first or we may have type + # errors trying to read in their options + providers = [ (x['name'],x['value']) for x in self.strip_comments_empty(self.options('domain/%s' % name)) + if x['name'].rfind('_provider') > 0] + + for (option, value) in providers: + try: + domain.set_option(option, value) + except NoOptionError: + # If we come across an option that we don't recognize, + # we should just ignore it and continue + pass + + # Read in all the options from the configuration + for opt in self.strip_comments_empty(self.options('domain/%s' % name)): + if (opt['name'], opt['value']) not in providers: + try: + domain.set_option(opt['name'], opt['value']) + except NoOptionError: + # If we come across an option that we don't recognize, + # we should just ignore it and continue + pass + + # Determine if this domain is currently active + domain.active = self.is_domain_active(name) + + return domain + + def new_domain(self, name): + """ + Create a new, empty domain and return the SSSDDomain object for it. + + name: + The name of the domain to create and return. + + === Returns === + The newly-created SSSDDomain object + + === Errors === + DomainAlreadyExistsError: + The service being created already exists in the SSSDConfig object. + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. 
+ """ + if not self.initialized: + raise NotInitializedError + if self.has_section('domain/%s' % name): + raise DomainAlreadyExistsError + + domain = SSSDDomain(name, self.schema) + self.save_domain(domain) + return domain + + def is_domain_active(self, name): + """ + Is a particular domain set active + + name: + The name of the configured domain to check + + === Returns === + True if the domain is active, False if it is inactive + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoDomainError: + No domain by this name is configured + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_domains(): + raise NoDomainError + + return name in self.list_active_domains() + + def activate_domain(self, name): + """ + Activate a configured domain + + name: + The name of the configured domain to activate + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. 
+ NoDomainError: + No domain by this name is configured + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_domains(): + raise NoDomainError + + item = self.get_option_index('sssd', 'domains')[1] + if not item: + self.set('sssd','domains', name) + return + + # Turn the items into a set of dictionary keys + # This guarantees uniqueness and makes it easy + # to add a new value + domain_dict = dict.fromkeys(striplist(item['value'].split(','))) + if '' in domain_dict: + del domain_dict[''] + + # Add a new key for the domain being activated + domain_dict[name] = None + + # Write out the joined keys + self.set('sssd','domains', ", ".join(domain_dict.keys())) + + def deactivate_domain(self, name): + """ + Deactivate a configured domain + + name: + The name of the configured domain to deactivate + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoDomainError: + No domain by this name is configured + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_domains(): + raise NoDomainError + item = self.get_option_index('sssd', 'domains')[1] + if not item: + self.set('sssd','domains', '') + return + + # Turn the items into a set of dictionary keys + # This guarantees uniqueness and makes it easy + # to remove the one unwanted value. + domain_dict = dict.fromkeys(striplist(item['value'].split(','))) + if '' in domain_dict: + del domain_dict[''] + + # Remove the unwanted domain from the lest + if name in domain_dict: + del domain_dict[name] + + # Write out the joined keys + self.set('sssd','domains', ", ".join(domain_dict.keys())) + + def delete_domain(self, name): + """ + Remove a domain from the SSSDConfig object. This function will also + remove this domain from the list of active domains in the [SSSD] + section, if it is there. 
+ + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + + # Remove the domain from the active domains list if applicable + self.deactivate_domain(name) + self.delete_option('section', 'domain/%s' % name) + + def save_domain(self, domain): + """ + Save the changes made to the domain object back to the SSSDConfig + object. If this domain is marked active, ensure it is present in the + active domain list in the [SSSD] section + + domain_object: + The SSSDDomain object to save to the configuration. + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + TypeError: + domain_object was not of type SSSDDomain + """ + if not self.initialized: + raise NotInitializedError + if not isinstance(domain, SSSDDomain): + raise TypeError + + name = domain.get_name() + + oldindex = None + if domain.oldname and domain.oldname != name: + # We are renaming this domain + # Remove the old section + + self.deactivate_domain(domain.oldname) + oldindex = self.delete_option('section', 'domain/%s' % + domain.oldname) + + # Reset the oldname, in case we're not done with + # this domain object. 
+ domain.oldname = None;
+
+ sectionname = 'domain/%s' % name
+ (no, section_subtree) = self.findOpts(self.opts, 'section', sectionname)
+
+ if name not in self.list_domains():
+ self.add_section(sectionname, []);
+
+ for option in self.options(sectionname):
+ if option['type'] == 'option':
+ if option['name'] not in domain.get_all_options():
+ self.delete_option_subtree(section_subtree['value'], 'option', option['name'], True)
+
+ for option,value in domain.get_all_options().items():
+ if (type(value) == list):
+ value = ', '.join(value)
+ if option == "debug_level":
+ value = self._get_debug_level_val(value)
+ self.set(sectionname, option, str(value))
+
+ if domain.active:
+ self.activate_domain(name)
+ else:
+ self.deactivate_domain(name)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
new file mode 100644
index 0000000..32b74e4
--- /dev/null
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -0,0 +1,2162 @@
+'''
+Created on Sep 18, 2009
+
+@author: sgallagh
+'''
+
+import os
+import gettext
+import re
+import sys
+from .ipachangeconf import SSSDChangeConf
+
+# Exceptions
+class SSSDConfigException(Exception): pass
+class ParsingError(Exception): pass
+class AlreadyInitializedError(SSSDConfigException): pass
+class NotInitializedError(SSSDConfigException): pass
+class NoOutputFileError(SSSDConfigException): pass
+class NoServiceError(SSSDConfigException): pass
+class NoSectionError(SSSDConfigException): pass
+class NoOptionError(SSSDConfigException): pass
+class ServiceNotRecognizedError(SSSDConfigException): pass
+class ServiceAlreadyExists(SSSDConfigException): pass
+class NoDomainError(SSSDConfigException): pass
+class DomainNotRecognized(SSSDConfigException): pass
+class DomainAlreadyExistsError(SSSDConfigException): pass
+class NoSuchProviderError(SSSDConfigException): pass
+class NoSuchProviderSubtypeError(SSSDConfigException): pass
+class ProviderSubtypeInUse(SSSDConfigException): pass
+
+PACKAGE = 'sss_daemon'
+LOCALEDIR = '/usr/share/locale'
+
+translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True)
+if sys.version_info[0] > 2:
+ _ = translation.gettext
+else:
+ _ = translation.ugettext
+
+# TODO: This needs to be made external
+option_strings = {
+ # [service]
+ 'debug' : _('Set the verbosity of the debug logging'),
+ 'debug_level' : _('Set the verbosity of the debug logging'),
+ 'debug_timestamps' : _('Include timestamps in debug logs'),
+ 'debug_microseconds' : _('Include microseconds in timestamps in debug logs'),
+ 'debug_to_files' : _('Write debug messages to logfiles'),
+ 'timeout' : _('Watchdog timeout before restarting service'),
+ 'command' : _('Command to start service'),
+ 'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
+ 'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
+ 'client_idle_timeout' : _('Idle time before automatic disconnection of
a client'),
+ 'responder_idle_timeout' : _('Idle time before automatic shutdown of the responder'),
+ 'cache_first': _('Always query all the caches before querying the Data Providers'),
+
+ # [sssd]
+ 'services' : _('SSSD Services to start'),
+ 'domains' : _('SSSD Domains to start'),
+ 'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
+ 're_expression' : _('Regex to parse username and domain'),
+ 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
+ 'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
+ 'default_domain_suffix' : _('Domain to add to names without a domain component.'),
+ 'user' : _('The user to drop privileges to'),
+ 'certificate_verification' : _('Tune certificate verification'),
+ 'override_space': _('All spaces in group or user names will be replaced with this character'),
+ 'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
+ 'enable_files_domain' : _('Enable or disable the implicit files domain'),
+ 'domain_resolution_order': _('A specific order of the domains to be looked up'),
+
+ # [nss]
+ 'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
+ 'entry_cache_no_wait_timeout' : _('Entry cache background update timeout length (seconds)'),
+ 'entry_negative_timeout' : _('Negative cache timeout length (seconds)'),
+ 'local_negative_timeout' : _('Files negative cache timeout length (seconds)'),
+ 'filter_users' : _('Users that SSSD should explicitly ignore'),
+ 'filter_groups' : _('Groups that SSSD should explicitly ignore'),
+ 'filter_users_in_groups' : _('Should filtered users appear in groups'),
+ 'pwfield' : _('The value of the password field the NSS provider should return'),
+ 'override_homedir' : _('Override homedir value from the identity provider with this value'),
+ 'fallback_homedir' : _('Substitute empty homedir value from the identity provider with this value'),
+ 'override_shell':
_('Override shell value from the identity provider with this value'),
+ 'allowed_shells' : _('The list of shells users are allowed to log in with'),
+ 'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
+ 'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
+ 'default_shell': _('Shell to use if the provider does not list one'),
+ 'memcache_timeout': _('How long will be in-memory cache records valid'),
+ 'user_attributes': _('List of user attributes the NSS responder is allowed to publish'),
+
+ # [pam]
+ 'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
+ 'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
+ 'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
+ 'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
+ 'pam_response_filter' : _('Filter PAM responses sent to the pam_sss'),
+ 'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
+ 'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
+ 'pam_trusted_users' : _('List of trusted uids or user\'s name'),
+ 'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
+ 'pam_account_expired_message' : _('Message printed when user account is expired.'),
+ 'pam_account_locked_message' : _('Message printed when user account is locked.'),
+ 'pam_cert_auth' : _('Allow certificate based/Smartcard authentication.'),
+ 'pam_cert_db_path' : _('Path to certificate database with PKCS#11 modules.'),
+ 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
+ 'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
+
+ # [sudo]
+
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
+ 'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
+ 'sudo_threshold' : _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh is performed.'),
+
+ # [autofs]
+ 'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
+
+ # [ssh]
+ 'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
+ 'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys were requested'),
+ 'ca_db': _('Path to storage of trusted CA certificates'),
+
+ # [pac]
+ 'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
+ 'pac_lifetime': _('How long the PAC data is considered valid'),
+
+ # [ifp]
+ 'allowed_uids': _('List of UIDs or user names allowed to access the InfoPipe responder'),
+ 'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'),
+
+ # [secrets]
+ 'provider': _('The provider where the secrets will be stored in'),
+ 'containers_nest_level': _('The maximum allowed number of nested containers'),
+ 'max_secrets': _('The maximum number of secrets that can be stored'),
+ 'max_uid_secrets': _('The maximum number of secrets that can be stored per UID'),
+ 'max_payload_size': _('The maximum payload size of a secret in kilobytes'),
+ # secrets - proxy
+ 'proxy_url': _('The URL Custodia server is listening on'),
+ 'auth_type': _('The method to use when authenticating to a Custodia server'),
+ 'auth_header_name': _('The name of the headers that will be added into a HTTP request with the value defined in auth_header_value'),
+ 'auth_header_value': _('The value sssd-secrets would use for auth_header_name'),
+ 'forward_headers': _('The list of the headers to forward to the Custodia server together with the request'),
+ 'username': _('The username to use when authenticating to a
Custodia server using basic_auth'),
+ 'password': _('The password to use when authenticating to a Custodia server using basic_auth'),
+ 'verify_peer': _('If true peer\'s certificate is verified if proxy_url uses https protocol'),
+ 'verify_host': _('If false peer\'s certificate may contain different hostname than proxy_url when https protocol is used'),
+ 'capath': _('Path to directory where certificate authority certificates are stored'),
+ 'cacert': _('Path to file containing server\'s CA certificate'),
+ 'cert': _('Path to file containing client\'s certificate'),
+ 'key': _('Path to file containing client\'s private key'),
+
+ # [provider]
+ 'id_provider' : _('Identity provider'),
+ 'auth_provider' : _('Authentication provider'),
+ 'access_provider' : _('Access control provider'),
+ 'chpass_provider' : _('Password change provider'),
+ 'sudo_provider' : _('SUDO provider'),
+ 'autofs_provider' : _('Autofs provider'),
+ 'hostid_provider' : _('Host identity provider'),
+ 'selinux_provider' : _('SELinux provider'),
+ 'session_provider' : _('Session management provider'),
+
+ # [domain]
+ 'domain_type' : _('Whether the domain is usable by the OS or by applications'),
+ 'min_id' : _('Minimum user ID'),
+ 'max_id' : _('Maximum user ID'),
+ 'enumerate' : _('Enable enumerating all users/groups'),
+ 'cache_credentials' : _('Cache credentials for offline login'),
+ 'store_legacy_passwords' : _('Store password hashes'),
+ 'use_fully_qualified_names' : _('Display users/groups in fully-qualified form'),
+ 'ignore_group_members' : _('Don\'t include group members in group lookups'),
+ 'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
+ 'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
+ 'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
+ 'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
+
'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
+ 'override_gid' : _('Override GID value from the identity provider with this value'),
+ 'case_sensitive' : _('Treat usernames as case sensitive'),
+ 'entry_cache_user_timeout' : _('Entry cache timeout length (seconds)'),
+ 'entry_cache_group_timeout' : _('Entry cache timeout length (seconds)'),
+ 'entry_cache_netgroup_timeout' : _('Entry cache timeout length (seconds)'),
+ 'entry_cache_service_timeout' : _('Entry cache timeout length (seconds)'),
+ 'entry_cache_autofs_timeout' : _('Entry cache timeout length (seconds)'),
+ 'entry_cache_sudo_timeout' : _('Entry cache timeout length (seconds)'),
+ 'refresh_expired_interval' : _('How often should expired entries be refreshed in background'),
+ 'dyndns_update' : _("Whether to automatically update the client's DNS entry"),
+ 'dyndns_ttl' : _("The TTL to apply to the client's DNS entry after updating it"),
+ 'dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
+ 'dyndns_refresh_interval' : _("How often to periodically update the client's DNS entry"),
+ 'dyndns_update_ptr' : _("Whether the provider should explicitly update the PTR record as well"),
+ 'dyndns_force_tcp' : _("Whether the nsupdate utility should default to using TCP"),
+ 'dyndns_auth' : _("What kind of authentication should be used to perform the DNS update"),
+ 'dyndns_server' : _("Override the DNS server used to perform the DNS update"),
+ 'subdomain_enumerate' : _('Control enumeration of trusted domains'),
+ 'subdomain_refresh_interval' : _('How often should subdomains list be refreshed'),
+ 'subdomain_inherit' : _('List of options that should be inherited into a subdomain'),
+ 'subdomain_homedir' : _('Default subdomain homedir value'),
+ 'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'),
+ 'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
+ 're_expression' :
_('Regex to parse username and domain'),
+ 'auto_private_groups' : _('Whether to automatically create private groups for users'),
+
+ # [provider/ipa]
+ 'ipa_domain' : _('IPA domain'),
+ 'ipa_server' : _('IPA server address'),
+ 'ipa_backup_server' : _('Address of backup IPA server'),
+ 'ipa_hostname' : _('IPA client hostname'),
+ 'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
+ 'ipa_dyndns_ttl' : _("The TTL to apply to the client's DNS entry after updating it"),
+ 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
+ 'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
+ 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
+ 'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"),
+ 'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
+ 'ipa_automount_location' : _("The automounter location this IPA client is using"),
+ 'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
+ 'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
+ 'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
+ 'ipa_views_search_base': _("Search base for view containers"),
+ 'ipa_view_class': _("Objectclass for view containers"),
+ 'ipa_view_name': _("Attribute with the name of the view"),
+ 'ipa_override_object_class': _("Objectclass for override objects"),
+ 'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
+ 'ipa_user_override_object_class': _("Objectclass for user override objects"),
+ 'ipa_group_override_object_class': _("Objectclass for group override objects"),
+ 'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
+ 'ipa_deskprofile_refresh': _("The amount of time in seconds
between lookups of the Desktop Profile rules against the IPA server"),
+ 'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles rules against the IPA server when the last request did not find any rule"),
+
+ # [provider/ad]
+ 'ad_domain' : _('Active Directory domain'),
+ 'ad_enabled_domains' : _('Enabled Active Directory domains'),
+ 'ad_server' : _('Active Directory server address'),
+ 'ad_backup_server' : _('Active Directory backup server address'),
+ 'ad_hostname' : _('Active Directory client hostname'),
+ 'ad_enable_dns_sites' : _('Enable DNS sites - location based service discovery'),
+ 'ad_access_filter' : _('LDAP filter to determine access privileges'),
+ 'ad_enable_gc' : _('Whether to use the Global Catalog for lookups'),
+ 'ad_gpo_access_control' : _('Operation mode for GPO-based access control'),
+ 'ad_gpo_cache_timeout' : _("The amount of time between lookups of the GPO policy files against the AD server"),
+ 'ad_gpo_map_interactive' : _('PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings'),
+ 'ad_gpo_map_remote_interactive' : _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings'),
+ 'ad_gpo_map_network' : _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
+ 'ad_gpo_map_batch' : _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
+ 'ad_gpo_map_service' : _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
+ 'ad_gpo_map_permit' : _('PAM service names for which GPO-based access is always granted'),
+ 'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
+ 'ad_gpo_default_right' : _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
+ 'ad_site' : _('a particular site to be used by the client'),
+ 'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine
account password should be renewed'),
+ 'ad_machine_account_password_renewal_opts' : _('Option for tuning the machine account renewal task'),
+
+ # [provider/krb5]
+ 'krb5_kdcip' : _('Kerberos server address'),
+ 'krb5_server' : _('Kerberos server address'),
+ 'krb5_backup_server' : _('Kerberos backup server address'),
+ 'krb5_realm' : _('Kerberos realm'),
+ 'krb5_auth_timeout' : _('Authentication timeout'),
+ 'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
+ 'krb5_confd_path' : _('Where to drop krb5 config snippets'),
+
+ # [provider/krb5/auth]
+ 'krb5_ccachedir' : _('Directory to store credential caches'),
+ 'krb5_ccname_template' : _("Location of the user's credential cache"),
+ 'krb5_keytab' : _("Location of the keytab to validate credentials"),
+ 'krb5_validate' : _("Enable credential validation"),
+ 'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
+ 'krb5_renewable_lifetime' : _("Renewable lifetime of the TGT"),
+ 'krb5_lifetime' : _("Lifetime of the TGT"),
+ 'krb5_renew_interval' : _("Time between two checks for renewal"),
+ 'krb5_use_fast' : _("Enables FAST"),
+ 'krb5_fast_principal' : _("Selects the principal to use for FAST"),
+ 'krb5_canonicalize' : _("Enables principal canonicalization"),
+ 'krb5_use_enterprise_principal' : _("Enables enterprise principals"),
+ 'krb5_map_user' : _('A mapping from user names to Kerberos principal names'),
+
+ # [provider/krb5/chpass]
+ 'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
+ 'krb5_backup_kpasswd' : _('Server where the change password service is running if not on the KDC'),
+
+ # [provider/ldap]
+ 'ldap_uri' : _('ldap_uri, The URI of the LDAP server'),
+ 'ldap_backup_uri' : _('ldap_backup_uri, The URI of the LDAP server'),
+ 'ldap_search_base' : _('The default base DN'),
+ 'ldap_schema' : _('The Schema Type in use on the LDAP server, rfc2307'),
+ 'ldap_default_bind_dn' : _('The default bind DN'),
+
'ldap_default_authtok_type' : _('The type of the authentication token of the default bind DN'),
+ 'ldap_default_authtok' : _('The authentication token of the default bind DN'),
+ 'ldap_network_timeout' : _('Length of time to attempt connection'),
+ 'ldap_opt_timeout' : _('Length of time to attempt synchronous LDAP operations'),
+ 'ldap_offline_timeout' : _('Length of time between attempts to reconnect while offline'),
+ 'ldap_force_upper_case_realm' : _('Use only the upper case for realm names'),
+ 'ldap_tls_cacert' : _('File that contains CA certificates'),
+ 'ldap_tls_cacertdir' : _('Path to CA certificate directory'),
+ 'ldap_tls_cert' : _('File that contains the client certificate'),
+ 'ldap_tls_key' :_('File that contains the client key'),
+ 'ldap_tls_cipher_suite' :_('List of possible ciphers suites'),
+ 'ldap_tls_reqcert' : _('Require TLS certificate verification'),
+ 'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
+ 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
+ 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
+ 'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
+ 'ldap_krb5_keytab' : _('Kerberos service keytab'),
+ 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
+ 'ldap_referrals' : _('Follow LDAP referrals'),
+ 'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
+ 'ldap_deref' : _('How to dereference aliases'),
+ 'ldap_dns_service_name' : _('Service name for DNS service lookups'),
+ 'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'),
+ 'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'),
+ 'ldap_sasl_canonicalize' : _('Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind'),
+
+ 'ldap_entry_usn' : _('entryUSN attribute'),
+ 'ldap_rootdse_last_usn' : _('lastUSN attribute'),
+
+
'ldap_connection_expiration_timeout' : _('How long to retain a connection to the LDAP server before disconnecting'),
+
+ 'ldap_disable_paging' : _('Disable the LDAP paging control'),
+ 'ldap_disable_range_retrieval' : _('Disable Active Directory range retrieval'),
+
+ # [provider/ldap/id]
+ 'ldap_search_timeout' : _('Length of time to wait for a search request'),
+ 'ldap_enumeration_search_timeout' : _('Length of time to wait for a enumeration request'),
+ 'ldap_enumeration_refresh_timeout' : _('Length of time between enumeration updates'),
+ 'ldap_purge_cache_timeout' : _('Length of time between cache cleanups'),
+ 'ldap_id_use_start_tls' : _('Require TLS for ID lookups'),
+ 'ldap_id_mapping' : _('Use ID-mapping of objectSID instead of pre-set IDs'),
+ 'ldap_user_search_base' : _('Base DN for user lookups'),
+ 'ldap_user_search_scope' : _('Scope of user lookups'),
+ 'ldap_user_search_filter' : _('Filter for user lookups'),
+ 'ldap_user_object_class' : _('Objectclass for users'),
+ 'ldap_user_name' : _('Username attribute'),
+ #not used # 'ldap_user_pwd' :_('Password attribute'),
+ 'ldap_user_uid_number' : _('UID attribute'),
+ 'ldap_user_gid_number' : _('Primary GID attribute'),
+ 'ldap_user_gecos' : _('GECOS attribute'),
+ 'ldap_user_home_directory' : _('Home directory attribute'),
+ 'ldap_user_shell' : _('Shell attribute'),
+ 'ldap_user_uuid' : _('UUID attribute'),
+ 'ldap_user_objectsid' : _("objectSID attribute"),
+ 'ldap_user_primary_group' : _('Active Directory primary group attribute for ID-mapping'),
+ 'ldap_user_principal' : _('User principal attribute (for Kerberos)'),
+ 'ldap_user_fullname' : _('Full Name'),
+ 'ldap_user_member_of' : _('memberOf attribute'),
+ 'ldap_user_modify_timestamp' : _('Modification time attribute'),
+ #replaced by ldap_entry_usn# 'ldap_user_entry_usn' : _('entryUSN attribute'),
+ 'ldap_user_shadow_last_change' : _('shadowLastChange attribute'),
+ 'ldap_user_shadow_min' : _('shadowMin attribute'),
+ 'ldap_user_shadow_max' :
_('shadowMax attribute'),
+ 'ldap_user_shadow_warning' : _('shadowWarning attribute'),
+ 'ldap_user_shadow_inactive' : _('shadowInactive attribute'),
+ 'ldap_user_shadow_expire' : _('shadowExpire attribute'),
+ 'ldap_user_shadow_flag' : _('shadowFlag attribute'),
+ 'ldap_user_authorized_service' : _('Attribute listing authorized PAM services'),
+ 'ldap_user_authorized_host' : _('Attribute listing authorized server hosts'),
+ 'ldap_user_authorized_rhost' : _('Attribute listing authorized server rhosts'),
+ 'ldap_user_krb_last_pwd_change' : _('krbLastPwdChange attribute'),
+ 'ldap_user_krb_password_expiration' : _('krbPasswordExpiration attribute'),
+ 'ldap_pwd_attribute' : _('Attribute indicating that server side password policies are active'),
+ 'ldap_user_ad_account_expires' : _('accountExpires attribute of AD'),
+ 'ldap_user_ad_user_account_control' : _('userAccountControl attribute of AD'),
+ 'ldap_ns_account_lock' : _('nsAccountLock attribute'),
+ 'ldap_user_nds_login_disabled' : _('loginDisabled attribute of NDS'),
+ 'ldap_user_nds_login_expiration_time' : _('loginExpirationTime attribute of NDS'),
+ 'ldap_user_nds_login_allowed_time_map' : _('loginAllowedTimeMap attribute of NDS'),
+ 'ldap_user_ssh_public_key' : _('SSH public key attribute'),
+ 'ldap_user_auth_type' : _('attribute listing allowed authentication types for a user'),
+ 'ldap_user_certificate' : _('attribute containing the X509 certificate of the user'),
+ 'ldap_user_email' : _('attribute containing the email address of the user'),
+
+ 'ldap_user_extra_attrs' : _('A list of extra attributes to download along with the user entry'),
+
+ 'ldap_group_search_base' : _('Base DN for group lookups'),
+ # not used # 'ldap_group_search_scope' : _('Scope of group lookups'),
+ # not used # 'ldap_group_search_filter' : _('Filter for group lookups'),
+ 'ldap_group_object_class' : _('Objectclass for groups'),
+ 'ldap_group_name' : _('Group name'),
+ 'ldap_group_pwd' : _('Group password'),
+
'ldap_group_gid_number' : _('GID attribute'),
+ 'ldap_group_member' : _('Group member attribute'),
+ 'ldap_group_uuid' : _('Group UUID attribute'),
+ 'ldap_group_objectsid' : _("objectSID attribute"),
+ 'ldap_group_modify_timestamp' : _('Modification time attribute for groups'),
+ 'ldap_group_type' : _('Type of the group and other flags'),
+ 'ldap_group_external_member' : _('The LDAP group external member attribute'),
+ #replaced by ldap_entry_usn# 'ldap_group_entry_usn' : _('entryUSN attribute'),
+ 'ldap_group_nesting_level' : _('Maximum nesting level SSSD will follow'),
+
+ 'ldap_netgroup_search_base' : _('Base DN for netgroup lookups'),
+ 'ldap_netgroup_object_class' : _('Objectclass for netgroups'),
+ 'ldap_netgroup_name' : _('Netgroup name'),
+ 'ldap_netgroup_member' : _('Netgroups members attribute'),
+ 'ldap_netgroup_triple' : _('Netgroup triple attribute'),
+ 'ldap_netgroup_modify_timestamp' : _('Modification time attribute for netgroups'),
+
+ 'ldap_service_search_base' : _('Base DN for service lookups'),
+ 'ldap_service_object_class' : _('Objectclass for services'),
+ 'ldap_service_name' : _('Service name attribute'),
+ 'ldap_service_port' : _('Service port attribute'),
+ 'ldap_service_proto' : _('Service protocol attribute'),
+ #replaced by ldap_entry_usn# 'ldap_service_entry_usn' : _('Service entryUSN attribute'),
+
+ 'ldap_idmap_range_min' : _('Lower bound for ID-mapping'),
+ 'ldap_idmap_range_max' : _('Upper bound for ID-mapping'),
+ 'ldap_idmap_range_size' : _('Number of IDs for each slice when ID-mapping'),
+ 'ldap_idmap_autorid_compat' : _('Use autorid-compatible algorithm for ID-mapping'),
+ 'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
+ 'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
+ 'ldap_idmap_helper_table_size' : _('Number of secondary slices'),
+
+ 'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
+
'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
+ 'ldap_use_tokengroups' : _('Whether to use Token-Groups'),
+ 'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
+ 'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
+ 'ldap_pwdlockout_dn' : _('DN for ppolicy queries'),
+ 'wildcard_limit' : _('How many maximum entries to fetch during a wildcard request'),
+
+ # [provider/ldap/auth]
+ 'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
+
+ # [provider/ldap/access]
+ 'ldap_access_filter' : _('LDAP filter to determine access privileges'),
+ 'ldap_account_expire_policy' : _('Which attributes shall be used to evaluate if an account is expired'),
+ 'ldap_access_order' : _('Which rules should be used to evaluate access control'),
+
+ # [provider/ldap/chpass]
+ 'ldap_chpass_uri' : _('URI of an LDAP server where password changes are allowed'),
+ 'ldap_chpass_backup_uri' : _('URI of a backup LDAP server where password changes are allowed'),
+ 'ldap_chpass_dns_service_name' : _('DNS service name for LDAP password change server'),
+ 'ldap_chpass_update_last_change' : _('Whether to update the ldap_user_shadow_last_change attribute after a password change'),
+
+ # [provider/ldap/sudo]
+ 'ldap_sudo_search_base' : _('Base DN for sudo rules lookups'),
+ 'ldap_sudo_full_refresh_interval' : _('Automatic full refresh period'),
+ 'ldap_sudo_smart_refresh_interval' : _('Automatic smart refresh period'),
+ 'ldap_sudo_use_host_filter' : _('Whether to filter rules by hostname, IP addresses and network'),
+ 'ldap_sudo_hostnames' : _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
+ 'ldap_sudo_ip' : _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
+ 'ldap_sudo_include_netgroups' : _('Whether to include rules that contains netgroup in host attribute'),
+ 'ldap_sudo_include_regexp' : _('Whether to
include rules that contains regular expression in host attribute'),
+ 'ldap_sudorule_object_class' : _('Object class for sudo rules'),
+ 'ldap_sudorule_name' : _('Sudo rule name'),
+ 'ldap_sudorule_command' : _('Sudo rule command attribute'),
+ 'ldap_sudorule_host' : _('Sudo rule host attribute'),
+ 'ldap_sudorule_user' : _('Sudo rule user attribute'),
+ 'ldap_sudorule_option' : _('Sudo rule option attribute'),
+ 'ldap_sudorule_runas' : _('Sudo rule runas attribute'),
+ 'ldap_sudorule_runasuser' : _('Sudo rule runasuser attribute'),
+ 'ldap_sudorule_runasgroup' : _('Sudo rule runasgroup attribute'),
+ 'ldap_sudorule_notbefore' : _('Sudo rule notbefore attribute'),
+ 'ldap_sudorule_notafter' : _('Sudo rule notafter attribute'),
+ 'ldap_sudorule_order' : _('Sudo rule order attribute'),
+
+ # [provider/ldap/autofs]
+ 'ldap_autofs_map_object_class' : _('Object class for automounter maps'),
+ 'ldap_autofs_map_name' : _('Automounter map name attribute'),
+ 'ldap_autofs_entry_object_class' : _('Object class for automounter map entries'),
+ 'ldap_autofs_entry_key' : _('Automounter map entry key attribute'),
+ 'ldap_autofs_entry_value' : _('Automounter map entry value attribute'),
+ 'ldap_autofs_search_base' : _('Base DN for automounter map lookups'),
+
+ # [provider/simple/access]
+ 'simple_allow_users' : _('Comma separated list of allowed users'),
+ 'simple_deny_users' : _('Comma separated list of prohibited users'),
+
+ # [provider/local/id]
+ 'default_shell' : _('Default shell, /bin/bash'),
+ 'base_directory' : _('Base for home directories'),
+
+ # [provider/proxy]
+ 'proxy_max_children' : _('The number of preforked proxy children.'),
+
+ # [provider/proxy/id]
+ 'proxy_lib_name' : _('The name of the NSS library to use'),
+ 'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
+
+ # [provider/proxy/auth]
+ 'proxy_pam_target' : _('PAM stack to use'),
+
+ # [provider/files]
+ 'passwd_files' : _('Path of passwd file sources.'),
+
'group_files' : _('Path of group file sources.')
+}
+
+def striplist(l):
+ return([x.strip() for x in l])
+
+def options_overlap(options1, options2):
+ overlap = []
+ for option in options1:
+ if option in options2:
+ overlap.append(option)
+ return overlap
+
+class SSSDConfigSchema(SSSDChangeConf):
+ def __init__(self, schemafile, schemaplugindir):
+ SSSDChangeConf.__init__(self)
+ #TODO: get these from a global setting
+ if not schemafile:
+ schemafile = '@datadir@/sssd/sssd.api.conf'
+ if not schemaplugindir:
+ schemaplugindir = '@datadir@/sssd/sssd.api.d'
+
+ try:
+ #Read the primary config file
+ fd = open(schemafile, 'r')
+ self.readfp(fd)
+ fd.close()
+ # Read in the provider files
+ for file in filter(lambda f: re.search(r'^sssd-.*\.conf$', f),
+ os.listdir(schemaplugindir)):
+ fd = open(schemaplugindir+ "/" + file)
+ self.readfp(fd)
+ fd.close()
+ except IOError:
+ raise
+ except SyntaxError: # can be raised with readfp
+ raise ParsingError
+
+ # Set up lookup table for types
+ self.type_lookup = {
+ 'bool' : bool,
+ 'int' : int,
+ 'long' : long if sys.version_info[0] == 2 else int,
+ 'float': float,
+ 'str' : str,
+ 'list' : list,
+ 'None' : None
+ }
+
+ # Lookup table for acceptable boolean values
+ self.bool_lookup = {
+ 'false' : False,
+ 'true' : True,
+ }
+
+ def get_options(self, section):
+ if not self.has_section(section):
+ raise NoSectionError
+ options = self.options(section)
+
+ # Indexes
+ PRIMARY_TYPE = 0
+ SUBTYPE = 1
+ MANDATORY = 2
+ DEFAULT = 3
+
+ # Parse values
+ parsed_options = {}
+ for option in self.strip_comments_empty(options):
+ unparsed_option = option['value']
+ split_option = striplist(unparsed_option.split(','))
+ optionlen = len(split_option)
+
+ primarytype = self.type_lookup[split_option[PRIMARY_TYPE]]
+ subtype = self.type_lookup[split_option[SUBTYPE]]
+ mandatory = self.bool_lookup[split_option[MANDATORY]]
+
+ if option['name'] in option_strings:
+ desc = option_strings[option['name']]
+ else:
+ desc = None
+
+ if
optionlen == 3:
+ # This option has no defaults
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ None)
+ elif optionlen == 4:
+ if type(split_option[DEFAULT]) == primarytype:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ split_option[DEFAULT])
+ elif primarytype == list:
+ if (type(split_option[DEFAULT]) == subtype):
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ [split_option[DEFAULT]])
+ else:
+ try:
+ if subtype == bool and \
+ type(split_option[DEFAULT]) == str:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ [self.bool_lookup[split_option[DEFAULT].lower()]])
+ else:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ [subtype(split_option[DEFAULT])])
+ except ValueError:
+ raise ParsingError
+ else:
+ try:
+ if primarytype == bool and \
+ type(split_option[DEFAULT]) == str:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ self.bool_lookup[split_option[DEFAULT].lower()])
+ else:
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ primarytype(split_option[DEFAULT]))
+ except ValueError:
+ raise ParsingError
+
+ elif optionlen > 4:
+ if (primarytype != list):
+ raise ParsingError
+ fixed_options = []
+ for x in split_option[DEFAULT:]:
+ if type(x) != subtype:
+ try:
+ if (subtype == bool and type(x) == str):
+ newvalue = self.bool_lookup[x.lower()]
+ else:
+ newvalue = subtype(x)
+ fixed_options.extend([newvalue])
+ except ValueError:
+ raise ParsingError
+ else:
+ fixed_options.extend([x])
+ parsed_options[option['name']] = \
+ (primarytype,
+ subtype,
+ mandatory,
+ desc,
+ fixed_options)
+ else:
+ # Bad config file
+ raise ParsingError
+
+ return parsed_options
+
+ def get_option(self, section, option):
+ if not self.has_section(section):
+ raise NoSectionError(section)
+ if not
self.has_option(section, option):
+ raise NoOptionError("Section [%s] has no option [%s]" %
+ (section, option))
+
+ return self.get_options(section)[option]
+
+ def get_defaults(self, section):
+ if not self.has_section(section):
+ raise NoSectionError(section)
+
+ schema_options = self.get_options(section)
+ defaults = dict([(x,schema_options[x][4])
+ for x in schema_options.keys()
+ if schema_options[x][4] != None])
+
+ return defaults
+
+ def get_services(self):
+ service_list = [x['name'] for x in self.sections()
+ if x['name'] != 'service' and
+ not x['name'].startswith('domain') and
+ not x['name'].startswith('provider')]
+ return service_list
+
+ def get_providers(self):
+ providers = {}
+ for section in self.sections():
+ splitsection = section['name'].split('/')
+ if (splitsection[0] == 'provider'):
+ if(len(splitsection) == 3):
+ if splitsection[1] not in providers:
+ providers[splitsection[1]] = []
+ providers[splitsection[1]].extend([splitsection[2]])
+ for key in providers.keys():
+ providers[key] = tuple(providers[key])
+ return providers
+
+class SSSDConfigObject(object):
+ def __init__(self):
+ self.name = None
+ self.options = {}
+
+ def get_name(self):
+ """
+ Return the name of the object
+
+ === Returns ===
+ The domain name
+
+ === Errors ===
+ No errors
+ """
+ return self.name
+
+ def get_option(self, optionname):
+ """
+ Return the value of an service option
+
+ optionname:
+ The option to get.
+
+ === Returns ===
+ The value for the requested option.
+
+ === Errors ===
+ NoOptionError:
+ The specified option was not listed in the service
+ """
+ if optionname in self.options.keys():
+ return self.options[optionname]
+ raise NoOptionError(optionname)
+
+ def get_all_options(self):
+ """
+ Return a dictionary of name/value pairs for this object
+
+ === Returns ===
+ A dictionary of name/value pairs currently in use for this object
+
+ === Errors ===
+ No errors
+ """
+ return self.options
+
+ def remove_option(self, optionname):
+ """
+ Remove an option from the object. If the option does not exist, it is ignored.
+
+ === Returns ===
+ No return value.
+
+ === Errors ===
+ No errors
+ """
+ if optionname in self.options:
+ del self.options[optionname]
+
+class SSSDService(SSSDConfigObject):
+ '''
+ Object to manipulate SSSD service options
+ '''
+
+ def __init__(self, servicename, apischema):
+ """
+ Create a new SSSDService, setting its defaults to those found in the
+ schema. This constructor should not be used directly. Use
+ SSSDConfig.new_service() instead.
+
+ name:
+ The service name
+ apischema:
+ An SSSDConfigSchema? object created by SSSDConfig.__init__()
+
+ === Returns ===
+ The newly-created SSSDService object.
+
+ === Errors ===
+ TypeError:
+ The API schema passed in was unusable or the name was not a string.
+ ServiceNotRecognizedError:
+ The service was not listed in the schema
+ """
+ SSSDConfigObject.__init__(self)
+
+ if not isinstance(apischema, SSSDConfigSchema) or type(servicename) != str:
+ raise TypeError
+
+ if not apischema.has_section(servicename):
+ raise ServiceNotRecognizedError(servicename)
+
+ self.name = servicename
+ self.schema = apischema
+
+ # Set up the service object with any known defaults
+ self.options = {}
+
+ # Include a list of hidden options
+ self.hidden_options = []
+
+ # Set up default options for all services
+ self.options.update(self.schema.get_defaults('service'))
+
+ # Set up default options for this service
+ self.options.update(self.schema.get_defaults(self.name))
+
+ def list_options_with_mandatory(self):
+ """
+ List options for the service, including the mandatory flag.
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), whether it is mandatory, the
+ translated option description, and the default value (or 'None') as
+ the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, False, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = {}
+
+ # Get the list of available options for all services
+ schema_options = self.schema.get_options('service')
+ options.update(schema_options)
+
+ schema_options = self.schema.get_options(self.name)
+ options.update(schema_options)
+
+ return options
+
+ def list_options(self):
+ """
+ List all options that apply to this service
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'services' :
+ (list, str, u'SSSD Services to start', ['nss', 'pam']) }
+
+ === Errors ===
+ No Errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def list_mandatory_options(self):
+ """
+ List all mandatory options that apply to this service
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'services' :
+ (list, str, u'SSSD Services to start', ['nss', 'pam']) }
+
+ === Errors ===
+ No Errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ if options[key][2]:
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def set_option(self, optionname, value):
+ """
+ Set a service option to the specified value (or values)
+
+ optionname:
+ The option to change
+ value:
+ The value to set. This may be a single value or a list of values. If
+ it is set to None, it resets the option to its default.
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ NoOptionError:
+ The specified option is not listed in the schema
+ TypeError:
+ The value specified was not of the expected type
+ """
+ if self.schema.has_option(self.name, optionname):
+ option_schema = self.schema.get_option(self.name, optionname)
+ elif self.schema.has_option('service', optionname):
+ option_schema = self.schema.get_option('service', optionname)
+ elif optionname in self.hidden_options:
+ # Set this option and do not add it to the list of changeable values
+ self.options[optionname] = value
+ return
+ else:
+ raise NoOptionError('Section [%s] has no option [%s]' % (self.name, optionname))
+
+ if value == None:
+ self.remove_option(optionname)
+ return
+
+ raise_error = False
+
+ # If we were expecting a list and didn't get one,
+ # Create a list with a single entry. If it's the
+ # wrong subtype, it will fail below
+ if option_schema[0] == list and type(value) != list:
+ if type(value) == str:
+ value = striplist(value.split(','))
+ else:
+ value = [value]
+
+ if type(value) != option_schema[0]:
+ # If it's possible to convert it, do so
+ try:
+ if option_schema[0] == bool and type(value) == str:
+ value = self.schema.bool_lookup[value.lower()]
+ elif option_schema[0] == int and type(value) == str:
+ # Make sure we handle any reasonable base
+ value = int(value, 0)
+ else:
+ value = option_schema[0](value)
+ except ValueError:
+ raise_error = True
+ except KeyError:
+ raise_error = True
+
+ if raise_error:
+ raise TypeError('Expected %s for %s, received %s' %
+ (option_schema[0], optionname, type(value)))
+
+ if type(value) == list:
+ # Iterate through the list an ensure that all members
+ # are of the appropriate subtype
+ try:
+ newvalue = []
+ for x in value:
+ if option_schema[1] == bool and \
+ type(x) == str:
+ newvalue.extend([self.schema.bool_lookup[x.lower()]])
+ else:
+ newvalue.extend([option_schema[1](x)])
+ except ValueError:
+ raise_error = True
+ except KeyError:
+
raise_error = True
+
+ if raise_error:
+ raise TypeError('Expected %s' % option_schema[1])
+
+ value = newvalue
+
+ self.options[optionname] = value
+
+class SSSDDomain(SSSDConfigObject):
+ """
+ Object to manipulate SSSD domain options
+ """
+ def __init__(self, domainname, apischema):
+ """
+ Creates a new, empty SSSDDomain. This domain is inactive by default.
+ This constructor should not be used directly. Use
+ SSSDConfig.new_domain() instead.
+
+ name:
+ The domain name.
+ apischema:
+ An SSSDConfigSchema object created by SSSDConfig.__init__()
+
+ === Returns ===
+ The newly-created SSSDDomain object.
+
+ === Errors ===
+ TypeError:
+ apischema was not an SSSDConfigSchema object or domainname was not
+ a string
+ """
+ SSSDConfigObject.__init__(self)
+
+ if not isinstance(apischema, SSSDConfigSchema) or type(domainname) != str:
+ raise TypeError
+
+ self.name = domainname
+ self.schema = apischema
+ self.active = False
+ self.oldname = None
+ self.providers = []
+
+ # Set up the domain object with any known defaults
+ self.options = {}
+
+ # Set up default options for all domains
+ self.options.update(self.schema.get_defaults('provider'))
+ self.options.update(self.schema.get_defaults('domain'))
+
+ def set_active(self, active):
+ """
+ Enable or disable this domain
+
+ active:
+ Boolean value. If True, this domain will be added to the active
+ domains list when it is saved. If False, it will be removed from the
+ active domains list when it is saved.
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ No errors
+ """
+ self.active = bool(active)
+
+ def list_options_with_mandatory(self):
+ """
+ List options for the currently-configured providers, including the
+ mandatory flag
+
+ === Returns ===
+ A dictionary of configurable options.
This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), whether it is mandatory, the
+ translated option description, and the default value (or 'None') as
+ the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, False, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = {}
+ # Get the list of available options for all domains
+ options.update(self.schema.get_options('provider'))
+
+ options.update(self.schema.get_options('domain'))
+
+ # Candidate for future optimization: will update primary type
+ # for each subtype
+ for (provider, providertype) in self.providers:
+ schema_options = self.schema.get_options('provider/%s'
+ % provider)
+ options.update(schema_options)
+ schema_options = self.schema.get_options('provider/%s/%s'
+ % (provider, providertype))
+ options.update(schema_options)
+ return options
+
+ def list_options(self):
+ """
+ List options available for the currently-configured providers.
+
+ === Returns ===
+ A dictionary of configurable options. This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def list_mandatory_options(self):
+ """
+ List mandatory options for the currently-configured providers.
+
+ === Returns ===
+ A dictionary of configurable options.
This dictionary is keyed on the
+ option name with a tuple of the variable type, subtype ('None' if the
+ type is not a collection type), the translated option description, and
+ the default value (or 'None') as the value.
+
+ Example:
+ { 'enumerate' :
+ (bool, None, u'Enable enumerating all users/groups', True) }
+
+ === Errors ===
+ No errors
+ """
+ options = self.list_options_with_mandatory()
+
+ # Filter out the mandatory field to maintain compatibility
+ # with older versions of the API
+ filtered_options = {}
+ for key in options.keys():
+ if options[key][2]:
+ filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
+
+ return filtered_options
+
+ def list_provider_options(self, provider, provider_type=None):
+ """
+ If provider_type is specified, list all options applicable to that
+ target, otherwise list all possible options available for a provider.
+
+ type:
+ Provider backend type. (e.g. local, ldap, krb5, etc.)
+ provider_type:
+ Subtype of the backend type. (e.g. id, auth, access, chpass)
+
+ === Returns ===
+
+ A dictionary of configurable options for the specified provider type.
+ This dictionary is keyed on the option name with a tuple of the
+ variable type, subtype ('None' if the type is not a collection type),
+ the translated option description, and the default value (or 'None')
+ as the value.
+
+ === Errors ===
+
+ NoSuchProviderError:
+ The specified provider is not listed in the schema or plugins
+ NoSuchProviderSubtypeError:
+ The specified provider subtype is not listed in the schema
+ """
+ #TODO section checking
+
+ options = self.schema.get_options('provider/%s' % provider)
+ if(provider_type):
+ options.update(self.schema.get_options('provider/%s/%s' %
+ (provider, provider_type)))
+ else:
+ # Add options from all provider subtypes
+ known_providers = self.list_providers()
+ for provider_type in known_providers[provider]:
+ options.update(self.list_provider_options(provider,
+ provider_type))
+ return options
+
+ def list_providers(self):
+ """
+ Return a dictionary of providers.
+
+ === Returns ===
+ Returns a dictionary of providers, keyed on the primary type, with the
+ value being a tuple of the subtypes it supports.
+
+ Example:
+ { 'ldap' : ('id', 'auth', 'chpass') }
+
+ === Errors ===
+ No Errors
+ """
+ return self.schema.get_providers()
+
+ def set_option(self, option, value):
+ """
+ Set a domain option to the specified value (or values)
+
+ option:
+ The option to change.
+ value:
+ The value to set. This may be a single value or a list of values.
+ If it is set to None, it resets the option to its default.
+
+ === Returns ===
+ No return value.
+
+ === Errors ===
+ NoOptionError:
+ The specified option is not listed in the schema
+ TypeError:
+ The value specified was not of the expected type
+ """
+ options = self.list_options()
+ if (option not in options.keys()):
+ raise NoOptionError('Section [%s] has no option [%s]' %
+ (self.name, option))
+
+ if value == None:
+ self.remove_option(option)
+ return
+
+ option_schema = options[option]
+ raise_error = False
+
+ # If we were expecting a list and didn't get one,
+ # Create a list with a single entry.
If it's the
+ # wrong subtype, it will fail below
+ if option_schema[0] == list and type(value) != list:
+ if type(value) == str:
+ value = striplist(value.split(','))
+ else:
+ value = [value]
+
+ if type(value) != option_schema[0]:
+ # If it's possible to convert it, do so
+ try:
+ if option_schema[0] == bool and \
+ type(value) == str:
+ value = self.schema.bool_lookup[value.lower()]
+ elif option_schema[0] == int and type(value) == str:
+ # Make sure we handle any reasonable base
+ value = int(value, 0)
+ else:
+ value = option_schema[0](value)
+ except ValueError:
+ raise_error = True
+ except KeyError:
+ raise_error = True
+
+ if raise_error:
+ raise TypeError('Expected %s for %s, received %s' %
+ (option_schema[0], option, type(value)))
+
+ if type(value) == list:
+ # Iterate through the list an ensure that all members
+ # are of the appropriate subtype
+ try:
+ newvalue = []
+ for x in value:
+ if option_schema[1] == bool and \
+ type(x) == str:
+ newvalue.extend([self.schema.bool_lookup[x.lower()]])
+ else:
+ newvalue.extend([option_schema[1](x)])
+ except ValueError:
+ raise_error = True
+ except KeyError:
+ raise_error = True
+
+ if raise_error:
+ raise TypeError('Expected %s' % option_schema[1])
+ value = newvalue
+
+ # Check whether we're adding a provider entry.
+ is_provider = option.rfind('_provider')
+ if (is_provider > 0):
+ provider = option[:is_provider]
+ try:
+ self.add_provider(value, provider)
+ except NoSuchProviderError:
+ raise NoOptionError
+ else:
+ self.options[option] = value
+
+ def set_name(self, newname):
+ """
+ Change the name of the domain
+
+ newname:
+ New name for this domain
+
+ === Returns ===
+ No return value.
+
+ === Errors ===
+ TypeError:
+ newname was not a string
+ """
+
+ if type(newname) != str:
+ raise TypeError
+
+ if not self.oldname:
+ # Only set the oldname once
+ self.oldname = self.name
+ self.name = newname
+
+ def add_provider(self, provider, provider_type):
+ """
+ Add a new provider type to the domain
+
+ type:
+ Provider backend type. (e.g. local, ldap, krb5, etc.)
+ subtype:
+ Subtype of the backend type. (e.g. id, auth, chpass)
+
+ === Returns ===
+ No return value.
+
+ === Errors ===
+ ProviderSubtypeInUse:
+ Another backend is already providing this subtype
+ NoSuchProviderError:
+ The specified provider is not listed in the schema or plugins
+ NoSuchProviderSubtypeError:
+ The specified provider subtype is not listed in the schema
+ """
+ # Check that provider and provider_type are valid
+ configured_providers = self.list_providers()
+ if provider in configured_providers.keys():
+ if provider_type not in configured_providers[provider]:
+ raise NoSuchProviderSubtypeError(provider_type)
+ else:
+ raise NoSuchProviderError
+
+ # Don't add a provider twice
+ with_this_type = [x for x in self.providers if x[1] == provider_type]
+ if len(with_this_type) > 1:
+ # This should never happen!
+ raise ProviderSubtypeInUse
+ if len(with_this_type) == 1:
+ if with_this_type[0][0] != provider:
+ raise ProviderSubtypeInUse(with_this_type[0][0])
+ else:
+ self.providers.extend([(provider, provider_type)])
+
+ option_name = '%s_provider' % provider_type
+ self.options[option_name] = provider
+
+ # Add defaults for this provider
+ self.options.update(self.schema.get_defaults('provider/%s' %
+ provider))
+ self.options.update(self.schema.get_defaults('provider/%s/%s' %
+ (provider,
+ provider_type)))
+
+ def remove_provider(self, provider_type):
+ """
+ Remove a provider from the domain. If the provider is not present, it
+ is ignored.
+
+ provider_type:
+ Subtype of the backend type. (e.g. id, auth, chpass)
+
+ === Returns ===
+ No return value.
+
+ === Errors ===
+ No Errors
+ """
+
+ provider = None
+ for (provider, ptype) in self.providers:
+ if ptype == provider_type:
+ break
+ provider = None
+
+ # Check whether the provider_type was found
+ if not provider:
+ return
+
+ # Remove any unused options when removing the provider.
+ options = self.list_provider_options(provider, provider_type)
+
+ # Trim any options that are used by other providers,
+ # if that provider is in use
+ for (prov, ptype) in self.providers:
+ # Ignore the one being removed
+ if (prov, ptype) == (provider, provider_type):
+ continue
+
+ provider_options = self.list_provider_options(prov, ptype)
+ overlap = options_overlap(options.keys(), provider_options.keys())
+ for opt in overlap:
+ del options[opt]
+
+ # We should now have a list of options used only by this
+ # provider. So we remove them.
+ for option in options:
+ if option in self.options:
+ del self.options[option]
+
+ # Remove this provider from the option list
+ option = '%s_provider' % provider_type
+ if option in self.options:
+ del self.options[option]
+
+ self.providers.remove((provider, provider_type))
+
+class SSSDConfig(SSSDChangeConf):
+ """
+ class SSSDConfig
+ Primary class for operating on SSSD configurations
+ """
+ def __init__(self, schemafile=None, schemaplugindir=None):
+ """
+ Initialize the SSSD config parser/editor. This constructor does not
+ open or create a config file. If the schemafile and schemaplugindir
+ are not passed, it will use the system defaults.
+
+ schemafile:
+ The path to the API schema config file. Usually
+ @datadir@/sssd/sssd.api.conf
+ schemaplugindir:
+ The path the directory containing the provider schema config files.
+ Usually @datadir@/sssd/sssd.api.d
+
+ === Returns ===
+ The newly-created SSSDConfig object.
+
+ === Errors ===
+ IOError:
+ Exception raised when the schema file could not be opened for
+ reading.
+ ParsingError:
+ The main schema file or one of those in the plugin directory could
+ not be parsed.
+ """
+ SSSDChangeConf.__init__(self)
+ self.schema = SSSDConfigSchema(schemafile, schemaplugindir)
+ self.configfile = None
+ self.initialized = False
+ self.API_VERSION = 2
+
+ def import_config(self,configfile=None):
+ """
+ Read in a config file, populating all of the service and domain
+ objects with the read values.
+
+ configfile:
+ The path to the SSSD config file. If not specified, use the system
+ default, usually @sysconfdir@/sssd.conf
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ IOError:
+ Exception raised when the file could not be opened for reading
+ ParsingError:
+ Exception raised when errors occur attempting to parse a file.
+ AlreadyInitializedError:
+ This SSSDConfig object was already initialized by a call to
+ import_config() or new_config()
+ """
+ if self.initialized:
+ raise AlreadyInitializedError
+
+ if not configfile:
+ #TODO: get this from a global setting
+ configfile = '@sysconfdir@/sssd/sssd.conf'
+ # open will raise an IOError if it fails
+ fd = open(configfile, 'r')
+
+ try:
+ self.readfp(fd)
+ except:
+ raise ParsingError
+
+ fd.close()
+ self.configfile = configfile
+ self.initialized = True
+
+ try:
+ if int(self.get('sssd', 'config_file_version')) != self.API_VERSION:
+ raise ParsingError("Wrong config_file_version")
+ except TypeError:
+ # This happens when config_file_version is missing. We
+ # can assume it is the default version and continue.
+ pass
+
+ def new_config(self):
+ """
+ Initialize the SSSDConfig object with the defaults from the schema.
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ AlreadyInitializedError:
+ This SSSDConfig object was already initialized by a call to
+ import_config() or new_config()
+ """
+ if self.initialized:
+ raise AlreadyInitializedError
+
+ self.initialized = True
+
+ #Initialize all services
+ for servicename in self.schema.get_services():
+ service = self.new_service(servicename)
+
+ def write(self, outputfile=None):
+ """
+ Write out the configuration to a file.
+
+ outputfile:
+ The path to write the new config file. If it is not specified, it
+ will use the path specified by the import() call.
+ === Returns ===
+ No return value
+
+ === Errors ===
+ IOError:
+ Exception raised when the file could not be opened for writing
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ NoOutputFileError:
+ No outputfile was specified and this SSSDConfig object was not
+ initialized by import()
+ """
+ if not self.initialized:
+ raise NotInitializedError
+
+ if outputfile == None:
+ if(self.configfile == None):
+ raise NoOutputFileError
+
+ outputfile = self.configfile
+
+ # open() will raise IOError if it fails
+ old_umask = os.umask(0o177)
+ of = open(outputfile, "wb")
+ output = self.dump(self.opts).encode('utf-8')
+ of.write(output)
+ of.close()
+ os.umask(old_umask)
+
+ def list_active_services(self):
+ """
+ Return a list of all active services.
+
+ === Returns ===
+ The list of active services.
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+
+ if (self.has_option('sssd', 'services')):
+ active_services = striplist(self.get('sssd', 'services').split(','))
+ service_dict = dict.fromkeys(active_services)
+ if '' in service_dict:
+ del service_dict['']
+
+ # Remove any entries in this list that don't
+ # correspond to an active service, for integrity
+ configured_services = self.list_services()
+ for srv in list(service_dict):
+ if srv not in configured_services:
+ del service_dict[srv]
+
+ active_services = list(service_dict)
+ else:
+ active_services = []
+
+ return active_services
+
+ def list_inactive_services(self):
+ """
+ Return a list of all disabled services.
+
+ === Returns ===
+ The list of inactive services.
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+
+ if (self.has_option('sssd', 'services')):
+ active_services = striplist(self.get('sssd', 'services').split(','))
+ else:
+ active_services = []
+
+ services = [x for x in self.list_services()
+ if x not in active_services]
+ return services
+
+ def list_services(self):
+ """
+ Retrieve a list of known services.
+
+ === Returns ===
+ The list of known services.
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+
+ service_list = [x['name'] for x in self.sections()
+ if not x['name'].startswith('domain') ]
+ return service_list
+
+ def get_service(self, name):
+ """
+ Get an SSSDService object to edit a service.
+
+ name:
+ The name of the service to return.
+
+ === Returns ===
+ An SSSDService instance containing the current state of a service in
+ the SSSDConfig
+
+ === Errors ===
+ NoServiceError:
+ There is no such service with the specified name in the SSSDConfig.
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+ if not self.has_section(name):
+ raise NoServiceError
+
+ service = SSSDService(name, self.schema)
+ for opt in self.strip_comments_empty(self.options(name)):
+ try:
+ service.set_option(opt['name'], opt['value'])
+ except NoOptionError:
+ # If we come across an option that we don't recognize,
+ # we should just ignore it and continue
+ pass
+
+ return service
+
+ def new_service(self, name):
+ """
+ Create a new service from the defaults and return the SSSDService
+ object for it. This function will also add this service to the list of
+ active services in the [SSSD] section.
+
+ name:
+ The name of the service to create and return.
+
+ === Returns ===
+ The newly-created SSSDService object
+
+ === Errors ===
+ ServiceNotRecognizedError:
+ There is no such service in the schema.
+ ServiceAlreadyExistsError:
+ The service being created already exists in the SSSDConfig object.
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+ if (self.has_section(name)):
+ raise ServiceAlreadyExists(name)
+
+ service = SSSDService(name, self.schema)
+ self.save_service(service)
+ return service
+
+ def activate_service(self, name):
+ """
+ Activate a service
+
+ name:
+ The name of the service to activate
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ NoServiceError:
+ There is no such service with the specified name in the SSSDConfig.
+ """
+
+ if not self.initialized:
+ raise NotInitializedError
+
+ if name not in self.list_services():
+ raise NoServiceError
+
+ item = self.get_option_index('sssd', 'services')[1]
+ if not item:
+ self.set('sssd','services', name)
+ return
+
+ # Turn the items into a set of dictionary keys
+ # This guarantees uniqueness and makes it easy
+ # to add a new value
+ service_dict = dict.fromkeys(striplist(item['value'].split(',')))
+ if '' in service_dict:
+ del service_dict['']
+
+ # Add a new key for the service being activated
+ service_dict[name] = None
+
+ # Write out the joined keys
+ self.set('sssd','services', ", ".join(service_dict.keys()))
+
+ def deactivate_service(self, name):
+ """
+ Deactivate a service
+
+ name:
+ The name of the service to deactivate
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ NoServiceError:
+ There is no such service with the specified name in the SSSDConfig.
+ """
+
+ if not self.initialized:
+ raise NotInitializedError
+
+ if name not in self.list_services():
+ raise NoServiceError
+ item = self.get_option_index('sssd', 'services')[1]
+ if not item:
+ self.set('sssd','services', '')
+ return
+
+ # Turn the items into a set of dictionary keys
+ # This guarantees uniqueness and makes it easy
+ # to remove the one unwanted value.
+ service_dict = dict.fromkeys(striplist(item['value'].split(',')))
+ if '' in service_dict:
+ del service_dict['']
+
+ # Remove the unwanted service from the lest
+ if name in service_dict:
+ del service_dict[name]
+
+ # Write out the joined keys
+ self.set('sssd','services', ", ".join(service_dict.keys()))
+
+ def delete_service(self, name):
+ """
+ Remove a service from the SSSDConfig object. This function will also
+ remove this service from the list of active services in the [SSSD]
+ section. Has no effect if the service does not exist.
+
+ === Returns ===
+ No return value
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+ self.delete_option('section', name)
+
+ def save_service(self, service):
+ """
+ Save the changes made to the service object back to the SSSDConfig
+ object.
+
+ service_object:
+ The SSSDService object to save to the configuration.
+
+ === Returns ===
+ No return value
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ TypeError:
+ service_object was not of the type SSSDService
+ """
+ if not self.initialized:
+ raise NotInitializedError
+ if not isinstance(service, SSSDService):
+ raise TypeError
+
+ name = service.get_name()
+ # Ensure that the existing section is removed
+ # This way we ensure that we are getting a
+ # complete copy of the service.
+ # delete_option() is a noop if the section
+ # does not exist.
+ index = self.delete_option('section', name)
+
+ addkw = []
+ for option,value in service.get_all_options().items():
+ if (type(value) == list):
+ value = ', '.join(value)
+ if option == "debug_level":
+ value = self._get_debug_level_val(value)
+ addkw.append( { 'type' : 'option',
+ 'name' : option,
+ 'value' : str(value) } )
+
+ self.add_section(name, addkw, index)
+
+ def list_active_domains(self):
+ """
+ Return a list of all active domains.
+
+ === Returns ===
+ The list of configured, active domains.
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+
+ if (self.has_option('sssd', 'domains')):
+ active_domains = striplist(self.get('sssd', 'domains').split(','))
+ domain_dict = dict.fromkeys(active_domains)
+ if '' in domain_dict:
+ del domain_dict['']
+
+ # Remove any entries in this list that don't
+ # correspond to an active domain, for integrity
+ configured_domains = self.list_domains()
+ for dom in list(domain_dict):
+ if dom not in configured_domains:
+ del domain_dict[dom]
+
+ active_domains = list(domain_dict)
+ else:
+ active_domains = []
+
+ return active_domains
+
+ def list_inactive_domains(self):
+ """
+ Return a list of all configured, but disabled domains.
+
+ === Returns ===
+ The list of configured, inactive domains.
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+
+ if (self.has_option('sssd', 'domains')):
+ active_domains = striplist(self.get('sssd', 'domains').split(','))
+ else:
+ active_domains = []
+
+ domains = [x for x in self.list_domains()
+ if x not in active_domains]
+ return domains
+
+ def list_domains(self):
+ """
+ Return a list of all configured domains, including inactive domains.
+
+ === Returns ===
+ The list of configured domains, both active and inactive.
+
+ === Errors ===
+ NotInitializedError:
+ This SSSDConfig object has not had import_config() or new_config()
+ run on it yet.
+ """
+ if not self.initialized:
+ raise NotInitializedError
+ domains = [x['name'][7:] for x in self.sections() if x['name'].startswith('domain/')]
+ return domains
+
+ def get_domain(self, name):
+ """
+ Get an SSSDDomain object to edit a domain.
+
+ name:
+ The name of the domain to return.
+ + === Returns === + An SSSDDomain instance containing the current state of a domain in the + SSSDConfig + + === Errors === + NoDomainError: + There is no such domain with the specified name in the SSSDConfig. + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + if not self.has_section('domain/%s' % name): + raise NoDomainError(name) + + domain = SSSDDomain(name, self.schema) + + # Read in the providers first or we may have type + # errors trying to read in their options + providers = [ (x['name'],x['value']) for x in self.strip_comments_empty(self.options('domain/%s' % name)) + if x['name'].rfind('_provider') > 0] + + for (option, value) in providers: + try: + domain.set_option(option, value) + except NoOptionError: + # If we come across an option that we don't recognize, + # we should just ignore it and continue + pass + + # Read in all the options from the configuration + for opt in self.strip_comments_empty(self.options('domain/%s' % name)): + if (opt['name'], opt['value']) not in providers: + try: + domain.set_option(opt['name'], opt['value']) + except NoOptionError: + # If we come across an option that we don't recognize, + # we should just ignore it and continue + pass + + # Determine if this domain is currently active + domain.active = self.is_domain_active(name) + + return domain + + def new_domain(self, name): + """ + Create a new, empty domain and return the SSSDDomain object for it. + + name: + The name of the domain to create and return. + + === Returns === + The newly-created SSSDDomain object + + === Errors === + DomainAlreadyExistsError: + The service being created already exists in the SSSDConfig object. + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. 
+ """ + if not self.initialized: + raise NotInitializedError + if self.has_section('domain/%s' % name): + raise DomainAlreadyExistsError + + domain = SSSDDomain(name, self.schema) + self.save_domain(domain) + return domain + + def is_domain_active(self, name): + """ + Is a particular domain set active + + name: + The name of the configured domain to check + + === Returns === + True if the domain is active, False if it is inactive + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoDomainError: + No domain by this name is configured + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_domains(): + raise NoDomainError + + return name in self.list_active_domains() + + def activate_domain(self, name): + """ + Activate a configured domain + + name: + The name of the configured domain to activate + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. 
+ NoDomainError: + No domain by this name is configured + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_domains(): + raise NoDomainError + + item = self.get_option_index('sssd', 'domains')[1] + if not item: + self.set('sssd','domains', name) + return + + # Turn the items into a set of dictionary keys + # This guarantees uniqueness and makes it easy + # to add a new value + domain_dict = dict.fromkeys(striplist(item['value'].split(','))) + if '' in domain_dict: + del domain_dict[''] + + # Add a new key for the domain being activated + domain_dict[name] = None + + # Write out the joined keys + self.set('sssd','domains', ", ".join(domain_dict.keys())) + + def deactivate_domain(self, name): + """ + Deactivate a configured domain + + name: + The name of the configured domain to deactivate + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + NoDomainError: + No domain by this name is configured + """ + + if not self.initialized: + raise NotInitializedError + + if name not in self.list_domains(): + raise NoDomainError + item = self.get_option_index('sssd', 'domains')[1] + if not item: + self.set('sssd','domains', '') + return + + # Turn the items into a set of dictionary keys + # This guarantees uniqueness and makes it easy + # to remove the one unwanted value. + domain_dict = dict.fromkeys(striplist(item['value'].split(','))) + if '' in domain_dict: + del domain_dict[''] + + # Remove the unwanted domain from the lest + if name in domain_dict: + del domain_dict[name] + + # Write out the joined keys + self.set('sssd','domains', ", ".join(domain_dict.keys())) + + def delete_domain(self, name): + """ + Remove a domain from the SSSDConfig object. This function will also + remove this domain from the list of active domains in the [SSSD] + section, if it is there. 
+ + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + """ + if not self.initialized: + raise NotInitializedError + + # Remove the domain from the active domains list if applicable + self.deactivate_domain(name) + self.delete_option('section', 'domain/%s' % name) + + def save_domain(self, domain): + """ + Save the changes made to the domain object back to the SSSDConfig + object. If this domain is marked active, ensure it is present in the + active domain list in the [SSSD] section + + domain_object: + The SSSDDomain object to save to the configuration. + + === Returns === + No return value + + === Errors === + NotInitializedError: + This SSSDConfig object has not had import_config() or new_config() + run on it yet. + TypeError: + domain_object was not of type SSSDDomain + """ + if not self.initialized: + raise NotInitializedError + if not isinstance(domain, SSSDDomain): + raise TypeError + + name = domain.get_name() + + oldindex = None + if domain.oldname and domain.oldname != name: + # We are renaming this domain + # Remove the old section + + self.deactivate_domain(domain.oldname) + oldindex = self.delete_option('section', 'domain/%s' % + domain.oldname) + + # Reset the oldname, in case we're not done with + # this domain object. 
+ domain.oldname = None;
+
+ sectionname = 'domain/%s' % name
+ (no, section_subtree) = self.findOpts(self.opts, 'section', sectionname)
+
+ if name not in self.list_domains():
+ self.add_section(sectionname, []);
+
+ for option in self.options(sectionname):
+ if option['type'] == 'option':
+ if option['name'] not in domain.get_all_options():
+ self.delete_option_subtree(section_subtree['value'], 'option', option['name'], True)
+
+ for option,value in domain.get_all_options().items():
+ if (type(value) == list):
+ value = ', '.join(value)
+ if option == "debug_level":
+ value = self._get_debug_level_val(value)
+ self.set(sectionname, option, str(value))
+
+ if domain.active:
+ self.activate_domain(name)
+ else:
+ self.deactivate_domain(name)
diff --git a/src/config/SSSDConfig/ipachangeconf.py b/src/config/SSSDConfig/ipachangeconf.py
new file mode 100644
index 0000000..6c63cc1
--- /dev/null
+++ b/src/config/SSSDConfig/ipachangeconf.py
@@ -0,0 +1,595 @@ +# +# ipachangeconf - configuration file manipulation classes and functions +# partially based on authconfig code +# Copyright (c) 1999-2007 Red Hat, Inc. +# Author: Simo Sorce +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import fcntl +import os +import string +import time +import shutil +import re + +def openLocked(filename, perms, create = True): + fd = -1 + + flags = os.O_RDWR + if create: + flags = flags | os.O_CREAT + + try: + fd = os.open(filename, flags, perms) + fcntl.lockf(fd, fcntl.LOCK_EX) + except OSError as err: + errno, strerr = err.args + if fd != -1: + try: + os.close(fd) + except OSError: + pass + raise IOError(errno, strerr) + return os.fdopen(fd, "r+") + + + #TODO: add subsection as a concept + # (ex. 
REALM.NAME = { foo = x bar = y } ) + #TODO: put section delimiters as separating element of the list + # so that we can process multiple sections in one go + #TODO: add a comment all but provided options as a section option +class IPAChangeConf(object): + + def __init__(self, name): + self.progname = name + self.indent = ("","","") + self.assign = (" = ","=") + self.dassign = self.assign[0] + self.comment = ("#",) + self.dcomment = self.comment[0] + self.eol = ("\n",) + self.deol = self.eol[0] + self.sectnamdel = ("[","]") + self.subsectdel = ("{","}") + self.backup_suffix = ".ipabkp" + + def setProgName(self, name): + self.progname = name + + def setIndent(self, indent): + if type(indent) is tuple: + self.indent = indent + elif type(indent) is str: + self.indent = (indent, ) + else: + raise ValueError('Indent must be a list of strings') + + def setOptionAssignment(self, assign): + if type(assign) is tuple: + self.assign = assign + else: + self.assign = (assign, ) + self.dassign = self.assign[0] + + def setCommentPrefix(self, comment): + if type(comment) is tuple: + self.comment = comment + else: + self.comment = (comment, ) + self.dcomment = self.comment[0] + + def setEndLine(self, eol): + if type(eol) is tuple: + self.eol = eol + else: + self.eol = (eol, ) + self.deol = self.eol[0] + + def setSectionNameDelimiters(self, delims): + self.sectnamdel = delims + + def setSubSectionDelimiters(self, delims): + self.subsectdel = delims + + def matchComment(self, line): + for v in self.comment: + if line.lstrip().startswith(v): + return line.lstrip()[len(v):] + return False + + def matchEmpty(self, line): + if line.strip() == "": + return True + return False + + def matchSection(self, line): + cl = "".join(line.strip().split()) + if len(self.sectnamdel) != 2: + return False + if not cl.startswith(self.sectnamdel[0]): + return False + if not cl.endswith(self.sectnamdel[1]): + return False + return cl[len(self.sectnamdel[0]):-len(self.sectnamdel[1])] + + def 
matchSubSection(self, line): + if self.matchComment(line): + return False + + parts = line.split(self.dassign, 1) + if len(parts) < 2: + return False + + if parts[1].strip() == self.subsectdel[0]: + return parts[0].strip() + + return False + + def matchSubSectionEnd(self, line): + if self.matchComment(line): + return False + + if line.strip() == self.subsectdel[1]: + return True + + return False + + def getSectionLine(self, section): + if len(self.sectnamdel) != 2: + return section + return self.sectnamdel[0]+section+self.sectnamdel[1]+self.deol + + @staticmethod + def _get_debug_level_val(value): + if value > 16: + value = hex(value) + + return value + + def dump(self, options, level=0): + output = "" + if level >= len(self.indent): + level = len(self.indent)-1 + + for o in options: + if o['type'] == "section": + output += self.sectnamdel[0]+o['name']+self.sectnamdel[1]+self.deol + output += self.dump(o['value'], level+1) + continue + if o['type'] == "subsection": + output += self.indent[level]+o['name']+self.dassign+self.subsectdel[0]+self.deol + output += self.dump(o['value'], level+1) + output += self.indent[level]+self.subsectdel[1]+self.deol + continue + if o['type'] == "option": + output += self.indent[level]+o['name']+self.dassign+o['value']+self.deol + continue + if o['type'] == "comment": + output += self.dcomment+o['value']+self.deol + continue + if o['type'] == "empty": + output += self.deol + continue + raise SyntaxError('Unknown type: ['+o['type']+']') + + return output + + def parseLine(self, line): + + if self.matchEmpty(line): + return {'name':'empty', 'type':'empty'} + + value = self.matchComment(line) + if value: + return {'name':'comment', 'type':'comment', 'value':value.rstrip()} + + parts = line.split(self.dassign, 1) + if len(parts) < 2: + raise SyntaxError('Syntax Error: Unknown line format') + + return {'name':parts[0].strip(), 'type':'option', 'value':parts[1].rstrip()} + + def findOpts(self, opts, type, name, exclude_sections=False): + + 
num = 0 + for o in opts: + if o['type'] == type and o['name'] == name: + return (num, o) + if exclude_sections and (o['type'] == "section" or o['type'] == "subsection"): + return (num, None) + num += 1 + return (num, None) + + def commentOpts(self, inopts, level = 0): + + opts = [] + + if level >= len(self.indent): + level = len(self.indent)-1 + + for o in inopts: + if o['type'] == 'section': + no = self.commentOpts(o['value'], level+1) + val = self.dcomment+self.sectnamdel[0]+o['name']+self.sectnamdel[1] + opts.append({'name':'comment', 'type':'comment', 'value':val}) + for n in no: + opts.append(n) + continue + if o['type'] == 'subsection': + no = self.commentOpts(o['value'], level+1) + val = self.indent[level]+o['name']+self.dassign+self.subsectdel[0] + opts.append({'name':'comment', 'type':'comment', 'value':val}) + for n in no: + opts.append(n) + val = self.indent[level]+self.subsectdel[1] + opts.append({'name':'comment', 'type':'comment', 'value':val}) + continue + if o['type'] == 'option': + val = self.indent[level]+o['name']+self.dassign+o['value'] + opts.append({'name':'comment', 'type':'comment', 'value':val}) + continue + if o['type'] == 'comment': + opts.append(o) + continue + if o['type'] == 'empty': + opts.append({'name':'comment', 'type':'comment', 'value':''}) + continue + raise SyntaxError('Unknown type: ['+o['type']+']') + + return opts + + def mergeOld(self, oldopts, newopts): + + opts = [] + + for o in oldopts: + if o['type'] == "section" or o['type'] == "subsection": + (num, no) = self.findOpts(newopts, o['type'], o['name']) + if not no: + opts.append(o) + continue + if no['action'] == "set": + mo = self.mergeOld(o['value'], no['value']) + opts.append({'name':o['name'], 'type':o['type'], 'value':mo}) + continue + if no['action'] == "comment": + co = self.commentOpts(o['value']) + for c in co: + opts.append(c) + continue + if no['action'] == "remove": + continue + raise SyntaxError('Unknown action: ['+no['action']+']') + + if o['type'] == 
"comment" or o['type'] == "empty": + opts.append(o) + continue + + if o['type'] == "option": + (num, no) = self.findOpts(newopts, 'option', o['name'], True) + if not no: + opts.append(o) + continue + if no['action'] == 'comment' or no['action'] == 'remove': + if no['value'] != None and o['value'] != no['value']: + opts.append(o) + continue + if no['action'] == 'comment': + opts.append({'name':'comment', 'type':'comment', + 'value':self.dcomment+o['name']+self.dassign+o['value']}) + continue + if no['action'] == 'set': + opts.append(no) + continue + raise SyntaxError('Unknown action: ['+o['action']+']') + + raise SyntaxError('Unknown type: ['+o['type']+']') + + return opts + + def mergeNew(self, opts, newopts): + + cline = 0 + + for no in newopts: + + if no['type'] == "section" or no['type'] == "subsection": + (num, o) = self.findOpts(opts, no['type'], no['name']) + if not o: + if no['action'] == 'set': + opts.append(no) + continue + if no['action'] == "set": + self.mergeNew(o['value'], no['value']) + continue + cline = num+1 + continue + + if no['type'] == "option": + (num, o) = self.findOpts(opts, no['type'], no['name'], True) + if not o: + if no['action'] == 'set': + opts.append(no) + continue + cline = num+1 + continue + + if no['type'] == "comment" or no['type'] == "empty": + opts.insert(cline, no) + cline += 1 + continue + + raise SyntaxError('Unknown type: ['+no['type']+']') + + + def merge(self, oldopts, newopts): + + #Use a two pass strategy + #First we create a new opts tree from oldopts removing/commenting + # the options as indicated by the contents of newopts + #Second we fill in the new opts tree with options as indicated + # in the newopts tree (this is because entire (sub)sections may + # exist in the newopts that do not exist in oldopts) + + opts = self.mergeOld(oldopts, newopts) + self.mergeNew(opts, newopts) + return opts + + #TODO: Make parse() recursive? 
+ def parse(self, f): + + opts = [] + sectopts = [] + section = None + subsectopts = [] + subsection = None + curopts = opts + fatheropts = opts + + # Read in the old file. + for line in f: + + # It's a section start. + value = self.matchSection(line) + if value: + if section is not None: + opts.append({'name':section, 'type':'section', 'value':sectopts}) + sectopts = [] + curopts = sectopts + fatheropts = sectopts + section = value + continue + + # It's a subsection start. + value = self.matchSubSection(line) + if value: + if subsection is not None: + raise SyntaxError('nested subsections are not supported yet') + subsectopts = [] + curopts = subsectopts + subsection = value + continue + + value = self.matchSubSectionEnd(line) + if value: + if subsection is None: + raise SyntaxError('Unmatched end subsection terminator found') + fatheropts.append({'name':subsection, 'type':'subsection', 'value':subsectopts}) + subsection = None + curopts = fatheropts + continue + + # Copy anything else as is. + curopts.append(self.parseLine(line)) + + #Add last section if any + if len(sectopts) is not 0: + opts.append({'name':section, 'type':'section', 'value':sectopts}) + + return opts + + # Write settings to configuration file + # file is a path + # options is a set of dictionaries in the form: + # [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}] + # section is a section name like 'global' + def changeConf(self, file, newopts): + autosection = False + savedsection = None + done = False + output = "" + f = None + try: + #Do not catch an unexisting file error, we want to fail in that case + shutil.copy2(file, file+self.backup_suffix) + + f = openLocked(file, 0o644) + + oldopts = self.parse(f) + + options = self.merge(oldopts, newopts) + + output = self.dump(options) + + # Write it out and close it. 
+ f.seek(0) + f.truncate(0) + f.write(output) + finally: + try: + if f: + f.close() + except IOError: + pass + return True + + # Write settings to new file, backup old + # file is a path + # options is a set of dictionaries in the form: + # [{'name': 'foo', 'value': 'bar', 'action': 'set/comment'}] + # section is a section name like 'global' + def newConf(self, file, options): + autosection = False + savedsection = None + done = False + output = "" + f = None + try: + try: + shutil.copy2(file, file+self.backup_suffix) + except IOError as err: + if err.errno == 2: + # The orign file did not exist + pass + + f = openLocked(file, 0o644) + + # Truncate + f.seek(0) + f.truncate(0) + + output = self.dump(options) + + f.write(output) + finally: + try: + if f: + f.close() + except IOError: + pass + return True + +# An SSSD-specific subclass of IPAChangeConf +class SSSDChangeConf(IPAChangeConf): + OPTCRE = re.compile( + r'(?P +# Qt Help Project / Custom Filters. + +QHP_CUST_FILTER_ATTRS = + +# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this +# project's +# filter section matches. +# +# Qt Help Project / Filter Attributes. + +QHP_SECT_FILTER_ATTRS = + +# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can +# be used to specify the location of Qt's qhelpgenerator. +# If non-empty doxygen will try to run qhelpgenerator on the generated +# .qhp file. + +QHG_LOCATION = + +# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files +# will be generated, which together with the HTML files, form an Eclipse help +# plugin. To install this plugin and make it available under the help contents +# menu in Eclipse, the contents of the directory containing the HTML and XML +# files needs to be copied into the plugins directory of eclipse. The name of +# the directory within the plugins directory should be the same as +# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before +# the help appears. 
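Review bot: In `newConf` the `except IOError as err:` around `shutil.copy2(file, file+self.backup_suffix)` only does `pass` when `err.errno == 2` and never re-raises otherwise, so any other backup failure (permission denied, disk full) is silently dropped and the function still goes on to `f.truncate(0)` the live file with no `.ipabkp` copy behind it. Adding `if err.errno != 2: raise` in that handler keeps the "file did not exist" case and stops before the destructive step in every other case. Both `changeConf` and `newConf` also call `openLocked(file, 0o644)`, which opens with `os.O_CREAT`, so a config file created here is group- and world-readable unless the caller has tightened the umask first; if this class writes sssd.conf, which may carry bind credentials, `0o600` would be the safer mode to pass. The rewrite is done in place (`f.seek(0)`, `f.truncate(0)`, `f.write(output)`), so an interruption between truncate and write leaves an empty file and the backup is the only recovery path. The end of this hunk (class `SSSDChangeConf`) is garbled on the page and was not reviewed.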
+ +GENERATE_ECLIPSEHELP = NO + +# A unique identifier for the eclipse help plugin. When installing the plugin +# the directory name containing the HTML and XML files should also have +# this name. + +ECLIPSE_DOC_ID = org.doxygen.Project + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs) +# at top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. Since the tabs have the same information as the +# navigation tree you can set this option to NO if you already set +# GENERATE_TREEVIEW to YES. + +DISABLE_INDEX = NO + +# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index +# structure should be generated to display hierarchical information. +# If the tag value is set to YES, a side panel will be generated +# containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser). +# Windows users are probably better off using the HTML help feature. +# Since the tree basically has the same information as the tab index you +# could consider to set DISABLE_INDEX to NO when enabling this option. + +GENERATE_TREEVIEW = NONE + +# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values +# (range [0,1..20]) that doxygen will group on one line in the generated HTML +# documentation. Note that a value of 0 will completely suppress the enum +# values from appearing in the overview section. + +ENUM_VALUES_PER_LINE = 4 + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open +# links to external symbols imported via tag files in a separate window. 
+ +EXT_LINKS_IN_WINDOW = NO + +# Use this tag to change the font size of Latex formulas included +# as images in the HTML documentation. The default is 10. Note that +# when you change the font size after a successful doxygen run you need +# to manually remove any form_*.png images from the HTML output directory +# to force them to be regenerated. + +FORMULA_FONTSIZE = 10 + +# Use the FORMULA_TRANPARENT tag to determine whether or not the images +# generated for formulas are transparent PNGs. Transparent PNGs are +# not supported properly for IE 6.0, but are supported on all modern browsers. +# Note that when changing this option you need to delete any form_*.png files +# in the HTML output before the changes have effect. + +FORMULA_TRANSPARENT = YES + +# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax +# (see http://www.mathjax.org) which uses client side Javascript for the +# rendering instead of using prerendered bitmaps. Use this if you do not +# have LaTeX installed or if you want to formulas look prettier in the HTML +# output. When enabled you may also need to install MathJax separately and +# configure the path to it using the MATHJAX_RELPATH option. + +USE_MATHJAX = NO + +# When MathJax is enabled you can set the default output format to be used for +# thA MathJax output. Supported types are HTML-CSS, NativeMML (i.e. MathML) and +# SVG. The default value is HTML-CSS, which is slower, but has the best +# compatibility. + +MATHJAX_FORMAT = HTML-CSS + +# When MathJax is enabled you need to specify the location relative to the +# HTML output directory using the MATHJAX_RELPATH option. The destination +# directory should contain the MathJax.js script. For instance, if the mathjax +# directory is located at the same level as the HTML output directory, then +# MATHJAX_RELPATH should be ../mathjax. The default value points to +# the MathJax Content Delivery Network so you can quickly see the result without +# installing MathJax. 
+# However, it is strongly recommended to install a local +# copy of MathJax from http://www.mathjax.org before deployment. + +MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest + +# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension +# names that should be enabled during MathJax rendering. + +MATHJAX_EXTENSIONS = + +# When the SEARCHENGINE tag is enabled doxygen will generate a search box +# for the HTML output. The underlying search engine uses javascript +# and DHTML and should work on any modern browser. Note that when using +# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets +# (GENERATE_DOCSET) there is already a search function so this one should +# typically be disabled. For large projects the javascript based search engine +# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution. + +SEARCHENGINE = NO + +# When the SERVER_BASED_SEARCH tag is enabled the search engine will be +# implemented using a web server instead of a web client using Javascript. +# There are two flavours of web server based search depending on the +# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for +# searching and an index file used by the script. When EXTERNAL_SEARCH is +# enabled the indexing and searching needs to be provided by external tools. +# See the manual for details. + +SERVER_BASED_SEARCH = NO + +# When EXTERNAL_SEARCH is enabled doxygen will no longer generate the PHP +# script for searching. Instead the search results are written to an XML file +# which needs to be processed by an external indexer. Doxygen will invoke an +# external search engine pointed to by the SEARCHENGINE_URL option to obtain +# the search results. Doxygen ships with an example indexer (doxyindexer) and +# search engine (doxysearch.cgi) which are based on the open source search engine +# library Xapian. See the manual for configuration details. 
+ +EXTERNAL_SEARCH = NO + +# The SEARCHENGINE_URL should point to a search engine hosted by a web server +# which will returned the search results when EXTERNAL_SEARCH is enabled. +# Doxygen ships with an example search engine (doxysearch) which is based on +# the open source search engine library Xapian. See the manual for configuration +# details. + +SEARCHENGINE_URL = + +# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed +# search data is written to a file for indexing by an external tool. With the +# SEARCHDATA_FILE tag the name of this file can be specified. + +SEARCHDATA_FILE = searchdata.xml + +# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through other +# doxygen projects that are not otherwise connected via tags files, but are +# all added to the same search index. Each project needs to have a tag file set +# via GENERATE_TAGFILE. The search mapping then maps the name of the tag file +# to a relative location where the documentation can be found, +# similar to the +# TAGFILES option but without actually processing the tag file. +# The format is: EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ... + +EXTRA_SEARCH_MAPPINGS = + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. 
+# Note that when enabling USE_PDFLATEX this option is only used for +# generating bitmaps for formulas in the HTML output, but not in the +# Makefile that is written to the output directory. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for +# the generated latex document. The footer should contain everything after +# the last chapter. If it is left blank doxygen will generate a +# standard footer. Notice: only use this tag if you know what you are doing! + +LATEX_FOOTER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. 
+ +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +# If LATEX_SOURCE_CODE is set to YES then doxygen will include +# source code with syntax highlighting in the LaTeX output. +# Note that which sources are shown also depends on other settings +# such as SOURCE_BROWSER. + +LATEX_SOURCE_CODE = NO + +# The LATEX_BIB_STYLE tag can be used to specify the style to use for the +# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See +# http://en.wikipedia.org/wiki/BibTeX for more info. + +LATEX_BIB_STYLE = plain + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. 
This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load style sheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. 
+ +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. 
+ +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. +# This is useful +# if you want to understand what is going on. +# On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. 
Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# pointed to by INCLUDE_PATH will be searched when a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = DOXYGEN + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition that +# overrules the definition found in the source code. 
+ +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all references to function-like macros +# that are alone on a line, have an all uppercase name, and do not end with a +# semicolon, because these will confuse the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. For each +# tag file the location of the external documentation should be added. The +# format of a tag file without this location is as follows: +# +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths +# or URLs. Note that each tag file must have a unique name (where the name does +# NOT include the path). If a tag file is not located in the directory in which +# doxygen is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). 
+ +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option also works with HAVE_DOT disabled, but it is recommended to +# install and use dot, since it yields more powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is +# allowed to run in parallel. When set to 0 (the default) doxygen will +# base this on the number of processors available in the system. You can set it +# explicitly to a value larger than 0 to get control over the balance +# between CPU load and processing speed. 
+ +DOT_NUM_THREADS = 0 + +# By default doxygen will use the Helvetica font for all dot files that +# doxygen generates. When you want a differently looking font you can specify +# the font name using DOT_FONTNAME. You need to make sure dot is able to find +# the font, which can be done by putting it in a standard location or by setting +# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the +# directory containing the font. + +DOT_FONTNAME = FreeSans + +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + +# By default doxygen will tell dot to use the Helvetica font. +# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to +# set the path where dot can find it. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If the UML_LOOK tag is enabled, the fields and methods are shown inside +# the class node. If there are many fields or methods and many nodes the +# graph may become too big to be useful. 
The UML_LIMIT_NUM_FIELDS +# threshold limits the number of items for each type to make the size more +# managable. Set this to 0 for no limit. Note that the threshold may be +# exceeded by 50% before the limit is enforced. + +UML_LIMIT_NUM_FIELDS = 10 + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will generate a graphical hierarchy of all classes instead of a textual one. 
+ +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are svg, png, jpg, or gif. +# If left blank png will be used. If you choose svg you need to set +# HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible in IE 9+ (other browsers do not have this requirement). + +DOT_IMAGE_FORMAT = png + +# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to +# enable generation of interactive SVG images that allow zooming and panning. +# Note that this requires a modern browser other than Internet Explorer. +# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you +# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible. Older versions of IE do not have SVG support. + +INTERACTIVE_SVG = NO + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The MSCFILE_DIRS tag can be used to specify one or more directories that +# contain msc files that are included in the documentation (see the +# \mscfile command). + +MSCFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. 
Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). + +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES 
diff --git a/src/examples/logrotate b/src/examples/logrotate
new file mode 100644
index 0000000..ecf0c61
--- /dev/null
+++ b/src/examples/logrotate
@@ -0,0 +1,12 @@
+/var/log/sssd/*.log {
+ weekly
+ missingok
+ notifempty
+ sharedscripts
+ rotate 2
+ compress
+ delaycompress
+ postrotate
+ /bin/kill -HUP `cat /var/run/sssd.pid 2>/dev/null` 2> /dev/null || true
+ endscript
+}
diff --git a/src/examples/rwtab.in b/src/examples/rwtab.in
new file mode 100644
index 0000000..200bbb5
--- /dev/null
+++ b/src/examples/rwtab.in
@@ -0,0 +1 @@
+dirs @sharedstatedir@/sss
diff --git a/src/examples/sssd-example.conf b/src/examples/sssd-example.conf
new file mode 100644
index 0000000..34b2b22
--- /dev/null
+++ b/src/examples/sssd-example.conf
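Review bot: In src/examples/logrotate the postrotate hook sends SIGHUP to whatever number is stored in /var/run/sssd.pid without checking that the process is still sssd. logrotate normally runs this as root, so a stale pid file left after a crash could cause an unrelated process that reused the PID to be signalled, and `2> /dev/null || true` hides any failure. Consider adding a comment above the command such as `# relies on /var/run/sssd.pid being current and writable by root only`, or signalling through the service manager where one is available.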
@@ -0,0 +1,54 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+# SSSD will not start if you do not configure any domains.
+# Add new domain configurations as [domain/] sections, and
+# then add the list of domains (in the order you want them to be
+# queried) to the "domains" attribute below and uncomment it.
+; domains = LDAP
+
+[nss]
+
+[pam]
+
+# Example LDAP domain
+; [domain/LDAP]
+; id_provider = ldap
+; auth_provider = ldap
+# ldap_schema can be set to "rfc2307", which stores group member names in the
+# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
+# the "member" attribute. If you do not know this value, ask your LDAP
+# administrator.
+; ldap_schema = rfc2307
+; ldap_uri = ldap://ldap.mydomain.org
+; ldap_search_base = dc=mydomain,dc=org
+# Note that enabling enumeration will have a moderate performance impact.
+# Consequently, the default value for enumeration is FALSE.
+# Refer to the sssd.conf man page for full details.
+; enumerate = false
+# Allow offline logins by locally storing password hashes (default: false).
+; cache_credentials = true
+
+# An example Active Directory domain. Please note that this configuration
+# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
+# compliant attribute names. To support UNIX clients with AD 2003 or older,
+# you must install Microsoft Services For UNIX and map LDAP attributes onto
+# msSFU30* attribute names.
+; [domain/AD]
+; id_provider = ldap
+; auth_provider = krb5
+; chpass_provider = krb5
+;
+; ldap_uri = ldap://your.ad.example.com
+; ldap_search_base = dc=example,dc=com
+; ldap_schema = rfc2307bis
+; ldap_sasl_mech = GSSAPI
+; ldap_user_object_class = user
+; ldap_group_object_class = group
+; ldap_user_home_directory = unixHomeDirectory
+; ldap_user_principal = userPrincipalName
+; ldap_account_expire_policy = ad
+; ldap_force_upper_case_realm = true
+;
+; krb5_server = your.ad.example.com
+; krb5_realm = EXAMPLE.COM
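Review bot: The commented `[domain/LDAP]` example in src/examples/sssd-example.conf gives `ldap_uri = ldap://ldap.mydomain.org` with `id_provider = ldap` and shows no transport-security option. An administrator who only uncomments the block gets identity lookups over a connection that is neither encrypted nor server-authenticated, so user and group data reaching NSS could be altered in transit. The example should show the protection next to the URI, for instance `; ldap_id_use_start_tls = true` and `; ldap_tls_cacert = /path/to/ca.pem` (placeholder path), or an `ldaps://` URI. The comment above `cache_credentials` could also say that the stored hashes live in the local cache and inherit its file permissions.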
diff --git a/src/examples/sssd-shadowutils b/src/examples/sssd-shadowutils
new file mode 100644
index 0000000..626c7d0
--- /dev/null
+++ b/src/examples/sssd-shadowutils
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so
+account required pam_permit.so
diff --git a/src/examples/sssd.conf b/src/examples/sssd.conf
new file mode 100644
index 0000000..1e8b537
--- /dev/null
+++ b/src/examples/sssd.conf
@@ -0,0 +1,15 @@
+[sssd]
+services = nss, pam
+domains = shadowutils
+
+[nss]
+
+[pam]
+
+[domain/shadowutils]
+id_provider = files
+
+auth_provider = proxy
+proxy_pam_target = sssd-shadowutils
+
+proxy_fast_alias = True
diff --git a/src/examples/sssdproxytest b/src/examples/sssdproxytest
new file mode 100644
index 0000000..1421796
--- /dev/null
+++ b/src/examples/sssdproxytest
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth irequired pam_ldap.so
+
+account required pam_ldap.so
+
diff --git a/src/examples/sudo b/src/examples/sudo
new file mode 100644
index 0000000..4af91ba
--- /dev/null
+++ b/src/examples/sudo
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth required pam_sss.so
+account required pam_sss.so
+password required pam_sss.so
+session optional pam_keyinit.so revoke
+session required pam_limits.so
diff --git a/src/external/cifsidmap.m4 b/src/external/cifsidmap.m4
new file mode 100644
index 0000000..0aac8fa
--- /dev/null
+++ b/src/external/cifsidmap.m4
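Review bot: In src/examples/sssd-shadowutils the `nullok` option on the pam_unix.so auth line lets an account whose shadow entry has an empty password field authenticate without a password, and `success=done` makes that result final for the stack. The src/examples/sssd.conf added in the same commit names this file as its `proxy_pam_target`, so the behaviour applies to anyone who deploys the two examples together. Unless empty passwords are intended, drop the option: `auth [success=done ignore=ignore default=die] pam_unix.so try_first_pass`.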
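Review bot: In src/examples/sssdproxytest the auth line uses `irequired`, which is not a PAM control keyword and looks like a typo for `required`: `auth required pam_ldap.so`. How the PAM library handles an unrecognised control value depends on the implementation, so a service pointed at this file may fail every authentication or not enforce pam_ldap as the author meant; that should be confirmed on the target platform rather than assumed.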
@@ -0,0 +1,19 @@
+AC_ARG_ENABLE([cifs-idmap-plugin],
+ [AS_HELP_STRING([--disable-cifs-idmap-plugin],
+ [do not build CIFS idmap plugin])],
+ [build_cifs_idmap_plugin=$enableval],
+ [build_cifs_idmap_plugin=yes])
+
+AS_IF([test x$build_cifs_idmap_plugin = xyes],
+ [AC_CHECK_HEADER([cifsidmap.h], [],
+ [AC_MSG_ERROR([
+You must have the cifsidmap header installed to build the idmap plugin.
+If you want to build sssd withoud cifsidmap plugin then specify
+--disable-cifs-idmap-plugin when running configure.])])
+ ])
+
+AM_CONDITIONAL([BUILD_CIFS_IDMAP_PLUGIN],
+ [test x$build_cifs_idmap_plugin = xyes])
+
+AM_COND_IF([BUILD_CIFS_IDMAP_PLUGIN],
+ [AC_DEFINE_UNQUOTED(HAVE_CIFS_IDMAP_PLUGIN, 1, [Build with cifs idmap plugin])])
diff --git a/src/external/crypto.m4 b/src/external/crypto.m4
new file mode 100644
index 0000000..b08c832
--- /dev/null
+++ b/src/external/crypto.m4
@@ -0,0 +1,10 @@
+AC_DEFUN([AM_CHECK_NSS],
+ [PKG_CHECK_MODULES([NSS],[nss])
+ AC_DEFINE_UNQUOTED(HAVE_NSS, 1, [Build with NSS crypto back end])
+])
+
+AC_DEFUN([AM_CHECK_LIBCRYPTO],
+ [PKG_CHECK_MODULES([CRYPTO],[libcrypto])
+ PKG_CHECK_MODULES([SSL],[libssl])
+ AC_DEFINE_UNQUOTED(HAVE_LIBCRYPTO, 1, [Build with libcrypt crypto back end])
+])
diff --git a/src/external/cwrap.m4 b/src/external/cwrap.m4
new file mode 100644
index 0000000..b8489cc
--- /dev/null
+++ b/src/external/cwrap.m4
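Review bot: The AC_MSG_ERROR text in src/external/cifsidmap.m4 contains the typo `withoud`; the line should read `If you want to build sssd without the cifsidmap plugin then specify`. The two `test x$build_cifs_idmap_plugin = xyes` expansions are also unquoted, and writing `test "x$build_cifs_idmap_plugin" = xyes` keeps the test well-formed for any value passed as `--enable-cifs-idmap-plugin=VALUE`.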
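Review bot: In src/external/crypto.m4 the description given to AC_DEFINE_UNQUOTED for HAVE_LIBCRYPTO reads `Build with libcrypt crypto back end`, while the macro probes the pkg-config modules `libcrypto` and `libssl`. libcrypt is a different library, so the generated config.h comment misnames the cryptographic back end that was selected. Use `[Build with libcrypto crypto back end]`.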
@@ -0,0 +1,30 @@
+dnl A macro to check presence of a cwrap wrapper on the system
+dnl Usage:
+dnl AM_CHECK_WRAPPER(name, conditional)
+dnl If the cwrap library is found, sets the HAVE_$name conditional
+AC_DEFUN([AM_CHECK_WRAPPER],
+[
+ AC_MSG_CHECKING([for $1])
+ PKG_CHECK_EXISTS([$1],
+ [
+ AC_MSG_RESULT([yes])
+ AC_SUBST([$2], [yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ AC_SUBST([$2], [no])
+ AC_MSG_WARN([cwrap library $1 not found, some tests will not run])
+ ])
+
+ AM_CONDITIONAL($2, [ test x$$2 = xyes])
+])
+
+AC_DEFUN([AM_CHECK_UID_WRAPPER],
+[
+ AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
+])
+
+AC_DEFUN([AM_CHECK_NSS_WRAPPER],
+[
+ AM_CHECK_WRAPPER(nss_wrapper, HAVE_NSS_WRAPPER)
+])
diff --git a/src/external/docbook.m4 b/src/external/docbook.m4
new file mode 100644
index 0000000..deb8632
--- /dev/null
+++ b/src/external/docbook.m4
@@ -0,0 +1,32 @@
+dnl Checks for tools needed to generate manual pages
+AC_DEFUN([CHECK_XML_TOOLS],
+[
+ AC_PATH_PROG([XSLTPROC], [xsltproc])
+ if test ! -x "$XSLTPROC"; then
+ AC_MSG_ERROR([Could not find xsltproc])
+ fi
+
+ AC_PATH_PROG([XMLLINT], [xmllint])
+ if test ! -x "$XMLLINT"; then
+ AC_MSG_ERROR([Could not find xmllint])
+ fi
+])
+
+dnl Usage:
+dnl CHECK_STYLESHEET_URI(FILE, URI, [FRIENDLY-NAME], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])
+dnl Checks if the XML catalog given by FILE exists and
+dnl if a particular URI appears in the XML catalog
+AC_DEFUN([CHECK_STYLESHEET],
+[
+ AC_CHECK_FILE($1, [], [AC_MSG_ERROR([could not find XML catalog])])
+
+ AC_MSG_CHECKING([for ifelse([$3],,[$2],[$3]) in XML catalog])
+ if AC_RUN_LOG([$XSLTPROC --catalogs --nonet --noout "$2" >&2]); then
+ AC_MSG_RESULT([yes])
+ m4_ifval([$4], [$4], [:])
+ else
+ AC_MSG_RESULT([no])
+ m4_ifval([$5], [$5], [:])
+ fi
+])
+
diff --git a/src/external/glib.m4 b/src/external/glib.m4
new file mode 100644
index 0000000..3db2513
--- /dev/null
+++ b/src/external/glib.m4
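Review bot: The usage comment in src/external/docbook.m4 documents `CHECK_STYLESHEET_URI(FILE, URI, …)`, but the macro defined directly below it is `AC_DEFUN([CHECK_STYLESHEET]`, so the documented name does not exist. Correct the comment to `dnl CHECK_STYLESHEET(FILE, URI, [FRIENDLY-NAME], [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND])`. The same comment could state that the xsltproc probe is run with `--nonet`, so the URI has to resolve through the local XML catalog and nothing is fetched during configure.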
@@ -0,0 +1,11 @@
+PKG_CHECK_MODULES([GLIB2],[glib-2.0])
+
+if test x$has_glib2 != xno; then
+ SAFE_LIBS="$LIBS"
+ LIBS="$GLIB2_LIBS"
+
+ AC_CHECK_FUNC([g_utf8_validate],
+ AC_DEFINE([HAVE_G_UTF8_VALIDATE], [1],
+ [Define if g_utf8_validate exists]))
+ LIBS="$SAFE_LIBS"
+fi
diff --git a/src/external/inotify.m4 b/src/external/inotify.m4
new file mode 100644
index 0000000..3ae5ae3
--- /dev/null
+++ b/src/external/inotify.m4
@@ -0,0 +1,34 @@
+dnl A macro to check if inotify works
+AC_DEFUN([AM_CHECK_INOTIFY],
+[
+ AC_CHECK_HEADERS([sys/inotify.h])
+
+ AC_MSG_CHECKING([whether sys/inotify.h actually works])
+ AC_LINK_IFELSE(
+ [AC_LANG_SOURCE([
+#ifdef HAVE_SYS_INOTIFY_H
+#include
+#endif
+int main () {
+ return (-1 == inotify_init());
+}])],
+ [AC_MSG_RESULT([yes]); inotify_works=yes],
+ [AC_MSG_RESULT([no])]
+ )
+
+ SSS_AC_EXPAND_LIB_DIR()
+ AS_IF([test x"$inotify_works" != xyes],
+ [AC_CHECK_LIB([inotify],
+ [inotify_init],
+ [INOTIFY_LIBS="$sss_extra_libdir -linotify"
+ inotify_works=yes],
+ [inotify_works=no],
+ [$sss_extra_libdir])]
+ )
+
+ AS_IF([test x"$inotify_works" = xyes],
+ [AC_DEFINE_UNQUOTED([HAVE_INOTIFY], [1], [Inotify works])])
+ AC_SUBST(INOTIFY_LIBS)
+
+ AM_CONDITIONAL([HAVE_INOTIFY], [test x"$inotify_works" = xyes])
+])
diff --git a/src/external/intgcheck.m4 b/src/external/intgcheck.m4
new file mode 100644
index 0000000..60a7bf3
--- /dev/null
+++ b/src/external/intgcheck.m4
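Review bot: In src/external/glib.m4 the guard `if test x$has_glib2 != xno` tests a variable that nothing in this hunk assigns. PKG_CHECK_MODULES is called without an action-if-not-found, so configure stops on a missing glib-2.0 before the guard could matter. Unless `has_glib2` is set elsewhere, the condition is always true and should either be removed or be driven by the pkg-config result. If it stays, quote the expansion as `test "x$has_glib2" != xno` so an unexpected value cannot break the test.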
@@ -0,0 +1,35 @@
+AC_CHECK_PROG([HAVE_FAKEROOT], [fakeroot], [yes], [no])
+
+AC_PATH_PROG([PYTEST], [py.test])
+AS_IF([test -n "$PYTEST"], [HAVE_PYTEST=yes], [HAVE_PYTEST=no])
+
+dnl Check for variable and fail unless value is "yes"
+dnl The second argument will be printed in error message in case of error
+dnl Usage:
+dnl SSS_INTGCHECK_REQ(variable, message)
+
+AC_DEFUN([SSS_INTGCHECK_REQ], [
+ AS_IF([test x$$1 = xyes], , [
+ AC_MSG_ERROR([cannot enable integration tests: $2 not found])])
+])
+
+AC_DEFUN([SSS_ENABLE_INTGCHECK_REQS], [
+ AC_ARG_ENABLE(intgcheck-reqs,
+ [AS_HELP_STRING([--enable-intgcheck-reqs],
+ [enable checking for integration test requirements [default=no]])],
+ [enable_intgcheck_reqs="$enableval"],
+ [enable_intgcheck_reqs="no"])
+ if test x"$enable_intgcheck_reqs" = xyes; then
+ SSS_INTGCHECK_REQ([HAVE_UID_WRAPPER], [uid_wrapper])
+ SSS_INTGCHECK_REQ([HAVE_NSS_WRAPPER], [nss_wrapper])
+ SSS_INTGCHECK_REQ([HAVE_SLAPD], [slapd])
+ SSS_INTGCHECK_REQ([HAVE_LDAPMODIFY], [ldapmodify])
+ SSS_INTGCHECK_REQ([HAVE_FAKEROOT], [fakeroot])
+ SSS_INTGCHECK_REQ([HAVE_PYTHON2], [python2])
+ SSS_INTGCHECK_REQ([HAVE_PYTEST], [pytest])
+ SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [python-ldap])
+ SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb])
+ fi
+])
+
+AM_CONDITIONAL([INTG_BUILD], [test x"$enable_intgcheck_reqs" = xyes])
diff --git a/src/external/krb5.m4 b/src/external/krb5.m4
new file mode 100644
index 0000000..b844c2f
--- /dev/null
+++ b/src/external/krb5.m4
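Review bot: In SSS_ENABLE_INTGCHECK_REQS the `pyldb` requirement tests `HAVE_PY2MOD_LDAP`, the same variable as the `python-ldap` line directly above it, so this list never reports a missing ldb Python module. It looks like a copy-and-paste slip in `SSS_INTGCHECK_REQ([HAVE_PY2MOD_LDAP], [pyldb])`. The first argument should be the variable set by the ldb module probe, which is defined outside this hunk.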
@@ -0,0 +1,116 @@
+AC_SUBST(KRB5_CFLAGS)
+AC_SUBST(KRB5_LIBS)
+
+if test x$KRB5_LIBS != x; then
+ KRB5_PASSED_LIBS=$KRB5_LIBS
+fi
+
+if test x$KRB5_CFLAGS != x; then
+ KRB5_PASSED_CFLAGS=$KRB5_CFLAGS
+fi
+
+AC_PATH_TOOL(KRB5_CONFIG, krb5-config)
+AC_MSG_CHECKING(for working krb5-config)
+if test -x "$KRB5_CONFIG"; then
+ KRB5_CFLAGS="`$KRB5_CONFIG --cflags`"
+ KRB5_LIBS="`$KRB5_CONFIG --libs`"
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT([no])
+ if test x$KRB5_PASSED_LIBS = x; then
+ AC_MSG_ERROR([Please install MIT kerberos devel package])
+ fi
+fi
+
+if test x$KRB5_PASSED_LIBS != x; then
+ KRB5_LIBS=$KRB5_PASSED_LIBS
+fi
+
+if test x$KRB5_PASSED_CFLAGS != x; then
+ KRB5_CFLAGS=$KRB5_PASSED_CFLAGS
+fi
+
+AC_ARG_VAR([KRB5_CFLAGS], [C compiler flags for kerberos, overriding krb5-config])dnl
+AC_ARG_VAR([KRB5_LIBS], [linker flags for kerberos, overriding krb5-config])dnl
+
+SAVE_CFLAGS=$CFLAGS
+SAVE_LIBS=$LIBS
+CFLAGS="$CFLAGS $KRB5_CFLAGS"
+LIBS="$LIBS $KRB5_LIBS"
+AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
+AC_CHECK_TYPES([krb5_ticket_times, krb5_times, krb5_trace_info], [], [],
+ [ #ifdef HAVE_KRB5_KRB5_H
+ #include
+ #else
+ #include
+ #endif
+ ])
+AC_CHECK_FUNCS([krb5_get_init_creds_opt_alloc krb5_get_error_message \
+ krb5_free_unparsed_name \
+ krb5_get_init_creds_opt_set_expire_callback \
+ krb5_get_init_creds_opt_set_fast_ccache_name \
+ krb5_get_init_creds_opt_set_fast_flags \
+ krb5_get_init_creds_opt_set_canonicalize \
+ krb5_get_init_creds_opt_set_responder \
+ krb5_parse_name_flags \
+ krb5_unparse_name_flags \
+ krb5_get_init_creds_opt_set_change_password_prompt \
+ krb5_free_keytab_entry_contents \
+ krb5_kt_free_entry \
+ krb5_princ_realm \
+ krb5_get_time_offsets \
+ krb5_principal_get_realm \
+ krb5_cc_cache_match \
+ krb5_timestamp_to_sfstring \
+ krb5_set_trace_callback \
+ krb5_find_authdata \
+ krb5_kt_have_content \
+ krb5_cc_get_full_name])
+CFLAGS=$SAVE_CFLAGS
+LIBS=$SAVE_LIBS
+CFLAGS="$CFLAGS $KRB5_CFLAGS"
+LIBS="$LIBS $KRB5_LIBS"
+
+if test x$ac_cv_header_krb5_h != xyes -a x$ac_cv_header_krb5_krb5_h != xyes
+then
+ AC_MSG_ERROR(you must have Kerberos 5 header files to build sssd)
+fi
+
+AC_ARG_ENABLE([krb5-locator-plugin],
+ [AS_HELP_STRING([--disable-krb5-locator-plugin],
+ [do not build Kerberos locator plugin])],
+ [build_locator=$enableval],
+ [build_locator=yes])
+
+AC_CHECK_HEADER([krb5/locate_plugin.h],
+ [have_locate_plugin=yes],
+ [have_locate_plugin=no]
+ [AC_MSG_NOTICE([Kerberos locator plugin cannot be built])],
+ [ #ifdef HAVE_KRB5_KRB5_H
+ #include
+ #else
+ #include
+ #endif
+ ])
+AM_CONDITIONAL([BUILD_KRB5_LOCATOR_PLUGIN],
+ [test x$have_locate_plugin = xyes -a x$build_locator = xyes])
+AM_COND_IF([BUILD_KRB5_LOCATOR_PLUGIN],
+ [AC_DEFINE_UNQUOTED(HAVE_KRB5_LOCATOR_PLUGIN, 1, [Build with krb5 locator plugin])])
+
+AC_CHECK_HEADER([krb5/localauth_plugin.h],
+ [have_localauth_plugin=yes],
+ [have_localauth_plugin=no]
+ [AC_MSG_NOTICE([Kerberos localauth plugin cannot be built])],
+ [ #ifdef HAVE_KRB5_KRB5_H
+ #include
+ #else
+ #include
+ #endif
+ ])
+AM_CONDITIONAL([BUILD_KRB5_LOCALAUTH_PLUGIN],
+ [test x$have_localauth_plugin = xyes])
+AM_COND_IF([BUILD_KRB5_LOCALAUTH_PLUGIN],
+ [AC_DEFINE_UNQUOTED(HAVE_KRB5_LOCALAUTH_PLUGIN, 1, [Build with krb5 localauth plugin])])
+
+CFLAGS=$SAVE_CFLAGS
+LIBS=$SAVE_LIBS
diff --git a/src/external/ldap.m4 b/src/external/ldap.m4
new file mode 100644
index 0000000..cd13fde
--- /dev/null
+++ b/src/external/ldap.m4
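Review bot: The guards in src/external/krb5.m4 that handle caller-supplied flags (`test x$KRB5_LIBS != x`, `test x$KRB5_CFLAGS != x` and the matching `KRB5_PASSED_*` tests) expand the variables unquoted. A multi-word value such as a list of `-L` and `-l` options makes `test` fail with a syntax error, so the branch is skipped and the value is not carried into `KRB5_PASSED_LIBS`. The setting that AC_ARG_VAR describes as "overriding krb5-config" is then silently replaced by krb5-config's output, and the build may compile and link against a different Kerberos installation than the one requested. Quote the expansions, for example `if test "x$KRB5_LIBS" != x; then` and `if test "x$KRB5_PASSED_LIBS" != x; then`.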
@@ -0,0 +1,96 @@
+dnl AC_SUBST(LDAP_LIBS)
+dnl
+dnl AC_CHECK_HEADERS(lber.h ldap.h, , AC_MSG_ERROR("could not locate LDAP header files please install devel package"))
+dnl
+dnl AC_CHECK_LIB(lber, main, LDAP_LIBS="-llber $LDAP_LIBS")
+dnl AC_CHECK_LIB(ldap, main, LDAP_LIBS="-lldap $LDAP_LIBS")
+dnl
+dnl ---------------------------------------------------------------------------
+dnl - Check for Mozilla LDAP or OpenLDAP SDK
+dnl ---------------------------------------------------------------------------
+
+for p in /usr/include/openldap24 /usr/local/include; do
+ if test -f "${p}/ldap.h"; then
+ OPENLDAP_CFLAGS="${OPENLDAP_CFLAGS} -I${p}"
+ break;
+ fi
+done
+
+for p in /usr/lib64/openldap24 /usr/lib/openldap24 /usr/local/lib ; do
+ if test -f "${p}/libldap.so"; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -L${p}"
+ break;
+ fi
+done
+
+SAVE_CFLAGS=$CFLAGS
+SAVE_LIBS=$LIBS
+CFLAGS="$CFLAGS $OPENLDAP_CFLAGS"
+LIBS="$LIBS $OPENLDAP_LIBS"
+AC_CHECK_LIB(ldap, ldap_search, with_ldap=yes)
+dnl Check for other libraries we need to link with to get the main routines.
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes], , -llber) }
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes], , -llber -lkrb) }
+test "$with_ldap" != "yes" && { AC_CHECK_LIB(ldap, ldap_open, [with_ldap=yes with_ldap_lber=yes with_ldap_krb=yes with_ldap_des=yes], , -llber -lkrb -ldes) }
+CFLAGS=$SAVE_CFLAGS
+LIBS=$SAVE_LIBS
+dnl Recently, we need -lber even though the main routines are elsewhere,
+dnl because otherwise we get link errors w.r.t. ber_pvt_opt_on. So just
+dnl check for that (it's a variable not a fun but that doesn't seem to
+dnl matter in these checks) and stick in -lber if so. Can't hurt (even to
+dnl stick it in always shouldn't hurt, I don't think) ... #### Someone who
+dnl #### understands LDAP needs to fix this properly.
+test "$with_ldap_lber" != "yes" && { AC_CHECK_LIB(lber, ber_pvt_opt_on, with_ldap_lber=yes) }
+
+if test "$with_ldap" = "yes"; then
+ if test "$with_ldap_des" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -ldes"
+ fi
+ if test "$with_ldap_krb" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lkrb"
+ fi
+ if test "$with_ldap_lber" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
+ fi
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
+else
+ AC_MSG_ERROR([OpenLDAP not found])
+fi
+
+AC_SUBST(OPENLDAP_LIBS)
+AC_SUBST(OPENLDAP_CFLAGS)
+
+SAVE_CFLAGS=$CFLAGS
+SAVE_LIBS=$LIBS
+CFLAGS="$CFLAGS $OPENLDAP_CFLAGS"
+LIBS="$LIBS $OPENLDAP_LIBS"
+AC_CHECK_FUNCS([ldap_control_create ldap_init_fd \
+ ldap_create_deref_control_value \
+ ldap_parse_derefresponse_control \
+ ldap_derefresponse_free])
+AC_CHECK_MEMBERS([struct ldap_conncb.lc_arg],
+ [AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[ #include ]],
+ [[
+ struct ldap_conncb cb;
+ return ldap_set_option(NULL, LDAP_OPT_CONNECT_CB, &cb);
+ ]] )],
+ [AC_DEFINE([HAVE_LDAP_CONNCB], [1],
+ [Define if LDAP connection callbacks are available])],
+ [AC_MSG_WARN([Found broken callback implementation])],
+ [])],
+ [], [[#include ]])
+
+AC_CHECK_TYPE([LDAPDerefRes],
+ [],
+ [AC_MSG_ERROR([The OpenLDAP version found does not contain the required type LDAPDerefRes])],
+ [[#include ]])
+
+CFLAGS=$SAVE_CFLAGS
+LIBS=$SAVE_LIBS
+
+AC_PATH_PROG([SLAPD], [slapd], ,
+ [$PATH$PATH_SEPARATOR/usr/sbin$PATH_SEPARATOR])
+AS_IF([test -n "$SLAPD"], [HAVE_SLAPD=yes], [HAVE_SLAPD=no])
+AC_CHECK_PROG([HAVE_LDAPMODIFY], [ldapmodify], [yes], [no])
diff --git a/src/external/libcares.m4 b/src/external/libcares.m4
new file mode 100644
index 0000000..0a764d3
--- /dev/null
+++ b/src/external/libcares.m4
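Review bot: The search path given to `AC_PATH_PROG([SLAPD], ...)` at the end of the hunk ends with `$PATH_SEPARATOR`, which leaves an empty last element. An empty path element is conventionally read as the current directory, so a `slapd` file in the directory where configure runs could be selected for the test setup. Drop the trailing separator: `[$PATH$PATH_SEPARATOR/usr/sbin])`.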
@@ -0,0 +1,15 @@
+AC_SUBST(CARES_LIBS)
+AC_SUBST(CARES_CFLAGS)
+
+PKG_CHECK_MODULES([CARES], [libcares], [found_libcares=yes], [found_libcares=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_libcares" != xyes],
+ [AC_CHECK_HEADERS([ares.h],
+ [AC_CHECK_LIB([cares],
+ [ares_init],
+ [CARES_LIBS="-L$sss_extra_libdir -lcares"],
+ [AC_MSG_ERROR([No usable c-ares library found])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([c-ares header files are not installed])])]
+)
diff --git a/src/external/libcmocka.m4 b/src/external/libcmocka.m4
new file mode 100644
index 0000000..230aa92
--- /dev/null
+++ b/src/external/libcmocka.m4
@@ -0,0 +1,18 @@
+dnl A macro to check presence of cmocka on the system
+AC_DEFUN([AM_CHECK_CMOCKA],
+[
+ PKG_CHECK_EXISTS(cmocka >= 1.0.0,
+ [AC_CHECK_HEADERS([stdarg.h stddef.h setjmp.h],
+ [], dnl We are only intrested in action-if-not-found
+ [AC_MSG_WARN([Header files stdarg.h stddef.h setjmp.h are required by cmocka])
+ cmocka_required_headers="no"
+ ]
+ )
+ AS_IF([test x"$cmocka_required_headers" != x"no"],
+ [PKG_CHECK_MODULES([CMOCKA], [cmocka], [have_cmocka="yes"])]
+ )],
+ dnl PKG_CHECK_EXISTS ACTION-IF-NOT-FOUND
+ [AC_MSG_WARN([No libcmocka-1.0.0 or newer library found, cmocka tests will not be built])]
+ )
+ AM_CONDITIONAL([HAVE_CMOCKA], [test x$have_cmocka = xyes])
+])
diff --git a/src/external/libcollection.m4 b/src/external/libcollection.m4
new file mode 100644
index 0000000..0f737c1
--- /dev/null
+++ b/src/external/libcollection.m4
@@ -0,0 +1,9 @@
+AC_SUBST(COLLECTION_CFLAGS)
+AC_SUBST(COLLECTION_LIBS)
+
+PKG_CHECK_MODULES(COLLECTION,
+ collection >= 0.5.1,
+ ,
+ AC_MSG_ERROR("Please install libcollection-devel")
+ )
+
diff --git a/src/external/libcurl.m4 b/src/external/libcurl.m4
new file mode 100644
index 0000000..94cea9e
--- /dev/null
+++ b/src/external/libcurl.m4
@@ -0,0 +1,28 @@
+PKG_CHECK_MODULES([CURL], [libcurl], [found_libcurl=yes],
+ [AC_MSG_ERROR([The libcurl development library was not found.
+You must have the header file curl/curl.h installed to build sssd
+with secrets and KCM responder. If you want to build sssd without these
+responders then specify --without-secrets --without-kcm when running configure.
+])])
+
+AS_IF([test x"$found_libcurl" = xyes],
+ CFLAGS="$CFLAGS $CURL_CFLAGS"
+
+ AC_MSG_CHECKING([For CURLOPT_UNIX_SOCKET_PATH support in libcurl])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM(
+ [[#include
+ CURLoption opt = CURLOPT_UNIX_SOCKET_PATH;
+ ]])],
+ [have_curlopt_unix_sockpath=yes]
+ [AC_MSG_RESULT([yes])],
+ [have_curlopt_unix_sockpath=no]
+ [AC_MSG_RESULT([no, libcurl support will be disabled])],)
+
+ CFLAGS=$SAVE_CFLAGS
+)
+
+AC_SUBST(CURL_LIBS)
+AC_SUBST(CURL_CFLAGS)
+
+AM_COND_IF([BUILD_WITH_LIBCURL],
+ [AC_DEFINE_UNQUOTED(HAVE_LIBCURL, 1, [Build with libcurl support])])
diff --git a/src/external/libdhash.m4 b/src/external/libdhash.m4
new file mode 100644
index 0000000..2ca5136
--- /dev/null
+++ b/src/external/libdhash.m4
@@ -0,0 +1,9 @@
+AC_SUBST(DHASH_CFLAGS)
+AC_SUBST(DHASH_LIBS)
+
+PKG_CHECK_MODULES(DHASH,
+ dhash >= 0.4.2,
+ ,
+ AC_MSG_ERROR("Please install libdhash-devel")
+ )
+
diff --git a/src/external/libhttp_parser.m4 b/src/external/libhttp_parser.m4
new file mode 100644
index 0000000..3a5ef0d
--- /dev/null
+++ b/src/external/libhttp_parser.m4
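Review bot: In libcurl.m4 the `AS_IF` body appends `$CURL_CFLAGS` to `CFLAGS` and then restores it with `CFLAGS=$SAVE_CFLAGS`, but nothing in this file assigns `SAVE_CFLAGS`. The restore therefore uses whatever value an earlier macro file left in that variable, which can drop or resurrect compiler flags depending on include order. Save the value in the same block, `SAVE_CFLAGS=$CFLAGS`, directly before `CFLAGS="$CFLAGS $CURL_CFLAGS"`. The result variable `have_curlopt_unix_sockpath` is not read in this hunk, while `HAVE_LIBCURL` depends on `BUILD_WITH_LIBCURL`, which is defined elsewhere; it is worth confirming that the two are connected.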
@@ -0,0 +1,22 @@
+AC_SUBST(HTTP_PARSER_LIBS)
+AC_SUBST(HTTP_PARSER_CFLAGS)
+
+PKG_CHECK_MODULES([HTTP_PARSER], [http_parser], [found_http_parser=yes], [found_http_parser=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_http_parser" != xyes],
+ [AC_CHECK_HEADERS([http_parser.h],
+ [AC_CHECK_LIB([http_parser_strict],
+ [http_parser_init],
+ [HTTP_PARSER_LIBS="-L$sss_extra_libdir -lhttp_parser_strict"],
+ [AC_CHECK_LIB([http_parser],
+ [http_parser_init],
+ [HTTP_PARSER_LIBS="-L$sss_extra_libdir -lhttp_parser"],
+ [AC_MSG_ERROR([libhttp_parser missing http_parser_init])],
+ [-L$sss_extra_libdir -lhttp_parser])
+ ],
+ [-L$sss_extra_libdir -lhttp_parser_strict])],
+ [AC_MSG_ERROR([
+You must have the header file http_parser.h installed to build sssd
+with secrets responder. If you want to build sssd without secret responder
+then specify --without-secrets when running configure.])])])
diff --git a/src/external/libini_config.m4 b/src/external/libini_config.m4
new file mode 100644
index 0000000..a2bba42
--- /dev/null
+++ b/src/external/libini_config.m4
@@ -0,0 +1,48 @@
+PKG_CHECK_MODULES(INI_CONFIG_V0, [
+ ini_config >= 0.6.1], [
+
+ INI_CONFIG_CFLAGS="$INI_CONFIG_V0_CFLAGS"
+ INI_CONFIG_LIBS="$INI_CONFIG_V0_LIBS"
+ HAVE_LIBINI_CONFIG_V0=1
+ AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V0, 1, [libini_config version 0.6.1 or greater])
+ PKG_CHECK_MODULES(INI_CONFIG_V1, [
+ ini_config >= 1.0.0], [
+
+ INI_CONFIG_CFLAGS="$INI_CONFIG_V1_CFLAGS"
+ INI_CONFIG_LIBS="$INI_CONFIG_V1_LIBS"
+ HAVE_LIBINI_CONFIG_V1=1
+ AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V1, 1, [libini_config version 1.0.0 or greater])
+ PKG_CHECK_MODULES(INI_CONFIG_V1_1, [
+ ini_config >= 1.1.0], [
+
+ INI_CONFIG_CFLAGS="$INI_CONFIG_V1_1_CFLAGS"
+ INI_CONFIG_LIBS="$INI_CONFIG_V1_1_LIBS"
+ HAVE_LIBINI_CONFIG_V1_1=1
+ AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V1_1, 1, [libini_config version 1.1.0 or greater])
+ PKG_CHECK_MODULES(INI_CONFIG_V1_3, [
+ ini_config >= 1.3.0], [
+
+ INI_CONFIG_CFLAGS="$INI_CONFIG_V1_3_CFLAGS"
+ INI_CONFIG_LIBS="$INI_CONFIG_V1_3_LIBS"
+ HAVE_LIBINI_CONFIG_V1_3=1
+ AC_DEFINE_UNQUOTED(HAVE_LIBINI_CONFIG_V1_3, 1,
+ [libini_config version 1.3.0 or greater])
+ ], [
+ AC_MSG_WARN([libini_config-devel >= 1.3.0 not available, using older version])
+ ]
+ )
+ ], [
+ AC_MSG_WARN([libini_config-devel >= 1.1.0 not available, using older version])
+ ]
+ )
+ ], [
+ AC_MSG_WARN([libini_config-devel >= 1.0.0 not available, using older version])
+ ]
+ )
+ ], [
+ AC_MSG_ERROR([Please install libini_config-devel])
+ ]
+)
+
+AC_SUBST(INI_CONFIG_CFLAGS)
+AC_SUBST(INI_CONFIG_LIBS)
diff --git a/src/external/libjansson.m4 b/src/external/libjansson.m4
new file mode 100644
index 0000000..d877698
--- /dev/null
+++ b/src/external/libjansson.m4
@@ -0,0 +1,18 @@
+AC_SUBST(JANSSON_LIBS)
+AC_SUBST(JANSSON_CFLAGS)
+
+PKG_CHECK_MODULES([JANSSON], [jansson], [found_jansson=yes], [found_jansson=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_jansson" != xyes],
+ [AC_CHECK_HEADERS([jansson.h],
+ [AC_CHECK_LIB([jansson],
+ [jansson_loads],
+ [JANSSON_LIBS="-L$sss_extra_libdir -ljansson"],
+ [AC_MSG_ERROR([libjansson missing jansson_loads])],
+ [-L$sss_extra_libdir -ljanson])],
+ [AC_MSG_ERROR([
+You must have the header file jansson.h installed to build sssd
+with secrets and KCM responder. If you want to build sssd without these
+responders then specify --without-secrets --without-kcm when running configure.
+])])])
diff --git a/src/external/libkeyutils.m4 b/src/external/libkeyutils.m4
new file mode 100644
index 0000000..5753d77
--- /dev/null
+++ b/src/external/libkeyutils.m4
@@ -0,0 +1,11 @@
+AC_SUBST(KEYUTILS_LIBS)
+
+AC_CHECK_HEADERS([keyutils.h],
+ [AC_CHECK_LIB([keyutils], [add_key],
+ [AC_DEFINE(USE_KEYRING, 1, [Define if the keyring should be used])
+ KEYUTILS_LIBS="-lkeyutils"
+ ],
+ [AC_MSG_WARN([No usable keyutils library found])]
+ )],
+ [AC_MSG_WARN([keyutils header files are not available])]
+)
diff --git a/src/external/libldb.m4 b/src/external/libldb.m4
new file mode 100644
index 0000000..c400add
--- /dev/null
+++ b/src/external/libldb.m4
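Review bot: The fallback branch of libjansson.m4 probes for the symbol `jansson_loads` and passes `-ljanson` as an extra library, but the Jansson entry point is `json_loads` and the library name is `jansson`. When pkg-config does not find the module, this check would therefore fail even with the library installed. Suggested lines: `[json_loads],` for the symbol and `[-L$sss_extra_libdir])],` for the extra libraries, with the `AC_MSG_ERROR` text changed to name `json_loads`.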
@@ -0,0 +1,42 @@
+AC_SUBST(LDB_CFLAGS)
+AC_SUBST(LDB_LIBS)
+
+PKG_CHECK_MODULES(LDB, ldb >= 0.9.2)
+
+AC_CHECK_HEADERS(ldb.h ldb_module.h,
+ [AC_CHECK_LIB(ldb, ldb_init, [LDB_LIBS="-lldb"], , -ltevent -ltdb -ldl -lldap) ],
+ [AC_MSG_ERROR([LDB header files are not installed])]
+)
+
+AC_ARG_WITH([ldb-lib-dir],
+ [AC_HELP_STRING([--with-ldb-lib-dir=PATH],
+ [Path to store ldb modules [${libdir}/ldb]]
+ )
+ ]
+ )
+
+if test x"$with_ldb_lib_dir" != x; then
+ ldblibdir=$with_ldb_lib_dir
+else
+ ldblibdir="`$PKG_CONFIG --variable=modulesdir ldb`"
+ if ! test -d $ldblibdir; then
+ ldblibdir="${libdir}/ldb"
+ fi
+fi
+
+AC_MSG_CHECKING([feature ldb runtime version check])
+AC_ARG_ENABLE(ldb-version-check,
+ [AS_HELP_STRING([--enable-ldb-version-check],
+ [compile with ldb runtime version check [default=no]])],
+ enable_ldb_version_check="$enableval",
+ enable_ldb_version_check="no")
+if test x"$enable_ldb_version_check" = xyes ; then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE([SSS_LDB_VERSION_CHECK], [1],
+ [Define to 1 if you want ldb version check.])
+else
+ AC_MSG_RESULT([no])
+fi
+
+AC_MSG_NOTICE([ldb lib directory: $ldblibdir])
+AC_SUBST(ldblibdir)
diff --git a/src/external/libnfsidmap.m4 b/src/external/libnfsidmap.m4
new file mode 100644
index 0000000..676e2f9
--- /dev/null
+++ b/src/external/libnfsidmap.m4
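Review bot: `if ! test -d $ldblibdir; then` expands the variable unquoted, so when `$PKG_CONFIG --variable=modulesdir ldb` prints nothing the command becomes `test -d`. A one-argument `test` is true for any non-empty string, so the negation is false, the `${libdir}/ldb` fallback is skipped and `ldblibdir` stays empty. Quote the expansion: `if ! test -d "$ldblibdir"; then`.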
@@ -0,0 +1,29 @@
+AC_SUBST(NFSIDMAP_OBJ)
+AC_SUBST(NFSIDMAP_CFLAGS)
+AC_SUBST(NFSIDMAP_LIBS)
+
+AS_IF([test x"$with_nfsv4_idmap" = xyes], [
+ PKG_CHECK_MODULES([NFSIDMAP], [libnfsidmap], [found_nfsidmap=yes],
+ [found_nfsidmap=no])
+
+ SSS_AC_EXPAND_LIB_DIR()
+ AS_IF([test x"$found_nfsidmap" != xyes],
+ [AC_CHECK_HEADER([nfsidmap.h],
+ [AC_CHECK_LIB([nfsidmap],
+ [nfs4_init_name_mapping],
+ [NFSIDMAP_LIBS="-L$sss_extra_libdir -lnfsidmap"],
+ [AC_MSG_ERROR([libnfsidmap missing nfs4_init_name_mapping])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([libnfsidmap header files are not installed]
+If you want to build sssd without nfs idmap pluging then specify
+--without-nfsv4-idmapd-plugin when running configure.)])])
+
+ AC_CHECK_HEADERS([nfsidmap_plugin.h], [], [],
+ [#ifdef HAVE_STDLIB_H
+# include
+#endif
+#ifdef HAVE_STDINT_H
+# include
+#endif
+#include ])
+])
diff --git a/src/external/libnl.m4 b/src/external/libnl.m4
new file mode 100644
index 0000000..25be3f1
--- /dev/null
+++ b/src/external/libnl.m4
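Review bot: The `AC_MSG_ERROR` for the missing `nfsidmap.h` header closes its quoted argument right after `installed`, so the two message lines that follow sit outside the `[...]` quoting and are exposed to macro expansion. Move the closing bracket to the end of the message, so that the argument ends `... when running configure.])`, as the other multi-line error messages in this import do. The same text has `pluging` where `plugin` is meant.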
@@ -0,0 +1,88 @@
+dnl A macro to check if this particular version of libnl supports particular common libnl functions
+AC_DEFUN([AM_CHECK_LIBNL_FCS],
+[
+ AC_CHECK_LIB($1,
+ [nl_socket_add_membership],
+ [AC_DEFINE([HAVE_NL_SOCKET_ADD_MEMBERSHIP], 1, [Does libnl have nl_socket_add_membership?])
+ ],
+ )
+
+ AC_CHECK_LIB($1,
+ [nl_socket_modify_cb],
+ [AC_DEFINE([HAVE_NL_SOCKET_MODIFY_CB], 1, [Does libnl have nl_socket_modify_cb?])
+ ],
+ )
+
+ AC_CHECK_LIB($1,
+ [rtnl_route_get_oif],
+ [AC_DEFINE([HAVE_RTNL_ROUTE_GET_OIF], 1, [Does libnl have rtnl_route_get_oif?])
+ ],
+ )
+
+ AC_CHECK_LIB($1,
+ [nl_set_passcred],
+ [AC_DEFINE([HAVE_NL_SET_PASSCRED], 1, [Does libnl have nl_set_passcred?])
+ ],
+ )
+
+ AC_CHECK_LIB($1,
+ [nl_socket_set_passcred],
+ [AC_DEFINE([HAVE_NL_SOCKET_SET_PASSCRED], 1, [Does libnl have nl_socket_set_passcred?])
+ ],
+ )
+])
+
+dnl A macro to check the availability and version of libnetlink
+AC_DEFUN([AM_CHECK_LIBNL1],
+[
+ PKG_CHECK_MODULES(LIBNL1, libnl-1 >= 1.1,[
+
+ HAVE_LIBNL=1
+ HAVE_LIBNL1=1
+
+ LIBNL_CFLAGS="$LIBNL1_CFLAGS"
+ LIBNL_LIBS="$LIBNL1_LIBS"
+
+ AC_DEFINE_UNQUOTED(HAVE_LIBNL, 1, [Build with libnetlink support])
+ AC_DEFINE_UNQUOTED(HAVE_LIBNL1, 1, [Libnetlink version = 1])
+
+ AC_MSG_NOTICE([Building with libnl])
+
+ AC_CHECK_HEADERS(netlink.h)
+ AC_CHECK_LIB(nl, nl_connect, [ LIBNL_LIBS="-lnl" ], [AC_MSG_ERROR([libnl is required])])
+
+ AM_CHECK_LIBNL_FCS(nl)
+
+
+ ],[AC_MSG_WARN([Netlink v1 support unavailable or too old])])
+
+ AC_SUBST(LIBNL_CFLAGS)
+ AC_SUBST(LIBNL_LIBS)
+])
+
+dnl A macro to check the availability of libnetlink version 3
+
+AC_DEFUN([AM_CHECK_LIBNL3],
+[
+ PKG_CHECK_MODULES(LIBNL3, [
+ libnl-3.0 >= 3.0
+ libnl-route-3.0 >= 3.0], [
+
+ HAVE_LIBNL=1
+ HAVE_LIBNL3=1
+
+ LIBNL_CFLAGS="$LIBNL3_CFLAGS"
+ LIBNL_LIBS="$LIBNL3_LIBS"
+
+ AC_DEFINE_UNQUOTED(HAVE_LIBNL, 1, [Build with libnetlink support])
+ AC_DEFINE_UNQUOTED(HAVE_LIBNL3, 1, [Libnetlink version = 3])
+
+ AC_MSG_NOTICE([Building with libnl3])
+
+ AM_CHECK_LIBNL_FCS(nl-3)
+
+ ],[AC_MSG_WARN([Netlink v3 support unavailable or too old])])
+
+ AC_SUBST(LIBNL_CFLAGS)
+ AC_SUBST(LIBNL_LIBS)
+])
diff --git a/src/external/libpcre.m4 b/src/external/libpcre.m4
new file mode 100644
index 0000000..2326cbf
--- /dev/null
+++ b/src/external/libpcre.m4
@@ -0,0 +1,21 @@
+AC_SUBST(PCRE_LIBS)
+AC_SUBST(PCRE_CFLAGS)
+
+PKG_CHECK_MODULES([PCRE], [libpcre], [found_libpcre=yes], [found_libpcre=no])
+PKG_CHECK_EXISTS(libpcre >= 7,
+ [AC_MSG_NOTICE([PCRE version is 7 or higher])],
+ [AC_MSG_NOTICE([PCRE version is below 7])
+ AC_DEFINE([HAVE_LIBPCRE_LESSER_THAN_7],
+ 1,
+ [Define if libpcre version is less than 7])])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_libpcre" != xyes],
+ [AC_CHECK_HEADERS([pcre.h],
+ [AC_CHECK_LIB([pcre],
+ [pcre_compile],
+ [PCRE_LIBS="-L$sss_extra_libdir -lpcre"],
+ [AC_MSG_ERROR([No usable PCRE library found])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([pcre header files are not installed])])]
+)
diff --git a/src/external/libpopt.m4 b/src/external/libpopt.m4
new file mode 100644
index 0000000..e6a3e71
--- /dev/null
+++ b/src/external/libpopt.m4
@@ -0,0 +1,15 @@
+AC_SUBST(POPT_LIBS)
+AC_SUBST(POPT_CFLAGS)
+
+PKG_CHECK_MODULES([POPT], [popt], [found_popt=yes], [found_popt=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_popt" != xyes],
+ [AC_CHECK_HEADERS([popt.h],
+ [AC_CHECK_LIB([popt],
+ [poptGetContext],
+ [POPT_LIBS="-L$sss_extra_libdir -lpopt"],
+ [AC_MSG_ERROR([POPT library must support poptGetContext])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([POPT header files are not installed])])]
+)
diff --git a/src/external/libresolv.m4 b/src/external/libresolv.m4
new file mode 100644
index 0000000..225cf2b
--- /dev/null
+++ b/src/external/libresolv.m4
@@ -0,0 +1,12 @@
+AC_SUBST(RESOLV_CFLAGS)
+AC_SUBST(RESOLV_LIBS)
+
+# Some unit tests require libresolv to fake DNS packets
+SSS_AC_EXPAND_LIB_DIR()
+AC_CHECK_LIB([resolv],
+ [ns_name_compress],
+ [RESOLV_LIBS="-L$sss_extra_libdir -lresolv"],
+ [AC_MSG_WARN([No libresolv detected, some tests will not run])],
+ [-L$sss_extra_libdir])
+
+AM_CONDITIONAL([HAVE_LIBRESOLV], [test x"$RESOLV_LIBS" != "x"])
diff --git a/src/external/libtalloc.m4 b/src/external/libtalloc.m4
new file mode 100644
index 0000000..06a1b29
--- /dev/null
+++ b/src/external/libtalloc.m4
@@ -0,0 +1,15 @@
+AC_SUBST(TALLOC_CFLAGS)
+AC_SUBST(TALLOC_LIBS)
+
+PKG_CHECK_MODULES([TALLOC], [talloc], [found_talloc=yes], [found_talloc=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_talloc" != xyes],
+ [AC_CHECK_HEADER([talloc.h],
+ [AC_CHECK_LIB([talloc],
+ [talloc_init],
+ [TALLOC_LIBS="-L$sss_extra_libdir -ltalloc"],
+ [AC_MSG_ERROR([libtalloc missing talloc_init])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([libtalloc header files are not installed])])]
+)
diff --git a/src/external/libtdb.m4 b/src/external/libtdb.m4
new file mode 100644
index 0000000..f740d05
--- /dev/null
+++ b/src/external/libtdb.m4
@@ -0,0 +1,15 @@
+AC_SUBST(TDB_CFLAGS)
+AC_SUBST(TDB_LIBS)
+
+PKG_CHECK_MODULES([TDB], [tdb >= 1.1.3], [found_tdb=yes], [found_tdb=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_tdb" != xyes],
+ [AC_CHECK_HEADERS([tdb.h],
+ [AC_CHECK_LIB([tdb],
+ [tdb_repack],
+ [TDB_LIBS="-L$sss_extra_libdir -ltdb"],
+ [AC_MSG_ERROR([library TDB must support tdb_repack])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([tdb header files are not installed])])]
+)
diff --git a/src/external/libtevent.m4 b/src/external/libtevent.m4
new file mode 100644
index 0000000..d3df1d0
--- /dev/null
+++ b/src/external/libtevent.m4
@@ -0,0 +1,15 @@
+AC_SUBST(TEVENT_CFLAGS)
+AC_SUBST(TEVENT_LIBS)
+
+PKG_CHECK_MODULES([TEVENT], [tevent], [found_tevent=yes], [found_tevent=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_tevent" != xyes],
+ [AC_CHECK_HEADER([tevent.h],
+ [AC_CHECK_LIB([tevent],
+ [tevent_context_init],
+ [TEVENT_LIBS="-L$sss_extra_libdir -ltevent -ltalloc"],
+ [AC_MSG_ERROR([libtevent missing tevent_context_init])],
+ [-L$sss_extra_libdir -ltalloc])],
+ [AC_MSG_ERROR([tevent header files are not installed])])]
+)
diff --git a/src/external/libunistring.m4 b/src/external/libunistring.m4
new file mode 100644
index 0000000..bbc92b3
--- /dev/null
+++ b/src/external/libunistring.m4
@@ -0,0 +1,31 @@
+SSS_AC_EXPAND_LIB_DIR()
+
+AC_CHECK_HEADERS([unistr.h],
+ [AC_CHECK_LIB([unistring],
+ [u8_strlen],
+ [UNISTRING_LIBS="-lunistring"],
+ [AC_MSG_ERROR([No usable libunistring library found])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([libunistring header files are not installed])]
+)
+
+AC_CHECK_HEADERS([unicase.h],
+ [AC_CHECK_LIB([unistring],
+ [u8_casecmp],
+ [UNISTRING_LIBS="-lunistring"],
+ [AC_MSG_ERROR([No usable libunistring library found])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([libunistring header files are not installed])]
+)
+
+AC_CHECK_HEADERS([unistr.h],
+ [AC_CHECK_LIB([unistring],
+ [u8_check],
+ [UNISTRING_LIBS="-lunistring"],
+ [AC_MSG_ERROR([No usable libunistring library found])],
+ [-L$sss_extra_libdir])],
+ [AC_MSG_ERROR([libunistring header files are not installed])]
+)
+
+
+UNISTRING_LIBS="-L$sss_extra_libdir $UNISTRING_LIBS "
diff --git a/src/external/libuuid.m4 b/src/external/libuuid.m4
new file mode 100644
index 0000000..323521c
--- /dev/null
+++ b/src/external/libuuid.m4
@@ -0,0 +1,17 @@
+AC_SUBST(UUID_LIBS)
+AC_SUBST(UUID_CFLAGS)
+
+PKG_CHECK_MODULES([UUID], [uuid], [found_uuid=yes], [found_uuid=no])
+
+SSS_AC_EXPAND_LIB_DIR()
+AS_IF([test x"$found_uuid" != xyes],
+ [AC_CHECK_HEADERS([uuid/uuid.h],
+ [AC_CHECK_LIB([uuid],
+ [uuid_generate],
+ [UUID_LIBS="-L$sss_extra_libdir -luuid"],
+ [AC_MSG_ERROR([libuuid missing uuid_generate])],
+ [-L$sss_extra_libdir -luuid])],
+ [AC_MSG_ERROR([
+You must have the header file uuid.h installed to build sssd
+with KCM responder. If you want to build sssd without KCM responder
+then specify --without-kcm when running configure.])])])
diff --git a/src/external/nscd.m4 b/src/external/nscd.m4
new file mode 100644
index 0000000..d0f1291
--- /dev/null
+++ b/src/external/nscd.m4
@@ -0,0 +1,9 @@
+AC_PATH_PROG(NSCD, nscd, $NSCD_PATH)
+AC_MSG_CHECKING(for nscd)
+AC_DEFINE_UNQUOTED([NSCD_PATH], "$NSCD", [The path to nscd, if available])
+
+if test -x "$NSCD"; then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT([not installed, assuming standard location])
+fi
diff --git a/src/external/nsupdate.m4 b/src/external/nsupdate.m4
new file mode 100644
index 0000000..b7048d5
--- /dev/null
+++ b/src/external/nsupdate.m4
@@ -0,0 +1,19 @@
+AC_PATH_PROG(NSUPDATE, nsupdate)
+AC_MSG_CHECKING(for executable nsupdate)
+if test -x "$NSUPDATE"; then
+ AC_DEFINE_UNQUOTED([NSUPDATE_PATH], ["$NSUPDATE"], [The path to nsupdate])
+ AC_MSG_RESULT(yes)
+
+ AC_MSG_CHECKING(for nsupdate 'realm' support')
+ if AC_RUN_LOG([echo realm |$NSUPDATE >&2]); then
+ AC_MSG_RESULT([yes])
+ AC_DEFINE_UNQUOTED([HAVE_NSUPDATE_REALM], 1, [Whether to use the 'realm' directive with nsupdate])
+ else
+ AC_MSG_RESULT([no])
+ AC_MSG_WARN([Will build without the 'realm' directive])
+ fi
+
+else
+ AC_MSG_RESULT([no])
+ AC_MSG_ERROR([nsupdate is not available])
+fi
diff --git a/src/external/p11-kit.m4 b/src/external/p11-kit.m4
new file mode 100644
index 0000000..a959f43
--- /dev/null
+++ b/src/external/p11-kit.m4
@@ -0,0 +1,4 @@
+AC_SUBST(P11_KIT_CFLAGS)
+AC_SUBST(P11_KIT_LIBS)
+
+PKG_CHECK_MODULES([P11_KIT], [p11-kit-1])
diff --git a/src/external/pac_responder.m4 b/src/external/pac_responder.m4
new file mode 100644
index 0000000..e0685f0
--- /dev/null
+++ b/src/external/pac_responder.m4
@@ -0,0 +1,39 @@
+AC_ARG_ENABLE([pac-responder],
+ [AS_HELP_STRING([--enable-pac-responder],
+ [build pac responder])],
+ [build_pac_responder=$enableval],
+ [build_pac_responder=yes])
+
+krb5_version_ok=no
+if test x$build_pac_responder = xyes
+then
+ AC_PATH_PROG(KRB5_CONFIG, krb5-config)
+ AC_MSG_CHECKING(for supported MIT krb5 version)
+ KRB5_VERSION="`$KRB5_CONFIG --version`"
+ case $KRB5_VERSION in
+ Kerberos\ 5\ release\ 1.9* | \
+ Kerberos\ 5\ release\ 1.10* | \
+ Kerberos\ 5\ release\ 1.11* | \
+ Kerberos\ 5\ release\ 1.12* | \
+ Kerberos\ 5\ release\ 1.13* | \
+ Kerberos\ 5\ release\ 1.14* | \
+ Kerberos\ 5\ release\ 1.15* | \
+ Kerberos\ 5\ release\ 1.16*)
+ krb5_version_ok=yes
+ AC_MSG_RESULT([yes])
+ ;;
+ *)
+ AC_MSG_RESULT([no])
+ AC_MSG_WARN([Cannot build authdata plugin with this version of
+ MIT Kerberos, please use 1.9.x or later])
+ esac
+fi
+
+if test x$with_samba != xyes
+then
+ AC_MSG_WARN([Cannot build PAC responder without Samba])
+fi
+
+AM_CONDITIONAL([BUILD_PAC_RESPONDER], [test x$build_pac_responder = xyes -a x$with_samba = xyes -a x$krb5_version_ok = xyes ])
+AM_COND_IF([BUILD_PAC_RESPONDER],
+ [AC_DEFINE_UNQUOTED(HAVE_PAC_RESPONDER, 1, [Build with the PAC responder])])
diff --git a/src/external/pam.m4 b/src/external/pam.m4
new file mode 100644
index 0000000..0dc7f19
--- /dev/null
+++ b/src/external/pam.m4
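Review bot: The `case $KRB5_VERSION in` block of pac_responder.m4 is a fixed allowlist of releases 1.9 through 1.16, so any later MIT Kerberos release falls into `*)` and the PAC responder is disabled with a warning that still says `please use 1.9.x or later`. Either compare the version numerically or state the upper bound in the warning, and add a comment such as `dnl extend this list when a newer MIT krb5 release has been validated`. `$KRB5_CONFIG --version` is also run without the `test -x "$KRB5_CONFIG"` guard that krb5.m4 uses, so an absent krb5-config ends up in the same branch with a misleading message.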
@@ -0,0 +1,41 @@
+AC_SUBST(PAM_LIBS)
+AC_SUBST(PAM_MISC_LIBS)
+
+AC_CHECK_HEADERS([security/pam_appl.h security/pam_modules.h],
+ [AC_CHECK_LIB([pam], [pam_get_item],
+ [PAM_LIBS="-lpam"],
+ [AC_MSG_ERROR([PAM must support pam_get_item])])],
+ [AC_MSG_ERROR([PAM development libraries not installed])]
+)
+
+AC_CHECK_HEADERS([security/pam_ext.h security/pam_modutil.h])
+AC_CHECK_HEADERS([security/pam_misc.h security/_pam_macros.h])
+AC_CHECK_HEADERS([security/openpam.h],,,[
+ #ifdef HAVE_SECURITY_PAM_APPL_H
+ #include
+ #endif
+ ])
+
+AC_CHECK_LIB([pam_misc], [misc_conv],
+ [PAM_MISC_LIBS="-lpam_misc"])
+
+dnl save LIBS to restore later
+save_LIBS="$LIBS"
+LIBS="$PAM_LIBS"
+
+AC_CHECK_FUNCS(pam_modutil_getlogin pam_vsyslog)
+
+dnl restore LIBS
+LIBS="$save_LIBS"
+
+PKG_CHECK_MODULES([GDM_PAM_EXTENSIONS], [gdm-pam-extensions],
+ [found_gdm_pam_extensions=yes],
+ [AC_MSG_NOTICE([gdm-pam-extensions were not found. gdm support
+for multiple certificates will not be build.
+])])
+
+AC_SUBST(GDM_PAM_EXTENSIONS_CFLAGS)
+
+AS_IF([test x"$found_gdm_pam_extensions" = xyes],
+ [AC_DEFINE_UNQUOTED(HAVE_GDM_PAM_EXTENSIONS, 1,
+ [Build with gdm-pam-extensions support])])
diff --git a/src/external/pkg.m4 b/src/external/pkg.m4
new file mode 100644
index 0000000..568127f
--- /dev/null
+++ b/src/external/pkg.m4
@@ -0,0 +1,156 @@ +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# +# Copyright © 2004 Scott James Remnant . +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, see . +# +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# PKG_PROG_PKG_CONFIG([MIN-VERSION]) +# ---------------------------------- +AC_DEFUN([PKG_PROG_PKG_CONFIG], +[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) +m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) +AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=m4_default([$1], [0.9.0]) + AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + PKG_CONFIG="" + fi + +fi[]dnl +])# PKG_PROG_PKG_CONFIG + +# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +# +# Check to see whether a particular set of modules exists. Similar +# to PKG_CHECK_MODULES(), but does not set variables or print errors. 
+# +# +# Similar to PKG_CHECK_MODULES, make sure that the first instance of +# this or PKG_CHECK_MODULES is called, or make sure to call +# PKG_CHECK_EXISTS manually +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_EXISTS], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +if test -n "$PKG_CONFIG" && \ + AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then + m4_ifval([$2], [$2], [:]) +m4_ifvaln([$3], [else + $3])dnl +fi]) + + +# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +# --------------------------------------------- +m4_define([_PKG_CONFIG], +[if test -n "$PKG_CONFIG"; then + if test -n "$$1"; then + pkg_cv_[]$1="$$1" + else + PKG_CHECK_EXISTS([$3], + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], + [pkg_failed=yes]) + fi +else + pkg_failed=untried +fi[]dnl +])# _PKG_CONFIG + +# _PKG_SHORT_ERRORS_SUPPORTED +# ----------------------------- +AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi[]dnl +])# _PKG_SHORT_ERRORS_SUPPORTED + + +# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +# [ACTION-IF-NOT-FOUND]) +# +# +# Note that if there is a possibility the first call to +# PKG_CHECK_MODULES might not happen, you should be sure to include an +# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +# +# +# -------------------------------------------------------------- +AC_DEFUN([PKG_CHECK_MODULES], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl +AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl + +pkg_failed=no +AC_MSG_CHECKING([for $1]) + +_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) +_PKG_CONFIG([$1][_LIBS], [libs], [$2]) + +m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS +and $1[]_LIBS to avoid the need to call 
pkg-config. +See the pkg-config man page for more details.]) + +if test $pkg_failed = yes; then + _PKG_SHORT_ERRORS_SUPPORTED + if test $_pkg_short_errors_supported = yes; then + $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"` + else + $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"` + fi + # Put the nasty error message in config.log where it belongs + echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD + + ifelse([$4], , [AC_MSG_ERROR(dnl +[Package requirements ($2) were not met: + +$$1_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +_PKG_TEXT +])], + [AC_MSG_RESULT([no]) + $4]) +elif test $pkg_failed = untried; then + ifelse([$4], , [AC_MSG_FAILURE(dnl +[The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +_PKG_TEXT + +To get pkg-config, see .])], + [$4]) +else + $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS + $1[]_LIBS=$pkg_cv_[]$1[]_LIBS + AC_MSG_RESULT([yes]) + ifelse([$3], , :, [$3]) +fi[]dnl +])# PKG_CHECK_MODULES diff --git a/src/external/platform.m4 b/src/external/platform.m4 new file mode 100644 index 0000000..c67e081 --- /dev/null +++ b/src/external/platform.m4 
@@ -0,0 +1,48 @@
+AC_ARG_WITH([os],
+ [AC_HELP_STRING([--with-os=OS_TYPE], [Type of your operation system (fedora|redhat|suse|gentoo)])]
+ )
+osname=""
+if test x"$with_os" != x ; then
+ if test x"$with_os" = xfedora || \
+ test x"$with_os" = xredhat || \
+ test x"$with_os" = xsuse || \
+ test x"$with_os" = xgentoo || \
+ test x"$with_os" = xdebian ; then
+ osname=$with_os
+ else
+ AC_MSG_ERROR([Illegal value -$with_os- for option --with-os])
+ fi
+fi
+
+if test x"$osname" = x ; then
+ if test -f /etc/fedora-release ; then
+ osname="fedora"
+ elif test -f /etc/redhat-release ; then
+ osname="redhat"
+ elif test -f /etc/SuSE-release ; then
+ osname="suse"
+ elif test -f /etc/debian_version ; then
+ osname="debian"
+ elif test -f /etc/gentoo-release ; then
+ osname="gentoo"
+ fi
+
+ AC_MSG_NOTICE([Detected operating system type: $osname])
+fi
+
+AM_CONDITIONAL([HAVE_FEDORA], [test x"$osname" = xfedora])
+AM_CONDITIONAL([HAVE_REDHAT], [test x"$osname" = xredhat])
+AM_CONDITIONAL([HAVE_SUSE], [test x"$osname" = xsuse])
+AM_CONDITIONAL([HAVE_DEBIAN], [test x"$osname" = xdebian])
+AM_CONDITIONAL([HAVE_GENTOO], [test x"$osname" = xgentoo])
+
+AC_CHECK_MEMBERS([struct ucred.pid, struct ucred.uid, struct ucred.gid], , ,
+ [[#include ]])
+
+if test x"$ac_cv_member_struct_ucred_pid" = xyes -a \
+ x"$ac_cv_member_struct_ucred_uid" = xyes -a \
+ x"$ac_cv_member_struct_ucred_gid" = xyes ; then
+ AC_DEFINE([HAVE_UCRED], [1], [Define if struct ucred is available])
+else
+ AC_MSG_WARN([struct ucred is not available])
+fi
diff --git a/src/external/python.m4 b/src/external/python.m4
new file mode 100644
index 0000000..be4e3b2
--- /dev/null
+++ b/src/external/python.m4
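Review bot: The help string for `--with-os` lists `(fedora|redhat|suse|gentoo)`, but the validation directly below also accepts `debian`, so the documented set and the accepted set disagree. Update the text to `[Type of your operating system (fedora|redhat|suse|gentoo|debian)]`, which also corrects `operation system`. When none of the release files is present, `osname` stays empty and the notice prints an empty type; a short `dnl` comment saying that an empty `osname` is a supported outcome would help the reader.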
@@ -0,0 +1,102 @@ +dnl Check for python-config and substitute needed CFLAGS and LDFLAGS +dnl Usage: +dnl AM_PYTHON_CONFIG(python_with_major_version) +dnl argument python_with_major_version should be either python2 or python3 +dnl This function sets the PYTHON_CFLAGS, PYTHON_LIBS and PYTHON_INCLUDES +dnl variables + +AC_DEFUN([AM_PYTHON_CONFIG], +[ + AC_PATH_PROG([PYTHON_CONFIG], [python$PYTHON_VERSION-config]) + AS_IF([test x"$PYTHON_CONFIG" = x], + AC_MSG_ERROR([ +The program python$PYTHON_VERSION-config was not found in search path. +Please ensure that it is installed and its directory is included in the search +path. If you want to build sssd without $1 bindings then specify +--without-$1-bindings when running configure.])) + + PYTHON_CFLAGS="` $PYTHON_CONFIG --cflags`" + PYTHON_LIBS="` $PYTHON_CONFIG --libs`" + PYTHON_INCLUDES="` $PYTHON_CONFIG --includes`" +]) + +dnl Taken from GNOME sources +dnl a macro to check for ability to create python extensions +dnl AM_CHECK_PYTHON_HEADERS([ACTION-IF-POSSIBLE], [ACTION-IF-NOT-POSSIBLE]) +AC_DEFUN([AM_CHECK_PYTHON_HEADERS], +[ + AC_REQUIRE([AM_PATH_PYTHON]) + AC_MSG_CHECKING(for headers required to compile python extensions) + + dnl check if the headers exist: + save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES" + AC_TRY_CPP([#include ],dnl + [AC_MSG_RESULT([found]) + $1],dnl + [AC_MSG_RESULT([not found]) + $2]) + CPPFLAGS="$save_CPPFLAGS" +]) + +dnl Clean variables after detection of python +AC_DEFUN([SSS_CLEAN_PYTHON_VARIABLES], +[ + unset pyexecdir pkgpyexecdir pythondir pgkpythondir + unset PYTHON PYTHON_CFLAGS PYTHON_LIBS PYTHON_INCLUDES + unset PYTHON_PREFIX PYTHON_EXEC_PREFIX PYTHON_VERSION PYTHON_CONFIG + + dnl removed cached variables, required for reusing of AM_PATH_PYTHON + unset am_cv_pathless_PYTHON ac_cv_path_PYTHON am_cv_python_version + unset am_cv_python_platform am_cv_python_pythondir am_cv_python_pyexecdir + unset ac_cv_path_PYTHON_CONFIG +]) + +dnl 
=========================================================================== +dnl http://www.gnu.org/software/autoconf-archive/ax_python_module.html +dnl =========================================================================== +dnl +dnl SYNOPSIS +dnl +dnl AM_PYTHON2_MODULE(modname[, fatal]) +dnl +dnl DESCRIPTION +dnl +dnl Checks for Python 2 module. +dnl +dnl If fatal is non-empty then absence of a module will trigger an error. +dnl +dnl LICENSE +dnl +dnl Copyright (c) 2008 Andrew Collier +dnl +dnl Copying and distribution of this file, with or without modification, are +dnl permitted in any medium without royalty provided the copyright notice +dnl and this notice are preserved. This file is offered as-is, without any +dnl warranty. +AC_DEFUN([AM_PYTHON2_MODULE],[ + if test x"$PYTHON2" = x; then + if test -n "$2"; then + AC_MSG_ERROR([cannot look for $1 module: Python 2 not found]) + else + AC_MSG_NOTICE([cannot look for $1 module: Python 2 not found]) + eval AS_TR_CPP(HAVE_PY2MOD_$1)=no + fi + else + AC_MSG_CHECKING($(basename $PYTHON2) module: $1) + $PYTHON2 -c "import $1" 2>/dev/null + if test $? -eq 0; then + AC_MSG_RESULT(yes) + eval AS_TR_CPP(HAVE_PY2MOD_$1)=yes + else + AC_MSG_RESULT(no) + eval AS_TR_CPP(HAVE_PY2MOD_$1)=no + # + if test -n "$2" + then + AC_MSG_ERROR(failed to find required module $1) + exit 1 + fi + fi + fi +]) diff --git a/src/external/samba.m4 b/src/external/samba.m4 new file mode 100644 index 0000000..7a8c1eb --- /dev/null +++ b/src/external/samba.m4 
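Review bot: `SSS_CLEAN_PYTHON_VARIABLES` unsets `pgkpythondir`, which looks like a typo for `pkgpythondir`, so that variable is not cleared before `AM_PATH_PYTHON` is reused. The line should read `unset pyexecdir pkgpyexecdir pythondir pkgpythondir`. Separately, in `AM_PYTHON2_MODULE` the `exit 1` after `AC_MSG_ERROR(failed to find required module $1)` is dead code, since `AC_MSG_ERROR` already aborts configure, and can be dropped.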
@@ -0,0 +1,132 @@ +AC_SUBST(NDR_NBT_CFLAGS) +AC_SUBST(NDR_NBT_LIBS) +AC_SUBST(SMBCLIENT_CFLAGS) +AC_SUBST(SMBCLIENT_LIBS) +AC_SUBST(NDR_KRB5PAC_CFLAGS) +AC_SUBST(NDR_KRB5PAC_LIBS) + +if test x"$with_samba" = xyes; then + PKG_CHECK_MODULES(NDR_NBT, ndr_nbt, , + AC_MSG_ERROR([[Please install Samba 4 NDR NBT development libraries. +Samba 4 libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + ]])) + + PKG_CHECK_MODULES(NDR_KRB5PAC, ndr_krb5pac, , + AC_MSG_ERROR([[Please install Samba 4 NDR KRB5PAC development libraries. +Samba 4 libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + ]])) + + PKG_CHECK_MODULES(SMBCLIENT, smbclient, , + AC_MSG_ERROR([[Please install libsmbclient development libraries. +libsmbclient libraries are necessary for building ad and ipa provider. +If you do not want to build these providers it is possible to build SSSD +without them. In this case, you will need to execute configure script +with argument --without-samba + ]])) + + if test x"$HAVE_LIBINI_CONFIG_V1_1" != x1; then + AC_MSG_ERROR([[Please install libini_config development libraries +v1.1.0, or newer. libini_config libraries are necessary for building ipa +provider, as well as for building gpo-based access control in ad provider. If +you do not want to build these providers it is possible to build SSSD without +them. 
In this case, you will need to execute configure script with argument +--without-samba + ]]) + fi + + AC_ARG_WITH([smb-idmap-interface-version], + [AC_HELP_STRING([--with-smb-idmap-interface-version=[5|6]], + [Idmap interface version of installed Samba] + ) + ] + ) + + if test x"$with_smb_idmap_interface_version" != x; then + if test x"$with_smb_idmap_interface_version" = x5 -o x"$with_smb_idmap_interface_version" = x6; then + idmap_test_result=$with_smb_idmap_interface_version + else + AC_MSG_ERROR([Illegal value -$with_smb_idmap_interface_version- for option --with-smb-idmap-interface-version]) + fi + else + + AC_MSG_CHECKING([Samba's idmap plugin interface version]) + sambalibdir="`$PKG_CONFIG --variable=libdir smbclient`"/samba + SAVE_CFLAGS=$CFLAGS + SAVE_LIBS=$LIBS + CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0" + LIBS="$LIBS -L${sambalibdir} -lidmap-samba4 -Wl,-rpath ${sambalibdir}" + AC_RUN_IFELSE( + [AC_LANG_SOURCE([ +#include +#include +#include +#include +#include + +struct winbindd_domain; + +/* overwrite some winbind internal functions */ +struct winbindd_domain *find_domain_from_name(const char *domain_name) +{ + return NULL; +} + +bool get_global_winbindd_state_offline(void) { + return false; +} + +struct tevent_context *winbind_event_context(void) +{ + return NULL; +} + +struct idmap_methods; + +NTSTATUS smb_register_idmap(int version, const char *name, struct idmap_methods *methods); + +int main(void) +{ + int v; + NTSTATUS ret; + + /* Check the versions we know about */ + for (v = 5; v <= 6; v++) { + ret = smb_register_idmap(v, NULL, NULL); + if (!NT_STATUS_EQUAL(ret, NT_STATUS_OBJECT_TYPE_MISMATCH)) { + return v; + } + } + + return -1; +}])], + [AC_MSG_ERROR([idmap version test program is not expected to return 0])], + [idmap_test_result=$?; AC_MSG_RESULT([idmap test result is: $idmap_test_result])] + ) + fi + + CFLAGS=$SAVE_CFLAGS + LIBS=$SAVE_LIBS + + if test $idmap_test_result -eq 5 -o 
$idmap_test_result -eq 6 ; then + idmap_version=$idmap_test_result + else + AC_MSG_ERROR([Cannot determine Samba's idmap interface version, please use --with-smb-idmap-interface-version]) + fi + AC_MSG_NOTICE([Samba's idmap interface version: $idmap_version]) + AC_DEFINE_UNQUOTED(SMB_IDMAP_INTERFACE_VERSION, $idmap_version, + [Detected version of Samba's idmap plugin interface]) +fi + +SAVE_CFLAGS=$CFLAGS +CFLAGS="$CFLAGS $SMBCLIENT_CFLAGS $NDR_NBT_CFLAGS $NDR_KRB5PAC_CFLAGS -I/usr/include/samba-4.0" +AC_CHECK_MEMBERS([struct PAC_LOGON_INFO.resource_groups], , , + [[ #include + #include + #include ]]) +CFLAGS=$SAVE_CFLAGS diff --git a/src/external/sasl.m4 b/src/external/sasl.m4 new file mode 100644 index 0000000..791a835 --- /dev/null +++ b/src/external/sasl.m4 @@ -0,0 +1,15 @@ +AC_SUBST(SASL_LIBS) +AC_SUBST(SASL_CFLAGS) + +PKG_CHECK_MODULES([SASL], [libsasl2], [found_sasl=yes], [found_sasl=no]) + +SSS_AC_EXPAND_LIB_DIR() +AS_IF([test x"$found_sasl" != xyes], + [AC_CHECK_HEADERS([sasl/sasl.h], + [AC_CHECK_LIB([sasl2], + [sasl_client_init], + [SASL_LIBS="-L$sss_extra_libdir -lsasl2"], + [AC_MSG_ERROR([SASL library must support sasl_client_init])], + [-L$sss_extra_libdir])], + [AC_MSG_ERROR([SASL header files are not installed])])] +) diff --git a/src/external/selinux.m4 b/src/external/selinux.m4 new file mode 100644 index 0000000..d1b961a --- /dev/null +++ b/src/external/selinux.m4 
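Review bot: `CFLAGS=$SAVE_CFLAGS` and `LIBS=$SAVE_LIBS` run after the `fi` of the idmap-version check, but `SAVE_CFLAGS` and `SAVE_LIBS` are only assigned in the `else` branch that runs the probe. When `--with-smb-idmap-interface-version` is given, the restore therefore overwrites `CFLAGS` and `LIBS` with whatever those variables held before (empty, unless an earlier check set them), which can silently drop the caller's compiler and hardening flags. Moving the two restore lines into the `else` branch, directly after `AC_RUN_IFELSE(...)`, avoids that. The probe also has no cross-compiling action, so a cross build presumably stops at `AC_RUN_IFELSE` unless the option is passed; a `dnl` comment above the probe saying so would help.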
@@ -0,0 +1,25 @@
+dnl A macro to check the availability of SELinux
+AC_DEFUN([AM_CHECK_SELINUX],
+[
+ AC_CHECK_HEADERS(selinux/selinux.h,
+ [AC_CHECK_LIB(selinux, is_selinux_enabled,
+ [SELINUX_LIBS="-lselinux"],
+ [AC_MSG_ERROR([SELinux library is missing])]
+ )
+ ],
+ [AC_MSG_ERROR([SELinux headers are missing])])
+ AC_SUBST(SELINUX_LIBS)
+])
+
+dnl A macro to check the availability of SELinux management library
+AC_DEFUN([AM_CHECK_SEMANAGE],
+[
+ AC_CHECK_HEADERS(semanage/semanage.h,
+ [AC_CHECK_LIB(semanage, semanage_handle_create,
+ [SEMANAGE_LIBS="-lsemanage"],
+ [AC_MSG_ERROR([libsemanage is missing])]
+ )
+ ],
+ [AC_MSG_ERROR([libsemanage is missing])])
+ AC_SUBST(SEMANAGE_LIBS)
+])
diff --git a/src/external/service.m4 b/src/external/service.m4
new file mode 100644
index 0000000..b69760f
--- /dev/null
+++ b/src/external/service.m4
@@ -0,0 +1,13 @@
+AC_DEFUN([CHECK_SERVICE_EXECUTABLE],
+ [ AC_PATH_PROG([SERVICE], [service], [], [/sbin:/usr/sbin])
+ AC_MSG_CHECKING(for the executable \"service\")
+ if test -x "$SERVICE"; then
+ AC_DEFINE(HAVE_SERVICE, 1, [Whether the service command is available])
+ AC_DEFINE_UNQUOTED([SERVICE_PATH], ["$SERVICE"], [The path to service])
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT([no])
+ AC_MSG_WARN([the service executable is not available])
+ fi
+ ]
+)
diff --git a/src/external/signal.m4 b/src/external/signal.m4
new file mode 100644
index 0000000..747c7db
--- /dev/null
+++ b/src/external/signal.m4
@@ -0,0 +1 @@
+AC_CHECK_FUNCS(sigprocmask sigblock sigaction getpgrp prctl)
diff --git a/src/external/sizes.m4 b/src/external/sizes.m4
new file mode 100644
index 0000000..c4f00d6
--- /dev/null
+++ b/src/external/sizes.m4
@@ -0,0 +1,50 @@
+# Solaris needs HAVE_LONG_LONG defined
+AC_CHECK_TYPES(long long)
+
+AC_CHECK_SIZEOF(int)
+AC_CHECK_SIZEOF(char)
+AC_CHECK_SIZEOF(short)
+AC_CHECK_SIZEOF(long)
+AC_CHECK_SIZEOF(long long)
+AC_CHECK_SIZEOF(uid_t)
+AC_CHECK_SIZEOF(gid_t)
+AC_CHECK_SIZEOF(id_t)
+
+if test $ac_cv_sizeof_long_long -lt 8 ; then
+AC_MSG_ERROR([SSSD requires long long of 64-bits])
+fi
+
+AC_CHECK_TYPE(uint_t, unsigned int)
+AC_CHECK_TYPE(int8_t, char)
+AC_CHECK_TYPE(uint8_t, unsigned char)
+AC_CHECK_TYPE(int16_t, short)
+AC_CHECK_TYPE(uint16_t, unsigned short)
+
+if test $ac_cv_sizeof_int -eq 4 ; then
+AC_CHECK_TYPE(int32_t, int)
+AC_CHECK_TYPE(uint32_t, unsigned int)
+elif test $ac_cv_size_long -eq 4 ; then
+AC_CHECK_TYPE(int32_t, long)
+AC_CHECK_TYPE(uint32_t, unsigned long)
+else
+AC_MSG_ERROR([LIBREPLACE no 32-bit type found])
+fi
+
+AC_CHECK_TYPE(int64_t, long long)
+AC_CHECK_TYPE(uint64_t, unsigned long long)
+
+AC_CHECK_TYPE(size_t, unsigned int)
+AC_CHECK_TYPE(ssize_t, int)
+
+AC_CHECK_SIZEOF(off_t)
+AC_CHECK_SIZEOF(size_t)
+AC_CHECK_SIZEOF(ssize_t)
+
+
+AC_CHECK_TYPES([intptr_t],
+ [],
+ [AC_DEFINE_UNQUOTED([intptr_t], [long long],
+ [Define to `long long'
+ if does not define.])])
+AC_CHECK_TYPE(uintptr_t, unsigned long long)
+AC_CHECK_TYPE(ptrdiff_t, unsigned long long)
diff --git a/src/external/systemd.m4 b/src/external/systemd.m4
new file mode 100644
index 0000000..e61b0f1
--- /dev/null
+++ b/src/external/systemd.m4
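Review bot: The 32-bit fallback branch tests `$ac_cv_size_long`, which nothing in this file sets; `AC_CHECK_SIZEOF(long)` caches its result in `ac_cv_sizeof_long`. On a platform where `int` is not 4 bytes the `elif` would evaluate `test -eq 4` with an empty operand and fall through to the "no 32-bit type found" error. The line should be `elif test $ac_cv_sizeof_long -eq 4 ; then`. The `ptrdiff_t` fallback is `unsigned long long` although `ptrdiff_t` is a signed type; `long long` would be the matching default.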
@@ -0,0 +1,57 @@
+dnl A macro to check presence of systemd on the system
+PKG_CHECK_EXISTS([systemd],
+ [HAVE_SYSTEMD=yes],
+ [HAVE_SYSTEMD=no])
+
+dnl Libraries libsystemd-journal and libsystem-login are deprecarted
+dnl since systemd 209 and are removed in systemd 230. The library libsystemd
+dnl is replacement of libsystemd-{login,journal,daemon,id128} libraries
+PKG_CHECK_EXISTS([libsystemd],
+ [HAVE_LIBSYSTEMD=yes],
+ [HAVE_LIBSYSTEMD=no])
+
+AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
+ [login_lib_name=libsystemd],
+ [login_lib_name=libsystemd-login])
+
+AS_IF([test x$HAVE_SYSTEMD = xyes],
+ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [Build with systemd support])],
+ [AC_MSG_NOTICE([Build without systemd support])])
+
+AS_IF([test x$HAVE_SYSTEMD = xyes],
+ [PKG_CHECK_MODULES(
+ [SYSTEMD_LOGIN],
+ [$login_lib_name],
+ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_LOGIN], 1,
+ [Build with $login_lib_name support])],
+ [AC_MSG_NOTICE([Build without $login_lib_name support])])],
+ [AC_MSG_NOTICE([Build without $login_lib_name support])])
+
+AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
+ [daemon_lib_name=libsystemd],
+ [daemon_lib_name=libsystemd-daemon])
+
+AS_IF([test x$HAVE_SYSTEMD = xyes],
+ [PKG_CHECK_MODULES(
+ [SYSTEMD_DAEMON],
+ [$daemon_lib_name],
+ [AC_DEFINE_UNQUOTED([HAVE_SYSTEMD_DAEMON], 1,
+ [Build with $daemon_lib_name support])],
+ [AC_MSG_NOTICE([Build without $daemon_lib_name support])])],
+ [AC_MSG_NOTICE([Build without $daemon_lib_name support])])
+
+dnl A macro to check presence of journald on the system
+AC_DEFUN([AM_CHECK_JOURNALD],
+[
+ AS_IF([test x$HAVE_LIBSYSTEMD = xyes],
+ [journal_lib_name=libsystemd],
+ [journal_lib_name=libsystemd-journal])
+
+ PKG_CHECK_MODULES(JOURNALD, [$journal_lib_name],
+ [AC_DEFINE_UNQUOTED([WITH_JOURNALD], 1,
+ [journald is available])])
+ dnl Some older versions of pkg-config might not set these automatically
+ dnl while setting CFLAGS and LIBS manually twice doesn't hurt.
+ AC_SUBST([JOURNALD_CFLAGS])
+ AC_SUBST([JOURNALD_LIBS])
+])
diff --git a/src/external/systemtap.m4 b/src/external/systemtap.m4
new file mode 100644
index 0000000..d1caa20
--- /dev/null
+++ b/src/external/systemtap.m4
@@ -0,0 +1,35 @@
+dnl A macro to check the availability of systemtap user-space probes
+AC_DEFUN([AM_CHECK_SYSTEMTAP],
+[
+ AC_ARG_ENABLE([systemtap],
+ [AS_HELP_STRING([--enable-systemtap],
+ [Enable inclusion of systemtap trace support])],
+ [ENABLE_SYSTEMTAP="${enableval}"], [ENABLE_SYSTEMTAP='no'])
+
+ if test "x${ENABLE_SYSTEMTAP}" = xyes; then
+ AC_CHECK_PROGS(DTRACE, dtrace)
+ if test -z "$DTRACE"; then
+ AC_MSG_ERROR([dtrace not found])
+ fi
+
+ AC_CHECK_HEADER([sys/sdt.h], [SDT_H_FOUND='yes'],
+ [SDT_H_FOUND='no';
+ AC_MSG_ERROR([systemtap support needs sys/sdt.h header])])
+
+ AC_DEFINE([HAVE_SYSTEMTAP], [1], [Define to 1 if systemtap is enabled])
+ HAVE_SYSTEMTAP=1
+
+ AC_ARG_WITH([tapset-install-dir],
+ [AS_HELP_STRING([--with-tapset-install-dir],
+ [The absolute path where the tapset dir will be installed])],
+ [if test "x${withval}" = x; then
+ tapset_dir="\$(datadir)/systemtap/tapset"
+ else
+ tapset_dir="${withval}"
+ fi],
+ [tapset_dir="\$(datadir)/systemtap/tapset"])
+ AC_SUBST(tapset_dir)
+ fi
+
+ AM_CONDITIONAL([BUILD_SYSTEMTAP], [test x$HAVE_SYSTEMTAP = x1])
+])
diff --git a/src/external/test_ca.m4 b/src/external/test_ca.m4
new file mode 100644
index 0000000..2cdb3c7
--- /dev/null
+++ b/src/external/test_ca.m4
@@ -0,0 +1,68 @@ +dnl Check for tools needed to run the test CA +AC_DEFUN([AM_CHECK_TEST_CA], +[ + AC_PATH_PROG([OPENSSL], [openssl]) + if test ! -x "$OPENSSL"; then + AC_MSG_NOTICE([Could not find openssl]) + fi + + AC_PATH_PROG([SSH_KEYGEN], [ssh-keygen]) + if test ! -x "$SSH_KEYGEN"; then + AC_MSG_NOTICE([Could not find ssh-keygen]) + else + AC_MSG_CHECKING([for -m option of ssh-keygen]) + if AC_RUN_LOG([$SSH_KEYGEN --help 2>&1 |grep -- '-m ' > /dev/null]); then + AC_MSG_RESULT([yes]) + else + SSH_KEYGEN="" + AC_MSG_RESULT([no]) + fi + fi + + if test x$cryptolib = xnss; then + AC_PATH_PROG([CERTUTIL], [certutil]) + if test ! -x "$CERTUTIL"; then + AC_MSG_NOTICE([Could not find certutil]) + fi + + AC_PATH_PROG([PK12UTIL], [pk12util]) + if test ! -x "$PK12UTIL"; then + AC_MSG_NOTICE([Could not find pk12util]) + fi + + AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$CERTUTIL" -a -x "$PK12UTIL"]) + else + + for p in /usr/lib64/pkcs11/libsofthsm2.so /usr/lib/pkcs11/libsofthsm2.so /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so; do + if test -f "${p}"; then + SOFTHSM2_PATH="${p}" + break; + fi + done + if test -n "$SOFTHSM2_PATH"; then + AC_SUBST(SOFTHSM2_PATH) + AC_DEFINE_UNQUOTED(SOFTHSM2_PATH, "$SOFTHSM2_PATH" , + [Path to softhsm2 PKCS#11 module]) + AC_MSG_NOTICE([Using softhsm2 PKCS11 module: $SOFTHSM2_PATH]) + else + AC_MSG_NOTICE([Could not find softhsm2 PKCS11 module]) + fi + + AC_PATH_PROG([SOFTHSM2_UTIL], [softhsm2-util]) + if test ! -x "$SOFTHSM2_UTIL"; then + AC_MSG_NOTICE([Could not find softhsm2-util]) + fi + + AC_PATH_PROG([P11TOOL], [p11tool]) + if test ! 
-x "$P11TOOL"; then + AC_MSG_NOTICE([Could not find p11tool]) + fi + + AM_CONDITIONAL([BUILD_TEST_CA], [test -x "$OPENSSL" -a -x "$SSH_KEYGEN" -a -x "$SOFTHSM2_PATH" -a -x "$SOFTHSM2_UTIL" -a -x "$P11TOOL"]) + fi + + AM_COND_IF([BUILD_TEST_CA], + [AC_DEFINE_UNQUOTED(HAVE_TEST_CA, 1, + [Build with certificates from test CA])], + [AC_MSG_WARN([Test CA cannot be build, skiping some tests])]) +]) diff --git a/src/krb5_plugin/sssd_krb5_localauth_plugin.c b/src/krb5_plugin/sssd_krb5_localauth_plugin.c new file mode 100644 index 0000000..60567d7 --- /dev/null +++ b/src/krb5_plugin/sssd_krb5_localauth_plugin.c 
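Review bot: In the non-NSS branch `SOFTHSM2_PATH` is located with `test -f`, but `BUILD_TEST_CA` then requires `test -x "$SOFTHSM2_PATH"`. A shared object installed without the execute bit would be found and reported as used, yet the test CA would be disabled with only the generic warning. Using `-f "$SOFTHSM2_PATH"` in that `AM_CONDITIONAL` keeps the two checks consistent. The warning text also reads `cannot be build, skiping`, where `cannot be built, skipping` is meant.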
@@ -0,0 +1,195 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include + +enum nss_status _nss_sss_getpwnam_r(const char *name, struct passwd *result, + char *buffer, size_t buflen, int *errnop); + +#define DEFAULT_BUFSIZE 4096 + +static krb5_error_code sss_userok(krb5_context context, + krb5_localauth_moddata data, + krb5_const_principal aname, + const char *lname) +{ + krb5_error_code kerr; + char *princ_str; + struct passwd pwd = { 0 }; + char *buffer = NULL; + size_t buflen; + enum nss_status nss_status; + int nss_errno; + uid_t princ_uid; + int ret; + + kerr = krb5_unparse_name(context, aname, &princ_str); + if (kerr != 0) { + ret = kerr; + goto done; + } + + if (strcasecmp(princ_str, lname) == 0) { + ret = 0; + goto done; + } + + buflen = DEFAULT_BUFSIZE; + buffer = malloc(buflen); + if (buffer == NULL) { + ret = ENOMEM; + goto done; + } + + nss_status = _nss_sss_getpwnam_r(princ_str, &pwd, buffer, buflen, + &nss_errno); + if (nss_status != NSS_STATUS_SUCCESS) { + if (nss_status == NSS_STATUS_NOTFOUND) { + ret = KRB5_PLUGIN_NO_HANDLE; + } else { + ret = EIO; + } + goto done; + } + + princ_uid = pwd.pw_uid; + + nss_status = _nss_sss_getpwnam_r(lname, &pwd, buffer, buflen, &nss_errno); + if (nss_status != NSS_STATUS_SUCCESS) { + if (nss_status == NSS_STATUS_NOTFOUND) { + ret = 
KRB5_PLUGIN_NO_HANDLE; + } else { + ret = EIO; + } + goto done; + } + + if (princ_uid != pwd.pw_uid) { + ret = EPERM; + goto done; + } + + ret = 0; + +done: + krb5_free_unparsed_name(context, princ_str); + free(buffer); + + if (ret != 0) { + return KRB5_PLUGIN_NO_HANDLE; + } + + return ret; +} + +static krb5_error_code sss_an2ln(krb5_context context, + krb5_localauth_moddata data, + const char *type, const char *residual, + krb5_const_principal aname, char **lname_out) +{ + krb5_error_code kerr; + char *princ_str; + struct passwd pwd = { 0 }; + char *buffer = NULL; + size_t buflen; + enum nss_status nss_status; + int nss_errno; + int ret; + char *str; + + kerr = krb5_unparse_name(context, aname, &princ_str); + if (kerr != 0) { + return kerr; + } + + buflen = DEFAULT_BUFSIZE; + buffer = malloc(buflen); + if (buffer == NULL) { + ret = ENOMEM; + goto done; + } + + nss_status = _nss_sss_getpwnam_r(princ_str, &pwd, buffer, buflen, + &nss_errno); + if (nss_status != NSS_STATUS_SUCCESS) { + if (nss_status == NSS_STATUS_NOTFOUND) { + ret = KRB5_LNAME_NOTRANS; + } else { + ret = EIO; + } + goto done; + } + + if (pwd.pw_name == NULL) { + ret = EINVAL; + goto done; + } + + str = strdup(pwd.pw_name); + if (str == NULL) { + ret = ENOMEM; + goto done; + } + + *lname_out = str; + + ret = 0; + +done: + krb5_free_unparsed_name(context, princ_str); + free(buffer); + + return ret; +} + +static void sss_freestr(krb5_context context, + krb5_localauth_moddata data, char *str) +{ + free(str); +} + +krb5_error_code +localauth_sssd_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + + if (maj_ver != 1 || min_ver != 1) { + return KRB5_PLUGIN_VER_NOTSUPP; + } + + krb5_localauth_vtable vt = (krb5_localauth_vtable)vtable; + + vt->init = NULL; + vt->fini = NULL; + vt->name = "sssd"; + vt->an2ln = sss_an2ln; + vt->userok = sss_userok; + vt->free_string = sss_freestr; + + return 0; +} + 
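Review bot: In `sss_userok`, `princ_str` is declared without an initializer, and the failure path of `krb5_unparse_name()` jumps to `done`, where `krb5_free_unparsed_name(context, princ_str)` is called on the indeterminate pointer. `sss_an2ln` avoids this by returning directly, so the two functions should agree; declaring `char *princ_str = NULL;` in `sss_userok` is enough, assuming the free routine accepts NULL as it does in MIT krb5. Every non-zero `ret` in `sss_userok`, including the `EPERM` set on a UID mismatch, is also turned into `KRB5_PLUGIN_NO_HANDLE`, so this module never denies and the decision falls to the other localauth modules. If that is intended, a comment at `done:` such as `/* never deny here; let other localauth modules decide */` should say so.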
diff --git a/src/krb5_plugin/sssd_krb5_locator_plugin.c b/src/krb5_plugin/sssd_krb5_locator_plugin.c new file mode 100644 index 0000000..952d487 --- /dev/null +++ b/src/krb5_plugin/sssd_krb5_locator_plugin.c 
@@ -0,0 +1,597 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/sss_krb5.h" +#include + +#include "providers/krb5/krb5_common.h" + +/* The following override of KDCINFO_TMPL and KPASSWDINFO_TMPL is not very + * elegant but since they are defined in krb5_common.h with the help of + * PUBCONF_PATH from config.h and PUBCONF_PATH can by set by a configure + * options I didn't found another way to change the path for a unit test. 
*/ +#ifdef TEST_PUBCONF_PATH +#ifdef KDCINFO_TMPL +#undef KDCINFO_TMPL +#endif +#define KDCINFO_TMPL TEST_PUBCONF_PATH"/kdcinfo.%s" + +#ifdef KPASSWDINFO_TMPL +#undef KPASSWDINFO_TMPL +#endif +#define KPASSWDINFO_TMPL TEST_PUBCONF_PATH"/kpasswdinfo.%s" +#endif /* TEST_PUBCONF_PATH */ + +#define DEFAULT_KERBEROS_PORT 88 +#define DEFAULT_KADMIN_PORT 749 +#define DEFAULT_KPASSWD_PORT 464 + +#define BUFSIZE 4096 +#define PORT_STR_SIZE 7 +#define SSSD_KRB5_LOCATOR_DEBUG "SSSD_KRB5_LOCATOR_DEBUG" +#define SSSD_KRB5_LOCATOR_DISABLE "SSSD_KRB5_LOCATOR_DISABLE" +#define DEBUG_KEY "[sssd_krb5_locator] " +#define PLUGIN_DEBUG(body) do { \ + if (ctx->debug) { \ + plugin_debug_fn body; \ + } \ +} while(0) + +struct addr_port { + char *addr; + uint16_t port; +}; + +struct sssd_ctx { + char *sssd_realm; + struct addr_port *kdc_addr; + struct addr_port *kpasswd_addr; + bool debug; + bool disabled; +}; + +void plugin_debug_fn(const char *format, ...) +{ + va_list ap; + char *s = NULL; + int ret; + + va_start(ap, format); + + ret = vasprintf(&s, format, ap); + va_end(ap); + if (ret < 0) { + /* ENOMEM */ + return; + } + + fprintf(stderr, DEBUG_KEY "%s", s); + free(s); +} + + +static void free_addr_port_list(struct addr_port **list) +{ + size_t c; + + if (list == NULL || *list == NULL) { + return; + } + + for (c = 0; (*list)[c].addr != NULL; c++) { + free((*list)[c].addr); + } + free(*list); + *list = NULL; +} + +static int copy_addr_port_list(struct addr_port *src, bool clear_port, + struct addr_port **dst) +{ + size_t c; + struct addr_port *d = NULL; + int ret; + + /* only copy if dst is initialized to NULL */ + if (dst == NULL || *dst != NULL) { + return EINVAL; + } + + if (src == NULL) { + return 0; + } + + for (c = 0; src[c].addr != NULL; c++); + + d = calloc((c + 1), sizeof(struct addr_port)); + if (d == NULL) { + return ENOMEM; + } + + for (c = 0; src[c].addr != NULL; c++) { + d[c].addr = strdup(src[c].addr); + if (d[c].addr == NULL) { + ret = ENOMEM; + goto done; + } + if 
(clear_port) { + d[c].port = 0; + } else { + d[c].port = src[c].port; + } + } + + ret = EOK; + +done: + if (ret != EOK) { + free_addr_port_list(&d); + } else { + *dst = d; + } + + return ret; +} + +static int buf_to_addr_port_list(struct sssd_ctx *ctx, + uint8_t *buf, size_t buf_size, + struct addr_port **list) +{ + struct addr_port *l = NULL; + int ret; + uint8_t *p; + uint8_t *pn; + size_t c; + size_t len; + size_t addr_len; + char *addr_str = NULL; + char *tmp = NULL; + char *port_str; + long port; + char *endptr; + + /* only create if list is initialized to NULL */ + if (buf == NULL || buf_size == 0 || list == NULL || *list != NULL) { + return EINVAL; + } + + c = 1; /* to account for a missing \n at the very end */ + p = buf; + while ((p - buf) < buf_size + && (p = memchr(p, '\n', buf_size - (p - buf))) != NULL) { + p++; + c++; + } + + l = calloc((c + 1), sizeof(struct addr_port)); + if (l == NULL) { + return ENOMEM; + } + + c = 0; + p = buf; + do { + pn = memchr(p, '\n', buf_size - (p - buf)); + if (pn != NULL) { + len = pn - p; + } else { + len = buf_size - (p - buf); + } + if (len == 0) { + /* empty line no more processing */ + break; + } + + free(tmp); + tmp = strndup((char *) p, len); + if (tmp == NULL) { + ret = ENOMEM; + goto done; + } + + port_str = strrchr(tmp, ':'); + if (port_str == NULL) { + port = 0; + } else if (tmp[0] == '[' && *(port_str - 1) != ']') { + /* IPv6 address without port number */ + port = 0; + } else { + *port_str = '\0'; + ++port_str; + + if (isdigit(*port_str)) { + errno = 0; + port = strtol(port_str, &endptr, 10); + if (errno != 0) { + ret = errno; + PLUGIN_DEBUG(("strtol failed on [%s]: [%d][%s], " + "assuming default.\n", port_str, ret, + strerror(ret))); + port = 0; + } + if (*endptr != '\0') { + PLUGIN_DEBUG(("Found additional characters [%s] in port " + "number [%s], assuming default.\n", endptr, + port_str)); + port = 0; + } + + if (port < 0 || port > 65535) { + PLUGIN_DEBUG(("Illegal port number [%ld], assuming " + 
"default.\n", port)); + port = 0; + } + } else { + PLUGIN_DEBUG(("Illegal port number [%s], assuming default.\n", + port_str)); + port = 0; + } + } + + /* make sure tmp is not modified so that it can be freed later */ + addr_str = tmp; + /* strip leading '[' and trailing ']' from IPv6 addresses */ + if (addr_str[0] == '[' + && (addr_len = strlen(addr_str)) + && addr_str[addr_len - 1] == ']') { + addr_str[addr_len -1] = '\0'; + addr_str++; + } + + PLUGIN_DEBUG(("Found [%s][%d].\n", addr_str, port)); + + l[c].addr = strdup(addr_str); + if (l[c].addr == NULL) { + ret = ENOMEM; + goto done; + } + l[c].port = port; + + c++; + p = pn == NULL ? NULL : (pn + 1); + } while (p != NULL); + + ret = EOK; + +done: + free(tmp); + if (ret != EOK) { + free_addr_port_list(&l); + } else { + *list = l; + } + + return ret; +} + +static int get_krb5info(const char *realm, struct sssd_ctx *ctx, + enum locate_service_type svc) +{ + int ret; + char *krb5info_name = NULL; + size_t len; + uint8_t buf[BUFSIZE + 1]; + int fd = -1; + const char *name_tmpl = NULL; + + switch (svc) { + case locate_service_kdc: + name_tmpl = KDCINFO_TMPL; + break; + case locate_service_kpasswd: + name_tmpl = KPASSWDINFO_TMPL; + break; + default: + PLUGIN_DEBUG(("Unsupported service [%d].\n", svc)); + return EINVAL; + } + + + len = strlen(realm) + strlen(name_tmpl); + + krb5info_name = calloc(1, len + 1); + if (krb5info_name == NULL) { + PLUGIN_DEBUG(("malloc failed.\n")); + return ENOMEM; + } + + ret = snprintf(krb5info_name, len, name_tmpl, realm); + if (ret < 0) { + PLUGIN_DEBUG(("snprintf failed.\n")); + ret = EINVAL; + goto done; + } + krb5info_name[len] = '\0'; + + fd = open(krb5info_name, O_RDONLY); + if (fd == -1) { + PLUGIN_DEBUG(("open failed [%s][%d][%s].\n", + krb5info_name, errno, strerror(errno))); + ret = errno; + goto done; + } + + memset(buf, 0, BUFSIZE+1); + + errno = 0; + len = sss_atomic_read_s(fd, buf, BUFSIZE); + if (len == -1) { + ret = errno; + PLUGIN_DEBUG(("read failed [%d][%s].\n", ret, 
strerror(ret))); + close(fd); + goto done; + } + close(fd); + + if (len == BUFSIZE) { + PLUGIN_DEBUG(("Content of krb5info file [%s] is [%d] or larger.\n", + krb5info_name, BUFSIZE)); + } + + switch (svc) { + case locate_service_kdc: + free_addr_port_list(&(ctx->kdc_addr)); + ret = buf_to_addr_port_list(ctx, buf, len, &(ctx->kdc_addr)); + if (ret != EOK) { + goto done; + } + break; + case locate_service_kpasswd: + free_addr_port_list(&(ctx->kpasswd_addr)); + ret = buf_to_addr_port_list(ctx, buf, len, &(ctx->kpasswd_addr)); + if (ret != EOK) { + goto done; + } + break; + default: + PLUGIN_DEBUG(("Unsupported service [%d].\n", svc)); + ret = EINVAL; + goto done; + } + + ret = 0; +done: + free(krb5info_name); + return ret; +} + +krb5_error_code sssd_krb5_locator_init(krb5_context context, + void **private_data) +{ + struct sssd_ctx *ctx; + const char *dummy; + + ctx = calloc(1,sizeof(struct sssd_ctx)); + if (ctx == NULL) return KRB5_PLUGIN_NO_HANDLE; + + dummy = getenv(SSSD_KRB5_LOCATOR_DEBUG); + if (dummy == NULL) { + ctx->debug = false; + } else { + ctx->debug = true; + PLUGIN_DEBUG(("sssd_krb5_locator_init called\n")); + } + + dummy = getenv(SSSD_KRB5_LOCATOR_DISABLE); + if (dummy == NULL) { + ctx->disabled = false; + } else { + ctx->disabled = true; + PLUGIN_DEBUG(("SSSD KRB5 locator plugin is disabled.\n")); + } + + *private_data = ctx; + + return 0; +} + +void sssd_krb5_locator_close(void *private_data) +{ + struct sssd_ctx *ctx; + + if (private_data == NULL) return; + + ctx = (struct sssd_ctx *) private_data; + PLUGIN_DEBUG(("sssd_krb5_locator_close called\n")); + + free_addr_port_list(&(ctx->kdc_addr)); + free_addr_port_list(&(ctx->kpasswd_addr)); + free(ctx->sssd_realm); + free(ctx); + + return; +} + +krb5_error_code sssd_krb5_locator_lookup(void *private_data, + enum locate_service_type svc, + const char *realm, + int socktype, + int family, + int (*cbfunc)(void *, int, struct sockaddr *), + void *cbdata) +{ + int ret; + struct addrinfo *ai; + struct 
sssd_ctx *ctx; + struct addrinfo ai_hints; + uint16_t port = 0; + uint16_t default_port = 0; + struct addr_port *addr = NULL; + char port_str[PORT_STR_SIZE]; + size_t c; + + if (private_data == NULL) return KRB5_PLUGIN_NO_HANDLE; + ctx = (struct sssd_ctx *) private_data; + + if (realm == NULL || cbfunc == NULL || cbdata == NULL) { + return KRB5_PLUGIN_NO_HANDLE; + } + + if (ctx->disabled) { + PLUGIN_DEBUG(("Plugin disabled, nothing to do.\n")); + return KRB5_PLUGIN_NO_HANDLE; + } + + if (ctx->sssd_realm == NULL || strcmp(ctx->sssd_realm, realm) != 0) { + free(ctx->sssd_realm); + ctx->sssd_realm = strdup(realm); + if (ctx->sssd_realm == NULL) { + PLUGIN_DEBUG(("strdup failed.\n")); + return KRB5_PLUGIN_NO_HANDLE; + } + + ret = get_krb5info(realm, ctx, locate_service_kdc); + if (ret != EOK) { + PLUGIN_DEBUG(("get_krb5info failed.\n")); + return KRB5_PLUGIN_NO_HANDLE; + } + + if (svc == locate_service_kadmin || svc == locate_service_kpasswd || + svc == locate_service_master_kdc) { + ret = get_krb5info(realm, ctx, locate_service_kpasswd); + if (ret != EOK) { + PLUGIN_DEBUG(("reading kpasswd address failed, " + "using kdc address.\n")); + free_addr_port_list(&(ctx->kpasswd_addr)); + ret = copy_addr_port_list(ctx->kdc_addr, true, + &(ctx->kpasswd_addr)); + if (ret != EOK) { + PLUGIN_DEBUG(("copying address list failed.\n")); + return KRB5_PLUGIN_NO_HANDLE; + } + } + } + } + + PLUGIN_DEBUG(("sssd_realm[%s] requested realm[%s] family[%d] socktype[%d] " + "locate_service[%d]\n", ctx->sssd_realm, realm, family, + socktype, svc)); + + switch (svc) { + case locate_service_kdc: + addr = ctx->kdc_addr; + default_port = DEFAULT_KERBEROS_PORT; + break; + case locate_service_master_kdc: + addr = ctx->kpasswd_addr; + default_port = DEFAULT_KERBEROS_PORT; + break; + case locate_service_kadmin: + addr = ctx->kpasswd_addr; + default_port = DEFAULT_KADMIN_PORT; + break; + case locate_service_kpasswd: + addr = ctx->kpasswd_addr; + default_port = DEFAULT_KPASSWD_PORT; + break; + case 
locate_service_krb524: + return KRB5_PLUGIN_NO_HANDLE; + default: + return KRB5_PLUGIN_NO_HANDLE; + } + + switch (family) { + case AF_UNSPEC: + case AF_INET: + case AF_INET6: + break; + default: + return KRB5_PLUGIN_NO_HANDLE; + } + + switch (socktype) { + case SOCK_STREAM: + case SOCK_DGRAM: + break; + default: + return KRB5_PLUGIN_NO_HANDLE; + } + + if (strcmp(realm, ctx->sssd_realm) != 0) + return KRB5_PLUGIN_NO_HANDLE; + + for (c = 0; addr[c].addr != NULL; c++) { + port = (addr[c].port == 0 ? default_port : addr[c].port); + memset(port_str, 0, PORT_STR_SIZE); + ret = snprintf(port_str, PORT_STR_SIZE-1, "%u", port); + if (ret < 0 || ret >= (PORT_STR_SIZE-1)) { + PLUGIN_DEBUG(("snprintf failed.\n")); + return KRB5_PLUGIN_NO_HANDLE; + } + + memset(&ai_hints, 0, sizeof(struct addrinfo)); + ai_hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV; + ai_hints.ai_socktype = socktype; + + ret = getaddrinfo(addr[c].addr, port_str, &ai_hints, &ai); + if (ret != 0) { + PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", ret, + gai_strerror(ret))); + if (ret == EAI_SYSTEM) { + PLUGIN_DEBUG(("getaddrinfo failed [%d][%s].\n", + errno, strerror(errno))); + } + return KRB5_PLUGIN_NO_HANDLE; + } + + PLUGIN_DEBUG(("addr[%s:%s] family[%d] socktype[%d]\n", addr[c].addr, + port_str, ai->ai_family, ai->ai_socktype)); + + if ((family == AF_UNSPEC || ai->ai_family == family) && + ai->ai_socktype == socktype) { + + ret = cbfunc(cbdata, socktype, ai->ai_addr); + if (ret != 0) { + PLUGIN_DEBUG(("cbfunc failed\n")); + freeaddrinfo(ai); + return ret; + } else { + PLUGIN_DEBUG(("[%s] used\n", addr[c].addr)); + } + } else { + PLUGIN_DEBUG(("[%s] NOT used\n", addr[c].addr)); + } + freeaddrinfo(ai); + } + + return 0; +} + +const krb5plugin_service_locate_ftable service_locator = { + 0, /* version */ + sssd_krb5_locator_init, + sssd_krb5_locator_close, + sssd_krb5_locator_lookup, +}; diff --git a/src/ldb_modules/memberof.c b/src/ldb_modules/memberof.c new file mode 100644 index 0000000..5e1ff95 
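Review bot: `sssd_krb5_locator_lookup` dereferences `addr[c].addr` in its final loop without checking `addr`, and `ctx->kpasswd_addr` is only filled when the realm is first cached by a kadmin, kpasswd or master-KDC request. A later lookup for the same realm with `locate_service_kpasswd` after an initial `locate_service_kdc` call skips the reload and reaches the loop with a NULL list. Adding `if (addr == NULL) return KRB5_PLUGIN_NO_HANDLE;` before the loop closes that. Relatedly, `ctx->sssd_realm` is replaced before `get_krb5info()` succeeds, so after a failed read the next lookup for that realm would reuse the previous realm's `kdc_addr`; freeing both lists and clearing `sssd_realm` on that error path keeps the cache consistent. In `buf_to_addr_port_list`, `port` is a `long` printed with `%d` in the "Found" debug message; `%ld` matches the type.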
--- /dev/null +++ b/src/ldb_modules/memberof.c 
@@ -0,0 +1,4585 @@
+/*
+ SSSD memberof module
+
+ Copyright (C) Simo Sorce 2008-2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "ldb_module.h"
+#include "util/util.h"
+
+#define DB_MEMBER "member"
+#define DB_GHOST "ghost"
+#define DB_MEMBEROF "memberof"
+#define DB_MEMBERUID "memberuid"
+#define DB_NAME "name"
+#define DB_USER_CLASS "user"
+#define DB_GROUP_CLASS "group"
+#define DB_CACHE_EXPIRE "dataExpireTimestamp"
+#define DB_OC "objectCategory"
+
+#ifndef MAX
+#define MAX(a,b) (((a) > (b)) ? (a) : (b))
+#endif
+
+struct mbof_val_array {
+ struct ldb_val *vals;
+ int num;
+};
+
+struct mbof_dn_array {
+ struct ldb_dn **dns;
+ int num;
+};
+
+struct mbof_dn {
+ struct mbof_dn *next;
+ struct ldb_dn *dn;
+};
+
+struct mbof_ctx {
+ struct ldb_module *module;
+ struct ldb_request *req;
+
+ struct ldb_control **ret_ctrls;
+ struct ldb_extended *ret_resp;
+};
+
+struct mbof_add_operation {
+ struct mbof_add_ctx *add_ctx;
+ struct mbof_add_operation *next;
+
+ struct mbof_dn_array *parents;
+ struct ldb_dn *entry_dn;
+
+ struct ldb_message *entry;
+};
+
+struct mbof_memberuid_op {
+ struct ldb_dn *dn;
+ struct ldb_message_element *el;
+};
+
+struct mbof_add_ctx {
+ struct mbof_ctx *ctx;
+
+ struct mbof_add_operation *add_list;
+ struct mbof_add_operation *current_op;
+
+ struct ldb_message *msg;
+ struct ldb_dn *msg_dn;
+ bool terminate;
+
+ struct mbof_dn *missing;
+
+ struct mbof_memberuid_op *muops;
+ int num_muops;
+ int cur_muop;
+};
+
+struct mbof_del_ancestors_ctx {
+ struct mbof_dn_array *new_list;
+ int num_direct;
+ int cur;
+
+ struct ldb_message *entry;
+};
+
+struct mbof_del_operation {
+ struct mbof_del_ctx *del_ctx;
+ struct mbof_del_operation *parent;
+ struct mbof_del_operation **children;
+ int num_children;
+ int next_child;
+
+ struct ldb_dn *entry_dn;
+
+ struct ldb_message *entry;
+ struct ldb_message **parents;
+ int num_parents;
+ int cur_parent;
+
+ struct mbof_del_ancestors_ctx *anc_ctx;
+};
+
+struct mbof_mod_ctx;
+
+struct mbof_del_ctx {
+ struct mbof_ctx *ctx;
+
+ struct mbof_del_operation *first;
+ struct mbof_dn *history;
+
+ struct ldb_message **mus;
+ int num_mus;
+
+ struct mbof_memberuid_op *muops;
+ int num_muops;
+ int cur_muop;
+
+ struct mbof_memberuid_op *ghops;
+ int num_ghops;
+ int cur_ghop;
+
+ struct mbof_mod_ctx *follow_mod;
+ bool is_mod;
+};
+
+struct mbof_mod_del_op {
+ struct mbof_mod_ctx *mod_ctx;
+
+ struct ldb_message *mod_msg;
+ struct ldb_message_element *el;
+
+ hash_table_t *inherited_gh;
+};
+
+struct mbof_mod_ctx {
+ struct mbof_ctx *ctx;
+
+ const struct ldb_message_element *membel;
+ const struct ldb_message_element *ghel;
+ struct ldb_message *entry;
+
+ struct mbof_dn_array *mb_add;
+ struct mbof_dn_array *mb_remove;
+
+ struct mbof_val_array *gh_add;
+ struct mbof_val_array *gh_remove;
+ struct mbof_mod_del_op *igh;
+
+ struct ldb_message *msg;
+ bool terminate;
+};
+
+static struct mbof_ctx *mbof_init(struct ldb_module *module,
+ struct ldb_request *req)
+{
+ struct mbof_ctx *ctx;
+
+ ctx = talloc_zero(req, struct mbof_ctx);
+ if (!ctx) {
+ return NULL;
+ }
+
+ ctx->module = module;
+ ctx->req = req;
+
+ return ctx;
+}
+
+static void *hash_alloc(const size_t size, void *pvt)
+{
+ return talloc_size(pvt, size);
+}
+
+static void hash_free(void *ptr, void *pvt)
+{
+ talloc_free(ptr);
+}
+
+static int entry_has_objectclass(struct ldb_message *entry,
+ const char *objectclass)
+{
+ struct ldb_message_element *el;
+ struct ldb_val *val;
+ int i;
+
+ el = ldb_msg_find_element(entry, DB_OC);
+ if (!el) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ for (i = 0; i < el->num_values; i++) {
+ val = &(el->values[i]);
+ if (strncasecmp(objectclass, (char *)val->data, val->length) == 0) {
+ return LDB_SUCCESS;
+ }
+ }
+
+ return LDB_ERR_NO_SUCH_ATTRIBUTE;
+}
+
+static int entry_is_user_object(struct ldb_message *entry)
+{
+ return entry_has_objectclass(entry, DB_USER_CLASS);
+}
+
+static int entry_is_group_object(struct ldb_message *entry)
+{
+ return entry_has_objectclass(entry, DB_GROUP_CLASS);
+}
+
+static int mbof_append_muop(TALLOC_CTX *memctx,
+ struct mbof_memberuid_op **_muops,
+ int *_num_muops,
+ int flags,
+ struct ldb_dn *parent,
+ const char *name,
+ const char *element_name)
+{
+ struct mbof_memberuid_op *muops = *_muops;
+ int num_muops = *_num_muops;
+ struct mbof_memberuid_op *op;
+ struct ldb_val *val;
+ int i;
+
+ op = NULL;
+ if (muops) {
+ for (i = 0; i < num_muops; i++) {
+ if (ldb_dn_compare(parent, muops[i].dn) == 0) {
+ op = &muops[i];
+ break;
+ }
+ }
+ }
+ if (!op) {
+ muops = talloc_realloc(memctx, muops,
+ struct mbof_memberuid_op,
+ num_muops + 1);
+ if (!muops) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ op = &muops[num_muops];
+ num_muops++;
+ *_muops = muops;
+ *_num_muops = num_muops;
+
+ op->dn = parent;
+ op->el = NULL;
+ }
+
+ if (!op->el) {
+ op->el = talloc_zero(muops, struct ldb_message_element);
+ if (!op->el) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ op->el->name = talloc_strdup(op->el, element_name);
+ if (!op->el->name) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ op->el->flags = flags;
+ }
+
+ for (i = 0; i < op->el->num_values; i++) {
+ if (strcmp((char *)op->el->values[i].data, name) == 0) {
+ /* we already have this value, get out*/
+ return LDB_SUCCESS;
+ }
+ }
+
+ val = talloc_realloc(op->el, op->el->values,
+ struct ldb_val, op->el->num_values + 1);
+ if (!val) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ val[op->el->num_values].data = (uint8_t *)talloc_strdup(val, name);
+ if (!val[op->el->num_values].data) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ val[op->el->num_values].length = strlen(name);
+
+ op->el->values = val;
+ op->el->num_values++;
+
+ return LDB_SUCCESS;
+}
+
+
+/* add operation */
+
+/* An add operation is quite simple.
+ * First of all a new object cannot yet have parents, so the only memberof
+ * attribute that can be added to any member contains just one object DN.
+ *
+ * The real add operation is done first, to assure nothing else fails.
+ * Then we list all members of the object just created, and for each member
+ * we create an "add operation" and we pass it a parent list of one member
+ * (the object we just added again).
+ *
+ * For each add operation we lookup the object we want to operate on.
+ * We take the list of memberof attributes and sort out which parents are
+ * still missing from the parent list we have provided.
+ * We modify the object memberof attributes to reflect the new memberships.
+ * Then we list all members of this object, and for each once again we create
+ * an "add operation" as we did in the initial object.
+ *
+ * Processing stops when the target object does not have members or when it
+ * already has all the parents (can happen if nested groups create loops).
+ *
+ * Group cache unrolling:
+ * Every time we add a memberof attribute to an actual user object,
+ * we proceed to store the user name.
+ *
+ * At the end we will add a memberuid attribute to our new object that
+ * includes all direct and indirect user members names.
+ *
+ * Group objects can also contain a "ghost" attribute. A ghost attribute
+ * represents a user that is a member of the group but has not yet been
+ * looked up so there is no real user entry with member/memberof links.
+ *
+ * If an object being added contains a "ghost" attribute, the ghost attribute
+ * is in turn copied to all parents of that object so that retrieving a
+ * group returns both its direct and indirect members. The ghost attribute is
+ * similar to the memberuid attribute in many respects. One difference is that
+ * the memberuid attribute is completely generated and managed by the memberof
+ * plugin - in contrast, the ghost attribute is added to the entry that "owns"
+ * it and only propagated to parent groups.
+ */
+
+static int mbof_append_addop(struct mbof_add_ctx *add_ctx,
+ struct mbof_dn_array *parents,
+ struct ldb_dn *entry_dn)
+{
+ struct mbof_add_operation *lastop = NULL;
+ struct mbof_add_operation *addop;
+
+ /* test if this is a duplicate */
+ /* FIXME: this is not efficient */
+ if (add_ctx->add_list) {
+ do {
+ if (lastop) {
+ lastop = lastop->next;
+ } else {
+ lastop = add_ctx->add_list;
+ }
+
+ /* FIXME: check if this is right, might have to compare parents */
+ if (ldb_dn_compare(lastop->entry_dn, entry_dn) == 0) {
+ /* duplicate found */
+ return LDB_SUCCESS;
+ }
+ } while (lastop->next);
+ }
+
+ addop = talloc_zero(add_ctx, struct mbof_add_operation);
+ if (!addop) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ addop->add_ctx = add_ctx;
+ addop->parents = parents;
+ addop->entry_dn = entry_dn;
+
+ if (add_ctx->add_list) {
+ lastop->next = addop;
+ } else {
+ add_ctx->add_list = addop;
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int mbof_add_fill_ghop_ex(struct mbof_add_ctx *add_ctx,
+ struct ldb_message *entry,
+ struct mbof_dn_array *parents,
+ struct ldb_val *ghvals,
+ unsigned int num_gh_vals)
+{
+ int ret;
+ int i, j;
+
+ if (!parents || parents->num == 0) {
+ /* no parents attributes ... */
+ return LDB_SUCCESS;
+ }
+
+ ret = entry_is_group_object(entry);
+ switch (ret) {
+ case LDB_SUCCESS:
+ /* it's a group object, continue */
+ break;
+
+ case LDB_ERR_NO_SUCH_ATTRIBUTE:
+ /* it is not a group object, just return */
+ return LDB_SUCCESS;
+
+ default:
+ /* an error occurred, return */
+ return ret;
+ }
+
+ ldb_debug(ldb_module_get_ctx(add_ctx->ctx->module),
+ LDB_DEBUG_TRACE,
+ "will add %d ghost users to %d parents\n",
+ num_gh_vals, parents->num);
+
+ for (i = 0; i < parents->num; i++) {
+ for (j = 0; j < num_gh_vals; j++) {
+ ret = mbof_append_muop(add_ctx, &add_ctx->muops,
+ &add_ctx->num_muops,
+ LDB_FLAG_MOD_ADD,
+ parents->dns[i],
+ (const char *) ghvals[j].data,
+ DB_GHOST);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int memberof_recompute_task(struct ldb_module *module,
+ struct ldb_request *req);
+
+static int mbof_add_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_next_add(struct mbof_add_operation *addop);
+static int mbof_next_add_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_add_operation(struct mbof_add_operation *addop);
+static int mbof_add_fill_ghop(struct mbof_add_ctx *add_ctx,
+ struct ldb_message *entry,
+ struct mbof_dn_array *parents);
+static int mbof_add_missing(struct mbof_add_ctx *add_ctx, struct ldb_dn *dn);
+static int mbof_add_cleanup(struct mbof_add_ctx *add_ctx);
+static int mbof_add_cleanup_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_add_muop(struct mbof_add_ctx *add_ctx);
+static int mbof_add_muop_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+
+static int memberof_add(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct mbof_add_ctx *add_ctx;
+ struct mbof_ctx *ctx;
+ struct ldb_request *add_req;
+ struct ldb_message_element *el;
+ struct mbof_dn_array *parents;
+ struct ldb_dn *valdn;
+ int i, ret;
+
+ if (ldb_dn_is_special(req->op.add.message->dn)) {
+
+ if (strcmp("@MEMBEROF-REBUILD",
+ ldb_dn_get_linearized(req->op.add.message->dn)) == 0) {
+ return memberof_recompute_task(module, req);
+ }
+
+ /* do not manipulate other control entries */
+ return ldb_next_request(module, req);
+ }
+
+ /* check if memberof is specified */
+ el = ldb_msg_find_element(req->op.add.message, DB_MEMBEROF);
+ if (el) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Error: the memberof attribute is readonly.");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ /* check if memberuid is specified */
+ el = ldb_msg_find_element(req->op.add.message, DB_MEMBERUID);
+ if (el) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Error: the memberuid attribute is readonly.");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ ctx = mbof_init(module, req);
+ if (!ctx) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ add_ctx = talloc_zero(ctx, struct mbof_add_ctx);
+ if (!add_ctx) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ add_ctx->ctx = ctx;
+
+ add_ctx->msg = ldb_msg_copy(add_ctx, req->op.add.message);
+ if (!add_ctx->msg) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ add_ctx->msg_dn = add_ctx->msg->dn;
+
+ /* continue with normal ops if there are no members */
+ el = ldb_msg_find_element(add_ctx->msg, DB_MEMBER);
+ if (!el) {
+ add_ctx->terminate = true;
+ goto done;
+ }
+
+ parents = talloc_zero(add_ctx, struct mbof_dn_array);
+ if (!parents) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ parents->dns = talloc_array(parents, struct ldb_dn *, 1);
+ if (!parents->dns) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ parents->dns[0] = add_ctx->msg_dn;
+ parents->num = 1;
+
+ /* process new members */
+ /* check we are not adding ourselves as member as well */
+ for (i = 0; i < el->num_values; i++) {
+ valdn = ldb_dn_from_ldb_val(add_ctx, ldb, &el->values[i]);
+ if (!valdn || !ldb_dn_validate(valdn)) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR, "Invalid dn value: [%s]",
+ (const char *)el->values[i].data);
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+ if (ldb_dn_compare(valdn, req->op.add.message->dn) == 0) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Adding self as member is not permitted! Skipping");
+ continue;
+ }
+ ret = mbof_append_addop(add_ctx, parents, valdn);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+done:
+ /* add original object */
+ ret = ldb_build_add_req(&add_req, ldb, add_ctx,
+ add_ctx->msg, req->controls,
+ add_ctx, mbof_add_callback,
+ req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(module, add_req);
+}
+
+static int mbof_add_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_add_ctx *add_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ add_ctx = talloc_get_type(req->context, struct mbof_add_ctx);
+ ctx = add_ctx->ctx;
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ /* shouldn't happen */
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ if (add_ctx->terminate) {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ if (add_ctx->current_op == NULL) {
+ /* first operation */
+ ctx->ret_ctrls = talloc_steal(ctx, ares->controls);
+ ctx->ret_resp = talloc_steal(ctx, ares->response);
+ ret = mbof_next_add(add_ctx->add_list);
+ }
+ else if (add_ctx->current_op->next) {
+ /* next operation */
+ ret = mbof_next_add(add_ctx->current_op->next);
+ }
+ else {
+ /* no more operations */
+ if (add_ctx->missing) {
+ ret = mbof_add_cleanup(add_ctx);
+ }
+ else if (add_ctx->muops) {
+ ret = mbof_add_muop(add_ctx);
+ }
+ else {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+ }
+
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+static int mbof_next_add(struct mbof_add_operation *addop)
+{
+ static const char *attrs[] = { DB_OC, DB_NAME,
+ DB_MEMBER, DB_GHOST,
+ DB_MEMBEROF, NULL };
+ struct ldb_context *ldb;
+ struct ldb_request *req;
+ struct mbof_add_ctx *add_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ add_ctx = addop->add_ctx;
+ ctx = add_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ /* mark the operation as being handled */
+ add_ctx->current_op = addop;
+
+ ret = ldb_build_search_req(&req, ldb, ctx,
+ addop->entry_dn, LDB_SCOPE_BASE,
+ NULL, attrs, NULL,
+ addop, mbof_next_add_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_request(ldb, req);
+}
+
+static int mbof_next_add_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_add_operation *addop;
+ struct mbof_add_ctx *add_ctx;
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ addop = talloc_get_type(req->context, struct mbof_add_operation);
+ add_ctx = addop->add_ctx;
+ ctx = add_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ if (addop->entry != NULL) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,
+ "Found multiple entries for (%s)",
+ ldb_dn_get_linearized(addop->entry_dn));
+ /* more than one entry per DN!? DB corrupted? */
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+
+ addop->entry = talloc_steal(addop, ares->message);
+ if (addop->entry == NULL) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+
+ break;
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ talloc_zfree(ares);
+ if (addop->entry == NULL) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Entry not found (%s)",
+ ldb_dn_get_linearized(addop->entry_dn));
+
+ /* this target does not exists, save as missing */
+ ret = mbof_add_missing(add_ctx, addop->entry_dn);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ /* now try the next operation */
+ if (add_ctx->current_op->next) {
+ ret = mbof_next_add(add_ctx->current_op->next);
+ }
+ else {
+ /* no more operations */
+ if (add_ctx->missing) {
+ ret = mbof_add_cleanup(add_ctx);
+ }
+ else if (add_ctx->muops) {
+ ret = mbof_add_muop(add_ctx);
+ }
+ else {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+ }
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+ else {
+ ret = mbof_add_operation(addop);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+ return LDB_SUCCESS;
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+/* if it is a group, add all members for cascade effect
+ * add memberof attribute to this entry
+ */
+static int mbof_add_operation(struct mbof_add_operation *addop)
+{
+
+ TALLOC_CTX *tmp_ctx;
+ struct mbof_ctx *ctx;
+ struct mbof_add_ctx *add_ctx;
+ struct ldb_context *ldb;
+ struct ldb_message_element *el;
+ struct ldb_request *mod_req;
+ struct ldb_message *msg;
+ struct ldb_dn *elval_dn;
+ struct ldb_dn *valdn;
+ struct mbof_dn_array *parents;
+ int i, j, ret;
+ const char *val;
+ const char *name;
+
+ add_ctx = addop->add_ctx;
+ ctx = add_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ parents = talloc_zero(add_ctx, struct mbof_dn_array);
+ if (!parents) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ /* can't be more than the immediate parent */
+ parents->dns = talloc_array(parents, struct ldb_dn *,
+ addop->parents->num);
+ if (!parents->dns) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ /* create new parent set for this entry */
+ for (i = 0; i < addop->parents->num; i++) {
+ /* never add yourself as memberof */
+ if (ldb_dn_compare(addop->parents->dns[i], addop->entry_dn) == 0) {
+ continue;
+ }
+ parents->dns[parents->num] = addop->parents->dns[i];
+ parents->num++;
+ }
+
+ /* remove entries that are already there */
+ el = ldb_msg_find_element(addop->entry, DB_MEMBEROF);
+ if (el) {
+
+ tmp_ctx = talloc_new(addop);
+ if (!tmp_ctx) return LDB_ERR_OPERATIONS_ERROR;
+
+ for (i = 0; i < el->num_values; i++) {
+ elval_dn = ldb_dn_from_ldb_val(tmp_ctx, ldb, &el->values[i]);
+ if (!elval_dn) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Invalid DN in memberof [%s]",
+ (const char *)el->values[i].data);
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ for (j = 0; j < parents->num; j++) {
+ if (ldb_dn_compare(parents->dns[j], elval_dn) == 0) {
+ /* duplicate found */
+ break;
+ }
+ }
+ if (j < parents->num) {
+ /* remove duplicate */
+ for (;j+1 < parents->num; j++) {
+ parents->dns[j] = parents->dns[j+1];
+ }
+ parents->num--;
+ }
+ }
+
+ if (parents->num == 0) {
+ /* already contains all parents as memberof, skip to next */
+ talloc_free(tmp_ctx);
+ talloc_free(addop->entry);
+ addop->entry = NULL;
+
+ if (addop->next) {
+ return mbof_next_add(addop->next);
+ }
+ else if (add_ctx->muops) {
+ return mbof_add_muop(add_ctx);
+ }
+ else {
+ /* that was the last entry, get out */
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+ }
+ talloc_free(tmp_ctx);
+ }
+
+ /* if it is a group add all members */
+ el = ldb_msg_find_element(addop->entry, DB_MEMBER);
+ if (el) {
+ for (i = 0; i < el->num_values; i++) {
+ valdn = ldb_dn_from_ldb_val(add_ctx, ldb, &el->values[i]);
+ if (!valdn) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Invalid DN in member [%s]",
+ (const char *)el->values[i].data);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ if (!ldb_dn_validate(valdn)) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,
+ "Invalid DN syntax for member [%s]",
+ (const char *)el->values[i].data);
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+ ret = mbof_append_addop(add_ctx, parents, valdn);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+ }
+
+ /* check if we need to store memberuid ops for this entry */
+ ret = entry_is_user_object(addop->entry);
+ switch (ret) {
+ case LDB_SUCCESS:
+ /* it's a user object */
+ name = ldb_msg_find_attr_as_string(addop->entry, DB_NAME, NULL);
+ if (!name) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ for (i = 0; i < parents->num; i++) {
+ ret = mbof_append_muop(add_ctx, &add_ctx->muops,
+ &add_ctx->num_muops,
+ LDB_FLAG_MOD_ADD,
+ parents->dns[i], name,
+ DB_MEMBERUID);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ break;
+
+ case LDB_ERR_NO_SUCH_ATTRIBUTE:
+ /* it is not a user object, continue */
+ break;
+
+ default:
+ /* an error occurred, return */
+ return ret;
+ }
+
+ ret = mbof_add_fill_ghop(add_ctx, addop->entry, parents);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* we are done with the entry now */
+ talloc_free(addop->entry);
+ addop->entry = NULL;
+
+ /* add memberof to entry */
+ msg = ldb_msg_new(addop);
+ if (!msg) return LDB_ERR_OPERATIONS_ERROR;
+
+ msg->dn = addop->entry_dn;
+
+ ret = ldb_msg_add_empty(msg, DB_MEMBEROF, LDB_FLAG_MOD_ADD, &el);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el->values = talloc_array(msg, struct ldb_val, parents->num);
+ if (!el->values) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ for (i = 0, j = 0; i < parents->num; i++) {
+ if (ldb_dn_compare(parents->dns[i], msg->dn) == 0) continue;
+ val = ldb_dn_get_linearized(parents->dns[i]);
+ el->values[j].length = strlen(val);
+ el->values[j].data = (uint8_t *)talloc_strdup(el->values, val);
+ if (!el->values[j].data) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ j++;
+ }
+ el->num_values = j;
+
+ ret = ldb_build_mod_req(&mod_req, ldb, add_ctx,
+ msg, NULL,
+ add_ctx, mbof_add_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ talloc_steal(mod_req, msg);
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_add_fill_ghop(struct mbof_add_ctx *add_ctx,
+ struct ldb_message *entry,
+ struct mbof_dn_array *parents)
+{
+ struct ldb_message_element *ghel;
+
+ ghel = ldb_msg_find_element(entry, DB_GHOST);
+ if (ghel == NULL || ghel->num_values == 0) {
+ /* No ghel attribute, just return success */
+ return LDB_SUCCESS;
+ }
+
+ return mbof_add_fill_ghop_ex(add_ctx, entry, parents,
+ ghel->values, ghel->num_values);
+}
+
+static int mbof_add_missing(struct mbof_add_ctx *add_ctx, struct ldb_dn *dn)
+{
+ struct mbof_dn *mdn;
+
+ mdn = talloc(add_ctx, struct mbof_dn);
+ if (!mdn) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ mdn->dn = talloc_steal(mdn, dn);
+
+ /* add to the list */
+ mdn->next = add_ctx->missing;
+ add_ctx->missing = mdn;
+
+ return LDB_SUCCESS;
+}
+
+/* remove unexisting members and add memberuid attribute */
+static int mbof_add_cleanup(struct mbof_add_ctx *add_ctx)
+{
+ struct ldb_context *ldb;
+ struct ldb_message *msg;
+ struct ldb_request *mod_req;
+ struct ldb_message_element *el;
+ struct mbof_ctx *ctx;
+ struct mbof_dn *iter;
+ const char *val;
+ int ret, i, num;
+
+ ctx = add_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ num = 0;
+ for (iter = add_ctx->missing; iter; iter = iter->next) {
+ num++;
+ }
+ if (num == 0) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ msg = ldb_msg_new(add_ctx);
+ if (!msg) return LDB_ERR_OPERATIONS_ERROR;
+
+ msg->dn = add_ctx->msg_dn;
+
+ ret = ldb_msg_add_empty(msg, DB_MEMBER, LDB_FLAG_MOD_DELETE, &el);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ el->values = talloc_array(msg, struct ldb_val, num);
+ if (!el->values) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ el->num_values = num;
+ for (i = 0, iter = add_ctx->missing; iter; iter = iter->next, i++) {
+ val = ldb_dn_get_linearized(iter->dn);
+ el->values[i].length = strlen(val);
+ el->values[i].data = (uint8_t *)talloc_strdup(el->values, val);
+ if (!el->values[i].data) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ }
+
+ ret = ldb_build_mod_req(&mod_req, ldb, add_ctx,
+ msg, NULL,
+ add_ctx, mbof_add_cleanup_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_add_cleanup_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_add_ctx *add_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ add_ctx = talloc_get_type(req->context, struct mbof_add_ctx);
+ ctx = add_ctx->ctx;
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ /* shouldn't happen */
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ if (add_ctx->muops) {
+ ret = mbof_add_muop(add_ctx);
+ }
+ else {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+/* add memberuid attributes to parent groups */
+static int mbof_add_muop(struct mbof_add_ctx *add_ctx)
+{
+ struct ldb_context *ldb;
+ struct ldb_message *msg;
+ struct ldb_request *mod_req;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ ctx = add_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ msg = ldb_msg_new(add_ctx);
+ if (!msg) return LDB_ERR_OPERATIONS_ERROR;
+
+ msg->dn = add_ctx->muops[add_ctx->cur_muop].dn;
+ msg->elements = add_ctx->muops[add_ctx->cur_muop].el;
+ msg->num_elements = 1;
+
+ ret = ldb_build_mod_req(&mod_req, ldb, add_ctx,
+ msg, NULL,
+ add_ctx, mbof_add_muop_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_request_add_control(mod_req, LDB_CONTROL_PERMISSIVE_MODIFY_OID,
+ false, NULL);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(mod_req);
+ return ret;
+ }
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_add_muop_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_add_ctx *add_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ add_ctx = talloc_get_type(req->context, struct mbof_add_ctx);
+ ctx = add_ctx->ctx;
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ /* shouldn't happen */
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ add_ctx->cur_muop++;
+ if (add_ctx->cur_muop < add_ctx->num_muops) {
+ ret = mbof_add_muop(add_ctx);
+ }
+ else {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+
+
+
+/* delete operations */
+
+/* The implementation of delete operations is a bit more complex than an add
+ * operation. This is because we need to recompute memberships of potentially
+ * quite far descendants and we also have to account for loops and how to
+ * break them without ending in an endless loop ourselves.
+ * The difficulty is in the fact that while the member -> memberof link is
+ * direct, memberof -> member is not as membership is transitive.
+ *
+ * Ok, first of all, contrary to the add operation, a delete operation
+ * involves an existing object that may have existing parents. So, first, we
+ * search the object itself to get the original membership lists (member and
+ * memberof) for this object, and we also search for any object that has it as
+ * one of its members.
+ * Once we have the results, we store object and parents and proceed with the
+ * original operation to make sure it is valid.
+ *
+ * Once the original op returns we proceed fixing parents (parents being each
+ * object that has the delete operation target object as member), if any.
+ *
+ * For each parent we retrieved we proceed to delete the member attribute that
+ * points to the object we just deleted. Once done for all parents (or if no
+ * parents exists), we proceed with the children and descendants.
+ *
+ * To handle the children we create a first ancestor operation that reflects
+ * the delete we just made. We set as parents of this object the parents just
+ * retrieved with the first search. Then we create a remove list.
+ *
+ * The remove list contains all objects in the original memberof list and the
+ * object dn itself of the original delete operation target object (the first
+ * ancestor).
+ *
+ * An operation is identified by an object that contains a tree of
+ * descendants:
+ * The remove list for the children, the immediate parent, and the dn and
+ * entry of the object this operation is about.
+ *
+ * We now proceed with adding a new operation for each original member of the
+ * first ancestor.
+ *
+ * In each operation we must first lookup the target object and each immediate
+ * parent (all the objects in the tree that have target as a "member").
+ *
+ * Then we proceed to calculate the new memberof list that we are going to set
+ * on the target object.
+ * The new memberof list starts with including all the objects that have the
+ * target as their direct member.
+ * Finally for each entry in this provisional new memberof list we add all its
+ * memberof elements to the new memberof list (taking care of excluding
+ * duplicates). This way we are certain all direct and indirect membership are
+ * accounted for.
+ *
+ * At this point we have the final new memberof list for this operation and we
+ * can proceed to modify the entry.
+ *
+ * Once the entry has been modified we proceed again to check if there are any
+ * children of this entry (the entry has "member"s).
+ * We create a new remove list that is the difference between the original
+ * entry memberof list and the new memberof list we just stored back in the
+ * object.
+ * Then for each member we create a new operation.
+ *
+ * We continue to process operations until no new operations need to be
+ * performed.
+ *
+ * Ordering is important here, se the mbof_del_get_next() function to
+ * understand how we proceed to select which new operation to process.
+ *
+ * As a final operation remove any memberuid corresponding to a removal of
+ * a memberof field from a user entry. Also if the original entry had a ghost
+ * attribute, we need to remove that attribute from all its parents as well.
+ *
+ * There is one catch though - at the memberof level, we can't know if the
+ * attribute being removed from a parent group is just inherited from the group
+ * being removed or also a direct member of the parent group. To make sure
+ * that the attribute is displayed next time the group is requested, we also
+ * set expire the parent group at the same time.
+ */ + +static int mbof_del_search_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_orig_del(struct mbof_del_ctx *ctx); +static int mbof_orig_del_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_del_cleanup_parents(struct mbof_del_ctx *del_ctx); +static int mbof_del_clean_par_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_del_cleanup_children(struct mbof_del_ctx *del_ctx); +static int mbof_append_delop(struct mbof_del_operation *parent, + struct ldb_dn *entry_dn); +static int mbof_del_execute_op(struct mbof_del_operation *delop); +static int mbof_del_exop_search_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_del_execute_cont(struct mbof_del_operation *delop); +static int mbof_del_ancestors(struct mbof_del_operation *delop); +static int mbof_del_anc_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_del_mod_entry(struct mbof_del_operation *delop); +static int mbof_del_mod_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_del_progeny(struct mbof_del_operation *delop); +static int mbof_del_get_next(struct mbof_del_operation *delop, + struct mbof_del_operation **nextop); +static int mbof_del_fill_muop(struct mbof_del_ctx *del_ctx, + struct ldb_message *entry); +static int mbof_del_fill_ghop(struct mbof_del_ctx *del_ctx, + struct ldb_message *entry); +static int mbof_del_muop(struct mbof_del_ctx *ctx); +static int mbof_del_muop_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_del_ghop(struct mbof_del_ctx *del_ctx); +static int mbof_del_ghop_callback(struct ldb_request *req, + struct ldb_reply *ares); +static void free_delop_contents(struct mbof_del_operation *delop); + + +static int memberof_del(struct ldb_module *module, struct ldb_request *req) +{ + static const char *attrs[] = { DB_OC, DB_NAME, + DB_MEMBER, DB_MEMBEROF, + DB_GHOST, NULL }; + struct ldb_context *ldb = 
ldb_module_get_ctx(module); + struct mbof_del_operation *first; + struct ldb_request *search; + char *expression; + const char *dn; + char *clean_dn; + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + int ret; + errno_t sret; + + if (ldb_dn_is_special(req->op.del.dn)) { + /* do not manipulate our control entries */ + return ldb_next_request(module, req); + } + + ctx = mbof_init(module, req); + if (!ctx) { + return LDB_ERR_OPERATIONS_ERROR; + } + + del_ctx = talloc_zero(ctx, struct mbof_del_ctx); + if (!del_ctx) { + talloc_free(ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + del_ctx->ctx = ctx; + + /* create first entry */ + /* the first entry is the parent of all entries and the one where we remove + * member from, it does not get the same treatment as others */ + first = talloc_zero(del_ctx, struct mbof_del_operation); + if (!first) { + talloc_free(ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + del_ctx->first = first; + + first->del_ctx = del_ctx; + first->entry_dn = req->op.del.dn; + + dn = ldb_dn_get_linearized(req->op.del.dn); + if (!dn) { + talloc_free(ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + + sret = sss_filter_sanitize(del_ctx, dn, &clean_dn); + if (sret != 0) { + talloc_free(ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + + expression = talloc_asprintf(del_ctx, + "(|(distinguishedName=%s)(%s=%s))", + clean_dn, DB_MEMBER, clean_dn); + if (!expression) { + talloc_free(ctx); + return LDB_ERR_OPERATIONS_ERROR; + } + talloc_zfree(clean_dn); + + ret = ldb_build_search_req(&search, ldb, del_ctx, + NULL, LDB_SCOPE_SUBTREE, + expression, attrs, NULL, + first, mbof_del_search_callback, + req); + if (ret != LDB_SUCCESS) { + talloc_free(ctx); + return ret; + } + + return ldb_request(ldb, search); +} + +static int mbof_del_search_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct mbof_del_operation *first; + struct ldb_context *ldb; + struct ldb_message *msg; + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + int ret; + + first = 
talloc_get_type(req->context, struct mbof_del_operation); + del_ctx = first->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + msg = ares->message; + + if (ldb_dn_compare(msg->dn, ctx->req->op.del.dn) == 0) { + + if (first->entry != NULL) { + /* more than one entry per DN!? DB corrupted? */ + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + first->entry = talloc_steal(first, msg); + if (first->entry == NULL) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } else { + first->parents = talloc_realloc(first, first->parents, + struct ldb_message *, + first->num_parents + 1); + if (!first->parents) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + msg = talloc_steal(first->parents, ares->message); + if (!msg) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + first->parents[first->num_parents] = msg; + first->num_parents++; + } + break; + case LDB_REPLY_REFERRAL: + /* ignore */ + break; + + case LDB_REPLY_DONE: + if (first->entry == NULL) { + /* this target does not exists, too bad! 
*/ + ldb_debug(ldb, LDB_DEBUG_TRACE, + "Target entry (%s) not found", + ldb_dn_get_linearized(first->entry_dn)); + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_NO_SUCH_OBJECT); + } + + /* now perform the requested delete, before proceeding further */ + ret = mbof_orig_del(del_ctx); + if (ret != LDB_SUCCESS) { + talloc_zfree(ares); + return ldb_module_done(ctx->req, NULL, NULL, ret); + } + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int mbof_orig_del(struct mbof_del_ctx *del_ctx) +{ + struct ldb_request *del_req; + struct mbof_ctx *ctx; + int ret; + + ctx = del_ctx->ctx; + + ret = ldb_build_del_req(&del_req, ldb_module_get_ctx(ctx->module), + ctx->req, ctx->req->op.del.dn, NULL, + del_ctx, mbof_orig_del_callback, + ctx->req); + if (ret != LDB_SUCCESS) { + return ret; + } + + return ldb_next_request(ctx->module, del_req); +} + +static int mbof_orig_del_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct ldb_context *ldb; + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + int ret; + + del_ctx = talloc_get_type(req->context, struct mbof_del_ctx); + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + if (ares->type != LDB_REPLY_DONE) { + talloc_zfree(ares); + ldb_set_errstring(ldb, "Invalid reply type!"); + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + /* save real call stuff */ + ctx->ret_ctrls = talloc_steal(ctx, ares->controls); + ctx->ret_resp = talloc_steal(ctx, ares->response); + + /* prep following clean ops */ + if (del_ctx->first->num_parents) { + + /* if there are parents there may be memberuids to remove */ + ret = mbof_del_fill_muop(del_ctx, del_ctx->first->entry); + if (ret != LDB_SUCCESS) { + talloc_zfree(ares); + return 
ldb_module_done(ctx->req, NULL, NULL, ret); + } + + /* ..or ghost attributes to remove */ + ret = mbof_del_fill_ghop(del_ctx, del_ctx->first->entry); + if (ret != LDB_SUCCESS) { + talloc_zfree(ares); + return ldb_module_done(ctx->req, NULL, NULL, ret); + } + + /* if there are any parents, fire a removal sequence */ + ret = mbof_del_cleanup_parents(del_ctx); + } + else if (ldb_msg_find_element(del_ctx->first->entry, DB_MEMBER)) { + /* if there are any children, fire a removal sequence */ + ret = mbof_del_cleanup_children(del_ctx); + } + /* see if there are memberuid operations to perform */ + else if (del_ctx->muops) { + return mbof_del_muop(del_ctx); + } + /* see if we need to remove some ghost users */ + else if (del_ctx->ghops) { + return mbof_del_ghop(del_ctx); + } + else { + /* no parents nor children, end ops */ + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + LDB_SUCCESS); + } + if (ret != LDB_SUCCESS) { + talloc_zfree(ares); + return ldb_module_done(ctx->req, NULL, NULL, ret); + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int mbof_del_cleanup_parents(struct mbof_del_ctx *del_ctx) +{ + struct mbof_del_operation *first; + struct mbof_ctx *ctx; + struct ldb_context *ldb; + struct ldb_request *mod_req; + struct ldb_message *msg; + struct ldb_message_element *el; + const char *val; + int ret; + + first = del_ctx->first; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + msg = ldb_msg_new(first->parents); + if (!msg) return LDB_ERR_OPERATIONS_ERROR; + + msg->dn = first->parents[first->cur_parent]->dn; + first->cur_parent++; + + ret = ldb_msg_add_empty(msg, DB_MEMBER, LDB_FLAG_MOD_DELETE, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + el->values = talloc_array(msg, struct ldb_val, 1); + if (!el->values) { + return LDB_ERR_OPERATIONS_ERROR; + } + val = ldb_dn_get_linearized(first->entry_dn); + el->values[0].length = strlen(val); + el->values[0].data = (uint8_t *)talloc_strdup(el->values, val); + if 
(!el->values[0].data) { + return LDB_ERR_OPERATIONS_ERROR; + } + el->num_values = 1; + + ret = ldb_build_mod_req(&mod_req, ldb, first->parents, + msg, NULL, + del_ctx, mbof_del_clean_par_callback, + ctx->req); + if (ret != LDB_SUCCESS) { + return ret; + } + + return ldb_next_request(ctx->module, mod_req); +} + +static int mbof_del_clean_par_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct mbof_del_operation *first; + struct ldb_context *ldb; + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + int ret; + + del_ctx = talloc_get_type(req->context, struct mbof_del_ctx); + first = del_ctx->first; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + if (ares->type != LDB_REPLY_DONE) { + talloc_zfree(ares); + ldb_set_errstring(ldb, "Invalid reply type!"); + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + if (first->num_parents > first->cur_parent) { + /* still parents to cleanup, go on */ + ret = mbof_del_cleanup_parents(del_ctx); + } + else { + /* continue */ + if (ldb_msg_find_element(first->entry, DB_MEMBER)) { + /* if there are any children, fire a removal sequence */ + ret = mbof_del_cleanup_children(del_ctx); + } + /* see if there are memberuid operations to perform */ + else if (del_ctx->muops) { + return mbof_del_muop(del_ctx); + } + /* see if we need to remove some ghost users */ + else if (del_ctx->ghops) { + return mbof_del_ghop(del_ctx); + } + else { + /* no children, end ops */ + return ldb_module_done(ctx->req, + ctx->ret_ctrls, + ctx->ret_resp, + LDB_SUCCESS); + } + } + + if (ret != LDB_SUCCESS) { + talloc_zfree(ares); + return ldb_module_done(ctx->req, NULL, NULL, ret); + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int 
mbof_del_cleanup_children(struct mbof_del_ctx *del_ctx) +{ + struct mbof_del_operation *first; + struct mbof_ctx *ctx; + struct ldb_context *ldb; + const struct ldb_message_element *el; + struct ldb_dn *valdn; + int i, ret; + + first = del_ctx->first; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + el = ldb_msg_find_element(first->entry, DB_MEMBER); + + /* prepare del sets */ + for (i = 0; i < el->num_values; i++) { + valdn = ldb_dn_from_ldb_val(first, ldb, &el->values[i]); + if (!valdn || !ldb_dn_validate(valdn)) { + ldb_debug(ldb, LDB_DEBUG_TRACE, + "Invalid dn syntax for member [%s]", + (const char *)el->values[i].data); + return LDB_ERR_INVALID_DN_SYNTAX; + } + ret = mbof_append_delop(first, valdn); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + /* now that sets are built, start processing */ + return mbof_del_execute_op(first->children[0]); +} + +static int mbof_append_delop(struct mbof_del_operation *parent, + struct ldb_dn *entry_dn) +{ + struct mbof_del_operation *delop; + + delop = talloc_zero(parent, struct mbof_del_operation); + if (!delop) { + return LDB_ERR_OPERATIONS_ERROR; + } + + delop->del_ctx = parent->del_ctx; + delop->parent = parent; + delop->entry_dn = entry_dn; + + parent->children = talloc_realloc(parent, parent->children, + struct mbof_del_operation *, + parent->num_children +1); + if (!parent->children) { + talloc_free(delop); + return LDB_ERR_OPERATIONS_ERROR; + } + + parent->children[parent->num_children] = delop; + parent->num_children++; + + return LDB_SUCCESS; +} + +static int mbof_del_execute_op(struct mbof_del_operation *delop) +{ + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + struct ldb_context *ldb; + struct ldb_request *search; + char *expression; + const char *dn; + char *clean_dn; + static const char *attrs[] = { DB_OC, DB_NAME, + DB_MEMBER, DB_MEMBEROF, NULL }; + int ret; + + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + /* load entry */ + dn = 
ldb_dn_get_linearized(delop->entry_dn); + if (!dn) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = sss_filter_sanitize(del_ctx, dn, &clean_dn); + if (ret != 0) { + return LDB_ERR_OPERATIONS_ERROR; + } + + expression = talloc_asprintf(del_ctx, + "(|(distinguishedName=%s)(%s=%s))", + clean_dn, DB_MEMBER, clean_dn); + if (!expression) { + return LDB_ERR_OPERATIONS_ERROR; + } + talloc_zfree(clean_dn); + + ret = ldb_build_search_req(&search, ldb, delop, + NULL, LDB_SCOPE_SUBTREE, + expression, attrs, NULL, + delop, mbof_del_exop_search_callback, + ctx->req); + if (ret != LDB_SUCCESS) { + talloc_free(ctx); + return ret; + } + + return ldb_request(ldb, search); +} + +static int mbof_del_exop_search_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct mbof_del_operation *delop; + struct mbof_del_ctx *del_ctx; + struct ldb_context *ldb; + struct mbof_ctx *ctx; + struct ldb_message *msg; + int ret; + + delop = talloc_get_type(req->context, struct mbof_del_operation); + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + msg = ares->message; + + if (ldb_dn_compare(msg->dn, delop->entry_dn) == 0) { + + if (delop->entry != NULL) { + ldb_debug(ldb, LDB_DEBUG_TRACE, + "Found multiple entries for (%s)", + ldb_dn_get_linearized(delop->entry_dn)); + /* more than one entry per DN!? DB corrupted? 
*/ + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + delop->entry = talloc_steal(delop, msg); + if (delop->entry == NULL) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } else { + delop->parents = talloc_realloc(delop, delop->parents, + struct ldb_message *, + delop->num_parents + 1); + if (!delop->parents) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + msg = talloc_steal(delop->parents, msg); + if (!msg) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + delop->parents[delop->num_parents] = msg; + delop->num_parents++; + } + break; + case LDB_REPLY_REFERRAL: + /* ignore */ + break; + + case LDB_REPLY_DONE: + if (delop->entry == NULL) { + /* no target, no party! */ + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + /* ok process the entry */ + ret = mbof_del_execute_cont(delop); + + if (ret != LDB_SUCCESS) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int mbof_del_execute_cont(struct mbof_del_operation *delop) +{ + struct mbof_del_ancestors_ctx *anc_ctx; + struct mbof_dn_array *new_list; + int i; + + anc_ctx = talloc_zero(delop, struct mbof_del_ancestors_ctx); + if (!anc_ctx) { + return LDB_ERR_OPERATIONS_ERROR; + } + delop->anc_ctx = anc_ctx; + + new_list = talloc_zero(anc_ctx, struct mbof_dn_array); + if (!new_list) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* at the very least we have a number of memberof elements + * equal to the number of objects that have this entry as + * direct member */ + new_list->num = delop->num_parents; + + /* attach the list to the operation */ + delop->anc_ctx->new_list = new_list; + delop->anc_ctx->num_direct = new_list->num; + + /* do we have any direct parent at all? 
*/ + if (new_list->num == 0) { + /* no entries at all, entry ended up being orphaned */ + /* skip to directly set the new memberof list for this entry */ + + return mbof_del_mod_entry(delop); + } + + /* fill in the list if we have parents */ + new_list->dns = talloc_zero_array(new_list, + struct ldb_dn *, + new_list->num); + if (!new_list->dns) { + return LDB_ERR_OPERATIONS_ERROR; + } + for (i = 0; i < delop->num_parents; i++) { + new_list->dns[i] = delop->parents[i]->dn; + } + + /* before proceeding we also need to fetch the ancestors (anew as some may + * have changed by preceding operations) */ + return mbof_del_ancestors(delop); +} + +static int mbof_del_ancestors(struct mbof_del_operation *delop) +{ + struct mbof_del_ancestors_ctx *anc_ctx; + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + struct ldb_context *ldb; + struct mbof_dn_array *new_list; + static const char *attrs[] = { DB_MEMBEROF, NULL }; + struct ldb_request *search; + int ret; + + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + anc_ctx = delop->anc_ctx; + new_list = anc_ctx->new_list; + + ret = ldb_build_search_req(&search, ldb, anc_ctx, + new_list->dns[anc_ctx->cur], + LDB_SCOPE_BASE, NULL, attrs, NULL, + delop, mbof_del_anc_callback, + ctx->req); + if (ret != LDB_SUCCESS) { + return ret; + } + + return ldb_request(ldb, search); +} + +static int mbof_del_anc_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct mbof_del_ancestors_ctx *anc_ctx; + struct mbof_del_operation *delop; + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + struct ldb_context *ldb; + struct ldb_message *msg; + const struct ldb_message_element *el; + struct mbof_dn_array *new_list; + struct ldb_dn *valdn; + int i, j, ret; + + delop = talloc_get_type(req->context, struct mbof_del_operation); + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + anc_ctx = delop->anc_ctx; + new_list = anc_ctx->new_list; + + if 
(!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + msg = ares->message; + + if (anc_ctx->entry != NULL) { + ldb_debug(ldb, LDB_DEBUG_TRACE, + "Found multiple entries for (%s)", + ldb_dn_get_linearized(anc_ctx->entry->dn)); + /* more than one entry per DN!? DB corrupted? */ + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + anc_ctx->entry = talloc_steal(anc_ctx, msg); + if (anc_ctx->entry == NULL) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + break; + case LDB_REPLY_REFERRAL: + /* ignore */ + break; + + case LDB_REPLY_DONE: + if (anc_ctx->entry == NULL) { + /* no target, no party! */ + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + /* check entry */ + el = ldb_msg_find_element(anc_ctx->entry, DB_MEMBEROF); + if (el) { + for (i = 0; i < el->num_values; i++) { + valdn = ldb_dn_from_ldb_val(new_list, ldb, &el->values[i]); + if (!valdn) { + ldb_debug(ldb, LDB_DEBUG_TRACE, + "Invalid dn for memberof: (%s)", + (const char *)el->values[i].data); + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + for (j = 0; j < new_list->num; j++) { + if (ldb_dn_compare(valdn, new_list->dns[j]) == 0) + break; + } + if (j < new_list->num) { + talloc_free(valdn); + continue; + } + /* do not re-add the original deleted entry by mistake */ + if (ldb_dn_compare(valdn, del_ctx->first->entry_dn) == 0) { + talloc_free(valdn); + continue; + } + new_list->dns = talloc_realloc(new_list, + new_list->dns, + struct ldb_dn *, + new_list->num + 1); + if (!new_list->dns) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + new_list->dns[new_list->num] = valdn; + new_list->num++; + } + } + + /* done with this one */ + 
talloc_free(anc_ctx->entry); + anc_ctx->entry = NULL; + anc_ctx->cur++; + + /* check if we need to process any more */ + if (anc_ctx->cur < anc_ctx->num_direct) { + /* ok process the next one */ + ret = mbof_del_ancestors(delop); + } else { + /* ok, end of the story, proceed to modify the entry */ + ret = mbof_del_mod_entry(delop); + } + + if (ret != LDB_SUCCESS) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int mbof_del_mod_entry(struct mbof_del_operation *delop) +{ + struct mbof_del_ctx *del_ctx; + struct mbof_ctx *ctx; + struct ldb_context *ldb; + struct mbof_dn_array *new_list; + struct ldb_request *mod_req; + struct ldb_message *msg; + struct ldb_message_element *el; + struct ldb_dn **diff = NULL; + const char *name; + const char *val; + int i, j, k; + bool is_user; + int ret; + + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + new_list = delop->anc_ctx->new_list; + + /* if this is a user we need to find out which entries have been + * removed so that we can later schedule removal of memberuid + * attributes from these entries */ + ret = entry_is_user_object(delop->entry); + switch (ret) { + case LDB_SUCCESS: + /* it's a user object */ + is_user = true; + break; + case LDB_ERR_NO_SUCH_ATTRIBUTE: + /* it is not a user object, continue */ + is_user = false; + break; + default: + /* an error occurred, return */ + return ret; + } + + if (is_user) { + /* prepare memberuid delete list */ + /* copy all original memberof entries, and then later remove + * the ones that will survive in the entry */ + el = ldb_msg_find_element(delop->entry, DB_MEMBEROF); + if (!el || !el->num_values) { + return LDB_ERR_OPERATIONS_ERROR; + } + diff = talloc_array(del_ctx, struct ldb_dn *, + el->num_values + 1); + if (!diff) { + return LDB_ERR_OPERATIONS_ERROR; + } + for (i = 0, j = 0; i < el->num_values; i++) { + diff[j] = ldb_dn_from_ldb_val(diff, 
ldb, &el->values[i]); + if (!diff[j]) { + return LDB_ERR_OPERATIONS_ERROR; + } + /* skip the deleted entry if this is a delete op */ + if (!del_ctx->is_mod) { + if (ldb_dn_compare(del_ctx->first->entry_dn, diff[j]) == 0) { + continue; + } + } + j++; + } + /* zero terminate array */ + diff[j] = NULL; + } + + /* change memberof on entry */ + msg = ldb_msg_new(delop); + if (!msg) return LDB_ERR_OPERATIONS_ERROR; + + msg->dn = delop->entry_dn; + + if (new_list->num) { + ret = ldb_msg_add_empty(msg, DB_MEMBEROF, LDB_FLAG_MOD_REPLACE, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + + el->values = talloc_array(el, struct ldb_val, new_list->num); + if (!el->values) { + return LDB_ERR_OPERATIONS_ERROR; + } + for (i = 0, j = 0; i < new_list->num; i++) { + if (ldb_dn_compare(new_list->dns[i], msg->dn) == 0) + continue; + val = ldb_dn_get_linearized(new_list->dns[i]); + if (!val) { + return LDB_ERR_OPERATIONS_ERROR; + } + el->values[j].length = strlen(val); + el->values[j].data = (uint8_t *)talloc_strdup(el->values, val); + if (!el->values[j].data) { + return LDB_ERR_OPERATIONS_ERROR; + } + j++; + + if (is_user) { + /* compare the entry's original memberof list with the new + * one and for each missing entry add a memberuid removal + * operation */ + for (k = 0; diff[k]; k++) { + if (ldb_dn_compare(new_list->dns[i], diff[k]) == 0) { + break; + } + } + if (diff[k]) { + talloc_zfree(diff[k]); + for (; diff[k + 1]; k++) { + diff[k] = diff[k + 1]; + } + diff[k] = NULL; + } + } + } + el->num_values = j; + + } + else { + ret = ldb_msg_add_empty(msg, DB_MEMBEROF, LDB_FLAG_MOD_DELETE, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + if (is_user && diff[0]) { + /* file memberuid removal operations */ + name = ldb_msg_find_attr_as_string(delop->entry, DB_NAME, NULL); + if (!name) { + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i = 0; diff[i]; i++) { + ret = mbof_append_muop(del_ctx, &del_ctx->muops, + &del_ctx->num_muops, + LDB_FLAG_MOD_DELETE, + diff[i], name, + 
DB_MEMBERUID); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_steal(del_ctx->muops, diff[i]); + } + } + + ret = ldb_build_mod_req(&mod_req, ldb, delop, + msg, NULL, + delop, mbof_del_mod_callback, + ctx->req); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_steal(mod_req, msg); + + return ldb_next_request(ctx->module, mod_req); +} + +static int mbof_del_mod_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct mbof_del_operation *delop; + struct mbof_del_ctx *del_ctx; + struct ldb_context *ldb; + struct mbof_ctx *ctx; + int ret; + + delop = talloc_get_type(req->context, struct mbof_del_operation); + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + ldb_debug(ldb, LDB_DEBUG_TRACE, "Got an entry on a non search op?!"); + /* shouldn't happen */ + talloc_zfree(ares); + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + case LDB_REPLY_REFERRAL: + /* ignore */ + talloc_zfree(ares); + break; + + case LDB_REPLY_DONE: + + ret = mbof_del_progeny(delop); + + if (ret != LDB_SUCCESS) { + talloc_zfree(ares); + return ldb_module_done(ctx->req, NULL, NULL, ret); + } + } + + return LDB_SUCCESS; +} + +static int mbof_mod_add(struct mbof_mod_ctx *mod_ctx, + struct mbof_dn_array *ael, + struct mbof_val_array *addgh); + +static int mbof_del_progeny(struct mbof_del_operation *delop) +{ + struct mbof_ctx *ctx; + struct mbof_del_ctx *del_ctx; + struct mbof_del_operation *nextop; + const struct ldb_message_element *el; + struct ldb_context *ldb; + struct ldb_dn *valdn; + int i, ret; + + del_ctx = delop->del_ctx; + ctx = del_ctx->ctx; + ldb = ldb_module_get_ctx(ctx->module); + + /* now verify if this entry is a group and 
members need to be processed as + * well */ + + el = ldb_msg_find_element(delop->entry, DB_MEMBER); + if (el) { + for (i = 0; i < el->num_values; i++) { + valdn = ldb_dn_from_ldb_val(delop, ldb, &el->values[i]); + if (!valdn || !ldb_dn_validate(valdn)) { + ldb_debug(ldb, LDB_DEBUG_TRACE, + "Invalid DN for member: (%s)", + (const char *)el->values[i].data); + return LDB_ERR_INVALID_DN_SYNTAX; + } + ret = mbof_append_delop(delop, valdn); + if (ret != LDB_SUCCESS) { + return ret; + } + } + } + + /* finally find the next entry to handle */ + ret = mbof_del_get_next(delop, &nextop); + if (ret != LDB_SUCCESS) { + return ret; + } + + free_delop_contents(delop); + + if (nextop) { + return mbof_del_execute_op(nextop); + } + + /* see if there are memberuid operations to perform */ + if (del_ctx->muops) { + return mbof_del_muop(del_ctx); + } + /* see if we need to remove some ghost users */ + else if (del_ctx->ghops) { + return mbof_del_ghop(del_ctx); + } + /* see if there are follow functions to run */ + if (del_ctx->follow_mod) { + return mbof_mod_add(del_ctx->follow_mod, + del_ctx->follow_mod->mb_add, + del_ctx->follow_mod->gh_add); + } + + /* ok, no more ops, this means our job is done */ + return ldb_module_done(ctx->req, + ctx->ret_ctrls, + ctx->ret_resp, + LDB_SUCCESS); +} + +static int mbof_del_get_next(struct mbof_del_operation *delop, + struct mbof_del_operation **nextop) +{ + struct mbof_del_operation *top, *cop; + struct mbof_del_ctx *del_ctx; + struct mbof_dn *save, *tmp; + + del_ctx = delop->del_ctx; + + /* first of all, save the current delop in the history */ + save = talloc_zero(del_ctx, struct mbof_dn); + if (!save) { + return LDB_ERR_OPERATIONS_ERROR; + } + save->dn = delop->entry_dn; + + if (del_ctx->history) { + tmp = del_ctx->history; + while (tmp->next) tmp = tmp->next; + tmp->next = save; + } else { + del_ctx->history = save; + } + + /* Find next one */ + for (top = delop; top; top = top->parent) { + if (top->num_children == 0 || top->next_child >= 
top->num_children) { + /* no children, go for next one */ + continue; + } + + while (top->next_child < top->num_children) { + cop = top->children[top->next_child]; + top->next_child++; + + /* verify this operation has not already been performed */ + for (tmp = del_ctx->history; tmp; tmp = tmp->next) { + if (ldb_dn_compare(tmp->dn, cop->entry_dn) == 0) { + break; + } + } + if (tmp == NULL) { + /* and return the current one */ + *nextop = cop; + return LDB_SUCCESS; + } + } + } + + /* we have no more ops */ + *nextop = NULL; + return LDB_SUCCESS; +} + +static int mbof_del_fill_muop(struct mbof_del_ctx *del_ctx, + struct ldb_message *entry) +{ + struct ldb_message_element *el; + char *name; + int ret; + int i; + + el = ldb_msg_find_element(entry, DB_MEMBEROF); + if (!el || el->num_values == 0) { + /* no memberof attributes ... */ + return LDB_SUCCESS; + } + + ret = entry_is_user_object(entry); + switch (ret) { + case LDB_SUCCESS: + /* it's a user object, continue */ + break; + + case LDB_ERR_NO_SUCH_ATTRIBUTE: + /* it is not a user object, just return */ + return LDB_SUCCESS; + + default: + /* an error occurred, return */ + return ret; + } + + name = talloc_strdup(del_ctx, + ldb_msg_find_attr_as_string(entry, DB_NAME, NULL)); + if (!name) { + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i = 0; i < el->num_values; i++) { + struct ldb_dn *valdn; + + valdn = ldb_dn_from_ldb_val(del_ctx, + ldb_module_get_ctx(del_ctx->ctx->module), + &el->values[i]); + if (!valdn || !ldb_dn_validate(valdn)) { + ldb_debug(ldb_module_get_ctx(del_ctx->ctx->module), + LDB_DEBUG_ERROR, + "Invalid dn value: [%s]", + (const char *)el->values[i].data); + } + + ret = mbof_append_muop(del_ctx, &del_ctx->muops, + &del_ctx->num_muops, + LDB_FLAG_MOD_DELETE, + valdn, name, + DB_MEMBERUID); + if (ret != LDB_SUCCESS) { + return ret; + } + talloc_steal(del_ctx->muops, valdn); + } + + return LDB_SUCCESS; +} + +static int mbof_del_fill_ghop_ex(struct mbof_del_ctx *del_ctx, + struct ldb_message *entry, + 
struct ldb_val *ghvals,
+ unsigned int num_gh_vals)
+{
+ struct ldb_message_element *mbof;
+ struct ldb_dn *valdn;
+ int ret;
+ int i, j;
+
+ mbof = ldb_msg_find_element(entry, DB_MEMBEROF);
+ if (!mbof || mbof->num_values == 0) {
+ /* no memberof attributes ... */
+ return LDB_SUCCESS;
+ }
+
+ ret = entry_is_group_object(entry);
+ switch (ret) {
+ case LDB_SUCCESS:
+ /* it's a group object, continue */
+ break;
+
+ case LDB_ERR_NO_SUCH_ATTRIBUTE:
+ /* it is not a group object, just return */
+ return LDB_SUCCESS;
+
+ default:
+ /* an error occurred, return */
+ return ret;
+ }
+
+ ldb_debug(ldb_module_get_ctx(del_ctx->ctx->module),
+ LDB_DEBUG_TRACE,
+ "will delete %d ghost users from %d parents\n",
+ num_gh_vals, mbof->num_values);
+
+ for (i = 0; i < mbof->num_values; i++) {
+ valdn = ldb_dn_from_ldb_val(del_ctx,
+ ldb_module_get_ctx(del_ctx->ctx->module),
+ &mbof->values[i]);
+ if (!valdn || !ldb_dn_validate(valdn)) {
+ ldb_debug(ldb_module_get_ctx(del_ctx->ctx->module),
+ LDB_DEBUG_ERROR,
+ "Invalid dn value: [%s]",
+ (const char *)mbof->values[i].data);
+ }
+
+ ldb_debug(ldb_module_get_ctx(del_ctx->ctx->module),
+ LDB_DEBUG_TRACE,
+ "processing ghosts in parent [%s]\n",
+ (const char *) mbof->values[i].data);
+
+ for (j = 0; j < num_gh_vals; j++) {
+ ret = mbof_append_muop(del_ctx, &del_ctx->ghops,
+ &del_ctx->num_ghops,
+ LDB_FLAG_MOD_DELETE,
+ valdn,
+ (const char *) ghvals[j].data,
+ DB_GHOST);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ talloc_steal(del_ctx->ghops, valdn);
+ }
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int mbof_del_fill_ghop(struct mbof_del_ctx *del_ctx,
+ struct ldb_message *entry)
+{
+ struct ldb_message_element *ghel;
+
+ ghel = ldb_msg_find_element(entry, DB_GHOST);
+ if (ghel == NULL || ghel->num_values == 0) {
+ /* No ghel attribute, just return success */
+ return LDB_SUCCESS;
+ }
+
+ return mbof_del_fill_ghop_ex(del_ctx, entry,
+ ghel->values, ghel->num_values);
+}
+
+/* del memberuid attributes from parent groups */
+static int
mbof_del_muop(struct mbof_del_ctx *del_ctx)
+{
+ struct ldb_context *ldb;
+ struct ldb_message *msg;
+ struct ldb_request *mod_req;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ ctx = del_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ msg = ldb_msg_new(del_ctx);
+ if (!msg) return LDB_ERR_OPERATIONS_ERROR;
+
+ msg->dn = del_ctx->muops[del_ctx->cur_muop].dn;
+ msg->elements = del_ctx->muops[del_ctx->cur_muop].el;
+ msg->num_elements = 1;
+
+ ret = ldb_build_mod_req(&mod_req, ldb, del_ctx,
+ msg, NULL,
+ del_ctx, mbof_del_muop_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_del_muop_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_del_ctx *del_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ del_ctx = talloc_get_type(req->context, struct mbof_del_ctx);
+ ctx = del_ctx->ctx;
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ /* if the attribute was not present it means the db is not
+ * perfectly consistent but failing here is not useful
+ * anyway and missing entries cause no harm if we are trying
+ * to remove them anyway */
+ if (ares->error != LDB_SUCCESS &&
+ ares->error != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ /* shouldn't happen */
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ del_ctx->cur_muop++;
+ if (del_ctx->cur_muop < del_ctx->num_muops) {
+ ret = mbof_del_muop(del_ctx);
+ }
+ /* see if we need to remove some ghost users */
+ else if (del_ctx->ghops) {
+ return mbof_del_ghop(del_ctx);
+ }
+ /* see if there are follow functions to run */
+ else if (del_ctx->follow_mod) {
+ return mbof_mod_add(del_ctx->follow_mod,
+
del_ctx->follow_mod->mb_add,
+ del_ctx->follow_mod->gh_add);
+ }
+ else {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+/* del ghost attributes from parent groups */
+static int mbof_del_ghop(struct mbof_del_ctx *del_ctx)
+{
+ struct ldb_context *ldb;
+ struct ldb_message *msg;
+ struct ldb_request *mod_req;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ ctx = del_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ msg = ldb_msg_new(del_ctx);
+ if (!msg) return LDB_ERR_OPERATIONS_ERROR;
+
+ msg->dn = del_ctx->ghops[del_ctx->cur_ghop].dn;
+
+ ret = ldb_msg_add(msg, del_ctx->ghops[del_ctx->cur_ghop].el,
+ LDB_FLAG_MOD_DELETE);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* Also expire any parent groups to force reloading direct members in
+ * case the ghost users we remove now were actually *also* direct members
+ * of the parent groups
+ */
+ ret = ldb_msg_add_empty(msg, DB_CACHE_EXPIRE, LDB_FLAG_MOD_REPLACE, NULL);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_msg_add_string(msg, DB_CACHE_EXPIRE, "1");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = ldb_build_mod_req(&mod_req, ldb, del_ctx,
+ msg, NULL,
+ del_ctx, mbof_del_ghop_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_del_ghop_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_del_ctx *del_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ del_ctx = talloc_get_type(req->context, struct mbof_del_ctx);
+ ctx = del_ctx->ctx;
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+
+ /* We must treat no such attribute as non-fatal b/c the entry
+ * might have been directly nested in the parent as well and
+ * updated with another
replace operation.
+ */
+ if (ares->error != LDB_SUCCESS &&
+ ares->error != LDB_ERR_NO_SUCH_ATTRIBUTE) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ /* shouldn't happen */
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ del_ctx->cur_ghop++;
+ if (del_ctx->cur_ghop < del_ctx->num_ghops) {
+ ret = mbof_del_ghop(del_ctx);
+ }
+ /* see if there are follow functions to run */
+ else if (del_ctx->follow_mod) {
+ return mbof_mod_add(del_ctx->follow_mod,
+ del_ctx->follow_mod->mb_add,
+ del_ctx->follow_mod->gh_add);
+ }
+ else {
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+/* delop may carry on a lot of memory, so we need a function to clean up
+ * the payload without breaking the delop chain */
+static void free_delop_contents(struct mbof_del_operation *delop)
+{
+ talloc_zfree(delop->entry);
+ talloc_zfree(delop->parents);
+ talloc_zfree(delop->anc_ctx);
+ delop->num_parents = 0;
+ delop->cur_parent = 0;
+}
+
+/* mod operation */
+
+/* A modify operation just implements either an add operation, or a delete
+ * operation or both (replace) in turn.
+ * One difference between a modify and a pure add or a pure delete is that
+ * the object is not created a new or not completely removed, but the setup just
+ * treats it in the same way children objects are treated in a pure add or delete
+ * operation. A list of appropriate parents and objects to modify is built, then
+ * we jump directly in the add or delete code.
+ * If both add and delete are necessary, delete operations are performed first
+ * and then a followup add operation is concatenated
+ *
+ * Another difference is the ghost users. Because of its semi-managed nature,
+ * the ghost attribute requires some special care. During a modify operation, the
+ * ghost attribute can be set to a new list. That list coming, from an
+ * application, would typically only include the direct ghost
+ * members. However, we want to keep both direct and indirect ghost members
+ * in the cache to be able to return them all in a single call. To solve
+ * that problem, we also iterate over members of the group being modified,
+ * collect all ghost entries and add them back in case the original modify
+ * operation wiped them out.
+ */
+
+static int mbof_mod_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_collect_child_ghosts(struct mbof_mod_ctx *mod_ctx);
+static int mbof_get_ghost_from_parent(struct mbof_mod_del_op *igh);
+static int mbof_get_ghost_from_parent_cb(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_orig_mod(struct mbof_mod_ctx *mod_ctx);
+static int mbof_orig_mod_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_inherited_mod(struct mbof_mod_ctx *mod_ctx);
+static int mbof_inherited_mod_callback(struct ldb_request *req,
+ struct ldb_reply *ares);
+static int mbof_mod_process(struct mbof_mod_ctx *mod_ctx, bool *done);
+static int mbof_mod_process_membel(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
+ struct ldb_message *entry,
+ const struct ldb_message_element *membel,
+ struct mbof_dn_array **_added,
+ struct mbof_dn_array **_removed);
+static int mbof_mod_process_ghel(TALLOC_CTX *mem_ctx,
+ struct ldb_message *entry,
+ const struct ldb_message_element *ghel,
+ const struct ldb_message_element *inherited,
+ struct mbof_val_array **_added,
+ struct mbof_val_array **_removed);
+static int mbof_mod_delete(struct mbof_mod_ctx *mod_ctx,
+ struct
mbof_dn_array *del,
+ struct mbof_val_array *delgh);
+static int mbof_fill_dn_array(TALLOC_CTX *memctx,
+ struct ldb_context *ldb,
+ const struct ldb_message_element *el,
+ struct mbof_dn_array **dn_array);
+static int mbof_fill_vals_array(TALLOC_CTX *memctx,
+ unsigned int num_values,
+ struct ldb_val *values,
+ struct mbof_val_array **val_array);
+static int mbof_fill_vals_array_el(TALLOC_CTX *memctx,
+ const struct ldb_message_element *el,
+ struct mbof_val_array **val_array);
+
+static int memberof_mod(struct ldb_module *module, struct ldb_request *req)
+{
+ struct ldb_message_element *el;
+ struct mbof_mod_ctx *mod_ctx;
+ struct mbof_ctx *ctx;
+ static const char *attrs[] = { DB_OC, DB_GHOST,
+ DB_MEMBER, DB_MEMBEROF, NULL};
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_request *search;
+ int ret;
+
+ if (getenv("SSSD_UPGRADE_DB")) {
+ /* do not do anything during upgrade */
+ return ldb_next_request(module, req);
+ }
+
+ if (ldb_dn_is_special(req->op.mod.message->dn)) {
+ /* do not manipulate our control entries */
+ return ldb_next_request(module, req);
+ }
+
+ /* check if memberof is specified */
+ el = ldb_msg_find_element(req->op.mod.message, DB_MEMBEROF);
+ if (el) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Error: the memberof attribute is readonly.");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ /* check if memberuid is specified */
+ el = ldb_msg_find_element(req->op.mod.message, DB_MEMBERUID);
+ if (el) {
+ ldb_debug(ldb, LDB_DEBUG_ERROR,
+ "Error: the memberuid attribute is readonly.");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
+ ctx = mbof_init(module, req);
+ if (!ctx) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ mod_ctx = talloc_zero(ctx, struct mbof_mod_ctx);
+ if (!mod_ctx) {
+ talloc_free(ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ mod_ctx->ctx = ctx;
+
+ mod_ctx->msg = ldb_msg_copy(mod_ctx, req->op.mod.message);
+ if (!mod_ctx->msg) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ mod_ctx->membel =
ldb_msg_find_element(mod_ctx->msg, DB_MEMBER);
+ mod_ctx->ghel = ldb_msg_find_element(mod_ctx->msg, DB_GHOST);
+
+ /* continue with normal ops if there are no members and no ghosts */
+ if (mod_ctx->membel == NULL && mod_ctx->ghel == NULL) {
+ mod_ctx->terminate = true;
+ return mbof_orig_mod(mod_ctx);
+ }
+
+ /* can't do anything,
+ * must check first what's on the entry */
+ ret = ldb_build_search_req(&search, ldb, mod_ctx,
+ mod_ctx->msg->dn, LDB_SCOPE_BASE,
+ NULL, attrs, NULL,
+ mod_ctx, mbof_mod_callback,
+ req);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(ctx);
+ return ret;
+ }
+
+ return ldb_request(ldb, search);
+}
+
+
+static int mbof_mod_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_mod_ctx *mod_ctx;
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ mod_ctx = talloc_get_type(req->context, struct mbof_mod_ctx);
+ ctx = mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ if (mod_ctx->entry != NULL) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE,
+ "Found multiple entries for (%s)",
+ ldb_dn_get_linearized(mod_ctx->msg->dn));
+ /* more than one entry per DN!? DB corrupted? */
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+
+ mod_ctx->entry = talloc_steal(mod_ctx, ares->message);
+ if (mod_ctx->entry == NULL) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ break;
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ if (mod_ctx->entry == NULL) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Entry not found (%s)",
+ ldb_dn_get_linearized(mod_ctx->msg->dn));
+ /* this target does not exists, too bad!
*/
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_NO_SUCH_OBJECT);
+ }
+
+ ret = mbof_collect_child_ghosts(mod_ctx);
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+static int mbof_collect_child_ghosts(struct mbof_mod_ctx *mod_ctx)
+{
+ int ret;
+ const struct ldb_message_element *member;
+
+ member = ldb_msg_find_element(mod_ctx->entry, DB_MEMBER);
+
+ if (member == NULL || member->num_values == 0 ||
+ mod_ctx->ghel == NULL || mod_ctx->ghel->flags != LDB_FLAG_MOD_REPLACE) {
+ ret = mbof_orig_mod(mod_ctx);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return LDB_SUCCESS;
+ }
+
+ mod_ctx->igh = talloc_zero(mod_ctx, struct mbof_mod_del_op);
+ if (mod_ctx->igh == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ mod_ctx->igh->mod_ctx = mod_ctx;
+
+ ret = hash_create_ex(1024, &mod_ctx->igh->inherited_gh, 0, 0, 0, 0,
+ hash_alloc, hash_free, mod_ctx, NULL, NULL);
+ if (ret != HASH_SUCCESS) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+
+ return mbof_get_ghost_from_parent(mod_ctx->igh);
+}
+
+static int mbof_get_ghost_from_parent(struct mbof_mod_del_op *igh)
+{
+ struct ldb_request *search;
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int ret;
+ static const char *attrs[] = { DB_GHOST, NULL };
+ char *expression;
+ char *clean_dn;
+ const char *dn;
+
+ ctx = igh->mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ dn = ldb_dn_get_linearized(igh->mod_ctx->entry->dn);
+ if (!dn) {
+ talloc_free(ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ ret = sss_filter_sanitize(igh, dn, &clean_dn);
+ if (ret != 0) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ expression = talloc_asprintf(igh,
+ "(&(%s=%s)(%s=%s))",
+ DB_OC, DB_GROUP_CLASS,
+ DB_MEMBEROF, clean_dn);
+ if (!expression) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ talloc_zfree(clean_dn);
+
+ ret = ldb_build_search_req(&search, ldb, igh,
+ NULL,
+ LDB_SCOPE_SUBTREE,
+ expression,
attrs, NULL,
+ igh, mbof_get_ghost_from_parent_cb,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_request(ldb, search);
+}
+
+static int mbof_get_ghost_from_parent_cb(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct mbof_mod_del_op *igh;
+ struct mbof_ctx *ctx;
+ struct ldb_message_element *el;
+ struct ldb_val *dupval;
+ int ret;
+ hash_value_t value;
+ hash_key_t key;
+ int i;
+
+ igh = talloc_get_type(req->context, struct mbof_mod_del_op);
+ ctx = igh->mod_ctx->ctx;
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ switch (ares->type) {
+ case LDB_REPLY_ENTRY:
+ el = ldb_msg_find_element(ares->message, DB_GHOST);
+ if (!el) {
+ break;
+ }
+
+ for (i=0; i < el->num_values; i++) {
+ key.type = HASH_KEY_STRING;
+ key.str = (char *) el->values[i].data;
+
+ if (hash_has_key(igh->inherited_gh, &key)) {
+ /* We already have this user.
Don't re-add him */
+ continue;
+ }
+
+ dupval = talloc_zero(igh->inherited_gh, struct ldb_val);
+ if (dupval == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ *dupval = ldb_val_dup(igh->inherited_gh, &el->values[i]);
+ if (dupval->data == NULL) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = dupval;
+
+ ret = hash_enter(igh->inherited_gh, &key, &value);
+ if (ret != HASH_SUCCESS) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ }
+ break;
+
+ case LDB_REPLY_REFERRAL:
+ /* ignore */
+ break;
+
+ case LDB_REPLY_DONE:
+ /* All the children are gathered, let's do the real
+ * modify operation
+ */
+ ret = mbof_orig_mod(igh->mod_ctx);
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ break;
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+static int mbof_orig_mod(struct mbof_mod_ctx *mod_ctx)
+{
+ struct ldb_request *mod_req;
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ ctx = mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ ret = ldb_build_mod_req(&mod_req, ldb, ctx->req,
+ mod_ctx->msg, ctx->req->controls,
+ mod_ctx, mbof_orig_mod_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_orig_mod_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct ldb_context *ldb;
+ struct mbof_mod_ctx *mod_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ mod_ctx = talloc_get_type(req->context, struct mbof_mod_ctx);
+ ctx = mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ if (ares->type != LDB_REPLY_DONE) {
+ talloc_zfree(ares);
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Invalid reply type!");
+ ldb_set_errstring(ldb, "Invalid reply
type!");
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+
+ /* save real call stuff */
+ ctx->ret_ctrls = talloc_steal(ctx, ares->controls);
+ ctx->ret_resp = talloc_steal(ctx, ares->response);
+
+ if (!mod_ctx->terminate) {
+ /* next step */
+ if (mod_ctx->igh && mod_ctx->igh->inherited_gh &&
+ hash_count(mod_ctx->igh->inherited_gh) > 0) {
+ ret = mbof_inherited_mod(mod_ctx);
+ } else {
+ ret = mbof_mod_process(mod_ctx, &mod_ctx->terminate);
+ }
+
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+ }
+
+ if (mod_ctx->terminate) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+static int mbof_inherited_mod(struct mbof_mod_ctx *mod_ctx)
+{
+ struct ldb_request *mod_req;
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int ret;
+ struct ldb_message_element *el;
+ struct ldb_message *msg;
+ struct ldb_val *val;
+ struct ldb_val *dupval;
+ hash_value_t *values;
+ unsigned long num_values;
+ int i, j;
+
+ ctx = mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ /* add back the inherited children to entry */
+ msg = ldb_msg_new(mod_ctx);
+ if (!msg) return LDB_ERR_OPERATIONS_ERROR;
+
+ msg->dn = mod_ctx->entry->dn;
+
+ /* We only inherit during replaces, so it's safe to only look
+ * at the replaced set
+ */
+ ret = ldb_msg_add_empty(msg, DB_GHOST, LDB_FLAG_MOD_ADD, &el);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = hash_values(mod_ctx->igh->inherited_gh, &num_values, &values);
+ if (ret != HASH_SUCCESS) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ el->values = talloc_array(msg, struct ldb_val, num_values);
+ if (!el->values) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ for (i = 0, j = 0; i < num_values; i++) {
+ val = talloc_get_type(values[i].ptr, struct ldb_val);
+
+ dupval = ldb_msg_find_val(mod_ctx->ghel, val);
+ if (dupval) {
+ continue;
+
}
+
+ el->values[j].length = strlen((const char *) val->data);
+ el->values[j].data = (uint8_t *) talloc_strdup(el->values,
+ (const char *) val->data);
+ if (!el->values[j].data) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ j++;
+ }
+ el->num_values = j;
+
+ if (el->num_values == 0) {
+ /* nothing to do */
+ /* We cannot modify element which has 0 values */
+ msg->num_elements = 0;
+ }
+
+ mod_ctx->igh->mod_msg = msg;
+ mod_ctx->igh->el = el;
+
+ ret = ldb_build_mod_req(&mod_req, ldb, ctx->req,
+ msg, ctx->req->controls,
+ mod_ctx, mbof_inherited_mod_callback,
+ ctx->req);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return ldb_next_request(ctx->module, mod_req);
+}
+
+static int mbof_inherited_mod_callback(struct ldb_request *req,
+ struct ldb_reply *ares)
+{
+ struct ldb_context *ldb;
+ struct mbof_mod_ctx *mod_ctx;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ mod_ctx = talloc_get_type(req->context, struct mbof_mod_ctx);
+ ctx = mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ if (!ares) {
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+ if (ares->error != LDB_SUCCESS) {
+ return ldb_module_done(ctx->req,
+ ares->controls,
+ ares->response,
+ ares->error);
+ }
+
+ if (ares->type != LDB_REPLY_DONE) {
+ talloc_zfree(ares);
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Invalid reply type!");
+ ldb_set_errstring(ldb, "Invalid reply type!");
+ return ldb_module_done(ctx->req, NULL, NULL,
+ LDB_ERR_OPERATIONS_ERROR);
+ }
+
+ ret = mbof_mod_process(mod_ctx, &mod_ctx->terminate);
+ if (ret != LDB_SUCCESS) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req, NULL, NULL, ret);
+ }
+
+ if (mod_ctx->terminate) {
+ talloc_zfree(ares);
+ return ldb_module_done(ctx->req,
+ ctx->ret_ctrls,
+ ctx->ret_resp,
+ LDB_SUCCESS);
+ }
+
+ talloc_zfree(ares);
+ return LDB_SUCCESS;
+}
+
+static int mbof_mod_process(struct mbof_mod_ctx *mod_ctx, bool *done)
+{
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int ret;
+
+ ctx = mod_ctx->ctx;
+ ldb =
ldb_module_get_ctx(ctx->module);
+
+ ret = mbof_mod_process_membel(mod_ctx, ldb, mod_ctx->entry, mod_ctx->membel,
+ &mod_ctx->mb_add, &mod_ctx->mb_remove);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ ret = mbof_mod_process_ghel(mod_ctx, mod_ctx->entry, mod_ctx->ghel,
+ mod_ctx->igh ? mod_ctx->igh->el : NULL,
+ &mod_ctx->gh_add, &mod_ctx->gh_remove);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* Process the operations */
+ /* if we have something to remove, do it first */
+ if ((mod_ctx->mb_remove && mod_ctx->mb_remove->num) ||
+ (mod_ctx->gh_remove && mod_ctx->gh_remove->num)) {
+ return mbof_mod_delete(mod_ctx, mod_ctx->mb_remove, mod_ctx->gh_remove);
+ }
+
+ /* if there is nothing to remove and we have stuff to add,
+ * do it right away */
+ if ((mod_ctx->mb_add && mod_ctx->mb_add->num) ||
+ (mod_ctx->gh_add && mod_ctx->gh_add->num)) {
+ return mbof_mod_add(mod_ctx, mod_ctx->mb_add, mod_ctx->gh_add);
+ }
+
+ /* the replacement function resulted in a null op,
+ * nothing to do, return happily */
+ *done = true;
+ return LDB_SUCCESS;
+}
+
+static int mbof_mod_process_membel(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb,
+ struct ldb_message *entry,
+ const struct ldb_message_element *membel,
+ struct mbof_dn_array **_added,
+ struct mbof_dn_array **_removed)
+{
+ const struct ldb_message_element *el;
+ struct mbof_dn_array *removed = NULL;
+ struct mbof_dn_array *added = NULL;
+ int i, j, ret;
+
+ if (!membel) {
+ /* Nothing to do..
*/
+ return LDB_SUCCESS;
+ }
+
+ switch (membel->flags) {
+ case LDB_FLAG_MOD_ADD:
+
+ ret = mbof_fill_dn_array(mem_ctx, ldb, membel, &added);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ break;
+
+ case LDB_FLAG_MOD_DELETE:
+
+ if (membel->num_values == 0) {
+ el = ldb_msg_find_element(entry, DB_MEMBER);
+ } else {
+ el = membel;
+ }
+
+ if (!el) {
+ /* nothing to do really */
+ break;
+ }
+
+ ret = mbof_fill_dn_array(mem_ctx, ldb, el, &removed);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ break;
+
+ case LDB_FLAG_MOD_REPLACE:
+
+ removed = NULL;
+ el = ldb_msg_find_element(entry, DB_MEMBER);
+ if (el) {
+ ret = mbof_fill_dn_array(mem_ctx, ldb, el, &removed);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ added = NULL;
+ el = membel;
+ if (el) {
+ ret = mbof_fill_dn_array(mem_ctx, ldb, el, &added);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(removed);
+ return ret;
+ }
+ }
+
+ /* remove from arrays values that ended up unchanged */
+ if (removed && removed->num && added && added->num) {
+ for (i = 0; i < added->num; i++) {
+ for (j = 0; j < removed->num; j++) {
+ if (ldb_dn_compare(added->dns[i], removed->dns[j]) == 0) {
+ break;
+ }
+ }
+ if (j < removed->num) {
+ /* preexisting one, not removed, nor added */
+ for (; j+1 < removed->num; j++) {
+ removed->dns[j] = removed->dns[j+1];
+ }
+ removed->num--;
+ for (j = i; j+1 < added->num; j++) {
+ added->dns[j] = added->dns[j+1];
+ }
+ added->num--;
+ i--;
+ }
+ }
+ }
+ break;
+
+ default:
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ *_added = added;
+ *_removed = removed;
+ return LDB_SUCCESS;
+}
+
+static int mbof_mod_process_ghel(TALLOC_CTX *mem_ctx,
+ struct ldb_message *entry,
+ const struct ldb_message_element *ghel,
+ const struct ldb_message_element *inherited,
+ struct mbof_val_array **_added,
+ struct mbof_val_array **_removed)
+{
+ const struct ldb_message_element *el;
+ struct mbof_val_array *removed = NULL;
+ struct mbof_val_array *added = NULL;
+ int i, j, ret;
+
+ if (!ghel) {
+ /* Nothing
to do.. */
+ return LDB_SUCCESS;
+ }
+
+ el = ldb_msg_find_element(entry, DB_MEMBEROF);
+ if (!el || el->num_values == 0) {
+ /* no memberof attributes ... */
+ return LDB_SUCCESS;
+ }
+
+ switch (ghel->flags) {
+ case LDB_FLAG_MOD_ADD:
+ ret = mbof_fill_vals_array_el(mem_ctx, ghel, &added);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ break;
+
+ case LDB_FLAG_MOD_DELETE:
+ if (ghel->num_values == 0) {
+ el = ldb_msg_find_element(entry, DB_GHOST);
+ } else {
+ el = ghel;
+ }
+
+ if (!el) {
+ /* nothing to do really */
+ break;
+ }
+
+ ret = mbof_fill_vals_array_el(mem_ctx, ghel, &removed);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ break;
+
+ case LDB_FLAG_MOD_REPLACE:
+ el = ldb_msg_find_element(entry, DB_GHOST);
+ if (el) {
+ ret = mbof_fill_vals_array_el(mem_ctx, el, &removed);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ el = ghel;
+ if (el) {
+ ret = mbof_fill_vals_array_el(mem_ctx, el, &added);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(removed);
+ return ret;
+ }
+ }
+
+ if (inherited) {
+ ret = mbof_fill_vals_array_el(mem_ctx, inherited, &added);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(added);
+ talloc_free(removed);
+ return ret;
+ }
+ }
+
+ /* remove from arrays values that ended up unchanged */
+ if (removed && removed->num && added && added->num) {
+ for (i = 0; i < added->num; i++) {
+ for (j = 0; j < removed->num; j++) {
+ if (strcmp((const char *) added->vals[i].data,
+ (const char *) removed->vals[j].data) == 0) {
+ break;
+ }
+ }
+ if (j < removed->num) {
+ /* preexisting one, not removed, nor added */
+ for (; j+1 < removed->num; j++) {
+ removed->vals[j] = removed->vals[j+1];
+ }
+ removed->num--;
+ for (j = i; j+1 < added->num; j++) {
+ added->vals[j] = added->vals[j+1];
+ }
+ added->num--;
+ i--;
+ }
+ }
+ }
+ break;
+
+ default:
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
+ *_added = added;
+ *_removed = removed;
+ return LDB_SUCCESS;
+}
+
+static int mbof_mod_add(struct mbof_mod_ctx *mod_ctx,
+ struct mbof_dn_array *ael,
+
struct mbof_val_array *addgh)
+{
+ const struct ldb_message_element *el;
+ struct mbof_dn_array *parents;
+ struct mbof_add_ctx *add_ctx;
+ struct ldb_context *ldb;
+ struct mbof_ctx *ctx;
+ int i, ret;
+
+ ctx = mod_ctx->ctx;
+ ldb = ldb_module_get_ctx(ctx->module);
+
+ el = ldb_msg_find_element(mod_ctx->entry, DB_MEMBEROF);
+
+ /* all the parents + itself */
+ ret = mbof_fill_dn_array(mod_ctx, ldb, el, &parents);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ add_ctx = talloc_zero(mod_ctx, struct mbof_add_ctx);
+ if (!add_ctx) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ add_ctx->ctx = ctx;
+ add_ctx->msg_dn = mod_ctx->msg->dn;
+
+ if (addgh != NULL) {
+ /* Build the memberuid add op */
+ ret = mbof_add_fill_ghop_ex(add_ctx, mod_ctx->entry,
+ parents, addgh->vals, addgh->num);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ if (ael != NULL && ael->num > 0) {
+ /* Add itself to the list of the parents to also get the memberuid */
+ parents->dns = talloc_realloc(parents, parents->dns,
+ struct ldb_dn *, parents->num + 1);
+ if (!parents->dns) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ parents->dns[parents->num] = mod_ctx->entry->dn;
+ parents->num++;
+
+ /* Build the member-add array */
+ for (i = 0; i < ael->num; i++) {
+ ret = mbof_append_addop(add_ctx, parents, ael->dns[i]);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ return mbof_next_add(add_ctx->add_list);
+ }
+
+ return mbof_add_muop(add_ctx);
+}
+
+static int mbof_mod_delete(struct mbof_mod_ctx *mod_ctx,
+ struct mbof_dn_array *del,
+ struct mbof_val_array *delgh)
+{
+ struct mbof_del_operation *first;
+ struct mbof_del_ctx *del_ctx;
+ struct mbof_ctx *ctx;
+ int i, ret;
+
+ ctx = mod_ctx->ctx;
+
+ del_ctx = talloc_zero(mod_ctx, struct mbof_del_ctx);
+ if (!del_ctx) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ del_ctx->ctx = ctx;
+ del_ctx->is_mod = true;
+
+ /* create first entry */
+ /* the first entry is the parent of all entries and the one where we
+ * remove member from, it does not get
the same treatment as others */
+ first = talloc_zero(del_ctx, struct mbof_del_operation);
+ if (!first) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ del_ctx->first = first;
+
+ /* add followup function if we also have stuff to add */
+ if ((mod_ctx->mb_add && mod_ctx->mb_add->num > 0) ||
+ (mod_ctx->gh_add && mod_ctx->gh_add->num > 0)) {
+ del_ctx->follow_mod = mod_ctx;
+ }
+
+ first->del_ctx = del_ctx;
+ first->entry = mod_ctx->entry;
+ first->entry_dn = mod_ctx->entry->dn;
+
+ if (delgh != NULL) {
+ ret = mbof_del_fill_ghop_ex(del_ctx, del_ctx->first->entry,
+ delgh->vals, delgh->num);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ /* prepare del sets */
+ if (del != NULL && del->num > 0) {
+ for (i = 0; i < del->num; i++) {
+ ret = mbof_append_delop(first, del->dns[i]);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ /* now that sets are built, start processing */
+ return mbof_del_execute_op(first->children[0]);
+ }
+
+ /* No member processing, just delete ghosts */
+ return mbof_del_ghop(del_ctx);
+}
+
+static int mbof_fill_dn_array(TALLOC_CTX *memctx,
+ struct ldb_context *ldb,
+ const struct ldb_message_element *el,
+ struct mbof_dn_array **dn_array)
+{
+ struct mbof_dn_array *ar;
+ struct ldb_dn *valdn;
+ int i;
+
+ ar = talloc_zero(memctx, struct mbof_dn_array);
+ if (!ar) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ *dn_array = ar;
+
+ if (!el || el->num_values == 0) {
+ return LDB_SUCCESS;
+ }
+
+ ar->dns = talloc_array(ar, struct ldb_dn *, el->num_values);
+ if (!ar->dns) {
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ ar->num = el->num_values;
+
+ for (i = 0; i < ar->num; i++) {
+ valdn = ldb_dn_from_ldb_val(ar, ldb, &el->values[i]);
+ if (!valdn || !ldb_dn_validate(valdn)) {
+ ldb_debug(ldb, LDB_DEBUG_TRACE, "Invalid dn value: [%s]",
+ (const char *)el->values[i].data);
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+ ar->dns[i] = valdn;
+ }
+
+ return LDB_SUCCESS;
+}
+
+static int mbof_fill_vals_array(TALLOC_CTX *memctx,
+ unsigned int num_values,
+
struct ldb_val *values, + struct mbof_val_array **val_array) +{ + struct mbof_val_array *var = *val_array; + int i, vi; + + if (var == NULL) { + var = talloc_zero(memctx, struct mbof_val_array); + if (!var) { + return LDB_ERR_OPERATIONS_ERROR; + } + *val_array = var; + } + + if (values == NULL || num_values == 0) { + return LDB_SUCCESS; + } + + /* We do not care about duplicate values now. + * They will be filtered later */ + vi = var->num; + var->num += num_values; + var->vals = talloc_realloc(memctx, var->vals, struct ldb_val, var->num); + if (!var->vals) { + return LDB_ERR_OPERATIONS_ERROR; + } + + /* FIXME - use ldb_val_dup() */ + for (i = 0; i < num_values; i++) { + var->vals[vi].length = strlen((const char *) values[i].data); + var->vals[vi].data = (uint8_t *) talloc_strdup(var, + (const char *) values[i].data); + if (var->vals[vi].data == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + vi++; + } + + return LDB_SUCCESS; +} + +static int mbof_fill_vals_array_el(TALLOC_CTX *memctx, + const struct ldb_message_element *el, + struct mbof_val_array **val_array) +{ + if (el == NULL) { + return LDB_SUCCESS; + } + + return mbof_fill_vals_array(memctx, el->num_values, el->values, + val_array); +} + +/************************* + * Cleanup task routines * + *************************/ + +struct mbof_member { + struct mbof_member *prev; + struct mbof_member *next; + + struct ldb_dn *dn; + const char *name; + bool orig_has_memberof; + bool orig_has_memberuid; + struct ldb_message_element *orig_members; + + struct mbof_member **members; + + hash_table_t *memberofs; + + struct ldb_message_element *memuids; + + enum { MBOF_GROUP_TO_DO = 0, + MBOF_GROUP_DONE, + MBOF_USER, + MBOF_ITER_ERROR } status; +}; + +struct mbof_rcmp_context { + struct ldb_module *module; + struct ldb_request *req; + + struct mbof_member *user_list; + hash_table_t *user_table; + + struct mbof_member *group_list; + hash_table_t *group_table; +}; + +static int mbof_steal_msg_el(TALLOC_CTX *memctx, + const 
char *name, + struct ldb_message *msg, + struct ldb_message_element **_dest) +{ + struct ldb_message_element *src; + struct ldb_message_element *dest; + + src = ldb_msg_find_element(msg, name); + if (!src) { + return LDB_ERR_NO_SUCH_ATTRIBUTE; + } + + dest = talloc_zero(memctx, struct ldb_message_element); + if (!dest) { + return LDB_ERR_OPERATIONS_ERROR; + } + + *dest = *src; + talloc_steal(dest, dest->name); + talloc_steal(dest, dest->values); + + *_dest = dest; + return LDB_SUCCESS; +} + +static int mbof_rcmp_usr_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_rcmp_search_groups(struct mbof_rcmp_context *ctx); +static int mbof_rcmp_grp_callback(struct ldb_request *req, + struct ldb_reply *ares); +static int mbof_member_update(struct mbof_rcmp_context *ctx, + struct mbof_member *parent, + struct mbof_member *mem); +static bool mbof_member_iter(hash_entry_t *item, void *user_data); +static int mbof_add_memuid(struct mbof_member *grp, const char *user); +static int mbof_rcmp_update(struct mbof_rcmp_context *ctx); +static int mbof_rcmp_mod_callback(struct ldb_request *req, + struct ldb_reply *ares); + +static int memberof_recompute_task(struct ldb_module *module, + struct ldb_request *req) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + static const char *attrs[] = { DB_NAME, DB_MEMBEROF, NULL }; + static const char *filter = "("DB_OC"="DB_USER_CLASS")"; + struct mbof_rcmp_context *ctx; + struct ldb_request *src_req; + int ret; + + ctx = talloc_zero(req, struct mbof_rcmp_context); + if (!ctx) { + return LDB_ERR_OPERATIONS_ERROR; + } + ctx->module = module; + ctx->req = req; + + ret = hash_create_ex(1024, &ctx->user_table, 0, 0, 0, 0, + hash_alloc, hash_free, ctx, NULL, NULL); + if (ret != HASH_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = ldb_build_search_req(&src_req, ldb, ctx, + NULL, LDB_SCOPE_SUBTREE, + filter, attrs, NULL, + ctx, mbof_rcmp_usr_callback, ctx->req); + if (ret != LDB_SUCCESS) { + return ret; 
+ } + + return ldb_request(ldb, src_req); +} + +static int mbof_rcmp_usr_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct mbof_rcmp_context *ctx; + struct mbof_member *usr; + hash_value_t value; + hash_key_t key; + const char *name; + int ret; + + ctx = talloc_get_type(req->context, struct mbof_rcmp_context); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + + usr = talloc_zero(ctx, struct mbof_member); + if (!usr) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + usr->status = MBOF_USER; + usr->dn = talloc_steal(usr, ares->message->dn); + name = ldb_msg_find_attr_as_string(ares->message, DB_NAME, NULL); + if (name) { + usr->name = talloc_steal(usr, name); + } + + if (ldb_msg_find_element(ares->message, DB_MEMBEROF)) { + usr->orig_has_memberof = true; + } + + DLIST_ADD(ctx->user_list, usr); + + key.type = HASH_KEY_STRING; + key.str = discard_const(ldb_dn_get_linearized(usr->dn)); + value.type = HASH_VALUE_PTR; + value.ptr = usr; + + ret = hash_enter(ctx->user_table, &key, &value); + if (ret != HASH_SUCCESS) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + break; + + case LDB_REPLY_REFERRAL: + /* ignore */ + break; + + case LDB_REPLY_DONE: + talloc_zfree(ares); + + /* and now search groups */ + return mbof_rcmp_search_groups(ctx); + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int mbof_rcmp_search_groups(struct mbof_rcmp_context *ctx) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ctx->module); + static const char *attrs[] = { DB_MEMBEROF, DB_MEMBERUID, + DB_NAME, DB_MEMBER, NULL }; + static const char *filter = "("DB_OC"="DB_GROUP_CLASS")"; + struct ldb_request *req; + int ret; + + ret = hash_create_ex(1024, &ctx->group_table, 0, 
0, 0, 0, + hash_alloc, hash_free, ctx, NULL, NULL); + if (ret != HASH_SUCCESS) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + ret = ldb_build_search_req(&req, ldb, ctx, + NULL, LDB_SCOPE_SUBTREE, + filter, attrs, NULL, + ctx, mbof_rcmp_grp_callback, ctx->req); + if (ret != LDB_SUCCESS) { + return ret; + } + + return ldb_request(ldb, req); +} + +static int mbof_rcmp_grp_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct ldb_context *ldb; + struct mbof_rcmp_context *ctx; + struct ldb_message_element *el; + struct mbof_member *iter; + struct mbof_member *grp; + hash_value_t value; + hash_key_t key; + const char *name; + int i, j; + int ret; + + ctx = talloc_get_type(req->context, struct mbof_rcmp_context); + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + + grp = talloc_zero(ctx, struct mbof_member); + if (!grp) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + grp->status = MBOF_GROUP_TO_DO; + grp->dn = talloc_steal(grp, ares->message->dn); + grp->name = ldb_msg_find_attr_as_string(ares->message, DB_NAME, NULL); + name = ldb_msg_find_attr_as_string(ares->message, DB_NAME, NULL); + if (name) { + grp->name = talloc_steal(grp, name); + } + + if (ldb_msg_find_element(ares->message, DB_MEMBEROF)) { + grp->orig_has_memberof = true; + } + + if (ldb_msg_find_element(ares->message, DB_MEMBERUID)) { + grp->orig_has_memberuid = true; + } + + ret = mbof_steal_msg_el(grp, DB_MEMBER, + ares->message, &grp->orig_members); + if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + DLIST_ADD(ctx->group_list, grp); + + key.type = 
HASH_KEY_STRING; + key.str = discard_const(ldb_dn_get_linearized(grp->dn)); + value.type = HASH_VALUE_PTR; + value.ptr = grp; + + ret = hash_enter(ctx->group_table, &key, &value); + if (ret != HASH_SUCCESS) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + break; + + case LDB_REPLY_REFERRAL: + /* ignore */ + break; + + case LDB_REPLY_DONE: + talloc_zfree(ares); + + if (!ctx->group_list) { + /* no groups? */ + return ldb_module_done(ctx->req, NULL, NULL, LDB_SUCCESS); + } + + /* for each group compute the members list */ + for (iter = ctx->group_list; iter; iter = iter->next) { + + el = iter->orig_members; + if (!el || el->num_values == 0) { + /* no members */ + continue; + } + + /* we have at most num_values group members */ + iter->members = talloc_array(iter, struct mbof_member *, + el->num_values +1); + if (!iter->members) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + + for (i = 0, j = 0; i < el->num_values; i++) { + key.type = HASH_KEY_STRING; + key.str = (char *)el->values[i].data; + + ret = hash_lookup(ctx->user_table, &key, &value); + switch (ret) { + case HASH_SUCCESS: + iter->members[j] = (struct mbof_member *)value.ptr; + j++; + break; + + case HASH_ERROR_KEY_NOT_FOUND: + /* not a user, see if it is a group */ + + ret = hash_lookup(ctx->group_table, &key, &value); + if (ret != HASH_SUCCESS) { + if (ret != HASH_ERROR_KEY_NOT_FOUND) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } + if (ret == HASH_ERROR_KEY_NOT_FOUND) { + /* not a known user, nor a known group!? 
+ give a warning and continue */ + ldb_debug(ldb, LDB_DEBUG_ERROR, + "member attribute [%s] has no corresponding" + " entry!", key.str); + break; + } + + iter->members[j] = (struct mbof_member *)value.ptr; + j++; + break; + + default: + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } + /* terminate */ + iter->members[j] = NULL; + + talloc_zfree(iter->orig_members); + } + + /* now generate correct memberof tables */ + while (ctx->group_list->status == MBOF_GROUP_TO_DO) { + + grp = ctx->group_list; + + /* move to end of list and mark as done. + * NOTE: this is not efficient, but will do for now */ + DLIST_DEMOTE(ctx->group_list, grp, struct mbof_member *); + grp->status = MBOF_GROUP_DONE; + + /* verify if members need updating */ + if (!grp->members) { + continue; + } + for (i = 0; grp->members[i]; i++) { + ret = mbof_member_update(ctx, grp, grp->members[i]); + if (ret != LDB_SUCCESS) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + } + } + + /* ok all done, now go on and modify the tree */ + return mbof_rcmp_update(ctx); + } + + talloc_zfree(ares); + return LDB_SUCCESS; +} + +static int mbof_member_update(struct mbof_rcmp_context *ctx, + struct mbof_member *parent, + struct mbof_member *mem) +{ + hash_value_t value; + hash_key_t key; + int ret; + + /* ignore loops */ + if (parent == mem) return LDB_SUCCESS; + + key.type = HASH_KEY_STRING; + key.str = discard_const(ldb_dn_get_linearized(parent->dn)); + + if (!mem->memberofs) { + ret = hash_create_ex(32, &mem->memberofs, 0, 0, 0, 0, + hash_alloc, hash_free, mem, NULL, NULL); + if (ret != HASH_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + ret = HASH_ERROR_KEY_NOT_FOUND; + + } else { + + ret = hash_lookup(mem->memberofs, &key, &value); + if (ret != HASH_SUCCESS) { + if (ret != HASH_ERROR_KEY_NOT_FOUND) { + /* fatal error */ + return LDB_ERR_OPERATIONS_ERROR; + } + } + } + + if (ret == HASH_ERROR_KEY_NOT_FOUND) { + + /* it's missing, update 
member */ + value.type = HASH_VALUE_PTR; + value.ptr = parent; + + ret = hash_enter(mem->memberofs, &key, &value); + if (ret != HASH_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (mem->status == MBOF_USER) { + /* add corresponding memuid to the group */ + ret = mbof_add_memuid(parent, mem->name); + if (ret != LDB_SUCCESS) { + return ret; + } + } + + /* if we updated a group, mark it as TO DO again */ + if (mem->status == MBOF_GROUP_DONE) { + mem->status = MBOF_GROUP_TO_DO; + } + } + + /* now see if the parent has memberofs to pass down */ + if (parent->memberofs) { + ret = hash_iterate(parent->memberofs, mbof_member_iter, mem); + if (ret != HASH_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + if (mem->status == MBOF_ITER_ERROR) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + /* finally, if it was made TO DO move it to the head */ + if (mem->status == MBOF_GROUP_TO_DO) { + DLIST_PROMOTE(ctx->group_list, mem); + } + + return LDB_SUCCESS; +} + +static bool mbof_member_iter(hash_entry_t *item, void *user_data) +{ + struct mbof_member *parent; + struct mbof_member *mem; + hash_value_t value; + int ret; + + mem = talloc_get_type(user_data, struct mbof_member); + + /* exclude self */ + if (strcmp(item->key.str, ldb_dn_get_linearized(mem->dn)) == 0) { + return true; + } + + /* check if we already have it */ + ret = hash_lookup(mem->memberofs, &item->key, &value); + if (ret != HASH_SUCCESS) { + if (ret != HASH_ERROR_KEY_NOT_FOUND) { + /* fatal error */ + mem->status = MBOF_ITER_ERROR; + return false; + } + + /* was not already here, add it and mark group as TO DO */ + ret = hash_enter(mem->memberofs, &item->key, &item->value); + if (ret != HASH_SUCCESS) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (mem->status == MBOF_GROUP_DONE) { + mem->status = MBOF_GROUP_TO_DO; + } + + if (mem->status == MBOF_USER) { + /* add corresponding memuid to the group */ + parent = (struct mbof_member *)item->value.ptr; + ret = mbof_add_memuid(parent, mem->name); + if (ret != 
LDB_SUCCESS) { + mem->status = MBOF_ITER_ERROR; + return false; + } + } + } + + return true; +} + +static int mbof_add_memuid(struct mbof_member *grp, const char *user) +{ + struct ldb_val *vals; + int n; + + if (!grp->memuids) { + grp->memuids = talloc_zero(grp, struct ldb_message_element); + if (!grp->memuids) { + return LDB_ERR_OPERATIONS_ERROR; + } + + grp->memuids->name = talloc_strdup(grp->memuids, DB_MEMBERUID); + if (!grp->memuids->name) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + + n = grp->memuids->num_values; + vals = talloc_realloc(grp->memuids, + grp->memuids->values, + struct ldb_val, n + 1); + if (!vals) { + return LDB_ERR_OPERATIONS_ERROR; + } + + vals[n].data = (uint8_t *)talloc_strdup(vals, user); + vals[n].length = strlen(user); + + grp->memuids->values = vals; + grp->memuids->num_values = n + 1; + + return LDB_SUCCESS; +} + +static int mbof_rcmp_update(struct mbof_rcmp_context *ctx) +{ + struct ldb_context *ldb = ldb_module_get_ctx(ctx->module); + struct ldb_message_element *el; + struct ldb_message *msg = NULL; + struct ldb_request *req; + struct mbof_member *x = NULL; + hash_key_t *keys; + unsigned long count; + int flags; + int ret, i; + + /* we process all users first and then all groups */ + if (ctx->user_list) { + /* take the next entry and remove it from the list */ + x = ctx->user_list; + DLIST_REMOVE(ctx->user_list, x); + } + else if (ctx->group_list) { + /* take the next entry and remove it from the list */ + x = ctx->group_list; + DLIST_REMOVE(ctx->group_list, x); + } + else { + /* processing terminated, return */ + ret = LDB_SUCCESS; + goto done; + } + + msg = ldb_msg_new(ctx); + if (!msg) { + ret = LDB_ERR_OPERATIONS_ERROR; + goto done; + } + + msg->dn = x->dn; + + /* process memberof */ + if (x->memberofs) { + ret = hash_keys(x->memberofs, &count, &keys); + if (ret != HASH_SUCCESS) { + ret = LDB_ERR_OPERATIONS_ERROR; + goto done; + } + + if (x->orig_has_memberof) { + flags = LDB_FLAG_MOD_REPLACE; + } else { + flags = 
LDB_FLAG_MOD_ADD; + } + + ret = ldb_msg_add_empty(msg, DB_MEMBEROF, flags, &el); + if (ret != LDB_SUCCESS) { + goto done; + } + + el->values = talloc_array(el, struct ldb_val, count); + if (!el->values) { + ret = LDB_ERR_OPERATIONS_ERROR; + goto done; + } + el->num_values = count; + + for (i = 0; i < count; i++) { + el->values[i].data = (uint8_t *)keys[i].str; + el->values[i].length = strlen(keys[i].str); + } + } else if (x->orig_has_memberof) { + ret = ldb_msg_add_empty(msg, DB_MEMBEROF, LDB_FLAG_MOD_DELETE, NULL); + if (ret != LDB_SUCCESS) { + goto done; + } + } + + /* process memberuid */ + if (x->memuids) { + if (x->orig_has_memberuid) { + flags = LDB_FLAG_MOD_REPLACE; + } else { + flags = LDB_FLAG_MOD_ADD; + } + + ret = ldb_msg_add(msg, x->memuids, flags); + if (ret != LDB_SUCCESS) { + goto done; + } + } + else if (x->orig_has_memberuid) { + ret = ldb_msg_add_empty(msg, DB_MEMBERUID, LDB_FLAG_MOD_DELETE, NULL); + if (ret != LDB_SUCCESS) { + goto done; + } + } + + ret = ldb_build_mod_req(&req, ldb, ctx, msg, NULL, + ctx, mbof_rcmp_mod_callback, + ctx->req); + if (ret != LDB_SUCCESS) { + goto done; + } + talloc_steal(req, msg); + + /* fire next call */ + return ldb_next_request(ctx->module, req); + +done: + /* all users and groups have been processed */ + return ldb_module_done(ctx->req, NULL, NULL, ret); +} + +static int mbof_rcmp_mod_callback(struct ldb_request *req, + struct ldb_reply *ares) +{ + struct ldb_context *ldb; + struct mbof_rcmp_context *ctx; + + ctx = talloc_get_type(req->context, struct mbof_rcmp_context); + ldb = ldb_module_get_ctx(ctx->module); + + if (!ares) { + return ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + } + if (ares->error != LDB_SUCCESS) { + return ldb_module_done(ctx->req, + ares->controls, + ares->response, + ares->error); + } + + switch (ares->type) { + case LDB_REPLY_ENTRY: + ldb_debug(ldb, LDB_DEBUG_TRACE, "Got an entry on a non search op?!"); + /* shouldn't happen */ + talloc_zfree(ares); + return 
ldb_module_done(ctx->req, NULL, NULL, + LDB_ERR_OPERATIONS_ERROR); + case LDB_REPLY_REFERRAL: + /* ignore */ + talloc_zfree(ares); + break; + + case LDB_REPLY_DONE: + talloc_zfree(ares); + + /* update the next one */ + return mbof_rcmp_update(ctx); + } + + return LDB_SUCCESS; +} + + + +/* module init code */ + +static int memberof_init(struct ldb_module *module) +{ + struct ldb_context *ldb = ldb_module_get_ctx(module); + int ret; + + /* set syntaxes for member and memberof so that comparisons in filters and + * such are done right */ + ret = ldb_schema_attribute_add(ldb, DB_MEMBER, 0, LDB_SYNTAX_DN); + if (ret != 0) return LDB_ERR_OPERATIONS_ERROR; + + ret = ldb_schema_attribute_add(ldb, DB_MEMBEROF, 0, LDB_SYNTAX_DN); + if (ret != 0) return LDB_ERR_OPERATIONS_ERROR; + + return ldb_next_init(module); +} + +const struct ldb_module_ops ldb_memberof_module_ops = { + .name = "memberof", + .init_context = memberof_init, + .add = memberof_add, + .modify = memberof_mod, + .del = memberof_del, +}; + +int ldb_init_module(const char *version) +{ +#if defined(SSS_LDB_VERSION_CHECK) && defined(LDB_MODULE_CHECK_VERSION) + LDB_MODULE_CHECK_VERSION(version); +#endif /* SSS_LDB_VERSION_CHECK && LDB_MODULE_CHECK_VERSION */ + return ldb_register_module(&ldb_memberof_module_ops); +} diff --git a/src/lib/certmap/sss_cert_content_common.c b/src/lib/certmap/sss_cert_content_common.c new file mode 100644 index 0000000..4291933 --- /dev/null +++ b/src/lib/certmap/sss_cert_content_common.c 
@@ -0,0 +1,199 @@ +/* + SSSD - certificate handling utils + The calls defined here should be useable outside of SSSD as well, e.g. in + libsss_certmap. + + Copyright (C) Sumit Bose 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "lib/certmap/sss_certmap_int.h" + +int get_short_name(TALLOC_CTX *mem_ctx, const char *full_name, + char delim, char **short_name) +{ + char *at; + char *s; + + if (full_name == NULL || delim == '\0' || short_name == NULL) { + return EINVAL; + } + + at = strchr(full_name, delim); + if (at != NULL) { + s = talloc_strndup(mem_ctx, full_name, (at - full_name)); + } else { + s = talloc_strdup(mem_ctx, full_name); + } + if (s == NULL) { + return ENOMEM; + } + + *short_name = s; + + return 0; +} + +int add_to_san_list(TALLOC_CTX *mem_ctx, bool is_bin, + enum san_opt san_opt, const uint8_t *data, size_t len, + struct san_list **item) +{ + struct san_list *i; + + if (data == NULL || len == 0 || san_opt == SAN_INVALID) { + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + + i->san_opt = san_opt; + if (is_bin) { + i->bin_val = talloc_memdup(i, data, len); + i->bin_val_len = len; + } else { + i->val = talloc_strndup(i, (const char *) data, len); + } + if (i->val == NULL) { + talloc_free(i); + return ENOMEM; + } + + *item = i; + + return 0; +} + +int add_principal_to_san_list(TALLOC_CTX *mem_ctx, 
enum san_opt san_opt, + const char *princ, struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + i->val = talloc_strdup(i, princ); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_short_name(i, i->val, '@', &(i->short_name)); + if (ret != 0) { + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +int rdn_list_2_dn_str(TALLOC_CTX *mem_ctx, const char *conversion, + const char **rdn_list, char **result) +{ + char *str = NULL; + size_t c; + int ret; + char *conv = NULL; + + str = talloc_strdup(mem_ctx, ""); + if (str == NULL) { + ret = ENOMEM; + goto done; + } + if (conversion == NULL || strcmp(conversion, "nss_ldap") == 0 + || strcmp(conversion, "nss") == 0) { + for (c = 0; rdn_list[c] != NULL; c++); + while (c != 0) { + c--; + str = talloc_asprintf_append(str, "%s%s", + (rdn_list[c + 1] == NULL) ? "" : ",", + rdn_list[c]); + if (str == NULL) { + ret = ENOMEM; + goto done; + } + }; + } else if (strcmp(conversion, "ad_ldap") == 0) { + for (c = 0; rdn_list[c] != NULL; c++); + while (c != 0) { + c--; + conv = check_ad_attr_name(str, rdn_list[c]); + str = talloc_asprintf_append(str, "%s%s", + (rdn_list[c + 1] == NULL) ? "" : ",", + conv == NULL ? rdn_list[c] : conv); + talloc_free(conv); + conv = NULL; + if (str == NULL) { + ret = ENOMEM; + goto done; + } + }; + } else if (strcmp(conversion, "nss_x500") == 0) { + for (c = 0; rdn_list[c] != NULL; c++) { + str = talloc_asprintf_append(str, "%s%s", (c == 0) ? "" : ",", + rdn_list[c]); + if (str == NULL) { + ret = ENOMEM; + goto done; + } + } + } else if (strcmp(conversion, "ad_x500") == 0 + || strcmp(conversion, "ad") == 0) { + for (c = 0; rdn_list[c] != NULL; c++) { + conv = check_ad_attr_name(str, rdn_list[c]); + str = talloc_asprintf_append(str, "%s%s", + (c == 0) ? "" : ",", + conv == NULL ? 
rdn_list[c] : conv); + talloc_free(conv); + conv = NULL; + if (str == NULL) { + ret = ENOMEM; + goto done; + } + } + } else { + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *result = str; + } else { + talloc_free(str); + } + + return ret; +} diff --git a/src/lib/certmap/sss_cert_content_crypto.c b/src/lib/certmap/sss_cert_content_crypto.c new file mode 100644 index 0000000..ee9aec2 --- /dev/null +++ b/src/lib/certmap/sss_cert_content_crypto.c 
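Review bot: In `add_to_san_list` the allocation check after the `if (is_bin)` branch tests only `i->val`, which is still NULL from `talloc_zero` on the binary path, so every call with `is_bin` set frees the item and returns ENOMEM, and a failed `talloc_memdup` for `bin_val` is never checked on its own. The check should test the field that was actually filled, for example `if ((is_bin && i->bin_val == NULL) || (!is_bin && i->val == NULL)) {` ahead of the existing `talloc_free(i); return ENOMEM;`. As written, binary SAN values never make it into the list, so a certificate matching or mapping rule that relies on them presumably cannot succeed; a unit test that calls the function with `is_bin = true` would pin this down. Separately, `rdn_list_2_dn_str` in the same hunk dereferences `rdn_list` and writes `*result` without the NULL argument checks that `get_short_name` and `add_to_san_list` perform, and an early `if (rdn_list == NULL || result == NULL) return EINVAL;` would keep the file consistent.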
@@ -0,0 +1,814 @@ +/* + SSSD - certificate handling utils - OpenSSL version + The calls defined here should be useable outside of SSSD as well, e.g. in + libsss_certmap. + + Copyright (C) Sumit Bose 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include + +#include "util/crypto/sss_crypto.h" +#include "util/cert.h" +#include "lib/certmap/sss_certmap.h" +#include "lib/certmap/sss_certmap_int.h" + +/* backward compatible macros for OpenSSL < 1.1 */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define ASN1_STRING_get0_data(o) ASN1_STRING_data(o) +#define X509_get_extension_flags(o) ((o)->ex_flags) +#define X509_get_key_usage(o) ((o)->ex_kusage) +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + +typedef struct PrincipalName_st { + ASN1_INTEGER *name_type; + STACK_OF(ASN1_GENERALSTRING) *name_string; +} PrincipalName; + +ASN1_SEQUENCE(PrincipalName) = { + ASN1_EXP(PrincipalName, name_type, ASN1_INTEGER, 0), + ASN1_EXP_SEQUENCE_OF(PrincipalName, name_string, ASN1_GENERALSTRING, 1) +} ASN1_SEQUENCE_END(PrincipalName) + +IMPLEMENT_ASN1_FUNCTIONS(PrincipalName) + +typedef struct KRB5PrincipalName_st { + ASN1_STRING *realm; + PrincipalName *principal_name; +} KRB5PrincipalName; + +ASN1_SEQUENCE(KRB5PrincipalName) = { + ASN1_EXP(KRB5PrincipalName, realm, ASN1_GENERALSTRING, 0), + ASN1_EXP(KRB5PrincipalName, principal_name, 
PrincipalName, 1) +} ASN1_SEQUENCE_END(KRB5PrincipalName) + +IMPLEMENT_ASN1_FUNCTIONS(KRB5PrincipalName) + +enum san_opt openssl_name_type_to_san_opt(int type) +{ + switch (type) { + case GEN_OTHERNAME: + return SAN_OTHER_NAME; + case GEN_EMAIL: + return SAN_RFC822_NAME; + case GEN_DNS: + return SAN_DNS_NAME; + case GEN_X400: + return SAN_X400_ADDRESS; + case GEN_DIRNAME: + return SAN_DIRECTORY_NAME; + case GEN_EDIPARTY: + return SAN_EDIPART_NAME; + case GEN_URI: + return SAN_URI; + case GEN_IPADD: + return SAN_IP_ADDRESS; + case GEN_RID: + return SAN_REGISTERED_ID; + default: + return SAN_INVALID; + } +} + +static int add_string_other_name_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + OTHERNAME *other_name, + struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + char oid_buf[128]; /* FIXME: any other size ?? */ + int len; + unsigned char *p; + + len = OBJ_obj2txt(oid_buf, sizeof(oid_buf), other_name->type_id, 1); + if (len <= 0) { + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + i->other_name_oid = talloc_strndup(i, oid_buf, len); + if (i->other_name_oid == NULL) { + ret = ENOMEM; + goto done; + } + + len = i2d_ASN1_TYPE(other_name->value, NULL); + if (len <= 0) { + ret = EINVAL; + goto done; + } + + i->bin_val = talloc_size(mem_ctx, len); + if (i->bin_val == NULL) { + ret = ENOMEM; + goto done; + } + + /* i2d_TYPE increment the second argument so that it points to the end of + * the written data hence we cannot use i->bin_val directly. 
*/ + p = i->bin_val; + i->bin_val_len = i2d_ASN1_TYPE(other_name->value, &p); + + ret = 0; + +done: + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +static int add_nt_princ_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + GENERAL_NAME *current, + struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + OTHERNAME *other_name = current->d.otherName; + + if (ASN1_TYPE_get(other_name->value) != V_ASN1_UTF8STRING) { + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + i->val = talloc_strndup(i, + (const char *) ASN1_STRING_get0_data( + other_name->value->value.utf8string), + ASN1_STRING_length(other_name->value->value.utf8string)); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_short_name(i, i->val, '@', &(i->short_name)); + if (ret != 0) { + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t) +{ + if (t == NULL || t->type != V_ASN1_SEQUENCE || t->value.sequence == NULL) + return NULL; + return ASN1_item_unpack(t->value.sequence, it); +} + +static int add_pkinit_princ_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + GENERAL_NAME *current, + struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + KRB5PrincipalName *princ = NULL; + size_t c; + const unsigned char *p; + const ASN1_STRING *oct; + ASN1_GENERALSTRING *name_comp; + + oct = current->d.otherName->value->value.sequence; + p = oct->data; + princ = d2i_KRB5PrincipalName(NULL, &p, oct->length); + if (princ == NULL) { + return EINVAL; + } + + if (princ->realm == NULL + || princ->principal_name == NULL + || princ->principal_name->name_string == NULL + || sk_ASN1_GENERALSTRING_num(princ->principal_name->name_string) + == 0) { + ret = EINVAL; + goto done; + } + + i = talloc_zero(mem_ctx, 
struct san_list); + if (i == NULL) { + ret = ENOMEM; + goto done; + } + i->san_opt = san_opt; + + i->val = talloc_strdup(i, ""); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + + for (c = 0; + c < sk_ASN1_GENERALSTRING_num(princ->principal_name->name_string); + c++) { + + if (c > 0) { + i->val = talloc_strdup_append(i->val, "/"); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + } + + name_comp = sk_ASN1_GENERALSTRING_value( + princ->principal_name->name_string, c); + i->val = talloc_strndup_append(i->val, + (const char *) ASN1_STRING_get0_data(name_comp), + ASN1_STRING_length(name_comp)); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + } + + i->val = talloc_asprintf_append(i->val, "@%.*s", + ASN1_STRING_length(princ->realm), + ASN1_STRING_get0_data(princ->realm)); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_short_name(i, i->val, '@', &(i->short_name)); + if (ret != 0) { + goto done; + } + + ret = 0; + +done: + KRB5PrincipalName_free(princ); + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +static int add_ip_to_san_list(TALLOC_CTX *mem_ctx, enum san_opt san_opt, + const uint8_t *data, size_t len, + struct san_list **item) +{ + struct san_list *i = NULL; + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + i->val = talloc_strndup(i, (const char *) data, len); + if (i->val == NULL) { + talloc_free(i); + return ENOMEM; + } + + *item = i; + return 0; +} + +static int get_rdn_list(TALLOC_CTX *mem_ctx, X509_NAME *name, + const char ***rdn_list) +{ + int ret; + size_t c; + const char **list = NULL; + X509_NAME_ENTRY *e; + ASN1_STRING *rdn_str; + ASN1_OBJECT *rdn_name; + BIO *bio_mem = NULL; + char *tmp_str; + long tmp_str_size; + + int nid; + const char *sn; + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { + ret = ENOMEM; + goto done; + } + + list = talloc_zero_array(mem_ctx, const char *, + 
X509_NAME_entry_count(name) + 1); + if (list == NULL) { + ret = ENOMEM; + goto done; + } + + for (c = 0; c < X509_NAME_entry_count(name); c++) { + e = X509_NAME_get_entry(name, c); + rdn_str = X509_NAME_ENTRY_get_data(e); + + ret = ASN1_STRING_print_ex(bio_mem, rdn_str, ASN1_STRFLGS_RFC2253); + if (ret < 0) { + ret = EIO; + goto done; + } + + tmp_str_size = BIO_get_mem_data(bio_mem, &tmp_str); + if (tmp_str_size == 0) { + ret = EINVAL; + goto done; + } + + rdn_name = X509_NAME_ENTRY_get_object(e); + nid = OBJ_obj2nid(rdn_name); + sn = OBJ_nid2sn(nid); + + list[c] = talloc_asprintf(list, "%s=%.*s", openssl_2_nss_attr_name(sn), + (int) tmp_str_size, tmp_str); + ret = BIO_reset(bio_mem); + if (ret != 1) { + /* BIO_reset() for BIO_s_mem returns 1 for sucess */ + ret = ENOMEM; + goto done; + } + if (list[c] == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = 0; + +done: + BIO_free_all(bio_mem); + if (ret == 0) { + *rdn_list = list; + } else { + talloc_free(list); + } + + return ret; +} + +static int add_rdn_list_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + X509_NAME *name, + struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + ret = get_rdn_list(i, name, &(i->rdn_list)); + if (ret != 0) { + talloc_free(i); + return ret; + } + + *item = i; + return 0; +} + +static int add_oid_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + ASN1_OBJECT *oid, + struct san_list **item) +{ + struct san_list *i = NULL; + char oid_buf[128]; /* FIXME: any other size ?? 
*/ + int len; + + len = OBJ_obj2txt(oid_buf, sizeof(oid_buf), oid, 1); + if (len <= 0) { + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + i->val = talloc_strndup(i, oid_buf, len); + if (i->val == NULL) { + talloc_free(i); + return ENOMEM; + } + + *item = i; + return 0; +} + +static int get_san(TALLOC_CTX *mem_ctx, X509 *cert, struct san_list **san_list) +{ + STACK_OF(GENERAL_NAME) *extsan = NULL; + GENERAL_NAME *current; + size_t c; + int ret; + int crit; + struct san_list *list = NULL; + struct san_list *item = NULL; + struct san_list *item_s = NULL; + struct san_list *item_p = NULL; + struct san_list *item_pb = NULL; + int len; + unsigned char *data; + unsigned char *p; + + extsan = X509_get_ext_d2i(cert, NID_subject_alt_name, &crit, NULL); + if (extsan == NULL) { + if (crit == -1) { /* extension could not be found */ + return EOK; + } else { + return EINVAL; + } + } + + for (c = 0; c < sk_GENERAL_NAME_num(extsan); c++) { + current = sk_GENERAL_NAME_value(extsan, c); + switch (current->type) { + case GEN_OTHERNAME: + ret = add_string_other_name_to_san_list(mem_ctx, + SAN_STRING_OTHER_NAME, + current->d.otherName, + &item_s); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_s); + + item_p = NULL; + if (strcmp(item_s->other_name_oid, NT_PRINCIPAL_OID) == 0) { + ret = add_nt_princ_to_san_list(mem_ctx, SAN_NT, current, + &item_p); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_p); + } else if (strcmp(item_s->other_name_oid, PKINIT_OID) == 0) { + ret = add_pkinit_princ_to_san_list(mem_ctx, SAN_PKINIT, + current, &item_p); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_p); + } + + if (item_p != NULL) { + ret = add_principal_to_san_list(mem_ctx, SAN_PRINCIPAL, + item_p->val, &item_pb); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_pb); + } + + break; + case GEN_EMAIL: + ret = add_to_san_list(mem_ctx, false, + 
openssl_name_type_to_san_opt(current->type), + ASN1_STRING_get0_data(current->d.rfc822Name), + ASN1_STRING_length(current->d.rfc822Name), + &item); + if (ret != 0) { + goto done; + } + + ret = get_short_name(item, item->val, '@', &(item->short_name)); + if (ret != 0) { + goto done; + } + + DLIST_ADD(list, item); + break; + case GEN_DNS: + ret = add_to_san_list(mem_ctx, false, + openssl_name_type_to_san_opt(current->type), + ASN1_STRING_get0_data(current->d.dNSName), + ASN1_STRING_length(current->d.dNSName), + &item); + if (ret != 0) { + goto done; + } + + ret = get_short_name(item, item->val, '.', &(item->short_name)); + if (ret != 0) { + goto done; + } + + DLIST_ADD(list, item); + break; + case GEN_URI: + ret = add_to_san_list(mem_ctx, false, + openssl_name_type_to_san_opt(current->type), + ASN1_STRING_get0_data(current->d.uniformResourceIdentifier), + ASN1_STRING_length(current->d.uniformResourceIdentifier), + &item); + if (ret != 0) { + goto done; + } + break; + case GEN_IPADD: + ret = add_ip_to_san_list(mem_ctx, + openssl_name_type_to_san_opt(current->type), + ASN1_STRING_get0_data(current->d.iPAddress), + ASN1_STRING_length(current->d.iPAddress), + &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case GEN_DIRNAME: + ret = add_rdn_list_to_san_list(mem_ctx, + openssl_name_type_to_san_opt(current->type), + current->d.directoryName, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case GEN_RID: + ret = add_oid_to_san_list(mem_ctx, + openssl_name_type_to_san_opt(current->type), + current->d.registeredID, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case GEN_X400: + len = i2d_ASN1_TYPE(current->d.x400Address, NULL); + if (len <= 0) { + ret = EINVAL; + goto done; + } + + data = talloc_size(mem_ctx, len); + if (data == NULL) { + ret = ENOMEM; + goto done; + } + + /* i2d_TYPE increment the second argument so that it points to the end of + * the written data hence we cannot use 
i->bin_val directly. */ + p = data; + len = i2d_ASN1_TYPE(current->d.x400Address, &p); + + ret = add_to_san_list(mem_ctx, true, + openssl_name_type_to_san_opt(current->type), + data, len, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case GEN_EDIPARTY: + len = i2d_EDIPARTYNAME(current->d.ediPartyName, NULL); + if (len <= 0) { + ret = EINVAL; + goto done; + } + + data = talloc_size(mem_ctx, len); + if (data == NULL) { + ret = ENOMEM; + goto done; + } + + /* i2d_TYPE increment the second argument so that it points to the end of + * the written data hence we cannot use i->bin_val directly. */ + p = data; + len = i2d_EDIPARTYNAME(current->d.ediPartyName, &data); + + ret = add_to_san_list(mem_ctx, true, + openssl_name_type_to_san_opt(current->type), + data, len, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + default: + ret = EINVAL; + goto done; + } + } + + ret = EOK; + +done: + GENERAL_NAMES_free(extsan); + + if (ret == EOK) { + *san_list = list; + } + + return ret; +} + +static int get_extended_key_usage_oids(TALLOC_CTX *mem_ctx, + X509 *cert, + const char ***_oids) +{ + const char **oids_list = NULL; + size_t c; + int ret; + char oid_buf[128]; /* FIXME: any other size ?? 
*/ + int len; + EXTENDED_KEY_USAGE *extusage = NULL; + int crit; + size_t eku_count = 0; + + extusage = X509_get_ext_d2i(cert, NID_ext_key_usage, &crit, NULL); + if (extusage == NULL) { + if (crit == -1) { /* extension could not be found */ + eku_count = 0; + } else { + return EINVAL; + } + } else { + eku_count = sk_ASN1_OBJECT_num(extusage); + } + + oids_list = talloc_zero_array(mem_ctx, const char *, eku_count + 1); + if (oids_list == NULL) { + return ENOMEM; + } + + for (c = 0; c < eku_count; c++) { + len = OBJ_obj2txt(oid_buf, sizeof(oid_buf), + sk_ASN1_OBJECT_value(extusage, c), 1); + if (len < 0) { + return EIO; + } + + oids_list[c] = talloc_strndup(oids_list, oid_buf, len); + if (oids_list[c] == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = 0; + +done: + sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free); + if (ret == 0) { + *_oids = oids_list; + } else { + talloc_free(oids_list); + } + + return ret; +} + +int sss_cert_get_content(TALLOC_CTX *mem_ctx, + const uint8_t *der_blob, size_t der_size, + struct sss_cert_content **content) +{ + int ret; + struct sss_cert_content *cont = NULL; + X509 *cert = NULL; + const unsigned char *der; + BIO *bio_mem = NULL; + X509_NAME *tmp_name; + + if (der_blob == NULL || der_size == 0) { + return EINVAL; + } + + cont = talloc_zero(mem_ctx, struct sss_cert_content); + if (cont == NULL) { + return ENOMEM; + } + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { + ret = ENOMEM; + goto done; + } + + der = (const unsigned char *) der_blob; + cert = d2i_X509(NULL, &der, (int) der_size); + if (cert == NULL) { + ret = EINVAL; + goto done; + } + + tmp_name = X509_get_issuer_name(cert); + + ret = get_rdn_list(cont, tmp_name, &cont->issuer_rdn_list); + if (ret != 0) { + goto done; + } + + ret = rdn_list_2_dn_str(cont, NULL, cont->issuer_rdn_list, + &cont->issuer_str); + if (ret != 0) { + goto done; + } + + tmp_name = X509_get_subject_name(cert); + + ret = get_rdn_list(cont, tmp_name, &cont->subject_rdn_list); + if 
(ret != 0) { + goto done; + } + + ret = rdn_list_2_dn_str(cont, NULL, cont->subject_rdn_list, + &cont->subject_str); + if (ret != 0) { + goto done; + } + + ret = X509_check_purpose(cert, -1, -1); + if (ret < 0) { + ret = EIO; + goto done; + } + if (!(X509_get_extension_flags(cert) & EXFLAG_KUSAGE)) { + ret = EINVAL; + goto done; + } + cont->key_usage = X509_get_key_usage(cert); + + ret = get_extended_key_usage_oids(cont, cert, + &(cont->extended_key_usage_oids)); + if (ret != 0) { + goto done; + } + + ret = get_san(cont, cert, &(cont->san_list)); + if (ret != 0) { + goto done; + } + + cont->cert_der = talloc_memdup(cont, der_blob, der_size); + if (cont->cert_der == NULL) { + ret = ENOMEM; + goto done; + } + + cont->cert_der_size = der_size; + + ret = EOK; + +done: + + X509_free(cert); + BIO_free_all(bio_mem); + CRYPTO_cleanup_all_ex_data(); + + if (ret == EOK) { + *content = cont; + } else { + talloc_free(cont); + } + + return ret; +} diff --git a/src/lib/certmap/sss_cert_content_nss.c b/src/lib/certmap/sss_cert_content_nss.c new file mode 100644 index 0000000..ed7ce24 --- /dev/null +++ b/src/lib/certmap/sss_cert_content_nss.c 
@@ -0,0 +1,925 @@ +/* + SSSD - certificate handling utils - NSS version + The calls defined here should be useable outside of SSSD as well, e.g. in + libsss_certmap. + + Copyright (C) Sumit Bose 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" +#include "util/cert.h" +#include "lib/certmap/sss_certmap.h" +#include "lib/certmap/sss_certmap_int.h" + + +/* The following two functions are copied from NSS's lib/certdb/secname.c + * because CERT_AddAVA is not exported. I just renamed it and made it static + * to avoid issues if the call gets exported some time in future. 
*/ + +static void ** +AddToArray(PLArenaPool *arena, void **array, void *element) +{ + unsigned count; + void **ap; + + /* Count up number of slots already in use in the array */ + count = 0; + ap = array; + if (ap) { + while (*ap++) { + count++; + } + } + + if (array) { + array = (void**) PORT_ArenaGrow(arena, array, + (count + 1) * sizeof(void *), + (count + 2) * sizeof(void *)); + } else { + array = (void**) PORT_ArenaAlloc(arena, (count + 2) * sizeof(void *)); + } + if (array) { + array[count] = element; + array[count+1] = 0; + } + return array; +} + + +static SECStatus +sss_CERT_AddAVA(PLArenaPool *arena, CERTRDN *rdn, CERTAVA *ava) +{ + rdn->avas = (CERTAVA**) AddToArray(arena, (void**) rdn->avas, ava); + return rdn->avas ? SECSuccess : SECFailure; +} + +static SECItem * +cert_get_ext_by_tag(CERTCertificate *cert, SECOidTag tag) +{ + SECOidData *oid; + int i; + + oid = SECOID_FindOIDByTag(tag); + for (i = 0; + (cert->extensions != NULL) && (cert->extensions[i] != NULL); + i++) + if (SECITEM_ItemsAreEqual(&cert->extensions[i]->id, &oid->oid)) + return &cert->extensions[i]->value; + return NULL; +} + +static int get_extended_key_usage_oids(TALLOC_CTX *mem_ctx, + CERTCertificate *cert, + const char ***_oids) +{ + PLArenaPool *pool; + SECItem *ext; + SECItem **oids = NULL; + const char **oids_list = NULL; + size_t c; + SECStatus rv; + char *tmp_str; + int ret; + + pool = PORT_NewArena(sizeof(double)); + ext = cert_get_ext_by_tag(cert, SEC_OID_X509_EXT_KEY_USAGE); + if (ext != NULL) { + rv = SEC_ASN1DecodeItem(pool, &oids, + SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate), + ext); + if (rv != SECSuccess) { + ret = EINVAL; + goto done; + } + } + + for (c = 0; (oids != NULL && oids[c] != NULL); c++); + oids_list = talloc_zero_array(mem_ctx, const char *, c + 1); + if (oids_list == NULL) { + return ENOMEM; + } + + for (c = 0; (oids != NULL && oids[c] != NULL); c++) { + tmp_str = CERT_GetOidString(oids[c]); + /* it is expected that NSS OID strings start with "OID." 
but we + * prefer the plain dotted-decimal version so the prefix is skipped */ + if (tmp_str == NULL || strncmp(tmp_str, "OID.", 4) != 0) { + PR_smprintf_free(tmp_str); + ret = EINVAL; + goto done; + } + + oids_list[c] = talloc_strdup(oids_list, tmp_str + 4); + PR_smprintf_free(tmp_str); + if(oids_list[c] == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = 0; + +done: + PORT_FreeArena(pool, PR_TRUE); + if (ret == 0) { + *_oids = oids_list; + } else { + talloc_free(oids_list); + } + + return ret; + +} + +static int get_rdn_str(TALLOC_CTX *mem_ctx, CERTAVA **avas, + const char **rdn_str) +{ + size_t c; + char *tmp_name = NULL; + const char *tmp_str = NULL; + int ret; + SECStatus rv; + CERTRDN rdn = { 0 }; + CERTName *name = NULL; + PLArenaPool *arena = NULL; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (arena == NULL) { + ret = ENOMEM; + goto done; + } + + + /* Multiple AVAs should be avoided because there is no general ordering + * rule and the RDN strings are not reproducible */ + for (c = 0; avas[c] != NULL; c++) { + rv = sss_CERT_AddAVA(arena, &rdn, avas[c]); + if (rv != SECSuccess) { + ret = EIO; + goto done; + } + } + + name = CERT_CreateName(&rdn, NULL); + if (name == NULL) { + ret = EIO; + goto done; + } + + tmp_name = CERT_NameToAscii(name); + CERT_DestroyName(name); + if (tmp_name == NULL) { + ret = EIO; + goto done; + } + + tmp_str = talloc_strdup(mem_ctx, tmp_name); + PORT_Free(tmp_name); + if (tmp_str == NULL) { + ret = ENOMEM; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *rdn_str = tmp_str; + } else { + talloc_free(discard_const(tmp_str)); + } + PORT_FreeArena(arena, PR_FALSE); + + return ret; +} + +static int get_rdn_list(TALLOC_CTX *mem_ctx, CERTRDN **rdns, + const char ***rdn_list) +{ + int ret; + size_t c; + const char **list = NULL; + + for (c = 0; rdns[c] != NULL; c++); + list = talloc_zero_array(mem_ctx, const char *, c + 1); + if (list == NULL) { + ret = ENOMEM; + goto done; + } + for (c = 0; rdns[c] != NULL; c++) { 
+ ret = get_rdn_str(list, rdns[c]->avas, + &(list[c])); + if (ret != 0) { + goto done; + } + } + + ret = 0; + +done: + if (ret == 0) { + *rdn_list = list; + } else { + talloc_free(list); + } + + return ret; +} + +enum san_opt nss_name_type_to_san_opt(CERTGeneralNameType type) +{ + switch (type) { + case certOtherName: + return SAN_OTHER_NAME; + case certRFC822Name: + return SAN_RFC822_NAME; + case certDNSName: + return SAN_DNS_NAME; + case certX400Address: + return SAN_X400_ADDRESS; + case certDirectoryName: + return SAN_DIRECTORY_NAME; + case certEDIPartyName: + return SAN_EDIPART_NAME; + case certURI: + return SAN_URI; + case certIPAddress: + return SAN_IP_ADDRESS; + case certRegisterID: + return SAN_REGISTERED_ID; + default: + return SAN_INVALID; + } +} + +/* taken from pkinit_crypto_nss.c of MIT Kerberos */ +/* KerberosString: RFC 4120, 5.2.1. */ +static const SEC_ASN1Template kerberos_string_template[] = { + { + SEC_ASN1_GENERAL_STRING, + 0, + NULL, + sizeof(SECItem), + } +}; + +/* Realm: RFC 4120, 5.2.2. */ +struct realm { + SECItem name; +}; +static const SEC_ASN1Template realm_template[] = { + { + SEC_ASN1_GENERAL_STRING, + 0, + NULL, + sizeof(SECItem), + } +}; + +/* PrincipalName: RFC 4120, 5.2.2. 
*/ +static const SEC_ASN1Template sequence_of_kerberos_string_template[] = { + { + SEC_ASN1_SEQUENCE_OF, + 0, + &kerberos_string_template, + 0, + } +}; + +struct principal_name { + SECItem name_type; + SECItem **name_string; +}; +static const SEC_ASN1Template principal_name_template[] = { + { + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct principal_name), + }, + { + SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct principal_name, name_type), + &SEC_IntegerTemplate, + sizeof(SECItem), + }, + { + SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct principal_name, name_string), + sequence_of_kerberos_string_template, + sizeof(struct SECItem **), + }, + {0, 0, NULL, 0}, +}; + +/* KRB5PrincipalName: RFC 4556, 3.2.2. */ +struct kerberos_principal_name { + SECItem realm; + struct principal_name principal_name; +}; +static const SEC_ASN1Template kerberos_principal_name_template[] = { + { + SEC_ASN1_SEQUENCE, + 0, + NULL, + sizeof(struct kerberos_principal_name), + }, + { + SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct kerberos_principal_name, realm), + &realm_template, + sizeof(struct realm), + }, + { + SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, + offsetof(struct kerberos_principal_name, principal_name), + &principal_name_template, + sizeof(struct principal_name), + }, + {0, 0, NULL, 0} +}; + +static int add_string_other_name_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + CERTGeneralName *current, + struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + char *tmp_str; + + tmp_str = CERT_GetOidString(&(current->name.OthName.oid)); + /* it is expected that NSS OID strings start with "OID." 
but we + * prefer the plain dotted-decimal version so the prefix is skipped */ + if (tmp_str == NULL || strncmp(tmp_str, "OID.", 4) != 0) { + PR_smprintf_free(tmp_str); + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + PR_smprintf_free(tmp_str); + return ENOMEM; + } + i->san_opt = san_opt; + + i->other_name_oid = talloc_strdup(i, tmp_str + 4); + PR_smprintf_free(tmp_str); + if (i->other_name_oid == NULL) { + ret = ENOMEM; + goto done; + } + + i->bin_val = talloc_memdup(i, current->name.OthName.name.data, + current->name.OthName.name.len); + if (i->bin_val == NULL) { + ret = ENOMEM; + goto done; + } + i->bin_val_len = current->name.OthName.name.len; + + ret = 0; + +done: + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +static int add_nt_princ_to_san_list(TALLOC_CTX *mem_ctx, + PLArenaPool *pool, + enum san_opt san_opt, + CERTGeneralName *current, + struct san_list **item) +{ + struct san_list *i = NULL; + SECStatus rv; + SECItem tmp_secitem = { 0 }; + int ret; + + rv = SEC_ASN1DecodeItem(pool, &tmp_secitem, + SEC_ASN1_GET(SEC_UTF8StringTemplate), + &(current->name.OthName.name)); + if (rv != SECSuccess) { + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + i->val = talloc_strndup(i, (char *) tmp_secitem.data, + tmp_secitem.len); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_short_name(i, i->val, '@', &(i->short_name)); + if (ret != 0) { + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +static int add_pkinit_princ_to_san_list(TALLOC_CTX *mem_ctx, + PLArenaPool *pool, + enum san_opt san_opt, + CERTGeneralName *current, + struct san_list **item) +{ + struct san_list *i = NULL; + SECStatus rv; + /* To avoid 'Wmissing-braces' warnings with older versions of + * gcc kerberos_principal_name cannot be initialized with 
{ 0 } + * but must be initialized with memset(). + */ + struct kerberos_principal_name kname; + int ret; + size_t c; + + memset(&kname, 0, sizeof(kname)); + + rv = SEC_ASN1DecodeItem(pool, &kname, + kerberos_principal_name_template, + &(current->name.OthName.name)); + if (rv != SECSuccess) { + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + if (kname.principal_name.name_string != NULL) { + i->val = talloc_strdup(i, ""); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + for (c = 0; kname.principal_name.name_string[c] != NULL; c++) { + if (c > 0) { + i->val = talloc_strdup_append(i->val, "/"); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + } + i->val = talloc_strndup_append(i->val, + (char *) kname.principal_name.name_string[c]->data, + kname.principal_name.name_string[c]->len); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + } + i->val = talloc_asprintf_append(i->val, "@%.*s", + kname.realm.len, + (char *) kname.realm.data); + if (i->val == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_short_name(i, i->val, '@', &(i->short_name)); + if (ret != 0) { + goto done; + } + } + + ret = 0; + +done: + if (ret == 0) { + *item = i; + } else { + talloc_free(i); + } + + return ret; +} + +static int add_oid_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + SECItem oid, + struct san_list **item) +{ + struct san_list *i = NULL; + char *tmp_str; + + tmp_str = CERT_GetOidString(&oid); + /* it is expected that NSS OID strings start with "OID." 
but we + * prefer the plain dotted-decimal version so the prefix is skipped */ + if (tmp_str == NULL || strncmp(tmp_str, "OID.", 4) != 0) { + PR_smprintf_free(tmp_str); + return EINVAL; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + PR_smprintf_free(tmp_str); + return ENOMEM; + } + i->san_opt = san_opt; + + i->val = talloc_strdup(i, tmp_str + 4); + PR_smprintf_free(tmp_str); + if (i->val == NULL) { + talloc_free(i); + return ENOMEM; + } + + *item = i; + return 0; +} + +static int add_rdn_list_to_san_list(TALLOC_CTX *mem_ctx, + enum san_opt san_opt, + CERTName name, + struct san_list **item) +{ + struct san_list *i = NULL; + int ret; + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + i->san_opt = san_opt; + + ret = get_rdn_list(i, name.rdns, &(i->rdn_list)); + if (ret != 0) { + talloc_free(i); + return ret; + } + + *item = i; + return 0; +} + +static int add_ip_to_san_list(TALLOC_CTX *mem_ctx, enum san_opt san_opt, + uint8_t *data, size_t len, + struct san_list **item) +{ + struct san_list *i; + PRStatus st; + PRNetAddr addr; + char addrBuf[80]; + + if (data == NULL || len == 0 || san_opt == SAN_INVALID) { + return EINVAL; + } + + /* taken from secu_PrintIPAddress() */ + memset(&addr, 0, sizeof addr); + if (len == 4) { + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, data, len); + } else if (len == 16) { + addr.ipv6.family = PR_AF_INET6; + memcpy(addr.ipv6.ip.pr_s6_addr, data, len); + if (PR_IsNetAddrType(&addr, PR_IpAddrV4Mapped)) { + /* convert to IPv4. 
*/ + addr.inet.family = PR_AF_INET; + memcpy(&addr.inet.ip, &addr.ipv6.ip.pr_s6_addr[12], 4); + memset(&addr.inet.pad[0], 0, sizeof addr.inet.pad); + } + } else { + return EINVAL; + } + + st = PR_NetAddrToString(&addr, addrBuf, sizeof addrBuf); + if (st != PR_SUCCESS) { + return EIO; + } + + i = talloc_zero(mem_ctx, struct san_list); + if (i == NULL) { + return ENOMEM; + } + + i->san_opt = san_opt; + i->val = talloc_strdup(i, addrBuf); + if (i->val == NULL) { + talloc_free(i); + return ENOMEM; + } + + *item = i; + return 0; +} + +static int get_san(TALLOC_CTX *mem_ctx, CERTCertificate *cert, + struct san_list **san_list) +{ + + SECItem subAltName = { 0 }; + SECStatus rv; + CERTGeneralName *name_list = NULL; + CERTGeneralName *current; + PLArenaPool *pool = NULL; + int ret; + struct san_list *list = NULL; + struct san_list *item = NULL; + struct san_list *item_s = NULL; + struct san_list *item_p = NULL; + struct san_list *item_pb = NULL; + + rv = CERT_FindCertExtension(cert, SEC_OID_X509_SUBJECT_ALT_NAME, + &subAltName); + if (rv != SECSuccess) { + if (rv == SECFailure + && PORT_GetError() == SEC_ERROR_EXTENSION_NOT_FOUND) { + ret = EOK; + } else { + ret = EIO; + } + goto done; + } + + pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (pool == NULL) { + ret = ENOMEM; + goto done; + } + + name_list = CERT_DecodeAltNameExtension(pool, &subAltName); + if (name_list == NULL ) { + ret = EIO; + goto done; + } + + current = name_list; + do { + switch (current->type) { + case certOtherName: + ret = add_string_other_name_to_san_list(mem_ctx, + SAN_STRING_OTHER_NAME, + current, &item_s); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_s); + + item_p = NULL; + if (strcmp(item_s->other_name_oid, NT_PRINCIPAL_OID) == 0) { + ret = add_nt_princ_to_san_list(mem_ctx, pool, SAN_NT, current, + &item_p); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_p); + } else if (strcmp(item_s->other_name_oid, PKINIT_OID) == 0) { + ret = add_pkinit_princ_to_san_list(mem_ctx, 
pool, SAN_PKINIT, + current, &item_p); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_p); + } + + if (item_p != NULL) { + ret = add_principal_to_san_list(mem_ctx, SAN_PRINCIPAL, + item_p->val, &item_pb); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item_pb); + } + + break; + case certRFC822Name: + case certDNSName: + case certURI: + ret = add_to_san_list(mem_ctx, false, + nss_name_type_to_san_opt(current->type), + current->name.other.data, + current->name.other.len, &item); + if (ret != 0) { + goto done; + } + + if (current->type == certRFC822Name + || current->type == certDNSName) { + ret = get_short_name(item, item->val, + (current->type == certRFC822Name + ? '@' : '.'), + &(item->short_name)); + if (ret != 0) { + goto done; + } + } + + DLIST_ADD(list, item); + break; + case certIPAddress: + ret = add_ip_to_san_list(mem_ctx, + nss_name_type_to_san_opt(current->type), + current->name.other.data, + current->name.other.len, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case certDirectoryName: + ret = add_rdn_list_to_san_list(mem_ctx, + nss_name_type_to_san_opt(current->type), + current->name.directoryName, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case certRegisterID: + ret = add_oid_to_san_list(mem_ctx, + nss_name_type_to_san_opt(current->type), + current->name.other, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + case certX400Address: + case certEDIPartyName: + ret = add_to_san_list(mem_ctx, true, + nss_name_type_to_san_opt(current->type), + current->name.other.data, + current->name.other.len, &item); + if (ret != 0) { + goto done; + } + DLIST_ADD(list, item); + break; + default: + ret = EINVAL; + goto done; + } + + current = CERT_GetNextGeneralName(current); + if (current == NULL) { + ret = EIO; + goto done; + } + } while (current != name_list); + +done: + + /* Don't free nameList, it's part of the arena. 
*/ + + if (pool != NULL) { + PORT_FreeArena(pool, PR_FALSE); + } + + if (subAltName.data != NULL) { + SECITEM_FreeItem(&subAltName, PR_FALSE); + } + + if (ret == EOK) { + *san_list = list; + } + return ret; +} + +int sss_cert_get_content(TALLOC_CTX *mem_ctx, + const uint8_t *der_blob, size_t der_size, + struct sss_cert_content **content) +{ + int ret; + struct sss_cert_content *cont = NULL; + CERTCertDBHandle *handle; + CERTCertificate *cert = NULL; + SECItem der_item; + NSSInitContext *nss_ctx; + + if (der_blob == NULL || der_size == 0) { + return EINVAL; + } + + nss_ctx = NSS_InitContext("", "", "", "", NULL, NSS_INIT_READONLY + | NSS_INIT_NOCERTDB + | NSS_INIT_NOMODDB + | NSS_INIT_FORCEOPEN + | NSS_INIT_NOROOTINIT + | NSS_INIT_OPTIMIZESPACE); + if (nss_ctx == NULL) { + return EIO; + } + + cont = talloc_zero(mem_ctx, struct sss_cert_content); + if (cont == NULL) { + return ENOMEM; + } + + handle = CERT_GetDefaultCertDB(); + der_item.len = der_size; + der_item.data = discard_const(der_blob); + + cert = CERT_NewTempCertificate(handle, &der_item, NULL, PR_FALSE, PR_TRUE); + if (cert == NULL) { + ret = EINVAL; + goto done; + } + + cont->issuer_str = talloc_strdup(cont, cert->issuerName); + if (cont->issuer_str == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_rdn_list(cont, cert->issuer.rdns, &cont->issuer_rdn_list); + if (ret != 0) { + goto done; + } + + cont->subject_str = talloc_strdup(cont, cert->subjectName); + if (cont->subject_str == NULL) { + ret = ENOMEM; + goto done; + } + + ret = get_rdn_list(cont, cert->subject.rdns, &cont->subject_rdn_list); + if (ret != 0) { + goto done; + } + + + cont->key_usage = cert->keyUsage; + + ret = get_extended_key_usage_oids(cont, cert, + &(cont->extended_key_usage_oids)); + if (ret != 0) { + goto done; + } + + ret = get_san(cont, cert, &(cont->san_list)); + if (ret != 0) { + goto done; + } + + cont->cert_der = talloc_memdup(cont, der_blob, der_size); + if (cont->cert_der == NULL) { + ret = ENOMEM; + goto done; + } + + 
cont->cert_der_size = der_size; + ret = EOK; + +done: + + CERT_DestroyCertificate(cert); + NSS_ShutdownContext(nss_ctx); + + if (ret == EOK) { + *content = cont; + } else { + talloc_free(cont); + } + + return ret; +} diff --git a/src/lib/certmap/sss_certmap.c b/src/lib/certmap/sss_certmap.c new file mode 100644 index 0000000..f6f6f98 --- /dev/null +++ b/src/lib/certmap/sss_certmap.c 
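Review bot: `add_nt_princ_to_san_list` copies the decoded UTF8String with `talloc_strndup(i, (char *) tmp_secitem.data, tmp_secitem.len)`, which stops at the first NUL byte, so a principal value with an embedded NUL is silently truncated and the string later used for mapping can differ from what the certificate encodes. Reject such values before the copy, for example `if (tmp_secitem.data == NULL || memchr(tmp_secitem.data, '\0', tmp_secitem.len) != NULL) return EINVAL;`. The same check is missing in `add_pkinit_princ_to_san_list`, for each `name_string[c]` passed to `talloc_strndup_append` and for `kname.realm` formatted with `"@%.*s"`. Separately, that function returns 0 with `i->val` still NULL when `kname.principal_name.name_string` is NULL, and `get_san` then passes `item_p->val` to `add_principal_to_san_list`. Returning `EINVAL` in that case looks safer, though the helper is defined outside this hunk, so its NULL handling cannot be confirmed here.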
@@ -0,0 +1,916 @@ +/* + SSSD + + Library for rule based certificate to user mapping + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#include "util/util.h" +#include "util/cert.h" +#include "util/crypto/sss_crypto.h" +#include "lib/certmap/sss_certmap.h" +#include "lib/certmap/sss_certmap_int.h" + +int debug_level; +void sss_debug_fn(const char *file, + long line, + const char *function, + int level, + const char *format, ...) 
+{ + return; +} + +static int get_type_prefix(TALLOC_CTX *mem_ctx, const char *match_rule, + char **type, const char **rule_start) +{ + const char *c; + char *delim; + + *type = NULL; + *rule_start = match_rule; + + delim = strchr(match_rule, ':'); + if (delim == NULL) { + /* no type prefix found */ + return 0; + } + + /* rule starts with ':', empty type */ + if (delim == match_rule) { + *rule_start = delim + 1; + return EOK; + } + + for (c = match_rule; c < delim; c++) { + /* type prefix may only contain digits and upper-case ASCII characters */ + if (!(isascii(*c) && (isdigit(*c) || isupper(*c)))) { + /* no type prefix found */ + return 0; + } + } + + *rule_start = delim + 1; + *type = talloc_strndup(mem_ctx, match_rule, (delim - match_rule)); + if (*type == NULL) { + return ENOMEM; + } + + return 0; +} + +static int parse_match_rule(struct sss_certmap_ctx *ctx, const char *match_rule, + struct krb5_match_rule **parsed_match_rule) +{ + int ret; + char *type; + const char *rule_start; + + ret = get_type_prefix(ctx, match_rule, &type, &rule_start); + if (ret != EOK) { + CM_DEBUG(ctx, "Failed to read rule type."); + goto done; + } + + if (type == NULL || strcmp(type, "KRB5") == 0) { + ret = parse_krb5_match_rule(ctx, rule_start, parsed_match_rule); + if (ret != EOK) { + CM_DEBUG(ctx, "Failed to parse KRB5 matching rule."); + goto done; + } + } else { + CM_DEBUG(ctx, "Unsupported matching rule type."); + ret = ESRCH; + goto done; + } + + ret = EOK; + +done: + talloc_free(type); + + return ret; +} + +static int parse_mapping_rule(struct sss_certmap_ctx *ctx, + const char *mapping_rule, + struct ldap_mapping_rule **parsed_mapping_rule) +{ + int ret; + char *type; + const char *rule_start; + + ret = get_type_prefix(ctx, mapping_rule, &type, &rule_start); + if (ret != EOK) { + CM_DEBUG(ctx, "Failed to read rule type."); + goto done; + } + + if (type == NULL || strcmp(type, "LDAP") == 0) { + ret = parse_ldap_mapping_rule(ctx, rule_start, parsed_mapping_rule); + if (ret != 
EOK) { + CM_DEBUG(ctx, "Failed to parse LDAP mapping rule."); + goto done; + } + } else { + CM_DEBUG(ctx, "Unsupported mapping rule type."); + ret = ESRCH; + goto done; + } + + ret = EOK; + +done: + talloc_free(type); + + return ret; +} + +int sss_certmap_add_rule(struct sss_certmap_ctx *ctx, + uint32_t priority, const char *match_rule, + const char *map_rule, const char **domains) +{ + size_t c; + int ret; + struct match_map_rule *rule; + struct TALLOC_CTX *tmp_ctx; + struct priority_list *p; + struct priority_list *p_new; + struct krb5_match_rule *parsed_match_rule; + struct ldap_mapping_rule *parsed_mapping_rule; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + rule = talloc_zero(tmp_ctx, struct match_map_rule); + if (rule == NULL) { + ret = ENOMEM; + goto done; + } + + rule->priority = priority; + + if (match_rule == NULL) { + match_rule = DEFAULT_MATCH_RULE; + } + ret = parse_match_rule(ctx, match_rule, &parsed_match_rule); + if (ret == 0) { + rule->parsed_match_rule = talloc_steal(rule, parsed_match_rule); + rule->match_rule = talloc_strdup(rule, match_rule); + if (rule->match_rule == NULL) { + ret = ENOMEM; + goto done; + } + } else if (ret == ESRCH) { + /* report unsupported rules */ + goto done; + } else { + goto done; + } + + if (map_rule == NULL) { + map_rule = DEFAULT_MAP_RULE; + } + ret = parse_mapping_rule(ctx, map_rule, &parsed_mapping_rule); + if (ret == 0) { + rule->parsed_mapping_rule = talloc_steal(rule, parsed_mapping_rule); + rule->map_rule = talloc_strdup(rule, map_rule); + if (rule->map_rule == NULL) { + ret = ENOMEM; + goto done; + } + } else if (ret == ESRCH) { + /* report unsupported rules */ + goto done; + } else { + goto done; + } + + if (domains != NULL && *domains != NULL) { + for (c = 0; domains[c] != NULL; c++); + rule->domains = talloc_zero_array(rule, char *, c + 1); + if (rule->domains == NULL) { + ret = ENOMEM; + goto done; + } + for (c = 0; domains[c] != NULL; c++) { + rule->domains[c] = 
talloc_strdup(rule->domains, domains[c]); + if (rule->domains[c] == NULL) { + ret = ENOMEM; + goto done; + } + } + } + + if (ctx->prio_list == NULL) { + ctx->prio_list = talloc_zero(ctx, struct priority_list); + if (ctx->prio_list == NULL) { + ret = ENOMEM; + goto done; + } + + ctx->prio_list->priority = rule->priority; + ctx->prio_list->rule_list = rule; + } else { + for (p = ctx->prio_list; p != NULL && p->priority < rule->priority; + p = p->next); + if (p != NULL && p->priority == priority) { + DLIST_ADD(p->rule_list, rule); + } else { + p_new = talloc_zero(ctx, struct priority_list); + if (p_new == NULL) { + ret = ENOMEM; + goto done; + } + + p_new->priority = rule->priority; + p_new->rule_list = rule; + + if (p == NULL) { + DLIST_ADD_END(ctx->prio_list, p_new, struct priority_list *); + } else if (p->prev == NULL) { + DLIST_ADD(ctx->prio_list, p_new); + } else { + DLIST_ADD_AFTER(ctx->prio_list, p_new, p->prev); + } + } + } + + talloc_steal(ctx, rule); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static int expand_cert(struct sss_certmap_ctx *ctx, + struct parsed_template *parsed_template, + struct sss_cert_content *cert_content, + char **expanded) +{ + int ret; + char *tmp_str = NULL; + + if (parsed_template->conversion == NULL + || strcmp(parsed_template->conversion, "bin") == 0) { + ret = bin_to_ldap_filter_value(ctx, cert_content->cert_der, + cert_content->cert_der_size, &tmp_str); + if (ret != 0) { + CM_DEBUG(ctx, "bin conversion failed."); + goto done; + } + } else if (strcmp(parsed_template->conversion, "base64") == 0) { + tmp_str = sss_base64_encode(ctx, cert_content->cert_der, + cert_content->cert_der_size); + if (tmp_str == NULL) { + CM_DEBUG(ctx, "base64 conversion failed."); + ret = ENOMEM; + goto done; + } + } else { + CM_DEBUG(ctx, "Unsupported conversion."); + ret = EINVAL; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *expanded = tmp_str; + } else { + talloc_free(tmp_str); + } + + return ret; +} + +static 
int expand_san_blob(struct sss_certmap_ctx *ctx, enum san_opt san_opt, + struct san_list *san_list, char **expanded) +{ + struct san_list *item; + char *exp; + int ret; + + DLIST_FOR_EACH(item, san_list) { + if (item->san_opt == san_opt) { + ret = bin_to_ldap_filter_value(ctx, item->bin_val, + item->bin_val_len, &exp); + if (ret != 0) { + CM_DEBUG(ctx, "bin conversion failed."); + return ret; + } + + *expanded = exp; + return 0; + } + } + + return ENOENT; +} + +static int expand_san_string(struct sss_certmap_ctx *ctx, enum san_opt san_opt, + struct san_list *san_list, const char *attr_name, + char **expanded) +{ + struct san_list *item; + char *exp; + + DLIST_FOR_EACH(item, san_list) { + if (item->san_opt == san_opt) { + if (attr_name == NULL) { + exp = talloc_strdup(ctx, item->val); + } else if (strcasecmp(attr_name, "short_name") == 0) { + exp = talloc_strdup(ctx, item->short_name); + } else { + CM_DEBUG(ctx, "Unsupported attribute name [%s].", attr_name); + return EINVAL; + } + + if (exp == NULL) { + return ENOMEM; + } + + *expanded = exp; + return 0; + } + } + + return ENOENT; +} + +static int expand_san_rdn_list(struct sss_certmap_ctx *ctx, + enum san_opt san_opt, + struct san_list *san_list, + const char *conversion, + char **expanded) +{ + struct san_list *item; + char *exp; + int ret; + + DLIST_FOR_EACH(item, san_list) { + if (item->san_opt == san_opt) { + ret = rdn_list_2_dn_str(ctx, conversion, item->rdn_list, &exp); + if (ret != 0) { + return ret; + } + + *expanded = exp; + return 0; + } + } + + return ENOENT; +} + + +static int expand_san(struct sss_certmap_ctx *ctx, + struct parsed_template *parsed_template, + struct san_list *san_list, + char **expanded) +{ + int ret; + + if (strcmp("subject_rfc822_name", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_RFC822_NAME, san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_dns_name", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_DNS_NAME, 
san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_x400_address", parsed_template->name) == 0) { + ret = expand_san_blob(ctx, SAN_X400_ADDRESS, san_list, expanded); + } else if (strcmp("subject_directory_name", parsed_template->name) == 0) { + ret = expand_san_rdn_list(ctx, SAN_DIRECTORY_NAME, san_list, + parsed_template->conversion, expanded); + } else if (strcmp("subject_ediparty_name", parsed_template->name) == 0) { + ret = expand_san_blob(ctx, SAN_EDIPART_NAME, san_list, expanded); + } else if (strcmp("subject_uri", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_URI, san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_ip_address", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_IP_ADDRESS, san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_registered_id", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_REGISTERED_ID, san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_pkinit_principal", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_PKINIT, san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_nt_principal", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_NT, san_list, + parsed_template->attr_name, expanded); + } else if (strcmp("subject_principal", parsed_template->name) == 0) { + ret = expand_san_string(ctx, SAN_PRINCIPAL, san_list, + parsed_template->attr_name, expanded); + } else { + CM_DEBUG(ctx, "Unsupported template name [%s].n", + parsed_template->name); + ret = EINVAL; + } + + return ret; +} + +static int expand_template(struct sss_certmap_ctx *ctx, + struct parsed_template *parsed_template, + struct sss_cert_content *cert_content, + char **expanded) +{ + int ret; + char *exp = NULL; + + if (strcmp("issuer_dn", parsed_template->name) == 0) { + ret = rdn_list_2_dn_str(ctx, parsed_template->conversion, + 
cert_content->issuer_rdn_list, &exp); + } else if (strcmp("subject_dn", parsed_template->name) == 0) { + ret = rdn_list_2_dn_str(ctx, parsed_template->conversion, + cert_content->subject_rdn_list, &exp); + } else if (strncmp("subject_", parsed_template->name, 8) == 0) { + ret = expand_san(ctx, parsed_template, cert_content->san_list, &exp); + } else if (strcmp("cert", parsed_template->name) == 0) { + ret = expand_cert(ctx, parsed_template, cert_content, &exp); + } else { + CM_DEBUG(ctx, "Unsupported template name."); + ret = EINVAL; + goto done; + } + if (ret != 0) { + CM_DEBUG(ctx, "Failed to expand [%s] template.", parsed_template->name); + goto done; + } + + if (exp == NULL) { + ret = ENOMEM; + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *expanded = exp; + } else { + talloc_free(exp); + } + + return ret; +} + +static int get_filter(struct sss_certmap_ctx *ctx, + struct ldap_mapping_rule *parsed_mapping_rule, + struct sss_cert_content *cert_content, + char **filter) +{ + struct ldap_mapping_rule_comp *comp; + char *result = NULL; + char *expanded = NULL; + int ret; + + result = talloc_strdup(ctx, ""); + if (result == NULL) { + return ENOMEM; + } + + for (comp = parsed_mapping_rule->list; comp != NULL; comp = comp->next) { + if (comp->type == comp_string) { + result = talloc_strdup_append(result, comp->val); + } else if (comp->type == comp_template) { + ret = expand_template(ctx, comp->parsed_template, cert_content, + &expanded); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to expanded template."); + goto done; + } + + result = talloc_strdup_append(result, expanded); + talloc_free(expanded); + expanded = NULL; + if (result == NULL) { + ret = ENOMEM; + goto done; + } + } else { + ret = EINVAL; + CM_DEBUG(ctx, "Unsupported component type."); + goto done; + } + } + + ret = 0; +done: + talloc_free(expanded); + if (ret == 0) { + *filter = result; + } else { + talloc_free(result); + } + + return ret; +} + +static bool check_san_regexp(struct sss_certmap_ctx 
*ctx, + enum san_opt san_opt, regex_t regexp, + struct san_list *san_list) +{ + struct san_list *item; + bool match = false; + int ret; + char *tmp_str = NULL; + + DLIST_FOR_EACH(item, san_list) { + if (item->san_opt == san_opt) { + if (item->san_opt == SAN_DIRECTORY_NAME) { + /* use LDAP order for matching */ + ret = rdn_list_2_dn_str(ctx, NULL, item->rdn_list, &tmp_str); + if (ret != 0 || tmp_str == NULL) { + return false; + } + match = (regexec(®exp, tmp_str, 0, NULL, 0) == 0); + talloc_free(tmp_str); + } else { + match = (item->val != NULL + && regexec(®exp, item->val, 0, NULL, 0) == 0); + } + if (!match) { + return false; + } + } + } + + return match; +} + +static bool check_san_blob(enum san_opt san_opt, + uint8_t *bin_val, size_t bin_val_len, + struct san_list *san_list) +{ + struct san_list *item; + bool match = false; + + if (bin_val == NULL || bin_val_len == 0) { + return false; + } + + DLIST_FOR_EACH(item, san_list) { + if (item->san_opt == san_opt) { + match = (item->bin_val != NULL && item->bin_val_len != 0 + && memmem(item->bin_val, item->bin_val_len, + bin_val, bin_val_len) != NULL); + if (!match) { + return false; + } + } + } + + return match; +} + +static bool check_san_str_other_name(enum san_opt san_opt, + const char *str_other_name_oid, + regex_t regexp, + struct san_list *san_list) +{ + struct san_list *item; + bool match = false; + char *tmp_str; + + if (str_other_name_oid == NULL) { + return false; + } + + DLIST_FOR_EACH(item, san_list) { + if (item->san_opt == san_opt + && strcmp(item->other_name_oid, str_other_name_oid) == 0) { + match = false; + if (item->bin_val != NULL && item->bin_val_len != 0) { + tmp_str = talloc_strndup(item, (char *) item->bin_val, + item->bin_val_len); + if (tmp_str != NULL) { + match = (regexec(®exp, tmp_str, 0, NULL, 0) == 0); + } + talloc_free(tmp_str); + } + if (!match) { + return false; + } + } + } + + return match; +} + +static bool do_san_match(struct sss_certmap_ctx *ctx, + struct component_list *comp, + 
struct san_list *san_list) +{ + switch (comp->san_opt) { + case SAN_OTHER_NAME: + return check_san_blob(SAN_STRING_OTHER_NAME, + comp->bin_val, comp->bin_val_len, + san_list); + break; + case SAN_X400_ADDRESS: + case SAN_EDIPART_NAME: + return check_san_blob(comp->san_opt, comp->bin_val, comp->bin_val_len, + san_list); + break; + case SAN_RFC822_NAME: + case SAN_DNS_NAME: + case SAN_DIRECTORY_NAME: + case SAN_URI: + case SAN_IP_ADDRESS: + case SAN_REGISTERED_ID: + case SAN_PKINIT: + case SAN_NT: + case SAN_PRINCIPAL: + return check_san_regexp(ctx, comp->san_opt, comp->regexp, san_list); + break; + case SAN_STRING_OTHER_NAME: + return check_san_str_other_name(comp->san_opt, comp->str_other_name_oid, + comp->regexp, san_list); + break; + default: + CM_DEBUG(ctx, "Unsupported SAN option [%d].", comp->san_opt); + return false; + } +} + +static int do_match(struct sss_certmap_ctx *ctx, + struct krb5_match_rule *parsed_match_rule, + struct sss_cert_content *cert_content) +{ + struct component_list *comp; + bool match = false; + size_t c; + + if (parsed_match_rule == NULL || cert_content == NULL) { + return EINVAL; + } + + /* Issuer */ + for (comp = parsed_match_rule->issuer; comp != NULL; comp = comp->next) { + match = (cert_content->issuer_str != NULL + && regexec(&(comp->regexp), cert_content->issuer_str, + 0, NULL, 0) == 0); + if (match && parsed_match_rule->r == relation_or) { + /* match */ + return 0; + } else if (!match && parsed_match_rule->r == relation_and) { + /* no match */ + return ENOENT; + } + + } + + /* Subject */ + for (comp = parsed_match_rule->subject; comp != NULL; comp = comp->next) { + match = (cert_content->subject_str != NULL + && regexec(&(comp->regexp), cert_content->subject_str, + 0, NULL, 0) == 0); + if (match && parsed_match_rule->r == relation_or) { + /* match */ + return 0; + } else if (!match && parsed_match_rule->r == relation_and) { + /* no match */ + return ENOENT; + } + + } + + /* Key Usage */ + for (comp = parsed_match_rule->ku; comp 
!= NULL; comp = comp->next) { + match = ((cert_content->key_usage & comp->ku) == comp->ku); + if (match && parsed_match_rule->r == relation_or) { + /* match */ + return 0; + } else if (!match && parsed_match_rule->r == relation_and) { + /* no match */ + return ENOENT; + } + } + + /* Extended Key Usage */ + for (comp = parsed_match_rule->eku; comp != NULL; comp = comp->next) { + for (c = 0; comp->eku_oid_list[c] != NULL; c++) { + match = string_in_list(comp->eku_oid_list[c], + discard_const( + cert_content->extended_key_usage_oids), + true); + if (match && parsed_match_rule->r == relation_or) { + /* match */ + return 0; + } else if (!match && parsed_match_rule->r == relation_and) { + /* no match */ + return ENOENT; + } + } + } + + /* SAN */ + for (comp = parsed_match_rule->san; comp != NULL; comp = comp->next) { + match = do_san_match(ctx, comp, cert_content->san_list); + if (match && parsed_match_rule->r == relation_or) { + /* match */ + return 0; + } else if (!match && parsed_match_rule->r == relation_and) { + /* no match */ + return ENOENT; + } + } + + if (match) { + /* match */ + return 0; + } + + /* no match */ + return ENOENT; +} + +int sss_certmap_match_cert(struct sss_certmap_ctx *ctx, + const uint8_t *der_cert, size_t der_size) +{ + int ret; + struct match_map_rule *r; + struct priority_list *p; + struct sss_cert_content *cert_content = NULL; + + ret = sss_cert_get_content(ctx, der_cert, der_size, &cert_content); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to get certificate content."); + return ret; + } + + if (ctx->prio_list == NULL) { + /* Match all certificates if there are no rules applied */ + ret = 0; + goto done; + } + + for (p = ctx->prio_list; p != NULL; p = p->next) { + for (r = p->rule_list; r != NULL; r = r->next) { + ret = do_match(ctx, r->parsed_match_rule, cert_content); + if (ret == 0) { + /* match */ + goto done; + } + } + } + + ret = ENOENT; +done: + talloc_free(cert_content); + + return ret; +} + +int sss_certmap_get_search_filter(struct 
sss_certmap_ctx *ctx, + const uint8_t *der_cert, size_t der_size, + char **_filter, char ***_domains) +{ + int ret; + struct match_map_rule *r; + struct priority_list *p; + struct sss_cert_content *cert_content = NULL; + char *filter = NULL; + char **domains = NULL; + size_t c; + + if (_filter == NULL || _domains == NULL) { + return EINVAL; + } + + ret = sss_cert_get_content(ctx, der_cert, der_size, &cert_content); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to get certificate content [%d].", ret); + return ret; + } + + if (ctx->prio_list == NULL) { + if (ctx->default_mapping_rule == NULL) { + CM_DEBUG(ctx, "No matching or mapping rules available."); + return EINVAL; + } + + ret = get_filter(ctx, ctx->default_mapping_rule, cert_content, &filter); + goto done; + } + + for (p = ctx->prio_list; p != NULL; p = p->next) { + for (r = p->rule_list; r != NULL; r = r->next) { + ret = do_match(ctx, r->parsed_match_rule, cert_content); + if (ret == 0) { + /* match */ + ret = get_filter(ctx, r->parsed_mapping_rule, cert_content, + &filter); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to get filter"); + goto done; + } + + if (r->domains != NULL) { + for (c = 0; r->domains[c] != NULL; c++); + domains = talloc_zero_array(ctx, char *, c + 1); + if (domains == NULL) { + ret = ENOMEM; + goto done; + } + + for (c = 0; r->domains[c] != NULL; c++) { + domains[c] = talloc_strdup(domains, r->domains[c]); + if (domains[c] == NULL) { + ret = ENOMEM; + goto done; + } + } + } + + ret = 0; + goto done; + } + } + } + + ret = ENOENT; + +done: + talloc_free(cert_content); + if (ret == 0) { + *_filter = filter; + *_domains = domains; + } else { + talloc_free(filter); + talloc_free(domains); + } + + return ret; +} + +int sss_certmap_init(TALLOC_CTX *mem_ctx, + sss_certmap_ext_debug *debug, void *debug_priv, + struct sss_certmap_ctx **ctx) +{ + int ret; + + if (ctx == NULL) { + return EINVAL; + } + + *ctx = talloc_zero(mem_ctx, struct sss_certmap_ctx); + if (*ctx == NULL) { + return ENOMEM; + } + + 
(*ctx)->debug = debug; + (*ctx)->debug_priv = debug_priv; + + ret = parse_mapping_rule(*ctx, DEFAULT_MAP_RULE, + &((*ctx)->default_mapping_rule)); + if (ret != 0) { + CM_DEBUG((*ctx), "Failed to parse default mapping rule."); + talloc_free(*ctx); + *ctx = NULL; + return ret; + } + + CM_DEBUG((*ctx), "sss_certmap initialized."); + return EOK; +} + +void sss_certmap_free_ctx(struct sss_certmap_ctx *ctx) +{ + talloc_free(ctx); +} + +void sss_certmap_free_filter_and_domains(char *filter, char **domains) +{ + talloc_free(filter); + talloc_free(domains); +} diff --git a/src/lib/certmap/sss_certmap.doxy.in b/src/lib/certmap/sss_certmap.doxy.in new file mode 100644 index 0000000..e8959e2 --- /dev/null +++ b/src/lib/certmap/sss_certmap.doxy.in @@ -0,0 +1,3 @@ +PROJECT_NAME = sss_certmap +OUTPUT_DIRECTORY = certmap_doc +INPUT = @abs_top_srcdir@/src/lib/certmap/sss_certmap.h diff --git a/src/lib/certmap/sss_certmap.exports b/src/lib/certmap/sss_certmap.exports new file mode 100644 index 0000000..8b5d536 --- /dev/null +++ b/src/lib/certmap/sss_certmap.exports @@ -0,0 +1,13 @@ +SSS_CERTMAP_0.0 { + global: + sss_certmap_init; + sss_certmap_free_ctx; + sss_certmap_err_msg; + sss_certmap_add_rule; + sss_certmap_match_cert; + sss_certmap_get_search_filter; + sss_cert_get_content; + sss_certmap_free_filter_and_domains; + local: + *; +}; diff --git a/src/lib/certmap/sss_certmap.h b/src/lib/certmap/sss_certmap.h new file mode 100644 index 0000000..646e0f3 --- /dev/null +++ b/src/lib/certmap/sss_certmap.h 
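Review bot: Values taken from the certificate reach the LDAP search filter without RFC 4515 escaping: `expand_san_string()` returns `talloc_strdup(ctx, item->val)` (or `item->short_name`), `expand_template()` passes the `rdn_list_2_dn_str()` output through unchanged, and `get_filter()` concatenates the result with `talloc_strdup_append()`. A certificate whose SAN or DN component contains characters that are special in a filter (`*`, `(`, `)`, `\`, NUL) can therefore change which directory entries the mapping rule selects. The string-valued expansions should be escaped inside the expand_* helpers, for example `ret = sss_filter_sanitize(ctx, item->val, &exp);` in place of the `talloc_strdup()` call, assuming that helper from util/util.h can be linked into this library. Separately, the `comp_string` branch of `get_filter()` does not check the `talloc_strdup_append()` result, unlike the template branch, so an allocation failure there is not reported as ENOMEM.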
@@ -0,0 +1,152 @@ +/* + SSSD + + Library for rule based certificate to user mapping + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSS_CERTMAP_H_ +#define _SSS_CERTMAP_H_ + +#include +#include +#include + +/** + * @defgroup sss_certmap Allow rule-based mapping of certificates to users + * Libsss_certmap provides a mechanism to map X509 certificate to users based + * on rules. 
+ * @{ + */ + +/** + * Opaque type for the idmap context + */ +struct sss_certmap_ctx; + +/** + * Lowest priority of a rule + */ +#define SSS_CERTMAP_MIN_PRIO UINT32_MAX + +/** + * Typedef for external debug callback + */ +typedef void (sss_certmap_ext_debug)(void *pvt, + const char *file, long line, + const char *function, + const char *format, ...); +/** + * @brief Initialize certmap context + * + * @param[in] mem_ctx Talloc memory context, may be NULL + * @param[in] debug Callback to handle debug output, may be NULL + * @param[in] debug_priv Private data for debugging callback, may be NULL + * @param[out] ctx New certmap context + * + * @return + * - 0: success + * - ENOMEM: failed to allocate internal Talloc context + * - EINVAL: ctx is NULL + */ +int sss_certmap_init(TALLOC_CTX *mem_ctx, + sss_certmap_ext_debug *debug, void *debug_priv, + struct sss_certmap_ctx **ctx); + +/** + * @brief Free certmap context + * + * @param[in] ctx certmap context previously initialized with + * @ref sss_certmap_init, may be NULL + */ +void sss_certmap_free_ctx(struct sss_certmap_ctx *ctx); + +/** + * @brief Add a rule to the certmap context + * + * @param[in] ctx certmap context previously initialized with + * @ref sss_certmap_init + * @param[in] priority priority of the rule, 0 is the hightest priority, the + * lowest is SSS_CERTMAP_MIN_PRIO + * @param[in] match_rule String with the matching rule + * @param[in] map_rule String with the mapping rule + * @param[in] domains NULL-terminated string array with a list of domains + * the rule should be valid for, i.e. 
only this domains + * should be searched for matching users + * + * @return + * - 0: success + */ +int sss_certmap_add_rule(struct sss_certmap_ctx *ctx, + uint32_t priority, const char *match_rule, + const char *map_rule, const char **domains); + +/** + * @brief Check if a certificate matches any of the applied rules + * + * @param[in] ctx certmap context previously initialized with + * @ref sss_certmap_init + * @param[in] der_cert binary blog with the DER encoded certificate + * @param[in] der_size size of the certificate blob + * + * @return + * - 0: certificate matches a rule + * - ENOENT: certificate does not match + * - EINVAL: internal error + */ +int sss_certmap_match_cert(struct sss_certmap_ctx *ctx, + const uint8_t *der_cert, size_t der_size); + +/** + * @brief Get the LDAP filter string for a certificate + * + * @param[in] ctx certmap context previously initialized with + * @ref sss_certmap_init + * @param[in] der_cert binary blog with the DER encoded certificate + * @param[in] der_size size of the certificate blob + * @param[out] filter LDAP filter string, caller should free the data by + * calling sss_certmap_free_filter_and_domains + * @param[out] domains NULL-terminated array of strings with the domains the + * rule applies, caller should free the data by calling + * sss_certmap_free_filter_and_domains + * + * @return + * - 0: certificate matches a rule + * - ENOENT: certificate does not match + * - EINVAL: internal error + */ +int sss_certmap_get_search_filter(struct sss_certmap_ctx *ctx, + const uint8_t *der_cert, size_t der_size, + char **filter, char ***domains); + +/** + * @brief Free data returned by @ref sss_certmap_get_search_filter + * + * @param[in] filter LDAP filter strings returned by + * sss_certmap_get_search_filter + * @param[in] domains string array of domains returned by + * sss_certmap_get_search_filter + */ +void sss_certmap_free_filter_and_domains(char *filter, char **domains); + +/** + * @} + */ +#endif /* _SSS_CERTMAP_H_ */ 
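Review bot: The documented return values do not match what sss_certmap.c in this same patch returns. `sss_certmap_add_rule()` lists only 0, although the implementation returns ENOMEM on allocation failure and ESRCH for an unsupported rule type. `sss_certmap_match_cert()` returns 0 for every certificate it can parse when no rule has been added, which a caller making an authentication decision needs to know. I would add `- ESRCH: unsupported matching or mapping rule type` and `- ENOMEM: allocation failure` to add_rule, and `If no rules were added, every parsable certificate matches.` to match_cert. Small wording slips to fix in the same pass: `idmap context` should read `certmap context`, `hightest` should be `highest`, and `binary blog` should be `binary blob`.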
diff --git a/src/lib/certmap/sss_certmap.pc.in b/src/lib/certmap/sss_certmap.pc.in
new file mode 100644
index 0000000..f1a4432
--- /dev/null
+++ b/src/lib/certmap/sss_certmap.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: sss_certmap
+Description: SSS certificate mapping library
+Version: @VERSION@
+Libs: -L${libdir} -lsss_certmap
+Cflags:
+URL: https://pagure.io/SSSD/sssd/
diff --git a/src/lib/certmap/sss_certmap_attr_names.c b/src/lib/certmap/sss_certmap_attr_names.c
new file mode 100644
index 0000000..65c0f91
--- /dev/null
+++ b/src/lib/certmap/sss_certmap_attr_names.c
@@ -0,0 +1,134 @@ +/* + SSSD + + Library for rule based certificate to user mapping - Attribute name + mapping for different implementations + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* NSS data taken from nss-utils:nss/lib/util/secoid.c and + * nss:nss/lib/certdb/alg1485.c */ + +/* AD data taken from + * https://msdn.microsoft.com/en-us/library/windows/desktop/aa376556%28v=vs.85%29.aspx + * and wine source code dlls/crypt32/oid.c  and include/wincrypt.h . 
*/ + +/* OpenSSL data taken from include/openssl/obj_mac.h */ + +#include +#include +#include + +struct oid_attr_name_map { + bool nss_ad_differ; + bool nss_openssl_differ; + const char *oid; + const char *nss; + const char *ad; + const char *openssl; +} oid_attr_name_map[] = { + { false, false, "2.5.4.3", "CN", "CN", "CN"}, + { true, false, "2.5.4.8", "ST", "S", "ST"}, + { false, false, "2.5.4.10", "O", "O", "O"}, + { false, false, "2.5.4.11", "OU", "OU", "OU"}, + { false, false, "2.5.4.46", "dnQualifier", "dnQualifier", "dnQualifier"}, + { false, false, "2.5.4.6", "C", "C", "C"}, + { true, false, "2.5.4.5", "serialNumber", "SERIALNUMBER", "serialNumber"}, + { false, false, "2.5.4.7", "L", "L", "L"}, + { true, false, "2.5.4.12", "title", "T", "title"}, + { false, false, "2.5.4.4", "SN", "SN", "SN"}, + { true, true, "2.5.4.42", "givenName", "G", "GN"}, + { true, false, "2.5.4.43", "initials", "I", "initials"}, + { true, false, "2.5.4.44", "generationQualifier", "OID.2.5.4.44", "generationQualifier"}, + { false, false, "0.9.2342.19200300.100.1.25", "DC", "DC", "DC"}, + { true, true, "0.9.2342.19200300.100.1.3", "MAIL", "OID,0.9.2342.19200300.100.1.3", "mail"}, + { true, false, "0.9.2342.19200300.100.1.1", "UID", "OID.0.9.2342.19200300.100.1.1", "UID"}, + { true, true, "2.5.4.13", "OID.2.5.4.13", "Description", "description"}, + { true, false, "2.5.4.16", "postalAddress", "OID.2.5.4.16", "postalAddress"}, + { true, false, "2.5.4.17", "postalCode", "PostalCode", "postalCode"}, + { true, false, "2.5.4.18", "postOfficeBox", "POBox", "postOfficeBox"}, + { true, false, "2.5.4.51", "houseIdentifier", "OID.2.5.4.51", "houseIdentifier"}, + { false, true, "1.2.840.113549.1.9.1", "E", "E", "emailAddress"}, + { false, true, "2.5.4.9", "STREET", "STREET", "street"}, + { true, false, "2.5.4.65", "pseudonym", "OID.2.5.4.65", "pseudonym"}, + { true, false, "2.5.4.15", "businessCategory", "OID.2.5.4.15", "businessCategory"}, + { true, false, "2.5.4.41", "name", "OID.2.5.4.41", 
"name"}, + + { false, false, NULL, NULL, NULL, NULL} +}; + +char *check_ad_attr_name(TALLOC_CTX *mem_ctx, const char *rdn) +{ + char *p; + size_t c; + size_t len; + + if (rdn == NULL) { + return NULL; + } + + p = strchr(rdn, '='); + if (p == NULL) { + return NULL; + } + + len = p - rdn; + if (len == 0) { + return NULL; + } + + for (c = 0; oid_attr_name_map[c].oid != NULL; c++) { + if (!oid_attr_name_map[c].nss_ad_differ) { + continue; + } + + if (strlen(oid_attr_name_map[c].nss) != len + || strncmp(rdn, oid_attr_name_map[c].nss, len) != 0) { + continue; + } + + return talloc_asprintf(mem_ctx, "%s%s", oid_attr_name_map[c].ad, p); + } + + return NULL; +} + +const char *openssl_2_nss_attr_name(const char *attr) +{ + size_t c; + + if (attr == NULL) { + return NULL; + } + + for (c = 0; oid_attr_name_map[c].oid != NULL; c++) { + if (!oid_attr_name_map[c].nss_openssl_differ) { + continue; + } + + if (strcmp(attr, oid_attr_name_map[c].openssl) != 0) { + continue; + } + + return oid_attr_name_map[c].nss; + } + + return attr; +} diff --git a/src/lib/certmap/sss_certmap_int.h b/src/lib/certmap/sss_certmap_int.h new file mode 100644 index 0000000..479cc16 --- /dev/null +++ b/src/lib/certmap/sss_certmap_int.h 
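Review bot: The AD name in the MAIL row of `oid_attr_name_map`, `"OID,0.9.2342.19200300.100.1.3"`, has a comma where every other `OID.` entry in the table has a dot. `check_ad_attr_name()` would therefore rewrite a `MAIL=...` RDN to a prefix that is probably not what an AD-style DN uses, and a rule relying on that form would fail to match. It likely should read `"OID.0.9.2342.19200300.100.1.3"`, which is worth confirming against the source listed in the file's header comment. The table is also a writable global with external linkage. Unless another file refers to it, declaring it `static const struct oid_attr_name_map ...` would keep it read-only and out of the global namespace.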
@@ -0,0 +1,210 @@ +/* + SSSD + + Library for rule based certificate to user mapping + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSS_CERTMAP_INT_H__ +#define __SSS_CERTMAP_INT_H__ + +#include +#include +#include +#include +#include + +#include "lib/certmap/sss_certmap.h" + +#define CM_DEBUG(cm_ctx, format, ...) do { \ + if (cm_ctx != NULL && cm_ctx->debug != NULL) { \ + cm_ctx->debug(cm_ctx->debug_priv, __FILE__, __LINE__, __FUNCTION__, \ + format, ##__VA_ARGS__); \ + } \ +} while (0) + +#define DEFAULT_MATCH_RULE "digitalSignatureclientAuth" +#define DEFAULT_MAP_RULE "LDAP:(userCertificate;binary={cert!bin})" + +#define PKINIT_OID "1.3.6.1.5.2.2" +#define NT_PRINCIPAL_OID "1.3.6.1.4.1.311.20.2.3" + +enum san_opt { + SAN_OTHER_NAME = 0, + SAN_RFC822_NAME, + SAN_DNS_NAME, + SAN_X400_ADDRESS, + SAN_DIRECTORY_NAME, + SAN_EDIPART_NAME, + SAN_URI, + SAN_IP_ADDRESS, + SAN_REGISTERED_ID, + SAN_PKINIT, + SAN_NT, + SAN_PRINCIPAL, + SAN_STRING_OTHER_NAME, + + SAN_END, + SAN_INVALID +}; + +/* KRB5 matching rule */ +enum relation_type { + relation_none = 0, + relation_and, + relation_or +}; + +struct component_list { + char *val; + regex_t regexp; + uint32_t ku; + const char **eku_oid_list; + enum san_opt san_opt; + char *str_other_name_oid; + uint8_t *bin_val; + size_t bin_val_len; + struct component_list *prev; + struct component_list *next; +}; + 
+struct krb5_match_rule { + enum relation_type r; + struct component_list *issuer; + struct component_list *subject; + struct component_list *ku; + struct component_list *eku; + struct component_list *san; +}; + +enum comp_type { + comp_none = 0, + comp_string, + comp_template +}; + +struct parsed_template { + char *name; + char *attr_name; + char *conversion; +}; + +struct ldap_mapping_rule_comp { + enum comp_type type; + char *val; + struct parsed_template *parsed_template; + struct ldap_mapping_rule_comp *prev; + struct ldap_mapping_rule_comp *next; +}; + +struct ldap_mapping_rule { + struct ldap_mapping_rule_comp *list; +}; + +struct match_map_rule { + uint32_t priority; + char *match_rule; + struct krb5_match_rule *parsed_match_rule; + char *map_rule; + struct ldap_mapping_rule *parsed_mapping_rule; + char **domains; + struct match_map_rule *prev; + struct match_map_rule *next; +}; + +struct priority_list { + uint32_t priority; + struct match_map_rule *rule_list; + struct priority_list *prev; + struct priority_list *next; +}; + +struct sss_certmap_ctx { + struct priority_list *prio_list; + sss_certmap_ext_debug *debug; + void *debug_priv; + struct ldap_mapping_rule *default_mapping_rule; +}; + +struct san_list { + enum san_opt san_opt; + char *val; + uint8_t *bin_val; + size_t bin_val_len; + char *other_name_oid; + char *short_name; + const char **rdn_list; + struct san_list *prev; + struct san_list *next; +}; + +/* key usage flags, see RFC 3280 section 4.2.1.3 */ +#define SSS_KU_DIGITAL_SIGNATURE 0x0080 +#define SSS_KU_NON_REPUDIATION 0x0040 +#define SSS_KU_KEY_ENCIPHERMENT 0x0020 +#define SSS_KU_DATA_ENCIPHERMENT 0x0010 +#define SSS_KU_KEY_AGREEMENT 0x0008 +#define SSS_KU_KEY_CERT_SIGN 0x0004 +#define SSS_KU_CRL_SIGN 0x0002 +#define SSS_KU_ENCIPHER_ONLY 0x0001 +#define SSS_KU_DECIPHER_ONLY 0x8000 + +struct sss_cert_content { + char *issuer_str; + const char **issuer_rdn_list; + char *subject_str; + const char **subject_rdn_list; + uint32_t key_usage; + const 
char **extended_key_usage_oids; + struct san_list *san_list; + + uint8_t *cert_der; + size_t cert_der_size; +}; + +int sss_cert_get_content(TALLOC_CTX *mem_ctx, + const uint8_t *der_blob, size_t der_size, + struct sss_cert_content **content); + +char *check_ad_attr_name(TALLOC_CTX *mem_ctx, const char *rdn); + +char *openssl_2_nss_attr_name(const char *attr); + +int parse_krb5_match_rule(struct sss_certmap_ctx *ctx, + const char *rule_start, + struct krb5_match_rule **match_rule); + +int parse_ldap_mapping_rule(struct sss_certmap_ctx *ctx, + const char *rule_start, + struct ldap_mapping_rule **mapping_rule); + +int get_short_name(TALLOC_CTX *mem_ctx, const char *full_name, + char delim, char **short_name); + +int add_to_san_list(TALLOC_CTX *mem_ctx, bool is_bin, + enum san_opt san_opt, const uint8_t *data, size_t len, + struct san_list **item); + +int add_principal_to_san_list(TALLOC_CTX *mem_ctx, enum san_opt san_opt, + const char *princ, struct san_list **item); + +int rdn_list_2_dn_str(TALLOC_CTX *mem_ctx, const char *conversion, + const char **rdn_list, char **result); +#endif /* __SSS_CERTMAP_INT_H__ */ diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c new file mode 100644 index 0000000..125e925 --- /dev/null +++ b/src/lib/certmap/sss_certmap_krb5_match.c 
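Review bot: The prototype `char *openssl_2_nss_attr_name(const char *attr);` in this header disagrees with the definition shown just before it in the patch, which returns `const char *`. That function hands back either a string from the static `oid_attr_name_map` table or the caller's own `attr`. Declaring it as `const char *openssl_2_nss_attr_name(const char *attr);` stops callers from writing through a pointer into that table. The defining file's include lines are not legible here, but it appears not to include this header, so the compiler would not flag the mismatch; adding `#include "lib/certmap/sss_certmap_int.h"` there would turn it into a build error.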
@@ -0,0 +1,562 @@ +/* + SSSD + + Library for rule based certificate to user mapping - KRB5 matching rules + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "lib/certmap/sss_certmap.h" +#include "lib/certmap/sss_certmap_int.h" + +static bool is_dotted_decimal(const char *s, size_t len) +{ + size_t c = 0; + bool has_dot = false; + + if (s == NULL || !isdigit(s[c++])) { + return false; + } + + while ((len == 0 && s[c] != '\0') || (len != 0 && c < len)) { + if (s[c] != '.' && !isdigit(s[c])) { + return false; + } + if (!has_dot && s[c] == '.') { + has_dot = true; + } + c++; + } + + return (has_dot && isdigit(s[c - 1])); +} + +static int component_list_destructor(void *data) +{ + struct component_list *comp = talloc_get_type(data, struct component_list); + + if (comp != NULL) { + regfree(&(comp->regexp)); + } + + return 0; +} + +/* + * The syntax of the MIT Kerberos style matching rules is: + * [KRB5:][relation-operator]component-rule ... + * + * where: + * + * relation-operator + * can be either &&, meaning all component rules must match, or ||, + * meaning only one component rule must match. The default is &&. + * + * component-rule + * can be one of the following. Note that there is no punctuation or whitespace between component rules. 
+ * regular-expression + * regular-expression + * regular-expression + * extended-key-usage + * key-usage + * + * see man sss-certmap for more details + * + */ + +static int get_comp_value(TALLOC_CTX *mem_ctx, + struct sss_certmap_ctx *ctx, + const char **cur, + struct component_list **_comp) + +{ + struct component_list *comp = NULL; + const char *end; + int ret; + + comp = talloc_zero(mem_ctx, struct component_list); + if (comp == NULL) { + ret = ENOMEM; + goto done; + } + + talloc_set_destructor((TALLOC_CTX *) comp, component_list_destructor); + + end = strchr(*cur, '<'); + + if (end == NULL) { + comp->val = talloc_strdup(comp, *cur); + } else { + comp->val = talloc_strndup(comp, *cur, end - *cur); + } + if (comp->val == NULL) { + ret = ENOMEM; + goto done; + } + if (*(comp->val) == '\0') { + CM_DEBUG(ctx, "Missing component value."); + ret = EINVAL; + goto done; + } + + *cur += strlen(comp->val); + *_comp = comp; + ret = 0; + +done: + if (ret != 0) { + talloc_free(comp); + } + + return ret; +} + +static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx, + struct sss_certmap_ctx *ctx, + const char **cur, + struct component_list **_comp) +{ + struct component_list *comp = NULL; + int ret; + char **eku_list; + size_t c; + size_t k; + const char *o; + size_t e = 0; + int eku_list_size; + + struct ext_key_usage { + const char *name; + const char *oid; + } ext_key_usage[] = { + /* RFC 3280 section 4.2.1.13 */ + {"serverAuth", "1.3.6.1.5.5.7.3.1"}, + {"clientAuth", "1.3.6.1.5.5.7.3.2"}, + {"codeSigning", "1.3.6.1.5.5.7.3.3"}, + {"emailProtection", "1.3.6.1.5.5.7.3.4"}, + {"timeStamping", "1.3.6.1.5.5.7.3.8"}, + {"OCSPSigning", "1.3.6.1.5.5.7.3.9"}, + + /* RFC 4556 section 3.2.2 */ + {"KPClientAuth", "1.3.6.1.5.2.3.4"}, + {"pkinit", "1.3.6.1.5.2.3.4"}, + + /* https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography*/ + {"msScLogin", "1.3.6.1.4.1.311.20.2.2"}, + + {NULL ,0} + }; + + ret = get_comp_value(mem_ctx, ctx, cur, &comp); 
+ if (ret != 0) { + CM_DEBUG(ctx, "Failed to parse regexp."); + goto done; + } + + ret = split_on_separator(mem_ctx, comp->val, ',', true, true, + &eku_list, &eku_list_size); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to split list."); + goto done; + } + + comp->eku_oid_list = talloc_zero_array(comp, const char *, + eku_list_size + 1); + if (comp->eku_oid_list == NULL) { + ret = ENOMEM; + goto done; + } + + for (c = 0; eku_list[c] != NULL; c++) { + for (k = 0; ext_key_usage[k].name != NULL; k++) { +CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name); + if (strcasecmp(eku_list[c], ext_key_usage[k].name) == 0) { + comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list, + ext_key_usage[k].oid); + if (comp->eku_oid_list[e] == NULL) { + ret = ENOMEM; + goto done; + } + e++; + break; + } + } + + if (ext_key_usage[k].name == NULL) { + /* check for an dotted-decimal OID */ + if (*(eku_list[c]) != '.') { + o = eku_list[c]; + if (is_dotted_decimal(o, 0)) { + /* looks like a OID, only '.' 
and digits */ + comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list, + eku_list[c]); + if (comp->eku_oid_list[e] == NULL) { + ret = ENOMEM; + goto done; + } + e++; + continue; + } + } + CM_DEBUG(ctx, "No matching extended key usage found."); + ret = EINVAL; + goto done; + } + } + + if (e == 0) { + talloc_free(comp->eku_oid_list); + comp->eku_oid_list = NULL; + } + + ret = 0; + +done: + if (ret == 0) { + *_comp = comp; + } else { + talloc_free(comp); + } + + return ret; +} + +static int parse_krb5_get_ku_value(TALLOC_CTX *mem_ctx, + struct sss_certmap_ctx *ctx, + const char **cur, + struct component_list **_comp) +{ + struct component_list *comp = NULL; + int ret; + char **ku_list; + size_t c; + size_t k; + + struct key_usage { + const char *name; + uint32_t flag; + } key_usage[] = { + {"digitalSignature" , SSS_KU_DIGITAL_SIGNATURE}, + {"nonRepudiation" , SSS_KU_NON_REPUDIATION}, + {"keyEncipherment" , SSS_KU_KEY_ENCIPHERMENT}, + {"dataEncipherment" , SSS_KU_DATA_ENCIPHERMENT}, + {"keyAgreement" , SSS_KU_KEY_AGREEMENT}, + {"keyCertSign" , SSS_KU_KEY_CERT_SIGN}, + {"cRLSign" , SSS_KU_CRL_SIGN}, + {"encipherOnly" , SSS_KU_ENCIPHER_ONLY}, + {"decipherOnly" , SSS_KU_DECIPHER_ONLY}, + {NULL ,0} + }; + + + ret = get_comp_value(mem_ctx, ctx, cur, &comp); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to get value."); + goto done; + } + + ret = split_on_separator(mem_ctx, comp->val, ',', true, true, + &ku_list, NULL); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to split list."); + goto done; + } + + for (c = 0; ku_list[c] != NULL; c++) { + for (k = 0; key_usage[k].name != NULL; k++) { + if (strcasecmp(ku_list[c], key_usage[k].name) == 0) { + comp->ku |= key_usage[k].flag; + break; + } + } + + if (key_usage[k].name == NULL) { + /* FIXME: add check for numerical ku */ + CM_DEBUG(ctx, "No matching key usage found."); + ret = EINVAL; + goto done; + } + } + + ret = 0; + +done: + if (ret == 0) { + *_comp = comp; + } else { + talloc_free(comp); + } + + return ret; +} + +static int 
parse_krb5_get_component_value(TALLOC_CTX *mem_ctx, + struct sss_certmap_ctx *ctx, + const char **cur, + struct component_list **_comp) +{ + struct component_list *comp = NULL; + int ret; + + ret = get_comp_value(mem_ctx, ctx, cur, &comp); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to parse regexp."); + goto done; + } + + ret = regcomp(&(comp->regexp), comp->val, REG_EXTENDED); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to parse regexp."); + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *_comp = comp; + } else { + talloc_free(comp); + } + + return ret; +} + +struct san_name { + const char *name; + enum san_opt san_opt; + bool is_string; +} san_names[] = { + /* https://www.ietf.org/rfc/rfc3280.txt section 4.2.1.7 */ + {"otherName", SAN_OTHER_NAME, false}, + {"rfc822Name", SAN_RFC822_NAME,true}, + {"dNSName", SAN_DNS_NAME, true}, + {"x400Address", SAN_X400_ADDRESS, false}, + {"directoryName", SAN_DIRECTORY_NAME, true}, + {"ediPartyName", SAN_EDIPART_NAME, false}, + {"uniformResourceIdentifier", SAN_URI, true}, + {"iPAddress", SAN_IP_ADDRESS, true}, + {"registeredID", SAN_REGISTERED_ID, true}, + /* https://www.ietf.org/rfc/rfc4556.txt section 3.2.2 */ + {"pkinitSAN", SAN_PKINIT, true}, + /* https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography */ + {"ntPrincipalName", SAN_NT, true}, + /* both previous principal types */ + {"Principal", SAN_PRINCIPAL, true}, + {"stringOtherName", SAN_STRING_OTHER_NAME, true}, + {NULL, SAN_END, false} +}; + +static int parse_krb5_get_san_option(TALLOC_CTX *mem_ctx, + struct sss_certmap_ctx *ctx, + const char **cur, + enum san_opt *option, + char **str_other_name_oid) +{ + char *end; + size_t c; + size_t len; + + end = strchr(*cur, '>'); + if (end == NULL) { + CM_DEBUG(ctx, "Failed to parse SAN option."); + return EINVAL; + } + + len = end - *cur; + + if (len == 0) { + c= SAN_PRINCIPAL; + } else { + for (c = 0; san_names[c].name != NULL; c++) { + if (strncasecmp(*cur, 
san_names[c].name, len) == 0) { + break; + } + } + if (san_names[c].name == NULL) { + if (is_dotted_decimal(*cur, len)) { + c = SAN_STRING_OTHER_NAME; + *str_other_name_oid = talloc_strndup(mem_ctx, *cur, len); + if (*str_other_name_oid == NULL) { + CM_DEBUG(ctx, "talloc_strndup failed."); + return ENOMEM; + } + } else { + CM_DEBUG(ctx, "Unknown SAN option."); + return EINVAL; + } + } + } + + *option = san_names[c].san_opt; + *cur = end + 1; + + return 0; +} + +static int parse_krb5_get_san_value(TALLOC_CTX *mem_ctx, + struct sss_certmap_ctx *ctx, + const char **cur, + struct component_list **_comp) +{ + struct component_list *comp = NULL; + enum san_opt san_opt = SAN_PRINCIPAL; + int ret; + char *str_other_name_oid = NULL; + + if (*(*cur - 1) == ':') { + ret = parse_krb5_get_san_option(mem_ctx, ctx, cur, &san_opt, + &str_other_name_oid); + if (ret != 0) { + goto done; + } + } + + if (san_names[san_opt].is_string) { + ret = parse_krb5_get_component_value(mem_ctx, ctx, cur, &comp); + if (ret != 0) { + goto done; + } + } else { + ret = get_comp_value(mem_ctx, ctx, cur, &comp); + if (ret != 0) { + goto done; + } + + if (comp->val != NULL) { + comp->bin_val = sss_base64_decode(comp, comp->val, + &comp->bin_val_len); + /* for some reasons the NSS version of sss_base64_decode might + * return a non-NULL value on error but len is still 0, so better + * check both. 
*/ + if (comp->bin_val == NULL || comp->bin_val_len == 0) { + CM_DEBUG(ctx, "Base64 decode failed."); + ret = EINVAL; + goto done; + } + } + } + comp->san_opt = san_opt; + +done: + if (ret == 0) { + comp->str_other_name_oid = talloc_steal(comp, str_other_name_oid); + *_comp = comp; + } else { + talloc_free(comp); + talloc_free(str_other_name_oid); + } + + return ret; +} + +int parse_krb5_match_rule(struct sss_certmap_ctx *ctx, + const char *rule_start, + struct krb5_match_rule **match_rule) +{ + const char *cur; + struct krb5_match_rule *rule; + struct component_list *comp; + int ret; + + rule = talloc_zero(ctx, struct krb5_match_rule); + if (rule == NULL) { + ret = ENOMEM; + goto done; + } + + cur = rule_start; + /* check relation */ + if (strncmp(cur, "&&", 2) == 0) { + rule->r = relation_and; + cur += 2; + } else if (strncmp(cur, "||", 2) == 0) { + rule->r = relation_or; + cur += 2; + } else { + rule->r = relation_and; + } + + while (*cur != '\0') { + /* new component must start with '<' */ + if (*cur != '<') { + CM_DEBUG(ctx, "Invalid KRB5 matching rule."); + ret = EINVAL; + goto done; + } + cur++; + + if (strncmp(cur, "ISSUER>", 7) == 0) { + cur += 7; + ret = parse_krb5_get_component_value(rule, ctx, &cur, &comp); + if (ret != 0) { + goto done; + } + DLIST_ADD(rule->issuer, comp); + } else if (strncmp(cur, "SUBJECT>", 8) == 0) { + cur += 8; + ret = parse_krb5_get_component_value(rule, ctx, &cur, &comp); + if (ret != 0) { + goto done; + } + DLIST_ADD(rule->subject, comp); + } else if (strncmp(cur, "KU>", 3) == 0) { + cur += 3; + ret = parse_krb5_get_ku_value(rule, ctx, &cur, &comp); + if (ret != 0) { + goto done; + } + DLIST_ADD(rule->ku, comp); + } else if (strncmp(cur, "EKU>", 4) == 0) { + cur += 4; + ret = parse_krb5_get_eku_value(rule, ctx, &cur, &comp); + if (ret != 0) { + goto done; + } + DLIST_ADD(rule->eku, comp); + } else if (strncmp(cur, "SAN>", 4) == 0 + || strncmp(cur, "SAN:", 4) == 0) { + cur += 4; + ret = parse_krb5_get_san_value(rule, ctx, &cur, 
&comp); + if (ret != 0) { + goto done; + } + DLIST_ADD(rule->san, comp); + } else { + CM_DEBUG(ctx, "Invalid KRB5 matching rule."); + ret = EINVAL; + goto done; + } + } + + ret = 0; + +done: + if (ret == 0) { + *match_rule = rule; + } else { + talloc_free(rule); + } + + return ret; +} diff --git a/src/lib/certmap/sss_certmap_ldap_mapping.c b/src/lib/certmap/sss_certmap_ldap_mapping.c new file mode 100644 index 0000000..a50e504 --- /dev/null +++ b/src/lib/certmap/sss_certmap_ldap_mapping.c 
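Review bot: In `parse_krb5_get_san_option` the lookup `strncasecmp(*cur, san_names[c].name, len) == 0` compares only the `len` characters in front of `>`, so any leading fragment of a SAN type name is accepted and resolves to the first table entry it prefixes; an option of just `d` would select `dNSName`. These rules decide which certificates match, so a mistyped option should be rejected rather than silently mapped to a different SAN type. Adding a length test makes the match exact: `if (strlen(san_names[c].name) == len && strncasecmp(*cur, san_names[c].name, len) == 0)`, the same shape `check_ad_attr_name` uses earlier in the patch. Separately, `is_dotted_decimal` passes a plain `char` to `isdigit`; casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f.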
@@ -0,0 +1,371 @@ +/* + SSSD + + Library for rule based certificate to user mapping - LDAP mapping rules + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/dlinklist.h" +#include "lib/certmap/sss_certmap.h" +#include "lib/certmap/sss_certmap_int.h" + +struct template_table { + const char *name; + const char **attr_name; + const char **conversion; +}; + +const char *empty[] = {NULL}; +const char *name_attr[] = {"short_name", NULL}; +const char *x500_conv[] = {"ad_x500", "ad", "ad_ldap", + "nss_x500", "nss", "nss_ldap", NULL}; +const char *bin_conv[] = {"bin", "base64", NULL}; + +struct template_table template_table[] = { + {"issuer_dn", empty, x500_conv}, + {"subject_dn", empty, x500_conv}, + {"cert", empty, bin_conv}, + {"subject_rfc822_name", name_attr, empty}, + {"subject_dns_name", name_attr, empty}, + {"subject_x400_address", empty, empty}, + {"subject_directory_name", empty, empty}, + {"subject_ediparty_name", empty, empty}, + {"subject_uri", empty, empty}, + {"subject_ip_address", empty, empty}, + {"subject_registered_id", empty, empty}, + {"subject_pkinit_principal", name_attr, empty}, + {"subject_nt_principal", name_attr, empty}, + {"subject_principal", name_attr, empty}, + {NULL, NULL, NULL}}; + +static int check_parsed_template(struct sss_certmap_ctx *ctx, + struct parsed_template *parsed) +{ + 
size_t n; + size_t a; + size_t c; + bool attr_name_valid = false; + bool conversion_valid = false; + + for (n = 0; template_table[n].name != NULL; n++) { + if (strcmp(template_table[n].name, parsed->name) != 0) { + continue; + } + + if (parsed->attr_name != NULL) { + for (a = 0; template_table[n].attr_name[a] != NULL; a++) { + if (strcmp(template_table[n].attr_name[a], + parsed->attr_name) == 0) { + attr_name_valid = true; + break; + } + } + } else { + attr_name_valid = true; + } + + if (parsed->conversion != NULL) { + for (c = 0; template_table[n].conversion[c] != NULL; c++) { + if (strcmp(template_table[n].conversion[c], + parsed->conversion) == 0) { + conversion_valid = true; + break; + } + } + } else { + conversion_valid = true; + } + + if (attr_name_valid && conversion_valid) { + return 0; + } + } + + return EINVAL; +} + +static int parse_template(TALLOC_CTX *mem_ctx, struct sss_certmap_ctx *ctx, + const char *template, + struct parsed_template **parsed_template) +{ + int ret; + struct parsed_template *parsed = NULL; + const char *dot; + const char *excl; + const char *p; + + parsed = talloc_zero(mem_ctx, struct parsed_template); + if (parsed == NULL) { + ret = ENOMEM; + goto done; + } + + dot = strchr(template, '.'); + if (dot != NULL) { + p = strchr(dot + 1, '.'); + if (p != NULL) { + CM_DEBUG(ctx, "Only one '.' allowed in template."); + ret = EINVAL; + goto done; + } + + if (dot == template) { + CM_DEBUG(ctx, "Missing name in template."); + ret = EINVAL; + goto done; + } + } + + excl = strchr(template, '!'); + if (excl != NULL) { + p = strchr(excl + 1, '!'); + if (p != NULL) { + CM_DEBUG(ctx, "Only one '!' 
allowed in template."); + ret = EINVAL; + goto done; + } + + if (excl == template) { + CM_DEBUG(ctx, "Missing name in template."); + ret = EINVAL; + goto done; + } + } + + if (excl != NULL && excl[1] != '\0') { + parsed->conversion = talloc_strdup(parsed, excl + 1); + if (parsed->conversion == NULL) { + CM_DEBUG(ctx, "Memory allocation failed."); + ret = ENOMEM; + goto done; + } + } + + if (dot != NULL && dot[1] != '\0' && dot[1] != '!') { + if (excl == NULL) { + parsed->attr_name = talloc_strdup(parsed, dot + 1); + } else { + parsed->attr_name = talloc_strndup(parsed, dot + 1, + (excl - dot - 1)); + } + if (parsed->attr_name == NULL) { + CM_DEBUG(ctx, "Memory allocation failed."); + ret = ENOMEM; + goto done; + } + } + + if (dot != NULL) { + parsed->name = talloc_strndup(parsed, template, (dot - template)); + } else if (excl != NULL) { + parsed->name = talloc_strndup(parsed, template, (excl - template)); + } else { + parsed->name = talloc_strdup(parsed, template); + } + if (parsed->name == NULL) { + ret = ENOMEM; + goto done; + } + + ret = check_parsed_template(ctx, parsed); + if (ret != 0) { + CM_DEBUG(ctx, "Parse template invalid."); + goto done; + } + + ret = 0; + +done: + if (ret == 0) { + *parsed_template = parsed; + } else { + talloc_free(parsed); + } + + return ret; +} + +static int add_comp(struct sss_certmap_ctx *ctx, struct ldap_mapping_rule *rule, + const char *string, enum comp_type type) +{ + int ret; + struct ldap_mapping_rule_comp *comp; + + comp = talloc_zero(rule, struct ldap_mapping_rule_comp); + if (comp == NULL) { + return ENOMEM; + } + + comp->type = type; + comp->val = talloc_strdup(comp, string); + if (comp->val == NULL) { + talloc_free(comp); + return ENOMEM; + } + + if (type == comp_template) { + ret = parse_template(comp, ctx, string, &comp->parsed_template); + if (ret != 0) { + talloc_free(comp); + return ret; + } + } + + DLIST_ADD_END(rule->list, comp, struct ldap_mapping_rule_comp *); + + return 0; +} + +static int add_string(struct 
sss_certmap_ctx *ctx, + struct ldap_mapping_rule *rule, const char *string) +{ + return add_comp(ctx, rule, string, comp_string); +} + +static int add_template(struct sss_certmap_ctx *ctx, + struct ldap_mapping_rule *rule, const char *string) +{ + return add_comp(ctx, rule, string, comp_template); +} + +int parse_ldap_mapping_rule(struct sss_certmap_ctx *ctx, + const char *rule_start, + struct ldap_mapping_rule **mapping_rule) +{ + size_t c; + const char *cur; + char *tmp_string = NULL; + size_t tmp_string_size; + struct ldap_mapping_rule *rule = NULL; + int ret; + bool in_template = false; + + rule = talloc_zero(ctx, struct ldap_mapping_rule); + if (rule == NULL) { + ret = ENOMEM; + goto done; + } + + tmp_string_size = strlen(rule_start) + 1; + tmp_string = talloc_zero_size(ctx, tmp_string_size); + if (tmp_string == NULL) { + ret = ENOMEM; + goto done; + } + + cur = rule_start; + c = 0; + + while (*cur != '\0') { + if (c > tmp_string_size) { + CM_DEBUG(ctx, "Cannot parse mapping rule."); + ret = EIO; + goto done; + } + switch (*cur) { + case '{': + if (in_template) { + CM_DEBUG(ctx, "'{' not allowed in templates."); + ret = EINVAL; + goto done; + } + if (cur[1] == '{') { + /* Add only a single '{' to the output */ + tmp_string[c] = '{'; + c++; + cur += 2; + } else { + if (c != 0) { + ret = add_string(ctx, rule, tmp_string); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to add string."); + ret = EINVAL; + goto done; + } + memset(tmp_string, 0, tmp_string_size); + c = 0; + } + cur++; + in_template = true; + } + break; + case '}': + if (cur[1] == '}') { + if (in_template) { + CM_DEBUG(ctx, "'}}' not allowed in templates."); + ret = EINVAL; + goto done; + } else { + /* Add only a single '}' to the output */ + tmp_string[c] = '}'; + c++; + cur += 2; + } + } else { + ret = add_template(ctx, rule, tmp_string); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to add template."); + ret = EINVAL; + goto done; + } + memset(tmp_string, 0, tmp_string_size); + c = 0; + cur++; + 
in_template = false; + } + break; + default: + tmp_string[c] = *cur; + c++; + cur++; + } + } + if (in_template) { + CM_DEBUG(ctx, "Rule ended inside template."); + ret = EINVAL; + goto done; + } + if (c != 0) { + ret = add_string(ctx, rule, tmp_string); + if (ret != 0) { + CM_DEBUG(ctx, "Failed to add string."); + ret = EINVAL; + goto done; + } + } + + ret = 0; + +done: + if (ret == 0) { + *mapping_rule = rule; + } else { + talloc_free(rule); + } + + talloc_free(tmp_string); + + return ret; +} diff --git a/src/lib/cifs_idmap_sss/cifs_idmap_sss.c b/src/lib/cifs_idmap_sss/cifs_idmap_sss.c new file mode 100644 index 0000000..e7a0b83 --- /dev/null +++ b/src/lib/cifs_idmap_sss/cifs_idmap_sss.c 
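Review bot: In `parse_ldap_mapping_rule`, the `case '}'` branch for a single `}` calls `add_template(ctx, rule, tmp_string)` without checking `in_template`, so a stray `}` in literal text turns the text collected so far into a template. If that text happens to equal a known template name, the rule is accepted with a meaning the author did not write. A guard at the top of that branch, `if (!in_template) { ret = EINVAL; goto done; }` with a `CM_DEBUG` message, would reject such rules the way the `{` case already rejects a brace inside a template. The bounds test `if (c > tmp_string_size)` should also be `>=`, since index `tmp_string_size` is already past the buffer; as written it looks unreachable, because `c` never advances faster than `cur`.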
@@ -0,0 +1,335 @@ +/* + Authors: + Benjamin Franzke + + Copyright (C) 2013 Benjamin Franzke + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* TODO: Support of [all] samba's Unix SIDs: + * Users: S-1-22-1-%UID + * Groups: S-1-22-2-%GID + */ + +#include +#include +#include +#include +#include +#include + +#include + +#include "lib/idmap/sss_idmap.h" +#include "sss_client/idmap/sss_nss_idmap.h" + +#ifdef DEBUG +#include +#define debug(str, ...) \ + syslog(0, "%s: " str "\n", \ + __FUNCTION__, ##__VA_ARGS__) +#else +#define debug(...) do { } while(0) +#endif + +struct sssd_ctx { + struct sss_idmap_ctx *idmap; + const char **errmsg; +}; + +#define ctx_set_error(ctx, error) \ + do { \ + *ctx->errmsg = error; \ + debug("%s", error ? 
error : ""); \ + } while (0); + +int cifs_idmap_init_plugin(void **handle, const char **errmsg) +{ + struct sssd_ctx *ctx; + enum idmap_error_code err; + + if (handle == NULL || errmsg == NULL) + return EINVAL; + + ctx = malloc(sizeof *ctx); + if (!ctx) { + *errmsg = "Failed to allocate context"; + return -1; + } + ctx->errmsg = errmsg; + ctx_set_error(ctx, NULL); + + err = sss_idmap_init(NULL, NULL, NULL, &ctx->idmap); + if (err != IDMAP_SUCCESS) { + ctx_set_error(ctx, idmap_error_string(err)); + free(ctx); + return -1; + } + + *handle = ctx; + return 0; +} + +void cifs_idmap_exit_plugin(void *handle) +{ + struct sssd_ctx *ctx = handle; + + debug("exit"); + + if (ctx == NULL) + return; + + sss_idmap_free(ctx->idmap); + + free(ctx); +} + + +/* Test with `getcifsacl file` on client. */ +int cifs_idmap_sid_to_str(void *handle, const struct cifs_sid *csid, + char **name) +{ + struct sssd_ctx *ctx = handle; + enum idmap_error_code iderr; + char *sid; + enum sss_id_type id_type; + int err; + + iderr = sss_idmap_bin_sid_to_sid(ctx->idmap, (const uint8_t *) csid, + sizeof(*csid), &sid); + if (iderr != IDMAP_SUCCESS) { + ctx_set_error(ctx, idmap_error_string(iderr)); + *name = NULL; + return -1; + } + + debug("sid: %s", sid); + + err = sss_nss_getnamebysid(sid, name, &id_type); + if (err != 0) { + ctx_set_error(ctx, strerror(err)); + *name = NULL; + return -err; + } + + /* FIXME: Map Samba Unix SIDs? (sid->id and use getpwuid)? 
*/ + + debug("name: %s", *name); + + return 0; +} + +static int sid_to_cifs_sid(struct sssd_ctx *ctx, const char *sid, + struct cifs_sid *csid) +{ + uint8_t *bsid = NULL; + enum idmap_error_code err; + size_t length; + + err = sss_idmap_sid_to_bin_sid(ctx->idmap, + sid, &bsid, &length); + if (err != IDMAP_SUCCESS) { + ctx_set_error(ctx, idmap_error_string(err)); + return -1; + } + if (length > sizeof(struct cifs_sid)) { + ctx_set_error(ctx, "too large sid length"); + free(bsid); + return -1; + } + + memcpy(csid, bsid, length); + sss_idmap_free_bin_sid(ctx->idmap, bsid); + + return 0; +} + +/* Test with setcifsacl -a */ +int cifs_idmap_str_to_sid(void *handle, const char *name, + struct cifs_sid *csid) +{ + struct sssd_ctx *ctx = handle; + int err; + enum sss_id_type id_type; + char *sid = NULL; + int success = 0; + + debug("%s", name); + + err = sss_nss_getsidbyname(name, &sid, &id_type); + if (err != 0) { + /* Might be a raw string representation of SID, + * try converting that before returning an error. 
*/ + if (sid_to_cifs_sid(ctx, name, csid) == 0) + return 0; + + ctx_set_error(ctx, strerror(err)); + return -err; + } + + if (sid_to_cifs_sid(ctx, sid, csid) != 0) + success = -1; + + free(sid); + + return success; +} + +static int samba_unix_sid_to_id(const char *sid, struct cifs_uxid *cuxid) +{ + id_t id; + uint8_t type; + + if (sscanf(sid, "S-1-22-%hhu-%u", &type, &id) != 2) + return -1; + + switch (type) { + case 1: + cuxid->type = CIFS_UXID_TYPE_UID; + cuxid->id.uid = id; + break; + case 2: + cuxid->type = CIFS_UXID_TYPE_GID; + cuxid->id.gid = id; + break; + default: + cuxid->type = CIFS_UXID_TYPE_UNKNOWN; + return -1; + } + + return 0; +} + +static int sss_sid_to_id(struct sssd_ctx *ctx, const char *sid, + struct cifs_uxid *cuxid) +{ + int err; + enum sss_id_type id_type; + + err = sss_nss_getidbysid(sid, (uint32_t *)&cuxid->id.uid, &id_type); + if (err != 0) { + ctx_set_error(ctx, strerror(err)); + return -1; + } + + switch (id_type) { + case SSS_ID_TYPE_UID: + cuxid->type = CIFS_UXID_TYPE_UID; + break; + case SSS_ID_TYPE_GID: + cuxid->type = CIFS_UXID_TYPE_GID; + break; + case SSS_ID_TYPE_BOTH: + cuxid->type = CIFS_UXID_TYPE_BOTH; + break; + case SSS_ID_TYPE_NOT_SPECIFIED: + default: + return -1; + } + + return 0; +} + +/** + * cifs_idmap_sids_to_ids - convert struct cifs_sids to struct cifs_uxids + * usecase: mount.cifs -o sec=krb5,multiuser,cifsacl,nounix + * test: ls -n on mounted share + */ +int cifs_idmap_sids_to_ids(void *handle, const struct cifs_sid *csid, + const size_t num, struct cifs_uxid *cuxid) +{ + struct sssd_ctx *ctx = handle; + enum idmap_error_code err; + int success = -1; + size_t i; + char *sid; + + debug("num: %zd", num); + + if (num > UINT_MAX) { + ctx_set_error(ctx, "num is too large."); + return EINVAL; + } + + for (i = 0; i < num; ++i) { + err = sss_idmap_bin_sid_to_sid(ctx->idmap, (const uint8_t *) &csid[i], + sizeof(csid[i]), &sid); + if (err != IDMAP_SUCCESS) { + ctx_set_error(ctx, idmap_error_string(err)); + continue; + } + + 
cuxid[i].type = CIFS_UXID_TYPE_UNKNOWN; + + if (sss_sid_to_id(ctx, sid, &cuxid[i]) == 0 || + samba_unix_sid_to_id(sid, &cuxid[i]) == 0) { + + debug("setting uid of %s to %d", sid, cuxid[i].id.uid); + success = 0; + } + + free(sid); + } + + return success; +} + + +int cifs_idmap_ids_to_sids(void *handle, const struct cifs_uxid *cuxid, + const size_t num, struct cifs_sid *csid) +{ + struct sssd_ctx *ctx = handle; + int err, success = -1; + char *sid; + enum sss_id_type id_type; + size_t i; + + debug("num ids: %zd", num); + + if (num > UINT_MAX) { + ctx_set_error(ctx, "num is too large."); + return EINVAL; + } + + for (i = 0; i < num; ++i) { + switch (cuxid[i].type) { + case CIFS_UXID_TYPE_UID: + err = sss_nss_getsidbyuid((uint32_t)cuxid[i].id.uid, + &sid, &id_type); + break; + case CIFS_UXID_TYPE_GID: + err = sss_nss_getsidbygid((uint32_t)cuxid[i].id.gid, + &sid, &id_type); + break; + default: + err = sss_nss_getsidbyid((uint32_t)cuxid[i].id.uid, &sid, &id_type); + } + if (err != 0) { + ctx_set_error(ctx, strerror(err)); + csid[i].revision = 0; + /* FIXME: would it be safe to map *any* uid/gids unknown by sssd to + * SAMBA's UNIX SIDs? */ + continue; + } + + if (sid_to_cifs_sid(ctx, sid, csid) == 0) + success = 0; + else + csid[i].revision = 0; + free(sid); + } + + return success; +} diff --git a/src/lib/idmap/sss_idmap.c b/src/lib/idmap/sss_idmap.c new file mode 100644 index 0000000..57e9d30 --- /dev/null +++ b/src/lib/idmap/sss_idmap.c 
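Review bot: In `cifs_idmap_ids_to_sids` the loop calls `sid_to_cifs_sid(ctx, sid, csid)`, which writes every converted SID into `csid[0]` rather than the slot for the current id. Entries after the first are never filled in on success, even though the error paths in the same loop do index `csid[i].revision`. The call should be `if (sid_to_cifs_sid(ctx, sid, &csid[i]) == 0)`. Two smaller points in this file: `cifs_idmap_sid_to_str` never releases the `sid` string returned by `sss_idmap_bin_sid_to_sid`, and `sid_to_cifs_sid` releases `bsid` with `free()` on the oversize path but with `sss_idmap_free_bin_sid()` on the normal path.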
@@ -0,0 +1,1613 @@
+/*
+ SSSD
+
+ ID-mapping library
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "lib/idmap/sss_idmap.h"
+#include "lib/idmap/sss_idmap_private.h"
+#include "shared/murmurhash3.h"
+
+#define SID_FMT "%s-%d"
+#define SID_STR_MAX_LEN 1024
+
+/* Hold all parameters for unix<->sid mapping relevant for
+ * given slice.
*/
+struct idmap_range_params {
+ uint32_t min_id;
+ uint32_t max_id;
+ char *range_id;
+
+ uint32_t first_rid;
+ struct idmap_range_params *next;
+};
+
+struct idmap_domain_info {
+ char *name;
+ char *sid;
+ struct idmap_range_params range_params;
+ struct idmap_domain_info *next;
+ bool external_mapping;
+
+ struct idmap_range_params *helpers;
+ bool auto_add_ranges;
+ bool helpers_owner;
+
+ idmap_store_cb cb;
+ void *pvt;
+};
+
+static void *default_alloc(size_t size, void *pvt)
+{
+ return malloc(size);
+}
+
+static void default_free(void *ptr, void *pvt)
+{
+ free(ptr);
+}
+
+static char *idmap_strdup(struct sss_idmap_ctx *ctx, const char *str)
+{
+ char *new = NULL;
+ size_t len;
+
+ CHECK_IDMAP_CTX(ctx, NULL);
+
+ len = strlen(str) + 1;
+
+ new = ctx->alloc_func(len, ctx->alloc_pvt);
+ if (new == NULL) {
+ return NULL;
+ }
+
+ memcpy(new, str, len);
+
+ return new;
+}
+
+static bool ranges_eq(const struct idmap_range_params *a,
+ const struct idmap_range_params *b)
+{
+ if (a == NULL || b == NULL) {
+ return false;
+ }
+
+ if (a->first_rid == b->first_rid
+ && a->min_id == b->min_id
+ && a->max_id == b->max_id) {
+ return true;
+ }
+
+ return false;
+}
+
+static enum idmap_error_code
+construct_range(struct sss_idmap_ctx *ctx,
+ const struct idmap_range_params *src,
+ char *id,
+ struct idmap_range_params **_dst)
+{
+ struct idmap_range_params *dst;
+
+ if (src == NULL || id == NULL || _dst == NULL) {
+ return IDMAP_ERROR;
+ }
+
+ dst = ctx->alloc_func(sizeof(struct idmap_range_params), ctx->alloc_pvt);
+ if (dst == NULL) {
+ return IDMAP_OUT_OF_MEMORY;
+ }
+
+ dst->min_id = src->min_id;
+ dst->max_id = src->max_id;
+ dst->first_rid = src->first_rid;
+ dst->next = NULL;
+ dst->range_id = id;
+
+ *_dst = dst;
+ return IDMAP_SUCCESS;
+}
+
+static bool id_is_in_range(uint32_t id,
+ struct idmap_range_params *rp,
+ uint32_t *rid)
+{
+ if (id == 0 || rp == NULL) {
+ return false;
+ }
+
+ if (id >= rp->min_id && id <= rp->max_id) {
+ if (rid != NULL) {
+ *rid =
rp->first_rid + (id - rp->min_id);
+ }
+
+ return true;
+ }
+
+ return false;
+}
+
+const char *idmap_error_string(enum idmap_error_code err)
+{
+ switch (err) {
+ case IDMAP_SUCCESS:
+ return "IDMAP operation successful";
+ break;
+ case IDMAP_NOT_IMPLEMENTED:
+ return "IDMAP Function is not yet implemented";
+ break;
+ case IDMAP_ERROR:
+ return "IDMAP general error";
+ break;
+ case IDMAP_OUT_OF_MEMORY:
+ return "IDMAP operation ran out of memory";
+ break;
+ case IDMAP_NO_DOMAIN:
+ return "IDMAP domain not found";
+ break;
+ case IDMAP_CONTEXT_INVALID:
+ return "IDMAP context is invalid";
+ break;
+ case IDMAP_SID_INVALID:
+ return "IDMAP SID is invalid";
+ break;
+ case IDMAP_SID_UNKNOWN:
+ return "IDMAP SID not found";
+ break;
+ case IDMAP_NO_RANGE:
+ return "IDMAP range not found";
+ break;
+ case IDMAP_BUILTIN_SID:
+ return "IDMAP SID from BUILTIN domain";
+ break;
+ case IDMAP_OUT_OF_SLICES:
+ return "IDMAP not more free slices";
+ break;
+ case IDMAP_COLLISION:
+ return "IDMAP new range collides with existing one";
+ break;
+ case IDMAP_EXTERNAL:
+ return "IDMAP ID managed externally";
+ break;
+ case IDMAP_NAME_UNKNOWN:
+ return "IDMAP domain with the given name not found";
+ break;
+ default:
+ return "IDMAP unknown error code";
+ }
+}
+
+bool is_domain_sid(const char *sid)
+{
+ const char *p;
+ long long a;
+ char *endptr;
+ size_t c;
+
+ if (sid == NULL || strncmp(sid, DOM_SID_PREFIX, DOM_SID_PREFIX_LEN) != 0) {
+ return false;
+ }
+
+ p = sid + DOM_SID_PREFIX_LEN;
+ c = 0;
+
+ do {
+ errno = 0;
+ a = strtoull(p, &endptr, 10);
+ if (errno != 0 || a > UINT32_MAX) {
+ return false;
+ }
+
+ if (*endptr == '-') {
+ p = endptr + 1;
+ } else if (*endptr != '\0') {
+ return false;
+ }
+ c++;
+ } while(c < 3 && *endptr != '\0');
+
+ if (c != 3 || *endptr != '\0') {
+ return false;
+ }
+
+ return true;
+}
+
+enum idmap_error_code sss_idmap_init(idmap_alloc_func *alloc_func,
+ void *alloc_pvt,
+ idmap_free_func *free_func,
+ struct sss_idmap_ctx **_ctx)
+{
+
struct sss_idmap_ctx *ctx;
+
+ if (alloc_func == NULL) {
+ alloc_func = default_alloc;
+ }
+
+ ctx = alloc_func(sizeof(struct sss_idmap_ctx), alloc_pvt);
+ if (ctx == NULL) {
+ return IDMAP_OUT_OF_MEMORY;
+ }
+ memset(ctx, 0, sizeof(struct sss_idmap_ctx));
+
+ ctx->alloc_func = alloc_func;
+ ctx->alloc_pvt = alloc_pvt;
+ ctx->free_func = (free_func == NULL) ? default_free : free_func;
+
+ /* Set default values. */
+ ctx->idmap_opts.autorid_mode = SSS_IDMAP_DEFAULT_AUTORID;
+ ctx->idmap_opts.idmap_lower = SSS_IDMAP_DEFAULT_LOWER;
+ ctx->idmap_opts.idmap_upper = SSS_IDMAP_DEFAULT_UPPER;
+ ctx->idmap_opts.rangesize = SSS_IDMAP_DEFAULT_RANGESIZE;
+ ctx->idmap_opts.extra_slice_init = SSS_IDMAP_DEFAULT_EXTRA_SLICE_INIT;
+
+ *_ctx = ctx;
+
+ return IDMAP_SUCCESS;
+}
+
+static void free_helpers(struct sss_idmap_ctx *ctx,
+ struct idmap_range_params *helpers,
+ bool helpers_owner)
+{
+ struct idmap_range_params *it = helpers;
+ struct idmap_range_params *tmp;
+
+ if (helpers_owner == false) {
+ return;
+ }
+
+ while (it != NULL) {
+ tmp = it->next;
+
+ ctx->free_func(it->range_id, ctx->alloc_pvt);
+ ctx->free_func(it, ctx->alloc_pvt);
+
+ it = tmp;
+ }
+}
+
+static struct idmap_range_params*
+get_helper_by_id(struct idmap_range_params *helpers, const char *id)
+{
+ struct idmap_range_params *it;
+
+ for (it = helpers; it != NULL; it = it->next) {
+ if (strcmp(it->range_id, id) == 0) {
+ return it;
+ }
+ }
+
+ return NULL;
+}
+
+static void sss_idmap_free_domain(struct sss_idmap_ctx *ctx,
+ struct idmap_domain_info *dom)
+{
+ if (ctx == NULL || dom == NULL) {
+ return;
+ }
+
+ ctx->free_func(dom->range_params.range_id, ctx->alloc_pvt);
+
+ free_helpers(ctx, dom->helpers, dom->helpers_owner);
+
+ ctx->free_func(dom->name, ctx->alloc_pvt);
+ ctx->free_func(dom->sid, ctx->alloc_pvt);
+ ctx->free_func(dom, ctx->alloc_pvt);
+}
+
+enum idmap_error_code sss_idmap_free(struct sss_idmap_ctx *ctx)
+{
+ struct idmap_domain_info *dom;
+ struct idmap_domain_info *next;
+
+
CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ next = ctx->idmap_domain_info;
+ while (next) {
+ dom = next;
+ next = dom->next;
+ sss_idmap_free_domain(ctx, dom);
+ }
+
+ ctx->free_func(ctx, ctx->alloc_pvt);
+
+ return IDMAP_SUCCESS;
+}
+
+static enum idmap_error_code sss_idmap_free_ptr(struct sss_idmap_ctx *ctx,
+ void *ptr)
+{
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ if (ptr != NULL) {
+ ctx->free_func(ptr, ctx->alloc_pvt);
+ }
+
+ return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_free_sid(struct sss_idmap_ctx *ctx,
+ char *sid)
+{
+ return sss_idmap_free_ptr(ctx, sid);
+}
+
+enum idmap_error_code sss_idmap_free_dom_sid(struct sss_idmap_ctx *ctx,
+ struct sss_dom_sid *dom_sid)
+{
+ return sss_idmap_free_ptr(ctx, dom_sid);
+}
+
+enum idmap_error_code sss_idmap_free_smb_sid(struct sss_idmap_ctx *ctx,
+ struct dom_sid *smb_sid)
+{
+ return sss_idmap_free_ptr(ctx, smb_sid);
+}
+
+enum idmap_error_code sss_idmap_free_bin_sid(struct sss_idmap_ctx *ctx,
+ uint8_t *bin_sid)
+{
+ return sss_idmap_free_ptr(ctx, bin_sid);
+}
+
+static bool check_overlap(struct idmap_range_params *range,
+ id_t min, id_t max)
+{
+ return ((range->min_id <= min && range->max_id >= max)
+ || (range->min_id >= min && range->min_id <= max)
+ || (range->max_id >= min && range->max_id <= max));
+}
+
+static bool check_dom_overlap(struct idmap_range_params *prim_range,
+ /* struct idmap_range_params *sec_ranges, */
+ id_t min,
+ id_t max)
+{
+ return check_overlap(prim_range, min, max);
+}
+
+enum idmap_error_code sss_idmap_calculate_range(struct sss_idmap_ctx *ctx,
+ const char *range_id,
+ id_t *slice_num,
+ struct sss_idmap_range *_range)
+{
+ id_t max_slices;
+ id_t orig_slice;
+ id_t new_slice = 0;
+ id_t min;
+ id_t max;
+ id_t idmap_lower;
+ id_t idmap_upper;
+ id_t rangesize;
+ bool autorid_mode;
+ uint32_t hash_val;
+ struct idmap_domain_info *dom;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ idmap_lower = ctx->idmap_opts.idmap_lower;
+ idmap_upper =
ctx->idmap_opts.idmap_upper;
+ rangesize = ctx->idmap_opts.rangesize;
+ autorid_mode = ctx->idmap_opts.autorid_mode;
+
+ max_slices = (idmap_upper - idmap_lower) / rangesize;
+
+ if (slice_num && *slice_num != -1) {
+ /* The slice is being set explicitly.
+ * This may happen at system startup when we're loading
+ * previously-determined slices. In the future, we may also
+ * permit configuration to select the slice for a domain
+ * explicitly.
+ */
+ new_slice = *slice_num;
+ min = (rangesize * new_slice) + idmap_lower;
+ max = min + rangesize - 1;
+ for (dom = ctx->idmap_domain_info; dom != NULL; dom = dom->next) {
+ if (check_dom_overlap(&dom->range_params,min, max)) {
+ /* This range overlaps one already registered
+ * Fail, because the slice was manually configured
+ */
+ return IDMAP_COLLISION;
+ }
+ }
+ } else {
+ /* If slice is -1, we're being asked to pick a new slice */
+
+ if (autorid_mode) {
+ /* In autorid compatibility mode, always start at 0 and find the
+ * first free value.
+ */
+ orig_slice = 0;
+ } else {
+ /* Hash the range identifier string */
+ hash_val = murmurhash3(range_id, strlen(range_id), 0xdeadbeef);
+
+ /* Now get take the modulus of the hash val and the max_slices
+ * to determine its optimal position in the range.
+ */
+ new_slice = hash_val % max_slices;
+ orig_slice = new_slice;
+ }
+
+ min = (rangesize * new_slice) + idmap_lower;
+ max = min + rangesize - 1;
+ /* Verify that this slice is not already in use */
+ do {
+ for (dom = ctx->idmap_domain_info; dom != NULL; dom = dom->next) {
+
+ if (check_dom_overlap(&dom->range_params,
+ min, max)) {
+ /* This range overlaps one already registered
+ * We'll try the next available slot
+ */
+ new_slice++;
+ if (new_slice >= max_slices) {
+ /* loop around to the beginning if necessary */
+ new_slice = 0;
+ }
+
+ min = (rangesize * new_slice) + idmap_lower;
+ max = min + rangesize - 1;
+ break;
+ }
+ }
+
+ /* Keep trying until dom is NULL (meaning we got to the end
+ * without matching) or we have run out of slices and gotten
+ * back to the first one we tried.
+ */
+ } while (dom && new_slice != orig_slice);
+
+ if (dom) {
+ /* We looped all the way through and found no empty slots */
+ return IDMAP_OUT_OF_SLICES;
+ }
+ }
+
+ _range->min = (rangesize * new_slice) + idmap_lower;
+ _range->max = _range->min + rangesize - 1;
+
+ if (slice_num) {
+ *slice_num = new_slice;
+ }
+
+ return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_check_collision_ex(const char *o_name,
+ const char *o_sid,
+ struct sss_idmap_range *o_range,
+ uint32_t o_first_rid,
+ const char *o_range_id,
+ bool o_external_mapping,
+ const char *n_name,
+ const char *n_sid,
+ struct sss_idmap_range *n_range,
+ uint32_t n_first_rid,
+ const char *n_range_id,
+ bool n_external_mapping)
+{
+ bool names_equal;
+ bool sids_equal;
+
+ /* TODO: if both ranges have the same ID check if an update is
+ * needed. */
+
+ /* Check if ID ranges overlap.
+ * ID ranges with external mapping may overlap.
*/
+ if ((!n_external_mapping && !o_external_mapping)
+ && ((n_range->min >= o_range->min
+ && n_range->min <= o_range->max)
+ || (n_range->max >= o_range->min
+ && n_range->max <= o_range->max))) {
+ return IDMAP_COLLISION;
+ }
+
+ names_equal = (strcasecmp(n_name, o_name) == 0);
+ sids_equal = ((n_sid == NULL && o_sid == NULL)
+ || (n_sid != NULL && o_sid != NULL
+ && strcasecmp(n_sid, o_sid) == 0));
+
+ /* check if domain name and SID are consistent */
+ if ((names_equal && !sids_equal) || (!names_equal && sids_equal)) {
+ return IDMAP_COLLISION;
+ }
+
+ /* check if external_mapping is consistent */
+ if (names_equal && sids_equal
+ && n_external_mapping != o_external_mapping) {
+ return IDMAP_COLLISION;
+ }
+
+ /* check if RID ranges overlap */
+ if (names_equal && sids_equal
+ && n_external_mapping == false
+ && n_first_rid >= o_first_rid
+ && n_first_rid <= o_first_rid + (o_range->max - o_range->min)) {
+ return IDMAP_COLLISION;
+ }
+
+ return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_check_collision(struct sss_idmap_ctx *ctx,
+ char *n_name, char *n_sid,
+ struct sss_idmap_range *n_range,
+ uint32_t n_first_rid,
+ char *n_range_id,
+ bool n_external_mapping)
+{
+ struct idmap_domain_info *dom;
+ enum idmap_error_code err;
+ struct sss_idmap_range range;
+
+ for (dom = ctx->idmap_domain_info; dom != NULL; dom = dom->next) {
+
+ range.min = dom->range_params.min_id;
+ range.max = dom->range_params.max_id;
+
+ err = sss_idmap_check_collision_ex(dom->name, dom->sid,
+ &range,
+ dom->range_params.first_rid,
+ dom->range_params.range_id,
+ dom->external_mapping,
+ n_name, n_sid, n_range, n_first_rid,
+ n_range_id, n_external_mapping);
+ if (err != IDMAP_SUCCESS) {
+ return err;
+ }
+ }
+ return IDMAP_SUCCESS;
+}
+
+static enum
+idmap_error_code dom_check_collision(struct idmap_domain_info *dom_list,
+ struct idmap_domain_info *new_dom)
+{
+ struct idmap_domain_info *dom;
+ enum idmap_error_code err;
+ struct sss_idmap_range range;
+ struct
sss_idmap_range new_dom_range = { new_dom->range_params.min_id,
+ new_dom->range_params.max_id };
+
+ for (dom = dom_list; dom != NULL; dom = dom->next) {
+ range.min = dom->range_params.min_id;
+ range.max = dom->range_params.max_id;
+
+ err = sss_idmap_check_collision_ex(dom->name, dom->sid,
+ &range,
+ dom->range_params.first_rid,
+ dom->range_params.range_id,
+ dom->external_mapping,
+ new_dom->name, new_dom->sid,
+ &new_dom_range,
+ new_dom->range_params.first_rid,
+ new_dom->range_params.range_id,
+ new_dom->external_mapping);
+ if (err != IDMAP_SUCCESS) {
+ return err;
+ }
+ }
+ return IDMAP_SUCCESS;
+}
+
+static char*
+generate_sec_slice_name(struct sss_idmap_ctx *ctx,
+ const char *domain_sid, uint32_t rid)
+{
+ const char *SEC_SLICE_NAME_FMT = "%s-%"PRIu32;
+ char *slice_name;
+ int len, len2;
+
+ len = snprintf(NULL, 0, SEC_SLICE_NAME_FMT, domain_sid, rid);
+ if (len <= 0) {
+ return NULL;
+ }
+
+ slice_name = ctx->alloc_func(len + 1, ctx->alloc_pvt);
+ if (slice_name == NULL) {
+ return NULL;
+ }
+
+ len2 = snprintf(slice_name, len + 1, SEC_SLICE_NAME_FMT, domain_sid,
+ rid);
+ if (len != len2) {
+ ctx->free_func(slice_name, ctx->alloc_pvt);
+ return NULL;
+ }
+
+ return slice_name;
+}
+
+static enum idmap_error_code
+generate_slice(struct sss_idmap_ctx *ctx, char *slice_name, uint32_t first_rid,
+ struct idmap_range_params **_slice)
+{
+ struct idmap_range_params *slice;
+ struct sss_idmap_range tmp_range;
+ enum idmap_error_code err;
+
+ slice = ctx->alloc_func(sizeof(struct idmap_range_params), ctx->alloc_pvt);
+ if (slice == NULL) {
+ return IDMAP_OUT_OF_MEMORY;
+ }
+
+ slice->next = NULL;
+
+ err = sss_idmap_calculate_range(ctx, slice_name, NULL, &tmp_range);
+ if (err != IDMAP_SUCCESS) {
+ ctx->free_func(slice, ctx->alloc_pvt);
+ return err;
+ }
+
+ slice->min_id = tmp_range.min;
+ slice->max_id = tmp_range.max;
+ slice->range_id = slice_name;
+ slice->first_rid = first_rid;
+
+ *_slice = slice;
+ return IDMAP_SUCCESS;
+}
+
+static enum
idmap_error_code
+get_helpers(struct sss_idmap_ctx *ctx,
+ const char *domain_sid,
+ uint32_t first_rid,
+ struct idmap_range_params **_sec_slices)
+{
+ struct idmap_range_params *prev = NULL;
+ struct idmap_range_params *sec_slices = NULL;
+ static enum idmap_error_code err;
+ struct idmap_range_params *slice;
+ char *secondary_name;
+
+ for (int i = 0; i < ctx->idmap_opts.extra_slice_init; i++) {
+ secondary_name = generate_sec_slice_name(ctx, domain_sid, first_rid);
+ if (secondary_name == NULL) {
+ err = IDMAP_OUT_OF_MEMORY;
+ goto fail;
+ }
+
+ err = generate_slice(ctx, secondary_name, first_rid, &slice);
+ if (err != IDMAP_SUCCESS) {
+ goto fail;
+ }
+
+ first_rid += ctx->idmap_opts.rangesize;
+
+ if (prev != NULL) {
+ prev->next = slice;
+ }
+
+ if (sec_slices == NULL) {
+ sec_slices = slice;
+ }
+
+ prev = slice;
+ }
+
+ *_sec_slices = sec_slices;
+ return IDMAP_SUCCESS;
+
+fail:
+ ctx->free_func(secondary_name, ctx->alloc_pvt);
+
+ /* Free already generated helpers. */
+ free_helpers(ctx, sec_slices, true);
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_add_domain_ex(struct sss_idmap_ctx *ctx,
+ const char *domain_name,
+ const char *domain_sid,
+ struct sss_idmap_range *range,
+ const char *range_id,
+ uint32_t rid,
+ bool external_mapping)
+{
+ struct idmap_domain_info *dom = NULL;
+ enum idmap_error_code err;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ if (domain_name == NULL) {
+ return IDMAP_NO_DOMAIN;
+ }
+
+ if (range == NULL) {
+ return IDMAP_NO_RANGE;
+ }
+
+ /* For algorithmic mapping a valid domain SID is required, for external
+ * mapping it may be NULL, but if set it should be valid.
*/
+ if ((!external_mapping && !is_domain_sid(domain_sid))
+ || (external_mapping
+ && domain_sid != NULL
+ && !is_domain_sid(domain_sid))) {
+ return IDMAP_SID_INVALID;
+ }
+
+ dom = ctx->alloc_func(sizeof(struct idmap_domain_info), ctx->alloc_pvt);
+ if (dom == NULL) {
+ return IDMAP_OUT_OF_MEMORY;
+ }
+ memset(dom, 0, sizeof(struct idmap_domain_info));
+
+ dom->name = idmap_strdup(ctx, domain_name);
+ if (dom->name == NULL) {
+ err = IDMAP_OUT_OF_MEMORY;
+ goto fail;
+ }
+
+ if (domain_sid != NULL) {
+ dom->sid = idmap_strdup(ctx, domain_sid);
+ if (dom->sid == NULL) {
+ err = IDMAP_OUT_OF_MEMORY;
+ goto fail;
+ }
+ }
+
+ dom->range_params.min_id = range->min;
+ dom->range_params.max_id = range->max;
+
+ if (range_id != NULL) {
+ dom->range_params.range_id = idmap_strdup(ctx, range_id);
+ if (dom->range_params.range_id == NULL) {
+ err = IDMAP_OUT_OF_MEMORY;
+ goto fail;
+ }
+ }
+
+ dom->range_params.first_rid = rid;
+ dom->external_mapping = external_mapping;
+
+ err = dom_check_collision(ctx->idmap_domain_info, dom);
+ if (err != IDMAP_SUCCESS) {
+ goto fail;
+ }
+
+ dom->next = ctx->idmap_domain_info;
+ ctx->idmap_domain_info = dom;
+
+ return IDMAP_SUCCESS;
+
+fail:
+ sss_idmap_free_domain(ctx, dom);
+
+ return err;
+}
+
+enum idmap_error_code
+sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx,
+ const char *domain_name,
+ const char *domain_sid,
+ struct sss_idmap_range *range,
+ const char *range_id,
+ uint32_t rid,
+ bool external_mapping,
+ idmap_store_cb cb,
+ void *pvt)
+{
+ enum idmap_error_code err;
+
+ err = sss_idmap_add_domain_ex(ctx, domain_name, domain_sid, range,
+ range_id, rid, external_mapping);
+ if (err != IDMAP_SUCCESS) {
+ return err;
+ }
+
+ if (external_mapping) {
+ /* There's no point in generating secondary ranges if external_mapping
+ is enabled.
*/
+ ctx->idmap_domain_info->auto_add_ranges = false;
+ return IDMAP_SUCCESS;
+ }
+
+ if ((range->max - range->min + 1) != ctx->idmap_opts.rangesize) {
+ /* Range of primary slice is not equal to the value of
+ ldap_idmap_range_size option. */
+ return IDMAP_ERROR;
+ }
+
+ /* No additional secondary ranges should be added if no sec ranges are
+ predeclared. */
+ if (ctx->idmap_opts.extra_slice_init == 0) {
+ ctx->idmap_domain_info->auto_add_ranges = false;
+ return IDMAP_SUCCESS;
+ }
+
+ /* Add size of primary slice for first_rid of secondary slices. */
+ rid += ctx->idmap_opts.rangesize;
+ err = get_helpers(ctx, domain_sid, rid,
+ &ctx->idmap_domain_info->helpers);
+ if (err == IDMAP_SUCCESS) {
+ ctx->idmap_domain_info->auto_add_ranges = true;
+ ctx->idmap_domain_info->helpers_owner = true;
+ } else {
+ /* Running out of slices for secondary mapping is a non-fatal
+ * problem. */
+ if (err == IDMAP_OUT_OF_SLICES) {
+ err = IDMAP_SUCCESS;
+ }
+ ctx->idmap_domain_info->auto_add_ranges = false;
+ }
+
+ ctx->idmap_domain_info->cb = cb;
+ ctx->idmap_domain_info->pvt = pvt;
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_add_domain(struct sss_idmap_ctx *ctx,
+ const char *domain_name,
+ const char *domain_sid,
+ struct sss_idmap_range *range)
+{
+ return sss_idmap_add_domain_ex(ctx, domain_name, domain_sid, range, NULL,
+ 0, false);
+}
+
+static bool sss_idmap_sid_is_builtin(const char *sid)
+{
+ if (strncmp(sid, "S-1-5-32-", 9) == 0) {
+ return true;
+ }
+
+ return false;
+}
+
+static bool parse_rid(const char *sid, size_t dom_prefix_len, long long *_rid)
+{
+ long long rid;
+ char *endptr;
+
+ errno = 0;
+ /* Use suffix of sid - part after domain and following '-' */
+ rid = strtoull(sid + dom_prefix_len + 1, &endptr, 10);
+ if (errno != 0 || rid > UINT32_MAX || *endptr != '\0') {
+ return false;
+ }
+
+ *_rid = rid;
+ return true;
+}
+
+static bool is_sid_from_dom(const char *dom_sid, const char *sid,
+ size_t *_dom_sid_len)
+{
+ size_t dom_sid_len;
+
+ if
(dom_sid == NULL) {
+ return false;
+ }
+
+ dom_sid_len = strlen(dom_sid);
+ *_dom_sid_len = dom_sid_len;
+
+ if (strlen(sid) < dom_sid_len || sid[dom_sid_len] != '-') {
+ return false;
+ }
+
+ return strncmp(sid, dom_sid, dom_sid_len) == 0;
+}
+
+static bool comp_id(struct idmap_range_params *range_params, long long rid,
+ uint32_t *_id)
+{
+ uint32_t id;
+
+ if (rid >= range_params->first_rid
+ && ((UINT32_MAX - range_params->min_id) >
+ (rid - range_params->first_rid))) {
+ id = range_params->min_id + (rid - range_params->first_rid);
+ if (id <= range_params->max_id) {
+ *_id = id;
+ return true;
+ }
+ }
+ return false;
+}
+
+static enum idmap_error_code
+get_range(struct sss_idmap_ctx *ctx,
+ struct idmap_range_params *helpers,
+ const char *dom_sid,
+ long long rid,
+ struct idmap_range_params **_range)
+{
+ char *secondary_name = NULL;
+ enum idmap_error_code err;
+ int first_rid;
+ struct idmap_range_params *range;
+ struct idmap_range_params *helper;
+
+ first_rid = (rid / ctx->idmap_opts.rangesize) * ctx->idmap_opts.rangesize;
+
+ secondary_name = generate_sec_slice_name(ctx, dom_sid, first_rid);
+ if (secondary_name == NULL) {
+ err = IDMAP_OUT_OF_MEMORY;
+ goto error;
+ }
+
+ helper = get_helper_by_id(helpers, secondary_name);
+ if (helper != NULL) {
+ /* Utilize helper's range. */
+ err = construct_range(ctx, helper, secondary_name, &range);
+ } else {
+ /* Have to generate a whole new range.
*/
+ err = generate_slice(ctx, secondary_name, first_rid, &range);
+ }
+
+ if (err != IDMAP_SUCCESS) {
+ goto error;
+ }
+
+ *_range = range;
+ return IDMAP_SUCCESS;
+
+error:
+ ctx->free_func(secondary_name, ctx->alloc_pvt);
+ return err;
+}
+
+static enum idmap_error_code
+spawn_dom(struct sss_idmap_ctx *ctx,
+ struct idmap_domain_info *parent,
+ struct idmap_range_params *range)
+{
+ struct sss_idmap_range tmp;
+ static enum idmap_error_code err;
+ struct idmap_domain_info *it;
+
+ tmp.min = range->min_id;
+ tmp.max = range->max_id;
+
+ err = sss_idmap_add_domain_ex(ctx,
+ parent->name,
+ parent->sid,
+ &tmp, range->range_id,
+ range->first_rid, false);
+ if (err != IDMAP_SUCCESS) {
+ return err;
+ }
+
+ it = ctx->idmap_domain_info;
+ while (it != NULL) {
+ /* Find the newly added domain. */
+ if (ranges_eq(&it->range_params, range)) {
+
+ /* Share helpers. */
+ it->helpers = parent->helpers;
+ it->auto_add_ranges = parent->auto_add_ranges;
+
+ /* Share call back for storing domains */
+ it->cb = parent->cb;
+ it->pvt = parent->pvt;
+ break;
+ }
+
+ it = it->next;
+ }
+
+ if (it == NULL) {
+ /* Failed to find just added domain. */
+ return IDMAP_ERROR;
+ }
+
+ /* Store mapping for newly created domain.
*/
+ if (it->cb != NULL) {
+ err = it->cb(it->name,
+ it->sid,
+ it->range_params.range_id,
+ it->range_params.min_id,
+ it->range_params.max_id,
+ it->range_params.first_rid,
+ it->pvt);
+ if (err != IDMAP_SUCCESS) {
+ return err;
+ }
+ }
+
+ return IDMAP_SUCCESS;
+}
+
+static enum idmap_error_code
+add_dom_for_sid(struct sss_idmap_ctx *ctx,
+ struct idmap_domain_info *matched_dom,
+ const char *sid,
+ uint32_t *_id)
+{
+ enum idmap_error_code err;
+ long long rid;
+ struct idmap_range_params *range = NULL;
+
+ if (parse_rid(sid, strlen(matched_dom->sid), &rid) == false) {
+ err = IDMAP_SID_INVALID;
+ goto done;
+ }
+
+ err = get_range(ctx, matched_dom->helpers, matched_dom->sid, rid, &range);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = spawn_dom(ctx, matched_dom, range);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ if (!comp_id(range, rid, _id)) {
+ err = IDMAP_ERROR;
+ goto done;
+ }
+
+ err = IDMAP_SUCCESS;
+
+done:
+ if (range != NULL) {
+ ctx->free_func(range->range_id, ctx->alloc_pvt);
+ }
+ ctx->free_func(range, ctx->alloc_pvt);
+ return err;
+}
+
+enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
+ const char *sid,
+ uint32_t *_id)
+{
+ struct idmap_domain_info *idmap_domain_info;
+ struct idmap_domain_info *matched_dom = NULL;
+ size_t dom_len;
+ long long rid;
+
+ if (sid == NULL || _id == NULL) {
+ return IDMAP_ERROR;
+ }
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ idmap_domain_info = ctx->idmap_domain_info;
+
+ if (sss_idmap_sid_is_builtin(sid)) {
+ return IDMAP_BUILTIN_SID;
+ }
+
+ /* Try primary slices */
+ while (idmap_domain_info != NULL) {
+
+ if (is_sid_from_dom(idmap_domain_info->sid, sid, &dom_len)) {
+
+ if (idmap_domain_info->external_mapping == true) {
+ return IDMAP_EXTERNAL;
+ }
+
+ if (parse_rid(sid, dom_len, &rid) == false) {
+ return IDMAP_SID_INVALID;
+ }
+
+ if (comp_id(&idmap_domain_info->range_params, rid, _id)) {
+ return IDMAP_SUCCESS;
+ }
+
+ matched_dom = idmap_domain_info;
+ }
+
+ idmap_domain_info = idmap_domain_info->next;
+ }
+
+ if (matched_dom != NULL && matched_dom->auto_add_ranges) {
+ return add_dom_for_sid(ctx, matched_dom, sid, _id);
+ }
+
+ return matched_dom ? IDMAP_NO_RANGE : IDMAP_NO_DOMAIN;
+}
+
+enum idmap_error_code sss_idmap_check_sid_unix(struct sss_idmap_ctx *ctx,
+ const char *sid,
+ uint32_t id)
+{
+ struct idmap_domain_info *idmap_domain_info;
+ size_t dom_len;
+ bool no_range = false;
+
+ if (sid == NULL) {
+ return IDMAP_ERROR;
+ }
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ if (ctx->idmap_domain_info == NULL) {
+ return IDMAP_NO_DOMAIN;
+ }
+
+ idmap_domain_info = ctx->idmap_domain_info;
+
+ if (sss_idmap_sid_is_builtin(sid)) {
+ return IDMAP_BUILTIN_SID;
+ }
+
+ while (idmap_domain_info != NULL) {
+ if (idmap_domain_info->sid != NULL) {
+ dom_len = strlen(idmap_domain_info->sid);
+ if (strlen(sid) > dom_len && sid[dom_len] == '-'
+ && strncmp(sid, idmap_domain_info->sid, dom_len) == 0) {
+
+ if (id >= idmap_domain_info->range_params.min_id
+ && id <= idmap_domain_info->range_params.max_id) {
+ return IDMAP_SUCCESS;
+ }
+
+ no_range = true;
+ }
+ }
+
+ idmap_domain_info = idmap_domain_info->next;
+ }
+
+ return no_range ?
IDMAP_NO_RANGE : IDMAP_SID_UNKNOWN;
+}
+
+static enum idmap_error_code generate_sid(struct sss_idmap_ctx *ctx,
+ const char *dom_sid,
+ uint32_t rid,
+ char **_sid)
+{
+ char *sid;
+ int len;
+ int ret;
+
+ len = snprintf(NULL, 0, SID_FMT, dom_sid, rid);
+ if (len <= 0 || len > SID_STR_MAX_LEN) {
+ return IDMAP_ERROR;
+ }
+
+ sid = ctx->alloc_func(len + 1, ctx->alloc_pvt);
+ if (sid == NULL) {
+ return IDMAP_OUT_OF_MEMORY;
+ }
+
+ ret = snprintf(sid, len + 1, SID_FMT, dom_sid, rid);
+ if (ret != len) {
+ ctx->free_func(sid, ctx->alloc_pvt);
+ return IDMAP_ERROR;
+ }
+
+ *_sid = sid;
+ return IDMAP_SUCCESS;
+}
+
+enum idmap_error_code sss_idmap_unix_to_sid(struct sss_idmap_ctx *ctx,
+ uint32_t id,
+ char **_sid)
+{
+ struct idmap_domain_info *idmap_domain_info;
+ uint32_t rid;
+ enum idmap_error_code err;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ idmap_domain_info = ctx->idmap_domain_info;
+
+ while (idmap_domain_info != NULL) {
+ if (id_is_in_range(id, &idmap_domain_info->range_params, &rid)) {
+
+ if (idmap_domain_info->external_mapping == true
+ || idmap_domain_info->sid == NULL) {
+ return IDMAP_EXTERNAL;
+ }
+
+ return generate_sid(ctx, idmap_domain_info->sid, rid, _sid);
+ }
+
+ idmap_domain_info = idmap_domain_info->next;
+ }
+
+ /* Check secondary ranges. */
+ idmap_domain_info = ctx->idmap_domain_info;
+ while (idmap_domain_info != NULL) {
+
+ for (struct idmap_range_params *it = idmap_domain_info->helpers;
+ it != NULL;
+ it = it->next) {
+
+ if (idmap_domain_info->helpers_owner == false) {
+ /* Checking helpers on owner is sufficient.
*/
+ continue;
+ }
+
+ if (id_is_in_range(id, it, &rid)) {
+
+ if (idmap_domain_info->external_mapping == true
+ || idmap_domain_info->sid == NULL) {
+ return IDMAP_EXTERNAL;
+ }
+
+ err = spawn_dom(ctx, idmap_domain_info, it);
+ if (err != IDMAP_SUCCESS) {
+ return err;
+ }
+
+ return generate_sid(ctx, idmap_domain_info->sid, rid, _sid);
+ }
+ }
+
+ idmap_domain_info = idmap_domain_info->next;
+ }
+
+ return IDMAP_NO_DOMAIN;
+}
+
+enum idmap_error_code sss_idmap_dom_sid_to_unix(struct sss_idmap_ctx *ctx,
+ struct sss_dom_sid *dom_sid,
+ uint32_t *id)
+{
+ enum idmap_error_code err;
+ char *sid;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err = sss_idmap_dom_sid_to_sid(ctx, dom_sid, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_unix(ctx, sid, id);
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_bin_sid_to_unix(struct sss_idmap_ctx *ctx,
+ uint8_t *bin_sid,
+ size_t length,
+ uint32_t *id)
+{
+ enum idmap_error_code err;
+ char *sid;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err = sss_idmap_bin_sid_to_sid(ctx, bin_sid, length, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_unix(ctx, sid, id);
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_smb_sid_to_unix(struct sss_idmap_ctx *ctx,
+ struct dom_sid *smb_sid,
+ uint32_t *id)
+{
+ enum idmap_error_code err;
+ char *sid;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err = sss_idmap_smb_sid_to_sid(ctx, smb_sid, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_unix(ctx, sid, id);
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_check_dom_sid_to_unix(struct sss_idmap_ctx *ctx,
+ struct sss_dom_sid *dom_sid,
+ uint32_t id)
+{
+ enum idmap_error_code err;
+ char *sid;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err =
sss_idmap_dom_sid_to_sid(ctx, dom_sid, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_check_sid_unix(ctx, sid, id);
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_check_bin_sid_unix(struct sss_idmap_ctx *ctx,
+ uint8_t *bin_sid,
+ size_t length,
+ uint32_t id)
+{
+ enum idmap_error_code err;
+ char *sid;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err = sss_idmap_bin_sid_to_sid(ctx, bin_sid, length, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_check_sid_unix(ctx, sid, id);
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_check_smb_sid_unix(struct sss_idmap_ctx *ctx,
+ struct dom_sid *smb_sid,
+ uint32_t id)
+{
+ enum idmap_error_code err;
+ char *sid;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err = sss_idmap_smb_sid_to_sid(ctx, smb_sid, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_check_sid_unix(ctx, sid, id);
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+
+ return err;
+}
+enum idmap_error_code sss_idmap_unix_to_dom_sid(struct sss_idmap_ctx *ctx,
+ uint32_t id,
+ struct sss_dom_sid **_dom_sid)
+{
+ enum idmap_error_code err;
+ char *sid = NULL;
+ struct sss_dom_sid *dom_sid = NULL;
+
+ CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
+
+ err = sss_idmap_unix_to_sid(ctx, id, &sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ err = sss_idmap_sid_to_dom_sid(ctx, sid, &dom_sid);
+ if (err != IDMAP_SUCCESS) {
+ goto done;
+ }
+
+ *_dom_sid = dom_sid;
+ err = IDMAP_SUCCESS;
+
+done:
+ ctx->free_func(sid, ctx->alloc_pvt);
+ if (err != IDMAP_SUCCESS) {
+ ctx->free_func(dom_sid, ctx->alloc_pvt);
+ }
+
+ return err;
+}
+
+enum idmap_error_code sss_idmap_unix_to_bin_sid(struct sss_idmap_ctx *ctx,
+ uint32_t id,
+ uint8_t **_bin_sid,
+ size_t *_length)
+{
+ enum idmap_error_code err;
+ char *sid = NULL;
+ uint8_t *bin_sid = NULL;
+ size_t length;
+
+
CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + + err = sss_idmap_unix_to_sid(ctx, id, &sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_sid_to_bin_sid(ctx, sid, &bin_sid, &length); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_bin_sid = bin_sid; + *_length = length; + err = IDMAP_SUCCESS; + +done: + ctx->free_func(sid, ctx->alloc_pvt); + if (err != IDMAP_SUCCESS) { + ctx->free_func(bin_sid, ctx->alloc_pvt); + } + + return err; + +} + +enum idmap_error_code +sss_idmap_ctx_set_autorid(struct sss_idmap_ctx *ctx, bool use_autorid) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + ctx->idmap_opts.autorid_mode = use_autorid; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_set_lower(struct sss_idmap_ctx *ctx, id_t lower) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + ctx->idmap_opts.idmap_lower = lower; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_set_upper(struct sss_idmap_ctx *ctx, id_t upper) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + ctx->idmap_opts.idmap_upper = upper; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_set_rangesize(struct sss_idmap_ctx *ctx, id_t rangesize) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + ctx->idmap_opts.rangesize = rangesize; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_set_extra_slice_init(struct sss_idmap_ctx *ctx, + int extra_slice_init) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + ctx->idmap_opts.extra_slice_init = extra_slice_init; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_get_autorid(struct sss_idmap_ctx *ctx, bool *_autorid) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + *_autorid = ctx->idmap_opts.autorid_mode; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_get_lower(struct sss_idmap_ctx *ctx, id_t *_lower) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + *_lower = ctx->idmap_opts.idmap_lower; + return IDMAP_SUCCESS; +} + +enum 
idmap_error_code +sss_idmap_ctx_get_upper(struct sss_idmap_ctx *ctx, id_t *_upper) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + *_upper = ctx->idmap_opts.idmap_upper; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_ctx_get_rangesize(struct sss_idmap_ctx *ctx, id_t *_rangesize) +{ + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + *_rangesize = ctx->idmap_opts.rangesize; + return IDMAP_SUCCESS; +} + +enum idmap_error_code +sss_idmap_domain_has_algorithmic_mapping(struct sss_idmap_ctx *ctx, + const char *dom_sid, + bool *has_algorithmic_mapping) +{ + struct idmap_domain_info *idmap_domain_info; + size_t len; + size_t dom_sid_len; + + if (dom_sid == NULL) { + return IDMAP_SID_INVALID; + } + + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + + if (ctx->idmap_domain_info == NULL) { + return IDMAP_NO_DOMAIN; + } + + idmap_domain_info = ctx->idmap_domain_info; + + while (idmap_domain_info != NULL) { + if (idmap_domain_info->sid != NULL) { + len = strlen(idmap_domain_info->sid); + dom_sid_len = strlen(dom_sid); + if (((dom_sid_len > len && dom_sid[len] == '-') + || dom_sid_len == len) + && strncmp(dom_sid, idmap_domain_info->sid, len) == 0) { + + *has_algorithmic_mapping = !idmap_domain_info->external_mapping; + return IDMAP_SUCCESS; + + } + } + + idmap_domain_info = idmap_domain_info->next; + } + + return IDMAP_SID_UNKNOWN; +} + +enum idmap_error_code +sss_idmap_domain_by_name_has_algorithmic_mapping(struct sss_idmap_ctx *ctx, + const char *dom_name, + bool *has_algorithmic_mapping) +{ + struct idmap_domain_info *idmap_domain_info; + + if (dom_name == NULL) { + return IDMAP_ERROR; + } + + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + + if (ctx->idmap_domain_info == NULL) { + return IDMAP_NO_DOMAIN; + } + + idmap_domain_info = ctx->idmap_domain_info; + + while (idmap_domain_info != NULL) { + if (idmap_domain_info->name != NULL + && strcmp(dom_name, idmap_domain_info->name) == 0) { + + *has_algorithmic_mapping = !idmap_domain_info->external_mapping; + 
return IDMAP_SUCCESS; + } + + idmap_domain_info = idmap_domain_info->next; + } + + return IDMAP_NAME_UNKNOWN; +} diff --git a/src/lib/idmap/sss_idmap.doxy.in b/src/lib/idmap/sss_idmap.doxy.in new file mode 100644 index 0000000..833498b --- /dev/null +++ b/src/lib/idmap/sss_idmap.doxy.in 
@@ -0,0 +1,1883 @@ +# Doxyfile 1.8.3 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project. +# +# All text after a hash (#) is considered a comment and will be ignored. +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" "). + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or sequence of words) that should +# identify the project. Note that if you do not use Doxywizard you need +# to put quotes around the project name if it contains spaces. + +PROJECT_NAME = sss_idmap + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = @PACKAGE_VERSION@ + +# Using the PROJECT_BRIEF tag one can provide an optional one line description +# for a project that appears at the top of each page and should give viewer +# a quick idea about the purpose of the project. Keep the description short. + +PROJECT_BRIEF = + +# With the PROJECT_LOGO tag one can specify an logo or icon that is +# included in the documentation. The maximum height of the logo should not +# exceed 55 pixels and the maximum width should not exceed 200 pixels. 
+# Doxygen will copy the logo to the output directory. + +PROJECT_LOGO = + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = idmap_doc + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, +# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English +# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, +# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak, +# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. 
+ +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. +# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = "The $name class" \ + "The $name widget" \ + "The $name file" \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. 
+ +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. Note that you specify absolute paths here, but also +# relative paths, which will be relative from the directory where doxygen is +# started. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful if your file system +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = YES + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) 
+ +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# This tag can be used to specify a number of word-keyword mappings (TCL only). +# A mapping has the form "name=value". For example adding +# "class=itcl::class" will allow you to use the command class in the +# itcl::class meaning. + +TCL_SUBST = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. 
+ +OPTIMIZE_OUTPUT_FOR_C = YES + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# Doxygen selects the parser to use depending on the extension of the files it +# parses. With this tag you can assign which parser to use for a given +# extension. Doxygen has a built-in mapping, but you can override or extend it +# using this tag. The format is ext=language, where ext is a file extension, +# and language is one of the parsers supported by doxygen: IDL, Java, +# Javascript, CSharp, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, +# C++. For instance to make doxygen treat .inc files as Fortran files (default +# is PHP), and .f files as C (default is Fortran), use: inc=Fortran f=C. Note +# that for custom extensions you also need to set FILE_PATTERNS otherwise the +# files are not read by doxygen. + +EXTENSION_MAPPING = + +# If MARKDOWN_SUPPORT is enabled (the default) then doxygen pre-processes all +# comments according to the Markdown format, which allows for more readable +# documentation. See http://daringfireball.net/projects/markdown/ for details. +# The output of markdown processing is further processed by doxygen, so you +# can mix doxygen, HTML, and XML commands with Markdown formatting. +# Disable only in case of backward compatibilities issues. 
+ +MARKDOWN_SUPPORT = YES + +# When enabled doxygen tries to link words that correspond to documented classes, +# or namespaces to their corresponding documentation. Such a link can be +# prevented in individual cases by by putting a % sign in front of the word or +# globally by setting AUTOLINK_SUPPORT to NO. + +AUTOLINK_SUPPORT = YES + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also makes the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate +# getter and setter methods for a property. Setting this option to YES (the +# default) will make doxygen replace the get and set methods by a property in +# the documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. 
+ +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and +# unions are shown inside the group in which they are included (e.g. using +# @ingroup) instead of on a separate page (for HTML and Man pages) or +# section (for LaTeX and RTF). + +INLINE_GROUPED_CLASSES = NO + +# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and +# unions with only public data fields will be shown inline in the documentation +# of the scope in which they are defined (i.e. file, namespace, or group +# documentation), provided this scope is documented. If set to NO (the default), +# structs, classes, and unions are shown on a separate page (for HTML and Man +# pages) or section (for LaTeX and RTF). + +INLINE_SIMPLE_STRUCTS = NO + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to +# determine which symbols to keep in memory and which to flush to disk. +# When the cache is full, less often used symbols will be written to disk. 
+# For small to medium size projects (<1000 input files) the default value is +# probably good enough. For larger projects a too small cache size can cause +# doxygen to be busy swapping symbols to and from disk most of the time +# causing a significant performance penalty. +# If the system has enough physical memory increasing the cache will improve the +# performance by keeping more symbols in memory. Note that the value works on +# a logarithmic scale so increasing the size by one will roughly double the +# memory usage. The cache size is given by this formula: +# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols. + +SYMBOL_CACHE_SIZE = 0 + +# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be +# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given +# their name and scope. Since this can be an expensive process and often the +# same symbol appear multiple times in the code, doxygen keeps a cache of +# pre-resolved symbols. If the cache is too small doxygen will become slower. +# If the cache is too large, memory is wasted. The cache size is given by this +# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols. + +LOOKUP_CACHE_SIZE = 0 + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = NO + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. 
+ +EXTRACT_PRIVATE = NO + +# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal +# scope will be included in the documentation. + +EXTRACT_PACKAGE = NO + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = NO + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = NO + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be +# extracted and appear in the documentation as a namespace called +# 'anonymous_namespace{file}', where file will be replaced with the base +# name of the file that contains the anonymous namespace. By default +# anonymous namespaces are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. +# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = YES + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. 
+ +HIDE_UNDOC_CLASSES = YES + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = YES + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. + +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen +# will list include files with double quotes in the documentation +# rather than with sharp brackets. + +FORCE_LOCAL_INCLUDES = NO + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. 
+ +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen +# will sort the (brief and detailed) documentation of class members so that +# constructors and destructors are listed first. If set to NO (the default) +# the constructors will appear in the respective orders defined by +# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. +# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO +# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. + +SORT_MEMBERS_CTORS_1ST = NO + +# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the +# hierarchy of group names into alphabetical order. If set to NO (the default) +# the group names will appear in their defined order. + +SORT_GROUP_NAMES = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. +# Note: This option applies only to the class list, not to the +# alphabetical list. 
+ +SORT_BY_SCOPE_NAME = NO + +# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to +# do proper type resolution of all parameters of a function it will reject a +# match between the prototype and the implementation of a member function even +# if there is only one candidate or it is obvious which candidate to choose +# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen +# will still accept a match between prototype and implementation in such cases. + +STRICT_PROTO_MATCHING = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if section-label ... \endif +# and \cond section-label ... \endcond blocks. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or macro consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. 
+# The appearance of the initializer of individual variables and macros in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. + +SHOW_USED_FILES = YES + +# Set the SHOW_FILES tag to NO to disable the generation of the Files page. +# This will remove the Files entry from the Quick Index and from the +# Folder Tree View (if specified). The default is YES. + +SHOW_FILES = YES + +# Set the SHOW_NAMESPACES tag to NO to disable the generation of the +# Namespaces page. +# This will remove the Namespaces entry from the Quick Index +# and from the Folder Tree View (if specified). The default is YES. + +SHOW_NAMESPACES = YES + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from +# the version control system). Doxygen will invoke the program by executing (via +# popen()) the command , where is the value of +# the FILE_VERSION_FILTER tag, and is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed +# by doxygen. The layout file controls the global structure of the generated +# output files in an output format independent way. To create the layout file +# that represents doxygen's defaults, run doxygen with the -l option. +# You can optionally specify a file name after the option, if omitted +# DoxygenLayout.xml will be used as the name of the layout file. 
+ +LAYOUT_FILE = + +# The CITE_BIB_FILES tag can be used to specify one or more bib files +# containing the references data. This must be a list of .bib files. The +# .bib extension is automatically appended if omitted. Using this command +# requires the bibtex tool to be installed. See also +# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style +# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this +# feature you need bibtex and perl available in the search path. Do not use +# file names with spaces, bibtex cannot handle them. + +CITE_BIB_FILES = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. + +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# The WARN_NO_PARAMDOC option can be enabled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. 
+
+WARN_NO_PARAMDOC = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = @abs_top_srcdir@/src/lib/idmap/sss_idmap.h
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
+# also the default input encoding. Doxygen uses libiconv (or the iconv built
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
+# the list of possible encodings.
+
+INPUT_ENCODING = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
+# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
+# *.f90 *.f *.for *.vhd *.vhdl
+
+FILE_PATTERNS = *.cpp \
+ *.cc \
+ *.c \
+ *.h \
+ *.hh \
+ *.hpp \
+ *.dox
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a UNIX file system feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS = */.git/* \
+ */.svn/* \
+ */cmake/* \
+ */build/*
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS =
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command , where
+# is the value of the INPUT_FILTER tag, and is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty or if
+# non of the patterns match the file name, INPUT_FILTER is applied.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
+# and it is also possible to disable source filtering for a specific pattern
+# using *.ext= (so without naming a filter). This option only has effect when
+# FILTER_SOURCE_FILES is enabled.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MD_FILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page (index.html).
+# This can be useful if you have a project on for instance GitHub and want reuse
+# the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C, C++ and Fortran comments will always remain visible.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.
+# Otherwise they will link to the documentation.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header. Note that when using a custom header you are responsible
+# for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
+
+HTML_HEADER =
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If left blank doxygen will
+# generate a default style sheet. Note that it is recommended to use
+# HTML_EXTRA_STYLESHEET instead of this one, as it is more robust and this
+# tag will in the future become obsolete.
+
+HTML_STYLESHEET =
+
+# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional
+# user-defined cascading style sheet that is included after the standard
+# style sheets created by doxygen. Using this option one can overrule
+# certain style aspects. This is preferred over using HTML_STYLESHEET
+# since it does not replace the standard style sheet and is therefor more
+# robust against future updates. Doxygen will copy the style sheet file to
+# the output directory.
+
+HTML_EXTRA_STYLESHEET =
+
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that
+# the files will be copied as-is; there are no commands or markers available.
+
+HTML_EXTRA_FILES =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
+# Doxygen will adjust the colors in the style sheet and background images
+# according to this color. Hue is specified as an angle on a colorwheel,
+# see http://en.wikipedia.org/wiki/Hue for more information.
+# For instance the value 0 represents red, 60 is yellow, 120 is green,
+# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
+# The allowed range is 0 to 359.
+
+HTML_COLORSTYLE_HUE = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
+# the colors in the HTML output. For a value of 0 the output will use
+# grayscales only. A value of 255 will produce the most vivid colors.
+
+HTML_COLORSTYLE_SAT = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
+# the luminance component of the colors in the HTML output. Values below
+# 100 gradually make the output lighter, whereas values above 100 make
+# the output darker. The value divided by 100 is the actual gamma applied,
+# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
+# and 100 does not change the gamma.
+
+HTML_COLORSTYLE_GAMMA = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP = NO
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+
+HTML_DYNAMIC_SECTIONS = NO
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of
+# entries shown in the various tree structured indices initially; the user
+# can expand and collapse entries dynamically later on. Doxygen will expand
+# the tree to such a level that at most the specified number of entries are
+# visible (unless a fully collapsed tree already exceeds this amount).
+# So setting the number of entries 1 will produce a full collapsed tree by
+# default. 0 is a special value representing an infinite number of entries
+# and will result in a full expanded tree by default.
+
+HTML_INDEX_NUM_ENTRIES = 100
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files
+# will be generated that can be used as input for Apple's Xcode 3
+# integrated development environment, introduced with OSX 10.5 (Leopard).
+# To create a documentation set, doxygen will generate a Makefile in the
+# HTML output directory. Running make will produce the docset in that
+# directory and running "make install" will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
+# it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
+
+GENERATE_DOCSET = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
+# feed. A documentation feed provides an umbrella under which multiple
+# documentation sets from a single provider (such as a company or product suite)
+# can be grouped.
+
+DOCSET_FEEDNAME = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
+# should uniquely identify the documentation set bundle. This should be a
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID = org.doxygen.Project
+
+# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely
+# identify the documentation publisher. This should be a reverse domain-name
+# style string, e.g. com.mycompany.MyDocSet.documentation.
+
+DOCSET_PUBLISHER_ID = org.doxygen.Publisher
+
+# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+
+DOCSET_PUBLISHER_NAME = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
+# that can be used as input for Qt's qhelpgenerator to generate a
+# Qt Compressed Help (.qch) of the generated HTML documentation.
+
+GENERATE_QHP = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
+
+QCH_FILE =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE =
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
+# add. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see
+#
+# Qt Help Project / Custom Filters.
+
+QHP_CUST_FILTER_ATTRS =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's
+# filter section matches.
+#
+# Qt Help Project / Filter Attributes.
+
+QHP_SECT_FILTER_ATTRS =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
+# will be generated, which together with the HTML files, form an Eclipse help
+# plugin. To install this plugin and make it available under the help contents
+# menu in Eclipse, the contents of the directory containing the HTML and XML
+# files needs to be copied into the plugins directory of eclipse. The name of
+# the directory within the plugins directory should be the same as
+# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
+# the help appears.
+
+GENERATE_ECLIPSEHELP = NO
+
+# A unique identifier for the eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have
+# this name.
+
+ECLIPSE_DOC_ID = org.doxygen.Project
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
+# at top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it. Since the tabs have the same information as the
+# navigation tree you can set this option to NO if you already set
+# GENERATE_TREEVIEW to YES.
+
+DISABLE_INDEX = NO
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to YES, a side panel will be generated
+# containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
+
+GENERATE_TREEVIEW = NONE
+
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
+
+ENUM_VALUES_PER_LINE = 4
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
+# links to external symbols imported via tag files in a separate window.
+
+EXT_LINKS_IN_WINDOW = NO
+
+# Use this tag to change the font size of Latex formulas included
+# as images in the HTML documentation. The default is 10. Note that
+# when you change the font size after a successful doxygen run you need
+# to manually remove any form_*.png images from the HTML output directory
+# to force them to be regenerated.
+
+FORMULA_FONTSIZE = 10
+
+# Use the FORMULA_TRANPARENT tag to determine whether or not the images
+# generated for formulas are transparent PNGs. Transparent PNGs are
+# not supported properly for IE 6.0, but are supported on all modern browsers.
+# Note that when changing this option you need to delete any form_*.png files
+# in the HTML output before the changes have effect.
+
+FORMULA_TRANSPARENT = YES
+
+# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax
+# (see http://www.mathjax.org) which uses client side Javascript for the
+# rendering instead of using prerendered bitmaps. Use this if you do not
+# have LaTeX installed or if you want to formulas look prettier in the HTML
+# output. When enabled you may also need to install MathJax separately and
+# configure the path to it using the MATHJAX_RELPATH option.
+
+USE_MATHJAX = NO
+
+# When MathJax is enabled you can set the default output format to be used for
+# thA MathJax output. Supported types are HTML-CSS, NativeMML (i.e. MathML) and
+# SVG. The default value is HTML-CSS, which is slower, but has the best
+# compatibility.
+
+MATHJAX_FORMAT = HTML-CSS
+
+# When MathJax is enabled you need to specify the location relative to the
+# HTML output directory using the MATHJAX_RELPATH option. The destination
+# directory should contain the MathJax.js script. For instance, if the mathjax
+# directory is located at the same level as the HTML output directory, then
+# MATHJAX_RELPATH should be ../mathjax. The default value points to
+# the MathJax Content Delivery Network so you can quickly see the result without
+# installing MathJax.
+# However, it is strongly recommended to install a local
+# copy of MathJax from http://www.mathjax.org before deployment.
+
+MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest
+
+# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension
+# names that should be enabled during MathJax rendering.
+
+MATHJAX_EXTENSIONS =
+
+# When the SEARCHENGINE tag is enabled doxygen will generate a search box
+# for the HTML output. The underlying search engine uses javascript
+# and DHTML and should work on any modern browser. Note that when using
+# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets
+# (GENERATE_DOCSET) there is already a search function so this one should
+# typically be disabled. For large projects the javascript based search engine
+# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution.
+
+SEARCHENGINE = NO
+
+# When the SERVER_BASED_SEARCH tag is enabled the search engine will be
+# implemented using a web server instead of a web client using Javascript.
+# There are two flavours of web server based search depending on the
+# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for
+# searching and an index file used by the script. When EXTERNAL_SEARCH is
+# enabled the indexing and searching needs to be provided by external tools.
+# See the manual for details.
+
+SERVER_BASED_SEARCH = NO
+
+# When EXTERNAL_SEARCH is enabled doxygen will no longer generate the PHP
+# script for searching. Instead the search results are written to an XML file
+# which needs to be processed by an external indexer. Doxygen will invoke an
+# external search engine pointed to by the SEARCHENGINE_URL option to obtain
+# the search results. Doxygen ships with an example indexer (doxyindexer) and
+# search engine (doxysearch.cgi) which are based on the open source search engine
+# library Xapian. See the manual for configuration details.
+
+EXTERNAL_SEARCH = NO
+
+# The SEARCHENGINE_URL should point to a search engine hosted by a web server
+# which will returned the search results when EXTERNAL_SEARCH is enabled.
+# Doxygen ships with an example search engine (doxysearch) which is based on
+# the open source search engine library Xapian. See the manual for configuration
+# details.
+
+SEARCHENGINE_URL =
+
+# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed
+# search data is written to a file for indexing by an external tool. With the
+# SEARCHDATA_FILE tag the name of this file can be specified.
+
+SEARCHDATA_FILE = searchdata.xml
+
+# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through other
+# doxygen projects that are not otherwise connected via tags files, but are
+# all added to the same search index. Each project needs to have a tag file set
+# via GENERATE_TAGFILE. The search mapping then maps the name of the tag file
+# to a relative location where the documentation can be found,
+# similar to the
+# TAGFILES option but without actually processing the tag file.
+# The format is: EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ...
+
+EXTRA_SEARCH_MAPPINGS =
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# generate Latex output.
+
+GENERATE_LATEX = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked. If left blank `latex' will be used as the default command name.
+# Note that when enabling USE_PDFLATEX this option is only used for
+# generating bitmaps for formulas in the HTML output, but not in the
+# Makefile that is written to the output directory.
+
+LATEX_CMD_NAME = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
+# default command name.
+
+MAKEINDEX_CMD_NAME = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_LATEX = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, letter, legal and
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER =
+
+# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for
+# the generated latex document. The footer should contain everything after
+# the last chapter. If it is left blank doxygen will generate a
+# standard footer. Notice: only use this tag if you know what you are doing!
+
+LATEX_FOOTER =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
+# higher quality PDF documentation.
+
+USE_PDFLATEX = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
+# in the output.
+
+LATEX_HIDE_INDICES = NO
+
+# If LATEX_SOURCE_CODE is set to YES then doxygen will include
+# source code with syntax highlighting in the LaTeX output.
+# Note that which sources are shown also depends on other settings
+# such as SOURCE_BROWSER.
+
+LATEX_SOURCE_CODE = NO
+
+# The LATEX_BIB_STYLE tag can be used to specify the style to use for the
+# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See
+# http://en.wikipedia.org/wiki/BibTeX for more info.
+
+LATEX_BIB_STYLE = plain
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
+# other RTF readers or editors.
+
+GENERATE_RTF = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_RTF = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS = NO
+
+# Load style sheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE =
+
+# Set optional variables used in the generation of an rtf document.
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# generate man pages
+
+GENERATE_MAN = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT = man
+
+# The MAN_EXTENSION tag determines the extension that is added to
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
+# would be unable to find the correct page. The default is NO.
+ +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. 
+ +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. +# This is useful +# if you want to understand what is going on. +# On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. 
Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# pointed to by INCLUDE_PATH will be searched when a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = DOXYGEN + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition that +# overrules the definition found in the source code. 
+ +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all references to function-like macros +# that are alone on a line, have an all uppercase name, and do not end with a +# semicolon, because these will confuse the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. For each +# tag file the location of the external documentation should be added. The +# format of a tag file without this location is as follows: +# +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths +# or URLs. Note that each tag file must have a unique name (where the name does +# NOT include the path). If a tag file is not located in the directory in which +# doxygen is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). 
+ +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option also works with HAVE_DOT disabled, but it is recommended to +# install and use dot, since it yields more powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is +# allowed to run in parallel. When set to 0 (the default) doxygen will +# base this on the number of processors available in the system. You can set it +# explicitly to a value larger than 0 to get control over the balance +# between CPU load and processing speed. 
+ +DOT_NUM_THREADS = 0 + +# By default doxygen will use the Helvetica font for all dot files that +# doxygen generates. When you want a differently looking font you can specify +# the font name using DOT_FONTNAME. You need to make sure dot is able to find +# the font, which can be done by putting it in a standard location or by setting +# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the +# directory containing the font. + +DOT_FONTNAME = FreeSans + +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + +# By default doxygen will tell dot to use the Helvetica font. +# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to +# set the path where dot can find it. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If the UML_LOOK tag is enabled, the fields and methods are shown inside +# the class node. If there are many fields or methods and many nodes the +# graph may become too big to be useful. 
The UML_LIMIT_NUM_FIELDS +# threshold limits the number of items for each type to make the size more +# managable. Set this to 0 for no limit. Note that the threshold may be +# exceeded by 50% before the limit is enforced. + +UML_LIMIT_NUM_FIELDS = 10 + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will generate a graphical hierarchy of all classes instead of a textual one. 
+ +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are svg, png, jpg, or gif. +# If left blank png will be used. If you choose svg you need to set +# HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible in IE 9+ (other browsers do not have this requirement). + +DOT_IMAGE_FORMAT = png + +# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to +# enable generation of interactive SVG images that allow zooming and panning. +# Note that this requires a modern browser other than Internet Explorer. +# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you +# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible. Older versions of IE do not have SVG support. + +INTERACTIVE_SVG = NO + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The MSCFILE_DIRS tag can be used to specify one or more directories that +# contain msc files that are included in the documentation (see the +# \mscfile command). + +MSCFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. 
Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). + +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES 
diff --git a/src/lib/idmap/sss_idmap.exports b/src/lib/idmap/sss_idmap.exports
new file mode 100644
index 0000000..8406777
--- /dev/null
+++ b/src/lib/idmap/sss_idmap.exports
@@ -0,0 +1,66 @@
+SSS_IDMAP_0.4 {
+
+ # public functions
+ global:
+
+ sss_idmap_init;
+ sss_idmap_ctx_set_autorid;
+ sss_idmap_ctx_set_lower;
+ sss_idmap_ctx_set_upper;
+ sss_idmap_ctx_set_rangesize;
+ sss_idmap_ctx_get_autorid;
+ sss_idmap_ctx_get_lower;
+ sss_idmap_ctx_get_upper;
+ sss_idmap_ctx_get_rangesize;
+ sss_idmap_calculate_range;
+ sss_idmap_add_domain;
+ sss_idmap_add_domain_ex;
+ sss_idmap_check_collision;
+ sss_idmap_check_collision_ex;
+ sss_idmap_sid_to_unix;
+ sss_idmap_dom_sid_to_unix;
+ sss_idmap_bin_sid_to_unix;
+ sss_idmap_smb_sid_to_unix;
+ sss_idmap_check_sid_unix;
+ sss_idmap_check_dom_sid_to_unix;
+ sss_idmap_check_bin_sid_unix;
+ sss_idmap_check_smb_sid_unix;
+ sss_idmap_unix_to_sid;
+ sss_idmap_unix_to_dom_sid;
+ sss_idmap_unix_to_bin_sid;
+ sss_idmap_free;
+ sss_idmap_free_sid;
+ sss_idmap_free_dom_sid;
+ sss_idmap_free_smb_sid;
+ sss_idmap_free_bin_sid;
+ idmap_error_string;
+ is_domain_sid;
+ sss_idmap_domain_has_algorithmic_mapping;
+ sss_idmap_domain_by_name_has_algorithmic_mapping;
+ sss_idmap_bin_sid_to_dom_sid;
+ sss_idmap_bin_sid_to_sid;
+ sss_idmap_dom_sid_to_bin_sid;
+ sss_idmap_sid_to_bin_sid;
+ sss_idmap_dom_sid_to_sid;
+ sss_idmap_sid_to_dom_sid;
+ sss_idmap_sid_to_smb_sid;
+ sss_idmap_smb_sid_to_sid;
+ sss_idmap_dom_sid_to_smb_sid;
+ sss_idmap_smb_sid_to_dom_sid;
+ sss_idmap_bin_sid_to_smb_sid;
+ sss_idmap_smb_sid_to_bin_sid;
+
+ # everything else is local
+ local:
+ *;
+};
+
+SSS_IDMAP_0.5 {
+
+ # public functions
+ global:
+
+ sss_idmap_ctx_set_extra_slice_init;
+ sss_idmap_add_auto_domain_ex;
+
+} SSS_IDMAP_0.4;
diff --git a/src/lib/idmap/sss_idmap.h b/src/lib/idmap/sss_idmap.h
new file mode 100644
index 0000000..9c27a16
--- /dev/null
+++ b/src/lib/idmap/sss_idmap.h
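Review bot: In src/lib/idmap/sss_idmap.exports the `global:` list of SSS_IDMAP_0.4 names `sss_idmap_check_dom_sid_to_unix;`, while its three siblings are `sss_idmap_check_sid_unix`, `sss_idmap_check_bin_sid_unix` and `sss_idmap_check_smb_sid_unix`, so this entry looks like a misspelling of `sss_idmap_check_dom_sid_unix`. Because the node ends with `local: *;`, a function whose real name is not matched under `global:` stays hidden from consumers of the shared library, and GNU ld by default accepts a version-script entry that matches no symbol, so the build would not flag it. The matching declaration in sss_idmap.h is outside the part of the patch visible here, so confirm the name there. If the function is `sss_idmap_check_dom_sid_unix`, add `sss_idmap_check_dom_sid_unix;` to a new version node rather than editing the existing 0.4 node, which presumably has already shipped.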
@@ -0,0 +1,962 @@ +/* + SSSD + + ID-mapping library + + Authors: + Sumit Bose + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_IDMAP_H_ +#define SSS_IDMAP_H_ + +#include +#include +#include +#include + +#define DOM_SID_PREFIX "S-1-5-21-" +#define DOM_SID_PREFIX_LEN (sizeof(DOM_SID_PREFIX) - 1) + +/** + * @defgroup sss_idmap Map Unix UIDs and GIDs to SIDs and back + * Libsss_idmap provides a mechanism to translate a SID to a UNIX UID or GID + * or the other way round. 
+ * @{ + */ + +/** + * Error codes used by libsss_idmap + */ +enum idmap_error_code { + /** Success */ + IDMAP_SUCCESS = 0, + + /** Function is not yet implemented */ + IDMAP_NOT_IMPLEMENTED, + + /** General error */ + IDMAP_ERROR, + + /** Ran out of memory during processing */ + IDMAP_OUT_OF_MEMORY, + + /** No domain added */ + IDMAP_NO_DOMAIN, + + /** The provided idmap context is invalid */ + IDMAP_CONTEXT_INVALID, + + /** The provided SID is invalid */ + IDMAP_SID_INVALID, + + /** The provided SID was not found */ + IDMAP_SID_UNKNOWN, + + /** The provided UID or GID could not be mapped */ + IDMAP_NO_RANGE, + + /** The provided SID is a built-in one */ + IDMAP_BUILTIN_SID, + + /** No more free slices */ + IDMAP_OUT_OF_SLICES, + + /** New domain collides with existing one */ + IDMAP_COLLISION, + + /** External source should be consulted for idmapping */ + IDMAP_EXTERNAL, + + /** The provided name was not found */ + IDMAP_NAME_UNKNOWN, + + /** Sentinel to indicate the end of the error code list, not returned by + * any call */ + IDMAP_ERR_LAST +}; + +/** + * Typedef for memory allocation functions + */ +typedef void *(idmap_alloc_func)(size_t size, void *pvt); +typedef void (idmap_free_func)(void *ptr, void *pvt); + +/** + * Typedef for storing mappings of dynamically created domains + */ +typedef enum idmap_error_code (*idmap_store_cb)(const char *dom_name, + const char *dom_sid, + const char *range_id, + uint32_t min_id, + uint32_t max_id, + uint32_t first_rid, + void *pvt); + +/** + * Structure for id ranges + * FIXME: this struct might change when it is clear how ranges are handled on + * the server side + */ +struct sss_idmap_range { + uint32_t min; + uint32_t max; +}; + +/** + * Opaque type for SIDs + */ +struct sss_dom_sid; + +/** + * Opaque type for the idmap context + */ +struct sss_idmap_ctx; + +/** + * Placeholder for Samba's struct dom_sid. Consumers of libsss_idmap should + * include an appropriate Samba header file to define struct dom_sid. 
We use + * it here to avoid a hard dependency on Samba devel packages. + */ +struct dom_sid; + +/** + * @brief Initialize idmap context + * + * @param[in] alloc_func Function to allocate memory for the context, if + * NULL malloc() id used + * @param[in] alloc_pvt Private data for allocation routine + * @param[in] free_func Function to free the memory the context, if + * NULL free() id used + * @param[out] ctx idmap context + * + * @return + * - #IDMAP_OUT_OF_MEMORY: Insufficient memory to create the context + */ +enum idmap_error_code sss_idmap_init(idmap_alloc_func *alloc_func, + void *alloc_pvt, + idmap_free_func *free_func, + struct sss_idmap_ctx **ctx); + +/** + * @brief Set/unset autorid compatibility mode + * + * @param[in] ctx idmap context + * @param[in] use_autorid If true, autorid compatibility mode will be used + */ +enum idmap_error_code +sss_idmap_ctx_set_autorid(struct sss_idmap_ctx *ctx, bool use_autorid); + +/** + * @brief Set the lower bound of the range of POSIX IDs + * + * @param[in] ctx idmap context + * @param[in] lower lower bound of the range + */ +enum idmap_error_code +sss_idmap_ctx_set_lower(struct sss_idmap_ctx *ctx, id_t lower); + +/** + * @brief Set the upper bound of the range of POSIX IDs + * + * @param[in] ctx idmap context + * @param[in] upper upper bound of the range + */ +enum idmap_error_code +sss_idmap_ctx_set_upper(struct sss_idmap_ctx *ctx, id_t upper); + +/** + * @brief Set the range size of POSIX IDs available for single domain + * + * @param[in] ctx idmap context + * @param[in] rangesize range size of IDs + */ +enum idmap_error_code +sss_idmap_ctx_set_rangesize(struct sss_idmap_ctx *ctx, id_t rangesize); + +/** + * @brief Set the number of secondary slices available for domain + * + * @param[in] ctx idmap context + * @param[in] extra_slice_init number of secondary slices to be generated + * at startup + */ +enum idmap_error_code +sss_idmap_ctx_set_extra_slice_init(struct sss_idmap_ctx *ctx, + int extra_slice_init); + +/** 
+ * @brief Check if autorid compatibility mode is set + * + * @param[in] ctx idmap context + * @param[out] _autorid true if autorid is used + */ +enum idmap_error_code +sss_idmap_ctx_get_autorid(struct sss_idmap_ctx *ctx, bool *_autorid); + +/** + * @brief Get the lower bound of the range of POSIX IDs + * + * @param[in] ctx idmap context + * @param[out] _lower returned lower bound + */ +enum idmap_error_code +sss_idmap_ctx_get_lower(struct sss_idmap_ctx *ctx, id_t *_lower); + +/** + * @brief Get the upper bound of the range of POSIX IDs + * + * @param[in] ctx idmap context + * @param[out] _upper returned upper bound + */ +enum idmap_error_code +sss_idmap_ctx_get_upper(struct sss_idmap_ctx *ctx, id_t *_upper); + +/** + * @brief Get the range size of POSIX IDs available for single domain + * + * @param[in] ctx idmap context + * @param[out] rangesize returned range size + */ +enum idmap_error_code +sss_idmap_ctx_get_rangesize(struct sss_idmap_ctx *ctx, id_t *rangesize); + +/** + * @brief Calculate new range of available POSIX IDs + * + * @param[in] ctx Idmap context + * @param[in] dom_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) + * @param[in,out] slice_num Slice number to be used. Set this pointer to NULL or + * the addressed value to -1 to calculate slice number + * automatically. The calculated value will be + * returned in this parameter. + * @param[out] range Structure containing upper and lower bound of the + * range of POSIX IDs + * + * @return + * - #IDMAP_OUT_OF_SLICES: Cannot calculate new range because all slices are + * used. 
+ */ +enum idmap_error_code sss_idmap_calculate_range(struct sss_idmap_ctx *ctx, + const char *dom_sid, + id_t *slice_num, + struct sss_idmap_range *range); + +/** + * @brief Add a domain to the idmap context + * + * @param[in] ctx Idmap context + * @param[in] domain_name Zero-terminated string with the domain name + * @param[in] domain_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) + * @param[in] range TBD Some information about the id ranges of this + * domain + * + * @return + * - #IDMAP_OUT_OF_MEMORY: Insufficient memory to store the data in the idmap + * context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_NO_DOMAIN: No domain domain name given + * - #IDMAP_COLLISION: New domain collides with existing one + */ +enum idmap_error_code sss_idmap_add_domain(struct sss_idmap_ctx *ctx, + const char *domain_name, + const char *domain_sid, + struct sss_idmap_range *range); + +/** + * @brief Add a domain with the first mappable RID to the idmap context + * + * @param[in] ctx Idmap context + * @param[in] domain_name Zero-terminated string with the domain name + * @param[in] domain_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) + * @param[in] range TBD Some information about the id ranges of this + * domain + * @param[in] range_id optional unique identifier of a range, it is needed + * to allow updates at runtime + * @param[in] rid The RID that should be mapped to the first ID of the + * given range. + * @param[in] external_mapping If set to true the ID will not be mapped + * algorithmically, but the *_to_unix and *_unix_to_* + * calls will return IDMAP_EXTERNAL to instruct the + * caller to check external sources. For a single + * domain all ranges must be of the same type. It is + * not possible to mix algorithmic and external + * mapping. 
+ * + * @return + * - #IDMAP_OUT_OF_MEMORY: Insufficient memory to store the data in the idmap + * context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_NO_DOMAIN: No domain domain name given + * - #IDMAP_COLLISION: New domain collides with existing one + */ +enum idmap_error_code sss_idmap_add_domain_ex(struct sss_idmap_ctx *ctx, + const char *domain_name, + const char *domain_sid, + struct sss_idmap_range *range, + const char *range_id, + uint32_t rid, + bool external_mapping); + +/** + * @brief Add a domain with the first mappable RID to the idmap context and + * generate automatically secondary slices + * + * @param[in] ctx Idmap context + * @param[in] domain_name Zero-terminated string with the domain name + * @param[in] domain_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) + * @param[in] range TBD Some information about the id ranges of this + * domain + * @param[in] range_id optional unique identifier of a range, it is needed + * to allow updates at runtime + * @param[in] rid The RID that should be mapped to the first ID of the + * given range. + * @param[in] external_mapping If set to true the ID will not be mapped + * algorithmically, but the *_to_unix and *_unix_to_* + * calls will return IDMAP_EXTERNAL to instruct the + * caller to check external sources. For a single + * domain all ranges must be of the same type. It is + * not possible to mix algorithmic and external + * mapping. + * @param[in] cb The callback for storing mapping of dynamically + * created domains. + * @param[in] pvt Private data for callback cb. 
+ * + * @return + * - #IDMAP_OUT_OF_MEMORY: Insufficient memory to store the data in the idmap + * context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_NO_DOMAIN: No domain domain name given + * - #IDMAP_COLLISION: New domain collides with existing one + */ +enum idmap_error_code +sss_idmap_add_auto_domain_ex(struct sss_idmap_ctx *ctx, + const char *domain_name, + const char *domain_sid, + struct sss_idmap_range *range, + const char *range_id, + uint32_t rid, + bool external_mapping, + idmap_store_cb cb, + void *pvt); + +/** + * @brief Check if a new range would collide with any existing one + * + * @param[in] ctx Idmap context + * @param[in] n_name Zero-terminated string with the domain name the new + * range should belong to + * @param[in] n_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) the new range sould belong to + * @param[in] n_range The new id range + * @param[in] n_range_id unique identifier of the new range, it is needed + * to allow updates at runtime, may be NULL + * @param[in] n_first_rid The RID that should be mapped to the first ID of the + * new range. + * @param[in] n_external_mapping Mapping type of the new range + * + * @return + * - #IDMAP_COLLISION: New range collides with existing one + */ +enum idmap_error_code sss_idmap_check_collision(struct sss_idmap_ctx *ctx, + char *n_name, char *n_sid, + struct sss_idmap_range *n_range, + uint32_t n_first_rid, + char *n_range_id, + bool n_external_mapping); + +/** + * @brief Check if two ranges would collide + * + * @param[in] o_name Zero-terminated string with the domain name the + * first range should belong to + * @param[in] o_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) 
the first range sould belong to + * @param[in] o_range The first id range + * @param[in] o_range_id unique identifier of the first range, it is needed + * to allow updates at runtime, may be NULL + * @param[in] o_first_rid The RID that should be mapped to the first ID of the + * first range. + * @param[in] o_external_mapping Mapping type of the first range + * @param[in] n_name Zero-terminated string with the domain name the + * second range should belong to + * @param[in] n_sid Zero-terminated string representation of the domain + * SID (S-1-15-.....) the second range sould belong to + * @param[in] n_range The second id range + * @param[in] n_range_id unique identifier of the second range, it is needed + * to allow updates at runtime, may be NULL + * @param[in] n_first_rid The RID that should be mapped to the first ID of the + * second range. + * @param[in] n_external_mapping Mapping type of the second range + * + * @return + * - #IDMAP_COLLISION: New range collides with existing one + */ +enum idmap_error_code sss_idmap_check_collision_ex(const char *o_name, + const char *o_sid, + struct sss_idmap_range *o_range, + uint32_t o_first_rid, + const char *o_range_id, + bool o_external_mapping, + const char *n_name, + const char *n_sid, + struct sss_idmap_range *n_range, + uint32_t n_first_rid, + const char *n_range_id, + bool n_external_mapping); +/** + * @brief Translate SID to a unix UID or GID + * + * @param[in] ctx Idmap context + * @param[in] sid Zero-terminated string representation of the SID + * @param[out] id Returned unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx, + const char *sid, + uint32_t *id); + +/** + * @brief Translate a 
SID stucture to a unix UID or GID + * + * @param[in] ctx Idmap context + * @param[in] dom_sid SID structure + * @param[out] id Returned unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_dom_sid_to_unix(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + uint32_t *id); + +/** + * @brief Translate a binary SID to a unix UID or GID + * + * @param[in] ctx Idmap context + * @param[in] bin_sid Array with the binary SID + * @param[in] length Size of the array containing the binary SID + * @param[out] id Returned unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_bin_sid_to_unix(struct sss_idmap_ctx *ctx, + uint8_t *bin_sid, + size_t length, + uint32_t *id); + +/** + * @brief Translate a Samba dom_sid stucture to a unix UID or GID + * + * @param[in] ctx Idmap context + * @param[in] smb_sid Samba dom_sid structure + * @param[out] id Returned unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_smb_sid_to_unix(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + uint32_t *id); + +/** + * @brief Check if a SID and a unix UID or GID belong to the same range + * + * @param[in] ctx Idmap context + * @param[in] 
sid Zero-terminated string representation of the SID + * @param[in] id Unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_NO_RANGE No matching ID range found + */ +enum idmap_error_code sss_idmap_check_sid_unix(struct sss_idmap_ctx *ctx, + const char *sid, + uint32_t id); + +/** + * @brief Check if a SID structure and a unix UID or GID belong to the same range + * + * @param[in] ctx Idmap context + * @param[in] dom_sid SID structure + * @param[in] id Unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_NO_RANGE No matching ID range found + */ +enum idmap_error_code sss_idmap_check_dom_sid_unix(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + uint32_t id); + +/** + * @brief Check if a binary SID and a unix UID or GID belong to the same range + * + * @param[in] ctx Idmap context + * @param[in] bin_sid Array with the binary SID + * @param[in] length Size of the array containing the binary SID + * @param[in] id Unix UID or GID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_NO_RANGE No matching ID range found + */ +enum idmap_error_code sss_idmap_check_bin_sid_unix(struct sss_idmap_ctx *ctx, + uint8_t *bin_sid, + size_t length, + uint32_t id); + +/** + * @brief Check if a Samba dom_sid structure and a unix UID or GID belong to + * the same range + * + * @param[in] ctx Idmap context + * @param[in] smb_sid Samba dom_sid structure + * @param[in] id Unix UID or GID + * + * @return + * - 
#IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_SID_INVALID: Invalid SID provided + * - #IDMAP_SID_UNKNOWN: SID cannot be found in the domains added to the + * idmap context + * - #IDMAP_NO_RANGE No matching ID range found + */ +enum idmap_error_code sss_idmap_check_smb_sid_unix(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + uint32_t id); + +/** + * @brief Translate unix UID or GID to a SID + * + * @param[in] ctx Idmap context + * @param[in] id unix UID or GID + * @param[out] sid Zero-terminated string representation of the SID, must be + * freed if not needed anymore + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_NO_RANGE: The provided ID cannot be found in the domains added + * to the idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_unix_to_sid(struct sss_idmap_ctx *ctx, + uint32_t id, + char **sid); + +/** + * @brief Translate unix UID or GID to a SID structure + * + * @param[in] ctx Idmap context + * @param[in] id unix UID or GID + * @param[out] dom_sid SID structure, must be freed if not needed anymore + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_NO_RANGE: The provided ID cannot be found in the domains added + * to the idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_unix_to_dom_sid(struct sss_idmap_ctx *ctx, + uint32_t id, + struct sss_dom_sid **dom_sid); + +/** + * @brief Translate unix UID or GID to a binary SID + * + * @param[in] ctx Idmap context + * @param[in] id unix UID or GID + * @param[out] bin_sid Array with the binary SID, + * must be freed if not needed anymore + * @param[out] length size of the array containing the binary SID + * + * @return + * - #IDMAP_NO_DOMAIN: No domains are added to the idmap context + * - #IDMAP_NO_RANGE: The provided ID cannot be found in the domains 
added + * to the idmap context + * - #IDMAP_EXTERNAL: external source is authoritative for mapping + */ +enum idmap_error_code sss_idmap_unix_to_bin_sid(struct sss_idmap_ctx *ctx, + uint32_t id, + uint8_t **bin_sid, + size_t *length); + +/** + * @brief Free all the allocated memory of the idmap context + * + * @param[in] ctx Idmap context + * + * @return + * - #IDMAP_CONTEXT_INVALID: Provided context is invalid + */ +enum idmap_error_code sss_idmap_free(struct sss_idmap_ctx *ctx); + +/** + * @brief Free mapped SID. + * + * @param[in] ctx Idmap context + * @param[in] sid SID to be freed. + * + * @return + * - #IDMAP_CONTEXT_INVALID: Provided context is invalid + */ +enum idmap_error_code sss_idmap_free_sid(struct sss_idmap_ctx *ctx, + char *sid); + +/** + * @brief Free mapped domain SID. + * + * @param[in] ctx Idmap context + * @param[in] dom_sid Domain SID to be freed. + * + * @return + * - #IDMAP_CONTEXT_INVALID: Provided context is invalid + */ +enum idmap_error_code sss_idmap_free_dom_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid); + +/** + * @brief Free mapped Samba SID. + * + * @param[in] ctx Idmap context + * @param[in] smb_sid Samba SID to be freed. + * + * @return + * - #IDMAP_CONTEXT_INVALID: Provided context is invalid + */ +enum idmap_error_code sss_idmap_free_smb_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid); + +/** + * @brief Free mapped binary SID. + * + * @param[in] ctx Idmap context + * @param[in] bin_sid Binary SID to be freed. 
+ * + * @return + * - #IDMAP_CONTEXT_INVALID: Provided context is invalid + */ +enum idmap_error_code sss_idmap_free_bin_sid(struct sss_idmap_ctx *ctx, + uint8_t *bin_sid); + +/** + * @brief Translate error code to a string + * + * @param[in] err Idmap error code + * + * @return + * - Error description as a zero-terminated string + */ +const char *idmap_error_string(enum idmap_error_code err); + +/** + * @brief Check if given string can be used as domain SID + * + * @param[in] str String to check + * + * @return + * - true: String can be used as domain SID + * - false: String can not be used as domain SID + */ +bool is_domain_sid(const char *str); + +/** + * @brief Check if a domain is configured with algorithmic mapping + * + * @param[in] ctx Idmap context + * @param[in] dom_sid SID string, can be either a domain SID + * or an object SID + * @param[out] has_algorithmic_mapping Boolean value indicating if the given + * domain is configured for algorithmic + * mapping or not. + * + * @return + * - #IDMAP_SUCCESS: Domain for the given SID was found and + * has_algorithmic_mapping is set accordingly + * - #IDMAP_SID_INVALID: Provided SID is invalid + * - #IDMAP_CONTEXT_INVALID: Provided idmap context is invalid + * - #IDMAP_NO_DOMAIN: No domains are available in the idmap context + * - #IDMAP_SID_UNKNOWN: No domain with the given SID was found in the + * idmap context + */ +enum idmap_error_code +sss_idmap_domain_has_algorithmic_mapping(struct sss_idmap_ctx *ctx, + const char *dom_sid, + bool *has_algorithmic_mapping); + +/** + * @brief Check if a domain is configured with algorithmic mapping + * + * @param[in] ctx Idmap context + * @param[in] dom_name Name of the domain + * @param[out] has_algorithmic_mapping Boolean value indicating if the given + * domain is configured for algorithmic + * mapping or not. 
+ * + * @return + * - #IDMAP_SUCCESS: Domain for the given name was found and + * has_algorithmic_mapping is set accordingly + * - #IDMAP_ERROR: Provided name is invalid + * - #IDMAP_CONTEXT_INVALID: Provided idmap context is invalid + * - #IDMAP_NO_DOMAIN: No domains are available in the idmap context + * - #IDMAP_NAME_UNKNOWN: No domain with the given name was found in the + * idmap context + */ +enum idmap_error_code +sss_idmap_domain_by_name_has_algorithmic_mapping(struct sss_idmap_ctx *ctx, + const char *dom_name, + bool *has_algorithmic_mapping); + +/** + * @brief Convert binary SID to SID structure + * + * @param[in] ctx Idmap context + * @param[in] bin_sid Array with the binary SID + * @param[in] length Size of the array containing the binary SID + * @param[out] dom_sid SID structure, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx, + const uint8_t *bin_sid, + size_t length, + struct sss_dom_sid **dom_sid); + +/** + * @brief Convert binary SID to SID string + * + * @param[in] ctx Idmap context + * @param[in] bin_sid Array with the binary SID + * @param[in] length Size of the array containing the binary SID + * @param[out] sid Zero-terminated string representation of the SID, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_bin_sid_to_sid(struct sss_idmap_ctx *ctx, + const uint8_t *bin_sid, + size_t length, + char **sid); + +/** + * @brief Convert SID structure to binary SID + * + * @param[in] ctx Idmap context + * @param[in] dom_sid SID structure + * @param[out] bin_sid Array with the binary SID, + * must be freed if not needed anymore + * @param[out] length Size of the array containing the 
binary SID + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_dom_sid_to_bin_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + uint8_t **bin_sid, + size_t *length); + +/** + * @brief Convert SID string to binary SID + * + * @param[in] ctx Idmap context + * @param[in] sid Zero-terminated string representation of the SID + * @param[out] bin_sid Array with the binary SID, + * must be freed if not needed anymore + * @param[out] length Size of the array containing the binary SID + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_sid_to_bin_sid(struct sss_idmap_ctx *ctx, + const char *sid, + uint8_t **bin_sid, + size_t *length); + +/** + * @brief Convert SID structure to SID string + * + * @param[in] ctx Idmap context + * @param[in] dom_sid SID structure + * @param[out] sid Zero-terminated string representation of the SID, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + char **sid); + +/** + * @brief Convert SID string to SID structure + * + * @param[in] ctx Idmap context + * @param[in] sid Zero-terminated string representation of the SID + * @param[out] dom_sid SID structure, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx, + const char *sid, + struct sss_dom_sid **dom_sid); + +/** + * @brief Convert SID string to Samba dom_sid structure + * + * @param[in] ctx Idmap context + * @param[in] 
sid Zero-terminated string representation of the SID + * @param[out] smb_sid Samba dom_sid structure, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_sid_to_smb_sid(struct sss_idmap_ctx *ctx, + const char *sid, + struct dom_sid **smb_sid); + +/** + * @brief Convert Samba dom_sid structure to SID string + * + * @param[in] ctx Idmap context + * @param[in] smb_sid Samba dom_sid structure + * @param[out] sid Zero-terminated string representation of the SID, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_smb_sid_to_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + char **sid); + +/** + * @brief Convert SID stucture to Samba dom_sid structure + * + * @param[in] ctx Idmap context + * @param[in] dom_sid SID structure + * @param[out] smb_sid Samba dom_sid structure, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_dom_sid_to_smb_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + struct dom_sid **smb_sid); + +/** + * @brief Convert Samba dom_sid structure to SID structure + * + * @param[in] ctx Idmap context + * @param[in] smb_sid Samba dom_sid structure + * @param[out] dom_sid SID structure, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_smb_sid_to_dom_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + struct sss_dom_sid **dom_sid); + +/** + * @brief Convert binary SID to Samba dom_sid structure + * + * 
@param[in] ctx Idmap context + * @param[in] bin_sid Array with the binary SID + * @param[in] length Size of the array containing the binary SID + * @param[out] smb_sid Samba dom_sid structure, + * must be freed if not needed anymore + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_bin_sid_to_smb_sid(struct sss_idmap_ctx *ctx, + const uint8_t *bin_sid, + size_t length, + struct dom_sid **smb_sid); + +/** + * @brief Convert Samba dom_sid structure to binary SID + * + * @param[in] ctx Idmap context + * @param[in] smb_sid Samba dom_sid structure + * @param[out] bin_sid Array with the binary SID, + * must be freed if not needed anymore + * @param[out] length Size of the array containing the binary SID + * + * @return + * - #IDMAP_SID_INVALID: Given SID is invalid + * - #IDMAP_OUT_OF_MEMORY: Failed to allocate memory for the result + */ +enum idmap_error_code sss_idmap_smb_sid_to_bin_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + uint8_t **bin_sid, + size_t *length); +/** + * @} + */ +#endif /* SSS_IDMAP_H_ */ diff --git a/src/lib/idmap/sss_idmap.pc.in b/src/lib/idmap/sss_idmap.pc.in new file mode 100644 index 0000000..c5cc564 --- /dev/null +++ b/src/lib/idmap/sss_idmap.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: sss_idmap +Description: SSS idmap (SID <-> uid,gid) library +Version: @VERSION@ +Libs: -L${libdir} -lsss_idmap +Cflags: +URL: https://pagure.io/SSSD/sssd/ diff --git a/src/lib/idmap/sss_idmap_conv.c b/src/lib/idmap/sss_idmap_conv.c new file mode 100644 index 0000000..fd06b23 --- /dev/null +++ b/src/lib/idmap/sss_idmap_conv.c 
@@ -0,0 +1,569 @@ +/* + SSSD + + ID-mapping library - conversion utilities + + Authors: + Sumit Bose + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "lib/idmap/sss_idmap.h" +#include "lib/idmap/sss_idmap_private.h" +#include "util/util.h" +#include "util/sss_endian.h" + +#define SID_ID_AUTHS 6 +#define SID_SUB_AUTHS 15 +struct sss_dom_sid { + uint8_t sid_rev_num; + int8_t num_auths; /* [range(0,15)] */ + uint8_t id_auth[SID_ID_AUTHS]; /* highest order byte has index 0 */ + uint32_t sub_auths[SID_SUB_AUTHS]; /* host byte-order */ +}; + +enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx, + const uint8_t *bin_sid, + size_t length, + struct sss_dom_sid **_dom_sid) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid; + size_t i = 0; + size_t p = 0; + uint32_t val; + + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + + if (length > sizeof(struct sss_dom_sid)) return IDMAP_SID_INVALID; + + dom_sid = ctx->alloc_func(sizeof(struct sss_dom_sid), ctx->alloc_pvt); + if (dom_sid == NULL) { + return IDMAP_OUT_OF_MEMORY; + } + memset(dom_sid, 0, sizeof(struct sss_dom_sid)); + + /* Safely copy in the SID revision number */ + dom_sid->sid_rev_num = (uint8_t) *(bin_sid + p); + p++; + + /* Safely copy in the number of sub auth values */ + dom_sid->num_auths = (uint8_t) *(bin_sid + p); + p++; + + /* Make sure we 
aren't being told to read more bin_sid + * than can fit in the structure + */ + if (dom_sid->num_auths > SID_SUB_AUTHS) { + err = IDMAP_SID_INVALID; + goto done; + } + + /* Safely copy in the id_auth values */ + for (i = 0; i < SID_ID_AUTHS; i++) { + dom_sid->id_auth[i] = (uint8_t) *(bin_sid + p); + p++; + } + + /* Safely copy in the sub_auths values */ + for (i = 0; i < dom_sid->num_auths; i++) { + /* SID sub auth values in Active Directory are stored little-endian, + * we store them in host order */ + SAFEALIGN_COPY_UINT32(&val, bin_sid + p, &p); + dom_sid->sub_auths[i] = le32toh(val); + } + + *_dom_sid = dom_sid; + err = IDMAP_SUCCESS; + +done: + if (err != IDMAP_SUCCESS) { + ctx->free_func(dom_sid, ctx->alloc_pvt); + } + return err; +} + +enum idmap_error_code sss_idmap_dom_sid_to_bin_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + uint8_t **_bin_sid, + size_t *_length) +{ + enum idmap_error_code err; + uint8_t *bin_sid; + size_t length; + size_t i = 0; + size_t p = 0; + uint32_t val; + + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + + if (dom_sid->num_auths > SID_SUB_AUTHS) { + return IDMAP_SID_INVALID; + } + + length = 2 + SID_ID_AUTHS + dom_sid->num_auths * 4; + + bin_sid = ctx->alloc_func(length, ctx->alloc_pvt); + if (bin_sid == NULL) { + return IDMAP_OUT_OF_MEMORY; + } + + bin_sid[p] = dom_sid->sid_rev_num; + p++; + + bin_sid[p] = dom_sid->num_auths; + p++; + + for (i = 0; i < SID_ID_AUTHS; i++) { + bin_sid[p] = dom_sid->id_auth[i]; + p++; + } + + for (i = 0; i < dom_sid->num_auths; i++) { + if (p + sizeof(uint32_t) > length) { + err = IDMAP_SID_INVALID; + goto done; + } + val = htole32(dom_sid->sub_auths[i]); + SAFEALIGN_COPY_UINT32(bin_sid + p, &val, &p); + } + + *_bin_sid = bin_sid; + *_length = length; + + err = IDMAP_SUCCESS; +done: + if (err != IDMAP_SUCCESS) { + ctx->free_func(bin_sid, ctx->alloc_pvt); + } + return err; +} + +enum idmap_error_code sss_idmap_dom_sid_to_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + 
char **_sid) +{ + enum idmap_error_code err; + char *sid_buf; + size_t sid_buf_len; + char *p; + int nc; + int8_t i; + uint32_t id_auth_val = 0; + + if (dom_sid->num_auths > SID_SUB_AUTHS) { + return IDMAP_SID_INVALID; + } + + sid_buf_len = 25 + dom_sid->num_auths * 11; + sid_buf = ctx->alloc_func(sid_buf_len, ctx->alloc_pvt); + if (sid_buf == NULL) { + return IDMAP_OUT_OF_MEMORY; + } + memset(sid_buf, 0, sid_buf_len); + + /* Only 32bits are used for the string representation */ + id_auth_val = (dom_sid->id_auth[2] << 24) + + (dom_sid->id_auth[3] << 16) + + (dom_sid->id_auth[4] << 8) + + (dom_sid->id_auth[5]); + + nc = snprintf(sid_buf, sid_buf_len, "S-%u-%lu", dom_sid->sid_rev_num, + (unsigned long) id_auth_val); + if (nc < 0 || nc >= sid_buf_len) { + err = IDMAP_SID_INVALID; + goto done; + } + + + /* Loop through the sub-auths, if any, prepending a hyphen + * for each one. + */ + p = sid_buf; + for (i = 0; i < dom_sid->num_auths ; i++) { + p += nc; + sid_buf_len -= nc; + + nc = snprintf(p, sid_buf_len, "-%lu", + (unsigned long) dom_sid->sub_auths[i]); + if (nc < 0 || nc >= sid_buf_len) { + err = IDMAP_SID_INVALID; + goto done; + } + } + + *_sid = sid_buf; + err = IDMAP_SUCCESS; + +done: + if (err != IDMAP_SUCCESS) { + ctx->free_func(sid_buf, ctx->alloc_pvt); + } + + return err; +} + +enum idmap_error_code sss_idmap_sid_to_dom_sid(struct sss_idmap_ctx *ctx, + const char *sid, + struct sss_dom_sid **_dom_sid) +{ + enum idmap_error_code err; + unsigned long ul; + char *r; + char *end; + struct sss_dom_sid *dom_sid; + + CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID); + + if (sid == NULL || (sid[0] != 'S' && sid[0] != 's') || sid[1] != '-') { + return IDMAP_SID_INVALID; + } + + dom_sid = ctx->alloc_func(sizeof(struct sss_dom_sid), ctx->alloc_pvt); + if (dom_sid == NULL) { + return IDMAP_OUT_OF_MEMORY; + } + memset(dom_sid, 0, sizeof(struct sss_dom_sid)); + + + if (!isdigit(sid[2])) { + err = IDMAP_SID_INVALID; + goto done; + } + errno = 0; + ul = strtoul(sid + 2, &r, 
10); + if (errno != 0 || r == NULL || *r != '-' || ul > UINT8_MAX) { + err = IDMAP_SID_INVALID; + goto done; + } + dom_sid->sid_rev_num = (uint8_t) ul; + r++; + + if (!isdigit(*r)) { + err = IDMAP_SID_INVALID; + goto done; + } + errno = 0; + ul = strtoul(r, &r, 10); + if (errno != 0 || r == NULL || ul > UINT32_MAX) { + err = IDMAP_SID_INVALID; + goto done; + } + + /* id_auth in the string should always be <2^32 in decimal */ + /* store values in the same order as the binary representation */ + dom_sid->id_auth[0] = 0; + dom_sid->id_auth[1] = 0; + dom_sid->id_auth[2] = (ul & 0xff000000) >> 24; + dom_sid->id_auth[3] = (ul & 0x00ff0000) >> 16; + dom_sid->id_auth[4] = (ul & 0x0000ff00) >> 8; + dom_sid->id_auth[5] = (ul & 0x000000ff); + + if (*r == '\0') { + /* no sub auths given */ + err = IDMAP_SUCCESS; + goto done; + } + + if (*r != '-') { + err = IDMAP_SID_INVALID; + goto done; + } + + do { + if (dom_sid->num_auths >= SID_SUB_AUTHS) { + err = IDMAP_SID_INVALID; + goto done; + } + + r++; + if (!isdigit(*r)) { + err = IDMAP_SID_INVALID; + goto done; + } + + errno = 0; + ul = strtoul(r, &end, 10); + if (errno != 0 || ul > UINT32_MAX || end == NULL || + (*end != '\0' && *end != '-')) { + err = IDMAP_SID_INVALID; + goto done; + } + + dom_sid->sub_auths[dom_sid->num_auths++] = ul; + + r = end; + } while (*r != '\0'); + + err = IDMAP_SUCCESS; + +done: + if (err != IDMAP_SUCCESS) { + ctx->free_func(dom_sid, ctx->alloc_pvt); + } else { + *_dom_sid = dom_sid; + } + + return err; +} + +enum idmap_error_code sss_idmap_sid_to_bin_sid(struct sss_idmap_ctx *ctx, + const char *sid, + uint8_t **_bin_sid, + size_t *_length) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + size_t length; + uint8_t *bin_sid = NULL; + + err = sss_idmap_sid_to_dom_sid(ctx, sid, &dom_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_dom_sid_to_bin_sid(ctx, dom_sid, &bin_sid, &length); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_length = length; + 
*_bin_sid = bin_sid; + err = IDMAP_SUCCESS; + +done: + ctx->free_func(dom_sid, ctx->alloc_pvt); + if (err != IDMAP_SUCCESS) { + ctx->free_func(bin_sid, ctx->alloc_pvt); + } + + return err; +} + +enum idmap_error_code sss_idmap_bin_sid_to_sid(struct sss_idmap_ctx *ctx, + const uint8_t *bin_sid, + size_t length, + char **_sid) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + char *sid = NULL; + + err = sss_idmap_bin_sid_to_dom_sid(ctx, bin_sid, length, &dom_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_dom_sid_to_sid(ctx, dom_sid, &sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_sid = sid; + err = IDMAP_SUCCESS; + +done: + ctx->free_func(dom_sid, ctx->alloc_pvt); + if (err != IDMAP_SUCCESS) { + ctx->free_func(sid, ctx->alloc_pvt); + } + + return err; +} + +enum idmap_error_code sss_idmap_sid_to_smb_sid(struct sss_idmap_ctx *ctx, + const char *sid, + struct dom_sid **_smb_sid) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + struct dom_sid *smb_sid = NULL; + + err = sss_idmap_sid_to_dom_sid(ctx, sid, &dom_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_dom_sid_to_smb_sid(ctx, dom_sid, &smb_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_smb_sid = smb_sid; + err = IDMAP_SUCCESS; + +done: + ctx->free_func(dom_sid, ctx->alloc_pvt); + if (err != IDMAP_SUCCESS) { + ctx->free_func(smb_sid, ctx->alloc_pvt); + } + + return err; +} + +enum idmap_error_code sss_idmap_smb_sid_to_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + char **_sid) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + char *sid = NULL; + + err = sss_idmap_smb_sid_to_dom_sid(ctx, smb_sid, &dom_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_dom_sid_to_sid(ctx, dom_sid, &sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_sid = sid; + err = IDMAP_SUCCESS; + +done: + ctx->free_func(dom_sid, ctx->alloc_pvt); + if (err != 
IDMAP_SUCCESS) { + ctx->free_func(sid, ctx->alloc_pvt); + } + + return err; +} + +enum idmap_error_code sss_idmap_dom_sid_to_smb_sid(struct sss_idmap_ctx *ctx, + struct sss_dom_sid *dom_sid, + struct dom_sid **_smb_sid) +{ + struct dom_sid *smb_sid; + size_t c; + + smb_sid = ctx->alloc_func(sizeof(struct dom_sid), ctx->alloc_pvt); + if (smb_sid == NULL) { + return IDMAP_OUT_OF_MEMORY; + } + memset(smb_sid, 0, sizeof(struct dom_sid)); + + smb_sid->sid_rev_num = dom_sid->sid_rev_num; + smb_sid->num_auths = dom_sid->num_auths; + for (c = 0; c < SID_ID_AUTHS; c++) { + smb_sid->id_auth[c] = dom_sid->id_auth[c]; + } + for (c = 0; c < SID_SUB_AUTHS; c++) { + smb_sid->sub_auths[c] = dom_sid->sub_auths[c]; + } + + *_smb_sid = smb_sid; + + return IDMAP_SUCCESS; +} + +enum idmap_error_code sss_idmap_smb_sid_to_dom_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + struct sss_dom_sid **_dom_sid) +{ + struct sss_dom_sid *dom_sid; + size_t c; + + dom_sid = ctx->alloc_func(sizeof(struct sss_dom_sid), ctx->alloc_pvt); + if (dom_sid == NULL) { + return IDMAP_OUT_OF_MEMORY; + } + memset(dom_sid, 0, sizeof(struct sss_dom_sid)); + + dom_sid->sid_rev_num = smb_sid->sid_rev_num; + dom_sid->num_auths = smb_sid->num_auths; + for (c = 0; c < SID_ID_AUTHS; c++) { + dom_sid->id_auth[c] = smb_sid->id_auth[c]; + } + for (c = 0; c < SID_SUB_AUTHS; c++) { + dom_sid->sub_auths[c] = smb_sid->sub_auths[c]; + } + + *_dom_sid = dom_sid; + + return IDMAP_SUCCESS; +} + +enum idmap_error_code sss_idmap_bin_sid_to_smb_sid(struct sss_idmap_ctx *ctx, + const uint8_t *bin_sid, + size_t length, + struct dom_sid **_smb_sid) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + struct dom_sid *smb_sid = NULL; + + err = sss_idmap_bin_sid_to_dom_sid(ctx, bin_sid, length, &dom_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_dom_sid_to_smb_sid(ctx, dom_sid, &smb_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_smb_sid = smb_sid; + err = IDMAP_SUCCESS; + 
+done: + ctx->free_func(dom_sid, ctx->alloc_pvt); + if (err != IDMAP_SUCCESS) { + ctx->free_func(smb_sid, ctx->alloc_pvt); + } + + return err; +} + +enum idmap_error_code sss_idmap_smb_sid_to_bin_sid(struct sss_idmap_ctx *ctx, + struct dom_sid *smb_sid, + uint8_t **_bin_sid, + size_t *_length) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + uint8_t *bin_sid = NULL; + size_t length; + + err = sss_idmap_smb_sid_to_dom_sid(ctx, smb_sid, &dom_sid); + if (err != IDMAP_SUCCESS) { + goto done; + } + + err = sss_idmap_dom_sid_to_bin_sid(ctx, dom_sid, &bin_sid, &length); + if (err != IDMAP_SUCCESS) { + goto done; + } + + *_bin_sid = bin_sid; + *_length = length; + err = IDMAP_SUCCESS; + +done: + ctx->free_func(dom_sid, ctx->alloc_pvt); + if (err != IDMAP_SUCCESS) { + ctx->free_func(bin_sid, ctx->alloc_pvt); + } + + return err; +} diff --git a/src/lib/idmap/sss_idmap_private.h b/src/lib/idmap/sss_idmap_private.h new file mode 100644 index 0000000..15300d1 --- /dev/null +++ b/src/lib/idmap/sss_idmap_private.h 
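Review bot: sss_idmap_bin_sid_to_dom_sid() only rejects a `length` larger than the structure, so it reads the two header bytes, the six id_auth bytes and `num_auths * 4` sub-authority bytes from `bin_sid` without confirming the buffer is that long. The count byte is also stored in the `int8_t num_auths` field before the `> SID_SUB_AUTHS` test. On the usual two's-complement targets a byte of 0x80 or above becomes negative and passes that test, then turns into a very large bound in the `i < dom_sid->num_auths` loop (`i` is `size_t`), so the copy runs past `sub_auths[]`. I would validate the count as an unsigned value and check `length` against `2 + SID_ID_AUTHS + num_auths * 4` before allocating, as in the excerpt below. sss_idmap_dom_sid_to_bin_sid() in the same hunk has a related gap: it computes `length` from a possibly negative `num_auths` and then writes the eight header bytes unconditionally, so it should reject `num_auths < 0` with `IDMAP_SID_INVALID` as well.

```c
enum idmap_error_code sss_idmap_bin_sid_to_dom_sid(struct sss_idmap_ctx *ctx,
                                                   const uint8_t *bin_sid,
                                                   size_t length,
                                                   struct sss_dom_sid **_dom_sid)
{
    /* … unchanged: local declarations … */
    uint8_t num_auths;

    CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);

    /* … unchanged: upper bound check on length … */

    /* Revision, count and id_auth must all be present before any read. */
    if (bin_sid == NULL || length < 2 + SID_ID_AUTHS) {
        return IDMAP_SID_INVALID;
    }

    /* Validate the count while it is still unsigned, and make sure the
     * buffer really holds that many 32-bit sub-authorities. */
    num_auths = bin_sid[1];
    if (num_auths > SID_SUB_AUTHS
            || length < 2 + SID_ID_AUTHS + num_auths * sizeof(uint32_t)) {
        return IDMAP_SID_INVALID;
    }

    /* … unchanged: allocation and memset of dom_sid, copy of sid_rev_num … */

    dom_sid->num_auths = (int8_t) num_auths;
    p++;

    /* … unchanged: id_auth and sub_auths copy loops, done label … */
```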
@@ -0,0 +1,84 @@
+/*
+ SSSD
+
+ ID-mapping library - private headers
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SSS_IDMAP_PRIVATE_H_
+#define SSS_IDMAP_PRIVATE_H_
+
+#define SSS_IDMAP_DEFAULT_LOWER 200000
+#define SSS_IDMAP_DEFAULT_UPPER 2000200000
+#define SSS_IDMAP_DEFAULT_RANGESIZE 200000
+#define SSS_IDMAP_DEFAULT_AUTORID false
+#define SSS_IDMAP_DEFAULT_EXTRA_SLICE_INIT 10
+
+#define CHECK_IDMAP_CTX(ctx, ret) do { \
+ if (ctx == NULL || ctx->alloc_func == NULL || ctx->free_func == NULL) { \
+ return ret; \
+ } \
+} while(0)
+
+struct sss_idmap_opts {
+ /* true if autorid compatibility mode is used */
+ bool autorid_mode;
+
+ /* smallest available id (for all domains) */
+ id_t idmap_lower;
+
+ /* highest available id (for all domains) */
+ id_t idmap_upper;
+
+ /* number of available UIDs (for single domain) */
+ id_t rangesize;
+
+ /* maximal number of secondary slices */
+ int extra_slice_init;
+};
+
+struct sss_idmap_ctx {
+ idmap_alloc_func *alloc_func;
+ void *alloc_pvt;
+ idmap_free_func *free_func;
+ struct sss_idmap_opts idmap_opts;
+ struct idmap_domain_info *idmap_domain_info;
+};
+
+/* This is a copy of the definition in the samba gen_ndr/security.h header
+ * file. 
We use it here to be able to offer conversions form struct dom_sid to
+ * string or binary representation since those are not made available by
+ * public samba libraries.
+ *
+ * If the definition ever changes on the samba side we have to adopt the
+ * change. But chances are very low that this will ever happen since e.g. this
+ * struct is also defined in public documentation from Microsoft. See e.g.
+ * section 2.4.2.3 of "[MS-DTYP]: Windows Data Types"
+ * http://msdn.microsoft.com/en-us/library/cc230364(v=prot.10)
+ */
+
+struct dom_sid {
+ uint8_t sid_rev_num;
+ int8_t num_auths;
+ uint8_t id_auth[6];
+ uint32_t sub_auths[15];
+};
+
+#endif /* SSS_IDMAP_PRIVATE_H_ */
diff --git a/src/lib/ipa_hbac/hbac_evaluator.c b/src/lib/ipa_hbac/hbac_evaluator.c
new file mode 100644
index 0000000..ce13bd5
--- /dev/null
+++ b/src/lib/ipa_hbac/hbac_evaluator.c
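Review bot: `struct dom_sid` hard-codes its array lengths as `id_auth[6]` and `sub_auths[15]`, while `sss_idmap_dom_sid_to_smb_sid()` and `sss_idmap_smb_sid_to_dom_sid()` earlier in this patch bound their copy loops with `SID_ID_AUTHS` and `SID_SUB_AUTHS`. If the macros and these literals ever drift apart, those loops read or write past the arrays, so I would declare the members as `uint8_t id_auth[SID_ID_AUTHS];` and `uint32_t sub_auths[SID_SUB_AUTHS];`, assuming the macros are visible here from the same header that supplies `idmap_alloc_func`. `num_auths` is a signed `int8_t` copied verbatim between the two structs; a comment on the member stating its valid range (presumably 0 to 15, to be confirmed against the parsers) would tell consumers to range-check it before using it as a count. As a style point, `CHECK_IDMAP_CTX` expands `ctx` unparenthesized; `(ctx) == NULL || (ctx)->alloc_func == NULL || (ctx)->free_func == NULL` is safer for non-trivial arguments.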
@@ -0,0 +1,520 @@
+/*
+ SSSD
+
+ IPA Backend Module -- Access control
+
+ Authors:
+ Sumit Bose
+ Stephen Gallagher
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h" /* for HAVE_FUNCTION_ATTRIBUTE_FORMAT in "ipa_hbac.h" */
+
+#include
+#include
+#include
+#include "ipa_hbac.h"
+#include "sss_utf8.h"
+
+#ifndef HAVE_ERRNO_T
+#define HAVE_ERRNO_T
+typedef int errno_t;
+#endif
+
+#ifndef EOK
+#define EOK 0
+#endif
+
+/* HBAC logging system */
+
+/* debug macro */
+#define HBAC_DEBUG(level, format, ...) 
do { \
+ if (hbac_debug_fn != NULL) { \
+ hbac_debug_fn(__FILE__, __LINE__, __FUNCTION__, \
+ level, format, ##__VA_ARGS__); \
+ } \
+} while (0)
+
+/* static pointer to external logging function */
+static hbac_debug_fn_t hbac_debug_fn = NULL;
+
+/* setup function for external logging function */
+void hbac_enable_debug(hbac_debug_fn_t external_debug_fn)
+{
+ hbac_debug_fn = external_debug_fn;
+}
+
+/* auxiliary function for hbac_request_element logging */
+static void hbac_request_element_debug_print(struct hbac_request_element *el,
+ const char *label);
+
+/* auxiliary function for hbac_eval_req logging */
+static void hbac_req_debug_print(struct hbac_eval_req *req);
+
+/* auxiliary function for hbac_rule_element logging */
+static void hbac_rule_element_debug_print(struct hbac_rule_element *el,
+ const char *label);
+
+/* auxiliary function for hbac_rule logging */
+static void hbac_rule_debug_print(struct hbac_rule *rule);
+
+
+/* Placeholder structure for future HBAC time-based
+ * evaluation rules
+ */
+struct hbac_time_rules {
+ int not_yet_implemented;
+};
+
+enum hbac_eval_result_int {
+ HBAC_EVAL_MATCH_ERROR = -1,
+ HBAC_EVAL_MATCHED,
+ HBAC_EVAL_UNMATCHED
+};
+
+static bool hbac_rule_element_is_complete(struct hbac_rule_element *el)
+{
+ if (el == NULL) return false;
+ if (el->category == HBAC_CATEGORY_ALL) return true;
+
+ if (el->names == NULL && el->groups == NULL) return false;
+
+ if ((el->names && el->names[0] != NULL)
+ || (el->groups && el->groups[0] != NULL))
+ return true;
+
+ /* If other categories are added, handle them here */
+
+ return false;
+}
+
+bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs)
+{
+ bool complete = true;
+
+ *missing_attrs = 0;
+
+ if (rule == NULL) {
+ /* No rule passed in? 
*/
+ return false;
+ }
+
+ /* Make sure we have all elements */
+ if (!hbac_rule_element_is_complete(rule->users)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_USERS;
+ }
+
+ if (!hbac_rule_element_is_complete(rule->services)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_SERVICES;
+ }
+
+ if (!hbac_rule_element_is_complete(rule->targethosts)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_TARGETHOSTS;
+ }
+
+ if (!hbac_rule_element_is_complete(rule->srchosts)) {
+ complete = false;
+ *missing_attrs |= HBAC_RULE_ELEMENT_SOURCEHOSTS;
+ }
+
+ return complete;
+}
+
+enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
+ struct hbac_eval_req *hbac_req,
+ enum hbac_error_code *error);
+
+enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules,
+ struct hbac_eval_req *hbac_req,
+ struct hbac_info **info)
+{
+ uint32_t i;
+
+ enum hbac_error_code ret;
+ enum hbac_eval_result result = HBAC_EVAL_DENY;
+ enum hbac_eval_result_int intermediate_result;
+
+ HBAC_DEBUG(HBAC_DBG_INFO, "[< hbac_evaluate()\n");
+ hbac_req_debug_print(hbac_req);
+
+ if (info) {
+ *info = malloc(sizeof(struct hbac_info));
+ if (!*info) {
+ HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
+ return HBAC_EVAL_OOM;
+ }
+ (*info)->code = HBAC_ERROR_UNKNOWN;
+ (*info)->rule_name = NULL;
+ }
+
+ for (i = 0; rules[i]; i++) {
+ hbac_rule_debug_print(rules[i]);
+ intermediate_result = hbac_evaluate_rule(rules[i], hbac_req, &ret);
+ if (intermediate_result == HBAC_EVAL_UNMATCHED) {
+ /* This rule did not match at all. 
Skip it */
+ HBAC_DEBUG(HBAC_DBG_INFO, "The rule [%s] did not match.\n",
+ rules[i]->name);
+ continue;
+ } else if (intermediate_result == HBAC_EVAL_MATCHED) {
+ HBAC_DEBUG(HBAC_DBG_INFO, "ALLOWED by rule [%s].\n", rules[i]->name);
+ result = HBAC_EVAL_ALLOW;
+ if (info) {
+ (*info)->code = HBAC_SUCCESS;
+ (*info)->rule_name = strdup(rules[i]->name);
+ if (!(*info)->rule_name) {
+ HBAC_DEBUG(HBAC_DBG_ERROR, "Out of memory.\n");
+ result = HBAC_EVAL_ERROR;
+ (*info)->code = HBAC_ERROR_OUT_OF_MEMORY;
+ }
+ }
+ break;
+ } else {
+ /* An error occurred processing this rule */
+ HBAC_DEBUG(HBAC_DBG_ERROR,
+ "Error %d occurred during evaluating of rule [%s].\n",
+ ret, rules[i]->name);
+ result = HBAC_EVAL_ERROR;
+ if (info) {
+ (*info)->code = ret;
+ (*info)->rule_name = strdup(rules[i]->name);
+ }
+ /* Explicitly not checking the result of strdup(), since if
+ * it's NULL, we can't do anything anyway.
+ */
+ goto done;
+ }
+ }
+
+ /* If we've reached the end of the loop, we have either set the
+ * result to ALLOW explicitly or we'll stick with the default DENY. 
+ */
+done:
+
+ HBAC_DEBUG(HBAC_DBG_INFO, "hbac_evaluate() >]\n");
+ return result;
+}
+
+static errno_t hbac_evaluate_element(struct hbac_rule_element *rule_el,
+ struct hbac_request_element *req_el,
+ bool *matched);
+
+enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
+ struct hbac_eval_req *hbac_req,
+ enum hbac_error_code *error)
+{
+ errno_t ret;
+ bool matched;
+
+ if (!rule->enabled) {
+ HBAC_DEBUG(HBAC_DBG_INFO, "Rule [%s] is not enabled\n", rule->name);
+ return HBAC_EVAL_UNMATCHED;
+ }
+
+ /* Make sure we have all elements */
+ if (!rule->users
+ || !rule->services
+ || !rule->targethosts
+ || !rule->srchosts) {
+ HBAC_DEBUG(HBAC_DBG_INFO,
+ "Rule [%s] cannot be parsed, some elements are empty\n",
+ rule->name);
+ *error = HBAC_ERROR_UNPARSEABLE_RULE;
+ return HBAC_EVAL_MATCH_ERROR;
+ }
+
+ /* Check users */
+ ret = hbac_evaluate_element(rule->users,
+ hbac_req->user,
+ &matched);
+ if (ret != EOK) {
+ HBAC_DEBUG(HBAC_DBG_ERROR,
+ "Cannot parse user elements of rule [%s]\n", rule->name);
+ *error = HBAC_ERROR_UNPARSEABLE_RULE;
+ return HBAC_EVAL_MATCH_ERROR;
+ } else if (!matched) {
+ return HBAC_EVAL_UNMATCHED;
+ }
+
+ /* Check services */
+ ret = hbac_evaluate_element(rule->services,
+ hbac_req->service,
+ &matched);
+ if (ret != EOK) {
+ HBAC_DEBUG(HBAC_DBG_ERROR,
+ "Cannot parse service elements of rule [%s]\n", rule->name);
+ *error = HBAC_ERROR_UNPARSEABLE_RULE;
+ return HBAC_EVAL_MATCH_ERROR;
+ } else if (!matched) {
+ return HBAC_EVAL_UNMATCHED;
+ }
+
+ /* Check target hosts */
+ ret = hbac_evaluate_element(rule->targethosts,
+ hbac_req->targethost,
+ &matched);
+ if (ret != EOK) {
+ HBAC_DEBUG(HBAC_DBG_ERROR,
+ "Cannot parse targethost elements of rule [%s]\n",
+ rule->name);
+ *error = HBAC_ERROR_UNPARSEABLE_RULE;
+ return HBAC_EVAL_MATCH_ERROR;
+ } else if (!matched) {
+ return HBAC_EVAL_UNMATCHED;
+ }
+
+ /* Check source hosts */
+ ret = hbac_evaluate_element(rule->srchosts,
+ hbac_req->srchost,
+ &matched);
+ if (ret != 
EOK) {
+ HBAC_DEBUG(HBAC_DBG_ERROR,
+ "Cannot parse srchost elements of rule [%s]\n",
+ rule->name);
+ *error = HBAC_ERROR_UNPARSEABLE_RULE;
+ return HBAC_EVAL_MATCH_ERROR;
+ } else if (!matched) {
+ return HBAC_EVAL_UNMATCHED;
+ }
+ return HBAC_EVAL_MATCHED;
+}
+
+static errno_t hbac_evaluate_element(struct hbac_rule_element *rule_el,
+ struct hbac_request_element *req_el,
+ bool *matched)
+{
+ size_t i, j;
+ const uint8_t *rule_name;
+ const uint8_t *req_name;
+ int ret;
+
+ if (rule_el->category & HBAC_CATEGORY_ALL) {
+ *matched = true;
+ return EOK;
+ }
+
+ /* First check the name list */
+ if (rule_el->names) {
+ for (i = 0; rule_el->names[i]; i++) {
+ if (req_el->name != NULL) {
+ rule_name = (const uint8_t *) rule_el->names[i];
+ req_name = (const uint8_t *) req_el->name;
+
+ /* Do a case-insensitive comparison. */
+ ret = sss_utf8_case_eq(rule_name, req_name);
+ if (ret != EOK && ret != ENOMATCH) {
+ return ret;
+ } else if (ret == EOK) {
+ *matched = true;
+ return EOK;
+ }
+ }
+ }
+ }
+
+ if (rule_el->groups) {
+ /* Not found in the name list
+ * Check for group membership
+ */
+ for (i = 0; rule_el->groups[i]; i++) {
+ rule_name = (const uint8_t *) rule_el->groups[i];
+
+ for (j = 0; req_el->groups[j]; j++) {
+ req_name = (const uint8_t *) req_el->groups[j];
+
+ /* Do a case-insensitive comparison. 
*/
+ ret = sss_utf8_case_eq(rule_name, req_name);
+ if (ret != EOK && ret != ENOMATCH) {
+ return ret;
+ } else if (ret == EOK) {
+ *matched = true;
+ return EOK;
+ }
+ }
+ }
+ }
+
+ /* Not found in groups either */
+ *matched = false;
+ return EOK;
+}
+
+const char *hbac_result_string(enum hbac_eval_result result)
+{
+ switch (result) {
+ case HBAC_EVAL_ALLOW:
+ return "HBAC_EVAL_ALLOW";
+ case HBAC_EVAL_DENY:
+ return "HBAC_EVAL_DENY";
+ case HBAC_EVAL_ERROR:
+ return "HBAC_EVAL_ERROR";
+ case HBAC_EVAL_OOM:
+ return "Could not allocate memory for hbac_info object";
+ }
+ return "HBAC_EVAL_ERROR";
+}
+
+void hbac_free_info(struct hbac_info *info)
+{
+ if (info == NULL) return;
+
+ free(info->rule_name);
+ free(info);
+}
+
+const char *hbac_error_string(enum hbac_error_code code)
+{
+ switch (code) {
+ case HBAC_SUCCESS:
+ return "Success";
+ case HBAC_ERROR_NOT_IMPLEMENTED:
+ return "Function is not yet implemented";
+ case HBAC_ERROR_OUT_OF_MEMORY:
+ return "Out of memory";
+ case HBAC_ERROR_UNPARSEABLE_RULE:
+ return "Rule could not be evaluated";
+ case HBAC_ERROR_UNKNOWN:
+ default:
+ return "Unknown error code";
+ }
+}
+
+static void hbac_request_element_debug_print(struct hbac_request_element *el,
+ const char *label)
+{
+ int i;
+
+ if (el) {
+ if (el->name) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s [%s]\n", label, el->name);
+ }
+
+ if (el->groups) {
+ if (el->groups[0]) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_group:\n", label);
+ for (i = 0; el->groups[i]; i++) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t\t[%s]\n", el->groups[i]);
+ }
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_group (none)\n", label);
+ }
+ }
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t%s (none)\n", label);
+ }
+}
+
+static void hbac_req_debug_print(struct hbac_eval_req *req)
+{
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tREQUEST:\n");
+ if (req) {
+ struct tm *local_time = NULL;
+ size_t ret;
+ const size_t buff_size = 100;
+ char time_buff[buff_size];
+
+ hbac_request_element_debug_print(req->service, 
"service");
+ hbac_request_element_debug_print(req->user, "user");
+ hbac_request_element_debug_print(req->targethost, "targethost");
+ hbac_request_element_debug_print(req->srchost, "srchost");
+
+ local_time = localtime(&req->request_time);
+ if (local_time == NULL) {
+ return;
+ }
+
+ ret = strftime(time_buff, buff_size, "%Y-%m-%d %H:%M:%S", local_time);
+ if (ret <= 0) {
+ return;
+ }
+
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\trequest time %s\n", time_buff);
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tRequest is EMPTY.\n");
+ }
+}
+
+static void hbac_rule_element_debug_print(struct hbac_rule_element *el,
+ const char *label)
+{
+ int i;
+
+ if (el) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\tcategory [%#x] [%s]\n", el->category,
+ (el->category == HBAC_CATEGORY_ALL) ? "ALL" : "NONE");
+
+ if (el->names) {
+ if (el->names[0]) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_names:\n", label);
+ for (i = 0; el->names[i]; i++) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t\t[%s]\n", el->names[i]);
+ }
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_names (none)\n", label);
+ }
+ }
+
+ if (el->groups) {
+ if (el->groups[0]) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_groups:\n", label);
+ for (i = 0; el->groups[i]; i++) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t\t[%s]\n", el->groups[i]);
+ }
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\t\t%s_groups (none)\n", label);
+ }
+ }
+ }
+}
+
+static void hbac_rule_debug_print(struct hbac_rule *rule)
+{
+ if (rule) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tRULE [%s] [%s]:\n",
+ rule->name, (rule->enabled) ? 
"ENABLED" : "DISABLED");
+ if (rule->services) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tservices:\n");
+ hbac_rule_element_debug_print(rule->services, "services");
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tservices (none)\n");
+ }
+
+ if (rule->users) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tusers:\n");
+ hbac_rule_element_debug_print(rule->users, "users");
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tusers (none)\n");
+ }
+
+ if (rule->targethosts) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\ttargethosts:\n");
+ hbac_rule_element_debug_print(rule->targethosts, "targethosts");
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\ttargethosts (none)\n");
+ }
+
+ if (rule->srchosts) {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tsrchosts:\n");
+ hbac_rule_element_debug_print(rule->srchosts, "srchosts");
+ } else {
+ HBAC_DEBUG(HBAC_DBG_TRACE, "\tsrchosts (none)\n");
+ }
+ }
+}
diff --git a/src/lib/ipa_hbac/ipa_hbac.doxy.in b/src/lib/ipa_hbac/ipa_hbac.doxy.in
new file mode 100644
index 0000000..d1e9f99
--- /dev/null
+++ b/src/lib/ipa_hbac/ipa_hbac.doxy.in
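Review bot: `hbac_evaluate_element()` dereferences `req_el->name` and `req_el->groups[j]` without checking `req_el` or `req_el->groups` for NULL, although `hbac_request_element_debug_print()` in this same file treats both as possibly NULL. A request that lacks an element or a group list, evaluated against a rule that lists names or groups, would then crash the access-control path instead of returning a decision. I would fail closed right after the category check with `if (req_el == NULL) { *matched = false; return EOK; }` and guard the group loop with `if (rule_el->groups && req_el->groups)`. `hbac_evaluate()` and `hbac_evaluate_rule()` likewise use `rules` and `hbac_req` unchecked; whether every caller guarantees them is not visible in this hunk, so a short contract comment on both would help. The category test also differs between functions (`category & HBAC_CATEGORY_ALL` here, `category == HBAC_CATEGORY_ALL` in `hbac_rule_element_is_complete()`), and the two should agree.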
@@ -0,0 +1,1883 @@ +# Doxyfile 1.8.3 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project. +# +# All text after a hash (#) is considered a comment and will be ignored. +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" "). + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or sequence of words) that should +# identify the project. Note that if you do not use Doxywizard you need +# to put quotes around the project name if it contains spaces. + +PROJECT_NAME = ipa_hbac + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = @PACKAGE_VERSION@ + +# Using the PROJECT_BRIEF tag one can provide an optional one line description +# for a project that appears at the top of each page and should give viewer +# a quick idea about the purpose of the project. Keep the description short. + +PROJECT_BRIEF = + +# With the PROJECT_LOGO tag one can specify an logo or icon that is +# included in the documentation. The maximum height of the logo should not +# exceed 55 pixels and the maximum width should not exceed 200 pixels. 
+# Doxygen will copy the logo to the output directory. + +PROJECT_LOGO = + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = hbac_doc + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, +# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English +# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, +# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrillic, Slovak, +# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. 
+ +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. +# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = "The $name class" \ + "The $name widget" \ + "The $name file" \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. 
+ +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. Note that you specify absolute paths here, but also +# relative paths, which will be relative from the directory where doxygen is +# started. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful if your file system +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = YES + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) 
+ +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# This tag can be used to specify a number of word-keyword mappings (TCL only). +# A mapping has the form "name=value". For example adding +# "class=itcl::class" will allow you to use the command class in the +# itcl::class meaning. + +TCL_SUBST = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. 
+ +OPTIMIZE_OUTPUT_FOR_C = YES + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# Doxygen selects the parser to use depending on the extension of the files it +# parses. With this tag you can assign which parser to use for a given +# extension. Doxygen has a built-in mapping, but you can override or extend it +# using this tag. The format is ext=language, where ext is a file extension, +# and language is one of the parsers supported by doxygen: IDL, Java, +# Javascript, CSharp, C, C++, D, PHP, Objective-C, Python, Fortran, VHDL, C, +# C++. For instance to make doxygen treat .inc files as Fortran files (default +# is PHP), and .f files as C (default is Fortran), use: inc=Fortran f=C. Note +# that for custom extensions you also need to set FILE_PATTERNS otherwise the +# files are not read by doxygen. + +EXTENSION_MAPPING = + +# If MARKDOWN_SUPPORT is enabled (the default) then doxygen pre-processes all +# comments according to the Markdown format, which allows for more readable +# documentation. See http://daringfireball.net/projects/markdown/ for details. +# The output of markdown processing is further processed by doxygen, so you +# can mix doxygen, HTML, and XML commands with Markdown formatting. +# Disable only in case of backward compatibilities issues. 
+ +MARKDOWN_SUPPORT = YES + +# When enabled doxygen tries to link words that correspond to documented classes, +# or namespaces to their corresponding documentation. Such a link can be +# prevented in individual cases by by putting a % sign in front of the word or +# globally by setting AUTOLINK_SUPPORT to NO. + +AUTOLINK_SUPPORT = YES + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also makes the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate +# getter and setter methods for a property. Setting this option to YES (the +# default) will make doxygen replace the get and set methods by a property in +# the documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. 
+ +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When the INLINE_GROUPED_CLASSES tag is set to YES, classes, structs and +# unions are shown inside the group in which they are included (e.g. using +# @ingroup) instead of on a separate page (for HTML and Man pages) or +# section (for LaTeX and RTF). + +INLINE_GROUPED_CLASSES = NO + +# When the INLINE_SIMPLE_STRUCTS tag is set to YES, structs, classes, and +# unions with only public data fields will be shown inline in the documentation +# of the scope in which they are defined (i.e. file, namespace, or group +# documentation), provided this scope is documented. If set to NO (the default), +# structs, classes, and unions are shown on a separate page (for HTML and Man +# pages) or section (for LaTeX and RTF). + +INLINE_SIMPLE_STRUCTS = NO + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to +# determine which symbols to keep in memory and which to flush to disk. +# When the cache is full, less often used symbols will be written to disk. 
+# For small to medium size projects (<1000 input files) the default value is +# probably good enough. For larger projects a too small cache size can cause +# doxygen to be busy swapping symbols to and from disk most of the time +# causing a significant performance penalty. +# If the system has enough physical memory increasing the cache will improve the +# performance by keeping more symbols in memory. Note that the value works on +# a logarithmic scale so increasing the size by one will roughly double the +# memory usage. The cache size is given by this formula: +# 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols. + +SYMBOL_CACHE_SIZE = 0 + +# Similar to the SYMBOL_CACHE_SIZE the size of the symbol lookup cache can be +# set using LOOKUP_CACHE_SIZE. This cache is used to resolve symbols given +# their name and scope. Since this can be an expensive process and often the +# same symbol appear multiple times in the code, doxygen keeps a cache of +# pre-resolved symbols. If the cache is too small doxygen will become slower. +# If the cache is too large, memory is wasted. The cache size is given by this +# formula: 2^(16+LOOKUP_CACHE_SIZE). The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols. + +LOOKUP_CACHE_SIZE = 0 + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = NO + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. 
+
+EXTRACT_PRIVATE = NO
+
+# If the EXTRACT_PACKAGE tag is set to YES all members with package or internal
+# scope will be included in the documentation.
+
+EXTRACT_PACKAGE = NO
+
+# If the EXTRACT_STATIC tag is set to YES all static members of a file
+# will be included in the documentation.
+
+EXTRACT_STATIC = NO
+
+# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs)
+# defined locally in source files will be included in the documentation.
+# If set to NO only classes defined in header files are included.
+
+EXTRACT_LOCAL_CLASSES = NO
+
+# This flag is only useful for Objective-C code. When set to YES local
+# methods, which are defined in the implementation section but not in
+# the interface are included in the documentation.
+# If set to NO (the default) only methods in the interface are included.
+
+EXTRACT_LOCAL_METHODS = NO
+
+# If this flag is set to YES, the members of anonymous namespaces will be
+# extracted and appear in the documentation as a namespace called
+# 'anonymous_namespace{file}', where file will be replaced with the base
+# name of the file that contains the anonymous namespace. By default
+# anonymous namespaces are hidden.
+
+EXTRACT_ANON_NSPACES = NO
+
+# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all
+# undocumented members of documented classes, files or namespaces.
+# If set to NO (the default) these members will be included in the
+# various overviews, but no documentation section is generated.
+# This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_MEMBERS = YES
+
+# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all
+# undocumented classes that are normally visible in the class hierarchy.
+# If set to NO (the default) these classes will be included in the various
+# overviews. This option has no effect if EXTRACT_ALL is enabled.
+
+HIDE_UNDOC_CLASSES = YES
+
+# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all
+# friend (class|struct|union) declarations.
+# If set to NO (the default) these declarations will be included in the
+# documentation.
+
+HIDE_FRIEND_COMPOUNDS = NO
+
+# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any
+# documentation blocks found inside the body of a function.
+# If set to NO (the default) these blocks will be appended to the
+# function's detailed documentation block.
+
+HIDE_IN_BODY_DOCS = NO
+
+# The INTERNAL_DOCS tag determines if documentation
+# that is typed after a \internal command is included. If the tag is set
+# to NO (the default) then the documentation will be excluded.
+# Set it to YES to include the internal documentation.
+
+INTERNAL_DOCS = NO
+
+# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate
+# file names in lower-case letters. If set to YES upper-case letters are also
+# allowed. This is useful if you have classes or files whose names only differ
+# in case and if your file system supports case sensitive file names. Windows
+# and Mac users are advised to set this option to NO.
+
+CASE_SENSE_NAMES = YES
+
+# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen
+# will show members with their full class and namespace scopes in the
+# documentation. If set to YES the scope will be hidden.
+
+HIDE_SCOPE_NAMES = NO
+
+# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen
+# will put a list of the files that are included by a file in the documentation
+# of that file.
+
+SHOW_INCLUDE_FILES = YES
+
+# If the FORCE_LOCAL_INCLUDES tag is set to YES then Doxygen
+# will list include files with double quotes in the documentation
+# rather than with sharp brackets.
+
+FORCE_LOCAL_INCLUDES = NO
+
+# If the INLINE_INFO tag is set to YES (the default) then a tag [inline]
+# is inserted in the documentation for inline members.
+
+INLINE_INFO = YES
+
+# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen
+# will sort the (detailed) documentation of file and class members
+# alphabetically by member name. If set to NO the members will appear in
+# declaration order.
+
+SORT_MEMBER_DOCS = YES
+
+# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the
+# brief documentation of file, namespace and class members alphabetically
+# by member name. If set to NO (the default) the members will appear in
+# declaration order.
+
+SORT_BRIEF_DOCS = NO
+
+# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen
+# will sort the (brief and detailed) documentation of class members so that
+# constructors and destructors are listed first. If set to NO (the default)
+# the constructors will appear in the respective orders defined by
+# SORT_MEMBER_DOCS and SORT_BRIEF_DOCS.
+# This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO
+# and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO.
+
+SORT_MEMBERS_CTORS_1ST = NO
+
+# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the
+# hierarchy of group names into alphabetical order. If set to NO (the default)
+# the group names will appear in their defined order.
+
+SORT_GROUP_NAMES = NO
+
+# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be
+# sorted by fully-qualified names, including namespaces. If set to
+# NO (the default), the class list will be sorted only by class name,
+# not including the namespace part.
+# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
+# Note: This option applies only to the class list, not to the
+# alphabetical list.
+
+SORT_BY_SCOPE_NAME = NO
+
+# If the STRICT_PROTO_MATCHING option is enabled and doxygen fails to
+# do proper type resolution of all parameters of a function it will reject a
+# match between the prototype and the implementation of a member function even
+# if there is only one candidate or it is obvious which candidate to choose
+# by doing a simple string match. By disabling STRICT_PROTO_MATCHING doxygen
+# will still accept a match between prototype and implementation in such cases.
+
+STRICT_PROTO_MATCHING = NO
+
+# The GENERATE_TODOLIST tag can be used to enable (YES) or
+# disable (NO) the todo list. This list is created by putting \todo
+# commands in the documentation.
+
+GENERATE_TODOLIST = YES
+
+# The GENERATE_TESTLIST tag can be used to enable (YES) or
+# disable (NO) the test list. This list is created by putting \test
+# commands in the documentation.
+
+GENERATE_TESTLIST = YES
+
+# The GENERATE_BUGLIST tag can be used to enable (YES) or
+# disable (NO) the bug list. This list is created by putting \bug
+# commands in the documentation.
+
+GENERATE_BUGLIST = YES
+
+# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or
+# disable (NO) the deprecated list. This list is created by putting
+# \deprecated commands in the documentation.
+
+GENERATE_DEPRECATEDLIST= YES
+
+# The ENABLED_SECTIONS tag can be used to enable conditional
+# documentation sections, marked by \if section-label ... \endif
+# and \cond section-label ... \endcond blocks.
+
+ENABLED_SECTIONS =
+
+# The MAX_INITIALIZER_LINES tag determines the maximum number of lines
+# the initial value of a variable or macro consists of for it to appear in
+# the documentation. If the initializer consists of more lines than specified
+# here it will be hidden. Use a value of 0 to hide initializers completely.
+# The appearance of the initializer of individual variables and macros in the
+# documentation can be controlled using \showinitializer or \hideinitializer
+# command in the documentation regardless of this setting.
+
+MAX_INITIALIZER_LINES = 30
+
+# Set the SHOW_USED_FILES tag to NO to disable the list of files generated
+# at the bottom of the documentation of classes and structs. If set to YES the
+# list will mention the files that were used to generate the documentation.
+
+SHOW_USED_FILES = YES
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
+# This will remove the Files entry from the Quick Index and from the
+# Folder Tree View (if specified). The default is YES.
+
+SHOW_FILES = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
+# Namespaces page.
+# This will remove the Namespaces entry from the Quick Index
+# and from the Folder Tree View (if specified). The default is YES.
+
+SHOW_NAMESPACES = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command , where is the value of
+# the FILE_VERSION_FILTER tag, and is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed
+# by doxygen. The layout file controls the global structure of the generated
+# output files in an output format independent way. To create the layout file
+# that represents doxygen's defaults, run doxygen with the -l option.
+# You can optionally specify a file name after the option, if omitted
+# DoxygenLayout.xml will be used as the name of the layout file.
+
+LAYOUT_FILE =
+
+# The CITE_BIB_FILES tag can be used to specify one or more bib files
+# containing the references data. This must be a list of .bib files. The
+# .bib extension is automatically appended if omitted. Using this command
+# requires the bibtex tool to be installed. See also
+# http://en.wikipedia.org/wiki/BibTeX for more info. For LaTeX the style
+# of the bibliography can be controlled using LATEX_BIB_STYLE. To use this
+# feature you need bibtex and perl available in the search path. Do not use
+# file names with spaces, bibtex cannot handle them.
+
+CITE_BIB_FILES =
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
+# NO is used.
+
+WARNINGS = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR = YES
+
+# The WARN_NO_PARAMDOC option can be enabled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
+# documentation.
+
+WARN_NO_PARAMDOC = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = @abs_top_srcdir@/src/lib/ipa_hbac/ipa_hbac.h
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
+# also the default input encoding. Doxygen uses libiconv (or the iconv built
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
+# the list of possible encodings.
+
+INPUT_ENCODING = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.d *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh
+# *.hxx *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.dox *.py
+# *.f90 *.f *.for *.vhd *.vhdl
+
+FILE_PATTERNS = *.cpp \
+ *.cc \
+ *.c \
+ *.h \
+ *.hh \
+ *.hpp \
+ *.dox
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should be
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+# Note that relative paths are relative to the directory from which doxygen is
+# run.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used to select whether or not files or
+# directories that are symbolic links (a Unix file system feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS = */.git/* \
+ */.svn/* \
+ */cmake/* \
+ */build/*
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS =
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command , where
+# is the value of the INPUT_FILTER tag, and is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty or if
+# non of the patterns match the file name, INPUT_FILTER is applied.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+# The FILTER_SOURCE_PATTERNS tag can be used to specify source filters per file
+# pattern. A pattern will override the setting for FILTER_PATTERN (if any)
+# and it is also possible to disable source filtering for a specific pattern
+# using *.ext= (so without naming a filter). This option only has effect when
+# FILTER_SOURCE_FILES is enabled.
+
+FILTER_SOURCE_PATTERNS =
+
+# If the USE_MD_FILE_AS_MAINPAGE tag refers to the name of a markdown file that
+# is part of the input, its contents will be placed on the main page (index.html).
+# This can be useful if you have a project on for instance GitHub and want reuse
+# the introduction page also for the doxygen output.
+
+USE_MDFILE_AS_MAINPAGE =
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C, C++ and Fortran comments will always remain visible.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.
+# Otherwise they will link to the documentation.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header. Note that when using a custom header you are responsible
+# for the proper inclusion of any scripts and style sheets that doxygen
+# needs, which is dependent on the configuration options used.
+# It is advised to generate a default header using "doxygen -w html
+# header.html footer.html stylesheet.css YourConfigFile" and then modify
+# that header. Note that the header is subject to change so you typically
+# have to redo this when upgrading to a newer version of doxygen or when
+# changing the value of configuration settings such as GENERATE_TREEVIEW!
+
+HTML_HEADER =
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If left blank doxygen will
+# generate a default style sheet. Note that it is recommended to use
+# HTML_EXTRA_STYLESHEET instead of this one, as it is more robust and this
+# tag will in the future become obsolete.
+
+HTML_STYLESHEET =
+
+# The HTML_EXTRA_STYLESHEET tag can be used to specify an additional
+# user-defined cascading style sheet that is included after the standard
+# style sheets created by doxygen. Using this option one can overrule
+# certain style aspects. This is preferred over using HTML_STYLESHEET
+# since it does not replace the standard style sheet and is therefor more
+# robust against future updates. Doxygen will copy the style sheet file to
+# the output directory.
+
+HTML_EXTRA_STYLESHEET =
+
+# The HTML_EXTRA_FILES tag can be used to specify one or more extra images or
+# other source files which should be copied to the HTML output directory. Note
+# that these files will be copied to the base HTML output directory. Use the
+# $relpath$ marker in the HTML_HEADER and/or HTML_FOOTER files to load these
+# files. In the HTML_STYLESHEET file, use the file name only. Also note that
+# the files will be copied as-is; there are no commands or markers available.
+
+HTML_EXTRA_FILES =
+
+# The HTML_COLORSTYLE_HUE tag controls the color of the HTML output.
+# Doxygen will adjust the colors in the style sheet and background images
+# according to this color. Hue is specified as an angle on a colorwheel,
+# see http://en.wikipedia.org/wiki/Hue for more information.
+# For instance the value 0 represents red, 60 is yellow, 120 is green,
+# 180 is cyan, 240 is blue, 300 purple, and 360 is red again.
+# The allowed range is 0 to 359.
+
+HTML_COLORSTYLE_HUE = 220
+
+# The HTML_COLORSTYLE_SAT tag controls the purity (or saturation) of
+# the colors in the HTML output. For a value of 0 the output will use
+# grayscales only. A value of 255 will produce the most vivid colors.
+
+HTML_COLORSTYLE_SAT = 100
+
+# The HTML_COLORSTYLE_GAMMA tag controls the gamma correction applied to
+# the luminance component of the colors in the HTML output. Values below
+# 100 gradually make the output lighter, whereas values above 100 make
+# the output darker. The value divided by 100 is the actual gamma applied,
+# so 80 represents a gamma of 0.8, The value 220 represents a gamma of 2.2,
+# and 100 does not change the gamma.
+
+HTML_COLORSTYLE_GAMMA = 80
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated HTML
+# page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP = NO
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded.
+
+HTML_DYNAMIC_SECTIONS = NO
+
+# With HTML_INDEX_NUM_ENTRIES one can control the preferred number of
+# entries shown in the various tree structured indices initially; the user
+# can expand and collapse entries dynamically later on. Doxygen will expand
+# the tree to such a level that at most the specified number of entries are
+# visible (unless a fully collapsed tree already exceeds this amount).
+# So setting the number of entries 1 will produce a full collapsed tree by
+# default. 0 is a special value representing an infinite number of entries
+# and will result in a full expanded tree by default.
+
+HTML_INDEX_NUM_ENTRIES = 100
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files
+# will be generated that can be used as input for Apple's Xcode 3
+# integrated development environment, introduced with OSX 10.5 (Leopard).
+# To create a documentation set, doxygen will generate a Makefile in the
+# HTML output directory. Running make will produce the docset in that
+# directory and running "make install" will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
+# it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html
+# for more information.
+
+GENERATE_DOCSET = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
+# feed. A documentation feed provides an umbrella under which multiple
+# documentation sets from a single provider (such as a company or product suite)
+# can be grouped.
+
+DOCSET_FEEDNAME = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
+# should uniquely identify the documentation set bundle. This should be a
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID = org.doxygen.Project
+
+# When GENERATE_PUBLISHER_ID tag specifies a string that should uniquely
+# identify the documentation publisher. This should be a reverse domain-name
+# style string, e.g. com.mycompany.MyDocSet.documentation.
+
+DOCSET_PUBLISHER_ID = org.doxygen.Publisher
+
+# The GENERATE_PUBLISHER_NAME tag identifies the documentation publisher.
+
+DOCSET_PUBLISHER_NAME = Publisher
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and
+# QHP_VIRTUAL_FOLDER are set, an additional index file will be generated
+# that can be used as input for Qt's qhelpgenerator to generate a
+# Qt Compressed Help (.qch) of the generated HTML documentation.
+
+GENERATE_QHP = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
+
+QCH_FILE =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE =
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to
+# add. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the
+# custom filter to add. For more information please see
+#
+# Qt Help Project / Custom Filters.
+
+QHP_CUST_FILTER_ATTRS =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this
+# project's
+# filter section matches.
+#
+# Qt Help Project / Filter Attributes.
+
+QHP_SECT_FILTER_ATTRS =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION =
+
+# If the GENERATE_ECLIPSEHELP tag is set to YES, additional index files
+# will be generated, which together with the HTML files, form an Eclipse help
+# plugin. To install this plugin and make it available under the help contents
+# menu in Eclipse, the contents of the directory containing the HTML and XML
+# files needs to be copied into the plugins directory of eclipse. The name of
+# the directory within the plugins directory should be the same as
+# the ECLIPSE_DOC_ID value. After copying Eclipse needs to be restarted before
+# the help appears.
+
+GENERATE_ECLIPSEHELP = NO
+
+# A unique identifier for the eclipse help plugin. When installing the plugin
+# the directory name containing the HTML and XML files should also have
+# this name.
+
+ECLIPSE_DOC_ID = org.doxygen.Project
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index (tabs)
+# at top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it. Since the tabs have the same information as the
+# navigation tree you can set this option to NO if you already set
+# GENERATE_TREEVIEW to YES.
+
+DISABLE_INDEX = NO
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to YES, a side panel will be generated
+# containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+# Since the tree basically has the same information as the tab index you
+# could consider to set DISABLE_INDEX to NO when enabling this option.
+
+GENERATE_TREEVIEW = NONE
+
+# The ENUM_VALUES_PER_LINE tag can be used to set the number of enum values
+# (range [0,1..20]) that doxygen will group on one line in the generated HTML
+# documentation. Note that a value of 0 will completely suppress the enum
+# values from appearing in the overview section.
+
+ENUM_VALUES_PER_LINE = 4
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+# When the EXT_LINKS_IN_WINDOW option is set to YES doxygen will open
+# links to external symbols imported via tag files in a separate window.
+ +EXT_LINKS_IN_WINDOW = NO + +# Use this tag to change the font size of Latex formulas included +# as images in the HTML documentation. The default is 10. Note that +# when you change the font size after a successful doxygen run you need +# to manually remove any form_*.png images from the HTML output directory +# to force them to be regenerated. + +FORMULA_FONTSIZE = 10 + +# Use the FORMULA_TRANPARENT tag to determine whether or not the images +# generated for formulas are transparent PNGs. Transparent PNGs are +# not supported properly for IE 6.0, but are supported on all modern browsers. +# Note that when changing this option you need to delete any form_*.png files +# in the HTML output before the changes have effect. + +FORMULA_TRANSPARENT = YES + +# Enable the USE_MATHJAX option to render LaTeX formulas using MathJax +# (see http://www.mathjax.org) which uses client side Javascript for the +# rendering instead of using prerendered bitmaps. Use this if you do not +# have LaTeX installed or if you want to formulas look prettier in the HTML +# output. When enabled you may also need to install MathJax separately and +# configure the path to it using the MATHJAX_RELPATH option. + +USE_MATHJAX = NO + +# When MathJax is enabled you can set the default output format to be used for +# thA MathJax output. Supported types are HTML-CSS, NativeMML (i.e. MathML) and +# SVG. The default value is HTML-CSS, which is slower, but has the best +# compatibility. + +MATHJAX_FORMAT = HTML-CSS + +# When MathJax is enabled you need to specify the location relative to the +# HTML output directory using the MATHJAX_RELPATH option. The destination +# directory should contain the MathJax.js script. For instance, if the mathjax +# directory is located at the same level as the HTML output directory, then +# MATHJAX_RELPATH should be ../mathjax. The default value points to +# the MathJax Content Delivery Network so you can quickly see the result without +# installing MathJax. 
+# However, it is strongly recommended to install a local +# copy of MathJax from http://www.mathjax.org before deployment. + +MATHJAX_RELPATH = http://cdn.mathjax.org/mathjax/latest + +# The MATHJAX_EXTENSIONS tag can be used to specify one or MathJax extension +# names that should be enabled during MathJax rendering. + +MATHJAX_EXTENSIONS = + +# When the SEARCHENGINE tag is enabled doxygen will generate a search box +# for the HTML output. The underlying search engine uses javascript +# and DHTML and should work on any modern browser. Note that when using +# HTML help (GENERATE_HTMLHELP), Qt help (GENERATE_QHP), or docsets +# (GENERATE_DOCSET) there is already a search function so this one should +# typically be disabled. For large projects the javascript based search engine +# can be slow, then enabling SERVER_BASED_SEARCH may provide a better solution. + +SEARCHENGINE = NO + +# When the SERVER_BASED_SEARCH tag is enabled the search engine will be +# implemented using a web server instead of a web client using Javascript. +# There are two flavours of web server based search depending on the +# EXTERNAL_SEARCH setting. When disabled, doxygen will generate a PHP script for +# searching and an index file used by the script. When EXTERNAL_SEARCH is +# enabled the indexing and searching needs to be provided by external tools. +# See the manual for details. + +SERVER_BASED_SEARCH = NO + +# When EXTERNAL_SEARCH is enabled doxygen will no longer generate the PHP +# script for searching. Instead the search results are written to an XML file +# which needs to be processed by an external indexer. Doxygen will invoke an +# external search engine pointed to by the SEARCHENGINE_URL option to obtain +# the search results. Doxygen ships with an example indexer (doxyindexer) and +# search engine (doxysearch.cgi) which are based on the open source search engine +# library Xapian. See the manual for configuration details. 
+ +EXTERNAL_SEARCH = NO + +# The SEARCHENGINE_URL should point to a search engine hosted by a web server +# which will returned the search results when EXTERNAL_SEARCH is enabled. +# Doxygen ships with an example search engine (doxysearch) which is based on +# the open source search engine library Xapian. See the manual for configuration +# details. + +SEARCHENGINE_URL = + +# When SERVER_BASED_SEARCH and EXTERNAL_SEARCH are both enabled the unindexed +# search data is written to a file for indexing by an external tool. With the +# SEARCHDATA_FILE tag the name of this file can be specified. + +SEARCHDATA_FILE = searchdata.xml + +# The EXTRA_SEARCH_MAPPINGS tag can be used to enable searching through other +# doxygen projects that are not otherwise connected via tags files, but are +# all added to the same search index. Each project needs to have a tag file set +# via GENERATE_TAGFILE. The search mapping then maps the name of the tag file +# to a relative location where the documentation can be found, +# similar to the +# TAGFILES option but without actually processing the tag file. +# The format is: EXTRA_SEARCH_MAPPINGS = tagname1=loc1 tagname2=loc2 ... + +EXTRA_SEARCH_MAPPINGS = + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. 
+# Note that when enabling USE_PDFLATEX this option is only used for +# generating bitmaps for formulas in the HTML output, but not in the +# Makefile that is written to the output directory. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# The LATEX_FOOTER tag can be used to specify a personal LaTeX footer for +# the generated latex document. The footer should contain everything after +# the last chapter. If it is left blank doxygen will generate a +# standard footer. Notice: only use this tag if you know what you are doing! + +LATEX_FOOTER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. 
+ +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +# If LATEX_SOURCE_CODE is set to YES then doxygen will include +# source code with syntax highlighting in the LaTeX output. +# Note that which sources are shown also depends on other settings +# such as SOURCE_BROWSER. + +LATEX_SOURCE_CODE = NO + +# The LATEX_BIB_STYLE tag can be used to specify the style to use for the +# bibliography, e.g. plainnat, or ieeetr. The default style is "plain". See +# http://en.wikipedia.org/wiki/BibTeX for more info. + +LATEX_BIB_STYLE = plain + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. 
This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load style sheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. 
+ +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. 
+ +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. +# This is useful +# if you want to understand what is going on. +# On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. 
Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# pointed to by INCLUDE_PATH will be searched when a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = DOXYGEN + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition that +# overrules the definition found in the source code. 
+ +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all references to function-like macros +# that are alone on a line, have an all uppercase name, and do not end with a +# semicolon, because these will confuse the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. For each +# tag file the location of the external documentation should be added. The +# format of a tag file without this location is as follows: +# +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths +# or URLs. Note that each tag file must have a unique name (where the name does +# NOT include the path). If a tag file is not located in the directory in which +# doxygen is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). 
+ +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option also works with HAVE_DOT disabled, but it is recommended to +# install and use dot, since it yields more powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# The DOT_NUM_THREADS specifies the number of dot invocations doxygen is +# allowed to run in parallel. When set to 0 (the default) doxygen will +# base this on the number of processors available in the system. You can set it +# explicitly to a value larger than 0 to get control over the balance +# between CPU load and processing speed. 
+ +DOT_NUM_THREADS = 0 + +# By default doxygen will use the Helvetica font for all dot files that +# doxygen generates. When you want a differently looking font you can specify +# the font name using DOT_FONTNAME. You need to make sure dot is able to find +# the font, which can be done by putting it in a standard location or by setting +# the DOTFONTPATH environment variable or by setting DOT_FONTPATH to the +# directory containing the font. + +DOT_FONTNAME = FreeSans + +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + +# By default doxygen will tell dot to use the Helvetica font. +# If you specify a different font using DOT_FONTNAME you can use DOT_FONTPATH to +# set the path where dot can find it. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If the UML_LOOK tag is enabled, the fields and methods are shown inside +# the class node. If there are many fields or methods and many nodes the +# graph may become too big to be useful. 
The UML_LIMIT_NUM_FIELDS +# threshold limits the number of items for each type to make the size more +# managable. Set this to 0 for no limit. Note that the threshold may be +# exceeded by 50% before the limit is enforced. + +UML_LIMIT_NUM_FIELDS = 10 + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will generate a graphical hierarchy of all classes instead of a textual one. 
+ +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are svg, png, jpg, or gif. +# If left blank png will be used. If you choose svg you need to set +# HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible in IE 9+ (other browsers do not have this requirement). + +DOT_IMAGE_FORMAT = png + +# If DOT_IMAGE_FORMAT is set to svg, then this option can be set to YES to +# enable generation of interactive SVG images that allow zooming and panning. +# Note that this requires a modern browser other than Internet Explorer. +# Tested and working are Firefox, Chrome, Safari, and Opera. For IE 9+ you +# need to set HTML_FILE_EXTENSION to xhtml in order to make the SVG files +# visible. Older versions of IE do not have SVG support. + +INTERACTIVE_SVG = NO + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The MSCFILE_DIRS tag can be used to specify one or more directories that +# contain msc files that are included in the documentation (see the +# \mscfile command). + +MSCFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. 
Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). + +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES 
diff --git a/src/lib/ipa_hbac/ipa_hbac.exports b/src/lib/ipa_hbac/ipa_hbac.exports
new file mode 100644
index 0000000..abdcc5f
--- /dev/null
+++ b/src/lib/ipa_hbac/ipa_hbac.exports
@@ -0,0 +1,20 @@
+IPA_HBAC_0.0.1 {
+
+ # public functions
+ global:
+
+ hbac_evaluate;
+ hbac_result_string;
+ hbac_error_string;
+ hbac_free_info;
+ hbac_rule_is_complete;
+
+ # everything else is local
+ local:
+ *;
+};
+
+IPA_HBAC_0.1.0 {
+ global:
+ hbac_enable_debug;
+} IPA_HBAC_0.0.1;
diff --git a/src/lib/ipa_hbac/ipa_hbac.h b/src/lib/ipa_hbac/ipa_hbac.h
new file mode 100644
index 0000000..f9d339c
--- /dev/null
+++ b/src/lib/ipa_hbac/ipa_hbac.h
@@ -0,0 +1,344 @@ +/* + SSSD + + IPA Backend Module -- Access control + + Authors: + Sumit Bose + Stephen Gallagher + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef IPA_HBAC_H_ +#define IPA_HBAC_H_ + +/** + * @defgroup ipa_hbac Host-Based Access Control Resolver + * Libipa_hbac provides a mechanism to validate FreeIPA + * HBAC rules as well as evaluate whether they apply to + * a particular user login attempt. + * + * Libipa_hbac is case-insensitive and compatible with + * UTF-8. + * @{ + */ + +#include +#include +#include + +/** Debug levels for HBAC. */ +enum hbac_debug_level { + HBAC_DBG_FATAL, /** Fatal failure (not used). */ + HBAC_DBG_ERROR, /** Serious failure (out of memory, for example). */ + HBAC_DBG_WARNING, /** Warnings (not used). */ + HBAC_DBG_INFO, /** HBAC allow/disallow info. */ + HBAC_DBG_TRACE /** Verbose description of rules. */ +}; + +#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT +#define HBAC_ATTRIBUTE_PRINTF(a1, a2) __attribute__((format(printf, a1, a2))) +#else +#define HBAC_ATTRIBUTE_PRINTF(a1, a2) +#endif + +/** + * Function pointer to HBAC external debugging function. + */ +typedef void (*hbac_debug_fn_t)(const char *file, int line, + const char *function, + enum hbac_debug_level, const char *format, + ...) HBAC_ATTRIBUTE_PRINTF(5, 6); + +/** + * HBAC uses external_debug_fn for logging messages. 
+ * @param[in] external_debug_fn Pointer to external logging function. + */ +void hbac_enable_debug(hbac_debug_fn_t external_debug_fn); + +/** Result of HBAC evaluation */ +enum hbac_eval_result { + /** An error occurred + * See the #hbac_info for more details + */ + HBAC_EVAL_ERROR = -1, + + /** Evaluation grants access */ + HBAC_EVAL_ALLOW, + + /** Evaluation denies access */ + HBAC_EVAL_DENY, + + /** Evaluation failed due to lack of memory + * #hbac_info is not available + */ + HBAC_EVAL_OOM +}; + +/** + * No service category specified + */ +#define HBAC_CATEGORY_NULL 0x0000 + +/** + * Rule should apply to all + */ +#define HBAC_CATEGORY_ALL 0x0001 + +/** + * Opaque type contained in hbac_evaluator.c + */ +struct hbac_time_rules; + +/** + * Component of an HBAC rule + * + * Components can be one of users, target hosts, + * source hosts, or services. + */ +struct hbac_rule_element { + /** + * Category for this element + * + * This value is a bitmask. + * See #HBAC_CATEGORY_NULL and + * #HBAC_CATEGORY_ALL + */ + uint32_t category; + + /** + * List of explicit members of this rule component + * + * - Users: usernames + * - Hosts: hostnames + * - Services: PAM service names + */ + const char **names; + + /** + * List of group members of this rule component + * + * - Users: user groups (POSIX or non-POSIX) + * - Hosts: hostgroups + * - Services: PAM service groups. 
+ */ + const char **groups; +}; + +/** + * HBAC rule object for evaluation + */ +struct hbac_rule { + const char *name; + bool enabled; + + /** + * Services and service groups + * for which this rule applies + */ + struct hbac_rule_element *services; + + /** + * Users and groups for which this + * rule applies + */ + struct hbac_rule_element *users; + + /** + * Target hosts for which this rule apples + */ + struct hbac_rule_element *targethosts; + + /** + * Source hosts for which this rule applies + */ + struct hbac_rule_element *srchosts; + + /** + * For future use + */ + struct hbac_time_rules *timerules; +}; + +/** + * Component of an HBAC request + */ +struct hbac_request_element { + /** + * List of explicit members of this request component + * + * - Users: usernames + * - Hosts: hostnames + * - Services: PAM service names + */ + const char *name; + + /** + * List of group members of this request component + * + * - Users: user groups (POSIX or non-POSIX) + * - Hosts: hostgroups + * - Services: PAM service groups. + */ + const char **groups; +}; + +/** + * Request object for an HBAC rule evaluation + * + * + */ +struct hbac_eval_req { + /** This is a list of service DNs to check, + * it must consist of the actual service + * requested, as well as all parent groups + * containing that service. + */ + struct hbac_request_element *service; + + /** This is a list of user DNs to check, + * it must consist of the actual user + * requested, as well as all parent groups + * containing that user. + */ + struct hbac_request_element *user; + + /** This is a list of target hosts to check, + * it must consist of the actual target host + * requested, as well as all parent groups + * containing that target host. + */ + struct hbac_request_element *targethost; + + /** This is a list of source hosts to check, + * it must consist of the actual source host + * requested, as well as all parent groups + * containing that source host. 
+ */ + struct hbac_request_element *srchost; + + /** For future use */ + time_t request_time; +}; + +/** + * Error code returned by the evaluator + */ +enum hbac_error_code { + /** Unexpected error */ + HBAC_ERROR_UNKNOWN = -1, + + /** Successful evaluation */ + HBAC_SUCCESS, + + /** Function is not yet implemented */ + HBAC_ERROR_NOT_IMPLEMENTED, + + /** Ran out of memory during processing */ + HBAC_ERROR_OUT_OF_MEMORY, + + /** Parse error while evaluating rule */ + HBAC_ERROR_UNPARSEABLE_RULE +}; + +/** Extended information */ +struct hbac_info { + /** + * If the hbac_eval_result was HBAC_EVAL_ERROR, + * this will be an error code. + * Otherwise it will be HBAC_SUCCESS + */ + enum hbac_error_code code; + + /** + * Specify the name of the rule that matched or + * threw an error + */ + char *rule_name; +}; + + +/** + * @brief Evaluate an authorization request against a set of HBAC rules + * + * @param[in] rules A NULL-terminated list of rules to evaluate against + * @param[in] hbac_req A user authorization request + * @param[out] info Extended information (including the name of the + * rule that allowed access (or caused a parse error) + * @return + * - #HBAC_EVAL_ERROR: An error occurred + * - #HBAC_EVAL_ALLOW: Access is granted + * - #HBAC_EVAL_DENY: Access is denied + * - #HBAC_EVAL_OOM: Insufficient memory to complete the evaluation + */ +enum hbac_eval_result hbac_evaluate(struct hbac_rule **rules, + struct hbac_eval_req *hbac_req, + struct hbac_info **info); + +/** + * @brief Display result of hbac evaluation in human-readable form + * @param[in] result Return value of #hbac_evaluate + * @return English string describing the evaluation result + */ +const char *hbac_result_string(enum hbac_eval_result result); + +/** + * @brief Display error description + * @param code Error code returned in #hbac_info + * @return English string describing the error + */ +const char *hbac_error_string(enum hbac_error_code code); + +/** + * @brief Function to safely free 
#hbac_info returned by #hbac_evaluate
+ * @param info #hbac_info returned by #hbac_evaluate
+ */
+void hbac_free_info(struct hbac_info *info);
+
+/** User element */
+#define HBAC_RULE_ELEMENT_USERS 0x01
+
+/** Service element */
+#define HBAC_RULE_ELEMENT_SERVICES 0x02
+
+/** Target host element */
+#define HBAC_RULE_ELEMENT_TARGETHOSTS 0x04
+
+/** Source host element */
+#define HBAC_RULE_ELEMENT_SOURCEHOSTS 0x08
+
+/**
+ * @brief Evaluate whether an HBAC rule contains all necessary elements
+ *
+ * @param[in] rule An HBAC rule to evaluate
+ * @param[out] missing_attrs A list of attributes missing from the rule
+ * This is a bitmask that may contain one or more
+ * of #HBAC_RULE_ELEMENT_USERS,
+ * #HBAC_RULE_ELEMENT_SERVICES,
+ * #HBAC_RULE_ELEMENT_TARGETHOSTS and
+ * #HBAC_RULE_ELEMENT_SOURCEHOSTS
+ *
+ * @return True if the rule contains all mandatory attributes
+ *
+ * @note This function does not care if the rule is enabled or disabled
+ */
+bool hbac_rule_is_complete(struct hbac_rule *rule, uint32_t *missing_attrs);
+
+/**
+ * @}
+ */
+#endif /* IPA_HBAC_H_ */
diff --git a/src/lib/ipa_hbac/ipa_hbac.pc.in b/src/lib/ipa_hbac/ipa_hbac.pc.in
new file mode 100644
index 0000000..8366a0a
--- /dev/null
+++ b/src/lib/ipa_hbac/ipa_hbac.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: ipa_hbac
+Description: FreeIPA HBAC Evaluator library
+Version: @VERSION@
+Libs: -L${libdir} -lipa_hbac
+Cflags:
+URL: https://pagure.io/SSSD/sssd/
diff --git a/src/lib/sifp/sss_sifp.c b/src/lib/sifp/sss_sifp.c
new file mode 100644
index 0000000..3dad40f
--- /dev/null
+++ b/src/lib/sifp/sss_sifp.c
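Review bot: The `@return` list on `hbac_evaluate()` in ipa_hbac.h names four outcomes but never says that only `HBAC_EVAL_ALLOW` grants access. Because `HBAC_EVAL_ERROR` is -1 and `HBAC_EVAL_OOM` is a separate value after `HBAC_EVAL_DENY`, a caller that tests `!= HBAC_EVAL_DENY` would admit a login on a parse error or an allocation failure. I would add `@note Callers must treat every result other than #HBAC_EVAL_ALLOW as a denial.` to that doc comment. Separately, the comment on `hbac_request_element.name` says "List of explicit members" although the field is a single `const char *`, and the `hbac_eval_req` members are described as lists of DNs although each is one element pointer; the wording should say that `name` holds the one requested entity and `groups` holds its groups.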
@@ -0,0 +1,473 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "lib/sifp/sss_sifp.h" +#include "lib/sifp/sss_sifp_dbus.h" +#include "lib/sifp/sss_sifp_private.h" + +#define DBUS_IFACE_PROP "org.freedesktop.DBus.Properties" + +static void * default_alloc(size_t size, void *pvt) +{ + return malloc(size); +} + +static void default_free(void *ptr, void *pvt) +{ + free(ptr); +} + +static DBusMessage * sss_sifp_create_prop_msg(const char *object_path, + const char *method) +{ + return sss_sifp_create_message(object_path, DBUS_IFACE_PROP, method); +} + +sss_sifp_error +sss_sifp_init(sss_sifp_ctx **_ctx) +{ + return sss_sifp_init_ex(NULL, default_alloc, default_free, _ctx); +} + +sss_sifp_error +sss_sifp_init_ex(void *alloc_pvt, + sss_sifp_alloc_func *alloc_func, + sss_sifp_free_func *free_func, + sss_sifp_ctx **_ctx) +{ + sss_sifp_ctx *ctx = NULL; + DBusConnection *conn = NULL; + DBusError dbus_error; + sss_sifp_error ret; + + if (_ctx == NULL || alloc_func == NULL || free_func == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + dbus_error_init(&dbus_error); + + ctx = alloc_func(sizeof(sss_sifp_ctx), alloc_pvt); + if (ctx == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + ctx->conn = NULL; + ctx->alloc_fn = alloc_func; + ctx->free_fn = free_func; + ctx->alloc_pvt = alloc_pvt; + ctx->io_error = 
alloc_func(sizeof(DBusError), alloc_pvt); + if (ctx->io_error == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + *_ctx = ctx; + + dbus_error_init(ctx->io_error); + + conn = dbus_bus_get(DBUS_BUS_SYSTEM, &dbus_error); + if (dbus_error_is_set(&dbus_error)) { + sss_sifp_set_io_error(ctx, &dbus_error); + ret = SSS_SIFP_IO_ERROR; + goto done; + } + + ctx->conn = conn; + + ret = SSS_SIFP_OK; + +done: + if (ret != SSS_SIFP_OK) { + sss_sifp_free(&ctx); + } + + dbus_error_free(&dbus_error); + return ret; +} + +const char * +sss_sifp_get_last_io_error_name(sss_sifp_ctx *ctx) +{ + if (ctx == NULL) { + return "Invalid sss_sifp context"; + } + + if (!dbus_error_is_set(ctx->io_error)) { + return NULL; + } + + return ctx->io_error->name; +} + +const char * +sss_sifp_get_last_io_error_message(sss_sifp_ctx *ctx) +{ + if (ctx == NULL) { + return "Invalid sss_sifp context"; + } + + if (!dbus_error_is_set(ctx->io_error)) { + return NULL; + } + + return ctx->io_error->message; +} + +const char * +sss_sifp_strerr(sss_sifp_error error) +{ + switch (error) { + case SSS_SIFP_OK: + return "Success"; + case SSS_SIFP_OUT_OF_MEMORY: + return "Out of memory"; + case SSS_SIFP_INVALID_ARGUMENT: + return "Invalid argument"; + case SSS_SIFP_IO_ERROR: + return "Communication error"; + case SSS_SIFP_INTERNAL_ERROR: + return "Internal error"; + case SSS_SIFP_NOT_SUPPORTED: + return "Not supported"; + case SSS_SIFP_ATTR_MISSING: + return "Attribute does not exist"; + case SSS_SIFP_ATTR_NULL: + return "Attribute does not have any value set"; + case SSS_SIFP_INCORRECT_TYPE: + return "Incorrect type"; + case SSS_SIFP_ERROR_SENTINEL: + return "Invalid error code"; + } + + return "Invalid error code"; +} + +sss_sifp_error +sss_sifp_fetch_attr(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *name, + sss_sifp_attr ***_attrs) +{ + DBusMessage *msg = NULL; + DBusMessage *reply = NULL; + dbus_bool_t bret; + sss_sifp_error ret; + + if (ctx == NULL || object_path == 
NULL || interface == NULL + || name == NULL || _attrs == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + /* Message format: + * In: string:interface + * In: string:attribute + * Out: variant(misc:value) + */ + + msg = sss_sifp_create_prop_msg(object_path, "Get"); + if (msg == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + bret = dbus_message_append_args(msg, DBUS_TYPE_STRING, &interface, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_INVALID); + if (!bret) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + ret = sss_sifp_send_message(ctx, msg, &reply); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_parse_attr(ctx, name, reply, _attrs); + +done: + if (msg != NULL) { + dbus_message_unref(msg); + } + + if (reply != NULL) { + dbus_message_unref(reply); + } + + return ret; +} + +sss_sifp_error +sss_sifp_fetch_all_attrs(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + sss_sifp_attr ***_attrs) +{ + DBusMessage *msg = NULL; + DBusMessage *reply = NULL; + dbus_bool_t bret; + sss_sifp_error ret; + + if (ctx == NULL || object_path == NULL || interface == NULL + || _attrs == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + msg = sss_sifp_create_prop_msg(object_path, "GetAll"); + if (msg == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + bret = dbus_message_append_args(msg, DBUS_TYPE_STRING, &interface, + DBUS_TYPE_INVALID); + if (!bret) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + ret = sss_sifp_send_message(ctx, msg, &reply); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_parse_attr_list(ctx, reply, _attrs); + +done: + if (msg != NULL) { + dbus_message_unref(msg); + } + + if (reply != NULL) { + dbus_message_unref(reply); + } + + return ret; +} + +sss_sifp_error +sss_sifp_fetch_object(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + sss_sifp_object **_object) +{ + sss_sifp_object *object = NULL; + sss_sifp_attr **attrs = NULL; + const char *name = NULL; + 
sss_sifp_error ret; + + if (ctx == NULL || object_path == NULL || interface == NULL + || _object == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + ret = sss_sifp_fetch_all_attrs(ctx, object_path, interface, &attrs); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_find_attr_as_string(attrs, "name", &name); + if (ret != SSS_SIFP_OK) { + goto done; + } + + object = _alloc_zero(ctx, sss_sifp_object, 1); + if (object == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + object->attrs = attrs; + + object->name = sss_sifp_strdup(ctx, name); + if (object->name == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + object->object_path = sss_sifp_strdup(ctx, object_path); + if (object->object_path == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + object->interface = sss_sifp_strdup(ctx, interface); + if (object->interface == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + *_object = object; + + ret = SSS_SIFP_OK; + +done: + if (ret != SSS_SIFP_OK) { + sss_sifp_free_object(ctx, &object); + } + + return ret; +} + +void +sss_sifp_free(sss_sifp_ctx **_ctx) +{ + sss_sifp_ctx *ctx = NULL; + + if (_ctx == NULL || *_ctx == NULL) { + return; + } + + ctx = *_ctx; + + if (ctx->conn != NULL) { + dbus_connection_unref(ctx->conn); + } + + if (ctx->io_error != NULL) { + dbus_error_free(ctx->io_error); + _free(ctx, ctx->io_error); + } + + _free(ctx, ctx); + *_ctx = NULL; + + return; +} + +void +sss_sifp_free_attrs(sss_sifp_ctx *ctx, + sss_sifp_attr ***_attrs) +{ + sss_sifp_attr **attrs = NULL; + unsigned int i, j; + + if (_attrs == NULL || *_attrs == NULL) { + return; + } + + attrs = *_attrs; + + for (i = 0; attrs[i] != NULL; i++) { + switch (attrs[i]->type) { + case SSS_SIFP_ATTR_TYPE_BOOL: + _free(ctx, attrs[i]->data.boolean); + break; + case SSS_SIFP_ATTR_TYPE_INT16: + _free(ctx, attrs[i]->data.int16); + break; + case SSS_SIFP_ATTR_TYPE_UINT16: + _free(ctx, attrs[i]->data.uint16); + break; + case SSS_SIFP_ATTR_TYPE_INT32: 
+ _free(ctx, attrs[i]->data.int32); + break; + case SSS_SIFP_ATTR_TYPE_UINT32: + _free(ctx, attrs[i]->data.uint32); + break; + case SSS_SIFP_ATTR_TYPE_INT64: + _free(ctx, attrs[i]->data.int64); + break; + case SSS_SIFP_ATTR_TYPE_UINT64: + _free(ctx, attrs[i]->data.uint64); + break; + case SSS_SIFP_ATTR_TYPE_STRING: + for (j = 0; j < attrs[i]->num_values; j++) { + _free(ctx, attrs[i]->data.str[j]); + } + _free(ctx, attrs[i]->data.str); + break; + case SSS_SIFP_ATTR_TYPE_STRING_DICT: + if (attrs[i]->data.str_dict != NULL) { + hash_destroy(attrs[i]->data.str_dict); + } + attrs[i]->data.str_dict = NULL; + break; + } + _free(ctx, attrs[i]->name); + _free(ctx, attrs[i]); + } + + _free(ctx, attrs); + + *_attrs = NULL; +} + +void +sss_sifp_free_object(sss_sifp_ctx *ctx, + sss_sifp_object **_object) +{ + sss_sifp_object *object = NULL; + + if (_object == NULL || *_object == NULL) { + return; + } + + object = *_object; + + sss_sifp_free_attrs(ctx, &object->attrs); + _free(ctx, object->object_path); + _free(ctx, object->interface); + _free(ctx, object->name); + _free(ctx, object); + + *_object = NULL; +} + +void +sss_sifp_free_string(sss_sifp_ctx *ctx, + char **_str) +{ + if (_str == NULL || *_str == NULL) { + return; + } + + _free(ctx, *_str); + + *_str = NULL; +} + +void +sss_sifp_free_string_array(sss_sifp_ctx *ctx, + char ***_str_array) +{ + char **str_array = NULL; + int i; + + if (_str_array == NULL || *_str_array == NULL) { + return; + } + + str_array = *_str_array; + + for (i = 0; str_array[i] != NULL; i++) { + _free(ctx, str_array[i]); + } + + _free(ctx, str_array); + + *_str_array = NULL; +} diff --git a/src/lib/sifp/sss_sifp.h b/src/lib/sifp/sss_sifp.h new file mode 100644 index 0000000..95a7518 --- /dev/null +++ b/src/lib/sifp/sss_sifp.h 
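Review bot: In `sss_sifp_init_ex()` the assignment `*_ctx = ctx;` runs before `dbus_bus_get()`, so when the bus connection fails the `done:` path releases the context through `sss_sifp_free(&ctx)` while the caller's pointer still refers to the freed block. A caller that then asks for the I/O error text, or passes that pointer to `sss_sifp_free()`, touches freed memory. Moving the assignment down to just before `ret = SSS_SIFP_OK;`, or adding `*_ctx = NULL;` in the failure branch, closes this. The error path of `sss_sifp_fetch_object()` has a related leak: `attrs` is attached to `object` only after `_alloc_zero()` succeeds, so a failure in `sss_sifp_find_attr_as_string()` or in that allocation drops the fetched list. The failure branch under `done:` needs `if (object == NULL) { sss_sifp_free_attrs(ctx, &attrs); }`.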
@@ -0,0 +1,564 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_SIFP_H_ +#define SSS_SIFP_H_ + +#include +#include +#include +#include + +/** + * @defgroup sss_simpleifp Simple interface to SSSD InfoPipe responder. + * Libsss_simpleifp provides a synchronous interface to simplify basic + * communication with SSSD InfoPipe responder. + * + * This interface is not a full replacement for the complete D-Bus API and it + * provides only access to the most common tasks like fetching attributes + * of SSSD objects. + * + * If there is a need for a more sophisticated communication with the SSSD + * InfoPipe responder a D-Bus API of your choice should be used. + * + * @{ + */ + +/** SSSD InfoPipe bus address */ +#define SSS_SIFP_ADDRESS "org.freedesktop.sssd.infopipe" + +/* Backwards-compatible address */ +#define SSS_SIFP_IFP SSS_SIFP_ADDRESS + +/* Backwards-compatible interface definitions */ +#define SSS_SIFP_IFACE_IFP SSS_SIFP_IFP +#define SSS_SIFP_IFACE_COMPONENTS "org.freedesktop.sssd.infopipe.Components" +#define SSS_SIFP_IFACE_SERVICES "org.freedesktop.sssd.infopipe.Services" +#define SSS_SIFP_IFACE_DOMAINS "org.freedesktop.sssd.infopipe.Domains" +#define SSS_SIFP_IFACE_USERS "org.freedesktop.sssd.infopipe.Users" +#define SSS_SIFP_IFACE_GROUPS "org.freedesktop.sssd.infopipe.Groups" + +/** + * SSSD InfoPipe object path. 
+ * Look at InfoPipe introspection and SSSD documentation for more objects. + */ +#define SSS_SIFP_PATH "/org/freedesktop/sssd/infopipe" + +/** + * SSSD InfoPipe object path. + * Look at InfoPipe introspection and SSSD documentation for more interfaces. + */ +#define SSS_SIFP_IFACE "org.freedesktop.sssd.infopipe" + +/** + * Opaque libsss_sifp context. One context shall not be used by multiple + * threads. Each thread needs to create and use its own context. + * + * @see sss_sifp_init + * @see sss_sifp_init_ex + */ +typedef struct sss_sifp_ctx sss_sifp_ctx; + +/** + * Typedef for memory allocation functions + */ +typedef void (sss_sifp_free_func)(void *ptr, void *pvt); +typedef void *(sss_sifp_alloc_func)(size_t size, void *pvt); + +/** + * Error codes used by libsss_sifp + */ +typedef enum sss_sifp_error { + /** Success */ + SSS_SIFP_OK = 0, + + /** Ran out of memory during processing */ + SSS_SIFP_OUT_OF_MEMORY, + + /** Invalid argument */ + SSS_SIFP_INVALID_ARGUMENT, + + /** + * Input/output error + * + * @see sss_sifp_get_last_io_error() to get more information + */ + SSS_SIFP_IO_ERROR, + + /** Internal error */ + SSS_SIFP_INTERNAL_ERROR, + + /** Operation not supported */ + SSS_SIFP_NOT_SUPPORTED, + + /** Attribute does not exist */ + SSS_SIFP_ATTR_MISSING, + + /** Attribute does not have any value set */ + SSS_SIFP_ATTR_NULL, + + /** Incorrect attribute type */ + SSS_SIFP_INCORRECT_TYPE, + + /** Always last */ + SSS_SIFP_ERROR_SENTINEL +} sss_sifp_error; + +/** + * D-Bus object attribute + */ +typedef struct sss_sifp_attr sss_sifp_attr; + +/** + * D-Bus object + */ +typedef struct sss_sifp_object { + char *name; + char *object_path; + char *interface; + sss_sifp_attr **attrs; +} sss_sifp_object; + +/** + * @brief Initialize sss_sifp context using default allocator (malloc) + * + * @param[out] _ctx sss_sifp context + */ +sss_sifp_error +sss_sifp_init(sss_sifp_ctx **_ctx); + +/** + * @brief Initialize sss_sifp context + * + * @param[in] alloc_pvt Private data 
for allocation routine + * @param[in] alloc_func Function to allocate memory for the context, if + * NULL malloc() is used + * @param[in] free_func Function to free the memory of the context, if + * NULL free() is used + * @param[out] _ctx sss_sifp context + */ +sss_sifp_error +sss_sifp_init_ex(void *alloc_pvt, + sss_sifp_alloc_func *alloc_func, + sss_sifp_free_func *free_func, + sss_sifp_ctx **_ctx); + +/** + * @brief Return last error name from underlying D-Bus communication + * + * @param[in] ctx sss_sifp context + * @return Error message or NULL if no error occurred during last D-Bus call. + */ +const char * +sss_sifp_get_last_io_error_name(sss_sifp_ctx *ctx); + +/** + * @brief Return last error message from underlying D-Bus communication + * + * @param[in] ctx sss_sifp context + * @return Error message or NULL if no error occurred during last D-Bus call. + */ +const char * +sss_sifp_get_last_io_error_message(sss_sifp_ctx *ctx); + +/** + * @brief Translate error code into human readable message. + * + * @param[in] error sss_sifp error code + * @return Error message. + */ +const char * +sss_sifp_strerr(sss_sifp_error error); + +/** + * @brief Fetch selected attributes of given object. + * + * @param[in] ctx sss_sifp context + * @param[in] object_path D-Bus object path + * @param[in] interface D-Bus interface + * @param[in] name Name of desired attribute + * @param[out] _attrs List of acquired attributes + */ +sss_sifp_error +sss_sifp_fetch_attr(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *name, + sss_sifp_attr ***_attrs); + +/** + * @brief Fetch all attributes of given object. + * + * @param[in] ctx sss_sifp context + * @param[in] object_path D-Bus object path + * @param[in] interface D-Bus interface + * @param[out] _attrs Acquired attributes + */ +sss_sifp_error +sss_sifp_fetch_all_attrs(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + sss_sifp_attr ***_attrs); + +/** + * @brief Fetch D-Bus object. 
+ * + * @param[in] ctx sss_sifp context + * @param[in] object_path D-Bus object path + * @param[in] interface D-Bus interface + * @param[out] _object Object and its attributes + */ +sss_sifp_error +sss_sifp_fetch_object(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + sss_sifp_object **_object); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_bool(sss_sifp_attr **attrs, + const char *name, + bool *_value); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_int16(sss_sifp_attr **attrs, + const char *name, + int16_t *_value); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_uint16(sss_sifp_attr **attrs, + const char *name, + uint16_t *_value); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_int32(sss_sifp_attr **attrs, + const char *name, + int32_t *_value); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_uint32(sss_sifp_attr **attrs, + const char *name, + uint32_t *_value); + +/** + * @brief Find attribute in list and return its value. 
+ * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_int64(sss_sifp_attr **attrs, + const char *name, + int64_t *_value); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_uint64(sss_sifp_attr **attrs, + const char *name, + uint64_t *_value); + +/** + * @brief Find attribute in list and return its value. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_string(sss_sifp_attr **attrs, + const char *name, + const char **_value); + +/** + * @brief Find attribute in list and return its value. + * + * The dictionary is stored in dhash table, the values + * are pointers to NULL-terminated string array. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _value Output value + */ +sss_sifp_error +sss_sifp_find_attr_as_string_dict(sss_sifp_attr **attrs, + const char *name, + hash_table_t **_value); + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_bool_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + bool **_value); + +/** + * @brief Find attribute in list and return its values. 
+ * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_int16_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + int16_t **_value); + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_uint16_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + uint16_t **_value); + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_int32_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + int32_t **_value); + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_uint32_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + uint32_t **_value); + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_int64_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + int64_t **_value); + +/** + * @brief Find attribute in list and return its values. 
+ * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_uint64_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + uint64_t **_value); + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * @param[out] _num_values Number of values in the array + * @param[out] _value Output array + */ +sss_sifp_error +sss_sifp_find_attr_as_string_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + const char * const **_value); + +/** + * @brief Free sss_sifp context and set it to NULL. + * + * @param[in,out] _ctx sss_sifp context + */ +void +sss_sifp_free(sss_sifp_ctx **_ctx); + +/** + * @brief Free attribute list and set it to NULL. + * + * @param[in] ctx sss_sifp context + * @param[in,out] _attrs Attributes + */ +void +sss_sifp_free_attrs(sss_sifp_ctx *ctx, + sss_sifp_attr ***_attrs); + +/** + * @brief Free sss_sifp object and set it to NULL. + * + * @param[in] ctx sss_sifp context + * @param[in,out] _object Object + */ +void +sss_sifp_free_object(sss_sifp_ctx *ctx, + sss_sifp_object **_object); + +/** + * @brief Free string and set it to NULL. + * + * @param[in] ctx sss_sifp context + * @param[in,out] _str String + */ +void +sss_sifp_free_string(sss_sifp_ctx *ctx, + char **_str); + +/** + * @brief Free array of strings and set it to NULL. + * + * @param[in] ctx sss_sifp context + * @param[in,out] _str_array Array of strings + */ +void +sss_sifp_free_string_array(sss_sifp_ctx *ctx, + char ***_str_array); + +/** + * @} + */ + +/** + * @defgroup common Most common use cases of SSSD InfoPipe responder. + * @{ + */ + +/** + * @brief List names of available domains. 
+ * + * @param[in] ctx sss_sifp context + * @param[out] _domains List of domain names + */ +sss_sifp_error +sss_sifp_list_domains(sss_sifp_ctx *ctx, + char ***_domains); + +/** + * @brief Fetch all information about domain by name. + * + * @param[in] ctx sss_sifp context + * @param[in] name Domain name + * @param[out] _domain Domain object + */ +sss_sifp_error +sss_sifp_fetch_domain_by_name(sss_sifp_ctx *ctx, + const char *name, + sss_sifp_object **_domain); + +/** + * @brief Fetch all information about user by uid. + * + * @param[in] ctx sss_sifp context + * @param[in] uid User ID + * @param[out] _user User object + */ +sss_sifp_error +sss_sifp_fetch_user_by_uid(sss_sifp_ctx *ctx, + uid_t uid, + sss_sifp_object **_user); + +/** + * @brief Fetch all information about user by name. + * + * @param[in] ctx sss_sifp context + * @param[in] name User name + * @param[out] _user User object + */ +sss_sifp_error +sss_sifp_fetch_user_by_name(sss_sifp_ctx *ctx, + const char *name, + sss_sifp_object **_user); + +/** + * @} + */ + +#endif /* SSS_SIFP_H_ */ diff --git a/src/lib/sifp/sss_sifp_attrs.c b/src/lib/sifp/sss_sifp_attrs.c new file mode 100644 index 0000000..1004252 --- /dev/null +++ b/src/lib/sifp/sss_sifp_attrs.c 
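Review bot: The doc comment on `sss_sifp_init_ex()` in sss_sifp.h promises that a NULL `alloc_func` or `free_func` falls back to malloc()/free(), but the implementation added in sss_sifp.c by this same patch returns `SSS_SIFP_INVALID_ARGUMENT` for either. The header should state the real contract, e.g. `@param[in] alloc_func Function to allocate memory for the context, must not be NULL`, and likewise for `free_func`. The `SSS_SIFP_IO_ERROR` comment refers to `sss_sifp_get_last_io_error()`, which this header does not declare; it should name `sss_sifp_get_last_io_error_name()` and `sss_sifp_get_last_io_error_message()`. The `sss_sifp_find_attr_as_string` comment should also say that the returned pointer refers to storage owned by `attrs`, which is what the `GET_ATTR` macro in sss_sifp_attrs.c hands out, and so must not be used after `sss_sifp_free_attrs()`.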
@@ -0,0 +1,317 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "lib/sifp/sss_sifp.h" +#include "lib/sifp/sss_sifp_private.h" + +#define GET_ATTR(attrs, name, rtype, field, out, ret) do { \ + sss_sifp_attr *attr = sss_sifp_find_attr(attrs, name); \ + \ + if (attr == NULL) { \ + ret = SSS_SIFP_ATTR_MISSING; \ + break; \ + } \ + \ + if (attr->type != rtype) { \ + ret = SSS_SIFP_INCORRECT_TYPE; \ + break; \ + } \ + \ + if (attr->data.field == NULL) { \ + ret = SSS_SIFP_ATTR_NULL; \ + break; \ + } \ + \ + out = attr->data.field[0]; \ + \ + ret = SSS_SIFP_OK; \ +} while (0) + +#define GET_ATTR_ARRAY(attrs, name, rtype, field, out_num, out_val, ret) \ +do { \ + sss_sifp_attr *attr = sss_sifp_find_attr(attrs, name); \ + \ + if (attr == NULL) { \ + ret = SSS_SIFP_ATTR_MISSING; \ + break; \ + } \ + \ + if (attr->type != rtype) { \ + ret = SSS_SIFP_INCORRECT_TYPE; \ + break; \ + } \ + \ + if (attr->data.field == NULL) { \ + out_num = 0; \ + out_val = NULL; \ + ret = SSS_SIFP_ATTR_NULL; \ + break; \ + } \ + \ + out_num = attr->num_values; \ + out_val = attr->data.field; \ + \ + ret = SSS_SIFP_OK; \ +} while (0) + +static sss_sifp_attr *sss_sifp_find_attr(sss_sifp_attr **attrs, + const char *name) +{ + int i; + + if (attrs == NULL || name == NULL) { + return NULL; + } + + for (i = 0; attrs[i] != NULL; i++) { + if (strcmp(attrs[i]->name, 
name) == 0) { + return attrs[i]; + } + } + + return NULL; +} + +sss_sifp_error +sss_sifp_find_attr_as_bool(sss_sifp_attr **attrs, + const char *name, + bool *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_BOOL, boolean, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_int16(sss_sifp_attr **attrs, + const char *name, + int16_t *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_INT16, int16, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_uint16(sss_sifp_attr **attrs, + const char *name, + uint16_t *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_UINT16, uint16, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_int32(sss_sifp_attr **attrs, + const char *name, + int32_t *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_INT32, int32, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_uint32(sss_sifp_attr **attrs, + const char *name, + uint32_t *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_UINT32, uint32, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_int64(sss_sifp_attr **attrs, + const char *name, + int64_t *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_INT64, int64, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_uint64(sss_sifp_attr **attrs, + const char *name, + uint64_t *_value) +{ + sss_sifp_error ret; + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_UINT64, uint64, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_string(sss_sifp_attr **attrs, + const char *name, + const char **_value) +{ + sss_sifp_error ret; + const char *value = NULL; + + GET_ATTR(attrs, name, SSS_SIFP_ATTR_TYPE_STRING, str, value, ret); + + if (ret == SSS_SIFP_ATTR_NULL) { + *_value = NULL; + return ret; + } + + *_value = value; + return ret; +} + +sss_sifp_error 
+sss_sifp_find_attr_as_string_dict(sss_sifp_attr **attrs, + const char *name, + hash_table_t **_value) +{ + sss_sifp_attr *attr = sss_sifp_find_attr(attrs, name); + + if (attr == NULL) { + return SSS_SIFP_ATTR_MISSING; + } + + if (attr->type != SSS_SIFP_ATTR_TYPE_STRING_DICT) { + return SSS_SIFP_INCORRECT_TYPE; + } + + if (attr->data.str_dict == NULL) { + *_value = NULL; + return SSS_SIFP_ATTR_NULL; + } + + *_value = attr->data.str_dict; + + return SSS_SIFP_OK; +} + +/** + * @brief Find attribute in list and return its values. + * + * @param[in] attrs Attributes + * @param[in] name Name of the attribute to find + * + * @return Attribute values or NULL if it is not found. + */ +sss_sifp_error +sss_sifp_find_attr_as_bool_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + bool **_value) +{ + sss_sifp_error ret; + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_BOOL, boolean, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_int16_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + int16_t **_value) +{ + sss_sifp_error ret; + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_INT16, int16, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_uint16_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + uint16_t **_value) +{ + sss_sifp_error ret; + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_UINT16, uint16, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_int32_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + int32_t **_value) +{ + sss_sifp_error ret; + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_INT32, int32, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_uint32_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + uint32_t **_value) +{ + sss_sifp_error ret; + 
GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_UINT32, uint32, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_int64_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + int64_t **_value) +{ + sss_sifp_error ret; + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_INT64, int64, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_uint64_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + uint64_t **_value) +{ + sss_sifp_error ret; + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_UINT64, uint64, + *_num_values, *_value, ret); + return ret; +} + +sss_sifp_error +sss_sifp_find_attr_as_string_array(sss_sifp_attr **attrs, + const char *name, + unsigned int *_num_values, + const char * const **_value) +{ + sss_sifp_error ret; + char **value; + + GET_ATTR_ARRAY(attrs, name, SSS_SIFP_ATTR_TYPE_STRING, str, + *_num_values, value, ret); + + if (ret == SSS_SIFP_OK || ret == SSS_SIFP_ATTR_NULL) { + *_value = (const char * const *)value; + } + + return ret; +} diff --git a/src/lib/sifp/sss_sifp_common.c b/src/lib/sifp/sss_sifp_common.c new file mode 100644 index 0000000..8913d0b --- /dev/null +++ b/src/lib/sifp/sss_sifp_common.c 
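Review bot: The typed getters in sss_sifp_attrs.c write through `_value` (and `_num_values` in the array variants) without checking the pointer, so a NULL output argument is dereferenced inside `GET_ATTR`/`GET_ATTR_ARRAY` as soon as the attribute is found. `sss_sifp_list_domains` in sss_sifp_common.c already rejects a NULL output with `SSS_SIFP_INVALID_ARGUMENT`, and these public functions should do the same, e.g. `if (_value == NULL) return SSS_SIFP_INVALID_ARGUMENT;` before the macro. On `SSS_SIFP_ATTR_MISSING` and `SSS_SIFP_INCORRECT_TYPE` the outputs are left unwritten, so a caller that ignores the return code reads an uninitialised value; clearing them on every error path would make that failure deterministic. The comment above `sss_sifp_find_attr_as_bool_array` also still says `@return Attribute values or NULL if it is not found.` although the function returns `sss_sifp_error`.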
@@ -0,0 +1,183 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "lib/sifp/sss_sifp.h" +#include "lib/sifp/sss_sifp_dbus.h" +#include "lib/sifp/sss_sifp_private.h" +#include "responder/ifp/ifp_iface.h" + +#define SSS_SIFP_ATTR_NAME "name" + +static sss_sifp_error +sss_sifp_fetch_object_by_attr(sss_sifp_ctx *ctx, + const char *path, + const char *iface_find, + const char *iface_object, + const char *method, + int attr_type, + const void *attr, + sss_sifp_object **_object) +{ + sss_sifp_object *object = NULL; + char *object_path = NULL; + sss_sifp_error ret; + + if (method == NULL || attr == NULL || attr_type == DBUS_TYPE_INVALID) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + ret = sss_sifp_invoke_find_ex(ctx, path, iface_find, method, &object_path, + attr_type, attr, DBUS_TYPE_INVALID); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_fetch_object(ctx, object_path, iface_object, &object); + if (ret != SSS_SIFP_OK) { + goto done; + } + + *_object = object; + + ret = SSS_SIFP_OK; + +done: + sss_sifp_free_string(ctx, &object_path); + + return ret; +} + +static sss_sifp_error +sss_sifp_fetch_object_by_name(sss_sifp_ctx *ctx, + const char *path, + const char *iface_find, + const char *iface_object, + const char *method, + const char *name, + sss_sifp_object **_object) +{ + return sss_sifp_fetch_object_by_attr(ctx, path, 
iface_find, iface_object, + method, DBUS_TYPE_STRING, &name, + _object); +} + +sss_sifp_error +sss_sifp_list_domains(sss_sifp_ctx *ctx, + char ***_domains) +{ + sss_sifp_attr **attrs = NULL; + char **object_paths = NULL; + char **domains = NULL; + const char *name = NULL; + unsigned int size; + unsigned int i; + sss_sifp_error ret; + + if (_domains == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + ret = sss_sifp_invoke_list_ex(ctx, IFP_PATH, IFACE_IFP, "Domains", + &object_paths, DBUS_TYPE_INVALID); + if (ret != SSS_SIFP_OK) { + goto done; + } + + /* calculate number of paths acquired and allocate memory for domains */ + for (size = 0; object_paths[size] != NULL; size++); + + domains = _alloc_zero(ctx, char *, size + 1); + if (domains == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + /* fetch domain name */ + for (i = 0; i < size; i++) { + ret = sss_sifp_fetch_attr(ctx, object_paths[i], IFACE_IFP_DOMAINS, + SSS_SIFP_ATTR_NAME, &attrs); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_find_attr_as_string(attrs, SSS_SIFP_ATTR_NAME, &name); + if (ret != SSS_SIFP_OK) { + goto done; + } + + domains[i] = sss_sifp_strdup(ctx, name); + if (domains[i] == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + sss_sifp_free_attrs(ctx, &attrs); + } + + domains[i] = NULL; + + *_domains = domains; + + ret = SSS_SIFP_OK; + +done: + sss_sifp_free_attrs(ctx, &attrs); + sss_sifp_free_string_array(ctx, &object_paths); + + if (ret != SSS_SIFP_OK) { + sss_sifp_free_string_array(ctx, &domains); + } + + return ret; +} + +sss_sifp_error +sss_sifp_fetch_domain_by_name(sss_sifp_ctx *ctx, + const char *name, + sss_sifp_object **_domain) +{ + return sss_sifp_fetch_object_by_name(ctx, IFP_PATH, IFACE_IFP, + IFACE_IFP_DOMAINS, "DomainByName", + name, _domain); +} + +sss_sifp_error +sss_sifp_fetch_user_by_uid(sss_sifp_ctx *ctx, + uid_t uid, + sss_sifp_object **_user) +{ + uint64_t _uid = uid; + + return sss_sifp_fetch_object_by_attr(ctx, IFP_PATH_USERS, 
IFACE_IFP_USERS, + IFACE_IFP_USERS_USER, "ByID", + DBUS_TYPE_UINT64, &_uid, _user); +} + +sss_sifp_error +sss_sifp_fetch_user_by_name(sss_sifp_ctx *ctx, + const char *name, + sss_sifp_object **_user) +{ + return sss_sifp_fetch_object_by_name(ctx, IFP_PATH_USERS, IFACE_IFP_USERS, + IFACE_IFP_USERS_USER, "ByName", + name, _user); +} diff --git a/src/lib/sifp/sss_sifp_dbus.c b/src/lib/sifp/sss_sifp_dbus.c new file mode 100644 index 0000000..2906c5a --- /dev/null +++ b/src/lib/sifp/sss_sifp_dbus.c 
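Review bot: A NULL `name` passed to `sss_sifp_fetch_user_by_name` or `sss_sifp_fetch_domain_by_name` is not rejected: `sss_sifp_fetch_object_by_name` hands `&name` to `sss_sifp_fetch_object_by_attr`, and the address of a parameter is never NULL, so the `attr == NULL` guard there cannot catch it. The request then reaches `dbus_message_append_args_valist` in sss_sifp_dbus.c as a `DBUS_TYPE_STRING` whose value is a NULL pointer, which libdbus is not expected to accept as a valid string. Add `if (name == NULL) return SSS_SIFP_INVALID_ARGUMENT;` at the top of `sss_sifp_fetch_object_by_name`. `_object` is likewise written with `*_object = object` without a NULL check, and only after the remote call has been made, so it belongs in the same argument guard.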
@@ -0,0 +1,275 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "lib/sifp/sss_sifp.h" +#include "lib/sifp/sss_sifp_dbus.h" +#include "lib/sifp/sss_sifp_private.h" + +static sss_sifp_error sss_sifp_ifp_call(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + int first_arg_type, + va_list ap, + DBusMessage **_reply) +{ + DBusMessage *msg = NULL; + sss_sifp_error ret; + dbus_bool_t bret; + + if (object_path == NULL || interface == NULL || method == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + msg = sss_sifp_create_message(object_path, interface, method); + if (msg == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + if (first_arg_type != DBUS_TYPE_INVALID) { + bret = dbus_message_append_args_valist(msg, first_arg_type, ap); + if (!bret) { + ret = SSS_SIFP_IO_ERROR; + goto done; + } + } + + ret = sss_sifp_send_message(ctx, msg, _reply); + +done: + if (msg != NULL) { + dbus_message_unref(msg); + } + + return ret; +} + +DBusMessage * +sss_sifp_create_message(const char *object_path, + const char *interface, + const char *method) +{ + return dbus_message_new_method_call(SSS_SIFP_ADDRESS, object_path, + interface, method); +} + +sss_sifp_error +sss_sifp_send_message(sss_sifp_ctx *ctx, + DBusMessage *msg, + DBusMessage **_reply) +{ + return 
sss_sifp_send_message_ex(ctx, msg, 5000, _reply); +} + +sss_sifp_error +sss_sifp_send_message_ex(sss_sifp_ctx *ctx, + DBusMessage *msg, + int timeout, + DBusMessage **_reply) +{ + DBusMessage *reply = NULL; + DBusError dbus_error; + sss_sifp_error ret; + + if (ctx == NULL || msg == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + dbus_error_init(&dbus_error); + + reply = dbus_connection_send_with_reply_and_block(ctx->conn, msg, + timeout, &dbus_error); + if (dbus_error_is_set(&dbus_error)) { + sss_sifp_set_io_error(ctx, &dbus_error); + ret = SSS_SIFP_IO_ERROR; + goto done; + } + + if (_reply == NULL) { + dbus_message_unref(reply); + } else { + *_reply = reply; + } + + ret = SSS_SIFP_OK; + +done: + dbus_error_free(&dbus_error); + return ret; +} + +static sss_sifp_error +sss_sifp_invoke_list_va(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + char ***_object_paths, + int first_arg_type, + va_list ap) +{ + DBusMessage *reply = NULL; + char *dbus_method = NULL; + sss_sifp_error ret; + + if (ctx == NULL || method == NULL || _object_paths == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + dbus_method = sss_sifp_strcat(ctx, "List", method); + if (dbus_method == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + ret = sss_sifp_ifp_call(ctx, object_path, interface, dbus_method, + first_arg_type, ap, &reply); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_parse_object_path_list(ctx, reply, _object_paths); + +done: + sss_sifp_free_string(ctx, &dbus_method); + + if (reply != NULL) { + dbus_message_unref(reply); + } + + return ret; +} + +sss_sifp_error +sss_sifp_invoke_list_ex(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + char ***_object_paths, + int first_arg_type, + ...) 
+{ + va_list ap; + sss_sifp_error ret; + + va_start(ap, first_arg_type); + ret = sss_sifp_invoke_list_va(ctx, object_path, interface, method, + _object_paths, first_arg_type, ap); + va_end(ap); + return ret; +} + +sss_sifp_error +sss_sifp_invoke_list(sss_sifp_ctx *ctx, + const char *method, + char ***_object_paths, + int first_arg_type, + ...) +{ + va_list ap; + sss_sifp_error ret; + + va_start(ap, first_arg_type); + ret = sss_sifp_invoke_list_ex(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, method, + _object_paths, first_arg_type, ap); + va_end(ap); + return ret; +} + +static sss_sifp_error +sss_sifp_invoke_find_va(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + char **_object_path, + int first_arg_type, + va_list ap) +{ + DBusMessage *reply = NULL; + char *dbus_method = NULL; + sss_sifp_error ret; + + if (ctx == NULL || method == NULL || _object_path == NULL) { + return SSS_SIFP_INVALID_ARGUMENT; + } + + dbus_method = sss_sifp_strcat(ctx, "Find", method); + if (dbus_method == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + ret = sss_sifp_ifp_call(ctx, object_path, interface, dbus_method, + first_arg_type, ap, &reply); + if (ret != SSS_SIFP_OK) { + goto done; + } + + ret = sss_sifp_parse_object_path(ctx, reply, _object_path); + +done: + sss_sifp_free_string(ctx, &dbus_method); + + if (reply != NULL) { + dbus_message_unref(reply); + } + + return ret; +} + +sss_sifp_error +sss_sifp_invoke_find_ex(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + char **_object_path, + int first_arg_type, + ...) +{ + va_list ap; + sss_sifp_error ret; + + va_start(ap, first_arg_type); + ret = sss_sifp_invoke_find_va(ctx, object_path, interface, method, + _object_path, first_arg_type, ap); + va_end(ap); + return ret; +} + +sss_sifp_error +sss_sifp_invoke_find(sss_sifp_ctx *ctx, + const char *method, + char **_object_path, + int first_arg_type, + ...) 
+{ + va_list ap; + sss_sifp_error ret; + + va_start(ap, first_arg_type); + ret = sss_sifp_invoke_find_va(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, method, + _object_path, first_arg_type, ap); + va_end(ap); + return ret; +} diff --git a/src/lib/sifp/sss_sifp_dbus.h b/src/lib/sifp/sss_sifp_dbus.h new file mode 100644 index 0000000..875d781 --- /dev/null +++ b/src/lib/sifp/sss_sifp_dbus.h 
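Review bot: `sss_sifp_invoke_list` passes its `va_list` to the variadic `sss_sifp_invoke_list_ex`, which runs its own `va_start` and so treats `ap` itself as the first D-Bus argument value; whenever `first_arg_type` is not `DBUS_TYPE_INVALID`, `dbus_message_append_args_valist` reads unrelated memory as the argument. `sss_sifp_invoke_find` does this correctly by calling the `_va` helper, so the list variant should read `ret = sss_sifp_invoke_list_va(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, method, _object_paths, first_arg_type, ap);`. The compiler cannot flag the mistake because the `...` parameter accepts any type, so a test that calls `sss_sifp_invoke_list` with at least one real argument is worth adding.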
@@ -0,0 +1,174 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_SIFP_DBUS_H_ +#define SSS_SIFP_DBUS_H_ + +#include +#include + +/** + * @defgroup sss_sifp_dbus Advanced InfoPipe method calls. + * + * Functions in this module provide a way to reuse sss_sifp connection + * to the SSSD's InfoPipe responder. + * + * This allows the caller to send more sophisticated messages to the InfoPipe + * and to use both sss_sifp and D-Bus without the need of maintaining two + * separate D-Bus connections. + * + * However, these functions require the caller to understand the D-Bus + * bindings from libdbus. + * + * @{ + */ + +/** + * @brief Create a new method call message for SSSD InfoPipe bus. + * + * @param[in] object_path D-Bus object path + * @param[in] interface D-Bus interface + * @param[in] method D-Bus method + * + * @return D-Bus message. + */ +DBusMessage * +sss_sifp_create_message(const char *object_path, + const char *interface, + const char *method); + +/** + * @brief Send D-Bus message to SSSD InfoPipe bus with 5 seconds timeout. + * + * @param[in] ctx sss_sifp context + * @param[in] msg D-Bus message + * @param[in] _reply D-Bus reply, may be NULL if the caller is not interested + * + * @return D-Bus message. 
+ */ +sss_sifp_error +sss_sifp_send_message(sss_sifp_ctx *ctx, + DBusMessage *msg, + DBusMessage **_reply); + +/** + * @brief Send D-Bus message to SSSD InfoPipe bus. + * + * @param[in] ctx sss_sifp context + * @param[in] msg D-Bus message + * @param[in] timeout Timeout + * @param[in] _reply D-Bus reply, may be NULL if the caller is not interested + * + * @return D-Bus message. + */ +sss_sifp_error +sss_sifp_send_message_ex(sss_sifp_ctx *ctx, + DBusMessage *msg, + int timeout, + DBusMessage **_reply); + +/** + * @brief List objects that satisfies given conditions. This routine will + * invoke List D-Bus method on given interface and object path. If + * no interface or object path is given, /org/freedesktop/sssd/infopipe and + * org.freedesktop.sssd.infopipe is used. Arguments to this method are given + * as standard variadic D-Bus arguments. + * + * @param[in] ctx sss_sifp context + * @param[in] object_path D-Bus object path + * @param[in] interface D-Bus interface + * @param[in] method D-Bus method to call without the 'List' prefix + * @param[out] _object_paths List of object paths + * @param[in] first_arg_type Type of the first D-Bus argument + * @param[in] ... D-Bus arguments + */ +sss_sifp_error +sss_sifp_invoke_list_ex(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + char ***_object_paths, + int first_arg_type, + ...); + +/** + * @brief List objects that satisfies given conditions. This routine will + * invoke List D-Bus method on SSSD InfoPipe interface. Arguments + * to this method are given as standard variadic D-Bus arguments. + * + * @param[in] ctx sss_sifp context + * @param[in] method D-Bus method to call without the 'List' prefix + * @param[out] _object_paths List of object paths + * @param[in] first_arg_type Type of the first D-Bus argument + * @param[in] ... 
D-Bus arguments + */ +sss_sifp_error +sss_sifp_invoke_list(sss_sifp_ctx *ctx, + const char *method, + char ***_object_paths, + int first_arg_type, + ...); + +/** + * @brief Find single object that satisfies given conditions. This routine will + * invoke Find D-Bus method on given interface and object path. If + * no interface or object path is given, /org/freedesktop/sssd/infopipe and + * org.freedesktop.sssd.infopipe is used. Arguments to this method are given + * as standard variadic D-Bus arguments. + * + * @param[in] ctx sss_sifp context + * @param[in] object_path D-Bus object path + * @param[in] interface D-Bus interface + * @param[in] method D-Bus method to call without the 'Find' prefix + * @param[out] _object_path Object path + * @param[in] first_arg_type Type of the first D-Bus argument + * @param[in] ... D-Bus arguments + */ +sss_sifp_error +sss_sifp_invoke_find_ex(sss_sifp_ctx *ctx, + const char *object_path, + const char *interface, + const char *method, + char **_object_path, + int first_arg_type, + ...); + +/** + * @brief Find single object that satisfies given conditions. This routine will + * invoke Find D-Bus method on SSSD InfoPipe interface. Arguments + * to this method are given as standard variadic D-Bus arguments. + * + * @param[in] ctx sss_sifp context + * @param[in] method D-Bus method to call without the 'Find' prefix + * @param[out] _object_path Object path + * @param[in] first_arg_type Type of the first D-Bus argument + * @param[in] ... D-Bus arguments + */ +sss_sifp_error +sss_sifp_invoke_find(sss_sifp_ctx *ctx, + const char *method, + char **_object_path, + int first_arg_type, + ...); + +/** + * @} + */ +#endif /* SSS_SIFP_DBUS_H_ */ diff --git a/src/lib/sifp/sss_sifp_parser.c b/src/lib/sifp/sss_sifp_parser.c new file mode 100644 index 0000000..43eab4d --- /dev/null +++ b/src/lib/sifp/sss_sifp_parser.c 
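Review bot: The comments on `sss_sifp_invoke_list_ex` and `sss_sifp_invoke_find_ex` promise that `/org/freedesktop/sssd/infopipe` and `org.freedesktop.sssd.infopipe` are used when no object path or interface is given, but `sss_sifp_ifp_call` in sss_sifp_dbus.c (same commit) returns `SSS_SIFP_INVALID_ARGUMENT` for a NULL `object_path` or `interface`. Either drop that sentence or state that both arguments are required. On `sss_sifp_send_message` and `sss_sifp_send_message_ex`, `_reply` is an output and should be `@param[out]`, `@return D-Bus message.` should describe the `sss_sifp_error` result, and `timeout` should name its unit (the 5-second wrapper passes `5000`, so presumably milliseconds). Since the implementation stores the reply in `*_reply` without releasing it, the comment should also state ownership, e.g. `The caller must dbus_message_unref() *_reply on success.`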
@@ -0,0 +1,723 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "lib/sifp/sss_sifp.h" +#include "lib/sifp/sss_sifp_private.h" + +#define check_dbus_arg(iter, type, ret, done) do { \ + if (dbus_message_iter_get_arg_type((iter)) != (type)) { \ + ret = SSS_SIFP_INTERNAL_ERROR; \ + goto done; \ + } \ +} while (0) + +#define parse_basic(ctx, iter, ret, attr_type, dbus_type, \ + data_type, field, done) \ +do { \ + dbus_type val; \ + dbus_message_iter_get_basic(iter, &val); \ + attr->type = attr_type; \ + attr->data.field = _alloc_zero(ctx, data_type, 1); \ + \ + if (attr->data.field == NULL) { \ + ret = SSS_SIFP_OUT_OF_MEMORY; \ + goto done; \ + } \ + \ + attr->data.field[0] = val; \ + attr->num_values = 1; \ + \ + ret = SSS_SIFP_OK; \ +} while (0) + +#define parse_array(ctx, iter, ret, attr_type, dbus_type, \ + data_type, field, done) \ +do { \ + dbus_type val; \ + unsigned int i; \ + \ + attr->type = attr_type; \ + if (attr->num_values == 0) { \ + attr->data.field = NULL; \ + ret = SSS_SIFP_OK; \ + goto done; \ + } \ + \ + attr->data.field = _alloc_zero(ctx, data_type, attr->num_values); \ + if (attr->data.field == NULL) { \ + ret = SSS_SIFP_OUT_OF_MEMORY; \ + goto done; \ + } \ + \ + for (i = 0; i < attr->num_values; i++) { \ + dbus_message_iter_get_basic(iter, &val); \ + attr->data.field[i] = val; \ + \ + if 
(!dbus_message_iter_next(iter) && i + 1 < attr->num_values) { \ + ret = SSS_SIFP_INTERNAL_ERROR; \ + goto done; \ + } \ + } \ + \ + ret = SSS_SIFP_OK; \ +} while (0) + +static unsigned int +sss_sifp_get_array_length(DBusMessageIter *iter) +{ + DBusMessageIter array_iter; + unsigned int size; + + dbus_message_iter_recurse(iter, &array_iter); + + if (dbus_message_iter_get_arg_type(&array_iter) == DBUS_TYPE_INVALID) { + return 0; + } + + size = 0; + do { + size++; + } while (dbus_message_iter_next(&array_iter)); + + return size; +} + +static void hash_delete_cb(hash_entry_t *item, + hash_destroy_enum type, + void *pvt) +{ + sss_sifp_ctx *ctx = (sss_sifp_ctx*)pvt; + char **values = (char**)(item->value.ptr); + int i; + + if (values == NULL) { + return; + } + + for (i = 0; values[i] != NULL; i++) { + _free(ctx, values[i]); + values[i] = NULL; + } + + _free(ctx, values); + item->value.ptr = NULL; +} + +static sss_sifp_error +sss_sifp_parse_dict(sss_sifp_ctx *ctx, + DBusMessageIter *iter, + hash_table_t *table) +{ + DBusMessageIter dict_iter; + DBusMessageIter array_iter; + sss_sifp_error ret; + hash_key_t table_key; + hash_value_t table_value; + const char *key = NULL; + const char *value = NULL; + char **values = NULL; + unsigned int i; + unsigned int num_values; + int hret; + + dbus_message_iter_recurse(iter, &dict_iter); + + /* get the key */ + check_dbus_arg(&dict_iter, DBUS_TYPE_STRING, ret, done); + dbus_message_iter_get_basic(&dict_iter, &key); + + table_key.type = HASH_KEY_STRING; + table_key.str = sss_sifp_strdup(ctx, key); + if (table_key.str == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + if (!dbus_message_iter_next(&dict_iter)) { + ret = SSS_SIFP_INTERNAL_ERROR; + goto done; + } + + /* now read the value */ + switch (dbus_message_iter_get_arg_type(&dict_iter)) { + case DBUS_TYPE_STRING: + dbus_message_iter_get_basic(&dict_iter, &value); + values = _alloc_zero(ctx, char *, 2); + if (values == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; 
+ } + + values[0] = sss_sifp_strdup(ctx, value); + if (values[0] == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + values[1] = NULL; + + ret = SSS_SIFP_OK; + break; + case DBUS_TYPE_ARRAY: + num_values = sss_sifp_get_array_length(&dict_iter); + if (num_values == 0) { + values = NULL; + ret = SSS_SIFP_OK; + goto done; + } + + if (dbus_message_iter_get_element_type(&dict_iter) + != DBUS_TYPE_STRING) { + ret = SSS_SIFP_NOT_SUPPORTED; + goto done; + } + + dbus_message_iter_recurse(&dict_iter, &array_iter); + + values = _alloc_zero(ctx, char*, num_values + 1); + if (values == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + for (i = 0; i < num_values; i++) { + dbus_message_iter_get_basic(&array_iter, &value); + values[i] = sss_sifp_strdup(ctx, value); + if (values[i] == NULL) { + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + dbus_message_iter_next(&array_iter); + } + + ret = SSS_SIFP_OK; + break; + default: + ret = SSS_SIFP_NOT_SUPPORTED; + break; + } + + table_value.type = HASH_VALUE_PTR; + table_value.ptr = values; + + hret = hash_enter(table, &table_key, &table_value); + if (hret == HASH_ERROR_NO_MEMORY) { + ret = SSS_SIFP_OUT_OF_MEMORY; + } else if (hret != HASH_SUCCESS) { + ret = SSS_SIFP_INTERNAL_ERROR; + } + +done: + if (table_key.str != NULL) { + _free(ctx, table_key.str); + } + + if (ret != SSS_SIFP_OK) { + if (values != NULL) { + for (i = 0; values[i] != NULL; i++) { + _free(ctx, values[i]); + } + _free(ctx, values); + } + } + + return ret; +} + +static sss_sifp_error +sss_sifp_parse_basic(sss_sifp_ctx *ctx, + DBusMessageIter *iter, + sss_sifp_attr *attr) +{ + sss_sifp_error ret; + + switch (dbus_message_iter_get_arg_type(iter)) { + case DBUS_TYPE_BOOLEAN: + parse_basic(ctx, iter, ret, SSS_SIFP_ATTR_TYPE_BOOL, + dbus_bool_t, bool, boolean, done); + break; + case DBUS_TYPE_INT16: + parse_basic(ctx, iter, ret, SSS_SIFP_ATTR_TYPE_INT16, + int16_t, int16_t, int16, done); + break; + case DBUS_TYPE_UINT16: + parse_basic(ctx, iter, ret, 
SSS_SIFP_ATTR_TYPE_UINT16, + uint16_t, uint16_t, uint16, done); + break; + case DBUS_TYPE_INT32: + parse_basic(ctx, iter, ret, SSS_SIFP_ATTR_TYPE_INT32, + int32_t, int32_t, int32, done); + break; + case DBUS_TYPE_UINT32: + parse_basic(ctx, iter, ret, SSS_SIFP_ATTR_TYPE_UINT32, + uint32_t, uint32_t, uint32, done); + break; + case DBUS_TYPE_INT64: + parse_basic(ctx, iter, ret, SSS_SIFP_ATTR_TYPE_INT64, + int64_t, int64_t, int64, done); + break; + case DBUS_TYPE_UINT64: + parse_basic(ctx, iter, ret, SSS_SIFP_ATTR_TYPE_UINT64, + uint64_t, uint64_t, uint64, done); + break; + case DBUS_TYPE_STRING: + case DBUS_TYPE_OBJECT_PATH: + { + const char *val = NULL; + + dbus_message_iter_get_basic(iter, &val); + + attr->type = SSS_SIFP_ATTR_TYPE_STRING; + attr->data.str = _alloc_zero(ctx, char*, 1); + if (attr->data.str == NULL) { \ + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + attr->data.str[0] = sss_sifp_strdup(ctx, val); + if (attr->data.str[0] == NULL) { + _free(ctx, attr->data.str); + ret = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + attr->num_values = 1; + + ret = SSS_SIFP_OK; + break; + } + default: + ret = SSS_SIFP_INVALID_ARGUMENT; + break; + } + +done: + return ret; +} + +static sss_sifp_error +sss_sifp_parse_array(sss_sifp_ctx *ctx, + DBusMessageIter *iter, + sss_sifp_attr *attr) +{ + DBusMessageIter array_iter; + sss_sifp_error ret; + int hret; + + attr->num_values = sss_sifp_get_array_length(iter); + dbus_message_iter_recurse(iter, &array_iter); + + switch (dbus_message_iter_get_element_type(iter)) { + case DBUS_TYPE_BOOLEAN: + parse_array(ctx, &array_iter, ret, SSS_SIFP_ATTR_TYPE_BOOL, + dbus_bool_t, bool, boolean, done); + break; + case DBUS_TYPE_INT16: + parse_array(ctx, &array_iter, ret, SSS_SIFP_ATTR_TYPE_INT16, + int16_t, int16_t, int16, done); + break; + case DBUS_TYPE_UINT16: + parse_array(ctx, &array_iter, ret, SSS_SIFP_ATTR_TYPE_UINT16, + uint16_t, uint16_t, uint16, done); + break; + case DBUS_TYPE_INT32: + parse_array(ctx, &array_iter, ret, 
SSS_SIFP_ATTR_TYPE_INT32,
+ int32_t, int32_t, int32, done);
+ break;
+ case DBUS_TYPE_UINT32:
+ parse_array(ctx, &array_iter, ret, SSS_SIFP_ATTR_TYPE_UINT32,
+ uint32_t, uint32_t, uint32, done);
+ break;
+ case DBUS_TYPE_INT64:
+ parse_array(ctx, &array_iter, ret, SSS_SIFP_ATTR_TYPE_INT64,
+ int64_t, int64_t, int64, done);
+ break;
+ case DBUS_TYPE_UINT64:
+ parse_array(ctx, &array_iter, ret, SSS_SIFP_ATTR_TYPE_UINT64,
+ uint64_t, uint64_t, uint64, done);
+ break;
+ case DBUS_TYPE_STRING:
+ case DBUS_TYPE_OBJECT_PATH: ;
+ const char *val;
+ unsigned int i;
+
+ attr->type = SSS_SIFP_ATTR_TYPE_STRING;
+ if (attr->num_values == 0) {
+ attr->data.str = NULL;
+ ret = SSS_SIFP_OK;
+ goto done;
+ }
+
+ attr->data.str = _alloc_zero(ctx, char *, attr->num_values);
+ if (attr->data.str == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ for (i = 0; i < attr->num_values; i++) {
+ dbus_message_iter_get_basic(&array_iter, &val);
+ attr->data.str[i] = sss_sifp_strdup(ctx, val);
+ if (attr->data.str[i] == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ if (!dbus_message_iter_next(&array_iter)
+ && i + 1 < attr->num_values) {
+ ret = SSS_SIFP_INTERNAL_ERROR;
+ goto done;
+ }
+ }
+
+ ret = SSS_SIFP_OK;
+ break;
+ case DBUS_TYPE_DICT_ENTRY:
+ attr->type = SSS_SIFP_ATTR_TYPE_STRING_DICT;
+ if (attr->num_values == 0) {
+ attr->data.str_dict = NULL;
+ ret = SSS_SIFP_OK;
+ goto done;
+ }
+
+ hret = hash_create_ex(10, &(attr->data.str_dict), 0, 0, 0, 0,
+ ctx->alloc_fn, ctx->free_fn, ctx->alloc_pvt,
+ hash_delete_cb, ctx);
+ if (hret != HASH_SUCCESS) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ for (i = 0; i < attr->num_values; i++) {
+ ret = sss_sifp_parse_dict(ctx, &array_iter, attr->data.str_dict);
+ if (ret != SSS_SIFP_OK) {
+ _free(ctx, attr->data.str_dict);
+ goto done;
+ }
+
+ if (!dbus_message_iter_next(&array_iter)
+ && i + 1 < attr->num_values) {
+ ret = SSS_SIFP_INTERNAL_ERROR;
+ goto done;
+ }
+ }
+
+ ret = SSS_SIFP_OK;
+ break;
+ default:
+ ret = SSS_SIFP_INVALID_ARGUMENT;
+ break;
+ }
+
+done:
+ if (ret != SSS_SIFP_OK) {
+ if (attr->type == SSS_SIFP_ATTR_TYPE_STRING && attr->data.str != NULL) {
+ for (unsigned int i = 0;
+ attr->data.str[i] != NULL && i < attr->num_values;
+ i++) {
+ _free(ctx, attr->data.str[i]);
+ }
+ _free(ctx, attr->data.str);
+ } else if (attr->type == SSS_SIFP_ATTR_TYPE_STRING_DICT
+ && attr->data.str_dict != NULL) {
+ hash_destroy(attr->data.str_dict);
+ attr->data.str_dict = NULL;
+ }
+ }
+
+ return ret;
+}
+
+static sss_sifp_error
+sss_sifp_parse_variant(sss_sifp_ctx *ctx,
+ DBusMessageIter *iter,
+ sss_sifp_attr *attr)
+{
+ DBusMessageIter variant_iter;
+ sss_sifp_error ret;
+ int type;
+
+ check_dbus_arg(iter, DBUS_TYPE_VARIANT, ret, done);
+
+ dbus_message_iter_recurse(iter, &variant_iter);
+
+ type = dbus_message_iter_get_arg_type(&variant_iter);
+ if (dbus_type_is_basic(type)) {
+ ret = sss_sifp_parse_basic(ctx, &variant_iter, attr);
+ } else {
+ /* container types */
+ switch (type) {
+ /* case DBUS_TYPE_DICT_ENTRY may only be contained within an array
+ * in variant */
+ case DBUS_TYPE_ARRAY:
+ ret = sss_sifp_parse_array(ctx, &variant_iter, attr);
+ break;
+ default:
+ ret = SSS_SIFP_NOT_SUPPORTED;
+ break;
+ }
+ }
+
+done:
+ return ret;
+}
+
+/**
+ * DBusMessage format:
+ * variant:value
+ *
+ * Iterator has to point to the variant but not inside the variant.
+ */
+static sss_sifp_error
+sss_sifp_parse_single_attr(sss_sifp_ctx *ctx,
+ const char *name,
+ DBusMessageIter *iter,
+ sss_sifp_attr **_attr)
+{
+ sss_sifp_attr *attr = NULL;
+ sss_sifp_error ret;
+
+ attr = _alloc_zero(ctx, sss_sifp_attr, 1);
+ if (attr == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ attr->name = sss_sifp_strdup(ctx, name);
+ if (attr->name == NULL) {
+ _free(ctx, attr);
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ ret = sss_sifp_parse_variant(ctx, iter, attr);
+ if (ret != SSS_SIFP_OK) {
+ _free(ctx, attr->name);
+ _free(ctx, attr);
+ }
+
+ *_attr = attr;
+
+done:
+ return ret;
+}
+
+/**
+ * DBusMessage format:
+ * variant:value
+ */
+sss_sifp_error
+sss_sifp_parse_attr(sss_sifp_ctx *ctx,
+ const char *name,
+ DBusMessage *msg,
+ sss_sifp_attr ***_attrs)
+{
+ sss_sifp_attr **attrs = NULL;
+ DBusMessageIter iter;
+ sss_sifp_error ret;
+
+ dbus_message_iter_init(msg, &iter);
+
+ attrs = _alloc_zero(ctx, sss_sifp_attr *, 2);
+ if (attrs == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ ret = sss_sifp_parse_single_attr(ctx, name, &iter, &attrs[0]);
+ if (ret != SSS_SIFP_OK) {
+ goto done;
+ }
+
+ *_attrs = attrs;
+
+ ret = SSS_SIFP_OK;
+
+done:
+ if (ret != SSS_SIFP_OK) {
+ sss_sifp_free_attrs(ctx, &attrs);
+ }
+
+ return ret;
+}
+
+/**
+ * DBusMessage format:
+ * array of dict_entry(string:attr_name, variant:value)
+ */
+sss_sifp_error
+sss_sifp_parse_attr_list(sss_sifp_ctx *ctx,
+ DBusMessage *msg,
+ sss_sifp_attr ***_attrs)
+{
+ DBusMessageIter iter;
+ DBusMessageIter array_iter;
+ DBusMessageIter dict_iter;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = NULL;
+ unsigned int num_values;
+ sss_sifp_error ret;
+ unsigned int i;
+
+ dbus_message_iter_init(msg, &iter);
+
+ check_dbus_arg(&iter, DBUS_TYPE_ARRAY, ret, done);
+
+ if (dbus_message_iter_get_element_type(&iter) != DBUS_TYPE_DICT_ENTRY) {
+ ret = SSS_SIFP_INTERNAL_ERROR;
+ goto done;
+ }
+
+ num_values = sss_sifp_get_array_length(&iter);
+ attrs = _alloc_zero(ctx, sss_sifp_attr *, num_values + 1);
+ if (attrs == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ dbus_message_iter_recurse(&iter, &array_iter);
+
+ for (i = 0; i < num_values; i++) {
+ dbus_message_iter_recurse(&array_iter, &dict_iter);
+
+ /* get the key */
+ check_dbus_arg(&dict_iter, DBUS_TYPE_STRING, ret, done);
+ dbus_message_iter_get_basic(&dict_iter, &name);
+
+ if (!dbus_message_iter_next(&dict_iter)) {
+ ret = SSS_SIFP_INTERNAL_ERROR;
+ goto done;
+ }
+
+ /* now read the value */
+ check_dbus_arg(&dict_iter, DBUS_TYPE_VARIANT, ret, done);
+
+ ret = sss_sifp_parse_single_attr(ctx, name, &dict_iter, &attrs[i]);
+ if (ret != SSS_SIFP_OK) {
+ goto done;
+ }
+
+ dbus_message_iter_next(&array_iter);
+ }
+
+ *_attrs = attrs;
+ ret = SSS_SIFP_OK;
+
+done:
+ if (ret != SSS_SIFP_OK) {
+ sss_sifp_free_attrs(ctx, &attrs);
+ }
+
+ return ret;
+}
+
+sss_sifp_error
+sss_sifp_parse_object_path(sss_sifp_ctx *ctx,
+ DBusMessage *msg,
+ char **_object_path)
+{
+ char *object_path = NULL;
+ const char *dbus_path = NULL;
+ DBusError dbus_error;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+
+ dbus_error_init(&dbus_error);
+
+ bret = dbus_message_get_args(msg, &dbus_error,
+ DBUS_TYPE_OBJECT_PATH, &dbus_path,
+ DBUS_TYPE_INVALID);
+ if (!bret) {
+ sss_sifp_set_io_error(ctx, &dbus_error);
+ ret = SSS_SIFP_IO_ERROR;
+ goto done;
+ }
+
+ object_path = sss_sifp_strdup(ctx, dbus_path);
+ if (object_path == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ *_object_path = object_path;
+ ret = SSS_SIFP_OK;
+
+done:
+ dbus_error_free(&dbus_error);
+
+ return ret;
+}
+
+sss_sifp_error
+sss_sifp_parse_object_path_list(sss_sifp_ctx *ctx,
+ DBusMessage *msg,
+ char ***_object_paths)
+{
+ char **object_paths = NULL;
+ char **dbus_paths = NULL;
+ int num_paths;
+ DBusError dbus_error;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+ int i;
+
+ dbus_error_init(&dbus_error);
+
+ bret = dbus_message_get_args(msg, &dbus_error,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH,
+ &dbus_paths, &num_paths,
+ DBUS_TYPE_INVALID);
+ if (!bret) {
+ sss_sifp_set_io_error(ctx, &dbus_error);
+ ret = SSS_SIFP_IO_ERROR;
+ goto done;
+ }
+
+ object_paths = _alloc_zero(ctx, char *, num_paths + 1);
+ if (object_paths == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+
+ for (i = 0; i < num_paths; i++) {
+ object_paths[i] = sss_sifp_strdup(ctx, dbus_paths[i]);
+ if (object_paths[i] == NULL) {
+ ret = SSS_SIFP_OUT_OF_MEMORY;
+ goto done;
+ }
+ }
+
+ *_object_paths = object_paths;
+ ret = SSS_SIFP_OK;
+
+done:
+ dbus_error_free(&dbus_error);
+ dbus_free_string_array(dbus_paths);
+
+ if (ret != SSS_SIFP_OK && object_paths != NULL) {
+ sss_sifp_free_string_array(ctx, &object_paths);
+ }
+
+ return ret;
+}
diff --git a/src/lib/sifp/sss_sifp_private.h b/src/lib/sifp/sss_sifp_private.h
new file mode 100644
index 0000000..9af8f7b
--- /dev/null
+++ b/src/lib/sifp/sss_sifp_private.h
@@ -0,0 +1,112 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SSS_SIFP_PRIVATE_H_
+#define SSS_SIFP_PRIVATE_H_
+
+#include
+#include "lib/sifp/sss_sifp.h"
+
+void *sss_sifp_alloc_zero(sss_sifp_ctx *ctx, size_t size, size_t num);
+
+#define _alloc_zero(ctx, type, num) sss_sifp_alloc_zero(ctx, sizeof(type), num)
+
+#define _free(ctx, var) \
+ do { \
+ ctx->free_fn((var), ctx->alloc_pvt); \
+ (var) = NULL; \
+ } while (0)
+
+struct sss_sifp_ctx {
+ DBusConnection *conn;
+ sss_sifp_alloc_func *alloc_fn;
+ sss_sifp_free_func *free_fn;
+ void *alloc_pvt;
+
+ DBusError *io_error;
+};
+
+enum sss_sifp_attr_type {
+ SSS_SIFP_ATTR_TYPE_BOOL,
+ SSS_SIFP_ATTR_TYPE_INT16,
+ SSS_SIFP_ATTR_TYPE_UINT16,
+ SSS_SIFP_ATTR_TYPE_INT32,
+ SSS_SIFP_ATTR_TYPE_UINT32,
+ SSS_SIFP_ATTR_TYPE_INT64,
+ SSS_SIFP_ATTR_TYPE_UINT64,
+ SSS_SIFP_ATTR_TYPE_STRING,
+ SSS_SIFP_ATTR_TYPE_STRING_DICT
+};
+
+/**
+ * D-Bus object attribute
+ */
+struct sss_sifp_attr {
+ char *name;
+ enum sss_sifp_attr_type type;
+ unsigned int num_values;
+ union {
+ bool *boolean;
+ int16_t *int16;
+ uint16_t *uint16;
+ int32_t *int32;
+ uint32_t *uint32;
+ int64_t *int64;
+ uint64_t *uint64;
+ char **str;
+ hash_table_t *str_dict;
+ } data;
+};
+
+void
+sss_sifp_set_io_error(sss_sifp_ctx *ctx,
+ DBusError *error);
+
+char *
+sss_sifp_strdup(sss_sifp_ctx *ctx,
+ const char *str);
+
+char *
+sss_sifp_strcat(sss_sifp_ctx *ctx,
+ const char *str1,
+ const char *str2);
+
+sss_sifp_error
+sss_sifp_parse_attr(sss_sifp_ctx *ctx,
+ const char *name,
+ DBusMessage *msg,
+ sss_sifp_attr ***_attrs);
+
+sss_sifp_error
+sss_sifp_parse_attr_list(sss_sifp_ctx *ctx,
+ DBusMessage *msg,
+ sss_sifp_attr ***_attrs);
+
+sss_sifp_error
+sss_sifp_parse_object_path(sss_sifp_ctx *ctx,
+ DBusMessage *msg,
+ char **_object_path);
+
+sss_sifp_error
+sss_sifp_parse_object_path_list(sss_sifp_ctx *ctx,
+ DBusMessage *msg,
+ char ***_object_paths);
+
+#endif /* SSS_SIFP_PRIVATE_H_ */
diff --git a/src/lib/sifp/sss_sifp_utils.c b/src/lib/sifp/sss_sifp_utils.c
new file mode 100644
index 0000000..36cbb83
--- /dev/null
+++ b/src/lib/sifp/sss_sifp_utils.c
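Review bot: In sss_sifp_private.h the `_free` macro parenthesizes `var` but not `ctx`, and expands `ctx` twice, so it is only safe when `ctx` is a plain identifier with no side effects. Writing the call as `(ctx)->free_fn((var), (ctx)->alloc_pvt); \` makes the expansion hygienic for both arguments. The macro also writes `NULL` back through `var`, and the parser on this page depends on that (`*_attr = attr` runs after `_free(ctx, attr)` on the failure path of `sss_sifp_parse_single_attr`); a comment such as `/* Frees var with the context allocator and resets it to NULL. */` above the macro would make that contract explicit.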
@@ -0,0 +1,90 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "lib/sifp/sss_sifp.h"
+#include "lib/sifp/sss_sifp_private.h"
+
+void *sss_sifp_alloc_zero(sss_sifp_ctx *ctx, size_t size, size_t num)
+{
+ void *addr = ctx->alloc_fn(size * num, ctx->alloc_pvt);
+
+ if (addr == NULL) {
+ return NULL;
+ }
+
+ memset(addr, '\0', size * num);
+
+ return addr;
+}
+
+void sss_sifp_set_io_error(sss_sifp_ctx *ctx, DBusError *error)
+{
+ dbus_error_free(ctx->io_error);
+ dbus_error_init(ctx->io_error);
+ dbus_set_error(ctx->io_error, error->name, "%s", error->message);
+}
+
+char * sss_sifp_strdup(sss_sifp_ctx *ctx, const char *str)
+{
+ char *result = NULL;
+ size_t str_len;
+
+ if (str == NULL) {
+ return NULL;
+ }
+
+ str_len = strlen(str);
+ result = _alloc_zero(ctx, char, str_len + 1);
+ if (result == NULL) {
+ return NULL;
+ }
+
+ memcpy(result, str, str_len);
+
+ return result;
+}
+
+char * sss_sifp_strcat(sss_sifp_ctx *ctx, const char *str1, const char *str2)
+{
+ char *result = NULL;
+
+ if (str1 == NULL) {
+ return sss_sifp_strdup(ctx, str2);
+ }
+
+ if (str2 == NULL) {
+ return sss_sifp_strdup(ctx, str1);
+ }
+
+ size_t len = strlen(str1) + strlen(str2) + 1;
+
+ result = _alloc_zero(ctx, char, len);
+ if (result == NULL) {
+ return NULL;
+ }
+
+ strcat(result, str1);
+ strcat(result, str2);
+
+ return result;
+}
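Review bot: `sss_sifp_alloc_zero` computes `size * num` with no overflow check, so a product that wraps `size_t` yields a buffer shorter than the `num` elements its callers then fill. Elsewhere on this page `num` is derived from counts read out of a D-Bus reply (`num_values + 1` in `sss_sifp_parse_attr_list`, `num_paths + 1` in `sss_sifp_parse_object_path_list`), so the value is not fixed by the library; whether a wrap is actually reachable depends on the width of `size_t` on the target. Reject the wrap before calling the allocator, `if (size != 0 && num > SIZE_MAX / size) { return NULL; }` (with `<stdint.h>`), and reuse the one checked product for both `alloc_fn` and `memset`.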
diff --git a/src/lib/sifp/sss_simpleifp.doxy.in b/src/lib/sifp/sss_simpleifp.doxy.in
new file mode 100644
index 0000000..0270ada
--- /dev/null
+++ b/src/lib/sifp/sss_simpleifp.doxy.in
@@ -0,0 +1,1539 @@ +# Doxyfile 1.6.1 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = sss_simpleifp + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = @PACKAGE_VERSION@ + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = sss_simpleifp_doc + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, +# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English +# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, +# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak, +# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = "The $name class" \ + "The $name widget" \ + "The $name file" \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. 
+ +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = YES + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. 
+ +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = YES + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# Doxygen selects the parser to use depending on the extension of the files it parses. +# With this tag you can assign which parser to use for a given extension. +# Doxygen has a built-in mapping, but you can override or extend it using this tag. +# The format is ext=language, where ext is a file extension, and language is one of +# the parsers supported by doxygen: IDL, Java, Javascript, C#, C, C++, D, PHP, +# Objective-C, Python, Fortran, VHDL, C, C++. 
For instance to make doxygen treat +# .inc files as Fortran files (default is PHP), and .f files as C (default is Fortran), +# use: inc=Fortran f=C. Note that for custom extensions you also need to set FILE_PATTERNS otherwise the files are not read by doxygen. + +EXTENSION_MAPPING = + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate getter +# and setter methods for a property. Setting this option to YES (the default) +# will make doxygen to replace the get and set methods by a property in the +# documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. 
+ +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to +# determine which symbols to keep in memory and which to flush to disk. +# When the cache is full, less often used symbols will be written to disk. +# For small to medium size projects (<1000 input files) the default value is +# probably good enough. For larger projects a too small cache size can cause +# doxygen to be busy swapping symbols to and from disk most of the time +# causing a significant performance penality. +# If the system has enough physical memory increasing the cache will improve the +# performance by keeping more symbols in memory. Note that the value works on +# a logarithmic scale so increasing the size by one will rougly double the +# memory usage. The cache size is given by this formula: +# 2^(16+SYMBOL_CACHE_SIZE). 
The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols + +SYMBOL_CACHE_SIZE = 0 + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = NO + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = NO + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = NO + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = NO + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be +# extracted and appear in the documentation as a namespace called +# 'anonymous_namespace{file}', where file will be replaced with the base +# name of the file that contains the anonymous namespace. By default +# anonymous namespace are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = YES + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = YES + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = YES + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. 
+ +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. + +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the (brief and detailed) documentation of class members so that constructors and destructors are listed first. If set to NO (the default) the constructors will appear in the respective orders defined by SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. + +SORT_MEMBERS_CTORS_1ST = NO + +# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the +# hierarchy of group names into alphabetical order. If set to NO (the default) +# the group names will appear in their defined order. + +SORT_GROUP_NAMES = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. 
+# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. 
+
+SHOW_USED_FILES = YES
+
+# If the sources in your project are distributed over multiple directories
+# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy
+# in the documentation. The default is NO.
+
+SHOW_DIRECTORIES = NO
+
+# Set the SHOW_FILES tag to NO to disable the generation of the Files page.
+# This will remove the Files entry from the Quick Index and from the
+# Folder Tree View (if specified). The default is YES.
+
+SHOW_FILES = YES
+
+# Set the SHOW_NAMESPACES tag to NO to disable the generation of the
+# Namespaces page.
+# This will remove the Namespaces entry from the Quick Index
+# and from the Folder Tree View (if specified). The default is YES.
+
+SHOW_NAMESPACES = YES
+
+# The FILE_VERSION_FILTER tag can be used to specify a program or script that
+# doxygen should invoke to get the current version for each file (typically from
+# the version control system). Doxygen will invoke the program by executing (via
+# popen()) the command , where is the value of
+# the FILE_VERSION_FILTER tag, and is the name of an input file
+# provided by doxygen. Whatever the program writes to standard output
+# is used as the file version. See the manual for examples.
+
+FILE_VERSION_FILTER =
+
+# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed by
+# doxygen. The layout file controls the global structure of the generated output files
+# in an output format independent way. The create the layout file that represents
+# doxygen's defaults, run doxygen with the -l option. You can optionally specify a
+# file name after the option, if omitted DoxygenLayout.xml will be used as the name
+# of the layout file.
+
+LAYOUT_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to warning and progress messages
+#---------------------------------------------------------------------------
+
+# The QUIET tag can be used to turn on/off the messages that are generated
+# by doxygen. Possible values are YES and NO. If left blank NO is used.
+
+QUIET = NO
+
+# The WARNINGS tag can be used to turn on/off the warning messages that are
+# generated by doxygen. Possible values are YES and NO. If left blank
+# NO is used.
+
+WARNINGS = YES
+
+# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings
+# for undocumented members. If EXTRACT_ALL is set to YES then this flag will
+# automatically be disabled.
+
+WARN_IF_UNDOCUMENTED = YES
+
+# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for
+# potential errors in the documentation, such as not documenting some
+# parameters in a documented function, or documenting parameters that
+# don't exist or using markup commands wrongly.
+
+WARN_IF_DOC_ERROR = YES
+
+# This WARN_NO_PARAMDOC option can be abled to get warnings for
+# functions that are documented, but have no documentation for their parameters
+# or return value. If set to NO (the default) doxygen will only warn about
+# wrong or incomplete parameter documentation, but not about the absence of
+# documentation.
+
+WARN_NO_PARAMDOC = NO
+
+# The WARN_FORMAT tag determines the format of the warning messages that
+# doxygen can produce. The string should contain the $file, $line, and $text
+# tags, which will be replaced by the file and line number from which the
+# warning originated and the warning text. Optionally the format may contain
+# $version, which will be replaced by the version of the file (if it could
+# be obtained via FILE_VERSION_FILTER)
+
+WARN_FORMAT = "$file:$line: $text"
+
+# The WARN_LOGFILE tag can be used to specify a file to which warning
+# and error messages should be written. If left blank the output is written
+# to stderr.
+
+WARN_LOGFILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the input files
+#---------------------------------------------------------------------------
+
+# The INPUT tag can be used to specify the files and/or directories that contain
+# documented source files. You may enter file names like "myfile.cpp" or
+# directories like "/usr/src/myproject". Separate the files or directories
+# with spaces.
+
+INPUT = @abs_top_srcdir@/src/lib/sifp/sss_sifp.h
+
+# This tag can be used to specify the character encoding of the source files
+# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is
+# also the default input encoding. Doxygen uses libiconv (or the iconv built
+# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for
+# the list of possible encodings.
+
+INPUT_ENCODING = UTF-8
+
+# If the value of the INPUT tag contains directories, you can use the
+# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank the following patterns are tested:
+# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx
+# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90
+
+FILE_PATTERNS = *.cpp \
+ *.cc \
+ *.c \
+ *.h \
+ *.hh \
+ *.hpp \
+ *.dox
+
+# The RECURSIVE tag can be used to turn specify whether or not subdirectories
+# should be searched for input files as well. Possible values are YES and NO.
+# If left blank NO is used.
+
+RECURSIVE = NO
+
+# The EXCLUDE tag can be used to specify files and/or directories that should
+# excluded from the INPUT source files. This way you can easily exclude a
+# subdirectory from a directory tree whose root is specified with the INPUT tag.
+
+EXCLUDE =
+
+# The EXCLUDE_SYMLINKS tag can be used select whether or not files or
+# directories that are symbolic links (a Unix filesystem feature) are excluded
+# from the input.
+
+EXCLUDE_SYMLINKS = NO
+
+# If the value of the INPUT tag contains directories, you can use the
+# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude
+# certain files from those directories. Note that the wildcards are matched
+# against the file with absolute path, so to exclude all test directories
+# for example use the pattern */test/*
+
+EXCLUDE_PATTERNS = */.git/* \
+ */.svn/* \
+ */cmake/* \
+ */build/*
+
+# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names
+# (namespaces, classes, functions, etc.) that should be excluded from the
+# output. The symbol name can be a fully qualified name, a word, or if the
+# wildcard * is used, a substring. Examples: ANamespace, AClass,
+# AClass::ANamespace, ANamespace::*Test
+
+EXCLUDE_SYMBOLS =
+
+# The EXAMPLE_PATH tag can be used to specify one or more files or
+# directories that contain example code fragments that are included (see
+# the \include command).
+
+EXAMPLE_PATH =
+
+# If the value of the EXAMPLE_PATH tag contains directories, you can use the
+# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp
+# and *.h) to filter out the source-files in the directories. If left
+# blank all files are included.
+
+EXAMPLE_PATTERNS =
+
+# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be
+# searched for input files to be used with the \include or \dontinclude
+# commands irrespective of the value of the RECURSIVE tag.
+# Possible values are YES and NO. If left blank NO is used.
+
+EXAMPLE_RECURSIVE = NO
+
+# The IMAGE_PATH tag can be used to specify one or more files or
+# directories that contain image that are included in the documentation (see
+# the \image command).
+
+IMAGE_PATH =
+
+# The INPUT_FILTER tag can be used to specify a program that doxygen should
+# invoke to filter for each input file. Doxygen will invoke the filter program
+# by executing (via popen()) the command , where
+# is the value of the INPUT_FILTER tag, and is the name of an
+# input file. Doxygen will then use the output that the filter program writes
+# to standard output.
+# If FILTER_PATTERNS is specified, this tag will be
+# ignored.
+
+INPUT_FILTER =
+
+# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern
+# basis.
+# Doxygen will compare the file name with each pattern and apply the
+# filter if there is a match.
+# The filters are a list of the form:
+# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further
+# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER
+# is applied to all files.
+
+FILTER_PATTERNS =
+
+# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using
+# INPUT_FILTER) will be used to filter the input files when producing source
+# files to browse (i.e. when SOURCE_BROWSER is set to YES).
+
+FILTER_SOURCE_FILES = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to source browsing
+#---------------------------------------------------------------------------
+
+# If the SOURCE_BROWSER tag is set to YES then a list of source files will
+# be generated. Documented entities will be cross-referenced with these sources.
+# Note: To get rid of all source code in the generated output, make sure also
+# VERBATIM_HEADERS is set to NO.
+
+SOURCE_BROWSER = NO
+
+# Setting the INLINE_SOURCES tag to YES will include the body
+# of functions and classes directly in the documentation.
+
+INLINE_SOURCES = NO
+
+# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct
+# doxygen to hide any special comment blocks from generated source code
+# fragments. Normal C and C++ comments will always remain visible.
+
+STRIP_CODE_COMMENTS = YES
+
+# If the REFERENCED_BY_RELATION tag is set to YES
+# then for each documented function all documented
+# functions referencing it will be listed.
+
+REFERENCED_BY_RELATION = NO
+
+# If the REFERENCES_RELATION tag is set to YES
+# then for each documented function all documented entities
+# called/used by that function will be listed.
+
+REFERENCES_RELATION = NO
+
+# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
+# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
+# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
+# link to the source code.
+# Otherwise they will link to the documentation.
+
+REFERENCES_LINK_SOURCE = YES
+
+# If the USE_HTAGS tag is set to YES then the references to source code
+# will point to the HTML generated by the htags(1) tool instead of doxygen
+# built-in source browser. The htags tool is part of GNU's global source
+# tagging system (see http://www.gnu.org/software/global/global.html). You
+# will need version 4.8.6 or higher.
+
+USE_HTAGS = NO
+
+# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen
+# will generate a verbatim copy of the header file for each class for
+# which an include is specified. Set to NO to disable this.
+
+VERBATIM_HEADERS = YES
+
+#---------------------------------------------------------------------------
+# configuration options related to the alphabetical class index
+#---------------------------------------------------------------------------
+
+# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index
+# of all compounds will be generated. Enable this if the project
+# contains a lot of classes, structs, unions or interfaces.
+
+ALPHABETICAL_INDEX = NO
+
+# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then
+# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns
+# in which this list will be split (can be a number in the range [1..20])
+
+COLS_IN_ALPHA_INDEX = 5
+
+# In case all classes in a project start with a common prefix, all
+# classes will be put under the same header in the alphabetical index.
+# The IGNORE_PREFIX tag can be used to specify one or more prefixes that
+# should be ignored while generating the index headers.
+
+IGNORE_PREFIX =
+
+#---------------------------------------------------------------------------
+# configuration options related to the HTML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_HTML tag is set to YES (the default) Doxygen will
+# generate HTML output.
+
+GENERATE_HTML = YES
+
+# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated
+# HTML page will contain the date and time when the page was generated. Setting
+# this to NO can help when comparing the output of multiple runs.
+
+HTML_TIMESTAMP = NO
+
+# The HTML_OUTPUT tag is used to specify where the HTML docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `html' will be used as the default path.
+
+HTML_OUTPUT = html
+
+# The HTML_FILE_EXTENSION tag can be used to specify the file extension for
+# each generated HTML page (for example: .htm,.php,.asp). If it is left blank
+# doxygen will generate files with .html extension.
+
+HTML_FILE_EXTENSION = .html
+
+# The HTML_HEADER tag can be used to specify a personal HTML header for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard header.
+
+HTML_HEADER =
+
+# The HTML_FOOTER tag can be used to specify a personal HTML footer for
+# each generated HTML page. If it is left blank doxygen will generate a
+# standard footer.
+
+HTML_FOOTER =
+
+# The HTML_STYLESHEET tag can be used to specify a user-defined cascading
+# style sheet that is used by each HTML page. It can be used to
+# fine-tune the look of the HTML output. If the tag is left blank doxygen
+# will generate a default style sheet. Note that doxygen will try to copy
+# the style sheet file to the HTML output directory, so don't put your own
+# stylesheet in the HTML output directory as well, or it will be erased!
+
+HTML_STYLESHEET =
+
+# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes,
+# files or namespaces will be aligned in HTML using tables. If set to
+# NO a bullet list will be used.
+
+HTML_ALIGN_MEMBERS = YES
+
+# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML
+# documentation will contain sections that can be hidden and shown after the
+# page has loaded. For this to work a browser that supports
+# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox
+# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari).
+
+HTML_DYNAMIC_SECTIONS = NO
+
+# If the GENERATE_DOCSET tag is set to YES, additional index files
+# will be generated that can be used as input for Apple's Xcode 3
+# integrated development environment, introduced with OSX 10.5 (Leopard).
+# To create a documentation set, doxygen will generate a Makefile in the
+# HTML output directory. Running make will produce the docset in that
+# directory and running "make install" will install the docset in
+# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find
+# it at startup.
+# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html for more information.
+
+GENERATE_DOCSET = NO
+
+# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the
+# feed. A documentation feed provides an umbrella under which multiple
+# documentation sets from a single provider (such as a company or product suite)
+# can be grouped.
+
+DOCSET_FEEDNAME = "Doxygen generated docs"
+
+# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that
+# should uniquely identify the documentation set bundle. This should be a
+# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen
+# will append .docset to the name.
+
+DOCSET_BUNDLE_ID = org.doxygen.Project
+
+# If the GENERATE_HTMLHELP tag is set to YES, additional index files
+# will be generated that can be used as input for tools like the
+# Microsoft HTML help workshop to generate a compiled HTML help file (.chm)
+# of the generated HTML documentation.
+
+GENERATE_HTMLHELP = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can
+# be used to specify the file name of the resulting .chm file. You
+# can add a path in front of the file if the result should not be
+# written to the html output directory.
+
+CHM_FILE =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can
+# be used to specify the location (absolute path including file name) of
+# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run
+# the HTML help compiler on the generated index.hhp.
+
+HHC_LOCATION =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag
+# controls if a separate .chi index file is generated (YES) or that
+# it should be included in the master .chm file (NO).
+
+GENERATE_CHI = NO
+
+# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING
+# is used to encode HtmlHelp index (hhk), content (hhc) and project file
+# content.
+
+CHM_INDEX_ENCODING =
+
+# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag
+# controls whether a binary table of contents is generated (YES) or a
+# normal table of contents (NO) in the .chm file.
+
+BINARY_TOC = NO
+
+# The TOC_EXPAND flag can be set to YES to add extra items for group members
+# to the contents of the HTML help documentation and to the tree view.
+
+TOC_EXPAND = NO
+
+# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and QHP_VIRTUAL_FOLDER
+# are set, an additional index file will be generated that can be used as input for
+# Qt's qhelpgenerator to generate a Qt Compressed Help (.qch) of the generated
+# HTML documentation.
+
+GENERATE_QHP = NO
+
+# If the QHG_LOCATION tag is specified, the QCH_FILE tag can
+# be used to specify the file name of the resulting .qch file.
+# The path specified is relative to the HTML output folder.
+
+QCH_FILE =
+
+# The QHP_NAMESPACE tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#namespace
+
+QHP_NAMESPACE =
+
+# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating
+# Qt Help Project output. For more information please see
+# http://doc.trolltech.com/qthelpproject.html#virtual-folders
+
+QHP_VIRTUAL_FOLDER = doc
+
+# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to add.
+# For more information please see
+# http://doc.trolltech.com/qthelpproject.html#custom-filters
+
+QHP_CUST_FILTER_NAME =
+
+# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the custom filter to add.For more information please see
+# Qt Help Project / Custom Filters.
+
+QHP_CUST_FILTER_ATTRS =
+
+# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this project's
+# filter section matches.
+# Qt Help Project / Filter Attributes.
+
+QHP_SECT_FILTER_ATTRS =
+
+# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can
+# be used to specify the location of Qt's qhelpgenerator.
+# If non-empty doxygen will try to run qhelpgenerator on the generated
+# .qhp file.
+
+QHG_LOCATION =
+
+# The DISABLE_INDEX tag can be used to turn on/off the condensed index at
+# top of each HTML page. The value NO (the default) enables the index and
+# the value YES disables it.
+
+DISABLE_INDEX = NO
+
+# This tag can be used to set the number of enum values (range [1..20])
+# that doxygen will group on one line in the generated HTML documentation.
+
+ENUM_VALUES_PER_LINE = 4
+
+# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index
+# structure should be generated to display hierarchical information.
+# If the tag value is set to YES, a side panel will be generated
+# containing a tree-like index structure (just like the one that
+# is generated for HTML Help). For this to work a browser that supports
+# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser).
+# Windows users are probably better off using the HTML help feature.
+
+GENERATE_TREEVIEW = NONE
+
+# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories,
+# and Class Hierarchy pages using a tree view instead of an ordered list.
+
+USE_INLINE_TREES = NO
+
+# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be
+# used to set the initial width (in pixels) of the frame in which the tree
+# is shown.
+
+TREEVIEW_WIDTH = 250
+
+# Use this tag to change the font size of Latex formulas included
+# as images in the HTML documentation. The default is 10. Note that
+# when you change the font size after a successful doxygen run you need
+# to manually remove any form_*.png images from the HTML output directory
+# to force them to be regenerated.
+
+FORMULA_FONTSIZE = 10
+
+# When the SEARCHENGINE tag is enable doxygen will generate a search box for the HTML output. The underlying search engine uses javascript
+# and DHTML and should work on any modern browser. Note that when using HTML help (GENERATE_HTMLHELP) or Qt help (GENERATE_QHP)
+# there is already a search function so this one should typically
+# be disabled.
+
+SEARCHENGINE = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the LaTeX output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will
+# generate Latex output.
+
+GENERATE_LATEX = NO
+
+# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `latex' will be used as the default path.
+
+LATEX_OUTPUT = latex
+
+# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be
+# invoked. If left blank `latex' will be used as the default command name.
+
+LATEX_CMD_NAME = latex
+
+# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to
+# generate index for LaTeX. If left blank `makeindex' will be used as the
+# default command name.
+
+MAKEINDEX_CMD_NAME = makeindex
+
+# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact
+# LaTeX documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_LATEX = NO
+
+# The PAPER_TYPE tag can be used to set the paper type that is used
+# by the printer. Possible values are: a4, a4wide, letter, legal and
+# executive. If left blank a4wide will be used.
+
+PAPER_TYPE = a4wide
+
+# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX
+# packages that should be included in the LaTeX output.
+
+EXTRA_PACKAGES =
+
+# The LATEX_HEADER tag can be used to specify a personal LaTeX header for
+# the generated latex document. The header should contain everything until
+# the first chapter. If it is left blank doxygen will generate a
+# standard header. Notice: only use this tag if you know what you are doing!
+
+LATEX_HEADER =
+
+# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated
+# is prepared for conversion to pdf (using ps2pdf). The pdf file will
+# contain links (just like the HTML output) instead of page references
+# This makes the output suitable for online browsing using a pdf viewer.
+
+PDF_HYPERLINKS = YES
+
+# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of
+# plain latex in the generated Makefile. Set this option to YES to get a
+# higher quality PDF documentation.
+
+USE_PDFLATEX = YES
+
+# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode.
+# command to the generated LaTeX files. This will instruct LaTeX to keep
+# running if errors occur, instead of asking the user for help.
+# This option is also used when generating formulas in HTML.
+
+LATEX_BATCHMODE = NO
+
+# If LATEX_HIDE_INDICES is set to YES then doxygen will not
+# include the index chapters (such as File Index, Compound Index, etc.)
+# in the output.
+
+LATEX_HIDE_INDICES = NO
+
+# If LATEX_SOURCE_CODE is set to YES then doxygen will include source code with syntax highlighting in the LaTeX output. Note that which sources are shown also depends on other settings such as SOURCE_BROWSER.
+
+LATEX_SOURCE_CODE = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the RTF output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output
+# The RTF output is optimized for Word 97 and may not look very pretty with
+# other RTF readers or editors.
+
+GENERATE_RTF = NO
+
+# The RTF_OUTPUT tag is used to specify where the RTF docs will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `rtf' will be used as the default path.
+
+RTF_OUTPUT = rtf
+
+# If the COMPACT_RTF tag is set to YES Doxygen generates more compact
+# RTF documents. This may be useful for small projects and may help to
+# save some trees in general.
+
+COMPACT_RTF = NO
+
+# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated
+# will contain hyperlink fields. The RTF file will
+# contain links (just like the HTML output) instead of page references.
+# This makes the output suitable for online browsing using WORD or other
+# programs which support those fields.
+# Note: wordpad (write) and others do not support links.
+
+RTF_HYPERLINKS = NO
+
+# Load stylesheet definitions from file. Syntax is similar to doxygen's
+# config file, i.e. a series of assignments. You only have to provide
+# replacements, missing definitions are set to their default value.
+
+RTF_STYLESHEET_FILE =
+
+# Set optional variables used in the generation of an rtf document.
+# Syntax is similar to doxygen's config file.
+
+RTF_EXTENSIONS_FILE =
+
+#---------------------------------------------------------------------------
+# configuration options related to the man page output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_MAN tag is set to YES (the default) Doxygen will
+# generate man pages
+
+GENERATE_MAN = NO
+
+# The MAN_OUTPUT tag is used to specify where the man pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `man' will be used as the default path.
+
+MAN_OUTPUT = man
+
+# The MAN_EXTENSION tag determines the extension that is added to
+# the generated man pages (default is the subroutine's section .3)
+
+MAN_EXTENSION = .3
+
+# If the MAN_LINKS tag is set to YES and Doxygen generates man output,
+# then it will generate one additional man file for each entity
+# documented in the real man page(s). These additional files
+# only source the real man page, but without them the man command
+# would be unable to find the correct page. The default is NO.
+
+MAN_LINKS = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the XML output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_XML tag is set to YES Doxygen will
+# generate an XML file that captures the structure of
+# the code including all documentation.
+
+GENERATE_XML = NO
+
+# The XML_OUTPUT tag is used to specify where the XML pages will be put.
+# If a relative path is entered the value of OUTPUT_DIRECTORY will be
+# put in front of it. If left blank `xml' will be used as the default path.
+
+XML_OUTPUT = xml
+
+# The XML_SCHEMA tag can be used to specify an XML schema,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_SCHEMA =
+
+# The XML_DTD tag can be used to specify an XML DTD,
+# which can be used by a validating XML parser to check the
+# syntax of the XML files.
+
+XML_DTD =
+
+# If the XML_PROGRAMLISTING tag is set to YES Doxygen will
+# dump the program listings (including syntax highlighting
+# and cross-referencing information) to the XML output. Note that
+# enabling this will significantly increase the size of the XML output.
+
+XML_PROGRAMLISTING = YES
+
+#---------------------------------------------------------------------------
+# configuration options for the AutoGen Definitions output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will
+# generate an AutoGen Definitions (see autogen.sf.net) file
+# that captures the structure of the code including all
+# documentation. Note that this feature is still experimental
+# and incomplete at the moment.
+
+GENERATE_AUTOGEN_DEF = NO
+
+#---------------------------------------------------------------------------
+# configuration options related to the Perl module output
+#---------------------------------------------------------------------------
+
+# If the GENERATE_PERLMOD tag is set to YES Doxygen will
+# generate a Perl module file that captures the structure of
+# the code including all documentation. Note that this
+# feature is still experimental and incomplete at the
+# moment.
+
+GENERATE_PERLMOD = NO
+
+# If the PERLMOD_LATEX tag is set to YES Doxygen will generate
+# the necessary Makefile rules, Perl scripts and LaTeX code to be able
+# to generate PDF and DVI output from the Perl module output.
+
+PERLMOD_LATEX = NO
+
+# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be
+# nicely formatted so it can be parsed by a human reader.
+# This is useful
+# if you want to understand what is going on.
+# On the other hand, if this
+# tag is set to NO the size of the Perl module output will be much smaller
+# and Perl will parse it just the same.
+
+PERLMOD_PRETTY = YES
+
+# The names of the make variables in the generated doxyrules.make file
+# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX.
+# This is useful so different doxyrules.make files included by the same
+# Makefile don't overwrite each other's variables.
+
+PERLMOD_MAKEVAR_PREFIX =
+
+#---------------------------------------------------------------------------
+# Configuration options related to the preprocessor
+#---------------------------------------------------------------------------
+
+# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will
+# evaluate all C-preprocessor directives found in the sources and include
+# files.
+
+ENABLE_PREPROCESSING = YES
+
+# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro
+# names in the source code. If set to NO (the default) only conditional
+# compilation will be performed. Macro expansion can be done in a controlled
+# way by setting EXPAND_ONLY_PREDEF to YES.
+
+MACRO_EXPANSION = NO
+
+# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES
+# then the macro expansion is limited to the macros specified with the
+# PREDEFINED and EXPAND_AS_DEFINED tags.
+
+EXPAND_ONLY_PREDEF = NO
+
+# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files
+# in the INCLUDE_PATH (see below) will be search if a #include is found.
+
+SEARCH_INCLUDES = YES
+
+# The INCLUDE_PATH tag can be used to specify one or more directories that
+# contain include files that are not input files but should be processed by
+# the preprocessor.
+
+INCLUDE_PATH =
+
+# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard
+# patterns (like *.h and *.hpp) to filter out the header-files in the
+# directories. If left blank, the patterns specified with FILE_PATTERNS will
+# be used.
+
+INCLUDE_FILE_PATTERNS =
+
+# The PREDEFINED tag can be used to specify one or more macro names that
+# are defined before the preprocessor is started (similar to the -D option of
+# gcc). The argument of the tag is a list of macros of the form: name
+# or name=definition (no spaces). If the definition and the = are
+# omitted =1 is assumed. To prevent a macro definition from being
+# undefined via #undef or recursively expanded use the := operator
+# instead of the = operator.
+
+PREDEFINED = DOXYGEN
+
+# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
+# this tag can be used to specify a list of macro names that should be expanded.
+# The macro definition that is found in the sources will be used.
+# Use the PREDEFINED tag if you want to use a different macro definition.
+
+EXPAND_AS_DEFINED =
+
+# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then
+# doxygen's preprocessor will remove all function-like macros that are alone
+# on a line, have an all uppercase name, and do not end with a semicolon. Such
+# function macros are typically used for boiler-plate code, and will confuse
+# the parser if not removed.
+
+SKIP_FUNCTION_MACROS = YES
+
+#---------------------------------------------------------------------------
+# Configuration::additions related to external references
+#---------------------------------------------------------------------------
+
+# The TAGFILES option can be used to specify one or more tagfiles.
+# Optionally an initial location of the external documentation
+# can be added for each tagfile. The format of a tag file without
+# this location is as follows:
+#
+# TAGFILES = file1 file2 ...
+# Adding location for the tag files is done as follows:
+#
+# TAGFILES = file1=loc1 "file2 = loc2" ...
+# where "loc1" and "loc2" can be relative or absolute paths or
+# URLs. If a location is present for each tag, the installdox tool
+# does not have to be run to correct the links.
+# Note that each tag file must have a unique name
+# (where the name does NOT include the path)
+# If a tag file is not located in the directory in which doxygen
+# is run, you must also specify the path to the tagfile here.
+
+TAGFILES =
+
+# When a file name is specified after GENERATE_TAGFILE, doxygen will create
+# a tag file that is based on the input files it reads.
+
+GENERATE_TAGFILE =
+
+# If the ALLEXTERNALS tag is set to YES all external classes will be listed
+# in the class index. If set to NO only the inherited external classes
+# will be listed.
+
+ALLEXTERNALS = NO
+
+# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed
+# in the modules index. If set to NO, only the current project's groups will
+# be listed.
+
+EXTERNAL_GROUPS = YES
+
+# The PERL_PATH should be the absolute path and name of the perl script
+# interpreter (i.e. the result of `which perl').
+ +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# By default doxygen will write a font called FreeSans.ttf to the output +# directory and reference it in all dot files that doxygen generates. This +# font does not include all possible unicode characters however, so when you need +# these (or just want a differently looking font) you can specify the font name +# using DOT_FONTNAME. 
You need need to make sure dot is able to find the font, +# which can be done by putting it in a standard location or by setting the +# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory +# containing the font. + +DOT_FONTNAME = FreeSans + +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + +# By default doxygen will tell dot to use the output directory to look for the +# FreeSans.ttf font (which doxygen will put there itself). If you specify a +# different font using DOT_FONTNAME you can set the path where dot +# can find it using this tag. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. 
+ +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. 
Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). 
+ +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES diff --git a/src/lib/sifp/sss_simpleifp.exports b/src/lib/sifp/sss_simpleifp.exports new file mode 100644 index 0000000..f491092 --- /dev/null +++ b/src/lib/sifp/sss_simpleifp.exports 
@@ -0,0 +1,56 @@
+SSS_SIMPLEIFP_0.0 {
+
+ # public functions
+ global:
+
+ sss_sifp_init;
+ sss_sifp_init_ex;
+ sss_sifp_get_last_io_error_name;
+ sss_sifp_get_last_io_error_message;
+ sss_sifp_create_message;
+ sss_sifp_send_message;
+ sss_sifp_send_message_ex;
+ sss_sifp_fetch_attr;
+ sss_sifp_fetch_all_attrs;
+ sss_sifp_fetch_object;
+ sss_sifp_invoke_list;
+ sss_sifp_invoke_find;
+ sss_sifp_find_attr_as_bool;
+ sss_sifp_find_attr_as_int16;
+ sss_sifp_find_attr_as_uint16;
+ sss_sifp_find_attr_as_int32;
+ sss_sifp_find_attr_as_uint32;
+ sss_sifp_find_attr_as_int64;
+ sss_sifp_find_attr_as_uint64;
+ sss_sifp_find_attr_as_string;
+ sss_sifp_find_attr_as_string_dict;
+ sss_sifp_find_attr_as_bool_array;
+ sss_sifp_find_attr_as_int16_array;
+ sss_sifp_find_attr_as_uint16_array;
+ sss_sifp_find_attr_as_int32_array;
+ sss_sifp_find_attr_as_uint32_array;
+ sss_sifp_find_attr_as_int64_array;
+ sss_sifp_find_attr_as_uint64_array;
+ sss_sifp_find_attr_as_string_array;
+ sss_sifp_free;
+ sss_sifp_free_attrs;
+ sss_sifp_free_object;
+ sss_sifp_free_string;
+ sss_sifp_free_string_array;
+ sss_sifp_list_domains;
+ sss_sifp_fetch_domain_by_name;
+ sss_sifp_fetch_user_by_uid;
+ sss_sifp_fetch_user_by_name;
+
+ # everything else is local
+ local:
+ *;
+};
+
+SSS_SIMPLEIFP_0.1 {
+ # public functions
+ global:
+ sss_sifp_strerr;
+ sss_sifp_invoke_list_ex;
+ sss_sifp_invoke_find_ex;
+} SSS_SIMPLEIFP_0.0;
diff --git a/src/lib/sifp/sss_simpleifp.pc.in b/src/lib/sifp/sss_simpleifp.pc.in
new file mode 100644
index 0000000..2d5005d
--- /dev/null
+++ b/src/lib/sifp/sss_simpleifp.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: sss_simpleifp
+Description: A library that simplifies work with the InfoPipe responder
+Version: @VERSION@
+Requires: dbus-1, dhash
+Libs: -L@libdir@ -lsss_simpleifp
+Cflags: -I${includedir}
+URL: https://pagure.io/SSSD/sssd/
diff --git a/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c b/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c
new file mode 100644
index 0000000..94e8719
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/libdlopen-test-winbind-idmap.c
@@ -0,0 +1,31 @@
+/*
+ SSSD
+
+ ID-mapping plugin for winbind - helper library for dlopen test
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "lib/winbind_idmap_sss/winbind_idmap_sss.h"
+
+NTSTATUS smb_register_idmap(int version, const char *name,
+ struct idmap_methods *methods)
+{
+ return NT_STATUS_OK;
+}
diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.c b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
new file mode 100644
index 0000000..0d91094
--- /dev/null
+++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.c
@@ -0,0 +1,216 @@ +/* + SSSD + + ID-mapping plugin for winbind + + Authors: + Sumit Bose + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "lib/winbind_idmap_sss/winbind_idmap_sss.h" +#include "sss_client/idmap/sss_nss_idmap.h" +#include "lib/idmap/sss_idmap.h" +#include "util/util_sss_idmap.h" + +struct idmap_sss_ctx { + struct sss_idmap_ctx *idmap_ctx; +}; + +static NTSTATUS idmap_sss_initialize(struct idmap_domain *dom) +{ + struct idmap_sss_ctx *ctx; + enum idmap_error_code err; + + if (dom == NULL) { + return ERROR_INVALID_PARAMETER; + } + + ctx = talloc_zero(dom, struct idmap_sss_ctx); + if (ctx == NULL) { + return NT_STATUS_NO_MEMORY; + } + + err = sss_idmap_init(sss_idmap_talloc, ctx, sss_idmap_talloc_free, + &ctx->idmap_ctx); + if (err != IDMAP_SUCCESS) { + talloc_free(ctx); + return NT_STATUS_NO_MEMORY; + } + + dom->private_data = ctx; + + return NT_STATUS_OK; +} + +static NTSTATUS idmap_sss_unixids_to_sids(struct idmap_domain *dom, + struct id_map **map) +{ + size_t c; + int ret; + char *sid_str; + enum sss_id_type id_type; + struct dom_sid *sid; + enum idmap_error_code err; + struct idmap_sss_ctx *ctx; + + if (dom == NULL) { + return ERROR_INVALID_PARAMETER; + } + + ctx = talloc_get_type(dom->private_data, struct idmap_sss_ctx); + if (ctx == NULL) { + return ERROR_INVALID_PARAMETER; + } + + for (c = 0; map[c]; c++) { + map[c]->status = 
ID_UNKNOWN; + } + + for (c = 0; map[c]; c++) { + switch (map[c]->xid.type) { + case ID_TYPE_UID: + ret = sss_nss_getsidbyuid(map[c]->xid.id, &sid_str, &id_type); + break; + case ID_TYPE_GID: + ret = sss_nss_getsidbygid(map[c]->xid.id, &sid_str, &id_type); + break; + default: + ret = sss_nss_getsidbyid(map[c]->xid.id, &sid_str, &id_type); + } + if (ret != 0) { + if (ret == ENOENT) { + map[c]->status = ID_UNMAPPED; + } + continue; + } + + switch (id_type) { + case SSS_ID_TYPE_UID: + map[c]->xid.type = ID_TYPE_UID; + break; + case SSS_ID_TYPE_GID: + map[c]->xid.type = ID_TYPE_GID; + break; + case SSS_ID_TYPE_BOTH: + map[c]->xid.type = ID_TYPE_BOTH; + break; + default: + free(sid_str); + continue; + } + + err = sss_idmap_sid_to_smb_sid(ctx->idmap_ctx, sid_str, &sid); + free(sid_str); + if (err != IDMAP_SUCCESS) { + continue; + } + + memcpy(map[c]->sid, sid, sizeof(struct dom_sid)); + sss_idmap_free_smb_sid(ctx->idmap_ctx, sid); + + map[c]->status = ID_MAPPED; + } + + return NT_STATUS_OK; +} + +static NTSTATUS idmap_sss_sids_to_unixids(struct idmap_domain *dom, + struct id_map **map) +{ + size_t c; + int ret; + char *sid_str; + enum sss_id_type id_type; + enum idmap_error_code err; + struct idmap_sss_ctx *ctx; + uint32_t id; + + if (dom == NULL) { + return ERROR_INVALID_PARAMETER; + } + + ctx = talloc_get_type(dom->private_data, struct idmap_sss_ctx); + if (ctx == NULL) { + return ERROR_INVALID_PARAMETER; + } + + for (c = 0; map[c]; c++) { + map[c]->status = ID_UNKNOWN; + } + + for (c = 0; map[c]; c++) { + err = sss_idmap_smb_sid_to_sid(ctx->idmap_ctx, map[c]->sid, &sid_str); + if (err != IDMAP_SUCCESS) { + continue; + } + + ret = sss_nss_getidbysid(sid_str, &id, &id_type); + sss_idmap_free_sid(ctx->idmap_ctx, sid_str); + if (ret != 0) { + if (ret == ENOENT) { + map[c]->status = ID_UNMAPPED; + } + continue; + } + + switch (id_type) { + case SSS_ID_TYPE_UID: + map[c]->xid.type = ID_TYPE_UID; + break; + case SSS_ID_TYPE_GID: + map[c]->xid.type = ID_TYPE_GID; + break; + 
case SSS_ID_TYPE_BOTH: + map[c]->xid.type = ID_TYPE_BOTH; + break; + default: + continue; + } + + map[c]->xid.id = id; + + map[c]->status = ID_MAPPED; + } + + return NT_STATUS_OK; +} + +static struct idmap_methods sss_methods = { + .init = idmap_sss_initialize, + .unixids_to_sids = idmap_sss_unixids_to_sids, + .sids_to_unixids = idmap_sss_sids_to_unixids, +}; + +#if SMB_IDMAP_INTERFACE_VERSION == 5 +NTSTATUS idmap_sss_init(void) +#elif SMB_IDMAP_INTERFACE_VERSION == 6 +NTSTATUS idmap_sss_init(TALLOC_CTX *ctx) +#else +#error Unexpected Samba idmpa inferface version +#endif +{ + return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods); +} + +NTSTATUS samba_init_module(void) +{ + return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "sss", &sss_methods); +} diff --git a/src/lib/winbind_idmap_sss/winbind_idmap_sss.h b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h new file mode 100644 index 0000000..868049f --- /dev/null +++ b/src/lib/winbind_idmap_sss/winbind_idmap_sss.h 
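Review bot: Neither mapping function compares the Unix ID it accepts with the domain's configured range. `idmap_sss_sids_to_unixids` stores whatever `sss_nss_getidbysid` returns in `map[c]->xid.id` and marks it `ID_MAPPED`, and `idmap_sss_unixids_to_sids` resolves any ID it is handed, although `struct idmap_domain` carries `low_id` and `high_id`. If winbind does not enforce the range on backend results itself (not visible on this page), an ID outside the administrator's idmap range would reach Samba as a valid identity. Consider a guard before `map[c]->xid.id = id;`, for example `if (id < dom->low_id || id > dom->high_id) { map[c]->status = ID_UNMAPPED; continue; }`, with a comment stating how an unset range (both zero) is to be treated.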
@@ -0,0 +1,102 @@ +/* + SSSD + + ID-mapping plugin for winbind + + Authors: + Sumit Bose + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _WINBIND_SSS_IDMAP_H_ +#define _WINBIND_SSS_IDMAP_H_ + +#include +#include + +#include +#include +#include + +#include "config.h" + +/* The following definitions are taken from the Samba header files + * - winbindd/idmap_proto.h + * - idmap.d + * - gen_ndr/idmap.h + * and can be removed if the related Samba header files become public headers + * or if this plugin is build inside the Samba source tree. */ + +enum id_type { + ID_TYPE_NOT_SPECIFIED, + ID_TYPE_UID, + ID_TYPE_GID, + ID_TYPE_BOTH +}; + +struct unixid { + uint32_t id; + enum id_type type; +}; + +enum id_mapping { + ID_UNKNOWN, + ID_MAPPED, + ID_UNMAPPED, + ID_EXPIRED +}; + +struct id_map { + struct dom_sid *sid; + struct unixid xid; + enum id_mapping status; +}; + +#ifndef SMB_IDMAP_INTERFACE_VERSION +#error Missing Samba idmap interface version +#endif + +struct idmap_domain { + const char *name; + struct idmap_methods *methods; + uint32_t low_id; + uint32_t high_id; + bool read_only; + void *private_data; +}; + +/* Filled out by IDMAP backends */ +struct idmap_methods { + + /* Called when backend is first loaded */ + NTSTATUS (*init)(struct idmap_domain *dom); + + /* Map an array of uids/gids to SIDs. The caller specifies + the uid/gid and type. Gets back the SID. 
*/ + NTSTATUS (*unixids_to_sids)(struct idmap_domain *dom, struct id_map **ids); + + /* Map an arry of SIDs to uids/gids. The caller sets the SID + and type and gets back a uid or gid. */ + NTSTATUS (*sids_to_unixids)(struct idmap_domain *dom, struct id_map **ids); + + /* Allocate a Unix-ID. */ + NTSTATUS (*allocate_id)(struct idmap_domain *dom, struct unixid *id); +}; + +NTSTATUS smb_register_idmap(int version, const char *name, + struct idmap_methods *methods); +#endif /* _WINBIND_SSS_IDMAP_H_ */ diff --git a/src/m4/.dir b/src/m4/.dir new file mode 100644 index 0000000..e69de29 diff --git a/src/man/Makefile.am b/src/man/Makefile.am new file mode 100644 index 0000000..06e5253 --- /dev/null +++ b/src/man/Makefile.am 
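Review bot: The definitions copied from Samba (`struct idmap_domain`, `struct idmap_methods`, `struct id_map`) are guarded only by `#ifndef SMB_IDMAP_INTERFACE_VERSION` / `#error`, which shows the macro exists but not that these layouts match the winbind that will load the plugin. If Samba's private definitions differ for the version built against, `dom->private_data` and the method table would be read at the wrong offsets inside winbindd. I would record next to the copied block where the layouts came from, e.g. `/* Layouts copied from Samba <version>; valid for SMB_IDMAP_INTERFACE_VERSION 5 and 6 only */`, and repeat the 5-or-6 version check from winbind_idmap_sss.c here so an unknown version fails in the header. The include guard `_WINBIND_SSS_IDMAP_H_` also starts with an underscore plus a capital letter, which is a reserved identifier; `WINBIND_SSS_IDMAP_H` avoids that.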
@@ -0,0 +1,260 @@ +# The following variable is dependent on placement of this file +top_builddir = ../.. + +############ +# MANPAGES # +############ + + +# If no conditions are given, *all* conditionals are expanded. We don't want +# to include any conditions by default, so we need to pass a phony conditional +if BUILD_SUDO +# conditionals are delimeted with a semicolon +SUDO_CONDS = ;with_sudo +endif +if BUILD_AUTOFS +AUTOFS_CONDS = ;with_autofs +endif +if BUILD_SSH +SSH_CONDS = ;with_ssh +endif +if BUILD_PAC_RESPONDER +PAC_RESPONDER_CONDS = ;with_pac_responder +endif +if BUILD_IFP +IFP_CONDS = ;with_ifp +endif +if BUILD_SECRETS +SEC_CONDS = ;with_secrets +endif +if BUILD_SECRETS +KCM_CONDS = ;with_kcm +endif +if BUILD_SYSTEMTAP +STAP_CONDS = ;with_stap +endif +if GPO_DEFAULT_ENFORCING +GPO_CONDS = ;gpo_default_enforcing +else +GPO_CONDS = ;gpo_default_permissive +endif +if HAVE_SYSTEMD_UNIT +SYSTEMD_CONDS = ;have_systemd +endif +if ADD_FILES_DOMAIN +FILES_CONDS = ;enable_files_domain +else +FILES_CONDS = ;no_enable_files_domain +endif +if HAVE_NSS +CRYPTO_CONDS = ;with_nss +else +CRYPTO_CONDS = ;with_openssl +endif +CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS) + + +#Special Rules: +export SGML_CATALOG_FILES +DOCBOOK_XSLT = @DOCBOOK_XSLT@ +DOCBOOK_XSLT ?= http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl +XMLLINT_FLAGS = --catalogs --postvalid --nonet --noent --xinclude --noout +XSLTPROC_FLAGS = --catalogs --xinclude --nonet + +if HAVE_PROFILE_CATALOGS +XSLTPROC_FLAGS += --stringparam profile.condition "$(CONDS)" +endif + +EXTRA_DIST = $(wildcard $(srcdir)/*.xml) $(wildcard $(srcdir)/include/*.xml) +man_MANS = \ + sss_useradd.8 sss_userdel.8 sss_usermod.8 \ + sss_groupadd.8 sss_groupdel.8 sss_groupmod.8 \ + sssd.8 sssd.conf.5 sssd-ldap.5 \ + sssd-krb5.5 sssd-simple.5 sss-certmap.5 \ + 
sssd_krb5_locator_plugin.8 sss_groupshow.8 \ + pam_sss.8 sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \ + sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \ + $(NULL) + +if BUILD_SAMBA +man_MANS += sssd-ipa.5 sssd-ad.5 +endif + +if BUILD_SSH +man_MANS += sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1 +endif + +if BUILD_SUDO +man_MANS += sssd-sudo.5 +endif + +if BUILD_IFP +man_MANS += sssd-ifp.5 +endif + +if BUILD_SECRETS +man_MANS += sssd-secrets.5 +endif + +if BUILD_KCM +man_MANS += sssd-kcm.8 +endif + +if BUILD_SYSTEMTAP +man_MANS += sssd-systemtap.5 +endif + +if BUILD_NFS_IDMAP +man_MANS += sss_rpcidmapd.5 +endif + +if HAVE_INOTIFY +man_MANS += sssd-files.5 +endif + +SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 +.1.xml.1: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +.3.xml.3: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +.5.xml.5: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +.8.xml.8: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +######################## +# MANPAGE TRANSLATIONS # +######################## + +PO4A=@PO4A@ +SED=@SED@ + +PACKAGE_DOC=sssd-docs + +POTFILE = po/$(PACKAGE_DOC).pot +PO4A_CONFIG = po/po4a.cfg + +# Extract the list of languages from the po4a config file. +LINGUAS_DIST = `$(SED) -ne 's/^.*\[po4a_langs\] \(.*\)$$/\1/p' $(srcdir)/$(PO4A_CONFIG)` + +# If the user has not defined it let's use the default. 
+LINGUAS ?= $(LINGUAS_DIST) + +PO4A_COMMON_OPTS = --option doctype=docbook \ + --package-name $(PACKAGE_DOC) \ + --variable builddir=$(CURDIR) \ + --package-version $(PACKAGE_VERSION) \ + --msgid-bugs-address sssd-devel@redhat.com \ + --copyright-holder "Red Hat" + +PO4A_BUILD_OPTS = $(PO4A_COMMON_OPTS) --no-backups + +EXTRA_DIST += \ + $(POTFILE)\ + $(PO4A_CONFIG) + +XML_DOC = $(wildcard $(srcdir)/*.xml) $(wildcard $(srcdir)/include/*.xml) + +if HAVE_PO4A +CFG_PAGES = $(addprefix $(srcdir)/, $(shell grep '\[type:docbook\]' $(PO4A_CONFIG) | awk '{print $$2}' | tr '\n' ' ')) +NONTRANSLATED_PAGES = $(filter-out $(CFG_PAGES), $(XML_DOC)) + + +# FIXME: Use a stamp file until po4a supports them internally. +man.stamp: $(XML_DOC) $(POTFILE) $(PO4A_CONFIG) + cd $(srcdir) && \ + $(PO4A) $(PO4A_BUILD_OPTS) $(PO4A_CONFIG) + touch $@ + +update-po: + @if test x"$(NONTRANSLATED_PAGES)" != "x"; then \ + echo "The following pages are not translated" $(NONTRANSLATED_PAGES); \ + exit 1; \ + fi + cd $(srcdir) && \ + $(PO4A) $(PO4A_BUILD_OPTS) --force $(PO4A_CONFIG) + +dist-hook: man.stamp + if [ -f man.stamp ]; then \ + cp man.stamp $(distdir); \ + for lang in $(LINGUAS_DIST); do \ + cp $(srcdir)/po/$$lang.po $(distdir)/po; \ + $(mkdir_p) $(distdir)/$$lang; \ + cp -r $(builddir)/$$lang $(distdir)/; \ + done; \ + else \ + cp $(srcdir)/man.stamp $(distdir); \ + for lang in $(LINGUAS_DIST); do \ + cp $(srcdir)/po/$$lang.po $(distdir)/po; \ + $(mkdir_p) $(distdir)/$$lang; \ + cp -r $(srcdir)/$$lang $(distdir)/; \ + done; \ + fi + + +clean-local: + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + rm -rf $$lang; \ + fi \ + done + rm -f $(man_MANS) + rm -f man.stamp + +else + +man.stamp: $(XML_DOC) + touch $@ + +clean-local: + rm -f $(man_MANS) + rm -f man.stamp + +endif + +# Generate translated manual pages +all-local: all-local-@USE_NLS@ +all-local-no: +all-local-yes: man.stamp + if [ -z $$recursion ]; then \ + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + 
sources=$$(ls -1 $$lang/*.xml); \ + manpages=$$(echo $$sources | $(SED) 's/\.xml//g'); \ + $(MAKE) recursion=1 man_MANS="$$manpages"; \ + fi \ + done \ + fi + +install-data-local: install-data-local-@USE_NLS@ +install-data-local-no: +install-data-local-yes: + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + sources=$$(ls -1 $$lang/*.xml); \ + manpages=$$(echo $$sources | $(SED) 's/\.xml//g'); \ + $(MAKE) install-man \ + mandir="$(mandir)/$$lang" \ + man_MANS="$$manpages"; \ + fi \ + done + +uninstall-local: uninstall-local-@USE_NLS@ +uninstall-local-no: +uninstall-local-yes: + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + sources=$$(ls -1 $$lang/*.xml); \ + manpages=$$(echo $$sources | $(SED) 's/\.xml//g'); \ + $(MAKE) uninstall-man \ + mandir="$(mandir)/$$lang" \ + man_MANS="$$manpages"; \ + fi \ + done diff --git a/src/man/Makefile.in b/src/man/Makefile.in new file mode 100644 index 0000000..fa0de6a --- /dev/null +++ b/src/man/Makefile.in 
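Review bot: `KCM_CONDS = ;with_kcm` is set under `if BUILD_SECRETS`, the same conditional as `SEC_CONDS` just above it, while the man page list further down adds `sssd-kcm.8` under `if BUILD_KCM`. With secrets enabled and KCM disabled, or the reverse, the `with_kcm` profile condition passed to xsltproc no longer matches what is built, so the rendered man pages could describe a KCM responder that is absent or omit one that is present. The conditional should read `if BUILD_KCM`. Separately, `if [ -z $$recursion ]` in `all-local-yes` is unquoted; `[ -z "$$recursion" ]` is the safer form.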
@@ -0,0 +1,1053 @@ +# Makefile.in generated by automake 1.15.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2017 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_PROFILE_CATALOGS_TRUE@am__append_1 = --stringparam profile.condition "$(CONDS)" +@BUILD_SAMBA_TRUE@am__append_2 = sssd-ipa.5 sssd-ad.5 +@BUILD_SSH_TRUE@am__append_3 = sss_ssh_authorizedkeys.1 sss_ssh_knownhostsproxy.1 +@BUILD_SUDO_TRUE@am__append_4 = sssd-sudo.5 +@BUILD_IFP_TRUE@am__append_5 = sssd-ifp.5 +@BUILD_SECRETS_TRUE@am__append_6 = sssd-secrets.5 +@BUILD_KCM_TRUE@am__append_7 = sssd-kcm.8 +@BUILD_SYSTEMTAP_TRUE@am__append_8 = sssd-systemtap.5 +@BUILD_NFS_IDMAP_TRUE@am__append_9 = sss_rpcidmapd.5 +@HAVE_INOTIFY_TRUE@am__append_10 = sssd-files.5 +subdir = src/man +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/version.m4 $(top_srcdir)/src/build_macros.m4 \ + $(top_srcdir)/src/external/platform.m4 \ + $(top_srcdir)/src/conf_macros.m4 \ + $(top_srcdir)/src/external/pkg.m4 \ + $(top_srcdir)/src/external/libpopt.m4 \ + 
$(top_srcdir)/src/external/libtalloc.m4 \ + $(top_srcdir)/src/external/libtdb.m4 \ + $(top_srcdir)/src/external/libtevent.m4 \ + $(top_srcdir)/src/external/libldb.m4 \ + $(top_srcdir)/src/external/libdhash.m4 \ + $(top_srcdir)/src/external/libcollection.m4 \ + $(top_srcdir)/src/external/libini_config.m4 \ + $(top_srcdir)/src/external/pam.m4 \ + $(top_srcdir)/src/external/ldap.m4 \ + $(top_srcdir)/src/external/libpcre.m4 \ + $(top_srcdir)/src/external/krb5.m4 \ + $(top_srcdir)/src/external/libcares.m4 \ + $(top_srcdir)/src/external/libcmocka.m4 \ + $(top_srcdir)/src/external/docbook.m4 \ + $(top_srcdir)/src/external/sizes.m4 \ + $(top_srcdir)/src/external/python.m4 \ + $(top_srcdir)/src/external/selinux.m4 \ + $(top_srcdir)/src/external/crypto.m4 \ + $(top_srcdir)/src/external/nscd.m4 \ + $(top_srcdir)/src/external/nsupdate.m4 \ + $(top_srcdir)/src/external/libkeyutils.m4 \ + $(top_srcdir)/src/external/libnl.m4 \ + $(top_srcdir)/src/external/systemd.m4 \ + $(top_srcdir)/src/external/pac_responder.m4 \ + $(top_srcdir)/src/external/cifsidmap.m4 \ + $(top_srcdir)/src/external/signal.m4 \ + $(top_srcdir)/src/external/inotify.m4 \ + $(top_srcdir)/src/external/samba.m4 \ + $(top_srcdir)/src/external/sasl.m4 \ + $(top_srcdir)/src/external/libnfsidmap.m4 \ + $(top_srcdir)/src/external/cwrap.m4 \ + $(top_srcdir)/src/external/libresolv.m4 \ + $(top_srcdir)/src/external/intgcheck.m4 \ + $(top_srcdir)/src/external/systemtap.m4 \ + $(top_srcdir)/src/external/service.m4 \ + $(top_srcdir)/src/external/test_ca.m4 \ + $(top_srcdir)/src/external/libhttp_parser.m4 \ + $(top_srcdir)/src/external/libuuid.m4 \ + $(top_srcdir)/src/external/libcurl.m4 \ + $(top_srcdir)/src/external/libjansson.m4 \ + $(top_srcdir)/src/external/libunistring.m4 \ + $(top_srcdir)/src/external/glib.m4 \ + $(top_srcdir)/src/external/p11-kit.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am 
$(am__DIST_COMMON) +mkinstalldirs = $(SHELL) $(top_srcdir)/build/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man1dir = $(mandir)/man1 +am__installdirs = "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" \ + "$(DESTDIR)$(man8dir)" +man5dir = $(mandir)/man5 +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/build/mkinstalldirs +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CARES_CFLAGS = @CARES_CFLAGS@ +CARES_LIBS = @CARES_LIBS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CERTUTIL = @CERTUTIL@ +CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +CMOCKA_CFLAGS = @CMOCKA_CFLAGS@ +CMOCKA_LIBS = @CMOCKA_LIBS@ +COLLECTION_CFLAGS = @COLLECTION_CFLAGS@ +COLLECTION_LIBS = @COLLECTION_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CURL_CFLAGS = @CURL_CFLAGS@ +CURL_LIBS = @CURL_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DBUS_CFLAGS = @DBUS_CFLAGS@ +DBUS_LIBS = @DBUS_LIBS@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DHASH_CFLAGS = @DHASH_CFLAGS@ +DHASH_LIBS = @DHASH_LIBS@ +DLLTOOL = @DLLTOOL@ +DOCBOOK_XSLT = @DOCBOOK_XSLT@ +DOXYGEN = @DOXYGEN@ +DSYMUTIL = @DSYMUTIL@ +DTRACE = @DTRACE@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GDM_PAM_EXTENSIONS_CFLAGS = @GDM_PAM_EXTENSIONS_CFLAGS@ +GDM_PAM_EXTENSIONS_LIBS = @GDM_PAM_EXTENSIONS_LIBS@ +GLIB2_CFLAGS = @GLIB2_CFLAGS@ +GLIB2_LIBS = @GLIB2_LIBS@ +GMSGFMT = @GMSGFMT@ +GPO_DEFAULT = @GPO_DEFAULT@ +GREP = @GREP@ +HAVE_FAKEROOT = @HAVE_FAKEROOT@ +HAVE_LDAPMODIFY = @HAVE_LDAPMODIFY@ +HAVE_MANPAGES = @HAVE_MANPAGES@ +HAVE_NSS_WRAPPER = @HAVE_NSS_WRAPPER@ 
+HAVE_PYTHON2 = @HAVE_PYTHON2@ +HAVE_PYTHON2_BINDINGS = @HAVE_PYTHON2_BINDINGS@ +HAVE_PYTHON3 = @HAVE_PYTHON3@ +HAVE_PYTHON3_BINDINGS = @HAVE_PYTHON3_BINDINGS@ +HAVE_SELINUX = @HAVE_SELINUX@ +HAVE_SEMANAGE = @HAVE_SEMANAGE@ +HAVE_UID_WRAPPER = @HAVE_UID_WRAPPER@ +HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@ +HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@ +INI_CONFIG_CFLAGS = @INI_CONFIG_CFLAGS@ +INI_CONFIG_LIBS = @INI_CONFIG_LIBS@ +INI_CONFIG_V0_CFLAGS = @INI_CONFIG_V0_CFLAGS@ +INI_CONFIG_V0_LIBS = @INI_CONFIG_V0_LIBS@ +INI_CONFIG_V1_1_CFLAGS = @INI_CONFIG_V1_1_CFLAGS@ +INI_CONFIG_V1_1_LIBS = @INI_CONFIG_V1_1_LIBS@ +INI_CONFIG_V1_3_CFLAGS = @INI_CONFIG_V1_3_CFLAGS@ +INI_CONFIG_V1_3_LIBS = @INI_CONFIG_V1_3_LIBS@ +INI_CONFIG_V1_CFLAGS = @INI_CONFIG_V1_CFLAGS@ +INI_CONFIG_V1_LIBS = @INI_CONFIG_V1_LIBS@ +INOTIFY_LIBS = @INOTIFY_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +JANSSON_CFLAGS = @JANSSON_CFLAGS@ +JANSSON_LIBS = @JANSSON_LIBS@ +JOURNALD_CFLAGS = @JOURNALD_CFLAGS@ +JOURNALD_LIBS = @JOURNALD_LIBS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_CONFIG = @KRB5_CONFIG@ +KRB5_LIBS = @KRB5_LIBS@ +LD = @LD@ +LDB_CFLAGS = @LDB_CFLAGS@ +LDB_LIBS = @LDB_LIBS@ +LDFLAGS = @LDFLAGS@ +LIBADD_DL = @LIBADD_DL@ +LIBADD_DLD_LINK = @LIBADD_DLD_LINK@ +LIBADD_DLOPEN = @LIBADD_DLOPEN@ +LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@ +LIBADD_TIMER = @LIBADD_TIMER@ +LIBCLOCK_GETTIME = @LIBCLOCK_GETTIME@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNL1_CFLAGS = @LIBNL1_CFLAGS@ +LIBNL1_LIBS = @LIBNL1_LIBS@ +LIBNL3_CFLAGS = @LIBNL3_CFLAGS@ +LIBNL3_LIBS = @LIBNL3_LIBS@ +LIBNL_CFLAGS = @LIBNL_CFLAGS@ +LIBNL_LIBS = @LIBNL_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ 
+LT_DLLOADERS = @LT_DLLOADERS@ +LT_DLPREOPEN = @LT_DLPREOPEN@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGMERGE = @MSGMERGE@ +NDR_KRB5PAC_CFLAGS = @NDR_KRB5PAC_CFLAGS@ +NDR_KRB5PAC_LIBS = @NDR_KRB5PAC_LIBS@ +NDR_NBT_CFLAGS = @NDR_NBT_CFLAGS@ +NDR_NBT_LIBS = @NDR_NBT_LIBS@ +NFSIDMAP_CFLAGS = @NFSIDMAP_CFLAGS@ +NFSIDMAP_LIBS = @NFSIDMAP_LIBS@ +NFSIDMAP_OBJ = @NFSIDMAP_OBJ@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSCD = @NSCD@ +NSCD_PATH = @NSCD_PATH@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +NSUPDATE = @NSUPDATE@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENLDAP_CFLAGS = @OPENLDAP_CFLAGS@ +OPENLDAP_LIBS = @OPENLDAP_LIBS@ +OPENSSL = @OPENSSL@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +P11TOOL = @P11TOOL@ +P11_KIT_CFLAGS = @P11_KIT_CFLAGS@ +P11_KIT_LIBS = @P11_KIT_LIBS@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_LIBS = @PAM_LIBS@ +PAM_MISC_LIBS = @PAM_MISC_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PCRE_CFLAGS = @PCRE_CFLAGS@ +PCRE_LIBS = @PCRE_LIBS@ +PK12UTIL = @PK12UTIL@ +PKG_CONFIG = @PKG_CONFIG@ + +######################## +# MANPAGE TRANSLATIONS # +######################## +PO4A = @PO4A@ +POPT_CFLAGS = @POPT_CFLAGS@ +POPT_LIBS = @POPT_LIBS@ +POSUB = @POSUB@ +PRERELEASE_VERSION = @PRERELEASE_VERSION@ +PYTEST = @PYTEST@ +PYTHON = @PYTHON@ +PYTHON2 = @PYTHON2@ +PYTHON2_CFLAGS = @PYTHON2_CFLAGS@ +PYTHON2_EXEC_PREFIX = @PYTHON2_EXEC_PREFIX@ +PYTHON2_INCLUDES = @PYTHON2_INCLUDES@ +PYTHON2_LIBS = @PYTHON2_LIBS@ +PYTHON2_PREFIX = @PYTHON2_PREFIX@ +PYTHON2_VERSION = @PYTHON2_VERSION@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ 
+PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON3_VERSION = @PYTHON3_VERSION@ +PYTHON_CONFIG = @PYTHON_CONFIG@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RESOLV_CFLAGS = @RESOLV_CFLAGS@ +RESOLV_LIBS = @RESOLV_LIBS@ +SASL_CFLAGS = @SASL_CFLAGS@ +SASL_LIBS = @SASL_LIBS@ +SED = @SED@ +SELINUX_LIBS = @SELINUX_LIBS@ +SEMANAGE_LIBS = @SEMANAGE_LIBS@ +SERVICE = @SERVICE@ +SET_MAKE = @SET_MAKE@ +SGML_CATALOG_FILES = @SGML_CATALOG_FILES@ +SHELL = @SHELL@ +SLAPD = @SLAPD@ +SMBCLIENT_CFLAGS = @SMBCLIENT_CFLAGS@ +SMBCLIENT_LIBS = @SMBCLIENT_LIBS@ +SOFTHSM2_PATH = @SOFTHSM2_PATH@ +SOFTHSM2_UTIL = @SOFTHSM2_UTIL@ +SSH_KEYGEN = @SSH_KEYGEN@ +SSL_CFLAGS = @SSL_CFLAGS@ +SSL_LIBS = @SSL_LIBS@ +SSSD_USER = @SSSD_USER@ +STRIP = @STRIP@ +SYSTEMD_DAEMON_CFLAGS = @SYSTEMD_DAEMON_CFLAGS@ +SYSTEMD_DAEMON_LIBS = @SYSTEMD_DAEMON_LIBS@ +SYSTEMD_LOGIN_CFLAGS = @SYSTEMD_LOGIN_CFLAGS@ +SYSTEMD_LOGIN_LIBS = @SYSTEMD_LOGIN_LIBS@ +TALLOC_CFLAGS = @TALLOC_CFLAGS@ +TALLOC_LIBS = @TALLOC_LIBS@ +TDB_CFLAGS = @TDB_CFLAGS@ +TDB_LIBS = @TDB_LIBS@ +TEST_DIR = @TEST_DIR@ +TEVENT_CFLAGS = @TEVENT_CFLAGS@ +TEVENT_LIBS = @TEVENT_LIBS@ +UNICODE_LIBS = @UNICODE_LIBS@ +USE_NLS = @USE_NLS@ +UUID_CFLAGS = @UUID_CFLAGS@ +UUID_LIBS = @UUID_LIBS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XMLLINT = @XMLLINT@ +XSLTPROC = @XSLTPROC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +appmodpath = @appmodpath@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cifspluginpath = @cifspluginpath@ 
+config_def_ccache_dir = @config_def_ccache_dir@ +config_def_ccname_template = @config_def_ccname_template@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbpath = @dbpath@ +docdir = @docdir@ +dvidir = @dvidir@ +environment_file = @environment_file@ +exec_prefix = @exec_prefix@ +gpocachepath = @gpocachepath@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +initdir = @initdir@ +install_sh = @install_sh@ +krb5authdatapluginpath = @krb5authdatapluginpath@ +krb5pluginpath = @krb5pluginpath@ +krb5rcachedir = @krb5rcachedir@ +ldblibdir = @ldblibdir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libwbclient_version = @libwbclient_version@ +libwbclient_version_info = @libwbclient_version_info@ +localedir = @localedir@ +localstatedir = @localstatedir@ +logpath = @logpath@ +mandir = @mandir@ +mcpath = @mcpath@ +mkdir_p = @mkdir_p@ +nfsidmaplibdir = @nfsidmaplibdir@ +nfslibpath = @nfslibpath@ +nsslibdir = @nsslibdir@ +oldincludedir = @oldincludedir@ +pammoddir = @pammoddir@ +pdfdir = @pdfdir@ +pidpath = @pidpath@ +pipepath = @pipepath@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pluginpath = @pluginpath@ +polkitdir = @polkitdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pubconfpath = @pubconfpath@ +py2execdir = @py2execdir@ +py3execdir = @py3execdir@ +pyexecdir = @pyexecdir@ +python2dir = @python2dir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +secdbpath = @secdbpath@ +session_recording_shell = @session_recording_shell@ +sharedbuilddir = @sharedbuilddir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sudolibpath = @sudolibpath@ +sysconfdir = @sysconfdir@ +systemdconfdir = @systemdconfdir@ +systemdunitdir = @systemdunitdir@ +tapset_dir = @tapset_dir@ +target_alias = @target_alias@ +top_build_prefix = 
@top_build_prefix@ + +# The following variable is dependent on placement of this file +top_builddir = ../.. +top_srcdir = @top_srcdir@ +winbindpluginpath = @winbindpluginpath@ + +############ +# MANPAGES # +############ + +# If no conditions are given, *all* conditionals are expanded. We don't want +# to include any conditions by default, so we need to pass a phony conditional +# conditionals are delimeted with a semicolon +@BUILD_SUDO_TRUE@SUDO_CONDS = ;with_sudo +@BUILD_AUTOFS_TRUE@AUTOFS_CONDS = ;with_autofs +@BUILD_SSH_TRUE@SSH_CONDS = ;with_ssh +@BUILD_PAC_RESPONDER_TRUE@PAC_RESPONDER_CONDS = ;with_pac_responder +@BUILD_IFP_TRUE@IFP_CONDS = ;with_ifp +@BUILD_SECRETS_TRUE@SEC_CONDS = ;with_secrets +@BUILD_SECRETS_TRUE@KCM_CONDS = ;with_kcm +@BUILD_SYSTEMTAP_TRUE@STAP_CONDS = ;with_stap +@GPO_DEFAULT_ENFORCING_FALSE@GPO_CONDS = ;gpo_default_permissive +@GPO_DEFAULT_ENFORCING_TRUE@GPO_CONDS = ;gpo_default_enforcing +@HAVE_SYSTEMD_UNIT_TRUE@SYSTEMD_CONDS = ;have_systemd +@ADD_FILES_DOMAIN_FALSE@FILES_CONDS = ;no_enable_files_domain +@ADD_FILES_DOMAIN_TRUE@FILES_CONDS = ;enable_files_domain +@HAVE_NSS_FALSE@CRYPTO_CONDS = ;with_openssl +@HAVE_NSS_TRUE@CRYPTO_CONDS = ;with_nss +CONDS = with_false$(SUDO_CONDS)$(AUTOFS_CONDS)$(SSH_CONDS)$(PAC_RESPONDER_CONDS)$(IFP_CONDS)$(GPO_CONDS)$(SEC_CONDS)$(SYSTEMD_CONDS)$(FILES_CONDS)$(KCM_CONDS)$(STAP_CONDS)$(CRYPTO_CONDS) +XMLLINT_FLAGS = --catalogs --postvalid --nonet --noent --xinclude --noout +XSLTPROC_FLAGS = --catalogs --xinclude --nonet $(am__append_1) +EXTRA_DIST = $(wildcard $(srcdir)/*.xml) $(wildcard \ + $(srcdir)/include/*.xml) $(POTFILE) $(PO4A_CONFIG) +man_MANS = sss_useradd.8 sss_userdel.8 sss_usermod.8 sss_groupadd.8 \ + sss_groupdel.8 sss_groupmod.8 sssd.8 sssd.conf.5 sssd-ldap.5 \ + sssd-krb5.5 sssd-simple.5 sss-certmap.5 \ + sssd_krb5_locator_plugin.8 sss_groupshow.8 pam_sss.8 \ + sss_obfuscate.8 sss_cache.8 sss_debuglevel.8 sss_seed.8 \ + sss_override.8 idmap_sss.8 sssctl.8 sssd-session-recording.5 \ + 
$(NULL) $(am__append_2) $(am__append_3) $(am__append_4) \ + $(am__append_5) $(am__append_6) $(am__append_7) \ + $(am__append_8) $(am__append_9) $(am__append_10) +SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 +PACKAGE_DOC = sssd-docs +POTFILE = po/$(PACKAGE_DOC).pot +PO4A_CONFIG = po/po4a.cfg + +# Extract the list of languages from the po4a config file. +LINGUAS_DIST = `$(SED) -ne 's/^.*\[po4a_langs\] \(.*\)$$/\1/p' $(srcdir)/$(PO4A_CONFIG)` +PO4A_COMMON_OPTS = --option doctype=docbook \ + --package-name $(PACKAGE_DOC) \ + --variable builddir=$(CURDIR) \ + --package-version $(PACKAGE_VERSION) \ + --msgid-bugs-address sssd-devel@redhat.com \ + --copyright-holder "Red Hat" + +PO4A_BUILD_OPTS = $(PO4A_COMMON_OPTS) --no-backups +XML_DOC = $(wildcard $(srcdir)/*.xml) $(wildcard $(srcdir)/include/*.xml) +@HAVE_PO4A_TRUE@CFG_PAGES = $(addprefix $(srcdir)/, $(shell grep '\[type:docbook\]' $(PO4A_CONFIG) | awk '{print $$2}' | tr '\n' ' ')) +@HAVE_PO4A_TRUE@NONTRANSLATED_PAGES = $(filter-out $(CFG_PAGES), $(XML_DOC)) +all: all-am + +.SUFFIXES: +.SUFFIXES: .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/man/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/man/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man1: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man1dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.1[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \ + done; } + +uninstall-man1: + @$(NORMAL_UNINSTALL) + @list=''; 
test -n "$(man1dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.1[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir) +install-man5: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man5dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man5dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man5dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.5[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ + done; } + +uninstall-man5: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man5dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.5[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir) +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + 
@list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + +@HAVE_PO4A_FALSE@dist-hook: + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) 
$(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ + dist-hook +check-am: all-am +check: check-am +all-am: Makefile $(MANS) all-local +installdirs: + for dir in "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-data-local install-man + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man1 install-man5 install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-local uninstall-man + +uninstall-man: uninstall-man1 uninstall-man5 uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: all all-am all-local check check-am clean clean-generic \ + clean-libtool clean-local cscopelist-am ctags-am dist-hook \ + distclean distclean-generic distclean-libtool distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-data-local install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man1 install-man5 install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-generic \ + 
mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ + uninstall-am uninstall-local uninstall-man uninstall-man1 \ + uninstall-man5 uninstall-man8 + +.PRECIOUS: Makefile + + +#Special Rules: +export SGML_CATALOG_FILES +DOCBOOK_XSLT ?= http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl +.1.xml.1: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +.3.xml.3: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +.5.xml.5: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +.8.xml.8: + $(XMLLINT) $(XMLLINT_FLAGS) $< + $(XSLTPROC) -o $@ $(XSLTPROC_FLAGS) $(DOCBOOK_XSLT) $< + +# If the user has not defined it let's use the default. +LINGUAS ?= $(LINGUAS_DIST) + +# FIXME: Use a stamp file until po4a supports them internally. +@HAVE_PO4A_TRUE@man.stamp: $(XML_DOC) $(POTFILE) $(PO4A_CONFIG) +@HAVE_PO4A_TRUE@ cd $(srcdir) && \ +@HAVE_PO4A_TRUE@ $(PO4A) $(PO4A_BUILD_OPTS) $(PO4A_CONFIG) +@HAVE_PO4A_TRUE@ touch $@ + +@HAVE_PO4A_TRUE@update-po: +@HAVE_PO4A_TRUE@ @if test x"$(NONTRANSLATED_PAGES)" != "x"; then \ +@HAVE_PO4A_TRUE@ echo "The following pages are not translated" $(NONTRANSLATED_PAGES); \ +@HAVE_PO4A_TRUE@ exit 1; \ +@HAVE_PO4A_TRUE@ fi +@HAVE_PO4A_TRUE@ cd $(srcdir) && \ +@HAVE_PO4A_TRUE@ $(PO4A) $(PO4A_BUILD_OPTS) --force $(PO4A_CONFIG) + +@HAVE_PO4A_TRUE@dist-hook: man.stamp +@HAVE_PO4A_TRUE@ if [ -f man.stamp ]; then \ +@HAVE_PO4A_TRUE@ cp man.stamp $(distdir); \ +@HAVE_PO4A_TRUE@ for lang in $(LINGUAS_DIST); do \ +@HAVE_PO4A_TRUE@ cp $(srcdir)/po/$$lang.po $(distdir)/po; \ +@HAVE_PO4A_TRUE@ $(mkdir_p) $(distdir)/$$lang; \ +@HAVE_PO4A_TRUE@ cp -r $(builddir)/$$lang $(distdir)/; \ +@HAVE_PO4A_TRUE@ done; \ +@HAVE_PO4A_TRUE@ else \ +@HAVE_PO4A_TRUE@ cp $(srcdir)/man.stamp $(distdir); \ +@HAVE_PO4A_TRUE@ for lang in $(LINGUAS_DIST); do \ +@HAVE_PO4A_TRUE@ cp $(srcdir)/po/$$lang.po $(distdir)/po; \ +@HAVE_PO4A_TRUE@ 
$(mkdir_p) $(distdir)/$$lang; \ +@HAVE_PO4A_TRUE@ cp -r $(srcdir)/$$lang $(distdir)/; \ +@HAVE_PO4A_TRUE@ done; \ +@HAVE_PO4A_TRUE@ fi + +@HAVE_PO4A_TRUE@clean-local: +@HAVE_PO4A_TRUE@ for lang in $(LINGUAS); do \ +@HAVE_PO4A_TRUE@ if [ -d $$lang ]; then \ +@HAVE_PO4A_TRUE@ rm -rf $$lang; \ +@HAVE_PO4A_TRUE@ fi \ +@HAVE_PO4A_TRUE@ done +@HAVE_PO4A_TRUE@ rm -f $(man_MANS) +@HAVE_PO4A_TRUE@ rm -f man.stamp + +@HAVE_PO4A_FALSE@man.stamp: $(XML_DOC) +@HAVE_PO4A_FALSE@ touch $@ + +@HAVE_PO4A_FALSE@clean-local: +@HAVE_PO4A_FALSE@ rm -f $(man_MANS) +@HAVE_PO4A_FALSE@ rm -f man.stamp + +# Generate translated manual pages +all-local: all-local-@USE_NLS@ +all-local-no: +all-local-yes: man.stamp + if [ -z $$recursion ]; then \ + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + sources=$$(ls -1 $$lang/*.xml); \ + manpages=$$(echo $$sources | $(SED) 's/\.xml//g'); \ + $(MAKE) recursion=1 man_MANS="$$manpages"; \ + fi \ + done \ + fi + +install-data-local: install-data-local-@USE_NLS@ +install-data-local-no: +install-data-local-yes: + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + sources=$$(ls -1 $$lang/*.xml); \ + manpages=$$(echo $$sources | $(SED) 's/\.xml//g'); \ + $(MAKE) install-man \ + mandir="$(mandir)/$$lang" \ + man_MANS="$$manpages"; \ + fi \ + done + +uninstall-local: uninstall-local-@USE_NLS@ +uninstall-local-no: +uninstall-local-yes: + for lang in $(LINGUAS); do \ + if [ -d $$lang ]; then \ + sources=$$(ls -1 $$lang/*.xml); \ + manpages=$$(echo $$sources | $(SED) 's/\.xml//g'); \ + $(MAKE) uninstall-man \ + mandir="$(mandir)/$$lang" \ + man_MANS="$$manpages"; \ + fi \ + done + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/man/br/include/ad_modified_defaults.xml b/src/man/br/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/br/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/br/include/autofs_restart.xml b/src/man/br/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/br/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/br/include/debug_levels.xml b/src/man/br/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/br/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/br/include/debug_levels_tools.xml b/src/man/br/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/br/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/br/include/experimental.xml b/src/man/br/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/br/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/br/include/failover.xml b/src/man/br/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/br/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/br/include/homedir_substring.xml b/src/man/br/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/br/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/br/include/ipa_modified_defaults.xml b/src/man/br/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/br/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/br/include/ldap_id_mapping.xml b/src/man/br/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/br/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/br/include/ldap_search_bases.xml b/src/man/br/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/br/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/br/include/local.xml b/src/man/br/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/br/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/br/include/override_homedir.xml b/src/man/br/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/br/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/br/include/param_help.xml b/src/man/br/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/br/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/br/include/param_help_py.xml b/src/man/br/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/br/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/br/include/seealso.xml b/src/man/br/include/seealso.xml new file mode 100644 index 0000000..d6415a2 --- /dev/null +++ b/src/man/br/include/seealso.xml @@ -0,0 +1,61 @@ + + GWELET IVEZ + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/br/include/service_discovery.xml b/src/man/br/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/br/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/br/include/upstream.xml b/src/man/br/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/br/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/ca/include/ad_modified_defaults.xml b/src/man/ca/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/ca/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/ca/include/autofs_restart.xml b/src/man/ca/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/ca/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/ca/include/debug_levels.xml b/src/man/ca/include/debug_levels.xml new file mode 100644 index 0000000..61a039d --- /dev/null +++ b/src/man/ca/include/debug_levels.xml 
@@ -0,0 +1,92 @@ + + + L'SSSD admet dues representacions per a l'especificació del nivell de +depuració. La més senzilla és especificar un número del 0-9, que representa +el que permet cada nivell i tots els missatges de depuració de nivell +baix. L'opció més exhaustiva és especificar una màscara de bits en +hexadecimal per activar o desactivar els nivells específics (per exemple, si +voleu suprimir un nivell). + + + Si us plau, tingueu en compte que cadascun dels serveis de l'SSSD registra +el seu fitxer propi de registre. També tingueu en compte que l'habilitació +del debug_level a la secció [sssd]únicament +habilita la depuració del mateix procés de l'sssd, no per al procés del +contestador o del proveïdor. El paràmetre debug_level s'ha +d'afegir en totes les seccions que vulgueu que generin registres. + + + A més de canviar el nivell del registre al fitxer de configuració amb el +paràmetre debug_level, que és permanent, però requereix que +es reiniciï l'SSSD, també és possible canviar el nivell de depuració al vol +amb l'eina sss_debuglevel +8 . + + + Els nivells de depuració que s'admeten actualment: + + + 0, 0x0010: Fallides +fatals. Qualsevol cosa que impedeixi la posada en marxa de l'SSSD o provoqui +el seu cessament. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Fallides serioses. Un +error que anuncia que una petició o una operació en particular ha fallat. + + + 3, 0x0080: Fallides +menors. Aquests són els errors que enterboleixen i poden fer fracassar +l'operació dels 2. + + + 4, 0x0100: Ajusts de la +configuració. + + + 5, 0x0200: Dades de les funcions. + + + 6, 0x0400: Missatges de traça per +al funcionament de les funcions. + + + 7, 0x1000: Missatges de traça per +a les funcions internes de control. + + + 8, 0x2000: Contingut de les +variables de les funcions internes que poden ser interessants. 
+ + + 9, 0x4000: Informació de traçat +extremadament de baix nivell. + + + Per registrar els nivells de depuració de la màscara de bits que es +requereixi, només heu d'afegir els seus números com es mostra en els +següents exemples: + + + Exemple: Per registrar les fallides fatals, les +fallides crítiques, les fallides serioses i les dades de les funcions, +utilitzeu0x0270. + + + Exemple: Per registrar les fallides fatals, els ajusts +de la configuració, les dades de les funcions, els missatges de traça per a +les funcions internes de control, utilitzeu 0x1310. + + + Nota: El format de la màscara de bits dels nivells de +depuració es va introduir en la versió 1.7.0. + + + Per defecte: 0 + + diff --git a/src/man/ca/include/debug_levels_tools.xml b/src/man/ca/include/debug_levels_tools.xml new file mode 100644 index 0000000..c70b984 --- /dev/null +++ b/src/man/ca/include/debug_levels_tools.xml 
@@ -0,0 +1,77 @@ + + + L'SSSD admet dues representacions per a l'especificació del nivell de +depuració. La més senzilla és especificar un número del 0-9, que representa +el que permet cada nivell i tots els missatges de depuració de nivell +baix. L'opció més exhaustiva és especificar una màscara de bits en +hexadecimal per activar o desactivar els nivells específics (per exemple, si +voleu suprimir un nivell). + + + Els nivells de depuració que s'admeten actualment: + + + 0, 0x0010: Fallides +fatals. Qualsevol cosa que impedeixi la posada en marxa de l'SSSD o provoqui +el seu cessament. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Fallides serioses. Un +error que anuncia que una petició o una operació en particular ha fallat. + + + 3, 0x0080: Fallides +menors. Aquests són els errors que enterboleixen i poden fer fracassar +l'operació dels 2. + + + 4, 0x0100: Ajusts de la +configuració. + + + 5, 0x0200: Dades de les funcions. + + + 6, 0x0400: Missatges de traça per +al funcionament de les funcions. + + + 7, 0x1000: Missatges de traça per +a les funcions internes de control. + + + 8, 0x2000: Contingut de les +variables de les funcions internes que poden ser interessants. + + + 9, 0x4000: Informació de traçat +extremadament de baix nivell. + + + Per registrar els nivells de depuració de la màscara de bits que es +requereixi, només heu d'afegir els seus números com es mostra en els +següents exemples: + + + Exemple: Per registrar les fallides fatals, les +fallides crítiques, les fallides serioses i les dades de les funcions, +utilitzeu0x0270. + + + Exemple: Per registrar les fallides fatals, els ajusts +de la configuració, les dades de les funcions, els missatges de traça per a +les funcions internes de control, utilitzeu 0x1310. + + + Nota: El format de la màscara de bits dels nivells de +depuració es va introduir en la versió 1.7.0. 
+ + + Per defecte: 0 + + diff --git a/src/man/ca/include/experimental.xml b/src/man/ca/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/ca/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. diff --git a/src/man/ca/include/failover.xml b/src/man/ca/include/failover.xml new file mode 100644 index 0000000..ebb7b21 --- /dev/null +++ b/src/man/ca/include/failover.xml 
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/ca/include/homedir_substring.xml b/src/man/ca/include/homedir_substring.xml new file mode 100644 index 0000000..f7328c7 --- /dev/null +++ b/src/man/ca/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (cadena) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Per defecte: /home + + + diff --git a/src/man/ca/include/ipa_modified_defaults.xml b/src/man/ca/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/ca/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/ca/include/ldap_id_mapping.xml b/src/man/ca/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..751f9cd
--- /dev/null
+++ b/src/man/ca/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuració + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (enter) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Per defecte: 200000 + + + + + ldap_idmap_range_max (enter) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Per defecte: 2000200000 + + + + + ldap_idmap_range_size (enter) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Per defecte: 200000 + + + + + ldap_idmap_default_domain_sid (cadena) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Per defecte: sense establir + + + + + ldap_idmap_default_domain (cadena) + + + Specify the name of the default domain. 
+ + + Per defecte: sense establir + + + + + ldap_idmap_autorid_compat (booleà) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Per defecte: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Per defecte: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/ca/include/ldap_search_bases.xml b/src/man/ca/include/ldap_search_bases.xml new file mode 100644 index 0000000..a97835a --- /dev/null +++ b/src/man/ca/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Per defecte: el valor de ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/ca/include/local.xml b/src/man/ca/include/local.xml new file mode 100644 index 0000000..38c058b --- /dev/null +++ b/src/man/ca/include/local.xml 
@@ -0,0 +1,17 @@ + + EL DOMINI LOCAL + + Per a un funcionament correcte, s'ha de crear un domini amb +id_provider=local i l'SSSD ha d'estar en execució. + + + L'administrador pot ser que vulgui utilitzar els usuaris locals de l'SSSD en +lloc dels usuaris tradicionals d'UNIX en els casos en què es requereixi la +imbricació dels grups (vegeu +sss_groupadd 8 +). Els usuaris locals també són útils per provar i desplegar +l'SSSD sense haver de desplegar tot un servidor remot. Les eines +sss_user* i sss_group* utilitzen +l'emmagatzematge LDB local per emmagatzemar els usuaris i els grups. + + diff --git a/src/man/ca/include/override_homedir.xml b/src/man/ca/include/override_homedir.xml new file mode 100644 index 0000000..5bc390a --- /dev/null +++ b/src/man/ca/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (cadena) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + nom d'usuari + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + exemple: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/ca/include/param_help.xml b/src/man/ca/include/param_help.xml new file mode 100644 index 0000000..e7f3253 --- /dev/null +++ b/src/man/ca/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Mostra el missatge d'ajuda i surt. + + + diff --git a/src/man/ca/include/param_help_py.xml b/src/man/ca/include/param_help_py.xml new file mode 100644 index 0000000..7c6afb5 --- /dev/null 
+++ b/src/man/ca/include/param_help_py.xml @@ -0,0 +1,10 @@ + + + , + + + + Mostra el missatge d'ajuda i surt. + + + diff --git a/src/man/ca/include/seealso.xml b/src/man/ca/include/seealso.xml new file mode 100644 index 0000000..5db74a6 --- /dev/null +++ b/src/man/ca/include/seealso.xml @@ -0,0 +1,61 @@ + + VEGEU TAMBÉ + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/ca/include/service_discovery.xml b/src/man/ca/include/service_discovery.xml new file mode 100644 index 0000000..032d52c --- /dev/null +++ b/src/man/ca/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuració + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + El nom del domini + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + El protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + Vegeu també + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/ca/include/upstream.xml b/src/man/ca/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/ca/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/ca/pam_sss.8.xml b/src/man/ca/pam_sss.8.xml new file mode 100644 index 0000000..700e69c --- /dev/null +++ b/src/man/ca/pam_sss.8.xml 
@@ -0,0 +1,205 @@ + + + +Pàgines del manual de l'SSSD + + + + + pam_sss + 8 + + + + pam_sss + Mòdul de PAM per SSSD + + + + +pam_sss.so +quiet +forward_pass +use_first_pass +use_authtok +retry=N +ignore_unknown_user +ignore_authinfo_unavail +domains=X +allow_missing_name +prompt_always + + + + DESCRIPCIÓ + pam_sss.so és la interfície PAM a l'SSSD (System Security +Services daemon). Els errors i els resultats es registren a través de +syslog(3) amb el canal LOG_AUTHPRIV. + + + + OPCIONS + + + + + + + Suprimeix el registre dels missatges per als usuaris desconeguts. + + + + + + + + Si s'estableix , la contrasenya que +s'introdueix es posa a la pila perquè els altres mòduls del PAM l'utilitzin. + + + + + + + + + L'argument use_first_pass obliga al mòdul que utilitzi una contrasenya +apilada anteriorment dels mòduls i mai ho demanarà l'usuari - si no hi ha +cap contrasenya o no és correcta, es denegarà l'accés a l'usuari. + + + + + + + + Quan el canvi de contrasenya força al mòdul a establir la nova contrasenya a +la proporcionada per un mòdul de contrasenya prèviament apilat. + + + + + + + + Si s'especifica, en cas de fallar l'autenticació a l'usuari se li demanarà N +vegades més una contrasenya. Per defecte és 0. + Si us plau, tingueu en compte que aquesta opció podria no funcionar com +s'espera si l'aplicació que crida PAM gestiona pel seu compte el diàleg amb +l'usuari. Un exemple típic és sshd amb +. + + + + + + + + Si s'especifica aquesta opció i no existeix l'usuari, el mòdul PAM retornarà +PAM_IGNORE. Això provoca que el marc de treball del PAM ignori aquest mòdul. + + + + + + + + + Especifica que el mòdul PAM ha de retornar PAM_IGNORE si no pot contactar +amb el domini SSSD. Això provoca que el marc de treball del PAM ignori +aquest mòdul. + + + + + + + + + Permet a l'administrador que restringeixi els dominis que un servei PAM +concret pot autentificar-s'hi. 
El format és una llista separada per comes +dels noms dels dominis SSSD, com s'especifica al fitxer sssd.conf. + + + NOTA: Ha d'utilitzar-se juntament amb les opcions +pam_trusted_users i pam_public_domains. Si us +plau, vegeu la pàgina del manual de +sssd.conf 5 + per a més informació sobre aquestes dues opcions del +contestador del PAM. + + + + + + + + + + The main purpose of this option is to let SSSD determine the user name based +on additional information, e.g. the certificate from a Smartcard. + + + The current use case are login managers which can monitor a Smartcard reader +for card events. In case a Smartcard is inserted the login manager will call +a PAM stack which includes a line like +auth sufficient pam_sss.so allow_missing_name + In this case SSSD will try to determine the user name based on the +content of the Smartcard, returns it to pam_sss which will finally put it on +the PAM stack. + + + + + + + + + + Always prompt the user for credentials. With this option credentials +requested by other PAM modules, typically a password, will be ignored and +pam_sss will prompt for credentials again. Based on the pre-auth reply by +SSSD pam_sss might prompt for a password, a Smartcard PIN or other +credentials. + + + + + + + + TIPUS DE MÒDULS PROPORCIONATS + Es proporcionen tots els tipus de mòduls (, +, i +). + + + + + FITXERS + Si falla el restabliment d'una contrasenya per root, perquè el proveïdor +SSSD corresponent no admet el restabliment de les contrasenyes, es pot +mostrar un missatge concret. Aquest missatge per exemple pot contenir les +instruccions sobre com es restableix una contrasenya. + + El missatge es llegeix del fitxer +pam_sss_pw_reset_message.LOC on LOC representa una +cadena de la configuració regional retornada amb +setlocale3 +. Si no hi ha cap coincidència, es mostra el contingut del +fitxer pam_sss_pw_reset_message.txt. 
El propietari dels +fitxers ha de ser root i tan sols root ha de tenir els permisos de lectura i +escriptura, mentre que tots els altres usuaris únicament han de tenir els +permisos de lectura. + + Aquests fitxers se cerquen al directori +/etc/sssd/customize/NOM_DOMINI/. Si no hi ha present +cap fitxer que hi coincideixi, es mostrarà un missatge genèric. + + + + + + diff --git a/src/man/ca/sss_cache.8.xml b/src/man/ca/sss_cache.8.xml new file mode 100644 index 0000000..1de68c9 --- /dev/null +++ b/src/man/ca/sss_cache.8.xml 
@@ -0,0 +1,221 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_cache + 8 + + + + sss_cache + fa neteja de la memòria cau + + + + +sss_cache +opcions + + + + DESCRIPCIÓ + + sss_cache invalidates records in SSSD cache. Invalidated +records are forced to be reloaded from server as soon as related SSSD +backend is online. Options that invalidate a single object only accept a +single provided argument. + + + + + OPCIONS + + + + , + + + + Invalidate all cached entries. + + + + + + , +usuari + + + + Invalida un usuari específic. + + + + + + , + + + + Invalida tots els registres dels usuaris. Aquesta opció anul·la la +invalidació d'un usuari específic, si també es va especificar. + + + + + + , grup + + + + Invalida un grup específic. + + + + + + , + + + + Invalida tots els registres dels grups. Aquesta opció anul·la la invalidació +d'un grup específic, si també es va especificar. + + + + + + , +grup-de-xarxa + + + + invalida un grup de xarxa específic. + + + + + + , + + + + Invalida tots els registres dels grups de xarxa. Aquesta opció anul·la la +invalidació d'un grup de xarxa específic, si també es va especificar. + + + + + + , +servei + + + + invalida un servei específic. + + + + + + , + + + + Invalida tots els registres dels serveis. Aquesta opció anul·la la +invalidació d'un servei específic, si també es va especificar. + + + + + + , +assignació-autofs + + + + Invalida una assignació autofs específica. + + + + + + , + + + + Invalida tots els registres de les assignacions autofs. Aquesta opció +anul·la la invalidació d'una assignació autofs específica, si també es va +especificar. + + + + + + , +nom-amfitrió + + + + Invalida les claus públiques SSH d'un amfitrió especific. + + + + + + , + + + + Invalida tots els registres de les claus públiques SSH de tots els +amfitrions. Aquesta opció anul·la la invalidació d'una clau pública SSH d'un +amfitrió específic, si també es va especificar. + + + + + + , +rule + + + + Invalidate particular sudo rule. 
+ + + + + + , + + + + Invalidate all cached sudo rules. This option overrides invalidation of +specific sudo rule if it was also set. + + + + + + , +domini + + + + Restringeix el procés d'invalidació a tan sols un domini concret. + + + + + + + + + + + diff --git a/src/man/ca/sss_groupadd.8.xml b/src/man/ca/sss_groupadd.8.xml new file mode 100644 index 0000000..5e2cf8c --- /dev/null +++ b/src/man/ca/sss_groupadd.8.xml @@ -0,0 +1,58 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_groupadd + 8 + + + + sss_groupadd + crea un nou grup + + + + +sss_groupadd +opcions GRUP + + + + DESCRIPCIÓ + + sss_groupadd crea un nou grup. Aquests grups són +compatibles amb els grups POSIX, amb la característica addicional que poden +contenir altres grups com a membres. + + + + + OPCIONS + + + + , GID + + + + Estableix el GID del grup al valor del GID. Si no +se'n proporciona cap, es tria automàticament. + + + + + + + + + + + + + diff --git a/src/man/ca/sss_groupdel.8.xml b/src/man/ca/sss_groupdel.8.xml new file mode 100644 index 0000000..cfa9231 --- /dev/null +++ b/src/man/ca/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_groupdel + 8 + + + + sss_groupdel + suprimeix un grup + + + + +sss_groupdel +opcions GRUP + + + + DESCRIPCIÓ + + sss_groupdel suprimeix un grup identificat amb el seu nom +de GRUP del sistema. + + + + + OPCIONS + + + + + + + + + + + diff --git a/src/man/ca/sss_groupmod.8.xml b/src/man/ca/sss_groupmod.8.xml new file mode 100644 index 0000000..3000c8a --- /dev/null +++ b/src/man/ca/sss_groupmod.8.xml 
@@ -0,0 +1,72 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_groupmod + 8 + + + + sss_groupmod + modifica un grup + + + + +sss_groupmod +opcions +GRUP + + + + DESCRIPCIÓ + + sss_groupmod modifica el grup per reflectir els canvis +que s'especifiquen a la línia d'ordres. + + + + + OPCIONS + + + + , +GRUPS + + + + Afegeix aquest grup als grups especificats amb el paràmetre +GRUPS. El paràmetre +GRUPS és una llista delimitada per comes dels +noms dels grups. + + + + + + , +GRUPS + + + + Suprimeix aquest grup dels grups especificats amb el paràmetre +GRUPS. + + + + + + + + + + + + + diff --git a/src/man/ca/sss_groupshow.8.xml b/src/man/ca/sss_groupshow.8.xml new file mode 100644 index 0000000..d2e51b9 --- /dev/null +++ b/src/man/ca/sss_groupshow.8.xml @@ -0,0 +1,59 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_groupshow + 8 + + + + sss_groupshow + imprimeix les propietats d'un grup + + + + +sss_groupshow +opcions GRUP + + + + DESCRIPCIÓ + + sss_groupshow mostra la informació sobre un grup +identificat amb el seu nom de GRUP. La informació +inclou el número de l'id. del grup, els membres del grup i el grup primari. + + + + + OPCIONS + + + + , + + + + Also print indirect group members in a tree-like hierarchy. Note that this +also affects printing parent groups - without , only the +direct parent will be printed. + + + + + + + + + + + + + diff --git a/src/man/ca/sss_obfuscate.8.xml b/src/man/ca/sss_obfuscate.8.xml new file mode 100644 index 0000000..83cc0b0 --- /dev/null +++ b/src/man/ca/sss_obfuscate.8.xml 
@@ -0,0 +1,98 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + ofusca una contrasenya en text clar + + + + +sss_obfuscate +opcions [PASSWORD] + + + + DESCRIPCIÓ + + sss_obfuscate converteix una contrasenya especificada a +un format illegible per als humans i la posa a la secció del domini adequat +del fitxer de configuració de l'SSSD. + + + La contrasenya en text clar es llegeix de l'entrada estàndard o s'introdueix +de forma interactiva. La contrasenya ofuscada es fica al paràmetre +ldap_default_authtok del domini SSSD indicat, i el paràmetre +ldap_default_authtok_type s'estableix a +obfuscated_password. Consulteu +sssd-ldap 5 + per a més detalls sobre aquests paràmetres. + + + Tingueu en compte que ofuscar les contrasenyes no proporciona cap +benefici real de seguretat, ja que un atacant encara podria +extreure la contrasenya amb enginyeria inversa. Es recomana +aferrissadament l'ús de mecanismes d'autenticació +millors com els certificats al cantó del client o el GSSAPI. + + + + + OPCIONS + + + + + , + + + + La contrasenya per ofuscar es llegirà de l'entrada estàndard. + + + + + + , +DOMINI + + + + El domini SSSD on s'utilitza la contrasenya. El nom per defecte és +default. + + + + + + , +FITXER + + + + Llegeix el fitxer de configuració que s'especifica amb el paràmetre +posicional. + + + Per defecte: /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/ca/sss_rpcidmapd.5.xml b/src/man/ca/sss_rpcidmapd.5.xml new file mode 100644 index 0000000..ea4f529 --- /dev/null +++ b/src/man/ca/sss_rpcidmapd.5.xml 
@@ -0,0 +1,113 @@ + + + +Pàgines del manual de l'SSSD + + +sss rpc.idmapd plugin +Noam Meltzer +Primary Data Inc. Desenvolupador +(2013-2014) Noam +Meltzer Desenvolupador (2014-) +tsnoam@gmail.com + + + sss_rpcidmapd + 5 + Formats i convencions dels fitxers + + + + sss_rpcidmapd + les directrius de configuració del complement sss per al rpc.idmapd + + + + FITXER DE CONFIGURACIÓ + + El fitxer de configuració rpc.idmapd normalment es troba a +/etc/idmapd.conf. Vegeu +idmapd.conf 5 + per més informació. + + + + + AMPLIACIÓ DE LA CONFIGURACIÓ DE L'SSS + + Habilita el complement SSS + + En la secció [Translation], modifiqueu o establiu l'atribut +Method per abastar sss. + + + + Secció de configuració [sss] + + Per canviar el valor per defecte d'un dels atributs de configuració del +connector de l'sss que es llisten a continuació, +necessitareu crear-li una secció de configuració, anomenada +[sss]. + + + Atributs de configuració + + memcache (booleà) + + + Indica si s'utilitza o no la tècnica d'optimització de la memòria cau. + + + Per defecte: True + + + + + + + + + INTEGRACIÓ DE L'SSSD + + El connector sss requereix que s'habiliti el contestador del +NSS al sssd. + + + L'atribut use_fully_qualified_names ha d'estar habilitat en +tots els dominis (els clients de NFSv4 esperen un FQN per a ser enviats al +cable). + + + + + EXEMPLE + + En el següent exemple es mostra un idmapd.conf mínim que fa ús del connector +sss. +[General] +Verbosity = 2 +# el domini ha de sincronitzar-se entre el servidor i els clients del NFSv4 +# Solaris/Illumos/AIX utilitzen "localdomain" com a predeterminat! +Domain = default + +[Mapping] +Nobody-User = nfsnobody +Nobody-Group = nfsnobody + +[Translation] +Method = sss + + + + + + VEGEU TAMBÉ + + sssd8 +, idmapd.conf +5 + + + + diff --git a/src/man/ca/sss_seed.8.xml b/src/man/ca/sss_seed.8.xml new file mode 100644 index 0000000..b63af2c --- /dev/null +++ b/src/man/ca/sss_seed.8.xml 
@@ -0,0 +1,169 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_seed + 8 + + + + sss_seed + implanta la memòria cau de l'SSSD amb un usuari + + + + +sss_seed +opcions -D +DOMINI -n +USUARI + + + + DESCRIPCIÓ + + sss_seed implanta la memòria cau de l'SSSD amb una +entrada d'un usuari i la contrasenya temporal. Si l'entrada d'un usuari ja +està present a la memòria cau de l'SSSD aleshores s'actualitza l'entrada amb +la contrasenya temporal. + + + + + + + OPCIONS + + + + , +DOMINI + + + + Proporciona el nom del domini en el qual l'usuari n'és membre. El domini +també s'utilitza per recuperar la informació de l'usuari. El domini ha +d'estar configurat a l'sssd.conf. S'ha de proporcionar l'opció del +DOMINI. La informació recuperada del domini +anul·la aquella que es proporcioni a les opcions. + + + + + + , +USER + + + + L'entrada del nom d'usuari a crear o modificar a la memòria cau. S'ha de +proporcionar l'opció de l'USUARI. + + + + + + , UID + + + + Estableix l'UID de l'usuari a UID. + + + + + + , GID + + + + Estableix el GID de l'usuari a GID. + + + + + + , +COMMENTARI + + + + Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza +com a camp per al nom complet de l'usuari. + + + + + + , +DIRECTORI_INICIAL + + + + Establix el directori inicial de l'usuari a +DIRECTORI_INICIAL. + + + + + + , +SHELL + + + + Estableix el shell d'inici de sessió de l'usuari a +SHELL. + + + + + + , + + + + Mode interactiu per a la introducció de la informació de l'usuari. Aquesta +opció només demanà la informació no proporcionada a les opcions o que no es +recuperi del domini. + + + + + + , +FITXER_CONTRASENYA + + + + Especifica el fitxer des d'on llegir la contrasenya de l'usuari. 
(si no +s'especifica, es demana per la contrasenya) + + + + + + + + + NOTES + + La longitud de la contrasenya (o la mida del fitxer que s'especifica amb +l'opció -p o --password-file) ha de ser més petita o igual que PASS_MAX +bytes (64 bytes en els sistemes que no defineixen globalment el valor de +PASS_MAX). + + + + + + + + + + diff --git a/src/man/ca/sss_useradd.8.xml b/src/man/ca/sss_useradd.8.xml new file mode 100644 index 0000000..e9a95c5 --- /dev/null +++ b/src/man/ca/sss_useradd.8.xml 
@@ -0,0 +1,166 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_useradd + 8 + + + + sss_useradd + crea un nou usuari + + + + +sss_useradd +OPCIONS +USUARI + + + + DESCRIPCIÓ + + sss_useradd crea un nou compte d'usuari amb els valors +que s'especifiquen en la línia d'ordres més els valors per defecte del +sistema. + + + + + OPCIONS + + + + , UID + + + + Estableix l'UID de l'usuari al valor de l'UID. Si +no se'n proporciona cap, es tria automàticament. + + + + + + , +COMMENTARI + + + + Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza +com a camp per al nom complet de l'usuari. + + + + + + , +DIRECTORI_INICIAL + + + + El directori inicial del compte de l'usuari. Per defecte s'afegeix +l'USUARI a /home i +s'utilitza aquest com el directori inicial. La base que s'afegeix abans de +l'USUARI es pot personalitzar amb l'ajust +user_defaults/baseDirectory a l'sssd.conf. + + + + + + , +SHELL + + + + El shell d'inici de sessió de l'usuari. Per defecte és +/bin/bash. Es pot canviar el valor per defecte amb +l'ajust user_defaults/defaultShell de l'sssd.conf. + + + + + + , +GRUPS + + + + Una llista dels grups existents que aquest usuari també n'és membre. + + + + + + , + + + + Crea el directori inicial de l'usuari si no existeix. Al directori inicial +es copiaran els fitxers i els directoris continguts al directori esquemàtic +(que es pot definir amb l'opció -k o al fitxer de configuració). + + + + + + , + + + + No crea el directori inicial de l'usuari. Substitueix els ajusts de la +configuració. + + + + + + , +DIRECTORI_ESQUEMÀTIC + + + + El directori esquemàtic que conté els fitxers i els directoris per copiar al +directori inicial de l'usuari, quan es crea el directori inicial amb +sss_useradd. + + + No es copiaran els fitxers especials (dispositius de blocs, dispositius de +caràcters, canonades amb noms i sòcols d'UNIX). 
+ + + Aquesta opció tan sols és vàlida si s'especifica l'opció +(o ), o bé la creació dels directoris inicials +està establerta a TRUE a la configuració. + + + + + + , +SELINUX_USER + + + + L'usuari de SELinux per a l'inici de sessió de l'usuari. Si no s'especifica, +s'utilitzarà el predeterminat del sistema. + + + + + + + + + + + + + diff --git a/src/man/ca/sss_userdel.8.xml b/src/man/ca/sss_userdel.8.xml new file mode 100644 index 0000000..e05ea52 --- /dev/null +++ b/src/man/ca/sss_userdel.8.xml @@ -0,0 +1,92 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_userdel + 8 + + + + sss_userdel + suprimeix el compte d'un usuari + + + + +sss_userdel +opcions USUARI + + + + DESCRIPCIÓ + + sss_userdel suprimeix un usuari identificat amb el nom +d'usuari USUARI del sistema. + + + + + OPCIONS + + + + + , + + + + Els fitxers al directori inicial de l'usuari seran eliminats juntament amb +el mateix directori inicial i la gestió de cues del correu de +l'usuari. Substitueix la configuració. + + + + + + , + + + + Els fitxers al directori inicial de l'usuari no seran eliminats juntament +amb el mateix directori inicial i la gestió de cues del correu de +l'usuari. Substitueix la configuració. + + + + + + , + + + + Aquesta opció obliga a sss_userdel a suprimir el +directori inicial i la gestió de cues del correu de l'usuari, encara que no +siguin de la propietat de l'usuari especificat. + + + + + + , + + + + Abans d'eliminar realment a l'usuari, acaba tots els seus processos. + + + + + + + + + + + + diff --git a/src/man/ca/sss_usermod.8.xml b/src/man/ca/sss_usermod.8.xml new file mode 100644 index 0000000..9ae8d44 --- /dev/null +++ b/src/man/ca/sss_usermod.8.xml 
@@ -0,0 +1,170 @@ + + + +Pàgines del manual de l'SSSD + + + + + sss_usermod + 8 + + + + sss_usermod + modifica el compte d'un usuari + + + + +sss_usermod +OPCIONS +USUARI + + + + DESCRIPCIÓ + + sss_usermod modifica el compte especificat amb +USUARI per reflectir els canvis que +s'especifiquen a la línia d'ordres. + + + + + OPCIONS + + + + , +COMMENTARI + + + + Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza +com a camp per al nom complet de l'usuari. + + + + + + , +DIRECTORI_INICIAL + + + + El directori inicial del compte de l'usuari. + + + + + + , +SHELL + + + + El shell d'inici de sessió de l'usuari. + + + + + + , +GRUPS + + + + Annexa aquest usuari als grups que s'especifiquen amb el paràmetre dels +GRUPS. El paràmetre dels +GRUPS és una llista delimitada per comes dels +noms dels grups. + + + + + + , +GRUPS + + + + Remove this user from groups specified by the +GROUPS parameter. + + + + + + , + + + + Bloqueja el compte de l'usuari. L'usuari no podrà iniciar la sessió. + + + + + + , + + + + Desbloqueja el compte de l'usuari. + + + + + + , +SELINUX_USER + + + + L'usuari de SELinux per a l'inici de sessió de l'usuari. + + + + + + NOM_ATRIBUT_VALOR + + + + Afegeix una parella atribut/valor. El format és nomatribut=valor. + + + + + + NOM_ATRIBUT_VALOR + + + + Estableix un atribut a la parella nom/valor. El format és +nomatribut=valor. Per als atributs amb múltiples valors, l'ordre substitueix +els valors ja presents + + + + + + NOM_ATRIBUT_VALOR + + + + Elimina una parella atribut/valor. El format és nomatribut=valor. + + + + + + + + + + + + + diff --git a/src/man/ca/sssd-ifp.5.xml b/src/man/ca/sssd-ifp.5.xml new file mode 100644 index 0000000..af1f355 --- /dev/null +++ b/src/man/ca/sssd-ifp.5.xml 
@@ -0,0 +1,140 @@ + + + +Pàgines del manual de l'SSSD + + + + + sssd-ifp + 5 + Formats i convencions dels fitxers + + + + sssd-ifp + contestador de l'InfoPipe de l'SSSD + + + + DESCRIPCIÓ + + En aquesta pàgina del manual es descriu la configuració del contestador de +l'InfoPipe per a sssd +8 . Per a una referència detallada de +la sintaxi, consulteu la secció FORMAT DEL FITXER de la +pàgina del manual sssd.conf +5 . + + + El contestador de l'InfoPipe proporciona una interfície D-Bus publica que es +pot accedir a través del bus del sistema. La interfície permet que l'usuari +consulti informació sobre els usuaris i els grups remots a través del bus +del sistema. + + + + + OPCIONS DE CONFIGURACIÓ + + Es poden utilitzar aquestes opcions per configurar el contestador de +l'InfoPipe. + + + + allowed_uids (cadena) + + + Especifica una llista separada per comes dels valors dels UID o dels noms +d'usuaris que estan assignats per accedir al contestador de l'InfoPipe. Els +noms d'usuaris es resolen als UID en la preparació. + + + Per defecte: 0 (únicament a l'usuari root se li permet l'accés al +contestador de l'InfoPipe) + + + Tingueu en compte que encara que s'utilitzi l'UID 0 com a valor per defecte +se sobreescriurà amb aquesta opció. Si encara voleu permetre que l'usuari +root accedeixi al contestador de l'InfoPipe, el que seria el cas típic, +també cal afegir 0 a la llista dels UID permesos. + + + + + + user_attributes (cadena) + + + Especifica una llista separada per comes dels atributs de la llista negra o +blanca. + + + Per defecte, el contestador de l'InfoPipe únicament permet que se +sol·licitin el conjunt per defecte dels atributs POSIX. Aquest conjunt és el +mateix que es retorna amb +getpwnam 3 + i inclou: + + name + nom d'inici de sessió de l'usuari + + + uidNumber + id. de l'usuari + + + gidNumber + id. 
del grup primari + + + gecos + informació de l'usuari, normalment el nom complet + + + homeDirectory + directori inicial + + + loginShell + shell de l'usuari + + + + + Es poden afegir altres atributs a aquest conjunt amb ++nom_atribut o suprimir explícitament un atribut amb +-nom_atribut. Per exemple, per permetre +telephoneNumber però denegar loginShell, +podríeu utilitzar la següent configuració: +user_attributes = +telephoneNumber, -loginShell + + + + Per defecte: sense establir. Únicament es permet el conjunt per defecte dels +atributs POSIX. + + + + + + wildcard_limit (integer) + + + Specifies an upper limit on the number of entries that are downloaded during +a wildcard lookup that overrides caller-supplied limit. + + + Default: 0 (let the caller set an upper limit) + + + + + + + + + + + diff --git a/src/man/ca/sssd-simple.5.xml b/src/man/ca/sssd-simple.5.xml new file mode 100644 index 0000000..8a80d56 --- /dev/null +++ b/src/man/ca/sssd-simple.5.xml 
@@ -0,0 +1,154 @@ + + + +Pàgines del manual de l'SSSD + + + + + sssd-simple + 5 + Formats i convencions dels fitxers + + + + sssd-simple + el fitxer de configuració per al proveïdor de control d'accés 'simple' de +l'SSSD + + + + DESCRIPCIÓ + + En aquesta pàgina del manual es descriu la configuració del proveïdor de +control d'accés simple per a +sssd +8. Per a una referència detallada de +la sintaxi, aneu a la secció FORMAT DEL FITXER de la pàgina +del manual sssd.conf +5 . + + + El proveïdor d'accés simple concedeix o denega l'accés basat en una llista +d'accés o denegació dels noms dels usuaris o dels noms dels +grups. S'apliquen les regles següents: + + + Si totes les llistes estan buides, es concedeix l'accés + + + + Si es proporciona alguna llista, l'ordre d'avaluació és permissió, +denegació. Això vol dir que qualsevol coincidència amb la regla de denegació +reemplaçarà qualsevol coincidència amb la regla de permissió. + + + + + Si es proporcionen una o ambdues llistes de "permissió", tots els usuaris +són denegats excepte els que apareixen a la llista. + + + + + Si només es proporcionen llistes de "denegació", es concedeix l'accés a tots +els usuaris excepte els que apareixen a la llista. + + + + + + + + OPCIONS DE CONFIGURACIÓ + Per a més informació sobre la configuració d'un domini SSSD, consulteu la +secció SECCIONS DELS DOMINIS de la pàgina del manual + sssd.conf +5 . + + simple_allow_users (cadena) + + + Llista separada per comes dels usuaris a qui se'ls permet iniciar la sessió. + + + + + + simple_deny_users (cadena) + + + Llista separada per comes dels usuaris a qui se'ls denega explícitament +l'accés. + + + + + simple_allow_groups (cadena) + + + Llista separada per comes dels grups a qui se'ls permet iniciar la +sessió. Això s'aplica únicament als grups dins d'aquest domini SSSD. No +s'avaluen els grups locals. + + + + + + simple_deny_groups (cadena) + + + Llista separada per comes dels grups a qui se'ls denega explícitament +l'accés. 
Això s'aplica únicament als grups dins d'aquest domini SSSD. No +s'avaluen els grups locals. + + + + + + + Specifying no values for any of the lists is equivalent to skipping it +entirely. Beware of this while generating parameters for the simple provider +using automated scripts. + + + Si us plau, tingueu en compte que és un error de configuració si es +defineixen alhora simple_allow_users i simple_deny_users. + + + + + EXEMPLE + + En el següent exemple s'assumeix que l'SSD està configurat correctament i +que exemple.com és un dels dominis de la secció +[sssd]. En aquest exemple es mostren únicament +les opcions específiques del proveïdor d'accés simple. + + + +[domini/exemple.com] +access_provider = simple +simple_allow_users = usuari1, usuari2 + + + + + + NOTES + + La jerarquia completa de la pertinença a un grup es resol abans de la +comprovació de l'accés, de manera que fins i tot els grups imbricats es +poden incloure a les llistes d'accés. Si us plau, tingueu cura que l'opció +ldap_group_nesting_level pot influir amb els resultats i s'ha +d'establir amb un valor suficient. L'opció ( +sssd-ldap5 +). + + + + + + + diff --git a/src/man/ca/sssd.8.xml b/src/man/ca/sssd.8.xml new file mode 100644 index 0000000..4177d70 --- /dev/null +++ b/src/man/ca/sssd.8.xml 
@@ -0,0 +1,232 @@ + + + +Pàgines del manual de l'SSSD + + + + + sssd + 8 + + + + sssd + dimoni dels serveis de seguretat del sistema (System Security Services +Daemon) + + + + +sssd +options + + + + DESCRIPCIÓ + + L'SSSD proporciona un conjunt de dimonis per gestionar +l'accés als directoris remots i els mecanismes d'autenticació. Proporciona +una interfície NSS i PAM cap al sistema i un sistema d'accés a la capa de +dades amb connectors per connectar a orígens múltiples de comptes diferents, +com ara la interfície D-Bus. També és la base per proporcionar l'auditoria +dels clients i les polítiques dels serveis per a projectes com +FreeIPA. Proporciona una base de dades més robusta on emmagatzemar els +usuaris locals, així com dades addicionals de l'usuari. + + + + + OPCIONS + + + + , +NIVELL + + + + + + mode + + + + 1: Afegeix una marca temporal als registres de +depuració + + + 0: Inhabilita la marca temporal als registres de +depuració + + + Per defecte: 1 + + + + + + mode + + + + 1: Afegeix els mil·lisegons a les marques temporals als +missatges de depuració + + + 0: Inhabilita els mil·lisegons a les marques temporals + + + Per defecte: 0 + + + + + + , + + + + Envia la sortida de depuració als fitxers en comptes de l'stderr. Per +defecte, els fitxers dels registres s'emmagatzemen a +/var/log/sssd i hi ha fitxers dels registres que se +separen per a cadascun dels serveis i dels dominis de l'SSSD. + + + This option is deprecated. It is replaced by +. + + + + + + value + + + + Location where SSSD will send log messages. This option overrides the value +of the deprecated option . The deprecated +option will still work if the is not used. + + + stderr: Redirect debug messages to standard error +output. + + + files: Redirect debug messages to the log files. By +default, the log files are stored in /var/log/sssd and +there are separate log files for every SSSD service and domain. 
+ + + journald: Redirect debug messages to systemd-journald + + + Per defecte: sense establir + + + + + + , + + + + Esdevé un dimoni després de la posada en marxa. + + + + + + , + + + + Executa en primer pla, no esdevinguis un dimoni. + + + + + + , + + + + Especifica un fitxer de configuració diferent al predeterminat. Per defecte +és /etc/sssd/sssd.conf. Per consultar la sintaxi del +fitxer de configuració i les opcions, aneu a la pàgina del manual del + sssd.conf +5. + + + + + + + + + + + Imprimeix el número de la versió i surt. + + + + + + + + Senyals + + + SIGTERM/SIGINT + + + Informa l'SSSD per finalitzar elegantment tots els seus processos fills i +després atura el monitor. + + + + + SIGHUP + + + Diu a l'SSSD que deixi d'escriure als actuals descriptors de fitxers de +depuració i que els tanqui i els reobri. Això intenta facilitar la rotació +dels registres amb programes com logrotate. + + + + + SIGUSR1 + + + Diu a l'SSSD que simuli l'operació sense connexió pel període del paràmetre +offline_timeout. Això és útil per fer proves. El senyal es +pot enviar directament al procés sssd o sssd_be. + + + + + SIGUSR2 + + + Diu a l'SSSD que es desconnecti immediatament. Això és útil per fer +proves. El senyal es pot enviar directament al procés sssd o sssd_be. + + + + + + + + NOTES + + Si la variable d'entorn SSS_NSS_USE_MEMCACHE està establerta a "NO", les +aplicacions clients no utilitzaran el fast en la memòria cau. + + + + + + + diff --git a/src/man/cs/include/ad_modified_defaults.xml b/src/man/cs/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/cs/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend provider
+defaults, these option names and AD provider-specific defaults are listed
+below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_enterprise_principal = true
+
+
+
+
+
+ LDAP Provider
+
+
+
+ ldap_schema = ad
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_id_mapping = true
+
+
+
+
+ ldap_sasl_mech = gssapi
+
+
+
+
+ ldap_referrals = false
+
+
+
+
+ ldap_account_expire_policy = ad
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+
+
+ The AD provider looks for a different principal than the LDAP provider by
+default, because in an Active Directory environment the principals are
+divided into two groups - User Principals and Service Principals. Only User
+Principal can be used to obtain a TGT and by default, computer object's
+principal is constructed from its sAMAccountName and the AD realm. The
+well-known host/hostname@REALM principal is a Service Principal and thus
+cannot be used to get a TGT with.
+
+
+
+
+
diff --git a/src/man/cs/include/autofs_restart.xml b/src/man/cs/include/autofs_restart.xml
new file mode 100644
index 0000000..f31efe5
--- /dev/null
+++ b/src/man/cs/include/autofs_restart.xml
@@ -0,0 +1,5 @@
+
+ Please note that the automounter only reads the master map on startup, so if
+any autofs-related changes are made to the sssd.conf, you typically also
+need to restart the automounter daemon after restarting the SSSD.
+
diff --git a/src/man/cs/include/debug_levels.xml b/src/man/cs/include/debug_levels.xml
new file mode 100644
index 0000000..5148252
--- /dev/null
+++ b/src/man/cs/include/debug_levels.xml
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/cs/include/debug_levels_tools.xml b/src/man/cs/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/cs/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@
+
+
+ SSSD supports two representations for specifying the debug level. The
+simplest is to specify a decimal value from 0-9, which represents enabling
+that level and all lower-level debug messages. The more comprehensive option
+is to specify a hexadecimal bitmask to enable or disable specific levels
+(such as if you wish to suppress a level).
+
+
+ Currently supported debug levels:
+
+
+ 0, 0x0010: Fatal
+failures. Anything that would prevent SSSD from starting up or causes it to
+cease running.
+
+
+ 1, 0x0020: Critical failures. An
+error that doesn't kill SSSD, but one that indicates that at least one major
+feature is not going to work properly.
+
+
+ 2, 0x0040: Serious failures. An
+error announcing that a particular request or operation has failed.
+
+
+ 3, 0x0080: Minor failures. These
+are the errors that would percolate down to cause the operation failure of
+2.
+
+
+ 4, 0x0100: Configuration settings.
+
+
+ 5, 0x0200: Function data.
+
+
+ 6, 0x0400: Trace messages for
+operation functions.
+
+
+ 7, 0x1000: Trace messages for
+internal control functions.
+
+
+ 8, 0x2000: Contents of
+function-internal variables that may be interesting.
+
+
+ 9, 0x4000: Extremely low-level
+tracing information.
+
+
+ To log required bitmask debug levels, simply add their numbers together as
+shown in following examples:
+
+
+ Example: To log fatal failures, critical failures,
+serious failures and function data use 0x0270.
+
+
+ Example: To log fatal failures, configuration settings,
+function data, trace messages for internal control functions use 0x1310.
+
+
+ Note: The bitmask format of debug levels was introduced
+in 1.7.0.
+
+
+ Default: 0
+
+
diff --git a/src/man/cs/include/experimental.xml b/src/man/cs/include/experimental.xml
new file mode 100644
index 0000000..7103a0e
--- /dev/null
+++ b/src/man/cs/include/experimental.xml
@@ -0,0 +1,2 @@
+ This is an experimental feature, please use
+https://pagure.io/SSSD/sssd/ to report any issues.
diff --git a/src/man/cs/include/failover.xml b/src/man/cs/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/cs/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/cs/include/homedir_substring.xml b/src/man/cs/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/cs/include/homedir_substring.xml 
@@ -0,0 +1,17 @@
+
+ homedir_substring (string)
+
+
+ The value of this option will be used in the expansion of the
+override_homedir option if the template contains the
+format string %H. An LDAP directory entry can directly
+contain this template so that this option can be used to expand the home
+directory path for each client machine (or operating system). It can be set
+per-domain or globally in the [nss] section. A value specified in a domain
+section will override one set in the [nss] section.
+
+
+ Default: /home
+
+
+
diff --git a/src/man/cs/include/ipa_modified_defaults.xml b/src/man/cs/include/ipa_modified_defaults.xml
new file mode 100644
index 0000000..4ad4b45
--- /dev/null
+++ b/src/man/cs/include/ipa_modified_defaults.xml
@@ -0,0 +1,123 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend provider
+defaults, these option names and IPA provider-specific defaults are listed
+below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_fast = try
+
+
+
+
+ krb5_canonicalize = true
+
+
+
+
+
+ LDAP Provider - General
+
+
+
+ ldap_schema = ipa_v1
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_sasl_mech = GSSAPI
+
+
+
+
+ ldap_sasl_minssf = 56
+
+
+
+
+ ldap_account_expire_policy = ipa
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+
+ LDAP Provider - User options
+
+
+
+ ldap_user_member_of = memberOf
+
+
+
+
+ ldap_user_uuid = ipaUniqueID
+
+
+
+
+ ldap_user_ssh_public_key = ipaSshPubKey
+
+
+
+
+ ldap_user_auth_type = ipaUserAuthType
+
+
+
+
+
+ LDAP Provider - Group options
+
+
+
+ ldap_group_object_class = ipaUserGroup
+
+
+
+
+ ldap_group_object_class_alt = posixGroup
+
+
+
+
+ ldap_group_member = member
+
+
+
+
+ ldap_group_uuid = ipaUniqueID
+
+
+
+
+ ldap_group_objectsid = ipaNTSecurityIdentifier
+
+
+
+
+ ldap_group_external_member = ipaExternalMember
+
+
+
+
+
diff --git a/src/man/cs/include/ldap_id_mapping.xml b/src/man/cs/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/cs/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+
+
+ Since some utilities allow to modify SID based access control information
+with the help of a name instead of using the SID directly SSSD supports to
+look up the SID by the name as well. To avoid collisions only the fully
+qualified names can be used to look up Well-Known SIDs. As a result the
+domain names NULL AUTHORITY, WORLD AUTHORITY,
+ LOCAL AUTHORITY, CREATOR AUTHORITY, NT
+AUTHORITY and BUILTIN should not be used as domain
+names in sssd.conf.
+
+
+
+
diff --git a/src/man/cs/include/ldap_search_bases.xml b/src/man/cs/include/ldap_search_bases.xml
new file mode 100644
index 0000000..189f862
--- /dev/null
+++ b/src/man/cs/include/ldap_search_bases.xml
@@ -0,0 +1,31 @@
+
+
+ An optional base DN, search scope and LDAP filter to restrict LDAP searches
+for this attribute type.
+
+
+ syntax:
+search_base[?scope?[filter][?search_base?scope?[filter]]*]
+
+
+
+ The scope can be one of "base", "onelevel" or "subtree". The scope functions
+as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511
+
+
+ The filter must be a valid LDAP search filter as specified by
+http://www.ietf.org/rfc/rfc2254.txt
+
+
+ For examples of this syntax, please refer to the
+ldap_search_base examples section.
+
+
+ Default: the value of ldap_search_base
+
+
+ Please note that specifying scope or filter is not supported for searches
+against an Active Directory Server that might yield a large number of
+results and trigger the Range Retrieval extension in the response.
+
+
diff --git a/src/man/cs/include/local.xml b/src/man/cs/include/local.xml
new file mode 100644
index 0000000..ce849a3
--- /dev/null
+++ b/src/man/cs/include/local.xml
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/cs/include/override_homedir.xml b/src/man/cs/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/cs/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/cs/include/param_help.xml b/src/man/cs/include/param_help.xml new file mode 100644 index 0000000..f4bc454 --- /dev/null +++ b/src/man/cs/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Zobraz nápovědu a ukonči program. + + + diff --git a/src/man/cs/include/param_help_py.xml b/src/man/cs/include/param_help_py.xml new file mode 100644 index 0000000..5dfb644 --- /dev/null +++ b/src/man/cs/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Zobraz nápovědu a ukonči program. + + + diff --git a/src/man/cs/include/seealso.xml b/src/man/cs/include/seealso.xml new file mode 100644 index 0000000..44c870e --- /dev/null +++ b/src/man/cs/include/seealso.xml @@ -0,0 +1,61 @@ + + VIZ TAKÉ + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/cs/include/service_discovery.xml b/src/man/cs/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/cs/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/cs/include/upstream.xml b/src/man/cs/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/cs/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/cs/sss_groupdel.8.xml b/src/man/cs/sss_groupdel.8.xml new file mode 100644 index 0000000..7cd529e --- /dev/null +++ b/src/man/cs/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +Manuálové stránky SSSD + + + + + sss_groupdel + 8 + + + + sss_groupdel + vymazat skupinu + + + + +sss_groupdel +volby SKUPINA + + + + POPIS + + sss_groupdel odstraní ze systému skupinu určenou jejím +jménemSKUPINA. + + + + + VOLBY + + + + + + + + + + + diff --git a/src/man/de/include/ad_modified_defaults.xml b/src/man/de/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null 
+++ b/src/man/de/include/ad_modified_defaults.xml @@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/de/include/autofs_restart.xml b/src/man/de/include/autofs_restart.xml new file mode 100644 index 0000000..bcc6868 --- /dev/null +++ b/src/man/de/include/autofs_restart.xml @@ -0,0 +1,6 @@ + + Bitte beachten Sie, dass der Automounter beim Start nur die Master-Abbildung +liest. Daher müssen Sie normalerweise, falls irgendwelche zu Autofs +gehörigen Änderungen in der »sssd.conf« vorgenommen wurden, den +Automounter-Daemon nach dem SSSD-Neustart ebenfalls neu starten. + diff --git a/src/man/de/include/debug_levels.xml b/src/man/de/include/debug_levels.xml new file mode 100644 index 0000000..4433ee8 --- /dev/null +++ b/src/man/de/include/debug_levels.xml 
@@ -0,0 +1,89 @@ + + + SSSD unterstützt zwei Darstellungsmodi für die Angabe der Debug-Stufe. Die +einfachste ist die Angabe eines Dezimalwerts von 0 bis 9, welche die +Aktivierung der Meldungen der entsprechenden Stufe und aller niederer Stufen +bewirkt. Eine umfassendere Option ist die Angabe einer hexadezimalen +Bitmaske, um spezifische Stufen zu aktivieren oder zu deaktivieren (wenn Sie +beispielsweise eine Stufe unterdrücken wollen). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + derzeit unterstützte Debug-Stufen: + + + 0, 0x0010: Schwerwiegende +Fehler. Alles was SSSD am Start hindern oder es beenden könnte. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Ernsthafte Fehler. Dies +sind Fehler, bei denen eine bestimmte Anfrage oder Operation fehlgeschlagen +ist. + + + 3, 0x0080: Kleinere Fehler. Dies +sind Fehler, die von geringerer Bedeutung als die fehlgeschlagenen +Operationen in der Stufe 2 sind. + + + 4, 0x0100: +Konfigurationseinstellungen. + + + 5, 0x0200: Funktionsdaten. + + + 6, 0x0400: Meldungen aus der +Verfolgung von Operationsfunktionen. + + + 7, 0x1000: Meldungen aus der +Verfolgung interner Kontrollfunktionen. + + + 8, 0x2000: Inhalte +funktionsinterner Variablen, die von Interesse sein könnten. + + + 9, 0x4000: Verfolgungsmeldungen +extrem niederster Ebene. 
+ + + Um die Debug-Stufen nach Bitmaske zu protokollieren, fügen Sie deren Nummern +hinzu, wie in den folgenden Beispielen gezeigt: + + + Beispiel: Um fatale, kritische, schwerwiegende Fehler +und Funktionsdaten zu protokollieren, benutzen Sie 0x0270. + + + Beispiel: Um fatale Fehler, +Konfigurationseinstellungen, Funktionsdaten und Verfolgungsnachrichten für +interne Steuerfunktionen zu protokollieren, benutzen Sie 0x1310. + + + Hinweis: Das Bitmasken-Format der Debug-Level wurde in +1.7.0 eingeführt. + + + Voreinstellung: 0 + + diff --git a/src/man/de/include/debug_levels_tools.xml b/src/man/de/include/debug_levels_tools.xml new file mode 100644 index 0000000..dc3e8a2 --- /dev/null +++ b/src/man/de/include/debug_levels_tools.xml 
@@ -0,0 +1,75 @@ + + + SSSD unterstützt zwei Darstellungsmodi für die Angabe der Debug-Stufe. Die +einfachste ist die Angabe eines Dezimalwerts von 0 bis 9, welche die +Aktivierung der Meldungen der entsprechenden Stufe und aller niederer Stufen +bewirkt. Eine umfassendere Option ist die Angabe einer hexadezimalen +Bitmaske, um spezifische Stufen zu aktivieren oder zu deaktivieren (wenn Sie +beispielsweise eine Stufe unterdrücken wollen). + + + derzeit unterstützte Debug-Stufen: + + + 0, 0x0010: Schwerwiegende +Fehler. Alles was SSSD am Start hindern oder es beenden könnte. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Ernsthafte Fehler. Dies +sind Fehler, bei denen eine bestimmte Anfrage oder Operation fehlgeschlagen +ist. + + + 3, 0x0080: Kleinere Fehler. Dies +sind Fehler, die von geringerer Bedeutung als die fehlgeschlagenen +Operationen in der Stufe 2 sind. + + + 4, 0x0100: +Konfigurationseinstellungen. + + + 5, 0x0200: Funktionsdaten. + + + 6, 0x0400: Meldungen aus der +Verfolgung von Operationsfunktionen. + + + 7, 0x1000: Meldungen aus der +Verfolgung interner Kontrollfunktionen. + + + 8, 0x2000: Inhalte +funktionsinterner Variablen, die von Interesse sein könnten. + + + 9, 0x4000: Verfolgungsmeldungen +extrem niederster Ebene. + + + Um die Debug-Stufen nach Bitmaske zu protokollieren, fügen Sie deren Nummern +hinzu, wie in den folgenden Beispielen gezeigt: + + + Beispiel: Um fatale, kritische, schwerwiegende Fehler +und Funktionsdaten zu protokollieren, benutzen Sie 0x0270. + + + Beispiel: Um fatale Fehler, +Konfigurationseinstellungen, Funktionsdaten und Verfolgungsnachrichten für +interne Steuerfunktionen zu protokollieren, benutzen Sie 0x1310. + + + Hinweis: Das Bitmasken-Format der Debug-Level wurde in +1.7.0 eingeführt. + + + Voreinstellung: 0 + + 
diff --git a/src/man/de/include/experimental.xml b/src/man/de/include/experimental.xml
new file mode 100644
index 0000000..7103a0e
--- /dev/null
+++ b/src/man/de/include/experimental.xml
@@ -0,0 +1,2 @@
+ This is an experimental feature, please use
+https://pagure.io/SSSD/sssd/ to report any issues.
diff --git a/src/man/de/include/failover.xml b/src/man/de/include/failover.xml
new file mode 100644
index 0000000..028b42b
--- /dev/null
+++ b/src/man/de/include/failover.xml
@@ -0,0 +1,102 @@ + + AUSFALLSICHERUNG + + Die Ausfallsicherungsfunktionalität ermöglicht es, dass Backends automatisch +auf einen anderen Server wechseln, falls der aktuelle versagt. + + + AUSFALLSICHERUNGSSYNTAX + + Die Server werden als durch Kommata getrennte Liste angegeben. Um das Komma +herum ist eine beliebige Anzahl von Leerzeichen erlaubt. Die Server werden +in Reihenfolge der Bevorzugung aufgeführt. Die Liste kann eine beliebige +Anzahl von Servern enthalten. + + + Von jeder Konfigurationsoption mit aktivierter Ausfallsicherung existieren +zwei Varianten: primary und +backup. Die Idee dahinter ist, dass Server in der Liste +»primary« bevorzugt werden und nur nach »backup«-Servern gesucht wird, falls +kein »primary«-Server erreichbar ist. Falls ein »backup«-Server ausgewählt +wird, wird eine Dauer von 31 Sekunden bis zur Zeitüberschreitung +festgelegt. Nach dieser Zeit wird SSSD periodisch versuchen, sich mit einem +der primären Server zu verbinden. Ist dies erfolgreich, wird es den derzeit +aktiven (»backup«-)Server ersetzen. + + + + Der Ausfallsicherungsmechanismus + + Der Ausfallsicherungsmechanismus unterscheidet zwischen einer Maschine und +einem Dienst. Das Backend versucht zuerst, den Rechnernamen der angegebenen +Maschine aufzulösen. Falls dieser Versuch scheitert, wird davon ausgegangen, +dass die Maschine offline ist und sie auch für keinen anderen Dienst zur +Verfügung steht. Kann der den Namen erfolgreich aufgelöst werden, versucht +das Backend, sich mit einem Dienst auf dieser Maschine zu verbinden. Ist das +nicht möglich, dann wird nur dieser bestimmte Dienst als offline angesehen +und das Backend wechselt automatisch weiter zum nächsten. Die Maschine wird +weiterhin als online betrachtet und kann immer noch für andere Dienste +herangezogen werden. + + + Weitere Verbindungsversuche zu Maschinen oder Diensten, die als offline +gekennzeichnet sind, werden erst nach einer angegebenen Zeitspanne +unternommen. 
Diese ist derzeit hart auf 30 Sekunden codiert. + + + Falls es weitere Maschinen durchzuprobieren gibt, wechselt das Backend als +Ganzes in den Offline-Modus und versucht dann alle 30 Sekunden, sich erneut +zu verbinden. + + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/de/include/homedir_substring.xml b/src/man/de/include/homedir_substring.xml new file mode 100644 index 0000000..0b16de4 --- /dev/null +++ b/src/man/de/include/homedir_substring.xml 
@@ -0,0 +1,18 @@ + + homedir_substring (Zeichenkette) + + + Der Wert dieser Option wird als Auflösung der Option +override_homedir verwendet, falls die Vorlage die +Formatzeichenkette %H enthält. Ein +LDAP-Verzeichniseintrag kann diese Schablone direkt enthalten, so dass diese +Option zum Auflösen des Pfades zum Home-Verzeichnis für jeden Client-Rechner +(oder Betriebssystem) verwendet werden kann. Sie kann pro-Domain oder global +im Abschnitt [nss] gesetzt werden. Ein im Domain-Abschnitt angegebener Wert +setzt jenen im [nss]-Abschnitt außer Kraft. + + + Voreinstellung: /home + + + diff --git a/src/man/de/include/ipa_modified_defaults.xml b/src/man/de/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/de/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/de/include/ldap_id_mapping.xml b/src/man/de/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..f5cbb97
--- /dev/null
+++ b/src/man/de/include/ldap_id_mapping.xml
@@ -0,0 +1,290 @@ + + ID-ABBILDUNG + + Die ID-Abbildungsfunktionalität ermöglicht es SSSD, als Client eines Active +Directorys zu agieren, ohne dass Administratoren Benutzerattribute erweitern +müssen, damit POSIX-Attribute für Benutzer- und Gruppenkennzeichner +unterstützt werden. + + + HINWEIS: Wenn ID-Abbildung aktiviert ist, werden die Attribute »uidNumber« +und »gidNumber« ignoriert. Dies geschieht, um mögliche Konflikte zwischen +automatisch und manuell zugewiesenen Werten zu vermeiden. Falls Sie manuell +zugewiesene Werte benutzen müssen, müssen Sie ALLE Werte manuell zuweisen. + + + Bitte beachten Sie, dass die Änderung der die ID-Abbildung betreffenden +Konfigurationsoptionen auch die Änderung der Benutzer- und Gruppen-IDs nach +sich zieht. Momentan unterstützt SSSD die Änderung der IDs nicht, daher muss +die Datenbank entfernt werden. Da auch zwischengespeicherte Passwörter in +der Datenbank enthalten sind, sollte diese nur entfernt werden, während die +Authentifizierungsserver erreichbar sind, anderenfalls könnten Benutzer +ausgesperrt werden. Um das Passwort zwischenzuspeichern, muss eine +Authentifizierung ausgeführt werden. Es reicht nicht aus, +sss_cache 8 + zum Löschen der Datenbank auszuführen, vielmehr sind +folgende Schritte erforderlich: + + + + Stellen Sie sicher, dass entfernte Server erreichbar sind. + + + + + Stoppen Sie den SSSD-Dienst. + + + + + Entfernen Sie die Datenbank. + + + + + Starten Sie den SSSD-Dienst. + + + + Außerdem ist es ratsam, vorauszuplanen und die ID-Abbildung gründlich zu +testen, da die Änderung der IDs Änderungen anderer Systemeigenschaften nach +sich ziehen könnte, wie die Besitzverhältnisse von Dateien und +Verzeichnissen. + + + + Abbildungsalgorithmus + + Active Directory stellt für jedes Benutzer- und Gruppenobjekt im Verzeichnis +eine »objectSID« bereit. 
Diese »objectSID« kann in Bestandteile zerlegt +werden, die die Active-Directory-Domain-Identität und den relativen +Bezeichner (RID) des Benutzer- oder Gruppenobjekts darstellen. + + + Der ID-Abbildungsalgorithmus von SSSD nimmt einen Bereich verfügbarer UIDs +und teilt sie in gleich große Bestandteile, »Slices« genannt. Jeder Slice +steht für den verfügbaren Speicher einer Active-Directory-Domain. + + + Wenn ein Benutzer- oder Gruppeneintrag für eine bestimmt Domain zum ersten +Mal vorgefunden wird, reserviert der SSSD einen der verfügbaren Slices für +diese Domain. Um eine Slice-Zuteilung auf verschiedenen Client-Maschinen +wiederholbar zu machen, wählen wir den Slice, der auf dem folgenden +Algorithmus basiert: + + + Die Zeichenkette durchläuft den Algorithmus Murmurhash3, um sie in einen +32-Bit-Hash-Wert umzuwandeln. Dann wird der Betrag dieses Werts mit der +Gesamtzahl verfügbarer Slices genommen, um den Slice auszusuchen. + + + HINWEIS: Es ist möglich, dass Kollisionen zwischen dem Hash und +nachfolgenden Beträgen auftreten. In diesen Situationen werden wir den +nächsten verfügbaren Slice auswählen, aber es ist wahrscheinlich nicht +möglich, den genau gleichen Satz von Slices auf anderen Maschinen zu +reproduzieren (da die Reihenfolge, in der sie vorgefunden werden, ihren +Slice bestimmt). In dieser Situtation wird empfohlen, entweder auf die +Verwendung expliziter POSIX-Attribute in Active Directory zu wechseln +(ID-Abbildung deaktivieren) oder eine Standard-Domain zu konfigurieren, um +sicherzustellen, dass wenigstens eine immer beständig ist. Einzelheiten +finden Sie unter »Konfiguration«. + + + + + Konfiguration + + Minimalkonfiguration (im Abschnitt »[domain/DOMAINNAME]«): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. 
+ + + Fortgeschrittene Konfiguration + + + ldap_idmap_range_min (Ganzzahl) + + + gibt die Untergrenze des Bereichs von POSIX-IDs an, der zum Abbilden von +Active-Directory-Benutzern und Gruppen-SIDs benutzt wird. + + + HINWEIS: Diese Option unterscheidet sich von »min_id«, wobei »min_id« als +Filter für die Ausgabe von Anfragen an diese Domain agiert, wohingegen diese +Option den Bereich der ID-Zuweisung steuert. Dies ist ein feiner +Unterschied, aber es wäre ein allgemein guter Ratschlag, dass »min_id« +kleiner oder gleich »ldap_idmap_range_min« sein sollte. + + + Voreinstellung: 200000 + + + + + ldap_idmap_range_max (Ganzzahl) + + + gibt die Obergrenze des Bereichs von POSIX-IDs an, der zum Abbilden von +Active-Directory-Benutzern und Gruppen-SIDs benutzt wird. + + + HINWEIS: Diese Option unterscheidet sich von »max_id« wobei »max_id« als +Filter für die Ausgabe von Anfragen an diese Domain agiert, wohingegen diese +Option den Bereich der ID-Zuweisung steuert. Dies ist ein feiner +Unterschied, aber es wäre ein allgemein guter Ratschlag, dass »max_id« +größer oder gleich »ldap_idmap_range_max« sein sollte. + + + Voreinstellung: 2000200000 + + + + + ldap_idmap_range_size (Ganzzahl) + + + gibt die Anzahl der für jeden Slice verfügbaren IDs an. Falls sich die +Bereichsgröße nicht gleichmäßig in die minimalen und maximalen Werte teilen +lässt, werden so viele komplette Slices wie möglich erstellt. + + + HINWEIS: Der Wert dieser Option muss mindestens so groß sein wie die größte +Benutzer-RID, die jemals auf dem Active-Directory-Server verwendet werden +soll. Das Nachschlagen und Anmelden von Benutzern wird scheitern, wenn deren +RIDs größer sind als dieser Wert. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). 
+ + + Es ist wichtig, für spätere Erweiterungen vorauszuplanen, da die Änderung +dieses Wertes zur Änderung aller ID-Abbildungen des Systems führt. Dadurch +können Benutzer andere lokale IDs als vorher haben. + + + Voreinstellung: 200000 + + + + + ldap_idmap_default_domain_sid (Zeichenkette) + + + gibt die Domain-SID der Standard-Domain an. Dies wird sicherstellen, dass +diese Domain immer dem Slice null im ID-Abbild zugeordnet wird. Dabei wird +der oben beschriebene Murmurhash-Algorithmus umgangen. + + + Voreinstellung: nicht gesetzt + + + + + ldap_idmap_default_domain (Zeichenkette) + + + gibt den Namen der Standard-Domain an. + + + Voreinstellung: nicht gesetzt + + + + + ldap_idmap_autorid_compat (Boolesch) + + + ändert das Verhalten des ID-Abbildungsalgorithmus so, dass es dem +Algorithmus »idmap_autorid« von Winbind ähnlicher ist. + + + Wenn diese Option konfiguriert wurde, werden Domains beginnend bei Slice +null reserviert und gleichmäßig mit jeder zusätzlichen Domain vergrößert. + + + HINWEIS: Der Algorithmus ist nicht deterministisch (er hängt von der +Reihenfolge ab, in der Benutzer und Gruppen abgefragt werden). Falls dieser +Modus aus Kompatibilitätsgründen mit Maschinen, die Winbind ausführen, +erforderlich ist, wird empfohlen, auch die Option +»ldap_idmap_default_domain_sid« zu verwenden. Dies soll sicherstellen, dass +mindestens eine Domain beständig für den Slice null reserviert ist. + + + Voreinstellung: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. 
+ + + Voreinstellung: 10 + + + + + + + + + Bekannte Sicherheits-IDs + + SSSD unterstützt das Nachschlagen der Namen sogenannter bekannter +Sicherheits-IDs, die eine spezielle unveränderliche Bedeutung haben. Da +generische Benutzer und Gruppen, die sich auf diese bekannten SIDs beziehen, +keine Entsprechung in einer Linux/UNIX-Umgebung haben, sind für diese +Objekte keine POSIX-IDs verfügbar. + + + Der SID-Namensraum ist in Autoritäten organisiert, die als unterschiedliche +Domains betrachtet werden können. Die Autoritäten für die bekannten SIDs +sind + + Null-Autorität (Null Authority) + Weltweit anerkannte Autorität (World Authority) + Lokale Autorität (Local Authority) + Ersteller-Autorität (Creator Authority) + NT-Autorität (NT Authority) + Eingebaut + + Die mit großem Anfangsbuchstaben geschriebenen Versionen dieser Namen werden +als Domainnamen verwendet, wenn der voll qualifizierte Name einer bekannten +Sicherheits-ID zurückgegeben wird. + + + Da einige Dienstprogramme die Änderung der Sicherheits-ID-basierten +Zugriffskontrollinformationen mit Hilfe des Namens ermöglichen, anstelle die +Sicherheits-ID direkt zu verwenden, unterstützt SSSD die Suche nach der SID +anhand des Namens ebenfalls. Um Überschneidungen zu vermeiden, können nur +voll qualifizierte Namen bei der Suche nach bekannten Sicherheit-IDs +verwendet werden. Daher sollten die Domainnamen NULL +AUTHORITY, WORLD AUTHORITY, LOCAL +AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY und BUILTIN nicht als Domainnamen in +sssd.conf verwendet werden. + + + + diff --git a/src/man/de/include/ldap_search_bases.xml b/src/man/de/include/ldap_search_bases.xml new file mode 100644 index 0000000..40e2db9 --- /dev/null +++ b/src/man/de/include/ldap_search_bases.xml 
@@ -0,0 +1,33 @@ + + + ein optionaler Basis-DN, Gültigkeitsbereich für die Suche und LDAP-Filter, +um die LDAP-Suchen für diesen Attributtyp einzuschränken. + + + Syntax: +search_base[?Gültigkeitsbereich?[Filter][?Suchbasis?Gültigkeitsbereich?[Filter]]*] + + + + Der Bereich kann entweder »base«, »onlevel« oder »subtree« sein. Die +Bereiche funktionieren wie im Abschnitt 4.5.1.2 auf +http://tools.ietf.org/html/rfc4511 angegeben. + + + Der Filter muss ein gültiger LDAP-Suchfilter, wie durch +http://www.ietf.org/rfc/rfc2254.txt spezifiziert, sein. + + + Beispiele für diese Syntax finden Sie im Beispielabschnitt von +»ldap_search_base«. + + + Voreinstellung: der Wert von ldap_search_base + + + Bitte beachten Sie, dass die Angabe von Gültigkeitsbereich oder Filter nicht +beim Suchen auf einem Active-Directory-Server unterstützt wird, der +möglicherweise eine große Anzahl an Ergebnissen zurückliefern und in der +Antwort die Erweiterung »Range Retrieval« auslösen könnte. + + diff --git a/src/man/de/include/local.xml b/src/man/de/include/local.xml new file mode 100644 index 0000000..6b9a688 --- /dev/null +++ b/src/man/de/include/local.xml @@ -0,0 +1,18 @@ + + DIE LOKALE DOMAIN + + Für korrektes Funktionieren muss eine Domain mit »id_provider=local« +erstellt sein und SSSD muss laufen. + + + Möglicherweise möchte der Administrator in Fällen, in denen +Gruppenverschachtelung (siehe +sss_groupadd 8 +) benötigt wird, lokale Benutzer anstelle traditioneller +UNIX-Benutzer verwenden. Die lokalen Benutzer sind auch für das Testen und +Entwickeln von SSSD nützlich, ohne dass ein vollständiger ferner Server +bereitgestellt werden muss. Die sss_user*- und +sss_group*-Werkzeuge benutzen einen lokalen LDB-Speicher, +um Benutzer und Gruppen abzulegen. + + diff --git a/src/man/de/include/override_homedir.xml b/src/man/de/include/override_homedir.xml new file mode 100644 index 0000000..46fec02 --- /dev/null +++ b/src/man/de/include/override_homedir.xml 
@@ -0,0 +1,64 @@ + +override_homedir (Zeichenkette) + + + setzt das Home-Verzeichnis des Benutzers außer Kraft. Sie können entweder +einen absoluten Wert oder eine Schablone bereitstellen. In der Schablone +werden die folgenden Sequenzen ersetzt: + + %u + Anmeldename + + + %U + UID-Nummer + + + %d + Domain-Name + + + %f + voll qualifizierter Benutzername (Benutzer@Domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + das Original-Home-Verzeichnis, das vom Identitätsanbieter geholt wurde + + + + %H + + Der Wert der Konfigurationsoption homedir_substring. + + + + %% + ein buchstäbliches »%« + + + + + + Diese Option kann auch pro Domain gesetzt werden. + + + Beispiel: +override_homedir = /home/%u + + + + Voreinstellung: nicht gesetzt (SSSD wird den von LDAP geholten Wert +benutzen) + + + diff --git a/src/man/de/include/param_help.xml b/src/man/de/include/param_help.xml new file mode 100644 index 0000000..d6b147f --- /dev/null +++ b/src/man/de/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + zeigt den Hilfetext und beendet sich. + + + diff --git a/src/man/de/include/param_help_py.xml b/src/man/de/include/param_help_py.xml new file mode 100644 index 0000000..57fd0ef --- /dev/null +++ b/src/man/de/include/param_help_py.xml @@ -0,0 +1,10 @@ + + + , + + + + zeigt den Hilfetext und beendet sich. + + + diff --git a/src/man/de/include/seealso.xml b/src/man/de/include/seealso.xml new file mode 100644 index 0000000..e1c197d --- /dev/null +++ b/src/man/de/include/seealso.xml 
@@ -0,0 +1,61 @@ + + SIEHE AUCH + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/de/include/service_discovery.xml b/src/man/de/include/service_discovery.xml new file mode 100644 index 0000000..5a2dbbc --- /dev/null +++ b/src/man/de/include/service_discovery.xml 
@@ -0,0 +1,43 @@ + + DIENSTSUCHE + + Die Dienstsuchfunktionalität ermöglicht es Backends, automatisch mit Hilfe +einer speziellen DNS-Abfrage geeignete Server zu suchen, mit denen sie sich +verbinden können. Diese Funktionalität wird nicht für Datensicherungs-Server +unterstützt. + + + Konfiguration + + Falls keine Server angegeben wurden, benutzt das Backend die Dienstsuche, um +einen Server zu finden. Wahlweise kann der Benutzer sowohl feste +Server-Adressen als auch die Dienstsuche durch Eingabe des speziellen +Schlüsselworts »_srv_« in der Server-Liste auswählen. Die bevorzugte +Reihenfolge wird verwaltet. Diese Funktionalität ist zum Beispiel nützlich, +falls der Anwender es vorzieht, die Dienstsuche zu verwenden, wann immer +dies möglich ist, und auf einen bestimmten Server zurückzugreifen, wenn +mittels DNS keine Server gefunden werden. + + + + Der Domain-Name + + Weitere Einzelheiten finden Sie in der Handbuchseite +sssd.conf 5 + beim Parameter »dns_discovery_domain«. + + + + Das Protokoll + + Die Abfragen geben als Protokoll üblicherweise »_tcp« an. Ausnahmen sind in +der Beschreibung der entsprechenden Option dokumentiert. + + + + Siehe auch + + Weitere Informationen über den Dienstsuchmechanismus finden Sie in RFC 2782. + + + diff --git a/src/man/de/include/upstream.xml b/src/man/de/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/de/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/de/sss_groupadd.8.xml b/src/man/de/sss_groupadd.8.xml new file mode 100644 index 0000000..89aa32e --- /dev/null +++ b/src/man/de/sss_groupadd.8.xml 
@@ -0,0 +1,59 @@ + + + +SSSD-Handbuchseiten + + + + + sss_groupadd + 8 + + + + sss_groupadd + erstellt eine neue Gruppe + + + + +sss_groupadd +Optionen GRUPPE + + + + BESCHREIBUNG + + sss_groupadd erstellt eine neue Gruppe. Diese Gruppen +sind kompatibel mit POSIX-Gruppen mit der zusätzlichen Funktionalität, dass +sie andere Gruppen als Mitglieder enthalten können. + + + + + OPTIONEN + + + + , GID + + + + setzt die GID der Gruppe auf den Wert von +GID. Wurde der Wert nicht angegeben, wird er +automatisch ausgewählt. + + + + + + + + + + + + + diff --git a/src/man/de/sss_groupdel.8.xml b/src/man/de/sss_groupdel.8.xml new file mode 100644 index 0000000..5e93a71 --- /dev/null +++ b/src/man/de/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +SSSD-Handbuchseiten + + + + + sss_groupdel + 8 + + + + sss_groupdel + löscht eine Gruppe + + + + +sss_groupdel +Optionen GRUPPE + + + + BESCHREIBUNG + + sss_groupdel löscht eine Gruppe namens +GRUPPE vom System. + + + + + OPTIONEN + + + + + + + + + + + diff --git a/src/man/de/sss_groupmod.8.xml b/src/man/de/sss_groupmod.8.xml new file mode 100644 index 0000000..7ef1c07 --- /dev/null +++ b/src/man/de/sss_groupmod.8.xml @@ -0,0 +1,72 @@ + + + +SSSD-Handbuchseiten + + + + + sss_groupmod + 8 + + + + sss_groupmod + Ändern einer Gruppe + + + + +sss_groupmod +Optionen GRUPPE + + + + BESCHREIBUNG + + sss_groupmod ändert die Gruppe, um die auf der +Befehlszeile angegebenen Änderungen widerzuspiegeln. + + + + + OPTIONEN + + + + , +GRUPPEN + + + + hängt diese Gruppe an die Gruppen an, die durch den Parameter +GRUPPEN angegeben wurden. Der Parameter +GRUPPEN ist eine durch Kommata getrennte Liste +von Gruppennamen. + + + + + + , +GRUPPEN + + + + entfernt diese Gruppe von den Gruppen, die durch den Parameter +GRUPPEN angegeben wurden. + + + + + + + + + + + + + diff --git a/src/man/de/sss_groupshow.8.xml b/src/man/de/sss_groupshow.8.xml new file mode 100644 index 0000000..9e4db94 --- /dev/null +++ b/src/man/de/sss_groupshow.8.xml 
@@ -0,0 +1,60 @@ + + + +SSSD-Handbuchseiten + + + + + sss_groupshow + 8 + + + + sss_groupshow + gibt die Eigenschaften einer Gruppe aus. + + + + +sss_groupshow +Optionen GRUPPE + + + + BESCHREIBUNG + + sss_groupshow zeigt Informationen über eine Gruppe namens +GRUPPE an. Die Informationen umfassen die +Gruppen-ID-Nummer, Mitglieder der Gruppe, sowie die übergeordnete Gruppe. + + + + + OPTIONEN + + + + , + + + + gibtt auch indirekte Gruppenmitglieder in einer baumartigen Hierarchie +aus. Beachten Sie, dass dies auch die Ausgabe der übergeordneten Gruppen +beeinflusst – ohne werden nur die unmittelbar +übergeordneten Gruppen ausgegeben. + + + + + + + + + + + + + diff --git a/src/man/de/sss_obfuscate.8.xml b/src/man/de/sss_obfuscate.8.xml new file mode 100644 index 0000000..a11a199 --- /dev/null +++ b/src/man/de/sss_obfuscate.8.xml 
@@ -0,0 +1,97 @@ + + + +SSSD-Handbuchseiten + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + verschleiert ein Klartextpasswort + + + + +sss_obfuscate +Optionen [PASSWORT] + + + + BESCHREIBUNG + + sss_obfuscate wandelt ein angegebenes Passwort in ein von +Menschen nicht lesbares Format um und legt es in einem geeigneten +Domain-Abschnitt der SSSD-Konfigurationsdatei ab. + + + Das Klartextpasswort wird von der Standardeingabe gelesen oder interaktiv +eingegeben. Das verschleierte Passwort wird in den Parameter +»ldap_default_authtok« einer angegebenen SSSD-Domain abgelegt und der +Parameter »ldap_default_authtok_type« wird auf »obfuscated_password« +gesetzt. Weitere Einzelheiten über diese Parameter finden Sie unter + sssd-ldap +5 . + + + Bitte beachten Sie, dass das Verschleiern von Passwörtern keinen +wirklichen Sicherheitsgewinn bietet, da es einem Angreifer immer +noch möglich ist, das Passwort wieder herzuleiten. Es wird +dringend geraten, bessere Authentifizierungsmechanismen +wie Client-seitige Zertifikate oder GSSAPI zu verwenden. + + + + + OPTIONEN + + + + + , + + + + Das Passwort, das verschleiert werden soll, wird von der Standardeingabe +gelesen. + + + + + + , +DOMAIN + + + + die SSSD-Domain, in der das Passwort benutzt wird. Der Standardname ist +»default«. + + + + + + , DATEI + + + + liest die durch den Positionsparameter angegebene Konfigurationsdatei. + + + Voreinstellung: /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/de/sss_seed.8.xml b/src/man/de/sss_seed.8.xml new file mode 100644 index 0000000..878f6a8 --- /dev/null +++ b/src/man/de/sss_seed.8.xml 
@@ -0,0 +1,169 @@ + + + +SSSD-Handbuchseiten + + + + + sss_seed + 8 + + + + sss_seed + füllt den SSSD-Zwischenspeicher mit einem Benutzer + + + + +sss_seed +Optionen -D +DOMAIN -n +BENUTZER + + + + BESCHREIBUNG + + sss_seed füllt den SSSD-Zwischenspeicher mit einem +Benutzereintrag und einem temporären Passwort. Falls bereits ein +Benutzereintrag im SSSD-Zwischenspeicher vorhanden ist, wird der Eintrag mit +dem temporären Passwort aktualisiert. + + + + + + + OPTIONEN + + + + , +DOMAIN + + + + stellt den Namen der Doamin bereit, in der der Benutzer Mitglied ist. Die +Domain wird auch zur Abfrage von Benutzerinformationen verwendet. Sie muss +in der »sssd.conf« konfiguriert sein. Die Option +DOMAIN muss bereitgestellt werden. Von der Domain +geholte Informationen setzen das, was in den Optionen bereitgestellt wurde, +außer Kraft. + + + + + + , +BENUTZER + + + + der Benutzername des Eintrags, der im Zwischenspeicher erstellt oder +verändert werden soll. Die Option BENUTZER muss +bereitgestellt werden. + + + + + + , UID + + + + setzt die UID des Benutzers auf UID. + + + + + + , GID + + + + setzt die GID des Benutzers auf GID. + + + + + + , +KOMMENTAR + + + + irgendeine Zeichenkette, die den Benutzer beschreibt. Dieses Feld wird oft +für den vollständigen Namen des Benutzers verwendet. + + + + + + , +HOME_VERZ + + + + setzt das Home-Verzeichnis des Benutzers auf +HOME_VERZ. + + + + + + , +SHELL + + + + setzt die Anmelde-Shell des Benutzers auf SHELL. + + + + + + , + + + + interaktiver Modus zur Eingabe von Benutzerinformationen. Diese Option wird +nur nach Informationen fragen, die nicht von den Optionen bereitgestellt +oder in der Domain geholt werden. + + + + + + , +PASSWORTDATEI + + + + gibt die Datei an, aus der das Passwort des Benutzers gelesen wird (ist es +nicht angegeben, wird nach dem Passwort gefragt). 
+ + + + + + + + + ANMERKUNGEN + + Die Länge des Passworts (oder die Größe der mit der Option -p oder +--password-file angegebenen Datei) muss kleiner oder gleich PASS_MAX Byte +sein (64 Byte auf Systemen ohne global definiertem Wert für PASS_MAX). + + + + + + + + + + diff --git a/src/man/de/sss_ssh_knownhostsproxy.1.xml b/src/man/de/sss_ssh_knownhostsproxy.1.xml new file mode 100644 index 0000000..9505389 --- /dev/null +++ b/src/man/de/sss_ssh_knownhostsproxy.1.xml @@ -0,0 +1,107 @@ + + + +SSSD-Handbuchseiten + + + + + sss_ssh_knownhostsproxy + 1 + + + + sss_ssh_knownhostsproxy + holt OpenSSH-Rechnerschlüssel + + + + +sss_ssh_knownhostsproxy +Optionen RECHNER PROXY_BEFEHL + + + + BESCHREIBUNG + + sss_ssh_knownhostsproxy acquires SSH host public keys for +host HOST, stores them in a custom OpenSSH +known_hosts file (see the SSH_KNOWN_HOSTS FILE FORMAT section +of sshd +8 for more information) +/var/lib/sss/pubconf/known_hosts and establishes the +connection to the host. + + + Falls ein PROXY_BEFEHL angegeben wurde, wird er +zum Erstellen der Verbindung mit dem Rechner benutzt, anstatt ein Socket zu +öffnen. + + + ssh +1 kann durch Verwendung der folgenden +Richtlinien für die Konfiguration von +ssh +1 so eingerichtet werden, dass es +sss_ssh_knownhostsproxy zur Authentifizierung des +Rechnerschlüssels benutzt: +ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + + + + + + OPTIONEN + + + + , PORT + + + + benutzt Port PORT zur Verbindung mit dem +Rechner. Standardmäßig wird Port 22 verwendet. + + + + + + , +DOMAIN + + + + sucht in der SSSD-Domain nach DOMAIN öffentlichen +Schlüsseln für den Rechner. + + + + + + , + + + + Print the host ssh public keys for host HOST. + + + + + + + + + EXIT-STATUS + + Im Erfolgsfall ist der Rückgabewert 0, andernfalls wird 1 zurückgegeben. + + + + + + + diff --git a/src/man/de/sss_useradd.8.xml b/src/man/de/sss_useradd.8.xml new file mode 100644 index 0000000..107c18f 
--- /dev/null
+++ b/src/man/de/sss_useradd.8.xml
@@ -0,0 +1,168 @@ + + + +SSSD-Handbuchseiten + + + + + sss_useradd + 8 + + + + sss_useradd + erstellt einen neuen Benutzer + + + + +sss_useradd +Optionen ANMELDUNG + + + + BESCHREIBUNG + + sss_useradd erstellt mittels der auf der Befehlszeile +angegebenen Werte sowie der Standardwerte des Systems ein neues +Benutzerkonto. + + + + + OPTIONEN + + + + , UID + + + + setzt die UID des Benutzers auf den Wert von +UID. Wurde der Wert nicht angegeben, wird er +automatisch ausgewählt. + + + + + + , +KOMMENTAR + + + + irgendeine Zeichenkette, die den Benutzer beschreibt. Dieses Feld wird oft +für den vollständigen Namen des Benutzers verwendet. + + + + + + , +HOME_VERZ + + + + das Home-Verzeichnis des Benutzerkontos. Standardmäßig wird der Name für die +ANMELDUNG an /home angehängt +und dies dann als Home-Verzeichnis benutzt. Das Basisverzeichnis, das +ANMELDUNG vorangestellt wird, ist über die +Einstellung »user_defaults/baseDirectory« in der »sssd.conf« einstellbar. + + + + + + , +SHELL + + + + die Anmelde-Shell des Benutzers. Voreinstellung ist derzeit +/bin/bash. Die Voreinstellung kann über die Einstellung +»user_defaults/defaultShell« in der »sssd.conf« geändert werden. + + + + + + , +GRUPPEN + + + + eine Liste existierender Gruppen, denen dieser Benutzer auch angehört + + + + + + , + + + + erstellt das Home-Verzeichnis des Benutzers, falls es nicht existiert. Die +Dateien und Verzeichnisse, die in der Verzeichnisvorlage (die mit der Option +-k oder in der Konfigurationsdatei definiert werden kann) enthalten sind, +werden in das Home-Verzeichnis kopiert. + + + + + + , + + + + erstellt nicht das Home-Verzeichnis des Benutzers und setzt +Konfigurationseinstellungen außer Kraft. + + + + + + , +SKEL-VERZ + + + + die Verzeichnisvorlage mit Dateien und Verzeichnissen, die in das durch +sss_useradd neu erstellte Home-Verzeichnis des Benutzers +kopiert werden. + + + Spezialdateien (block- und zeichenorientierte Geräte, benannte Pipes und +Unix-Sockets) werden nicht kopiert. 
+ + + Diese Option ist nur gültig, falls die Option (oder +) angegeben wurde oder das Erstellen von +Home-Verzeichnissen in der Konfiguration auf »TRUE« gesetzt ist. + + + + + + , +SELINUX_BENUTZER + + + + der SELinux-Benutzer für die Anmeldung des Benutzers. Ist er nicht +angegeben, wird die Voreinstellung des Systems benutzt. + + + + + + + + + + + + + diff --git a/src/man/de/sss_userdel.8.xml b/src/man/de/sss_userdel.8.xml new file mode 100644 index 0000000..5c929c9 --- /dev/null +++ b/src/man/de/sss_userdel.8.xml @@ -0,0 +1,92 @@ + + + +SSSD-Handbuchseiten + + + + + sss_userdel + 8 + + + + sss_userdel + löscht ein Benutzerkonto + + + + +sss_userdel +Optionen ANMELDUNG + + + + BESCHREIBUNG + + sss_userdel löscht einen Benutzer, der durch den +Anmeldenamen ANMELDUNG vom System erkannt wird. + + + + + OPTIONEN + + + + + , + + + + Dateien im Home-Verzeichnis des Benutzers werden zusammen mit dem +Home-Verzeichnis selbst und der Mail-Warteschlange des Benutzers +entfernt. Dies setzt die Konfiguration außer Kraft. + + + + + + , + + + + Dateien im Home-Verzeichnis des Benutzers werden NICHT zusammen mit dem +Home-Verzeichnis selbst und der Mail-Warteschlange des Benutzers +entfernt. Dies setzt die Konfiguration außer Kraft. + + + + + + , + + + + Diese Option erzwingt, dass sss_userdel das +Home-Verzeichnis des Benutzers und die Mail-Warteschlange sogar dann +entfernt, wenn sie dem angegebenen Nutzer nicht gehören. + + + + + + , + + + + beendet, bevor der Benutzer tatsächlich gelöscht wird, alle seine Prozesse. + + + + + + + + + + + + diff --git a/src/man/de/sss_usermod.8.xml b/src/man/de/sss_usermod.8.xml new file mode 100644 index 0000000..f968632 --- /dev/null +++ b/src/man/de/sss_usermod.8.xml 
@@ -0,0 +1,170 @@ + + + +SSSD-Handbuchseiten + + + + + sss_usermod + 8 + + + + sss_usermod + ändert ein Benutzerkonto + + + + +sss_usermod +Optionen ANMELDUNG + + + + BESCHREIBUNG + + sss_usermod ändert das durch +ANMELDUNG angegebene Konto, damit es die auf der +Befehlszeile angegebenen Änderungen widerzuspiegelt. + + + + + OPTIONEN + + + + , +KOMMENTAR + + + + irgendeine Zeichenkette, die den Benutzer beschreibt. Dieses Feld wird oft +für den vollständigen Namen des Benutzers verwendet. + + + + + + , +HOME_VERZ + + + + das Home-Verzeichnis des Benutzerkontos + + + + + + , +SHELL + + + + die Anmelde-Shell des Benutzers + + + + + + , +GRUPPEN + + + + hängt diesen Benutzer an die Gruppen an, die durch den Parameter +GRUPPEN angegeben werden. Der Parameter +GRUPPEN ist eine durch Kommata getrennte Liste +von Gruppennamen. + + + + + + , +GRUPPEN + + + + entfernt diesen Benutzer aus Gruppen, die durch den Parameter +GRUPPEN angegeben werden. + + + + + + , + + + + sperrt das Benutzerkonto. Der Benutzer wird sich nicht anmelden können. + + + + + + , + + + + entsperrt das Benutzerkonto. + + + + + + , +SELINUX_BENUTZER + + + + der SELinux-Benutzer für die Anmeldung des Anwenders + + + + + + ATTR_NAME_WERT + + + + Ein Attribut/Wert-Paar hinzufügen. Das Format ist Attributname=Wert. + + + + + + ATTR_NAME_WERT + + + + Ein Attribut auf ein Name/Wert-Paar setzen. Das Format ist +Attributname=Wert. Bei Attributen mit mehreren Werten ersetzt der Befehl die +bereits vorhandenen Werte. + + + + + + ATTR_NAME_WERT + + + + Ein Attribut/Wert-Paar löschen. Das Format ist Attributname=Wert. + + + + + + + + + + + + + diff --git a/src/man/de/sssd-ifp.5.xml b/src/man/de/sssd-ifp.5.xml new file mode 100644 index 0000000..fc3c534 --- /dev/null +++ b/src/man/de/sssd-ifp.5.xml 
@@ -0,0 +1,141 @@ + + + +SSSD-Handbuchseiten + + + + + sssd-ifp + 5 + Dateiformate und Konventionen + + + + sssd-ifp + SSSD InfoPipe-Responder + + + + BESCHREIBUNG + + Diese Handbuchseite beschreibt die Konfiguration des InfoPipe-Responders für + sssd 8 +. Eine detaillierte Syntaxreferenz finden Sie im Abschnitt +DATEIFORMAT in der Handbuchseite zu +sssd.conf 5 +. + + + Der InfoPipe-Responder stellt eine öffentliche D-Bus-Schnittstelle bereit, +auf die über den Systembus zugegriffen werden kann. Die Schnittstelle +ermöglicht die Abfrage von Informationen zu entfernten Benutzern und Gruppen +über den Systembus. + + + + + KONFIGURATIONSOPTIONEN + + Diese Optionen können zur Konfiguration des InfoPipe-Responders verwendet +werden. + + + + allowed_uids (Zeichenkette) + + + Gibt eine durch Kommata getrennte Liste der Benutzer-ID-Werte oder +Benutzernamen an, denen der Zugriff auf den InfoPipe-Responder erlaubt +ist. Benutzernamen werden beim Start in Benutzer-IDs aufgelöst. + + + Voreinstellung: 0 (nur der Benutzer »root« darf auf den InfoPipe-Responder +zugreifen) + + + Beachten Sie, dass trotz der Verwendung der Benutzer-ID 0 als Voreinstellung +diese durch die Option überschrieben wird. Falls Sie wollen, dass dem +Root-Benutzer der Zugriff auf den InfoPipe-Responder gewährt werden soll, +was der typische Fall ist, müssen Sie 0 ebenfalls zur Liste der erlaubten +Benutzer-IDs hinzufügen. + + + + + + user_attributes (Zeichenkette) + + + Gibt eine durch Kommata getrennte Liste der auf die weiße (erlaubt) +beziehungsweise schwarze Liste (blockiert) gesetzten Attribute an. + + + In der Voreinstellung erlaubt der InfoPipe-Responder nur die Abfrage des +Standardsatzes an POSIX-Attributen. 
Dieser Satz ist der gleiche, wie er von + getpwnam +3 zurückgegeben wird und enthält +Folgendes: + + name + Anmeldename des Benutzers + + + uidNumber + Benutzer-ID + + + gidNumber + primäre Gruppen-ID + + + gecos + Benutzerinformation, typischerweise der vollständige Name + + + homeDirectory + Home-Verzeichnis + + + loginShell + Benutzershell + + + + + Es ist möglich, ein weiteres Attribut zu diesem Satz hinzuzufügen, indem Sie ++attr_name verwenden. Explizit entfernen lässt sich ein +Attribut mit -attr_name. Um beispielsweise +telephoneNumber zu erlauben, aber loginShell +abzuweisen, können Sie folgende Konfiguration verwenden: +user_attributes = +telephoneNumber, -loginShell + + + + Voreinstellung: Nicht gesetzt. Nur der Standardsatz an POSIX-Attributen ist +erlaubt. + + + + + + wildcard_limit (integer) + + + Specifies an upper limit on the number of entries that are downloaded during +a wildcard lookup that overrides caller-supplied limit. + + + Default: 0 (let the caller set an upper limit) + + + + + + + + + + + diff --git a/src/man/de/sssd-krb5.5.xml b/src/man/de/sssd-krb5.5.xml new file mode 100644 index 0000000..7a9e1da --- /dev/null +++ b/src/man/de/sssd-krb5.5.xml 
@@ -0,0 +1,555 @@ + + + +SSSD-Handbuchseiten + + + + + sssd-krb5 + 5 + Dateiformate und Konventionen + + + + sssd-krb5 + SSSD Kerberos-Anbieter + + + + BESCHREIBUNG + + Diese Handbuchseite beschreibt die Konfiguration des +Authentifizierungs-Backends Kerberos 5 für +sssd 8 +. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt +»DATEIFORMAT« der Handbuchseite +sssd.conf 5 +. + + + Das Authentifizierungs-Backend Kerberos 5 enthält Authentifizierungs- und +Chpass-Anbieter. Es muss mit einem Identitätsanbieter verbunden werden, +damit es sauber läuft (zum Beispiel »id_provider = ldap«). Einige vom +Kerberos-5-Authentifizierungs-Backend benötigten Informationen wie der +»Kerberos Principal Name« (UPN) des Benutzers müssen durch den +Identitätsanbieter bereitgestellt werden. Die Konfiguration des +Identitätsanbieters sollte einen Eintrag haben, der den UPN +angibt. Einzelheiten, wie dies konfiguriert wird, finden Sie in der +Handbuchseite des entsprechenden Identitätsanbieters. + + + Dieses Backend stellt ebenso eine Zugriffssteuerung bereit, die auf der +Datei .k5login im Home-Verzeichnis des Benutzers basiert. Weitere +Einzelheiten finden Sie unter +.k5login5 +. Bitte beachten Sie, dass eine leere .k5login-Datei jegliche +Zugriffe durch diesen Benutzer verbietet. Verwenden Sie »access_provider = +krb5« in Ihrer SSSD-Konfiguration, um diese Funktionalität zu aktivieren. + + + Im Fall, dass UPN nicht im Identitäts-Backend verfügbar ist, wird +sssd mittels des Formats +Benutzername@Krb5_Realm +einen UPN konstruieren. + + + + + + KONFIGURATIONSOPTIONEN + + Falls das Authentifizierungsmodul Krb5 in einer SSSD-Domain benutzt wird, +müssen die folgenden Optionen verwendet werden. Einzelheiten über die +Konfiguration einer SSSD-Domain finden Sie im Abschnitt »DOMAIN-ABSCHNITTE« +der Handbuchseite sssd.conf +5 . 
+ + krb5_server, krb5_backup_server (Zeichenkette) + + + gibt eine durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen +der Kerberos-Server in der Reihenfolge an, in der sich SSSD mit ihnen +verbinden soll. Weitere Informationen über Ausfallsicherung und Redundanz +finden Sie im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder +Rechnernamen kann eine optionale Portnummer (der ein Doppelpunkt +vorangestellt ist) angehängt werden. Falls dies leer gelassen wurde, wird +die Dienstsuche aktiviert. Weitere Informationen finden Sie im Abschnitt +»DIENSTSUCHE«. + + + Wenn die Dienstsuche für Schlüsselverwaltungszentralen- (KDC) oder +Kpasswd-Server benutzt wird, durchsucht SSSD zuerst die DNS-Einträge, +die_udp als Protokoll angeben. Falls keine gefunden werden, weicht es auf +_tcp aus. + + + Diese Option hieß in früheren Veröffentlichungen von SSSD +»krb5_kdcip«. Obwohl der alte Name einstweilen noch in Erinnerung ist, wird +Anwendern geraten, ihre Konfigurationsdateien auf die Verwendung von +»krb5_server« zu migrieren. + + + + + + krb5_realm (Zeichenkette) + + + der Name des Kerberos-Realms. Diese Option wird benötigt und muss angegeben +werden. + + + + + + krb5_kpasswd, krb5_backup_kpasswd (Zeichenkette) + + + Falls der Dienst zum Ändern von Passwörtern auf der +Schlüsselverwaltungszentrale (KDC) nicht läuft, können hier alternative +Server definiert werden. An die Adressen oder Rechnernamen kann eine +optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt +werden. + + + Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im +Abschnitt »AUSFALLSICHERUNG«. HINWEIS: Selbst wenn es keine weiteren +»kpasswd«-Server mehr auszuprobieren gibt, wird das Backend nicht offline +gehen, da eine Authentifizierung gegen die Schlüsselverwaltungszentrale +(KDC) immer noch möglich ist. + + + Voreinstellung: KDC benutzen + + + + + + krb5_ccachedir (Zeichenkette) + + + Das Verzeichnis zum Ablegen von Anmeldedaten-Zwischenspeichern. 
Alle +Ersetzungssequenzen von krb5_ccname_template können hier auch verwendet +werden, außer %d und %P. Das Verzeichnis wird als privat angelegt und ist +Eigentum des Benutzers. Die Zugriffsrechte werden auf 0700 gesetzt. + + + Voreinstellung: /tmp + + + + + + krb5_ccname_template (Zeichenkette) + + + Der Ort für die Zwischenspeicherung der Anmeldedaten des Benutzers. Drei +Zwischenspeichertypen werden derzeit unterstützt: FILE, +DIR und KEYRING:persistent. Der +Zwischenspeicher kann entweder als TYP:REST oder +als absoluter Pfad angegeben werden, wobei Letzteres den Typ +FILE beinhaltet. In der Schablone werden die folgenden +Sequenzen ersetzt: + + %u + Anmeldename + + + %U + Anmelde-UID + + + %p + Principal-Name + + + + %r + Realm-Name + + + %h + Home-Verzeichnis + + + + %d + Wert von krb5_ccachedir + + + + + %P + die Prozess-ID des SSSD-Clients + + + + %% + ein buchstäbliches »%« + + + Falls die +Vorlage mit »XXXXXX« endet, wird mkstemp(3) verwendet, um auf sichere Weise +einen eindeutigen Dateinamen zu erzeugen. + + + Wenn der KEYRING-Typ verwendet wird, ist +KEYRING:persistent:%U der einzige unterstützte +Mechanismus. Hierfür wird der Schlüsselbund des Linux-Kernels zum Speichern +der Anmeldedaten getrennt nach Benutzer-IDs verwendet. Dies wird auch +empfohlen, da es die sicherste und vorausberechenbarste Methode ist. + + + Der Vorgabewert für den Anmeldedaten-Zwischenspeicher wird aus dem im +Abschnitt [libdefaults] der Datei krb5.conf enthaltenen Profil der +systemweiten Konfiguration bezogen. Der Name der Option ist +default_ccache_name. Im Abschnitt PARAMETER EXPANSION der Handbuchseite zu +krb5.conf(5) finden Sie zusätzliche Informationen zu dem in krb5.conf +definierten Format. + + + NOTE: Please be aware that libkrb5 ccache expansion template from + krb5.conf +5 uses different expansion sequences +than SSSD. 
+ + + Voreinstellung: (aus libkrb5) + + + + + + krb5_auth_timeout (Ganzzahl) + + + Zeitüberschreitung in Sekunden, nach der eine Online-Anfrage zur +Authentifizierung oder Passwortänderung gescheitert ist. Falls möglich, wird +die Authentifizierung offline fortgesetzt. + + + Voreinstellung: 6 + + + + + + krb5_validate (Boolesch) + + + prüft mit Hilfe von »krb5_keytab«, ob das erhaltene TGT keine Täuschung +ist. Die Einträge der Keytab werden der Reihe nach kontrolliert und der +erste Eintrag mit einem passenden Realm wird für die Überprüfung +benutzt. Falls keine Einträge dem Realm entsprechen, wird der letzte Eintrag +der Keytab verwendet. Dieser Prozess kann zur Überprüfung von Umgebungen +mittels Realm-übergreifendem Vertrauen benutzt werden, indem der +dazugehörige Keytab-Eintrag als letzter oder einziger Eintrag in der +Keytab-Datei abgelegt wird. + + + Voreinstellung: »false« + + + + + + krb5_keytab (Zeichenkette) + + + der Speicherort der Keytab, der bei der Überprüfung von Berechtigungen +benutzt wird, die von Schlüsselverwaltungszentralen (KDCs) stammen. + + + Voreinstellung: /etc/krb5.keytab + + + + + + krb5_store_password_if_offline (Boolesch) + + + speichert das Passwort des Benutzers, falls der Anbieter offline ist, und +benutzt es zur Abfrage des TGTs, wenn der Anbieter wieder online geht. + + + HINWEIS: Diese Funktionalität ist nur auf Linux verfügbar. Passwörter, die +auf diese Weise gespeichert wurden, werden im Klartext im Schlüsselbund des +Kernels aufbewahrt. Darauf kann unter Umständen (mit Mühe) durch den +Benutzer Root zugegriffen werden. + + + Voreinstellung: »false« + + + + + + krb5_renewable_lifetime (Zeichenkette) + + + fordert ein erneuerbares Ticket mit einer Gesamtlebensdauer an. Es wird als +Ganzzahl, der direkt eine Zeiteinheit folgt, angegeben: + + + s für Sekunden + + + m für Minuten + + + h für Stunden + + + d für Tage + + + Falls keine Einheit angegeben ist, wird s angenommen. 
+ + + HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die erneuerbare +Lebensdauer auf eineinhalb Stunden zu setzen, verwenden Sie »90m« statt +»1h30m«. + + + Voreinstellung: nicht gesetzt, d.h. das TGT ist nicht erneuerbar. + + + + + + krb5_lifetime (Zeichenkette) + + + Anforderungsticket mit einer Lebensdauer, angegeben als Ganzzahl, der direkt +eine Zeiteinheit folgt: + + + s für Sekunden + + + m für Minuten + + + h für Stunden + + + d für Tage + + + Falls keine Einheit angegeben ist, wird s angenommen. + + + HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die Lebensdauer auf +eineinhalb Stunden zu setzen, verwenden Sie »90m« statt »1h30m«. + + + Voreinstellung: nicht gesetzt, d.h. die Standardlebenszeit des Tickets auf +der Schlüsselverwaltungszentrale (KDC) + + + + + + krb5_renew_interval (Zeichenkette) + + + die Zeit in Sekunden zwischen zwei Prüfungen, ob das TGT erneuert werden +soll. TGTs werden erneuert, wenn ungefähr die Hälfte ihrer Lebensdauer +überschritten ist. Sie wird als Ganzzahl, der unmittelbar eine Zeiteinheit +folgt, angegeben: + + + s für Sekunden + + + m für Minuten + + + h für Stunden + + + d für Tage + + + Falls keine Einheit angegeben ist, wird s angenommen. + + + HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die erneuerbare +Lebensdauer auf eineinhalb Stunden zu setzen, verwenden Sie »90m« statt +»1h30m«. + + + Falls diese Option nicht oder auf 0 gesetzt ist, wird die automatische +Erneuerung deaktiviert. + + + Voreinstellung: nicht gesetzt + + + + + + krb5_use_fast (Zeichenkette) + + + Schaltet das flexible Authentifizierungs-Sicherheits-Tunneln (FAST) für die +Vorauthentifizierung von Kerberos ein. Die folgenden Optionen werden +unterstützt: + + + never: FAST wird nie benutzt. Dies ist so, als ob diese +Einstellung gar nicht gemacht würde. + + + try: Es wird versucht, FAST zu benutzen. Falls der +Server kein FAST unterstützt, fährt die Authentifizierung ohne fort. 
+ + + demand: Fragt nach, ob FAST benutzt werden soll. Die +Authentifizierung schlägt fehl, falls der Server kein FAST erfordert. + + + Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt + + + HINWEIS: Zur Benutzung von FAST ist eine Keytab erforderlich. + + + HINWEIS: SSSD unterstützt FAST nur mit MIT-Kerberos-Version 1.8 und +neuer. Falls SSSD mit einer älteren Version von MIT-Kerberos benutzt wird, +ist die Verwendung dieser Option ein Konfigurationsfehler. + + + + + + krb5_fast_principal (Zeichenkette) + + + gibt den Server-Principal zur Benutzung von FAST an. + + + + + + krb5_canonicalize (Boolesch) + + + gibt an, ob der Rechner und User-Principal in die kanonische Form gebracht +werden sollen. Diese Funktionalität ist mit MIT-Kerberos 1.7 und neueren +Versionen verfügbar. + + + + Voreinstellung: »false« + + + + + + krb5_use_kdcinfo (Boolesch) + + + gibt an, ob SSSD die Kerberos-Bibliotheken anweisen soll, welcher Realm und +welche Schlüsselverwaltungszentralen (KDCs) benutzt werden sollen. Diese +Option ist standardmäßig eingeschaltet. Falls Sie sie ausschalten, müssen +Sie die Kerberos-Bibliothek mittels der Konfigurationsdatei +krb5.conf +5 einrichten. + + + Weitere Informationen über die Locator-Erweiterung finden Sie auf der +Handbuchseite +sssd_krb5_locator_plugin +8 . + + + Voreinstellung: »true« + + + + + + krb5_use_enterprise_principal (Boolesch) + + + gibt an, ob der User Principal als Enterprise Principal betrachtet werden +soll. Weitere Informationen über Enterprise Principals finden Sie in +Abschnitt 5 von RFC 6806. + + + + Voreinstellung: falsch (AD-Anbieter: wahr) + + + The IPA provider will set to option to 'true' if it detects that the server +is capable of handling enterprise principals and the option is not set +explicitly in the config file. 
+ + + + + + krb5_map_user (string) + + + The list of mappings is given as a comma-separated list of pairs +username:primary where username is a UNIX user +name and primary is a user part of a kerberos principal. This +mapping is used when user is authenticating using auth_provider = +krb5. + + + + Beispiel: +krb5_realm = REALM +krb5_map_user = joe:juser,dick:richard + + + + joe and dick are UNIX user names and +juser and richard are primaries of kerberos +principals. For user joe resp. dick SSSD will +try to kinit as juser@REALM resp. +richard@REALM. + + + + Voreinstellung: nicht gesetzt + + + + + + + + + + + + + + BEISPIEL + + Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert wurde +und FOO eine der Domains im Abschnitt [sssd] +ist. Dieses Beispiel zeigt nur die Authentifizierung mit Kerberos, sie +umfasst keine Identitätsanbieter. + + + +[domain/FOO] +auth_provider = krb5 +krb5_server = 192.168.1.1 +krb5_realm = EXAMPLE.COM + + + + + + + +
diff --git a/src/man/de/sssd-ldap.5.xml b/src/man/de/sssd-ldap.5.xml
new file mode 100644
index 0000000..0e06fb4
--- /dev/null
+++ b/src/man/de/sssd-ldap.5.xml
@@ -0,0 +1,2643 @@ + + + +SSSD-Handbuchseiten + + + + + sssd-ldap + 5 + Dateiformate und Konventionen + + + + sssd-ldap + SSSD LDAP-Anbieter + + + + BESCHREIBUNG + + Diese Handbuchseite beschreibt die Konfiguration von LDAP-Domains für + sssd 8 +. Detaillierte Syntax-Informationen finden Sie im Abschnitt +»DATEIFORMAT« der Handbuchseite +sssd.conf 5 +. + + Sie können SSSD so konfigurieren, dass es mehr als eine LDAP-Domain benutzt. + + + Das LDAP-Backend unterstützt ID-, Authentifizierungs-, Zugriffs- und +Chpass-Anbieter. Falls Sie sich bei einem LDAP-Server authentifizieren +möchten, wird entweder TLS/SSL oder LDAPS benötigt. sssd +unterstützt keine Authentifizierung über einen +unverschlüsselten Kanal. Falls der LDAP-Server nur als Identitätsanbieter +benutzt wird, wird kein verschlüsselter Kanal benötigt. Weitere +Informationen über die Verwendung von LDAP als Zugriffsanbieter finden Sie +unter »ldap_access_filter«. + + + + + KONFIGURATIONSOPTIONEN + + Alle häufigen Konfigurationsoptionen, die für SSSD-Domains gelten, gelten +auch für LDAP-Domains. Umfassende Einzelheiten finden Sie im Abschnitt +»DOMAIN-ABSCHNITTE« der Handbuchseite +sssd.conf 5 +. + + ldap_uri, ldap_backup_uri (Zeichenkette) + + + gibt eine durch Kommata getrennte Liste der LDAP-Server-URIs in der +Reihenfolge an, in der sich SSSD mit ihnen verbinden soll. Weitere +Informationen über Ausfallsicherung und Redundanz finden Sie im Abschnitt +»AUSFALLSICHERUNG«. Falls keine Option angegeben wurde, wird die Dienstsuche +aktiviert. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«. + + + Das Format der URI muss dem in RFC 2732 definierten Format entsprechen: + + + ldap[s]://<Rechner>[:Port] + + + Wenn Sie explizit IPv6-Adressen verwenden möchten, muss <Rechner> in +eckigen Klammern [] stehen. 
+ + + Beispiel: ldap://[fc00::126:25]:389 + + + + + + ldap_chpass_uri, ldap_chpass_backup_uri (Zeichenkette) + + + gibt eine durch Kommata getrennte Liste von URIs der LDAP-Server an, mit +denen SSSD sich in dieser Reihenfolge verbinden soll, um das Passwort eines +Benutzers zu ändern. Weitere Informationen über Ausfallsicherung und +Redundanz finden Sie im Abschnitt »AUSFALLSICHERUNG«. + + + Um die Dienstsuche zu aktivieren, muss »ldap_chpass_dns_service_name« +gesetzt sein. + + + Voreinstellung: leer, d.h., dass »ldap_uri« benutzt wird + + + + + + ldap_search_base (Zeichenkette) + + + der Standardbasis-Domain-Name, der zur Durchführung von +LDAP-Benutzeraktionen benutzt wird + + + Beginnend mit SSSD 1.7.0 unterstützt SSSD mehrere Suchgrundlagen mittels der +Syntax: + + + search_base[?Gültigkeitsbereich?[Filter][?search_base?Gültigkeitsbereich?[Filter]]*] + + + Der Gültigkeitsbereich kann entweder »base«, »onelevel« oder »subtree« sein. + + + Der Filter muss ein gültiger LDAP-Suchfilter, wie durch +http://www.ietf.org/rfc/rfc2254.txt spezifiziert, sein. + + + Beispiele: + + + ldap_search_base = dc=example,dc=com (dies entspricht) ldap_search_base = +dc=example,dc=com?subtree? + + + ldap_search_base = +cn=host_specific,dc=Beispiel,dc=com?Unterverzeichnis?(host=Dieser_Rechner)?dc=example.com?Unterverzeichnis? + + + Hinweis: Mehrere Suchgrundlagen, die sich auf Objekte mit gleichem Namen +beziehen, werden nicht unterstützt (zum Beispiel Gruppen mit demselben Namen +in zwei unterschiedlichen Suchgrundlagen). Dies wird zu unvorhersehbarem +Verhalten auf Client-Rechnern führen. + + + Voreinstellung: Falls nicht gesetzt, wird der Wert der Attribute +»defaultNamingContext« oder »namingContexts« vom RootDSE des LDAP-Servers +benutzt. Falls »defaultNamingContext« nicht existiert oder ihr Wert leer +ist, wird »namingContexts« verwendet. 
Das Attribut »namingContexts« muss +einen einzelnen Wert mit dem Domain-Namen der Suchgrundlage des LDAP-Servers +haben, damit dies funktioniert. Mehrere Werte werden nicht unterstützt. + + + + + + ldap_schema (Zeichenkette) + + + gibt den Schematyp an, der gerade auf dem Ziel-LDAP-Server benutzt +wird. Abhängig vom ausgewählten Schema können sich die von den Servern +geholten Standardattributnamen stark unterscheiden. Die Art, wie einige +Attribute gehandhabt werden, kann sich ebenfalls unterscheiden. + + + Derzeit werden vier Schematypen unterstützt: + + + + rfc2307 + + + + + rfc2307bis + + + + + IPA + + + + + AD + + + + + + Der Hauptunterschied zwischen diesen Schematypen besteht darin, wie +Gruppenmitgliedschaften auf dem Server aufgezeichnet werden. Mit »rfc2307« +werden Gruppenmitglieder nach Namen im Attribut +memberUid aufgeführt. Mit »rfc2307bis« bis »IPA« werden +die Gruppenmitglieder nach Domain-Namen aufgeführt und im Attribut +member gespeichert. Der Schematyp »AD« setzt die +Attribute passend zu den Werten von Active Directory 2008r2. + + + Voreinstellung: rfc2307 + + + + + + ldap_default_bind_dn (Zeichenkette) + + + der Standard-Bind-Domain-Name, der zum Durchführen von LDAP-Aktionen benutzt +wird + + + + + + ldap_default_authtok_type (Zeichenkette) + + + der Typ des Authentifizierungs-Tokens des Standard-Bind-Domain-Namens + + + Die beiden derzeit unterstützten Mechanismen sind: + + + password + + + obfuscated_password + + + Voreinstellung: password + + + + + + ldap_default_authtok (Zeichenkette) + + + das Authentifizierungs-Token des Standard-Bind-Domain-Namens. Derzeit werden +nur Klartextpasswörter unterstützt. 
+ + + + + + ldap_user_object_class (Zeichenkette) + + + die Objektklasse eines Benutzereintrags in LDAP + + + Voreinstellung: posixAccount + + + + + + ldap_user_name (Zeichenkette) + + + das LDAP-Attribut, das zum Anmeldenamen des Benutzers gehört + + + Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD) + + + + + + ldap_user_uid_number (Zeichenkette) + + + das LDAP-Attribut, das zu der ID des Benutzers gehört + + + Voreinstellung: uidNumber + + + + + + ldap_user_gid_number (Zeichenkette) + + + das LDAP-Attribut, das zu der Hauptgruppen-ID des Benutzers gehört + + + Voreinstellung: gidNumber + + + + + + ldap_user_primary_group (string) + + + Active Directory primary group attribute for ID-mapping. Note that this +attribute should only be set manually if you are running the +ldap provider with ID mapping. + + + Default: unset (LDAP), primaryGroupID (AD) + + + + + + ldap_user_gecos (Zeichenkette) + + + das LDAP-Attribut, das zum Gecos-Feld des Benutzers gehört + + + Voreinstellung: gecos + + + + + + ldap_user_home_directory (Zeichenkette) + + + das LDAP-Attribut, das den Namen des Home-Verzeichnisses des Benutzers +enthält + + + Voreinstellung: homeDirectory + + + + + + ldap_user_shell (Zeichenkette) + + + das LDAP-Attribut, das den Pfad zur Standard-Shell des Benutzers enthält + + + Voreinstellung: loginShell + + + + + + ldap_user_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of an LDAP user object. + + + Default: not set in the general case, objectGUID for AD and ipaUniqueID for +IPA + + + + + + ldap_user_objectsid (Zeichenkette) + + + das LDAP-Attribut, das die objectSID eines LDAP-Benutzerobjekts +enthält. Dies wird normalerweise nur für Active-Directory-Server benötigt. + + + Default: objectSid for ActiveDirectory, not set for other servers. 
+ + + + + + ldap_user_modify_timestamp (Zeichenkette) + + + das LDAP-Attribut, das den Zeitstempel der letzten Änderung im +übergeordneten Objekt enthält + + + Voreinstellung: modifyTimestamp + + + + + + ldap_user_shadow_last_change (Zeichenkette) + + + Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den +Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von + shadow +5 (Datum der letzten +Passwortänderung) gehört. + + + Voreinstellung: shadowLastChange + + + + + + ldap_user_shadow_min (Zeichenkette) + + + Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den +Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von + shadow +5 (Mindestpasswortalter) gehört. + + + Voreinstellung: shadowMin + + + + + + ldap_user_shadow_max (Zeichenkette) + + + Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den +Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von + shadow +5 (maximales Passwortalter) gehört. + + + Voreinstellung: shadowMax + + + + + + ldap_user_shadow_warning (Zeichenkette) + + + Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den +Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von + shadow +5 (Passwortwarnperiode) gehört. + + + Voreinstellung: shadowWarning + + + + + + ldap_user_shadow_inactive (Zeichenkette) + + + Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den +Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von + shadow +5 (Passwortinaktivitätsperiode) +gehört. + + + Voreinstellung: shadowInactive + + + + + + ldap_user_shadow_expire (Zeichenkette) + + + Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den +Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von + shadow +5 (Ablaufdatum des Kontos) gehört. 
+ + + Voreinstellung: shadowExpire + + + + + + ldap_user_krb_last_pwd_change (Zeichenkette) + + + Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter +den Namen eines LDAP-Attributs, in dem Datum und Zeit der letzten +Passwortänderung in Kerberos gespeichert sind. + + + Voreinstellung: krbLastPwdChange + + + + + + ldap_user_krb_password_expiration (Zeichenkette) + + + Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter +den Namen eines LDAP-Attributs, welches das Datum und die Zeit enthält, wann +das aktuelle Passwort erlischt. + + + Voreinstellung: krbPasswordExpiration + + + + + + ldap_user_ad_account_expires (Zeichenkette) + + + Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter +den Namen eines LDAP-Attributs, in dem die Zeit gespeichert ist, wann das +Konto erlischt. + + + Voreinstellung: accountExpires + + + + + + ldap_user_ad_user_account_control (Zeichenkette) + + + Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter +den Namen eines LDAP-Attributs, in dem das Steuer-Bit-Feld des +Benutzerkontos gespeichert ist. + + + Voreinstellung: userAccountControl + + + + + + ldap_ns_account_lock (Zeichenkette) + + + Wenn »ldap_account_expire_policy=rhds« oder Entsprechendes benutzt wird, +legt dieser Parameter fest, ob Zugriff gewährt wird oder nicht. + + + Voreinstellung: nsAccountLock + + + + + + ldap_user_nds_login_disabled (Zeichenkette) + + + Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut +fest, ob Zugriff gewährt wird oder nicht. + + + Voreinstellung: loginDisabled + + + + + + ldap_user_nds_login_expiration_time (Zeichenkette) + + + Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieser Parameter +fest, bis zu welchem Datum Zugriff gewährt wird. 
+ + + Voreinstellung: loginDisabled + + + + + + ldap_user_nds_login_allowed_time_map (Zeichenkette) + + + Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut die +Stunden eines Wochentages fest, in denen Zugriff gewährt wird. + + + Voreinstellung: loginAllowedTimeMap + + + + + + ldap_user_principal (Zeichenkette) + + + das LDAP-Attribut, das den Kerberos User Principal Name +(UPN/Hauptbenutzername) enthält. + + + Voreinstellung: krbPrincipalName + + + + + + ldap_user_extra_attrs (Zeichenkette) + + + Durch Kommata getrennte Liste der LDAP-Attribute, die SSSD zusammen mit den +üblichen Benutzerattributen holen soll. + + + Die Liste kann entweder nur Namen von LDAP-Attributen enthalten, oder durch +Doppelpunkte getrennte Tupel aus Attributnamen des SSSD-Zwischenspeichers +und Namen von LDAP-Attributen. Wenn nur die Namen von LDAP-Attributen +angegeben werden, wird das Attribut unverändert im Zwischenspeicher +gespeichert. Die Verwendung eines benutzerdefinierten SSSD-Attributnamens +kann in Umgebungen notwendig sein, in denen mehrere SSSD-Domains mit +unterschiedlichen LDAP-Schemata eingerichtet sind. + + + Bitte beachten Sie, dass diverse Attributnamen durch SSSD reserviert sind, +beispielsweise das Attribut name. SSSD würde einen Fehler +melden, falls eines der reservierten Attribute als zusätzlicher Attributname +verwendet wird. + + + Beispiele: + + + ldap_user_extra_attrs = telephoneNumber + + + Speichert das Attribut telephoneNumber von LDAP als +telephoneNumber im Zwischenspeicher. + + + ldap_user_extra_attrs = phone:telephoneNumber + + + Speichert das Attribut telephoneNumber von LDAP als +phone im Zwischenspeicher. 
+ + + Voreinstellung: nicht gesetzt + + + + + + ldap_user_ssh_public_key (Zeichenkette) + + + das LDAP-Attribut, das die öffentlichen SSH-Schlüssel des Benutzers enthält + + + Default: sshPublicKey + + + + + + ldap_force_upper_case_realm (Boolesch) + + + Einige Verzeichnisserver, zum Beispiel Active Directory, könnten den +Realm-Teil der UPN in Kleinbuchstaben liefern, was zum Scheitern der +Authentifizierung führen kann. Setzen Sie diese Option auf einen Wert +ungleich Null, falls Sie einen Realm in Großbuchstaben wünschen. + + + Voreinstellung: »false« + + + + + + ldap_enumeration_refresh_timeout (Ganzzahl) + + + gibt an, wie viele Sekunden lang SSSD warten soll, bevor es seinen +Zwischenspeicher aufgezählter Datensätze aktualisiert. + + + Voreinstellung: 300 + + + + + + ldap_purge_cache_timeout (Ganzzahl) + + + bestimmt, wie oft der Zwischenspeicher auf inaktive Einträge überprüft wird +(wie Gruppen ohne Mitglieder und Benutzer, die sich noch nie angemeldet +haben) und diese entfernt werden, um Platz zu sparen. + + + Setting this option to zero will disable the cache cleanup operation. Please +note that if enumeration is enabled, the cleanup task is required in order +to detect entries removed from the server and can't be disabled. By default, +the cleanup task will run every 3 hours with enumeration enabled. + + + Voreinstellung: 0 (deaktiviert) + + + + + + ldap_user_fullname (Zeichenkette) + + + das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht + + + Voreinstellung: cn + + + + + + ldap_user_member_of (Zeichenkette) + + + das LDAP-Attribut, das die Gruppenmitgliedschaften des Benutzers aufführt + + + Voreinstellung: memberOf + + + + + + ldap_user_authorized_service (Zeichenkette) + + + Falls »access_provider=ldap« und »ldap_access_order=authorized_service« +benutzt werden, wird SSSD die Anwesenheit das Attributs »authorizedService« +im LDAP-Eintrag den Benutzers nutzen, um die Zugriffsrechte zu bestimmen. 
+ + + Ein explizites Verweigern (»!svc«) wird zuerst aufgelöst. Als Zweites sucht +SSSD eine explizite Erlaubnis (»svc«) und zuletzt nach »allow_all« (*). + + + Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« +»authorized_service« enthalten muss, damit die Option +»ldap_user_authorized_service« funktioniert. + + + Voreinstellung: authorizedService + + + + + + ldap_user_authorized_host (Zeichenkette) + + + Falls »access_provider=ldap« und »ldap_access_order=host« benutzt werden, +wird SSSD die Anwesenheit das Attributs »host« im LDAP-Eintrag den Benutzers +verwenden, um die Zugriffsrechte zu bestimmen. + + + Ein explizites Verweigern (»!host«) wird zuerst aufgelöst. Als Zweites sucht +SSSD eine explizite Erlaubnis (»host«) und zuletzt nach »allow_all« (*). + + + Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« »host« +enthalten muss, damit die Option +»ldap_user_authorized_host« funktioniert. + + + Voreinstellung: host + + + + + + ldap_user_authorized_rhost (string) + + + If access_provider=ldap and ldap_access_order=rhost, SSSD will use the +presence of the rhost attribute in the user's LDAP entry to determine access +privilege. Similarly to host verification process. + + + An explicit deny (!rhost) is resolved first. Second, SSSD searches for +explicit allow (rhost) and finally for allow_all (*). + + + Please note that the ldap_access_order configuration option +must include rhost in order for the +ldap_user_authorized_rhost option to work. + + + Default: rhost + + + + + + ldap_user_certificate (string) + + + Name of the LDAP attribute containing the X509 certificate of the user. + + + Default: userCertificate;binary + + + + + + ldap_user_email (string) + + + Name of the LDAP attribute containing the email address of the user. + + + Note: If an email address of a user conflicts with an email address or fully +qualified name of another user, then SSSD will not be able to serve those +users properly. 
If for some reason several users need to share the same +email address then set this option to a nonexistent attribute name in order +to disable user lookup/login by email. + + + Default: mail + + + + + + ldap_group_object_class (Zeichenkette) + + + die Objektklasse eines Gruppeneintrags in LDAP + + + Voreinstellung: posixGroup + + + + + + ldap_group_name (Zeichenkette) + + + das LDAP-Attribut, das dem Gruppennamen entspricht + + + Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD) + + + + + + ldap_group_gid_number (Zeichenkette) + + + das LDAP-Attribut, das der Gruppen-ID entspricht + + + Voreinstellung: gidNumber + + + + + + ldap_group_member (Zeichenkette) + + + das LDAP-Attribut, das die Namen der Gruppenmitglieder enthält + + + Voreinstellung: memberuid (rfc2307) / member (rfc2307bis) + + + + + + ldap_group_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of an LDAP group object. + + + Default: not set in the general case, objectGUID for AD and ipaUniqueID for +IPA + + + + + + ldap_group_objectsid (Zeichenkette) + + + das LDAP-Attribut, das die ObjectSID eines LDAP-Gruppenobjekts enthält. Dies +wird normalerweise nur für Active-Directory-Server benötigt. + + + Default: objectSid for ActiveDirectory, not set for other servers. + + + + + + ldap_group_modify_timestamp (Zeichenkette) + + + das LDAP-Attribut, das den Zeitstempel der letzten Änderung im +übergeordneten Objekt enthält + + + Voreinstellung: modifyTimestamp + + + + + + ldap_group_type (Ganzzahl) + + + Das LDAP-Attribut, das einen Ganzzahlwert enthält, der den Gruppentyp und +eventuell weitere Flags enthält. + + + Dieses Attribut wird derzeit nur vom AD-Anbieter verwendet, um zu ermitteln, +ob eine Gruppe eine lokale Domain-Gruppe ist und aus den vertrauenswürdigen +Domains herausgefiltert werden sollte. 
+ + + Default: groupType in the AD provider, otherwise not set + + + + + + ldap_group_external_member (string) + + + The LDAP attribute that references group members that are defined in an +external domain. At the moment, only IPA's external members are supported. + + + Default: ipaExternalMember in the IPA provider, otherwise unset. + + + + + + ldap_group_nesting_level (Ganzzahl) + + + Falls »ldap_schema« auf ein Format gesetzt ist, das verschachtelte Gruppen +(z.B. RFC2307bis) unterstützt, dann steuert diese Option, wie viele Stufen +tief SSSD der Verschachtelung folgt. Diese Option hat keine Auswirkungen auf +das Schema RFC2307. + + + Hinweis: Diese Option gibt die garantierte Tiefe verschachtelter Gruppen an, +die bei Suchvorgängen verarbeitet werden soll. Dennoch +können auch tiefer verschachtelte Gruppen einbezogen +werden, falls bei früheren Suchvorgängen die tieferen Ebenen bereits einmal +berücksichtigt wurden. Außerdem können folgende Suchvorgänge für andere +Gruppen die Ergebnisse des ursprünglichen Suchvorgangs vergrößern, wenn die +Suche erneut erfolgt. + + + If ldap_group_nesting_level is set to 0 then no nested groups are processed +at all. However, when connected to Active-Directory Server 2008 and later +using id_provider=ad it is furthermore required to disable +usage of Token-Groups by setting ldap_use_tokengroups to false in order to +restrict group nesting. + + + Voreinstellung: 2 + + + + + + ldap_groups_use_matching_rule_in_chain + + + Diese Option teilt SSSD mit, dass es den Vorteil einer +Active-Directory-spezifischen Funktionalität nutzen soll, die +Gruppenachschlageoptionen und Bereitstellungen mit komplexen oder tief +verschachtelten Gruppen zu beschleunigen. + + + In den meisten Fällen ist es am besten, diese Option deaktiviert zu +lassen. Normalerweise führt sie nur bei sehr komplexen Verschachtelungen zu +einer Leistungssteigerung. 
+ + + Falls diese Option aktiviert ist und SSSD beim Verbinden feststellt, dass +der Server sie unterstützt, wird SSSD sie verwenden. Daher bedeutet hier +»True« eigentlich »auto-detect«. + + + Hinweis: Es ist bekannt, dass diese Funktionalität derzeit nur mit Active +Directory 2008 R1 und neuer funktioniert. Weitere Einzelheiten finden Sie in +der +MSDN™-Dokumentation. + + + Voreinstellung: False + + + + + + ldap_initgroups_use_matching_rule_in_chain + + + Diese Option teilt SSSD mit, dass es den Vorteil einer +Active-Directory-spezifischen Funktionalität nutzen soll, die möglicherweise +Initgroups-Aktionen beschleunigt (vor allem, beim Umgang mit komplexen oder +verschachtelten Gruppen). + + + Falls diese Option aktiviert ist und SSSD beim Verbinden feststellt, dass +der Server sie unterstützt, wird SSSD sie verwenden. Daher bedeutet hier +»True« eigentlich »auto-detect«. + + + Hinweis: Es ist bekannt, dass diese Funktionalität derzeit nur mit Active +Directory 2008 R1 und neuer funktioniert. Weitere Einzelheiten finden Sie in +der +MSDN™-Dokumentation. + + + Voreinstellung: False + + + + + + ldap_use_tokengroups + + + Diese Optionen aktivieren oder deaktivieren die Verwendung des +Token-Gruppen-Attributs, wenn »initgroup« für Benutzers des Active Directory +Servers 2008 und neuere Versionen ausgeführt wird. + + + Default: True for AD and IPA otherwise False. + + + + + + ldap_netgroup_object_class (Zeichenkette) + + + die Objektklasse eines Netzgruppeneintrags in LDAP + + + Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_object_class« benutzt +werden. + + + Voreinstellung: nisNetgroup + + + + + + ldap_netgroup_name (Zeichenkette) + + + das LDAP-Attribut, das dem Netzgruppennamen entspricht + + + Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_name« benutzt werden. 
+ + + Voreinstellung: cn + + + + + + ldap_netgroup_member (Zeichenkette) + + + das LDAP-Attribut, das die Namen der Netzgruppenmitglieder enthält + + + Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_member« benutzt werden. + + + Voreinstellung: memberNisNetgroup + + + + + + ldap_netgroup_triple (Zeichenkette) + + + das LDAP-Attribut, das die Netzgruppen-Triples (Rechner, Benutzer, Domain) +enthält + + + Diese Option ist für IPA-Anbieter nicht verfügbar. + + + Voreinstellung: nisNetgroupTriple + + + + + + ldap_netgroup_modify_timestamp (Zeichenkette) + + + das LDAP-Attribut, das den Zeitstempel der letzten Änderung im +übergeordneten Objekt enthält + + + Diese Option ist für IPA-Anbieter nicht verfügbar. + + + Voreinstellung: modifyTimestamp + + + + + + ldap_host_object_class (string) + + + The object class of a host entry in LDAP. + + + Voreinstellung: ipService + + + + + + ldap_host_name (string) + + + The LDAP attribute that corresponds to the host's name. + + + Voreinstellung: cn + + + + + + ldap_host_fqdn (string) + + + The LDAP attribute that corresponds to the host's fully-qualified domain +name. + + + Default: fqdn + + + + + + ldap_host_serverhostname (string) + + + The LDAP attribute that corresponds to the host's name. + + + Default: serverHostname + + + + + + ldap_host_member_of (string) + + + The LDAP attribute that lists the host's group memberships. + + + Voreinstellung: memberOf + + + + + + ldap_host_search_base (string) + + + optional, verwendet die angegebene Zeichenkette als Suchgrundlage für +Rechnerobjekte + + + Informationen über das Konfigurieren mehrerer Suchgrundlagen finden Sie +unter »ldap_search_base«. + + + Voreinstellung: der Wert von ldap_search_base + + + + + + ldap_host_ssh_public_key (string) + + + The LDAP attribute that contains the host's SSH public keys. + + + Default: sshPublicKey + + + + + + ldap_host_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of an LDAP host object. 
+ + + Voreinstellung: nicht gesetzt + + + + + + ldap_service_object_class (Zeichenkette) + + + die Objektklasse eines Diensteintrags in LDAP + + + Voreinstellung: ipService + + + + + + ldap_service_name (Zeichenkette) + + + das LDAP-Attribut, das die Namen von Dienstattributen und ihre Alias enthält + + + Voreinstellung: cn + + + + + + ldap_service_port (Zeichenkette) + + + das LDAP-Attribut, das den von diesem Dienst verwalteten Port enthält + + + Voreinstellung: ipServicePort + + + + + + ldap_service_proto (Zeichenkette) + + + das LDAP-Attribut, das die von diesem Dienst verstandenen Protokolle enthält + + + Voreinstellung: ipServiceProtocol + + + + + + ldap_service_search_base (Zeichenkette) + + + + + ldap_search_timeout (Ganzzahl) + + + gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem +LDAP-Suchen laufen dürfen, bevor sie abgebrochen und die +zwischengespeicherten Ergebnisse zurückgegeben werden (und in den +Offline-Modus gegangen wird). + + + Hinweis: Diese Option ist in zukünftigen Versionen von SSSD Gegenstand von +Änderungen. Sie wird wahrscheinlich an einigen Stellen durch Serien von +Zeitüberschreitungspunkten für spezielle Nachschlagetypen ersetzt. + + + Voreinstellung: 6 + + + + + + ldap_enumeration_search_timeout (Ganzzahl) + + + gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem +LDAP-Suchen nach Benutzer- und Gruppenaufzählungen laufen dürfen, bevor sie +abgebrochen und die zwischengespeicherten Ergebnisse zurückgegeben werden +(und in den Offline-Modus gegangen wird). + + + Voreinstellung: 60 + + + + + + ldap_network_timeout (Ganzzahl) + + + gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, nach dem + poll 2 +/ select +2 gefolgt von einem +connect 2 + zurückkehrt, falls keine Aktivität stattfindet. + + + Voreinstellung: 6 + + + + + + ldap_opt_timeout (Ganzzahl) + + + Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs +will abort if no response is received. 
Also controls the timeout when +communicating with the KDC in case of SASL bind, the timeout of an LDAP bind +operation, password change extended operation and the StartTLS operation. + + + Voreinstellung: 6 + + + + + + ldap_connection_expire_timeout (Ganzzahl) + + + gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem eine +Verbindung zu einem LDAP-Server aufrechterhalten wird. Nach dieser Zeit wird +die Verbindung erneut aufgebaut. Wird dies parallel zu SASL/GSSAPI benutzt, +wird der frühere der beiden Werte (dieser Wert gegenüber der +TGT-Lebensdauer) verwendet. + + + Voreinstellung: 900 (15 Minuten) + + + + + + ldap_page_size (Ganzzahl) + + + gibt die Anzahl der Datensätze an, die in einer einzelnen Anfrage von LDAP +empfangen werden. Einige LDAP-Server erzwingen eine Begrenzung des Maximums +pro Anfrage. + + + Voreinstellung: 1000 + + + + + + ldap_disable_paging (Boolesch) + + + deaktiviert die Seitenadressierungssteuerung von LDAP. Diese Option sollte +benutzt werden, falls der LDAP-Server meldet, dass er die +LDAP-Seitenadressierungssteuerung in seinem RootDSE unterstützt, sie jedoch +deaktiviert ist oder sich nicht ordnungsgemäß verhält. + + + Beispiel: OpenLDAP-Server, bei denen das Seitenadressierungssteuerungsmodul +installiert, aber nicht aktiviert ist, werden es im RootDSE melden, sind +aber nicht in der Lage, es zu benutzen. + + + Beispiel: 389 DS hat einen Fehler, durch den es gleichzeitig nur eine +einzige Seitenadressierungssteuerung für eine einzelne Verbindung benutzen +kann. Bei ausgelasteten Clients kann dies dazu führen, dass manche Anfragen +abgelehnt werden. + + + Voreinstellung: False + + + + + + ldap_disable_range_retrieval (Boolesch) + + + deaktiviert die Bereichsabfrage von Active Directory + + + Active Directory begrenzt die Anzahl der Mitglieder, die in einem einzigen +Nachschlagen mittels der MaxValRange-Richtlinie empfangen werden können (die +Voreinstellung sind 1.500 Mitglieder). 
Falls eine Gruppe mehr Mitglieder +enthält, wird die Antwort eine AD-spezifische Bereichserweiterung +enthalten. Diese Option deaktiviert das Auswerten der Bereichserweiterung, +daher wird es so aussehen, als ob große Gruppen keine Mitglieder hätten. + + + Voreinstellung: False + + + + + + ldap_sasl_minssf (Ganzzahl) + + + Wenn mittels SASL mit einem LDAP-Server kommuniziert wird, gibt dies die +mindestens nötige Sicherheitsstufe zum Herstellen der Verbindung an. Die +Werte dieser Option werden durch OpenLDAP definiert. + + + Voreinstellung: verwendet die Voreinstellungen des System (normalerweise in +»ldap.conf« angegeben) + + + + + + ldap_deref_threshold (Ganzzahl) + + + gibt die Anzahl der Gruppenmitglieder an, die aus dem internen +Zwischenspeicher fehlen muss, um ein dereferenzierendes Nachschlagen +auszulösen. Falls weniger Mitglieder fehlen, werden sie individuell +nachgeschlagen. + + + Sie können dereferenzierendes Nachschlagen komplett ausschalten, indem Sie +den Wert auf 0 setzen. + + + Dereferenzierendes Nachschlagen ist ein Mittel, um alle Gruppenmitglieder in +einem einzigen LDAP-Aufruf abzuholen. Verschiedene LDAP-Server können +unterschiedliche Methoden zum Dereferenzieren implementieren. Die derzeit +unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory. + + + Hinweis: Falls eine der Suchgrundlagen einen Suchfilter +angibt, wird die Verbesserung der Leistung beim dereferenzierenden +Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert. + + + Voreinstellung: 10 + + + + + + ldap_tls_reqcert (Zeichenkette) + + + gibt an, welche Prüfungen von Server-Zertifikaten in einer TLS-Sitzung +durchgeführt werden, falls vorhanden. Dies kann in Form einer der folgenden +Werte angegeben werden: + + + never = Der Client wird kein Server-Zertifikat prüfen +oder anfordern. + + + allow = Das Server-Zertifikat wird angefordert. Falls +kein Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. 
Falls +ein ungültiges Zertifikat bereitgestellt wird, wird es ignoriert und die +Sitzung fährt normal fort. + + + try = Das Server-Zertifikat wird angefordert. Falls das +Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. Falls ein +ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet. + + + demand = Das Server-Zertifikat wird angefordert. Falls +kein oder ein ungültiges Zertifikat bereitgestellt wird, wird die Sitzung +sofort beendet. + + + hard = entspricht »demand« + + + Voreinstellung: hard + + + + + + ldap_tls_cacert (Zeichenkette) + + + gibt die Datei an, die Zertifikate für alle Zertifizierungstellen enthält, +die sssd erkennen wird. + + + Voreinstellung: verwendet OpenLDAP-Voreinstellungen, normalerweise aus +/etc/openldap/ldap.conf + + + + + + ldap_tls_cacertdir (Zeichenkette) + + + gibt den Pfad eines Verzeichnisses an, das Zertifikate von +Zertifizierungstellen in separaten individuellen Dateien enthält. Die +Dateinamen sollen normalerweise ein Hash-Wert des Zertifikats gefolgt von +».0« sein. Falls verfügbar, kann cacertdir_rehash zum +Erstellen der korrekten Namen verwendet werden. + + + Voreinstellung: verwendet OpenLDAP-Voreinstellungen, normalerweise aus +/etc/openldap/ldap.conf + + + + + + ldap_tls_cert (Zeichenkette) + + + gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält. + + + Voreinstellung: nicht gesetzt + + + + + + ldap_tls_key (Zeichenkette) + + + gibt die Datei an, die den Schlüssel des Clients enthält. + + + Voreinstellung: nicht gesetzt + + + + + + ldap_tls_cipher_suite (Zeichenkette) + + + Specifies acceptable cipher suites. Typically this is a colon separated +list. See ldap.conf +5 for format. + + + Voreinstellung: verwendet OpenLDAP-Voreinstellungen, normalerweise aus +/etc/openldap/ldap.conf + + + + + + ldap_id_use_start_tls (Boolesch) + + + gibt an, dass die Verbindung »id_provider« auch tls benutzen muss, um den Kanal abzusichern. 
+ + + Voreinstellung: »false« + + + + + + ldap_id_mapping (Boolesch) + + + gibt an, dass SSSD versuchen soll, die Benutzer- und Gruppen-ID von den +Attributen »ldap_user_objectsid« und »ldap_group_objectsid« abzubilden, +statt sich auf »ldap_user_uid_number« und »ldap_group_gid_number« zu +verlassen. + + + Derzeit unterstützt diese Funktionalität nur das Abbilden von +Active-Directory-ObjectSIDs. + + + Voreinstellung: »false« + + + + + + ldap_min_id, ldap_max_id (integer) + + + Im Gegensatz zum SID-basierten ID-Abbilden, das benutzt wird, falls +»ldap_id_mapping« auf »true« gesetzt ist, ist der erlaubte ID-Bereich für +»ldap_user_uid_number« und »ldap_group_gid_number« offen. In einer +Konfiguration mit Unter-Domains und vertrauenswürdigen Domains könnte dies +zu ID-Kollisionen führen. Um Kollisionen zu vermeiden, können »ldap_min_id« +und »ldap_max_id« zum Begrenzen des erlaubten Bereichs für direkt vom Server +gelesene IDs verwendet werden. Unter-Domains können dann andere Bereiche zur +Abbildung von IDs wählen. + + + Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt) + + + + + + ldap_sasl_mech (Zeichenkette) + + + gibt an, welcher SASL-Mechanismus benutzt werden soll. Derzeit ist nur +GSSAPI getestet und wird unterstützt. + + + Voreinstellung: nicht gesetzt + + + + + + ldap_sasl_authid (Zeichenkette) + + + Specify the SASL authorization id to use. When GSSAPI is used, this +represents the Kerberos principal used for authentication to the directory. +This option can either contain the full principal (for example +host/myhost@EXAMPLE.COM) or just the principal name (for example +host/myhost). By default, the value is not set and the following principals +are used: +hostname@REALM +netbiosname$@REALM +host/hostname@REALM +*$@REALM +host/*@REALM +host/* + If none of them are +found, the first principal in keytab is returned. 
+ + + Voreinstellung Rechner/MeinRechner@BEREICH + + + + + + ldap_sasl_realm (Zeichenkette) + + + gibt den SASL-Realm an, der benutzt werden soll. Wurde diese Option nicht +angegeben, ist die Voreinstellung der Wert von »krb5_realm«. Falls +»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert. + + + Voreinstellung: der Wert von »krb5_realm« + + + + + + ldap_sasl_canonicalize (Boolesch) + + + Falls dies auf »true« gesetzt wäre, würde die LDAP-Bibliothek ein +umgekehrtes Nachschlagen durchführen, um den Rechnernamen während eines +SASL-Bind in eine kanonische Form zu bringen. + + + Voreinstellung: false; + + + + + + ldap_krb5_keytab (Zeichenkette) + + + gibt die Keytab an, wenn SASL/GSSAPI benutzt wird. + + + Voreinstellung: Keytab des Systems, normalerweise +/etc/krb5.keytab + + + + + + ldap_krb5_init_creds (Boolesch) + + + gibt an, dass der »id_provider« Kerberos-Anmeldedaten (TGT) initialisieren +soll. Diese Aktion wird nur durchgeführt, falls SASL benutzt wird und der +ausgewählte Mechnaismus GSSAPI ist. + + + Voreinstellung: »true« + + + + + + ldap_krb5_ticket_lifetime (Ganzzahl) + + + gibt die Lebensdauer eines TGT in Sekunden an, falls GSSAPI benutzt wird. + + + Voreinstellung: 86400 (24 Stunden) + + + + + + krb5_server, krb5_backup_server (Zeichenkette) + + + gibt die durch Kommata getrennte Liste von IP-Adressen bzw. Rechnernamen von +Kerberos-Servern in der Reihenfolge an, in der sich SSSD mit ihnen verbinden +soll. Weitere Informationen über Ausfallsicherung und Redundanz finden Sie +im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder Rechnernamen kann eine +optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt +werden. Falls dies leer gelassen wurde, wird die Dienstsuche +aktiviert. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«. 
+ + + Wenn die Dienstsuche für Schlüsselverwaltungszentralen- (KDC) oder +Kpasswd-Server benutzt wird, durchsucht SSSD zuerst die DNS-Einträge, +die_udp als Protokoll angeben. Falls keine gefunden werden, weicht es auf +_tcp aus. + + + Diese Option hieß in früheren Veröffentlichungen von SSSD +»krb5_kdcip«. Obwohl der alte Name einstweilen noch in Erinnerung ist, wird +Anwendern geraten, ihre Konfigurationsdateien auf die Verwendung von +»krb5_server« zu migrieren. + + + + + + krb5_realm (Zeichenkette) + + + gibt den Kerberos-REALM an (für SASL/GSSAPI-Authentifizierung). + + + Voreinstellung: Systemvoreinstellungen, siehe +/etc/krb5.conf + + + + + + krb5_canonicalize (Boolesch) + + + gibt an, ob der Host Principal beim Verbinden mit einem LDAP-Server in eine +kanonische Form gebracht werden soll. Diese Funktionalität ist mit MIT +Kerberos >= 1.7 verfügbar. + + + + Voreinstellung: »false« + + + + + + krb5_use_kdcinfo (Boolesch) + + + gibt an, ob SSSD die Kerberos-Bibliotheken anweisen soll, welcher Realm und +welche Schlüsselverwaltungszentralen (KDCs) benutzt werden sollen. Diese +Option ist standardmäßig eingeschaltet. Falls Sie sie ausschalten, müssen +Sie die Kerberos-Bibliothek mittels der Konfigurationsdatei +krb5.conf +5 einrichten. + + + Weitere Informationen über die Locator-Erweiterung finden Sie auf der +Handbuchseite +sssd_krb5_locator_plugin +8 . + + + Voreinstellung: »true« + + + + + + ldap_pwd_policy (Zeichenkette) + + + wählt das Regelwerk, anhand dessen das Client-seitige Erlöschen des +Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt: + + + none – keine Client-seitige Abschätzung. Diese Option +kann keine Server-seitigen Passwortregelwerke deaktivieren. + + + shadow – benutzt Attribute im Stil von +shadow +5, um abzuschätzen, ob das Passwort +erloschen ist. + + + mit_kerberos – verwendet die von MIT Kerberos benutzten +Attribute, um zu bestimmen, ob das Passwort erloschen ist. 
Verwenden Sie +»chpass_provider=krb5«, um diese Attribute zu aktualisieren, wenn das +Passwort geändert wurde. + + + Voreinstellung: none + + + Hinweis: Falls serverseitig eine Passwortregel +konfiguriert ist, hat diese stets Vorrang vor der mit dieser Option +festgelegten Regel. + + + + + + ldap_referrals (Boolesch) + + + gibt an, ob automatische Verweisverfolgung aktiviert werden soll. + + + Bitte beachten Sie, dass SSSD nur Verweisverfolgung unterstützt, falls es +mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde. + + + Verweisverfolgungen können in Umgebungen, die ausgiebig von ihnen Gebrauch +machen, einen Leistungsnachteil erleiden, ein beachtenswertes Beispiel ist +Microsoft Active Directory. Falls ihre Installation Verweisverfolgungen +nicht tatsächlich benötigt, könnte diese Option auf »false« zu setzen eine +merkliche Leistungsverbesserung bringen. + + + Voreinstellung: »true« + + + + + + ldap_dns_service_name (Zeichenkette) + + + gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll. + + + Voreinstellung: ldap + + + + + + ldap_chpass_dns_service_name (Zeichenkette) + + + gibt den Dienstnamen an, der zum Finden eines LDAP-Servers benutzt werden +soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht. + + + Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert + + + + + + ldap_chpass_update_last_change (Boolesch) + + + gibt an, ob das Attribut »ldap_user_shadow_last_change« nach einer +Passwortänderung mit Unix-Zeit geändert wird. + + + Voreinstellung: False + + + + + + ldap_access_filter (Zeichenkette) + + + Falls access_provider = ldap und ldap_access_order = filter ist +(Voreinstellung), dann ist diese Option obligatorisch. Sie gibt ein +Suchfilterkriterium für LDAP an, dass auf den Benutzer passen muss, damit +diesem Zugriff auf den Host gewährt wird. Falls access_provider = ldap und +ldap_access_order = filter ist und diese Option nicht gesetzt ist, wird +allen Benutzern der Zugriff verweigert. 
Verwenden Sie access_provider = +permit, um dieses Standardverhalten zu ändern. Bitte beachten Sie, dass +dieser Filter nur auf den LDAP-Benutzereintrag angewendet wird und daher die +auf verschachtelten Gruppen basierende Filterung nicht +funktioniert. Beispielsweise zeigt das Active-Directory-Attribut »memberOf« +nur auf die unmittelbaren Eltern. Falls die Filterung basierend auf +verschachtelten Gruppen erforderlich sein sollte, finden Sie genauere +Anweisungen in der Handbuchseite zu +sssd-simple5 +. + + + Beispiel: + + +access_provider = ldap +ldap_access_filter = (employeeType=admin) + + + In diesem Beispiel wird der Zugriff auf diesen Host auf jene Benutzer +beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist. + + + Offline caching for this feature is limited to determining whether the +user's last online login was granted access permission. If they were granted +access during their last login, they will continue to be granted access +while offline and vice versa. + + + Voreinstellung: leer + + + + + + ldap_account_expire_policy (Zeichenkette) + + + Mit dieser Option kann eine Client-seitige Abschätzung der +Zugriffssteuerungsattribute aktiviert werden. + + + Bitte beachten Sie, dass die Server-seitige Zugriffssteuerung generell +empfohlen wird, d.h. der LDAP-Server sollte die Bind-Abfrage sogar dann mit +einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist. + + + Die folgenden Werte sind erlaubt: + + + shadow: verwendet den Wert von +»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist. + + + ad: verwendet den Wert des 32-Bit-Felds +»ldap_user_ad_user_account_control« und ermöglicht den Zugriff, falls das +zweite Bit nicht gesetzt ist. Falls das Attribut fehlt, wird Zugriff +gewährt. Außerdem wird die Ablaufzeit des Kontos geprüft. + + + rhds, ipa, +389ds: verwenden den Wert von »ldap_ns_account_lock«, +um zu prüfen, ob Zugriff erlaubt wird oder nicht. 
+ + + nds: Die Werte von +»ldap_user_nds_login_allowed_time_map«, »ldap_user_nds_login_disabled« und +»ldap_user_nds_login_expiration_time« werden benutzt, um zu überprüfen, ob +Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt. + + + + Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« +»expire« enthalten muss, damit die Option +»ldap_account_expire_policy« funktioniert. + + + Voreinstellung: leer + + + + + + ldap_access_order (Zeichenkette) + + + durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte +sind erlaubt: + + + filter: verwendet »ldap_access_filter«. + + + lockout: use account locking. If set, this option +denies access in case that ldap attribute 'pwdAccountLockedTime' is present +and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. +Please note that 'access_provider = ldap' must be set for this feature to +work. + + + Please note that this option is superseded by the +ppolicy option and might be removed in a future release. + + + + ppolicy: use account locking. If set, this option +denies access in case that ldap attribute 'pwdAccountLockedTime' is present +and has value of '000001010000Z' or represents any time in the past. The +value of the 'pwdAccountLockedTime' attribute must end with 'Z', which +denotes the UTC time zone. Other time zones are not currently supported and +will result in "access-denied" when users attempt to log in. Please see the +option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' must +be set for this feature to work. + + + + expire: verwendet »ldap_account_expire_policy«. + + + pwd_expire_policy_reject, pwd_expire_policy_warn, +pwd_expire_policy_renew: These options are useful if users are +interested in being warned that password is about to expire and +authentication is based on using a different method than passwords - for +example SSH keys. 
+ + + The difference between these options is the action taken if user password is +expired: pwd_expire_policy_reject - user is denied to log in, +pwd_expire_policy_warn - user is still able to log in, +pwd_expire_policy_renew - user is prompted to change his password +immediately. + + + Note If user password is expired no explicit message is prompted by SSSD. + + + Please note that 'access_provider = ldap' must be set for this feature to +work. Also 'ldap_pwd_policy' must be set to an appropriate password policy. + + + authorized_service: verwendet das Attribut +»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird. + + + host: verwendet das Attribut »host«, um zu bestimmen, +ob Zugriff gewährt wird. + + + rhost: use the rhost attribute to determine whether +remote host can access + + + Please note, rhost field in pam is set by application, it is better to check +what the application sends to pam, before enabling this access control +option + + + Voreinstellung: filter + + + Bitte beachten Sie, dass es ein Konfigurationsfehler ist, falls ein Wert +mehr als einmal benutzt wird. + + + + + + ldap_pwdlockout_dn (string) + + + This option specifies the DN of password policy entry on LDAP server. Please +note that absence of this option in sssd.conf in case of enabled account +lockout checking will yield access denied as ppolicy attributes on LDAP +server cannot be checked properly. + + + Example: cn=ppolicy,ou=policies,dc=example,dc=com + + + Default: cn=ppolicy,ou=policies,$ldap_search_base + + + + + + ldap_deref (Zeichenkette) + + + gibt an, wie Alias-Dereferenzierung bei einer Suche erledigt wird. Die +folgenden Optionen sind erlaubt: + + + never: Alias werden nie dereferenziert. + + + searching: Alias werden auf Unterebenen des +Basisobjekts dereferenziert, nicht jedoch beim Orten des Basisobjekts der +Suche. + + + finding: Alias werden nur beim Orten des Basisobjekts +der Suche dereferenziert. 
+ + + always: Alias werden sowohl bei der Suche als auch beim +Orten des Basisobjekts der Suche dereferenziert. + + + Voreinstellung: leer (Dies wird durch LDAP-Client-Bibliotheken wie +never gehandhabt.) + + + + + + ldap_rfc2307_fallback_to_local_users (Boolesch) + + + ermöglich, lokale Anwender als Mitglieder einer LDAP-Gruppe für Server +beizubehalten, die das Schema RFC2307 benutzen. + + + In einigen Umgebungen, in denen das Schema RFC2307 verwendet wird, werden +lokale Benutzer zu Mitgliedern einer LDAP-Gruppe gemacht, indem ihre Namen +dem Attribut »memberUid« hinzugefügt werden. Die eigene Stimmigkeit der +Domain wird dabei kompromittiert, daher würde SSSD normalerweise »fehlende« +Anwender aus den zwischengespeicherten Gruppenmitgliedschaften entfernen, +sobald Nsswitch versucht, Informationen über den Anwender durch Aufrufen von +getpw*() oder initgroups() abzurufen. + + + Diese Option greift auf das Prüfen zurück, ob auf lokale Benutzer Bezug +genommen wird und speichert sie, so dass spätere Aufrufe von »initgroups() +die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden. + + + Voreinstellung: »false« + + + + + + wildcard_limit (integer) + + + Specifies an upper limit on the number of entries that are downloaded during +a wildcard lookup. + + + At the moment, only the InfoPipe responder supports wildcard lookups. + + + Default: 1000 (often the size of one page) + + + + + + + + + + SUDO-OPTIONEN + + Detaillierte Anweisungen zur Konfiguration von sudo_provider finden Sie in +der Handbuchseite zu sssd-sudo +5 . 
+ + + + + + ldap_sudorule_object_class (Zeichenkette) + + + die Objektklasse eines Sudo-Regeleintrags in LDAP + + + Voreinstellung: sudoRole + + + + + + ldap_sudorule_name (Zeichenkette) + + + das LDAP-Attribut, das dem Namen der Sudo-Regel entspricht + + + Voreinstellung: cn + + + + + + ldap_sudorule_command (Zeichenkette) + + + das LDAP-Attribut, das dem Namen des Befehls entspricht + + + Voreinstellung: sudoCommand + + + + + + ldap_sudorule_host (Zeichenkette) + + + das LDAP-Attribut, das dem Rechnernamen (oder der IP-Adresse, dem +IP-Netzwerk oder des Netzwerkgruppe des Rechners) entspricht + + + Voreinstellung: sudoHost + + + + + + ldap_sudorule_user (Zeichenkette) + + + das LDAP-Attribut, das dem Benutzernamen (oder der UID, dem Gruppennamen +oder der Netzwerkgruppe des Benutzers) entspricht + + + Voreinstellung: sudoUser + + + + + + ldap_sudorule_option (Zeichenkette) + + + das LDAP-Attribut, das den Sudo-Optionen entspricht + + + Voreinstellung: sudoOption + + + + + + ldap_sudorule_runasuser (Zeichenkette) + + + das LDAP-Attribut, das dem Benutzernamen entspricht, unter dem Befehle +ausgeführt werden können + + + Voreinstellung: sudoRunAsUser + + + + + + ldap_sudorule_runasgroup (Zeichenkette) + + + das LDAP-Attribut, das dem Gruppennamen oder der GID der Gruppe entspricht, +worunter Befehle ausgeführt werden können + + + Voreinstellung: sudoRunAsGroup + + + + + + ldap_sudorule_notbefore (Zeichenkette) + + + das LDAP-Attribut, das dem Startdatum und der Startzeit entpricht, wann die +Sudo-Regel gültig wird. + + + Voreinstellung: sudoNotBefore + + + + + + ldap_sudorule_notafter (Zeichenkette) + + + das LDAP-Attribut, das dem Ablaufdatum und der Ablaufzeit entspricht, nach +der die Sudo-Regel nicht länger gültig ist. 
+ + + Voreinstellung: sudoNotAfter + + + + + + ldap_sudorule_order (Zeichenkette) + + + das LDAP-Attribut, das dem Reihenfolgenindex der Regel entspricht + + + Voreinstellung: sudoOrder + + + + + + ldap_sudo_full_refresh_interval (Ganzzahl) + + + wie viele Sekunden SSSD zwischen einer vollständigen Aktualisierung von +Sudo-Regeln warten wird (wodurch alle auf dem Server gespeicherten Regeln +heruntergeladen werden) + + + Der Wert muss größer als +ldap_sudo_smart_refresh_interval sein. + + + Voreinstellung: 21600 (6 Stunden) + + + + + + ldap_sudo_smart_refresh_interval (Ganzzahl) + + + wie viele Sekunden SSSD warten soll, bevor ein kluges Aktualisieren der +Sudo-Regeln ausgeführt wird (wodurch alle Regeln, die eine höhere USN als +die höchste USN der zwischengespeicherten Regeln haben, heruntergeladen +werden) + + + Falls vom Server keine USN-Attribute unterstützt werden, wird stattdessen +das Attribut »modifyTimestamp« benutzt. + + + Voreinstellung: 900 (15 Minuten) + + + + + + ldap_sudo_use_host_filter (Boolesch) + + + Falls dies auf »true« gesetzt ist, wird SSSD nur die Regeln herunterladen, +die auf diese Maschine angewandt werden können (mittels der IPv4- oder +IPv6-Netzwerkadressen und Rechnernamen). + + + Voreinstellung: »true« + + + + + + ldap_sudo_hostnames (Zeichenkette) + + + durch Leerzeichen getrennte Listen von Rechnernamen oder voll qualifizierten +Domain-Namen, die zum Filtern der Regeln benutzt werden sollen + + + Falls diese Option leer ist, wird SSSD versuchen, den Rechnernamen und den +voll qualifizierten Domain-Namen automatisch herauszufinden. + + + Falls ldap_sudo_use_host_filter +false ist, hat diese Option keine Auswirkungen. 
+ + + Voreinstellung: nicht angegeben + + + + + + ldap_sudo_ip (Zeichenkette) + + + durch Kommata getrennte Liste von IPv4- oder IPv6-Rechner- beziehungsweise +Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen + + + Falls diese Option leer ist, wird SSSD versuchen, die Adressen automatisch +herauszufinden. + + + Falls ldap_sudo_use_host_filter +false ist, hat diese Option keine Auswirkungen. + + + Voreinstellung: nicht angegeben + + + + + + ldap_sudo_include_netgroups (Boolesch) + + + Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die +eine Netzgruppe im Attribut »sudoHost« enthält. + + + Falls ldap_sudo_use_host_filter +false ist, hat diese Option keine Auswirkungen. + + + Voreinstellung: »true« + + + + + + ldap_sudo_include_regexp (Boolesch) + + + Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die +einen Platzhalter im Attribut »sudoHost« enthält. + + + Falls ldap_sudo_use_host_filter +false ist, hat diese Option keine Auswirkungen. + + + Voreinstellung: »true« + + + + + + + Diese Handbuchseite beschreibt nur das Abbilden von Attributnamen. Eine +umfassende Erklärung der Sudo-bezogenen Attributsemantik finden Sie unter + +sudoers.ldap5 +. + + + + + AUTOFS-OPTIONEN + + Some of the defaults for the parameters below are dependent on the LDAP +schema. + + + + + ldap_autofs_map_master_name (Zeichenkette) + + + Der Name der Automount-Master-Abbildung in LDAP. + + + Voreinstellung: auto.master + + + + + + ldap_autofs_map_object_class (Zeichenkette) + + + die Objektklasse eines Automount-Abbildungseintrags in LDAP + + + Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap + + + + + + ldap_autofs_map_name (Zeichenkette) + + + der Name eines Automount-Abbildungseintrags in LDAP + + + Default: nisMapName (rfc2307, autofs_provider=ad), otherwise +automountMapName + + + + + + ldap_autofs_entry_object_class (Zeichenkette) + + + The object class of an automount entry in LDAP. 
The entry usually +corresponds to a mount point. + + + Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount + + + + + + ldap_autofs_entry_key (Zeichenkette) + + + der Schlüssel eines Automount-Eintrags in LDAP. Normalerweise entspricht der +Eintrag einem Einhängepunkt. + + + Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey + + + + + + + ldap_autofs_entry_value (Zeichenkette) + + + der Schlüssel eines Automount-Eintrags in LDAP. Normalerweise entspricht der +Eintrag einem Einhängepunkt. + + + Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise +automountInformation + + + + + + + + + + ERWEITERTE OPTIONEN + + These options are supported by LDAP domains, but they should be used with +caution. Please include them in your configuration only if you know what you +are doing. + + ldap_netgroup_search_base (Zeichenkette) + + + + + ldap_user_search_base (Zeichenkette) + + + + + ldap_group_search_base (Zeichenkette) + + + + + + If the option ldap_use_tokengroups is enabled, the searches +against Active Directory will not be restricted and return all groups +memberships, even with no GID mapping. It is recommended to disable this +feature, if group names are not being displayed correctly. + + + + ldap_sudo_search_base (Zeichenkette) + + + + + ldap_autofs_search_base (Zeichenkette) + + + + + + + + + + + + + + + BEISPIEL + + Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und +LDAP auf eine der Domains im Abschnitt [domains] +gesetzt ist. + + + +[domain/LDAP] +id_provider = ldap +auth_provider = ldap +ldap_uri = ldap://ldap.mydomain.org +ldap_search_base = dc=mydomain,dc=org +ldap_tls_reqcert = demand +cache_credentials = true + + + + + LDAP ACCESS FILTER EXAMPLE + + The following example assumes that SSSD is correctly configured and to use +the ldap_access_order=lockout. 
+
+
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+ldap_access_order = lockout
+ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
+ldap_uri = ldap://ldap.mydomain.org
+ldap_search_base = dc=mydomain,dc=org
+ldap_tls_reqcert = demand
+cache_credentials = true
+
+
+
+
+
+ ANMERKUNGEN
+
+ Die Beschreibungen einiger Konfigurationsoptionen auf dieser Handbuchseite
+basieren auf der Handbuchseite
+ldap.conf 5
+ der Distribution OpenLDAP 2.4.
+
+
+
+
+
+
+
diff --git a/src/man/de/sssd-simple.5.xml b/src/man/de/sssd-simple.5.xml
new file mode 100644
index 0000000..efb2838
--- /dev/null
+++ b/src/man/de/sssd-simple.5.xml
@@ -0,0 +1,155 @@
+
+
+
+SSSD-Handbuchseiten
+
+
+
+
+ sssd-simple
+ 5
+ Dateiformate und Konventionen
+
+
+
+ sssd-simple
+ die Konfigurationsdatei für den »einfachen« Zugriffssteuerungsanbieter von
+SSSD
+
+
+
+ BESCHREIBUNG
+
+ Diese Handbuchseite beschreibt die Konfiguration des einfachen
+Zugriffssteuerungsanbieters für
+sssd 8
+. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt
+»DATEIFORMAT« der Handbuchseite
+sssd.conf 5
+.
+
+
+ Der einfache Zugriffsanbieter gewährt oder verweigert den Zugriff auf Basis
+einer Zugriffs- oder Verbotsliste von Benutzer- oder Gruppennamen. Es gelten
+die folgenden Regeln:
+
+
+ Falls alle Listen leer sind, wird Zugriff gewährt.
+
+
+
+ Falls irgendeine Liste bereitgestellt wird, ist die Reihenfolge der
+Auswertung »erlauben,verbieten«. Das heißt, dass eine passende verbietende
+Regeln jede passende erlaubende Regel ersetzt.
+
+
+
+
+ Falls eine oder beide »Erlaubnislisten« bereitgestellt werden, ist der
+Zugriff allen Benutzern verboten, sofern sie nicht auf der Liste erscheinen.
+
+
+
+
+ Falls nur »Verbotslisten« bereitgestellt werden, wird der Zugriff allen
+Benutzern gewährt, sofern sie nicht auf der Liste stehen.
+
+
+
+
+
+
+
+ KONFIGURATIONSOPTIONEN
+ Einzelheiten über die Konfiguration einer SSSD-Domain finden Sie im
+Abschnitt »DOMAIN-ABSCHNITTE« der Handbuchseite
+sssd.conf 5
+.
+
+ simple_allow_users (Zeichenkette)
+
+
+ Durch Kommata getrennte Liste von Benutzern, die sich anmelden dürfen.
+
+
+
+
+
+ simple_deny_users (Zeichenkette)
+
+
+ Durch Kommata getrennte Liste von Benutzern, denen der Zugriff explizit
+verwehrt wird.
+
+
+
+
+ simple_allow_groups (Zeichenkette)
+
+
+ Durch Kommata getrennte Liste von Gruppen, die sich anmelden dürfen. Dies
+gilt nur für Gruppen innerhalb dieser SSSD-Domain. Lokale Gruppen werden
+nicht ausgewertet.
+
+
+
+
+
+ simple_deny_groups (Zeichenkette)
+
+
+ Durch Kommata getrennte Liste von Gruppen, denen der Zugriff explizit
+verwehrt wird. Dies gilt nur für Gruppen innerhalb dieser
+SSSD-Domain. Lokale Gruppen werden nicht ausgewertet.
+
+
+
+
+
+
+ Keine Werte für eine der Listen anzugeben ist so, als ob sie ganz
+übersprungen würde. Hüten Sie sich davor, solange Parameter für den
+einfachen Anbieter mittels automatischer Skripte erzeugt werden.
+
+
+ Bitte beachten Sie, das es ein Konfigurationsfehler ist, wenn sowohl
+»simple_allow_users« als auch »simple_deny_users« definiert sind.
+
+
+
+
+ BEISPIEL
+
+ Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und
+example.com eine der im Abschnitt [sssd]
+erwähnten Domains ist. Die Beispiele zeigen nur die anbieterspezifischen
+Optionen des einfachen Anbieters.
+
+
+
+[domain/example.com]
+access_provider = simple
+simple_allow_users = user1, user2
+
+
+
+
+
+ ANMERKUNGEN
+
+ Die vollständige Hierarchie der Gruppenmitgliedschaft wird aufgelöst, bevor
+die Zugriffsprüfung ausgeführt wird. Daher können selbst verschachtelte
+Gruppen Teil der Zugriffslisten werden. Bitte beachten Sie, dass die Option
+ldap_group_nesting_level die Ergebnisse beeinflussen kann und
+daher auf einen ausreichenden Wert gesetzt werden sollte. Siehe
+(
+sssd-ldap5
+).
+
+
+
+
+
+
+
diff --git a/src/man/de/sssd-sudo.5.xml b/src/man/de/sssd-sudo.5.xml
new file mode 100644
index 0000000..af189d5
--- /dev/null
+++ b/src/man/de/sssd-sudo.5.xml
@@ -0,0 +1,196 @@
+
+
+
+SSSD-Handbuchseiten
+
+
+
+
+ sssd-sudo
+ 5
+ Dateiformate und Konventionen
+
+
+
+ sssd-sudo
+ Sudo mit dem SSSD-Backend konfigurieren
+
+
+
+ BESCHREIBUNG
+
+ Diese Handbuchseite beschreibt, wie
+sudo 8
+konfiguriert wird, damit es zusammen mit
+sssd 8
+funktioniert und wie SSSD Sudo-Regeln zwischenspeichert.
+
+
+
+
+ Sudo so konfigurieren, dass es mit SSSD zusammenarbeitet
+
+ Um SSSD als eine Quelle von Sudo-Regeln zu aktivieren, fügen Sie dem Eintrag
+sudoers in
+nsswitch.conf 5
+ sss hinzu.
+
+
+ Um zum Beispiel Sudo so zu konfigurieren, dass es zuerst die Regeln in der
+Standarddatei sudoers
+5 nachschlägt (diese sollten Regeln
+umfassen, die für lokale Benutzer gelten) und dann die in SSSD, sollte die
+Datei »nsswitch.conf« die folgende Zeile enthalten:
+
+
+
+sudoers: files sss
+
+
+
+ Weitere Informationen über die Konfiguration der Suchreihenfolge der
+»sudoers« aus der Datei »nsswitch.conf« sowie das LDAP-Schema, das zum
+Speichern von Sudo-Regeln im Verzeichnis benutzt wird, können Sie unter
+ sudoers.ldap
+5 finden.
+
+
+ Hinweis: Um Netzgruppen oder IPA-Hostgruppen in
+sudo-Regeln verwenden zu können, muss
+nisdomainname 1
+ korrekt auf den entsprechenden NIS-Domainnamen gesetzt
+werden. Dieser entspricht dem IPA-Domainnamen, wenn Hostgruppen verwendet
+werden.
+
+
+
+
+ SSSD zum Abrufen von Sudo-Regeln konfigurieren
+
+ Alle auf der SSSD-Seite erforderliche Konfiguration ist die Erweiterung der
+Liste der Dienste mit "sudo" im Abschnitt [sssd] der
+Handbuchseite zu sssd.conf
+5 . Um LDAP-Suchvorgänge zu
+beschleunigen, können Sie auch die Suchbasis für sudo-Regeln mit der Option
+ldap_sudo_search_base festlegen.
+
+
+ Das folgende Beispiel zeigt, wie SSSD konfiguriert wird, damit es die
+Sudo-Regeln von einem LDAP-Server herunterlädt.
+
+
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = EXAMPLE
+
+[domain/EXAMPLE]
+id_provider = ldap
+sudo_provider = ldap
+ldap_uri = ldap://example.com
+ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
+ It's important to note that on platforms where
+systemd is supported there's no need to add the "sudo" provider to the list
+of services, as it became optional. However, sssd-sudo.socket must be
+enabled instead.
+
+
+ When SSSD is configured to use IPA as the ID provider, the sudo provider is
+automatically enabled. The sudo search base is configured to use the IPA
+native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in
+sssd.conf, this value will be used instead. The compat tree
+(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality.
+
+
+
+
+ Der Zwischenspeichermechanismus für Sudo-Regeln
+
+ Die größte Herausforderung bei der Entwicklung von Sudo-Unterstützung in
+SSSD war es, sicherzustellen, dass beim Ausführen von Sudo mit SSSD die
+Datenquelle dieselbe Benutzererfahrung bereitstellt und so schnell wie Sudo
+ist, aber weiterhin so viele aktuelle Regelsätze wie möglich
+bereitstellt. Um diesen Anforderungen zu genügen, verwendet SSSD drei Arten
+von Aktualisierungen. Sie werden als vollständiges Aktualisieren, kluges
+Aktualisieren und Regelaktualisierung bezeichnet.
+
+
+ Das kluge Aktualisieren lädt periodisch Regeln
+herunter, die neu sind oder seit der letzten Aktualisierung geändert
+wurden. Das Hauptziel hierbei ist es, die Datenbank anwachsen zu lassen,
+indem nur kleine Erweiterungen abgerufen werden, die keinen großen
+Netzwerkverkehr erzeugen.
+
+
+ Das vollständige Aktualisieren löscht einfach alle im
+Zwischenspeicher abgelegten Regeln und ersetzt sie durch die auf dem Server
+gespeicherten Regeln. Dies wird benutzt, um den Zwischenspeicher dadurch
+konsistent zu halten, dass jede von Server gelöschte Regel entfernt
+wird. Ein vollständiges Aktualisieren kann jedoch eine hohe Last erzeugen
+und sollte daher nur gelegentlich abhängig von der Größe und Stabilität der
+Sudo-Regeln ausgeführt werden.
+
+
+ Die Regelaktualisierung stellt sicher, dass dem
+Benutzer nicht mehr Rechte als definiert gewährt werden. Es wird jedesmal
+ausgelöst, wenn der Benutzer Sudo ausführt. Regelaktualisierung wird alle
+Regeln suchen, die für diesen Benutzer gelten, ihren Ablaufzeitpunkt prüfen
+und sie erneut herunterladen, falls sie erloschen sind. Im Fall, dass
+irgendwelche der Regeln auf dem Server fehlen, wird SSSD außer der Reihe ein
+vollständiges Aktualisieren durchführen, da möglicherweise weitere Regeln
+(die für andere Benutzer gelten) gelöscht wurden.
+
+
+ SSSD wird, falls aktiviert, nur Regeln speichern, die auf diese Maschine
+angewandt werden können. Das bedeutet, Regeln, die einen der folgenden Werte
+im Attribut sudoHost enthalten:
+
+
+
+
+ Schlüsselwort ALL
+
+
+
+
+ Platzhalter
+
+
+
+
+ Netzgruppe (in der Form »+Netzgruppe«)
+
+
+
+
+ Rechnername oder voll qualifizierter Domain-Namen dieser Maschine
+
+
+
+
+ eine der IP-Adressen dieser Maschine
+
+
+
+
+ eine der IP-Adressen des Netzwerks (in der Form »Adresse/Maske«)
+
+
+
+
+ Es gibt viele Konfigurationsoptionen, die benutzt werden können, um das
+Verhalten anzupassen. Bitte lesen Sie »ldap_sudo_*« in
+sssd-ldap 5
+ und "sudo_*" in
+sssd.conf 5
+.
+
+
+
+
+
+
+
diff --git a/src/man/de/sssd.8.xml b/src/man/de/sssd.8.xml
new file mode 100644
index 0000000..31127a6
--- /dev/null
+++ b/src/man/de/sssd.8.xml
@@ -0,0 +1,234 @@ + + + +SSSD-Handbuchseiten + + + + + sssd + 8 + + + + sssd + System Security Services Daemon (Systemsicherheitsdienst-Daemon) + + + + +sssd +Optionen + + + + BESCHREIBUNG + + SSSD stellt einen Satz Daemons bereit, um den Zugriff auf +ferne Verzeichnisse und Authentifizierungsmechanismen zu verwalten. Es +bietet eine NSS- und PAM-Schnittstelle zum System und ein erweiterbares +Backend-System zum Verbinden mit mehreren unterschiedlichen Kontenquellen +sowie der D-Bus-Schnittstelle. Es bildet außerdem die Grundlage für das +Bereitstellen von Client-Überprüfungen und Richtliniendiensten für Projekte +wie FreeIPA. Es stellt eine robustere Datenbank bereit, um lokale Benutzer +sowie erweiterte Benutzerdaten zu speichern. + + + + + OPTIONEN + + + + , +STUFE + + + + + + Modus + + + + 1: Den Debug-Nachrichten wird ein Zeitstempel +hinzugefügt. + + + 0: Zeitstempel in Debug-Nachrichten werden deaktiviert. + + + Voreinstellung: 1 + + + + + + Modus + + + + 1: Dem Zeitstempel in Debug-Nachrichten werden +Millisekunden hinzugefügt. + + + 0: Millisekunden werden in Zeitstempeln deaktiviert + + + Voreinstellung: 0 + + + + + + , + + + + sendet die Ausgabe der Fehlersuche in Dateien statt auf die +Standardfehlerausgabe. Standardmäßig werden die Protokolldateien in +/var/log/sssd gespeichert. Dort gibt es separate +Protokolldateien für jeden SSSD-Dienst und jede Domain. + + + This option is deprecated. It is replaced by +. + + + + + + value + + + + Location where SSSD will send log messages. This option overrides the value +of the deprecated option . The deprecated +option will still work if the is not used. + + + stderr: Redirect debug messages to standard error +output. + + + files: Redirect debug messages to the log files. By +default, the log files are stored in /var/log/sssd and +there are separate log files for every SSSD service and domain. 
+ + + journald: Redirect debug messages to systemd-journald + + + Voreinstellung: nicht gesetzt + + + + + + , + + + + wird nach dem Start ein Daemon. + + + + + + , + + + + läuft im Vordergrund und wird kein Daemon. + + + + + + , + + + + gibt eine Konfigurationsdatei an, die nicht Standard ist. Die Voreinstellung +ist /etc/sssd/sssd.conf. Auskunft über die Syntax und +Optionen der Konfigurationsdatei finden Sie in der Handbuchseite + sssd.conf +5 . + + + + + + + + + + + gibt die Versionsnummer aus und beendet sich. + + + + + + + + Signale + + + SIGTERM/SIGINT + + + Informiert SSSD, dass es anstandslos alle Kindprozesse beenden und dann das +Überwachungsprogramm herunterfahren soll. + + + + + SIGHUP + + + teilt SSSD mit, dass es das Schreiben des aktuellen Dateideskriptors zur +Fehlersuche stoppen, ihn schließen und erneut öffnen soll. Dies ist dazu +gedacht, das Rotieren von Protokolldateien mit Programmen wie Logrotate zu +erleichtern. + + + + + SIGUSR1 + + + Tells the SSSD to simulate offline operation for the duration of the +offline_timeout parameter. This is useful for testing. The +signal can be sent to either the sssd process or any sssd_be process +directly. + + + + + SIGUSR2 + + + Tells the SSSD to go online immediately. This is useful for testing. The +signal can be sent to either the sssd process or any sssd_be process +directly. + + + + + + + + ANMERKUNGEN + + Falls die Umgebungsvariable SSS_NSS_USE_MEMCACHE auf »NO« gesetzt ist, +nutzen Client-Anwendungen den schnellen speicherinternen Zwischenspeicher +nicht. + + + + + + + diff --git a/src/man/de/sssd_krb5_locator_plugin.8.xml b/src/man/de/sssd_krb5_locator_plugin.8.xml new file mode 100644 index 0000000..5fcc759 --- /dev/null +++ b/src/man/de/sssd_krb5_locator_plugin.8.xml 
@@ -0,0 +1,68 @@ + + + +SSSD-Handbuchseiten + + + + + sssd_krb5_locator_plugin + 8 + + + + sssd_krb5_locator_plugin + Kerberos Locator-Plugin + + + + BESCHREIBUNG + + Das Kerberos Locator-Plugin sssd_krb5_locator_plugin wird +vom Kerberos-Anbieter von sssd +8 verwendet, um für die +Kerberos-Bibliotheken festzulegen, welcher Realm und KDC verwendet werden +soll. Typischerweise geschieht dies in der Datei +krb5.conf 5 +, die immer von den Kerberos-Bibliotheken gelesen wird. Um +die Konfiguration zu vereinfachen, können Realm und KDC in der Datei + sssd.conf +5 definiert werden, so wie es in der +Handbuchseite zu sssd-krb5 +5 beschrieben ist. + + + sssd 8 + legt den Realm und den Namen oder die IP-Adresse der +Schlüsselverwaltungszentrale (KDC) in den Umgebungsvariablen SSSD_KRB5_REALM +beziehungsweise SSSD_KRB5_KDC ab. Wenn +sssd_krb5_locator_plugin durch die Kerberos-Bibliotheken +aufgerufen wird, liest es diese Variablen, wertet sie aus und gibt sie an +die Bibliotheken zurück. + + + + + ANMERKUNGEN + + Nicht alle Kerberos-Implementierungen unterstützen die Verwendung von +Erweiterungen. Falls sssd_krb5_locator_plugin nicht auf +Ihrem System vorhanden ist, müssen Sie /etc/krb5.conf bearbeiten, damit sie +Ihre Kerberos-Einrichtung widerspiegelt. + + + Falls die Umgebungsvariable SSSD_KRB5_LOCATOR_DEBUG auf irgendeinen Wert +gesetzt ist, werden Debug-Nachrichten an »stderr« gesandt. + + + If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value +the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the +caller. + + + + + + + diff --git a/src/man/es/include/ad_modified_defaults.xml b/src/man/es/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/es/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/es/include/autofs_restart.xml b/src/man/es/include/autofs_restart.xml new file mode 100644 index 0000000..1bbd565 --- /dev/null +++ b/src/man/es/include/autofs_restart.xml @@ -0,0 +1,6 @@ + + Por favor advierta que el automontador sólo lee el mapa maestro en el +arranque, se modo que si se hace cualquier cambio relacionado con autofs al +sssd.conf, usted normalmente también necesitará reiniciar el demonio +automontador después de reiniciar el SSSD. + diff --git a/src/man/es/include/debug_levels.xml b/src/man/es/include/debug_levels.xml new file mode 100644 index 0000000..bb4de34 --- /dev/null +++ b/src/man/es/include/debug_levels.xml 
@@ -0,0 +1,87 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Niveles de depuración actualmente soportados: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Ejemplo: Para registrar fallos fatales, críticos y +serios y datos de función use 0x0270. + + + Example: Para registrar fallos fatales, ajustes de +configuración, datos de función, mensajes de traza para funciones de control +interno use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/es/include/debug_levels_tools.xml b/src/man/es/include/debug_levels_tools.xml new file mode 100644 index 0000000..58661c6 --- /dev/null +++ b/src/man/es/include/debug_levels_tools.xml 
@@ -0,0 +1,73 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Niveles de depuración actualmente soportados: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Ejemplo: Para registrar fallos fatales, críticos y +serios y datos de función use 0x0270. + + + Example: Para registrar fallos fatales, ajustes de +configuración, datos de función, mensajes de traza para funciones de control +interno use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/es/include/experimental.xml b/src/man/es/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/es/include/experimental.xml 
@@ -0,0 +1,2 @@
+ This is an experimental feature, please use
+https://pagure.io/SSSD/sssd/ to report any issues.
diff --git a/src/man/es/include/failover.xml b/src/man/es/include/failover.xml
new file mode 100644
index 0000000..5200e79
--- /dev/null
+++ b/src/man/es/include/failover.xml
@@ -0,0 +1,108 @@ + + CONMUTACIÓN POR ERROR + + La función conmutación en error permite a los finales conmutar +automáticamente a un servidor diferente si el servidor actual falla. + + + Sintaxis de conmutación por error + + La lista de servidores se da como una lista separada por comas; se permite +cualquier número de espacios a los lados de la coma. Los servidores son +listados en orden de preferencia. La lista puede contener cualquier número +de servidores. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + El mecanismo de conmutación por errorEl mecanismo de failover distingue +entre una máquina y un servicio. El punto final intenta primero resolver el +nombre de host de una máquina dada; si el intento de resolución falla, la +máquina es considerada fuera de línea. No se harán más intentos de conexión +con esta máquina para ningún otro servicio. Si el intento de resolución +tiene éxito, el punto final intenta conectar a un servicio en esa +máquina. Si el intento de conexión al servicio falla, entonces sólo se +considera fuera de línea este servicio concreto y el punto final conmutará +automáticamente sobre el siguientes servicio. La máquina se considera que +sigue en línea y se puede intentar el acceso a otros servicios. + + El mecanismo de conmutación por error distingue entre una máquina y un +servicio. El punto final intenta primero resolver el nombre de host de una +máquina dada; si el intento de resolución falla, la máquina es considerada +fuera de línea. No se harán más intentos de conexión con esta máquina para +ningún otro servicio. 
Si el intento de resolución tiene éxito, el punto +final intenta conectar a un servicio en esa máquina. Si el intento de +conexión al servicio falla, entonces sólo se considera fuera de línea este +servicio concreto y el punto final conmutará automáticamente sobre el +siguientes servicio. La máquina se considera que sigue en línea y se puede +intentar el acceso a otros servicios. + + + Los intentos de conexión adicionales son hechos a máquinas o servicios +marcaros como fuera de línea después de un período de tiempo especificado; +esto está codificado a fuego actualmente en 30 segundos. + + + Si no hay más máquinas para intentarlo, el punto final al completo conmutará +al modo fuera de línea y después intentará reconectar cada 30 segundo. + + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. 
Therefore, also the
+ldap_opt_timeout> timeout should be set to a larger value
+than dns_resolver_timeout which in turn should be set to a
+larger value than dns_resolver_op_timeout.
+
+
+
diff --git a/src/man/es/include/homedir_substring.xml b/src/man/es/include/homedir_substring.xml
new file mode 100644
index 0000000..d7533de
--- /dev/null
+++ b/src/man/es/include/homedir_substring.xml
@@ -0,0 +1,17 @@
+
+ homedir_substring (string)
+
+
+ The value of this option will be used in the expansion of the
+override_homedir option if the template contains the
+format string %H. An LDAP directory entry can directly
+contain this template so that this option can be used to expand the home
+directory path for each client machine (or operating system). It can be set
+per-domain or globally in the [nss] section. A value specified in a domain
+section will override one set in the [nss] section.
+
+
+ Default: /home
+
+
+
diff --git a/src/man/es/include/ipa_modified_defaults.xml b/src/man/es/include/ipa_modified_defaults.xml
new file mode 100644
index 0000000..4ad4b45
--- /dev/null
+++ b/src/man/es/include/ipa_modified_defaults.xml
@@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + diff --git a/src/man/es/include/ldap_id_mapping.xml b/src/man/es/include/ldap_id_mapping.xml new file mode 100644 index 0000000..e8007fa --- /dev/null +++ b/src/man/es/include/ldap_id_mapping.xml 
@@ -0,0 +1,284 @@ + + ASIGNACIÓN DE ID + + La función asignación de ID permite a SSSD actuar como un cliente de Active +Directory sin requerir de administradores para extender los atributos de +usuario para soportar atributos POSIX para los identificadores de usuario y +grupo. + + + NOTA: Cuando asignación de ID está habilitado, los atributos uidNumber y +gidNumber son ignorados. Esto es para evitar la posibilidad de conflictos +entre los valores automáticamente asignados y los asignados manualmente. Si +usted necesita usar los valore asignados manualmente, TODOS los valores +deben ser asignados manualmente. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Algoritmo de asignación + + Active Directory suministra un objectSID para cada objeto usuario y grupo en +el directorio. El objectSID puede ser dividido en componente que representan +la identidad del dominio Active Directory y le identificador relativo (RID) +del objeto usuario y grupo. 
+ + + El algoritmo de asignación de ID de SSSD tiene un rango de UIDs disponibles +y lo divide en secciones componente de igual tamaño – llamadas “rebanadas” +-. Cada rebanada representa el espacio disponible para un dominio Active +Directory. + + + Cuando se encuentra por primera vez una entrada de usuario o grupo para un +dominio concreto, SSSD asigna una de las rebanadas disponibles para ese +dominio. Con el objetivo de hacer esta asignación de rebanadas repetible +sobre diferentes máquinas clientes, seleccionamos la rebanada en base al +siguiente algoritmo: + + + La cadena SID pasada a través del algoritmo murmurhash3 para convertirlo en +un valor picado de 32 bit. Después tomamos los módulos de este valor con el +número total de rebanadas disponibles para recoger la rebanada. + + + NOTA: Es posible encontrar colisiones en el picadillo y los módulos +subsiguientes. En estas situaciones, seleccionaremos la siguiente rebanada +disponible, pero puede no ser posible reproducir los mismos conjuntos +exactos de rebanadas sobre otras máquinas (puesto que el orden en que se +encuentren desterminará sus rebanadas). En esta situación, se recomienda o +bien conmutar para usar los atributos explícitos POSIX en Active Directory +(deshabilitando la asignación de ID) o configurar un dominio por defecto +para garantizar que al menos uno sea siempre consistente. Vea +Configuración para detalles. + + + + + Configuración + + Configuración mínima (en la sección [domain/DOMAINNAME]): + + + +ldap_id_mapping = True ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Configuración Avanzada + + + ldap_idmap_range_min (entero) + + + Especifica el límite inferior del rango de IDs POXIS a usar para la +asignación de SIDs de usuario y grupo de Active Directory. 
+ + + NOTA: Esta opción es diferente de min_id en esta +min_id actúa para filtrar la salida de las peticiones a este +dominio, mientras esta opción controla el rango de la asignación de ID. Esto +es una sutil diferencia, pero el buen consejo general sería que +min_id fuera menor o igual que +ldap_idmap_range_min + + + Por defecto: 200000 + + + + + ldap_idmap_range_max (entero) + + + Especifica el límite superior del rango de IDs POXIS a usar para la +asignación de SIDs de usuario y grupo por Active Directory. + + + NOTA: Esta opción es diferente de max_id en esta +max_id actúa para filtrar la salida de las peticiones a este +dominio, mientras esta opción controla el rango de la asignación de ID. Esto +es una sutil diferencia, pero el buen consejo general sería que +max_id fuera menor o igual que +ldap_idmap_range_max + + + Por defecto: 2000200000 + + + + + ldap_idmap_range_size (entero) + + + Especifica el número de IDs disponibles para cada rebanada. Si el rango no +se divide de forma igual entre los valores mínimo y máximo, creará tantas +rebanadas completas como sea posible. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Por defecto: 200000 + + + + + ldap_idmap_default_domain_sid (cadena) + + + Especifica el SID de dominio del dominio por defecto. 
Esto garantizará que +este dominio será asignado siempre a la rebanada cero en el mapa de ID, +sobrepasando el algoritmo murmurhash descrito arriba. + + + Predeterminado: no definido + + + + + ldap_idmap_default_domain (cadena) + + + Especifica el nombre del dominio por defecto. + + + Predeterminado: no definido + + + + + ldap_idmap_autorid_compat (booleano) + + + Cambia el comportamiento del algoritmo de asignación de id para que se +comporte de un modo más similar al algoritmo idmap_autorid de +winbind. + + + Cuando esta opción está configurada, los dominios serán asignados empezando +con la rebanada cero e incrementándose de uno en uno con cada dominio +adicional. + + + NOTA: Este algoritmo no es determinista (depende del orden en que usuario y +grupos son pedidos). Si se requiere este modo para compatibilidad con +máquinas que ejecutan winbind, se recomienda que también use la opción +ldap_idmap_default_domain_sid para garantizar que al menos un +dominio está asignado consistentemente a la rebanada cero. + + + Por defecto: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Predeterminado: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. 
The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. + + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/es/include/ldap_search_bases.xml b/src/man/es/include/ldap_search_bases.xml new file mode 100644 index 0000000..95a6edd --- /dev/null +++ b/src/man/es/include/ldap_search_bases.xml @@ -0,0 +1,33 @@ + + + Una base DN opcional, alcance de la búsqueda y filtro LDAP para búsquedas +LDAP de este tipo de atributo. + + + sintaxis: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + El filtro debe ser un filtro de búsqueda LDAP válido como se especifica en +http://www.ietf.org/rfc/rfc2254.txt + + + Para ejemplos de esta sintaxis, por favor vea la sección de ejemplos de +ldap_search_base + + + Predeterminado: el valor de ldap_search_base + + + Por favor advierta que especificar el alcance o el filtro no está soportado +para búsquedas contra un Active Directory Server que puede ceder un gran +número de resultados y disparar la extensión Range Retrieval en la +respuesta. + + diff --git a/src/man/es/include/local.xml b/src/man/es/include/local.xml new file mode 100644 index 0000000..ebbfa64 --- /dev/null +++ b/src/man/es/include/local.xml 
@@ -0,0 +1,17 @@ + + EL DOMINIO LOCAL + + Con el objetivo de que funcione correctamente, se debe crear un dominio con +id_provider=local y el SSSD debe estar corriendo. + + + El administrador puede desear usar los usuarios locales SSSD en lugar de los +usuarios tradicionales UNIX en los casos donde los grupos anidados (vea + sss_groupadd +8 ) sean necesarios. Los usuarios +locales son también útiles para la prueba y el desarrollo del SSSD sin tener +que desplegar un servidor remoto completo. Las herramientas +sss_user* y sss_group* usan un +almacenamiento LDB local para almacenar usuarios y grupos. + + diff --git a/src/man/es/include/override_homedir.xml b/src/man/es/include/override_homedir.xml new file mode 100644 index 0000000..bef0f7b --- /dev/null +++ b/src/man/es/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (cadena) + + + Anula el directorio home del usuario. Usted puede suministras bien un valor +absoluto o una plantilla. En la plantilla, serán sustituidas las siguientes +secuencias: + + %u + nombre de acceso + + + %U + número UID + + + %d + nombre de dominio + + + %f + nombre totalmente cualificado del usuario (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + El directorio home original recuperado del proveedor de identidad. + + + + %H + + The value of configure option homedir_substring. + + + + %% + un literal ‘%’ + + + + + + Esta opción puede ser también fijada por dominio. + + + ejemplo: +override_homedir = /home/%u + + + + Por defecto: No fijado (SSSD usará el valor recuperado desde LDAP) + + + diff --git a/src/man/es/include/param_help.xml b/src/man/es/include/param_help.xml new file mode 100644 index 0000000..977be27 --- /dev/null +++ b/src/man/es/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Muestra mensaje de ayuda y sale. + + + 
diff --git a/src/man/es/include/param_help_py.xml b/src/man/es/include/param_help_py.xml new file mode 100644 index 0000000..5256f44 --- /dev/null +++ b/src/man/es/include/param_help_py.xml @@ -0,0 +1,10 @@ + + + , + + + + Muestra mensaje de ayuda y sale. + + + diff --git a/src/man/es/include/seealso.xml b/src/man/es/include/seealso.xml new file mode 100644 index 0000000..92e48a2 --- /dev/null +++ b/src/man/es/include/seealso.xml @@ -0,0 +1,61 @@ + + VEA TAMBIEN + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/es/include/service_discovery.xml b/src/man/es/include/service_discovery.xml new file mode 100644 index 0000000..0c9fb55 --- /dev/null +++ b/src/man/es/include/service_discovery.xml 
@@ -0,0 +1,44 @@
+
+ SERVICIO DE DESCUBRIMIENTO
+
+ La función servicio descubridor permite a los puntos finales encontrar
+automáticamente los servidores apropiados a conectar para usar una pregunta
+especial al DNS. Esta función no está soportada por los servidores de
+respaldo.
+
+
+ Configuración
+
+ Si no se especifican servidores, el punto final usar automáticamente el
+servicio descubridor para intentar encontrar un servidor. Opcionalmente, el
+usuario puede elegir utilizar tanto las direcciones de servidor fijadas como
+el servicio descubridor para insertar una palabra clave especial,
+_srv_, en la lista de servidores. El orden de preferencia se
+mantiene. Esta función es útil sí, por ejemplo, el usuario prefiere usar el
+servicio descubridor siempre que sea posible, el volver a un servidor
+específico cuando no se pueden descubrir servidores usando DNS.
+
+
+
+ El nombre de dominio
+
+ Por favor vea el parámetro dns_discovery_domain en la página
+de manual sssd.conf
+5 para más detalles.
+
+
+
+ El protocolo
+
+ Las consultas normalmente especifican _tcp como protocolo. Las excepciones
+se documentan en la descripción de la opción respectiva.
+
+
+
+ Vea también
+
+ Para más información sobre el mecanismo del servicio descubridor, vea el RFC
+2782.
+
+
+
diff --git a/src/man/es/include/upstream.xml b/src/man/es/include/upstream.xml
new file mode 100644
index 0000000..ba04020
--- /dev/null
+++ b/src/man/es/include/upstream.xml
@@ -0,0 +1,3 @@
+
+SSSD The SSSD upstream -
+https://pagure.io/SSSD/sssd/
diff --git a/src/man/es/sss_groupadd.8.xml b/src/man/es/sss_groupadd.8.xml
new file mode 100644
index 0000000..3f5c699
--- /dev/null
+++ b/src/man/es/sss_groupadd.8.xml
@@ -0,0 +1,58 @@ + + + +Páginas de manual de SSSD + + + + + sss_groupadd + 8 + + + + sss_groupadd + Crea un nuevo grupo + + + + +sss_groupadd +options GRUPO + + + + DESCRIPCION + + sss_groupadd cre un nuevo grupo. Estos grupos son +compatibles con grupos POXIS, con la característica adicional que pueden +contener otros grupos como miembros. + + + + + OPCIONES + + + + , GID + + + + Fija el GID del grupo al valor de GID. Si no se +da, se elige automáticamente. + + + + + + + + + + + + + diff --git a/src/man/es/sss_groupdel.8.xml b/src/man/es/sss_groupdel.8.xml new file mode 100644 index 0000000..5c9118b --- /dev/null +++ b/src/man/es/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +Páginas de manual de SSSD + + + + + sss_groupdel + 8 + + + + sss_groupdel + eliminar un grupo + + + + +sss_groupdel +options GRUPO + + + + DESCRIPCION + + sss_groupdel borra del sistema un grupo identificado por +su nombre GROUP. + + + + + OPCIONES + + + + + + + + + + + diff --git a/src/man/es/sss_groupmod.8.xml b/src/man/es/sss_groupmod.8.xml new file mode 100644 index 0000000..5cdf8f1 --- /dev/null +++ b/src/man/es/sss_groupmod.8.xml @@ -0,0 +1,72 @@ + + + +Páginas de manual de SSSD + + + + + sss_groupmod + 8 + + + + sss_groupmod + modifica un grupo + + + + +sss_groupmod +options GROUP + + + + DESCRIPCION + + sss_groupmod modifica el grupo para reflejar los cambios +indicados en la línea de comandos. + + + + + OPCIONES + + + + , +GROUPS + + + + Agrega este grupo a otros grupos que hayan sido indicados con el parámetro +GROUPS. El parámetros +GROUPS es una lista de nombres de grupos +separados por comas. + + + + + + , +GROUPS + + + + Elimina este grupo de los grupos especificados con el parámetro +GROUPS + + + + + + + + + + + + + diff --git a/src/man/es/sss_groupshow.8.xml b/src/man/es/sss_groupshow.8.xml new file mode 100644 index 0000000..4dc5b56 --- /dev/null +++ b/src/man/es/sss_groupshow.8.xml 
@@ -0,0 +1,59 @@ + + + +Páginas de manual de SSSD + + + + + sss_groupshow + 8 + + + + sss_groupshow + imprime las propiedades de un grupo + + + + +sss_groupshow +options GRUPO + + + + DESCRIPCION + + sss_groupshow muestra información sobre un grupo +identificado por su nombre GROUP. La información +incluye el número de ID del grupo, miembros del grupo y padres del grupo. + + + + + OPCIONES + + + + , + + + + También imprime miembros indirectos del grupo en una jerarquía de +árbol. Advierta que esto también afecta a la impresión de los grupos padres +– sin ,, sólo se imprimirá los padres directos. + + + + + + + + + + + + + diff --git a/src/man/es/sss_obfuscate.8.xml b/src/man/es/sss_obfuscate.8.xml new file mode 100644 index 0000000..db8acdf --- /dev/null +++ b/src/man/es/sss_obfuscate.8.xml 
@@ -0,0 +1,97 @@ + + + +Páginas de manual de SSSD + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + oscurecer un password en texto claro + + + + +sss_obfuscate +options [CONTRASEÑA] + + + + DESCRIPCION + + sss_obfuscate convierte una contraseña dada en un formato +no legible y la sitúa en la sección apropiada del dominio del fichero de +configuración SSSD. + + + La contraseña en texto claro es leída desde la entrada estándar e +introducida interactivamente. La contraseña ofuscada se pone en el parámetro +ldap_default_authtok de un dominio SSSD dado y el parámetro +ldap_default_authtok_type se fija a +obfuscated_password. Vea +sssd-ldap 5 + para más detalles sobre estos parámetros. + + + Por favor advierta que oscurecer la contraseña no suministra un +beneficio real de seguridad y es posible para un atacante +mediante ingeniería inversa volver atrás la contraseña. Se recomienda +firmemente el uso de mejores mecanismos de +autenticación como certificados en el lado cliente o GSSAPI. + + + + + OPCIONES + + + + + , + + + + La contraseña a oscurecer será leída desde la entrada estándar. + + + + + + , +DOMINIO + + + + El dominio SSSD en el que usar la contraseña. El nombre por defecto es +default. + + + + + + , +ARCHIVO + + + + Lee el fichero de configuración especificado por el parámetro posicional. + + + Predeterminado: /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/es/sss_seed.8.xml b/src/man/es/sss_seed.8.xml new file mode 100644 index 0000000..76c4e67 --- /dev/null +++ b/src/man/es/sss_seed.8.xml 
@@ -0,0 +1,165 @@ + + + +Páginas de manual de SSSD + + + + + sss_seed + 8 + + + + sss_seed + alimenta el cache SSSD con un usuario + + + + +sss_seed +options -D +DOMAIN -n +USER + + + + DESCRIPCION + + sss_seed alimenta el cache SSSD con una entrada de +usuario y una contresañe temporal. Si una entrada de usuario está ya +presente en el cache SSSD la entrada se actualiza con la contraseña temporal + + + + + + + OPCIONES + + + + , +DOMAIN + + + + Suministra el nombre del dominio del que el usuario es miembro. El dominio +también se usa para recuperar información del usuario. El dominio debe estar +configurado en sssd.conf. La opción DOMAIN debe +ser suministrada. La información recuperada del dominio anula la que se ha +suministrado en las opciones. + + + + + + , +USER + + + + El nombre de usuario de la entrada a ser creado o modificado en el cache. Se +debe suministrar la opción USER. + + + + + + , UID + + + + Fija la UID del usuario a UID. + + + + + + , GID + + + + Fija la GID del usuario a GID. + + + + + + , +COMENTARIO + + + + Cualquier cadena de texto describiendo al usuario. Frecuentemente se usa +como el campo para el nombre completo del usuario. + + + + + + , +HOME_DIR + + + + Fija el directorio home del usuario a HOME_DIR. + + + + + + , +SHELL + + + + Fija la shell de acceso del usuario a SHELL. + + + + + + , + + + + Modo interactivo de introducir información del usuario. Esta opción sólo +preguntará por la información no suministrada en las opciones o recuperada +del dominio. + + + + + + , +PASS_FILE + + + + Especifica el fichero desde donde leer la contraseña del usuario (si no se +especifica se pregunta por la contraseña) + + + + + + + + + NOTAS + + La longitud de la contraseña (o el tamaño especificado con la opción -p or +--password-file) debe ser menos o igual a PASS_MAX bytes ( 64 bytes en +sistemas sin valor PASS_MAX globalmente definido). + + + + + + + + + + 
diff --git a/src/man/es/sss_useradd.8.xml b/src/man/es/sss_useradd.8.xml
new file mode 100644
index 0000000..4a0f283
--- /dev/null
+++ b/src/man/es/sss_useradd.8.xml
@@ -0,0 +1,167 @@ + + + +Páginas de manual de SSSD + + + + + sss_useradd + 8 + + + + sss_useradd + Crea un nuevo usuario + + + + +sss_useradd +options LOGIN + + + + DESCRIPCION + + sss_useradd crea una nueva cuenta de usuario usando los +valores especificados en la línea de comandos más los valores por defecto +del sistema. + + + + + OPCIONES + + + + , UID + + + + Fija la UID del usuario al valor de UID. Si no se +da, se elige automáticamente. + + + + + + , +COMENTARIO + + + + Cualquier cadena de texto describiendo al usuario. Frecuentemente se usa +como el campo para el nombre completo del usuario. + + + + + + , +HOME_DIR + + + + El directorio home de la cuenta de usuario. Por defecto se añade el nombre +LOGIN a /home y utiliza esto +como directorio home. La base de que se antepondrá antes +LOGIN es sintonizable con el ajuste +user_defaults/baseDirectory en sssd.conf. + + + + + + , +SHELL + + + + La shell de acceso del usuario. Por defecto es actualmente +/bin/bash. El valor por defecto puede ser cambiado con +el ajuste user_defaults/defaultShell en sssd.conf. + + + + + + , +GRUPOS + + + + Una lista de grupos existentes de los que el usuario también es miembro. + + + + + + , + + + + Crea el directorio home del usuario si no existe. Los ficheros y directorios +contenidos en el directorio esqueleto (que pueden ser definidos con la +opción –k o en el fichero de configuración) serán copiados en el directorio +home. + + + + + + , + + + + No se crear el directorio principal del usuario. Reemplaza los valores de +configuración. + + + + + + , +SKELDIR + + + + El directorio esqueleto, que contiene ficheros y directorios a copiar en el +directorio home del usuario, cuando el directorio home es creado por +sss_useradd. + + + Special files (block devices, character devices, named pipes and unix +sockets) will not be copied. + + + Esta opción sólo es válida si se ha especificado la opción + (o ), o la creación de +directorios home está fijada a TRUE en la configuración. 
+ + + + + + , +SELINUX_USER + + + + El usuario SELinux para el acceso de usuario. Si no se especifica, se usará +el valor por defecto del sistema. + + + + + + + + + + + + + diff --git a/src/man/es/sss_userdel.8.xml b/src/man/es/sss_userdel.8.xml new file mode 100644 index 0000000..5f3334c --- /dev/null +++ b/src/man/es/sss_userdel.8.xml @@ -0,0 +1,92 @@ + + + +Páginas de manual de SSSD + + + + + sss_userdel + 8 + + + + sss_userdel + eliminar una cuenta de usuario + + + + +sss_userdel +options LOGIN + + + + DESCRIPCION + + sss_userdel borra del sistema un usuario identificado por +su nombre de acceso LOGIN. + + + + + OPCIONES + + + + + , + + + + Los ficheros en el directorio home del usuario serán borrados así como el +directorio home mismo y el buzón de correo del usuario. Reescribe la +configuración. + + + + + + , + + + + Los ficheros en el directorio home del usuario NO serán borrados así como el +directorio home mismo y el buzón de correo del usuario. Reescribe la +configuración. + + + + + + , + + + + Esta opción fuerza a sss_userdel a borrar el directorio +home del usuario y el buzón de correo, aunque no sea propiedad del usuario +especificado. + + + + + + , + + + + Antes de realmente eliminar al usuario, terminar todos sus procesos. + + + + + + + + + + + + diff --git a/src/man/es/sss_usermod.8.xml b/src/man/es/sss_usermod.8.xml new file mode 100644 index 0000000..58724ff --- /dev/null +++ b/src/man/es/sss_usermod.8.xml 
@@ -0,0 +1,169 @@ + + + +Páginas de manual de SSSD + + + + + sss_usermod + 8 + + + + sss_usermod + Modifica una cuenta de usuario + + + + +sss_usermod +options LOGIN + + + + DESCRIPCION + + sss_usermod modifica la cuenta especificada por +LOGIN para reflejar los cambios que se han +especificado en la línea de comando. + + + + + OPCIONES + + + + , +COMENTARIO + + + + Cualquier cadena de texto describiendo al usuario. Frecuentemente se usa +como el campo para el nombre completo del usuario. + + + + + + , +HOME_DIR + + + + El directorio principal de la cuenta de usuario. + + + + + + , +SHELL + + + + Shell de inicio de sesión del usuario. + + + + + + , +GROUPS + + + + Añade este usuario a los grupos especificados por el parámetro +GROUPS. El parámetro +GROUPS es una lista separada por comas de nombres +de grupo. + + + + + + , +GROUPS + + + + Borrar este usuario de los grupos especificados por el parámetro +GROUPS. + + + + + + , + + + + Bloquea la cuenta de usuario. El usuario no será capaz de acceder. + + + + + + , + + + + Desbloquea la cuenta de usuario. + + + + + + , +SELINUX_USER + + + + El usuario SELinux para el acceso del usuario. + + + + + + ATTR_NAME_VAL + + + + Add an attribute/value pair. The format is attrname=value. + + + + + + ATTR_NAME_VAL + + + + Set an attribute to a name/value pair. The format is attrname=value. For +multi-valued attributes, the command replaces the values already present + + + + + + ATTR_NAME_VAL + + + + Delete an attribute/value pair. The format is attrname=value. + + + + + + + + + + + + + diff --git a/src/man/es/sssd-simple.5.xml b/src/man/es/sssd-simple.5.xml new file mode 100644 index 0000000..d047b58 --- /dev/null +++ b/src/man/es/sssd-simple.5.xml 
@@ -0,0 +1,152 @@ + + + +Páginas de manual de SSSD + + + + + sssd-simple + 5 + Formatos de archivo y convenciones + + + + sssd-simple + el fichero de configuración para en proveedor de control de acceso 'simple' +de SSSD + + + + DESCRIPCION + + Esta página de manual describe la configuración del proveedor de control de +acceso simple para sssd +8 . Para una referencia detallada de +sintaxis, vea la sección FILE FORMAT de la página de manual + sssd.conf +5 . + + + El proveedor de acceso simple otorga o deniega el acceso en base a una lista +de acceso o denegación de usuarios o grupo de nombres. Se aplican las +siguientes reglas: + + + Si todas las listas están vacías, se concede acceso + + + + Si se ha suministrado alguna lista, el orden de evaluación es +permitir,denegar. Esto significa que cualquier regla de denegación será +saltada por cualquier regla de permiso coincidente. + + + + + Si una o ambas listas de "permiso" se suministran, todos los usuarios serán +denegados a no ser que aparezcan en la lista. + + + + + Si sólo se suministran listas de "denegación", todos los usuarios obtendran +acceso a no ser que aparezcan en la lista. + + + + + + + + OPCIONES DE CONFIGURACIÓN + Vea la sección DOMAIN SECTIONS de la página de manual + sssd.conf +5 para detalles sobre la +configuración de un dominio SSSD. + + simple_allow_users (cadena) + + + Lista separada por comas de usuarios a los está permitido el acceso. + + + + + + simple_deny_users (cadena) + + + Lista separada por comas de usuarios a los que explicítamente se les deniega +el acceso. + + + + + simple_allow_groups (cadena) + + + Lista separada por comas de grupos que tienen permitido el acceso. Esto se +aplica sólo a los grupos dentro del dominio SSSD. Los grupos locales no +serán evaluados. + + + + + + simple_deny_groups (cadena) + + + Lista separada por comas de grupos a los que explicítamente se les deniega +el acceso. Esto se aplica sólo a los grupos dentro del dominio SSSD. 
Los +grupos locales no serán evaluados. + + + + + + + No especificando valores para ninguna de las listas es equivalente a +saltarle totalmente. Tenga cuidado de esto mientras genera parámetros para +el simple proveedor usando secuencias de comandos automatizadas. + + + Por favor advierta que es un error de configuración si tanto, +simple_allow_users como simple_deny_user, están definidos. + + + + + EJEMPLO + + El siguiente ejemplo asume que SSSD está correctamente configurado y +example.com es uno de los dominios en la sección +[sssd]. Este ejemplo muestra sólo las opciones +específicas del proveedor de acceso simple. + + + +[domain/example.com] +access_provider = simple +simple_allow_users = user1, user2 + + + + + + NOTAS + + The complete group membership hierarchy is resolved before the access check, +thus even nested groups can be included in the access lists. Please be +aware that the ldap_group_nesting_level option may impact the +results and should be set to a sufficient value. ( +sssd-ldap5 +) option. + + + + + + + diff --git a/src/man/es/sssd-sudo.5.xml b/src/man/es/sssd-sudo.5.xml new file mode 100644 index 0000000..4c37a77 --- /dev/null +++ b/src/man/es/sssd-sudo.5.xml 
@@ -0,0 +1,193 @@ + + + +Páginas de manual de SSSD + + + + + sssd-sudo + 5 + Formatos de archivo y convenciones + + + + sssd-sudo + Configuración de sudo con el motor de SSSD + + + + DESCRIPCION + + Esta página de manual describe como configurar +sudo 8 +para trabajar con sssd +8 y como SSSD esconde reglas sudo. + + + + + Configurando sudo para cooperar con SSSD + + Para habilitar SSSD como una fuente de reglas sudo, añada +sss a la entrada sudoers en + nsswitch.conf +5 . + + + Por ejemplo, para configurar sudo para primero buscar reglas en el fichero + sudoers +5 estándar (que contendría reglas +para aplicar al usuario local) y después en SSSD, el fichero nsswitch.conf +contiene la siguiente línea: + + + +sudoers: files sss + + + + Más información sobre la configuración del orden de búsqueda de sudoers +desde el fichero nsswuitch.conf así información sobre el esquema LDAP que se +usa para almacenar reglas sudo en el directorio se puede encontrar en + sudoers.ldap +5 . + + + Note: in order to use netgroups or IPA hostgroups in +sudo rules, you also need to correctly set +nisdomainname 1 + to your NIS domain name (which equals to IPA domain name +when using hostgroups). + + + + + Configurando SSSD para ir a buscar reglas sudo + + All configuration that is needed on SSSD side is to extend the list of +services with "sudo" in [sssd] section of + sssd.conf +5 . To speed up the LDAP lookups, you +can also set search base for sudo rules using +ldap_sudo_search_base option. + + + El siguiente ejemplo muestra como configurar SSSD para descargar reglas sudo +desde un servidor LDAP. + + + +[sssd] +config_file_version = 2 +services = nss, pam, sudo +domains = EXAMPLE + +[domain/EXAMPLE] +id_provider = ldap +sudo_provider = ldap +ldap_uri = ldap://example.com +ldap_sudo_search_base = ou=sudoers,dc=example,dc=com + It's important to note that on platforms where +systemd is supported there's no need to add the "sudo" provider to the list +of services, as it became optional. 
However, sssd-sudo.socket must be +enabled instead. + + + When SSSD is configured to use IPA as the ID provider, the sudo provider is +automatically enabled. The sudo search base is configured to use the IPA +native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in +sssd.conf, this value will be used instead. The compat tree +(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality. + + + + + El mecanismo de almacenamiento en cache de regla SUDO + + El mayor desafío, cuando se desarrolla soporte sudo en SSSD, fue asegurar +que ejecutando sudo con SSSD como la fuente de datos suministre la misma +experiencia de usuario y sea tan rápido como sudo pero se mantenga +proporcionando el conjunto más actual de reglas como sea posible. Para +satisfacer estos requisitos, SSSD usa tres clases de actualizaciones. A +ellas nos referimos como refresco total, refresco inteligente y refresco de +reglas. + + + El refresco inteligente periódicamente descarga reglas +que son nuevas o fueron modificadas desde la última actualización. Su +objetivo principal es mantener la base de datos creciendo mediante la +atracción de pequeños incrementos que no generen grandes cantidades de +tráfico de red. + + + full refresh simplemente refresca todas las reglas sudo +almacenadas en el cache y las reemplaza con las reglas que están almacenadas +en el servidor. Esto se usa para mantener el cache consistente borrando cada +regla que fue borrada del servidor. Sin embargo, un refresco total puede +producir gran cantidad de tráfico y por lo tanto debería ser ejecutado sólo +ocasionalmente dependiendo del tamaño y de la estabilidad de las reglas +sudo. + + + El refresco de reglas asegura que no concedamos más +permisos al usuario que los definidos. Se dispara cada vez que el usuario +ejecuta sudo. El refresco de reglas encontrará todas las reglas que se +apliquen a ese usuario, comprobará su tiempo de expiración y las recargará +si han expirado. 
En el caso de que alguna de esas reglas estén desaparecidas +del servidor, SSSD hará un refresco total fuera de banda puesto que más +reglas (que apliquen a otros usuarios) pueden haber sido borradas. + + + Si está habilitado, SSSD almacenará sólo las reglas que pueden ser aplicadas +a esa máquina. Esto indica reglas que contienen uno de los siguientes +valores en el atributo sudoHost: + + + + + keyword ALL + + + + + comodines + + + + + netgroup (en la forma "+netgroup") + + + + + nombre de host o nombre de dominio totalmente cualificado de esta máquina + + + + + una de las direcciones IP de esta máquina + + + + + una de las direcciones IP de la red (en la forma "dirección/máscara") + + + + + Hay muchas opciones de configuración que pueden ser usadas para ajustar el +comportamiento. Por favor vea "ldap_sudo_*" en +sssd-ldap 5 + y "sudo_*" en +sssd.conf 5 +. + + + + + + + diff --git a/src/man/es/sssd.8.xml b/src/man/es/sssd.8.xml new file mode 100644 index 0000000..a872f23 --- /dev/null +++ b/src/man/es/sssd.8.xml 
@@ -0,0 +1,230 @@ + + + +Páginas de manual de SSSD + + + + + sssd + 8 + + + + sssd + System Security Services Daemon + + + + +sssd +options + + + + DESCRIPCION + + SSSD suministra un conjunto de demonios para gestionar el +acceso a directorios remotos y mecanismos de autenticación. Suministra una +interfaz NSS y PAM hacia el sistema y un sistema de parte trasera conectable +para conectar múltiples fuentes de cuentas diferentes así como interfaz +D-Bus. Es también la base para suministrar servicios de auditoría y política +a los clientes para proyectos como FreeIPA. Suministra una base de datos más +robusta para almacenar los usuarios locales así como datos de usuario +extendidos. + + + + + OPCIONES + + + + , +NIVEL + + + + + + mode + + + + 1: Agregar marca de tiempo a mensajes de depuración + + + 0: Desactiva marca de tiempo en mensajes de depuración + + + Predeterminado: 1 + + + + + + mode + + + + 1: Agregar microsegundos a la marca de tiempo en +mensajes de depuración + + + 0: Desactiva microsegundos en marcas de tiempo + + + Predeterminado: 0 + + + + + + , + + + + Envía la salida de depuración a ficheros en lugar de a stderr. Por defecto, +los ficheros de registro se almacenan en /var/log/sssd +y hay ficheros de registro separados para cada servicio y dominio SSSD. + + + This option is deprecated. It is replaced by +. + + + + + + value + + + + Location where SSSD will send log messages. This option overrides the value +of the deprecated option . The deprecated +option will still work if the is not used. + + + stderr: Redirect debug messages to standard error +output. + + + files: Redirect debug messages to the log files. By +default, the log files are stored in /var/log/sssd and +there are separate log files for every SSSD service and domain. + + + journald: Redirect debug messages to systemd-journald + + + Predeterminado: no definido + + + + + + , + + + + Convertido en un demonio después de la puesta en marcha. 
+ + + + + + , + + + + Ejecutar en primer plano, no convertirse en un demonio. + + + + + + , + + + + Especifica un fichero de configuración distinto al de por defecto. El por +defecto es /etc/sssd/sssd.conf. Para referencia sobre +las opciones y sintaxis del fichero de configuración, consulta la página de +manual sssd.conf +5 . + + + + + + + + + + + Imprimir número de versión y salir. + + + + + + + + Señales + + + SIGTERM/SIGINT + + + Informa a SSSD para terminar graciosamente todos sus procesos hijos y +después para el monitor. + + + + + SIGHUP + + + Le dice a SSSD que pare de escribir en su fichero descriptor de depuración +actual y cerrar y reabrirlo. Esto significa facilitar la circulación de +registro con programas como logrotate. + + + + + SIGUSR1 + + + Tells the SSSD to simulate offline operation for the duration of the +offline_timeout parameter. This is useful for testing. The +signal can be sent to either the sssd process or any sssd_be process +directly. + + + + + SIGUSR2 + + + Tells the SSSD to go online immediately. This is useful for testing. The +signal can be sent to either the sssd process or any sssd_be process +directly. + + + + + + + + NOTAS + + If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client +applications will not use the fast in memory cache. + + + + + + + diff --git a/src/man/eu/include/ad_modified_defaults.xml b/src/man/eu/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/eu/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend provider
+defaults, these option names and AD provider-specific defaults are listed
+below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_enterprise_principal = true
+
+
+
+
+
+ LDAP Provider
+
+
+
+ ldap_schema = ad
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_id_mapping = true
+
+
+
+
+ ldap_sasl_mech = gssapi
+
+
+
+
+ ldap_referrals = false
+
+
+
+
+ ldap_account_expire_policy = ad
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+
+
+ The AD provider looks for a different principal than the LDAP provider by
+default, because in an Active Directory environment the principals are
+divided into two groups - User Principals and Service Principals. Only User
+Principal can be used to obtain a TGT and by default, computer object's
+principal is constructed from its sAMAccountName and the AD realm. The
+well-known host/hostname@REALM principal is a Service Principal and thus
+cannot be used to get a TGT with.
+
+
+
+
+
diff --git a/src/man/eu/include/autofs_restart.xml b/src/man/eu/include/autofs_restart.xml
new file mode 100644
index 0000000..f31efe5
--- /dev/null
+++ b/src/man/eu/include/autofs_restart.xml
@@ -0,0 +1,5 @@
+
+ Please note that the automounter only reads the master map on startup, so if
+any autofs-related changes are made to the sssd.conf, you typically also
+need to restart the automounter daemon after restarting the SSSD.
+
diff --git a/src/man/eu/include/debug_levels.xml b/src/man/eu/include/debug_levels.xml
new file mode 100644
index 0000000..5148252
--- /dev/null
+++ b/src/man/eu/include/debug_levels.xml
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/eu/include/debug_levels_tools.xml b/src/man/eu/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/eu/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/eu/include/experimental.xml b/src/man/eu/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/eu/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/eu/include/failover.xml b/src/man/eu/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/eu/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/eu/include/homedir_substring.xml b/src/man/eu/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/eu/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/eu/include/ipa_modified_defaults.xml b/src/man/eu/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/eu/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/eu/include/ldap_id_mapping.xml b/src/man/eu/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/eu/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/eu/include/ldap_search_bases.xml b/src/man/eu/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/eu/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/eu/include/local.xml b/src/man/eu/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/eu/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/eu/include/override_homedir.xml b/src/man/eu/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/eu/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/eu/include/param_help.xml b/src/man/eu/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/eu/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/eu/include/param_help_py.xml b/src/man/eu/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/eu/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/eu/include/seealso.xml b/src/man/eu/include/seealso.xml new file mode 100644 index 0000000..9b5b28a --- /dev/null +++ b/src/man/eu/include/seealso.xml @@ -0,0 +1,61 @@ + + SEE ALSO + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/eu/include/service_discovery.xml b/src/man/eu/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/eu/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/eu/include/upstream.xml b/src/man/eu/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/eu/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/fi/include/ad_modified_defaults.xml b/src/man/fi/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/fi/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/fi/include/autofs_restart.xml b/src/man/fi/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/fi/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/fi/include/debug_levels.xml b/src/man/fi/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/fi/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/fi/include/debug_levels_tools.xml b/src/man/fi/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/fi/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/fi/include/experimental.xml b/src/man/fi/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/fi/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/fi/include/failover.xml b/src/man/fi/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/fi/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/fi/include/homedir_substring.xml b/src/man/fi/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/fi/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/fi/include/ipa_modified_defaults.xml b/src/man/fi/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/fi/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/fi/include/ldap_id_mapping.xml b/src/man/fi/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..9830f8b
--- /dev/null
+++ b/src/man/fi/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Oletus: ei asetettu + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Oletus: ei asetettu + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/fi/include/ldap_search_bases.xml b/src/man/fi/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/fi/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/fi/include/local.xml b/src/man/fi/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/fi/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/fi/include/override_homedir.xml b/src/man/fi/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/fi/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/fi/include/param_help.xml b/src/man/fi/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/fi/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/fi/include/param_help_py.xml b/src/man/fi/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/fi/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/fi/include/seealso.xml b/src/man/fi/include/seealso.xml new file mode 100644 index 0000000..9b5b28a --- /dev/null +++ b/src/man/fi/include/seealso.xml @@ -0,0 +1,61 @@ + + SEE ALSO + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/fi/include/service_discovery.xml b/src/man/fi/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/fi/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/fi/include/upstream.xml b/src/man/fi/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/fi/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/fr/include/ad_modified_defaults.xml b/src/man/fr/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/fr/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/fr/include/autofs_restart.xml b/src/man/fr/include/autofs_restart.xml new file mode 100644 index 0000000..3873c56 --- /dev/null +++ b/src/man/fr/include/autofs_restart.xml @@ -0,0 +1,6 @@ + + Veuillez noter que l'automounter ne lit que la carte maîtresse au +démarrage. Ainsi, si des modifications liées à autofs sont apportées à +sssd.conf, vous devrez généralement redémarrer le démon automounter après le +redémarrage de SSSD + diff --git a/src/man/fr/include/debug_levels.xml b/src/man/fr/include/debug_levels.xml new file mode 100644 index 0000000..ebab7bf --- /dev/null +++ b/src/man/fr/include/debug_levels.xml 
@@ -0,0 +1,89 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Niveaux de débogage actuellement pris en charge : + + + 0, 0x0010 : défaillances +fatales. Tout ce qui empêcherait SSSD de démarrer ou provoquerait son arrêt. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040 : défaillances +graves. Une erreur qui annonce qu'une requête particulière ou une opération +a échoué. + + + 3, 0x0080 : erreurs mineures. Ce +sont les erreurs qui seraient susceptibles d'empirer pour provoquer l'erreur +en 2. + + + 4, 0x0100 : paramètres de +configuration. + + + 5, 0x0200 : données de +fonctionnement. + + + 6, 0x0400 : traçage des fonctions +opérationnelles. + + + 7, 0x1000 : traçage des fonctions +de contrôles internes. + + + 8, 0x2000 : contenu des variables +internes de fonctions pouvent être intéressantes. + + + 9, 0x4000 : informations de +traçage de bas niveau. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Exemple : pour suivre erreurs fatales, critiques, +graves et les données de fonction, utiliser 0x0270. + + + Exemple : pour consigner les erreurs fatales, les +paramètres de configuration, les données de fonction, les messages de trace +pour les fonctions de contrôle interne, utiliser 0x1310. + + + Note : le format des niveaux de débogage a été +introduit dans la version 1.7.0. + + + Par défaut : 0 + + diff --git a/src/man/fr/include/debug_levels_tools.xml b/src/man/fr/include/debug_levels_tools.xml new file mode 100644 index 0000000..44eaec1 --- /dev/null +++ b/src/man/fr/include/debug_levels_tools.xml 
@@ -0,0 +1,75 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Niveaux de débogage actuellement pris en charge : + + + 0, 0x0010 : défaillances +fatales. Tout ce qui empêcherait SSSD de démarrer ou provoquerait son arrêt. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040 : défaillances +graves. Une erreur qui annonce qu'une requête particulière ou une opération +a échoué. + + + 3, 0x0080 : erreurs mineures. Ce +sont les erreurs qui seraient susceptibles d'empirer pour provoquer l'erreur +en 2. + + + 4, 0x0100 : paramètres de +configuration. + + + 5, 0x0200 : données de +fonctionnement. + + + 6, 0x0400 : traçage des fonctions +opérationnelles. + + + 7, 0x1000 : traçage des fonctions +de contrôles internes. + + + 8, 0x2000 : contenu des variables +internes de fonctions pouvent être intéressantes. + + + 9, 0x4000 : informations de +traçage de bas niveau. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Exemple : pour suivre erreurs fatales, critiques, +graves et les données de fonction, utiliser 0x0270. + + + Exemple : pour consigner les erreurs fatales, les +paramètres de configuration, les données de fonction, les messages de trace +pour les fonctions de contrôle interne, utiliser 0x1310. + + + Note : le format des niveaux de débogage a été +introduit dans la version 1.7.0. + + + Par défaut : 0 + + diff --git a/src/man/fr/include/experimental.xml b/src/man/fr/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null 
+++ b/src/man/fr/include/experimental.xml
@@ -0,0 +1,2 @@
+ This is an experimental feature, please use
+https://pagure.io/SSSD/sssd/ to report any issues.
diff --git a/src/man/fr/include/failover.xml b/src/man/fr/include/failover.xml
new file mode 100644
index 0000000..671eb09
--- /dev/null
+++ b/src/man/fr/include/failover.xml
@@ -0,0 +1,103 @@ + + BASCULE + + La fonctionnalité de bascule autorise le moteur à basculer automatiquement +sur un serveur différent si le serveur actuel est défaillant. + + + Syntaxe de bascule + + La liste des serveurs est donnée sous forme de liste séparée par des +virgules ; un nombre quelconque d'espaces est autorisé autour de la +virgule. Les serveurs sont répertoriés par ordre de préférence. La liste +peut contenir un nombre quelconque de serveurs. + + + Pour chaque option de configuration alors que la bascule est activée, il +existe deux variantes : primary et +backup. L'idée est que les serveurs dans la liste +principale sont préférés et les serveurs de secours sont interrogés +uniquement si aucun serveur primaire ne peut être atteint. Si un serveur de +secours est sélectionné, un délai d'attente de 31 secondes est défini. Après +ce délai d'attente, SSSD tentera périodiquement de se reconnecter à un des +serveurs primaires. S'il réussit, il remplacera l'actuel serveur (de +secours) actif. + + + + Mécanisme de bascule + + Le mécanisme de bascule fait la distinction entre une machine et d'un +service. Le moteur tente d'abord de résoudre le nom d'hôte d'un ordinateur +donné ; en cas d'échec de cette tentative de résolution, la machine est +considérée comme hors ligne. Aucune autre tentative n'est faite pour se +connecter à cette machine pour tout autre service. Si la tentative de +résolution réussit, le serveur principal tente de se connecter à un service +sur cette machine. Si la tentative de connexion de service échoue, alors ce +seul service est considéré comme hors ligne et le moteur passe +automatiquement au service suivant. La machine est toujours considérée en +ligne et peut toujours être considérée pour une tentative d'accès à un autre +service. + + + Les tentatives de connexion ultérieures sont faites vers des machines ou des +services marqués comme hors connexion après un délai spécifié ; ce délai est +actuellement spécifié en dur à 30 secondes. 
+ + + S'il n'y a plus aucune machine à essayer, le moteur dans son ensemble +bascule dans le mode hors connexion et tente ensuite de se reconnecter +toutes les 30 secondes. + + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/fr/include/homedir_substring.xml b/src/man/fr/include/homedir_substring.xml new file mode 100644 index 0000000..77e861a --- /dev/null +++ b/src/man/fr/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (chaîne) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Par défaut : /home + + + diff --git a/src/man/fr/include/ipa_modified_defaults.xml b/src/man/fr/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/fr/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/fr/include/ldap_id_mapping.xml b/src/man/fr/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..e9addd2
--- /dev/null
+++ b/src/man/fr/include/ldap_id_mapping.xml
@@ -0,0 +1,288 @@ + + CORRESPONDANCE D'IDENTIFIANTS + + La fonctionnalité de correspondance d'ID permet à SSSD d'agir comme un +client de Active Directory sans demander aux administrateurs d'étendre les +attributs utilisateur pour prendre en charge les attributs POSIX pour les +identifiants d'utilisateur et de groupe. + + + Remarque : Lorsque la mise en correspondance des ID est activée, les +attributs uidNumber et gidNumber sont ignorés. Ceci afin d'éviter les +risques de conflit entre les valeurs attribuées automatiquement et assignées +manuellement. Si vous avez besoin d'utiliser des valeurs attribuées +manuellement, TOUTES les valeurs doivent être assignées manuellement. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Arrêter le service SSSD + + + + + Supprimer la base de donnée + + + + + Démarrer le service SSSD + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Algorithme de correspondance + + Active Directory fournit un objectSID pour chaque objet d'utilisateur et de +groupe dans l'annuaire. Cet objectSID peut être divisé en composants qui +représentent l'identité de domaine Active Directory et l'identificateur +relatif (RID) de l'objet utilisateur ou groupe. 
+ + + L'algorithme de mise en correspondance des ID de SSSD tient un éventail +d'uid disponibles et le divise en sections de même taille, appelées « +tranches ». Chaque tranche représente l'espace disponible dans un domaine +Active Directory. + + + Lorsqu'une entrée d'utilisateur ou de groupe pour un domaine particulier est +rencontrée pour la première fois, SSSD alloue une des plages disponibles +pour ce domaine. Afin de rendre cette affectation de plage reproductible sur +les ordinateurs clients différents, l'algorithme de sélection de plage +suivant est utilisé : + + + La chaîne du SID est passée par l'intermédiaire de l'algorithme murmurhash3 +pour le convertir en une valeur de hachage de 32 bits. Nous prenons ensuite +le modulo de cette valeur avec le nombre total des tranches disponibles pour +prendre la tranche. + + + Remarque : Il est possible de rencontrer les collisions dans le hachage et +le modulo en découlant. Dans ces situations, la tranche suivante disponible +sera sélectionnée, mais il n'est pas possible de reproduire le même jeu +exact des tranches sur d'autres machines (puisque l'ordre dans lequel elles +sont rencontrées déterminera leur tranche). Dans ce cas, il est recommandé +de passer à l'utilisation des attributs POSIX explicites dans Active +Directory (en désactivant la correspondance d'ID) ou configurer un domaine +par défaut afin de garantir qu'au moins un est toujours cohérent. Pour plus +d'informations, voir Configuration. + + + + + Configuration + + Configuration minimale (dans la section [domain/DOMAINNAME]) +: + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. 
+ + + Configuration avancée + + + ldap_idmap_range_min (integer) + + + Spécifie la limite inférieure de la plage d'ID POSIX à utiliser pour la mise +en correspondance d'identifiants utilisateurs et groupes Active Directory. + + + NOTE : Cette option est différente de min_id en ce sens que +min_id agit comme filtre sur le résultat des requêtes vers ce +domaine, alors que cette option contrôle les plages de correspondance +d'ID. Il s'agit d'une distinction subtile, mais les bonnes pratiques +conseillent d'avoir min_id inférieur ou égal à +ldap_idmap_range_min + + + Par défaut : 200000 + + + + + ldap_idmap_range_max (integer) + + + Spécifie la limite supérieure de la plage d'ID POSIX à utiliser pour la mise +en correspondance d'identifiants utilisateurs et groupes Active Directory. + + + NOTE : Cette option est différente de max_id en ce sens que +max_id agit comme filtre sur le résultat des requêtes vers ce +domaine, alors que cette option contrôle les plages de correspondance +d'ID. Il s'agit d'une distinction subtile, mais les bonnes pratiques +conseillent d'avoir max_id supérieur ou égal à +ldap_idmap_range_max + + + Par défaut : 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Spécifie le nombre d'identifiants pour chaque tranche. Si la taille de la +plage ne divise pas uniformément dans les valeurs minimale et maximale, des +tranches complètes seront créées autant que possible. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). 
+ + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Par défaut : 200000 + + + + + ldap_idmap_default_domain_sid (chaîne) + + + Spécifier le SID de domaine du domaine par défaut. Cela garantira que ce +domaine est toujours affecté à la tranche zéro dans la carte d'ID, sans +passer par l'algorithme murmurhash décrit ci-dessus. + + + Par défaut : non défini + + + + + ldap_idmap_default_domain (chaîne) + + + Spécifier le nom de domaine par défaut. + + + Par défaut : non défini + + + + + ldap_idmap_autorid_compat (boolean) + + + Modifie le comportement de l'algorithme de mise en correspondance des ID +afin qu'il se comporte de manière identique à celui +idmap_autorid de winbind. + + + Lorsque cette option est configurée, les domaines seront alloués en +commençant par la tranche zéro et augmentant de manière monotone pour chaque +domaine supplémentaire. + + + Remarque : Cet algorithme n'est pas déterministe (il dépend de l'ordre dans +lequel utilisateurs et groupes sont invités). Si ce mode est nécessaire pour +assurer la compatibilité avec les ordinateurs qui utilisent winbind, il est +recommandé d'utiliser également l'option +ldap_idmap_default_domain_sid pour garantir qu'au moins un +domaine est systématiquement alloué à la tranche zéro. + + + Par défaut : False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Par défaut : 10 + + + + + + + + + SID bien connus + + SSSD supports to look up the names of Well-Known SIDs, i.e. 
SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. + + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/fr/include/ldap_search_bases.xml b/src/man/fr/include/ldap_search_bases.xml new file mode 100644 index 0000000..b75b30b --- /dev/null +++ b/src/man/fr/include/ldap_search_bases.xml 
@@ -0,0 +1,33 @@ + + + Un DN de base facultatif, une étendue de recherche et un filtre LDAP afin de +restreindre les recherches LDAP pour ce type d'attribut. + + + syntaxe : +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + La portée peut être l'une des « base », « onelevel » ou « subtree ». Les +fonctions de portée sont spécifiées dans la section 4.5.1.2 de +http://tools.ietf.org/html/rfc4511 + + + Le filtre doit être un filtre de recherche LDAP valide tel que spécifié par +http://www.ietf.org/rfc/rfc2254.txt + + + Pour obtenir des exemples de cette syntaxe, reportez-vous à la section +d'exemples ldap_search_base. + + + Par défaut : la valeur de ldap_search_base + + + Noter que la spécification de portée ou de filtre n'est pas prise en charge +pour les recherches sur un serveur Active Directory qui serait susceptible +de produire un grand nombre de résultats et de déclencher l'extension Range +Retrieval dans sa réponse. + + diff --git a/src/man/fr/include/local.xml b/src/man/fr/include/local.xml new file mode 100644 index 0000000..1a7c8a2 --- /dev/null +++ b/src/man/fr/include/local.xml @@ -0,0 +1,17 @@ + + LE DOMAINE LOCAL + + Pour fonctionner correctement, un domaine avec id_provider = +local doit être créé et SSSD doit s'exécuter. + + + L'administrateur peut vouloir utiliser les utilisateurs locaux SSSD au lieu +des utilisateurs UNIX traditionnels dans les cas où l'imbrication de groupes +(cf. sss_groupadd +8) est nécessaire. Les utilisateurs +locaux sont également utiles pour les tests et le développement de SSSD sans +avoir à déployer un serveur distant complet. Les outils sss_user +* et sss_group * utilisent alors un stockage +local de type LDB pour les utilisateurs et les groupes. + + diff --git a/src/man/fr/include/override_homedir.xml b/src/man/fr/include/override_homedir.xml new file mode 100644 index 0000000..b75901b --- /dev/null +++ b/src/man/fr/include/override_homedir.xml 
@@ -0,0 +1,64 @@ + +override_homedir (chaîne) + + + Réécrit le répertoire personnel de l'utilisateur. Il est possible de fournir +une valeur absolue ou un patron. Dans le cas d'un patron, les séquences +suivantes sont substituées : + + %u + identifiant de connexion + + + %U + numéro d'UID + + + %d + nom de domaine + + + %f + nom d'utilisateur pleinement qualifié (utilisateur@domaine) + + + %l + The first letter of the login name. + + + %P + UPN - Nom de principal d'utilisateur (User principal name, nom@ROYAUME) + + + %o + + Le répertoire utilisateur original provenant du fournisseur d'identité. + + + + %H + + La valeur de l'option de configuration +homedir_substring. + + + + %% + un « % » littéral + + + + + + Cette option peut aussi être définie pour chaque domaine. + + + exemple : +override_homedir = /home/%u + + + + Par défaut : Indéfini (SSSD utilisera la valeur récupérée de LDAP) + + + diff --git a/src/man/fr/include/param_help.xml b/src/man/fr/include/param_help.xml new file mode 100644 index 0000000..89c1343 --- /dev/null +++ b/src/man/fr/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Affiche l'aide et quitte. + + + diff --git a/src/man/fr/include/param_help_py.xml b/src/man/fr/include/param_help_py.xml new file mode 100644 index 0000000..22cd5fa --- /dev/null +++ b/src/man/fr/include/param_help_py.xml @@ -0,0 +1,10 @@ + + + , + + + + Affiche l'aide et quitte. + + + diff --git a/src/man/fr/include/seealso.xml b/src/man/fr/include/seealso.xml new file mode 100644 index 0000000..7b0926c --- /dev/null +++ b/src/man/fr/include/seealso.xml 
@@ -0,0 +1,61 @@ + + VOIR AUSSI + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/fr/include/service_discovery.xml b/src/man/fr/include/service_discovery.xml new file mode 100644 index 0000000..6ad86ae --- /dev/null +++ b/src/man/fr/include/service_discovery.xml 
@@ -0,0 +1,44 @@ + + DÉCOUVERTE DE SERVICE + + La fonctionnalité de découverte de services permet aux moteurs de trouver +automatiquement les serveurs appropriés auxquels se connecter à l'aide d'une +requête DNS spéciale. Cette fonctionnalité n'est pas pris en charge pour sur +les serveurs secondaires. + + + Configuration + + Si aucun serveur n'est spécifié, le moteur utilise automatiquement la +découverte de services pour tenter de trouver un serveur. L'utilisateur peut +aussi choisir d'utiliser des adresses de serveur et de découverte de +services fixes en insérant un mot-clé spécial, _srv_, dans la +liste des serveurs. L'ordre de préférence est maintenu. Cette fonctionnalité +est utile si, par exemple, l'utilisateur préfère utiliser la découverte de +services chaque fois que possible et se replier vers un serveur spécifique +lorsqu'aucun serveur ne peut être découvert à l'aide du DNS. + + + + Le nom de domaine + + Se reporter au paramètre dns_discovery_domain dans la page de +manuel sssd.conf +5 pour plus de détails. + + + + Le protocole + + Les requêtes spécifient généralement _tcp comme protocole. Les exceptions +sont documentées dans les descriptions respectives des options. + + + + Voir aussi + + Pour plus d'informations sur le mécanisme de découverte de services, se +reporter à la RFC 2782. + + + diff --git a/src/man/fr/include/upstream.xml b/src/man/fr/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/fr/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/fr/sss_groupadd.8.xml b/src/man/fr/sss_groupadd.8.xml new file mode 100644 index 0000000..2c8678a --- /dev/null +++ b/src/man/fr/sss_groupadd.8.xml 
@@ -0,0 +1,58 @@ + + + +Pages de manuel de SSSD + + + + + sss_groupadd + 8 + + + + sss_groupadd + Créer un nouveau groupe + + + + +sss_groupadd +options GROUPE + + + + DESCRIPTION + + sss_groupadd crée un nouveau groupe. Ces groupes sont +compatibles avec les groupes POSIX, avec la caractéristique supplémentaire +qu'ils peuvent contenir d'autres groupes comme membres. + + + + + OPTIONS + + + + , GID + + + + Positionne le GID du groupe à la valeur GID. Si +non spécifié, il est choisi automatiquement. + + + + + + + + + + + + + diff --git a/src/man/fr/sss_groupdel.8.xml b/src/man/fr/sss_groupdel.8.xml new file mode 100644 index 0000000..7da38b9 --- /dev/null +++ b/src/man/fr/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +Pages de manuel de SSSD + + + + + sss_groupdel + 8 + + + + sss_groupdel + supprimer un groupe + + + + +sss_groupdel +options GROUPE + + + + DESCRIPTION + + sss_groupdel supprime du système un groupe identifié par +son nom de groupe GROUPE. + + + + + OPTIONS + + + + + + + + + + + diff --git a/src/man/fr/sss_groupmod.8.xml b/src/man/fr/sss_groupmod.8.xml new file mode 100644 index 0000000..88ef0d9 --- /dev/null +++ b/src/man/fr/sss_groupmod.8.xml @@ -0,0 +1,72 @@ + + + +Pages de manuel de SSSD + + + + + sss_groupmod + 8 + + + + sss_groupmod + modifier un groupe + + + + +sss_groupmod +options GROUP + + + + DESCRIPTION + + sss_groupmod modifie le groupe pour refléter les +changements spécifiés sur la ligne de commande. + + + + + OPTIONS + + + + , +GROUPS + + + + Ajouter ce groupe aux groupes spécifiés par le paramètre +GROUPS. Le paramètre +GROUPS est une liste séparée par des virgules de +noms de groupe. + + + + + + , +GROUPS + + + + Supprime ce groupe des groupes spécifiés par le paramètre +GROUPS. + + + + + + + + + + + + + diff --git a/src/man/fr/sss_groupshow.8.xml b/src/man/fr/sss_groupshow.8.xml new file mode 100644 index 0000000..ab21177 --- /dev/null +++ b/src/man/fr/sss_groupshow.8.xml 
@@ -0,0 +1,60 @@ + + + +Pages de manuel de SSSD + + + + + sss_groupshow + 8 + + + + sss_groupshow + affiche les propriétés d'un groupe + + + + +sss_groupshow +options GROUPE + + + + DESCRIPTION + + sss_groupshow affiche des informations sur un groupe +identifié par son nom GROUPE. Les informations +incluent l'ID de groupe, les membres du groupe ainsi que le groupe parent. + + + + + OPTIONS + + + + , + + + + Affiche aussi les membres indirects de groupe dans une hiérarchie +arborescente. Noter que cela affecte également les affichages de groupes +parents - sans l'option , seul le parent direct sera +affiché. + + + + + + + + + + + + + diff --git a/src/man/fr/sss_obfuscate.8.xml b/src/man/fr/sss_obfuscate.8.xml new file mode 100644 index 0000000..4981237 --- /dev/null +++ b/src/man/fr/sss_obfuscate.8.xml 
@@ -0,0 +1,97 @@ + + + +Pages de manuel de SSSD + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + obscurcir un mot de passe en clair + + + + +sss_obfuscate +options [PASSWORD] + + + + DESCRIPTION + + sss_obfuscate convertit un mot de passe donné en un +format illisible par un humain et le place dans la section de domaine +appropriée du fichier de configuration SSSD. + + + Le mot de passe en clair est lu dans l'entrée standard ou entré +interactivement. Les mots de passes chiffrés sont mis dans +ldap_default_authtok pour un domaine SSSD donné et le +paramètre ldap_default_authtok_type est défini à +obfuscated_password. Cf. +sssd-ldap 5 + pour plus de détails sur ces paramètres. + + + Veuillez noter que les mots de passe chiffrés ne fournissent aucun +réel bénéfice de sécurité étant donné qu'il est possible de +retrouver le mot de passe par ingénierie-inverse. Utiliser un meilleur +mécanisme d'authentification tel que les certificats côté client ou GSSAPI +est très conseillé. + + + + + OPTIONS + + + + + , + + + + Le mot de passe chiffré sera lu sur l'entrée standard. + + + + + + , +DOMAINE + + + + Le domaine SSSD auquel est lié le mot de passe. Le nom par défaut est +default. + + + + + + , +FICHIER + + + + Lit le fichier de configuration spécifié par le paramètre. + + + Par défaut : /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/fr/sss_seed.8.xml b/src/man/fr/sss_seed.8.xml new file mode 100644 index 0000000..89634ed --- /dev/null +++ b/src/man/fr/sss_seed.8.xml 
@@ -0,0 +1,169 @@ + + + +Pages de manuel de SSSD + + + + + sss_seed + 8 + + + + sss_seed + initialise le cache SSSD avec un utilisateur + + + + +sss_seed +options -D +DOMAIN -n +USER + + + + DESCRIPTION + + sss_seed initialise le cache SSSD avec une entrée +d'utilisateur et le mot de passe temporaire. Si une entrée d'utilisateur est +déjà présente dans le cache de SSSD, l'entrée est mise à jour avec le mot de +passe temporaire. + + + + + + + OPTIONS + + + + , +DOMAIN + + + + Indique le nom de domaine duquel l'utilisateur est membre. Le domaine est +également utilisé pour récupérer les informations sur l'utilisateur. Le +domaine doit être configuré dans sssd.conf. L'option +DOMAIN doit être fournie. Les informations +récupérées depuis le domaine prennent le pas sur ce qui est fourni dans les +options. + + + + + + , +USER + + + + Le nom d'utilisateur de l'entrée devant être créée ou modifiée dans le +cache. L'option USER doit être fournie. + + + + + + , UID + + + + Définit l'UID de l'utilisateur à UID. + + + + + + , GID + + + + Définit le GID de l'utilisateur à GID. + + + + + + , +COMMENTAIRE + + + + Toute chaîne de caractère décrivant l'utilisateur. Souvent utilisé comme +champ pour le nom entier de l'utilisateur. + + + + + + , +HOME_DIR + + + + Définit le répertoire de l'utilisateur à +HOME_DIR. + + + + + + , +SHELL + + + + Définit l'interpréteur de commande de l'utilisateur à +SHELL. + + + + + + , + + + + Mode interactif pour la saisie des informations de l'utilisateur. Cette +option invite uniquement à la saisir des renseignements non fournis dans les +options ou non récupérés à partir du domaine. + + + + + + , +PASS_FILE + + + + Spécifie le fichier dans lequel lire le mot de passe de l'utilisateur. 
(si +aucun mot de passe n'est spécifié, il sera demandé) + + + + + + + + + NOTES + + La taille du mot de passe (ou la taille du fichier spécifié avec l'option -p +ou --password-file) doit être inférieure ou égale à PASS_MAX octets (64 +octets sur les systèmes sans valeur globale définie de PASS_MAX). + + + + + + + + + + diff --git a/src/man/fr/sss_ssh_knownhostsproxy.1.xml b/src/man/fr/sss_ssh_knownhostsproxy.1.xml new file mode 100644 index 0000000..8024ba9 --- /dev/null +++ b/src/man/fr/sss_ssh_knownhostsproxy.1.xml @@ -0,0 +1,107 @@ + + + +Pages de manuel de SSSD + + + + + sss_ssh_knownhostsproxy + 1 + + + + sss_ssh_knownhostsproxy + obtenir les clés d'hôtes OpenSSH + + + + +sss_ssh_knownhostsproxy +options HOST PROXY_COMMAND + + + + DESCRIPTION + + sss_ssh_knownhostsproxy acquires SSH host public keys for +host HOST, stores them in a custom OpenSSH +known_hosts file (see the SSH_KNOWN_HOSTS FILE FORMAT section +of sshd +8 for more information) +/var/lib/sss/pubconf/known_hosts and establishes the +connection to the host. + + + Si PROXY_COMMAND est indiqué, elle est alors +utilisée pour établier la connexion vers le système au lieu d'ouvrir une +socket. + + + ssh +1 peut être configuré pour utiliser +sss_ssh_knownhostsproxy pour l'authentication par clés en +utilisant les directives suivantes pour la configuration de +ssh +1 : +ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + + + + + + OPTIONS + + + + , PORT + + + + Utiliser le port PORT pour se connecter au +système. Par défaut, le port 22 est utilisé. + + + + + + , +DOMAINE + + + + Rechercher les clés publiques dans le domaine SSSD +DOMAINE hôte. + + + + + + , + + + + Print the host ssh public keys for host HOST. + + + + + + + + + CODE RETOUR + + Dans le cas d'un opération achevée avec succès, une valeur de retour de 0 +est renvoyée. Dans le cas contraire, 1 est renvoyé. + + + + + + + 
diff --git a/src/man/fr/sss_useradd.8.xml b/src/man/fr/sss_useradd.8.xml
new file mode 100644
index 0000000..25dd40a
--- /dev/null
+++ b/src/man/fr/sss_useradd.8.xml
@@ -0,0 +1,168 @@ + + + +Pages de manuel de SSSD + + + + + sss_useradd + 8 + + + + sss_useradd + créer un utilisateur + + + + +sss_useradd +options UTILISATEUR + + + + DESCRIPTION + + sss_useradd crée un nouveau compte utilisateur en +utilisant les valeurs spécifiées en ligne de commande auquelles sont +ajoutées les valeurs par défaut du système. + + + + + OPTIONS + + + + , UID + + + + Définit l'UID de l'utilisateur à la valeur +UID. Si non précisé, il est choisit +automatiquement. + + + + + + , +COMMENTAIRE + + + + Toute chaîne de caractère décrivant l'utilisateur. Souvent utilisé comme +champ pour le nom entier de l'utilisateur. + + + + + + , +HOME_DIR + + + + Le répertoire personnel du compte utilisateur. Par défaut, on ajoute +LOGIN à /home et on utilise +cela comme dossier personnel. La base précédent +LOGIN est modifiable avec le paramètre +user_defaults/baseDirectory de sssd.conf. + + + + + + , +SHELL + + + + L'interpréteur de commande de l'utilisateur. La valeur par défaut actuelle, +/bin/bash, peut être modifiée avec le paramètre +user_defaults/defaultShell dans sssd.conf. + + + + + + , +GROUPES + + + + Une liste de groupes existants dont l'utilisateur est aussi membre. + + + + + + , + + + + Crée le répertoire personnel de l'utilisateur s'il n'existe pas. Les +fichiers et répertoires inclus dans le répertoire squelette (pouvant être +définis avec l'option -k ou dans le fichier de configuration) sont copiés +dans le dossier personnel. + + + + + + , + + + + Ne pas créer de dossier personnel pour l'utilisateur. Écrase les paramètres +de configuration. + + + + + + , +SKELDIR + + + + Le répertoire squelette, contenant les fichiers et répertoires à copier dans +le répertoire personnel de l'utilisateur, quand le répertoire personnel est +créé par sss_useradd. + + + Les fichiers spéciaux (périphériques blocs, caractères, tubes nommés et +sockets unix) ne seront pas copiés. 
+ + + L'option n'est valide que si l'option (ou +) est utilisée ou si la création de +répertoires personnels est à TRUE dans la configuration. + + + + + + , +UTILISATEUR_SELINUX + + + + L'utilisateur SELinux pour la connexion utilisateur. Si non spécifié, la +valeur par défaut du système est utilisée. + + + + + + + + + + + + + diff --git a/src/man/fr/sss_userdel.8.xml b/src/man/fr/sss_userdel.8.xml new file mode 100644 index 0000000..9cfad5b --- /dev/null +++ b/src/man/fr/sss_userdel.8.xml @@ -0,0 +1,93 @@ + + + +Pages de manuel de SSSD + + + + + sss_userdel + 8 + + + + sss_userdel + Supprimer un compte utilisateur + + + + +sss_userdel +options LOGIN + + + + DESCRIPTION + + sss_userdel supprime du système un utilisateur identifié +par son identifiant de connexion LOGIN. + + + + + OPTIONS + + + + + , + + + + Les fichiers dans le répertoire ainsi que le répertoire lui-même de +l'utilisateur et sa messagerie seront supprimés. Outrepasse la +configuration. + + + + + + , + + + + Les fichiers dans le répertoire ainsi que le répertoire lui-même de +l'utilisateur et sa messagerie ne seront PAS supprimés. Outrepasse la +configuration. + + + + + + , + + + + Cette option oblige sss_userdel à supprimer le répertoire +home de l'utilisateur et sa messagerie, même si ils ne sont pas détenus par +l'utilisateur spécifié. + + + + + + , + + + + Avant de réellement supprimer l'utilisateur, mettre fin à tous ses +processus. + + + + + + + + + + + + diff --git a/src/man/fr/sss_usermod.8.xml b/src/man/fr/sss_usermod.8.xml new file mode 100644 index 0000000..01542a4 --- /dev/null +++ b/src/man/fr/sss_usermod.8.xml 
@@ -0,0 +1,169 @@ + + + +Pages de manuel de SSSD + + + + + sss_usermod + 8 + + + + sss_usermod + modifier un compte utilisateur + + + + +sss_usermod +options LOGIN + + + + DESCRIPTION + + sss_usermod modifie le compte défini par +LOGIN pour refléter les modifications fournies en +ligne de commande. + + + + + OPTIONS + + + + , +COMMENTAIRE + + + + Toute chaîne de caractère décrivant l'utilisateur. Souvent utilisé comme +champ pour le nom entier de l'utilisateur. + + + + + + , +HOME_DIR + + + + Le répertoire personnel du compte utilisateur. + + + + + + , +SHELL + + + + L'interpréteur de commandes de l'utilisateur. + + + + + + , +GROUPS + + + + Ajouter cet utilisateur aux groupes spécifiés par le paramètre +GROUPS. Le paramètre +GROUPS est une liste séparée par des virgules de +noms de groupes. + + + + + + , +GROUPS + + + + Retirer cet utilisateur de groupes spécifiés par le paramètre +GROUPS. + + + + + + , + + + + Verrouiller le compte utilisateur. Il ne pourra plus se connecter. + + + + + + , + + + + Déverrouiller le compte utilisateur. + + + + + + , +UTILISATEUR_SELINUX + + + + L'utilisateur SELinux pour l'identifiant de connexion de l'utilisateur. + + + + + + ATTR_NAME_VAL + + + + Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur. + + + + + + ATTR_NAME_VAL + + + + Définir une paire attribut/valeur. Le format est nom_attribut=valeur. Pour +les attributs multi-valués, la commande remplace les valeurs déjà présentes. + + + + + + ATTR_NAME_VAL + + + + Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur. + + + + + + + + + + + + + diff --git a/src/man/fr/sssd-krb5.5.xml b/src/man/fr/sssd-krb5.5.xml new file mode 100644 index 0000000..27e1cbc --- /dev/null +++ b/src/man/fr/sssd-krb5.5.xml 
@@ -0,0 +1,547 @@ + + + +Pages de manuel de SSSD + + + + + sssd-krb5 + 5 + Formats de fichier et conventions + + + + sssd-krb5 + Fournisseur Kerberos SSSD + + + + DESCRIPTION + + Cette page de manuel décrit la configuration du moteur d'authentification de +Kerberos 5 pour sssd +8 . Pour une référence détaillée sur +la syntaex, veuillez vous référer à la section FORMAT DE +FICHIER du manuel de +sssd.conf 5 +. + + + Le moteur d'authentification Kerberos 5 contient les fournisseurs +d'authentification et de changement de mot de passe. Il doit être couplé +avec un fournisseur d'identité de manière à fonctionner proprement (par +exemple, id_provider = ldap). Plusieurs informations requises par le moteur +d'authentification Kerberos 5 doivent être fournies par le fournisseur +d'identité, telles que le nom du principal de l'utilisateur Kerberos +(UPN). La configuration du fournisseur d'identité doit avoir une entrée pour +spécifier l'UPN. Veuillez vous référer aux pages du manuel du fournisseur +d'identité ad-hoc pour pouvoir le configurer. + + + Ce moteur fournit aussi un contrôle d'accès sur le fichier .k5login dans le +répertoire personnel de l'utilisateur. Voir +.k5login5 + pour plus de détails. Veuillez noter qu'un fichier .k5login +vide interdira tout accès pour cet utilisateur. Pour activer cette option, +utilisez « access_provider = krb5 » dans votre configuration de SSSD. + + + Dans le cas où l'UPN n'est pas valide dans le moteur d'identité, +sssd construira un UPN en utilisant le format +utilisateur@krb5_realm. + + + + + + OPTIONS DE CONFIGURATION + + Si le module auth krb5 est utilisé dans un domaine SSSD, les options +suivantes doivent être utilisées. Cf. la page de manuel +sssd.conf +5, section SECTIONS +DOMAINE pour plus de détails sur la configuration d'un domaine +SSSD. 
+ + krb5_server, krb5_backup_server (string) + + + Spécifie la liste séparée par des virgules des adresses IP ou des noms de +systèmes des serveurs Kerberos auquel SSSD doit se connecter, par ordre de +préférence. Pour plus d'informations sur la redondance par bascule et le +serveur, consultez la section de BASCULE. Un numéro de port +facultatif (précédé de deux-points) peut être ajouté aux adresses ou aux +noms de systèmes. Si vide, le service de découverte est activé - pour plus +d'informations, se reporter à la section DÉCOUVERTE DE +SERVICE. + + + Lors de l'utilisation de découverte de services pour le KDC ou les serveurs +kpasswd, SSSD recherche en premier les entrées DNS qui définissent _udp +comme protocole, et passe sur _tcp si aucune entrée n'est trouvée. + + + Cette option s'appelait krb5_kdcip dans les versions +précédentes de SSSD. Bien que ce nom soit toujours reconnu à l'heure +actuelle, il est conseillé de migrer les fichiers de configuration vers +l'utilisation de krb5_server. + + + + + + krb5_realm (chaîne) + + + Le nom du domaine Kerberos. Cette option est nécessaire et doit être +renseignée. + + + + + + krb5_kpasswd, krb5_backup_kpasswd (string) + + + Si le service de changement de mot de passe ne fonctionne pas sur le KDC, +des serveurs de secours peuvent être définis ici. Un numéro de port +facultatif (précédé par un signe deux-points) peut-être être suffixé aux +adresses ou aux noms de systèmes. + + + Pour plus d'information sur la bascule et la redondance de serveurs, voir la +section BASCULE. Noter que même si il n'y a plus de serveurs +kpasswd à essayer, le moteur ne passe pas en mode hors-ligne si +l'authentification KDC est toujours possible. + + + Par défaut : utiliser le KDC + + + + + + krb5_ccachedir (chaîne) + + + Directory to store credential caches. All the substitution sequences of +krb5_ccname_template can be used here, too, except %d and %P. The directory +is created as private and owned by the user, with permissions set to 0700. 
+ + + Par défaut : /tmp + + + + + + krb5_ccname_template (chaîne) + + + Location of the user's credential cache. Three credential cache types are +currently supported: FILE, DIR and +KEYRING:persistent. The cache can be specified either as +TYPE:RESIDUAL, or as an absolute path, which +implies the FILE type. In the template, the following +sequences are substituted: + + %u + identifiant de connexion + + + %U + UID de l'utilisateur + + + %p + nom du principal + + + + %r + nom de domaine + + + %h + répertoire personnel + + + + %d + valeur de krb5_ccachedir + + + + + %P + l'ID de processus du client SSSD + + + + %% + un « % » littéral + + + If the +template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename +in a safe way. + + + When using KEYRING types, the only supported mechanism is +KEYRING:persistent:%U, which uses the Linux kernel keyring to +store credentials on a per-UID basis. This is also the recommended choice, +as it is the most secure and predictable method. + + + The default value for the credential cache name is sourced from the profile +stored in the system wide krb5.conf configuration file in the [libdefaults] +section. The option name is default_ccache_name. See krb5.conf(5)'s +PARAMETER EXPANSION paragraph for additional information on the expansion +format defined by krb5.conf. + + + NOTE: Please be aware that libkrb5 ccache expansion template from + krb5.conf +5 uses different expansion sequences +than SSSD. + + + Par défaut : (valeur provenant de libkrb5) + + + + + + krb5_auth_timeout (entier) + + + Délai d'attente, en secondes, après l'annulation d'une requête +d'authentification en ligne ou de changement de mot de passe. La requête +d'authentification sera effectuée hors-ligne si cela est possible. + + + Par défaut : 6 + + + + + + krb5_validate (booléen) + + + Vérifie à l'aide de krb5_keytab que le TGT obtenu n'a pas été usurpé. 
Les +entrées d'un fichier keytab sont vérifiées dans l'ordre, et la première +entrée avec un domaine correspondant est utilisée pour la validation. Si +aucune entrée ne correspond au domaine, la dernière entrée dans le fichier +keytab est utilisée. Ce processus peut être utilisé pour valider des +environnements utilisant l'approbation entre domaines en plaçant l'entrée +keytab appropriée comme dernière ou comme seule entrée dans le fichier +keytab. + + + Par défaut : false + + + + + + krb5_keytab (chaîne) + + + L'emplacement du fichier keytab à utiliser pour valider les données +d'identification obtenues à partir de KDC. + + + Par défaut : /etc/krb5.keytab + + + + + + krb5_store_password_if_offline (booléen) + + + Stocke le mot de passe de l'utilisateur si le fournisseur est hors-ligne, +puis l'utilise pour obtenir un TGT lorsque le fournisseur redevient +disponible en ligne. + + + NOTE : cette fonctionnalité n'est actuellement disponible que sur les +plates-formes Linux. Les mots de passe stockés de cette manière sont +conservés en texte brut dans le trousseau de clés du noyau et sont +potentiellement accessibles à l'utilisateur root (avec difficulté). + + + Par défaut : false + + + + + + krb5_renewable_lifetime (chaîne) + + + Demande un ticket renouvelable avec une durée de vie totale, donnée par un +entier immédiatement suivi par une unité de temps : + + + s pour secondes + + + m pour minutes + + + h pour heures + + + d pour jours. + + + Si aucune unité n'est spécifiée, s est utilisé. + + + NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée +de vie renouvelable de une heure et trente minutes, utiliser « 90m » au lieu +de « 1h30m ». + + + Par défaut : non défini, c'est-à-dire que le TGT n'est pas renouvelable + + + + + + krb5_lifetime (chaîne) + + + Demande un ticket avec une durée de vie, donnée par un entier immédiatement +suivi par une unité de temps : + + + s pour secondes + + + m pour minutes + + + h pour heures + + + d pour jours. 
+ + + Si aucune unité n'est spécifiée, s est utilisé. + + + NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée +de vie de une heure et trente minutes, utiliser « 90m » au lieu de « 1h30m +». + + + Par défaut : non défini, c'est-à-dire la durée de vie par défaut configurée +dans le KDC. + + + + + + krb5_renew_interval (chaîne) + + + La durée, en secondes, entre deux vérifications pour savoir si le TGT doit +être renouvelé. Les TGT sont renouvelés si environ la moitié de leur durée +de vie est dépassée. Indiquée par un entier immédiatement suivi d'une unité +de temps : + + + s pour secondes + + + m pour minutes + + + h pour heures + + + d pour jours. + + + Si aucune unité n'est spécifiée, s est utilisé. + + + NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée +de vie renouvelable de une heure et trente minutes, utiliser « 90m » au lieu +de « 1h30m ». + + + Si cette option n'est pas définie ou définie à 0, le renouvellement +automatique est désactivé. + + + Par défaut : non défini + + + + + + krb5_use_fast (chaîne) + + + Active le flexible authentication secure tunneling (FAST) pour la +pré-authentification Kerberos. Les options suivantes sont supportées : + + + never : ne jamais utiliser FAST. Ceci équivaut à ne pas +définir cette option. + + + try : eassyer d'utiliser FAST. Si le serveur ne prend +pas en charge FAST, continuer l'authentification sans. + + + demander  : imposer d'utiliser FAST. L'authentification +échoue si le serveur ne requiert pas FAST. + + + Par défaut : non défini, i.e. FAST n'est pas utilisé. + + + NOTE : un fichier keytab est requis pour utiliser FAST. + + + NOTE : SSSD prend en charge le paramètre FAST uniquement avec MIT Kerberos +version 1.8 et au-delà. L'utilisation de SSSD avec une version antérieure de +MIT Kerberos avec cette option est une erreur de configuration. + + + + + + krb5_fast_principal (chaîne) + + + Spécifie le principal de serveur afin d'utiliser FAST. 
+ + + + + + krb5_canonicalize (booléen) + + + Spécifie si les principaux du système et de l'utilisateur doivent être +rendus canoniques. Cette fonctionnalité est disponible avec MIT Kerberos 1.7 +et versions suivantes. + + + + Par défaut : false + + + + + + krb5_use_kdcinfo (booléen) + + + Indique si SSSD doit préciser aux bibliothèques Kerberos quels domaine et +KDC utiliser. Cette option est activée par défaut, si elle est désactivée, +la bibliothèque Kerberos doit être configurée à l'aide du fichier de +configuration krb5.conf +5 . + + + Consulter la page de manuel de +sssd_krb5_locator_plugin +8 pour plus d'informations sur le +greffon de localisation. + + + Par défaut : true + + + + + + krb5_use_enterprise_principal (booléen) + + + Indique si le principal de l'utilisateur doit être traité comme un principal +d'entreprise. Cf. la section 5 de la RFC 6806 pour plus de détails sur les +principals d'entreprise. + + + + Par défaut : false (AD provider : true) + + + The IPA provider will set to option to 'true' if it detects that the server +is capable of handling enterprise principals and the option is not set +explicitly in the config file. + + + + + + krb5_map_user (chaîne) + + + The list of mappings is given as a comma-separated list of pairs +username:primary where username is a UNIX user +name and primary is a user part of a kerberos principal. This +mapping is used when user is authenticating using auth_provider = +krb5. + + + + exemple : +krb5_realm = REALM +krb5_map_user = joe:juser,dick:richard + + + + joe and dick are UNIX user names and +juser and richard are primaries of kerberos +principals. For user joe resp. dick SSSD will +try to kinit as juser@REALM resp. +richard@REALM. + + + + Par défaut : non défini + + + + + + + + + + + + + + EXEMPLE + + L'exemple suivant suppose que SSSD est correctement configuré et que FOO est +l'un des domaines de la section [sssd]. 
Cet +exemple montre uniquement la configuration de l'authentification Kerberos, +et n'inclut aucun fournisseur d'identité. + + + +[domain/FOO] +auth_provider = krb5 +krb5_server = 192.168.1.1 +krb5_realm = EXAMPLE.COM + + + + + + + + diff --git a/src/man/fr/sssd-ldap.5.xml b/src/man/fr/sssd-ldap.5.xml new file mode 100644 index 0000000..3ef052d --- /dev/null +++ b/src/man/fr/sssd-ldap.5.xml 
@@ -0,0 +1,2628 @@
+
+
+
+Pages de manuel de SSSD
+
+
+
+
+ sssd-ldap
+ 5
+ Formats de fichier et conventions
+
+
+
+ sssd-ldap
+ Fournisseur LDAP SSSD
+
+
+
+ DESCRIPTION
+
+ Ce manuel décrit la configuration des domaines LDAP pour
+sssd 8
+. Se référer à la section FILE FORMAT du
+manuel sssd.conf
+5 pour des informations sur la
+syntaxe détaillée.
+
+ Il est possible de configurer SSSD pour utiliser plus d'un domaine LDAP.
+
+
+ Le moteur de traitement LDAP prend en charge les fournisseurs id, auth,
+access et chpass. Si vous voulez vous authentifier sur un serveur LDAP, il
+vous faut utiliser TLS/SSL ou LDAPS. sssd ne
+prend pas en charge l'authentification sur un canal non
+chiffré. Si le serveur LDAP est utilisé seulement comme fournisseur
+d'identité, un canal crypté n'est pas nécessaire. Se référer aux options de
+configurations ldap_access_filter pour plus d'information sur
+l'utilisation en tant que fournisseur d'accès.
+
+
+
+
+ OPTIONS DE CONFIGURATION
+
+ Toutes les options de configuration communes appliquées aux domaines SSSD
+s'appliquent aussi aux domaines LDAP. Voir la section des SECTIONS DE
+DOMAINE dans la page de manuel
+sssd.conf 5
+ pour plus de détails.
+
+ ldap_uri, ldap_backup_uri (string)
+
+
+ Spécifie par ordre de préférence la liste séparée par des virgules d'URI des
+serveurs LDAP auquel doit se connecter SSSD. Se reporter à la section de
+BASCULE pour plus d'informations sur le repli et la
+redondance de serveurs. Si aucune de ces options n'est spécifiée, la
+découverte d'un service est activé. Pour plus d'informations, se reporter à
+la section de DÉCOUVERTE DE SERVICE.
+ + + Le format de l'URI doit correspondre au format définit dans la RFC 2732 : + + + ldap[s]://<host>[:port] + + + Pour les adresses explicitement en IPv6, le composant <host> doit être +entre crochets [] + + + exemple : ldap://[fc00::126:25]:389 + + + + + + ldap_chpass_uri, ldap_chpass_backup_uri (string) + + + Spécifie la liste d'URI séparée par des virgules des serveurs LDAP auquel +doit se connecter DSSD par ordre de préférence pour changer le mot de passe +d'un utilisateur. Reportez-vous à la section de bascule pour +plus d'informations sur le repli et la redondance de serveurs. + + + Pour activer la découverte de services, ldap_chpass_dns_service_name doit +être défini. + + + Par défaut : vide, ldap_uri est donc utilisé. + + + + + + ldap_search_base (chaîne) + + + Le DN de base par défaut à utiliser pour effectuer les opérations LDAP sur +les utilisateurs. + + + À partir de SSSD 1.7.0, SSSD prend en charge plusieurs bases de recherche à +l'aide de la syntaxe : + + + search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + La portée peut être l'une des « base », « onelevel » ou « subtree ». + + + Le filtre doit être un filtre de recherche LDAP valide tel que spécifié par +http://www.ietf.org/rfc/rfc2254.txt + + + Exemples : + + + ldap_search_base = dc=example,dc=com (ce qui équivaut à) ldap_search_base = +dc=example,dc=com?subtree? + + + ldap_search_base = +cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree? + + + Remarque : Il est n'est pas possible d'avoir plusieurs bases de recherche +qui référencent des objets portant le même nom (par exemple, les groupes +portant le même nom dans deux bases de recherche différents). Cela conduira +à un comportement imprévisible sur les ordinateurs clients. + + + Par défaut : si non définie, les valeurs des attributs defaultNamingContext +ou namingContexts du RootDSE du serveur LDAP sont utilisées. 
Si +defaultNamingContext n'existe pas ou a une valeur vide, namingContexts est +utilisé. Les attributs namingContexts doivent avoir une seule valeur avec un +DN de base de recherche pour le serveur LDAP pour que cela fonctionne. Des +valeurs multiples ne sont pas permises. + + + + + + ldap_schema (chaîne) + + + Spécifie le type de schéma utilisé sur le serveur LDAP cible. Selon le +schéma sélectionné, les noms d'attributs par défaut provenant des serveurs +peuvent varier. La manière dont certains attributs sont traités peut-être +également différer. + + + Quatre types de schéma sont actuellement pris en charge : + + + + rfc2307 + + + + + rfc2307bis + + + + + IPA + + + + + AD + + + + + + La principale différence entre ces types de schéma est la façon dont les +appartenances aux groupes sont enregistrés dans le serveur. Avec rfc2307, +les membres du groupe sont répertoriées par nom dans l'attribut +memberUid. Avec rfc2307bis et IPA, les membres du +groupe sont répertoriés par DN et stockées dans l'attribut de +member. Le type de schéma AD définit les attributs +correspondant aux valeurs d'Active Directory 2008r2. + + + Par défaut : rfc2307 + + + + + + ldap_default_bind_dn (chaîne) + + + Le DN de connexion par défaut à utiliser pour effectuer les opérations LDAP. + + + + + + ldap_default_authtok_type (chaîne) + + + Le type de jeton d'authentification pour le DN de connexion par défaut. + + + Les deux mécanismes actuellement pris en charge sont : + + + password + + + obfuscated_password + + + Par défaut : password + + + + + + ldap_default_authtok (chaîne) + + + Le jeton d'authentification pour le DN de connexion par défaut. Seuls les +mots de passe en clair sont actuellement pris en charge. + + + + + + ldap_user_object_class (chaîne) + + + La classe d'objet d'une entrée utilisateur dans LDAP. + + + Par défaut : posixAccount + + + + + + ldap_user_name (chaîne) + + + L'attribut LDAP correspondant à l'identifiant de connexion de l'utilisateur. 
+ + + Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD) + + + + + + ldap_user_uid_number (chaîne) + + + L'attribut LDAP correspondant à l'id de l'utilisateur. + + + par défaut : uidNumber + + + + + + ldap_user_gid_number (chaîne) + + + L'attribut LDAP correspondant à l'id du groupe primaire de l'utilisateur. + + + Par défaut : gidNumber + + + + + + ldap_user_primary_group (string) + + + Active Directory primary group attribute for ID-mapping. Note that this +attribute should only be set manually if you are running the +ldap provider with ID mapping. + + + Default: unset (LDAP), primaryGroupID (AD) + + + + + + ldap_user_gecos (chaîne) + + + L'attribut LDAP correspondant au champ gecos de l'utilisateur. + + + Par défaut : gecos + + + + + + ldap_user_home_directory (chaîne) + + + L'attribut LDAP qui contient le nom du répertoire personnel de +l'utilisateur. + + + Par défaut : homeDirectory + + + + + + ldap_user_shell (chaîne) + + + L'attribut LDAP qui contient le chemin vers l'interpréteur de commandes de +l'utilisateur. + + + Par défaut : loginShell + + + + + + ldap_user_uuid (chaîne) + + + The LDAP attribute that contains the UUID/GUID of an LDAP user object. + + + Par défaut : non défini dans le cas général, objectGUID pour AD et +ipaUniqueID pour IPA + + + + + + ldap_user_objectsid (string) + + + L'attribut LDAP qui contient l'objectSID d'un objet d'utilisateur LDAP. Ceci +n'est habituellement nécessaire que pour les serveurs Active Directory. + + + Default: objectSid for ActiveDirectory, not set for other servers. + + + + + + ldap_user_modify_timestamp (chaîne) + + + L'attribut LDAP qui contient l'horodatage de la dernière modification de +l'objet parent. + + + Par défaut : modifyTimestamp + + + + + + ldap_user_shadow_last_change (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le +nom de l'attribut LDAP correspondant à sa contrepartie +shadow 5 + (date de changement du dernier mot de passe). 
+ + + Par défaut : shadowLastChange + + + + + + ldap_user_shadow_min (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le +nom de l'attribut LDAP correspondant à sa contrepartie +shadow 5 + (durée de validité minimum du mot de passe). + + + Par défaut : shadowMin + + + + + + ldap_user_shadow_max (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le +nom de l'attribut LDAP correspondant à sa contrepartie +shadow 5 + (âge maximum du mot de passe). + + + Par défaut : shadowMax + + + + + + ldap_user_shadow_warning (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le +nom de l'attribut LDAP correspondant à sa contrepartie +shadow 5 + (période d'avertissement du mot de passe). + + + Par défaut : shadowWarning + + + + + + ldap_user_shadow_inactive (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le +nom de l'attribut LDAP correspondant à sa contrepartie +shadow 5 + (période d'inactivité du mot de passe). + + + Par défaut : shadowInactive + + + + + + ldap_user_shadow_expire (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=shadow ou +ldap_account_expire_policy=shadow, ce paramètre contient le nom de +l'attribut LDAP correspondant à sa contrepartie +shadow 5 + (date d'expiration du compte). + + + Par défaut : shadowExpire + + + + + + ldap_user_krb_last_pwd_change (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient +le nom de l'attribut LDAP stockant la date et l'heure du dernier changement +de mot de passe dans kerberos. + + + Par défaut : krbLastPwdChange + + + + + + ldap_user_krb_password_expiration (chaîne) + + + Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient +le nom de l'attribut LDAP stockant la date et l'heure d'expiration du mot de +passe actuel. 
+ + + Par défaut : krbPasswordExpiration + + + + + + ldap_user_ad_account_expires (chaîne) + + + Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre +contient le nom d'un attribut LDAP stockant la date d'expiration du compte. + + + Par défaut : accountExpires + + + + + + ldap_user_ad_user_account_control (chaîne) + + + Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre +contient le nom d'un attribut LDAP stockant le champ de bits de contrôle du +compte utilisateur. + + + Par défaut : userAccountControl + + + + + + ldap_ns_account_lock (chaîne) + + + Lors de l'utilisation de ldap_account_expire_policy=rhds ou équivalent, ce +paramètre détermine si l'accès est autorisé ou non. + + + Par défaut : nsAccountLock + + + + + + ldap_user_nds_login_disabled (chaîne) + + + Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut +détermine si l'accès est autorisé ou non. + + + Par défaut : loginDisabled + + + + + + ldap_user_nds_login_expiration_time (chaîne) + + + Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut +détermine jusqu'à quand l'accès est autorisé. + + + Par défaut : loginDisabled + + + + + + ldap_user_nds_login_allowed_time_map (chaîne) + + + Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut +détermine les heures des jours dans la semaine pendant lesquelles l'accès +est autorisé. + + + Par défaut : loginAllowedTimeMap + + + + + + ldap_user_principal (chaîne) + + + L'attribut LDAP contenant le nom du principal d'utilisateur (UPN) Kerberos +de l'utilisateur. + + + Par défaut : krbPrincipalName + + + + + + ldap_user_extra_attrs (chaîne) + + + Liste séparée par des virgules des attributs LDAP que SSSD va demander en +plus des attributs utilisateur habituels. + + + La liste ne peut contenir que des noms d'attributs LDAP, ou des tuples +séparés par des virgules de nom d'attribut de cache et nom d'attribut +LDAP. 
Dans le cas où seul le nom d'un attribut LDAP est indiqué, l'attribut +est enregistré tel quel dans le cache. L'utilisation d'un nom d'attribut +SSSD peut être nécessaire pour les environnements configurant plusieurs +domaines SSSD utilisant des schémas LDAP différents. + + + Veuillez noter que plusieurs noms d'attributs sont réservés par SSSD, dont +l'attribut name. SSSD émettrait une erreur si l'un des noms +d'attributs réservés est utilisé par un nom d'attribut supplémentaire. + + + Exemples : + + + ldap_user_extra_attrs = telephoneNumber + + + Enregistrer l'attribut LDAP telephoneNumber en tant que +telephoneNumber dans le cache. + + + ldap_user_extra_attrs = phone:telephoneNumber + + + Enregistrer l'attribut LDAP telephoneNumber en tant que +phone dans le cache. + + + Par défaut : non défini + + + + + + ldap_user_ssh_public_key (chaîne) + + + L'attribut LDAP qui contient les clés publiques SSH de l'utilisateur. + + + Par défaut : sshPublicKey + + + + + + ldap_force_upper_case_realm (booléen) + + + Certains serveurs d'annuaire, comme par exemple Active Directory, peuvent +délivrer la partie domaine de l'UPN en minuscules, ce qui peut faire échouer +l'authentification. Définir cette option à une valeur non nulle pour +utiliser un nom de domaine en majuscules. + + + Par défaut : false + + + + + + ldap_enumeration_refresh_timeout (entier) + + + Spécifie la durée en secondes pendant laquelle SSSD doit attendre avant +d'actualiser son cache d"énumération d'enregistrements. + + + Par défaut : 300 + + + + + + ldap_purge_cache_timeout (entier) + + + Détermine la fréquence de vérification de la présence d'entrées inactives +dans le cache (telles que groupes sans membres et utilisateurs ne s'étant +jamais connectés) et de suppression pour économiser de l'espace. + + + Setting this option to zero will disable the cache cleanup operation. 
Please +note that if enumeration is enabled, the cleanup task is required in order +to detect entries removed from the server and can't be disabled. By default, +the cleanup task will run every 3 hours with enumeration enabled. + + + Par défaut : 0 (désactivé) + + + + + + ldap_user_fullname (chaîne) + + + L'attribut LDAP correspondant au nom complet de l'utilisateur. + + + Par défaut : cn + + + + + + ldap_user_member_of (chaîne) + + + L'attribut LDAP énumérant les groupes auquel appartient un utilisateur. + + + Par défaut : memberOf + + + + + + ldap_user_authorized_service (chaîne) + + + Lorsque access_provider=ldap et ldap_access_order=authorized_service, SSSD +utilise la présence de l'attribut authorizedService dans l'entrée LDAP de +l'utilisateur pour déterminer les autorisations d'accès. + + + Le refus explicite (!svc) est résolu en premier. Ensuite, SSSD cherche une +autorisation explicite (svc) et enfin allow_all (*). + + + Noter que l'option de configuration ldap_access_order +doit inclure authorized_service de façon +à permettre à l'option ldap_user_authorized_service de fonctionner. + + + Par défaut : authorizedService + + + + + + ldap_user_authorized_host (chaîne) + + + Si access_provider=ldap et ldap_access_order=host, SSSD va utiliser la +présence de l'attribut host dans l'entrée LDAP de l'utilisateur pour +déterminer les autorisations d'accès. + + + Le refus explicite (!host) est résolu en premier. SSSD recherche ensuite les +autorisations explicites (host) et enfin toutes les autorisations (*). + + + Noter que l'option de configuration ldap_access_order +doit inclure host de façon à permettre à +l'option ldap_user_authorized_host de fonctionner. + + + Par défaut : host + + + + + + ldap_user_authorized_rhost (string) + + + If access_provider=ldap and ldap_access_order=rhost, SSSD will use the +presence of the rhost attribute in the user's LDAP entry to determine access +privilege. Similarly to host verification process. 
+ + + An explicit deny (!rhost) is resolved first. Second, SSSD searches for +explicit allow (rhost) and finally for allow_all (*). + + + Please note that the ldap_access_order configuration option +must include rhost in order for the +ldap_user_authorized_rhost option to work. + + + Default: rhost + + + + + + ldap_user_certificate (chaîne) + + + Name of the LDAP attribute containing the X509 certificate of the user. + + + Default: userCertificate;binary + + + + + + ldap_user_email (string) + + + Name of the LDAP attribute containing the email address of the user. + + + Note: If an email address of a user conflicts with an email address or fully +qualified name of another user, then SSSD will not be able to serve those +users properly. If for some reason several users need to share the same +email address then set this option to a nonexistent attribute name in order +to disable user lookup/login by email. + + + Default: mail + + + + + + ldap_group_object_class (chaîne) + + + La classe d'objet d'une entrée de groupe dans LDAP. + + + Par défaut : posixGroup + + + + + + ldap_group_name (chaîne) + + + L'attribut LDAP correspondant au nom du groupe. + + + Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD) + + + + + + ldap_group_gid_number (chaîne) + + + L'attribut LDAP correspondant à l'identifiant de groupe. + + + Par défaut : gidNumber + + + + + + ldap_group_member (chaîne) + + + L'attribut LDAP contenant les noms des membres du groupe. + + + Par défaut : memberuid (rfc2307) / member (rfc2307bis) + + + + + + ldap_group_uuid (chaîne) + + + The LDAP attribute that contains the UUID/GUID of an LDAP group object. + + + Par défaut : non défini dans le cas général, objectGUID pour AD et +ipaUniqueID pour IPA + + + + + + ldap_group_objectsid (string) + + + L'attribut LDAP qui contient l'objectSID d'un objet de groupe LDAP. Ceci +n'est habituellement nécessaire que pour les serveurs Active Directory. 
+ + + Default: objectSid for ActiveDirectory, not set for other servers. + + + + + + ldap_group_modify_timestamp (chaîne) + + + L'attribut LDAP qui contient l'horodatage de la dernière modification de +l'objet parent. + + + Par défaut : modifyTimestamp + + + + + + ldap_group_type (entier) + + + L'attribut LDAP qui contient une valeur entière indiquant le type de groupe +voire d'autres indicateurs. + + + Cet attribut est actuellement utilisé uniquement par le fournisseur AD pour +déterminer si un groupe est un groupe de domaine local et doit être filtré +hors des domaines approuvés. + + + Default: groupType in the AD provider, otherwise not set + + + + + + ldap_group_external_member (string) + + + The LDAP attribute that references group members that are defined in an +external domain. At the moment, only IPA's external members are supported. + + + Default: ipaExternalMember in the IPA provider, otherwise unset. + + + + + + ldap_group_nesting_level (entier) + + + Si ldap_schema est défini comme un format prenant en charge les groupes +imbriqués (par exemple RFC2307bis), alors cette option contrôle le nombre de +niveaux d'imbrication que SSSD suivra. Cette option n'a pas d'effet sur le +schéma RFC2307. + + + Note: This option specifies the guaranteed level of nested groups to be +processed for any lookup. However, nested groups beyond this limit +may be returned if previous lookups already resolved +the deeper nesting levels. Also, subsequent lookups for other groups may +enlarge the result set for original lookup if re-queried. + + + If ldap_group_nesting_level is set to 0 then no nested groups are processed +at all. However, when connected to Active-Directory Server 2008 and later +using id_provider=ad it is furthermore required to disable +usage of Token-Groups by setting ldap_use_tokengroups to false in order to +restrict group nesting. 
+ + + Par défaut : 2 + + + + + + ldap_groups_use_matching_rule_in_chain + + + Cette option indique à SSSD de tirer parti d'une fonctionnalité Active +Directory spécifique qui peut accélérer les opérations de recherche de +groupe sur les déploiements utilisant des groupes profondément imbriqués et +complexes. + + + Dans la plupart des cas, il est préférable de laisser cette option +désactivée. Elle ne fournit une augmentation des performances que sur les +imbrications très complexes. + + + Si cette option est activée, SSSD l'utilisera s'il détecte que le serveur la +prend en charge au cours de la connexion initiale. Ainsi, « true » signifie +essentiellement « auto-detect ». + + + Remarque : Cette fonctionnalité fonctionne uniquement avec Active Directory +2008 R1 et versions suivantes. Consulter la +documentation de MSDN(TM) pour plus de détails. + + + Par défaut : False + + + + + + ldap_initgroups_use_matching_rule_in_chain + + + Cette option indique à SSSD de tirer parti d'une fonctionnalité Active +Directory spécifique qui peut accélérer les opérations initgroups (le plus +souvent lors de l'utilisation de groupes profondément imbriqués ou +complexes). + + + Si cette option est activée, SSSD l'utilisera s'il détecte que le serveur la +prend en charge au cours de la connexion initiale. Ainsi, « true » signifie +essentiellement « auto-detect ». + + + Remarque : Cette fonctionnalité fonctionne uniquement avec Active Directory +2008 R1 et versions suivantes. Consulter la +documentation de MSDN(TM) pour plus de détails. + + + Par défaut : False + + + + + + ldap_use_tokengroups + + + Cette option active ou désactive l'utilisation de l'attribut Token-Groups +lors de l'initialisation des groupes pour les utilisateurs Active Directory +2008 et versions ultérieures. + + + Default: True for AD and IPA otherwise False. + + + + + + ldap_netgroup_object_class (chaîne) + + + La classe d'objet d'une entrée de netgroup dans LDAP. 
+ + + Pour un fournisseur IPA, ipa_netgroup_object_class doit être utilisé à la +place. + + + Par défaut : nisNetgroup + + + + + + ldap_netgroup_name (chaîne) + + + L'attribut LDAP correspondant au nom du netgroup. + + + Dans le fournisseur IPA, ipa_netgroup_name doit être utilisé à la place. + + + Par défaut : cn + + + + + + ldap_netgroup_member (chaîne) + + + L'attribut LDAP contenant les noms des membres du netgroup. + + + Dans le fournisseur IPA, ipa_netgroup_member doit être utilisé à la place. + + + Par défaut : memberNisNetgroup + + + + + + ldap_netgroup_triple (chaîne) + + + L'attribut LDAP contenant les triplets (hôte, utilisateur, domaine) d'un +netgroup. + + + Cette option n'est pas disponible dans le fournisseur IPA. + + + Par défaut : nisNetgroupTriple + + + + + + ldap_netgroup_modify_timestamp (chaîne) + + + L'attribut LDAP qui contient l'horodatage de la dernière modification de +l'objet parent. + + + Cette option n'est pas disponible dans le fournisseur IPA. + + + Par défaut : modifyTimestamp + + + + + + ldap_host_object_class (string) + + + The object class of a host entry in LDAP. + + + Par défaut : ipService + + + + + + ldap_host_name (string) + + + The LDAP attribute that corresponds to the host's name. + + + Par défaut : cn + + + + + + ldap_host_fqdn (string) + + + The LDAP attribute that corresponds to the host's fully-qualified domain +name. + + + Default: fqdn + + + + + + ldap_host_serverhostname (string) + + + The LDAP attribute that corresponds to the host's name. + + + Default: serverHostname + + + + + + ldap_host_member_of (string) + + + The LDAP attribute that lists the host's group memberships. + + + Par défaut : memberOf + + + + + + ldap_host_search_base (string) + + + Facultatif. Utiliser la chaîne donnée comme base de recherche pour héberger +des objets. + + + Cf. ldap_search_base pour plus d'informations sur la +configuration des bases de recherche multiples. 
+ + + Par défaut : la valeur de ldap_search_base + + + + + + ldap_host_ssh_public_key (string) + + + The LDAP attribute that contains the host's SSH public keys. + + + Par défaut : sshPublicKey + + + + + + ldap_host_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of an LDAP host object. + + + Par défaut : non défini + + + + + + ldap_service_object_class (chaîne) + + + La classe d'objet d'une entrée de service LDAP. + + + Par défaut : ipService + + + + + + ldap_service_name (string) + + + L'attribut LDAP qui contient le nom des attributs de service et de leurs +alias. + + + Par défaut : cn + + + + + + ldap_service_port (string) + + + L'attribut LDAP qui contient le port géré par ce service. + + + Par défaut : ipServicePort + + + + + + ldap_service_proto (string) + + + L'attribut LDAP qui contient les protocoles compris par ce service. + + + Par défaut : ipServiceProtocol + + + + + + ldap_service_search_base (string) + + + + + ldap_search_timeout (entier) + + + Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP +avant annulation et utilisation des résultats contenus dans le cache (et +activation du mode hors ligne) + + + Note : cette option est susceptible de changer dans les prochaines version +de SSSD. Elle sera sûrement remplacée par une série de délais d'attente pour +différents types de recherches. + + + Par défaut : 6 + + + + + + ldap_enumeration_search_timeout (entier) + + + Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP +sur les utilisateurs et groupes avant annulation et utilisation des +résultats mis en cache (et activation du mode hors ligne) + + + Par défaut : 60 + + + + + + ldap_network_timeout (entier) + + + Définit le délai d'attente (en secondes) après lequel les fonctions + poll 2 +/ select +2 suivant un +connect 2 + rendent la main en cas d'inactivité. 
+ + + Par défaut : 6 + + + + + + ldap_opt_timeout (entier) + + + Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs +will abort if no response is received. Also controls the timeout when +communicating with the KDC in case of SASL bind, the timeout of an LDAP bind +operation, password change extended operation and the StartTLS operation. + + + Par défaut : 6 + + + + + + ldap_connection_expire_timeout (entier) + + + Spécifie un délai d'attente (en secondes) pendant laquelle une connexion à +un serveur LDAP est maintenue. Passé ce délai, la connexion devra être +rétablie. Si ce paramètre est utilisé en parallèle avec SASL/GSSAPI, la plus +courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée. + + + Par défaut : 900 (15 minutes) + + + + + + ldap_page_size (entier) + + + Définit le nombre d'enregistrements à récupérer lors d'une requête +LDAP. Certains serveurs LDAP imposent une limite maximale par requête. + + + Par défaut : 1000 + + + + + + ldap_disable_paging (boolean) + + + Désactiver le contrôle de pagination LDAP. Cette option doit être utilisée +si le serveur LDAP signale qu'il prend en charge le contrôle de pagination +LDAP de l'objet RootDSE, mais qu'il n'est pas activé ou ne se comporte pas +correctement. + + + Exemple : le serveurs OpenLDAP avec le module de contrôle de pagination +installé sur le serveur mais non activé le signaleront dans RootDSE mais il +sera impossible de l'utiliser. + + + Exemple : 389 DS a un bogue où il ne peut que soutenir qu'un seul contrôle +de pagination à la fois sur une connexion donnée. Sur les clients chargés, +cela peut entraîner l'échec de certaines demandes. + + + Par défaut : False + + + + + + ldap_disable_range_retrieval (booléen) + + + Désactiver la récupération de plage Active Directory. + + + Active Directory limite le nombre de membres à récupérer par recherche à +l'aide de la stratégie MaxValRange (qui prend la valeur par défaut de 1500 +membres). 
Si un groupe contient plus de membres, la réponse inclura une +extension de plage spécifique à Active Directory. Cette option désactive +l'analyse de cette extension de plage, les groupes de grande taille +apparaissant ainsi sans aucun membre. + + + Par défaut : False + + + + + + ldap_sasl_minssf (integer) + + + Lors de la communication avec un serveur LDAP en utilisant SASL, spécifie le +niveau de sécurité minimal nécessaire pour établir la connexion. Les valeurs +de cette option sont définies par OpenLDAP. + + + Par défaut : Utiliser la valeur par défaut du système (généralement spécifié +par ldap.conf) + + + + + + ldap_deref_threshold (entier) + + + Définit le nombre de membres du groupe qui doivent manquer au sein du cache +interne afin de déclencher une recherche de déréférencement. Si le nombre de +membres manquants est inférieur, ils sont recherchés individuellement. + + + Vous pouvez désactiver complètement les recherches de déréférencement en +affectant la valeur 0. + + + Une recherche de déréférencement est un moyen pour récupérer tous les +membres d'un groupe avec un seul appel LDAP. Plusieurs serveurs LDAP peuvent +avoir différentes méthodes de déréférencement. Les serveurs actuellement +acceptés sont 389/RHDS, OpenLDAP et Active Directory. + + + Remarque : Si l'une des bases de recherche spécifie un +filtre de recherche, alors l'amélioration de la performance de recherche de +déréférencement est désactivée indépendamment de ce paramètre. + + + Par défaut : 10 + + + + + + ldap_tls_reqcert (chaîne) + + + Définit les vérifications à effectuer sur les certificats serveur sur une +session TLS, si elle existe. Une des valeurs suivantes est utilisable : + + + never : le client ne demandera ni ne vérifiera un +quelconque certificat du serveur. + + + allow : le certificat serveur est demandé. Si aucun +certificat n'est fournit, la session continue normalement. Si un mauvais +certificat est fourni, il est ignoré et la session continue normalement. 
+ + + try : le certificat serveur est demandé. Si aucun +certificat n'est fourni, la session continue normalement. Si un mauvais +certificat est fourni, la session se termine immédiatement. + + + demand : le certificat serveur est demandé. Si aucun +certificat ou un mauvais certificat est fourni, la session se termine +immédiatement. + + + hard : identique à demand + + + Par défaut : hard + + + + + + ldap_tls_cacert (chaîne) + + + Définit le fichier qui contient les certificats pour toutes les autorités de +certification que sssd reconnaîtra. + + + Par défaut : utilise les paramètres par défaut de OpenLDAP, en général dans +/etc/openldap/ldap.conf + + + + + + ldap_tls_cacertdir (chaîne) + + + Spécifie le chemin d'un dossier qui contient les certificats de l'autorité +de certificats dans des fichiers séparés. Usuellement, les noms de fichiers +sont la somme de contrôle du certificat suivi de « .0 ». Si disponible, +cacertdir_rehash peut être utilisé pour créer les noms +corrects. + + + Par défaut : utilise les paramètres par défaut de OpenLDAP, en général dans +/etc/openldap/ldap.conf + + + + + + ldap_tls_cert (chaîne) + + + Définit le fichier qui contient le certificat pour la clef du client. + + + Par défaut : non défini + + + + + + ldap_tls_key (chaîne) + + + Définit le fichier qui contient la clef du client. + + + Par défaut : non défini + + + + + + ldap_tls_cipher_suite (chaîne) + + + Specifies acceptable cipher suites. Typically this is a colon separated +list. See ldap.conf +5 for format. + + + Par défaut : utilise les paramètres par défaut de OpenLDAP, en général dans +/etc/openldap/ldap.conf + + + + + + ldap_id_use_start_tls (booléen) + + + Définit le fait que le fournisseur d'identité de connexion doit aussi +utiliser tls pour protéger le +canal. 
+ + + Par défaut : false + + + + + + ldap_id_mapping (boolean) + + + Indique que SSSD doit tenter de trouver les correspondances des ID +d'utilisateur et de groupe dans les attributs ldap_user_objectsid et +ldap_group_objectsid au lieu d'utiliser ldap_user_uid_number et +ldap_group_gid_number. + + + Cette fonctionnalité ne prend actuellement en charge que la correspondance +par objectSID avec Active Directory. + + + Par défaut : false + + + + + + ldap_min_id, ldap_max_id (integer) + + + Au contraire de la mise en correspondance d'identifiants s'appuyant sur les +SID utilisée si ldap_id_mapping est positionné à true, les plages +d'identifiants autorisés pour ldap_user_uid_number et ldap_group_gid_number +n'ont pas de limite. Dans une configuration avec des sous-domaines ou des +domaines approuvés, cela peut engendrer des collisions. Pour les éviter, +ldap_min_id et ldap_max_id peuvent être configurés afin de restreindre les +plages d'identifiants autorisées lues directement depuis le serveur. Les +sous-domaines peuvent ensuite choisir d'autres plages pour leurs propres +identifiants. + + + Par défaut : non indiqué (les deux options sont à 0) + + + + + + ldap_sasl_mech (chaîne) + + + Définit le mécanisme SASL à utiliser. Actuellement, seul GSSAPI est testé et +pris en charge. + + + Par défaut : non défini + + + + + + ldap_sasl_authid (chaîne) + + + Specify the SASL authorization id to use. When GSSAPI is used, this +represents the Kerberos principal used for authentication to the directory. +This option can either contain the full principal (for example +host/myhost@EXAMPLE.COM) or just the principal name (for example +host/myhost). By default, the value is not set and the following principals +are used: +hostname@REALM +netbiosname$@REALM +host/hostname@REALM +*$@REALM +host/*@REALM +host/* + If none of them are +found, the first principal in keytab is returned. 
+ + + Par défaut : host/hostname@REALM + + + + + + ldap_sasl_realm (chaîne) + + + Spécifie le domaine SASL à utiliser. Si non spécifié, cette option prend par +défaut la valeur de krb5_realm. Si le ldap_sasl_authid contient aussi le +domaine, cette option est ignorée. + + + Par défaut : la valeur de krb5_realm. + + + + + + ldap_sasl_canonicalize (booléen) + + + Si true, la bibliothèque LDAP effectue une recherche inversée pour canoniser +le nom de l'hôte au cours d'une liaison SASL. + + + Défaut : false; + + + + + + ldap_krb5_keytab (chaîne) + + + Définit le fichier keytab à utiliser pour utiliser SASL/GSSAPI. + + + Par défaut : le fichier keytab du système, normalement +/etc/krb5.keytab + + + + + + ldap_krb5_init_creds (booléen) + + + Définit le fait que le fournisseur d'identité doit initialiser les données +d'identification Kerberos (TGT). Cette action est effectuée seulement si +SASL est utilisé et que le mécanisme choisi est GSSAPI. + + + Par défaut : true + + + + + + ldap_krb5_ticket_lifetime (entier) + + + Définit la durée de vie, en secondes, des TGT si GSSAPI est utilisé. + + + Par défaut : 86400 (24 heures) + + + + + + krb5_server, krb5_backup_server (string) + + + Spécifie par ordre de préférence la liste séparée par des virgules des +adresses IP ou des noms de systèmes des serveurs Kerberos auquel SSSD doit +se connecter. Pour plus d'informations sur la redondance de bascule et la +redondance de serveur, consulter la section BASCULE. Un +numéro de port facultatif (précédé de deux-points) peut être ajouté aux +adresses ou aux noms de systèmes. Si vide, la découverte de services est +activée - pour plus d'informations, se reporter à la section de +DÉCOUVERTE DE SERVICES. + + + Lors de l'utilisation de découverte de services pour le KDC ou les serveurs +kpasswd, SSSD recherche en premier les entrées DNS qui définissent _udp +comme protocole, et passe sur _tcp si aucune entrée n'est trouvée. 
+ + + Cette option s'appelait krb5_kdcip dans les versions +précédentes de SSSD. Bien que ce nom soit toujours reconnu à l'heure +actuelle, il est conseillé de migrer les fichiers de configuration vers +l'utilisation de krb5_server. + + + + + + krb5_realm (chaîne) + + + Définit le DOMAINE de Kerberos (pour l'authentification SASL/GSSAPI). + + + Par défaut : valeur par défaut du système, voir +/etc/krb5.conf + + + + + + krb5_canonicalize (booléen) + + + Spécifie si le principal de l'hôte doit être rendu canonique lors de la +connexion au serveur LDAP. Cette fonctionnalité est disponible avec MIT +Kerberos > = 1.7 + + + + Par défaut : false + + + + + + krb5_use_kdcinfo (booléen) + + + Indique si SSSD doit préciser aux bibliothèques Kerberos quels domaine et +KDC utiliser. Cette option est activée par défaut, si elle est désactivée, +la bibliothèque Kerberos doit être configurée à l'aide du fichier de +configuration krb5.conf +5 . + + + Consulter la page de manuel de +sssd_krb5_locator_plugin +8 pour plus d'informations sur le +greffon de localisation. + + + Par défaut : true + + + + + + ldap_pwd_policy (chaîne) + + + Détermine la politique d'expiration des mots de passe côté client. Les +valeurs suivantes sont acceptées : + + + none : aucun évaluation du côté client. Cette option ne +peut pas désactiver la politique sur les mots de passe du côté serveur. + + + shadow - Utiliser les attributs de style +shadow +5 pour évaluer si le mot de passe a +expiré. + + + mit_kerberos : utilise les attributs utilisés par MIT +Kerberos pour déterminer si le mot de passe a expiré. Utiliser +chpass_provider=krb5 afin de modifier ces attributs lorsque le mot de passe +est changé. + + + Par défaut : aucun + + + Note : si une politique de mots de passe est configurée +côté serveur, elle prend le pas sur la politique indiquée avec cette option. + + + + + + ldap_referrals (booléen) + + + Définit si le déréférencement automatique doit être activé. 
+ + + Veuillez noter que sssd ne supporte que le déréférencement que lorsqu'il est +compilé avec OpenLDAP version 2.4.13 ou supérieur. + + + La déréférenciation de références peut subir une altération notable des +performances dans les environnements qui les utilisent fortement, un exemple +notable étant Microsoft Active Directory. Si votre installation ne nécessite +pas l'utilisation des références, affecter false à cette option devrait +permettre d'améliorer de façon notable les performances. + + + Par défaut : true + + + + + + ldap_dns_service_name (chaîne) + + + Définit le nom de service à utiliser quand la découverte de services est +activée. + + + Par défaut : ldap + + + + + + ldap_chpass_dns_service_name (chaîne) + + + Définit le nom de service à utiliser pour trouver un serveur LDAP autorisant +un changement de mot de passe quand la découverte de services est activée. + + + Par défaut : non défini, c'est-à-dire que le service de découverte est +désactivé. + + + + + + ldap_chpass_update_last_change (bool) + + + Spécifie s'il faut mettre à jour l'attribut ldap_user_shadow_last_change +avec le nombre de jours depuis Epoch après l'opération de changement de mot +de passe. + + + Par défaut : False + + + + + + ldap_access_filter (chaîne) + + + If using access_provider = ldap and ldap_access_order = filter (default), +this option is mandatory. It specifies an LDAP search filter criteria that +must be met for the user to be granted access on this host. If +access_provider = ldap, ldap_access_order = filter and this option is not +set, it will result in all users being denied access. Use access_provider = +permit to change this default behavior. Please note that this filter is +applied on the LDAP user entry only and thus filtering based on nested +groups may not work (e.g. memberOf attribute on AD entries points only to +direct parents). If filtering based on nested groups is required, please see + +sssd-simple5 +. 
+ + + Exemple : + + +access_provider = ldap +ldap_access_filter = (employeeType=admin) + + + Cet exemple signifie que l'accès à cet hôte est restreint aux utilisateurs +dont l'attribut employeeType est « admin ». + + + Offline caching for this feature is limited to determining whether the +user's last online login was granted access permission. If they were granted +access during their last login, they will continue to be granted access +while offline and vice versa. + + + Par défaut : vide + + + + + + ldap_account_expire_policy (chaîne) + + + Avec cette option une évaluation du côté client des contrôles d'accès peut +être activée. + + + Veuillez noter qu'il est toujours recommandé d'utiliser un contrôle d'accès +du côté serveur, c'est-à-dire que le serveur LDAP doit refuser une requête +de connexion avec un code erreur approprié même si le mot de passe est +correct. + + + Les valeurs suivantes sont autorisées : + + + shadow : utiliser la valeur de ldap_user_shadow_expire +pour déterminer si le compte a expiré. + + + ad : utilise la valeur du champ 32 bits +ldap_user_ad_user_account_control et autorise l'accès si le deuxième bit +n'est pas défini. Si l'attribut est manquant, l'accès est autorisé. La date +d'expiration du compte est aussi vérifiée. + + + rhds, ipa, +389ds : utilise la valeur de ldap_ns_account_lock afin +de vérifier si l'accès est autorisé ou non. + + + nds : les valeurs de +ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled et +ldap_user_nds_login_expiration_time sont utilisées pour vérifier si l'accès +est autorisé. Si les deux attributs sont manquants, l'accès est autorisé. + + + + Noter que l'option de configuration ldap_access_order +doit inclure expire de façon à permettre +à l'option ldap_account_expire_policy de fonctionner. + + + Par défaut : vide + + + + + + ldap_access_order (chaîne) + + + Liste séparées par des virgules des options de contrôles d'accès. 
Les +valeurs autorisées sont : + + + filter : utiliser ldap_access_filter + + + lockout: use account locking. If set, this option +denies access in case that ldap attribute 'pwdAccountLockedTime' is present +and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. +Please note that 'access_provider = ldap' must be set for this feature to +work. + + + Please note that this option is superseded by the +ppolicy option and might be removed in a future release. + + + + ppolicy: use account locking. If set, this option +denies access in case that ldap attribute 'pwdAccountLockedTime' is present +and has value of '000001010000Z' or represents any time in the past. The +value of the 'pwdAccountLockedTime' attribute must end with 'Z', which +denotes the UTC time zone. Other time zones are not currently supported and +will result in "access-denied" when users attempt to log in. Please see the +option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' must +be set for this feature to work. + + + + expire: utiliser ldap_account_expire_policy + + + pwd_expire_policy_reject, pwd_expire_policy_warn, +pwd_expire_policy_renew: These options are useful if users are +interested in being warned that password is about to expire and +authentication is based on using a different method than passwords - for +example SSH keys. + + + The difference between these options is the action taken if user password is +expired: pwd_expire_policy_reject - user is denied to log in, +pwd_expire_policy_warn - user is still able to log in, +pwd_expire_policy_renew - user is prompted to change his password +immediately. + + + Note If user password is expired no explicit message is prompted by SSSD. + + + Please note that 'access_provider = ldap' must be set for this feature to +work. Also 'ldap_pwd_policy' must be set to an appropriate password policy. 
+ + + authorized_service : utiliser l'attribut +authorizedService pour déterminer l'accès + + + host : utilise l'attribut host pour déterminer l'accès + + + rhost: use the rhost attribute to determine whether +remote host can access + + + Please note, rhost field in pam is set by application, it is better to check +what the application sends to pam, before enabling this access control +option + + + Par défaut : filter + + + Veuillez noter qu'une valeur utilisée plusieurs fois résulte en une erreur +de configuration. + + + + + + ldap_pwdlockout_dn (chaîne) + + + This option specifies the DN of password policy entry on LDAP server. Please +note that absence of this option in sssd.conf in case of enabled account +lockout checking will yield access denied as ppolicy attributes on LDAP +server cannot be checked properly. + + + Exemple : cn=ppolicy,ou=policies,dc=example,dc=com + + + Default: cn=ppolicy,ou=policies,$ldap_search_base + + + + + + ldap_deref (chaînes) + + + Définit comment le déréférencement de l'alias est effectué lors d'une +recherche. Les options suivantes sont autorisées : + + + never : les alias ne sont jamais déréférencés. + + + searching : Les alias sont déréférencés comme des +subordonnés de l'objet de base, mais pas en localisant l'objet de base de la +recherche. + + + finding : les alias sont seulement déréférencés lors de +la localisation de l'objet de base de la recherche. + + + always : les alias sont déréférencés à la fois pour la +recherche et et la localisation de l'objet de base de la recherche. + + + Par défaut : vide (ceci est traité comme never par les +bibliothèques clientes LDAP) + + + + + + ldap_rfc2307_fallback_to_local_users (booléen) + + + Permet de conserver les utilisateurs locaux en tant que membres d'un groupe +LDAP pour les serveurs qui utilisent le schéma RFC2307. 
+ + + Dans certains environnements où le schéma RFC2307 est utilisé, les +utilisateurs locaux deviennent membres du groupes LDAP en ajoutant leurs +noms à l'attribut memberUid. La cohérence du domaine est compromise quand +cela est fait, SSSD supprimerait normalement les utilisateurs « disparus » +des appartenances aux groupes mises en cache dès que nsswitch essaie de +récupérer des informations sur l'utilisateur via des appels à getpw*() ou +initgoups(). + + + Cette option vérifie en dernier recours si les utilisateurs locaux sont +référencés et les met en cache afin que des appels ultérieurs à initgoups() +ajoutent les utilisateurs locaux aux groupes LDAP. + + + Par défaut : false + + + + + + wildcard_limit (integer) + + + Specifies an upper limit on the number of entries that are downloaded during +a wildcard lookup. + + + At the moment, only the InfoPipe responder supports wildcard lookups. + + + Default: 1000 (often the size of one page) + + + + + + + + + + OPTIONS DE SUDO + + The detailed instructions for configuration of sudo_provider are in the +manual page sssd-sudo +5 . + + + + + + ldap_sudorule_object_class (string) + + + La classe d'objet d'une entrée de règle de sudo dans LDAP. + + + Par défaut : sudoRole + + + + + + ldap_sudorule_name (string) + + + L'attribut LDAP qui correspond au nom de la règle de sudo. + + + Par défaut : cn + + + + + + ldap_sudorule_command (string) + + + L'attribut LDAP qui correspond au nom de la commande. + + + Par défaut : sudoCommand + + + + + + ldap_sudorule_host (string) + + + L'attribut LDAP qui correspond au nom d'hôte (ou adresse IP de l'hôte, +réseau IP de l'hôte ou netgroup de l'hôte) + + + Par défaut : sudoHost + + + + + + ldap_sudorule_user (string) + + + L'attribut LDAP qui correspond au nom d'utilisateur (ou UID, le nom du +groupe ou netgroup de l'utilisateur) + + + Par défaut : sudoUser + + + + + + ldap_sudorule_option (string) + + + L'attribut LDAP qui correspond aux options sudo. 
+ + + Par défaut : sudoOption + + + + + + ldap_sudorule_runasuser (string) + + + L'attribut LDAP qui correspond aux commandes peuvent être exécutées sous le +nom d'utilisateur. + + + Par défaut : sudoRunAsUser + + + + + + ldap_sudorule_runasgroup (string) + + + L'attribut LDAP qui correspond au nom du groupe ou GID du groupe sous lequel +les commandes seront être exécutées. + + + Par défaut : sudoRunAsGroup + + + + + + ldap_sudorule_notbefore (string) + + + L'attribut LDAP qui correspond à la date/heure de début pour laquelle la +règle sudo est valide. + + + Par défaut : sudoNotBefore + + + + + + ldap_sudorule_notafter (string) + + + L'attribut LDAP qui correspond à la date/heure d'expiration, après quoi la +règle sudo ne sera plus valide. + + + Par défaut : sudoNotAfter + + + + + + ldap_sudorule_order (string) + + + L'attribut LDAP qui correspond à l'index de tri de la règle. + + + Par défaut : sudoOrder + + + + + + ldap_sudo_full_refresh_interval (integer) + + + La durée en secondes pendant laquelle SSSD va attendre entre deux +actualisations complètes des règles de sudo (qui téléchargent toutes les +règles qui sont stockées sur le serveur). + + + La valeur doit être supérieure à +ldap_sudo_smart_refresh_interval + + + Par défaut : 21600 (6 heures) + + + + + + ldap_sudo_smart_refresh_interval (integer) + + + La durée en secondes pendant laquelle SSSD doit attendre avant d'exécuter +une actualisation intelligente des règles sudo (qui télécharge toutes les +règles qui ont un USN supérieur à l'USN le plus élevé des règles mises en +cache). + + + Si les attributs USN ne sont pas pris en charge par le serveur, l'attribut +modifyTimestamp est utilisé à la place. + + + Par défaut : 900 (15 minutes) + + + + + + ldap_sudo_use_host_filter (boolean) + + + Si true, SSSD téléchargera les seules règles qui s'appliquent à cette +machine (à l'aide de l'adresse de système ou de réseau IPv4 ou IPv6 et des +noms de systèmes). 
+ + + Par défaut : true + + + + + + ldap_sudo_hostnames (string) + + + Liste séparés par des espaces des noms de systèmes ou de domaines qui +doivent être utilisés pour filtrer les règles. + + + Si cette option est vide, SSSD va essayer de découvrir automatiquement le +nom de système et le nom de domaine pleinement qualifié. + + + Si ldap_sudo_use_host_filter est +false, alors cette option n'a aucun effet. + + + Par défaut : non spécifié + + + + + + ldap_sudo_ip (string) + + + Liste séparés par des espaces d'adresses de système ou de réseaux IPv4 ou +IPv6 qui doivent être utilisés pour filtrer les règles. + + + Si cette option est vide, SSSD va essayer de découvrir les adresses +automatiquement. + + + Si ldap_sudo_use_host_filter est +false, alors cette option n'a aucun effet. + + + Par défaut : non spécifié + + + + + + ldap_sudo_include_netgroups (boolean) + + + Si elle est vraie alors SSSD téléchargera toutes les règles qui contient un +netgroup dans l'attribut sudoHost. + + + Si ldap_sudo_use_host_filter est +false, alors cette option n'a aucun effet. + + + Par défaut : true + + + + + + ldap_sudo_include_regexp (boolean) + + + Si positionnée à true, SSSD téléchargera toutes les règles qui contiennent +un joker dans l'attribut sudoHost. + + + Si ldap_sudo_use_host_filter est +false, alors cette option n'a aucun effet. + + + Par défaut : true + + + + + + + Cette page de manuel décrit uniquement le mappage de noms d'attribut. Pour +une explication détaillée des sémantiques d'attributs relatives à sudo, +cf. sudoers.ldap +5 + + + + + OPTIONS AUTOFS + + Some of the defaults for the parameters below are dependent on the LDAP +schema. + + + + + ldap_autofs_map_master_name (chaîne) + + + Le nom de la table de montage automatique maîtresse dans LDAP. + + + Par défaut : auto.master + + + + + + ldap_autofs_map_object_class (string) + + + La classe d'objet d'une entrée de table de montage automatique dans LDAP. 
+ + + Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap + + + + + + ldap_autofs_map_name (string) + + + Le nom d'une entrée de table de montage automatique dans LDAP. + + + Default: nisMapName (rfc2307, autofs_provider=ad), otherwise +automountMapName + + + + + + ldap_autofs_entry_object_class (string) + + + The object class of an automount entry in LDAP. The entry usually +corresponds to a mount point. + + + Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount + + + + + + ldap_autofs_entry_key (string) + + + La clé d'une entrée de montage automatique dans LDAP. L'entrée correspond +généralement à un point de montage. + + + Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey + + + + + + + ldap_autofs_entry_value (string) + + + La clé d'une entrée de montage automatique dans LDAP. L'entrée correspond +généralement à un point de montage. + + + Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise +automountInformation + + + + + + + + + + OPTIONS AVANCÉES + + These options are supported by LDAP domains, but they should be used with +caution. Please include them in your configuration only if you know what you +are doing. + + ldap_netgroup_search_base (chaînes) + + + + + ldap_user_search_base (chaînes) + + + + + ldap_group_search_base (chaînes) + + + + + + If the option ldap_use_tokengroups is enabled, the searches +against Active Directory will not be restricted and return all groups +memberships, even with no GID mapping. It is recommended to disable this +feature, if group names are not being displayed correctly. + + + + ldap_sudo_search_base (string) + + + + + ldap_autofs_search_base (string) + + + + + + + + + + + + + + + EXEMPLE + + L'exemple suivant suppose que SSSD est correctement configuré et que LDAP +pointe sur un des domaines de la section +[domains]. 
+
+
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://ldap.mydomain.org
+ldap_search_base = dc=mydomain,dc=org
+ldap_tls_reqcert = demand
+cache_credentials = true
+
+
+
+
+ LDAP ACCESS FILTER EXAMPLE
+
+ The following example assumes that SSSD is correctly configured and to use
+the ldap_access_order=lockout.
+
+
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+ldap_access_order = lockout
+ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
+ldap_uri = ldap://ldap.mydomain.org
+ldap_search_base = dc=mydomain,dc=org
+ldap_tls_reqcert = demand
+cache_credentials = true
+
+
+
+
+
+ NOTES
+
+ Les descriptions de quelques unes des options de configuration des pages de
+manuel sont basées sur le manuel de
+ldap.conf 5
+ de la distribution de OpenLDAP 2.4.
+
+
+
+
+
+
+
diff --git a/src/man/fr/sssd-simple.5.xml b/src/man/fr/sssd-simple.5.xml
new file mode 100644
index 0000000..f8ebdc8
--- /dev/null
+++ b/src/man/fr/sssd-simple.5.xml
@@ -0,0 +1,151 @@
+
+
+
+Pages de manuel de SSSD
+
+
+
+
+ sssd-simple
+ 5
+ Formats de fichier et conventions
+
+
+
+ sssd-simple
+ le fichier de configuration pour le fournisseur de contrôle d'accès «
+simple » de SSSD.
+
+
+
+ DESCRIPTION
+
+ Cette page de manuel décrit la configuration du fournisseur de contrôle
+d'accès simple de sssd
+8 . Pour plus de détails sur la
+syntaxe, cf. la section FORMAT DE FICHIER de la page de
+manuel sssd.conf
+5 .
+
+
+ Le fournisseur d'accès simple autorise les accès à partir de listes
+d'autorisation ou de refus de noms d'utilisateurs ou de groupes. Les règles
+suivantes s'appliquent :
+
+
+ Si toutes les listes sont vides, l'accès est autorisé
+
+
+
+ Si une liste est fournie, quelle qu'elle soit, l'ordre d'évaluation est
+allow,deny. Autrement dit une règle de refus écrasera une règle
+d'autorisation.
+
+
+
+
+ Si la ou les listes fournies sont seulement de type « allow », tous les
+utilisateurs sont refusés à moins qu'ils ne soient dans la liste.
+
+
+
+
+ Si seulement les listes « deny » sont utilisées, tous les utlisateurs sont
+autorisés à moins qu'ils ne soient dans la liste.
+
+
+
+
+
+
+
+ OPTIONS DE CONFIGURATION
+ Se référer à la section SECTIONS DE DOMAINE de la page de
+manuel sssd.conf
+5 pour les détails sur la
+configuration d'un domaine SSSD.
+
+ simple_allow_users (chaîne)
+
+
+ Liste séparée par des virgules d'utilisateurs autorisés à se connecter.
+
+
+
+
+
+ simple_deny_users (chaîne)
+
+
+ Liste séparée par des virgules d'utilisateurs dont l'accès sera refusé.
+
+
+
+
+ simple_allow_groups (chaîne)
+
+
+ Liste séparée par des virgules de groupes autorisés à se connecter. Ceci ne
+s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont
+pas pris en compte.
+
+
+
+
+
+ simple_deny_groups (chaîne)
+
+
+ Liste séparée par des virgules de groupes dont l'accès sera refusé. Ceci ne
+s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont
+pas pris en compte.
+
+
+
+
+
+
+ Ne spécifier aucune valeur pour aucune des listes revient à l'ignorer
+complètement. Se méfier de ceci lors de la création des paramètres pour le
+fournisseur simple à l'aide automatique de scripts.
+
+
+ Veuillez noter que la configuration simultanée de simple_allow_users et
+simple_deny_users est une erreur.
+
+
+
+
+ EXEMPLE
+
+ L'exemple suivant suppose que SSSD est correctement configuré et que
+example.com est un des domaines dans la section
+[sssd]. Ces exemples montrent seulement les
+options spécifiques du fournisseur d'accès simple.
+
+
+
+[domain/example.com]
+access_provider = simple
+simple_allow_users = user1, user2
+
+
+
+
+
+ NOTES
+
+ The complete group membership hierarchy is resolved before the access check,
+thus even nested groups can be included in the access lists. Please be
+aware that the ldap_group_nesting_level option may impact the
+results and should be set to a sufficient value. (
+sssd-ldap5
+) option.
+
+
+
+
+
+
+
diff --git a/src/man/fr/sssd-sudo.5.xml b/src/man/fr/sssd-sudo.5.xml
new file mode 100644
index 0000000..1d56853
--- /dev/null
+++ b/src/man/fr/sssd-sudo.5.xml
@@ -0,0 +1,196 @@
+
+
+
+Pages de manuel de SSSD
+
+
+
+
+ sssd-sudo
+ 5
+ Formats de fichier et conventions
+
+
+
+ sssd-sudo
+ Configuration de sudo avec le moteur SSSD
+
+
+
+ DESCRIPTION
+
+ Cette page de manuel décrit comment configurer
+sudo
+8 pour travailler avec
+sssd
+8 et comment SSSD met en cache les
+règles sudo.
+
+
+
+
+ Configuration de sudo pour coopérer avec SSSD
+
+ Pour activer SSSD comme source pour les règles de sudo, ajouter
+sss à l'entrée sudoers dans
+nsswitch.conf
+5.
+
+
+ Par exemple, pour configurer sudo pour rechercher d'abord les règles dans le
+fichier standard sudoers
+5 (qui doit contenir les règles qui
+s'appliquent aux utilisateurs locaux) et ensuite dans SSSD, le fichier
+nsswitch.conf doit contenir la ligne suivante :
+
+
+
+sudoers: files sss
+
+
+
+ Plus d'informations sur la configuration de l'ordre de recherche de sudoers
+depuis le fichier nsswitch.conf, mais aussi les informations sur le schéma
+LDAP qui est utilisé pour stocker les règles sudo dans l'annuaire sont
+disponibles dans sudoers.ldap
+5.
+
+
+ Note: in order to use netgroups or IPA hostgroups in
+sudo rules, you also need to correctly set
+nisdomainname 1
+ to your NIS domain name (which equals to IPA domain name
+when using hostgroups).
+
+
+
+
+ Configuration de SSSD pour aller chercher les règles de sudo
+
+ All configuration that is needed on SSSD side is to extend the list of
+services with "sudo" in [sssd] section of
+ sssd.conf
+5 . To speed up the LDAP lookups, you
+can also set search base for sudo rules using
+ldap_sudo_search_base option.
+
+
+ L'exemple suivant montre comment configurer SSSD pour télécharger les règles
+sudo à partir d'un serveur LDAP.
+
+
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = EXAMPLE
+
+[domain/EXAMPLE]
+id_provider = ldap
+sudo_provider = ldap
+ldap_uri = ldap://example.com
+ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
+ It's important to note that on platforms where
+systemd is supported there's no need to add the "sudo" provider to the list
+of services, as it became optional. However, sssd-sudo.socket must be
+enabled instead.
+
+
+ When SSSD is configured to use IPA as the ID provider, the sudo provider is
+automatically enabled. The sudo search base is configured to use the IPA
+native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in
+sssd.conf, this value will be used instead. The compat tree
+(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality.
+
+
+
+
+ Le mécanisme de mise en cache de règles SUDO
+
+ Le plus grand défi lors du développement de la prise en charge de sudo dans
+SSSD était de de s'assurer que l'utilisation d'un sudo exploitant SSSD comme
+source de données fournissait la même expérience utilisateur et était aussi
+rapide que sudo, tout en conservant le jeu de règles le plus à jour
+possible. Pour satisfaire ces exigences, SSSD utilise trois types de mises à
+jour. Elles sont appelées actualisation complète, rafraîchissement
+intelligent et rafraîchissement des règles.
+
+
+ Le rafraîchissement intelligent télécharge
+périodiquement les règles qui sont nouvelles ou qui ont été modifiées après
+la dernière mise à jour. Son but premier est d'éviter à la base de données
+de grossir en allant chercher de petits incréments qui ne génèrent pas de
+gros de trafic réseau.
+
+
+ Le rafracîchissement complèt supprime simplement toutes
+les règles sudo stockées dans le cache et les remplace par toutes les règles
+qui sont stockées sur le serveur. Ceci est utilisé pour assurer la cohérence
+de cache en supprimant toutes les règles qui ont été supprimées du
+serveur.
Cependant, un rafraîchissement complet peut produire beaucoup de +trafic et doit n'être exécuté qu'occasionnellement selon la taille et de la +stabilité des règles sudo. + + + Le rafraîchissement des règles fait en sorte de ne pas +accorder à l'utilisateur plus d'autorisations que défini. Il est déclenché +chaque fois que l'utilisateur exécute sudo. L'actualisation des règles +trouvera toutes les règles qui s'appliquent à cet utilisateur, vérifie leur +date d'expiration et les retéléchargera si elles ont expiré. Dans le cas où +l'une de ces règles est manquante sur le serveur, SSSD programmera en +parallèle un rafraîchissement complet hors ligne car d'autres règles +(s'appliquant à d'autres utilisateurs) peuvent avoir été supprimées. + + + Si activé, SSSD stocke uniquement les règles qui peuvent être appliquées à +cette machine. En d'autres termes, ce sont les règles qui contiennent une +des valeurs suivantes dans l'attribut de sudoHost : + + + + + mot-clé ALL + + + + + joker + + + + + netgroup (sous la forme « +netgroup ») + + + + + nom de système ou le nom de domaine pleinement qualifié de cette machine + + + + + une des adresses IP de cette machine + + + + + une des adresses IP du réseau (sous la forme « adresse/masque ») + + + + + Il existe de nombreuses options de configuration qui peuvent être utilisées +pour ajuster le comportement. Consulter « ldap_sudo_ * » dans +sssd-ldap +5 et « sudo_ * » dans +sssd.conf +5. + + + + + + + diff --git a/src/man/fr/sssd.8.xml b/src/man/fr/sssd.8.xml new file mode 100644 index 0000000..98fa088 --- /dev/null +++ b/src/man/fr/sssd.8.xml 
@@ -0,0 +1,232 @@
+
+
+
+Pages de manuel de SSSD
+
+
+
+
+ sssd
+ 8
+
+
+
+ sssd
+ System Security Services Daemon
+
+
+
+
+sssd
+options
+
+
+
+ DESCRIPTION
+
+ SSSD fournit un jeu de démons pour gérer l'accès à des
+dossiers distants et les mécanismes d'authentification. Il fournit une
+interface NSS et PAM au travers du système et un moteur système extensible
+par greffons pour se connecter à de multiples comptes de sources différentes
+en plus d'une interface D-Bus. C'est aussi un moyen de fournir un moyen
+d'audit client et une politique de services pour les projets tels que
+FreeIPA. Il fournit une base de donnée plus robuste pour stocker les
+utilisateurs locaux ainsi que les données étendues des utilisateurs.
+
+
+
+
+ OPTIONS
+
+
+
+ ,
+LEVEL
+
+
+
+
+
+ mode
+
+
+
+ 1 : Ajouter un horodatage aux messages de débogage
+
+
+ 0 : Désactiver l'horodatage dans les messages de
+débogage
+
+
+ Par défaut : 1
+
+
+
+
+
+ mode
+
+
+
+ 1 : Ajouter les microsecondes à l'horodatage dans les
+messages de débogage
+
+
+ 0 : Désactiver les microsecondes dans l'horodatage
+
+
+ Par défaut : 0
+
+
+
+
+
+ ,
+
+
+
+ Envoie la sortie de débogage vers des fichiers plutôt que vers la sortie
+d'erreur standard. Par défaut, les fichiers de sortie sont stockés dans
+/var/log/sssd et des fichiers différents sont créés
+pour chaque service et domaine SSSD.
+
+
+ This option is deprecated. It is replaced by
+.
+
+
+
+
+
+ value
+
+
+
+ Location where SSSD will send log messages. This option overrides the value
+of the deprecated option . The deprecated
+option will still work if the is not used.
+
+
+ stderr: Redirect debug messages to standard error
+output.
+
+
+ files: Redirect debug messages to the log files. By
+default, the log files are stored in /var/log/sssd and
+there are separate log files for every SSSD service and domain.
+
+
+ journald: Redirect debug messages to systemd-journald
+
+
+ Par défaut : non défini
+
+
+
+
+
+ ,
+
+
+
+ Devenir un démon après le démarrage.
+
+
+
+
+
+ ,
+
+
+
+ Tourner en avant-plan et ne pas devenir un démon.
+
+
+
+
+
+ ,
+
+
+
+ Définit un fichier de configuration autre que celui par défaut
+(/etc/sssd/sssd.conf). Pour obtenir des informations
+sur la syntaxe et les options du fichier de configuration, consulter les
+pages de manuel de sssd.conf
+5 .
+
+
+
+
+
+
+
+
+
+
+ Afficher le numéro de version et quitter.
+
+
+
+
+
+
+
+ Signaux
+
+
+ SIGTERM/SIGINT
+
+
+ Indique à SSSD de fermer normalement tous ses processus fils puis d'arrêter
+le moniteur.
+
+
+
+
+ SIGHUP
+
+
+ Précise à SSSD de ne plus écrire vers son fichier de débogage actuel, de le
+fermer et de le rouvrir. Cela permet de faciliter les rotations de fichiers
+de sortie avec des programmes tels que logrotate.
+
+
+
+
+ SIGUSR1
+
+
+ Tells the SSSD to simulate offline operation for the duration of the
+offline_timeout parameter. This is useful for testing. The
+signal can be sent to either the sssd process or any sssd_be process
+directly.
+
+
+
+
+ SIGUSR2
+
+
+ Tells the SSSD to go online immediately. This is useful for testing. The
+signal can be sent to either the sssd process or any sssd_be process
+directly.
+
+
+
+
+
+
+
+ NOTES
+
+ If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client
+applications will not use the fast in memory cache.
+
+
+
+
+
+
+
diff --git a/src/man/fr/sssd_krb5_locator_plugin.8.xml b/src/man/fr/sssd_krb5_locator_plugin.8.xml
new file mode 100644
index 0000000..4ea1c4e
--- /dev/null
+++ b/src/man/fr/sssd_krb5_locator_plugin.8.xml
@@ -0,0 +1,70 @@ + + + +Pages de manuel de SSSD + + + + + sssd_krb5_locator_plugin + 8 + + + + sssd_krb5_locator_plugin + Greffon de localisation Kerberos + + + + DESCRIPTION + + Le greffon de localisation Kerberos +sssd_krb5_locator_plugin est utilisé par le fournisseur +Kerberos de sssd +8 pour indiquer aux bibliothèques +Kerberos quel domaine et quel KDC à utiliser. En général, cela se fait en +krb5.conf +5 qui est toujours lu par les +bibliothèques de Kerberos. Pour simplifier la configuration, le Domaine et +le KDC peuvent être définis dans +sssd.conf +5 comme indiqué dans +sssd-krb5.conf +5 + + + SSSD +8 met le nom de domaine et le nom ou +adresse IP du KDC dans les variables d'environnement SSSD_KRB5_REALM et +SSSD_KRB5_KDC respectivement. Lorsque +sssd_krb5_locator_plugin est appelé par les bibliothèques +de kerberos, il lit et évalue ces variables et les transmet aux +bibliothèques. + + + + + NOTES + + Toutes les versions de Kerberos ne prennent en charge l'utilisation de +greffons. Si sssd_krb5_locator_plugin n'est pas présent +sur votre système, il faut modifier /etc/krb5.conf pour s'adapter à la +configuration de Kerberos. + + + Si la variable d'environnement SSSD_KRB5_LOCATOR_DEBUG a une valeur +quelconque, des messages de débogage seront envoyés sur la sortie standard +d'erreur. + + + If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value +the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the +caller. + + + + + + + diff --git a/src/man/idmap_sss.8.xml b/src/man/idmap_sss.8.xml new file mode 100644 index 0000000..b819304 --- /dev/null +++ b/src/man/idmap_sss.8.xml 
@@ -0,0 +1,62 @@ + + + +SSSD Manual pages + + + + + idmap_sss + 8 + + + + idmap_sss + SSSD's idmap_sss Backend for Winbind + + + + DESCRIPTION + + The idmap_sss module provides a way to call SSSD to map UIDs/GIDs + and SIDs. No database is required in this case as the mapping is + done by SSSD. + + + + + IDMAP OPTIONS + + + + range = low - high + + Defines the available matching UID and GID range for which the + backend is authoritative. + + + + + + + EXAMPLES + + This example shows how to configure idmap_sss as the default mapping + module. + + + +[global] +security = domain +workgroup = MAIN + +idmap config * : backend = sss +idmap config * : range = 200000-2147483647 + + + + + + + diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml new file mode 100644 index 0000000..818a2bf --- /dev/null +++ b/src/man/include/ad_modified_defaults.xml 
@@ -0,0 +1,79 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend
+ provider defaults, these option names and AD provider-specific
+ defaults are listed below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_enterprise_principal = true
+
+
+
+
+
+ LDAP Provider
+
+
+
+ ldap_schema = ad
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_id_mapping = true
+
+
+
+
+ ldap_sasl_mech = gssapi
+
+
+
+
+ ldap_referrals = false
+
+
+
+
+ ldap_account_expire_policy = ad
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+
+
+ The AD provider looks for a different principal than the
+ LDAP provider by default, because in an Active Directory
+ environment the principals are divided into two groups
+ - User Principals and Service Principals. Only User
+ Principal can be used to obtain a TGT and by default,
+ computer object's principal is constructed from
+ its sAMAccountName and the AD realm. The well-known
+ host/hostname@REALM principal is a Service Principal
+ and thus cannot be used to get a TGT with.
+
+
+
+
+
diff --git a/src/man/include/autofs_restart.xml b/src/man/include/autofs_restart.xml
new file mode 100644
index 0000000..901855b
--- /dev/null
+++ b/src/man/include/autofs_restart.xml
@@ -0,0 +1,6 @@
+
+ Please note that the automounter only reads the master
+ map on startup, so if any autofs-related changes are made
+ to the sssd.conf, you typically also need to restart the
+ automounter daemon after restarting the SSSD.
+
diff --git a/src/man/include/debug_levels.xml b/src/man/include/debug_levels.xml
new file mode 100644
index 0000000..93a8ec9
--- /dev/null
+++ b/src/man/include/debug_levels.xml
@@ -0,0 +1,100 @@ + + + SSSD supports two representations for specifying the debug level. The + simplest is to specify a decimal value from 0-9, which represents + enabling that level and all lower-level debug messages. The more + comprehensive option is to specify a hexadecimal bitmask to enable or + disable specific levels (such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log + file. Also please note that enabling debug_level + in the [sssd] section only enables debugging just + for the sssd process itself, not for the responder or provider + processes. The debug_level parameter should be + added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using + the debug_level parameter, which is persistent, but + requires SSSD restart, it is also possible to change the debug level + on the fly using the + + sss_debuglevel + 8 + + tool. + + + Currently supported debug levels: + + + 0, + 0x0010: + Fatal failures. Anything that would prevent SSSD from starting up or + causes it to cease running. + + + 1, + 0x0020: + Critical failures. An error that doesn't kill SSSD, but one that + indicates that at least one major feature is not going to work + properly. + + + 2, + 0x0040: Serious failures. An error announcing + that a particular request or operation has failed. + + + 3, + 0x0080: Minor failures. These are the errors that + would percolate down to cause the operation failure of 2. + + + 4, + 0x0100: Configuration settings. + + + 5, + 0x0200: Function data. + + + 6, + 0x0400: Trace messages for operation functions. + + + 7, + 0x1000: Trace messages for internal control + functions. + + + 8, + 0x2000: Contents of function-internal variables + that may be interesting. + + + 9, + 0x4000: Extremely low-level tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together + as shown in following examples: + + + Example: To log fatal failures, critical failures, + serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration + settings, function data, trace messages for internal control functions + use 0x1310. + + + Note: The bitmask format of debug levels was + introduced in 1.7.0. + + + Default: 0 + + diff --git a/src/man/include/debug_levels_tools.xml b/src/man/include/debug_levels_tools.xml new file mode 100644 index 0000000..fcc0c2d --- /dev/null +++ b/src/man/include/debug_levels_tools.xml 
@@ -0,0 +1,81 @@ + + + SSSD supports two representations for specifying the debug level. The + simplest is to specify a decimal value from 0-9, which represents + enabling that level and all lower-level debug messages. The more + comprehensive option is to specify a hexadecimal bitmask to enable or + disable specific levels (such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, + 0x0010: + Fatal failures. Anything that would prevent SSSD from starting up or + causes it to cease running. + + + 1, + 0x0020: + Critical failures. An error that doesn't kill SSSD, but one that + indicates that at least one major feature is not going to work + properly. + + + 2, + 0x0040: Serious failures. An error announcing + that a particular request or operation has failed. + + + 3, + 0x0080: Minor failures. These are the errors that + would percolate down to cause the operation failure of 2. + + + 4, + 0x0100: Configuration settings. + + + 5, + 0x0200: Function data. + + + 6, + 0x0400: Trace messages for operation functions. + + + 7, + 0x1000: Trace messages for internal control + functions. + + + 8, + 0x2000: Contents of function-internal variables + that may be interesting. + + + 9, + 0x4000: Extremely low-level tracing information. + + + To log required bitmask debug levels, simply add their numbers together + as shown in following examples: + + + Example: To log fatal failures, critical failures, + serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration + settings, function data, trace messages for internal control functions + use 0x1310. + + + Note: The bitmask format of debug levels was + introduced in 1.7.0. + + + Default: 0 + + diff --git a/src/man/include/experimental.xml b/src/man/include/experimental.xml new file mode 100644 index 0000000..53b4d36 --- /dev/null +++ b/src/man/include/experimental.xml 
@@ -0,0 +1,4 @@
+
+This is an experimental feature, please use https://pagure.io/SSSD/sssd/ to
+report any issues.
+
diff --git a/src/man/include/failover.xml b/src/man/include/failover.xml
new file mode 100644
index 0000000..cd6fd4d
--- /dev/null
+++ b/src/man/include/failover.xml
@@ -0,0 +1,108 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to + a different server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any + number of spaces is allowed around the comma. The servers are + listed in order of preference. The list can contain any number + of servers. + + + For each failover-enabled config option, two variants exist: + primary and backup. + The idea is that servers in the primary list are preferred and + backup servers are only searched if no primary servers can be + reached. If a backup server is selected, a timeout of 31 seconds + is set. After this timeout SSSD will periodically try to reconnect + to one of the primary servers. If it succeeds, it will replace + the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a + service. The back end first tries to resolve the hostname of a + given machine; if this resolution attempt fails, the machine is + considered offline. No further attempts are made to connect + to this machine for any other service. If the resolution + attempt succeeds, the back end tries to connect to a service + on this machine. If the service connection attempt fails, + then only this particular service is considered offline and + the back end automatically switches over to the next service. + The machine is still considered online and might still be tried + for another service. + + + Further connection attempts are made to machines or services + marked as offline after a specified period of time; this is + currently hard coded to 30 seconds. + + + If there are no more machines to try, the back end as a whole + switches to offline mode, and then attempts to reconnect + every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running + a single DNS query or can involve several steps, such as finding + the correct site or trying out multiple host names in case some + of the configured servers are not reachable. The more complex + scenarios can take some time and SSSD needs to balance between + providing enough time to finish the resolution process but on + the other hand, not trying for too long before falling back + to offline mode. If the SSSD debug logs show that the server + resolution is timing out before a live server is contacted, + you can consider changing the time outs. + + + This section lists the available tunables. Please refer to their + description in the + + sssd.conf5 + , + manual page. + + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover + service. This service resolution internally might + include several steps, such as resolving DNS SRV + queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed + as part of an LDAP connection operation. Therefore, also the + ldap_opt_timeout> timeout should be set to + a larger value than dns_resolver_timeout + which in turn should be set to a larger value than + dns_resolver_op_timeout. + + + diff --git a/src/man/include/homedir_substring.xml b/src/man/include/homedir_substring.xml new file mode 100644 index 0000000..54d9bc9 --- /dev/null +++ b/src/man/include/homedir_substring.xml 
@@ -0,0 +1,18 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the + override_homedir option if the template + contains the format string %H. An LDAP + directory entry can directly contain this template so that this + option can be used to expand the home directory path for each + client machine (or operating system). It can be set per-domain or + globally in the [nss] section. A value specified in a domain + section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/include/ipa_modified_defaults.xml b/src/man/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..1f4d48b --- /dev/null +++ b/src/man/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend + provider defaults, these option names and IPA provider-specific + defaults are listed below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/include/ldap_id_mapping.xml b/src/man/include/ldap_id_mapping.xml new file mode 100644 index 0000000..73c385d --- /dev/null +++ b/src/man/include/ldap_id_mapping.xml 
@@ -0,0 +1,307 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active + Directory without requiring administrators to extend user attributes + to support POSIX attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber + attributes are ignored. This is to avoid the possibility of conflicts + between automatically-assigned and manually-assigned values. If you + need to use manually-assigned values, ALL values must be + manually-assigned. + + + Please note that changing the ID mapping related configuration + options will cause user and group IDs to change. At the moment, + SSSD does not support changing IDs, so the SSSD database must + be removed. Because cached passwords are also stored in the + database, removing the database should only be performed while + the authentication servers are reachable, otherwise users might + get locked out. In order to cache the password, an authentication + must be performed. It is not sufficient to use + + sss_cache + 8 + + to remove the database, rather the process + consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment + of other system properties such as file and directory ownership, + it's advisable to plan ahead and test the ID mapping configuration + thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group + object in the directory. This objectSID can be broken up into + components that represent the Active Directory domain identity and + the relative identifier (RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and + divides it into equally-sized component sections - called + "slices"-. Each slice represents the space available to an Active + Directory domain. 
+ + + When a user or group entry for a particular domain is encountered + for the first time, the SSSD allocates one of the available slices + for that domain. In order to make this slice-assignment repeatable + on different client machines, we select the slice based on the + following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to + convert it to a 32-bit hashed value. We then take the modulus of + this value with the total number of available slices to pick the + slice. + + + NOTE: It is possible to encounter collisions in the hash and + subsequent modulus. In these situations, we will select the next + available slice, but it may not be possible to reproduce the same + exact set of slices on other machines (since the order that they + are encountered will determine their slice). In this situation, it + is recommended to either switch to using explicit POSIX attributes + in Active Directory (disabling ID-mapping) or configure a default + domain to guarantee that at least one is always consistent. See + Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] + section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, + each capable of holding up to 200,000 IDs, starting from 200,000 + and going up to 2,000,200,000. This should be sufficient for + most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to + use for mapping Active Directory user and group SIDs. + + + NOTE: This option is different from + min_id in that min_id + acts to filter the output of requests to this domain, + whereas this option controls the range of ID + assignment. 
This is a subtle distinction, but the + good general advice would be to have + min_id be less-than or equal to + ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to + use for mapping Active Directory user and group SIDs. + + + NOTE: This option is different from + max_id in that max_id + acts to filter the output of requests to this domain, + whereas this option controls the range of ID + assignment. This is a subtle distinction, but the + good general advice would be to have + max_id be greater-than or equal to + ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. + If the range size does not divide evenly into the min + and max values, it will create as many complete slices + as it can. + + + NOTE: The value of this option must be at least as large as the + highest user RID planned for use on the Active Directory server. User + lookups and login will fail for any user whose RID is greater than + this value. + + + For example, if your most recently-added Active Directory user has + objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, + ldap_idmap_range_size must be at least 1108 as + range size is equal to maximal SID minus minimal SID plus one + (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this + value will result in changing all of the ID mappings on the system, + leading to users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This + will guarantee that this domain will always be + assigned to slice zero in the ID map, bypassing + the murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm + to behave more similarly to winbind's + idmap_autorid algorithm. + + + When this option is configured, domains will be + allocated starting with slice zero and increasing + monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it + depends on the order that users and groups are + requested). If this mode is required for + compatibility with machines running winbind, it + is recommended to also use the + ldap_idmap_default_domain_sid + option to guarantee that at least one domain is + consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when + performing mapping from UNIX id to SID. + + + Note: Additional secondary slices might be generated + when SID is being mapped to UNIX id and RID part of + SID is out of range for secondary slices generated so + far. If value of ldap_idmap_helper_table_size is equal + to 0 then no additional secondary slices are + generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs + with a special hardcoded meaning. Since the generic users and groups + related to those Well-Known SIDs have no equivalent in a Linux/UNIX + environment no POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as + different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when + returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control + information with the help of a name instead of using the SID + directly SSSD supports to look up the SID by the name as well. To + avoid collisions only the fully qualified names can be used to look + up Well-Known SIDs. As a result the domain names NULL + AUTHORITY, WORLD AUTHORITY, LOCAL + AUTHORITY, CREATOR AUTHORITY, NT + AUTHORITY and BUILTIN should not be used as + domain names in sssd.conf. + + + + diff --git a/src/man/include/ldap_search_bases.xml b/src/man/include/ldap_search_bases.xml new file mode 100644 index 0000000..49dd940 --- /dev/null +++ b/src/man/include/ldap_search_bases.xml @@ -0,0 +1,36 @@ + + + An optional base DN, search scope and LDAP filter + to restrict LDAP searches for this attribute type. + + + syntax: + +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The + scope functions as specified in section 4.5.1.2 of + http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search + filter as specified by + http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the + ldap_search_base examples section. + + + Default: the value of + ldap_search_base + + + Please note that specifying scope or filter is not supported for + searches against an Active Directory Server that might yield a + large number of results and trigger the Range Retrieval extension + in the response. + + diff --git a/src/man/include/local.xml b/src/man/include/local.xml new file mode 100644 index 0000000..913ed82 --- /dev/null +++ b/src/man/include/local.xml 
@@ -0,0 +1,20 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with + id_provider=local must be created and the SSSD must + be running. + + + The administrator might want to use the SSSD local users instead + of traditional UNIX users in cases where the group nesting (see + + sss_groupadd + 8 + ) is needed. The local users are also useful for + testing and development of the SSSD without having to deploy + a full remote server. The sss_user* and + sss_group* tools use a local LDB storage to + store users and groups. + + diff --git a/src/man/include/override_homedir.xml b/src/man/include/override_homedir.xml new file mode 100644 index 0000000..803cd19 --- /dev/null +++ b/src/man/include/override_homedir.xml @@ -0,0 +1,69 @@ + +override_homedir (string) + + + Override the user's home directory. You + can either provide an absolute value or a + template. In the template, the following + sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved + from the identity provider. + + + + %H + + The value of configure option + homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: + +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value + retrieved from LDAP) + + + diff --git a/src/man/include/param_help.xml b/src/man/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/include/param_help_py.xml b/src/man/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/include/seealso.xml b/src/man/include/seealso.xml new file mode 100644 index 0000000..52798e4 --- /dev/null +++ b/src/man/include/seealso.xml @@ -0,0 +1,107 @@ + + SEE ALSO + + + sssd8 + , + + sssd.conf5 + , + + sssd-ldap5 + , + + sssd-krb55 + , + + sssd-simple5 + , + + sssd-ipa5 + , + + sssd-ad5 + , + + + sssd-sudo + 5 + , + + + + sssd-secrets + 5 + , + + + sssd-session-recording + 5 + , + + sss_cache8 + , + + sss_debuglevel8 + , + + sss_groupadd8 + , + + sss_groupdel8 + , + + sss_groupshow8 + , + + sss_groupmod8 + , + + sss_useradd8 + , + + sss_userdel8 + , + + sss_usermod8 + , + + sss_obfuscate8 + , + + sss_seed8 + , + + sssd_krb5_locator_plugin8 + , + + + sss_ssh_authorizedkeys + 8 + , + + sss_ssh_knownhostsproxy + 8 + , + + + + sssd-ifp + 5 + , + + + pam_sss8 + . + + sss_rpcidmapd + 5 + + + + sssd-systemtap + 5 + + + + diff --git a/src/man/include/service_discovery.xml b/src/man/include/service_discovery.xml new file mode 100644 index 0000000..5b96ad8 --- /dev/null +++ b/src/man/include/service_discovery.xml 
@@ -0,0 +1,48 @@
+
+ SERVICE DISCOVERY
+
+ The service discovery feature allows back ends to automatically
+ find the appropriate servers to connect to using a special DNS
+ query. This feature is not supported for backup servers.
+
+
+ Configuration
+
+ If no servers are specified, the back end automatically
+ uses service discovery to try to find a server. Optionally,
+ the user may choose to use both fixed server addresses
+ and service discovery by inserting a special keyword,
+ _srv_, in the list of servers. The order
+ of preference is maintained. This feature is useful if, for
+ example, the user prefers to use service discovery whenever
+ possible, and fall back to a specific server when no servers
+ can be discovered using DNS.
+
+
+
+ The domain name
+
+ Please refer to the dns_discovery_domain
+ parameter in the
+
+ sssd.conf
+ 5
+
+ manual page for more details.
+
+
+
+ The protocol
+
+ The queries usually specify _tcp as the protocol. Exceptions
+ are documented in respective option description.
+
+
+
+ See Also
+
+ For more information on the service discovery mechanism,
+ refer to RFC 2782.
+
+
+
diff --git a/src/man/include/upstream.xml b/src/man/include/upstream.xml
new file mode 100644
index 0000000..d2d8693
--- /dev/null
+++ b/src/man/include/upstream.xml
@@ -0,0 +1,4 @@
+
+ SSSD
+ The SSSD upstream - https://pagure.io/SSSD/sssd/
+
diff --git a/src/man/ja/include/ad_modified_defaults.xml b/src/man/ja/include/ad_modified_defaults.xml
new file mode 100644
index 0000000..7c6def2
--- /dev/null
+++ b/src/man/ja/include/ad_modified_defaults.xml
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/ja/include/autofs_restart.xml b/src/man/ja/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/ja/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/ja/include/debug_levels.xml b/src/man/ja/include/debug_levels.xml new file mode 100644 index 0000000..27408d3 --- /dev/null +++ b/src/man/ja/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + 現在サポートされるデバッグレベル: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + 例: 致命的なエラー、重大なエラー、深刻なエラーおよび関数データをログに取得するには 0x0270 +を使用します。 + + + 例: 致命的なエラー、設定値の設定、関数データ、内部制御関数のトレースメッセージをログに取得するには +0x1310 を使用します。 + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/ja/include/debug_levels_tools.xml b/src/man/ja/include/debug_levels_tools.xml new file mode 100644 index 0000000..0c633f2 --- /dev/null +++ b/src/man/ja/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + 現在サポートされるデバッグレベル: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + 例: 致命的なエラー、重大なエラー、深刻なエラーおよび関数データをログに取得するには 0x0270 +を使用します。 + + + 例: 致命的なエラー、設定値の設定、関数データ、内部制御関数のトレースメッセージをログに取得するには +0x1310 を使用します。 + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/ja/include/experimental.xml b/src/man/ja/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/ja/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. diff --git a/src/man/ja/include/failover.xml b/src/man/ja/include/failover.xml new file mode 100644 index 0000000..ca66e81 
--- /dev/null
+++ b/src/man/ja/include/failover.xml
@@ -0,0 +1,95 @@ + + フェイルオーバー + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + フェイルオーバーの構文 + + サーバーの一覧がカンマ区切り一覧として与えられます。カンマの前後で空白はいくつでも許されます。サーバーは性能の順番で一覧化されます。一覧はサーバーをいくつでも含められます。 + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + フェイルオーバーのメカニズム + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. + + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. 
The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/ja/include/homedir_substring.xml b/src/man/ja/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/ja/include/homedir_substring.xml @@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/ja/include/ipa_modified_defaults.xml b/src/man/ja/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null 
+++ b/src/man/ja/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + diff --git a/src/man/ja/include/ldap_id_mapping.xml b/src/man/ja/include/ldap_id_mapping.xml new file mode 100644 index 0000000..a220091 --- /dev/null +++ b/src/man/ja/include/ldap_id_mapping.xml 
@@ -0,0 +1,273 @@ + + ID マッピング + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + マッピング・アルゴリズム + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + 設定 + + 最小の設定 ([domain/DOMAINNAME] セクションにおいて): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + 高度な設定 + + + ldap_idmap_range_min (整数) + + + Active Directory ユーザーとグループの SID をマッピングするために使用する POSIX ID の範囲の下限を指定します。 + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + 初期値: 200000 + + + + + ldap_idmap_range_max (整数) + + + Active Directory ユーザーとグループ SID をマッピングするために使用する POSIX ID の範囲の上限を指定します。 + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + 初期値: 2000200000 + + + + + ldap_idmap_range_size (整数) + + + 各スライスに利用可能な ID +番号を指定します。範囲の大きさが最小値、最大値の中にうまく分けられなければ、できる限り多くの完全なスライスとして作成されます。 + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + 初期値: 200000 + + + + + ldap_idmap_default_domain_sid (文字列) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. 
+ + + 初期値: 設定されません + + + + + ldap_idmap_default_domain (文字列) + + + 初期ドメインの名前を指定します。 + + + 初期値: 設定されません + + + + + ldap_idmap_autorid_compat (論理値) + + + winbind の idmap_autorid アルゴリズムとより同じように振る舞うために ID +マッピングのアルゴリズムの振る舞いを変更します。 + + + このオプションが設定されるとき、ドメインはスライス 0 から始まり、各追加ドメインに単原子的に増加するよう割り当てられます。 + + + 注記: このアルゴリズムは非決定的です (ユーザーとグループが要求された順番に依存します)。このモードはマシンが実行中の winbind +と互換性が必要ならば、少なくとも一つのドメインが一貫してスライス 0 +に割り当てられることを保証するために、ldap_idmap_default_domain_sid +オプションも使用することが推奨されます。 + + + 初期値: 偽 + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + 初期値: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. + + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. 
As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/ja/include/ldap_search_bases.xml b/src/man/ja/include/ldap_search_bases.xml new file mode 100644 index 0000000..9b3118b --- /dev/null +++ b/src/man/ja/include/ldap_search_bases.xml @@ -0,0 +1,30 @@ + + + オプションのベース DN。この属性の種別に対する LDAP 検索を制限する、検索範囲および LDAP フィルター。 + + + 構文: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + フィルターは http://www.ietf.org/rfc/rfc2254.txt により指定されたような有効な LDAP +検索フィルターである必要があります。 + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + 初期値: ldap_search_base の値 + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/ja/include/local.xml b/src/man/ja/include/local.xml new file mode 100644 index 0000000..d293c3b --- /dev/null +++ b/src/man/ja/include/local.xml @@ -0,0 +1,17 @@ + + ローカルドメイン + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/ja/include/override_homedir.xml b/src/man/ja/include/override_homedir.xml new file mode 100644 index 0000000..d01bab5 --- /dev/null 
+++ b/src/man/ja/include/override_homedir.xml @@ -0,0 +1,62 @@ + +override_homedir (文字列) + + + ユーザーのホームディレクトリーを上書きします。絶対パスまたはテンプレートを提供できます。テンプレートでは、以下のシーケンスが置換されます: + + + %u + ログイン名 + + + %U + UID 番号 + + + %d + ドメイン名 + + + %f + 完全修飾ユーザー名 (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + 文字 '%' + + + + + + このオプションはドメインごとに設定できます。 + + + 例: +override_homedir = /home/%u + + + + 初期値: 設定なし (SSSD は LDAP から取得された値を使用します) + + + diff --git a/src/man/ja/include/param_help.xml b/src/man/ja/include/param_help.xml new file mode 100644 index 0000000..49af3ff --- /dev/null +++ b/src/man/ja/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + ヘルプメッセージを表示して終了します。 + + + diff --git a/src/man/ja/include/param_help_py.xml b/src/man/ja/include/param_help_py.xml new file mode 100644 index 0000000..c239492 --- /dev/null +++ b/src/man/ja/include/param_help_py.xml @@ -0,0 +1,10 @@ + + + , + + + + ヘルプメッセージを表示して終了します。 + + + diff --git a/src/man/ja/include/seealso.xml b/src/man/ja/include/seealso.xml new file mode 100644 index 0000000..9f8e840 --- /dev/null +++ b/src/man/ja/include/seealso.xml @@ -0,0 +1,61 @@ + + 関連項目 + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/ja/include/service_discovery.xml b/src/man/ja/include/service_discovery.xml new file mode 100644 index 0000000..1e0efb9 --- /dev/null 
+++ b/src/man/ja/include/service_discovery.xml @@ -0,0 +1,37 @@ + + サービス探索 + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + 設定 + + 何もサーバーが指定されていなければ、バックエンドがサーバーを見つけようとするために、サービス探索を自動的に使用します。オプションとして、サーバーの一覧に特別なキーワード +_srv_ +を挿入することにより、ユーザーが固定サーバーアドレスおよびサービス探索のどちらも使用することを選択できます。これは設定の順番が維持されます。たとえば、ユーザーができる限りサービス探索を使用し、DNS +を使用してサーバーを探索できないときに特定のサーバーにフォールバックしたい場合、この機能は有用です。 + + + + ドメイン名 + + 詳細は sssd.conf +5 マニュアルページにある +dns_discovery_domain パラメーターを参照してください。 + + + + プロトコル + + 問い合わせは通常プロトコルとして _tcp を指定します。その他はそれぞれのオプションの説明にドキュメント化されています。 + + + + 関連項目 + + サービス検索メカニズムに関する詳細は RFC 2782 を参照してください。 + + + diff --git a/src/man/ja/include/upstream.xml b/src/man/ja/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/ja/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/ja/sss_groupadd.8.xml b/src/man/ja/sss_groupadd.8.xml new file mode 100644 index 0000000..ba85afa --- /dev/null +++ b/src/man/ja/sss_groupadd.8.xml @@ -0,0 +1,56 @@ + + + +SSSD マニュアル ページ + + + + + sss_groupadd + 8 + + + + sss_groupadd + 新しいグループを作成する + + + + +sss_groupadd +options GROUP + + + + 概要 + + sss_groupadd が新しいグループを作成します。これらのグループは POSIX +グループと互換性があり、他のグループをメンバーとして含められる追加機能と互換性があります。 + + + + + オプション + + + + , GID + + + + グループの GID を GID の値に設定します。与えられないと、自動的に選択されます。 + + + + + + + + + + + + + diff --git a/src/man/ja/sss_groupdel.8.xml b/src/man/ja/sss_groupdel.8.xml new file mode 100644 index 0000000..353667d --- /dev/null +++ b/src/man/ja/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +SSSD マニュアル ページ + + + + + sss_groupdel + 8 + + + + sss_groupdel + グループを削除する + + + + +sss_groupdel +options GROUP + + + + 概要 + + sss_groupdel は名前 GROUP +により識別されるグループをシステムから削除します。 + + + + + オプション + + + + + + + + + + + 
diff --git a/src/man/ja/sss_groupmod.8.xml b/src/man/ja/sss_groupmod.8.xml new file mode 100644 index 0000000..bdb068c --- /dev/null +++ b/src/man/ja/sss_groupmod.8.xml @@ -0,0 +1,68 @@ + + + +SSSD マニュアル ページ + + + + + sss_groupmod + 8 + + + + sss_groupmod + グループを変更します。 + + + + +sss_groupmod +options GROUP + + + + 概要 + + sss_groupmod はコマンドラインにおいて指定された変更を反映するようグループを変更します。 + + + + + オプション + + + + , +GROUPS + + + + このグループを GROUPS パラメーターにより指定されたグループに追加します。 +GROUPS パラメーターはグループ名のカンマ区切り一覧です。 + + + + + + , +GROUPS + + + + このグループを GROUPS パラメーターにより指定されたグループから削除します。 + + + + + + + + + + + + + diff --git a/src/man/ja/sss_groupshow.8.xml b/src/man/ja/sss_groupshow.8.xml new file mode 100644 index 0000000..a9c1125 --- /dev/null +++ b/src/man/ja/sss_groupshow.8.xml @@ -0,0 +1,57 @@ + + + +SSSD マニュアル ページ + + + + + sss_groupshow + 8 + + + + sss_groupshow + グループのプロパティーを表示します + + + + +sss_groupshow +options GROUP + + + + 概要 + + sss_groupshow はその名前 GROUP +により識別されるグループに関する情報を表示します。情報はグループ ID 番号、グループのメンバーおよび親グループを含みます。 + + + + + オプション + + + + , + + + + ツリー階層形式で間接的なグループメンバーも表示します。これは親グループの表示にも影響を与えることに注意してください - + を指定しないと、直接の親のみが表示されます。 + + + + + + + + + + + + + diff --git a/src/man/ja/sss_obfuscate.8.xml b/src/man/ja/sss_obfuscate.8.xml new file mode 100644 index 0000000..9bf071f --- /dev/null +++ b/src/man/ja/sss_obfuscate.8.xml 
@@ -0,0 +1,91 @@ + + + +SSSD マニュアル ページ + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + 平文パスワードをわかりにくくする + + + + +sss_obfuscate +options [PASSWORD] + + + + 概要 + + sss_obfuscate は、与えられたパスワードを人間が読みにくい形式に変換して、SSSD +設定ファイルの適切なドメインセクションに置きます。 + + + 平文のパスワードは、標準入力から読み込まれます、または対話的に入力されます。解読しにくくされたパスワードが指定された SSSD ドメインの +ldap_default_authtok パラメータに置かれます。また +ldap_default_authtok_type パラメーターが +obfuscated_password に設定されます。これらのパラメーターの詳細は +sssd-ldap 5 + を参照してください。 + + + パスワードをわかりにくくすることは、攻撃者がパスワードをリバースエンジニアリングできるので +実際にセキュリティの便益 は提供されません。クライアントサイド証明書や GSSAPI +のようなより良い認証機構を使用することを 強く 推奨します。 + + + + + オプション + + + + + , + + + + 解読しにくくするパスワードが標準入力から読み込まれます。 + + + + + + , +DOMAIN + + + + パスワードに使用する SSSD ドメインです。名前の初期値は default です。 + + + + + + , FILE + + + + 位置パラメーターにより指定された設定ファイルを読み込みます。 + + + 初期値: /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/ja/sss_ssh_knownhostsproxy.1.xml b/src/man/ja/sss_ssh_knownhostsproxy.1.xml new file mode 100644 index 0000000..802d47d --- /dev/null +++ b/src/man/ja/sss_ssh_knownhostsproxy.1.xml 
@@ -0,0 +1,103 @@ + + + +SSSD マニュアル ページ + + + + + sss_ssh_knownhostsproxy + 1 + + + + sss_ssh_knownhostsproxy + OpenSSH ホストキーを取得します + + + + +sss_ssh_knownhostsproxy +options HOST PROXY_COMMAND + + + + 概要 + + sss_ssh_knownhostsproxy acquires SSH host public keys for +host HOST, stores them in a custom OpenSSH +known_hosts file (see the SSH_KNOWN_HOSTS FILE FORMAT section +of sshd +8 for more information) +/var/lib/sss/pubconf/known_hosts and establishes the +connection to the host. + + + PROXY_COMMAND +が指定されていると、ソケットを開く代わりにホストへの接続を作成するために使用されます。 + + + ssh +1 は +ssh +1 設定に対して以下のディレクティブを使用することにより、ホストキー認証に +sss_ssh_knownhostsproxy を使用するために設定できます: +ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + + + + + + オプション + + + + , PORT + + + + ホストに接続するためにポート PORT を使用します。初期値ではポート 22 が使用されます。 + + + + + + , +DOMAIN + + + + SSSD ドメイン DOMAIN においてホスト公開鍵を検索します。 + + + + + + , + + + + Print the host ssh public keys for host HOST. + + + + + + + + + 終了コード + + In case of success, an exit value of 0 is returned. Otherwise, 1 is +returned. + + + + + + + diff --git a/src/man/ja/sss_useradd.8.xml b/src/man/ja/sss_useradd.8.xml new file mode 100644 index 0000000..d491ed6 --- /dev/null +++ b/src/man/ja/sss_useradd.8.xml 
@@ -0,0 +1,155 @@ + + + +SSSD マニュアル ページ + + + + + sss_useradd + 8 + + + + sss_useradd + 新しいユーザーを作成する + + + + +sss_useradd +options LOGIN + + + + 概要 + + sss_useradd +は、コマンドラインにおいて指定された値とシステムの初期値を使用して、新しいユーザーを作成します。 + + + + + オプション + + + + , UID + + + + ユーザーの UID を UID の値を設定します。与えられないと、自動的に選択されます。 + + + + + + , +COMMENT + + + + ユーザーを説明している任意のテキスト文字列です。しばしばユーザーの完全名の項目として使用されます。 + + + + + + , +HOME_DIR + + + + ユーザーアカウントのホームディレクトリーです。初期値は /home に +LOGIN の名前を追加して、ホームディレクトリーとして使用します。 +LOGIN の前につけるベースは sssd.conf において +user_defaults/baseDirectory 設定で変更できます。 + + + + + + , +SHELL + + + + ユーザーのログインシェルです。初期値は現在 /bin/bash です。初期値は sssd.conf において +user_defaults/defaultShell で変更できます。 + + + + + + , +GROUPS + + + + このユーザーがメンバーである既存のユーザーの一覧です。 + + + + + + , + + + + ユーザーのホームディレクトリーが存在しなければ、それを作成します。(-k +オプションまたは設定ファイルで定義できる)スケルトンディレクトリーにあるファイルとディレクトリーがホームディレクトリーにコピーされます。 + + + + + + , + + + + ユーザーのホームディレクトリーを作成しません。設定を上書きします。 + + + + + + , +SKELDIR + + + + スケルトンディレクトリーです。ホームディレクトリーが sss_useradd +により作成されるとき、ユーザーのホームディレクトリーにコピーされるファイルとディレクトリーを含みます。 + + + 特殊ファイル (ブロックデバイス、キャラクターデバイス、名前付きパイプおよび UNIX ソケット) はコピーされません。 + + + (または ) +オプションが指定されたとき、またはホームディレクトリーの作成が設定において TRUE に設定されている場合のみ、このオプションが有効です。 + + + + + + , +SELINUX_USER + + + + ユーザーがログインする際の SELinux ユーザーです。未指定の場合、システムの初期値を使います。 + + + + + + + + + + + + + diff --git a/src/man/ja/sss_userdel.8.xml b/src/man/ja/sss_userdel.8.xml new file mode 100644 index 0000000..0dc4d90 --- /dev/null +++ b/src/man/ja/sss_userdel.8.xml 
@@ -0,0 +1,87 @@ + + + +SSSD マニュアル ページ + + + + + sss_userdel + 8 + + + + sss_userdel + ユーザーアカウントを削除する + + + + +sss_userdel +options LOGIN + + + + 概要 + + sss_userdel はログイン名 LOGIN +により識別されるユーザーをシステムから削除します。 + + + + + オプション + + + + + , + + + + ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクトリーとユーザーのメールスプールとともに削除されます。設定が上書きされます。 + + + + + + , + + + + ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクトリーとユーザーのメールスプールとともに削除されません。設定が上書きされます。 + + + + + + , + + + + このオプションは、指定されたユーザーにより所有されていないものさえ、sss_userdel +がユーザーのホームディレクトリーとメールスプールを削除するよう強制します。 + + + + + + , + + + + 実際にユーザーを削除する前に、そのプロセスをすべて停止します。 + + + + + + + + + + + + diff --git a/src/man/ja/sss_usermod.8.xml b/src/man/ja/sss_usermod.8.xml new file mode 100644 index 0000000..e105c78 --- /dev/null +++ b/src/man/ja/sss_usermod.8.xml @@ -0,0 +1,164 @@ + + + +SSSD マニュアル ページ + + + + + sss_usermod + 8 + + + + sss_usermod + ユーザーアカウントを修正します + + + + +sss_usermod +options LOGIN + + + + 概要 + + sss_usermod は、コマンドラインにおいて指定された変更を反映するために、 +LOGIN により指定されたアカウントを変更します。 + + + + + オプション + + + + , +COMMENT + + + + ユーザーを説明している任意のテキスト文字列です。しばしばユーザーの完全名の項目として使用されます。 + + + + + + , +HOME_DIR + + + + ユーザーアカウントのホームディレクトリーです。 + + + + + + , +SHELL + + + + ユーザーのログインシェルです。 + + + + + + , +GROUPS + + + + このユーザーを GROUPS パラメーターにより指定されたグループに追加します。 +GROUPS パラメーターはグループ名のカンマ区切り一覧です。 + + + + + + , +GROUPS + + + + GROUPS + + + + + + , + + + + ユーザーアカウントをロックします。ユーザーはログインできなくなります。 + + + + + + , + + + + ユーザーアカウントのロックを解除します。 + + + + + + , +SELINUX_USER + + + + ユーザーのログインのための SELinux ユーザーです。 + + + + + + ATTR_NAME_VAL + + + + Add an attribute/value pair. The format is attrname=value. + + + + + + ATTR_NAME_VAL + + + + Set an attribute to a name/value pair. The format is attrname=value. For +multi-valued attributes, the command replaces the values already present + + + + + + ATTR_NAME_VAL + + + + Delete an attribute/value pair. The format is attrname=value. + + + + + + + + + + + + + 
diff --git a/src/man/ja/sssd-krb5.5.xml b/src/man/ja/sssd-krb5.5.xml
new file mode 100644
index 0000000..42e9337
--- /dev/null
+++ b/src/man/ja/sssd-krb5.5.xml
@@ -0,0 +1,505 @@ + + + +SSSD マニュアル ページ + + + + + sssd-krb5 + 5 + ファイル形式および変換 + + + + sssd-krb5 + SSSD Kerberos provider + + + + 概要 + + このマニュアルは sssd +8 に対する Kerberos 5 +認証バックエンドの設定を説明しています。詳細な構文の参考資料は、 +sssd.conf 5 + マニュアルページの ファイル形式 セクションを参照してください。 + + + Kerberos 5 +認証バックエンドは認証プロバイダーおよびパスワード変更プロバイダーを含みます。正しく機能するためには識別プロダイバーと組み合わせて使用する必要があります +(たとえば、id_provider = ldap)。Kerberos 5 認証バックエンドにより必要とされるいくつかの情報は、ユーザーの +Kerberos プリンシパル名 (UPN) のような、識別プロバイダーにより提供される必要があります。識別プロバイダーの設定は UPN +を指定するためのエントリーがある必要があります。これを設定する方法に関する詳細は適用可能な識別プロバイダーのマニュアルページを参照してください。 + + + このバックエンドは、ユーザーのホームディレクトリーにある .k5login ファイルに基づいたアクセス制御を提供します。詳細は + +.k5login5 + を参照してください。空の .k5login +ファイルがあると、このユーザーに対するすべてのアクセスが拒否されます。この機能を有効にするには、SSSD 設定において 'access_provider += krb5' を使用します。 + + + UPN が識別バックエンド sssd において利用できない場合は、形式 +username@krb5_realm +を使用して UPN を構築します。 + + + + + + 設定オプション + + 認証モジュール krb5 が SSSD ドメインにおいて使用されていると、以下のオプションを使用する必要があります。 SSSD +ドメインの設定における詳細は sssd.conf +5 マニュアルページの ドメインセクション +を参照してください。 + + krb5_server, krb5_backup_server (文字列) + + + SSSD が接続したい AD サーバー(優先順)の IP +アドレスまたはホスト名のカンマ区切り一覧を指定します。フェールオーバーおよびサーバー冗長化に関する詳細は FAILOVER +セクションを参照してください。ポート番号(コロンの後ろ)をオプションとして、アドレスやホスト名の後ろに付けることもできます。これが無ければ、サービス探索が有効になっています。詳細は +サービス探索 のセクションを参照してください。 + + + KDC または kpasswd サーバーに対してサービス検索を使用するとき、SSSD はまずプロトコルとして _udp を指定する DNS +エントリーを検索して、何も見つからなければ _tcp にフォールバックします。 + + + このオプションは以前の SSSD において krb5_kdcip +という名前でした。古い名前がしばらく認められる間、ユーザーは代わりに krb5_server +を使用するよう設定ファイルを移行することが推奨されます。 + + + + + + krb5_realm (文字列) + + + Kerberos レルムの名前です。このオプションは指定する必要があります。 + + + + + + krb5_kpasswd, krb5_backup_kpasswd (文字列) + + + パスワード変更サービスが KDC +において実行されていなければ、代替サーバーがここで指定できます。オプションのポート番号が(コロンに続けて)アドレスまたはホスト名に追加できます。 + + + フェイルオーバーとサーバー冗長性に関する詳細は、フェイルオーバーのセクションを参照してください。注:KDC +に対する認証がまだ可能であるならば、たとえすべての kpasswd +サーバーがなかったとしても、バックエンドをオフラインに切り替えないことに注意してください。 + + + 初期値: KDC を使用します + + + + + + krb5_ccachedir (文字列) + + + Directory to store credential caches. 
All the substitution sequences of +krb5_ccname_template can be used here, too, except %d and %P. The directory +is created as private and owned by the user, with permissions set to 0700. + + + 初期値: /tmp + + + + + + krb5_ccname_template (文字列) + + + Location of the user's credential cache. Three credential cache types are +currently supported: FILE, DIR and +KEYRING:persistent. The cache can be specified either as +TYPE:RESIDUAL, or as an absolute path, which +implies the FILE type. In the template, the following +sequences are substituted: + + %u + ログイン名 + + + %U + ログイン UID + + + %p + プリンシパル名 + + + + %r + レルム名 + + + %h + ホームディレクトリー + + + + %d + value of krb5_ccachedir + + + + + %P + SSSD クライアントのプロセス ID + + + + %% + 文字 '%' + + + If the +template ends with 'XXXXXX' mkstemp(3) is used to create a unique filename +in a safe way. + + + When using KEYRING types, the only supported mechanism is +KEYRING:persistent:%U, which uses the Linux kernel keyring to +store credentials on a per-UID basis. This is also the recommended choice, +as it is the most secure and predictable method. + + + The default value for the credential cache name is sourced from the profile +stored in the system wide krb5.conf configuration file in the [libdefaults] +section. The option name is default_ccache_name. See krb5.conf(5)'s +PARAMETER EXPANSION paragraph for additional information on the expansion +format defined by krb5.conf. + + + NOTE: Please be aware that libkrb5 ccache expansion template from + krb5.conf +5 uses different expansion sequences +than SSSD. + + + Default: (from libkrb5) + + + + + + krb5_auth_timeout (整数) + + + オンライン認証またはパスワード変更要求が中止された後の秒単位のタイムアウトです。可能ならば、認証要求がオフラインで継続されます。 + + + 初期値: 6 + + + + + + krb5_validate (論理値) + + + Verify with the help of krb5_keytab that the TGT obtained has not been +spoofed. The keytab is checked for entries sequentially, and the first entry +with a matching realm is used for validation. 
If no entry matches the realm, +the last entry in the keytab is used. This process can be used to validate +environments using cross-realm trust by placing the appropriate keytab entry +as the last entry or the only entry in the keytab file. + + + 初期値: false + + + + + + krb5_keytab (文字列) + + + KDC から取得したクレディンシャルを検証するときに使用されるキーテーブルの場所です。 + + + 初期値: /etc/krb5.keytab + + + + + + krb5_store_password_if_offline (論理値) + + + Store the password of the user if the provider is offline and use it to +request a TGT when the provider comes online again. + + + NOTE: this feature is only available on Linux. Passwords stored in this way +are kept in plaintext in the kernel keyring and are potentially accessible +by the root user (with difficulty). + + + 初期値: false + + + + + + krb5_renewable_lifetime (文字列) + + + Request a renewable ticket with a total lifetime, given as an integer +immediately followed by a time unit: + + + 秒は s + + + 分は m + + + 時間は h + + + 日は d + + + 単位が指定されていないと、s と仮定されます。 + + + 注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に指定したい場合、'1h30m' の代わりに '90m' を使用します。 + + + 初期値: 設定されません、つまり TGT は更新可能ではありません + + + + + + krb5_lifetime (文字列) + + + Request ticket with a lifetime, given as an integer immediately followed by +a time unit: + + + 秒は s + + + 分は m + + + 時間は h + + + 日は d + + + 単位が指定されていないと、s と仮定されます。 + + + 注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に指定したい場合、'1h30m' の代わりに '90m' +を使用してください。 + + + 初期値: 設定されません、つまり KDC において設定されているチケット有効期間の初期値です。 + + + + + + krb5_renew_interval (文字列) + + + The time in seconds between two checks if the TGT should be renewed. 
TGTs +are renewed if about half of their lifetime is exceeded, given as an integer +immediately followed by a time unit: + + + 秒は s + + + 分は m + + + 時間は h + + + 日は d + + + 単位が指定されていないと、s と仮定されます。 + + + 注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に指定したい場合、'1h30m' の代わりに '90m' を使用します。 + + + このオプションが設定されていない場合、または 0 に設定されている場合、自動更新は無効になります。 + + + 初期値: 設定されません + + + + + + krb5_use_fast (文字列) + + + Kerberos の事前認証のために flexible authentication secure tunneling (FAST) +を有効化します。以下のオプションがサポートされます: + + + never は FAST を使用します。このオプションを何も設定しないことと同等です。 + + + try は FAST を使用します。サーバーが FAST をサポートしていなければ、FAST +を使用せずに認証を続行します。 + + + demand は FAST を使用します。サーバーが FAST を要求しなければ、認証が失敗します。 + + + 初期値: 設定されません、つまり FAST が使用されません。 + + + 注: キーテーブルは FAST を使用する必要があります。 + + + 注: SSSD は MIT Kerberos バージョン 1.8 およびそれ以降のみで FAST をサポートします。SSSD が古いバージョンの MIT +Kerberos を使用している場合、このオプションを使用すると設定エラーになります。 + + + + + + krb5_fast_principal (文字列) + + + FAST に対して使用するサーバープリンシパルを指定します。 + + + + + + krb5_canonicalize (論理値) + + + ホストとユーザーのプリンシパルが正規化されるかどうかを指定します。この機能は MIT Kerberos 1.7 およびそれ以降で利用可能です。 + + + + 初期値: false + + + + + + krb5_use_kdcinfo (論理値) + + + Specifies if the SSSD should instruct the Kerberos libraries what realm and +which KDCs to use. This option is on by default, if you disable it, you need +to configure the Kerberos library using the +krb5.conf 5 + configuration file. + + + 位置情報プラグインの詳細は +sssd_krb5_locator_plugin +8 マニュアルページを参照ください。 + + + 初期値: true + + + + + + krb5_use_enterprise_principal (論理値) + + + ユーザープリンシパルをエンタープライズプリンシパルとして取り扱うかどうかを指定します。エンタープライズプリンシパルの詳細は RFC 6806 +のセクション 5 を参照してください。 + + + + Default: false (AD provider: true) + + + The IPA provider will set to option to 'true' if it detects that the server +is capable of handling enterprise principals and the option is not set +explicitly in the config file. 
+ + + + + + krb5_map_user (string) + + + The list of mappings is given as a comma-separated list of pairs +username:primary where username is a UNIX user +name and primary is a user part of a kerberos principal. This +mapping is used when user is authenticating using auth_provider = +krb5. + + + + 例: +krb5_realm = REALM +krb5_map_user = joe:juser,dick:richard + + + + joe and dick are UNIX user names and +juser and richard are primaries of kerberos +principals. For user joe resp. dick SSSD will +try to kinit as juser@REALM resp. +richard@REALM. + + + + 初期値: 設定されません + + + + + + + + + + + + + + 例 + + 以下の例は、SSSD が正しく設定され、FOO が [sssd] セクションにあるドメインの 1 +つであると仮定しています。この例は Kerberos 認証の設定のみを示し、識別プロバイダーを何も含みません。 + + + +[domain/FOO] +auth_provider = krb5 +krb5_server = 192.168.1.1 +krb5_realm = EXAMPLE.COM + + + + + + + + diff --git a/src/man/ja/sssd-simple.5.xml b/src/man/ja/sssd-simple.5.xml new file mode 100644 index 0000000..abb4fea --- /dev/null +++ b/src/man/ja/sssd-simple.5.xml 
@@ -0,0 +1,135 @@ + + + +SSSD マニュアル ページ + + + + + sssd-simple + 5 + ファイル形式および変換 + + + + sssd-simple + SSSD の 'simple' アクセス制御プロバイダーの設定ファイルです。 + + + + 概要 + + このマニュアルは sssd +8 に対して簡単なアクセス制御の設定を説明しています。詳細は + sssd.conf +5 マニュアルページの ファイル形式 +セクションを参照してください。 + + + シンプルアクセスプロバイダーは、ユーザー名またはグループ名のアクセスまたは拒否の一覧に基づいてアクセスを許可または拒否します。以下の例を適用します: + + + すべての一覧が空白ならば、アクセスが認められます + + + + 何らかの一覧が提供されていると、許可(allow)、拒否(deny)の順に評価されます。拒否ルールに一致するすべてのものは、許可ルールに一致するすべてのものを更新することを意味します。 + + + + + "allow" 一覧が提供されていると、すべてのユーザーはこの一覧に表れなければ拒否されます。 + + + + + "deny" 一覧のみが提供されていると、ユーザーがこの一覧に表れない限り、すべてのユーザーがアクセスを許可されます。 + + + + + + + + 設定オプション + SSSD ドメインの設定に関する詳細は sssd.conf +5 マニュアルページの ドメインセクション +のセクションを参照してください。 + + simple_allow_users (文字列) + + + ログインが許可されたユーザーのカンマ区切り一覧です。 + + + + + + simple_deny_users (文字列) + + + アクセスが明示的に拒否されたユーザーのカンマ区切り一覧です。 + + + + + simple_allow_groups (文字列) + + + ログインが許可されたグループのカンマ区切り一覧です。この SSSD ドメインの中のグループのみに適用されます。ローカルグループは評価されません。 + + + + + + simple_deny_groups (文字列) + + + アクセスが明示的に拒否されたグループのカンマ区切り一覧です。この SSSD ドメインの中のグループのみに適用されます。ローカルグループは評価されません。 + + + + + + + Specifying no values for any of the lists is equivalent to skipping it +entirely. Beware of this while generating parameters for the simple provider +using automated scripts. + + + simple_allow_users と simple_deny_users がどちらも定義されると、設定エラーになることに注意してください。 + + + + + 例 + + 以下の例は、SSSD が正しく設定され、example.com が [sssd] +セクションにあるドメインの 1 つであると仮定します。この例はアクセスプロバイダー固有の簡単なオプションのみを示します。 + + + +[domain/example.com] +access_provider = simple +simple_allow_users = user1, user2 + + + + + + 注記 + + The complete group membership hierarchy is resolved before the access check, +thus even nested groups can be included in the access lists. Please be +aware that the ldap_group_nesting_level option may impact the +results and should be set to a sufficient value. ( +sssd-ldap5 +) option. + + + + + + + diff --git a/src/man/ja/sssd.8.xml b/src/man/ja/sssd.8.xml new file mode 100644 index 0000000..34410dc --- /dev/null +++ b/src/man/ja/sssd.8.xml 
@@ -0,0 +1,221 @@ + + + +SSSD マニュアル ページ + + + + + sssd + 8 + + + + sssd + System Security Services Daemon + + + + +sssd +options + + + + 概要 + + SSSD +はリモートディレクトリーへのアクセスと認証メカニズムを管理するための一組のデーモンを提供します。システムへの NSS と PAM +インターフェースを提供します。また、D-Bus +インターフェースのように複数の異なるアカウントソースに接続するための取り外し可能なバックエンドシステムを提供します。クライアント監査、およびFreeIPA +のようなプロジェクトに対するポリシーサービスを提供する基礎となります。ローカルユーザーだけでなく拡張ユーザーデータを保存するためのより強靭なデータベースを提供します。 + + + + + オプション + + + + , +LEVEL + + + + + + mode + + + + 1: デバッグメッセージに日時を追加します + + + 0: デバッグメッセージで日時を無効にします + + + 初期値: 1 + + + + + + mode + + + + 1: デバッグメッセージにミリ秒をタイムスタンプに追加します + + + 0: 日時でマイクロ秒を無効にします + + + 初期値: 0 + + + + + + , + + + + デバッグ出力を標準エラーの代わりにファイルに送信します。初期状態で、ログファイルは /var/log/sssd +に保存され、すべての SSSD サービスとドメインに対して別々のログファイルがあります。 + + + This option is deprecated. It is replaced by +. + + + + + + value + + + + Location where SSSD will send log messages. This option overrides the value +of the deprecated option . The deprecated +option will still work if the is not used. + + + stderr: Redirect debug messages to standard error +output. + + + files: Redirect debug messages to the log files. By +default, the log files are stored in /var/log/sssd and +there are separate log files for every SSSD service and domain. + + + journald: Redirect debug messages to systemd-journald + + + 初期値: 設定されません + + + + + + , + + + + 起動後にデーモンになります。 + + + + + + , + + + + フォアグラウンドで実行して、デーモンになりません。 + + + + + + , + + + + 非標準の設定ファイルを指定します。初期値は /etc/sssd/sssd.conf +です。設定ファイルの構文とオプションは sssd.conf +5 マニュアルページを参照してください。 + + + + + + + + + + + バージョン番号を表示して終了します。 + + + + + + + + シグナル + + + SIGTERM/SIGINT + + + SSSD にすべての子プロセスを穏やかに停止するよう通知して、モニターをシャットダウンします。 + + + + + SIGHUP + + + SSSD が現在のデバッグファイルディスクリプターに書き込むことを止めて、それらを閉じてから開きなおすよう指示します。これは logrotate +のようなプログラムを用いてログローテーションを促進することを意味します。 + + + + + SIGUSR1 + + + Tells the SSSD to simulate offline operation for the duration of the +offline_timeout parameter. This is useful for testing. 
The +signal can be sent to either the sssd process or any sssd_be process +directly. + + + + + SIGUSR2 + + + Tells the SSSD to go online immediately. This is useful for testing. The +signal can be sent to either the sssd process or any sssd_be process +directly. + + + + + + + + 注記 + + If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO", client +applications will not use the fast in memory cache. + + + + + + + diff --git a/src/man/lv/include/ad_modified_defaults.xml b/src/man/lv/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/lv/include/ad_modified_defaults.xml @@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/lv/include/autofs_restart.xml b/src/man/lv/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/lv/include/autofs_restart.xml 
@@ -0,0 +1,5 @@
+
+ Please note that the automounter only reads the master map on startup, so if
+any autofs-related changes are made to the sssd.conf, you typically also
+need to restart the automounter daemon after restarting the SSSD.
+
diff --git a/src/man/lv/include/debug_levels.xml b/src/man/lv/include/debug_levels.xml
new file mode 100644
index 0000000..5148252
--- /dev/null
+++ b/src/man/lv/include/debug_levels.xml
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/lv/include/debug_levels_tools.xml b/src/man/lv/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/lv/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/lv/include/experimental.xml b/src/man/lv/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/lv/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/lv/include/failover.xml b/src/man/lv/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/lv/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/lv/include/homedir_substring.xml b/src/man/lv/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/lv/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/lv/include/ipa_modified_defaults.xml b/src/man/lv/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/lv/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/lv/include/ldap_id_mapping.xml b/src/man/lv/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..279fa93
--- /dev/null
+++ b/src/man/lv/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Noklusējuma: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/lv/include/ldap_search_bases.xml b/src/man/lv/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/lv/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/lv/include/local.xml b/src/man/lv/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/lv/include/local.xml 
@@ -0,0 +1,17 @@
+
+ THE LOCAL DOMAIN
+
+ In order to function correctly, a domain with
+id_provider=local must be created and the SSSD must be
+running.
+
+
+ The administrator might want to use the SSSD local users instead of
+traditional UNIX users in cases where the group nesting (see
+sss_groupadd 8
+) is needed. The local users are also useful for testing and
+development of the SSSD without having to deploy a full remote server. The
+sss_user* and sss_group* tools use a
+local LDB storage to store users and groups.
+
+
diff --git a/src/man/lv/include/override_homedir.xml b/src/man/lv/include/override_homedir.xml
new file mode 100644
index 0000000..94caee1
--- /dev/null
+++ b/src/man/lv/include/override_homedir.xml
@@ -0,0 +1,63 @@
+
+override_homedir (string)
+
+
+ Override the user's home directory. You can either provide an absolute value
+or a template. In the template, the following sequences are substituted:
+
+
+ %u
+ login name
+
+
+ %U
+ UID number
+
+
+ %d
+ domain name
+
+
+ %f
+ fully qualified user name (user@domain)
+
+
+ %l
+ The first letter of the login name.
+
+
+ %P
+ UPN - User Principal Name (name@REALM)
+
+
+ %o
+
+ The original home directory retrieved from the identity provider.
+
+
+
+ %H
+
+ The value of configure option homedir_substring.
+
+
+
+ %%
+ a literal '%'
+
+
+
+
+
+ This option can also be set per-domain.
+
+
+ example:
+override_homedir = /home/%u
+
+
+
+ Default: Not set (SSSD will use the value retrieved from LDAP)
+
+
+
diff --git a/src/man/lv/include/param_help.xml b/src/man/lv/include/param_help.xml
new file mode 100644
index 0000000..d28020b
--- /dev/null
+++ b/src/man/lv/include/param_help.xml
@@ -0,0 +1,10 @@
+
+
+ ,
+
+
+
+ Display help message and exit.
+
+
+
diff --git a/src/man/lv/include/param_help_py.xml b/src/man/lv/include/param_help_py.xml
new file mode 100644
index 0000000..a2478bf
--- /dev/null
+++ b/src/man/lv/include/param_help_py.xml
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/lv/include/seealso.xml b/src/man/lv/include/seealso.xml new file mode 100644 index 0000000..ddc7fe3 --- /dev/null +++ b/src/man/lv/include/seealso.xml @@ -0,0 +1,61 @@ + + SKATĪT ARĪ + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/lv/include/service_discovery.xml b/src/man/lv/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/lv/include/service_discovery.xml 
@@ -0,0 +1,41 @@
+
+ SERVICE DISCOVERY
+
+ The service discovery feature allows back ends to automatically find the
+appropriate servers to connect to using a special DNS query. This feature is
+not supported for backup servers.
+
+
+ Configuration
+
+ If no servers are specified, the back end automatically uses service
+discovery to try to find a server. Optionally, the user may choose to use
+both fixed server addresses and service discovery by inserting a special
+keyword, _srv_, in the list of servers. The order of
+preference is maintained. This feature is useful if, for example, the user
+prefers to use service discovery whenever possible, and fall back to a
+specific server when no servers can be discovered using DNS.
+
+
+
+ The domain name
+
+ Please refer to the dns_discovery_domain parameter in the
+ sssd.conf
+5 manual page for more details.
+
+
+
+ The protocol
+
+ The queries usually specify _tcp as the protocol. Exceptions are documented
+in respective option description.
+
+
+
+ See Also
+
+ For more information on the service discovery mechanism, refer to RFC 2782.
+
+
+
diff --git a/src/man/lv/include/upstream.xml b/src/man/lv/include/upstream.xml
new file mode 100644
index 0000000..ba04020
--- /dev/null
+++ b/src/man/lv/include/upstream.xml
@@ -0,0 +1,3 @@
+
+SSSD The SSSD upstream -
+https://pagure.io/SSSD/sssd/
diff --git a/src/man/man.stamp b/src/man/man.stamp
new file mode 100644
index 0000000..e69de29
diff --git a/src/man/nl/include/ad_modified_defaults.xml b/src/man/nl/include/ad_modified_defaults.xml
new file mode 100644
index 0000000..7c6def2
--- /dev/null
+++ b/src/man/nl/include/ad_modified_defaults.xml
@@ -0,0 +1,77 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend provider
+defaults, these option names and AD provider-specific defaults are listed
+below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_enterprise_principal = true
+
+
+
+
+
+ LDAP Provider
+
+
+
+ ldap_schema = ad
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_id_mapping = true
+
+
+
+
+ ldap_sasl_mech = gssapi
+
+
+
+
+ ldap_referrals = false
+
+
+
+
+ ldap_account_expire_policy = ad
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+
+
+ The AD provider looks for a different principal than the LDAP provider by
+default, because in an Active Directory environment the principals are
+divided into two groups - User Principals and Service Principals. Only User
+Principal can be used to obtain a TGT and by default, computer object's
+principal is constructed from its sAMAccountName and the AD realm. The
+well-known host/hostname@REALM principal is a Service Principal and thus
+cannot be used to get a TGT with.
+
+
+
+
+
diff --git a/src/man/nl/include/autofs_restart.xml b/src/man/nl/include/autofs_restart.xml
new file mode 100644
index 0000000..f31efe5
--- /dev/null
+++ b/src/man/nl/include/autofs_restart.xml
@@ -0,0 +1,5 @@
+
+ Please note that the automounter only reads the master map on startup, so if
+any autofs-related changes are made to the sssd.conf, you typically also
+need to restart the automounter daemon after restarting the SSSD.
+
diff --git a/src/man/nl/include/debug_levels.xml b/src/man/nl/include/debug_levels.xml
new file mode 100644
index 0000000..5148252
--- /dev/null
+++ b/src/man/nl/include/debug_levels.xml
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/nl/include/debug_levels_tools.xml b/src/man/nl/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/nl/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/nl/include/experimental.xml b/src/man/nl/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/nl/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/nl/include/failover.xml b/src/man/nl/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/nl/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/nl/include/homedir_substring.xml b/src/man/nl/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/nl/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/nl/include/ipa_modified_defaults.xml b/src/man/nl/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/nl/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/nl/include/ldap_id_mapping.xml b/src/man/nl/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/nl/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/nl/include/ldap_search_bases.xml b/src/man/nl/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/nl/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/nl/include/local.xml b/src/man/nl/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/nl/include/local.xml 
@@ -0,0 +1,17 @@
+
+ THE LOCAL DOMAIN
+
+ In order to function correctly, a domain with
+id_provider=local must be created and the SSSD must be
+running.
+
+
+ The administrator might want to use the SSSD local users instead of
+traditional UNIX users in cases where the group nesting (see
+sss_groupadd 8
+) is needed. The local users are also useful for testing and
+development of the SSSD without having to deploy a full remote server. The
+sss_user* and sss_group* tools use a
+local LDB storage to store users and groups.
+
+
diff --git a/src/man/nl/include/override_homedir.xml b/src/man/nl/include/override_homedir.xml
new file mode 100644
index 0000000..94caee1
--- /dev/null
+++ b/src/man/nl/include/override_homedir.xml
@@ -0,0 +1,63 @@
+
+override_homedir (string)
+
+
+ Override the user's home directory. You can either provide an absolute value
+or a template. In the template, the following sequences are substituted:
+
+
+ %u
+ login name
+
+
+ %U
+ UID number
+
+
+ %d
+ domain name
+
+
+ %f
+ fully qualified user name (user@domain)
+
+
+ %l
+ The first letter of the login name.
+
+
+ %P
+ UPN - User Principal Name (name@REALM)
+
+
+ %o
+
+ The original home directory retrieved from the identity provider.
+
+
+
+ %H
+
+ The value of configure option homedir_substring.
+
+
+
+ %%
+ a literal '%'
+
+
+
+
+
+ This option can also be set per-domain.
+
+
+ example:
+override_homedir = /home/%u
+
+
+
+ Default: Not set (SSSD will use the value retrieved from LDAP)
+
+
+
diff --git a/src/man/nl/include/param_help.xml b/src/man/nl/include/param_help.xml
new file mode 100644
index 0000000..d28020b
--- /dev/null
+++ b/src/man/nl/include/param_help.xml
@@ -0,0 +1,10 @@
+
+
+ ,
+
+
+
+ Display help message and exit.
+
+
+
diff --git a/src/man/nl/include/param_help_py.xml b/src/man/nl/include/param_help_py.xml
new file mode 100644
index 0000000..a2478bf
--- /dev/null
+++ b/src/man/nl/include/param_help_py.xml
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/nl/include/seealso.xml b/src/man/nl/include/seealso.xml new file mode 100644 index 0000000..2b75ea2 --- /dev/null +++ b/src/man/nl/include/seealso.xml @@ -0,0 +1,61 @@ + + ZIE OOK + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/nl/include/service_discovery.xml b/src/man/nl/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/nl/include/service_discovery.xml 
@@ -0,0 +1,41 @@
+
+ SERVICE DISCOVERY
+
+ The service discovery feature allows back ends to automatically find the
+appropriate servers to connect to using a special DNS query. This feature is
+not supported for backup servers.
+
+
+ Configuration
+
+ If no servers are specified, the back end automatically uses service
+discovery to try to find a server. Optionally, the user may choose to use
+both fixed server addresses and service discovery by inserting a special
+keyword, _srv_, in the list of servers. The order of
+preference is maintained. This feature is useful if, for example, the user
+prefers to use service discovery whenever possible, and fall back to a
+specific server when no servers can be discovered using DNS.
+
+
+
+ The domain name
+
+ Please refer to the dns_discovery_domain parameter in the
+ sssd.conf
+5 manual page for more details.
+
+
+
+ The protocol
+
+ The queries usually specify _tcp as the protocol. Exceptions are documented
+in respective option description.
+
+
+
+ See Also
+
+ For more information on the service discovery mechanism, refer to RFC 2782.
+
+
+
diff --git a/src/man/nl/include/upstream.xml b/src/man/nl/include/upstream.xml
new file mode 100644
index 0000000..ba04020
--- /dev/null
+++ b/src/man/nl/include/upstream.xml
@@ -0,0 +1,3 @@
+
+SSSD The SSSD upstream -
+https://pagure.io/SSSD/sssd/
diff --git a/src/man/nl/sss_groupmod.8.xml b/src/man/nl/sss_groupmod.8.xml
new file mode 100644
index 0000000..42edda5
--- /dev/null
+++ b/src/man/nl/sss_groupmod.8.xml
@@ -0,0 +1,72 @@ + + + +SSSD handleiding + + + + + sss_groupmod + 8 + + + + sss_groupmod + muteer een groep + + + + +sss_groupmod +opties GROEP + + + + OMSCHRIJVING + + sss_groupmod muteert de groep en maakt de aanpassingen +die via de opdrachtregel ingegeven zijn. + + + + + OPTIES + + + + , +GROEPEN + + + + Voeg deze groep toe aan de groepen opgegeven met de +GROEPEN parameter. De +GROEPEN parameter is een kommagescheiden lijst +van groepnamen. + + + + + + , +GROEPEN + + + + Verwijder deze groep uit de groepen opgegeven in de +GROEPEN parameter. + + + + + + + + + + + + + diff --git a/src/man/pam_sss.8.xml b/src/man/pam_sss.8.xml new file mode 100644 index 0000000..d8e6a20 --- /dev/null +++ b/src/man/pam_sss.8.xml 
@@ -0,0 +1,238 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ pam_sss
+ 8
+
+
+
+ pam_sss
+ PAM module for SSSD
+
+
+
+
+ pam_sss.so
+
+ quiet
+
+
+ forward_pass
+
+
+ use_first_pass
+
+
+ use_authtok
+
+
+ retry=N
+
+
+ ignore_unknown_user
+
+
+ ignore_authinfo_unavail
+
+
+ domains=X
+
+
+ allow_missing_name
+
+
+ prompt_always
+
+
+
+
+
+ DESCRIPTION
+ pam_sss.so is the PAM interface to the System
+ Security Services daemon (SSSD). Errors and results are logged through
+ syslog(3) with the LOG_AUTHPRIV facility.
+
+
+
+ OPTIONS
+
+
+
+
+
+
+ Suppress log messages for unknown users.
+
+
+
+
+
+
+
+ If is set the entered
+ password is put on the stack for other PAM modules to use.
+
+
+
+
+
+
+
+
+ The argument use_first_pass forces the module to use
+ a previous stacked modules password and will never prompt
+ the user - if no password is available or the password is
+ not appropriate, the user will be denied access.
+
+
+
+
+
+
+
+ When password changing enforce the module to set the
+ new password to the one provided by a previously stacked
+ password module.
+
+
+
+
+
+
+
+ If specified the user is asked another N times for a
+ password if authentication fails. Default is 0.
+ Please note that this option might not work as
+ expected if the application calling PAM handles the user
+ dialog on its own. A typical example is
+ sshd with
+ .
+
+
+
+
+
+
+
+ If this option is specified and the user does not
+ exist, the PAM module will return PAM_IGNORE. This causes
+ the PAM framework to ignore this module.
+
+
+
+
+
+
+
+
+ Specifies that the PAM module should return PAM_IGNORE
+ if it cannot contact the SSSD daemon. This causes
+ the PAM framework to ignore this module.
+
+
+
+
+
+
+
+
+ Allows the administrator to restrict the domains a
+ particular PAM service is allowed to authenticate
+ against. The format is a comma-separated list of
+ SSSD domain names, as specified in the sssd.conf file.
+
+
+ NOTE: Must be used in conjunction with the
+ pam_trusted_users and
+ pam_public_domains options.
+ Please see the
+
+ sssd.conf
+ 5
+ manual page for more information
+ on these two PAM responder options.
+
+
+
+
+
+
+
+
+
+ The main purpose of this option is to let SSSD determine
+ the user name based on additional information, e.g. the
+ certificate from a Smartcard.
+
+
+ The current use case are login managers which can
+ monitor a Smartcard reader for card events. In case a
+ Smartcard is inserted the login manager will call a PAM
+ stack which includes a line like
+
+auth sufficient pam_sss.so allow_missing_name
+
+ In this case SSSD will try to determine the user name
+ based on the content of the Smartcard, returns it to
+ pam_sss which will finally put it on the PAM stack.
+
+
+
+
+
+
+
+
+
+ Always prompt the user for credentials. With this
+ option credentials requested by other PAM modules,
+ typically a password, will be ignored and pam_sss will
+ prompt for credentials again. Based on the pre-auth
+ reply by SSSD pam_sss might prompt for a password, a
+ Smartcard PIN or other credentials.
+
+
+
+
+
+
+
+ MODULE TYPES PROVIDED
+ All module types (, ,
+ and ) are provided.
+
+
+
+
+ FILES
+ If a password reset by root fails, because the corresponding SSSD
+ provider does not support password resets, an individual message can be
+ displayed. This message can e.g. contain instructions about how to reset
+ a password.
+
+ The message is read from the file
+ pam_sss_pw_reset_message.LOC where LOC stands for a
+ locale string returned by
+ setlocale3
+ . If there is no matching file the content of
+ pam_sss_pw_reset_message.txt is displayed. Root
+ must be the owner of the files and only root may have read and write
+ permissions while all other users must have only read
+ permissions.
+
+ These files are searched in the directory
+ /etc/sssd/customize/DOMAIN_NAME/. If no matching
+ file is present a generic message is displayed.
+
+
+
+
+
+
diff --git a/src/man/po/br.po b/src/man/po/br.po
new file mode 100644
index 0000000..014fe0c
--- /dev/null
+++ b/src/man/po/br.po
@@ -0,0 +1,15636 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# +# Translators: +# Fulup , 2012 +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.1\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: 2014-12-14 11:51+0000\n" +"Last-Translator: Copied by Zanata \n" +"Language-Team: Breton (http://www.transifex.com/projects/p/sssd/language/" +"br/)\n" +"Language: br\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#. type: Content of: +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 +#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 +#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 +#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "Dornlevr SSSD" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "sss_groupmod" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "Kemmañur strollad" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "DESKRIVADUR" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "DIBARZHIOÙ" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "Ar restr gefluniañ evit SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "FURMAD RESTR" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Dre ziouer : true" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "RANNOÙ DIBAR" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "Ar rann [sssd]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Arventennoù ar rann" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Dre ziouer : 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "domanioù" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "re_expression (neudennad)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "full_name_format (neudennad)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "RANNOÙ SERVIJOÙ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "Dre ziouer : 120"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr "Dre ziouer : 15"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 120"
+msgid "Default: 14400 (4 hours)"
+msgstr "Dre ziouer : 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr "filter_users, filter_groups (neudennad)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr "Dre zoiuer : root"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. 
It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr "Dre zoiuer : 5"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "Dre ziouer : 0" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. 
Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +#, fuzzy +#| msgid "Default: 3" +msgid "Default:" +msgstr "Dre ziouer : 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. 
The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "RANNOÙ DOMANI" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "GWELET IVEZ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +#, fuzzy +#| msgid "" +#| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +#| "replaceable>" +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +#, fuzzy +#| msgid "re_expression (string)" +msgid "passwd_files (string)" +msgstr "re_expression (neudennad)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +#, fuzzy +#| msgid "Default: true" +msgid "Default: /etc/passwd" +msgstr "Dre ziouer : true" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +#, fuzzy +#| msgid "re_expression (string)" +msgid "group_files (string)" +msgstr "re_expression (neudennad)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +#, fuzzy +#| msgid "Default: true" +msgid "Default: /etc/group" +msgstr "Dre ziouer : true" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/ca.po b/src/man/po/ca.po
new file mode 100644
index 0000000..b7767a2
--- /dev/null
+++ b/src/man/po/ca.po
@@ -0,0 +1,16694 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# Jordi Mas <jmas@softcatala.org>, 2012
+# Jordi Mas <jmas@softcatala.org>, 2012
+# Jordi Mas <jmas@softcatala.org>, 2014
+# muzzol <muzzol@gmail.com>, 2012
+# muzzol <muzzol@gmail.com>, 2012
+# Robert Antoni Buj i Gelonch, 2013
+# Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>, 2015. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2015-10-18 04:13+0000\n"
+"Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
+"Language-Team: Catalan (http://www.transifex.com/projects/p/sssd/language/"
+"ca/)\n"
+"Language: ca\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "Pàgines del manual de l'SSSD"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "sss_groupmod" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "modifica un grup" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable></arg> <arg choice='plain'> <replaceable>GRUP</replaceable></arg>" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "DESCRIPCIÓ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" +"<command>sss_groupmod</command> modifica el grup per reflectir els canvis " +"que s'especifiquen a la línia d'ordres." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "OPCIONS" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GRUPS</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Afegeix aquest grup als grups especificats amb el paràmetre " +"<replaceable>GRUPS</replaceable>. El paràmetre <replaceable>GRUPS</" +"replaceable> és una llista delimitada per comes dels noms dels grups." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GRUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"Suprimeix aquest grup dels grups especificats amb el paràmetre " +"<replaceable>GRUPS</replaceable>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. 
type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Formats i convencions dels fitxers" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "el fitxer de configuració per a l'SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "FORMAT DEL FITXER" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" +"<replaceable>[secció]</replaceable>\n" +"<replaceable>clau</replaceable> = <replaceable>valor</replaceable>\n" +"<replaceable>clau2</replaceable> = <replaceable>valor2,valor3</replaceable>\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"El fitxer té un estil de sintaxi del tipus ini i està format per seccions i " +"paràmetres. Una secció comença amb el nom de la secció entre claudàtors i " +"continua fins a l'inici de la següent secció. 
Un exemple de secció amb " +"paràmetres amb un sol valor i amb valors múltiples: <placeholder type=" +"\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" +"Els tipus de dades que s'utilitzen són cadenes (no necessiten cometes), " +"enters i booleans (amb valors <quote>TRUE/FALSE</quote>)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +#, fuzzy +#| msgid "" +#| "A line comment starts with a hash sign (<quote>#</quote>) or a semicolon " +#| "(<quote>;</quote>). Inline comments are not supported." +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" +"Una línia de comentari comença amb un signe de coixinet (<quote>#</quote>) o " +"un signe de punt i coma (<quote>;</quote>). Els comentaris en línia no " +"estan admesos." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" +"Totes les seccions poden tenir un paràmetre opcional de " +"<replaceable>descripció</replaceable>. La seva funció tan sols és una " +"etiqueta per a la secció." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" +"<filename>sssd.conf</filename> ha de ser un fitxer normal, amb root com a " +"propietari i només l'usuari root hi pot llegir o escriure." + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "OPCIONS GENERALS" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" +"Les següents opcions es poden utilitzar en més d'una secció de configuració." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "Opcions que es poden utilitzar en totes les seccions" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "debug_level (enter)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "debug_timestamps (booleà)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" +"Afegeix una marca temporal al registre de depuració. Si el journald està " +"habilitat per enregistrar la depuració de l'SSSD, aleshores s'ignora aquesta " +"opció." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Per defecte: true" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "debug_microseconds (booleà)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" +"Afegeix els mil·lisegons a les marques temporals als missatges de depuració. " +"Si el journald està habilitat per enregistrar la depuració de l'SSSD, " +"aleshores s'ignora aquesta opció." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Per defecte: false" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "Opcions que es poden utilitzar a les seccions SERVEI i DOMINI" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Per defecte: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "SECCIONS ESPECIALS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "La secció [sssd]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Paràmetres de la secció" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "config_file_version (enter)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" +"Indica quina és la sintaxi del fitxer de configuració. La versió 0.6.0 i les " +"posteriors versions de l'SSSD utilitzen la versió 2." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "services" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" +"Serveis admesos: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "reconnection_retries (enter)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" +"El nombre de vegades que els serveis haurien d'intentar tornar a connectar " +"en cas de caiguda o reinici del proveïdor de dades abans de donar-se per " +"vençuts" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Per defecte: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "domains" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "re_expression (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" +"L'expressió regular per defecte que descriu com analitzar la cadena que " +"conté el nom d'usuari i el domini en aquests components." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "full_name_format (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" +"Un format compatible amb <citerefentry> <refentrytitle>printf</" +"refentrytitle> <manvolnum>3</manvolnum> </citerefentry>-que descriu com " +"compondre un FQN des dels components del nom d'usuari i del nom del domini." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "%1$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "nom d'usuari" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "%2$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" +"el nom del domini tal com s'especifica al fitxer de configuració de l'SSSD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "%3$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" +"S'admeten les següents ampliacions: <placeholder type=\"variablelist\" id=" +"\"0\"/>" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" +"Cadascun dels dominis pot tenir una cadena del format configurada de forma " +"individual. Vegeu les SECCIONS DELS DOMINIS per a més informació sobre " +"aquesta opció." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "try_inotify (booleà)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" +"L'SSSD monitora l'estat del resolv.conf per identificar quan cal actualitzar " +"el seu traductor intern de DNS. Per defecte, s'intentarà utilitzar inotify " +"per a això i recaurà en sondejar el resolv.conf cada cinc segons si no es " +"pot utilitzar l'inotify." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" +"Hi ha algunes situacions limitades on es prefereix ignorar fins i tot " +"l'intent d'ús de l'inotify. En aquestes estranyes circumstàncies, s'hauria " +"d'establir aquesta opció a «false»" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" +"Per defecte: true en les plataformes on està suportat l'inotify. Fals en les " +"altres plataformes." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" +"Nota: aquesta opció no afectarà les plataformes on l'inotify no està " +"disponible. En aquestes plataformes, sempre s'utilitzarà el sondeig." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "krb5_rcache_dir (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" +"El directori al sistema de fitxers on l'SSSD ha d'emmagatzemar els fitxers " +"cau de repetició del Kerberos." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" +"Aquesta opció accepta un valor especial __LIBKRB5_DEFAULTS__ que instruirà a " +"l'SSSD per permetre a libkrb5 decidir la ubicació apropiada per a la memòria " +"auxiliar de reproducció." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+"Per defecte: Específic de la distribució i s'especifica en temps de "
+"construcció. (__LIBKRB5_DEFAULTS__ si no està configurat)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr "user (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr "Per defecte: sense establir, els processos s'executaran com a root"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr "default_domain_suffix (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+"Aquesta cadena s'utilitzarà un nom de domini per defecte per a tots els noms "
+"que no tinguin el component del nom del domini. El cas d'ús principal està "
+"als entorns on el domini principal està destinat a la gestió de les "
+"polítiques dels amfitrions i tots els usuaris es troben en un domini de "
+"confiança. L'opció permet que els usuaris iniciïn la sessió sols amb el seu "
+"nom d'usuari sense donar també un nom de domini."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+"Tingueu en compte que si s'estableix aquesta opció per a tots els usuaris "
+"des del domini principal, s'han d'utilitzar el seu FQN, p. ex. usuari@nom."
+"domini, per iniciar la sessió. En establir aquesta opció es canvia el "
+"predeterminat d'use_fully_qualified_names a True. No està permès l'ús "
+"d'aquesta opció juntament amb use_fully_qualified_names establert a False."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr "Per defecte: sense establir"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr "override_space (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr "Per defecte: sense establir (no se substituiran els espais)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr "Per defecte: Sense establir"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Les peces individuals de la funcionalitat de l'SSSD es proporcionen amb "
+"serveis especials que s'inicien i s'aturen juntament amb l'SSSD. Els "
+"serveis es gestionen amb un servei especial anomenat <quote>monitor</quote>. "
+"La secció <quote>[sssd]</quote> s'utilitza per configurar el monitor així "
+"com altres opcions importants com els dominis d'identitats. <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "SECCIONS DELS SERVEIS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+"Ajustos que es poden utilitzar per configurar diferents serveis que es "
+"descriuen en aquesta secció. Han de residir a la secció [<replaceable>$Nom</"
+"replaceable>], per exemple, per a servei NSS, la secció seria <quote>[nss]</"
+"quote>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "Opcions de configuració del servei general"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "Es poden utilitzar aquestes opcions per configurar qualsevol servei."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr "fd_limit"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr "Per defecte: 60"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr "offline_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr "offline_timeout + random_offset"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr "new_interval = old_interval*2 + random_offset"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Per defecte: 300"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr "Opcions de configuració de l'NSS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+"Es poden utilitzar aquestes opcions per configurar el servei del NSS (Name "
+"Service Switch)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr "enum_cache_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+"El número de segons que nss_sss emmagatzema a la meòria cau les enumeracions "
+"(peticions d'informació sobre tots els usuaris)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "Per defecte: 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr "entry_cache_nowait_percentage (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+"El valor de la memòria cau es pot establir per actualitzar a automàticament "
+"les entrades en rerefons, si se sol·liciten més enllà d'un percentatge del "
+"valor entry_cache_timeout per al domini."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+"Per exemple, si s'estableix entry_cache_timeout del domini a 30 s i "
+"entry_cache_nowait_percentage està establert a 50 (per cent), les entrades "
+"que arriben després de 15 segons més enllà de l'última actualització de la "
+"memòria cau es retornaran immediatament, però l'SSSD anirà actualitzant la "
+"memòria cau pel seu propi compte, de manera que no caldrà bloquejar les "
+"peticions que esperen per a una actualització de la memòria cau."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+"Els valors vàlids per a aquesta opció són 0-99 i representen un percentatge "
+"de la entry_cache_timeout per a cada domini. Per raons de rendiment, aquest "
+"percentatge mai reduirà el temps d'espera de nowait a menys de 10 segons. "
+"(0 desactiva aquesta característica)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "Per defecte: 50"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr "" +"Especifica quants segons nss_sss hauria d'emmagatzemar els intents de la " +"memòria cau negatius (és a dir, consultes per a les entrades incorrectes de " +"la base de dades, com les inexistents) abans de preguntar al rerefons una " +"altra vegada." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "Per defecte: 15" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +#, fuzzy +#| msgid "Default: 86400 (24 hours)" +msgid "Default: 14400 (4 hours)" +msgstr "Per defecte: 86400 (24 hores)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "filter_users, filter_groups (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "Per defecte: root" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "filter_users_in_groups (booleà)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" +"Si voleu que els usuaris filtrats encara siguin membres del grup establiu " +"aquesta opció a false." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "fallback_homedir (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" +"Estableix una plantilla predeterminada per al directori inicial de l'usuari " +"si no se n'especifica cap explícitament amb el proveïdor de dades del domini." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" +"Els valors disponibles per aquesta opció són els mateixos que per " +"override_homedir." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" +"fallback_homedir = /home/%u\n" +" " + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "exemple: <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" +"Per defecte: sense establir (cap substitució per als directoris inicials no " +"establerts)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "override_shell (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" +"Substitueix el shell d'inici de sessió per a tots els usuaris. Aquesta opció " +"substitueix qualsevol de les altres opcions del shell si entra en vigor i es " +"pot configurar ja sigui en la secció [nss] o per cada domini." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" +"Per defecte: sense establir (SSSD utilitzarà el valor recuperat del LDAP)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "allowed_shells (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" +"Restringeix el shell de l'usuari a un dels valors llistats. L'ordre " +"d'avaluació és:" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "1. Si el shell està present al <quote>/etc/shells</quote>, s'utilitza." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "vetoed_shells (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "shell_fallback (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "Per defecte: /bin/sh" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "default_shell" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "get_domains_timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "memcache_timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr "user_attributes (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr "Opcions de configuració del PAM"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+"Es poden utilitzar aquestes opcions per configurar el servei del PAM "
+"(Pluggable Authentication Module)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr "offline_credentials_expiration (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+"Si el proveïdor d'autenticació està fora de línia, quant de temps s'haurien "
+"de permetre inicis de sessió de la memòria cau (en dies des de l'últim inici "
+"de sessió)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr "Per defecte: 0 (sense límit)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr "offline_failed_login_attempts (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+"Si el proveïdor d'autenticació està fora de línia, quants intents d'accés "
+"fallits es permet."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr "offline_failed_login_delay (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+"El temps en minuts que ha de passar després que s'ha assolit "
+"offline_failed_login_attempts abans que un nou intent de connexió sigui "
+"possible."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr "Per defecte: 5"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr "pam_verbosity (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+"Controla quin tipus de missatges es mostren a l'usuari durant "
+"l'autenticació. Com més gran sigui el nombre més missatges es mostren."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr "L'sssd actualment admet els següents valors:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr "<emphasis>0</emphasis>: no mostris cap missatge"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr "<emphasis>1</emphasis>: Mostra només missatges importants"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr "<emphasis>2</emphasis>: Mostra missatges informatius"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+"<emphasis>3</emphasis>: Mostra tots els missatges i informació de depuració"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr "Per defecte: 1"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr "pam_id_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+"Per a qualsevol petició de PAM mentre és en línia, l'SSSD intentarà "
+"actualitzar immediatament la informació d'identitat en memòria cau per a "
+"l'usuari per tal de garantir que l'autenticació es porta a terme amb "
+"l'última informació."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+"Una conversa completa de PAM pot realitzar múltiples peticions de PAM, com "
+"ara la gestió del compte i la sessió d'inici. Aquesta opció controla (en "
+"funció d'una aplicació client) quant de temps (en segons) es pot "
+"emmagatzemar en memòria cau la informació d'identitat per evitar peticions "
+"excessives al proveïdor d'identitat."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr "pam_pwd_expiration_warning (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr "Per defecte: 0"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr "pam_trusted_users (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr "pam_public_domains (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr "Per defecte: none"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr "pam_account_expired_message (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr "Per defecte: False"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "Per defecte: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr "Opcions de configuració de SUDO"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Es poden utilitzar aquestes opcions per configurar el servei del sudo. 
Les "
+"instruccions detallades per la configuració del <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"perquè funcioni amb <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> estan en la pàgina del manual "
+"<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr "sudo_timed (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr ""
+"Es poden utilitzar aquestes opcions per configurar el servei de l'autofs."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr "autofs_negative_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr "Es poden utilitzar aquestes opcions per configurar el servei de l'SSH."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr "ssh_hash_known_hosts (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr "ssh_known_hosts_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr "Per defecte: 180"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+#, fuzzy
+#| msgid "ldap_user_certificate (string)"
+msgid "ssh_use_certificate_keys (bool)"
+msgstr "ldap_user_certificate (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+#, fuzzy
+#| msgid ""
+#| "The skeleton directory, which contains files and directories to be copied "
+#| "in the user's home directory, when the home directory is created by "
+#| "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>"
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+"El directori esquemàtic que conté els fitxers i els directoris per copiar al "
+"directori inicial, quan el directori inicial de l'usuari es crea amb "
+"<citerefentry><refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr "Opcions de configuració del contestador del PAC."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+"Es poden utilitzar aquestes opcions per configurar el contestador del PAC."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr "allowed_uids (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr "SECCIONS DE DOMINI"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr "min_id, max_id (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+"Els límits UID i GID per al domini. Si un domini conté una entrada que està "
+"fora d'aquests límits, s'ignora."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. 
For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+"Per a usuaris, això afecta el límit del GID primari. L'usuari no es "
+"retornarà a l'NSS si l'UID o el GID primari és fora de l'interval. Per als "
+"membres dels grups secundaris, els que estan dins l'interval es comunicaran "
+"com s'esperava."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr "Per defecte: 1 per a min_id, 0 (sense límit) per a max_id"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr "enumerate (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr "TRUE = Els usuaris i grups s'enumeren"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr "FALSE = Cap enumeració per a aquest domini"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "Per defecte: FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+"Mentre s'està executant la primera enumeració, les peticions de llistes "
+"completes d'usuaris o grups poden no retornar cap resultat fins que aquest "
+"finalitzi."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+"A més a més, permetre l'enumeració pot augmentar el temps necessari detectar "
+"desconnexions de xarxa, ja que temps d'espera més llargs són necessaris per "
+"assegurar-se que les cerques de l'enumeració s'han completat amb èxit. Per "
+"a més informació, aneu a les pàgines de manual de l'id_provider específic en "
+"ús."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr "subdomain_enumerate (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr "all"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr "none"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr "entry_cache_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+"Quants segons el nss_sss hauria de considerar les entrades vàlides abans de "
+"demanar al rerefons una altra vegada"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "Per defecte: 5400"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr "entry_cache_user_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr "Per defecte: entry_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr "entry_cache_group_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr "entry_cache_netgroup_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr "entry_cache_service_timeout (enter)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr "entry_cache_sudo_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr "entry_cache_autofs_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr "entry_cache_ssh_host_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr "refresh_expired_interval (enter)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr "Per defecte: 0 (inhabilitat)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr "cache_credentials (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+"Determina si les credencials d'usuari també són emmagatzemades en la memòria "
+"cau local de LDB"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr "Per defecte: 8"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr "account_cache_expiration (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+"Nombre de dies que les entrades es queden a la memòria cau després del "
+"darrer inici de sessió vàlid abans de ser eliminat durant una neteja de la "
+"memòria cau. 0 significa mantenir per sempre. El valor d'aquest paràmetre "
+"ha de ser superior o igual que offline_credentials_expiration."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "Per defecte: 0 (sense límit)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr "pwd_expiration_warning (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr "Per defecte: 7 (Kerberos), 0 (LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr "id_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+#, fuzzy
+#| msgid ""
+#| "<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> for more information on configuring LDAP."
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+"<quote>ldap</quote> per autenticació nativa LDAP. Vegeu "
+"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> per a més informació sobre configuració d'LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr "use_fully_qualified_names (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+"Si s'estableix a TRUE, totes les peticions a aquest domini han d'utilitzar "
+"noms de domini qualificats. Per exemple, si s'utilitza a un domini LOCAL que "
+"conté un usuari \"test\", <command>getent passwd test</command> no trobaria "
+"l'usuari mentre que <command>getent passwd test@LOCAL</command> sí."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr "ignore_group_members (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+"El proveïdor d'autenticació utilitzat per al domini. Els proveïdors "
+"d'autenticació suportats són:"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> per autenticació nativa LDAP. Vegeu "
+"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> per a més informació sobre configuració d'LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> per a l'autenticació Kerberos. Vegeu "
+"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> per a l'autenticació reenviada a algun altre objectiu "
+"de PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr "<quote>none</quote> impossibilita l'autenticació explícitament."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+"Per defecte: <quote>id_provider</quote> s'utilitza si s'ha establert i pot "
+"gestionar les sol·licituds d'autenticació."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr "access_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+"El proveïdor d'accés de control utilitzat per al domini. Hi ha dos "
+"proveïdors d'accés incorporats (a més de qualsevol dels rerefons "
+"instal·lats) Els proveïdors especials interns són:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr "<quote>deny</quote> sempre denega l'accés."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+"<quote>simple</quote> control d'accés basat en llistes d'acceptació o "
+"denegació. Vegeu <citerefentry><refentrytitle>sssd-simple</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> per a més informació sobre la "
+"configuració del mòdul d'accés simple."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr "Per defecte: <quote>permit</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr "chpass_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+"El proveïdor que hauria de gestionar les operacions de canvi contrasenya per "
+"al domini. Els proveïdors de canvi de contrasenya compatibles són:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. 
See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu "
+"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> per a més informació sobre configurar Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> per al canvi de contrasenya reenviat a algun altre "
+"objectiu PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr "<quote>none</quote> rebutja els canvis de contrasenya explícitament."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+"Per defecte: <quote>auth_provider</quote> s'utilitza si s'ha establert i pot "
+"gestionar peticions de canvi de contrasenya."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr "sudo_provider (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. 
Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr "selinux_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr "subdomains_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. 
Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr "autofs_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr "hostid_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+"Per defecte: <quote>(?P<nom>[^@]+)@?(?P<domini>[^@]*$)</quote> "
+"que es tradueix per \"el nom és tot el que hi ha fins al símbol <quote>@</"
+"quote> , el domini és tot el que hi ha després\""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Per defecte: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr "lookup_family_order (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+"Proporciona la capacitat de seleccionar la família d'adreces preferida en "
+"realitzar cerques de DNS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "Valors admesos:"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr "ipv4_first: Intenta resoldre l'adreça IPv4, si falla, intenta IPv6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr "ipv4_only: Intenta resoldre només noms màquina a adreces IPv4."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr "ipv6_first: Intenta resoldre l'adreça IPv6, si falla, intenta IPv4"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr "ipv6_only: Intenta resoldre només noms màquina a adreces IPv6."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr "Per defecte: ipv4_first"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr "dns_resolver_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "Per defecte: 6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr "dns_discovery_domain (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+"Si el servei de descobriment s'utilitza en el rerefons, especifica la part "
+"del domini de la consulta DNS del servei de descobriment."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr "Per defecte: Utilitza la part del domini del nom de màquina"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr "override_gid (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr "case_sensitive (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr "True"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr "False"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr "subdomain_inherit (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr "ldap_user_principal"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "Exemple: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr "subdomain_homedir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr "%F"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr "Per defecte: <filename>/home/%d/%u</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr "realmd_tags (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Aquestes opcions de configuració poden ser presents a una secció de "
+"configuració de domini anomenada <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr "proxy_pam_target (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr "El servidor intermediari on reenvia PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+"Per defecte: No està establit per defecte, heu de prendre una configuració "
+"de pam existent o crear-ne una de nova i afegir aquí el nom del servei."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr "proxy_lib_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+"El nom de la biblioteca NSS per utilitzar als dominis del servidor "
+"intermediari. Les funcions NSS que se cerquen a la biblioteca tenen el "
+"format _nss_$(libName)_$(function), per exemple _nss_files_getpwent."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr "proxy_fast_alias (booleà)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+"Opcions vàlides per als dominis del servidor intermediari. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. 
However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. 
In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr "La secció del domini local"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+"Aquesta secció conté paràmetres per a dominis que emmagatzemen els usuaris i "
+"grups a la base de dades SSSD nadiu de, és a dir, un domini que utilitza "
+"<replaceable>id_provider = local</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr "default_shell (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+"El shell predeterminat per als usuaris que es creen amb eines de l'espai "
+"d'usuari de l'SSSD." 
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Per defecte: <filename>/bin/bash</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr "base_directory (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+"Les eines concatenen el nom d'usuari a <replaceable>base_directory</"
+"replaceable> i utilitzen aquest com el directori inicial."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "Per defecte: <filename>/home</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr "create_homedir (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Per defecte: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr "remove_homedir (booleà)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr "homedir_umask (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+"Utilitzat per <citerefentry><refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum></citerefentry> per especificar els permisos per "
+"defecte en un directori inicial acabat de crear."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Per defecte: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr "skel_dir (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+"El directori esquemàtic que conté els fitxers i els directoris per copiar al "
+"directori inicial, quan el directori inicial de l'usuari es crea amb "
+"<citerefentry><refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Per defecte: <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr "mail_dir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+"El directori de gestió de cues del correu. Aquest és necessari per manipular "
+"la bústia de correu quan el compte d'usuari corresponent és modificat o "
+"suprimit. Si no s'especifica, s'utilitzarà un valor per defecte."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Per defecte: <filename>/var/correu</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr "userdel_cmd (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+"L'ordre que s'executa després d'eliminar un usuari. L'ordre passa el nom "
+"d'usuari com el primer i únic paràmetre. El codi de retorn de l'ordre no es "
+"té en compte."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr "Per defecte: Cap, no s'executa cap comanda"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.exemple.com\n"
+"ldap_search_base = dc=exemple,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.exemple.com\n"
+"krb5_realm = EXEMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. 
Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr "sssd-ldap"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr "Proveïdor de LDAP de l'SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+"En aquesta pàgina del manual es descriu la configuració de dominis LDAP per "
+"a <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>. Consulteu la secció <quote>FORMAT DE FITXER</"
+"quote> de la pàgina del manual <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> per obtenir "
+"informació detallada de la sintaxi."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr "Podeu configurar SSSD per utilitzar més d'un domini d'LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. 
"
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+"El rerefons LDAP suporta proveïdors d'identificació, autenticació, accés i "
+"canvi de contrasenya. Si voleu autenticar contra un servidor LDAP s'exigeix "
+"TLS/SSL o LDAPS. L'<command>sssd</command> <emphasis>no</emphasis> suporta "
+"autenticació sobre un canal sense xifrar. Si el servidor de LDAP s'utilitza "
+"només com a un proveïdor d'identitats, no és necessari un canal xifrat. Si "
+"us plau, refereiu-vos a l'opció <quote>ldap_access_filter</quote> per a més "
+"informació sobre l'ús d'LDAP com un proveïdor d'accés."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr "OPCIONS DE CONFIGURACIÓ"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr "ldap_uri, ldap_backup_uri (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr "ldap[s]://<host>[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr "exemple: ldap://[fc00::126:25]:389"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
+msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+"Per habilitar el servei descobriment s'ha d'establir "
+"ldap_chpass_dns_service_name."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. 
ldap_uri is used."
+msgstr "Per defecte: buit, és a dir, s'utilitza ldap_uri."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr "ldap_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+"El DN base per defecte a utilitzar per realitzar operacions d'usuari d'LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "Exemples:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+"ldap_search_base = cn=host_specific,dc=exemple,dc=com?subtree?"
+"(host=thishost)?dc=exemple.com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr "ldap_schema (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr "rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr "rfc2307bis"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr "IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr "AD"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. With rfc2307, group members are listed by name in "
+"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
+"group members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute. The AD schema type sets the attributes to correspond with Active "
+"Directory 2008r2 values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:203
+msgid "Default: rfc2307"
+msgstr "Per defecte: rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:209
+msgid "ldap_default_bind_dn (string)"
+msgstr "ldap_default_bind_dn (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:212
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+"El vincle DN per defecte per utilitzar en realitzar les operacions d'LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:219
+msgid "ldap_default_authtok_type (string)"
+msgstr "ldap_default_authtok_type (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:222
+msgid "The type of the authentication token of the default bind DN."
+msgstr "El tipus de testimoni d'autenticació del vincle DN per defecte."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:226
+msgid "The two mechanisms currently supported are:"
+msgstr "Els dos mecanismes suportats actualment són:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:229
+msgid "password"
+msgstr "contrasenya"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:232
+msgid "obfuscated_password"
+msgstr "obfuscated_password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:235
+msgid "Default: password"
+msgstr "Per defecte: password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:241
+msgid "ldap_default_authtok (string)"
+msgstr "ldap_default_authtok (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:244
+msgid ""
+"The authentication token of the default bind DN. Only clear text passwords "
+"are currently supported." 
+msgstr ""
+"El testimoni de l'autenticació de l'omissió s'uneixen DN. Només aclarir "
+"text contrasenyes estan suportats actualment."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:251
+msgid "ldap_user_object_class (string)"
+msgstr "ldap_user_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "The object class of a user entry in LDAP."
+msgstr "La classe d'objecte d'una entrada d'usuari a LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:257
+msgid "Default: posixAccount"
+msgstr "Per defecte: posixAccount"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:263
+msgid "ldap_user_name (string)"
+msgstr "ldap_user_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:266
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr "L'atribut LDAP que correspon al nom de compte de l'usuari."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:270
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:277
+msgid "ldap_user_uid_number (string)"
+msgstr "ldap_user_uid_number (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+"L'atribut LDAP que correspon al númerdo de l'identificador de l'usuari."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:284
+msgid "Default: uidNumber"
+msgstr "Per defecte: uidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:290
+msgid "ldap_user_gid_number (string)"
+msgstr "ldap_user_gid_number (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+"L'atribut LDAP que correspon a l'identificador del grup primari de l'usuari."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929
+msgid "Default: gidNumber"
+msgstr "Per defecte: gidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
+msgid "ldap_user_gecos (string)"
+msgstr "ldap_user_gecos (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:321
+msgid "The LDAP attribute that corresponds to the user's gecos field." 
+msgstr "L'atribut LDAP que correspon al camp gecos de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "Per defecte: gecos" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "L'atribut LDAP que conté el nom del directori inicial de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "Per defecte: homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "L'atribut LDAP que conté el camí al shell per defecte de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "Per defecte: loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" +"L'atribut LDAP que conté la data i hora de l'última modificació de l'objecte " +"pare." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "Per defecte: modifyTimestamp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (data de l'últim canvi de contrasenya)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "Per defecte: shadowLastChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." 
+msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (edat mínima de la contrasenya)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "Per defecte: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (edat màxima de la contrasenya)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "Per defecte: shadowMax" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (període d'advertència de contrasenya)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "Per defecte: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" +"En utilitzar ldap_pwd_policy=shadow, aquest paràmetre conté el nom d'un " +"atribut d'LDAP corresponent al seu homòleg " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (període d'inactivitat de contrasenya)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "Per defecte: shadowInactive" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" +"En utilitzar ldap_pwd_policy=shadow o ldap_account_expire_policy=shadow, " +"aquest paràmetre conté el nom d'un atribut d'LDAP corresponent al seu " +"homòleg <citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> (data de caducitat del compte)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "Per defecte: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" +"En utilitzar ldap_pwd_policy=mit_kerberos, aquest paràmetre conté el nom " +"d'un atribut d'LDAP que emmagatzema la data i hora del darrer canvi de " +"contrasenya en kerberos." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "Per defecte: krbLastPwdChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "ldap_user_krb_password_expiration (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" +"En utilitzar ldap_pwd_policy=mit_kerberos, aquest paràmetre conté el nom " +"d'un atribut d'LDAP que emmagatzema la data i hora d'expiració de la " +"contrasenya actual." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "Per defecte: krbPasswordExpiration" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "ldap_user_ad_account_expires (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "Per defecte: accountExpires" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "ldap_user_ad_user_account_control (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "Per defecte: userAccountControl" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "ldap_ns_account_lock (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "ldap_user_nds_login_disabled (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "Per defecte: loginDisabled" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "ldap_user_nds_login_expiration_time (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "ldap_user_nds_login_allowed_time_map (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "Per defecte: loginAllowedTimeMap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "ldap_user_principal (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" +"L'atribut LDAP que conté el Nom Principal d'Usuari (UPN) de l'usuari de " +"Kerberos." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "Per defecte: krbPrincipalName" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "ldap_user_extra_attrs (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "ldap_user_extra_attrs = telephoneNumber" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "ldap_user_extra_attrs = phone:telephoneNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "ldap_user_ssh_public_key (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "Per defecte: sshPublicKey" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." 
+msgstr "" +"Alguns servidors de directori, per exemple Active Directory, podria entregar " +"la part de l'àmbit de l'UPN en minúscules, que podria provocar que " +"l'autenticació fallàs. Definiu aquesta opció a un valor diferent de zero si " +"voleu utilitzar un àmbit en majúscules." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"Determina cada quant es comprova la memòria cau per entrades inactives " +"(grups sense membres i usuaris que mai no han iniciat una sessió) i eliminar-" +"los per estalviar espai." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "L'atribut LDAP que correspon al nom complet de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "Per defecte: cn" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "L'atribut LDAP que llista la pertanença a grups de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "Per defecte: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." 
+msgstr "" +"Si access_provider=ldap i ldap_access_order=authorized_service, l'SSSD farà " +"servir la presència de l'atribut authorizedService a l'entrada LDAP de " +"l'usuari per determinar els privilegis d'accés." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" +"Una denegació explícita (!svc) es resol en primer lloc. En segon lloc, " +"l'SSSD cerca autoritzacions explícites (svc) i, finalment, allow_all (*)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "Per defecte: authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. 
Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "La classe d'objecte d'una entrada de grup a LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "Per defecte: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "L'atribut LDAP que es correspon amb el nom del grup." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "L'atribut LDAP que correspon a l'identificador del grup." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." 
+msgstr "L'atribut LDAP que conté els noms dels membres del grup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:942
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr "Per defecte: memberuid (rfc2307) / member (rfc2307bis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:948
+msgid "ldap_group_uuid (string)"
+msgstr "ldap_group_uuid (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:951
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:962
+msgid "ldap_group_objectsid (string)"
+msgstr "ldap_group_objectsid (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:965
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP group object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:977
+msgid "ldap_group_modify_timestamp (string)"
+msgstr "ldap_group_modify_timestamp (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:990
+msgid "ldap_group_type (integer)"
+msgstr "ldap_group_type (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:993
+msgid ""
+"The LDAP attribute that contains an integer value indicating the type of the "
+"group and maybe other flags."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:998
+msgid ""
+"This attribute is currently only used by the AD provider to determine if a "
+"group is a domain local groups and has to be filtered out for trusted "
+"domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1004
+msgid "Default: groupType in the AD provider, otherwise not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1011
+msgid "ldap_group_external_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1014
+msgid ""
+"The LDAP attribute that references group members that are defined in an "
+"external domain. At the moment, only IPA's external members are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1020
+msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1027
+msgid "ldap_group_nesting_level (integer)"
+msgstr "ldap_group_nesting_level (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1030
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+"Si ldap_schema s'estableix a un format d'esquema que admeti els grups niats "
+"(p. ex. RFC2307bis), llavors aquesta opció controla quants nivells de "
+"nidificació seguirà l'SSSD. Aquesta opció no té cap efecte sobre l'esquema "
+"RFC2307."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1037
+msgid ""
+"Note: This option specifies the guaranteed level of nested groups to be "
+"processed for any lookup. However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all. However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "Per defecte: 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr "ldap_netgroup_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr "La classe d'objecte d'una entrada de netgroup a LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr "Per defecte: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr "ldap_netgroup_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr "L'atribut LDAP que es correspon amb el nom del netgroup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr "ldap_netgroup_member (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr "L'atribut LDAP que conté els noms dels membres del netgroup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr "Per defecte: memberNisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr "ldap_netgroup_triple (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+"L'atribut LDAP que conté les tripletes netgroup (maquina, usuari, domini)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr "Per defecte: nisNetgroupTriple"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr "ldap_netgroup_modify_timestamp (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr "Per defecte: ipService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr "Per defecte: el valor de <emphasis>ldap_search_base</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr "ldap_service_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr "ldap_service_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr "ldap_service_port (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1357
+msgid "Default: ipServicePort"
+msgstr "Per defecte: ipServicePort"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1363
+msgid "ldap_service_proto (string)"
+msgstr "ldap_service_proto (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1366
+msgid ""
+"The LDAP attribute that contains the protocols understood by this service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1370
+msgid "Default: ipServiceProtocol"
+msgstr "Per defecte: ipServiceProtocol"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1376
+msgid "ldap_service_search_base (string)"
+msgstr "ldap_service_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1381
+msgid "ldap_search_timeout (integer)"
+msgstr "ldap_search_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1384
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr "ldap_enumeration_search_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr "ldap_network_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+"Especifica el temps d'espera (en segons) després que el "
+"<citerefentry><refentrytitle>sondeig</refentrytitle> <manvolnum>2</"
+"manvolnum></citerefentry>/<citerefentry><refentrytitle>selecció</"
+"refentrytitle> <manvolnum>2</manvolnum></citerefentry> seguit d'una "
+"<citerefentry><refentrytitle>connexió</refentrytitle> <manvolnum>2</"
+"manvolnum></citerefentry> retorna en cas de cap activitat."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr "ldap_opt_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr "ldap_connection_expire_timeout (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. After this time, the connection will be re-established. If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr "Per defecte: 900 (15 minuts)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr "ldap_page_size (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr "Per defecte: 1000"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr "ldap_disable_paging (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control. This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1502
+msgid ""
+"Example: OpenLDAP servers with the paging control module installed on the "
+"server but not enabled will report it in the RootDSE but be unable to use it."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1508
+msgid ""
+"Example: 389 DS has a bug where it can only support a one paging control at "
+"a time on a single connection. On busy clients, this can result in some "
+"requests being denied."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1520
+msgid "ldap_disable_range_retrieval (boolean)"
+msgstr "ldap_disable_range_retrieval (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1523
+msgid "Disable Active Directory range retrieval."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1526
+msgid ""
+"Active Directory limits the number of members to be retrieved in a single "
+"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
+"group contains more members, the reply would include an AD-specific range "
+"extension. This option disables parsing of the range extension, therefore "
+"large groups will appear as having no members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1541
+msgid "ldap_sasl_minssf (integer)"
+msgstr "ldap_sasl_minssf (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1544
+msgid ""
+"When communicating with an LDAP server using SASL, specify the minimum "
+"security level necessary to establish the connection. The values of this "
+"option are defined by OpenLDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1550
+msgid "Default: Use the system default (usually specified by ldap.conf)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1557
+msgid "ldap_deref_threshold (integer)"
+msgstr "ldap_deref_threshold (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1560
+msgid ""
+"Specify the number of group members that must be missing from the internal "
+"cache in order to trigger a dereference lookup. If less members are missing, "
+"they are looked up individually."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1566
+msgid ""
+"You can turn off dereference lookups completely by setting the value to 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1570
+msgid ""
+"A dereference lookup is a means of fetching all group members in a single "
+"LDAP call. Different LDAP servers may implement different dereference "
+"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+"Directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1578
+msgid ""
+"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+"filter, then the dereference lookup performance enhancement will be disabled "
+"regardless of this setting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1591
+msgid "ldap_tls_reqcert (string)"
+msgstr "ldap_tls_reqcert (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1594
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+"Especifica quines comprovacions s'han de realitzar sobre els certificats de "
+"servidor en una sessió TLS, si s'escau. Es pot especificar com un dels "
+"valors següents:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1600
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+"<emphasis>never</emphasis> = El client no demanarà o comprovarà cap "
+"certificat del servidor."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1604
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+"<emphasis>allow</emphasis> = El certificat del servidor se sol·licitarà. Si "
+"no es proporciona cap certificat, la sessió avança normalment. Si es "
+"proporciona un certificat dolent, s'ignorarà i la sessió procedirà "
+"normalment."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+"<emphasis>try</emphasis> = El certificat del servidor se sol·licitarà. Si no "
+"es proporciona cap certificat, la sessió avança normalment. Si es "
+"proporciona un certificat dolent, immediatament s'acaba la sessió."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+"<emphasis>demand</emphasis> = El certificat del servidor se sol·licitarà. Si "
+"no es proporciona cap certificat, o se'n proporciona un de dolent, "
+"immediatament s'acaba la sessió."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr "Per defecte: hard"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr "ldap_tls_cacert (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+"Especifica el fitxer que conté els certificats per a totes les Autoritats de "
+"Certificació que reconeixerà l'<command>sssd</command>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+"Per defecte: Utilitza els valors per defecte d'OpenLDAP, normalment a "
+"<filename>/etc/openldap/ldap.conf</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr "ldap_tls_cacertdir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+"Especifica el camí al directori que conté els certificats de l'autoritat "
+"certificadora en fitxers separats independents. Normalment els noms dels "
+"fitxers són el hash del certificat seguit de '. 0'. Si està disponible, "
+"<command>cacertdir_rehash</command> es pot utilitzar per crear els noms "
+"correctes."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr "ldap_tls_cert (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1669
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1679
+msgid "ldap_tls_key (string)"
+msgstr "ldap_tls_key (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1682
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1691
+msgid "ldap_tls_cipher_suite (string)"
+msgstr "ldap_tls_cipher_suite (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1694
+msgid ""
+"Specifies acceptable cipher suites. Typically this is a colon separated "
+"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1707
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr "ldap_id_use_start_tls (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1710
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+"Especifica que la connexió id_provider també ha d'utilitzar <systemitem "
+"class=\"protocol\">tls</systemitem> per a protegir el canal."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1720
+msgid "ldap_id_mapping (boolean)"
+msgstr "ldap_id_mapping (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1723
+msgid ""
+"Specifies that SSSD should attempt to map user and group IDs from the "
+"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+"on ldap_user_uid_number and ldap_group_gid_number."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1729
+msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1739
+msgid "ldap_min_id, ldap_max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1742
+msgid ""
+"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+"set to true the allowed ID range for ldap_user_uid_number and "
+"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
+"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
+"can be set to restrict the allowed range for the IDs which are read directly "
+"from the server. Sub-domains can then pick other ranges to map IDs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1754
+msgid "Default: not set (both options are set to 0)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1760
+msgid "ldap_sasl_mech (string)"
+msgstr "ldap_sasl_mech (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1763
+msgid ""
+"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
+"supported."
+msgstr "" +"Especifica el mecanisme SASL a utilitzar. Actualment només GSSAPI és provat " +"i suportat." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "Per defecte: el valor de krb5_realm." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "Per defecte: false;" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "Especifica el fitxer keytab a utilitzar quan s'utilitza SASL/GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" +"Per defecte: Fitxer keytab de sistema, normalment <filename>/etc/krb5." +"keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (booleà)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" +"Especifica que id_provider ha d'iniciar les credencials del Kerberos (TGT). " +"Aquesta acció únicament es realitza si s'utilitza SASL i el mecanisme " +"seleccionat és GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "Especifica el temps de vida en segons de la TGT si s'utilitza GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "Per defecte: 86400 (24 hores)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. 
If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" +"Quan s'utilitza el servei de descobriment per als servidors KDC o kpasswd, " +"l'SSSD primer cerca les entrades DNS que especifiquen _udp com el protocol i " +"retorna a _tcp si no se'n troba cap." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" +"Aquesta opció s'anomenava <quote>krb5_kdcip</quote> en les primeres versions " +"de l'SSSD. Mentre que el nom antic és reconegut de moment, s'aconsella als " +"usuaris que migrin els seus fitxers de configuració per utilitzar " +"<quote>krb5_server</quote>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "Especifica l'àmbit KERBEROS (per a l'autenticació SASL/GSSAPI)." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" +"Per defecte: Paràmetres predeterminats del sistema, vegeu <filename>/etc/" +"krb5.conf</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" +"Selecciona la política per avaluar la caducitat de la contrasenya en el " +"costat del client. S'admeten els valors següents:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" +"<emphasis>none</emphasis> - Cap avaluació del costat del client. Aquesta " +"opció no inhabilita les polítiques de contrasenya de servidor." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" +"<emphasis>mit_kerberos</emphasis> - Usa els atributs utilitzats per MIT " +"Kerberos per determinar si la contrasenya ha caducat. Utilitza " +"chpass_provider=krb5 per actualitzar aquests atributs quan es canvia la " +"contrasenya." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" +"Especifica si el seguiment automàtic del referenciador s'hauria d'habilitar." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" +"Tingueu en compte que l'sssd només admet l'encadenament de les referències " +"quan es compila amb la versió 2.4.13 o superiors d'OpenLDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" +"Especifica el nom de servei per utilitzar quan està habilitada la detecció " +"de serveis." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "Per defecte: ldap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"Especifica el nom del servei a utilitzar per trobar un servidor LDAP que " +"permeti els canvis de contrasenyes quan estigui habilitat el descobriment " +"dels serveis." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" +"Defecte: no definit, és a dir, el descobriment de serveis està inhabilitat" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "Exemple:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "Per defecte: Buit" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"Amb aquesta opció es pot habilitar una avaluació del costat de client " +"d'atributs de control d'accés." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" +"Si us plau, tingueu en compte que sempre és recomanable utilitzar el control " +"d'accés del costat de servidor, és a dir, el servidor d'LDAP hauria de " +"denegar la petició de vincle amb un codi d'error adequat fins i tot si la " +"contrasenya és correcta." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "S'admeten els valors següents:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" +"<emphasis>shadow</emphasis>: utilitza el valor ldap_user_shadow_expire per " +"determinar si el compte ha caducat." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"Llista separada per comes d'opcions de control d'accés. Els valors permesos " +"són:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: utilitza ldap_access_filter" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: utilitza ldap_account_expire_policy" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" +"<emphasis>authorized_service</emphasis>: utilitza l'atribut " +"authorizedService per determinar l'accés" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "Per defecte: filter" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" +"Si us plau, tingueu en compte que és un error de configuració si un valor " +"s'utilitza més d'una vegada." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "ldap_pwdlockout_dn (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "Exemple: cn=ppolicy,ou=policies,dc=exemple,dc=com" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "Per defecte: cn=ppolicy,ou=policies,$ldap_search_base" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "ldap_deref (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. 
The "
+"following options are allowed:"
+msgstr ""
+"Especifica com es realitza l'eliminació de les referències dels àlies quan "
+"es fa una cerca. S'admeten les opcions següents:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2295
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+"<emphasis>never</emphasis>: les referències dels àlies mai són eliminades."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2299
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+"<emphasis>searching</emphasis>: les referències dels àlies són eliminades en "
+"subordinats de l'objecte base, però no en la localització de l'objecte base "
+"de la cerca."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2304
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+"<emphasis>finding</emphasis>: les referències dels àlies són eliminades "
+"només en localitzar l'objecte base de la cerca."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2309
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+"<emphasis>always</emphasis>: les referències dels àlies són eliminades tant "
+"en la recerca i en la localització de l'objecte base de la cerca."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2314
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+"Per defecte: Buit (això es tractarà com a <emphasis>never</emphasis> amb les "
+"biblioteques de client LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2322
+msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+msgstr "ldap_rfc2307_fallback_to_local_users (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2325
+msgid ""
+"Allows to retain local users as members of an LDAP group for servers that "
+"use the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2329
+msgid ""
+"In some environments where the RFC2307 schema is used, local users are made "
+"members of LDAP groups by adding their names to the memberUid attribute. "
+"The self-consistency of the domain is compromised when this is done, so SSSD "
+"would normally remove the \"missing\" users from the cached group "
+"memberships as soon as nsswitch tries to fetch information about the user "
+"via getpw*() or initgroups() calls."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2340
+msgid ""
+"This option falls back to checking if local users are referenced, and caches "
+"them so that later initgroups() calls will augment the local users with the "
+"additional LDAP groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136
+msgid "wildcard_limit (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2355
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2359
+msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2363
+msgid "Default: 1000 (often the size of one page)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Totes les opcions comunes de configuració que s'apliquen als dominis SSD "
+"també s'apliquen als dominis LDAP. Referiu-vos a la secció <quote>SECCIONS "
+"DE DOMINI</quote> de la pàgina de manual de <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> per a tots els detalls. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2373
+msgid "SUDO OPTIONS"
+msgstr "OPCIONS DE SUDO"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2375
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2386
+msgid "ldap_sudorule_object_class (string)"
+msgstr "ldap_sudorule_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2389
+msgid "The object class of a sudo rule entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2392
+msgid "Default: sudoRole"
+msgstr "Per defecte: sudoRole"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2398
+msgid "ldap_sudorule_name (string)"
+msgstr "ldap_sudorule_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2401
+msgid "The LDAP attribute that corresponds to the sudo rule name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2411
+msgid "ldap_sudorule_command (string)"
+msgstr "ldap_sudorule_command (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2414
+msgid "The LDAP attribute that corresponds to the command name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2418
+msgid "Default: sudoCommand"
+msgstr "Per defecte: sudoCommand"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2424
+msgid "ldap_sudorule_host (string)"
+msgstr "ldap_sudorule_host (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2427
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2432
+msgid "Default: sudoHost"
+msgstr "Per defecte: sudoHost"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2438
+msgid "ldap_sudorule_user (string)"
+msgstr "ldap_sudorule_user (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2441
+msgid ""
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2445
+msgid "Default: sudoUser"
+msgstr "Per defecte: sudoUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2451
+msgid "ldap_sudorule_option (string)"
+msgstr "ldap_sudorule_option (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2454
+msgid "The LDAP attribute that corresponds to the sudo options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2458
+msgid "Default: sudoOption"
+msgstr "Per defecte: sudoOption"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2464
+msgid "ldap_sudorule_runasuser (string)"
+msgstr "ldap_sudorule_runasuser (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2467
+msgid ""
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2471
+msgid "Default: sudoRunAsUser"
+msgstr "Per defecte: sudoRunAsUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2477
+msgid "ldap_sudorule_runasgroup (string)"
+msgstr "ldap_sudorule_runasgroup (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2480
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2484
+msgid "Default: sudoRunAsGroup"
+msgstr "Per defecte: sudoRunAsGroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2490
+msgid "ldap_sudorule_notbefore (string)"
+msgstr "ldap_sudorule_notbefore (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2493
+msgid ""
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2497
+msgid "Default: sudoNotBefore"
+msgstr "Per defecte: sudoNotBefore"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2503
+msgid "ldap_sudorule_notafter (string)"
+msgstr "ldap_sudorule_notafter (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2506
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2511
+msgid "Default: sudoNotAfter"
+msgstr "Per defecte: sudoNotAfter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2517
+msgid "ldap_sudorule_order (string)"
+msgstr "ldap_sudorule_order (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2520
+msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2524
+msgid "Default: sudoOrder"
+msgstr "Per defecte: sudoOrder"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2530
+msgid "ldap_sudo_full_refresh_interval (integer)"
+msgstr "ldap_sudo_full_refresh_interval (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2533
+msgid ""
+"How many seconds SSSD will wait between executing a full refresh of sudo "
+"rules (which downloads all rules that are stored on the server)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2538
+msgid ""
+"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2543
+msgid "Default: 21600 (6 hours)"
+msgstr "Per defecte: 21600 (6 hores)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2549
+msgid "ldap_sudo_smart_refresh_interval (integer)"
+msgstr "ldap_sudo_smart_refresh_interval (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2552
+msgid ""
+"How many seconds SSSD has to wait before executing a smart refresh of sudo "
+"rules (which downloads all rules that have USN higher than the highest USN "
+"of cached rules)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2558
+msgid ""
+"If USN attributes are not supported by the server, the modifyTimestamp "
+"attribute is used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2568
+msgid "ldap_sudo_use_host_filter (boolean)"
+msgstr "ldap_sudo_use_host_filter (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2571
+msgid ""
+"If true, SSSD will download only rules that are applicable to this machine "
+"(using the IPv4 or IPv6 host/network addresses and hostnames)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2582
+msgid "ldap_sudo_hostnames (string)"
+msgstr "ldap_sudo_hostnames (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2585
+msgid ""
+"Space separated list of hostnames or fully qualified domain names that "
+"should be used to filter the rules."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2590
+msgid ""
+"If this option is empty, SSSD will try to discover the hostname and the "
+"fully qualified domain name automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636
+#: sssd-ldap.5.xml:2654
+msgid ""
+"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+"emphasis> then this option has no effect."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623
+msgid "Default: not specified"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2606
+msgid "ldap_sudo_ip (string)"
+msgstr "ldap_sudo_ip (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2609
+msgid ""
+"Space separated list of IPv4 or IPv6 host/network addresses that should be "
+"used to filter the rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2614
+msgid ""
+"If this option is empty, SSSD will try to discover the addresses "
+"automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2629
+msgid "ldap_sudo_include_netgroups (boolean)"
+msgstr "ldap_sudo_include_netgroups (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2632
+msgid ""
+"If true then SSSD will download every rule that contains a netgroup in "
+"sudoHost attribute."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2647
+msgid "ldap_sudo_include_regexp (boolean)"
+msgstr "ldap_sudo_include_regexp (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2650
+msgid ""
+"If true then SSSD will download every rule that contains a wildcard in "
+"sudoHost attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2666
+msgid ""
+"This manual page only describes attribute name mapping. For detailed "
+"explanation of sudo related attribute semantics, see <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2676
+msgid "AUTOFS OPTIONS"
+msgstr "OPCIONS D'AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2678
+msgid ""
+"Some of the defaults for the parameters below are dependent on the LDAP "
+"schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2684
+msgid "ldap_autofs_map_master_name (string)"
+msgstr "ldap_autofs_map_master_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2687
+msgid "The name of the automount master map in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2690
+msgid "Default: auto.master"
+msgstr "Per defecte: auto.master"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2697
+msgid "ldap_autofs_map_object_class (string)"
+msgstr "ldap_autofs_map_object_class (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2700
+msgid "The object class of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr "ldap_autofs_map_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr "ldap_autofs_entry_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr "ldap_autofs_entry_key (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr "ldap_autofs_entry_value (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "OPCIONS AVANÇADES"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr "<note>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr "</note>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr "ldap_sudo_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr "ldap_autofs_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "EXEMPLE"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+"L'exemple següent presuposa que l'SSSD està correctament configurat i l'LDAP "
+"està definit com a un dels dominis a la secció <replaceable>[domains]</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "NOTES"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+"Les descripcions d'algunes de les opcions de configuració en aquesta pàgina "
+"del manual es basen en la pàgina del manual <citerefentry>de "
+"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> de la distribució d'OpenLDAP 2.4."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "Mòdul de PAM per SSSD"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+"<command>pam_sss.so</command> és la interfície PAM a l'SSSD (System Security "
+"Services daemon). Els errors i els resultats es registren a través de "
+"<command>syslog(3)</command> amb el canal LOG_AUTHPRIV."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr "Suprimeix el registre dels missatges per als usuaris desconeguts."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+"Si s'estableix <option>forward_pass</option>, la contrasenya que "
+"s'introdueix es posa a la pila perquè els altres mòduls del PAM l'utilitzin."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+"L'argument use_first_pass obliga al mòdul que utilitzi una contrasenya "
+"apilada anteriorment dels mòduls i mai ho demanarà l'usuari - si no hi ha "
+"cap contrasenya o no és correcta, es denegarà l'accés a l'usuari."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+"Quan el canvi de contrasenya força al mòdul a establir la nova contrasenya a "
+"la proporcionada per un mòdul de contrasenya prèviament apilat."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" +"Si s'especifica, en cas de fallar l'autenticació a l'usuari se li demanarà N " +"vegades més una contrasenya. Per defecte és 0." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" +"Si us plau, tingueu en compte que aquesta opció podria no funcionar com " +"s'espera si l'aplicació que crida PAM gestiona pel seu compte el diàleg amb " +"l'usuari. Un exemple típic és <command>sshd</command> amb " +"<option>PasswordAuthentication</option>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "<option>ignore_unknown_user</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" +"Si s'especifica aquesta opció i no existeix l'usuari, el mòdul PAM retornarà " +"PAM_IGNORE. Això provoca que el marc de treball del PAM ignori aquest mòdul." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "<option>ignore_authinfo_unavail</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" +"Especifica que el mòdul PAM ha de retornar PAM_IGNORE si no pot contactar " +"amb el domini SSSD. Això provoca que el marc de treball del PAM ignori " +"aquest mòdul." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "<option>domains</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" +"Permet a l'administrador que restringeixi els dominis que un servei PAM " +"concret pot autentificar-s'hi. El format és una llista separada per comes " +"dels noms dels dominis SSSD, com s'especifica al fitxer sssd.conf." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" +"NOTA: Ha d'utilitzar-se juntament amb les opcions <quote>pam_trusted_users</" +"quote> i <quote>pam_public_domains</quote>. 
Si us plau, vegeu la pàgina del " +"manual de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> per a més informació sobre aquestes " +"dues opcions del contestador del PAM." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. 
Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "TIPUS DE MÒDULS PROPORCIONATS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" +"Es proporcionen tots els tipus de mòduls (<option>account</option>, " +"<option>auth</option>, <option>password</option> i <option>session</option>)." + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "FITXERS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" +"Si falla el restabliment d'una contrasenya per root, perquè el proveïdor " +"SSSD corresponent no admet el restabliment de les contrasenyes, es pot " +"mostrar un missatge concret. Aquest missatge per exemple pot contenir les " +"instruccions sobre com es restableix una contrasenya." + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. 
Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" +"El missatge es llegeix del fitxer <filename>pam_sss_pw_reset_message.LOC</" +"filename> on LOC representa una cadena de la configuració regional retornada " +"amb <citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</" +"manvolnum> </citerefentry>. Si no hi ha cap coincidència, es mostra el " +"contingut del fitxer <filename>pam_sss_pw_reset_message.txt</filename>. El " +"propietari dels fitxers ha de ser root i tan sols root ha de tenir els " +"permisos de lectura i escriptura, mentre que tots els altres usuaris " +"únicament han de tenir els permisos de lectura." + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" +"Aquests fitxers se cerquen al directori <filename>/etc/sssd/customize/" +"NOM_DOMINI/</filename>. Si no hi ha present cap fitxer que hi coincideixi, " +"es mostrarà un missatge genèric." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "sssd_krb5_locator_plugin" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. 
Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" +"No totes les implementacions del Kerberos admeten l'ús de connectors. Si " +"<command>sssd_krb5_locator_plugin</command> no estigués disponible al vostre " +"sistema, heu d'editar /etc/krb5.conf per reflectir la vostra configuració " +"del Kerberos." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" +"el fitxer de configuració per al proveïdor de control d'accés 'simple' de " +"l'SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" +"En aquesta pàgina del manual es descriu la configuració del proveïdor de " +"control d'accés simple per a <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum></citerefentry>. Per a una " +"referència detallada de la sintaxi, aneu a la secció <quote>FORMAT DEL " +"FITXER</quote> de la pàgina del manual <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. 
The following rules apply:" +msgstr "" +"El proveïdor d'accés simple concedeix o denega l'accés basat en una llista " +"d'accés o denegació dels noms dels usuaris o dels noms dels grups. " +"S'apliquen les regles següents:" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "Si totes les llistes estan buides, es concedeix l'accés" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" +"Si es proporciona alguna llista, l'ordre d'avaluació és permissió, " +"denegació. Això vol dir que qualsevol coincidència amb la regla de denegació " +"reemplaçarà qualsevol coincidència amb la regla de permissió." + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" +"Si es proporcionen una o ambdues llistes de \"permissió\", tots els usuaris " +"són denegats excepte els que apareixen a la llista." + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" +"Si només es proporcionen llistes de \"denegació\", es concedeix l'accés a " +"tots els usuaris excepte els que apareixen a la llista." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" +"Llista separada per comes dels usuaris a qui se'ls permet iniciar la sessió." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" +"Llista separada per comes dels usuaris a qui se'ls denega explícitament " +"l'accés." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" +"Llista separada per comes dels grups a qui se'ls permet iniciar la sessió. " +"Això s'aplica únicament als grups dins d'aquest domini SSSD. No s'avaluen " +"els grups locals." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." 
+msgstr ""
+"Llista separada per comes dels grups a qui se'ls denega explícitament "
+"l'accés. Això s'aplica únicament als grups dins d'aquest domini SSSD. No "
+"s'avaluen els grups locals."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Per a més informació sobre la configuració d'un domini SSSD, consulteu la "
+"secció <quote>SECCIONS DELS DOMINIS</quote> de la pàgina del manual "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+"Si us plau, tingueu en compte que és un error de configuració si es "
+"defineixen alhora simple_allow_users i simple_deny_users."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr "" +"En el següent exemple s'assumeix que l'SSD està configurat correctament i " +"que exemple.com és un dels dominis de la secció <replaceable>[sssd]</" +"replaceable>. En aquest exemple es mostren únicament les opcions " +"específiques del proveïdor d'accés simple." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" +"[domini/exemple.com]\n" +"access_provider = simple\n" +"simple_allow_users = usuari1, usuari2\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" +"La jerarquia completa de la pertinença a un grup es resol abans de la " +"comprovació de l'accés, de manera que fins i tot els grups imbricats es " +"poden incloure a les llistes d'accés. Si us plau, tingueu cura que l'opció " +"<quote>ldap_group_nesting_level</quote> pot influir amb els resultats i s'ha " +"d'establir amb un valor suficient. L'opció (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>)." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:312
+msgid "<SAN:iPAddress>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:315
+msgid "Match the value of the iPAddress SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:318
+msgid "Example: <SAN:iPAddress>192\\.168\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:323
+msgid "<SAN:registeredID>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:326
+msgid "Match the value of the registeredID SAN as dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:330
+msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:68
+msgid ""
+"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. 
The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:461
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by pkinit. The 'short_name' component represents the first part of the "
+"principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:467
+msgid ""
+"Example: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:472
+msgid "{subject_nt_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:475
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by AD. 
The 'short_name' component represent the first part of the principal "
+"before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:486
+msgid "{subject_rfc822_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:489
+msgid ""
+"This template will add the string which is stored in the rfc822Name "
+"component of the SAN, typically an email address. The 'short_name' component "
+"represents the first part of the address before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:495
+msgid ""
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:500
+msgid "{subject_dns_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:503
+msgid ""
+"This template will add the string which is stored in the dNSName component "
+"of the SAN, typically a fully-qualified host name. The 'short_name' "
+"component represents the first part of the name before the first '.' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:509
+msgid ""
+"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:514
+msgid "{subject_uri}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:517
+msgid ""
+"This template will add the string which is stored in the "
+"uniformResourceIdentifier component of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:521
+msgid "Example: (uri={subject_uri})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:526
+msgid "{subject_ip_address}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:529
+msgid ""
+"This template will add the string which is stored in the iPAddress component "
+"of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:533
+msgid "Example: (ip={subject_ip_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:538
+msgid "{subject_x400_address}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:541
+msgid ""
+"This template will add the value which is stored in the x400Address "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:546
+msgid "Example: (attr:binary={subject_x400_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:551
+msgid ""
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:554
+msgid ""
+"This template will add the DN string of the value which is stored in the "
+"directoryName component of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:558
+msgid "Example: (orig_dn={subject_directory_name})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:563
+msgid "{subject_ediparty_name}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:566
+msgid ""
+"This template will add the value which is stored in the ediPartyName "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:571
+msgid "Example: (attr:binary={subject_ediparty_name})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:576
+msgid "{subject_registered_id}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:579
+msgid ""
+"This template will add the OID which is stored in the registeredID component "
+"of the SAN as a dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:584
+msgid "Example: (oid={subject_registered_id})"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:369
+msgid ""
+"The templates to add certificate data to the search filter are based on "
+"Python-style formatting strings. They consist of a keyword in curly braces "
+"with an optional sub-component specifier separated by a '.' or an optional "
+"conversion/formatting option separated by a '!'. Allowed values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:592
+msgid "DOMAIN LIST"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:594
+msgid ""
+"If the domain list is not empty users mapped to a given certificate are not "
+"only searched in the local domain but in the listed domains as well as long "
+"as they are know by SSSD. Domains not know to SSSD will be ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr "sssd-ipa"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ipa.5.xml:17
+msgid "SSSD IPA provider"
+msgstr "Proveïdor d'IPA de l'SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"En aquesta pàgina del manual es descriu la configuració del proveïdor IPA "
+"per a <citerefentry><refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry>. 
Per una referència detallada sintaxi, aneu a la "
+"secció de <quote>FORMAT DE FITXER</quote> de la pàgina del manual "
+"<citerefentry>d'<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server. (Refer to "
+"the freeipa.org web site for information about IPA servers.) This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+"El proveïdor d'IPA és un programari especialitzat que s'utilitza per "
+"connectar a un servidor IPA. (Consulteu el lloc web freeipa.org per obtenir "
+"informació sobre els servidors IPA). Aquest proveïdor requereix que "
+"s'afegeixi la màquina al domini d'IPA; la configuració s'autodescobreix "
+"gairebé totalment i s'obté directament del servidor."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control) rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
+"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:73
+msgid ""
+"The IPA provider will use the PAC responder if the Kerberos tickets of users "
+"from trusted realms contain a PAC. To make configuration easier the PAC "
+"responder is started automatically if the IPA ID provider is configured."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:89
+msgid "ipa_domain (string)"
+msgstr "ipa_domain (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:92
+msgid ""
+"Specifies the name of the IPA domain. This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+"Especifica el nom del domini IPA. És opcional. Si no se n'especifica cap, "
+"s'utilitza el nom de domini de la configuració."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:100
+msgid "ipa_server, ipa_backup_server (string)"
+msgstr "ipa_server, ipa_backup_server (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:103
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:116
+msgid "ipa_hostname (string)"
+msgstr "ipa_hostname (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:119
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host. The "
+"hostname must be fully qualified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866
+msgid "dyndns_update (boolean)"
+msgstr "dyndns_update (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:131
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA with the IP address of this client. The update is secured "
+"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
+"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
+"quote> option."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880
+msgid ""
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+"the default Kerberos realm must be set properly in /etc/krb5.conf"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:145
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891
+msgid "dyndns_ttl (integer)"
+msgstr "dyndns_ttl (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894
+msgid ""
+"The TTL to apply to the client DNS record when updating it. If "
+"dyndns_update is false this has no effect. This will override the TTL "
+"serverside if set by an administrator."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:165
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:171
+msgid "Default: 1200 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905
+msgid "dyndns_iface (string)"
+msgstr "dyndns_iface (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908
+msgid ""
+"Optional. Applicable only when dyndns_update is true. Choose the interface "
+"or a list of interfaces whose IP addresses should be used for dynamic DNS "
+"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
+"should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:187
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:193
+msgid ""
+"Default: Use the IP addresses of the interface which is used for IPA LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919
+msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970
+msgid "dyndns_auth (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"updates with the DNS server, insecure updates can be sent by setting this "
+"option to 'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979
+msgid "Default: GSS-TSIG"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:218
+msgid "ipa_enable_dns_sites (boolean)"
+msgstr "ipa_enable_dns_sites (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
+msgid "Enables DNS sites - location based service discovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:225
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, then the SSSD will first attempt location "
+"based discovery using a query that contains \"_location.hostname.example.com"
+"\" and then fall back to traditional SRV discovery. If the location based "
+"discovery succeeds, the IPA servers located with the location based "
+"discovery are treated as primary servers and the IPA servers located using "
+"the traditional SRV discovery are used as back up servers"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925
+msgid "dyndns_refresh_interval (integer)"
+msgstr "dyndns_refresh_interval (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:247
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943
+msgid "dyndns_update_ptr (bool)"
+msgstr "dyndns_update_ptr (booleà)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946
+msgid ""
+"Whether the PTR record should also be explicitly updated when updating the "
+"client's DNS records. Applicable only when dyndns_update is true."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:268
+msgid ""
+"This option should be False in most IPA deployments as the IPA server "
+"generates the PTR records automatically when forward records are changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:274
+msgid "Default: False (disabled)"
+msgstr "Per defecte: False (inhabilitat)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957
+msgid "dyndns_force_tcp (bool)"
+msgstr "dyndns_force_tcp (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960
+msgid ""
+"Whether the nsupdate utility should default to using TCP for communicating "
+"with the DNS server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964
+msgid "Default: False (let nsupdate choose the protocol)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985
+msgid "dyndns_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988
+msgid ""
+"The DNS server to use when performing a DNS update. In most setups, it's "
+"recommended to leave this option unset."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993
+msgid ""
+"Setting this option makes sense for environments where the DNS server is "
+"different from the identity server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998
+msgid ""
+"Please note that this option will be only used in fallback attempt when "
+"previous attempt using autodetected settings failed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003
+msgid "Default: None (let nsupdate choose the server)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:317
+msgid "ipa_deskprofile_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:320
+msgid ""
+"Optional. Use the given string as search base for Desktop Profile related "
+"objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337
+msgid "Default: Use base DN"
+msgstr "Per defecte: Utilitza el DN base"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:330
+msgid "ipa_hbac_search_base (string)"
+msgstr "ipa_hbac_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:333
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:343
+msgid "ipa_host_search_base (string)"
+msgstr "ipa_host_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:346
+msgid "Deprecated. Use ldap_host_search_base instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:352
+msgid "ipa_selinux_search_base (string)"
+msgstr "ipa_selinux_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:355
+msgid "Optional. Use the given string as search base for SELinux user maps."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:371
+msgid "ipa_subdomains_search_base (string)"
+msgstr "ipa_subdomains_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:374
+msgid "Optional. Use the given string as search base for trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:383
+msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:390
+msgid "ipa_master_domain_search_base (string)"
+msgstr "ipa_master_domain_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:393
+msgid "Optional. Use the given string as search base for master domain object."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:402
+msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:409
+msgid "ipa_views_search_base (string)"
+msgstr "ipa_views_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:412
+msgid "Optional. Use the given string as search base for views containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:421
+msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:431
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:435
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012
+msgid "krb5_confd_path (string)"
+msgstr "krb5_confd_path (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023
+msgid ""
+"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:461
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:464
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431
+msgid "Default: 5 (seconds)"
+msgstr "Per defecte: 5 (segons)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:477
+msgid "ipa_deskprofile_request_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:480
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server in case the last request did not return any rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:485
+msgid "Default: 60 (minutes)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:491
+msgid "ipa_hbac_refresh (integer)"
+msgstr "ipa_hbac_refresh (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:494
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:507
+msgid "ipa_hbac_selinux (integer)"
+msgstr "ipa_hbac_selinux (enter)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:510
+msgid ""
+"The amount of time between lookups of the SELinux maps against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many user login requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:523
+msgid "ipa_server_mode (boolean)"
+msgstr "ipa_server_mode (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:526
+msgid ""
+"This option will be set by the IPA installer (ipa-server-install) "
+"automatically and denotes if SSSD is running on an IPA server or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:531
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:536
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:541
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:550
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:565
+msgid "ipa_automount_location (string)"
+msgstr "ipa_automount_location (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "The automounter location this IPA client will be using"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:571
+msgid "Default: The location named \"default\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:579
+msgid "VIEWS AND OVERRIDES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:588
+msgid "ipa_view_class (string)"
+msgstr "ipa_view_class (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:591
+msgid "Objectclass of the view container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:594
+msgid "Default: nsContainer"
+msgstr "Per defecte: nsContainer"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:600
+msgid "ipa_view_name (string)"
+msgstr "ipa_view_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:603
+msgid "Name of the attribute holding the name of the view."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:613
+msgid "ipa_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:616
+msgid "Objectclass of the override objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:619
+msgid "Default: ipaOverrideAnchor"
+msgstr "Per defecte: ipaOverrideAnchor"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:625
+msgid "ipa_anchor_uuid (string)"
+msgstr "ipa_anchor_uuid (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:628
+msgid ""
+"Name of the attribute containing the reference to the original object in a "
+"remote domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: ipaAnchorUUID"
+msgstr "Per defecte: ipaAnchorUUID"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_user_override_object_class (string)"
+msgstr "ipa_user_override_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"Name of the objectclass for user overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:646
+msgid "User overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:649
+msgid "ldap_user_name"
+msgstr "ldap_user_name"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:652
+msgid "ldap_user_uid_number"
+msgstr "ldap_user_uid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:655
+msgid "ldap_user_gid_number"
+msgstr "ldap_user_gid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:658
+msgid "ldap_user_gecos"
+msgstr "ldap_user_gecos"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:661
+msgid "ldap_user_home_directory"
+msgstr "ldap_user_home_directory"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:664
+msgid "ldap_user_shell"
+msgstr "ldap_user_shell"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:667
+msgid "ldap_user_ssh_public_key"
+msgstr "ldap_user_ssh_public_key"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:672
+msgid "Default: ipaUserOverride"
+msgstr "Per defecte: ipaUserOverride"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:678
+msgid "ipa_group_override_object_class (string)"
+msgstr "ipa_group_override_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:681
+msgid ""
+"Name of the objectclass for group overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:686
+msgid "Group overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:689
+msgid "ldap_group_name"
+msgstr "ldap_group_name"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:692
+msgid "ldap_group_gid_number"
+msgstr "ldap_group_gid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:697
+msgid "Default: ipaGroupOverride"
+msgstr "Per defecte: ipaGroupOverride"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:581
+msgid ""
+"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
+"later version. Since all paths and objectclasses are fixed on the server "
+"side there is basically no need to configure anything. For completeness the "
+"related options are listed here with their default values. <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:709
+msgid "SUBDOMAINS PROVIDER"
+msgstr "PROVEÏDOR DELS SUBDOMINIS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:711
+msgid ""
+"The IPA subdomains provider behaves slightly differently if it is configured "
+"explicitly or implicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:715
+msgid ""
+"If the option 'subdomains_provider = ipa' is found in the domain section of "
+"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+"subdomain requests are sent to the IPA server if necessary."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:721
+msgid ""
+"If the option 'subdomains_provider' is not set in the domain section of sssd."
+"conf but there is the option 'id_provider = ipa', the IPA subdomains "
+"provider is configured implicitly. In this case, if a subdomain request "
+"fails and indicates that the server does not support subdomains, i.e. 
is not "
+"configured for trusts, the IPA subdomains provider is disabled. After an "
+"hour or after the IPA provider goes online, the subdomains provider is "
+"enabled again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:732
+msgid "TRUSTED DOMAINS CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:738
+#, no-wrap
+msgid ""
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:734
+#, fuzzy
+#| msgid ""
+#| "These configuration options can be present in a domain configuration "
+#| "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+#| "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"Some configuration options can be also set for a trusted domain. A trusted "
+"domain configuration can either be done using a subsection, for example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Aquestes opcions de configuració poden ser presents a una secció de "
+"configuració de domini anomenada <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:743
+#, fuzzy
+#| msgid ""
+#| "NOTE: Must be used in conjunction with the <quote>pam_trusted_users</"
+#| "quote> and <quote>pam_public_domains</quote> options. Please see the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more information on these two "
+#| "PAM responder options."
+msgid ""
+"In addition, some options can be set in the parent domain and inherited by "
+"the trusted domain using the <quote>subdomain_inherit</quote> option. 
For "
+"more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"NOTA: Ha d'utilitzar-se juntament amb les opcions <quote>pam_trusted_users</"
+"quote> i <quote>pam_public_domains</quote>. Si us plau, vegeu la pàgina del "
+"manual de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> per a més informació sobre aquestes "
+"dues opcions del contestador del PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:753
+msgid ""
+"Different configuration options are tunable for a trusted domain depending "
+"on whether you are configuring SSSD on an IPA server or an IPA client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:758
+msgid "OPTIONS TUNABLE ON IPA MASTERS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:760
+msgid ""
+"The following options can be set in a subdomain section on an IPA master:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794
+msgid "ad_server"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:767
+#, fuzzy
+#| msgid "ad_server, ad_backup_server (string)"
+msgid "ad_backup_server"
+msgstr "ad_server, ad_backup_server (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797
+#, fuzzy
+#| msgid "ad_site (string)"
+msgid "ad_site"
+msgstr "ad_site (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:773
+#, fuzzy
+#| msgid "ldap_search_base (string)"
+msgid "ldap_search_base"
+msgstr "ldap_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:776
+#, fuzzy
+#| msgid "ldap_user_search_base (string)"
+msgid "ldap_user_search_base"
+msgstr "ldap_user_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:779
+#, fuzzy
+#| msgid "ldap_group_search_base (string)"
+msgid "ldap_group_search_base"
+msgstr "ldap_group_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:788
+msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:790
+msgid ""
+"The following options can be set in a subdomain section on an IPA client:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:802
+msgid ""
+"Note that if both options are set, only <quote>ad_server</quote> is "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:806
+msgid ""
+"Since any request for a user or a group identity from a trusted domain "
+"triggered from an IPA client is resolved by the IPA server, the "
+"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
+"which AD DC will the authentication be performed against. In particular, the "
+"addresses resolved from these lists will be written to <quote>kdcinfo</"
+"quote> files read by the Kerberos locator plugin. 
Please refer to the "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+"Kerberos locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:830
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+"En el següent exemple s'assumeix que l'SSD està configurat correctament i "
+"que exemple.com és un dels dominis de la secció <replaceable>[sssd]</"
+"replaceable>. En aquest exemple es mostren únicament les opcions "
+"específiques del proveïdor IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:837
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
+msgstr ""
+"[domini/exemple.com]\n"
+"id_provider = ipa\n"
+"ipa_server = servidoripa.exemple.com\n"
+"ipa_hostname = elmeuanfitrio.exemple.com\n"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+msgid "sssd-ad"
+msgstr "sssd-ad"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ad.5.xml:17
+msgid "SSSD Active Directory provider"
+msgstr "Proveïdor d'Active Directory de l'SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:23
+msgid ""
+"This manual page describes the configuration of the AD provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:36
+msgid ""
+"The AD provider is a back end used to connect to an Active Directory server. "
+"This provider requires that the machine be joined to the AD domain and a "
+"keytab is available. Back end communication occurs over a GSSAPI-encrypted "
+"channel, SSL/TLS options should not be used with the AD provider and will be "
+"superseded by Kerberos usage."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:44
+msgid ""
+"The AD provider supports connecting to Active Directory 2008 R2 or later. "
+"Earlier versions may work, but are unsupported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:48
+msgid ""
+"The AD provider can be used to get user information and authenticate users "
+"from trusted domains. Currently only trusted domains in the same forest are "
+"recognized. In addition servers from trusted domains are always auto-"
+"discovered."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:54
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:69
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" +"ldap_id_mapping = False\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "ad_site (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "Per defecte: permissive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "Per defecte: enforcing" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "login" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "su" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "su-l" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "gdm-fingerprint" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "gdm-password" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "gdm-smartcard" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "kdm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "ad_gpo_map_remote_interactive (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "sshd" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "ad_gpo_map_network (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. 
" +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "ftp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "samba" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "ad_gpo_map_batch (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "crond" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "ad_gpo_map_service (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" +"ad_gpo_map_service = +my_pam_service\n" +" " + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "ad_gpo_map_permit (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "sudo" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "sudo-i" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "systemd-user" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "ad_gpo_map_deny (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" +"ad_gpo_map_deny = +my_pam_service\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "ad_gpo_default_right (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. 
This "
+"option can be set in two different manners. First, this option can be set to "
+"use a default logon right. For example, if this option is set to "
+"'interactive', it means that unmapped PAM service names will be processed "
+"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy "
+"settings. Alternatively, this option can be set to either always permit or "
+"always deny access for unmapped PAM service names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:787
+msgid "Supported values for this option include:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:791
+msgid "interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:796
+msgid "remote_interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:801
+msgid "network"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:806
+msgid "batch"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:811
+msgid "service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:816
+msgid "permit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:821
+msgid "deny"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:827
+msgid "Default: deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:833
+msgid "ad_maximum_machine_account_password_age (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:836
+msgid ""
+"SSSD will check once a day if the machine account password is older than the "
+"given age in days and try to renew it. A value of 0 will disable the renewal "
+"attempt."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:842
+msgid "Default: 30 days"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:848
+msgid "ad_machine_account_password_renewal_opts (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:851
+msgid ""
+"This option should only be used to test the machine account renewal task. "
+"The option expects 2 integers separated by a colon (':'). The first integer "
+"defines the interval in seconds how often the task is run. The second "
+"specifies the initial timeout in seconds before the task is run for the "
+"first time after startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:860
+msgid "Default: 86400:750 (24h and 15m)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:869
+msgid ""
+"Optional. This option tells SSSD to automatically update the Active "
+"Directory DNS server with the IP address of this client. The update is "
+"secured using GSS-TSIG. 
As a consequence, the Active Directory administrator "
+"only needs to allow secure updates for the DNS zone. The IP address of the "
+"AD LDAP connection is used for the updates, if it is not otherwise specified "
+"by using the <quote>dyndns_iface</quote> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:899
+msgid "Default: 3600 (seconds)"
+msgstr "Per defecte: 3600 (segons)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:915
+msgid ""
+"Default: Use the IP addresses of the interface which is used for AD LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:928
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Per defecte: True"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1043
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This example shows only the AD provider-specific options."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1050
+#, no-wrap
+msgid ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+msgstr ""
+"[domain/EXEMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.exemple.com\n"
+"ad_hostname = client.exemple.com\n"
+"ad_domain = exemple.com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1070
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1066
+msgid ""
+"The AD access control provider checks if the account is expired. It has the "
+"same effect as the following configuration of the LDAP provider: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1076
+msgid ""
+"However, unless the <quote>ad</quote> access control provider is explicitly "
+"configured, the default access provider is <quote>permit</quote>. Please "
+"note that if you configure an access provider other than <quote>ad</quote>, "
+"you need to set all the connection parameters (such as LDAP URIs and "
+"encryption details) manually."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr "sssd-sudo"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr "sudoers: files sss\n"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXEMPLE\n"
+"\n"
+"[domain/EXEMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://exemple.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=exemple,dc=com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. "
+"This is used to keep the cache consistent by removing every rule which was "
+"deleted from the server. However, full refresh may produce a lot of traffic "
+"and thus it should be run only occasionally depending on the size and "
+"stability of the sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:152
+msgid ""
+"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
+"more permission than defined. It is triggered each time the user runs sudo. "
+"Rules refresh will find all rules that apply to this user, check their "
+"expiration time and redownload them if expired. In the case that any of "
+"these rules are missing on the server, the SSSD will do an out of band full "
+"refresh because more rules (that apply to other users) may have been deleted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr "paraula clau ALL"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:173
+msgid "wildcard"
+msgstr "comodí"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:178
+msgid "netgroup (in the form \"+netgroup\")"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:183
+msgid "hostname or fully qualified domain name of this machine"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:188
+msgid "one of the IP addresses of this machine"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:193
+msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:199
+msgid ""
+"There are many configuration options that can be used to adjust the "
+"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr "sssd"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+"dimoni dels serveis de seguretat del sistema (System Security Services "
+"Daemon)"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+"L'<command>SSSD</command> proporciona un conjunt de dimonis per gestionar "
+"l'accés als directoris remots i els mecanismes d'autenticació. Proporciona "
+"una interfície NSS i PAM cap al sistema i un sistema d'accés a la capa de "
+"dades amb connectors per connectar a orígens múltiples de comptes diferents, "
+"com ara la interfície D-Bus. També és la base per proporcionar l'auditoria "
+"dels clients i les polítiques dels serveis per a projectes com FreeIPA. "
+"Proporciona una base de dades més robusta on emmagatzemar els usuaris "
+"locals, així com dades addicionals de l'usuari."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVELL</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: Afegeix una marca temporal als registres de depuració"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr ""
+"<emphasis>0</emphasis>: Inhabilita la marca temporal als registres de "
+"depuració"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: Afegeix els mil·lisegons a les marques temporals als "
+"missatges de depuració"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr ""
+"<emphasis>0</emphasis>: Inhabilita els mil·lisegons a les marques temporals"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr "<option>-f</option>,<option>--debug-to-files</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+"Envia la sortida de depuració als fitxers en comptes de l'stderr. Per "
+"defecte, els fitxers dels registres s'emmagatzemen a <filename>/var/log/"
+"sssd</filename> i hi ha fitxers dels registres que se separen per a cadascun "
+"dels serveis i dels dominis de l'SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr "<option>-D</option>,<option>--daemon</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr "Esdevé un dimoni després de la posada en marxa."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr "<option>-i</option>,<option>--interactive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr "Executa en primer pla, no esdevinguis un dimoni."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr "<option>-c</option>,<option>--config</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Especifica un fitxer de configuració diferent al predeterminat. Per defecte "
+"és <filename>/etc/sssd/sssd.conf</filename>. Per consultar la sintaxi del "
+"fitxer de configuració i les opcions, aneu a la pàgina del manual del "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr "<option>--version</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr "Imprimeix el número de la versió i surt."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr "Senyals"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr "SIGTERM/SIGINT"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+"Informa l'SSSD per finalitzar elegantment tots els seus processos fills i "
+"després atura el monitor."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr "SIGHUP"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+"Diu a l'SSSD que deixi d'escriure als actuals descriptors de fitxers de "
+"depuració i que els tanqui i els reobri. Això intenta facilitar la rotació "
+"dels registres amb programes com logrotate."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr "SIGUSR1"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+"Diu a l'SSSD que simuli l'operació sense connexió pel període del paràmetre "
+"<quote>offline_timeout</quote>. Això és útil per fer proves. El senyal es "
+"pot enviar directament al procés sssd o sssd_be."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr "SIGUSR2"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+"Diu a l'SSSD que es desconnecti immediatament. Això és útil per fer proves. "
+"El senyal es pot enviar directament al procés sssd o sssd_be."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+"Si la variable d'entorn SSS_NSS_USE_MEMCACHE està establerta a \"NO\", les "
+"aplicacions clients no utilitzaran el fast en la memòria cau."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr "sss_obfuscate"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr "ofusca una contrasenya en text clar"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>opcions</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+"<command>sss_obfuscate</command> converteix una contrasenya especificada a "
+"un format illegible per als humans i la posa a la secció del domini adequat "
+"del fitxer de configuració de l'SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. 
The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+"La contrasenya en text clar es llegeix de l'entrada estàndard o s'introdueix "
+"de forma interactiva. La contrasenya ofuscada es fica al paràmetre "
+"<quote>ldap_default_authtok</quote> del domini SSSD indicat, i el paràmetre "
+"<quote>ldap_default_authtok_type</quote> s'estableix a "
+"<quote>obfuscated_password</quote>. Consulteu <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> per a més detalls sobre aquests paràmetres."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+"Tingueu en compte que ofuscar les contrasenyes <emphasis>no proporciona cap "
+"benefici real de seguretat</emphasis>, ja que un atacant encara podria "
+"extreure la contrasenya amb enginyeria inversa. Es recomana "
+"<emphasis>aferrissadament</emphasis> l'ús de mecanismes d'autenticació "
+"millors com els certificats al cantó del client o el GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr "<option>-s</option>,<option>--stdin</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr "La contrasenya per ofuscar es llegirà de l'entrada estàndard."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMINI</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+"El domini SSSD on s'utilitza la contrasenya. El nom per defecte és "
+"<quote>default</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+"<option>-f</option>,<option>--file</option> <replaceable>FITXER</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+"Llegeix el fitxer de configuració que s'especifica amb el paràmetre "
+"posicional."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr "Per defecte: <filename>/etc/sssd/sssd.conf</filename>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "sss_useradd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "crea un nou usuari" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>OPCIONS</" +"replaceable></arg> <arg choice='plain'> <replaceable>USUARI</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" +"<command>sss_useradd</command> crea un nou compte d'usuari amb els valors " +"que s'especifiquen en la línia d'ordres més els valors per defecte del " +"sistema." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" +"Estableix l'UID de l'usuari al valor de l'<replaceable>UID</replaceable>. Si " +"no se'n proporciona cap, es tria automàticament." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENTARI</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" +"Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza " +"com a camp per al nom complet de l'usuari." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" +"<option>-h</option>,<option>--home</option> <replaceable>DIRECTORI_INICIAL</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. 
The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" +"El directori inicial del compte de l'usuari. Per defecte s'afegeix " +"l'<replaceable>USUARI</replaceable> a <filename>/home</filename> i " +"s'utilitza aquest com el directori inicial. La base que s'afegeix abans de " +"l'<replaceable>USUARI</replaceable> es pot personalitzar amb l'ajust " +"<quote>user_defaults/baseDirectory</quote> a l'sssd.conf." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" +"El shell d'inici de sessió de l'usuari. Per defecte és <filename>/bin/bash</" +"filename>. Es pot canviar el valor per defecte amb l'ajust " +"<quote>user_defaults/defaultShell</quote> de l'sssd.conf." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-G</option>,<option>--groups</option> <replaceable>GRUPS</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "Una llista dels grups existents que aquest usuari també n'és membre." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "<option>-m</option>,<option>--create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" +"Crea el directori inicial de l'usuari si no existeix. Al directori inicial " +"es copiaran els fitxers i els directoris continguts al directori esquemàtic " +"(que es pot definir amb l'opció -k o al fitxer de configuració)." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "<option>-M</option>,<option>--no-create-home</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" +"No crea el directori inicial de l'usuari. Substitueix els ajusts de la " +"configuració." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" +"<option>-k</option>,<option>--skel</option> " +"<replaceable>DIRECTORI_ESQUEMÀTIC</replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" +"El directori esquemàtic que conté els fitxers i els directoris per copiar al " +"directori inicial de l'usuari, quan es crea el directori inicial amb " +"<command>sss_useradd</command>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" +"No es copiaran els fitxers especials (dispositius de blocs, dispositius de " +"caràcters, canonades amb noms i sòcols d'UNIX)." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" +"Aquesta opció tan sols és vàlida si s'especifica l'opció <option>-m</option> " +"(o <option>--create-home</option>), o bé la creació dels directoris inicials " +"està establerta a TRUE a la configuració." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." 
+msgstr "" +"L'usuari de SELinux per a l'inici de sessió de l'usuari. Si no s'especifica, " +"s'utilitzarà el predeterminat del sistema." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "sssd-krb5" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. 
" +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "krb5_kpasswd, krb5_backup_kpasswd (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Per defecte: Utilitza el KDC" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Per defecte: /tmp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (cadena)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "nom d'usuari" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "UID de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "nom real" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "directori inicial" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. 
This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Per defecte: (del libkrb5)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (enter)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (booleà)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Per defecte: /etc/krb5.keytab" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (booleà)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. 
Passwords stored in this way "
+"are kept in plaintext in the kernel keyring and are potentially accessible "
+"by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:306
+msgid "krb5_renewable_lifetime (string)"
+msgstr "krb5_renewable_lifetime (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:309
+msgid ""
+"Request a renewable ticket with a total lifetime, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
+msgid "<emphasis>s</emphasis> for seconds"
+msgstr "<emphasis>s</emphasis> per segons"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
+msgid "<emphasis>m</emphasis> for minutes"
+msgstr "<emphasis>m</emphasis> per minuts"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
+msgid "<emphasis>h</emphasis> for hours"
+msgstr "<emphasis>h</emphasis> per hores"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
+msgid "<emphasis>d</emphasis> for days."
+msgstr "<emphasis>d</emphasis> per dies."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397
+msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401
+msgid ""
+"NOTE: It is not possible to mix units. To set the renewable lifetime to one "
+"and a half hours, use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:341
+msgid "krb5_lifetime (string)"
+msgstr "krb5_lifetime (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:344
+msgid ""
+"Request ticket with a lifetime, given as an integer immediately followed by "
+"a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:360
+msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:364
+msgid ""
+"NOTE: It is not possible to mix units. To set the lifetime to one and a "
+"half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:369
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:376
+msgid "krb5_renew_interval (string)"
+msgstr "krb5_renew_interval (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:379
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:406
+msgid "If this option is not set or is 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:424
+msgid ""
+"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:428
+msgid ""
+"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
+"continue the authentication without it."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:438
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:441
+msgid "NOTE: a keytab is required to use FAST."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:453
+msgid "krb5_fast_principal (string)"
+msgstr "krb5_fast_principal (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:456
+msgid "Specifies the server principal to use for FAST."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:465
+msgid ""
+"Specifies if the host and user principal should be canonicalized. This "
+"feature is available with MIT Kerberos 1.7 and later versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (booleà)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:514
+msgid "Default: false (AD provider: true)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:517
+msgid ""
+"The IPA provider will set to option to 'true' if it detects that the server "
+"is capable of handling enterprise principals and the option is not set "
+"explicitly in the config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:526
+msgid "krb5_map_user (string)"
+msgstr "krb5_map_user (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:529
+msgid ""
+"The list of mappings is given as a comma-separated list of pairs "
+"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+"name and <quote>primary</quote> is a user part of a kerberos principal. This "
+"mapping is used when user is authenticating using <quote>auth_provider = "
+"krb5</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-krb5.5.xml:541
+#, no-wrap
+msgid ""
+"krb5_realm = REALM\n"
+"krb5_map_user = joe:juser,dick:richard\n"
+msgstr ""
+"krb5_realm = REALM\n"
+"krb5_map_user = joe:juser,dick:richard\n"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:546
+msgid ""
+"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will "
+"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in an SSSD domain, the following options "
+"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section "
+"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:572
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication; it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:580
+#, no-wrap
+msgid ""
+"[domain/FOO]\n"
+"auth_provider = krb5\n"
+"krb5_server = 192.168.1.1\n"
+"krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+"[domain/FOO]\n"
+"auth_provider = krb5\n"
+"krb5_server = 192.168.1.1\n"
+"krb5_realm = EXEMPLE.COM\n"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr "sss_groupadd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr "crea un nou grup"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>opcions</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. 
These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+"<command>sss_groupadd</command> crea un nou grup. Aquests grups són "
+"compatibles amb els grups POSIX, amb la característica addicional que poden "
+"contenir altres grups com a membres."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43 sss_seed.8.xml:88
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"Estableix el GID del grup al valor del <replaceable>GID</replaceable>. Si no "
+"se'n proporciona cap, es tria automàticament."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr "sss_userdel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr "suprimeix el compte d'un usuari"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>opcions</"
+"replaceable> </arg> <arg choice='plain'><replaceable>USUARI</replaceable></"
+"arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+"<command>sss_userdel</command> suprimeix un usuari identificat amb el nom "
+"d'usuari <replaceable>USUARI</replaceable> del sistema."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr "<option>-r</option>,<option>--remove</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+"Els fitxers al directori inicial de l'usuari seran eliminats juntament amb "
+"el mateix directori inicial i la gestió de cues del correu de l'usuari. "
+"Substitueix la configuració."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+"Els fitxers al directori inicial de l'usuari no seran eliminats juntament "
+"amb el mateix directori inicial i la gestió de cues del correu de l'usuari. "
+"Substitueix la configuració."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+"Aquesta opció obliga a <command>sss_userdel</command> a suprimir el "
+"directori inicial i la gestió de cues del correu de l'usuari, encara que no "
+"siguin de la propietat de l'usuari especificat."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr "<option>-k</option>,<option>--kick</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr "Abans d'eliminar realment a l'usuari, acaba tots els seus processos."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr "sss_groupdel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr "suprimeix un grup"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>opcions</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+"<command>sss_groupdel</command> suprimeix un grup identificat amb el seu nom "
+"de <replaceable>GRUP</replaceable> del sistema."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr "sss_groupshow"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr "imprimeix les propietats d'un grup"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>opcions</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUP</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+"<command>sss_groupshow</command> mostra la informació sobre un grup "
+"identificat amb el seu nom de <replaceable>GRUP</replaceable>. La informació "
+"inclou el número de l'id. del grup, els membres del grup i el grup primari."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr "<option>-R</option>,<option>--recursive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy. 
Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr "sss_usermod"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr "modifica el compte d'un usuari"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>OPCIONS</"
+"replaceable></arg> <arg choice='plain'> <replaceable>USUARI</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+"<command>sss_usermod</command> modifica el compte especificat amb "
+"<replaceable>USUARI</replaceable> per reflectir els canvis que "
+"s'especifiquen a la línia d'ordres."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr "El directori inicial del compte de l'usuari."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr "El shell d'inici de sessió de l'usuari."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+"Annexa aquest usuari als grups que s'especifiquen amb el paràmetre dels "
+"<replaceable>GRUPS</replaceable>. El paràmetre dels <replaceable>GRUPS</"
+"replaceable> és una llista delimitada per comes dels noms dels grups."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr "<option>-l</option>,<option>--lock</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr "Bloqueja el compte de l'usuari. L'usuari no podrà iniciar la sessió."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr "<option>-u</option>,<option>--unlock</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr "Desbloqueja el compte de l'usuari."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr "L'usuari de SELinux per a l'inici de sessió de l'usuari."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:135
+msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+"<option>--addattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:140
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Afegeix una parella atribut/valor. El format és nomatribut=valor."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:147
+msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+"<option>--setattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:152
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Estableix un atribut a la parella nom/valor. El format és nomatribut=valor. "
+"Per als atributs amb múltiples valors, l'ordre substitueix els valors ja "
+"presents"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:160
+msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+"<option>--delattr</option> <replaceable>NOM_ATRIBUT_VALOR</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:165
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr "Elimina una parella atribut/valor. El format és nomatribut=valor."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_cache.8.xml:10 sss_cache.8.xml:15
+msgid "sss_cache"
+msgstr "sss_cache"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_cache.8.xml:16
+msgid "perform cache cleanup"
+msgstr "fa neteja de la memòria cau"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_cache.8.xml:21
+msgid ""
+"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sss_cache</command> <arg choice='opt'> <replaceable>opcions</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_cache.8.xml:31
+msgid ""
+"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
+"records are forced to be reloaded from server as soon as related SSSD "
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:43
+msgid "<option>-E</option>,<option>--everything</option>"
+msgstr "<option>-E</option>,<option>--everything</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:47
+msgid "Invalidate all cached entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:53
+msgid ""
+"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--user</option> <replaceable>usuari</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:58
+msgid "Invalidate specific user."
+msgstr "Invalida un usuari específic."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:64
+msgid "<option>-U</option>,<option>--users</option>"
+msgstr "<option>-U</option>,<option>--users</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:68
+msgid ""
+"Invalidate all user records. This option overrides invalidation of specific "
+"user if it was also set."
+msgstr ""
+"Invalida tots els registres dels usuaris. Aquesta opció anul·la la "
+"invalidació d'un usuari específic, si també es va especificar."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:75
+msgid ""
+"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
+msgstr ""
+"<option>-g</option>,<option>--group</option> <replaceable>grup</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:80
+msgid "Invalidate specific group."
+msgstr "Invalida un grup específic."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:86
+msgid "<option>-G</option>,<option>--groups</option>"
+msgstr "<option>-G</option>,<option>--groups</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:90
+msgid ""
+"Invalidate all group records. This option overrides invalidation of specific "
+"group if it was also set."
+msgstr ""
+"Invalida tots els registres dels grups. Aquesta opció anul·la la invalidació "
+"d'un grup específic, si també es va especificar."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:97
+msgid ""
+"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
+"replaceable>"
+msgstr ""
+"<option>-n</option>,<option>--netgroup</option> <replaceable>grup-de-xarxa</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:102
+msgid "Invalidate specific netgroup."
+msgstr "invalida un grup de xarxa específic."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:108
+msgid "<option>-N</option>,<option>--netgroups</option>"
+msgstr "<option>-N</option>,<option>--netgroups</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:112
+msgid ""
+"Invalidate all netgroup records. This option overrides invalidation of "
+"specific netgroup if it was also set."
+msgstr ""
+"Invalida tots els registres dels grups de xarxa. Aquesta opció anul·la la "
+"invalidació d'un grup de xarxa específic, si també es va especificar."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:119
+msgid ""
+"<option>-s</option>,<option>--service</option> <replaceable>service</"
+"replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--service</option> <replaceable>servei</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:124
+msgid "Invalidate specific service."
+msgstr "invalida un servei específic."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:130
+msgid "<option>-S</option>,<option>--services</option>"
+msgstr "<option>-S</option>,<option>--services</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:134
+msgid ""
+"Invalidate all service records. This option overrides invalidation of "
+"specific service if it was also set."
+msgstr ""
+"Invalida tots els registres dels serveis. Aquesta opció anul·la la "
+"invalidació d'un servei específic, si també es va especificar."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:141
+msgid ""
+"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--autofs-map</option> <replaceable>assignació-"
+"autofs</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:146
+msgid "Invalidate specific autofs maps."
+msgstr "Invalida una assignació autofs específica."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:152
+msgid "<option>-A</option>,<option>--autofs-maps</option>"
+msgstr "<option>-A</option>,<option>--autofs-maps</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:156
+msgid ""
+"Invalidate all autofs maps. This option overrides invalidation of specific "
+"map if it was also set."
+msgstr ""
+"Invalida tots els registres de les assignacions autofs. Aquesta opció "
+"anul·la la invalidació d'una assignació autofs específica, si també es va "
+"especificar."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:163
+msgid ""
+"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--ssh-host</option> <replaceable>nom-amfitrió</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:168
+msgid "Invalidate SSH public keys of a specific host."
+msgstr "Invalida les claus públiques SSH d'un amfitrió especific."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "<option>-H</option>,<option>--ssh-hosts</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" +"Invalida tots els registres de les claus públiques SSH de tots els " +"amfitrions. Aquesta opció anul·la la invalidació d'una clau pública SSH d'un " +"amfitrió específic, si també es va especificar." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domini</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Restringeix el procés d'invalidació a tan sols un domini concret." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg " +"choice='plain'><replaceable>NOU_NIVELL_DE_DEPURACIÓ</replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "implanta la memòria cau de l'SSSD amb un usuari" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>opcions</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMINI</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USUARI</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" +"<command>sss_seed</command> implanta la memòria cau de l'SSSD amb una " +"entrada d'un usuari i la contrasenya temporal. Si l'entrada d'un usuari ja " +"està present a la memòria cau de l'SSSD aleshores s'actualitza l'entrada amb " +"la contrasenya temporal." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMINI</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"Proporciona el nom del domini en el qual l'usuari n'és membre. 
El domini " +"també s'utilitza per recuperar la informació de l'usuari. El domini ha " +"d'estar configurat a l'sssd.conf. S'ha de proporcionar l'opció del " +"<replaceable>DOMINI</replaceable>. La informació recuperada del domini " +"anul·la aquella que es proporcioni a les opcions." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" +"L'entrada del nom d'usuari a crear o modificar a la memòria cau. S'ha de " +"proporcionar l'opció de l'<replaceable>USUARI</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "Estableix l'UID de l'usuari a <replaceable>UID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "Estableix el GID de l'usuari a <replaceable>GID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" +"Establix el directori inicial de l'usuari a <replaceable>DIRECTORI_INICIAL</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." 
+msgstr "" +"Estableix el shell d'inici de sessió de l'usuari a <replaceable>SHELL</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" +"Mode interactiu per a la introducció de la informació de l'usuari. Aquesta " +"opció només demanà la informació no proporcionada a les opcions o que no es " +"recuperi del domini." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>FITXER_CONTRASENYA</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" +"Especifica el fitxer des d'on llegir la contrasenya de l'usuari. (si no " +"s'especifica, es demana per la contrasenya)" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" +"La longitud de la contrasenya (o la mida del fitxer que s'especifica amb " +"l'opció -p o --password-file) ha de ser més petita o igual que PASS_MAX " +"bytes (64 bytes en els sistemes que no defineixen globalment el valor de " +"PASS_MAX)." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "contestador de l'InfoPipe de l'SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"En aquesta pàgina del manual es descriu la configuració del contestador de " +"l'InfoPipe per a <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. Per a una referència detallada de " +"la sintaxi, consulteu la secció <quote>FORMAT DEL FITXER</quote> de la " +"pàgina del manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" +"El contestador de l'InfoPipe proporciona una interfície D-Bus publica que es " +"pot accedir a través del bus del sistema. La interfície permet que l'usuari " +"consulti informació sobre els usuaris i els grups remots a través del bus " +"del sistema." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" +"Es poden utilitzar aquestes opcions per configurar el contestador de " +"l'InfoPipe." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" +"Especifica una llista separada per comes dels valors dels UID o dels noms " +"d'usuaris que estan assignats per accedir al contestador de l'InfoPipe. Els " +"noms d'usuaris es resolen als UID en la preparació." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" +"Per defecte: 0 (únicament a l'usuari root se li permet l'accés al " +"contestador de l'InfoPipe)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" +"Tingueu en compte que encara que s'utilitzi l'UID 0 com a valor per defecte " +"se sobreescriurà amb aquesta opció. Si encara voleu permetre que l'usuari " +"root accedeixi al contestador de l'InfoPipe, el que seria el cas típic, " +"també cal afegir 0 a la llista dels UID permesos." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" +"Especifica una llista separada per comes dels atributs de la llista negra o " +"blanca." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "nom d'inici de sessió de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "id. de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "id. del grup primari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "informació de l'usuari, normalment el nom complet " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "shell de l'usuari" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" +"Per defecte, el contestador de l'InfoPipe únicament permet que se " +"sol·licitin el conjunt per defecte dels atributs POSIX. Aquest conjunt és el " +"mateix que es retorna amb <citerefentry> <refentrytitle>getpwnam</" +"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> i inclou: " +"<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. 
For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Es poden afegir altres atributs a aquest conjunt amb <quote>+nom_atribut</" +"quote> o suprimir explícitament un atribut amb <quote>-nom_atribut</quote>. " +"Per exemple, per permetre <quote>telephoneNumber</quote> però denegar " +"<quote>loginShell</quote>, podríeu utilitzar la següent configuració: " +"<placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" +"Per defecte: sense establir. Únicament es permet el conjunt per defecte dels " +"atributs POSIX." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Desenvolupador (2013-2014)</contrib> " +"</author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Desenvolupador (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "sss_rpcidmapd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "les directrius de configuració del complement sss per al rpc.idmapd" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "FITXER DE CONFIGURACIÓ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" +"El fitxer de configuració rpc.idmapd normalment es troba a <emphasis>/etc/" +"idmapd.conf</emphasis>. 
Vegeu <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> per més informació." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "AMPLIACIÓ DE LA CONFIGURACIÓ DE L'SSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "Habilita el complement SSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" +"En la secció <quote>[Translation]</quote>, modifiqueu o establiu l'atribut " +"<quote>Method</quote> per abastar <emphasis>sss</emphasis>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "Secció de configuració [sss]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" +"Per canviar el valor per defecte d'un dels atributs de configuració del " +"connector de l'<emphasis>sss</emphasis> que es llisten a continuació, " +"necessitareu crear-li una secció de configuració, anomenada <quote>[sss]</" +"quote>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "Atributs de configuració" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "memcache (booleà)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "Indica si s'utilitza o no la tècnica d'optimització de la memòria cau." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "INTEGRACIÓ DE L'SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" +"El connector sss requereix que s'habiliti el <emphasis>contestador del NSS</" +"emphasis> al sssd." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" +"L'atribut <quote>use_fully_qualified_names</quote> ha d'estar habilitat en " +"tots els dominis (els clients de NFSv4 esperen un FQN per a ser enviats al " +"cable)." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" +"[General]\n" +"Verbosity = 2\n" +"# el domini ha de sincronitzar-se entre el servidor i els clients del NFSv4\n" +"# Solaris/Illumos/AIX utilitzen \"localdomain\" com a predeterminat!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"En el següent exemple es mostra un idmapd.conf mínim que fa ús del connector " +"sss. <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VEGEU TAMBÉ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "obté les claus autoritzades de l'OpenSSH" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>opcions</replaceable> </arg> <arg " +"choice='plain'><replaceable>USUARI</replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +#, fuzzy +#| msgid "client_idle_timeout" +msgid "p11_child_timeout" +msgstr "client_idle_timeout" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +#, fuzzy +#| msgid "" +#| "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +#| "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> for more information on configuring Kerberos." +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" +"<quote>krb5</quote> per canviar la contrasenya Kerberos. Vegeu " +"<citerefentry><refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> per a més informació sobre configurar Kerberos." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. 
When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "obté les claus de l'amfitrió de l'OpenSSH" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+#, fuzzy
+#| msgid "<option>-U</option>,<option>--users</option>"
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr "<option>-U</option>,<option>--users</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+#, fuzzy
+#| msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr "Estableix l'UID de l'usuari a <replaceable>UID</replaceable>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. 
"
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. 
In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+#, fuzzy
+#| msgid "ad_site (string)"
+msgid "passwd_files (string)"
+msgstr "ad_site (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: password"
+msgid "Default: /etc/passwd"
+msgstr "Per defecte: password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+#, fuzzy
+#| msgid "ldap_netgroup_triple (string)"
+msgid "group_files (string)"
+msgstr "ldap_netgroup_triple (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: nisNetgroup"
+msgid "Default: /etc/group"
+msgstr "Per defecte: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+#, fuzzy
+#| msgid ""
+#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page for details on the configuration of an SSSD "
+#| "domain. 
<placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Per a més informació sobre la configuració d'un domini SSSD, consulteu la "
+"secció <quote>SECCIONS DELS DOMINIS</quote> de la pàgina del manual "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. 
All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "Configuració" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "El nom del domini" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "El protocol" + +#. 
type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr "Vegeu també"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure."
+"io/SSSD/sssd/</orgname>"
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the current server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:16
+msgid ""
+"For each failover-enabled config option, two variants exist: "
+"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>.
The idea is "
+"that servers in the primary list are preferred and backup servers are only "
+"searched if no primary servers can be reached. If a backup server is "
+"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
+"periodically try to reconnect to one of the primary servers. If it succeeds, "
+"it will replace the current active (backup) server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:27
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:29
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service. The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:42
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:47
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:53
+msgid "Failover time outs and tuning"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:55
+msgid ""
+"Resolving a server to connect to can be as simple as running a single DNS "
+"query or can involve several steps, such as finding the correct site or "
+"trying out multiple host names in case some of the configured servers are "
+"not reachable. The more complex scenarios can take some time and SSSD needs "
+"to balance between providing enough time to finish the resolution process "
+"but on the other hand, not trying for too long before falling back to "
+"offline mode. If the SSSD debug logs show that the server resolution is "
+"timing out before a live server is contacted, you can consider changing the "
+"time outs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:76
+msgid "dns_resolver_op_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid "How long would SSSD talk to a single DNS server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:86
+msgid "dns_resolver_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:90
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:100
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></"
+"quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between automatically-"
+"assigned and manually-assigned values. If you need to use manually-assigned "
+"values, ALL values must be manually-assigned."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed.
It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory. This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\"-. Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that domain. "
+"In order to make this slice-assignment repeatable on different client "
+"machines, we select the slice based on the following algorithm:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value. We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid ""
+"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr "ldap_idmap_range_min (enter)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:127
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>min_id</"
+"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+msgid "Default: 200000"
+msgstr "Per defecte: 200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:142
+msgid "ldap_idmap_range_max (integer)"
+msgstr "ldap_idmap_range_max (enter)"
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:145
+msgid ""
+"Specifies the upper bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:149
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>max_id</"
+"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:159
+msgid "Default: 2000200000"
+msgstr "Per defecte: 2000200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:164
+msgid "ldap_idmap_range_size (integer)"
+msgstr "ldap_idmap_range_size (enter)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:167
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:179
+msgid ""
+"For example, if your most recently-added Active Directory user has "
+"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
+"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:186
+msgid ""
+"It is important to plan ahead for future expansion, as changing this value "
+"will result in changing all of the ID mappings on the system, leading to "
+"users with different local IDs than they previously had."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:196
+msgid "ldap_idmap_default_domain_sid (string)"
+msgstr "ldap_idmap_default_domain_sid (cadena)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:199
+msgid ""
+"Specify the domain SID of the default domain. This will guarantee that this "
+"domain will always be assigned to slice zero in the ID map, bypassing the "
+"murmurhash algorithm described above."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:210
+msgid "ldap_idmap_default_domain (string)"
+msgstr "ldap_idmap_default_domain (cadena)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:213
+msgid "Specify the name of the default domain."
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:221
+msgid "ldap_idmap_autorid_compat (boolean)"
+msgstr "ldap_idmap_autorid_compat (booleà)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:224
+msgid ""
+"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
+"winbind's <quote>idmap_autorid</quote> algorithm."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:229
+msgid ""
+"When this option is configured, domains will be allocated starting with "
+"slice zero and increasing monatomically with each additional domain."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:234
+msgid ""
+"NOTE: This algorithm is non-deterministic (it depends on the order that "
+"users and groups are requested). If this mode is required for compatibility "
+"with machines running winbind, it is recommended to also use the "
+"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
+"least one domain is consistently allocated to slice zero."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:249
+msgid "ldap_idmap_helper_table_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:252
+msgid ""
+"Maximal number of secondary slices that is tried when performing mapping "
+"from UNIX id to SID."
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:256
+msgid ""
+"Note: Additional secondary slices might be generated when SID is being "
+"mapped to UNIX id and RID part of SID is out of range for secondary slices "
+"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
+"then no additional secondary slices are generated."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:273
+msgid "Well-Known SIDs"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:275
+msgid ""
+"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a "
+"special hardcoded meaning. Since the generic users and groups related to "
+"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no "
+"POSIX IDs are available for those objects."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:281
+msgid ""
+"The SID name space is organized in authorities which can be seen as "
+"different domains. The authorities for the Well-Known SIDs are"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:284
+msgid "Null Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:285
+msgid "World Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:286
+msgid "Local Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:287
+msgid "Creator Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:288
+msgid "NT Authority"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:289
+msgid "Built-in"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:291
+msgid ""
+"The capitalized version of these names are used as domain names when "
+"returning the fully qualified name of a Well-Known SID."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:295
+msgid ""
+"Since some utilities allow to modify SID based access control information "
+"with the help of a name instead of using the SID directly SSSD supports to "
+"look up the SID by the name as well. To avoid collisions only the fully "
+"qualified names can be used to look up Well-Known SIDs. As a result the "
+"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
+"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
+"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
+"names in <filename>sssd.conf</filename>."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-?</option>,<option>--help</option>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7 include/param_help_py.xml:7
+msgid "Display help message and exit."
+msgstr "Mostra el missatge d'ajuda i surt."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help_py.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr "<option>-h</option>,<option>--help</option>"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
+msgid ""
+"SSSD supports two representations for specifying the debug level. The "
+"simplest is to specify a decimal value from 0-9, which represents enabling "
+"that level and all lower-level debug messages.
The more comprehensive option "
+"is to specify a hexadecimal bitmask to enable or disable specific levels "
+"(such as if you wish to suppress a level)."
+msgstr ""
+"L'SSSD admet dues representacions per a l'especificació del nivell de "
+"depuració. La més senzilla és especificar un número del 0-9, que representa "
+"el que permet cada nivell i tots els missatges de depuració de nivell baix. "
+"L'opció més exhaustiva és especificar una màscara de bits en hexadecimal per "
+"activar o desactivar els nivells específics (per exemple, si voleu suprimir "
+"un nivell)."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:10
+msgid ""
+"Please note that each SSSD service logs into its own log file. Also please "
+"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> "
+"section only enables debugging just for the sssd process itself, not for the "
+"responder or provider processes. The <quote>debug_level</quote> parameter "
+"should be added to all sections that you wish to produce debug logs from."
+msgstr ""
+"Si us plau, tingueu en compte que cadascun dels serveis de l'SSSD registra "
+"el seu fitxer propi de registre. També tingueu en compte que l'habilitació "
+"del <quote>debug_level</quote> a la secció <quote>[sssd]</quote>únicament "
+"habilita la depuració del mateix procés de l'sssd, no per al procés del "
+"contestador o del proveïdor. El paràmetre <quote>debug_level</quote> s'ha "
+"d'afegir en totes les seccions que vulgueu que generin registres."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:18
+msgid ""
+"In addition to changing the log level in the config file using the "
+"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD "
+"restart, it is also possible to change the debug level on the fly using the "
+"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry> tool."
+msgstr ""
+"A més de canviar el nivell del registre al fitxer de configuració amb el "
+"paràmetre <quote>debug_level</quote>, que és permanent, però requereix que "
+"es reiniciï l'SSSD, també és possible canviar el nivell de depuració al vol "
+"amb l'eina <citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
+msgid "Currently supported debug levels:"
+msgstr "Els nivells de depuració que s'admeten actualment:"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
+msgid ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
+"Anything that would prevent SSSD from starting up or causes it to cease "
+"running."
+msgstr ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fallides fatals. "
+"Qualsevol cosa que impedeixi la posada en marxa de l'SSSD o provoqui el seu "
+"cessament."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+msgid ""
+"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
+msgid ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
+"error announcing that a particular request or operation has failed."
+msgstr ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Fallides serioses. Un "
+"error que anuncia que una petició o una operació en particular ha fallat."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
+msgid ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures.
These "
+"are the errors that would percolate down to cause the operation failure of 2."
+msgstr ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Fallides menors. "
+"Aquests són els errors que enterboleixen i poden fer fracassar l'operació "
+"dels 2."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
+msgid ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
+msgstr ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Ajusts de la "
+"configuració."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
+msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
+msgstr ""
+"<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Dades de les funcions."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
+msgid ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
+"operation functions."
+msgstr ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Missatges de traça per "
+"al funcionament de les funcions."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
+msgid ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
+"internal control functions."
+msgstr ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Missatges de traça per "
+"a les funcions internes de control."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
+msgid ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
+"internal variables that may be interesting."
+msgstr ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contingut de les "
+"variables de les funcions internes que poden ser interessants."
+
+#.
type: Content of: <listitem><para>
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
+msgid ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
+"tracing information."
+msgstr ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Informació de traçat "
+"extremadament de baix nivell."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
+msgid ""
+"To log required bitmask debug levels, simply add their numbers together as "
+"shown in following examples:"
+msgstr ""
+"Per registrar els nivells de depuració de la màscara de bits que es "
+"requereixi, només heu d'afegir els seus números com es mostra en els "
+"següents exemples:"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
+"serious failures and function data use 0x0270."
+msgstr ""
+"<emphasis>Exemple</emphasis>: Per registrar les fallides fatals, les "
+"fallides crítiques, les fallides serioses i les dades de les funcions, "
+"utilitzeu0x0270."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
+"function data, trace messages for internal control functions use 0x1310."
+msgstr ""
+"<emphasis>Exemple</emphasis>: Per registrar les fallides fatals, els ajusts "
+"de la configuració, les dades de les funcions, els missatges de traça per a "
+"les funcions internes de control, utilitzeu 0x1310."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
+msgid ""
+"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
+"in 1.7.0."
+msgstr ""
+"<emphasis>Nota</emphasis>: El format de la màscara de bits dels nivells de "
+"depuració es va introduir en la versió 1.7.0."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
+msgid "<emphasis>Default</emphasis>: 0"
+msgstr "<emphasis>Per defecte</emphasis>: 0"
+
+#. type: Content of: outside any tag (error?)
+#: include/experimental.xml:1
+msgid ""
+"<emphasis> This is an experimental feature, please use https://pagure.io/"
+"SSSD/sssd/ to report any issues. </emphasis>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/local.xml:2
+msgid "THE LOCAL DOMAIN"
+msgstr "EL DOMINI LOCAL"
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:4
+msgid ""
+"In order to function correctly, a domain with <quote>id_provider=local</"
+"quote> must be created and the SSSD must be running."
+msgstr ""
+"Per a un funcionament correcte, s'ha de crear un domini amb "
+"<quote>id_provider=local</quote> i l'SSSD ha d'estar en execució."
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:9
+msgid ""
+"The administrator might want to use the SSSD local users instead of "
+"traditional UNIX users in cases where the group nesting (see <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>) is needed. The local users are also useful for testing and "
+"development of the SSSD without having to deploy a full remote server. The "
+"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
+"local LDB storage to store users and groups."
+msgstr ""
+"L'administrador pot ser que vulgui utilitzar els usuaris locals de l'SSSD en "
+"lloc dels usuaris tradicionals d'UNIX en els casos en què es requereixi la "
+"imbricació dels grups (vegeu <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>).
Els usuaris locals "
+"també són útils per provar i desplegar l'SSSD sense haver de desplegar tot "
+"un servidor remot. Les eines <command>sss_user*</command> i "
+"<command>sss_group*</command> utilitzen l'emmagatzematge LDB local per "
+"emmagatzemar els usuaris i els grups."
+
+#. type: Content of: <refsect1><para>
+#: include/seealso.xml:4
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
+"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-"
+"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, "
+"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
+"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> "
+"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> "
+"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> </phrase>"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:3
+msgid ""
+"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
+"for this attribute type."
+msgstr ""
+
+#. 
type: Content of: <listitem><para><programlisting>
+#: include/ldap_search_bases.xml:9
+#, no-wrap
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:7
+msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:13
+msgid ""
+"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope "
+"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/"
+"rfc4511"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:23
+msgid ""
+"For examples of this syntax, please refer to the <quote>ldap_search_base</"
+"quote> examples section."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:31
+msgid ""
+"Please note that specifying scope or filter is not supported for searches "
+"against an Active Directory Server that might yield a large number of "
+"results and trigger the Range Retrieval extension in the response."
+msgstr ""
+
+#. type: Content of: <para>
+#: include/autofs_restart.xml:2
+msgid ""
+"Please note that the automounter only reads the master map on startup, so if "
+"any autofs-related changes are made to the sssd.conf, you typically also "
+"need to restart the automounter daemon after restarting the SSSD."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/override_homedir.xml:2
+msgid "override_homedir (string)"
+msgstr "override_homedir (cadena)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:16
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:20
+msgid "domain name"
+msgstr ""
+
+#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:23
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:24
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:27
+msgid "%l"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:28
+msgid "The first letter of the login name."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:32
+msgid "UPN - User Principal Name (name@REALM)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:35
+msgid "%o"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:37
+msgid "The original home directory retrieved from the identity provider."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:42
+msgid "%H"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:44
+msgid "The value of configure option <emphasis>homedir_substring</emphasis>."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:5
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <varlistentry><listitem><para><programlisting>
+#: include/override_homedir.xml:61
+#, no-wrap
+msgid ""
+"override_homedir = /home/%u\n"
+" "
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:65
+msgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/homedir_substring.xml:2
+msgid "homedir_substring (string)"
+msgstr "homedir_substring (cadena)"
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:5
+msgid ""
+"The value of this option will be used in the expansion of the "
+"<emphasis>override_homedir</emphasis> option if the template contains the "
+"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly "
+"contain this template so that this option can be used to expand the home "
+"directory path for each client machine (or operating system). It can be set "
+"per-domain or globally in the [nss] section. A value specified in a domain "
+"section will override one set in the [nss] section."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:15
+msgid "Default: /home"
+msgstr "Per defecte: /home"
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
+#~ "(?P<name>) to label subpatterns."
+#~ msgstr ""
+#~ "ATENCIÓ SI US PLAU: una versió més antiga de libpcre només suporta la "
+#~ "sintaxi Python (?P <name>) a l'etiqueta subpatterns."
diff --git a/src/man/po/cs.po b/src/man/po/cs.po
new file mode 100644
index 0000000..1029b83
--- /dev/null
+++ b/src/man/po/cs.po
@@ -0,0 +1,15624 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# sgallagh <sgallagh@redhat.com>, 2011
+# Zdenek <chmelarz@gmail.com>, 2017. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2017-09-11 08:53+0000\n"
+"Last-Translator: Zdenek <chmelarz@gmail.com>\n"
+"Language-Team: Czech (http://www.transifex.com/projects/p/sssd/language/"
+"cs/)\n"
+"Language: cs\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "Manuálové stránky SSSD"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr "POPIS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "VOLBY"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr ""
+
+# auto translated by TM merge from project: Fedora Elections Guide, version: master, DocId: Methods
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
+#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
+#: sssd-systemtap.5.xml:11
+msgid "5"
+msgstr "5"
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
+#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
+#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12
+msgid "File Formats and Conventions"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"<replaceable>[section]</replaceable>\n"
+"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>). Inline comments are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:47
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:53
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:59
+msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:62
+msgid ""
+"The configuration file <filename>sssd.conf</filename> will include "
+"configuration snippets using the include directory <filename>conf.d</"
+"filename>. This feature is available if SSSD was compiled with libini "
+"version 1.3.0 or later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:69
+msgid ""
+"Any file placed in <filename>conf.d</filename> that ends in "
+"<quote><filename>.conf</filename></quote> and does not begin with a dot "
+"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
+"to configure SSSD."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:77
+msgid ""
+"The configuration snippets from <filename>conf.d</filename> have higher "
+"priority than <filename>sssd.conf</filename> and will override "
+"<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
+"present in <filename>conf.d</filename>, then they are included in "
+"alphabetical order (based on locale). Files included later have higher "
+"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, "
+"<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
+"(higher number means higher priority)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:91
+msgid ""
+"The snippet files require the same owner and permissions as <filename>sssd."
+"conf</filename>. Which are by default root:root and 0600."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:98
+msgid "GENERAL OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:100
+msgid "Following options are usable in more than one configuration sections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:104
+msgid "Options usable in all sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:108
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:112
+msgid "debug (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:115
+msgid ""
+"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
+"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both "
+"are specified, the value of <replaceable>debug_level</replaceable> will be "
+"used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:125
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:128
+msgid ""
+"Add a timestamp to the debug messages. If journald is enabled for SSSD "
+"debug logging this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851
+#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576
+#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227
+#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499
+#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:138
+msgid "debug_microseconds (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:141
+msgid ""
+"Add microseconds to the timestamp in debug messages. If journald is enabled "
+"for SSSD debug logging this option is ignored."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708
+#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+#: sssd-krb5.5.xml:471
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384
+#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:155
+msgid "Options usable in SERVICE and DOMAIN sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:159
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:162
+msgid ""
+"Timeout in seconds between heartbeats for this service. This is used to "
+"ensure that the process is alive and capable of answering requests. Note "
+"that after three missed heartbeats the process will terminate itself."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996
+#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:179
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:182
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:193
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:202
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:205
+msgid ""
+"Comma separated list of services that are started when sssd itself starts. "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or D-Bus "
+"activated when needed. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:214
+msgid ""
+"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
+"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
+"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
+"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "Default: 14400 (4 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. 
Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +msgid "Default:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. 
The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +# auto translated by TM merge from project: Fedora Websites, version: fedorahosted.org, DocId: po/fedorahosted +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "username" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +# auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: po/ipa +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "heslo" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. 
This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. 
It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). 
If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. 
Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. 
If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. 
If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. 
This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. 
Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. 
Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. 
Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. 
" +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. 
A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. 
" +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. 
" +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. "
+"This is used to keep the cache consistent by removing every rule which was "
+"deleted from the server. However, full refresh may produce a lot of traffic "
+"and thus it should be run only occasionally depending on the size and "
+"stability of the sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:152
+msgid ""
+"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
+"more permission than defined. It is triggered each time the user runs sudo. "
+"Rules refresh will find all rules that apply to this user, check their "
+"expiration time and redownload them if expired. In the case that any of "
+"these rules are missing on the server, the SSSD will do an out of band full "
+"refresh because more rules (that apply to other users) may have been deleted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:173
+msgid "wildcard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:178
+msgid "netgroup (in the form \"+netgroup\")"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:183
+msgid "hostname or fully qualified domain name of this machine"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:188
+msgid "one of the IP addresses of this machine"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:193
+msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:199
+msgid ""
+"There are many configuration options that can be used to adjust the "
+"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_override.8.xml:16
+msgid "create local overrides of user and group attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_override.8.xml:21
+msgid ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:32
+msgid ""
+"<command>sss_override</command> enables to create a client-side view and "
+"allows to change selected values of specific user and groups. This change "
+"takes effect only on local machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:37
+msgid ""
+"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
+"local overrides are lost. Please note that after the first override is "
+"created using any of the following <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
+"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
+"take effect. <emphasis>sss_override</emphasis> prints message when a "
+"restart is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:50 sssctl.8.xml:41
+msgid "AVAILABLE COMMANDS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:52
+msgid ""
+"Argument <emphasis>NAME</emphasis> is the name of original object in all "
+"commands. It is not possible to override <emphasis>uid</emphasis> or "
+"<emphasis>gid</emphasis> to 0."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:59
+msgid ""
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
+"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
+"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+"CERTIFICATE</optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:72
+msgid ""
+"Override attributes of an user. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:80
+msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:85
+msgid ""
+"Remove user overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:94
+msgid ""
+"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:99
+msgid ""
+"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
+"is set, only users from the domain are listed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:107
+msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:112
+msgid "Show user overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:118
+msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:123
+msgid ""
+"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard passwd file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:128
+msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:131
+msgid ""
+"where original_name is original name of the user whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:140
+msgid "ckent:superman::::::"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:143
+msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:149
+msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:154
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>user-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:162
+msgid ""
+"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:169
+msgid ""
+"Override attributes of a group. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:177
+msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:182
+msgid ""
+"Remove group overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:191
+msgid ""
+"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:196
+msgid ""
+"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
+"parameter is set, only groups from the domain are listed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr "sss_groupdel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr "vymazat skupinu"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</"
+"replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+"<command>sss_groupdel</command> odstraní ze systému skupinu určenou jejím "
+"jménem<replaceable>SKUPINA</replaceable>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy. Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:135
+msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:140
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:147
+msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:152
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:160
+msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:165
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_cache.8.xml:10 sss_cache.8.xml:15
+msgid "sss_cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_cache.8.xml:16
+msgid "perform cache cleanup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_cache.8.xml:21
+msgid ""
+"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_cache.8.xml:31
+msgid ""
+"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
+"records are forced to be reloaded from server as soon as related SSSD "
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:43
+msgid "<option>-E</option>,<option>--everything</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:47
+msgid "Invalidate all cached entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:53
+msgid ""
+"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:58
+msgid "Invalidate specific user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:64
+msgid "<option>-U</option>,<option>--users</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:68
+msgid ""
+"Invalidate all user records. This option overrides invalidation of specific "
+"user if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:75
+msgid ""
+"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:80
+msgid "Invalidate specific group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:86
+msgid "<option>-G</option>,<option>--groups</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:90
+msgid ""
+"Invalidate all group records. This option overrides invalidation of specific "
+"group if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:97
+msgid ""
+"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:102
+msgid "Invalidate specific netgroup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:108
+msgid "<option>-N</option>,<option>--netgroups</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:112
+msgid ""
+"Invalidate all netgroup records. This option overrides invalidation of "
+"specific netgroup if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:119
+msgid ""
+"<option>-s</option>,<option>--service</option> <replaceable>service</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:124
+msgid "Invalidate specific service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:130
+msgid "<option>-S</option>,<option>--services</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:134
+msgid ""
+"Invalidate all service records. This option overrides invalidation of "
+"specific service if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:141
+msgid ""
+"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:146
+msgid "Invalidate specific autofs maps."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:152
+msgid "<option>-A</option>,<option>--autofs-maps</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:156
+msgid ""
+"Invalidate all autofs maps. This option overrides invalidation of specific "
+"map if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:163
+msgid ""
+"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:168
+msgid "Invalidate SSH public keys of a specific host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:174
+msgid "<option>-H</option>,<option>--ssh-hosts</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:178
+msgid ""
+"Invalidate SSH public keys of all hosts. This option overrides invalidation "
+"of SSH public keys of specific host if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:186
+msgid ""
+"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:191
+msgid "Invalidate particular sudo rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:197
+msgid "<option>-R</option>,<option>--sudo-rules</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:201
+msgid ""
+"Invalidate all cached sudo rules. This option overrides invalidation of "
+"specific sudo rule if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:209
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>domain</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:214
+msgid "Restrict invalidation process only to a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
+msgid "sss_debuglevel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_debuglevel.8.xml:16
+msgid "[DEPRECATED] change debug level while SSSD is running"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_debuglevel.8.xml:21
+msgid ""
+"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_debuglevel.8.xml:32
+msgid ""
+"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl "
+"debug-level command. Please refer to the <command>sssctl</command> man page "
+"for more information on sssctl usage."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_seed.8.xml:10 sss_seed.8.xml:15
+msgid "sss_seed"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_seed.8.xml:16
+msgid "seed the SSSD cache with a user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_seed.8.xml:21
+msgid ""
+"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
+"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:33
+msgid ""
+"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
+"temporary password. If a user entry is already present in the SSSD cache "
+"then the entry is updated with the temporary password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:46
+msgid ""
+"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:51
+msgid ""
+"Provide the name of the domain in which the user is a member of. The domain "
+"is also used to retrieve user information. The domain must be configured in "
+"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
+"Information retrieved from the domain overrides what is provided in the "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:63
+msgid ""
+"<option>-n</option>,<option>--username</option> <replaceable>USER</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:68
+msgid ""
+"The username of the entry to be created or modified in the cache. The "
+"<replaceable>USER</replaceable> option must be provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:81
+msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:93
+msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:117
+msgid ""
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:129
+msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:140
+msgid ""
+"Interactive mode for entering user information. This option will only prompt "
+"for information not provided in the options or retrieved from the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:148
+msgid ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:153
+msgid ""
+"Specify file to read user's password from. (if not specified password is "
+"prompted for)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:165
+msgid ""
+"The length of the password (or the size of file specified with -p or --"
+"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+"on systems with no globally-defined PASS_MAX value)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+msgid "sssd-ifp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ifp.5.xml:17
+msgid "SSSD InfoPipe responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:23
+msgid ""
+"This manual page describes the configuration of the InfoPipe responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:36
+msgid ""
+"The InfoPipe responder provides a public D-Bus interface accessible over the "
+"system bus. The interface allows the user to query information about remote "
+"users and groups over the system bus."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:46
+msgid "These options can be used to configure the InfoPipe responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:53
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:59
+msgid ""
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:63
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the InfoPipe responder, which would be the typical case, you have to "
+"add 0 to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:77
+msgid "Specifies the comma-separated list of white or blacklisted attributes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:91
+msgid "name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:92
+msgid "user's login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:95
+msgid "uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:96
+msgid "user ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:99
+msgid "gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:100
+msgid "primary group ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:103
+msgid "gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:104
+msgid "user information, typically full name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:107
+msgid "homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:111
+msgid "loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:112
+msgid "user shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:81
+msgid ""
+"By default, the InfoPipe responder only allows the default set of POSIX "
+"attributes to be requested. This set is the same as returned by "
+"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ifp.5.xml:125
+#, no-wrap
+msgid ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:117
+msgid ""
+"It is possible to add another attribute to this set by using <quote>"
+"+attr_name</quote> or explicitly remove an attribute using <quote>-"
+"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
+"deny <quote>loginShell</quote>, you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:129
+msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:139
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup that overrides caller-supplied limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:144
+msgid "Default: 0 (let the caller set an upper limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refentryinfo>
+#: sss_rpcidmapd.5.xml:8
+msgid ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
+msgid "sss_rpcidmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_rpcidmapd.5.xml:33
+msgid "sss plugin configuration directives for rpc.idmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:37
+msgid "CONFIGURATION FILE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:39
+msgid ""
+"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:49
+msgid "SSS CONFIGURATION EXTENSION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:51
+msgid "Enable SSS plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:53
+msgid ""
+"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
+"attribute to contain <emphasis>sss</emphasis>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:59
+msgid "[sss] config section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:61
+msgid ""
+"In order to change the default of one of the configuration attributes of the "
+"<emphasis>sss</emphasis> plugin listed below you will need to create a "
+"config section for it, named <quote>[sss]</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sss_rpcidmapd.5.xml:67
+msgid "Configuration attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sss_rpcidmapd.5.xml:69
+msgid "memcache (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sss_rpcidmapd.5.xml:72
+msgid "Indicates whether or not to use memcache optimisation technique."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:85
+msgid "SSSD INTEGRATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:87
+msgid ""
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
+"in sssd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:91
+msgid ""
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
+"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
+"wire)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_rpcidmapd.5.xml:103
+#, no-wrap
+msgid ""
+"[General]\n"
+"Verbosity = 2\n"
+"# domain must be synced between NFSv4 server and clients\n"
+"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:100
+msgid ""
+"The following example shows a minimal idmapd.conf which makes use of the sss "
+"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
+msgid "SEE ALSO"
+msgstr "VIZ TAKÉ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:122
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
+msgid "sss_ssh_authorizedkeys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
+msgid "1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_authorizedkeys.1.xml:16
+msgid "get OpenSSH authorized keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_authorizedkeys.1.xml:21
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+msgid "p11_child_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+msgid "certificate_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys. When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +#, fuzzy +#| msgid "<option>-h</option>,<option>--help</option>" +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "<option>-h</option>,<option>--help</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +msgid "passwd_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +msgid "Default: /etc/passwd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +msgid "group_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. 
Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. 
The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. 
<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. 
The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." 
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. 
Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. 
If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." 
+msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. 
If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). 
In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. 
This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. 
If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "Zobraz nápovědu a ukonči program." + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "<option>-h</option>,<option>--help</option>" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." 
+msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> 
</citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. 
In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/de.po b/src/man/po/de.po
new file mode 100644
index 0000000..03ae053
--- /dev/null
+++ b/src/man/po/de.po
@@ -0,0 +1,17789 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# Chris Leick <c.leick@vollbio.de>, 2013
+# Fabian Affolter <fab@fedoraproject.org>, 2011
+# Mario Blättermann <mario.blaettermann@gmail.com>, 2014
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-14 11:53+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: German (http://www.transifex.com/projects/p/sssd/language/"
+"de/)\n"
+"Language: de\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "SSSD-Handbuchseiten"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#.
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "Ändern einer Gruppe" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "BESCHREIBUNG" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" +"<command>sss_groupmod</command> ändert die Gruppe, um die auf der " +"Befehlszeile angegebenen Änderungen widerzuspiegeln." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "OPTIONEN" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GRUPPEN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"hängt diese Gruppe an die Gruppen an, die durch den Parameter " +"<replaceable>GRUPPEN</replaceable> angegeben wurden. Der Parameter " +"<replaceable>GRUPPEN</replaceable> ist eine durch Kommata getrennte Liste " +"von Gruppennamen." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GRUPPEN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"entfernt diese Gruppe von den Gruppen, die durch den Parameter " +"<replaceable>GRUPPEN</replaceable> angegeben wurden." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Dateiformate und Konventionen" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "die Konfigurationsdatei für SSSD" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "DATEIFORMAT" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Die Datei hat eine Syntax im Ini-Stil. Sie besteht aus Abschnitten und " +"Parametern. Ein Abschnitt beginnt mit dem Namen des Abschnitts in eckigen " +"Klammern und dauert bis zum Anfang des nächsten Abschnitts. Ein Beispiel " +"eines Abschnitts mit Parametern, die einzelne und mehrere Werte haben: " +"<placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" +"Die benutzten Datentypen sind Zeichenkette (keine Anführungszeichen nötig), " +"Ganzzahl und Boolesch (mit den Werten »TRUE« und »FALSE«)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +#, fuzzy +#| msgid "" +#| "A line comment starts with a hash sign (<quote>#</quote>) or a semicolon " +#| "(<quote>;</quote>). Inline comments are not supported." +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." 
+msgstr "" +"Eine Kommentarzeile beginnt mit einem Rautenzeichen (»#«) oder einem " +"Strichpunkt (»;«). Kommentare innerhalb von Zeilen werden nicht unterstützt." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" +"Alle Abschnitte können einen optionalen Parameter <replaceable>Beschreibung</" +"replaceable> haben. Er dient nur als Beschriftung eines Abschnitts." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" +"<filename>sssd.conf</filename> muss eine normale Datei sein, die Root gehört " +"und die nur von Root gelesen oder geschrieben werden darf." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "ALLGEMEINE OPTIONEN" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" +"Die folgenden Optionen sind in mehreren Konfigurationsabschnitten verfügbar." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "In allen Abschnitten verfügbare Optionen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "debug_level (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "debug_timestamps (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Voreinstellung: »true«" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "debug_microseconds (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Voreinstellung: »false«" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "In den Abschnitten SERVICE und DOMAIN verwendbare Optionen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Voreinstellung: 10" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "BESONDERE ABSCHNITTE" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "Der Abschnitt [sssd]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Abschnittsparameter" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "config_file_version (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" +"gibt die Syntax der Konfigurationsdatei an. SSSD 0.6.0 und neuer benutzen " +"Version 2." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "Dienste" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" +"Unterstützte Dienste sind: nss, pam <phrase condition=\"with_sudo\">, sudo</" +"phrase> <phrase condition=\"with_autofs\">, autofs</phrase> <phrase " +"condition=\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder" +"\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "reconnection_retries (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" +"Anzahl der Versuche, die ein Dienst unternehmen sollte, um sich erneut zu " +"verbinden, bevor er aufgibt, falls ein Datenanbieter abgestürzt ist oder neu " +"startet." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:239 sssd.conf.5.xml:622
+msgid "Default: 3"
+msgstr "Voreinstellung: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:244
+msgid "domains"
+msgstr "Domains"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:247
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start. This parameter describes the list of domains in the order you want "
+"them to be queried. A domain name should only consist of alphanumeric ASCII "
+"characters, dashes, dots and underscores."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597
+msgid "re_expression (string)"
+msgstr "re_expression (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:262
+msgid ""
+"Default regular expression that describes how to parse the string containing "
+"user name and domain into these components."
+msgstr ""
+"voreingestellter regulärer Ausdruck, der beschreibt, in welche Bestandteile "
+"die Zeichenkette mit Benutzernamen und Domain bei der Auswertung zerlegt "
+"werden sollen."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:267
+msgid ""
+"Each domain can have an individual regular expression configured. For some "
+"ID providers there are also default regular expressions. See DOMAIN SECTIONS "
+"for more info on these regular expressions."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645
+msgid "full_name_format (string)"
+msgstr "full_name_format (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to compose a "
+"fully qualified name from user name and domain name components."
+msgstr ""
+"ein mit <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> kompatibles Format, das beschreibt, wie ein voll "
+"qualifizierter Name aus den Bestandteilen Benutzername und Domain-Name "
+"zusammengestellt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659
+msgid "%1$s"
+msgstr "%1$s"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660
+msgid "user name"
+msgstr "Benutzername"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663
+msgid "%2$s"
+msgstr "%2$s"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666
+msgid "domain name as specified in the SSSD config file."
+msgstr "Domain-Name, wie er durch die SSSD-Konfigurationsdatei angegeben wird"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672
+msgid "%3$s"
+msgstr "%3$s"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675
+msgid ""
+"domain flat name. Mostly usable for Active Directory domains, both directly "
+"configured or discovered via IPA trusts."
+msgstr ""
+"flacher Name der Domain; meist für Active-Directory-Domains nützlich, sowohl "
+"direkt konfiguriert als auch über IPA-Trust"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656
+msgid ""
+"The following expansions are supported: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+"Die folgenden Erweiterungen werden unterstützt: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:316
+msgid ""
+"Each domain can have an individual format string configured. see DOMAIN "
+"SECTIONS for more info on this option."
+msgstr ""
+"Für jede Domain kann eine individuelle Formatzeichenkette konfiguriert "
+"werden. Weitere Informationen über diese Option finden Sie unter DOMAIN-"
+"ABSCHNITTE."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:322
+msgid "try_inotify (boolean)"
+msgstr "try_inotify (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:325
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver.
By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+"SSSD überwacht den Status der »resolv.conf«, um festzustellen, wann es "
+"seinen internen DNS-Resolver aktualisieren muss. Standardmäßig werden wir "
+"versuchen, dafür Inotify zu benutzen. Falls Inotify nicht benutzt werden "
+"kann, werden wir darauf zurückgreifen, alle fünf Sekunden »resolv.conf« "
+"abzufragen."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:333
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+"Es gibt ein paar begrenzte Situationen, in denen wir den Versuch, Inotify zu "
+"benutzen, vorzugsweise überspringen sollten. In diesen seltenen Fällen "
+"sollte diese Option auf »false« gesetzt werden."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+"Voreinstellung: »true« auf Plattformen, auf denen Inotify unterstützt wird, "
+"»false« auf anderen Plattformen."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+"Hinweis: Diese Option wird auf Plattformen, auf denen Inotify nicht "
+"verfügbar ist, keine Auswirkungen haben."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr "krb5_rcache_dir (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Verzeichnis auf dem Dateisystem, auf dem SSSD Dateien des Kerberos-Replay-"
+"Zwischenspeichers speichern sollte."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+"Diese Option akzeptiert einen besonderen Wert, __LIBKRB5_DEFAULTS__, der "
+"SSSD anweisen wird, Libkrb5 die Entscheidung zu überlassen, wo der geeignete "
+"Ort für den Replay-Zwischenspeicher ist."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+"Voreinstellung: ahängig von der Distribution und zur Bauzeit angegeben "
+"(__LIBKRB5_DEFAULTS__, falls nicht konfiguriert)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user.
<phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr "default_domain_suffix (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+"Diese Zeichenkette wird als Standard-Domain-Name für alle Namen ohne einen "
+"Domain-Namensbestandteil benutzt. Hauptsächlich wird dies in Umgebungen "
+"benutzt, in denen die primäre Domain zur Verwaltung von Rechnerrichtlinien "
+"gedacht ist und sich alle Anwender in einer vertrauenswürdigen Domain "
+"befinden. Die Option ermöglicht diesen Anwendern die Anmeldung allein mit "
+"ihrem Benutzernamen ohne auch eine Domain anzugeben."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr "Voreinstellung: nicht gesetzt"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider.
In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr "Voreinstellung: Nicht gesetzt"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Individuelle Teile der SSSD-Funktionalität werden durch spezielle SSSD-"
+"Dienste bereitgestellt, die zusammen mit SSSD gestartet und gestoppt werden. "
+"Die Dienste werden durch einen speziellen Dienst, oft »Monitor« genannt, "
+"verwaltet. Der Abschnitt »[sssd]« wird sowohl zum Konfigurieren des Monitors "
+"als auch einiger anderer wichtiger Optionen wie den »Identity Domains« "
+"verwendet. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#.
type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "DIENSTABSCHNITTE"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+"Dieser Abschnitt beschreibt Einstellungen, die zum Konfigurieren mehrerer "
+"unterschiedlicher Dienste benutzt werden. Sie sollten im Abschnitt "
+"[<replaceable>$NAME</replaceable>] liegen, für den Dienst NSS wäre der "
+"Abschnitt zum Beispiel <quote>[nss]</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "Allgemeine Optionen zum Konfigurieren von Diensten"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "Diese Optionen können zur Konfiguration jedes Dienstes benutzt werden."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr "fd_limit"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+"Diese Option gibt die maximale Anzahl von Dateideskriptoren an, die "
+"gleichzeitig durch diesen SSSD-Prozess geöffnet sein können. Auf Systemen, "
+"auf denen SSSD die Fähigkeit CAP_SYS_RESOURCE gewährt wird, wird dies eine "
+"absolute Einstellung sein. Auf Systemen ohne diese Fähigkeit wird der "
+"resultierende Wert der niedrigere Wert hiervon oder der der »harten« "
+"Begrenzung in der »limit.conf« sein."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr "Voreinstellung: 8192 (oder die »harte« Begrenzung der »limit.conf«)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr "Voreinstellung: 60"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr "offline_timeout (Ganzzahl)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds.
Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Voreinstellung: 300"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr "NSS-Konfigurationsoptionen"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+"Diese Optionen können zum Konfigurieren des »Name Service Switch« (NSS) "
+"benutzt werden"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr "enum_cache_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+"Wieviele Sekunden soll »nss_sss« Aufzählungen (Abfragen von Informationen "
+"über alle Nutzer) zwischenspeichern?"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "Voreinstellung: 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr "entry_cache_nowait_percentage (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+"Der Eintragszwischenspeicher kann auf automatisch im Hintergrund "
+"aktualisierte Einträge gestellt werden, falls sie jenseits eines "
+"Prozentsatzes des Wertes »entry_cache_timeout« für die Domain abgefragt "
+"werden."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+"Falls zum Beispiel die Zeitüberschreitung für den Eintragszwischenspeicher "
+"der Domain auf 30s und »entry_cache_nowait_percentage« auf 50 Prozent "
+"gesetzt wurde, werden Einträge, die in den letzten 15 Sekunden nach der "
+"letzen Zwischenspeicheraktualisierung hereinkamen, sofort zurückgegeben, "
+"SSSD wird aber den Zwischenspeicher selbst aktualisieren, so dass zukünftige "
+"Abfragen nicht blockiert werden müssen, um auf eine "
+"Zwischenspeicheraktualisierung zu warten."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+"Gültige Werte für diese Option sind 0-99. Sie geben die Prozentzahl des "
+"»entry_cache_timeout« für jede Domain an. Aus Leistungsgründen wird diese "
+"Prozentzahl die »nowait«-Zeitüberschreitung nie auf weniger als zehn "
+"Sekunden senken. (0 schaltet diese Funktionalität aus.)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "Voreinstellung: 50"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"gibt an, für wie viele Sekunden lang »nss_sss« negative "
+"Zwischenspeichertreffer zwischenspeichern soll (das heißt, Abfragen "
+"ungültiger Datenbankeinträge, wie solche, die nicht existieren), bevor das "
+"Backend erneut gefragt wird)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr "Voreinstellung: 15"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +#, fuzzy +#| msgid "Default: 86400 (24 hours)" +msgid "Default: 14400 (4 hours)" +msgstr "Voreinstellung: 86400 (24 Stunden)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "filter_users, filter_groups (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "Voreinstellung: root" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "filter_users_in_groups (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" +"Falls Sie möchten, dass gefilterte Nutzer weiterhin Gruppenmitglieder sind, " +"setzen Sie diese Option auf »false«." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "fallback_homedir (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" +"setzt eine Standardschablone für das Home-Verzeichnis eines Nutzers, falls " +"es nicht explizit durch den Datenanbieter der Domain angegeben wurde." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" +"Die für diese Option verfügbaren Werte sind dieselben wie für " +"»override_homedir«." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" +"fallback_homedir = /home/%u\n" +" " + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "Beispiel: <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" +"Voreinstellung: nicht gesetzt (kein Ersetzen nicht gesetzter Home-" +"Verzeichnisse)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "override_shell (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" +"Setzt die Anmeldeshell für alle Benutzer außer Kraft. Diese Option genießt " +"Vorrecht vor allen anderen Shell-Optionen, falls sie Wirkung zeigt und kann " +"entweder im Abschnitt [nss] oder für jede Domain gesetzt werden." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" +"Voreinstellung: nicht gesetzt (SSSD wird den von LDAP erhaltenen Wert " +"benutzen)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "allowed_shells (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" +"beschränkt die Shell des Nutzers auf eine der aufgeführten Werte. Die " +"Reihenfolge der Auswertung ist:" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "1. Falls die Shell in »/etc/shells« vorhanden ist, wird sie benutzt." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" +"2. Falls die Shell in der Liste »allowed_shells«, aber nicht in »/etc/" +"shells« steht, wird der Wert des Parameters »shell_fallback« verwendet." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" +"3. Falls die Shell weder in der Liste »allowed_shells« noch in »/etc/shells« " +"steht, wird eine Nicht-Login-Shell benutzt." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" +"Eine leere Zeichenkette als Shell wird, so wie sie ist, an Libc übergeben." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" +"»/etc/shells« wird nur beim Start von SSSD gelesen. Das bedeutet, dass im " +"Fall einer neu installierten Shell ein Neustart von SSSD nötig ist." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" +"Voreinstellung: nicht gesetzt. Die Benutzer-Shell wird automatisch verwendet." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "vetoed_shells (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "ersetzt jedwede Instanz dieser Shells durch die aus »shell_fallback«." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "shell_fallback (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" +"Die Standard-Shell, die benutzt werden soll, falls eine erlaubte Shell nicht " +"auf dem Rechner installiert ist." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "Voreinstellung: /bin/sh" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "default_shell" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" +"Die zu verwendende Vorgabeshell, falls der Anbieter während des Suchvorgangs " +"nichts zurückgibt. Diese Option kann entweder im Abschnitt [nss] oder für " +"jede Domain gesetzt werden." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" +"Voreinstellung: nicht gesetzt (Falls keine Shell angegeben wurde, wird NULL " +"zurückgegeben und darauf vertraut, dass Libc es, wenn nötig, durch etwas " +"Vernünftiges, üblicherweise /bin/sh, ersetzt.)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "get_domains_timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" +"gibt die Zeit in Sekunden an, während der die Liste der Subdomains als " +"gültig erachtet wird." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "memcache_timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "user_attributes (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "Diese Option kann auch pro Domain gesetzt werden." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "PAM-Konfigurationsoptionen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" +"Diese Optionen können benutzt werden, um den Dienst »Pluggable " +"Authentication Module« (PAM) einzurichten." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "offline_credentials_expiration (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" +"Wie lange sollen zwischengespeicherte Anmeldungen erlaubt werden, falls der " +"Authentifizierungsanbieter offline ist (in Tagen seit der letzten " +"erfolgreichen Anmeldung)?" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "Voreinstellung: 0 (unbegrenzt)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "offline_failed_login_attempts (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." 
+msgstr "" +"Wieviele fehlgeschlagene Anmeldeversuche sind erlaubt, falls der " +"Authentifizierungsanbieter offline ist?" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "offline_failed_login_delay (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" +"die Zeit in Minuten, die nach dem Erreichen von " +"»offline_failed_login_attempts« vergehen muss, bevor ein neuer " +"Anmeldeversuch möglich ist." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" +"Falls dies auf 0 gesetzt ist, kann der Benutzer sich nicht offline " +"authentifizieren, wenn »offline_failed_login_attempts« erreicht wurde. Nur " +"eine erfolgreiche Online-Authentifizierung kann die Offline-" +"Authentifizierung reaktivieren." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "Voreinstellung: 5" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "pam_verbosity (Ganzzahl)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" +"steuert, welche Arten von Nachrichten während der Benutzerauthentifizierung " +"angezeigt werden. Je höher die Zahl, desto mehr Nachrichten werden angezeigt." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "Derzeit unterstützt SSSD folgende Werte:" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "<emphasis>0</emphasis>: keine Nachricht anzeigen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "<emphasis>1</emphasis>: nur wichtige Nachrichten anzeigen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "<emphasis>2</emphasis>: nur informative Nachrichten anzeigen" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" +"<emphasis>3</emphasis>: alle Nachrichten und Debug-Informationen anzeigen" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "Voreinstellung: 1" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "pam_id_timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" +"Für alle PAM-Anfragen, während SSSD online ist, wird SSSD versuchen, sofort " +"die zwischengespeicherten Identitätsinformationen für den Benutzer zu " +"aktualisieren. Dadurch wird sichergestellt, dass die Authentifizierung mit " +"den neusten Informationen erfolgt." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" +"Eine vollständige PAM-Konversation kann mehrere PAM-Abfragen durchführen, " +"wie die Kontenverwaltung und das Öffnen von Sitzungen. Diese Option steuert " +"(auf Basis von Client-Anwendungen) wie lange (in Sekunden) die " +"Identitätsinformationen zwischengespeichert werden können, um übermäßig " +"viele Abfragen der Identitätsanbieter zu vermeiden." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "pam_pwd_expiration_warning (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "zeigt N Tage vor Ablauf des Passworts eine Warnung an." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" +"Bitte beachten Sie, dass der Backend-Server Informationen über die " +"Ablaufzeit des Passworts bereitstellen muss. Fehlt diese Information, kann " +"SSSD keine Warnung anzeigen." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" +"Falls dies auf Null gesetzt ist, wird dieser Filter nicht angewendet, d.h., " +"falls die Ablaufwarnung vom Backend-Server empfangen wurde, wird sie " +"automatisch angezeigt." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" +"Diese Einstellung kann durch Setzen von <emphasis>pwd_expiration_warning</" +"emphasis> für eine bestimmte Domain außer Kraft gesetzt werden." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "Voreinstellung: 0" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "Voreinstellung: none" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. 
Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "Voreinstellung: False" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +#, fuzzy +#| msgid "Default: 3" +msgid "Default:" +msgstr "Voreinstellung: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr "Sudo-Konfigurationsoptionen"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Diese Optionen können zur Konfiguration des Sudo-Dienstes verwendet werden. 
"
+"Detaillierte Informationen zur Konfiguration von <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"zur Verwendung mit <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> finden Sie in der Handbuchseite zu "
+"<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr "sudo_timed (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+"bestimmt, ob die Attribute »sudoNotBefore« und »sudoNotAfter«, die "
+"zeitabhängige »sudoers«-Einträge implementieren, ausgewertet werden oder "
+"nicht."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr "AUTOFS-Konfigurationsoptionen"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr ""
+"Diese Optionen können zum Konfigurieren des Dienstes »autofs« benutzt werden."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr "autofs_negative_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"gibt an, wie viele Sekunden der Autofs-Responder negative Treffer "
+"zwischenspeichert (das bedeutet, Abfragen ungültiger Abbildeinträge, wie "
+"nicht existierende), bevor das Backend erneut befragt wird."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr "SSH-Konfigurationsoptionen"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr ""
+"Diese Optionen können zum Konfigurieren des SSH-Dienstes benutzt werden."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr "ssh_hash_known_hosts (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file." 
+msgstr ""
+"bestimmt, ob Rechnernamen und Adressen in der verwalteten Datei "
+"»known_hosts« zusammengemischt werden oder nicht."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr "ssh_known_hosts_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+"bestimmt, wie viele Sekunden lang ein Rechner in der verwalteten Datei "
+"»known_hosts« behalten wird, bevor seine Rechnerschlüssel abgefragt werden."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr "Voreinstellung: 180"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+#, fuzzy
+#| msgid ""
+#| "The skeleton directory, which contains files and directories to be copied "
+#| "in the user's home directory, when the home directory is created by "
+#| "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>"
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." 
+msgstr ""
+"die Verzeichnisvorlage, die Dateien und Verzeichnisse enthält, die in das "
+"Home-Verzeichnis des Benutzers kopiert werden, wenn das Home-Verzeichnis "
+"durch <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> erstellt wird"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr "PAC-Responder-Konfigurationsoptionen"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. 
"
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+"Falls es Gruppen-SIDs von Domains gibt, die SSSD kennt, wird der Benutzer zu "
+"diesen Gruppen hinzugefügt."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+"Diese Optionen können zur Konfiguration des PAC-Responders verwendet werden."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr "allowed_uids (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+"gibt die durch Kommata getrennte Liste von UID-Werten oder Benutzernamen an, "
+"denen der Zugriff auf den PAC-Responder erlaubt ist. Benutzernamen werden "
+"beim Starten zu UIDs aufgelöst."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+"Voreinstellung: 0 (Nur dem Benutzer Root ist der Zugriff auf den PAC-"
+"Responder gestattet.)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+"Bitte beachten Sie, dass, obwohl die UID 0 als Voreinstellung benutzt wird, "
+"diese Option sie überschriebt. Falls Sie weiterhin dem Benutzer Root Zugriff "
+"auf den PAC-Responder gewähren möchten, was der Normalfall ist, müssen Sie "
+"der Liste der erlaubten UIDs auch die 0 hinzufügen."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr "DOMAIN-ABSCHNITTE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr "min_id,max_id (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+"UID- und GID-Beschränkungen für die Domain. Falls eine Domain einen Eintrag "
+"enthält, der jenseits dieser Beschränkungen liegt, wird er ignoriert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+"Dies beeinflusst die Haupt-GID-Beschränkung für Benutzer. Der Benutzer wird "
+"nicht an NSS zurückgegeben, falls entweder die UID oder die Haupt-GID "
+"außerhalb des Bereichs liegt. Bei Mitgliedschaften in Nichthauptgruppen "
+"werden jene, die im Bereich liegen, wie erwartet gemeldet."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+"Diese ID-Beschränkungen beeinflussen sogar das Speichern von Einträgen in "
+"den Zwischenspeicher und nicht nur ihre Rückgabe über Name oder ID."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr "Voreinstellung: 1 für »min_id«, 0 (keine Beschränkung) für »max_id«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr "enumerate (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr "TRUE = Benutzer und Gruppen werden aufgezählt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr "FALSE = keine Aufzählungen für diese Domain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "Voreinstellung: FALSE"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+"Während die erste Aufzählung läuft, geben Anfragen nach vollständigen "
+"Benutzer- oder Gruppenlisten möglicherweise bis zur Fertigstellung keine "
+"Ergebnisse zurück."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use." 
+msgstr ""
+"Darüber hinaus kann das Aktivieren der Aufzählung dazu führen, dass "
+"Netzwerkausfälle erst später entdeckt werden. Dies kommt daher, dass längere "
+"Zeitüberschreitungen vonnöten sind, um sicherzustellen, dass das "
+"Nachschlagen von Aufzählungen vollständig erfolgreich war. Weitere "
+"Informationen finden Sie in den Handbuchseiten für den jeweils aktuell "
+"benutzten »id_provider«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+"Aus den oben genannten Gründen wird das Aktivieren von Aufzählungen, "
+"insbesondere in großen Umgebungen, nicht empfohlen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr "subdomain_enumerate (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr "all"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr "Alle entdeckten vertrauenswürdigen Domains werden aufgezählt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr "none"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr "Keine der entdeckten vertrauenswürdigen Domains wird aufgezählt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+"Legt fest, ob eventuell automatisch erkannte vertrauenswürdige Domains "
+"aufgezählt werden sollen. Folgende Werte werden unterstützt: <placeholder "
+"type=\"variablelist\" id=\"0\"/> Optional wird eine Liste aus einer oder "
+"mehreren Domain-Namen die Aufzählung für genau diese vertrauenswürdigen "
+"Domains aktivieren."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr "entry_cache_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang »nss_sss« Einträge als gültig betrachten "
+"soll, bevor das Backend erneut abgefragt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. 
You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+"Die Ablaufzeitstempel werden als Attribute individueller Objekte im "
+"Zwischenspeicher gespeichert. Daher zeigt die Änderung der Ablaufzeiten im "
+"Zwischenspeicher nur Wirkung bei neu hinzugefügten oder abgelaufenen "
+"Einträgen. Sie sollten <citerefentry> <refentrytitle>sss_cache</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> ausführen, um die "
+"Aktualisierung von Einträgen zu erzwingen, die bereits zwischengespeichert "
+"wurden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "Voreinstellung: 5400"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr "entry_cache_user_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang »nss_sss« Benutzereinträge als gültig "
+"betrachten soll, bevor das Backend erneut abgefragt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr "Voreinstellung: entry_cache_timeout"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr "entry_cache_group_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang »nss_sss« Gruppeneinträge als gültig "
+"betrachten soll, bevor das Backend erneut abgefragt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr "entry_cache_netgroup_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang »nss_sss« Netzgruppeneinträge als gültig "
+"betrachten soll, bevor das Backend erneut abgefragt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr "entry_cache_service_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang »nss_sss« Diensteinträge als gültig "
+"betrachten soll, bevor das Backend erneut abgefragt wird."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr "entry_cache_sudo_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang Sudo Regeln als gültig betrachten soll, "
+"bevor das Backend erneut abgefragt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr "entry_cache_autofs_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+"bestimmt, wie viele Sekunden lang der Dienst »autofs« Abbilder des "
+"Automounters als gültig betrachten soll, bevor das Backend erneut abgefragt "
+"wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr "refresh_expired_interval (Ganzzahl)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+"Legt die Anzahl der Sekunden fest, die SSSD warten soll, bevor eine neuer "
+"Prozess der Aktualisierung im Hintergrund ausgelöst wird, bei dem alle "
+"abgelaufenen oder beinahe abgelaufenen Daten aktualisiert werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+"Sie können in Betracht ziehen, diesen Wert auf 3/4 * entry_cache_timeout zu "
+"setzen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr "Voreinstellung: 0 (deaktiviert)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr "cache_credentials (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+"bestimmt, ob auch Benutzerberechtigungen im lokalen LDB-Zwischenspeicher "
+"zwischengespeichert werden."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+"Benutzerberechtigungen werden in einem SHA512-Hash, nicht im Klartext "
+"gespeichert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr "account_cache_expiration (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+"Anzahl der Tage, während der Einträge nach einer erfolgreichen Anmeldung im "
+"Zwischenspeicher bleiben, bevor sie im Laufe der Zwischenspeicherbereinigung "
+"entfernt werden. 0 bedeutet, für immer aufbewahren. Der Wert dieses "
+"Parameters muss größer oder gleich »offline_credentials_expiration« sein."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "Voreinstellung: 0 (unbegrenzt)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr "pwd_expiration_warning (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+"Bitte beachten Sie, dass der Backend-Server Informationen über die "
+"Ablaufzeit des Passworts bereitstellen muss. Fehlt diese Information, kann "
+"SSSD keine Warnung anzeigen. Außerdem muss für das Backend ein "
+"Authentifizierungsanbieter konfiguriert werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr "Voreinstellung: 7 (Kerberos), 0 (LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr "id_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. 
Supported ID providers are:"
+msgstr ""
+"der für die Domain benutzte Authentifizierungsanbieter. Folgende ID-Anbieter "
+"werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+#, fuzzy
+#| msgid "<quote>proxy</quote>: Support a legacy NSS provider"
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr "»proxy«: unterstützt einen veralteten NSS-Anbieter."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+#, fuzzy
+#| msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr "»local«: SSSDs interner Anbieter für lokale Benutzer"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+#, fuzzy
+#| msgid ""
+#| "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> for more information on configuring LDAP."
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+"»ldap«: LDAP-Anbieter: Weitere Informationen über die Konfiguration von LDAP "
+"finden Sie unter <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+"»ldap«: LDAP-Anbieter: Weitere Informationen über die Konfiguration von LDAP "
+"finden Sie unter <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+"»ipa«: Anbieter von FreeIPA und Red Hat Enterprise Identity Management. "
+"Weitere Informationen über die Konfiguration von FreeIPA finden Sie unter "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+"»ad«: Active-Directory-Anbieter: Weitere Informationen über die "
+"Konfiguration von Active Directory finden Sie unter <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr "use_fully_qualified_names (Boolesch)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+"benutzt den vollständigen Namen und die Domain (wie sie durch das "
+"»full_name_format« der Domain formatiert wurde) als Anmeldenamen des "
+"Benutzers, der an NSS gemeldet wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+"Ist dies auf TRUE gesetzt, müssen Anfragen an diese Domain voll "
+"qualifizierte Namen benutzen. Falls zum Beispiel <command>getent passwd "
+"test</command> in der Domain LOCAL benutzt wird, die einen Benutzer »test« "
+"enthält, würde der Benutzer nicht gefunden, <command>getent passwd "
+"test@LOCAL</command> würde ihn hingegen finden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+"ACHTUNG: Diese Option ist bei Netzgruppen-Suchanfragen wirkungslos, da diese "
+"dazu tendieren, verschachtelte Netzgruppen ohne voll qualifizierte Namen "
+"einzubeziehen. Bei Netzgruppen werden alle Domains durchsucht, wenn ein "
+"nicht voll qualifizierter Name angefragt wird."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr "ignore_group_members (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr "gibt beim Nachschlagen der Gruppe nicht die Gruppenmitglieder zurück."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+"der für diese Domain benutzte Authentifizierungsanbieter. Folgende "
+"Authentifizierungsanbieter werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"»ldap« für native LDAP-Authentifizierung. Weitere Informationen über die "
+"Konfiguration von LDAP finden Sie unter <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"»krb5« für Kerberos-Authentifizierung. Weitere Informationen über die "
+"Konfiguration von Kerberos finden Sie unter <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+"»proxy« zur Weitergabe der Authentifizierung an irgendein anderes PAM-Ziel"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr "»local«: SSSDs interner Anbieter für lokale Benutzer"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr "»none« deaktiviert explizit die Authentifizierung."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+"Voreinstellung: »id_provider« wird, falls es gesetzt ist, benutzt und kann "
+"mit Authentifizierungsanfragen umgehen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr "access_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+"der für diese Domain benutzte Zugriffssteuerungsanbieter. Es gibt zwei "
+"integrierte Zugriffsanbieter (zusätzlich zu denen, die in den installierten "
+"Backends enthalten sind). Interne Spezialanbieter sind:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+"»permit« gibt immer Zugriff. 
Es ist der einzige erlaubte Zugriffsanbieter "
+"für eine lokale Domain."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr "»deny« verweigert dem Zugriff immer."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+"»simple«: Zugriffssteuerung basierend auf Zugriffs- oder "
+"Verweigerungslisten. Weitere Informationen über die Konfiguration des "
+"einfachen Zugriffsmoduls finden sie unter <citerefentry> <refentrytitle>sssd-"
+"simple</refentrytitle> <manvolnum>5</manvolnum></citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr "Voreinstellung: »permit«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr "chpass_provider (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+"der Anbieter, der Passwortänderungsaktionen für die Domain handhaben soll. "
+"Folgende Anbieter von Passwortänderungen werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"»krb5« zum Ändern des Kerberos-Passworts. Weitere Informationen über die "
+"Konfiguration von Kerberos finden Sie unter <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+"»proxy« zur Weitergabe der Passwortänderung an irgendein anderes PAM-Ziel"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr "»none« verbietet explizit Passwortänderungen."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+"Voreinstellung: »auth_provider« wird, falls es gesetzt ist, benutzt und "
+"kann mit Passwortänderungsanfragen umgehen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr "sudo_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+"der für diese Domain benutzte Sudo-Anbieter. Folgende Sudo-Anbieter werden "
+"unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"»ldap« für die in LDAP gespeicherten Regeln. Weitere Informationen über die "
+"Konfiguration von LDAP finden Sie unter <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+"<quote>ipa</quote> ist gleichbedeutend mit <quote>ldap</quote>, aber mit den "
+"Vorgabeeinstellungen für IPA."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+"<quote>ad</quote> ist gleichbedeutend mit <quote>ldap</quote>, aber mit den "
+"Vorgabeeinstellungen für AD."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr "»none« deaktiviert explizit Sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+"Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Detaillierte Informationen zur Konfiguration von sudo_provider finden Sie in "
+"der Handbuchseite zu <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. Es gibt zahlreiche verwendbare "
+"Konfigurationsoptionen, mit denen das Verhalten angepasst werden kann. Siehe "
+"»ldap_sudo_*« in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr "selinux_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+"der Anbieter, der das Laden der SELinux-Einstellungen handhaben soll. "
+"Beachten Sie, dass dieser Anbieter direkt aufgerufen wird, nachdem sich der "
+"Zugriffsanbieter beendet hat. Folgende SELinux-Anbieter werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"»ipa«, um SELinux-Einstellungen von einem IPA-Server zu laden. Weitere "
+"Informationen über die Konfiguration von FreeIPA finden Sie unter "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr "»none« verbietet explizit das Abholen von SELinux-Einstellungen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+"Voreinstellung: Falls gesetzt, wird der Wert von »id_provider« benutzt. Er "
+"kann SELinux-Ladeanfragen handhaben."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr "subdomains_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+"der Anbieter, der das Abholen von Subdomains handhaben soll. Dieser Wert "
+"sollte immer derselbe sein wie »id_provider«. Folgende Subdomain-Anbieter "
+"werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"»ipa«, um eine Liste mit Subdomains von einem IPA-Server zu laden. Weitere "
+"Informationen über die Konfiguration von IPA finden Sie unter <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr "»none« deaktiviert explizit das Abholen von Subdomains."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr "autofs_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+"der für diese Domain benutzte Anbieter von »autofs«. Folgende Anbieter von "
+"»autofs« werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"»ldap«, um in LDAP gespeicherte Abbilder zu laden. Weitere Informationen "
+"über die Konfiguration von LDAP finden Sie unter <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+"»ipa«, um auf einem IPA-Server gespeicherte Abbilder zu laden. 
Weitere "
+"Informationen über die Konfiguration von IPA finden Sie unter <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr "»none« deaktiviert explizit »autofs«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr "hostid_provider (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+"der Anbieter, der zum Abfragen der Rechneridentitätsinformationen benutzt "
+"wird. Folgende Anbieter von »hostid« werden unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"»ipa«, um die auf einem IPA-Server gespeicherte Rechneridentität zu laden. "
+"Weitere Informationen über die Konfiguration von IPA finden Sie unter "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>." 
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr "»none« deaktiviert explizit »hostid«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+"regulärer Ausdruck, der beschreibt, in welche Bestandteile die Zeichenkette "
+"mit Benutzernamen und Domain bei der Auswertung zerlegt werden soll. Die "
+"»Domain« kann entweder dem Domain-Namen der SSSD-Konfiguration oder im Fall "
+"vertrauenswürdiger IPA-Subdomains und Active-Directory-Domains dem flachen "
+"(NetBIOS-) Namen der Domain entsprechen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+"Voreinstellung für den AD- oder IPA-Anbieter: »(((?P<Domain>[^\\\\]+)\\"
+"\\(?P<Name>.+$))|((?P<Name>[^@]+)@(?P<Domain>.+$))|(^(?"
+"P<Name>[^@\\\\]+)$))« "
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr "Benutzername"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr "Benutzername@Domain.Name"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr "Domain\\Benutzername"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+"Während die ersten beiden der allgemeinen Voreinstellung entsprechen, wurde "
+"die dritte eingeführt, um eine einfache Eingliederung von Benutzern aus "
+"Windows-Domains zu ermöglichen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+"Voreinstellung: »(?P<Name>[^@]+)@?(?P<Domain>[^@]*$)«, was "
+"bedeutet »der Name ist alles bis zum »@«-Zeichen, die Domain alles danach«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Voreinstellung: »%1$s@%2$s«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr "lookup_family_order (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+"ermöglicht es, die bei DNS-Abfragen zu bevorzugende Adressfamilie zu wählen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "unterstützte Werte:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+"ipv4_first: versucht die IPv4- und, falls dies fehlschlägt, die IPv6-Adresse "
+"nachzuschlagen"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr "ipv4_only: versucht, nur Rechnernamen zu IPv4-Adressen aufzulösen"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+"ipv6_first: versucht die IPv6- und, falls dies fehlschlägt, die IPv4-Adresse "
+"nachzuschlagen"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr "ipv6_only: versucht, nur Rechnernamen zu IPv6-Adressen aufzulösen"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr "Voreinstellung: ipv4_first"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr "dns_resolver_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "Voreinstellung: 6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr "dns_discovery_domain (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+"Falls die Dienstsuche im Backend benutzt wird, gibt dies den Domain-Teil der "
+"DNS-Dienstabfrage an."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr "Voreinstellung: Der Domain-Teil des Rechnernamens wird benutzt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr "override_gid (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr "überschreibt die Haupt-GID mit der angegebenen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr "subdomain_homedir (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr "%F"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr "flacher (NetBIOS-) Name einer Subdomain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Dieses Home-Verzeichnis wird als Vorgabewert für alle Subdomains innerhalb "
+"dieser Domain im IPA-AD-Trust verwendet. In <emphasis>override_homedir</"
+"emphasis> finden Sie Informationen zu möglichen Werten. Außerdem kann die "
+"nachfolgende Expansion nur mit <emphasis>subdomain_homedir</emphasis> "
+"verwendet werden. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+"Der Wert kann mit der Option <emphasis>override_homedir</emphasis> "
+"überschrieben werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr "Voreinstellung: <filename>/home/%d/%u</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr "realmd_tags (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+"verschiedene vom Konfigurationsdienst »realmd« für diese Domain gespeicherte "
+"Kennzeichnungen"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. 
The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Diese Konfigurationsoptionen können in einem Abschnitt einer Domain-"
+"Konfiguration vorhanden sein, das heißt, in einem Abschnitt namens "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr "proxy_pam_target (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to." 
+msgstr "das Proxy-Ziel, an das PAM weiterleitet"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+"Voreinstellung: standardmäßig nicht gesetzt, Sie müssen eine bestehende PAM-"
+"Konfiguration nehmen oder eine neue erstellen und hier den Dienstnamen "
+"hinzufügen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr "proxy_lib_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+"der Name der NSS-Bibliothek, der für die Proxy-Domains benutzt werden soll. "
+"Die in der NSS-Funktionen gesuchten Funktionen haben die Form »_nss_"
+"$(libName)_$(function)«, zum Beispiel »_nss_files_getpwent«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr "proxy_fast_alias (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons." 
+msgstr ""
+"Wenn ein Benutzer oder eine Gruppe anhand des Namen im Anbieter »proxy« "
+"nachgeschlagen wird, wird zusätzlich auch die ID aufgelöst. So wird der Name "
+"für den Fall, dass er ein Alias ist, in eine »kanonische« Form gebracht. "
+"Diese Option auf »True« zu setzen würde SSSD aus Leistungsgründen dazu "
+"veranlassen, die ID im Zwischenspeicher nachzuschlagen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+"gültige Optionen für Proxy-Domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. 
Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr "Der Abschnitt lokale Domain"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+"Dieser Abschnitt enthält Einstellungen für Domains, die Benutzer und Gruppen "
+"ein einer nativen SSSD-Datenbank speichern, das heißt eine Domain, die "
+"<replaceable>ID_Anbieter=lokal</replaceable> benutzt."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr "default_shell (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+"die Standard-Shell für Anwender, die mit den SSSD-Werkzeugen für den "
+"Benutzerbereich erstellt wurde."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Voreinstellung: <filename>/bin/bash</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr "base_directory (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+"Die Werkzeuge hängen den Anmeldenamen an das <replaceable>Basisverzeichnis</"
+"replaceable> und benutzen dies als Home-Verzeichnis."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "Voreinstellung: <filename>/home</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr "create_homedir (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+"gibt an, ob standardmäßig ein Home-Verzeichnis für neue Benutzer erstellt "
+"werden soll; kann auf der Befehlszeile überschrieben werden"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Voreinstellung: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr "remove_homedir (Boolesch)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+"gibt an, ob das Home-Verzeichnis für gelöschte Benutzer standardmäßig "
+"entfernt werden soll; kann auf der Befehlszeile überschrieben werden"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr "homedir_umask (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+"wird von <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> benutzt, um die "
+"Standardzugriffsrechte für ein neu erstelltes Home-Verzeichnis anzugeben."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Voreinstellung: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr "skel_dir (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+"die Verzeichnisvorlage, die Dateien und Verzeichnisse enthält, die in das "
+"Home-Verzeichnis des Benutzers kopiert werden, wenn das Home-Verzeichnis "
+"durch <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> erstellt wird"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Voreinstellung: <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr "mail_dir (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+"das Spool-Verzeichnis für E-Mails. Dies wird benötigt, um die Mailbox zu "
+"manipulieren, wenn das zugehörige Benutzerkonto verändert oder gelöscht "
+"wurde. Ist dies nicht angegeben wird ein Standardwert verwendet."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Voreinstellung: <filename>/var/mail</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "userdel_cmd (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" +"der Befehl, der nach dem Entfernen eines Benutzers ausgeführt wird. Dem " +"Befehl wird als erster und einziger Parameter der Benutzername des Anwenders " +"übergeben, der entfernt wird. Der Rückgabewert des Befehls wird nicht " +"berücksichtigt." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "Voreinstellung: keine, es wird kein Befehl ausgeführt" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "SSSD LDAP-Anbieter" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration von LDAP-Domains für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Detaillierte Syntax-Informationen finden Sie im Abschnitt " +"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" +"Sie können SSSD so konfigurieren, dass es mehr als eine LDAP-Domain benutzt." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. 
" +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" +"Das LDAP-Backend unterstützt ID-, Authentifizierungs-, Zugriffs- und Chpass-" +"Anbieter. Falls Sie sich bei einem LDAP-Server authentifizieren möchten, " +"wird entweder TLS/SSL oder LDAPS benötigt. <command>sssd</command> " +"unterstützt <emphasis>keine</emphasis> Authentifizierung über einen " +"unverschlüsselten Kanal. Falls der LDAP-Server nur als Identitätsanbieter " +"benutzt wird, wird kein verschlüsselter Kanal benötigt. Weitere " +"Informationen über die Verwendung von LDAP als Zugriffsanbieter finden Sie " +"unter »ldap_access_filter«." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "KONFIGURATIONSOPTIONEN" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "ldap_uri, ldap_backup_uri (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." 
+msgstr ""
+"gibt eine durch Kommata getrennte Liste der LDAP-Server-URIs in der "
+"Reihenfolge an, in der sich SSSD mit ihnen verbinden soll. Weitere "
+"Informationen über Ausfallsicherung und Redundanz finden Sie im Abschnitt "
+"»AUSFALLSICHERUNG«. Falls keine Option angegeben wurde, wird die Dienstsuche "
+"aktiviert. Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+"Das Format der URI muss dem in RFC 2732 definierten Format entsprechen:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr "ldap[s]://<Rechner>[:Port]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+"Wenn Sie explizit IPv6-Adressen verwenden möchten, muss <Rechner> in "
+"eckigen Klammern [] stehen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr "Beispiel: ldap://[fc00::126:25]:389"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
+msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+"gibt eine durch Kommata getrennte Liste von URIs der LDAP-Server an, mit "
+"denen SSSD sich in dieser Reihenfolge verbinden soll, um das Passwort eines "
+"Benutzers zu ändern. Weitere Informationen über Ausfallsicherung und "
+"Redundanz finden Sie im Abschnitt »AUSFALLSICHERUNG«. "
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+"Um die Dienstsuche zu aktivieren, muss »ldap_chpass_dns_service_name« "
+"gesetzt sein."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr "Voreinstellung: leer, d.h., dass »ldap_uri« benutzt wird"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr "ldap_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+"der Standardbasis-Domain-Name, der zur Durchführung von LDAP-"
+"Benutzeraktionen benutzt wird"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+"Beginnend mit SSSD 1.7.0 unterstützt SSSD mehrere Suchgrundlagen mittels der "
+"Syntax:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr ""
+"search_base[?Gültigkeitsbereich?[Filter][?search_base?Gültigkeitsbereich?"
+"[Filter]]*]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr ""
+"Der Gültigkeitsbereich kann entweder »base«, »onelevel« oder »subtree« sein."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+"Der Filter muss ein gültiger LDAP-Suchfilter, wie durch http://www.ietf.org/"
+"rfc/rfc2254.txt spezifiziert, sein."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "Beispiele:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+"ldap_search_base = dc=example,dc=com (dies entspricht) ldap_search_base = "
+"dc=example,dc=com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+"ldap_search_base = cn=host_specific,dc=Beispiel,dc=com?Unterverzeichnis?"
+"(host=Dieser_Rechner)?dc=example.com?Unterverzeichnis?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+"Hinweis: Mehrere Suchgrundlagen, die sich auf Objekte mit gleichem Namen "
+"beziehen, werden nicht unterstützt (zum Beispiel Gruppen mit demselben Namen "
+"in zwei unterschiedlichen Suchgrundlagen). Dies wird zu unvorhersehbarem "
+"Verhalten auf Client-Rechnern führen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+"Voreinstellung: Falls nicht gesetzt, wird der Wert der Attribute "
+"»defaultNamingContext« oder »namingContexts« vom RootDSE des LDAP-Servers "
+"benutzt. Falls »defaultNamingContext« nicht existiert oder ihr Wert leer "
+"ist, wird »namingContexts« verwendet. Das Attribut »namingContexts« muss "
+"einen einzelnen Wert mit dem Domain-Namen der Suchgrundlage des LDAP-Servers "
+"haben, damit dies funktioniert. Mehrere Werte werden nicht unterstützt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr "ldap_schema (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+"gibt den Schematyp an, der gerade auf dem Ziel-LDAP-Server benutzt wird. "
+"Abhängig vom ausgewählten Schema können sich die von den Servern geholten "
+"Standardattributnamen stark unterscheiden. Die Art, wie einige Attribute "
+"gehandhabt werden, kann sich ebenfalls unterscheiden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr "Derzeit werden vier Schematypen unterstützt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr "rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr "rfc2307bis"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr "IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr "AD"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. With rfc2307, group members are listed by name in "
+"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
+"group members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute. The AD schema type sets the attributes to correspond with Active "
+"Directory 2008r2 values."
+msgstr ""
+"Der Hauptunterschied zwischen diesen Schematypen besteht darin, wie "
+"Gruppenmitgliedschaften auf dem Server aufgezeichnet werden. Mit »rfc2307« "
+"werden Gruppenmitglieder nach Namen im Attribut <emphasis>memberUid</"
+"emphasis> aufgeführt. Mit »rfc2307bis« bis »IPA« werden die "
+"Gruppenmitglieder nach Domain-Namen aufgeführt und im Attribut "
+"<emphasis>member</emphasis> gespeichert. Der Schematyp »AD« setzt die "
+"Attribute passend zu den Werten von Active Directory 2008r2."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:203
+msgid "Default: rfc2307"
+msgstr "Voreinstellung: rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:209
+msgid "ldap_default_bind_dn (string)"
+msgstr "ldap_default_bind_dn (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:212
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+"der Standard-Bind-Domain-Name, der zum Durchführen von LDAP-Aktionen benutzt "
+"wird"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:219
+msgid "ldap_default_authtok_type (string)"
+msgstr "ldap_default_authtok_type (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:222
+msgid "The type of the authentication token of the default bind DN."
+msgstr "der Typ des Authentifizierungs-Tokens des Standard-Bind-Domain-Namens"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:226
+msgid "The two mechanisms currently supported are:"
+msgstr "Die beiden derzeit unterstützten Mechanismen sind:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:229
+msgid "password"
+msgstr "password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:232
+msgid "obfuscated_password"
+msgstr "obfuscated_password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:235
+msgid "Default: password"
+msgstr "Voreinstellung: password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:241
+msgid "ldap_default_authtok (string)"
+msgstr "ldap_default_authtok (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:244
+msgid ""
+"The authentication token of the default bind DN. Only clear text passwords "
+"are currently supported."
+msgstr ""
+"das Authentifizierungs-Token des Standard-Bind-Domain-Namens. Derzeit werden "
+"nur Klartextpasswörter unterstützt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:251
+msgid "ldap_user_object_class (string)"
+msgstr "ldap_user_object_class (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "The object class of a user entry in LDAP."
+msgstr "die Objektklasse eines Benutzereintrags in LDAP"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:257
+msgid "Default: posixAccount"
+msgstr "Voreinstellung: posixAccount"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:263
+msgid "ldap_user_name (string)"
+msgstr "ldap_user_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:266
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr "das LDAP-Attribut, das zum Anmeldenamen des Benutzers gehört"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:270
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:277
+msgid "ldap_user_uid_number (string)"
+msgstr "ldap_user_uid_number (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr "das LDAP-Attribut, das zu der ID des Benutzers gehört"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:284
+msgid "Default: uidNumber"
+msgstr "Voreinstellung: uidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:290
+msgid "ldap_user_gid_number (string)"
+msgstr "ldap_user_gid_number (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr "das LDAP-Attribut, das zu der Hauptgruppen-ID des Benutzers gehört"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929
+msgid "Default: gidNumber"
+msgstr "Voreinstellung: gidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
+msgid "ldap_user_gecos (string)"
+msgstr "ldap_user_gecos (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:321
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr "das LDAP-Attribut, das zum Gecos-Feld des Benutzers gehört"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: gecos"
+msgstr "Voreinstellung: gecos"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_home_directory (string)"
+msgstr "ldap_user_home_directory (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+"das LDAP-Attribut, das den Namen des Home-Verzeichnisses des Benutzers "
+"enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:338
+msgid "Default: homeDirectory"
+msgstr "Voreinstellung: homeDirectory"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:344
+msgid "ldap_user_shell (string)"
+msgstr "ldap_user_shell (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:347
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+"das LDAP-Attribut, das den Pfad zur Standard-Shell des Benutzers enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:351
+msgid "Default: loginShell"
+msgstr "Voreinstellung: loginShell"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:357
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:360
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955
+msgid ""
+"Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
+"IPA"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:371
+msgid "ldap_user_objectsid (string)"
+msgstr "ldap_user_objectsid (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:374
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP user object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"das LDAP-Attribut, das die objectSID eines LDAP-Benutzerobjekts enthält. "
+"Dies wird normalerweise nur für Active-Directory-Server benötigt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970
+msgid "Default: objectSid for ActiveDirectory, not set for other servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_modify_timestamp (string)"
+msgstr "ldap_user_modify_timestamp (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+"das LDAP-Attribut, das den Zeitstempel der letzten Änderung im "
+"übergeordneten Objekt enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210
+msgid "Default: modifyTimestamp"
+msgstr "Voreinstellung: modifyTimestamp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:399
+msgid "ldap_user_shadow_last_change (string)"
+msgstr "ldap_user_shadow_last_change (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:402
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den "
+"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (Datum der letzten Passwortänderung) gehört."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:412
+msgid "Default: shadowLastChange"
+msgstr "Voreinstellung: shadowLastChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:418
+msgid "ldap_user_shadow_min (string)"
+msgstr "ldap_user_shadow_min (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:421
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den "
+"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (Mindestpasswortalter) gehört."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:430
+msgid "Default: shadowMin"
+msgstr "Voreinstellung: shadowMin"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:436
+msgid "ldap_user_shadow_max (string)"
+msgstr "ldap_user_shadow_max (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:439
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den "
+"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (maximales Passwortalter) gehört."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: shadowMax"
+msgstr "Voreinstellung: shadowMax"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_shadow_warning (string)"
+msgstr "ldap_user_shadow_warning (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den "
+"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (Passwortwarnperiode) gehört."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:467
+msgid "Default: shadowWarning"
+msgstr "Voreinstellung: shadowWarning"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:473
+msgid "ldap_user_shadow_inactive (string)"
+msgstr "ldap_user_shadow_inactive (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den "
+"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (Passwortinaktivitätsperiode) gehört."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:486
+msgid "Default: shadowInactive"
+msgstr "Voreinstellung: shadowInactive"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:492
+msgid "ldap_user_shadow_expire (string)"
+msgstr "ldap_user_shadow_expire (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:495
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+"Wenn »ldap_pwd_policy=shadow« benutzt wird, enthält dieser Parameter den "
+"Namen eines LDAP-Attributs, das zum entsprechenden Gegenstück von "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (Ablaufdatum des Kontos) gehört."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:505
+msgid "Default: shadowExpire"
+msgstr "Voreinstellung: shadowExpire"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:511
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr "ldap_user_krb_last_pwd_change (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:514
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+"Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter "
+"den Namen eines LDAP-Attributs, in dem Datum und Zeit der letzten "
+"Passwortänderung in Kerberos gespeichert sind."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:520
+msgid "Default: krbLastPwdChange"
+msgstr "Voreinstellung: krbLastPwdChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:526
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr "ldap_user_krb_password_expiration (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:529
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+"Wenn »ldap_pwd_policy=mit_kerberos« benutzt wird, enthält dieser Parameter "
+"den Namen eines LDAP-Attributs, welches das Datum und die Zeit enthält, wann "
+"das aktuelle Passwort erlischt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:535
+msgid "Default: krbPasswordExpiration"
+msgstr "Voreinstellung: krbPasswordExpiration"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:541
+msgid "ldap_user_ad_account_expires (string)"
+msgstr "ldap_user_ad_account_expires (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:544
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+"Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter "
+"den Namen eines LDAP-Attributs, in dem die Zeit gespeichert ist, wann das "
+"Konto erlischt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:549
+msgid "Default: accountExpires"
+msgstr "Voreinstellung: accountExpires"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:555
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr "ldap_user_ad_user_account_control (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:558
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+"Wenn »ldap_account_expire_policy=ad« benutzt wird, enthält dieser Parameter "
+"den Namen eines LDAP-Attributs, in dem das Steuer-Bit-Feld des "
+"Benutzerkontos gespeichert ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:563
+msgid "Default: userAccountControl"
+msgstr "Voreinstellung: userAccountControl"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:569
+msgid "ldap_ns_account_lock (string)"
+msgstr "ldap_ns_account_lock (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:572
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+"Wenn »ldap_account_expire_policy=rhds« oder Entsprechendes benutzt wird, "
+"legt dieser Parameter fest, ob Zugriff gewährt wird oder nicht."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:577
+msgid "Default: nsAccountLock"
+msgstr "Voreinstellung: nsAccountLock"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:583
+msgid "ldap_user_nds_login_disabled (string)"
+msgstr "ldap_user_nds_login_disabled (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:586
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines if "
+"access is allowed or not."
+msgstr ""
+"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut "
+"fest, ob Zugriff gewährt wird oder nicht."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
+msgid "Default: loginDisabled"
+msgstr "Voreinstellung: loginDisabled"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:596
+msgid "ldap_user_nds_login_expiration_time (string)"
+msgstr "ldap_user_nds_login_expiration_time (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines until "
+"which date access is granted."
+msgstr ""
+"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieser Parameter "
+"fest, bis zu welchem Datum Zugriff gewährt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:610
+msgid "ldap_user_nds_login_allowed_time_map (string)"
+msgstr "ldap_user_nds_login_allowed_time_map (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:613
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines the "
+"hours of a day in a week when access is granted."
+msgstr ""
+"Wenn »ldap_account_expire_policy=nds« benutzt wird, legt dieses Attribut die "
+"Stunden eines Wochentages fest, in denen Zugriff gewährt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:618
+msgid "Default: loginAllowedTimeMap"
+msgstr "Voreinstellung: loginAllowedTimeMap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:624
+msgid "ldap_user_principal (string)"
+msgstr "ldap_user_principal (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:627
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+"das LDAP-Attribut, das den Kerberos User Principal Name (UPN/"
+"Hauptbenutzername) enthält."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:631
+msgid "Default: krbPrincipalName"
+msgstr "Voreinstellung: krbPrincipalName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:637
+msgid "ldap_user_extra_attrs (string)"
+msgstr "ldap_user_extra_attrs (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:640
+msgid ""
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+"usual set of user attributes."
+msgstr ""
+"Durch Kommata getrennte Liste der LDAP-Attribute, die SSSD zusammen mit den "
+"üblichen Benutzerattributen holen soll."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:645
+msgid ""
+"The list can either contain LDAP attribute names only, or colon-separated "
+"tuples of SSSD cache attribute name and LDAP attribute name. In case only "
+"LDAP attribute name is specified, the attribute is saved to the cache "
+"verbatim. Using a custom SSSD attribute name might be required by "
+"environments that configure several SSSD domains with different LDAP schemas."
+msgstr ""
+"Die Liste kann entweder nur Namen von LDAP-Attributen enthalten, oder durch "
+"Doppelpunkte getrennte Tupel aus Attributnamen des SSSD-Zwischenspeichers "
+"und Namen von LDAP-Attributen. Wenn nur die Namen von LDAP-Attributen "
+"angegeben werden, wird das Attribut unverändert im Zwischenspeicher "
+"gespeichert. Die Verwendung eines benutzerdefinierten SSSD-Attributnamens "
+"kann in Umgebungen notwendig sein, in denen mehrere SSSD-Domains mit "
+"unterschiedlichen LDAP-Schemata eingerichtet sind."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:655
+msgid ""
+"Please note that several attribute names are reserved by SSSD, notably the "
+"<quote>name</quote> attribute. SSSD would report an error if any of the "
+"reserved attribute names is used as an extra attribute name."
+msgstr ""
+"Bitte beachten Sie, dass diverse Attributnamen durch SSSD reserviert sind, "
+"beispielsweise das Attribut <quote>name</quote>. SSSD würde einen Fehler "
+"melden, falls eines der reservierten Attribute als zusätzlicher Attributname "
+"verwendet wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:665
+msgid "ldap_user_extra_attrs = telephoneNumber"
+msgstr "ldap_user_extra_attrs = telephoneNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:668
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+"<quote>telephoneNumber</quote> to the cache."
+msgstr ""
+"Speichert das Attribut <quote>telephoneNumber</quote> von LDAP als "
+"<quote>telephoneNumber</quote> im Zwischenspeicher."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:672
+msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:675
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+"quote> to the cache."
+msgstr ""
+"Speichert das Attribut <quote>telephoneNumber</quote> von LDAP als "
+"<quote>phone</quote> im Zwischenspeicher."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:685
+msgid "ldap_user_ssh_public_key (string)"
+msgstr "ldap_user_ssh_public_key (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:688
+msgid "The LDAP attribute that contains the user's SSH public keys."
+msgstr ""
+"das LDAP-Attribut, das die öffentlichen SSH-Schlüssel des Benutzers enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306
+msgid "Default: sshPublicKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr "ldap_force_upper_case_realm (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr "" +"Einige Verzeichnisserver, zum Beispiel Active Directory, könnten den Realm-" +"Teil der UPN in Kleinbuchstaben liefern, was zum Scheitern der " +"Authentifizierung führen kann. Setzen Sie diese Option auf einen Wert " +"ungleich Null, falls Sie einen Realm in Großbuchstaben wünschen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"gibt an, wie viele Sekunden lang SSSD warten soll, bevor es seinen " +"Zwischenspeicher aufgezählter Datensätze aktualisiert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"bestimmt, wie oft der Zwischenspeicher auf inaktive Einträge überprüft wird " +"(wie Gruppen ohne Mitglieder und Benutzer, die sich noch nie angemeldet " +"haben) und diese entfernt werden, um Platz zu sparen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. 
Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "das LDAP-Attribut, das dem vollständigen Benutzernamen entspricht" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "Voreinstellung: cn" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" +"das LDAP-Attribut, das die Gruppenmitgliedschaften des Benutzers aufführt" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "Voreinstellung: memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" +"Falls »access_provider=ldap« und »ldap_access_order=authorized_service« " +"benutzt werden, wird SSSD die Anwesenheit das Attributs »authorizedService« " +"im LDAP-Eintrag den Benutzers nutzen, um die Zugriffsrechte zu bestimmen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" +"Ein explizites Verweigern (»!svc«) wird zuerst aufgelöst. Als Zweites sucht " +"SSSD eine explizite Erlaubnis (»svc«) und zuletzt nach »allow_all« (*)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" +"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« " +"»authorized_service« enthalten <emphasis>muss</emphasis>, damit die Option " +"»ldap_user_authorized_service« funktioniert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "Voreinstellung: authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" +"Falls »access_provider=ldap« und »ldap_access_order=host« benutzt werden, " +"wird SSSD die Anwesenheit das Attributs »host« im LDAP-Eintrag den Benutzers " +"verwenden, um die Zugriffsrechte zu bestimmen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" +"Ein explizites Verweigern (»!host«) wird zuerst aufgelöst. Als Zweites sucht " +"SSSD eine explizite Erlaubnis (»host«) und zuletzt nach »allow_all« (*)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" +"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« »host« " +"enthalten <emphasis>muss</emphasis>, damit die Option " +"»ldap_user_authorized_host« funktioniert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "Voreinstellung: host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "die Objektklasse eines Gruppeneintrags in LDAP" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "Voreinstellung: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "das LDAP-Attribut, das dem Gruppennamen entspricht" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "das LDAP-Attribut, das der Gruppen-ID entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "das LDAP-Attribut, das die Namen der Gruppenmitglieder enthält" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Voreinstellung: memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" +"das LDAP-Attribut, das die ObjectSID eines LDAP-Gruppenobjekts enthält. Dies " +"wird normalerweise nur für Active-Directory-Server benötigt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "ldap_group_type (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" +"Das LDAP-Attribut, das einen Ganzzahlwert enthält, der den Gruppentyp und " +"eventuell weitere Flags enthält." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" +"Dieses Attribut wird derzeit nur vom AD-Anbieter verwendet, um zu ermitteln, " +"ob eine Gruppe eine lokale Domain-Gruppe ist und aus den vertrauenswürdigen " +"Domains herausgefiltert werden sollte." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" +"Falls »ldap_schema« auf ein Format gesetzt ist, das verschachtelte Gruppen " +"(z.B. RFC2307bis) unterstützt, dann steuert diese Option, wie viele Stufen " +"tief SSSD der Verschachtelung folgt. Diese Option hat keine Auswirkungen auf " +"das Schema RFC2307." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. 
However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+"Hinweis: Diese Option gibt die garantierte Tiefe verschachtelter Gruppen an, "
+"die bei Suchvorgängen verarbeitet werden soll. Dennoch <emphasis>können</"
+"emphasis> auch tiefer verschachtelte Gruppen einbezogen werden, falls bei "
+"früheren Suchvorgängen die tieferen Ebenen bereits einmal berücksichtigt "
+"wurden. Außerdem können folgende Suchvorgänge für andere Gruppen die "
+"Ergebnisse des ursprünglichen Suchvorgangs vergrößern, wenn die Suche erneut "
+"erfolgt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all. However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "Voreinstellung: 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr "ldap_groups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+"Diese Option teilt SSSD mit, dass es den Vorteil einer Active-Directory-"
+"spezifischen Funktionalität nutzen soll, die Gruppenachschlageoptionen und "
+"Bereitstellungen mit komplexen oder tief verschachtelten Gruppen zu "
+"beschleunigen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+"In den meisten Fällen ist es am besten, diese Option deaktiviert zu lassen. "
+"Normalerweise führt sie nur bei sehr komplexen Verschachtelungen zu einer "
+"Leistungssteigerung."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+"Falls diese Option aktiviert ist und SSSD beim Verbinden feststellt, dass "
+"der Server sie unterstützt, wird SSSD sie verwenden. Daher bedeutet hier "
+"»True« eigentlich »auto-detect«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+"Hinweis: Es ist bekannt, dass diese Funktionalität derzeit nur mit Active "
+"Directory 2008 R1 und neuer funktioniert. 
Weitere Einzelheiten finden Sie in "
+"der <ulink url=\"http://msdn.microsoft.com/en-us/library/windows/desktop/"
+"aa746475%28v=vs.85%29.aspx\"> MSDN™-Dokumentation</ulink>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr "ldap_initgroups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+"Diese Option teilt SSSD mit, dass es den Vorteil einer Active-Directory-"
+"spezifischen Funktionalität nutzen soll, die möglicherweise Initgroups-"
+"Aktionen beschleunigt (vor allem, beim Umgang mit komplexen oder "
+"verschachtelten Gruppen)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+"Diese Optionen aktivieren oder deaktivieren die Verwendung des Token-Gruppen-"
+"Attributs, wenn »initgroup« für Benutzers des Active Directory Servers 2008 "
+"und neuere Versionen ausgeführt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr "ldap_netgroup_object_class (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr "die Objektklasse eines Netzgruppeneintrags in LDAP"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+msgstr ""
+"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_object_class« benutzt "
+"werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr "Voreinstellung: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr "ldap_netgroup_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr "das LDAP-Attribut, das dem Netzgruppennamen entspricht"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr ""
+"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_name« benutzt werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr "ldap_netgroup_member (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr "das LDAP-Attribut, das die Namen der Netzgruppenmitglieder enthält"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr ""
+"Beim IPA-Anbieter sollte stattdessen »ipa_netgroup_member« benutzt werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr "Voreinstellung: memberNisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr "ldap_netgroup_triple (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+"das LDAP-Attribut, das die Netzgruppen-Triples (Rechner, Benutzer, Domain) "
+"enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr "Diese Option ist für IPA-Anbieter nicht verfügbar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr "Voreinstellung: nisNetgroupTriple"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr "ldap_netgroup_modify_timestamp (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr "Voreinstellung: ipService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr ""
+"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für "
+"Rechnerobjekte"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+"Informationen über das Konfigurieren mehrerer Suchgrundlagen finden Sie "
+"unter »ldap_search_base«."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr "Voreinstellung: der Wert von <emphasis>ldap_search_base</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr "ldap_service_object_class (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr "die Objektklasse eines Diensteintrags in LDAP"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr "ldap_service_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr ""
+"das LDAP-Attribut, das die Namen von Dienstattributen und ihre Alias enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr "ldap_service_port (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr "das LDAP-Attribut, das den von diesem Dienst verwalteten Port enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1357
+msgid "Default: ipServicePort"
+msgstr "Voreinstellung: ipServicePort"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1363
+msgid "ldap_service_proto (string)"
+msgstr "ldap_service_proto (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1366
+msgid ""
+"The LDAP attribute that contains the protocols understood by this service."
+msgstr ""
+"das LDAP-Attribut, das die von diesem Dienst verstandenen Protokolle enthält"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1370
+msgid "Default: ipServiceProtocol"
+msgstr "Voreinstellung: ipServiceProtocol"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1376
+msgid "ldap_service_search_base (string)"
+msgstr "ldap_service_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1381
+msgid "ldap_search_timeout (integer)"
+msgstr "ldap_search_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1384
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem LDAP-"
+"Suchen laufen dürfen, bevor sie abgebrochen und die zwischengespeicherten "
+"Ergebnisse zurückgegeben werden (und in den Offline-Modus gegangen wird)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. 
It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+"Hinweis: Diese Option ist in zukünftigen Versionen von SSSD Gegenstand von "
+"Änderungen. Sie wird wahrscheinlich an einigen Stellen durch Serien von "
+"Zeitüberschreitungspunkten für spezielle Nachschlagetypen ersetzt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr "ldap_enumeration_search_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem LDAP-"
+"Suchen nach Benutzer- und Gruppenaufzählungen laufen dürfen, bevor sie "
+"abgebrochen und die zwischengespeicherten Ergebnisse zurückgegeben werden "
+"(und in den Offline-Modus gegangen wird)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr "ldap_network_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, nach dem "
+"<citerefentry> <refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> "
+"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> "
+"<manvolnum>2</manvolnum> </citerefentry> gefolgt von einem <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> zurückkehrt, falls keine Aktivität stattfindet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr "ldap_opt_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr "ldap_connection_expire_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. After this time, the connection will be re-established. If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+"gibt den Zeitpunkt der Zeitüberschreitung (in Sekunden) an, bis zu dem eine "
+"Verbindung zu einem LDAP-Server aufrechterhalten wird. Nach dieser Zeit wird "
+"die Verbindung erneut aufgebaut. 
Wird dies parallel zu SASL/GSSAPI benutzt, "
+"wird der frühere der beiden Werte (dieser Wert gegenüber der TGT-"
+"Lebensdauer) verwendet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr "Voreinstellung: 900 (15 Minuten)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr "ldap_page_size (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+"gibt die Anzahl der Datensätze an, die in einer einzelnen Anfrage von LDAP "
+"empfangen werden. Einige LDAP-Server erzwingen eine Begrenzung des Maximums "
+"pro Anfrage."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr "Voreinstellung: 1000"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr "ldap_disable_paging (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control. This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+"deaktiviert die Seitenadressierungssteuerung von LDAP. 
Diese Option sollte "
+"benutzt werden, falls der LDAP-Server meldet, dass er die LDAP-"
+"Seitenadressierungssteuerung in seinem RootDSE unterstützt, sie jedoch "
+"deaktiviert ist oder sich nicht ordnungsgemäß verhält."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1502
+msgid ""
+"Example: OpenLDAP servers with the paging control module installed on the "
+"server but not enabled will report it in the RootDSE but be unable to use it."
+msgstr ""
+"Beispiel: OpenLDAP-Server, bei denen das Seitenadressierungssteuerungsmodul "
+"installiert, aber nicht aktiviert ist, werden es im RootDSE melden, sind "
+"aber nicht in der Lage, es zu benutzen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1508
+msgid ""
+"Example: 389 DS has a bug where it can only support a one paging control at "
+"a time on a single connection. On busy clients, this can result in some "
+"requests being denied."
+msgstr ""
+"Beispiel: 389 DS hat einen Fehler, durch den es gleichzeitig nur eine "
+"einzige Seitenadressierungssteuerung für eine einzelne Verbindung benutzen "
+"kann. Bei ausgelasteten Clients kann dies dazu führen, dass manche Anfragen "
+"abgelehnt werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1520
+msgid "ldap_disable_range_retrieval (boolean)"
+msgstr "ldap_disable_range_retrieval (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1523
+msgid "Disable Active Directory range retrieval."
+msgstr "deaktiviert die Bereichsabfrage von Active Directory"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1526
+msgid ""
+"Active Directory limits the number of members to be retrieved in a single "
+"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
+"group contains more members, the reply would include an AD-specific range "
+"extension. This option disables parsing of the range extension, therefore "
+"large groups will appear as having no members."
+msgstr ""
+"Active Directory begrenzt die Anzahl der Mitglieder, die in einem einzigen "
+"Nachschlagen mittels der MaxValRange-Richtlinie empfangen werden können (die "
+"Voreinstellung sind 1.500 Mitglieder). Falls eine Gruppe mehr Mitglieder "
+"enthält, wird die Antwort eine AD-spezifische Bereichserweiterung enthalten. "
+"Diese Option deaktiviert das Auswerten der Bereichserweiterung, daher wird "
+"es so aussehen, als ob große Gruppen keine Mitglieder hätten."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1541
+msgid "ldap_sasl_minssf (integer)"
+msgstr "ldap_sasl_minssf (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1544
+msgid ""
+"When communicating with an LDAP server using SASL, specify the minimum "
+"security level necessary to establish the connection. The values of this "
+"option are defined by OpenLDAP."
+msgstr ""
+"Wenn mittels SASL mit einem LDAP-Server kommuniziert wird, gibt dies die "
+"mindestens nötige Sicherheitsstufe zum Herstellen der Verbindung an. Die "
+"Werte dieser Option werden durch OpenLDAP definiert."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1550
+msgid "Default: Use the system default (usually specified by ldap.conf)"
+msgstr ""
+"Voreinstellung: verwendet die Voreinstellungen des System (normalerweise in "
+"»ldap.conf« angegeben)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1557
+msgid "ldap_deref_threshold (integer)"
+msgstr "ldap_deref_threshold (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1560
+msgid ""
+"Specify the number of group members that must be missing from the internal "
+"cache in order to trigger a dereference lookup. If less members are missing, "
+"they are looked up individually."
+msgstr ""
+"gibt die Anzahl der Gruppenmitglieder an, die aus dem internen "
+"Zwischenspeicher fehlen muss, um ein dereferenzierendes Nachschlagen "
+"auszulösen. Falls weniger Mitglieder fehlen, werden sie individuell "
+"nachgeschlagen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1566
+msgid ""
+"You can turn off dereference lookups completely by setting the value to 0."
+msgstr ""
+"Sie können dereferenzierendes Nachschlagen komplett ausschalten, indem Sie "
+"den Wert auf 0 setzen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1570
+msgid ""
+"A dereference lookup is a means of fetching all group members in a single "
+"LDAP call. Different LDAP servers may implement different dereference "
+"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+"Directory."
+msgstr ""
+"Dereferenzierendes Nachschlagen ist ein Mittel, um alle Gruppenmitglieder in "
+"einem einzigen LDAP-Aufruf abzuholen. 
Verschiedene LDAP-Server können "
+"unterschiedliche Methoden zum Dereferenzieren implementieren. Die derzeit "
+"unterstützten Server sind 389/RHDS, OpenLDAP und Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1578
+msgid ""
+"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+"filter, then the dereference lookup performance enhancement will be disabled "
+"regardless of this setting."
+msgstr ""
+"<emphasis>Hinweis:</emphasis> Falls eine der Suchgrundlagen einen Suchfilter "
+"angibt, wird die Verbesserung der Leistung beim dereferenzierenden "
+"Nachschlagen ohne Rücksicht auf die Einstellung deaktiviert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1591
+msgid "ldap_tls_reqcert (string)"
+msgstr "ldap_tls_reqcert (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1594
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+"gibt an, welche Prüfungen von Server-Zertifikaten in einer TLS-Sitzung "
+"durchgeführt werden, falls vorhanden. Dies kann in Form einer der folgenden "
+"Werte angegeben werden:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1600
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+"<emphasis>never</emphasis> = Der Client wird kein Server-Zertifikat prüfen "
+"oder anfordern."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1604
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. 
If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+"<emphasis>allow</emphasis> = Das Server-Zertifikat wird angefordert. Falls "
+"kein Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. Falls "
+"ein ungültiges Zertifikat bereitgestellt wird, wird es ignoriert und die "
+"Sitzung fährt normal fort."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+"<emphasis>try</emphasis> = Das Server-Zertifikat wird angefordert. Falls das "
+"Zertifikat bereitgestellt wird, fährt die Sitzung normal fort. Falls ein "
+"ungültiges Zertifikat bereitgestellt wird, wird die Sitzung sofort beendet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+"<emphasis>demand</emphasis> = Das Server-Zertifikat wird angefordert. Falls "
+"kein oder ein ungültiges Zertifikat bereitgestellt wird, wird die Sitzung "
+"sofort beendet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr "<emphasis>hard</emphasis> = entspricht »demand«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr "Voreinstellung: hard"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr "ldap_tls_cacert (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+"gibt die Datei an, die Zertifikate für alle Zertifizierungstellen enthält, "
+"die <command>sssd</command> erkennen wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+"Voreinstellung: verwendet OpenLDAP-Voreinstellungen, normalerweise aus "
+"<filename>/etc/openldap/ldap.conf</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr "ldap_tls_cacertdir (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+"gibt den Pfad eines Verzeichnisses an, das Zertifikate von "
+"Zertifizierungstellen in separaten individuellen Dateien enthält. Die "
+"Dateinamen sollen normalerweise ein Hash-Wert des Zertifikats gefolgt von "
+"».0« sein. 
Falls verfügbar, kann <command>cacertdir_rehash</command> zum "
+"Erstellen der korrekten Namen verwendet werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr "ldap_tls_cert (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1669
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+"gibt die Datei an, die das Zertifikat für den Schlüssel des Clients enthält."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1679
+msgid "ldap_tls_key (string)"
+msgstr "ldap_tls_key (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1682
+msgid "Specifies the file that contains the client's key."
+msgstr "gibt die Datei an, die den Schlüssel des Clients enthält."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1691
+msgid "ldap_tls_cipher_suite (string)"
+msgstr "ldap_tls_cipher_suite (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1694
+msgid ""
+"Specifies acceptable cipher suites. Typically this is a colon separated "
+"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1707
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr "ldap_id_use_start_tls (Boolesch)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1710
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+"gibt an, dass die Verbindung »id_provider« auch <systemitem class=\"protocol"
+"\">tls</systemitem> benutzen muss, um den Kanal abzusichern."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1720
+msgid "ldap_id_mapping (boolean)"
+msgstr "ldap_id_mapping (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1723
+msgid ""
+"Specifies that SSSD should attempt to map user and group IDs from the "
+"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+"on ldap_user_uid_number and ldap_group_gid_number."
+msgstr ""
+"gibt an, dass SSSD versuchen soll, die Benutzer- und Gruppen-ID von den "
+"Attributen »ldap_user_objectsid« und »ldap_group_objectsid« abzubilden, "
+"statt sich auf »ldap_user_uid_number« und »ldap_group_gid_number« zu "
+"verlassen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1729
+msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+msgstr ""
+"Derzeit unterstützt diese Funktionalität nur das Abbilden von Active-"
+"Directory-ObjectSIDs."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1739
+msgid "ldap_min_id, ldap_max_id (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1742
+msgid ""
+"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+"set to true the allowed ID range for ldap_user_uid_number and "
+"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
+"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
+"can be set to restrict the allowed range for the IDs which are read directly "
+"from the server. Sub-domains can then pick other ranges to map IDs."
+msgstr ""
+"Im Gegensatz zum SID-basierten ID-Abbilden, das benutzt wird, falls "
+"»ldap_id_mapping« auf »true« gesetzt ist, ist der erlaubte ID-Bereich für "
+"»ldap_user_uid_number« und »ldap_group_gid_number« offen. In einer "
+"Konfiguration mit Unter-Domains und vertrauenswürdigen Domains könnte dies "
+"zu ID-Kollisionen führen. Um Kollisionen zu vermeiden, können »ldap_min_id« "
+"und »ldap_max_id« zum Begrenzen des erlaubten Bereichs für direkt vom Server "
+"gelesene IDs verwendet werden. Unter-Domains können dann andere Bereiche zur "
+"Abbildung von IDs wählen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1754
+msgid "Default: not set (both options are set to 0)"
+msgstr "Voreinstellung: nicht gesetzt (beide Optionen sind auf 0 gesetzt)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1760
+msgid "ldap_sasl_mech (string)"
+msgstr "ldap_sasl_mech (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1763
+msgid ""
+"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+"gibt an, welcher SASL-Mechanismus benutzt werden soll. Derzeit ist nur "
+"GSSAPI getestet und wird unterstützt."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1773
+msgid "ldap_sasl_authid (string)"
+msgstr "ldap_sasl_authid (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ldap.5.xml:1784
+#, no-wrap
+msgid ""
+"hostname@REALM\n"
+"netbiosname$@REALM\n"
+"host/hostname@REALM\n"
+"*$@REALM\n"
+"host/*@REALM\n"
+"host/*\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1776
+#, fuzzy
+#| msgid ""
+#| "Specify the SASL authorization id to use. When GSSAPI is used, this "
+#| "represents the Kerberos principal used for authentication to the "
+#| "directory. This option can either contain the full principal (for "
+#| "example host/myhost@EXAMPLE.COM) or just the principal name (for example "
+#| "host/myhost)."
+msgid ""
+"Specify the SASL authorization id to use. When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory. "
+"This option can either contain the full principal (for example host/"
+"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+"default, the value is not set and the following principals are used: "
+"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+"the first principal in keytab is returned."
+msgstr ""
+"gibt an, welche SASL-Berechtigungs-ID benutzt werden soll. Wenn GSSAPI "
+"verwendet wird, steht dies für den Kerberos-Principal, der für die "
+"Authentifizierung zum Verzeichnis benutzt wird. Diese Option kann entweder "
+"den vollständigen Principal (zum Beispiel Rechner/MeinRechner@EXAMPLE.COM) "
+"oder nur den Namen des Principals (zum Beispiel Rechner/MeinRechner) "
+"enthalten."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1795
+msgid "Default: host/hostname@REALM"
+msgstr "Voreinstellung Rechner/MeinRechner@BEREICH"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1801
+msgid "ldap_sasl_realm (string)"
+msgstr "ldap_sasl_realm (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1804
+msgid ""
+"Specify the SASL realm to use. When not specified, this option defaults to "
+"the value of krb5_realm. If the ldap_sasl_authid contains the realm as "
+"well, this option is ignored."
+msgstr ""
+"gibt den SASL-Realm an, der benutzt werden soll. Wurde diese Option nicht "
+"angegeben, ist die Voreinstellung der Wert von »krb5_realm«. Falls "
+"»ldap_sasl_authid« ebenfalls den Realm enthält, wird diese Option ignoriert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1810
+msgid "Default: the value of krb5_realm."
+msgstr "Voreinstellung: der Wert von »krb5_realm«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1816
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr "ldap_sasl_canonicalize (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1819
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+"Falls dies auf »true« gesetzt wäre, würde die LDAP-Bibliothek ein "
+"umgekehrtes Nachschlagen durchführen, um den Rechnernamen während eines SASL-"
+"Bind in eine kanonische Form zu bringen."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1824
+msgid "Default: false;"
+msgstr "Voreinstellung: false;"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1830
+msgid "ldap_krb5_keytab (string)"
+msgstr "ldap_krb5_keytab (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1833
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr "gibt die Keytab an, wenn SASL/GSSAPI benutzt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1836
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+"Voreinstellung: Keytab des Systems, normalerweise <filename>/etc/krb5."
+"keytab</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1842
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr "ldap_krb5_init_creds (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1845
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT). This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+"gibt an, dass der »id_provider« Kerberos-Anmeldedaten (TGT) initialisieren "
+"soll. Diese Aktion wird nur durchgeführt, falls SASL benutzt wird und der "
+"ausgewählte Mechnaismus GSSAPI ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1857
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr "ldap_krb5_ticket_lifetime (Ganzzahl)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1860
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+"gibt die Lebensdauer eines TGT in Sekunden an, falls GSSAPI benutzt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937
+msgid "Default: 86400 (24 hours)"
+msgstr "Voreinstellung: 86400 (24 Stunden)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74
+msgid "krb5_server, krb5_backup_server (string)"
+msgstr "krb5_server, krb5_backup_server (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1873
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"gibt die durch Kommata getrennte Liste von IP-Adressen bzw. Rechnernamen von "
+"Kerberos-Servern in der Reihenfolge an, in der sich SSSD mit ihnen verbinden "
+"soll. Weitere Informationen über Ausfallsicherung und Redundanz finden Sie "
+"im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder Rechnernamen kann eine "
+"optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt "
+"werden. Falls dies leer gelassen wurde, wird die Dienstsuche aktiviert. "
+"Weitere Informationen finden Sie im Abschnitt »DIENSTSUCHE«."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+"Wenn die Dienstsuche für Schlüsselverwaltungszentralen- (KDC) oder Kpasswd-"
+"Server benutzt wird, durchsucht SSSD zuerst die DNS-Einträge, die_udp als "
+"Protokoll angeben. Falls keine gefunden werden, weicht es auf _tcp aus."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+"Diese Option hieß in früheren Veröffentlichungen von SSSD »krb5_kdcip«. "
+"Obwohl der alte Name einstweilen noch in Erinnerung ist, wird Anwendern "
+"geraten, ihre Konfigurationsdateien auf die Verwendung von »krb5_server« zu "
+"migrieren."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr "krb5_realm (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1902
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr "gibt den Kerberos-REALM an (für SASL/GSSAPI-Authentifizierung)."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1905
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+"Voreinstellung: Systemvoreinstellungen, siehe <filename>/etc/krb5.conf</"
+"filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462
+msgid "krb5_canonicalize (boolean)"
+msgstr "krb5_canonicalize (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1914
+msgid ""
+"Specifies if the host principal should be canonicalized when connecting to "
+"LDAP server. This feature is available with MIT Kerberos >= 1.7"
+msgstr ""
+"gibt an, ob der Host Principal beim Verbinden mit einem LDAP-Server in eine "
+"kanonische Form gebracht werden soll. Diese Funktionalität ist mit MIT "
+"Kerberos >= 1.7 verfügbar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477
+msgid "krb5_use_kdcinfo (boolean)"
+msgstr "krb5_use_kdcinfo (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480
+msgid ""
+"Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+"which KDCs to use. This option is on by default, if you disable it, you need "
+"to configure the Kerberos library using the <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> configuration file."
+msgstr ""
+"gibt an, ob SSSD die Kerberos-Bibliotheken anweisen soll, welcher Realm und "
+"welche Schlüsselverwaltungszentralen (KDCs) benutzt werden sollen. Diese "
+"Option ist standardmäßig eingeschaltet. 
Falls Sie sie ausschalten, müssen "
+"Sie die Kerberos-Bibliothek mittels der Konfigurationsdatei "
+"<citerefentry><refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> einrichten."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491
+msgid ""
+"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+"information on the locator plugin."
+msgstr ""
+"Weitere Informationen über die Locator-Erweiterung finden Sie auf der "
+"Handbuchseite <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1954
+msgid "ldap_pwd_policy (string)"
+msgstr "ldap_pwd_policy (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1957
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+"wählt das Regelwerk, anhand dessen das Client-seitige Erlöschen des "
+"Passworts abgeschätzt werden soll. Die folgenden Werte sind erlaubt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1962
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+"<emphasis>none</emphasis> – keine Client-seitige Abschätzung. Diese Option "
+"kann keine Server-seitigen Passwortregelwerke deaktivieren."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1967
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired."
+msgstr ""
+"<emphasis>shadow</emphasis> – benutzt Attribute im Stil von "
+"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>, um abzuschätzen, ob das Passwort erloschen ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1973
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+"<emphasis>mit_kerberos</emphasis> – verwendet die von MIT Kerberos benutzten "
+"Attribute, um zu bestimmen, ob das Passwort erloschen ist. Verwenden Sie "
+"»chpass_provider=krb5«, um diese Attribute zu aktualisieren, wenn das "
+"Passwort geändert wurde."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1982
+msgid ""
+"<emphasis>Note</emphasis>: if a password policy is configured on server "
+"side, it always takes precedence over policy set with this option."
+msgstr ""
+"<emphasis>Hinweis</emphasis>: Falls serverseitig eine Passwortregel "
+"konfiguriert ist, hat diese stets Vorrang vor der mit dieser Option "
+"festgelegten Regel."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1990
+msgid "ldap_referrals (boolean)"
+msgstr "ldap_referrals (Boolesch)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1993
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr "gibt an, ob automatische Verweisverfolgung aktiviert werden soll."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1997
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+"Bitte beachten Sie, dass SSSD nur Verweisverfolgung unterstützt, falls es "
+"mit OpenLDAP Version 2.4.13 oder höher kompiliert wurde."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2002
+msgid ""
+"Chasing referrals may incur a performance penalty in environments that use "
+"them heavily, a notable example is Microsoft Active Directory. If your setup "
+"does not in fact require the use of referrals, setting this option to false "
+"might bring a noticeable performance improvement."
+msgstr ""
+"Verweisverfolgungen können in Umgebungen, die ausgiebig von ihnen Gebrauch "
+"machen, einen Leistungsnachteil erleiden, ein beachtenswertes Beispiel ist "
+"Microsoft Active Directory. Falls ihre Installation Verweisverfolgungen "
+"nicht tatsächlich benötigt, könnte diese Option auf »false« zu setzen eine "
+"merkliche Leistungsverbesserung bringen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2016
+msgid "ldap_dns_service_name (string)"
+msgstr "ldap_dns_service_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2019
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+"gibt an, welcher Dienstname bei aktivierter Dienstsuche benutzt werden soll."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2023
+msgid "Default: ldap"
+msgstr "Voreinstellung: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2029
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr "ldap_chpass_dns_service_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2032
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+"gibt den Dienstnamen an, der zum Finden eines LDAP-Servers benutzt werden "
+"soll, der Passwortänderungen bei aktivierter Dienstsuche ermöglicht."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2037
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr "Voreinstellung: nicht gesetzt, d.h. Dienstsuche ist deaktiviert"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2043
+msgid "ldap_chpass_update_last_change (bool)"
+msgstr "ldap_chpass_update_last_change (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2046
+msgid ""
+"Specifies whether to update the ldap_user_shadow_last_change attribute with "
+"days since the Epoch after a password change operation."
+msgstr ""
+"gibt an, ob das Attribut »ldap_user_shadow_last_change« nach einer "
+"Passwortänderung mit Unix-Zeit geändert wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2058
+msgid "ldap_access_filter (string)"
+msgstr "ldap_access_filter (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2061
+msgid ""
+"If using access_provider = ldap and ldap_access_order = filter (default), "
+"this option is mandatory. It specifies an LDAP search filter criteria that "
+"must be met for the user to be granted access on this host. If "
+"access_provider = ldap, ldap_access_order = filter and this option is not "
+"set, it will result in all users being denied access. Use access_provider = "
+"permit to change this default behavior. Please note that this filter is "
+"applied on the LDAP user entry only and thus filtering based on nested "
+"groups may not work (e.g. memberOf attribute on AD entries points only to "
+"direct parents). If filtering based on nested groups is required, please see "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+"Falls access_provider = ldap und ldap_access_order = filter ist "
+"(Voreinstellung), dann ist diese Option obligatorisch. Sie gibt ein "
+"Suchfilterkriterium für LDAP an, dass auf den Benutzer passen muss, damit "
+"diesem Zugriff auf den Host gewährt wird. Falls access_provider = ldap und "
+"ldap_access_order = filter ist und diese Option nicht gesetzt ist, wird "
+"allen Benutzern der Zugriff verweigert. Verwenden Sie access_provider = "
+"permit, um dieses Standardverhalten zu ändern. Bitte beachten Sie, dass "
+"dieser Filter nur auf den LDAP-Benutzereintrag angewendet wird und daher die "
+"auf verschachtelten Gruppen basierende Filterung nicht funktioniert. "
+"Beispielsweise zeigt das Active-Directory-Attribut »memberOf« nur auf die "
+"unmittelbaren Eltern. Falls die Filterung basierend auf verschachtelten "
+"Gruppen erforderlich sein sollte, finden Sie genauere Anweisungen in der "
+"Handbuchseite zu <citerefentry> <refentrytitle>sssd-simple</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2081
+msgid "Example:"
+msgstr "Beispiel:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:2084
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = (employeeType=admin)\n"
+" "
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_filter = (employeeType=admin)\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2088
+msgid ""
+"This example means that access to this host is restricted to users whose "
+"employeeType attribute is set to \"admin\"."
+msgstr ""
+"In diesem Beispiel wird der Zugriff auf diesen Host auf jene Benutzer "
+"beschränkt, deren employeeType-Attribut auf »admin« gesetzt ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2093
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158
+msgid "Default: Empty"
+msgstr "Voreinstellung: leer"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2107
+msgid "ldap_account_expire_policy (string)"
+msgstr "ldap_account_expire_policy (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2110
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled." 
+msgstr ""
+"Mit dieser Option kann eine Client-seitige Abschätzung der "
+"Zugriffssteuerungsattribute aktiviert werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2114
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+"Bitte beachten Sie, dass die Server-seitige Zugriffssteuerung generell "
+"empfohlen wird, d.h. der LDAP-Server sollte die Bind-Abfrage sogar dann mit "
+"einem geeigneten Fehlercode zurückweisen, wenn das Passwort korrekt ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2121
+msgid "The following values are allowed:"
+msgstr "Die folgenden Werte sind erlaubt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2124
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+"<emphasis>shadow</emphasis>: verwendet den Wert von "
+"»ldap_user_shadow_expire«, um zu bestimmen, ob das Konto abgelaufen ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2129
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+"<emphasis>ad</emphasis>: verwendet den Wert des 32-Bit-Felds "
+"»ldap_user_ad_user_account_control« und ermöglicht den Zugriff, falls das "
+"zweite Bit nicht gesetzt ist. Falls das Attribut fehlt, wird Zugriff "
+"gewährt. 
Außerdem wird die Ablaufzeit des Kontos geprüft." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: verwenden den Wert von »ldap_ns_account_lock«, um zu prüfen, ob " +"Zugriff erlaubt wird oder nicht." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" +"<emphasis>nds</emphasis>: Die Werte von " +"»ldap_user_nds_login_allowed_time_map«, »ldap_user_nds_login_disabled« und " +"»ldap_user_nds_login_expiration_time« werden benutzt, um zu überprüfen, ob " +"Zugriff gewährt wird. Falls diese Attribute fehlen, wird Zugriff erteilt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" +"Bitte beachten Sie, dass die Konfigurationsoption »ldap_access_order« " +"»expire« enthalten <emphasis>muss</emphasis>, damit die Option " +"»ldap_account_expire_policy« funktioniert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "ldap_access_order (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" +"durch Kommata getrennte Liste von Zugriffssteuerungsoptionen. Folgende Werte " +"sind erlaubt:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "<emphasis>filter</emphasis>: verwendet »ldap_access_filter«." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. 
Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "<emphasis>expire</emphasis>: verwendet »ldap_account_expire_policy«." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" +"<emphasis>authorized_service</emphasis>: verwendet das Attribut " +"»authorizedService«, um zu bestimmen, ob Zugriff gewährt wird." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" +"<emphasis>host</emphasis>: verwendet das Attribut »host«, um zu bestimmen, " +"ob Zugriff gewährt wird." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "Voreinstellung: filter" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" +"Bitte beachten Sie, dass es ein Konfigurationsfehler ist, falls ein Wert " +"mehr als einmal benutzt wird." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "ldap_deref (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" +"gibt an, wie Alias-Dereferenzierung bei einer Suche erledigt wird. Die " +"folgenden Optionen sind erlaubt:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "<emphasis>never</emphasis>: Alias werden nie dereferenziert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." 
+msgstr "" +"<emphasis>searching</emphasis>: Alias werden auf Unterebenen des " +"Basisobjekts dereferenziert, nicht jedoch beim Orten des Basisobjekts der " +"Suche." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" +"<emphasis>finding</emphasis>: Alias werden nur beim Orten des Basisobjekts " +"der Suche dereferenziert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" +"<emphasis>always</emphasis>: Alias werden sowohl bei der Suche als auch beim " +"Orten des Basisobjekts der Suche dereferenziert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" +"Voreinstellung: leer (Dies wird durch LDAP-Client-Bibliotheken wie " +"<emphasis>never</emphasis> gehandhabt.)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" +"ermöglich, lokale Anwender als Mitglieder einer LDAP-Gruppe für Server " +"beizubehalten, die das Schema RFC2307 benutzen." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" +"In einigen Umgebungen, in denen das Schema RFC2307 verwendet wird, werden " +"lokale Benutzer zu Mitgliedern einer LDAP-Gruppe gemacht, indem ihre Namen " +"dem Attribut »memberUid« hinzugefügt werden. Die eigene Stimmigkeit der " +"Domain wird dabei kompromittiert, daher würde SSSD normalerweise »fehlende« " +"Anwender aus den zwischengespeicherten Gruppenmitgliedschaften entfernen, " +"sobald Nsswitch versucht, Informationen über den Anwender durch Aufrufen von " +"getpw*() oder initgroups() abzurufen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" +"Diese Option greift auf das Prüfen zurück, ob auf lokale Benutzer Bezug " +"genommen wird und speichert sie, so dass spätere Aufrufe von »initgroups() " +"die lokalen Benutzer um zusätzliche LDAP-Gruppen erweitert werden." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" +"Alle häufigen Konfigurationsoptionen, die für SSSD-Domains gelten, gelten " +"auch für LDAP-Domains. Umfassende Einzelheiten finden Sie im Abschnitt " +"»DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. <placeholder " +"type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "SUDO-OPTIONEN" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." 
+msgstr "" +"Detaillierte Anweisungen zur Konfiguration von sudo_provider finden Sie in " +"der Handbuchseite zu <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "die Objektklasse eines Sudo-Regeleintrags in LDAP" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "Voreinstellung: sudoRole" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "das LDAP-Attribut, das dem Namen der Sudo-Regel entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "das LDAP-Attribut, das dem Namen des Befehls entspricht" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "Voreinstellung: sudoCommand" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" +"das LDAP-Attribut, das dem Rechnernamen (oder der IP-Adresse, dem IP-" +"Netzwerk oder des Netzwerkgruppe des Rechners) entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "Voreinstellung: sudoHost" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" +"das LDAP-Attribut, das dem Benutzernamen (oder der UID, dem Gruppennamen " +"oder der Netzwerkgruppe des Benutzers) entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "Voreinstellung: sudoUser" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "das LDAP-Attribut, das den Sudo-Optionen entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "Voreinstellung: sudoOption" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" +"das LDAP-Attribut, das dem Benutzernamen entspricht, unter dem Befehle " +"ausgeführt werden können" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "Voreinstellung: sudoRunAsUser" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" +"das LDAP-Attribut, das dem Gruppennamen oder der GID der Gruppe entspricht, " +"worunter Befehle ausgeführt werden können" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "Voreinstellung: sudoRunAsGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" +"das LDAP-Attribut, das dem Startdatum und der Startzeit entpricht, wann die " +"Sudo-Regel gültig wird." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "Voreinstellung: sudoNotBefore" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" +"das LDAP-Attribut, das dem Ablaufdatum und der Ablaufzeit entspricht, nach " +"der die Sudo-Regel nicht länger gültig ist." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "Voreinstellung: sudoNotAfter" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "das LDAP-Attribut, das dem Reihenfolgenindex der Regel entspricht" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "Voreinstellung: sudoOrder" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" +"wie viele Sekunden SSSD zwischen einer vollständigen Aktualisierung von Sudo-" +"Regeln warten wird (wodurch alle auf dem Server gespeicherten Regeln " +"heruntergeladen werden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"Der Wert muss größer als <emphasis>ldap_sudo_smart_refresh_interval</" +"emphasis> sein." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "Voreinstellung: 21600 (6 Stunden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (Ganzzahl)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" +"wie viele Sekunden SSSD warten soll, bevor ein kluges Aktualisieren der Sudo-" +"Regeln ausgeführt wird (wodurch alle Regeln, die eine höhere USN als die " +"höchste USN der zwischengespeicherten Regeln haben, heruntergeladen werden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" +"Falls vom Server keine USN-Attribute unterstützt werden, wird stattdessen " +"das Attribut »modifyTimestamp« benutzt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" +"Falls dies auf »true« gesetzt ist, wird SSSD nur die Regeln herunterladen, " +"die auf diese Maschine angewandt werden können (mittels der IPv4- oder IPv6-" +"Netzwerkadressen und Rechnernamen)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" +"durch Leerzeichen getrennte Listen von Rechnernamen oder voll qualifizierten " +"Domain-Namen, die zum Filtern der Regeln benutzt werden sollen" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" +"Falls diese Option leer ist, wird SSSD versuchen, den Rechnernamen und den " +"voll qualifizierten Domain-Namen automatisch herauszufinden." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" +"Falls <emphasis>ldap_sudo_use_host_filter</emphasis> <emphasis>false</" +"emphasis> ist, hat diese Option keine Auswirkungen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "Voreinstellung: nicht angegeben" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." 
+msgstr "" +"durch Kommata getrennte Liste von IPv4- oder IPv6-Rechner- beziehungsweise " +"Netzwerkadressen, die zum Filtern der Regeln benutzt werden sollen" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" +"Falls diese Option leer ist, wird SSSD versuchen, die Adressen automatisch " +"herauszufinden." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" +"Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die " +"eine Netzgruppe im Attribut »sudoHost« enthält." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" +"Falls dies auf »true« gesetzt ist, wird SSSD jede Regel herunterladen, die " +"einen Platzhalter im Attribut »sudoHost« enthält." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. 
For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" +"Diese Handbuchseite beschreibt nur das Abbilden von Attributnamen. Eine " +"umfassende Erklärung der Sudo-bezogenen Attributsemantik finden Sie unter " +"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "AUTOFS-OPTIONEN" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "ldap_autofs_map_master_name (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "Der Name der Automount-Master-Abbildung in LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "Voreinstellung: auto.master" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "die Objektklasse eines Automount-Abbildungseintrags in LDAP" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr "ldap_autofs_map_name (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr "der Name eines Automount-Abbildungseintrags in LDAP"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr "ldap_autofs_entry_object_class (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr "ldap_autofs_entry_key (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+"der Schlüssel eines Automount-Eintrags in LDAP. Normalerweise entspricht der "
+"Eintrag einem Einhängepunkt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr "ldap_autofs_entry_value (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "ERWEITERTE OPTIONEN"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr "ldap_sudo_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr "ldap_autofs_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. 
Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "BEISPIEL"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und "
+"LDAP auf eine der Domains im Abschnitt <replaceable>[domains]</replaceable> "
+"gesetzt ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "ANMERKUNGEN"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+"Die Beschreibungen einiger Konfigurationsoptionen auf dieser Handbuchseite "
+"basieren auf der Handbuchseite <citerefentry> <refentrytitle>ldap.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> der Distribution "
+"OpenLDAP 2.4."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "PAM-Modul für SSSD"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+"<command>pam_sss.so</command> ist die PAM-Schnittstelle des "
+"Systemsicherheitsdienst-Daemons (»System Security Services daemon«/SSSD). "
+"Fehler und Ergebnisse werden durch <command>syslog(3)</command> mit der "
+"Fertigkeit LOG_AUTHPRIV protokolliert."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr "unterdrückt Protokollnachrichten für unbekannte Benutzer"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+"Falls <option>forward_pass</option> gesetzt ist, wird das eingegebene "
+"Passwort in den Stapelverabeitungsspeicher gelegt, damit andere PAM-Module "
+"es nutzen können."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+"Das Argument »use_first_pass« zwingt das Modul ein vorher im "
+"Stapelverabeitungsspeicher abgelegtes Passwort zu benutzen. Es wird den "
+"Anwender nie fragen. Falls kein Passwort verfügbar oder das Passwort "
+"ungeeignet ist, wird dem Benutzer der Zugriff verwehrt."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+"Wenn das Passwort geändert wird, erzwingt das Modul, dass das neue Passwort "
+"von einem vorher im Stapelverabeitungsspeicher abgelegten Passwortmodul "
+"bereitgestellt wird."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+"Ist dies angegeben, wird der Benutzer weitere N mal nach einem Passwort "
+"gefragt, falls die Authentifizierung fehlschlägt. Voreinstellung ist 0."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+"Bitte beachten Sie, dass diese Option möglicherweise nicht wie erwartet "
+"funktioniert, falls eine Anwendung, die PAM aufruft, den Benutzerdialog "
+"selbst abwickelt. Ein typisches Beispiel ist <command>sshd</command> mit "
+"<option>PasswordAuthentication</option>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr "<option>ignore_unknown_user</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+"Falls diese Option angegeben ist, aber der Benutzer nicht existiert, gibt "
+"das PAM-Modul den Wert PAM_IGNORE zurück. Dies hat zur Folge, dass das PAM-"
+"Framework dieses Modul ignoriert."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr "<option>ignore_authinfo_unavail</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+"Gibt an, dass das PAM-Modul PAM_IGNORE zurückgeben soll, falls der SSSD-"
+"Daemon nicht kontaktiert werden kann. Dies hat zur Folge, dass das PAM-"
+"Framework dieses Modul ignoriert."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr "BEREITGESTELLTE MODULTYPEN"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+"Alle Modultypen (<option>account</option>, <option>auth</option>, "
+"<option>password</option> und <option>session</option>) werden "
+"bereitgestellt."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr "DATEIEN"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+"Falls ein Zurücksetzen des Passworts durch Root fehlschlägt, weil der "
+"zugehörige SSSD-Anbieter das Zurücksetzen von Passwörtern nicht unterstützt, "
+"kann eine individuelle Nachricht angezeigt werden. Diese Nachricht kann z.B. "
+"Anweisungen enthalten, wie ein Passwort zurückgesetzt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:220
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permissions."
+msgstr ""
+"Die Nachricht wird aus der Datei <filename>pam_sss_pw_reset_message.LOC</"
+"filename> gelesen, wobei LOC für eine durch <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry> zurückgegebene Zeichenkette steht. Falls dort keine passende "
+"Datei ist, wird der Inhalt von <filename>pam_sss_pw_reset_message.txt</"
+"filename> angezeigt. Root muss der Besitzer der Dateien sein und nur Root "
+"kann Lese- und Schreibrechte haben, während alle anderen Anwender nur "
+"Leserechte haben dürfen."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:230
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+"Diese Dateien werden im Verzeichnis <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename> gesucht. Falls keine passende Datei vorhanden ist, "
+"wird eine allgemeine Nachricht angezeigt."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr "sssd_krb5_locator_plugin"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_locator_plugin.8.xml:16
+msgid "Kerberos locator plugin"
+msgstr "Kerberos Locator-Plugin"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use. Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. 
"
+"To simplify the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+"Das Kerberos Locator-Plugin <command>sssd_krb5_locator_plugin</command> wird "
+"vom Kerberos-Anbieter von <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> verwendet, um für die Kerberos-"
+"Bibliotheken festzulegen, welcher Realm und KDC verwendet werden soll. "
+"Typischerweise geschieht dies in der Datei <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, die immer von den Kerberos-Bibliotheken gelesen wird. Um die "
+"Konfiguration zu vereinfachen, können Realm und KDC in der Datei "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> definiert werden, so wie es in der Handbuchseite "
+"zu <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> beschrieben ist."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variables and returns them to the "
+"libraries."
+msgstr ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> legt den Realm und den Namen oder die IP-Adresse der "
+"Schlüsselverwaltungszentrale (KDC) in den Umgebungsvariablen SSSD_KRB5_REALM "
+"beziehungsweise SSSD_KRB5_KDC ab. 
Wenn <command>sssd_krb5_locator_plugin</"
+"command> durch die Kerberos-Bibliotheken aufgerufen wird, liest es diese "
+"Variablen, wertet sie aus und gibt sie an die Bibliotheken zurück."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+"Nicht alle Kerberos-Implementierungen unterstützen die Verwendung von "
+"Erweiterungen. Falls <command>sssd_krb5_locator_plugin</command> nicht auf "
+"Ihrem System vorhanden ist, müssen Sie /etc/krb5.conf bearbeiten, damit sie "
+"Ihre Kerberos-Einrichtung widerspiegelt."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+"Falls die Umgebungsvariable SSSD_KRB5_LOCATOR_DEBUG auf irgendeinen Wert "
+"gesetzt ist, werden Debug-Nachrichten an »stderr« gesandt."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+"die Konfigurationsdatei für den »einfachen« Zugriffssteuerungsanbieter von "
+"SSSD"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+"Diese Handbuchseite beschreibt die Konfiguration des einfachen "
+"Zugriffssteuerungsanbieters für <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. Eine ausführliche "
+"Syntax-Referenz finden Sie im Abschnitt »DATEIFORMAT« der Handbuchseite "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+"Der einfache Zugriffsanbieter gewährt oder verweigert den Zugriff auf Basis "
+"einer Zugriffs- oder Verbotsliste von Benutzer- oder Gruppennamen. Es gelten "
+"die folgenden Regeln:"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr "Falls alle Listen leer sind, wird Zugriff gewährt."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+"Falls irgendeine Liste bereitgestellt wird, ist die Reihenfolge der "
+"Auswertung »erlauben,verbieten«. 
Das heißt, dass eine passende verbietende "
+"Regeln jede passende erlaubende Regel ersetzt."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+"Falls eine oder beide »Erlaubnislisten« bereitgestellt werden, ist der "
+"Zugriff allen Benutzern verboten, sofern sie nicht auf der Liste erscheinen."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+"Falls nur »Verbotslisten« bereitgestellt werden, wird der Zugriff allen "
+"Benutzern gewährt, sofern sie nicht auf der Liste stehen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr "simple_allow_users (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr "Durch Kommata getrennte Liste von Benutzern, die sich anmelden dürfen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr "simple_deny_users (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+"Durch Kommata getrennte Liste von Benutzern, denen der Zugriff explizit "
+"verwehrt wird."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr "simple_allow_groups (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+"Durch Kommata getrennte Liste von Gruppen, die sich anmelden dürfen. Dies "
+"gilt nur für Gruppen innerhalb dieser SSSD-Domain. Lokale Gruppen werden "
+"nicht ausgewertet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr "simple_deny_groups (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+"Durch Kommata getrennte Liste von Gruppen, denen der Zugriff explizit "
+"verwehrt wird. Dies gilt nur für Gruppen innerhalb dieser SSSD-Domain. "
+"Lokale Gruppen werden nicht ausgewertet."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. 
<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Einzelheiten über die Konfiguration einer SSSD-Domain finden Sie im "
+"Abschnitt »DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+"Keine Werte für eine der Listen anzugeben ist so, als ob sie ganz "
+"übersprungen würde. Hüten Sie sich davor, solange Parameter für den "
+"einfachen Anbieter mittels automatischer Skripte erzeugt werden."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+"Bitte beachten Sie, das es ein Konfigurationsfehler ist, wenn sowohl "
+"»simple_allow_users« als auch »simple_deny_users« definiert sind."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und "
+"example.com eine der im Abschnitt <replaceable>[sssd]</replaceable> "
+"erwähnten Domains ist. Die Beispiele zeigen nur die anbieterspezifischen "
+"Optionen des einfachen Anbieters."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+"Die vollständige Hierarchie der Gruppenmitgliedschaft wird aufgelöst, bevor "
+"die Zugriffsprüfung ausgeführt wird. Daher können selbst verschachtelte "
+"Gruppen Teil der Zugriffslisten werden. Bitte beachten Sie, dass die Option "
+"<quote>ldap_group_nesting_level</quote> die Ergebnisse beeinflussen kann und "
+"daher auf einen ausreichenden Wert gesetzt werden sollte. Siehe "
+"(<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>)."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. 
It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. "
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. "
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:312
+msgid "<SAN:iPAddress>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:315
+msgid "Match the value of the iPAddress SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:318
+msgid "Example: <SAN:iPAddress>192\\.168\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:323
+msgid "<SAN:registeredID>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:326
+msgid "Match the value of the registeredID SAN as dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:330
+msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:68
+msgid ""
+"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. 
The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:461
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by pkinit. The 'short_name' component represents the first part of the "
+"principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:467
+msgid ""
+"Example: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:472
+msgid "{subject_nt_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:475
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by AD. The 'short_name' component represent the first part of the principal "
+"before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:486
+msgid "{subject_rfc822_name[.short_name]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:489
+msgid ""
+"This template will add the string which is stored in the rfc822Name "
+"component of the SAN, typically an email address. The 'short_name' component "
+"represents the first part of the address before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:495
+msgid ""
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:500
+msgid "{subject_dns_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:503
+msgid ""
+"This template will add the string which is stored in the dNSName component "
+"of the SAN, typically a fully-qualified host name. The 'short_name' "
+"component represents the first part of the name before the first '.' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:509
+msgid ""
+"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:514
+msgid "{subject_uri}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:517
+msgid ""
+"This template will add the string which is stored in the "
+"uniformResourceIdentifier component of the SAN."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. 
Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "SSSD IPA-Anbieter" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration des IPA-Anbieters für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt " +"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) 
This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" +"Der IPA-Anbieter ist ein Backend, das zum Verbinden mit einem IPA-Server " +"benutzt wird. (Informationen über IPA-Server finden Sie auf der Website " +"»freeipa.org«.) Dieser Anbieter erfordert, dass der Rechner einer IPA-Domain " +"beitritt. Die Konfiguration wird nahezu vollständig selbst ermittelt und " +"direkt vom Server genommen." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" +"Der IPA-Anbieter wird den PAC-Responder benutzen, falls die Kerberos-Tickets " +"von Anwendern vertrauenswürdiger Realms ein PAC enthalten. Um die " +"Konfiguration zu vereinfachen, wird der PAC-Responder automatisch gestartet, " +"falls der IPA-ID-Anbieter konfiguriert ist." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" +"gibt den Namen der IPA-Domain an. Dies ist optional. Ist er nicht angegeben, " +"wird der Domain-Name der Konfiguration benutzt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "ipa_server, ipa_backup_server (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. 
For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" +"Die durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen der IPA-" +"Server in der Reihenfolge, in der sich SSSD mit ihnen verbinden soll. " +"Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im " +"Abschnitt »AUSFALLSICHERUNG«. Falls automatisches Auffinden aktiviert ist, " +"ist dies optional. Weitere Informationen finden Sie im Abschnitt " +"»DIENSTSUCHE«." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "dyndns_update (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" +"HINWEIS: Auf älteren Systemen (wie RHEL 5) muss der Standard-Kerberos-Realm " +"ordentlich in /etc/krb5.conf gesetzt sein, damit dies zuverlässig " +"funktioniert." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" +"HINWEIS: Obwohl es immer noch möglich ist, die alte Option " +"<emphasis>ipa_dyndns_update</emphasis> zu benutzen, sollten Anwender auf die " +"Verwendung von <emphasis>dyndns_update</emphasis> in ihrer " +"Konfigurationsdatei migrieren." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "dyndns_ttl (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" +"die TTL, die beim Aktualisieren auf den Client-DNS-Datensatz angewandt wird. " +"Falls »dyndns_update« »false« ist, hat dies keine Auswirkungen. Diese wird " +"die Server-seitige TTL außer Kraft setzen, falls diese durch einen " +"Administrator gesetzt wurde." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" +"HINWEIS: Obwohl es immer noch möglich ist, die alte Option " +"<emphasis>ipa_dyndns_ttl</emphasis> zu benutzen, sollten Anwender auf die " +"Verwendung von <emphasis>dyndns_ttl</emphasis> in ihrer Konfigurationsdatei " +"migrieren." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "Voreinstellung: 1200 (Sekunden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "dyndns_iface (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" +"HINWEIS: Obwohl es immer noch möglich ist, die alte Option " +"<emphasis>ipa_dyndns_iface</emphasis> zu benutzen, sollten Anwender auf die " +"Verwendung von <emphasis>dyndns_iface</emphasis> in ihrer " +"Konfigurationsdatei migrieren." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "ipa_enable_dns_sites (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "aktiviert DNS-Sites – standortbasierte Dienstsuche" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" +"Ist dies »true« und die Dienstsuche aktiviert (siehe den Abschnitt " +"Dienstsuche am Ende der Handbuchseite), dann wird SSSD zuerst versuchen, " +"eine standortbasierte Suche mittels einer Abfrage, die »_location.hostname." +"example.com« enthält, durchzuführen und dann auf die traditionelle SRV-Suche " +"zurückgreifen. Falls die standortbasierte Suche erfolgreich ist, werden die " +"georteten IPA-Server, die mit der standortbasierten Suche gefunden wurden, " +"als primäre Server betrachtet und die mit der traditionellen SRV-Suche " +"gefundenen als Sicherungsserver." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "dyndns_refresh_interval (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" +"wie oft das Backend periodische DNS-Aktualisierungen zusätzlich zur " +"automatisch beim Online-Gehen durchgeführten Aktualisierung vornehmen soll. 
" +"Diese Option ist optional und nur anwendbar, wenn »dyndns_update« »true« ist." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "dyndns_update_ptr (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" +"ob der PTR-Datensatz ebenfalls explizit aktualisiert werden soll, wenn die " +"DNS-Datensätze des Clients aktualisiert werden; nur anwendbar, wenn " +"»dyndns_update« »true« ist" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" +"Diese Option sollte in den meisten IPA-Bereitstellungen »False« sein, da der " +"IPA-Server die PTR-Datensätze automatisch erzeugt, wenn sich " +"Weiterleitungsdatensätze ändern." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "Voreinstellung: False (deaktiviert)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "dyndns_force_tcp (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." 
+msgstr "" +"ob das Hilfswerkzeug Nsupdate standardmäßig TCP zur Kommunikation mit dem " +"DNS-Server verwenden soll" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "Voreinstellung: False (lässt Nsupdate das Protokoll auswählen)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. 
Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "Voreinstellung: verwendet Basis-DN" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für HBAC-" +"bezogene Objekte" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "ipa_host_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "ipa_selinux_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " +"SELinux-Benutzerabbildungen" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "ipa_subdomains_search_base (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für " +"vertrauenswürdige Domains" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "Voreinstellung: der Wert von <emphasis>cn=trusts,%basedn</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "ipa_master_domain_search_base (Zeichenkette)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" +"optional, verwendet die angegebene Zeichenkette als Suchgrundlage für das " +"Master-Domain-Objekt." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "Voreinstellung: der Wert von <emphasis>cn=ad,cn=etc,%basedn</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" +"der Name des Kerberos-Realm. Dieser ist optional. Standardmäßig ist es der " +"Wert von »ipa_domain«." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" +"der Name des Kerberos-Realms hat in IPA eine besondere Bedeutung – er wird " +"in den Basis-DN umgewandelt, um ihn zur Durchführung von LDAP-Transaktionen " +"zu verwenden." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "Voreinstellung: 5 (Sekunden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (Ganzzahl)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" +"die Zeit zwischen dem Abrufen der HBAC-Regeln beim IPA-Server. Dies wird die " +"Wartezeit und Belastung des IPA-Servers verringern, falls dort viele " +"Zugriffssteuerungsanfragen in einer kurzen Zeitspanne ankommen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (Ganzzahl)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" +"die Zeit zwischen den Abrufen der SELinux-Abbildungen beim IPA-Server. Dies " +"wird die Wartezeit und Belastung des IPA-Servers verringern, falls dort " +"viele Benutzeranmeldeanfragen in einer kurzen Zeitspanne ankommen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "ipa_server_mode (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:531
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:536
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:541
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:550
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:565
+msgid "ipa_automount_location (string)"
+msgstr "ipa_automount_location (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "The automounter location this IPA client will be using"
+msgstr "der Ort des Automounters, den dieser IPA-Client benutzen wird"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:571
+msgid "Default: The location named \"default\""
+msgstr "Voreinstellung: der Ort namens »default«"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:579
+msgid "VIEWS AND OVERRIDES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:588
+msgid "ipa_view_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:591
+msgid "Objectclass of the view container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:594
+msgid "Default: nsContainer"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:600
+msgid "ipa_view_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:603
+msgid "Name of the attribute holding the name of the view."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:613
+msgid "ipa_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:616
+msgid "Objectclass of the override objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:619
+msgid "Default: ipaOverrideAnchor"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:625
+msgid "ipa_anchor_uuid (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:628
+msgid ""
+"Name of the attribute containing the reference to the original object in a "
+"remote domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: ipaAnchorUUID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_user_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"Name of the objectclass for user overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:646
+msgid "User overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:649
+msgid "ldap_user_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:652
+msgid "ldap_user_uid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:655
+msgid "ldap_user_gid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:658
+msgid "ldap_user_gecos"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:661
+msgid "ldap_user_home_directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:664
+msgid "ldap_user_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:667
+msgid "ldap_user_ssh_public_key"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:672
+msgid "Default: ipaUserOverride"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:678
+msgid "ipa_group_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:681
+msgid ""
+"Name of the objectclass for group overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:686
+msgid "Group overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:689
+msgid "ldap_group_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:692
+msgid "ldap_group_gid_number"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:697
+msgid "Default: ipaGroupOverride"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:581
+msgid ""
+"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
+"later version. Since all paths and objectclasses are fixed on the server "
+"side there is basically no need to configure anything. For completeness the "
+"related options are listed here with their default values. <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:709
+msgid "SUBDOMAINS PROVIDER"
+msgstr "ANBIETER VON UNTER-DOMAINS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:711
+msgid ""
+"The IPA subdomains provider behaves slightly differently if it is configured "
+"explicitly or implicitly."
+msgstr ""
+"Der Anbieter für IPA-Subdomains verhält sich geringfügig anders, je nachdem, "
+"ob er explizit oder implizit konfiguriert wurde."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:715
+msgid ""
+"If the option 'subdomains_provider = ipa' is found in the domain section of "
+"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+"subdomain requests are sent to the IPA server if necessary."
+msgstr ""
+"Falls die Option »subdomains_provider = ipa« im Domain-Abschnitt der »sssd."
+"conf« gefunden wird, wird der IPA-Subdomain-Anbieter explizit konfiguriert "
+"und alle Subdomain-Anfragen werden, falls nötig, an den IPA-Server gesandt."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:721
+msgid ""
+"If the option 'subdomains_provider' is not set in the domain section of sssd."
+"conf but there is the option 'id_provider = ipa', the IPA subdomains "
+"provider is configured implicitly. 
In this case, if a subdomain request "
+"fails and indicates that the server does not support subdomains, i.e. is not "
+"configured for trusts, the IPA subdomains provider is disabled. After an "
+"hour or after the IPA provider goes online, the subdomains provider is "
+"enabled again."
+msgstr ""
+"Falls die Option »subdomains_provider« nicht im Domain-Abschnitt der »sssd."
+"conf« gesetzt ist, es dort aber die Option »id_provider = ipa« gibt, wird "
+"der IPA-Subdomain-Anbieter implizit konfiguriert. In diesem Fall wird der "
+"IPA-Anbieter deaktiviert, falls eine Subdomain-Anfrage fehlschlägt und "
+"anzeigt, dass der Server keine Subdomains unterstützt, d.h. nicht zum "
+"Vertrauen konfiguriert ist. Nach einer Stunde oder nachdem der IPA-Server "
+"online gegangen ist, wird der Subdomain-Anbieter erneut aktiviert."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:732
+msgid "TRUSTED DOMAINS CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:738
+#, no-wrap
+msgid ""
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:734
+#, fuzzy
+#| msgid ""
+#| "These configuration options can be present in a domain configuration "
+#| "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+#| "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"Some configuration options can be also set for a trusted domain. 
A trusted "
+"domain configuration can either be done using a subsection, for example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Diese Konfigurationsoptionen können in einem Abschnitt einer Domain-"
+"Konfiguration vorhanden sein, das heißt, in einem Abschnitt namens "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:743
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"In addition, some options can be set in the parent domain and inherited by "
+"the trusted domain using the <quote>subdomain_inherit</quote> option. For "
+"more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Weitere Einzelheiten finden Sie in der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> beim Parameter »dns_discovery_domain«."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:753
+msgid ""
+"Different configuration options are tunable for a trusted domain depending "
+"on whether you are configuring SSSD on an IPA server or an IPA client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:758
+msgid "OPTIONS TUNABLE ON IPA MASTERS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:760
+msgid ""
+"The following options can be set in a subdomain section on an IPA master:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794
+msgid "ad_server"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:767
+#, fuzzy
+#| msgid "ad_server, ad_backup_server (string)"
+msgid "ad_backup_server"
+msgstr "ad_server, ad_backup_server (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797
+msgid "ad_site"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:773
+#, fuzzy
+#| msgid "ldap_search_base (string)"
+msgid "ldap_search_base"
+msgstr "ldap_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:776
+#, fuzzy
+#| msgid "ldap_user_search_base (string)"
+msgid "ldap_user_search_base"
+msgstr "ldap_user_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:779
+#, fuzzy
+#| msgid "ldap_group_search_base (string)"
+msgid "ldap_group_search_base"
+msgstr "ldap_group_search_base (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:788
+msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:790
+msgid ""
+"The following options can be set in a subdomain section on an IPA client:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:802
+msgid ""
+"Note that if both options are set, only <quote>ad_server</quote> is "
+"evaluated."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:806
+msgid ""
+"Since any request for a user or a group identity from a trusted domain "
+"triggered from an IPA client is resolved by the IPA server, the "
+"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
+"which AD DC will the authentication be performed against. In particular, the "
+"addresses resolved from these lists will be written to <quote>kdcinfo</"
+"quote> files read by the Kerberos locator plugin. Please refer to the "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+"Kerberos locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:830
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert und "
+"example.com eine der im Abschnitt <replaceable>[sssd]</replaceable> "
+"erwähnten Domänen ist. Diese Beispiele zeigen nur die anbieterspezifischen "
+"Optionen von IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:837
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+msgid "sssd-ad"
+msgstr "sssd-ad"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ad.5.xml:17
+msgid "SSSD Active Directory provider"
+msgstr "SSSD Active-Directory-Anbieter"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:23
+msgid ""
+"This manual page describes the configuration of the AD provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Diese Handbuchseite beschreibt die Konfiguration des AD-Anbieters für "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Eine ausführliche Syntax-Referenz finden Sie im Abschnitt "
+"»DATEIFORMAT« der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:36
+msgid ""
+"The AD provider is a back end used to connect to an Active Directory server. "
+"This provider requires that the machine be joined to the AD domain and a "
+"keytab is available. Back end communication occurs over a GSSAPI-encrypted "
+"channel, SSL/TLS options should not be used with the AD provider and will be "
+"superseded by Kerberos usage."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:44
+msgid ""
+"The AD provider supports connecting to Active Directory 2008 R2 or later. "
+"Earlier versions may work, but are unsupported."
+msgstr ""
+"Der AD-Anbieter unterstützt das Verbinden mit Active Directory 2008 R2 oder "
+"neuer. Frühere Versionen könnten funktionieren, werden aber nicht "
+"unterstützt."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:48
+msgid ""
+"The AD provider can be used to get user information and authenticate users "
+"from trusted domains. Currently only trusted domains in the same forest are "
+"recognized. 
In addition servers from trusted domains are always auto-"
+"discovered."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:54
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:69
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:74
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:79
+msgid ""
+"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ad</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:91
+#, no-wrap
+msgid ""
+"ldap_id_mapping = False\n"
+" "
+msgstr ""
+"ldap_id_mapping = False\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:85
+msgid ""
+"By default, the AD provider will map UID and GID values from the objectSID "
+"parameter in Active Directory. 
For details on this, see the <quote>ID "
+"MAPPING</quote> section below. If you want to disable ID mapping and instead "
+"rely on POSIX attributes defined in Active Directory, you should set "
+"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should "
+"be used, it is recommended for performance reasons that the attributes are "
+"also replicated to the Global Catalog. If POSIX attributes are replicated, "
+"SSSD will attempt to locate the domain of a requested numerical ID with the "
+"help of the Global Catalog and only search that domain. In contrast, if "
+"POSIX attributes are not replicated to the Global Catalog, SSSD must search "
+"all the domains in the forest sequentially. Please note that the "
+"<quote>cache_first</quote> option might be also helpful in speeding up "
+"domainless searches. Note that if only a subset of POSIX attributes is "
+"present in the Global Catalog, the non-replicated attributes are currently "
+"not read from the LDAP port."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:108
+msgid ""
+"Users, groups and other entities served by SSSD are always treated as case-"
+"insensitive in the AD provider for compatibility with Active Directory's "
+"LDAP implementation."
+msgstr ""
+"Für Benutzer, Gruppen und weitere von SSSD bereitgestellt Einträge wird die "
+"Groß- oder Kleinschreibung nicht beachtet, um die Kompatibilität zur LDAP-"
+"Implementation in Active Directory zu gewährleisten."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:123
+msgid "ad_domain (string)"
+msgstr "ad_domain (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:126
+msgid ""
+"Specifies the name of the Active Directory domain. This is optional. If not "
+"provided, the configuration domain name is used."
+msgstr ""
+"gibt den Namen der Active-Directory-Domain an. Dieser ist optional. Ist er "
+"nicht angegeben, wird der Name der konfigurierten Domain benutzt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:131
+msgid ""
+"For proper operation, this option should be specified as the lower-case "
+"version of the long version of the Active Directory domain."
+msgstr ""
+"Damit dies ordentlich funktioniert, sollte diese Option in der "
+"kleingeschriebenen Variante der langen Version der Active-Directory-Domain "
+"angegeben werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:136
+msgid ""
+"The short domain name (also known as the NetBIOS or the flat name) is "
+"autodetected by the SSSD."
+msgstr ""
+"Der kurze Domain-Name (auch als NetBIOS- oder flacher Name bekannt) wird von "
+"SSSD automatisch ermittelt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:143
+msgid "ad_enabled_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:146
+msgid ""
+"A comma-separated list of enabled Active Directory domains. If provided, "
+"SSSD will ignore any domains not listed in this option. If left unset, all "
+"domains from the AD forest will be available."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:156
+#, no-wrap
+msgid ""
+"ad_enabled_domains = sales.example.com, eng.example.com\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:152
+msgid ""
+"For proper operation, this option must be specified in all lower-case and as "
+"the fully qualified domain name of the Active Directory domain. For example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:160
+msgid ""
+"The short domain name (also known as the NetBIOS or the flat name) will be "
+"autodetected by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:170
+msgid "ad_server, ad_backup_server (string)"
+msgstr "ad_server, ad_backup_server (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:173
+msgid ""
+"The comma-separated list of hostnames of the AD servers to which SSSD should "
+"connect in order of preference. For more information on failover and server "
+"redundancy, see the <quote>FAILOVER</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:180
+msgid ""
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:185
+msgid ""
+"Note: Trusted domains will always auto-discover servers even if the primary "
+"server is explicitly defined in the ad_server option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:193
+msgid "ad_hostname (string)"
+msgstr "ad_hostname (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:196
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the Active Directory domain to identify this "
+"host."
+msgstr ""
+"optional, kann auf Maschinen, bei denen »hostname(5)« nicht den voll "
+"qualifizierten Namen in der Active-Directory-Domain widerspiegelt, benutzt "
+"werden, um sie zu identifizieren."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:202
+msgid ""
+"This field is used to determine the host principal in use in the keytab. It "
+"must match the hostname for which the keytab was issued."
+msgstr ""
+"Dieses Feld wird benutzt, um den in der Keytab benutzten Host Principal zu "
+"bestimmen. Er muss dem Rechnernamen entsprechen, für die die Keytab "
+"ausgegeben wurde."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:210
+msgid "ad_enable_dns_sites (boolean)"
+msgstr "ad_enable_dns_sites (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:217
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, the SSSD will first attempt to discover the "
+"Active Directory server to connect to using the Active Directory Site "
+"Discovery and fall back to the DNS SRV records if no AD site is found. The "
+"DNS SRV configuration, including the discovery domain, is used during site "
+"discovery as well."
+msgstr ""
+"Ist dies »true« und die Dienstsuche aktiviert (siehe den Abschnitt "
+"Dienstsuche am Ende der Handbuchseite), dann wird SSSD zuerst versuchen, "
+"sich mit dem Active-Directory-Server zu verbinden, um die Active Directory "
+"Site Discovery zu benutzen und dann auf die DNS-SRV-Datensätze "
+"zurückgreifen, falls keine AD-Site gefunden wurde. Die DNS-SRV-Konfiguration "
+"wird ebenfalls einschließlich der Domain zur Aufdeckung bei der Site-"
+"Aufdeckung verwendet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:233
+msgid "ad_access_filter (string)"
+msgstr "ad_access_filter (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:236
+msgid ""
+"This option specifies LDAP access control filter that the user must match in "
+"order to be allowed access. Please note that the <quote>access_provider</"
+"quote> option must be explicitly set to <quote>ad</quote> in order for this "
+"option to have an effect."
+msgstr ""
+"Diese Option gibt Zugriffskontrollfilter für LDAP an, die auf den Benutzer "
+"passen müssen, damit ihm Zugriff gewährt werden kann. Bitte beachten Sie, "
+"dass die Option <quote>access_provider</quote> explizit auf <quote>ad</"
+"quote> gesetzt werden muss, damit sie wirksam ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:244
+msgid ""
+"The option also supports specifying different filters per domain or forest. "
+"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. "
+"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or "
+"missing."
+msgstr ""
+"Diese Option unterstützt auch die Angabe verschiedener Filter pro Domain "
+"oder Wald. Dieser erweiterte Filter würde bestehen aus: <quote>SCHLÜSSELWORT:"
+"NAME:FILTER</quote>. 
Das Schlüsselwort kann entweder <quote>DOM</quote> oder "
+"<quote>FOREST</quote> sein oder auch weggelassen werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:252
+msgid ""
+"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
+"quote> specifies the domain or subdomain the filter applies to. If the "
+"keyword equals to <quote>FOREST</quote>, then the filter equals to all "
+"domains from the forest specified by <quote>NAME</quote>."
+msgstr ""
+"Falls das Schlüsselwort <quote>DOM</quote> ist oder fehlt, dann gibt der "
+"<quote>NAME</quote> die Domain oder Subdomain an, auf die der Filter "
+"angewendet werden soll. Ist das Schlüsselwort <quote>FOREST</quote>, dann "
+"gilt der Filter für alle angegebenen Domains aus dem Wald, der in "
+"<quote>NAME</quote> angegeben ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:260
+msgid ""
+"Multiple filters can be separated with the <quote>?</quote> character, "
+"similarly to how search bases work."
+msgstr ""
+"Mehrere Filter können durch Fragezeichen <quote>?</quote> getrennt werden, "
+"so wie es auch in Suchmaschinen üblich ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:265
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" +"Es wird stets der spezifischste Treffer verwendet. Wenn zum Beispiel in der " +"den Filter angebenden Option der Benutzer ein Mitglied ist und es sich um " +"einen globalen Filter handelt, wird der pro-Domain-Filter angewendet. Gibt " +"es mehrere Treffer, die der angeforderten Spezifikation entsprechen, wird " +"der erste verwendet." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (Boolesch)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" +"Standardmäßig verbindet sich SSSD zuerst mit dem Globalen Katalog, um " +"Benutzer von vertrauenswürdigen Domains abfragen zu können. Der LDAP-Port " +"wird zum Ermitteln von Gruppenmitgliedschaften oder als Ausweichmöglichkeit " +"verwendet. Wenn Sie diese Option deaktivieren, verbindet sich SSSD nur mit " +"dem LDAP-Port des aktuellen Servers." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" +"Bitte beachten Sie, dass die Deaktivierung der Unterstützung für den " +"Globalen Katalog die Abfrage von Benutzern von vertrauenswürdigen Domains " +"nicht deaktiviert. SSSD würde sich stattdessen mit dem LDAP-Port der " +"vertrauenswürdigen Domains verbinden. Jedoch muss der Globale Katalog " +"verwendet werden, um domainübergreifende Gruppenmitgliedschaften auflösen zu " +"können." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (Zeichenkette)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" +"Diese Option legt den Operationsmodus für GPO-basierte Zugriffskontrolle " +"fest. Verfügbar sind die Modi »disabled«, »enforcing« und »permissive«. " +"Bitte beachten Sie, dass die Option <quote>access_provider</quote> explizit " +"auf <quote>ad</quote> gesetzt werden muss, damit sie wirksam ist." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" +"Die GPO-basierte Zugriffskontrolle verwendet gesetzte GPO-Regeln, um zu " +"ermitteln, ob sich ein bestimmter Benutzer an einem bestimmten Rechner " +"anmelden darf." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" +"ACHTUNG: Wird der Operationsmodus auf »enforcing« gesetzt, dann ist es " +"möglich, dass Benutzern, denen früher bereits einmal Zugriff gewährt wurde, " +"ihnen dieser nun verweigert wird (sofern dies von den GPO-Regeln " +"vorgeschrieben wird). Um Administratoren einen weichen Übergang zu " +"ermöglichen, ist der Modus »permissive« verfügbar, der die Umsetzung der " +"Zugriffskontrollregeln nicht erzwingt. Diese werden lediglich ausgewertet " +"und eine Meldung geht an das Systemprotokoll, falls tatsächlich der Zugriff " +"verweigert werden würde. Nach dem Untersuchen der Protokolle können " +"Administratoren nun die nötigen Änderungen vornehmen, bevor der Modus auf " +"»enforcing« gesetzt wird." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "Für diese Option werden drei Werte unterstützt:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" +"disabled: GPO-basierte Zugriffskontrollregeln werden weder ausgewertet noch " +"deren Anwendung erzwungen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." 
+msgstr "" +"enforcing: GPO-basierte Zugriffskontrollregeln werden sowohl ausgewertet als " +"auch deren Anwendung erzwungen." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" +"permissive: GPO-basierte Zugriffskontrollregeln werden zwar ausgewertet, " +"aber deren Anwendung nicht erzwungen. Stattdessen wird eine Meldung an das " +"Systemprotokoll ausgelöst, mit dem Inhalt, dass dem Benutzer der Zugriff " +"verweigert werden würde, wenn die Option auf »enforcing« gesetzt wäre." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "Voreinstellung: permissive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. 
" +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" +"Optional. Diese Option teilt SSSD mit, dass es den Active-Directory-DNS-" +"Server mit der IP-Adresse dieses Clients aktualisieren soll. Die " +"Aktualisierung wird mittels GSS-TSIG abgesichert. Infolgedessen muss der " +"Active-Directory-Verwalter nur sichere Aktualisierungen für die DNS-Zone " +"erlauben. 
Die IP-Adresse der AD-LDAP-Verbindung wird für die " +"Aktualisierungen verwendet, falls sie nicht anderweitig mittels der Option " +"»dyndns_iface« angegeben wurde." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "Voreinstellung: 3600 (Sekunden)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "Voreinstellung: True" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" +"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert ist und " +"example.com auf eine der Domains im Abschnitt <replaceable>[sssd]</" +"replaceable> gesetzt ist. Dieses Beispiel zeigt nur die anbieterspezifischen " +"Optionen von AD." + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Der AD-Zugriffssteuerungsanbieter prüft, ob das Konto erloschen ist. Es hat " +"dieselben Auswirkungen wie die folgende Konfiguration des LDAP-Anbieters: " +"<placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr "sssd-sudo"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr "Sudo mit dem SSSD-Backend konfigurieren"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+"Diese Handbuchseite beschreibt, wie <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> konfiguriert wird, "
+"damit es zusammen mit <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> funktioniert und wie SSSD Sudo-"
+"Regeln zwischenspeichert."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr "Sudo so konfigurieren, dass es mit SSSD zusammenarbeitet"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Um SSSD als eine Quelle von Sudo-Regeln zu aktivieren, fügen Sie dem Eintrag "
+"<emphasis>sudoers</emphasis> in <citerefentry> <refentrytitle>nsswitch.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> <emphasis>sss</"
+"emphasis> hinzu."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+"Um zum Beispiel Sudo so zu konfigurieren, dass es zuerst die Regeln in der "
+"Standarddatei <citerefentry> <refentrytitle>sudoers</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> nachschlägt (diese sollten Regeln "
+"umfassen, die für lokale Benutzer gelten) und dann die in SSSD, sollte die "
+"Datei »nsswitch.conf« die folgende Zeile enthalten:"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr "sudoers: files sss\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Weitere Informationen über die Konfiguration der Suchreihenfolge der "
+"»sudoers« aus der Datei »nsswitch.conf« sowie das LDAP-Schema, das zum "
+"Speichern von Sudo-Regeln im Verzeichnis benutzt wird, können Sie unter "
+"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> finden."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+"<emphasis>Hinweis</emphasis>: Um Netzgruppen oder IPA-Hostgruppen in sudo-"
+"Regeln verwenden zu können, muss <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> korrekt auf den entsprechenden NIS-Domainnamen gesetzt werden. "
+"Dieser entspricht dem IPA-Domainnamen, wenn Hostgruppen verwendet werden."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr "SSSD zum Abrufen von Sudo-Regeln konfigurieren"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+"Alle auf der SSSD-Seite erforderliche Konfiguration ist die Erweiterung der "
+"Liste der <emphasis>Dienste</emphasis> mit \"sudo\" im Abschnitt [sssd] der "
+"Handbuchseite zu <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. Um LDAP-Suchvorgänge zu "
+"beschleunigen, können Sie auch die Suchbasis für sudo-Regeln mit der Option "
+"<emphasis>ldap_sudo_search_base</emphasis> festlegen."
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+"Das folgende Beispiel zeigt, wie SSSD konfiguriert wird, damit es die Sudo-"
+"Regeln von einem LDAP-Server herunterlädt."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr "Der Zwischenspeichermechanismus für Sudo-Regeln"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+"Die größte Herausforderung bei der Entwicklung von Sudo-Unterstützung in "
+"SSSD war es, sicherzustellen, dass beim Ausführen von Sudo mit SSSD die "
+"Datenquelle dieselbe Benutzererfahrung bereitstellt und so schnell wie Sudo "
+"ist, aber weiterhin so viele aktuelle Regelsätze wie möglich bereitstellt. "
+"Um diesen Anforderungen zu genügen, verwendet SSSD drei Arten von "
+"Aktualisierungen. Sie werden als vollständiges Aktualisieren, kluges "
+"Aktualisieren und Regelaktualisierung bezeichnet."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+"Das <emphasis>kluge Aktualisieren</emphasis> lädt periodisch Regeln "
+"herunter, die neu sind oder seit der letzten Aktualisierung geändert wurden. "
+"Das Hauptziel hierbei ist es, die Datenbank anwachsen zu lassen, indem nur "
+"kleine Erweiterungen abgerufen werden, die keinen großen Netzwerkverkehr "
+"erzeugen."
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. "
+"This is used to keep the cache consistent by removing every rule which was "
+"deleted from the server. However, full refresh may produce a lot of traffic "
+"and thus it should be run only occasionally depending on the size and "
+"stability of the sudo rules."
+msgstr ""
+"Das <emphasis>vollständige Aktualisieren</emphasis> löscht einfach alle im "
+"Zwischenspeicher abgelegten Regeln und ersetzt sie durch die auf dem Server "
+"gespeicherten Regeln. Dies wird benutzt, um den Zwischenspeicher dadurch "
+"konsistent zu halten, dass jede von Server gelöschte Regel entfernt wird. "
+"Ein vollständiges Aktualisieren kann jedoch eine hohe Last erzeugen und "
+"sollte daher nur gelegentlich abhängig von der Größe und Stabilität der Sudo-"
+"Regeln ausgeführt werden."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:152
+msgid ""
+"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
+"more permission than defined. It is triggered each time the user runs sudo. "
+"Rules refresh will find all rules that apply to this user, check their "
+"expiration time and redownload them if expired. In the case that any of "
+"these rules are missing on the server, the SSSD will do an out of band full "
+"refresh because more rules (that apply to other users) may have been deleted."
+msgstr ""
+"Die <emphasis>Regelaktualisierung</emphasis> stellt sicher, dass dem "
+"Benutzer nicht mehr Rechte als definiert gewährt werden. Es wird jedesmal "
+"ausgelöst, wenn der Benutzer Sudo ausführt. Regelaktualisierung wird alle "
+"Regeln suchen, die für diesen Benutzer gelten, ihren Ablaufzeitpunkt prüfen "
+"und sie erneut herunterladen, falls sie erloschen sind.
Im Fall, dass "
+"irgendwelche der Regeln auf dem Server fehlen, wird SSSD außer der Reihe ein "
+"vollständiges Aktualisieren durchführen, da möglicherweise weitere Regeln "
+"(die für andere Benutzer gelten) gelöscht wurden."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+"SSSD wird, falls aktiviert, nur Regeln speichern, die auf diese Maschine "
+"angewandt werden können. Das bedeutet, Regeln, die einen der folgenden Werte "
+"im Attribut <emphasis>sudoHost</emphasis> enthalten:"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr "Schlüsselwort ALL"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:173
+msgid "wildcard"
+msgstr "Platzhalter"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:178
+msgid "netgroup (in the form \"+netgroup\")"
+msgstr "Netzgruppe (in der Form »+Netzgruppe«)"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:183
+msgid "hostname or fully qualified domain name of this machine"
+msgstr "Rechnername oder voll qualifizierter Domain-Namen dieser Maschine"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:188
+msgid "one of the IP addresses of this machine"
+msgstr "eine der IP-Adressen dieser Maschine"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:193
+msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+msgstr "eine der IP-Adressen des Netzwerks (in der Form »Adresse/Maske«)"
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:199
+msgid ""
+"There are many configuration options that can be used to adjust the "
+"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Es gibt viele Konfigurationsoptionen, die benutzt werden können, um das "
+"Verhalten anzupassen. Bitte lesen Sie »ldap_sudo_*« in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> und \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr "sssd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr "System Security Services Daemon (Systemsicherheitsdienst-Daemon)"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA.
It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+"<command>SSSD</command> stellt einen Satz Daemons bereit, um den Zugriff auf "
+"ferne Verzeichnisse und Authentifizierungsmechanismen zu verwalten. Es "
+"bietet eine NSS- und PAM-Schnittstelle zum System und ein erweiterbares "
+"Backend-System zum Verbinden mit mehreren unterschiedlichen Kontenquellen "
+"sowie der D-Bus-Schnittstelle. Es bildet außerdem die Grundlage für das "
+"Bereitstellen von Client-Überprüfungen und Richtliniendiensten für Projekte "
+"wie FreeIPA. Es stellt eine robustere Datenbank bereit, um lokale Benutzer "
+"sowie erweiterte Benutzerdaten zu speichern."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>STUFE</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-timestamps=</option><replaceable>Modus</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: Den Debug-Nachrichten wird ein Zeitstempel "
+"hinzugefügt."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr ""
+"<emphasis>0</emphasis>: Zeitstempel in Debug-Nachrichten werden deaktiviert."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-microseconds=</option><replaceable>Modus</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: Dem Zeitstempel in Debug-Nachrichten werden "
+"Millisekunden hinzugefügt."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr ""
+"<emphasis>0</emphasis>: Millisekunden werden in Zeitstempeln deaktiviert"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr "<option>-f</option>,<option>--debug-to-files</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+"sendet die Ausgabe der Fehlersuche in Dateien statt auf die "
+"Standardfehlerausgabe. Standardmäßig werden die Protokolldateien in "
+"<filename>/var/log/sssd</filename> gespeichert. Dort gibt es separate "
+"Protokolldateien für jeden SSSD-Dienst und jede Domain."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr "<option>-D</option>,<option>--daemon</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr "wird nach dem Start ein Daemon."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr "<option>-i</option>,<option>--interactive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr "läuft im Vordergrund und wird kein Daemon."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr "<option>-c</option>,<option>--config</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"gibt eine Konfigurationsdatei an, die nicht Standard ist. Die Voreinstellung "
+"ist <filename>/etc/sssd/sssd.conf</filename>. Auskunft über die Syntax und "
+"Optionen der Konfigurationsdatei finden Sie in der Handbuchseite "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr "<option>--version</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr "gibt die Versionsnummer aus und beendet sich."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr "Signale"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr "SIGTERM/SIGINT"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+"Informiert SSSD, dass es anstandslos alle Kindprozesse beenden und dann das "
+"Überwachungsprogramm herunterfahren soll."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr "SIGHUP"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+"teilt SSSD mit, dass es das Schreiben des aktuellen Dateideskriptors zur "
+"Fehlersuche stoppen, ihn schließen und erneut öffnen soll. Dies ist dazu "
+"gedacht, das Rotieren von Protokolldateien mit Programmen wie Logrotate zu "
+"erleichtern."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr "SIGUSR1"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr "SIGUSR2"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+"Falls die Umgebungsvariable SSS_NSS_USE_MEMCACHE auf »NO« gesetzt ist, "
+"nutzen Client-Anwendungen den schnellen speicherinternen Zwischenspeicher "
+"nicht."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr "sss_obfuscate"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr "verschleiert ein Klartextpasswort"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORT]</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+"<command>sss_obfuscate</command> wandelt ein angegebenes Passwort in ein von "
+"Menschen nicht lesbares Format um und legt es in einem geeigneten Domain-"
+"Abschnitt der SSSD-Konfigurationsdatei ab."
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+"Das Klartextpasswort wird von der Standardeingabe gelesen oder interaktiv "
+"eingegeben. Das verschleierte Passwort wird in den Parameter "
+"»ldap_default_authtok« einer angegebenen SSSD-Domain abgelegt und der "
+"Parameter »ldap_default_authtok_type« wird auf »obfuscated_password« "
+"gesetzt. Weitere Einzelheiten über diese Parameter finden Sie unter "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+"Bitte beachten Sie, dass das Verschleiern von Passwörtern <emphasis>keinen "
+"wirklichen Sicherheitsgewinn</emphasis> bietet, da es einem Angreifer immer "
+"noch möglich ist, das Passwort wieder herzuleiten. Es wird "
+"<emphasis>dringend</emphasis> geraten, bessere Authentifizierungsmechanismen "
+"wie Client-seitige Zertifikate oder GSSAPI zu verwenden."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr "<option>-s</option>,<option>--stdin</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+"Das Passwort, das verschleiert werden soll, wird von der Standardeingabe "
+"gelesen."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+"die SSSD-Domain, in der das Passwort benutzt wird. Der Standardname ist "
+"»default«."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+"<option>-f</option>,<option>--file</option> <replaceable>DATEI</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr "liest die durch den Positionsparameter angegebene Konfigurationsdatei."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr "Voreinstellung: <filename>/etc/sssd/sssd.conf</filename>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_override.8.xml:16
+msgid "create local overrides of user and group attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_override.8.xml:21
+msgid ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:32
+msgid ""
+"<command>sss_override</command> enables to create a client-side view and "
+"allows to change selected values of specific user and groups. This change "
+"takes effect only on local machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:37
+msgid ""
+"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
+"local overrides are lost. Please note that after the first override is "
+"created using any of the following <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
+"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
+"take effect. <emphasis>sss_override</emphasis> prints message when a "
+"restart is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:50 sssctl.8.xml:41
+msgid "AVAILABLE COMMANDS"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:52
+msgid ""
+"Argument <emphasis>NAME</emphasis> is the name of original object in all "
+"commands. It is not possible to override <emphasis>uid</emphasis> or "
+"<emphasis>gid</emphasis> to 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:59
+msgid ""
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
+"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
+"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+"CERTIFICATE</optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:72
+msgid ""
+"Override attributes of an user. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:80
+msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:85
+msgid ""
+"Remove user overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:94
+msgid ""
+"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:99
+msgid ""
+"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
+"is set, only users from the domain are listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:107
+msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:112
+msgid "Show user overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:118
+msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:123
+msgid ""
+"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard passwd file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:128
+msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:131
+msgid ""
+"where original_name is original name of the user whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:140
+msgid "ckent:superman::::::"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:143
+msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:149
+msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:154
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>user-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:162
+msgid ""
+"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:169
+msgid ""
+"Override attributes of a group. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:177
+msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:182
+msgid ""
+"Remove group overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:191
+msgid ""
+"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:196
+msgid ""
+"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
+"parameter is set, only groups from the domain are listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr "sss_useradd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr "erstellt einen neuen Benutzer"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+"<command>sss_useradd</command> erstellt mittels der auf der Befehlszeile "
+"angegebenen Werte sowie der Standardwerte des Systems ein neues "
+"Benutzerkonto."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"setzt die UID des Benutzers auf den Wert von <replaceable>UID</replaceable>. "
+"Wurde der Wert nicht angegeben, wird er automatisch ausgewählt."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>KOMMENTAR</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+"irgendeine Zeichenkette, die den Benutzer beschreibt. Dieses Feld wird oft "
+"für den vollständigen Namen des Benutzers verwendet."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_VERZ</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+"das Home-Verzeichnis des Benutzerkontos. Standardmäßig wird der Name für die "
+"<replaceable>ANMELDUNG</replaceable> an <filename>/home</filename> angehängt "
+"und dies dann als Home-Verzeichnis benutzt. Das Basisverzeichnis, das "
+"<replaceable>ANMELDUNG</replaceable> vorangestellt wird, ist über die "
+"Einstellung »user_defaults/baseDirectory« in der »sssd.conf« einstellbar."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>. The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+"die Anmelde-Shell des Benutzers. Voreinstellung ist derzeit <filename>/bin/"
+"bash</filename>. Die Voreinstellung kann über die Einstellung »user_defaults/"
+"defaultShell« in der »sssd.conf« geändert werden."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GRUPPEN</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr "eine Liste existierender Gruppen, denen dieser Benutzer auch angehört"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr "<option>-m</option>,<option>--create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+"erstellt das Home-Verzeichnis des Benutzers, falls es nicht existiert. 
Die "
+"Dateien und Verzeichnisse, die in der Verzeichnisvorlage (die mit der Option "
+"-k oder in der Konfigurationsdatei definiert werden kann) enthalten sind, "
+"werden in das Home-Verzeichnis kopiert."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr "<option>-M</option>,<option>--no-create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+"erstellt nicht das Home-Verzeichnis des Benutzers und setzt "
+"Konfigurationseinstellungen außer Kraft."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKEL-VERZ</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+"die Verzeichnisvorlage mit Dateien und Verzeichnissen, die in das durch "
+"<command>sss_useradd</command> neu erstellte Home-Verzeichnis des Benutzers "
+"kopiert werden."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"Special files (block devices, character devices, named pipes and unix "
+"sockets) will not be copied."
+msgstr ""
+"Spezialdateien (block- und zeichenorientierte Geräte, benannte Pipes und "
+"Unix-Sockets) werden nicht kopiert."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:147
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+"Diese Option ist nur gültig, falls die Option <option>-m</option> (oder "
+"<option>--create-home</option>) angegeben wurde oder das Erstellen von Home-"
+"Verzeichnissen in der Konfiguration auf »TRUE« gesetzt ist."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_BENUTZER</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:161
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+"der SELinux-Benutzer für die Anmeldung des Benutzers. Ist er nicht "
+"angegeben, wird die Voreinstellung des Systems benutzt."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr "sssd-krb5"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-krb5.5.xml:17
+msgid "SSSD Kerberos provider"
+msgstr "SSSD Kerberos-Anbieter"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+"Diese Handbuchseite beschreibt die Konfiguration des Authentifizierungs-"
+"Backends Kerberos 5 für <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Eine ausführliche Syntax-Referenz "
+"finden Sie im Abschnitt »DATEIFORMAT« der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with an identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+"Das Authentifizierungs-Backend Kerberos 5 enthält Authentifizierungs- und "
+"Chpass-Anbieter. Es muss mit einem Identitätsanbieter verbunden werden, "
+"damit es sauber läuft (zum Beispiel »id_provider = ldap«). Einige vom "
+"Kerberos-5-Authentifizierungs-Backend benötigten Informationen wie der "
+"»Kerberos Principal Name« (UPN) des Benutzers müssen durch den "
+"Identitätsanbieter bereitgestellt werden. Die Konfiguration des "
+"Identitätsanbieters sollte einen Eintrag haben, der den UPN angibt. "
+"Einzelheiten, wie dies konfiguriert wird, finden Sie in der Handbuchseite "
+"des entsprechenden Identitätsanbieters."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature, use 'access_provider = krb5' in your SSSD "
+"configuration."
+msgstr ""
+"Dieses Backend stellt ebenso eine Zugriffssteuerung bereit, die auf der "
+"Datei .k5login im Home-Verzeichnis des Benutzers basiert. Weitere "
+"Einzelheiten finden Sie unter <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Bitte beachten Sie, "
+"dass eine leere .k5login-Datei jegliche Zugriffe durch diesen Benutzer "
+"verbietet. Verwenden Sie »access_provider = krb5« in Ihrer SSSD-"
+"Konfiguration, um diese Funktionalität zu aktivieren."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend, "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+"Im Fall, dass UPN nicht im Identitäts-Backend verfügbar ist, wird "
+"<command>sssd</command> mittels des Formats <replaceable>Benutzername</"
+"replaceable>@<replaceable>Krb5_Realm</replaceable> einen UPN konstruieren."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect, in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. 
An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled; for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"gibt eine durch Kommata getrennte Liste von IP-Adressen oder Rechnernamen "
+"der Kerberos-Server in der Reihenfolge an, in der sich SSSD mit ihnen "
+"verbinden soll. Weitere Informationen über Ausfallsicherung und Redundanz "
+"finden Sie im Abschnitt »AUSFALLSICHERUNG«. An die Adressen oder "
+"Rechnernamen kann eine optionale Portnummer (der ein Doppelpunkt "
+"vorangestellt ist) angehängt werden. Falls dies leer gelassen wurde, wird "
+"die Dienstsuche aktiviert. Weitere Informationen finden Sie im Abschnitt "
+"»DIENSTSUCHE«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+"der Name des Kerberos-Realms. Diese Option wird benötigt und muss angegeben "
+"werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+msgstr "krb5_kpasswd, krb5_backup_kpasswd (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC, alternative "
+"servers can be defined here. An optional port number (preceded by a colon) "
+"may be appended to the addresses or hostnames."
+msgstr ""
+"Falls der Dienst zum Ändern von Passwörtern auf der "
+"Schlüsselverwaltungszentrale (KDC) nicht läuft, können hier alternative "
+"Server definiert werden. An die Adressen oder Rechnernamen kann eine "
+"optionale Portnummer (der ein Doppelpunkt vorangestellt ist) angehängt "
+"werden."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
+"servers to try, the backend is not switched to operate offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+"Weitere Informationen über Ausfallsicherung und Redundanz finden Sie im "
+"Abschnitt »AUSFALLSICHERUNG«. HINWEIS: Selbst wenn es keine weiteren "
+"»kpasswd«-Server mehr auszuprobieren gibt, wird das Backend nicht offline "
+"gehen, da eine Authentifizierung gegen die Schlüsselverwaltungszentrale "
+"(KDC) immer noch möglich ist."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr "Voreinstellung: KDC benutzen"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr "krb5_ccachedir (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. The directory "
+"is created as private and owned by the user, with permissions set to 0700."
+msgstr ""
+"Das Verzeichnis zum Ablegen von Anmeldedaten-Zwischenspeichern. Alle "
+"Ersetzungssequenzen von krb5_ccname_template können hier auch verwendet "
+"werden, außer %d und %P. Das Verzeichnis wird als privat angelegt und ist "
+"Eigentum des Benutzers. Die Zugriffsrechte werden auf 0700 gesetzt."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:145
+msgid "Default: /tmp"
+msgstr "Voreinstellung: /tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:151
+msgid "krb5_ccname_template (string)"
+msgstr "krb5_ccname_template (Zeichenkette)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+msgid "%u"
+msgstr "%u"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+msgid "login name"
+msgstr "Anmeldename"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+msgid "%U"
+msgstr "%U"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:170
+msgid "login UID"
+msgstr "Anmelde-UID"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:173
+msgid "%p"
+msgstr "%p"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:174
+msgid "principal name"
+msgstr "Principal-Name"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:178
+msgid "%r"
+msgstr "%r"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:179
+msgid "realm name"
+msgstr "Realm-Name"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:182
+msgid "%h"
+msgstr "%h"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+msgid "home directory"
+msgstr "Home-Verzeichnis"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+msgid "%d"
+msgstr "%d"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:188
+msgid "value of krb5_ccachedir"
+msgstr "Wert von krb5_ccachedir"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+msgid "%P"
+msgstr "%P"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:194
+msgid "the process ID of the SSSD client"
+msgstr "die Prozess-ID des SSSD-Clients"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+msgid "%%"
+msgstr "%%"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+msgid "a literal '%'"
+msgstr "ein buchstäbliches »%«"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:154
+msgid ""
+"Location of the user's credential cache. Three credential cache types are "
+"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
+"<quote>KEYRING:persistent</quote>. 
The cache can be specified either as "
+"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
+"implies the <quote>FILE</quote> type. In the template, the following "
+"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
+"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+"filename in a safe way."
+msgstr ""
+"Der Ort für die Zwischenspeicherung der Anmeldedaten des Benutzers. Drei "
+"Zwischenspeichertypen werden derzeit unterstützt: <quote>FILE</quote>, "
+"<quote>DIR</quote> und <quote>KEYRING:persistent</quote>. Der "
+"Zwischenspeicher kann entweder als <replaceable>TYP:REST</replaceable> oder "
+"als absoluter Pfad angegeben werden, wobei Letzteres den Typ <quote>FILE</"
+"quote> beinhaltet. In der Schablone werden die folgenden Sequenzen ersetzt: "
+"<placeholder type=\"variablelist\" id=\"0\"/> Falls die Vorlage mit »XXXXXX« "
+"endet, wird mkstemp(3) verwendet, um auf sichere Weise einen eindeutigen "
+"Dateinamen zu erzeugen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:208
+msgid ""
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
+"persistent:%U</quote>, which uses the Linux kernel keyring to store "
+"credentials on a per-UID basis. This is also the recommended choice, as it "
+"is the most secure and predictable method."
+msgstr ""
+"Wenn der KEYRING-Typ verwendet wird, ist <quote>KEYRING:persistent:%U</"
+"quote> der einzige unterstützte Mechanismus. Hierfür wird der Schlüsselbund "
+"des Linux-Kernels zum Speichern der Anmeldedaten getrennt nach Benutzer-IDs "
+"verwendet. Dies wird auch empfohlen, da es die sicherste und "
+"vorausberechenbarste Methode ist."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:216
+msgid ""
+"The default value for the credential cache name is sourced from the profile "
+"stored in the system wide krb5.conf configuration file in the [libdefaults] "
+"section. The option name is default_ccache_name. See krb5.conf(5)'s "
+"PARAMETER EXPANSION paragraph for additional information on the expansion "
+"format defined by krb5.conf."
+msgstr ""
+"Der Vorgabewert für den Anmeldedaten-Zwischenspeicher wird aus dem im "
+"Abschnitt [libdefaults] der Datei krb5.conf enthaltenen Profil der "
+"systemweiten Konfiguration bezogen. Der Name der Option ist "
+"default_ccache_name. Im Abschnitt PARAMETER EXPANSION der Handbuchseite zu "
+"krb5.conf(5) finden Sie zusätzliche Informationen zu dem in krb5.conf "
+"definierten Format."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:225
+msgid ""
+"NOTE: Please be aware that libkrb5 ccache expansion template from "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> uses different expansion sequences than SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:234
+msgid "Default: (from libkrb5)"
+msgstr "Voreinstellung: (aus libkrb5)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:240
+msgid "krb5_auth_timeout (integer)"
+msgstr "krb5_auth_timeout (Ganzzahl)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:243
+msgid ""
+"Timeout in seconds after an online authentication request or change password "
+"request is aborted. If possible, the authentication request is continued "
+"offline."
+msgstr ""
+"Zeitüberschreitung in Sekunden, nach der eine Online-Anfrage zur "
+"Authentifizierung oder Passwortänderung gescheitert ist. Falls möglich, wird "
+"die Authentifizierung offline fortgesetzt."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed. The keytab is checked for entries sequentially, and the first entry "
+"with a matching realm is used for validation. If no entry matches the realm, "
+"the last entry in the keytab is used. This process can be used to validate "
+"environments using cross-realm trust by placing the appropriate keytab entry "
+"as the last entry or the only entry in the keytab file."
+msgstr ""
+"prüft mit Hilfe von »krb5_keytab«, ob das erhaltene TGT keine Täuschung ist. "
+"Die Einträge der Keytab werden der Reihe nach kontrolliert und der erste "
+"Eintrag mit einem passenden Realm wird für die Überprüfung benutzt. Falls "
+"keine Einträge dem Realm entsprechen, wird der letzte Eintrag der Keytab "
+"verwendet. Dieser Prozess kann zur Überprüfung von Umgebungen mittels Realm-"
+"übergreifendem Vertrauen benutzt werden, indem der dazugehörige Keytab-"
+"Eintrag als letzter oder einziger Eintrag in der Keytab-Datei abgelegt wird."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:272
+msgid "krb5_keytab (string)"
+msgstr "krb5_keytab (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:275
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+"der Speicherort der Keytab, der bei der Überprüfung von Berechtigungen "
+"benutzt wird, die von Schlüsselverwaltungszentralen (KDCs) stammen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:279
+msgid "Default: /etc/krb5.keytab"
+msgstr "Voreinstellung: /etc/krb5.keytab"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:285
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr "krb5_store_password_if_offline (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:288
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider comes online again."
+msgstr ""
+"speichert das Passwort des Benutzers, falls der Anbieter offline ist, und "
+"benutzt es zur Abfrage des TGTs, wenn der Anbieter wieder online geht."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:293
+msgid ""
+"NOTE: this feature is only available on Linux. Passwords stored in this way "
+"are kept in plaintext in the kernel keyring and are potentially accessible "
+"by the root user (with difficulty)."
+msgstr ""
+"HINWEIS: Diese Funktionalität ist nur auf Linux verfügbar. Passwörter, die "
+"auf diese Weise gespeichert wurden, werden im Klartext im Schlüsselbund des "
+"Kernels aufbewahrt. Darauf kann unter Umständen (mit Mühe) durch den "
+"Benutzer Root zugegriffen werden."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:306
+msgid "krb5_renewable_lifetime (string)"
+msgstr "krb5_renewable_lifetime (Zeichenkette)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:309
+msgid ""
+"Request a renewable ticket with a total lifetime, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+"fordert ein erneuerbares Ticket mit einer Gesamtlebensdauer an. Es wird als "
+"Ganzzahl, der direkt eine Zeiteinheit folgt, angegeben:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
+msgid "<emphasis>s</emphasis> for seconds"
+msgstr "<emphasis>s</emphasis> für Sekunden"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
+msgid "<emphasis>m</emphasis> for minutes"
+msgstr "<emphasis>m</emphasis> für Minuten"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
+msgid "<emphasis>h</emphasis> for hours"
+msgstr "<emphasis>h</emphasis> für Stunden"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
+msgid "<emphasis>d</emphasis> for days."
+msgstr "<emphasis>d</emphasis> für Tage"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397
+msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
+msgstr ""
+"Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401
+msgid ""
+"NOTE: It is not possible to mix units. 
To set the renewable lifetime to one "
+"and a half hours, use '90m' instead of '1h30m'."
+msgstr ""
+"HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die erneuerbare "
+"Lebensdauer auf eineinhalb Stunden zu setzen, verwenden Sie »90m« statt "
+"»1h30m«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr "Voreinstellung: nicht gesetzt, d.h. das TGT ist nicht erneuerbar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:341
+msgid "krb5_lifetime (string)"
+msgstr "krb5_lifetime (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:344
+msgid ""
+"Request ticket with a lifetime, given as an integer immediately followed by "
+"a time unit:"
+msgstr ""
+"Anforderungsticket mit einer Lebensdauer, angegeben als Ganzzahl, der direkt "
+"eine Zeiteinheit folgt:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:360
+msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
+msgstr ""
+"Falls keine Einheit angegeben ist, wird <emphasis>s</emphasis> angenommen."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:364
+msgid ""
+"NOTE: It is not possible to mix units. To set the lifetime to one and a "
+"half hours please use '90m' instead of '1h30m'."
+msgstr ""
+"HINWEIS: Es ist nicht möglich, Einheiten zu mixen. Um die Lebensdauer auf "
+"eineinhalb Stunden zu setzen, verwenden Sie »90m« statt »1h30m«."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:369
+msgid ""
+"Default: not set, i.e. 
the default ticket lifetime configured on the KDC."
+msgstr ""
+"Voreinstellung: nicht gesetzt, d.h. die Standardlebenszeit des Tickets auf "
+"der Schlüsselverwaltungszentrale (KDC)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:376
+msgid "krb5_renew_interval (string)"
+msgstr "krb5_renew_interval (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:379
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+"die Zeit in Sekunden zwischen zwei Prüfungen, ob das TGT erneuert werden "
+"soll. TGTs werden erneuert, wenn ungefähr die Hälfte ihrer Lebensdauer "
+"überschritten ist. Sie wird als Ganzzahl, der unmittelbar eine Zeiteinheit "
+"folgt, angegeben:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:406
+msgid "If this option is not set or is 0 the automatic renewal is disabled."
+msgstr ""
+"Falls diese Option nicht oder auf 0 gesetzt ist, wird die automatische "
+"Erneuerung deaktiviert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Schaltet das flexible Authentifizierungs-Sicherheits-Tunneln (FAST) für die "
+"Vorauthentifizierung von Kerberos ein. Die folgenden Optionen werden "
+"unterstützt:"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:424
+msgid ""
+"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
+"option at all."
+msgstr ""
+"<emphasis>never</emphasis>: FAST wird nie benutzt. Dies ist so, als ob diese "
+"Einstellung gar nicht gemacht würde."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:428
+msgid ""
+"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
+"continue the authentication without it."
+msgstr ""
+"<emphasis>try</emphasis>: Es wird versucht, FAST zu benutzen. Falls der "
+"Server kein FAST unterstützt, fährt die Authentifizierung ohne fort."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+"<emphasis>demand</emphasis>: Fragt nach, ob FAST benutzt werden soll. Die "
+"Authentifizierung schlägt fehl, falls der Server kein FAST erfordert."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:438
+msgid "Default: not set, i.e. FAST is not used."
+msgstr "Voreinstellung: nicht gesetzt, d.h. FAST wird nicht benutzt"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:441
+msgid "NOTE: a keytab is required to use FAST."
+msgstr "HINWEIS: Zur Benutzung von FAST ist eine Keytab erforderlich."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. 
If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+"HINWEIS: SSSD unterstützt FAST nur mit MIT-Kerberos-Version 1.8 und neuer. "
+"Falls SSSD mit einer älteren Version von MIT-Kerberos benutzt wird, ist die "
+"Verwendung dieser Option ein Konfigurationsfehler."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:453
+msgid "krb5_fast_principal (string)"
+msgstr "krb5_fast_principal (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:456
+msgid "Specifies the server principal to use for FAST."
+msgstr "gibt den Server-Principal zur Benutzung von FAST an."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:465
+msgid ""
+"Specifies if the host and user principal should be canonicalized. This "
+"feature is available with MIT Kerberos 1.7 and later versions."
+msgstr ""
+"gibt an, ob der Rechner und User-Principal in die kanonische Form gebracht "
+"werden sollen. Diese Funktionalität ist mit MIT-Kerberos 1.7 und neueren "
+"Versionen verfügbar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr "krb5_use_enterprise_principal (Boolesch)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+"gibt an, ob der User Principal als Enterprise Principal betrachtet werden "
+"soll. Weitere Informationen über Enterprise Principals finden Sie in "
+"Abschnitt 5 von RFC 6806."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:514
+msgid "Default: false (AD provider: true)"
+msgstr "Voreinstellung: falsch (AD-Anbieter: wahr)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:517
+msgid ""
+"The IPA provider will set to option to 'true' if it detects that the server "
+"is capable of handling enterprise principals and the option is not set "
+"explicitly in the config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:526
+msgid "krb5_map_user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:529
+msgid ""
+"The list of mappings is given as a comma-separated list of pairs "
+"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+"name and <quote>primary</quote> is a user part of a kerberos principal. This "
+"mapping is used when user is authenticating using <quote>auth_provider = "
+"krb5</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-krb5.5.xml:541
+#, no-wrap
+msgid ""
+"krb5_realm = REALM\n"
+"krb5_map_user = joe:juser,dick:richard\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:546
+msgid ""
+"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will "
+"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</"
+"quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in an SSSD domain, the following options "
+"must be used. See the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section "
+"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Falls das Authentifizierungsmodul Krb5 in einer SSSD-Domain benutzt wird, "
+"müssen die folgenden Optionen verwendet werden. Einzelheiten über die "
+"Konfiguration einer SSSD-Domain finden Sie im Abschnitt »DOMAIN-ABSCHNITTE« "
+"der Handbuchseite <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:572
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication; it does not "
+"include any identity provider."
+msgstr ""
+"Das folgende Beispiel geht davon aus, dass SSSD korrekt konfiguriert wurde "
+"und FOO eine der Domains im Abschnitt <replaceable>[sssd]</replaceable> ist. "
+"Dieses Beispiel zeigt nur die Authentifizierung mit Kerberos, sie umfasst "
+"keine Identitätsanbieter."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:580
+#, no-wrap
+msgid ""
+"[domain/FOO]\n"
+"auth_provider = krb5\n"
+"krb5_server = 192.168.1.1\n"
+"krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr "sss_groupadd"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr "erstellt eine neue Gruppe"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+"<command>sss_groupadd</command> erstellt eine neue Gruppe. Diese Gruppen "
+"sind kompatibel mit POSIX-Gruppen mit der zusätzlichen Funktionalität, dass "
+"sie andere Gruppen als Mitglieder enthalten können."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43 sss_seed.8.xml:88
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"setzt die GID der Gruppe auf den Wert von <replaceable>GID</replaceable>. "
+"Wurde der Wert nicht angegeben, wird er automatisch ausgewählt."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr "sss_userdel"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr "löscht ein Benutzerkonto"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+"<command>sss_userdel</command> löscht einen Benutzer, der durch den "
+"Anmeldenamen <replaceable>ANMELDUNG</replaceable> vom System erkannt wird."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr "<option>-r</option>,<option>--remove</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+"Dateien im Home-Verzeichnis des Benutzers werden zusammen mit dem Home-"
+"Verzeichnis selbst und der Mail-Warteschlange des Benutzers entfernt. Dies "
+"setzt die Konfiguration außer Kraft."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr "<option>-R</option>,<option>--no-remove</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+"Dateien im Home-Verzeichnis des Benutzers werden NICHT zusammen mit dem Home-"
+"Verzeichnis selbst und der Mail-Warteschlange des Benutzers entfernt. Dies "
+"setzt die Konfiguration außer Kraft."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr "<option>-f</option>,<option>--force</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+"Diese Option erzwingt, dass <command>sss_userdel</command> das Home-"
+"Verzeichnis des Benutzers und die Mail-Warteschlange sogar dann entfernt, "
+"wenn sie dem angegebenen Nutzer nicht gehören."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr "<option>-k</option>,<option>--kick</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+"beendet, bevor der Benutzer tatsächlich gelöscht wird, alle seine Prozesse."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr "sss_groupdel"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr "löscht eine Gruppe"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+"<command>sss_groupdel</command> löscht eine Gruppe namens "
+"<replaceable>GRUPPE</replaceable> vom System."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr "sss_groupshow"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr "gibt die Eigenschaften einer Gruppe aus."
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUPPE</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. 
The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+"<command>sss_groupshow</command> zeigt Informationen über eine Gruppe namens "
+"<replaceable>GRUPPE</replaceable> an. Die Informationen umfassen die Gruppen-"
+"ID-Nummer, Mitglieder der Gruppe, sowie die übergeordnete Gruppe."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr "<option>-R</option>,<option>--recursive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy. Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+"gibtt auch indirekte Gruppenmitglieder in einer baumartigen Hierarchie aus. "
+"Beachten Sie, dass dies auch die Ausgabe der übergeordneten Gruppen "
+"beeinflusst – ohne <option>R</option> werden nur die unmittelbar "
+"übergeordneten Gruppen ausgegeben."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr "sss_usermod"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr "ändert ein Benutzerkonto"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>Optionen</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ANMELDUNG</"
+"replaceable></arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+"<command>sss_usermod</command> ändert das durch <replaceable>ANMELDUNG</"
+"replaceable> angegebene Konto, damit es die auf der Befehlszeile angegebenen "
+"Änderungen widerzuspiegelt."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr "das Home-Verzeichnis des Benutzerkontos"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr "die Anmelde-Shell des Benutzers"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+"hängt diesen Benutzer an die Gruppen an, die durch den Parameter "
+"<replaceable>GRUPPEN</replaceable> angegeben werden. Der Parameter "
+"<replaceable>GRUPPEN</replaceable> ist eine durch Kommata getrennte Liste "
+"von Gruppennamen."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+"entfernt diesen Benutzer aus Gruppen, die durch den Parameter "
+"<replaceable>GRUPPEN</replaceable> angegeben werden."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr "<option>-l</option>,<option>--lock</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+"sperrt das Benutzerkonto. Der Benutzer wird sich nicht anmelden können."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr "<option>-u</option>,<option>--unlock</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr "entsperrt das Benutzerkonto."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr "der SELinux-Benutzer für die Anmeldung des Anwenders"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:135
+msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr "<option>--addattr</option> <replaceable>ATTR_NAME_WERT</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:140
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Ein Attribut/Wert-Paar hinzufügen. Das Format ist Attributname=Wert."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:147
+msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr "<option>--setattr</option> <replaceable>ATTR_NAME_WERT</replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" +"Ein Attribut auf ein Name/Wert-Paar setzen. Das Format ist " +"Attributname=Wert. Bei Attributen mit mehreren Werten ersetzt der Befehl die " +"bereits vorhandenen Werte." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--delattr</option> <replaceable>ATTR_NAME_WERT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "Ein Attribut/Wert-Paar löschen. Das Format ist Attributname=Wert." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "führt eine Bereinigung des Zwischenspeichers durch." + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. 
Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>Anmeldung</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "annulliert einen bestimmten Benutzer." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" +"annulliert alle Benutzerdatensätze. Diese Option setzt das Annullieren " +"bestimmter Benutzer außer Kraft, falls es ebenfalls gesetzt war." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>Gruppe</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "annulliert eine bestimmte Gruppe." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" +"annulliert alle Gruppendatensätze. Diese Option setzt das Annullieren " +"bestimmter Gruppen außer Kraft, falls es ebenfalls gesetzt war." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>Netzgruppe</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "annulliert eine bestimmte Netzgruppe." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" +"annulliert alle Netzgruppendatensätze. Diese Option setzt das Annullieren " +"bestimmter Netzgruppen außer Kraft, falls es ebenfalls gesetzt war." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>Dienst</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "annulliert einen bestimmten Dienst." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" +"annulliert alle Dienstdatensätze. Diese Option setzt das Annullieren " +"bestimmter Dienste außer Kraft, falls es ebenfalls gesetzt war." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>Autofs-" +"Abbildung</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "annulliert eine bestimmte Autofs-Abbildung." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" +"annulliert alle Autofs-Abbildungen. Diese Option setzt das Annullieren " +"bestimmter Abbildungen außer Kraft, falls es ebenfalls gesetzt war." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>Domain</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "begrenzt den Annullierungsprozess auf eine bestimmte Domain." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEUE_DEBUG_STUFE</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "füllt den SSSD-Zwischenspeicher mit einem Benutzer" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>Optionen</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>BENUTZER</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" +"<command>sss_seed</command> füllt den SSSD-Zwischenspeicher mit einem " +"Benutzereintrag und einem temporären Passwort. Falls bereits ein " +"Benutzereintrag im SSSD-Zwischenspeicher vorhanden ist, wird der Eintrag mit " +"dem temporären Passwort aktualisiert." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. 
The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"stellt den Namen der Doamin bereit, in der der Benutzer Mitglied ist. Die " +"Domain wird auch zur Abfrage von Benutzerinformationen verwendet. Sie muss " +"in der »sssd.conf« konfiguriert sein. Die Option <replaceable>DOMAIN</" +"replaceable> muss bereitgestellt werden. Von der Domain geholte " +"Informationen setzen das, was in den Optionen bereitgestellt wurde, außer " +"Kraft." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>BENUTZER</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" +"der Benutzername des Eintrags, der im Zwischenspeicher erstellt oder " +"verändert werden soll. Die Option <replaceable>BENUTZER</replaceable> muss " +"bereitgestellt werden." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "setzt die UID des Benutzers auf <replaceable>UID</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "setzt die GID des Benutzers auf <replaceable>GID</replaceable>." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" +"setzt das Home-Verzeichnis des Benutzers auf <replaceable>HOME_VERZ</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" +"setzt die Anmelde-Shell des Benutzers auf <replaceable>SHELL</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" +"interaktiver Modus zur Eingabe von Benutzerinformationen. Diese Option wird " +"nur nach Informationen fragen, die nicht von den Optionen bereitgestellt " +"oder in der Domain geholt werden." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>PASSWORTDATEI</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" +"gibt die Datei an, aus der das Passwort des Benutzers gelesen wird (ist es " +"nicht angegeben, wird nach dem Passwort gefragt)." + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" +"Die Länge des Passworts (oder die Größe der mit der Option -p oder --" +"password-file angegebenen Datei) muss kleiner oder gleich PASS_MAX Byte sein " +"(64 Byte auf Systemen ohne global definiertem Wert für PASS_MAX)." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "sssd-ifp" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "SSSD InfoPipe-Responder" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Diese Handbuchseite beschreibt die Konfiguration des InfoPipe-Responders für " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Eine detaillierte Syntaxreferenz finden Sie im Abschnitt " +"<quote>DATEIFORMAT</quote> in der Handbuchseite zu <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. 
The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" +"Der InfoPipe-Responder stellt eine öffentliche D-Bus-Schnittstelle bereit, " +"auf die über den Systembus zugegriffen werden kann. Die Schnittstelle " +"ermöglicht die Abfrage von Informationen zu entfernten Benutzern und Gruppen " +"über den Systembus." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" +"Diese Optionen können zur Konfiguration des InfoPipe-Responders verwendet " +"werden." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" +"Gibt eine durch Kommata getrennte Liste der Benutzer-ID-Werte oder " +"Benutzernamen an, denen der Zugriff auf den InfoPipe-Responder erlaubt ist. " +"Benutzernamen werden beim Start in Benutzer-IDs aufgelöst." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" +"Voreinstellung: 0 (nur der Benutzer »root« darf auf den InfoPipe-Responder " +"zugreifen)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." 
+msgstr "" +"Beachten Sie, dass trotz der Verwendung der Benutzer-ID 0 als Voreinstellung " +"diese durch die Option überschrieben wird. Falls Sie wollen, dass dem Root-" +"Benutzer der Zugriff auf den InfoPipe-Responder gewährt werden soll, was der " +"typische Fall ist, müssen Sie 0 ebenfalls zur Liste der erlaubten Benutzer-" +"IDs hinzufügen." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" +"Gibt eine durch Kommata getrennte Liste der auf die weiße (erlaubt) " +"beziehungsweise schwarze Liste (blockiert) gesetzten Attribute an." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "Anmeldename des Benutzers" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "Benutzer-ID" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "primäre Gruppen-ID" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "Benutzerinformation, typischerweise der vollständige Name" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "Benutzershell" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" +"In der Voreinstellung erlaubt der InfoPipe-Responder nur die Abfrage des " +"Standardsatzes an POSIX-Attributen. Dieser Satz ist der gleiche, wie er von " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> zurückgegeben wird und enthält Folgendes: " +"<placeholder type=\"variablelist\" id=\"0\"/>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Es ist möglich, ein weiteres Attribut zu diesem Satz hinzuzufügen, indem Sie " +"<quote>+attr_name</quote> verwenden. Explizit entfernen lässt sich ein " +"Attribut mit <quote>-attr_name</quote>. Um beispielsweise " +"<quote>telephoneNumber</quote> zu erlauben, aber <quote>loginShell</quote> " +"abzuweisen, können Sie folgende Konfiguration verwenden: <placeholder type=" +"\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" +"Voreinstellung: Nicht gesetzt. Nur der Standardsatz an POSIX-Attributen ist " +"erlaubt." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "SIEHE AUCH" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "holt autorisierte OpenSSH-Schlüssel" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>Optionen</replaceable> </arg> <arg " +"choice='plain'><replaceable>BENUTZER</replaceable></arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+"<command>sss_ssh_authorizedkeys</command> beschafft öffentliche SSH-"
+"Schlüssel für den Anwender <replaceable>BENUTZER</replaceable> und gibt sie "
+"im OpenSSH-Format »authorized_keys« aus (weitere Informationen finden Sie im "
+"Abschnitt »AUTHORIZED_KEYS-DATEIFORMAT« von "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry>)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "p11_child_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+msgid "certificate_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+"Weitere Einzelheiten finden Sie in der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> beim Parameter »dns_discovery_domain«."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys. When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+"sucht nach öffentlichen Schlüsseln von Benutzern in der SSSD-Domain "
+"<replaceable>DOMAIN</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr "EXIT-STATUS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+"Im Erfolgsfall ist der Rückgabewert 0, andernfalls wird 1 zurückgegeben."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr "sss_ssh_knownhostsproxy"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr "holt OpenSSH-Rechnerschlüssel"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>Optionen</replaceable> </arg> <arg "
+"choice='plain'><replaceable>RECHNER</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_BEFEHL</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+"Falls ein <replaceable>PROXY_BEFEHL</replaceable> angegeben wurde, wird er "
+"zum Erstellen der Verbindung mit dem Rechner benutzt, anstatt ein Socket zu "
+"öffnen."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> kann durch Verwendung der folgenden Richtlinien für die "
+"Konfiguration von <citerefentry><refentrytitle>ssh</refentrytitle> "
+"<manvolnum>1</manvolnum></citerefentry> so eingerichtet werden, dass es "
+"<command>sss_ssh_knownhostsproxy</command> zur Authentifizierung des "
+"Rechnerschlüssels benutzt: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+"benutzt Port <replaceable>PORT</replaceable> zur Verbindung mit dem Rechner. "
+"Standardmäßig wird Port 22 verwendet."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+"sucht in der SSSD-Domain nach <replaceable>DOMAIN</replaceable> öffentlichen "
+"Schlüsseln für den Rechner."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+#, fuzzy
+#| msgid "<option>-U</option>,<option>--users</option>"
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr "<option>-U</option>,<option>--users</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+#, fuzzy
+#| msgid ""
+#| "Search for host public keys in SSSD domain <replaceable>DOMAIN</"
+#| "replaceable>."
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr ""
+"sucht in der SSSD-Domain nach <replaceable>DOMAIN</replaceable> öffentlichen "
+"Schlüsseln für den Rechner."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+#, fuzzy
+#| msgid "ldap_access_filter (string)"
+msgid "passwd_files (string)"
+msgstr "ldap_access_filter (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: password"
+msgid "Default: /etc/passwd"
+msgstr "Voreinstellung: password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+#, fuzzy
+#| msgid "ldap_netgroup_triple (string)"
+msgid "group_files (string)"
+msgstr "ldap_netgroup_triple (Zeichenkette)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: nisNetgroup"
+msgid "Default: /etc/group"
+msgstr "Voreinstellung: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+#, fuzzy
+#| msgid ""
+#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page for details on the configuration of an SSSD "
+#| "domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Einzelheiten über die Konfiguration einer SSSD-Domain finden Sie im "
+"Abschnitt »DOMAIN-ABSCHNITTE« der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234
+#, no-wrap
+msgid ""
+"entry_type:int\n"
+"filter_type:int\n"
+"filter_value:string\n"
+"extra_value:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:227
+msgid "probe sdap_acct_req_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:230
+msgid "Probes the sdap_acct_req_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:246
+msgid "LDAP User Search Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:250
+msgid "probe sdap_search_user_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:253
+msgid "Probes the sdap_search_user_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281
+#: sssd-systemtap.5.xml:293
+#, no-wrap
+msgid ""
+"filter:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:262
+msgid "probe sdap_search_user_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:265
+msgid "Probes the sdap_search_user_recv() function."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:274
+msgid "probe sdap_search_user_save_begin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:277
+msgid "Probes the sdap_search_user_save_begin() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:286
+msgid "probe sdap_search_user_save_end"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:289
+msgid "Probes the sdap_search_user_save_end() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:302
+msgid "Data Provider Request Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:306
+msgid "probe dp_req_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:309
+msgid "A Data Provider request is submitted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:312
+#, no-wrap
+msgid ""
+"dp_req_domain:string\n"
+"dp_req_name:string\n"
+"dp_req_target:int\n"
+"dp_req_method:int\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:320
+msgid "probe dp_req_done"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:323
+msgid "A Data Provider request is completed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:326
+#, no-wrap
+msgid ""
+"dp_req_name:string\n"
+"dp_req_target:int\n"
+"dp_req_method:int\n"
+"dp_ret:int\n"
+"dp_errorstr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:339
+msgid "MISCELLANEOUS FUNCTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:346
+msgid "function acct_req_desc(entry_type)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:349
+msgid "Convert entry_type to string and return string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:354
+msgid ""
+"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
+"filter_value, extra_value)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:358
+msgid "Create probe string based on filter type"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:363
+msgid "function dp_target_str(target)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:366
+msgid "Convert target to string and return string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:371
+msgid "function dp_method_str(target)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:374
+msgid "Convert method to string and return string"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr "DIENSTSUCHE"
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query. This feature is "
+"not supported for backup servers."
+msgstr ""
+"Die Dienstsuchfunktionalität ermöglicht es Backends, automatisch mit Hilfe "
+"einer speziellen DNS-Abfrage geeignete Server zu suchen, mit denen sie sich "
+"verbinden können. Diese Funktionalität wird nicht für Datensicherungs-Server "
+"unterstützt."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99
+msgid "Configuration"
+msgstr "Konfiguration"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+"Falls keine Server angegeben wurden, benutzt das Backend die Dienstsuche, um "
+"einen Server zu finden. Wahlweise kann der Benutzer sowohl feste Server-"
+"Adressen als auch die Dienstsuche durch Eingabe des speziellen "
+"Schlüsselworts »_srv_« in der Server-Liste auswählen. Die bevorzugte "
+"Reihenfolge wird verwaltet. 
Diese Funktionalität ist zum Beispiel nützlich, "
+"falls der Anwender es vorzieht, die Dienstsuche zu verwenden, wann immer "
+"dies möglich ist, und auf einen bestimmten Server zurückzugreifen, wenn "
+"mittels DNS keine Server gefunden werden."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr "Der Domain-Name"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+"Weitere Einzelheiten finden Sie in der Handbuchseite <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> beim Parameter »dns_discovery_domain«."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr "Das Protokoll"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+"Die Abfragen geben als Protokoll üblicherweise »_tcp« an. Ausnahmen sind in "
+"der Beschreibung der entsprechenden Option dokumentiert."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr "Siehe auch"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+"Weitere Informationen über den Dienstsuchmechanismus finden Sie in RFC 2782."
+
+#. type: Content of: <refentryinfo>
+#: include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure."
+"io/SSSD/sssd/</orgname>"
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr "AUSFALLSICHERUNG"
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the current server fails."
+msgstr ""
+"Die Ausfallsicherungsfunktionalität ermöglicht es, dass Backends automatisch "
+"auf einen anderen Server wechseln, falls der aktuelle versagt."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr "AUSFALLSICHERUNGSSYNTAX"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+"Die Server werden als durch Kommata getrennte Liste angegeben. Um das Komma "
+"herum ist eine beliebige Anzahl von Leerzeichen erlaubt. Die Server werden "
+"in Reihenfolge der Bevorzugung aufgeführt. Die Liste kann eine beliebige "
+"Anzahl von Servern enthalten."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:16
+msgid ""
+"For each failover-enabled config option, two variants exist: "
+"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is "
+"that servers in the primary list are preferred and backup servers are only "
+"searched if no primary servers can be reached. If a backup server is "
+"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
+"periodically try to reconnect to one of the primary servers. 
If it succeeds, "
+"it will replace the current active (backup) server."
+msgstr ""
+"Von jeder Konfigurationsoption mit aktivierter Ausfallsicherung existieren "
+"zwei Varianten: <emphasis>primary</emphasis> und <emphasis>backup</"
+"emphasis>. Die Idee dahinter ist, dass Server in der Liste »primary« "
+"bevorzugt werden und nur nach »backup«-Servern gesucht wird, falls kein "
+"»primary«-Server erreichbar ist. Falls ein »backup«-Server ausgewählt wird, "
+"wird eine Dauer von 31 Sekunden bis zur Zeitüberschreitung festgelegt. Nach "
+"dieser Zeit wird SSSD periodisch versuchen, sich mit einem der primären "
+"Server zu verbinden. Ist dies erfolgreich, wird es den derzeit aktiven "
+"(»backup«-)Server ersetzen."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:27
+msgid "The Failover Mechanism"
+msgstr "Der Ausfallsicherungsmechanismus"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:29
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service. The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+"Der Ausfallsicherungsmechanismus unterscheidet zwischen einer Maschine und "
+"einem Dienst. Das Backend versucht zuerst, den Rechnernamen der angegebenen "
+"Maschine aufzulösen. Falls dieser Versuch scheitert, wird davon ausgegangen, "
+"dass die Maschine offline ist und sie auch für keinen anderen Dienst zur "
+"Verfügung steht. 
Kann der den Namen erfolgreich aufgelöst werden, versucht "
+"das Backend, sich mit einem Dienst auf dieser Maschine zu verbinden. Ist das "
+"nicht möglich, dann wird nur dieser bestimmte Dienst als offline angesehen "
+"und das Backend wechselt automatisch weiter zum nächsten. Die Maschine wird "
+"weiterhin als online betrachtet und kann immer noch für andere Dienste "
+"herangezogen werden."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:42
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+"Weitere Verbindungsversuche zu Maschinen oder Diensten, die als offline "
+"gekennzeichnet sind, werden erst nach einer angegebenen Zeitspanne "
+"unternommen. Diese ist derzeit hart auf 30 Sekunden codiert."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:47
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+"Falls es weitere Maschinen durchzuprobieren gibt, wechselt das Backend als "
+"Ganzes in den Offline-Modus und versucht dann alle 30 Sekunden, sich erneut "
+"zu verbinden."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:53
+msgid "Failover time outs and tuning"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:55
+msgid ""
+"Resolving a server to connect to can be as simple as running a single DNS "
+"query or can involve several steps, such as finding the correct site or "
+"trying out multiple host names in case some of the configured servers are "
+"not reachable. The more complex scenarios can take some time and SSSD needs "
+"to balance between providing enough time to finish the resolution process "
+"but on the other hand, not trying for too long before falling back to "
+"offline mode. 
If the SSSD debug logs show that the server resolution is "
+"timing out before a live server is contacted, you can consider changing the "
+"time outs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:76
+msgid "dns_resolver_op_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid "How long would SSSD talk to a single DNS server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:86
+msgid "dns_resolver_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:90
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:100
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></"
+"quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr "ID-ABBILDUNG"
+
+#. 
type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+"Die ID-Abbildungsfunktionalität ermöglicht es SSSD, als Client eines Active "
+"Directorys zu agieren, ohne dass Administratoren Benutzerattribute erweitern "
+"müssen, damit POSIX-Attribute für Benutzer- und Gruppenkennzeichner "
+"unterstützt werden."
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between automatically-"
+"assigned and manually-assigned values. If you need to use manually-assigned "
+"values, ALL values must be manually-assigned."
+msgstr ""
+"HINWEIS: Wenn ID-Abbildung aktiviert ist, werden die Attribute »uidNumber« "
+"und »gidNumber« ignoriert. Dies geschieht, um mögliche Konflikte zwischen "
+"automatisch und manuell zugewiesenen Werten zu vermeiden. Falls Sie manuell "
+"zugewiesene Werte benutzen müssen, müssen Sie ALLE Werte manuell zuweisen."
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed. 
It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+"Bitte beachten Sie, dass die Änderung der die ID-Abbildung betreffenden "
+"Konfigurationsoptionen auch die Änderung der Benutzer- und Gruppen-IDs nach "
+"sich zieht. Momentan unterstützt SSSD die Änderung der IDs nicht, daher muss "
+"die Datenbank entfernt werden. Da auch zwischengespeicherte Passwörter in "
+"der Datenbank enthalten sind, sollte diese nur entfernt werden, während die "
+"Authentifizierungsserver erreichbar sind, anderenfalls könnten Benutzer "
+"ausgesperrt werden. Um das Passwort zwischenzuspeichern, muss eine "
+"Authentifizierung ausgeführt werden. Es reicht nicht aus, <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> zum Löschen der Datenbank auszuführen, vielmehr sind folgende "
+"Schritte erforderlich:"
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr "Stellen Sie sicher, dass entfernte Server erreichbar sind."
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr "Stoppen Sie den SSSD-Dienst."
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr "Entfernen Sie die Datenbank."
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr "Starten Sie den SSSD-Dienst."
+
+#. 
type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+"Außerdem ist es ratsam, vorauszuplanen und die ID-Abbildung gründlich zu "
+"testen, da die Änderung der IDs Änderungen anderer Systemeigenschaften nach "
+"sich ziehen könnte, wie die Besitzverhältnisse von Dateien und "
+"Verzeichnissen."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr "Abbildungsalgorithmus"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory. This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+"Active Directory stellt für jedes Benutzer- und Gruppenobjekt im Verzeichnis "
+"eine »objectSID« bereit. Diese »objectSID« kann in Bestandteile zerlegt "
+"werden, die die Active-Directory-Domain-Identität und den relativen "
+"Bezeichner (RID) des Benutzer- oder Gruppenobjekts darstellen."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\"-. Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+"Der ID-Abbildungsalgorithmus von SSSD nimmt einen Bereich verfügbarer UIDs "
+"und teilt sie in gleich große Bestandteile, »Slices« genannt. Jeder Slice "
+"steht für den verfügbaren Speicher einer Active-Directory-Domain."
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that domain. "
+"In order to make this slice-assignment repeatable on different client "
+"machines, we select the slice based on the following algorithm:"
+msgstr ""
+"Wenn ein Benutzer- oder Gruppeneintrag für eine bestimmt Domain zum ersten "
+"Mal vorgefunden wird, reserviert der SSSD einen der verfügbaren Slices für "
+"diese Domain. Um eine Slice-Zuteilung auf verschiedenen Client-Maschinen "
+"wiederholbar zu machen, wählen wir den Slice, der auf dem folgenden "
+"Algorithmus basiert:"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value. We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+"Die Zeichenkette durchläuft den Algorithmus Murmurhash3, um sie in einen 32-"
+"Bit-Hash-Wert umzuwandeln. Dann wird der Betrag dieses Werts mit der "
+"Gesamtzahl verfügbarer Slices genommen, um den Slice auszusuchen."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+"HINWEIS: Es ist möglich, dass Kollisionen zwischen dem Hash und "
+"nachfolgenden Beträgen auftreten. In diesen Situationen werden wir den "
+"nächsten verfügbaren Slice auswählen, aber es ist wahrscheinlich nicht "
+"möglich, den genau gleichen Satz von Slices auf anderen Maschinen zu "
+"reproduzieren (da die Reihenfolge, in der sie vorgefunden werden, ihren "
+"Slice bestimmt). In dieser Situtation wird empfohlen, entweder auf die "
+"Verwendung expliziter POSIX-Attribute in Active Directory zu wechseln (ID-"
+"Abbildung deaktivieren) oder eine Standard-Domain zu konfigurieren, um "
+"sicherzustellen, dass wenigstens eine immer beständig ist. Einzelheiten "
+"finden Sie unter »Konfiguration«."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid ""
+"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr "Minimalkonfiguration (im Abschnitt »[domain/DOMAINNAME]«):"
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr "Fortgeschrittene Konfiguration"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr "ldap_idmap_range_min (Ganzzahl)"
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"gibt die Untergrenze des Bereichs von POSIX-IDs an, der zum Abbilden von "
+"Active-Directory-Benutzern und Gruppen-SIDs benutzt wird."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:127
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>min_id</"
+"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
+msgstr ""
+"HINWEIS: Diese Option unterscheidet sich von »min_id«, wobei »min_id« als "
+"Filter für die Ausgabe von Anfragen an diese Domain agiert, wohingegen diese "
+"Option den Bereich der ID-Zuweisung steuert. Dies ist ein feiner "
+"Unterschied, aber es wäre ein allgemein guter Ratschlag, dass »min_id« "
+"kleiner oder gleich »ldap_idmap_range_min« sein sollte."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+msgid "Default: 200000"
+msgstr "Voreinstellung: 200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:142
+msgid "ldap_idmap_range_max (integer)"
+msgstr "ldap_idmap_range_max (Ganzzahl)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:145
+msgid ""
+"Specifies the upper bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"gibt die Obergrenze des Bereichs von POSIX-IDs an, der zum Abbilden von "
+"Active-Directory-Benutzern und Gruppen-SIDs benutzt wird."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:149
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>max_id</"
+"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
+msgstr ""
+"HINWEIS: Diese Option unterscheidet sich von »max_id« wobei »max_id« als "
+"Filter für die Ausgabe von Anfragen an diese Domain agiert, wohingegen diese "
+"Option den Bereich der ID-Zuweisung steuert. Dies ist ein feiner "
+"Unterschied, aber es wäre ein allgemein guter Ratschlag, dass »max_id« "
+"größer oder gleich »ldap_idmap_range_max« sein sollte."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:159
+msgid "Default: 2000200000"
+msgstr "Voreinstellung: 2000200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:164
+msgid "ldap_idmap_range_size (integer)"
+msgstr "ldap_idmap_range_size (Ganzzahl)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:167
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+"gibt die Anzahl der für jeden Slice verfügbaren IDs an. 
Falls sich die "
+"Bereichsgröße nicht gleichmäßig in die minimalen und maximalen Werte teilen "
+"lässt, werden so viele komplette Slices wie möglich erstellt."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+"HINWEIS: Der Wert dieser Option muss mindestens so groß sein wie die größte "
+"Benutzer-RID, die jemals auf dem Active-Directory-Server verwendet werden "
+"soll. Das Nachschlagen und Anmelden von Benutzern wird scheitern, wenn deren "
+"RIDs größer sind als dieser Wert."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:179
+msgid ""
+"For example, if your most recently-added Active Directory user has "
+"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
+"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:186
+msgid ""
+"It is important to plan ahead for future expansion, as changing this value "
+"will result in changing all of the ID mappings on the system, leading to "
+"users with different local IDs than they previously had."
+msgstr ""
+"Es ist wichtig, für spätere Erweiterungen vorauszuplanen, da die Änderung "
+"dieses Wertes zur Änderung aller ID-Abbildungen des Systems führt. Dadurch "
+"können Benutzer andere lokale IDs als vorher haben."
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:196
+msgid "ldap_idmap_default_domain_sid (string)"
+msgstr "ldap_idmap_default_domain_sid (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:199
+msgid ""
+"Specify the domain SID of the default domain. This will guarantee that this "
+"domain will always be assigned to slice zero in the ID map, bypassing the "
+"murmurhash algorithm described above."
+msgstr ""
+"gibt die Domain-SID der Standard-Domain an. Dies wird sicherstellen, dass "
+"diese Domain immer dem Slice null im ID-Abbild zugeordnet wird. Dabei wird "
+"der oben beschriebene Murmurhash-Algorithmus umgangen."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:210
+msgid "ldap_idmap_default_domain (string)"
+msgstr "ldap_idmap_default_domain (Zeichenkette)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:213
+msgid "Specify the name of the default domain."
+msgstr "gibt den Namen der Standard-Domain an."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:221
+msgid "ldap_idmap_autorid_compat (boolean)"
+msgstr "ldap_idmap_autorid_compat (Boolesch)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:224
+msgid ""
+"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
+"winbind's <quote>idmap_autorid</quote> algorithm."
+msgstr ""
+"ändert das Verhalten des ID-Abbildungsalgorithmus so, dass es dem "
+"Algorithmus »idmap_autorid« von Winbind ähnlicher ist."
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:229
+msgid ""
+"When this option is configured, domains will be allocated starting with "
+"slice zero and increasing monatomically with each additional domain."
+msgstr ""
+"Wenn diese Option konfiguriert wurde, werden Domains beginnend bei Slice "
+"null reserviert und gleichmäßig mit jeder zusätzlichen Domain vergrößert."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:234
+msgid ""
+"NOTE: This algorithm is non-deterministic (it depends on the order that "
+"users and groups are requested). If this mode is required for compatibility "
+"with machines running winbind, it is recommended to also use the "
+"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
+"least one domain is consistently allocated to slice zero."
+msgstr ""
+"HINWEIS: Der Algorithmus ist nicht deterministisch (er hängt von der "
+"Reihenfolge ab, in der Benutzer und Gruppen abgefragt werden). Falls dieser "
+"Modus aus Kompatibilitätsgründen mit Maschinen, die Winbind ausführen, "
+"erforderlich ist, wird empfohlen, auch die Option "
+"»ldap_idmap_default_domain_sid« zu verwenden. Dies soll sicherstellen, dass "
+"mindestens eine Domain beständig für den Slice null reserviert ist."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:249
+msgid "ldap_idmap_helper_table_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:252
+msgid ""
+"Maximal number of secondary slices that is tried when performing mapping "
+"from UNIX id to SID."
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:256
+msgid ""
+"Note: Additional secondary slices might be generated when SID is being "
+"mapped to UNIX id and RID part of SID is out of range for secondary slices "
+"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
+"then no additional secondary slices are generated."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:273
+msgid "Well-Known SIDs"
+msgstr "Bekannte Sicherheits-IDs"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:275
+msgid ""
+"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a "
+"special hardcoded meaning. Since the generic users and groups related to "
+"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no "
+"POSIX IDs are available for those objects."
+msgstr ""
+"SSSD unterstützt das Nachschlagen der Namen sogenannter bekannter "
+"Sicherheits-IDs, die eine spezielle unveränderliche Bedeutung haben. Da "
+"generische Benutzer und Gruppen, die sich auf diese bekannten SIDs beziehen, "
+"keine Entsprechung in einer Linux/UNIX-Umgebung haben, sind für diese "
+"Objekte keine POSIX-IDs verfügbar."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:281
+msgid ""
+"The SID name space is organized in authorities which can be seen as "
+"different domains. The authorities for the Well-Known SIDs are"
+msgstr ""
+"Der SID-Namensraum ist in Autoritäten organisiert, die als unterschiedliche "
+"Domains betrachtet werden können. Die Autoritäten für die bekannten SIDs sind"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:284
+msgid "Null Authority"
+msgstr "Null-Autorität (Null Authority)"
+
+#.
type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:285
+msgid "World Authority"
+msgstr "Weltweit anerkannte Autorität (World Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:286
+msgid "Local Authority"
+msgstr "Lokale Autorität (Local Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:287
+msgid "Creator Authority"
+msgstr "Ersteller-Autorität (Creator Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:288
+msgid "NT Authority"
+msgstr "NT-Autorität (NT Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:289
+msgid "Built-in"
+msgstr "Eingebaut"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:291
+msgid ""
+"The capitalized version of these names are used as domain names when "
+"returning the fully qualified name of a Well-Known SID."
+msgstr ""
+"Die mit großem Anfangsbuchstaben geschriebenen Versionen dieser Namen werden "
+"als Domainnamen verwendet, wenn der voll qualifizierte Name einer bekannten "
+"Sicherheits-ID zurückgegeben wird."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:295
+msgid ""
+"Since some utilities allow to modify SID based access control information "
+"with the help of a name instead of using the SID directly SSSD supports to "
+"look up the SID by the name as well. To avoid collisions only the fully "
+"qualified names can be used to look up Well-Known SIDs.
As a result the "
+"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
+"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
+"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
+"names in <filename>sssd.conf</filename>."
+msgstr ""
+"Da einige Dienstprogramme die Änderung der Sicherheits-ID-basierten "
+"Zugriffskontrollinformationen mit Hilfe des Namens ermöglichen, anstelle die "
+"Sicherheits-ID direkt zu verwenden, unterstützt SSSD die Suche nach der SID "
+"anhand des Namens ebenfalls. Um Überschneidungen zu vermeiden, können nur "
+"voll qualifizierte Namen bei der Suche nach bekannten Sicherheit-IDs "
+"verwendet werden. Daher sollten die Domainnamen <quote>NULL AUTHORITY</"
+"quote>, <quote>WORLD AUTHORITY</quote>, <quote> LOCAL AUTHORITY</quote>, "
+"<quote>CREATOR AUTHORITY</quote>, <quote>NT AUTHORITY</quote> und "
+"<quote>BUILTIN</quote> nicht als Domainnamen in <filename>sssd.conf</"
+"filename> verwendet werden."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-?</option>,<option>--help</option>"
+msgstr "<option>-?</option>,<option>--help</option>"
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7 include/param_help_py.xml:7
+msgid "Display help message and exit."
+msgstr "zeigt den Hilfetext und beendet sich."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help_py.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr "<option>-h</option>,<option>--help</option>"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
+msgid ""
+"SSSD supports two representations for specifying the debug level. The "
+"simplest is to specify a decimal value from 0-9, which represents enabling "
+"that level and all lower-level debug messages.
The more comprehensive option "
+"is to specify a hexadecimal bitmask to enable or disable specific levels "
+"(such as if you wish to suppress a level)."
+msgstr ""
+"SSSD unterstützt zwei Darstellungsmodi für die Angabe der Debug-Stufe. Die "
+"einfachste ist die Angabe eines Dezimalwerts von 0 bis 9, welche die "
+"Aktivierung der Meldungen der entsprechenden Stufe und aller niederer Stufen "
+"bewirkt. Eine umfassendere Option ist die Angabe einer hexadezimalen "
+"Bitmaske, um spezifische Stufen zu aktivieren oder zu deaktivieren (wenn Sie "
+"beispielsweise eine Stufe unterdrücken wollen)."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:10
+msgid ""
+"Please note that each SSSD service logs into its own log file. Also please "
+"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> "
+"section only enables debugging just for the sssd process itself, not for the "
+"responder or provider processes. The <quote>debug_level</quote> parameter "
+"should be added to all sections that you wish to produce debug logs from."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:18
+msgid ""
+"In addition to changing the log level in the config file using the "
+"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD "
+"restart, it is also possible to change the debug level on the fly using the "
+"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry> tool."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
+msgid "Currently supported debug levels:"
+msgstr "derzeit unterstützte Debug-Stufen:"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
+msgid ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures.
" +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Schwerwiegende Fehler. " +"Alles was SSSD am Start hindern oder es beenden könnte." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Ernsthafte Fehler. Dies " +"sind Fehler, bei denen eine bestimmte Anfrage oder Operation fehlgeschlagen " +"ist." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Kleinere Fehler. Dies " +"sind Fehler, die von geringerer Bedeutung als die fehlgeschlagenen " +"Operationen in der Stufe 2 sind." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: " +"Konfigurationseinstellungen." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." 
+msgstr "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Funktionsdaten."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
+msgid ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
+"operation functions."
+msgstr ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Meldungen aus der "
+"Verfolgung von Operationsfunktionen."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
+msgid ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
+"internal control functions."
+msgstr ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Meldungen aus der "
+"Verfolgung interner Kontrollfunktionen."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
+msgid ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
+"internal variables that may be interesting."
+msgstr ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Inhalte "
+"funktionsinterner Variablen, die von Interesse sein könnten."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
+msgid ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
+"tracing information."
+msgstr ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Verfolgungsmeldungen "
+"extrem niederster Ebene."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
+msgid ""
+"To log required bitmask debug levels, simply add their numbers together as "
+"shown in following examples:"
+msgstr ""
+"Um die Debug-Stufen nach Bitmaske zu protokollieren, fügen Sie deren Nummern "
+"hinzu, wie in den folgenden Beispielen gezeigt:"
+
+#.
type: Content of: <listitem><para>
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
+"serious failures and function data use 0x0270."
+msgstr ""
+"<emphasis>Beispiel</emphasis>: Um fatale, kritische, schwerwiegende Fehler "
+"und Funktionsdaten zu protokollieren, benutzen Sie 0x0270."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
+"function data, trace messages for internal control functions use 0x1310."
+msgstr ""
+"<emphasis>Beispiel</emphasis>: Um fatale Fehler, "
+"Konfigurationseinstellungen, Funktionsdaten und Verfolgungsnachrichten für "
+"interne Steuerfunktionen zu protokollieren, benutzen Sie 0x1310."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
+msgid ""
+"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
+"in 1.7.0."
+msgstr ""
+"<emphasis>Hinweis</emphasis>: Das Bitmasken-Format der Debug-Level wurde in "
+"1.7.0 eingeführt."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
+msgid "<emphasis>Default</emphasis>: 0"
+msgstr "<emphasis>Voreinstellung</emphasis>: 0"
+
+#. type: Content of: outside any tag (error?)
+#: include/experimental.xml:1
+msgid ""
+"<emphasis> This is an experimental feature, please use https://pagure.io/"
+"SSSD/sssd/ to report any issues. </emphasis>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/local.xml:2
+msgid "THE LOCAL DOMAIN"
+msgstr "DIE LOKALE DOMAIN"
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:4
+msgid ""
+"In order to function correctly, a domain with <quote>id_provider=local</"
+"quote> must be created and the SSSD must be running."
+msgstr ""
+"Für korrektes Funktionieren muss eine Domain mit »id_provider=local« "
+"erstellt sein und SSSD muss laufen."
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:9
+msgid ""
+"The administrator might want to use the SSSD local users instead of "
+"traditional UNIX users in cases where the group nesting (see <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>) is needed. The local users are also useful for testing and "
+"development of the SSSD without having to deploy a full remote server. The "
+"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
+"local LDB storage to store users and groups."
+msgstr ""
+"Möglicherweise möchte der Administrator in Fällen, in denen "
+"Gruppenverschachtelung (siehe <citerefentry> <refentrytitle>sss_groupadd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>) benötigt wird, "
+"lokale Benutzer anstelle traditioneller UNIX-Benutzer verwenden. Die lokalen "
+"Benutzer sind auch für das Testen und Entwickeln von SSSD nützlich, ohne "
+"dass ein vollständiger ferner Server bereitgestellt werden muss. Die "
+"<command>sss_user*</command>- und <command>sss_group*</command>-Werkzeuge "
+"benutzen einen lokalen LDB-Speicher, um Benutzer und Gruppen abzulegen."
+
+#.
type: Content of: <refsect1><para>
+#: include/seealso.xml:4
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
+"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-"
+"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, "
+"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
+"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> "
+"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> "
+"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> </phrase>"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:3
+msgid ""
+"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
+"for this attribute type."
+msgstr ""
+"ein optionaler Basis-DN, Gültigkeitsbereich für die Suche und LDAP-Filter, "
+"um die LDAP-Suchen für diesen Attributtyp einzuschränken."
+
+#. type: Content of: <listitem><para><programlisting>
+#: include/ldap_search_bases.xml:9
+#, no-wrap
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+msgstr "search_base[?Gültigkeitsbereich?[Filter][?Suchbasis?Gültigkeitsbereich?[Filter]]*]\n"
+
+#.
type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:7
+msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "Syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:13
+msgid ""
+"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope "
+"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/"
+"rfc4511"
+msgstr ""
+"Der Bereich kann entweder »base«, »onlevel« oder »subtree« sein. Die "
+"Bereiche funktionieren wie im Abschnitt 4.5.1.2 auf http://tools.ietf.org/"
+"html/rfc4511 angegeben."
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:23
+msgid ""
+"For examples of this syntax, please refer to the <quote>ldap_search_base</"
+"quote> examples section."
+msgstr ""
+"Beispiele für diese Syntax finden Sie im Beispielabschnitt von "
+"»ldap_search_base«."
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:31
+msgid ""
+"Please note that specifying scope or filter is not supported for searches "
+"against an Active Directory Server that might yield a large number of "
+"results and trigger the Range Retrieval extension in the response."
+msgstr ""
+"Bitte beachten Sie, dass die Angabe von Gültigkeitsbereich oder Filter nicht "
+"beim Suchen auf einem Active-Directory-Server unterstützt wird, der "
+"möglicherweise eine große Anzahl an Ergebnissen zurückliefern und in der "
+"Antwort die Erweiterung »Range Retrieval« auslösen könnte."
+
+#. type: Content of: <para>
+#: include/autofs_restart.xml:2
+msgid ""
+"Please note that the automounter only reads the master map on startup, so if "
+"any autofs-related changes are made to the sssd.conf, you typically also "
+"need to restart the automounter daemon after restarting the SSSD."
+msgstr ""
+"Bitte beachten Sie, dass der Automounter beim Start nur die Master-Abbildung "
+"liest.
Daher müssen Sie normalerweise, falls irgendwelche zu Autofs "
+"gehörigen Änderungen in der »sssd.conf« vorgenommen wurden, den Automounter-"
+"Daemon nach dem SSSD-Neustart ebenfalls neu starten."
+
+#. type: Content of: <varlistentry><term>
+#: include/override_homedir.xml:2
+msgid "override_homedir (string)"
+msgstr "override_homedir (Zeichenkette)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:16
+msgid "UID number"
+msgstr "UID-Nummer"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:20
+msgid "domain name"
+msgstr "Domain-Name"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:23
+msgid "%f"
+msgstr "%f"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:24
+msgid "fully qualified user name (user@domain)"
+msgstr "voll qualifizierter Benutzername (Benutzer@Domain)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:27
+msgid "%l"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:28
+msgid "The first letter of the login name."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:32
+msgid "UPN - User Principal Name (name@REALM)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:35
+msgid "%o"
+msgstr "%o"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:37
+msgid "The original home directory retrieved from the identity provider."
+msgstr "das Original-Home-Verzeichnis, das vom Identitätsanbieter geholt wurde"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:42
+msgid "%H"
+msgstr "%H"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:44
+msgid "The value of configure option <emphasis>homedir_substring</emphasis>."
+msgstr ""
+"Der Wert der Konfigurationsoption <emphasis>homedir_substring</emphasis>."
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:5
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"setzt das Home-Verzeichnis des Benutzers außer Kraft. Sie können entweder "
+"einen absoluten Wert oder eine Schablone bereitstellen. In der Schablone "
+"werden die folgenden Sequenzen ersetzt: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <varlistentry><listitem><para><programlisting>
+#: include/override_homedir.xml:61
+#, no-wrap
+msgid ""
+"override_homedir = /home/%u\n"
+" "
+msgstr ""
+"override_homedir = /home/%u\n"
+" "
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:65
+msgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+"Voreinstellung: nicht gesetzt (SSSD wird den von LDAP geholten Wert benutzen)"
+
+#. type: Content of: <varlistentry><term>
+#: include/homedir_substring.xml:2
+msgid "homedir_substring (string)"
+msgstr "homedir_substring (Zeichenkette)"
+
+#.
type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:5
+msgid ""
+"The value of this option will be used in the expansion of the "
+"<emphasis>override_homedir</emphasis> option if the template contains the "
+"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly "
+"contain this template so that this option can be used to expand the home "
+"directory path for each client machine (or operating system). It can be set "
+"per-domain or globally in the [nss] section. A value specified in a domain "
+"section will override one set in the [nss] section."
+msgstr ""
+"Der Wert dieser Option wird als Auflösung der Option "
+"<emphasis>override_homedir</emphasis> verwendet, falls die Vorlage die "
+"Formatzeichenkette <emphasis>%H</emphasis> enthält. Ein LDAP-"
+"Verzeichniseintrag kann diese Schablone direkt enthalten, so dass diese "
+"Option zum Auflösen des Pfades zum Home-Verzeichnis für jeden Client-Rechner "
+"(oder Betriebssystem) verwendet werden kann. Sie kann pro-Domain oder global "
+"im Abschnitt [nss] gesetzt werden. Ein im Domain-Abschnitt angegebener Wert "
+"setzt jenen im [nss]-Abschnitt außer Kraft."
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:15
+msgid "Default: /home"
+msgstr "Voreinstellung: /home"
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "PLEASE NOTE: the support for non-unique named subpatterns is not "
+#~ "available on all platforms (e.g. RHEL5 and SLES10). Only platforms with "
+#~ "libpcre version 7 or higher can support non-unique named subpatterns."
+#~ msgstr ""
+#~ "BITTE BEACHTEN SIE: Die Unterstützung für nicht eindeutig benannte "
+#~ "Musterteile ist nicht auf allen Plattformen (z.B. RHEL5 und SLES10) "
+#~ "vorhanden. Nur Plattformen mit Libpcre Version 7 oder höher können nicht "
+#~ "eindeutig benannte Musterteile unterstützen."
+
+#~ msgid ""
+#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
+#~ "(?P<name>) to label subpatterns."
+#~ msgstr ""
+#~ "BITTE BEACHTEN SIE AUCH: Ältere Versionen von Libpcre unterstützen für "
+#~ "Beschriftungsmusterteile nur die Python-Syntax (?P<Name>)."
diff --git a/src/man/po/es.po b/src/man/po/es.po
new file mode 100644
index 0000000..b8c1c0c
--- /dev/null
+++ b/src/man/po/es.po
@@ -0,0 +1,17192 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# Adolfo Jayme Barrientos <fito@libreoffice.org>, 2012
+# Carlos Antolín Lucas <carlosantolin@hotmail.es>, 2012
+# beckerde <domingobecker@gmail.com>, 2013
+# Eduardo Villagrán M <gotencool@gmail.com>, 2011
+# Eduardo Villagrán M <gotencool@gmail.com>, 2011
+# vareli <ehespinosa@ya.com>, 2013
+# vareli <ehespinosa@ya.com>, 2013
+# Daniel Cabrera <logan@fedoraproject.org>, 2011
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-14 11:54+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Spanish (http://www.transifex.com/projects/p/sssd/language/"
+"es/)\n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "Páginas de manual de SSSD"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr "modifica un grupo"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr "DESCRIPCION"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+"<command>sss_groupmod</command> modifica el grupo para reflejar los cambios "
+"indicados en la línea de comandos."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "OPCIONES"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Agrega este grupo a otros grupos que hayan sido indicados con el parámetro " +"<replaceable>GROUPS</replaceable>. El parámetros <replaceable>GROUPS</" +"replaceable> es una lista de nombres de grupos separados por comas." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"Elimina este grupo de los grupos especificados con el parámetro " +"<replaceable>GROUPS</replaceable>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. 
type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Formatos de archivo y convenciones" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "El archivo de configuración de SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "Formato de archivo" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"El archivo posee una sintaxis de tipo ini consistente de secciones y " +"parámetros. Una sección comienza con el nombre de dicha sección colocado " +"entre corchetes, y continua hasta que comienza la próxima sección. Este es " +"un ejemplo de una sección con parámetros de valores simples y múltiples: " +"<placeholder type=\"programlisting\" id=\"0\"/>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" +"Los tipos de datos utilizados son cadenas (no es necesario ingresarlos entre " +"comillas), enteros o booleanos (cuyos valores son <quote>TRUE/FALSE</quote>)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +#, fuzzy +#| msgid "" +#| "A line comment starts with a hash sign (<quote>#</quote>) or a semicolon " +#| "(<quote>;</quote>). Inline comments are not supported." +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" +"Una línea de comentario comienza con una almohadilla (<quote>#</quote>) o un " +"punto y coma (<quote>;</quote>). No se soportan los comentarios en línea." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" +"Todas las secciones pueden tener un parámetro opcional de " +"<replaceable>descripción</replaceable>. Su función es solo la de servir como " +"etiqueta a tal sección." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" +"<filename>sssd.conf</filename> debe ser un archivo regular, cuyo dueño sea " +"el usuario root, y sólo este usuario podrá tener permisos de lectura y " +"escritura sobre él." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "debug_level (entero)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "debug_timestamps (bool)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Predeterminado: true" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "debug_microseconds (bool)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Predeterminado: false" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. 
This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Predeterminado: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "SECCIONES ESPECIALES" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "La sección [sssd]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Parámetros de sección" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "config_file_version (entero)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" +"Indica cuál es la sintaxis del archivo de configuración. SSSD 0.6.0 y " +"posteriores utilizan una versión 2." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "servicios" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. 
" +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "reconnection_retries (entero)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" +"Cantidad de intentos de reconexión de los servicios ante una eventual caída " +"de datos del proveedor, o de reiniciarse antes de abandonar" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Predeterminado: 3" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "dominios" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "re_expression (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" +"Expresión regular por defecto que describe como analizar la cadena que " +"contiene el nombre de usuario y el dominio en estos componentes." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "full_name_format (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" +"Cada dominio puede tener una cadena de formato individual configurar. Vea " +"SECCIONES DOMINIO para más información sobre esta opción." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "try_inotify (boolean)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" +"SSSD monitorea el estado de resolv.conf para saber cuando es necesario " +"actualizar su resolutor DNS interno. Por defecto, intentaremos utilizar para " +"ello la herramienta inotify, quien consultará a resolv.conf cada cinco " +"segundos en caso que inotify no pueda ser utilizado." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. 
In these rare cases, this option should be set " +"to 'false'" +msgstr "" +"Existen algunas pocas situaciones en donde lo preferible es evitar el uso de " +"inotify. En estas raras excepciones, la opción debería ser definida en " +"'false' " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" +"Predeterminado: 'true' en plataformas donde inotify tenga soporte. 'False' " +"en el resto de las plataformas." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" +"Nota: esta opción no tendrá efecto en plataformas donde inotify no se " +"encuenytre disponible. En estas plataformas, la consulta (polling) será " +"utilizada siempre." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "krb5_rcache_dir (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" +"Directorio en el sistema de archivos donde SSSD debería guardar fichero de " +"reproducción de cache de Kerberos." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." 
+msgstr "" +"Esta opción acepta un valor especial __LIBKRB5_DEFAULTS__ que instruirá a " +"SSSD para dejar a libkrb5 decidir la localización apropiada del escondrijo " +"de respuesta." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" +"Por defecto: Distribución específica y especificado en la acumulación de " +"tiempo. (si no se configura __LIBKRB5_DEFAULTS__)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "default_domain_suffix (cadena)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+"Esta cadena será usada como nombre de dominio por defecto para todos los "
+"nombre sin un componente de nombre de dominio. El principal caso de uso es "
+"en entornos donde el dominio principal está dirigido a gestionar las "
+"políticas de host y todos los usuarios están localizados en un dominio "
+"confiable. La opción permite a esos usuarios acceder sólo con su nombre de "
+"usuario sin dar también un nombre de dominio."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr "Predeterminado: no definido"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed.
The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.
The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Trozos individuales de funcionalidad SSSD son suministrados por servicios "
+"especiales SSSD que se inician y parar junto a SSSD. Los servicios son "
+"gestionados por un servicio especial frecuentemente llamado <quote>monitor</"
+"quote>. La sección <quote>[sssd]</quote> se usa para configurar el monitor "
+"así como algunas otras opciones importantes como la identidad de dominios. "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "SECCIONES DE SERVICIOS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+"Los ajustes que pueden ser utilizados para configurar diferentes servicios "
+"se describe en esta sección. Ellos deben residir en la sección [<replaceable>"
+"$NAME</replaceable>], por ejemplo, para el servicio NSS, la sección sería "
+"<quote>[nss]</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "Opciones de configuración de servicios generales"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "Estas opciones pueden usarse para configurar cualquier servicio."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr "fd_limit"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+"Esta opción especifica el número máximo de descriptores de ficheros que "
+"pueden ser abiertos a la vez por este proceso SSSD. Sobre sistemas donde "
+"SSSD ha alcanzado la capacidad CAP_SYS_RESOURCE, este será un ajuste "
+"absoluto. Sobre sistemas sin esta capacidad, el valor resultante será el "
+"valor más bajo de este o de limite “hard” en limits.conf."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr "Por defecto: 8192 (o limite “hard” en limits.conf)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr "Predeterminado: 60"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Predeterminado: 300"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr "Opciones de configuración de NSS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+"Estas opciones pueden ser usadas para configurar el servicio Name Service "
+"Switch (NSS)."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr "enum_cache_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+"Cuantos segundos ocultaría enumeraciones nss_sss (peticiones de información "
+"sobre todos los usuarios)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "Predeterminado: 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr "entry_cache_nowait_percentage (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+"La entrada a la cache puede ser fijada automáticamente para actualizar "
+"entradas en segundo plano si hay peticiones más allá de un porcentanje del "
+"valor de entry_cache_timeout para el dominio."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+"Por ejemplo, si entry_cache_timeout del dominio está fijado a 30 y "
+"entry_cache_nowait_percentage está fijado a 50 (por ciento), las entradas "
+"que vengan después de 15 segundos pasado el último cache serán devueltas "
+"inmediatamente, pero SSSD irá y actualizará el cache por el mismo, de modo "
+"que las futuras peticiones no necesitarán bloquearse a la espera de una "
+"actualización del cache."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+"Los valores válidos para esta opción son 0-99 y representan un porcentaje de "
+"entry_cache_timeout para cada dominio. Por razones de rendimiento, este "
+"porcentaje nunca reducirá el tiempo de salida de no espera a menos de 10 "
+"segundos. (0 deshabilita esta función)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "Predeterminado: 50"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"Especifica por cuantos segundos nss_sss escondería golpes negativos al cache "
+"(esto es, consultas para entradas no válidas a la base de datos, como "
+"entradas no existentes) antes de preguntar al punto final otra vez."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr "Predeterminado: 15"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 86400 (24 hours)"
+msgid "Default: 14400 (4 hours)"
+msgstr "Predeterminado: 86400 (24 horas)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr "filter_users, filter_groups (cadena)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr "Predeterminado: root"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr "filter_users_in_groups (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+"Si usted desea filtrar usuarios aunque sean miembros del grupo, fije esta "
+"opción a false."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr "fallback_homedir (cadena)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+"Fija la plantilla por defecto para el direcorio home del usuario si no se ha "
+"especificado una explícitamente por el proveedor de datos del dominio."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+"Los valores disponibles para esta opción son los mismos que para "
+"override_homedir."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+"fallback_homedir = /home/%u\n"
+" "
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "ejemplo: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+"Por defecto: no fijado (sin sustitución para los directorios home no fijados)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr "override_shell (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users.
This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr "Por defecto: no fijado (SSSD usará el valor recuperado desde LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr "allowed_shells (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+"Restringe la shell de usuario a uno de los valores listados. El orden de "
+"evaluación es:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr "1. Si el shell está presente en <quote>/etc/shells</quote>, se usa."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+"2. Si el shell está en la lista allowed_shells pero no en <quote>/etc/"
+"shells</quote>, usa el valor del parámetro shell_fallback."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+"3.
Si el shell no está en la lista allowed_shells y tampoco en <quote>/etc/"
+"shells</quote>, se usará un shell de no acceso."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr "Una cadena vacía para el shell se pasa como-es a libc."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+"<quote>/etc/shells</quote> es de sólo lectura en el inicio SSSD, lo que "
+"significa que se requiere el reinicio del SSSD en el caso de que se instale "
+"una nueva shell."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr "Por defecto: No fijado. La shell del usuario se usa automáticamente."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr "vetoed_shells (cadena)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr "Reemplaza cualquier instancia de estos shells con shell_fallback"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr "shell_fallback (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+"La shell por defecto a usar si una shell permitida no está instalada en la "
+"máquina."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr "Predeterminado: /bin/sh"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr "default_shell"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+"Por defecto: no fijado (Devuelve NULL si no se ha especificado una shell y "
+"confía en libc para sustituir algo sensible cuando sea necesario, "
+"normalmente /bin/sh)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr "get_domains_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+"Especifica el tiempo en segundos por los cuales la lista de subdominios será "
+"considerada válida."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr "memcache_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr "Esta opción puede ser también fijada por dominio."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr "Opciones de configuración PAM"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+"Estas opciones pueden ser usadas para configurar el servicio Pluggable "
+"Authentication Module (PAM)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr "offline_credentials_expiration (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+"Si la autenticación del proveedor es fuera de línea, cuanto permitiríamos "
+"los accesos escondidos (en días desde el último login en línea con éxito)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr "Predeterminado: 0 (Sin límite)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr "offline_failed_login_attempts (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+"Si la autenticación del proveedor es fuera de línea, cuantos intentos de "
+"login fallados están permitidos."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr "offline_failed_login_delay (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+"El tiempo en minutos que ha de pasar después de que "
+"offline_failed_login_attempts ha sido alcanzado antes de que un nuevo "
+"intento de login sea posible."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+"Si se fija en 0 el usuario no puede autenticarse fuerta de línea si se ha "
+"alcanzado offline_failed_login_attempts. Sólo una autenticación en línea con "
+"éxito puede habilitar otra vez la autenticación fuera de línea."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr "Predeterminado: 5"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr "pam_verbosity (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+"Controla qué tipo de mensajes se muestra al usuario durante la "
+"autenticación. Cuanto mayor sea el número de mensajes más aparecen."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr "Actualmente sssd soporta los siguientes valores:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr "<emphasis>0</emphasis>: no mostrar ningún mensaje"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr "<emphasis>1</emphasis>: mostrar sólo mensajes importantes"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr "<emphasis>2</emphasis>: mostrar mensajes informativos"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+"<emphasis>3</emphasis>: mostrar todos los mensajes e información de "
+"depuración"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr "Predeterminado: 1"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr "pam_id_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+"Para cualquier petición PAM mientras SSSD está en línea, SSSD intentará "
+"inmediatamente actualizar la información de identidad escondida por el "
+"usuario con el objetivo de asegurar que la autenticación tiene lugar con la "
+"información más actual."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+"Una conversación PAM completa puede llevar a cabo múltiples peticiones PAM, "
+"como gestión de cuenta y apertura de sesión. Esta opción controla (sobre una "
+"base de por cliente-aplicación) cuanto (en segundos) podemos esconder la "
+"información de identidad para evitar excesivos viajes de ida y vuelata al "
+"proveedor de identidad."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr "pam_pwd_expiration_warning (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr "Mostrar una advertencia N días antes que la contraseña caduque."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+"Por favor advierta que el servidor de punto final tiene que suministrar "
+"información sobre el tiempo de expiración de la contraseña. Si esta "
+"información desaparece, sssd no podrá mostrar un aviso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+"Si está fijado cero, no se aplicará el filtro, esto es si se recibe una "
+"advertencia de expiración desde el servidor final, se mostrará "
+"automáticamente."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+"Este ajuste puede ser anulado por el ajuste "
+"<emphasis>pwd_expiration_warning</emphasis> para un dominio concreto."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr "Predeterminado: 0"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr "Predeterminado: none"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr "Por defecto: False"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "Predeterminado: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr "SUDO opciones de configuración"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr "sudo_timed (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+"Si se evalúan o no los atributos sudoNotBefore y sudoNotAfter que implementa "
+"entradas de sudoers dependientes del tiempo."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr "Opciones de configuración AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr "Estas opciones pueden ser usadas para configurar el servicio autofs."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr "autofs_negative_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"Especifica cuantos segundos debería el respondedor negativo autofs esconder "
+"golpes (esto es, consultas a entradas de mapa no válidad, como las no "
+"existentes) antes de preguntar al punto final otra vez."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr "Opciones de configuración SSH"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr "Estas opciones se pueden usar para configurar el servicio SSH."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr "ssh_hash_known_hosts (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+"Si se pican o no los nombres y las direcciones de host en fichero gestionado "
+"known_host. "
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr "ssh_known_hosts_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+"Cuantos segundos se mantiene un host en el fichero known_hosts gestionados "
+"después de que se hayan pedido sus claves de host."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr "Por defecto: 180"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+#, fuzzy
+#| msgid ""
+#| "The skeleton directory, which contains files and directories to be copied "
+#| "in the user's home directory, when the home directory is created by "
+#| "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>"
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+"El directorio esqueleto, el cual contiene archivos y directorios a copiarse "
+"en el directorio principal del usuario, cuando se crea el directorio "
+"principal de <citerefentry><refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum></citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr "Opciones de configuración del respondedor PAC"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. 
The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr "Estas opciones pueden ser usadas para configurar el respondedor PAC."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr "allowed_uids (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr "" +"Especifica la lista separada por comas de los valores UID o nombres de " +"usuario que tiene el acceso permitido al respondedor PAC." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" +"Por defecto: 0 (sólo el usuario root tiene permitido el acceso al " +"respondedor PAC)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" +"Por favor advierta que aunque la UID 0 se usa por defecto será anulada con " +"esta opción. Si usted deses todavía permitir al usuario root acceder al " +"respondedor PAC, que sería el caso típico, usted tiene que añadir 0 a la " +"lista de UIDs permitidas también." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "SECCIONES DE DOMINIO" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "min_id, max_id (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" +"Límites de UID y GID para el dominio. Si un dominio contiene una entrada que " +"está fuera de estos límites, ésta es ignorada." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. 
For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" +"Para usuarios, esto afecta al límite primario GID. El usuario no será " +"devuelto a NSS si bien la UID o el GID primario está fuera de rango. Para " +"los miembros de grupos no primarios, aquellos que estén en rango serán " +"reportados como en espera." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "Predeterminado: 1 para min_id, 0 (sin límite) para max_id" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "enumerar (bool)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "TRUE = Usuarios y grupos son enumerados" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "FALSE = Sin enumeraciones para este dominio" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "Predeterminado: FALSE" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" +"Mientras está corriendo la primera enumeración, peticiones para el usuario " +"completo o listas de grupo pueden no devolver resultados hasta que se " +"completen." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" +"Adicionalmente, la habilitación de la enumeración puede incrementar el " +"tiempo necesario para detectar la desconexión de red, tanto como los tiempos " +"de espera necesarios para asegurar que las búsquedas de enumeración se han " +"completado. Para más información vea las páginas de manual para el " +"específico id_provider en uso." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" +"Por las razones citadas arriba, no se recomienda habilitar la enumeración, " +"especialmente en entornos grandes." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "entry_cache_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" +"Cuántos segundos debe considerar nss_sss como válidas las entradas antes de " +"volver a consultar al backend" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "Predeterminado: 5400" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "entry_cache_user_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" +"Cuantos segundos debería nss_sss considerar las entradas de usuario válidas " +"antes de preguntar al punto final otra vez." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "Por defecto: entry_cache_timeout" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "entry_cache_group_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" +"Cuantos segundos debería nss_sss considerar las entradas de grupo válidas " +"antes de preguntar al punto final otra vez." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "entry_cache_netgroup_timeout (entero)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" +"Cuantos segundos debería nss_sss considerar las entradas de grupo de red " +"válidas antes de preguntar al punto final otra vez." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "entry_cache_service_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" +"Cuantos segundos debería nss_sss considerar las entradas de servicio válidas " +"antes de preguntar al punto final otra vez." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "entry_cache_sudo_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" +"Cuantos segundos debería considerar las regulas sudo válidas antes de " +"preguntar al backend otra vez." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "entry_cache_autofs_timeout (entero)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" +"Cuantos segundos deberá considerar el servicio autofs los mapas de " +"automontaje válidos antes de preguntar al punto final otra vez." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "cache_credentials (bool)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" +"Determina si las credenciales del usuario están también escondidas en el " +"cache LDB local" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" +"Las credenciales de usuario son almacenadas en un hash SHA512, no en texto " +"plano" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "account_cache_expiration (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" +"Entradas de números de días que son dejadas en el cache después del último " +"login con éxito antes de ser borrado durante la limpieza de la cache. 0 " +"significa mantener para siempre. El valor de este parámetro debe ser más " +"grande o igual que offline_credentials_expiration." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "Predeterminado: 0 (ilimitado)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "pwd_expiration_warning (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" +"Por favor advierta que el servidor de backend tiene que suministrar " +"información sobre la hora expiración de la contraseña. Si esta información " +"está desaparecida, sssd no puede mostrar un aviso. También se tiene que " +"configurar un proveedor de autorización para el backend." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "Por defecto: 7 (Kerberos), 0 (LDAP)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "id_provider (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" +"El proveedor de identificación usado por el dominio. Los proveedores de ID " +"soportados son:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +#, fuzzy +#| msgid "<quote>proxy</quote>: Support a legacy NSS provider" +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "<quote>proxy</quote>: Soporta un proveedor NSS legado" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +#, fuzzy +#| msgid "<quote>local</quote>: SSSD internal provider for local users" +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "<quote>local</quote>: Proveedor interno SSSD para usuarios locales" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +#, fuzzy +#| msgid "" +#| "<quote>ldap</quote>: LDAP provider. See <citerefentry> " +#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> for more information on configuring LDAP." +msgid "" +"<quote>files</quote>: FILES provider. 
See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" +"<quote>ldap</quote>: Proveedor LDAP. Vea <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para más " +"información sobre la configuración de LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" +"<quote>ldap</quote>: Proveedor LDAP. Vea <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para más " +"información sobre la configuración de LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" +"<quote>ipa</quote>: Proveedor FreeIPA y Red Hat Enterprise Identity " +"Management. Vea <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> para más información sobre la " +"configuración de FreeIPA." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. 
See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" +"<quote>ad</quote>: Proveedor Active Directory. Vea <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> para más información sobre la configuración de Active " +"Directory." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "use_fully_qualified_names (bool)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" +"Utiliza el nombre completo y el dominio (formateado en el formato " +"nombre_completo de dominio) como el nombre de acceso del usuario reportado a " +"NSS." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" +"Si es TRUE, todas las peticiones a este dominio deben usar nombres " +"totalmente cualificados. Por ejemplo, si se usa en el dominio LOCAL que " +"contiene un usuario “test”, <command>getent passwd test</command> no " +"encontraría al usuario mientras que <command>getent passwd test@LOCAL</" +"command> lo haría." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "ignore_group_members (bool)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "No devuelve miembros de grupo para búsquedas de grupo." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+"El proveedor de autenticación usado por el dominio. Los proveedores de "
+"autenticación soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> para autenticación nativa LDAP. Vea <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> para más información sobre la configuración LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> para autenticación Kerberos. Vea <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> para más información sobre la configuración de Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> para la reinstalación de la autenticación a algún otro "
+"objetivo PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr "<quote>local</quote>: Proveedor interno SSSD para usuarios locales"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr "<quote>none</quote> deshabilita la autenticación explícitamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+"Por defecto: <quote>id_provider</quote> se usa si se ha fijado y puede "
+"manejar las peticiones de autenticación."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr "access_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+"El proveedor de control de acceso usado por el dominio. Hay dos provedores "
+"de acceso integrados (además de cualquiera instalado en los finales). Los "
+"proveedores especiales internos son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. 
It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+"<quote>permit</quote> siempre permite el acceso. Es el proveedor de acceso "
+"sólo permitido para un dominio local."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr "<quote>deny</quote> siempre niega el acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+"<quote>simple</quote> control de acceso basado en listas de acceso o "
+"denegación. Vea <citerefentry> <refentrytitle>sssd-simple</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> para más información sobre la "
+"configuración del módulo de acceso sencillo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr "Predeterminado: <quote>permit</quote>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr "chpass_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+"El proveedor que debería manejar las operaciones de cambio de password para "
+"el dominio. Los proveedores de cambio de passweord soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> para cambiar una contraseña Kerberos. Vea <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> para más información sobre configurar Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> para la reinstalación de cambios de password en algunos "
+"otros objetivos PAM."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+"<quote>none</quote> deniega explícitamente los cambios en la contraseña."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+"Por defecto: <quote>auth_provider</quote> se utiliza si se ha fijado y se "
+"puede manejar las peticiones de cambio de password."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr "sudo_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+"El proveedor SUDO usado por el dominio. Los proveedores SUDO soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> para reglas almacenadas en LDAP. Vea <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> para más información sobre la configuración LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr "<quote>none</quote>deshabilita SUDO explícitamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+"Por defecto: el valor de <quote>id_provider</quote> se usa si está fijado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr "selinux_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+"El proveedor que manejaría la carga de los ajustes selinux. Advierta que "
+"este proveedor será llamado justo después de que el proveedor de acceso "
+"finalice. Los proveedores selinux soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> para cargar ajustes selinux desde un servidor IPA. Vea "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> para más información sobre la configuración de "
+"IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+"<quote>none</quote> deshabilita ir a buscar los ajustes selinux "
+"explícitamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+"Por defecto: <quote>id_provider</quote> se usa si está fijado y puede "
+"manejar las peticiones de carga selinux."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr "subdomains_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+"El proveedor que debería manejar el atractivo de subdominios. Este valor "
+"debería ser siempre el mismo que id_provider. Los proveedores de subdominio "
+"soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> para cargar una lista de subdominios desde un servidor "
+"IPA. Vea <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> para más información sobre la "
+"configuración de IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+"<quote>none</quote> deshabilita el buscador de subdominios explícitamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr "autofs_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+"El proveedor autofs usado por el dominio. Los proveedores autofs soportados "
+"son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> para cargar mapas almacenados en LDAP. Vea "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> para más información sobre la configuración de "
+"LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> para cargar mapas almacenados en un servidor IPA. Vea "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> para más información sobre la configuración de "
+"IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. 
See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr "<quote>none</quote> deshabilita autofs explícitamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr "hostid_provider (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+"El proveedor usado para recuperar información de identidad de host. Los "
+"proveedores de hostid soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> para cargar la identidad del equipo almacenada en un "
+"servidor IPA. Vea <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> para más información sobre la "
+"configuración de IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr "<quote>none</quote> deshabilita hostid explícitamente."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+"Por defecto para el proveedor AD e IPA: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> que permite tres estilos diferentes de "
+"nombres de usuario:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr "nombre de usuario"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr "username@domain.name"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr "dominio/nombre_de_usuario"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+"Mientras los primeros dos corresponden al valor por defecto general el "
+"tercero se introduce para permitir una fácil integración de usuarios desde "
+"dominios Windows."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+"Predeterminado: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</"
+"quote> que traduce al \"todo lo que hay hasta el signo <quote>@</quote> es "
+"el nombre, el dominio es el resto detrás de este signo\""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Predeterminado: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr "lookup_family_order (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+"Suministra la capacidad para seleccionar la familia de dirección preferente "
+"a usar cuando se lleven a cabo búsquedas DNS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "Valores soportados:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr "ipv4_first: Intenta buscar dirección IPv4, si falla, intenta IPv6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr "ipv4_only: Sólo intenta resolver nombres de host a direccones IPv4."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr "ipv6_first: Intenta buscar dirección IPv6, si falla, intenta IPv4"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr "ipv6_only: Sólo intenta resolver nombres de host a direccones IPv6."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr "Predeterminado: ipv4_first"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr "dns_resolver_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "Predeterminado: 6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr "dns_discovery_domain (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+"Si el descubridor de servicio se usa en el punto final, especifica la parte "
+"de dominio de la pregunta al descubridor de servicio DNS."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+"Predeterminado: Utilizar la parte del dominio del nombre de host del equipo"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr "override_gid (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr "Anula el valor primario GID con el especificado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr "subdomain_homedir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" +"Este valor puede ser anulado por la opción <emphasis>override_homedir</" +"emphasis>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "Por defecto: <filename>/home/%d/%u</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." 
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Estas opciones de configuración pueden estar presentes en la sección "
+"configuración de dominio, esto es, en una sección llamada <quote>[domain/"
+"<replaceable>NAME</replaceable>]</quote> <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr "proxy_pam_target (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr "El proxy de destino PAM próximo a."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+"Por defecto: no se fija por defecto, usted tiene que coger una configuración "
+"pam existente o crear una nueva y añadir el nombre de servicio aquí."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr "proxy_lib_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+"El nombre de la librería NSS para usar en los dominios proxy. Las funciones "
+"NSS buscadas dentro de la librería están el formato de _nss_$(libName)_"
+"$(function), por ejemplo _nss_files_getpwent."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr "proxy_fast_alias (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+"Cuando un usuario o grupo es buscado por nombre en el proveedor proxy, una "
+"segunda búsqueda por ID es llevada a cabo para “estandarizar” el nombre en "
+"el caso de que el nombre pedido fuera un alias. Fijando esta opción a true "
+"se causaría que SSSD lleve a cabo una búsqueda de ID desde el escondrijo por "
+"razones de rendimiento."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+"Opciones válidas para dominios proxy. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr "La sección de dominio local"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+"Esta sección contiene la configuración para dominio que almacena los "
+"usuarios y grupos en la base de datos SSSD nativa, es decir, un dominio que "
+"utiliza <replaceable>id_provider=local</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr "default_shell (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+"El shell predeterminado para los usuarios creados con herramientas de "
+"espacio de usuario SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Predeterminado: <filename>/bin/bash</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr "base_directory (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+"Las herramientas anexan el nombre de inicio de sesión para "
+"<replaceable>base_directory</replaceable> y utilizan éste como el directorio "
+"de inicio."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "Predeterminado: <filename>/home</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr "create_homedir (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+"Indica si se creará un directorio home por defecto para los nuevos usuarios. "
+"Puede ser anulado desde la línea de comando."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Predeterminado: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr "remove_homedir (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+"Indica si el directorio home será borrado por defecto para los usuarios "
+"borrados. Puede ser anulado desde la línea de comando."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr "homedir_umask (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+"Utilizado por <citerefentry><refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum></citerefentry> para especificar los permisos "
+"predeterminados en un directorio de inicio recién creado."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Predeterminado: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr "skel_dir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+"El directorio esqueleto, el cual contiene archivos y directorios a copiarse "
+"en el directorio principal del usuario, cuando se crea el directorio "
+"principal de <citerefentry><refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum></citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Predeterminado: <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr "mail_dir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+"El directorio carreta de correo. Es necesario para manipular el buzón de "
+"correo cuando la cuenta de usuario correspondiente es modificada o borrada. "
+"Si no se especifica, se utiliza un valor por defecto."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Predeterminado: <filename>/var/mail</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr "userdel_cmd (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+"El comando que está corriendo después de que un usuario es borrado. El "
+"comando us para el nombre de usuario que está siendo borrado como primer y "
+"único parámetro. El código de retorno del comando no es tenido en cuenta."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr "Predeterminado: None, no se ejecuta comando"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr "sssd-ldap"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+"Esta página de manual describe la configuración de dominios LDAP para "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Vea la sección <quote>FILE FORMAT</quote> de la página de "
+"manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> para información detallada de la sintáxis."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr "Puede configurar SSSD para usar más de un dominio LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+"El punto final de LDAP soporta proveedores de id, auth, acceso y chpass. Si "
+"usted desea autenticarse contra un servidor LDAP se requiere bien TLS/SSL o "
+"LDAPS. <command>sssd</command> <emphasis>no</emphasis> soporta autenticación "
+"sobre un canal no esncriptado. Si el servidor LDAP se usa sólo como un "
+"proveedor de identidad, no se necesita un canal encriptado. Por favor vea la "
+"opción de configuración <quote>ldap_access_filter</quote> para más "
+"información sobre la utilización de LDAP como proveedor de acceso."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr "OPCIONES DE CONFIGURACIÓN"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr "ldap_uri, ldap_backup_uri (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+"Especifica una lista separada por comas de URIs del servidor LDAP al que "
+"SSSD se conectaría en orden de preferencia. Vea la sección "
+"<quote>CONMUTACIÓN EN ERROR</quote> para más información sobre la "
+"conmutación en error y la redundancia de servidor. Si no hay opción "
+"especificada, se habilita el descubridor de servicio. Para más información, "
+"vea la sección <quote>DESCUBRIDOR DE SERVICIOS</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+"El formato de la URI debe coincidir con el formato definido en RFC 2732:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr "ldap[s]://<host>[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+"Para direcciones IPv6 explícitas, <host> debe estar entre corchetes []"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr "ejemplo: ldap://[fc00::126:25]:389"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
+msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+"Especifica la lista separada por comas de URIs de los servidores LDAP a los "
+"que SSSD se conectaría con el objetivo preferente de cambiar la contraseña "
+"de un usuario. Vea la sección <quote>FAILOVER</quote> para más información "
+"sobre failover y redundancia de servidor."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+"Para habilitar el servicio descubrimiento ldap_chpass_dns_service_name debe "
+"ser establecido."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr "Por defecto: vacio, esto es ldap_uri se está usando."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr "ldap_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+"El DN base por defecto que se usará para realizar operaciones LDAP de "
+"usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+"Desde SSSD 1.7.0, SSSD soporta múltiples bases de búsqueda usando la "
+"sintaxis:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr "El alcance puede ser uno de “base”, “onlevel” o “subtree”."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+"El filtro debe ser un filtro de búsqueda LDAP válido como se especifica en "
+"http://www.ietf.org/rfc/rfc2254.txt"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "Ejemplos:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+"ldap_search_base = dc=example,dc=com (que es equivalente a) ldap_search_base "
+"= dc=example,dc=com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+"Nota: No está soportado tener múltiples bases de búsqueda que se referencien "
+"a objetos nombrados idénticamente (por ejemplo, grupos con el mismo nombre "
+"en dos bases de búsqueda diferentes). Esto llevara a comportamientos "
+"impredecibles sobre máquinas cliente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+"Por defecto: no se fija, se usa el valor de los atributos "
+"defaultNamingContext o namingContexts de RootDSE del servidor LDAP usado. "
+"Si defaultNamingContext no existe o tiene un valor vacío se usa "
+"namingContexts. El atributo namingContexts debe tener un único valor con el "
+"DN de la base de búsqueda del servidor LDAP para hacer este trabajo. No se "
+"soportan múltiples valores."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr "ldap_schema (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+"Especifica el Tipo de Esquema en uso en el servidor LDAP objetivo. "
+"Dependiendo del esquema seleccionado, los nombres de atributos por defecto "
+"que se recuperan de los servidores pueden variar. La manera en que algunos "
+"atributos son manejados puede también diferir."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr "Cuatro tipos de esquema son actualmente soportados:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr "rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr "rfc2307bis"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr "IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr "AD"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. With rfc2307, group members are listed by name in "
+"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
+"group members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute. The AD schema type sets the attributes to correspond with Active "
+"Directory 2008r2 values."
+msgstr ""
+"La principal diferencia entre estos tipos de esquemas es como las "
+"afiliaciones de grupo son grabadas en el servidor. Con rfc2307, los miembros "
+"de grupos son listados por nombre en el atributo <emphasis>memberUid</"
+"emphasis>. Con rfc2307bis e IPA, los miembros de grupo son listados por DN y "
+"almacenados en el atributo <emphasis>member</emphasis>. El tipo de esquema "
+"AD fija los atributos para corresponderse con los valores Active Directory "
+"2008r2."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:203
+msgid "Default: rfc2307"
+msgstr "Predeterminado: rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:209
+msgid "ldap_default_bind_dn (string)"
+msgstr "ldap_default_bind_dn (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:212
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+"El enlazador DN por defecto a usar para llevar a cabo operaciones LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:219
+msgid "ldap_default_authtok_type (string)"
+msgstr "ldap_default_authtok_type (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:222
+msgid "The type of the authentication token of the default bind DN."
+msgstr "El tipo de ficha de autenticación del enlazador DN por defecto."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:226
+msgid "The two mechanisms currently supported are:"
+msgstr "Los dos mecanismos actualmente soportados son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:229
+msgid "password"
+msgstr "contraseña"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:232
+msgid "obfuscated_password"
+msgstr "obfuscated_password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:235
+msgid "Default: password"
+msgstr "Por defecto: contraseña"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:241
+msgid "ldap_default_authtok (string)"
+msgstr "ldap_default_authtok (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:244
+msgid ""
+"The authentication token of the default bind DN. Only clear text passwords "
+"are currently supported."
+msgstr ""
+"La ficha de autenticación del enlazador DN por defecto. Sólo se soportan "
+"actualmente password de texto claro."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:251
+msgid "ldap_user_object_class (string)"
+msgstr "ldap_user_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "The object class of a user entry in LDAP."
+msgstr "La clase de objeto de una entrada de usuario en LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:257
+msgid "Default: posixAccount"
+msgstr "Predeterminado: posixAccount"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:263
+msgid "ldap_user_name (string)"
+msgstr "ldap_user_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:266
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+"El atributo LDAP que corresponde al nombre de inicio de sesión del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:270
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:277
+msgid "ldap_user_uid_number (string)"
+msgstr "ldap_user_uid_number (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr "El atributo LDAP que corresponde al id de usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:284
+msgid "Default: uidNumber"
+msgstr "Predeterminado: uidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:290
+msgid "ldap_user_gid_number (string)"
+msgstr "ldap_user_gid_number (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr "El atributo LDAP que corresponde al id del grupo primario del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929
+msgid "Default: gidNumber"
+msgstr "Predeterminado: gidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
+msgid "ldap_user_gecos (string)"
+msgstr "ldap_user_gecos (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:321
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr "El atributo LDAP que corresponde al campo de gecos del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: gecos"
+msgstr "Predeterminado: gecos"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_home_directory (string)"
+msgstr "ldap_user_home_directory (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+"El atributo LDAP que contiene el nombre del directorio principal del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:338
+msgid "Default: homeDirectory"
+msgstr "Predeterminado: homeDirectory"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:344
+msgid "ldap_user_shell (string)"
+msgstr "ldap_user_shell (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:347
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+"El atributo LDAP que contiene la ruta de acceso a la shell predeterminada "
+"del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:351
+msgid "Default: loginShell"
+msgstr "Predeterminado: loginShell"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:357
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:360
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955
+msgid ""
+"Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
+"IPA"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:371
+msgid "ldap_user_objectsid (string)"
+msgstr "ldap_user_objectsid (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:374
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP user object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"El atributo LDAP que contiene el objectSID de un objeto usuario LDAP. Esto "
+"es normalmente sólo necesario para servidores ActiveDirectory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970
+msgid "Default: objectSid for ActiveDirectory, not set for other servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_modify_timestamp (string)"
+msgstr "ldap_user_modify_timestamp (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+"El atributo LDAP que contiene la fecha y hora de la última modificación del "
+"objeto primario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210
+msgid "Default: modifyTimestamp"
+msgstr "Predeterminado: modifyTimestamp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:399
+msgid "ldap_user_shadow_last_change (string)"
+msgstr "ldap_user_shadow_last_change (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:402
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre "
+"de un atributo LDAP correspondiente a su <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> homologo (fecha del último cambio de password)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:412
+msgid "Default: shadowLastChange"
+msgstr "Predeterminado: shadowLastChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:418
+msgid "ldap_user_shadow_min (string)"
+msgstr "ldap_user_shadow_min (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:421
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre "
+"de un atributo LDAP correspondiente a su <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> homologo (edad mínima del password)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:430
+msgid "Default: shadowMin"
+msgstr "Predeterminado: shadowMin"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:436
+msgid "ldap_user_shadow_max (string)"
+msgstr "ldap_user_shadow_max (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:439
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre "
+"de un atributo LDAP correspondiente a su <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> homologo (edad máxima del password)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: shadowMax"
+msgstr "Predeterminado: shadowMax"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_shadow_warning (string)"
+msgstr "ldap_user_shadow_warning (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre "
+"de un atributo LDAP correspondiente a su <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> homologo (período de aviso de password)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:467
+msgid "Default: shadowWarning"
+msgstr "Predeterminado: shadowWarning"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:473
+msgid "ldap_user_shadow_inactive (string)"
+msgstr "ldap_user_shadow_inactive (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=shadow, este parámetro contiene el nombre "
+"de un atributo LDAP correspondiente a su <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> homologo (período de inactividad de password)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:486
+msgid "Default: shadowInactive"
+msgstr "Predeterminado: shadowInactive"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:492
+msgid "ldap_user_shadow_expire (string)"
+msgstr "ldap_user_shadow_expire (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:495
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=shadow o "
+"ldap_account_expire_policy=shadow, este parámetro contiene el nombre de un "
+"atributo correspondiente con su <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> homólogo (fecha de "
+"expiración de la cuenta)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:505
+msgid "Default: shadowExpire"
+msgstr "Predeterminado: shadowExpire"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:511
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr "ldap_user_krb_last_pwd_change (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:514
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=mit_kerberos, este parámetro contiene el "
+"nombre de un atributo LDAP que almacena la fecha y la hora del último cambio "
+"de password en kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:520
+msgid "Default: krbLastPwdChange"
+msgstr "Predeterminado: krbLastPwdChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:526
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr "ldap_user_krb_password_expiration (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:529
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+"Cuando se utiliza ldap_pwd_policy=mit_kerberos, este parámetro contiene el "
+"nombre de un atributo LDAP que almacena la fecha y la hora en la que expira "
+"el password actual."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:535
+msgid "Default: krbPasswordExpiration"
+msgstr "Predeterminado: krbPasswordExpiration"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:541
+msgid "ldap_user_ad_account_expires (string)"
+msgstr "ldap_user_ad_account_expires (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:544
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+"Cuando se utiliza ldap_account_expire_policy=ad, este parámetro contiene el "
+"nombre de un atributo LDAP que almacena el tiempo de expiración de la cuenta."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:549
+msgid "Default: accountExpires"
+msgstr "Predeterminado: accountExpires"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:555
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr "ldap_user_ad_user_account_control (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:558
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+"Cuando se usa ldap_account_expire_policy=ad, este parámetro contiene el "
+"nombre de un atributo LDAP que almacena el campo bit de control de la cuenta "
+"de usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:563
+msgid "Default: userAccountControl"
+msgstr "Predeterminado: userAccountControl"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:569
+msgid "ldap_ns_account_lock (string)"
+msgstr "ldap_ns_account_lock (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:572
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+"Cuando se usa ldap_account_expire_policy=rhds o esquivalente, este parámetro "
+"determina si el acceso está permitido o no."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:577
+msgid "Default: nsAccountLock"
+msgstr "Predeterminado: nsAccountLock"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:583
+msgid "ldap_user_nds_login_disabled (string)"
+msgstr "ldap_user_nds_login_disabled (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:586
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines if "
+"access is allowed or not."
+msgstr ""
+"Cuando se usa ldap_account_expire_policy=nds, este atributo determina si el "
+"acceso está permitido o no."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
+msgid "Default: loginDisabled"
+msgstr "Predeterminado: loginDisabled"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:596
+msgid "ldap_user_nds_login_expiration_time (string)"
+msgstr "ldap_user_nds_login_expiration_time (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines until "
+"which date access is granted."
+msgstr ""
+"Cuando se usa ldap_account_expire_policy=nds, este atributo determina hasta "
+"que fecha se concede el acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:610
+msgid "ldap_user_nds_login_allowed_time_map (string)"
+msgstr "ldap_user_nds_login_allowed_time_map (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:613
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines the "
+"hours of a day in a week when access is granted."
+msgstr ""
+"Cuando se utiliza ldap_account_expire_policy=nds, este atributo determina la "
+"hora de un día en la semana cuando se concede el acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:618
+msgid "Default: loginAllowedTimeMap"
+msgstr "Predeterminado: loginAllowedTimeMap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:624
+msgid "ldap_user_principal (string)"
+msgstr "ldap_user_principal (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:627
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+"El atributo LDAP que contiene le Nombre Principal de Usuario Kerberos (UPN) "
+"del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:631
+msgid "Default: krbPrincipalName"
+msgstr "Predeterminado: krbPrincipalName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:637
+msgid "ldap_user_extra_attrs (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:640
+msgid ""
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+"usual set of user attributes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:645
+msgid ""
+"The list can either contain LDAP attribute names only, or colon-separated "
+"tuples of SSSD cache attribute name and LDAP attribute name. In case only "
+"LDAP attribute name is specified, the attribute is saved to the cache "
+"verbatim. Using a custom SSSD attribute name might be required by "
+"environments that configure several SSSD domains with different LDAP schemas."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:655
+msgid ""
+"Please note that several attribute names are reserved by SSSD, notably the "
+"<quote>name</quote> attribute. SSSD would report an error if any of the "
+"reserved attribute names is used as an extra attribute name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:665
+msgid "ldap_user_extra_attrs = telephoneNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:668
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+"<quote>telephoneNumber</quote> to the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:672
+msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:675
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+"quote> to the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:685
+msgid "ldap_user_ssh_public_key (string)"
+msgstr "ldap_user_ssh_public_key (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:688
+msgid "The LDAP attribute that contains the user's SSH public keys."
+msgstr "El atributo LDAP que contiene las claves públicas SSH del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306
+msgid "Default: sshPublicKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr "ldap_force_upper_case_realm (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+"Algunos servidores de directorio, por ejemplo Active Directory, pueden "
+"entregar la parte real del UPN en minúsculas, lo que puede causar fallos de "
+"autenticación. Fije esta opción en un valor distinto de cero si usted desea "
+"usar mayúsculas reales."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:714
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr "ldap_enumeration_refresh_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:717
+msgid ""
+"Specifies how many seconds SSSD has to wait before refreshing its cache of "
+"enumerated records."
+msgstr ""
+"Especifica cuantos segundos SSSD tiene que esperar antes de refrescar su "
+"escondrijo de los registros enumerados."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:728
+msgid "ldap_purge_cache_timeout (integer)"
+msgstr "ldap_purge_cache_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:731
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+"Determina la frecuencia de comprobación del cache para entradas inactivas "
+"(como grupos sin miembros y usuarios que nunca han accedido) y borrarlos "
+"para guardar espacio."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:737
+msgid ""
+"Setting this option to zero will disable the cache cleanup operation. Please "
+"note that if enumeration is enabled, the cleanup task is required in order "
+"to detect entries removed from the server and can't be disabled. By default, "
+"the cleanup task will run every 3 hours with enumeration enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:752
+msgid "ldap_user_fullname (string)"
+msgstr "ldap_user_fullname (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:755
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr "El atributo LDAP que corresponde al nombre completo del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235
+#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607
+msgid "Default: cn"
+msgstr "Predeterminado: cn"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:765
+msgid "ldap_user_member_of (string)"
+msgstr "ldap_user_member_of (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:768
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr "El atributo LDAP que lista los afiliación a grupo de usario."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274
+msgid "Default: memberOf"
+msgstr "Predeterminado: memberOf"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:778
+msgid "ldap_user_authorized_service (string)"
+msgstr "ldap_user_authorized_service (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:781
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+"Si access_provider=ldap y ldap_access_order=authorized_service, SSSD "
+"utilizará la presencia del atributo authorizedService en la entrada LDAP del "
+"usuario para determinar el privilegio de acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:788
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+"Una denegación explícita (¡svc) se resuelve primero. Segundo, SSSD busca "
+"permiso explícito (svc) y finalmente permitir todo (*)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:793
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>authorized_service</quote> in order for the "
+"ldap_user_authorized_service option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:800
+msgid "Default: authorizedService"
+msgstr "Predeterminado: iluminada"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:806
+msgid "ldap_user_authorized_host (string)"
+msgstr "ldap_user_authorized_host (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:809
+msgid ""
+"If access_provider=ldap and ldap_access_order=host, SSSD will use the "
+"presence of the host attribute in the user's LDAP entry to determine access "
+"privilege."
+msgstr ""
+"Si access_provider=ldap y ldap_access_order=host, SSSD utilizará la "
+"presencia del atributo host en la entrada LDAP del usuario para determinar "
+"el privilegio de acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"An explicit deny (!host) is resolved first. Second, SSSD searches for "
+"explicit allow (host) and finally for allow_all (*)."
+msgstr ""
+"Una denegación explícita (¡host) se resuelve primero. Segundo, la búsqueda "
+"SSSD para permiso explícito (host) y finalmente permitir todo (*)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:820
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>host</quote> in order for the "
+"ldap_user_authorized_host option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:827
+msgid "Default: host"
+msgstr "Default: host"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:833
+msgid "ldap_user_authorized_rhost (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:836
+msgid ""
+"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the "
+"presence of the rhost attribute in the user's LDAP entry to determine access "
+"privilege. Similarly to host verification process."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:843
+msgid ""
+"An explicit deny (!rhost) is resolved first. Second, SSSD searches for "
+"explicit allow (rhost) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:848
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>rhost</quote> in order for the "
+"ldap_user_authorized_rhost option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:855
+msgid "Default: rhost"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:861
+msgid "ldap_user_certificate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:864
+msgid "Name of the LDAP attribute containing the X509 certificate of the user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:868
+msgid "Default: userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:874
+msgid "ldap_user_email (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:877
+msgid "Name of the LDAP attribute containing the email address of the user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:881
+msgid ""
+"Note: If an email address of a user conflicts with an email address or fully "
+"qualified name of another user, then SSSD will not be able to serve those "
+"users properly. If for some reason several users need to share the same "
+"email address then set this option to a nonexistent attribute name in order "
+"to disable user lookup/login by email."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:890
+msgid "Default: mail"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:896
+msgid "ldap_group_object_class (string)"
+msgstr "ldap_group_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "The object class of a group entry in LDAP."
+msgstr "La clase de objeto de una entrada de grupo LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:902
+msgid "Default: posixGroup"
+msgstr "Por defecto: posixGroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:908
+msgid "ldap_group_name (string)"
+msgstr "ldap_group_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:911
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr "El atributo LDAP que corresponde al nombre de grupo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:915
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:922
+msgid "ldap_group_gid_number (string)"
+msgstr "ldap_group_gid_number (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:925
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr "El atributo LDAP que corresponde al id del grupo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:935
+msgid "ldap_group_member (string)"
+msgstr "ldap_group_member (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:938
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr "El atributo LDAP que contiene los nombres de los miembros del grupo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:942
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr "Valor predeterminado: memberuid (rfc2307) / member (rfc2307bis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:948
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:951
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:962
+msgid "ldap_group_objectsid (string)"
+msgstr "ldap_group_objectsid (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:965
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP group object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"El atributo LDAP que contiene el objectSID de un objeto grupo LDAP. Esto es "
+"normalmente sólo necesario para servidores ActiveDirectory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:977
+msgid "ldap_group_modify_timestamp (string)"
+msgstr "ldap_group_modify_timestamp (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:990
+msgid "ldap_group_type (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:993
+msgid ""
+"The LDAP attribute that contains an integer value indicating the type of the "
+"group and maybe other flags."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:998
+msgid ""
+"This attribute is currently only used by the AD provider to determine if a "
+"group is a domain local groups and has to be filtered out for trusted "
+"domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1004
+msgid "Default: groupType in the AD provider, otherwise not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1011
+msgid "ldap_group_external_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1014
+msgid ""
+"The LDAP attribute that references group members that are defined in an "
+"external domain. At the moment, only IPA's external members are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1020
+msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1027
+msgid "ldap_group_nesting_level (integer)"
+msgstr "ldap_group_nesting_level (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1030
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+"Si ldap_schema está fijado en un formato de esquema que soporte los grupos "
+"anidados (por ejemplo, RFC2307bis), entonces esta opción controla cuantos "
+"niveles de anidamiento seguirá SSSD. Este opción no tiene efecto en el "
+"esquema RFC2307."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1037
+msgid ""
+"Note: This option specifies the guaranteed level of nested groups to be "
+"processed for any lookup. However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all. However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "Predeterminado: 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr "ldap_groups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+"Esta opción le dice a SSSD como tomar ventajar de una función específica de "
+"Active Directory que puede acelerar las operaciones de búsqueda de grupo son "
+"despliegues con grupos complejos o profundamente anidados."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+"En los casos más comunes, es mejor dejar esta opción deshabilitada. "
+"Generalmente sólo suministra un incremento de rendimiento en anidamientos "
+"muy complejos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+"Si esta opción está habilitada, SSSD la usará si detecta que el servidor la "
+"soporta durante la conexión inicial. De modo que “True” aquí significa "
+"esencialmente “auto-detect”."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+"Nota: Esta función se sabe que actualmente trabajo sólo con Active Directory "
+"2008 R1 y posteriores. Vea <ulink url=\"http://msdn.microsoft.com/en-us/"
+"library/windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) "
+"documentation</ulink> para más detalles."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr "ldap_initgroups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+"Esta opción le dice a SSSD que tome ventaja de una función específica de "
+"Active Directory que puede acelerar las operaciones de inicio de grupo (más "
+"notable cuando se trata con grupos complejos o profundamente anidados)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr "ldap_netgroup_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr "La clase de objeto de una entrada netgroup en LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+msgstr "En proveedor IPA, ipa_netgroup_object_class, se usaría en su lugar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr "Predeterminado: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr "ldap_netgroup_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr "El atributo LDAP que corresponde al nombre del netgroup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr "Un proveedor IPA, ipa_netgroup_name sería usado en su lugar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr "ldap_netgroup_member (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+"El atributo LDAP que contiene los nombres de los miembros de grupo de red."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr "Un proveedor IPA, ipa_netgroup_member sería usado en su lugar."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr "Predeterminado: memberNisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr "ldap_netgroup_triple (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+"El atributo LDAP que contiene los (host, usuario, dominio) triples de grupo "
+"de red."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr "Esta opción no está disponible en el proveedor IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr "Predeterminado: nisNetgroupTriple"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr "ldap_netgroup_modify_timestamp (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr "Por defecto: ipService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr "Opcional. Usa la cadena dada como base de búsqueda para objetos host."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+"Vea <quote>ldap_search_base</quote> para información sobre la configuración "
+"de múltiples bases de búsqueda."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr "Predeterminado: el valor de <emphasis>ldap_search_base</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr "ldap_service_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr "La clase objeto de una entrada de servicio en LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr "ldap_service_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr ""
+"El atributo LDAP que contiene el nombre de servicio de atributos y sus alias."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr "ldap_service_port (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr "El atributo LDAP que contiene el puerto manejado por este servicio." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "Por defecto: ipServicePort" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "ldap_service_proto (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" +"El atributo LDAP que contiene los protocolos entendidos por este servicio." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "Por defecto: ipServiceProtocol" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "ldap_service_search_base (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" +"Especifica el tiempo de salida (en segundos) que la búsqueda ldap está " +"permitida para correr antes que de quea cancelada y los resultados " +"escondidos devueltos (y se entra en modo fuera de línea)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+"Nota: esta opción será sujeto de cambios en las futuras versiones del SSSD. "
+"Probablemente será sustituido en algunos puntos por una serie de tiempos de "
+"espera para tipos específicos de búsqueda."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr "ldap_enumeration_search_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+"Especifica el tiempo de espera (en segundos) en los que las búsquedas ldap "
+"de enumeraciones de usuario y grupo están permitidas de correr antes de que "
+"sean canceladas y devueltos los resultados escondidos (y se entra en modo "
+"fuera de línea)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr "ldap_network_timeout (entero)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+"Especifica el tiempo de salida (en segudos) después del cual <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> siguiendo un <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> vuelve en caso de no actividad."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr "ldap_opt_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr "ldap_connection_expire_timeout (entero)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. After this time, the connection will be re-established. If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+"Especifica un tiempo de espera (en segundos) en el que se mantendrá una "
+"conexión a un servidor LDAP. Después de este tiempo, la conexión será "
+"restablecida. Si su usa en paralelo con SASL/GSSAPI, se usará el valor más "
+"temprano (este valor contra el tiempo de vida TGT)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr "Predeterminado: 900 (15 minutos)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr "ldap_page_size (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+"Especifica el número de registros a recuperar desde una única petición LDAP. "
+"Algunos servidores LDAP hacen cumplir un límite máximo por petición."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr "Predeterminado: 1000"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr "ldap_disable_paging (booleano)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control. This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+"Deshabilita el control de paginación LDAP. Esta opción se debería usar si el "
+"servidor LDAP reporta que soporta el control de paginación LDAP en sus "
+"RootDSE pero no está habilitado o no se comporta apropiadamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1502
+msgid ""
+"Example: OpenLDAP servers with the paging control module installed on the "
+"server but not enabled will report it in the RootDSE but be unable to use it."
+msgstr ""
+"Ejemplo: los servidores OpenLDAP con el módulo de control de paginación "
+"instalado sobre el servidor pero no habilitado lo reportarán en el RootDSE "
+"pero es incapaz de usarlo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1508
+msgid ""
+"Example: 389 DS has a bug where it can only support a one paging control at "
+"a time on a single connection. On busy clients, this can result in some "
+"requests being denied."
+msgstr ""
+"Ejemplo: 389 DS tiene un bug donde puede sólo soportar un control de "
+"paginación a la vez en una única conexión. Sobre clientes ocupados, esto "
+"puede ocasionar que algunas peticiones sean denegadas."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1520
+msgid "ldap_disable_range_retrieval (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1523
+msgid "Disable Active Directory range retrieval."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1526
+msgid ""
+"Active Directory limits the number of members to be retrieved in a single "
+"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
+"group contains more members, the reply would include an AD-specific range "
+"extension. This option disables parsing of the range extension, therefore "
+"large groups will appear as having no members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1541
+msgid "ldap_sasl_minssf (integer)"
+msgstr "ldap_sasl_minssf (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1544
+msgid ""
+"When communicating with an LDAP server using SASL, specify the minimum "
+"security level necessary to establish the connection. The values of this "
+"option are defined by OpenLDAP."
+msgstr ""
+"Cuando se está comunicando con un servidor LDAP usando SASL, especifica el "
+"nivel de seguridad mínimo necesario para establecer la conexión. Los valores "
+"de esta opción son definidos por OpenLDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1550
+msgid "Default: Use the system default (usually specified by ldap.conf)"
+msgstr ""
+"Por defecto: Usa el sistema por defecto (normalmente especificado por ldap."
+"conf)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1557
+msgid "ldap_deref_threshold (integer)"
+msgstr "ldap_deref_threshold (entero)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1560
+msgid ""
+"Specify the number of group members that must be missing from the internal "
+"cache in order to trigger a dereference lookup. If less members are missing, "
+"they are looked up individually."
+msgstr ""
+"Especifica el número de miembros del grupo que deben estar desaparecidos "
+"desde el escondrijo interno con el objetivo de disparar una búsqueda "
+"deference. Si hay menos miembros desaparecidos, se buscarán individualmente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1566
+msgid ""
+"You can turn off dereference lookups completely by setting the value to 0."
+msgstr ""
+"Usted puede quitar las búsquedas dereference completamente fijando el valor "
+"a 0."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1570
+msgid ""
+"A dereference lookup is a means of fetching all group members in a single "
+"LDAP call. Different LDAP servers may implement different dereference "
+"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+"Directory."
+msgstr ""
+"Una búsqueda dereference es un medio de descargar todos los miembros del "
+"grupo en una única llamada LDAP. Servidores diferentes LDAP pueden "
+"implementar diferentes métodos dereference. Los servidores actualmente "
+"soportados son 389/RHDS, OpenLDAP y Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1578
+msgid ""
+"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+"filter, then the dereference lookup performance enhancement will be disabled "
+"regardless of this setting."
+msgstr ""
+"<emphasis>Nota:</emphasis> Si alguna de las bases de búsqueda especifica un "
+"filtro de búsqueda, la mejora del rendimiento de la búsqueda dereference "
+"será deshabilitado sin tener en cuenta este ajuste."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1591
+msgid "ldap_tls_reqcert (string)"
+msgstr "ldap_tls_reqcert (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1594
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+"Especifica que comprobaciones llevar a cabo sobre los certificados del "
+"servidor en una sesión TLS, si las hay. Puede ser especificado como uno de "
+"los siguientes valores:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1600
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+"<emphasis>never</emphasis> = El cliente no pedirá o comprobará ningún "
+"certificado de servidor."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1604
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+"<emphasis>allow</emphasis> = Se pide el certificado del servidor. Si no se "
+"suministra certificado, la sesión sigue normalmente. Si se suministra un "
+"certificado malo, será ignorado y la sesión continua normalmente."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+"<emphasis>try</emphasis> = Se pide el certificado del servidor. Si no se "
+"suministra certificado, la sesión continua normalmente. Si se suministra un "
+"certificado malo, la sesión se termina inmediatamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+"<emphasis>demand</emphasis> = Se pide el certificado del servidor. Si no se "
+"suministra certificado, o se suministra un certificado malo, la sesión se "
+"termina inmediatamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr "<emphasis>hard</emphasis> = Igual que <quote>demand</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr "Predeterminado: hard"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr "ldap_tls_cacert (cadena)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+"Especifica el fichero que contiene los certificados de todas las Autoridades "
+"de Certificación que <command>sssd</command> reconocerá."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+"Por defecto: use los valores por defecto OpenLDAP, normalmente en <filename>/"
+"etc/openldap/ldap.conf</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr "ldap_tls_cacertdir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+"Especifica la ruta de un directorio que contiene los certificados de las "
+"Autoridades de Certificación en ficheros individuales separados. Normalmente "
+"los nombres de fichero necesita ser el hash del certificado seguido por "
+"‘.0’. si esta disponible <command>cacertdir_rehash</command> puede ser usado "
+"para crear los nombres correctos."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr "ldap_tls_cert (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1669
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+"Especifica el fichero que contiene el certificado para la clave del cliente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1679
+msgid "ldap_tls_key (string)"
+msgstr "ldap_tls_key (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1682
+msgid "Specifies the file that contains the client's key."
+msgstr "Especifica el archivo que contiene la clave del cliente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1691
+msgid "ldap_tls_cipher_suite (string)"
+msgstr "ldap_tls_cipher_suite (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1694
+msgid ""
+"Specifies acceptable cipher suites. Typically this is a colon separated "
+"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1707
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr "ldap_id_use_start_tls (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1710
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+"Especifica que la id_de proveedor de la conexión debe también utilizar "
+"<systemitem class=\"protocol\">tls</systemitem> para proteger el canal."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1720
+msgid "ldap_id_mapping (boolean)"
+msgstr "ldap_id_mapping (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1723
+msgid ""
+"Specifies that SSSD should attempt to map user and group IDs from the "
+"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+"on ldap_user_uid_number and ldap_group_gid_number."
+msgstr ""
+"Especifica que SSSD intentaría mapear las IDs de usuario y grupo desde los "
+"atributos ldap_user_objectsid y ldap_group_objectsid en lugar de apoyarse en "
+"ldap_user_uid_number y ldap_group_gid_number."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1729
+msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+msgstr ""
+"Actualmente está función soporta sólo mapeos de objectSID de ActiveDirectory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1739
+msgid "ldap_min_id, ldap_max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1742
+msgid ""
+"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+"set to true the allowed ID range for ldap_user_uid_number and "
+"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
+"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
+"can be set to restrict the allowed range for the IDs which are read directly "
+"from the server.
Sub-domains can then pick other ranges to map IDs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1754
+msgid "Default: not set (both options are set to 0)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1760
+msgid "ldap_sasl_mech (string)"
+msgstr "ldap_sasl_mech (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1763
+msgid ""
+"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+"Especifica el mecanismo SASL a emplear. Actualmente sólo GSSAPI está "
+"probado y soportado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1773
+msgid "ldap_sasl_authid (string)"
+msgstr "ldap_sasl_authid (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ldap.5.xml:1784
+#, no-wrap
+msgid ""
+"hostname@REALM\n"
+"netbiosname$@REALM\n"
+"host/hostname@REALM\n"
+"*$@REALM\n"
+"host/*@REALM\n"
+"host/*\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1776
+#, fuzzy
+#| msgid ""
+#| "Specify the SASL authorization id to use. When GSSAPI is used, this "
+#| "represents the Kerberos principal used for authentication to the "
+#| "directory. This option can either contain the full principal (for "
+#| "example host/myhost@EXAMPLE.COM) or just the principal name (for example "
+#| "host/myhost)."
+msgid ""
+"Specify the SASL authorization id to use. When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory.
"
+"This option can either contain the full principal (for example host/"
+"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+"default, the value is not set and the following principals are used: "
+"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+"the first principal in keytab is returned."
+msgstr ""
+"Especifica la id de autorización SASL a usar. Cuando se usa GSSAPI, esto "
+"representa el Kerberos principal usado para autenticación al directorio. "
+"Esta opción puede contener el principal completo (por ejemplo host/"
+"myhost@EXAMPLE.COM) o sólo en nombre principal (por ejemplo host/myhost)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1795
+msgid "Default: host/hostname@REALM"
+msgstr "Por defecto: host/nombre_de_host@REALM"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1801
+msgid "ldap_sasl_realm (string)"
+msgstr "ldap_sasl_realm (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1804
+msgid ""
+"Specify the SASL realm to use. When not specified, this option defaults to "
+"the value of krb5_realm. If the ldap_sasl_authid contains the realm as "
+"well, this option is ignored."
+msgstr ""
+"Especifica el reino SASL a usar. Cuando no se especifica, esta opción se "
+"pone por defecto al valor de krb5_realm. Si ldap_sasl_authid contiene el "
+"reino también, esta opción se ignora."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1810
+msgid "Default: the value of krb5_realm."
+msgstr "Por defecto: el valor de krb5_realm."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1816
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr "ldap_sasl_canonicalize (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1819
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+"Si se fija en true, la librería LDAP llevaría a cabo una búsqueda inversa "
+"para para canocalizar el nombre de host durante una unión SASL."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1824
+msgid "Default: false;"
+msgstr "Predeterminado: false;"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1830
+msgid "ldap_krb5_keytab (string)"
+msgstr "ldap_krb5_keytab (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1833
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr "Especifica la keytab a usar cuando se utilice SASL/GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1836
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+"Por defecto: Keytab del sistema, normalmente <filename>/etc/krb5.keytab</"
+"filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1842
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr "ldap_krb5_init_creds (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1845
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT).
This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+"Especifica la id de proveedor que iniciaría las credenciales Kerberos (TGT). "
+"Esta acción se lleva a cabo sólo si SASL se usa y el mecanismo seleccionado "
+"es GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1857
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr "ldap_krb5_ticket_lifetime (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1860
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr "Especifica el tiempo de vida en segundos del TGT si se usa GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937
+msgid "Default: 86400 (24 hours)"
+msgstr "Predeterminado: 86400 (24 horas)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74
+msgid "krb5_server, krb5_backup_server (string)"
+msgstr "krb5_server, krb5_backup_server (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1873
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"Especifica una lista separada por comas de direcciones IP o nombres de host "
+"de los servidores Kerberos a los cuales se conectaría SSSD en orden de "
+"preferencia. Para más información sobre failover y redundancia de servidor, "
+"vea la sección <quote>FAILOVER</quote>. Un número de puerto opcional "
+"(precedido de dos puntos) puede ser añadido a las direcciones o nombres de "
+"host. Si está vacío, el servicio descubridor está habilitado – para más "
+"información, vea la sección <quote>SERVICE DISCOVERY</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+"Cuando se utiliza el servicio descubiertos para servidores KDC o kpasswd, "
+"SSSD primero busca entradas DNS que especifiquen _udop como protocolo y "
+"regresa a _tcp si no se encuentra nada."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+"Este opción se llamaba <quote>krb5_kdcip</quote> en las revisiones más "
+"tempranas de SSSD. Mientras el legado de nombre se reconoce por el tiempo "
+"que sea, los usuarios son advertidos para migrar sus ficheros de "
+"configuración para usar <quote>krb5_server</quote> en su lugar."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr "krb5_realm (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1902
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr "Especifica el REALM Kerberos (para autorización SASL/GSSAPI)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1905
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+"Predeterminado: Predeterminados del sistema, vea <filename>/etc/krb5.conf</"
+"filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462
+msgid "krb5_canonicalize (boolean)"
+msgstr "krb5_canonicalize (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1914
+msgid ""
+"Specifies if the host principal should be canonicalized when connecting to "
+"LDAP server. This feature is available with MIT Kerberos >= 1.7"
+msgstr ""
+"Especifica si el host principal sería estandarizado cuando se conecte a un "
+"servidor LDAP. Esta función está disponible con MIT Kerberos >= 1.7"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477
+msgid "krb5_use_kdcinfo (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480
+msgid ""
+"Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+"which KDCs to use.
This option is on by default, if you disable it, you need "
+"to configure the Kerberos library using the <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> configuration file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491
+msgid ""
+"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+"information on the locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1954
+msgid "ldap_pwd_policy (string)"
+msgstr "ldap_pwd_policy (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1957
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+"Seleccione la política para evaluar la caducidad de la contraseña en el lado "
+"del cliente. Los siguientes valores son permitidos:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1962
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+"<emphasis>none</emphasis> - Sin evaluación en el lado cliente. Esta opción "
+"no puede deshabilitar las políticas de password en el lado servidor."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1967
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired."
+msgstr ""
+"<emphasis>shadow</emphasis> - Usa los atributos de estilo "
+"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> para evaluar si la contraseña ha expirado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1973
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+"<emphasis>mit_kerberos</emphasis> - Usa los atributos utilizados por MIT "
+"Kerberos para determinar si el password ha expirado. Use "
+"chpass_provider=krb5 para actualizar estos atributos cuando se cambia el "
+"password."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1982
+msgid ""
+"<emphasis>Note</emphasis>: if a password policy is configured on server "
+"side, it always takes precedence over policy set with this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1990
+msgid "ldap_referrals (boolean)"
+msgstr "ldap_referrals (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1993
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+"Especifica si el seguimiento de referencias automático debería ser "
+"habilitado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1997
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher." 
+msgstr ""
+"Por favor advierta que sssd sólo soporta seguimiento de referencias cuando "
+"está compilado con OpenLDAP versión 2.4.13 o más alta."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2002
+msgid ""
+"Chasing referrals may incur a performance penalty in environments that use "
+"them heavily, a notable example is Microsoft Active Directory. If your setup "
+"does not in fact require the use of referrals, setting this option to false "
+"might bring a noticeable performance improvement."
+msgstr ""
+"Al perseguir referencia se puede incurrir en una penalización de rendimiento "
+"en entornos que lo usen pesadamente, un ejemplo notable es Microsoft Active "
+"Directory. Si su ajuste no requieren de hecho el uso de referencias, fijar "
+"esta opción a false le llevará a una notable mejora de rendimiento."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2016
+msgid "ldap_dns_service_name (string)"
+msgstr "ldap_dns_service_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2019
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+"Especifica el nombre del servicio para utilizar cuando está habilitado el "
+"servicio de descubrimiento."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2023
+msgid "Default: ldap"
+msgstr "Predeterminado: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2029
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr "ldap_chpass_dns_service_name (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2032
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+"Especifica el nombre del servicio para utilizar al buscar un servidor LDAP "
+"que permita cambios de contraseña cuando está habilitado el servicio de "
+"descubrimiento."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2037
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr "Por defecto: no fijado, esto es servicio descubridor deshabilitado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2043
+msgid "ldap_chpass_update_last_change (bool)"
+msgstr "ldap_chpass_update_last_change (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2046
+msgid ""
+"Specifies whether to update the ldap_user_shadow_last_change attribute with "
+"days since the Epoch after a password change operation."
+msgstr ""
+"Especifica si actualizar el atributo ldap_user_shadow_last_change con días "
+"desde el Epoch después de una operación de cambio de contraseña."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2058
+msgid "ldap_access_filter (string)"
+msgstr "ldap_access_filter (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2061
+msgid ""
+"If using access_provider = ldap and ldap_access_order = filter (default), "
+"this option is mandatory. It specifies an LDAP search filter criteria that "
+"must be met for the user to be granted access on this host. 
If "
+"access_provider = ldap, ldap_access_order = filter and this option is not "
+"set, it will result in all users being denied access. Use access_provider = "
+"permit to change this default behavior. Please note that this filter is "
+"applied on the LDAP user entry only and thus filtering based on nested "
+"groups may not work (e.g. memberOf attribute on AD entries points only to "
+"direct parents). If filtering based on nested groups is required, please see "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2081
+msgid "Example:"
+msgstr "Ejemplo:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:2084
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = (employeeType=admin)\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2088
+msgid ""
+"This example means that access to this host is restricted to users whose "
+"employeeType attribute is set to \"admin\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2093
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158
+msgid "Default: Empty"
+msgstr "Predeterminado: vacío"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2107
+msgid "ldap_account_expire_policy (string)"
+msgstr "ldap_account_expire_policy (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2110
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+"Con esta opción pueden ser habilitados los atributos de evaluación de "
+"control de acceso del lado cliente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2114
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+"Por favor advierta que siempre se recomienda utilizar el control de acceso "
+"del lado servidor, esto es el servidor LDAP denegaría petición de enlace con "
+"una código de error definible aunque el password sea correcto."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2121
+msgid "The following values are allowed:"
+msgstr "Los siguientes valores están permitidos:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2124
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+"<emphasis>shadow</emphasis>: usa el valor de ldap_user_shadow_expire para "
+"determinar si la cuenta ha expirado."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2129
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+"<emphasis>ad</emphasis>: usa el valor del campo de 32 bit "
+"ldap_user_ad_user_account_control y permite el acceso si el segundo bit no "
+"está fijado. Si el atributo está desaparecido se concede el acceso. También "
+"se comprueba el tiempo de expiración de la cuenta."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2136
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: usa el valor de ldap_ns_account_lock para comprobar si se permite "
+"el acceso o no."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2142
+msgid ""
+"<emphasis>nds</emphasis>: the values of "
+"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+"ldap_user_nds_login_expiration_time are used to check if access is allowed. "
+"If both attributes are missing access is granted."
+msgstr ""
+"<emphasis>nds</emphasis>: los valores de "
+"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled y "
+"ldap_user_nds_login_expiration_time se usan para comprobar si el acceso está "
+"permitido. Si ambos atributos están desaparecidos se concede el acceso."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2151
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>expire</quote> in order for the "
+"ldap_account_expire_policy option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2164
+msgid "ldap_access_order (string)"
+msgstr "ldap_access_order (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2167
+msgid "Comma separated list of access control options. Allowed values are:"
+msgstr ""
+"Lista separada por coma de opciones de control de acceso. Los valores "
+"permitidos son:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2171
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr "<emphasis>filtro</emphasis>: utilizar ldap_access_filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2174
+msgid ""
+"<emphasis>lockout</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. "
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2184
+msgid ""
+"<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+"quote> option and might be removed in a future release. </emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2191
+msgid ""
+"<emphasis>ppolicy</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z' or represents any time in the past. The "
+"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
+"denotes the UTC time zone. Other time zones are not currently supported and "
+"will result in \"access-denied\" when users attempt to log in. Please see "
+"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' "
+"must be set for this feature to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2208
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr "<emphasis>caducar</emphasis>: utilizar ldap_account_expire_policy"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2212
+msgid ""
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+"pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+"interested in being warned that password is about to expire and "
+"authentication is based on using a different method than passwords - for "
+"example SSH keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2222
+msgid ""
+"The difference between these options is the action taken if user password is "
+"expired: pwd_expire_policy_reject - user is denied to log in, "
+"pwd_expire_policy_warn - user is still able to log in, "
+"pwd_expire_policy_renew - user is prompted to change his password "
+"immediately."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2230
+msgid ""
+"Note If user password is expired no explicit message is prompted by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2234
+msgid ""
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2239
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+"<emphasis>authorized_service</emphasis>: utilizar el atributo "
+"autorizedService para determinar el acceso"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2244
+msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+msgstr ""
+"<emphasis>host</emphasis>: usa el atributo host para determinar el acceso"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2248
+msgid ""
+"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+"remote host can access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2252
+msgid ""
+"Please note, rhost field in pam is set by application, it is better to check "
+"what the application sends to pam, before enabling this access control option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2257
+msgid "Default: filter"
+msgstr "Predeterminado: filter"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2260
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+"Tenga en cuenta que es un error de configuración si un valor es usado más de "
+"una vez."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2267
+msgid "ldap_pwdlockout_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2270
+msgid ""
+"This option specifies the DN of password policy entry on LDAP server. Please "
+"note that absence of this option in sssd.conf in case of enabled account "
+"lockout checking will yield access denied as ppolicy attributes on LDAP "
+"server cannot be checked properly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2278
+msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2281
+msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2287
+msgid "ldap_deref (string)"
+msgstr "ldap_deref (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2290
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+"Especifica cómo se hace la eliminación de referencias al alias cuando se "
+"lleva a cabo una búsqueda. Están permitidas las siguientes opciones:"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2295
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+"<emphasis>never</emphasis>: Nunca serán eliminadas las referencias al alias."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2299
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+"<emphasis>searching</emphasis>: Las referencias al alias son eliminadas en "
+"subordinadas del objeto base, pero no en localización del objeto base de la "
+"búsqueda."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2304
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+"<emphasis>finding</emphasis>: Sólo se eliminarán las referencias a alias "
+"cuando se localice el objeto base de la búsqueda."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2309
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+"<emphasis>always</emphasis>: Las referencias al alias se eliminarán tanto "
+"para la búsqueda como en la localización del objeto base de la búsqueda."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2314
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+"Por defecto: Vacío (esto es manejado como <emphasis>nunca</emphasis> por las "
+"librerías cliente LDAP)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2322
+msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+msgstr "ldap_rfc2307_fallback_to_local_users (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2325
+msgid ""
+"Allows to retain local users as members of an LDAP group for servers that "
+"use the RFC2307 schema."
+msgstr ""
+"Permite retener los usuarios locales como miembros de un grupo LDAP para "
+"servidores que usan el esquema RFC2307."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2329
+msgid ""
+"In some environments where the RFC2307 schema is used, local users are made "
+"members of LDAP groups by adding their names to the memberUid attribute. "
+"The self-consistency of the domain is compromised when this is done, so SSSD "
+"would normally remove the \"missing\" users from the cached group "
+"memberships as soon as nsswitch tries to fetch information about the user "
+"via getpw*() or initgroups() calls."
+msgstr ""
+"En algunos entornos donde se usa el esquema RFC2307, los usuarios locales "
+"son hechos miembros de los grupos LDAP añadiendo sus nombres al atributo "
+"memberUid. La autoconsistencia del dominio se ve comprometida cuando se hace "
+"esto, de modo que SSSD debería normalmente quitar los usuarios "
+"“desparecidos” de las afiliaciones a grupos escondidas tan pronto como "
+"nsswitch intenta ir a buscar información del usuario por medio de las "
+"llamadas getpw*() o initgroups()."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2340
+msgid ""
+"This option falls back to checking if local users are referenced, and caches "
+"them so that later initgroups() calls will augment the local users with the "
+"additional LDAP groups." 
+msgstr ""
+"Esta opción cae de nuevo en comprobar si los usuarios locales están "
+"referenciados, y los almacena en caché de manera que más tarde las llamadas "
+"initgroups() aumentará los usuarios locales con los grupos LDAP adicionales."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136
+msgid "wildcard_limit (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2355
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2359
+msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2363
+msgid "Default: 1000 (often the size of one page)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Todas las opciones de configuración comunes que se aplican a los dominios "
+"SSSD también se aplican a los dominios LDAP. Vea la sección <quote>DOMAIN "
+"SECTIONS</quote> de la página de manual <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para detalles "
+"completos. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2373
+msgid "SUDO OPTIONS"
+msgstr "OPCIONES SUDO"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2375
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2386
+msgid "ldap_sudorule_object_class (string)"
+msgstr "ldap_sudorule_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2389
+msgid "The object class of a sudo rule entry in LDAP."
+msgstr "El objeto clase de una regla de entrada sudo en LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2392
+msgid "Default: sudoRole"
+msgstr "Por defecto: sudoRole"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2398
+msgid "ldap_sudorule_name (string)"
+msgstr "ldap_sudorule_name (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2401
+msgid "The LDAP attribute that corresponds to the sudo rule name."
+msgstr "El atributo LDAP que corresponde a la regla nombre de sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2411
+msgid "ldap_sudorule_command (string)"
+msgstr "ldap_sudorule_command (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2414
+msgid "The LDAP attribute that corresponds to the command name." 
+msgstr "El atributo LDAP que corresponde al nombre de comando."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2418
+msgid "Default: sudoCommand"
+msgstr "Por defecto: sudoCommand"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2424
+msgid "ldap_sudorule_host (string)"
+msgstr "ldap_sudorule_host (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2427
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
+msgstr ""
+"El atributo LDAP que corresponde al nombre de host (o dirección IP del host, "
+"red IP del host o grupo de red del host)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2432
+msgid "Default: sudoHost"
+msgstr "Por defecto: sudoHost"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2438
+msgid "ldap_sudorule_user (string)"
+msgstr "ldap_sudorule_user (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2441
+msgid ""
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
+msgstr ""
+"El atributo LDAP que corresponde al nombre de usuario (o UID. nombre de "
+"grupo o grupo de red del usuario)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2445
+msgid "Default: sudoUser"
+msgstr "Por defecto: sudoUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2451
+msgid "ldap_sudorule_option (string)"
+msgstr "ldap_sudorule_option (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2454
+msgid "The LDAP attribute that corresponds to the sudo options."
+msgstr "El atributo LDAP que corresponde a las opciones sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2458
+msgid "Default: sudoOption"
+msgstr "Por defecto: sudoOption"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2464
+msgid "ldap_sudorule_runasuser (string)"
+msgstr "ldap_sudorule_runasuser (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2467
+msgid ""
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
+msgstr ""
+"El atributo LDAP que corresponde al nombre de usuario que los comandos "
+"pueden ejecutar como."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2471
+msgid "Default: sudoRunAsUser"
+msgstr "Por defectot: sudoRunAsUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2477
+msgid "ldap_sudorule_runasgroup (string)"
+msgstr "ldap_sudorule_runasgroup (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2480
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
+msgstr ""
+"El atributo LDAP que corresponde al nombre de grupo o GID de grupo que puede "
+"ejecutar comandos como."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2484
+msgid "Default: sudoRunAsGroup"
+msgstr "Por defecto: sudoRunAsGroup"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2490
+msgid "ldap_sudorule_notbefore (string)"
+msgstr "ldap_sudorule_notbefore (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2493
+msgid ""
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
+msgstr ""
+"El atributo LDAP que corresponde al inicio de fecha/hora para cuando la "
+"regla sudo es válida."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2497
+msgid "Default: sudoNotBefore"
+msgstr "Por defecto: sudoNotBefore"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2503
+msgid "ldap_sudorule_notafter (string)"
+msgstr "ldap_sudorule_notafter (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2506
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
+msgstr ""
+"El atributo LDAP que corresponde a la fecha/hora final, después de la cual "
+"la regla sudo dejará de ser válida."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2511
+msgid "Default: sudoNotAfter"
+msgstr "Por defecto: sudoNotAfter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2517
+msgid "ldap_sudorule_order (string)"
+msgstr "ldap_sudorule_order (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2520
+msgid "The LDAP attribute that corresponds to the ordering index of the rule." 
+msgstr "El atributo LDAP que corresponde al índice de ordenación de la regla."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2524
+msgid "Default: sudoOrder"
+msgstr "Por defecto: sudoOrder"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2530
+msgid "ldap_sudo_full_refresh_interval (integer)"
+msgstr "ldap_sudo_full_refresh_interval (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2533
+msgid ""
+"How many seconds SSSD will wait between executing a full refresh of sudo "
+"rules (which downloads all rules that are stored on the server)."
+msgstr ""
+"Cuantos segundos esperará SSSD entre ejecutar un refresco total de las "
+"reglas sudo (que descarga todas las reglas que están almacenadas en el "
+"servidor)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2538
+msgid ""
+"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+msgstr ""
+"El valor debe ser mayor que <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2543
+msgid "Default: 21600 (6 hours)"
+msgstr "Por defecto: 21600 (6 horas)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2549
+msgid "ldap_sudo_smart_refresh_interval (integer)"
+msgstr "ldap_sudo_smart_refresh_interval (entero)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2552
+msgid ""
+"How many seconds SSSD has to wait before executing a smart refresh of sudo "
+"rules (which downloads all rules that have USN higher than the highest USN "
+"of cached rules)."
+msgstr ""
+"Cuantos segundos tiene que esperar SSSD antes de ejecutar una actualización "
+"inteligente de las reglas sudo (que descarga todas las reglas que tienen "
+"USBN más alto que el USN más alto de las reglas escondidas)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2558
+msgid ""
+"If USN attributes are not supported by the server, the modifyTimestamp "
+"attribute is used instead."
+msgstr ""
+"Si los atributos USN no se soportan por el servidor, se usa en su lugar el "
+"atributo modifyTimestamp."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2568
+msgid "ldap_sudo_use_host_filter (boolean)"
+msgstr "ldap_sudo_use_host_filter (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2571
+msgid ""
+"If true, SSSD will download only rules that are applicable to this machine "
+"(using the IPv4 or IPv6 host/network addresses and hostnames)."
+msgstr ""
+"Si es true, SSSD descargará sólo las reglas que son aplicables a esta "
+"máquina (usando las direcciones de host/red y nombres de host IPv4 o IPv6)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2582
+msgid "ldap_sudo_hostnames (string)"
+msgstr "ldap_sudo_hostnames (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2585
+msgid ""
+"Space separated list of hostnames or fully qualified domain names that "
+"should be used to filter the rules."
+msgstr ""
+"Lista separada por espacios de nombres de host o nombres de dominio "
+"totalmente cualificados que sería usada para filtrar las reglas."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2590
+msgid ""
+"If this option is empty, SSSD will try to discover the hostname and the "
+"fully qualified domain name automatically."
+msgstr ""
+"Si esta opción está vacía, SSSD intentará descubrir el nombre de host y el "
+"nombre de dominio totalmente cualificado automáticamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636
+#: sssd-ldap.5.xml:2654
+msgid ""
+"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+"emphasis> then this option has no effect."
+msgstr ""
+"Si <emphasis>ldap_sudo_use_host_filter</emphasis> es <emphasis>false</"
+"emphasis> esta opción no tiene efecto."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623
+msgid "Default: not specified"
+msgstr "Por defecto: no especificado"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2606
+msgid "ldap_sudo_ip (string)"
+msgstr "ldap_sudo_ip (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2609
+msgid ""
+"Space separated list of IPv4 or IPv6 host/network addresses that should be "
+"used to filter the rules."
+msgstr ""
+"Lista separada por espacios de direcciones de host/red IPv4 o IPv6 que sería "
+"usada para filtrar las reglas."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2614
+msgid ""
+"If this option is empty, SSSD will try to discover the addresses "
+"automatically."
+msgstr ""
+"esta opción está vacía, SSSD intentará descrubrir las direcciones "
+"automáticamente."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2629
+msgid "ldap_sudo_include_netgroups (boolean)"
+msgstr "sudo_include_netgroups (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2632
+msgid ""
+"If true then SSSD will download every rule that contains a netgroup in "
+"sudoHost attribute."
+msgstr ""
+"Si está a true SSSD descargará cada regla que contenga un grupo de red en el "
+"atributo sudoHost."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2647
+msgid "ldap_sudo_include_regexp (boolean)"
+msgstr "ldap_sudo_include_regexp (booleano)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2650
+msgid ""
+"If true then SSSD will download every rule that contains a wildcard in "
+"sudoHost attribute."
+msgstr ""
+"Si es verdad SSSD descargará cada regla que contenga un comodín en el "
+"atributo sudoHost."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2666
+msgid ""
+"This manual page only describes attribute name mapping. For detailed "
+"explanation of sudo related attribute semantics, see <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+"Esta página de manual sólo describe el atributo de nombre mapping. 
Para una "
+"explicación detallada de la semántica del atributo relacionada con sudo, vea "
+"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2676
+msgid "AUTOFS OPTIONS"
+msgstr "OPCIONES AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2678
+msgid ""
+"Some of the defaults for the parameters below are dependent on the LDAP "
+"schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2684
+msgid "ldap_autofs_map_master_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2687
+msgid "The name of the automount master map in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2690
+msgid "Default: auto.master"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2697
+msgid "ldap_autofs_map_object_class (string)"
+msgstr "ldap_autofs_map_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2700
+msgid "The object class of an automount map entry in LDAP."
+msgstr "El objeto clase de una entrada de mapa de automontaje en LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr "ldap_autofs_map_name (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr "El nombre de una entrada de mapa de automontaje en LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr "ldap_autofs_entry_object_class (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr "ldap_autofs_entry_key (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+"La clave de una entrada de automontaje en LDAP. La entrada corresponde "
+"normalmente a un punto de montaje."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr "ldap_autofs_entry_value (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "OPCIONES AVANZADAS"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr "ldap_sudo_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr "ldap_autofs_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "EJEMPLO"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+"El siguiente ejemplo asume que SSSS está configurado correctamente y LDAP "
+"está fijado a uno de los dominios de la sección <replaceable>[domains]</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "NOTAS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+"Las descripciones de algunas de las opciones de configuración en esta página "
+"de manual están basadas en la página de manual <citerefentry> "
+"<refentrytitle>ldap.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> de la distribución OpenLDAP 2.4."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "Módulo PAM para SSSD"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+"<command>pam_sss.so</command> es la interfaz PAM para el demonio Servicios "
+"de Seguridad de Sistema (SSSD). Los errores y resultados son registrados a "
+"través de <command>syslog(3)</command> con la facilidad LOG_AUTHPRIV."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr "Suprime el registro de mensajes de usuarios desconocidos."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+"Si <option>forward_pass</option> está fijada el password introducido se pone "
+"en la pila para que lo usen otros módulos PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+"El argumento use_first_pass fuerza al módulo a usar un módulo de password "
+"apilado previamente y nunca preguntará al usuario - si no hay password "
+"disponible o el password no es apropiado, se denegará el acceso al usuario."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+"Cuando cambia el password fuerza al módulo a fijar el nuevo password a uno "
+"suministrado por un módulo de password previamente apilado."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+"Si el usuario especificado es preguntado N veces por un password si la "
+"autenticación falla. Por defecto es 0."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+"Por favor advierta que esta opción puede no trabajar como se espera llamando "
+"PAM a manejar el diálogo de usuario por el mismo. Un ejecplo típico es "
+"<command>sshd</command> con <option>PasswordAuthentication</option>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr "TIPOS DE MÓDULOS SUMINISTRADOS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+"Todos los tipos de módulos (<option>account</option>, <option>auth</option>, "
+"<option>password</option> y <option>session</option>) son suministrados."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr "ARCHIVOS"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+"Si un password se resetea por un fallo de root, como el correspondiente "
+"proveedor SSSD no soporta el reseteo de password, se puede mostrar un "
+"mensaje individual. Este mensaje puede, por ejemplo, contener instrucciones "
+"sobre como resetear un password."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:220
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permissions."
+msgstr ""
+"El mensaje se lee desde el fichero <filename>pam_sss_pw_reset_message.LOC</"
+"filename> donde LOC destaca una cadena de lugar devuelta por <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. Si no hay fichero coincidente se muestra el contenido de "
+"<filename>pam_sss_pw_reset_message.txt</filename>. Root debe ser el "
+"propietario de los ficheros y sólo root puede tener permisos de lectura y "
+"escritura mientras que todos los demás usuarios sólo tienen permisos de "
+"lectura."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:230
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. 
If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+"Estos ficheros son buscados en el directorio <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. Si no hay archivos coincidentes se muestra un "
+"mensaje genérico."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr "sssd_krb5_locator_plugin"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_locator_plugin.8.xml:16
+msgid "Kerberos locator plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use. Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplify the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. 
"
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variables and returns them to the "
+"libraries."
+msgstr ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> pone el Reino y el nombre o dirección IP del KDC en las "
+"variables de entorno SSSD_KRB5_REALM y SSSD_KRB5_KDC respectivamente. Cuando "
+"<command>sssd_krb5_locator_plugin</command> es llamado por las librerías "
+"kerberos lee y evalúa estas variables y se las devuelve a las librerías."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+"No todas las implementaciones Kerberos soportan el uso de plugins. Si "
+"<command>sssd_krb5_locator_plugin</command> no está disponible en su sistema "
+"usted tiene que editar /etc/krb5.conf para reflejar sus ajustes Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+"Si la variable de entorno SSSD_KRB5_LOCATOR_DEBUR está fijada a cualquier "
+"valor los mensajes de depuración se enviarán a stderr."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr "sssd-simple"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+"el fichero de configuración para en proveedor de control de acceso 'simple' "
+"de SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+"Esta página de manual describe la configuración del proveedor de control de "
+"acceso simple para <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Para una referencia detallada de "
+"sintaxis, vea la sección <quote>FILE FORMAT</quote> de la página de manual "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+"El proveedor de acceso simple otorga o deniega el acceso en base a una lista "
+"de acceso o denegación de usuarios o grupo de nombres. Se aplican las "
+"siguientes reglas:"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr "Si todas las listas están vacías, se concede acceso"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+"Si se ha suministrado alguna lista, el orden de evaluación es permitir,"
+"denegar. Esto significa que cualquier regla de denegación será saltada por "
+"cualquier regla de permiso coincidente."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+"Si una o ambas listas de \"permiso\" se suministran, todos los usuarios "
+"serán denegados a no ser que aparezcan en la lista."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+"Si sólo se suministran listas de \"denegación\", todos los usuarios "
+"obtendran acceso a no ser que aparezcan en la lista."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr "simple_allow_users (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr "Lista separada por comas de usuarios a los está permitido el acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr "simple_deny_users (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+"Lista separada por comas de usuarios a los que explicítamente se les deniega "
+"el acceso."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr "simple_allow_groups (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+"Lista separada por comas de grupos que tienen permitido el acceso. Esto se "
+"aplica sólo a los grupos dentro del dominio SSSD. Los grupos locales no "
+"serán evaluados."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr "simple_deny_groups (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+"Lista separada por comas de grupos a los que explicítamente se les deniega "
+"el acceso. Esto se aplica sólo a los grupos dentro del dominio SSSD. Los "
+"grupos locales no serán evaluados."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Vea la sección <quote>DOMAIN SECTIONS</quote> de la página de manual "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> para detalles sobre la configuración de un "
+"dominio SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+"No especificando valores para ninguna de las listas es equivalente a "
+"saltarle totalmente. Tenga cuidado de esto mientras genera parámetros para "
+"el simple proveedor usando secuencias de comandos automatizadas."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+"Por favor advierta que es un error de configuración si tanto, "
+"simple_allow_users como simple_deny_user, están definidos."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+"El siguiente ejemplo asume que SSSD está correctamente configurado y example."
+"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. "
+"Este ejemplo muestra sólo las opciones específicas del proveedor de acceso "
+"simple."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. 
If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. "
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. "
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:312
+msgid "<SAN:iPAddress>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:315
+msgid "Match the value of the iPAddress SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:318
+msgid "Example: <SAN:iPAddress>192\\.168\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:323
+msgid "<SAN:registeredID>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:326
+msgid "Match the value of the registeredID SAN as dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:330
+msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:68
+msgid ""
+"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:461
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by pkinit. The 'short_name' component represents the first part of the "
+"principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:467
+msgid ""
+"Example: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:472
+msgid "{subject_nt_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:475
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by AD. The 'short_name' component represent the first part of the principal "
+"before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:486
+msgid "{subject_rfc822_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:489
+msgid ""
+"This template will add the string which is stored in the rfc822Name "
+"component of the SAN, typically an email address. The 'short_name' component "
+"represents the first part of the address before the '@' sign."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:495
+msgid ""
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:500
+msgid "{subject_dns_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:503
+msgid ""
+"This template will add the string which is stored in the dNSName component "
+"of the SAN, typically a fully-qualified host name. The 'short_name' "
+"component represents the first part of the name before the first '.' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:509
+msgid ""
+"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:514
+msgid "{subject_uri}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:517
+msgid ""
+"This template will add the string which is stored in the "
+"uniformResourceIdentifier component of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:521
+msgid "Example: (uri={subject_uri})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:526
+msgid "{subject_ip_address}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:529
+msgid ""
+"This template will add the string which is stored in the iPAddress component "
+"of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:533
+msgid "Example: (ip={subject_ip_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:538
+msgid "{subject_x400_address}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:541
+msgid ""
+"This template will add the value which is stored in the x400Address "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:546
+msgid "Example: (attr:binary={subject_x400_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:551
+msgid ""
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:554
+msgid ""
+"This template will add the DN string of the value which is stored in the "
+"directoryName component of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:558
+msgid "Example: (orig_dn={subject_directory_name})"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:563
+msgid "{subject_ediparty_name}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:566
+msgid ""
+"This template will add the value which is stored in the ediPartyName "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:571
+msgid "Example: (attr:binary={subject_ediparty_name})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:576
+msgid "{subject_registered_id}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:579
+msgid ""
+"This template will add the OID which is stored in the registeredID component "
+"of the SAN as a dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:584
+msgid "Example: (oid={subject_registered_id})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:369
+msgid ""
+"The templates to add certificate data to the search filter are based on "
+"Python-style formatting strings. They consist of a keyword in curly braces "
+"with an optional sub-component specifier separated by a '.' or an optional "
+"conversion/formatting option separated by a '!'. Allowed values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:592
+msgid "DOMAIN LIST"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:594
+msgid ""
+"If the domain list is not empty users mapped to a given certificate are not "
+"only searched in the local domain but in the listed domains as well as long "
+"as they are know by SSSD. Domains not know to SSSD will be ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr "sssd-ipa"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ipa.5.xml:17
+msgid "SSSD IPA provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Este página de manual describe la configuración del proveedor IPA para "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Para una referencia de sintaxis detalladas, vea la sección "
+"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server. (Refer to "
+"the freeipa.org web site for information about IPA servers.) This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+"El proveedor IPA es un back end usado para conectar a un servidor IPA. 
(Vea "
+"el sitio web freeipa.org para información sobre los servidores IPA). Este "
+"proveedor requiere que la máquina este unido al dominio IPA; la "
+"configuración es casi enteramente auto descubierta y obtenida directamente "
+"del servidor."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control) rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
+"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
+"quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:73
+msgid ""
+"The IPA provider will use the PAC responder if the Kerberos tickets of users "
+"from trusted realms contain a PAC. To make configuration easier the PAC "
+"responder is started automatically if the IPA ID provider is configured."
+msgstr ""
+"El porveedor IPA usara el respondedor PAC si las entradas Kerberos de los "
+"usuario de reinos confiables contienen un PAC. Para hacer la configuración "
+"más fácil el respondedor PAC es iniciado automáticamente si la ID del "
+"proveedor IPA está configurada."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:89
+msgid "ipa_domain (string)"
+msgstr "ipa_domain (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:92
+msgid ""
+"Specifies the name of the IPA domain. This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+"Especifica el nombre del dominio IPA. Esto es opcional. Si no se suministra, "
+"se usa el nombre de configuración del dominio."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:100
+msgid "ipa_server, ipa_backup_server (string)"
+msgstr "ipa_server, ipa_backup_server (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:103
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." 
+msgstr ""
+"La lista separada por comas de direcciones IP o nombres de host de los "
+"servidores IPA a los que SSSD se conectaría en orden de preferencia. Para "
+"más información sobre conmutación en error y redundancia de servidores, vea "
+"la sección <quote>FAILOVER</quote>. Esto es opcional si autodiscovery está "
+"habilitado. Para más información sobre el servicio descubridor, vea la "
+"sección <quote>SERVICE DISCOVERY</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:116
+msgid "ipa_hostname (string)"
+msgstr "ipa_hostname (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:119
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host. The "
+"hostname must be fully qualified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866
+msgid "dyndns_update (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:131
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA with the IP address of this client. The update is secured "
+"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
+"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
+"quote> option."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880
+msgid ""
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+"the default Kerberos realm must be set properly in /etc/krb5.conf"
+msgstr ""
+"NOTA: Sobre sistemas más antiguos (como RHEL 5), para que este "
+"comportamiento trabaje fiablemente, el reino por defecto Kerberos debe ser "
+"fijado apropiadamente en /etc/krb5.conf"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:145
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891
+msgid "dyndns_ttl (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894
+msgid ""
+"The TTL to apply to the client DNS record when updating it. If "
+"dyndns_update is false this has no effect. This will override the TTL "
+"serverside if set by an administrator."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:165
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:171
+msgid "Default: 1200 (seconds)"
+msgstr "Por defecto: 1200 (segundos)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905
+msgid "dyndns_iface (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908
+msgid ""
+"Optional. Applicable only when dyndns_update is true. Choose the interface "
+"or a list of interfaces whose IP addresses should be used for dynamic DNS "
+"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
+"should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:187
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:193
+msgid ""
+"Default: Use the IP addresses of the interface which is used for IPA LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919
+msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970
+msgid "dyndns_auth (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"updates with the DNS server, insecure updates can be sent by setting this "
+"option to 'none'."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979
+msgid "Default: GSS-TSIG"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:218
+msgid "ipa_enable_dns_sites (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
+msgid "Enables DNS sites - location based service discovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:225
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, then the SSSD will first attempt location "
+"based discovery using a query that contains \"_location.hostname.example.com"
+"\" and then fall back to traditional SRV discovery. If the location based "
+"discovery succeeds, the IPA servers located with the location based "
+"discovery are treated as primary servers and the IPA servers located using "
+"the traditional SRV discovery are used as back up servers"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925
+msgid "dyndns_refresh_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:247
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943
+msgid "dyndns_update_ptr (bool)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946
+msgid ""
+"Whether the PTR record should also be explicitly updated when updating the "
+"client's DNS records. Applicable only when dyndns_update is true."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:268
+msgid ""
+"This option should be False in most IPA deployments as the IPA server "
+"generates the PTR records automatically when forward records are changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:274
+msgid "Default: False (disabled)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957
+msgid "dyndns_force_tcp (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960
+msgid ""
+"Whether the nsupdate utility should default to using TCP for communicating "
+"with the DNS server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964
+msgid "Default: False (let nsupdate choose the protocol)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985
+msgid "dyndns_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988
+msgid ""
+"The DNS server to use when performing a DNS update. In most setups, it's "
+"recommended to leave this option unset."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993
+msgid ""
+"Setting this option makes sense for environments where the DNS server is "
+"different from the identity server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998
+msgid ""
+"Please note that this option will be only used in fallback attempt when "
+"previous attempt using autodetected settings failed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003
+msgid "Default: None (let nsupdate choose the server)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:317
+msgid "ipa_deskprofile_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:320
+msgid ""
+"Optional. Use the given string as search base for Desktop Profile related "
+"objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337
+msgid "Default: Use base DN"
+msgstr "Predeterminado: Utilizar DN base"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:330
+msgid "ipa_hbac_search_base (string)"
+msgstr "ipa_hbac_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:333
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+"Opcional. Usa la cadena dada como base de búsqueda para los objetos HBAC "
+"relacionados."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:343
+msgid "ipa_host_search_base (string)"
+msgstr "ipa_host_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:346
+msgid "Deprecated. Use ldap_host_search_base instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:352
+msgid "ipa_selinux_search_base (string)"
+msgstr "ipa_selinux_search_base (cadena)Opcional. "
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:355
+msgid "Optional. Use the given string as search base for SELinux user maps."
+msgstr ""
+"Opcional. Usa la cadena dada como base de búsqueda para los mapas de usuario "
+"SELinux."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:371
+msgid "ipa_subdomains_search_base (string)"
+msgstr "ipa_subdomains_search_base (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:374
+msgid "Optional. Use the given string as search base for trusted domains."
+msgstr ""
+"Opcional: Usa la cadena dada como base de búsqueda de dominios de confianza."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:383
+msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+msgstr "Por defecto: el valor de <emphasis>cn=trusts,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:390
+msgid "ipa_master_domain_search_base (string)"
+msgstr "ipa_master_domain_search_base (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:393
+msgid "Optional. Use the given string as search base for master domain object."
+msgstr ""
+"Opcional: Usa la cadena dada como base de búsqueda para el objeto maestro de "
+"dominio."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:402
+msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+msgstr "Por defecto: el valor de <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:409
+msgid "ipa_views_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:412
+msgid "Optional. Use the given string as search base for views containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:421
+msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:431
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+"El nombre del reino Kerberos. Esto es opcional y por defecto está al valor "
+"de <quote>ipa_domain</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:435
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations." 
+msgstr ""
+"El nombre del reino Kerberos tiene un significado especial en IPA – es "
+"convertido hacia la base DN para usarlo para llevar a cabo operaciones LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012
+msgid "krb5_confd_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023
+msgid ""
+"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:461
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:464
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431
+msgid "Default: 5 (seconds)"
+msgstr "Predeterminado: 5 (segundos)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "ipa_hbac_refresh (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" +"La cantidad de tiempo entre vbúsquedas de las reglas HBAC contra el servidor " +"IPA. Esto reducirá la latencia y la carga sobre el servidor IPA si hay " +"muchas peticiones de control de acceso hechas en un corto período." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "ipa_hbac_selinux (entero)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." 
+msgstr "" +"La cantidad de tiempo entre búsquedas de los mapas SELinux contra el " +"servidor IPA. Esto reducirá la latencia y la carga sobre el servidor IPA si " +"hay muchas peticiones de acceso de usuario hechas en un corto período." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "ipa_automount_location (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "La localización del automontador de este cliente IPA que será usada" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "Por defecto: La localización llamada “default”" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "PROVEEDOR DE SUBDOMINIOS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" +"El proveedor de subdominios IPA se comporta de forma ligeramente diferente " +"si está configurado explícitamente o implícitamente." + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" +"Si la opción ' subdomains_provider = ipa' se encuentra en la sección de " +"dominio de sssd.conf, el proveedor de subdominios de IPA se configura " +"explícitamente, y todas las peticiones de subdominio se envían al servidor " +"de IPA si es necesario." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +#, fuzzy +#| msgid "" +#| "These configuration options can be present in a domain configuration " +#| "section, that is, in a section called <quote>[domain/<replaceable>NAME</" +#| "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgid "" +"Some configuration options can be also set for a trusted domain. 
A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Estas opciones de configuración pueden estar presentes en la sección " +"configuración de dominio, esto es, en una sección llamada <quote>[domain/" +"<replaceable>NAME</replaceable>]</quote> <placeholder type=\"variablelist\" " +"id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +#, fuzzy +#| msgid "" +#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +#| "manvolnum> </citerefentry> manual page for more details." +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Por favor vea el parámetro <quote>dns_discovery_domain</quote> en la página " +"de manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> para más detalles." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +#, fuzzy +#| msgid "ad_server, ad_backup_server (string)" +msgid "ad_backup_server" +msgstr "ad_server, ad_backup_server (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +#, fuzzy +#| msgid "ldap_search_base (string)" +msgid "ldap_search_base" +msgstr "ldap_search_base (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +#, fuzzy +#| msgid "ldap_user_search_base (string)" +msgid "ldap_user_search_base" +msgstr "ldap_user_search_base (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +#, fuzzy +#| msgid "ldap_group_search_base (string)" +msgid "ldap_group_search_base" +msgstr "ldap_group_search_base (cadena)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" +"El siguiente ejemplo asume que SSSD está correctamente configurado y example." +"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. " +"Este ejemplo muestra sólo las opciones específicas del proveedor ipa." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Esta página de manual describe la configuración del proveedor AD para " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Para una referencia detallada de sintaxis, vea la sección " +"<quote>FILE FORMAT</quote> de la página de manual <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" +"El proveedor AD soporta la conexión a Active Directory 2008 R2 o " +"posteriores. Las versiones anteriores pueden trabajar, pero no está " +"soportadas." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. 
In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" +"ldap_id_mapping = False\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. 
For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" +"Especifica el nombre del dominio Active Directory. Esto es opcional. Si no " +"se suministra, se usa la configuración del nombre de dominio." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" +"Para una operativa apropiada, esta opción sería especificada en la versión " +"minúscula de la versión larga del dominio Active Directory." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" +"Opcional. 
Puede ser fijada en máquinas donde el hostname(5) no refleja el " +"nombre totalmente cualificado usaro en el dominio Active Directory para " +"identificar este host." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" +"Este campo se usa para determinar el host principal en uso en la keytab. " +"Debe coincidir con el nombre del host desde que se envío la keytab." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. 
For example, if the option specified "
+"filter for a domain the user is a member of and a global filter, the per-"
+"domain filter would be applied. If there are more matches with the same "
+"specification, the first one is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ad.5.xml:289
+#, no-wrap
+msgid ""
+"# apply filter on domain called dom1 only:\n"
+"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+"\n"
+"# apply filter on domain called dom2 only:\n"
+"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+"\n"
+"# apply filter on forest called EXAMPLE.COM only:\n"
+"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:308
+msgid "ad_site (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:311
+msgid ""
+"Specify AD site to which client should try to connect. If this option is "
+"not provided, the AD site will be auto-discovered."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:322
+msgid "ad_enable_gc (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:325
+msgid ""
+"By default, the SSSD connects to the Global Catalog first to retrieve users "
+"from trusted domains and uses the LDAP port to retrieve group memberships or "
+"as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
+"port of the current AD server."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:333
+msgid ""
+"Please note that disabling Global Catalog support does not disable "
+"retrieving users from trusted domains. The SSSD would connect to the LDAP "
+"port of trusted domains instead. However, Global Catalog must be used in "
+"order to resolve cross-domain group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:347
+msgid "ad_gpo_access_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:350
+msgid ""
+"This option specifies the operation mode for GPO-based access control "
+"functionality: whether it operates in disabled mode, enforcing mode, or "
+"permissive mode. Please note that the <quote>access_provider</quote> option "
+"must be explicitly set to <quote>ad</quote> in order for this option to have "
+"an effect."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:359
+msgid ""
+"GPO-based access control functionality uses GPO policy settings to determine "
+"whether or not a particular user is allowed to logon to a particular host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:365
+msgid ""
+"NOTE: The current version of SSSD does not support host (computer) entries "
+"in the GPO 'Security Filtering' list. Only user and group entries are "
+"supported. Host entries in the list have no effect."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:372
+msgid ""
+"NOTE: If the operation mode is set to enforcing, it is possible that users "
+"that were previously allowed logon access will now be denied logon access "
+"(as dictated by the GPO policy settings). In order to facilitate a smooth "
+"transition for administrators, a permissive mode is available that will not "
+"enforce the access control rules, but will evaluate them and will output a "
+"syslog message if access would have been denied. By examining the logs, "
+"administrators can then make the necessary changes before setting the mode "
+"to enforcing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:385
+msgid "There are three supported values for this option:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:389
+msgid ""
+"disabled: GPO-based access control rules are neither evaluated nor enforced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:395
+msgid "enforcing: GPO-based access control rules are evaluated and enforced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:401
+msgid ""
+"permissive: GPO-based access control rules are evaluated, but not enforced. "
+"Instead, a syslog message will be emitted indicating that the user would "
+"have been denied access if this option's value were set to enforcing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:412
+msgid "Default: permissive"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:415
+msgid "Default: enforcing"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:421
+msgid "ad_gpo_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:424
+msgid ""
+"The amount of time between lookups of GPO policy files against the AD "
+"server. This will reduce the latency and load on the AD server if there are "
+"many access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:437
+msgid "ad_gpo_map_interactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:440
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the InteractiveLogonRight and "
+"DenyInteractiveLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:446
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on locally\" and \"Deny log on locally\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:460
+#, no-wrap
+msgid ""
+"ad_gpo_map_interactive = +my_pam_service, -login\n"
+" "
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:451
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>login</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651
+#: sssd-ad.5.xml:717
+msgid "Default: the default set of PAM service names includes:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:468
+msgid "login"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:473
+msgid "su"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:478
+msgid "su-l"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:483
+msgid "gdm-fingerprint"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:488
+msgid "gdm-password"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:493
+msgid "gdm-smartcard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:498
+msgid "kdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:503
+msgid "lightdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:508
+msgid "lxdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:513
+msgid "sddm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:518
+msgid "unity"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:523
+msgid "xdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:532
+msgid "ad_gpo_map_remote_interactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:535
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the RemoteInteractiveLogonRight and "
+"DenyRemoteInteractiveLogonRight policy settings."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:541
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on through Remote Desktop Services\" and \"Deny log on through Remote "
+"Desktop Services\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:556
+#, no-wrap
+msgid ""
+"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:547
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>sshd</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:564
+msgid "sshd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:569
+msgid "cockpit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:578
+msgid "ad_gpo_map_network (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:581
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the NetworkLogonRight and "
+"DenyNetworkLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:587
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Access "
+"this computer from the network\" and \"Deny access to this computer from the "
+"network\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:602
+#, no-wrap
+msgid ""
+"ad_gpo_map_network = +my_pam_service, -ftp\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:593
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>ftp</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:610
+msgid "ftp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:615
+msgid "samba"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:624
+msgid "ad_gpo_map_batch (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:627
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+"policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:633
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on as a batch job\" and \"Deny log on as a batch job\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:647
+#, no-wrap
+msgid ""
+"ad_gpo_map_batch = +my_pam_service, -crond\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:638
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>crond</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:655
+msgid "crond"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:664
+msgid "ad_gpo_map_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:667
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the ServiceLogonRight and "
+"DenyServiceLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:673
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on as a service\" and \"Deny log on as a service\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:686
+#, no-wrap
+msgid ""
+"ad_gpo_map_service = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:678 sssd-ad.5.xml:753
+msgid ""
+"It is possible to add a PAM service name to the default set by using <quote>"
+"+service_name</quote>. Since the default set is empty, it is not possible "
+"to remove a PAM service name from the default set. For example, in order to "
+"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you "
+"would use the following configuration: <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:696
+msgid "ad_gpo_map_permit (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:699
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access is "
+"always granted, regardless of any GPO Logon Rights."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:713
+#, no-wrap
+msgid ""
+"ad_gpo_map_permit = +my_pam_service, -sudo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:704
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for unconditionally permitted "
+"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:721
+msgid "polkit-1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:726
+msgid "sudo"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:731
+msgid "sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:736
+msgid "systemd-user"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:745
+msgid "ad_gpo_map_deny (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:748
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access is "
+"always denied, regardless of any GPO Logon Rights."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:761
+#, no-wrap
+msgid ""
+"ad_gpo_map_deny = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:771
+msgid "ad_gpo_default_right (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:774
+msgid ""
+"This option defines how access control is evaluated for PAM service names "
+"that are not explicitly listed in one of the ad_gpo_map_* options. This "
+"option can be set in two different manners. First, this option can be set to "
+"use a default logon right. For example, if this option is set to "
+"'interactive', it means that unmapped PAM service names will be processed "
+"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy "
+"settings. Alternatively, this option can be set to either always permit or "
+"always deny access for unmapped PAM service names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:787
+msgid "Supported values for this option include:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:791
+msgid "interactive"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:796
+msgid "remote_interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:801
+msgid "network"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:806
+msgid "batch"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:811
+msgid "service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:816
+msgid "permit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:821
+msgid "deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:827
+msgid "Default: deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:833
+msgid "ad_maximum_machine_account_password_age (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:836
+msgid ""
+"SSSD will check once a day if the machine account password is older than the "
+"given age in days and try to renew it. A value of 0 will disable the renewal "
+"attempt."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:842
+msgid "Default: 30 days"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:848
+msgid "ad_machine_account_password_renewal_opts (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:851
+msgid ""
+"This option should only be used to test the machine account renewal task. "
+"The option expects 2 integers separated by a colon (':'). The first integer "
+"defines the interval in seconds how often the task is run. The second "
+"specifies the initial timeout in seconds before the task is run for the "
+"first time after startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:860
+msgid "Default: 86400:750 (24h and 15m)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:869
+msgid ""
+"Optional. This option tells SSSD to automatically update the Active "
+"Directory DNS server with the IP address of this client. The update is "
+"secured using GSS-TSIG. As a consequence, the Active Directory administrator "
+"only needs to allow secure updates for the DNS zone. The IP address of the "
+"AD LDAP connection is used for the updates, if it is not otherwise specified "
+"by using the <quote>dyndns_iface</quote> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:899
+msgid "Default: 3600 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:915
+msgid ""
+"Default: Use the IP addresses of the interface which is used for AD LDAP "
+"connection"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:928
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Predeterminado: True"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1043
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This example shows only the AD provider-specific options."
+msgstr ""
+"El siguiente ejemplo asume que SSSD está correctamente configurado y example."
+"com es uno de los dominios en la sección <replaceable>[sssd]</replaceable>. "
+"Este ejemplo muestra sólo las opciones específicas del proveedor AD."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1050
+#, no-wrap
+msgid ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+msgstr ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+
+#.
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1070
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1066
+msgid ""
+"The AD access control provider checks if the account is expired. It has the "
+"same effect as the following configuration of the LDAP provider: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"El proveedor de control de acceso AD comprueba si la cuenta está expirada. "
+"Tiene el mismo efecto que la siguiente configuración del proveedor LDAP: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1076
+msgid ""
+"However, unless the <quote>ad</quote> access control provider is explicitly "
+"configured, the default access provider is <quote>permit</quote>. Please "
+"note that if you configure an access provider other than <quote>ad</quote>, "
+"you need to set all the connection parameters (such as LDAP URIs and "
+"encryption details) manually."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr "sssd-sudo"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr "Configuración de sudo con el motor de SSSD"
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+"Esta página de manual describe como configurar <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"para trabajar con <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> y como SSSD esconde reglas sudo."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr "Configurando sudo para cooperar con SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Para habilitar SSSD como una fuente de reglas sudo, añada <emphasis>sss</"
+"emphasis> a la entrada <emphasis>sudoers</emphasis> en <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+"Por ejemplo, para configurar sudo para primero buscar reglas en el fichero "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> estándar (que contendría reglas para aplicar al "
+"usuario local) y después en SSSD, el fichero nsswitch.conf contiene la "
+"siguiente línea:"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr "sudoers: files sss\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Más información sobre la configuración del orden de búsqueda de sudoers "
+"desde el fichero nsswuitch.conf así información sobre el esquema LDAP que se "
+"usa para almacenar reglas sudo en el directorio se puede encontrar en "
+"<citerefentry> <refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#.
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "Configurando SSSD para ir a buscar reglas sudo" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" +"El siguiente ejemplo muestra como configurar SSSD para descargar reglas sudo " +"desde un servidor LDAP." + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "El mecanismo de almacenamiento en cache de regla SUDO" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" +"El mayor desafío, cuando se desarrolla soporte sudo en SSSD, fue asegurar " +"que ejecutando sudo con SSSD como la fuente de datos suministre la misma " +"experiencia de usuario y sea tan rápido como sudo pero se mantenga " +"proporcionando el conjunto más actual de reglas como sea posible. Para " +"satisfacer estos requisitos, SSSD usa tres clases de actualizaciones. A " +"ellas nos referimos como refresco total, refresco inteligente y refresco de " +"reglas." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" +"El <emphasis>refresco inteligente</emphasis> periódicamente descarga reglas " +"que son nuevas o fueron modificadas desde la última actualización. Su " +"objetivo principal es mantener la base de datos creciendo mediante la " +"atracción de pequeños incrementos que no generen grandes cantidades de " +"tráfico de red." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. 
" +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" +"<emphasis>full refresh</emphasis> simplemente refresca todas las reglas sudo " +"almacenadas en el cache y las reemplaza con las reglas que están almacenadas " +"en el servidor. Esto se usa para mantener el cache consistente borrando cada " +"regla que fue borrada del servidor. Sin embargo, un refresco total puede " +"producir gran cantidad de tráfico y por lo tanto debería ser ejecutado sólo " +"ocasionalmente dependiendo del tamaño y de la estabilidad de las reglas sudo." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" +"El <emphasis>refresco de reglas</emphasis> asegura que no concedamos más " +"permisos al usuario que los definidos. Se dispara cada vez que el usuario " +"ejecuta sudo. El refresco de reglas encontrará todas las reglas que se " +"apliquen a ese usuario, comprobará su tiempo de expiración y las recargará " +"si han expirado. En el caso de que alguna de esas reglas estén desaparecidas " +"del servidor, SSSD hará un refresco total fuera de banda puesto que más " +"reglas (que apliquen a otros usuarios) pueden haber sido borradas." + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" +"Si está habilitado, SSSD almacenará sólo las reglas que pueden ser aplicadas " +"a esa máquina. Esto indica reglas que contienen uno de los siguientes " +"valores en el atributo <emphasis>sudoHost</emphasis>:" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "keyword ALL" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "comodines" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "netgroup (en la forma \"+netgroup\")" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" +"nombre de host o nombre de dominio totalmente cualificado de esta máquina" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "una de las direcciones IP de esta máquina" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" +"una de las direcciones IP de la red (en la forma \"dirección/máscara\")" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" +"Hay muchas opciones de configuración que pueden ser usadas para ajustar el " +"comportamiento. Por favor vea \"ldap_sudo_*\" en <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> y \"sudo_*\" en <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "System Security Services Daemon" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" +"<command>SSSD</command> suministra un conjunto de demonios para gestionar el " +"acceso a directorios remotos y mecanismos de autenticación. 
Suministra una " +"interfaz NSS y PAM hacia el sistema y un sistema de parte trasera conectable " +"para conectar múltiples fuentes de cuentas diferentes así como interfaz D-" +"Bus. Es también la base para suministrar servicios de auditoría y política a " +"los clientes para proyectos como FreeIPA. Suministra una base de datos más " +"robusta para almacenar los usuarios locales así como datos de usuario " +"extendidos." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>NIVEL</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" +"<emphasis>1</emphasis>: Agregar marca de tiempo a mensajes de depuración " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" +"<emphasis>0</emphasis>: Desactiva marca de tiempo en mensajes de depuración" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" +"<emphasis>1</emphasis>: Agregar microsegundos a la marca de tiempo en " +"mensajes de depuración" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "<emphasis>0</emphasis>: Desactiva microsegundos en marcas de tiempo" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" +"Envía la salida de depuración a ficheros en lugar de a stderr. Por defecto, " +"los ficheros de registro se almacenan en <filename>/var/log/sssd</filename> " +"y hay ficheros de registro separados para cada servicio y dominio SSSD." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. 
This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Convertido en un demonio después de la puesta en marcha." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Ejecutar en primer plano, no convertirse en un demonio." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Especifica un fichero de configuración distinto al de por defecto. El por " +"defecto es <filename>/etc/sssd/sssd.conf</filename>. Para referencia sobre " +"las opciones y sintaxis del fichero de configuración, consulta la página de " +"manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "Imprimir número de versión y salir." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "Señales" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" +"Informa a SSSD para terminar graciosamente todos sus procesos hijos y " +"después para el monitor." 
+ +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "SIGHUP" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" +"Le dice a SSSD que pare de escribir en su fichero descriptor de depuración " +"actual y cerrar y reabrirlo. Esto significa facilitar la circulación de " +"registro con programas como logrotate." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "SIGUSR1" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "SIGUSR2" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "oscurecer un password en texto claro" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[CONTRASEÑA]</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" +"<command>sss_obfuscate</command> convierte una contraseña dada en un formato " +"no legible y la sitúa en la sección apropiada del dominio del fichero de " +"configuración SSSD." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" +"La contraseña en texto claro es leída desde la entrada estándar e " +"introducida interactivamente. 
La contraseña ofuscada se pone en el parámetro " +"<quote>ldap_default_authtok</quote> de un dominio SSSD dado y el parámetro " +"<quote>ldap_default_authtok_type</quote> se fija a " +"<quote>obfuscated_password</quote>. Vea <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> para más " +"detalles sobre estos parámetros." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" +"Por favor advierta que oscurecer la contraseña <emphasis>no suministra un " +"beneficio real de seguridad</emphasis> y es posible para un atacante " +"mediante ingeniería inversa volver atrás la contraseña. Se recomienda " +"<emphasis>firmemente</emphasis> el uso de mejores mecanismos de " +"autenticación como certificados en el lado cliente o GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "La contraseña a oscurecer será leída desde la entrada estándar." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMINIO</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" +"El dominio SSSD en el que usar la contraseña. El nombre por defecto es " +"<quote>default</quote>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>ARCHIVO</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" +"Lee el fichero de configuración especificado por el parámetro posicional." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "Predeterminado: <filename>/etc/sssd/sssd.conf</filename>" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr "sss_useradd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr "Crea un nuevo usuario"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+"<command>sss_useradd</command> crea una nueva cuenta de usuario usando los "
+"valores especificados en la línea de comandos más los valores por defecto "
+"del sistema."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"Fija la UID del usuario al valor de <replaceable>UID</replaceable>. Si no se "
+"da, se elige automáticamente."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMENTARIO</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+"Cualquier cadena de texto describiendo al usuario. Frecuentemente se usa "
+"como el campo para el nombre completo del usuario."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. 
The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+"El directorio home de la cuenta de usuario. Por defecto se añade el nombre "
+"<replaceable>LOGIN</replaceable> a <filename>/home</filename> y utiliza esto "
+"como directorio home. La base de que se antepondrá antes <replaceable>LOGIN</"
+"replaceable> es sintonizable con el ajuste <quote>user_defaults/"
+"baseDirectory</quote> en sssd.conf."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>. The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+"La shell de acceso del usuario. Por defecto es actualmente <filename>/bin/"
+"bash</filename>. El valor por defecto puede ser cambiado con el ajuste "
+"<quote>user_defaults/defaultShell</quote> en sssd.conf."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GRUPOS</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+"Una lista de grupos existentes de los que el usuario también es miembro."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr "<option>-m</option>,<option>--create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+"Crea el directorio home del usuario si no existe. Los ficheros y directorios "
+"contenidos en el directorio esqueleto (que pueden ser definidos con la "
+"opción –k o en el fichero de configuración) serán copiados en el directorio "
+"home."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr "<option>-M</option>,<option>--no-create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+"No se crear el directorio principal del usuario. Reemplaza los valores de "
+"configuración."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+"El directorio esqueleto, que contiene ficheros y directorios a copiar en el "
+"directorio home del usuario, cuando el directorio home es creado por "
+"<command>sss_useradd</command>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"Special files (block devices, character devices, named pipes and unix "
+"sockets) will not be copied."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:147
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+"Esta opción sólo es válida si se ha especificado la opción <option>-m</"
+"option> (o <option>--create-home</option>), o la creación de directorios "
+"home está fijada a TRUE en la configuración."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:161
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+"El usuario SELinux para el acceso de usuario. Si no se especifica, se usará "
+"el valor por defecto del sistema."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr "sssd-krb5"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-krb5.5.xml:17
+msgid "SSSD Kerberos provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+"Esta página de manual describe la configuración del motor de autenticación "
+"de Kerberos 5 para <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Para una referencia detallada de "
+"la sintaxis, por favor vea la sección <quote>FORMATO DE ARCHIVO</quote> de "
+"la página de manual de <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with an identity provider in order to function properly (for "
+"example, id_provider = ldap). 
Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+"El motor de autenticaciónd e Kerberos 5 contiene proveedores auth y chpass. "
+"Debe ir junto con un proveedor de identidad para que funcione adecuadamente "
+"(por ejemplo, id_provider = ldap). Algo de información requerida por el "
+"motor de autenticación de Kerberos 5 debe ser provista por el proveedor de "
+"identidad, tal como el Nombre Principal del usuario de Kerberos (NPU). La "
+"configuración del proveedor de identidad debe tener una entrada específica "
+"para el NPU. Por favor, vea la página del manual para el proveedor de "
+"identidad aplicable, para más detalles sobre cómo configurar esto."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature, use 'access_provider = krb5' in your SSSD "
+"configuration."
+msgstr ""
+"Este motor también provee control de acceso basado en el archivo .k5login en "
+"el directorio de inicio del usuario. Vea <citerefentry> <refentrytitle>."
+"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> para más "
+"detalles. Por favor, observe que un archivo .k5login vacío negará todo el "
+"acceso a este usaurio. Para activar esta característica, use "
+"'access_provider = krb5' en su configuración de SSSD."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend, "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+"En el caso de que el NPU no esté disponible en el motor de identidad, "
+"<command>sssd</command> construirá un NPU usando el formato "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect, in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled; for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"Especifica una lista separada por comas de direcciones IP o nombres de host "
+"de los servidores Kerberos a los cuales se conectaría SSSD en orden de "
+"preferencia. Para más información sobre failover y redundancia de servidor, "
+"vea la sección <quote>FAILOVER</quote>. Un número de puerto opcional "
+"(precedido de dos puntos) puede ser añadido a las direcciones o nombres de "
+"host. Si está vacío, el servicio descubridor está habilitado; para más "
+"información, vea la sección <quote>SERVICE DISCOVERY</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+"El nombre del reino Kerberos. 
Esta opción se requiere y debe ser "
+"especificada."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+msgstr "krb5_kpasswd, krb5_backup_kpasswd (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC, alternative "
+"servers can be defined here. An optional port number (preceded by a colon) "
+"may be appended to the addresses or hostnames."
+msgstr ""
+"Si el servicio de cambio de contraseña no está corriendo en el KDC, se "
+"pueden definir aquí servidores alternativos. Un número de puerto opcional "
+"(precedido de dos puntos) debe ser añadido a las direcciones o nombres de "
+"host."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
+"servers to try, the backend is not switched to operate offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+"Para más información sobre recuperación de fallos y redundancia de servidor, "
+"consulte la sección de <quote>conmutación por error</quote>. Nota: incluso "
+"si no hay más servidores kpasswd para intentar, y el punto final no está "
+"conmutado para trabajar fuera de línea la autenticación contra el KDC es "
+"todavía posible."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr "Predeterminado: Use the KDC"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr "krb5_ccachedir (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. The directory "
+"is created as private and owned by the user, with permissions set to 0700."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:145
+msgid "Default: /tmp"
+msgstr "Predeterminado: /tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:151
+msgid "krb5_ccname_template (string)"
+msgstr "krb5_ccname_template (string)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+msgid "%u"
+msgstr "%u"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+msgid "login name"
+msgstr "nombre de acceso"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+msgid "%U"
+msgstr "%U"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:170
+msgid "login UID"
+msgstr "UID de acceso"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:173
+msgid "%p"
+msgstr "%p"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:174
+msgid "principal name"
+msgstr "nombre principal"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:178
+msgid "%r"
+msgstr "%r"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:179
+msgid "realm name"
+msgstr "nombre de reino"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:182
+msgid "%h"
+msgstr "%h"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+msgid "home directory"
+msgstr "directorio home"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+msgid "%d"
+msgstr "%d"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:188
+msgid "value of krb5_ccachedir"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+msgid "%P"
+msgstr "%P"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:194
+msgid "the process ID of the SSSD client"
+msgstr ""
+
+#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+msgid "%%"
+msgstr "%%"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+msgid "a literal '%'"
+msgstr "un literal ‘%’"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:154
+msgid ""
+"Location of the user's credential cache. Three credential cache types are "
+"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
+"<quote>KEYRING:persistent</quote>. The cache can be specified either as "
+"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
+"implies the <quote>FILE</quote> type. In the template, the following "
+"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
+"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+"filename in a safe way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:208
+msgid ""
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
+"persistent:%U</quote>, which uses the Linux kernel keyring to store "
+"credentials on a per-UID basis. This is also the recommended choice, as it "
+"is the most secure and predictable method."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:216
+msgid ""
+"The default value for the credential cache name is sourced from the profile "
+"stored in the system wide krb5.conf configuration file in the [libdefaults] "
+"section. The option name is default_ccache_name. See krb5.conf(5)'s "
+"PARAMETER EXPANSION paragraph for additional information on the expansion "
+"format defined by krb5.conf."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:225
+msgid ""
+"NOTE: Please be aware that libkrb5 ccache expansion template from "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> uses different expansion sequences than SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:234
+msgid "Default: (from libkrb5)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:240
+msgid "krb5_auth_timeout (integer)"
+msgstr "krb5_auth_timeout (entero)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:243
+msgid ""
+"Timeout in seconds after an online authentication request or change password "
+"request is aborted. If possible, the authentication request is continued "
+"offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed. The keytab is checked for entries sequentially, and the first entry "
+"with a matching realm is used for validation. If no entry matches the realm, "
+"the last entry in the keytab is used. This process can be used to validate "
+"environments using cross-realm trust by placing the appropriate keytab entry "
+"as the last entry or the only entry in the keytab file."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:272
+msgid "krb5_keytab (string)"
+msgstr "krb5_keytab (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:275
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+"La localización de la keytab a usar cuando son obtenidas credenciales "
+"validadas desde KDCs."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:279
+msgid "Default: /etc/krb5.keytab"
+msgstr "Predeterminado: /etc/krb5.keytab"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:285
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr "krb5_store_password_if_offline (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:288
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider comes online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:293
+msgid ""
+"NOTE: this feature is only available on Linux. Passwords stored in this way "
+"are kept in plaintext in the kernel keyring and are potentially accessible "
+"by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:306
+msgid "krb5_renewable_lifetime (string)"
+msgstr "krb5_renewable_lifetime (cadena)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:309
+msgid ""
+"Request a renewable ticket with a total lifetime, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
+msgid "<emphasis>s</emphasis> for seconds"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
+msgid "<emphasis>m</emphasis> for minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
+msgid "<emphasis>h</emphasis> for hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
+msgid "<emphasis>d</emphasis> for days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397
+msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401
+msgid ""
+"NOTE: It is not possible to mix units. To set the renewable lifetime to one "
+"and a half hours, use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr "Por defecto: no fijado, esto es el TGT no es renovable"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:341
+msgid "krb5_lifetime (string)"
+msgstr "krb5_lifetime (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:344
+msgid ""
+"Request ticket with a lifetime, given as an integer immediately followed by "
+"a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:360
+msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:364
+msgid ""
+"NOTE: It is not possible to mix units. To set the lifetime to one and a "
+"half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:369
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+"Por defecto: no fijado, esto es el tiempo de vida de la entrada por defecto "
+"configurado en el KDC."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:376
+msgid "krb5_renew_interval (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:379
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:406
+msgid "If this option is not set or is 0 the automatic renewal is disabled."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" +"Habilita la autenticación segura flexible de los túneles (FSAT) para la pre-" +"autenticación Kerberos. Se soportan las siguientes opciones:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Por defecto: no fijado, esto es no se usa FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (cadena)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "Especifica el servidor principal para usar por FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "Crea un nuevo grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." 
+msgstr "" +"<command>sss_groupadd</command> cre un nuevo grupo. Estos grupos son " +"compatibles con grupos POXIS, con la característica adicional que pueden " +"contener otros grupos como miembros." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" +"Fija el GID del grupo al valor de <replaceable>GID</replaceable>. Si no se " +"da, se elige automáticamente." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "eliminar una cuenta de usuario" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" +"<command>sss_userdel</command> borra del sistema un usuario identificado por " +"su nombre de acceso <replaceable>LOGIN</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" +"Los ficheros en el directorio home del usuario serán borrados así como el " +"directorio home mismo y el buzón de correo del usuario. Reescribe la " +"configuración." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" +"Los ficheros en el directorio home del usuario NO serán borrados así como el " +"directorio home mismo y el buzón de correo del usuario. Reescribe la " +"configuración." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" +"Esta opción fuerza a <command>sss_userdel</command> a borrar el directorio " +"home del usuario y el buzón de correo, aunque no sea propiedad del usuario " +"especificado." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "Antes de realmente eliminar al usuario, terminar todos sus procesos." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "eliminar un grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." 
+msgstr "" +"<command>sss_groupdel</command> borra del sistema un grupo identificado por " +"su nombre <replaceable>GROUP</replaceable>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "imprime las propiedades de un grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GRUPO</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" +"<command>sss_groupshow</command> muestra información sobre un grupo " +"identificado por su nombre <replaceable>GROUP</replaceable>. La información " +"incluye el número de ID del grupo, miembros del grupo y padres del grupo." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. 
Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" +"También imprime miembros indirectos del grupo en una jerarquía de árbol. " +"Advierta que esto también afecta a la impresión de los grupos padres – sin " +"<option>R</option>,, sólo se imprimirá los padres directos." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "Modifica una cuenta de usuario" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" +"<command>sss_usermod</command> modifica la cuenta especificada por " +"<replaceable>LOGIN</replaceable> para reflejar los cambios que se han " +"especificado en la línea de comando." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "El directorio principal de la cuenta de usuario." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." 
+msgstr "Shell de inicio de sesión del usuario." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Añade este usuario a los grupos especificados por el parámetro " +"<replaceable>GROUPS</replaceable>. El parámetro <replaceable>GROUPS</" +"replaceable> es una lista separada por comas de nombres de grupo." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"Borrar este usuario de los grupos especificados por el parámetro " +"<replaceable>GROUPS</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "Bloquea la cuenta de usuario. El usuario no será capaz de acceder." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Desbloquea la cuenta de usuario." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "El usuario SELinux para el acceso del usuario." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "lleva a cabo la limpieza del escondrijo" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Invalida el usuario específico." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." 
+msgstr "" +"Invalida todos los registros de usuario. Esta opción anula la invalidación " +"de usuario específico si también está fijada." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "Invalida grupo específico." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" +"Invalida todos los registros de grupo. Esta opción anula la invalidación de " +"grupo específico si también está fijada." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "Invalida grupo de red específico." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" +"Invalida todos los registros de grupo de red. Esta opción anula la " +"invalidación de grupo de red específico si también está fijada." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "Invalida servicio específico" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" +"Invalida todos los archivos de servicio. Esta opción anula la invalidación " +"de servicio específico si también fue fijada." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Invalida mapas específicos autofs." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" +"Invalida todos los mapas autofs. Esta opción anula la invalidación de mapa " +"específico si fue fijada." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Restringe el proceso de invalidación sólo a un dominio concreto." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "alimenta el cache SSSD con un usuario" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." 
+msgstr "" +"<command>sss_seed</command> alimenta el cache SSSD con una entrada de " +"usuario y una contresañe temporal. Si una entrada de usuario está ya " +"presente en el cache SSSD la entrada se actualiza con la contraseña temporal" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" +"Suministra el nombre del dominio del que el usuario es miembro. El dominio " +"también se usa para recuperar información del usuario. El dominio debe estar " +"configurado en sssd.conf. La opción <replaceable>DOMAIN</replaceable> debe " +"ser suministrada. La información recuperada del dominio anula la que se ha " +"suministrado en las opciones." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." 
+msgstr ""
+"El nombre de usuario de la entrada a ser creado o modificado en el cache. Se "
+"debe suministrar la opción <replaceable>USER</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:81
+msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgstr "Fija la UID del usuario a <replaceable>UID</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:93
+msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+msgstr "Fija la GID del usuario a <replaceable>GID</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:117
+msgid ""
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+msgstr ""
+"Fija el directorio home del usuario a <replaceable>HOME_DIR</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:129
+msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+msgstr ""
+"Fija la shell de acceso del usuario a <replaceable>SHELL</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:140
+msgid ""
+"Interactive mode for entering user information. This option will only prompt "
+"for information not provided in the options or retrieved from the domain."
+msgstr ""
+"Modo interactivo de introducir información del usuario. Esta opción sólo "
+"preguntará por la información no suministrada en las opciones o recuperada "
+"del dominio."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:148
+msgid ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:153
+msgid ""
+"Specify file to read user's password from. (if not specified password is "
+"prompted for)"
+msgstr ""
+"Especifica el fichero desde donde leer la contraseña del usuario (si no se "
+"especifica se pregunta por la contraseña)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:165
+msgid ""
+"The length of the password (or the size of file specified with -p or --"
+"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+"on systems with no globally-defined PASS_MAX value)."
+msgstr ""
+"La longitud de la contraseña (o el tamaño especificado con la opción -p or --"
+"password-file) debe ser menos o igual a PASS_MAX bytes ( 64 bytes en "
+"sistemas sin valor PASS_MAX globalmente definido)."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+msgid "sssd-ifp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ifp.5.xml:17
+msgid "SSSD InfoPipe responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:23
+msgid ""
+"This manual page describes the configuration of the InfoPipe responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:36
+msgid ""
+"The InfoPipe responder provides a public D-Bus interface accessible over the "
+"system bus. The interface allows the user to query information about remote "
+"users and groups over the system bus."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:46
+msgid "These options can be used to configure the InfoPipe responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:53
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:59
+msgid ""
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:63
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the InfoPipe responder, which would be the typical case, you have to "
+"add 0 to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:77
+msgid "Specifies the comma-separated list of white or blacklisted attributes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:91
+msgid "name"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:92
+msgid "user's login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:95
+msgid "uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:96
+msgid "user ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:99
+msgid "gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:100
+msgid "primary group ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:103
+msgid "gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:104
+msgid "user information, typically full name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:107
+msgid "homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:111
+msgid "loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:112
+msgid "user shell"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:81
+msgid ""
+"By default, the InfoPipe responder only allows the default set of POSIX "
+"attributes to be requested. This set is the same as returned by "
+"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ifp.5.xml:125
+#, no-wrap
+msgid ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:117
+msgid ""
+"It is possible to add another attribute to this set by using <quote>"
+"+attr_name</quote> or explicitly remove an attribute using <quote>-"
+"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
+"deny <quote>loginShell</quote>, you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:129
+msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:139
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup that overrides caller-supplied limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:144
+msgid "Default: 0 (let the caller set an upper limit)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refentryinfo>
+#: sss_rpcidmapd.5.xml:8
+msgid ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
+msgid "sss_rpcidmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_rpcidmapd.5.xml:33
+msgid "sss plugin configuration directives for rpc.idmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:37
+msgid "CONFIGURATION FILE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:39
+msgid ""
+"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:49
+msgid "SSS CONFIGURATION EXTENSION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:51
+msgid "Enable SSS plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:53
+msgid ""
+"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
+"attribute to contain <emphasis>sss</emphasis>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:59
+msgid "[sss] config section"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:61
+msgid ""
+"In order to change the default of one of the configuration attributes of the "
+"<emphasis>sss</emphasis> plugin listed below you will need to create a "
+"config section for it, named <quote>[sss]</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sss_rpcidmapd.5.xml:67
+msgid "Configuration attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sss_rpcidmapd.5.xml:69
+msgid "memcache (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sss_rpcidmapd.5.xml:72
+msgid "Indicates whether or not to use memcache optimisation technique."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:85
+msgid "SSSD INTEGRATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:87
+msgid ""
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
+"in sssd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:91
+msgid ""
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
+"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
+"wire)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_rpcidmapd.5.xml:103
+#, no-wrap
+msgid ""
+"[General]\n"
+"Verbosity = 2\n"
+"# domain must be synced between NFSv4 server and clients\n"
+"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:100
+msgid ""
+"The following example shows a minimal idmapd.conf which makes use of the sss "
+"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
+msgid "SEE ALSO"
+msgstr "VEA TAMBIEN"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:122
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
+msgid "sss_ssh_authorizedkeys"
+msgstr "sss_ssh_authorizedkeys"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
+msgid "1"
+msgstr "1"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_authorizedkeys.1.xml:16
+msgid "get OpenSSH authorized keys"
+msgstr "obtiene las claves OpenSSH autorizadas"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_authorizedkeys.1.xml:21
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+msgstr ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+"<command>sss_ssh_authorizedkeys</command> adquiere la clave pública SSH para "
+"el usuario <replaceable>USER</replaceable> y las saca en formato de claves "
+"autorizadas OpenSSH (vea la sección <quote>AUTHORIZED_KEYS FILE FORMAT</"
+"quote> de <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> para más información)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+#, fuzzy
+#| msgid "client_idle_timeout"
+msgid "p11_child_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+msgid "certificate_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+"Por favor vea el parámetro <quote>dns_discovery_domain</quote> en la página "
+"de manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> para más detalles."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys.
When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+"Busca las claves públicas del usuario en el dominio SSSD "
+"<replaceable>DOMAIN</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr "sss_ssh_knownhostsproxy"
+
+#.
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr "obtiene las claves OpenSSH del host"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+"Si se especifica <replaceable>PROXY_COMMAND</replaceable>, se usa para crear "
+"la conexión al host en lugar de abrir un socket."
+
+#.
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> puede ser configurado para usar "
+"<command>sss_ssh_knownhostsproxy</command> para autenticación de la clave "
+"del host usando las siguientes directivas <citerefentry><refentrytitle>ssh</"
+"refentrytitle> <manvolnum>1</manvolnum></citerefentry> configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/> "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+"Usa el puerto <replaceable>PORT</replaceable> para conectar al host. Por "
+"defecto, el puerto usado es el 22."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+"Busca las claves públicas del host en el dominio SSSD <replaceable>DOMAIN</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+#, fuzzy
+#| msgid "<option>-U</option>,<option>--users</option>"
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr "<option>-U</option>,<option>--users</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+#, fuzzy
+#| msgid ""
+#| "Search for host public keys in SSSD domain <replaceable>DOMAIN</"
+#| "replaceable>."
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr ""
+"Busca las claves públicas del host en el dominio SSSD <replaceable>DOMAIN</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+#, fuzzy
+#| msgid "ldap_access_filter (string)"
+msgid "passwd_files (string)"
+msgstr "ldap_access_filter (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: password"
+msgid "Default: /etc/passwd"
+msgstr "Por defecto: contraseña"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+#, fuzzy
+#| msgid "ldap_netgroup_triple (string)"
+msgid "group_files (string)"
+msgstr "ldap_netgroup_triple (cadena)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: nisNetgroup"
+msgid "Default: /etc/group"
+msgstr "Predeterminado: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+#, fuzzy
+#| msgid ""
+#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page for details on the configuration of an SSSD "
+#| "domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain.
<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Vea la sección <quote>DOMAIN SECTIONS</quote> de la página de manual " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> para detalles sobre la configuración de un " +"dominio SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. 
" +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:56
+msgid ""
+"unlike the kernel keyring-based cache, which is shared between all "
+"containers, the KCM server is a separate process whose entry point is a UNIX "
+"socket"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:61
+msgid ""
+"the SSSD implementation stores the ccaches in the SSSD <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry> secrets store, allowing the ccaches to survive KCM server "
+"restarts or machine reboots."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:69
+msgid ""
+"This allows the system to use a collection-aware credential cache, yet share "
+"the credential cache between some or no containers by bind-mounting the "
+"socket."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-kcm.8.xml:76
+msgid "USING THE KCM CREDENTIAL CACHE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-kcm.8.xml:86
+#, no-wrap
+msgid ""
+"[libdefaults]\n"
+" default_ccache_name = KCM:\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:78
+msgid ""
+"In order to use KCM credential cache, it must be selected as the default "
+"credential type in <citerefentry> <refentrytitle>krb5.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials "
+"cache name must be only <quote>KCM:</quote> without any template "
+"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:91
+msgid ""
+"Next, make sure the Kerberos client libraries and the KCM server must agree "
+"on the UNIX socket path. 
By default, both use the same path <replaceable>/"
+"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos "
+"library, change its <quote>kcm_socket</quote> option which is described in "
+"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-kcm.8.xml:113
+#, no-wrap
+msgid ""
+"systemctl start sssd-kcm.socket\n"
+"systemctl enable sssd-kcm.socket\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:102
+msgid ""
+"Finally, make sure the SSSD KCM server can be contacted. The KCM service is "
+"typically socket-activated by <citerefentry> <refentrytitle>systemd</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD "
+"services, it cannot be started by adding the <quote>kcm</quote> string to "
+"the <quote>service</quote> directive. <placeholder type=\"programlisting\" "
+"id=\"0\"/> Please note your distribution may already configure the units for "
+"you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-kcm.8.xml:122
+msgid "THE CREDENTIAL CACHE STORAGE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-kcm.8.xml:131
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:124
+msgid ""
+"The credential caches are stored in the SSSD secrets service (see "
+"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry> for more details). 
Therefore it is important that "
+"also the sssd-secrets service is enabled and its socket is started: "
+"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should "
+"already set the dependencies between the services."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:141
+msgid ""
+"The KCM service is configured in the <quote>kcm</quote> section of the sssd."
+"conf file. Please note that currently, is it not sufficient to restart the "
+"sssd-kcm service, because the sssd configuration is only parsed and read to "
+"an internal configuration database by the sssd service. Therefore you must "
+"restart the sssd service if you change anything in the <quote>kcm</quote> "
+"section of sssd.conf. For a detailed syntax reference, refer to the "
+"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:155
+msgid ""
+"The generic SSSD service options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some KCM-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-kcm.8.xml:166
+msgid "socket_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-kcm.8.xml:169
+msgid "The socket the KCM service will listen on."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-kcm.8.xml:172
+msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:182
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16
+msgid "sssd-systemtap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-systemtap.5.xml:17
+msgid "SSSD systemtap information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-systemtap.5.xml:23
+msgid ""
+"This manual page provides information about the systemtap functionality in "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-systemtap.5.xml:32
+msgid ""
+"SystemTap Probe points have been added into various locations in SSSD code "
+"to assist in troubleshooting and analyzing performance related issues."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-systemtap.5.xml:40
+msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-systemtap.5.xml:46
+msgid ""
+"Probes and miscellaneous functions are defined in /usr/share/systemtap/"
+"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp "
+"respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-systemtap.5.xml:57
+msgid "PROBE POINTS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341
+msgid ""
+"The information below lists the probe points and arguments available in the "
+"following format:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:64
+msgid "probe $name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:67
+msgid "Description of probe point"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:70
+#, no-wrap
+msgid ""
+"variable1:datatype\n"
+"variable2:datatype\n"
+"variable3:datatype\n"
+"...\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:80
+msgid "Database Transaction Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:84
+msgid "probe sssd_transaction_start"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:87
+msgid ""
+"Start of a sysdb transaction, probes the sysdb_transaction_start() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118
+#: sssd-systemtap.5.xml:131
+#, no-wrap
+msgid ""
+"nesting:integer\n"
+"probestr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:97
+msgid "probe sssd_transaction_cancel"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:100
+msgid ""
+"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() "
+"function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:111
+msgid "probe sssd_transaction_commit_before"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:114
+msgid "Probes the sysdb_transaction_commit_before() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:124
+msgid "probe sssd_transaction_commit_after"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:127
+msgid "Probes the sysdb_transaction_commit_after() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:141
+msgid "LDAP Search Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:145
+msgid "probe sdap_search_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:148
+msgid "Probes the sdap_get_generic_ext_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196
+#, no-wrap
+msgid ""
+"base:string\n"
+"scope:integer\n"
+"filter:string\n"
+"probestr:string\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:160
+msgid "probe sdap_search_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:163
+msgid "Probes the sdap_get_generic_ext_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:175
+msgid "probe sdap_deref_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:178
+msgid "Probes the sdap_deref_search_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:182
+#, no-wrap
+msgid ""
+"base_dn:string\n"
+"deref_attr:string\n"
+"probestr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:189
+msgid "probe sdap_deref_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:192
+msgid "Probes the sdap_deref_search_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:208
+msgid "LDAP Account Request Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:212
+msgid "probe sdap_acct_req_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:215
+msgid "Probes the sdap_acct_req_send() function."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234
+#, no-wrap
+msgid ""
+"entry_type:int\n"
+"filter_type:int\n"
+"filter_value:string\n"
+"extra_value:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:227
+msgid "probe sdap_acct_req_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:230
+msgid "Probes the sdap_acct_req_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:246
+msgid "LDAP User Search Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:250
+msgid "probe sdap_search_user_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:253
+msgid "Probes the sdap_search_user_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281
+#: sssd-systemtap.5.xml:293
+#, no-wrap
+msgid ""
+"filter:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:262
+msgid "probe sdap_search_user_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:265
+msgid "Probes the sdap_search_user_recv() function."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:274
+msgid "probe sdap_search_user_save_begin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:277
+msgid "Probes the sdap_search_user_save_begin() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:286
+msgid "probe sdap_search_user_save_end"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:289
+msgid "Probes the sdap_search_user_save_end() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:302
+msgid "Data Provider Request Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:306
+msgid "probe dp_req_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:309
+msgid "A Data Provider request is submitted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:312
+#, no-wrap
+msgid ""
+"dp_req_domain:string\n"
+"dp_req_name:string\n"
+"dp_req_target:int\n"
+"dp_req_method:int\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:320
+msgid "probe dp_req_done"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:323
+msgid "A Data Provider request is completed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:326
+#, no-wrap
+msgid ""
+"dp_req_name:string\n"
+"dp_req_target:int\n"
+"dp_req_method:int\n"
+"dp_ret:int\n"
+"dp_errorstr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:339
+msgid "MISCELLANEOUS FUNCTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:346
+msgid "function acct_req_desc(entry_type)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:349
+msgid "Convert entry_type to string and return string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:354
+msgid ""
+"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
+"filter_value, extra_value)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:358
+msgid "Create probe string based on filter type"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:363
+msgid "function dp_target_str(target)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:366
+msgid "Convert target to string and return string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:371
+msgid "function dp_method_str(target)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:374
+msgid "Convert method to string and return string"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr "SERVICIO DE DESCUBRIMIENTO"
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query. This feature is "
+"not supported for backup servers."
+msgstr ""
+"La función servicio descubridor permite a los puntos finales encontrar "
+"automáticamente los servidores apropiados a conectar para usar una pregunta "
+"especial al DNS. Esta función no está soportada por los servidores de "
+"respaldo."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99
+msgid "Configuration"
+msgstr "Configuración"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+"Si no se especifican servidores, el punto final usar automáticamente el "
+"servicio descubridor para intentar encontrar un servidor. 
Opcionalmente, el "
+"usuario puede elegir utilizar tanto las direcciones de servidor fijadas como "
+"el servicio descubridor para insertar una palabra clave especial, "
+"<quote>_srv_</quote>, en la lista de servidores. El orden de preferencia se "
+"mantiene. Esta función es útil sí, por ejemplo, el usuario prefiere usar el "
+"servicio descubridor siempre que sea posible, el volver a un servidor "
+"específico cuando no se pueden descubrir servidores usando DNS."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr "El nombre de dominio"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+"Por favor vea el parámetro <quote>dns_discovery_domain</quote> en la página "
+"de manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> para más detalles."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr "El protocolo"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+"Las consultas normalmente especifican _tcp como protocolo. Las excepciones "
+"se documentan en la descripción de la opción respectiva."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr "Vea también"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+"Para más información sobre el mecanismo del servicio descubridor, vea el RFC "
+"2782."
+
+#. type: Content of: <refentryinfo>
+#: include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure."
+"io/SSSD/sssd/</orgname>"
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr "CONMUTACIÓN POR ERROR"
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the current server fails."
+msgstr ""
+"La función conmutación en error permite a los finales conmutar "
+"automáticamente a un servidor diferente si el servidor actual falla."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr "Sintaxis de conmutación por error"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+"La lista de servidores se da como una lista separada por comas; se permite "
+"cualquier número de espacios a los lados de la coma. Los servidores son "
+"listados en orden de preferencia. La lista puede contener cualquier número "
+"de servidores."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:16
+msgid ""
+"For each failover-enabled config option, two variants exist: "
+"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. 
The idea is "
+"that servers in the primary list are preferred and backup servers are only "
+"searched if no primary servers can be reached. If a backup server is "
+"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
+"periodically try to reconnect to one of the primary servers. If it succeeds, "
+"it will replace the current active (backup) server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:27
+msgid "The Failover Mechanism"
+msgstr ""
+"El mecanismo de conmutación por errorEl mecanismo de failover distingue "
+"entre una máquina y un servicio. El punto final intenta primero resolver el "
+"nombre de host de una máquina dada; si el intento de resolución falla, la "
+"máquina es considerada fuera de línea. No se harán más intentos de conexión "
+"con esta máquina para ningún otro servicio. Si el intento de resolución "
+"tiene éxito, el punto final intenta conectar a un servicio en esa máquina. "
+"Si el intento de conexión al servicio falla, entonces sólo se considera "
+"fuera de línea este servicio concreto y el punto final conmutará "
+"automáticamente sobre el siguientes servicio. La máquina se considera que "
+"sigue en línea y se puede intentar el acceso a otros servicios."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:29
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service. 
The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+"El mecanismo de conmutación por error distingue entre una máquina y un "
+"servicio. El punto final intenta primero resolver el nombre de host de una "
+"máquina dada; si el intento de resolución falla, la máquina es considerada "
+"fuera de línea. No se harán más intentos de conexión con esta máquina para "
+"ningún otro servicio. Si el intento de resolución tiene éxito, el punto "
+"final intenta conectar a un servicio en esa máquina. Si el intento de "
+"conexión al servicio falla, entonces sólo se considera fuera de línea este "
+"servicio concreto y el punto final conmutará automáticamente sobre el "
+"siguientes servicio. La máquina se considera que sigue en línea y se puede "
+"intentar el acceso a otros servicios."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:42
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+"Los intentos de conexión adicionales son hechos a máquinas o servicios "
+"marcaros como fuera de línea después de un período de tiempo especificado; "
+"esto está codificado a fuego actualmente en 30 segundos."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:47
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+"Si no hay más máquinas para intentarlo, el punto final al completo conmutará "
+"al modo fuera de línea y después intentará reconectar cada 30 segundo."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:53
+msgid "Failover time outs and tuning"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:55
+msgid ""
+"Resolving a server to connect to can be as simple as running a single DNS "
+"query or can involve several steps, such as finding the correct site or "
+"trying out multiple host names in case some of the configured servers are "
+"not reachable. The more complex scenarios can take some time and SSSD needs "
+"to balance between providing enough time to finish the resolution process "
+"but on the other hand, not trying for too long before falling back to "
+"offline mode. If the SSSD debug logs show that the server resolution is "
+"timing out before a live server is contacted, you can consider changing the "
+"time outs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:76
+msgid "dns_resolver_op_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid "How long would SSSD talk to a single DNS server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:86
+msgid "dns_resolver_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:90
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:100
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></"
+"quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr "ASIGNACIÓN DE ID"
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+"La función asignación de ID permite a SSSD actuar como un cliente de Active "
+"Directory sin requerir de administradores para extender los atributos de "
+"usuario para soportar atributos POSIX para los identificadores de usuario y "
+"grupo."
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between automatically-"
+"assigned and manually-assigned values. If you need to use manually-assigned "
+"values, ALL values must be manually-assigned."
+msgstr ""
+"NOTA: Cuando asignación de ID está habilitado, los atributos uidNumber y "
+"gidNumber son ignorados. Esto es para evitar la posibilidad de conflictos "
+"entre los valores automáticamente asignados y los asignados manualmente. Si "
+"usted necesita usar los valore asignados manualmente, TODOS los valores "
+"deben ser asignados manualmente."
+
+#. 
type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed. It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr "Algoritmo de asignación"
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory. This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+"Active Directory suministra un objectSID para cada objeto usuario y grupo en "
+"el directorio. El objectSID puede ser dividido en componente que representan "
+"la identidad del dominio Active Directory y le identificador relativo (RID) "
+"del objeto usuario y grupo."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\"-. Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+"El algoritmo de asignación de ID de SSSD tiene un rango de UIDs disponibles "
+"y lo divide en secciones componente de igual tamaño – llamadas “rebanadas” "
+"-. Cada rebanada representa el espacio disponible para un dominio Active "
+"Directory."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that domain. "
+"In order to make this slice-assignment repeatable on different client "
+"machines, we select the slice based on the following algorithm:"
+msgstr ""
+"Cuando se encuentra por primera vez una entrada de usuario o grupo para un "
+"dominio concreto, SSSD asigna una de las rebanadas disponibles para ese "
+"dominio. Con el objetivo de hacer esta asignación de rebanadas repetible "
+"sobre diferentes máquinas clientes, seleccionamos la rebanada en base al "
+"siguiente algoritmo:"
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value. We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+"La cadena SID pasada a través del algoritmo murmurhash3 para convertirlo en "
+"un valor picado de 32 bit. Después tomamos los módulos de este valor con el "
+"número total de rebanadas disponibles para recoger la rebanada."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+"NOTA: Es posible encontrar colisiones en el picadillo y los módulos "
+"subsiguientes. En estas situaciones, seleccionaremos la siguiente rebanada "
+"disponible, pero puede no ser posible reproducir los mismos conjuntos "
+"exactos de rebanadas sobre otras máquinas (puesto que el orden en que se "
+"encuentren desterminará sus rebanadas). En esta situación, se recomienda o "
+"bien conmutar para usar los atributos explícitos POSIX en Active Directory "
+"(deshabilitando la asignación de ID) o configurar un dominio por defecto "
+"para garantizar que al menos uno sea siempre consistente. Vea "
+"<quote>Configuración</quote> para detalles."
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid ""
+"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr ""
+"Configuración mínima (en la sección <quote>[domain/DOMAINNAME]</quote>):"
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr "ldap_id_mapping = True ldap_schema = ad \n"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr "Configuración Avanzada"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr "ldap_idmap_range_min (entero)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"Especifica el límite inferior del rango de IDs POXIS a usar para la "
+"asignación de SIDs de usuario y grupo de Active Directory."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:127
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. 
This is a subtle "
+"distinction, but the good general advice would be to have <quote>min_id</"
+"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
+msgstr ""
+"NOTA: Esta opción es diferente de <quote>min_id</quote> en esta "
+"<quote>min_id</quote> actúa para filtrar la salida de las peticiones a este "
+"dominio, mientras esta opción controla el rango de la asignación de ID. Esto "
+"es una sutil diferencia, pero el buen consejo general sería que "
+"<quote>min_id</quote> fuera menor o igual que <quote>ldap_idmap_range_min</"
+"quote>"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+msgid "Default: 200000"
+msgstr "Por defecto: 200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:142
+msgid "ldap_idmap_range_max (integer)"
+msgstr "ldap_idmap_range_max (entero)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:145
+msgid ""
+"Specifies the upper bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"Especifica el límite superior del rango de IDs POXIS a usar para la "
+"asignación de SIDs de usuario y grupo por Active Directory."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:149
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. 
This is a subtle "
+"distinction, but the good general advice would be to have <quote>max_id</"
+"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
+msgstr ""
+"NOTA: Esta opción es diferente de <quote>max_id</quote> en esta "
+"<quote>max_id</quote> actúa para filtrar la salida de las peticiones a este "
+"dominio, mientras esta opción controla el rango de la asignación de ID. Esto "
+"es una sutil diferencia, pero el buen consejo general sería que "
+"<quote>max_id</quote> fuera menor o igual que <quote>ldap_idmap_range_max</"
+"quote>"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:159
+msgid "Default: 2000200000"
+msgstr "Por defecto: 2000200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:164
+msgid "ldap_idmap_range_size (integer)"
+msgstr "ldap_idmap_range_size (entero)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:167
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+"Especifica el número de IDs disponibles para cada rebanada. Si el rango no "
+"se divide de forma igual entre los valores mínimo y máximo, creará tantas "
+"rebanadas completas como sea posible."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:179
+msgid ""
+"For example, if your most recently-added Active Directory user has "
+"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
+"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:186
+msgid ""
+"It is important to plan ahead for future expansion, as changing this value "
+"will result in changing all of the ID mappings on the system, leading to "
+"users with different local IDs than they previously had."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:196
+msgid "ldap_idmap_default_domain_sid (string)"
+msgstr "ldap_idmap_default_domain_sid (cadena)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:199
+msgid ""
+"Specify the domain SID of the default domain. This will guarantee that this "
+"domain will always be assigned to slice zero in the ID map, bypassing the "
+"murmurhash algorithm described above."
+msgstr ""
+"Especifica el SID de dominio del dominio por defecto. Esto garantizará que "
+"este dominio será asignado siempre a la rebanada cero en el mapa de ID, "
+"sobrepasando el algoritmo murmurhash descrito arriba."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:210
+msgid "ldap_idmap_default_domain (string)"
+msgstr "ldap_idmap_default_domain (cadena)"
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:213
+msgid "Specify the name of the default domain."
+msgstr "Especifica el nombre del dominio por defecto."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:221
+msgid "ldap_idmap_autorid_compat (boolean)"
+msgstr "ldap_idmap_autorid_compat (booleano)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:224
+msgid ""
+"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
+"winbind's <quote>idmap_autorid</quote> algorithm."
+msgstr ""
+"Cambia el comportamiento del algoritmo de asignación de id para que se "
+"comporte de un modo más similar al algoritmo <quote>idmap_autorid</quote> de "
+"winbind."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:229
+msgid ""
+"When this option is configured, domains will be allocated starting with "
+"slice zero and increasing monatomically with each additional domain."
+msgstr ""
+"Cuando esta opción está configurada, los dominios serán asignados empezando "
+"con la rebanada cero e incrementándose de uno en uno con cada dominio "
+"adicional."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:234
+msgid ""
+"NOTE: This algorithm is non-deterministic (it depends on the order that "
+"users and groups are requested). If this mode is required for compatibility "
+"with machines running winbind, it is recommended to also use the "
+"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
+"least one domain is consistently allocated to slice zero."
+msgstr ""
+"NOTA: Este algoritmo no es determinista (depende del orden en que usuario y "
+"grupos son pedidos). Si se requiere este modo para compatibilidad con "
+"máquinas que ejecutan winbind, se recomienda que también use la opción "
+"<quote>ldap_idmap_default_domain_sid</quote> para garantizar que al menos un "
+"dominio está asignado consistentemente a la rebanada cero."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:249
+msgid "ldap_idmap_helper_table_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:252
+msgid ""
+"Maximal number of secondary slices that is tried when performing mapping "
+"from UNIX id to SID."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:256
+msgid ""
+"Note: Additional secondary slices might be generated when SID is being "
+"mapped to UNIX id and RID part of SID is out of range for secondary slices "
+"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
+"then no additional secondary slices are generated."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:273
+msgid "Well-Known SIDs"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:275
+msgid ""
+"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a "
+"special hardcoded meaning. Since the generic users and groups related to "
+"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no "
+"POSIX IDs are available for those objects."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:281
+msgid ""
+"The SID name space is organized in authorities which can be seen as "
+"different domains. 
The authorities for the Well-Known SIDs are"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:284
+msgid "Null Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:285
+msgid "World Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:286
+msgid "Local Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:287
+msgid "Creator Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:288
+msgid "NT Authority"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:289
+msgid "Built-in"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:291
+msgid ""
+"The capitalized version of these names are used as domain names when "
+"returning the fully qualified name of a Well-Known SID."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:295
+msgid ""
+"Since some utilities allow to modify SID based access control information "
+"with the help of a name instead of using the SID directly SSSD supports to "
+"look up the SID by the name as well. To avoid collisions only the fully "
+"qualified names can be used to look up Well-Known SIDs. As a result the "
+"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
+"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
+"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
+"names in <filename>sssd.conf</filename>."
+msgstr ""
+
+#. 
type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-?</option>,<option>--help</option>"
+msgstr "<option>-?</option>,<option>--help</option>"
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7 include/param_help_py.xml:7
+msgid "Display help message and exit."
+msgstr "Muestra mensaje de ayuda y sale."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help_py.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr "<option>-h</option>,<option>--help</option>"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
+msgid ""
+"SSSD supports two representations for specifying the debug level. The "
+"simplest is to specify a decimal value from 0-9, which represents enabling "
+"that level and all lower-level debug messages. The more comprehensive option "
+"is to specify a hexadecimal bitmask to enable or disable specific levels "
+"(such as if you wish to suppress a level)."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:10
+msgid ""
+"Please note that each SSSD service logs into its own log file. Also please "
+"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> "
+"section only enables debugging just for the sssd process itself, not for the "
+"responder or provider processes. The <quote>debug_level</quote> parameter "
+"should be added to all sections that you wish to produce debug logs from."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:18
+msgid ""
+"In addition to changing the log level in the config file using the "
+"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD "
+"restart, it is also possible to change the debug level on the fly using the "
+"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry> tool."
+msgstr ""
+
+#. 
type: Content of: <listitem><para>
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
+msgid "Currently supported debug levels:"
+msgstr "Niveles de depuración actualmente soportados:"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
+msgid ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
+"Anything that would prevent SSSD from starting up or causes it to cease "
+"running."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+msgid ""
+"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
+msgid ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
+"error announcing that a particular request or operation has failed."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
+msgid ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
+"are the errors that would percolate down to cause the operation failure of 2."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
+msgid ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
+msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
+msgstr ""
+
+#. 
type: Content of: <listitem><para>
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
+msgid ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
+"operation functions."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
+msgid ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
+"internal control functions."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
+msgid ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
+"internal variables that may be interesting."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
+msgid ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
+"tracing information."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
+msgid ""
+"To log required bitmask debug levels, simply add their numbers together as "
+"shown in following examples:"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
+"serious failures and function data use 0x0270."
+msgstr ""
+"<emphasis>Ejemplo</emphasis>: Para registrar fallos fatales, críticos y "
+"serios y datos de función use 0x0270."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
+"function data, trace messages for internal control functions use 0x1310."
+msgstr ""
+"<emphasis>Example</emphasis>: Para registrar fallos fatales, ajustes de "
+"configuración, datos de función, mensajes de traza para funciones de control "
+"interno use 0x1310."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
+msgid ""
+"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
+"in 1.7.0."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
+msgid "<emphasis>Default</emphasis>: 0"
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/experimental.xml:1
+msgid ""
+"<emphasis> This is an experimental feature, please use https://pagure.io/"
+"SSSD/sssd/ to report any issues. </emphasis>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/local.xml:2
+msgid "THE LOCAL DOMAIN"
+msgstr "EL DOMINIO LOCAL"
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:4
+msgid ""
+"In order to function correctly, a domain with <quote>id_provider=local</"
+"quote> must be created and the SSSD must be running."
+msgstr ""
+"Con el objetivo de que funcione correctamente, se debe crear un dominio con "
+"<quote>id_provider=local</quote> y el SSSD debe estar corriendo."
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:9
+msgid ""
+"The administrator might want to use the SSSD local users instead of "
+"traditional UNIX users in cases where the group nesting (see <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>) is needed. The local users are also useful for testing and "
+"development of the SSSD without having to deploy a full remote server. The "
+"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
+"local LDB storage to store users and groups."
+msgstr ""
+"El administrador puede desear usar los usuarios locales SSSD en lugar de los "
+"usuarios tradicionales UNIX en los casos donde los grupos anidados (vea "
+"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>) sean necesarios. Los usuarios locales son "
+"también útiles para la prueba y el desarrollo del SSSD sin tener que "
+"desplegar un servidor remoto completo. Las herramientas <command>sss_user*</"
+"command> y <command>sss_group*</command> usan un almacenamiento LDB local "
+"para almacenar usuarios y grupos."
+
+#. type: Content of: <refsect1><para>
+#: include/seealso.xml:4
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
+"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-"
+"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, "
+"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
+"refentrytitle><manvolnum>8</manvolnum> 
</citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
+"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> "
+"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> "
+"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> </phrase>"
+msgstr ""
+
+#. 
type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:3
+msgid ""
+"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
+"for this attribute type."
+msgstr ""
+"Una base DN opcional, alcance de la búsqueda y filtro LDAP para búsquedas "
+"LDAP de este tipo de atributo."
+
+#. type: Content of: <listitem><para><programlisting>
+#: include/ldap_search_bases.xml:9
+#, no-wrap
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+msgstr ""
+"search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+"\n"
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:7
+msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "sintaxis: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:13
+msgid ""
+"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope "
+"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/"
+"rfc4511"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:23
+msgid ""
+"For examples of this syntax, please refer to the <quote>ldap_search_base</"
+"quote> examples section."
+msgstr ""
+"Para ejemplos de esta sintaxis, por favor vea la sección de ejemplos de "
+"<quote>ldap_search_base</quote>"
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:31
+msgid ""
+"Please note that specifying scope or filter is not supported for searches "
+"against an Active Directory Server that might yield a large number of "
+"results and trigger the Range Retrieval extension in the response."
+msgstr ""
+"Por favor advierta que especificar el alcance o el filtro no está soportado "
+"para búsquedas contra un Active Directory Server que puede ceder un gran "
+"número de resultados y disparar la extensión Range Retrieval en la respuesta."
+
+#. 
type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" +"Por favor advierta que el automontador sólo lee el mapa maestro en el " +"arranque, se modo que si se hace cualquier cambio relacionado con autofs al " +"sssd.conf, usted normalmente también necesitará reiniciar el demonio " +"automontador después de reiniciar el SSSD." + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "override_homedir (cadena)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "número UID" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "nombre de dominio" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "%f" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "nombre totalmente cualificado del usuario (user@domain)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "%o" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "El directorio home original recuperado del proveedor de identidad." + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Anula el directorio home del usuario. Usted puede suministras bien un valor " +"absoluto o una plantilla. En la plantilla, serán sustituidas las siguientes " +"secuencias: <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "Por defecto: No fijado (SSSD usará el valor recuperado desde LDAP)" + +#. 
type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. 
The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "PLEASE NOTE: the support for non-unique named subpatterns is not "
+#~ "available on all platforms (e.g. RHEL5 and SLES10). Only platforms with "
+#~ "libpcre version 7 or higher can support non-unique named subpatterns."
+#~ msgstr ""
+#~ "POR FAVOR ADVIERTA: el soporte para subplantillas sin nombre único no "
+#~ "está disponible en todas las plataformas (por ejemplo, RHEL5 y SLES10). 
"
+#~ "Sólo las plataformas con la versión de libpcre 7 o superior pueden "
+#~ "soportar las subplantillas sin nombre único."
+
+#~ msgid ""
+#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
+#~ "(?P<name>) to label subpatterns."
+#~ msgstr ""
+#~ "POR FAVOR TENGA EN CUENTA ADEMAS: Versiones anteriores de libpcre sólo "
+#~ "soportan la sintaxis Python (?P<name>) para identificar "
+#~ "subpatrones."
diff --git a/src/man/po/eu.po b/src/man/po/eu.po
new file mode 100644
index 0000000..30ca7e3
--- /dev/null
+++ b/src/man/po/eu.po
@@ -0,0 +1,15612 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-14 11:55+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
+"eu/)\n"
+"Language: eu\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "Default: 14400 (4 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. 
Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +msgid "Default:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. 
The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +msgid "passwd_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +msgid "Default: /etc/passwd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +msgid "group_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" diff --git a/src/man/po/fi.po b/src/man/po/fi.po new file mode 100644 index 0000000..d73bfbe --- /dev/null +++ b/src/man/po/fi.po 
@@ -0,0 +1,15619 @@ +# Toni Rantala <trantalafilo@gmail.com>, 2017. #zanata +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.1\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: 2017-03-24 08:46+0000\n" +"Last-Translator: Toni Rantala <trantalafilo@gmail.com>\n" +"Language-Team: Finnish\n" +"Language: fi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: Zanata 4.4.5\n" +"Plural-Forms: nplurals=2; plural=(n != 1)\n" + +#. type: Content of: <reference><title> +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 +#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 +#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 +#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "SSSD ohjesivut" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "sss_groupmod" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "muokkaa ryhmää" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "KUVAUS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "VALINNAT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "debug_level (integer)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "debug_timestamps (bool)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Oletus:tosi" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Oletus:epätosi" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "palvelut" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "toimialueet" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "%1$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "käyttäjänimi" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "%2$s" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "%3$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "Oletus: ei asetettu" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "Oletus: ei asetettu(välilyöntejä ei korvata)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. 
In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "fd_limit" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "client_idle_timeout" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "offline_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "enum_cache_timeout (integer)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "Default: 14400 (4 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. 
The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. 
The list of " +"attributes is controlled by this option. It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. 
This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +#, fuzzy +#| msgid "Default: true" +msgid "Default:" +msgstr "Oletus:tosi" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. 
If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. 
This " +"parameter can have one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. 
The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr "ldap_purge_cache_timeout"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr "ldap_user_principal"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "Esimerkki: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. 
However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. 
In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. 
<placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. 
" +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). 
This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. 
SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. 
This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. 
If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). 
Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. 
In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. 
" +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. 
(<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. 
The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. 
Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. 
the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. 
attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. 
If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012
+msgid "krb5_confd_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023
+msgid ""
+"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:461
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:464
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431
+msgid "Default: 5 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:477
+msgid "ipa_deskprofile_request_interval (integer)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:480
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server in case the last request did not return any rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:485
+msgid "Default: 60 (minutes)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:491
+msgid "ipa_hbac_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:494
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:507
+msgid "ipa_hbac_selinux (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:510
+msgid ""
+"The amount of time between lookups of the SELinux maps against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many user login requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:523
+msgid "ipa_server_mode (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:526
+msgid ""
+"This option will be set by the IPA installer (ipa-server-install) "
+"automatically and denotes if SSSD is running on an IPA server or not."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:531
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:536
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:541
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:550
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:565
+msgid "ipa_automount_location (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "The automounter location this IPA client will be using"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:571
+msgid "Default: The location named \"default\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:579
+msgid "VIEWS AND OVERRIDES"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:588
+msgid "ipa_view_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:591
+msgid "Objectclass of the view container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:594
+msgid "Default: nsContainer"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:600
+msgid "ipa_view_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:603
+msgid "Name of the attribute holding the name of the view."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:613
+msgid "ipa_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:616
+msgid "Objectclass of the override objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:619
+msgid "Default: ipaOverrideAnchor"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:625
+msgid "ipa_anchor_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:628
+msgid ""
+"Name of the attribute containing the reference to the original object in a "
+"remote domain."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: ipaAnchorUUID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_user_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"Name of the objectclass for user overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:646
+msgid "User overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:649
+msgid "ldap_user_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:652
+msgid "ldap_user_uid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:655
+msgid "ldap_user_gid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:658
+msgid "ldap_user_gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:661
+msgid "ldap_user_home_directory"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:664
+msgid "ldap_user_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:667
+msgid "ldap_user_ssh_public_key"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:672
+msgid "Default: ipaUserOverride"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:678
+msgid "ipa_group_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:681
+msgid ""
+"Name of the objectclass for group overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:686
+msgid "Group overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:689
+msgid "ldap_group_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:692
+msgid "ldap_group_gid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:697
+msgid "Default: ipaGroupOverride"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:581
+msgid ""
+"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
+"later version. Since all paths and objectclasses are fixed on the server "
+"side there is basically no need to configure anything. For completeness the "
+"related options are listed here with their default values. <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:709
+msgid "SUBDOMAINS PROVIDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:711
+msgid ""
+"The IPA subdomains provider behaves slightly differently if it is configured "
+"explicitly or implicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:715
+msgid ""
+"If the option 'subdomains_provider = ipa' is found in the domain section of "
+"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+"subdomain requests are sent to the IPA server if necessary."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:721
+msgid ""
+"If the option 'subdomains_provider' is not set in the domain section of sssd."
+"conf but there is the option 'id_provider = ipa', the IPA subdomains "
+"provider is configured implicitly. In this case, if a subdomain request "
+"fails and indicates that the server does not support subdomains, i.e. is not "
+"configured for trusts, the IPA subdomains provider is disabled. After an "
+"hour or after the IPA provider goes online, the subdomains provider is "
+"enabled again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:732
+msgid "TRUSTED DOMAINS CONFIGURATION"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:738
+#, no-wrap
+msgid ""
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:734
+msgid ""
+"Some configuration options can be also set for a trusted domain. A trusted "
+"domain configuration can either be done using a subsection, for example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:743
+msgid ""
+"In addition, some options can be set in the parent domain and inherited by "
+"the trusted domain using the <quote>subdomain_inherit</quote> option. For "
+"more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:753
+msgid ""
+"Different configuration options are tunable for a trusted domain depending "
+"on whether you are configuring SSSD on an IPA server or an IPA client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:758
+msgid "OPTIONS TUNABLE ON IPA MASTERS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:760
+msgid ""
+"The following options can be set in a subdomain section on an IPA master:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794
+msgid "ad_server"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:767
+msgid "ad_backup_server"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797
+msgid "ad_site"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:773
+msgid "ldap_search_base"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:776
+#, fuzzy
+#| msgid "ldap_user_principal"
+msgid "ldap_user_search_base"
+msgstr "ldap_user_principal"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:779
+msgid "ldap_group_search_base"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:788
+msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:790
+msgid ""
+"The following options can be set in a subdomain section on an IPA client:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:802
+msgid ""
+"Note that if both options are set, only <quote>ad_server</quote> is "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:806
+msgid ""
+"Since any request for a user or a group identity from a trusted domain "
+"triggered from an IPA client is resolved by the IPA server, the "
+"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
+"which AD DC will the authentication be performed against. In particular, the "
+"addresses resolved from these lists will be written to <quote>kdcinfo</"
+"quote> files read by the Kerberos locator plugin. 
Please refer to the "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+"Kerberos locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:830
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:837
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+msgid "sssd-ad"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ad.5.xml:17
+msgid "SSSD Active Directory provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:23
+msgid ""
+"This manual page describes the configuration of the AD provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:36
+msgid ""
+"The AD provider is a back end used to connect to an Active Directory server. "
+"This provider requires that the machine be joined to the AD domain and a "
+"keytab is available. 
Back end communication occurs over a GSSAPI-encrypted "
+"channel, SSL/TLS options should not be used with the AD provider and will be "
+"superseded by Kerberos usage."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:44
+msgid ""
+"The AD provider supports connecting to Active Directory 2008 R2 or later. "
+"Earlier versions may work, but are unsupported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:48
+msgid ""
+"The AD provider can be used to get user information and authenticate users "
+"from trusted domains. Currently only trusted domains in the same forest are "
+"recognized. In addition servers from trusted domains are always auto-"
+"discovered."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:54
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:69
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:74
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:79
+msgid ""
+"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ad</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:91
+#, no-wrap
+msgid ""
+"ldap_id_mapping = False\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:85
+msgid ""
+"By default, the AD provider will map UID and GID values from the objectSID "
+"parameter in Active Directory. For details on this, see the <quote>ID "
+"MAPPING</quote> section below. If you want to disable ID mapping and instead "
+"rely on POSIX attributes defined in Active Directory, you should set "
+"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should "
+"be used, it is recommended for performance reasons that the attributes are "
+"also replicated to the Global Catalog. If POSIX attributes are replicated, "
+"SSSD will attempt to locate the domain of a requested numerical ID with the "
+"help of the Global Catalog and only search that domain. In contrast, if "
+"POSIX attributes are not replicated to the Global Catalog, SSSD must search "
+"all the domains in the forest sequentially. Please note that the "
+"<quote>cache_first</quote> option might be also helpful in speeding up "
+"domainless searches. Note that if only a subset of POSIX attributes is "
+"present in the Global Catalog, the non-replicated attributes are currently "
+"not read from the LDAP port."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:108
+msgid ""
+"Users, groups and other entities served by SSSD are always treated as case-"
+"insensitive in the AD provider for compatibility with Active Directory's "
+"LDAP implementation."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:123
+msgid "ad_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:126
+msgid ""
+"Specifies the name of the Active Directory domain. This is optional. If not "
+"provided, the configuration domain name is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:131
+msgid ""
+"For proper operation, this option should be specified as the lower-case "
+"version of the long version of the Active Directory domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:136
+msgid ""
+"The short domain name (also known as the NetBIOS or the flat name) is "
+"autodetected by the SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:143
+msgid "ad_enabled_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:146
+msgid ""
+"A comma-separated list of enabled Active Directory domains. If provided, "
+"SSSD will ignore any domains not listed in this option. If left unset, all "
+"domains from the AD forest will be available."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:156
+#, no-wrap
+msgid ""
+"ad_enabled_domains = sales.example.com, eng.example.com\n"
+" "
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:152
+msgid ""
+"For proper operation, this option must be specified in all lower-case and as "
+"the fully qualified domain name of the Active Directory domain. For example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:160
+msgid ""
+"The short domain name (also known as the NetBIOS or the flat name) will be "
+"autodetected by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:170
+msgid "ad_server, ad_backup_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:173
+msgid ""
+"The comma-separated list of hostnames of the AD servers to which SSSD should "
+"connect in order of preference. For more information on failover and server "
+"redundancy, see the <quote>FAILOVER</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:180
+msgid ""
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:185
+msgid ""
+"Note: Trusted domains will always auto-discover servers even if the primary "
+"server is explicitly defined in the ad_server option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:193
+msgid "ad_hostname (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:196
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the Active Directory domain to identify this "
+"host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:202
+msgid ""
+"This field is used to determine the host principal in use in the keytab. It "
+"must match the hostname for which the keytab was issued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:210
+msgid "ad_enable_dns_sites (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:217
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, the SSSD will first attempt to discover the "
+"Active Directory server to connect to using the Active Directory Site "
+"Discovery and fall back to the DNS SRV records if no AD site is found. The "
+"DNS SRV configuration, including the discovery domain, is used during site "
+"discovery as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:233
+msgid "ad_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:236
+msgid ""
+"This option specifies LDAP access control filter that the user must match in "
+"order to be allowed access. Please note that the <quote>access_provider</"
+"quote> option must be explicitly set to <quote>ad</quote> in order for this "
+"option to have an effect."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:244
+msgid ""
+"The option also supports specifying different filters per domain or forest. "
+"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. "
+"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or "
+"missing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:252
+msgid ""
+"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
+"quote> specifies the domain or subdomain the filter applies to. If the "
+"keyword equals to <quote>FOREST</quote>, then the filter equals to all "
+"domains from the forest specified by <quote>NAME</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:260
+msgid ""
+"Multiple filters can be separated with the <quote>?</quote> character, "
+"similarly to how search bases work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:265
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:278
+msgid ""
+"The most specific match is always used. 
For example, if the option specified "
+"filter for a domain the user is a member of and a global filter, the per-"
+"domain filter would be applied. If there are more matches with the same "
+"specification, the first one is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ad.5.xml:289
+#, no-wrap
+msgid ""
+"# apply filter on domain called dom1 only:\n"
+"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+"\n"
+"# apply filter on domain called dom2 only:\n"
+"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+"\n"
+"# apply filter on forest called EXAMPLE.COM only:\n"
+"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:308
+msgid "ad_site (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:311
+msgid ""
+"Specify AD site to which client should try to connect. If this option is "
+"not provided, the AD site will be auto-discovered."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:322
+msgid "ad_enable_gc (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:325
+msgid ""
+"By default, the SSSD connects to the Global Catalog first to retrieve users "
+"from trusted domains and uses the LDAP port to retrieve group memberships or "
+"as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
+"port of the current AD server."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +#, fuzzy +#| msgid "client_idle_timeout" +msgid "p11_child_timeout" +msgstr "client_idle_timeout" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+msgid "passwd_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: false"
+msgid "Default: /etc/passwd"
+msgstr "Oletus:epätosi"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+msgid "group_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: true"
+msgid "Default: /etc/group"
+msgstr "Oletus:tosi"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. 
All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" diff --git a/src/man/po/fr.po b/src/man/po/fr.po new file mode 100644 index 0000000..0b23694 --- /dev/null +++ b/src/man/po/fr.po 
@@ -0,0 +1,17659 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# +# Translators: +# Fabien Archambault <marbolangos@gmail.com>, 2012 +# Jérôme Fenal <jfenal@gmail.com>, 2012-2014 +# jhrozek <jhrozek@redhat.com>, 2014 +# Fabien Archambault <marbolangos@gmail.com>, 2012 +# sgallagh <sgallagh@redhat.com>, 2012 +# sgallagh <sgallagh@redhat.com>, 2012 +# Jérôme Fenal <jfenal@gmail.com>, 2015. #zanata +# Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>, 2016. #zanata +# Jérôme Fenal <jfenal@gmail.com>, 2016. #zanata +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.1\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: 2016-03-19 03:04+0000\n" +"Last-Translator: Jean-Baptiste Holcroft <jean-baptiste@holcroft.fr>\n" +"Language-Team: French (http://www.transifex.com/projects/p/sssd/language/" +"fr/)\n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n > 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#. 
type: Content of: <reference><title> +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 +#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 +#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 +#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "Pages de manuel de SSSD" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "sss_groupmod" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "modifier un groupe" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "DESCRIPTION" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" +"<command>sss_groupmod</command> modifie le groupe pour refléter les " +"changements spécifiés sur la ligne de commande." + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "OPTIONS" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Ajouter ce groupe aux groupes spécifiés par le paramètre " +"<replaceable>GROUPS</replaceable>. Le paramètre <replaceable>GROUPS</" +"replaceable> est une liste séparée par des virgules de noms de groupe." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." 
+msgstr "" +"Supprime ce groupe des groupes spécifiés par le paramètre " +"<replaceable>GROUPS</replaceable>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Formats de fichier et conventions" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "Le fichier de configuration pour SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "FORMAT DE FICHIER" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Ce fichier utilise la syntaxe de style « .ini » et est constituée de " +"sections et de paramètres. Une section commence par le nom de la section " +"entre crochets et continue jusqu'à la section suivante. Un exemple de " +"section avec des paramètres mono et multi-valués : <placeholder type=" +"\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" +"Les types de données utilisées sont des chaînes (pas de guillemets " +"nécessaires), des entiers et des booléens (ayant pour valeur <quote>TRUE/" +"FALSE</quote>)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +#, fuzzy +#| msgid "" +#| "A line comment starts with a hash sign (<quote>#</quote>) or a semicolon " +#| "(<quote>;</quote>). Inline comments are not supported." +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" +"Un commentaire de ligne commence par un octothorpe (<quote>#</quote>) ou un " +"point-virgule (<quote>;</quote>). Les commentaires au sein d'une ligne ne " +"sont pas pris en charge." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." 
+msgstr "" +"Toutes les sections peuvent avoir un paramètre facultatif de " +"<replaceable>description</replaceable>. Sa fonction ne sert qu'à nommer la " +"section." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" +"<filename>sssd.conf</filename> doit être un fichier normal, appartenant à " +"root, et seul root doit pouvoir écrire et lire ce fichier." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) 
can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "OPTIONS GÉNÉRALES" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" +"Les options qui suivent peuvent être utilisées dans plus d'une section de " +"configuration." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "Options utilisables dans toutes les sections" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "debug_level (entier)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "debug_timestamps (booléen)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" +"Ajoute un horodatage aux messages de débogage. Si journald est activé pour " +"la journalisation de débogage de SSSD, cette option sera ignorée." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Par défaut : true" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "debug_microseconds (booléen)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" +"Ajouter les microsecondes à l'horodatage dans les messages de débogage. Si " +"journald est activé pour la journalisation de débogage de SSSD, cette option " +"sera ignorée." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Par défaut : false" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "Options utilisables dans les sections SERVICE et DOMAIN" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "timeout (entier)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Par défaut : 10" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "SECTIONS SPÉCIALES" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "La section [sssd]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Paramètres de sections" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "config_file_version (entier)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" +"Indique la syntaxe du fichier de configuration. Pour SSSD 0.6.0 ou " +"supérieure utiliser la version 2." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "services" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" +"Les services pris en charge : nss, pam <phrase condition=\"with_sudo\">, " +"sudo</phrase> <phrase condition=\"with_autofs\"> ,autofs</phrase> <phrase " +"condition=\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder" +"\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "reconnection_retries (entier)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" +"Nombre d'essais de reconnection ou de redémarrage que les services doivent " +"effectuer dans le cas d'un plantage du fournisseur de données avant " +"d'abandonner" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Par défaut : 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "domaines" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "re_expression (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" +"L'expression régulière par défaut qui décrit la manière d'analyser la chaîne " +"contenant le nom d'utilisateur et de domaine dans ces composants." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "full_name_format (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" +"Un format compatible avec<citerefentry> <refentrytitle>printf</" +"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> décrivant comment " +"composer un domaine pleinement qualifé à partir des noms d'utilisateur et de " +"domaine." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "%1$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "nom d'utilisateur" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "%2$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" +"nom de domaine tel qu'indiqué dans le fichier de configuration de SSSD." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "%3$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" +"nom de domaine à plat. Utilisable principalement pour les domaines Active " +"Directory, configurés directement ou découverts via les relations " +"d'approbation IPA." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" +"Les expansions suivantes sont prises en charge : <placeholder type=" +"\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" +"Chaque domaine peut avoir une chaîne de format individuelle configurée. " +"Voir les SECTIONS DOMAINE pour plus d'informations sur cette option." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "try_inotify (booléen)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. 
By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+"SSSD gère l'état de resolv.conf pour identifier les besoins de mise à jour "
+"des résolutions DNS internes. Par défaut, l'utilisation de inotify sera "
+"tentée, et reviendra à une interrogation de resolv.conf toutes les cinq "
+"secondes si inotify échoue."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:333
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+"Il existe quelques cas spécifiques où l'utilisation de inotify n'est pas "
+"conseillée. Dans ces rares cas, cette option devrait être définie à « false »"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+"Par défaut : true sur les plates-formes où inotify est pris en charge. False "
+"sur les autres plates-formes."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+"Note : cette option n'aura aucun effet sur les plateformes où inotify n'est "
+"pas disponible. Sur celles-ci, l'interrogation régulière sera toujours "
+"utilisée."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr "krb5_rcache_dir (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Répertoire du système de fichiers où SSSD doit stocker les fichiers de cache "
+"de rejeu Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+"Cette option accepte une valeur spéciale __LIBKRB5_DEFAULTS__ qui indiquera "
+"à SSSD de laisser libkrb5 décider l'emplacement approprié pour le cache de "
+"relecture."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+"Par défaut : paramètre spécifique à la distribution et spécifié au moment de "
+"la construction du logiciel. (__LIBKRB5_DEFAULTS__ si non configuré)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr "user (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. 
Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr "Par défaut : non défini, le processus tourne en tant que root"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr "default_domain_suffix (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+"Cette chaîne servira comme nom de domaine par défaut pour tous les noms sans "
+"composant de nom de domaine. Les principaux cas d'utilisation sont les "
+"environnements où le domaine principal va permettre de gérer les politiques "
+"de systèmes ainsi que tous les utilisateur provenant d'un domaine approuvé. "
+"L'option permet à ces utilisateurs de se connecter sans fournir un nom de "
+"domaine."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. 
It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+"Noter que, si cette option est définie, tous les utilisateurs du domaine "
+"principal doivent utiliser leur nom pleinement qualifié, par exemple "
+"user@domain.name, pour se connecter. L'utilisation de cette option modifie "
+"la valeur par défaut de use_fully_qualified_names à True. Il n'est pas "
+"possible ni autorisé d'utiliser cette option avec l'option "
+"use_fully_qualified_names à False."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr "Par défaut : non défini"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr "override_space (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+"Ce paramètre remplace les espaces avec le caractère indiqués pour les noms "
+"d'utilisateurs et de groupes, par ex. (_). Ainsi, le nom "john "
+"doe" deviendra "john_doe". 
Cette fonctionnalité a été ajoutée "
+"pour aider à la compatibilité avec les scripts shells qui ont des "
+"difficultés à gérer les espaces, du fait que l'espace est le séparateur par "
+"défaut de l'interpréteur de commande."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr "Par défaut : non défini (les espaces ne seront pas remplacées)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. 
In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr "Par défaut : non défini"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Les fonctionnalités propres à SSSD sont fournies par des services "
+"spécifiques SSSD, qui sont démarrés et arrêtés en même temps que SSSD. Les "
+"services sont gérés par un service spécifique souvent appelé le "
+"<quote>moniteur</quote>. La section <quote>[sssd]</quote> est utilisée pour "
+"configurer le moniteur ainsi que certaines options importantes comme "
+"l'identité des domaines. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "SECTIONS DE SERVICES"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+"Les options utilisables pour configurer les différents services sont "
+"décrites dans cette section. Ils doivent être situés dans la section "
+"[<replaceable>$NAME</replaceable>], par exemple pour le service NSS, la "
+"section doit être <quote>[nss]</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "Options générales de configuration de service"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "Ces options peuvent être utilisées pour configurer les services."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr "fd_limit"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+"Cette option spécifie le nombre maximal de descripteurs de fichiers qui "
+"peuvent être ouverts en même temps par ce processus SSSD. 
Sur les systèmes "
+"où SSSD se voit accorder la capacité CAP_SYS_RESOURCE, ce sera une limite "
+"absolue. Sur les systèmes sans cette capacité, la valeur résultante sera la "
+"valeur inférieure ou la limite « hard » de limits.conf."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr "Par défault : 8192 (ou la limite « hard » de limits.conf)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr "Par défaut : 60"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr "offline_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. 
This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr "offline_timeout + random_offset"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr "new_interval = old_interval*2 + random_offset"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Par défaut : 300"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr "Options de configuration NSS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+"Ces options peuvent être utilisées pour configurer le service Name Service "
+"Switch (NSS)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr "enum_cache_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+"La durée en secondes pendant laquelle nss_sss doit mettre en cache les "
+"énumérations (requêtes sur les informations de tous les utilisateurs)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "Par défaut : 120"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr "entry_cache_nowait_percentage (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+"La valeur du cache peut être définie pour mettre à jour automatiquement les "
+"entrées en arrière plan si la requête ne dépasse pas un pourcentage de la "
+"valeur de entry_cache_timeout pour le domaine."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+"Par exemple, si la valeur entry_cache_timeout du domaine est à 30 secondes "
+"et que entry_cache_nowait_percentage est à 50 (%), les entrées qui veulent "
+"mettre à jour le cache après 15 secondes seront renvoyées immédiatement, "
+"mais SSSD continuera et mettra à jour le cache de lui-même. Ainsi, les "
+"prochaines requêtes ne seront pas bloquées en attendant une mise à jour du "
+"cache."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. 
For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+"Les valeurs autorisées pour cette option vont de 0 à 99 et représentent un "
+"pourcentage de la valeur entry_cache_timeout pour chaque domaine. Pour des "
+"raisons de performance, ce pourcentage ne réduira jamais le délai d'attente "
+"de non réponse à moins de 10 secondes (0 pour désactiver l'option)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "Par défaut : 50"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"Spécifie le temps, en secondes, pendant lequel nss_sss doit mettre en cache "
+"les résultats négatifs du cache (c'est-à-dire les requêtes pour les bases de "
+"données invalides, comme celles qui n'existent pas) avant de faire à nouveau "
+"appel au moteur."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr "Par défaut : 15"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 86400 (24 hours)"
+msgid "Default: 14400 (4 hours)"
+msgstr "Par défaut : 86400 (24 heures)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr "filter_users, filter_groups (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr "Par défaut : root"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr "filter_users_in_groups (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+"Mettre cette option à « false » si les utilisateurs filtrés doivent rester "
+"membres de groupes."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr "fallback_homedir (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+"Définir un modèle par défaut pour un répertoire utilisateur si aucun n'est "
+"explicitement spécifié par le fournisseur de données du domaine."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+"Les valeurs disponibles pour cette option sont les mêmes que pour "
+"override_homedir."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+"fallback_homedir = /home/%u\n"
+" "
+
+#. 
type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+"Par défaut : non défini (aucune substitution pour les répertoires d'accueil "
+"non définis)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr "override_shell (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+"Écrase l'interpréteur de commande à utiliser pour tous les utilisateurs. "
+"Cette option prend le pas sur toutes les autres options d'interpréteur de "
+"commande si elle est en action, et peut être indiquée au choix soit dans la "
+"section [nss], soit par domaine."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr "Par défaut : indéfini (SSSD utilisera la valeur récupérée de LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr "allowed_shells (chaîne)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+"Restreindre l'interpréteur de commandes de l'utilisateur à l'une des valeurs "
+"indiquées. L'ordre d'évaluation est :"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+"1. Si l'interpréteur de commandes est présent dans <quote>/etc/shells</"
+"quote>, il est utilisé."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+"2. Si l'interpréteur de commandes est dans la liste « allowed_shells » mais "
+"n'est pas dans <quote>/etc/shells</quote>, la valeur de repli de « "
+"shell_fallback » sera utilisée."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+"3. Si l'interpréteur de commandes n'est ni dans la liste « allowed_shells » "
+"ni dans <quote>/etc/shells</quote>, une connexion sans shell est utilisée."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+"Une chaîne vide pour l'interpréteur de commandes est passée telle quelle est "
+"à la libc."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+"Le fichier <quote>/etc/shells</quote> n'est lu qu'au démarrage de SSSD. Un "
+"redémarrage de SSSD est nécessaire si un nouvel interpréteur de commandes "
+"est installé."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+"Par défaut : non défini. L'interpréteur de commandes de l'utilisateur est "
+"utilisé automatiquement."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr "vetoed_shells (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+"Remplace toutes les occurences de ces interpréteurs de commandes par "
+"l'interpréteur de commandes par défaut"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr "shell_fallback (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+"L'interpréteur de commandes par défaut à utiliser si un interpréteur de "
+"commandes autorisé n'est pas installé sur la machine."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr "Par défaut : /bin/sh"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr "default_shell"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+"L'interpréteur de commande par défaut à utiliser si le fournisseur n'en "
+"renvoie pas un lors de la recherche. Cette option peut être indiquée au "
+"choix soit dans la section [nss], soit par domaine."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+"Par défaut : non défini (retourne NULL si aucun shell n'est spécifié et "
+"s'appuyer sur la libc pour remplacer par quelque chose de sensé lorsque "
+"nécessaire, habituellement /bin/sh)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr "get_domains_timeout (int)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+"Spécifie la durée en secondes pendant laquelle la liste de sous-domaines est "
+"jugée valide."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr "memcache_timeout (int)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr "user_attributes (chaîne)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr "Par défaut : non défini, repli sur l'option InfoPipe"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr "Cette option peut aussi être définie pour chaque domaine."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr "Options de configuration de PAM"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+"Ces options permettent de configurer le service Pluggable Authentication "
+"Module (PAM)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr "offline_credentials_expiration (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+"Si le fournisseur d'authentification est déconnecté, combien de temps "
+"autoriser les connexions à partir du cache (en jours depuis la dernière "
+"connexion réussie)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr "Par défaut : 0 (pas de limite)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr "offline_failed_login_attempts (entier)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+"Si le fournisseur d'authentification est déconnecté, combien de connexions "
+"échouées sont autorisées."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr "offline_failed_login_delay (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+"Le temps en minutes à attendre après avoir atteint "
+"offline_failed_login_attempts avant qu'une nouvelle tentative de connexion "
+"soit possible."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+"Si la valeur est à 0, l'utilisateur ne peut s'authentifier en mode "
+"déconnecté si offline_failed_login_attempts est atteint. Seulement une "
+"connexion réussie en ligne peut réactiver l'authentification."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr "Par défaut : 5"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr "pam_verbosity (entier)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+"Contrôle le type de messages affichés à l'utilisateur pendant le processus "
+"d'authentification. Plus le nombre est grand, plus le nombre de messages "
+"affichés sera important."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr "Actuellement sssd supporte les valeurs suivantes :"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr "<emphasis>0</emphasis> : ne pas afficher de message"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr "<emphasis>1</emphasis> : afficher seulement les messages importants"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr "<emphasis>2</emphasis> : afficher les messages d'information"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+"<emphasis>3</emphasis> : afficher tous les messages et informations de "
+"débogage"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr "Par défaut : 1"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr "pam_id_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+"Lors de chaque requête PAM quand SSSD est en mode connecté, SSSD tentera de "
+"mettre à jour immédiatement les informations d'identité mises en cache pour "
+"l'utilisateur de manière à s'assurer que l'authentification se fasse avec "
+"les dernières informations."
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+"Une conversation PAM complète peut effectuer plusieurs requêtes PAM, comme "
+"la gestion de compte et l'ouverture de session. Cette option contrôle (par "
+"client et par application) la durée (en secondes) de mise en cache des "
+"informations d'identité afin d'éviter de nombreux aller-retour avec le "
+"fournisseur d'identité."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr "pam_pwd_expiration_warning (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr "Afficher une alerte N jours avant l'expiration du mot de passe."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+"Noter que le moteur du service doit fournir des informations à propos du "
+"délai d'expiration du mot de passe. Si cette information est manquante, sssd "
+"ne peut afficher de message d'alerte."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+"Si la valeur est zéro, ce filtre n'est pas appliqué, c'est-à-dire que si "
+"l'avertissement d'expiration est reçu de la part du moteur du serveur, il "
+"sera automatiquement affiché."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+"Ce paramètre peut être surchargé par le paramètre "
+"<emphasis>pwd_expiration_warning</emphasis> pour un domaine particulier."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr "Par défaut : 0"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr "pam_trusted_users (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr "pam_public_domains (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+"Deux valeurs spéciales pour l'option pam_public_domains sont définies :"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+"all (tous les utilisateurs non dignes de confiance sont autorisés à accéder "
+"à tous les domaines PAM dans le répondeur.)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+"none (les utilisateurs non dignes de confiance, Untrusted, ne sont pas "
+"autorisés à accéder à un des domaines PAM dans le répondeur.)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr "Par défaut : aucun"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr "pam_account_expired_message (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr "Par défaut : False"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "Par défaut : 3"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr "Options de configuration de SUDO"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Ces options peuvent être utilisées pour configurer le service sudo. Les "
+"directives de configuration de <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> dans <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"sont détaillées dans la page de manuel <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr "sudo_timed (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+"Évaluation ou non des attributs sudoNotBefore et sudoNotAfter qui utilisent "
+"les entrées sudoers sensibles au temps."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr "Options de configuration AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr "Ces options peuvent être utilisées pour configurer le service autofs."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr "autofs_negative_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"Spécifie le délai en secondes pendant lequel le répondeur autofs stocke les "
+"réponses négatives (autrement dit, les requêtes pour les entrées de mappage "
+"non valide, comme celles qui n'existent pas) avant de demander à nouveau au "
+"moteur."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr "Options de configuration SSH"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr ""
+"Les options suivantes peuvent être utilisées pour configurer le service SSH."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr "ssh_hash_known_hosts (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+"Condenser ou non les noms de systèmes et adresses du fichier known_hosts"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr "ssh_known_hosts_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+"La durée en secondes pendant laquelle conserver un système dans le fichier "
+"known_hosts géré après que ses clés de système ont été demandés."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr "Par défaut : 180"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+#, fuzzy
+#| msgid "ldap_user_certificate (string)"
+msgid "ssh_use_certificate_keys (bool)"
+msgstr "ldap_user_certificate (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+#, fuzzy
+#| msgid ""
+#| "The skeleton directory, which contains files and directories to be copied "
+#| "in the user's home directory, when the home directory is created by "
+#| "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>"
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+"Le répertoire squelette contenant les fichiers et répertoires à copier dans "
+"le répertoire personnel de l'utilisateur une fois ce répertoire créé par "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr "Options de configuration du répondeur PAC"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. 
The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+"S'il y a des SID de groupes des domaines connus de sssd, l'utilisateur sera "
+"ajouté à ces groupes."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+"Les options suivantes peuvent être utilisées pour configurer le répondeur "
+"PAC."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr "allowed_uids (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+"Spécifie la liste séparée par des virgules des UID ou noms d'utilisateurs "
+"qui sont autorisés à accéder au répondeur PAC. Les noms d'utilisateurs "
+"seront résolus en UID au démarrage."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+"Par défaut : 0 (seul l'utilisateur root est autorisé à accéder au répondeur "
+"PAC)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+"Noter que bien que l'UID 0 est utilisé par défaut, il sera remplacé par "
+"cette option. Si vous voulez continuer à permettre à l'utilisateur root à "
+"accéder au répondeur PAC, ce qui serait un cas habituel, vous devez ajouter "
+"0 à la liste des UID d'utilisateurs autorisés."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr "SECTIONS DOMAINES"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr "min_id,max_id (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+"Limites UID et GID pour le domaine. Si un domaine contient une entrée en "
+"dehors de ces limites, elle est ignorée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. 
For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+"Pour les utilisateurs, cela affecte la limite des GID primaires. "
+"L'utilisateur ne sera pas renvoyé vers NSS si l'UID ou le GID primaire sont "
+"en dehors de la plage. Pour l'appartenance à un groupe non primaire, ceux "
+"qui sont dans la plage seront rapportés comme prévu."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+"Ces limites d'identifiants affecte aussi les mises en cache des entrées, et "
+"pas seulement leur recherche par nom ou identifiant."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr "Default: 1 for min_id, 0 (no limit) for max_id"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr "enumerate (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr "TRUE = utilisateurs et groupes sont énumérés"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr "FALSE = aucune énumération pour ce domaine"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "Par défaut : FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+"Lorsque la première énumération est en cours, les requêtes pour des listes "
+"utilisateurs ou de groupes peuvent retourner des résultats vides avant que "
+"l'énumération ne se termine."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+"De plus, activer l'énumération peut augmenter le temps nécessaire pour "
+"détecter la déconnexion d'un réseau, puisque des délais d'attente supérieurs "
+"sont nécessaires pour s'assurer que les requêtes d'énumération se terminent "
+"avec succès. Pour plus d'informations, se référer au manuel pour le "
+"fournisseur d'identité spécifique utilisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+"Pour les raisons citées plus haut, l'activation de l'énumération est "
+"déconseillée, surtout dans les environnements de grande taille."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr "subdomain_enumerate (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr "all"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr "Tous les domaines approuvés découverts seront énumérés"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr "none"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr "Aucun domaine approuvé découvert ne sera énuméré"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+"Les domaines approuvés auto-détectés doivent-ils être énumérés ?\n"
+"Les valeurs prises en charge sont : <placeholder type=\"variablelist\" id="
+"\"0\"/> \n"
+"De manière facultative, une liste d'un ou plusieurs noms de domaines peut "
+"activer l'énumération pour ces seuls domaines."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr "entry_cache_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+"La durée en secondes pendant laquelle nss_sss doit considérer les entrées "
+"comme valides avant de les redemander au moteur"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. 
Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+"Les horodatages d'expiration de cache sont stockés en tant qu'attributs des "
+"objets individuels dans le cache. Il en découle que la modification du délai "
+"d'expiration du cache ne sera pris en compte que pour les entrées qui y sont "
+"nouvellement ajoutées, ou pour celles qui ont expiré. Vous devriez utiliser "
+"l'outil <citerefentry> <refentrytitle>sss_cache</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> de manière à forcer un "
+"rafraîchissement des entrées qui sont déjà en cache."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "Par défaut : 5400"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr "entry_cache_user_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+"La durée en secondes pendant laquelle nss_sss doit considérer les entrées "
+"d'utilisateurs comme valides avant de les redemander au moteur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr "Par défaut : entry_cache_timeout"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr "entry_cache_group_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+"La durée en secondes pendant laquelle nss_sss doit considérer les entrées de "
+"groupes comme valides avant de les redemander au moteur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr "entry_cache_netgroup_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+"La durée en secondes pendant laquelle nss_sss doit considérer les entrées de "
+"netgroup comme valides avant de les redemander au moteur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr "entry_cache_service_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+"La durée en secondes pendant laquelle nss_sss doit considérer les entrées de "
+"service valides avant de les redemander au moteur"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr "entry_cache_sudo_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+"La durée en secondes pendant laquelle sudo doit considérer les règles comme "
+"valides avant de les redemander au moteur"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr "entry_cache_autofs_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+"La durée en secondes pendant laquelle le service autofs doit considérer les "
+"cartes d'automontage comme valides avant de les redemander au moteur"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr "entry_cache_ssh_host_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+"La durée en secondes pendant laquelle conserver une clé ssh d'hôte après "
+"rafraichissement. I.e. combien de temps mettre la clé en cache."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr "refresh_expired_interval (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+"Indique la durée en secondes pendant laquelle SSSD doit attendre avant de "
+"déclencher une tâche en arrière-plan qui rafraichira tous les "
+"enregistrements expirés ou sur le point de l'être."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+"Il est envisageable de configurer cette valeur à 3/4 * entry_cache_timeout."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr "Par défaut : 0 (désactivé)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr "cache_credentials (booléen)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+"Détermine si les données d'identification de l'utilisateur sont aussi mis en "
+"cache dans le cache LDB local"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+"Les informations d'identification utilisateur sont stockées dans une table "
+"de hachage SHA512, et non en texte brut"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr "Par défaut : 8"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr "account_cache_expiration (entier)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+"Durée en jours pendant laquelle les entrées sont stockées dans le cache "
+"après la dernière connexion réussie, avant d'être enlevées lors du nettoyage "
+"du cache. 0 signifie qu'elles sont conservées indéfiniment. La valeur de ce "
+"paramètre doit être supérieur ou égal à offline_credentials_expiration."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "Par défaut : 0 (illimité)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr "pwd_expiration_warning (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+"Veuillez noter que le moteur du service doit fournir des informations à "
+"propos du délai d'expiration du mot de passe. Si cette information est "
+"manquante, sssd ne peut afficher de message d'alerte. De plus, un "
+"fournisseur oauth doit être configuré pour le moteur."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr "Par défaut : 7 (Kerberos), 0 (LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr "id_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+"Le fournisseur d'identification utilisé pour le domaine. Les fournisseurs "
+"d'identification pris en charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+#, fuzzy
+#| msgid "<quote>proxy</quote>: Support a legacy NSS provider"
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr "<quote>proxy</quote> : prise en charge de l'ancien fournisseur NSS"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+#, fuzzy
+#| msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr ""
+"<quote>local</quote> : Fournisseur interne SSSD pour les utilisateurs locaux"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+#, fuzzy
+#| msgid ""
+#| "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> for more information on configuring LDAP."
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+"<quote>ldap</quote> : fournisseur LDAP. Cf. "
+"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration de "
+"LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> : fournisseur LDAP. Cf. "
+"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration de "
+"LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+"<quote>ipa</quote> : fournisseur FreeIPA et Red Hat Enterprise Identity "
+"Management. Cf. <citerefentry><refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> pour plus d'informations sur la "
+"configuration de FreeIPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+"<quote>ad</quote> : fournisseur Active Directory. Cf. "
+"<citerefentry><refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration "
+"d'Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr "use_fully_qualified_names (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+"Utiliser le nom complet et le domaine (comme formaté par le paramètre "
+"full_name_format du domaine) comme nom de connexion de l'utilisateur "
+"communiqué à NSS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+"Si défini à TRUE, toutes les requêtes pour ce domaine doivent utiliser des "
+"noms pleinement qualifiés. Par exemple, pour un utilisateur « test » dans un "
+"domaine LOCAL, <command>getent passwd test</command> ne trouvera pas "
+"l'utilisateur avant que <command>getent passwd test@LOCAL</command> ne le "
+"trouve."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+"NOTE : Cette option n'a pas d'effet sur les recherches de netgroups, du fait "
+"de leur tendance à inclure des groupes imbriqués sans noms qualifiés. Pour "
+"les netgroups, la recherche se fera dans tous les domaines lorsqu'un nom non "
+"qualifié sera demandé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr "Par défaut : false (true si default_domain_suffix est utilisée)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr "ignore_group_members (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr "Ne pas envoyer les membres des groupes sur les recherches de groupes."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+"Le fournisseur d'authentification utilisé pour le domaine. Les fournisseurs "
+"pris en charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> pour une authentification LDAP native. Cf. "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> pour plus d'informations sur la configuration de "
+"LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> pour une authentification Kerberos. Cf. <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> pour plus d'informations sur la configuration de Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> pour relayer l'authentification vers d'autres cibles "
+"PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr ""
+"<quote>local</quote> : Fournisseur interne SSSD pour les utilisateurs locaux"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr "<quote>none</quote> désactive l'authentification explicitement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut "
+"gérer les requêtes d'authentification."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr "access_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+"Le fournisseur de contrôle d'accès utilisé pour le domaine. Il y a deux "
+"fournisseurs d'accès natifs (en plus de ceux disponibles dans les moteurs "
+"installés). Les fournisseurs internes spécifiques sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+"<quote>permit</quote> toujours autoriser l'accès. C'est le seul fournisseur "
+"d'accès autorisé pour un domaine local."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr "<quote>deny</quote> toujours refuser les accès."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+"Contrôle d'accès <quote>simple</quote> basé sur des listes d'autorisations "
+"ou de refus d'accès. Cf. <citerefentry> <refentrytitle>sssd-simple</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> pour plus "
+"d'informations sur la configuration du module d'accès simple."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr "Par défaut : <quote>permit</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr "chpass_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+"Le fournisseur qui doit gérer le changement des mots de passe pour le "
+"domaine. Les fournisseurs pris en charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> pour changer le mot de passe Kerberos. Cf. "
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> pour plus d'informations sur la configuration de "
+"Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> pour relayer le changement de mot de passe vers une "
+"autre cible PAM."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+"<quote>none</quote> pour désactiver explicitement le changement de mot de "
+"passe."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+"Par défaut : <quote>auth_provider</quote> est utilisé si il est défini et "
+"peut gérer les changements de mot de passe."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr "sudo_provider (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+"Le fournisseur SUDO, utilisé pour le domaine. Les fournisseurs SUDO pris en "
+"charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> pour les règles stockés dans LDAP. Voir "
+"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration de "
+"LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+"<quote>ipa</quote> identiqué à <quote>ldap</quote> mais avec les paramètres "
+"par défaut pour IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+"<quote>ipa</quote> identiqué à <quote>ldap</quote> mais avec les paramètres "
+"par défaut pour AD."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr "<quote>none</quote> désactive explicitement SUDO."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+"Par défaut : La valeur de <quote>id_provider</quote> est utilisée si elle "
+"est définie."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr "selinux_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+"Le fournisseur qui doit gérer le chargement des paramètres de selinux. "
+"Remarque : ce fournisseur sera appelé juste après la fin de l'appel au "
+"fournisseur d'accès. Les fournisseurs selinux pris en charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> pour charger les paramètres selinux depuis un serveur "
+"IPA. Cf. <citerefentry><refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration de "
+"IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+"<quote>none</quote> n'autorise pas la récupération explicite des paramètres "
+"selinux."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+"Par défaut : <quote>id_provider</quote> est utilisé s'il est défini et peut "
+"gérer le chargement selinux"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr "subdomains_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+"Le fournisseur doit être capable de gérer la récupération des sous-"
+"domaines. Cette valeur doit être toujours identique à id_provider. Les "
+"fournisseurs de sous-domaine pris en charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> pour charger une liste de sous-domaines depuis un serveur "
+"IPA. Cf. <citerefentry><refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour plus d'informations sur la configuration de "
+"IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+"<quote>none</quote> désactive la récupération explicite des sous-domaines."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr "autofs_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+"Le fournisseur autofs utilisé pour le domaine. Les fournisseurs autofs pris "
+"en charge sont :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> pour charger les cartes stockées dans LDAP. Cf. "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> pour plus d'informations sur la configuration de "
+"LDAP."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> pour charger les cartes stockées sur un serveur IPA. Cf. "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> pour plus d'information sur la configuration de "
+"IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr "<quote>none</quote> désactive explicitement autofs."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr "hostid_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+"Le fournisseur utilisé pour récupérer les informations d'identité des "
+"systèmes. Les fournisseurs de hostid pris en charge sont :"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> pour charge l'identité du système stockée sur un serveur "
+"IPA. Cf. <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> pour plus d'informations sur la "
+"configuration de IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr "<quote>none</quote> désactive explicitement hostid."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+"L'expression rationnelle pour ce domaine qui décrit comment analyser la "
+"chaîne contenant le nom d'utilisateur et domaine et en extraire ces "
+"composants. Le « domaine » peut correspondre à soit au nom de domaine de la "
+"configuration SSSD, ou, dans le cas de relations d'approbations avec des "
+"sous-domaines IPA ou des domaines Active Directory, le nom plat (NetBIOS) du "
+"domaine."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+"Valeur par défaut pour les fournisseurs AD et IPA : <quote>(((?P<"
+"domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<"
+"domain>.+$))|(^(?P<name>[^@\\\\]+)$))</quote> qui utilisent trois "
+"styles différents pour les noms d'utilisateurs :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr "username"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr "username@domain.name"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr "domain\\username"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+"Bien que les deux premiers correspondent à la valeur par défaut en général "
+"le troisième est introduit pour permettre une intégration facile des "
+"utilisateurs de domaines Windows."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+"Par défaut : <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"qui se traduit par « peu importe le nom jusqu'au <quote>@</quote>, peu "
+"importe le domaine après »"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Par défaut : <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr "lookup_family_order (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+"Fournit la possibilité de sélectionner la famille d'adresse préférée à "
+"utiliser pour effectuer les requêtes DNS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "Valeurs prises en charge :"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+"ipv4_first : essayer de chercher une adresse IPv4, et en cas d'échec, "
+"essayer IPv6."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+"ipv4_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv4."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+"ipv6_first : essayer de chercher une adresse IPv6, et en cas d'échec, tenter "
+"IPv4."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+"ipv6_only : ne tenter de résoudre les noms de systèmes qu'en adresses IPv6."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr "Par défaut : ipv4_first"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr "dns_resolver_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "Par défaut : 6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr "dns_discovery_domain (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+"Si la découverte de services est utilisé par le moteur, spécifie la partie "
+"du domaine faisant partie de la requête DNS de découverte de services."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+"Par défaut : utiliser la partie du domaine qui est dans le nom de système de "
+"la machine."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr "override_gid (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr "Redéfinit le GID primaire avec la valeur spécifiée."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr "case_sensitive (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr "True"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr "False"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr "Insensible à la casse."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr "Preserving"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+"Comme False (insensible à la casse), mais ne convertit pas les noms en "
+"minuscules lors des opérations NSS. Notez que les alias de noms (et dans le "
+"cas des services les noms de protocoles) sont toujours en minuscule dans la "
+"sortie."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr "Par défaut : true (false pour le fournisseur AD)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr "subdomain_inherit (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr "ldap_user_principal"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "Exemple : <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr "subdomain_homedir (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr "%F"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr "nom plat (NetBIOS) d'un sous-domaine."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. 
In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Utiliser ce répertoire utilisateur comme valeur par défaut pour tous les "
+"sous-domaines dans cette relation d'approbation Active Directory. Voir "
+"<emphasis>override_homedir</emphasis> pour des informations sur les valeurs "
+"possibles. En plus de celles-ci, le remplacement ci-dessous ne peut être "
+"utilisé qu'avec <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+"La valeur peut être surchargée par l'option <emphasis>override_homedir</"
+"emphasis>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr "Par défaut : <filename>/home/%d/%u</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr "realmd_tags (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+"Étiquettes diverses stockées par le service de configuration de realmd pour "
+"ce domaine."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Ces options de configuration peuvent être présentes dans la section de "
+"configuration du domaine, c'est-à-dire dans la section nommée <quote>[domain/"
+"<replaceable>NAME</replaceable>]</quote> <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr "proxy_pam_target (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr "Le proxy cible duquel PAM devient mandataire."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+"Par défaut : non défini, il faut utiliser une configuration de pam existante "
+"ou en créer une nouvelle et ajouter le nom de service ici."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr "proxy_lib_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+"Le nom de la bibliothèque NSS à utiliser dans les domaines proxy. Les "
+"recherches de fonctions NSS dans la bibliothèque sont sous la forme _nss_"
+"$(libName)_$(function), par exemple _nss_files_getpwent."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr "proxy_fast_alias (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+"Quand un utilisateur ou un groupe est recherché par son nom dans le "
+"fournisseur proxy, une deuxième recherche par ID est effectuée pour "
+"récupérer le nom canonique, dans le cas où le nom demandé serait un alias. "
+"Cette option positionnée à true active la recherche par l'ID dans le cache "
+"afin d'améliorer les performances."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+"Options valides pour les domaines proxy. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr "La section du domaine local"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+"Cette section contient les paramètres pour le domaine qui stocke les "
+"utilisateurs et les groupes dans la base de données native SSSD, c'est-à-"
+"dire un domaine qui utilise <replaceable>id_provider=local</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr "default_shell (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+"L'interpréteur de commandes par défaut pour les utilisateurs créés avec les "
+"outils en espace utilisateur SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Par défaut : <filename>/bin/bash</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr "base_directory (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+"Les outils ajoutent le nom d'utilisateur à <replaceable>base_directory</"
+"replaceable> et l'utilisent comme dossier personnel."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "Par défaut : <filename>/home</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr "create_homedir (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+"Indique si un dossier personnel doit être créé par défaut pour les nouveaux "
+"utilisateurs. Peut être outrepassé par la ligne de commande."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Par défaut : TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr "remove_homedir (booléen)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+"Indiquer si un dossier personnel doit par défaut être supprimé à la "
+"suppression des utilisateurs. Peut être outrepassé par la ligne de commande."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr "homedir_umask (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+"Utilisé par <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> pour spécifier les permissions par "
+"défaut sur un répertoire personnel nouvellement créé."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Par défaut : 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr "skel_dir (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+"Le répertoire squelette contenant les fichiers et répertoires à copier dans "
+"le répertoire personnel de l'utilisateur une fois ce répertoire créé par "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Par défaut : <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr "mail_dir (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+"Le répertoire de gestion des e-mails. Nécessaire pour manipuler les boîtes e-"
+"mail quand les comptes utilisateurs sont modifiés ou supprimés. Si non "
+"précisé, la valeur par défaut est utilisée."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Par défaut : <filename>/var/mail</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "userdel_cmd (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" +"La commande qui est exécutée quand un utilisateur est supprimé. La commande " +"a comme seul argument le nom de l'utilisateur qui doit être supprimé. Le " +"code en retour de la commande n'est pas pris en compte." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "Par défaut : None, aucune commande lancée" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "Fournisseur LDAP SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" +"Ce manuel décrit la configuration des domaines LDAP pour <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. Se référer à la section <quote>FILE FORMAT</quote> du manuel " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> pour des informations sur la syntaxe détaillée." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" +"Il est possible de configurer SSSD pour utiliser plus d'un domaine LDAP." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. 
" +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" +"Le moteur de traitement LDAP prend en charge les fournisseurs id, auth, " +"access et chpass. Si vous voulez vous authentifier sur un serveur LDAP, il " +"vous faut utiliser TLS/SSL ou LDAPS. <command>sssd</command> <emphasis>ne " +"prend pas en charge</emphasis> l'authentification sur un canal non chiffré. " +"Si le serveur LDAP est utilisé seulement comme fournisseur d'identité, un " +"canal crypté n'est pas nécessaire. Se référer aux options de configurations " +"<quote>ldap_access_filter</quote> pour plus d'information sur l'utilisation " +"en tant que fournisseur d'accès." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "OPTIONS DE CONFIGURATION" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "ldap_uri, ldap_backup_uri (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. 
For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" +"Spécifie par ordre de préférence la liste séparée par des virgules d'URI des " +"serveurs LDAP auquel doit se connecter SSSD. Se reporter à la section de " +"<quote>BASCULE</quote> pour plus d'informations sur le repli et la " +"redondance de serveurs. Si aucune de ces options n'est spécifiée, la " +"découverte d'un service est activé. Pour plus d'informations, se reporter à " +"la section de <quote>DÉCOUVERTE DE SERVICE</quote>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" +"Le format de l'URI doit correspondre au format définit dans la RFC 2732 :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "ldap[s]://<host>[:port]" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" +"Pour les adresses explicitement en IPv6, le composant <host> doit être " +"entre crochets []" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "exemple : ldap://[fc00::126:25]:389" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" +"Spécifie la liste d'URI séparée par des virgules des serveurs LDAP auquel " +"doit se connecter DSSD par ordre de préférence pour changer le mot de passe " +"d'un utilisateur. Reportez-vous à la section de <quote>bascule</quote> pour " +"plus d'informations sur le repli et la redondance de serveurs." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" +"Pour activer la découverte de services, ldap_chpass_dns_service_name doit " +"être défini." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "Par défaut : vide, ldap_uri est donc utilisé." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "ldap_search_base (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" +"Le DN de base par défaut à utiliser pour effectuer les opérations LDAP sur " +"les utilisateurs." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" +"À partir de SSSD 1.7.0, SSSD prend en charge plusieurs bases de recherche à " +"l'aide de la syntaxe :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "La portée peut être l'une des « base », « onelevel » ou « subtree »." + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" +"Le filtre doit être un filtre de recherche LDAP valide tel que spécifié par " +"http://www.ietf.org/rfc/rfc2254.txt" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "Exemples :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" +"ldap_search_base = dc=example,dc=com (ce qui équivaut à) ldap_search_base = " +"dc=example,dc=com?subtree?" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" +"Remarque : Il est n'est pas possible d'avoir plusieurs bases de recherche " +"qui référencent des objets portant le même nom (par exemple, les groupes " +"portant le même nom dans deux bases de recherche différents). Cela conduira " +"à un comportement imprévisible sur les ordinateurs clients." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" +"Par défaut : si non définie, les valeurs des attributs defaultNamingContext " +"ou namingContexts du RootDSE du serveur LDAP sont utilisées. Si " +"defaultNamingContext n'existe pas ou a une valeur vide, namingContexts est " +"utilisé. Les attributs namingContexts doivent avoir une seule valeur avec un " +"DN de base de recherche pour le serveur LDAP pour que cela fonctionne. 
Des " +"valeurs multiples ne sont pas permises." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "ldap_schema (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" +"Spécifie le type de schéma utilisé sur le serveur LDAP cible. Selon le " +"schéma sélectionné, les noms d'attributs par défaut provenant des serveurs " +"peuvent varier. La manière dont certains attributs sont traités peut-être " +"également différer." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "Quatre types de schéma sont actuellement pris en charge :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "rfc2307" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "rfc2307bis" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "IPA" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "AD" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" +"La principale différence entre ces types de schéma est la façon dont les " +"appartenances aux groupes sont enregistrés dans le serveur. Avec rfc2307, " +"les membres du groupe sont répertoriées par nom dans l'attribut " +"<emphasis>memberUid</emphasis>. Avec rfc2307bis et IPA, les membres du " +"groupe sont répertoriés par DN et stockées dans l'attribut de " +"<emphasis>member</emphasis>. Le type de schéma AD définit les attributs " +"correspondant aux valeurs d'Active Directory 2008r2." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "Par défaut : rfc2307" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "ldap_default_bind_dn (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" +"Le DN de connexion par défaut à utiliser pour effectuer les opérations LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "ldap_default_authtok_type (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" +"Le type de jeton d'authentification pour le DN de connexion par défaut." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "Les deux mécanismes actuellement pris en charge sont :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "password" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "obfuscated_password" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "Par défaut : password" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "ldap_default_authtok (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" +"Le jeton d'authentification pour le DN de connexion par défaut. Seuls les " +"mots de passe en clair sont actuellement pris en charge." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "ldap_user_object_class (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "La classe d'objet d'une entrée utilisateur dans LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "Par défaut : posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "ldap_user_name (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" +"L'attribut LDAP correspondant à l'identifiant de connexion de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "ldap_user_uid_number (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "L'attribut LDAP correspondant à l'id de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "par défaut : uidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "ldap_user_gid_number (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" +"L'attribut LDAP correspondant à l'id du groupe primaire de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "Par défaut : gidNumber" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "ldap_user_gecos (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "L'attribut LDAP correspondant au champ gecos de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "Par défaut : gecos" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "ldap_user_home_directory (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" +"L'attribut LDAP qui contient le nom du répertoire personnel de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "Par défaut : homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "ldap_user_shell (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" +"L'attribut LDAP qui contient le chemin vers l'interpréteur de commandes de " +"l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "Par défaut : loginShell" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "ldap_user_uuid (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" +"Par défaut : non défini dans le cas général, objectGUID pour AD et " +"ipaUniqueID pour IPA" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "ldap_user_objectsid (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" +"L'attribut LDAP qui contient l'objectSID d'un objet d'utilisateur LDAP. Ceci " +"n'est habituellement nécessaire que pour les serveurs Active Directory." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "ldap_user_modify_timestamp (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" +"L'attribut LDAP qui contient l'horodatage de la dernière modification de " +"l'objet parent." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "Par défaut : modifyTimestamp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "ldap_user_shadow_last_change (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" +"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le " +"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (date de changement du dernier mot de passe)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "Par défaut : shadowLastChange" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "ldap_user_shadow_min (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." 
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le "
+"nom de l'attribut LDAP correspondant à sa contrepartie<citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> (durée de validité minimum du mot de passe)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:430
+msgid "Default: shadowMin"
+msgstr "Par défaut : shadowMin"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:436
+msgid "ldap_user_shadow_max (string)"
+msgstr "ldap_user_shadow_max (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:439
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le "
+"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> (âge maximum du mot de passe)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: shadowMax"
+msgstr "Par défaut : shadowMax"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_shadow_warning (string)"
+msgstr "ldap_user_shadow_warning (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le "
+"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> (période d'avertissement du mot de passe)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:467
+msgid "Default: shadowWarning"
+msgstr "Par défaut : shadowWarning"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:473
+msgid "ldap_user_shadow_inactive (string)"
+msgstr "ldap_user_shadow_inactive (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=shadow, ce paramètre contient le "
+"nom de l'attribut LDAP correspondant à sa contrepartie <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> (période d'inactivité du mot de passe)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:486
+msgid "Default: shadowInactive"
+msgstr "Par défaut : shadowInactive"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:492
+msgid "ldap_user_shadow_expire (string)"
+msgstr "ldap_user_shadow_expire (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:495
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=shadow ou "
+"ldap_account_expire_policy=shadow, ce paramètre contient le nom de "
+"l'attribut LDAP correspondant à sa contrepartie <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> (date d'expiration du compte)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:505
+msgid "Default: shadowExpire"
+msgstr "Par défaut : shadowExpire"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:511
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr "ldap_user_krb_last_pwd_change (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:514
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient "
+"le nom de l'attribut LDAP stockant la date et l'heure du dernier changement "
+"de mot de passe dans kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:520
+msgid "Default: krbLastPwdChange"
+msgstr "Par défaut : krbLastPwdChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:526
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr "ldap_user_krb_password_expiration (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:529
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+"Lors de l'utilisation de ldap_pwd_policy=mit_kerberos, ce paramètre contient "
+"le nom de l'attribut LDAP stockant la date et l'heure d'expiration du mot de "
+"passe actuel."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:535
+msgid "Default: krbPasswordExpiration"
+msgstr "Par défaut : krbPasswordExpiration"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:541
+msgid "ldap_user_ad_account_expires (string)"
+msgstr "ldap_user_ad_account_expires (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:544
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+"Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre "
+"contient le nom d'un attribut LDAP stockant la date d'expiration du compte."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:549
+msgid "Default: accountExpires"
+msgstr "Par défaut : accountExpires"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:555
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr "ldap_user_ad_user_account_control (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:558
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+"Lors de l'utilisation de ldap_account_expire_policy=ad, ce paramètre "
+"contient le nom d'un attribut LDAP stockant le champ de bits de contrôle du "
+"compte utilisateur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:563
+msgid "Default: userAccountControl"
+msgstr "Par défaut : userAccountControl"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:569
+msgid "ldap_ns_account_lock (string)"
+msgstr "ldap_ns_account_lock (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:572
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+"Lors de l'utilisation de ldap_account_expire_policy=rhds ou équivalent, ce "
+"paramètre détermine si l'accès est autorisé ou non."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:577
+msgid "Default: nsAccountLock"
+msgstr "Par défaut : nsAccountLock"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:583
+msgid "ldap_user_nds_login_disabled (string)"
+msgstr "ldap_user_nds_login_disabled (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:586
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines if "
+"access is allowed or not."
+msgstr ""
+"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut "
+"détermine si l'accès est autorisé ou non."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
+msgid "Default: loginDisabled"
+msgstr "Par défaut : loginDisabled"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:596
+msgid "ldap_user_nds_login_expiration_time (string)"
+msgstr "ldap_user_nds_login_expiration_time (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines until "
+"which date access is granted."
+msgstr ""
+"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut "
+"détermine jusqu'à quand l'accès est autorisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:610
+msgid "ldap_user_nds_login_allowed_time_map (string)"
+msgstr "ldap_user_nds_login_allowed_time_map (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:613
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines the "
+"hours of a day in a week when access is granted."
+msgstr ""
+"Lors de l'utilisation de ldap_account_expire_policy=nds, cet attribut "
+"détermine les heures des jours dans la semaine pendant lesquelles l'accès "
+"est autorisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:618
+msgid "Default: loginAllowedTimeMap"
+msgstr "Par défaut : loginAllowedTimeMap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:624
+msgid "ldap_user_principal (string)"
+msgstr "ldap_user_principal (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:627
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+"L'attribut LDAP contenant le nom du principal d'utilisateur (UPN) Kerberos "
+"de l'utilisateur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:631
+msgid "Default: krbPrincipalName"
+msgstr "Par défaut : krbPrincipalName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:637
+msgid "ldap_user_extra_attrs (string)"
+msgstr "ldap_user_extra_attrs (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:640
+msgid ""
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+"usual set of user attributes."
+msgstr ""
+"Liste séparée par des virgules des attributs LDAP que SSSD va demander en "
+"plus des attributs utilisateur habituels."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:645
+msgid ""
+"The list can either contain LDAP attribute names only, or colon-separated "
+"tuples of SSSD cache attribute name and LDAP attribute name. In case only "
+"LDAP attribute name is specified, the attribute is saved to the cache "
+"verbatim. Using a custom SSSD attribute name might be required by "
+"environments that configure several SSSD domains with different LDAP schemas."
+msgstr ""
+"La liste ne peut contenir que des noms d'attributs LDAP, ou des tuples "
+"séparés par des virgules de nom d'attribut de cache et nom d'attribut LDAP. "
+"Dans le cas où seul le nom d'un attribut LDAP est indiqué, l'attribut est "
+"enregistré tel quel dans le cache. L'utilisation d'un nom d'attribut SSSD "
+"peut être nécessaire pour les environnements configurant plusieurs domaines "
+"SSSD utilisant des schémas LDAP différents."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:655
+msgid ""
+"Please note that several attribute names are reserved by SSSD, notably the "
+"<quote>name</quote> attribute. SSSD would report an error if any of the "
+"reserved attribute names is used as an extra attribute name."
+msgstr ""
+"Veuillez noter que plusieurs noms d'attributs sont réservés par SSSD, dont "
+"l'attribut <quote>name</quote>. SSSD émettrait une erreur si l'un des noms "
+"d'attributs réservés est utilisé par un nom d'attribut supplémentaire."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:665
+msgid "ldap_user_extra_attrs = telephoneNumber"
+msgstr "ldap_user_extra_attrs = telephoneNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:668
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+"<quote>telephoneNumber</quote> to the cache."
+msgstr ""
+"Enregistrer l'attribut LDAP <quote>telephoneNumber</quote> en tant que "
+"<quote>telephoneNumber</quote> dans le cache."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:672
+msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:675
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+"quote> to the cache."
+msgstr ""
+"Enregistrer l'attribut LDAP <quote>telephoneNumber</quote> en tant que "
+"<quote>phone</quote> dans le cache."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:685
+msgid "ldap_user_ssh_public_key (string)"
+msgstr "ldap_user_ssh_public_key (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:688
+msgid "The LDAP attribute that contains the user's SSH public keys."
+msgstr "L'attribut LDAP qui contient les clés publiques SSH de l'utilisateur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306
+msgid "Default: sshPublicKey"
+msgstr "Par défaut : sshPublicKey"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr "ldap_force_upper_case_realm (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr "" +"Certains serveurs d'annuaire, comme par exemple Active Directory, peuvent " +"délivrer la partie domaine de l'UPN en minuscules, ce qui peut faire échouer " +"l'authentification. Définir cette option à une valeur non nulle pour " +"utiliser un nom de domaine en majuscules." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" +"Spécifie la durée en secondes pendant laquelle SSSD doit attendre avant " +"d'actualiser son cache d\"énumération d'enregistrements." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "ldap_purge_cache_timeout (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" +"Détermine la fréquence de vérification de la présence d'entrées inactives " +"dans le cache (telles que groupes sans membres et utilisateurs ne s'étant " +"jamais connectés) et de suppression pour économiser de l'espace." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. 
Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "L'attribut LDAP correspondant au nom complet de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "Par défaut : cn" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "ldap_user_member_of (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" +"L'attribut LDAP énumérant les groupes auquel appartient un utilisateur." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "Par défaut : memberOf" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "ldap_user_authorized_service (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" +"Lorsque access_provider=ldap et ldap_access_order=authorized_service, SSSD " +"utilise la présence de l'attribut authorizedService dans l'entrée LDAP de " +"l'utilisateur pour déterminer les autorisations d'accès." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" +"Le refus explicite (!svc) est résolu en premier. Ensuite, SSSD cherche une " +"autorisation explicite (svc) et enfin allow_all (*)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" +"Noter que l'option de configuration ldap_access_order <emphasis>doit</" +"emphasis> inclure <quote>authorized_service</quote> de façon à permettre à " +"l'option ldap_user_authorized_service de fonctionner." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "Par défaut : authorizedService" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (chaîne)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" +"Si access_provider=ldap et ldap_access_order=host, SSSD va utiliser la " +"présence de l'attribut host dans l'entrée LDAP de l'utilisateur pour " +"déterminer les autorisations d'accès." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" +"Le refus explicite (!host) est résolu en premier. SSSD recherche ensuite les " +"autorisations explicites (host) et enfin toutes les autorisations (*)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" +"Noter que l'option de configuration ldap_access_order <emphasis>doit</" +"emphasis> inclure <quote>host</quote> de façon à permettre à l'option " +"ldap_user_authorized_host de fonctionner." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "Par défaut : host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "ldap_user_certificate (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "ldap_group_object_class (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "La classe d'objet d'une entrée de groupe dans LDAP." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "Par défaut : posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "ldap_group_name (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "L'attribut LDAP correspondant au nom du groupe." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "ldap_group_gid_number (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "L'attribut LDAP correspondant à l'identifiant de groupe." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "ldap_group_member (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "L'attribut LDAP contenant les noms des membres du groupe." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "Par défaut : memberuid (rfc2307) / member (rfc2307bis)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "ldap_group_uuid (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "ldap_group_objectsid (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" +"L'attribut LDAP qui contient l'objectSID d'un objet de groupe LDAP. Ceci " +"n'est habituellement nécessaire que pour les serveurs Active Directory." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "ldap_group_modify_timestamp (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "ldap_group_type (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" +"L'attribut LDAP qui contient une valeur entière indiquant le type de groupe " +"voire d'autres indicateurs." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" +"Cet attribut est actuellement utilisé uniquement par le fournisseur AD pour " +"déterminer si un groupe est un groupe de domaine local et doit être filtré " +"hors des domaines approuvés." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "ldap_group_nesting_level (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" +"Si ldap_schema est défini comme un format prenant en charge les groupes " +"imbriqués (par exemple RFC2307bis), alors cette option contrôle le nombre de " +"niveaux d'imbrication que SSSD suivra. Cette option n'a pas d'effet sur le " +"schéma RFC2307." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. 
However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all. However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "Par défaut : 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr "ldap_groups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+"Cette option indique à SSSD de tirer parti d'une fonctionnalité Active "
+"Directory spécifique qui peut accélérer les opérations de recherche de "
+"groupe sur les déploiements utilisant des groupes profondément imbriqués et "
+"complexes."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. 
It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+"Dans la plupart des cas, il est préférable de laisser cette option "
+"désactivée. Elle ne fournit une augmentation des performances que sur les "
+"imbrications très complexes."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+"Si cette option est activée, SSSD l'utilisera s'il détecte que le serveur la "
+"prend en charge au cours de la connexion initiale. Ainsi, « true » signifie "
+"essentiellement « auto-detect »."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+"Remarque : Cette fonctionnalité fonctionne uniquement avec Active Directory "
+"2008 R1 et versions suivantes. Consulter <ulink url=\"http://msdn.microsoft."
+"com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx\">la "
+"documentation de MSDN(TM)</ulink> pour plus de détails."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr "ldap_initgroups_use_matching_rule_in_chain"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+"Cette option indique à SSSD de tirer parti d'une fonctionnalité Active "
+"Directory spécifique qui peut accélérer les opérations initgroups (le plus "
+"souvent lors de l'utilisation de groupes profondément imbriqués ou "
+"complexes)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+"Cette option active ou désactive l'utilisation de l'attribut Token-Groups "
+"lors de l'initialisation des groupes pour les utilisateurs Active Directory "
+"2008 et versions ultérieures."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr "ldap_netgroup_object_class (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr "La classe d'objet d'une entrée de netgroup dans LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead." 
+msgstr ""
+"Pour un fournisseur IPA, ipa_netgroup_object_class doit être utilisé à la "
+"place."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr "Par défaut : nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr "ldap_netgroup_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr "L'attribut LDAP correspondant au nom du netgroup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr ""
+"Dans le fournisseur IPA, ipa_netgroup_name doit être utilisé à la place."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr "ldap_netgroup_member (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr "L'attribut LDAP contenant les noms des membres du netgroup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr ""
+"Dans le fournisseur IPA, ipa_netgroup_member doit être utilisé à la place."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr "Par défaut : memberNisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr "ldap_netgroup_triple (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+"L'attribut LDAP contenant les triplets (hôte, utilisateur, domaine) d'un "
+"netgroup."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr "Cette option n'est pas disponible dans le fournisseur IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr "Par défaut : nisNetgroupTriple"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr "ldap_netgroup_modify_timestamp (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr "Par défaut : ipService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr ""
+"Facultatif. Utiliser la chaîne donnée comme base de recherche pour héberger "
+"des objets."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+"Cf. <quote>ldap_search_base</quote> pour plus d'informations sur la "
+"configuration des bases de recherche multiples."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr "Par défaut : la valeur de <emphasis>ldap_search_base</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr "ldap_service_object_class (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr "La classe d'objet d'une entrée de service LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr "ldap_service_name (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr ""
+"L'attribut LDAP qui contient le nom des attributs de service et de leurs "
+"alias."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr "ldap_service_port (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr "L'attribut LDAP qui contient le port géré par ce service."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1357
+msgid "Default: ipServicePort"
+msgstr "Par défaut : ipServicePort"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1363
+msgid "ldap_service_proto (string)"
+msgstr "ldap_service_proto (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1366
+msgid ""
+"The LDAP attribute that contains the protocols understood by this service."
+msgstr "L'attribut LDAP qui contient les protocoles compris par ce service."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1370
+msgid "Default: ipServiceProtocol"
+msgstr "Par défaut : ipServiceProtocol"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1376
+msgid "ldap_service_search_base (string)"
+msgstr "ldap_service_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1381
+msgid "ldap_search_timeout (integer)"
+msgstr "ldap_search_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1384
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+"Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP "
+"avant annulation et utilisation des résultats contenus dans le cache (et "
+"activation du mode hors ligne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+"Note : cette option est susceptible de changer dans les prochaines version "
+"de SSSD. Elle sera sûrement remplacée par une série de délais d'attente pour "
+"différents types de recherches."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr "ldap_enumeration_search_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+"Définit le délai d'attente (en secondes) autorisé pour les recherches LDAP "
+"sur les utilisateurs et groupes avant annulation et utilisation des "
+"résultats mis en cache (et activation du mode hors ligne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr "ldap_network_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+"Définit le délai d'attente (en secondes) après lequel les fonctions "
+"<citerefentry> <refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> "
+"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> "
+"<manvolnum>2</manvolnum> </citerefentry> suivant un <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> rendent la main en cas d'inactivité."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr "ldap_opt_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr "ldap_connection_expire_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. After this time, the connection will be re-established. If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+"Spécifie un délai d'attente (en secondes) pendant laquelle une connexion à "
+"un serveur LDAP est maintenue. Passé ce délai, la connexion devra être "
+"rétablie. Si ce paramètre est utilisé en parallèle avec SASL/GSSAPI, la plus "
+"courte des deux valeurs entre celle-ci et la durée de vie TGT sera utilisée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr "Par défaut : 900 (15 minutes)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr "ldap_page_size (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+"Définit le nombre d'enregistrements à récupérer lors d'une requête LDAP. "
+"Certains serveurs LDAP imposent une limite maximale par requête."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr "Par défaut : 1000"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr "ldap_disable_paging (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control. This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+"Désactiver le contrôle de pagination LDAP. Cette option doit être utilisée "
+"si le serveur LDAP signale qu'il prend en charge le contrôle de pagination "
+"LDAP de l'objet RootDSE, mais qu'il n'est pas activé ou ne se comporte pas "
+"correctement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1502
+msgid ""
+"Example: OpenLDAP servers with the paging control module installed on the "
+"server but not enabled will report it in the RootDSE but be unable to use it." 
+msgstr ""
+"Exemple : le serveurs OpenLDAP avec le module de contrôle de pagination "
+"installé sur le serveur mais non activé le signaleront dans RootDSE mais il "
+"sera impossible de l'utiliser."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1508
+msgid ""
+"Example: 389 DS has a bug where it can only support a one paging control at "
+"a time on a single connection. On busy clients, this can result in some "
+"requests being denied."
+msgstr ""
+"Exemple : 389 DS a un bogue où il ne peut que soutenir qu'un seul contrôle "
+"de pagination à la fois sur une connexion donnée. Sur les clients chargés, "
+"cela peut entraîner l'échec de certaines demandes."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1520
+msgid "ldap_disable_range_retrieval (boolean)"
+msgstr "ldap_disable_range_retrieval (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1523
+msgid "Disable Active Directory range retrieval."
+msgstr "Désactiver la récupération de plage Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1526
+msgid ""
+"Active Directory limits the number of members to be retrieved in a single "
+"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
+"group contains more members, the reply would include an AD-specific range "
+"extension. This option disables parsing of the range extension, therefore "
+"large groups will appear as having no members."
+msgstr ""
+"Active Directory limite le nombre de membres à récupérer par recherche à "
+"l'aide de la stratégie MaxValRange (qui prend la valeur par défaut de 1500 "
+"membres). 
Si un groupe contient plus de membres, la réponse inclura une "
+"extension de plage spécifique à Active Directory. Cette option désactive "
+"l'analyse de cette extension de plage, les groupes de grande taille "
+"apparaissant ainsi sans aucun membre."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1541
+msgid "ldap_sasl_minssf (integer)"
+msgstr "ldap_sasl_minssf (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1544
+msgid ""
+"When communicating with an LDAP server using SASL, specify the minimum "
+"security level necessary to establish the connection. The values of this "
+"option are defined by OpenLDAP."
+msgstr ""
+"Lors de la communication avec un serveur LDAP en utilisant SASL, spécifie le "
+"niveau de sécurité minimal nécessaire pour établir la connexion. Les valeurs "
+"de cette option sont définies par OpenLDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1550
+msgid "Default: Use the system default (usually specified by ldap.conf)"
+msgstr ""
+"Par défaut : Utiliser la valeur par défaut du système (généralement spécifié "
+"par ldap.conf)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1557
+msgid "ldap_deref_threshold (integer)"
+msgstr "ldap_deref_threshold (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1560
+msgid ""
+"Specify the number of group members that must be missing from the internal "
+"cache in order to trigger a dereference lookup. If less members are missing, "
+"they are looked up individually." 
+msgstr ""
+"Définit le nombre de membres du groupe qui doivent manquer au sein du cache "
+"interne afin de déclencher une recherche de déréférencement. Si le nombre de "
+"membres manquants est inférieur, ils sont recherchés individuellement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1566
+msgid ""
+"You can turn off dereference lookups completely by setting the value to 0."
+msgstr ""
+"Vous pouvez désactiver complètement les recherches de déréférencement en "
+"affectant la valeur 0."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1570
+msgid ""
+"A dereference lookup is a means of fetching all group members in a single "
+"LDAP call. Different LDAP servers may implement different dereference "
+"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+"Directory."
+msgstr ""
+"Une recherche de déréférencement est un moyen pour récupérer tous les "
+"membres d'un groupe avec un seul appel LDAP. Plusieurs serveurs LDAP peuvent "
+"avoir différentes méthodes de déréférencement. Les serveurs actuellement "
+"acceptés sont 389/RHDS, OpenLDAP et Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1578
+msgid ""
+"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+"filter, then the dereference lookup performance enhancement will be disabled "
+"regardless of this setting."
+msgstr ""
+"<emphasis>Remarque :</emphasis> Si l'une des bases de recherche spécifie un "
+"filtre de recherche, alors l'amélioration de la performance de recherche de "
+"déréférencement est désactivée indépendamment de ce paramètre."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1591
+msgid "ldap_tls_reqcert (string)"
+msgstr "ldap_tls_reqcert (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1594
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+"Définit les vérifications à effectuer sur les certificats serveur sur une "
+"session TLS, si elle existe. Une des valeurs suivantes est utilisable :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1600
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+"<emphasis>never</emphasis> : le client ne demandera ni ne vérifiera un "
+"quelconque certificat du serveur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1604
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+"<emphasis>allow</emphasis> : le certificat serveur est demandé. Si aucun "
+"certificat n'est fournit, la session continue normalement. Si un mauvais "
+"certificat est fourni, il est ignoré et la session continue normalement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated." 
+msgstr ""
+"<emphasis>try</emphasis> : le certificat serveur est demandé. Si aucun "
+"certificat n'est fourni, la session continue normalement. Si un mauvais "
+"certificat est fourni, la session se termine immédiatement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+"<emphasis>demand</emphasis> : le certificat serveur est demandé. Si aucun "
+"certificat ou un mauvais certificat est fourni, la session se termine "
+"immédiatement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr "<emphasis>hard</emphasis> : identique à <quote>demand</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr "Par défaut : hard"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr "ldap_tls_cacert (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+"Définit le fichier qui contient les certificats pour toutes les autorités de "
+"certification que <command>sssd</command> reconnaîtra."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+"Par défaut : utilise les paramètres par défaut de OpenLDAP, en général dans "
+"<filename>/etc/openldap/ldap.conf</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr "ldap_tls_cacertdir (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+"Spécifie le chemin d'un dossier qui contient les certificats de l'autorité "
+"de certificats dans des fichiers séparés. Usuellement, les noms de fichiers "
+"sont la somme de contrôle du certificat suivi de « .0 ». Si disponible, "
+"<command>cacertdir_rehash</command> peut être utilisé pour créer les noms "
+"corrects."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr "ldap_tls_cert (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1669
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr "Définit le fichier qui contient le certificat pour la clef du client."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1679
+msgid "ldap_tls_key (string)"
+msgstr "ldap_tls_key (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1682
+msgid "Specifies the file that contains the client's key."
+msgstr "Définit le fichier qui contient la clef du client."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1691
+msgid "ldap_tls_cipher_suite (string)"
+msgstr "ldap_tls_cipher_suite (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1694
+msgid ""
+"Specifies acceptable cipher suites. Typically this is a colon separated "
+"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1707
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr "ldap_id_use_start_tls (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1710
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+"Définit le fait que le fournisseur d'identité de connexion doit aussi "
+"utiliser <systemitem class=\"protocol\">tls</systemitem> pour protéger le "
+"canal."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1720
+msgid "ldap_id_mapping (boolean)"
+msgstr "ldap_id_mapping (boolean)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1723
+msgid ""
+"Specifies that SSSD should attempt to map user and group IDs from the "
+"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+"on ldap_user_uid_number and ldap_group_gid_number."
+msgstr ""
+"Indique que SSSD doit tenter de trouver les correspondances des ID "
+"d'utilisateur et de groupe dans les attributs ldap_user_objectsid et "
+"ldap_group_objectsid au lieu d'utiliser ldap_user_uid_number et "
+"ldap_group_gid_number."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1729
+msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+msgstr ""
+"Cette fonctionnalité ne prend actuellement en charge que la correspondance "
+"par objectSID avec Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1739
+msgid "ldap_min_id, ldap_max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1742
+msgid ""
+"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+"set to true the allowed ID range for ldap_user_uid_number and "
+"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
+"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
+"can be set to restrict the allowed range for the IDs which are read directly "
+"from the server. Sub-domains can then pick other ranges to map IDs."
+msgstr ""
+"Au contraire de la mise en correspondance d'identifiants s'appuyant sur les "
+"SID utilisée si ldap_id_mapping est positionné à true, les plages "
+"d'identifiants autorisés pour ldap_user_uid_number et ldap_group_gid_number "
+"n'ont pas de limite. 
Dans une configuration avec des sous-domaines ou des "
+"domaines approuvés, cela peut engendrer des collisions. Pour les éviter, "
+"ldap_min_id et ldap_max_id peuvent être configurés afin de restreindre les "
+"plages d'identifiants autorisées lues directement depuis le serveur. Les "
+"sous-domaines peuvent ensuite choisir d'autres plages pour leurs propres "
+"identifiants."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1754
+msgid "Default: not set (both options are set to 0)"
+msgstr "Par défaut : non indiqué (les deux options sont à 0)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1760
+msgid "ldap_sasl_mech (string)"
+msgstr "ldap_sasl_mech (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1763
+msgid ""
+"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+"Définit le mécanisme SASL à utiliser. Actuellement, seul GSSAPI est testé et "
+"pris en charge."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1773
+msgid "ldap_sasl_authid (string)"
+msgstr "ldap_sasl_authid (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ldap.5.xml:1784
+#, no-wrap
+msgid ""
+"hostname@REALM\n"
+"netbiosname$@REALM\n"
+"host/hostname@REALM\n"
+"*$@REALM\n"
+"host/*@REALM\n"
+"host/*\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1776
+#, fuzzy
+#| msgid ""
+#| "Specify the SASL authorization id to use. When GSSAPI is used, this "
+#| "represents the Kerberos principal used for authentication to the "
+#| "directory. 
This option can either contain the full principal (for "
+#| "example host/myhost@EXAMPLE.COM) or just the principal name (for example "
+#| "host/myhost)."
+msgid ""
+"Specify the SASL authorization id to use. When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory. "
+"This option can either contain the full principal (for example host/"
+"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+"default, the value is not set and the following principals are used: "
+"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+"the first principal in keytab is returned."
+msgstr ""
+"Définit l'identité à utiliser pour l'autorisation SASL. Lorsque GSSAPI est "
+"utilisé, c'est l'identifiant Kerberos principal utilisé pour s'authentifier "
+"à l'annuaire. Cette option peut soit contenir le principal complet (par "
+"exemple host/myhost@EXAMPLE.COM), soit juste le nom du principal (par "
+"exemple host/myhost)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1795
+msgid "Default: host/hostname@REALM"
+msgstr "Par défaut : host/hostname@REALM"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1801
+msgid "ldap_sasl_realm (string)"
+msgstr "ldap_sasl_realm (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1804
+msgid ""
+"Specify the SASL realm to use. When not specified, this option defaults to "
+"the value of krb5_realm. If the ldap_sasl_authid contains the realm as "
+"well, this option is ignored."
+msgstr ""
+"Spécifie le domaine SASL à utiliser. Si non spécifié, cette option prend par "
+"défaut la valeur de krb5_realm. Si le ldap_sasl_authid contient aussi le "
+"domaine, cette option est ignorée."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1810
+msgid "Default: the value of krb5_realm."
+msgstr "Par défaut : la valeur de krb5_realm."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1816
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr "ldap_sasl_canonicalize (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1819
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+"Si true, la bibliothèque LDAP effectue une recherche inversée pour canoniser "
+"le nom de l'hôte au cours d'une liaison SASL."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1824
+msgid "Default: false;"
+msgstr "Défaut : false;"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1830
+msgid "ldap_krb5_keytab (string)"
+msgstr "ldap_krb5_keytab (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1833
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr "Définit le fichier keytab à utiliser pour utiliser SASL/GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1836
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+"Par défaut : le fichier keytab du système, normalement <filename>/etc/krb5."
+"keytab</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1842
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr "ldap_krb5_init_creds (booléen)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1845
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT). This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+"Définit le fait que le fournisseur d'identité doit initialiser les données "
+"d'identification Kerberos (TGT). Cette action est effectuée seulement si "
+"SASL est utilisé et que le mécanisme choisi est GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1857
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr "ldap_krb5_ticket_lifetime (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1860
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr "Définit la durée de vie, en secondes, des TGT si GSSAPI est utilisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937
+msgid "Default: 86400 (24 hours)"
+msgstr "Par défaut : 86400 (24 heures)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74
+msgid "krb5_server, krb5_backup_server (string)"
+msgstr "krb5_server, krb5_backup_server (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1873
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. 
If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"Spécifie par ordre de préférence la liste séparée par des virgules des "
+"adresses IP ou des noms de systèmes des serveurs Kerberos auquel SSSD doit "
+"se connecter. Pour plus d'informations sur la redondance de bascule et la "
+"redondance de serveur, consulter la section <quote>BASCULE</quote>. Un "
+"numéro de port facultatif (précédé de deux-points) peut être ajouté aux "
+"adresses ou aux noms de systèmes. Si vide, la découverte de services est "
+"activée - pour plus d'informations, se reporter à la section de "
+"<quote>DÉCOUVERTE DE SERVICES</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+"Lors de l'utilisation de découverte de services pour le KDC ou les serveurs "
+"kpasswd, SSSD recherche en premier les entrées DNS qui définissent _udp "
+"comme protocole, et passe sur _tcp si aucune entrée n'est trouvée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+"Cette option s'appelait <quote>krb5_kdcip</quote> dans les versions "
+"précédentes de SSSD. Bien que ce nom soit toujours reconnu à l'heure "
+"actuelle, il est conseillé de migrer les fichiers de configuration vers "
+"l'utilisation de <quote>krb5_server</quote>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr "krb5_realm (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1902
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr "Définit le DOMAINE de Kerberos (pour l'authentification SASL/GSSAPI)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1905
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+"Par défaut : valeur par défaut du système, voir <filename>/etc/krb5.conf</"
+"filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462
+msgid "krb5_canonicalize (boolean)"
+msgstr "krb5_canonicalize (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1914
+msgid ""
+"Specifies if the host principal should be canonicalized when connecting to "
+"LDAP server. This feature is available with MIT Kerberos >= 1.7"
+msgstr ""
+"Spécifie si le principal de l'hôte doit être rendu canonique lors de la "
+"connexion au serveur LDAP. Cette fonctionnalité est disponible avec MIT "
+"Kerberos > = 1.7"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477
+msgid "krb5_use_kdcinfo (boolean)"
+msgstr "krb5_use_kdcinfo (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480
+msgid ""
+"Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+"which KDCs to use. 
This option is on by default, if you disable it, you need "
+"to configure the Kerberos library using the <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> configuration file."
+msgstr ""
+"Indique si SSSD doit préciser aux bibliothèques Kerberos quels domaine et "
+"KDC utiliser. Cette option est activée par défaut, si elle est désactivée, "
+"la bibliothèque Kerberos doit être configurée à l'aide du fichier de "
+"configuration <citerefentry> <refentrytitle>krb5.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491
+msgid ""
+"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+"information on the locator plugin."
+msgstr ""
+"Consulter la page de manuel de <citerefentry> "
+"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry> pour plus d'informations sur le greffon de "
+"localisation."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1954
+msgid "ldap_pwd_policy (string)"
+msgstr "ldap_pwd_policy (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1957
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+"Détermine la politique d'expiration des mots de passe côté client. Les "
+"valeurs suivantes sont acceptées :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1962
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. 
This option "
+"cannot disable server-side password policies."
+msgstr ""
+"<emphasis>none</emphasis> : aucun évaluation du côté client. Cette option ne "
+"peut pas désactiver la politique sur les mots de passe du côté serveur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1967
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired."
+msgstr ""
+"<emphasis>shadow</emphasis> - Utiliser les attributs de style "
+"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> pour évaluer si le mot de passe a expiré."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1973
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+"<emphasis>mit_kerberos</emphasis> : utilise les attributs utilisés par MIT "
+"Kerberos pour déterminer si le mot de passe a expiré. Utiliser "
+"chpass_provider=krb5 afin de modifier ces attributs lorsque le mot de passe "
+"est changé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1982
+msgid ""
+"<emphasis>Note</emphasis>: if a password policy is configured on server "
+"side, it always takes precedence over policy set with this option."
+msgstr ""
+"<emphasis>Note</emphasis> : si une politique de mots de passe est configurée "
+"côté serveur, elle prend le pas sur la politique indiquée avec cette option."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1990
+msgid "ldap_referrals (boolean)"
+msgstr "ldap_referrals (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1993
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr "Définit si le déréférencement automatique doit être activé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1997
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+"Veuillez noter que sssd ne supporte que le déréférencement que lorsqu'il est "
+"compilé avec OpenLDAP version 2.4.13 ou supérieur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2002
+msgid ""
+"Chasing referrals may incur a performance penalty in environments that use "
+"them heavily, a notable example is Microsoft Active Directory. If your setup "
+"does not in fact require the use of referrals, setting this option to false "
+"might bring a noticeable performance improvement."
+msgstr ""
+"La déréférenciation de références peut subir une altération notable des "
+"performances dans les environnements qui les utilisent fortement, un exemple "
+"notable étant Microsoft Active Directory. Si votre installation ne nécessite "
+"pas l'utilisation des références, affecter false à cette option devrait "
+"permettre d'améliorer de façon notable les performances."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2016
+msgid "ldap_dns_service_name (string)"
+msgstr "ldap_dns_service_name (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2019
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+"Définit le nom de service à utiliser quand la découverte de services est "
+"activée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2023
+msgid "Default: ldap"
+msgstr "Par défaut : ldap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2029
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr "ldap_chpass_dns_service_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2032
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+"Définit le nom de service à utiliser pour trouver un serveur LDAP autorisant "
+"un changement de mot de passe quand la découverte de services est activée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2037
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+"Par défaut : non défini, c'est-à-dire que le service de découverte est "
+"désactivé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2043
+msgid "ldap_chpass_update_last_change (bool)"
+msgstr "ldap_chpass_update_last_change (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2046
+msgid ""
+"Specifies whether to update the ldap_user_shadow_last_change attribute with "
+"days since the Epoch after a password change operation."
+msgstr ""
+"Spécifie s'il faut mettre à jour l'attribut ldap_user_shadow_last_change "
+"avec le nombre de jours depuis Epoch après l'opération de changement de mot "
+"de passe."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2058
+msgid "ldap_access_filter (string)"
+msgstr "ldap_access_filter (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2061
+msgid ""
+"If using access_provider = ldap and ldap_access_order = filter (default), "
+"this option is mandatory. It specifies an LDAP search filter criteria that "
+"must be met for the user to be granted access on this host. If "
+"access_provider = ldap, ldap_access_order = filter and this option is not "
+"set, it will result in all users being denied access. Use access_provider = "
+"permit to change this default behavior. Please note that this filter is "
+"applied on the LDAP user entry only and thus filtering based on nested "
+"groups may not work (e.g. memberOf attribute on AD entries points only to "
+"direct parents). If filtering based on nested groups is required, please see "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2081
+msgid "Example:"
+msgstr "Exemple :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:2084
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = (employeeType=admin)\n"
+" "
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_filter = (employeeType=admin)\n"
+" "
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2088
+msgid ""
+"This example means that access to this host is restricted to users whose "
+"employeeType attribute is set to \"admin\"."
+msgstr ""
+"Cet exemple signifie que l'accès à cet hôte est restreint aux utilisateurs "
+"dont l'attribut employeeType est « admin »."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2093
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158
+msgid "Default: Empty"
+msgstr "Par défaut : vide"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2107
+msgid "ldap_account_expire_policy (string)"
+msgstr "ldap_account_expire_policy (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2110
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+"Avec cette option une évaluation du côté client des contrôles d'accès peut "
+"être activée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2114
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+"Veuillez noter qu'il est toujours recommandé d'utiliser un contrôle d'accès "
+"du côté serveur, c'est-à-dire que le serveur LDAP doit refuser une requête "
+"de connexion avec un code erreur approprié même si le mot de passe est "
+"correct."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2121
+msgid "The following values are allowed:"
+msgstr "Les valeurs suivantes sont autorisées :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2124
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+"<emphasis>shadow</emphasis> : utiliser la valeur de ldap_user_shadow_expire "
+"pour déterminer si le compte a expiré."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2129
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+"<emphasis>ad</emphasis> : utilise la valeur du champ 32 bits "
+"ldap_user_ad_user_account_control et autorise l'accès si le deuxième bit "
+"n'est pas défini. Si l'attribut est manquant, l'accès est autorisé. La date "
+"d'expiration du compte est aussi vérifiée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2136
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis> : utilise la valeur de ldap_ns_account_lock afin de vérifier si "
+"l'accès est autorisé ou non."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2142
+msgid ""
+"<emphasis>nds</emphasis>: the values of "
+"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+"ldap_user_nds_login_expiration_time are used to check if access is allowed. "
+"If both attributes are missing access is granted."
+msgstr ""
+"<emphasis>nds</emphasis> : les valeurs de "
+"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled et "
+"ldap_user_nds_login_expiration_time sont utilisées pour vérifier si l'accès "
+"est autorisé. Si les deux attributs sont manquants, l'accès est autorisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2151
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>expire</quote> in order for the "
+"ldap_account_expire_policy option to work."
+msgstr ""
+"Noter que l'option de configuration ldap_access_order <emphasis>doit</"
+"emphasis> inclure <quote>expire</quote> de façon à permettre à l'option "
+"ldap_account_expire_policy de fonctionner."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2164
+msgid "ldap_access_order (string)"
+msgstr "ldap_access_order (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2167
+msgid "Comma separated list of access control options. Allowed values are:"
+msgstr ""
+"Liste séparées par des virgules des options de contrôles d'accès. Les "
+"valeurs autorisées sont :"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2171
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr "<emphasis>filter</emphasis> : utiliser ldap_access_filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2174
+msgid ""
+"<emphasis>lockout</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. "
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2184
+msgid ""
+"<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+"quote> option and might be removed in a future release. </emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2191
+msgid ""
+"<emphasis>ppolicy</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z' or represents any time in the past. The "
+"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
+"denotes the UTC time zone. Other time zones are not currently supported and "
+"will result in \"access-denied\" when users attempt to log in. Please see "
+"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' "
+"must be set for this feature to work."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2208
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr "<emphasis>expire</emphasis>: utiliser ldap_account_expire_policy"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2212
+msgid ""
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+"pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+"interested in being warned that password is about to expire and "
+"authentication is based on using a different method than passwords - for "
+"example SSH keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2222
+msgid ""
+"The difference between these options is the action taken if user password is "
+"expired: pwd_expire_policy_reject - user is denied to log in, "
+"pwd_expire_policy_warn - user is still able to log in, "
+"pwd_expire_policy_renew - user is prompted to change his password "
+"immediately."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2230
+msgid ""
+"Note If user password is expired no explicit message is prompted by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2234
+msgid ""
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2239
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+"<emphasis>authorized_service</emphasis> : utiliser l'attribut "
+"authorizedService pour déterminer l'accès"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2244
+msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+msgstr ""
+"<emphasis>host</emphasis> : utilise l'attribut host pour déterminer l'accès"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2248
+msgid ""
+"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+"remote host can access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2252
+msgid ""
+"Please note, rhost field in pam is set by application, it is better to check "
+"what the application sends to pam, before enabling this access control option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2257
+msgid "Default: filter"
+msgstr "Par défaut : filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2260
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+"Veuillez noter qu'une valeur utilisée plusieurs fois résulte en une erreur "
+"de configuration."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2267
+msgid "ldap_pwdlockout_dn (string)"
+msgstr "ldap_pwdlockout_dn (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2270
+msgid ""
+"This option specifies the DN of password policy entry on LDAP server. Please "
+"note that absence of this option in sssd.conf in case of enabled account "
+"lockout checking will yield access denied as ppolicy attributes on LDAP "
+"server cannot be checked properly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2278
+msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+msgstr "Exemple : cn=ppolicy,ou=policies,dc=example,dc=com"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2281
+msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2287
+msgid "ldap_deref (string)"
+msgstr "ldap_deref (chaînes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2290
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+"Définit comment le déréférencement de l'alias est effectué lors d'une "
+"recherche. Les options suivantes sont autorisées :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2295
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr "<emphasis>never</emphasis> : les alias ne sont jamais déréférencés."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2299
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+"<emphasis>searching</emphasis> : Les alias sont déréférencés comme des "
+"subordonnés de l'objet de base, mais pas en localisant l'objet de base de la "
+"recherche."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2304
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+"<emphasis>finding</emphasis> : les alias sont seulement déréférencés lors de "
+"la localisation de l'objet de base de la recherche."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2309
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+"<emphasis>always</emphasis> : les alias sont déréférencés à la fois pour la "
+"recherche et et la localisation de l'objet de base de la recherche."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2314
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+"Par défaut : vide (ceci est traité comme <emphasis>never</emphasis> par les "
+"bibliothèques clientes LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2322
+msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+msgstr "ldap_rfc2307_fallback_to_local_users (booléen)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2325
+msgid ""
+"Allows to retain local users as members of an LDAP group for servers that "
+"use the RFC2307 schema."
+msgstr ""
+"Permet de conserver les utilisateurs locaux en tant que membres d'un groupe "
+"LDAP pour les serveurs qui utilisent le schéma RFC2307."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2329
+msgid ""
+"In some environments where the RFC2307 schema is used, local users are made "
+"members of LDAP groups by adding their names to the memberUid attribute. "
+"The self-consistency of the domain is compromised when this is done, so SSSD "
+"would normally remove the \"missing\" users from the cached group "
+"memberships as soon as nsswitch tries to fetch information about the user "
+"via getpw*() or initgroups() calls."
+msgstr ""
+"Dans certains environnements où le schéma RFC2307 est utilisé, les "
+"utilisateurs locaux deviennent membres du groupes LDAP en ajoutant leurs "
+"noms à l'attribut memberUid. La cohérence du domaine est compromise quand "
+"cela est fait, SSSD supprimerait normalement les utilisateurs « disparus » "
+"des appartenances aux groupes mises en cache dès que nsswitch essaie de "
+"récupérer des informations sur l'utilisateur via des appels à getpw*() ou "
+"initgoups()."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2340
+msgid ""
+"This option falls back to checking if local users are referenced, and caches "
+"them so that later initgroups() calls will augment the local users with the "
+"additional LDAP groups."
+msgstr ""
+"Cette option vérifie en dernier recours si les utilisateurs locaux sont "
+"référencés et les met en cache afin que des appels ultérieurs à initgoups() "
+"ajoutent les utilisateurs locaux aux groupes LDAP."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136
+msgid "wildcard_limit (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2355
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2359
+msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2363
+msgid "Default: 1000 (often the size of one page)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Toutes les options de configuration communes appliquées aux domaines SSSD "
+"s'appliquent aussi aux domaines LDAP. Voir la section des <quote>SECTIONS DE "
+"DOMAINE</quote> dans la page de manuel <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour plus de "
+"détails. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2373
+msgid "SUDO OPTIONS"
+msgstr "OPTIONS DE SUDO"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2375
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2386
+msgid "ldap_sudorule_object_class (string)"
+msgstr "ldap_sudorule_object_class (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2389
+msgid "The object class of a sudo rule entry in LDAP."
+msgstr "La classe d'objet d'une entrée de règle de sudo dans LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2392
+msgid "Default: sudoRole"
+msgstr "Par défaut : sudoRole"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2398
+msgid "ldap_sudorule_name (string)"
+msgstr "ldap_sudorule_name (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2401
+msgid "The LDAP attribute that corresponds to the sudo rule name."
+msgstr "L'attribut LDAP qui correspond au nom de la règle de sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2411
+msgid "ldap_sudorule_command (string)"
+msgstr "ldap_sudorule_command (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2414
+msgid "The LDAP attribute that corresponds to the command name."
+msgstr "L'attribut LDAP qui correspond au nom de la commande."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2418
+msgid "Default: sudoCommand"
+msgstr "Par défaut : sudoCommand"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2424
+msgid "ldap_sudorule_host (string)"
+msgstr "ldap_sudorule_host (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2427
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
+msgstr ""
+"L'attribut LDAP qui correspond au nom d'hôte (ou adresse IP de l'hôte, "
+"réseau IP de l'hôte ou netgroup de l'hôte)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2432
+msgid "Default: sudoHost"
+msgstr "Par défaut : sudoHost"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2438
+msgid "ldap_sudorule_user (string)"
+msgstr "ldap_sudorule_user (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2441
+msgid ""
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
+msgstr ""
+"L'attribut LDAP qui correspond au nom d'utilisateur (ou UID, le nom du "
+"groupe ou netgroup de l'utilisateur)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2445
+msgid "Default: sudoUser"
+msgstr "Par défaut : sudoUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2451
+msgid "ldap_sudorule_option (string)"
+msgstr "ldap_sudorule_option (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2454
+msgid "The LDAP attribute that corresponds to the sudo options."
+msgstr "L'attribut LDAP qui correspond aux options sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2458
+msgid "Default: sudoOption"
+msgstr "Par défaut : sudoOption"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2464
+msgid "ldap_sudorule_runasuser (string)"
+msgstr "ldap_sudorule_runasuser (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2467
+msgid ""
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
+msgstr ""
+"L'attribut LDAP qui correspond aux commandes peuvent être exécutées sous le "
+"nom d'utilisateur."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2471
+msgid "Default: sudoRunAsUser"
+msgstr "Par défaut : sudoRunAsUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2477
+msgid "ldap_sudorule_runasgroup (string)"
+msgstr "ldap_sudorule_runasgroup (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2480
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
+msgstr ""
+"L'attribut LDAP qui correspond au nom du groupe ou GID du groupe sous lequel "
+"les commandes seront être exécutées."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2484
+msgid "Default: sudoRunAsGroup"
+msgstr "Par défaut : sudoRunAsGroup"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2490
+msgid "ldap_sudorule_notbefore (string)"
+msgstr "ldap_sudorule_notbefore (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2493
+msgid ""
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
+msgstr ""
+"L'attribut LDAP qui correspond à la date/heure de début pour laquelle la "
+"règle sudo est valide."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2497
+msgid "Default: sudoNotBefore"
+msgstr "Par défaut : sudoNotBefore"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2503
+msgid "ldap_sudorule_notafter (string)"
+msgstr "ldap_sudorule_notafter (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2506
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
+msgstr ""
+"L'attribut LDAP qui correspond à la date/heure d'expiration, après quoi la "
+"règle sudo ne sera plus valide."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2511
+msgid "Default: sudoNotAfter"
+msgstr "Par défaut : sudoNotAfter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2517
+msgid "ldap_sudorule_order (string)"
+msgstr "ldap_sudorule_order (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2520
+msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+msgstr "L'attribut LDAP qui correspond à l'index de tri de la règle."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2524
+msgid "Default: sudoOrder"
+msgstr "Par défaut : sudoOrder"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2530
+msgid "ldap_sudo_full_refresh_interval (integer)"
+msgstr "ldap_sudo_full_refresh_interval (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2533
+msgid ""
+"How many seconds SSSD will wait between executing a full refresh of sudo "
+"rules (which downloads all rules that are stored on the server)."
+msgstr ""
+"La durée en secondes pendant laquelle SSSD va attendre entre deux "
+"actualisations complètes des règles de sudo (qui téléchargent toutes les "
+"règles qui sont stockées sur le serveur)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2538
+msgid ""
+"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+msgstr ""
+"La valeur doit être supérieure à <emphasis>ldap_sudo_smart_refresh_interval</"
+"emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2543
+msgid "Default: 21600 (6 hours)"
+msgstr "Par défaut : 21600 (6 heures)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2549
+msgid "ldap_sudo_smart_refresh_interval (integer)"
+msgstr "ldap_sudo_smart_refresh_interval (integer)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2552
+msgid ""
+"How many seconds SSSD has to wait before executing a smart refresh of sudo "
+"rules (which downloads all rules that have USN higher than the highest USN "
+"of cached rules)."
+msgstr ""
+"La durée en secondes pendant laquelle SSSD doit attendre avant d'exécuter "
+"une actualisation intelligente des règles sudo (qui télécharge toutes les "
+"règles qui ont un USN supérieur à l'USN le plus élevé des règles mises en "
+"cache)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2558
+msgid ""
+"If USN attributes are not supported by the server, the modifyTimestamp "
+"attribute is used instead."
+msgstr ""
+"Si les attributs USN ne sont pas pris en charge par le serveur, l'attribut "
+"modifyTimestamp est utilisé à la place."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2568
+msgid "ldap_sudo_use_host_filter (boolean)"
+msgstr "ldap_sudo_use_host_filter (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2571
+msgid ""
+"If true, SSSD will download only rules that are applicable to this machine "
+"(using the IPv4 or IPv6 host/network addresses and hostnames)."
+msgstr ""
+"Si true, SSSD téléchargera les seules règles qui s'appliquent à cette "
+"machine (à l'aide de l'adresse de système ou de réseau IPv4 ou IPv6 et des "
+"noms de systèmes)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2582
+msgid "ldap_sudo_hostnames (string)"
+msgstr "ldap_sudo_hostnames (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2585
+msgid ""
+"Space separated list of hostnames or fully qualified domain names that "
+"should be used to filter the rules."
+msgstr ""
+"Liste séparés par des espaces des noms de systèmes ou de domaines qui "
+"doivent être utilisés pour filtrer les règles."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2590
+msgid ""
+"If this option is empty, SSSD will try to discover the hostname and the "
+"fully qualified domain name automatically."
+msgstr ""
+"Si cette option est vide, SSSD va essayer de découvrir automatiquement le "
+"nom de système et le nom de domaine pleinement qualifié."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636
+#: sssd-ldap.5.xml:2654
+msgid ""
+"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+"emphasis> then this option has no effect."
+msgstr ""
+"Si <emphasis>ldap_sudo_use_host_filter</emphasis> est <emphasis>false</"
+"emphasis>, alors cette option n'a aucun effet."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623
+msgid "Default: not specified"
+msgstr "Par défaut : non spécifié"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2606
+msgid "ldap_sudo_ip (string)"
+msgstr "ldap_sudo_ip (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2609
+msgid ""
+"Space separated list of IPv4 or IPv6 host/network addresses that should be "
+"used to filter the rules."
+msgstr ""
+"Liste séparés par des espaces d'adresses de système ou de réseaux IPv4 ou "
+"IPv6 qui doivent être utilisés pour filtrer les règles."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2614
+msgid ""
+"If this option is empty, SSSD will try to discover the addresses "
+"automatically."
+msgstr ""
+"Si cette option est vide, SSSD va essayer de découvrir les adresses "
+"automatiquement."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2629
+msgid "ldap_sudo_include_netgroups (boolean)"
+msgstr "ldap_sudo_include_netgroups (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2632
+msgid ""
+"If true then SSSD will download every rule that contains a netgroup in "
+"sudoHost attribute."
+msgstr ""
+"Si elle est vraie alors SSSD téléchargera toutes les règles qui contient un "
+"netgroup dans l'attribut sudoHost."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2647
+msgid "ldap_sudo_include_regexp (boolean)"
+msgstr "ldap_sudo_include_regexp (boolean)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2650
+msgid ""
+"If true then SSSD will download every rule that contains a wildcard in "
+"sudoHost attribute."
+msgstr ""
+"Si positionnée à true, SSSD téléchargera toutes les règles qui contiennent "
+"un joker dans l'attribut sudoHost."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2666
+msgid ""
+"This manual page only describes attribute name mapping. 
For detailed "
+"explanation of sudo related attribute semantics, see <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+"Cette page de manuel décrit uniquement le mappage de noms d'attribut. Pour "
+"une explication détaillée des sémantiques d'attributs relatives à sudo, cf. "
+"<citerefentry><refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2676
+msgid "AUTOFS OPTIONS"
+msgstr "OPTIONS AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2678
+msgid ""
+"Some of the defaults for the parameters below are dependent on the LDAP "
+"schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2684
+msgid "ldap_autofs_map_master_name (string)"
+msgstr "ldap_autofs_map_master_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2687
+msgid "The name of the automount master map in LDAP."
+msgstr "Le nom de la table de montage automatique maîtresse dans LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2690
+msgid "Default: auto.master"
+msgstr "Par défaut : auto.master"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2697
+msgid "ldap_autofs_map_object_class (string)"
+msgstr "ldap_autofs_map_object_class (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2700
+msgid "The object class of an automount map entry in LDAP."
+msgstr ""
+"La classe d'objet d'une entrée de table de montage automatique dans LDAP."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr "ldap_autofs_map_name (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr "Le nom d'une entrée de table de montage automatique dans LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr "ldap_autofs_entry_object_class (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr "ldap_autofs_entry_key (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+"La clé d'une entrée de montage automatique dans LDAP. L'entrée correspond "
+"généralement à un point de montage."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr "ldap_autofs_entry_value (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "OPTIONS AVANCÉES"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (chaînes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (chaînes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (chaînes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr "<note>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr "</note>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr "ldap_sudo_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr "ldap_autofs_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing. 
<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "EXEMPLE"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+"L'exemple suivant suppose que SSSD est correctement configuré et que LDAP "
+"pointe sur un des domaines de la section <replaceable>[domains]</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "NOTES"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+"Les descriptions de quelques unes des options de configuration des pages de "
+"manuel sont basées sur le manuel de <citerefentry> <refentrytitle>ldap.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> de la distribution "
+"de OpenLDAP 2.4."
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "Module PAM pour SSSD"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+"<command>pam_sss.so</command> est l'interface PAM pour le démon des services "
+"de sécurité système (SSSD). Les erreurs et résultats sont journalisés par "
+"<command>syslog(3)</command> avec l'argument LOG_AUTHPRIV."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr "Supprimer les messages de journal pour les utilisateurs inconnus."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+"Si <option>forward_pass</option> est défini, le mot de passe saisi est "
+"inséré en mémoire pour les autres modules PAM utilisés."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+"L'argument use_first_pass force le module à utliser un module de mot de "
+"passe déjà en mémoire et n'en fera jamais la demande à l'utilisateur. Si "
+"aucun mot de passe n'est disponible ou que celui-ci n'est pas approprié, "
+"l'utilisateur verra son accès refusé."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+"Lorsque le changement de mot de passe force le module à modifier le mot de "
+"passe par celui fourni par un module de mot de passe déjà chargé en mémoire."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+"Si définit, on demande le mot de passe à l'utilisateur encore N fois si "
+"l'authentification échoue. Par défaut : 0."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+"Veuillez noter que cette option peut ne pas fonctionner comme attendu si "
+"l'application qui appelle PAM gère lui-même les dialogues avec "
+"l'utilisateur. Un exemple typique est <command>sshd</command> avec "
+"<option>PasswordAuthentication</option>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr "<option>ignore_unknown_user</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr "<option>ignore_authinfo_unavail</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr "TYPES DE MODULES FOURNIS"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+"Tous les types de module (<option>account</option>, <option>auth</option>, "
+"<option>password</option> et <option>session</option>) sont fournis."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr "FICHIERS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+"Si une réinitialisation par root d'un mot de passe échoue parce que le "
+"fournisseur SSSD correspondant ne prend pas en charge la réinitialisation de "
+"mot de passe, un message spécifique peut être affiché. Ce message peut, par "
+"exemple, contenir les instructions permettant la réinitialisation."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:220
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permissions."
+msgstr ""
+"Le message est lu depuis le fichier <filename>pam_sss_pw_reset_message.LOC</"
+"filename> où LOC représente une chaîne de paramètres régionaux retournée par "
+"<citerefentry><refentrytitle>setlocale</refentrytitle> <manvolnum>3</"
+"manvolnum></citerefentry>. Si il n'y a aucun fichier correspondant, le "
+"contenu de <filename>pam_sss_pw_reset_message.txt</filename> est affiché. "
+"L'utilisateur root doit être le propriétaire des fichiers et seul root peut "
+"avoir les autorisations en lecture et en écriture alors que tous les autres "
+"utilisateurs doivent avoir les autorisations en lecture seule."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:230
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+"Ces fichiers sont recherchés dans le dossier <filename>/etc/sssd/customize/"
+"NOM_DE_DOMAINE/</filename>. Si aucun fichier correspondant n'est présent, un "
+"message spécifique est affiché."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr "sssd_krb5_locator_plugin"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_locator_plugin.8.xml:16
+msgid "Kerberos locator plugin"
+msgstr "Greffon de localisation Kerberos"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use. 
Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplify the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+"Le greffon de localisation Kerberos <command>sssd_krb5_locator_plugin</"
+"command> est utilisé par le fournisseur Kerberos de "
+"<citerefentry><refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> pour indiquer aux bibliothèques Kerberos quel domaine et quel "
+"KDC à utiliser. En général, cela se fait en "
+"<citerefentry><refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> qui est toujours lu par les bibliothèques de "
+"Kerberos. Pour simplifier la configuration, le Domaine et le KDC peuvent "
+"être définis dans <citerefentry><refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> comme indiqué dans "
+"<citerefentry><refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variables and returns them to the "
+"libraries."
+msgstr ""
+"<citerefentry><refentrytitle>SSSD</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> met le nom de domaine et le nom ou adresse IP du KDC dans les "
+"variables d'environnement SSSD_KRB5_REALM et SSSD_KRB5_KDC respectivement. "
+"Lorsque <command>sssd_krb5_locator_plugin</command> est appelé par les "
+"bibliothèques de kerberos, il lit et évalue ces variables et les transmet "
+"aux bibliothèques."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+"Toutes les versions de Kerberos ne prennent en charge l'utilisation de "
+"greffons. Si <command>sssd_krb5_locator_plugin</command> n'est pas présent "
+"sur votre système, il faut modifier /etc/krb5.conf pour s'adapter à la "
+"configuration de Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+"Si la variable d'environnement SSSD_KRB5_LOCATOR_DEBUG a une valeur "
+"quelconque, des messages de débogage seront envoyés sur la sortie standard "
+"d'erreur."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr "sssd-simple"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+"le fichier de configuration pour le fournisseur de contrôle d'accès « "
+"simple » de SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+"Cette page de manuel décrit la configuration du fournisseur de contrôle "
+"d'accès simple de <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Pour plus de détails sur la "
+"syntaxe, cf. la section <quote>FORMAT DE FICHIER</quote> de la page de "
+"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+"Le fournisseur d'accès simple autorise les accès à partir de listes "
+"d'autorisation ou de refus de noms d'utilisateurs ou de groupes. Les règles "
+"suivantes s'appliquent :"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr "Si toutes les listes sont vides, l'accès est autorisé"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+"Si une liste est fournie, quelle qu'elle soit, l'ordre d'évaluation est "
+"allow,deny. Autrement dit une règle de refus écrasera une règle "
+"d'autorisation."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+"Si la ou les listes fournies sont seulement de type « allow », tous les "
+"utilisateurs sont refusés à moins qu'ils ne soient dans la liste."
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+"Si seulement les listes « deny » sont utilisées, tous les utlisateurs sont "
+"autorisés à moins qu'ils ne soient dans la liste."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr "simple_allow_users (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+"Liste séparée par des virgules d'utilisateurs autorisés à se connecter."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr "simple_deny_users (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+"Liste séparée par des virgules d'utilisateurs dont l'accès sera refusé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr "simple_allow_groups (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+"Liste séparée par des virgules de groupes autorisés à se connecter. Ceci ne "
+"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont "
+"pas pris en compte."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr "simple_deny_groups (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+"Liste séparée par des virgules de groupes dont l'accès sera refusé. Ceci ne "
+"s'applique qu'à des groupes dans un domaine SSSD. Les groupes locaux ne sont "
+"pas pris en compte."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Se référer à la section <quote>SECTIONS DE DOMAINE</quote> de la page de "
+"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> pour les détails sur la configuration d'un "
+"domaine SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+"Ne spécifier aucune valeur pour aucune des listes revient à l'ignorer "
+"complètement. Se méfier de ceci lors de la création des paramètres pour le "
+"fournisseur simple à l'aide automatique de scripts."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+"Veuillez noter que la configuration simultanée de simple_allow_users et "
+"simple_deny_users est une erreur."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+"L'exemple suivant suppose que SSSD est correctement configuré et que example."
+"com est un des domaines dans la section <replaceable>[sssd]</replaceable>. "
+"Ces exemples montrent seulement les options spécifiques du fournisseur "
+"d'accès simple."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. 
If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. "
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. "
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:312
+msgid "<SAN:iPAddress>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:315
+msgid "Match the value of the iPAddress SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:318
+msgid "Example: <SAN:iPAddress>192\\.168\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:323
+msgid "<SAN:registeredID>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:326
+msgid "Match the value of the registeredID SAN as dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:330
+msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:68
+msgid ""
+"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:461
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by pkinit. The 'short_name' component represents the first part of the "
+"principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:467
+msgid ""
+"Example: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:472
+msgid "{subject_nt_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:475
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by AD. The 'short_name' component represent the first part of the principal "
+"before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:486
+msgid "{subject_rfc822_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:489
+msgid ""
+"This template will add the string which is stored in the rfc822Name "
+"component of the SAN, typically an email address. The 'short_name' component "
+"represents the first part of the address before the '@' sign."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:495
+msgid ""
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:500
+msgid "{subject_dns_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:503
+msgid ""
+"This template will add the string which is stored in the dNSName component "
+"of the SAN, typically a fully-qualified host name. The 'short_name' "
+"component represents the first part of the name before the first '.' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:509
+msgid ""
+"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:514
+msgid "{subject_uri}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:517
+msgid ""
+"This template will add the string which is stored in the "
+"uniformResourceIdentifier component of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:521
+msgid "Example: (uri={subject_uri})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:526
+msgid "{subject_ip_address}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:529
+msgid ""
+"This template will add the string which is stored in the iPAddress component "
+"of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:533
+msgid "Example: (ip={subject_ip_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:538
+msgid "{subject_x400_address}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:541
+msgid ""
+"This template will add the value which is stored in the x400Address "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:546
+msgid "Example: (attr:binary={subject_x400_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:551
+msgid ""
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:554
+msgid ""
+"This template will add the DN string of the value which is stored in the "
+"directoryName component of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:558
+msgid "Example: (orig_dn={subject_directory_name})"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:563
+msgid "{subject_ediparty_name}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:566
+msgid ""
+"This template will add the value which is stored in the ediPartyName "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:571
+msgid "Example: (attr:binary={subject_ediparty_name})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:576
+msgid "{subject_registered_id}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:579
+msgid ""
+"This template will add the OID which is stored in the registeredID component "
+"of the SAN as a dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:584
+msgid "Example: (oid={subject_registered_id})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:369
+msgid ""
+"The templates to add certificate data to the search filter are based on "
+"Python-style formatting strings. They consist of a keyword in curly braces "
+"with an optional sub-component specifier separated by a '.' or an optional "
+"conversion/formatting option separated by a '!'. Allowed values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:592
+msgid "DOMAIN LIST"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:594
+msgid ""
+"If the domain list is not empty users mapped to a given certificate are not "
+"only searched in the local domain but in the listed domains as well as long "
+"as they are know by SSSD. Domains not know to SSSD will be ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr "sssd-ipa"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ipa.5.xml:17
+msgid "SSSD IPA provider"
+msgstr "Fournisseur IPA SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Cette page de manuel décrit la configuration du fournisseur IPA pour "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Pour une référence détaillée sur la syntaxe, veuillez "
+"regarder la section <quote>FORMAT DE FICHIER</quote> de la page de manuel "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server. (Refer to "
+"the freeipa.org web site for information about IPA servers.) This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+"Le fournisseur IPA est le moteur pour se connecter à un serveur IPA. (Cf. le "
+"site freeipa.org pour plus d'informations sur les serveurs IPA). Ce "
+"fournisseur nécessite que la machine soit joignable pour le domaine IPA ; la "
+"configuration est presque entièrement obtenue et auto-découverte à partir du "
+"serveur."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control) rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
+"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
+"quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:73
+msgid ""
+"The IPA provider will use the PAC responder if the Kerberos tickets of users "
+"from trusted realms contain a PAC. To make configuration easier the PAC "
+"responder is started automatically if the IPA ID provider is configured."
+msgstr ""
+"Le fournisseur IPA utilisera le répondeur PAC si les tickets Kerberos "
+"d'utilisateurs de domaines Kerberos approuvés contiennent un PAC. Pour "
+"rendre la configuration plus facile, le répondeur PAC est démarré "
+"automatiquement si le fournisseur d'ID de IPA est configuré."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:89
+msgid "ipa_domain (string)"
+msgstr "ipa_domain (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:92
+msgid ""
+"Specifies the name of the IPA domain. This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+"Définit le nom du domaine IPA. Facultatif, s'il n'est pas fourni, le nom de "
+"domaine de la configuration est utilisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:100
+msgid "ipa_server, ipa_backup_server (string)"
+msgstr "ipa_server, ipa_backup_server (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:103
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+"La liste par ordre de préférence séparée par des virgules des adresses IP ou "
+"des noms de systèmes des serveurs IPA auxquels SSSD doit se connecter . Pour "
+"plus d'informations sur la redondance de serveurs et la bascule, consulter "
+"la section <quote>BASCULE</quote>. Ceci est facultatif si la découverte "
+"automatique est activée. Pour plus d'informations sur la découverte de "
+"services, se reporter à la section de <quote>DÉCOUVERTE DE SERVICE</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:116
+msgid "ipa_hostname (string)"
+msgstr "ipa_hostname (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:119
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host. The "
+"hostname must be fully qualified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866
+msgid "dyndns_update (boolean)"
+msgstr "dyndns_update (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:131
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA with the IP address of this client. The update is secured "
+"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
+"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
+"quote> option."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880
+msgid ""
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+"the default Kerberos realm must be set properly in /etc/krb5.conf"
+msgstr ""
+"NOTE : Sur les systèmes plus anciens (tels que RHEL 5), afin que ce "
+"comportement fonctionne de façon fiable, le domaine Kerberos par défaut doit "
+"être défini correctement dans /etc/krb5.conf"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:145
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
+"emphasis> in their config file."
+msgstr ""
+"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option "
+"<emphasis>ipa_dyndns_update</emphasis>, les utilisateurs doivent maintenant "
+"utiliser <emphasis>dyndns_update</emphasis> dans leur fichier de "
+"configuration."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891
+msgid "dyndns_ttl (integer)"
+msgstr "dyndns_ttl (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894
+msgid ""
+"The TTL to apply to the client DNS record when updating it. If "
+"dyndns_update is false this has no effect. This will override the TTL "
+"serverside if set by an administrator."
+msgstr ""
+"Le TTL à appliquer à l'enregistrement du client DNS lors de sa mise à jour. "
+"Si dyndns_update a la valeur false, cela n'a aucun effet. Cela remplacera le "
+"TTL côté serveur s'il est défini par un administrateur."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:165
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
+"emphasis> in their config file."
+msgstr ""
+"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option "
+"<emphasis>ipa_dyndns_ttl</emphasis>, les utilisateurs doivent maintenant "
+"utiliser <emphasis>dyndns_ttl</emphasis> dans leur fichier de configuration."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:171
+msgid "Default: 1200 (seconds)"
+msgstr "Par défaut : 1200 (secondes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905
+msgid "dyndns_iface (string)"
+msgstr "dyndns_iface (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908
+msgid ""
+"Optional. Applicable only when dyndns_update is true. Choose the interface "
+"or a list of interfaces whose IP addresses should be used for dynamic DNS "
+"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
+"should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:187
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
+"emphasis> in their config file."
+msgstr ""
+"REMARQUE : Bien qu'il soit toujours possible d'utiliser l'ancienne option "
+"<emphasis>ipa_dyndns_iface</emphasis>, les utilisateurs doivent maintenant "
+"utiliser <emphasis>dyndns_iface</emphasis> dans leur fichier de "
+"configuration."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:193
+msgid ""
+"Default: Use the IP addresses of the interface which is used for IPA LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919
+msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970
+msgid "dyndns_auth (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"updates with the DNS server, insecure updates can be sent by setting this "
+"option to 'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979
+msgid "Default: GSS-TSIG"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:218
+msgid "ipa_enable_dns_sites (boolean)"
+msgstr "ipa_enable_dns_sites (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
+msgid "Enables DNS sites - location based service discovery."
+msgstr "Active les sites DNS - découverte de service basée sur l'emplacement"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:225
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, then the SSSD will first attempt location "
+"based discovery using a query that contains \"_location.hostname.example.com"
+"\" and then fall back to traditional SRV discovery. If the location based "
+"discovery succeeds, the IPA servers located with the location based "
+"discovery are treated as primary servers and the IPA servers located using "
+"the traditional SRV discovery are used as back up servers"
+msgstr ""
+"Si true et que la découverte de service (cf. le paragraphe Découverte de "
+"service au bas de la page de manuel) est activée, alors SSSD tentera d'abord "
+"une découverte basée sur l'emplacement en utilisant une requête contenant "
+"« _location.hostname.example.com », puis reviendra à une découverte SRV "
+"traditionnelle. Si la découverte basée sur l'emplacement réussit, les "
+"serveurs IPA ainsi découverts sont traités comme serveurs primaires, et les "
+"serveurs identifiés via la découverte basée sur les enregistrements SRV "
+"seront utilisés comme serveurs de repli"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925
+msgid "dyndns_refresh_interval (integer)"
+msgstr "dyndns_refresh_interval (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:247
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true."
+msgstr ""
+"Fréquence de mise à jour des DNS par le moteur en plus des mises à jour "
+"automatiques effectuées lorsque le moteur arrive en ligne. 
Cette option est "
+"facultative, et n'est applicable que lorsque l'option dyndns_update est "
+"configurée à true."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943
+msgid "dyndns_update_ptr (bool)"
+msgstr "dyndns_update_ptr (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946
+msgid ""
+"Whether the PTR record should also be explicitly updated when updating the "
+"client's DNS records. Applicable only when dyndns_update is true."
+msgstr ""
+"Selon que l'enregistrement PTR doit être explicitement mis à jour lors de la "
+"mise à jour des enregistrements DNS du client. Applicable uniquement lorsque "
+"l'option dyndns_update est configurée à true."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:268
+msgid ""
+"This option should be False in most IPA deployments as the IPA server "
+"generates the PTR records automatically when forward records are changed."
+msgstr ""
+"Cette option doit être positionnée à False pour la plupart des déploiements "
+"IPA, puisque le serveur IPA crée les enregistrements PTR automatiquement "
+"quand les enregistrements directs sont modifiés."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:274
+msgid "Default: False (disabled)"
+msgstr "Par défaut : False (désactivé)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957
+msgid "dyndns_force_tcp (bool)"
+msgstr "dyndns_force_tcp (booléen)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960
+msgid ""
+"Whether the nsupdate utility should default to using TCP for communicating "
+"with the DNS server."
+msgstr ""
+"Selon que l'utilitaire nsupdate doit utiliser TCP par défaut pour la "
+"communication avec le serveur DNS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964
+msgid "Default: False (let nsupdate choose the protocol)"
+msgstr "Par défaut : False (laisser nsupdate choisir le protocole)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985
+msgid "dyndns_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988
+msgid ""
+"The DNS server to use when performing a DNS update. In most setups, it's "
+"recommended to leave this option unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993
+msgid ""
+"Setting this option makes sense for environments where the DNS server is "
+"different from the identity server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998
+msgid ""
+"Please note that this option will be only used in fallback attempt when "
+"previous attempt using autodetected settings failed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003
+msgid "Default: None (let nsupdate choose the server)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:317
+msgid "ipa_deskprofile_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:320
+msgid ""
+"Optional. Use the given string as search base for Desktop Profile related "
+"objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337
+msgid "Default: Use base DN"
+msgstr "Par défaut : utilise le DN de base"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:330
+msgid "ipa_hbac_search_base (string)"
+msgstr "ipa_hbac_search_base (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:333
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+"Facultatif. Utilise la chaîne donnée comme base de recherche pour les objets "
+"HBAC associés."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:343
+msgid "ipa_host_search_base (string)"
+msgstr "ipa_host_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:346
+msgid "Deprecated. Use ldap_host_search_base instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:352
+msgid "ipa_selinux_search_base (string)"
+msgstr "ipa_selinux_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:355
+msgid "Optional. Use the given string as search base for SELinux user maps."
+msgstr ""
+"Facultatif. 
Utiliser la chaîne donnée comme base de recherche pour les "
+"mappages utilisateur SELinux."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:371
+msgid "ipa_subdomains_search_base (string)"
+msgstr "ipa_subdomains_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:374
+msgid "Optional. Use the given string as search base for trusted domains."
+msgstr ""
+"Facultatif. Utiliser la chaîne donnée comme base de recherche pour les "
+"domaines approuvés."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:383
+msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+msgstr "Par défaut : la valeur de <emphasis>cn=trusts,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:390
+msgid "ipa_master_domain_search_base (string)"
+msgstr "ipa_master_domain_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:393
+msgid "Optional. Use the given string as search base for master domain object."
+msgstr ""
+"Facultatif. Utiliser la chaîne donnée comme base de recherche objet de "
+"domaine maître."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:402
+msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+msgstr "Par défaut : la valeur de <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:409
+msgid "ipa_views_search_base (string)"
+msgstr "ipa_views_search_base (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:412
+msgid "Optional. Use the given string as search base for views containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:421
+msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:431
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+"Le nom du domaine Kerberos. Facultatif, prend comme valeur par défaut la "
+"valeur de <quote>ipa_domain</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:435
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+"Le nom du domaine Kerberos a une signification spéciale dans IPA. Il est "
+"convertit en DN de base pour effectuer les opérations LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012
+msgid "krb5_confd_path (string)"
+msgstr "krb5_confd_path (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023
+msgid ""
+"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:461
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:464
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431
+msgid "Default: 5 (seconds)"
+msgstr "Par défaut : 5 (secondes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:477
+msgid "ipa_deskprofile_request_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:480
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server in case the last request did not return any rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:485
+msgid "Default: 60 (minutes)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:491
+msgid "ipa_hbac_refresh (integer)"
+msgstr "ipa_hbac_refresh (entier)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:494
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+"Le temps entre deux recherches de règles HBAC sur un serveur IPA. Cela "
+"permet de réduire le temps de latence et la charge du serveur IPA si il y a "
+"beaucoup de requêtes de contrôle d'accès sur une courte période."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:507
+msgid "ipa_hbac_selinux (integer)"
+msgstr "ipa_hbac_selinux (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:510
+msgid ""
+"The amount of time between lookups of the SELinux maps against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many user login requests made in a short period."
+msgstr ""
+"Le temps entre les recherches de cartes SELinux sur un serveur IPA. Cela "
+"réduit le temps de latence et la charge du serveur IPA s'il y a beaucoup de "
+"requêtes de connexions utilisateurs sur une courte période."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:523
+msgid "ipa_server_mode (boolean)"
+msgstr "ipa_server_mode (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:526
+msgid ""
+"This option will be set by the IPA installer (ipa-server-install) "
+"automatically and denotes if SSSD is running on an IPA server or not."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:531
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:536
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:541
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:550
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:565
+msgid "ipa_automount_location (string)"
+msgstr "ipa_automount_location (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "The automounter location this IPA client will be using"
+msgstr "L'emplacement à automonter qu'utilisera ce client IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:571
+msgid "Default: The location named \"default\""
+msgstr "Par défaut : Le lieu nommé « default »"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:579
+msgid "VIEWS AND OVERRIDES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:588
+msgid "ipa_view_class (string)"
+msgstr "ipa_view_class (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:591
+msgid "Objectclass of the view container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:594
+msgid "Default: nsContainer"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:600
+msgid "ipa_view_name (string)"
+msgstr "ipa_view_name (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:603
+msgid "Name of the attribute holding the name of the view."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:613
+msgid "ipa_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:616
+msgid "Objectclass of the override objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:619
+msgid "Default: ipaOverrideAnchor"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:625
+msgid "ipa_anchor_uuid (string)"
+msgstr "ipa_anchor_uuid (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:628
+msgid ""
+"Name of the attribute containing the reference to the original object in a "
+"remote domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: ipaAnchorUUID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_user_override_object_class (string)"
+msgstr "ipa_user_override_object_class (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"Name of the objectclass for user overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:646
+msgid "User overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:649
+msgid "ldap_user_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:652
+msgid "ldap_user_uid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:655
+msgid "ldap_user_gid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:658
+msgid "ldap_user_gecos"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "ipa_group_override_object_class (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "FOURNISSEURS DE SOUS-DOMAINES" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" +"Le fournisseur de sous-domaines IPA se comporte un peu différemment s'il est " +"configuré explicitement ou implicitement." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" +"Si l'option « subdomains_provider = ipa » se trouve dans la section domaine " +"de sssd.conf, le fournisseur de sous-domaines d'IPA est configuré " +"explicitement, et toutes les demandes de sous-domaines sont envoyées au " +"serveur IPA si nécessaire." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." 
+"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" +"Si l'option « subdomains_provider » n'est pas définie dans la section " +"domaine de sssd.conf, mais qu'il y a l'option « id_provider = ipa », le " +"fournisseur de sous-domaines IPA est configuré implicitement. Dans ce cas, " +"si une demande de sous-domaine échoue et indique que le serveur ne prend pas " +"en charge les sous-domaines, c'est-à-dire qu'il n'est pas configuré pour les " +"relations d'approbations, le fournisseur de sous-domaines IPA est désactivé. " +"Après une heure ou après que le fournisseur IPA arrive en ligne, le " +"fournisseur de sous-domaines est à nouveau activé." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +#, fuzzy +#| msgid "" +#| "These configuration options can be present in a domain configuration " +#| "section, that is, in a section called <quote>[domain/<replaceable>NAME</" +#| "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgid "" +"Some configuration options can be also set for a trusted domain. 
A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Ces options de configuration peuvent être présentes dans la section de " +"configuration du domaine, c'est-à-dire dans la section nommée <quote>[domain/" +"<replaceable>NAME</replaceable>]</quote> <placeholder type=\"variablelist\" " +"id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +#, fuzzy +#| msgid "" +#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +#| "manvolnum> </citerefentry> manual page for more details." +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Se reporter au paramètre <quote>dns_discovery_domain</quote> dans la page de " +"manuel <citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> pour plus de détails." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +#, fuzzy +#| msgid "ad_server, ad_backup_server (string)" +msgid "ad_backup_server" +msgstr "ad_server, ad_backup_server (string)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +#, fuzzy +#| msgid "ad_site (string)" +msgid "ad_site" +msgstr "ad_site (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +#, fuzzy +#| msgid "ldap_search_base (string)" +msgid "ldap_search_base" +msgstr "ldap_search_base (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +#, fuzzy +#| msgid "ldap_user_search_base (string)" +msgid "ldap_user_search_base" +msgstr "ldap_user_search_base (chaînes)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +#, fuzzy +#| msgid "ldap_group_search_base (string)" +msgid "ldap_group_search_base" +msgstr "ldap_group_search_base (chaînes)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" +"L'exemple suivant suppose que SSSD est correctement configuré et example.com " +"est un des domaines de la section <replaceable>[sssd]</replaceable>. Ces " +"exemples montrent seulement les options spécifiques au fournisseur IPA." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "sssd-ad" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "Fournisseur Active Directory SSSD" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"Cette page de manuel décrit la configuration du fournisseur AD pour " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Pour une référence détaillée sur la syntaxe, cf. la section " +"<quote>FORMAT DE FICHIER</quote> de la page de manuel <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" +"Le fournisseur AD prend en charge la connexion à Active Directory 2008 R2 ou " +"ultérieures. Les versions antérieures peuvent fonctionner, mais ne sont pas " +"supportées." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. 
Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" +"ldap_id_mapping = False\n" +" " + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" +"Spécifie le nom du domaine Active Directory. 
Ceci est facultatif. S'il " +"n'est pas fourni, le nom de domaine de la configuration est utilisé." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" +"Pour un fonctionnement correct, cette option doit être le nom long du " +"domaine Active Directory, spécifié en minuscules." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" +"Le nom de domaine court (aussi connu comme le nom NetBIOS ou nom plat) est " +"autodétecté par SSSD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. 
For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." 
+msgstr "" +"Facultatif. Peut être défini sur les machines où le hostname(5) ne reflète " +"pas le nom pleinenent qualifié utilisé dans le domaine Active Directory pour " +"identifier ce système." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" +"Ce champ est utilisé pour déterminer le principal d'hôte utilisé dans un " +"fichier keytab. Elle doit correspondre au nom du système pour lequel a été " +"publié un fichier keytab." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (booléen)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" +"Si configuré à true et que la découverte de service (cf. le paragraphe " +"Découverte de service au bas de la page de manuel) est activée, SSSD tentera " +"d'abord de découvrir le serveur Active Directory auquel se connecter en " +"utilisant Active Directory Site Discovery, puis se repliera sur " +"l'utilisation des enregistrements DNS SRV si aucun site AD n'est trouvé. La " +"configuration SRV du DNS, incluant la découverte de domaine, est aussi " +"utilisée pendant la découverte de site." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "ad_access_filter (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "ad_site (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "ad_enable_gc (booléen)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "ad_gpo_access_control (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "Il existe trois valeurs prises en charge pour cette option :" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "Par défaut : permissive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (entier)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:446
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on locally\" and \"Deny log on locally\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:460
+#, no-wrap
+msgid ""
+"ad_gpo_map_interactive = +my_pam_service, -login\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:451
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>login</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651
+#: sssd-ad.5.xml:717
+msgid "Default: the default set of PAM service names includes:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:468
+msgid "login"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:473
+msgid "su"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:478
+msgid "su-l"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:483
+msgid "gdm-fingerprint"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:488
+msgid "gdm-password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:493
+msgid "gdm-smartcard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:498
+msgid "kdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:503
+msgid "lightdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:508
+msgid "lxdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:513
+msgid "sddm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:518
+msgid "unity"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:523
+msgid "xdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:532
+msgid "ad_gpo_map_remote_interactive (string)"
+msgstr "ad_gpo_map_remote_interactive (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:535
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the RemoteInteractiveLogonRight and "
+"DenyRemoteInteractiveLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:541
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on through Remote Desktop Services\" and \"Deny log on through Remote "
+"Desktop Services\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:556
+#, no-wrap
+msgid ""
+"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:547
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>sshd</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:564
+msgid "sshd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:569
+msgid "cockpit"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:578
+msgid "ad_gpo_map_network (string)"
+msgstr "ad_gpo_map_network (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:581
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the NetworkLogonRight and "
+"DenyNetworkLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:587
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Access "
+"this computer from the network\" and \"Deny access to this computer from the "
+"network\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:602
+#, no-wrap
+msgid ""
+"ad_gpo_map_network = +my_pam_service, -ftp\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:593
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>ftp</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:610
+msgid "ftp"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:615
+msgid "samba"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:624
+msgid "ad_gpo_map_batch (string)"
+msgstr "ad_gpo_map_batch (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:627
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+"policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:633
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on as a batch job\" and \"Deny log on as a batch job\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:647
+#, no-wrap
+msgid ""
+"ad_gpo_map_batch = +my_pam_service, -crond\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:638
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>crond</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:655
+msgid "crond"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:664
+msgid "ad_gpo_map_service (string)"
+msgstr "ad_gpo_map_service (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:667
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the ServiceLogonRight and "
+"DenyServiceLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:673
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on as a service\" and \"Deny log on as a service\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:686
+#, no-wrap
+msgid ""
+"ad_gpo_map_service = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:678 sssd-ad.5.xml:753
+msgid ""
+"It is possible to add a PAM service name to the default set by using <quote>"
+"+service_name</quote>. Since the default set is empty, it is not possible "
+"to remove a PAM service name from the default set. For example, in order to "
+"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you "
+"would use the following configuration: <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:696
+msgid "ad_gpo_map_permit (string)"
+msgstr "ad_gpo_map_permit (chaîne)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:699
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access is "
+"always granted, regardless of any GPO Logon Rights."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:713
+#, no-wrap
+msgid ""
+"ad_gpo_map_permit = +my_pam_service, -sudo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:704
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for unconditionally permitted "
+"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:721
+msgid "polkit-1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:726
+msgid "sudo"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:731
+msgid "sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:736
+msgid "systemd-user"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:745
+msgid "ad_gpo_map_deny (string)"
+msgstr "ad_gpo_map_deny (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:748
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access is "
+"always denied, regardless of any GPO Logon Rights."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:761
+#, no-wrap
+msgid ""
+"ad_gpo_map_deny = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:771
+msgid "ad_gpo_default_right (string)"
+msgstr "ad_gpo_default_right (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:774
+msgid ""
+"This option defines how access control is evaluated for PAM service names "
+"that are not explicitly listed in one of the ad_gpo_map_* options. This "
+"option can be set in two different manners. First, this option can be set to "
+"use a default logon right. For example, if this option is set to "
+"'interactive', it means that unmapped PAM service names will be processed "
+"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy "
+"settings. Alternatively, this option can be set to either always permit or "
+"always deny access for unmapped PAM service names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:787
+msgid "Supported values for this option include:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:791
+msgid "interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:796
+msgid "remote_interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:801
+msgid "network"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:806
+msgid "batch"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:811
+msgid "service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:816
+msgid "permit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:821
+msgid "deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:827
+msgid "Default: deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:833
+msgid "ad_maximum_machine_account_password_age (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:836
+msgid ""
+"SSSD will check once a day if the machine account password is older than the "
+"given age in days and try to renew it. A value of 0 will disable the renewal "
+"attempt."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:842
+msgid "Default: 30 days"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:848
+msgid "ad_machine_account_password_renewal_opts (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:851
+msgid ""
+"This option should only be used to test the machine account renewal task. "
+"The option expects 2 integers separated by a colon (':'). The first integer "
+"defines the interval in seconds how often the task is run. The second "
+"specifies the initial timeout in seconds before the task is run for the "
+"first time after startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:860
+msgid "Default: 86400:750 (24h and 15m)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:869
+msgid ""
+"Optional. This option tells SSSD to automatically update the Active "
+"Directory DNS server with the IP address of this client. The update is "
+"secured using GSS-TSIG. As a consequence, the Active Directory administrator "
+"only needs to allow secure updates for the DNS zone. The IP address of the "
+"AD LDAP connection is used for the updates, if it is not otherwise specified "
+"by using the <quote>dyndns_iface</quote> option."
+msgstr ""
+"Facultatif. Cette option indique à SSSD de mettre à jour automatiquement le "
+"serveur DNS intégré à IPA v2 avec l'adresse IP de ce client. La mise à jour "
+"est sécurisée avec GSS-TSIG. Ainsi, l'administrateur Active Directory a "
+"uniquement besoin d'activer les mises à jour sécurisées pour la zone DNS. 
"
+"L'adresse IP de la connexion LDAP AD est utilisée pour les mises à jour, à "
+"moins qu'elle ne soit spécifiée par l'utilisation de l'option "
+"<quote>dyndns_iface</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:899
+msgid "Default: 3600 (seconds)"
+msgstr "Par défaut : 3600 (secondes)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:915
+msgid ""
+"Default: Use the IP addresses of the interface which is used for AD LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:928
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Par défaut : True"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1043
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This example shows only the AD provider-specific options."
+msgstr ""
+"L'exemple suivant suppose que SSSD est correctement configuré et example.com "
+"est un des domaines de la section <replaceable>[sssd]</replaceable>. Ces "
+"exemples montrent seulement les options spécifiques au fournisseur AD."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1050
+#, no-wrap
+msgid ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+msgstr ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1070
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1066
+msgid ""
+"The AD access control provider checks if the account is expired. It has the "
+"same effect as the following configuration of the LDAP provider: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Le fournisseur de contrôle d'accès AD vérifie si le compte a expiré. Cela a "
+"le même effet que la configuration suivante du fournisseur LDAP : "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1076
+msgid ""
+"However, unless the <quote>ad</quote> access control provider is explicitly "
+"configured, the default access provider is <quote>permit</quote>. Please "
+"note that if you configure an access provider other than <quote>ad</quote>, "
+"you need to set all the connection parameters (such as LDAP URIs and "
+"encryption details) manually."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr "sssd-sudo"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr "Configuration de sudo avec le moteur SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+"Cette page de manuel décrit comment configurer "
+"<citerefentry><refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> pour travailler avec <citerefentry><refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum></citerefentry> et comment SSSD met "
+"en cache les règles sudo."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr "Configuration de sudo pour coopérer avec SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Pour activer SSSD comme source pour les règles de sudo, ajouter "
+"<emphasis>sss</emphasis> à l'entrée <emphasis>sudoers</emphasis> dans "
+"<citerefentry><refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+"Par exemple, pour configurer sudo pour rechercher d'abord les règles dans le "
+"fichier standard <citerefentry><refentrytitle>sudoers</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> (qui doit contenir les règles qui "
+"s'appliquent aux utilisateurs locaux) et ensuite dans SSSD, le fichier "
+"nsswitch.conf doit contenir la ligne suivante :"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr "sudoers: files sss\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Plus d'informations sur la configuration de l'ordre de recherche de sudoers "
+"depuis le fichier nsswitch.conf, mais aussi les informations sur le schéma "
+"LDAP qui est utilisé pour stocker les règles sudo dans l'annuaire sont "
+"disponibles dans <citerefentry><refentrytitle>sudoers.ldap</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr "Configuration de SSSD pour aller chercher les règles de sudo"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+"L'exemple suivant montre comment configurer SSSD pour télécharger les règles "
+"sudo à partir d'un serveur LDAP."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr "Le mécanisme de mise en cache de règles SUDO"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+"Le plus grand défi lors du développement de la prise en charge de sudo dans "
+"SSSD était de de s'assurer que l'utilisation d'un sudo exploitant SSSD comme "
+"source de données fournissait la même expérience utilisateur et était aussi "
+"rapide que sudo, tout en conservant le jeu de règles le plus à jour "
+"possible. Pour satisfaire ces exigences, SSSD utilise trois types de mises à "
+"jour. Elles sont appelées actualisation complète, rafraîchissement "
+"intelligent et rafraîchissement des règles."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+"Le <emphasis>rafraîchissement intelligent</emphasis> télécharge "
+"périodiquement les règles qui sont nouvelles ou qui ont été modifiées après "
+"la dernière mise à jour. Son but premier est d'éviter à la base de données "
+"de grossir en allant chercher de petits incréments qui ne génèrent pas de "
+"gros de trafic réseau."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. 
" +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" +"Le <emphasis>rafracîchissement complèt</emphasis> supprime simplement toutes " +"les règles sudo stockées dans le cache et les remplace par toutes les règles " +"qui sont stockées sur le serveur. Ceci est utilisé pour assurer la cohérence " +"de cache en supprimant toutes les règles qui ont été supprimées du serveur. " +"Cependant, un rafraîchissement complet peut produire beaucoup de trafic et " +"doit n'être exécuté qu'occasionnellement selon la taille et de la stabilité " +"des règles sudo." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" +"Le <emphasis>rafraîchissement des règles</emphasis> fait en sorte de ne pas " +"accorder à l'utilisateur plus d'autorisations que défini. Il est déclenché " +"chaque fois que l'utilisateur exécute sudo. L'actualisation des règles " +"trouvera toutes les règles qui s'appliquent à cet utilisateur, vérifie leur " +"date d'expiration et les retéléchargera si elles ont expiré. Dans le cas où " +"l'une de ces règles est manquante sur le serveur, SSSD programmera en " +"parallèle un rafraîchissement complet hors ligne car d'autres règles " +"(s'appliquant à d'autres utilisateurs) peuvent avoir été supprimées." + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+"Si activé, SSSD stocke uniquement les règles qui peuvent être appliquées à "
+"cette machine. En d'autres termes, ce sont les règles qui contiennent une "
+"des valeurs suivantes dans l'attribut de <emphasis>sudoHost</emphasis> :"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr "mot-clé ALL"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:173
+msgid "wildcard"
+msgstr "joker"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:178
+msgid "netgroup (in the form \"+netgroup\")"
+msgstr "netgroup (sous la forme « +netgroup »)"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:183
+msgid "hostname or fully qualified domain name of this machine"
+msgstr ""
+"nom de système ou le nom de domaine pleinement qualifié de cette machine"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:188
+msgid "one of the IP addresses of this machine"
+msgstr "une des adresses IP de cette machine"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:193
+msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+msgstr "une des adresses IP du réseau (sous la forme « adresse/masque »)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:199
+msgid ""
+"There are many configuration options that can be used to adjust the "
+"behavior.
Please refer to \"ldap_sudo_*\" in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Il existe de nombreuses options de configuration qui peuvent être utilisées "
+"pour ajuster le comportement. Consulter « ldap_sudo_ * » dans "
+"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> et « sudo_ * » dans "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr "sssd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr "System Security Services Daemon"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+"<command>SSSD</command> fournit un jeu de démons pour gérer l'accès à des "
+"dossiers distants et les mécanismes d'authentification.
Il fournit une "
+"interface NSS et PAM au travers du système et un moteur système extensible "
+"par greffons pour se connecter à de multiples comptes de sources différentes "
+"en plus d'une interface D-Bus. C'est aussi un moyen de fournir un moyen "
+"d'audit client et une politique de services pour les projets tels que "
+"FreeIPA. Il fournit une base de donnée plus robuste pour stocker les "
+"utilisateurs locaux ainsi que les données étendues des utilisateurs."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr ""
+"<emphasis>1</emphasis> : Ajouter un horodatage aux messages de débogage"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr ""
+"<emphasis>0</emphasis> : Désactiver l'horodatage dans les messages de "
+"débogage"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+"<emphasis>1</emphasis> : Ajouter les microsecondes à l'horodatage dans les "
+"messages de débogage"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr ""
+"<emphasis>0</emphasis> : Désactiver les microsecondes dans l'horodatage"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr "<option>-f</option>,<option>--debug-to-files</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+"Envoie la sortie de débogage vers des fichiers plutôt que vers la sortie "
+"d'erreur standard. Par défaut, les fichiers de sortie sont stockés dans "
+"<filename>/var/log/sssd</filename> et des fichiers différents sont créés "
+"pour chaque service et domaine SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr "<option>-D</option>,<option>--daemon</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr "Devenir un démon après le démarrage."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr "<option>-i</option>,<option>--interactive</option>"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr "Tourner en avant-plan et ne pas devenir un démon."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr "<option>-c</option>,<option>--config</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Définit un fichier de configuration autre que celui par défaut (<filename>/"
+"etc/sssd/sssd.conf</filename>). Pour obtenir des informations sur la syntaxe "
+"et les options du fichier de configuration, consulter les pages de manuel de "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr "<option>--version</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr "Afficher le numéro de version et quitter."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr "Signaux"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr "SIGTERM/SIGINT"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+"Indique à SSSD de fermer normalement tous ses processus fils puis d'arrêter "
+"le moniteur."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr "SIGHUP"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+"Précise à SSSD de ne plus écrire vers son fichier de débogage actuel, de le "
+"fermer et de le rouvrir. Cela permet de faciliter les rotations de fichiers "
+"de sortie avec des programmes tels que logrotate."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr "SIGUSR1"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr "SIGUSR2"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr "sss_obfuscate"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr "obscurcir un mot de passe en clair"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+"<command>sss_obfuscate</command> convertit un mot de passe donné en un "
+"format illisible par un humain et le place dans la section de domaine "
+"appropriée du fichier de configuration SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>.
Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+"Le mot de passe en clair est lu dans l'entrée standard ou entré "
+"interactivement. Les mots de passes chiffrés sont mis dans "
+"<quote>ldap_default_authtok</quote> pour un domaine SSSD donné et le "
+"paramètre <quote>ldap_default_authtok_type</quote> est défini à "
+"<quote>obfuscated_password</quote>. Cf. <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> pour plus de "
+"détails sur ces paramètres."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+"Veuillez noter que les mots de passe chiffrés ne fournissent <emphasis>aucun "
+"réel bénéfice de sécurité</emphasis> étant donné qu'il est possible de "
+"retrouver le mot de passe par ingénierie-inverse. Utiliser un meilleur "
+"mécanisme d'authentification tel que les certificats côté client ou GSSAPI "
+"est <emphasis>très</emphasis> conseillé."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr "<option>-s</option>,<option>--stdin</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr "Le mot de passe chiffré sera lu sur l'entrée standard."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAINE</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+"Le domaine SSSD auquel est lié le mot de passe. Le nom par défaut est "
+"<quote>default</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+"<option>-f</option>,<option>--file</option> <replaceable>FICHIER</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr "Lit le fichier de configuration spécifié par le paramètre."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr "Par défaut : <filename>/etc/sssd/sssd.conf</filename>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_override.8.xml:16
+msgid "create local overrides of user and group attributes"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_override.8.xml:21
+msgid ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:32
+msgid ""
+"<command>sss_override</command> enables to create a client-side view and "
+"allows to change selected values of specific user and groups. This change "
+"takes effect only on local machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:37
+msgid ""
+"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
+"local overrides are lost. Please note that after the first override is "
+"created using any of the following <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
+"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
+"take effect. <emphasis>sss_override</emphasis> prints message when a "
+"restart is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:50 sssctl.8.xml:41
+msgid "AVAILABLE COMMANDS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:52
+msgid ""
+"Argument <emphasis>NAME</emphasis> is the name of original object in all "
+"commands. It is not possible to override <emphasis>uid</emphasis> or "
+"<emphasis>gid</emphasis> to 0."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:59
+msgid ""
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
+"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
+"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+"CERTIFICATE</optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:72
+msgid ""
+"Override attributes of an user. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:80
+msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:85
+msgid ""
+"Remove user overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:94
+msgid ""
+"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:99
+msgid ""
+"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
+"is set, only users from the domain are listed."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:107
+msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:112
+msgid "Show user overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:118
+msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:123
+msgid ""
+"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard passwd file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:128
+msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:131
+msgid ""
+"where original_name is original name of the user whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:140
+msgid "ckent:superman::::::"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:143
+msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:149
+msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:154
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>user-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:162
+msgid ""
+"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:169
+msgid ""
+"Override attributes of a group. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:177
+msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:182
+msgid ""
+"Remove group overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:191
+msgid ""
+"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:196
+msgid ""
+"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
+"parameter is set, only groups from the domain are listed."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr "sss_useradd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr "créer un utilisateur"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>UTILISATEUR</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+"<command>sss_useradd</command> crée un nouveau compte utilisateur en "
+"utilisant les valeurs spécifiées en ligne de commande auquelles sont "
+"ajoutées les valeurs par défaut du système."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"Définit l'UID de l'utilisateur à la valeur <replaceable>UID</replaceable>. "
+"Si non précisé, il est choisit automatiquement."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENTAIRE</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+"Toute chaîne de caractère décrivant l'utilisateur. Souvent utilisé comme "
+"champ pour le nom entier de l'utilisateur."
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+"Le répertoire personnel du compte utilisateur. Par défaut, on ajoute "
+"<replaceable>LOGIN</replaceable> à <filename>/home</filename> et on utilise "
+"cela comme dossier personnel. La base précédent <replaceable>LOGIN</"
+"replaceable> est modifiable avec le paramètre <quote>user_defaults/"
+"baseDirectory</quote> de sssd.conf."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>. The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+"L'interpréteur de commande de l'utilisateur.
La valeur par défaut actuelle, "
+"<filename>/bin/bash</filename>, peut être modifiée avec le paramètre "
+"<quote>user_defaults/defaultShell</quote> dans sssd.conf."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPES</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr "Une liste de groupes existants dont l'utilisateur est aussi membre."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr "<option>-m</option>,<option>--create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+"Crée le répertoire personnel de l'utilisateur s'il n'existe pas. Les "
+"fichiers et répertoires inclus dans le répertoire squelette (pouvant être "
+"définis avec l'option -k ou dans le fichier de configuration) sont copiés "
+"dans le dossier personnel."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr "<option>-M</option>,<option>--no-create-home</option>"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+"Ne pas créer de dossier personnel pour l'utilisateur. Écrase les paramètres "
+"de configuration."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+"Le répertoire squelette, contenant les fichiers et répertoires à copier dans "
+"le répertoire personnel de l'utilisateur, quand le répertoire personnel est "
+"créé par <command>sss_useradd</command>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"Special files (block devices, character devices, named pipes and unix "
+"sockets) will not be copied."
+msgstr ""
+"Les fichiers spéciaux (périphériques blocs, caractères, tubes nommés et "
+"sockets unix) ne seront pas copiés."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:147
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+"L'option n'est valide que si l'option <option>-m</option> (ou <option>--"
+"create-home</option>) est utilisée ou si la création de répertoires "
+"personnels est à TRUE dans la configuration."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>UTILISATEUR_SELINUX</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:161
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+"L'utilisateur SELinux pour la connexion utilisateur. Si non spécifié, la "
+"valeur par défaut du système est utilisée."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr "sssd-krb5"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-krb5.5.xml:17
+msgid "SSSD Kerberos provider"
+msgstr "Fournisseur Kerberos SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+"Cette page de manuel décrit la configuration du moteur d'authentification de "
+"Kerberos 5 pour <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>.
Pour une référence détaillée sur "
+"la syntaex, veuillez vous référer à la section <quote>FORMAT DE FICHIER</"
+"quote> du manuel de <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with an identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+"Le moteur d'authentification Kerberos 5 contient les fournisseurs "
+"d'authentification et de changement de mot de passe. Il doit être couplé "
+"avec un fournisseur d'identité de manière à fonctionner proprement (par "
+"exemple, id_provider = ldap). Plusieurs informations requises par le moteur "
+"d'authentification Kerberos 5 doivent être fournies par le fournisseur "
+"d'identité, telles que le nom du principal de l'utilisateur Kerberos (UPN). "
+"La configuration du fournisseur d'identité doit avoir une entrée pour "
+"spécifier l'UPN. Veuillez vous référer aux pages du manuel du fournisseur "
+"d'identité ad-hoc pour pouvoir le configurer."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user.
"
+"To activate this feature, use 'access_provider = krb5' in your SSSD "
+"configuration."
+msgstr ""
+"Ce moteur fournit aussi un contrôle d'accès sur le fichier .k5login dans le "
+"répertoire personnel de l'utilisateur. Voir <citerefentry> <refentrytitle>."
+"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> pour plus de "
+"détails. Veuillez noter qu'un fichier .k5login vide interdira tout accès "
+"pour cet utilisateur. Pour activer cette option, utilisez « access_provider "
+"= krb5 » dans votre configuration de SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend, "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+"Dans le cas où l'UPN n'est pas valide dans le moteur d'identité, "
+"<command>sssd</command> construira un UPN en utilisant le format "
+"<replaceable>utilisateur</replaceable>@<replaceable>krb5_realm</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect, in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled; for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"Spécifie la liste séparée par des virgules des adresses IP ou des noms de "
+"systèmes des serveurs Kerberos auquel SSSD doit se connecter, par ordre de "
+"préférence.
Pour plus d'informations sur la redondance par bascule et le "
+"serveur, consultez la section de <quote>BASCULE</quote>. Un numéro de port "
+"facultatif (précédé de deux-points) peut être ajouté aux adresses ou aux "
+"noms de systèmes. Si vide, le service de découverte est activé - pour plus "
+"d'informations, se reporter à la section <quote>DÉCOUVERTE DE SERVICE</"
+"quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+"Le nom du domaine Kerberos. Cette option est nécessaire et doit être "
+"renseignée."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+msgstr "krb5_kpasswd, krb5_backup_kpasswd (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC, alternative "
+"servers can be defined here. An optional port number (preceded by a colon) "
+"may be appended to the addresses or hostnames."
+msgstr ""
+"Si le service de changement de mot de passe ne fonctionne pas sur le KDC, "
+"des serveurs de secours peuvent être définis ici. Un numéro de port "
+"facultatif (précédé par un signe deux-points) peut-être être suffixé aux "
+"adresses ou aux noms de systèmes."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
+"servers to try, the backend is not switched to operate offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+"Pour plus d'information sur la bascule et la redondance de serveurs, voir la "
+"section <quote>BASCULE</quote>. Noter que même si il n'y a plus de serveurs "
+"kpasswd à essayer, le moteur ne passe pas en mode hors-ligne si "
+"l'authentification KDC est toujours possible."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr "Par défaut : utiliser le KDC"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr "krb5_ccachedir (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. The directory "
+"is created as private and owned by the user, with permissions set to 0700."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:145
+msgid "Default: /tmp"
+msgstr "Par défaut : /tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:151
+msgid "krb5_ccname_template (string)"
+msgstr "krb5_ccname_template (chaîne)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+msgid "%u"
+msgstr "%u"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+msgid "login name"
+msgstr "identifiant de connexion"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+msgid "%U"
+msgstr "%U"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:170
+msgid "login UID"
+msgstr "UID de l'utilisateur"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:173
+msgid "%p"
+msgstr "%p"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:174
+msgid "principal name"
+msgstr "nom du principal"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:178
+msgid "%r"
+msgstr "%r"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:179
+msgid "realm name"
+msgstr "nom de domaine"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:182
+msgid "%h"
+msgstr "%h"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+msgid "home directory"
+msgstr "répertoire personnel"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+msgid "%d"
+msgstr "%d"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:188
+msgid "value of krb5_ccachedir"
+msgstr "valeur de krb5_ccachedir"
+
+#.
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+msgid "%P"
+msgstr "%P"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:194
+msgid "the process ID of the SSSD client"
+msgstr "l'ID de processus du client SSSD"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+msgid "%%"
+msgstr "%%"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+msgid "a literal '%'"
+msgstr "un « % » littéral"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:154
+msgid ""
+"Location of the user's credential cache. Three credential cache types are "
+"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
+"<quote>KEYRING:persistent</quote>. The cache can be specified either as "
+"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
+"implies the <quote>FILE</quote> type. In the template, the following "
+"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
+"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+"filename in a safe way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:208
+msgid ""
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
+"persistent:%U</quote>, which uses the Linux kernel keyring to store "
+"credentials on a per-UID basis. This is also the recommended choice, as it "
+"is the most secure and predictable method."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:216
+msgid ""
+"The default value for the credential cache name is sourced from the profile "
+"stored in the system wide krb5.conf configuration file in the [libdefaults] "
+"section. The option name is default_ccache_name. See krb5.conf(5)'s "
+"PARAMETER EXPANSION paragraph for additional information on the expansion "
+"format defined by krb5.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:225
+msgid ""
+"NOTE: Please be aware that libkrb5 ccache expansion template from "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> uses different expansion sequences than SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:234
+msgid "Default: (from libkrb5)"
+msgstr "Par défaut : (valeur provenant de libkrb5)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:240
+msgid "krb5_auth_timeout (integer)"
+msgstr "krb5_auth_timeout (entier)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:243
+msgid ""
+"Timeout in seconds after an online authentication request or change password "
+"request is aborted. If possible, the authentication request is continued "
+"offline."
+msgstr ""
+"Délai d'attente, en secondes, après l'annulation d'une requête "
+"d'authentification en ligne ou de changement de mot de passe. La requête "
+"d'authentification sera effectuée hors-ligne si cela est possible."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (booléen)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed. The keytab is checked for entries sequentially, and the first entry "
+"with a matching realm is used for validation. If no entry matches the realm, "
+"the last entry in the keytab is used. This process can be used to validate "
+"environments using cross-realm trust by placing the appropriate keytab entry "
+"as the last entry or the only entry in the keytab file."
+msgstr ""
+"Vérifie à l'aide de krb5_keytab que le TGT obtenu n'a pas été usurpé. Les "
+"entrées d'un fichier keytab sont vérifiées dans l'ordre, et la première "
+"entrée avec un domaine correspondant est utilisée pour la validation. Si "
+"aucune entrée ne correspond au domaine, la dernière entrée dans le fichier "
+"keytab est utilisée. Ce processus peut être utilisé pour valider des "
+"environnements utilisant l'approbation entre domaines en plaçant l'entrée "
+"keytab appropriée comme dernière ou comme seule entrée dans le fichier "
+"keytab."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:272
+msgid "krb5_keytab (string)"
+msgstr "krb5_keytab (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:275
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+"L'emplacement du fichier keytab à utiliser pour valider les données "
+"d'identification obtenues à partir de KDC."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:279
+msgid "Default: /etc/krb5.keytab"
+msgstr "Par défaut : /etc/krb5.keytab"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:285
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr "krb5_store_password_if_offline (booléen)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:288
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider comes online again."
+msgstr ""
+"Stocke le mot de passe de l'utilisateur si le fournisseur est hors-ligne, "
+"puis l'utilise pour obtenir un TGT lorsque le fournisseur redevient "
+"disponible en ligne."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:293
+msgid ""
+"NOTE: this feature is only available on Linux. Passwords stored in this way "
+"are kept in plaintext in the kernel keyring and are potentially accessible "
+"by the root user (with difficulty)."
+msgstr ""
+"NOTE : cette fonctionnalité n'est actuellement disponible que sur les plates-"
+"formes Linux. Les mots de passe stockés de cette manière sont conservés en "
+"texte brut dans le trousseau de clés du noyau et sont potentiellement "
+"accessibles à l'utilisateur root (avec difficulté)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:306
+msgid "krb5_renewable_lifetime (string)"
+msgstr "krb5_renewable_lifetime (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:309
+msgid ""
+"Request a renewable ticket with a total lifetime, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+"Demande un ticket renouvelable avec une durée de vie totale, donnée par un "
+"entier immédiatement suivi par une unité de temps :"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
+msgid "<emphasis>s</emphasis> for seconds"
+msgstr "<emphasis>s</emphasis> pour secondes"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
+msgid "<emphasis>m</emphasis> for minutes"
+msgstr "<emphasis>m</emphasis> pour minutes"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
+msgid "<emphasis>h</emphasis> for hours"
+msgstr "<emphasis>h</emphasis> pour heures"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
+msgid "<emphasis>d</emphasis> for days."
+msgstr "<emphasis>d</emphasis> pour jours."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397
+msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
+msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401
+msgid ""
+"NOTE: It is not possible to mix units. To set the renewable lifetime to one "
+"and a half hours, use '90m' instead of '1h30m'."
+msgstr ""
+"NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée "
+"de vie renouvelable de une heure et trente minutes, utiliser « 90m » au lieu "
+"de « 1h30m »."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid "Default: not set, i.e.
the TGT is not renewable"
+msgstr ""
+"Par défaut : non défini, c'est-à-dire que le TGT n'est pas renouvelable"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:341
+msgid "krb5_lifetime (string)"
+msgstr "krb5_lifetime (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:344
+msgid ""
+"Request ticket with a lifetime, given as an integer immediately followed by "
+"a time unit:"
+msgstr ""
+"Demande un ticket avec une durée de vie, donnée par un entier immédiatement "
+"suivi par une unité de temps :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:360
+msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
+msgstr "Si aucune unité n'est spécifiée, <emphasis>s</emphasis> est utilisé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:364
+msgid ""
+"NOTE: It is not possible to mix units. To set the lifetime to one and a "
+"half hours please use '90m' instead of '1h30m'."
+msgstr ""
+"NOTE : il n'est pas possible de mélanger les unités. Pour indiquer une durée "
+"de vie de une heure et trente minutes, utiliser « 90m » au lieu de « 1h30m »."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:369
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+"Par défaut : non défini, c'est-à-dire la durée de vie par défaut configurée "
+"dans le KDC."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:376
+msgid "krb5_renew_interval (string)"
+msgstr "krb5_renew_interval (chaîne)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:379
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+"La durée, en secondes, entre deux vérifications pour savoir si le TGT doit "
+"être renouvelé. Les TGT sont renouvelés si environ la moitié de leur durée "
+"de vie est dépassée. Indiquée par un entier immédiatement suivi d'une unité "
+"de temps :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:406
+msgid "If this option is not set or is 0 the automatic renewal is disabled."
+msgstr ""
+"Si cette option n'est pas définie ou définie à 0, le renouvellement "
+"automatique est désactivé."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr "krb5_use_fast (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+"Active le flexible authentication secure tunneling (FAST) pour la pré-"
+"authentification Kerberos. Les options suivantes sont supportées :"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:424
+msgid ""
+"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
+"option at all."
+msgstr ""
+"<emphasis>never</emphasis> : ne jamais utiliser FAST. Ceci équivaut à ne pas "
+"définir cette option."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" +"<emphasis>try</emphasis> : eassyer d'utiliser FAST. Si le serveur ne prend " +"pas en charge FAST, continuer l'authentification sans." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" +"<emphasis>demander</emphasis>  : imposer d'utiliser FAST. L'authentification " +"échoue si le serveur ne requiert pas FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Par défaut : non défini, i.e. FAST n'est pas utilisé." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "NOTE : un fichier keytab est requis pour utiliser FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" +"NOTE : SSSD prend en charge le paramètre FAST uniquement avec MIT Kerberos " +"version 1.8 et au-delà. L'utilisation de SSSD avec une version antérieure de " +"MIT Kerberos avec cette option est une erreur de configuration." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "Spécifie le principal de serveur afin d'utiliser FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" +"Spécifie si les principaux du système et de l'utilisateur doivent être " +"rendus canoniques. Cette fonctionnalité est disponible avec MIT Kerberos 1.7 " +"et versions suivantes." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (booléen)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" +"Indique si le principal de l'utilisateur doit être traité comme un principal " +"d'entreprise. Cf. la section 5 de la RFC 6806 pour plus de détails sur les " +"principals d'entreprise." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "Par défaut : false (AD provider : true)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "krb5_map_user (chaîne)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Si le module auth krb5 est utilisé dans un domaine SSSD, les options " +"suivantes doivent être utilisées. Cf. la page de manuel " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry>, section <quote>SECTIONS DOMAINE</quote> pour plus " +"de détails sur la configuration d'un domaine SSSD. <placeholder type=" +"\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" +"L'exemple suivant suppose que SSSD est correctement configuré et que FOO est " +"l'un des domaines de la section <replaceable>[sssd]</replaceable>. Cet " +"exemple montre uniquement la configuration de l'authentification Kerberos, " +"et n'inclut aucun fournisseur d'identité." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "Créer un nouveau groupe" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" +"<command>sss_groupadd</command> crée un nouveau groupe. Ces groupes sont " +"compatibles avec les groupes POSIX, avec la caractéristique supplémentaire " +"qu'ils peuvent contenir d'autres groupes comme membres." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" +"Positionne le GID du groupe à la valeur <replaceable>GID</replaceable>. Si " +"non spécifié, il est choisi automatiquement." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "Supprimer un compte utilisateur" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." +msgstr "" +"<command>sss_userdel</command> supprime du système un utilisateur identifié " +"par son identifiant de connexion <replaceable>LOGIN</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" +"Les fichiers dans le répertoire ainsi que le répertoire lui-même de " +"l'utilisateur et sa messagerie seront supprimés. Outrepasse la configuration." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. 
Overrides the configuration." +msgstr "" +"Les fichiers dans le répertoire ainsi que le répertoire lui-même de " +"l'utilisateur et sa messagerie ne seront PAS supprimés. Outrepasse la " +"configuration." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" +"Cette option oblige <command>sss_userdel</command> à supprimer le répertoire " +"home de l'utilisateur et sa messagerie, même si ils ne sont pas détenus par " +"l'utilisateur spécifié." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" +"Avant de réellement supprimer l'utilisateur, mettre fin à tous ses processus." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "supprimer un groupe" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" +"<command>sss_groupdel</command> supprime du système un groupe identifié par " +"son nom de groupe <replaceable>GROUPE</replaceable>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "affiche les propriétés d'un groupe" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUPE</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." 
+msgstr "" +"<command>sss_groupshow</command> affiche des informations sur un groupe " +"identifié par son nom <replaceable>GROUPE</replaceable>. Les informations " +"incluent l'ID de groupe, les membres du groupe ainsi que le groupe parent." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" +"Affiche aussi les membres indirects de groupe dans une hiérarchie " +"arborescente. Noter que cela affecte également les affichages de groupes " +"parents - sans l'option <option>R</option>, seul le parent direct sera " +"affiché." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "modifier un compte utilisateur" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" +"<command>sss_usermod</command> modifie le compte défini par " +"<replaceable>LOGIN</replaceable> pour refléter les modifications fournies en " +"ligne de commande." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "Le répertoire personnel du compte utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "L'interpréteur de commandes de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Ajouter cet utilisateur aux groupes spécifiés par le paramètre " +"<replaceable>GROUPS</replaceable>. Le paramètre <replaceable>GROUPS</" +"replaceable> est une liste séparée par des virgules de noms de groupes." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"Retirer cet utilisateur de groupes spécifiés par le paramètre " +"<replaceable>GROUPS</replaceable>." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "Verrouiller le compte utilisateur. Il ne pourra plus se connecter." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Déverrouiller le compte utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" +"L'utilisateur SELinux pour l'identifiant de connexion de l'utilisateur." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "Ajouter une paire attribut/valeur. Le format est nom_attribut=valeur." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" +"Définir une paire attribut/valeur. Le format est nom_attribut=valeur. Pour " +"les attributs multi-valués, la commande remplace les valeurs déjà présentes." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" +"Supprimer une paire attribut/valeur. Le format est nom_attribut=valeur." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "effectue le nettoyage du cache" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "Invalider un utilisateur spécifique." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" +"L'annulation de tous les enregistrements d'utilisateur. Cette option prend " +"le pas sur l'invalidation d'un utilisateur spécifique, si elle a été " +"également configuré." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "L'annulation de groupe spécifique." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" +"L'annulation de tous les enregistrements de groupe. Cette option prend le " +"pas sur l'invalidation d'un groupe spécifique si elle a été également " +"définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "Invalide un netgroup spécifique." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" +"Invalider tous les enregistrements de netgroup. Cette option prend le pas " +"sur l'invalidation de netgroup spécifiques s'il a été également définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "Invalider le service spécifique." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" +"Invalider tous les enregistrements de service. Cette option se substitue à " +"l'invalidation de service spécifique s'elle a également été définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "Invalider des cartes autofs spécifiques." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" +"Invalider toutes les cartes autofs. Cette option remplace l'invalidation de " +"carte spécifique s'elle a également été définie." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "Restreindre le processus d'invalidation à un domaine particulier." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "initialise le cache SSSD avec un utilisateur" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." 
+msgstr ""
+"<command>sss_seed</command> initialise le cache SSSD avec une entrée "
+"d'utilisateur et le mot de passe temporaire. Si une entrée d'utilisateur est "
+"déjà présente dans le cache de SSSD, l'entrée est mise à jour avec le mot de "
+"passe temporaire."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:46
+msgid ""
+"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:51
+msgid ""
+"Provide the name of the domain in which the user is a member of. The domain "
+"is also used to retrieve user information. The domain must be configured in "
+"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
+"Information retrieved from the domain overrides what is provided in the "
+"options."
+msgstr ""
+"Indique le nom de domaine duquel l'utilisateur est membre. Le domaine est "
+"également utilisé pour récupérer les informations sur l'utilisateur. Le "
+"domaine doit être configuré dans sssd.conf. L'option <replaceable>DOMAIN</"
+"replaceable> doit être fournie. Les informations récupérées depuis le "
+"domaine prennent le pas sur ce qui est fourni dans les options."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:63
+msgid ""
+"<option>-n</option>,<option>--username</option> <replaceable>USER</"
+"replaceable>"
+msgstr ""
+"<option>-n</option>,<option>--username</option> <replaceable>USER</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:68
+msgid ""
+"The username of the entry to be created or modified in the cache. The "
+"<replaceable>USER</replaceable> option must be provided."
+msgstr ""
+"Le nom d'utilisateur de l'entrée devant être créée ou modifiée dans le "
+"cache. L'option <replaceable>USER</replaceable> doit être fournie."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:81
+msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgstr "Définit l'UID de l'utilisateur à <replaceable>UID</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:93
+msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+msgstr "Définit le GID de l'utilisateur à <replaceable>GID</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:117
+msgid ""
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+msgstr ""
+"Définit le répertoire de l'utilisateur à <replaceable>HOME_DIR</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:129
+msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+msgstr ""
+"Définit l'interpréteur de commande de l'utilisateur à <replaceable>SHELL</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:140
+msgid ""
+"Interactive mode for entering user information. This option will only prompt "
+"for information not provided in the options or retrieved from the domain."
+msgstr ""
+"Mode interactif pour la saisie des informations de l'utilisateur. Cette "
+"option invite uniquement à la saisir des renseignements non fournis dans les "
+"options ou non récupérés à partir du domaine."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:148
+msgid ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:153
+msgid ""
+"Specify file to read user's password from. (if not specified password is "
+"prompted for)"
+msgstr ""
+"Spécifie le fichier dans lequel lire le mot de passe de l'utilisateur. (si "
+"aucun mot de passe n'est spécifié, il sera demandé)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:165
+msgid ""
+"The length of the password (or the size of file specified with -p or --"
+"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+"on systems with no globally-defined PASS_MAX value)."
+msgstr ""
+"La taille du mot de passe (ou la taille du fichier spécifié avec l'option -p "
+"ou --password-file) doit être inférieure ou égale à PASS_MAX octets (64 "
+"octets sur les systèmes sans valeur globale définie de PASS_MAX)."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+msgid "sssd-ifp"
+msgstr "sssd-ifp"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ifp.5.xml:17
+msgid "SSSD InfoPipe responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:23
+msgid ""
+"This manual page describes the configuration of the InfoPipe responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "name" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "identifiant de connexion de l'utilisateur" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "uidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "identifiant de l'utilisateur" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "gidNumber" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "identifiant de groupe primaire" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "gecos" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "informations utilisateur, généralement le nom complet" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "loginShell" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "interpréteur de commande" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" +"Par défaut : non défini. Seul le jeu d'attributs POSIX par défaut est " +"autorisé." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "FICHIER DE CONFIGURATION" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "EXTENSION DE CONFIGURATION SSS" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "Section de configuration [sss]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "INTÉGRATION SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VOIR AUSSI" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "obtient les clés OpenSSH autorisées" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" +"<command>sss_ssh_authorizedkeys</command> acquiert les clés publiques SSH " +"pour <replaceable>USER</replaceable> et les renvoie dans le format " +"authorized_keys de OpenSSH (cf. la section <quote>FORMAT DE FICHIER " +"AUTHORIZED_KEYS</quote> de <citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> pour plus d'informations)." + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +#, fuzzy +#| msgid "client_idle_timeout" +msgid "p11_child_timeout" +msgstr "client_idle_timeout" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +#, fuzzy +#| msgid "" +#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +#| "manvolnum> </citerefentry> manual page for more details." +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" +"Se reporter au paramètre <quote>dns_discovery_domain</quote> dans la page de " +"manuel <citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> pour plus de détails." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" +"Rechercher des clés publiques dans le domaine SSSD <replaceable>DOMAIN</" +"replaceable>." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "CODE RETOUR" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" +"Dans le cas d'un opération achevée avec succès, une valeur de retour de 0 " +"est renvoyée. Dans le cas contraire, 1 est renvoyé." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "obtenir les clés d'hôtes OpenSSH" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" +"Si <replaceable>PROXY_COMMAND</replaceable> est indiqué, elle est alors " +"utilisée pour établier la connexion vers le système au lieu d'ouvrir une " +"socket." + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> peut être configuré pour utiliser " +"<command>sss_ssh_knownhostsproxy</command> pour l'authentication par clés en " +"utilisant les directives suivantes pour la configuration de " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> : <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" +"Utiliser le port <replaceable>PORT</replaceable> pour se connecter au " +"système. Par défaut, le port 22 est utilisé." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" +"Rechercher les clés publiques dans le domaine SSSD <replaceable>DOMAINE</" +"replaceable> hôte." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +#, fuzzy +#| msgid "<option>-U</option>,<option>--users</option>" +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +#, fuzzy +#| msgid "" +#| "Search for host public keys in SSSD domain <replaceable>DOMAIN</" +#| "replaceable>." +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" +"Rechercher les clés publiques dans le domaine SSSD <replaceable>DOMAINE</" +"replaceable> hôte." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+#, fuzzy
+#| msgid "ad_site (string)"
+msgid "passwd_files (string)"
+msgstr "ad_site (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: password"
+msgid "Default: /etc/passwd"
+msgstr "Par défaut : password"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+#, fuzzy
+#| msgid "ldap_netgroup_triple (string)"
+msgid "group_files (string)"
+msgstr "ldap_netgroup_triple (chaîne)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: nisNetgroup"
+msgid "Default: /etc/group"
+msgstr "Par défaut : nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+#, fuzzy
+#| msgid ""
+#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> manual page for details on the configuration of an SSSD "
+#| "domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Se référer à la section <quote>SECTIONS DE DOMAINE</quote> de la page de "
+"manuel <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> pour les détails sur la configuration d'un "
+"domaine SSSD. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. 
All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:602
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:606
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:614
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16
+msgid "sssd-session-recording"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-session-recording.5.xml:17
+msgid "Configuring session recording with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to "
+"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "DÉCOUVERTE DE SERVICE" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" +"La fonctionnalité de découverte de services permet aux moteurs de trouver " +"automatiquement les serveurs appropriés auxquels se connecter à l'aide d'une " +"requête DNS spéciale. Cette fonctionnalité n'est pas pris en charge pour sur " +"les serveurs secondaires." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "Configuration" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" +"Si aucun serveur n'est spécifié, le moteur utilise automatiquement la " +"découverte de services pour tenter de trouver un serveur. 
L'utilisateur peut " +"aussi choisir d'utiliser des adresses de serveur et de découverte de " +"services fixes en insérant un mot-clé spécial, <quote>_srv_</quote>, dans la " +"liste des serveurs. L'ordre de préférence est maintenu. Cette fonctionnalité " +"est utile si, par exemple, l'utilisateur préfère utiliser la découverte de " +"services chaque fois que possible et se replier vers un serveur spécifique " +"lorsqu'aucun serveur ne peut être découvert à l'aide du DNS." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "Le nom de domaine" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" +"Se reporter au paramètre <quote>dns_discovery_domain</quote> dans la page de " +"manuel <citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> pour plus de détails." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "Le protocole" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" +"Les requêtes spécifient généralement _tcp comme protocole. Les exceptions " +"sont documentées dans les descriptions respectives des options." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "Voir aussi" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." 
+msgstr "" +"Pour plus d'informations sur le mécanisme de découverte de services, se " +"reporter à la RFC 2782." + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "BASCULE" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" +"La fonctionnalité de bascule autorise le moteur à basculer automatiquement " +"sur un serveur différent si le serveur actuel est défaillant." + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "Syntaxe de bascule" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" +"La liste des serveurs est donnée sous forme de liste séparée par des " +"virgules ; un nombre quelconque d'espaces est autorisé autour de la virgule. " +"Les serveurs sont répertoriés par ordre de préférence. La liste peut " +"contenir un nombre quelconque de serveurs." + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. 
The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" +"Pour chaque option de configuration alors que la bascule est activée, il " +"existe deux variantes : <emphasis>primary</emphasis> et <emphasis>backup</" +"emphasis>. L'idée est que les serveurs dans la liste principale sont " +"préférés et les serveurs de secours sont interrogés uniquement si aucun " +"serveur primaire ne peut être atteint. Si un serveur de secours est " +"sélectionné, un délai d'attente de 31 secondes est défini. Après ce délai " +"d'attente, SSSD tentera périodiquement de se reconnecter à un des serveurs " +"primaires. S'il réussit, il remplacera l'actuel serveur (de secours) actif." + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "Mécanisme de bascule" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" +"Le mécanisme de bascule fait la distinction entre une machine et d'un " +"service. 
Le moteur tente d'abord de résoudre le nom d'hôte d'un ordinateur " +"donné ; en cas d'échec de cette tentative de résolution, la machine est " +"considérée comme hors ligne. Aucune autre tentative n'est faite pour se " +"connecter à cette machine pour tout autre service. Si la tentative de " +"résolution réussit, le serveur principal tente de se connecter à un service " +"sur cette machine. Si la tentative de connexion de service échoue, alors ce " +"seul service est considéré comme hors ligne et le moteur passe " +"automatiquement au service suivant. La machine est toujours considérée en " +"ligne et peut toujours être considérée pour une tentative d'accès à un autre " +"service." + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" +"Les tentatives de connexion ultérieures sont faites vers des machines ou des " +"services marqués comme hors connexion après un délai spécifié ; ce délai est " +"actuellement spécifié en dur à 30 secondes." + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" +"S'il n'y a plus aucune machine à essayer, le moteur dans son ensemble " +"bascule dans le mode hors connexion et tente ensuite de se reconnecter " +"toutes les 30 secondes." + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:55
+msgid ""
+"Resolving a server to connect to can be as simple as running a single DNS "
+"query or can involve several steps, such as finding the correct site or "
+"trying out multiple host names in case some of the configured servers are "
+"not reachable. The more complex scenarios can take some time and SSSD needs "
+"to balance between providing enough time to finish the resolution process "
+"but on the other hand, not trying for too long before falling back to "
+"offline mode. If the SSSD debug logs show that the server resolution is "
+"timing out before a live server is contacted, you can consider changing the "
+"time outs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:76
+msgid "dns_resolver_op_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid "How long would SSSD talk to a single DNS server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:86
+msgid "dns_resolver_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:90
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:100
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></"
+"quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr "CORRESPONDANCE D'IDENTIFIANTS"
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+"La fonctionnalité de correspondance d'ID permet à SSSD d'agir comme un "
+"client de Active Directory sans demander aux administrateurs d'étendre les "
+"attributs utilisateur pour prendre en charge les attributs POSIX pour les "
+"identifiants d'utilisateur et de groupe."
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between automatically-"
+"assigned and manually-assigned values. If you need to use manually-assigned "
+"values, ALL values must be manually-assigned."
+msgstr ""
+"Remarque : Lorsque la mise en correspondance des ID est activée, les "
+"attributs uidNumber et gidNumber sont ignorés. Ceci afin d'éviter les "
+"risques de conflit entre les valeurs attribuées automatiquement et assignées "
+"manuellement. Si vous avez besoin d'utiliser des valeurs attribuées "
+"manuellement, TOUTES les valeurs doivent être assignées manuellement."
+
+#. 
type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed. It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr "Arrêter le service SSSD"
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr "Supprimer la base de donnée"
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr "Démarrer le service SSSD"
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr "Algorithme de correspondance"
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory. This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+"Active Directory fournit un objectSID pour chaque objet d'utilisateur et de "
+"groupe dans l'annuaire. Cet objectSID peut être divisé en composants qui "
+"représentent l'identité de domaine Active Directory et l'identificateur "
+"relatif (RID) de l'objet utilisateur ou groupe."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\"-. Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+"L'algorithme de mise en correspondance des ID de SSSD tient un éventail "
+"d'uid disponibles et le divise en sections de même taille, appelées « "
+"tranches ». Chaque tranche représente l'espace disponible dans un domaine "
+"Active Directory."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that domain. "
+"In order to make this slice-assignment repeatable on different client "
+"machines, we select the slice based on the following algorithm:"
+msgstr ""
+"Lorsqu'une entrée d'utilisateur ou de groupe pour un domaine particulier est "
+"rencontrée pour la première fois, SSSD alloue une des plages disponibles "
+"pour ce domaine. Afin de rendre cette affectation de plage reproductible sur "
+"les ordinateurs clients différents, l'algorithme de sélection de plage "
+"suivant est utilisé :"
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value. We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+"La chaîne du SID est passée par l'intermédiaire de l'algorithme murmurhash3 "
+"pour le convertir en une valeur de hachage de 32 bits. Nous prenons ensuite "
+"le modulo de cette valeur avec le nombre total des tranches disponibles pour "
+"prendre la tranche."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+"Remarque : Il est possible de rencontrer les collisions dans le hachage et "
+"le modulo en découlant. Dans ces situations, la tranche suivante disponible "
+"sera sélectionnée, mais il n'est pas possible de reproduire le même jeu "
+"exact des tranches sur d'autres machines (puisque l'ordre dans lequel elles "
+"sont rencontrées déterminera leur tranche). Dans ce cas, il est recommandé "
+"de passer à l'utilisation des attributs POSIX explicites dans Active "
+"Directory (en désactivant la correspondance d'ID) ou configurer un domaine "
+"par défaut afin de garantir qu'au moins un est toujours cohérent. Pour plus "
+"d'informations, voir <quote>Configuration</quote>."
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid ""
+"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr ""
+"Configuration minimale (dans la section <quote>[domain/DOMAINNAME]</"
+"quote>) :"
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr "Configuration avancée"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr "ldap_idmap_range_min (integer)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"Spécifie la limite inférieure de la plage d'ID POSIX à utiliser pour la mise "
+"en correspondance d'identifiants utilisateurs et groupes Active Directory."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:127
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. 
This is a subtle "
+"distinction, but the good general advice would be to have <quote>min_id</"
+"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
+msgstr ""
+"NOTE : Cette option est différente de <quote>min_id</quote> en ce sens que "
+"<quote>min_id</quote> agit comme filtre sur le résultat des requêtes vers ce "
+"domaine, alors que cette option contrôle les plages de correspondance d'ID. "
+"Il s'agit d'une distinction subtile, mais les bonnes pratiques conseillent "
+"d'avoir <quote>min_id</quote> inférieur ou égal à "
+"<quote>ldap_idmap_range_min</quote>"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+msgid "Default: 200000"
+msgstr "Par défaut : 200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:142
+msgid "ldap_idmap_range_max (integer)"
+msgstr "ldap_idmap_range_max (integer)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:145
+msgid ""
+"Specifies the upper bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"Spécifie la limite supérieure de la plage d'ID POSIX à utiliser pour la mise "
+"en correspondance d'identifiants utilisateurs et groupes Active Directory."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:149
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. 
This is a subtle "
+"distinction, but the good general advice would be to have <quote>max_id</"
+"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
+msgstr ""
+"NOTE : Cette option est différente de <quote>max_id</quote> en ce sens que "
+"<quote>max_id</quote> agit comme filtre sur le résultat des requêtes vers ce "
+"domaine, alors que cette option contrôle les plages de correspondance d'ID. "
+"Il s'agit d'une distinction subtile, mais les bonnes pratiques conseillent "
+"d'avoir <quote>max_id</quote> supérieur ou égal à "
+"<quote>ldap_idmap_range_max</quote>"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:159
+msgid "Default: 2000200000"
+msgstr "Par défaut : 2000200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:164
+msgid "ldap_idmap_range_size (integer)"
+msgstr "ldap_idmap_range_size (integer)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:167
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+"Spécifie le nombre d'identifiants pour chaque tranche. Si la taille de la "
+"plage ne divise pas uniformément dans les valeurs minimale et maximale, des "
+"tranches complètes seront créées autant que possible."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:179
+msgid ""
+"For example, if your most recently-added Active Directory user has "
+"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
+"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:186
+msgid ""
+"It is important to plan ahead for future expansion, as changing this value "
+"will result in changing all of the ID mappings on the system, leading to "
+"users with different local IDs than they previously had."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:196
+msgid "ldap_idmap_default_domain_sid (string)"
+msgstr "ldap_idmap_default_domain_sid (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:199
+msgid ""
+"Specify the domain SID of the default domain. This will guarantee that this "
+"domain will always be assigned to slice zero in the ID map, bypassing the "
+"murmurhash algorithm described above."
+msgstr ""
+"Spécifier le SID de domaine du domaine par défaut. Cela garantira que ce "
+"domaine est toujours affecté à la tranche zéro dans la carte d'ID, sans "
+"passer par l'algorithme murmurhash décrit ci-dessus."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:210
+msgid "ldap_idmap_default_domain (string)"
+msgstr "ldap_idmap_default_domain (chaîne)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:213
+msgid "Specify the name of the default domain." 
+msgstr "Spécifier le nom de domaine par défaut."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:221
+msgid "ldap_idmap_autorid_compat (boolean)"
+msgstr "ldap_idmap_autorid_compat (boolean)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:224
+msgid ""
+"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
+"winbind's <quote>idmap_autorid</quote> algorithm."
+msgstr ""
+"Modifie le comportement de l'algorithme de mise en correspondance des ID "
+"afin qu'il se comporte de manière identique à celui <quote>idmap_autorid</"
+"quote> de winbind."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:229
+msgid ""
+"When this option is configured, domains will be allocated starting with "
+"slice zero and increasing monatomically with each additional domain."
+msgstr ""
+"Lorsque cette option est configurée, les domaines seront alloués en "
+"commençant par la tranche zéro et augmentant de manière monotone pour chaque "
+"domaine supplémentaire."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:234
+msgid ""
+"NOTE: This algorithm is non-deterministic (it depends on the order that "
+"users and groups are requested). If this mode is required for compatibility "
+"with machines running winbind, it is recommended to also use the "
+"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
+"least one domain is consistently allocated to slice zero."
+msgstr ""
+"Remarque : Cet algorithme n'est pas déterministe (il dépend de l'ordre dans "
+"lequel utilisateurs et groupes sont invités). 
Si ce mode est nécessaire pour "
+"assurer la compatibilité avec les ordinateurs qui utilisent winbind, il est "
+"recommandé d'utiliser également l'option "
+"<quote>ldap_idmap_default_domain_sid</quote> pour garantir qu'au moins un "
+"domaine est systématiquement alloué à la tranche zéro."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:249
+msgid "ldap_idmap_helper_table_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:252
+msgid ""
+"Maximal number of secondary slices that is tried when performing mapping "
+"from UNIX id to SID."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:256
+msgid ""
+"Note: Additional secondary slices might be generated when SID is being "
+"mapped to UNIX id and RID part of SID is out of range for secondary slices "
+"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
+"then no additional secondary slices are generated."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:273
+msgid "Well-Known SIDs"
+msgstr "SID bien connus"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:275
+msgid ""
+"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a "
+"special hardcoded meaning. Since the generic users and groups related to "
+"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no "
+"POSIX IDs are available for those objects."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:281
+msgid ""
+"The SID name space is organized in authorities which can be seen as "
+"different domains. The authorities for the Well-Known SIDs are"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:284
+msgid "Null Authority"
+msgstr "Null Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:285
+msgid "World Authority"
+msgstr "World Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:286
+msgid "Local Authority"
+msgstr "Local Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:287
+msgid "Creator Authority"
+msgstr "Creator Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:288
+msgid "NT Authority"
+msgstr "NT Authority"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:289
+msgid "Built-in"
+msgstr "Built-in"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:291
+msgid ""
+"The capitalized version of these names are used as domain names when "
+"returning the fully qualified name of a Well-Known SID."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:295
+msgid ""
+"Since some utilities allow to modify SID based access control information "
+"with the help of a name instead of using the SID directly SSSD supports to "
+"look up the SID by the name as well. To avoid collisions only the fully "
+"qualified names can be used to look up Well-Known SIDs. As a result the "
+"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
+"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
+"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
+"names in <filename>sssd.conf</filename>."
+msgstr ""
+
+#. 
type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-?</option>,<option>--help</option>"
+msgstr "<option>-?</option>,<option>--help</option>"
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7 include/param_help_py.xml:7
+msgid "Display help message and exit."
+msgstr "Affiche l'aide et quitte."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help_py.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr "<option>-h</option>,<option>--help</option>"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
+msgid ""
+"SSSD supports two representations for specifying the debug level. The "
+"simplest is to specify a decimal value from 0-9, which represents enabling "
+"that level and all lower-level debug messages. The more comprehensive option "
+"is to specify a hexadecimal bitmask to enable or disable specific levels "
+"(such as if you wish to suppress a level)."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:10
+msgid ""
+"Please note that each SSSD service logs into its own log file. Also please "
+"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> "
+"section only enables debugging just for the sssd process itself, not for the "
+"responder or provider processes. The <quote>debug_level</quote> parameter "
+"should be added to all sections that you wish to produce debug logs from."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:18
+msgid ""
+"In addition to changing the log level in the config file using the "
+"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD "
+"restart, it is also possible to change the debug level on the fly using the "
+"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry> tool."
+msgstr ""
+
+#. 
type: Content of: <listitem><para>
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
+msgid "Currently supported debug levels:"
+msgstr "Niveaux de débogage actuellement pris en charge :"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
+msgid ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
+"Anything that would prevent SSSD from starting up or causes it to cease "
+"running."
+msgstr ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis> : défaillances fatales. "
+"Tout ce qui empêcherait SSSD de démarrer ou provoquerait son arrêt."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+msgid ""
+"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
+msgid ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
+"error announcing that a particular request or operation has failed."
+msgstr ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis> : défaillances graves. "
+"Une erreur qui annonce qu'une requête particulière ou une opération a échoué."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
+msgid ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
+"are the errors that would percolate down to cause the operation failure of 2."
+msgstr ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis> : erreurs mineures. Ce "
+"sont les erreurs qui seraient susceptibles d'empirer pour provoquer l'erreur "
+"en 2."
+
+#. 
type: Content of: <listitem><para>
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
+msgid ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
+msgstr ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis> : paramètres de "
+"configuration."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
+msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
+msgstr ""
+"<emphasis>5</emphasis>, <emphasis>0x0200</emphasis> : données de "
+"fonctionnement."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
+msgid ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
+"operation functions."
+msgstr ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis> : traçage des fonctions "
+"opérationnelles."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
+msgid ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
+"internal control functions."
+msgstr ""
+"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis> : traçage des fonctions "
+"de contrôles internes."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
+msgid ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
+"internal variables that may be interesting."
+msgstr ""
+"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis> : contenu des variables "
+"internes de fonctions pouvent être intéressantes."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
+msgid ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
+"tracing information."
+msgstr ""
+"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis> : informations de "
+"traçage de bas niveau."
+
+#. 
type: Content of: <listitem><para>
+#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
+msgid ""
+"To log required bitmask debug levels, simply add their numbers together as "
+"shown in following examples:"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
+"serious failures and function data use 0x0270."
+msgstr ""
+"<emphasis>Exemple</emphasis> : pour suivre erreurs fatales, critiques, "
+"graves et les données de fonction, utiliser 0x0270."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
+msgid ""
+"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
+"function data, trace messages for internal control functions use 0x1310."
+msgstr ""
+"<emphasis>Exemple</emphasis> : pour consigner les erreurs fatales, les "
+"paramètres de configuration, les données de fonction, les messages de trace "
+"pour les fonctions de contrôle interne, utiliser 0x1310."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
+msgid ""
+"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
+"in 1.7.0."
+msgstr ""
+"<emphasis>Note</emphasis> : le format des niveaux de débogage a été "
+"introduit dans la version 1.7.0."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
+msgid "<emphasis>Default</emphasis>: 0"
+msgstr "<emphasis>Par défaut</emphasis> : 0"
+
+#. type: Content of: outside any tag (error?)
+#: include/experimental.xml:1
+msgid ""
+"<emphasis> This is an experimental feature, please use https://pagure.io/"
+"SSSD/sssd/ to report any issues. </emphasis>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/local.xml:2
+msgid "THE LOCAL DOMAIN"
+msgstr "LE DOMAINE LOCAL"
+
+#. 
type: Content of: <refsect1><para>
+#: include/local.xml:4
+msgid ""
+"In order to function correctly, a domain with <quote>id_provider=local</"
+"quote> must be created and the SSSD must be running."
+msgstr ""
+"Pour fonctionner correctement, un domaine avec <quote>id_provider = local</"
+"quote> doit être créé et SSSD doit s'exécuter."
+
+#. type: Content of: <refsect1><para>
+#: include/local.xml:9
+msgid ""
+"The administrator might want to use the SSSD local users instead of "
+"traditional UNIX users in cases where the group nesting (see <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>) is needed. The local users are also useful for testing and "
+"development of the SSSD without having to deploy a full remote server. The "
+"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
+"local LDB storage to store users and groups."
+msgstr ""
+"L'administrateur peut vouloir utiliser les utilisateurs locaux SSSD au lieu "
+"des utilisateurs UNIX traditionnels dans les cas où l'imbrication de groupes "
+"(cf. <citerefentry><refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry>) est nécessaire. Les utilisateurs locaux sont "
+"également utiles pour les tests et le développement de SSSD sans avoir à "
+"déployer un serveur distant complet. Les outils <command>sss_user *</"
+"command> et <command>sss_group *</command> utilisent alors un stockage local "
+"de type LDB pour les utilisateurs et les groupes."
+
+#. 
type: Content of: <refsect1><para>
+#: include/seealso.xml:4
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
+"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-"
+"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, "
+"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</"
+"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
+"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> "
+"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> "
+"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> </phrase>"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:3
+msgid ""
+"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
+"for this attribute type."
+msgstr ""
+"Un DN de base facultatif, une étendue de recherche et un filtre LDAP afin de "
+"restreindre les recherches LDAP pour ce type d'attribut."
+
+#. type: Content of: <listitem><para><programlisting>
+#: include/ldap_search_bases.xml:9
+#, no-wrap
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+
+#. 
type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:7
+msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "syntaxe : <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:13
+msgid ""
+"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope "
+"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/"
+"rfc4511"
+msgstr ""
+"La portée peut être l'une des « base », « onelevel » ou « subtree ». Les "
+"fonctions de portée sont spécifiées dans la section 4.5.1.2 de http://tools."
+"ietf.org/html/rfc4511"
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:23
+msgid ""
+"For examples of this syntax, please refer to the <quote>ldap_search_base</"
+"quote> examples section."
+msgstr ""
+"Pour obtenir des exemples de cette syntaxe, reportez-vous à la section "
+"d'exemples <quote>ldap_search_base</quote>."
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:31
+msgid ""
+"Please note that specifying scope or filter is not supported for searches "
+"against an Active Directory Server that might yield a large number of "
+"results and trigger the Range Retrieval extension in the response."
+msgstr ""
+"Noter que la spécification de portée ou de filtre n'est pas prise en charge "
+"pour les recherches sur un serveur Active Directory qui serait susceptible "
+"de produire un grand nombre de résultats et de déclencher l'extension Range "
+"Retrieval dans sa réponse."
+
+#. type: Content of: <para>
+#: include/autofs_restart.xml:2
+msgid ""
+"Please note that the automounter only reads the master map on startup, so if "
+"any autofs-related changes are made to the sssd.conf, you typically also "
+"need to restart the automounter daemon after restarting the SSSD."
+msgstr ""
+"Veuillez noter que l'automounter ne lit que la carte maîtresse au démarrage. 
"
+"Ainsi, si des modifications liées à autofs sont apportées à sssd.conf, vous "
+"devrez généralement redémarrer le démon automounter après le redémarrage de "
+"SSSD"
+
+#. type: Content of: <varlistentry><term>
+#: include/override_homedir.xml:2
+msgid "override_homedir (string)"
+msgstr "override_homedir (chaîne)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:16
+msgid "UID number"
+msgstr "numéro d'UID"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:20
+msgid "domain name"
+msgstr "nom de domaine"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:23
+msgid "%f"
+msgstr "%f"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:24
+msgid "fully qualified user name (user@domain)"
+msgstr "nom d'utilisateur pleinement qualifié (utilisateur@domaine)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:27
+msgid "%l"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:28
+msgid "The first letter of the login name."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:32
+msgid "UPN - User Principal Name (name@REALM)"
+msgstr ""
+"UPN - Nom de principal d'utilisateur (User principal name, nom@ROYAUME)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:35
+msgid "%o"
+msgstr "%o"
+
+#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:37
+msgid "The original home directory retrieved from the identity provider."
+msgstr ""
+"Le répertoire utilisateur original provenant du fournisseur d'identité."
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:42
+msgid "%H"
+msgstr "%H"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:44
+msgid "The value of configure option <emphasis>homedir_substring</emphasis>."
+msgstr ""
+"La valeur de l'option de configuration <emphasis>homedir_substring</"
+"emphasis>."
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:5
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Réécrit le répertoire personnel de l'utilisateur. Il est possible de fournir "
+"une valeur absolue ou un patron. Dans le cas d'un patron, les séquences "
+"suivantes sont substituées :<placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <varlistentry><listitem><para><programlisting>
+#: include/override_homedir.xml:61
+#, no-wrap
+msgid ""
+"override_homedir = /home/%u\n"
+" "
+msgstr ""
+"override_homedir = /home/%u\n"
+" "
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:65
+msgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
+msgstr "Par défaut : Indéfini (SSSD utilisera la valeur récupérée de LDAP)"
+
+#. type: Content of: <varlistentry><term>
+#: include/homedir_substring.xml:2
+msgid "homedir_substring (string)"
+msgstr "homedir_substring (chaîne)"
+
+#. 
type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:5
+msgid ""
+"The value of this option will be used in the expansion of the "
+"<emphasis>override_homedir</emphasis> option if the template contains the "
+"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly "
+"contain this template so that this option can be used to expand the home "
+"directory path for each client machine (or operating system). It can be set "
+"per-domain or globally in the [nss] section. A value specified in a domain "
+"section will override one set in the [nss] section."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:15
+msgid "Default: /home"
+msgstr "Par défaut : /home"
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. 
The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "PLEASE NOTE: the support for non-unique named subpatterns is not "
+#~ "available on all platforms (e.g. RHEL5 and SLES10). Only platforms with "
+#~ "libpcre version 7 or higher can support non-unique named subpatterns."
+#~ msgstr ""
+#~ "REMARQUE : la prise en charge de sous-motifs nommés multiples n'est pas "
+#~ "disponible sur certaines plates-formes (par exemple, RHEL5 et SLES10). 
"
+#~ "Seules les plates-formes avec libpcre version 7 ou supérieure peuvent "
+#~ "prendre en charge les sous-motifs nommés multiples."
+
+#~ msgid ""
+#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
+#~ "(?P<name>) to label subpatterns."
+#~ msgstr ""
+#~ "REMARQUE ADDITIONNELLE : les anciennes versions de libpcre ne supportent "
+#~ "que la syntaxe Python (?P<name>) pour nommer les sous-motifs."
diff --git a/src/man/po/ja.po b/src/man/po/ja.po
new file mode 100644
index 0000000..7de2b8d
--- /dev/null
+++ b/src/man/po/ja.po
@@ -0,0 +1,16668 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# Tadashi Jokagi <elf@poyo.jp>, 2012
+# Tomoyuki KATO <tomo@dream.daynight.jp>, 2012-2013
+# carrotsoft <www.carrotsoft@gmail.com>, 2012
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-14 11:59+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Japanese (http://www.transifex.com/projects/p/sssd/language/"
+"ja/)\n"
+"Language: ja\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "SSSD マニュアル ページ"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr "グループを変更します。"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr "概要"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+"<command>sss_groupmod</command> はコマンドラインにおいて指定された変更を反映"
+"するようグループを変更します。"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "オプション"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+"このグループを <replaceable>GROUPS</replaceable> パラメーターにより指定された"
+"グループに追加します。 <replaceable>GROUPS</replaceable> パラメーターはグルー"
+"プ名のカンマ区切り一覧です。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+"このグループを <replaceable>GROUPS</replaceable> パラメーターにより指定された"
+"グループから削除します。"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr "sssd.conf"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
+#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
+#: sssd-systemtap.5.xml:11
+msgid "5"
+msgstr "5"
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
+#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
+#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12
+msgid "File Formats and Conventions"
+msgstr "ファイル形式および変換"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr "SSSD の設定ファイル"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr "ファイルフォーマット"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"<replaceable>[section]</replaceable>\n"
+"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"ファイルは ini 形式の構文を持ち、セクションとパラメーターから構成されます。セ"
+"クションは角括弧にあるセクション名から始まり、次のセクションが始まるまで続き"
+"ます。 1 つセクションと複数の値を持つパラメーターの例: <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+"使用されるデータ形式は、文字列(引用符は不要)、整数および論理値"
+"(<quote>TRUE/FALSE</quote> の値)です。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>). Inline comments are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:47
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+"すべてのセクションはオプションの <replaceable>description</replaceable> パラ"
+"メーターを持てます。その機能はセクションのラベルとしてのみです。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:53
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+"<filename>sssd.conf</filename> は、root により所有され、root のみが読み書きで"
+"きる、通常のファイルである必要があります。"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:59
+msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:62
+msgid ""
+"The configuration file <filename>sssd.conf</filename> will include "
+"configuration snippets using the include directory <filename>conf.d</"
+"filename>. This feature is available if SSSD was compiled with libini "
+"version 1.3.0 or later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:69
+msgid ""
+"Any file placed in <filename>conf.d</filename> that ends in "
+"<quote><filename>.conf</filename></quote> and does not begin with a dot "
+"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
+"to configure SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:77
+msgid ""
+"The configuration snippets from <filename>conf.d</filename> have higher "
+"priority than <filename>sssd.conf</filename> and will override "
+"<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
+"present in <filename>conf.d</filename>, then they are included in "
+"alphabetical order (based on locale). Files included later have higher "
+"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, "
+"<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
+"(higher number means higher priority)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:91
+msgid ""
+"The snippet files require the same owner and permissions as <filename>sssd."
+"conf</filename>. Which are by default root:root and 0600."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:98
+msgid "GENERAL OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:100
+msgid "Following options are usable in more than one configuration sections."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:104
+msgid "Options usable in all sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:108
+msgid "debug_level (integer)"
+msgstr "debug_level (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:112
+msgid "debug (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:115
+msgid ""
+"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
+"for <replaceable>debug_level</replaceable> as a convenience feature. If both "
+"are specified, the value of <replaceable>debug_level</replaceable> will be "
+"used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:125
+msgid "debug_timestamps (bool)"
+msgstr "debug_timestamps (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:128
+msgid ""
+"Add a timestamp to the debug messages. If journald is enabled for SSSD "
+"debug logging this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851
+#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576
+#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227
+#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499
+#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+msgid "Default: true"
+msgstr "初期値: true"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:138
+msgid "debug_microseconds (bool)"
+msgstr "debug_microseconds (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:141
+msgid ""
+"Add microseconds to the timestamp in debug messages. If journald is enabled "
+"for SSSD debug logging this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708
+#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+#: sssd-krb5.5.xml:471
+msgid "Default: false"
+msgstr "初期値: false"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384
+#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr "<placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:155
+msgid "Options usable in SERVICE and DOMAIN sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:159
+msgid "timeout (integer)"
+msgstr "timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:162
+msgid ""
+"Timeout in seconds between heartbeats for this service. 
This is used to "
+"ensure that the process is alive and capable of answering requests. Note "
+"that after three missed heartbeats the process will terminate itself."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996
+#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264
+msgid "Default: 10"
+msgstr "初期値: 10"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:179
+msgid "SPECIAL SECTIONS"
+msgstr "特別セクション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:182
+msgid "The [sssd] section"
+msgstr "[sssd] セクション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085
+msgid "Section parameters"
+msgstr "セクションのパラメーター"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:193
+msgid "config_file_version (integer)"
+msgstr "config_file_version (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+"設定ファイルの構文が何であるカを指示します。SSSD 0.6.0 およびそれ以降はバー"
+"ジョン 2 を使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:202
+msgid "services"
+msgstr "services"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:205
+msgid ""
+"Comma separated list of services that are started when sssd itself starts. "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or D-Bus "
+"activated when needed.
</phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:214
+msgid ""
+"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
+"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
+"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
+"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:222
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\". </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:231 sssd.conf.5.xml:614
+msgid "reconnection_retries (integer)"
+msgstr "reconnection_retries (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:234 sssd.conf.5.xml:617
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+"データプロバイダーがクラッシュまたは再起動した場合、サービスが再接続をあきら"
+"める前に試行する回数です。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:239 sssd.conf.5.xml:622
+msgid "Default: 3"
+msgstr "初期値: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:244
+msgid "domains"
+msgstr "domains"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:247
+msgid ""
+"A domain is a database containing user information.
SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start. This parameter describes the list of domains in the order you want "
+"them to be queried. A domain name should only consist of alphanumeric ASCII "
+"characters, dashes, dots and underscores."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597
+msgid "re_expression (string)"
+msgstr "re_expression (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:262
+msgid ""
+"Default regular expression that describes how to parse the string containing "
+"user name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:267
+msgid ""
+"Each domain can have an individual regular expression configured. For some "
+"ID providers there are also default regular expressions. See DOMAIN SECTIONS "
+"for more info on these regular expressions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645
+msgid "full_name_format (string)"
+msgstr "full_name_format (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to compose a "
+"fully qualified name from user name and domain name components."
+msgstr ""
+"ユーザー名とドメイン名のコンポーネントから完全修飾名を表現する方法を表す "
+"<citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> 互換形式。"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659
+msgid "%1$s"
+msgstr "%1$s"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660
+msgid "user name"
+msgstr "ユーザー名"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663
+msgid "%2$s"
+msgstr "%2$s"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666
+msgid "domain name as specified in the SSSD config file."
+msgstr "SSSD 設定ファイルにおいて指定されるドメイン名。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672
+msgid "%3$s"
+msgstr "%3$s"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675
+msgid ""
+"domain flat name. Mostly usable for Active Directory domains, both directly "
+"configured or discovered via IPA trusts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656
+msgid ""
+"The following expansions are supported: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+"以下の拡張モジュールがサポートされます: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:316
+msgid ""
+"Each domain can have an individual format string configured. see DOMAIN "
+"SECTIONS for more info on this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:322
+msgid "try_inotify (boolean)"
+msgstr "try_inotify (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:325
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+"SSSD は、内部 DNS リゾルバーを更新する必要となるときを認識するために、resolv."
+"conf の状態を監視します。初期状態では、このために inotify を使用しようとしま"
+"す。inotify が使用できない場合 5 秒ごとに resolv.conf をポーリングするよう"
+"フォールバックします。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:333
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+"inotify を使用することをスキップすることが望ましい、いくつかの制限された状況"
+"があります。これらの珍しい場合では、このオプションが 'false' に設定されるべき"
+"です"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+"初期値: inotify がサポートされるプラットフォームにおいては真です。他のプラッ"
+"トフォームにおいては偽です。"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+"注: このオプションは inotify が利用不可能なプラットフォームにおいて効果があり"
+"ません。これらのプラットフォームにおいては、ポーリングが常に使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr "krb5_rcache_dir (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"SSSD が Kerberos リプレイキャッシュファイルを保存するファイルシステムのディレ"
+"クトリーです。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+"このオプションは、libkrb5 がリプレイキャッシュに対する適切な場所を決められる"
+"よう SSSD に指示する、特別な値 __LIBKRB5_DEFAULTS__ を受け付けます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+"初期値: ディストリビューション固有かつ構築時に指定されます。 (設定されていな"
+"ければ __LIBKRB5_DEFAULTS__ です)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr "default_domain_suffix (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in.
"
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr "初期値: 設定されません"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate.
URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e.
do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed.
The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD.
The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"SSSD の機能の各部分は SSSD と一緒に開始および停止される特別な SSSD サービスに"
+"より提供されます。特別なサービスにより管理されるサービスはよく<quote>モニター"
+"</quote>と呼ばれます。<quote>[sssd]</quote> セクションは、モニターだけでな"
+"く、識別ドメインのような他の重要なオプションを設定するために使用されます。 "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "サービスセクション"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+"異なるサービスを設定するために使用される設定がこのセクションに記述されます。"
+"それらは [<replaceable>$NAME</replaceable>] セクションに置かれます。たとえ"
+"ば、NSS サービスは <quote>[nss]</quote> セクションです"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "サービス設定の全体オプション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "これらのオプションはすべてのサービスを設定するために使用できます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr "fd_limit"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process.
On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr "client_idle_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr "初期値: 60"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "初期値: 300"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr "NSS 設定オプション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+"これらのオプションは Name Service Switch (NSS) サービスを設定するために使用で"
+"きます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr "enum_cache_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+"nss_sss が列挙をキャッシュする秒数です(すべてのユーザーに関する情報に対する"
+"要求)。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "初期値: 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr "entry_cache_nowait_percentage (整数)"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+"エントリーキャッシュは、ドメインに対して entry_cache_timeout の値を超えて要求"
+"された場合に、バックグラウンドでエントリーを自動的に更新するよう設定できま"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+"たとえば、ドメインの entry_cache_timeout が 30s に設定され、"
+"entry_cache_nowait_percentage が 50 (%) に設定されていると、エントリーが 15 "
+"秒経過後にきて、最新の更新キャッシュが直ちに返されます。しかし、SSSD が自身に"
+"キャッシュされ、更新されます。そのため、その先の要求はキャッシュ更新を待つこ"
+"とをブロックする必要がありません。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+"このオプションに対して有効な値は 0-99 です。各ドメインに対する "
+"entry_cache_timeout のパーセンテージを表します。性能上の理由から、このパーセ"
+"ンテージは 10 秒よりも小さく nowait タイムアウトを減らすべきではありません。"
+"(0 はこの機能を無効にします)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "初期値: 50"
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"nss_sss が再びバックエンドに問い合わせる前にネガティブキャッシュヒット(つま"
+"り、存在しないドメインのように、無効なデータベースエントリーに対する問い合わ"
+"せ)をキャッシュする秒数を指定します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr "初期値: 15"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 86400 (24 hours)"
+msgid "Default: 14400 (4 hours)"
+msgstr "初期値: 86400 (24 時間)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr "filter_users, filter_groups (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr "初期値: root"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr "filter_users_in_groups (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+"フィルターされたユーザーがまだグループメンバーのままにしたいならば、このオプ"
+"ションを偽に設定します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr "fallback_homedir (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+"ドメインのデータプロバイダーにより明示的に指定されていない場合に、ユーザーの"
+"ホームディレクトリーの標準テンプレートを設定します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+"このオプションに対して利用可能なオプションは override_homedir に対するものと"
+"同じです。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+"fallback_homedir = /home/%u\n"
+" "
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "例: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr "初期値: 設定なし (ホームディレクトリーの設定がない場合は代替なし)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr "override_shell (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr "初期値: 設定なし (SSSD は LDAP から取得された値を使用します)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr "allowed_shells (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+"ユーザーのシェルを一覧にある値のどれかに制限します。評価の順番は次のとおりで"
+"す:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+"1. シェルが <quote>/etc/shells</quote> に存在すると、それが使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+"2. シェルが allowed_shells 一覧にあるが、<quote>/etc/shells</quote> になけれ"
+"ば、shell_fallback パラメーターの値を使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+"3. シェルが allowed_shells 一覧になく、<quote>/etc/shells</quote> にもなけれ"
+"ば、nologin シェルが使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr "シェルの空文字列は libc にそのまま渡されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+"<quote>/etc/shells</quote> は SSSD が開始されるときにのみ読み込まれます。これ"
+"は新しいシェルがインストールされた場合 SSSD の再起動が必要になることを意味し"
+"ます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr "初期値: 設定されません。ユーザーシェルが自動的に使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr "vetoed_shells (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr "これらのシェルのインスタンスをすべて shell_fallback に置き換えます"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr "shell_fallback (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+"許可されたシェルがマシンにインストールされていない場合に使用する標準シェルで"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr "初期値: /bin/sh"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr "default_shell"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr "get_domains_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr "memcache_timeout (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr "このオプションはドメインごとに設定できます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr "PAM 設定オプション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+"これらのオプションは Pluggable Authentication Module (PAM) サービスを設定する"
+"ために使用できます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr "offline_credentials_expiration (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+"認証プロバイダーがオフラインの場合に、キャッシュログインを許可する時間(オン"
+"ラインログインの最終成功からの日数)です。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr "初期値: 0 (無制限)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr "offline_failed_login_attempts (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+"認証プロバイダーがオフラインの場合、ログイン試行の失敗が許容される回数です。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr "offline_failed_login_delay (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+"新しいログイン試行が可能になる前に offline_failed_login_attempts に達した後に"
+"渡される分単位の時間です。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+"0 に設定されていると、offline_failed_login_attempts に達した場合、ユーザーが"
+"オフライン認証できません。オンライン認証に成功すると、再びオフライン認証を有"
+"効にできます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr "初期値: 5"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr "pam_verbosity (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+"認証中にユーザーに表示されるメッセージの種類を制御します。数字が大きければ大"
+"きいほどメッセージが表示されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr "現在 sssd は以下の値をサポートします:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr "<emphasis>0</emphasis>: 何もメッセージを表示しない"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr "<emphasis>1</emphasis>: 重要なメッセージのみを表示する"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr "<emphasis>2</emphasis>: 情報レベルのメッセージを表示する"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr "<emphasis>3</emphasis>: すべてのメッセージとデバッグ情報を表示する"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr "初期値: 1"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr "pam_id_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+"SSSD がオンラインの間はすべての PAM 要求に対して、ユーザーが最新の情報で認証"
+"されるよう、SSSD は直ちにキャッシュされた識別情報を更新しようとします。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+"完全な PAM のやりとりは、アカウント管理やセッション開始のように、複数の PAM "
+"要求を実行できます。このオプションは、識別プロバイダーに対する過剰なラウンド"
+"トリップを避けるために識別情報をキャッシュできる時間(秒数)を(クライアント"
+"アプリケーションごとに)制御します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr "pam_pwd_expiration_warning (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr "パスワードの期限が切れる前に N 日間警告を表示します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+"バックエンドのサーバーがパスワードの有効期間に関する情報を提供する必要がある"
+"ことに注意してください。この情報がなければ、sssd は警告を表示します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr "初期値: 0"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr "初期値: none"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr "初期値: 偽"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "初期値: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr "SUDO 設定オプション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr "sudo_timed (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+"時間依存の sudoers エントリーを実装する sudoNotBefore と sudoNotAfter の属性"
+"を評価するかしないかです。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr "Autofs 設定オプション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr "これらのオプションが autofs サービスを設定するために使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr "autofs_negative_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"autofs レスポンダーのネガティブキャッシュ(つまり、存在しないもののように、無"
+"効なマップエントリーに対する問い合わせ)が再びバックエンドに問い合わせる前に"
+"ヒットする秒数を指定します。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr "SSH 設定オプション"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr "これらのオプションは SSH サービスを設定するために使用されます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr "ssh_hash_known_hosts (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr "ssh_known_hosts_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr "初期値: 180"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+#, fuzzy
+#| msgid ""
+#| "The skeleton directory, which contains files and directories to be copied "
+#| "in the user's home directory, when the home directory is created by "
+#| "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+#| "manvolnum> </citerefentry>"
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. 
See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+"ホームディレクトリーが <citerefentry> <refentrytitle>sss_useradd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> により作成されると"
+"き、ユーザーのホームディレクトリーにコピーされるファイルおよびディレクトリー"
+"を含む、スケルトンディレクトリーです。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr "allowed_uids (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr "ドメインセクション"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. 
Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr "min_id,max_id (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+"ドメインに対する UID と GID の制限です。ドメインがこれらの制限の外にあるエン"
+"トリーを含む場合、それは無視されます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+"ユーザーに対して、これはプライマリー GID 制限に影響します。 UID またはプライ"
+"マリー GID が範囲外ならば、ユーザーは NSS に返されません。非プライマリーメン"
+"バーに対して、範囲内にあるものは予期されたものとして報告されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr "初期値: min_id は 1, max_id は 0 (無制限)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr "enumerate (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr "TRUE = ユーザーとグループが列挙されます"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr "FALSE = このドメインに対して列挙しません"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "初期値: FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+"最初の列挙が実行中の間、完全なユーザーまたはグループの一覧に対する要求は、そ"
+"れが完了するまで結果を返しません。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+"さらに、列挙を有効にすることにより、挙の検索が確実に正しく完了するよりも長く"
+"する必要があるので、ネットワーク切断を検知するために必要な時間が増える可能性"
+"があります。詳細は使用している具体的な id_provider のマニュアルページを参照し"
+"てください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr "entry_cache_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+"nss_sss が再びバックエンドに問い合わせる前にエントリーを有効であると考える秒"
+"数です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "初期値: 5400"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr "entry_cache_user_timeout (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+"nss_sss が再びバックエンドに問い合わせる前にユーザーエントリーを有効であると"
+"考える秒数です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr "初期値: entry_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr "entry_cache_group_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+"nss_sss が再びバックエンドに問い合わせる前にグループエントリーを有効であると"
+"考える秒数です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr "entry_cache_netgroup_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+"nss_sss が再びバックエンドに問い合わせる前にネットワークグループエントリーを"
+"有効であると考える秒数です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr "entry_cache_service_timeout (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+"nss_sss が再びバックエンドに問い合わせる前にサービスエントリーを有効であると"
+"考える秒数です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr "entry_cache_sudo_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr "entry_cache_autofs_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr "refresh_expired_interval (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr "初期値: 0 (無効)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr "cache_credentials (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+"ユーザーのクレディンシャルがローカル LDB キャッシュにキャッシュされるかどうか"
+"を決めます"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+"ユーザーのクレディンシャルが、平文ではなく SHA512 ハッシュで保存されます"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr "account_cache_expiration (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+"正常にログイン後、キャッシュのクリーンアップ中にエントリーが削除される前の日"
+"数です。 0 は永久に保持することを意味します。このパラメーターの値は "
+"offline_credentials_expiration と同等以上でなければいけません。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "初期値: 0 (無制限)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr "pwd_expiration_warning (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr "初期値: 7 (Kerberos), 0 (LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr "id_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+"ドメインに対して使用される識別子プロバイダーです。サポートされる ID プロバイ"
+"ダーは次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+#, fuzzy
+#| msgid "<quote>proxy</quote>: Support a legacy NSS provider"
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr "<quote>proxy</quote>: レガシーな NSS プロバイダーのサポート"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+#, fuzzy
+#| msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr "<quote>local</quote>: ローカルユーザー向け SSSD 内部プロバイダー"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+#, fuzzy
+#| msgid ""
+#| "<quote>ldap</quote>: LDAP provider. 
See <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> for more information on configuring LDAP."
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+"<quote>ldap</quote>: LDAP プロバイダー。LDAP の設定に関する詳細は "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote>: LDAP プロバイダー。LDAP の設定に関する詳細は "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+"<quote>ipa</quote>: FreeIPA および Red Hat Enterprise Identity Management プ"
+"ロバイダー。FreeIPA の設定に関する詳細は <citerefentry> <refentrytitle>sssd-"
+"ipa</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してくださ"
+"い。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+"<quote>ad</quote>: Active Directory プロバイダー。Active Directory の設定に関"
+"する詳細は <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr "use_fully_qualified_names (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+"NSS に報告するユーザーのログイン名としてフルネームとドメイン (ドメインの完全"
+"名形式により整形されたように) を使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+"TRUE に設定されていると、このドメインへのすべての要求は完全修飾名を使用する必"
+"要があります。たとえば、 \"test\" ユーザーを含む LOCAL ドメインにおいて使用さ"
+"れていると、<command>getent passwd test</command> はユーザーを見つけられませ"
+"んが、<command>getent passwd test@LOCAL</command> は見つけられます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr "ignore_group_members (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+"ドメインに対して使用される認証プロバイダーです。サポートされる認証プロバイ"
+"ダーは次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> は本来の LDAP 認証向けです。LDAP の設定に関する詳細は "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> は Kerberos 認証向けです。Kerberos の設定に関する詳細は "
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> はいくつかの他の PAM ターゲットに認証を中継します。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr "<quote>local</quote>: ローカルユーザー向け SSSD 内部プロバイダー"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr "<quote>none</quote> は明示的に認証を無効化します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+"初期値: <quote>id_provider</quote> が設定され、認証要求を取り扱うことができる"
+"ならば、それが使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr "access_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+"ドメインに対して使用されるアクセス制御プロバイダーです。 2 つの組み込みアクセ"
+"スプロバイダーがあります(インストールされたバックエンドに含まれるすべてを加"
+"えます)。内部の特別プロバイダーは次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+"<quote>permit</quote> は常にアクセスを許可します。ローカルドメインに対するプ"
+"ロバイダーのみアクセスが許可されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr "<quote>deny</quote> は常にアクセスを拒否します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+"<quote>simple</quote> アクセス制御はアクセスまたは拒否の一覧に基づきます。"
+"simple アクセスモジュールの設定に関する詳細は <citerefentry> "
+"<refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr "初期値: <quote>permit</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr "chpass_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+"ドメインに対するパスワード変更操作を取り扱うプロバイダーです。サポートされる"
+"パスワード変更プロバイダーは次のとおりです:"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> は Kerberos のパスワードを変更します。 Kerberos の設定に"
+"関する詳細は <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+"<quote>proxy</quote> はいくつかの他の PAM ターゲットにパスワードの変更を中継"
+"します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr "<quote>none</quote> は明示的にパスワードの変更を無効化します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+"初期値: <quote>auth_provider</quote> が設定され、パスワードの変更要求を取り扱"
+"うことができるならば、それが使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr "sudo_provider (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+"ドメインに使用される SUDO プロバイダーです。サポートされる SUDO プロバイダー"
+"は次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> は LDAP に保存されているルールのためです。LDAP の設定に関"
+"する詳細は <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> を参照します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr "<quote>none</quote> は SUDO を明示的に無効化します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+"初期値: <quote>id_provider</quote> の値が設定されていると使用されます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr "selinux_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr "subdomains_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr "<quote>none</quote> はサブドメインの取り出しを明示的に無効化します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr "autofs_provider (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. 
Supported autofs providers are:"
+msgstr ""
+"ドメインに対して使用される autofs プロバイダーです。 サポートされる autofs "
+"プロバイダーは次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> は LDAP に保存されているマップを読み込みます。LDAP の設定"
+"に関する詳細は <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> は IPA サーバーに保存されているマップを読み込みます。IPA "
+"の設定に関する詳細は <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr "<quote>none</quote> は明示的に autofs を無効にします。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr "hostid_provider (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+"ホスト識別情報を取得するために使用されるプロバイダーです。 サポートされる "
+"hostid プロバイダーは次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+"<quote>ipa</quote> は IPA サーバーに保存されているホスト識別子を読み込みま"
+"す。IPA の設定に関する詳細は <citerefentry> <refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr "<quote>none</quote> は明示的に hostid を無効にします。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr "username"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr "username@domain.name"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr "domain\\username"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+"初期値: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> で"
+"す。\"the name is everything up to the <quote>@</quote> sign, the domain "
+"everything after that\" に解釈されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "初期値: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr "lookup_family_order (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+"DNS 検索を実行するときに使用する、優先アドレスファミリーを選択する機能を提供"
+"します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "サポートする値:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+"ipv4_first: IPv4 アドレスの検索を試行します。失敗すると IPv6 を試行します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+"ipv4_only: ホスト名を IPv4 アドレスに名前解決することのみを試行します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+"ipv6_first: IPv6 アドレスの検索を試行します。失敗すると IPv4 を試行します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+"ipv6_only: ホスト名を IPv6 アドレスに名前解決することのみを試行します。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr "初期値: ipv4_first"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr "dns_resolver_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "初期値: 6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr "dns_discovery_domain (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+"サービス検索がバックエンドで使用されていると、サービス検索 DNS クエリーのドメ"
+"イン部分を指定します。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "初期値: マシンのホスト名のドメイン部分を使用します" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "override_gid (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "プライマリー GID の値を指定されたもので上書きします。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "subdomain_homedir (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "%F" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "サブドメインのフラット (NetBIOS) 名。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" +"値は <emphasis>override_homedir</emphasis> オプションにより上書きできます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "初期値: <filename>/home/%d/%u</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "realmd_tags (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"これらの設定オプションはドメイン設定のセクション、つまり <quote>[domain/" +"<replaceable>NAME</replaceable>]</quote> に存在します <placeholder type=" +"\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "proxy_pam_target (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "中継するプロキシターゲット PAM です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" +"初期値: 設定されません。既存の PAM 設定を使用するか、新しく作成してサービス名" +"をここに追加する必要があります。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "proxy_lib_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" +"プロキシードメインにおいて使用する NSS ライブラリーの名前です。ライブラリーに" +"おいて検索する NSS 関数は _nss_$(libName)_$(function) の形式です。たとえば " +"_nss_files_getpwent です。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "proxy_fast_alias (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" +"プロキシドメインに対して有効なオプションです。 <placeholder type=" +"\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. 
However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. 
In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "ローカルドメインのセクション" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" +"このセクションは、ユーザーとグループを SSSD ネイティブデータベースに保存する" +"ドメイン、つまり、 <replaceable>id_provider=local</replaceable> を使用するド" +"メインに対する設定を含みます。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "default_shell (文字列)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "SSSD ユーザー空間ツールを用いて作成されたユーザーの初期シェルです。" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "初期値: <filename>/bin/bash</filename>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "base_directory (文字列)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" +"ツールがログイン名を <replaceable>base_directory</replaceable> に追加して、" +"ホームディレクトリーとして使用します。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "初期値: <filename>/home</filename>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "create_homedir (論理値)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" +"初期状態で新規ユーザーに対するホームディレクトリーが作成されるかを指示しま" +"す。コマンドラインにおいて上書きできます。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "初期値: TRUE" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "remove_homedir (論理値)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" +"初期状態で新規ユーザーに対するホームディレクトリーが削除されるかを指示しま" +"す。コマンドラインにおいて上書きできます。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "homedir_umask (整数)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" +"新規に作成されるホームディレクトリーにパーミッションの初期値を指定するために " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> により使用されます。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "初期値: 077" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "skel_dir (文字列)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" +"ホームディレクトリーが <citerefentry> <refentrytitle>sss_useradd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> により作成されると" +"き、ユーザーのホームディレクトリーにコピーされるファイルおよびディレクトリー" +"を含む、スケルトンディレクトリーです。" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "初期値: <filename>/etc/skel</filename>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "mail_dir (文字列)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" +"メールスプールディレクトリーです。これに対応するユーザーアカウントが変更また" +"は削除されたとき、これを操作する必要があります。指定されていなければ、初期値" +"が使用されます。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "初期値: <filename>/var/mail</filename>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "userdel_cmd (文字列)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" +"ユーザーの削除後に実行されるコマンドです。コマンドは最初の唯一のパラメーター" +"として削除されるユーザーのユーザー名を渡します。コマンドの返り値は考慮されま" +"せん。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "初期値: なし、コマンドを実行しません" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" +"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> 向けの LDAP ドメインの設定を説明して" +"います。詳細な構文については <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの " +"<quote>ファイル形式</quote> セクションを参照してください。" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "SSSD が複数の LDAP ドメインを使用するよう設定できます。" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" +"LDAP バックエンドは id, auth, access および chpass プロバイダーをサポートしま" +"す。 LDAP サーバーに対して認証したければ、 TLS/SSL または LDAPS のどちらかが" +"必要になります。 <command>sssd</command> は暗号化されないチャネルにおける認証" +"はサポート<emphasis>されません</emphasis>。 LDAP サーバーが識別プロバイダーと" +"してのみ使用されるならば、暗号化チャネルは必要ありません。アクセスプロバイ" +"ダーとして LDAP を使用することの詳細は <quote>ldap_access_filter</quote> 設定" +"オプションを参照してください。" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "設定オプション" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "ldap_uri, ldap_backup_uri (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "URI の形式は RFC 2732 に決められている形式と一致しなければいけません:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "ldap[s]://<host>[:port]" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" +"IPv6 アドレスを明示するために、<host> を角括弧 [] でくくる必要がありま" +"す。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "例: ldap://[fc00::126:25]:389" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" +"サービス discovery ldap_chpass_dns_service_name を有効にするには、設定する必" +"要があります。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr "初期値: 空、つまり ldap_uri が使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr "ldap_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr "LDAP ユーザー操作を実行するために使用される初期ベース DN です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+"SSSD 1.7.0 以降、SSSD は次の構文を使用して複数の検索ベースをサポートします:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr "範囲は \"base\", \"onelevel\" または \"subtree\" のどれかです。"
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+"フィルターは http://www.ietf.org/rfc/rfc2254.txt により指定されたような有効"
+"な LDAP 検索フィルターである必要があります。"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "例:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr "ldap_schema (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr "rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr "rfc2307bis"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr "IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr "AD"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. With rfc2307, group members are listed by name in "
+"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
+"group members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute. 
The AD schema type sets the attributes to correspond with Active "
+"Directory 2008r2 values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:203
+msgid "Default: rfc2307"
+msgstr "初期値: rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:209
+msgid "ldap_default_bind_dn (string)"
+msgstr "ldap_default_bind_dn (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:212
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr "LDAP ユーザー操作を実行するために使用される初期バインド DN です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:219
+msgid "ldap_default_authtok_type (string)"
+msgstr "ldap_default_authtok_type (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:222
+msgid "The type of the authentication token of the default bind DN."
+msgstr "初期バインド DN の認証トークンの形式です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:226
+msgid "The two mechanisms currently supported are:"
+msgstr "現在 2 つのメカニズムがサポートされます:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:229
+msgid "password"
+msgstr "password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:232
+msgid "obfuscated_password"
+msgstr "obfuscated_password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:235
+msgid "Default: password"
+msgstr "初期値: password"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:241
+msgid "ldap_default_authtok (string)"
+msgstr "ldap_default_authtok (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:244
+msgid ""
+"The authentication token of the default bind DN. Only clear text passwords "
+"are currently supported."
+msgstr ""
+"デフォルトのバインド DN の認証トークンです。平文テキストのパスワードのみが現"
+"在サポートされます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:251
+msgid "ldap_user_object_class (string)"
+msgstr "ldap_user_object_class (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "The object class of a user entry in LDAP."
+msgstr "LDAP にあるユーザーエントリーのオブジェクトクラスです。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:257
+msgid "Default: posixAccount"
+msgstr "初期値: posixAccount"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:263
+msgid "ldap_user_name (string)"
+msgstr "ldap_user_name (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:266
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr "ユーザーのログイン名に対応する LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:270
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:277
+msgid "ldap_user_uid_number (string)"
+msgstr "ldap_user_uid_number (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr "ユーザーの ID に対応する LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:284
+msgid "Default: uidNumber"
+msgstr "初期値: uidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:290
+msgid "ldap_user_gid_number (string)"
+msgstr "ldap_user_gid_number (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr "ユーザーのプライマリーグループ ID に対応する LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929
+msgid "Default: gidNumber"
+msgstr "初期値: gidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
+msgid "ldap_user_gecos (string)"
+msgstr "ldap_user_gecos (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:321
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr "ユーザーの gecos 項目に対応する LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: gecos"
+msgstr "初期値: gecos"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_home_directory (string)"
+msgstr "ldap_user_home_directory (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr "ユーザーのホームディレクトリーの名前を含む LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:338
+msgid "Default: homeDirectory"
+msgstr "初期値: homeDirectory"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:344
+msgid "ldap_user_shell (string)"
+msgstr "ldap_user_shell (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:347
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr "ユーザーの初期シェルのパスを含む LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:351
+msgid "Default: loginShell"
+msgstr "初期値: loginShell"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:357
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:360
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955
+msgid ""
+"Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
+"IPA"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:371
+msgid "ldap_user_objectsid (string)"
+msgstr "ldap_user_objectsid (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:374
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP user object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"LDAP ユーザーオブジェクトの objectSID を含む LDAP 属性です。これは通常 "
+"ActiveDirectory サーバーに対してのみ必要です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970
+msgid "Default: objectSid for ActiveDirectory, not set for other servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_modify_timestamp (string)"
+msgstr "ldap_user_modify_timestamp (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr "親オブジェクトの最終変更のタイムスタンプを含む LDAP 属性です。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210
+msgid "Default: modifyTimestamp"
+msgstr "初期値: modifyTimestamp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:399
+msgid "ldap_user_shadow_last_change (string)"
+msgstr "ldap_user_shadow_last_change (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:402
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> の対応部分(最終パスワード変更日)に対応する LDAP 属性の名前を"
+"含みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:412
+msgid "Default: shadowLastChange"
+msgstr "初期値: shadowLastChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:418
+msgid "ldap_user_shadow_min (string)"
+msgstr "ldap_user_shadow_min (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:421
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> の対応部分(最小パスワード期限)に対応する LDAP 属性の名前を含"
+"みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:430
+msgid "Default: shadowMin"
+msgstr "初期値: shadowMin"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:436
+msgid "ldap_user_shadow_max (string)"
+msgstr "ldap_user_shadow_max (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:439
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> の対応部分(最大パスワード期限)に対応する LDAP 属性の名前を含"
+"みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: shadowMax"
+msgstr "初期値: shadowMax"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_shadow_warning (string)"
+msgstr "ldap_user_shadow_warning (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> の対応部分(パスワード警告期間)に対応する LDAP 属性の名前を含"
+"みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:467
+msgid "Default: shadowWarning"
+msgstr "初期値: shadowWarning"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:473
+msgid "ldap_user_shadow_inactive (string)"
+msgstr "ldap_user_shadow_inactive (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> の対応部分(パスワード無効期間)に対応する LDAP 属性の名前を含"
+"みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:486
+msgid "Default: shadowInactive"
+msgstr "初期値: shadowInactive"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:492
+msgid "ldap_user_shadow_expire (string)"
+msgstr "ldap_user_shadow_expire (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:495
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+"ldap_pwd_policy=shadow を使用するとき、このパラメーターは <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> の対応部分(アカウント失効日)に対応する LDAP 属性の名前を含み"
+"ます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:505
+msgid "Default: shadowExpire"
+msgstr "初期値: shadowExpire"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:511
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr "ldap_user_krb_last_pwd_change (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:514
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+"ldap_pwd_policy=mit_kerberos を使用しているとき、このパラメーターは Kerberos "
+"の最終パスワード変更日時を保存する LDAP 属性の名前を含みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:520
+msgid "Default: krbLastPwdChange"
+msgstr "初期値: krbLastPwdChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:526
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr "ldap_user_krb_password_expiration (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:529
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+"ldap_pwd_policy=mit_kerberos を使用しているとき、このパラメーターは現在のパス"
+"ワード失効日時を保存する LDAP 属性の名前を含みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:535
+msgid "Default: krbPasswordExpiration"
+msgstr "初期値: krbPasswordExpiration"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:541
+msgid "ldap_user_ad_account_expires (string)"
+msgstr "ldap_user_ad_account_expires (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:544
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+"ldap_account_expire_policy=ad を使用するとき、このパラメーターはアカウントの"
+"失効日時を保存する LDAP 属性の名前を含みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:549
+msgid "Default: accountExpires"
+msgstr "初期値: accountExpires"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:555
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr "ldap_user_ad_user_account_control (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:558
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+"ldap_account_expire_policy=ad を使用するとき、このパラメーターはユーザーアカ"
+"ウントの制御ビット項目を保存する LDAP 属性の名前を含みます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:563
+msgid "Default: userAccountControl"
+msgstr "初期値: userAccountControl"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:569
+msgid "ldap_ns_account_lock (string)"
+msgstr "ldap_ns_account_lock (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:572
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+"ldap_account_expire_policy=rhds または同等のものを使用するとき、このパラメー"
+"ターがアクセスが許可されるかされないかを決定します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:577
+msgid "Default: nsAccountLock"
+msgstr "初期値: nsAccountLock"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:583
+msgid "ldap_user_nds_login_disabled (string)"
+msgstr "ldap_user_nds_login_disabled (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:586
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines if "
+"access is allowed or not."
+msgstr ""
+"ldap_account_expire_policy=nds を使用するとき、アクセスが許可されるかされない"
+"かをこの属性が決定します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
+msgid "Default: loginDisabled"
+msgstr "初期値: loginDisabled"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:596
+msgid "ldap_user_nds_login_expiration_time (string)"
+msgstr "ldap_user_nds_login_expiration_time (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines until "
+"which date access is granted."
+msgstr ""
+"ldap_account_expire_policy=nds を使用しているとき、この属性はデータアクセスが"
+"いつまで許可されるのかを決定します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:610
+msgid "ldap_user_nds_login_allowed_time_map (string)"
+msgstr "ldap_user_nds_login_allowed_time_map (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:613
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines the "
+"hours of a day in a week when access is granted."
+msgstr ""
+"ldap_account_expire_policy=nds を使用しているとき、この属性はアクセスが許可さ"
+"れるときの一週間の日の時間を決定します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:618
+msgid "Default: loginAllowedTimeMap"
+msgstr "初期値: loginAllowedTimeMap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:624
+msgid "ldap_user_principal (string)"
+msgstr "ldap_user_principal (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:627
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr "ユーザーの Kerberos User Principal Name (UPN) を含む LDAP 属性です。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:631
+msgid "Default: krbPrincipalName"
+msgstr "初期値: krbPrincipalName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:637
+msgid "ldap_user_extra_attrs (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:640
+msgid ""
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+"usual set of user attributes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:645
+msgid ""
+"The list can either contain LDAP attribute names only, or colon-separated "
+"tuples of SSSD cache attribute name and LDAP attribute name. In case only "
+"LDAP attribute name is specified, the attribute is saved to the cache "
+"verbatim. Using a custom SSSD attribute name might be required by "
+"environments that configure several SSSD domains with different LDAP schemas."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:655
+msgid ""
+"Please note that several attribute names are reserved by SSSD, notably the "
+"<quote>name</quote> attribute. SSSD would report an error if any of the "
+"reserved attribute names is used as an extra attribute name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:665
+msgid "ldap_user_extra_attrs = telephoneNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:668
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+"<quote>telephoneNumber</quote> to the cache."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:672
+msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:675
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+"quote> to the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:685
+msgid "ldap_user_ssh_public_key (string)"
+msgstr "ldap_user_ssh_public_key (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:688
+msgid "The LDAP attribute that contains the user's SSH public keys."
+msgstr "ユーザーの SSH 公開鍵を含む LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306
+msgid "Default: sshPublicKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr "ldap_force_upper_case_realm (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+"いくつかのディレクトリーサーバー、たとえば Active Directory、は小文字のレルム"
+"を転送しません。それにより、認証が失敗します。もし大文字のレルムを使用したい"
+"場合、このオプションを 0 以外に設定します。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:714
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr "ldap_enumeration_refresh_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:717
+msgid ""
+"Specifies how many seconds SSSD has to wait before refreshing its cache of "
+"enumerated records."
+msgstr ""
+"SSSD が列挙レコードのキャッシュを更新する前に待つ必要がある秒数を指定します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:728
+msgid "ldap_purge_cache_timeout (integer)"
+msgstr "ldap_purge_cache_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:731
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+"使用していないエントリー(メンバーのいないグループやログインしたことがない"
+"ユーザーなど)に対してキャッシュを確認して、保存領域を節約するためにそれらを"
+"削除する間隔を決めます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:737
+msgid ""
+"Setting this option to zero will disable the cache cleanup operation. Please "
+"note that if enumeration is enabled, the cleanup task is required in order "
+"to detect entries removed from the server and can't be disabled. By default, "
+"the cleanup task will run every 3 hours with enumeration enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:752
+msgid "ldap_user_fullname (string)"
+msgstr "ldap_user_fullname (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:755
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr "ユーザーの完全名に対応する LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235
+#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607
+msgid "Default: cn"
+msgstr "初期値: cn"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:765
+msgid "ldap_user_member_of (string)"
+msgstr "ldap_user_member_of (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:768
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr "ユーザーのグループメンバーを一覧にする LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274
+msgid "Default: memberOf"
+msgstr "初期値: memberOf"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:778
+msgid "ldap_user_authorized_service (string)"
+msgstr "ldap_user_authorized_service (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:781
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+"もし access_provider=ldap かつ ldap_access_order=authorized_service ならば、"
+"SSSD はアクセス権限を決定するために、ユーザーの LDAP エントリーにある "
+"authorizedService 属性を使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:788
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+"明示的な拒否 (!svc) が始めに解決されます。次に SSSD は明示的な許可 (svc) を検"
+"索します。最後にすべて許可 (*) を検索します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:793
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>authorized_service</quote> in order for the "
+"ldap_user_authorized_service option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:800
+msgid "Default: authorizedService"
+msgstr "初期値: authorizedService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:806
+msgid "ldap_user_authorized_host (string)"
+msgstr "ldap_user_authorized_host (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:809
+msgid ""
+"If access_provider=ldap and ldap_access_order=host, SSSD will use the "
+"presence of the host attribute in the user's LDAP entry to determine access "
+"privilege."
+msgstr ""
+"access_provider=ldap かつ ldap_access_order=host ならば、 SSSD はアクセス権限"
+"を決めるために、ユーザーの LDAP エントリーにあるホスト属性の存在を使用しま"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"An explicit deny (!host) is resolved first. Second, SSSD searches for "
+"explicit allow (host) and finally for allow_all (*)."
+msgstr ""
+"明示的な拒否 (!host) がまず解決されます。次に SSSD が明示的な許可 (host) を検"
+"索します。最後にすべて許可 (*) が検索されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:820
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>host</quote> in order for the "
+"ldap_user_authorized_host option to work."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:827
+msgid "Default: host"
+msgstr "初期値: host"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:833
+msgid "ldap_user_authorized_rhost (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:836
+msgid ""
+"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the "
+"presence of the rhost attribute in the user's LDAP entry to determine access "
+"privilege. Similarly to host verification process."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:843
+msgid ""
+"An explicit deny (!rhost) is resolved first. Second, SSSD searches for "
+"explicit allow (rhost) and finally for allow_all (*)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:848
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>rhost</quote> in order for the "
+"ldap_user_authorized_rhost option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:855
+msgid "Default: rhost"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:861
+msgid "ldap_user_certificate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:864
+msgid "Name of the LDAP attribute containing the X509 certificate of the user."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:868
+msgid "Default: userCertificate;binary"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:874
+msgid "ldap_user_email (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:877
+msgid "Name of the LDAP attribute containing the email address of the user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:881
+msgid ""
+"Note: If an email address of a user conflicts with an email address or fully "
+"qualified name of another user, then SSSD will not be able to serve those "
+"users properly. If for some reason several users need to share the same "
+"email address then set this option to a nonexistent attribute name in order "
+"to disable user lookup/login by email."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:890
+msgid "Default: mail"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:896
+msgid "ldap_group_object_class (string)"
+msgstr "ldap_group_object_class (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "The object class of a group entry in LDAP."
+msgstr "LDAP にあるグループエントリーのオブジェクトクラスです。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:902
+msgid "Default: posixGroup"
+msgstr "初期値: posixGroup"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:908
+msgid "ldap_group_name (string)"
+msgstr "ldap_group_name (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:911
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr "グループ名に対応する LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:915
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:922
+msgid "ldap_group_gid_number (string)"
+msgstr "ldap_group_gid_number (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:925
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr "グループの ID に対応する LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:935
+msgid "ldap_group_member (string)"
+msgstr "ldap_group_member (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:938
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr "グループのメンバーの名前を含む LDAP の属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:942
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr "初期値: memberuid (rfc2307) / member (rfc2307bis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:948
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:951
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:962
+msgid "ldap_group_objectsid (string)"
+msgstr "ldap_group_objectsid (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:965
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP group object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"LDAP グループオブジェクトの objectSID を含む LDAP 属性です。これは通常 "
+"ActiveDirectory サーバーに対してのみ必要です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:977
+msgid "ldap_group_modify_timestamp (string)"
+msgstr "ldap_group_modify_timestamp (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:990
+msgid "ldap_group_type (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:993
+msgid ""
+"The LDAP attribute that contains an integer value indicating the type of the "
+"group and maybe other flags."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:998
+msgid ""
+"This attribute is currently only used by the AD provider to determine if a "
+"group is a domain local groups and has to be filtered out for trusted "
+"domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1004
+msgid "Default: groupType in the AD provider, otherwise not set"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1011
+msgid "ldap_group_external_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1014
+msgid ""
+"The LDAP attribute that references group members that are defined in an "
+"external domain. At the moment, only IPA's external members are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1020
+msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1027
+msgid "ldap_group_nesting_level (integer)"
+msgstr "ldap_group_nesting_level (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1030
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+"ldap_schema が入れ子グループ (例: RFC2307bis) をサポートするスキーマ形式に設"
+"定されていると、このオプションが入れ子 SSSD がしたがうレベルを制御します。こ"
+"のオプションは RFC2307 スキーマにおいて効果がありません。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1037
+msgid ""
+"Note: This option specifies the guaranteed level of nested groups to be "
+"processed for any lookup. However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all. However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "初期値: 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr "ldap_groups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr "ldap_initgroups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr "ldap_netgroup_object_class (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr "LDAP にあるネットワークグループエントリーのオブジェクトクラスです。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+msgstr ""
+"IPA プロバイダーにおいては ipa_netgroup_object_class が代わりに使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr "初期値: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr "ldap_netgroup_name (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr "ネットワークグループ名に対応する LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr "IPA プロバイダーにおいては ipa_netgroup_name が代わりに使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr "ldap_netgroup_member (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr "ネットワークグループのメンバーの名前を含む LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr ""
+"IPA プロバイダーにおいては ipa_netgroup_member が代わりに使用されます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr "初期値: memberNisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr "ldap_netgroup_triple (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+"ネットワークグループの三つ組(ホスト、ユーザー、ドメイン)を含む LDAP 属性で"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr "このオプションは IPA プロバイダーにおいて利用可能ではありません。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr "初期値: nisNetgroupTriple"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr "ldap_netgroup_modify_timestamp (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr "初期値: ipService"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr ""
+"オプションです。ホストオブジェクトの検索ベースとして与えられた文字列を使用し"
+"ます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+"複数の検索ベースを設定することの詳細は <quote>ldap_search_base</quote> を参照"
+"してください。"
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr "初期値: <emphasis>ldap_search_base</emphasis> の値"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr "ldap_service_object_class (文字列)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr "LDAP にあるサービスエントリーのオブジェクトクラスです。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr "ldap_service_name (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr "サービス属性の名前とそのエイリアスを含む LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr "ldap_service_port (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr "このサービスにより管理されるポートを含む LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1357
+msgid "Default: ipServicePort"
+msgstr "初期値: ipServicePort"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1363
+msgid "ldap_service_proto (string)"
+msgstr "ldap_service_proto (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1366
+msgid ""
+"The LDAP attribute that contains the protocols understood by this service."
+msgstr "このサービスにより認識されるプロトコルを含む LDAP 属性です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1370
+msgid "Default: ipServiceProtocol"
+msgstr "初期値: ipServiceProtocol"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1376
+msgid "ldap_service_search_base (string)"
+msgstr "ldap_service_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1381
+msgid "ldap_search_timeout (integer)"
+msgstr "ldap_search_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1384
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+"注: このオプションは SSSD の将来のバージョンにおいて変更される可能性がありま"
+"す。特定の種類の検索のために一連のタイムアウトによりある時点に置き換えられる"
+"かもしれません。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr "ldap_enumeration_search_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr "ldap_network_timeout (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+"<citerefentry> <refentrytitle>connect</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> に続けて <citerefentry> <refentrytitle>poll</"
+"refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/<citerefentry> "
+"<refentrytitle>select</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> が未使用を返した後のタイムアウト(秒単位)を指定します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr "ldap_opt_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr "ldap_connection_expire_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. 
After this time, the connection will be re-established. If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr "初期値: 900 (15 分)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr "ldap_page_size (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+"1 回の要求で LDAP から取得するレコード数を指定します。いくつかの LDAP サー"
+"バーは 1 要求あたりの最大数の制限を強制します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr "初期値: 1000"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr "ldap_disable_paging (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control. This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+"LDAP ページング制御を無効にします。LDAP サーバーがその RootDSE において LDAP "
+"ページング制御をサポートするが、有効化されていない、もしくは正しく動作しない"
+"ことを報告する場合に、このオプションが使用されます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" +"例: サーバーにページング制御モジュールがインストールされているが、RootDSE に" +"おいて有効化されていないと報告され、それを使用できない OpenLDAP サーバーで" +"す。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" +"例: 389 DS は単一の接続において同時に 1 つのページ制御のみをサポートします。" +"負荷の高いクライアントにおいては、いくつかの要求が拒否される結果になる可能性" +"があります。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "ldap_disable_range_retrieval (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "Active Directory の範囲の取得を無効化します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "ldap_sasl_minssf (整数)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "ldap_deref_threshold (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" +"もしあれば、 TLS セッションにおいてサーバー証明書において実行するためにチェッ" +"クするものを指定します。以下の値のうち 1 つを指定できます:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = クライアントがすべてのサーバー証明書を要求または" +"確認しません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" +"<emphasis>allow</emphasis> = サーバー証明書が要求されます。証明書が提供されな" +"ければ、セッションが通常通り進められます。不正な証明書が提供されると、それは" +"無視され、セッションが通常通り進められます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" +"<emphasis>try</emphasis> = サーバー証明書が要求されます。証明書が提供されなけ" +"れば、セッションが通常通り進められます。不正な証明書が提供されると、セッショ" +"ンが直ちに終了します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" +"<emphasis>demand</emphasis> = サーバー証明書が要求されます。証明書が提供され" +"なければ、もしくは不正な証明書が提供されれば、セッションが直ちに終了します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "<emphasis>hard</emphasis> = <quote>demand</quote> と同じです" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "初期値: hard" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> が認識するすべての認証局に対する証明" +"書を含むファイルを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." 
+"conf</filename>" +msgstr "" +"初期値: OpenLDAP の初期値の使用、一般的に <filename>/etc/openldap/ldap.conf</" +"filename> にあります" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" +"個別のファイルに CA 証明書を含むディレクトリーのパスを指定します。一般的に" +"ファイル名は '.0' で終わる証明書のハッシュである必要があります。利用可能なら" +"ば、<command>cacertdir_rehash</command> は正しい名前を作成するために使用でき" +"ます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "ldap_tls_cert (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "クライアントのキーに対する証明書を含むファイルを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "クライアントのキーを含むファイルを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (文字列)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" +"チャネルを保護するために <systemitem class=\"protocol\">tls</systemitem> も使" +"用する必要がある id_provider 接続を指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" +"この機能は現在 ActiveDirectory objectSID マッピングのみサポートします。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" +"使用する SASL メカニズムを指定します。現在 GSSAPI のみがテストされサポートさ" +"れます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. 
When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "初期値: host/hostname@REALM" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "初期値: krb5_realm の値" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" +"真に設定されていると、 LDAP ライブラリーは SASL バインド中にホスト名を正規化" +"するために逆引きを実行します。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "初期値: false;" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "SASL/GSSAPI を使用するときに使用するキーテーブルを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" +"初期値: システムのキーテーブル、通常 <filename>/etc/krb5.keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" +"Kerberos クレディンシャル (TGT) を初期化する id_provider を指定します。この操" +"作は、 SASL が使用され、選択されたメカニズムが GSSAPI である場合のみ実行され" +"ます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "GSSAPI が使用されている場合、TGT の有効期間を秒単位で指定します。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "初期値: 86400 (24 時間)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" +"KDC または kpasswd サーバーに対してサービス検索を使用するとき、SSSD はまずプ" +"ロトコルとして _udp を指定する DNS エントリーを検索して、何も見つからなけれ" +"ば _tcp にフォールバックします。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." 
+msgstr "" +"このオプションは以前の SSSD において <quote>krb5_kdcip</quote> という名前でし" +"た。古い名前がしばらく認められる間、ユーザーは代わりに <quote>krb5_server</" +"quote> を使用するよう設定ファイルを移行することが推奨されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "(SASL/GSSAPI 認証向け) Kerberos レルムを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "初期値: システムの初期値、<filename>/etc/krb5.conf</filename> 参照。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" +"LDAP サーバーに接続するとき、ホストのプリンシパルが正規化されるかどうかを指定" +"します。この機能は MIT Kerberos >= 1.7 で利用可能です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. 
This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" +"位置情報プラグインの詳細は <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> マニュアルページを参照ください。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" +"クライアント側においてパスワード期限切れを評価するためのポリシーを選択しま" +"す。以下の値が許容されます:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" +"<emphasis>none</emphasis> - クライアント側において評価しません。このオプショ" +"ンはサーバー側のパスワードポリシーを無効にできません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." 
+msgstr "" +"<emphasis>shadow</emphasis> - パスワードが失効したかを評価するために " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> 形式の属性を使用します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" +"<emphasis>mit_kerberos</emphasis> - パスワードが期限切れしているかを決定する" +"ために MIT Kerberos により使用される属性を使用します。パスワードが変更される" +"とき、これらの属性を更新するために chpass_provider=krb5 を使用します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "自動参照追跡が有効化されるかを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" +"OpenLDAP バージョン 2.4.13 およびそれ以降とともにコンパイルされているとき、 " +"sssd のみが参照追跡をサポートすることに注意してください。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" +"サービス検索が有効にされているときに使用するサービスの名前を指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "初期値: ldap" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"サービス検索が有効にされているときに、パスワード変更を許可する LDAP サーバー" +"を検索するために使用するサービスの名前を指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "初期値: 設定されていません、つまりサービス検索が無効にされています" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "例:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "初期値: 空白" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"このオプションを使用すると、アクセス制御属性のクライアント側評価が有効になり" +"ます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." 
+msgstr "" +"必ずサーバー側のアクセス制御を使用することが推奨されることに注意してくださ" +"い。つまり、パスワードが正しいときさえ、適切なエラーコードでバインド要求を拒" +"否します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "以下の値が許可されます:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" +"<emphasis>shadow</emphasis>: アカウントが失効しているかを決めるために " +"ldap_user_shadow_expire の値を使用します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: アクセスが許可されるかされないかを確認するために " +"ldap_ns_account_lock の値を使用します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." 
+msgstr ""
+"<emphasis>nds</emphasis>: アクセスが許可されるかを確認するために the values "
+"of ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled および "
+"ldap_user_nds_login_expiration_time の値が使用されます。どの値もなければ、ア"
+"クセスが許可されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2151
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>expire</quote> in order for the "
+"ldap_account_expire_policy option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2164
+msgid "ldap_access_order (string)"
+msgstr "ldap_access_order (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2167
+msgid "Comma separated list of access control options. Allowed values are:"
+msgstr ""
+"アクセス制御オプションのカンマ区切り一覧です。許可される値は次のとおりです:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2171
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr "<emphasis>filter</emphasis>: ldap_access_filter を使用します"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2174
+msgid ""
+"<emphasis>lockout</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. "
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2184
+msgid ""
+"<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+"quote> option and might be removed in a future release. </emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2191
+msgid ""
+"<emphasis>ppolicy</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z' or represents any time in the past. The "
+"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
+"denotes the UTC time zone. Other time zones are not currently supported and "
+"will result in \"access-denied\" when users attempt to log in. Please see "
+"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' "
+"must be set for this feature to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2208
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr "<emphasis>expire</emphasis>: ldap_account_expire_policy を使用します"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2212
+msgid ""
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+"pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+"interested in being warned that password is about to expire and "
+"authentication is based on using a different method than passwords - for "
+"example SSH keys."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2222
+msgid ""
+"The difference between these options is the action taken if user password is "
+"expired: pwd_expire_policy_reject - user is denied to log in, "
+"pwd_expire_policy_warn - user is still able to log in, "
+"pwd_expire_policy_renew - user is prompted to change his password "
+"immediately."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2230
+msgid ""
+"Note If user password is expired no explicit message is prompted by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2234
+msgid ""
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2239
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+"<emphasis>authorized_service</emphasis>: アクセス権を決定するために "
+"authorizedService 属性を使用します"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2244
+msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+msgstr ""
+"<emphasis>host</emphasis>: アクセス権を決めるために host 属性を使用します"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2248
+msgid ""
+"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+"remote host can access"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2252
+msgid ""
+"Please note, rhost field in pam is set by application, it is better to check "
+"what the application sends to pam, before enabling this access control option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2257
+msgid "Default: filter"
+msgstr "初期値: filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2260
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr "値が複数使用されていると設定エラーになることに注意してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2267
+msgid "ldap_pwdlockout_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2270
+msgid ""
+"This option specifies the DN of password policy entry on LDAP server. Please "
+"note that absence of this option in sssd.conf in case of enabled account "
+"lockout checking will yield access denied as ppolicy attributes on LDAP "
+"server cannot be checked properly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2278
+msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2281
+msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2287
+msgid "ldap_deref (string)"
+msgstr "ldap_deref (文字列)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" +"検索を実行するときにどのように参照解決を実行するかを指定します。以下のオプ" +"ションが許容されます:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "<emphasis>never</emphasis>: エイリアスが参照解決されません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" +"<emphasis>searching</emphasis>: エイリアスはベースオブジェクトの下位に参照解" +"決されますが、検索のベースオブジェクトの位置を探すときはされません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" +"<emphasis>finding</emphasis>: エイリアスは検索のベースオブジェクトの位置を探" +"すときのみ参照解決されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" +"<emphasis>always</emphasis>: エイリアスは検索のベースオブジェクトを検索すると" +"きも位置を検索するときも参照解決されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" +"初期値: 空白(LDAP クライアントライブラリにより <emphasis>never</emphasis> と" +"して取り扱われます)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "ldap_rfc2307_fallback_to_local_users (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" +"SSSD ドメインに適用するすべての全体設定オプションを LDAP ドメインに適用しま" +"す。完全な詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ドメインセ" +"クション</quote> を参照してください。 <placeholder type=\"variablelist\" id=" +"\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "SUDO オプション" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "ldap_sudorule_object_class (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." 
+msgstr "LDAP にある sudo ルールエントリーのオブジェクトクラスです。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "初期値: sudoRole" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "ldap_sudorule_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "sudo ルール名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "ldap_sudorule_command (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "コマンド名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "初期値: sudoCommand" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "ldap_sudorule_host (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" +"ホスト名(またはホスト IP アドレス、ホスト IP ネットワーク、ホストネットワー" +"クグループ)に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "初期値: sudoHost" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "ldap_sudorule_user (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" +"ユーザー名(または UID、グループ名、ユーザーのネットワークグループ)に対応す" +"る LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "初期値: sudoUser" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "ldap_sudorule_option (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "sudo オプションに対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "初期値: sudoOption" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "ldap_sudorule_runasuser (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "コマンドを実行するユーザー名に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "初期値: sudoRunAsUser" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "ldap_sudorule_runasgroup (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" +"コマンドを実行するグループ名またはグループの GID に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "初期値: sudoRunAsGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "ldap_sudorule_notbefore (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "sudo ルールが有効になる開始日時に対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "初期値: sudoNotBefore" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "ldap_sudorule_notafter (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" +"sudo ルールが有効ではなくなった後に、期限切れとなる日時に対応する LDAP 属性で" +"す。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "初期値: sudoNotAfter" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "ldap_sudorule_order (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "ルールの並び替えインデックスに対応する LDAP 属性です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "初期値: sudoOrder" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "ldap_sudo_full_refresh_interval (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" +"値は <emphasis>ldap_sudo_smart_refresh_interval</emphasis> より大きい必要があ" +"ります" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "初期値: 21600 (6 時間)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "ldap_sudo_smart_refresh_interval (整数)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "ldap_sudo_use_host_filter (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "ldap_sudo_hostnames (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" +"ルールをフィルターするために使用されるホスト名または完全修飾ドメイン名の空白" +"区切り一覧です。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" +"<emphasis>ldap_sudo_use_host_filter</emphasis> が <emphasis>false</emphasis> " +"ならば、このオプションは効果を持ちません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "初期値: 指定なし" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "ldap_sudo_ip (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" +"ルールをフィルターするために使用される、IPv4 または IPv6 ホスト/ネットワーク" +"アドレスの空白区切り一覧です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" +"このオプションが空白ならば、SSSD は自動的にアドレスを検索しようとします。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "ldap_sudo_include_netgroups (論理値)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "ldap_sudo_include_regexp (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" +"このマニュアルページは属性名マッピングのみを説明します。 sudo に関連する属性" +"セマンティックの詳細な説明は <citerefentry> <refentrytitle>sudoers.ldap</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してください" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "AUTOFS オプション" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "ldap_autofs_map_object_class (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "LDAP にある automount マップエントリーのオブジェクトクラスです。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "ldap_autofs_map_name (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "LDAP における automount のマップエントリーの名前です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "ldap_autofs_entry_object_class (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "ldap_autofs_entry_key (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" +"LDAP にある automount エントリーのキーです。エントリーは一般的にマウントポイ" +"ントと対応します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "ldap_autofs_entry_value (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "高度なオプション" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr "ldap_sudo_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr "ldap_autofs_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "例"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+"以下の例は、SSSD が正しく設定され、LDAP が <replaceable>[domains]</"
+"replaceable> セクションにあるドメインのどれかに設定されていると仮定していま"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "注記"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+"このマニュアルページにある設定オプションのいくつかの説明は、OpenLDAP 2.4 ディ"
+"ストリビューションから <citerefentry> <refentrytitle>ldap.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページに基"
+"づいています。"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "SSSD の PAM モジュール"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+"<command>pam_sss.so</command> は System Security Services daemon (SSSD) への "
+"PAM インターフェースです。エラーと結果は <command>syslog(3)</command> を通し"
+"て LOG_AUTHPRIV ファシリティでログ記録されます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr "不明なユーザーのログメッセージを抑制します。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+"<option>forward_pass</option> が設定されていると、他の PAM モジュールが使用す"
+"るために、入力されたパスワードがスタックに置かれます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+"引数 use_first_pass は強制的にモジュールが前にスタックされたモジュールのパス"
+"ワードを使用して、ユーザーに入力させません。パスワードが何も利用可能ではな"
+"い、またはパスワードが適切でなければ、ユーザーがアクセスを拒否されます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+"パスワードを変更するとき、モジュールが強制的に新しいパスワードを、前にスタッ"
+"クされたパスワードモジュールに設定します。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+"指定されていると、認証に失敗した場合にパスワードをあと N 回ユーザーに問い合わ"
+"せます。初期値は 0 です。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+"このオプションは、アプリケーションが呼び出す PAM が自身においてユーザーダイア"
+"ログを処理すると仮定して動作しません。典型的な例は "
+"<option>PasswordAuthentication</option> を用いた <command>sshd</command> で"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr "提供されるモジュール形式"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+"すべてのモジュール形式 (<option>account</option>, <option>auth</option>, "
+"<option>password</option> および <option>session</option>) が提供されます。"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr "ファイル"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+"対応する SSSD プロバイダーがパスワードリセットをサポートしないため、root によ"
+"るパスワードリセットが失敗すると、それぞれのメッセージが表示されます。たとえ"
+"ば、このメッセージはパスワードをリセットする方法に関する説明があります。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:220
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permissions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:230
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+"これらのファイルがディレクトリー <filename>/etc/sssd/customize/DOMAIN_NAME/</"
+"filename> において検索されます。一致するファイルがなければ、一般的なメッセー"
+"ジが表示されます。"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr "sssd_krb5_locator_plugin"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_locator_plugin.8.xml:16
+msgid "Kerberos locator plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use. Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplify the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variables and returns them to the "
+"libraries."
+msgstr ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> は、レルム、および KDC の名前または IP アドレスを、それぞれ "
+"SSSD_KRB5_REALM および SSSD_KRB5_KDC の中に置きます。"
+"<command>sssd_krb5_locator_plugin</command> が Kerberos ライブラリーにより呼"
+"び出されるとき、それがこれらの変数を読み込み、評価し、ライブラリーに返しま"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+"すべての Kerberos 実装がプラグインの使用をサポートしているとは限りません。 "
+"<command>sssd_krb5_locator_plugin</command> がシステムにおいて利用可能でなけ"
+"れば、Kerberos の構築を反映するように /etc/krb5.conf を編集する必要がありま"
+"す。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+"環境変数 SSSD_KRB5_LOCATOR_DEBUG に何らかの値が設定されていると、デバッグメッ"
+"セージが標準エラーに送られます。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr "SSSD の 'simple' アクセス制御プロバイダーの設定ファイルです。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+"このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> に対して簡単なアクセス制御の設定を説"
+"明しています。詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> マニュアルページの <quote>ファイル形"
+"式</quote> セクションを参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+"シンプルアクセスプロバイダーは、ユーザー名またはグループ名のアクセスまたは拒"
+"否の一覧に基づいてアクセスを許可または拒否します。以下の例を適用します:"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr "すべての一覧が空白ならば、アクセスが認められます"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+"何らかの一覧が提供されていると、許可(allow)、拒否(deny)の順に評価されま"
+"す。拒否ルールに一致するすべてのものは、許可ルールに一致するすべてのものを更"
+"新することを意味します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+"\"allow\" 一覧が提供されていると、すべてのユーザーはこの一覧に表れなければ拒"
+"否されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+"\"deny\" 一覧のみが提供されていると、ユーザーがこの一覧に表れない限り、すべて"
+"のユーザーがアクセスを許可されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr "simple_allow_users (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr "ログインが許可されたユーザーのカンマ区切り一覧です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr "simple_deny_users (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr "アクセスが明示的に拒否されたユーザーのカンマ区切り一覧です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr "simple_allow_groups (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+"ログインが許可されたグループのカンマ区切り一覧です。この SSSD ドメインの中の"
+"グループのみに適用されます。ローカルグループは評価されません。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr "simple_deny_groups (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+"アクセスが明示的に拒否されたグループのカンマ区切り一覧です。この SSSD ドメイ"
+"ンの中のグループのみに適用されます。ローカルグループは評価されません。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"SSSD ドメインの設定に関する詳細は <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの "
+"<quote>ドメインセクション</quote> のセクションを参照してください。 "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+"simple_allow_users と simple_deny_users がどちらも定義されると、設定エラーに"
+"なることに注意してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+"以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</"
+"replaceable> セクションにあるドメインの 1 つであると仮定します。この例はアク"
+"セスプロバイダー固有の簡単なオプションのみを示します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. "
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. "
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:312
+msgid "<SAN:iPAddress>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:315
+msgid "Match the value of the iPAddress SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:318
+msgid "Example: <SAN:iPAddress>192\\.168\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:323
+msgid "<SAN:registeredID>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:326
+msgid "Match the value of the registeredID SAN as dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:330
+msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:68
+msgid ""
+"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. 
The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:461
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by pkinit. The 'short_name' component represents the first part of the "
+"principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:467
+msgid ""
+"Example: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:472
+msgid "{subject_nt_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:475
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by AD. The 'short_name' component represent the first part of the principal "
+"before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:486
+msgid "{subject_rfc822_name[.short_name]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:489
+msgid ""
+"This template will add the string which is stored in the rfc822Name "
+"component of the SAN, typically an email address. The 'short_name' component "
+"represents the first part of the address before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:495
+msgid ""
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:500
+msgid "{subject_dns_name[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:503
+msgid ""
+"This template will add the string which is stored in the dNSName component "
+"of the SAN, typically a fully-qualified host name. The 'short_name' "
+"component represents the first part of the name before the first '.' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:509
+msgid ""
+"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:514
+msgid "{subject_uri}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:517
+msgid ""
+"This template will add the string which is stored in the "
+"uniformResourceIdentifier component of the SAN."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:521
+msgid "Example: (uri={subject_uri})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:526
+msgid "{subject_ip_address}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:529
+msgid ""
+"This template will add the string which is stored in the iPAddress component "
+"of the SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:533
+msgid "Example: (ip={subject_ip_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:538
+msgid "{subject_x400_address}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:541
+msgid ""
+"This template will add the value which is stored in the x400Address "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:546
+msgid "Example: (attr:binary={subject_x400_address})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:551
+msgid ""
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:554
+msgid ""
+"This template will add the DN string of the value which is stored in the "
+"directoryName component of the SAN."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:558
+msgid "Example: (orig_dn={subject_directory_name})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:563
+msgid "{subject_ediparty_name}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:566
+msgid ""
+"This template will add the value which is stored in the ediPartyName "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:571
+msgid "Example: (attr:binary={subject_ediparty_name})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:576
+msgid "{subject_registered_id}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:579
+msgid ""
+"This template will add the OID which is stored in the registeredID component "
+"of the SAN as a dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:584
+msgid "Example: (oid={subject_registered_id})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:369
+msgid ""
+"The templates to add certificate data to the search filter are based on "
+"Python-style formatting strings. They consist of a keyword in curly braces "
+"with an optional sub-component specifier separated by a '.' or an optional "
+"conversion/formatting option separated by a '!'. 
Allowed values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:592
+msgid "DOMAIN LIST"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:594
+msgid ""
+"If the domain list is not empty users mapped to a given certificate are not "
+"only searched in the local domain but in the listed domains as well as long "
+"as they are know by SSSD. Domains not know to SSSD will be ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr "sssd-ipa"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ipa.5.xml:17
+msgid "SSSD IPA provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"このマニュアルページは <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> に対する IPA プロバイダーの設定を説"
+"明しています。詳細な構文の参考資料は <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルペー"
+"ジの <quote>ファイル形式</quote> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server. (Refer to "
+"the freeipa.org web site for information about IPA servers.) 
This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+"IPA プロバイダーは IPA サーバーに接続するために使用されるバックエンドです。"
+"(IPA サーバーに関する詳細は freeipa.org のウェブサイトを参照してください。)"
+"このプロバイダーは、マシンが IPA ドメインに参加していて、設定がすでに全体的に"
+"自己検索され、サーバーから直接取得されている必要があります。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control) rules.  Please refer to freeipa.org for more information about "
+"HBAC.  No configuration of access provider is required on the client side."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
+"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
+"quote>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:73
+msgid ""
+"The IPA provider will use the PAC responder if the Kerberos tickets of users "
+"from trusted realms contain a PAC. To make configuration easier the PAC "
+"responder is started automatically if the IPA ID provider is configured."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:89
+msgid "ipa_domain (string)"
+msgstr "ipa_domain (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:92
+msgid ""
+"Specifies the name of the IPA domain. This is optional.  If not provided, "
+"the configuration domain name is used."
+msgstr ""
+"IPA ドメインの名前を指定します。これはオプションです。提供されなければ、設定"
+"ドメイン名が使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:100
+msgid "ipa_server, ipa_backup_server (string)"
+msgstr "ipa_server, ipa_backup_server (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:103
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference.  For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
+"This is optional if autodiscovery is enabled.  For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:116
+msgid "ipa_hostname (string)"
+msgstr "ipa_hostname (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:119
+msgid ""
+"Optional. 
May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host. The "
+"hostname must be fully qualified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866
+msgid "dyndns_update (boolean)"
+msgstr "dyndns_update (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:131
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA with the IP address of this client. The update is secured "
+"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
+"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
+"quote> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880
+msgid ""
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+"the default Kerberos realm must be set properly in /etc/krb5.conf"
+msgstr ""
+"注: (RHEL5 のような) 古いシステムにおいて、この動作が正しく機能するためには、"
+"デフォルトの Kerberos レルムが /etc/krb5.conf において正しく設定されている必"
+"要があります"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:145
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891
+msgid "dyndns_ttl (integer)"
+msgstr "dyndns_ttl (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894
+msgid ""
+"The TTL to apply to the client DNS record when updating it. If "
+"dyndns_update is false this has no effect. This will override the TTL "
+"serverside if set by an administrator."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:165
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
+"emphasis> in their config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:171
+msgid "Default: 1200 (seconds)"
+msgstr "初期値: 1200 (秒)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905
+msgid "dyndns_iface (string)"
+msgstr "dyndns_iface (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908
+msgid ""
+"Optional. Applicable only when dyndns_update is true. Choose the interface "
+"or a list of interfaces whose IP addresses should be used for dynamic DNS "
+"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
+"should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:187
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
+"emphasis> in their config file."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:193
+msgid ""
+"Default: Use the IP addresses of the interface which is used for IPA LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919
+msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970
+msgid "dyndns_auth (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"updates with the DNS server, insecure updates can be sent by setting this "
+"option to 'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979
+msgid "Default: GSS-TSIG"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:218
+msgid "ipa_enable_dns_sites (boolean)"
+msgstr "ipa_enable_dns_sites (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
+msgid "Enables DNS sites - location based service discovery."
+msgstr "DNS サイトの有効化 - 位置情報に基づいたサービス探索。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:225
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, then the SSSD will first attempt location "
+"based discovery using a query that contains \"_location.hostname.example.com"
+"\" and then fall back to traditional SRV discovery. If the location based "
+"discovery succeeds, the IPA servers located with the location based "
+"discovery are treated as primary servers and the IPA servers located using "
+"the traditional SRV discovery are used as back up servers"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925
+msgid "dyndns_refresh_interval (integer)"
+msgstr "dyndns_refresh_interval (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:247
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943
+msgid "dyndns_update_ptr (bool)"
+msgstr "dyndns_update_ptr (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946
+msgid ""
+"Whether the PTR record should also be explicitly updated when updating the "
+"client's DNS records. Applicable only when dyndns_update is true."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:268
+msgid ""
+"This option should be False in most IPA deployments as the IPA server "
+"generates the PTR records automatically when forward records are changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:274
+msgid "Default: False (disabled)"
+msgstr "初期値: False (無効)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957
+msgid "dyndns_force_tcp (bool)"
+msgstr "dyndns_force_tcp (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960
+msgid ""
+"Whether the nsupdate utility should default to using TCP for communicating "
+"with the DNS server."
+msgstr ""
+"nsupdate ユーティリティが DNS サーバーと通信するために TCP を標準で使用するか"
+"どうか。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964
+msgid "Default: False (let nsupdate choose the protocol)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985
+msgid "dyndns_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988
+msgid ""
+"The DNS server to use when performing a DNS update. In most setups, it's "
+"recommended to leave this option unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993
+msgid ""
+"Setting this option makes sense for environments where the DNS server is "
+"different from the identity server."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998
+msgid ""
+"Please note that this option will be only used in fallback attempt when "
+"previous attempt using autodetected settings failed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003
+msgid "Default: None (let nsupdate choose the server)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:317
+msgid "ipa_deskprofile_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:320
+msgid ""
+"Optional. Use the given string as search base for Desktop Profile related "
+"objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337
+msgid "Default: Use base DN"
+msgstr "初期値: ベース DN を使用します"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:330
+msgid "ipa_hbac_search_base (string)"
+msgstr "ipa_hbac_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:333
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+"オプションです。与えられた文字列を HBAC 関連オブジェクトに対する検索ベースと"
+"して使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:343
+msgid "ipa_host_search_base (string)"
+msgstr "ipa_host_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:346
+msgid "Deprecated. Use ldap_host_search_base instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:352
+msgid "ipa_selinux_search_base (string)"
+msgstr "ipa_selinux_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:355
+msgid "Optional. Use the given string as search base for SELinux user maps."
+msgstr ""
+"オプションです。与えられた文字列を SELinux ユーザーマップに対する検索ベースと"
+"して使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:371
+msgid "ipa_subdomains_search_base (string)"
+msgstr "ipa_subdomains_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:374
+msgid "Optional. Use the given string as search base for trusted domains."
+msgstr ""
+"オプションです。信頼されたドメインに対する検索ベースとして、与えられた文字列"
+"を使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:383
+msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+msgstr "初期値: <emphasis>cn=trusts,%basedn</emphasis> の値"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:390
+msgid "ipa_master_domain_search_base (string)"
+msgstr "ipa_master_domain_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:393
+msgid "Optional. Use the given string as search base for master domain object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:402
+msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+msgstr "初期値: <emphasis>cn=ad,cn=etc,%basedn</emphasis> の値"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:409
+msgid "ipa_views_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:412
+msgid "Optional. Use the given string as search base for views containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:421
+msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:431
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+"Kerberos レルムの名前です。これはオプションで、初期値は <quote>ipa_domain</"
+"quote> の値です。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:435
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+"IPA において特別な意味を持つ Kerberos レルムの名前です。LDAP 操作を実行するた"
+"めに使用するベース DN に変換されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012
+msgid "krb5_confd_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023
+msgid ""
+"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:461
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:464
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431
+msgid "Default: 5 (seconds)"
+msgstr "初期値: 5 (秒)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:477
+msgid "ipa_deskprofile_request_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:480
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server in case the last request did not return any rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:485
+msgid "Default: 60 (minutes)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:491
+msgid "ipa_hbac_refresh (integer)"
+msgstr "ipa_hbac_refresh (整数)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:494
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:507
+msgid "ipa_hbac_selinux (integer)"
+msgstr "ipa_hbac_selinux (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:510
+msgid ""
+"The amount of time between lookups of the SELinux maps against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many user login requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:523
+msgid "ipa_server_mode (boolean)"
+msgstr "ipa_server_mode (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:526
+msgid ""
+"This option will be set by the IPA installer (ipa-server-install) "
+"automatically and denotes if SSSD is running on an IPA server or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:531
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:536
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:541
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:550
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:565
+msgid "ipa_automount_location (string)"
+msgstr "ipa_automount_location (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "The automounter location this IPA client will be using"
+msgstr "この IPA クライアントが使用する automounter の場所です"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:571
+msgid "Default: The location named \"default\""
+msgstr "初期値: \"default\" という名前の場所"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:579
+msgid "VIEWS AND OVERRIDES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:588
+msgid "ipa_view_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:591
+msgid "Objectclass of the view container."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:594
+msgid "Default: nsContainer"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:600
+msgid "ipa_view_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:603
+msgid "Name of the attribute holding the name of the view."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:613
+msgid "ipa_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:616
+msgid "Objectclass of the override objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:619
+msgid "Default: ipaOverrideAnchor"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:625
+msgid "ipa_anchor_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:628
+msgid ""
+"Name of the attribute containing the reference to the original object in a "
+"remote domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: ipaAnchorUUID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_user_override_object_class (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"Name of the objectclass for user overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:646
+msgid "User overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:649
+msgid "ldap_user_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:652
+msgid "ldap_user_uid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:655
+msgid "ldap_user_gid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:658
+msgid "ldap_user_gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:661
+msgid "ldap_user_home_directory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:664
+msgid "ldap_user_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:667
+msgid "ldap_user_ssh_public_key"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:672
+msgid "Default: ipaUserOverride"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:678
+msgid "ipa_group_override_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:681
+msgid ""
+"Name of the objectclass for group overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:686
+msgid "Group overrides can contain attributes given by"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:689
+msgid "ldap_group_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:692
+msgid "ldap_group_gid_number"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:697
+msgid "Default: ipaGroupOverride"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:581
+msgid ""
+"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
+"later version. Since all paths and objectclasses are fixed on the server "
+"side there is basically no need to configure anything. For completeness the "
+"related options are listed here with their default values. <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:709
+msgid "SUBDOMAINS PROVIDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:711
+msgid ""
+"The IPA subdomains provider behaves slightly differently if it is configured "
+"explicitly or implicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:715
+msgid ""
+"If the option 'subdomains_provider = ipa' is found in the domain section of "
+"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+"subdomain requests are sent to the IPA server if necessary."
+msgstr ""
+"'subdomains_provider = ipa' オプションが sssd.conf のドメインのセクションに見"
+"つかれば、IPA サブドメインプロバイダーが明示的に設定されます。すべてのサブド"
+"メインのリクエストが必要に応じて IPA サーバーに送られます。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:721
+msgid ""
+"If the option 'subdomains_provider' is not set in the domain section of sssd."
+"conf but there is the option 'id_provider = ipa', the IPA subdomains "
+"provider is configured implicitly. In this case, if a subdomain request "
+"fails and indicates that the server does not support subdomains, i.e. is not "
+"configured for trusts, the IPA subdomains provider is disabled. After an "
+"hour or after the IPA provider goes online, the subdomains provider is "
+"enabled again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:732
+msgid "TRUSTED DOMAINS CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:738
+#, no-wrap
+msgid ""
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:734
+#, fuzzy
+#| msgid ""
+#| "These configuration options can be present in a domain configuration "
+#| "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+#| "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"Some configuration options can be also set for a trusted domain. A trusted "
+"domain configuration can either be done using a subsection, for example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"これらの設定オプションはドメイン設定のセクション、つまり <quote>[domain/"
+"<replaceable>NAME</replaceable>]</quote> に存在します <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:743
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"In addition, some options can be set in the parent domain and inherited by "
+"the trusted domain using the <quote>subdomain_inherit</quote> option. For "
+"more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> マニュアルページにある "
+"<quote>dns_discovery_domain</quote> パラメーターを参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:753
+msgid ""
+"Different configuration options are tunable for a trusted domain depending "
+"on whether you are configuring SSSD on an IPA server or an IPA client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:758
+msgid "OPTIONS TUNABLE ON IPA MASTERS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:760
+msgid ""
+"The following options can be set in a subdomain section on an IPA master:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794
+msgid "ad_server"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:767
+#, fuzzy
+#| msgid "ad_server, ad_backup_server (string)"
+msgid "ad_backup_server"
+msgstr "ad_server, ad_backup_server (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797
+msgid "ad_site"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:773
+#, fuzzy
+#| msgid "ldap_search_base (string)"
+msgid "ldap_search_base"
+msgstr "ldap_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:776
+#, fuzzy
+#| msgid "ldap_user_search_base (string)"
+msgid "ldap_user_search_base"
+msgstr "ldap_user_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:779
+#, fuzzy
+#| msgid "ldap_group_search_base (string)"
+msgid "ldap_group_search_base"
+msgstr "ldap_group_search_base (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:788
+msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:790
+msgid ""
+"The following options can be set in a subdomain section on an IPA client:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:802
+msgid ""
+"Note that if both options are set, only <quote>ad_server</quote> is "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:806
+msgid ""
+"Since any request for a user or a group identity from a trusted domain "
+"triggered from an IPA client is resolved by the IPA server, the "
+"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
+"which AD DC will the authentication be performed against. In particular, the "
+"addresses resolved from these lists will be written to <quote>kdcinfo</"
+"quote> files read by the Kerberos locator plugin. Please refer to the "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+"Kerberos locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:830
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+"以下の例は、SSSD が正しく設定され、example.com が <replaceable>[sssd]</"
+"replaceable> セクションにあるドメインの 1 つであることを仮定しています。この"
+"例は IPA プロバイダー固有のオプションのみを示しています。"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:837
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+msgid "sssd-ad"
+msgstr "sssd-ad"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ad.5.xml:17
+msgid "SSSD Active Directory provider"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" +"ldap_id_mapping = False\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. 
If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "ad_domain (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" +"Active Directory ドメインの名前を指定します。これはオプションです。指定されな" +"ければ、設定のドメイン名が使用されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" +"正しい動作のために、このオプションは Active Directory ドメインの長いバージョ" +"ンの小文字バージョンとして指定されます。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "ad_server, ad_backup_server (文字列)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "ad_hostname (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" +"オプションです。hostname(5) が Active Directory ドメインにおいて使用される完" +"全修飾名を反映しないマシンにおいてマシンに設定されるかもしれません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" +"この項目はキーテーブルにおいて使用中のホストプリンシパルを決定するために使用" +"されます。キーテーブルが発行されたホスト名と一致する必要があります。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "ad_enable_dns_sites (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. 
The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:761
+#, no-wrap
+msgid ""
+"ad_gpo_map_deny = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:771
+msgid "ad_gpo_default_right (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:774
+msgid ""
+"This option defines how access control is evaluated for PAM service names "
+"that are not explicitly listed in one of the ad_gpo_map_* options. This "
+"option can be set in two different manners. First, this option can be set to "
+"use a default logon right. For example, if this option is set to "
+"'interactive', it means that unmapped PAM service names will be processed "
+"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy "
+"settings. Alternatively, this option can be set to either always permit or "
+"always deny access for unmapped PAM service names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:787
+msgid "Supported values for this option include:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:791
+msgid "interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:796
+msgid "remote_interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:801
+msgid "network"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:806
+msgid "batch"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:811
+msgid "service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:816
+msgid "permit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:821
+msgid "deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:827
+msgid "Default: deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:833
+msgid "ad_maximum_machine_account_password_age (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:836
+msgid ""
+"SSSD will check once a day if the machine account password is older than the "
+"given age in days and try to renew it. A value of 0 will disable the renewal "
+"attempt."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:842
+msgid "Default: 30 days"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:848
+msgid "ad_machine_account_password_renewal_opts (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:851
+msgid ""
+"This option should only be used to test the machine account renewal task.
"
+"The option expects 2 integers separated by a colon (':'). The first integer "
+"defines the interval in seconds how often the task is run. The second "
+"specifies the initial timeout in seconds before the task is run for the "
+"first time after startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:860
+msgid "Default: 86400:750 (24h and 15m)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:869
+msgid ""
+"Optional. This option tells SSSD to automatically update the Active "
+"Directory DNS server with the IP address of this client. The update is "
+"secured using GSS-TSIG. As a consequence, the Active Directory administrator "
+"only needs to allow secure updates for the DNS zone. The IP address of the "
+"AD LDAP connection is used for the updates, if it is not otherwise specified "
+"by using the <quote>dyndns_iface</quote> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:899
+msgid "Default: 3600 (seconds)"
+msgstr "初期値: 3600 (秒)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:915
+msgid ""
+"Default: Use the IP addresses of the interface which is used for AD LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:928
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "初期値: True"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1043
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This example shows only the AD provider-specific options."
+msgstr ""
+"以下の例は SSSD が正しく設定され、example.com が <replaceable>[sssd]</"
+"replaceable> セクションにあるドメインの一つであると仮定しています。この例は "
+"AD プロバイダー固有のオプションのみ示してします。"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1050
+#, no-wrap
+msgid ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+msgstr ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1070
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1066
+msgid ""
+"The AD access control provider checks if the account is expired. It has the "
+"same effect as the following configuration of the LDAP provider: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1076
+msgid ""
+"However, unless the <quote>ad</quote> access control provider is explicitly "
+"configured, the default access provider is <quote>permit</quote>. Please "
+"note that if you configure an access provider other than <quote>ad</quote>, "
+"you need to set all the connection parameters (such as LDAP URIs and "
+"encryption details) manually."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr "sssd-sudo"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr "SSSD バックエンドを用いた sudo の設定法"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr "sudoers: files sss\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr "sudo ルールを取得するよう SSSD を設定する方法"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>.
To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr "SUDO ルールキャッシュメカニズム"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. "
+"This is used to keep the cache consistent by removing every rule which was "
+"deleted from the server. However, full refresh may produce a lot of traffic "
+"and thus it should be run only occasionally depending on the size and "
+"stability of the sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:152
+msgid ""
+"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
+"more permission than defined. It is triggered each time the user runs sudo. "
+"Rules refresh will find all rules that apply to this user, check their "
+"expiration time and redownload them if expired.
In the case that any of "
+"these rules are missing on the server, the SSSD will do an out of band full "
+"refresh because more rules (that apply to other users) may have been deleted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr "keyword ALL"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:173
+msgid "wildcard"
+msgstr "ワイルドカード"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:178
+msgid "netgroup (in the form \"+netgroup\")"
+msgstr "netgroup (\"+netgroup\" の形式)"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:183
+msgid "hostname or fully qualified domain name of this machine"
+msgstr "このマシンのホスト名または完全修飾ドメイン名"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:188
+msgid "one of the IP addresses of this machine"
+msgstr "このマシンの IP アドレスのどれか"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:193
+msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+msgstr "ネットワークの IP アドレスのどれか (\"address/mask\" 形式)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:199
+msgid ""
+"There are many configuration options that can be used to adjust the "
+"behavior.
Please refer to \"ldap_sudo_*\" in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr "sssd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr "System Security Services Daemon"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+"<command>SSSD</command> はリモートディレクトリーへのアクセスと認証メカニズム"
+"を管理するための一組のデーモンを提供します。システムへの NSS と PAM インター"
+"フェースを提供します。また、D-Bus インターフェースのように複数の異なるアカウ"
+"ントソースに接続するための取り外し可能なバックエンドシステムを提供します。ク"
+"ライアント監査、およびFreeIPA のようなプロジェクトに対するポリシーサービスを"
+"提供する基礎となります。ローカルユーザーだけでなく拡張ユーザーデータを保存す"
+"るためのより強靭なデータベースを提供します。"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr "<emphasis>1</emphasis>: デバッグメッセージに日時を追加します"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr "<emphasis>0</emphasis>: デバッグメッセージで日時を無効にします"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: デバッグメッセージにミリ秒をタイムスタンプに追加しま"
+"す"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr "<emphasis>0</emphasis>: 日時でマイクロ秒を無効にします"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr "<option>-f</option>,<option>--debug-to-files</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+"デバッグ出力を標準エラーの代わりにファイルに送信します。初期状態で、ログファ"
+"イルは <filename>/var/log/sssd</filename> に保存され、すべての SSSD サービス"
+"とドメインに対して別々のログファイルがあります。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files.
By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr "<option>-D</option>,<option>--daemon</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr "起動後にデーモンになります。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr "<option>-i</option>,<option>--interactive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr "フォアグラウンドで実行して、デーモンになりません。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr "<option>-c</option>,<option>--config</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"非標準の設定ファイルを指定します。初期値は <filename>/etc/sssd/sssd.conf</"
+"filename> です。設定ファイルの構文とオプションは <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> マニュアルページを参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr "<option>--version</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr "バージョン番号を表示して終了します。"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr "シグナル"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr "SIGTERM/SIGINT"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+"SSSD にすべての子プロセスを穏やかに停止するよう通知して、モニターをシャットダ"
+"ウンします。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr "SIGHUP"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+"SSSD が現在のデバッグファイルディスクリプターに書き込むことを止めて、それらを"
+"閉じてから開きなおすよう指示します。これは logrotate のようなプログラムを用い"
+"てログローテーションを促進することを意味します。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr "SIGUSR1"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr "SIGUSR2"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr "sss_obfuscate"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr "平文パスワードをわかりにくくする"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+"<command>sss_obfuscate</command> は、与えられたパスワードを人間が読みにくい形"
+"式に変換して、SSSD 設定ファイルの適切なドメインセクションに置きます。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+"平文のパスワードは、標準入力から読み込まれます、または対話的に入力されます。"
+"解読しにくくされたパスワードが指定された SSSD ドメインの "
+"<quote>ldap_default_authtok</quote> パラメータに置かれます。また "
+"<quote>ldap_default_authtok_type</quote> パラメーターが "
+"<quote>obfuscated_password</quote> に設定されます。これらのパラメーターの詳細"
+"は <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> を参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+"パスワードをわかりにくくすることは、攻撃者がパスワードをリバースエンジニアリ"
+"ングできるので <emphasis>実際にセキュリティの便益</emphasis> は提供されませ"
+"ん。クライアントサイド証明書や GSSAPI のようなより良い認証機構を使用すること"
+"を <emphasis>強く</emphasis> 推奨します。"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr "<option>-s</option>,<option>--stdin</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr "解読しにくくするパスワードが標準入力から読み込まれます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+"パスワードに使用する SSSD ドメインです。名前の初期値は <quote>default</"
+"quote> です。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr "位置パラメーターにより指定された設定ファイルを読み込みます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr "初期値: <filename>/etc/sssd/sssd.conf</filename>"
+
+#.
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_override.8.xml:16
+msgid "create local overrides of user and group attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_override.8.xml:21
+msgid ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:32
+msgid ""
+"<command>sss_override</command> enables to create a client-side view and "
+"allows to change selected values of specific user and groups. This change "
+"takes effect only on local machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:37
+msgid ""
+"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
+"local overrides are lost. Please note that after the first override is "
+"created using any of the following <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
+"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
+"take effect. <emphasis>sss_override</emphasis> prints message when a "
+"restart is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:50 sssctl.8.xml:41
+msgid "AVAILABLE COMMANDS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:52
+msgid ""
+"Argument <emphasis>NAME</emphasis> is the name of original object in all "
+"commands. It is not possible to override <emphasis>uid</emphasis> or "
+"<emphasis>gid</emphasis> to 0."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:59
+msgid ""
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
+"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
+"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+"CERTIFICATE</optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:72
+msgid ""
+"Override attributes of an user. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:80
+msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:85
+msgid ""
+"Remove user overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:94
+msgid ""
+"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:99
+msgid ""
+"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
+"is set, only users from the domain are listed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:107
+msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:112
+msgid "Show user overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:118
+msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:123
+msgid ""
+"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard passwd file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:128
+msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:131
+msgid ""
+"where original_name is original name of the user whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:140
+msgid "ckent:superman::::::"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:143
+msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:149
+msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:154
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>user-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:162
+msgid ""
+"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:169
+msgid ""
+"Override attributes of a group. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:177
+msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:182
+msgid ""
+"Remove group overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:191
+msgid ""
+"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:196
+msgid ""
+"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
+"parameter is set, only groups from the domain are listed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr "sss_useradd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr "新しいユーザーを作成する"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+"<command>sss_useradd</command> は、コマンドラインにおいて指定された値とシステ"
+"ムの初期値を使用して、新しいユーザーを作成します。"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"ユーザーの UID を <replaceable>UID</replaceable> の値を設定します。与えられな"
+"いと、自動的に選択されます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+"ユーザーを説明している任意のテキスト文字列です。しばしばユーザーの完全名の項"
+"目として使用されます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. 
The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+"ユーザーアカウントのホームディレクトリーです。初期値は <filename>/home</"
+"filename> に <replaceable>LOGIN</replaceable> の名前を追加して、ホームディレ"
+"クトリーとして使用します。 <replaceable>LOGIN</replaceable> の前につけるベー"
+"スは sssd.conf において <quote>user_defaults/baseDirectory</quote> 設定で変更"
+"できます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>. The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+"ユーザーのログインシェルです。初期値は現在 <filename>/bin/bash</filename> で"
+"す。初期値は sssd.conf において <quote>user_defaults/defaultShell</quote> で"
+"変更できます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr "このユーザーがメンバーである既存のユーザーの一覧です。"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr "<option>-m</option>,<option>--create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+"ユーザーのホームディレクトリーが存在しなければ、それを作成します。(-k オプ"
+"ションまたは設定ファイルで定義できる)スケルトンディレクトリーにあるファイル"
+"とディレクトリーがホームディレクトリーにコピーされます。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr "<option>-M</option>,<option>--no-create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr "ユーザーのホームディレクトリーを作成しません。設定を上書きします。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+"スケルトンディレクトリーです。ホームディレクトリーが <command>sss_useradd</"
+"command> により作成されるとき、ユーザーのホームディレクトリーにコピーされる"
+"ファイルとディレクトリーを含みます。"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"Special files (block devices, character devices, named pipes and unix "
+"sockets) will not be copied."
+msgstr ""
+"特殊ファイル (ブロックデバイス、キャラクターデバイス、名前付きパイプおよび "
+"UNIX ソケット) はコピーされません。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:147
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+"<option>-m</option> (または <option>--create-home</option>) オプションが指定"
+"されたとき、またはホームディレクトリーの作成が設定において TRUE に設定されて"
+"いる場合のみ、このオプションが有効です。"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:161
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+"ユーザーがログインする際の SELinux ユーザーです。未指定の場合、システムの初期"
+"値を使います。"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr "sssd-krb5"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-krb5.5.xml:17
+msgid "SSSD Kerberos provider"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+"このマニュアルは <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> に対する Kerberos 5 認証バックエンド"
+"の設定を説明しています。詳細な構文の参考資料は、<citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> マニュアルページの <quote>ファイル形式</quote> セクションを参照"
+"してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with an identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+"Kerberos 5 認証バックエンドは認証プロバイダーおよびパスワード変更プロバイダー"
+"を含みます。正しく機能するためには識別プロダイバーと組み合わせて使用する必要"
+"があります (たとえば、id_provider = ldap)。Kerberos 5 認証バックエンドにより"
+"必要とされるいくつかの情報は、ユーザーの Kerberos プリンシパル名 (UPN) のよう"
+"な、識別プロバイダーにより提供される必要があります。識別プロバイダーの設定は "
+"UPN を指定するためのエントリーがある必要があります。これを設定する方法に関す"
+"る詳細は適用可能な識別プロバイダーのマニュアルページを参照してください。"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature, use 'access_provider = krb5' in your SSSD "
+"configuration."
+msgstr ""
+"このバックエンドは、ユーザーのホームディレクトリーにある .k5login ファイルに"
+"基づいたアクセス制御を提供します。詳細は <citerefentry> <refentrytitle>."
+"k5login</refentrytitle><manvolnum>5</manvolnum> </citerefentry> を参照してく"
+"ださい。空の .k5login ファイルがあると、このユーザーに対するすべてのアクセス"
+"が拒否されます。この機能を有効にするには、SSSD 設定において 'access_provider "
+"= krb5' を使用します。"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend, "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+"UPN が識別バックエンド <command>sssd</command> において利用できない場合は、形"
+"式 <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable> "
+"を使用して UPN を構築します。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect, in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled; for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"SSSD が接続したい AD サーバー(優先順)の IP アドレスまたはホスト名のカンマ区"
+"切り一覧を指定します。フェールオーバーおよびサーバー冗長化に関する詳細は "
+"<quote>FAILOVER</quote> セクションを参照してください。ポート番号(コロンの後"
+"ろ)をオプションとして、アドレスやホスト名の後ろに付けることもできます。これ"
+"が無ければ、サービス探索が有効になっています。詳細は <quote>サービス探索</"
+"quote> のセクションを参照してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr "Kerberos レルムの名前です。このオプションは指定する必要があります。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+msgstr "krb5_kpasswd, krb5_backup_kpasswd (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC, alternative "
+"servers can be defined here. An optional port number (preceded by a colon) "
+"may be appended to the addresses or hostnames."
+msgstr ""
+"パスワード変更サービスが KDC において実行されていなければ、代替サーバーがここ"
+"で指定できます。オプションのポート番号が(コロンに続けて)アドレスまたはホス"
+"ト名に追加できます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
+"servers to try, the backend is not switched to operate offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+"フェイルオーバーとサーバー冗長性に関する詳細は、<quote>フェイルオーバー</"
+"quote>のセクションを参照してください。注:KDC に対する認証がまだ可能であるな"
+"らば、たとえすべての kpasswd サーバーがなかったとしても、バックエンドをオフラ"
+"インに切り替えないことに注意してください。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr "初期値: KDC を使用します"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr "krb5_ccachedir (文字列)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. The directory "
+"is created as private and owned by the user, with permissions set to 0700."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:145
+msgid "Default: /tmp"
+msgstr "初期値: /tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:151
+msgid "krb5_ccname_template (string)"
+msgstr "krb5_ccname_template (文字列)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+msgid "%u"
+msgstr "%u"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+msgid "login name"
+msgstr "ログイン名"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+msgid "%U"
+msgstr "%U"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:170
+msgid "login UID"
+msgstr "ログイン UID"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:173
+msgid "%p"
+msgstr "%p"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:174
+msgid "principal name"
+msgstr "プリンシパル名"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:178
+msgid "%r"
+msgstr "%r"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:179
+msgid "realm name"
+msgstr "レルム名"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:182
+msgid "%h"
+msgstr "%h"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+msgid "home directory"
+msgstr "ホームディレクトリー"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+msgid "%d"
+msgstr "%d"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:188
+msgid "value of krb5_ccachedir"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+msgid "%P"
+msgstr "%P"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:194
+msgid "the process ID of the SSSD client"
+msgstr "SSSD クライアントのプロセス ID"
+
+#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+msgid "%%"
+msgstr "%%"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+msgid "a literal '%'"
+msgstr "文字 '%'"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:154
+msgid ""
+"Location of the user's credential cache. Three credential cache types are "
+"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
+"<quote>KEYRING:persistent</quote>. The cache can be specified either as "
+"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
+"implies the <quote>FILE</quote> type. In the template, the following "
+"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
+"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+"filename in a safe way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:208
+msgid ""
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
+"persistent:%U</quote>, which uses the Linux kernel keyring to store "
+"credentials on a per-UID basis. This is also the recommended choice, as it "
+"is the most secure and predictable method."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:216
+msgid ""
+"The default value for the credential cache name is sourced from the profile "
+"stored in the system wide krb5.conf configuration file in the [libdefaults] "
+"section. The option name is default_ccache_name. See krb5.conf(5)'s "
+"PARAMETER EXPANSION paragraph for additional information on the expansion "
+"format defined by krb5.conf."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:225
+msgid ""
+"NOTE: Please be aware that libkrb5 ccache expansion template from "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> uses different expansion sequences than SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:234
+msgid "Default: (from libkrb5)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:240
+msgid "krb5_auth_timeout (integer)"
+msgstr "krb5_auth_timeout (整数)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:243
+msgid ""
+"Timeout in seconds after an online authentication request or change password "
+"request is aborted. If possible, the authentication request is continued "
+"offline."
+msgstr ""
+"オンライン認証またはパスワード変更要求が中止された後の秒単位のタイムアウトで"
+"す。可能ならば、認証要求がオフラインで継続されます。"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr "krb5_validate (論理値)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed. The keytab is checked for entries sequentially, and the first entry "
+"with a matching realm is used for validation. If no entry matches the realm, "
+"the last entry in the keytab is used. This process can be used to validate "
+"environments using cross-realm trust by placing the appropriate keytab entry "
+"as the last entry or the only entry in the keytab file."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" +"KDC から取得したクレディンシャルを検証するときに使用されるキーテーブルの場所" +"です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "初期値: /etc/krb5.keytab" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (論理値)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "秒は <emphasis>s</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "分は <emphasis>m</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "時間は <emphasis>h</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "日は <emphasis>d</emphasis>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" +"注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に" +"指定したい場合、'1h30m' の代わりに '90m' を使用します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "初期値: 設定されません、つまり TGT は更新可能ではありません" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "単位が指定されていないと、<emphasis>s</emphasis> と仮定されます。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" +"注: 単位を混在できないことに注意してください。更新可能な生存期間を1時間30分に" +"指定したい場合、'1h30m' の代わりに '90m' を使用してください。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" +"初期値: 設定されません、つまり KDC において設定されているチケット有効期間の初" +"期値です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" +"このオプションが設定されていない場合、または 0 に設定されている場合、自動更新" +"は無効になります。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" +"Kerberos の事前認証のために flexible authentication secure tunneling (FAST) " +"を有効化します。以下のオプションがサポートされます:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" +"<emphasis>never</emphasis> は FAST を使用します。このオプションを何も設定しな" +"いことと同等です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" +"<emphasis>try</emphasis> は FAST を使用します。サーバーが FAST をサポートして" +"いなければ、FAST を使用せずに認証を続行します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" +"<emphasis>demand</emphasis> は FAST を使用します。サーバーが FAST を要求しな" +"ければ、認証が失敗します。" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "初期値: 設定されません、つまり FAST が使用されません。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "注: キーテーブルは FAST を使用する必要があります。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" +"注: SSSD は MIT Kerberos バージョン 1.8 およびそれ以降のみで FAST をサポート" +"します。SSSD が古いバージョンの MIT Kerberos を使用している場合、このオプショ" +"ンを使用すると設定エラーになります。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "FAST に対して使用するサーバープリンシパルを指定します。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" +"ホストとユーザーのプリンシパルが正規化されるかどうかを指定します。この機能は " +"MIT Kerberos 1.7 およびそれ以降で利用可能です。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (論理値)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" +"ユーザープリンシパルをエンタープライズプリンシパルとして取り扱うかどうかを指" +"定します。エンタープライズプリンシパルの詳細は RFC 6806 のセクション 5 を参照" +"してください。" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"認証モジュール krb5 が SSSD ドメインにおいて使用されていると、以下のオプショ" +"ンを使用する必要があります。 SSSD ドメインの設定における詳細は " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> マニュアルページの <quote>ドメインセクション</" +"quote> を参照してください。 <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" +"以下の例は、SSSD が正しく設定され、FOO が <replaceable>[sssd]</replaceable> " +"セクションにあるドメインの 1 つであると仮定しています。この例は Kerberos 認証" +"の設定のみを示し、識別プロバイダーを何も含みません。" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "sss_groupadd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "新しいグループを作成する" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" +"<command>sss_groupadd</command> が新しいグループを作成します。これらのグルー" +"プは POSIX グループと互換性があり、他のグループをメンバーとして含められる追加" +"機能と互換性があります。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" +"グループの GID を <replaceable>GID</replaceable> の値に設定します。与えられな" +"いと、自動的に選択されます。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "sss_userdel" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "ユーザーアカウントを削除する" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." +msgstr "" +"<command>sss_userdel</command> はログイン名 <replaceable>LOGIN</replaceable> " +"により識別されるユーザーをシステムから削除します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "<option>-r</option>,<option>--remove</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" +"ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクト" +"リーとユーザーのメールスプールとともに削除されます。設定が上書きされます。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "<option>-R</option>,<option>--no-remove</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" +"ユーザーのホームディレクトリーにあるファイルは、それ自身のホームディレクト" +"リーとユーザーのメールスプールとともに削除されません。設定が上書きされます。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "<option>-f</option>,<option>--force</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" +"このオプションは、指定されたユーザーにより所有されていないものさえ、" +"<command>sss_userdel</command> がユーザーのホームディレクトリーとメールスプー" +"ルを削除するよう強制します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "<option>-k</option>,<option>--kick</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "実際にユーザーを削除する前に、そのプロセスをすべて停止します。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "グループを削除する" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" +"<command>sss_groupdel</command> は名前 <replaceable>GROUP</replaceable> によ" +"り識別されるグループをシステムから削除します。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "グループのプロパティーを表示します" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." 
+msgstr "" +"<command>sss_groupshow</command> はその名前 <replaceable>GROUP</replaceable> " +"により識別されるグループに関する情報を表示します。情報はグループ ID 番号、グ" +"ループのメンバーおよび親グループを含みます。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" +"ツリー階層形式で間接的なグループメンバーも表示します。これは親グループの表示" +"にも影響を与えることに注意してください - <option>R</option> を指定しないと、" +"直接の親のみが表示されます。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "ユーザーアカウントを修正します" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." 
+msgstr "" +"<command>sss_usermod</command> は、コマンドラインにおいて指定された変更を反映" +"するために、 <replaceable>LOGIN</replaceable> により指定されたアカウントを変" +"更します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "ユーザーアカウントのホームディレクトリーです。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "ユーザーのログインシェルです。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"このユーザーを <replaceable>GROUPS</replaceable> パラメーターにより指定された" +"グループに追加します。 <replaceable>GROUPS</replaceable> パラメーターはグルー" +"プ名のカンマ区切り一覧です。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "<replaceable>GROUPS</replaceable> " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "ユーザーアカウントをロックします。ユーザーはログインできなくなります。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "ユーザーアカウントのロックを解除します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "ユーザーのログインのための SELinux ユーザーです。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "sss_cache" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "キャッシュクリーンアップを実行する" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "<option>-E</option>,<option>--everything</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "特定のユーザーを無効にします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" +"すべてのユーザーレコードを無効にします。このオプションも設定されていると、こ" +"れが特定のユーザーの無効化を上書きします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "特定のグループを無効にします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "<option>-G</option>,<option>--groups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" +"すべてのグループレコードを無効にします。このオプションも設定されていると、こ" +"れが特定のグループの無効化を上書きします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "特定のネットワークグループを無効にします。" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "<option>-N</option>,<option>--netgroups</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" +"すべてのネットワークグループレコードを無効にします。このオプションが設定され" +"ていると、これが特定のネットワークグループの無効化を上書きします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "特定のサービスを無効化します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "<option>-S</option>,<option>--services</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" +"すべてのサービスレコードを無効にします。このオプションも設定されていると、こ" +"れが特定のサービスの無効化を上書きします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "特定の autofs マップを無効化します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "<option>-A</option>,<option>--autofs-maps</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" +"すべての autofs マップを無効化します。このオプションは特定のマップが設定され" +"ていても、その無効化を上書きします。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "無効化プロセスを特定のドメインのみに制限します。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "sss_debuglevel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "sss_seed" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. 
The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "ユーザーの UID を <replaceable>UID</replaceable> に設定します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "ユーザーの GID を <replaceable>GID</replaceable> に設定します。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" +"ユーザーのホームディレクトリーを <replaceable>HOME_DIR</replaceable> に設定し" +"ます。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "関連項目" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "sss_ssh_authorizedkeys" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "1" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "OpenSSH 認可キーを取得する" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" +"<command>sss_ssh_authorizedkeys</command> はユーザー <replaceable>USER</" +"replaceable> の SSH 公開鍵を取得して、 OpenSSH authorized_keys 形式に出力しま" +"す (詳細は <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> の <quote>AUTHORIZED_KEYS FILE FORMAT</quote> セク" +"ションを参照してください)。" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +#, fuzzy +#| msgid "client_idle_timeout" +msgid "p11_child_timeout" +msgstr "client_idle_timeout" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +#, fuzzy +#| msgid "" +#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +#| "manvolnum> </citerefentry> manual page for more details." +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" +"詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> マニュアルページにある " +"<quote>dns_discovery_domain</quote> パラメーターを参照してください。" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. 
When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" +"SSSD ドメイン <replaceable>DOMAIN</replaceable> にあるユーザーの公開鍵を検索" +"します。" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "終了コード" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "sss_ssh_knownhostsproxy" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "OpenSSH ホストキーを取得します" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" +"<replaceable>PROXY_COMMAND</replaceable> が指定されていると、ソケットを開く代" +"わりにホストへの接続を作成するために使用されます。" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> は <citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> 設定に対して以下のディレクティブを使" +"用することにより、ホストキー認証に <command>sss_ssh_knownhostsproxy</" +"command> を使用するために設定できます: <placeholder type=\"programlisting\" " +"id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" +"ホストに接続するためにポート <replaceable>PORT</replaceable> を使用します。初" +"期値ではポート 22 が使用されます。" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" +"SSSD ドメイン <replaceable>DOMAIN</replaceable> においてホスト公開鍵を検索し" +"ます。" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +#, fuzzy +#| msgid "<option>-U</option>,<option>--users</option>" +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "<option>-U</option>,<option>--users</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +#, fuzzy +#| msgid "" +#| "Search for host public keys in SSSD domain <replaceable>DOMAIN</" +#| "replaceable>." +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" +"SSSD ドメイン <replaceable>DOMAIN</replaceable> においてホスト公開鍵を検索し" +"ます。" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +#, fuzzy +#| msgid "ldap_access_filter (string)" +msgid "passwd_files (string)" +msgstr "ldap_access_filter (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +#, fuzzy +#| msgid "Default: password" +msgid "Default: /etc/passwd" +msgstr "初期値: password" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +#, fuzzy +#| msgid "ldap_netgroup_triple (string)" +msgid "group_files (string)" +msgstr "ldap_netgroup_triple (文字列)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +#, fuzzy +#| msgid "Default: nisNetgroup" +msgid "Default: /etc/group" +msgstr "初期値: nisNetgroup" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +#, fuzzy +#| msgid "" +#| "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +#| "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +#| "citerefentry> manual page for details on the configuration of an SSSD " +#| "domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"SSSD ドメインの設定に関する詳細は <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> マニュアルページの " +"<quote>ドメインセクション</quote> のセクションを参照してください。 " +"<placeholder type=\"variablelist\" id=\"0\"/>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "サービス探索" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "設定" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" +"何もサーバーが指定されていなければ、バックエンドがサーバーを見つけようとする" +"ために、サービス探索を自動的に使用します。オプションとして、サーバーの一覧に" +"特別なキーワード <quote>_srv_</quote> を挿入することにより、ユーザーが固定" +"サーバーアドレスおよびサービス探索のどちらも使用することを選択できます。これ" +"は設定の順番が維持されます。たとえば、ユーザーができる限りサービス探索を使用" +"し、DNS を使用してサーバーを探索できないときに特定のサーバーにフォールバック" +"したい場合、この機能は有用です。" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "ドメイン名" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" +"詳細は <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> マニュアルページにある " +"<quote>dns_discovery_domain</quote> パラメーターを参照してください。" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "プロトコル" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" +"問い合わせは通常プロトコルとして _tcp を指定します。その他はそれぞれのオプ" +"ションの説明にドキュメント化されています。" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "関連項目" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "サービス検索メカニズムに関する詳細は RFC 2782 を参照してください。" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "フェイルオーバー" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "フェイルオーバーの構文" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" +"サーバーの一覧がカンマ区切り一覧として与えられます。カンマの前後で空白はいく" +"つでも許されます。サーバーは性能の順番で一覧化されます。一覧はサーバーをいく" +"つでも含められます。" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "フェイルオーバーのメカニズム" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. 
The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "ID マッピング" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "マッピング・アルゴリズム" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). 
In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "最小の設定 (<quote>[domain/DOMAINNAME]</quote> セクションにおいて):" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "高度な設定" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "ldap_idmap_range_min (整数)" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" +"Active Directory ユーザーとグループの SID をマッピングするために使用する " +"POSIX ID の範囲の下限を指定します。" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "初期値: 200000" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "ldap_idmap_range_max (整数)" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" +"Active Directory ユーザーとグループ SID をマッピングするために使用する POSIX " +"ID の範囲の上限を指定します。" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "初期値: 2000200000" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "ldap_idmap_range_size (整数)" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" +"各スライスに利用可能な ID 番号を指定します。範囲の大きさが最小値、最大値の中" +"にうまく分けられなければ、できる限り多くの完全なスライスとして作成されます。" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "ldap_idmap_default_domain_sid (文字列)" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "ldap_idmap_default_domain (文字列)" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "初期ドメインの名前を指定します。" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "ldap_idmap_autorid_compat (論理値)" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" +"winbind の <quote>idmap_autorid</quote> アルゴリズムとより同じように振る舞う" +"ために ID マッピングのアルゴリズムの振る舞いを変更します。" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" +"このオプションが設定されるとき、ドメインはスライス 0 から始まり、各追加ドメイ" +"ンに単原子的に増加するよう割り当てられます。" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" +"注記: このアルゴリズムは非決定的です (ユーザーとグループが要求された順番に依" +"存します)。このモードはマシンが実行中の winbind と互換性が必要ならば、少なく" +"とも一つのドメインが一貫してスライス 0 に割り当てられることを保証するために、" +"<quote>ldap_idmap_default_domain_sid</quote> オプションも使用することが推奨さ" +"れます。" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "<option>-?</option>,<option>--help</option>" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "ヘルプメッセージを表示して終了します。" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "<option>-h</option>,<option>--help</option>" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. 
Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "現在サポートされるデバッグレベル:" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" +"<emphasis>例</emphasis>: 致命的なエラー、重大なエラー、深刻なエラーおよび関数" +"データをログに取得するには 0x0270 を使用します。" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" +"<emphasis>例</emphasis>: 致命的なエラー、設定値の設定、関数データ、内部制御関" +"数のトレースメッセージをログに取得するには 0x1310 を使用します。" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "ローカルドメイン" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. 
The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" 
+"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" +"オプションのベース DN。この属性の種別に対する LDAP 検索を制限する、検索範囲お" +"よび LDAP フィルター。" + +#. 
type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "構文: <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "override_homedir (文字列)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "UID 番号" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "ドメイン名" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "%f" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "完全修飾ユーザー名 (user@domain)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "%o" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. 
You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"ユーザーのホームディレクトリーを上書きします。絶対パスまたはテンプレートを提" +"供できます。テンプレートでは、以下のシーケンスが置換されます: <placeholder " +"type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" +"override_homedir = /home/%u\n" +" " + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "初期値: 設定なし (SSSD は LDAP から取得された値を使用します)" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" + +#~ msgid "" +#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax " +#~ "(?P<name>) to label subpatterns." +#~ msgstr "" +#~ "関連注記: 古いバージョンの libpcre はサブパターンをラベル付けするために " +#~ "Python 構文 (?P<name>) のみをサポートします。" diff --git a/src/man/po/lv.po b/src/man/po/lv.po new file mode 100644 index 0000000..6474cdc --- /dev/null +++ b/src/man/po/lv.po 
@@ -0,0 +1,15623 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# +# Translators: +# Kristaps, 2012 +# Kristaps, 2012 +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.1\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: 2014-12-15 12:00+0000\n" +"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" +"Language-Team: Latvian (http://www.transifex.com/projects/p/sssd/language/" +"lv/)\n" +"Language: lv\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n != 0 ? 1 : " +"2);\n" +"X-Generator: Zanata 4.4.5\n" + +#. type: Content of: <reference><title> +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 +#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 +#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 +#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "APRAKSTS" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "IESPĒJAS" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "noildze (vesels skaitlis)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Noklusējuma: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "pakalpojumi" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "domēni" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "Noklusējuma: 60" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "Noklusējuma: 300" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "Noklusējuma: 15" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +#, fuzzy +#| msgid "Default: 86400 (24 hours)" +msgid "Default: 14400 (4 hours)" +msgstr "Noklusējuma: 86400 (24 stundas)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "Noklusējuma: 0 (bez ierobežojuma)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "Noklusējuma: 1" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. 
Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +#, fuzzy +#| msgid "Default: 1" +msgid "Default:" +msgstr "Noklusējuma: 1" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. 
The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. 
The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "Noklusējuma: 0 (neierobežots)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr "Noklusējuma: <quote>atļaut</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. 
Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. 
Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Noklusējuma: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "Atbalstītās vērtības:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "Noklusējuma: 6"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. 
However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. 
In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Noklusējuma: <filename>/bin/bash</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Noklusējuma: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Noklusējuma: <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Noklusējuma: <filename>/var/mail</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr "sssd-ldap"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr "KONFIGURĒŠANAS IESPĒJAS"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). 
This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "Noklusējuma: rfc2307" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "Divi pašlaik atbalstītie mehānismi ir:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "parole" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "Noklusējuma: posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "Noklusējuma: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "Noklusējuma: shadowMax" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. 
SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "Noklusējuma: posixGroup" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. 
This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1669
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1679
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1682
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1691
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1694
+msgid ""
+"Specifies acceptable cipher suites. Typically this is a colon separated "
+"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1707
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1710
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1720
+msgid "ldap_id_mapping (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1723
+msgid ""
+"Specifies that SSSD should attempt to map user and group IDs from the "
+"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+"on ldap_user_uid_number and ldap_group_gid_number."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1729
+msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1739
+msgid "ldap_min_id, ldap_max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1742
+msgid ""
+"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+"set to true the allowed ID range for ldap_user_uid_number and "
+"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
+"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
+"can be set to restrict the allowed range for the IDs which are read directly "
+"from the server. Sub-domains can then pick other ranges to map IDs."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1754
+msgid "Default: not set (both options are set to 0)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1760
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1763
+msgid ""
+"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1773
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ldap.5.xml:1784
+#, no-wrap
+msgid ""
+"hostname@REALM\n"
+"netbiosname$@REALM\n"
+"host/hostname@REALM\n"
+"*$@REALM\n"
+"host/*@REALM\n"
+"host/*\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1776
+msgid ""
+"Specify the SASL authorization id to use. When GSSAPI is used, this "
+"represents the Kerberos principal used for authentication to the directory. "
+"This option can either contain the full principal (for example host/"
+"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By "
+"default, the value is not set and the following principals are used: "
+"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, "
+"the first principal in keytab is returned."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1795
+msgid "Default: host/hostname@REALM"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1801
+msgid "ldap_sasl_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1804
+msgid ""
+"Specify the SASL realm to use. When not specified, this option defaults to "
+"the value of krb5_realm. If the ldap_sasl_authid contains the realm as "
+"well, this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1810
+msgid "Default: the value of krb5_realm."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1816
+msgid "ldap_sasl_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1819
+msgid ""
+"If set to true, the LDAP library would perform a reverse lookup to "
+"canonicalize the host name during a SASL bind."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1824
+msgid "Default: false;"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1830
+msgid "ldap_krb5_keytab (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1833
+msgid "Specify the keytab to use when using SASL/GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1836
+msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1842
+msgid "ldap_krb5_init_creds (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1845
+msgid ""
+"Specifies that the id_provider should init Kerberos credentials (TGT). This "
+"action is performed only if SASL is used and the mechanism selected is "
+"GSSAPI."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1857
+msgid "ldap_krb5_ticket_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1860
+msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937
+msgid "Default: 86400 (24 hours)"
+msgstr "Noklusējuma: 86400 (24 stundas)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74
+msgid "krb5_server, krb5_backup_server (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1873
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled - for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89
+msgid ""
+"When using service discovery for KDC or kpasswd servers, SSSD first searches "
+"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
+"none are found."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94
+msgid ""
+"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
+"While the legacy name is recognized for the time being, users are advised to "
+"migrate their config files to use <quote>krb5_server</quote> instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
+msgid "krb5_realm (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1902
+msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1905
+msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462
+msgid "krb5_canonicalize (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1914
+msgid ""
+"Specifies if the host principal should be canonicalized when connecting to "
+"LDAP server. This feature is available with MIT Kerberos >= 1.7"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477
+msgid "krb5_use_kdcinfo (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480
+msgid ""
+"Specifies if the SSSD should instruct the Kerberos libraries what realm and "
+"which KDCs to use. This option is on by default, if you disable it, you need "
+"to configure the Kerberos library using the <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> configuration file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491
+msgid ""
+"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
+"information on the locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1954
+msgid "ldap_pwd_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1957
+msgid ""
+"Select the policy to evaluate the password expiration on the client side. "
+"The following values are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1962
+msgid ""
+"<emphasis>none</emphasis> - No evaluation on the client side. This option "
+"cannot disable server-side password policies."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1967
+msgid ""
+"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
+"evaluate if the password has expired."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1973
+msgid ""
+"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
+"to determine if the password has expired. Use chpass_provider=krb5 to update "
+"these attributes when the password is changed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1982
+msgid ""
+"<emphasis>Note</emphasis>: if a password policy is configured on server "
+"side, it always takes precedence over policy set with this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1990
+msgid "ldap_referrals (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1993
+msgid "Specifies whether automatic referral chasing should be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1997
+msgid ""
+"Please note that sssd only supports referral chasing when it is compiled "
+"with OpenLDAP version 2.4.13 or higher."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2002
+msgid ""
+"Chasing referrals may incur a performance penalty in environments that use "
+"them heavily, a notable example is Microsoft Active Directory. 
If your setup "
+"does not in fact require the use of referrals, setting this option to false "
+"might bring a noticeable performance improvement."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2016
+msgid "ldap_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2019
+msgid "Specifies the service name to use when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2023
+msgid "Default: ldap"
+msgstr "Noklusējuma: ldap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2029
+msgid "ldap_chpass_dns_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2032
+msgid ""
+"Specifies the service name to use to find an LDAP server which allows "
+"password changes when service discovery is enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2037
+msgid "Default: not set, i.e. service discovery is disabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2043
+msgid "ldap_chpass_update_last_change (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2046
+msgid ""
+"Specifies whether to update the ldap_user_shadow_last_change attribute with "
+"days since the Epoch after a password change operation."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2058
+msgid "ldap_access_filter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2061
+msgid ""
+"If using access_provider = ldap and ldap_access_order = filter (default), "
+"this option is mandatory. It specifies an LDAP search filter criteria that "
+"must be met for the user to be granted access on this host. If "
+"access_provider = ldap, ldap_access_order = filter and this option is not "
+"set, it will result in all users being denied access. Use access_provider = "
+"permit to change this default behavior. Please note that this filter is "
+"applied on the LDAP user entry only and thus filtering based on nested "
+"groups may not work (e.g. memberOf attribute on AD entries points only to "
+"direct parents). If filtering based on nested groups is required, please see "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2081
+msgid "Example:"
+msgstr "Piemērs:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ldap.5.xml:2084
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_filter = (employeeType=admin)\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2088
+msgid ""
+"This example means that access to this host is restricted to users whose "
+"employeeType attribute is set to \"admin\"."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2093
+msgid ""
+"Offline caching for this feature is limited to determining whether the "
+"user's last online login was granted access permission. If they were granted "
+"access during their last login, they will continue to be granted access "
+"while offline and vice versa."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158
+msgid "Default: Empty"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2107
+msgid "ldap_account_expire_policy (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2110
+msgid ""
+"With this option a client side evaluation of access control attributes can "
+"be enabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2114
+msgid ""
+"Please note that it is always recommended to use server side access control, "
+"i.e. the LDAP server should deny the bind request with a suitable error code "
+"even if the password is correct."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2121
+msgid "The following values are allowed:"
+msgstr "Atļautas šādas vērtības:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2124
+msgid ""
+"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
+"determine if the account is expired."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2129
+msgid ""
+"<emphasis>ad</emphasis>: use the value of the 32bit field "
+"ldap_user_ad_user_account_control and allow access if the second bit is not "
+"set. If the attribute is missing access is granted. Also the expiration time "
+"of the account is checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2136
+msgid ""
+"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
+"emphasis>: use the value of ldap_ns_account_lock to check if access is "
+"allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2142
+msgid ""
+"<emphasis>nds</emphasis>: the values of "
+"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
+"ldap_user_nds_login_expiration_time are used to check if access is allowed. "
+"If both attributes are missing access is granted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2151
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>expire</quote> in order for the "
+"ldap_account_expire_policy option to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2164
+msgid "ldap_access_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2167
+msgid "Comma separated list of access control options. Allowed values are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2171
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2174
+msgid ""
+"<emphasis>lockout</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. "
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2184
+msgid ""
+"<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+"quote> option and might be removed in a future release. </emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2191
+msgid ""
+"<emphasis>ppolicy</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z' or represents any time in the past. The "
+"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
+"denotes the UTC time zone. Other time zones are not currently supported and "
+"will result in \"access-denied\" when users attempt to log in. Please see "
+"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' "
+"must be set for this feature to work."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2208
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2212
+msgid ""
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+"pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+"interested in being warned that password is about to expire and "
+"authentication is based on using a different method than passwords - for "
+"example SSH keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2222
+msgid ""
+"The difference between these options is the action taken if user password is "
+"expired: pwd_expire_policy_reject - user is denied to log in, "
+"pwd_expire_policy_warn - user is still able to log in, "
+"pwd_expire_policy_renew - user is prompted to change his password "
+"immediately."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2230
+msgid ""
+"Note If user password is expired no explicit message is prompted by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2234
+msgid ""
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2239
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2244
+msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2248
+msgid ""
+"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+"remote host can access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2252
+msgid ""
+"Please note, rhost field in pam is set by application, it is better to check "
+"what the application sends to pam, before enabling this access control option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2257
+msgid "Default: filter"
+msgstr "Noklusējuma: filtrēt"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2260
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2267
+msgid "ldap_pwdlockout_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2270
+msgid ""
+"This option specifies the DN of password policy entry on LDAP server. Please "
+"note that absence of this option in sssd.conf in case of enabled account "
+"lockout checking will yield access denied as ppolicy attributes on LDAP "
+"server cannot be checked properly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2278
+msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2281
+msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2287
+msgid "ldap_deref (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2290
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2295
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2299
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2304
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2309
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2314
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2322
+msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2325
+msgid ""
+"Allows to retain local users as members of an LDAP group for servers that "
+"use the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2329
+msgid ""
+"In some environments where the RFC2307 schema is used, local users are made "
+"members of LDAP groups by adding their names to the memberUid attribute. "
+"The self-consistency of the domain is compromised when this is done, so SSSD "
+"would normally remove the \"missing\" users from the cached group "
+"memberships as soon as nsswitch tries to fetch information about the user "
+"via getpw*() or initgroups() calls."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2340
+msgid ""
+"This option falls back to checking if local users are referenced, and caches "
+"them so that later initgroups() calls will augment the local users with the "
+"additional LDAP groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136
+msgid "wildcard_limit (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2355
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2359
+msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2363
+msgid "Default: 1000 (often the size of one page)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2373
+msgid "SUDO OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2375
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2386
+msgid "ldap_sudorule_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2389
+msgid "The object class of a sudo rule entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2392
+msgid "Default: sudoRole"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2398
+msgid "ldap_sudorule_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2401
+msgid "The LDAP attribute that corresponds to the sudo rule name."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2411
+msgid "ldap_sudorule_command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2414
+msgid "The LDAP attribute that corresponds to the command name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2418
+msgid "Default: sudoCommand"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2424
+msgid "ldap_sudorule_host (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2427
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2432
+msgid "Default: sudoHost"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2438
+msgid "ldap_sudorule_user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2441
+msgid ""
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2445
+msgid "Default: sudoUser"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2451
+msgid "ldap_sudorule_option (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2454
+msgid "The LDAP attribute that corresponds to the sudo options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2458
+msgid "Default: sudoOption"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2464
+msgid "ldap_sudorule_runasuser (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2467
+msgid ""
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2471
+msgid "Default: sudoRunAsUser"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2477
+msgid "ldap_sudorule_runasgroup (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2480
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2484
+msgid "Default: sudoRunAsGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2490
+msgid "ldap_sudorule_notbefore (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2493
+msgid ""
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2497
+msgid "Default: sudoNotBefore"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2503
+msgid "ldap_sudorule_notafter (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2506
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2511
+msgid "Default: sudoNotAfter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2517
+msgid "ldap_sudorule_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2520
+msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2524
+msgid "Default: sudoOrder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2530
+msgid "ldap_sudo_full_refresh_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2533
+msgid ""
+"How many seconds SSSD will wait between executing a full refresh of sudo "
+"rules (which downloads all rules that are stored on the server)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2538
+msgid ""
+"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2543
+msgid "Default: 21600 (6 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2549
+msgid "ldap_sudo_smart_refresh_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2552
+msgid ""
+"How many seconds SSSD has to wait before executing a smart refresh of sudo "
+"rules (which downloads all rules that have USN higher than the highest USN "
+"of cached rules)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2558
+msgid ""
+"If USN attributes are not supported by the server, the modifyTimestamp "
+"attribute is used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2568
+msgid "ldap_sudo_use_host_filter (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2571
+msgid ""
+"If true, SSSD will download only rules that are applicable to this machine "
+"(using the IPv4 or IPv6 host/network addresses and hostnames)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2582
+msgid "ldap_sudo_hostnames (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2585
+msgid ""
+"Space separated list of hostnames or fully qualified domain names that "
+"should be used to filter the rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2590
+msgid ""
+"If this option is empty, SSSD will try to discover the hostname and the "
+"fully qualified domain name automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636
+#: sssd-ldap.5.xml:2654
+msgid ""
+"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+"emphasis> then this option has no effect."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623
+msgid "Default: not specified"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2606
+msgid "ldap_sudo_ip (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2609
+msgid ""
+"Space separated list of IPv4 or IPv6 host/network addresses that should be "
+"used to filter the rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2614
+msgid ""
+"If this option is empty, SSSD will try to discover the addresses "
+"automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2629
+msgid "ldap_sudo_include_netgroups (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2632
+msgid ""
+"If true then SSSD will download every rule that contains a netgroup in "
+"sudoHost attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2647
+msgid "ldap_sudo_include_regexp (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2650
+msgid ""
+"If true then SSSD will download every rule that contains a wildcard in "
+"sudoHost attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2666
+msgid ""
+"This manual page only describes attribute name mapping. For detailed "
+"explanation of sudo related attribute semantics, see <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2676
+msgid "AUTOFS OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2678
+msgid ""
+"Some of the defaults for the parameters below are dependent on the LDAP "
+"schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2684
+msgid "ldap_autofs_map_master_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2687
+msgid "The name of the automount master map in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2690
+msgid "Default: auto.master"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2697
+msgid "ldap_autofs_map_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2700
+msgid "The object class of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "PAPLAŠINĀTĀS IESPĒJAS"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "PIEMĒRS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "PIEZĪMES"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. 
" +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "sssd-simple" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. 
(<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. 
The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. 
Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. 
the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. 
attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "sssd-ipa" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. 
If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. 
" +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. 
The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. 
" +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. 
It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_override.8.xml:16
+msgid "create local overrides of user and group attributes"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_override.8.xml:21
+msgid ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:32
+msgid ""
+"<command>sss_override</command> enables to create a client-side view and "
+"allows to change selected values of specific user and groups. This change "
+"takes effect only on local machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:37
+msgid ""
+"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
+"local overrides are lost. Please note that after the first override is "
+"created using any of the following <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
+"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
+"take effect. <emphasis>sss_override</emphasis> prints message when a "
+"restart is required."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:50 sssctl.8.xml:41
+msgid "AVAILABLE COMMANDS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:52
+msgid ""
+"Argument <emphasis>NAME</emphasis> is the name of original object in all "
+"commands. It is not possible to override <emphasis>uid</emphasis> or "
+"<emphasis>gid</emphasis> to 0."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:59
+msgid ""
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
+"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
+"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+"CERTIFICATE</optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:72
+msgid ""
+"Override attributes of an user. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:80
+msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:85
+msgid ""
+"Remove user overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:94
+msgid ""
+"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:99
+msgid ""
+"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
+"is set, only users from the domain are listed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:107
+msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:112
+msgid "Show user overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:118
+msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:123
+msgid ""
+"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard passwd file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:128
+msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:131
+msgid ""
+"where original_name is original name of the user whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:140
+msgid "ckent:superman::::::"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:143
+msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:149
+msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:154
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>user-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:162
+msgid ""
+"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:169
+msgid ""
+"Override attributes of a group. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:177
+msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:182
+msgid ""
+"Remove group overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:191
+msgid ""
+"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:196
+msgid ""
+"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
+"parameter is set, only groups from the domain are listed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr "create a new user"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. 
The default is currently <filename>/bin/bash</"
+"filename>. The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"Special files (block devices, character devices, named pipes and unix "
+"sockets) will not be copied."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:147
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:161
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr "sssd-krb5"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-krb5.5.xml:17
+msgid "SSSD Kerberos provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with an identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:47
+msgid ""
+"This backend also provides access control based on the .k5login file in the "
+"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
+"Please note that an empty .k5login file will deny all access to this user. "
+"To activate this feature, use 'access_provider = krb5' in your SSSD "
+"configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:55
+msgid ""
+"In the case where the UPN is not available in the identity backend, "
+"<command>sssd</command> will construct a UPN using the format "
+"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect, in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled; for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC, alternative "
+"servers can be defined here. An optional port number (preceded by a colon) "
+"may be appended to the addresses or hostnames."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
+"servers to try, the backend is not switched to operate offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. The directory "
+"is created as private and owned by the user, with permissions set to 0700."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:145
+msgid "Default: /tmp"
+msgstr "Noklusējuma: / tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:151
+msgid "krb5_ccname_template (string)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+msgid "%u"
+msgstr "%u"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+msgid "login name"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+msgid "%U"
+msgstr "%U"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:170
+msgid "login UID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:173
+msgid "%p"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:174
+msgid "principal name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:178
+msgid "%r"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:179
+msgid "realm name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:182
+msgid "%h"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+msgid "home directory"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+msgid "%d"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:188
+msgid "value of krb5_ccachedir"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+msgid "%P"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:194
+msgid "the process ID of the SSSD client"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+msgid "%%"
+msgstr ""
+
+#.
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+msgid "a literal '%'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:154
+msgid ""
+"Location of the user's credential cache. Three credential cache types are "
+"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
+"<quote>KEYRING:persistent</quote>. The cache can be specified either as "
+"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
+"implies the <quote>FILE</quote> type. In the template, the following "
+"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
+"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+"filename in a safe way."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:208
+msgid ""
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
+"persistent:%U</quote>, which uses the Linux kernel keyring to store "
+"credentials on a per-UID basis. This is also the recommended choice, as it "
+"is the most secure and predictable method."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:216
+msgid ""
+"The default value for the credential cache name is sourced from the profile "
+"stored in the system wide krb5.conf configuration file in the [libdefaults] "
+"section. The option name is default_ccache_name. See krb5.conf(5)'s "
+"PARAMETER EXPANSION paragraph for additional information on the expansion "
+"format defined by krb5.conf."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:225
+msgid ""
+"NOTE: Please be aware that libkrb5 ccache expansion template from "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> uses different expansion sequences than SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:234
+msgid "Default: (from libkrb5)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:240
+msgid "krb5_auth_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:243
+msgid ""
+"Timeout in seconds after an online authentication request or change password "
+"request is aborted. If possible, the authentication request is continued "
+"offline."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:254
+msgid "krb5_validate (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:257
+msgid ""
+"Verify with the help of krb5_keytab that the TGT obtained has not been "
+"spoofed. The keytab is checked for entries sequentially, and the first entry "
+"with a matching realm is used for validation. If no entry matches the realm, "
+"the last entry in the keytab is used. This process can be used to validate "
+"environments using cross-realm trust by placing the appropriate keytab entry "
+"as the last entry or the only entry in the keytab file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:272
+msgid "krb5_keytab (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:275
+msgid ""
+"The location of the keytab to use when validating credentials obtained from "
+"KDCs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:279
+msgid "Default: /etc/krb5.keytab"
+msgstr "Noklusējuma: /etc/krb5.keytab"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:285
+msgid "krb5_store_password_if_offline (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:288
+msgid ""
+"Store the password of the user if the provider is offline and use it to "
+"request a TGT when the provider comes online again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:293
+msgid ""
+"NOTE: this feature is only available on Linux. Passwords stored in this way "
+"are kept in plaintext in the kernel keyring and are potentially accessible "
+"by the root user (with difficulty)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:306
+msgid "krb5_renewable_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:309
+msgid ""
+"Request a renewable ticket with a total lifetime, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
+msgid "<emphasis>s</emphasis> for seconds"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
+msgid "<emphasis>m</emphasis> for minutes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
+msgid "<emphasis>h</emphasis> for hours"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
+msgid "<emphasis>d</emphasis> for days."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397
+msgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401
+msgid ""
+"NOTE: It is not possible to mix units. To set the renewable lifetime to one "
+"and a half hours, use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:335
+msgid "Default: not set, i.e. the TGT is not renewable"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:341
+msgid "krb5_lifetime (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:344
+msgid ""
+"Request ticket with a lifetime, given as an integer immediately followed by "
+"a time unit:"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:360
+msgid "If there is no unit given <emphasis>s</emphasis> is assumed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:364
+msgid ""
+"NOTE: It is not possible to mix units. To set the lifetime to one and a "
+"half hours please use '90m' instead of '1h30m'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:369
+msgid ""
+"Default: not set, i.e. the default ticket lifetime configured on the KDC."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:376
+msgid "krb5_renew_interval (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:379
+msgid ""
+"The time in seconds between two checks if the TGT should be renewed. TGTs "
+"are renewed if about half of their lifetime is exceeded, given as an integer "
+"immediately followed by a time unit:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:406
+msgid "If this option is not set or is 0 the automatic renewal is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:416
+msgid "krb5_use_fast (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:419
+msgid ""
+"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
+"authentication. The following options are supported:"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:424
+msgid ""
+"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
+"option at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:428
+msgid ""
+"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
+"continue the authentication without it."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:433
+msgid ""
+"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
+"server does not require fast."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:438
+msgid "Default: not set, i.e. FAST is not used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:441
+msgid "NOTE: a keytab is required to use FAST."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:444
+msgid ""
+"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
+"SSSD is used with an older version of MIT Kerberos, using this option is a "
+"configuration error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:453
+msgid "krb5_fast_principal (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:456
+msgid "Specifies the server principal to use for FAST."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:465
+msgid ""
+"Specifies if the host and user principal should be canonicalized. This "
+"feature is available with MIT Kerberos 1.7 and later versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:505
+msgid "krb5_use_enterprise_principal (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:508
+msgid ""
+"Specifies if the user principal should be treated as enterprise principal. "
+"See section 5 of RFC 6806 for more details about enterprise principals."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:514
+msgid "Default: false (AD provider: true)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:517
+msgid ""
+"The IPA provider will set to option to 'true' if it detects that the server "
+"is capable of handling enterprise principals and the option is not set "
+"explicitly in the config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:526
+msgid "krb5_map_user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:529
+msgid ""
+"The list of mappings is given as a comma-separated list of pairs "
+"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
+"name and <quote>primary</quote> is a user part of a kerberos principal. This "
+"mapping is used when user is authenticating using <quote>auth_provider = "
+"krb5</quote>."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-krb5.5.xml:541
+#, no-wrap
+msgid ""
+"krb5_realm = REALM\n"
+"krb5_map_user = joe:juser,dick:richard\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:546
+msgid ""
+"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
+"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
+"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will "
+"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:65
+msgid ""
+"If the auth-module krb5 is used in an SSSD domain, the following options "
+"must be used. See the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section "
+"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:572
+msgid ""
+"The following example assumes that SSSD is correctly configured and FOO is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
+"example shows only configuration of Kerberos authentication; it does not "
+"include any identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:580
+#, no-wrap
+msgid ""
+"[domain/FOO]\n"
+"auth_provider = krb5\n"
+"krb5_server = 192.168.1.1\n"
+"krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr "izveidot jaunu grupu"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43 sss_seed.8.xml:88
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr "sss_userdel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr "dzēst lietotāja kontu"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr "dzēst grupu"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr "sss_groupshow"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy. Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr "sss_usermod"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter.
The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:135
+msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:140
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:147
+msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:152
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:160
+msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:165
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_cache.8.xml:10 sss_cache.8.xml:15
+msgid "sss_cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_cache.8.xml:16
+msgid "perform cache cleanup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_cache.8.xml:21
+msgid ""
+"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_cache.8.xml:31
+msgid ""
+"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
+"records are forced to be reloaded from server as soon as related SSSD "
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:43
+msgid "<option>-E</option>,<option>--everything</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:47
+msgid "Invalidate all cached entries."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:53
+msgid ""
+"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:58
+msgid "Invalidate specific user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:64
+msgid "<option>-U</option>,<option>--users</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:68
+msgid ""
+"Invalidate all user records. This option overrides invalidation of specific "
+"user if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:75
+msgid ""
+"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:80
+msgid "Invalidate specific group."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:86
+msgid "<option>-G</option>,<option>--groups</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:90
+msgid ""
+"Invalidate all group records. This option overrides invalidation of specific "
+"group if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:97
+msgid ""
+"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
+"replaceable>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:102
+msgid "Invalidate specific netgroup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:108
+msgid "<option>-N</option>,<option>--netgroups</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:112
+msgid ""
+"Invalidate all netgroup records. This option overrides invalidation of "
+"specific netgroup if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:119
+msgid ""
+"<option>-s</option>,<option>--service</option> <replaceable>service</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:124
+msgid "Invalidate specific service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:130
+msgid "<option>-S</option>,<option>--services</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:134
+msgid ""
+"Invalidate all service records. This option overrides invalidation of "
+"specific service if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:141
+msgid ""
+"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:146
+msgid "Invalidate specific autofs maps."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:152
+msgid "<option>-A</option>,<option>--autofs-maps</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:156
+msgid ""
+"Invalidate all autofs maps. This option overrides invalidation of specific "
+"map if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:163
+msgid ""
+"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:168
+msgid "Invalidate SSH public keys of a specific host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:174
+msgid "<option>-H</option>,<option>--ssh-hosts</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:178
+msgid ""
+"Invalidate SSH public keys of all hosts. This option overrides invalidation "
+"of SSH public keys of specific host if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:186
+msgid ""
+"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:191
+msgid "Invalidate particular sudo rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:197
+msgid "<option>-R</option>,<option>--sudo-rules</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:201
+msgid ""
+"Invalidate all cached sudo rules. This option overrides invalidation of "
+"specific sudo rule if it was also set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:209
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>domain</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:214
+msgid "Restrict invalidation process only to a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
+msgid "sss_debuglevel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_debuglevel.8.xml:16
+msgid "[DEPRECATED] change debug level while SSSD is running"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_debuglevel.8.xml:21
+msgid ""
+"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_debuglevel.8.xml:32
+msgid ""
+"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl "
+"debug-level command. Please refer to the <command>sssctl</command> man page "
+"for more information on sssctl usage."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_seed.8.xml:10 sss_seed.8.xml:15
+msgid "sss_seed"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_seed.8.xml:16
+msgid "seed the SSSD cache with a user"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_seed.8.xml:21
+msgid ""
+"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
+"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:33
+msgid ""
+"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
+"temporary password. If a user entry is already present in the SSSD cache "
+"then the entry is updated with the temporary password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:46
+msgid ""
+"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:51
+msgid ""
+"Provide the name of the domain in which the user is a member of. The domain "
+"is also used to retrieve user information. The domain must be configured in "
+"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
+"Information retrieved from the domain overrides what is provided in the "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:63
+msgid ""
+"<option>-n</option>,<option>--username</option> <replaceable>USER</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:68
+msgid ""
+"The username of the entry to be created or modified in the cache. The "
+"<replaceable>USER</replaceable> option must be provided."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:81
+msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:93
+msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:117
+msgid ""
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:129
+msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:140
+msgid ""
+"Interactive mode for entering user information. This option will only prompt "
+"for information not provided in the options or retrieved from the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:148
+msgid ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:153
+msgid ""
+"Specify file to read user's password from. (if not specified password is "
+"prompted for)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:165
+msgid ""
+"The length of the password (or the size of file specified with -p or --"
+"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+"on systems with no globally-defined PASS_MAX value)."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+msgid "sssd-ifp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ifp.5.xml:17
+msgid "SSSD InfoPipe responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:23
+msgid ""
+"This manual page describes the configuration of the InfoPipe responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:36
+msgid ""
+"The InfoPipe responder provides a public D-Bus interface accessible over the "
+"system bus. The interface allows the user to query information about remote "
+"users and groups over the system bus."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:46
+msgid "These options can be used to configure the InfoPipe responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:53
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:59
+msgid ""
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:63
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the InfoPipe responder, which would be the typical case, you have to "
+"add 0 to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:77
+msgid "Specifies the comma-separated list of white or blacklisted attributes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:91
+msgid "name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:92
+msgid "user's login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:95
+msgid "uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:96
+msgid "user ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:99
+msgid "gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:100
+msgid "primary group ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:103
+msgid "gecos"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:104
+msgid "user information, typically full name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:107
+msgid "homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:111
+msgid "loginShell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:112
+msgid "user shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:81
+msgid ""
+"By default, the InfoPipe responder only allows the default set of POSIX "
+"attributes to be requested. This set is the same as returned by "
+"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ifp.5.xml:125
+#, no-wrap
+msgid ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:117
+msgid ""
+"It is possible to add another attribute to this set by using <quote>"
+"+attr_name</quote> or explicitly remove an attribute using <quote>-"
+"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
+"deny <quote>loginShell</quote>, you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:129
+msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:139
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup that overrides caller-supplied limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:144
+msgid "Default: 0 (let the caller set an upper limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refentryinfo>
+#: sss_rpcidmapd.5.xml:8
+msgid ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
+msgid "sss_rpcidmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_rpcidmapd.5.xml:33
+msgid "sss plugin configuration directives for rpc.idmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:37
+msgid "CONFIGURATION FILE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:39
+msgid ""
+"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:49
+msgid "SSS CONFIGURATION EXTENSION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:51
+msgid "Enable SSS plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:53
+msgid ""
+"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
+"attribute to contain <emphasis>sss</emphasis>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:59
+msgid "[sss] config section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:61
+msgid ""
+"In order to change the default of one of the configuration attributes of the "
+"<emphasis>sss</emphasis> plugin listed below you will need to create a "
+"config section for it, named <quote>[sss]</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sss_rpcidmapd.5.xml:67
+msgid "Configuration attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sss_rpcidmapd.5.xml:69
+msgid "memcache (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sss_rpcidmapd.5.xml:72
+msgid "Indicates whether or not to use memcache optimisation technique."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:85
+msgid "SSSD INTEGRATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:87
+msgid ""
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
+"in sssd."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:91
+msgid ""
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
+"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
+"wire)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_rpcidmapd.5.xml:103
+#, no-wrap
+msgid ""
+"[General]\n"
+"Verbosity = 2\n"
+"# domain must be synced between NFSv4 server and clients\n"
+"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:100
+msgid ""
+"The following example shows a minimal idmapd.conf which makes use of the sss "
+"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
+msgid "SEE ALSO"
+msgstr "SKATĪT ARĪ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:122
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
+msgid "sss_ssh_authorizedkeys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
+msgid "1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_authorizedkeys.1.xml:16
+msgid "get OpenSSH authorized keys"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_authorizedkeys.1.xml:21
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+msgid "p11_child_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+msgid "certificate_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys. When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+msgid "passwd_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: /tmp"
+msgid "Default: /etc/passwd"
+msgstr "Noklusējuma: / tmp"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+msgid "group_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: /tmp"
+msgid "Default: /etc/group"
+msgstr "Noklusējuma: / tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:602
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:606
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:614
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16
+msgid "sssd-session-recording"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-session-recording.5.xml:17
+msgid "Configuring session recording with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to "
+"implement user session recording on text terminals.
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/nl.po b/src/man/po/nl.po
new file mode 100644
index 0000000..fe29d7b
--- /dev/null
+++ b/src/man/po/nl.po
@@ -0,0 +1,15688 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# Wijnand Modderman-Lenstra <accounts-transifex@maze.io>, 2011
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-15 12:02+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Dutch (http://www.transifex.com/projects/p/sssd/language/"
+"nl/)\n"
+"Language: nl\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "SSSD handleiding"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr "muteer een groep"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>opties</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROEP</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr "OMSCHRIJVING"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+"<command>sss_groupmod</command> muteert de groep en maakt de aanpassingen "
+"die via de opdrachtregel ingegeven zijn."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "OPTIES"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROEPEN</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+"Voeg deze groep toe aan de groepen opgegeven met de <replaceable>GROEPEN</"
+"replaceable> parameter. De <replaceable>GROEPEN</replaceable> parameter is "
+"een kommagescheiden lijst van groepnamen."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROEPEN</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+"Verwijder deze groep uit de groepen opgegeven in de <replaceable>GROEPEN</"
+"replaceable> parameter."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr "sssd.conf"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
+#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
+#: sssd-systemtap.5.xml:11
+msgid "5"
+msgstr "5"
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
+#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
+#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12
+msgid "File Formats and Conventions"
+msgstr "Bestandsformaten en conventies"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr "het configuratiebestand voor SSSD"
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr "BESTANDSFORMAAT"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"<replaceable>[section]</replaceable>\n"
+"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Het bestand heeft een ini-stijl syntaxis en bestaat uit secties en "
+"parameters. Een sectie begint met de naam van de sectie in rechte haken en "
+"gaat verder totdat de volgende sectie begint. Een voorbeeld van een sectie "
+"met een enkele en een meervoudige parameter: <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+"De datatypes gebruikt zijn tekst (geen quotes vereisd), numeriek en "
+"booleaans (met de waardes <quote>TRUE/FALSE</quote>)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>). Inline comments are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:47
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. 
Its function is only as a label for the section."
+msgstr ""
+"Alle secties kunnen een optionele <replaceable>description</replaceable> "
+"parameter bevatten. Dit fungeert slechts als label voor de sectie."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:53
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+"<filename>sssd.conf</filename> moet een standaardbestand zijn, de eigenaar "
+"moet root zijn en alleen root mag hem lezen en schrijven."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:59
+msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:62
+msgid ""
+"The configuration file <filename>sssd.conf</filename> will include "
+"configuration snippets using the include directory <filename>conf.d</"
+"filename>. This feature is available if SSSD was compiled with libini "
+"version 1.3.0 or later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:69
+msgid ""
+"Any file placed in <filename>conf.d</filename> that ends in "
+"<quote><filename>.conf</filename></quote> and does not begin with a dot "
+"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
+"to configure SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:77
+msgid ""
+"The configuration snippets from <filename>conf.d</filename> have higher "
+"priority than <filename>sssd.conf</filename> and will override "
+"<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
+"present in <filename>conf.d</filename>, then they are included in "
+"alphabetical order (based on locale). Files included later have higher "
+"priority. 
Numerical prefixes (<filename>01_snippet.conf</filename>, "
+"<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
+"(higher number means higher priority)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:91
+msgid ""
+"The snippet files require the same owner and permissions as <filename>sssd."
+"conf</filename>. Which are by default root:root and 0600."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:98
+msgid "GENERAL OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:100
+msgid "Following options are usable in more than one configuration sections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:104
+msgid "Options usable in all sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:108
+msgid "debug_level (integer)"
+msgstr "debug_level (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:112
+msgid "debug (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:115
+msgid ""
+"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
+"for <replaceable>debug_level</replaceable> as a convenience feature. If both "
+"are specified, the value of <replaceable>debug_level</replaceable> will be "
+"used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:125
+msgid "debug_timestamps (bool)"
+msgstr "debug_timestamps (bool)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:128
+msgid ""
+"Add a timestamp to the debug messages. If journald is enabled for SSSD "
+"debug logging this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851
+#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576
+#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227
+#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499
+#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+msgid "Default: true"
+msgstr "Standaard: true"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:138
+msgid "debug_microseconds (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:141
+msgid ""
+"Add microseconds to the timestamp in debug messages. If journald is enabled "
+"for SSSD debug logging this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708
+#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+#: sssd-krb5.5.xml:471
+msgid "Default: false"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384
+#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:155
+msgid "Options usable in SERVICE and DOMAIN sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:159
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:162
+msgid ""
+"Timeout in seconds between heartbeats for this service. This is used to "
+"ensure that the process is alive and capable of answering requests. Note "
+"that after three missed heartbeats the process will terminate itself."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996
+#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:179
+msgid "SPECIAL SECTIONS"
+msgstr "SPECIALE SECTIES"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:182
+msgid "The [sssd] section"
+msgstr "De [sssd] sectie"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085
+msgid "Section parameters"
+msgstr "Sectie parameters"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:193
+msgid "config_file_version (integer)"
+msgstr "config_file_version (numeriek)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+"Geeft aan welke syntaxis de configuratie gebruikt. SSSD 0.6.0 en hoger "
+"gebruiken versie 2."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:202
+msgid "services"
+msgstr "diensten"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:205
+msgid ""
+"Comma separated list of services that are started when sssd itself starts. "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or D-Bus "
+"activated when needed. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:214
+msgid ""
+"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
+"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
+"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
+"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:222
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\". </phrase>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:231 sssd.conf.5.xml:614
+msgid "reconnection_retries (integer)"
+msgstr "reconnection_retries (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:234 sssd.conf.5.xml:617
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+"Aantal keer dat de service moet proberen om opnieuw te verbinden indien een "
+"Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:239 sssd.conf.5.xml:622
+msgid "Default: 3"
+msgstr "Standaard: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:244
+msgid "domains"
+msgstr "domeinen"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:247
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start. This parameter describes the list of domains in the order you want "
+"them to be queried. A domain name should only consist of alphanumeric ASCII "
+"characters, dashes, dots and underscores."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597
+msgid "re_expression (string)"
+msgstr "re_expression (tekst)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:262
+msgid ""
+"Default regular expression that describes how to parse the string containing "
+"user name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:267
+msgid ""
+"Each domain can have an individual regular expression configured. For some "
+"ID providers there are also default regular expressions. See DOMAIN SECTIONS "
+"for more info on these regular expressions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645
+msgid "full_name_format (string)"
+msgstr "full_name_format (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to compose a "
+"fully qualified name from user name and domain name components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659
+msgid "%1$s"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660
+msgid "user name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663
+msgid "%2$s"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666
+msgid "domain name as specified in the SSSD config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672
+msgid "%3$s"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675
+msgid ""
+"domain flat name. Mostly usable for Active Directory domains, both directly "
+"configured or discovered via IPA trusts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656
+msgid ""
+"The following expansions are supported: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:316
+msgid ""
+"Each domain can have an individual format string configured. see DOMAIN "
+"SECTIONS for more info on this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:322
+msgid "try_inotify (boolean)"
+msgstr "try_inotify (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:325
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used." 
+msgstr ""
+"SSSD houdt de stat van resolv.conf in de gaten om te zien wanneer de interne "
+"DNS-resolver bijgewerkt moet worden. Standaard wordt er geprobeerd om "
+"inotify te gebruiken en er wordt teruggevallen op iedere vijf seconden "
+"kijken of resolv.conf gewijzigd is als er geen inotify beschikbaar is."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:333
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+"Er zijn een aantal situaties waarin het de voorkeur heeft dat we het gebruik "
+"van inotify uitschakelen. In deze zeldzame gevallen kan de optie op 'false' "
+"gezet worden"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+"Standaard: true op systemen waar inotify is ondersteund. False op andere "
+"systemen."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+"Merk op: deze optie heeft geen effect op systemen waar inotify niet "
+"beschikbaar is. Op deze systemen wordt altijd periodiek gekeken naar resolv."
+"conf."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+"Map in het bestandssysteem waarin SSSD Kerberos replay cache bestanden moet "
+"opslaan."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. 
This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "SERVICES SECTIE"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "Algemene service configuratie-opties"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "Deze opties kunnen gebruikt worden om services te configureren."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr "NSS configuratie-opties"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+"Deze opties kunnen worden gebruikt om de Name Serice Switch (NSS) service te "
+"configurere."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr "enum_cache_timeout (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+"Hoeveel seconden zouden nss_sss cache enumeraties (verzoeken om informatie "
+"over alle gebruikers)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr "Standaard: 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr "entry_cache_nowait_percentage (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (numeriek)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 120"
+msgid "Default: 14400 (4 hours)"
+msgstr "Standaard: 120"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr "Standaard: 0"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "Standaard: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. 
As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. 
Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. 
See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. 
As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. 
See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. " +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. 
See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. 
See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. 
See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" +"Standaard: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"wat zich vertaalt tot \"de gebruikersnaam is alles tot <quote>@</quote> , " +"het domein alles daarna\"" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Standaard: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias.
Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure.
Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. "
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. 
For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. "
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:312
+msgid "<SAN:iPAddress>regular-expression"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:315
+msgid "Match the value of the iPAddress SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:318
+msgid "Example: <SAN:iPAddress>192\\.168\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:323
+msgid "<SAN:registeredID>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:326
+msgid "Match the value of the registeredID SAN as dotted-decimal string."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:330
+msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:68
+msgid ""
+"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). 
Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:214
+msgid "Restrict invalidation process only to a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
+msgid "sss_debuglevel"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_debuglevel.8.xml:16
+msgid "[DEPRECATED] change debug level while SSSD is running"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_debuglevel.8.xml:21
+msgid ""
+"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
+"replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_debuglevel.8.xml:32
+msgid ""
+"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl "
+"debug-level command. Please refer to the <command>sssctl</command> man page "
+"for more information on sssctl usage."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_seed.8.xml:10 sss_seed.8.xml:15
+msgid "sss_seed"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_seed.8.xml:16
+msgid "seed the SSSD cache with a user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_seed.8.xml:21
+msgid ""
+"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
+"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:33
+msgid ""
+"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
+"temporary password.
If a user entry is already present in the SSSD cache "
+"then the entry is updated with the temporary password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:46
+msgid ""
+"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:51
+msgid ""
+"Provide the name of the domain in which the user is a member of. The domain "
+"is also used to retrieve user information. The domain must be configured in "
+"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
+"Information retrieved from the domain overrides what is provided in the "
+"options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:63
+msgid ""
+"<option>-n</option>,<option>--username</option> <replaceable>USER</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:68
+msgid ""
+"The username of the entry to be created or modified in the cache. The "
+"<replaceable>USER</replaceable> option must be provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:81
+msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:93
+msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:117
+msgid ""
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:129
+msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:140
+msgid ""
+"Interactive mode for entering user information. This option will only prompt "
+"for information not provided in the options or retrieved from the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:148
+msgid ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:153
+msgid ""
+"Specify file to read user's password from. (if not specified password is "
+"prompted for)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:165
+msgid ""
+"The length of the password (or the size of file specified with -p or --"
+"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+"on systems with no globally-defined PASS_MAX value)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+msgid "sssd-ifp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ifp.5.xml:17
+msgid "SSSD InfoPipe responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:23
+msgid ""
+"This manual page describes the configuration of the InfoPipe responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>.
For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:36
+msgid ""
+"The InfoPipe responder provides a public D-Bus interface accessible over the "
+"system bus. The interface allows the user to query information about remote "
+"users and groups over the system bus."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:46
+msgid "These options can be used to configure the InfoPipe responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:53
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:59
+msgid ""
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:63
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the InfoPipe responder, which would be the typical case, you have to "
+"add 0 to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:77
+msgid "Specifies the comma-separated list of white or blacklisted attributes."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:91
+msgid "name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:92
+msgid "user's login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:95
+msgid "uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:96
+msgid "user ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:99
+msgid "gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:100
+msgid "primary group ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:103
+msgid "gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:104
+msgid "user information, typically full name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:107
+msgid "homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:111
+msgid "loginShell"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:112
+msgid "user shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:81
+msgid ""
+"By default, the InfoPipe responder only allows the default set of POSIX "
+"attributes to be requested. This set is the same as returned by "
+"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ifp.5.xml:125
+#, no-wrap
+msgid ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:117
+msgid ""
+"It is possible to add another attribute to this set by using <quote>"
+"+attr_name</quote> or explicitly remove an attribute using <quote>-"
+"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
+"deny <quote>loginShell</quote>, you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:129
+msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:139
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup that overrides caller-supplied limit."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:144
+msgid "Default: 0 (let the caller set an upper limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refentryinfo>
+#: sss_rpcidmapd.5.xml:8
+msgid ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
+msgid "sss_rpcidmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_rpcidmapd.5.xml:33
+msgid "sss plugin configuration directives for rpc.idmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:37
+msgid "CONFIGURATION FILE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:39
+msgid ""
+"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:49
+msgid "SSS CONFIGURATION EXTENSION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:51
+msgid "Enable SSS plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:53
+msgid ""
+"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
+"attribute to contain <emphasis>sss</emphasis>."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:59
+msgid "[sss] config section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:61
+msgid ""
+"In order to change the default of one of the configuration attributes of the "
+"<emphasis>sss</emphasis> plugin listed below you will need to create a "
+"config section for it, named <quote>[sss]</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sss_rpcidmapd.5.xml:67
+msgid "Configuration attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sss_rpcidmapd.5.xml:69
+msgid "memcache (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sss_rpcidmapd.5.xml:72
+msgid "Indicates whether or not to use memcache optimisation technique."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:85
+msgid "SSSD INTEGRATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:87
+msgid ""
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
+"in sssd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:91
+msgid ""
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
+"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
+"wire)."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_rpcidmapd.5.xml:103
+#, no-wrap
+msgid ""
+"[General]\n"
+"Verbosity = 2\n"
+"# domain must be synced between NFSv4 server and clients\n"
+"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:100
+msgid ""
+"The following example shows a minimal idmapd.conf which makes use of the sss "
+"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
+msgid "SEE ALSO"
+msgstr "ZIE OOK"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:122
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
+msgid "sss_ssh_authorizedkeys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
+msgid "1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_authorizedkeys.1.xml:16
+msgid "get OpenSSH authorized keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_authorizedkeys.1.xml:21
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+msgid "p11_child_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+msgid "certificate_verification"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys. When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+#, fuzzy
+#| msgid ""
+#| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+#| "replaceable>"
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROEPEN</"
+"replaceable>"
+
+#.
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "passwd_files (string)"
+msgstr "re_expression (tekst)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: true"
+msgid "Default: /etc/passwd"
+msgstr "Standaard: true"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+#, fuzzy
+#| msgid "re_expression (string)"
+msgid "group_files (string)"
+msgstr "re_expression (tekst)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: true"
+msgid "Default: /etc/group"
+msgstr "Standaard: true"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:602
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:606
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:614
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16
+msgid "sssd-session-recording"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-session-recording.5.xml:17
+msgid "Configuring session recording with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to "
+"implement user session recording on text terminals. 
For a detailed "
+"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> "
+"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:41
+msgid ""
+"SSSD can be set up to enable recording of everything specific users see or "
+"type during their sessions on text terminals. E.g. when users log in on the "
+"console, or via SSH. SSSD itself doesn't record anything, but makes sure "
+"tlog-rec-session is started upon user login, so it can record according to "
+"its configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:48
+msgid ""
+"For users with session recording enabled, SSSD replaces the user shell with "
+"tlog-rec-session in NSS responses, and adds a variable specifying the "
+"original shell to the user environment, upon PAM session setup. This way "
+"tlog-rec-session can be started in place of the user shell, and know which "
+"actual shell to start, once it set up the recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:60
+msgid "These options can be used to configure the session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:146
+msgid ""
+"The following snippet of sssd.conf enables session recording for users "
+"\"contractor1\" and \"contractor2\", and group \"students\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-session-recording.5.xml:151
+#, no-wrap
+msgid ""
+"[session_recording]\n"
+"scope = some\n"
+"users = contractor1, contractor2\n"
+"groups = students\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16
+msgid "sssd-kcm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-kcm.8.xml:17
+msgid "SSSD Kerberos Cache Manager"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:23
+msgid ""
+"This manual page describes the configuration of the SSSD Kerberos Cache "
+"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos "
+"credential caches. It originates in the Heimdal Kerberos project, although "
+"the MIT Kerberos library also provides client side (more details on that "
+"below) support for the KCM credential cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:31
+msgid ""
+"In a setup where Kerberos caches are managed by KCM, the Kerberos library "
+"(typically used through an application, like e.g., <citerefentry> "
+"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </"
+"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is "
+"being referred to as a <quote>\"KCM server\"</quote>. The client and server "
+"communicate over a UNIX socket."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:42
+msgid ""
+"The KCM server keeps track of each credential caches's owner and performs "
+"access check control based on the UID and GID of the KCM client. The root "
+"user has access to all credential caches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:47
+msgid "The KCM credential cache has several interesting properties:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:51
+msgid ""
+"since the process runs in userspace, it is subject to UID namespacing, "
+"unlike the kernel keyring"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
+"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
+"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> "
+"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> "
+"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> </phrase>"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:3
+msgid ""
+"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
+"for this attribute type."
+msgstr ""
+
+#. type: Content of: <listitem><para><programlisting>
+#: include/ldap_search_bases.xml:9
+#, no-wrap
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:7
+msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:13
+msgid ""
+"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope "
+"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/"
+"rfc4511"
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:23
+msgid ""
+"For examples of this syntax, please refer to the <quote>ldap_search_base</"
+"quote> examples section."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: include/ldap_search_bases.xml:31
+msgid ""
+"Please note that specifying scope or filter is not supported for searches "
+"against an Active Directory Server that might yield a large number of "
+"results and trigger the Range Retrieval extension in the response."
+msgstr ""
+
+#. type: Content of: <para>
+#: include/autofs_restart.xml:2
+msgid ""
+"Please note that the automounter only reads the master map on startup, so if "
+"any autofs-related changes are made to the sssd.conf, you typically also "
+"need to restart the automounter daemon after restarting the SSSD."
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/override_homedir.xml:2
+msgid "override_homedir (string)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:16
+msgid "UID number"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:20
+msgid "domain name"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:23
+msgid "%f"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:24
+msgid "fully qualified user name (user@domain)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:27
+msgid "%l"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:28
+msgid "The first letter of the login name."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:32
+msgid "UPN - User Principal Name (name@REALM)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:35
+msgid "%o"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:37
+msgid "The original home directory retrieved from the identity provider."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: include/override_homedir.xml:42
+msgid "%H"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: include/override_homedir.xml:44
+msgid "The value of configure option <emphasis>homedir_substring</emphasis>."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:5
+msgid ""
+"Override the user's home directory. You can either provide an absolute value "
+"or a template. In the template, the following sequences are substituted: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para><programlisting>
+#: include/override_homedir.xml:61
+#, no-wrap
+msgid ""
+"override_homedir = /home/%u\n"
+" "
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/override_homedir.xml:65
+msgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+
+#. type: Content of: <varlistentry><term>
+#: include/homedir_substring.xml:2
+msgid "homedir_substring (string)"
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:5
+msgid ""
+"The value of this option will be used in the expansion of the "
+"<emphasis>override_homedir</emphasis> option if the template contains the "
+"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly "
+"contain this template so that this option can be used to expand the home "
+"directory path for each client machine (or operating system). It can be set "
+"per-domain or globally in the [nss] section. A value specified in a domain "
+"section will override one set in the [nss] section."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/homedir_substring.xml:15
+msgid "Default: /home"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
+msgid "MODIFIED DEFAULT OPTIONS"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
+
+#~ msgid ""
+#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
+#~ "(?P<name>) to label subpatterns."
+#~ msgstr ""
+#~ "MER OOK OP: oudere versies van libpcre ondersteunen alleen de Pyton "
+#~ "syntaxis (?P<name>) om subpatronen aan te geven."
diff --git a/src/man/po/po4a.cfg b/src/man/po/po4a.cfg
new file mode 100644
index 0000000..a3ab241
--- /dev/null
+++ b/src/man/po/po4a.cfg
@@ -0,0 +1,53 @@ +[po4a_langs] br ca cs de eu es fi fr ja lv nl pt pt_BR ru sv tg uk zh_CN +[po4a_paths] po/sssd-docs.pot $lang:po/$lang.po +[type:docbook] sss_groupmod.8.xml $lang:$(builddir)/$lang/sss_groupmod.8.xml +[type:docbook] sssd.conf.5.xml $lang:$(builddir)/$lang/sssd.conf.5.xml +[type:docbook] sssd-ldap.5.xml $lang:$(builddir)/$lang/sssd-ldap.5.xml +[type:docbook] pam_sss.8.xml $lang:$(builddir)/$lang/pam_sss.8.xml +[type:docbook] sssd_krb5_locator_plugin.8.xml $lang:$(builddir)/$lang/sssd_krb5_locator_plugin.8.xml +[type:docbook] sssd-simple.5.xml $lang:$(builddir)/$lang/sssd-simple.5.xml +[type:docbook] sss-certmap.5.xml $lang:$(builddir)/$lang/sss-certmap.5.xml +[type:docbook] sssd-ipa.5.xml $lang:$(builddir)/$lang/sssd-ipa.5.xml +[type:docbook] sssd-ad.5.xml $lang:$(builddir)/$lang/sssd-ad.5.xml +[type:docbook] sssd-sudo.5.xml $lang:$(builddir)/$lang/sssd-sudo.5.xml +[type:docbook] sssd.8.xml $lang:$(builddir)/$lang/sssd.8.xml +[type:docbook] sss_obfuscate.8.xml $lang:$(builddir)/$lang/sss_obfuscate.8.xml +[type:docbook] sss_override.8.xml $lang:$(builddir)/$lang/sss_override.8.xml +[type:docbook] sss_useradd.8.xml $lang:$(builddir)/$lang/sss_useradd.8.xml +[type:docbook] sssd-krb5.5.xml $lang:$(builddir)/$lang/sssd-krb5.5.xml +[type:docbook] sss_groupadd.8.xml $lang:$(builddir)/$lang/sss_groupadd.8.xml +[type:docbook] sss_userdel.8.xml $lang:$(builddir)/$lang/sss_userdel.8.xml +[type:docbook] sss_groupdel.8.xml $lang:$(builddir)/$lang/sss_groupdel.8.xml +[type:docbook] sss_groupshow.8.xml $lang:$(builddir)/$lang/sss_groupshow.8.xml +[type:docbook] sss_usermod.8.xml $lang:$(builddir)/$lang/sss_usermod.8.xml +[type:docbook] sss_cache.8.xml $lang:$(builddir)/$lang/sss_cache.8.xml +[type:docbook] sss_debuglevel.8.xml $lang:$(builddir)/$lang/sss_debuglevel.8.xml +[type:docbook] sss_seed.8.xml $lang:$(builddir)/$lang/sss_seed.8.xml +[type:docbook] sssd-ifp.5.xml $lang:$(builddir)/$lang/sssd-ifp.5.xml +[type:docbook] sss_rpcidmapd.5.xml 
$lang:$(builddir)/$lang/sss_rpcidmapd.5.xml +[type:docbook] sss_ssh_authorizedkeys.1.xml $lang:$(builddir)/$lang/sss_ssh_authorizedkeys.1.xml +[type:docbook] sss_ssh_knownhostsproxy.1.xml $lang:$(builddir)/$lang/sss_ssh_knownhostsproxy.1.xml +[type:docbook] idmap_sss.8.xml $lang:$(builddir)/$lang/idmap_sss.8.xml +[type:docbook] sssctl.8.xml $lang:$(builddir)/$lang/sssctl.8.xml +[type:docbook] sssd-files.5.xml $lang:$(builddir)/$lang/sssd-files.5.xml +[type:docbook] sssd-secrets.5.xml $lang:$(builddir)/$lang/sssd-secrets.5.xml +[type:docbook] sssd-session-recording.5.xml $lang:$(builddir)/$lang/sssd-session-recording.5.xml +[type:docbook] sssd-kcm.8.xml $lang:$(builddir)/$lang/sssd-kcm.8.xml +[type:docbook] sssd-systemtap.5.xml $lang:$(builddir)/$lang/sssd-systemtap.5.xml +[type:docbook] include/service_discovery.xml $lang:$(builddir)/$lang/include/service_discovery.xml opt:"-k 0" +[type:docbook] include/upstream.xml $lang:$(builddir)/$lang/include/upstream.xml opt:"-k 0" +[type:docbook] include/failover.xml $lang:$(builddir)/$lang/include/failover.xml opt:"-k 0" +[type:docbook] include/ldap_id_mapping.xml $lang:$(builddir)/$lang/include/ldap_id_mapping.xml opt:"-k 0" +[type:docbook] include/param_help.xml $lang:$(builddir)/$lang/include/param_help.xml opt:"-k 0" +[type:docbook] include/param_help_py.xml $lang:$(builddir)/$lang/include/param_help_py.xml opt:"-k 0" +[type:docbook] include/debug_levels.xml $lang:$(builddir)/$lang/include/debug_levels.xml opt:"-k 0" +[type:docbook] include/debug_levels_tools.xml $lang:$(builddir)/$lang/include/debug_levels_tools.xml opt:"-k 0" +[type:docbook] include/experimental.xml $lang:$(builddir)/$lang/include/experimental.xml opt:"-k 0" +[type:docbook] include/local.xml $lang:$(builddir)/$lang/include/local.xml opt:"-k 0" +[type:docbook] include/seealso.xml $lang:$(builddir)/$lang/include/seealso.xml opt:"-k 0" +[type:docbook] include/ldap_search_bases.xml $lang:$(builddir)/$lang/include/ldap_search_bases.xml opt:"-k 0" 
+[type:docbook] include/autofs_restart.xml $lang:$(builddir)/$lang/include/autofs_restart.xml opt:"-k 0" +[type:docbook] include/override_homedir.xml $lang:$(builddir)/$lang/include/override_homedir.xml opt:"-k 0" +[type:docbook] include/homedir_substring.xml $lang:$(builddir)/$lang/include/homedir_substring.xml opt:"-k 0" +[type:docbook] include/ad_modified_defaults.xml $lang:$(builddir)/$lang/include/ad_modified_defaults.xml opt:"-k 0" +[type:docbook] include/ipa_modified_defaults.xml $lang:$(builddir)/$lang/include/ipa_modified_defaults.xml opt:"-k 0" diff --git a/src/man/po/pt.po b/src/man/po/pt.po new file mode 100644 index 0000000..ee23e91 --- /dev/null +++ b/src/man/po/pt.po 
@@ -0,0 +1,15708 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# +# Translators: +# Miguel Sousa <migueljorgesousa@sapo.pt>, 2011 +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.1\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: 2014-12-15 12:05+0000\n" +"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" +"Language-Team: Portuguese (http://www.transifex.com/projects/p/sssd/language/" +"pt/)\n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" +"X-Generator: Zanata 4.4.5\n" + +#. type: Content of: <reference><title> +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 +#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 +#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 +#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "Páginas de Manual de SSSD" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "sss_groupmod" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "modificar um grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>Opções</" +"replaceable></arg> <arg choice='plain'> <replaceable>grupo</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "DESCRIÇÃO" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" +"<command>sss_groupmod</command> modifica o grupo para refletir as alterações " +"que são especificadas na linha de comando." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "Opções" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Acrescente este grupo para grupos especificados pelo parâmetro de " +"<replaceable>GROUPS</replaceable>. O parâmetro de <replaceable>GROUPS</" +"replaceable> é uma lista separada por vírgulas de nomes de grupo." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"Remova este grupo de grupos especificados pelo parâmetro de " +"<replaceable>GROUPS</replaceable>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Formatos de ficheiros e convenções" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "o ficheiro de configuração para SSSD" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "FORMATAR FICHEIRO" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" +"Os tipos de dados usados são cadeia de caracteres (sem aspas necessárias), " +"inteiro e bool (com valores de <quote>TRUE/FALSE</quote>)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" +"Todas as seções podem ter um parâmetro opcional <replaceable>description</" +"replaceable>. Sua função é apenas como um rótulo para a secção." + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" +"<filename>sssd.conf</filename> deve ser um ficheiro regular, pertencente a " +"raiz e somente raiz pode ler ou gravar o arquivo." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "debug_microseconds (bool)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Padrão: false" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Padrão: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "SECÇÕES ESPECIAIS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "A seção [SSSD]" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Parâmetros de secção" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "config_file_version (integer)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" +"Indica qual é a sintaxe do arquivo config. SSSD 0.6.0 e posterior utilização " +"versão 2." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "serviços" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "reconnection_retries (integer)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" +"Número de vezes que os serviços devem tentar reconectar-se no caso de uma " +"falha do provedor de dados ou reiniciar antes de eles desistirem" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Padrão: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "domínios" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "re_expression (string)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "full_name_format (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "try_inotify (boolean)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. 
In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr "krb5_rcache_dir (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr "Padrão: 60"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr "Padrão: 300"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "Padrão: 50"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 86400 (24 hours)"
+msgid "Default: 14400 (4 hours)"
+msgstr "Padrão: 86400 (24 horas)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr "allowed_shells (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr "vetoed_shells (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr "shell_fallback (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr "Padrão: /bin/sh"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr "Padrão: 1"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "pam_id_timeout (integer)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "pam_pwd_expiration_warning (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "Padrão: none" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +#, fuzzy +#| msgid "Default: 3" +msgid "Default:" +msgstr "Padrão: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. 
If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. 
See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "SECÇÕES DE DOMÍNIO" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "min_id,max_id (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr "Padrão: 1 para min_id, 0 (sem limite) para max_id"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr "enumerate (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "Padrão: FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running.
It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr "entry_cache_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries.
You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "Padrão: 5400"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr "cache_credentials (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr "account_cache_expiration (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "Padrão: 0 (ilimitado)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr "id_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider.
See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr "use_fully_qualified_names (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr "access_provider (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. "
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server.
See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "Default: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr "Default: ipv4_first"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr "dns_resolver_timeout (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr "Padrão: 6"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr "dns_discovery_domain (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr "override_gid (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr "proxy_pam_target (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr "proxy_lib_name (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. 
The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr "A secção de domínio local"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr "default_shell (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Padrão: <filename>bash/bin/bash</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr "base_directory (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "Padrão: <filename>/ home</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr "create_homedir (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Padrão: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr "remove_homedir (bool)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr "homedir_umask (integer)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Padrão: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr "skel_dir (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Padrão: <filename>skel/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr "mail_dir (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Padrão: <filename>mail/var/mail</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr "userdel_cmd (string)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr "Padrão: None, nenhum comando é executado"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. 
Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. 
Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr "sssd-ldap"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr "OPÇÕES DE CONFIGURAÇÃO"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr "ldap[s]://<host>[:port]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr "Padrão: empty, ou seja, ldap_uri é usado."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr "ldap_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "Exemplos:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. With rfc2307, group members are listed by name in "
+"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
+"group members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute. The AD schema type sets the attributes to correspond with Active "
+"Directory 2008r2 values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:203
+msgid "Default: rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:209
+msgid "ldap_default_bind_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:212
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:219
+msgid "ldap_default_authtok_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:222
+msgid "The type of the authentication token of the default bind DN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:226
+msgid "The two mechanisms currently supported are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:229
+msgid "password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:232
+msgid "obfuscated_password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:235
+msgid "Default: password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:241
+msgid "ldap_default_authtok (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:244
+msgid ""
+"The authentication token of the default bind DN. Only clear text passwords "
+"are currently supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:251
+msgid "ldap_user_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "The object class of a user entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:257
+msgid "Default: posixAccount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:263
+msgid "ldap_user_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:266
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:270
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:277
+msgid "ldap_user_uid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:284
+msgid "Default: uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:290
+msgid "ldap_user_gid_number (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929
+msgid "Default: gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
+msgid "ldap_user_gecos (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:321
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_home_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:338
+msgid "Default: homeDirectory"
+msgstr "Padrão: homeDirectory"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:344
+msgid "ldap_user_shell (string)"
+msgstr "ldap_user_shell (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:347
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:351
+msgid "Default: loginShell"
+msgstr "Padrão: diret"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:357
+msgid "ldap_user_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:360
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955
+msgid ""
+"Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
+"IPA"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:371
+msgid "ldap_user_objectsid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:374
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP user object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970
+msgid "Default: objectSid for ActiveDirectory, not set for other servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_modify_timestamp (string)"
+msgstr "ldap_user_modify_timestamp (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210
+msgid "Default: modifyTimestamp"
+msgstr "Padrão: modifyTimestamp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:399
+msgid "ldap_user_shadow_last_change (string)"
+msgstr "ldap_user_shadow_last_change (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:402
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:412
+msgid "Default: shadowLastChange"
+msgstr "Padrão: shadowLastChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:418
+msgid "ldap_user_shadow_min (string)"
+msgstr "ldap_user_shadow_min (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:421
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:430
+msgid "Default: shadowMin"
+msgstr "Padrão: shadowMin"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:436
+msgid "ldap_user_shadow_max (string)"
+msgstr "ldap_user_shadow_max (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:439
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
+"password age)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:448
+msgid "Default: shadowMax"
+msgstr "Padrão: shadowMax"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:454
+msgid "ldap_user_shadow_warning (string)"
+msgstr "ldap_user_shadow_warning (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:457
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password warning period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:467
+msgid "Default: shadowWarning"
+msgstr "Padrão: shadowWarning"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:473
+msgid "ldap_user_shadow_inactive (string)"
+msgstr "ldap_user_shadow_inactive (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:476
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
+"(password inactivity period)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:486
+msgid "Default: shadowInactive"
+msgstr "Padrão: shadowInactive"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:492
+msgid "ldap_user_shadow_expire (string)"
+msgstr "ldap_user_shadow_expire (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:495
+msgid ""
+"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
+"parameter contains the name of an LDAP attribute corresponding to its "
+"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> counterpart (account expiration date)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:505
+msgid "Default: shadowExpire"
+msgstr "Padrão: shadowExpire"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:511
+msgid "ldap_user_krb_last_pwd_change (string)"
+msgstr "ldap_user_krb_last_pwd_change (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:514
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time of last password change in "
+"kerberos."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:520
+msgid "Default: krbLastPwdChange"
+msgstr "Padrão: krbLastPwdChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:526
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr "ldap_user_krb_password_expiration (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:529
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:535
+msgid "Default: krbPasswordExpiration"
+msgstr "Padrão: krbPasswordExpiration"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:541
+msgid "ldap_user_ad_account_expires (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:544
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:549
+msgid "Default: accountExpires"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:555
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:558
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:563
+msgid "Default: userAccountControl"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:569
+msgid "ldap_ns_account_lock (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:572
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:577
+msgid "Default: nsAccountLock"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:583
+msgid "ldap_user_nds_login_disabled (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:586
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines if "
+"access is allowed or not."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
+msgid "Default: loginDisabled"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:596
+msgid "ldap_user_nds_login_expiration_time (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines until "
+"which date access is granted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:610
+msgid "ldap_user_nds_login_allowed_time_map (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:613
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines the "
+"hours of a day in a week when access is granted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:618
+msgid "Default: loginAllowedTimeMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:624
+msgid "ldap_user_principal (string)"
+msgstr "ldap_user_principal (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:627
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:631
+msgid "Default: krbPrincipalName"
+msgstr "Padrão: krbPrincipalName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:637
+msgid "ldap_user_extra_attrs (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:640
+msgid ""
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+"usual set of user attributes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:645
+msgid ""
+"The list can either contain LDAP attribute names only, or colon-separated "
+"tuples of SSSD cache attribute name and LDAP attribute name. In case only "
+"LDAP attribute name is specified, the attribute is saved to the cache "
+"verbatim. Using a custom SSSD attribute name might be required by "
+"environments that configure several SSSD domains with different LDAP schemas."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:655
+msgid ""
+"Please note that several attribute names are reserved by SSSD, notably the "
+"<quote>name</quote> attribute. SSSD would report an error if any of the "
+"reserved attribute names is used as an extra attribute name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:665
+msgid "ldap_user_extra_attrs = telephoneNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:668
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+"<quote>telephoneNumber</quote> to the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:672
+msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:675
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+"quote> to the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:685
+msgid "ldap_user_ssh_public_key (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "ldap_force_upper_case_realm (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "ldap_enumeration_refresh_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "ldap_user_fullname (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "Padrão: NC" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "ldap_user_authorized_host (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "Padrão: host" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "Padrão: nisNetgroupTriple" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "ldap_netgroup_modify_timestamp (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "ldap_search_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "ldap_network_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "ldap_opt_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "ldap_page_size (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "Padrão: 1000" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "ldap_tls_reqcert (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" +"<emphasis>never</emphasis> = O cliente não irá solicitar ou verificar " +"qualquer certificado de servidor." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "Padrão: hard" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "ldap_tls_cacert (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "ldap_tls_cacertdir (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "Padrão: false;" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" +"Padrão: Sistema keytab, normalmente <filename>/etc/krb5.keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "Padrão: 86400 (24 horas)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. 
It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. 
Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2222
+msgid ""
+"The difference between these options is the action taken if user password is "
+"expired: pwd_expire_policy_reject - user is denied to log in, "
+"pwd_expire_policy_warn - user is still able to log in, "
+"pwd_expire_policy_renew - user is prompted to change his password "
+"immediately."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2230
+msgid ""
+"Note If user password is expired no explicit message is prompted by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2234
+msgid ""
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2239
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2244
+msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2248
+msgid ""
+"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+"remote host can access"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2252
+msgid ""
+"Please note, rhost field in pam is set by application, it is better to check "
+"what the application sends to pam, before enabling this access control option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2257
+msgid "Default: filter"
+msgstr "Padrão: filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2260
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2267
+msgid "ldap_pwdlockout_dn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2270
+msgid ""
+"This option specifies the DN of password policy entry on LDAP server. Please "
+"note that absence of this option in sssd.conf in case of enabled account "
+"lockout checking will yield access denied as ppolicy attributes on LDAP "
+"server cannot be checked properly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2278
+msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2281
+msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2287
+msgid "ldap_deref (string)"
+msgstr "ldap_deref (string)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2290
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2295
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2299
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2304
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2309
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2314
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2322
+msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2325
+msgid ""
+"Allows to retain local users as members of an LDAP group for servers that "
+"use the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2329
+msgid ""
+"In some environments where the RFC2307 schema is used, local users are made "
+"members of LDAP groups by adding their names to the memberUid attribute. "
+"The self-consistency of the domain is compromised when this is done, so SSSD "
+"would normally remove the \"missing\" users from the cached group "
+"memberships as soon as nsswitch tries to fetch information about the user "
+"via getpw*() or initgroups() calls."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2340
+msgid ""
+"This option falls back to checking if local users are referenced, and caches "
+"them so that later initgroups() calls will augment the local users with the "
+"additional LDAP groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136
+msgid "wildcard_limit (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2355
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2359
+msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2363
+msgid "Default: 1000 (often the size of one page)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. 
Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2373
+msgid "SUDO OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2375
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2386
+msgid "ldap_sudorule_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2389
+msgid "The object class of a sudo rule entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2392
+msgid "Default: sudoRole"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2398
+msgid "ldap_sudorule_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2401
+msgid "The LDAP attribute that corresponds to the sudo rule name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2411
+msgid "ldap_sudorule_command (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2414
+msgid "The LDAP attribute that corresponds to the command name."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2418
+msgid "Default: sudoCommand"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2424
+msgid "ldap_sudorule_host (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2427
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2432
+msgid "Default: sudoHost"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2438
+msgid "ldap_sudorule_user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2441
+msgid ""
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2445
+msgid "Default: sudoUser"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2451
+msgid "ldap_sudorule_option (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2454
+msgid "The LDAP attribute that corresponds to the sudo options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2458
+msgid "Default: sudoOption"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2464
+msgid "ldap_sudorule_runasuser (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2467
+msgid ""
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2471
+msgid "Default: sudoRunAsUser"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2477
+msgid "ldap_sudorule_runasgroup (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2480
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2484
+msgid "Default: sudoRunAsGroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2490
+msgid "ldap_sudorule_notbefore (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2493
+msgid ""
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2497
+msgid "Default: sudoNotBefore"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2503
+msgid "ldap_sudorule_notafter (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2506
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2511
+msgid "Default: sudoNotAfter"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2517
+msgid "ldap_sudorule_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2520
+msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2524
+msgid "Default: sudoOrder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2530
+msgid "ldap_sudo_full_refresh_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2533
+msgid ""
+"How many seconds SSSD will wait between executing a full refresh of sudo "
+"rules (which downloads all rules that are stored on the server)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2538
+msgid ""
+"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2543
+msgid "Default: 21600 (6 hours)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2549
+msgid "ldap_sudo_smart_refresh_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2552
+msgid ""
+"How many seconds SSSD has to wait before executing a smart refresh of sudo "
+"rules (which downloads all rules that have USN higher than the highest USN "
+"of cached rules)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2558
+msgid ""
+"If USN attributes are not supported by the server, the modifyTimestamp "
+"attribute is used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2568
+msgid "ldap_sudo_use_host_filter (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2571
+msgid ""
+"If true, SSSD will download only rules that are applicable to this machine "
+"(using the IPv4 or IPv6 host/network addresses and hostnames)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2582
+msgid "ldap_sudo_hostnames (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2585
+msgid ""
+"Space separated list of hostnames or fully qualified domain names that "
+"should be used to filter the rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2590
+msgid ""
+"If this option is empty, SSSD will try to discover the hostname and the "
+"fully qualified domain name automatically."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636
+#: sssd-ldap.5.xml:2654
+msgid ""
+"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+"emphasis> then this option has no effect."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623
+msgid "Default: not specified"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2606
+msgid "ldap_sudo_ip (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2609
+msgid ""
+"Space separated list of IPv4 or IPv6 host/network addresses that should be "
+"used to filter the rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2614
+msgid ""
+"If this option is empty, SSSD will try to discover the addresses "
+"automatically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2629
+msgid "ldap_sudo_include_netgroups (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2632
+msgid ""
+"If true then SSSD will download every rule that contains a netgroup in "
+"sudoHost attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2647
+msgid "ldap_sudo_include_regexp (boolean)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2650
+msgid ""
+"If true then SSSD will download every rule that contains a wildcard in "
+"sudoHost attribute."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2666
+msgid ""
+"This manual page only describes attribute name mapping. For detailed "
+"explanation of sudo related attribute semantics, see <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2676
+msgid "AUTOFS OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2678
+msgid ""
+"Some of the defaults for the parameters below are dependent on the LDAP "
+"schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2684
+msgid "ldap_autofs_map_master_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2687
+msgid "The name of the automount master map in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2690
+msgid "Default: auto.master"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2697
+msgid "ldap_autofs_map_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2700
+msgid "The object class of an automount map entry in LDAP."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "OPÇÕES AVANÇADAS"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (string)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "EXEMPLO"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "NOTAS"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "Módulo PAM para SSSD"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. 
The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr "MÓDULOS TIPO FORNECIDOS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr "FICHEIROS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:220
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permissions."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:230
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr "sssd_krb5_locator_plugin"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_locator_plugin.8.xml:16
+msgid "Kerberos locator plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use. Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
+"To simplify the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. 
"
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variables and returns them to the "
+"libraries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr "sssd-simple"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:47
+msgid ""
+"If any list is provided, the order of evaluation is allow,deny. This means "
+"that any matching deny rule will supersede any matched allow rule."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:54
+msgid ""
+"If either or both \"allow\" lists are provided, all users are denied unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:60
+msgid ""
+"If only \"deny\" lists are provided, all users are granted access unless "
+"they appear in the list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:78
+msgid "simple_allow_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:81
+msgid "Comma separated list of users who are allowed to log in."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:88
+msgid "simple_deny_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:91
+msgid "Comma separated list of users who are explicitly denied access."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:97
+msgid "simple_allow_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:100
+msgid ""
+"Comma separated list of groups that are allowed to log in. This applies only "
+"to groups within this SSSD domain. Local groups are not evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-simple.5.xml:108
+msgid "simple_deny_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-simple.5.xml:111
+msgid ""
+"Comma separated list of groups that are explicitly denied access. This "
+"applies only to groups within this SSSD domain. Local groups are not "
+"evaluated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116
+msgid ""
+"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page for details on the configuration of an SSSD "
+"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:120
+msgid ""
+"Specifying no values for any of the lists is equivalent to skipping it "
+"entirely. Beware of this while generating parameters for the simple provider "
+"using automated scripts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:125
+msgid ""
+"Please note that it is an configuration error if both, simple_allow_users "
+"and simple_deny_users, are defined."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:133
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the simple access provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. 
A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. 
"
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. 
"
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:199
+msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:204
+msgid "<SAN:pkinit>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:207
+msgid "Match the Kerberos principals from the PKINIT SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:210
+msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:215
+msgid "<SAN:dotted-decimal-oid>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:218
+msgid ""
+"Take the value of the otherName SAN component given by the OID in dotted-"
+"decimal notation, interpret it as string and try to match it against the "
+"regular expression."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:224
+msgid "Example: <SAN:1.2.3.4>test"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:229
+msgid "<SAN:otherName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:232
+msgid ""
+"Do a binary match with the base64 encoded blob against all otherName SAN "
+"components. With this option it is possible to match against custom "
+"otherName components with special encodings which could not be treated as "
+"strings."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:239
+msgid "Example: <SAN:otherName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:244
+msgid "<SAN:rfc822Name>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:247
+msgid "Match the value of the rfc822Name SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:250
+msgid "Example: <SAN:rfc822Name>.*@email\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:255
+msgid "<SAN:dNSName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:258
+msgid "Match the value of the dNSName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:261
+msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:266
+msgid "<SAN:x400Address>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:269
+msgid "Binary match the value of the x400Address SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:272
+msgid "Example: <SAN:x400Address>MTIz"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:277
+msgid "<SAN:directoryName>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:280
+msgid ""
+"Match the value of the directoryName SAN. The same comments as given for <"
+"ISSUER> and <SUBJECT> apply here as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:285
+msgid "Example: <SAN:directoryName>.*,DC=com"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:290
+msgid "<SAN:ediPartyName>base64-string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:293
+msgid "Binary match the value of the ediPartyName SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:296
+msgid "Example: <SAN:ediPartyName>MTIz"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:301
+msgid "<SAN:uniformResourceIdentifier>regular-expression"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:304
+msgid "Match the value of the uniformResourceIdentifier SAN."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:307
+msgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "ipa_domain (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "ipa_hostname (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "Default: Use base DN" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "ipa_hbac_search_base (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. 
It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +#, fuzzy +#| msgid "ldap_search_base (string)" +msgid "ldap_search_base" +msgstr "ldap_search_base (string)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +#, fuzzy +#| msgid "ldap_user_search_base (string)" +msgid "ldap_user_search_base" +msgstr "ldap_user_search_base (string)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +#, fuzzy +#| msgid "ldap_group_search_base (string)" +msgid "ldap_group_search_base" +msgstr "ldap_group_search_base (string)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. 
In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. 
For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. 
If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. 
The SSSD would connect to the LDAP "
+"port of trusted domains instead. However, Global Catalog must be used in "
+"order to resolve cross-domain group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:347
+msgid "ad_gpo_access_control (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:350
+msgid ""
+"This option specifies the operation mode for GPO-based access control "
+"functionality: whether it operates in disabled mode, enforcing mode, or "
+"permissive mode. Please note that the <quote>access_provider</quote> option "
+"must be explicitly set to <quote>ad</quote> in order for this option to have "
+"an effect."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:359
+msgid ""
+"GPO-based access control functionality uses GPO policy settings to determine "
+"whether or not a particular user is allowed to logon to a particular host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:365
+msgid ""
+"NOTE: The current version of SSSD does not support host (computer) entries "
+"in the GPO 'Security Filtering' list. Only user and group entries are "
+"supported. Host entries in the list have no effect."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:372
+msgid ""
+"NOTE: If the operation mode is set to enforcing, it is possible that users "
+"that were previously allowed logon access will now be denied logon access "
+"(as dictated by the GPO policy settings). 
In order to facilitate a smooth "
+"transition for administrators, a permissive mode is available that will not "
+"enforce the access control rules, but will evaluate them and will output a "
+"syslog message if access would have been denied. By examining the logs, "
+"administrators can then make the necessary changes before setting the mode "
+"to enforcing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:385
+msgid "There are three supported values for this option:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:389
+msgid ""
+"disabled: GPO-based access control rules are neither evaluated nor enforced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:395
+msgid "enforcing: GPO-based access control rules are evaluated and enforced."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:401
+msgid ""
+"permissive: GPO-based access control rules are evaluated, but not enforced. "
+"Instead, a syslog message will be emitted indicating that the user would "
+"have been denied access if this option's value were set to enforcing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:412
+msgid "Default: permissive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:415
+msgid "Default: enforcing"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:421
+msgid "ad_gpo_cache_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:424
+msgid ""
+"The amount of time between lookups of GPO policy files against the AD "
+"server. This will reduce the latency and load on the AD server if there are "
+"many access-control requests made in a short period."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:437
+msgid "ad_gpo_map_interactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:440
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the InteractiveLogonRight and "
+"DenyInteractiveLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:446
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on locally\" and \"Deny log on locally\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:460
+#, no-wrap
+msgid ""
+"ad_gpo_map_interactive = +my_pam_service, -login\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:451
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>login</quote>) with a custom pam service name (e.g. 
"
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651
+#: sssd-ad.5.xml:717
+msgid "Default: the default set of PAM service names includes:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:468
+msgid "login"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:473
+msgid "su"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:478
+msgid "su-l"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:483
+msgid "gdm-fingerprint"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:488
+msgid "gdm-password"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:493
+msgid "gdm-smartcard"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:498
+msgid "kdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:503
+msgid "lightdm"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:508
+msgid "lxdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:513
+msgid "sddm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:518
+msgid "unity"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:523
+msgid "xdm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:532
+msgid "ad_gpo_map_remote_interactive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:535
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the RemoteInteractiveLogonRight and "
+"DenyRemoteInteractiveLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:541
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on through Remote Desktop Services\" and \"Deny log on through Remote "
+"Desktop Services\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:556
+#, no-wrap
+msgid ""
+"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:547
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>sshd</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:564
+msgid "sshd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:569
+msgid "cockpit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:578
+msgid "ad_gpo_map_network (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:581
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the NetworkLogonRight and "
+"DenyNetworkLogonRight policy settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:587
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Access "
+"this computer from the network\" and \"Deny access to this computer from the "
+"network\"."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:602
+#, no-wrap
+msgid ""
+"ad_gpo_map_network = +my_pam_service, -ftp\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:593
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>ftp</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:610
+msgid "ftp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:615
+msgid "samba"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:624
+msgid "ad_gpo_map_batch (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:627
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
+"policy settings."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:633
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on as a batch job\" and \"Deny log on as a batch job\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:647
+#, no-wrap
+msgid ""
+"ad_gpo_map_batch = +my_pam_service, -crond\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:638
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for this logon right (e.g. "
+"<quote>crond</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:655
+msgid "crond"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:664
+msgid "ad_gpo_map_service (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:667
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access "
+"control is evaluated based on the ServiceLogonRight and "
+"DenyServiceLogonRight policy settings."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:673
+msgid ""
+"Note: Using the Group Policy Management Editor this value is called \"Allow "
+"log on as a service\" and \"Deny log on as a service\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:686
+#, no-wrap
+msgid ""
+"ad_gpo_map_service = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:678 sssd-ad.5.xml:753
+msgid ""
+"It is possible to add a PAM service name to the default set by using <quote>"
+"+service_name</quote>. Since the default set is empty, it is not possible "
+"to remove a PAM service name from the default set. For example, in order to "
+"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you "
+"would use the following configuration: <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:696
+msgid "ad_gpo_map_permit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:699
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access is "
+"always granted, regardless of any GPO Logon Rights."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:713
+#, no-wrap
+msgid ""
+"ad_gpo_map_permit = +my_pam_service, -sudo\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:704
+msgid ""
+"It is possible to add another PAM service name to the default set by using "
+"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
+"the default set by using <quote>-service_name</quote>. For example, in "
+"order to replace a default PAM service name for unconditionally permitted "
+"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. "
+"<quote>my_pam_service</quote>), you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:721
+msgid "polkit-1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:726
+msgid "sudo"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:731
+msgid "sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:736
+msgid "systemd-user"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:745
+msgid "ad_gpo_map_deny (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:748
+msgid ""
+"A comma-separated list of PAM service names for which GPO-based access is "
+"always denied, regardless of any GPO Logon Rights."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:761
+#, no-wrap
+msgid ""
+"ad_gpo_map_deny = +my_pam_service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:771
+msgid "ad_gpo_default_right (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:774
+msgid ""
+"This option defines how access control is evaluated for PAM service names "
+"that are not explicitly listed in one of the ad_gpo_map_* options. This "
+"option can be set in two different manners. First, this option can be set to "
+"use a default logon right. For example, if this option is set to "
+"'interactive', it means that unmapped PAM service names will be processed "
+"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy "
+"settings. Alternatively, this option can be set to either always permit or "
+"always deny access for unmapped PAM service names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:787
+msgid "Supported values for this option include:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:791
+msgid "interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:796
+msgid "remote_interactive"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:801
+msgid "network"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:806
+msgid "batch"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:811
+msgid "service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:816
+msgid "permit"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ad.5.xml:821
+msgid "deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:827
+msgid "Default: deny"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:833
+msgid "ad_maximum_machine_account_password_age (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:836
+msgid ""
+"SSSD will check once a day if the machine account password is older than the "
+"given age in days and try to renew it. A value of 0 will disable the renewal "
+"attempt."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:842
+msgid "Default: 30 days"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:848
+msgid "ad_machine_account_password_renewal_opts (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:851
+msgid ""
+"This option should only be used to test the machine account renewal task. 
"
+"The option expects 2 integers separated by a colon (':'). The first integer "
+"defines the interval in seconds how often the task is run. The second "
+"specifies the initial timeout in seconds before the task is run for the "
+"first time after startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:860
+msgid "Default: 86400:750 (24h and 15m)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:869
+msgid ""
+"Optional. This option tells SSSD to automatically update the Active "
+"Directory DNS server with the IP address of this client. The update is "
+"secured using GSS-TSIG. As a consequence, the Active Directory administrator "
+"only needs to allow secure updates for the DNS zone. The IP address of the "
+"AD LDAP connection is used for the updates, if it is not otherwise specified "
+"by using the <quote>dyndns_iface</quote> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:899
+msgid "Default: 3600 (seconds)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:915
+msgid ""
+"Default: Use the IP addresses of the interface which is used for AD LDAP "
+"connection"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:928
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Padrão: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1043
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This example shows only the AD provider-specific options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1050
+#, no-wrap
+msgid ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1070
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1066
+msgid ""
+"The AD access control provider checks if the account is expired. It has the "
+"same effect as the following configuration of the LDAP provider: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1076
+msgid ""
+"However, unless the <quote>ad</quote> access control provider is explicitly "
+"configured, the default access provider is <quote>permit</quote>. Please "
+"note that if you configure an access provider other than <quote>ad</quote>, "
+"you need to set all the connection parameters (such as LDAP URIs and "
+"encryption details) manually."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. "
+"This is used to keep the cache consistent by removing every rule which was "
+"deleted from the server. However, full refresh may produce a lot of traffic "
+"and thus it should be run only occasionally depending on the size and "
+"stability of the sudo rules."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:152
+msgid ""
+"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
+"more permission than defined. It is triggered each time the user runs sudo. "
+"Rules refresh will find all rules that apply to this user, check their "
+"expiration time and redownload them if expired. In the case that any of "
+"these rules are missing on the server, the SSSD will do an out of band full "
+"refresh because more rules (that apply to other users) may have been deleted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "sssd" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "Daemon de serviços de segurança do sistema" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "<option>-f</option>,<option>--debug-to-files</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. 
By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "<option>-D</option>,<option>--daemon</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "Tornar-se um daemon após a instalação." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "<option>-i</option>,<option>--interactive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "Executar em primeiro plano, não se torne um daemon." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "<option>-c</option>,<option>--config</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "<option>--version</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "Imprimir o número da versão e sair." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "Sinais" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "SIGTERM/SIGINT" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "SIGHUP" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "SIGUSR1" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "SIGUSR2" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "sss_obfuscate" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "ofuscar uma senha de texto não criptografado" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. 
The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "<option>-s</option>,<option>--stdin</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. 
Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. 
The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "Padrão: Usar o KDC" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "krb5_ccachedir (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "Padrão: /tmp." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "krb5_ccname_template (string)" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "%u" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "nome de login" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "%U" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "%p" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "nome principal" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "%r" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "nome de território" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "%h" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "%d" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "%P" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "%%" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "um literal '%'" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (integer)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Padrão: /etc/krb5.keytab" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (boolean)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Padrão: não definido, ou seja, o TGT não é renovável" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. 
See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. 
Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "sss_groupdel" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "excluir um grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "sss_groupshow" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "<option>-R</option>,<option>--recursive</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "sss_usermod" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "modificar uma conta de utilizador" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "<option>-l</option>,<option>--lock</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" +"Bloquear a conta do utilizador. O utilizador não será capaz de efetuar login." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "Desbloquear a conta de utilizador." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "VER TAMBÉM" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +#, fuzzy +#| msgid "<option>-u</option>,<option>--unlock</option>" +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "<option>-u</option>,<option>--unlock</option>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +#, fuzzy +#| msgid "allowed_shells (string)" +msgid "passwd_files (string)" +msgstr "allowed_shells (string)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +#, fuzzy +#| msgid "Default: /tmp" +msgid "Default: /etc/passwd" +msgstr "Padrão: /tmp." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +#, fuzzy +#| msgid "ldap_group_search_base (string)" +msgid "group_files (string)" +msgstr "ldap_group_search_base (string)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +#, fuzzy +#| msgid "Default: /tmp" +msgid "Default: /etc/group" +msgstr "Padrão: /tmp." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "DESCOBERTA DE SERVIÇOS" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "Configuração" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "O nome de domínio" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "O protocolo" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "Ver também" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. 
The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "Exibe a mensagem de ajuda e sai." + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "<option>-h</option>,<option>--help</option>" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. 
Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. 
The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, 
<citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "override_homedir (string)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "Número UID" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "nome de domínio" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "%f" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "nome totalmente qualificado do utilizador (utilizador@domínio)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/pt_BR.po b/src/man/po/pt_BR.po
new file mode 100644
index 0000000..cec3d6a
--- /dev/null
+++ b/src/man/po/pt_BR.po
@@ -0,0 +1,15609 @@
+# Marco Aurélio Krause <ouesten@me.com>, 2015. #zanata
+# Rodrigo de Araujo Sousa Fonseca <rodrigodearaujo@fedoraproject.org>, 2017. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2017-01-29 10:11+0000\n"
+"Last-Translator: Rodrigo de Araujo Sousa Fonseca "
+"<rodrigodearaujo@fedoraproject.org>\n"
+"Language-Team: Portuguese (Brazil)\n"
+"Language: pt_BR\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Zanata 4.4.5\n"
+"Plural-Forms: nplurals=2; plural=(n != 1)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod "
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "Modificar um grupo" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "DESCRIÇÃO" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "OPÇÕES" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "ssd.conf " + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "O arquivo de configuração para SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "FORMATO DE ARQUIVO " + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "OPÇÕES GERAIS " + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "Default: 14400 (4 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. 
Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +msgid "Default:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. 
The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +msgid "passwd_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +msgid "Default: /etc/passwd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +msgid "group_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" diff --git a/src/man/po/ru.po b/src/man/po/ru.po new file mode 100644 index 0000000..b739fc6 --- /dev/null +++ b/src/man/po/ru.po 
@@ -0,0 +1,15622 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# +# Translators: +# Artyom Kunyov <artkun@guitarplayer.ru>, 2012 +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.1\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: 2014-12-15 12:07+0000\n" +"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n" +"Language-Team: Russian (http://www.transifex.com/projects/p/sssd/language/" +"ru/)\n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" +"X-Generator: Zanata 4.4.5\n" + +#. type: Content of: <reference><title> +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 +#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 +#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 +#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 +#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 +#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 +#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 +#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 +#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 +#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 +#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "Справка по SSSD" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "изменить группу" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "ОПИСАНИЕ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "ОПЦИИ" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.CONF" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "Файл конфигурации SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "ФОРМАТ ФАЙЛА" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "По умолчанию: false" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "По умолчанию: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "службы" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "попыток_соединения (целое число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "По умолчанию: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "домены" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "По умолчанию: 120" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "По умолчанию: 15" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +#, fuzzy +#| msgid "Default: 10" +msgid "Default: 14400 (4 hours)" +msgstr "По умолчанию: 10" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "По умолчанию: root" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "По умолчанию: 0 (неограничено)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "По умолчанию: 5" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "В настоящее время sssd поддерживает следующие значения:" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "По умолчанию: 1" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. 
Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "По умолчанию: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. 
The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. 
If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "По умолчанию: FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. 
The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2254
+msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2258
+msgid "<quote>none</quote> disables authentication explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2261
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"authentication requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2267
+msgid "access_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2270
+msgid ""
+"The access control provider used for the domain. There are two built-in "
+"access providers (in addition to any included in installed backends) "
+"Internal special providers are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2276
+msgid ""
+"<quote>permit</quote> always allow access. It's the only permitted access "
+"provider for a local domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2279
+msgid "<quote>deny</quote> always deny access."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2306
+msgid ""
+"<quote>simple</quote> access control based on access or deny lists. See "
+"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for more information on configuring the simple "
+"access module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2313
+msgid ""
+"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2320
+msgid "<quote>proxy</quote> for relaying access control to another PAM module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2323
+msgid "Default: <quote>permit</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2328
+msgid "chpass_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2331
+msgid ""
+"The provider which should handle change password operations for the domain. 
"
+"Supported change password providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2336
+msgid ""
+"<quote>ldap</quote> to change a password stored in a LDAP server. See "
+"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2344
+msgid ""
+"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2369
+msgid ""
+"<quote>proxy</quote> for relaying password changes to some other PAM target."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2373
+msgid "<quote>none</quote> disallows password changes explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2376
+msgid ""
+"Default: <quote>auth_provider</quote> is used if it is set and can handle "
+"change password requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2383
+msgid "sudo_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2386
+msgid "The SUDO provider used for the domain. Supported SUDO providers are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2390
+msgid ""
+"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2398
+msgid ""
+"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2402
+msgid ""
+"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
+"settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2406
+msgid "<quote>none</quote> disables SUDO explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565
+#: sssd.conf.5.xml:2590
+msgid "Default: The value of <quote>id_provider</quote> is used if it is set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2413
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
+"options that can be used to adjust the behavior. Please refer to "
+"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2428
+msgid ""
+"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
+"background unless the sudo provider is explicitly disabled. Set "
+"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
+"activity in SSSD if you do not want to use sudo with SSSD at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2438
+msgid "selinux_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2441
+msgid ""
+"The provider which should handle loading of selinux settings. Note that this "
+"provider will be called right after access provider ends. Supported selinux "
+"providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2447
+msgid ""
+"<quote>ipa</quote> to load selinux settings from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2455
+msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2458
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can handle "
+"selinux loading requests."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2464
+msgid "subdomains_provider (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2467
+msgid ""
+"The provider which should handle fetching of subdomains. This value should "
+"be always the same as id_provider. Supported subdomain providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2473
+msgid ""
+"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2482
+msgid ""
+"<quote>ad</quote> to load a list of subdomains from an Active Directory "
+"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2491
+msgid "<quote>none</quote> disallows fetching subdomains explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2501
+msgid "session_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2504
+msgid ""
+"The provider which configures and manages user session related tasks. The "
+"only user session task currently provided is the integration with Fleet "
+"Commander, which works only with IPA. Supported session providers are:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2511
+msgid "<quote>ipa</quote> to allow performing user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2515
+msgid ""
+"<quote>none</quote> does not perform any kind of user session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2519
+msgid ""
+"Default: <quote>id_provider</quote> is used if it is set and can perform "
+"session related tasks."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2523
+msgid ""
+"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
+"SSSD must be running as \"root\" and not as the unprivileged user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2531
+msgid "autofs_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2534
+msgid ""
+"The autofs provider used for the domain. Supported autofs providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2538
+msgid ""
+"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2545
+msgid ""
+"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> "
+"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2553
+msgid ""
+"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring the AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2562
+msgid "<quote>none</quote> disables autofs explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2572
+msgid "hostid_provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2575
+msgid ""
+"The provider used for retrieving host identity information. Supported "
+"hostid providers are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2579
+msgid ""
+"<quote>ipa</quote> to load host identity stored in an IPA server. See "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for more information on configuring IPA."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2587
+msgid "<quote>none</quote> disables hostid explicitly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2600
+msgid ""
+"Regular expression for this domain that describes how to parse the string "
+"containing user name and domain into these components. 
The \"domain\" can "
+"match either the SSSD configuration domain name, or, in the case of IPA "
+"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
+"the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2609
+msgid ""
+"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
+"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
+"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
+"user names:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2614
+msgid "username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2617
+msgid "username@domain.name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:2620
+msgid "domain\\username"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2623
+msgid ""
+"While the first two correspond to the general default the third one is "
+"introduced to allow easy integration of users from Windows domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2628
+msgid ""
+"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
+"which translates to \"the name is everything up to the <quote>@</quote> "
+"sign, the domain everything after that\""
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2634
+msgid ""
+"NOTE: Some Active Directory groups, typically those used for MS Exchange "
+"contain an <quote>@</quote> sign in the name, which clashes with the default "
+"re_expression value for the AD and IPA providers. To support these groups, "
+"consider changing the re_expression value to: <quote>((?P<name>.+)@(?"
+"P<domain>[^@]+$))</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2685
+msgid "Default: <quote>%1$s@%2$s</quote>."
+msgstr "По умолчанию: <quote>%1$s@%2$s</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2691
+msgid "lookup_family_order (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2694
+msgid ""
+"Provides the ability to select preferred address family to use when "
+"performing DNS lookups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2698
+msgid "Supported values:"
+msgstr "Поддерживаемые значения:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2701
+msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2704
+msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2707
+msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2710
+msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2713
+msgid "Default: ipv4_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2719
+msgid "dns_resolver_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2722
+msgid ""
+"Defines the amount of time (in seconds) to wait for a reply from the "
+"internal fail over service before assuming that the service is unreachable. "
+"If this timeout is reached, the domain will continue to operate in offline "
+"mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2729
+msgid ""
+"Please see the section <quote>FAILOVER</quote> for more information about "
+"the service resolution."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
+#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248
+msgid "Default: 6"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2740
+msgid "dns_discovery_domain (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2743
+msgid ""
+"If service discovery is used in the back end, specifies the domain part of "
+"the service discovery DNS query."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr "По умолчанию: использовать доменное имя из hostname"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled." 
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. 
Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "По умолчанию: <filename>/home</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "По умолчанию: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "По умолчанию: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "По умолчанию: <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "По умолчанию: <filename>/var/mail</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. 
Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "ПАРАМЕТРЫ КОНФИГУРАЦИИ" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "По умолчанию: rfc2307" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "пароль" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "По умолчанию: posixAccount" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "По умолчанию: gecos" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "По умолчанию: homeDirectory" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "По умолчанию: loginShell" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "По умолчанию: modifyTimestamp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "По умолчанию: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "По умолчанию: shadowInactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "По умолчанию: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. 
SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. 
This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. 
If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. 
If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "ПРИМЕР" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). 
Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. 
In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. 
" +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. 
(<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. 
The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. 
Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. 
the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. 
attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. 
If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. 
" +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." +"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. 
The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). 
In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. 
" +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. 
It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "СМ. ТАКЖЕ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+msgid "passwd_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: gecos"
+msgid "Default: /etc/passwd"
+msgstr "По умолчанию: gecos"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+msgid "group_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: gecos"
+msgid "Default: /etc/group"
+msgstr "По умолчанию: gecos"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. 
All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" diff --git a/src/man/po/sssd-docs.pot b/src/man/po/sssd-docs.pot new file mode 100644 index 0000000..dfc52d1 --- /dev/null +++ b/src/man/po/sssd-docs.pot 
@@ -0,0 +1,15583 @@ +# SOME DESCRIPTIVE TITLE +# Copyright (C) YEAR Red Hat +# This file is distributed under the same license as the sssd-docs package. +# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: sssd-docs 1.16.3\n" +"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" +"POT-Creation-Date: 2018-08-12 13:01+0000\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" +"Language-Team: LANGUAGE <LL@li.org>\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. type: Content of: <reference><title> +#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5 sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5 +msgid "SSSD Manual pages" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15 +msgid "sss_groupmod" +msgstr "" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> " +"<replaceable>GROUPS</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the " +"<replaceable>GROUPS</replaceable> parameter. The " +"<replaceable>GROUPS</replaceable> parameter is a comma separated list of " +"group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> " +"<replaceable>GROUPS</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the " +"<replaceable>GROUPS</replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 sssd-systemtap.5.xml:11 +msgid "5" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and " +"multi-valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory " +"<filename>conf.d</filename>. This feature is available if SSSD was compiled " +"with libini version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as " +"<filename>sssd.conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase " +"condition=\"with_ssh\">, ssh</phrase> <phrase " +"condition=\"with_pac_responder\">, pac</phrase> <phrase " +"condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes " +"how to compose a fully qualified name from user name and domain name " +"components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. 
Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at " +"build-time. (__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. 
The way to override the " +"systemd unit files is by creating the appropriate files in " +"/etc/systemd/system/. Keep in mind that any change in the socket user, " +"group or permissions may result in a non-usable SSSD. The same may occur in " +"case of changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log " +"in. Setting this option changes default of use_fully_qualified_names to " +"True. It is not allowed to use this option together with " +"use_fully_qualified_names set to False." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. 
The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. 
The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be " +"<quote>[nss]</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) " +"service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "Default: 14400 (4 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. If the shell is in the allowed_shells list but not in " +"<quote>/etc/shells</quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in " +"<quote>/etc/shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the " +"machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during " +"lookup. This option can be specified globally in the [nss] section or " +"per-domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for details) but with no default " +"values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during " +"authentication. The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a " +"per-client-application basis) how long (in seconds) we can cache the " +"identity information to avoid excessive round-trips to the identity " +"provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting " +"<emphasis>pwd_expiration_warning</emphasis> for a particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +msgid "Default:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. The detailed " +"instructions for configuration of <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> are in the manual page " +"<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group " +"searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> " +"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. 
If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, " +"i.e. the system defaults are used, but can be overwritten with the " +"default_shell parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> " +"<refentrytitle>sssd-session-recording</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording " +"enabled. Matches user names as returned by NSS. I.e. after the possible " +"space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For " +"non-primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. 
This " +"parameter can have one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the " +"<quote>sssd_be</quote> process becoming unresponsive or even restarted by " +"the internal watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the " +"cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> " +"<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on how to mirror local users and groups " +"into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified " +"names. For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> " +"</citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for more information on configuring " +"the simple access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for more information on configuring " +"Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. " +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. 
Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. 
Supported session providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: " +"<quote>(((?P<domain>[^\\\\]+)\\\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\\\]+)$))</quote> " +"which allows three different styles for user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: " +"<quote>((?P<name>.+)@(?P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is " +"unreachable. If this timeout is reached, the domain will continue to operate " +"in offline mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>) is appealing to applications as a gateway to an LDAP " +"directory where users and groups are stored. However, contrary to the " +"traditional SSSD deployment where all users and groups either have POSIX " +"attributes or those attributes can be inferred from the Windows SIDs, in " +"many cases the users and groups in the application support scenario have no " +"POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an " +"<quote>[application/<replaceable>NAME</replaceable>]</quote> section that " +"internally represents a domain with type <quote>application</quote> " +"optionally inherits settings from a tradition SSSD domain." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called " +"<quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>. " +"Where DOMAIN_NAME is the actual joined-to base domain. Please refer to " +"examples below for explanation. Currently supported options in the trusted " +"domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " +"information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is " +"required. <command>sssd</command> <emphasis>does not</emphasis> support " +"authentication over an unencrypted channel. If the LDAP server is used only " +"as an identity provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the " +"<quote>FAILOVER</quote> section for more information on failover and server " +"redundancy. If neither option is specified, service discovery is " +"enabled. For more information, refer to the <quote>SERVICE DISCOVERY</quote> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a " +"user. Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by " +"http://www.ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = " +"cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the " +"<quote>ldap</quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (date of the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (minimum password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (maximum password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> counterpart (password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> counterpart (account expiration " +"date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP " +"schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>phone</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>authorized_service</quote> in order " +"for the ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups " +"(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD " +"will follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink " +"url=\"http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx\"> " +"MSDN(TM) documentation</ulink> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " +"<manvolnum>2</manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> " +"</citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value " +"vs. the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single " +"request. Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use " +"it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in " +"<filename>/etc/openldap/ldap.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem " +"class=\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example " +"host/myhost@EXAMPLE.COM) or just the principal name (for example " +"host/myhost). By default, the value is not set and the following principals " +"are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them " +"are found, the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of " +"preference. For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of " +"SSSD. While the legacy name is recognized for the time being, users are " +"advised to migrate their config files to use <quote>krb5_server</quote> " +"instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more information on " +"the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client " +"side. The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use " +"<citerefentry><refentrytitle>shadow</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> style attributes to evaluate if the " +"password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, " +"<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check " +"if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is " +"allowed. If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option " +"<emphasis>must</emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the " +"<quote>ppolicy</quote> option and might be removed in a future release. " +"</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control " +"option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for full details. " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval " +"</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is " +"<emphasis>false</emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise " +"automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder " +"type=\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" " +"id=\"2\"/> <placeholder type=\"variablelist\" id=\"3\"/> <placeholder " +"type=\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" " +"id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " +"type=\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 sssd-files.5.xml:110 sssd-session-recording.5.xml:150 include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> " +"<replaceable>quiet</replaceable> </arg> <arg choice='opt'> " +"<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> " +"<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> " +"<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> " +"<replaceable>retry=N</replaceable> </arg> <arg choice='opt'> " +"<replaceable>ignore_unknown_user</replaceable> </arg> <arg choice='opt'> " +"<replaceable>ignore_authinfo_unavail</replaceable> </arg> <arg choice='opt'> " +"<replaceable>domains=X</replaceable> </arg> <arg choice='opt'> " +"<replaceable>allow_missing_name</replaceable> </arg> <arg choice='opt'> " +"<replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied " +"access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for more information on " +"these two PAM responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be " +"displayed. This message can e.g. contain instructions about how to reset a " +"password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file " +"<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a " +"locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> " +"</citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory " +"<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file " +"is present a generic message is displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to tell the Kerberos libraries what Realm and which KDC to use. Typically " +"this is done in <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> which is always read by the " +"Kerberos libraries. To simplify the configuration the Realm and the KDC can " +"be defined in <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This examples shows only the simple access provider-specific " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain " +"list</quote>. All components are optional. A missing <quote>priority</quote> " +"will add the rule with the lowest priority. The default <quote>matching " +"rule</quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to " +"match. Multiple keyword pattern pairs can be either joined with '&&' " +"(and) or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be " +"matched. All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as " +"<SAN:Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in " +"dotted-decimal notation, interpret it as string and try to match it against " +"the regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for " +"<ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: " +"(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: " +"(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: " +"(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: " +"(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: " +"(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> identity provider and the <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> authentication provider with optimizations for IPA " +"environments. 
The IPA provider accepts the same options used by the " +"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " +"neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to " +"<quote>ipa</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the " +"<quote>dyndns_iface</quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_update</emphasis> option, users should migrate to using " +"<emphasis>dyndns_update</emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_ttl</emphasis> option, users should migrate to using " +"<emphasis>dyndns_ttl</emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old " +"<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using " +"<emphasis>dyndns_iface</emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains " +"\"_location.hostname.example.com\" and then fall back to traditional SRV " +"discovery. If the location based discovery succeeds, the IPA servers located " +"with the location based discovery are treated as primary servers and the IPA " +"servers located using the traditional SRV discovery are used as back up " +"servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of " +"sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to " +"<quote>kdcinfo</quote> files read by the Kerberos locator plugin. Please " +"refer to the <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory " +"server. This provider requires that the machine be joined to the AD domain " +"and a keytab is available. Back end communication occurs over a " +"GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD " +"provider and will be superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or " +"later. Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always " +"auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> identity provider and the <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> authentication provider with optimizations for Active " +"Directory environments. 
The AD provider accepts the same options used by the " +"sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " +"neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to " +"<quote>ad</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as " +"case-insensitive in the AD provider for compatibility with Active " +"Directory's LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the " +"<quote>access_provider</quote> option must be explicitly set to " +"<quote>ad</quote> in order for this option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or " +"forest. This extended filter would consist of: " +"<quote>KEYWORD:NAME:FILTER</quote>. The keyword can be either " +"<quote>DOM</quote>, <quote>FOREST</quote> or missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then " +"<quote>NAME</quote> specifies the domain or subdomain the filter applies " +"to. If the keyword equals to <quote>FOREST</quote>, then the filter equals " +"to all domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full " +"DOM:domain.example.org: syntax to ensure the parser does not attempt to " +"interpret the colon characters associated with the OID. If you do not use " +"this OID then nested group membership will not be resolved. See usage " +"example below and refer here for further information about the OID: <ulink " +"url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] " +"section LDAP extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the " +"per-domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>login</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>sshd</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. <quote>ftp</quote>) with a custom pam service name " +"(e.g. 
<quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right " +"(e.g. 
<quote>crond</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using " +"<quote>+service_name</quote>. Since the default set is empty, it is not " +"possible to remove a PAM service name from the default set. For example, in " +"order to add a custom pam service name (e.g. <quote>my_pam_service</quote>), " +"you would use the following configuration: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name " +"(e.g. <quote>my_pam_service</quote>), you would use the following " +"configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal " +"task. The option expects 2 integers separated by a colon (':'). The first " +"integer defines the interval in seconds how often the task is run. The " +"second specifies the initial timeout in seconds before the task is run for " +"the first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and " +"example.com is one of the domains in the <replaceable>[sssd]</replaceable> " +"section. This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> file (which should contain rules " +"that apply to local users) and then in SSSD, the nsswitch.conf file should " +"contain the following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> to your NIS domain name (which equals to IPA domain name " +"when using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. To speed up the LDAP lookups, you " +"can also set search base for sudo rules using " +"<emphasis>ldap_sudo_search_base</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase " +"condition=\"have_systemd\"> It's important to note that on platforms where " +"systemd is supported there's no need to add the \"sudo\" provider to the " +"list of services, as it became optional. However, sssd-sudo.socket must be " +"enabled instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree " +"(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the " +"server. This is used to keep the cache consistent by removing every rule " +"which was deleted from the server. However, full refresh may produce a lot " +"of traffic and thus it should be run only occasionally depending on the size " +"and stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs " +"sudo. Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. 
In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been " +"deleted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this " +"machine. This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> and \"sudo_*\" in <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> " +"<replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by " +"<option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is " +"<filename>/etc/sssd/sssd.conf</filename>. 
For reference on the config file " +"syntax and options, consult the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>[PASSWORD]</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into " +"human-unreadable format and places it into appropriate domain section of the " +"SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. 
Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more details on these parameters." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> " +"<replaceable>DOMAIN</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is " +"<quote>default</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg " +"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> " +"<optional><option>-n,--name</option> NAME</optional> " +"<optional><option>-u,--uid</option> UID</optional> " +"<optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> " +"<optional><option>-s,--shell</option> SHELL</optional> " +"<optional><option>-c,--gecos</option> GECOS</optional> " +"<optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> " +"DOMAIN</optional>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in " +"<emphasis>FILE</emphasis>. See <emphasis>user-import</emphasis> for data " +"format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> " +"<optional><option>-n,--name</option> NAME</optional> " +"<optional><option>-g,--gid</option> GID</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> " +"DOMAIN</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in " +"<emphasis>FILE</emphasis>. See <emphasis>group-import</emphasis> for data " +"format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>LOGIN</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> " +"<replaceable>COMMENT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> " +"<replaceable>HOME_DIR</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. 
The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with " +"<quote>user_defaults/baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> " +"<replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. The default is currently " +"<filename>/bin/bash</filename>. The default can be changed with " +"<quote>user_defaults/defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> " +"<replaceable>GROUPS</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> " +"<replaceable>SKELDIR</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or " +"<option>--create-home</option>) option is specified, or creation of home " +"directories is set to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, please refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> " +"<refentrytitle>.k5login</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> for more details. Please note that an empty .k5login file " +"will deny all access to this user. To activate this feature, use " +"'access_provider = krb5' in your SSSD configuration." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of " +"preference. For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. 
NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is " +"<quote>KEYRING:persistent:%U</quote>, which uses the Linux kernel keyring to " +"store credentials on a per-UID basis. This is also the recommended choice, " +"as it is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> uses different expansion sequences " +"than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos " +"pre-authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise " +"principal. See section 5 of RFC 6806 for more details about enterprise " +"principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. " +"<quote>richard@REALM</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>, for " +"details on the configuration of an SSSD domain. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>LOGIN</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>GROUP</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>LOGIN</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the " +"<replaceable>GROUPS</replaceable> parameter. The " +"<replaceable>GROUPS</replaceable> parameter is a comma separated list of " +"group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the " +"<replaceable>GROUPS</replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> " +"<replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> " +"<replaceable>netgroup</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> " +"<replaceable>service</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> " +"<replaceable>autofs-map</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> " +"<replaceable>hostname</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> " +"<replaceable>rule</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> " +"<replaceable>domain</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>NEW_DEBUG_LEVEL</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg choice='plain'>-D " +"<replaceable>DOMAIN</replaceable></arg> <arg choice='plain'>-n " +"<replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> " +"<replaceable>DOMAIN</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> " +"<replaceable>USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> " +"<replaceable>PASS_FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or " +"--password-file option) must be less than or equal to PASS_MAX bytes (64 " +"bytes on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> and includes: <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using " +"<quote>+attr_name</quote> or explicitly remove an attribute using " +"<quote>-attr_name</quote>. For example, to allow " +"<quote>telephoneNumber</quote> but deny <quote>loginShell</quote>, you would " +"use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> " +"<firstname>Noam</firstname> <surname>Meltzer</surname> <affiliation> " +"<orgname>Primary Data Inc.</orgname> </affiliation> <contrib>Developer " +"(2013-2014)</contrib> </author> <author> <firstname>Noam</firstname> " +"<surname>Meltzer</surname> <contrib>Developer (2014-)</contrib> " +"<email>tsnoam@gmail.com</email> </author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at " +"<emphasis>/etc/idmapd.conf</emphasis>. See <citerefentry> " +"<refentrytitle>idmapd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> can be configured to use " +"<command>sss_ssh_authorizedkeys</command> for public key user authentication " +"if it is compiled with support for <quote>AuthorizedKeysCommand</quote> " +"option. Please refer to the <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> man page for more details about this " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> can be configured to use it by " +"putting the following directives in <citerefentry> " +"<refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of " +"<filename>sssd.conf</filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in " +"<citerefentry><refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details) or there is a " +"certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> or " +"<citerefentry><refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details) and the certificate is " +"valid SSSD will extract the public key from the certificate and convert it " +"into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> for details) it might be irritating " +"that authentication is still working even if the related X.509 certificate " +"on the Smartcard is already expired because neither <command>ssh</command> " +"nor <command>sshd</command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain " +"<replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is " +"returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> " +"<manvolnum>8</manvolnum></citerefentry> for more information) " +"<filename>/var/lib/sss/pubconf/known_hosts</filename> and establishes the " +"connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> can be configured to use " +"<command>sss_ssh_knownhostsproxy</command> for host key authentication by " +"using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> " +"<manvolnum>1</manvolnum></citerefentry> configuration: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain " +"<replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and " +"SIDs. No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg " +"choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND " +"--help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +msgid "passwd_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +msgid "Default: /etc/passwd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +msgid "group_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +msgid "Default: /etc/group" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for details on the " +"configuration of an SSSD domain. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with " +"them. The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at " +"<filename>/var/run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. Unlike other SSSD responders, it cannot be started by " +"adding the <quote>secrets</quote> string to the <quote>service</quote> " +"directive. The systemd socket unit is called " +"<quote>sssd-secrets.socket</quote> and the corresponding service file is " +"called <quote>sssd-secrets.service</quote>. 
In order for the service to be " +"socket-activated, make sure the socket is enabled and active and the service " +"is enabled: <placeholder type=\"programlisting\" id=\"0\"/> Please note your " +"distribution may already configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " +"addition, there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections " +"(e.g. <quote>[secrets/users/123]</quote> - see bottom of this manual page " +"for a full example using Custodia for a particular user) that define which " +"provider store the secrets for this particular user. The per-user " +"subsections should contain all options for that user's provider. Please note " +"that currently the global provider is always local, the proxy provider can " +"only be specified in a per-user section. The following providers are " +"supported: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored " +"per-UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the " +"<quote>secrets</quote> and the <quote>kcm</quote> hives, configure the " +"following: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the " +"<quote>username</quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority " +"certificates. System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in " +"<quote>capath</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to " +"<quote>application/octet-stream</quote>. Secrets stored with requests that " +"set the Content Type header to <quote>application/octet-stream</quote> are " +"base64-encoded when stored and decoded when retrieved, so it's not possible " +"to store a secret with one Content Type and retrieve with another. The " +"secret URI must begin with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder " +"type=\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret " +"value. If a secret with that name already exists, the response is a 409 HTTP " +"error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder " +"type=\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on " +"http://localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> " +"</citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, The credentials cache name must be only <quote>KCM:</quote> " +"without any template expansions. For example: <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path " +"<replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure " +"the Kerberos library, change its <quote>kcm_socket</quote> option which is " +"described in the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry>. Unlike other SSSD services, it cannot be started by adding " +"the <quote>kcm</quote> string to the <quote>service</quote> directive. " +"<placeholder type=\"programlisting\" id=\"0\"/> Please note your " +"distribution may already configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry> for more details). 
Therefore it is important that also the " +"sssd-secrets service is enabled and its socket is started: <placeholder " +"type=\"programlisting\" id=\"0\"/> Your distribution should already set the " +"dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the " +"sssd.conf file. Please note that currently, is it not sufficient to restart " +"the sssd-kcm service, because the sssd configuration is only parsed and read " +"to an internal configuration database by the sssd service. Therefore you " +"must restart the sssd service if you change anything in the " +"<quote>kcm</quote> section of sssd.conf. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " +"addition, there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in " +"/usr/share/systemtap/tapset/sssd.stp and " +"/usr/share/systemtap/tapset/sssd_functions.stp respectively." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - " +"https://pagure.io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of " +"preference. The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, manual page. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the " +"<quote>ldap_opt_timeout></quote> timeout should be set to a larger value " +"than <quote>dns_resolver_timeout</quote> which in turn should be set to a " +"larger value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between " +"automatically-assigned and manually-assigned values. If you need to use " +"manually-assigned values, ALL values must be manually-assigned." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that " +"domain. In order to make this slice-assignment repeatable on different " +"client machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). 
In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. 
This is a subtle " +"distinction, but the good general advice would be to have " +"<quote>min_id</quote> be less-than or equal to " +"<quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have " +"<quote>max_id</quote> be greater-than or equal to " +"<quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. 
If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal " +"failures. Anything that would prevent SSSD from starting up or causes it to " +"cease running." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of " +"2." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of " +"function-internal variables that may be interesting." 
+msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use " +"https://pagure.io/SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with " +"<quote>id_provider=local</quote> must be created and the SSSD must be " +"running." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> " +"</citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>, </phrase> <phrase condition=\"with_secrets\"> " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>sssd-session-recording</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " 
+"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " +"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, </phrase> <phrase " +"condition=\"with_ifp\"> <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry>, </phrase> <citerefentry> " +"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> " +"</citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> " +"</citerefentry> </phrase>" +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " +"functions as specified in section 4.5.1.2 of " +"http://tools.ietf.org/html/rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the " +"<quote>ldap_search_base</quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. 
In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The " +"well-known host/hostname@REALM principal is a Service Principal and thus " +"cannot be used to get a TGT with." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/po/sv.po b/src/man/po/sv.po
new file mode 100644
index 0000000..61f0c02
--- /dev/null
+++ b/src/man/po/sv.po
@@ -0,0 +1,15679 @@
+# Göran Uddeborg <goeran@uddeborg.se>, 2018. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2018-06-07 08:25+0000\n"
+"Last-Translator: Göran Uddeborg <goeran@uddeborg.se>\n"
+"Language-Team: Swedish\n"
+"Language: sv\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"X-Generator: Zanata 4.4.5\n"
+"Plural-Forms: nplurals=2; plural=(n != 1)\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "SSSD manualsidor"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr "ändra en grupp"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>flaggor</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GRUPP</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr "BESKRIVNING"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+"<command>sss_groupmod</command> ändrar gruppen till att avspegla ändringarna "
+"som anges på kommandoraden."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "FLAGGOR"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GRUPPER</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+"Lägg till denna grupp till grupperna som anges av parametern "
+"<replaceable>GRUPPER</replaceable> parameter. Parametern "
+"<replaceable>GRUPPER</replaceable> är en kommaseparerad lista av gruppnamn."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GRUPPER</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+"Ta bort denna grupp från grupperna som anges av parametern "
+"<replaceable>GRUPPER</replaceable>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr "sssd.conf"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
+#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
+#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
+#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
+#: sssd-systemtap.5.xml:11
+msgid "5"
+msgstr "5"
+
+#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
+#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
+#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
+#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
+#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
+#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12
+msgid "File Formats and Conventions"
+msgstr "Filformat och konventioner"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.conf.5.xml:17
+msgid "the configuration file for SSSD"
+msgstr "konfigurationsfilen för SSSD"
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:21
+msgid "FILE FORMAT"
+msgstr "FILFORMAT"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:29
+#, no-wrap
+msgid ""
+"<replaceable>[section]</replaceable>\n"
+"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
+"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
+" "
+msgstr ""
+"<replaceable>[sektion]</replaceable>\n"
+"<replaceable>nyckel</replaceable> = <replaceable>värde</replaceable>\n"
+"<replaceable>nyckel2</replaceable> = <replaceable>värde2,värde3</replaceable>\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:24
+msgid ""
+"The file has an ini-style syntax and consists of sections and parameters. A "
+"section begins with the name of the section in square brackets and continues "
+"until the next section begins. An example of section with single and multi-"
+"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Filen har en syntax i ini-stil och består av sektioner och parametrar. En "
+"sektion börjar med namnet på sektionen i hakparenteser och fortsätter tills "
+"nästa sektion börjar. Ett exempel på en sektion med enkla och flervärda "
+"parametrar: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+"Datatyperna som används är sträng (inga citationstecken behövs) , heltal och "
+"bool (med värdena <quote>TRUE/FALSE</quote>)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+#, fuzzy
+#| msgid ""
+#| "A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
+#| "(<quote>;</quote>). Inline comments are not supported."
+msgid ""
+"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>). Inline comments are not supported."
+msgstr ""
+"En radkommentar börjar med ett nummertecken (<quote>#</quote>) eller ett "
+"semikolon (<quote>;</quote>). Kommentarer inom raden stödjs inte."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:47
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+"Alla sektioner kan valfritt ha en parameter <replaceable>description</"
+"replaceable>. Dess funktion är endast som en etikett för sektionen."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:53
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+"<filename>sssd.conf</filename> måste vara en normal fil, ägd av root och "
+"endast root får läsa från eller skriva till filen."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:59
+msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
+msgstr "KONFIGURATIONSSNUTTAR FRÅN EN INCLUDE-KATALOG"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:62
+msgid ""
+"The configuration file <filename>sssd.conf</filename> will include "
+"configuration snippets using the include directory <filename>conf.d</"
+"filename>. This feature is available if SSSD was compiled with libini "
+"version 1.3.0 or later."
+msgstr ""
+"Konfigurationsfilen <filename>sssd.conf</filename> kommer inkludiera "
+"konfigurationssnuttar från include-katalogen <filename>conf.d</filename>. "
+"Denna fuktion är tillgänglig om SSSD kompilerades med version 1.3.0 eller "
+"senare av libini."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:69
+msgid ""
+"Any file placed in <filename>conf.d</filename> that ends in "
+"<quote><filename>.conf</filename></quote> and does not begin with a dot "
+"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
+"to configure SSSD."
+msgstr ""
+"Filer lagda i <filename>conf.d</filename> som slutar med <quote><filename>."
+"conf</filename></quote> och inte börjar med en punkt (<quote>.</quote>) "
+"kommer användas tillsammans med <filename>sssd.conf</filename> för att "
+"konfigurera SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:77
+msgid ""
+"The configuration snippets from <filename>conf.d</filename> have higher "
+"priority than <filename>sssd.conf</filename> and will override "
+"<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
+"present in <filename>conf.d</filename>, then they are included in "
+"alphabetical order (based on locale). Files included later have higher "
+"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, "
+"<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
+"(higher number means higher priority)."
+msgstr ""
+"Konfigurationssnuttarna från <filename>conf.d</filename> har högre prioritet "
+"än <filename>sssd.conf</filename> och kommer åsidosätta <filename>sssd.conf</"
+"filename> när konflikter uppstår. Om flera snuttar finns i <filename>conf."
+"d</filename> inkluderas de i alfabetisk ordning (baserat på lokalen). Filer "
+"som inkluderas senare har högre prioritet. Numeriska prefix "
+"(<filename>01_snutt.conf</filename>, <filename>02_snutt.conf</filename> "
+"etc.) kan hjälpa till att visualisera prioriteten (högre tals betyder högre "
+"prioritet)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:91
+msgid ""
+"The snippet files require the same owner and permissions as <filename>sssd."
+"conf</filename>. Which are by default root:root and 0600."
+msgstr ""
+"Snuttfilerna behöver samma ägare och rättigheter som <filename>sssd.conf</"
+"filename>. Vilket som standard är root:root och 0600."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:98
+msgid "GENERAL OPTIONS"
+msgstr "ALLMÄNNA FLAGGOR"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:100
+msgid "Following options are usable in more than one configuration sections."
+msgstr "Följande flaggor är användbara i mer än en konfigurationssektion."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:104
+msgid "Options usable in all sections"
+msgstr "Flaggor användbara i alla sektioner"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:108
+msgid "debug_level (integer)"
+msgstr "debug_level (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:112
+msgid "debug (integer)"
+msgstr "debug (heltal)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:115
+msgid ""
+"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
+"for <replaceable>debug_level</replaceable> as a convenience feature. If both "
+"are specified, the value of <replaceable>debug_level</replaceable> will be "
+"used."
+msgstr ""
+"SSSD 1.14 och senare inkluderar också aliaset <replaceable>debug</"
+"replaceable> för <replaceable>debug_level</replaceable> som en "
+"bekvämlighetsfiness. Om båda anges kommer värdet "
+"på<replaceable>debug_level</replaceable> användas."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:125
+msgid "debug_timestamps (bool)"
+msgstr "debug_timestamps (bool)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:128
+msgid ""
+"Add a timestamp to the debug messages. If journald is enabled for SSSD "
+"debug logging this option is ignored."
+msgstr ""
+"Lägg till en tidsstämpel till felsökningsmeddelanden. Om journald är "
+"aktiverat för SSSD-felsökningsloggning igoreras denna flagga."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851
+#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576
+#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227
+#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499
+#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+msgid "Default: true"
+msgstr "Standard: true"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:138
+msgid "debug_microseconds (bool)"
+msgstr "debug_microseconds (bool)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:141
+msgid ""
+"Add microseconds to the timestamp in debug messages. If journald is enabled "
+"for SSSD debug logging this option is ignored."
+msgstr ""
+"Lägg till mikrosekunder till tidsstämpeln till felsökningsmeddelanden. Om "
+"journald är aktiverat för SSSD-felsökningsloggning igoreras denna flagga."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708
+#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+#: sssd-krb5.5.xml:471
+msgid "Default: false"
+msgstr "Standard: false"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384
+#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:155
+msgid "Options usable in SERVICE and DOMAIN sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:159
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:162
+msgid ""
+"Timeout in seconds between heartbeats for this service. This is used to "
+"ensure that the process is alive and capable of answering requests. Note "
+"that after three missed heartbeats the process will terminate itself."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996
+#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:179
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:182
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:193
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:202
+msgid "services"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:205
+msgid ""
+"Comma separated list of services that are started when sssd itself starts. "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or D-Bus "
+"activated when needed. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:214
+msgid ""
+"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
+"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
+"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
+"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:222
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\". </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:231 sssd.conf.5.xml:614
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:234 sssd.conf.5.xml:617
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:239 sssd.conf.5.xml:622
+msgid "Default: 3"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:244
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:247
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start. This parameter describes the list of domains in the order you want "
+"them to be queried. A domain name should only consist of alphanumeric ASCII "
+"characters, dashes, dots and underscores."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597
+msgid "re_expression (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:262
+msgid ""
+"Default regular expression that describes how to parse the string containing "
+"user name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:267
+msgid ""
+"Each domain can have an individual regular expression configured. For some "
+"ID providers there are also default regular expressions. See DOMAIN SECTIONS "
+"for more info on these regular expressions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to compose a "
+"fully qualified name from user name and domain name components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659
+msgid "%1$s"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660
+msgid "user name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663
+msgid "%2$s"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666
+msgid "domain name as specified in the SSSD config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672
+msgid "%3$s"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675
+msgid ""
+"domain flat name. Mostly usable for Active Directory domains, both directly "
+"configured or discovered via IPA trusts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656
+msgid ""
+"The following expansions are supported: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:316
+msgid ""
+"Each domain can have an individual format string configured. see DOMAIN "
+"SECTIONS for more info on this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:322
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:325
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:333
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:409
+msgid ""
+"Please note that if this option is set all users from the primary domain "
+"have to use their fully qualified name, e.g. user@domain.name, to log in. "
+"Setting this option changes default of use_fully_qualified_names to True. It "
+"is not allowed to use this option together with use_fully_qualified_names "
+"set to False."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679
+#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
+#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126
+#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
+#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
+#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
+#: include/ldap_id_mapping.xml:216
+msgid "Default: not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:423
+msgid "override_space (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:426
+msgid ""
+"This parameter will replace spaces (space bar) with the given character for "
+"user and group names. e.g. (_). User name "john doe" will be "
+""john_doe" This feature was added to help compatibility with shell "
+"scripts that have difficulty handling spaces, due to the default field "
+"separator in the shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:435
+msgid ""
+"Please note it is a configuration error to use a replacement character that "
+"might be used in user or group names. 
If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +msgid "Default: 14400 (4 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: true"
+msgid "Default:"
+msgstr "Standard: true"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +#, fuzzy +#| msgid "" +#| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +#| "replaceable>" +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GRUPPER</" +"replaceable>" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +msgid "passwd_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +#, fuzzy +#| msgid "Default: false" +msgid "Default: /etc/passwd" +msgstr "Standard: false" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +msgid "group_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +#, fuzzy +#| msgid "Default: true" +msgid "Default: /etc/group" +msgstr "Standard: true" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:424
+msgid ""
+"This section lists the available commands and includes examples using the "
+"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
+"</citerefentry> utility. 
All requests towards the proxy provider must set "
+"the Content Type header to <quote>application/json</quote>. In addition, the "
+"local provider also supports Content Type set to <quote>application/octet-"
+"stream</quote>. Secrets stored with requests that set the Content Type "
+"header to <quote>application/octet-stream</quote> are base64-encoded when "
+"stored and decoded when retrieved, so it's not possible to store a secret "
+"with one Content Type and retrieve with another. The secret URI must begin "
+"with <filename>/secrets/</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:441
+msgid "Listing secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:444
+msgid ""
+"To list the available secrets, send a HTTP GET request with a trailing slash "
+"appended to the container path."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:450
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:458
+msgid "Retrieving a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:461
+msgid ""
+"To read a value of a single secret, send a HTTP GET request without a "
+"trailing slash. The last portion of the URI is the name of the secret."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:468
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:473
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XGET http://localhost/secrets/bar\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:466
+msgid ""
+"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:481
+msgid "Setting a secret"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:484
+msgid ""
+"To set a secret using the <quote>application/json</quote> type, send a HTTP "
+"PUT request with a JSON payload that includes type and value. The type "
+"should be set to \"simple\" and the value should be set to the secret value. "
+"If a secret with that name already exists, the response is a 409 HTTP error."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:602
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:606
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:614
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16
+msgid "sssd-session-recording"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-session-recording.5.xml:17
+msgid "Configuring session recording with SSSD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to "
+"implement user session recording on text terminals. 
For a detailed "
+"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> "
+"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:41
+msgid ""
+"SSSD can be set up to enable recording of everything specific users see or "
+"type during their sessions on text terminals. E.g. when users log in on the "
+"console, or via SSH. SSSD itself doesn't record anything, but makes sure "
+"tlog-rec-session is started upon user login, so it can record according to "
+"its configuration."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:48
+msgid ""
+"For users with session recording enabled, SSSD replaces the user shell with "
+"tlog-rec-session in NSS responses, and adds a variable specifying the "
+"original shell to the user environment, upon PAM session setup. This way "
+"tlog-rec-session can be started in place of the user shell, and know which "
+"actual shell to start, once it set up the recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:60
+msgid "These options can be used to configure the session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:146
+msgid ""
+"The following snippet of sssd.conf enables session recording for users "
+"\"contractor1\" and \"contractor2\", and group \"students\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-session-recording.5.xml:151
+#, no-wrap
+msgid ""
+"[session_recording]\n"
+"scope = some\n"
+"users = contractor1, contractor2\n"
+"groups = students\n"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16
+msgid "sssd-kcm"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-kcm.8.xml:17
+msgid "SSSD Kerberos Cache Manager"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:23
+msgid ""
+"This manual page describes the configuration of the SSSD Kerberos Cache "
+"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos "
+"credential caches. It originates in the Heimdal Kerberos project, although "
+"the MIT Kerberos library also provides client side (more details on that "
+"below) support for the KCM credential cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:31
+msgid ""
+"In a setup where Kerberos caches are managed by KCM, the Kerberos library "
+"(typically used through an application, like e.g., <citerefentry> "
+"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </"
+"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is "
+"being referred to as a <quote>\"KCM server\"</quote>. The client and server "
+"communicate over a UNIX socket."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:42
+msgid ""
+"The KCM server keeps track of each credential caches's owner and performs "
+"access check control based on the UID and GID of the KCM client. The root "
+"user has access to all credential caches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:47
+msgid "The KCM credential cache has several interesting properties:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:51
+msgid ""
+"since the process runs in userspace, it is subject to UID namespacing, "
+"unlike the kernel keyring"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" diff --git a/src/man/po/tg.po b/src/man/po/tg.po new file mode 100644 index 0000000..b642e0e --- /dev/null +++ b/src/man/po/tg.po 
@@ -0,0 +1,15620 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-15 12:10+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Tajik (http://www.transifex.com/projects/p/sssd/language/"
+"tg/)\n"
+"Language: tg\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 +#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 +#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11 +#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11 +#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 +#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 +msgid "8" +msgstr "8" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupmod.8.xml:16 +msgid "modify a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupmod.8.xml:21 +msgid "" +"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57 +#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 +#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 +#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30 +#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30 +#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30 +#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 +#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 +#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 +#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21 +#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21 +msgid "DESCRIPTION" +msgstr "ШАРҲ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupmod.8.xml:32 +msgid "" +"<command>sss_groupmod</command> modifies the group to reflect the changes " +"that are specified on the command line." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58 +#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39 +#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39 +#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 +#: sss_ssh_knownhostsproxy.1.xml:62 +msgid "OPTIONS" +msgstr "ИМКОНОТҲО" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77 +msgid "" +"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "" + +#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "Формати файл" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) can help visualize the priority " +"(higher number means higher priority)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Пешфарз: true" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Пешфарз: false" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Пешфарз: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Пешфарз: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. In these rare cases, this option should be set " +"to 'false'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "Пешфарз: 120" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:758 +msgid "" +"For example, if the domain's entry_cache_timeout is set to 30s and " +"entry_cache_nowait_percentage is set to 50 (percent), entries that come in " +"after 15 seconds past the last cache update will be returned immediately, " +"but the SSSD will go and update the cache on its own, so that future " +"requests will not need to block waiting for a cache update." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:768 +msgid "" +"Valid values for this option are 0-99 and represent a percentage of the " +"entry_cache_timeout for each domain. For performance reasons, this " +"percentage will never reduce the nowait timeout to less than 10 seconds. (0 " +"disables this feature)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445 +msgid "Default: 50" +msgstr "Пешфарз: 50" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:781 +msgid "entry_negative_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:784 +msgid "" +"Specifies for how many seconds nss_sss should cache negative cache hits " +"(that is, queries for invalid database entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469 +msgid "Default: 15" +msgstr "Пешфарз: 15" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:795 +msgid "local_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:798 +msgid "" +"Specifies for how many seconds nss_sss should keep local users and groups in " +"negative cache before trying to look it up in the back end again. Setting " +"the option to 0 disables this feature." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:804 +#, fuzzy +#| msgid "Default: 5400" +msgid "Default: 14400 (4 hours)" +msgstr "Пешфарз: 5400" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:809 +msgid "filter_users, filter_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:812 +msgid "" +"Exclude certain users or groups from being fetched from the sss NSS " +"database. This is particularly useful for system accounts. This option can " +"also be set per-domain or include fully-qualified names to filter only users " +"from the particular domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:819 +msgid "" +"NOTE: The filter_groups option doesn't affect inheritance of nested group " +"members, since filtering happens after they are propagated for returning via " +"NSS. E.g. a group having a member group filtered out will still have the " +"member users of the latter listed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:827 +msgid "Default: root" +msgstr "Пешфарз: root" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:832 +msgid "filter_users_in_groups (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:835 +msgid "" +"If you want filtered user still be group members set this option to false." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:846 +msgid "fallback_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:849 +msgid "" +"Set a default template for a user's home directory if one is not specified " +"explicitly by the domain's data provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:854 +msgid "" +"The available values for this option are the same as for override_homedir." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:860 +#, no-wrap +msgid "" +"fallback_homedir = /home/%u\n" +" " +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317 +#: sssd-krb5.5.xml:539 include/override_homedir.xml:59 +msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:864 +msgid "Default: not set (no substitution for unset home directories)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:870 +msgid "override_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:873 +msgid "" +"Override the login shell for all users. This option supersedes any other " +"shell options if it takes effect and can be set either in the [nss] section " +"or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:879 +msgid "Default: not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:885 +msgid "allowed_shells (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:888 +msgid "" +"Restrict user shell to one of the listed values. The order of evaluation is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:891 +msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:895 +msgid "" +"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</" +"quote>, use the value of the shell_fallback parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:900 +msgid "" +"3. If the shell is not in the allowed_shells list and not in <quote>/etc/" +"shells</quote>, a nologin shell is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:905 +msgid "The wildcard (*) can be used to allow any shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:908 +msgid "" +"The (*) is useful if you want to use shell_fallback in case that user's " +"shell is not in <quote>/etc/shells</quote> and maintaining list of all " +"allowed shells in allowed_shells would be to much overhead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:915 +msgid "An empty string for shell is passed as-is to libc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:918 +msgid "" +"The <quote>/etc/shells</quote> is only read on SSSD start up, which means " +"that a restart of the SSSD is required in case a new shell is installed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:922 +msgid "Default: Not set. The user shell is automatically used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:927 +msgid "vetoed_shells (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:930 +msgid "Replace any instance of these shells with the shell_fallback" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:935 +msgid "shell_fallback (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:938 +msgid "" +"The default shell to use if an allowed shell is not installed on the machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:942 +msgid "Default: /bin/sh" +msgstr "Пешфарз: /bin/sh" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:947 +msgid "default_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:950 +msgid "" +"The default shell to use if the provider does not return one during lookup. " +"This option can be specified globally in the [nss] section or per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:956 +msgid "" +"Default: not set (Return NULL if no shell is specified and rely on libc to " +"substitute something sensible when necessary, usually /bin/sh)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224 +msgid "get_domains_timeout (int)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227 +msgid "" +"Specifies time in seconds for which the list of subdomains will be " +"considered valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:975 +msgid "memcache_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:978 +msgid "" +"Specifies time in seconds for which records in the in-memory cache will be " +"valid. Setting this option to zero will disable the in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:986 +msgid "" +"WARNING: Disabling the in-memory cache will have significant negative impact " +"on SSSD's performance and should only be used for testing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:992 +msgid "" +"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " +"client applications will not use the fast in-memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74 +msgid "user_attributes (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1003 +msgid "" +"Some of the additional NSS responder requests can return more attributes " +"than just the POSIX ones defined by the NSS interface. The list of " +"attributes is controlled by this option. 
It is handled the same way as the " +"<quote>user_attributes</quote> option of the InfoPipe responder (see " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for details) but with no default values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1016 +msgid "" +"To make configuration more easy the NSS responder will check the InfoPipe " +"option if it is not set for the NSS responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1021 +msgid "Default: not set, fallback to InfoPipe option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1026 +msgid "pwfield (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1029 +msgid "" +"The value that NSS operations that return users or groups will return for " +"the <quote>password</quote> field." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: sssd.conf.5.xml:1034 include/override_homedir.xml:56 +msgid "This option can also be set per-domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1037 +msgid "" +"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files " +"domain)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1045 +msgid "PAM configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1047 +msgid "" +"These options can be used to configure the Pluggable Authentication Module " +"(PAM) service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1052 +msgid "offline_credentials_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1055 +msgid "" +"If the authentication provider is offline, how long should we allow cached " +"logins (in days since the last successful online login)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073 +msgid "Default: 0 (No limit)" +msgstr "Пешфарз: 0 (Номаҳдуд)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1066 +msgid "offline_failed_login_attempts (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1069 +msgid "" +"If the authentication provider is offline, how many failed login attempts " +"are allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1079 +msgid "offline_failed_login_delay (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1082 +msgid "" +"The time in minutes which has to pass after offline_failed_login_attempts " +"has been reached before a new login attempt is possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1087 +msgid "" +"If set to 0 the user cannot authenticate offline if " +"offline_failed_login_attempts has been reached. Only a successful online " +"authentication can enable offline authentication again." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191 +msgid "Default: 5" +msgstr "Пешфарз: 5" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1099 +msgid "pam_verbosity (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1102 +msgid "" +"Controls what kind of messages are shown to the user during authentication. " +"The higher the number to more messages are displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1107 +msgid "Currently sssd supports the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1110 +msgid "<emphasis>0</emphasis>: do not show any message" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1113 +msgid "<emphasis>1</emphasis>: show only important messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1117 +msgid "<emphasis>2</emphasis>: show informational messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1120 +msgid "<emphasis>3</emphasis>: show all messages and debug information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1124 sssd.8.xml:63 +msgid "Default: 1" +msgstr "Пешфарз: 1" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1130 +msgid "pam_response_filter (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1133 +msgid "" +"A comma separated list of strings which allows to remove (filter) data sent " +"by the PAM responder to pam_sss PAM module. There are different kind of " +"responses sent to pam_sss e.g. messages displayed to the user or environment " +"variables which should be set by pam_sss." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1141 +msgid "" +"While messages already can be controlled with the help of the pam_verbosity " +"option this option allows to filter out other kind of responses as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1148 +msgid "ENV" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1149 +msgid "Do not send any environment variables to any service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1152 +msgid "ENV:var_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1153 +msgid "Do not send environment variable var_name to any service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1157 +msgid "ENV:var_name:service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1158 +msgid "Do not send environment variable var_name to service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1146 +msgid "" +"Currently the following filters are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1168 +msgid "Example: ENV:KRB5CCNAME:sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1174 +msgid "pam_id_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1177 +msgid "" +"For any PAM request while SSSD is online, the SSSD will attempt to " +"immediately update the cached identity information for the user in order to " +"ensure that authentication takes place with the latest information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1183 +msgid "" +"A complete PAM conversation may perform multiple PAM requests, such as " +"account management and session opening. This option controls (on a per-" +"client-application basis) how long (in seconds) we can cache the identity " +"information to avoid excessive round-trips to the identity provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1197 +msgid "pam_pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078 +msgid "Display a warning N days before the password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1203 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081 +msgid "" +"If zero is set, then this filter is not applied, i.e. if the expiration " +"warning was received from backend server, it will automatically be displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1214 +msgid "" +"This setting can be overridden by setting <emphasis>pwd_expiration_warning</" +"emphasis> for a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79 +msgid "Default: 0" +msgstr "Пешфарз: 0" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1236 +msgid "pam_trusted_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1239 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to run PAM conversations against trusted domains. 
Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1287
+msgid ""
+"Allows a custom expiration message to be set, replacing the default "
+"'Permission denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1292
+msgid ""
+"Note: Please be aware that message is only printed for the SSH service "
+"unless pam_verbosity is set to 3 (show all messages and debug information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1300
+#, no-wrap
+msgid ""
+"pam_account_expired_message = Account expired, please contact help desk.\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1309
+msgid "pam_account_locked_message (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1312
+msgid ""
+"Allows a custom lockout message to be set, replacing the default 'Permission "
+"denied' message."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:1319
+#, no-wrap
+msgid ""
+"pam_account_locked_message = Account locked, please contact help desk.\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1328
+msgid "pam_cert_auth (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1331
+msgid ""
+"Enable certificate based Smartcard authentication. Since this requires "
+"additional communication with the Smartcard which will delay the "
+"authentication process this option is disabled by default."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087
+#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
+#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244
+msgid "Default: False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1342
+msgid "pam_cert_db_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1345
+msgid ""
+"The path to the certificate database which contain the PKCS#11 modules to "
+"access the Smartcard."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "Пешфарз: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. 
The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1459
+msgid "autofs_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1462
+msgid ""
+"Specifies for how many seconds should the autofs responder negative cache "
+"hits (that is, queries for invalid map entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1478
+msgid "SSH configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1480
+msgid "These options can be used to configure the SSH service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1484
+msgid "ssh_hash_known_hosts (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1487
+msgid ""
+"Whether or not to hash host names and addresses in the managed known_hosts "
+"file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1496
+msgid "ssh_known_hosts_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1499
+msgid ""
+"How many seconds to keep a host in the managed known_hosts file after its "
+"host keys were requested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1503
+msgid "Default: 180"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1508
+msgid "ssh_use_certificate_keys (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1511
+msgid ""
+"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh "
+"keys derived from the public key of X.509 certificates stored in the user "
+"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1526
+msgid "ca_db (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1529
+msgid ""
+"Path to a storage of trusted CA certificates. The option is used to validate "
+"user certificates before deriving public ssh keys from them."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1557
+msgid "PAC responder configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1559
+msgid ""
+"The PAC responder works together with the authorization data plugin for MIT "
+"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
+"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
+"provider collects domain SID and ID ranges of the domain the client is "
+"joined to and of remote trusted domains from the local domain controller. If "
+"the PAC is decoded and evaluated some of the following operations are done:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1568
+msgid ""
+"If the remote user does not exist in the cache, it is created. The UID is "
+"determined with the help of the SID, trusted domains will have UPGs and the "
+"GID will have the same value as the UID. The home directory is set based on "
+"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
+"the system defaults are used, but can be overwritten with the default_shell "
+"parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1576
+msgid ""
+"If there are SIDs of groups from domains sssd knows about, the user will be "
+"added to those groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1582
+msgid "These options can be used to configure the PAC responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50
+msgid "allowed_uids (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1589
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the PAC responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1595
+msgid "Default: 0 (only the root user is allowed to access the PAC responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1599
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. 
If you still want to allow the root user to "
+"access the PAC responder, which would be the typical case, you have to add 0 "
+"to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1608
+msgid "pac_lifetime (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1611
+msgid ""
+"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
+"data can be used to determine the group memberships of a user."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1624
+msgid "Session recording configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1626
+msgid ""
+"Session recording works in conjunction with <citerefentry> "
+"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, a part of tlog package, to log what users see and type when "
+"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
+"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1639
+msgid "These options can be used to configure session recording."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64
+msgid "scope (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71
+msgid "\"none\""
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74
+msgid "No users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79
+msgid "\"some\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82
+msgid ""
+"Users/groups specified by <replaceable>users</replaceable> and "
+"<replaceable>groups</replaceable> options are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91
+msgid "\"all\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94
+msgid "All users are recorded."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67
+msgid ""
+"One of the following strings specifying the scope of session recording: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101
+msgid "Default: \"none\""
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106
+msgid "users (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109
+msgid ""
+"A comma-separated list of users which should have session recording enabled. "
+"Matches user names as returned by NSS. I.e. after the possible space "
+"replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115
+msgid "Default: Empty. Matches no users."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120
+msgid "groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123
+msgid ""
+"A comma-separated list of groups, members of which should have session "
+"recording enabled. Matches group names as returned by NSS. I.e. after the "
+"possible space replacement, case changes, etc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129
+msgid ""
+"NOTE: using this option (having it set to anything) has a considerable "
+"performance cost, because each uncached request for a user requires "
+"retrieving and matching the groups the user is member of."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136
+msgid "Default: Empty. Matches no groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:1725
+msgid "DOMAIN SECTIONS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1732
+msgid "domain_type (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1735
+msgid ""
+"Specifies whether the domain is meant to be used by POSIX-aware clients such "
+"as the Name Service Switch or by applications that do not need POSIX data to "
+"be present or generated. Only objects from POSIX domains are available to "
+"the operating system interfaces and utilities."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1743
+msgid ""
+"Allowed values for this option are <quote>posix</quote> and "
+"<quote>application</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1747
+msgid ""
+"POSIX domains are reachable by all services. Application domains are only "
+"reachable from the InfoPipe responder (see <citerefentry> "
+"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>) and the PAM responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1755
+msgid ""
+"NOTE: The application domains are currently well tested with "
+"<quote>id_provider=ldap</quote> only."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "Пешфарз: FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. 
The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "Пешфарз: 5400"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "Пешфарз: 0 (номаҳдуд)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "Пешфарз: 6" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2747
+msgid "Default: Use the domain part of machine's hostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2753
+msgid "override_gid (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2756
+msgid "Override the primary GID value with the one specified."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2762
+msgid "case_sensitive (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2770
+msgid "True"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2773
+msgid "Case sensitive. This value is invalid for AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2779
+msgid "False"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2781
+msgid "Case insensitive."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2785
+msgid "Preserving"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2788
+msgid ""
+"Same as False (case insensitive), but does not lowercase names in the result "
+"of NSS operations. Note that name aliases (and in case of services also "
+"protocol names) are still lowercased in the output."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled." 
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. 
Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Пешфарз: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. If not specified, a "
+"default value is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. 
Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
+msgid "sssd-ldap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ldap.5.xml:17
+msgid "SSSD LDAP provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:23
+msgid ""
+"This manual page describes the configuration of LDAP domains for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for detailed syntax information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:35
+msgid "You can configure SSSD to use more than one LDAP domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:38
+msgid ""
+"LDAP back end supports id, auth, access and chpass providers. If you want to "
+"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
+"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
+"over an unencrypted channel. If the LDAP server is used only as an identity "
+"provider, an encrypted channel is not needed. Please refer to "
+"<quote>ldap_access_filter</quote> config option for more information about "
+"using LDAP as an access provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "Намунаҳо:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. 
The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "Пешфарз: rfc2307" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "парол" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "Пешфарз: парол" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:948
+msgid "ldap_group_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:951
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:962
+msgid "ldap_group_objectsid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:965
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP group object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:977
+msgid "ldap_group_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:990
+msgid "ldap_group_type (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:993
+msgid ""
+"The LDAP attribute that contains an integer value indicating the type of the "
+"group and maybe other flags."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:998
+msgid ""
+"This attribute is currently only used by the AD provider to determine if a "
+"group is a domain local groups and has to be filtered out for trusted "
+"domains."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1004
+msgid "Default: groupType in the AD provider, otherwise not set"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1011
+msgid "ldap_group_external_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1014
+msgid ""
+"The LDAP attribute that references group members that are defined in an "
+"external domain. At the moment, only IPA's external members are supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1020
+msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1027
+msgid "ldap_group_nesting_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1030
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1037
+msgid ""
+"Note: This option specifies the guaranteed level of nested groups to be "
+"processed for any lookup. However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all.
However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "Пешфарз: 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later.
See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1357
+msgid "Default: ipServicePort"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1363
+msgid "ldap_service_proto (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1366
+msgid ""
+"The LDAP attribute that contains the protocols understood by this service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1370
+msgid "Default: ipServiceProtocol"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1376
+msgid "ldap_service_search_base (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1381
+msgid "ldap_search_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1384
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. After this time, the connection will be re-established. If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control. This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1502
+msgid ""
+"Example: OpenLDAP servers with the paging control module installed on the "
+"server but not enabled will report it in the RootDSE but be unable to use it."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1508
+msgid ""
+"Example: 389 DS has a bug where it can only support a one paging control at "
+"a time on a single connection. On busy clients, this can result in some "
+"requests being denied."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1520
+msgid "ldap_disable_range_retrieval (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1523
+msgid "Disable Active Directory range retrieval."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1526
+msgid ""
+"Active Directory limits the number of members to be retrieved in a single "
+"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
+"group contains more members, the reply would include an AD-specific range "
+"extension. This option disables parsing of the range extension, therefore "
+"large groups will appear as having no members."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1541
+msgid "ldap_sasl_minssf (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1544
+msgid ""
+"When communicating with an LDAP server using SASL, specify the minimum "
+"security level necessary to establish the connection.
The values of this "
+"option are defined by OpenLDAP."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1550
+msgid "Default: Use the system default (usually specified by ldap.conf)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1557
+msgid "ldap_deref_threshold (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1560
+msgid ""
+"Specify the number of group members that must be missing from the internal "
+"cache in order to trigger a dereference lookup. If less members are missing, "
+"they are looked up individually."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1566
+msgid ""
+"You can turn off dereference lookups completely by setting the value to 0."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1570
+msgid ""
+"A dereference lookup is a means of fetching all group members in a single "
+"LDAP call. Different LDAP servers may implement different dereference "
+"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+"Directory."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1578
+msgid ""
+"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+"filter, then the dereference lookup performance enhancement will be disabled "
+"regardless of this setting."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1591
+msgid "ldap_tls_reqcert (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1594
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1600
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1604
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1669
+msgid "Specifies the file that contains the certificate for the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1679
+msgid "ldap_tls_key (string)"
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1682
+msgid "Specifies the file that contains the client's key."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1691
+msgid "ldap_tls_cipher_suite (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1694
+msgid ""
+"Specifies acceptable cipher suites. Typically this is a colon separated "
+"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry> for format."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1707
+msgid "ldap_id_use_start_tls (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1710
+msgid ""
+"Specifies that the id_provider connection must also use <systemitem class="
+"\"protocol\">tls</systemitem> to protect the channel."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1720
+msgid "ldap_id_mapping (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1723
+msgid ""
+"Specifies that SSSD should attempt to map user and group IDs from the "
+"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
+"on ldap_user_uid_number and ldap_group_gid_number."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1729
+msgid "Currently this feature supports only ActiveDirectory objectSID mapping."
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1739
+msgid "ldap_min_id, ldap_max_id (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1742
+msgid ""
+"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
+"set to true the allowed ID range for ldap_user_uid_number and "
+"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
+"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
+"can be set to restrict the allowed range for the IDs which are read directly "
+"from the server. Sub-domains can then pick other ranges to map IDs."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1754
+msgid "Default: not set (both options are set to 0)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1760
+msgid "ldap_sasl_mech (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1763
+msgid ""
+"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
+"supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1773
+msgid "ldap_sasl_authid (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ldap.5.xml:1784
+#, no-wrap
+msgid ""
+"hostname@REALM\n"
+"netbiosname$@REALM\n"
+"host/hostname@REALM\n"
+"*$@REALM\n"
+"host/*@REALM\n"
+"host/*\n"
+" "
+msgstr ""
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "Пешфарз: false;" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "Намуна:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "НАМУНА" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "ЭЗОҲҲО" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "ФАЙЛҲО" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "Номи логин" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:36 +msgid "" +"The InfoPipe responder provides a public D-Bus interface accessible over the " +"system bus. The interface allows the user to query information about remote " +"users and groups over the system bus." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:46 +msgid "These options can be used to configure the InfoPipe responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:53 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the InfoPipe responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:59 +msgid "" +"Default: 0 (only the root user is allowed to access the InfoPipe responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:63 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the InfoPipe responder, which would be the typical case, you have to " +"add 0 to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:77 +msgid "Specifies the comma-separated list of white or blacklisted attributes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:91 +msgid "name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:92 +msgid "user's login name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:95 +msgid "uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:96 +msgid "user ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:99 +msgid "gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:100 +msgid "primary group ID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:103 +msgid "gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:104 +msgid "user information, typically full name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:107 +msgid "homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-ifp.5.xml:111 +msgid "loginShell" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:112 +msgid "user shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:81 +msgid "" +"By default, the InfoPipe responder only allows the default set of POSIX " +"attributes to be requested. This set is the same as returned by " +"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ifp.5.xml:125 +#, no-wrap +msgid "" +"user_attributes = +telephoneNumber, -loginShell\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:117 +msgid "" +"It is possible to add another attribute to this set by using <quote>" +"+attr_name</quote> or explicitly remove an attribute using <quote>-" +"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " +"deny <quote>loginShell</quote>, you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:129 +msgid "Default: not set. Only the default set of POSIX attributes is allowed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:139 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup that overrides caller-supplied limit." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ifp.5.xml:144 +msgid "Default: 0 (let the caller set an upper limit)" +msgstr "" + +#. type: Content of: <reference><refentry><refentryinfo> +#: sss_rpcidmapd.5.xml:8 +msgid "" +"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" +"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " +"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" +"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " +"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" +"author>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 +msgid "sss_rpcidmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_rpcidmapd.5.xml:33 +msgid "sss plugin configuration directives for rpc.idmapd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:37 +msgid "CONFIGURATION FILE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:39 +msgid "" +"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." +"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:49 +msgid "SSS CONFIGURATION EXTENSION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:51 +msgid "Enable SSS plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:53 +msgid "" +"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " +"attribute to contain <emphasis>sss</emphasis>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_rpcidmapd.5.xml:59 +msgid "[sss] config section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_rpcidmapd.5.xml:61 +msgid "" +"In order to change the default of one of the configuration attributes of the " +"<emphasis>sss</emphasis> plugin listed below you will need to create a " +"config section for it, named <quote>[sss]</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sss_rpcidmapd.5.xml:67 +msgid "Configuration attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sss_rpcidmapd.5.xml:69 +msgid "memcache (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sss_rpcidmapd.5.xml:72 +msgid "Indicates whether or not to use memcache optimisation technique." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_rpcidmapd.5.xml:85 +msgid "SSSD INTEGRATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:87 +msgid "" +"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " +"in sssd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:91 +msgid "" +"The attribute <quote>use_fully_qualified_names</quote> must be enabled on " +"all domains (NFSv4 clients expect a fully qualified name to be sent on the " +"wire)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_rpcidmapd.5.xml:103 +#, no-wrap +msgid "" +"[General]\n" +"Verbosity = 2\n" +"# domain must be synced between NFSv4 server and clients\n" +"# Solaris/Illumos/AIX use \"localdomain\" as default!\n" +"Domain = default\n" +"\n" +"[Mapping]\n" +"Nobody-User = nfsnobody\n" +"Nobody-Group = nfsnobody\n" +"\n" +"[Translation]\n" +"Method = sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:100 +msgid "" +"The following example shows a minimal idmapd.conf which makes use of the sss " +"plugin. <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2 +msgid "SEE ALSO" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_rpcidmapd.5.xml:122 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 +msgid "sss_ssh_authorizedkeys" +msgstr "" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 +msgid "1" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_authorizedkeys.1.xml:16 +msgid "get OpenSSH authorized keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_authorizedkeys.1.xml:21 +msgid "" +"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>USER</replaceable></arg>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:32 +msgid "" +"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " +"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " +"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> for more information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:41 +msgid "" +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" +"command> for public key user authentication if it is compiled with support " +"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " +"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> man page for more details about this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_authorizedkeys.1.xml:59 +#, no-wrap +msgid "" +" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" +" AuthorizedKeysCommandUser nobody\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:52 +msgid "" +"If <quote>AuthorizedKeysCommand</quote> is supported, " +"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" +"citerefentry> can be configured to use it by putting the following " +"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting" +"\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss_ssh_authorizedkeys.1.xml:65 +msgid "KEYS FROM CERTIFICATES" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:67 +msgid "" +"In addition to the public SSH keys for user <replaceable>USER</replaceable> " +"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " +"from the public key of a X.509 certificate as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:73 +msgid "" +"To enable this the <quote>ssh_use_certificate_keys</quote> option must be " +"set to true (default) in the [ssh] section of <filename>sssd.conf</" +"filename>. If the user entry contains certificates (see " +"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " +"there is a certificate in an override entry for the user (see " +"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " +"certificate is valid SSSD will extract the public key from the certificate " +"and convert it into the format expected by sshd." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:90 +msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:92 +msgid "ca_db" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:93 +msgid "p11_child_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:94 +msgid "certificate_verification" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:96 +msgid "" +"can be used to control how the certificates are validated (see " +"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for details)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:101 +msgid "" +"The validation is the benefit of using X.509 certificates instead of SSH " +"keys directly because e.g. it gives a better control of the lifetime of the " +"keys. When the ssh client is configured to use the private keys from a " +"Smartcard with the help of a PKCS#11 shared library (see " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> for details) it might be irritating that authentication is " +"still working even if the related X.509 certificate on the Smartcard is " +"already expired because neither <command>ssh</command> nor <command>sshd</" +"command> will look at the certificate at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss_ssh_authorizedkeys.1.xml:114 +msgid "" +"It has to be noted that the derived public SSH key can still be added to the " +"<filename>authorized_keys</filename> file of the user to bypass the " +"certificate validation if the <command>sshd</command> configuration permits " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_authorizedkeys.1.xml:132 +msgid "" +"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 +msgid "EXIT STATUS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 +msgid "" +"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 +msgid "sss_ssh_knownhostsproxy" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_ssh_knownhostsproxy.1.xml:16 +msgid "get OpenSSH host keys" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_ssh_knownhostsproxy.1.xml:21 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " +"<replaceable>options</replaceable> </arg> <arg " +"choice='plain'><replaceable>HOST</replaceable></arg> <arg " +"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:33 +msgid "" +"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " +"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " +"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " +"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" +"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" +"pubconf/known_hosts</filename> and establishes the connection to the host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:43 +msgid "" +"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " +"create the connection to the host instead of opening a socket." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sss_ssh_knownhostsproxy.1.xml:55 +#, no-wrap +msgid "" +"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" +"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_ssh_knownhostsproxy.1.xml:48 +msgid "" +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" +"command> for host key authentication by using the following directives for " +"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" +"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:66 +msgid "" +"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:71 +msgid "" +"Use port <replaceable>PORT</replaceable> to connect to the host. By " +"default, port 22 is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:83 +msgid "" +"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_ssh_knownhostsproxy.1.xml:89 +msgid "<option>-k</option>,<option>--pubkeys</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_ssh_knownhostsproxy.1.xml:93 +msgid "" +"Print the host ssh public keys for host <replaceable>HOST</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: idmap_sss.8.xml:10 idmap_sss.8.xml:15 +msgid "idmap_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: idmap_sss.8.xml:16 +msgid "SSSD's idmap_sss Backend for Winbind" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:22 +msgid "" +"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " +"No database is required in this case as the mapping is done by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: idmap_sss.8.xml:29 +msgid "IDMAP OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: idmap_sss.8.xml:33 +msgid "range = low - high" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +msgid "passwd_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +#, fuzzy +#| msgid "Default: password" +msgid "Default: /etc/passwd" +msgstr "Пешфарз: парол" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +msgid "group_files (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +#, fuzzy +#| msgid "Default: true" +msgid "Default: /etc/group" +msgstr "Пешфарз: true" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +msgid "" +"In addition to the options listed below, generic SSSD domain options can be " +"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for details on the configuration of " +"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:105 +msgid "" +"The following example assumes that SSSD is correctly configured and files is " +"one of the domains in the <replaceable>[sssd]</replaceable> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-files.5.xml:111 +#, no-wrap +msgid "" +"[domain/files]\n" +"id_provider = files\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16 +msgid "sssd-secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-secrets.5.xml:17 +msgid "SSSD Secrets responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:23 +msgid "" +"This manual page describes the configuration of the Secrets responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:36 +msgid "" +"Many system and user applications need to store private information such as " +"passwords or service keys and have no good way to properly deal with them. " +"The simple approach is to embed these <quote>secrets</quote> into " +"configuration files potentially ending up exposing sensitive key material to " +"backups, config management system and in general making it harder to secure " +"data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:45 +msgid "" +"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> " +"project was born to deal with this problem in cloud like environments, but " +"we found the idea compelling even at a single system level. As a security " +"service, SSSD is ideal to host this capability while offering the same API " +"via a UNIX Socket. This will make it possible to use local calls and have " +"them transparently routed to a local or a remote key management store like " +"IPA Vault for storage, escrow and recovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:55 +msgid "" +"The secrets are simple key-value pairs. Each user's secrets are namespaced " +"using their user ID, which means the secrets will never collide between " +"users. Secrets can be stored inside <quote>containers</quote> which can be " +"nested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:69 +msgid "secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:70 +msgid "secrets for general usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:73 +msgid "kcm" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:75 +msgid "" +"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:61 +msgid "" +"Since the secrets responder can be used both externally to store general " +"secrets, as described in the rest of this man page, but also internally by " +"other SSSD components to store their secret material, some configuration " +"options, like quotas can be configured per <quote>hive</quote> in a " +"configuration subsection named after the hive. The currently supported hives " +"are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:89 +msgid "USING THE SECRETS RESPONDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:91 +msgid "" +"The UNIX socket the SSSD responder listens on is located at <filename>/var/" +"run/secrets.socket</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:110 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +"systemctl enable sssd-secrets.service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:95 +msgid "" +"The secrets responder is socket-activated by <citerefentry> " +"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry>. Unlike other SSSD responders, it cannot be started by adding " +"the <quote>secrets</quote> string to the <quote>service</quote> directive. " +"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the " +"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that "
+"also the sssd-secrets service is enabled and its socket is started: "
+"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should "
+"already set the dependencies between the services."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:141
+msgid ""
+"The KCM service is configured in the <quote>kcm</quote> section of the sssd."
+"conf file. Please note that currently, is it not sufficient to restart the "
+"sssd-kcm service, because the sssd configuration is only parsed and read to "
+"an internal configuration database by the sssd service. Therefore you must "
+"restart the sssd service if you change anything in the <quote>kcm</quote> "
+"section of sssd.conf. For a detailed syntax reference, refer to the "
+"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:155
+msgid ""
+"The generic SSSD service options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some KCM-specific options as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-kcm.8.xml:166
+msgid "socket_path (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-kcm.8.xml:169
+msgid "The socket the KCM service will listen on."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-kcm.8.xml:172
+msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:182
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>,"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16
+msgid "sssd-systemtap"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-systemtap.5.xml:17
+msgid "SSSD systemtap information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-systemtap.5.xml:23
+msgid ""
+"This manual page provides information about the systemtap functionality in "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-systemtap.5.xml:32
+msgid ""
+"SystemTap Probe points have been added into various locations in SSSD code "
+"to assist in troubleshooting and analyzing performance related issues."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-systemtap.5.xml:40
+msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-systemtap.5.xml:46
+msgid ""
+"Probes and miscellaneous functions are defined in /usr/share/systemtap/"
+"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp "
+"respectively."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-systemtap.5.xml:57
+msgid "PROBE POINTS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341
+msgid ""
+"The information below lists the probe points and arguments available in the "
+"following format:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:64
+msgid "probe $name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:67
+msgid "Description of probe point"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:70
+#, no-wrap
+msgid ""
+"variable1:datatype\n"
+"variable2:datatype\n"
+"variable3:datatype\n"
+"...\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:80
+msgid "Database Transaction Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:84
+msgid "probe sssd_transaction_start"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:87
+msgid ""
+"Start of a sysdb transaction, probes the sysdb_transaction_start() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118
+#: sssd-systemtap.5.xml:131
+#, no-wrap
+msgid ""
+"nesting:integer\n"
+"probestr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:97
+msgid "probe sssd_transaction_cancel"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:100
+msgid ""
+"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() "
+"function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:111
+msgid "probe sssd_transaction_commit_before"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:114
+msgid "Probes the sysdb_transaction_commit_before() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:124
+msgid "probe sssd_transaction_commit_after"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:127
+msgid "Probes the sysdb_transaction_commit_after() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:141
+msgid "LDAP Search Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:145
+msgid "probe sdap_search_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:148
+msgid "Probes the sdap_get_generic_ext_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196
+#, no-wrap
+msgid ""
+"base:string\n"
+"scope:integer\n"
+"filter:string\n"
+"probestr:string\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:160
+msgid "probe sdap_search_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:163
+msgid "Probes the sdap_get_generic_ext_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:175
+msgid "probe sdap_deref_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:178
+msgid "Probes the sdap_deref_search_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:182
+#, no-wrap
+msgid ""
+"base_dn:string\n"
+"deref_attr:string\n"
+"probestr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:189
+msgid "probe sdap_deref_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:192
+msgid "Probes the sdap_deref_search_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:208
+msgid "LDAP Account Request Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:212
+msgid "probe sdap_acct_req_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:215
+msgid "Probes the sdap_acct_req_send() function."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234
+#, no-wrap
+msgid ""
+"entry_type:int\n"
+"filter_type:int\n"
+"filter_value:string\n"
+"extra_value:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:227
+msgid "probe sdap_acct_req_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:230
+msgid "Probes the sdap_acct_req_recv() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:246
+msgid "LDAP User Search Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:250
+msgid "probe sdap_search_user_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:253
+msgid "Probes the sdap_search_user_send() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281
+#: sssd-systemtap.5.xml:293
+#, no-wrap
+msgid ""
+"filter:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:262
+msgid "probe sdap_search_user_recv"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:265
+msgid "Probes the sdap_search_user_recv() function."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:274
+msgid "probe sdap_search_user_save_begin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:277
+msgid "Probes the sdap_search_user_save_begin() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:286
+msgid "probe sdap_search_user_save_end"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:289
+msgid "Probes the sdap_search_user_save_end() function."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:302
+msgid "Data Provider Request Probes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:306
+msgid "probe dp_req_send"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:309
+msgid "A Data Provider request is submitted."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:312
+#, no-wrap
+msgid ""
+"dp_req_domain:string\n"
+"dp_req_name:string\n"
+"dp_req_target:int\n"
+"dp_req_method:int\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:320
+msgid "probe dp_req_done"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:323
+msgid "A Data Provider request is completed."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-systemtap.5.xml:326
+#, no-wrap
+msgid ""
+"dp_req_name:string\n"
+"dp_req_target:int\n"
+"dp_req_method:int\n"
+"dp_ret:int\n"
+"dp_errorstr:string\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-systemtap.5.xml:339
+msgid "MISCELLANEOUS FUNCTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:346
+msgid "function acct_req_desc(entry_type)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:349
+msgid "Convert entry_type to string and return string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:354
+msgid ""
+"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
+"filter_value, extra_value)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:358
+msgid "Create probe string based on filter type"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:363
+msgid "function dp_target_str(target)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:366
+msgid "Convert target to string and return string"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd-systemtap.5.xml:371
+msgid "function dp_method_str(target)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-systemtap.5.xml:374
+msgid "Convert method to string and return string"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/service_discovery.xml:2
+msgid "SERVICE DISCOVERY"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/service_discovery.xml:4
+msgid ""
+"The service discovery feature allows back ends to automatically find the "
+"appropriate servers to connect to using a special DNS query. This feature is "
+"not supported for backup servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99
+msgid "Configuration"
+msgstr "Ҷӯрсозӣ"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:11
+msgid ""
+"If no servers are specified, the back end automatically uses service "
+"discovery to try to find a server. Optionally, the user may choose to use "
+"both fixed server addresses and service discovery by inserting a special "
+"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
+"preference is maintained. This feature is useful if, for example, the user "
+"prefers to use service discovery whenever possible, and fall back to a "
+"specific server when no servers can be discovered using DNS."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:23
+msgid "The domain name"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:25
+msgid ""
+"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:35
+msgid "The protocol"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:37
+msgid ""
+"The queries usually specify _tcp as the protocol. Exceptions are documented "
+"in respective option description."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/service_discovery.xml:42
+msgid "See Also"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/service_discovery.xml:44
+msgid ""
+"For more information on the service discovery mechanism, refer to RFC 2782."
+msgstr ""
+
+#. type: Content of: <refentryinfo>
+#: include/upstream.xml:2
+msgid ""
+"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure."
+"io/SSSD/sssd/</orgname>"
+msgstr ""
+
+#. type: Content of: outside any tag (error?)
+#: include/upstream.xml:1
+msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/failover.xml:2
+msgid "FAILOVER"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/failover.xml:4
+msgid ""
+"The failover feature allows back ends to automatically switch to a different "
+"server if the current server fails."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:8
+msgid "Failover Syntax"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:10
+msgid ""
+"The list of servers is given as a comma-separated list; any number of spaces "
+"is allowed around the comma. The servers are listed in order of preference. "
+"The list can contain any number of servers."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:16
+msgid ""
+"For each failover-enabled config option, two variants exist: "
+"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is "
+"that servers in the primary list are preferred and backup servers are only "
+"searched if no primary servers can be reached. 
If a backup server is "
+"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
+"periodically try to reconnect to one of the primary servers. If it succeeds, "
+"it will replace the current active (backup) server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:27
+msgid "The Failover Mechanism"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:29
+msgid ""
+"The failover mechanism distinguishes between a machine and a service. The "
+"back end first tries to resolve the hostname of a given machine; if this "
+"resolution attempt fails, the machine is considered offline. No further "
+"attempts are made to connect to this machine for any other service. If the "
+"resolution attempt succeeds, the back end tries to connect to a service on "
+"this machine. If the service connection attempt fails, then only this "
+"particular service is considered offline and the back end automatically "
+"switches over to the next service. The machine is still considered online "
+"and might still be tried for another service."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:42
+msgid ""
+"Further connection attempts are made to machines or services marked as "
+"offline after a specified period of time; this is currently hard coded to 30 "
+"seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:47
+msgid ""
+"If there are no more machines to try, the back end as a whole switches to "
+"offline mode, and then attempts to reconnect every 30 seconds."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/failover.xml:53
+msgid "Failover time outs and tuning"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:55
+msgid ""
+"Resolving a server to connect to can be as simple as running a single DNS "
+"query or can involve several steps, such as finding the correct site or "
+"trying out multiple host names in case some of the configured servers are "
+"not reachable. The more complex scenarios can take some time and SSSD needs "
+"to balance between providing enough time to finish the resolution process "
+"but on the other hand, not trying for too long before falling back to "
+"offline mode. If the SSSD debug logs show that the server resolution is "
+"timing out before a live server is contacted, you can consider changing the "
+"time outs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:76
+msgid "dns_resolver_op_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid "How long would SSSD talk to a single DNS server."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:86
+msgid "dns_resolver_timeout"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:90
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:100
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></"
+"quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote>."
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between automatically-"
+"assigned and manually-assigned values. If you need to use manually-assigned "
+"values, ALL values must be manually-assigned."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed. 
It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr ""
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory. This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\"-. Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that domain. "
+"In order to make this slice-assignment repeatable on different client "
+"machines, we select the slice based on the following algorithm:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value. We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid ""
+"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:127
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>min_id</"
+"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+msgid "Default: 200000"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:142
+msgid "ldap_idmap_range_max (integer)"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:145
+msgid ""
+"Specifies the upper bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:149
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>max_id</"
+"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:159
+msgid "Default: 2000200000"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:164
+msgid "ldap_idmap_range_size (integer)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:167
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "Рақами UID" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 +msgid "ldap_force_upper_case_realm = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:38 +msgid "ldap_id_mapping = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:43 +msgid "ldap_sasl_mech = gssapi" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:48 +msgid "ldap_referrals = false" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ad" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 +msgid "ldap_use_tokengroups = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:63 +msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:66 +msgid "" +"The AD provider looks for a different principal than the LDAP provider by " +"default, because in an Active Directory environment the principals are " +"divided into two groups - User Principals and Service Principals. Only User " +"Principal can be used to obtain a TGT and by default, computer object's " +"principal is constructed from its sAMAccountName and the AD realm. The well-" +"known host/hostname@REALM principal is a Service Principal and thus cannot " +"be used to get a TGT with." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/ipa_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and IPA provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:18 +msgid "krb5_use_fast = try" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:23 +msgid "krb5_canonicalize = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:29 +msgid "LDAP Provider - General" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:33 +msgid "ldap_schema = ipa_v1" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:43 +msgid "ldap_sasl_mech = GSSAPI" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:48 +msgid "ldap_sasl_minssf = 56" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:53 +msgid "ldap_account_expire_policy = ipa" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:64 +msgid "LDAP Provider - User options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:68 +msgid "ldap_user_member_of = memberOf" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:73 +msgid "ldap_user_uuid = ipaUniqueID" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:78 +msgid "ldap_user_ssh_public_key = ipaSshPubKey" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:83 +msgid "ldap_user_auth_type = ipaUserAuthType" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ipa_modified_defaults.xml:89 +msgid "LDAP Provider - Group options" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:93 +msgid "ldap_group_object_class = ipaUserGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:98 +msgid "ldap_group_object_class_alt = posixGroup" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:103 +msgid "ldap_group_member = member" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:108 +msgid "ldap_group_uuid = ipaUniqueID" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:113 +msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ipa_modified_defaults.xml:118 +msgid "ldap_group_external_member = ipaExternalMember" +msgstr "" diff --git a/src/man/po/uk.po b/src/man/po/uk.po new file mode 100644 index 0000000..9f94ae2 --- /dev/null +++ b/src/man/po/uk.po 
@@ -0,0 +1,19726 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# sgallagh <sgallagh@redhat.com>, 2011
+# Yuri Chornoivan <yurchor@ukr.net>, 2011-2014
+# Yuri Chornoivan <yurchor@ukr.net>, 2013
+# Yuri Chornoivan <yurchor@ukr.net>, 2015. #zanata
+# Yuri Chornoivan <yurchor@ukr.net>, 2017. #zanata
+# Yuri Chornoivan <yurchor@ukr.net>, 2018. #zanata
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2018-03-09 11:48+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Ukrainian (http://www.transifex.com/projects/p/sssd/language/"
+"uk/)\n"
+"Language: uk\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
+"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "Сторінки підручника SSSD"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr "зміна групи"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></"
+"arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr "ОПИС"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+"<command>sss_groupmod</command> змінює назву групи відповідно до змін, "
+"внесених за допомогою командного рядка."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "ПАРАМЕТРИ"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>ГРУПИ</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:48 +msgid "" +"Append this group to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" +"Додати групу до груп, вказаних за допомогою параметра <replaceable>ГРУПИ</" +"replaceable>. Параметр <replaceable>ГРУПИ</replaceable> є списком груп, " +"відокремлених комами." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91 +msgid "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" +"<option>-r</option>,<option>--remove-group</option> <replaceable>ГРУПИ</" +"replaceable>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupmod.8.xml:62 +msgid "" +"Remove this group from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" +"Вилучає групу з груп, вказаних за допомогою параметра <replaceable>ГРУПИ</" +"replaceable>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.conf.5.xml:10 sssd.conf.5.xml:16 +msgid "sssd.conf" +msgstr "sssd.conf" + +#. type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. 
type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "Формати файлів та правила" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "файл налаштування SSSD" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "ФОРМАТ ФАЙЛА" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" +"<replaceable>[розділ]</replaceable>\n" +"<replaceable>ключ</replaceable> = <replaceable>значення</replaceable>\n" +"<replaceable>ключ2</replaceable> = <replaceable>значення2,значення3</replaceable>\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Файл складено з використанням синтаксичний конструкцій у стилі ini, він " +"складається з розділів і окремих записів параметрів. Розділ починається з " +"рядка назви розділу у квадратних дужках і продовжується до початку нового " +"розділу. 
Приклад розділу з параметрами, які мають єдине і декілька значень: " +"<placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:36 +msgid "" +"The data types used are string (no quotes needed), integer and bool (with " +"values of <quote>TRUE/FALSE</quote>)." +msgstr "" +"Типами даних є рядок (без символів лапок), ціле число і булеве значення " +"(можливі два значення — <quote>TRUE</quote> і <quote>FALSE</quote>)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:41 +#, fuzzy +#| msgid "" +#| "A line comment starts with a hash sign (<quote>#</quote>) or a semicolon " +#| "(<quote>;</quote>). Inline comments are not supported." +msgid "" +"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " +"(<quote>;</quote>). Inline comments are not supported." +msgstr "" +"Рядок коментаря починається з символу решітки (<quote>#</quote>) або крапки " +"з комою (<quote>;</quote>). Підтримки вбудованих коментарів не передбачено." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:47 +msgid "" +"All sections can have an optional <replaceable>description</replaceable> " +"parameter. Its function is only as a label for the section." +msgstr "" +"Для всіх розділів передбачено додатковий параметр <replaceable>description</" +"replaceable>. Його призначено лише для позначення розділу." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:53 +msgid "" +"<filename>sssd.conf</filename> must be a regular file, owned by root and " +"only root may read from or write to the file." +msgstr "" +"<filename>sssd.conf</filename> має бути звичайним файлом, власником якого є " +"користувач root. Права на читання та запис до цього файла повинен мати лише " +"користувач root." + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:59 +msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" +msgstr "ФРАГМЕНТИ НАЛАШТУВАНЬ З КАТАЛОГУ ВКЛЮЧЕННЯ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:62 +msgid "" +"The configuration file <filename>sssd.conf</filename> will include " +"configuration snippets using the include directory <filename>conf.d</" +"filename>. This feature is available if SSSD was compiled with libini " +"version 1.3.0 or later." +msgstr "" +"До файла налаштувань <filename>sssd.conf</filename> буде включено фрагменти " +"налаштувань з каталогу <filename>conf.d</filename>. Цією можливістю можна " +"буде скористатися, якщо SSSD було зібрано із бібліотекою libini версії 1.3.0 " +"або новішою." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:69 +msgid "" +"Any file placed in <filename>conf.d</filename> that ends in " +"<quote><filename>.conf</filename></quote> and does not begin with a dot " +"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " +"to configure SSSD." +msgstr "" +"Будь-який файл, розташований у <filename>conf.d</filename>, назва якого " +"завершується на <quote><filename>.conf</filename></quote> і не починається з " +"крапки (<quote>.</quote>), буде використано разом із <filename>sssd.conf</" +"filename> для налаштовування SSSD." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:77 +msgid "" +"The configuration snippets from <filename>conf.d</filename> have higher " +"priority than <filename>sssd.conf</filename> and will override " +"<filename>sssd.conf</filename> when conflicts occur. If several snippets are " +"present in <filename>conf.d</filename>, then they are included in " +"alphabetical order (based on locale). Files included later have higher " +"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " +"<filename>02_snippet.conf</filename> etc.) 
can help visualize the priority " +"(higher number means higher priority)." +msgstr "" +"Фрагменти налаштувань з <filename>conf.d</filename> мають вищий пріоритет за " +"<filename>sssd.conf</filename>, вони мають вищий пріоритет за <filename>sssd." +"conf</filename>, якщо виникне конфлікт. Якщо у <filename>conf.d</filename> " +"буде виявлено декілька фрагментів, їх буде включено за абеткою (на основі " +"параметрів локалі). Файли, які включаються пізніше, мають вищий пріоритет. " +"Числові префікси (<filename>01_фрагмент.conf</filename>, " +"<filename>02_фрагмент.conf</filename> тощо) можуть допомогти у візуалізації " +"пріоритетності (більше число означає вищу пріоритетність)." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:91 +msgid "" +"The snippet files require the same owner and permissions as <filename>sssd." +"conf</filename>. Which are by default root:root and 0600." +msgstr "" +"Файли фрагментів мають належати одному користувачеві і мати однакові права " +"доступу із файлом <filename>sssd.conf</filename>. Типовим власником є root:" +"root, а типовими правами доступу — 0600." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:98 +msgid "GENERAL OPTIONS" +msgstr "ЗАГАЛЬНІ ПАРАМЕТРИ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:100 +msgid "Following options are usable in more than one configuration sections." +msgstr "" +"Нижче наведено параметри, які можна використовувати у декількох розділах " +"налаштувань." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:104 +msgid "Options usable in all sections" +msgstr "Параметри, які можна використовувати у всіх розділах" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:108 +msgid "debug_level (integer)" +msgstr "debug_level (ціле число)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:112 +msgid "debug (integer)" +msgstr "debug (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:115 +msgid "" +"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " +"for <replaceable>debug_level</replaceable> as a convenience feature. If both " +"are specified, the value of <replaceable>debug_level</replaceable> will be " +"used." +msgstr "" +"У SSSD 1.14 і новіших версіях з міркувань зручності також передбачено " +"альтернативний варіант <replaceable>debug</replaceable> для " +"<replaceable>debug_level</replaceable>. Якщо вказано одразу обидва варіанти, " +"буде використано варіант <replaceable>debug_level</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:125 +msgid "debug_timestamps (bool)" +msgstr "debug_timestamps (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:128 +msgid "" +"Add a timestamp to the debug messages. If journald is enabled for SSSD " +"debug logging this option is ignored." +msgstr "" +"Додати часову позначку до діагностичних повідомлень. Якщо для запису " +"діагностичного журналу у SSSD увімкнено journald, цей параметр буде " +"проігноровано." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839 +#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851 +#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576 +#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227 +#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499 +#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364 +msgid "Default: true" +msgstr "Типове значення: true" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:138 +msgid "debug_microseconds (bool)" +msgstr "debug_microseconds (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:141 +msgid "" +"Add microseconds to the timestamp in debug messages. If journald is enabled " +"for SSSD debug logging this option is ignored." +msgstr "" +"Додати значення мікросекунд до часової позначки у діагностичних " +"повідомлення. Якщо для запису діагностичного журналу у SSSD увімкнено " +"journald, цей параметр буде проігноровано." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722 +#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708 +#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920 +#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238 +#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300 +#: sssd-krb5.5.xml:471 +msgid "Default: false" +msgstr "Типове значення: false" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384 +#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210 +#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304 +msgid "<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:155 +msgid "Options usable in SERVICE and DOMAIN sections" +msgstr "Параметри які можна використовувати у розділах SERVICE та DOMAIN" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:159 +msgid "timeout (integer)" +msgstr "timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:162 +msgid "" +"Timeout in seconds between heartbeats for this service. This is used to " +"ensure that the process is alive and capable of answering requests. Note " +"that after three missed heartbeats the process will terminate itself." +msgstr "" +"Проміжок у секундах між циклами роботи цієї служби. Використовується для " +"перевірки працездатності процесу та його змоги відповідати на запити. " +"Зауважте, що після трьох пропущених циклів процес перерве своє виконання " +"самостійно." + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996 +#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264 +msgid "Default: 10" +msgstr "Типове значення: 10" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:179 +msgid "SPECIAL SECTIONS" +msgstr "ОСОБЛИВІ РОЗДІЛИ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:182 +msgid "The [sssd] section" +msgstr "Розділ [sssd]" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085 +msgid "Section parameters" +msgstr "Параметри розділу" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:193 +msgid "config_file_version (integer)" +msgstr "config_file_version (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:196 +msgid "" +"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " +"version 2." +msgstr "" +"Визначає версію синтаксичних конструкцій файла налаштування. Для версій SSSD " +"0.6.0 та пізніших слід використовувати версію 2." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:202 +msgid "services" +msgstr "services" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:205 +msgid "" +"Comma separated list of services that are started when sssd itself starts. " +"<phrase condition=\"have_systemd\"> The services' list is optional on " +"platforms where systemd is supported, as they will either be socket or D-Bus " +"activated when needed. </phrase>" +msgstr "" +"Список служб, відокремлених комами, які запускаються разом із sssd. <phrase " +"condition=\"have_systemd\">Список служб є необов'язковим на платформах, де " +"передбачено підтримку systemd, оскільки там такі служби вмикаються за " +"допомогою сокетів або D-Bus.</phrase>" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:214 +msgid "" +"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " +"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition=" +"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</" +"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" +msgstr "" +"Підтримувані служби: nss, pam <phrase condition=\"with_sudo\">, sudo</" +"phrase> <phrase condition=\"with_autofs\">, autofs</phrase> <phrase " +"condition=\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder" +"\">, pac</phrase> <phrase condition=\"with_ifp\">, ifp</phrase>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:222 +msgid "" +"<phrase condition=\"have_systemd\"> By default, all services are disabled " +"and the administrator must enable the ones allowed to be used by executing: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" +msgstr "" +"<phrase condition=\"have_systemd\">Типово усі служби вимкнено. Адміністратор " +"має увімкнути дозволені до використання служби за допомогою такої команди: " +"\"systemctl enable sssd-@service@.socket\". </phrase>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:231 sssd.conf.5.xml:614 +msgid "reconnection_retries (integer)" +msgstr "reconnection_retries (ціле число)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:234 sssd.conf.5.xml:617 +msgid "" +"Number of times services should attempt to reconnect in the event of a Data " +"Provider crash or restart before they give up" +msgstr "" +"Кількість повторних спроб встановлення зв’язку зі службами або їх " +"перезапуску у разі аварійного завершення роботи інструменту надання даних до " +"визнання подальших спроб безнадійними." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:239 sssd.conf.5.xml:622 +msgid "Default: 3" +msgstr "Типове значення: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:244 +msgid "domains" +msgstr "domains" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:247 +msgid "" +"A domain is a database containing user information. SSSD can use more " +"domains at the same time, but at least one must be configured or SSSD won't " +"start. This parameter describes the list of domains in the order you want " +"them to be queried. A domain name should only consist of alphanumeric ASCII " +"characters, dashes, dots and underscores." +msgstr "" +"Домен — це база даних, у якій містяться дані щодо користувачів. SSSD може " +"одночасно використовувати декілька доменів. Вам слід вказати принаймні один " +"домен, інакше SSSD просто не запуститься. За допомогою цього параметра можна " +"вказати список доменів, впорядкованих за пріоритетністю під час надсилання " +"до них запитів щодо даних. Назва домену має складатися лише з літер і цифр " +"ASCII, дефісів, крапок та знаків підкреслювання." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597 +msgid "re_expression (string)" +msgstr "re_expression (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:262 +msgid "" +"Default regular expression that describes how to parse the string containing " +"user name and domain into these components." +msgstr "" +"Типовий формальний вираз, який описує спосіб поділу рядка з іменем " +"користувача і доменом на його частини." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:267 +msgid "" +"Each domain can have an individual regular expression configured. For some " +"ID providers there are also default regular expressions. See DOMAIN SECTIONS " +"for more info on these regular expressions." +msgstr "" +"Для кожного з доменів можна налаштувати окремий формальний вираз. Для деяких " +"з засобів надання ідентифікаторів передбачено типові формальні вирази. " +"Докладніше про ці формальні вирази можна дізнатися з довідки до РОЗДІЛІВ " +"ДОМЕНІВ." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645 +msgid "full_name_format (string)" +msgstr "full_name_format (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648 +msgid "" +"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" +"manvolnum> </citerefentry>-compatible format that describes how to compose a " +"fully qualified name from user name and domain name components." 
+msgstr "" +"Сумісний з <citerefentry> <refentrytitle>printf</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> формат, який описує спосіб " +"створення повного імені на основі імені користувача та компонентів назви " +"домену." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659 +msgid "%1$s" +msgstr "%1$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660 +msgid "user name" +msgstr "ім’я користувача" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663 +msgid "%2$s" +msgstr "%2$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666 +msgid "domain name as specified in the SSSD config file." +msgstr "назва домену у форматі, вказаному у файлі налаштувань SSSD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672 +msgid "%3$s" +msgstr "%3$s" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675 +msgid "" +"domain flat name. Mostly usable for Active Directory domains, both directly " +"configured or discovered via IPA trusts." +msgstr "" +"проста назва домену. Здебільшого використовується для доменів Active " +"Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656 +msgid "" +"The following expansions are supported: <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" +"Передбачено використання таких замінників: <placeholder type=\"variablelist" +"\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:316 +msgid "" +"Each domain can have an individual format string configured. see DOMAIN " +"SECTIONS for more info on this option." +msgstr "" +"Для кожного з доменів можна налаштувати окремий рядок формату. Докладніше " +"про ці рядки можна дізнатися з довідки до РОЗДІЛІВ ДОМЕНІВ." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:322 +msgid "try_inotify (boolean)" +msgstr "try_inotify (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:325 +msgid "" +"SSSD monitors the state of resolv.conf to identify when it needs to update " +"its internal DNS resolver. By default, we will attempt to use inotify for " +"this, and will fall back to polling resolv.conf every five seconds if " +"inotify cannot be used." +msgstr "" +"SSSD спостерігає за станом resolv.conf для визначення моменту, коли слід " +"оновити дані вбудованого інструменту визначення DNS. Типово, з цією метою " +"використовується inotify. У разі неможливості використання inotify, " +"виконуватиметься опитування resolv.conf кожні п’ять секунд." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:333 +msgid "" +"There are some limited situations where it is preferred that we should skip " +"even trying to use inotify. 
In these rare cases, this option should be set " +"to 'false'" +msgstr "" +"Зрідка бажано не вдаватися навіть до спроб скористатися inotify. У цих " +"рідкісних випадках слід встановити для цього параметра значення «false»." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:339 +msgid "" +"Default: true on platforms where inotify is supported. False on other " +"platforms." +msgstr "" +"Типове значення: «true» на платформах, де підтримується inotify. «false» на " +"інших платформах." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:343 +msgid "" +"Note: this option will have no effect on platforms where inotify is " +"unavailable. On these platforms, polling will always be used." +msgstr "" +"Зауваження: цей параметр ні на що не вплине на платформах, де inotify " +"недоступний. На цих платформах завжди використовуватиметься безпосереднє " +"опитування файла." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:350 +msgid "krb5_rcache_dir (string)" +msgstr "krb5_rcache_dir (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:353 +msgid "" +"Directory on the filesystem where SSSD should store Kerberos replay cache " +"files." +msgstr "" +"Каталог у файловій системі, де SSSD має зберігати файли кешу відтворення " +"Kerberos." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:357 +msgid "" +"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " +"SSSD to let libkrb5 decide the appropriate location for the replay cache." 
+msgstr "" +"Цей параметр приймає особливе значення __LIBKRB5_DEFAULTS__, за допомогою " +"якого можна наказати SSSD надати змогу libkrb5 визначити відповідну адресу " +"для кешу відтворення." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:363 +msgid "" +"Default: Distribution-specific and specified at build-time. " +"(__LIBKRB5_DEFAULTS__ if not configured)" +msgstr "" +"Типове значення: визначається дистрибутивом та вказується під час збирання. " +"(__LIBKRB5_DEFAULTS__, якщо не вказано)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:370 +msgid "user (string)" +msgstr "user (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:373 +msgid "" +"The user to drop the privileges to where appropriate to avoid running as the " +"root user. <phrase condition=\"have_systemd\"> This option does not work " +"when running socket-activated services, as the user set up to run the " +"processes is set up during compilation time. The way to override the " +"systemd unit files is by creating the appropriate files in /etc/systemd/" +"system/. Keep in mind that any change in the socket user, group or " +"permissions may result in a non-usable SSSD. The same may occur in case of " +"changes of the user running the NSS responder. </phrase>" +msgstr "" +"Користувач, до якого слід скинути права доступу, якщо це потрібно для " +"уникнення запуску від імені користувача root. <phrase condition=" +"\"have_systemd\"> Цей параметр не спрацює, якщо запущено служби, які " +"активуються сокетами, оскільки ім'я користувача для запуску налаштовується " +"під час збирання. Параметри файлів модулів systemd можна перевизначити " +"створенням відповідних файлів у /etc/systemd/system/. 
Слід пам'ятати, щоб " +"будь-які зміни у параметрах користувача, групи чи прав доступу можуть " +"призвести до непрацездатності SSSD. Те саме може статися, якщо змінити " +"користувача, від імені якого запущено відповідач NSS. </phrase>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:391 +msgid "Default: not set, process will run as root" +msgstr "Типове значення: не встановлено, процес буде запущено від імені root" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:396 +msgid "default_domain_suffix (string)" +msgstr "default_domain_suffix (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:399 +msgid "" +"This string will be used as a default domain name for all names without a " +"domain name component. The main use case is environments where the primary " +"domain is intended for managing host policies and all users are located in a " +"trusted domain. The option allows those users to log in just with their " +"user name without giving a domain name as well." +msgstr "" +"Цей рядок буде використано як типову назву домену для всіх назв без " +"компонента назви домену. Основним призначенням використання цього рядка є " +"середовища, де основний домен призначено для керування правилами вузлів та " +"всіма користувачами, розташованими на надійному (довіреному) домені. За " +"допомогою цього параметра користувачі можуть входити до системи за допомогою " +"лише імені користувача без додавання до нього назви домену." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. 
" +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" +"Будь ласка, зауважте, що якщо встановлено цей параметр, для усіх " +"користувачів із основного домену доведеться використовувати ім’я повністю, " +"тобто користувач@назва.домену, для входу до системи. Встановлення цього " +"параметра змінює типове значення use_fully_qualified_names на True. Цей " +"параметр не можна використовувати у поєднанні із значенням " +"use_fully_qualified_names рівним False." + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "Типове значення: not set" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "override_space (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" +"За допомогою цього параметра можна змінити пробіли у іменах користувачів та " +"назвах груп вказаним симовлом, наприклад _. 
Ім’я користувача «john doe» буде " +"перетворено на «john_doe». Цю можливість було додано для сумісності із " +"скриптами командної оболонки, у яких виникають проблеми із обробкою пробілів " +"через типовий роздільник полів у оболонці." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. If a name contains the replacement " +"character SSSD tries to return the unmodified name but in general the result " +"of a lookup is undefined." +msgstr "" +"Будь ласка, зауважте, що використання символу-замінника, який може бути " +"використано у іменах користувачів і назвах груп, є помилкою у налаштуваннях. " +"Якщо назва містить символ-замінник, SSSD спробує повернути незмінену назву, " +"але, загалом, результат пошуку буде невизначеним." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:443 +msgid "Default: not set (spaces will not be replaced)" +msgstr "Типове значення: не встановлено (пробіли не замінятимуться)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:448 +msgid "certificate_verification (string)" +msgstr "certificate_verification (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:456 +msgid "no_ocsp" +msgstr "no_ocsp" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:458 +msgid "" +"Disables Online Certificate Status Protocol (OCSP) checks. 
This might be " +"needed if the OCSP servers defined in the certificate are not reachable from " +"the client." +msgstr "" +"Вимикає перевірки протоколу стану мережевої сертифікації (Online Certificate " +"Status Protocol або OCSP). Це може знадобитися, якщо сервери OCSP, визначені " +"у сертифікаті, є недоступними з клієнта." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:466 +msgid "no_verification" +msgstr "no_verification" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:468 +msgid "" +"Disables verification completely. This option should only be used for " +"testing." +msgstr "" +"Повністю вимикає перевірку. Цим варіантом слід користуватися лише для " +"тестування." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:474 +msgid "ocsp_default_responder=URL" +msgstr "ocsp_default_responder=URL" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:476 +msgid "" +"Sets the OCSP default responder which should be used instead of the one " +"mentioned in the certificate. URL must be replaced with the URL of the OCSP " +"default responder e.g. http://example.com:80/ocsp." +msgstr "" +"Встановлює типовий відповідач OCSP, який слід використовувати замість " +"визначеного у сертифікаті. Адресу слід замінити адресою типового " +"відповідача, наприклад http://example.com:80/ocsp." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:482 +msgid "" +"This option must be used together with ocsp_default_responder_signing_cert." +msgstr "" +"Цей параметр слід використовувати разом із параметром " +"ocsp_default_responder_signing_cert." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:490 +msgid "ocsp_default_responder_signing_cert=NAME" +msgstr "ocsp_default_responder_signing_cert=НАЗВА" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:492 +msgid "" +"The nickname of the cert to trust (expected) to sign the OCSP responses. " +"The certificate with the given nickname must be available in the systems NSS " +"database." +msgstr "" +"Альтернативна назва сертифіката, якому слід довіряти (очікувано) для " +"підписування відповідей OCSP. Сертифікат із вказаною альтернативною назвою " +"має зберігатися у базі даних NSS системи." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:497 +msgid "This option must be used together with ocsp_default_responder." +msgstr "" +"Цим параметром слід користуватися разом із параметром ocsp_default_responder." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:451 +msgid "" +"With this parameter the certificate verification can be tuned with a comma " +"separated list of options. 
Supported options are: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" +"За допомогою цього параметра можна виконати тонке налаштовування перевірки " +"сертифікатів на основі списку параметрів, відокремлених комами. Підтримувані " +"параметри: <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:504 +msgid "Unknown options are reported but ignored." +msgstr "" +"Обробник параметрів повідомлятиме про невідомі параметри і просто " +"ігноруватиме їх." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:507 +msgid "Default: not set, i.e. do not restrict certificate verification" +msgstr "" +"Типове значення: не встановлено, тобто перевірка сертифікатів нічим не " +"обмежуватиметься" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:513 +msgid "disable_netlink (boolean)" +msgstr "disable_netlink (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:516 +msgid "" +"SSSD hooks into the netlink interface to monitor changes to routes, " +"addresses, links and trigger certain actions." +msgstr "" +"Перехоплювачі SSSD у інтерфейсі netlink для стеження за змінами у маршрутах, " +"адресах, посилання та виконання певних дій." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:521 +msgid "" +"The SSSD state changes caused by netlink events may be undesirable and can " +"be disabled by setting this option to 'true'" +msgstr "" +"Зміни стану SSSD, спричинені подіями netlink, можуть бути небажаними, їх " +"можна вимкнути встановленням для цього параметра значення «true»" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:526 +msgid "Default: false (netlink changes are detected)" +msgstr "Типове значення: false (виявлення змін у netlink)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:531 +msgid "enable_files_domain (boolean)" +msgstr "enable_files_domain (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:534 +msgid "" +"When this option is enabled, SSSD prepends an implicit domain with " +"<quote>id_provider=files</quote> before any explicitly configured domains." +msgstr "" +"Якщо цю можливість увімкнено, SSSD дописуватиме неявний домен із " +"<quote>id_provider=files</quote> до усіх явним чином налаштованих доменів." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:548 +msgid "domain_resolution_order" +msgstr "domain_resolution_order" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:551 +msgid "" +"Comma separated list of domains and subdomains representing the lookup order " +"that will be followed. The list doesn't have to include all possible " +"domains as the missing domains will be looked up based on the order they're " +"presented in the <quote>domains</quote> configuration option. The " +"subdomains which are not listed as part of <quote>lookup_order</quote> will " +"be looked up in a random order for each parent domain." +msgstr "" +"Список доменів і піддоменів, відокремлених комами, який визначає порядок " +"пошуку, який використовуватиметься. 
Список не обов'язково включатиме усі " +"можливі домени, оскільки пошук у пропущених доменах відбуватиметься у " +"порядку, у якому їх вказано у параметрі налаштування <quote>domains</quote>. " +"Пошук у піддоменах, яких немає у списку <quote>lookup_order</quote>, " +"відбуватиметься у випадковому порядку для кожного батьківського домену." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:563 +#, fuzzy +#| msgid "" +#| "Please, note that when this option is set the output format of all " +#| "commands is always fully-qualified even when using short names for " +#| "input. In case the administrator wants the output not fully-qualified, " +#| "the full_name_format option can be used as shown below: " +#| "<quote>full_name_format=%1$s</quote> However, keep in mind that during " +#| "login, login applications often canonicalize the username by calling " +#| "<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" +#| "manvolnum> </citerefentry> which, if a shortname is returned for a " +#| "qualified input (while trying to reach a user which exists in multiple " +#| "domains) might re-route the login attempt into the domain which users " +#| "shortnames, making this workaround totally not recommended in cases where " +#| "usernames may overlap between domains." +msgid "" +"Please, note that when this option is set the output format of all commands " +"is always fully-qualified even when using short names for input, for all " +"users but the ones managed by the files provider. 
In case the administrator " +"wants the output not fully-qualified, the full_name_format option can be " +"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in " +"mind that during login, login applications often canonicalize the username " +"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " +"for a qualified input (while trying to reach a user which exists in multiple " +"domains) might re-route the login attempt into the domain which uses " +"shortnames, making this workaround totally not recommended in cases where " +"usernames may overlap between domains." +msgstr "" +"Будь ласка, зауважте, що якщо встановлено цей параметр, для виведення даних " +"усіма командами використовуватиметься повний формат, навіть якщо у вхідних " +"даних були скорочені назви. Якщо адміністратору потрібні скорочені дані у " +"виведенні, параметр full_name_format можна використати так: " +"<quote>full_name_format=%1$s</quote> Втім, слід пам'ятати, що під час входу " +"до облікового запису програми часто перетворюють ім'я користувача до " +"канонічної форми, викликаючи програму <citerefentry> " +"<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>, яка, якщо повернуто скорочену назву для повних вхідних даних " +"(під час спроби обробки даних користувача, запис якого існує у декількох " +"доменах) може переспрямувати спробу входу до домену, де використовуються " +"скорочені назви, і знівелює цей обхідний маневр, якщо імена користувачів у " +"різних доменах можуть бути однаковими." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046 +#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316 +msgid "Default: Not set" +msgstr "Типове значення: не встановлено" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:184 +msgid "" +"Individual pieces of SSSD functionality are provided by special SSSD " +"services that are started and stopped together with SSSD. The services are " +"managed by a special service frequently called <quote>monitor</quote>. The " +"<quote>[sssd]</quote> section is used to configure the monitor as well as " +"some other important options like the identity domains. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" +"Окремі функції у SSSD виконуються особливими службами SSSD, які запускаються " +"і зупиняються разом SSSD. Ці служби керуються окремою службою, яку часто " +"називають «монітором». Розділ <quote>[sssd]</quote> використовується для " +"налаштування монітора та деяких інших важливих параметрів, зокрема доменів " +"профілів. <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:599 +msgid "SERVICES SECTIONS" +msgstr "РОЗДІЛИ СЛУЖБ" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:601 +msgid "" +"Settings that can be used to configure different services are described in " +"this section. They should reside in the [<replaceable>$NAME</replaceable>] " +"section, for example, for NSS service, the section would be <quote>[nss]</" +"quote>" +msgstr "" +"У цьому розділі описано параметри, якими можна скористатися для налаштування " +"різноманітних служб. Ці параметри має бути зібрано у розділах з назвами " +"[<replaceable>$NAME</replaceable>]. Наприклад, параметри служби NSS зібрано " +"у розділі <quote>[nss]</quote>" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:608 +msgid "General service configuration options" +msgstr "Загальні параметри налаштування служб" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:610 +msgid "These options can be used to configure any service." +msgstr "Цими параметрами можна скористатися для налаштування будь-яких служб." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:627 +msgid "fd_limit" +msgstr "fd_limit" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:630 +msgid "" +"This option specifies the maximum number of file descriptors that may be " +"opened at one time by this SSSD process. On systems where SSSD is granted " +"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " +"systems without this capability, the resulting value will be the lower value " +"of this or the limits.conf \"hard\" limit." +msgstr "" +"За допомогою цього параметра можна визначити максимальну кількість " +"дескрипторів файлів, які одночасно може бути відкрито цим процесом SSSD. У " +"системах, де SSSD надано можливості CAP_SYS_RESOURCE, цей параметр " +"використовуватиметься незалежно від інших параметрів системи. У системах без " +"цієї можливості, кількість дескрипторів визначатиметься найменшим зі значень " +"цього параметра і обмеженням \"hard\" у limits.conf." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:639 +msgid "Default: 8192 (or limits.conf \"hard\" limit)" +msgstr "Типове значення: 8192 (або обмеження у limits.conf \"hard\")" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:644 +msgid "client_idle_timeout" +msgstr "client_idle_timeout" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:647 +msgid "" +"This option specifies the number of seconds that a client of an SSSD process " +"can hold onto a file descriptor without communicating on it. This value is " +"limited in order to avoid resource exhaustion on the system. The timeout " +"can't be shorter than 10 seconds. If a lower value is configured, it will be " +"adjusted to 10 seconds." +msgstr "" +"За допомогою цього параметра можна визначити кількість секунд, протягом яких " +"клієнтська частина SSSD може утримувати дескриптор файла без здійснення за " +"його допомогою обміну даними. Таке обмеження потрібне для того, щоб уникнути " +"вичерпання ресурсів системи. Час очікування не може бути меншим за 10 " +"секунд. Якщо у налаштуваннях вказано менше значення, його буде скориговано " +"до 10 секунд." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970 +#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412 +msgid "Default: 60" +msgstr "Типове значення: 60" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:661 +msgid "offline_timeout (integer)" +msgstr "offline_timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:664 +msgid "" +"When SSSD switches to offline mode the amount of time before it tries to go " +"back online will increase based upon the time spent disconnected. This " +"value is in seconds and calculated by the following:" +msgstr "" +"Коли SSSD перемикається на автономний режим роботи, час, який має минути, " +"перш ніж буде здійснено спробу повернутися до режиму у мережі, " +"збільшуватиметься, відповідно до часу, проведеного у режимі від’єднання. 
Це " +"значення вказується у секундах і обчислюється за такою формулою:" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:671 +msgid "offline_timeout + random_offset" +msgstr "час_очікування_для_переходу_у_автономний_режим + випадковий_зсув" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:674 +msgid "" +"The random offset can increment up to 30 seconds. After each unsuccessful " +"attempt to go online, the new interval is recalculated by the following:" +msgstr "" +"Випадковий зсув може збільшувати час на інтервал до 30 секунд. Після кожної " +"невдалої спроби переходу до режиму у мережі новий інтервал часу обчислюється " +"таким чином:" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:679 +msgid "new_interval = old_interval*2 + random_offset" +msgstr "новий_інтервал = старий_інтервал*2 + випадковий_зсув" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:682 +msgid "" +"Note that the maximum length of each interval is currently limited to one " +"hour. If the calculated length of new_interval is greater than an hour, it " +"will be forced to one hour." +msgstr "" +"Зауважте, що максимальна тривалість кожного з інтервалів у поточній версії " +"обмежено однією годиною. Якщо обчислена тривалість нового інтервалу " +"перевищує годину, буде встановлено інтервал у одну годину." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:693 +msgid "responder_idle_timeout" +msgstr "responder_idle_timeout" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:696 +msgid "" +"This option specifies the number of seconds that an SSSD responder process " +"can be up without being used. This value is limited in order to avoid " +"resource exhaustion on the system. The minimum acceptable value for this " +"option is 60 seconds. Setting this option to 0 (zero) means that no timeout " +"will be set up to the responder. This option only has effect when SSSD is " +"built with systemd support and when services are either socket or D-Bus " +"activated." +msgstr "" +"Цей параметр визначає кількість секунд, протягом яких процес відповідача " +"SSSD може працювати без використання. Це значення обмежено з метою уникнення " +"вичерпання ресурсів системи. Мінімальним прийнятним значенням для цього " +"параметра є 60 секунд. Встановлення для цього параметра значення 0 (нуль) " +"означає, що для відповідача не встановлюватиметься ніякого часу очікування. " +"Цей параметр враховуватиметься, лише якщо SSSD зібрано з підтримкою systemd " +"і якщо служби активуються за допомогою або сокетів або D-Bus." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616 +#: sssd-ldap.5.xml:722 +msgid "Default: 300" +msgstr "Типове значення: 300" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:715 +msgid "cache_first" +msgstr "cache_first" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:718 +msgid "" +"This option specifies whether the responder should query all caches before " +"querying the Data Providers." +msgstr "" +"Цей параметр визначає, чи слід відповідачеві опитати усі кеші до надсилання " +"запису до модулів засобів надання даних." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:730 +msgid "NSS configuration options" +msgstr "Параметри налаштування NSS" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:732 +msgid "" +"These options can be used to configure the Name Service Switch (NSS) service." +msgstr "" +"Цими параметрами можна скористатися для налаштування служби Name Service " +"Switch (NSS або перемикання служби визначення назв)." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:737 +msgid "enum_cache_timeout (integer)" +msgstr "enum_cache_timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:740 +msgid "" +"How many seconds should nss_sss cache enumerations (requests for info about " +"all users)" +msgstr "" +"Тривалість зберігання переліків (запитів щодо даних всіх користувачів) у " +"кеші nss_sss у секундах" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:744 +msgid "Default: 120" +msgstr "Типове значення: 120" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:749 +msgid "entry_cache_nowait_percentage (integer)" +msgstr "entry_cache_nowait_percentage (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:752 +msgid "" +"The entry cache can be set to automatically update entries in the background " +"if they are requested beyond a percentage of the entry_cache_timeout value " +"for the domain." +msgstr "" +"Можна встановити кеш записів для автоматичного оновлення записів у фоновому " +"режимі, якщо запит щодо них надходить у визначений у відсотках від " +"entry_cache_timeout для домену період часу." 
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+"Наприклад, якщо entry_cache_timeout домену встановлено у значення 30s, а "
+"entry_cache_nowait_percentage — у значення 50 (у відсотках), записи, які "
+"надійдуть за 15 секунд після останнього оновлення кешу, буде повернуто "
+"одразу, але SSSD оновить власний кеш, отже наступні запити очікуватимуть на "
+"розблокування після оновлення кешу."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+"Коректними значеннями цього параметра є 0-99. Ці значення відповідають "
+"відсоткам entry_cache_timeout для кожного з доменів. З міркувань покращення "
+"швидкодії це відсоткове значення ніколи не зменшуватиме час очікування "
+"nowait до значення, меншого за 10 секунд. Визначення значення 0 вимкне цю "
+"можливість."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr "Типове значення: 50"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr "entry_negative_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+"Визначає кількість секунд, протягом яких nss_sss має кешувати негативні "
+"результати пошуку у кеші (тобто запити щодо некоректних записів у базі "
+"даних, зокрема неіснуючих) перед повторним запитом до сервера обробки."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr "Типове значення: 15"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr "local_negative_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+#, fuzzy
+#| msgid ""
+#| "Specifies for how many seconds nss_sss should keep local users and groups "
+#| "in negative cache before trying to look it up in the back end again."
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+"Визначає кількість секунд, протягом яких nss_sss має зберігати негативні "
+"результати пошуку у кеші користувачів і груп, перші ніж намагатися знову "
+"шукати їх за допомогою модуля надання даних."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+#, fuzzy
+#| msgid "Default: 86400 (24 hours)"
+msgid "Default: 14400 (4 hours)"
+msgstr "Типове значення: 86400 (24 години)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr "filter_users, filter_groups (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+"Виключити певних користувачів або групи зі списку отримання даних з бази "
+"даних NSS sss. Таке виключення може бути корисним для облікових записів "
+"керування системою. Цей параметр також можна встановлювати для кожного з "
+"доменів окремо або включити до нього імена користувачів повністю для "
+"обмеження списку користувачами лише з певного домену."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+"ЗАУВАЖЕННЯ: параметр filter_groups не впливає на успадкованість вкладених "
+"записів групи, оскільки фільтрування відбувається після їх передавання для "
+"повернення за допомогою NSS. Наприклад, у списку групи, що містить вкладену "
+"групу, яку відфільтровано, залишатимуться записи користувачів "
+"відфільтрованої групи."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr "Типове значення: root"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr "filter_users_in_groups (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+"Якщо ви хочете, щоб фільтровані користувачі залишалися учасниками груп, "
+"встановіть для цього параметра значення «false»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr "fallback_homedir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+"Встановити типовий шаблон назви домашнього каталогу користувача, якщо цей "
+"каталог не вказано явним чином засобом надання даних домену."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+"Можливі варіанти значень для цього параметра збігаються з варіантами значень "
+"для параметра override_homedir."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+"fallback_homedir = /home/%u\n"
+" "
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+"Типове значення: не встановлено (без замін для невстановлених домашніх "
+"каталогів)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr "override_shell (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+"Перевизначити командну оболонку входу до системи для усіх користувачів. Цей "
+"параметр має пріоритет над будь-якими іншими параметрами визначення "
+"командної оболонки, якщо він діє. Його можна встановити або у розділі [nss] "
+"або для кожного з доменів окремо."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+"Типове значення: не встановлено (SSSD використовуватиме значення, отримане "
+"від LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr "allowed_shells (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+"Обмежити перелік можливих командних оболонок користувачів вказаними. Порядок "
+"визначення оболонки є таким:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+"1. Якщо оболонку вказано у <quote>/etc/shells</quote>, її буде використано."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+"2. Якщо оболонку вказано у списку allowed_shells, але її немає у списку "
+"<quote>/etc/shells</quote>, буде використано значення параметра "
+"shell_fallback."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+"3. Якщо оболонку не вказано у списку allowed_shells і її немає у списку "
+"<quote>/etc/shells</quote>, буде використано оболонку nologin."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+"Для визначення будь-якої командної оболонки можна скористатися шаблоном "
+"заміни (*)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+"Значенням (*) варто користуватися, якщо ви хочете скористатися "
+"shell_fallback, коли командної оболонки користувача немає у «/etc/shells», а "
+"супровід списку усіх командних оболонок у allowed_shells є надто марудною "
+"справою."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr "Порожній рядок оболонки буде передано без обробки до libc."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+"Читання <quote>/etc/shells</quote> виконується лише під час запуску SSSD, "
+"тобто у разі встановлення нової оболонки слід перезапустити SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+"Типове значення: не встановлено. Автоматично використовується оболонка "
+"користувача."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr "vetoed_shells (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr "Замінити всі записи цих оболонок на shell_fallback"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr "shell_fallback (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+"Типова оболонка, яку слід використовувати, якщо дозволеної оболонки у "
+"системі не встановлено."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr "Типове значення: /bin/sh"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr "default_shell"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+"Типова командна оболонка, яку буде використано, якщо засобом надання даних "
+"не було повернуто назви оболонки під час пошуку. Цей параметр можна вказати "
+"або на загальному рівні у розділі [nss], або окремо для кожного з доменів."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+"Типове значення: не встановлено (повернути NULL, якщо оболонку не "
+"встановлено і покластися на libc у визначенні потрібного програмі значення, "
+"зазвичай /bin/sh)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr "get_domains_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+"Визначає час у секундах, протягом якого список піддоменів вважатиметься "
+"чинним."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr "memcache_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+"Визначає час у секундах, протягом якого список піддоменів вважатиметься "
+"чинним. Встановлення для цього параметра нульового значення вимикає кеш у "
+"пам'яті."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+"Попередження: вимикання кешу у пам'яті значно погіршить швидкодію SSSD, ним "
+"варто користуватися лише для тестування."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+"ЗАУВАЖЕННЯ: якщо для змінної середовища SSS_NSS_USE_MEMCACHE встановлено "
+"значення «NO», клієнтські програми не використовуватимуть fast у кеші у "
+"пам’яті."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr "user_attributes (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+"Деякі із додаткових запитів до відповідача NSS можуть повертати більшу "
+"кількість атрибутів, ніж це визначено POSIX для інтерфейсу NSS. Списком "
+"атрибутів можна керувати за допомогою цього параметра. Обробка виконується у "
+"той самий спосіб, що і для параметра «user_attributes» відповідача InfoPipe "
+"(див. <citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, щоб дізнатися більше), але без типових значень."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+"Щоб полегшити налаштовування відповідач NSS перевірятиме параметр InfoPipe "
+"на те, чи не встановлено його для відповідача NSS."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+"Типове значення: не встановлено, резервне значення визначається за "
+"параметром InfoPipe"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr "pwfield (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+"Значення, яке повертають операції NSS, які повертають записи користувачів чи "
+"груп, для поля <quote>password</quote>."
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr ""
+"Значення цього параметра можна встановлювати для кожного з доменів окремо."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+"Типове значення: <quote>*</quote> (віддалені домени) або <quote>x</quote> "
+"(файловий домен)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr "Параметри налаштування PAM"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+"Цими параметрами можна скористатися для налаштування служби Pluggable "
+"Authentication Module (PAM або блокового модуля розпізнавання)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr "offline_credentials_expiration (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+"У разі неможливості встановлення з’єднання з сервером розпізнавання визначає "
+"тривалість зберігання кешованих входів (у днях з часу останнього успішного "
+"входу до системи)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr "Типове значення: 0 (без обмежень)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr "offline_failed_login_attempts (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+"У разі неможливості встановлення з’єднання з сервером розпізнавання визначає "
+"дозволену кількість спроб входу з визначенням помилкового пароля."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr "offline_failed_login_delay (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+"Час у хвилинах, який має пройти між досягненням значення "
+"offline_failed_login_attempts і повторним вмиканням можливості входу до "
+"системи."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+"Якщо встановлено значення 0, користувач не зможе пройти розпізнавання у "
+"автономному режимі, якщо буде досягнуто значення "
+"offline_failed_login_attempts. Лише успішне розпізнавання може знову "
+"увімкнути можливість автономного розпізнавання."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr "Типове значення: 5"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr "pam_verbosity (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+"Керує типами повідомлень, які буде показано користувачеві під час "
+"розпізнавання. Чим більшим є значення, тим більше повідомлень буде показано."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr "У поточній версії sssd передбачено підтримку таких значень:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr "<emphasis>0</emphasis>: не показувати жодних повідомлень"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr "<emphasis>1</emphasis>: показувати лише важливі повідомлення"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr "<emphasis>2</emphasis>: показувати всі інформаційні повідомлення"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+"<emphasis>3</emphasis>: показувати всі повідомлення та діагностичні дані"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr "Типове значення: 1"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr "pam_response_filter (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+"Список рядків, відокремлених комами, за допомогою якого можна вилучати "
+"(фільтрувати) дані, які надсилаються відповідачем PAM до модуля PAM pam_sss. "
+"Існують різні тип відповідей, які надсилаються до pam_sss, наприклад "
+"повідомлення, які показуються користувачеві, або змінні середовища, які слід "
+"встановлювати за допомогою pam_sss."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+"Хоча повідомленнями вже можна керувати за допомогою параметра pam_verbosity, "
+"за допомогою цього параметра можна відфільтрувати також інші типи "
+"повідомлень."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr "ENV"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr "Не надсилати жодних змінних середовища до жодної служби."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr "ENV:назва_змінної"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr "Не надсилати змінної середовища назва_змінної до жодної служби."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr "ENV:назва_змінної:служба"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr "Не надсилати змінної середовища назва_змінної до вказаної служби."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"У поточній версії передбачено підтримку таких фільтрів: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr "Приклад: ENV:KRB5CCNAME:sudo-i"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr "pam_id_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+"Для кожного з запитів PAM під час роботи SSSD система SSSD зробить спробу "
+"негайно оновити кешовані дані щодо профілю користувача з метою переконатися, "
+"що розпізнавання виконується на основі найсвіжіших даних."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+"Повний обмін даними сеансу PAM може включати декілька запитів PAM, зокрема "
+"для керування обліковими записами та відкриття сеансів. За допомогою цього "
+"параметра можна керувати (для окремих клієнтів-програм) тривалістю (у "
+"секундах) кешування даних профілю з метою уникнути повторних викликів засобу "
+"надання даних профілів."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr "pam_pwd_expiration_warning (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr ""
+"Показати попередження за вказану кількість днів перед завершенням дії пароля."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+"Будь ласка, зауважте, що сервер обробки має надати дані щодо часу завершення "
+"дії пароля. Якщо ці дані не буде виявлено, sssd не зможе показати "
+"попередження."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+"Якщо встановлено нульове значення, цей фільтр не застосовуватиметься, тобто "
+"якщо з сервера обробки надійде попередження щодо завершення строку дії, його "
+"буде автоматично показано."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+"Цей параметр може бути перевизначено встановленням параметра "
+"<emphasis>pwd_expiration_warning</emphasis> для окремого домену."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr "Типове значення: 0"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr "pam_trusted_users (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. Users not "
+"included in this list can only access domains marked as public with "
+"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+"Визначає список відокремлених комами значень UID або імен користувачів, яким "
+"дозволено виконувати обмін даними PAM із довіреними доменами. Користувачі, "
+"яких не включено до цього списку, можуть отримувати доступ лише до доменів, "
+"які позначено як загальнодоступні (public) за допомогою "
+"<quote>pam_public_domains</quote>. Імена користувачів перетворюються на UID "
+"під час запуску системи."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1249
+msgid "Default: All users are considered trusted by default"
+msgstr ""
+"Типове значення: типово усі користувачі вважаються надійними (довіреними)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1253
+msgid ""
+"Please note that UID 0 is always allowed to access the PAM responder even in "
+"case it is not in the pam_trusted_users list."
+msgstr ""
+"Будь ласка, зауважте, що користувачеві з UID 0 завжди мають доступ до "
+"відповідача PAM, навіть якщо користувача немає у списку pam_trusted_users."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1260
+msgid "pam_public_domains (string)"
+msgstr "pam_public_domains (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1263
+msgid ""
+"Specifies the comma-separated list of domain names that are accessible even "
+"to untrusted users."
+msgstr ""
+"Визначає список назв доменів, відокремлених комами, доступ до яких можуть "
+"отримувати навіть ненадійні користувачі."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1267
+msgid "Two special values for pam_public_domains option are defined:"
+msgstr "Визначено два спеціальних значення параметра pam_public_domains:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1271
+msgid ""
+"all (Untrusted users are allowed to access all domains in PAM responder.)"
+msgstr ""
+"all (Ненадійним користувачам відкрито доступ до усіх доменів у відповідачі "
+"PAM.)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1275
+msgid ""
+"none (Untrusted users are not allowed to access any domains PAM in "
+"responder.)"
+msgstr ""
+"none (Ненадійним користувачам заборонено доступ до усіх доменів PAM у "
+"відповідачі.)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323
+#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979
+msgid "Default: none"
+msgstr "Типове значення: none"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1284
+msgid "pam_account_expired_message (string)"
+msgstr "pam_account_expired_message (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" +"Надає змогу встановити нетипове повідомлення щодо завершення строку дії, яке " +"замінити типове повідомлення «Доступ заборонено» («Permission denied»)." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" +"Зауваження: будь ласка, зверніть увагу на те, що повідомлення буде виведено " +"для служби SSH, лише якщо pam_verbosity не встановлено у значення 3 " +"(показувати усі повідомлення і діагностичні дані)." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "pam_account_locked_message (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" +"Надає змогу встановити нетипове повідомлення щодо блокування, яке замінити " +"типове повідомлення «Доступ заборонено» («Permission denied»)." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "pam_cert_auth (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" +"Увімкнути сертифікацію на основі розпізнавання за смарткартками. Оскільки це " +"потребує додаткового обміну даним із смарткарткою, що затримує процес " +"розпізнавання, типово таку сертифікацію вимкнено." + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "Типове значення: False" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "pam_cert_db_path (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." 
+msgstr ""
+"Шлях до бази даних сертифікатів, яка містить модулі PKCS#11 для доступу до "
+"смарткартки."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default:"
+msgstr "Типове значення: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536
+#, fuzzy
+#| msgid "Default: /etc/pki/nssdb (NSS version)"
+msgid "/etc/pki/nssdb (NSS version, path to a NSS database)"
+msgstr "Типове значення: /etc/pki/nssdb (версія NSS)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539
+msgid ""
+"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with "
+"trusted CA certificates in PEM format)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546
+msgid "This man page was generated for the NSS version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549
+msgid "This man page was generated for the OpenSSL version."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1369
+msgid "p11_child_timeout (integer)"
+msgstr "p11_child_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1372
+msgid "How many seconds will pam_sss wait for p11_child to finish."
+msgstr ""
+"Час у секундах, протягом якого pam_sss очікуватиме на завершення роботи "
+"p11_child."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1381
+msgid "pam_app_services (string)"
+msgstr "pam_app_services (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1384
+msgid ""
+"Which PAM services are permitted to contact domains of type "
+"<quote>application</quote>"
+msgstr ""
+"Визначає, яким службам PAM дозволено встановлювати з'єднання із доменами "
+"типу <quote>application</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1397
+msgid "SUDO configuration options"
+msgstr "Параметри налаштування SUDO"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1399
+msgid ""
+"These options can be used to configure the sudo service. The detailed "
+"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
+"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Цими параметрами можна скористатися для налаштовування служби sudo. Докладні "
+"настанови щодо налаштовування <citerefentry> <refentrytitle>sudo</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> на роботу з "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> можна знайти на сторінці довідника <citerefentry> "
+"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1416
+msgid "sudo_timed (bool)"
+msgstr "sudo_timed (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1419
+msgid ""
+"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
+"that implement time-dependent sudoers entries."
+msgstr ""
+"Визначає, чи слід обробляти атрибути sudoNotBefore і sudoNotAfter, "
+"призначені для визначення часових обмежень для записів sudoers."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1431
+msgid "sudo_threshold (integer)"
+msgstr "sudo_threshold (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1434
+msgid ""
+"Maximum number of expired rules that can be refreshed at once. If number of "
+"expired rules is below threshold, those rules are refreshed with "
+"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
+"<quote>full refresh</quote> of sudo rules is triggered instead. This "
+"threshold number also applies to IPA sudo command and command group searches."
+msgstr ""
+"Максимальна кількість застарілих правил, які можна оновлювати за один крок. "
+"Якщо кількість застарілих правил є нижчою за це порогове значення, правила "
+"буде оновлено за допомогою механізму <quote>rules refresh</quote>. Якщо "
+"порогове значення перевищено, замість нього буде використано <quote>full "
+"refresh</quote> з правил sudo. Це порогове значення також стосується команди "
+"sudo IPA та групових пошуків команд."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1453
+msgid "AUTOFS configuration options"
+msgstr "Параметри налаштування AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1455
+msgid "These options can be used to configure the autofs service."
+msgstr "Цими параметрами можна скористатися для налаштування служби autofs."
+ +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "autofs_negative_timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" +"Визначає кількість секунд, протягом яких відповідач autofs має кешувати " +"негативні результати пошуку у кеші (тобто запити щодо некоректних записів у " +"базі даних, зокрема неіснуючих) перед повторним запитом до сервера обробки." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "Параметри налаштувань SSH" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "Цими параметрами можна скористатися для налаштування служби SSH." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "ssh_hash_known_hosts (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" +"Чи слід хешувати назви та адреси вузлів у керованому файлі known_hosts." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "ssh_known_hosts_timeout (ціле число)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" +"Кількість секунд, протягом яких запису вузла зберігатиметься у керованому " +"файлі known_hosts після надсилання запиту щодо ключів вузла." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "Типове значення: 180" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +#, fuzzy +#| msgid "ldap_user_certificate (string)" +msgid "ssh_use_certificate_keys (bool)" +msgstr "ldap_user_certificate (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +#, fuzzy +#| msgid "" +#| "The skeleton directory, which contains files and directories to be copied " +#| "in the user's home directory, when the home directory is created by " +#| "<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +#| "manvolnum> </citerefentry>" +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" +"Каркасний каталог, який містить файли і каталоги, які буде скопійовано до " +"домашнього каталогу користувача, коли такий домашній каталог створюється " +"командою <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "ca_db (рядок)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" +"Шлях до сховища довірених сертифікатів CA. Параметр використовується для " +"перевірки сертифікатів користувачів до отримання з них відкритих ключів ssh." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "Параметри налаштування відповідача PAC" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" +"Відповідач PAC працює разом з додатком даних уповноваження для " +"sssd_pac_plugin.so зі складу MIT Kerberos та засобу надання даних " +"піддоменів. Цей додаток надсилає до відповідача PAC дані PAC під час " +"розпізнавання за допомогою GSSAPI. Засіб надання даних піддоменів збирає " +"дані щодо діапазонів SID і ID домену, до якого долучено клієнт, та " +"віддалених надійних доменів з локального контролера доменів. Якщо PAC " +"декодовано і визначено, виконуються деякі з таких дій:" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" +"Якщо у кеші немає даних віддаленого користувача, запис цих даних буде " +"створено. UID буде визначено за допомогою SID, надійні домени матимуть UPG, " +"а gid матиме те саме значення, що і UID. Дані домашнього каталогу буде " +"засновано на значенні параметра subdomain_homedir. Типово, для командної " +"оболонки буде вибрано порожнє значення, тобто використовуватимуться типові " +"параметри системи. Значення для оболонки можна змінити за допомогою " +"параметра default_shell." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" +"Якщо існують SID груп з доменів, про які відомо SSSD, запис користувача буде " +"додано до цих груп." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" +"Цими параметрами можна скористатися для налаштовування відповідача PAC." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "allowed_uids (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" +"Визначає список значень UID або імен користувачів, відокремлених комами. " +"Користувачам з цього списку буде дозволено доступ до відповідача PAC. UID за " +"іменами користувачів визначатимуться під час запуску." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" +"Типове значення: 0 (доступ до відповідача PAC має лише адміністративний " +"користувач (root))" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" +"Будь ласка, зауважте, що хоча типово використовується UID 0, значення UID " +"буде перевизначено на основі цього параметра. Якщо ви хочете надати " +"адміністративному користувачеві (root) доступ до відповідача PAC, що може " +"бути типовим варіантом, вам слід додати до списку UID з правами доступу " +"запис 0." + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "pac_lifetime (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. 
As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" +"Строк дії запису PAC у секундах. Якщо PAC є чинним, дані PAC можна " +"використовувати для визначення членства користувача у групі." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "Параметри налаштовування запису сеансів" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" +"Запис сеансів працює у зв'язці з <citerefentry> <refentrytitle>tlog-rec-" +"session</refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, частиною " +"пакунка tlog, для запису даних, які бачать і вводять користувачі після входу " +"до текстового термінала. Див. також <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "Цими параметрами можна скористатися для налаштовування запису сеансів." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "scope (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "\"none\"" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "Користувачі не записуються." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "\"some\"" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" +"Запис вестиметься для користувачів і груп, вказаних параметрами " +"<replaceable>користувачі</replaceable> і <replaceable>групи</replaceable>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "\"all\"" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "Усі користувачі записуються." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Один із вказаних нижче рядків, що визначають область запису сеансів: " +"<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "Типове значення: none" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "users (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" +"Список відокремлених комами записів користувачів, для яких увімкнено " +"записування сеансів. Належність до списку визначатиметься за іменами, " +"повернутими NSS, тобто після можливих замін пробілів, змін регістру символів " +"тощо." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "Типове значення: порожнє. Не відповідає жодному користувачу." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "groups (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" +"Список відокремлених комами записів груп, для користувачів яких буде " +"увімкнено записування сеансів. Належність до списку визначатиметься за " +"назвами, повернутими NSS, тобто після можливих замін пробілів, змін регістру " +"символів тощо." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" +"Зауваження: використання цього параметра (встановлення для нього будь-якого " +"значення) значно впливає на швидкодію, оскільки некешований запит щодо " +"користувача потребує отримання і встановлення відповідності груп, до яких " +"належить користувач." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "Типове значення: порожнє. Не відповідає жодній групі." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "РОЗДІЛИ ДОМЕНІВ" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "domain_type (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" +"Визначає, чи призначено домен для використання клієнтами у стандарті POSIX, " +"зокрема NSS, або програмами, які не потребують наявності або створення даних " +"POSIX. Інтерфейсам та інструментам операційних систем доступні лише об'єкти " +"з доменів POSIX." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" +"Дозволеними значеннями цього параметра є <quote>posix</quote> і " +"<quote>application</quote>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" +"Домени POSIX доступні для усіх служб. Домени програм доступні лише з " +"відповідача InfoPipe (див. <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) і відповідача PAM." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." 
+msgstr ""
+"ЗАУВАЖЕННЯ: належне тестування у поточній версії виконано лише для доменів "
+"application з <quote>id_provider=ldap</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1759
+msgid ""
+"For an easy way to configure a non-POSIX domains, please see the "
+"<quote>Application domains</quote> section."
+msgstr ""
+"Щоб ознайомитися із простим способом налаштовування не-POSIX доменів, будь "
+"ласка, ознайомтеся із розділом <quote>Домени програм</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1763
+msgid "Default: posix"
+msgstr "Типове значення: posix"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1769
+msgid "min_id,max_id (integer)"
+msgstr "min_id,max_id (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1772
+msgid ""
+"UID and GID limits for the domain. If a domain contains an entry that is "
+"outside these limits, it is ignored."
+msgstr ""
+"Обмеження UID і GID для домену. Якщо у домені міститься запис, що не "
+"відповідає цим обмеженням, його буде проігноровано."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1777
+msgid ""
+"For users, this affects the primary GID limit. The user will not be returned "
+"to NSS if either the UID or the primary GID is outside the range. For non-"
+"primary group memberships, those that are in range will be reported as "
+"expected."
+msgstr ""
+"Для користувачів зміна цього параметра вплине на основне обмеження GID. "
+"Запис користувача не буде повернуто до NSS, якщо UID або основний GID не "
+"належать вказаному діапазону. 
Записи користувачів, які не є учасниками "
+"основної групи і належать діапазону, буде виведено у звичайному режимі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1784
+msgid ""
+"These ID limits affect even saving entries to cache, not only returning them "
+"by name or ID."
+msgstr ""
+"Ці обмеження на ідентифікатори стосуються і збереження записів до кешу, не "
+"лише повернення записів за назвою або ідентифікатором."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1788
+msgid "Default: 1 for min_id, 0 (no limit) for max_id"
+msgstr "Типові значення: 1 для min_id, 0 (без обмежень) для max_id"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1794
+msgid "enumerate (bool)"
+msgstr "enumerate (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1797
+msgid ""
+"Determines if a domain can be enumerated, that is, whether the domain can "
+"list all the users and group it contains. Note that it is not required to "
+"enable enumeration in order for secondary groups to be displayed. This "
+"parameter can have one of the following values:"
+msgstr ""
+"Визначає, чи можна нумерувати домен, тобто, чи може домен створити список "
+"усіх користувачів і груп, які у ньому містяться. Зауважте, що вмикання "
+"нумерування не є обов'язковим для показу вторинних груп. Цей параметр може "
+"мати такі значення:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1805
+msgid "TRUE = Users and groups are enumerated"
+msgstr "TRUE = користувачі і групи нумеруються"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1808
+msgid "FALSE = No enumerations for this domain"
+msgstr "FALSE = не використовувати нумерацію для цього домену"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208
+msgid "Default: FALSE"
+msgstr "Типове значення: FALSE"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1814
+msgid ""
+"Enumerating a domain requires SSSD to download and store ALL user and group "
+"entries from the remote server."
+msgstr ""
+"Нумерування домену потребує від SSSD отримання і зберігання усіх записів "
+"користувачів і груп із віддаленого сервера."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1819
+msgid ""
+"Note: Enabling enumeration has a moderate performance impact on SSSD while "
+"enumeration is running. It may take up to several minutes after SSSD startup "
+"to fully complete enumerations. During this time, individual requests for "
+"information will go directly to LDAP, though it may be slow, due to the "
+"heavy enumeration processing. Saving a large number of entries to cache "
+"after the enumeration completes might also be CPU intensive as the "
+"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
+"quote> process becoming unresponsive or even restarted by the internal "
+"watchdog."
+msgstr ""
+"Зауваження: вмикання нумерації помірно знизить швидкодію SSSD на час "
+"виконання нумерації. Нумерація може тривати до декількох хвилин після "
+"запуску SSSD. Протягом виконання нумерації окремі запити щодо даних буде "
+"надіслано безпосередньо до LDAP, хоча і з уповільненням через навантаження "
+"системи виконанням нумерації. 
Збереження великої кількості записів до кешу "
+"після завершення нумерації може також значно навантажити процесор, оскільки "
+"повторне визначення параметрів участі також іноді є складним завданням. Це "
+"може призвести до проблем із отриманням відповіді від процесу "
+"<quote>sssd_be</quote> або навіть перезапуску усього засобу стеження."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1834
+msgid ""
+"While the first enumeration is running, requests for the complete user or "
+"group lists may return no results until it completes."
+msgstr ""
+"Під час першого виконання нумерації запити щодо повних списків користувачів "
+"та груп можуть не повертати жодних результатів, аж доки нумерацію не буде "
+"завершено."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1839
+msgid ""
+"Further, enabling enumeration may increase the time necessary to detect "
+"network disconnection, as longer timeouts are required to ensure that "
+"enumeration lookups are completed successfully. For more information, refer "
+"to the man pages for the specific id_provider in use."
+msgstr ""
+"Крім того, вмикання нумерації може збільшити час, потрібний для виявлення "
+"того, що мережеве з’єднання розірвано, оскільки потрібне буде збільшення "
+"часу очікування для забезпечення успішного завершення пошуків нумерації. Щоб "
+"отримати додаткову інформацію, зверніться до сторінок довідника (man) "
+"відповідного використаного засобу обробки ідентифікаторів (id_provider)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1847
+msgid ""
+"For the reasons cited above, enabling enumeration is not recommended, "
+"especially in large environments."
+msgstr ""
+"З вказаних вище причин не рекомендуємо вам вмикати нумерацію, особливо у "
+"об’ємних середовищах."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1855
+msgid "subdomain_enumerate (string)"
+msgstr "subdomain_enumerate (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1862
+msgid "all"
+msgstr "all"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1863
+msgid "All discovered trusted domains will be enumerated"
+msgstr "Усі виявлені надійні домени буде пронумеровано"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1866
+msgid "none"
+msgstr "none"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1867
+msgid "No discovered trusted domains will be enumerated"
+msgstr "Нумерація виявлених надійних доменів не виконуватиметься"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1858
+msgid ""
+"Whether any of autodetected trusted domains should be enumerated. The "
+"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Optionally, a list of one or more domain names can enable enumeration just "
+"for these trusted domains."
+msgstr ""
+"Визначає, чи слід нумерувати усі автоматично виявлені надійні (довірені) "
+"домени. Підтримувані значення: <placeholder type=\"variablelist\" id=\"0\"/> "
+"Якщо потрібно, можна вказати список з однієї або декількох назв надійних "
+"доменів, для яких буде увімкнено нумерацію."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1881
+msgid "entry_cache_timeout (integer)"
+msgstr "entry_cache_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1884
+msgid ""
+"How many seconds should nss_sss consider entries valid before asking the "
+"backend again"
+msgstr ""
+"Кількість секунд, протягом яких nss_sss вважатиме записи чинними, перш ніж "
+"надсилати повторний запит до сервера"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1888
+msgid ""
+"The cache expiration timestamps are stored as attributes of individual "
+"objects in the cache. Therefore, changing the cache timeout only has effect "
+"for newly added or expired entries. You should run the <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> tool in order to force refresh of entries that have already "
+"been cached."
+msgstr ""
+"Дані щодо часових позначок завершення строку дії записів кешу зберігаються "
+"як атрибути окремих об’єктів у кеші. Тому зміна часу очікування на дані у "
+"кеші впливає лише на нові записи та записи, строк дії яких вичерпано. Для "
+"примусового оновлення записів, які вже було кешовано, вам слід запустити "
+"програму <citerefentry> <refentrytitle>sss_cache</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1901
+msgid "Default: 5400"
+msgstr "Типове значення: 5400"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1907
+msgid "entry_cache_user_timeout (integer)"
+msgstr "entry_cache_user_timeout (ціле число)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1910
+msgid ""
+"How many seconds should nss_sss consider user entries valid before asking "
+"the backend again"
+msgstr ""
+"Кількість секунд, протягом яких nss_sss вважатиме записи користувачів "
+"чинними, перш ніж надсилати повторний запит до сервера"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940
+#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980
+#: sssd.conf.5.xml:1994
+msgid "Default: entry_cache_timeout"
+msgstr "Типове значення: entry_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1920
+msgid "entry_cache_group_timeout (integer)"
+msgstr "entry_cache_group_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1923
+msgid ""
+"How many seconds should nss_sss consider group entries valid before asking "
+"the backend again"
+msgstr ""
+"Кількість секунд, протягом яких nss_sss вважатиме записи груп чинними, перш "
+"ніж надсилати повторний запит до сервера"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1933
+msgid "entry_cache_netgroup_timeout (integer)"
+msgstr "entry_cache_netgroup_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1936
+msgid ""
+"How many seconds should nss_sss consider netgroup entries valid before "
+"asking the backend again"
+msgstr ""
+"Кількість секунд, протягом яких nss_sss вважатиме записи мережевих груп "
+"чинними, перш ніж надсилати повторний запит до сервера"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1946
+msgid "entry_cache_service_timeout (integer)"
+msgstr "entry_cache_service_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1949
+msgid ""
+"How many seconds should nss_sss consider service entries valid before asking "
+"the backend again"
+msgstr ""
+"Кількість секунд, протягом яких nss_sss вважатиме записи служб чинними, перш "
+"ніж надсилати повторний запит до сервера"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1959
+msgid "entry_cache_sudo_timeout (integer)"
+msgstr "entry_cache_sudo_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1962
+msgid ""
+"How many seconds should sudo consider rules valid before asking the backend "
+"again"
+msgstr ""
+"Кількість секунд, протягом яких sudo вважатиме правила чинними, перш ніж "
+"надсилати повторний запит до сервера"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1972
+msgid "entry_cache_autofs_timeout (integer)"
+msgstr "entry_cache_autofs_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1975
+msgid ""
+"How many seconds should the autofs service consider automounter maps valid "
+"before asking the backend again"
+msgstr ""
+"Кількість секунд, протягом яких служба autofs вважатиме карти автомонтування "
+"чинними, перш ніж надсилати повторний запит до сервера"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1986
+msgid "entry_cache_ssh_host_timeout (integer)"
+msgstr "entry_cache_ssh_host_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1989
+msgid ""
+"How many seconds to keep a host ssh key after refresh. IE how long to cache "
+"the host key for."
+msgstr ""
+"Кількість секунд, протягом яких слід зберігати ключ ssh вузла після "
+"оновлення. Іншими словами, параметр визначає тривалість зберігання ключа "
+"вузла у кеші."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2000
+msgid "refresh_expired_interval (integer)"
+msgstr "refresh_expired_interval (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2003
+msgid ""
+"Specifies how many seconds SSSD has to wait before triggering a background "
+"refresh task which will refresh all expired or nearly expired records."
+msgstr ""
+"Визначає кількість секунд, протягом яких SSSD має очікувати до запуску "
+"завдання з оновлення у фоновому режимі записів кешу, строк дії яких "
+"вичерпано або майже вичерпано."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2008
+msgid ""
+"The background refresh will process users, groups and netgroups in the cache."
+msgstr ""
+"Під час фонового оновлення виконуватиметься обробка записів користувачів, "
+"груп та мережевих груп у кеші."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2012
+msgid "You can consider setting this value to 3/4 * entry_cache_timeout."
+msgstr ""
+"Варто визначити для цього параметра значення 3/4 * entry_cache_timeout."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
+msgid "Default: 0 (disabled)"
+msgstr "Типове значення: 0 (вимкнено)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2022
+msgid "cache_credentials (bool)"
+msgstr "cache_credentials (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2025
+msgid "Determines if user credentials are also cached in the local LDB cache"
+msgstr ""
+"Визначає, чи слід також кешувати реєстраційні дані користувача у локальному "
+"кеші LDB"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2029
+msgid "User credentials are stored in a SHA512 hash, not in plaintext"
+msgstr ""
+"Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у "
+"форматі звичайного тексту"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2039
+msgid "cache_credentials_minimal_first_factor_length (int)"
+msgstr "cache_credentials_minimal_first_factor_length (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2042
+msgid ""
+"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
+"this value determines the minimal length the first authentication factor "
+"(long term password) must have to be saved as SHA512 hash into the cache."
+msgstr ""
+"Якщо використано двофакторне розпізнавання (2FA) і реєстраційні дані мають "
+"зберігатися, це значення визначає мінімальну довжину першого фактора "
+"розпізнавання (довготривалого пароля), який має бути збережено у форматі "
+"контрольної суми SHA512 у кеші."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2049
+msgid ""
+"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
+"the cache which would make them easy targets for brute-force attacks."
+msgstr ""
+"Таким чином забезпечується уникнення випадку, коли короткі PIN-коди "
+"заснованої на PIN-кодах схеми 2FA зберігаються у кеші, що робить їх простою "
+"мішенню атак із перебиранням паролів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2054
+msgid "Default: 8"
+msgstr "Типове значення: 8"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2060
+msgid "account_cache_expiration (integer)"
+msgstr "account_cache_expiration (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2063
+msgid ""
+"Number of days entries are left in cache after last successful login before "
+"being removed during a cleanup of the cache. 0 means keep forever. The "
+"value of this parameter must be greater than or equal to "
+"offline_credentials_expiration."
+msgstr ""
+"Кількість днів, протягом яких записи залишатимуться у кеші після успішного "
+"входу до системи до вилучення під час спорожнення кешу. 0 — не вилучати "
+"записи. Значення цього параметра має бути більшим або рівним значенню "
+"offline_credentials_expiration."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2070
+msgid "Default: 0 (unlimited)"
+msgstr "Типове значення: 0 (без обмежень)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2075
+msgid "pwd_expiration_warning (integer)"
+msgstr "pwd_expiration_warning (ціле число)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2086
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning. Also an auth provider has to be configured for the "
+"backend."
+msgstr ""
+"Будь ласка, зауважте, що сервер обробки має надати дані щодо часу завершення "
+"дії пароля. Якщо ці дані не буде виявлено, sssd не зможе показати "
+"попередження. Крім того для цього сервера може бути вказано службу надання "
+"даних розпізнавання."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2093
+msgid "Default: 7 (Kerberos), 0 (LDAP)"
+msgstr "Типове значення: 7 (Kerberos), 0 (LDAP)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2099
+msgid "id_provider (string)"
+msgstr "id_provider (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2102
+msgid ""
+"The identification provider used for the domain. Supported ID providers are:"
+msgstr ""
+"Засіб надання даних ідентифікації, який використовується для цього домену. "
+"Серед підтримуваних засобів такі:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2106
+#, fuzzy
+#| msgid "<quote>proxy</quote>: Support a legacy NSS provider"
+msgid "<quote>proxy</quote>: Support a legacy NSS provider."
+msgstr "«proxy»: підтримка застарілого модуля надання даних NSS"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2109
+#, fuzzy
+#| msgid "<quote>local</quote>: SSSD internal provider for local users"
+msgid ""
+"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)."
+msgstr "<quote>local</quote>: вбудований засіб SSSD для локальних користувачів"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2113
+#, fuzzy
+#| msgid ""
+#| "<quote>ldap</quote>: LDAP provider. See <citerefentry> "
+#| "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+#| "citerefentry> for more information on configuring LDAP."
+msgid ""
+"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-"
+"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on how to mirror local users and groups into SSSD."
+msgstr ""
+"<quote>ldap</quote>: засіб LDAP. Докладніше про налаштовування LDAP можна "
+"дізнатися з довідки до <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2121
+msgid ""
+"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
+"information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote>: засіб LDAP. Докладніше про налаштовування LDAP можна "
+"дізнатися з довідки до <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289
+#: sssd.conf.5.xml:2352
+msgid ""
+"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
+"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
+"FreeIPA."
+msgstr ""
+"<quote>ipa</quote>: засіб FreeIPA та керування профілями Red Hat Enterprise. "
+"Докладніші відомості щодо налаштовування IPA викладено у довіднику з "
+"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum></"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298
+#: sssd.conf.5.xml:2361
+msgid ""
+"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Active Directory."
+msgstr ""
+"<quote>ad</quote>: засіб Active Directory. Докладніші відомості щодо "
+"налаштовування Active Directory викладено у довіднику з <citerefentry> "
+"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2149
+msgid "use_fully_qualified_names (bool)"
+msgstr "use_fully_qualified_names (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2152
+msgid ""
+"Use the full name and domain (as formatted by the domain's full_name_format) "
+"as the user's login name reported to NSS."
+msgstr ""
+"Використовувати ім’я та домен повністю (у форматі, визначеному "
+"full_name_format домену) як ім’я користувача у системі, що повідомляється "
+"NSS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2157
+msgid ""
+"If set to TRUE, all requests to this domain must use fully qualified names. "
+"For example, if used in LOCAL domain that contains a \"test\" user, "
+"<command>getent passwd test</command> wouldn't find the user while "
+"<command>getent passwd test@LOCAL</command> would."
+msgstr ""
+"Якщо встановлено значення TRUE, всі запити до цього домену мають "
+"використовувати повні назви. Наприклад, якщо використано домен LOCAL, який "
+"містить запис користувача «test» user, <command>getent passwd test</command> "
+"не покаже користувача, а <command>getent passwd test@LOCAL</command> покаже."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2165
+msgid ""
+"NOTE: This option has no effect on netgroup lookups due to their tendency to "
+"include nested netgroups without qualified names. For netgroups, all domains "
+"will be searched when an unqualified name is requested."
+msgstr ""
+"ЗАУВАЖЕННЯ: цей параметр не впливатиме на пошук у мережевих групах через "
+"тенденцію до включення до таких груп вкладених мережевих груп. Для мережевих "
+"груп, якщо задано неповну назву, буде виконано пошук у всіх доменах."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2172
+msgid "Default: FALSE (TRUE if default_domain_suffix is used)"
+msgstr "Типове значення: FALSE (TRUE, якщо використано default_domain_suffix)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2178
+msgid "ignore_group_members (bool)"
+msgstr "ignore_group_members (булеве значення)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2181
+msgid "Do not return group members for group lookups."
+msgstr "Не повертати записи учасників груп для пошуків груп."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2184
+msgid ""
+"If set to TRUE, the group membership attribute is not requested from the "
+"ldap server, and group members are not returned when processing group lookup "
+"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
+"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
+"return the requested group as if it was empty."
+msgstr ""
+"Якщо встановлено значення TRUE, сервер LDAP не запитуватиме дані щодо "
+"атрибутів участі у групах, а списки учасників груп не повертаються під час "
+"обробки запитів щодо пошуку груп, зокрема <citerefentry> "
+"<refentrytitle>getgrnam</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry> або <citerefentry> <refentrytitle>getgrgid</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry>. Отже, <quote>getent group "
+"$groupname</quote> поверне запитану групу так, наче вона була порожня."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2202
+msgid ""
+"Enabling this option can also make access provider checks for group "
+"membership significantly faster, especially for groups containing many "
+"members."
+msgstr ""
+"Вмикання цього параметра може також значно пришвидшити перевірки засобу "
+"надання доступу для участі у групі, особливо для груп, у яких багато "
+"учасників."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2213
+msgid "auth_provider (string)"
+msgstr "auth_provider (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2216
+msgid ""
+"The authentication provider used for the domain. Supported auth providers "
+"are:"
+msgstr ""
+"Служба розпізнавання, яку використано для цього домену. Серед підтримуваних "
+"служб розпізнавання:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282
+msgid ""
+"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring LDAP."
+msgstr ""
+"<quote>ldap</quote> — вбудоване розпізнавання LDAP. Докладніші відомості "
+"щодо налаштовування LDAP викладено у довіднику з <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2227
+msgid ""
+"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more information on configuring Kerberos."
+msgstr ""
+"<quote>krb5</quote> — вбудоване розпізнавання Kerberos. Докладніші відомості "
+"щодо налаштовування Kerberos викладено у довіднику з <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum></manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2251
+msgid ""
+"<quote>proxy</quote> for relaying authentication to some other PAM target."
+msgstr "<quote>proxy</quote> — трансльоване розпізнавання у іншій системі PAM." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "<quote>local</quote>: вбудований засіб SSSD для локальних користувачів" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "<quote>none</quote> — вимкнути розпізнавання повністю." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" +"Типове значення: буде використано <quote>id_provider</quote>, якщо цей " +"спосіб встановлено і можлива обробка запитів щодо розпізнавання." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "access_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" +"Програма керування доступом для домену. Передбачено дві вбудованих програми " +"керування доступом (окрім всіх встановлених додаткових серверів). " +"Вбудованими програмами є:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." 
+msgstr "" +"<quote>permit</quote> дозволяти доступ завжди. Єдиний дозволений засіб " +"доступу для локального домену." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "<quote>deny</quote> — завжди забороняти доступ." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" +"<quote>simple</quote> — керування доступом на основі списків дозволу або " +"заборони. Докладніші відомості щодо налаштовування модуля доступу simple " +"можна знайти у довідці до <citerefentry> <refentrytitle>sssd-simple</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" +"<quote>krb5</quote> — керування доступом на основі .k5login. Докладніші " +"відомості щодо налаштовування Kerberos викладено у довіднику з " +"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum></" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" +"<quote>proxy</quote> — для трансляції керування доступом до іншого модуля " +"PAM." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "Типове значення: <quote>permit</quote>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "chpass_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. " +"Supported change password providers are:" +msgstr "" +"Система, яка має обробляти дії зі зміни паролів для домену. Передбачено " +"підтримку таких систем зміни паролів:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" +"<quote>ldap</quote> — змінити пароль, що зберігається на сервері LDAP. " +"Докладніші відомості щодо налаштовування LDAP викладено у довіднику з " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" +"<quote>krb5</quote> — змінити пароль Kerberos. 
Докладніші відомості щодо " +"налаштовування Kerberos викладено у довіднику з <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum></manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "<quote>proxy</quote> — трансльована зміна пароля у іншій системі PAM." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "<quote>none</quote> — явно вимкнути можливість зміни пароля." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" +"Типове значення: використовується «auth_provider», якщо встановлено значення " +"цього параметра і якщо система здатна обробляти запити щодо паролів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "sudo_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" +"Служба SUDO, яку використано для цього домену. Серед підтримуваних служб " +"SUDO:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." 
+msgstr "" +"<quote>ldap</quote> для правил, що зберігаються у LDAP. Докладніше про " +"налаштовування LDAP можна дізнатися з довідки до <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" +"<quote>ipa</quote> — те саме, що і <quote>ldap</quote>, але з типовими " +"параметрами IPA." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" +"<quote>ad</quote> — те саме, що і <quote>ldap</quote>, але з типовими " +"параметрами AD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "<quote>none</quote> явним чином вимикає SUDO." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" +"Типове значення: використовується значення <quote>id_provider</quote>, якщо " +"його встановлено." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. 
Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" +"З докладними настановами щодо налаштовування sudo_provider можна " +"ознайомитися за допомогою сторінки підручника (man) <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>. Передбачено доволі багато параметрів налаштовування, якими " +"можна скористатися для коригування поведінки програми. Докладніший опис " +"можна знайти у розділах щодо «ldap_sudo_*»\" у підручнику з <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" +"<emphasis>Зауваження:</emphasis> правила sudo періодично отримуються у " +"фоновому режимі, якщо постачальник даних sudo не вимкнено явним чином. " +"Встановіть значення <emphasis>sudo_provider = None</emphasis>, щоб вимкнути " +"усі дії, пов'язані із sudo у SSSD, якщо ви взагалі не хочете використовувати " +"sudo у SSSD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "selinux_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. 
Supported selinux " +"providers are:" +msgstr "" +"Засіб, який має відповідати за завантаження параметрів SELinux. Зауважте, що " +"цей засіб буде викликано одразу після завершення роботи служби надання " +"доступу. Передбачено підтримку таких засобів надання даних SELinux:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" +"<quote>ipa</quote> для завантаження параметрів selinux з сервера IPA. " +"Докладніші відомості щодо налаштовування IPA викладено у довіднику з " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" +"<quote>none</quote> явним чином забороняє отримання даних щодо параметрів " +"SELinux." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" +"Типове значення: буде використано <quote>id_provider</quote>, якщо цей " +"спосіб встановлено і можлива обробка запитів щодо завантаження SELinux." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "subdomains_provider (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" +"Засіб надання даних, який має обробляти отримання даних піддоменів. Це " +"значення має завжди збігатися зі значенням id_provider. Передбачено " +"підтримку таких засобів надання даних піддоменів:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" +"<quote>ipa</quote> для завантаження списку піддоменів з сервера IPA. " +"Докладніші відомості щодо налаштовування IPA викладено у довіднику з " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" +"«ad», з якої слід завантажувати список піддоменів з сервера Active " +"Directory. Див. <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися більше про " +"налаштовування засобу надання даних AD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." 
+msgstr "<quote>none</quote> забороняє ячним чином отримання даних піддоменів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "session_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" +"Постачальник даних, який налаштовує завдання, пов'язані із сеансами " +"користувачів, і керує ними. Єдиним завданням сеансів користувача у поточній " +"версії є інтеграція із Fleet Commander, який працює лише з IPA. Підтримувані " +"постачальники даних сеансів:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" +"<quote>ipa</quote>, щоб дозволити пов'язані із сеансами користувачів " +"завдання." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" +"<quote>none</quote> — не виконувати жодних пов'язаних із сеансами " +"користувачів завдань." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" +"Типове значення: використовується значення <quote>id_provider</quote>, якщо " +"його встановлено і дозволено виконувати пов'язані із сеансами завдання." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" +"<emphasis>Зауваження:</emphasis> щоб ця можливість працювала як слід, SSSD " +"має бути запущено від імені користувача root, а не якогось іншого " +"непривілейованого користувача." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "autofs_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" +"Служба autofs, яку використано для цього домену. Серед підтримуваних служб " +"autofs:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" +"<quote>ldap</quote> — завантажити карти, що зберігаються у LDAP. Докладніше " +"про налаштовування LDAP можна дізнатися з довідки до <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." 
+msgstr "" +"<quote>ipa</quote> — завантажити карти, що зберігається на сервері IPA. " +"Докладніші відомості щодо налаштовування IPA викладено у довіднику з " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum></" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" +"<quote>ad</quote> — завантажити карти, що зберігаються на сервері AD. Див. " +"<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, щоб дізнатися більше про налаштовування засобу " +"надання даних AD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "<quote>none</quote> вимикає autofs повністю." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "hostid_provider (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" +"Засіб надання даних, який використовується для отримання даних щодо профілю " +"вузла. Серед підтримуваних засобів надання hostid:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. 
See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" +"<quote>ipa</quote> — завантажити профіль системи, що зберігається на сервері " +"IPA. Докладніші відомості щодо налаштовування IPA викладено у довіднику з " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum></" +"manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "<quote>none</quote> вимикає hostid повністю." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" +"Формальний вираз для цього домену, який описує спосіб поділи рядка, що " +"містить ім’я користувача та назву домену на ці компоненти. «Домен» може " +"відповідати назві домену налаштувань SSSD або, у випадку піддоменів довіри " +"IPA та доменів Active Directory, простій назві (NetBIOS) домену." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" +"Типовий для засобів надання AD і IPA: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" 
+"P<name>[^@\\\\]+)$))</quote> За його допомогою можна визначати три " +"різні стилі запису імен користувачів:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "користувач" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "користувач@назва.домену" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "домен\\користувач" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" +"Перші два стилі відповідають загальним типовим стилям, а третій введено для " +"того, щоб полегшити інтеграцію користувачів з доменів Windows." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" +"Типове значення: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</" +"quote>, можна висловити так: іменем користувача є все до символу «@», назвою " +"домену — все після цього символу." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "Типове значення: <quote>%1$s@%2$s</quote>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "lookup_family_order (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" +"Надає можливість вибрати бажане сімейство адрес, яке слід використовувати " +"під час виконання пошуків у DNS." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "Передбачено підтримку таких значень:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" +"ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі " +"спробувати формат IPv6" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" +"ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" +"ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі " +"спробувати формат IPv4" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" +"ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "Типове значення: ipv4_first" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "dns_resolver_timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" +"Визначає кількість часу (у секундах) очікування відповіді від внутрішньої " +"служби перемикання на резервний ресурс, перш ніж службу буде визначено " +"недоступним. Якщо час очікування буде перевищено, домен продовжуватиме " +"роботу у автономному режимі." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" +"Будь ласка, ознайомтеся із розділом <quote>РЕЗЕРВ</quote>, щоб дізнатися " +"більше про розв'язування питань, пов'язаних із службами." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "Типове значення: 6" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "dns_discovery_domain (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" +"Якщо у модулі обробки використовується визначення служб, вказує доменну " +"частину запиту визначення служб DNS." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" +"Типова поведінка: використовувати назву домену з назви вузла комп’ютера." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "override_gid (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "Замірити значення основного GID на вказане." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "case_sensitive (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "True" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" +"Враховується регістр. Це значення є некоректним для засобу надання даних AD." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "False" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "Без врахування регістру." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "Preserving" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" +"Те саме, що і False (без врахування регістру символів), але без переведення " +"у нижній регістр імен у результатах дій NSS. 
Зауважте, що альтернативні "
+"імена (у випадку служб також назви протоколів) у виведених даних все одно "
+"буде переведено у нижній регістр."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2765
+msgid ""
+"Treat user and group names as case sensitive. At the moment, this option is "
+"not supported in the local provider. Possible option values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Враховувати регістр записів імен користувачів та назв груп. У поточній "
+"версії підтримку передбачено лише для локальних надавачів даних. Можливі "
+"значення параметра: <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2800
+msgid "Default: True (False for AD provider)"
+msgstr "Типове значення: True (False для засобу надання даних AD)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2806
+msgid "subdomain_inherit (string)"
+msgstr "subdomain_inherit (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2809
+msgid ""
+"Specifies a list of configuration parameters that should be inherited by a "
+"subdomain. Please note that only selected parameters can be inherited. "
+"Currently the following options can be inherited:"
+msgstr ""
+"Визначає список параметрів налаштування, які слід успадковувати для "
+"піддомену. Будь ласка, зауважте, що успадковуватимуться лише вказані "
+"параметри. У поточній версії передбачено можливість успадковування таких "
+"параметрів:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2815
+msgid "ignore_group_members"
+msgstr "ignore_group_members"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2818
+msgid "ldap_purge_cache_timeout"
+msgstr "ldap_purge_cache_timeout"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120
+msgid "ldap_use_tokengroups"
+msgstr "ldap_use_tokengroups"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2824
+msgid "ldap_user_principal"
+msgstr "ldap_user_principal"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2827
+msgid ""
+"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
+"is not set explicitly)"
+msgstr ""
+"ldap_krb5_keytab (значення krb5_keytab буде використано, якщо "
+"ldap_krb5_keytab не встановлено явним чином)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:2833
+#, no-wrap
+msgid ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+msgstr ""
+"subdomain_inherit = ldap_purge_cache_timeout\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448
+msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2840
+msgid "Note: This option only works with the IPA and AD provider."
+msgstr ""
+"Зауваження: цей параметр працює лише для засобів надання даних IPA і AD."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2847
+msgid "subdomain_homedir (string)"
+msgstr "subdomain_homedir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2858
+msgid "%F"
+msgstr "%F"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2859
+msgid "flat (NetBIOS) name of a subdomain."
+msgstr "спрощена (NetBIOS) назва піддомену."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2850
+msgid ""
+"Use this homedir as default value for all subdomains within this domain in "
+"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
+"possible values. In addition to those, the expansion below can only be used "
+"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Використовувати вказаний домашній каталог як типовий для всіх піддоменів у "
+"цьому домені у межах довіри AD IPA. Дані щодо можливих значень наведено у "
+"описі параметра <emphasis>override_homedir</emphasis>. Крім того, "
+"розгортання можна використовувати лише з <emphasis>subdomain_homedir</"
+"emphasis>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2864
+msgid ""
+"The value can be overridden by <emphasis>override_homedir</emphasis> option."
+msgstr ""
+"Це значення може бути перевизначено параметром <emphasis>override_homedir</"
+"emphasis>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2868
+msgid "Default: <filename>/home/%d/%u</filename>"
+msgstr "Типове значення: <filename>/home/%d/%u</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2873
+msgid "realmd_tags (string)"
+msgstr "realmd_tags (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2876
+msgid ""
+"Various tags stored by the realmd configuration service for this domain."
+msgstr ""
+"Різноманітні теґи, що зберігаються службою налаштовування realmd для цього "
+"домену."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2882
+msgid "cached_auth_timeout (int)"
+msgstr "cached_auth_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2885
+msgid ""
+"Specifies time in seconds since last successful online authentication for "
+"which user will be authenticated using cached credentials while SSSD is in "
+"the online mode."
+msgstr ""
+"Визначає час у секундах з моменту останнього успішного розпізнавання у "
+"мережі, для якого користувача буде розпізнано за допомогою кешованих "
+"реєстраційних даних, доки SSSD перебуває у режимі «у мережі»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2891
+msgid "Special value 0 implies that this feature is disabled."
+msgstr "Спеціальне значення 0 означає, що цю можливість вимкнено."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2895
+msgid ""
+"Please note that if <quote>cached_auth_timeout</quote> is longer than "
+"<quote>pam_id_timeout</quote> then the back end could be called to handle "
+"<quote>initgroups.</quote>"
+msgstr ""
+"Будь ласка, зауважте, що якщо <quote>cached_auth_timeout</quote> має більше "
+"значення за <quote>pam_id_timeout</quote>, модуль може бути викликано для "
+"обробки <quote>initgroups</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2906
+msgid "auto_private_groups (string)"
+msgstr "auto_private_groups (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2909
+msgid ""
+"If this option is enabled, SSSD will automatically create user private "
+"groups based on user's UID number. The GID number is ignored in this case."
+msgstr ""
+"Якщо увімкнено цей параметр, SSSD автоматично створюватиме приватні групи "
+"користувачів на основі номера UID користувача. Номер GID у цьому випадку "
+"ігноруватиметься."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2914
+msgid ""
+"For POSIX subdomains, setting the option in the main domain is inherited in "
+"the subdomain."
+msgstr ""
+"Для піддоменів POSIX встановлення для цього параметра значення головного "
+"домену успадковується у піддомені."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2918
+msgid ""
+"For ID-mapping subdomains, auto_private_groups is already enabled for the "
+"subdomains and setting it to false will not have any effect for the "
+"subdomain."
+msgstr ""
+"Для піддоменів із прив'язкою за ідентифікатором auto_private_groups вже "
+"увімкнено для піддоменів, встановлення для нього значення false ніяк не "
+"впливатиме на піддомен."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2923
+msgid ""
+"NOTE: Because the GID number and the user private group are inferred from "
+"the UID number, it is not supported to have multiple entries with the same "
+"UID or GID number with this option. In other words, enabling this option "
+"enforces uniqueness across the ID space."
+msgstr ""
+"Зауваження: оскільки номер GID і приватна група користувача успадковуються з "
+"номера UID, підтримки декількох записів із однаковим номером UID або GID у "
+"цьому параметрі не передбачено. Іншими словами, вмикання цього параметра "
+"примусово встановлює унікальність записів у просторі ідентифікаторів."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:1727
+msgid ""
+"These configuration options can be present in a domain configuration "
+"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Ці параметри налаштування може бути вказано у розділі налаштування домену, "
+"тобто у розділі з назвою <quote>[domain/<replaceable>НАЗВА</replaceable>]</"
+"quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2942
+msgid "proxy_pam_target (string)"
+msgstr "proxy_pam_target (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2945
+msgid "The proxy target PAM proxies to."
+msgstr "Комп’ютер, для якого виконує проксі-сервер PAM."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2948
+msgid ""
+"Default: not set by default, you have to take an existing pam configuration "
+"or create a new one and add the service name here."
+msgstr ""
+"Типове значення: типово не встановлено, вам слід скористатися вже створеними "
+"налаштуваннями pam або створити нові і тут додати назву служби."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2956
+msgid "proxy_lib_name (string)"
+msgstr "proxy_lib_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2959
+msgid ""
+"The name of the NSS library to use in proxy domains. The NSS functions "
+"searched for in the library are in the form of _nss_$(libName)_$(function), "
+"for example _nss_files_getpwent."
+msgstr ""
+"Назва бібліотеки NSS для використання у доменах з проксі-серверами. Функції "
+"NSS шукаються у бібліотеці у форматі _nss_$(назва_бібліотеки)_$(функція), "
+"наприклад _nss_files_getpwent."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2969
+msgid "proxy_fast_alias (boolean)"
+msgstr "proxy_fast_alias (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2972
+msgid ""
+"When a user or group is looked up by name in the proxy provider, a second "
+"lookup by ID is performed to \"canonicalize\" the name in case the requested "
+"name was an alias. Setting this option to true would cause the SSSD to "
+"perform the ID lookup from cache for performance reasons."
+msgstr ""
+"Під час пошуку запису користувача чи групи за назвою у системі надання даних "
+"переадресації виконується вторинний пошук за ідентифікатором з метою "
+"визначення «канонічної» форми назви, якщо результат знайдено за "
+"альтернативною назвою (псевдонімом). Встановлення для цього параметра "
+"значення «true» призведе до того, що SSSD виконуватиме пошук ідентифікатора "
+"у кеші, щоб пришвидшити надання результатів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:2986
+msgid "proxy_max_children (integer)"
+msgstr "proxy_max_children (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:2989
+msgid ""
+"This option specifies the number of pre-forked proxy children. It is useful "
+"for high-load SSSD environments where sssd may run out of available child "
+"slots, which would cause some issues due to the requests being queued."
+msgstr ""
+"Цей параметр визначає кількість попередньо розгалужених дочірніх проксі. Він "
+"корисний для високонавантажених середовищ SSSD, де sssd може вичерпати "
+"кількість доступних дочірніх слотів, що може спричинити деякі вади через "
+"використання черги запитів."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:2938
+msgid ""
+"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
+"\"0\"/>"
+msgstr ""
+"Параметри, які є чинними для доменів проксі. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3005
+msgid "Application domains"
+msgstr "Домени програм (application)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3007
+msgid ""
+"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
+"applications as a gateway to an LDAP directory where users and groups are "
+"stored. However, contrary to the traditional SSSD deployment where all users "
+"and groups either have POSIX attributes or those attributes can be inferred "
+"from the Windows SIDs, in many cases the users and groups in the application "
+"support scenario have no POSIX attributes. Instead of setting a "
+"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
+"administrator can set up an <quote>[application/<replaceable>NAME</"
+"replaceable>]</quote> section that internally represents a domain with type "
+"<quote>application</quote> optionally inherits settings from a tradition "
+"SSSD domain."
+msgstr ""
+"SSSD, з його інтерфейсом D-Bus (див. <citerefentry> <refentrytitle>sssd-ifp</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) є привабливим для "
+"програм як шлюз до каталогу LDAP, де зберігаються дані користувачів і груп. "
+"Втім, на відміну від традиційного формату роботи SSSD, де усі користувачі і "
+"групи або мають атрибути POSIX, або ці атрибути може бути успадковано з SID "
+"Windows, у багатьох випадках користувачі і групи у сценарії підтримки роботи "
+"програм не мають атрибутів POSIX. Замість визначення розділу <quote>[domain/"
+"<replaceable>НАЗВА</replaceable>]</quote> адміністратор може визначити "
+"розділ <quote>[application/<replaceable>НАЗВА</replaceable>]</quote>, який "
+"на внутрішньому рівні представляє домен типу <quote>application</quote>, "
+"який може успадковувати параметр з традиційного домену SSSD."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3027
+msgid ""
+"Please note that the application domain must still be explicitly enabled in "
+"the <quote>domains</quote> parameter so that the lookup order between the "
+"application domain and its POSIX sibling domain is set correctly."
+msgstr ""
+"Будь ласка, зауважте, що домен програм має так само явним чином увімкнено у "
+"параметрі <quote>domains</quote>, отже порядок пошуку між доменом програм і "
+"його доменом-близнюком у POSIX має бути встановлено належним чином."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:3033
+msgid "Application domain parameters"
+msgstr "Параметри доменів програм"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3035
+msgid "inherit_from (string)"
+msgstr "inherit_from (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3038
+msgid ""
+"The SSSD POSIX-type domain the application domain inherits all settings "
+"from. The application domain can moreover add its own settings to the "
+"application settings that augment or override the <quote>sibling</quote> "
+"domain settings."
+msgstr ""
+"Домен типу POSIX SSSD, з якого домен програм успадковує усі параметри. Далі, "
+"домен програм поже додавати власні параметри до параметрів програми, які "
+"розширюють або перевизначають параметри домену-<quote>близнюка</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3052
+msgid ""
+"The following example illustrates the use of an application domain. In this "
+"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
+"through the NSS responder. 
In addition, the application domain also requests "
+"the telephoneNumber attribute, stores it as the phone attribute in the cache "
+"and makes the phone attribute reachable through the D-Bus interface."
+msgstr ""
+"У наведеному нижче прикладі проілюстровано використання домену програм. У "
+"цій конфігурації домен POSIX з'єднано із сервером LDAP, він використовується "
+"операційною системою через відповідач NSS. Крім того, домен програм також "
+"надсилає запит щодо атрибута telephoneNumber, зберігає його як атрибут phone "
+"у кеші і робить атрибут phone доступним через інтерфейс D-Bus."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
+#: sssd.conf.5.xml:3060
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+msgstr ""
+"[sssd]\n"
+"domains = appdom, posixdom\n"
+"\n"
+"[ifp]\n"
+"user_attributes = +phone\n"
+"\n"
+"[domain/posixdom]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"[application/appdom]\n"
+"inherit_from = posixdom\n"
+"ldap_user_extra_attrs = phone:telephoneNumber\n"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:3078
+msgid "The local domain section"
+msgstr "Розділ локального домену"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:3080
+msgid ""
+"This section contains settings for domain that stores users and groups in "
+"SSSD native database, that is, a domain that uses "
+"<replaceable>id_provider=local</replaceable>."
+msgstr ""
+"У цьому розділі містяться параметри для домену, який зберігає записи "
+"користувачів і груп у вбудованій базі даних SSSD, тобто домену, який "
+"використовує <replaceable>id_provider=local</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3087
+msgid "default_shell (string)"
+msgstr "default_shell (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3090
+msgid "The default shell for users created with SSSD userspace tools."
+msgstr ""
+"Типова оболонка для записів користувачів, створених за допомогою "
+"інструментів простору користувачів SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3094
+msgid "Default: <filename>/bin/bash</filename>"
+msgstr "Типове значення: <filename>/bin/bash</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3099
+msgid "base_directory (string)"
+msgstr "base_directory (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3102
+msgid ""
+"The tools append the login name to <replaceable>base_directory</replaceable> "
+"and use that as the home directory."
+msgstr ""
+"Інструменти додають ім’я користувача до <replaceable>base_directory</"
+"replaceable> і використовують отриману адресу як адресу домашнього каталогу."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3107
+msgid "Default: <filename>/home</filename>"
+msgstr "Типове значення: <filename>/home</filename>"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3112
+msgid "create_homedir (bool)"
+msgstr "create_homedir (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3115
+msgid ""
+"Indicate if a home directory should be created by default for new users. "
+"Can be overridden on command line."
+msgstr ""
+"Визначає, чи слід типово створювати домашній каталог для нових користувачів. "
+"Може бути перевизначено з командного рядка."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131
+msgid "Default: TRUE"
+msgstr "Типове значення: TRUE"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3124
+msgid "remove_homedir (bool)"
+msgstr "remove_homedir (булівське значення)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3127
+msgid ""
+"Indicate if a home directory should be removed by default for deleted "
+"users. Can be overridden on command line."
+msgstr ""
+"Визначає, чи слід вилучати домашній каталог для вилучених записів "
+"користувачів. Може бути перевизначено з командного рядка."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3136
+msgid "homedir_umask (integer)"
+msgstr "homedir_umask (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3139
+msgid ""
+"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
+"on a newly created home directory."
+msgstr ""
+"Використовується <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> для визначення типових прав доступу "
+"до щойно створеного домашнього каталогу."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3147
+msgid "Default: 077"
+msgstr "Типове значення: 077"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3152
+msgid "skel_dir (string)"
+msgstr "skel_dir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3155
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>"
+msgstr ""
+"Каркасний каталог, який містить файли і каталоги, які буде скопійовано до "
+"домашнього каталогу користувача, коли такий домашній каталог створюється "
+"командою <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3165
+msgid "Default: <filename>/etc/skel</filename>"
+msgstr "Типове значення: <filename>/etc/skel</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3170
+msgid "mail_dir (string)"
+msgstr "mail_dir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3173
+msgid ""
+"The mail spool directory. This is needed to manipulate the mailbox when its "
+"corresponding user account is modified or deleted. 
If not specified, a "
+"default value is used."
+msgstr ""
+"Каталог буфера пошти. Цей каталог потрібен для обробки поштової скриньки, "
+"якщо відповідний обліковий запис користувача змінено або вилучено. Якщо "
+"каталог не вказано, буде використано типове значення."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3180
+msgid "Default: <filename>/var/mail</filename>"
+msgstr "Типове значення: <filename>/var/mail</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:3185
+msgid "userdel_cmd (string)"
+msgstr "userdel_cmd (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3188
+msgid ""
+"The command that is run after a user is removed. The command us passed the "
+"username of the user being removed as the first and only parameter. The "
+"return code of the command is not taken into account."
+msgstr ""
+"Команда, яку буде виконано після вилучення запису користувача. Команді, як "
+"перший і єдиний параметр, передається ім’я користувача, запис якого "
+"вилучається. Код виконання, повернутий програмою не обробляється."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:3194
+msgid "Default: None, no command is run"
+msgstr "Типове значення: None, не виконувати жодних команд"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3204
+msgid "TRUSTED DOMAIN SECTION"
+msgstr "РОЗДІЛ ДОВІРЕНИХ ДОМЕНІВ"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3206
+msgid ""
+"Some options used in the domain section can also be used in the trusted "
+"domain section, that is, in a section called <quote>[domain/"
+"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
+"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
+"domain. Please refer to examples below for explanation. Currently supported "
+"options in the trusted domain section are:"
+msgstr ""
+"Деякі параметри, які використовуються у розділі домену, можна також "
+"використовувати у розділі довіреного домену, тобто у розділі, який "
+"називається <quote>[domain/<replaceable>НАЗВА_ДОМЕНУ</replaceable>/"
+"<replaceable>НАЗВА_ДОВІРЕНОГО_ДОМЕНУ</replaceable>]</quote>. Де НАЗВА_ДОМЕНУ "
+"є справжнім базовим доменом для долучення. Приклади наведено нижче. У "
+"поточній версії підтримуваними параметрами у розділі довіреного домену є "
+"такі параметри:"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3213
+msgid "ldap_search_base,"
+msgstr "ldap_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3214
+msgid "ldap_user_search_base,"
+msgstr "ldap_user_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3215
+msgid "ldap_group_search_base,"
+msgstr "ldap_group_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3216
+msgid "ldap_netgroup_search_base,"
+msgstr "ldap_netgroup_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3217
+msgid "ldap_service_search_base,"
+msgstr "ldap_service_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3218
+msgid "ad_server,"
+msgstr "ad_server,"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3219
+msgid "ad_backup_server,"
+msgstr "ad_backup_server,"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3220
+msgid "ad_site,"
+msgstr "ad_site,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782
+msgid "use_fully_qualified_names"
+msgstr "use_fully_qualified_names"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3223
+msgid ""
+"For more details about these options see their individual description in the "
+"manual page."
+msgstr ""
+"Докладніший опис цих параметрів можна знайти у окремих описах на сторінці "
+"підручника."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43
+msgid "EXAMPLES"
+msgstr "ПРИКЛАДИ"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3235
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+msgstr ""
+"[sssd]\n"
+"domains = LDAP\n"
+"services = nss, pam\n"
+"config_file_version = 2\n"
+"\n"
+"[nss]\n"
+"filter_groups = root\n"
+"filter_users = root\n"
+"\n"
+"[pam]\n"
+"\n"
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"ldap_uri = ldap://ldap.example.com\n"
+"ldap_search_base = dc=example,dc=com\n"
+"\n"
+"auth_provider = krb5\n"
+"krb5_server = kerberos.example.com\n"
+"krb5_realm = EXAMPLE.COM\n"
+"cache_credentials = true\n"
+"\n"
+"min_id = 10000\n"
+"max_id = 20000\n"
+"enumerate = False\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3231
+msgid ""
+"1. The following example shows a typical SSSD config. It does not describe "
+"configuration of the domains themselves - refer to documentation on "
+"configuring domains for more details. <placeholder type=\"programlisting\" "
+"id=\"0\"/>"
+msgstr ""
+"1. Нижче наведено приклад типових налаштувань SSSD. Налаштування самого "
+"домену не наведено, — щоб дізнатися більше про неї, ознайомтеся з "
+"документацією щодо налаштовування доменів. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd.conf.5.xml:3268
+#, no-wrap
+msgid ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+msgstr ""
+"[domain/ipa.com/child.ad.com]\n"
+"use_fully_qualified_names = false\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:3262
+msgid ""
+"2. The following example shows configuration of IPA AD trust where the AD "
+"forest consists of two domains in a parent-child structure. Suppose IPA "
+"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
+"(child.ad.com). To enable shortnames in the child domain the following "
+"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+msgstr ""
+"2. У наведеному нижче прикладі показано налаштування довіри AD у IPA, де ліс "
+"AD складається з двох доменів у структурі батьківський-дочірній. Нехай домен "
+"IPA (ipa.com) має стосунки довіри з доменом AD (ad.com). ad.com має дочірній "
+"домен (child.ad.com). Щоб увімкнути скорочені назви у дочірньому домені, "
+"слід скористатися наведеними нижче налаштуваннями. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "sssd-ldap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "Модуль надання даних LDAP SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" +"На цій сторінці довідника описано налаштування доменів LDAP для " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Щоб дізнатися більше про синтаксис налаштування, зверніться " +"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "Ви можете налаштувати SSSD на використання декількох доменів LDAP." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." 
+msgstr ""
+"У основному модулі LDAP передбачено підтримку засобів надання ідентифікатора "
+"(id), уповноважень (auth), доступу (access) та зміни паролів (chpass). Якщо "
+"ви бажаєте виконувати розпізнавання на сервері LDAP, потрібен TLS/SSL або "
+"LDAPS. У <command>sssd</command> <emphasis>не передбачено</emphasis> "
+"підтримки розпізнавання за допомогою шифрованого каналу обміну даними. Якщо "
+"сервер LDAP використовується лише для надання даних профілів, потреби у "
+"шифруванні каналу обміну даними немає. Будь ласка, зверніться до опису "
+"параметра налаштування <quote>ldap_access_filter</quote>, щоб дізнатися "
+"більше про використання LDAP, як засобу керування доступом."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115
+#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
+#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
+msgid "CONFIGURATION OPTIONS"
+msgstr "ПАРАМЕТРИ НАЛАШТУВАННЯ"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:60
+msgid "ldap_uri, ldap_backup_uri (string)"
+msgstr "ldap_uri, ldap_backup_uri (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:63
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference. Refer to the <quote>FAILOVER</"
+"quote> section for more information on failover and server redundancy. If "
+"neither option is specified, service discovery is enabled. For more "
+"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+"Визначає список адрес серверів LDAP, відокремлених комами, з якими SSSD має "
+"встановлювати з’єднання у порядку пріоритету. Зверніться до розділу "
+"«РЕЗЕРВ», щоб дізнатися більше про перемикання на резервні ресурси та "
+"додаткові сервери. Якщо не вказано, буде використано автоматичне виявлення "
+"служб. Докладніші відомості можна знайти у розділі «ПОШУК СЛУЖБ»."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264
+msgid "The format of the URI must match the format defined in RFC 2732:"
+msgstr "Формат адреси має відповідати формату, що визначається RFC 2732:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:73
+msgid "ldap[s]://<host>[:port]"
+msgstr "ldap[s]://<вузол>[:порт]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:76
+msgid ""
+"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
+msgstr ""
+"У явних адресах IPv6 <вузол> має бути вказано у квадратних дужках, []"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:79
+msgid "example: ldap://[fc00::126:25]:389"
+msgstr "приклад: ldap://[fc00::126:25]:389"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:85
+msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
+msgstr "ldap_chpass_uri, ldap_chpass_backup_uri (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:88
+msgid ""
+"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
+"should connect in the order of preference to change the password of a user. "
+"Refer to the <quote>FAILOVER</quote> section for more information on "
+"failover and server redundancy."
+msgstr ""
+"Визначає список адрес серверів LDAP, відокремлених комами, з якими SSSD має "
+"встановлювати з’єднання у порядку пріоритету для зміни пароля користувача. "
+"Зверніться до розділу «РЕЗЕРВ», щоб дізнатися більше про перемикання на "
+"резервні ресурси та додаткові сервери."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:95
+msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
+msgstr ""
+"Для того, щоб уможливити визначення служб, слід встановити значення "
+"параметра ldap_chpass_dns_service_name."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:99
+msgid "Default: empty, i.e. ldap_uri is used."
+msgstr "Типове значення: порожнє, тобто використовується ldap_uri."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:105
+msgid "ldap_search_base (string)"
+msgstr "ldap_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:108
+msgid "The default base DN to use for performing LDAP user operations."
+msgstr ""
+"Типова базова назва домену, яку слід використовувати для виконання дій від "
+"імені користувача LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:112
+msgid ""
+"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
+"syntax:"
+msgstr ""
+"Починаючи з SSSD 1.7.0, у SSSD передбачено підтримку визначення декількох "
+"основ для пошуку за допомогою таких синтаксичних конструкцій:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:116
+msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
+msgstr "основа_пошуку[?діапазон?[фільтр][?основа_пошуку?діапазон?[фільтр]]*]"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:119
+msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
+msgstr ""
+"Діапазоном може бути одне зі значень, «base» (основа), «onelevel» (окремий "
+"рівень) або «subtree» (піддерево)."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
+msgid ""
+"The filter must be a valid LDAP search filter as specified by http://www."
+"ietf.org/rfc/rfc2254.txt"
+msgstr ""
+"Фільтром має бути коректний запис фільтрування LDAP, відповідно до "
+"специфікації http://www.ietf.org/rfc/rfc2254.txt"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286
+#: sss_override.8.xml:137 sss_override.8.xml:234
+msgid "Examples:"
+msgstr "Приклади:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:129
+msgid ""
+"ldap_search_base = dc=example,dc=com (which is equivalent to) "
+"ldap_search_base = dc=example,dc=com?subtree?"
+msgstr ""
+"ldap_search_base = dc=example,dc=com (еквівалентне до) ldap_search_base = "
+"dc=example,dc=com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:134
+msgid ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+msgstr ""
+"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
+"(host=thishost)?dc=example.com?subtree?"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:137
+msgid ""
+"Note: It is unsupported to have multiple search bases which reference "
+"identically-named objects (for example, groups with the same name in two "
+"different search bases). This will lead to unpredictable behavior on client "
+"machines."
+msgstr ""
+"Зауваження: підтримки визначення декількох основ пошуку з посиланням на "
+"об’єкти з однаковими назвами (наприклад груп з однаковою назвою у двох "
+"різних основах пошуку) не передбачено. Такі визначення можуть призвести до "
+"непередбачуваних результатів на клієнтських комп’ютерах."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:144
+msgid ""
+"Default: If not set, the value of the defaultNamingContext or namingContexts "
+"attribute from the RootDSE of the LDAP server is used. If "
+"defaultNamingContext does not exist or has an empty value namingContexts is "
+"used. The namingContexts attribute must have a single value with the DN of "
+"the search base of the LDAP server to make this work. Multiple values are "
+"are not supported."
+msgstr ""
+"Типове значення: якщо значення не встановлено, буде використано значення "
+"атрибута defaultNamingContext або namingContexts з RootDSE сервера LDAP. "
+"Якщо запису defaultNamingContext не існує або цей запис має порожнє "
+"значення, буде використано namingContexts. Для роботи системи потрібно, щоб "
+"атрибут namingContexts має єдине значення DN бази пошуку сервера LDAP. "
+"Підтримки визначення декількох значень не передбачено."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:158
+msgid "ldap_schema (string)"
+msgstr "ldap_schema (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:161
+msgid ""
+"Specifies the Schema Type in use on the target LDAP server. Depending on "
+"the selected schema, the default attribute names retrieved from the servers "
+"may vary. The way that some attributes are handled may also differ."
+msgstr ""
+"Визначає тип схеми, що використовується на сервері LDAP призначення. "
+"Відповідно до вибраної схеми, типові назви атрибутів, отриманих з сервера, "
+"можуть бути різними. Спосіб обробки атрибутів також може бути різним."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:168
+msgid "Four schema types are currently supported:"
+msgstr "У поточній версії передбачено підтримку чотирьох типів схем:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:172
+msgid "rfc2307"
+msgstr "rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:177
+msgid "rfc2307bis"
+msgstr "rfc2307bis"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:182
+msgid "IPA"
+msgstr "IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ldap.5.xml:187
+msgid "AD"
+msgstr "AD"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:193
+msgid ""
+"The main difference between these schema types is how group memberships are "
+"recorded in the server. With rfc2307, group members are listed by name in "
+"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
+"group members are listed by DN and stored in the <emphasis>member</emphasis> "
+"attribute. The AD schema type sets the attributes to correspond with Active "
+"Directory 2008r2 values."
+msgstr ""
+"Основною відмінністю між цими типами схем є спосіб запису даних щодо участі "
+"у групах на сервері. Відповідно до rfc2307, список учасників груп "
+"впорядковується за користувачами у атрибуті <emphasis>memberUid</emphasis>. "
+"Відповідно до rfc2307bis і IPA, список учасників груп впорядковується за "
+"назвою домену (DN) і зберігається у атрибуті <emphasis>member</emphasis>. "
+"Відповідно до типу схеми AD, встановлюється відповідність зі значеннями "
+"Active Directory 2008r2."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:203
+msgid "Default: rfc2307"
+msgstr "Типове значення: rfc2307"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:209
+msgid "ldap_default_bind_dn (string)"
+msgstr "ldap_default_bind_dn (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:212
+msgid "The default bind DN to use for performing LDAP operations."
+msgstr ""
+"Типова назва домену прив’язки, яку слід використовувати для виконання дій "
+"LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:219
+msgid "ldap_default_authtok_type (string)"
+msgstr "ldap_default_authtok_type (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:222
+msgid "The type of the authentication token of the default bind DN."
+msgstr "Тип розпізнавання для типової назви сервера прив’язки."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:226
+msgid "The two mechanisms currently supported are:"
+msgstr "У поточній версії передбачено підтримку двох механізмів:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:229
+msgid "password"
+msgstr "password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:232
+msgid "obfuscated_password"
+msgstr "obfuscated_password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:235
+msgid "Default: password"
+msgstr "Типове значення: password"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:241
+msgid "ldap_default_authtok (string)"
+msgstr "ldap_default_authtok (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:244
+msgid ""
+"The authentication token of the default bind DN. Only clear text passwords "
+"are currently supported."
+msgstr ""
+"Лексема розпізнавання типової назви сервера прив’язки. У поточній версії "
+"передбачено підтримку лише паролів у форматі звичайного тексту."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:251
+msgid "ldap_user_object_class (string)"
+msgstr "ldap_user_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:254
+msgid "The object class of a user entry in LDAP."
+msgstr "Клас об’єктів запису користувача у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:257
+msgid "Default: posixAccount"
+msgstr "Типове значення: posixAccount"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:263
+msgid "ldap_user_name (string)"
+msgstr "ldap_user_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:266
+msgid "The LDAP attribute that corresponds to the user's login name."
+msgstr "Атрибут LDAP, що відповідає назві облікового запису користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:270
+msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr "Типове значення: uid (rfc2307, rfc2307bis і IPA), sAMAccountName (AD)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:277
+msgid "ldap_user_uid_number (string)"
+msgstr "ldap_user_uid_number (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:280
+msgid "The LDAP attribute that corresponds to the user's id."
+msgstr "Атрибут LDAP, що відповідає ідентифікатору користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:284
+msgid "Default: uidNumber"
+msgstr "Типове значення: uidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:290
+msgid "ldap_user_gid_number (string)"
+msgstr "ldap_user_gid_number (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:293
+msgid "The LDAP attribute that corresponds to the user's primary group id."
+msgstr "Атрибут LDAP, що відповідає ідентифікатору основної групи користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929
+msgid "Default: gidNumber"
+msgstr "Типове значення: gidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:303
+msgid "ldap_user_primary_group (string)"
+msgstr "ldap_user_primary_group (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:306
+msgid ""
+"Active Directory primary group attribute for ID-mapping. Note that this "
+"attribute should only be set manually if you are running the <quote>ldap</"
+"quote> provider with ID mapping."
+msgstr ""
+"Атрибут основної групи Active Directory для встановлення відповідності "
+"ідентифікатора. Зауважте, що цей атрибут слід встановлювати вручну, лише "
+"якщо ви користуєтеся засобом надання даних <quote>ldap</quote> з прив'язкою "
+"до ідентифікаторів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:312
+msgid "Default: unset (LDAP), primaryGroupID (AD)"
+msgstr "Типове значення: unset (LDAP), primaryGroupID (AD)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:318
+msgid "ldap_user_gecos (string)"
+msgstr "ldap_user_gecos (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:321
+msgid "The LDAP attribute that corresponds to the user's gecos field."
+msgstr "Атрибут LDAP, що відповідає полю gecos користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:325
+msgid "Default: gecos"
+msgstr "Типове значення: gecos"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:331
+msgid "ldap_user_home_directory (string)"
+msgstr "ldap_user_home_directory (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:334
+msgid "The LDAP attribute that contains the name of the user's home directory."
+msgstr "Атрибут LDAP, що містить назву домашнього каталогу користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:338
+msgid "Default: homeDirectory"
+msgstr "Типове значення: homeDirectory"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:344
+msgid "ldap_user_shell (string)"
+msgstr "ldap_user_shell (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:347
+msgid "The LDAP attribute that contains the path to the user's default shell."
+msgstr ""
+"Атрибут LDAP, що містить шлях до типової командної оболонки користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:351
+msgid "Default: loginShell"
+msgstr "Типове значення: loginShell"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:357
+msgid "ldap_user_uuid (string)"
+msgstr "ldap_user_uuid (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:360
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
+msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта користувача LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955
+msgid ""
+"Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
+"IPA"
+msgstr ""
+"Типове значення: не встановлено у загальному випадку, objectGUID для AD і "
+"ipaUniqueID для IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:371
+msgid "ldap_user_objectsid (string)"
+msgstr "ldap_user_objectsid (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:374
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP user object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"Атрибут LDAP, що містить objectSID об’єкта користувача LDAP. Зазвичай, "
+"потрібен лише для серверів ActiveDirectory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970
+msgid "Default: objectSid for ActiveDirectory, not set for other servers."
+msgstr ""
+"Типове значення: objectSid для ActiveDirectory, не встановлено для інших "
+"серверів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:386
+msgid "ldap_user_modify_timestamp (string)"
+msgstr "ldap_user_modify_timestamp (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203
+msgid ""
+"The LDAP attribute that contains timestamp of the last modification of the "
+"parent object."
+msgstr ""
+"Атрибут LDAP, що містить часову позначку останньої зміни батьківського "
+"об’єкта."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210
+msgid "Default: modifyTimestamp"
+msgstr "Типове значення: modifyTimestamp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:399
+msgid "ldap_user_shadow_last_change (string)"
+msgstr "ldap_user_shadow_last_change (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:402
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
+"the last password change)."
+msgstr ""
+"У разі використання ldap_pwd_policy=shadow цей параметр містить назву "
+"атрибута LDAP, який є відповідником параметра <citerefentry> "
+"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> (дати останньої зміни пароля)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:412
+msgid "Default: shadowLastChange"
+msgstr "Типове значення: shadowLastChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:418
+msgid "ldap_user_shadow_min (string)"
+msgstr "ldap_user_shadow_min (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:421
+msgid ""
+"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
+"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
+"password age)."
+msgstr "" +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (мінімального віку пароля)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "Типове значення: shadowMin" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "ldap_user_shadow_max (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (максимального віку пароля)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "Типове значення: shadowMax" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "ldap_user_shadow_warning (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (проміжку попередження щодо пароля)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "Типове значення: shadowWarning" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "ldap_user_shadow_inactive (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" +"У разі використання ldap_pwd_policy=shadow цей параметр містить назву " +"атрибута LDAP, який є відповідником параметра <citerefentry> " +"<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> (тривалості періоду невикористання пароля)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "Типове значення: shadowInactive" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "ldap_user_shadow_expire (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" +"У разі використання ldap_pwd_policy=shadow або " +"ldap_account_expire_policy=shadow цей параметр містить назву атрибута LDAP, " +"який є відповідником параметра <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> (дати завершення " +"строку дії пароля)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "Типове значення: shadowExpire" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "ldap_user_krb_last_pwd_change (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" +"Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить " +"назву атрибута LDAP, у якому зберігається дата і час останньої зміни пароля " +"у kerberos." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:520
+msgid "Default: krbLastPwdChange"
+msgstr "Типове значення: krbLastPwdChange"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:526
+msgid "ldap_user_krb_password_expiration (string)"
+msgstr "ldap_user_krb_password_expiration (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:529
+msgid ""
+"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
+"an LDAP attribute storing the date and time when current password expires."
+msgstr ""
+"Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить "
+"назву атрибута LDAP, у якому зберігається дата і час завершення строку дії "
+"поточного пароля."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:535
+msgid "Default: krbPasswordExpiration"
+msgstr "Типове значення: krbPasswordExpiration"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:541
+msgid "ldap_user_ad_account_expires (string)"
+msgstr "ldap_user_ad_account_expires (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:544
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the expiration time of the account."
+msgstr ""
+"Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву "
+"атрибута LDAP, у якому зберігаються дані щодо строку завершення дії "
+"облікового запису."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:549
+msgid "Default: accountExpires"
+msgstr "Типове значення: accountExpires"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:555
+msgid "ldap_user_ad_user_account_control (string)"
+msgstr "ldap_user_ad_user_account_control (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:558
+msgid ""
+"When using ldap_account_expire_policy=ad, this parameter contains the name "
+"of an LDAP attribute storing the user account control bit field."
+msgstr ""
+"Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву "
+"атрибута LDAP, у якому зберігаються дані щодо поля контрольного біта "
+"облікового запису користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:563
+msgid "Default: userAccountControl"
+msgstr "Типове значення: userAccountControl"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:569
+msgid "ldap_ns_account_lock (string)"
+msgstr "ldap_ns_account_lock (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:572
+msgid ""
+"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
+"determines if access is allowed or not."
+msgstr ""
+"Якщо вказано ldap_account_expire_policy=rhds або еквівалентне налаштування, "
+"цей параметр визначає, заборонено чи дозволено доступ."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:577
+msgid "Default: nsAccountLock"
+msgstr "Типове значення: nsAccountLock"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:583
+msgid "ldap_user_nds_login_disabled (string)"
+msgstr "ldap_user_nds_login_disabled (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:586
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines if "
+"access is allowed or not."
+msgstr ""
+"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає, дозволено "
+"чи заборонено доступ."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604
+msgid "Default: loginDisabled"
+msgstr "Типове значення: loginDisabled"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:596
+msgid "ldap_user_nds_login_expiration_time (string)"
+msgstr "ldap_user_nds_login_expiration_time (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:599
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines until "
+"which date access is granted."
+msgstr ""
+"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає дату, до "
+"якої надано доступ."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:610
+msgid "ldap_user_nds_login_allowed_time_map (string)"
+msgstr "ldap_user_nds_login_allowed_time_map (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:613
+msgid ""
+"When using ldap_account_expire_policy=nds, this attribute determines the "
+"hours of a day in a week when access is granted."
+msgstr ""
+"Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає годити дня "
+"тижня, коли надається доступ."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:618
+msgid "Default: loginAllowedTimeMap"
+msgstr "Типове значення: loginAllowedTimeMap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:624
+msgid "ldap_user_principal (string)"
+msgstr "ldap_user_principal (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:627
+msgid ""
+"The LDAP attribute that contains the user's Kerberos User Principal Name "
+"(UPN)."
+msgstr ""
+"Атрибут LDAP, що містить Kerberos User Principal Name (UPN) користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:631
+msgid "Default: krbPrincipalName"
+msgstr "Типове значення: krbPrincipalName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:637
+msgid "ldap_user_extra_attrs (string)"
+msgstr "ldap_user_extra_attrs (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:640
+msgid ""
+"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
+"usual set of user attributes."
+msgstr ""
+"Відокремлений комами список атрибутів LDAP, які SSSD має отримувати разом зі "
+"звичайним набором атрибутів запису користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:645
+msgid ""
+"The list can either contain LDAP attribute names only, or colon-separated "
+"tuples of SSSD cache attribute name and LDAP attribute name. 
In case only "
+"LDAP attribute name is specified, the attribute is saved to the cache "
+"verbatim. Using a custom SSSD attribute name might be required by "
+"environments that configure several SSSD domains with different LDAP schemas."
+msgstr ""
+"Список може або містити лише назви атрибутів LDAP, або відокремлені "
+"двокрапками кортежі з назви атрибута кешу SSSD та назви атрибута LDAP. Якщо "
+"вказано лише назву атрибута LDAP, атрибут зберігається до кешу буквально. "
+"Використання нетипової назви атрибута SSSD може бути потрібним середовищам, "
+"де налаштовано декілька доменів SSSD з різними схемами LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:655
+msgid ""
+"Please note that several attribute names are reserved by SSSD, notably the "
+"<quote>name</quote> attribute. SSSD would report an error if any of the "
+"reserved attribute names is used as an extra attribute name."
+msgstr ""
+"Будь ласка, зауважте, що декілька назв атрибутів зарезервовано SSSD, зокрема "
+"атрибут «name». SSSD повідомить про помилку, якщо будь-які із зарезервованих "
+"назв атрибутів використано як назву додаткового атрибута."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:665
+msgid "ldap_user_extra_attrs = telephoneNumber"
+msgstr "ldap_user_extra_attrs = telephoneNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:668
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
+"<quote>telephoneNumber</quote> to the cache."
+msgstr ""
+"Зберегти атрибут «telephoneNumber» з LDAP як «telephoneNumber» до кешу."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:672
+msgid "ldap_user_extra_attrs = phone:telephoneNumber"
+msgstr "ldap_user_extra_attrs = phone:telephoneNumber"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:675
+msgid ""
+"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
+"quote> to the cache."
+msgstr "Зберегти атрибут «telephoneNumber» з LDAP як «phone» до кешу."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:685
+msgid "ldap_user_ssh_public_key (string)"
+msgstr "ldap_user_ssh_public_key (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:688
+msgid "The LDAP attribute that contains the user's SSH public keys."
+msgstr "Атрибут LDAP, який містить відкриті ключі SSH користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306
+msgid "Default: sshPublicKey"
+msgstr "Типове значення: sshPublicKey"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:698
+msgid "ldap_force_upper_case_realm (boolean)"
+msgstr "ldap_force_upper_case_realm (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:701
+msgid ""
+"Some directory servers, for example Active Directory, might deliver the "
+"realm part of the UPN in lower case, which might cause the authentication to "
+"fail. Set this option to a non-zero value if you want to use an upper-case "
+"realm."
+msgstr ""
+"Деякі з серверів каталогів, наприклад Active Directory, можуть надавати "
+"частину області адреси UPN лише малими літерами (літерами нижнього "
+"регістру), що може призвести до невдалої спроби розпізнавання. Встановіть "
+"ненульове значення цього параметра, якщо ви бажаєте використовувати назву "
+"області у верхньому регістрі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:714
+msgid "ldap_enumeration_refresh_timeout (integer)"
+msgstr "ldap_enumeration_refresh_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:717
+msgid ""
+"Specifies how many seconds SSSD has to wait before refreshing its cache of "
+"enumerated records."
+msgstr ""
+"Визначає кількість секунд, протягом яких SSSD має очікувати до оновлення "
+"свого кешу нумерованих записів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:728
+msgid "ldap_purge_cache_timeout (integer)"
+msgstr "ldap_purge_cache_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:731
+msgid ""
+"Determine how often to check the cache for inactive entries (such as groups "
+"with no members and users who have never logged in) and remove them to save "
+"space."
+msgstr ""
+"Визначає частоту пошуків у кеші неактивних записів (зокрема груп без "
+"учасників та користувачів, які ніколи не входили до системи) та вилучення "
+"цих записів з метою економії місця."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:737
+msgid ""
+"Setting this option to zero will disable the cache cleanup operation. 
Please "
+"note that if enumeration is enabled, the cleanup task is required in order "
+"to detect entries removed from the server and can't be disabled. By default, "
+"the cleanup task will run every 3 hours with enumeration enabled."
+msgstr ""
+"Встановлення нульового значення цього параметра вимикає дію з очищення кешу. "
+"Будь ласка, зауважте, що якщо увімкнено нумерацію, дія з очищення є "
+"необхідною з метою виявлення записів, вилучених із сервера, її не можна "
+"вимикати. Типово, дія з очищення, якщо увімкнено нумерацію, виконується "
+"кожні 3 години."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:752
+msgid "ldap_user_fullname (string)"
+msgstr "ldap_user_fullname (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:755
+msgid "The LDAP attribute that corresponds to the user's full name."
+msgstr "Атрибут LDAP, що відповідає повному імені користувача."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235
+#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607
+msgid "Default: cn"
+msgstr "Типове значення: cn"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:765
+msgid "ldap_user_member_of (string)"
+msgstr "ldap_user_member_of (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:768
+msgid "The LDAP attribute that lists the user's group memberships."
+msgstr "Атрибут LDAP зі списком груп, у яких бере участь користувач."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274
+msgid "Default: memberOf"
+msgstr "Типове значення: memberOf"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:778
+msgid "ldap_user_authorized_service (string)"
+msgstr "ldap_user_authorized_service (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:781
+msgid ""
+"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
+"use the presence of the authorizedService attribute in the user's LDAP entry "
+"to determine access privilege."
+msgstr ""
+"Якщо access_provider=ldap і ldap_access_order=authorized_service, SSSD "
+"використовуватиме наявність атрибута authorizedService у записі користувача "
+"LDAP для визначення прав доступу."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:788
+msgid ""
+"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
+"explicit allow (svc) and finally for allow_all (*)."
+msgstr ""
+"Спочатку визначаються явні заборони (!svc). Далі SSSD шукає явні дозволи "
+"(svc) і нарешті загальні дозволи або allow_all (*)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:793
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>authorized_service</quote> in order for the "
+"ldap_user_authorized_service option to work."
+msgstr ""
+"Будь ласка, зауважте, що параметр налаштування ldap_access_order "
+"<emphasis>має</emphasis> включати <quote>authorized_service</quote>, щоб "
+"система змогла скористатися параметром ldap_user_authorized_service."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:800
+msgid "Default: authorizedService"
+msgstr "Типове значення: authorizedService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:806
+msgid "ldap_user_authorized_host (string)"
+msgstr "ldap_user_authorized_host (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:809
+msgid ""
+"If access_provider=ldap and ldap_access_order=host, SSSD will use the "
+"presence of the host attribute in the user's LDAP entry to determine access "
+"privilege."
+msgstr ""
+"Якщо access_provider=ldap і ldap_access_order=host, SSSD використовуватиме "
+"наявність атрибута host у записі користувача LDAP для визначення прав "
+"доступу."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:815
+msgid ""
+"An explicit deny (!host) is resolved first. Second, SSSD searches for "
+"explicit allow (host) and finally for allow_all (*)."
+msgstr ""
+"Спочатку визначаються явні заборони (!host). Далі SSSD шукає явні дозволи "
+"(host) і нарешті загальні дозволи або allow_all (*)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:820
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>host</quote> in order for the "
+"ldap_user_authorized_host option to work."
+msgstr ""
+"Будь ласка, зауважте, що параметр налаштування ldap_access_order "
+"<emphasis>має</emphasis> включати <quote>host</quote>, щоб можна було "
+"скористатися параметром ldap_user_authorized_host."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:827
+msgid "Default: host"
+msgstr "Типове значення: host"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:833
+msgid "ldap_user_authorized_rhost (string)"
+msgstr "ldap_user_authorized_rhost (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:836
+msgid ""
+"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the "
+"presence of the rhost attribute in the user's LDAP entry to determine access "
+"privilege. Similarly to host verification process."
+msgstr ""
+"Якщо access_provider=ldap і ldap_access_order=rhost, SSSD використовуватиме "
+"наявність атрибута rhost у записі користувача LDAP для визначення прав "
+"доступу. Те саме стосується і процесу перевірки вузла."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:843
+msgid ""
+"An explicit deny (!rhost) is resolved first. Second, SSSD searches for "
+"explicit allow (rhost) and finally for allow_all (*)."
+msgstr ""
+"Спочатку визначаються явні заборони (!rhost). Далі SSSD шукає явні дозволи "
+"(rhost) і нарешті загальні дозволи або allow_all (*)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:848
+msgid ""
+"Please note that the ldap_access_order configuration option <emphasis>must</"
+"emphasis> include <quote>rhost</quote> in order for the "
+"ldap_user_authorized_rhost option to work."
+msgstr ""
+"Будь ласка, зауважте, що параметр налаштування ldap_access_order "
+"<emphasis>має</emphasis> включати <quote>rhost</quote>, щоб можна було "
+"скористатися параметром ldap_user_authorized_rhost."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:855
+msgid "Default: rhost"
+msgstr "Типове значення: rhost"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:861
+msgid "ldap_user_certificate (string)"
+msgstr "ldap_user_certificate (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:864
+msgid "Name of the LDAP attribute containing the X509 certificate of the user."
+msgstr "Назва атрибута LDAP, що містить сертифікат X509 користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:868
+msgid "Default: userCertificate;binary"
+msgstr "Типове значення: userCertificate;binary"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:874
+msgid "ldap_user_email (string)"
+msgstr "ldap_user_email (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:877
+msgid "Name of the LDAP attribute containing the email address of the user."
+msgstr ""
+"Назва атрибута LDAP, який містить адресу електронної пошти користувача."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:881
+msgid ""
+"Note: If an email address of a user conflicts with an email address or fully "
+"qualified name of another user, then SSSD will not be able to serve those "
+"users properly. If for some reason several users need to share the same "
+"email address then set this option to a nonexistent attribute name in order "
+"to disable user lookup/login by email."
+msgstr ""
+"Зауваження: якщо адреса електронної пошти користувача конфліктує із адресою "
+"електронної пошти або повним ім'ям іншого користувача, SSSD не зможе "
+"обслуговувати належним чином записи таких користувачів. Якщо з якоїсь "
+"причини у декількох користувачів має бути одна адреса електронної пошти, "
+"встановіть для цього параметра довільну назву атрибута, щоб вимкнути пошук і "
+"вхід до системи за адресою електронної пошти."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:890
+msgid "Default: mail"
+msgstr "Типове значення: mail"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:896
+msgid "ldap_group_object_class (string)"
+msgstr "ldap_group_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:899
+msgid "The object class of a group entry in LDAP."
+msgstr "Клас об’єктів запису групи у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:902
+msgid "Default: posixGroup"
+msgstr "Типове значення: posixGroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:908
+msgid "ldap_group_name (string)"
+msgstr "ldap_group_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:911
+msgid "The LDAP attribute that corresponds to the group name."
+msgstr "Атрибут LDAP, що відповідає назві групи."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:915
+msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
+msgstr "Типове значення: cn (rfc2307, rfc2307bis і IPA), sAMAccountName (AD)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:922
+msgid "ldap_group_gid_number (string)"
+msgstr "ldap_group_gid_number (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:925
+msgid "The LDAP attribute that corresponds to the group's id."
+msgstr "Атрибут LDAP, що відповідає ідентифікатору групи."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:935
+msgid "ldap_group_member (string)"
+msgstr "ldap_group_member (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:938
+msgid "The LDAP attribute that contains the names of the group's members."
+msgstr "Атрибут LDAP, у якому містяться імена учасників групи."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:942
+msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
+msgstr "Типове значення: memberuid (rfc2307) / member (rfc2307bis)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:948
+msgid "ldap_group_uuid (string)"
+msgstr "ldap_group_uuid (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:951
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
+msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта групи LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:962
+msgid "ldap_group_objectsid (string)"
+msgstr "ldap_group_objectsid (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:965
+msgid ""
+"The LDAP attribute that contains the objectSID of an LDAP group object. This "
+"is usually only necessary for ActiveDirectory servers."
+msgstr ""
+"Атрибут LDAP, що містить objectSID об’єкта групи LDAP. Зазвичай, потрібен "
+"лише для серверів ActiveDirectory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:977
+msgid "ldap_group_modify_timestamp (string)"
+msgstr "ldap_group_modify_timestamp (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:990
+msgid "ldap_group_type (integer)"
+msgstr "ldap_group_type (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:993
+msgid ""
+"The LDAP attribute that contains an integer value indicating the type of the "
+"group and maybe other flags."
+msgstr ""
+"Атрибут LDAP, що містить ціле значення і позначає тип групи, а також, "
+"можливо, інші прапорці."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:998
+msgid ""
+"This attribute is currently only used by the AD provider to determine if a "
+"group is a domain local groups and has to be filtered out for trusted "
+"domains."
+msgstr ""
+"Цей атрибут у поточній версії використовується лише засобом надання даних AD "
+"для визначення, чи є група локальною групою домену і чи має бути її "
+"відфільтровано у списку надійних (довірених) доменів."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1004
+msgid "Default: groupType in the AD provider, otherwise not set"
+msgstr ""
+"Типове значення: groupType у засобі надання даних AD, у інших засобах не "
+"встановлено"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1011
+msgid "ldap_group_external_member (string)"
+msgstr "ldap_group_external_member (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1014
+msgid ""
+"The LDAP attribute that references group members that are defined in an "
+"external domain. At the moment, only IPA's external members are supported."
+msgstr ""
+"Атрибут LDAP, який посилається на записи учасників групи, які визначено у "
+"зовнішньому домені. У поточній версії передбачено підтримку лише зовнішніх "
+"записів учасників IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1020
+msgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
+msgstr ""
+"Типове значення: ipaExternalMember у засобі надання даних IPA, у інших "
+"засобах не визначено."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1027
+msgid "ldap_group_nesting_level (integer)"
+msgstr "ldap_group_nesting_level (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1030
+msgid ""
+"If ldap_schema is set to a schema format that supports nested groups (e.g. "
+"RFC2307bis), then this option controls how many levels of nesting SSSD will "
+"follow. This option has no effect on the RFC2307 schema."
+msgstr ""
+"Якщо ldap_schema встановлено у значення формату схеми, у якому передбачено "
+"підтримку вкладеності груп (наприклад RFC2307bis), цей параметр визначає "
+"кількість рівнів вкладеності, які оброблятимуться SSSD. Значення цього "
+"параметра буде проігноровано, якщо використано схему RFC2307."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1037
+msgid ""
+"Note: This option specifies the guaranteed level of nested groups to be "
+"processed for any lookup. However, nested groups beyond this limit "
+"<emphasis>may be</emphasis> returned if previous lookups already resolved "
+"the deeper nesting levels. Also, subsequent lookups for other groups may "
+"enlarge the result set for original lookup if re-queried."
+msgstr ""
+"Зауваження: за допомогою цього параметра визначається гарантований рівень "
+"вкладеності груп для обробки під час будь-якого пошуку. Втім, <emphasis>може "
+"бути</emphasis> повернуто і групи із більшим рівнем вкладеності, якщо під "
+"час попередніх пошуків відбувалася обробка вищих рівнів вкладеності. Крім "
+"того, послідовні пошуки інших груп можуть розширити набір результатів "
+"початкового пошуку, якщо запити щодо пошуку надходять повторно."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1046
+msgid ""
+"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
+"at all. However, when connected to Active-Directory Server 2008 and later "
+"using <quote>id_provider=ad</quote> it is furthermore required to disable "
+"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
+"restrict group nesting."
+msgstr ""
+"Якщо значенням ldap_group_nesting_level є 0, вкладені групи взагалі не "
+"оброблятимуться. 
Втім, якщо з’єднання встановлено з Active-Directory Server "
+"2008 та новішими версіями з використанням <quote>id_provider=ad</quote>, "
+"слід також вимкнути використання груп реєстраційних записів (Token-Groups) "
+"встановленням для параметра ldap_use_tokengroups значення false з метою "
+"обмеження вкладеності у групах."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1055
+msgid "Default: 2"
+msgstr "Типове значення: 2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1061
+msgid "ldap_groups_use_matching_rule_in_chain"
+msgstr "ldap_groups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1064
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which may speed up group lookup operations on deployments with "
+"complex or deep nested groups."
+msgstr ""
+"За допомогою цього параметра можна наказати SSSD скористатися перевагами "
+"специфічної для Active Directory можливості, яка надає змогу пришвидшити дії "
+"з пошуку груп у мережах зі складною системою груп або системою груп з "
+"високим рівнем вкладеності."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1070
+msgid ""
+"In most common cases, it is best to leave this option disabled. It generally "
+"only provides a performance increase on very complex nestings."
+msgstr ""
+"Здебільшого, не варто вмикати цю можливість. Пришвидшення за її допомогою "
+"можна буде спостерігати лише у дуже складних випадках вкладеності груп."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102
+msgid ""
+"If this option is enabled, SSSD will use it if it detects that the server "
+"supports it during initial connection. So \"True\" here essentially means "
+"\"auto-detect\"."
+msgstr ""
+"Якщо увімкнено цей параметр, SSSD використовуватиме можливість, якщо під час "
+"початкового сеансу з’єднання виявить, що на сервері передбачено підтримку "
+"можливості. Отже, насправді значення «True» означає «визначити автоматично»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108
+msgid ""
+"Note: This feature is currently known to work only with Active Directory "
+"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
+"for more details."
+msgstr ""
+"Зауваження: відомо, що у поточній версії цією можливістю можна скористатися "
+"лише для Active Directory 2008 R1 та пізніших версій. Докладніше про це "
+"можна дізнатися з <ulink url=\"http://msdn.microsoft.com/en-us/library/"
+"windows/desktop/aa746475%28v=vs.85%29.aspx\">документації MSDN(TM)</ulink>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1093
+msgid "ldap_initgroups_use_matching_rule_in_chain"
+msgstr "ldap_initgroups_use_matching_rule_in_chain"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1096
+msgid ""
+"This option tells SSSD to take advantage of an Active Directory-specific "
+"feature which might speed up initgroups operations (most notably when "
+"dealing with complex or deep nested groups)."
+msgstr ""
+"За допомогою цього параметра можна наказати SSSD скористатися перевагами "
+"специфічної для Active Directory можливості, яка може пришвидшити дії з "
+"початковими групами (initgroups). Особливо помітним таке пришвидшення є у "
+"системах зі складною системою груп або системою груп з високим рівнем "
+"вкладеності."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1123
+msgid ""
+"This options enables or disables use of Token-Groups attribute when "
+"performing initgroup for users from Active Directory Server 2008 and later."
+msgstr ""
+"За допомогою цього параметра можна увімкнути або вимкнути використання "
+"атрибута Token-Groups під час виконання initgroup для користувачів Active "
+"Directory Server 2008 та новіших версій."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1128
+msgid "Default: True for AD and IPA otherwise False."
+msgstr "Типове значення: True для AD і IPA, інакше False."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1134
+msgid "ldap_netgroup_object_class (string)"
+msgstr "ldap_netgroup_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1137
+msgid "The object class of a netgroup entry in LDAP."
+msgstr "Клас об’єктів запису мережевої групи (netgroup) у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1140
+msgid "In IPA provider, ipa_netgroup_object_class should be used instead."
+msgstr "У надавачі даних IPA має бути використано ipa_netgroup_object_class."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1144
+msgid "Default: nisNetgroup"
+msgstr "Типове значення: nisNetgroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1150
+msgid "ldap_netgroup_name (string)"
+msgstr "ldap_netgroup_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1153
+msgid "The LDAP attribute that corresponds to the netgroup name."
+msgstr "Атрибут LDAP, що відповідає назві мережевої групи (netgroup)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1157
+msgid "In IPA provider, ipa_netgroup_name should be used instead."
+msgstr "У надавачі даних IPA має бути використано ipa_netgroup_name."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1167
+msgid "ldap_netgroup_member (string)"
+msgstr "ldap_netgroup_member (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1170
+msgid "The LDAP attribute that contains the names of the netgroup's members."
+msgstr ""
+"Атрибут LDAP, у якому містяться імена учасників мережевої групи (netgroup)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1174
+msgid "In IPA provider, ipa_netgroup_member should be used instead."
+msgstr "У надавачі даних IPA має бути використано ipa_netgroup_member."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1178
+msgid "Default: memberNisNetgroup"
+msgstr "Типове значення: memberNisNetgroup"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1184
+msgid "ldap_netgroup_triple (string)"
+msgstr "ldap_netgroup_triple (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1187
+msgid ""
+"The LDAP attribute that contains the (host, user, domain) netgroup triples."
+msgstr ""
+"Атрибут LDAP, що містить трійки мережевої групи (вузол, користувач, домен)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207
+msgid "This option is not available in IPA provider."
+msgstr "Цим параметром не можна скористатися у надавачі даних IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1194
+msgid "Default: nisNetgroupTriple"
+msgstr "Типове значення: nisNetgroupTriple"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1200
+msgid "ldap_netgroup_modify_timestamp (string)"
+msgstr "ldap_netgroup_modify_timestamp (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1216
+msgid "ldap_host_object_class (string)"
+msgstr "ldap_host_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1219
+msgid "The object class of a host entry in LDAP."
+msgstr "Клас об’єктів запису вузла у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331
+msgid "Default: ipService"
+msgstr "Типове значення: ipService"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1228
+msgid "ldap_host_name (string)"
+msgstr "ldap_host_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257
+msgid "The LDAP attribute that corresponds to the host's name."
+msgstr "Атрибут LDAP, що відповідає назві вузла."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1241
+msgid "ldap_host_fqdn (string)"
+msgstr "ldap_host_fqdn (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1244
+msgid ""
+"The LDAP attribute that corresponds to the host's fully-qualified domain "
+"name."
+msgstr "Атрибут LDAP, що відповідає повній назві вузла."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1248
+msgid "Default: fqdn"
+msgstr "Типове значення: fqdn"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1254
+msgid "ldap_host_serverhostname (string)"
+msgstr "ldap_host_serverhostname (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1261
+msgid "Default: serverHostname"
+msgstr "Типове значення: serverHostname"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1267
+msgid "ldap_host_member_of (string)"
+msgstr "ldap_host_member_of (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1270
+msgid "The LDAP attribute that lists the host's group memberships."
+msgstr "Атрибут LDAP зі списком груп, у яких бере участь вузол."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1280
+msgid "ldap_host_search_base (string)"
+msgstr "ldap_host_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1283
+msgid "Optional. Use the given string as search base for host objects."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку об’єктів вузлів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
+#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416
+msgid ""
+"See <quote>ldap_search_base</quote> for information about configuring "
+"multiple search bases."
+msgstr ""
+"Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про "
+"налаштування декількох основ пошуку."
+
+#. type: Content of: <listitem><para>
+#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
+msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
+msgstr "Типове значення: значення <emphasis>ldap_search_base</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1299
+msgid "ldap_host_ssh_public_key (string)"
+msgstr "ldap_host_ssh_public_key (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1302
+msgid "The LDAP attribute that contains the host's SSH public keys."
+msgstr "Атрибут LDAP, який містить відкриті ключі SSH вузла."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1312
+msgid "ldap_host_uuid (string)"
+msgstr "ldap_host_uuid (рядок)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1315
+msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
+msgstr "Атрибут LDAP, що містить UUID/GUID об’єкта вузла LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1325
+msgid "ldap_service_object_class (string)"
+msgstr "ldap_service_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1328
+msgid "The object class of a service entry in LDAP."
+msgstr "Клас об’єктів запису служби у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1337
+msgid "ldap_service_name (string)"
+msgstr "ldap_service_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1340
+msgid ""
+"The LDAP attribute that contains the name of service attributes and their "
+"aliases."
+msgstr ""
+"Атрибут LDAP, що містить назву атрибутів служби та замінників цих атрибутів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1350
+msgid "ldap_service_port (string)"
+msgstr "ldap_service_port (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1353
+msgid "The LDAP attribute that contains the port managed by this service."
+msgstr "Атрибут LDAP, що містить номер порту, яким керує ця служба."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1357
+msgid "Default: ipServicePort"
+msgstr "Типове значення: ipServicePort"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1363
+msgid "ldap_service_proto (string)"
+msgstr "ldap_service_proto (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1366
+msgid ""
+"The LDAP attribute that contains the protocols understood by this service."
+msgstr "Атрибут LDAP, що містить протоколи, за яким може працювати ця служба."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1370
+msgid "Default: ipServiceProtocol"
+msgstr "Типове значення: ipServiceProtocol"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1376
+msgid "ldap_service_search_base (string)"
+msgstr "ldap_service_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1381
+msgid "ldap_search_timeout (integer)"
+msgstr "ldap_search_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1384
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches are allowed to run "
+"before they are cancelled and cached results are returned (and offline mode "
+"is entered)"
+msgstr ""
+"Визначає час очікування на дані (у секундах) для виконання пошуків ldap, "
+"перш ніж пошук буде скасовано з поверненням кешованих даних (і переходом до "
+"автономного режиму роботи)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1390
+msgid ""
+"Note: this option is subject to change in future versions of the SSSD. It "
+"will likely be replaced at some point by a series of timeouts for specific "
+"lookup types."
+msgstr ""
+"Зауваження: роботу цього параметра буде змінено у наступних версіях SSSD. "
+"Ймовірно, його буде колись замінено на послідовність часів очікування для "
+"окремих типів пошуків."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1402
+msgid "ldap_enumeration_search_timeout (integer)"
+msgstr "ldap_enumeration_search_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1405
+msgid ""
+"Specifies the timeout (in seconds) that ldap searches for user and group "
+"enumerations are allowed to run before they are cancelled and cached results "
+"are returned (and offline mode is entered)"
+msgstr ""
+"Визначає час очікування на дані (у секундах) для виконання пошуків номерів "
+"користувачів та груп у ldap, перш ніж пошук буде скасовано з поверненням "
+"кешованих даних (і переходом до автономного режиму роботи)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1418
+msgid "ldap_network_timeout (integer)"
+msgstr "ldap_network_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1421
+msgid ""
+"Specifies the timeout (in seconds) after which the <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> following a <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> returns in case of no activity."
+msgstr ""
+"Визначає час очікування (у секундах), після завершення якого <citerefentry> "
+"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
+"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
+"manvolnum> </citerefentry> з наступним <citerefentry> "
+"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
+"citerefentry> повертається до стану бездіяльності."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1444
+msgid "ldap_opt_timeout (integer)"
+msgstr "ldap_opt_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1447
+msgid ""
+"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
+"will abort if no response is received. Also controls the timeout when "
+"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
+"operation, password change extended operation and the StartTLS operation."
+msgstr ""
+"Визначає час очікування (у секундах), після завершення якого виклики до "
+"синхронних програмних інтерфейсів LDAP буде перервано, якщо не буде отримано "
+"відповіді. Також керує часом очікування під час обміну даними з KDC у "
+"випадку прив’язки SASL, часом очікування на дію з прив’язування LDAP, "
+"розширеної операції зі зміни пароля та дії StartTLS."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1462
+msgid "ldap_connection_expire_timeout (integer)"
+msgstr "ldap_connection_expire_timeout (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1465
+msgid ""
+"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
+"maintained. After this time, the connection will be re-established.
If used "
+"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
+"the TGT lifetime) will be used."
+msgstr ""
+"Визначає час очікування (у секундах), протягом якого підтримуватиметься "
+"з’єднання з сервером LDAP. По завершенню цього часу буде зроблено спробу "
+"повторно встановити з’єднання. У разі використання паралельно до SASL/GSSAPI "
+"буде використано перше за часом значення (це значення або значення строку "
+"дії TGT)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562
+msgid "Default: 900 (15 minutes)"
+msgstr "Типове значення: 900 (15 хвилин)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1479
+msgid "ldap_page_size (integer)"
+msgstr "ldap_page_size (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1482
+msgid ""
+"Specify the number of records to retrieve from LDAP in a single request. "
+"Some LDAP servers enforce a maximum limit per-request."
+msgstr ""
+"Визначити кількість записів, які слід отримати з LDAP у відповідь на один "
+"запит. На деяких серверах LDAP визначено обмеження максимальної кількості на "
+"один запит."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1487
+msgid "Default: 1000"
+msgstr "Типове значення: 1000"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1493
+msgid "ldap_disable_paging (boolean)"
+msgstr "ldap_disable_paging (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1496
+msgid ""
+"Disable the LDAP paging control.
This option should be used if the LDAP "
+"server reports that it supports the LDAP paging control in its RootDSE but "
+"it is not enabled or does not behave properly."
+msgstr ""
+"Вимикає контроль сторінок LDAP. Цим параметром слід скористатися, якщо "
+"сервер LDAP повідомляє про підтримку контролю сторінок LDAP у своєму "
+"RootDSE, але цю підтримку не увімкнено або вона не працює належним чином."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1502
+msgid ""
+"Example: OpenLDAP servers with the paging control module installed on the "
+"server but not enabled will report it in the RootDSE but be unable to use it."
+msgstr ""
+"Приклад: сервери OpenLDAP з модулем контролю сторінок, встановленим на "
+"сервері, але не увімкненим, повідомляють про підтримку у RootDSE, але цією "
+"підтримкою не можна скористатися."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1508
+msgid ""
+"Example: 389 DS has a bug where it can only support a one paging control at "
+"a time on a single connection. On busy clients, this can result in some "
+"requests being denied."
+msgstr ""
+"Приклад: 389 DS має ваду, пов’язану з тим, що здатен підтримувати лише один "
+"процес контролю сторінок для одного з’єднання. У разі значного навантаження "
+"це може призвести до відмови у виконанні запитів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1520
+msgid "ldap_disable_range_retrieval (boolean)"
+msgstr "ldap_disable_range_retrieval (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1523
+msgid "Disable Active Directory range retrieval."
+msgstr "Вимкнути отримання діапазону Active Directory."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1526
+msgid ""
+"Active Directory limits the number of members to be retrieved in a single "
+"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
+"group contains more members, the reply would include an AD-specific range "
+"extension. This option disables parsing of the range extension, therefore "
+"large groups will appear as having no members."
+msgstr ""
+"У Active Directory за допомогою правила MaxValRange (типове значення 1500 "
+"записів) обмежується кількість записів, які може бути отримано під час "
+"пошуку. Якщо у певній групі міститься більше записів учасників, до відповіді "
+"буде включено специфічне для AD розширення діапазону. За допомогою цього "
+"параметра можна вимкнути обробку розширення діапазону, отже великі групи "
+"буде представлено як такі, у яких немає учасників."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1541
+msgid "ldap_sasl_minssf (integer)"
+msgstr "ldap_sasl_minssf (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1544
+msgid ""
+"When communicating with an LDAP server using SASL, specify the minimum "
+"security level necessary to establish the connection. The values of this "
+"option are defined by OpenLDAP."
+msgstr ""
+"Під час обміну даними з сервером LDAP за допомогою SASL визначає мінімальний "
+"рівень захисту, потрібний для встановлення з’єднання. Значення цього "
+"параметра визначається OpenLDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1550
+msgid "Default: Use the system default (usually specified by ldap.conf)"
+msgstr ""
+"Типове значення: типове для системи значення (зазвичай, визначається у ldap."
+"conf)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1557
+msgid "ldap_deref_threshold (integer)"
+msgstr "ldap_deref_threshold (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1560
+msgid ""
+"Specify the number of group members that must be missing from the internal "
+"cache in order to trigger a dereference lookup. If less members are missing, "
+"they are looked up individually."
+msgstr ""
+"Вказує кількість учасників групи, записів яких має не вистачати у "
+"зовнішньому кеші для запуску загального пошуку з розіменуванням. Якщо "
+"пропущених записів буде менше за вказану кількість, пошук для них "
+"виконуватиметься окремо."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1566
+msgid ""
+"You can turn off dereference lookups completely by setting the value to 0."
+msgstr ""
+"Ви можете повністю вимкнути пошуки з отриманням значення об’єкта "
+"(розіменуванням), якщо вкажете значення 0."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1570
+msgid ""
+"A dereference lookup is a means of fetching all group members in a single "
+"LDAP call. Different LDAP servers may implement different dereference "
+"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
+"Directory."
+msgstr ""
+"Пошук з розіменуванням — це отримання всіх записів учасників групи за одним "
+"викликом LDAP. У різних серверах LDAP може бути передбачено різні способи "
+"розіменування. У поточній версії передбачено підтримку серверів 389/RHDS, "
+"OpenLDAP та Active Directory."
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1578
+msgid ""
+"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
+"filter, then the dereference lookup performance enhancement will be disabled "
+"regardless of this setting."
+msgstr ""
+"<emphasis>Зауваження:</emphasis> якщо у одній з основ пошуку визначається "
+"фільтр пошуку, покращення швидкодії фільтрів розіменування буде вимкнено, "
+"незалежно від використання цього параметра."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1591
+msgid "ldap_tls_reqcert (string)"
+msgstr "ldap_tls_reqcert (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1594
+msgid ""
+"Specifies what checks to perform on server certificates in a TLS session, if "
+"any. It can be specified as one of the following values:"
+msgstr ""
+"Визначає перелік перевірок, які слід виконати для сертифікатів серверів у "
+"сеансі TLS, якщо такі перевірки слід виконувати. Може бути визначено одне з "
+"таких значень:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1600
+msgid ""
+"<emphasis>never</emphasis> = The client will not request or check any server "
+"certificate."
+msgstr ""
+"<emphasis>never</emphasis> = клієнт не надсилатиме запиту і не перевірятиме "
+"жодних сертифікатів сервера."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1604
+msgid ""
+"<emphasis>allow</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, it will be ignored and the session proceeds normally."
+msgstr ""
+"<emphasis>allow</emphasis> = надіслати запит щодо сертифіката сервера. Якщо "
+"сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде "
+"надано помилковий сертифікат, ігнорувати і продовжити сеанс у звичайному "
+"режимі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1611
+msgid ""
+"<emphasis>try</emphasis> = The server certificate is requested. If no "
+"certificate is provided, the session proceeds normally. If a bad certificate "
+"is provided, the session is immediately terminated."
+msgstr ""
+"<emphasis>try</emphasis> = надіслати запит щодо сертифіката сервера. Якщо "
+"сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде "
+"надано помилковий сертифікат, негайно перервати сеанс."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1617
+msgid ""
+"<emphasis>demand</emphasis> = The server certificate is requested. If no "
+"certificate is provided, or a bad certificate is provided, the session is "
+"immediately terminated."
+msgstr ""
+"<emphasis>demand</emphasis> = надіслати запит щодо сертифіката сервера. Якщо "
+"сертифікат не буде надано або буде надано помилковий сертифікат, негайно "
+"перервати сеанс."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1623
+msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
+msgstr "<emphasis>hard</emphasis> = те саме, що і <quote>demand</quote>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1627
+msgid "Default: hard"
+msgstr "Типове значення: hard"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1633
+msgid "ldap_tls_cacert (string)"
+msgstr "ldap_tls_cacert (рядок)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1636
+msgid ""
+"Specifies the file that contains certificates for all of the Certificate "
+"Authorities that <command>sssd</command> will recognize."
+msgstr ""
+"Визначає файл, який містить сертифікати для всіх служб сертифікації, які "
+"розпізнаються <command>sssd</command>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
+msgid ""
+"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
+"conf</filename>"
+msgstr ""
+"Типове значення: використовувати типові параметри OpenLDAP, що зберігаються "
+"у <filename>/etc/openldap/ldap.conf</filename>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1648
+msgid "ldap_tls_cacertdir (string)"
+msgstr "ldap_tls_cacertdir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:1651
+msgid ""
+"Specifies the path of a directory that contains Certificate Authority "
+"certificates in separate individual files. Typically the file names need to "
+"be the hash of the certificate followed by '.0'. If available, "
+"<command>cacertdir_rehash</command> can be used to create the correct names."
+msgstr ""
+"Визначає шлях до каталогу, де у окремих файлах містяться сертифікати служб "
+"сертифікації (CA). Типовими назвами файлів є хеші сертифікатів з додаванням "
+"«.0». Для створення відповідних назв можна скористатися "
+"<command>cacertdir_rehash</command>, якщо ця програма є доступною."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:1666
+msgid "ldap_tls_cert (string)"
+msgstr "ldap_tls_cert (рядок)"
+
+#.
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "Визначає файл, який містить сертифікат для ключа клієнта." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "ldap_tls_key (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "Визначає файл, у якому міститься ключ клієнта." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "ldap_tls_cipher_suite (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" +"Визначає прийнятні комплекти програм для шифрування. Записи у типовому " +"списку слід відокремлювати комами. З форматом можна ознайомитися на сторінці " +"довідника до <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "ldap_id_use_start_tls (булеве значення)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" +"Визначає, що з’єднання id_provider має також використовувати <systemitem " +"class=\"protocol\">tls</systemitem> для захисту каналу." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "ldap_id_mapping (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" +"Визначає, що SSSD має намагатися встановити відповідність ідентифікаторів " +"користувача і групи на основі атрибутів ldap_user_objectsid та " +"ldap_group_objectsid, замість атрибутів ldap_user_uid_number та " +"ldap_group_gid_number." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" +"У поточній версії у цій можливості передбачено підтримку лише встановлення " +"відповідності objectSID у ActiveDirectory." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "ldap_min_id, ldap_max_id (ціле число)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" +"На відміну від прив’язування ідентифікаторів на основі SID, яке " +"використовується, якщо параметр ldap_id_mapping має значення true, діапазон " +"дозволених ідентифікаторів для ldap_user_uid_number і ldap_group_gid_number " +"є необмеженим. У конфігураціях з піддоменами та довіреними доменами це може " +"призвести до конфліктів ідентифікаторів. Щоб уникнути конфліктів, можна " +"встановити значення ldap_min_id і ldap_max_id для обмеження дозволеного " +"діапазону ідентифікаторів, які буде прочитано безпосередньо з сервера. Після " +"цього піддомени можуть вибирати інші діапазони для прив’язування " +"ідентифікаторів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" +"Типове значення: не встановлено (обидва параметри встановлено у значення 0)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "ldap_sasl_mech (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" +"Визначає механізм SASL, який слід використовувати. 
У поточній версії " +"перевірено і підтримується лише механізм GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "ldap_sasl_authid (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +#, fuzzy +#| msgid "" +#| "Specify the SASL authorization id to use. When GSSAPI is used, this " +#| "represents the Kerberos principal used for authentication to the " +#| "directory. This option can either contain the full principal (for " +#| "example host/myhost@EXAMPLE.COM) or just the principal name (for example " +#| "host/myhost)." +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" +"Визначає ідентифікатор уповноваження SASL, який слід використовувати. Якщо " +"використано GSSAPI, відповідає реєстраційному запису Kerberos, який " +"використовується для розпізнавання під час доступу до каталогу. У цьому " +"параметрів можуть зберігатися або реєстраційні дані повністю (наприклад host/" +"myhost@EXAMPLE.COM) або лише назва реєстраційного запису (наприклад host/" +"myhost)." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "Типове значення: вузол/назва_вузла@ОБЛАСТЬ" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "ldap_sasl_realm (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" +"Визначає область SASL, яку слід використовувати. Якщо не вказано значення, " +"типовим значенням цього параметра є значення krb5_realm. Якщо " +"ldap_sasl_authid також містить запис області, цей параметр буде " +"проігноровано." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "Типове значення: значення krb5_realm." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "ldap_sasl_canonicalize (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" +"Якщо встановлено значення true (1), бібліотека LDAP виконувати зворотній " +"пошук з метою переведення назв вузлів у канонічну форму під час прив’язки до " +"SASL." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "Типове значення: false;" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "ldap_krb5_keytab (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" +"Типове значення: системна таблиця ключів, зазвичай <filename>/etc/krb5." +"keytab</filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "ldap_krb5_init_creds (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" +"Визначає, що id_provider має ініціалізувати реєстраційні дані Kerberos " +"(TGT). Цю дію буде виконано, лише якщо використовується SASL і вибрано " +"механізм GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "ldap_krb5_ticket_lifetime (ціле число)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "Типове значення: 86400 (24 години)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "krb5_server, krb5_backup_server (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" +"Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів " +"Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути " +"впорядковано за пріоритетом. Докладніше про резервування та додаткові " +"сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може " +"бути додано номер порту (перед номером слід вписати двокрапку). Якщо " +"параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше " +"про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" +"Під час використання виявлення служб для серверів KDC або kpasswd SSSD " +"спочатку намагається знайти записи DNS, у яких визначається протокол _udp. " +"Використання протоколу _tcp відбувається, лише якщо таких записів не " +"вдасться знайти." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" +"У попередніх випусках SSSD цей параметр мав назву «krb5_kdcip». У поточній " +"версії передбачено розпізнавання цієї застарілої назви, але користувачам " +"варто перейти на використання «krb5_server» у файлах налаштувань." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "krb5_realm (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "Вказати область Kerberos (для розпізнавання за SASL/GSSAPI)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" +"Типове значення: типове значення системи, див. 
<filename>/etc/krb5.conf</" +"filename>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "krb5_canonicalize (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" +"Визначає, чи слід перетворювати реєстраційний запис вузла у канонічну форму " +"під час встановлення з’єднання з сервером LDAP. Цю можливість передбачено з " +"версії MIT Kerberos >= 1.7" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "krb5_use_kdcinfo (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" +"Визначає, чи слід SSSD вказувати бібліотекам Kerberos, яку область і які " +"значення KDC слід використовувати. Типово, дію параметра увімкнено. Якщо ви " +"вимкнете його, вам слід налаштувати бібліотеку Kerberos за допомогою файла " +"налаштувань <citerefentry> <refentrytitle>krb5.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" +"Див. сторінку підручника (man) <citerefentry> " +"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, щоб дізнатися більше про додаток пошуку." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "ldap_pwd_policy (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" +"Визначає правил оцінки строку дії пароля на боці клієнта. Можна " +"використовувати такі значення:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" +"<emphasis>none</emphasis> — не використовувати перевірки на боці клієнта. У " +"разі використання цього варіанта перевірку на боці сервера вимкнено не буде." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." 
+msgstr "" +"<emphasis>shadow</emphasis> — використовувати атрибути у стилі " +"<citerefentry><refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> для визначення того, чи чинним є пароль." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" +"<emphasis>mit_kerberos</emphasis> — використовувати атрибути MIT Kerberos " +"для визначення завершення строку дії пароля. У разі зміни пароля " +"скористайтеся chpass_provider=krb5 для оновлення цих атрибутів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" +"<emphasis>Зауваження</emphasis>: якщо правила поводження з паролями " +"налаштовано на боці сервера, ці правила мають пріоритет над правилами, " +"встановленими за допомогою цього параметра." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "ldap_referrals (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" +"Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" +"Зауважте, що sssd підтримує визначення напрямків, лише якщо систему зібрано " +"з версією OpenLDAP 2.4.13 або новішою версією." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" +"Перехід за спрямуваннями може призвести до значних втрат швидкодії у " +"середовищах, де такі спрямування використовуються широко. Прикладом такого " +"середовища може бути Microsoft Active Directory. Якщо у вашому середовищі " +"спрямування не є обов’язковими, встановлення для цього параметра значення " +"«false» може значно пришвидшити роботу." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "ldap_dns_service_name (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" +"Визначає назву служби, яку буде використано у разі вмикання визначення служб." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "Типове значення: ldap" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "ldap_chpass_dns_service_name (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" +"Визначає назву служби, яку буде використано для пошуку сервера LDAP, який " +"уможливлює зміну паролів, у разі вмикання визначення служб." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "Типове значення: не встановлено, тобто пошук служб вимкнено" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "ldap_chpass_update_last_change (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" +"Визначає, чи слід оновлювати атрибут ldap_user_shadow_last_change даними " +"щодо кількості днів з часу виконання дії зі зміни пароля." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "ldap_access_filter (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. 
It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" +"Якщо використовується access_provider = ldap та ldap_access_order = filter " +"(типова поведінка), цей параметр є обов’язковим. Він вказує критерії " +"фільтрування LDAP, яким має задовольняти запис користувача для надання " +"доступу до цього вузла. Якщо визначено access_provider = ldap та " +"ldap_access_order = filter, а цей параметр не встановлено, доступ буде " +"заборонено всім користувачам. Щоб змінити таку типову поведінку системи, " +"скористайтеся параметром access_provider = permit. Будь ласка, зауважте, що " +"цей фільтр застосовуватиметься лише до запису користувача LDAP, отже " +"фільтрування, засноване на вкладених групах може не працювати (наприклад, " +"атрибут memberOf для записів AD вказує лише на безпосередні батьківські " +"записи). Якщо вам потрібне фільтрування, засноване на вкладених групах, будь " +"ласка, скористайтеся параметром <citerefentry> <refentrytitle>sssd-simple</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "Приклад:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" +"У прикладі доступ до цього вузла обмежено користувачами, чий атрибут " +"employeeType встановлено у значення «admin»." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" +"Автономне кешування для цієї можливості обмежено визначенням того, чи було " +"надано користувачеві під час попередньої спроби увійти до системи з мережі " +"права доступу. Якщо під час останньої спроби увійти такі права було надано, " +"система продовжуватиме надавати права доступу у автономному режимі. Якщо ж " +"таких прав не було надано, у автономному режимі їх також не буде надано." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "Типове значення: порожній рядок" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "ldap_account_expire_policy (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" +"За допомогою цього параметра може бути увімкнено визначення атрибутів " +"керування доступом на боці клієнта." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" +"Будь ласка, зауважте, що завжди варто використовувати керування доступом на " +"боці сервера, тобто сервер LDAP має відмовляти у запитах щодо прив’язування " +"з відповідним кодом помилки, навіть якщо вказано правильний пароль." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "Можна використовувати такі значення:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" +"<emphasis>shadow</emphasis>: це значення ldap_user_shadow_expire допомагає " +"визначити, чи завершено строк дії облікового запису." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." 
+msgstr "" +"<emphasis>ad</emphasis>: скористатися значенням 32-бітового поля " +"ldap_user_ad_user_account_control і дозволити доступ, якщо другий біт має " +"нульове значення. Якщо атрибут не буде знайдено, доступ буде дозволено. " +"Також буде перевірено, чи не вичерпано строк дії облікового запису." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: використовувати для перевірки доступу значення " +"ldap_ns_account_lock." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" +"<emphasis>nds</emphasis>: для перевірки доступу використовувати значення " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled і " +"ldap_user_nds_login_expiration_time. Якщо не буде виявлено жодного з цих " +"атрибутів, надати доступ." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" +"Будь ласка, зауважте, що параметр налаштування ldap_access_order " +"<emphasis>має</emphasis> включати <quote>expire</quote>, щоб можна було " +"користуватися параметром ldap_account_expire_policy." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2164
+msgid "ldap_access_order (string)"
+msgstr "ldap_access_order (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2167
+msgid "Comma separated list of access control options. Allowed values are:"
+msgstr ""
+"Список відокремлених комами параметрів керування доступом. Можливі значення "
+"списку:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2171
+msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
+msgstr "<emphasis>filter</emphasis>: використовувати ldap_access_filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2174
+msgid ""
+"<emphasis>lockout</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. "
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work."
+msgstr ""
+"<emphasis>lockout</emphasis>: використовувати блокування облікових записів. "
+"Якщо встановлено, цей параметр забороняє доступ, якщо існує атрибут ldap "
+"«pwdAccountLockedTime» і його значенням є «000001010000Z». Будь ласка, "
+"ознайомтеся із документацією до параметра ldap_pwdlockout_dn. Зауважте, що "
+"для працездатності цієї можливості слід встановити «access_provider = ldap»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2184
+msgid ""
+"<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
+"quote> option and might be removed in a future release. 
</emphasis>"
+msgstr ""
+"<emphasis> Будь ласка, зауважте, що цей параметр має нижчий пріоритет за "
+"параметр «ppolicy», його може бути вилучено у наступних випусках. </"
+"emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2191
+msgid ""
+"<emphasis>ppolicy</emphasis>: use account locking. If set, this option "
+"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
+"and has value of '000001010000Z' or represents any time in the past. The "
+"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
+"denotes the UTC time zone. Other time zones are not currently supported and "
+"will result in \"access-denied\" when users attempt to log in. Please see "
+"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' "
+"must be set for this feature to work."
+msgstr ""
+"<emphasis>ppolicy</emphasis>: використовувати блокування облікових записів. "
+"Якщо встановлено, забороняє доступ у випадку наявності атрибута ldap "
+"«pwdAccountLockedTime» рівного «000001010000Z» або такого, що відповідає "
+"моменту часу у минулому. Значення атрибута «pwdAccountLockedTime» має "
+"завершуватися на «Z», що позначає часовий пояс UTC. Підтримки інших часових "
+"поясів у поточній версії не передбачено, їхнє використання призводитиме до "
+"появи повідомлення про заборону доступу, коли користувачі намагатимуться "
+"увійти до системи. Докладніший опис можна знайти у розділі щодо параметра "
+"ldap_pwdlockout_dn. Будь ласка, зауважте, що для працездатності цього "
+"параметра слід встановити значення «access_provider = ldap»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2208
+msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
+msgstr ""
+"<emphasis>expire</emphasis>: використовувати ldap_account_expire_policy"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2212
+msgid ""
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+"pwd_expire_policy_renew: </emphasis> These options are useful if users are "
+"interested in being warned that password is about to expire and "
+"authentication is based on using a different method than passwords - for "
+"example SSH keys."
+msgstr ""
+"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
+"pwd_expire_policy_renew: </emphasis> Ці параметри корисні, якщо користувачам "
+"потрібні попередження щодо скорого завершення строку дії пароля, і у "
+"випадках, коли розпізнавання засновано на відмінних від паролів методах, "
+"наприклад на ключах SSH."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2222
+msgid ""
+"The difference between these options is the action taken if user password is "
+"expired: pwd_expire_policy_reject - user is denied to log in, "
+"pwd_expire_policy_warn - user is still able to log in, "
+"pwd_expire_policy_renew - user is prompted to change his password "
+"immediately."
+msgstr ""
+"Відмінність між цими параметрами полягає у дії, яку буде виконано, якщо "
+"строк дії пароля вичерпано: pwd_expire_policy_reject — користувачеві буде "
+"заборонено вхід до системи, pwd_expire_policy_warn — користувач ще зможе "
+"увійти до системи, pwd_expire_policy_renew — система попросить користувача "
+"негайно змінити пароль."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2230
+msgid ""
+"Note If user password is expired no explicit message is prompted by SSSD."
+msgstr ""
+"Зауважте, що якщо строк дії пароля вичерпано, запит із явним повідомленням "
+"від SSSD не надходитиме."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2234
+msgid ""
+"Please note that 'access_provider = ldap' must be set for this feature to "
+"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
+msgstr ""
+"Будь ласка, зауважте, що для того, щоб цим можна було скористатися, слід "
+"встановити «access_provider = ldap». Крім того, слід встановити для "
+"параметра «ldap_pwd_policy» відповідні правила поводження із паролями."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2239
+msgid ""
+"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
+"to determine access"
+msgstr ""
+"<emphasis>authorized_service</emphasis>: використовувати для визначення "
+"можливості доступу атрибут authorizedService"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2244
+msgid "<emphasis>host</emphasis>: use the host attribute to determine access"
+msgstr ""
+"<emphasis>host</emphasis>: за допомогою цього атрибута вузла можна визначити "
+"права доступу"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2248
+msgid ""
+"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
+"remote host can access"
+msgstr ""
+"<emphasis>rhost</emphasis>: використовувати атрибут rhost для визначення "
+"того, чи матиме віддалений вузол доступ"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2252
+msgid ""
+"Please note, rhost field in pam is set by application, it is better to check "
+"what the application sends to pam, before enabling this access control option"
+msgstr ""
+"Будь ласка, зауважте, що значення поля rhost у pam встановлюється програмою. 
"
+"Варто перевірити, що програма надсилає pam, перш ніж вмикати цей варіант "
+"керування доступом."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2257
+msgid "Default: filter"
+msgstr "Типове значення: filter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2260
+msgid ""
+"Please note that it is a configuration error if a value is used more than "
+"once."
+msgstr ""
+"Зауважте, що програма повідомить про помилку, якщо одне значення було "
+"використано декілька разів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2267
+msgid "ldap_pwdlockout_dn (string)"
+msgstr "ldap_pwdlockout_dn (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2270
+msgid ""
+"This option specifies the DN of password policy entry on LDAP server. Please "
+"note that absence of this option in sssd.conf in case of enabled account "
+"lockout checking will yield access denied as ppolicy attributes on LDAP "
+"server cannot be checked properly."
+msgstr ""
+"За допомогою цього параметра визначається DN запису правил поводження із "
+"паролями на сервері LDAP. Будь ласка, зауважте, що те, що цього параметра не "
+"буде у sssd.conf, у випадку увімкненого блокування облікових записів "
+"призведе до заборони доступу, оскільки атрибути ppolicy на сервері LDAP не "
+"можна буде перевірити належним чином."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2278
+msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
+msgstr "Приклад: cn=ppolicy,ou=policies,dc=example,dc=com"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2281
+msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
+msgstr "Типове значення: cn=ppolicy,ou=policies,$ldap_search_base"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2287
+msgid "ldap_deref (string)"
+msgstr "ldap_deref (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2290
+msgid ""
+"Specifies how alias dereferencing is done when performing a search. The "
+"following options are allowed:"
+msgstr ""
+"Визначає спосіб виконання розіменовування псевдонімів під час виконання "
+"пошуку. Можливі такі варіанти:"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2295
+msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
+msgstr ""
+"<emphasis>never</emphasis>: ніколи не виконувати розіменування псевдонімів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2299
+msgid ""
+"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
+"the base object, but not in locating the base object of the search."
+msgstr ""
+"<emphasis>searching</emphasis>: розіменування псевдонімів відбувається у "
+"межах основного об’єкта, а не на основі визначення місця основного об’єкта "
+"пошуку."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2304
+msgid ""
+"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
+"the base object of the search."
+msgstr ""
+"<emphasis>finding</emphasis>: розіменування псевдонімів відбувається лише "
+"під час визначення місця основного об’єкта пошуку."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2309
+msgid ""
+"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
+"in locating the base object of the search."
+msgstr ""
+"<emphasis>always</emphasis>: розіменування псевдонімів відбувається як під "
+"час пошуку, так і під час визначення місця основного об’єкта пошуку."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2314
+msgid ""
+"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
+"client libraries)"
+msgstr ""
+"Типове значення: не встановлено (обробка бібліотеками LDAP клієнта за "
+"сценарієм <emphasis>never</emphasis>)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2322
+msgid "ldap_rfc2307_fallback_to_local_users (boolean)"
+msgstr "ldap_rfc2307_fallback_to_local_users (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2325
+msgid ""
+"Allows to retain local users as members of an LDAP group for servers that "
+"use the RFC2307 schema."
+msgstr ""
+"Надає змогу зберігати локальних користувачів як учасників групи LDAP для "
+"серверів, у яких використовується схема RFC2307."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2329
+msgid ""
+"In some environments where the RFC2307 schema is used, local users are made "
+"members of LDAP groups by adding their names to the memberUid attribute. "
+"The self-consistency of the domain is compromised when this is done, so SSSD "
+"would normally remove the \"missing\" users from the cached group "
+"memberships as soon as nsswitch tries to fetch information about the user "
+"via getpw*() or initgroups() calls."
+msgstr ""
+"У деяких середовищах, де використовується схема RFC2307, локальних "
+"користувачів можна зробити учасниками груп LDAP додаванням імен цих "
+"користувачів до атрибута memberUid. Узгодженість домену може бути "
+"скомпрометовано, якщо буде виконано подібне додавання учасника, тому SSSD за "
+"звичайних умов вилучає записи користувачів, яких «не вистачає», з кешованих "
+"даних щодо участі у групах, щойно nsswitch спробує отримати дані щодо "
+"користувачів за допомогою виклику getpw*() або initgroups()."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2340
+msgid ""
+"This option falls back to checking if local users are referenced, and caches "
+"them so that later initgroups() calls will augment the local users with the "
+"additional LDAP groups."
+msgstr ""
+"У разі використання цього параметра програма повертається до перевірки "
+"посилань на локальних користувачів і кешує їх так, що наступні виклики "
+"initgroups() розширюватимуть список локальних користувачів додатковими "
+"групами LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136
+msgid "wildcard_limit (integer)"
+msgstr "wildcard_limit (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2355
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup."
+msgstr ""
+"Визначає верхню межу для кількості записів, які отримуватимуться під час "
+"пошуку з використанням символів-замінників."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2359
+msgid "At the moment, only the InfoPipe responder supports wildcard lookups."
+msgstr ""
+"У поточній версії пошук із використанням символів-замінників передбачено "
+"лише для відповідача InfoPipe."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2363
+msgid "Default: 1000 (often the size of one page)"
+msgstr "Типове значення: 1000 (часто розмір однієї сторінки)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:51
+msgid ""
+"All of the common configuration options that apply to SSSD domains also "
+"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for full details. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Всі загальні параметри налаштування, які стосуються доменів SSSD, також "
+"стосуються і доменів LDAP. Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки "
+"підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися більше. "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2373
+msgid "SUDO OPTIONS"
+msgstr "ПАРАМЕТРИ SUDO"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2375
+msgid ""
+"The detailed instructions for configuration of sudo_provider are in the "
+"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Докладні настанов щодо налаштовування sudo_provider можна знайти на сторінці "
+"довідника (man) <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2386
+msgid "ldap_sudorule_object_class (string)"
+msgstr "ldap_sudorule_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2389
+msgid "The object class of a sudo rule entry in LDAP."
+msgstr "Клас об’єктів запису правила sudo у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2392
+msgid "Default: sudoRole"
+msgstr "Типове значення: sudoRole"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2398
+msgid "ldap_sudorule_name (string)"
+msgstr "ldap_sudorule_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2401
+msgid "The LDAP attribute that corresponds to the sudo rule name."
+msgstr "Атрибут LDAP, що відповідає назві правила sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2411
+msgid "ldap_sudorule_command (string)"
+msgstr "ldap_sudorule_command (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2414
+msgid "The LDAP attribute that corresponds to the command name."
+msgstr "Атрибут LDAP, що відповідає назві команди."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2418
+msgid "Default: sudoCommand"
+msgstr "Типове значення: sudoCommand"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2424
+msgid "ldap_sudorule_host (string)"
+msgstr "ldap_sudorule_host (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2427
+msgid ""
+"The LDAP attribute that corresponds to the host name (or host IP address, "
+"host IP network, or host netgroup)"
+msgstr ""
+"Атрибут LDAP, який відповідає назві вузла (або IP-адресі вузла, IP-мережі "
+"вузла, мережевій групі вузла)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2432
+msgid "Default: sudoHost"
+msgstr "Типове значення: sudoHost"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2438
+msgid "ldap_sudorule_user (string)"
+msgstr "ldap_sudorule_user (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2441
+msgid ""
+"The LDAP attribute that corresponds to the user name (or UID, group name or "
+"user's netgroup)"
+msgstr ""
+"Атрибут LDAP, що відповідає назві імені користувача (або UID, назві групи "
+"або назві мережевої групи користувача)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2445
+msgid "Default: sudoUser"
+msgstr "Типове значення: sudoUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2451
+msgid "ldap_sudorule_option (string)"
+msgstr "ldap_sudorule_option (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2454
+msgid "The LDAP attribute that corresponds to the sudo options."
+msgstr "Атрибут LDAP, що відповідає параметрам sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2458
+msgid "Default: sudoOption"
+msgstr "Типове значення: sudoOption"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2464
+msgid "ldap_sudorule_runasuser (string)"
+msgstr "ldap_sudorule_runasuser (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2467
+msgid ""
+"The LDAP attribute that corresponds to the user name that commands may be "
+"run as."
+msgstr ""
+"Атрибут LDAP, що відповідає користувачеві, від імені якого можна виконувати "
+"команди."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2471
+msgid "Default: sudoRunAsUser"
+msgstr "Типове значення: sudoRunAsUser"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2477
+msgid "ldap_sudorule_runasgroup (string)"
+msgstr "ldap_sudorule_runasgroup (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2480
+msgid ""
+"The LDAP attribute that corresponds to the group name or group GID that "
+"commands may be run as."
+msgstr ""
+"Атрибут LDAP, що відповідає назві групи або GID, від імені якої можна "
+"виконувати команди."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2484
+msgid "Default: sudoRunAsGroup"
+msgstr "Типове значення: sudoRunAsGroup"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2490
+msgid "ldap_sudorule_notbefore (string)"
+msgstr "ldap_sudorule_notbefore (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2493
+msgid ""
+"The LDAP attribute that corresponds to the start date/time for when the sudo "
+"rule is valid."
+msgstr ""
+"Атрибут LDAP, що відповідає даті і часу набуття чинності правилом sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2497
+msgid "Default: sudoNotBefore"
+msgstr "Типове значення: sudoNotBefore"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2503
+msgid "ldap_sudorule_notafter (string)"
+msgstr "ldap_sudorule_notafter (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2506
+msgid ""
+"The LDAP attribute that corresponds to the expiration date/time, after which "
+"the sudo rule will no longer be valid."
+msgstr "Атрибут LDAP, що відповідає даті і часу втрати чинності правилом sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2511
+msgid "Default: sudoNotAfter"
+msgstr "Типове значення: sudoNotAfter"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2517
+msgid "ldap_sudorule_order (string)"
+msgstr "ldap_sudorule_order (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2520
+msgid "The LDAP attribute that corresponds to the ordering index of the rule."
+msgstr "Атрибут LDAP, що відповідає порядковому номеру правила."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2524
+msgid "Default: sudoOrder"
+msgstr "Типове значення: sudoOrder"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2530
+msgid "ldap_sudo_full_refresh_interval (integer)"
+msgstr "ldap_sudo_full_refresh_interval (ціле число)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2533
+msgid ""
+"How many seconds SSSD will wait between executing a full refresh of sudo "
+"rules (which downloads all rules that are stored on the server)."
+msgstr ""
+"Проміжок часу у секундах між послідовними повними оновленнями правил sudo "
+"SSSD у автоматичному режимі. Під час таких оновлень буде отримано повний "
+"набір правил, що зберігаються на сервері."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2538
+msgid ""
+"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
+"emphasis>"
+msgstr ""
+"Це значення має перевищувати значення "
+"<emphasis>ldap_sudo_smart_refresh_interval </emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2543
+msgid "Default: 21600 (6 hours)"
+msgstr "Типове значення: 21600 (6 годин)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2549
+msgid "ldap_sudo_smart_refresh_interval (integer)"
+msgstr "ldap_sudo_smart_refresh_interval (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2552
+msgid ""
+"How many seconds SSSD has to wait before executing a smart refresh of sudo "
+"rules (which downloads all rules that have USN higher than the highest USN "
+"of cached rules)."
+msgstr ""
+"Проміжок часу у секундах між послідовними кмітливими оновленнями правил sudo "
+"SSSD у автоматичному режимі. Під час таких оновлень буде отримано всі дані "
+"правил, USN яких перевищує найбільше значення USN у кешованих правилах."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2558
+msgid ""
+"If USN attributes are not supported by the server, the modifyTimestamp "
+"attribute is used instead."
+msgstr ""
+"Якщо підтримки атрибутів USN на сервері не передбачено, буде використано "
+"дані атрибута modifyTimestamp."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2568
+msgid "ldap_sudo_use_host_filter (boolean)"
+msgstr "ldap_sudo_use_host_filter (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2571
+msgid ""
+"If true, SSSD will download only rules that are applicable to this machine "
+"(using the IPv4 or IPv6 host/network addresses and hostnames)."
+msgstr ""
+"Якщо визначено значення true, SSSD отримуватиме лише правила, що стосуються "
+"цього комп’ютера (на основі адрес вузла або мережі у форматах IPv4 і IPv6 та "
+"назв вузлів)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2582
+msgid "ldap_sudo_hostnames (string)"
+msgstr "ldap_sudo_hostnames (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2585
+msgid ""
+"Space separated list of hostnames or fully qualified domain names that "
+"should be used to filter the rules."
+msgstr ""
+"Список назв вузлів або повних доменних назв, відокремлених пробілами, для "
+"фільтрування списку правил."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2590
+msgid ""
+"If this option is empty, SSSD will try to discover the hostname and the "
+"fully qualified domain name automatically."
+msgstr ""
+"Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити "
+"назву вузла та повну назву комп’ютера у домені у автоматичному режимі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636
+#: sssd-ldap.5.xml:2654
+msgid ""
+"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
+"emphasis> then this option has no effect."
+msgstr ""
+"Якщо для <emphasis>ldap_sudo_use_host_filter</emphasis> встановлено значення "
+"<emphasis>false</emphasis>, цей параметр ні на що не впливатиме."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623
+msgid "Default: not specified"
+msgstr "Типове значення: не вказано"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2606
+msgid "ldap_sudo_ip (string)"
+msgstr "ldap_sudo_ip (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2609
+msgid ""
+"Space separated list of IPv4 or IPv6 host/network addresses that should be "
+"used to filter the rules."
+msgstr ""
+"Список адрес вузлів або мереж у форматах IPv4 і IPv6 для фільтрування списку "
+"правил."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2614
+msgid ""
+"If this option is empty, SSSD will try to discover the addresses "
+"automatically."
+msgstr ""
+"Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити "
+"адресу у автоматичному режимі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2629
+msgid "ldap_sudo_include_netgroups (boolean)"
+msgstr "ldap_sudo_include_netgroups (булеве значення)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2632
+msgid ""
+"If true then SSSD will download every rule that contains a netgroup in "
+"sudoHost attribute."
+msgstr ""
+"Якщо вказано значення true, SSSD отримуватиме всі правила, що містять "
+"мережеву групу (netgroup) у атрибуті sudoHost."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2647
+msgid "ldap_sudo_include_regexp (boolean)"
+msgstr "ldap_sudo_include_regexp (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2650
+msgid ""
+"If true then SSSD will download every rule that contains a wildcard in "
+"sudoHost attribute."
+msgstr ""
+"Якщо вказано значення true, SSSD отримуватиме всі правила, що містять шаблон "
+"заміни у атрибуті sudoHost."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2666
+msgid ""
+"This manual page only describes attribute name mapping. For detailed "
+"explanation of sudo related attribute semantics, see <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+"На цій сторінці довідника наведено дані щодо відповідності назв атрибутів. "
+"Докладний опис семантики атрибутів, пов’язаних з sudo, можна знайти у "
+"довідці з <citerefentry> <refentrytitle>sudoers.ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2676
+msgid "AUTOFS OPTIONS"
+msgstr "ПАРАМЕТРИ AUTOFS"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2678
+msgid ""
+"Some of the defaults for the parameters below are dependent on the LDAP "
+"schema."
+msgstr ""
+"Деякі типові значення параметрів, описаних нижче, залежать від бази даних "
+"LDAP."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2684
+msgid "ldap_autofs_map_master_name (string)"
+msgstr "ldap_autofs_map_master_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2687
+msgid "The name of the automount master map in LDAP."
+msgstr "Назва основної карти автоматичного монтування у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2690
+msgid "Default: auto.master"
+msgstr "Типове значення: auto.master"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2697
+msgid "ldap_autofs_map_object_class (string)"
+msgstr "ldap_autofs_map_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2700
+msgid "The object class of an automount map entry in LDAP."
+msgstr "Клас об’єктів запису карти автоматичного монтування у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2703
+msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
+msgstr ""
+"Типове значення: nisMap (rfc2307, autofs_provider=ad), у інших випадках "
+"automountMap"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2711
+msgid "ldap_autofs_map_name (string)"
+msgstr "ldap_autofs_map_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2714
+msgid "The name of an automount map entry in LDAP."
+msgstr "Назва запису карти автоматичного монтування у LDAP."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2717
+msgid ""
+"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
+msgstr ""
+"Типове значення: nisMapName (rfc2307, autofs_provider=ad), у інших випадках "
+"automountMapName"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2725
+msgid "ldap_autofs_entry_object_class (string)"
+msgstr "ldap_autofs_entry_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2728
+msgid ""
+"The object class of an automount entry in LDAP. The entry usually "
+"corresponds to a mount point."
+msgstr ""
+"Клас об'єктів автоматичного монтування LDAP. Цей запис зазвичай відповідає "
+"точні монтування."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2733
+msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
+msgstr ""
+"Типове значення: nisObject (rfc2307, autofs_provider=ad), у інших випадках "
+"automount"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2741
+msgid "ldap_autofs_entry_key (string)"
+msgstr "ldap_autofs_entry_key (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759
+msgid ""
+"The key of an automount entry in LDAP. The entry usually corresponds to a "
+"mount point."
+msgstr ""
+"Ключ запису автоматичного монтування LDAP. Цей запис зазвичай відповідає "
+"точні монтування."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2748
+msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
+msgstr ""
+"Типове значення: cn (rfc2307, autofs_provider=ad), у інших випадках "
+"automountKey"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2756
+msgid "ldap_autofs_entry_value (string)"
+msgstr "ldap_autofs_entry_value (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ldap.5.xml:2763
+msgid ""
+"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
+"automountInformation"
+msgstr ""
+"Типове значення: nisMapEntry (rfc2307, autofs_provider=ad), у інших випадках "
+"automountInformation"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2682
+msgid ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+msgstr ""
+"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
+"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
+"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2774
+msgid "ADVANCED OPTIONS"
+msgstr "ДОДАТКОВІ ПАРАМЕТРИ"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2781
+msgid "ldap_netgroup_search_base (string)"
+msgstr "ldap_netgroup_search_base (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2786
+msgid "ldap_user_search_base (string)"
+msgstr "ldap_user_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2791
+msgid "ldap_group_search_base (string)"
+msgstr "ldap_group_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
+#: sssd-ldap.5.xml:2796
+msgid "<note>"
+msgstr "<note>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
+#: sssd-ldap.5.xml:2798
+msgid ""
+"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
+"against Active Directory will not be restricted and return all groups "
+"memberships, even with no GID mapping. It is recommended to disable this "
+"feature, if group names are not being displayed correctly."
+msgstr ""
+"Якщо увімкнено параметр <quote>ldap_use_tokengroups</quote>, пошуки в Active "
+"Directory не буде обмежено — він повертатиме усі дані щодо участі у групах, "
+"навіть без прив'язки до GID. Рекомендуємо вимкнути цю можливість, якщо назви "
+"груп показуються неправильно."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist>
+#: sssd-ldap.5.xml:2805
+msgid "</note>"
+msgstr "</note>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2807
+msgid "ldap_sudo_search_base (string)"
+msgstr "ldap_sudo_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ldap.5.xml:2812
+msgid "ldap_autofs_search_base (string)"
+msgstr "ldap_autofs_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2776
+msgid ""
+"These options are supported by LDAP domains, but they should be used with "
+"caution. 
Please include them in your configuration only if you know what you "
+"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
+"\"variablelist\" id=\"1\"/>"
+msgstr ""
+"Підтримку цих параметрів передбачено доменами LDAP, але користуватися ними "
+"слід обережно. Будь ласка, використовуйте їх у налаштуваннях, лише якщо вам "
+"відомі наслідки ваших дій. <placeholder type=\"variablelist\" id=\"0\"/> "
+"<placeholder type=\"variablelist\" id=\"1\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828
+#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
+#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144
+msgid "EXAMPLE"
+msgstr "ПРИКЛАД"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2829
+msgid ""
+"The following example assumes that SSSD is correctly configured and LDAP is "
+"set to one of the domains in the <replaceable>[domains]</replaceable> "
+"section."
+msgstr ""
+"У наведеному нижче прикладі припускається, що SSSD налаштовано належним "
+"чином, а LDAP встановлено на один з доменів з розділу "
+"<replaceable>[domains]</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2835
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+
+#. 
type: Content of: <refsect1><refsect2><para>
+#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139
+#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
+#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150
+#: include/ldap_id_mapping.xml:105
+msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr "<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2846
+msgid "LDAP ACCESS FILTER EXAMPLE"
+msgstr "ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2848
+msgid ""
+"The following example assumes that SSSD is correctly configured and to use "
+"the ldap_access_order=lockout."
+msgstr ""
+"У наведеному нижче прикладі припускається, що SSSD налаштовано належним "
+"чином і використано ldap_access_order=lockout."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ldap.5.xml:2853
+#, no-wrap
+msgid ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+msgstr ""
+"[domain/LDAP]\n"
+"id_provider = ldap\n"
+"auth_provider = ldap\n"
+"access_provider = ldap\n"
+"ldap_access_order = lockout\n"
+"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
+"ldap_uri = ldap://ldap.mydomain.org\n"
+"ldap_search_base = dc=mydomain,dc=org\n"
+"ldap_tls_reqcert = demand\n"
+"cache_credentials = true\n"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
+#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163
+msgid "NOTES"
+msgstr "ЗАУВАЖЕННЯ"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ldap.5.xml:2870
+msgid ""
+"The descriptions of some of the configuration options in this manual page "
+"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
+"distribution."
+msgstr ""
+"Описи деяких з параметрів налаштування на цій сторінці підручника засновано "
+"на даних сторінки підручника (man) <citerefentry> <refentrytitle>ldap.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> з пакунка OpenLDAP "
+"2.4."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: pam_sss.8.xml:11 pam_sss.8.xml:16
+msgid "pam_sss"
+msgstr "pam_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: pam_sss.8.xml:17
+msgid "PAM module for SSSD"
+msgstr "модуль PAM для SSSD"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: pam_sss.8.xml:22
+msgid ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+msgstr ""
+"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
+"replaceable> </arg> <arg 
choice='opt'> <replaceable>use_authtok</"
+"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
+"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
+"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:58
+msgid ""
+"<command>pam_sss.so</command> is the PAM interface to the System Security "
+"Services daemon (SSSD). Errors and results are logged through "
+"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
+msgstr ""
+"<command>pam_sss.so</command> — інтерфейс PAM до System Security Services "
+"daemon (SSSD). Помилки та результати роботи записуються за допомогою "
+"<command>syslog(3)</command> до запису LOG_AUTHPRIV."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:68
+msgid "<option>quiet</option>"
+msgstr "<option>quiet</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:71
+msgid "Suppress log messages for unknown users."
+msgstr "Не показувати у журналі повідомлень для невідомих користувачів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:76
+msgid "<option>forward_pass</option>"
+msgstr "<option>forward_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:79
+msgid ""
+"If <option>forward_pass</option> is set the entered password is put on the "
+"stack for other PAM modules to use."
+msgstr ""
+"Якщо встановлено значення <option>forward_pass</option>, введений пароль "
+"буде збережено у стосі паролів для використання іншими модулями PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:86
+msgid "<option>use_first_pass</option>"
+msgstr "<option>use_first_pass</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:89
+msgid ""
+"The argument use_first_pass forces the module to use a previous stacked "
+"modules password and will never prompt the user - if no password is "
+"available or the password is not appropriate, the user will be denied access."
+msgstr ""
+"Використання аргументу use_first_pass примушує модуль до використання пароля "
+"з модулів попереднього рівня. Ніяких запитів до користувача не "
+"надсилатиметься, — якщо пароль не буде виявлено або пароль виявиться "
+"непридатним, доступ користувачеві буде заборонено."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:97
+msgid "<option>use_authtok</option>"
+msgstr "<option>use_authtok</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:100
+msgid ""
+"When password changing enforce the module to set the new password to the one "
+"provided by a previously stacked password module."
+msgstr ""
+"Визначає ситуацію, коли зміна пароля примушує модуль встановлювати новий "
+"пароль на основі пароля, наданого попереднім модулем обробки паролів зі "
+"стосу модулів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:107
+msgid "<option>retry=N</option>"
+msgstr "<option>retry=N</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:110
+msgid ""
+"If specified the user is asked another N times for a password if "
+"authentication fails. Default is 0."
+msgstr ""
+"Якщо вказано, користувача запитуватимуть про пароль ще N разів, якщо перший "
+"раз розпізнавання зазнає невдачі. Типовим значенням є 0."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:112
+msgid ""
+"Please note that this option might not work as expected if the application "
+"calling PAM handles the user dialog on its own. A typical example is "
+"<command>sshd</command> with <option>PasswordAuthentication</option>."
+msgstr ""
+"Будь ласка, зауважте, що цей параметр може працювати не так, як очікується, "
+"якщо програма, яка викликає PAM, має власний обробник діалогових вікон "
+"взаємодії з користувачем. Типовим прикладом є <command>sshd</command> з "
+"<option>PasswordAuthentication</option>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:121
+msgid "<option>ignore_unknown_user</option>"
+msgstr "<option>ignore_unknown_user</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:124
+msgid ""
+"If this option is specified and the user does not exist, the PAM module will "
+"return PAM_IGNORE. This causes the PAM framework to ignore this module."
+msgstr ""
+"Якщо вказано цей параметр і облікового запису не існує, модуль PAM поверне "
+"PAM_IGNORE. Це призводить до ігнорування цього модуля оболонкою PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:131
+msgid "<option>ignore_authinfo_unavail</option>"
+msgstr "<option>ignore_authinfo_unavail</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:135
+msgid ""
+"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
+"the SSSD daemon. This causes the PAM framework to ignore this module."
+msgstr ""
+"Визначає, що модуль PAM має повертати PAM_IGNORE, якщо не вдається "
+"встановити зв’язок із фоновою службою SSSD. У результаті набір інструментів "
+"PAM ігнорує цей модуль."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:142
+msgid "<option>domains</option>"
+msgstr "<option>domains</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:146
+msgid ""
+"Allows the administrator to restrict the domains a particular PAM service is "
+"allowed to authenticate against. The format is a comma-separated list of "
+"SSSD domain names, as specified in the sssd.conf file."
+msgstr ""
+"Надає змогу адміністратору обмежити домен певною службою PAM, за допомогою "
+"якої можна буде виконувати розпізнавання. Формат значення: список назв "
+"доменів SSSD, відокремлених комами, так, як їх вказано у файлі sssd.conf."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:152
+msgid ""
+"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
+"and <quote>pam_public_domains</quote> options. Please see the "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for more information on these two PAM "
+"responder options."
+msgstr ""
+"Зауваження: слід використовувати разом із параметрами «pam_trusted_users» і "
+"«pam_public_domains». 
Будь ласка, ознайомтеся із сторінкою підручника "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, щоб дізнатися більше про ці два параметри "
+"відповідача PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:166
+msgid "<option>allow_missing_name</option>"
+msgstr "<option>allow_missing_name</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:170
+msgid ""
+"The main purpose of this option is to let SSSD determine the user name based "
+"on additional information, e.g. the certificate from a Smartcard."
+msgstr ""
+"Основним призначенням цього параметра є надання SSSD змоги визначати ім'я "
+"користувача на основі додаткових даних, наприклад сертифіката зі смарткартки."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: pam_sss.8.xml:180
+#, no-wrap
+msgid ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+msgstr ""
+"auth sufficient pam_sss.so allow_missing_name\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:175
+msgid ""
+"The current use case are login managers which can monitor a Smartcard reader "
+"for card events. In case a Smartcard is inserted the login manager will call "
+"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
+"id=\"0\"/> In this case SSSD will try to determine the user name based on "
+"the content of the Smartcard, returns it to pam_sss which will finally put "
+"it on the PAM stack."
+msgstr ""
+"Поточним основним призначенням є засоби керування входом до системи, які "
+"можуть спостерігати за подіями обробки карток на засобі читання смарткарток. 
"
+"Щойно буде вставлено смарткартку, засіб керування входом до системи викличе "
+"стос PAM, до якого включено рядок, подібний до <placeholder type="
+"\"programlisting\" id=\"0\"/> Якщо SSSD спробує визначити ім'я користувача "
+"на основі вмісту смарткартки, повертає його до pam_sss, який, нарешті, "
+"передасть його стосу PAM."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: pam_sss.8.xml:190
+msgid "<option>prompt_always</option>"
+msgstr "<option>prompt_always</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: pam_sss.8.xml:194
+msgid ""
+"Always prompt the user for credentials. With this option credentials "
+"requested by other PAM modules, typically a password, will be ignored and "
+"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
+"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
+"credentials."
+msgstr ""
+"Завжди запитувати у користувача реєстраційні дані. Якщо використано цей "
+"параметр, реєстраційні дані, запит на які надійшов від інших модулів PAM, "
+"типово, пароль, буде проігноровано, а pam_sss надсилатиме запит щодо "
+"реєстраційних даних знову. На основі відповіді на попереднє розпізнавання "
+"від SSSD pam_sss може надіслати запит щодо пароля, пін-коду смарткартки або "
+"інших реєстраційних даних."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:207
+msgid "MODULE TYPES PROVIDED"
+msgstr "ПЕРЕДБАЧЕНІ ТИПИ МОДУЛІВ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:208
+msgid ""
+"All module types (<option>account</option>, <option>auth</option>, "
+"<option>password</option> and <option>session</option>) are provided."
+msgstr ""
+"Передбачено всі типи модулів (<option>account</option>, <option>auth</"
+"option>, <option>password</option> і <option>session</option>)."
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: pam_sss.8.xml:214
+msgid "FILES"
+msgstr "ФАЙЛИ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:215
+msgid ""
+"If a password reset by root fails, because the corresponding SSSD provider "
+"does not support password resets, an individual message can be displayed. "
+"This message can e.g. contain instructions about how to reset a password."
+msgstr ""
+"Якщо спроба скидання пароля від імені адміністративного користувача (root) "
+"зазнає невдачі, оскільки у відповідному засобі обробки SSSD не передбачено "
+"скидання паролів, може бути показано певне повідомлення. У цьому "
+"повідомленні, наприклад, можуть міститися настанови щодо скидання пароля."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:220
+msgid ""
+"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
+"filename> where LOC stands for a locale string returned by <citerefentry> "
+"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
+"citerefentry>. If there is no matching file the content of "
+"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
+"the owner of the files and only root may have read and write permissions "
+"while all other users must have only read permissions."
+msgstr ""
+"Текст повідомлення буде прочитано з файла <filename>pam_sss_pw_reset_message."
+"LOC</filename>, де «LOC» — рядок локалі у форматі, повернутому "
+"<citerefentry> <refentrytitle>setlocale</refentrytitle><manvolnum>3</"
+"manvolnum> </citerefentry>. Якщо відповідного файла знайдено не буде, буде "
+"показано вміст файла <filename>pam_sss_pw_reset_message.txt</filename>. "
+"Власником файлів має бути адміністративний користувач (root). Доступ до "
+"запису файлів також повинен мати лише адміністративний користувач. Всім "
+"іншим користувачам може бути надано лише право читання файлів."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: pam_sss.8.xml:230
+msgid ""
+"These files are searched in the directory <filename>/etc/sssd/customize/"
+"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
+"displayed."
+msgstr ""
+"Пошук цих файлів виконуватиметься у каталозі <filename>/etc/sssd/customize/"
+"НАЗВА_ДОМЕНУ/</filename>. Якщо відповідний файл не буде знайдено, буде "
+"показано типове повідомлення."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
+msgid "sssd_krb5_locator_plugin"
+msgstr "sssd_krb5_locator_plugin"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd_krb5_locator_plugin.8.xml:16
+msgid "Kerberos locator plugin"
+msgstr "Додаток локатора Kerberos"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:22
+msgid ""
+"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
+"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
+"libraries what Realm and which KDC to use. Typically this is done in "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> which is always read by the Kerberos libraries. 
"
+"To simplify the configuration the Realm and the KDC can be defined in "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> as described in <citerefentry> "
+"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>"
+msgstr ""
+"Додаток пошуку Kerberos <command>sssd_krb5_locator_plugin</command> "
+"використовується засобом обробки Kerberos <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"для сповіщення бібліотек Kerberos яку область і KDC слід використовувати. "
+"Типово, таке сповіщення виконується за допомогою <citerefentry> "
+"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>, файла, читання якого завжди виконується бібліотеками "
+"Kerberos. Щоб спростити налаштування, область та KDC можна визначити у "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> у спосіб, описаний на сторінці довідки "
+"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:48
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> puts the Realm and the name or IP address of the KDC into "
+"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
+"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
+"libraries it reads and evaluates these variables and returns them to the "
+"libraries."
+msgstr ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry> зберігає область і назву або IP-адресу KDC у змінних "
+"середовища SSSD_KRB5_REALM і SSSD_KRB5_KDC, відповідно. 
Якщо програма "
+"<command>sssd_krb5_locator_plugin</command> викликається бібліотеками "
+"kerberos, ця програма читає і визначає ці змінні і повертає їхні значення "
+"бібліотекам."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:63
+msgid ""
+"Not all Kerberos implementations support the use of plugins. If "
+"<command>sssd_krb5_locator_plugin</command> is not available on your system "
+"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
+msgstr ""
+"Підтримку використання додатків передбачено не у всіх реалізаціях Kerberos. "
+"Якщо у вашій системі немає <command>sssd_krb5_locator_plugin</command>, вам "
+"слід внести зміни до /etc/krb5.conf, які відповідатимуть вашій версії "
+"Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:69
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
+"debug messages will be sent to stderr."
+msgstr ""
+"Якщо встановлено будь-яке значення змінної середовища "
+"SSSD_KRB5_LOCATOR_DEBUG, діагностичні повідомлення надсилатимуться до stderr."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd_krb5_locator_plugin.8.xml:73
+msgid ""
+"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
+"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
+"caller."
+msgstr ""
+"Якщо встановлено будь-яке значення для змінної середовища "
+"SSSD_KRB5_LOCATOR_DISABLE, додаток буде вимкнено і поверне функції виклику "
+"лише KRB5_PLUGIN_NO_HANDLE."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
+msgid "sssd-simple"
+msgstr "sssd-simple"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-simple.5.xml:17
+msgid "the configuration file for SSSD's 'simple' access-control provider"
+msgstr "файл налаштувань інструмента керування доступом «simple» SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:24
+msgid ""
+"This manual page describes the configuration of the simple access-control "
+"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
+"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> manual page."
+msgstr ""
+"На цій сторінці довідника описано налаштування простого засобу керування "
+"доступом для <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис "
+"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:38
+msgid ""
+"The simple access provider grants or denies access based on an access or "
+"deny list of user or group names. The following rules apply:"
+msgstr ""
+"Простий засіб керування доступом надає або забороняє доступ на основі списку "
+"допуску або заборони, складеного за назвами облікових записів користувачів "
+"та групами. Використовуються такі правила:"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-simple.5.xml:43
+msgid "If all lists are empty, access is granted"
+msgstr "Якщо всі списки є порожніми, доступ буде надано."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" +"Якщо вказано будь-який зі списків, обробка виконуватиметься за послідовністю " +"«допуск, потім заборона» (allow,deny). Це означає, що будь-яке з правил " +"заборони матиме пріоритет над будь-яким правилом допуску." + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" +"Якщо буде вказано один або обидва списки допуску («allow»), всім " +"користувачам поза цими списками доступ буде заборонено." + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" +"Якщо буде вказано лише списки заборони («deny»), всі користувачам поза цими " +"списками доступ буде надано." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "simple_allow_users (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" +"Відокремлений комами список користувачів, яким дозволено вхід до системи." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "simple_deny_users (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" +"Список користувачів, яким явно заборонено доступ; записи відокремлюються " +"комами." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "simple_allow_groups (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" +"Відокремлений комами список груп, користувачам яких дозволено вхід до " +"системи. Стосується лише груп у межах цього домену SSSD. Локальні групи не " +"обробляються." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "simple_deny_groups (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" +"Відокремлений комами список груп, користувачам яких явно заборонено доступ. " +"Стосується лише груп у межах цього домену SSSD. Локальні групи не " +"обробляються." + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, щоб дізнатися більше про налаштування домену " +"SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" +"Якщо не вказувати значень для жодного зі списків, вважатиметься, що параметр " +"не визначено. Пам’ятайте про це, якщо захочете створити параметри для " +"простого надавача автоматизованими скриптами." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" +"Будь ласка, зауважте, що визначення обох параметрів, simple_allow_users і " +"simple_deny_users, є помилкою у налаштуванні." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." 
+msgstr ""
+"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, "
+"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. "
+"У прикладі продемонстровано лише параметри, специфічні для простого засобу "
+"доступу."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-simple.5.xml:140
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+msgstr ""
+"[domain/example.com]\n"
+"access_provider = simple\n"
+"simple_allow_users = user1, user2\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-simple.5.xml:150
+msgid ""
+"The complete group membership hierarchy is resolved before the access check, "
+"thus even nested groups can be included in the access lists. Please be "
+"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
+"results and should be set to a sufficient value. (<citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>) option."
+msgstr ""
+"Повна обробка ієрархії участі у групах виконується до перевірки прав "
+"доступу, отже, до списку груп доступу може бути включено навіть вкладені "
+"групи. Будь ласка, зауважте, що на результати може вплинути значення "
+"параметра «ldap_group_nesting_level». Вам слід встановити для нього достатнє "
+"значення. Див. <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss-certmap.5.xml:10 sss-certmap.5.xml:16
+msgid "sss-certmap"
+msgstr "sss-certmap"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss-certmap.5.xml:17
+msgid "SSSD Certificate Matching and Mapping Rules"
+msgstr "Правила встановлення відповідності і прив'язування сертифікатів SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:23
+msgid ""
+"The manual page describes the rules which can be used by SSSD and other "
+"components to match X.509 certificates and map them to accounts."
+msgstr ""
+"На цій сторінці підручника описано правила, якими можна скористатися у SSSD "
+"та інших компонентах для встановлення відповідності сертифікатів X.509 та "
+"прив'язування їх до облікових записів."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss-certmap.5.xml:28
+msgid ""
+"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
+"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
+"quote>. All components are optional. A missing <quote>priority</quote> will "
+"add the rule with the lowest priority. The default <quote>matching rule</"
+"quote> will match certificates with the digitalSignature key usage and "
+"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
+"the certificates will be searched in the userCertificate attribute as DER "
+"encoded binary. If no domains are given only the local domain will be "
+"searched."
+msgstr ""
+"У кожного правила чотири компоненти — <quote>пріоритетність</quote>, "
+"<quote>правило встановлення відповідності</quote>, <quote>правило прив'язки</"
+"quote> і <quote>список доменів</quote>. Усі компоненти є необов'язковими. "
+"Якщо не вказано <quote>пріоритетність</quote>, буде додано правило із "
+"найнижчою пріоритетністю. Типове <quote>правило встановлення відповідності</"
+"quote> встановлює відповідність сертифікатів із використанням ключів "
+"digitalSignature і розширеним використанням ключів clientAuth. Якщо "
+"<quote>правило прив'язки</quote> є порожнім, сертифікати шукатимуться у "
+"атрибуті userCertificate у форматі закодованих двійкових даних DER. Якщо не "
+"буде вказано доменів, пошук відбуватиметься у локальному домені."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss-certmap.5.xml:41
+msgid "RULE COMPONENTS"
+msgstr "КОМПОНЕНТИ ПРАВИЛ"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:43
+msgid "PRIORITY"
+msgstr "ПРІОРИТЕТНІСТЬ"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:45
+#, fuzzy
+#| msgid ""
+#| "The rules are processed by priority while the number '0' (zero) "
+#| "indicates the highest priority. The higher the number the lower is the "
+#| "priority. A missing value indicates the lowest priority."
+msgid ""
+"The rules are processed by priority while the number '0' (zero) indicates "
+"the highest priority. The higher the number the lower is the priority. A "
+"missing value indicates the lowest priority. The rules processing is stopped "
+"when a matched rule is found and no further rules are checked."
+msgstr ""
+"Правила оброблятимуться за пріоритетністю, номер «0» (нуль) відповідає "
+"найвищому рівню пріоритетності. Чим більшим є значення, тим нижчою є "
+"пріоритетність. Якщо значення не вказано, пріоритетність вважається "
+"найнижчою."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:52
+msgid ""
+"Internally the priority is treated as unsigned 32bit integer, using a "
+"priority value larger than 4294967295 will cause an error."
+msgstr ""
+"На внутрішньому рівні пріоритетність визначається 32-бітовим цілим числом "
+"без знаку. Використання значення пріоритетності, що перевищує 4294967295, "
+"призводитиме до виведення повідомлення про помилку."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:57
+msgid "MATCHING RULE"
+msgstr "ПРАВИЛО ВІДПОВІДНОСТІ"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:59
+msgid ""
+"The matching rule is used to select a certificate to which the mapping rule "
+"should be applied. It uses a system similar to the one used by "
+"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
+"keyword enclosed by '<' and '>' which identified a certain part of the "
+"certificate and a pattern which should be found for the rule to match. "
+"Multiple keyword pattern pairs can be either joined with '&&' (and) "
+"or '||' (or)."
+msgstr ""
+"Правило встановлення відповідності використовується для вибору сертифіката, "
+"до якого слід застосовувати правило прив'язки. У цьому використовується "
+"система, подібна до використаної у параметрі <quote>pkinit_cert_match</"
+"quote> Kerberos MIT. Правило складається з ключового слова між символами "
+"«<» і «>», яке визначає певну частину сертифіката, і взірцем, який має "
+"бути знайдено, для встановлення відповідності правила. Декілька пар ключове "
+"слово-взірець можна сполучати за допомогою логічних операторів «&"
+"&» (та) або «||» (або)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:71
+msgid "<SUBJECT>regular-expression"
+msgstr "<SUBJECT>формальний-вираз"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:74
+msgid ""
+"With this a part or the whole subject name of the certificate can be "
+"matched. For the matching POSIX Extended Regular Expression syntax is used, "
+"see regex(7) for details."
+msgstr ""
+"За допомогою цього компонент можна встановлювати відповідність частини або "
+"усього запису призначення. Для встановлення відповідності використовується "
+"синтаксис розширених формальних виразів POSIX. Докладніший опис синтаксису "
+"можна знайти на сторінці підручника regex(7)."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:80
+msgid ""
+"For the matching the subject name stored in the certificate in DER encoded "
+"ASN.1 is converted into a string according to RFC 4514. This means the most "
+"specific name component comes first. Please note that not all possible "
+"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
+"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
+"be shown differently on different platform and by different tools. To avoid "
+"confusion those attribute names are best not used or covered by a suitable "
+"regular-expression."
+msgstr ""
+"Для встановлення відповідності запис призначення, що зберігається у "
+"сертифікаті у форматі кодованого DER ASN.1, буде перетворено на текстовий "
+"рядок відповідно до RFC 4514. Це означає, що першою у рядку буде "
+"найспецифічніша компонента. Будь ласка, зауважте, що у RFC 4514 описано не "
+"усі можливі назви атрибутів. Включеними вважаються такі назви: «CN», «L», "
+"«ST», «O», «OU», «C», «STREET», «DC» і «UID». Назви інших атрибутів може "
+"бути показано у різний спосіб на різних платформах і у різних інструментах. "
+"Щоб уникнути двозначностей, не варто використовувати ці атрибути і вживати "
+"їх у відповідних формальних виразах."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:93
+msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+msgstr "Приклад: <SUBJECT>.*,DC=MY,DC=DOMAIN"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:98
+msgid "<ISSUER>regular-expression"
+msgstr "<ISSUER>формальний-вираз"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:101
+msgid ""
+"With this a part or the whole issuer name of the certificate can be matched. "
+"All comments for <SUBJECT> apply her as well."
+msgstr ""
+"За допомогою цього компонент можна встановлювати відповідність частини або "
+"усього запису видавця. Цього запису стосуються усі коментарі щодо <"
+"SUBJECT>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:106
+msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+msgstr "Приклад: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:111
+msgid "<KU>key-usage"
+msgstr "<KU>використання-ключа"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:114
+msgid ""
+"This option can be used to specify which key usage values the certificate "
+"should have. The following values can be used in a comma separated list:"
+msgstr ""
+"За допомогою цього параметра можна визначити значення використання ключа, "
+"які повинен містити сертифікат. У списку значень, відокремлених комами, "
+"можна використовувати такі значення:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:118
+msgid "digitalSignature"
+msgstr "digitalSignature"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:119
+msgid "nonRepudiation"
+msgstr "nonRepudiation"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:120
+msgid "keyEncipherment"
+msgstr "keyEncipherment"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:121
+msgid "dataEncipherment"
+msgstr "dataEncipherment"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:122
+msgid "keyAgreement"
+msgstr "keyAgreement"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:123
+msgid "keyCertSign"
+msgstr "keyCertSign"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:124
+msgid "cRLSign"
+msgstr "cRLSign"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:125
+msgid "encipherOnly"
+msgstr "encipherOnly"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:126
+msgid "decipherOnly"
+msgstr "decipherOnly"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:130
+msgid ""
+"A numerical value in the range of a 32bit unsigned integer can be used as "
+"well to cover special use cases."
+msgstr ""
+"Для спеціальних випадків можна також використати числове значення у "
+"діапазоні 32-бітових цілих чисел без знаку."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:134
+msgid "Example: <KU>digitalSignature,keyEncipherment"
+msgstr "Приклад: <KU>digitalSignature,keyEncipherment"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:139
+msgid "<EKU>extended-key-usage"
+msgstr "<EKU>розширене-використання-ключа"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:142
+msgid ""
+"This option can be used to specify which extended key usage the certificate "
+"should have. The following value can be used in a comma separated list:"
+msgstr ""
+"За допомогою цього параметра можна визначити значення розширеного "
+"використання ключа, які повинен містити сертифікат. У списку значень, "
+"відокремлених комами, можна використовувати такі значення:"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:146
+msgid "serverAuth"
+msgstr "serverAuth"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:147
+msgid "clientAuth"
+msgstr "clientAuth"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:148
+msgid "codeSigning"
+msgstr "codeSigning"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:149
+msgid "emailProtection"
+msgstr "emailProtection"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:150
+msgid "timeStamping"
+msgstr "timeStamping"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:151
+msgid "OCSPSigning"
+msgstr "OCSPSigning"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:152
+msgid "KPClientAuth"
+msgstr "KPClientAuth"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:153
+msgid "pkinit"
+msgstr "pkinit"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sss-certmap.5.xml:154
+msgid "msScLogin"
+msgstr "msScLogin"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:158
+msgid ""
+"Extended key usages which are not listed above can be specified with their "
+"OID in dotted-decimal notation."
+msgstr ""
+"Розширені використання ключа, які не потрапили до вказаного вище списку, "
+"можна визначити за допомогою їхнього OID у точково-десятковому позначенні."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:162
+msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+msgstr "Приклад: <EKU>clientAuth,1.3.6.1.5.2.3.4"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:167
+msgid "<SAN>regular-expression"
+msgstr "<SAN>формальний-вираз"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:170
+msgid ""
+"To be compatible with the usage of MIT Kerberos this option will match the "
+"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
+"Principal> does."
+msgstr ""
+"Для сумісності із використанням Kerberos MIT цей параметр встановлюватиме "
+"відповідність реєстраційних даних Kerberos у PKINIT або AD NT Principal SAN "
+"так, як це робить <SAN:Principal>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:175
+msgid "Example: <SAN>.*@MY\\.REALM"
+msgstr "Приклад: <SAN>.*@MY\\.REALM"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:180
+msgid "<SAN:Principal>regular-expression"
+msgstr "<SAN:Principal>формальний-вираз"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:183
+msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
+msgstr ""
+"Встановити відповідність реєстраційних даних Kerberos у PKINIT або AD NT "
+"Principal SAN."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:187
+msgid "Example: <SAN:Principal>.*@MY\\.REALM"
+msgstr "Приклад: <SAN:Principal>.*@MY\\.REALM"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:192
+msgid "<SAN:ntPrincipalName>regular-expression"
+msgstr "<SAN:ntPrincipalName>формальний-вираз"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:195
+msgid "Match the Kerberos principals from the AD NT Principal SAN."
+msgstr "" +"Встановити відповідність реєстраційних даних Kerberos з AD NT Principal SAN." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "Приклад: <SAN:ntPrincipalName>.*@MY.AD.REALM" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "<SAN:pkinit>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "Встановити відповідність реєстраційних даних Kerberos з SAN PKINIT." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "Приклад: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "<SAN:dotted-decimal-oid>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" +"Отримати значення компонента SAN otherName, яке задано OID у крапково-" +"десятковому позначенні, обробити його як рядок і спробувати встановити " +"відповідність формальному виразу." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "Приклад: <SAN:1.2.3.4>test" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "<SAN:otherName>base64-string" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" +"Виконати спробу встановлення двійкової відповідності блоку у кодуванні " +"base64 із усіма компонентами SAN otherName. За допомогою цього параметра " +"можна встановлювати відповідність із нетиповими компонентами otherName із " +"особливими кодуваннями, які не можна обробляти як рядки." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "Приклад: <SAN:otherName>MTIz" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "<SAN:rfc822Name>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "Встановити відповідність значення SAN rfc822Name." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "Приклад: <SAN:rfc822Name>.*@email\\.domain" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "<SAN:dNSName>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "Встановити відповідність значення SAN dNSName." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "Приклад: <SAN:dNSName>.*\\.my\\.dns\\.domain" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "<SAN:x400Address>рядок-base64" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "Встановити двійкову відповідність значення SAN x400Address." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "Приклад: <SAN:x400Address>MTIz" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "<SAN:directoryName>формальний-вираз" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" +"Встановити відповідність значення SAN directoryName. Цього параметра " +"стосуються ті самі коментарі, які було вказано для параметрів <ISSUER> " +"та <SUBJECT>." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "Приклад: <SAN:directoryName>.*,DC=com" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "<SAN:ediPartyName>рядок-base64" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "Встановити двійкову відповідність значення SAN ediPartyName." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "Приклад: <SAN:ediPartyName>MTIz" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "<SAN:uniformResourceIdentifier>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "Встановити відповідність значення SAN uniformResourceIdentifier." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "Приклад: <SAN:uniformResourceIdentifier>URN:.*" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "<SAN:iPAddress>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "Встановити відповідність значення SAN iPAddress." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "Приклад: <SAN:iPAddress>192\\.168\\..*" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "<SAN:registeredID>формальний-вираз" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" +"Встановити значення SAN registeredID у форматі точково-десяткового рядка." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "Приклад: <SAN:registeredID>1\\.2\\.3\\..*" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "Доступні варіанти: <placeholder type=\"variablelist\" id=\"0\"/>" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:338
+msgid "MAPPING RULE"
+msgstr "ПРАВИЛО ПРИВʼЯЗУВАННЯ"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:340
+msgid ""
+"The mapping rule is used to associate a certificate with one or more "
+"accounts. A Smartcard with the certificate and the matching private key can "
+"then be used to authenticate as one of those accounts."
+msgstr ""
+"Правило прив'язки використовується для пов'язування сертифіката із одним або "
+"декількома обліковими записами. Далі, смарткарткою із сертифікатом та "
+"відповідним закритим ключем можна скористатися для розпізнавання за одним з "
+"цих облікових записів."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:345
+msgid ""
+"Currently SSSD basically only supports LDAP to lookup user information (the "
+"exception is the proxy provider which is not of relevance here). Because of "
+"this the mapping rule is based on LDAP search filter syntax with templates "
+"to add certificate content to the filter. It is expected that the filter "
+"will only contain the specific data needed for the mapping and that the "
+"caller will embed it in another filter to do the actual search. Because of "
+"this the filter string should start and stop with '(' and ')' respectively."
+msgstr ""
+"У поточній версії SSSD на базовому рівні підтримує пошук даних користувачів "
+"лише у LDAP (винятком є лише засіб надання проксі, який у цьому контексті є "
+"недоречним). Через це правило прив'язки засновано на синтаксисі фільтрування "
+"пошуку LDAP з шаблонами для додавання вмісту сертифікатів до фільтра. "
+"Очікується, що цей фільтр міститиме лише специфічні дані, потрібні для "
+"прив'язки, яку функція виклику вбудовуватиме до іншого фільтра для виконання "
+"справжнього пошуку. Через це рядок фільтрування має починатися із "
+"завершуватися «(» і «)», відповідно."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:355
+msgid ""
+"In general it is recommended to use attributes from the certificate and add "
+"them to special attributes to the LDAP user object. E.g. the "
+"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
+"for IPA can be used."
+msgstr ""
+"Загалом, рекомендується використовувати атрибути з сертифіката і додати їх "
+"до спеціальних атрибутів об'єкта користувача LDAP. Наприклад, можна "
+"скористатися атрибутом «altSecurityIdentities» у AD або атрибутом "
+"«ipaCertMapData» для IPA."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:361
+msgid ""
+"This should be preferred to read user specific data from the certificate "
+"like e.g. an email address and search for it in the LDAP server. The reason "
+"is that the user specific data in LDAP might change for various reasons "
+"would break the mapping. On the other hand it would be hard to break the "
+"mapping on purpose for a specific user."
+msgstr ""
+"Бажаним шляхом є читання із сертифіката специфічних для користувача даних, "
+"наприклад адреси електронної пошти, і пошук цих даних на сервері LDAP. "
+"Причиною є те, що специфічні для користувача дані у LDAP можу бути з різних "
+"причин змінено, що розірве прив'язку. З іншого боку, якщо скористатися "
+"бажаним шляхом, розірвати прив'язку буде важко."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:376
+msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:379
+msgid ""
+"This template will add the full issuer DN converted to a string according to "
+"RFC 4514. 
If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+"Цей шаблон додасть повний DN видавця, перетворений на рядок відповідно до "
+"RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN "
+"стоїть останнім), буде використано параметр із префіксом «_x500»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:385 sss-certmap.5.xml:411
+msgid ""
+"The conversion options starting with 'ad_' will use attribute names as used "
+"by AD, e.g. 'S' instead of 'ST'."
+msgstr ""
+"У варіантах перетворення, назви яких починаються з «ad_», "
+"використовуватимуться назви атрибутів, які використовуються AD, наприклад "
+"«S», замість «ST»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:389 sss-certmap.5.xml:415
+msgid ""
+"The conversion options starting with 'nss_' will use attribute names as used "
+"by NSS."
+msgstr ""
+"У варіантах перетворення, назви яких починаються з «nss_», "
+"використовуватимуться назви атрибутів, які використовуються NSS."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:393 sss-certmap.5.xml:419
+msgid ""
+"The default conversion option is 'nss', i.e. attribute names according to "
+"NSS and LDAP/RFC 4514 ordering."
+msgstr ""
+"Типовим варіантом перетворення є «nss», тобто назви атрибутів відповідно до "
+"NSS і упорядковування за LDAP/RFC 4514."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:397
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+msgstr ""
+"Приклад: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
+"ad})"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:402
+msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:405
+msgid ""
+"This template will add the full subject DN converted to string according to "
+"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
+"the '_x500' prefix should be used."
+msgstr ""
+"Цей шаблон додасть повний DN призначення, перетворений на рядок відповідно "
+"до RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN "
+"стоїть останнім), буде використано параметр із префіксом «_x500»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:423
+msgid ""
+"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+msgstr ""
+"Приклад: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
+"{subject_dn!nss_x500})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:428
+msgid "{cert[!(bin|base64)]}"
+msgstr "{cert[!(bin|base64)]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:431
+msgid ""
+"This template will add the whole DER encoded certificate as a string to the "
+"search filter. Depending on the conversion option the binary certificate is "
+"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
+"hex sequence is the default and can e.g. be used with the LDAP attribute "
+"'userCertificate;binary'."
+msgstr ""
+"Цей шаблон додасть увесь сертифікат у кодуванні DER як рядок до фільтра "
+"пошуку. 
Залежно від параметра перетворення, двійковий сертифікат або буде "
+"преетворено на екрановану послідовність шістнадцяткових чисел у форматі "
+"«\\xx», або на код base64. Типовим варіантом є екранована шістнадцяткова "
+"послідовність, її може бути, наприклад, використано з атрибутом LDAP "
+"«userCertificate;binary»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:439
+msgid "Example: (userCertificate;binary={cert!bin})"
+msgstr "Приклад: (userCertificate;binary={cert!bin})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:444
+msgid "{subject_principal[.short_name]}"
+msgstr "{subject_principal[.short_name]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:447
+msgid ""
+"This template will add the Kerberos principal which is taken either from the "
+"SAN used by pkinit or the one used by AD. The 'short_name' component "
+"represents the first part of the principal before the '@' sign."
+msgstr ""
+"Цей шаблон додасть реєстраційні дані Kerberos, які буде взято або з SAN, "
+"який використовується pkinit, або з реєстраційних даних AD. Компонент "
+"«short_name» відповідає першій частині реєстраційного запису до символу «@»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:453 sss-certmap.5.xml:481
+msgid ""
+"Example: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+msgstr ""
+"Приклад: (|(userPrincipal={subject_principal})"
+"(samAccountName={subject_principal.short_name}))"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:458
+msgid "{subject_pkinit_principal[.short_name]}"
+msgstr "{subject_pkinit_principal[.short_name]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:461
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by pkinit. The 'short_name' component represents the first part of the "
+"principal before the '@' sign."
+msgstr ""
+"Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що "
+"використовується pkinit. Компонент «short_name» відповідає першій частині "
+"реєстраційного запису до символу «@»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:467
+msgid ""
+"Example: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+msgstr ""
+"Приклад: (|(userPrincipal={subject_pkinit_principal})"
+"(uid={subject_pkinit_principal.short_name}))"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:472
+msgid "{subject_nt_principal[.short_name]}"
+msgstr "{subject_nt_principal[.short_name]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:475
+msgid ""
+"This template will add the Kerberos principal which is given by the SAN used "
+"by AD. The 'short_name' component represent the first part of the principal "
+"before the '@' sign."
+msgstr ""
+"Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що "
+"використовується AD. Компонент «short_name» відповідає першій частині "
+"реєстраційного запису до символу «@»."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:486
+msgid "{subject_rfc822_name[.short_name]}"
+msgstr "{subject_rfc822_name[.short_name]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:489
+msgid ""
+"This template will add the string which is stored in the rfc822Name "
+"component of the SAN, typically an email address. The 'short_name' component "
+"represents the first part of the address before the '@' sign."
+msgstr ""
+"Цей шаблон додасть рядок, який зберігається у компоненті rfc822Name SAN, "
+"типово, адресу електронної пошти. Компонент «short_name» відповідає першій "
+"частині адреси до символу «@»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:495
+msgid ""
+"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+msgstr ""
+"Приклад: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
+"short_name}))"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:500
+msgid "{subject_dns_name[.short_name]}"
+msgstr "{subject_dns_name[.short_name]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:503
+msgid ""
+"This template will add the string which is stored in the dNSName component "
+"of the SAN, typically a fully-qualified host name. The 'short_name' "
+"component represents the first part of the name before the first '.' sign."
+msgstr ""
+"Цей шаблон додасть рядок, який зберігається у компоненті dNSName SAN, "
+"типово, повну назву вузла. Компонент «short_name» відповідає першій частині "
+"назви до першого символу «.»."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:509
+msgid ""
+"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+msgstr ""
+"Приклад: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:514
+msgid "{subject_uri}"
+msgstr "{subject_uri}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:517
+msgid ""
+"This template will add the string which is stored in the "
+"uniformResourceIdentifier component of the SAN."
+msgstr ""
+"Цей шаблон додає рядок, який зберігається у компоненті "
+"uniformResourceIdentifier SAN."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:521
+msgid "Example: (uri={subject_uri})"
+msgstr "Приклад: (uri={subject_uri})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:526
+msgid "{subject_ip_address}"
+msgstr "{subject_ip_address}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:529
+msgid ""
+"This template will add the string which is stored in the iPAddress component "
+"of the SAN."
+msgstr "Цей шаблон додає рядок, який зберігається у компоненті iPAddress SAN."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:533
+msgid "Example: (ip={subject_ip_address})"
+msgstr "Приклад: (ip={subject_ip_address})"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:538
+msgid "{subject_x400_address}"
+msgstr "{subject_x400_address}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:541
+msgid ""
+"This template will add the value which is stored in the x400Address "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+"Цей шаблон додає значення, яке зберігається у компоненті x400Address SAN як "
+"послідовність екранованих шістнадцяткових чисел."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:546
+msgid "Example: (attr:binary={subject_x400_address})"
+msgstr "Приклад: (attr:binary={subject_x400_address})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:551
+msgid ""
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+msgstr ""
+"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:554
+msgid ""
+"This template will add the DN string of the value which is stored in the "
+"directoryName component of the SAN."
+msgstr ""
+"Цей шаблон додасть рядок DN значення, яке зберігається у компоненті "
+"directoryName SAN."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:558
+msgid "Example: (orig_dn={subject_directory_name})"
+msgstr "Приклад: (orig_dn={subject_directory_name})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:563
+msgid "{subject_ediparty_name}"
+msgstr "{subject_ediparty_name}"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:566
+msgid ""
+"This template will add the value which is stored in the ediPartyName "
+"component of the SAN as escaped hex sequence."
+msgstr ""
+"Цей шаблон додає значення, яке зберігається у компоненті ediPartyName SAN як "
+"послідовність екранованих шістнадцяткових чисел."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:571
+msgid "Example: (attr:binary={subject_ediparty_name})"
+msgstr "Приклад: (attr:binary={subject_ediparty_name})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sss-certmap.5.xml:576
+msgid "{subject_registered_id}"
+msgstr "{subject_registered_id}"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:579
+msgid ""
+"This template will add the OID which is stored in the registeredID component "
+"of the SAN as a dotted-decimal string."
+msgstr ""
+"Цей шаблон додає OID, який зберігається у компоненті registeredID SAN у "
+"форматі точково-десяткового рядка."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sss-certmap.5.xml:584
+msgid "Example: (oid={subject_registered_id})"
+msgstr "Приклад: (oid={subject_registered_id})"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:369
+msgid ""
+"The templates to add certificate data to the search filter are based on "
+"Python-style formatting strings. They consist of a keyword in curly braces "
+"with an optional sub-component specifier separated by a '.' or an optional "
+"conversion/formatting option separated by a '!'. 
Allowed values are: "
+"<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Шаблони для додавання даних сертифікатів до фільтра пошуку засновано на "
+"рядках форматування у стилі Python. Воли складаються з ключового слова у "
+"фігурних дужках із додатковим підкомпонентом-специфікатором, відокремленим "
+"«.», або додатковим параметром перетворення-форматування, відокремленим «!». "
+"Дозволені значення: <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss-certmap.5.xml:592
+msgid "DOMAIN LIST"
+msgstr "СПИСОК ДОМЕНІВ"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss-certmap.5.xml:594
+msgid ""
+"If the domain list is not empty users mapped to a given certificate are not "
+"only searched in the local domain but in the listed domains as well as long "
+"as they are know by SSSD. Domains not know to SSSD will be ignored."
+msgstr ""
+"Якщо список доменів не є порожнім, записи користувачів, прив'язані до "
+"заданого сертифіката, шукаються не лише у локальному домені, а і у доменах "
+"зі списку, якщо вони відомі SSSD. Домени, які не відомі SSSD, буде "
+"проігноровано."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
+msgid "sssd-ipa"
+msgstr "sssd-ipa"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ipa.5.xml:17
+msgid "SSSD IPA provider"
+msgstr "Модуль надання даних IPA SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:23
+msgid ""
+"This manual page describes the configuration of the IPA provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." 
+msgstr ""
+"На цій сторінці довідника описано налаштування засобу керування доступом IPA "
+"для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, "
+"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:36
+msgid ""
+"The IPA provider is a back end used to connect to an IPA server. (Refer to "
+"the freeipa.org web site for information about IPA servers.) This provider "
+"requires that the machine be joined to the IPA domain; configuration is "
+"almost entirely self-discovered and obtained directly from the server."
+msgstr ""
+"Інструмент надання даних IPA — модуль, який використовується для "
+"встановлення з’єднання з сервером IPA. (Інформацію щодо серверів IPA можна "
+"знайти на сайті freeipa.org.) Цей інструмент надання доступу потребує "
+"включення комп’ютера до домену IPA. Налаштування майже повністю "
+"автоматизовано, дані для нього отримуються безпосередньо з сервера."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:43
+msgid ""
+"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for IPA environments. The IPA provider accepts the same "
+"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
+"However, it is neither necessary nor recommended to set these options." 
+msgstr ""
+"Засіб надання даних IPA уможливлює для SSSD використання засобу надання "
+"даних профілів <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> та засобу надання даних "
+"розпізнавання <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> з оптимізацією для середовищ IPA. "
+"Засіб надання даних IPA приймає ті самі параметри, які використовуються "
+"засобами надання даних sssd-ldap та sssd-krb5, із деякими виключеннями. "
+"Втім, встановлювати ці параметри не обов'язково і не рекомендовано."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:57
+msgid ""
+"The IPA provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+"Засіб надання даних IPA в основному копіює типові параметри традиційних "
+"засобів надання даних ldap і krb5 із деякими виключенням. Відмінності "
+"наведено у розділі <quote>ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:62
+msgid ""
+"As an access provider, the IPA provider uses HBAC (host-based access "
+"control) rules. Please refer to freeipa.org for more information about "
+"HBAC. No configuration of access provider is required on the client side."
+msgstr ""
+"Як інструмент надання доступу, інструмент надання даних IPA для керування "
+"доступом використовує правила HBAC (host-based access control або керування "
+"доступом на основі даних щодо вузлів). Докладнішу інформацію щодо HBAC можна "
+"отримати на сайті freeipa.org. У налаштуванні керування доступом на боці "
+"клієнта немає потреби."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:67
+msgid ""
+"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
+"quote>."
+msgstr ""
+"Якщо у sssd.conf вказано <quote>auth_provider=ipa</quote> або "
+"<quote>access_provider=ipa</quote>, для id_provider також має бути вказано "
+"<quote>ipa</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:73
+msgid ""
+"The IPA provider will use the PAC responder if the Kerberos tickets of users "
+"from trusted realms contain a PAC. To make configuration easier the PAC "
+"responder is started automatically if the IPA ID provider is configured."
+msgstr ""
+"Інструмент надання даних IPA використовуватиме відповідач PAC, якщо квитки "
+"Kerberos користувачів з довірених областей містять PAC. Для полегшення "
+"налаштовування відповідач PAC запускається автоматично, якщо налаштовано "
+"інструмент надання даних ідентифікаторів IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:89
+msgid "ipa_domain (string)"
+msgstr "ipa_domain (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:92
+msgid ""
+"Specifies the name of the IPA domain. This is optional. If not provided, "
+"the configuration domain name is used."
+msgstr ""
+"Визначає назву домену IPA. Є необов’язковим. Якщо не вказано, буде "
+"використано назву домену з налаштувань."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:100
+msgid "ipa_server, ipa_backup_server (string)"
+msgstr "ipa_server, ipa_backup_server (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:103
+msgid ""
+"The comma-separated list of IP addresses or hostnames of the IPA servers to "
+"which SSSD should connect in the order of preference. For more information "
+"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+"Впорядкований за пріоритетом список IP-адрес або назв вузлів, відокремлених "
+"комами, серверів IPA, з якими має встановити з’єднання SSSD. Докладніші "
+"відомості щодо резервних серверів викладено у розділі «РЕЗЕРВ». Цей список є "
+"необов’язковим, якщо увімкнено автоматичне виявлення служб. Докладніші "
+"відомості щодо автоматичного виявлення служб наведено у розділі «ПОШУК "
+"СЛУЖБ»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:116
+msgid "ipa_hostname (string)"
+msgstr "ipa_hostname (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:119
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the IPA domain to identify this host. The "
+"hostname must be fully qualified."
+msgstr ""
+"Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не "
+"відповідає повній назві, що використовується доменом IPA для розпізнавання "
+"цього вузла. Назву вузла слід вказувати повністю."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866
+msgid "dyndns_update (boolean)"
+msgstr "dyndns_update (булеве значення)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:131
+msgid ""
+"Optional. This option tells SSSD to automatically update the DNS server "
+"built into FreeIPA with the IP address of this client. The update is secured "
+"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
+"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
+"quote> option."
+msgstr ""
+"Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично "
+"оновити на сервері DNS, вбудованому до FreeIPA, IP-адресу клієнта. Захист "
+"оновлення буде забезпечено за допомогою GSS-TSIG. Для оновлення буде "
+"використано IP-адресу з’єднання LDAP IPA, якщо не вказано іншу адресу за "
+"допомогою параметра «dyndns_iface»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880
+msgid ""
+"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
+"the default Kerberos realm must be set properly in /etc/krb5.conf"
+msgstr ""
+"ЗАУВАЖЕННЯ: на застарілих системах (зокрема RHEL 5) для надійної роботи у "
+"цьому режимі типову область дії Kerberos має бути належним чином визначено "
+"у /etc/krb5.conf"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:145
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
+"emphasis> in their config file."
+msgstr ""
+"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, "
+"<emphasis>ipa_dyndns_update</emphasis>, користувачам слід переходити на нову "
+"назву, <emphasis>dyndns_update</emphasis>, у файлі налаштувань."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891
+msgid "dyndns_ttl (integer)"
+msgstr "dyndns_ttl (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894
+msgid ""
+"The TTL to apply to the client DNS record when updating it. If "
+"dyndns_update is false this has no effect. This will override the TTL "
+"serverside if set by an administrator."
+msgstr ""
+"TTL, до якого буде застосовано клієнтський запис DNS під час його оновлення. "
+"Якщо dyndns_update має значення false, цей параметр буде проігноровано. "
+"Перевизначає TTL на боці сервера, якщо встановлено адміністратором."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:165
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
+"emphasis> in their config file."
+msgstr ""
+"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, "
+"<emphasis>ipa_dyndns_ttl</emphasis>, користувачам слід переходити на нову "
+"назву, <emphasis>dyndns_ttl</emphasis>, у файлі налаштувань."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:171
+msgid "Default: 1200 (seconds)"
+msgstr "Типове значення: 1200 (секунд)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905
+msgid "dyndns_iface (string)"
+msgstr "dyndns_iface (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908
+msgid ""
+"Optional. Applicable only when dyndns_update is true. 
Choose the interface "
+"or a list of interfaces whose IP addresses should be used for dynamic DNS "
+"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
+"should be used."
+msgstr ""
+"Необов'язковий. Застосовний, лише якщо dyndns_update має значення true. "
+"Виберіть інтерфейс або список інтерфейсів, чиї IP-адреси має бути "
+"використано для динамічних оновлень DNS. Спеціальне значення <quote>*</"
+"quote> означає, що слід використовувати IP-адреси з усіх інтерфейсів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:187
+msgid ""
+"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
+"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
+"emphasis> in their config file."
+msgstr ""
+"ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, "
+"<emphasis>ipa_dyndns_iface</emphasis>, користувачам слід переходити на нову "
+"назву, <emphasis>dyndns_iface</emphasis>, у файлі налаштувань."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:193
+msgid ""
+"Default: Use the IP addresses of the interface which is used for IPA LDAP "
+"connection"
+msgstr ""
+"Типове значення: використовувати IP-адреси інтерфейсу, який використовується "
+"для з’єднання LDAP IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919
+msgid "Example: dyndns_iface = em1, vnet1, vnet2"
+msgstr "Приклад: dyndns_iface = em1, vnet1, vnet2"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970
+msgid "dyndns_auth (string)"
+msgstr "dyndns_auth (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973
+msgid ""
+"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
+"updates with the DNS server, insecure updates can be sent by setting this "
+"option to 'none'."
+msgstr ""
+"Визначає, чи має використовувати допоміжний засіб nsupdate розпізнавання GSS-"
+"TSIG для безпечних оновлень за допомогою сервера DNS, незахищені оновлення "
+"можна надсилати встановленням для цього параметра значення «none»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979
+msgid "Default: GSS-TSIG"
+msgstr "Типове значення: GSS-TSIG"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:218
+msgid "ipa_enable_dns_sites (boolean)"
+msgstr "ipa_enable_dns_sites (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213
+msgid "Enables DNS sites - location based service discovery."
+msgstr "Вмикає сайти DNS — визначення служб на основі адрес."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:225
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, then the SSSD will first attempt location "
+"based discovery using a query that contains \"_location.hostname.example.com"
+"\" and then fall back to traditional SRV discovery. 
If the location based "
+"discovery succeeds, the IPA servers located with the location based "
+"discovery are treated as primary servers and the IPA servers located using "
+"the traditional SRV discovery are used as back up servers"
+msgstr ""
+"Якщо вказано значення true і увімкнено визначення служб (див. розділ щодо "
+"пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку "
+"спробує визначення на основі адрес за допомогою запиту, що містить "
+"\"_location.hostname.example.com\", а потім повертається до традиційного "
+"визначення SRV. Якщо визначення на основі адреси буде успішним, сервери IPA, "
+"виявлені на основі визначення за адресою, вважатимуться основним серверами, "
+"а сервери IPA, виявлені за допомогою традиційного визначення SRV, "
+"вважатимуться резервними серверами."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925
+msgid "dyndns_refresh_interval (integer)"
+msgstr "dyndns_refresh_interval (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:247
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true."
+msgstr ""
+"Визначає, наскільки часто серверний модуль має виконувати періодичні "
+"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час "
+"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не "
+"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943
+msgid "dyndns_update_ptr (bool)"
+msgstr "dyndns_update_ptr (булеве значення)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946
+msgid ""
+"Whether the PTR record should also be explicitly updated when updating the "
+"client's DNS records. Applicable only when dyndns_update is true."
+msgstr ""
+"Визначає, чи слід явним чином оновлювати запис PTR під час оновлення записів "
+"DNS клієнта. Застосовується, лише якщо значенням dyndns_update буде true."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:268
+msgid ""
+"This option should be False in most IPA deployments as the IPA server "
+"generates the PTR records automatically when forward records are changed."
+msgstr ""
+"Значенням цього параметра у більшості розгорнутих систем IPA має бути False, "
+"оскільки сервер IPA створює записи PTR автоматично після зміни у записах "
+"переспрямовування."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:274
+msgid "Default: False (disabled)"
+msgstr "Типове значення: False (вимкнено)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957
+msgid "dyndns_force_tcp (bool)"
+msgstr "dyndns_force_tcp (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960
+msgid ""
+"Whether the nsupdate utility should default to using TCP for communicating "
+"with the DNS server."
+msgstr ""
+"Визначає, чи слід у програмі nsupdate типово використовувати TCP для обміну "
+"даними з сервером DNS."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964
+msgid "Default: False (let nsupdate choose the protocol)"
+msgstr "Типове значення: False (надати змогу nsupdate вибирати протокол)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985
+msgid "dyndns_server (string)"
+msgstr "dyndns_server (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988
+msgid ""
+"The DNS server to use when performing a DNS update. In most setups, it's "
+"recommended to leave this option unset."
+msgstr ""
+"Сервер DNS, який слід використовувати для виконання оновлення DNS. У "
+"більшості конфігурацій рекомендуємо не встановлювати значення для цього "
+"параметра."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993
+msgid ""
+"Setting this option makes sense for environments where the DNS server is "
+"different from the identity server."
+msgstr ""
+"Встановлення значення для цього параметра потрібне для середовищ, де сервер "
+"DNS відрізняється від сервера профілів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998
+msgid ""
+"Please note that this option will be only used in fallback attempt when "
+"previous attempt using autodetected settings failed."
+msgstr ""
+"Будь ласка, зауважте, що цей параметр буде використано лише для резервних "
+"спроб, якщо попередні спроби із використанням автовиявлення завершаться "
+"невдало."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003
+msgid "Default: None (let nsupdate choose the server)"
+msgstr "Типове значення: немає (надати nsupdate змогу вибирати сервер)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:317
+msgid "ipa_deskprofile_search_base (string)"
+msgstr "ipa_deskprofile_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:320
+msgid ""
+"Optional. Use the given string as search base for Desktop Profile related "
+"objects."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з "
+"профілями станції (Desktop Profile) об’єктів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337
+msgid "Default: Use base DN"
+msgstr "Типове значення: використання базової назви домену"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:330
+msgid "ipa_hbac_search_base (string)"
+msgstr "ipa_hbac_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:333
+msgid "Optional. Use the given string as search base for HBAC related objects."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з "
+"HBAC об’єктів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:343
+msgid "ipa_host_search_base (string)"
+msgstr "ipa_host_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:346
+msgid "Deprecated. Use ldap_host_search_base instead." 
+msgstr "Застарілий. Скористайтеся замість нього ldap_host_search_base."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:352
+msgid "ipa_selinux_search_base (string)"
+msgstr "ipa_selinux_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:355
+msgid "Optional. Use the given string as search base for SELinux user maps."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку карт "
+"користувачів SELinux."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:371
+msgid "ipa_subdomains_search_base (string)"
+msgstr "ipa_subdomains_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:374
+msgid "Optional. Use the given string as search base for trusted domains."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку надійних доменів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:383
+msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
+msgstr "Типове значення: значення <emphasis>cn=trusts,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:390
+msgid "ipa_master_domain_search_base (string)"
+msgstr "ipa_master_domain_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:393
+msgid "Optional. Use the given string as search base for master domain object."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку основного "
+"об’єкта домену."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:402
+msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+msgstr ""
+"Типове значення: значення виразу <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:409
+msgid "ipa_views_search_base (string)"
+msgstr "ipa_views_search_base (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:412
+msgid "Optional. Use the given string as search base for views containers."
+msgstr ""
+"Необов’язковий. Використати вказаний рядок як основу пошуку контейнерів "
+"перегляду."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:421
+msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+msgstr ""
+"Типове значення: значення <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:431
+msgid ""
+"The name of the Kerberos realm. This is optional and defaults to the value "
+"of <quote>ipa_domain</quote>."
+msgstr ""
+"Назва області дії Kerberos. Є необов’язковою, типовим значенням є значення "
+"«ipa_domain»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:435
+msgid ""
+"The name of the Kerberos realm has a special meaning in IPA - it is "
+"converted into the base DN to use for performing LDAP operations."
+msgstr ""
+"Назва області дії Kerberos має особливе значення у IPA: цю назву буде "
+"перетворено у основний DN для виконання дій LDAP."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012
+msgid "krb5_confd_path (string)"
+msgstr "krb5_confd_path (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015
+msgid ""
+"Absolute path of a directory where SSSD should place Kerberos configuration "
+"snippets."
+msgstr ""
+"Абсолютний шлях до каталогу, у якому SSSD має зберігати фрагменти "
+"налаштувань Kerberos."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019
+msgid ""
+"To disable the creation of the configuration snippets set the parameter to "
+"'none'."
+msgstr ""
+"Щоб вимкнути створення фрагментів налаштувань, встановіть для параметра "
+"значення «none»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023
+msgid ""
+"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
+msgstr ""
+"Типове значення: не встановлено (підкаталог krb5.include.d каталогу pubconf "
+"SSSD)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:461
+msgid "ipa_deskprofile_refresh (integer)"
+msgstr "ipa_deskprofile_refresh (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:464
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server. This will reduce the latency and load on the IPA server if there "
+"are many desktop profiles requests made in a short period."
+msgstr ""
+"Проміжок часу між послідовними пошуками правил профілів станції (Desktop "
+"Profile) щодо сервера IPA. 
Зміна може зменшити час затримки та навантаження "
+"на сервер IPA, якщо протягом короткого періоду часу надходить багато запитів "
+"щодо профілів станції."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431
+msgid "Default: 5 (seconds)"
+msgstr "Типове значення: 5 (секунд)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:477
+msgid "ipa_deskprofile_request_interval (integer)"
+msgstr "ipa_deskprofile_request_interval (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:480
+msgid ""
+"The amount of time between lookups of the Desktop Profile rules against the "
+"IPA server in case the last request did not return any rule."
+msgstr ""
+"Час між пошуками у правилах профілів станцій на сервері IPA, якщо за "
+"останнім запитом не повернуто жодного правила."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:485
+msgid "Default: 60 (minutes)"
+msgstr "Типове значення: 60 (хвилин)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:491
+msgid "ipa_hbac_refresh (integer)"
+msgstr "ipa_hbac_refresh (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:494
+msgid ""
+"The amount of time between lookups of the HBAC rules against the IPA server. "
+"This will reduce the latency and load on the IPA server if there are many "
+"access-control requests made in a short period."
+msgstr ""
+"Проміжок часу між послідовними пошуками правил HBAC щодо сервера IPA. 
Зміна "
+"може зменшити час затримки та навантаження на сервер IPA, якщо протягом "
+"короткого періоду часу надходить багато запитів щодо керування доступом."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:507
+msgid "ipa_hbac_selinux (integer)"
+msgstr "ipa_hbac_selinux (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:510
+msgid ""
+"The amount of time between lookups of the SELinux maps against the IPA "
+"server. This will reduce the latency and load on the IPA server if there are "
+"many user login requests made in a short period."
+msgstr ""
+"Проміжок часу між послідовними пошуками у картах SELinux щодо сервера IPA. "
+"Зміна може зменшити час затримки та навантаження на сервер IPA, якщо "
+"протягом короткого періоду часу надходить багато запитів щодо входу "
+"користувача до системи."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:523
+msgid "ipa_server_mode (boolean)"
+msgstr "ipa_server_mode (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:526
+msgid ""
+"This option will be set by the IPA installer (ipa-server-install) "
+"automatically and denotes if SSSD is running on an IPA server or not."
+msgstr ""
+"Цей параметр буде встановлено засобом встановлення IPA (ipa-server-install) "
+"автоматично, він визначає, чи запущено SSSD на сервері IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:531
+msgid ""
+"On an IPA server SSSD will lookup users and groups from trusted domains "
+"directly while on a client it will ask an IPA server." 
+msgstr ""
+"На сервері IPA SSSD шукатиме записи користувачів і груп із довірених доменів "
+"безпосередньо, хоча на клієнті SSSD надсилатиме запит на сервер IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:536
+msgid ""
+"NOTE: There are currently some assumptions that must be met when SSSD is "
+"running on an IPA server."
+msgstr ""
+"Зауваження: у поточній версії має бути виконано декілька умов, якщо SSSD "
+"працює на сервері IPA."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:541
+msgid ""
+"The <quote>ipa_server</quote> option must be configured to point to the IPA "
+"server itself. This is already the default set by the IPA installer, so no "
+"manual change is required."
+msgstr ""
+"Параметр <quote>ipa_server</quote> має бути налаштовано так, щоб він "
+"вказував на сам сервер IPA. Це типово робить засіб встановлення IPA, тому "
+"зміни вручну є зайвими."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:550
+msgid ""
+"The <quote>full_name_format</quote> option must not be tweaked to only print "
+"short names for users from trusted domains."
+msgstr ""
+"Не слід змінювати значення параметра <quote>full_name_format</quote> для "
+"того, щоб лише виводити короткі імена користувачів з довірених доменів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:565
+msgid "ipa_automount_location (string)"
+msgstr "ipa_automount_location (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:568
+msgid "The automounter location this IPA client will be using"
+msgstr ""
+"Адреса автоматичного монтування, яку буде використовувати цей клієнт IPA"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:571
+msgid "Default: The location named \"default\""
+msgstr "Типове значення: адреса з назвою \"default\""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:579
+msgid "VIEWS AND OVERRIDES"
+msgstr "ПЕРЕГЛЯДИ і ПЕРЕВИЗНАЧЕННЯ"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:588
+msgid "ipa_view_class (string)"
+msgstr "ipa_view_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:591
+msgid "Objectclass of the view container."
+msgstr "Клас об’єктів для контейнерів перегляду."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:594
+msgid "Default: nsContainer"
+msgstr "Типове значення: nsContainer"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:600
+msgid "ipa_view_name (string)"
+msgstr "ipa_view_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:603
+msgid "Name of the attribute holding the name of the view."
+msgstr "Назва атрибута, у якому зберігається назва перегляду."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:613
+msgid "ipa_override_object_class (string)"
+msgstr "ipa_override_object_class (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:616
+msgid "Objectclass of the override objects."
+msgstr "Клас об’єктів для об’єктів перевизначення"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:619
+msgid "Default: ipaOverrideAnchor"
+msgstr "Типове значення: ipaOverrideAnchor"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:625
+msgid "ipa_anchor_uuid (string)"
+msgstr "ipa_anchor_uuid (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:628
+msgid ""
+"Name of the attribute containing the reference to the original object in a "
+"remote domain."
+msgstr ""
+"Назва атрибута, у якому зберігається посилання на початковий об’єкт на "
+"віддаленому домені."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:632
+msgid "Default: ipaAnchorUUID"
+msgstr "Типове значення: ipaAnchorUUID"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:638
+msgid "ipa_user_override_object_class (string)"
+msgstr "ipa_user_override_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:641
+msgid ""
+"Name of the objectclass for user overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+"Назва класу об’єктів для перевизначень користувачів. Використовується для "
+"визначення того, чи знайдений об’єкт перевизначення пов’язано з користувачем "
+"або групою."
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:646
+msgid "User overrides can contain attributes given by"
+msgstr "Перевизначення користувачів можуть містити атрибути, задані"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:649
+msgid "ldap_user_name"
+msgstr "ldap_user_name"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:652
+msgid "ldap_user_uid_number"
+msgstr "ldap_user_uid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:655
+msgid "ldap_user_gid_number"
+msgstr "ldap_user_gid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:658
+msgid "ldap_user_gecos"
+msgstr "ldap_user_gecos"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:661
+msgid "ldap_user_home_directory"
+msgstr "ldap_user_home_directory"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:664
+msgid "ldap_user_shell"
+msgstr "ldap_user_shell"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:667
+msgid "ldap_user_ssh_public_key"
+msgstr "ldap_user_ssh_public_key"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:672
+msgid "Default: ipaUserOverride"
+msgstr "Типове значення: ipaUserOverride"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd-ipa.5.xml:678
+msgid "ipa_group_override_object_class (string)"
+msgstr "ipa_group_override_object_class (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:681
+msgid ""
+"Name of the objectclass for group overrides. It is used to determine if the "
+"found override object is related to a user or a group."
+msgstr ""
+"Назва класу об’єктів для перевизначень груп. Використовується для визначення "
+"того, чи знайдений об’єкт перевизначення пов’язано з користувачем або групою."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:686
+msgid "Group overrides can contain attributes given by"
+msgstr "Перевизначення груп можуть містити атрибути, задані"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:689
+msgid "ldap_group_name"
+msgstr "ldap_group_name"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:692
+msgid "ldap_group_gid_number"
+msgstr "ldap_group_gid_number"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd-ipa.5.xml:697
+msgid "Default: ipaGroupOverride"
+msgstr "Типове значення: ipaGroupOverride"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:581
+msgid ""
+"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
+"later version. Since all paths and objectclasses are fixed on the server "
+"side there is basically no need to configure anything. For completeness the "
+"related options are listed here with their default values. <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"SSSD може обробляти перегляди та перевизначення, які пропонуються FreeIPA "
+"4.1 та новішими версіями. Оскільки усі шляхи і класи об’єктів зафіксовано на "
+"боці сервера, в основному, немає потреби у додатковому налаштовуванні. Для "
+"повноти, усі відповідні параметри наведено у списку разом з їхніми типовими "
+"значеннями. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:709
+msgid "SUBDOMAINS PROVIDER"
+msgstr "СЛУЖБА ПІДДОМЕНІВ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:711
+msgid ""
+"The IPA subdomains provider behaves slightly differently if it is configured "
+"explicitly or implicitly."
+msgstr ""
+"Поведінка інструмента надання даних піддоменів IPA залежить від того, у який "
+"спосіб його налаштовано: явний чи неявний."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:715
+msgid ""
+"If the option 'subdomains_provider = ipa' is found in the domain section of "
+"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
+"subdomain requests are sent to the IPA server if necessary."
+msgstr ""
+"Якщо у розділі домену sssd.conf буде знайдено запис параметра "
+"«subdomains_provider = ipa», інструмент надання даних піддоменів IPA "
+"налаштовано явно, отже всі запити піддоменів надсилатимуться серверу IPA, "
+"якщо це потрібно."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:721
+msgid ""
+"If the option 'subdomains_provider' is not set in the domain section of sssd."
+"conf but there is the option 'id_provider = ipa', the IPA subdomains "
+"provider is configured implicitly. In this case, if a subdomain request "
+"fails and indicates that the server does not support subdomains, i.e. is not "
+"configured for trusts, the IPA subdomains provider is disabled. After an "
+"hour or after the IPA provider goes online, the subdomains provider is "
+"enabled again."
+msgstr ""
+"Якщо у розділі домену sssdconf не встановлено параметр "
+"«subdomains_provider», але встановлено параметр «id_provider = ipa», "
+"інструмент надання даних піддоменів IPA налаштовано неявним чином. У цьому "
+"випадку спроба запиту щодо піддомену зазнає невдачі і вказуватиме на те, що "
+"на сервері не передбачено піддоменів, тобто його не налаштовано на довіру, "
+"отже інструмент надання даних піддоменів IPA вимкнено. Щойно мине година або "
+"відкриється доступ до інструмента надання даних IPA, інструмент надання "
+"даних піддоменів буде знову увімкнено."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-ipa.5.xml:732
+#, fuzzy
+#| msgid "TRUSTED DOMAIN SECTION"
+msgid "TRUSTED DOMAINS CONFIGURATION"
+msgstr "РОЗДІЛ ДОВІРЕНИХ ДОМЕНІВ"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:738
+#, no-wrap
+msgid ""
+"[domain/ipa.domain.com/ad.domain.com]\n"
+"ad_server = dc.ad.domain.com\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:734
+#, fuzzy
+#| msgid ""
+#| "These configuration options can be present in a domain configuration "
+#| "section, that is, in a section called <quote>[domain/<replaceable>NAME</"
+#| "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+msgid ""
+"Some configuration options can be also set for a trusted domain. 
A trusted "
+"domain configuration can either be done using a subsection, for example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Ці параметри налаштування може бути вказано у розділі налаштування домену, "
+"тобто у розділі з назвою <quote>[domain/<replaceable>НАЗВА</replaceable>]</"
+"quote> <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:743
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"In addition, some options can be set in the parent domain and inherited by "
+"the trusted domain using the <quote>subdomain_inherit</quote> option. For "
+"more details, see the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"З докладнішими відомостями щодо параметра «dns_discovery_domain» можна "
+"ознайомитися на сторінці підручника (man) <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:753
+msgid ""
+"Different configuration options are tunable for a trusted domain depending "
+"on whether you are configuring SSSD on an IPA server or an IPA client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:758
+msgid "OPTIONS TUNABLE ON IPA MASTERS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:760
+msgid ""
+"The following options can be set in a subdomain section on an IPA master:"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794
+#, fuzzy
+#| msgid "ad_server,"
+msgid "ad_server"
+msgstr "ad_server,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:767
+#, fuzzy
+#| msgid "ad_backup_server,"
+msgid "ad_backup_server"
+msgstr "ad_backup_server,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797
+#, fuzzy
+#| msgid "ad_site,"
+msgid "ad_site"
+msgstr "ad_site,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:773
+#, fuzzy
+#| msgid "ldap_search_base,"
+msgid "ldap_search_base"
+msgstr "ldap_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:776
+#, fuzzy
+#| msgid "ldap_user_search_base,"
+msgid "ldap_user_search_base"
+msgstr "ldap_user_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sssd-ipa.5.xml:779
+#, fuzzy
+#| msgid "ldap_group_search_base,"
+msgid "ldap_group_search_base"
+msgstr "ldap_group_search_base,"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd-ipa.5.xml:788
+msgid "OPTIONS TUNABLE ON IPA CLIENTS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:790
+msgid ""
+"The following options can be set in a subdomain section on an IPA client:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:802
+msgid ""
+"Note that if both options are set, only <quote>ad_server</quote> is "
+"evaluated."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd-ipa.5.xml:806
+msgid ""
+"Since any request for a user or a group identity from a trusted domain "
+"triggered from an IPA client is resolved by the IPA server, the "
+"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect "
+"which AD DC will the authentication be performed against. In particular, the "
+"addresses resolved from these lists will be written to <quote>kdcinfo</"
+"quote> files read by the Kerberos locator plugin. Please refer to the "
+"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the "
+"Kerberos locator plugin."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ipa.5.xml:830
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This examples shows only the ipa provider-specific options."
+msgstr ""
+"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, "
+"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. "
+"У прикладі продемонстровано лише параметри доступу, специфічні для засобу "
+"ipa."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ipa.5.xml:837
+#, no-wrap
+msgid ""
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
+msgstr ""
+"[domain/example.com]\n"
+"id_provider = ipa\n"
+"ipa_server = ipaserver.example.com\n"
+"ipa_hostname = myhost.example.com\n"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ad.5.xml:10 sssd-ad.5.xml:16
+msgid "sssd-ad"
+msgstr "sssd-ad"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ad.5.xml:17
+msgid "SSSD Active Directory provider"
+msgstr "Модуль надання даних Active Directory SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:23
+msgid ""
+"This manual page describes the configuration of the AD provider for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"На цій сторінці довідника описано налаштування засобу керування доступом AD "
+"для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, "
+"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:36
+msgid ""
+"The AD provider is a back end used to connect to an Active Directory server. "
+"This provider requires that the machine be joined to the AD domain and a "
+"keytab is available. Back end communication occurs over a GSSAPI-encrypted "
+"channel, SSL/TLS options should not be used with the AD provider and will be "
+"superseded by Kerberos usage."
+msgstr ""
+"Засіб надання даних AD є модулем, який використовується для встановлення "
+"з'єднання із сервером Active Directory. Для роботи цього засобу надання "
+"даних потрібно, щоб комп'ютер було долучено до домену AD і щоб було "
+"доступним сховище ключів. Обмін даними із модулем відбувається за допомогою "
+"каналу із шифруванням GSSAPI. Із засобом надання даних AD не слід "
+"використовувати параметри SSL/TLS, оскільки їх перекриває використання "
+"Kerberos."
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:44
+msgid ""
+"The AD provider supports connecting to Active Directory 2008 R2 or later. "
+"Earlier versions may work, but are unsupported."
+msgstr ""
+"У засобі надання даних AD передбачено підтримку встановлення з’єднання з "
+"Active Directory 2008 R2 або пізнішою версією. Робота з попередніми версіями "
+"можлива, але не підтримується."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:48
+msgid ""
+"The AD provider can be used to get user information and authenticate users "
+"from trusted domains. Currently only trusted domains in the same forest are "
+"recognized. In addition servers from trusted domains are always auto-"
+"discovered."
+msgstr ""
+"Засобом надання даних AD можна скористатися для отримання даних щодо "
+"користувачів і розпізнавання користувачів за допомогою довірених доменів. У "
+"поточній версії передбачено підтримку використання лише довірених доменів з "
+"того самого лісу. Крім того автоматично визначаються сервери із довірених "
+"доменів."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:54
+msgid ""
+"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
+"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
+"optimizations for Active Directory environments. The AD provider accepts the "
+"same options used by the sssd-ldap and sssd-krb5 providers with some "
+"exceptions. However, it is neither necessary nor recommended to set these "
+"options." 
+msgstr ""
+"Засіб надання даних AD уможливлює для SSSD використання засобу надання даних "
+"профілів <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> та засобу надання даних "
+"розпізнавання <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> з оптимізацією для середовищ Active "
+"Directory. Засіб надання даних AD приймає ті самі параметри, які "
+"використовуються засобами надання даних sssd-ldap та sssd-krb5, із деякими "
+"виключеннями. Втім, встановлювати ці параметри не обов'язково і не "
+"рекомендовано."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:69
+msgid ""
+"The AD provider primarily copies the traditional ldap and krb5 provider "
+"default options with some exceptions, the differences are listed in the "
+"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
+msgstr ""
+"Засіб надання даних AD в основному копіює типові параметри традиційних "
+"засобів надання даних ldap і krb5 із деякими виключенням. Відмінності "
+"наведено у розділі <quote>ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:74
+msgid ""
+"The AD provider can also be used as an access, chpass, sudo and autofs "
+"provider. No configuration of the access provider is required on the client "
+"side."
+msgstr ""
+"Інструментом надання даних AD також можна скористатися для доступу, зміни "
+"паролів запуску від імені користувача (sudo) та використання autofs. У "
+"налаштовуванні керування доступом на боці клієнта немає потреби."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:79
+msgid ""
+"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is "
+"configured in sssd.conf then the id_provider must also be set to <quote>ad</"
+"quote>." 
+msgstr ""
+"Якщо у sssdconf вказано <quote>auth_provider=ad</quote> або "
+"<quote>access_provider=ad</quote>, для id_provider також має бути вказано "
+"<quote>ad</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:91
+#, no-wrap
+msgid ""
+"ldap_id_mapping = False\n"
+" "
+msgstr ""
+"ldap_id_mapping = False\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:85
+#, fuzzy
+#| msgid ""
+#| "By default, the AD provider will map UID and GID values from the "
+#| "objectSID parameter in Active Directory. For details on this, see the "
+#| "<quote>ID MAPPING</quote> section below. If you want to disable ID "
+#| "mapping and instead rely on POSIX attributes defined in Active Directory, "
+#| "you should set <placeholder type=\"programlisting\" id=\"0\"/> If POSIX "
+#| "attributes should be used, it is recommended for performance reasons that "
+#| "the attributes are also replicated to the Global Catalog. If POSIX "
+#| "attributes are replicated, SSSD will attempt to locate the domain of a "
+#| "requested numerical ID with the help of the Global Catalog and only "
+#| "search that domain. In contrast, if POSIX attributes are not replicated "
+#| "to the Global Catalog, SSSD must search all the domains in the forest "
+#| "sequentially. Please note that the <quote>cache_first</quote> option "
+#| "might be also helpful in speeding up domainless searches."
+msgid ""
+"By default, the AD provider will map UID and GID values from the objectSID "
+"parameter in Active Directory. For details on this, see the <quote>ID "
+"MAPPING</quote> section below. If you want to disable ID mapping and instead "
+"rely on POSIX attributes defined in Active Directory, you should set "
+"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should "
+"be used, it is recommended for performance reasons that the attributes are "
+"also replicated to the Global Catalog. 
If POSIX attributes are replicated, "
+"SSSD will attempt to locate the domain of a requested numerical ID with the "
+"help of the Global Catalog and only search that domain. In contrast, if "
+"POSIX attributes are not replicated to the Global Catalog, SSSD must search "
+"all the domains in the forest sequentially. Please note that the "
+"<quote>cache_first</quote> option might be also helpful in speeding up "
+"domainless searches. Note that if only a subset of POSIX attributes is "
+"present in the Global Catalog, the non-replicated attributes are currently "
+"not read from the LDAP port."
+msgstr ""
+"Типово, модуль надання даних AD виконуватиме прив’язку до значень UID та GID "
+"з параметра objectSID у Active Directory. Докладніший опис наведено у "
+"розділі «ВСТАНОВЛЕННЯ ВІДПОВІДНОСТІ ІДЕНТИФІКАТОРІВ». Якщо вам потрібно "
+"вимкнути встановлення відповідності ідентифікаторів і покладатися на "
+"атрибути POSIX, визначені у Active Directory, вам слід встановити "
+"<placeholder type=\"programlisting\" id=\"0\"/> Якщо має бути використано "
+"атрибути POSIX, рекомендуємо з міркувань швидкодії виконувати також "
+"реплікацію атрибутів до загального каталогу. Якщо виконується реплікація "
+"атрибутів POSIX, SSSD намагатиметься знайти домен числового ідентифікатора "
+"із запиту за допомогою загального каталогу і шукатиме лише цей домен. І "
+"навпаки, якщо реплікація атрибутів POSIX до загального каталогу не "
+"відбувається, SSSD доводиться шукати на усіх доменах у лісі послідовно. Будь "
+"ласка, зауважте, що для пришвидшення пошуку без доменів також може бути "
+"корисним використання параметра <quote>cache_first</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:108
+msgid ""
+"Users, groups and other entities served by SSSD are always treated as case-"
+"insensitive in the AD provider for compatibility with Active Directory's "
+"LDAP implementation." 
+msgstr ""
+"Дані щодо користувачів, груп та інших записів, які обслуговуються SSSD, у "
+"модулі надання даних AD завжди обробляються із врахуванням регістру символів "
+"для забезпечення сумісності з реалізацією Active Directory у LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:123
+msgid "ad_domain (string)"
+msgstr "ad_domain (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:126
+msgid ""
+"Specifies the name of the Active Directory domain. This is optional. If not "
+"provided, the configuration domain name is used."
+msgstr ""
+"Визначає назву домену Active Directory. Є необов’язковим. Якщо не вказано, "
+"буде використано назву домену з налаштувань."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:131
+msgid ""
+"For proper operation, this option should be specified as the lower-case "
+"version of the long version of the Active Directory domain."
+msgstr ""
+"Для забезпечення належної роботи цей параметр слід вказати у форматі запису "
+"малими літерами повної версії назви домену Active Directory."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:136
+msgid ""
+"The short domain name (also known as the NetBIOS or the flat name) is "
+"autodetected by the SSSD."
+msgstr ""
+"Скорочена назва домену (також відома як назва NetBIOS або проста назва) "
+"автоматично визначається засобами SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:143
+msgid "ad_enabled_domains (string)"
+msgstr "ad_enabled_domains (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:146
+msgid ""
+"A comma-separated list of enabled Active Directory domains. If provided, "
+"SSSD will ignore any domains not listed in this option. If left unset, all "
+"domains from the AD forest will be available."
+msgstr ""
+"Список дозволених доменів Active Directory, відокремлених комами. Якщо "
+"вказано, SSSD ігноруватиме будь-які домени, яких немає у списку цього "
+"параметра. Якщо значення параметра не встановлено, доступними будуть усі "
+"домени з лісу AD."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ad.5.xml:156
+#, no-wrap
+msgid ""
+"ad_enabled_domains = sales.example.com, eng.example.com\n"
+" "
+msgstr ""
+"ad_enabled_domains = sales.example.com, eng.example.com\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:152
+msgid ""
+"For proper operation, this option must be specified in all lower-case and as "
+"the fully qualified domain name of the Active Directory domain. For example: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Для належного функціонування значення цього параметра має бути вказано "
+"малими літерами у форматі повної назви домену Active Directory. Приклад: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:160
+msgid ""
+"The short domain name (also known as the NetBIOS or the flat name) will be "
+"autodetected by SSSD."
+msgstr ""
+"Скорочена назва домену (також відома як назва NetBIOS або проста назва) "
+"автоматично визначається засобами SSSD."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:170
+msgid "ad_server, ad_backup_server (string)"
+msgstr "ad_server, ad_backup_server (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:173
+msgid ""
+"The comma-separated list of hostnames of the AD servers to which SSSD should "
+"connect in order of preference. For more information on failover and server "
+"redundancy, see the <quote>FAILOVER</quote> section."
+msgstr ""
+"Список назв тих вузлів серверів AD, відокремлених комами, з якими SSSD має "
+"встановлювати з'єднання у порядку пріоритетності. Щоб дізнатися більше про "
+"резервне використання серверів, ознайомтеся із розділом <quote>РЕЗЕРВ</"
+"quote>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:180
+msgid ""
+"This is optional if autodiscovery is enabled. For more information on "
+"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
+msgstr ""
+"Цей список є необов’язковим, якщо увімкнено автоматичне виявлення служб. "
+"Докладніші відомості щодо автоматичного виявлення служб наведено у розділі "
+"«ПОШУК СЛУЖБ»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:185
+msgid ""
+"Note: Trusted domains will always auto-discover servers even if the primary "
+"server is explicitly defined in the ad_server option."
+msgstr ""
+"Зауваження: довірені домени завжди автоматично визначають сервери, навіть "
+"якщо основний сервер явним чином визначено у параметрі ad_server."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:193
+msgid "ad_hostname (string)"
+msgstr "ad_hostname (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:196
+msgid ""
+"Optional. May be set on machines where the hostname(5) does not reflect the "
+"fully qualified name used in the Active Directory domain to identify this "
+"host."
+msgstr ""
+"Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не "
+"відповідає повній назві, що використовується доменом Active Directory для "
+"розпізнавання цього вузла."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:202
+msgid ""
+"This field is used to determine the host principal in use in the keytab. It "
+"must match the hostname for which the keytab was issued."
+msgstr ""
+"Це поле використовується для визначення основної назви вузла, яка "
+"використовуватиметься у таблиці ключів. Ця назва має відповідати назві "
+"вузла, для якого випущено таблицю ключів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:210
+msgid "ad_enable_dns_sites (boolean)"
+msgstr "ad_enable_dns_sites (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:217
+msgid ""
+"If true and service discovery (see Service Discovery paragraph at the bottom "
+"of the man page) is enabled, the SSSD will first attempt to discover the "
+"Active Directory server to connect to using the Active Directory Site "
+"Discovery and fall back to the DNS SRV records if no AD site is found. The "
+"DNS SRV configuration, including the discovery domain, is used during site "
+"discovery as well."
+msgstr ""
+"Якщо вказано значення true і увімкнено визначення служб (див. 
розділ щодо "
+"пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку "
+"спробує визначити сервер Active Directory для встановлення з’єднання на "
+"основі використання визначення сайтів Active Directory і повертається до "
+"визначення за записами SRV DNS, якщо сайт AD не буде знайдено. Налаштування "
+"SRV DNS, зокрема домен пошуку, використовуються також під час визначення "
+"сайтів."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:233
+msgid "ad_access_filter (string)"
+msgstr "ad_access_filter (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:236
+msgid ""
+"This option specifies LDAP access control filter that the user must match in "
+"order to be allowed access. Please note that the <quote>access_provider</"
+"quote> option must be explicitly set to <quote>ad</quote> in order for this "
+"option to have an effect."
+msgstr ""
+"Цей параметр визначає фільтр керування доступом LDAP, якому має відповідати "
+"запис користувача для того, щоб йому було надано доступ. Будь ласка, "
+"зауважте, що слід явним чином встановити для параметра «access_provider» "
+"значення «ad», щоб цей параметр почав діяти."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:244
+msgid ""
+"The option also supports specifying different filters per domain or forest. "
+"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. "
+"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or "
+"missing."
+msgstr ""
+"У параметрі також передбачено підтримку визначення різних фільтрів для "
+"окремих доменів або дерев. Цей розширений фільтр повинен мати такий формат: "
+"«КЛЮЧОВЕ СЛОВО:НАЗВА:ФІЛЬТР». Набір підтримуваних ключових слів: «DOM», "
+"«FOREST» або ключове слово слід пропустити."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:252
+msgid ""
+"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
+"quote> specifies the domain or subdomain the filter applies to. If the "
+"keyword equals to <quote>FOREST</quote>, then the filter equals to all "
+"domains from the forest specified by <quote>NAME</quote>."
+msgstr ""
+"Якщо вказано ключове слово «DOM» або ключового слова не вказано, «НАЗВА» "
+"визначає домен або піддомен, до якого застосовується фільтрування. Якщо "
+"ключовим словом є «FOREST», фільтр застосовується до усіх доменів з лісу, "
+"вказаного значенням «НАЗВА»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:260
+msgid ""
+"Multiple filters can be separated with the <quote>?</quote> character, "
+"similarly to how search bases work."
+msgstr ""
+"Декілька фільтрів можна відокремити символом «?», подібно до способу "
+"визначення фільтрів у базах для пошуку."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:265
+msgid ""
+"Nested group membership must be searched for using a special OID "
+"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
+"example.org: syntax to ensure the parser does not attempt to interpret the "
+"colon characters associated with the OID. If you do not use this OID then "
+"nested group membership will not be resolved. See usage example below and "
+"refer here for further information about the OID: <ulink url=\"https://msdn." 
+"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
+"extensions</ulink>"
+msgstr ""
+"Визначення участі у вкладених групах має відбуватися із використанням "
+"спеціалізованого OID <quote>:1.2.840.113556.1.4.1941:</quote>, окрім повних "
+"синтаксичних конструкцій DOM:domain.example.org:, щоб засіб обробки не "
+"намагався інтерпретувати символи двокрапки, пов'язані з OID. Якщо ви не "
+"використовуєте цей OID, вкладена участь у групах не визначатиметься. "
+"Ознайомтеся із прикладом використання, який наведено нижче, і цим "
+"посиланням, щоб дізнатися більше про OID: <ulink url=\"https://msdn."
+"microsoft.com/en-us/library/cc223367.aspx\">[MS-ADTS] Правила встановлення "
+"відповідності у LDAP</ulink>"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:278
+msgid ""
+"The most specific match is always used. For example, if the option specified "
+"filter for a domain the user is a member of and a global filter, the per-"
+"domain filter would be applied. If there are more matches with the same "
+"specification, the first one is used."
+msgstr ""
+"Завжди використовується відповідник з найвищим рівнем відповідності. "
+"Наприклад, якщо визначено фільтрування для домену, учасником якого є "
+"користувач, і загальне фільтрування, буде використано фільтрування для "
+"окремого домену. Якщо буде виявлено декілька відповідників з однаковою "
+"специфікацією, використовуватиметься лише перший з них."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
+#: sssd-ad.5.xml:289
+#, no-wrap
+msgid ""
+"# apply filter on domain called dom1 only:\n"
+"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+"\n"
+"# apply filter on domain called dom2 only:\n"
+"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+"\n"
+"# apply filter on forest called EXAMPLE.COM only:\n"
+"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# apply filter for a member of a nested group in dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
+" "
+msgstr ""
+"# застосувати фільтрування лише для домену з назвою dom1:\n"
+"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
+"\n"
+"# застосувати фільтрування лише для домену з назвою dom2:\n"
+"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
+"\n"
+"# застосувати фільтрування лише для лісу з назвою EXAMPLE.COM:\n"
+"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
+"\n"
+"# застосувати фільтрування до учасника вкладеної групи у dom1:\n"
+"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:308
+msgid "ad_site (string)"
+msgstr "ad_site (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:311
+msgid ""
+"Specify AD site to which client should try to connect. If this option is "
+"not provided, the AD site will be auto-discovered."
+msgstr ""
+"Визначає сайт AD, з яким має встановлювати з’єднання клієнт. Якщо не буде "
+"вказано, виконуватиметься спроба автоматичного визначення сайта AD."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:322
+msgid "ad_enable_gc (boolean)"
+msgstr "ad_enable_gc (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:325
+msgid ""
+"By default, the SSSD connects to the Global Catalog first to retrieve users "
+"from trusted domains and uses the LDAP port to retrieve group memberships or "
+"as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
+"port of the current AD server."
+msgstr ""
+"Типово, SSSD для отримання даних користувачів з надійних (довірених) доменів "
+"спочатку встановлює з’єднання із загальним каталогом (Global Catalog). Якщо "
+"ж отримати дані не вдасться, система використовує порт LDAP для отримання "
+"даних щодо участі у групах. Вимикання цього параметра призведе до того, що "
+"SSSD встановлюватиме зв’язок лише з портом LDAP поточного сервера AD."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:333
+msgid ""
+"Please note that disabling Global Catalog support does not disable "
+"retrieving users from trusted domains. The SSSD would connect to the LDAP "
+"port of trusted domains instead. However, Global Catalog must be used in "
+"order to resolve cross-domain group memberships."
+msgstr ""
+"Будь ласка, зауважте, що вимикання підтримки загального каталогу (Global "
+"Catalog) не призведе до вимикання спроб отримати дані користувачів з "
+"надійних (довірених) доменів. Просто SSSD намагатиметься отримати ці ж дані "
+"за допомогою порту LDAP надійних доменів. Втім, загальним каталогом (Global "
+"Catalog) доведеться скористатися для визначення зв’язків даних щодо участі у "
+"групах для різних доменів."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-ad.5.xml:347
+msgid "ad_gpo_access_control (string)"
+msgstr "ad_gpo_access_control (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:350
+msgid ""
+"This option specifies the operation mode for GPO-based access control "
+"functionality: whether it operates in disabled mode, enforcing mode, or "
+"permissive mode. Please note that the <quote>access_provider</quote> option "
+"must be explicitly set to <quote>ad</quote> in order for this option to have "
+"an effect."
+msgstr ""
+"Цей параметр визначає режим роботи для функціональних можливостей керування "
+"доступом на основі GPO: працюватиме система у вимкненому режимі, режимі "
+"примушення чи дозвільному режимі. Будь ласка, зауважте, що для того, щоб цей "
+"параметр запрацював, слід явним чином встановити для параметра "
+"«access_provider» значення «ad»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:359
+msgid ""
+"GPO-based access control functionality uses GPO policy settings to determine "
+"whether or not a particular user is allowed to logon to a particular host."
+msgstr ""
+"Функціональні можливості з керування доступом на основі GPO використовують "
+"параметри правил GPO для визначення того, може чи не може той чи інший "
+"користувач увійти до системи певного вузла мережі."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:365
+msgid ""
+"NOTE: The current version of SSSD does not support host (computer) entries "
+"in the GPO 'Security Filtering' list. Only user and group entries are "
+"supported. Host entries in the list have no effect." 
+msgstr "" +"Зауваження: у поточній версії SSSD не передбачено підтримки записів вузлів " +"(комп'ютерів) до списку «Фільтрування захисту» («Security Filtering») GPO. " +"Передбачено підтримку лише записів користувачів і груп. Записи вузлів у " +"списку ні на що не впливатимуть." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" +"ЗАУВАЖЕННЯ: якщо встановлено режим роботи «примусовий» (enforcing), можлива " +"ситуація, коли користувачі, які раніше мали доступ до входу, позбудуться " +"такого доступу (через використання параметрів правил GPO). З метою полегшити " +"перехід на нову систему для адміністраторів передбачено дозвільний режим " +"доступу (permissive), за якого правила керування доступом не " +"встановлюватимуться у примусовому порядку. Програма лише перевірятиме " +"відповідність цим правилам і виводитиме до системного журналу повідомлення, " +"якщо доступ було надано усупереч цим правилам. Вивчення журналу надасть " +"змогу адміністраторам внести відповідні зміни до встановлення примусового " +"режиму (enforcing)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "У цього параметра є три підтримуваних значення:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" +"disabled: правила керування доступом, засновані на GPO, не обробляються і не " +"використовуються примусово." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" +"enforcing: правила керування доступом, засновані на GPO, обробляються і " +"використовуються примусово." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" +"permissive: виконати перевірку відповідності правилам керування доступом на " +"основі GPO, але не наполягати на їхньому виконанні. Якщо правила не " +"виконуються, вивести до системного журналу повідомлення про те, що " +"користувачеві було б заборонено доступ, якби використовувався режим " +"enforcing." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "Типове значення: permissive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "Типове значення: enforcing" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "ad_gpo_cache_timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" +"Проміжок часу між послідовними пошуками файлів правил GPO щодо сервера AD. " +"Зміна може зменшити час затримки та навантаження на сервер AD, якщо протягом " +"короткого періоду часу надходить багато запитів щодо керування доступом." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "ad_gpo_map_interactive (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" +"Список назв служб PAM, відокремлених комами, для яких керування доступом на " +"основі GPO виконуватиметься на основі параметрів правил " +"InteractiveLogonRight і DenyInteractiveLogonRight." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" +"Зауваження: у редакторі керування правилами для груп це значення має назву " +"«Дозволити локальний вхід» («Allow log on locally») та «Заборонити локальний " +"вхід» («Deny log on locally»)." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «login») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" +"Типове значення: типовий набір назв служб PAM складається з таких значень:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "login" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "su" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "su-l" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "gdm-fingerprint" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "gdm-password" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "gdm-smartcard" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "kdm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "lightdm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "lxdm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "sddm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "unity" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "xdm" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "ad_gpo_map_remote_interactive (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" +"Список назв служб PAM, відокремлених комами, для яких керування доступом на " +"основі GPO засновано на параметрах захисту RemoteInteractiveLogonRight і " +"DenyRemoteInteractiveLogonRight." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Дозволити вхід за допомогою служб віддаленої стільниці» («Allow " +"log on through Remote Desktop Services») та «Заборонити вхід за допомогою " +"служб віддаленої стільниці» («Deny log on through Remote Desktop Services»)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «sshd») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "sshd" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "cockpit" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "ad_gpo_map_network (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." 
+msgstr "" +"Список назв служб PAM, відокремлених комами, для яких керування доступом на " +"основі GPO засновано на параметрах захисту NetworkLogonRight і " +"DenyNetworkLogonRight." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Відкрити доступ до цього комп’ютера із мережі» («Access this " +"computer from the network») і «Заборонити доступ до цього комп’ютера із " +"мережі» (Deny access to this computer from the network»)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «ftp») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "ftp" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "samba" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "ad_gpo_map_batch (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" +"Список назв служб PAM, відокремлених комами, для яких керування доступом на " +"основі GPO засновано на параметрах захисту BatchLogonRight і " +"DenyBatchLogonRight." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Дозволити вхід як пакетне завдання» («Allow log on as a batch " +"job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch job»)." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для цього входу (наприклад, «crond») з " +"нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "crond" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "ad_gpo_map_service (рядок)" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" +"Список назв служб PAM, відокремлених комами, для яких керування доступом на " +"основі GPO засновано на параметрах захисту ServiceLogonRight і " +"DenyServiceLogonRight." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" +"Зауваження: у редакторі керування правилами щодо груп це значення " +"називається «Дозволити вхід як службу» («Allow log on as a service») і " +"«Заборонити вхід як службу» («Deny log on as a service»)." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" +"ad_gpo_map_service = +my_pam_service\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби». 
Оскільки типовий набір є порожнім, назви служби " +"з типового набору назв служб PAM вилучити неможливо. Наприклад, щоб додати " +"нетипову назву служби PAM (наприклад, «my_pam_service»), вам слід " +"скористатися такими налаштуваннями: <placeholder type=\"programlisting\" id=" +"\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "ad_gpo_map_permit (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" +"Список назв служб PAM, відокремлених комами, яким завжди надається доступ на " +"основі GPO, незалежно від будь-яких прав входу GPO." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. 
" +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" +"Можна додати іншу назву служби PAM до типового набору за допомогою " +"конструкції «+назва_служби» або явним чином вилучити назву служби PAM з " +"типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб " +"замінити типову назву служби PAM для безумовного дозволеного доступу " +"(наприклад, «sudo») з нетиповою назвою служби pam (наприклад, " +"«my_pam_service»), вам слід скористатися такими налаштуваннями: <placeholder " +"type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "polkit-1" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "sudo" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "sudo-i" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "systemd-user" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "ad_gpo_map_deny (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." 
+msgstr "" +"Список назв служб PAM, відокремлених комами, яким завжди заборонено доступ " +"на основі GPO, незалежно від будь-яких прав входу GPO." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" +"ad_gpo_map_deny = +my_pam_service\n" +" " + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "ad_gpo_default_right (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" +"За допомогою цього параметра визначається спосіб керування доступом для назв " +"служб PAM, які не вказано явним чином у одному з параметрів ad_gpo_map_*. " +"Цей параметр може бути встановлено у два різних способи. По-перше, цей " +"параметр можна встановити так, що використовуватиметься типовий вхід. " +"Наприклад, якщо для цього параметра встановлено значення «interactive», " +"непов’язані назви служб PAM оброблятимуться на основі параметрів правил " +"InteractiveLogonRight і DenyInteractiveLogonRight. 
Крім того, для цього " +"параметра можна встановити таке значення, щоб система завжди дозволяла або " +"забороняла доступ для непов’язаних назв служб PAM." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "Передбачені значення для цього параметра:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "interactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "remote_interactive" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "network" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "batch" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "service" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "permit" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "deny" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "Типове значення: deny" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "ad_maximum_machine_account_password_age (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" +"SSSD перевірятиме раз на день, чи має пароль до облікового запису комп'ютера " +"вік, який перевищує заданий вік у днях, і намагатиметься оновити його. " +"Значення 0 вимкне спроби оновлення." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "Типове значення: 30 днів" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "ad_machine_account_password_renewal_opts (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" +"Цей параметр має використовуватися лише для перевірки завдання із оновлення " +"облікових записів комп'ютерів. Параметру слід передати цілих числа, " +"відокремлених двокрапкою («:»). Перше ціле число визначає інтервал у " +"секундах між послідовними повторними виконаннями завдання з оновлення. 
Друге " +"— визначає початковий час очікування на перший запуск завдання." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "Типове значення: 86400:750 (24 годин і 15 хвилин)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" +"Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично " +"оновити IP-адресу цього клієнта на сервері DNS Active Directory. Захист " +"оновлення буде забезпечено за допомогою GSS-TSIG. Як наслідок, " +"адміністраторові Active Directory достатньо буде дозволити оновлення безпеки " +"для зони DNS. Для оновлення буде використано IP-адресу з’єднання LDAP AD, " +"якщо цю адресу не було змінено за допомогою параметра «dyndns_iface»." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "Типове значення: 3600 (секунд)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" +"Типове значення: використовувати IP-адреси інтерфейсу, який використовується " +"для з’єднання LDAP AD" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:928
+msgid ""
+"How often should the back end perform periodic DNS update in addition to the "
+"automatic update performed when the back end goes online. This option is "
+"optional and applicable only when dyndns_update is true. Note that the "
+"lowest possible value is 60 seconds in-case if value is provided less than "
+"60, parameter will assume lowest value only."
+msgstr ""
+"Визначає, наскільки часто серверний модуль має виконувати періодичні "
+"оновлення DNS на додачу до автоматичного оновлення, яке виконується під час "
+"кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не "
+"є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true. "
+"Зауважте, що найменшим можливим значенням є 60 секунд. Якщо буде вказано "
+"значення, яке є меншим за 60, використовуватиметься найменше можливе "
+"значення."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76
+msgid "Default: True"
+msgstr "Типове значення: True"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1043
+msgid ""
+"The following example assumes that SSSD is correctly configured and example."
+"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
+"This example shows only the AD provider-specific options."
+msgstr ""
+"У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, "
+"а example.com є одним з доменів у розділі <replaceable>[sssd]</replaceable>. "
+"У прикладі продемонстровано лише параметри доступу, специфічні для засобу AD."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1050
+#, no-wrap
+msgid ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+msgstr ""
+"[domain/EXAMPLE]\n"
+"id_provider = ad\n"
+"auth_provider = ad\n"
+"access_provider = ad\n"
+"chpass_provider = ad\n"
+"\n"
+"ad_server = dc1.example.com\n"
+"ad_hostname = client.example.com\n"
+"ad_domain = example.com\n"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-ad.5.xml:1070
+#, no-wrap
+msgid ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+msgstr ""
+"access_provider = ldap\n"
+"ldap_access_order = expire\n"
+"ldap_account_expire_policy = ad\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1066
+msgid ""
+"The AD access control provider checks if the account is expired. It has the "
+"same effect as the following configuration of the LDAP provider: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Інструмент керування доступом AD перевіряє, чи не завершено строк дії "
+"облікового запису. Дає той самий результат, що і ось таке налаштовування "
+"інструмента надання даних LDAP: <placeholder type=\"programlisting\" id="
+"\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1076
+msgid ""
+"However, unless the <quote>ad</quote> access control provider is explicitly "
+"configured, the default access provider is <quote>permit</quote>. Please "
+"note that if you configure an access provider other than <quote>ad</quote>, "
+"you need to set all the connection parameters (such as LDAP URIs and "
+"encryption details) manually."
+msgstr ""
+"Втім, якщо явно не налаштовано засіб надання доступу «ad», типовим засобом "
+"надання доступу буде «permit». Будь ласка, зауважте, що якщо вами "
+"налаштовано засіб надання доступу, відмінний від «ad», вам доведеться "
+"встановлювати усі параметри з’єднання (зокрема адреси LDAP та параметри "
+"шифрування) вручну."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ad.5.xml:1084
+msgid ""
+"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
+"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
+"are included in the default Active Directory schema."
+msgstr ""
+"Якщо для засобу надання даних autofs встановлено значення <quote>ad</quote>, "
+"використовується схема прив'язки атрибутів RFC2307 (nisMap, nisObject, ...), "
+"оскільки ці атрибути включено до типової схеми Active Directory."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16
+msgid "sssd-sudo"
+msgstr "sssd-sudo"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-sudo.5.xml:17
+msgid "Configuring sudo with the SSSD back end"
+msgstr "Налаштовування sudo за допомогою модуля SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
+msgstr ""
+"На цій сторінці підручника описано способи налаштовування <citerefentry> "
+"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"на роботу у комплексі з <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> та способи кешування правил sudo у "
+"SSSD."
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:36
+msgid "Configuring sudo to cooperate with SSSD"
+msgstr "Налаштовування sudo на співпрацю з SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:38
+msgid ""
+"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
+"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Щоб увімкнути SSSD як джерело правил sudo, додайте <emphasis>sss</emphasis> "
+"до запису <emphasis>sudoers</emphasis> у файлі <citerefentry> "
+"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:47
+msgid ""
+"For example, to configure sudo to first lookup rules in the standard "
+"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> file (which should contain rules that apply to "
+"local users) and then in SSSD, the nsswitch.conf file should contain the "
+"following line:"
+msgstr ""
+"Наприклад, щоб налаштувати sudo на першочерговий пошук правил у стандартному "
+"файлі <citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> (цей файл має містити правила, що стосуються "
+"локальних користувачів), а потім у SSSD, у файлі nsswitch.conf слід вказати "
+"такий рядок:"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:57
+#, no-wrap
+msgid "sudoers: files sss\n"
+msgstr "sudoers: files sss\n"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:61
+msgid ""
+"More information about configuring the sudoers search order from the "
+"nsswitch.conf file as well as information about the LDAP schema that is used "
+"to store sudo rules in the directory can be found in <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+msgstr ""
+"Докладніші дані щодо налаштовування порядку пошуку у sudoers за допомогою "
+"файла nsswitch.conf, а також дані щодо бази даних LDAP, у якій зберігаються "
+"правила sudo каталогу, можна знайти на сторінці підручника <citerefentry> "
+"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:70
+msgid ""
+"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
+"sudo rules, you also need to correctly set <citerefentry> "
+"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry> to your NIS domain name (which equals to IPA domain name when "
+"using hostgroups)."
+msgstr ""
+"<emphasis>Зауваження</emphasis>: щоб у правилах sudo можна було "
+"використовувати мережеві групи або групи вузлів IPA, вам слід належним чином "
+"налаштувати <citerefentry> <refentrytitle>nisdomainname</refentrytitle> "
+"<manvolnum>1</manvolnum> </citerefentry> на назву домену NIS (назва цього "
+"домену збігається з назвою домену IPA, якщо використовуються групи вузлів "
+"IPA)."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:82
+msgid "Configuring SSSD to fetch sudo rules"
+msgstr "Налаштовування SSSD на отримання правил sudo"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:84
+msgid ""
+"All configuration that is needed on SSSD side is to extend the list of "
+"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set "
+"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
+"option."
+msgstr ""
+"На боці SSSD достатньо розширити список <emphasis>служб</emphasis> "
+"дописуванням «sudo» до розділу [sssd] <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. Щоб "
+"пришвидшити пошуку у LDAP, ви також можете налаштувати базу пошуку для "
+"правил sudo за допомогою параметра <emphasis>ldap_sudo_search_base</"
+"emphasis>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:94
+msgid ""
+"The following example shows how to configure SSSD to download sudo rules "
+"from an LDAP server."
+msgstr ""
+"У наведеному нижче прикладі показано, як налаштувати SSSD на отримання "
+"правил sudo з сервера LDAP."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-sudo.5.xml:99
+#, no-wrap
+msgid ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+msgstr ""
+"[sssd]\n"
+"config_file_version = 2\n"
+"services = nss, pam, sudo\n"
+"domains = EXAMPLE\n"
+"\n"
+"[domain/EXAMPLE]\n"
+"id_provider = ldap\n"
+"sudo_provider = ldap\n"
+"ldap_uri = ldap://example.com\n"
+"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:98
+msgid ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> It's important to note that on platforms where systemd is "
+"supported there's no need to add the \"sudo\" provider to the list of "
+"services, as it became optional. However, sssd-sudo.socket must be enabled "
+"instead. </phrase>"
+msgstr ""
+"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
+"\"have_systemd\"> Важливо зауважити, що на платформах, де передбачено "
+"підтримку systemd, немає потреби додавати засіб надання даних «sudo» до "
+"списку служб, оскільки він стає необов'язковим. Втім, замість нього слід "
+"увімкнути sssd-sudo.socket.</phrase>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:118
+msgid ""
+"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
+"automatically enabled. The sudo search base is configured to use the IPA "
+"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
+"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
+"$SUFFIX) is no longer required for IPA sudo functionality."
+msgstr ""
+"Якщо SSSD налаштовано на використання IPA як засобу надання даних ID, засіб "
+"надання даних sudo буде увімкнено автоматично. Базу пошуку sudo буде "
+"налаштовано на використання природного для IPA дерева LDAP (cn=sudo,"
+"$SUFFIX). Якщо у sssd.conf буде визначено будь-яку іншу базу пошуку, "
+"використовуватиметься це значення. Для використання функціональних "
+"можливостей sudo у IPA потреби у дереві compat (ou=sudoers,$SUFFIX) більше "
+"немає."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-sudo.5.xml:128
+msgid "The SUDO rule caching mechanism"
+msgstr "Механізм кешування правил SUDO"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:130
+msgid ""
+"The biggest challenge, when developing sudo support in SSSD, was to ensure "
+"that running sudo with SSSD as the data source provides the same user "
+"experience and is as fast as sudo but keeps providing the most current set "
+"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
+"of updates. They are referred to as full refresh, smart refresh and rules "
+"refresh."
+msgstr ""
+"Найбільшою складністю під час розробки підтримки sudo у SSSD було "
+"забезпечення роботи sudo з SSSD так, щоб для користувача джерело даних "
+"надавало дані у один спосіб та з тією самою швидкістю, що і sudo, надаючи "
+"при цьому якомога свіжіший набір правил. Щоб виконати ці умови, SSSD "
+"використовує оновлення трьох типів. Будемо називати ці тип повним "
+"оновленням, інтелектуальним оновленням та оновленням правил."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:138
+msgid ""
+"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
+"new or were modified after the last update. Its primary goal is to keep the "
+"database growing by fetching only small increments that do not generate "
+"large amounts of network traffic."
+msgstr ""
+"Використання типу <emphasis>інтелектуального оновлення</emphasis> полягає у "
+"отриманні правил, які було додано або змінено з часу попереднього оновлення. "
+"Основним призначенням оновлення такого типу є підтримання актуального стану "
+"бази даних невеличкими порціями, які не спричиняють значного навантаження на "
+"мережу."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:144
+msgid ""
+"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
+"in the cache and replaces them with all rules that are stored on the server. 
"
+"This is used to keep the cache consistent by removing every rule which was "
+"deleted from the server. However, full refresh may produce a lot of traffic "
+"and thus it should be run only occasionally depending on the size and "
+"stability of the sudo rules."
+msgstr ""
+"У разі використання <emphasis>повного оновлення</emphasis> всі правила sudo, "
+"що зберігаються у кеші, буде вилучено і замінено на всі правила, які "
+"зберігаються на сервері. Таким чином, кеш буде узгоджено шляхом вилучення "
+"всіх правил, які було вилучено на сервері. Втім, повне оновлення може значно "
+"навантажувати канал з’єднання, а отже його варто використовувати лише іноді. "
+"Проміжок між сеансами повного оновлення має залежати від розміру і "
+"стабільності правил sudo."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:152
+msgid ""
+"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
+"more permission than defined. It is triggered each time the user runs sudo. "
+"Rules refresh will find all rules that apply to this user, check their "
+"expiration time and redownload them if expired. In the case that any of "
+"these rules are missing on the server, the SSSD will do an out of band full "
+"refresh because more rules (that apply to other users) may have been deleted."
+msgstr ""
+"У разі використання типу <emphasis>оновлення правил</emphasis> "
+"забезпечується ненадання користувачам ширших дозволів, ніж це було визначено "
+"на сервері. Оновлення цього типу виконується під час кожного запуску "
+"користувачем sudo. Під час оновлення буде виявлено всі правила, які "
+"стосуються користувача, перевірено, чи не завершено строк дії цих правил, і "
+"повторно отримано правила, якщо строк дії правил завершено. Якщо якихось з "
+"правил не буде виявлено на сервері, SSSD виконає позачергове повне "
+"оновлення, оскільки може виявитися, що було вилучено набагато більше правил "
+"(які стосуються інших користувачів)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:161
+msgid ""
+"If enabled, SSSD will store only rules that can be applied to this machine. "
+"This means rules that contain one of the following values in "
+"<emphasis>sudoHost</emphasis> attribute:"
+msgstr ""
+"Якщо увімкнено, SSSD зберігатиме лише правила, які можна застосувати до "
+"цього комп’ютера. Це означає, що зберігатимуться правила, що містять у "
+"атрибуті <emphasis>sudoHost</emphasis> одне з таких значень:"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:168
+msgid "keyword ALL"
+msgstr "ключове слово ALL"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:173
+msgid "wildcard"
+msgstr "шаблон заміни"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:178
+msgid "netgroup (in the form \"+netgroup\")"
+msgstr "мережеву групу (у форматі «+мережева група»)"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:183
+msgid "hostname or fully qualified domain name of this machine"
+msgstr "назву вузла або повну назву у домені цього комп’ютера"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:188
+msgid "one of the IP addresses of this machine"
+msgstr "одну з IP-адрес цього комп’ютера"
+
+#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
+#: sssd-sudo.5.xml:193
+msgid "one of the IP addresses of the network (in the form \"address/mask\")"
+msgstr "одну з IP-адрес мережі (у форматі «адреса/маска»)"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-sudo.5.xml:199
+msgid ""
+"There are many configuration options that can be used to adjust the "
+"behavior. 
Please refer to \"ldap_sudo_*\" in <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+msgstr ""
+"Для точного налаштовування поведінки передбачено доволі багато параметрів "
+"Будь ласка, зверніться до розділу «ldap_sudo_*» у <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> та «sudo_*» у <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб ознайомитися з "
+"докладним описом."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.8.xml:10 sssd.8.xml:15
+msgid "sssd"
+msgstr "sssd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd.8.xml:16
+msgid "System Security Services Daemon"
+msgstr "Фонова служба безпеки системи"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssd.8.xml:21
+msgid ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sssd</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:31
+msgid ""
+"<command>SSSD</command> provides a set of daemons to manage access to remote "
+"directories and authentication mechanisms. It provides an NSS and PAM "
+"interface toward the system and a pluggable backend system to connect to "
+"multiple different account sources as well as D-Bus interface. It is also "
+"the basis to provide client auditing and policy services for projects like "
+"FreeIPA. It provides a more robust database to store local users as well as "
+"extended user data."
+msgstr ""
+"У <command>SSSD</command> передбачено набір фонових служб для керування "
+"доступом до віддалених каталогів та механізмами розпізнавання. 
"
+"<command>SSSD</command> надає операційній системі інтерфейси NSS і PAM, а "
+"також систему придатних для під’єднання модулів для встановлення з’єднання з "
+"декількома різними джерелами даних щодо облікових записів та інтерфейс D-"
+"Bus. <command>SSSD</command> також є основою для систем перевірки "
+"клієнтських систем та служб обслуговування правил доступу для проектів, "
+"подібних до FreeIPA. <command>SSSD</command> надає стійкішу базу даних для "
+"збереження записів локальних користувачів, а також додаткових даних щодо "
+"користувачів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:46
+msgid ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--debug-level</option> <replaceable>РІВЕНЬ</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:53
+msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-timestamps=</option><replaceable>режим</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:57
+msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: додати часову позначку до діагностичних повідомлень."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:60
+msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
+msgstr ""
+"<emphasis>0</emphasis>: вимкнути часову позначку у діагностичних "
+"повідомленнях"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:69
+msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
+msgstr "<option>--debug-microseconds=</option><replaceable>режим</replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:73
+msgid ""
+"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
+msgstr ""
+"<emphasis>1</emphasis>: додати значення мікросекунд до часової позначки у "
+"діагностичних повідомленнях"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:76
+msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
+msgstr ""
+"<emphasis>0</emphasis>: вимкнути додавання мікросекунд до часової позначки"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:85
+msgid "<option>-f</option>,<option>--debug-to-files</option>"
+msgstr "<option>-f</option>,<option>--debug-to-files</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:89
+msgid ""
+"Send the debug output to files instead of stderr. By default, the log files "
+"are stored in <filename>/var/log/sssd</filename> and there are separate log "
+"files for every SSSD service and domain."
+msgstr ""
+"Надіслати діагностичні дані до файлів, а не до stderr. Типово файли журналів "
+"зберігаються у <filename>/var/log/sssd</filename>, передбачено також окремий "
+"журнал для кожної служби і домену SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:94
+msgid ""
+"This option is deprecated. It is replaced by <option>--logger=files</option>."
+msgstr ""
+"Цей параметр вважається застарілим. Його замінено параметром <option>--"
+"logger=files</option>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:101
+msgid "<option>--logger=</option><replaceable>value</replaceable>"
+msgstr "<option>--logger=</option><replaceable>значення</replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:105
+msgid ""
+"Location where SSSD will send log messages. This option overrides the value "
+"of the deprecated option <option>--debug-to-files</option>. The deprecated "
+"option will still work if the <option>--logger</option> is not used."
+msgstr ""
+"Місце, куди SSSD надсилатиме повідомлення журналу. Значення цього параметра "
+"має вищий пріоритет за значення застарілого параметра <option>--debug-to-"
+"files</option>. Застарілий параметр працюватиме, якщо не використано "
+"параметр <option>--logger</option>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:112
+msgid ""
+"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
+"output."
+msgstr ""
+"<emphasis>stderr</emphasis>: переспрямувати діагностичні повідомлення до "
+"стандартного виведення помилок."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:116
+msgid ""
+"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
+"default, the log files are stored in <filename>/var/log/sssd</filename> and "
+"there are separate log files for every SSSD service and domain."
+msgstr ""
+"<emphasis>files</emphasis>: переспрямувати діагностичні повідомлення до "
+"файлів журналу. Типово файли журналів зберігаються у <filename>/var/log/"
+"sssd</filename>, передбачено також окремий журнал для кожної служби і домену "
+"SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:122
+msgid ""
+"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
+msgstr ""
+"<emphasis>journald</emphasis>: переспрямувати діагностичні повідомлення до "
+"systemd-journald"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:132
+msgid "<option>-D</option>,<option>--daemon</option>"
+msgstr "<option>-D</option>,<option>--daemon</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:136
+msgid "Become a daemon after starting up."
+msgstr "Перейти у режим фонової служби після запуску."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:142 sss_seed.8.xml:136
+msgid "<option>-i</option>,<option>--interactive</option>"
+msgstr "<option>-i</option>,<option>--interactive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:146
+msgid "Run in the foreground, don't become a daemon."
+msgstr "Запустити програму у звичайному режимі, не створювати фонової служби."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:152
+msgid "<option>-c</option>,<option>--config</option>"
+msgstr "<option>-c</option>,<option>--config</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:156
+msgid ""
+"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
+"conf</filename>. For reference on the config file syntax and options, "
+"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Визначити нетиповий файл налаштувань. Типовим файлом налаштувань є "
+"<filename>/etc/sssd/sssd.conf</filename>. Довідку щодо синтаксису та "
+"параметрів файла налаштувань можна знайти на сторінці довідника (man) "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:170
+msgid "<option>--version</option>"
+msgstr "<option>--version</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:174
+msgid "Print version number and exit."
+msgstr "Вивести номер версії і завершити роботу."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.8.xml:182
+msgid "Signals"
+msgstr "Сигнали"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:185
+msgid "SIGTERM/SIGINT"
+msgstr "SIGTERM/SIGINT"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:188
+msgid ""
+"Informs the SSSD to gracefully terminate all of its child processes and then "
+"shut down the monitor."
+msgstr ""
+"Повідомляє SSSD, що слід поступово завершити роботу всіх дочірніх процесів, "
+"а потім завершити роботу монітора."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:194
+msgid "SIGHUP"
+msgstr "SIGHUP"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:197
+msgid ""
+"Tells the SSSD to stop writing to its current debug file descriptors and to "
+"close and reopen them. This is meant to facilitate log rolling with programs "
+"like logrotate."
+msgstr ""
+"Повідомляє SSSD, що слід припинити запис до файлів діагностичних даних з "
+"поточними дескрипторами, закрити і повторно відкрити ці файли. Цей сигнал "
+"призначено для полегшення процедури архівування журналів за допомогою "
+"програм, подібних до logrotate."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:205
+msgid "SIGUSR1"
+msgstr "SIGUSR1"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:208
+msgid ""
+"Tells the SSSD to simulate offline operation for the duration of the "
+"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+"Наказує SSSD імітувати автономну дію, тривалість якої визначається "
+"параметром «offline_timeout». Найкориснішим застосуванням є тестування "
+"служби. Сигнал може бути надіслано або процесу sssd, або процесу sssd_be "
+"безпосередньо."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.8.xml:217
+msgid "SIGUSR2"
+msgstr "SIGUSR2"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.8.xml:220
+msgid ""
+"Tells the SSSD to go online immediately. This is useful for testing. The "
+"signal can be sent to either the sssd process or any sssd_be process "
+"directly."
+msgstr ""
+"Наказує SSSD перейти у режим роботи у мережі негайно. Найкориснішим "
+"застосуванням є тестування служби. Сигнал може бути надіслано або процесу "
+"sssd, або процесу sssd_be безпосередньо."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.8.xml:232
+msgid ""
+"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
+"applications will not use the fast in memory cache."
+msgstr ""
+"Якщо для змінної середовища SSS_NSS_USE_MEMCACHE встановлено значення «NO», "
+"клієнтські програми не використовуватимуть fast у кеші у пам’яті."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
+msgid "sss_obfuscate"
+msgstr "sss_obfuscate"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_obfuscate.8.xml:16
+msgid "obfuscate a clear text password"
+msgstr "заплутування пароля у форматі звичайного тексту"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_obfuscate.8.xml:21
+msgid ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
+"replaceable></arg>"
+msgstr ""
+"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'><replaceable>[ПАРОЛЬ]</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:32
+msgid ""
+"<command>sss_obfuscate</command> converts a given password into human-"
+"unreadable format and places it into appropriate domain section of the SSSD "
+"config file."
+msgstr ""
+"<command>sss_obfuscate</command> перетворює вказаний пароль на пароль у "
+"форматі зручному для читання і розташовує його у розділі відповідного домену "
+"файла налаштувань SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:37
+msgid ""
+"The cleartext password is read from standard input or entered "
+"interactively. The obfuscated password is put into "
+"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
+"<quote>ldap_default_authtok_type</quote> parameter is set to "
+"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
+"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> for more details on these parameters."
+msgstr ""
+"Пароль у форматі звичайного тексту буде прочитано зі стандартного джерела "
+"вхідних даних або введено інтерактивно. 
Заплутану версію пароля буде "
+"збережено у параметрі з назвою «ldap_default_authtok» вказаного домену SSSD, "
+"параметру «ldap_default_authtok_type» буде надано значення "
+"«obfuscated_password». Докладніший опис цих параметрів можна знайти на "
+"сторінці підручника (man) <citerefentry> <refentrytitle>sssd-ldap</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_obfuscate.8.xml:49
+msgid ""
+"Please note that obfuscating the password provides <emphasis>no real "
+"security benefit</emphasis> as it is still possible for an attacker to "
+"reverse-engineer the password back. Using better authentication mechanisms "
+"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
+"advised."
+msgstr ""
+"Будь ласка, зауважте, що заплутування паролів <emphasis>не є справжнім "
+"захистом</emphasis>, оскільки зловмисник може визначити алгоритм "
+"заплутування за кодом програми. <emphasis>Наполегливо</emphasis> радимо вам "
+"скористатися кращими механізмами захисту даних розпізнавання, зокрема "
+"клієнтськими сертифікатами або GSSAPI."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:63
+msgid "<option>-s</option>,<option>--stdin</option>"
+msgstr "<option>-s</option>,<option>--stdin</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:67
+msgid "The password to obfuscate will be read from standard input."
+msgstr ""
+"Пароль для заплутування буде прочитано зі стандартного джерела вхідних даних."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127
+#: sss_ssh_knownhostsproxy.1.xml:78
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--domain</option> <replaceable>ДОМЕН</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:79
+msgid ""
+"The SSSD domain to use the password in. The default name is <quote>default</"
+"quote>."
+msgstr ""
+"Домен SSSD, для якого буде використано пароль. Типовою назвою є "
+"<quote>default</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_obfuscate.8.xml:86
+msgid ""
+"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
+msgstr ""
+"<option>-f</option>,<option>--file</option> <replaceable>ФАЙЛ</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:91
+msgid "Read the config file specified by the positional parameter."
+msgstr "Прочитати дані з файла налаштувань, вказаного позиційним параметром."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_obfuscate.8.xml:95
+msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
+msgstr "Типове значення: <filename>/etc/sssd/sssd.conf</filename>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_override.8.xml:10 sss_override.8.xml:15
+msgid "sss_override"
+msgstr "sss_override"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_override.8.xml:16
+msgid "create local overrides of user and group attributes"
+msgstr "створити локальні перевизначення атрибутів користувача і групи"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_override.8.xml:21
+msgid ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+"<command>sss_override</command> <arg choice='plain'><replaceable>КОМАНДА</"
+"replaceable></arg> <arg choice='opt'> <replaceable>параметри</replaceable> </"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:32
+msgid ""
+"<command>sss_override</command> enables to create a client-side view and "
+"allows to change selected values of specific user and groups. This change "
+"takes effect only on local machine."
+msgstr ""
+"<command>sss_override</command> надає змогу створювати перегляди на боці "
+"клієнта і змінювати вибрані значення для певного користувача і груп. Ці "
+"зміни буде застосовано лише на локальному комп'ютері."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:37
+msgid ""
+"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
+"local overrides are lost. Please note that after the first override is "
+"created using any of the following <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
+"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
+"take effect. <emphasis>sss_override</emphasis> prints message when a "
+"restart is required."
+msgstr ""
+"Дані перевизначень зберігаються у кеші SSSD. Якщо кеш вилучено, усі локальні "
+"перевизначення буде втрачено. Будь ласка, зауважте, що після першого "
+"створення перевизначення за допомогою команди <emphasis>user-add</emphasis>, "
+"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> або "
+"<emphasis>group-import</emphasis> SSSD слід перезапустити, щоб зміни набули "
+"чинності. 
Якщо потрібен перезапуск, <emphasis>sss_override</emphasis> виведе "
+"відповідне повідомлення."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:50 sssctl.8.xml:41
+msgid "AVAILABLE COMMANDS"
+msgstr "ДОСТУПНІ КОМАНДИ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:52
+msgid ""
+"Argument <emphasis>NAME</emphasis> is the name of original object in all "
+"commands. It is not possible to override <emphasis>uid</emphasis> or "
+"<emphasis>gid</emphasis> to 0."
+msgstr ""
+"Аргумент <emphasis>НАЗВА</emphasis> в усіх командах є назвою початкового "
+"об'єкта. Не можна перевизначити <emphasis>uid</emphasis> або <emphasis>gid</"
+"emphasis> на 0."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:59
+msgid ""
+"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
+"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
+"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
+"CERTIFICATE</optional>"
+msgstr ""
+"<option>user-add</option> <emphasis>НАЗВА</emphasis> <optional><option>-n,--"
+"name</option> НАЗВА</optional> <optional><option>-u,--uid</option> UID</"
+"optional> <optional><option>-g,--gid</option> GID</optional> "
+"<optional><option>-h,--home</option> ДОМІВКА</optional> <optional><option>-"
+"s,--shell</option> ОБОЛОНКА</optional> <optional><option>-c,--gecos</option> "
+"GECOS</optional> <optional><option>-x,--certificate</option> СЕРТИФІКАТ У "
+"КОДУВАННІ BASE64</optional>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:72
+msgid ""
+"Override attributes of an user. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) user."
+msgstr ""
+"Перевизначити атрибути запису користувача. Будь ласка, зверніть увагу, що "
+"виклик цієї команди замінить усі попередні перевизначення для вказаного за "
+"назвою облікового запису користувача."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:80
+msgid "<option>user-del</option> <emphasis>NAME</emphasis>"
+msgstr "<option>user-del</option> <emphasis>НАЗВА</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:85
+msgid ""
+"Remove user overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+"Вилучити перевизначення користувача. Втім, слід мати на увазі, що "
+"перевизначені атрибути може бути повернено з кешу у пам'яті. Будь ласка, "
+"ознайомтеся із документацією до параметра SSSD <emphasis>memcache_timeout</"
+"emphasis>, щоб дізнатися більше."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:94
+msgid ""
+"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+"<option>user-find</option> <optional><option>-d,--domain</option> ДОМЕН</"
+"optional>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:99
+msgid ""
+"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
+"is set, only users from the domain are listed."
+msgstr ""
+"Вивести список усіх користувачів, для яких встановлено перевизначення. 
Якщо "
+"встановлено параметр <emphasis>ДОМЕН</emphasis>, буде показано лише "
+"користувачів з відповідного домену."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:107
+msgid "<option>user-show</option> <emphasis>NAME</emphasis>"
+msgstr "<option>user-show</option> <emphasis>НАЗВА</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:112
+msgid "Show user overrides."
+msgstr "Показати перевизначення користувача."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:118
+msgid "<option>user-import</option> <emphasis>FILE</emphasis>"
+msgstr "<option>user-import</option> <emphasis>ФАЙЛ</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:123
+msgid ""
+"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard passwd file. The format is:"
+msgstr ""
+"Імпортувати перевизначення користувачів з файла <emphasis>ФАЙЛ</emphasis>. "
+"Формат даних у файлі має бути таким самим, як у стандартному файлі passwd. "
+"Приклад:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:128
+msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
+msgstr ""
+"початкова_назва:назва:uid:gid:gecos:домівка:оболонка:"
+"сертифікат_у_кодуванні_base64"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:131
+msgid ""
+"where original_name is original name of the user whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+"де «початкова_назва» — початкова назва запису користувача, чиї атрибути має "
+"бути перевизначено. Решта полів відповідає новим значенням. Ви можете "
+"пропустити значення, не заповнюючи відповідного поля."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:140
+msgid "ckent:superman::::::"
+msgstr "ckent:superman::::::"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:143
+msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+msgstr "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:149
+msgid "<option>user-export</option> <emphasis>FILE</emphasis>"
+msgstr "<option>user-export</option> <emphasis>ФАЙЛ</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:154
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>user-import</emphasis> for data format."
+msgstr ""
+"Експортувати усі перевизначені атрибути і зберегти їх у файлі "
+"<emphasis>ФАЙЛ</emphasis>. Див. <emphasis>user-import</emphasis>, щоб "
+"дізнатися більше про формат даних."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:162
+msgid ""
+"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
+"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+msgstr ""
+"<option>group-add</option> <emphasis>НАЗВА</emphasis> <optional><option>-n,--"
+"name</option> НАЗВА</optional> <optional><option>-g,--gid</option> GID</"
+"optional>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:169
+msgid ""
+"Override attributes of a group. Please be aware that calling this command "
+"will replace any previous override for the (NAMEd) group."
+msgstr ""
+"Перевизначити атрибути запису групи. Будь ласка, зверніть увагу, що виклик "
+"цієї команди замінить усі попередні перевизначення для вказаної за назвою "
+"групи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:177
+msgid "<option>group-del</option> <emphasis>NAME</emphasis>"
+msgstr "<option>group-del</option> <emphasis>НАЗВА</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:182
+msgid ""
+"Remove group overrides. However be aware that overridden attributes might be "
+"returned from memory cache. Please see SSSD option "
+"<emphasis>memcache_timeout</emphasis> for more details."
+msgstr ""
+"Вилучити перевизначення групи. Втім, слід мати на увазі, що перевизначені "
+"атрибути може бути повернено з кешу у пам'яті. Будь ласка, ознайомтеся із "
+"документацією до параметра SSSD <emphasis>memcache_timeout</emphasis>, щоб "
+"дізнатися більше."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:191
+msgid ""
+"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
+"optional>"
+msgstr ""
+"<option>group-find</option> <optional><option>-d,--domain</option> ДОМЕН</"
+"optional>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:196
+msgid ""
+"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
+"parameter is set, only groups from the domain are listed."
+msgstr ""
+"Вивести список усіх груп, для яких встановлено перевизначення. 
Якщо "
+"встановлено параметр <emphasis>ДОМЕН</emphasis>, буде показано лише групи з "
+"відповідного домену."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:204
+msgid "<option>group-show</option> <emphasis>NAME</emphasis>"
+msgstr "<option>group-show</option> <emphasis>НАЗВА</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:209
+msgid "Show group overrides."
+msgstr "Показати перевизначення групи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:215
+msgid "<option>group-import</option> <emphasis>FILE</emphasis>"
+msgstr "<option>group-import</option> <emphasis>ФАЙЛ</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:220
+msgid ""
+"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
+"similar to standard group file. The format is:"
+msgstr ""
+"Імпортувати перевизначення груп з файла <emphasis>ФАЙЛ</emphasis>. Формат "
+"даних у файлі має бути таким самим, як у стандартному файлі group. Приклад:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:225
+msgid "original_name:name:gid"
+msgstr "початкова_назва:назва:gid"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:228
+msgid ""
+"where original_name is original name of the group whose attributes should be "
+"overridden. The rest of fields correspond to new values. You can omit a "
+"value simply by leaving corresponding field empty."
+msgstr ""
+"де «початкова_назва» — початкова назва групи, чиї атрибути має бути "
+"перевизначено. Решта полів відповідає новим значенням. Ви можете пропустити "
+"значення, не заповнюючи відповідного поля."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:237
+msgid "admins:administrators:"
+msgstr "admins:administrators:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:240
+msgid "Domain Users:Users:501"
+msgstr "Domain Users:Users:501"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:246
+msgid "<option>group-export</option> <emphasis>FILE</emphasis>"
+msgstr "<option>group-export</option> <emphasis>ФАЙЛ</emphasis>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_override.8.xml:251
+msgid ""
+"Export all overridden attributes and store them in <emphasis>FILE</"
+"emphasis>. See <emphasis>group-import</emphasis> for data format."
+msgstr ""
+"Експортувати усі перевизначені атрибути і зберегти їх у файлі "
+"<emphasis>ФАЙЛ</emphasis>. Див. <emphasis>group-import</emphasis>, щоб "
+"дізнатися більше про формат даних."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_override.8.xml:261 sssctl.8.xml:50
+msgid "COMMON OPTIONS"
+msgstr "ЗАГАЛЬНІ ПАРАМЕТРИ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_override.8.xml:263 sssctl.8.xml:52
+msgid "Those options are available with all commands."
+msgstr "Ці параметри можна використовувати з усіма командами."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_override.8.xml:268 sssctl.8.xml:57
+msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
+msgstr "<option>--debug</option> <replaceable>РІВЕНЬ</replaceable>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
+msgid "sss_useradd"
+msgstr "sss_useradd"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_useradd.8.xml:16
+msgid "create a new user"
+msgstr "створення нового запису користувача"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_useradd.8.xml:21
+msgid ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_useradd</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg "
+"choice='plain'><replaceable>НАЗВА_ОБЛІКОВОГО_ЗАПИСУ</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_useradd.8.xml:32
+msgid ""
+"<command>sss_useradd</command> creates a new user account using the values "
+"specified on the command line plus the default values from the system."
+msgstr ""
+"<command>sss_useradd</command> створює обліковий запис користувача на основі "
+"значень, вказаних у командному рядку та типових значень системи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:43 sss_seed.8.xml:76
+msgid ""
+"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--uid</option> <replaceable>ідентифікатор "
+"користувача</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:48
+msgid ""
+"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"Встановити для параметра ідентифікатора користувача (UID) значення "
+"<replaceable>UID</replaceable>. Якщо таке значення не буде вказано, програма "
+"вибере його автоматично."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
+msgid ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
+"replaceable>"
+msgstr ""
+"<option>-c</option>,<option>--gecos</option> <replaceable>КОМЕНТАР</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
+msgid ""
+"Any text string describing the user. Often used as the field for the user's "
+"full name."
+msgstr ""
+"Будь-який рядок тексту, що описує користувача. Часто використовується для "
+"зберігання паспортного імені користувача."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
+msgid ""
+"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--home</option> <replaceable>ДОМАШНІЙ_КАТАЛОГ</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:72
+msgid ""
+"The home directory of the user account. The default is to append the "
+"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
+"that as the home directory. The base that is prepended before "
+"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
+"baseDirectory</quote> setting in sssd.conf."
+msgstr ""
+"Домашній каталог облікового запису користувача. Типовою назвою такого "
+"каталогу є назва, що утворюється додаванням <replaceable>ІМЕНІ_КОРИСТУВАЧА</"
+"replaceable> до запису <filename>/home</filename>. Рядок, який буде додано "
+"перед <replaceable>ІМЕНЕМ_КОРИСТУВАЧА</replaceable>, можна визначити за "
+"допомогою параметра «user_defaults/baseDirectory» у sssd.conf."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
+msgid ""
+"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--shell</option> <replaceable>ОБОЛОНКА</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:87
+msgid ""
+"The user's login shell. The default is currently <filename>/bin/bash</"
+"filename>. The default can be changed with <quote>user_defaults/"
+"defaultShell</quote> setting in sssd.conf."
+msgstr ""
+"Командна оболонка реєстрації користувача. У поточній версії типовою "
+"оболонкою є <filename>/bin/bash</filename>. Типову оболонку можна змінити за "
+"допомогою параметра «user_defaults/defaultShell» у sssd.conf."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:96
+msgid ""
+"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-G</option>,<option>--groups</option> <replaceable>ГРУПИ</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:101
+msgid "A list of existing groups this user is also a member of."
+msgstr "Список груп, учасником яких є користувач."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:107
+msgid "<option>-m</option>,<option>--create-home</option>"
+msgstr "<option>-m</option>,<option>--create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:111
+msgid ""
+"Create the user's home directory if it does not exist. 
The files and "
+"directories contained in the skeleton directory (which can be defined with "
+"the -k option or in the config file) will be copied to the home directory."
+msgstr ""
+"Створити домашній каталог користувача, якщо такого ще не існує. До такого "
+"домашнього каталогу буде скопійовано файли і каталоги з каркасного каталогу "
+"(який можна визначити за допомогою параметра -k або запису у файлі "
+"налаштувань)."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:121
+msgid "<option>-M</option>,<option>--no-create-home</option>"
+msgstr "<option>-M</option>,<option>--no-create-home</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:125
+msgid ""
+"Do not create the user's home directory. Overrides configuration settings."
+msgstr ""
+"Не створювати домашнього каталогу користувача. Має пріоритет над іншими "
+"параметрами налаштування."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:132
+msgid ""
+"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
+"replaceable>"
+msgstr ""
+"<option>-k</option>,<option>--skel</option> <replaceable>КАТАЛОГ_SKEL</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:137
+msgid ""
+"The skeleton directory, which contains files and directories to be copied in "
+"the user's home directory, when the home directory is created by "
+"<command>sss_useradd</command>."
+msgstr ""
+"Каркасний каталог, який містить файли і каталоги, які буде скопійовано до "
+"домашнього каталогу користувача, коли такий домашній каталог створюється "
+"командою <command>sss_useradd</command>."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:143
+msgid ""
+"Special files (block devices, character devices, named pipes and unix "
+"sockets) will not be copied."
+msgstr ""
+"Спеціальні файли (блокові пристрої, символьні пристрої, іменовані канали та "
+"сокети UNIX) скопійовано не буде."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:147
+msgid ""
+"This option is only valid if the <option>-m</option> (or <option>--create-"
+"home</option>) option is specified, or creation of home directories is set "
+"to TRUE in the configuration."
+msgstr ""
+"Цей параметр набуде чинності, лише якщо вказано параметр <option>-m</option> "
+"(або <option>--create-home</option>) або для створення домашніх каталогів "
+"вказано TRUE у налаштуваннях."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_useradd.8.xml:156 sss_usermod.8.xml:124
+msgid ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>SELINUX_USER</replaceable>"
+msgstr ""
+"<option>-Z</option>,<option>--selinux-user</option> "
+"<replaceable>КОРИСТУВАЧ_SELINUX</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_useradd.8.xml:161
+msgid ""
+"The SELinux user for the user's login. If not specified, the system default "
+"will be used."
+msgstr ""
+"Користувач SELinux, що відповідає користувачеві, який увійшов до системи. "
+"Якщо не вказано, буде використано типового користувача системи."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
+msgid "sssd-krb5"
+msgstr "sssd-krb5"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-krb5.5.xml:17
+msgid "SSSD Kerberos provider"
+msgstr "Модуль надання даних Kerberos SSSD"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Kerberos 5 "
+"authentication backend for <citerefentry> <refentrytitle>sssd</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
+"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+"На цій сторінці довідника описано налаштування засобу розпізнавання Kerberos "
+"5 для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, "
+"зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-krb5.5.xml:36
+msgid ""
+"The Kerberos 5 authentication backend contains auth and chpass providers. It "
+"must be paired with an identity provider in order to function properly (for "
+"example, id_provider = ldap). Some information required by the Kerberos 5 "
+"authentication backend must be provided by the identity provider, such as "
+"the user's Kerberos Principal Name (UPN). The configuration of the identity "
+"provider should have an entry to specify the UPN. Please refer to the man "
+"page for the applicable identity provider for details on how to configure "
+"this."
+msgstr ""
+"Модуль розпізнавання Kerberos 5 містити засоби розпізнавання та зміни "
+"паролів. З метою отримання належних результатів його слід використовувати "
+"разом з інструментом обробки профілів (наприклад, id_provider = ldap). 
Деякі " +"з даних, потрібних для роботи модуля розпізнавання Kerberos 5, має бути " +"надано інструментом обробки профілів, серед цих даних Kerberos Principal " +"Name (UPN) або реєстраційне ім’я користувача. У налаштуваннях інструменту " +"обробки профілів має бути запис з визначенням UPN. Докладні настанови щодо " +"визначення такого UPN має бути викладено на сторінці довідника (man) " +"відповідного інструменту обробки профілів." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" +"У цьому інструменті керування даними також передбачено можливості керування " +"доступом, засновані на даних з файла .k5login у домашньому каталозі " +"користувача. Докладніші відомості можна отримати з підручника до " +"<citerefentry> <refentrytitle>.k5login</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>. Зауважте, що якщо файл .k5login виявиться " +"порожнім, доступ користувачеві буде заборонено. Щоб задіяти можливість " +"керування доступом, додайте рядок «access_provider = krb5» до ваших " +"налаштувань SSSD." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." 
+msgstr ""
+"У випадку, коли доступу до UPN у модулі профілів не передбачено, "
+"<command>sssd</command> побудує UPN у форматі <replaceable>ім’я_користувача</"
+"replaceable>@<replaceable>область_krb5</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:77
+msgid ""
+"Specifies the comma-separated list of IP addresses or hostnames of the "
+"Kerberos servers to which SSSD should connect, in the order of preference. "
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
+"colon) may be appended to the addresses or hostnames. If empty, service "
+"discovery is enabled; for more information, refer to the <quote>SERVICE "
+"DISCOVERY</quote> section."
+msgstr ""
+"Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів "
+"Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути "
+"впорядковано за пріоритетом. Докладніше про резервування та додаткові "
+"сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може "
+"бути додано номер порту (перед номером слід вписати двокрапку). Якщо "
+"параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше "
+"про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ»."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:106
+msgid ""
+"The name of the Kerberos realm. This option is required and must be "
+"specified."
+msgstr ""
+"Назва області Kerberos. Цей параметр є обов’язковим, його неодмінно слід "
+"вказати."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:113
+msgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
+msgstr "krb5_kpasswd, krb5_backup_kpasswd (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:116
+msgid ""
+"If the change password service is not running on the KDC, alternative "
+"servers can be defined here. An optional port number (preceded by a colon) "
+"may be appended to the addresses or hostnames."
+msgstr ""
+"Якщо службу зміни паролів не запущено на KDC, тут можна визначити "
+"альтернативні сервери. До адрес або назв вузлів можна додати номер порту "
+"(перед яким слід вписати двокрапку)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:122
+msgid ""
+"For more information on failover and server redundancy, see the "
+"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
+"servers to try, the backend is not switched to operate offline if "
+"authentication against the KDC is still possible."
+msgstr ""
+"Додаткові відомості щодо резервних серверів можна знайти у розділі «РЕЗЕРВ». "
+"Зауваження: навіть якщо список всіх серверів kpasswd буде вичерпано, модуль "
+"не перемкнеться у автономний режим роботи, якщо розпізнавання за KDC "
+"залишатиметься можливим."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:129
+msgid "Default: Use the KDC"
+msgstr "Типове значення: використання KDC"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:135
+msgid "krb5_ccachedir (string)"
+msgstr "krb5_ccachedir (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:138
+msgid ""
+"Directory to store credential caches. All the substitution sequences of "
+"krb5_ccname_template can be used here, too, except %d and %P. The directory "
+"is created as private and owned by the user, with permissions set to 0700."
+msgstr ""
+"Каталог для зберігання кешу реєстраційних даних. Тут також можна "
+"використовувати усі замінники з krb5_ccname_template, окрім %d та %P. "
+"Каталог створюється як конфіденційний, власником є користувач, права доступу "
+"— 0700."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:145
+msgid "Default: /tmp"
+msgstr "Типове значення: /tmp"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:151
+msgid "krb5_ccname_template (string)"
+msgstr "krb5_ccname_template (рядок)"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
+msgid "%u"
+msgstr "%u"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
+msgid "login name"
+msgstr "ім'я користувача"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
+msgid "%U"
+msgstr "%U"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:170
+msgid "login UID"
+msgstr "ідентифікатор користувача"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:173
+msgid "%p"
+msgstr "%p"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:174
+msgid "principal name"
+msgstr "назва реєстраційного запису"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:178
+msgid "%r"
+msgstr "%r"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:179
+msgid "realm name"
+msgstr "назва області"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:182
+msgid "%h"
+msgstr "%h"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108
+msgid "home directory"
+msgstr "домашній каталог"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
+msgid "%d"
+msgstr "%d"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:188
+msgid "value of krb5_ccachedir"
+msgstr "значення krb5_ccachedir"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
+msgid "%P"
+msgstr "%P"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:194
+msgid "the process ID of the SSSD client"
+msgstr "ідентифікатор процесу клієнтської частини SSSD"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
+msgid "%%"
+msgstr "%%"
+
+#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
+msgid "a literal '%'"
+msgstr "символ відсотків («%»)"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:154
+msgid ""
+"Location of the user's credential cache. Three credential cache types are "
+"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
+"<quote>KEYRING:persistent</quote>. The cache can be specified either as "
+"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
+"implies the <quote>FILE</quote> type. In the template, the following "
+"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
+"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
+"filename in a safe way."
+msgstr ""
+"Розташування кешу з реєстраційними даними користувача У поточній версії "
+"передбачено підтримку трьох типів кешу реєстраційних даних: <quote>FILE</"
+"quote>, <quote>DIR</quote> та <quote>KEYRING:persistent</quote>. Кеш може "
+"бути вказано або у форматі <replaceable>ТИП:РЕШТА</replaceable>, або у "
+"форматі абсолютного шляху (тоді вважається, що типом кешу є <quote>FILE</"
+"quote>). У шаблоні передбачено можливість використання таких послідовностей-"
+"замінників: <placeholder type=\"variablelist\" id=\"0\"/> Якщо шаблон "
+"завершується послідовністю «XXXXXX», для безпечного створення назви файла "
+"використовується mkstemp(3)."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-krb5.5.xml:208
+msgid ""
+"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
+"persistent:%U</quote>, which uses the Linux kernel keyring to store "
+"credentials on a per-UID basis. This is also the recommended choice, as it "
+"is the most secure and predictable method."
+msgstr "" +"Якщо використовуються типи KEYRING, єдиним підтримуваним механізмом є " +"«KEYRING:persistent:%U», тобто використання сховища ключів ядра Linux для " +"зберігання реєстраційних даних на основі поділу за UID. Цей варіант є " +"рекомендованим, оскільки це найбезпечніший та найпередбачуваніший спосіб." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" +"Типове значення назви кешу реєстраційних даних буде запозичено з " +"загальносистемного профілю, що зберігається у файлі налаштувань krb5.conf, " +"розділ [libdefaults]. Назва параметра — default_ccache_name. Див. розділ " +"щодо розгортання параметрів (PARAMETER EXPANSION) у довідці щодо krb5." +"conf(5), щоб отримати додаткові дані щодо формату розгортання, використаного " +"у krb5.conf." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" +"ЗАУВАЖЕННЯ: майте на увазі, що шаблон розширення ccache libkrb5 з " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> використовує інші послідовності розширення, що не " +"збігаються із використаними у SSSD." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "Типове значення: (з libkrb5)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "krb5_auth_timeout (ціле число)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" +"Час очікування, по завершенню якого буде перервано запит щодо розпізнавання " +"або зміни пароля у мережі. Якщо це можливо, обробку запиту щодо " +"розпізнавання буде продовжено у автономному режимі." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "krb5_validate (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" +"Перевірити за допомогою krb5_keytab, чи отриманий TGT не було підмінено. " +"Перевірка записів у таблиці ключів виконується послідовно. Для перевірки " +"використовується перший запис з відповідним значенням області. 
Якщо не буде " +"знайдено жодного відповідного області запису, буде використано останній " +"запис з таблиці ключів. Цим процесом можна скористатися для перевірки " +"середовищ за допомогою зв’язків довіри між записами областей: достатньо " +"розташувати відповідний запис таблиці ключів на останньому місці або зробити " +"його єдиним записом у файлі таблиці ключів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "krb5_keytab (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" +"Розташування таблиці ключів, якою слід скористатися під час перевірки " +"реєстраційних даних, отриманих від KDC." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "Типове значення: /etc/krb5.keytab" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "krb5_store_password_if_offline (булівське значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" +"Зберігати пароль користувача, якщо засіб перевірки перебуває поза мережею, і " +"використовувати його для запитів TGT після встановлення з’єднання з засобом " +"перевірки." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. 
Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" +"Зауваження: ця можливість у поточній версії доступна лише на платформі " +"Linux. Паролі зберігатимуться у форматі звичайного тексту (без шифрування) у " +"сховищі ключів ядра, потенційно до них може отримати доступ адміністративний " +"користувач (root), але йому для цього слід буде подолати деякі перешкоди." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "krb5_renewable_lifetime (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" +"Надіслати запит щодо поновлюваного квитка з загальним строком дії, вказаним " +"за допомогою цілого числа, за яким одразу вказано одиницю часу:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "<emphasis>s</emphasis> — секунди" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "<emphasis>m</emphasis> — хвилини" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "<emphasis>h</emphasis> — години" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "<emphasis>d</emphasis> — дні." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" +"Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю " +"<emphasis>s</emphasis>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" +"Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам " +"потрібно встановити строк дії у півтори години, слід вказати «90m», а не " +"«1h30m»." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "Типове значення: не встановлено, тобто TGT не є оновлюваним" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "krb5_lifetime (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" +"Надіслати запит щодо квитка з загальним строком дії, вказаним за допомогою " +"цілого числа, за яким одразу вказано одиницю часу:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" +"Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю " +"<emphasis>s</emphasis>." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" +"Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам " +"потрібно встановити строк дії у півтори години, слід вказати «90m», а не " +"«1h30m»." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" +"Типове значення: не встановлено, тобто типовий строк дії квитка " +"визначатиметься у налаштуваннях KDC." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "krb5_renew_interval (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" +"Час у секундах між двома послідовними перевірками того, чи слід оновлювати " +"записи TGT. Записи TGT оновлюються після завершення приблизно половини " +"їхнього строку дії, що задається як ціле число з наступним позначенням " +"одиниці часу:" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" +"Якщо значення для цього параметра встановлено не буде або буде встановлено " +"значення 0, автоматичного оновлення не відбуватиметься." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "krb5_use_fast (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" +"Вмикає безпечне тунелювання для гнучкого розпізнавання (flexible " +"authentication secure tunneling або FAST) для попереднього розпізнавання у " +"Kerberos. Передбачено такі варіанти:" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" +"<emphasis>never</emphasis> використовувати FAST, рівнозначний варіанту, за " +"якого значення цього параметра взагалі не задається." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" +"<emphasis>try</emphasis> — використовувати FAST. Якщо на сервері не " +"передбачено підтримки FAST, продовжити розпізнавання без FAST." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. 
The authentication fails if the " +"server does not require fast." +msgstr "" +"<emphasis>demand</emphasis> — використовувати FAST. Якщо на сервері не " +"передбачено підтримки FAST, спроба розпізнавання зазнає невдачі." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "Типове значення: не встановлено, тобто FAST не використовується." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" +"Зауваження: будь ласка, зауважте, що для використання FAST потрібна таблиця " +"ключів." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" +"Зауваження: у SSSD передбачено підтримку FAST лише у разі використання MIT " +"Kerberos версії 1.8 або новішої. Якщо SSSD буде використано зі старішою " +"версією MIT Kerberos і цим параметром, буде повідомлено про помилку у " +"налаштуваннях." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "krb5_fast_principal (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" +"Визначає реєстраційний запис сервера, який слід використовувати для FAST." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" +"Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у " +"канонічну форму. Цю можливість передбачено з версії MIT Kerberos 1.7." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "krb5_use_enterprise_principal (булеве значення)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" +"Визначає, чи слід вважати реєстраційні дані користувача даними промислового " +"рівня. Див. розділ 5 RFC 6806, щоб дізнатися більше про промислові " +"реєстраційні дані." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "Типове значення: false (надається AD: true)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" +"Засіб надання даних IPA встановить для цього параметра значення «true», якщо " +"виявить, що сервер здатен обробляти реєстраційні дані промислового класу, і " +"параметр на встановлено явним чином у файлі налаштувань." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "krb5_map_user (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" +"Список прив’язок визначається як список пар «користувач:основа», де " +"«користувач» — ім’я користувача UNIX, а «основа» — частина щодо користувача " +"у реєстраційному записі kerberos. Ця прив’язка використовується, якщо " +"користувач проходить розпізнавання із використанням «auth_provider = krb5»." + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" +"<quote>joe</quote> і <quote>dick</quote> — імена користувачів UNIX, а " +"<quote>juser</quote> і <quote>richard</quote> основні частини реєстраційних " +"записів kerberos. 
Для користувачів <quote>joe</quote> та, відповідно, " +"<quote>dick</quote> SSSD намагатиметься виконати ініціалізацію kinit як " +"<quote>juser@REALM</quote> і, відповідно, <quote>richard@REALM</quote>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Якщо у домені SSSD використано auth-module krb5, має бути використано " +"вказані нижче параметри. Зверніться до сторінки довідника (man) " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, розділ «РОЗДІЛИ ДОМЕНІВ», щоб дізнатися більше " +"про налаштування домену SSSD. <placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" +"У наведеному нижче прикладі припускається, що SSSD налаштовано належним " +"чином, а FOO є одним з доменів у розділі <replaceable>[sssd]</replaceable>. " +"У прикладі продемонстровано лише налаштування розпізнавання аз допомогою " +"Kerberos, там не вказано інструменту обробки профілів." + +#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-krb5.5.xml:580
+#, no-wrap
+msgid ""
+"[domain/FOO]\n"
+"auth_provider = krb5\n"
+"krb5_server = 192.168.1.1\n"
+"krb5_realm = EXAMPLE.COM\n"
+msgstr ""
+"[domain/FOO]\n"
+"auth_provider = krb5\n"
+"krb5_server = 192.168.1.1\n"
+"krb5_realm = EXAMPLE.COM\n"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
+msgid "sss_groupadd"
+msgstr "sss_groupadd"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupadd.8.xml:16
+msgid "create a new group"
+msgstr "створення нової групи"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupadd.8.xml:21
+msgid ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupadd.8.xml:32
+msgid ""
+"<command>sss_groupadd</command> creates a new group. These groups are "
+"compatible with POSIX groups, with the additional feature that they can "
+"contain other groups as members."
+msgstr ""
+"<command>sss_groupadd</command> створює групу. Такі групи є сумісними з "
+"групами POSIX. Додатковою можливістю цих груп є те, що учасниками можуть "
+"бути інші групи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupadd.8.xml:43 sss_seed.8.xml:88
+msgid ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+msgstr ""
+"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupadd.8.xml:48
+msgid ""
+"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
+"not given, it is chosen automatically."
+msgstr ""
+"Встановити для параметра ідентифікатора групи (GID) значення "
+"<replaceable>GID</replaceable>. Якщо таке значення не буде вказано, програма "
+"вибере його автоматично."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
+msgid "sss_userdel"
+msgstr "sss_userdel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_userdel.8.xml:16
+msgid "delete a user account"
+msgstr "вилучення облікового запису користувача"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_userdel.8.xml:21
+msgid ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_userdel</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg "
+"choice='plain'><replaceable>НАЗВА_ОБЛІКОВОГО_ЗАПИСУ</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_userdel.8.xml:32
+msgid ""
+"<command>sss_userdel</command> deletes a user identified by login name "
+"<replaceable>LOGIN</replaceable> from the system."
+msgstr ""
+"<command>sss_userdel</command> вилучає обліковий запис користувача "
+"<replaceable>ІМ’Я_КОРИСТУВАЧА</replaceable> з системи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:44
+msgid "<option>-r</option>,<option>--remove</option>"
+msgstr "<option>-r</option>,<option>--remove</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:48
+msgid ""
+"Files in the user's home directory will be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+"Файли у домашньому каталозі користувача буде вилучено разом з самим домашнім "
+"каталогом та поштовим буфером користувача. Може бути перевизначено у "
+"налаштуваннях."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:56
+msgid "<option>-R</option>,<option>--no-remove</option>"
+msgstr "<option>-R</option>,<option>--no-remove</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:60
+msgid ""
+"Files in the user's home directory will NOT be removed along with the home "
+"directory itself and the user's mail spool. Overrides the configuration."
+msgstr ""
+"Файли у домашньому каталозі користувача НЕ буде вилучено разом з самим "
+"домашнім каталогом та поштовим буфером користувача. Може бути перевизначено "
+"у налаштуваннях."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:68
+msgid "<option>-f</option>,<option>--force</option>"
+msgstr "<option>-f</option>,<option>--force</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:72
+msgid ""
+"This option forces <command>sss_userdel</command> to remove the user's home "
+"directory and mail spool, even if they are not owned by the specified user."
+msgstr ""
+"За допомогою цього параметра можна примусити <command>sss_userdel</command> "
+"вилучати домашній каталог користувача та буфер пошти, навіть якщо їхнім "
+"власником не є вказаний користувач."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_userdel.8.xml:80
+msgid "<option>-k</option>,<option>--kick</option>"
+msgstr "<option>-k</option>,<option>--kick</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_userdel.8.xml:84
+msgid "Before actually deleting the user, terminate all his processes."
+msgstr ""
+"До вилучення запису користувача завершити роботу всіх процесів, власником "
+"яких є цей користувач."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
+msgid "sss_groupdel"
+msgstr "sss_groupdel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupdel.8.xml:16
+msgid "delete a group"
+msgstr "вилучення групи"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupdel.8.xml:21
+msgid ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupdel.8.xml:32
+msgid ""
+"<command>sss_groupdel</command> deletes a group identified by its name "
+"<replaceable>GROUP</replaceable> from the system."
+msgstr ""
+"<command>sss_groupdel</command> вилучає групу, вказану за допомогою "
+"аргументу <replaceable>ГРУПА</replaceable>, з системи."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
+msgid "sss_groupshow"
+msgstr "sss_groupshow"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupshow.8.xml:16
+msgid "print properties of a group"
+msgstr "показ параметрів групи"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupshow.8.xml:21
+msgid ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ГРУПА</replaceable></"
+"arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupshow.8.xml:32
+msgid ""
+"<command>sss_groupshow</command> displays information about a group "
+"identified by its name <replaceable>GROUP</replaceable>. The information "
+"includes the group ID number, members of the group and the parent group."
+msgstr ""
+"<command>sss_groupshow</command> показує дані щодо групи, вказаної за "
+"назвою, <replaceable>ГРУПА</replaceable>. Серед даних буде ідентифікаційний "
+"номер групи, кількість учасників групи та назва батьківської групи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupshow.8.xml:43
+msgid "<option>-R</option>,<option>--recursive</option>"
+msgstr "<option>-R</option>,<option>--recursive</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupshow.8.xml:47
+msgid ""
+"Also print indirect group members in a tree-like hierarchy. Note that this "
+"also affects printing parent groups - without <option>R</option>, only the "
+"direct parent will be printed."
+msgstr ""
+"Вивести також список непрямих учасників групи у форматі деревоподібної "
+"ієрархії. Зауважте, що використання параметра також вплине на виведення "
+"батьківських груп: без <option>R</option> буде виведено список лише "
+"безпосередніх батьківських груп."
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
+msgid "sss_usermod"
+msgstr "sss_usermod"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_usermod.8.xml:16
+msgid "modify a user account"
+msgstr "зміна облікового запису користувача"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_usermod.8.xml:21
+msgid ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_usermod</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'><replaceable>ІМ’Я_КОРИСТУВАЧА</"
+"replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_usermod.8.xml:32
+msgid ""
+"<command>sss_usermod</command> modifies the account specified by "
+"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
+"on the command line."
+msgstr ""
+"<command>sss_usermod</command> змінює параметри облікового запису "
+"<replaceable>ІМ’Я_КОРИСТУВАЧА</replaceable> відповідно до значень, вказаних "
+"у командному рядку."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:60
+msgid "The home directory of the user account."
+msgstr "Домашній каталог облікового запису користувача."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:71
+msgid "The user's login shell."
+msgstr "Оболонка для входу користувача до системи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:82
+msgid ""
+"Append this user to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. 
The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+"Додати запис користувача до груп, вказаних за допомогою параметра "
+"<replaceable>ГРУПИ</replaceable>. Параметр <replaceable>ГРУПИ</replaceable> "
+"є списком груп, відокремлених комами."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:96
+msgid ""
+"Remove this user from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+"Вилучає запис користувача з груп, вказаних за допомогою параметра "
+"<replaceable>ГРУПИ</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:103
+msgid "<option>-l</option>,<option>--lock</option>"
+msgstr "<option>-l</option>,<option>--lock</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:107
+msgid "Lock the user account. The user won't be able to log in."
+msgstr ""
+"Заблокувати обліковий запис користувача. Заблокований користувач не зможе "
+"входити до системи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:114
+msgid "<option>-u</option>,<option>--unlock</option>"
+msgstr "<option>-u</option>,<option>--unlock</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:118
+msgid "Unlock the user account."
+msgstr "Розблокувати обліковий запис користувача."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:129
+msgid "The SELinux user for the user's login."
+msgstr "Ім’я користувача SELinux, що відповідає імені для входу до системи."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:135
+msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+"<option>--addattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:140
+msgid "Add an attribute/value pair. The format is attrname=value."
+msgstr "Додати пару атрибут-значення. Форматування: атрибут=значення."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:147
+msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+"<option>--setattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:152
+msgid ""
+"Set an attribute to a name/value pair. The format is attrname=value. For "
+"multi-valued attributes, the command replaces the values already present"
+msgstr ""
+"Встановити для вказаного за назвою атрибута значення. Форматування: "
+"атрибут=значення. Для атрибутів з декількома значеннями команда призведе до "
+"заміни поточних значень."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_usermod.8.xml:160
+msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
+msgstr ""
+"<option>--delattr</option> <replaceable>ПАРА_АТРИБУТ-ЗНАЧЕННЯ</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_usermod.8.xml:165
+msgid "Delete an attribute/value pair. The format is attrname=value."
+msgstr "Вилучити пару атрибут-значення. Форматування: атрибут=значення."
+
+#. 
type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_cache.8.xml:10 sss_cache.8.xml:15
+msgid "sss_cache"
+msgstr "sss_cache"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_cache.8.xml:16
+msgid "perform cache cleanup"
+msgstr "виконати спорожнення кешу"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_cache.8.xml:21
+msgid ""
+"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg>"
+msgstr ""
+"<command>sss_cache</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_cache.8.xml:31
+msgid ""
+"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
+"records are forced to be reloaded from server as soon as related SSSD "
+"backend is online. Options that invalidate a single object only accept a "
+"single provided argument."
+msgstr ""
+"<command>sss_cache</command> скасовує визначення записів у кеші SSSD. Дані "
+"записів зі скасованими визначеннями буде перезавантажено з сервера у "
+"примусовому порядку, щойно відповідний модуль SSSD отримає до них доступ. "
+"Параметри, які скасовують визначення окремого об'єкта приймають лише один "
+"аргумент."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:43
+msgid "<option>-E</option>,<option>--everything</option>"
+msgstr "<option>-E</option>,<option>--everything</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:47
+msgid "Invalidate all cached entries."
+msgstr "Скасувати чинність усіх кешованих записів."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:53
+msgid ""
+"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
+msgstr ""
+"<option>-u</option>,<option>--user</option> <replaceable>реєстраційні дані</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:58
+msgid "Invalidate specific user."
+msgstr "Скасувати визначення вказаного користувача."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:64
+msgid "<option>-U</option>,<option>--users</option>"
+msgstr "<option>-U</option>,<option>--users</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:68
+msgid ""
+"Invalidate all user records. This option overrides invalidation of specific "
+"user if it was also set."
+msgstr ""
+"Скасувати визначення всіх записів. Цей параметр має вищий пріоритет за "
+"параметр скасування визначення для будь-якого користувача, якщо такий "
+"параметр вказано."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:75
+msgid ""
+"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
+msgstr ""
+"<option>-g</option>,<option>--group</option> <replaceable>група</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:80
+msgid "Invalidate specific group."
+msgstr "Скасувати визначення вказаної групи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:86
+msgid "<option>-G</option>,<option>--groups</option>"
+msgstr "<option>-G</option>,<option>--groups</option>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:90
+msgid ""
+"Invalidate all group records. This option overrides invalidation of specific "
+"group if it was also set."
+msgstr ""
+"Скасувати визначення записів для всіх груп. Цей параметр має вищий пріоритет "
+"за параметр скасування визначення для будь-якої групи, якщо такий параметр "
+"вказано."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:97
+msgid ""
+"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
+"replaceable>"
+msgstr ""
+"<option>-n</option>,<option>--netgroup</option> <replaceable>мережева група</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:102
+msgid "Invalidate specific netgroup."
+msgstr "Скасувати визначення вказаної мережевої групи."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:108
+msgid "<option>-N</option>,<option>--netgroups</option>"
+msgstr "<option>-N</option>,<option>--netgroups</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:112
+msgid ""
+"Invalidate all netgroup records. This option overrides invalidation of "
+"specific netgroup if it was also set."
+msgstr ""
+"Скасувати визначення всіх записів мережевих груп. Цей параметр має вищий "
+"пріоритет за параметр скасування визначення для будь-якої мережевої групи, "
+"якщо такий параметр вказано."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:119
+msgid ""
+"<option>-s</option>,<option>--service</option> <replaceable>service</"
+"replaceable>"
+msgstr ""
+"<option>-s</option>,<option>--service</option> <replaceable>служба</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:124
+msgid "Invalidate specific service."
+msgstr "Скасувати визначення вказаної служби."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:130
+msgid "<option>-S</option>,<option>--services</option>"
+msgstr "<option>-S</option>,<option>--services</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:134
+msgid ""
+"Invalidate all service records. This option overrides invalidation of "
+"specific service if it was also set."
+msgstr ""
+"Скасувати визначення всіх записів служб. Цей параметр має вищий пріоритет за "
+"параметр скасування визначення для будь-якої служби, якщо такий параметр "
+"вказано."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:141
+msgid ""
+"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--autofs-map</option> <replaceable>карта autofs</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:146
+msgid "Invalidate specific autofs maps."
+msgstr "Скасувати визначення певної карти autofs."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:152
+msgid "<option>-A</option>,<option>--autofs-maps</option>"
+msgstr "<option>-A</option>,<option>--autofs-maps</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:156
+msgid ""
+"Invalidate all autofs maps. This option overrides invalidation of specific "
+"map if it was also set."
+msgstr ""
+"Скасувати визначення всіх записів карт autofs. 
Цей параметр має вищий "
+"пріоритет за параметр скасування визначення для будь-якої карти, якщо такий "
+"параметр вказано."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:163
+msgid ""
+"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
+"replaceable>"
+msgstr ""
+"<option>-h</option>,<option>--ssh-host</option> <replaceable>назва вузла</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:168
+msgid "Invalidate SSH public keys of a specific host."
+msgstr "Скасувати чинність відкритих ключів SSH певного вузла."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:174
+msgid "<option>-H</option>,<option>--ssh-hosts</option>"
+msgstr "<option>-H</option>,<option>--ssh-hosts</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:178
+msgid ""
+"Invalidate SSH public keys of all hosts. This option overrides invalidation "
+"of SSH public keys of specific host if it was also set."
+msgstr ""
+"Скасувати чинність усіх відкритих ключів SSH усіх вузлів. Цей параметр "
+"перевизначає скасовування чинності ключів SSH певних вузлів, якщо для них "
+"було використано таке скасовування."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:186
+msgid ""
+"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
+"replaceable>"
+msgstr ""
+"<option>-r</option>,<option>--sudo-rule</option> <replaceable>правило</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:191
+msgid "Invalidate particular sudo rule."
+msgstr "Скасувати чинність певного правила sudo."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:197
+msgid "<option>-R</option>,<option>--sudo-rules</option>"
+msgstr "<option>-R</option>,<option>--sudo-rules</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:201
+msgid ""
+"Invalidate all cached sudo rules. This option overrides invalidation of "
+"specific sudo rule if it was also set."
+msgstr ""
+"Скасувати визначення усіх кешованих правил sudo. Цей параметр має вищий "
+"пріоритет за параметр скасування визначення для будь-якого правила sudo, "
+"якщо такий параметр вказано."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_cache.8.xml:209
+msgid ""
+"<option>-d</option>,<option>--domain</option> <replaceable>domain</"
+"replaceable>"
+msgstr ""
+"<option>-d</option>,<option>--domain</option> <replaceable>домен</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_cache.8.xml:214
+msgid "Restrict invalidation process only to a particular domain."
+msgstr "Обмежити процедуру скасування визначення лише певним доменом."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
+msgid "sss_debuglevel"
+msgstr "sss_debuglevel"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_debuglevel.8.xml:16
+msgid "[DEPRECATED] change debug level while SSSD is running"
+msgstr "[ЗАСТАРІЛИЙ] змінити рівень діагностики протягом сеансу роботи з SSSD"
+
+#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_debuglevel.8.xml:21
+msgid ""
+"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
+"replaceable></arg>"
+msgstr ""
+"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg "
+"choice='plain'><replaceable>НОВИЙ_РІВЕНЬ_ДІАГНОСТИКИ</replaceable></arg>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_debuglevel.8.xml:32
+msgid ""
+"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl "
+"debug-level command. Please refer to the <command>sssctl</command> man page "
+"for more information on sssctl usage."
+msgstr ""
+"<command>sss_debuglevel</command> вважається застарілим, його замінено "
+"командою debug-level sssctl. Будь ласка, зверніться до сторінки підручника "
+"щодо <command>sssctl</command>, щоб дізнатися більше про використання sssctl."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_seed.8.xml:10 sss_seed.8.xml:15
+msgid "sss_seed"
+msgstr "sss_seed"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_seed.8.xml:16
+msgid "seed the SSSD cache with a user"
+msgstr "надсилає дані кешу SSSD щодо користувача"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_seed.8.xml:21
+msgid ""
+"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
+"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
+"arg>"
+msgstr ""
+"<command>sss_seed</command> <arg choice='opt'> <replaceable>параметри</"
+"replaceable> </arg> <arg choice='plain'>-D <replaceable>ДОМЕН</replaceable></"
+"arg> <arg choice='plain'>-n <replaceable>КОРИСТУВАЧ</replaceable></arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:33
+msgid ""
+"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
+"temporary password. If a user entry is already present in the SSSD cache "
+"then the entry is updated with the temporary password."
+msgstr ""
+"<command>sss_seed</command> розповсюджує кеш SSSD з записом користувача і "
+"тимчасовим паролем. Якщо запис користувача вже є у кеші SSSD, запис буде "
+"оновлено зі встановленням тимчасового пароля."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:46
+msgid ""
+"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
+"replaceable>"
+msgstr ""
+"<option>-D</option>,<option>--domain</option> <replaceable>ДОМЕН</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:51
+msgid ""
+"Provide the name of the domain in which the user is a member of. The domain "
+"is also used to retrieve user information. The domain must be configured in "
+"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
+"Information retrieved from the domain overrides what is provided in the "
+"options."
+msgstr ""
+"Визначає назву домену, учасником якого є користувач. Домен використовується "
+"для отримання даних щодо користувачів. Домен має бути налаштовано у sssd."
+"conf. Має бути надано аргумент <replaceable>ДОМЕН</replaceable>. Дані, "
+"отримані з домену, матимуть вищий пріоритет за дані, вказані за допомогою "
+"параметрів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:63
+msgid ""
+"<option>-n</option>,<option>--username</option> <replaceable>USER</"
+"replaceable>"
+msgstr ""
+"<option>-n</option>,<option>--username</option> <replaceable>КОРИСТУВАЧ</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:68
+msgid ""
+"The username of the entry to be created or modified in the cache. The "
+"<replaceable>USER</replaceable> option must be provided."
+msgstr ""
+"Ім’я користувача, запис якого слід створити або змінити у кеші. Має бути "
+"вказано аргумент <replaceable>КОРИСТУВАЧ</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:81
+msgid "Set the UID of the user to <replaceable>UID</replaceable>."
+msgstr "Встановити UID користувача у значення <replaceable>UID</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:93
+msgid "Set the GID of the user to <replaceable>GID</replaceable>."
+msgstr "Встановити GID користувача у значення <replaceable>GID</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:117
+msgid ""
+"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
+msgstr ""
+"Встановити домашній каталог користувача у значення "
+"<replaceable>ДОМАШНІЙ_КАТАЛОГ</replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:129
+msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
+msgstr ""
+"Встановити оболонку реєстрації користувача у значення <replaceable>ОБОЛОНКА</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:140
+msgid ""
+"Interactive mode for entering user information. This option will only prompt "
+"for information not provided in the options or retrieved from the domain."
+msgstr ""
+"Інтерактивний режим для введення даних користувача. 
У разі використання "
+"цього параметра програма надсилатиме запит лише щодо даних, які не було "
+"отримано з параметрів команди або домену."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_seed.8.xml:148
+msgid ""
+"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
+"replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--password-file</option> "
+"<replaceable>ФАЙЛ_ПАРОЛІВ</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_seed.8.xml:153
+msgid ""
+"Specify file to read user's password from. (if not specified password is "
+"prompted for)"
+msgstr ""
+"Вказати файл, звідки слід читати дані щодо паролів користувачів. Якщо пароль "
+"не буде знайдено, програма надішле запит на його введення."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_seed.8.xml:165
+msgid ""
+"The length of the password (or the size of file specified with -p or --"
+"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
+"on systems with no globally-defined PASS_MAX value)."
+msgstr ""
+"Довжина пароля (або розмір файла, визначеного за допомогою параметра -p або "
+"--password-file) має бути меншою або рівною PASS_MAX байтів (64 байти у "
+"системах без визначеного на загальному рівні значення PASS_MAX)."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16
+msgid "sssd-ifp"
+msgstr "sssd-ifp"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-ifp.5.xml:17
+msgid "SSSD InfoPipe responder"
+msgstr "Відповідач InfoPipe SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:23
+msgid ""
+"This manual page describes the configuration of the InfoPipe responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"На цій сторінці довідника описано налаштування засобу надання відповідей "
+"InfoPipe для <citerefentry> <refentrytitle>sssd</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис "
+"налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:36
+msgid ""
+"The InfoPipe responder provides a public D-Bus interface accessible over the "
+"system bus. The interface allows the user to query information about remote "
+"users and groups over the system bus."
+msgstr ""
+"Відповідач InfoPipe забезпечує роботу відкритого інтерфейсу D-Bus над "
+"системним каналом повідомлень. За допомогою цього інтерфейсу користувачі "
+"можуть надсилати загальносистемним каналом повідомлень запити щодо "
+"інформації про віддалених користувачів і групи."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:46
+msgid "These options can be used to configure the InfoPipe responder."
+msgstr ""
+"Цими параметрами можна скористатися для налаштовування відповідача InfoPipe."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:53
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+"Визначає список значень UID або імен користувачів, відокремлених комами. "
+"Користувачам з цього списку буде дозволено доступ до відповідача InfoPipe. "
+"UID за іменами користувачів визначатимуться під час запуску."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:59
+msgid ""
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+msgstr ""
+"Типове значення: 0 (доступ до відповідача InfoPipe має лише адміністративний "
+"користувач (root))"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:63
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the InfoPipe responder, which would be the typical case, you have to "
+"add 0 to the list of allowed UIDs as well."
+msgstr ""
+"Будь ласка, зауважте, що хоча типово використовується UID 0, значення UID "
+"буде перевизначено на основі цього параметра. Якщо ви хочете надати "
+"адміністративному користувачеві (root) доступ до відповідача InfoPipe, що "
+"може бути типовим варіантом, вам слід додати до списку UID з правами доступу "
+"запис 0."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:77
+msgid "Specifies the comma-separated list of white or blacklisted attributes."
+msgstr ""
+"Визначає список атрибутів з «білого» або «чорного» списків, відокремлених "
+"комами."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:91
+msgid "name"
+msgstr "name"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:92
+msgid "user's login name"
+msgstr "реєстраційне ім’я користувача"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:95
+msgid "uidNumber"
+msgstr "uidNumber"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:96
+msgid "user ID"
+msgstr "ідентифікатор користувача"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:99
+msgid "gidNumber"
+msgstr "gidNumber"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:100
+msgid "primary group ID"
+msgstr "ідентифікатор основної групи"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:103
+msgid "gecos"
+msgstr "gecos"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:104
+msgid "user information, typically full name"
+msgstr "дані щодо користувача, типово ім’я повністю"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:107
+msgid "homeDirectory"
+msgstr "homeDirectory"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:111
+msgid "loginShell"
+msgstr "loginShell"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:112
+msgid "user shell"
+msgstr "командна оболонка користувача"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:81
+msgid ""
+"By default, the InfoPipe responder only allows the default set of POSIX "
+"attributes to be requested. 
This set is the same as returned by "
+"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+"Типово, відповідач InfoPipe надає дані лише щодо типового набору атрибутів "
+"POSIX. Цей набір є тим самим, який повертає програма <citerefentry> "
+"<refentrytitle>getpwnam</refentrytitle> <manvolnum>3</manvolnum> </"
+"citerefentry>, його елементи: <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ifp.5.xml:125
+#, no-wrap
+msgid ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+msgstr ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:117
+msgid ""
+"It is possible to add another attribute to this set by using <quote>"
+"+attr_name</quote> or explicitly remove an attribute using <quote>-"
+"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
+"deny <quote>loginShell</quote>, you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Ви можете додати інший атрибут до цього набору за допомогою параметра "
+"«+назва_атрибута» або явним чином виключити атрибут за допомогою параметра «-"
+"назва_атрибута». Наприклад, щоб дозволити «telephoneNumber», але заборонити "
+"«loginShell», вам слід скористатися такими налаштуваннями: <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:129
+msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+msgstr ""
+"Типове значення: не встановлено. Дозволено лише типовий набір атрибутів "
+"POSIX."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:139
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup that overrides caller-supplied limit."
+msgstr ""
+"Визначає верхню межу для кількості записів, які отримуватимуться під час "
+"пошуку з використанням символів-замінників, які перевизначають обмеження, "
+"яке накладається функцією виклику."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:144
+msgid "Default: 0 (let the caller set an upper limit)"
+msgstr ""
+"Типове значення: 0 (дозволити встановлювати верхнє обмеження функції виклику)"
+
+#. type: Content of: <reference><refentry><refentryinfo>
+#: sss_rpcidmapd.5.xml:8
+msgid ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+msgstr ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Розробник (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Розробник (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
+msgid "sss_rpcidmapd"
+msgstr "sss_rpcidmapd"
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_rpcidmapd.5.xml:33
+msgid "sss plugin configuration directives for rpc.idmapd"
+msgstr "Директиви налаштовування додатка sss для rpc.idmapd"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:37
+msgid "CONFIGURATION FILE"
+msgstr "ФАЙЛ НАЛАШТУВАНЬ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:39
+msgid ""
+"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
+msgstr ""
+"Файл налаштувань rpc.idmapd зазвичай зберігається тут: <emphasis>/etc/idmapd."
+"conf</emphasis>. Див. підручник з <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, щоб дізнатися "
+"більше."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:49
+msgid "SSS CONFIGURATION EXTENSION"
+msgstr "РОЗШИРЕННЯ НАЛАШТОВУВАННЯ SSS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:51
+msgid "Enable SSS plugin"
+msgstr "Вмикання додатка SSS"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:53
+msgid ""
+"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
+"attribute to contain <emphasis>sss</emphasis>."
+msgstr ""
+"У розділі «[Translation]» змініть або додайте атрибут «Method» із вмістом "
+"<emphasis>sss</emphasis>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:59
+msgid "[sss] config section"
+msgstr "Розділ налаштовування [sss]"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:61
+msgid ""
+"In order to change the default of one of the configuration attributes of the "
+"<emphasis>sss</emphasis> plugin listed below you will need to create a "
+"config section for it, named <quote>[sss]</quote>."
+msgstr ""
+"Якщо вам потрібно змінити типове значення одного з атрибутів налаштувань, "
+"перелічених нижче, додатка <emphasis>sss</emphasis>, вам слід створити "
+"розділ налаштувань для нього з назвою «[sss]»."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sss_rpcidmapd.5.xml:67
+msgid "Configuration attributes"
+msgstr "Атрибути налаштувань"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sss_rpcidmapd.5.xml:69
+msgid "memcache (bool)"
+msgstr "memcache (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sss_rpcidmapd.5.xml:72
+msgid "Indicates whether or not to use memcache optimisation technique."
+msgstr "Визначає, чи слід використовувати методику оптимізації кешу у пам’яті."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:85
+msgid "SSSD INTEGRATION"
+msgstr "ІНТЕГРАЦІЯ З SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:87
+msgid ""
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
+"in sssd."
+msgstr ""
+"Додаток sss потребує вмикання <emphasis>Відповідача NSS</emphasis> у sssd."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:91
+msgid ""
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
+"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
+"wire)."
+msgstr ""
+"Атрибут «use_fully_qualified_names» має бути увімкнено для усіх доменів "
+"(клієнти NFSv4 очікують на те, що надсилається назва повністю)."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_rpcidmapd.5.xml:103
+#, no-wrap
+msgid ""
+"[General]\n"
+"Verbosity = 2\n"
+"# domain must be synced between NFSv4 server and clients\n"
+"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+msgstr ""
+"[General]\n"
+"Verbosity = 2\n"
+"# домен має бути синхронізовано між сервером NFSv4 та клієнтами\n"
+"# У Solaris/Illumos/AIX типово використовується \"локальний домен\"!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:100
+msgid ""
+"The following example shows a minimal idmapd.conf which makes use of the sss "
+"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"У наведеному нижче прикладі показано мінімальний вигляд idmapd.conf, де "
+"використовується додаток sss. <placeholder type=\"programlisting\" id=\"0\"/"
+">"
+
+#. type: Content of: <refsect1><title>
+#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
+msgid "SEE ALSO"
+msgstr "ТАКОЖ ПЕРЕГЛЯНЬТЕ"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:122
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+msgstr ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
+msgid "sss_ssh_authorizedkeys"
+msgstr "sss_ssh_authorizedkeys"
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
+msgid "1"
+msgstr "1"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_authorizedkeys.1.xml:16
+msgid "get OpenSSH authorized keys"
+msgstr "отримати уповноважені ключі OpenSSH"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_authorizedkeys.1.xml:21
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+msgstr ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>параметри</replaceable> </arg> <arg "
+"choice='plain'><replaceable>КОРИСТУВАЧ</replaceable></arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+"<command>sss_ssh_authorizedkeys</command> отримує відкриті ключі SSH для "
+"користувача <replaceable>КОРИСТУВАЧ</replaceable> і виводить їх у форматі "
+"authorized_keys OpenSSH (щоб дізнатися більше, див. розділ <quote>ФОРМАТ "
+"ФАЙЛІВ AUTHORIZED_KEYS</quote> на сторінці підручника (man) з "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry>)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> можна налаштувати на використання "
+"<command>sss_ssh_authorizedkeys</command> для розпізнавання користувачів за "
+"відкритими ключами, якщо програму зібрано із підтримкою параметра "
+"<quote>AuthorizedKeysCommand</quote>. Будь ласка, зверніться до сторінки "
+"підручника <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>, щоб дізнатися більше про цей "
+"параметр."
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+"Якщо передбачено підтримку <quote>AuthorizedKeysCommand</quote>, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> можна налаштувати на використання ключів за допомогою таких "
+"інструкцій у <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+#, fuzzy
+#| msgid "p11_child_timeout (integer)"
+msgid "p11_child_timeout"
+msgstr "p11_child_timeout (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+#, fuzzy
+#| msgid "certificate_verification (string)"
+msgid "certificate_verification"
+msgstr "certificate_verification (рядок)"
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+#, fuzzy
+#| msgid ""
+#| "Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
+#| "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+#| "manvolnum> </citerefentry> manual page for more details."
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+"З докладнішими відомостями щодо параметра «dns_discovery_domain» можна "
+"ознайомитися на сторінці підручника (man) <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys. When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+"Шукати відкриті ключі користувачів у домені SSSD <replaceable>ДОМЕН</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr "СТАН ВИХОДУ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+"У випадку успіху значення стану виходу дорівнює 0. У всіх інших випадках "
+"програма повертає 1."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr "sss_ssh_knownhostsproxy"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr "отримати ключі вузла OpenSSH"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>параметри</replaceable> </arg> <arg "
+"choice='plain'><replaceable>ВУЗОЛ</replaceable></arg> <arg "
+"choice='opt'><replaceable>КОМАНДА_ПРОКСІ</replaceable></arg>"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+"<command>sss_ssh_knownhostsproxy</command> отримує відкриті ключі вузла SSH "
+"для вузла <replaceable>ВУЗОЛ</replaceable>, зберігає їх до нетипового файла "
+"OpenSSH known_hosts (щоб дізнатися більше, ознайомтеся з розділом "
+"<quote>ФОРМАТ ФАЙЛІВ SSH_KNOWN_HOSTS</quote> сторінки підручника (man) "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry>) за адресою <filename>/var/lib/sss/pubconf/known_hosts</"
+"filename> і встановлює з’єднання з вузлом."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+"Якщо вказано параметр <replaceable>КОМАНДА_ПРОКСІ</replaceable>, замість "
+"відкриття сокета для створення з’єднання буде використано відповідну команду."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> можна налаштувати на використання "
+"<command>sss_ssh_knownhostsproxy</command> для розпізнавання вузлів за "
+"ключами за допомогою таких інструкцій у налаштуваннях "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry>: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+"<option>-p</option>,<option>--port</option> <replaceable>ПОРТ</replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+"Використовувати для встановлення з’єднання з вузлом порт <replaceable>ПОРТ</"
+"replaceable>. Типовим портом є порт 22."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+"Шукати відкриті ключі вузлів у домені SSSD <replaceable>ДОМЕН</replaceable>."
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+#, fuzzy
+#| msgid "<option>-U</option>,<option>--users</option>"
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr "<option>-U</option>,<option>--users</option>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+#, fuzzy
+#| msgid ""
+#| "Search for host public keys in SSSD domain <replaceable>DOMAIN</"
+#| "replaceable>."
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr ""
+"Шукати відкриті ключі вузлів у домені SSSD <replaceable>ДОМЕН</replaceable>."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr "idmap_sss"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr "Модуль idmap_sss SSSD для Winbind"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+"Модуль idmap_sss надає змогу викликати SSSD для прив'язки UID/GID і SID. У "
+"цьому випадку база даних не потрібна, оскільки прив'язка виконується "
+"засобами SSSD."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr "ПАРАМЕТРИ IDMAP"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr "діапазон = нижче - вище"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: idmap_sss.8.xml:35 +msgid "" +"Defines the available matching UID and GID range for which the backend is " +"authoritative." +msgstr "" +"Визначає доступний для обробки модулем діапазон відповідності UID і GID." + +#. type: Content of: <reference><refentry><refsect1><para> +#: idmap_sss.8.xml:45 +msgid "" +"This example shows how to configure idmap_sss as the default mapping module." +msgstr "" +"У цьому прикладі продемонстровано налаштовування idmap_sss як типового " +"модуля прив'язки." + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: idmap_sss.8.xml:50 +#, no-wrap +msgid "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " +msgstr "" +"[global]\n" +"security = domain\n" +"workgroup = MAIN\n" +"\n" +"idmap config * : backend = sss\n" +"idmap config * : range = 200000-2147483647\n" +" " + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssctl.8.xml:10 sssctl.8.xml:15 +msgid "sssctl" +msgstr "sssctl" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssctl.8.xml:16 +msgid "SSSD control and status utility" +msgstr "Засіб керування і визначення стану SSSD" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssctl.8.xml:21 +msgid "" +"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" +"<command>sssctl</command> <arg choice='plain'><replaceable>КОМАНДА</" +"replaceable></arg> <arg choice='opt'> <replaceable>параметри</replaceable> </" +"arg>" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:32 +msgid "" +"<command>sssctl</command> provides a simple and unified way to obtain " +"information about SSSD status, such as active server, auto-discovered " +"servers, domains and cached objects. In addition, it can manage SSSD data " +"files for troubleshooting in such a way that is safe to manipulate while " +"SSSD is running." +msgstr "" +"<command>sssctl</command> є простим і уніфікованим засобом отримання даних " +"щодо стану SSSD, зокрема активного сервера, серверів автоматичного " +"визначення, доменів і кешованих об'єктів. Крім того, програма здатна " +"керувати файлами даних SSSD для усування вад у такий спосіб, щоб з ними " +"можна було безпечно працювати, доки працює SSSD." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssctl.8.xml:43 +msgid "" +"To list all available commands run <command>sssctl</command> without any " +"parameters. To print help for selected command run <command>sssctl COMMAND --" +"help</command>." +msgstr "" +"Щоб ознайомитися зі списком усіх доступних команд, віддайте команду " +"<command>sssctl</command> без параметрів. Щоб програма вивела довідкове " +"повідомлення щодо певної команди, віддайте команду <command>sssctl КОМАНДА --" +"help</command>." + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-files.5.xml:10 sssd-files.5.xml:16 +msgid "sssd-files" +msgstr "sssd-files" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-files.5.xml:17 +msgid "SSSD files provider" +msgstr "Засіб надання файлів SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:23 +msgid "" +"This manual page describes the files provider for <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" +"На цій сторінці довідника описано налаштування засобу обробки файлів для " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Щоб дізнатися більше про синтаксис налаштування, зверніться " +"до розділу «ФОРМАТ ФАЙЛА» сторінки довідника <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:36 +msgid "" +"The files provider mirrors the content of the <citerefentry> " +"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " +"provider is to make the users and groups traditionally only accessible with " +"NSS interfaces also available through the SSSD interfaces such as " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" +"Засіб надання даних файлів створює дзеркальну копію вмісту файлів " +"<citerefentry> <refentrytitle>passwd</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> і <citerefentry> <refentrytitle>group</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. Метою роботи засобу " +"надання даних файлів є забезпечення доступу до даних користувачів і груп, " +"які традиційно доступні за допомогою інтерфейсів NSS, також за допомогою " +"інтерфейсів SSSD, зокрема <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:69 +#, fuzzy +#| msgid "pwfield (string)" +msgid "passwd_files (string)" +msgstr "pwfield (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:72 +msgid "" +"Comma-separated list of one or multiple password filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:78 +#, fuzzy +#| msgid "Default: /etc/pki/nssdb" +msgid "Default: /etc/passwd" +msgstr "Типове значення: /etc/pki/nssdb" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-files.5.xml:84 +#, fuzzy +#| msgid "groups (string)" +msgid "group_files (string)" +msgstr "groups (рядок)" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:87 +msgid "" +"Comma-separated list of one or multiple group filenames to be read and " +"enumerated by the files provider, inotify monitor watches will be set on " +"each file to detect changes dynamically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-files.5.xml:93 +#, fuzzy +#| msgid "Default: nisNetgroup" +msgid "Default: /etc/group" +msgstr "Типове значення: nisNetgroup" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-files.5.xml:59 +#, fuzzy +#| msgid "" +#| "The files provider has no specific options of its own, however, generic " +#| "SSSD domain options can be set where applicable. Refer to the section " +#| "<quote>DOMAIN SECTIONS</quote> of the <citerefentry> <refentrytitle>sssd." 
+#| "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page "
+#| "for details on the configuration of an SSSD domain."
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Засіб надання даних файлів не має власних специфічних параметрів. Втім, "
+"можна використовувати загальні параметри доменів SSSD там, де це є доречним. "
+"Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>, щоб дізнатися більше про налаштування домену "
+"SSSD. "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+"У наведеному нижче прикладі припускається, що SSSD налаштовано належним "
+"чином, а files встановлено на один з доменів з розділу <replaceable>[sssd]</"
+"replaceable>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+"[domain/files]\n"
+"id_provider = files\n"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr "sssd-secrets"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr "Відповідач реєстраційних даних SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"На цій сторінці довідника описано налаштування засобу надання відповідей "
+"Secrets для <citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry>. Щоб дізнатися більше про синтаксис налаштування, "
+"зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+"У багатьох програмах системи або користувача існує потреба у збереженні "
+"конфіденційних даних, зокрема паролів і ключів до служб, та зручній роботі з "
+"цими даними. Простим способом вирішення цієї проблеми є вбудовування цих "
+"<quote>реєстраційних даних</quote> до файлів налаштувань. Втім, це "
+"призводить до потенційного розширення доступу до конфіденційних даних через "
+"резервні копії, системи керування налаштуваннями, та загалом робить захист "
+"даних важчим."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+"Проект <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"було створено для урегулювання цієї проблеми у хмароподібних середовищах, "
+"але нам ця ідея здалася вартою уваги навіть на рівні окремої ізольованої "
+"системи. Як служба захисту, SSSD є ідеальним місцем для реалізації такої "
+"можливості з доступом до відповідного програмного інтерфейсу через сокети "
+"UNIX. Така реалізація уможливлює використання локальних викликів і належну "
+"маршрутизацію до локального або віддаленого сховища ключів, зокрема сховища "
+"IPA, для зберігання, депонування і відновлення даних."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+"Записи реєстраційних даних є простими парами ключ-значення. Реєстраційні "
+"дані кожного з користувачів співвідносяться із його простором назв на основі "
+"ідентифікатора користувача. Це означає, що реєстраційні дані одного "
+"користувача ніколи не потраплять до іншого. Реєстраційні дані зберігаються у "
+"<quote>контейнерах</quote>, які можна вкладати один у одного."
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr "secrets"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr "записи реєстраційних даних для загального використання"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr "kcm"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+"використовується службою <citerefentry> <refentrytitle>sssd-kcm</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Оскільки відповідач реєстраційних даних може використовуватися ззовні для "
+"зберігання загальних реєстраційних даних, як це описано у решті цієї "
+"сторінки підручника, і всередині іншими компонентами SSSD для зберігання "
+"власних реєстраційних даних, можна налаштувати деякі параметри, зокрема "
+"квоти для окремих записів <quote>hive</quote> у підрозділі налаштувань із "
+"назвою відповідного рою. Підтримувані у поточній версії рої: <placeholder "
+"type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr "КОРИСТУВАННЯ ВІДПОВІДАЧЕМ РЕЄСТРАЦІЙНИХ ДАНИХ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+"Сокет UNIX, на якому відповідач SSSD очікує на дані, розташовано у "
+"<filename>/var/run/secrets.socket</filename>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
+"order for the service to be socket-activated, make sure the socket is "
+"enabled and active and the service is enabled: <placeholder type="
+"\"programlisting\" id=\"0\"/> Please note your distribution may already "
+"configure the units for you."
+msgstr ""
+"Відповідач для реєстраційних даних активується за допомогою сокетів "
+"<citerefentry> <refentrytitle>systemd</refentrytitle> <manvolnum>1</"
+"manvolnum> </citerefentry>. На відміну від інших відповідачів SSSD, його не "
+"можна запустити додаванням рядка <quote>secrets</quote> до інструкції "
+"<quote>service</quote>. Модуль сокета systemd називається <quote>sssd-"
+"secrets.socket</quote>, а відповідний файл служби має назву <quote>sssd-"
+"secrets.service</quote>. Щоб службу можна було активувати за допомогою "
+"сокета, слід увімкнути і задіяти сокет, а потім увімкнути службу: "
+"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що "
+"відповідні налаштування модулів вже могло бути виконано засобами вашого "
+"дистрибутива."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:122
+msgid ""
+"The generic SSSD responder options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
+"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some secrets-specific options as well."
+msgstr ""
+"Відповідачу реєстраційних даних можна передавати типові параметри "
+"відповідача SSSD, зокрема <quote>debug_level</quote> та <quote>fd_limit</"
+"quote>. Із повним списком параметрів можна ознайомитися на сторінці "
+"підручника <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>. Крім того, передбачено декілька "
+"специфічних для реєстраційних даних параметрів."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:132
+msgid ""
+"The secrets responder is configured with a global <quote>[secrets]</quote> "
+"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
+"in <filename>sssd.conf</filename>. Please note that some options, notably as "
+"the provider type, can only be specified in the per-user subsections."
+msgstr ""
+"Відповідач реєстраційних даних налаштовується за допомогою загального "
+"розділу <quote>[secrets]</quote> і необов'язкових розділів <quote>[secrets/"
+"users/$uid]</quote> для окремих користувачів у <filename>sssd.conf</"
+"filename>. Будь ласка, зауважте, що деякі параметра, зокрема тип "
+"постачальника даних, можна вказати лише у підрозділах окремих користувачів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:141
+msgid "provider (string)"
+msgstr "provider (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:157
+msgid "local"
+msgstr "local"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:160
+msgid ""
+"The secrets are stored in a local database, encrypted at rest with a master "
+"key. The local provider does not have any additional config options at the "
+"moment."
+msgstr ""
+"Реєстраційні дані зберігаються у локальній базі даних, зашифровані, разом із "
+"іншими даними, за допомогою основного ключа. Для локального засобу надання "
+"даних у поточній версії не передбачено жодних додаткових параметрів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:168
+msgid "proxy"
+msgstr "proxy"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:171
+msgid ""
+"The secrets responder forwards the requests to a Custodia server. The proxy "
+"provider supports several additional options (see below)."
+msgstr ""
+"Відповідач реєстраційних даних переспрямовує запити до сервера Custodia. Для "
+"засобу надання даних «proxy» передбачено декілька додаткових параметрів "
+"(див. нижче)."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:144
+msgid ""
+"This option specifies where should the secrets be stored. The secrets "
+"responder can configure a per-user subsections (e.g. <quote>[secrets/"
+"users/123]</quote> - see bottom of this manual page for a full example using "
+"Custodia for a particular user) that define which provider store the secrets "
+"for this particular user. The per-user subsections should contain all "
+"options for that user's provider. Please note that currently the global "
+"provider is always local, the proxy provider can only be specified in a per-"
+"user section. The following providers are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+"Цей параметр визначає, де слід зберігати реєстраційні дані. Відповідач "
+"реєстраційних даних може налаштувати підрозділи для окремих користувачів "
+"(наприклад, <quote>[secrets/users/123]</quote> — див. нижню частину цієї "
+"сторінки підручників, де наведено повний приклад використання Custodia для "
+"окремого користувача), які визначатимуть, яке сховище відповідача "
+"зберігатиме дані певного користувача. Підрозділи окремих користувачів мають "
+"містити усі параметри відповідного засобу надання даних користувача. Будь "
+"ласка, зауважте, що у поточній версії загальний постачальних даних з завжди "
+"локальним, а проміжного постачальника можна вказати лише для окремого "
+"користувача у відповідному розділі. Передбачено підтримку таких "
+"відповідачів: <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:180
+msgid "Default: local"
+msgstr "Типове значення: local"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:186
+msgid ""
+"The following options affect only the secrets <quote>hive</quote> and "
+"therefore should be set in a per-hive subsection. Setting the option to 0 "
+"means \"unlimited\"."
+msgstr ""
+"Наведені нижче параметри стосуються лише записів реєстраційних даних "
+"<quote>hive</quote> і тому їх слід встановлювати у підрозділах окремих роїв. "
+"Встановлення значення параметра 0 означає «без обмежень»."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:192
+msgid "containers_nest_level (integer)"
+msgstr "containers_nest_level (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:195
+msgid "This option specifies the maximum allowed number of nested containers."
+msgstr ""
+"Цей параметр визначає максимальну дозволену кількість вкладених контейнерів."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:199
+msgid "Default: 4"
+msgstr "Типове значення: 4"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:204
+msgid "max_secrets (integer)"
+msgstr "max_secrets (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:207
+msgid ""
+"This option specifies the maximum number of secrets that can be stored in "
+"the hive."
+msgstr ""
+"Цей параметр визначає максимальну кількість записів реєстраційних даних, які "
+"можна зберігати у рою."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:211
+msgid "Default: 1024 (secrets hive), 256 (kcm hive)"
+msgstr "Типове значення: 1024 (рій реєстраційних даних), 256 (рій kcm)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:216
+msgid "max_uid_secrets (integer)"
+msgstr "max_uid_secrets (ціле число)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:219
+msgid ""
+"This option specifies the maximum number of secrets that can be stored per-"
+"UID in the hive."
+msgstr ""
+"Цей параметр визначає максимальну кількість записів реєстраційних даних, які "
+"можна зберігати окремо для різних UID у рою."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:223
+msgid "Default: 256 (secrets hive), 64 (kcm hive)"
+msgstr "Типове значення: 256 (рій реєстраційних даних), 64 (рій kcm)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:228
+msgid "max_payload_size (integer)"
+msgstr "max_payload_size (ціле значення)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:231
+msgid ""
+"This option specifies the maximum payload size allowed for a secret payload "
+"in kilobytes."
+msgstr ""
+"Цей параметри визначає максимальний об'єм даних для реєстраційного запису у "
+"кілобайтах."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:235
+msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
+msgstr ""
+"Типове значення: 16 (рій реєстраційних даних), 65536 (64 МіБ) (рій kcm)"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:244
+#, no-wrap
+msgid ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+msgstr ""
+"[secrets/secrets]\n"
+"max_payload_size = 128\n"
+"\n"
+"[secrets/kcm]\n"
+"max_payload_size = 256\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:241
+msgid ""
+"For example, to adjust quotas differently for both the <quote>secrets</"
+"quote> and the <quote>kcm</quote> hives, configure the following: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Наприклад, щоб встановити різні квоти для роїв <quote>secrets</quote> та "
+"<quote>kcm</quote>, скористайтеся такими рядками: <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:252
+msgid ""
+"The following options are only applicable for configurations that use the "
+"<quote>proxy</quote> provider."
+msgstr ""
+"Вказані нижче параметри стосуються лише конфігурацій, у яких "
+"використовується засіб надання даних <quote>proxy</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:257
+msgid "proxy_url (string)"
+msgstr "proxy_url (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:260
+msgid ""
+"The URL the Custodia server is listening on. At the moment, http and https "
+"protocols are supported."
+msgstr ""
+"Адреса, за якою очікуватиме на дані сервер Custodia. У поточній версії "
+"передбачено підтримку протоколів http і https."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:267
+msgid "http[s]://<host>[:port]"
+msgstr "http[s]://<вузол>[:порт]"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:270
+msgid "Example: http://localhost:8080"
+msgstr "Приклад: http://localhost:8080"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:275
+msgid "auth_type (string)"
+msgstr "auth_type (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:278
+msgid ""
+"The method to use when authenticating to a Custodia server. The following "
+"authentication methods are supported:"
+msgstr ""
+"Спосіб розпізнавання сервером Custodia. Передбачено підтримку таких способів "
+"розпізнавання:"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:283
+msgid "basic_auth"
+msgstr "basic_auth"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:286
+msgid ""
+"Authenticate with a username and a password as set in the <quote>username</"
+"quote> and <quote>password</quote> options."
+msgstr ""
+"Виконати розпізнавання на основі імені користувача і пароля, які визначено "
+"параметрами <quote>username</quote> і <quote>password</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:293
+msgid "header"
+msgstr "header"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:296
+msgid ""
+"Authenticate with HTTP header value as defined in the "
+"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
+"configuration options."
+msgstr ""
+"Виконати розпізнавання за допомогою значення заголовка HTTP, як його "
+"визначено у параметрах налаштування <quote>auth_header_name</quote> і "
+"<quote>auth_header_value</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:307
+msgid "auth_header_name (string)"
+msgstr "auth_header_name (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:310
+msgid ""
+"If set, the secrets responder would put a header with this name into the "
+"HTTP request with the value defined in the <quote>auth_header_value</quote> "
+"configuration option."
+msgstr ""
+"Якщо встановлено, відповідач реєстраційних даних додаватиме заголовок із "
+"цією назвою до запиту HTTP разом із значенням, яке визначається параметром "
+"налаштування <quote>auth_header_value</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:315
+msgid "Example: MYSECRETNAME"
+msgstr "Приклад: MYSECRETNAME"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:320
+msgid "auth_header_value (string)"
+msgstr "auth_header_value (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:323
+msgid ""
+"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
+msgstr ""
+"Значення, яке sssd-secrets має використовувати для <quote>auth_header_name</"
+"quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:327
+msgid "Example: mysecret"
+msgstr "Приклад: mysecret"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:332
+msgid "forward_headers (list of strings)"
+msgstr "forward_headers (список рядків)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:335
+msgid ""
+"The list of HTTP headers to forward to the Custodia server together with the "
+"request."
+msgstr ""
+"Список заголовків HTTP, які слід переспрямувати до сервера Custodia разом із "
+"запитом."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:344
+msgid "verify_peer (boolean)"
+msgstr "verify_peer (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:347
+msgid ""
+"Whether peer's certificate should be verified and valid if HTTPS protocol is "
+"used with the proxy provider."
+msgstr ""
+"Визначає, чи слід перевіряти сертифікат вузла і чи слід вважати його чинним, "
+"якщо для засобу надання даних проксі використано протокол HTTPS."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:356
+msgid "verify_host (boolean)"
+msgstr "verify_host (булеве значення)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:359
+msgid ""
+"Whether peer's hostname must match with hostname in its certificate if HTTPS "
+"protocol is used with the proxy provider."
+msgstr ""
+"Визначає, чи має назва вузла збігатися із назвою вузла у його сертифікаті, "
+"якщо для засобу надання даних проксі використано протокол HTTPS."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:369
+msgid "capath (string)"
+msgstr "capath (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:372
+msgid ""
+"Path to directory containing stored certificate authority certificates. "
+"System default path is used if this option is not set."
+msgstr ""
+"Шлях до каталогу, у якому зберігаються сертифікати служб сертифікації. Якщо "
+"для цього параметра не встановлено значення, використовуватиметься "
+"загальносистемний типовий шлях."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:382
+msgid "cacert (string)"
+msgstr "cacert (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:385
+msgid ""
+"Path to file containing server's certificate authority certificate. If this "
+"option is not set then the CA's certificate is looked up in <quote>capath</"
+"quote>."
+msgstr ""
+"Шлях до файла, у якому міститься сертифікат служби сертифікації сервера. "
+"Якщо для цього параметра не встановлено значення, програма шукатиме "
+"сертифікат CA у <quote>capath</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:395
+msgid "cert (string)"
+msgstr "cert (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:398
+msgid ""
+"Path to file containing client's certificate if required by the server. This "
+"file may also contain private key or the private key may be in separate file "
+"set with <quote>key</quote>."
+msgstr ""
+"Шлях до файла, що містить клієнтський сертифікат, якщо такий потрібен для "
+"сервера. Цей файл може також містити закритий ключ. Закритий ключ можна "
+"також зберігати у файлі, назву якого встановлено за допомогою параметра "
+"<quote>key</quote>."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:409
+msgid "key (string)"
+msgstr "key (рядок)"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:412
+msgid "Path to file containing client's private key."
+msgstr "Шлях до файла, у якому міститься закритий ключ клієнта."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:422
+msgid "USING THE REST API"
+msgstr "КОРИСТУВАННЯ API REST"
+
+#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" +"У цьому розділі наведено список доступних команд та приклади користування із " +"використанням програми <citerefentry> <refentrytitle>curl</refentrytitle> " +"<manvolnum>1</manvolnum> </citerefentry>. Усі запити до засобу надання даних " +"проксі мають встановлювати для заголовка Content Type значення " +"<quote>application/json</quote>. Крім того, для локального засобу надання " +"даних передбачено підтримку встановлення для Content Type значення " +"<quote>application/octet-stream</quote>. Реєстраційні дані, збережені із " +"запитами, де встановлено значення заголовка Content Type <quote>application/" +"octet-stream</quote>, є даними у кодуванні base64 у сховищі, які " +"розшифровуються під час отримання, тому не можна зберігати реєстраційні дані " +"із одним значенням Content Type і отримувати з іншим. Адреса реєстраційних " +"даних має починатися з <filename>/secrets/</filename>." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "Отримання списку реєстраційних даних" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" +"Щоб отримати список доступних реєстраційних даних, надішліть запит HTTP GET " +"із кінцевою навскісною рискою у шляху до контейнера." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "Отримання реєстраційних даних" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" +"Щоб прочитати значення окремого запису реєстраційних даних, надішліть запит " +"HTTP GET без кінцевої навскісної риски. Остання частина адреси вважатиметься " +"назвою запису реєстраційних даних." + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" +"Приклади: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "Встановлення реєстраційних даних" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." 
+msgstr ""
+"Щоб встановити запис реєстраційних даних з використанням типу "
+"<quote>application/json</quote>, надішліть запит HTTP PUT із даними JSON, "
+"які включатимуть тип і значення. Тип (type) має бути встановлено у значення "
+"\"simple\", а значення (value) має містити дані реєстраційного запису. Якщо "
+"запис із вказаною назвою вже існує, відповіддю буде повідомлення про помилку "
+"409 HTTP."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:492
+msgid ""
+"The <quote>application/json</quote> type just sends the secret as the "
+"message payload."
+msgstr ""
+"Тип <quote>application/json</quote> просто надсилає реєстраційний ключ як "
+"вміст повідомлення."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:501
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+msgstr ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/foo \\\n"
+" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:507
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+msgstr ""
+"curl -H \"Content-Type: application/octet-stream\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPUT http://localhost/secrets/bar \\\n"
+" -d'barsecret'\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:496
+msgid ""
+"The following example sets a secret named 'foo' to a value of 'foosecret' "
+"and a secret named 'bar' to a value of 'barsecret' using a different Content "
+"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+msgstr ""
+"У наведеному нижче прикладі ми встановлюємо для реєстраційних даних із "
+"назвою «foo» значення «foosecret», а для реєстраційних даних із назвою «bar» "
+"— значення «barsecret», використовуючи різні значення Content Type. "
+"<placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
+"\"programlisting\" id=\"1\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:516
+msgid "Creating a container"
+msgstr "Створення контейнера"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:519
+msgid ""
+"Containers provide an additional namespace for this user's secrets. To "
+"create a container, send a HTTP POST request, whose URI ends with the "
+"container name. Please note the URI must end with a trailing slash."
+msgstr ""
+"Контейнери надають додатковий простір назв для реєстраційних даних цього "
+"користувача. Для створення контейнера надішліть запит HTTP POST, чи я адреса "
+"завершуватиметься назвою контейнера. Будь ласка, зауважте, що адреса має "
+"завершуватися символом навскісної риски."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:529
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+msgstr ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XPOST http://localhost/secrets/mycontainer/\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:526
+msgid ""
+"The following example creates a container named 'mycontainer': <placeholder "
+"type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"У наступному прикладі створюємо контейнер із назвою «mycontainer»: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:538
+#, no-wrap
+msgid ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+msgstr ""
+"http://localhost/secrets/mycontainer/mysecret\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:535
+msgid ""
+"To manipulate secrets under this container, just nest the secrets underneath "
+"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Щоб працювати із записами реєстраційних даних у цьому контейнері, просто "
+"вкладіть записи реєстраційних даних до шляху контейнера: <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:544
+msgid "Deleting a secret or a container"
+msgstr "Вилучення реєстраційних даних або контейнера"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:547
+msgid ""
+"To delete a secret or a container, send a HTTP DELETE request with a path to "
+"the secret or the container."
+msgstr ""
+"Щоб вилучити запис реєстраційних даних або контейнер, надішліть запит HTTP "
+"DELETE із шляхом до запису реєстраційних даних або до контейнера."
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-secrets.5.xml:553
+#, no-wrap
+msgid ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+msgstr ""
+"curl -H \"Content-Type: application/json\" \\\n"
+" --unix-socket /var/run/secrets.socket \\\n"
+" -XDELETE http://localhost/secrets/foo\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:551
+msgid ""
+"The following example deletes a secret named 'foo'. <placeholder type="
+"\"programlisting\" id=\"0\"/>"
+msgstr ""
+"У наведеному нижче прикладі ми вилучимо реєстраційні дані для запису «foo». "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:563
+msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
+msgstr "ПРИКЛАД НАЛАШТОВУВАННЯ МОДУЛІВ НАДАННЯ ДАНИХ CUSTODIA І ПРОКСІ"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:565
+msgid ""
+"For testing the proxy provider, you need to set up a Custodia server to "
+"proxy requests to. Please always consult the Custodia documentation, the "
+"configuration directives might change with different Custodia versions."
+msgstr ""
+"Для тестування засобу надання даних «proxy» вам слід налаштувати проксі-"
+"передавання на сервер Custodia. Будь ласка, завжди користуйтеся "
+"документацією до Custodia, оскільки інструкції налаштовування у різних "
+"версіях Custodia можуть бути різними."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:576
+#, no-wrap
+msgid ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+msgstr ""
+"[global]\n"
+"server_version = \"Secret/0.0.7\"\n"
+"server_url = http://localhost:8080/\n"
+"auditlog = /var/log/custodia.log\n"
+"debug = True\n"
+"\n"
+"[store:simple]\n"
+"handler = custodia.store.sqlite.SqliteStore\n"
+"dburi = /var/lib/custodia.db\n"
+"table = secrets\n"
+"\n"
+"[auth:header]\n"
+"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
+"header = MYSECRETNAME\n"
+"value = mysecretkey\n"
+"\n"
+"[authz:paths]\n"
+"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
+"paths = /secrets\n"
+"\n"
+"[/]\n"
+"handler = custodia.root.Root\n"
+"store = simple\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:570
+msgid ""
+"This configuration will set up a Custodia server listening on http://"
+"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
+"mysecretkey to communicate with the Custodia server. Place the contents "
+"into a file (for example, <replaceable>custodia.conf</replaceable>): "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Ці налаштування визначають для сервера Custodia адресу очікування даних "
+"http://localhost:8080, дозволяють будь-кому із заголовком із назвою "
+"MYSECRETNAME, який встановлено у значення mysecretkey, обмін даними із "
+"сервером Custodia. Запишіть ці дані до файла (наприклад, "
+"<replaceable>custodia.conf</replaceable>): <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:602
+msgid ""
+"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
+"config file as a command line argument."
+msgstr ""
+"Далі, віддайте команду <replaceable>custodia</replaceable>, вказавши файл "
+"налаштувань у параметрі командного рядка."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:606
+msgid ""
+"Please note that currently it's not possible to proxy all requests globally "
+"to a Custodia instance. Instead, per-user subsections for user IDs that "
+"should proxy requests to Custodia must be defined. The following example "
+"illustrates a configuration, where the user with UID 123 would proxy their "
+"requests to Custodia, but all other user's requests would be handled by a "
+"local provider."
+msgstr ""
+"Будь ласка, зверніть увагу на те, що у поточній версії неможливо на "
+"загальному рівні переспрямовувати усі запити до екземпляра Custodia. Замість "
+"цього слід визначати підрозділи для окремих ідентифікаторів користувачів, "
+"які переспрямовуватимуть запити до Custodia. У наведеному нижче прикладі "
+"проілюстровано конфігурацію, за якої запити користувача із UID 123 "
+"переспрямовуватимуться до Custodia, а запити усіх інших користувачів "
+"оброблятимуться локальним засобом надання даних."
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: sssd-secrets.5.xml:614
+#, no-wrap
+msgid ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+" "
+msgstr ""
+"[secrets]\n"
+"\n"
+"[secrets/users/123]\n"
+"provider = proxy\n"
+"proxy_url = http://localhost:8080/secrets/\n"
+"auth_type = header\n"
+"auth_header_name = MYSECRETNAME\n"
+"auth_header_value = mysecretkey\n"
+" "
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16
+msgid "sssd-session-recording"
+msgstr "sssd-session-recording"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-session-recording.5.xml:17
+msgid "Configuring session recording with SSSD"
+msgstr "Налаштовування записів сеансів за допомогою SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:23
+msgid ""
+"This manual page describes how to configure <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to "
+"implement user session recording on text terminals. For a detailed "
+"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> "
+"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"На цій сторінці підручника описано налаштовування <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
+"на роботу з <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry>, частиною пакунка tlog, для "
+"реалізації записування сеансів користувачів у текстових терміналах. "
+"Докладний довідник щодо синтаксису налаштувань можна знайти у розділі "
+"<quote>ФОРМАТ ФАЙЛА</quote> сторінки підручника з <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:41
+msgid ""
+"SSSD can be set up to enable recording of everything specific users see or "
+"type during their sessions on text terminals. E.g. when users log in on the "
+"console, or via SSH. SSSD itself doesn't record anything, but makes sure "
+"tlog-rec-session is started upon user login, so it can record according to "
+"its configuration."
+msgstr ""
+"SSSD можна налаштувати так, щоб уможливити запис усіх даних, які бачать або "
+"вводять протягом сеансу у текстових терміналах вказані користувачі. "
+"Наприклад, можна записувати дані щодо входу користувачів за допомогою "
+"консолі або SSH. Сама SSSD нічого не записує, а лише забезпечує запуск tlog-"
+"rec-session під час входу до системи користувача, щоб можна було здійснювати "
+"запис відповідно до налаштувань."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:48
+msgid ""
+"For users with session recording enabled, SSSD replaces the user shell with "
+"tlog-rec-session in NSS responses, and adds a variable specifying the "
+"original shell to the user environment, upon PAM session setup. This way "
+"tlog-rec-session can be started in place of the user shell, and know which "
+"actual shell to start, once it set up the recording."
+msgstr ""
+"Для користувачів, для яких увімкнено запис сеансів, SSSD замінює командну "
+"оболонку користувача на tlog-rec-session у відповідях NSS і додає змінну, "
+"яка вказує на початкову командну оболонку до середовища користувача у "
+"налаштування сеансу PAM. Таким чином забезпечується запуск tlog-rec-session "
+"замість командної оболонки користувача і надання даних про те, яку командну "
+"оболонку слід запустити, щойно розпочнеться записування."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:60
+msgid "These options can be used to configure the session recording."
+msgstr "Цими параметрами можна скористатися для налаштовування запису сеансів."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-session-recording.5.xml:146
+msgid ""
+"The following snippet of sssd.conf enables session recording for users "
+"\"contractor1\" and \"contractor2\", and group \"students\"."
+msgstr ""
+"У наведеному нижче фрагменті файла sssd.conf увімкнено запис сеансів для "
+"користувачів contractor1 і contractor2» та групи students."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-session-recording.5.xml:151
+#, no-wrap
+msgid ""
+"[session_recording]\n"
+"scope = some\n"
+"users = contractor1, contractor2\n"
+"groups = students\n"
+msgstr ""
+"[session_recording]\n"
+"scope = some\n"
+"users = contractor1, contractor2\n"
+"groups = students\n"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16
+msgid "sssd-kcm"
+msgstr "sssd-kcm"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-kcm.8.xml:17
+msgid "SSSD Kerberos Cache Manager"
+msgstr "Керування кешем Kerberos SSSD"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:23
+msgid ""
+"This manual page describes the configuration of the SSSD Kerberos Cache "
+"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos "
+"credential caches. It originates in the Heimdal Kerberos project, although "
+"the MIT Kerberos library also provides client side (more details on that "
+"below) support for the KCM credential cache."
+msgstr ""
+"На цій сторінці підручника описано налаштування засобу керування кешем "
+"Kerberos SSSD (Kerberos Cache Manager або KCM). KCM є процесом, який "
+"зберігає, стежить і керує кешем реєстраційних даних Kerberos. Ідея створення "
+"засобу походить із проекту Heimdal Kerberos, хоча у бібліотеці Kerberos MIT "
+"також надається підтримка з боку клієнта для кешу реєстраційних даних KCM "
+"(докладніше про це нижче)."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:31
+msgid ""
+"In a setup where Kerberos caches are managed by KCM, the Kerberos library "
+"(typically used through an application, like e.g., <citerefentry> "
+"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </"
+"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is "
+"being referred to as a <quote>\"KCM server\"</quote>. The client and server "
+"communicate over a UNIX socket."
+msgstr ""
+"У конфігураціях, де кешем Kerberos керує KCM, бібліотека Kerberos (типово "
+"використовується за допомогою якоїсь програми, наприклад <citerefentry> "
+"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </"
+"citerefentry>) є <quote>клієнтом KCM</quote>, а фонова служба KCM вважається "
+"<quote>сервером KCM</quote>. Клієнт і сервер обмінюються даними за допомогою "
+"сокета UNIX."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:42
+msgid ""
+"The KCM server keeps track of each credential caches's owner and performs "
+"access check control based on the UID and GID of the KCM client. The root "
+"user has access to all credential caches."
+msgstr ""
+"Сервер KCM стежити за кожним власником кешу реєстраційних даних і виконує "
+"перевірку прав доступу на основі UID і GID клієнта KCM. Користувач root має "
+"доступ до усіх кешів реєстраційних даних."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:47
+msgid "The KCM credential cache has several interesting properties:"
+msgstr "Кеш реєстраційних даних KCM має декілька цікавих властивостей:"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:51
+msgid ""
+"since the process runs in userspace, it is subject to UID namespacing, "
+"unlike the kernel keyring"
+msgstr ""
+"оскільки процес виконується у просторі користувача, він підлягає обмеженням "
+"за простором назв UID, на відміну від набору ключів ядра"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:56
+msgid ""
+"unlike the kernel keyring-based cache, which is shared between all "
+"containers, the KCM server is a separate process whose entry point is a UNIX "
+"socket"
+msgstr ""
+"на відміну від кешу на основі наборів ключів ядра, який є спільним для усіх "
+"контейнерів, сервер KCM є окремим процесом, чия точка входу є сокетом UNIX"
+
+#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
+#: sssd-kcm.8.xml:61
+msgid ""
+"the SSSD implementation stores the ccaches in the SSSD <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry> secrets store, allowing the ccaches to survive KCM server "
+"restarts or machine reboots."
+msgstr ""
+"реалізація у SSSD зберігає ccache-і у сховищі реєстраційних даних "
+"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry> SSSD, що надає змогу ccache-ам переживати "
+"перезапуски сервера KCM та перезавантаження комп'ютера."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:69
+msgid ""
+"This allows the system to use a collection-aware credential cache, yet share "
+"the credential cache between some or no containers by bind-mounting the "
+"socket."
+msgstr ""
+"Це надає змогу системі використовувати кеш реєстраційних даних із "
+"врахуванням збірок, одночасно надаючи спільний доступ до кешу реєстраційних "
+"даних для декількох контейнерів або без контейнерів взагалі шляхом "
+"прив'язування-монтування сокета."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-kcm.8.xml:76
+msgid "USING THE KCM CREDENTIAL CACHE"
+msgstr "КОРИСТУВАННЯ КЕШЕМ РЕЄСТРАЦІЙНИХ ДАНИХ KCM"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-kcm.8.xml:86
+#, no-wrap
+msgid ""
+"[libdefaults]\n"
+" default_ccache_name = KCM:\n"
+" "
+msgstr ""
+"[libdefaults]\n"
+" default_ccache_name = KCM:\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:78
+msgid ""
+"In order to use KCM credential cache, it must be selected as the default "
+"credential type in <citerefentry> <refentrytitle>krb5.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials "
+"cache name must be only <quote>KCM:</quote> without any template "
+"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+"Для використання кешу реєстраційних даних KCM його слід вибрати стандартним "
+"типом реєстраційних даних у <citerefentry> <refentrytitle>krb5.conf</"
+"refentrytitle><manvolnum>5</manvolnum> </citerefentry>. Назвою кешу "
+"реєстраційних даних має бути лише <quote>KCM:</quote> без будь-яких "
+"розширень шаблонами. Приклад: <placeholder type=\"programlisting\" id=\"0\"/>"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:91
+msgid ""
+"Next, make sure the Kerberos client libraries and the KCM server must agree "
+"on the UNIX socket path. By default, both use the same path <replaceable>/"
+"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos "
+"library, change its <quote>kcm_socket</quote> option which is described in "
+"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry> manual page."
+msgstr ""
+"Далі, слід визначити однаковий шлях до сокета UNIX для клієнтських бібліотек "
+"Kerberos і сервера KCM. Типово, у обох випадках використовується однаковий "
+"шлях <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. Для "
+"налаштовування бібліотеки Kerberos змініть значення її параметра "
+"<quote>kcm_socket</quote>, як це описано на сторінці підручника "
+"<citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-kcm.8.xml:113
+#, no-wrap
+msgid ""
+"systemctl start sssd-kcm.socket\n"
+"systemctl enable sssd-kcm.socket\n"
+" "
+msgstr ""
+"systemctl start sssd-kcm.socket\n"
+"systemctl enable sssd-kcm.socket\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:102
+msgid ""
+"Finally, make sure the SSSD KCM server can be contacted. The KCM service is "
+"typically socket-activated by <citerefentry> <refentrytitle>systemd</"
+"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD "
+"services, it cannot be started by adding the <quote>kcm</quote> string to "
+"the <quote>service</quote> directive. <placeholder type=\"programlisting\" "
+"id=\"0\"/> Please note your distribution may already configure the units for "
+"you."
+msgstr ""
+"Нарешті, переконайтеся, що з сервером KCM SSSD можна встановити зв'язок. "
+"Типово, служба KCM вмикається за допомогою сокета з <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. На відміну від інших служб SSSD, її не можна запустити "
+"додаванням рядка <quote>kcm</quote> до інструкції <quote>service</quote>. "
+"<placeholder type=\"programlisting\" id=\"0\"/> Будь ласка, зауважте, що "
+"відповідні налаштування модулів вже могло бути виконано засобами вашого "
+"дистрибутива."
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-kcm.8.xml:122
+msgid "THE CREDENTIAL CACHE STORAGE"
+msgstr "СХОВИЩЕ КЕШУ РЕЄСТРАЦІЙНИХ ДАНИХ"
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-kcm.8.xml:131
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+" "
+msgstr ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+" "
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:124
+msgid ""
+"The credential caches are stored in the SSSD secrets service (see "
+"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry> for more details). Therefore it is important that "
+"also the sssd-secrets service is enabled and its socket is started: "
+"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should "
+"already set the dependencies between the services."
+msgstr ""
+"Кеші реєстраційних даних зберігаються у сховищі служби реєстраційних даних "
+"SSSD (докладніший опис наведено на сторінці підручника <citerefentry> "
+"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </"
+"citerefentry>). Тому важливо, щоб було увімкнено службу sssd-secrets, а її "
+"сокет був доступним: <placeholder type=\"programlisting\" id=\"0\"/> "
+"Відповідні залежності між цими службами вже мало бути встановлено засобами "
+"вашого дистрибутива."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:141
+msgid ""
+"The KCM service is configured in the <quote>kcm</quote> section of the sssd."
+"conf file. Please note that currently, is it not sufficient to restart the "
+"sssd-kcm service, because the sssd configuration is only parsed and read to "
+"an internal configuration database by the sssd service. Therefore you must "
+"restart the sssd service if you change anything in the <quote>kcm</quote> "
+"section of sssd.conf. For a detailed syntax reference, refer to the "
+"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd."
+"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+"Налаштовування служби KCM виконується за допомогою розділу <quote>kcm</"
+"quote> файла sssd.conf. Будь ласка, зауважте, що у поточній версії для "
+"застосування налаштувань перезапуску служби sssd-kcm недостатньо, оскільки "
+"обробка і читання налаштувань sssd до внутрішньої бази даних налаштувань "
+"виконується лише самою службою sssd. Тому вам слід перезапустити вашу службу "
+"sssd, якщо ви щось змінили у розділі <quote>kcm</quote> файла sssd.conf. "
+"Докладний опис синтаксису файла налаштувань наведено у розділі <quote>ФОРМАТ "
+"ФАЙЛА</quote> сторінки підручника <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-kcm.8.xml:155
+msgid ""
+"The generic SSSD service options such as <quote>debug_level</quote> or "
+"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to "
+"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for a complete list. In addition, "
+"there are some KCM-specific options as well."
+msgstr ""
+"Службі kcm можна передавати типові параметри служби SSSD, зокрема "
+"<quote>debug_level</quote> та <quote>fd_limit</quote> Із повним списком "
+"параметрів можна ознайомитися на сторінці підручника <citerefentry> "
+"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry>.
Крім того, передбачено декілька специфічних для KCM " +"параметрів." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "socket_path (рядок)" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "Сокет, на якому очікуватиме на з'єднання служба KCM." + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" +"Типове значення: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "sssd-systemtap" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "Дані systemtap SSSD" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." 
+msgstr "" +"Цю сторінку підручника присвячено функціональним можливостям systemtap у " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" +"Точки зондування SystemTap додано до різноманітних частин коду SSSD, щоб " +"полегшити усування вад та аналіз пов'язаних зі швидкодією проблем." + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" +"Зразки скриптів SystemTap зберігаються у каталозі /usr/share/sssd/systemtap/" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" +"Зонди і різноманітні функції визначено у /usr/share/systemtap/tapset/sssd." +"stp і /usr/share/systemtap/tapset/sssd_functions.stp, відповідно." + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "ТОЧКИ ЗОНДУВАННЯ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" +"Дані у наведених нижче списках точок зондування та аргументів записано у " +"такому форматі:" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "зонд $назва" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "Опис точки зондування" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" +"змінна1:тип даних\n" +"змінна2:тип даних\n" +"змінна3:тип даних\n" +"...\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "Зонди операцій із базою даних" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "зонд sssd_transaction_start" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "Розпочати операцію sysdb, зондує функцію sysdb_transaction_start()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" +"nesting:ціле число\n" +"probestr:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "зонд sssd_transaction_cancel" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" +"Скасовування операції sysdb, зондує функцію sysdb_transaction_cancel() ." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "зонд sssd_transaction_commit_before" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "Зондує функцію sysdb_transaction_commit_before()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "зонд sssd_transaction_commit_after" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "Зондує функцію sysdb_transaction_commit_after()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "Зонди пошуку у LDAP" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "зонд sdap_search_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "Зондує функцію sdap_get_generic_ext_send()." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" +"base:рядок\n" +"scope:ціле число\n" +"filter:рядок\n" +"probestr:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "зонд sdap_search_recv" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "Зондує функцію sdap_get_generic_ext_recv()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "зонд sdap_deref_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "Зондує функцію sdap_deref_search_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" +"base_dn:рядок\n" +"deref_attr:рядок\n" +"probestr:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "зонд sdap_deref_recv" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "Зондує функцію sdap_deref_search_recv()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "Зонди запитів щодо облікових записів у LDAP" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "зонд sdap_acct_req_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "Зондує функцію sdap_acct_req_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" +"entry_type:ціле число\n" +"filter_type:ціле число\n" +"filter_value:рядок\n" +"extra_value:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "зонд sdap_acct_req_recv" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "Зондує функцію sdap_acct_req_recv()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "Зонди пошуку користувачів у LDAP" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "зонд sdap_search_user_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "Зондує функцію sdap_search_user_send()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" +"filter:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "зонд sdap_search_user_recv" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "Зондує функцію sdap_search_user_recv()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "зонд sdap_search_user_save_begin" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "Зондує функцію sdap_search_user_save_begin()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "зонд sdap_search_user_save_end" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "Зондує функцію sdap_search_user_save_end()." + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "Зонди запитів до постачальника даних" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "зонд dp_req_send" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "Подано запит до постачальника даних." + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" +"dp_req_domain:рядок\n" +"dp_req_name:рядок\n" +"dp_req_target:ціле число\n" +"dp_req_method:ціле число\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "зонд dp_req_done" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "Завершено виконання запиту до постачальника даних." + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" +"dp_req_name:рядок\n" +"dp_req_target:ціле число\n" +"dp_req_method:ціле число\n" +"dp_ret:ціле число\n" +"dp_errorstr:рядок\n" +" " + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "РІЗНОМАНІТНІ ФУНКЦІЇ" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "функція acct_req_desc(entry_type)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "Перетворення entry_type на рядок і повернення рядка" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" +"функція sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "Створення рядка зонду на основі типу фільтрування" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "функція dp_target_str(target)" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "Перетворення target на рядок і повернення рядка" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "функція dp_method_str(target)" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "Перетворення методу на рядок і повернення рядка" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "ПОШУК СЛУЖБ" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" +"За допомогою можливості виявлення служб основні модулі мають змогу " +"автоматично визначати відповідні сервери для встановлення з’єднання на " +"основі даних, отриманих у відповідь на спеціальний запит до DNS. Підтримки " +"цієї можливості для резервних серверів не передбачено." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "Налаштування" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. 
This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" +"Якщо серверів не буде вказано, модуль автоматично використає визначення " +"служб для пошуку сервера. Крім того, користувач може використовувати і " +"фіксовані адреси серверів і виявлення служб. Для цього слід вставити " +"особливе ключове слово, «_srv_», до списку серверів. Пріоритет визначається " +"за вказаним порядком. Ця можливість є корисною, якщо, наприклад, користувач " +"надає перевагу використанню виявлення служб, якщо це можливо, з поверненням " +"до використання певного сервера, якщо за допомогою DNS не вдасться виявити " +"жодного сервера." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "Назва домену" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" +"З докладнішими відомостями щодо параметра «dns_discovery_domain» можна " +"ознайомитися на сторінці підручника (man) <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "Протокол" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" +"Запитами зазвичай визначається протокол _tcp. Виключення документовано у " +"описі відповідного параметра." + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "Також прочитайте" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" +"Докладніші відомості щодо механізмів визначення служб можна знайти у RFC " +"2782." + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" +"<productname>SSSD</productname> <orgname>Основна гілка розробки SSSD — " +"https://pagure.io/SSSD/sssd/</orgname>" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "РЕЗЕРВ" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" +"Можливість резервування надає змогу модулям обробки автоматично перемикатися " +"на інші сервери, якщо спроба встановлення з’єднання з поточним сервером " +"зазнає невдачі." + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "Синтаксичні конструкції визначення резервного сервера" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" +"Список записів серверів, відокремлених комами. Між комами можна " +"використовувати довільну кількість пробілів. 
Порядок у списку визначає " +"пріоритет. У списку може бути будь-яка кількість записів серверів." + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" +"Для кожного з параметрів налаштування з увімкненим резервним отриманням " +"існує два варіанти: <emphasis>основний</emphasis> і <emphasis>резервний</" +"emphasis>. Ідея полягає у тому, що сервери з основного списку мають вищий " +"пріоритет за резервні сервери, пошук же на резервних серверах виконується, " +"лише якщо не вдасться з’єднатися з жодним з основних серверів. Якщо буде " +"вибрано резервний сервер, встановлюється час очікування у 31 секунду. Після " +"завершення часу очікування SSSD періодично намагатиметься повторно " +"встановити з’єднання з основними серверами. Якщо спроба буде успішною, " +"поточний активний резервний сервер буде замінено на основний." + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "Механізм визначення резервного сервера" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. 
If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" +"Механізмом резервного використання розрізняються окремі комп’ютери і служби. " +"Спочатку модуль намагається визначити назву вузла вказаного комп’ютера. Якщо " +"спроби визначення зазнають невдачі, комп’ютер вважатиметься від’єднаним від " +"мережі. Подальших спроб встановити з’єднання з цим комп’ютером для всіх " +"інших служб не виконуватиметься. Якщо вдасться виконати визначення, модуль " +"зробити спробу встановити з’єднання зі службою на визначеному комп’ютері. " +"Якщо спроба з’єднання зі службою не призведе до успіху, непрацездатною " +"вважатиметься лише служба, модуль автоматично перемкнеться на наступну " +"службу. Комп’ютер служби вважатиметься з’єднаним з мережею, можливі подальші " +"спроби використання інших служб." + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" +"Подальші спроби встановлення з’єднання з комп’ютерами або службами, " +"позначеними як такі, що перебувають поза мережею, буде виконано за певний " +"проміжок часу. У поточній версії цей проміжок є незмінним і дорівнює 30 " +"секундам." + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." 
+msgstr "" +"Якщо список комп’ютерів буде вичерпано, основний модуль перейде у режим " +"автономної роботи і повторюватиме спроби з’єднання кожні 30 секунд." + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" +"Час очікування на перемикання на резервний ресурс та точне налаштовування" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" +"Для визначення сервера для з'єднання достатньо одного запиту DNS або " +"декількох кроків, зокрема визначення відповідного сайта або спроба " +"використати декілька назв вузлів у випадку, якщо якісь із налаштованих " +"серверів недоступні. Складніші сценарії можуть потребувати додаткового часу, " +"а SSSD треба збалансувати надання достатнього часу для завершення процесу " +"визначення і використання притомного часу на виконання цього запиту перед " +"переходом до автономного режиму. Якщо діагностичний журнал SSSD показує, що " +"під час визначення сервера перевищено час очікування на з'єднання із " +"працездатним сервером, варто змінити значення параметрів часу очікування." + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "dns_resolver_op_timeout" + +#. 
type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:80
+msgid "How long would SSSD talk to a single DNS server."
+msgstr ""
+"Наскільки довго SSSD обмінюватиметься інформацією із окремим сервером DNS."
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
+#: include/failover.xml:86
+msgid "dns_resolver_timeout"
+msgstr "dns_resolver_timeout"
+
+#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: include/failover.xml:90
+msgid ""
+"How long would SSSD try to resolve a failover service. This service "
+"resolution internally might include several steps, such as resolving DNS SRV "
+"queries or locating the site."
+msgstr ""
+"Наскільки довго має чекати SSSD на визначення резервної служби надання "
+"даних. На внутрішньому рівні визначення такої служби може включати декілька "
+"кроків, зокрема визначення адрес запитів DNS SRV або пошук розташування "
+"сайта."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:67
+msgid ""
+"This section lists the available tunables. Please refer to their description "
+"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+"У цьому розділі наведено списки доступних для коригування параметрів. Будь "
+"ласка, ознайомтеся із їхніми описами за допомогою сторінки підручника "
+"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
+"manvolnum> </citerefentry>. <placeholder type=\"variablelist\" id=\"0\"/>"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/failover.xml:100
+#, fuzzy
+#| msgid ""
+#| "For LDAP-based providers, the resolve operation is performed as part of "
+#| "an LDAP connection operation.
Thefore, also the <quote>ldap_opt_timeout></"
+#| "quote> timeout should be set to a larger value than "
+#| "<quote>dns_resolver_timeout</quote> which in turn should be set to a "
+#| "larger value than <quote>dns_resolver_op_timeout</quote>."
+msgid ""
+"For LDAP-based providers, the resolve operation is performed as part of an "
+"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></"
+"quote> timeout should be set to a larger value than "
+"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
+"value than <quote>dns_resolver_op_timeout</quote>."
+msgstr ""
+"Для заснованих на LDAP постачальників даних дія з визначення виконується як "
+"частина дії зі встановлення з'єднання із LDAP. Тому слід також встановити "
+"для часу очікування <quote>ldap_opt_timeout></quote> значення, яке "
+"перевищуватиме значення <quote>dns_resolver_timeout</quote>, яке також має "
+"перевищувати значення <quote>dns_resolver_op_timeout</quote>."
+
+#. type: Content of: <refsect1><title>
+#: include/ldap_id_mapping.xml:2
+msgid "ID MAPPING"
+msgstr "ВСТАНОВЛЕННЯ ВІДПОВІДНОСТІ ІДЕНТИФІКАТОРІВ"
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:4
+msgid ""
+"The ID-mapping feature allows SSSD to act as a client of Active Directory "
+"without requiring administrators to extend user attributes to support POSIX "
+"attributes for user and group identifiers."
+msgstr ""
+"Можливість встановлення відповідності ідентифікаторів надає SSSD змогу "
+"працювати у режимі клієнта Active Directory без потреби для адміністраторів "
+"розширювати атрибути користувача з метою підтримки атрибутів POSIX для "
+"ідентифікаторів користувачів та груп."
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:9
+msgid ""
+"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
+"ignored. This is to avoid the possibility of conflicts between automatically-"
+"assigned and manually-assigned values.
If you need to use manually-assigned "
+"values, ALL values must be manually-assigned."
+msgstr ""
+"Зауваження: якщо увімкнено встановлення відповідності ідентифікаторів, "
+"атрибути uidNumber та gidNumber буде проігноровано. Так зроблено з метою "
+"уникання конфліктів між автоматично визначеними та визначеними вручну "
+"значеннями. Якщо вам потрібно призначити певні значення вручну, вручну "
+"доведеться призначати ВСІ значення."
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:16
+msgid ""
+"Please note that changing the ID mapping related configuration options will "
+"cause user and group IDs to change. At the moment, SSSD does not support "
+"changing IDs, so the SSSD database must be removed. Because cached passwords "
+"are also stored in the database, removing the database should only be "
+"performed while the authentication servers are reachable, otherwise users "
+"might get locked out. In order to cache the password, an authentication must "
+"be performed. It is not sufficient to use <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry> to remove the database, rather the process consists of:"
+msgstr ""
+"Будь ласка, зауважте, що зміна параметрів налаштувань, пов’язаних із "
+"встановленням відповідності ідентифікаторів, призведе до зміни "
+"ідентифікаторів користувачів і груп. У поточній версії SSSD зміни "
+"ідентифікаторів не передбачено, отже, вам доведеться вилучити базу даних "
+"SSSD. Оскільки кешовані паролі також зберігаються у базі даних, вилучення "
+"бази даних слід виконувати, лише якщо сервери розпізнавання є доступними, "
+"інакше користувачі не зможуть отримати потрібного їм доступу. З метою "
+"кешування паролів слід виконати сеанс розпізнавання.
Для вилучення бази "
+"даних недостатньо використання команди <citerefentry> "
+"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>, процедура має складатися з декількох кроків:"
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:33
+msgid "Making sure the remote servers are reachable"
+msgstr "Переконуємося, що віддалені сервери є доступними."
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:38
+msgid "Stopping the SSSD service"
+msgstr "Зупиняємо роботу служби SSSD"
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:43
+msgid "Removing the database"
+msgstr "Вилучаємо базу даних"
+
+#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:48
+msgid "Starting the SSSD service"
+msgstr "Запускаємо службу SSSD"
+
+#. type: Content of: <refsect1><para>
+#: include/ldap_id_mapping.xml:52
+msgid ""
+"Moreover, as the change of IDs might necessitate the adjustment of other "
+"system properties such as file and directory ownership, it's advisable to "
+"plan ahead and test the ID mapping configuration thoroughly."
+msgstr ""
+"Крім того, оскільки зміна ідентифікаторів може потребувати коригування інших "
+"властивостей системи, зокрема прав власності на файли і каталоги, варто "
+"спланувати усе наперед і ретельно перевірити налаштування встановлення "
+"відповідності ідентифікаторів."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:59
+msgid "Mapping Algorithm"
+msgstr "Алгоритм встановлення відповідності"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:61
+msgid ""
+"Active Directory provides an objectSID for every user and group object in "
+"the directory.
This objectSID can be broken up into components that "
+"represent the Active Directory domain identity and the relative identifier "
+"(RID) of the user or group object."
+msgstr ""
+"Active Directory надає значення objectSID для всіх об’єктів користувачів і "
+"груп у каталозі. Таке значення objectSID можна розбити на компоненти, які "
+"відповідають профілю домену Active Directory та відносному ідентифікатору "
+"(RID) об’єкта користувача або групи."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:67
+msgid ""
+"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
+"into equally-sized component sections - called \"slices\"-. Each slice "
+"represents the space available to an Active Directory domain."
+msgstr ""
+"Алгоритмом встановлення відповідності ідентифікаторів SSSD передбачено поділ "
+"діапазону доступних UID на розділи однакових розмірів, які називаються "
+"«зрізами». Кожен зріз відповідає простору, доступному певному домену Active "
+"Directory."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:73
+msgid ""
+"When a user or group entry for a particular domain is encountered for the "
+"first time, the SSSD allocates one of the available slices for that domain. "
+"In order to make this slice-assignment repeatable on different client "
+"machines, we select the slice based on the following algorithm:"
+msgstr ""
+"Коли SSSD вперше зустрічає запис користувача або групи певного домену, SSSD "
+"віддає один з доступних зрізів під цей домен. З метою уможливлення "
+"відтворення такого призначення зрізів на різних клієнтських системах, зріз "
+"вибирається за таким алгоритмом:"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:80
+msgid ""
+"The SID string is passed through the murmurhash3 algorithm to convert it to "
+"a 32-bit hashed value.
We then take the modulus of this value with the total "
+"number of available slices to pick the slice."
+msgstr ""
+"Рядок SID передається алгоритмові murmurhash3 з метою перетворення його на "
+"хешоване 32-бітове значення. Для вибору зрізу використовується ціла частина "
+"від ділення цього значення на загальну кількість доступних зрізів."
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:86
+msgid ""
+"NOTE: It is possible to encounter collisions in the hash and subsequent "
+"modulus. In these situations, we will select the next available slice, but "
+"it may not be possible to reproduce the same exact set of slices on other "
+"machines (since the order that they are encountered will determine their "
+"slice). In this situation, it is recommended to either switch to using "
+"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
+"configure a default domain to guarantee that at least one is always "
+"consistent. See <quote>Configuration</quote> for details."
+msgstr ""
+"Зауваження: за такого алгоритму можливі збіги за хешем та відповідною цілою "
+"частиною від ділення. У разі виявлення таких збігів буде вибрано наступний "
+"доступних зріз, але це може призвести до неможливості відтворити точно такий "
+"самий набір зрізів на інших комп’ютерах (оскільки в такому разі на вибір "
+"зрізів може вплинути порядок, у якому виконується обробка даних). Якщо ви "
+"зіткнулися з подібною ситуацією, рекомендуємо вам або перейти на "
+"використання явних атрибутів POSIX у Active Directory (вимкнути встановлення "
+"відповідності ідентифікаторів) або налаштувати типовий домен з метою "
+"гарантування того, що принаймні цей домен матиме еталонні дані. Докладніше "
+"про це у розділі «Налаштування»."
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:101
+msgid ""
+"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
+msgstr ""
+"Мінімальне налаштовування (у розділі <quote>[domain/НАЗВА_ДОМЕНУ]</quote>):"
+
+#. type: Content of: <refsect1><refsect2><para><programlisting>
+#: include/ldap_id_mapping.xml:106
+#, no-wrap
+msgid ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+msgstr ""
+"ldap_id_mapping = True\n"
+"ldap_schema = ad\n"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:111
+msgid ""
+"The default configuration results in configuring 10,000 slices, each capable "
+"of holding up to 200,000 IDs, starting from 200,000 and going up to "
+"2,000,200,000. This should be sufficient for most deployments."
+msgstr ""
+"За типових налаштувань буде створено 10000 зрізів, кожен з яких може містити "
+"до 200000 ідентифікаторів, починаючи з 2000000 і аж до 2000200000. Цього має "
+"вистачити для більшості розгорнутих середовищ."
+
+#. type: Content of: <refsect1><refsect2><refsect3><title>
+#: include/ldap_id_mapping.xml:117
+msgid "Advanced Configuration"
+msgstr "Додаткові налаштування"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:120
+msgid "ldap_idmap_range_min (integer)"
+msgstr "ldap_idmap_range_min (ціле число)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:123
+msgid ""
+"Specifies the lower bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"Визначає нижню межу діапазону ідентифікаторів POSIX, які слід "
+"використовувати для встановлення відповідності SID користувачів і груп "
+"Active Directory."
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:127
+msgid ""
+"NOTE: This option is different from <quote>min_id</quote> in that "
+"<quote>min_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>min_id</"
+"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
+msgstr ""
+"Зауваження: цей параметр відрізняється від <quote>min_id</quote> тим, що "
+"<quote>min_id</quote> працює як фільтр відповідей на запити щодо цього "
+"домену, а цей параметр керує діапазоном призначення ідентифікаторів. Ця "
+"відмінність є мінімальною, але загалом варто визначати <quote>min_id</quote> "
+"меншим або рівним <quote>ldap_idmap_range_min</quote>"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
+msgid "Default: 200000"
+msgstr "Типове значення: 200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:142
+msgid "ldap_idmap_range_max (integer)"
+msgstr "ldap_idmap_range_max (ціле число)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:145
+msgid ""
+"Specifies the upper bound of the range of POSIX IDs to use for mapping "
+"Active Directory user and group SIDs."
+msgstr ""
+"Визначає верхню межу діапазону ідентифікаторів POSIX, які слід "
+"використовувати для встановлення відповідності SID користувачів і груп "
+"Active Directory."
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:149
+msgid ""
+"NOTE: This option is different from <quote>max_id</quote> in that "
+"<quote>max_id</quote> acts to filter the output of requests to this domain, "
+"whereas this option controls the range of ID assignment. This is a subtle "
+"distinction, but the good general advice would be to have <quote>max_id</"
+"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
+msgstr ""
+"Зауваження: цей параметр відрізняється від <quote>max_id</quote> тим, що "
+"<quote>max_id</quote> працює як фільтр відповідей на запити щодо цього "
+"домену, а цей параметр керує діапазоном призначення ідентифікаторів. Ця "
+"відмінність є мінімальною, але загалом варто визначати <quote>max_id</quote> "
+"більшим або рівним <quote>ldap_idmap_range_max</quote>"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:159
+msgid "Default: 2000200000"
+msgstr "Типове значення: 2000200000"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:164
+msgid "ldap_idmap_range_size (integer)"
+msgstr "ldap_idmap_range_size (ціле число)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:167
+msgid ""
+"Specifies the number of IDs available for each slice. If the range size "
+"does not divide evenly into the min and max values, it will create as many "
+"complete slices as it can."
+msgstr ""
+"Визначає кількість ідентифікаторів доступних на кожному зі зрізів. Якщо "
+"розмір діапазону не ділиться націло на мінімальне і максимальне значення, "
+"буде створено якомога більше повних зрізів."
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:173
+msgid ""
+"NOTE: The value of this option must be at least as large as the highest user "
+"RID planned for use on the Active Directory server. User lookups and login "
+"will fail for any user whose RID is greater than this value."
+msgstr ""
+"ЗАУВАЖЕННЯ: значення цього параметра має бути не меншим за значення "
+"максимального запланованого до використання RID на сервері Active Directory. "
+"Пошук даних та вхід для будь-яких користувачів з RID, що перевищує це "
+"значення, буде неможливим."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:179
+msgid ""
+"For example, if your most recently-added Active Directory user has "
+"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
+"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)."
+msgstr ""
+"Приклад: якщо найсвіжішим доданим користувачем Active Directory є користувач "
+"з objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
+"«ldap_idmap_range_size» повинне мати значення, яке є не меншим за 1108, "
+"оскільки розмір діапазону дорівнює максимальному SID мінус мінімальний SID "
+"плюс 1. (Наприклад, 1108 = 1107 - 0 + 1)."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:186
+msgid ""
+"It is important to plan ahead for future expansion, as changing this value "
+"will result in changing all of the ID mappings on the system, leading to "
+"users with different local IDs than they previously had."
+msgstr ""
+"Для майбутнього можливого розширення важливо все спланувати наперед, "
+"оскільки зміна цього значення призведе до зміни усіх прив’язок "
+"ідентифікаторів у системі, отже зміни попередніх локальних ідентифікаторів "
+"користувачів."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:196
+msgid "ldap_idmap_default_domain_sid (string)"
+msgstr "ldap_idmap_default_domain_sid (рядок)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:199
+msgid ""
+"Specify the domain SID of the default domain. This will guarantee that this "
+"domain will always be assigned to slice zero in the ID map, bypassing the "
+"murmurhash algorithm described above."
+msgstr ""
+"Визначає SID типового домену. За допомогою цього параметра можна гарантувати "
+"те, що цей домен буде завжди призначено до нульового зрізу у карті "
+"ідентифікаторів без використання алгоритму murmurhash описаного вище."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:210
+msgid "ldap_idmap_default_domain (string)"
+msgstr "ldap_idmap_default_domain (рядок)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:213
+msgid "Specify the name of the default domain."
+msgstr "Вказати назву типового домену."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:221
+msgid "ldap_idmap_autorid_compat (boolean)"
+msgstr "ldap_idmap_autorid_compat (булеве значення)"
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:224
+msgid ""
+"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
+"winbind's <quote>idmap_autorid</quote> algorithm."
+msgstr ""
+"Змінює поведінку алгоритму встановлення відповідності ідентифікаторів так, "
+"щоб обчислення відбувалися за алгоритмом подібним до алгоритму "
+"<quote>idmap_autorid</quote> winbind."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:229
+msgid ""
+"When this option is configured, domains will be allocated starting with "
+"slice zero and increasing monatomically with each additional domain."
+msgstr ""
+"Якщо встановлено цей параметр, домени призначатимуться, починаючи з "
+"нульового зрізу з поступовим зростанням номерів на кожен додатковий домен."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:234
+msgid ""
+"NOTE: This algorithm is non-deterministic (it depends on the order that "
+"users and groups are requested). If this mode is required for compatibility "
+"with machines running winbind, it is recommended to also use the "
+"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
+"least one domain is consistently allocated to slice zero."
+msgstr ""
+"Зауваження: цей алгоритм є недетерміністичним (залежить від порядку записів "
+"користувачів та груп). Якщо з метою сумісності з системою, у якій запущено "
+"winbind, буде використано цей алгоритм, варто також скористатися параметром "
+"<quote>ldap_idmap_default_domain_sid</quote> з метою гарантування "
+"послідовного призначення принаймні одного домену до нульового зрізу."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
+#: include/ldap_id_mapping.xml:249
+msgid "ldap_idmap_helper_table_size (integer)"
+msgstr "ldap_idmap_helper_table_size (ціле число)"
+
+#.
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:252
+msgid ""
+"Maximal number of secondary slices that is tried when performing mapping "
+"from UNIX id to SID."
+msgstr ""
+"Максимальна кількість вторинних зрізів, яку можна використовувати під час "
+"виконання прив'язки ідентифікатора UNIX до SID."
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: include/ldap_id_mapping.xml:256
+msgid ""
+"Note: Additional secondary slices might be generated when SID is being "
+"mapped to UNIX id and RID part of SID is out of range for secondary slices "
+"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
+"then no additional secondary slices are generated."
+msgstr ""
+"Зауваження: під час прив'язування SID до ідентифікатора UNIX може бути "
+"створено додаткові вторинні зрізи, якщо частини RID SID перебувають поза "
+"межами діапазону вже створених вторинних зрізів. Якщо значенням "
+"ldap_idmap_helper_table_size буде 0, додаткові вторинні зрізи не "
+"створюватимуться."
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ldap_id_mapping.xml:273
+msgid "Well-Known SIDs"
+msgstr "Добре відомі SID"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:275
+msgid ""
+"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a "
+"special hardcoded meaning. Since the generic users and groups related to "
+"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no "
+"POSIX IDs are available for those objects."
+msgstr ""
+"У SSSD передбачено підтримку пошуку назв за добре відомими (Well-Known) SID, "
+"тобто SID із особливим запрограмованим призначенням. Оскільки типові "
+"користувачі і групи, пов’язані із цими добре відомими SID не мають "
+"еквівалентів у середовищі Linux/UNIX, ідентифікаторів POSIX для цих об’єктів "
+"немає."
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:281
+msgid ""
+"The SID name space is organized in authorities which can be seen as "
+"different domains. The authorities for the Well-Known SIDs are"
+msgstr ""
+"Простір назв SID упорядковано службами сертифікації, які виглядають як інші "
+"домени. Службами сертифікації для добре відомих (Well-Known) SID є"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:284
+msgid "Null Authority"
+msgstr "Фіктивна служба сертифікації (Null Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:285
+msgid "World Authority"
+msgstr "Загальна служба сертифікації (World Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:286
+msgid "Local Authority"
+msgstr "Локальна служба сертифікації (Local Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:287
+msgid "Creator Authority"
+msgstr "Авторська служба сертифікації (Creator Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:288
+msgid "NT Authority"
+msgstr "Служба сертифікації NT (NT Authority)"
+
+#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
+#: include/ldap_id_mapping.xml:289
+msgid "Built-in"
+msgstr "Вбудована (Built-in)"
+
+#. type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:291
+msgid ""
+"The capitalized version of these names are used as domain names when "
+"returning the fully qualified name of a Well-Known SID."
+msgstr ""
+"Написані літерами верхнього регістру ці назви буде використано як назви "
+"доменів для повернення повних назв добре відомих (Well-Known) SID."
+
+#.
type: Content of: <refsect1><refsect2><para>
+#: include/ldap_id_mapping.xml:295
+msgid ""
+"Since some utilities allow to modify SID based access control information "
+"with the help of a name instead of using the SID directly SSSD supports to "
+"look up the SID by the name as well. To avoid collisions only the fully "
+"qualified names can be used to look up Well-Known SIDs. As a result the "
+"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
+"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
+"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
+"names in <filename>sssd.conf</filename>."
+msgstr ""
+"Оскільки деякі з програм надають змогу змінювати дані щодо керування "
+"доступом на основі SID за допомогою назви, а не безпосереднього "
+"використання, у SSSD передбачено підтримку пошуку SID за назвою. Щоб "
+"уникнути конфліктів, для пошуку добре відомих (Well-Known) SID приймаються "
+"лише повні назви. Отже, не можна використовувати як назви доменів у "
+"<filename>sssd.conf</filename> такі назви: «NULL AUTHORITY», «WORLD "
+"AUTHORITY», «LOCAL AUTHORITY», «CREATOR AUTHORITY», «NT AUTHORITY» та "
+"«BUILTIN»."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help.xml:3
+msgid "<option>-?</option>,<option>--help</option>"
+msgstr "<option>-?</option>,<option>--help</option>"
+
+#. type: Content of: <varlistentry><listitem><para>
+#: include/param_help.xml:7 include/param_help_py.xml:7
+msgid "Display help message and exit."
+msgstr "Показати довідкове повідомлення і завершити роботу."
+
+#. type: Content of: <varlistentry><term>
+#: include/param_help_py.xml:3
+msgid "<option>-h</option>,<option>--help</option>"
+msgstr "<option>-h</option>,<option>--help</option>"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
+msgid ""
+"SSSD supports two representations for specifying the debug level.
The "
+"simplest is to specify a decimal value from 0-9, which represents enabling "
+"that level and all lower-level debug messages. The more comprehensive option "
+"is to specify a hexadecimal bitmask to enable or disable specific levels "
+"(such as if you wish to suppress a level)."
+msgstr ""
+"У SSSD передбачено два представлення для визначення рівня діагностики. "
+"Найпростішим є визначення десяткового значення у діапазоні 0-9. Кожному "
+"значенню відповідає вмикання відповідного рівня діагностики і усіх нижчих "
+"рівнів. Точніше визначення вмикання або вимикання (якщо це потрібно) "
+"специфічних рівнів можна встановити за допомогою шістнадцяткової бітової "
+"маски."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:10
+msgid ""
+"Please note that each SSSD service logs into its own log file. Also please "
+"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> "
+"section only enables debugging just for the sssd process itself, not for the "
+"responder or provider processes. The <quote>debug_level</quote> parameter "
+"should be added to all sections that you wish to produce debug logs from."
+msgstr ""
+"Будь ласка, зауважте, що кожна служба SSSD веде журнал у власному файлі. "
+"Також зауважте, що вмикання <quote>debug_level</quote> у розділі "
+"<quote>[sssd]</quote> вмикає діагностику лише для самого процесу sssd, а не "
+"для процесів відповідача чи надавача даних. Для отримання діагностичних "
+"повідомлень слід додати параметр «debug_level» до усіх розділів, для яких "
+"слід створювати журнал діагностичних повідомлень."
+
+#.
type: Content of: <listitem><para>
+#: include/debug_levels.xml:18
+msgid ""
+"In addition to changing the log level in the config file using the "
+"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD "
+"restart, it is also possible to change the debug level on the fly using the "
+"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</"
+"manvolnum> </citerefentry> tool."
+msgstr ""
+"Окрім зміни рівня ведення журналу у файлі налаштувань за допомогою параметра "
+"«debug_level», який не змінюється під час роботи, але зміна якого потребує "
+"перезапуску SSSD, можна змінити режим діагностики без перезапуску за "
+"допомогою програми <citerefentry> <refentrytitle>sss_debuglevel</"
+"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
+msgid "Currently supported debug levels:"
+msgstr "Рівні діагностики, передбачені у поточній версії:"
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
+msgid ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
+"Anything that would prevent SSSD from starting up or causes it to cease "
+"running."
+msgstr ""
+"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: критичні помилки з "
+"аварійним завершенням роботи. Всі помилки, які не дають SSSD змоги розпочати "
+"або продовжувати роботу."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
+msgid ""
+"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
+"error that doesn't kill SSSD, but one that indicates that at least one major "
+"feature is not going to work properly."
+msgstr ""
+"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: критичні помилки. "
+"Помилки, які не призводять до аварійного завершення роботи SSSD, але "
+"означають, що одна з основних можливостей не працює належним чином."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
+msgid ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
+"error announcing that a particular request or operation has failed."
+msgstr ""
+"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: серйозні помилки. "
+"Повідомлення про такі помилки означають, що не вдалося виконати певний запит "
+"або дію."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
+msgid ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
+"are the errors that would percolate down to cause the operation failure of 2."
+msgstr ""
+"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: незначні помилки. Це "
+"помилки які можуть призвести до помилок під час виконання дій."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
+msgid ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
+msgstr ""
+"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: параметри налаштування."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
+msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
+msgstr "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: дані функцій."
+
+#. type: Content of: <listitem><para>
+#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
+msgid ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
+"operation functions."
+msgstr ""
+"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: повідомлення трасування "
+"для функцій дій."
+
+#.
type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: повідомлення трасування " +"для функцій внутрішнього трасування." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: вміст внутрішніх " +"змінних функцій, який може бути цікавим." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: дані трасування " +"найнижчого рівня." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" +"Щоб до журналу було записано дані потрібних бітових масок рівнів " +"діагностики, просто додайте відповідні числа, як це показано у наведених " +"нижче прикладах:" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" +"<emphasis>Example</emphasis>: щоб до журналу було записано дані щодо " +"критичних помилок з аварійним завершенням роботи, критичних помилок, " +"серйозних помилок та дані функцій, скористайтеся рівнем діагностики 0x0270." + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" +"<emphasis>Приклад</emphasis>: щоб до журналу було записано критичні помилки " +"з аварійним завершенням роботи, параметри налаштування, дані функцій та " +"повідомлення трасування для функцій внутрішнього керування, скористайтеся " +"рівнем 0x1310." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" +"<emphasis>Зауваження</emphasis>: формат бітових масок для рівнів діагностики " +"впроваджено у версії 1.7.0." + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "<emphasis>Типове значення</emphasis>: 0" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" +"<emphasis> Цю можливість ще не перевірено достатнім чином Будь ласка, якщо " +"помітите якісь вади, повідомте про них за допомогою настанов на сторінці " +"https://pagure.io/SSSD/sssd/. </emphasis>" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "ЛОКАЛЬНИЙ ДОМЕН" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" +"З метою забезпечення належної роботи слід створити домен з " +"<quote>id_provider=local</quote> та запустити SSSD." + +#. 
type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" +"Адміністратор може надати перевагу використанню локальних записів " +"користувачів SSSD замість традиційних записів користувачів UNIX, якщо для " +"роботи потрібна вкладеність груп (див. <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>). Використання локальних записів може також бути корисним для " +"тестування та розробки програмного забезпечення з підтримкою SSSD (у такому " +"разі не потрібно розгортати повноцінний віддалений сервер). Інструменти " +"<command>sss_user*</command> та <command>sss_group*</command> використовують " +"для зберігання записів користувачів і груп локальне сховище даних LDB." + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. 
<citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" +"Додатковий основний DN, область пошуку і фільтр LDAP для обмеження пошуків " +"LDAP цим типом атрибутів." + +#. 
type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "синтаксис: <placeholder type=\"programlisting\" id=\"0\"/>" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" +"Діапазоном може бути одне зі значень, «base» (основа), «onelevel» (окремий " +"рівень) або «subtree» (піддерево). Докладніший опис діапазонів наведено у " +"розділі 4.5.1.2 документа http://tools.ietf.org/html/rfc4511" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" +"Приклади використання цих синтаксичних конструкцій можна знайти у розділі " +"прикладів «ldap_search_base»." + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" +"Будь ласка, зауважте, що підтримки визначення області або фільтра для " +"пошуків на сервері Active Directory не передбачено. Це може призвести до " +"отримання значної кількості результатів і викликати реакцію з боку " +"розширення діапазону отримання (Range Retrieval)." + +#. 
type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" +"Будь ласка, зауважте, що засіб автоматичного монтування читає основну карту " +"лише під час запуску, отже якщо до ssd.conf внесено будь-які пов’язані з " +"autofs зміни, типово слід перезапустити фонову службу автоматичного " +"монтування після перезапуску SSSD." + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "override_homedir (рядок)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "номер UID" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "назва домену" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "%f" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "ім’я користувача повністю (користувач@домен)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "%l" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "Перша літера назви облікового запису." + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "UPN - User Principal Name (ім’я@ОБЛАСТЬ)" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "%o" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "Початкова домашня тека, отримана від служби профілів." + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "%H" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" +"Значення параметра налаштовування <emphasis>homedir_substring</emphasis>." + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" +"Перевизначити домашній каталог користувача. Ви можете вказати абсолютне " +"значення або шаблон. У шаблоні можна використовувати такі замінники: " +"<placeholder type=\"variablelist\" id=\"0\"/>" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" +"override_homedir = /home/%u\n" +" " + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" +"Типове значення: не встановлено (SSSD використовуватиме значення, отримане " +"від LDAP)" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "homedir_substring (рядок)" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" +"Значення цього параметра буде використано під час розгортання параметра " +"<emphasis>override_homedir</emphasis>, якщо у шаблоні міститься рядок " +"форматування <emphasis>%H</emphasis>. Запис каталогу LDAP може безпосередньо " +"містити цей шаблон для розгортання шляху до домашнього каталогу на кожному з " +"клієнтських комп’ютерів (або у кожній з операційних систем). Значення " +"параметра можна вказати окремо для кожного з доменів або на загальному рівні " +"у розділі [nss]. Значення, вказане у розділі домену, має вищий пріоритет за " +"значення, встановлене за допомогою розділу [nss]." + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "Типове значення: /home" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ" + +#. 
type: Content of: <refsect1><para>
+#: include/ad_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and AD provider-specific defaults are listed "
+"below:"
+msgstr ""
+"Деякі типові значення параметрів не збігаються із типовими значеннями "
+"параметрів засобу надання даних. Із назвами відповідних параметрів та "
+"специфічні для засобу надання даних AD значення цих параметрів можна "
+"ознайомитися за допомогою наведеного нижче списку:"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
+msgid "KRB5 Provider"
+msgstr "Модуль надання даних KRB5"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
+msgid "krb5_validate = true"
+msgstr "krb5_validate = true"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:18
+msgid "krb5_use_enterprise_principal = true"
+msgstr "krb5_use_enterprise_principal = true"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ad_modified_defaults.xml:24
+msgid "LDAP Provider"
+msgstr "Модуль надання даних LDAP"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:28
+msgid "ldap_schema = ad"
+msgstr "ldap_schema = ad"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr "ldap_force_upper_case_realm = true"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr "ldap_id_mapping = true"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr "ldap_sasl_mech = gssapi"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr "ldap_referrals = false"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr "ldap_account_expire_policy = ad"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr "ldap_use_tokengroups = true"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+"Деякі типові значення параметрів не збігаються із типовими значеннями "
+"параметрів засобу надання даних. Із назвами відповідних параметрів та "
+"специфічні для засобу надання даних IPA значення цих параметрів можна "
+"ознайомитися за допомогою наведеного нижче списку:"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr "krb5_use_fast = try"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr "krb5_canonicalize = true"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr "Модуль надання даних LDAP — Загальне"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr "ldap_schema = ipa_v1"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr "ldap_sasl_mech = GSSAPI"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr "ldap_sasl_minssf = 56"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr "ldap_account_expire_policy = ipa"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr "Модуль надання даних LDAP — Параметри користувачів"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr "ldap_user_member_of = memberOf"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr "ldap_user_uuid = ipaUniqueID"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr "ldap_user_ssh_public_key = ipaSshPubKey"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr "ldap_user_auth_type = ipaUserAuthType"
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr "Модуль надання даних LDAP — Параметри груп"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr "ldap_group_object_class = ipaUserGroup"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr "ldap_group_object_class_alt = posixGroup"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr "ldap_group_member = member"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr "ldap_group_uuid = ipaUniqueID"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier"
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr "ldap_group_external_member = ipaExternalMember"
+
+#~ msgid ""
+#~ "PLEASE NOTE: the support for non-unique named subpatterns is not "
+#~ "available on all platforms (e.g. RHEL5 and SLES10). Only platforms with "
+#~ "libpcre version 7 or higher can support non-unique named subpatterns."
+#~ msgstr ""
+#~ "Будь ласка, зауважте: підтримку неунікальних назв підшаблонів передбачено "
+#~ "не для всіх платформ (наприклад, нею не можна скористатися у RHEL5 і "
+#~ "SLES10). Підтримкою неунікальних назв підшаблонів можна скористатися лише "
+#~ "на платформах з версією libpcre 7."
+
+#~ msgid ""
+#~ "PLEASE NOTE ALSO: older version of libpcre only support the Python syntax "
+#~ "(?P<name>) to label subpatterns."
+#~ msgstr ""
+#~ "Додаткове зауваження: у застарілих версіях libpcre передбачено підтримку "
+#~ "лише синтаксичних конструкцій Python (?P<name>) для позначення "
+#~ "підшаблонів."
diff --git a/src/man/po/zh_CN.po b/src/man/po/zh_CN.po
new file mode 100644
index 0000000..a9cbd8e
--- /dev/null
+++ b/src/man/po/zh_CN.po
@@ -0,0 +1,15631 @@
+# SOME DESCRIPTIVE TITLE
+# Copyright (C) YEAR Red Hat
+# This file is distributed under the same license as the sssd-docs package.
+#
+# Translators:
+# Christopher Meng <cickumqt@gmail.com>, 2012
+msgid ""
+msgstr ""
+"Project-Id-Version: sssd-docs 1.16.1\n"
+"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
+"POT-Creation-Date: 2018-08-12 13:01+0000\n"
+"PO-Revision-Date: 2014-12-15 12:16+0000\n"
+"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
+"Language-Team: Chinese (China) (http://www.transifex.com/projects/p/sssd/"
+"language/zh_CN/)\n"
+"Language: zh_CN\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Zanata 4.4.5\n"
+
+#. type: Content of: <reference><title>
+#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
+#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
+#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
+#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
+#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
+#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
+#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
+#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
+#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
+#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
+#: sssd-kcm.8.xml:5 sssd-systemtap.5.xml:5
+msgid "SSSD Manual pages"
+msgstr "SSSD 手册页面"
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
+msgid "sss_groupmod"
+msgstr "sss_groupmod"
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
+#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
+#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
+#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
+#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
+#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
+msgid "8"
+msgstr "8"
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_groupmod.8.xml:16
+msgid "modify a group"
+msgstr "变更一个组"
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_groupmod.8.xml:21
+msgid ""
+"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
+"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
+#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
+#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
+#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
+#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
+#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
+#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
+#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
+#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
+#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
+#: sssd-kcm.8.xml:21 sssd-systemtap.5.xml:21
+msgid "DESCRIPTION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_groupmod.8.xml:32
+msgid ""
+"<command>sss_groupmod</command> modifies the group to reflect the changes "
+"that are specified on the command line."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><title>
+#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
+#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
+#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
+#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123
+#: sss_ssh_knownhostsproxy.1.xml:62
+msgid "OPTIONS"
+msgstr "选项"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
+msgid ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:48
+msgid ""
+"Append this group to groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
+"a comma separated list of group names."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
+msgid ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+msgstr ""
+"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_groupmod.8.xml:62
+msgid ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+msgstr ""
+"Remove this group from groups specified by the <replaceable>GROUPS</"
+"replaceable> parameter."
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
+msgid "sssd.conf"
+msgstr "sssd.conf"
+
+#. 
type: Content of: <reference><refentry><refmeta><manvolnum> +#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 +#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 +#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 +#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11 +#: sssd-systemtap.5.xml:11 +msgid "5" +msgstr "5" + +#. type: Content of: <reference><refentry><refmeta><refmiscinfo> +#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 +#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 +#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 +#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12 +#: sssd-kcm.8.xml:12 sssd-systemtap.5.xml:12 +msgid "File Formats and Conventions" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.conf.5.xml:17 +msgid "the configuration file for SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:21 +msgid "FILE FORMAT" +msgstr "文件格式" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:29 +#, no-wrap +msgid "" +"<replaceable>[section]</replaceable>\n" +"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" +"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:24 +msgid "" +"The file has an ini-style syntax and consists of sections and parameters. A " +"section begins with the name of the section in square brackets and continues " +"until the next section begins. An example of section with single and multi-" +"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:36
+msgid ""
+"The data types used are string (no quotes needed), integer and bool (with "
+"values of <quote>TRUE/FALSE</quote>)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:41
+msgid ""
+"A comment line starts with a hash sign (<quote>#</quote>) or a semicolon "
+"(<quote>;</quote>). Inline comments are not supported."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:47
+msgid ""
+"All sections can have an optional <replaceable>description</replaceable> "
+"parameter. Its function is only as a label for the section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:53
+msgid ""
+"<filename>sssd.conf</filename> must be a regular file, owned by root and "
+"only root may read from or write to the file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:59
+msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:62
+msgid ""
+"The configuration file <filename>sssd.conf</filename> will include "
+"configuration snippets using the include directory <filename>conf.d</"
+"filename>. This feature is available if SSSD was compiled with libini "
+"version 1.3.0 or later."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:69
+msgid ""
+"Any file placed in <filename>conf.d</filename> that ends in "
+"<quote><filename>.conf</filename></quote> and does not begin with a dot "
+"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
+"to configure SSSD."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:77
+msgid ""
+"The configuration snippets from <filename>conf.d</filename> have higher "
+"priority than <filename>sssd.conf</filename> and will override "
+"<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
+"present in <filename>conf.d</filename>, then they are included in "
+"alphabetical order (based on locale). Files included later have higher "
+"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, "
+"<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
+"(higher number means higher priority)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:91
+msgid ""
+"The snippet files require the same owner and permissions as <filename>sssd."
+"conf</filename>. Which are by default root:root and 0600."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:98
+msgid "GENERAL OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:100
+msgid "Following options are usable in more than one configuration sections."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:104
+msgid "Options usable in all sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:108
+msgid "debug_level (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:112
+msgid "debug (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:115
+msgid ""
+"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
+"for <replaceable>debug_level</replaceable> as a convenience feature. 
If both "
+"are specified, the value of <replaceable>debug_level</replaceable> will be "
+"used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:125
+msgid "debug_timestamps (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:128
+msgid ""
+"Add a timestamp to the debug messages. If journald is enabled for SSSD "
+"debug logging this option is ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:839
+#: sssd.conf.5.xml:1491 sssd.conf.5.xml:1521 sssd-ldap.5.xml:1851
+#: sssd-ldap.5.xml:1948 sssd-ldap.5.xml:2010 sssd-ldap.5.xml:2576
+#: sssd-ldap.5.xml:2641 sssd-ldap.5.xml:2659 sssd-ad.5.xml:227
+#: sssd-ad.5.xml:341 sssd-ad.5.xml:885 sssd-krb5.5.xml:499
+#: sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
+msgid "Default: true"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:138
+msgid "debug_microseconds (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:141
+msgid ""
+"Add microseconds to the timestamp in debug messages. If journald is enabled "
+"for SSSD debug logging this option is ignored."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:722
+#: sssd.conf.5.xml:1424 sssd.conf.5.xml:2980 sssd-ldap.5.xml:708
+#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1920
+#: sssd-ldap.5.xml:2346 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
+#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
+#: sssd-krb5.5.xml:471
+msgid "Default: false"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2384
+#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
+#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
+msgid "<placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:155
+msgid "Options usable in SERVICE and DOMAIN sections"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:159
+msgid "timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:162
+msgid ""
+"Timeout in seconds between heartbeats for this service. This is used to "
+"ensure that the process is alive and capable of answering requests. Note "
+"that after three missed heartbeats the process will terminate itself."
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:169 sssd.conf.5.xml:1376 sssd.conf.5.xml:2996
+#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264
+msgid "Default: 10"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:179
+msgid "SPECIAL SECTIONS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:182
+msgid "The [sssd] section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sssd.conf.5.xml:191 sssd.conf.5.xml:3085
+msgid "Section parameters"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:193
+msgid "config_file_version (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:196
+msgid ""
+"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
+"version 2."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:202
+msgid "services"
+msgstr "服务"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:205
+msgid ""
+"Comma separated list of services that are started when sssd itself starts. "
+"<phrase condition=\"have_systemd\"> The services' list is optional on "
+"platforms where systemd is supported, as they will either be socket or D-Bus "
+"activated when needed. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:214
+msgid ""
+"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
+"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
+"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
+"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:222
+msgid ""
+"<phrase condition=\"have_systemd\"> By default, all services are disabled "
+"and the administrator must enable the ones allowed to be used by executing: "
+"\"systemctl enable sssd-@service@.socket\". </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:231 sssd.conf.5.xml:614
+msgid "reconnection_retries (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:234 sssd.conf.5.xml:617
+msgid ""
+"Number of times services should attempt to reconnect in the event of a Data "
+"Provider crash or restart before they give up"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:239 sssd.conf.5.xml:622
+msgid "Default: 3"
+msgstr "默认: 3"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:244
+msgid "domains"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:247
+msgid ""
+"A domain is a database containing user information. SSSD can use more "
+"domains at the same time, but at least one must be configured or SSSD won't "
+"start. This parameter describes the list of domains in the order you want "
+"them to be queried. A domain name should only consist of alphanumeric ASCII "
+"characters, dashes, dots and underscores."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:259 sssd.conf.5.xml:2597
+msgid "re_expression (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:262
+msgid ""
+"Default regular expression that describes how to parse the string containing "
+"user name and domain into these components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:267
+msgid ""
+"Each domain can have an individual regular expression configured. For some "
+"ID providers there are also default regular expressions. See DOMAIN SECTIONS "
+"for more info on these regular expressions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:276 sssd.conf.5.xml:2645
+msgid "full_name_format (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:279 sssd.conf.5.xml:2648
+msgid ""
+"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry>-compatible format that describes how to compose a "
+"fully qualified name from user name and domain name components."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:290 sssd.conf.5.xml:2659
+msgid "%1$s"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:291 sssd.conf.5.xml:2660
+msgid "user name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:294 sssd.conf.5.xml:2663
+msgid "%2$s"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:297 sssd.conf.5.xml:2666
+msgid "domain name as specified in the SSSD config file."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:303 sssd.conf.5.xml:2672
+msgid "%3$s"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:306 sssd.conf.5.xml:2675
+msgid ""
+"domain flat name. Mostly usable for Active Directory domains, both directly "
+"configured or discovered via IPA trusts."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:287 sssd.conf.5.xml:2656
+msgid ""
+"The following expansions are supported: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:316
+msgid ""
+"Each domain can have an individual format string configured. see DOMAIN "
+"SECTIONS for more info on this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:322
+msgid "try_inotify (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:325
+msgid ""
+"SSSD monitors the state of resolv.conf to identify when it needs to update "
+"its internal DNS resolver. By default, we will attempt to use inotify for "
+"this, and will fall back to polling resolv.conf every five seconds if "
+"inotify cannot be used."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:333
+msgid ""
+"There are some limited situations where it is preferred that we should skip "
+"even trying to use inotify. In these rare cases, this option should be set "
+"to 'false'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:339
+msgid ""
+"Default: true on platforms where inotify is supported. False on other "
+"platforms."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:343
+msgid ""
+"Note: this option will have no effect on platforms where inotify is "
+"unavailable. On these platforms, polling will always be used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:350
+msgid "krb5_rcache_dir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:353
+msgid ""
+"Directory on the filesystem where SSSD should store Kerberos replay cache "
+"files."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:357
+msgid ""
+"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
+"SSSD to let libkrb5 decide the appropriate location for the replay cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:363
+msgid ""
+"Default: Distribution-specific and specified at build-time. "
+"(__LIBKRB5_DEFAULTS__ if not configured)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:370
+msgid "user (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:373
+msgid ""
+"The user to drop the privileges to where appropriate to avoid running as the "
+"root user. <phrase condition=\"have_systemd\"> This option does not work "
+"when running socket-activated services, as the user set up to run the "
+"processes is set up during compilation time. The way to override the "
+"systemd unit files is by creating the appropriate files in /etc/systemd/"
+"system/. Keep in mind that any change in the socket user, group or "
+"permissions may result in a non-usable SSSD. The same may occur in case of "
+"changes of the user running the NSS responder. </phrase>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:391
+msgid "Default: not set, process will run as root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:396
+msgid "default_domain_suffix (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:399
+msgid ""
+"This string will be used as a default domain name for all names without a "
+"domain name component. The main use case is environments where the primary "
+"domain is intended for managing host policies and all users are located in a "
+"trusted domain. The option allows those users to log in just with their "
+"user name without giving a domain name as well."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:409 +msgid "" +"Please note that if this option is set all users from the primary domain " +"have to use their fully qualified name, e.g. user@domain.name, to log in. " +"Setting this option changes default of use_fully_qualified_names to True. It " +"is not allowed to use this option together with use_fully_qualified_names " +"set to False." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:418 sssd.conf.5.xml:1165 sssd-ldap.5.xml:679 +#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685 +#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:690 sssd-ad.5.xml:765 sssd.8.xml:126 +#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339 +#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404 +#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205 +#: include/ldap_id_mapping.xml:216 +msgid "Default: not set" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:423 +msgid "override_space (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:426 +msgid "" +"This parameter will replace spaces (space bar) with the given character for " +"user and group names. e.g. (_). User name "john doe" will be " +""john_doe" This feature was added to help compatibility with shell " +"scripts that have difficulty handling spaces, due to the default field " +"separator in the shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:435 +msgid "" +"Please note it is a configuration error to use a replacement character that " +"might be used in user or group names. 
If a name contains the replacement "
+"character SSSD tries to return the unmodified name but in general the result "
+"of a lookup is undefined."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:443
+msgid "Default: not set (spaces will not be replaced)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:448
+msgid "certificate_verification (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:456
+msgid "no_ocsp"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:458
+msgid ""
+"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
+"needed if the OCSP servers defined in the certificate are not reachable from "
+"the client."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:466
+msgid "no_verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:468
+msgid ""
+"Disables verification completely. This option should only be used for "
+"testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:474
+msgid "ocsp_default_responder=URL"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:476
+msgid ""
+"Sets the OCSP default responder which should be used instead of the one "
+"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
+"default responder e.g. http://example.com:80/ocsp."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:482
+msgid ""
+"This option must be used together with ocsp_default_responder_signing_cert."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:490
+msgid "ocsp_default_responder_signing_cert=NAME"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:492
+msgid ""
+"The nickname of the cert to trust (expected) to sign the OCSP responses. "
+"The certificate with the given nickname must be available in the systems NSS "
+"database."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:497
+msgid "This option must be used together with ocsp_default_responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:451
+msgid ""
+"With this parameter the certificate verification can be tuned with a comma "
+"separated list of options. Supported options are: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:504
+msgid "Unknown options are reported but ignored."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:507
+msgid "Default: not set, i.e. do not restrict certificate verification"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:513
+msgid "disable_netlink (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:516
+msgid ""
+"SSSD hooks into the netlink interface to monitor changes to routes, "
+"addresses, links and trigger certain actions."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:521
+msgid ""
+"The SSSD state changes caused by netlink events may be undesirable and can "
+"be disabled by setting this option to 'true'"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:526
+msgid "Default: false (netlink changes are detected)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:531
+msgid "enable_files_domain (boolean)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:534
+msgid ""
+"When this option is enabled, SSSD prepends an implicit domain with "
+"<quote>id_provider=files</quote> before any explicitly configured domains."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:548
+msgid "domain_resolution_order"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:551
+msgid ""
+"Comma separated list of domains and subdomains representing the lookup order "
+"that will be followed. The list doesn't have to include all possible "
+"domains as the missing domains will be looked up based on the order they're "
+"presented in the <quote>domains</quote> configuration option. The "
+"subdomains which are not listed as part of <quote>lookup_order</quote> will "
+"be looked up in a random order for each parent domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:563
+msgid ""
+"Please, note that when this option is set the output format of all commands "
+"is always fully-qualified even when using short names for input, for all "
+"users but the ones managed by the files provider. In case the administrator "
+"wants the output not fully-qualified, the full_name_format option can be "
+"used as shown below: <quote>full_name_format=%1$s</quote> However, keep in "
+"mind that during login, login applications often canonicalize the username "
+"by calling <citerefentry> <refentrytitle>getpwnam</refentrytitle> "
+"<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned "
+"for a qualified input (while trying to reach a user which exists in multiple "
+"domains) might re-route the login attempt into the domain which uses "
+"shortnames, making this workaround totally not recommended in cases where "
+"usernames may overlap between domains."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:588 sssd.conf.5.xml:1388 sssd.conf.5.xml:3046
+#: sssd-ad.5.xml:164 sssd-ad.5.xml:302 sssd-ad.5.xml:316
+msgid "Default: Not set"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:184
+msgid ""
+"Individual pieces of SSSD functionality are provided by special SSSD "
+"services that are started and stopped together with SSSD. The services are "
+"managed by a special service frequently called <quote>monitor</quote>. The "
+"<quote>[sssd]</quote> section is used to configure the monitor as well as "
+"some other important options like the identity domains. <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd.conf.5.xml:599
+msgid "SERVICES SECTIONS"
+msgstr "服务部分"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd.conf.5.xml:601
+msgid ""
+"Settings that can be used to configure different services are described in "
+"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
+"section, for example, for NSS service, the section would be <quote>[nss]</"
+"quote>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:608
+msgid "General service configuration options"
+msgstr "基本服务配置选项"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:610
+msgid "These options can be used to configure any service."
+msgstr "这些选项可被用于配置任何服务。"
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:627
+msgid "fd_limit"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:630
+msgid ""
+"This option specifies the maximum number of file descriptors that may be "
+"opened at one time by this SSSD process. On systems where SSSD is granted "
+"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
+"systems without this capability, the resulting value will be the lower value "
+"of this or the limits.conf \"hard\" limit."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:639
+msgid "Default: 8192 (or limits.conf \"hard\" limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:644
+msgid "client_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:647
+msgid ""
+"This option specifies the number of seconds that a client of an SSSD process "
+"can hold onto a file descriptor without communicating on it. This value is "
+"limited in order to avoid resource exhaustion on the system. The timeout "
+"can't be shorter than 10 seconds. If a lower value is configured, it will be "
+"adjusted to 10 seconds."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:656 sssd.conf.5.xml:688 sssd.conf.5.xml:970
+#: sssd.conf.5.xml:1231 sssd-ldap.5.xml:1412
+msgid "Default: 60"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:661
+msgid "offline_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:664
+msgid ""
+"When SSSD switches to offline mode the amount of time before it tries to go "
+"back online will increase based upon the time spent disconnected. This "
+"value is in seconds and calculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:671
+msgid "offline_timeout + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:674
+msgid ""
+"The random offset can increment up to 30 seconds. After each unsuccessful "
+"attempt to go online, the new interval is recalculated by the following:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:679
+msgid "new_interval = old_interval*2 + random_offset"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:682
+msgid ""
+"Note that the maximum length of each interval is currently limited to one "
+"hour. If the calculated length of new_interval is greater than an hour, it "
+"will be forced to one hour."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:693
+msgid "responder_idle_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:696
+msgid ""
+"This option specifies the number of seconds that an SSSD responder process "
+"can be up without being used. This value is limited in order to avoid "
+"resource exhaustion on the system. The minimum acceptable value for this "
+"option is 60 seconds. 
Setting this option to 0 (zero) means that no timeout "
+"will be set up to the responder. This option only has effect when SSSD is "
+"built with systemd support and when services are either socket or D-Bus "
+"activated."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:710 sssd.conf.5.xml:983 sssd.conf.5.xml:1616
+#: sssd-ldap.5.xml:722
+msgid "Default: 300"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:715
+msgid "cache_first"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:718
+msgid ""
+"This option specifies whether the responder should query all caches before "
+"querying the Data Providers."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:730
+msgid "NSS configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:732
+msgid ""
+"These options can be used to configure the Name Service Switch (NSS) service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:737
+msgid "enum_cache_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:740
+msgid ""
+"How many seconds should nss_sss cache enumerations (requests for info about "
+"all users)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:744
+msgid "Default: 120"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:749
+msgid "entry_cache_nowait_percentage (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:752
+msgid ""
+"The entry cache can be set to automatically update entries in the background "
+"if they are requested beyond a percentage of the entry_cache_timeout value "
+"for the domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:758
+msgid ""
+"For example, if the domain's entry_cache_timeout is set to 30s and "
+"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
+"after 15 seconds past the last cache update will be returned immediately, "
+"but the SSSD will go and update the cache on its own, so that future "
+"requests will not need to block waiting for a cache update."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:768
+msgid ""
+"Valid values for this option are 0-99 and represent a percentage of the "
+"entry_cache_timeout for each domain. For performance reasons, this "
+"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
+"disables this feature)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:776 sssd.conf.5.xml:1445
+msgid "Default: 50"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:781
+msgid "entry_negative_timeout (integer)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:784
+msgid ""
+"Specifies for how many seconds nss_sss should cache negative cache hits "
+"(that is, queries for invalid database entries, like nonexistent ones) "
+"before asking the back end again."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:790 sssd.conf.5.xml:1469
+msgid "Default: 15"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:795
+msgid "local_negative_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:798
+msgid ""
+"Specifies for how many seconds nss_sss should keep local users and groups in "
+"negative cache before trying to look it up in the back end again. Setting "
+"the option to 0 disables this feature."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:804
+msgid "Default: 14400 (4 hours)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:809
+msgid "filter_users, filter_groups (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:812
+msgid ""
+"Exclude certain users or groups from being fetched from the sss NSS "
+"database. This is particularly useful for system accounts. This option can "
+"also be set per-domain or include fully-qualified names to filter only users "
+"from the particular domain."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:819
+msgid ""
+"NOTE: The filter_groups option doesn't affect inheritance of nested group "
+"members, since filtering happens after they are propagated for returning via "
+"NSS. E.g. a group having a member group filtered out will still have the "
+"member users of the latter listed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:827
+msgid "Default: root"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:832
+msgid "filter_users_in_groups (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:835
+msgid ""
+"If you want filtered user still be group members set this option to false."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:846
+msgid "fallback_homedir (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:849
+msgid ""
+"Set a default template for a user's home directory if one is not specified "
+"explicitly by the domain's data provider."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:854
+msgid ""
+"The available values for this option are the same as for override_homedir."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd.conf.5.xml:860
+#, no-wrap
+msgid ""
+"fallback_homedir = /home/%u\n"
+" "
+msgstr ""
+
+#. 
type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:858 sssd.conf.5.xml:1298 sssd.conf.5.xml:1317
+#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
+msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:864
+msgid "Default: not set (no substitution for unset home directories)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:870
+msgid "override_shell (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:873
+msgid ""
+"Override the login shell for all users. This option supersedes any other "
+"shell options if it takes effect and can be set either in the [nss] section "
+"or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:879
+msgid "Default: not set (SSSD will use the value retrieved from LDAP)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:885
+msgid "allowed_shells (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:888
+msgid ""
+"Restrict user shell to one of the listed values. The order of evaluation is:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:891
+msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:895
+msgid ""
+"2. 
If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
+"quote>, use the value of the shell_fallback parameter."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:900
+msgid ""
+"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
+"shells</quote>, a nologin shell is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:905
+msgid "The wildcard (*) can be used to allow any shell."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:908
+msgid ""
+"The (*) is useful if you want to use shell_fallback in case that user's "
+"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
+"allowed shells in allowed_shells would be to much overhead."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:915
+msgid "An empty string for shell is passed as-is to libc."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:918
+msgid ""
+"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
+"that a restart of the SSSD is required in case a new shell is installed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:922
+msgid "Default: Not set. The user shell is automatically used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:927
+msgid "vetoed_shells (string)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:930
+msgid "Replace any instance of these shells with the shell_fallback"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:935
+msgid "shell_fallback (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:938
+msgid ""
+"The default shell to use if an allowed shell is not installed on the machine."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:942
+msgid "Default: /bin/sh"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:947
+msgid "default_shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:950
+msgid ""
+"The default shell to use if the provider does not return one during lookup. "
+"This option can be specified globally in the [nss] section or per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:956
+msgid ""
+"Default: not set (Return NULL if no shell is specified and rely on libc to "
+"substitute something sensible when necessary, usually /bin/sh)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:963 sssd.conf.5.xml:1224
+msgid "get_domains_timeout (int)"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:966 sssd.conf.5.xml:1227
+msgid ""
+"Specifies time in seconds for which the list of subdomains will be "
+"considered valid."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:975
+msgid "memcache_timeout (int)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:978
+msgid ""
+"Specifies time in seconds for which records in the in-memory cache will be "
+"valid. Setting this option to zero will disable the in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:986
+msgid ""
+"WARNING: Disabling the in-memory cache will have significant negative impact "
+"on SSSD's performance and should only be used for testing."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:992
+msgid ""
+"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
+"client applications will not use the fast in-memory cache."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1000 sssd-ifp.5.xml:74
+msgid "user_attributes (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1003
+msgid ""
+"Some of the additional NSS responder requests can return more attributes "
+"than just the POSIX ones defined by the NSS interface. The list of "
+"attributes is controlled by this option. 
It is handled the same way as the "
+"<quote>user_attributes</quote> option of the InfoPipe responder (see "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> for details) but with no default values."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1016
+msgid ""
+"To make configuration more easy the NSS responder will check the InfoPipe "
+"option if it is not set for the NSS responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1021
+msgid "Default: not set, fallback to InfoPipe option"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1026
+msgid "pwfield (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1029
+msgid ""
+"The value that NSS operations that return users or groups will return for "
+"the <quote>password</quote> field."
+msgstr ""
+
+#. type: Content of: <varlistentry><listitem><para>
+#: sssd.conf.5.xml:1034 include/override_homedir.xml:56
+msgid "This option can also be set per-domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1037
+msgid ""
+"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
+"domain)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sssd.conf.5.xml:1045
+msgid "PAM configuration options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sssd.conf.5.xml:1047
+msgid ""
+"These options can be used to configure the Pluggable Authentication Module "
+"(PAM) service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1052
+msgid "offline_credentials_expiration (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1055
+msgid ""
+"If the authentication provider is offline, how long should we allow cached "
+"logins (in days since the last successful online login)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1060 sssd.conf.5.xml:1073
+msgid "Default: 0 (No limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1066
+msgid "offline_failed_login_attempts (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1069
+msgid ""
+"If the authentication provider is offline, how many failed login attempts "
+"are allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1079
+msgid "offline_failed_login_delay (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1082
+msgid ""
+"The time in minutes which has to pass after offline_failed_login_attempts "
+"has been reached before a new login attempt is possible."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1087
+msgid ""
+"If set to 0 the user cannot authenticate offline if "
+"offline_failed_login_attempts has been reached. Only a successful online "
+"authentication can enable offline authentication again."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1093 sssd.conf.5.xml:1191
+msgid "Default: 5"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1099
+msgid "pam_verbosity (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1102
+msgid ""
+"Controls what kind of messages are shown to the user during authentication. "
+"The higher the number to more messages are displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1107
+msgid "Currently sssd supports the following values:"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1110
+msgid "<emphasis>0</emphasis>: do not show any message"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1113
+msgid "<emphasis>1</emphasis>: show only important messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1117
+msgid "<emphasis>2</emphasis>: show informational messages"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1120
+msgid "<emphasis>3</emphasis>: show all messages and debug information"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1124 sssd.8.xml:63
+msgid "Default: 1"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1130
+msgid "pam_response_filter (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1133
+msgid ""
+"A comma separated list of strings which allows to remove (filter) data sent "
+"by the PAM responder to pam_sss PAM module. There are different kind of "
+"responses sent to pam_sss e.g. messages displayed to the user or environment "
+"variables which should be set by pam_sss."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1141
+msgid ""
+"While messages already can be controlled with the help of the pam_verbosity "
+"option this option allows to filter out other kind of responses as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1148
+msgid "ENV"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1149
+msgid "Do not send any environment variables to any service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1152
+msgid "ENV:var_name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1153
+msgid "Do not send environment variable var_name to any service."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1157
+msgid "ENV:var_name:service"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1158
+msgid "Do not send environment variable var_name to service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1146
+msgid ""
+"Currently the following filters are supported: <placeholder type="
+"\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1168
+msgid "Example: ENV:KRB5CCNAME:sudo-i"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1174
+msgid "pam_id_timeout (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1177
+msgid ""
+"For any PAM request while SSSD is online, the SSSD will attempt to "
+"immediately update the cached identity information for the user in order to "
+"ensure that authentication takes place with the latest information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1183
+msgid ""
+"A complete PAM conversation may perform multiple PAM requests, such as "
+"account management and session opening. This option controls (on a per-"
+"client-application basis) how long (in seconds) we can cache the identity "
+"information to avoid excessive round-trips to the identity provider."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1197
+msgid "pam_pwd_expiration_warning (integer)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1200 sssd.conf.5.xml:2078
+msgid "Display a warning N days before the password expires."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1203
+msgid ""
+"Please note that the backend server has to provide information about the "
+"expiration time of the password. If this information is missing, sssd "
+"cannot display a warning."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1209 sssd.conf.5.xml:2081
+msgid ""
+"If zero is set, then this filter is not applied, i.e. if the expiration "
+"warning was received from backend server, it will automatically be displayed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1214
+msgid ""
+"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
+"emphasis> for a particular domain."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1219 sssd.conf.5.xml:2901 sssd.8.xml:79
+msgid "Default: 0"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sssd.conf.5.xml:1236
+msgid "pam_trusted_users (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sssd.conf.5.xml:1239
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to run PAM conversations against trusted domains. 
Users not " +"included in this list can only access domains marked as public with " +"<quote>pam_public_domains</quote>. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1249 +msgid "Default: All users are considered trusted by default" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1253 +msgid "" +"Please note that UID 0 is always allowed to access the PAM responder even in " +"case it is not in the pam_trusted_users list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1260 +msgid "pam_public_domains (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1263 +msgid "" +"Specifies the comma-separated list of domain names that are accessible even " +"to untrusted users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1267 +msgid "Two special values for pam_public_domains option are defined:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1271 +msgid "" +"all (Untrusted users are allowed to access all domains in PAM responder.)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1275 +msgid "" +"none (Untrusted users are not allowed to access any domains PAM in " +"responder.)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1279 sssd.conf.5.xml:1304 sssd.conf.5.xml:1323 +#: sssd.conf.5.xml:1875 sssd.conf.5.xml:2837 sssd-ldap.5.xml:1979 +msgid "Default: none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1284 +msgid "pam_account_expired_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1287 +msgid "" +"Allows a custom expiration message to be set, replacing the default " +"'Permission denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1292 +msgid "" +"Note: Please be aware that message is only printed for the SSH service " +"unless pam_verbosity is set to 3 (show all messages and debug information)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1300 +#, no-wrap +msgid "" +"pam_account_expired_message = Account expired, please contact help desk.\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1309 +msgid "pam_account_locked_message (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1312 +msgid "" +"Allows a custom lockout message to be set, replacing the default 'Permission " +"denied' message." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:1319 +#, no-wrap +msgid "" +"pam_account_locked_message = Account locked, please contact help desk.\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1328 +msgid "pam_cert_auth (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1331 +msgid "" +"Enable certificate based Smartcard authentication. Since this requires " +"additional communication with the Smartcard which will delay the " +"authentication process this option is disabled by default." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1337 sssd.conf.5.xml:2930 sssd-ldap.5.xml:1087 +#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535 +#: sssd-ldap.5.xml:2052 include/ldap_id_mapping.xml:244 +msgid "Default: False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1342 +msgid "pam_cert_db_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1345 +msgid "" +"The path to the certificate database which contain the PKCS#11 modules to " +"access the Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1349 sssd.conf.5.xml:1534 +#, fuzzy +#| msgid "Default: 3" +msgid "Default:" +msgstr "默认: 3" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1351 sssd.conf.5.xml:1536 +msgid "/etc/pki/nssdb (NSS version, path to a NSS database)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1354 sssd.conf.5.xml:1539 +msgid "" +"/etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with " +"trusted CA certificates in PEM format)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1361 sssd.conf.5.xml:1546 +msgid "This man page was generated for the NSS version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1364 sssd.conf.5.xml:1549 +msgid "This man page was generated for the OpenSSL version." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1369 +msgid "p11_child_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1372 +msgid "How many seconds will pam_sss wait for p11_child to finish." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1381 +msgid "pam_app_services (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1384 +msgid "" +"Which PAM services are permitted to contact domains of type " +"<quote>application</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1397 +msgid "SUDO configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1399 +msgid "" +"These options can be used to configure the sudo service. 
The detailed " +"instructions for configuration of <citerefentry> <refentrytitle>sudo</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" +"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1416 +msgid "sudo_timed (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1419 +msgid "" +"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " +"that implement time-dependent sudoers entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1431 +msgid "sudo_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1434 +msgid "" +"Maximum number of expired rules that can be refreshed at once. If number of " +"expired rules is below threshold, those rules are refreshed with " +"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " +"<quote>full refresh</quote> of sudo rules is triggered instead. This " +"threshold number also applies to IPA sudo command and command group searches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1453 +msgid "AUTOFS configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1455 +msgid "These options can be used to configure the autofs service." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1459 +msgid "autofs_negative_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1462 +msgid "" +"Specifies for how many seconds should the autofs responder negative cache " +"hits (that is, queries for invalid map entries, like nonexistent ones) " +"before asking the back end again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1478 +msgid "SSH configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1480 +msgid "These options can be used to configure the SSH service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1484 +msgid "ssh_hash_known_hosts (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1487 +msgid "" +"Whether or not to hash host names and addresses in the managed known_hosts " +"file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1496 +msgid "ssh_known_hosts_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1499 +msgid "" +"How many seconds to keep a host in the managed known_hosts file after its " +"host keys were requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1503 +msgid "Default: 180" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1508 +msgid "ssh_use_certificate_keys (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1511 +msgid "" +"If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " +"keys derived from the public key of X.509 certificates stored in the user " +"entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1526 +msgid "ca_db (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1529 +msgid "" +"Path to a storage of trusted CA certificates. The option is used to validate " +"user certificates before deriving public ssh keys from them." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1557 +msgid "PAC responder configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1559 +msgid "" +"The PAC responder works together with the authorization data plugin for MIT " +"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " +"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " +"provider collects domain SID and ID ranges of the domain the client is " +"joined to and of remote trusted domains from the local domain controller. If " +"the PAC is decoded and evaluated some of the following operations are done:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1568 +msgid "" +"If the remote user does not exist in the cache, it is created. The UID is " +"determined with the help of the SID, trusted domains will have UPGs and the " +"GID will have the same value as the UID. The home directory is set based on " +"the subdomain_homedir parameter. The shell will be empty by default, i.e. " +"the system defaults are used, but can be overwritten with the default_shell " +"parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:1576 +msgid "" +"If there are SIDs of groups from domains sssd knows about, the user will be " +"added to those groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1582 +msgid "These options can be used to configure the PAC responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1586 sssd-ifp.5.xml:50 +msgid "allowed_uids (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1589 +msgid "" +"Specifies the comma-separated list of UID values or user names that are " +"allowed to access the PAC responder. User names are resolved to UIDs at " +"startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1595 +msgid "Default: 0 (only the root user is allowed to access the PAC responder)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1599 +msgid "" +"Please note that although the UID 0 is used as the default it will be " +"overwritten with this option. 
If you still want to allow the root user to " +"access the PAC responder, which would be the typical case, you have to add 0 " +"to the list of allowed UIDs as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1608 +msgid "pac_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1611 +msgid "" +"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " +"data can be used to determine the group memberships of a user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:1624 +msgid "Session recording configuration options" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1626 +msgid "" +"Session recording works in conjunction with <citerefentry> " +"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>, a part of tlog package, to log what users see and type when " +"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" +"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:1639 +msgid "These options can be used to configure session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1643 sssd-session-recording.5.xml:64 +msgid "scope (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1650 sssd-session-recording.5.xml:71 +msgid "\"none\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1653 sssd-session-recording.5.xml:74 +msgid "No users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:79 +msgid "\"some\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1661 sssd-session-recording.5.xml:82 +msgid "" +"Users/groups specified by <replaceable>users</replaceable> and " +"<replaceable>groups</replaceable> options are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1670 sssd-session-recording.5.xml:91 +msgid "\"all\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1673 sssd-session-recording.5.xml:94 +msgid "All users are recorded." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1646 sssd-session-recording.5.xml:67 +msgid "" +"One of the following strings specifying the scope of session recording: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1680 sssd-session-recording.5.xml:101 +msgid "Default: \"none\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1685 sssd-session-recording.5.xml:106 +msgid "users (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1688 sssd-session-recording.5.xml:109 +msgid "" +"A comma-separated list of users which should have session recording enabled. " +"Matches user names as returned by NSS. I.e. after the possible space " +"replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1694 sssd-session-recording.5.xml:115 +msgid "Default: Empty. Matches no users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1699 sssd-session-recording.5.xml:120 +msgid "groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1702 sssd-session-recording.5.xml:123 +msgid "" +"A comma-separated list of groups, members of which should have session " +"recording enabled. Matches group names as returned by NSS. I.e. after the " +"possible space replacement, case changes, etc." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1708 sssd-session-recording.5.xml:129 +msgid "" +"NOTE: using this option (having it set to anything) has a considerable " +"performance cost, because each uncached request for a user requires " +"retrieving and matching the groups the user is member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1715 sssd-session-recording.5.xml:136 +msgid "Default: Empty. Matches no groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:1725 +msgid "DOMAIN SECTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1732 +msgid "domain_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1735 +msgid "" +"Specifies whether the domain is meant to be used by POSIX-aware clients such " +"as the Name Service Switch or by applications that do not need POSIX data to " +"be present or generated. Only objects from POSIX domains are available to " +"the operating system interfaces and utilities." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1743 +msgid "" +"Allowed values for this option are <quote>posix</quote> and " +"<quote>application</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1747 +msgid "" +"POSIX domains are reachable by all services. Application domains are only " +"reachable from the InfoPipe responder (see <citerefentry> " +"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>) and the PAM responder." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1755 +msgid "" +"NOTE: The application domains are currently well tested with " +"<quote>id_provider=ldap</quote> only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1759 +msgid "" +"For an easy way to configure a non-POSIX domains, please see the " +"<quote>Application domains</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1763 +msgid "Default: posix" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1769 +msgid "min_id,max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1772 +msgid "" +"UID and GID limits for the domain. If a domain contains an entry that is " +"outside these limits, it is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1777 +msgid "" +"For users, this affects the primary GID limit. The user will not be returned " +"to NSS if either the UID or the primary GID is outside the range. For non-" +"primary group memberships, those that are in range will be reported as " +"expected." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1784 +msgid "" +"These ID limits affect even saving entries to cache, not only returning them " +"by name or ID." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1788 +msgid "Default: 1 for min_id, 0 (no limit) for max_id" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1794 +msgid "enumerate (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1797 +msgid "" +"Determines if a domain can be enumerated, that is, whether the domain can " +"list all the users and group it contains. Note that it is not required to " +"enable enumeration in order for secondary groups to be displayed. This " +"parameter can have one of the following values:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1805 +msgid "TRUE = Users and groups are enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1808 +msgid "FALSE = No enumerations for this domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1811 sssd.conf.5.xml:2033 sssd.conf.5.xml:2208 +msgid "Default: FALSE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1814 +msgid "" +"Enumerating a domain requires SSSD to download and store ALL user and group " +"entries from the remote server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1819 +msgid "" +"Note: Enabling enumeration has a moderate performance impact on SSSD while " +"enumeration is running. It may take up to several minutes after SSSD startup " +"to fully complete enumerations. During this time, individual requests for " +"information will go directly to LDAP, though it may be slow, due to the " +"heavy enumeration processing. Saving a large number of entries to cache " +"after the enumeration completes might also be CPU intensive as the " +"memberships have to be recomputed. This can lead to the <quote>sssd_be</" +"quote> process becoming unresponsive or even restarted by the internal " +"watchdog." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1834 +msgid "" +"While the first enumeration is running, requests for the complete user or " +"group lists may return no results until it completes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1839 +msgid "" +"Further, enabling enumeration may increase the time necessary to detect " +"network disconnection, as longer timeouts are required to ensure that " +"enumeration lookups are completed successfully. For more information, refer " +"to the man pages for the specific id_provider in use." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1847 +msgid "" +"For the reasons cited above, enabling enumeration is not recommended, " +"especially in large environments." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1855 +msgid "subdomain_enumerate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1862 +msgid "all" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1863 +msgid "All discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1866 +msgid "none" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1867 +msgid "No discovered trusted domains will be enumerated" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1858 +msgid "" +"Whether any of autodetected trusted domains should be enumerated. 
The " +"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " +"Optionally, a list of one or more domain names can enable enumeration just " +"for these trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1881 +msgid "entry_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1884 +msgid "" +"How many seconds should nss_sss consider entries valid before asking the " +"backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1888 +msgid "" +"The cache expiration timestamps are stored as attributes of individual " +"objects in the cache. Therefore, changing the cache timeout only has effect " +"for newly added or expired entries. You should run the <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> tool in order to force refresh of entries that have already " +"been cached." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1901 +msgid "Default: 5400" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1907 +msgid "entry_cache_user_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1910 +msgid "" +"How many seconds should nss_sss consider user entries valid before asking " +"the backend again" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1914 sssd.conf.5.xml:1927 sssd.conf.5.xml:1940 +#: sssd.conf.5.xml:1953 sssd.conf.5.xml:1966 sssd.conf.5.xml:1980 +#: sssd.conf.5.xml:1994 +msgid "Default: entry_cache_timeout" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1920 +msgid "entry_cache_group_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1923 +msgid "" +"How many seconds should nss_sss consider group entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1933 +msgid "entry_cache_netgroup_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1936 +msgid "" +"How many seconds should nss_sss consider netgroup entries valid before " +"asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1946 +msgid "entry_cache_service_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1949 +msgid "" +"How many seconds should nss_sss consider service entries valid before asking " +"the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1959 +msgid "entry_cache_sudo_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1962 +msgid "" +"How many seconds should sudo consider rules valid before asking the backend " +"again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1972 +msgid "entry_cache_autofs_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1975 +msgid "" +"How many seconds should the autofs service consider automounter maps valid " +"before asking the backend again" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:1986 +msgid "entry_cache_ssh_host_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:1989 +msgid "" +"How many seconds to keep a host ssh key after refresh. IE how long to cache " +"the host key for." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2000 +msgid "refresh_expired_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2003 +msgid "" +"Specifies how many seconds SSSD has to wait before triggering a background " +"refresh task which will refresh all expired or nearly expired records." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2008 +msgid "" +"The background refresh will process users, groups and netgroups in the cache." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2012 +msgid "You can consider setting this value to 3/4 * entry_cache_timeout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2016 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254 +msgid "Default: 0 (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2022 +msgid "cache_credentials (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2025 +msgid "Determines if user credentials are also cached in the local LDB cache" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2029 +msgid "User credentials are stored in a SHA512 hash, not in plaintext" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2039 +msgid "cache_credentials_minimal_first_factor_length (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2042 +msgid "" +"If 2-Factor-Authentication (2FA) is used and credentials should be saved " +"this value determines the minimal length the first authentication factor " +"(long term password) must have to be saved as SHA512 hash into the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2049 +msgid "" +"This should avoid that the short PINs of a PIN based 2FA scheme are saved in " +"the cache which would make them easy targets for brute-force attacks." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2054 +msgid "Default: 8" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2060 +msgid "account_cache_expiration (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2063 +msgid "" +"Number of days entries are left in cache after last successful login before " +"being removed during a cleanup of the cache. 0 means keep forever. The " +"value of this parameter must be greater than or equal to " +"offline_credentials_expiration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2070 +msgid "Default: 0 (unlimited)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2075 +msgid "pwd_expiration_warning (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2086 +msgid "" +"Please note that the backend server has to provide information about the " +"expiration time of the password. If this information is missing, sssd " +"cannot display a warning. Also an auth provider has to be configured for the " +"backend." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2093 +msgid "Default: 7 (Kerberos), 0 (LDAP)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2099 +msgid "id_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2102 +msgid "" +"The identification provider used for the domain. Supported ID providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2106 +msgid "<quote>proxy</quote>: Support a legacy NSS provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2109 +msgid "" +"<quote>local</quote>: SSSD internal provider for local users (DEPRECATED)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2113 +msgid "" +"<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" +"files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on how to mirror local users and groups into SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2121 +msgid "" +"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " +"information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2129 sssd.conf.5.xml:2234 sssd.conf.5.xml:2289 +#: sssd.conf.5.xml:2352 +msgid "" +"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management " +"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"FreeIPA." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2138 sssd.conf.5.xml:2243 sssd.conf.5.xml:2298 +#: sssd.conf.5.xml:2361 +msgid "" +"<quote>ad</quote>: Active Directory provider. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Active Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2149 +msgid "use_fully_qualified_names (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2152 +msgid "" +"Use the full name and domain (as formatted by the domain's full_name_format) " +"as the user's login name reported to NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2157 +msgid "" +"If set to TRUE, all requests to this domain must use fully qualified names. " +"For example, if used in LOCAL domain that contains a \"test\" user, " +"<command>getent passwd test</command> wouldn't find the user while " +"<command>getent passwd test@LOCAL</command> would." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2165 +msgid "" +"NOTE: This option has no effect on netgroup lookups due to their tendency to " +"include nested netgroups without qualified names. For netgroups, all domains " +"will be searched when an unqualified name is requested." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2172 +msgid "Default: FALSE (TRUE if default_domain_suffix is used)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2178 +msgid "ignore_group_members (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2181 +msgid "Do not return group members for group lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2184 +msgid "" +"If set to TRUE, the group membership attribute is not requested from the " +"ldap server, and group members are not returned when processing group lookup " +"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " +"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " +"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" +"citerefentry>. As an effect, <quote>getent group $groupname</quote> would " +"return the requested group as if it was empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2202 +msgid "" +"Enabling this option can also make access provider checks for group " +"membership significantly faster, especially for groups containing many " +"members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2213 +msgid "auth_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2216 +msgid "" +"The authentication provider used for the domain. Supported auth providers " +"are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2220 sssd.conf.5.xml:2282 +msgid "" +"<quote>ldap</quote> for native LDAP authentication. 
See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2227 +msgid "" +"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2251 +msgid "" +"<quote>proxy</quote> for relaying authentication to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2254 +msgid "<quote>local</quote>: SSSD internal provider for local users" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2258 +msgid "<quote>none</quote> disables authentication explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2261 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"authentication requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2267 +msgid "access_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2270 +msgid "" +"The access control provider used for the domain. There are two built-in " +"access providers (in addition to any included in installed backends) " +"Internal special providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2276 +msgid "" +"<quote>permit</quote> always allow access. It's the only permitted access " +"provider for a local domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2279 +msgid "<quote>deny</quote> always deny access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2306 +msgid "" +"<quote>simple</quote> access control based on access or deny lists. See " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" +"manvolnum></citerefentry> for more information on configuring the simple " +"access module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2313 +msgid "" +"<quote>krb5</quote>: .k5login based access control. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2320 +msgid "<quote>proxy</quote> for relaying access control to another PAM module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2323 +msgid "Default: <quote>permit</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2328 +msgid "chpass_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2331 +msgid "" +"The provider which should handle change password operations for the domain. 
" +"Supported change password providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2336 +msgid "" +"<quote>ldap</quote> to change a password stored in a LDAP server. See " +"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2344 +msgid "" +"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring Kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2369 +msgid "" +"<quote>proxy</quote> for relaying password changes to some other PAM target." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2373 +msgid "<quote>none</quote> disallows password changes explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2376 +msgid "" +"Default: <quote>auth_provider</quote> is used if it is set and can handle " +"change password requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2383 +msgid "sudo_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2386 +msgid "The SUDO provider used for the domain. Supported SUDO providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2390 +msgid "" +"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2398 +msgid "" +"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2402 +msgid "" +"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " +"settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2406 +msgid "<quote>none</quote> disables SUDO explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2409 sssd.conf.5.xml:2495 sssd.conf.5.xml:2565 +#: sssd.conf.5.xml:2590 +msgid "Default: The value of <quote>id_provider</quote> is used if it is set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2413 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " +"options that can be used to adjust the behavior. Please refer to " +"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2428 +msgid "" +"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " +"background unless the sudo provider is explicitly disabled. Set " +"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " +"activity in SSSD if you do not want to use sudo with SSSD at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2438 +msgid "selinux_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2441 +msgid "" +"The provider which should handle loading of selinux settings. Note that this " +"provider will be called right after access provider ends. Supported selinux " +"providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2447 +msgid "" +"<quote>ipa</quote> to load selinux settings from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2455 +msgid "<quote>none</quote> disallows fetching selinux settings explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2458 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can handle " +"selinux loading requests." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2464 +msgid "subdomains_provider (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2467 +msgid "" +"The provider which should handle fetching of subdomains. This value should " +"be always the same as id_provider. Supported subdomain providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2473 +msgid "" +"<quote>ipa</quote> to load a list of subdomains from an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2482 +msgid "" +"<quote>ad</quote> to load a list of subdomains from an Active Directory " +"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " +"the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2491 +msgid "<quote>none</quote> disallows fetching subdomains explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2501 +msgid "session_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2504 +msgid "" +"The provider which configures and manages user session related tasks. The " +"only user session task currently provided is the integration with Fleet " +"Commander, which works only with IPA. Supported session providers are:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2511 +msgid "<quote>ipa</quote> to allow performing user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2515 +msgid "" +"<quote>none</quote> does not perform any kind of user session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2519 +msgid "" +"Default: <quote>id_provider</quote> is used if it is set and can perform " +"session related tasks." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2523 +msgid "" +"<emphasis>NOTE:</emphasis> In order to have this feature working as expected " +"SSSD must be running as \"root\" and not as the unprivileged user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2531 +msgid "autofs_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2534 +msgid "" +"The autofs provider used for the domain. Supported autofs providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2538 +msgid "" +"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2545 +msgid "" +"<quote>ipa</quote> to load maps stored in an IPA server. 
See <citerefentry> " +"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2553 +msgid "" +"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more information on configuring the AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2562 +msgid "<quote>none</quote> disables autofs explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2572 +msgid "hostid_provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2575 +msgid "" +"The provider used for retrieving host identity information. Supported " +"hostid providers are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2579 +msgid "" +"<quote>ipa</quote> to load host identity stored in an IPA server. See " +"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> for more information on configuring IPA." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2587 +msgid "<quote>none</quote> disables hostid explicitly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2600 +msgid "" +"Regular expression for this domain that describes how to parse the string " +"containing user name and domain into these components. 
The \"domain\" can " +"match either the SSSD configuration domain name, or, in the case of IPA " +"trust subdomains and Active Directory domains, the flat (NetBIOS) name of " +"the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2609 +msgid "" +"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\" +"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?" +"P<name>[^@\\\\]+)$))</quote> which allows three different styles for " +"user names:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2614 +msgid "username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2617 +msgid "username@domain.name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:2620 +msgid "domain\\username" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2623 +msgid "" +"While the first two correspond to the general default the third one is " +"introduced to allow easy integration of users from Windows domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2628 +msgid "" +"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> " +"which translates to \"the name is everything up to the <quote>@</quote> " +"sign, the domain everything after that\"" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2634 +msgid "" +"NOTE: Some Active Directory groups, typically those used for MS Exchange " +"contain an <quote>@</quote> sign in the name, which clashes with the default " +"re_expression value for the AD and IPA providers. To support these groups, " +"consider changing the re_expression value to: <quote>((?P<name>.+)@(?" +"P<domain>[^@]+$))</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2685 +msgid "Default: <quote>%1$s@%2$s</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2691 +msgid "lookup_family_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2694 +msgid "" +"Provides the ability to select preferred address family to use when " +"performing DNS lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2698 +msgid "Supported values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2701 +msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2704 +msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2707 +msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2710 +msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2713 +msgid "Default: ipv4_first" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2719 +msgid "dns_resolver_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2722 +msgid "" +"Defines the amount of time (in seconds) to wait for a reply from the " +"internal fail over service before assuming that the service is unreachable. " +"If this timeout is reached, the domain will continue to operate in offline " +"mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2729 +msgid "" +"Please see the section <quote>FAILOVER</quote> for more information about " +"the service resolution." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2734 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438 +#: sssd-ldap.5.xml:1456 sssd-krb5.5.xml:248 +msgid "Default: 6" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2740 +msgid "dns_discovery_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2743 +msgid "" +"If service discovery is used in the back end, specifies the domain part of " +"the service discovery DNS query." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2747 +msgid "Default: Use the domain part of machine's hostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2753 +msgid "override_gid (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2756 +msgid "Override the primary GID value with the one specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2762 +msgid "case_sensitive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2770 +msgid "True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2773 +msgid "Case sensitive. This value is invalid for AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2779 +msgid "False" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2781 +msgid "Case insensitive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2785 +msgid "Preserving" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2788 +msgid "" +"Same as False (case insensitive), but does not lowercase names in the result " +"of NSS operations. Note that name aliases (and in case of services also " +"protocol names) are still lowercased in the output." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2765 +msgid "" +"Treat user and group names as case sensitive. At the moment, this option is " +"not supported in the local provider. Possible option values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2800 +msgid "Default: True (False for AD provider)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2806 +msgid "subdomain_inherit (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2809 +msgid "" +"Specifies a list of configuration parameters that should be inherited by a " +"subdomain. Please note that only selected parameters can be inherited. " +"Currently the following options can be inherited:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2815 +msgid "ignore_group_members" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2818 +msgid "ldap_purge_cache_timeout" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2821 sssd-ldap.5.xml:1120 +msgid "ldap_use_tokengroups" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2824 +msgid "ldap_user_principal" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2827 +msgid "" +"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " +"is not set explicitly)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd.conf.5.xml:2833 +#, no-wrap +msgid "" +"subdomain_inherit = ldap_purge_cache_timeout\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2831 sssd-secrets.5.xml:448 +msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2840 +msgid "Note: This option only works with the IPA and AD provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2847 +msgid "subdomain_homedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2858 +msgid "%F" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2859 +msgid "flat (NetBIOS) name of a subdomain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2850 +msgid "" +"Use this homedir as default value for all subdomains within this domain in " +"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " +"possible values. In addition to those, the expansion below can only be used " +"with <emphasis>subdomain_homedir</emphasis>. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2864 +msgid "" +"The value can be overridden by <emphasis>override_homedir</emphasis> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2868 +msgid "Default: <filename>/home/%d/%u</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2873 +msgid "realmd_tags (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2876 +msgid "" +"Various tags stored by the realmd configuration service for this domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2882 +msgid "cached_auth_timeout (int)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2885 +msgid "" +"Specifies time in seconds since last successful online authentication for " +"which user will be authenticated using cached credentials while SSSD is in " +"the online mode." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2891 +msgid "Special value 0 implies that this feature is disabled." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2895 +msgid "" +"Please note that if <quote>cached_auth_timeout</quote> is longer than " +"<quote>pam_id_timeout</quote> then the back end could be called to handle " +"<quote>initgroups.</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2906 +msgid "auto_private_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2909 +msgid "" +"If this option is enabled, SSSD will automatically create user private " +"groups based on user's UID number. The GID number is ignored in this case." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2914 +msgid "" +"For POSIX subdomains, setting the option in the main domain is inherited in " +"the subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2918 +msgid "" +"For ID-mapping subdomains, auto_private_groups is already enabled for the " +"subdomains and setting it to false will not have any effect for the " +"subdomain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2923 +msgid "" +"NOTE: Because the GID number and the user private group are inferred from " +"the UID number, it is not supported to have multiple entries with the same " +"UID or GID number with this option. In other words, enabling this option " +"enforces uniqueness across the ID space." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:1727 +msgid "" +"These configuration options can be present in a domain configuration " +"section, that is, in a section called <quote>[domain/<replaceable>NAME</" +"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2942 +msgid "proxy_pam_target (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2945 +msgid "The proxy target PAM proxies to." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2948 +msgid "" +"Default: not set by default, you have to take an existing pam configuration " +"or create a new one and add the service name here." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2956 +msgid "proxy_lib_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2959 +msgid "" +"The name of the NSS library to use in proxy domains. The NSS functions " +"searched for in the library are in the form of _nss_$(libName)_$(function), " +"for example _nss_files_getpwent." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2969 +msgid "proxy_fast_alias (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2972 +msgid "" +"When a user or group is looked up by name in the proxy provider, a second " +"lookup by ID is performed to \"canonicalize\" the name in case the requested " +"name was an alias. 
Setting this option to true would cause the SSSD to " +"perform the ID lookup from cache for performance reasons." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd.conf.5.xml:2986 +msgid "proxy_max_children (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:2989 +msgid "" +"This option specifies the number of pre-forked proxy children. It is useful " +"for high-load SSSD environments where sssd may run out of available child " +"slots, which would cause some issues due to the requests being queued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:2938 +msgid "" +"Options valid for proxy domains. <placeholder type=\"variablelist\" id=" +"\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3005 +msgid "Application domains" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3007 +msgid "" +"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " +"applications as a gateway to an LDAP directory where users and groups are " +"stored. However, contrary to the traditional SSSD deployment where all users " +"and groups either have POSIX attributes or those attributes can be inferred " +"from the Windows SIDs, in many cases the users and groups in the application " +"support scenario have no POSIX attributes. Instead of setting a " +"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " +"administrator can set up an <quote>[application/<replaceable>NAME</" +"replaceable>]</quote> section that internally represents a domain with type " +"<quote>application</quote> optionally inherits settings from a tradition " +"SSSD domain." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3027 +msgid "" +"Please note that the application domain must still be explicitly enabled in " +"the <quote>domains</quote> parameter so that the lookup order between the " +"application domain and its POSIX sibling domain is set correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> +#: sssd.conf.5.xml:3033 +msgid "Application domain parameters" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3035 +msgid "inherit_from (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3038 +msgid "" +"The SSSD POSIX-type domain the application domain inherits all settings " +"from. The application domain can moreover add its own settings to the " +"application settings that augment or override the <quote>sibling</quote> " +"domain settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3052 +msgid "" +"The following example illustrates the use of an application domain. In this " +"setup, the POSIX domain is connected to an LDAP server and is used by the OS " +"through the NSS responder. In addition, the application domain also requests " +"the telephoneNumber attribute, stores it as the phone attribute in the cache " +"and makes the phone attribute reachable through the D-Bus interface." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><programlisting> +#: sssd.conf.5.xml:3060 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = appdom, posixdom\n" +"\n" +"[ifp]\n" +"user_attributes = +phone\n" +"\n" +"[domain/posixdom]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"[application/appdom]\n" +"inherit_from = posixdom\n" +"ldap_user_extra_attrs = phone:telephoneNumber\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd.conf.5.xml:3078 +msgid "The local domain section" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd.conf.5.xml:3080 +msgid "" +"This section contains settings for domain that stores users and groups in " +"SSSD native database, that is, a domain that uses " +"<replaceable>id_provider=local</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3087 +msgid "default_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3090 +msgid "The default shell for users created with SSSD userspace tools." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3094 +msgid "Default: <filename>/bin/bash</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3099 +msgid "base_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3102 +msgid "" +"The tools append the login name to <replaceable>base_directory</replaceable> " +"and use that as the home directory." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3107 +msgid "Default: <filename>/home</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3112 +msgid "create_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3115 +msgid "" +"Indicate if a home directory should be created by default for new users. " +"Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3119 sssd.conf.5.xml:3131 +msgid "Default: TRUE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3124 +msgid "remove_homedir (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3127 +msgid "" +"Indicate if a home directory should be removed by default for deleted " +"users. Can be overridden on command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3136 +msgid "homedir_umask (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3139 +msgid "" +"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions " +"on a newly created home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3147 +msgid "Default: 077" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3152 +msgid "skel_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3155 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3165 +msgid "Default: <filename>/etc/skel</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3170 +msgid "mail_dir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3173 +msgid "" +"The mail spool directory. This is needed to manipulate the mailbox when its " +"corresponding user account is modified or deleted. If not specified, a " +"default value is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3180 +msgid "Default: <filename>/var/mail</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd.conf.5.xml:3185 +msgid "userdel_cmd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3188 +msgid "" +"The command that is run after a user is removed. The command us passed the " +"username of the user being removed as the first and only parameter. The " +"return code of the command is not taken into account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd.conf.5.xml:3194 +msgid "Default: None, no command is run" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3204 +msgid "TRUSTED DOMAIN SECTION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3206 +msgid "" +"Some options used in the domain section can also be used in the trusted " +"domain section, that is, in a section called <quote>[domain/" +"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" +"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " +"domain. Please refer to examples below for explanation. Currently supported " +"options in the trusted domain section are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3213 +msgid "ldap_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3214 +msgid "ldap_user_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3215 +msgid "ldap_group_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3216 +msgid "ldap_netgroup_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3217 +msgid "ldap_service_search_base," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3218 +msgid "ad_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3219 +msgid "ad_backup_server," +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3220 +msgid "ad_site," +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd.conf.5.xml:3221 sssd-ipa.5.xml:782 +msgid "use_fully_qualified_names" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3223 +msgid "" +"For more details about these options see their individual description in the " +"manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.conf.5.xml:3229 idmap_sss.8.xml:43 +msgid "EXAMPLES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3235 +#, no-wrap +msgid "" +"[sssd]\n" +"domains = LDAP\n" +"services = nss, pam\n" +"config_file_version = 2\n" +"\n" +"[nss]\n" +"filter_groups = root\n" +"filter_users = root\n" +"\n" +"[pam]\n" +"\n" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"ldap_uri = ldap://ldap.example.com\n" +"ldap_search_base = dc=example,dc=com\n" +"\n" +"auth_provider = krb5\n" +"krb5_server = kerberos.example.com\n" +"krb5_realm = EXAMPLE.COM\n" +"cache_credentials = true\n" +"\n" +"min_id = 10000\n" +"max_id = 20000\n" +"enumerate = False\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3231 +msgid "" +"1. The following example shows a typical SSSD config. It does not describe " +"configuration of the domains themselves - refer to documentation on " +"configuring domains for more details. <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd.conf.5.xml:3268 +#, no-wrap +msgid "" +"[domain/ipa.com/child.ad.com]\n" +"use_fully_qualified_names = false\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.conf.5.xml:3262 +msgid "" +"2. The following example shows configuration of IPA AD trust where the AD " +"forest consists of two domains in a parent-child structure. 
Suppose IPA " +"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " +"(child.ad.com). To enable shortnames in the child domain the following " +"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" +">" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 +msgid "sssd-ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ldap.5.xml:17 +msgid "SSSD LDAP provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:23 +msgid "" +"This manual page describes the configuration of LDAP domains for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for detailed syntax information." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:35 +msgid "You can configure SSSD to use more than one LDAP domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:38 +msgid "" +"LDAP back end supports id, auth, access and chpass providers. If you want to " +"authenticate against an LDAP server either TLS/SSL or LDAPS is required. " +"<command>sssd</command> <emphasis>does not</emphasis> support authentication " +"over an unencrypted channel. If the LDAP server is used only as an identity " +"provider, an encrypted channel is not needed. Please refer to " +"<quote>ldap_access_filter</quote> config option for more information about " +"using LDAP as an access provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:115 +#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57 +#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139 +msgid "CONFIGURATION OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:60 +msgid "ldap_uri, ldap_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:63 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference. Refer to the <quote>FAILOVER</" +"quote> section for more information on failover and server redundancy. If " +"neither option is specified, service discovery is enabled. For more " +"information, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:70 sssd-secrets.5.xml:264 +msgid "The format of the URI must match the format defined in RFC 2732:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:73 +msgid "ldap[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:76 +msgid "" +"For explicit IPv6 addresses, <host> must be enclosed in brackets []" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:79 +msgid "example: ldap://[fc00::126:25]:389" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:85 +msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:88 +msgid "" +"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " +"should connect in the order of preference to change the password of a user. " +"Refer to the <quote>FAILOVER</quote> section for more information on " +"failover and server redundancy." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:95 +msgid "To enable service discovery ldap_chpass_dns_service_name must be set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:99 +msgid "Default: empty, i.e. ldap_uri is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:105 +msgid "ldap_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:108 +msgid "The default base DN to use for performing LDAP user operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:112 +msgid "" +"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " +"syntax:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:116 +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:119 +msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18 +msgid "" +"The filter must be a valid LDAP search filter as specified by http://www." +"ietf.org/rfc/rfc2254.txt" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:286 +#: sss_override.8.xml:137 sss_override.8.xml:234 +msgid "Examples:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:129 +msgid "" +"ldap_search_base = dc=example,dc=com (which is equivalent to) " +"ldap_search_base = dc=example,dc=com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:134 +msgid "" +"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" +"(host=thishost)?dc=example.com?subtree?" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:137 +msgid "" +"Note: It is unsupported to have multiple search bases which reference " +"identically-named objects (for example, groups with the same name in two " +"different search bases). This will lead to unpredictable behavior on client " +"machines." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:144 +msgid "" +"Default: If not set, the value of the defaultNamingContext or namingContexts " +"attribute from the RootDSE of the LDAP server is used. If " +"defaultNamingContext does not exist or has an empty value namingContexts is " +"used. 
The namingContexts attribute must have a single value with the DN of " +"the search base of the LDAP server to make this work. Multiple values are " +"are not supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:158 +msgid "ldap_schema (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:161 +msgid "" +"Specifies the Schema Type in use on the target LDAP server. Depending on " +"the selected schema, the default attribute names retrieved from the servers " +"may vary. The way that some attributes are handled may also differ." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:168 +msgid "Four schema types are currently supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:172 +msgid "rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:177 +msgid "rfc2307bis" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:182 +msgid "IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ldap.5.xml:187 +msgid "AD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:193 +msgid "" +"The main difference between these schema types is how group memberships are " +"recorded in the server. 
With rfc2307, group members are listed by name in " +"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " +"group members are listed by DN and stored in the <emphasis>member</emphasis> " +"attribute. The AD schema type sets the attributes to correspond with Active " +"Directory 2008r2 values." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:203 +msgid "Default: rfc2307" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:209 +msgid "ldap_default_bind_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:212 +msgid "The default bind DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:219 +msgid "ldap_default_authtok_type (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:222 +msgid "The type of the authentication token of the default bind DN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:226 +msgid "The two mechanisms currently supported are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:229 +msgid "password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:232 +msgid "obfuscated_password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:235 +msgid "Default: password" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:241 +msgid "ldap_default_authtok (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:244 +msgid "" +"The authentication token of the default bind DN. Only clear text passwords " +"are currently supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:251 +msgid "ldap_user_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:254 +msgid "The object class of a user entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:257 +msgid "Default: posixAccount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:263 +msgid "ldap_user_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:266 +msgid "The LDAP attribute that corresponds to the user's login name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:270 +msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:277 +msgid "ldap_user_uid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:280 +msgid "The LDAP attribute that corresponds to the user's id." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:284 +msgid "Default: uidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:290 +msgid "ldap_user_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:293 +msgid "The LDAP attribute that corresponds to the user's primary group id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:297 sssd-ldap.5.xml:929 +msgid "Default: gidNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:303 +msgid "ldap_user_primary_group (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:306 +msgid "" +"Active Directory primary group attribute for ID-mapping. Note that this " +"attribute should only be set manually if you are running the <quote>ldap</" +"quote> provider with ID mapping." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:312 +msgid "Default: unset (LDAP), primaryGroupID (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:318 +msgid "ldap_user_gecos (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:321 +msgid "The LDAP attribute that corresponds to the user's gecos field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:325 +msgid "Default: gecos" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:331 +msgid "ldap_user_home_directory (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:334 +msgid "The LDAP attribute that contains the name of the user's home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:338 +msgid "Default: homeDirectory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:344 +msgid "ldap_user_shell (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:347 +msgid "The LDAP attribute that contains the path to the user's default shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:351 +msgid "Default: loginShell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:357 +msgid "ldap_user_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:360 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:364 sssd-ldap.5.xml:955 +msgid "" +"Default: not set in the general case, objectGUID for AD and ipaUniqueID for " +"IPA" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:371 +msgid "ldap_user_objectsid (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:374 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP user object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:379 sssd-ldap.5.xml:970 +msgid "Default: objectSid for ActiveDirectory, not set for other servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:386 +msgid "ldap_user_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203 +msgid "" +"The LDAP attribute that contains timestamp of the last modification of the " +"parent object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210 +msgid "Default: modifyTimestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:399 +msgid "ldap_user_shadow_last_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:402 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " +"the last password change)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:412 +msgid "Default: shadowLastChange" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:418 +msgid "ldap_user_shadow_min (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:421 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:430 +msgid "Default: shadowMin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:436 +msgid "ldap_user_shadow_max (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:439 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " +"password age)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:448 +msgid "Default: shadowMax" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:454 +msgid "ldap_user_shadow_warning (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:457 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password warning period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:467 +msgid "Default: shadowWarning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:473 +msgid "ldap_user_shadow_inactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:476 +msgid "" +"When using ldap_pwd_policy=shadow, this parameter contains the name of an " +"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " +"(password inactivity period)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:486 +msgid "Default: shadowInactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:492 +msgid "ldap_user_shadow_expire (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:495 +msgid "" +"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " +"parameter contains the name of an LDAP attribute corresponding to its " +"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> counterpart (account expiration date)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:505 +msgid "Default: shadowExpire" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:511 +msgid "ldap_user_krb_last_pwd_change (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:514 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time of last password change in " +"kerberos." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:520 +msgid "Default: krbLastPwdChange" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:526 +msgid "ldap_user_krb_password_expiration (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:529 +msgid "" +"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " +"an LDAP attribute storing the date and time when current password expires." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:535 +msgid "Default: krbPasswordExpiration" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:541 +msgid "ldap_user_ad_account_expires (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:544 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the expiration time of the account." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:549 +msgid "Default: accountExpires" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:555 +msgid "ldap_user_ad_user_account_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:558 +msgid "" +"When using ldap_account_expire_policy=ad, this parameter contains the name " +"of an LDAP attribute storing the user account control bit field." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:563 +msgid "Default: userAccountControl" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:569 +msgid "ldap_ns_account_lock (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:572 +msgid "" +"When using ldap_account_expire_policy=rhds or equivalent, this parameter " +"determines if access is allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:577 +msgid "Default: nsAccountLock" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:583 +msgid "ldap_user_nds_login_disabled (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:586 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines if " +"access is allowed or not." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:590 sssd-ldap.5.xml:604 +msgid "Default: loginDisabled" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:596 +msgid "ldap_user_nds_login_expiration_time (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:599 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines until " +"which date access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:610 +msgid "ldap_user_nds_login_allowed_time_map (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:613 +msgid "" +"When using ldap_account_expire_policy=nds, this attribute determines the " +"hours of a day in a week when access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:618 +msgid "Default: loginAllowedTimeMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:624 +msgid "ldap_user_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:627 +msgid "" +"The LDAP attribute that contains the user's Kerberos User Principal Name " +"(UPN)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:631 +msgid "Default: krbPrincipalName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:637 +msgid "ldap_user_extra_attrs (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:640 +msgid "" +"Comma-separated list of LDAP attributes that SSSD would fetch along with the " +"usual set of user attributes." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:645 +msgid "" +"The list can either contain LDAP attribute names only, or colon-separated " +"tuples of SSSD cache attribute name and LDAP attribute name. In case only " +"LDAP attribute name is specified, the attribute is saved to the cache " +"verbatim. Using a custom SSSD attribute name might be required by " +"environments that configure several SSSD domains with different LDAP schemas." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:655 +msgid "" +"Please note that several attribute names are reserved by SSSD, notably the " +"<quote>name</quote> attribute. SSSD would report an error if any of the " +"reserved attribute names is used as an extra attribute name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:665 +msgid "ldap_user_extra_attrs = telephoneNumber" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:668 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as " +"<quote>telephoneNumber</quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:672 +msgid "ldap_user_extra_attrs = phone:telephoneNumber" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:675 +msgid "" +"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" +"quote> to the cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:685 +msgid "ldap_user_ssh_public_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:688 +msgid "The LDAP attribute that contains the user's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:692 sssd-ldap.5.xml:1306 +msgid "Default: sshPublicKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:698 +msgid "ldap_force_upper_case_realm (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:701 +msgid "" +"Some directory servers, for example Active Directory, might deliver the " +"realm part of the UPN in lower case, which might cause the authentication to " +"fail. Set this option to a non-zero value if you want to use an upper-case " +"realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:714 +msgid "ldap_enumeration_refresh_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:717 +msgid "" +"Specifies how many seconds SSSD has to wait before refreshing its cache of " +"enumerated records." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:728 +msgid "ldap_purge_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:731 +msgid "" +"Determine how often to check the cache for inactive entries (such as groups " +"with no members and users who have never logged in) and remove them to save " +"space." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:737 +msgid "" +"Setting this option to zero will disable the cache cleanup operation. Please " +"note that if enumeration is enabled, the cleanup task is required in order " +"to detect entries removed from the server and can't be disabled. By default, " +"the cleanup task will run every 3 hours with enumeration enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:752 +msgid "ldap_user_fullname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:755 +msgid "The LDAP attribute that corresponds to the user's full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235 +#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2405 sssd-ipa.5.xml:607 +msgid "Default: cn" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:765 +msgid "ldap_user_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:768 +msgid "The LDAP attribute that lists the user's group memberships." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:772 sssd-ldap.5.xml:1274 +msgid "Default: memberOf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:778 +msgid "ldap_user_authorized_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:781 +msgid "" +"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " +"use the presence of the authorizedService attribute in the user's LDAP entry " +"to determine access privilege." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:788 +msgid "" +"An explicit deny (!svc) is resolved first. Second, SSSD searches for " +"explicit allow (svc) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:793 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>authorized_service</quote> in order for the " +"ldap_user_authorized_service option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:800 +msgid "Default: authorizedService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:806 +msgid "ldap_user_authorized_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:809 +msgid "" +"If access_provider=ldap and ldap_access_order=host, SSSD will use the " +"presence of the host attribute in the user's LDAP entry to determine access " +"privilege." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:815 +msgid "" +"An explicit deny (!host) is resolved first. Second, SSSD searches for " +"explicit allow (host) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:820 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>host</quote> in order for the " +"ldap_user_authorized_host option to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:827 +msgid "Default: host" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:833 +msgid "ldap_user_authorized_rhost (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:836 +msgid "" +"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " +"presence of the rhost attribute in the user's LDAP entry to determine access " +"privilege. Similarly to host verification process." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:843 +msgid "" +"An explicit deny (!rhost) is resolved first. Second, SSSD searches for " +"explicit allow (rhost) and finally for allow_all (*)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:848 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>rhost</quote> in order for the " +"ldap_user_authorized_rhost option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:855 +msgid "Default: rhost" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:861 +msgid "ldap_user_certificate (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:864 +msgid "Name of the LDAP attribute containing the X509 certificate of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:868 +msgid "Default: userCertificate;binary" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:874 +msgid "ldap_user_email (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:877 +msgid "Name of the LDAP attribute containing the email address of the user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:881 +msgid "" +"Note: If an email address of a user conflicts with an email address or fully " +"qualified name of another user, then SSSD will not be able to serve those " +"users properly. If for some reason several users need to share the same " +"email address then set this option to a nonexistent attribute name in order " +"to disable user lookup/login by email." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:890 +msgid "Default: mail" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:896 +msgid "ldap_group_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:899 +msgid "The object class of a group entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:902 +msgid "Default: posixGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:908 +msgid "ldap_group_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:911 +msgid "The LDAP attribute that corresponds to the group name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:915 +msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:922 +msgid "ldap_group_gid_number (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:925 +msgid "The LDAP attribute that corresponds to the group's id." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:935 +msgid "ldap_group_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:938 +msgid "The LDAP attribute that contains the names of the group's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:942 +msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:948 +msgid "ldap_group_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:951 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:962 +msgid "ldap_group_objectsid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:965 +msgid "" +"The LDAP attribute that contains the objectSID of an LDAP group object. This " +"is usually only necessary for ActiveDirectory servers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:977 +msgid "ldap_group_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:990 +msgid "ldap_group_type (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:993 +msgid "" +"The LDAP attribute that contains an integer value indicating the type of the " +"group and maybe other flags." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:998 +msgid "" +"This attribute is currently only used by the AD provider to determine if a " +"group is a domain local groups and has to be filtered out for trusted " +"domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1004 +msgid "Default: groupType in the AD provider, otherwise not set" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1011 +msgid "ldap_group_external_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1014 +msgid "" +"The LDAP attribute that references group members that are defined in an " +"external domain. At the moment, only IPA's external members are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1020 +msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1027 +msgid "ldap_group_nesting_level (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1030 +msgid "" +"If ldap_schema is set to a schema format that supports nested groups (e.g. " +"RFC2307bis), then this option controls how many levels of nesting SSSD will " +"follow. This option has no effect on the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1037 +msgid "" +"Note: This option specifies the guaranteed level of nested groups to be " +"processed for any lookup. However, nested groups beyond this limit " +"<emphasis>may be</emphasis> returned if previous lookups already resolved " +"the deeper nesting levels. Also, subsequent lookups for other groups may " +"enlarge the result set for original lookup if re-queried." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1046 +msgid "" +"If ldap_group_nesting_level is set to 0 then no nested groups are processed " +"at all. 
However, when connected to Active-Directory Server 2008 and later " +"using <quote>id_provider=ad</quote> it is furthermore required to disable " +"usage of Token-Groups by setting ldap_use_tokengroups to false in order to " +"restrict group nesting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1055 +msgid "Default: 2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1061 +msgid "ldap_groups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1064 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which may speed up group lookup operations on deployments with " +"complex or deep nested groups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1070 +msgid "" +"In most common cases, it is best to leave this option disabled. It generally " +"only provides a performance increase on very complex nestings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1075 sssd-ldap.5.xml:1102 +msgid "" +"If this option is enabled, SSSD will use it if it detects that the server " +"supports it during initial connection. So \"True\" here essentially means " +"\"auto-detect\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1081 sssd-ldap.5.xml:1108 +msgid "" +"Note: This feature is currently known to work only with Active Directory " +"2008 R1 and later. 
See <ulink url=\"http://msdn.microsoft.com/en-us/library/" +"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> " +"for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1093 +msgid "ldap_initgroups_use_matching_rule_in_chain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1096 +msgid "" +"This option tells SSSD to take advantage of an Active Directory-specific " +"feature which might speed up initgroups operations (most notably when " +"dealing with complex or deep nested groups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1123 +msgid "" +"This options enables or disables use of Token-Groups attribute when " +"performing initgroup for users from Active Directory Server 2008 and later." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1128 +msgid "Default: True for AD and IPA otherwise False." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1134 +msgid "ldap_netgroup_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1137 +msgid "The object class of a netgroup entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1140 +msgid "In IPA provider, ipa_netgroup_object_class should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1144 +msgid "Default: nisNetgroup" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1150 +msgid "ldap_netgroup_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1153 +msgid "The LDAP attribute that corresponds to the netgroup name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1157 +msgid "In IPA provider, ipa_netgroup_name should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1167 +msgid "ldap_netgroup_member (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1170 +msgid "The LDAP attribute that contains the names of the netgroup's members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1174 +msgid "In IPA provider, ipa_netgroup_member should be used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1178 +msgid "Default: memberNisNetgroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1184 +msgid "ldap_netgroup_triple (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1187 +msgid "" +"The LDAP attribute that contains the (host, user, domain) netgroup triples." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1191 sssd-ldap.5.xml:1207 +msgid "This option is not available in IPA provider." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1194 +msgid "Default: nisNetgroupTriple" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1200 +msgid "ldap_netgroup_modify_timestamp (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1216 +msgid "ldap_host_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1219 +msgid "The object class of a host entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1222 sssd-ldap.5.xml:1331 +msgid "Default: ipService" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1228 +msgid "ldap_host_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1231 sssd-ldap.5.xml:1257 +msgid "The LDAP attribute that corresponds to the host's name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1241 +msgid "ldap_host_fqdn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1244 +msgid "" +"The LDAP attribute that corresponds to the host's fully-qualified domain " +"name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1248 +msgid "Default: fqdn" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1254 +msgid "ldap_host_serverhostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1261 +msgid "Default: serverHostname" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1267 +msgid "ldap_host_member_of (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1270 +msgid "The LDAP attribute that lists the host's group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1280 +msgid "ldap_host_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1283 +msgid "Optional. Use the given string as search base for host objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378 +#: sssd-ipa.5.xml:397 sssd-ipa.5.xml:416 +msgid "" +"See <quote>ldap_search_base</quote> for information about configuring " +"multiple search bases." +msgstr "" + +#. type: Content of: <listitem><para> +#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27 +msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1299 +msgid "ldap_host_ssh_public_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1302 +msgid "The LDAP attribute that contains the host's SSH public keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1312 +msgid "ldap_host_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1315 +msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1325 +msgid "ldap_service_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1328 +msgid "The object class of a service entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1337 +msgid "ldap_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1340 +msgid "" +"The LDAP attribute that contains the name of service attributes and their " +"aliases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1350 +msgid "ldap_service_port (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1353 +msgid "The LDAP attribute that contains the port managed by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1357 +msgid "Default: ipServicePort" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1363 +msgid "ldap_service_proto (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1366 +msgid "" +"The LDAP attribute that contains the protocols understood by this service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1370 +msgid "Default: ipServiceProtocol" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1376 +msgid "ldap_service_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1381 +msgid "ldap_search_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1384 +msgid "" +"Specifies the timeout (in seconds) that ldap searches are allowed to run " +"before they are cancelled and cached results are returned (and offline mode " +"is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1390 +msgid "" +"Note: this option is subject to change in future versions of the SSSD. It " +"will likely be replaced at some point by a series of timeouts for specific " +"lookup types." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1402 +msgid "ldap_enumeration_search_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1405 +msgid "" +"Specifies the timeout (in seconds) that ldap searches for user and group " +"enumerations are allowed to run before they are cancelled and cached results " +"are returned (and offline mode is entered)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1418 +msgid "ldap_network_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1421 +msgid "" +"Specifies the timeout (in seconds) after which the <citerefentry> " +"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" +"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" +"manvolnum> </citerefentry> following a <citerefentry> " +"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" +"citerefentry> returns in case of no activity." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1444 +msgid "ldap_opt_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1447 +msgid "" +"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " +"will abort if no response is received. Also controls the timeout when " +"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " +"operation, password change extended operation and the StartTLS operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1462 +msgid "ldap_connection_expire_timeout (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1465 +msgid "" +"Specifies a timeout (in seconds) that a connection to an LDAP server will be " +"maintained. After this time, the connection will be re-established. If used " +"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " +"the TGT lifetime) will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1473 sssd-ldap.5.xml:2562 +msgid "Default: 900 (15 minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1479 +msgid "ldap_page_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1482 +msgid "" +"Specify the number of records to retrieve from LDAP in a single request. " +"Some LDAP servers enforce a maximum limit per-request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1487 +msgid "Default: 1000" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1493 +msgid "ldap_disable_paging (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1496 +msgid "" +"Disable the LDAP paging control. This option should be used if the LDAP " +"server reports that it supports the LDAP paging control in its RootDSE but " +"it is not enabled or does not behave properly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1502 +msgid "" +"Example: OpenLDAP servers with the paging control module installed on the " +"server but not enabled will report it in the RootDSE but be unable to use it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1508 +msgid "" +"Example: 389 DS has a bug where it can only support a one paging control at " +"a time on a single connection. On busy clients, this can result in some " +"requests being denied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1520 +msgid "ldap_disable_range_retrieval (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1523 +msgid "Disable Active Directory range retrieval." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1526 +msgid "" +"Active Directory limits the number of members to be retrieved in a single " +"lookup using the MaxValRange policy (which defaults to 1500 members). If a " +"group contains more members, the reply would include an AD-specific range " +"extension. This option disables parsing of the range extension, therefore " +"large groups will appear as having no members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1541 +msgid "ldap_sasl_minssf (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1544 +msgid "" +"When communicating with an LDAP server using SASL, specify the minimum " +"security level necessary to establish the connection. 
The values of this " +"option are defined by OpenLDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1550 +msgid "Default: Use the system default (usually specified by ldap.conf)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1557 +msgid "ldap_deref_threshold (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1560 +msgid "" +"Specify the number of group members that must be missing from the internal " +"cache in order to trigger a dereference lookup. If less members are missing, " +"they are looked up individually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1566 +msgid "" +"You can turn off dereference lookups completely by setting the value to 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1570 +msgid "" +"A dereference lookup is a means of fetching all group members in a single " +"LDAP call. Different LDAP servers may implement different dereference " +"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " +"Directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1578 +msgid "" +"<emphasis>Note:</emphasis> If any of the search bases specifies a search " +"filter, then the dereference lookup performance enhancement will be disabled " +"regardless of this setting." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1591 +msgid "ldap_tls_reqcert (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1594 +msgid "" +"Specifies what checks to perform on server certificates in a TLS session, if " +"any. It can be specified as one of the following values:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1600 +msgid "" +"<emphasis>never</emphasis> = The client will not request or check any server " +"certificate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1604 +msgid "" +"<emphasis>allow</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, it will be ignored and the session proceeds normally." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1611 +msgid "" +"<emphasis>try</emphasis> = The server certificate is requested. If no " +"certificate is provided, the session proceeds normally. If a bad certificate " +"is provided, the session is immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1617 +msgid "" +"<emphasis>demand</emphasis> = The server certificate is requested. If no " +"certificate is provided, or a bad certificate is provided, the session is " +"immediately terminated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1623 +msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1627 +msgid "Default: hard" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1633 +msgid "ldap_tls_cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1636 +msgid "" +"Specifies the file that contains certificates for all of the Certificate " +"Authorities that <command>sssd</command> will recognize." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700 +msgid "" +"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." +"conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1648 +msgid "ldap_tls_cacertdir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1651 +msgid "" +"Specifies the path of a directory that contains Certificate Authority " +"certificates in separate individual files. Typically the file names need to " +"be the hash of the certificate followed by '.0'. If available, " +"<command>cacertdir_rehash</command> can be used to create the correct names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1666 +msgid "ldap_tls_cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1669 +msgid "Specifies the file that contains the certificate for the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1679 +msgid "ldap_tls_key (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1682 +msgid "Specifies the file that contains the client's key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1691 +msgid "ldap_tls_cipher_suite (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1694 +msgid "" +"Specifies acceptable cipher suites. Typically this is a colon separated " +"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum></citerefentry> for format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1707 +msgid "ldap_id_use_start_tls (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1710 +msgid "" +"Specifies that the id_provider connection must also use <systemitem class=" +"\"protocol\">tls</systemitem> to protect the channel." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1720 +msgid "ldap_id_mapping (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1723 +msgid "" +"Specifies that SSSD should attempt to map user and group IDs from the " +"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " +"on ldap_user_uid_number and ldap_group_gid_number." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1729 +msgid "Currently this feature supports only ActiveDirectory objectSID mapping." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1739 +msgid "ldap_min_id, ldap_max_id (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1742 +msgid "" +"In contrast to the SID based ID mapping which is used if ldap_id_mapping is " +"set to true the allowed ID range for ldap_user_uid_number and " +"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " +"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " +"can be set to restrict the allowed range for the IDs which are read directly " +"from the server. Sub-domains can then pick other ranges to map IDs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1754 +msgid "Default: not set (both options are set to 0)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1760 +msgid "ldap_sasl_mech (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1763 +msgid "" +"Specify the SASL mechanism to use. Currently only GSSAPI is tested and " +"supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1773 +msgid "ldap_sasl_authid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ldap.5.xml:1784 +#, no-wrap +msgid "" +"hostname@REALM\n" +"netbiosname$@REALM\n" +"host/hostname@REALM\n" +"*$@REALM\n" +"host/*@REALM\n" +"host/*\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1776 +msgid "" +"Specify the SASL authorization id to use. When GSSAPI is used, this " +"represents the Kerberos principal used for authentication to the directory. " +"This option can either contain the full principal (for example host/" +"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost). By " +"default, the value is not set and the following principals are used: " +"<placeholder type=\"programlisting\" id=\"0\"/> If none of them are found, " +"the first principal in keytab is returned." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1795 +msgid "Default: host/hostname@REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1801 +msgid "ldap_sasl_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1804 +msgid "" +"Specify the SASL realm to use. When not specified, this option defaults to " +"the value of krb5_realm. If the ldap_sasl_authid contains the realm as " +"well, this option is ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1810 +msgid "Default: the value of krb5_realm." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1816 +msgid "ldap_sasl_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1819 +msgid "" +"If set to true, the LDAP library would perform a reverse lookup to " +"canonicalize the host name during a SASL bind." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1824 +msgid "Default: false;" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1830 +msgid "ldap_krb5_keytab (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1833 +msgid "Specify the keytab to use when using SASL/GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1836 +msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1842 +msgid "ldap_krb5_init_creds (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1845 +msgid "" +"Specifies that the id_provider should init Kerberos credentials (TGT). This " +"action is performed only if SASL is used and the mechanism selected is " +"GSSAPI." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1857 +msgid "ldap_krb5_ticket_lifetime (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1860 +msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1864 sssd-ad.5.xml:937 +msgid "Default: 86400 (24 hours)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1870 sssd-krb5.5.xml:74 +msgid "krb5_server, krb5_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1873 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled - for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1885 sssd-krb5.5.xml:89 +msgid "" +"When using service discovery for KDC or kpasswd servers, SSSD first searches " +"for DNS entries that specify _udp as the protocol and falls back to _tcp if " +"none are found." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1890 sssd-krb5.5.xml:94 +msgid "" +"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " +"While the legacy name is recognized for the time being, users are advised to " +"migrate their config files to use <quote>krb5_server</quote> instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1899 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103 +msgid "krb5_realm (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1902 +msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1905 +msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1911 sssd-krb5.5.xml:462 +msgid "krb5_canonicalize (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1914 +msgid "" +"Specifies if the host principal should be canonicalized when connecting to " +"LDAP server. This feature is available with MIT Kerberos >= 1.7" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1926 sssd-krb5.5.xml:477 +msgid "krb5_use_kdcinfo (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1929 sssd-krb5.5.xml:480 +msgid "" +"Specifies if the SSSD should instruct the Kerberos libraries what realm and " +"which KDCs to use. This option is on by default, if you disable it, you need " +"to configure the Kerberos library using the <citerefentry> " +"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> configuration file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1940 sssd-krb5.5.xml:491 +msgid "" +"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " +"information on the locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1954 +msgid "ldap_pwd_policy (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1957 +msgid "" +"Select the policy to evaluate the password expiration on the client side. " +"The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1962 +msgid "" +"<emphasis>none</emphasis> - No evaluation on the client side. This option " +"cannot disable server-side password policies." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1967 +msgid "" +"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" +"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " +"evaluate if the password has expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1973 +msgid "" +"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " +"to determine if the password has expired. Use chpass_provider=krb5 to update " +"these attributes when the password is changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1982 +msgid "" +"<emphasis>Note</emphasis>: if a password policy is configured on server " +"side, it always takes precedence over policy set with this option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:1990 +msgid "ldap_referrals (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1993 +msgid "Specifies whether automatic referral chasing should be enabled." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:1997 +msgid "" +"Please note that sssd only supports referral chasing when it is compiled " +"with OpenLDAP version 2.4.13 or higher." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2002 +msgid "" +"Chasing referrals may incur a performance penalty in environments that use " +"them heavily, a notable example is Microsoft Active Directory. If your setup " +"does not in fact require the use of referrals, setting this option to false " +"might bring a noticeable performance improvement." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2016 +msgid "ldap_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2019 +msgid "Specifies the service name to use when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2023 +msgid "Default: ldap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2029 +msgid "ldap_chpass_dns_service_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2032 +msgid "" +"Specifies the service name to use to find an LDAP server which allows " +"password changes when service discovery is enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2037 +msgid "Default: not set, i.e. service discovery is disabled" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2043 +msgid "ldap_chpass_update_last_change (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2046 +msgid "" +"Specifies whether to update the ldap_user_shadow_last_change attribute with " +"days since the Epoch after a password change operation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2058 +msgid "ldap_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2061 +msgid "" +"If using access_provider = ldap and ldap_access_order = filter (default), " +"this option is mandatory. It specifies an LDAP search filter criteria that " +"must be met for the user to be granted access on this host. If " +"access_provider = ldap, ldap_access_order = filter and this option is not " +"set, it will result in all users being denied access. Use access_provider = " +"permit to change this default behavior. Please note that this filter is " +"applied on the LDAP user entry only and thus filtering based on nested " +"groups may not work (e.g. memberOf attribute on AD entries points only to " +"direct parents). If filtering based on nested groups is required, please see " +"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2081 +msgid "Example:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ldap.5.xml:2084 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_filter = (employeeType=admin)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2088 +msgid "" +"This example means that access to this host is restricted to users whose " +"employeeType attribute is set to \"admin\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2093 +msgid "" +"Offline caching for this feature is limited to determining whether the " +"user's last online login was granted access permission. If they were granted " +"access during their last login, they will continue to be granted access " +"while offline and vice versa." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2101 sssd-ldap.5.xml:2158 +msgid "Default: Empty" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2107 +msgid "ldap_account_expire_policy (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2110 +msgid "" +"With this option a client side evaluation of access control attributes can " +"be enabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2114 +msgid "" +"Please note that it is always recommended to use server side access control, " +"i.e. the LDAP server should deny the bind request with a suitable error code " +"even if the password is correct." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2121 +msgid "The following values are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2124 +msgid "" +"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " +"determine if the account is expired." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2129 +msgid "" +"<emphasis>ad</emphasis>: use the value of the 32bit field " +"ldap_user_ad_user_account_control and allow access if the second bit is not " +"set. If the attribute is missing access is granted. Also the expiration time " +"of the account is checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2136 +msgid "" +"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" +"emphasis>: use the value of ldap_ns_account_lock to check if access is " +"allowed or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2142 +msgid "" +"<emphasis>nds</emphasis>: the values of " +"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " +"ldap_user_nds_login_expiration_time are used to check if access is allowed. " +"If both attributes are missing access is granted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2151 +msgid "" +"Please note that the ldap_access_order configuration option <emphasis>must</" +"emphasis> include <quote>expire</quote> in order for the " +"ldap_account_expire_policy option to work." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2164 +msgid "ldap_access_order (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2167 +msgid "Comma separated list of access control options. Allowed values are:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2171 +msgid "<emphasis>filter</emphasis>: use ldap_access_filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2174 +msgid "" +"<emphasis>lockout</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " +"Please note that 'access_provider = ldap' must be set for this feature to " +"work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2184 +msgid "" +"<emphasis> Please note that this option is superseded by the <quote>ppolicy</" +"quote> option and might be removed in a future release. </emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2191 +msgid "" +"<emphasis>ppolicy</emphasis>: use account locking. If set, this option " +"denies access in case that ldap attribute 'pwdAccountLockedTime' is present " +"and has value of '000001010000Z' or represents any time in the past. The " +"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " +"denotes the UTC time zone. Other time zones are not currently supported and " +"will result in \"access-denied\" when users attempt to log in. 
Please see " +"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " +"must be set for this feature to work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2208 +msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2212 +msgid "" +"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " +"pwd_expire_policy_renew: </emphasis> These options are useful if users are " +"interested in being warned that password is about to expire and " +"authentication is based on using a different method than passwords - for " +"example SSH keys." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2222 +msgid "" +"The difference between these options is the action taken if user password is " +"expired: pwd_expire_policy_reject - user is denied to log in, " +"pwd_expire_policy_warn - user is still able to log in, " +"pwd_expire_policy_renew - user is prompted to change his password " +"immediately." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2230 +msgid "" +"Note If user password is expired no explicit message is prompted by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2234 +msgid "" +"Please note that 'access_provider = ldap' must be set for this feature to " +"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2239 +msgid "" +"<emphasis>authorized_service</emphasis>: use the authorizedService attribute " +"to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2244 +msgid "<emphasis>host</emphasis>: use the host attribute to determine access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2248 +msgid "" +"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " +"remote host can access" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2252 +msgid "" +"Please note, rhost field in pam is set by application, it is better to check " +"what the application sends to pam, before enabling this access control option" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2257 +msgid "Default: filter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2260 +msgid "" +"Please note that it is a configuration error if a value is used more than " +"once." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2267 +msgid "ldap_pwdlockout_dn (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2270 +msgid "" +"This option specifies the DN of password policy entry on LDAP server. 
Please " +"note that absence of this option in sssd.conf in case of enabled account " +"lockout checking will yield access denied as ppolicy attributes on LDAP " +"server cannot be checked properly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2278 +msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2281 +msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2287 +msgid "ldap_deref (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2290 +msgid "" +"Specifies how alias dereferencing is done when performing a search. The " +"following options are allowed:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2295 +msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2299 +msgid "" +"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " +"the base object, but not in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2304 +msgid "" +"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " +"the base object of the search." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2309 +msgid "" +"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " +"in locating the base object of the search." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2314 +msgid "" +"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " +"client libraries)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2322 +msgid "ldap_rfc2307_fallback_to_local_users (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2325 +msgid "" +"Allows to retain local users as members of an LDAP group for servers that " +"use the RFC2307 schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2329 +msgid "" +"In some environments where the RFC2307 schema is used, local users are made " +"members of LDAP groups by adding their names to the memberUid attribute. " +"The self-consistency of the domain is compromised when this is done, so SSSD " +"would normally remove the \"missing\" users from the cached group " +"memberships as soon as nsswitch tries to fetch information about the user " +"via getpw*() or initgroups() calls." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2340 +msgid "" +"This option falls back to checking if local users are referenced, and caches " +"them so that later initgroups() calls will augment the local users with the " +"additional LDAP groups." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2352 sssd-ifp.5.xml:136 +msgid "wildcard_limit (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2355 +msgid "" +"Specifies an upper limit on the number of entries that are downloaded during " +"a wildcard lookup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2359 +msgid "At the moment, only the InfoPipe responder supports wildcard lookups." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2363 +msgid "Default: 1000 (often the size of one page)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:51 +msgid "" +"All of the common configuration options that apply to SSSD domains also " +"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " +"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for full details. <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2373 +msgid "SUDO OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2375 +msgid "" +"The detailed instructions for configuration of sudo_provider are in the " +"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2386 +msgid "ldap_sudorule_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2389 +msgid "The object class of a sudo rule entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2392 +msgid "Default: sudoRole" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2398 +msgid "ldap_sudorule_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2401 +msgid "The LDAP attribute that corresponds to the sudo rule name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2411 +msgid "ldap_sudorule_command (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2414 +msgid "The LDAP attribute that corresponds to the command name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2418 +msgid "Default: sudoCommand" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2424 +msgid "ldap_sudorule_host (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2427 +msgid "" +"The LDAP attribute that corresponds to the host name (or host IP address, " +"host IP network, or host netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2432 +msgid "Default: sudoHost" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2438 +msgid "ldap_sudorule_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2441 +msgid "" +"The LDAP attribute that corresponds to the user name (or UID, group name or " +"user's netgroup)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2445 +msgid "Default: sudoUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2451 +msgid "ldap_sudorule_option (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2454 +msgid "The LDAP attribute that corresponds to the sudo options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2458 +msgid "Default: sudoOption" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2464 +msgid "ldap_sudorule_runasuser (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2467 +msgid "" +"The LDAP attribute that corresponds to the user name that commands may be " +"run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2471 +msgid "Default: sudoRunAsUser" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2477 +msgid "ldap_sudorule_runasgroup (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2480 +msgid "" +"The LDAP attribute that corresponds to the group name or group GID that " +"commands may be run as." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2484 +msgid "Default: sudoRunAsGroup" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2490 +msgid "ldap_sudorule_notbefore (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2493 +msgid "" +"The LDAP attribute that corresponds to the start date/time for when the sudo " +"rule is valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2497 +msgid "Default: sudoNotBefore" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2503 +msgid "ldap_sudorule_notafter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2506 +msgid "" +"The LDAP attribute that corresponds to the expiration date/time, after which " +"the sudo rule will no longer be valid." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2511 +msgid "Default: sudoNotAfter" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2517 +msgid "ldap_sudorule_order (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2520 +msgid "The LDAP attribute that corresponds to the ordering index of the rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2524 +msgid "Default: sudoOrder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2530 +msgid "ldap_sudo_full_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2533 +msgid "" +"How many seconds SSSD will wait between executing a full refresh of sudo " +"rules (which downloads all rules that are stored on the server)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2538 +msgid "" +"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" +"emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2543 +msgid "Default: 21600 (6 hours)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2549 +msgid "ldap_sudo_smart_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2552 +msgid "" +"How many seconds SSSD has to wait before executing a smart refresh of sudo " +"rules (which downloads all rules that have USN higher than the highest USN " +"of cached rules)." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2558 +msgid "" +"If USN attributes are not supported by the server, the modifyTimestamp " +"attribute is used instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2568 +msgid "ldap_sudo_use_host_filter (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2571 +msgid "" +"If true, SSSD will download only rules that are applicable to this machine " +"(using the IPv4 or IPv6 host/network addresses and hostnames)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2582 +msgid "ldap_sudo_hostnames (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2585 +msgid "" +"Space separated list of hostnames or fully qualified domain names that " +"should be used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2590 +msgid "" +"If this option is empty, SSSD will try to discover the hostname and the " +"fully qualified domain name automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2595 sssd-ldap.5.xml:2618 sssd-ldap.5.xml:2636 +#: sssd-ldap.5.xml:2654 +msgid "" +"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" +"emphasis> then this option has no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2600 sssd-ldap.5.xml:2623 +msgid "Default: not specified" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2606 +msgid "ldap_sudo_ip (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2609 +msgid "" +"Space separated list of IPv4 or IPv6 host/network addresses that should be " +"used to filter the rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2614 +msgid "" +"If this option is empty, SSSD will try to discover the addresses " +"automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2629 +msgid "ldap_sudo_include_netgroups (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2632 +msgid "" +"If true then SSSD will download every rule that contains a netgroup in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2647 +msgid "ldap_sudo_include_regexp (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2650 +msgid "" +"If true then SSSD will download every rule that contains a wildcard in " +"sudoHost attribute." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2666 +msgid "" +"This manual page only describes attribute name mapping. For detailed " +"explanation of sudo related attribute semantics, see <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2676 +msgid "AUTOFS OPTIONS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2678 +msgid "" +"Some of the defaults for the parameters below are dependent on the LDAP " +"schema." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2684 +msgid "ldap_autofs_map_master_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2687 +msgid "The name of the automount master map in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2690 +msgid "Default: auto.master" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2697 +msgid "ldap_autofs_map_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2700 +msgid "The object class of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2703 +msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2711 +msgid "ldap_autofs_map_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2714 +msgid "The name of an automount map entry in LDAP." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2717 +msgid "" +"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2725 +msgid "ldap_autofs_entry_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2728 +msgid "" +"The object class of an automount entry in LDAP. The entry usually " +"corresponds to a mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2733 +msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2741 +msgid "ldap_autofs_entry_key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2744 sssd-ldap.5.xml:2759 +msgid "" +"The key of an automount entry in LDAP. The entry usually corresponds to a " +"mount point." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2748 +msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2756 +msgid "ldap_autofs_entry_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ldap.5.xml:2763 +msgid "" +"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " +"automountInformation" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2682 +msgid "" +"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> " +"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type=" +"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2774 +msgid "ADVANCED OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2781 +msgid "ldap_netgroup_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2786 +msgid "ldap_user_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2791 +msgid "ldap_group_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note> +#: sssd-ldap.5.xml:2796 +msgid "<note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> +#: sssd-ldap.5.xml:2798 +msgid "" +"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " +"against Active Directory will not be restricted and return all groups " +"memberships, even with no GID mapping. It is recommended to disable this " +"feature, if group names are not being displayed correctly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist> +#: sssd-ldap.5.xml:2805 +msgid "</note>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2807 +msgid "ldap_sudo_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ldap.5.xml:2812 +msgid "ldap_autofs_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2776 +msgid "" +"These options are supported by LDAP domains, but they should be used with " +"caution. Please include them in your configuration only if you know what you " +"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type=" +"\"variablelist\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2827 sssd-simple.5.xml:131 sssd-ipa.5.xml:828 +#: sssd-ad.5.xml:1041 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98 +#: sssd-files.5.xml:103 sssd-session-recording.5.xml:144 +msgid "EXAMPLE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2829 +msgid "" +"The following example assumes that SSSD is correctly configured and LDAP is " +"set to one of the domains in the <replaceable>[domains]</replaceable> " +"section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2835 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: sssd-ldap.5.xml:2834 sssd-ldap.5.xml:2852 sssd-simple.5.xml:139 +#: sssd-ipa.5.xml:836 sssd-ad.5.xml:1049 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579 +#: sssd-files.5.xml:110 sssd-session-recording.5.xml:150 +#: include/ldap_id_mapping.xml:105 +msgid "<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2846 +msgid "LDAP ACCESS FILTER EXAMPLE" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2848 +msgid "" +"The following example assumes that SSSD is correctly configured and to use " +"the ldap_access_order=lockout." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ldap.5.xml:2853 +#, no-wrap +msgid "" +"[domain/LDAP]\n" +"id_provider = ldap\n" +"auth_provider = ldap\n" +"access_provider = ldap\n" +"ldap_access_order = lockout\n" +"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" +"ldap_uri = ldap://ldap.mydomain.org\n" +"ldap_search_base = dc=mydomain,dc=org\n" +"ldap_tls_reqcert = demand\n" +"cache_credentials = true\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ldap.5.xml:2868 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148 +#: sssd-ad.5.xml:1064 sssd.8.xml:230 sss_seed.8.xml:163 +msgid "NOTES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ldap.5.xml:2870 +msgid "" +"The descriptions of some of the configuration options in this manual page " +"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " +"distribution." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: pam_sss.8.xml:11 pam_sss.8.xml:16 +msgid "pam_sss" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: pam_sss.8.xml:17 +msgid "PAM module for SSSD" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: pam_sss.8.xml:22 +msgid "" +"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" +"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" +"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" +"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" +"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" +"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " +"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " +"choice='opt'> <replaceable>prompt_always</replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:58 +msgid "" +"<command>pam_sss.so</command> is the PAM interface to the System Security " +"Services daemon (SSSD). Errors and results are logged through " +"<command>syslog(3)</command> with the LOG_AUTHPRIV facility." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:68 +msgid "<option>quiet</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:71 +msgid "Suppress log messages for unknown users." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:76 +msgid "<option>forward_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:79 +msgid "" +"If <option>forward_pass</option> is set the entered password is put on the " +"stack for other PAM modules to use." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:86 +msgid "<option>use_first_pass</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:89 +msgid "" +"The argument use_first_pass forces the module to use a previous stacked " +"modules password and will never prompt the user - if no password is " +"available or the password is not appropriate, the user will be denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:97 +msgid "<option>use_authtok</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:100 +msgid "" +"When password changing enforce the module to set the new password to the one " +"provided by a previously stacked password module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:107 +msgid "<option>retry=N</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:110 +msgid "" +"If specified the user is asked another N times for a password if " +"authentication fails. Default is 0." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:112 +msgid "" +"Please note that this option might not work as expected if the application " +"calling PAM handles the user dialog on its own. A typical example is " +"<command>sshd</command> with <option>PasswordAuthentication</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:121 +msgid "<option>ignore_unknown_user</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:124 +msgid "" +"If this option is specified and the user does not exist, the PAM module will " +"return PAM_IGNORE. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:131 +msgid "<option>ignore_authinfo_unavail</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:135 +msgid "" +"Specifies that the PAM module should return PAM_IGNORE if it cannot contact " +"the SSSD daemon. This causes the PAM framework to ignore this module." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:142 +msgid "<option>domains</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:146 +msgid "" +"Allows the administrator to restrict the domains a particular PAM service is " +"allowed to authenticate against. The format is a comma-separated list of " +"SSSD domain names, as specified in the sssd.conf file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:152 +msgid "" +"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> " +"and <quote>pam_public_domains</quote> options. Please see the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more information on these two PAM " +"responder options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:166 +msgid "<option>allow_missing_name</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:170 +msgid "" +"The main purpose of this option is to let SSSD determine the user name based " +"on additional information, e.g. the certificate from a Smartcard." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: pam_sss.8.xml:180 +#, no-wrap +msgid "" +"auth sufficient pam_sss.so allow_missing_name\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:175 +msgid "" +"The current use case are login managers which can monitor a Smartcard reader " +"for card events. In case a Smartcard is inserted the login manager will call " +"a PAM stack which includes a line like <placeholder type=\"programlisting\" " +"id=\"0\"/> In this case SSSD will try to determine the user name based on " +"the content of the Smartcard, returns it to pam_sss which will finally put " +"it on the PAM stack." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: pam_sss.8.xml:190 +msgid "<option>prompt_always</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: pam_sss.8.xml:194 +msgid "" +"Always prompt the user for credentials. With this option credentials " +"requested by other PAM modules, typically a password, will be ignored and " +"pam_sss will prompt for credentials again. Based on the pre-auth reply by " +"SSSD pam_sss might prompt for a password, a Smartcard PIN or other " +"credentials." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:207 +msgid "MODULE TYPES PROVIDED" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:208 +msgid "" +"All module types (<option>account</option>, <option>auth</option>, " +"<option>password</option> and <option>session</option>) are provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: pam_sss.8.xml:214 +msgid "FILES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:215 +msgid "" +"If a password reset by root fails, because the corresponding SSSD provider " +"does not support password resets, an individual message can be displayed. " +"This message can e.g. contain instructions about how to reset a password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:220 +msgid "" +"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" +"filename> where LOC stands for a locale string returned by <citerefentry> " +"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" +"citerefentry>. If there is no matching file the content of " +"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " +"the owner of the files and only root may have read and write permissions " +"while all other users must have only read permissions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: pam_sss.8.xml:230 +msgid "" +"These files are searched in the directory <filename>/etc/sssd/customize/" +"DOMAIN_NAME/</filename>. If no matching file is present a generic message is " +"displayed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 +msgid "sssd_krb5_locator_plugin" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd_krb5_locator_plugin.8.xml:16 +msgid "Kerberos locator plugin" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:22 +msgid "" +"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " +"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos " +"libraries what Realm and which KDC to use. Typically this is done in " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> which is always read by the Kerberos libraries. " +"To simplify the configuration the Realm and the KDC can be defined in " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> as described in <citerefentry> " +"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:48 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry> puts the Realm and the name or IP address of the KDC into " +"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. " +"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos " +"libraries it reads and evaluates these variables and returns them to the " +"libraries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:63 +msgid "" +"Not all Kerberos implementations support the use of plugins. If " +"<command>sssd_krb5_locator_plugin</command> is not available on your system " +"you have to edit /etc/krb5.conf to reflect your Kerberos setup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:69 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " +"debug messages will be sent to stderr." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd_krb5_locator_plugin.8.xml:73 +msgid "" +"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " +"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " +"caller." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-simple.5.xml:10 sssd-simple.5.xml:16 +msgid "sssd-simple" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-simple.5.xml:17 +msgid "the configuration file for SSSD's 'simple' access-control provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:24 +msgid "" +"This manual page describes the configuration of the simple access-control " +"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " +"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:38 +msgid "" +"The simple access provider grants or denies access based on an access or " +"deny list of user or group names. The following rules apply:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:43 +msgid "If all lists are empty, access is granted" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:47 +msgid "" +"If any list is provided, the order of evaluation is allow,deny. This means " +"that any matching deny rule will supersede any matched allow rule." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:54 +msgid "" +"If either or both \"allow\" lists are provided, all users are denied unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-simple.5.xml:60 +msgid "" +"If only \"deny\" lists are provided, all users are granted access unless " +"they appear in the list." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:78 +msgid "simple_allow_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:81 +msgid "Comma separated list of users who are allowed to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:88 +msgid "simple_deny_users (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:91 +msgid "Comma separated list of users who are explicitly denied access." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:97 +msgid "simple_allow_groups (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:100 +msgid "" +"Comma separated list of groups that are allowed to log in. This applies only " +"to groups within this SSSD domain. Local groups are not evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-simple.5.xml:108 +msgid "simple_deny_groups (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-simple.5.xml:111 +msgid "" +"Comma separated list of groups that are explicitly denied access. This " +"applies only to groups within this SSSD domain. Local groups are not " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:116 +msgid "" +"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " +"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> manual page for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:120 +msgid "" +"Specifying no values for any of the lists is equivalent to skipping it " +"entirely. Beware of this while generating parameters for the simple provider " +"using automated scripts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:125 +msgid "" +"Please note that it is an configuration error if both, simple_allow_users " +"and simple_deny_users, are defined." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:133 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the simple access provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-simple.5.xml:140 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"access_provider = simple\n" +"simple_allow_users = user1, user2\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-simple.5.xml:150 +msgid "" +"The complete group membership hierarchy is resolved before the access check, " +"thus even nested groups can be included in the access lists. Please be " +"aware that the <quote>ldap_group_nesting_level</quote> option may impact the " +"results and should be set to a sufficient value. (<citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>) option." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss-certmap.5.xml:10 sss-certmap.5.xml:16 +msgid "sss-certmap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss-certmap.5.xml:17 +msgid "SSSD Certificate Matching and Mapping Rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:23 +msgid "" +"The manual page describes the rules which can be used by SSSD and other " +"components to match X.509 certificates and map them to accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss-certmap.5.xml:28 +msgid "" +"Each rule has four components, a <quote>priority</quote>, a <quote>matching " +"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" +"quote>. All components are optional. A missing <quote>priority</quote> will " +"add the rule with the lowest priority. The default <quote>matching rule</" +"quote> will match certificates with the digitalSignature key usage and " +"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " +"the certificates will be searched in the userCertificate attribute as DER " +"encoded binary. If no domains are given only the local domain will be " +"searched." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss-certmap.5.xml:41 +msgid "RULE COMPONENTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:43 +msgid "PRIORITY" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:45 +msgid "" +"The rules are processed by priority while the number '0' (zero) indicates " +"the highest priority. The higher the number the lower is the priority. A " +"missing value indicates the lowest priority. The rules processing is stopped " +"when a matched rule is found and no further rules are checked." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:52 +msgid "" +"Internally the priority is treated as unsigned 32bit integer, using a " +"priority value larger than 4294967295 will cause an error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:57 +msgid "MATCHING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:59 +msgid "" +"The matching rule is used to select a certificate to which the mapping rule " +"should be applied. It uses a system similar to the one used by " +"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " +"keyword enclosed by '<' and '>' which identified a certain part of the " +"certificate and a pattern which should be found for the rule to match. " +"Multiple keyword pattern pairs can be either joined with '&&' (and) " +"or '||' (or)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:71 +msgid "<SUBJECT>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:74 +msgid "" +"With this a part or the whole subject name of the certificate can be " +"matched. 
For the matching POSIX Extended Regular Expression syntax is used, " +"see regex(7) for details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:80 +msgid "" +"For the matching the subject name stored in the certificate in DER encoded " +"ASN.1 is converted into a string according to RFC 4514. This means the most " +"specific name component comes first. Please note that not all possible " +"attribute names are covered by RFC 4514. The names included are 'CN', 'L', " +"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " +"be shown differently on different platform and by different tools. To avoid " +"confusion those attribute names are best not used or covered by a suitable " +"regular-expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:93 +msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:98 +msgid "<ISSUER>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:101 +msgid "" +"With this a part or the whole issuer name of the certificate can be matched. " +"All comments for <SUBJECT> apply her as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:106 +msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:111 +msgid "<KU>key-usage" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:114 +msgid "" +"This option can be used to specify which key usage values the certificate " +"should have. The following values can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:118 +msgid "digitalSignature" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:119 +msgid "nonRepudiation" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:120 +msgid "keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:121 +msgid "dataEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:122 +msgid "keyAgreement" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:123 +msgid "keyCertSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:124 +msgid "cRLSign" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:125 +msgid "encipherOnly" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:126 +msgid "decipherOnly" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:130 +msgid "" +"A numerical value in the range of a 32bit unsigned integer can be used as " +"well to cover special use cases." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:134 +msgid "Example: <KU>digitalSignature,keyEncipherment" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:139 +msgid "<EKU>extended-key-usage" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:142 +msgid "" +"This option can be used to specify which extended key usage the certificate " +"should have. The following value can be used in a comma separated list:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:146 +msgid "serverAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:147 +msgid "clientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:148 +msgid "codeSigning" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:149 +msgid "emailProtection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:150 +msgid "timeStamping" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:151 +msgid "OCSPSigning" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:152 +msgid "KPClientAuth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:153 +msgid "pkinit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sss-certmap.5.xml:154 +msgid "msScLogin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:158 +msgid "" +"Extended key usages which are not listed above can be specified with their " +"OID in dotted-decimal notation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:162 +msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:167 +msgid "<SAN>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:170 +msgid "" +"To be compatible with the usage of MIT Kerberos this option will match the " +"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" +"Principal> does." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:175 +msgid "Example: <SAN>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:180 +msgid "<SAN:Principal>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:183 +msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:187 +msgid "Example: <SAN:Principal>.*@MY\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:192 +msgid "<SAN:ntPrincipalName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:195 +msgid "Match the Kerberos principals from the AD NT Principal SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:199 +msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:204 +msgid "<SAN:pkinit>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:207 +msgid "Match the Kerberos principals from the PKINIT SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:210 +msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:215 +msgid "<SAN:dotted-decimal-oid>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:218 +msgid "" +"Take the value of the otherName SAN component given by the OID in dotted-" +"decimal notation, interpret it as string and try to match it against the " +"regular expression." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:224 +msgid "Example: <SAN:1.2.3.4>test" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:229 +msgid "<SAN:otherName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:232 +msgid "" +"Do a binary match with the base64 encoded blob against all otherName SAN " +"components. With this option it is possible to match against custom " +"otherName components with special encodings which could not be treated as " +"strings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:239 +msgid "Example: <SAN:otherName>MTIz" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:244 +msgid "<SAN:rfc822Name>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:247 +msgid "Match the value of the rfc822Name SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:250 +msgid "Example: <SAN:rfc822Name>.*@email\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:255 +msgid "<SAN:dNSName>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:258 +msgid "Match the value of the dNSName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:261 +msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:266 +msgid "<SAN:x400Address>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:269 +msgid "Binary match the value of the x400Address SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:272 +msgid "Example: <SAN:x400Address>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:277 +msgid "<SAN:directoryName>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:280 +msgid "" +"Match the value of the directoryName SAN. The same comments as given for <" +"ISSUER> and <SUBJECT> apply here as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:285 +msgid "Example: <SAN:directoryName>.*,DC=com" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:290 +msgid "<SAN:ediPartyName>base64-string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:293 +msgid "Binary match the value of the ediPartyName SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:296 +msgid "Example: <SAN:ediPartyName>MTIz" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:301 +msgid "<SAN:uniformResourceIdentifier>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:304 +msgid "Match the value of the uniformResourceIdentifier SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:307 +msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:312 +msgid "<SAN:iPAddress>regular-expression" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:315 +msgid "Match the value of the iPAddress SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:318 +msgid "Example: <SAN:iPAddress>192\\.168\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:323 +msgid "<SAN:registeredID>regular-expression" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:326 +msgid "Match the value of the registeredID SAN as dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:330 +msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:68 +msgid "" +"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:338 +msgid "MAPPING RULE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:340 +msgid "" +"The mapping rule is used to associate a certificate with one or more " +"accounts. A Smartcard with the certificate and the matching private key can " +"then be used to authenticate as one of those accounts." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:345 +msgid "" +"Currently SSSD basically only supports LDAP to lookup user information (the " +"exception is the proxy provider which is not of relevance here). 
Because of " +"this the mapping rule is based on LDAP search filter syntax with templates " +"to add certificate content to the filter. It is expected that the filter " +"will only contain the specific data needed for the mapping and that the " +"caller will embed it in another filter to do the actual search. Because of " +"this the filter string should start and stop with '(' and ')' respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:355 +msgid "" +"In general it is recommended to use attributes from the certificate and add " +"them to special attributes to the LDAP user object. E.g. the " +"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " +"for IPA can be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:361 +msgid "" +"This should be preferred to read user specific data from the certificate " +"like e.g. an email address and search for it in the LDAP server. The reason " +"is that the user specific data in LDAP might change for various reasons " +"would break the mapping. On the other hand it would be hard to break the " +"mapping on purpose for a specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:376 +msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:379 +msgid "" +"This template will add the full issuer DN converted to a string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:385 sss-certmap.5.xml:411 +msgid "" +"The conversion options starting with 'ad_' will use attribute names as used " +"by AD, e.g. 'S' instead of 'ST'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:389 sss-certmap.5.xml:415 +msgid "" +"The conversion options starting with 'nss_' will use attribute names as used " +"by NSS." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:393 sss-certmap.5.xml:419 +msgid "" +"The default conversion option is 'nss', i.e. attribute names according to " +"NSS and LDAP/RFC 4514 ordering." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:397 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" +"ad})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:402 +msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:405 +msgid "" +"This template will add the full subject DN converted to string according to " +"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " +"the '_x500' prefix should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:423 +msgid "" +"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" +"{subject_dn!nss_x500})" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:428 +msgid "{cert[!(bin|base64)]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:431 +msgid "" +"This template will add the whole DER encoded certificate as a string to the " +"search filter. Depending on the conversion option the binary certificate is " +"either converted to an escaped hex sequence '\\xx' or base64. The escaped " +"hex sequence is the default and can e.g. be used with the LDAP attribute " +"'userCertificate;binary'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:439 +msgid "Example: (userCertificate;binary={cert!bin})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:444 +msgid "{subject_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:447 +msgid "" +"This template will add the Kerberos principal which is taken either from the " +"SAN used by pkinit or the one used by AD. The 'short_name' component " +"represents the first part of the principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:453 sss-certmap.5.xml:481 +msgid "" +"Example: (|(userPrincipal={subject_principal})" +"(samAccountName={subject_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:458 +msgid "{subject_pkinit_principal[.short_name]}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:461 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by pkinit. The 'short_name' component represents the first part of the " +"principal before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:467 +msgid "" +"Example: (|(userPrincipal={subject_pkinit_principal})" +"(uid={subject_pkinit_principal.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:472 +msgid "{subject_nt_principal[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:475 +msgid "" +"This template will add the Kerberos principal which is given by the SAN used " +"by AD. The 'short_name' component represent the first part of the principal " +"before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:486 +msgid "{subject_rfc822_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:489 +msgid "" +"This template will add the string which is stored in the rfc822Name " +"component of the SAN, typically an email address. The 'short_name' component " +"represents the first part of the address before the '@' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:495 +msgid "" +"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." +"short_name}))" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:500 +msgid "{subject_dns_name[.short_name]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:503 +msgid "" +"This template will add the string which is stored in the dNSName component " +"of the SAN, typically a fully-qualified host name. The 'short_name' " +"component represents the first part of the name before the first '.' sign." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:509 +msgid "" +"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:514 +msgid "{subject_uri}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:517 +msgid "" +"This template will add the string which is stored in the " +"uniformResourceIdentifier component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:521 +msgid "Example: (uri={subject_uri})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:526 +msgid "{subject_ip_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:529 +msgid "" +"This template will add the string which is stored in the iPAddress component " +"of the SAN." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:533 +msgid "Example: (ip={subject_ip_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:538 +msgid "{subject_x400_address}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:541 +msgid "" +"This template will add the value which is stored in the x400Address " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:546 +msgid "Example: (attr:binary={subject_x400_address})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:551 +msgid "" +"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:554 +msgid "" +"This template will add the DN string of the value which is stored in the " +"directoryName component of the SAN." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:558 +msgid "Example: (orig_dn={subject_directory_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:563 +msgid "{subject_ediparty_name}" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:566 +msgid "" +"This template will add the value which is stored in the ediPartyName " +"component of the SAN as escaped hex sequence." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:571 +msgid "Example: (attr:binary={subject_ediparty_name})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sss-certmap.5.xml:576 +msgid "{subject_registered_id}" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:579 +msgid "" +"This template will add the OID which is stored in the registeredID component " +"of the SAN as a dotted-decimal string." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sss-certmap.5.xml:584 +msgid "Example: (oid={subject_registered_id})" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:369 +msgid "" +"The templates to add certificate data to the search filter are based on " +"Python-style formatting strings. They consist of a keyword in curly braces " +"with an optional sub-component specifier separated by a '.' or an optional " +"conversion/formatting option separated by a '!'. Allowed values are: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sss-certmap.5.xml:592 +msgid "DOMAIN LIST" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sss-certmap.5.xml:594 +msgid "" +"If the domain list is not empty users mapped to a given certificate are not " +"only searched in the local domain but in the listed domains as well as long " +"as they are know by SSSD. Domains not know to SSSD will be ignored." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 +msgid "sssd-ipa" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ipa.5.xml:17 +msgid "SSSD IPA provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:23 +msgid "" +"This manual page describes the configuration of the IPA provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:36 +msgid "" +"The IPA provider is a back end used to connect to an IPA server. (Refer to " +"the freeipa.org web site for information about IPA servers.) This provider " +"requires that the machine be joined to the IPA domain; configuration is " +"almost entirely self-discovered and obtained directly from the server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:43 +msgid "" +"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for IPA environments. 
The IPA provider accepts the same " +"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " +"However, it is neither necessary nor recommended to set these options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:57 +msgid "" +"The IPA provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:62 +msgid "" +"As an access provider, the IPA provider uses HBAC (host-based access " +"control) rules. Please refer to freeipa.org for more information about " +"HBAC. No configuration of access provider is required on the client side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:67 +msgid "" +"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ipa</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:73 +msgid "" +"The IPA provider will use the PAC responder if the Kerberos tickets of users " +"from trusted realms contain a PAC. To make configuration easier the PAC " +"responder is started automatically if the IPA ID provider is configured." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:89 +msgid "ipa_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:92 +msgid "" +"Specifies the name of the IPA domain. This is optional. If not provided, " +"the configuration domain name is used." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:100 +msgid "ipa_server, ipa_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:103 +msgid "" +"The comma-separated list of IP addresses or hostnames of the IPA servers to " +"which SSSD should connect in the order of preference. For more information " +"on failover and server redundancy, see the <quote>FAILOVER</quote> section. " +"This is optional if autodiscovery is enabled. For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:116 +msgid "ipa_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:119 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the IPA domain to identify this host. The " +"hostname must be fully qualified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:128 sssd-ad.5.xml:866 +msgid "dyndns_update (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:131 +msgid "" +"Optional. This option tells SSSD to automatically update the DNS server " +"built into FreeIPA with the IP address of this client. The update is secured " +"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " +"updates, if it is not otherwise specified by using the <quote>dyndns_iface</" +"quote> option." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:140 sssd-ad.5.xml:880 +msgid "" +"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " +"the default Kerberos realm must be set properly in /etc/krb5.conf" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:145 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" +"emphasis> option, users should migrate to using <emphasis>dyndns_update</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:157 sssd-ad.5.xml:891 +msgid "dyndns_ttl (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:160 sssd-ad.5.xml:894 +msgid "" +"The TTL to apply to the client DNS record when updating it. If " +"dyndns_update is false this has no effect. This will override the TTL " +"serverside if set by an administrator." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:165 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" +"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:171 +msgid "Default: 1200 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:177 sssd-ad.5.xml:905 +msgid "dyndns_iface (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:180 sssd-ad.5.xml:908 +msgid "" +"Optional. Applicable only when dyndns_update is true. Choose the interface " +"or a list of interfaces whose IP addresses should be used for dynamic DNS " +"updates. Special value <quote>*</quote> implies that IPs from all interfaces " +"should be used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:187 +msgid "" +"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" +"emphasis> option, users should migrate to using <emphasis>dyndns_iface</" +"emphasis> in their config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:193 +msgid "" +"Default: Use the IP addresses of the interface which is used for IPA LDAP " +"connection" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:197 sssd-ad.5.xml:919 +msgid "Example: dyndns_iface = em1, vnet1, vnet2" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:203 sssd-ad.5.xml:970 +msgid "dyndns_auth (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:206 sssd-ad.5.xml:973 +msgid "" +"Whether the nsupdate utility should use GSS-TSIG authentication for secure " +"updates with the DNS server, insecure updates can be sent by setting this " +"option to 'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:212 sssd-ad.5.xml:979 +msgid "Default: GSS-TSIG" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:218 +msgid "ipa_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:221 sssd-ad.5.xml:213 +msgid "Enables DNS sites - location based service discovery." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:225 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, then the SSSD will first attempt location " +"based discovery using a query that contains \"_location.hostname.example.com" +"\" and then fall back to traditional SRV discovery. If the location based " +"discovery succeeds, the IPA servers located with the location based " +"discovery are treated as primary servers and the IPA servers located using " +"the traditional SRV discovery are used as back up servers" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:244 sssd-ad.5.xml:925 +msgid "dyndns_refresh_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:247 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:260 sssd-ad.5.xml:943 +msgid "dyndns_update_ptr (bool)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:263 sssd-ad.5.xml:946 +msgid "" +"Whether the PTR record should also be explicitly updated when updating the " +"client's DNS records. Applicable only when dyndns_update is true." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:268 +msgid "" +"This option should be False in most IPA deployments as the IPA server " +"generates the PTR records automatically when forward records are changed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:274 +msgid "Default: False (disabled)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:280 sssd-ad.5.xml:957 +msgid "dyndns_force_tcp (bool)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:283 sssd-ad.5.xml:960 +msgid "" +"Whether the nsupdate utility should default to using TCP for communicating " +"with the DNS server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:287 sssd-ad.5.xml:964 +msgid "Default: False (let nsupdate choose the protocol)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:293 sssd-ad.5.xml:985 +msgid "dyndns_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:296 sssd-ad.5.xml:988 +msgid "" +"The DNS server to use when performing a DNS update. In most setups, it's " +"recommended to leave this option unset." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:301 sssd-ad.5.xml:993 +msgid "" +"Setting this option makes sense for environments where the DNS server is " +"different from the identity server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:306 sssd-ad.5.xml:998 +msgid "" +"Please note that this option will be only used in fallback attempt when " +"previous attempt using autodetected settings failed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:311 sssd-ad.5.xml:1003 +msgid "Default: None (let nsupdate choose the server)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:317 +msgid "ipa_deskprofile_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:320 +msgid "" +"Optional. Use the given string as search base for Desktop Profile related " +"objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:324 sssd-ipa.5.xml:337 +msgid "Default: Use base DN" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:330 +msgid "ipa_hbac_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:333 +msgid "Optional. Use the given string as search base for HBAC related objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:343 +msgid "ipa_host_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:346 +msgid "Deprecated. Use ldap_host_search_base instead." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:352 +msgid "ipa_selinux_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:355 +msgid "Optional. Use the given string as search base for SELinux user maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:371 +msgid "ipa_subdomains_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:374 +msgid "Optional. Use the given string as search base for trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:383 +msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:390 +msgid "ipa_master_domain_search_base (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:393 +msgid "Optional. Use the given string as search base for master domain object." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:402 +msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:409 +msgid "ipa_views_search_base (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:412 +msgid "Optional. Use the given string as search base for views containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:421 +msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:431 +msgid "" +"The name of the Kerberos realm. This is optional and defaults to the value " +"of <quote>ipa_domain</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:435 +msgid "" +"The name of the Kerberos realm has a special meaning in IPA - it is " +"converted into the base DN to use for performing LDAP operations." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:443 sssd-ad.5.xml:1012 +msgid "krb5_confd_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:446 sssd-ad.5.xml:1015 +msgid "" +"Absolute path of a directory where SSSD should place Kerberos configuration " +"snippets." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:450 sssd-ad.5.xml:1019 +msgid "" +"To disable the creation of the configuration snippets set the parameter to " +"'none'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:454 sssd-ad.5.xml:1023 +msgid "" +"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:461 +msgid "ipa_deskprofile_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:464 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server. This will reduce the latency and load on the IPA server if there " +"are many desktop profiles requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:431 +msgid "Default: 5 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:477 +msgid "ipa_deskprofile_request_interval (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:480 +msgid "" +"The amount of time between lookups of the Desktop Profile rules against the " +"IPA server in case the last request did not return any rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:485 +msgid "Default: 60 (minutes)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:491 +msgid "ipa_hbac_refresh (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:494 +msgid "" +"The amount of time between lookups of the HBAC rules against the IPA server. " +"This will reduce the latency and load on the IPA server if there are many " +"access-control requests made in a short period." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:507 +msgid "ipa_hbac_selinux (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:510 +msgid "" +"The amount of time between lookups of the SELinux maps against the IPA " +"server. This will reduce the latency and load on the IPA server if there are " +"many user login requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:523 +msgid "ipa_server_mode (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:526 +msgid "" +"This option will be set by the IPA installer (ipa-server-install) " +"automatically and denotes if SSSD is running on an IPA server or not." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:531 +msgid "" +"On an IPA server SSSD will lookup users and groups from trusted domains " +"directly while on a client it will ask an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:536 +msgid "" +"NOTE: There are currently some assumptions that must be met when SSSD is " +"running on an IPA server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:541 +msgid "" +"The <quote>ipa_server</quote> option must be configured to point to the IPA " +"server itself. This is already the default set by the IPA installer, so no " +"manual change is required." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:550 +msgid "" +"The <quote>full_name_format</quote> option must not be tweaked to only print " +"short names for users from trusted domains." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:565 +msgid "ipa_automount_location (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:568 +msgid "The automounter location this IPA client will be using" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:571 +msgid "Default: The location named \"default\"" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:579 +msgid "VIEWS AND OVERRIDES" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:588 +msgid "ipa_view_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:591 +msgid "Objectclass of the view container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:594 +msgid "Default: nsContainer" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:600 +msgid "ipa_view_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:603 +msgid "Name of the attribute holding the name of the view." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:613 +msgid "ipa_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:616 +msgid "Objectclass of the override objects." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:619 +msgid "Default: ipaOverrideAnchor" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:625 +msgid "ipa_anchor_uuid (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:628 +msgid "" +"Name of the attribute containing the reference to the original object in a " +"remote domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:632 +msgid "Default: ipaAnchorUUID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:638 +msgid "ipa_user_override_object_class (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:641 +msgid "" +"Name of the objectclass for user overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:646 +msgid "User overrides can contain attributes given by" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:649 +msgid "ldap_user_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:652 +msgid "ldap_user_uid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:655 +msgid "ldap_user_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:658 +msgid "ldap_user_gecos" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:661 +msgid "ldap_user_home_directory" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:664 +msgid "ldap_user_shell" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:667 +msgid "ldap_user_ssh_public_key" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:672 +msgid "Default: ipaUserOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-ipa.5.xml:678 +msgid "ipa_group_override_object_class (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:681 +msgid "" +"Name of the objectclass for group overrides. It is used to determine if the " +"found override object is related to a user or a group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:686 +msgid "Group overrides can contain attributes given by" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:689 +msgid "ldap_group_name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:692 +msgid "ldap_group_gid_number" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-ipa.5.xml:697 +msgid "Default: ipaGroupOverride" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:581 +msgid "" +"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " +"later version. Since all paths and objectclasses are fixed on the server " +"side there is basically no need to configure anything. For completeness the " +"related options are listed here with their default values. <placeholder " +"type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:709 +msgid "SUBDOMAINS PROVIDER" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:711 +msgid "" +"The IPA subdomains provider behaves slightly differently if it is configured " +"explicitly or implicitly." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:715 +msgid "" +"If the option 'subdomains_provider = ipa' is found in the domain section of " +"sssd.conf, the IPA subdomains provider is configured explicitly, and all " +"subdomain requests are sent to the IPA server if necessary." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:721 +msgid "" +"If the option 'subdomains_provider' is not set in the domain section of sssd." +"conf but there is the option 'id_provider = ipa', the IPA subdomains " +"provider is configured implicitly. In this case, if a subdomain request " +"fails and indicates that the server does not support subdomains, i.e. is not " +"configured for trusts, the IPA subdomains provider is disabled. After an " +"hour or after the IPA provider goes online, the subdomains provider is " +"enabled again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-ipa.5.xml:732 +msgid "TRUSTED DOMAINS CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:738 +#, no-wrap +msgid "" +"[domain/ipa.domain.com/ad.domain.com]\n" +"ad_server = dc.ad.domain.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:734 +msgid "" +"Some configuration options can be also set for a trusted domain. A trusted " +"domain configuration can either be done using a subsection, for example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:743 +msgid "" +"In addition, some options can be set in the parent domain and inherited by " +"the trusted domain using the <quote>subdomain_inherit</quote> option. For " +"more details, see the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:753 +msgid "" +"Different configuration options are tunable for a trusted domain depending " +"on whether you are configuring SSSD on an IPA server or an IPA client." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:758 +msgid "OPTIONS TUNABLE ON IPA MASTERS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:760 +msgid "" +"The following options can be set in a subdomain section on an IPA master:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:764 sssd-ipa.5.xml:794 +msgid "ad_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:767 +msgid "ad_backup_server" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:770 sssd-ipa.5.xml:797 +msgid "ad_site" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:773 +msgid "ldap_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:776 +msgid "ldap_user_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> +#: sssd-ipa.5.xml:779 +msgid "ldap_group_search_base" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-ipa.5.xml:788 +msgid "OPTIONS TUNABLE ON IPA CLIENTS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:790 +msgid "" +"The following options can be set in a subdomain section on an IPA client:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:802 +msgid "" +"Note that if both options are set, only <quote>ad_server</quote> is " +"evaluated." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-ipa.5.xml:806 +msgid "" +"Since any request for a user or a group identity from a trusted domain " +"triggered from an IPA client is resolved by the IPA server, the " +"<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " +"which AD DC will the authentication be performed against. In particular, the " +"addresses resolved from these lists will be written to <quote>kdcinfo</" +"quote> files read by the Kerberos locator plugin. Please refer to the " +"<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " +"Kerberos locator plugin." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ipa.5.xml:830 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This examples shows only the ipa provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ipa.5.xml:837 +#, no-wrap +msgid "" +"[domain/example.com]\n" +"id_provider = ipa\n" +"ipa_server = ipaserver.example.com\n" +"ipa_hostname = myhost.example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ad.5.xml:10 sssd-ad.5.xml:16 +msgid "sssd-ad" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ad.5.xml:17 +msgid "SSSD Active Directory provider" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:23 +msgid "" +"This manual page describes the configuration of the AD provider for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " +"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:36 +msgid "" +"The AD provider is a back end used to connect to an Active Directory server. " +"This provider requires that the machine be joined to the AD domain and a " +"keytab is available. Back end communication occurs over a GSSAPI-encrypted " +"channel, SSL/TLS options should not be used with the AD provider and will be " +"superseded by Kerberos usage." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:44 +msgid "" +"The AD provider supports connecting to Active Directory 2008 R2 or later. " +"Earlier versions may work, but are unsupported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:48 +msgid "" +"The AD provider can be used to get user information and authenticate users " +"from trusted domains. Currently only trusted domains in the same forest are " +"recognized. In addition servers from trusted domains are always auto-" +"discovered." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:54 +msgid "" +"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" +"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " +"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> authentication provider with " +"optimizations for Active Directory environments. 
The AD provider accepts the " +"same options used by the sssd-ldap and sssd-krb5 providers with some " +"exceptions. However, it is neither necessary nor recommended to set these " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:69 +msgid "" +"The AD provider primarily copies the traditional ldap and krb5 provider " +"default options with some exceptions, the differences are listed in the " +"<quote>MODIFIED DEFAULT OPTIONS</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:74 +msgid "" +"The AD provider can also be used as an access, chpass, sudo and autofs " +"provider. No configuration of the access provider is required on the client " +"side." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:79 +msgid "" +"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " +"configured in sssd.conf then the id_provider must also be set to <quote>ad</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:91 +#, no-wrap +msgid "" +"ldap_id_mapping = False\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:85 +msgid "" +"By default, the AD provider will map UID and GID values from the objectSID " +"parameter in Active Directory. For details on this, see the <quote>ID " +"MAPPING</quote> section below. If you want to disable ID mapping and instead " +"rely on POSIX attributes defined in Active Directory, you should set " +"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " +"be used, it is recommended for performance reasons that the attributes are " +"also replicated to the Global Catalog. If POSIX attributes are replicated, " +"SSSD will attempt to locate the domain of a requested numerical ID with the " +"help of the Global Catalog and only search that domain. 
In contrast, if " +"POSIX attributes are not replicated to the Global Catalog, SSSD must search " +"all the domains in the forest sequentially. Please note that the " +"<quote>cache_first</quote> option might be also helpful in speeding up " +"domainless searches. Note that if only a subset of POSIX attributes is " +"present in the Global Catalog, the non-replicated attributes are currently " +"not read from the LDAP port." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:108 +msgid "" +"Users, groups and other entities served by SSSD are always treated as case-" +"insensitive in the AD provider for compatibility with Active Directory's " +"LDAP implementation." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:123 +msgid "ad_domain (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:126 +msgid "" +"Specifies the name of the Active Directory domain. This is optional. If not " +"provided, the configuration domain name is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:131 +msgid "" +"For proper operation, this option should be specified as the lower-case " +"version of the long version of the Active Directory domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:136 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) is " +"autodetected by the SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:143 +msgid "ad_enabled_domains (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:146 +msgid "" +"A comma-separated list of enabled Active Directory domains. If provided, " +"SSSD will ignore any domains not listed in this option. If left unset, all " +"domains from the AD forest will be available." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:156 +#, no-wrap +msgid "" +"ad_enabled_domains = sales.example.com, eng.example.com\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:152 +msgid "" +"For proper operation, this option must be specified in all lower-case and as " +"the fully qualified domain name of the Active Directory domain. For example: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:160 +msgid "" +"The short domain name (also known as the NetBIOS or the flat name) will be " +"autodetected by SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:170 +msgid "ad_server, ad_backup_server (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:173 +msgid "" +"The comma-separated list of hostnames of the AD servers to which SSSD should " +"connect in order of preference. For more information on failover and server " +"redundancy, see the <quote>FAILOVER</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:180 +msgid "" +"This is optional if autodiscovery is enabled. 
For more information on " +"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:185 +msgid "" +"Note: Trusted domains will always auto-discover servers even if the primary " +"server is explicitly defined in the ad_server option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:193 +msgid "ad_hostname (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:196 +msgid "" +"Optional. May be set on machines where the hostname(5) does not reflect the " +"fully qualified name used in the Active Directory domain to identify this " +"host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:202 +msgid "" +"This field is used to determine the host principal in use in the keytab. It " +"must match the hostname for which the keytab was issued." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:210 +msgid "ad_enable_dns_sites (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:217 +msgid "" +"If true and service discovery (see Service Discovery paragraph at the bottom " +"of the man page) is enabled, the SSSD will first attempt to discover the " +"Active Directory server to connect to using the Active Directory Site " +"Discovery and fall back to the DNS SRV records if no AD site is found. The " +"DNS SRV configuration, including the discovery domain, is used during site " +"discovery as well." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:233 +msgid "ad_access_filter (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:236 +msgid "" +"This option specifies LDAP access control filter that the user must match in " +"order to be allowed access. Please note that the <quote>access_provider</" +"quote> option must be explicitly set to <quote>ad</quote> in order for this " +"option to have an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:244 +msgid "" +"The option also supports specifying different filters per domain or forest. " +"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " +"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " +"missing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:252 +msgid "" +"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" +"quote> specifies the domain or subdomain the filter applies to. If the " +"keyword equals to <quote>FOREST</quote>, then the filter equals to all " +"domains from the forest specified by <quote>NAME</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:260 +msgid "" +"Multiple filters can be separated with the <quote>?</quote> character, " +"similarly to how search bases work." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:265 +msgid "" +"Nested group membership must be searched for using a special OID " +"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." 
+"example.org: syntax to ensure the parser does not attempt to interpret the " +"colon characters associated with the OID. If you do not use this OID then " +"nested group membership will not be resolved. See usage example below and " +"refer here for further information about the OID: <ulink url=\"https://msdn." +"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " +"extensions</ulink>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:278 +msgid "" +"The most specific match is always used. For example, if the option specified " +"filter for a domain the user is a member of and a global filter, the per-" +"domain filter would be applied. If there are more matches with the same " +"specification, the first one is used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-ad.5.xml:289 +#, no-wrap +msgid "" +"# apply filter on domain called dom1 only:\n" +"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" +"\n" +"# apply filter on domain called dom2 only:\n" +"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" +"\n" +"# apply filter on forest called EXAMPLE.COM only:\n" +"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" +"\n" +"# apply filter for a member of a nested group in dom1:\n" +"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:308 +msgid "ad_site (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:311 +msgid "" +"Specify AD site to which client should try to connect. If this option is " +"not provided, the AD site will be auto-discovered." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:322 +msgid "ad_enable_gc (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:325 +msgid "" +"By default, the SSSD connects to the Global Catalog first to retrieve users " +"from trusted domains and uses the LDAP port to retrieve group memberships or " +"as a fallback. Disabling this option makes the SSSD only connect to the LDAP " +"port of the current AD server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:333 +msgid "" +"Please note that disabling Global Catalog support does not disable " +"retrieving users from trusted domains. The SSSD would connect to the LDAP " +"port of trusted domains instead. However, Global Catalog must be used in " +"order to resolve cross-domain group memberships." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:347 +msgid "ad_gpo_access_control (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:350 +msgid "" +"This option specifies the operation mode for GPO-based access control " +"functionality: whether it operates in disabled mode, enforcing mode, or " +"permissive mode. Please note that the <quote>access_provider</quote> option " +"must be explicitly set to <quote>ad</quote> in order for this option to have " +"an effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:359 +msgid "" +"GPO-based access control functionality uses GPO policy settings to determine " +"whether or not a particular user is allowed to logon to a particular host." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:365 +msgid "" +"NOTE: The current version of SSSD does not support host (computer) entries " +"in the GPO 'Security Filtering' list. Only user and group entries are " +"supported. Host entries in the list have no effect." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:372 +msgid "" +"NOTE: If the operation mode is set to enforcing, it is possible that users " +"that were previously allowed logon access will now be denied logon access " +"(as dictated by the GPO policy settings). In order to facilitate a smooth " +"transition for administrators, a permissive mode is available that will not " +"enforce the access control rules, but will evaluate them and will output a " +"syslog message if access would have been denied. By examining the logs, " +"administrators can then make the necessary changes before setting the mode " +"to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:385 +msgid "There are three supported values for this option:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:389 +msgid "" +"disabled: GPO-based access control rules are neither evaluated nor enforced." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:395 +msgid "enforcing: GPO-based access control rules are evaluated and enforced." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:401 +msgid "" +"permissive: GPO-based access control rules are evaluated, but not enforced. " +"Instead, a syslog message will be emitted indicating that the user would " +"have been denied access if this option's value were set to enforcing." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:412 +msgid "Default: permissive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:415 +msgid "Default: enforcing" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:421 +msgid "ad_gpo_cache_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:424 +msgid "" +"The amount of time between lookups of GPO policy files against the AD " +"server. This will reduce the latency and load on the AD server if there are " +"many access-control requests made in a short period." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:437 +msgid "ad_gpo_map_interactive (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:440 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the InteractiveLogonRight and " +"DenyInteractiveLogonRight policy settings." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:446 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on locally\" and \"Deny log on locally\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:460 +#, no-wrap +msgid "" +"ad_gpo_map_interactive = +my_pam_service, -login\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:451 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>login</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:464 sssd-ad.5.xml:560 sssd-ad.5.xml:606 sssd-ad.5.xml:651 +#: sssd-ad.5.xml:717 +msgid "Default: the default set of PAM service names includes:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:468 +msgid "login" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:473 +msgid "su" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:478 +msgid "su-l" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:483 +msgid "gdm-fingerprint" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:488 +msgid "gdm-password" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:493 +msgid "gdm-smartcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:498 +msgid "kdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:503 +msgid "lightdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:508 +msgid "lxdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:513 +msgid "sddm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:518 +msgid "unity" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:523 +msgid "xdm" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:532 +msgid "ad_gpo_map_remote_interactive (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:535 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the RemoteInteractiveLogonRight and " +"DenyRemoteInteractiveLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:541 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on through Remote Desktop Services\" and \"Deny log on through Remote " +"Desktop Services\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:556 +#, no-wrap +msgid "" +"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:547 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>sshd</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:564 +msgid "sshd" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:569 +msgid "cockpit" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:578 +msgid "ad_gpo_map_network (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:581 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the NetworkLogonRight and " +"DenyNetworkLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:587 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Access " +"this computer from the network\" and \"Deny access to this computer from the " +"network\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:602 +#, no-wrap +msgid "" +"ad_gpo_map_network = +my_pam_service, -ftp\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:593 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>ftp</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:610 +msgid "ftp" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:615 +msgid "samba" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:624 +msgid "ad_gpo_map_batch (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:627 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " +"policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:633 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a batch job\" and \"Deny log on as a batch job\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:647 +#, no-wrap +msgid "" +"ad_gpo_map_batch = +my_pam_service, -crond\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:638 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for this logon right (e.g. " +"<quote>crond</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:655 +msgid "crond" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:664 +msgid "ad_gpo_map_service (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:667 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access " +"control is evaluated based on the ServiceLogonRight and " +"DenyServiceLogonRight policy settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:673 +msgid "" +"Note: Using the Group Policy Management Editor this value is called \"Allow " +"log on as a service\" and \"Deny log on as a service\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:686 +#, no-wrap +msgid "" +"ad_gpo_map_service = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:678 sssd-ad.5.xml:753 +msgid "" +"It is possible to add a PAM service name to the default set by using <quote>" +"+service_name</quote>. Since the default set is empty, it is not possible " +"to remove a PAM service name from the default set. For example, in order to " +"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you " +"would use the following configuration: <placeholder type=\"programlisting\" " +"id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:696 +msgid "ad_gpo_map_permit (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:699 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always granted, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:713 +#, no-wrap +msgid "" +"ad_gpo_map_permit = +my_pam_service, -sudo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:704 +msgid "" +"It is possible to add another PAM service name to the default set by using " +"<quote>+service_name</quote> or to explicitly remove a PAM service name from " +"the default set by using <quote>-service_name</quote>. For example, in " +"order to replace a default PAM service name for unconditionally permitted " +"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " +"<quote>my_pam_service</quote>), you would use the following configuration: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:721 +msgid "polkit-1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:726 +msgid "sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:731 +msgid "sudo-i" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:736 +msgid "systemd-user" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:745 +msgid "ad_gpo_map_deny (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:748 +msgid "" +"A comma-separated list of PAM service names for which GPO-based access is " +"always denied, regardless of any GPO Logon Rights." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-ad.5.xml:761 +#, no-wrap +msgid "" +"ad_gpo_map_deny = +my_pam_service\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:771 +msgid "ad_gpo_default_right (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:774 +msgid "" +"This option defines how access control is evaluated for PAM service names " +"that are not explicitly listed in one of the ad_gpo_map_* options. This " +"option can be set in two different manners. First, this option can be set to " +"use a default logon right. For example, if this option is set to " +"'interactive', it means that unmapped PAM service names will be processed " +"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " +"settings. Alternatively, this option can be set to either always permit or " +"always deny access for unmapped PAM service names." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:787 +msgid "Supported values for this option include:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:791 +msgid "interactive" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:796 +msgid "remote_interactive" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:801 +msgid "network" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:806 +msgid "batch" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:811 +msgid "service" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:816 +msgid "permit" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> +#: sssd-ad.5.xml:821 +msgid "deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:827 +msgid "Default: deny" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:833 +msgid "ad_maximum_machine_account_password_age (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:836 +msgid "" +"SSSD will check once a day if the machine account password is older than the " +"given age in days and try to renew it. A value of 0 will disable the renewal " +"attempt." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:842 +msgid "Default: 30 days" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-ad.5.xml:848 +msgid "ad_machine_account_password_renewal_opts (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:851 +msgid "" +"This option should only be used to test the machine account renewal task. " +"The option expects 2 integers separated by a colon (':'). The first integer " +"defines the interval in seconds how often the task is run. The second " +"specifies the initial timeout in seconds before the task is run for the " +"first time after startup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:860 +msgid "Default: 86400:750 (24h and 15m)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:869 +msgid "" +"Optional. This option tells SSSD to automatically update the Active " +"Directory DNS server with the IP address of this client. The update is " +"secured using GSS-TSIG. As a consequence, the Active Directory administrator " +"only needs to allow secure updates for the DNS zone. The IP address of the " +"AD LDAP connection is used for the updates, if it is not otherwise specified " +"by using the <quote>dyndns_iface</quote> option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:899 +msgid "Default: 3600 (seconds)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:915 +msgid "" +"Default: Use the IP addresses of the interface which is used for AD LDAP " +"connection" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:928 +msgid "" +"How often should the back end perform periodic DNS update in addition to the " +"automatic update performed when the back end goes online. This option is " +"optional and applicable only when dyndns_update is true. Note that the " +"lowest possible value is 60 seconds in-case if value is provided less than " +"60, parameter will assume lowest value only." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-ad.5.xml:951 sss_rpcidmapd.5.xml:76 +msgid "Default: True" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1043 +msgid "" +"The following example assumes that SSSD is correctly configured and example." +"com is one of the domains in the <replaceable>[sssd]</replaceable> section. " +"This example shows only the AD provider-specific options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1050 +#, no-wrap +msgid "" +"[domain/EXAMPLE]\n" +"id_provider = ad\n" +"auth_provider = ad\n" +"access_provider = ad\n" +"chpass_provider = ad\n" +"\n" +"ad_server = dc1.example.com\n" +"ad_hostname = client.example.com\n" +"ad_domain = example.com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-ad.5.xml:1070 +#, no-wrap +msgid "" +"access_provider = ldap\n" +"ldap_access_order = expire\n" +"ldap_account_expire_policy = ad\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1066 +msgid "" +"The AD access control provider checks if the account is expired. It has the " +"same effect as the following configuration of the LDAP provider: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1076 +msgid "" +"However, unless the <quote>ad</quote> access control provider is explicitly " +"configured, the default access provider is <quote>permit</quote>. Please " +"note that if you configure an access provider other than <quote>ad</quote>, " +"you need to set all the connection parameters (such as LDAP URIs and " +"encryption details) manually." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ad.5.xml:1084 +msgid "" +"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " +"attribute mapping (nisMap, nisObject, ...) is used, because these attributes " +"are included in the default Active Directory schema." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 +msgid "sssd-sudo" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-sudo.5.xml:17 +msgid "Configuring sudo with the SSSD back end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:36 +msgid "Configuring sudo to cooperate with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:38 +msgid "" +"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " +"the <emphasis>sudoers</emphasis> entry in <citerefentry> " +"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:47 +msgid "" +"For example, to configure sudo to first lookup rules in the standard " +"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> file (which should contain rules that apply to " +"local users) and then in SSSD, the nsswitch.conf file should contain the " +"following line:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:57 +#, no-wrap +msgid "sudoers: files sss\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:61 +msgid "" +"More information about configuring the sudoers search order from the " +"nsswitch.conf file as well as information about the LDAP schema that is used " +"to store sudo rules in the directory can be found in <citerefentry> " +"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:70 +msgid "" +"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " +"sudo rules, you also need to correctly set <citerefentry> " +"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" +"citerefentry> to your NIS domain name (which equals to IPA domain name when " +"using hostgroups)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:82 +msgid "Configuring SSSD to fetch sudo rules" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:84 +msgid "" +"All configuration that is needed on SSSD side is to extend the list of " +"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>. 
To speed up the LDAP lookups, you can also set " +"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " +"option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:94 +msgid "" +"The following example shows how to configure SSSD to download sudo rules " +"from an LDAP server." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-sudo.5.xml:99 +#, no-wrap +msgid "" +"[sssd]\n" +"config_file_version = 2\n" +"services = nss, pam, sudo\n" +"domains = EXAMPLE\n" +"\n" +"[domain/EXAMPLE]\n" +"id_provider = ldap\n" +"sudo_provider = ldap\n" +"ldap_uri = ldap://example.com\n" +"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:98 +msgid "" +"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition=" +"\"have_systemd\"> It's important to note that on platforms where systemd is " +"supported there's no need to add the \"sudo\" provider to the list of " +"services, as it became optional. However, sssd-sudo.socket must be enabled " +"instead. </phrase>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:118 +msgid "" +"When SSSD is configured to use IPA as the ID provider, the sudo provider is " +"automatically enabled. The sudo search base is configured to use the IPA " +"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " +"sssd.conf, this value will be used instead. The compat tree (ou=sudoers," +"$SUFFIX) is no longer required for IPA sudo functionality." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-sudo.5.xml:128 +msgid "The SUDO rule caching mechanism" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:130 +msgid "" +"The biggest challenge, when developing sudo support in SSSD, was to ensure " +"that running sudo with SSSD as the data source provides the same user " +"experience and is as fast as sudo but keeps providing the most current set " +"of rules as possible. To satisfy these requirements, SSSD uses three kinds " +"of updates. They are referred to as full refresh, smart refresh and rules " +"refresh." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:138 +msgid "" +"The <emphasis>smart refresh</emphasis> periodically downloads rules that are " +"new or were modified after the last update. Its primary goal is to keep the " +"database growing by fetching only small increments that do not generate " +"large amounts of network traffic." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:144 +msgid "" +"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " +"in the cache and replaces them with all rules that are stored on the server. " +"This is used to keep the cache consistent by removing every rule which was " +"deleted from the server. However, full refresh may produce a lot of traffic " +"and thus it should be run only occasionally depending on the size and " +"stability of the sudo rules." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:152 +msgid "" +"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " +"more permission than defined. It is triggered each time the user runs sudo. " +"Rules refresh will find all rules that apply to this user, check their " +"expiration time and redownload them if expired. In the case that any of " +"these rules are missing on the server, the SSSD will do an out of band full " +"refresh because more rules (that apply to other users) may have been deleted." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:161 +msgid "" +"If enabled, SSSD will store only rules that can be applied to this machine. " +"This means rules that contain one of the following values in " +"<emphasis>sudoHost</emphasis> attribute:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:168 +msgid "keyword ALL" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:173 +msgid "wildcard" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:178 +msgid "netgroup (in the form \"+netgroup\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:183 +msgid "hostname or fully qualified domain name of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:188 +msgid "one of the IP addresses of this machine" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> +#: sssd-sudo.5.xml:193 +msgid "one of the IP addresses of the network (in the form \"address/mask\")" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-sudo.5.xml:199 +msgid "" +"There are many configuration options that can be used to adjust the " +"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd.8.xml:10 sssd.8.xml:15 +msgid "sssd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd.8.xml:16 +msgid "System Security Services Daemon" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sssd.8.xml:21 +msgid "" +"<command>sssd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:31 +msgid "" +"<command>SSSD</command> provides a set of daemons to manage access to remote " +"directories and authentication mechanisms. It provides an NSS and PAM " +"interface toward the system and a pluggable backend system to connect to " +"multiple different account sources as well as D-Bus interface. It is also " +"the basis to provide client auditing and policy services for projects like " +"FreeIPA. It provides a more robust database to store local users as well as " +"extended user data." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:46 +msgid "" +"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:53 +msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:57 +msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:60 +msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:69 +msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:73 +msgid "" +"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:76 +msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:85 +msgid "<option>-f</option>,<option>--debug-to-files</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:89 +msgid "" +"Send the debug output to files instead of stderr. By default, the log files " +"are stored in <filename>/var/log/sssd</filename> and there are separate log " +"files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:94 +msgid "" +"This option is deprecated. It is replaced by <option>--logger=files</option>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:101 +msgid "<option>--logger=</option><replaceable>value</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:105 +msgid "" +"Location where SSSD will send log messages. This option overrides the value " +"of the deprecated option <option>--debug-to-files</option>. The deprecated " +"option will still work if the <option>--logger</option> is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:112 +msgid "" +"<emphasis>stderr</emphasis>: Redirect debug messages to standard error " +"output." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:116 +msgid "" +"<emphasis>files</emphasis>: Redirect debug messages to the log files. By " +"default, the log files are stored in <filename>/var/log/sssd</filename> and " +"there are separate log files for every SSSD service and domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:122 +msgid "" +"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:132 +msgid "<option>-D</option>,<option>--daemon</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:136 +msgid "Become a daemon after starting up." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:142 sss_seed.8.xml:136 +msgid "<option>-i</option>,<option>--interactive</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:146 +msgid "Run in the foreground, don't become a daemon." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:152 +msgid "<option>-c</option>,<option>--config</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:156 +msgid "" +"Specify a non-default config file. The default is <filename>/etc/sssd/sssd." +"conf</filename>. For reference on the config file syntax and options, " +"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:170 +msgid "<option>--version</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:174 +msgid "Print version number and exit." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd.8.xml:182 +msgid "Signals" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:185 +msgid "SIGTERM/SIGINT" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:188 +msgid "" +"Informs the SSSD to gracefully terminate all of its child processes and then " +"shut down the monitor." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:194 +msgid "SIGHUP" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:197 +msgid "" +"Tells the SSSD to stop writing to its current debug file descriptors and to " +"close and reopen them. This is meant to facilitate log rolling with programs " +"like logrotate." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:205 +msgid "SIGUSR1" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:208 +msgid "" +"Tells the SSSD to simulate offline operation for the duration of the " +"<quote>offline_timeout</quote> parameter. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd.8.xml:217 +msgid "SIGUSR2" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd.8.xml:220 +msgid "" +"Tells the SSSD to go online immediately. This is useful for testing. The " +"signal can be sent to either the sssd process or any sssd_be process " +"directly." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd.8.xml:232 +msgid "" +"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " +"applications will not use the fast in memory cache." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 +msgid "sss_obfuscate" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_obfuscate.8.xml:16 +msgid "obfuscate a clear text password" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_obfuscate.8.xml:21 +msgid "" +"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:32 +msgid "" +"<command>sss_obfuscate</command> converts a given password into human-" +"unreadable format and places it into appropriate domain section of the SSSD " +"config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:37 +msgid "" +"The cleartext password is read from standard input or entered " +"interactively. The obfuscated password is put into " +"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " +"<quote>ldap_default_authtok_type</quote> parameter is set to " +"<quote>obfuscated_password</quote>. Refer to <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> for more details on these parameters." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sss_obfuscate.8.xml:49 +msgid "" +"Please note that obfuscating the password provides <emphasis>no real " +"security benefit</emphasis> as it is still possible for an attacker to " +"reverse-engineer the password back. Using better authentication mechanisms " +"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " +"advised." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:63 +msgid "<option>-s</option>,<option>--stdin</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:67 +msgid "The password to obfuscate will be read from standard input." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 +#: sss_ssh_knownhostsproxy.1.xml:78 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:79 +msgid "" +"The SSSD domain to use the password in. The default name is <quote>default</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_obfuscate.8.xml:86 +msgid "" +"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:91 +msgid "Read the config file specified by the positional parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_obfuscate.8.xml:95 +msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_override.8.xml:10 sss_override.8.xml:15 +msgid "sss_override" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_override.8.xml:16 +msgid "create local overrides of user and group attributes" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_override.8.xml:21 +msgid "" +"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" +"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:32 +msgid "" +"<command>sss_override</command> enables to create a client-side view and " +"allows to change selected values of specific user and groups. This change " +"takes effect only on local machine." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:37 +msgid "" +"Overrides data are stored in the SSSD cache. If the cache is deleted, all " +"local overrides are lost. Please note that after the first override is " +"created using any of the following <emphasis>user-add</emphasis>, " +"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " +"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " +"take effect. <emphasis>sss_override</emphasis> prints message when a " +"restart is required." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:50 sssctl.8.xml:41 +msgid "AVAILABLE COMMANDS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:52 +msgid "" +"Argument <emphasis>NAME</emphasis> is the name of original object in all " +"commands. It is not possible to override <emphasis>uid</emphasis> or " +"<emphasis>gid</emphasis> to 0." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:59 +msgid "" +"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" +"optional> <optional><option>-g,--gid</option> GID</optional> " +"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" +"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" +"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " +"CERTIFICATE</optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:72 +msgid "" +"Override attributes of an user. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:80 +msgid "<option>user-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:85 +msgid "" +"Remove user overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:94 +msgid "" +"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:99 +msgid "" +"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " +"is set, only users from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:107 +msgid "<option>user-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:112 +msgid "Show user overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:118 +msgid "<option>user-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:123 +msgid "" +"Import user overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard passwd file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:128 +msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:131 +msgid "" +"where original_name is original name of the user whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:140 +msgid "ckent:superman::::::" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:143 +msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:149 +msgid "<option>user-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:154 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>user-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:162 +msgid "" +"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" +"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:169 +msgid "" +"Override attributes of a group. Please be aware that calling this command " +"will replace any previous override for the (NAMEd) group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:177 +msgid "<option>group-del</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:182 +msgid "" +"Remove group overrides. However be aware that overridden attributes might be " +"returned from memory cache. Please see SSSD option " +"<emphasis>memcache_timeout</emphasis> for more details." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:191 +msgid "" +"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" +"optional>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:196 +msgid "" +"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " +"parameter is set, only groups from the domain are listed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:204 +msgid "<option>group-show</option> <emphasis>NAME</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:209 +msgid "Show group overrides." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:215 +msgid "<option>group-import</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:220 +msgid "" +"Import group overrides from <emphasis>FILE</emphasis>. Data format is " +"similar to standard group file. The format is:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:225 +msgid "original_name:name:gid" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:228 +msgid "" +"where original_name is original name of the group whose attributes should be " +"overridden. The rest of fields correspond to new values. You can omit a " +"value simply by leaving corresponding field empty." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:237 +msgid "admins:administrators:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:240 +msgid "Domain Users:Users:501" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:246 +msgid "<option>group-export</option> <emphasis>FILE</emphasis>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_override.8.xml:251 +msgid "" +"Export all overridden attributes and store them in <emphasis>FILE</" +"emphasis>. See <emphasis>group-import</emphasis> for data format." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sss_override.8.xml:261 sssctl.8.xml:50 +msgid "COMMON OPTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_override.8.xml:263 sssctl.8.xml:52 +msgid "Those options are available with all commands." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_override.8.xml:268 sssctl.8.xml:57 +msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_useradd.8.xml:10 sss_useradd.8.xml:15 +msgid "sss_useradd" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_useradd.8.xml:16 +msgid "create a new user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_useradd.8.xml:21 +msgid "" +"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_useradd.8.xml:32 +msgid "" +"<command>sss_useradd</command> creates a new user account using the values " +"specified on the command line plus the default values from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:43 sss_seed.8.xml:76 +msgid "" +"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:48 +msgid "" +"Set the UID of the user to the value of <replaceable>UID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100 +msgid "" +"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105 +msgid "" +"Any text string describing the user. Often used as the field for the user's " +"full name." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112 +msgid "" +"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:72 +msgid "" +"The home directory of the user account. The default is to append the " +"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use " +"that as the home directory. The base that is prepended before " +"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/" +"baseDirectory</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124 +msgid "" +"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:87 +msgid "" +"The user's login shell. 
The default is currently <filename>/bin/bash</" +"filename>. The default can be changed with <quote>user_defaults/" +"defaultShell</quote> setting in sssd.conf." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:96 +msgid "" +"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:101 +msgid "A list of existing groups this user is also a member of." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:107 +msgid "<option>-m</option>,<option>--create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:111 +msgid "" +"Create the user's home directory if it does not exist. The files and " +"directories contained in the skeleton directory (which can be defined with " +"the -k option or in the config file) will be copied to the home directory." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:121 +msgid "<option>-M</option>,<option>--no-create-home</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:125 +msgid "" +"Do not create the user's home directory. Overrides configuration settings." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:132 +msgid "" +"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:137 +msgid "" +"The skeleton directory, which contains files and directories to be copied in " +"the user's home directory, when the home directory is created by " +"<command>sss_useradd</command>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:143 +msgid "" +"Special files (block devices, character devices, named pipes and unix " +"sockets) will not be copied." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:147 +msgid "" +"This option is only valid if the <option>-m</option> (or <option>--create-" +"home</option>) option is specified, or creation of home directories is set " +"to TRUE in the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_useradd.8.xml:156 sss_usermod.8.xml:124 +msgid "" +"<option>-Z</option>,<option>--selinux-user</option> " +"<replaceable>SELINUX_USER</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_useradd.8.xml:161 +msgid "" +"The SELinux user for the user's login. If not specified, the system default " +"will be used." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 +msgid "sssd-krb5" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-krb5.5.xml:17 +msgid "SSSD Kerberos provider" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:23 +msgid "" +"This manual page describes the configuration of the Kerberos 5 " +"authentication backend for <citerefentry> <refentrytitle>sssd</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. 
For a detailed " +"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:36 +msgid "" +"The Kerberos 5 authentication backend contains auth and chpass providers. It " +"must be paired with an identity provider in order to function properly (for " +"example, id_provider = ldap). Some information required by the Kerberos 5 " +"authentication backend must be provided by the identity provider, such as " +"the user's Kerberos Principal Name (UPN). The configuration of the identity " +"provider should have an entry to specify the UPN. Please refer to the man " +"page for the applicable identity provider for details on how to configure " +"this." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:47 +msgid "" +"This backend also provides access control based on the .k5login file in the " +"home directory of the user. See <citerefentry> <refentrytitle>.k5login</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " +"Please note that an empty .k5login file will deny all access to this user. " +"To activate this feature, use 'access_provider = krb5' in your SSSD " +"configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:55 +msgid "" +"In the case where the UPN is not available in the identity backend, " +"<command>sssd</command> will construct a UPN using the format " +"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:77 +msgid "" +"Specifies the comma-separated list of IP addresses or hostnames of the " +"Kerberos servers to which SSSD should connect, in the order of preference. " +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. An optional port number (preceded by a " +"colon) may be appended to the addresses or hostnames. If empty, service " +"discovery is enabled; for more information, refer to the <quote>SERVICE " +"DISCOVERY</quote> section." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:106 +msgid "" +"The name of the Kerberos realm. This option is required and must be " +"specified." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:113 +msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:116 +msgid "" +"If the change password service is not running on the KDC, alternative " +"servers can be defined here. An optional port number (preceded by a colon) " +"may be appended to the addresses or hostnames." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:122 +msgid "" +"For more information on failover and server redundancy, see the " +"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " +"servers to try, the backend is not switched to operate offline if " +"authentication against the KDC is still possible." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:129 +msgid "Default: Use the KDC" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:135 +msgid "krb5_ccachedir (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:138 +msgid "" +"Directory to store credential caches. All the substitution sequences of " +"krb5_ccname_template can be used here, too, except %d and %P. The directory " +"is created as private and owned by the user, with permissions set to 0700." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:145 +msgid "Default: /tmp" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:151 +msgid "krb5_ccname_template (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:165 include/override_homedir.xml:11 +msgid "%u" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:166 include/override_homedir.xml:12 +msgid "login name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:169 include/override_homedir.xml:15 +msgid "%U" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:170 +msgid "login UID" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:173 +msgid "%p" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:174 +msgid "principal name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:178 +msgid "%r" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:179 +msgid "realm name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:182 +msgid "%h" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:183 sssd-ifp.5.xml:108 +msgid "home directory" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:187 include/override_homedir.xml:19 +msgid "%d" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:188 +msgid "value of krb5_ccachedir" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:193 include/override_homedir.xml:31 +msgid "%P" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:194 +msgid "the process ID of the SSSD client" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:199 include/override_homedir.xml:49 +msgid "%%" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:200 include/override_homedir.xml:50 +msgid "a literal '%'" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:154 +msgid "" +"Location of the user's credential cache. Three credential cache types are " +"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " +"<quote>KEYRING:persistent</quote>. The cache can be specified either as " +"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " +"implies the <quote>FILE</quote> type. In the template, the following " +"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " +"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " +"filename in a safe way." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:208 +msgid "" +"When using KEYRING types, the only supported mechanism is <quote>KEYRING:" +"persistent:%U</quote>, which uses the Linux kernel keyring to store " +"credentials on a per-UID basis. This is also the recommended choice, as it " +"is the most secure and predictable method." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:216 +msgid "" +"The default value for the credential cache name is sourced from the profile " +"stored in the system wide krb5.conf configuration file in the [libdefaults] " +"section. The option name is default_ccache_name. See krb5.conf(5)'s " +"PARAMETER EXPANSION paragraph for additional information on the expansion " +"format defined by krb5.conf." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:225 +msgid "" +"NOTE: Please be aware that libkrb5 ccache expansion template from " +"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> uses different expansion sequences than SSSD." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:234 +msgid "Default: (from libkrb5)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:240 +msgid "krb5_auth_timeout (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:243 +msgid "" +"Timeout in seconds after an online authentication request or change password " +"request is aborted. If possible, the authentication request is continued " +"offline." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:254 +msgid "krb5_validate (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:257 +msgid "" +"Verify with the help of krb5_keytab that the TGT obtained has not been " +"spoofed. The keytab is checked for entries sequentially, and the first entry " +"with a matching realm is used for validation. If no entry matches the realm, " +"the last entry in the keytab is used. This process can be used to validate " +"environments using cross-realm trust by placing the appropriate keytab entry " +"as the last entry or the only entry in the keytab file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:272 +msgid "krb5_keytab (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:275 +msgid "" +"The location of the keytab to use when validating credentials obtained from " +"KDCs." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:279 +msgid "Default: /etc/krb5.keytab" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:285 +msgid "krb5_store_password_if_offline (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:288 +msgid "" +"Store the password of the user if the provider is offline and use it to " +"request a TGT when the provider comes online again." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:293 +msgid "" +"NOTE: this feature is only available on Linux. Passwords stored in this way " +"are kept in plaintext in the kernel keyring and are potentially accessible " +"by the root user (with difficulty)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:306 +msgid "krb5_renewable_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:309 +msgid "" +"Request a renewable ticket with a total lifetime, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385 +msgid "<emphasis>s</emphasis> for seconds" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388 +msgid "<emphasis>m</emphasis> for minutes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391 +msgid "<emphasis>h</emphasis> for hours" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394 +msgid "<emphasis>d</emphasis> for days." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:326 sssd-krb5.5.xml:397 +msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:330 sssd-krb5.5.xml:401 +msgid "" +"NOTE: It is not possible to mix units. To set the renewable lifetime to one " +"and a half hours, use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:335 +msgid "Default: not set, i.e. the TGT is not renewable" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:341 +msgid "krb5_lifetime (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:344 +msgid "" +"Request ticket with a lifetime, given as an integer immediately followed by " +"a time unit:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:360 +msgid "If there is no unit given <emphasis>s</emphasis> is assumed." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:364 +msgid "" +"NOTE: It is not possible to mix units. To set the lifetime to one and a " +"half hours please use '90m' instead of '1h30m'." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:369 +msgid "" +"Default: not set, i.e. the default ticket lifetime configured on the KDC." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:376 +msgid "krb5_renew_interval (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:379 +msgid "" +"The time in seconds between two checks if the TGT should be renewed. TGTs " +"are renewed if about half of their lifetime is exceeded, given as an integer " +"immediately followed by a time unit:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:406 +msgid "If this option is not set or is 0 the automatic renewal is disabled." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:416 +msgid "krb5_use_fast (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:419 +msgid "" +"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" +"authentication. The following options are supported:" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:424 +msgid "" +"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " +"option at all." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:428 +msgid "" +"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " +"continue the authentication without it." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:433 +msgid "" +"<emphasis>demand</emphasis> to use FAST. The authentication fails if the " +"server does not require fast." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:438 +msgid "Default: not set, i.e. FAST is not used." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:441 +msgid "NOTE: a keytab is required to use FAST." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:444 +msgid "" +"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " +"SSSD is used with an older version of MIT Kerberos, using this option is a " +"configuration error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:453 +msgid "krb5_fast_principal (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:456 +msgid "Specifies the server principal to use for FAST." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:465 +msgid "" +"Specifies if the host and user principal should be canonicalized. This " +"feature is available with MIT Kerberos 1.7 and later versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:505 +msgid "krb5_use_enterprise_principal (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:508 +msgid "" +"Specifies if the user principal should be treated as enterprise principal. " +"See section 5 of RFC 6806 for more details about enterprise principals." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:514 +msgid "Default: false (AD provider: true)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:517 +msgid "" +"The IPA provider will set to option to 'true' if it detects that the server " +"is capable of handling enterprise principals and the option is not set " +"explicitly in the config file." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> +#: sssd-krb5.5.xml:526 +msgid "krb5_map_user (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:529 +msgid "" +"The list of mappings is given as a comma-separated list of pairs " +"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " +"name and <quote>primary</quote> is a user part of a kerberos principal. This " +"mapping is used when user is authenticating using <quote>auth_provider = " +"krb5</quote>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-krb5.5.xml:541 +#, no-wrap +msgid "" +"krb5_realm = REALM\n" +"krb5_map_user = joe:juser,dick:richard\n" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> +#: sssd-krb5.5.xml:546 +msgid "" +"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " +"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " +"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " +"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:65 +msgid "" +"If the auth-module krb5 is used in an SSSD domain, the following options " +"must be used. See the <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " +"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " +"domain. <placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-krb5.5.xml:572 +msgid "" +"The following example assumes that SSSD is correctly configured and FOO is " +"one of the domains in the <replaceable>[sssd]</replaceable> section. This " +"example shows only configuration of Kerberos authentication; it does not " +"include any identity provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-krb5.5.xml:580 +#, no-wrap +msgid "" +"[domain/FOO]\n" +"auth_provider = krb5\n" +"krb5_server = 192.168.1.1\n" +"krb5_realm = EXAMPLE.COM\n" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15 +msgid "sss_groupadd" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupadd.8.xml:16 +msgid "create a new group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupadd.8.xml:21 +msgid "" +"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupadd.8.xml:32 +msgid "" +"<command>sss_groupadd</command> creates a new group. These groups are " +"compatible with POSIX groups, with the additional feature that they can " +"contain other groups as members." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupadd.8.xml:43 sss_seed.8.xml:88 +msgid "" +"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupadd.8.xml:48 +msgid "" +"Set the GID of the group to the value of <replaceable>GID</replaceable>. If " +"not given, it is chosen automatically." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_userdel.8.xml:10 sss_userdel.8.xml:15 +msgid "sss_userdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_userdel.8.xml:16 +msgid "delete a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_userdel.8.xml:21 +msgid "" +"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_userdel.8.xml:32 +msgid "" +"<command>sss_userdel</command> deletes a user identified by login name " +"<replaceable>LOGIN</replaceable> from the system." 
+msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:44 +msgid "<option>-r</option>,<option>--remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:48 +msgid "" +"Files in the user's home directory will be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:56 +msgid "<option>-R</option>,<option>--no-remove</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:60 +msgid "" +"Files in the user's home directory will NOT be removed along with the home " +"directory itself and the user's mail spool. Overrides the configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:68 +msgid "<option>-f</option>,<option>--force</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:72 +msgid "" +"This option forces <command>sss_userdel</command> to remove the user's home " +"directory and mail spool, even if they are not owned by the specified user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_userdel.8.xml:80 +msgid "<option>-k</option>,<option>--kick</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_userdel.8.xml:84 +msgid "Before actually deleting the user, terminate all his processes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15 +msgid "sss_groupdel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupdel.8.xml:16 +msgid "delete a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupdel.8.xml:21 +msgid "" +"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupdel.8.xml:32 +msgid "" +"<command>sss_groupdel</command> deletes a group identified by its name " +"<replaceable>GROUP</replaceable> from the system." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15 +msgid "sss_groupshow" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_groupshow.8.xml:16 +msgid "print properties of a group" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_groupshow.8.xml:21 +msgid "" +"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_groupshow.8.xml:32 +msgid "" +"<command>sss_groupshow</command> displays information about a group " +"identified by its name <replaceable>GROUP</replaceable>. The information " +"includes the group ID number, members of the group and the parent group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_groupshow.8.xml:43 +msgid "<option>-R</option>,<option>--recursive</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_groupshow.8.xml:47 +msgid "" +"Also print indirect group members in a tree-like hierarchy. Note that this " +"also affects printing parent groups - without <option>R</option>, only the " +"direct parent will be printed." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_usermod.8.xml:10 sss_usermod.8.xml:15 +msgid "sss_usermod" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_usermod.8.xml:16 +msgid "modify a user account" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_usermod.8.xml:21 +msgid "" +"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_usermod.8.xml:32 +msgid "" +"<command>sss_usermod</command> modifies the account specified by " +"<replaceable>LOGIN</replaceable> to reflect the changes that are specified " +"on the command line." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:60 +msgid "The home directory of the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:71 +msgid "The user's login shell." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:82 +msgid "" +"Append this user to groups specified by the <replaceable>GROUPS</" +"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is " +"a comma separated list of group names." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:96 +msgid "" +"Remove this user from groups specified by the <replaceable>GROUPS</" +"replaceable> parameter." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:103 +msgid "<option>-l</option>,<option>--lock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:107 +msgid "Lock the user account. The user won't be able to log in." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:114 +msgid "<option>-u</option>,<option>--unlock</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:118 +msgid "Unlock the user account." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:129 +msgid "The SELinux user for the user's login." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:135 +msgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:140 +msgid "Add an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:147 +msgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:152 +msgid "" +"Set an attribute to a name/value pair. The format is attrname=value. 
For " +"multi-valued attributes, the command replaces the values already present" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_usermod.8.xml:160 +msgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_usermod.8.xml:165 +msgid "Delete an attribute/value pair. The format is attrname=value." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_cache.8.xml:10 sss_cache.8.xml:15 +msgid "sss_cache" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_cache.8.xml:16 +msgid "perform cache cleanup" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_cache.8.xml:21 +msgid "" +"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_cache.8.xml:31 +msgid "" +"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " +"records are forced to be reloaded from server as soon as related SSSD " +"backend is online. Options that invalidate a single object only accept a " +"single provided argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:43 +msgid "<option>-E</option>,<option>--everything</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:47 +msgid "Invalidate all cached entries." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:53 +msgid "" +"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:58 +msgid "Invalidate specific user." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:64 +msgid "<option>-U</option>,<option>--users</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:68 +msgid "" +"Invalidate all user records. This option overrides invalidation of specific " +"user if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:75 +msgid "" +"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:80 +msgid "Invalidate specific group." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:86 +msgid "<option>-G</option>,<option>--groups</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:90 +msgid "" +"Invalidate all group records. This option overrides invalidation of specific " +"group if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:97 +msgid "" +"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:102 +msgid "Invalidate specific netgroup." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:108 +msgid "<option>-N</option>,<option>--netgroups</option>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:112 +msgid "" +"Invalidate all netgroup records. This option overrides invalidation of " +"specific netgroup if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:119 +msgid "" +"<option>-s</option>,<option>--service</option> <replaceable>service</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:124 +msgid "Invalidate specific service." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:130 +msgid "<option>-S</option>,<option>--services</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:134 +msgid "" +"Invalidate all service records. This option overrides invalidation of " +"specific service if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:141 +msgid "" +"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:146 +msgid "Invalidate specific autofs maps." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:152 +msgid "<option>-A</option>,<option>--autofs-maps</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:156 +msgid "" +"Invalidate all autofs maps. This option overrides invalidation of specific " +"map if it was also set." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:163 +msgid "" +"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:168 +msgid "Invalidate SSH public keys of a specific host." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:174 +msgid "<option>-H</option>,<option>--ssh-hosts</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:178 +msgid "" +"Invalidate SSH public keys of all hosts. This option overrides invalidation " +"of SSH public keys of specific host if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:186 +msgid "" +"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:191 +msgid "Invalidate particular sudo rule." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:197 +msgid "<option>-R</option>,<option>--sudo-rules</option>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:201 +msgid "" +"Invalidate all cached sudo rules. This option overrides invalidation of " +"specific sudo rule if it was also set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_cache.8.xml:209 +msgid "" +"<option>-d</option>,<option>--domain</option> <replaceable>domain</" +"replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_cache.8.xml:214 +msgid "Restrict invalidation process only to a particular domain." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 +msgid "sss_debuglevel" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_debuglevel.8.xml:16 +msgid "[DEPRECATED] change debug level while SSSD is running" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_debuglevel.8.xml:21 +msgid "" +"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" +"replaceable></arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_debuglevel.8.xml:32 +msgid "" +"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " +"debug-level command. Please refer to the <command>sssctl</command> man page " +"for more information on sssctl usage." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sss_seed.8.xml:10 sss_seed.8.xml:15 +msgid "sss_seed" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sss_seed.8.xml:16 +msgid "seed the SSSD cache with a user" +msgstr "" + +#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> +#: sss_seed.8.xml:21 +msgid "" +"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" +"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" +"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" +"arg>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:33 +msgid "" +"<command>sss_seed</command> seeds the SSSD cache with a user entry and " +"temporary password. 
If a user entry is already present in the SSSD cache " +"then the entry is updated with the temporary password." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:46 +msgid "" +"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:51 +msgid "" +"Provide the name of the domain in which the user is a member of. The domain " +"is also used to retrieve user information. The domain must be configured in " +"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " +"Information retrieved from the domain overrides what is provided in the " +"options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:63 +msgid "" +"<option>-n</option>,<option>--username</option> <replaceable>USER</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:68 +msgid "" +"The username of the entry to be created or modified in the cache. The " +"<replaceable>USER</replaceable> option must be provided." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:81 +msgid "Set the UID of the user to <replaceable>UID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:93 +msgid "Set the GID of the user to <replaceable>GID</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:117 +msgid "" +"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:129 +msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:140 +msgid "" +"Interactive mode for entering user information. This option will only prompt " +"for information not provided in the options or retrieved from the domain." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sss_seed.8.xml:148 +msgid "" +"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" +"replaceable>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sss_seed.8.xml:153 +msgid "" +"Specify file to read user's password from. (if not specified password is " +"prompted for)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sss_seed.8.xml:165 +msgid "" +"The length of the password (or the size of file specified with -p or --" +"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " +"on systems with no globally-defined PASS_MAX value)." +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 +msgid "sssd-ifp" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-ifp.5.xml:17 +msgid "SSSD InfoPipe responder" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-ifp.5.xml:23 +msgid "" +"This manual page describes the configuration of the InfoPipe responder for " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>. 
For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:36
+msgid ""
+"The InfoPipe responder provides a public D-Bus interface accessible over the "
+"system bus. The interface allows the user to query information about remote "
+"users and groups over the system bus."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-ifp.5.xml:46
+msgid "These options can be used to configure the InfoPipe responder."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:53
+msgid ""
+"Specifies the comma-separated list of UID values or user names that are "
+"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
+"startup."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:59
+msgid ""
+"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:63
+msgid ""
+"Please note that although the UID 0 is used as the default it will be "
+"overwritten with this option. If you still want to allow the root user to "
+"access the InfoPipe responder, which would be the typical case, you have to "
+"add 0 to the list of allowed UIDs as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:77
+msgid "Specifies the comma-separated list of white or blacklisted attributes."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:91
+msgid "name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:92
+msgid "user's login name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:95
+msgid "uidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:96
+msgid "user ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:99
+msgid "gidNumber"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:100
+msgid "primary group ID"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:103
+msgid "gecos"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:104
+msgid "user information, typically full name"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:107
+msgid "homeDirectory"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
+#: sssd-ifp.5.xml:111
+msgid "loginShell"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:112
+msgid "user shell"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:81
+msgid ""
+"By default, the InfoPipe responder only allows the default set of POSIX "
+"attributes to be requested. This set is the same as returned by "
+"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
+"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
+"id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
+#: sssd-ifp.5.xml:125
+#, no-wrap
+msgid ""
+"user_attributes = +telephoneNumber, -loginShell\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:117
+msgid ""
+"It is possible to add another attribute to this set by using <quote>"
+"+attr_name</quote> or explicitly remove an attribute using <quote>-"
+"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
+"deny <quote>loginShell</quote>, you would use the following configuration: "
+"<placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:129
+msgid "Default: not set. Only the default set of POSIX attributes is allowed."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:139
+msgid ""
+"Specifies an upper limit on the number of entries that are downloaded during "
+"a wildcard lookup that overrides caller-supplied limit."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sssd-ifp.5.xml:144
+msgid "Default: 0 (let the caller set an upper limit)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refentryinfo>
+#: sss_rpcidmapd.5.xml:8
+msgid ""
+"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
+"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
+"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
+"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
+"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
+"author>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
+msgid "sss_rpcidmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_rpcidmapd.5.xml:33
+msgid "sss plugin configuration directives for rpc.idmapd"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:37
+msgid "CONFIGURATION FILE"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:39
+msgid ""
+"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
+"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:49
+msgid "SSS CONFIGURATION EXTENSION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:51
+msgid "Enable SSS plugin"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:53
+msgid ""
+"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
+"attribute to contain <emphasis>sss</emphasis>."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_rpcidmapd.5.xml:59
+msgid "[sss] config section"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_rpcidmapd.5.xml:61
+msgid ""
+"In order to change the default of one of the configuration attributes of the "
+"<emphasis>sss</emphasis> plugin listed below you will need to create a "
+"config section for it, named <quote>[sss]</quote>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
+#: sss_rpcidmapd.5.xml:67
+msgid "Configuration attributes"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
+#: sss_rpcidmapd.5.xml:69
+msgid "memcache (bool)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
+#: sss_rpcidmapd.5.xml:72
+msgid "Indicates whether or not to use memcache optimisation technique."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_rpcidmapd.5.xml:85
+msgid "SSSD INTEGRATION"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:87
+msgid ""
+"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
+"in sssd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:91
+msgid ""
+"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
+"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
+"wire)."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_rpcidmapd.5.xml:103
+#, no-wrap
+msgid ""
+"[General]\n"
+"Verbosity = 2\n"
+"# domain must be synced between NFSv4 server and clients\n"
+"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
+"Domain = default\n"
+"\n"
+"[Mapping]\n"
+"Nobody-User = nfsnobody\n"
+"Nobody-Group = nfsnobody\n"
+"\n"
+"[Translation]\n"
+"Method = sss\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:100
+msgid ""
+"The following example shows a minimal idmapd.conf which makes use of the sss "
+"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <refsect1><title>
+#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
+msgid "SEE ALSO"
+msgstr "另见"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_rpcidmapd.5.xml:122
+msgid ""
+"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
+"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
+msgid "sss_ssh_authorizedkeys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refmeta><manvolnum>
+#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
+msgid "1"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_authorizedkeys.1.xml:16
+msgid "get OpenSSH authorized keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_authorizedkeys.1.xml:21
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>USER</replaceable></arg>"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:32
+msgid ""
+"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
+"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
+"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> for more information)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:41
+msgid ""
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
+"command> for public key user authentication if it is compiled with support "
+"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
+"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> man page for more details about this option."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_authorizedkeys.1.xml:59
+#, no-wrap
+msgid ""
+" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
+" AuthorizedKeysCommandUser nobody\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:52
+msgid ""
+"If <quote>AuthorizedKeysCommand</quote> is supported, "
+"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
+"citerefentry> can be configured to use it by putting the following "
+"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
+"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
+"\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><title>
+#: sss_ssh_authorizedkeys.1.xml:65
+msgid "KEYS FROM CERTIFICATES"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:67
+msgid ""
+"In addition to the public SSH keys for user <replaceable>USER</replaceable> "
+"<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived "
+"from the public key of a X.509 certificate as well."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:73
+msgid ""
+"To enable this the <quote>ssh_use_certificate_keys</quote> option must be "
+"set to true (default) in the [ssh] section of <filename>sssd.conf</"
+"filename>. If the user entry contains certificates (see "
+"<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-"
+"ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or "
+"there is a certificate in an override entry for the user (see "
+"<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</"
+"refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the "
+"certificate is valid SSSD will extract the public key from the certificate "
+"and convert it into the format expected by sshd."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:90
+msgid "Besides <quote>ssh_use_certificate_keys</quote> the options"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:92
+msgid "ca_db"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:93
+msgid "p11_child_timeout"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:94
+msgid "certificate_verification"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:96
+msgid ""
+"can be used to control how the certificates are validated (see "
+"<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum></citerefentry> for details)."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:101
+msgid ""
+"The validation is the benefit of using X.509 certificates instead of SSH "
+"keys directly because e.g. it gives a better control of the lifetime of the "
+"keys. When the ssh client is configured to use the private keys from a "
+"Smartcard with the help of a PKCS#11 shared library (see "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> for details) it might be irritating that authentication is "
+"still working even if the related X.509 certificate on the Smartcard is "
+"already expired because neither <command>ssh</command> nor <command>sshd</"
+"command> will look at the certificate at all."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><refsect2><para>
+#: sss_ssh_authorizedkeys.1.xml:114
+msgid ""
+"It has to be noted that the derived public SSH key can still be added to the "
+"<filename>authorized_keys</filename> file of the user to bypass the "
+"certificate validation if the <command>sshd</command> configuration permits "
+"this."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_authorizedkeys.1.xml:132
+msgid ""
+"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102
+msgid "EXIT STATUS"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104
+msgid ""
+"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
+msgid "sss_ssh_knownhostsproxy"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sss_ssh_knownhostsproxy.1.xml:16
+msgid "get OpenSSH host keys"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sss_ssh_knownhostsproxy.1.xml:21
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
+"<replaceable>options</replaceable> </arg> <arg "
+"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
+"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:33
+msgid ""
+"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
+"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
+"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
+"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
+"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
+"pubconf/known_hosts</filename> and establishes the connection to the host."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:43
+msgid ""
+"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
+"create the connection to the host instead of opening a socket."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sss_ssh_knownhostsproxy.1.xml:55
+#, no-wrap
+msgid ""
+"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
+"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sss_ssh_knownhostsproxy.1.xml:48
+msgid ""
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
+"command> for host key authentication by using the following directives for "
+"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
+"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:66
+msgid ""
+"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:71
+msgid ""
+"Use port <replaceable>PORT</replaceable> to connect to the host. By "
+"default, port 22 is used."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:83
+msgid ""
+"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: sss_ssh_knownhostsproxy.1.xml:89
+#, fuzzy
+#| msgid ""
+#| "<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+#| "replaceable>"
+msgid "<option>-k</option>,<option>--pubkeys</option>"
+msgstr ""
+"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
+"replaceable>"
+
+#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: sss_ssh_knownhostsproxy.1.xml:93
+msgid ""
+"Print the host ssh public keys for host <replaceable>HOST</replaceable>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: idmap_sss.8.xml:10 idmap_sss.8.xml:15
+msgid "idmap_sss"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: idmap_sss.8.xml:16
+msgid "SSSD's idmap_sss Backend for Winbind"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:22
+msgid ""
+"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
+"No database is required in this case as the mapping is done by SSSD."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: idmap_sss.8.xml:29
+msgid "IDMAP OPTIONS"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
+#: idmap_sss.8.xml:33
+msgid "range = low - high"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
+#: idmap_sss.8.xml:35
+msgid ""
+"Defines the available matching UID and GID range for which the backend is "
+"authoritative."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: idmap_sss.8.xml:45
+msgid ""
+"This example shows how to configure idmap_sss as the default mapping module."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><programlisting>
+#: idmap_sss.8.xml:50
+#, no-wrap
+msgid ""
+"[global]\n"
+"security = domain\n"
+"workgroup = MAIN\n"
+"\n"
+"idmap config * : backend = sss\n"
+"idmap config * : range = 200000-2147483647\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssctl.8.xml:10 sssctl.8.xml:15
+msgid "sssctl"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssctl.8.xml:16
+msgid "SSSD control and status utility"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
+#: sssctl.8.xml:21
+msgid ""
+"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
+"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
+"arg>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:32
+msgid ""
+"<command>sssctl</command> provides a simple and unified way to obtain "
+"information about SSSD status, such as active server, auto-discovered "
+"servers, domains and cached objects. In addition, it can manage SSSD data "
+"files for troubleshooting in such a way that is safe to manipulate while "
+"SSSD is running."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssctl.8.xml:43
+msgid ""
+"To list all available commands run <command>sssctl</command> without any "
+"parameters. To print help for selected command run <command>sssctl COMMAND --"
+"help</command>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-files.5.xml:10 sssd-files.5.xml:16
+msgid "sssd-files"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-files.5.xml:17
+msgid "SSSD files provider"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:23
+msgid ""
+"This manual page describes the files provider for <citerefentry> "
+"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
+"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:36
+msgid ""
+"The files provider mirrors the content of the <citerefentry> "
+"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
+"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
+"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
+"provider is to make the users and groups traditionally only accessible with "
+"NSS interfaces also available through the SSSD interfaces such as "
+"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:69
+msgid "passwd_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:72
+msgid ""
+"Comma-separated list of one or multiple password filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:78
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: /etc/passwd"
+msgstr "默认: 3"
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-files.5.xml:84
+msgid "group_files (string)"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:87
+msgid ""
+"Comma-separated list of one or multiple group filenames to be read and "
+"enumerated by the files provider, inotify monitor watches will be set on "
+"each file to detect changes dynamically."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-files.5.xml:93
+#, fuzzy
+#| msgid "Default: 3"
+msgid "Default: /etc/group"
+msgstr "默认: 3"
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:59
+msgid ""
+"In addition to the options listed below, generic SSSD domain options can be "
+"set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> "
+"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
+"manvolnum> </citerefentry> manual page for details on the configuration of "
+"an SSSD domain. <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-files.5.xml:105
+msgid ""
+"The following example assumes that SSSD is correctly configured and files is "
+"one of the domains in the <replaceable>[sssd]</replaceable> section."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-files.5.xml:111
+#, no-wrap
+msgid ""
+"[domain/files]\n"
+"id_provider = files\n"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refname>
+#: sssd-secrets.5.xml:10 sssd-secrets.5.xml:16
+msgid "sssd-secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refnamediv><refpurpose>
+#: sssd-secrets.5.xml:17
+msgid "SSSD Secrets responder"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:23
+msgid ""
+"This manual page describes the configuration of the Secrets responder for "
+"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
+"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
+"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
+"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:36
+msgid ""
+"Many system and user applications need to store private information such as "
+"passwords or service keys and have no good way to properly deal with them. "
+"The simple approach is to embed these <quote>secrets</quote> into "
+"configuration files potentially ending up exposing sensitive key material to "
+"backups, config management system and in general making it harder to secure "
+"data."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:45
+msgid ""
+"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
+"project was born to deal with this problem in cloud like environments, but "
+"we found the idea compelling even at a single system level. As a security "
+"service, SSSD is ideal to host this capability while offering the same API "
+"via a UNIX Socket. This will make it possible to use local calls and have "
+"them transparently routed to a local or a remote key management store like "
+"IPA Vault for storage, escrow and recovery."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:55
+msgid ""
+"The secrets are simple key-value pairs. Each user's secrets are namespaced "
+"using their user ID, which means the secrets will never collide between "
+"users. Secrets can be stored inside <quote>containers</quote> which can be "
+"nested."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:69
+msgid "secrets"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:70
+msgid "secrets for general usage"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
+#: sssd-secrets.5.xml:73
+msgid "kcm"
+msgstr ""
+
+#. 
type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
+#: sssd-secrets.5.xml:75
+msgid ""
+"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
+"<manvolnum>8</manvolnum> </citerefentry> service."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:61
+msgid ""
+"Since the secrets responder can be used both externally to store general "
+"secrets, as described in the rest of this man page, but also internally by "
+"other SSSD components to store their secret material, some configuration "
+"options, like quotas can be configured per <quote>hive</quote> in a "
+"configuration subsection named after the hive. The currently supported hives "
+"are: <placeholder type=\"variablelist\" id=\"0\"/>"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><title>
+#: sssd-secrets.5.xml:89
+msgid "USING THE SECRETS RESPONDER"
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:91
+msgid ""
+"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
+"run/secrets.socket</filename>."
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para><programlisting>
+#: sssd-secrets.5.xml:110
+#, no-wrap
+msgid ""
+"systemctl start sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.socket\n"
+"systemctl enable sssd-secrets.service\n"
+" "
+msgstr ""
+
+#. type: Content of: <reference><refentry><refsect1><para>
+#: sssd-secrets.5.xml:95
+msgid ""
+"The secrets responder is socket-activated by <citerefentry> "
+"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
+"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
+"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
+"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
+"corresponding service file is called <quote>sssd-secrets.service</quote>. 
In " +"order for the service to be socket-activated, make sure the socket is " +"enabled and active and the service is enabled: <placeholder type=" +"\"programlisting\" id=\"0\"/> Please note your distribution may already " +"configure the units for you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:122 +msgid "" +"The generic SSSD responder options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer " +"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some secrets-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:132 +msgid "" +"The secrets responder is configured with a global <quote>[secrets]</quote> " +"section and an optional per-user <quote>[secrets/users/$uid]</quote> section " +"in <filename>sssd.conf</filename>. Please note that some options, notably as " +"the provider type, can only be specified in the per-user subsections." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:141 +msgid "provider (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:157 +msgid "local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:160 +msgid "" +"The secrets are stored in a local database, encrypted at rest with a master " +"key. The local provider does not have any additional config options at the " +"moment." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:168 +msgid "proxy" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:171 +msgid "" +"The secrets responder forwards the requests to a Custodia server. The proxy " +"provider supports several additional options (see below)." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:144 +msgid "" +"This option specifies where should the secrets be stored. The secrets " +"responder can configure a per-user subsections (e.g. <quote>[secrets/" +"users/123]</quote> - see bottom of this manual page for a full example using " +"Custodia for a particular user) that define which provider store the secrets " +"for this particular user. The per-user subsections should contain all " +"options for that user's provider. Please note that currently the global " +"provider is always local, the proxy provider can only be specified in a per-" +"user section. The following providers are supported: <placeholder type=" +"\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:180 +msgid "Default: local" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:186 +msgid "" +"The following options affect only the secrets <quote>hive</quote> and " +"therefore should be set in a per-hive subsection. Setting the option to 0 " +"means \"unlimited\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:192 +msgid "containers_nest_level (integer)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:195 +msgid "This option specifies the maximum allowed number of nested containers." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:199 +msgid "Default: 4" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:204 +msgid "max_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:207 +msgid "" +"This option specifies the maximum number of secrets that can be stored in " +"the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:211 +msgid "Default: 1024 (secrets hive), 256 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:216 +msgid "max_uid_secrets (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:219 +msgid "" +"This option specifies the maximum number of secrets that can be stored per-" +"UID in the hive." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:223 +msgid "Default: 256 (secrets hive), 64 (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:228 +msgid "max_payload_size (integer)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:231 +msgid "" +"This option specifies the maximum payload size allowed for a secret payload " +"in kilobytes." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:235 +msgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:244 +#, no-wrap +msgid "" +"[secrets/secrets]\n" +"max_payload_size = 128\n" +"\n" +"[secrets/kcm]\n" +"max_payload_size = 256\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:241 +msgid "" +"For example, to adjust quotas differently for both the <quote>secrets</" +"quote> and the <quote>kcm</quote> hives, configure the following: " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:252 +msgid "" +"The following options are only applicable for configurations that use the " +"<quote>proxy</quote> provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:257 +msgid "proxy_url (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:260 +msgid "" +"The URL the Custodia server is listening on. At the moment, http and https " +"protocols are supported." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:267 +msgid "http[s]://<host>[:port]" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:270 +msgid "Example: http://localhost:8080" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:275 +msgid "auth_type (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:278 +msgid "" +"The method to use when authenticating to a Custodia server. The following " +"authentication methods are supported:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:283 +msgid "basic_auth" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:286 +msgid "" +"Authenticate with a username and a password as set in the <quote>username</" +"quote> and <quote>password</quote> options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:293 +msgid "header" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:296 +msgid "" +"Authenticate with HTTP header value as defined in the " +"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> " +"configuration options." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:307 +msgid "auth_header_name (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:310 +msgid "" +"If set, the secrets responder would put a header with this name into the " +"HTTP request with the value defined in the <quote>auth_header_value</quote> " +"configuration option." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:315 +msgid "Example: MYSECRETNAME" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:320 +msgid "auth_header_value (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:323 +msgid "" +"The value sssd-secrets would use for the <quote>auth_header_name</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:327 +msgid "Example: mysecret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:332 +msgid "forward_headers (list of strings)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:335 +msgid "" +"The list of HTTP headers to forward to the Custodia server together with the " +"request." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:344 +msgid "verify_peer (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:347 +msgid "" +"Whether peer's certificate should be verified and valid if HTTPS protocol is " +"used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:356 +msgid "verify_host (boolean)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:359 +msgid "" +"Whether peer's hostname must match with hostname in its certificate if HTTPS " +"protocol is used with the proxy provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:369 +msgid "capath (string)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:372 +msgid "" +"Path to directory containing stored certificate authority certificates. " +"System default path is used if this option is not set." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:382 +msgid "cacert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:385 +msgid "" +"Path to file containing server's certificate authority certificate. If this " +"option is not set then the CA's certificate is looked up in <quote>capath</" +"quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:395 +msgid "cert (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:398 +msgid "" +"Path to file containing client's certificate if required by the server. This " +"file may also contain private key or the private key may be in separate file " +"set with <quote>key</quote>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:409 +msgid "key (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:412 +msgid "Path to file containing client's private key." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:422 +msgid "USING THE REST API" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:424 +msgid "" +"This section lists the available commands and includes examples using the " +"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> " +"</citerefentry> utility. 
All requests towards the proxy provider must set " +"the Content Type header to <quote>application/json</quote>. In addition, the " +"local provider also supports Content Type set to <quote>application/octet-" +"stream</quote>. Secrets stored with requests that set the Content Type " +"header to <quote>application/octet-stream</quote> are base64-encoded when " +"stored and decoded when retrieved, so it's not possible to store a secret " +"with one Content Type and retrieve with another. The secret URI must begin " +"with <filename>/secrets/</filename>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:441 +msgid "Listing secrets" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:444 +msgid "" +"To list the available secrets, send a HTTP GET request with a trailing slash " +"appended to the container path." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:450 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:458 +msgid "Retrieving a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:461 +msgid "" +"To read a value of a single secret, send a HTTP GET request without a " +"trailing slash. The last portion of the URI is the name of the secret." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:468 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/foo\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:473 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XGET http://localhost/secrets/bar\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:466 +msgid "" +"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:481 +msgid "Setting a secret" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:484 +msgid "" +"To set a secret using the <quote>application/json</quote> type, send a HTTP " +"PUT request with a JSON payload that includes type and value. The type " +"should be set to \"simple\" and the value should be set to the secret value. " +"If a secret with that name already exists, the response is a 409 HTTP error." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:492 +msgid "" +"The <quote>application/json</quote> type just sends the secret as the " +"message payload." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:501 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/foo \\\n" +" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:507 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/octet-stream\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPUT http://localhost/secrets/bar \\\n" +" -d'barsecret'\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:496 +msgid "" +"The following example sets a secret named 'foo' to a value of 'foosecret' " +"and a secret named 'bar' to a value of 'barsecret' using a different Content " +"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type=" +"\"programlisting\" id=\"1\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:516 +msgid "Creating a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:519 +msgid "" +"Containers provide an additional namespace for this user's secrets. To " +"create a container, send a HTTP POST request, whose URI ends with the " +"container name. Please note the URI must end with a trailing slash." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:529 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XPOST http://localhost/secrets/mycontainer/\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:526 +msgid "" +"The following example creates a container named 'mycontainer': <placeholder " +"type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:538 +#, no-wrap +msgid "" +"http://localhost/secrets/mycontainer/mysecret\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:535 +msgid "" +"To manipulate secrets under this container, just nest the secrets underneath " +"the container path: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-secrets.5.xml:544 +msgid "Deleting a secret or a container" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:547 +msgid "" +"To delete a secret or a container, send a HTTP DELETE request with a path to " +"the secret or the container." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> +#: sssd-secrets.5.xml:553 +#, no-wrap +msgid "" +"curl -H \"Content-Type: application/json\" \\\n" +" --unix-socket /var/run/secrets.socket \\\n" +" -XDELETE http://localhost/secrets/foo\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-secrets.5.xml:551 +msgid "" +"The following example deletes a secret named 'foo'. <placeholder type=" +"\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-secrets.5.xml:563 +msgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:565 +msgid "" +"For testing the proxy provider, you need to set up a Custodia server to " +"proxy requests to. Please always consult the Custodia documentation, the " +"configuration directives might change with different Custodia versions." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-secrets.5.xml:576 +#, no-wrap +msgid "" +"[global]\n" +"server_version = \"Secret/0.0.7\"\n" +"server_url = http://localhost:8080/\n" +"auditlog = /var/log/custodia.log\n" +"debug = True\n" +"\n" +"[store:simple]\n" +"handler = custodia.store.sqlite.SqliteStore\n" +"dburi = /var/lib/custodia.db\n" +"table = secrets\n" +"\n" +"[auth:header]\n" +"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n" +"header = MYSECRETNAME\n" +"value = mysecretkey\n" +"\n" +"[authz:paths]\n" +"handler = custodia.httpd.authorizers.SimplePathAuthz\n" +"paths = /secrets\n" +"\n" +"[/]\n" +"handler = custodia.root.Root\n" +"store = simple\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:570 +msgid "" +"This configuration will set up a Custodia server listening on http://" +"localhost:8080, allowing anyone with header named MYSECRETNAME set to " +"mysecretkey to communicate with the Custodia server. Place the contents " +"into a file (for example, <replaceable>custodia.conf</replaceable>): " +"<placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:602 +msgid "" +"Then run the <replaceable>custodia</replaceable> command, pointing it at the " +"config file as a command line argument." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-secrets.5.xml:606 +msgid "" +"Please note that currently it's not possible to proxy all requests globally " +"to a Custodia instance. Instead, per-user subsections for user IDs that " +"should proxy requests to Custodia must be defined. The following example " +"illustrates a configuration, where the user with UID 123 would proxy their " +"requests to Custodia, but all other user's requests would be handled by a " +"local provider." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><programlisting> +#: sssd-secrets.5.xml:614 +#, no-wrap +msgid "" +"[secrets]\n" +"\n" +"[secrets/users/123]\n" +"provider = proxy\n" +"proxy_url = http://localhost:8080/secrets/\n" +"auth_type = header\n" +"auth_header_name = MYSECRETNAME\n" +"auth_header_value = mysecretkey\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 +msgid "sssd-session-recording" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-session-recording.5.xml:17 +msgid "Configuring session recording with SSSD" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:23 +msgid "" +"This manual page describes how to configure <citerefentry> " +"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " +"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " +"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " +"implement user session recording on text terminals. 
For a detailed " +"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " +"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " +"<manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:41 +msgid "" +"SSSD can be set up to enable recording of everything specific users see or " +"type during their sessions on text terminals. E.g. when users log in on the " +"console, or via SSH. SSSD itself doesn't record anything, but makes sure " +"tlog-rec-session is started upon user login, so it can record according to " +"its configuration." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:48 +msgid "" +"For users with session recording enabled, SSSD replaces the user shell with " +"tlog-rec-session in NSS responses, and adds a variable specifying the " +"original shell to the user environment, upon PAM session setup. This way " +"tlog-rec-session can be started in place of the user shell, and know which " +"actual shell to start, once it set up the recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:60 +msgid "These options can be used to configure the session recording." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-session-recording.5.xml:146 +msgid "" +"The following snippet of sssd.conf enables session recording for users " +"\"contractor1\" and \"contractor2\", and group \"students\"." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-session-recording.5.xml:151 +#, no-wrap +msgid "" +"[session_recording]\n" +"scope = some\n" +"users = contractor1, contractor2\n" +"groups = students\n" +msgstr "" + +#. 
type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 +msgid "sssd-kcm" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-kcm.8.xml:17 +msgid "SSSD Kerberos Cache Manager" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:23 +msgid "" +"This manual page describes the configuration of the SSSD Kerberos Cache " +"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " +"credential caches. It originates in the Heimdal Kerberos project, although " +"the MIT Kerberos library also provides client side (more details on that " +"below) support for the KCM credential cache." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:31 +msgid "" +"In a setup where Kerberos caches are managed by KCM, the Kerberos library " +"(typically used through an application, like e.g., <citerefentry> " +"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" +"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " +"being referred to as a <quote>\"KCM server\"</quote>. The client and server " +"communicate over a UNIX socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:42 +msgid "" +"The KCM server keeps track of each credential caches's owner and performs " +"access check control based on the UID and GID of the KCM client. The root " +"user has access to all credential caches." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:47 +msgid "The KCM credential cache has several interesting properties:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:51 +msgid "" +"since the process runs in userspace, it is subject to UID namespacing, " +"unlike the kernel keyring" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:56 +msgid "" +"unlike the kernel keyring-based cache, which is shared between all " +"containers, the KCM server is a separate process whose entry point is a UNIX " +"socket" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-kcm.8.xml:61 +msgid "" +"the SSSD implementation stores the ccaches in the SSSD <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry> secrets store, allowing the ccaches to survive KCM server " +"restarts or machine reboots." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:69 +msgid "" +"This allows the system to use a collection-aware credential cache, yet share " +"the credential cache between some or no containers by bind-mounting the " +"socket." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:76 +msgid "USING THE KCM CREDENTIAL CACHE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:86 +#, no-wrap +msgid "" +"[libdefaults]\n" +" default_ccache_name = KCM:\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:78 +msgid "" +"In order to use KCM credential cache, it must be selected as the default " +"credential type in <citerefentry> <refentrytitle>krb5.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " +"cache name must be only <quote>KCM:</quote> without any template " +"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:91 +msgid "" +"Next, make sure the Kerberos client libraries and the KCM server must agree " +"on the UNIX socket path. 
By default, both use the same path <replaceable>/" +"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " +"library, change its <quote>kcm_socket</quote> option which is described in " +"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:113 +#, no-wrap +msgid "" +"systemctl start sssd-kcm.socket\n" +"systemctl enable sssd-kcm.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:102 +msgid "" +"Finally, make sure the SSSD KCM server can be contacted. The KCM service is " +"typically socket-activated by <citerefentry> <refentrytitle>systemd</" +"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " +"services, it cannot be started by adding the <quote>kcm</quote> string to " +"the <quote>service</quote> directive. <placeholder type=\"programlisting\" " +"id=\"0\"/> Please note your distribution may already configure the units for " +"you." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-kcm.8.xml:122 +msgid "THE CREDENTIAL CACHE STORAGE" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><programlisting> +#: sssd-kcm.8.xml:131 +#, no-wrap +msgid "" +"systemctl start sssd-secrets.socket\n" +"systemctl enable sssd-secrets.socket\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:124 +msgid "" +"The credential caches are stored in the SSSD secrets service (see " +"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry> for more details). 
Therefore it is important that " +"also the sssd-secrets service is enabled and its socket is started: " +"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should " +"already set the dependencies between the services." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:141 +msgid "" +"The KCM service is configured in the <quote>kcm</quote> section of the sssd." +"conf file. Please note that currently, is it not sufficient to restart the " +"sssd-kcm service, because the sssd configuration is only parsed and read to " +"an internal configuration database by the sssd service. Therefore you must " +"restart the sssd service if you change anything in the <quote>kcm</quote> " +"section of sssd.conf. For a detailed syntax reference, refer to the " +"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd." +"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:155 +msgid "" +"The generic SSSD service options such as <quote>debug_level</quote> or " +"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " +"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for a complete list. In addition, " +"there are some KCM-specific options as well." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-kcm.8.xml:166 +msgid "socket_path (string)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:169 +msgid "The socket the KCM service will listen on." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-kcm.8.xml:172 +msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><para> +#: sssd-kcm.8.xml:182 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>," +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refname> +#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 +msgid "sssd-systemtap" +msgstr "" + +#. type: Content of: <reference><refentry><refnamediv><refpurpose> +#: sssd-systemtap.5.xml:17 +msgid "SSSD systemtap information" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:23 +msgid "" +"This manual page provides information about the systemtap functionality in " +"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " +"</citerefentry>." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para> +#: sssd-systemtap.5.xml:32 +msgid "" +"SystemTap Probe points have been added into various locations in SSSD code " +"to assist in troubleshooting and analyzing performance related issues." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:40 +msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> +#: sssd-systemtap.5.xml:46 +msgid "" +"Probes and miscellaneous functions are defined in /usr/share/systemtap/" +"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " +"respectively." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><title> +#: sssd-systemtap.5.xml:57 +msgid "PROBE POINTS" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para> +#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341 +msgid "" +"The information below lists the probe points and arguments available in the " +"following format:" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:64 +msgid "probe $name" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:67 +msgid "Description of probe point" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:70 +#, no-wrap +msgid "" +"variable1:datatype\n" +"variable2:datatype\n" +"variable3:datatype\n" +"...\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:80 +msgid "Database Transaction Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:84 +msgid "probe sssd_transaction_start" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:87 +msgid "" +"Start of a sysdb transaction, probes the sysdb_transaction_start() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 +#: sssd-systemtap.5.xml:131 +#, no-wrap +msgid "" +"nesting:integer\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:97 +msgid "probe sssd_transaction_cancel" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:100 +msgid "" +"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " +"function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:111 +msgid "probe sssd_transaction_commit_before" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:114 +msgid "Probes the sysdb_transaction_commit_before() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:124 +msgid "probe sssd_transaction_commit_after" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:127 +msgid "Probes the sysdb_transaction_commit_after() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:141 +msgid "LDAP Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:145 +msgid "probe sdap_search_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:148 +msgid "Probes the sdap_get_generic_ext_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196 +#, no-wrap +msgid "" +"base:string\n" +"scope:integer\n" +"filter:string\n" +"probestr:string\n" +" " +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:160 +msgid "probe sdap_search_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:163 +msgid "Probes the sdap_get_generic_ext_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:175 +msgid "probe sdap_deref_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:178 +msgid "Probes the sdap_deref_search_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:182 +#, no-wrap +msgid "" +"base_dn:string\n" +"deref_attr:string\n" +"probestr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:189 +msgid "probe sdap_deref_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:192 +msgid "Probes the sdap_deref_search_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:208 +msgid "LDAP Account Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:212 +msgid "probe sdap_acct_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:215 +msgid "Probes the sdap_acct_req_send() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234 +#, no-wrap +msgid "" +"entry_type:int\n" +"filter_type:int\n" +"filter_value:string\n" +"extra_value:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:227 +msgid "probe sdap_acct_req_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:230 +msgid "Probes the sdap_acct_req_recv() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:246 +msgid "LDAP User Search Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:250 +msgid "probe sdap_search_user_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:253 +msgid "Probes the sdap_search_user_send() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281 +#: sssd-systemtap.5.xml:293 +#, no-wrap +msgid "" +"filter:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:262 +msgid "probe sdap_search_user_recv" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:265 +msgid "Probes the sdap_search_user_recv() function." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:274 +msgid "probe sdap_search_user_save_begin" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:277 +msgid "Probes the sdap_search_user_save_begin() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:286 +msgid "probe sdap_search_user_save_end" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:289 +msgid "Probes the sdap_search_user_save_end() function." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:302 +msgid "Data Provider Request Probes" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:306 +msgid "probe dp_req_send" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:309 +msgid "A Data Provider request is submitted." +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:312 +#, no-wrap +msgid "" +"dp_req_domain:string\n" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:320 +msgid "probe dp_req_done" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:323 +msgid "A Data Provider request is completed." +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> +#: sssd-systemtap.5.xml:326 +#, no-wrap +msgid "" +"dp_req_name:string\n" +"dp_req_target:int\n" +"dp_req_method:int\n" +"dp_ret:int\n" +"dp_errorstr:string\n" +" " +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><title> +#: sssd-systemtap.5.xml:339 +msgid "MISCELLANEOUS FUNCTIONS" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:346 +msgid "function acct_req_desc(entry_type)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:349 +msgid "Convert entry_type to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:354 +msgid "" +"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " +"filter_value, extra_value)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:358 +msgid "Create probe string based on filter type" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:363 +msgid "function dp_target_str(target)" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:366 +msgid "Convert target to string and return string" +msgstr "" + +#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> +#: sssd-systemtap.5.xml:371 +msgid "function dp_method_str(target)" +msgstr "" + +#. 
type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> +#: sssd-systemtap.5.xml:374 +msgid "Convert method to string and return string" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/service_discovery.xml:2 +msgid "SERVICE DISCOVERY" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/service_discovery.xml:4 +msgid "" +"The service discovery feature allows back ends to automatically find the " +"appropriate servers to connect to using a special DNS query. This feature is " +"not supported for backup servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 +msgid "Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:11 +msgid "" +"If no servers are specified, the back end automatically uses service " +"discovery to try to find a server. Optionally, the user may choose to use " +"both fixed server addresses and service discovery by inserting a special " +"keyword, <quote>_srv_</quote>, in the list of servers. The order of " +"preference is maintained. This feature is useful if, for example, the user " +"prefers to use service discovery whenever possible, and fall back to a " +"specific server when no servers can be discovered using DNS." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:23 +msgid "The domain name" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:25 +msgid "" +"Please refer to the <quote>dns_discovery_domain</quote> parameter in the " +"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry> manual page for more details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:35 +msgid "The protocol" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:37 +msgid "" +"The queries usually specify _tcp as the protocol. Exceptions are documented " +"in respective option description." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/service_discovery.xml:42 +msgid "See Also" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/service_discovery.xml:44 +msgid "" +"For more information on the service discovery mechanism, refer to RFC 2782." +msgstr "" + +#. type: Content of: <refentryinfo> +#: include/upstream.xml:2 +msgid "" +"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure." +"io/SSSD/sssd/</orgname>" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/upstream.xml:1 +msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/failover.xml:2 +msgid "FAILOVER" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/failover.xml:4 +msgid "" +"The failover feature allows back ends to automatically switch to a different " +"server if the current server fails." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:8 +msgid "Failover Syntax" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:10 +msgid "" +"The list of servers is given as a comma-separated list; any number of spaces " +"is allowed around the comma. The servers are listed in order of preference. " +"The list can contain any number of servers." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:16 +msgid "" +"For each failover-enabled config option, two variants exist: " +"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " +"that servers in the primary list are preferred and backup servers are only " +"searched if no primary servers can be reached. 
If a backup server is " +"selected, a timeout of 31 seconds is set. After this timeout SSSD will " +"periodically try to reconnect to one of the primary servers. If it succeeds, " +"it will replace the current active (backup) server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:27 +msgid "The Failover Mechanism" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:29 +msgid "" +"The failover mechanism distinguishes between a machine and a service. The " +"back end first tries to resolve the hostname of a given machine; if this " +"resolution attempt fails, the machine is considered offline. No further " +"attempts are made to connect to this machine for any other service. If the " +"resolution attempt succeeds, the back end tries to connect to a service on " +"this machine. If the service connection attempt fails, then only this " +"particular service is considered offline and the back end automatically " +"switches over to the next service. The machine is still considered online " +"and might still be tried for another service." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:42 +msgid "" +"Further connection attempts are made to machines or services marked as " +"offline after a specified period of time; this is currently hard coded to 30 " +"seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:47 +msgid "" +"If there are no more machines to try, the back end as a whole switches to " +"offline mode, and then attempts to reconnect every 30 seconds." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/failover.xml:53 +msgid "Failover time outs and tuning" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:55 +msgid "" +"Resolving a server to connect to can be as simple as running a single DNS " +"query or can involve several steps, such as finding the correct site or " +"trying out multiple host names in case some of the configured servers are " +"not reachable. The more complex scenarios can take some time and SSSD needs " +"to balance between providing enough time to finish the resolution process " +"but on the other hand, not trying for too long before falling back to " +"offline mode. If the SSSD debug logs show that the server resolution is " +"timing out before a live server is contacted, you can consider changing the " +"time outs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:76 +msgid "dns_resolver_op_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:80 +msgid "How long would SSSD talk to a single DNS server." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> +#: include/failover.xml:86 +msgid "dns_resolver_timeout" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> +#: include/failover.xml:90 +msgid "" +"How long would SSSD try to resolve a failover service. This service " +"resolution internally might include several steps, such as resolving DNS SRV " +"queries or locating the site." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:67 +msgid "" +"This section lists the available tunables. Please refer to their description " +"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" +"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " +"id=\"0\"/>" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/failover.xml:100 +msgid "" +"For LDAP-based providers, the resolve operation is performed as part of an " +"LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout></" +"quote> timeout should be set to a larger value than " +"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " +"value than <quote>dns_resolver_op_timeout</quote>." +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ldap_id_mapping.xml:2 +msgid "ID MAPPING" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:4 +msgid "" +"The ID-mapping feature allows SSSD to act as a client of Active Directory " +"without requiring administrators to extend user attributes to support POSIX " +"attributes for user and group identifiers." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:9 +msgid "" +"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " +"ignored. This is to avoid the possibility of conflicts between automatically-" +"assigned and manually-assigned values. If you need to use manually-assigned " +"values, ALL values must be manually-assigned." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:16 +msgid "" +"Please note that changing the ID mapping related configuration options will " +"cause user and group IDs to change. At the moment, SSSD does not support " +"changing IDs, so the SSSD database must be removed. Because cached passwords " +"are also stored in the database, removing the database should only be " +"performed while the authentication servers are reachable, otherwise users " +"might get locked out. In order to cache the password, an authentication must " +"be performed. 
It is not sufficient to use <citerefentry> " +"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry> to remove the database, rather the process consists of:" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:33 +msgid "Making sure the remote servers are reachable" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:38 +msgid "Stopping the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:43 +msgid "Removing the database" +msgstr "" + +#. type: Content of: <refsect1><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:48 +msgid "Starting the SSSD service" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ldap_id_mapping.xml:52 +msgid "" +"Moreover, as the change of IDs might necessitate the adjustment of other " +"system properties such as file and directory ownership, it's advisable to " +"plan ahead and test the ID mapping configuration thoroughly." +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:59 +msgid "Mapping Algorithm" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:61 +msgid "" +"Active Directory provides an objectSID for every user and group object in " +"the directory. This objectSID can be broken up into components that " +"represent the Active Directory domain identity and the relative identifier " +"(RID) of the user or group object." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:67 +msgid "" +"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " +"into equally-sized component sections - called \"slices\"-. Each slice " +"represents the space available to an Active Directory domain." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:73 +msgid "" +"When a user or group entry for a particular domain is encountered for the " +"first time, the SSSD allocates one of the available slices for that domain. " +"In order to make this slice-assignment repeatable on different client " +"machines, we select the slice based on the following algorithm:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:80 +msgid "" +"The SID string is passed through the murmurhash3 algorithm to convert it to " +"a 32-bit hashed value. We then take the modulus of this value with the total " +"number of available slices to pick the slice." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:86 +msgid "" +"NOTE: It is possible to encounter collisions in the hash and subsequent " +"modulus. In these situations, we will select the next available slice, but " +"it may not be possible to reproduce the same exact set of slices on other " +"machines (since the order that they are encountered will determine their " +"slice). In this situation, it is recommended to either switch to using " +"explicit POSIX attributes in Active Directory (disabling ID-mapping) or " +"configure a default domain to guarantee that at least one is always " +"consistent. See <quote>Configuration</quote> for details." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:101 +msgid "" +"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><programlisting> +#: include/ldap_id_mapping.xml:106 +#, no-wrap +msgid "" +"ldap_id_mapping = True\n" +"ldap_schema = ad\n" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:111 +msgid "" +"The default configuration results in configuring 10,000 slices, each capable " +"of holding up to 200,000 IDs, starting from 200,000 and going up to " +"2,000,200,000. This should be sufficient for most deployments." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><title> +#: include/ldap_id_mapping.xml:117 +msgid "Advanced Configuration" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:120 +msgid "ldap_idmap_range_min (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:123 +msgid "" +"Specifies the lower bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:127 +msgid "" +"NOTE: This option is different from <quote>min_id</quote> in that " +"<quote>min_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>min_id</" +"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191 +msgid "Default: 200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:142 +msgid "ldap_idmap_range_max (integer)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:145 +msgid "" +"Specifies the upper bound of the range of POSIX IDs to use for mapping " +"Active Directory user and group SIDs." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:149 +msgid "" +"NOTE: This option is different from <quote>max_id</quote> in that " +"<quote>max_id</quote> acts to filter the output of requests to this domain, " +"whereas this option controls the range of ID assignment. This is a subtle " +"distinction, but the good general advice would be to have <quote>max_id</" +"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:159 +msgid "Default: 2000200000" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:164 +msgid "ldap_idmap_range_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:167 +msgid "" +"Specifies the number of IDs available for each slice. If the range size " +"does not divide evenly into the min and max values, it will create as many " +"complete slices as it can." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:173 +msgid "" +"NOTE: The value of this option must be at least as large as the highest user " +"RID planned for use on the Active Directory server. User lookups and login " +"will fail for any user whose RID is greater than this value." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:179 +msgid "" +"For example, if your most recently-added Active Directory user has " +"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " +"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " +"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:186 +msgid "" +"It is important to plan ahead for future expansion, as changing this value " +"will result in changing all of the ID mappings on the system, leading to " +"users with different local IDs than they previously had." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:196 +msgid "ldap_idmap_default_domain_sid (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:199 +msgid "" +"Specify the domain SID of the default domain. This will guarantee that this " +"domain will always be assigned to slice zero in the ID map, bypassing the " +"murmurhash algorithm described above." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:210 +msgid "ldap_idmap_default_domain (string)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:213 +msgid "Specify the name of the default domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:221 +msgid "ldap_idmap_autorid_compat (boolean)" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:224 +msgid "" +"Changes the behavior of the ID-mapping algorithm to behave more similarly to " +"winbind's <quote>idmap_autorid</quote> algorithm." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:229 +msgid "" +"When this option is configured, domains will be allocated starting with " +"slice zero and increasing monatomically with each additional domain." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:234 +msgid "" +"NOTE: This algorithm is non-deterministic (it depends on the order that " +"users and groups are requested). If this mode is required for compatibility " +"with machines running winbind, it is recommended to also use the " +"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " +"least one domain is consistently allocated to slice zero." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> +#: include/ldap_id_mapping.xml:249 +msgid "ldap_idmap_helper_table_size (integer)" +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:252 +msgid "" +"Maximal number of secondary slices that is tried when performing mapping " +"from UNIX id to SID." +msgstr "" + +#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> +#: include/ldap_id_mapping.xml:256 +msgid "" +"Note: Additional secondary slices might be generated when SID is being " +"mapped to UNIX id and RID part of SID is out of range for secondary slices " +"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " +"then no additional secondary slices are generated." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><title> +#: include/ldap_id_mapping.xml:273 +msgid "Well-Known SIDs" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:275 +msgid "" +"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " +"special hardcoded meaning. Since the generic users and groups related to " +"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " +"POSIX IDs are available for those objects." +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:281 +msgid "" +"The SID name space is organized in authorities which can be seen as " +"different domains. The authorities for the Well-Known SIDs are" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:284 +msgid "Null Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:285 +msgid "World Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:286 +msgid "Local Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:287 +msgid "Creator Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:288 +msgid "NT Authority" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> +#: include/ldap_id_mapping.xml:289 +msgid "Built-in" +msgstr "" + +#. type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:291 +msgid "" +"The capitalized version of these names are used as domain names when " +"returning the fully qualified name of a Well-Known SID." +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><para> +#: include/ldap_id_mapping.xml:295 +msgid "" +"Since some utilities allow to modify SID based access control information " +"with the help of a name instead of using the SID directly SSSD supports to " +"look up the SID by the name as well. To avoid collisions only the fully " +"qualified names can be used to look up Well-Known SIDs. As a result the " +"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " +"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT " +"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain " +"names in <filename>sssd.conf</filename>." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help.xml:3 +msgid "<option>-?</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/param_help.xml:7 include/param_help_py.xml:7 +msgid "Display help message and exit." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/param_help_py.xml:3 +msgid "<option>-h</option>,<option>--help</option>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 +msgid "" +"SSSD supports two representations for specifying the debug level. The " +"simplest is to specify a decimal value from 0-9, which represents enabling " +"that level and all lower-level debug messages. The more comprehensive option " +"is to specify a hexadecimal bitmask to enable or disable specific levels " +"(such as if you wish to suppress a level)." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:10 +msgid "" +"Please note that each SSSD service logs into its own log file. Also please " +"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " +"section only enables debugging just for the sssd process itself, not for the " +"responder or provider processes. 
The <quote>debug_level</quote> parameter " +"should be added to all sections that you wish to produce debug logs from." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:18 +msgid "" +"In addition to changing the log level in the config file using the " +"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " +"restart, it is also possible to change the debug level on the fly using the " +"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry> tool." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 +msgid "Currently supported debug levels:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 +msgid "" +"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " +"Anything that would prevent SSSD from starting up or causes it to cease " +"running." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 +msgid "" +"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " +"error that doesn't kill SSSD, but one that indicates that at least one major " +"feature is not going to work properly." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 +msgid "" +"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " +"error announcing that a particular request or operation has failed." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 +msgid "" +"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " +"are the errors that would percolate down to cause the operation failure of 2." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 +msgid "" +"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 +msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 +msgid "" +"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " +"operation functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 +msgid "" +"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " +"internal control functions." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 +msgid "" +"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" +"internal variables that may be interesting." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 +msgid "" +"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " +"tracing information." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62 +msgid "" +"To log required bitmask debug levels, simply add their numbers together as " +"shown in following examples:" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, critical failures, " +"serious failures and function data use 0x0270." +msgstr "" + +#. 
type: Content of: <listitem><para> +#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70 +msgid "" +"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " +"function data, trace messages for internal control functions use 0x1310." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75 +msgid "" +"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " +"in 1.7.0." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79 +msgid "<emphasis>Default</emphasis>: 0" +msgstr "" + +#. type: Content of: outside any tag (error?) +#: include/experimental.xml:1 +msgid "" +"<emphasis> This is an experimental feature, please use https://pagure.io/" +"SSSD/sssd/ to report any issues. </emphasis>" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/local.xml:2 +msgid "THE LOCAL DOMAIN" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:4 +msgid "" +"In order to function correctly, a domain with <quote>id_provider=local</" +"quote> must be created and the SSSD must be running." +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/local.xml:9 +msgid "" +"The administrator might want to use the SSSD local users instead of " +"traditional UNIX users in cases where the group nesting (see <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" +"citerefentry>) is needed. The local users are also useful for testing and " +"development of the SSSD without having to deploy a full remote server. The " +"<command>sss_user*</command> and <command>sss_group*</command> tools use a " +"local LDB storage to store users and groups." +msgstr "" + +#. 
type: Content of: <refsect1><para> +#: include/seealso.xml:4 +msgid "" +"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</" +"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </" +"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> " +"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> " +"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-" +"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, " +"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</" +"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</" 
+"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </" +"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition=" +"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" +"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " +"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" +"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " +"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" +"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" +"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " +"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " +"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" +"citerefentry> </phrase>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:3 +msgid "" +"An optional base DN, search scope and LDAP filter to restrict LDAP searches " +"for this attribute type." +msgstr "" + +#. type: Content of: <listitem><para><programlisting> +#: include/ldap_search_bases.xml:9 +#, no-wrap +msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:7 +msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:13 +msgid "" +"The scope can be one of \"base\", \"onelevel\" or \"subtree\". 
The scope " +"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" +"rfc4511" +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:23 +msgid "" +"For examples of this syntax, please refer to the <quote>ldap_search_base</" +"quote> examples section." +msgstr "" + +#. type: Content of: <listitem><para> +#: include/ldap_search_bases.xml:31 +msgid "" +"Please note that specifying scope or filter is not supported for searches " +"against an Active Directory Server that might yield a large number of " +"results and trigger the Range Retrieval extension in the response." +msgstr "" + +#. type: Content of: <para> +#: include/autofs_restart.xml:2 +msgid "" +"Please note that the automounter only reads the master map on startup, so if " +"any autofs-related changes are made to the sssd.conf, you typically also " +"need to restart the automounter daemon after restarting the SSSD." +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/override_homedir.xml:2 +msgid "override_homedir (string)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:16 +msgid "UID number" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:20 +msgid "domain name" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:23 +msgid "%f" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:24 +msgid "fully qualified user name (user@domain)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:27 +msgid "%l" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:28 +msgid "The first letter of the login name." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:32 +msgid "UPN - User Principal Name (name@REALM)" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:35 +msgid "%o" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:37 +msgid "The original home directory retrieved from the identity provider." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> +#: include/override_homedir.xml:42 +msgid "%H" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> +#: include/override_homedir.xml:44 +msgid "The value of configure option <emphasis>homedir_substring</emphasis>." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:5 +msgid "" +"Override the user's home directory. You can either provide an absolute value " +"or a template. In the template, the following sequences are substituted: " +"<placeholder type=\"variablelist\" id=\"0\"/>" +msgstr "" + +#. type: Content of: <varlistentry><listitem><para><programlisting> +#: include/override_homedir.xml:61 +#, no-wrap +msgid "" +"override_homedir = /home/%u\n" +" " +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/override_homedir.xml:65 +msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" +msgstr "" + +#. type: Content of: <varlistentry><term> +#: include/homedir_substring.xml:2 +msgid "homedir_substring (string)" +msgstr "" + +#. 
type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:5 +msgid "" +"The value of this option will be used in the expansion of the " +"<emphasis>override_homedir</emphasis> option if the template contains the " +"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " +"contain this template so that this option can be used to expand the home " +"directory path for each client machine (or operating system). It can be set " +"per-domain or globally in the [nss] section. A value specified in a domain " +"section will override one set in the [nss] section." +msgstr "" + +#. type: Content of: <varlistentry><listitem><para> +#: include/homedir_substring.xml:15 +msgid "Default: /home" +msgstr "" + +#. type: Content of: <refsect1><title> +#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 +msgid "MODIFIED DEFAULT OPTIONS" +msgstr "" + +#. type: Content of: <refsect1><para> +#: include/ad_modified_defaults.xml:4 +msgid "" +"Certain option defaults do not match their respective backend provider " +"defaults, these option names and AD provider-specific defaults are listed " +"below:" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 +msgid "KRB5 Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 +msgid "krb5_validate = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:18 +msgid "krb5_use_enterprise_principal = true" +msgstr "" + +#. type: Content of: <refsect1><refsect2><title> +#: include/ad_modified_defaults.xml:24 +msgid "LDAP Provider" +msgstr "" + +#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> +#: include/ad_modified_defaults.xml:28 +msgid "ldap_schema = ad" +msgstr "" + +#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
+msgid "ldap_force_upper_case_realm = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:38
+msgid "ldap_id_mapping = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:43
+msgid "ldap_sasl_mech = gssapi"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:48
+msgid "ldap_referrals = false"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ad"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
+msgid "ldap_use_tokengroups = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:63
+msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ad_modified_defaults.xml:66
+msgid ""
+"The AD provider looks for a different principal than the LDAP provider by "
+"default, because in an Active Directory environment the principals are "
+"divided into two groups - User Principals and Service Principals. Only User "
+"Principal can be used to obtain a TGT and by default, computer object's "
+"principal is constructed from its sAMAccountName and the AD realm. The well-"
+"known host/hostname@REALM principal is a Service Principal and thus cannot "
+"be used to get a TGT with."
+msgstr ""
+
+#. 
type: Content of: <refsect1><para>
+#: include/ipa_modified_defaults.xml:4
+msgid ""
+"Certain option defaults do not match their respective backend provider "
+"defaults, these option names and IPA provider-specific defaults are listed "
+"below:"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:18
+msgid "krb5_use_fast = try"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:23
+msgid "krb5_canonicalize = true"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:29
+msgid "LDAP Provider - General"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:33
+msgid "ldap_schema = ipa_v1"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:43
+msgid "ldap_sasl_mech = GSSAPI"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:48
+msgid "ldap_sasl_minssf = 56"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:53
+msgid "ldap_account_expire_policy = ipa"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:64
+msgid "LDAP Provider - User options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:68
+msgid "ldap_user_member_of = memberOf"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:73
+msgid "ldap_user_uuid = ipaUniqueID"
+msgstr ""
+
+#. 
type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:78
+msgid "ldap_user_ssh_public_key = ipaSshPubKey"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:83
+msgid "ldap_user_auth_type = ipaUserAuthType"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><title>
+#: include/ipa_modified_defaults.xml:89
+msgid "LDAP Provider - Group options"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:93
+msgid "ldap_group_object_class = ipaUserGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:98
+msgid "ldap_group_object_class_alt = posixGroup"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:103
+msgid "ldap_group_member = member"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:108
+msgid "ldap_group_uuid = ipaUniqueID"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:113
+msgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
+msgstr ""
+
+#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
+#: include/ipa_modified_defaults.xml:118
+msgid "ldap_group_external_member = ipaExternalMember"
+msgstr ""
diff --git a/src/man/pt/include/ad_modified_defaults.xml b/src/man/pt/include/ad_modified_defaults.xml
new file mode 100644
index 0000000..7c6def2
--- /dev/null
+++ b/src/man/pt/include/ad_modified_defaults.xml
@@ -0,0 +1,77 @@ +<refsect1 id='modified-default-options'> + <title>MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/pt/include/autofs_restart.xml b/src/man/pt/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/pt/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/pt/include/debug_levels.xml b/src/man/pt/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/pt/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+
+
+ To log required bitmask debug levels, simply add their numbers together as
+shown in following examples:
+
+
+ Example: To log fatal failures, critical failures,
+serious failures and function data use 0x0270.
+
+
+ Example: To log fatal failures, configuration settings,
+function data, trace messages for internal control functions use 0x1310.
+
+
+ Note: The bitmask format of debug levels was introduced
+in 1.7.0.
+
+
+ Default: 0
+
+
diff --git a/src/man/pt/include/debug_levels_tools.xml b/src/man/pt/include/debug_levels_tools.xml
new file mode 100644
index 0000000..8bc77cf
--- /dev/null
+++ b/src/man/pt/include/debug_levels_tools.xml
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/pt/include/experimental.xml b/src/man/pt/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/pt/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/pt/include/failover.xml b/src/man/pt/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/pt/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/pt/include/homedir_substring.xml b/src/man/pt/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/pt/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/pt/include/ipa_modified_defaults.xml b/src/man/pt/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/pt/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/pt/include/ldap_id_mapping.xml b/src/man/pt/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..175e0a9
--- /dev/null
+++ b/src/man/pt/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuração + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Padrão: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/pt/include/ldap_search_bases.xml b/src/man/pt/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/pt/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/pt/include/local.xml b/src/man/pt/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/pt/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/pt/include/override_homedir.xml b/src/man/pt/include/override_homedir.xml new file mode 100644 index 0000000..163e16c --- /dev/null +++ b/src/man/pt/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + nome de login + + + %U + Número UID + + + %d + nome de domínio + + + %f + nome totalmente qualificado do utilizador (utilizador@domínio) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + um literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/pt/include/param_help.xml b/src/man/pt/include/param_help.xml new file mode 100644 index 0000000..3fce9da --- /dev/null +++ b/src/man/pt/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Exibe a mensagem de ajuda e sai. + + + diff --git a/src/man/pt/include/param_help_py.xml b/src/man/pt/include/param_help_py.xml new file mode 100644 index 0000000..37d99bd --- /dev/null +++ b/src/man/pt/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Exibe a mensagem de ajuda e sai. + + + diff --git a/src/man/pt/include/seealso.xml b/src/man/pt/include/seealso.xml new file mode 100644 index 0000000..2c1259b --- /dev/null +++ b/src/man/pt/include/seealso.xml @@ -0,0 +1,61 @@ + + VER TAMBÉM + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/pt/include/service_discovery.xml b/src/man/pt/include/service_discovery.xml new file mode 100644 index 0000000..20ded77 --- /dev/null +++ b/src/man/pt/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + DESCOBERTA DE SERVIÇOS + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuração + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + O nome de domínio + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + O protocolo + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + Ver também + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/pt/include/upstream.xml b/src/man/pt/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/pt/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/pt/sss_groupdel.8.xml b/src/man/pt/sss_groupdel.8.xml new file mode 100644 index 0000000..b9bbb6e --- /dev/null +++ b/src/man/pt/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +Páginas de Manual de SSSD + + + + + sss_groupdel + 8 + + + + sss_groupdel + excluir um grupo + + + + +sss_groupdel +options GROUP + + + + DESCRIÇÃO + + sss_groupdel deletes a group identified by its name +GROUP from the system. + + + + + Opções + + + + + + + + + + + diff --git a/src/man/pt/sss_groupmod.8.xml b/src/man/pt/sss_groupmod.8.xml new file mode 100644 index 0000000..575c955 --- /dev/null +++ b/src/man/pt/sss_groupmod.8.xml 
@@ -0,0 +1,72 @@ + + + +Páginas de Manual de SSSD + + + + + sss_groupmod + 8 + + + + sss_groupmod + modificar um grupo + + + + +sss_groupmod +Opções +grupo + + + + DESCRIÇÃO + + sss_groupmod modifica o grupo para refletir as alterações +que são especificadas na linha de comando. + + + + + Opções + + + + , +GROUPS + + + + Acrescente este grupo para grupos especificados pelo parâmetro de +GROUPS. O parâmetro de +GROUPS é uma lista separada por vírgulas de nomes +de grupo. + + + + + + , +GROUPS + + + + Remova este grupo de grupos especificados pelo parâmetro de +GROUPS. + + + + + + + + + + + + + diff --git a/src/man/pt_BR/include/ad_modified_defaults.xml b/src/man/pt_BR/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/pt_BR/include/ad_modified_defaults.xml @@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + 
diff --git a/src/man/pt_BR/include/autofs_restart.xml b/src/man/pt_BR/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/pt_BR/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/pt_BR/include/debug_levels.xml b/src/man/pt_BR/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/pt_BR/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+
+
+ To log required bitmask debug levels, simply add their numbers together as
+shown in following examples:
+
+
+ Example: To log fatal failures, critical failures,
+serious failures and function data use 0x0270.
+
+
+ Example: To log fatal failures, configuration settings,
+function data, trace messages for internal control functions use 0x1310.
+
+
+ Note: The bitmask format of debug levels was introduced
+in 1.7.0.
+
+
+ Default: 0
+
+
diff --git a/src/man/pt_BR/include/debug_levels_tools.xml b/src/man/pt_BR/include/debug_levels_tools.xml
new file mode 100644
index 0000000..8bc77cf
--- /dev/null
+++ b/src/man/pt_BR/include/debug_levels_tools.xml
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/pt_BR/include/experimental.xml b/src/man/pt_BR/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/pt_BR/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/pt_BR/include/failover.xml b/src/man/pt_BR/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/pt_BR/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/pt_BR/include/homedir_substring.xml b/src/man/pt_BR/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/pt_BR/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/pt_BR/include/ipa_modified_defaults.xml b/src/man/pt_BR/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/pt_BR/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/pt_BR/include/ldap_id_mapping.xml b/src/man/pt_BR/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/pt_BR/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/pt_BR/include/ldap_search_bases.xml b/src/man/pt_BR/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/pt_BR/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/pt_BR/include/local.xml b/src/man/pt_BR/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/pt_BR/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/pt_BR/include/override_homedir.xml b/src/man/pt_BR/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/pt_BR/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/pt_BR/include/param_help.xml b/src/man/pt_BR/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/pt_BR/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/pt_BR/include/param_help_py.xml b/src/man/pt_BR/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/pt_BR/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/pt_BR/include/seealso.xml b/src/man/pt_BR/include/seealso.xml new file mode 100644 index 0000000..9b5b28a --- /dev/null +++ b/src/man/pt_BR/include/seealso.xml @@ -0,0 +1,61 @@ + + SEE ALSO + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/pt_BR/include/service_discovery.xml b/src/man/pt_BR/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/pt_BR/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/pt_BR/include/upstream.xml b/src/man/pt_BR/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/pt_BR/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/ru/include/ad_modified_defaults.xml b/src/man/ru/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/ru/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/ru/include/autofs_restart.xml b/src/man/ru/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/ru/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/ru/include/debug_levels.xml b/src/man/ru/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/ru/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/ru/include/debug_levels_tools.xml b/src/man/ru/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/ru/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/ru/include/experimental.xml b/src/man/ru/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/ru/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/ru/include/failover.xml b/src/man/ru/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/ru/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/ru/include/homedir_substring.xml b/src/man/ru/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/ru/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/ru/include/ipa_modified_defaults.xml b/src/man/ru/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/ru/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/ru/include/ldap_id_mapping.xml b/src/man/ru/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..8880a07
--- /dev/null
+++ b/src/man/ru/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + По умолчанию: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/ru/include/ldap_search_bases.xml b/src/man/ru/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/ru/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/ru/include/local.xml b/src/man/ru/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/ru/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/ru/include/override_homedir.xml b/src/man/ru/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/ru/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/ru/include/param_help.xml b/src/man/ru/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/ru/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/ru/include/param_help_py.xml b/src/man/ru/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/ru/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/ru/include/seealso.xml b/src/man/ru/include/seealso.xml new file mode 100644 index 0000000..ca39ba7 --- /dev/null +++ b/src/man/ru/include/seealso.xml @@ -0,0 +1,61 @@ + + СМ. ТАКЖЕ + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/ru/include/service_discovery.xml b/src/man/ru/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/ru/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/ru/include/upstream.xml b/src/man/ru/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/ru/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/sss-certmap.5.xml b/src/man/sss-certmap.5.xml new file mode 100644 index 0000000..db258d1 --- /dev/null +++ b/src/man/sss-certmap.5.xml 
@@ -0,0 +1,602 @@ + + + +SSSD Manual pages + + + + + sss-certmap + 5 + File Formats and Conventions + + + + sss-certmap + SSSD Certificate Matching and Mapping Rules + + + + DESCRIPTION + + The manual page describes the rules which can be used by SSSD and + other components to match X.509 certificates and map them to + accounts. + + + Each rule has four components, a priority, a + matching rule, a mapping rule and a + domain list. All components are optional. A missing + priority will add the rule with the lowest priority. + The default matching rule will match certificates with + the digitalSignature key usage and clientAuth extended key usage. If + the mapping rule is empty the certificates will be + searched in the userCertificate attribute as DER encoded binary. If + no domains are given only the local domain will be searched. + + + + + RULE COMPONENTS + + PRIORITY + + The rules are processed by priority while the number '0' (zero) + indicates the highest priority. The higher the number the lower is + the priority. A missing value indicates the lowest priority. The + rules processing is stopped when a matched rule is found and no + further rules are checked. + + + Internally the priority is treated as unsigned 32bit integer, using + a priority value larger than 4294967295 will cause an error. + + + + MATCHING RULE + + The matching rule is used to select a certificate to which the + mapping rule should be applied. It uses a system similar to the one + used by pkinit_cert_match option of MIT Kerberos. It + consists of a keyword enclosed by '<' and '>' which identified + a certain part of the certificate and a pattern which should be + found for the rule to match. Multiple keyword pattern pairs can be + either joined with '&&' (and) or '||' (or). + + + The available options are: + + + <SUBJECT>regular-expression + + + With this a part or the whole subject name of the + certificate can be matched. 
For the matching POSIX + Extended Regular Expression syntax is used, see regex(7) + for details. + + + For the matching the subject name stored in the + certificate in DER encoded ASN.1 is converted into a + string according to RFC 4514. This means the most + specific name component comes first. Please note that + not all possible attribute names are covered by RFC + 4514. The names included are 'CN', 'L', 'ST', 'O', + 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute + names might be shown differently on different platform + and by different tools. To avoid confusion those + attribute names are best not used or covered by a + suitable regular-expression. + + + Example: <SUBJECT>.*,DC=MY,DC=DOMAIN + + + + + <ISSUER>regular-expression + + + With this a part or the whole issuer name of the + certificate can be matched. All comments for + <SUBJECT> apply her as well. + + + Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$ + + + + + <KU>key-usage + + + This option can be used to specify which key usage + values the certificate should have. The following values + can be used in a comma separated list: + + digitalSignature + nonRepudiation + keyEncipherment + dataEncipherment + keyAgreement + keyCertSign + cRLSign + encipherOnly + decipherOnly + + + + A numerical value in the range of a 32bit unsigned + integer can be used as well to cover special use cases. + + + Example: <KU>digitalSignature,keyEncipherment + + + + + <EKU>extended-key-usage + + + This option can be used to specify which extended key + usage the certificate should have. The following value + can be used in a comma separated list: + + serverAuth + clientAuth + codeSigning + emailProtection + timeStamping + OCSPSigning + KPClientAuth + pkinit + msScLogin + + + + Extended key usages which are not listed above can be + specified with their OID in dotted-decimal notation. 
+ + + Example: <EKU>clientAuth,1.3.6.1.5.2.3.4 + + + + + <SAN>regular-expression + + + To be compatible with the usage of MIT Kerberos this + option will match the Kerberos principals in the PKINIT + or AD NT Principal SAN as <SAN:Principal> does. + + + Example: <SAN>.*@MY\.REALM + + + + + <SAN:Principal>regular-expression + + + Match the Kerberos principals in the PKINIT or AD NT + Principal SAN. + + + Example: <SAN:Principal>.*@MY\.REALM + + + + + <SAN:ntPrincipalName>regular-expression + + + Match the Kerberos principals from the AD NT Principal + SAN. + + + Example: <SAN:ntPrincipalName>.*@MY.AD.REALM + + + + + <SAN:pkinit>regular-expression + + + Match the Kerberos principals from the PKINIT SAN. + + + Example: <SAN:ntPrincipalName>.*@MY\.PKINIT\.REALM + + + + + <SAN:dotted-decimal-oid>regular-expression + + + Take the value of the otherName SAN component given by + the OID in dotted-decimal notation, interpret it as + string and try to match it against the regular + expression. + + + Example: <SAN:1.2.3.4>test + + + + + <SAN:otherName>base64-string + + + Do a binary match with the base64 encoded blob against + all otherName SAN components. With this option it is + possible to match against custom otherName components + with special encodings which could not be treated as + strings. + + + Example: <SAN:otherName>MTIz + + + + + <SAN:rfc822Name>regular-expression + + + Match the value of the rfc822Name SAN. + + + Example: <SAN:rfc822Name>.*@email\.domain + + + + + <SAN:dNSName>regular-expression + + + Match the value of the dNSName SAN. + + + Example: <SAN:dNSName>.*\.my\.dns\.domain + + + + + <SAN:x400Address>base64-string + + + Binary match the value of the x400Address SAN. + + + Example: <SAN:x400Address>MTIz + + + + + <SAN:directoryName>regular-expression + + + Match the value of the directoryName SAN. The same + comments as given for <ISSUER> and <SUBJECT> + apply here as well. 
+ + + Example: <SAN:directoryName>.*,DC=com + + + + + <SAN:ediPartyName>base64-string + + + Binary match the value of the ediPartyName SAN. + + + Example: <SAN:ediPartyName>MTIz + + + + + <SAN:uniformResourceIdentifier>regular-expression + + + Match the value of the uniformResourceIdentifier SAN. + + + Example: <SAN:uniformResourceIdentifier>URN:.* + + + + + <SAN:iPAddress>regular-expression + + + Match the value of the iPAddress SAN. + + + Example: <SAN:iPAddress>192\.168\..* + + + + + <SAN:registeredID>regular-expression + + + Match the value of the registeredID SAN as + dotted-decimal string. + + + Example: <SAN:registeredID>1\.2\.3\..* + + + + + + + + MAPPING RULE + + The mapping rule is used to associate a certificate with one or more + accounts. A Smartcard with the certificate and the matching private + key can then be used to authenticate as one of those accounts. + + + Currently SSSD basically only supports LDAP to lookup user + information (the exception is the proxy provider which is not of + relevance here). Because of this the mapping rule is based on LDAP + search filter syntax with templates to add certificate content to + the filter. It is expected that the filter will only contain the + specific data needed for the mapping and that the caller will embed + it in another filter to do the actual search. Because of this the + filter string should start and stop with '(' and ')' respectively. + + + In general it is recommended to use attributes from the certificate + and add them to special attributes to the LDAP user object. E.g. the + 'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' + attribute for IPA can be used. + + + This should be preferred to read user specific data from the + certificate like e.g. an email address and search for it in the LDAP + server. The reason is that the user specific data in LDAP might + change for various reasons would break the mapping. 
On the + other hand it would be hard to break the mapping on purpose for a + specific user. + + + The templates to add certificate data to the search filter are based + on Python-style formatting strings. They consist of a keyword in + curly braces with an optional sub-component specifier separated by a + '.' or an optional conversion/formatting option separated by a '!'. + Allowed values are: + + + {issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} + + + This template will add the full issuer DN converted to a + string according to RFC 4514. If X.500 ordering (most + specific RDN comes last) an option with the '_x500' + prefix should be used. + + + The conversion options starting with 'ad_' will use + attribute names as used by AD, e.g. 'S' instead of 'ST'. + + + The conversion options starting with 'nss_' will use + attribute names as used by NSS. + + + The default conversion option is 'nss', i.e. attribute + names according to NSS and LDAP/RFC 4514 ordering. + + + Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad}) + + + + + {subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} + + + This template will add the full subject DN converted to + string according to RFC 4514. If X.500 ordering (most + specific RDN comes last) an option with the '_x500' + prefix should be used. + + + The conversion options starting with 'ad_' will use + attribute names as used by AD, e.g. 'S' instead of 'ST'. + + + The conversion options starting with 'nss_' will use + attribute names as used by NSS. + + + The default conversion option is 'nss', i.e. attribute + names according to NSS and LDAP/RFC 4514 ordering. + + + Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}) + + + + + {cert[!(bin|base64)]} + + + This template will add the whole DER encoded certificate + as a string to the search filter. Depending on the + conversion option the binary certificate is either + converted to an escaped hex sequence '\xx' or base64. 
+ The escaped hex sequence is the default and can e.g. be + used with the LDAP attribute 'userCertificate;binary'. + + + Example: (userCertificate;binary={cert!bin}) + + + + + {subject_principal[.short_name]} + + + This template will add the Kerberos principal which is + taken either from the SAN used by pkinit or the one used + by AD. The 'short_name' component represents the first + part of the principal before the '@' sign. + + + Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) + + + + + {subject_pkinit_principal[.short_name]} + + + This template will add the Kerberos principal which is + given by the SAN used by pkinit. The 'short_name' + component represents the first part of the principal + before the '@' sign. + + + Example: (|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name})) + + + + + {subject_nt_principal[.short_name]} + + + This template will add the Kerberos principal which is + given by the SAN used by AD. The 'short_name' component + represent the first part of the principal before the '@' + sign. + + + Example: (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) + + + + + {subject_rfc822_name[.short_name]} + + + This template will add the string which is stored in the + rfc822Name component of the SAN, typically an email + address. The 'short_name' component represents the first + part of the address before the '@' sign. + + + Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name})) + + + + + {subject_dns_name[.short_name]} + + + This template will add the string which is stored in the + dNSName component of the SAN, typically a fully-qualified host name. + The 'short_name' component represents the first + part of the name before the first '.' sign. 
+ + + Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name})) + + + + + {subject_uri} + + + This template will add the string which is stored in the + uniformResourceIdentifier component of the SAN. + + + Example: (uri={subject_uri}) + + + + + {subject_ip_address} + + + This template will add the string which is stored in the + iPAddress component of the SAN. + + + Example: (ip={subject_ip_address}) + + + + + {subject_x400_address} + + + This template will add the value which is stored in the + x400Address component of the SAN as escaped hex + sequence. + + + Example: (attr:binary={subject_x400_address}) + + + + + {subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} + + + This template will add the DN string of the value which + is stored in the directoryName component of the SAN. + + + Example: (orig_dn={subject_directory_name}) + + + + + {subject_ediparty_name} + + + This template will add the value which is stored in the + ediPartyName component of the SAN as escaped hex + sequence. + + + Example: (attr:binary={subject_ediparty_name}) + + + + + {subject_registered_id} + + + This template will add the OID which is stored in the + registeredID component of the SAN as a dotted-decimal + string. + + + Example: (oid={subject_registered_id}) + + + + + + + + DOMAIN LIST + + If the domain list is not empty users mapped to a given certificate + are not only searched in the local domain but in the listed domains + as well as long as they are know by SSSD. Domains not know to SSSD + will be ignored. + + + + + diff --git a/src/man/sss_cache.8.xml b/src/man/sss_cache.8.xml new file mode 100644 index 0000000..221c0a8 --- /dev/null +++ b/src/man/sss_cache.8.xml 
@@ -0,0 +1,226 @@ + + + +SSSD Manual pages + + + + + sss_cache + 8 + + + + sss_cache + perform cache cleanup + + + + + sss_cache + + options + + + + + + DESCRIPTION + + sss_cache invalidates records in SSSD cache. + Invalidated records are forced to be reloaded from server as soon + as related SSSD backend is online. Options that invalidate a single + object only accept a single provided argument. + + + + + OPTIONS + + + + , + + + + Invalidate all cached entries. + + + + + + , + login + + + + Invalidate specific user. + + + + + + , + + + + Invalidate all user records. This option overrides + invalidation of specific user if it was also set. + + + + + + , + group + + + + Invalidate specific group. + + + + + + , + + + + Invalidate all group records. This option overrides + invalidation of specific group if it was also set. + + + + + + , + netgroup + + + + Invalidate specific netgroup. + + + + + + , + + + + Invalidate all netgroup records. This option overrides + invalidation of specific netgroup if it was also set. + + + + + + , + service + + + + Invalidate specific service. + + + + + + , + + + + Invalidate all service records. This option overrides + invalidation of specific service if it was also set. + + + + + + , + autofs-map + + + + Invalidate specific autofs maps. + + + + + + , + + + + Invalidate all autofs maps. This option overrides + invalidation of specific map if it was also set. + + + + + + , + hostname + + + + Invalidate SSH public keys of a specific host. + + + + + + , + + + + Invalidate SSH public keys of all hosts. This option + overrides invalidation of SSH public keys of specific + host if it was also set. + + + + + + , + rule + + + + Invalidate particular sudo rule. + + + + + + , + + + + Invalidate all cached sudo rules. This option + overrides invalidation of specific sudo rule + if it was also set. + + + + + + , + domain + + + + Restrict invalidation process only to a particular + domain. + + + + + + + + + + + 
diff --git a/src/man/sss_debuglevel.8.xml b/src/man/sss_debuglevel.8.xml new file mode 100644 index 0000000..0538dc5 --- /dev/null +++ b/src/man/sss_debuglevel.8.xml @@ -0,0 +1,41 @@ + + + +SSSD Manual pages + + + + + sss_debuglevel + 8 + + + + sss_debuglevel + [DEPRECATED] change debug level while SSSD is running + + + + + sss_debuglevel + + options + + NEW_DEBUG_LEVEL + + + + + DESCRIPTION + + sss_debuglevel is deprecated and replaced + by the sssctl debug-level command. Please refer to the + sssctl man page for more information on sssctl usage. + + + + + + + diff --git a/src/man/sss_groupadd.8.xml b/src/man/sss_groupadd.8.xml new file mode 100644 index 0000000..e12f950 --- /dev/null +++ b/src/man/sss_groupadd.8.xml @@ -0,0 +1,62 @@ + + + +SSSD Manual pages + + + + + sss_groupadd + 8 + + + + sss_groupadd + create a new group + + + + + sss_groupadd + + options + + GROUP + + + + + DESCRIPTION + + sss_groupadd creates a new group. These groups are compatible + with POSIX groups, with the additional feature that they can contain other groups + as members. + + + + + OPTIONS + + + + , + GID + + + + Set the GID of the group to the value of GID. + If not given, it is chosen automatically. + + + + + + + + + + + + + diff --git a/src/man/sss_groupdel.8.xml b/src/man/sss_groupdel.8.xml new file mode 100644 index 0000000..52062ea --- /dev/null +++ b/src/man/sss_groupdel.8.xml @@ -0,0 +1,50 @@ + + + +SSSD Manual pages + + + + + sss_groupdel + 8 + + + + sss_groupdel + delete a group + + + + + sss_groupdel + + options + + GROUP + + + + + DESCRIPTION + + sss_groupdel deletes a group + identified by its name GROUP + from the system. + + + + + OPTIONS + + + + + + + + + + + diff --git a/src/man/sss_groupmod.8.xml b/src/man/sss_groupmod.8.xml new file mode 100644 index 0000000..1b91a57 --- /dev/null +++ b/src/man/sss_groupmod.8.xml 
@@ -0,0 +1,76 @@ + + + +SSSD Manual pages + + + + + sss_groupmod + 8 + + + + sss_groupmod + modify a group + + + + + sss_groupmod + + options + + GROUP + + + + + DESCRIPTION + + sss_groupmod modifies the + group to reflect the changes that are specified on + the command line. + + + + + OPTIONS + + + + , + GROUPS + + + + Append this group to groups specified by the + GROUPS parameter. + The GROUPS parameter + is a comma separated list of group names. + + + + + + , + GROUPS + + + + Remove this group from groups specified by the + GROUPS parameter. + + + + + + + + + + + + + diff --git a/src/man/sss_groupshow.8.xml b/src/man/sss_groupshow.8.xml new file mode 100644 index 0000000..4077807 --- /dev/null +++ b/src/man/sss_groupshow.8.xml @@ -0,0 +1,62 @@ + + + +SSSD Manual pages + + + + + sss_groupshow + 8 + + + + sss_groupshow + print properties of a group + + + + + sss_groupshow + + options + + GROUP + + + + + DESCRIPTION + + sss_groupshow displays information about a group + identified by its name GROUP. The information + includes the group ID number, members of the group and the parent group. + + + + + OPTIONS + + + + , + + + + Also print indirect group members in a tree-like hierarchy. + Note that this also affects printing parent groups - without + , only the direct parent will be printed. + + + + + + + + + + + + + diff --git a/src/man/sss_obfuscate.8.xml b/src/man/sss_obfuscate.8.xml new file mode 100644 index 0000000..eeea5fa --- /dev/null +++ b/src/man/sss_obfuscate.8.xml 
@@ -0,0 +1,105 @@ + + + +SSSD Manual pages + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + obfuscate a clear text password + + + + + sss_obfuscate + + options + + [PASSWORD] + + + + + DESCRIPTION + + sss_obfuscate converts a given password into + human-unreadable format and places it into appropriate domain + section of the SSSD config file. + + + The cleartext password is read from standard input or entered interactively. + The obfuscated password is put into ldap_default_authtok + parameter of a given SSSD domain and the + ldap_default_authtok_type parameter is set to + obfuscated_password. Refer to + + sssd-ldap + 5 + + for more details on these parameters. + + + Please note that obfuscating the password provides no + real security benefit as it is still possible for an + attacker to reverse-engineer the password back. Using better + authentication mechanisms such as client side certificates or GSSAPI + is strongly advised. + + + + + OPTIONS + + + + + , + + + + The password to obfuscate will be read from standard + input. + + + + + + , + DOMAIN + + + + The SSSD domain to use the password in. The + default name is default. + + + + + + , + FILE + + + + Read the config file specified by the positional + parameter. + + + Default: /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/sss_override.8.xml b/src/man/sss_override.8.xml new file mode 100644 index 0000000..9f4d1c8 --- /dev/null +++ b/src/man/sss_override.8.xml 
@@ -0,0 +1,279 @@ + + + +SSSD Manual pages + + + + + sss_override + 8 + + + + sss_override + create local overrides of user and group attributes + + + + + sss_override + COMMAND + + options + + + + + + DESCRIPTION + + sss_override enables to create a client-side + view and allows to change selected values of specific user + and groups. This change takes effect only on local machine. + + + Overrides data are stored in the SSSD cache. If the cache is deleted, + all local overrides are lost. Please note that after the first + override is created using any of the following + user-add, group-add, + user-import or + group-import command. SSSD needs to be + restarted to take effect. + sss_override prints message when a restart is + required. + + + + + AVAILABLE COMMANDS + + Argument NAME is the name of original object + in all commands. It is not possible to override + uid or gid to 0. + + + + + + NAME + NAME + UID + GID + HOME + SHELL + GECOS + + BASE64 ENCODED CERTIFICATE + + + + Override attributes of an user. Please be aware that + calling this command will replace any previous override + for the (NAMEd) user. + + + + + + + NAME + + + + Remove user overrides. However be aware that overridden + attributes might be returned from memory cache. Please + see SSSD option memcache_timeout + for more details. + + + + + + + DOMAIN + + + + List all users with set overrides. + If DOMAIN parameter is set, + only users from the domain are listed. + + + + + + + NAME + + + + Show user overrides. + + + + + + + FILE + + + + Import user overrides from FILE. + Data format is similar to standard passwd file. + The format is: + + + original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate + + + where original_name is original name of the user whose + attributes should be overridden. The rest of fields + correspond to new values. You can omit a value simply + by leaving corresponding field empty. 
+ + + Examples: + + + ckent:superman:::::: + + + ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash: + + + + + + + FILE + + + + Export all overridden attributes and store them in + FILE. See + user-import for data format. + + + + + + + NAME + NAME + GID + + + + Override attributes of a group. Please be aware that + calling this command will replace any previous override + for the (NAMEd) group. + + + + + + + NAME + + + + Remove group overrides. However be aware that overridden + attributes might be returned from memory cache. Please + see SSSD option memcache_timeout + for more details. + + + + + + + DOMAIN + + + + List all groups with set overrides. + If DOMAIN parameter is set, + only groups from the domain are listed. + + + + + + + NAME + + + + Show group overrides. + + + + + + + FILE + + + + Import group overrides from FILE. + Data format is similar to standard group file. + The format is: + + + original_name:name:gid + + + where original_name is original name of the group whose + attributes should be overridden. The rest of fields + correspond to new values. You can omit a value simply + by leaving corresponding field empty. + + + Examples: + + + admins:administrators: + + + Domain Users:Users:501 + + + + + + + FILE + + + + Export all overridden attributes and store them in + FILE. See + group-import for data format. + + + + + + + + COMMON OPTIONS + + Those options are available with all commands. + + + + + + LEVEL + + + + + + + + + + diff --git a/src/man/sss_rpcidmapd.5.xml b/src/man/sss_rpcidmapd.5.xml new file mode 100644 index 0000000..e2d0fe9 --- /dev/null +++ b/src/man/sss_rpcidmapd.5.xml 
@@ -0,0 +1,132 @@ + + + +SSSD Manual pages + + + sss rpc.idmapd plugin + + Noam + Meltzer + + Primary Data Inc. + + Developer (2013-2014) + + + Noam + Meltzer + Developer (2014-) + tsnoam@gmail.com + + + + + sss_rpcidmapd + 5 + File Formats and Conventions + + + + sss_rpcidmapd + sss plugin configuration directives for rpc.idmapd + + + + CONFIGURATION FILE + + rpc.idmapd configuration file is usually found at + /etc/idmapd.conf. See + + idmapd.conf + 5 + for more information. + + + + + SSS CONFIGURATION EXTENSION + + Enable SSS plugin + + In section [Translation], modify/set + Method attribute to contain + sss. + + + + [sss] config section + + In order to change the default of one of the configuration + attributes of the sss plugin listed + below you will need to create a config section for it, named + [sss]. + + + Configuration attributes + + memcache (bool) + + + Indicates whether or not to use memcache + optimisation technique. + + + Default: True + + + + + + + + + SSSD INTEGRATION + + The sss plugin requires the NSS Responder + to be enabled in sssd. + + + The attribute use_fully_qualified_names must be + enabled on all domains (NFSv4 clients expect a fully qualified name + to be sent on the wire). + + + + + EXAMPLE + + The following example shows a minimal idmapd.conf which makes use of + the sss plugin. + +[General] +Verbosity = 2 +# domain must be synced between NFSv4 server and clients +# Solaris/Illumos/AIX use "localdomain" as default! +Domain = default + +[Mapping] +Nobody-User = nfsnobody +Nobody-Group = nfsnobody + +[Translation] +Method = sss + + + + + + SEE ALSO + + + sssd8 + , + + idmapd.conf + 5 + + + + + diff --git a/src/man/sss_seed.8.xml b/src/man/sss_seed.8.xml new file mode 100644 index 0000000..39f8c02 --- /dev/null +++ b/src/man/sss_seed.8.xml 
@@ -0,0 +1,177 @@ + + + +SSSD Manual pages + + + + + sss_seed + 8 + + + + sss_seed + seed the SSSD cache with a user + + + + + sss_seed + + options + + -D DOMAIN + -n USER + + + + + DESCRIPTION + + sss_seed seeds the SSSD cache with a user entry + and temporary password. If a user entry is already present in the + SSSD cache then the entry is updated with the temporary password. + + + + + + + OPTIONS + + + + , + DOMAIN + + + + Provide the name of the domain in which the + user is a member of. The domain is also used to + retrieve user information. The domain must be configured + in sssd.conf. The DOMAIN + option must be provided. + Information retrieved from the domain + overrides what is provided in the options. + + + + + + , + USER + + + + The username of the entry to be created or modified + in the cache. The USER option + must be provided. + + + + + + , + UID + + + + Set the UID of the user to + UID. + + + + + + , + GID + + + + Set the GID of the user to + GID. + + + + + + , + COMMENT + + + + Any text string describing the user. Often used as + the field for the user's full name. + + + + + + , + HOME_DIR + + + + Set the home directory of the user to + HOME_DIR. + + + + + + , + SHELL + + + + Set the login shell of the user to + SHELL. + + + + + + , + + + + Interactive mode for entering user information. This + option will only prompt for information not provided in + the options or retrieved from the domain. + + + + + + , + PASS_FILE + + + + Specify file to read user's password from. (if not + specified password is prompted for) + + + + + + + + + NOTES + + The length of the password (or the size of file specified with -p + or --password-file option) must be less than or equal to PASS_MAX + bytes (64 bytes on systems with no globally-defined PASS_MAX value). + + + + + + + + + + diff --git a/src/man/sss_ssh_authorizedkeys.1.xml b/src/man/sss_ssh_authorizedkeys.1.xml new file mode 100644 index 0000000..2f4756d --- /dev/null 
+++ b/src/man/sss_ssh_authorizedkeys.1.xml 
@@ -0,0 +1,151 @@ + + + +SSSD Manual pages + + + + + sss_ssh_authorizedkeys + 1 + + + + sss_ssh_authorizedkeys + get OpenSSH authorized keys + + + + + sss_ssh_authorizedkeys + + options + + USER + + + + + DESCRIPTION + + sss_ssh_authorizedkeys acquires SSH + public keys for user USER and + outputs them in OpenSSH authorized_keys format (see the + AUTHORIZED_KEYS FILE FORMAT section of + sshd + 8 for more + information). + + + sshd + 8 can be configured + to use sss_ssh_authorizedkeys for public + key user authentication if it is compiled with support for + AuthorizedKeysCommand option. Please refer + to the + sshd_config + 5 man page for more + details about this option. + + + If AuthorizedKeysCommand is supported, + sshd + 8 can be configured to + use it by putting the following directives in + sshd_config + 5: + + AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys + AuthorizedKeysCommandUser nobody + + + + + KEYS FROM CERTIFICATES + + In addition to the public SSH keys for user + USER + sss_ssh_authorizedkeys can return public SSH keys + derived from the public key of a X.509 certificate as well. + + + To enable this the ssh_use_certificate_keys option + must be set to true (default) in the [ssh] section of + sssd.conf. If the user entry contains + certificates (see ldap_user_certificate in + sssd-ldap + 5 + for details) or there is a certificate in an override entry for the + user (see + sss_override + 8 + or sssd-ipa + 5 + for details) and the certificate is valid SSSD will extract the + public key from the certificate and convert it into the format + expected by sshd. + + + Besides ssh_use_certificate_keys the options + + ca_db + p11_child_timeout + certificate_verification + + can be used to control how the certificates are validated (see + sssd.conf + 5 for details). + + + The validation is the benefit of using X.509 certificates instead of + SSH keys directly because e.g. it gives a better control of the + lifetime of the keys. 
When the ssh client is configured to use the + private keys from a Smartcard with the help of a PKCS#11 shared + library (see + ssh + 1 + for details) it might be irritating that authentication is still + working even if the related X.509 certificate on the Smartcard is + already expired because neither ssh nor + sshd will look at the certificate at all. + + + It has to be noted that the derived public SSH key can still be + added to the authorized_keys file of the user + to bypass the certificate validation if the sshd + configuration permits this. + + + + + + OPTIONS + + + + , + DOMAIN + + + + Search for user public keys in SSSD domain DOMAIN. + + + + + + + + + EXIT STATUS + + In case of success, an exit value of 0 is returned. Otherwise, + 1 is returned. + + + + + + + diff --git a/src/man/sss_ssh_knownhostsproxy.1.xml b/src/man/sss_ssh_knownhostsproxy.1.xml new file mode 100644 index 0000000..f84732c --- /dev/null +++ b/src/man/sss_ssh_knownhostsproxy.1.xml 
@@ -0,0 +1,112 @@ + + + +SSSD Manual pages + + + + + sss_ssh_knownhostsproxy + 1 + + + + sss_ssh_knownhostsproxy + get OpenSSH host keys + + + + + sss_ssh_knownhostsproxy + + options + + HOST + PROXY_COMMAND + + + + + DESCRIPTION + + sss_ssh_knownhostsproxy acquires SSH host + public keys for host HOST, stores + them in a custom OpenSSH known_hosts file (see the + SSH_KNOWN_HOSTS FILE FORMAT section of + sshd + 8 for more information) + /var/lib/sss/pubconf/known_hosts and + establishes the connection to the host. + + + If PROXY_COMMAND is specified, + it is used to create the connection to the host instead of + opening a socket. + + + ssh + 1 can be configured to + use sss_ssh_knownhostsproxy for host key + authentication by using the following directives for + ssh + 1 configuration: + +ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + + + + + + OPTIONS + + + + , + PORT + + + + Use port PORT to connect to the host. + By default, port 22 is used. + + + + + + , + DOMAIN + + + + Search for host public keys in SSSD domain DOMAIN. + + + + + + , + + + + Print the host ssh public keys for host HOST. + + + + + + + + + EXIT STATUS + + In case of success, an exit value of 0 is returned. Otherwise, + 1 is returned. + + + + + + + diff --git a/src/man/sss_useradd.8.xml b/src/man/sss_useradd.8.xml new file mode 100644 index 0000000..f937599 --- /dev/null +++ b/src/man/sss_useradd.8.xml 
@@ -0,0 +1,175 @@ + + + +SSSD Manual pages + + + + + sss_useradd + 8 + + + + sss_useradd + create a new user + + + + + sss_useradd + + options + + LOGIN + + + + + DESCRIPTION + + sss_useradd creates a new user account using + the values specified on the command line plus the default values from + the system. + + + + + OPTIONS + + + + , + UID + + + + Set the UID of the user to the value of UID. + If not given, it is chosen automatically. + + + + + + , + COMMENT + + + + Any text string describing the user. Often used as + the field for the user's full name. + + + + + + , + HOME_DIR + + + + The home directory of the user account. + The default is to append the LOGIN name + to /home and use that as the home directory. + The base that is prepended before LOGIN is tunable + with user_defaults/baseDirectory setting in sssd.conf. + + + + + + , + SHELL + + + + The user's login shell. The default is currently /bin/bash. + The default can be changed with + user_defaults/defaultShell setting + in sssd.conf. + + + + + + , + GROUPS + + + + A list of existing groups this user is also a member of. + + + + + + , + + + + Create the user's home directory if it does not + exist. The files and directories contained in the + skeleton directory (which can be defined with the + -k option or in the config file) will be copied + to the home directory. + + + + + + , + + + + Do not create the user's home directory. Overrides + configuration settings. + + + + + + , + SKELDIR + + + + The skeleton directory, which contains files + and directories to be copied in the user's home + directory, when the home directory is + created by sss_useradd. + + + Special files (block devices, character devices, named + pipes and unix sockets) will not be copied. + + + This option is only valid if the + (or ) option is + specified, or creation of home directories is set to TRUE + in the configuration. + + + + + + , + SELINUX_USER + + + + The SELinux user for the user's login. 
If not specified, + the system default will be used. + + + + + + + + + + + + + diff --git a/src/man/sss_userdel.8.xml b/src/man/sss_userdel.8.xml new file mode 100644 index 0000000..3bff8c8 --- /dev/null +++ b/src/man/sss_userdel.8.xml @@ -0,0 +1,97 @@ + + + +SSSD Manual pages + + + + + sss_userdel + 8 + + + + sss_userdel + delete a user account + + + + + sss_userdel + + options + + LOGIN + + + + + DESCRIPTION + + sss_userdel deletes a user + identified by login name LOGIN + from the system. + + + + + OPTIONS + + + + + , + + + + Files in the user's home directory will be + removed along with the home directory itself and + the user's mail spool. Overrides the configuration. + + + + + + , + + + + Files in the user's home directory will NOT be + removed along with the home directory itself and + the user's mail spool. Overrides the configuration. + + + + + + , + + + + This option forces sss_userdel + to remove the user's home directory and mail spool, + even if they are not owned by the specified user. + + + + + + , + + + + Before actually deleting the user, terminate all + his processes. + + + + + + + + + + + + diff --git a/src/man/sss_usermod.8.xml b/src/man/sss_usermod.8.xml new file mode 100644 index 0000000..b9fef82 --- /dev/null +++ b/src/man/sss_usermod.8.xml 
@@ -0,0 +1,178 @@ + + + +SSSD Manual pages + + + + + sss_usermod + 8 + + + + sss_usermod + modify a user account + + + + + sss_usermod + + options + + LOGIN + + + + + DESCRIPTION + + sss_usermod modifies the + account specified by LOGIN + to reflect the changes that are specified on the command line. + + + + + OPTIONS + + + + , + COMMENT + + + + Any text string describing the user. Often used as + the field for the user's full name. + + + + + + , + HOME_DIR + + + + The home directory of the user account. + + + + + + , + SHELL + + + + The user's login shell. + + + + + + , + GROUPS + + + + Append this user to groups specified by the + GROUPS parameter. + The GROUPS parameter + is a comma separated list of group names. + + + + + + , + GROUPS + + + + Remove this user from groups specified by the + GROUPS parameter. + + + + + + , + + + + Lock the user account. The user won't be able + to log in. + + + + + + , + + + + Unlock the user account. + + + + + + , + SELINUX_USER + + + + The SELinux user for the user's login. + + + + + + + ATTR_NAME_VAL + + + + Add an attribute/value pair. The format is + attrname=value. + + + + + + + ATTR_NAME_VAL + + + + Set an attribute to a name/value pair. The format + is attrname=value. For multi-valued attributes, + the command replaces the values already present + + + + + + + ATTR_NAME_VAL + + + + Delete an attribute/value pair. The format is attrname=value. + + + + + + + + + + + + + diff --git a/src/man/sssctl.8.xml b/src/man/sssctl.8.xml new file mode 100644 index 0000000..7e19e00 --- /dev/null +++ b/src/man/sssctl.8.xml 
@@ -0,0 +1,68 @@ + + + +SSSD Manual pages + + + + + sssctl + 8 + + + + sssctl + SSSD control and status utility + + + + + sssctl + COMMAND + + options + + + + + + DESCRIPTION + + sssctl provides a simple and unified way + to obtain information about SSSD status, such as active server, + auto-discovered servers, domains and cached objects. In addition, + it can manage SSSD data files for troubleshooting in such a way + that is safe to manipulate while SSSD is running. + + + + + AVAILABLE COMMANDS + + To list all available commands run sssctl + without any parameters. To print help for selected command + run sssctl COMMAND --help. + + + + + COMMON OPTIONS + + Those options are available with all commands. + + + + + + LEVEL + + + + + + + + + + diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml new file mode 100644 index 0000000..f43c7fc --- /dev/null +++ b/src/man/sssd-ad.5.xml 
@@ -0,0 +1,1096 @@ + + + +SSSD Manual pages + + + + + sssd-ad + 5 + File Formats and Conventions + + + + sssd-ad + SSSD Active Directory provider + + + + DESCRIPTION + + This manual page describes the configuration of the AD provider + for + + sssd + 8 + . + For a detailed syntax reference, refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + The AD provider is a back end used to connect to an Active + Directory server. This provider requires that the machine be + joined to the AD domain and a keytab is available. Back end + communication occurs over a GSSAPI-encrypted channel, SSL/TLS + options should not be used with the AD provider and will be + superseded by Kerberos usage. + + + The AD provider supports connecting to Active Directory 2008 R2 + or later. Earlier versions may work, but are unsupported. + + + The AD provider can be used to get user information + and authenticate users from trusted domains. Currently + only trusted domains in the same forest are recognized. In + addition servers from trusted domains are always auto-discovered. + + + The AD provider enables SSSD to use the + + sssd-ldap + 5 + identity provider and the + + sssd-krb5 + 5 + authentication provider with optimizations for + Active Directory environments. The AD provider accepts the same + options used by the sssd-ldap and sssd-krb5 providers with some + exceptions. However, it is neither necessary nor recommended to + set these options. + + + The AD provider primarily copies the traditional ldap and krb5 + provider default options with some exceptions, the differences + are listed in the MODIFIED DEFAULT OPTIONS section. + + + The AD provider can also be used as an access, chpass, + sudo and autofs provider. No configuration of the access provider + is required on the client side. + + + If auth_provider=ad or + access_provider=ad is configured + in sssd.conf then the id_provider must also be set to + ad. 
+ + + By default, the AD provider will map UID and GID values from the + objectSID parameter in Active Directory. For details on this, see + the ID MAPPING section below. If you want to + disable ID mapping and instead rely on POSIX attributes defined in + Active Directory, you should set + +ldap_id_mapping = False + + If POSIX attributes should be used, it is recommended for + performance reasons that the attributes are also replicated + to the Global Catalog. If POSIX attributes are replicated, + SSSD will attempt to locate the domain of a requested + numerical ID with the help of the Global Catalog and only + search that domain. In contrast, if POSIX attributes are not + replicated to the Global Catalog, SSSD must search all the + domains in the forest sequentially. Please note that the + cache_first option might be also helpful in + speeding up domainless searches. + Note that if only a subset of POSIX attributes is present in + the Global Catalog, the non-replicated attributes are currently + not read from the LDAP port. + + + Users, groups and other entities served by SSSD are always treated as + case-insensitive in the AD provider for compatibility with Active + Directory's LDAP implementation. + + + + + CONFIGURATION OPTIONS + Refer to the section DOMAIN SECTIONS of the + + sssd.conf + 5 + manual page for details on the configuration of an SSSD domain. + + + ad_domain (string) + + + Specifies the name of the Active Directory domain. + This is optional. If not provided, the + configuration domain name is used. + + + For proper operation, this option should be + specified as the lower-case version of the long + version of the Active Directory domain. + + + The short domain name (also known as the NetBIOS + or the flat name) is autodetected by the SSSD. + + + + + + ad_enabled_domains (string) + + + A comma-separated list of enabled Active Directory domains. + If provided, SSSD will ignore any domains not listed in this + option. 
If left unset, all domains from the AD forest will + be available. + + + For proper operation, this option must be specified in all + lower-case and as the fully qualified domain name of the + Active Directory domain. For example: + +ad_enabled_domains = sales.example.com, eng.example.com + + + + The short domain name (also known as the NetBIOS or the flat + name) will be autodetected by SSSD. + + + Default: Not set + + + + + + ad_server, ad_backup_server (string) + + + The comma-separated list of + hostnames of the AD servers to which SSSD should + connect in order of preference. For more + information on failover and server redundancy, see + the FAILOVER section. + + + This is optional if autodiscovery is enabled. + For more information on service discovery, refer + to the SERVICE DISCOVERY section. + + + Note: Trusted domains will always auto-discover + servers even if the primary server is explicitly + defined in the ad_server option. + + + + + + ad_hostname (string) + + + Optional. May be set on machines where the + hostname(5) does not reflect the fully qualified + name used in the Active Directory domain to + identify this host. + + + This field is used to determine the host principal + in use in the keytab. It must match the hostname + for which the keytab was issued. + + + + + + ad_enable_dns_sites (boolean) + + + Enables DNS sites - location based + service discovery. + + + If true and service discovery (see Service + Discovery paragraph at the bottom of the man page) + is enabled, the SSSD will first attempt to discover + the Active Directory server to connect to using the + Active Directory Site Discovery and fall back to + the DNS SRV records if no AD site is found. The + DNS SRV configuration, including the discovery + domain, is used during site discovery as well. + + + Default: true + + + + + + ad_access_filter (string) + + + This option specifies LDAP access control + filter that the user must match in order + to be allowed access. 
Please note that the + access_provider option must be + explicitly set to ad in order + for this option to have an effect. + + + The option also supports specifying different + filters per domain or forest. This + extended filter would consist of: + KEYWORD:NAME:FILTER. + The keyword can be either DOM, + FOREST or missing. + + + If the keyword equals to DOM + or is missing, then NAME specifies + the domain or subdomain the filter applies to. + If the keyword equals to FOREST, + then the filter equals to all domains from the + forest specified by NAME. + + + Multiple filters can be separated with the + ? character, similarly to how + search bases work. + + + Nested group membership must be searched for using + a special OID :1.2.840.113556.1.4.1941: + in addition to the full DOM:domain.example.org: syntax + to ensure the parser does not attempt to interpret the + colon characters associated with the OID. If you do not + use this OID then nested group membership will not be + resolved. See usage example below and refer here + for further information about the OID: + + [MS-ADTS] section LDAP extensions + + + The most specific match is always used. For + example, if the option specified filter + for a domain the user is a member of and a + global filter, the per-domain filter would + be applied. If there are more matches with + the same specification, the first one is used. + + + Examples: + + +# apply filter on domain called dom1 only: +dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com) + +# apply filter on domain called dom2 only: +DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) + +# apply filter on forest called EXAMPLE.COM only: +FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + +# apply filter for a member of a nested group in dom1: +DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) + + + Default: Not set + + + + + + ad_site (string) + + + Specify AD site to which client should try to connect. 
+ If this option is not provided, the AD site will be + auto-discovered. + + + Default: Not set + + + + + + ad_enable_gc (boolean) + + + By default, the SSSD connects to the Global + Catalog first to retrieve users from trusted + domains and uses the LDAP port to retrieve + group memberships or as a fallback. Disabling + this option makes the SSSD only connect to + the LDAP port of the current AD server. + + + Please note that disabling Global Catalog support + does not disable retrieving users from trusted + domains. The SSSD would connect to the LDAP port + of trusted domains instead. However, Global + Catalog must be used in order to resolve + cross-domain group memberships. + + + Default: true + + + + + + ad_gpo_access_control (string) + + + This option specifies the operation mode for + GPO-based access control functionality: + whether it operates in disabled mode, enforcing + mode, or permissive mode. Please note that the + access_provider option must be + explicitly set to ad in order for + this option to have an effect. + + + GPO-based access control functionality uses GPO + policy settings to determine whether or not a + particular user is allowed to logon to a particular + host. + + + NOTE: The current version of SSSD does not support + host (computer) entries in the GPO 'Security + Filtering' list. Only user and group entries are + supported. Host entries in the list have no + effect. + + + NOTE: If the operation mode is set to enforcing, it + is possible that users that were previously allowed + logon access will now be denied logon access (as + dictated by the GPO policy settings). In order to + facilitate a smooth transition for administrators, + a permissive mode is available that will not enforce + the access control rules, but will evaluate them and + will output a syslog message if access would have + been denied. By examining the logs, administrators + can then make the necessary changes before setting + the mode to enforcing. 
+ + + There are three supported values for this option: + + + + disabled: GPO-based access control rules + are neither evaluated nor enforced. + + + + + enforcing: GPO-based access control + rules are evaluated and enforced. + + + + + permissive: GPO-based access control + rules are evaluated, but not enforced. + Instead, a syslog message will be + emitted indicating that the user would + have been denied access if this option's + value were set to enforcing. + + + + + + Default: permissive + + + Default: enforcing + + + + + + ad_gpo_cache_timeout (integer) + + + The amount of time between lookups of GPO policy + files against the AD server. This will reduce the + latency and load on the AD server if there are + many access-control requests made in a short + period. + + + Default: 5 (seconds) + + + + + + ad_gpo_map_interactive (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the InteractiveLogonRight and + DenyInteractiveLogonRight policy settings. + + + Note: Using the Group Policy Management Editor + this value is called "Allow log on locally" + and "Deny log on locally". + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. login) + with a custom pam service name (e.g. 
my_pam_service), + you would use the following configuration: + +ad_gpo_map_interactive = +my_pam_service, -login + + + + Default: the default set of PAM service names includes: + + + + login + + + + + su + + + + + su-l + + + + + gdm-fingerprint + + + + + gdm-password + + + + + gdm-smartcard + + + + + kdm + + + + + lightdm + + + + + lxdm + + + + + sddm + + + + + unity + + + + + xdm + + + + + + + + + ad_gpo_map_remote_interactive (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the RemoteInteractiveLogonRight and + DenyRemoteInteractiveLogonRight policy settings. + + + Note: Using the Group Policy Management Editor this + value is called "Allow log on through Remote Desktop + Services" and "Deny log on through Remote Desktop + Services". + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. sshd) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + +ad_gpo_map_remote_interactive = +my_pam_service, -sshd + + + + Default: the default set of PAM service names includes: + + + + sshd + + + + + cockpit + + + + + + + + + ad_gpo_map_network (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the NetworkLogonRight and DenyNetworkLogonRight + policy settings. + + + Note: Using the Group Policy Management Editor + this value is called "Access this computer + from the network" and "Deny access to this + computer from the network". + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. 
+ For example, in order to replace a default PAM service + name for this logon right (e.g. ftp) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + +ad_gpo_map_network = +my_pam_service, -ftp + + + + Default: the default set of PAM service names includes: + + + + ftp + + + + + samba + + + + + + + + + ad_gpo_map_batch (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the BatchLogonRight and DenyBatchLogonRight + policy settings. + + + Note: Using the Group Policy Management Editor + this value is called "Allow log on as a batch + job" and "Deny log on as a batch job". + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. crond) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + +ad_gpo_map_batch = +my_pam_service, -crond + + + + Default: the default set of PAM service names includes: + + + + crond + + + + + + + + + ad_gpo_map_service (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the ServiceLogonRight and DenyServiceLogonRight + policy settings. + + + Note: Using the Group Policy Management Editor + this value is called "Allow log on as a service" + and "Deny log on as a service". + + + It is possible to add a PAM service name to the + default set by using +service_name. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. 
my_pam_service), you + would use the following configuration: + +ad_gpo_map_service = +my_pam_service + + + + Default: not set + + + + + + ad_gpo_map_permit (string) + + + A comma-separated list of PAM service names for + which GPO-based access is always granted, regardless + of any GPO Logon Rights. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for unconditionally permitted access (e.g. sudo) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + +ad_gpo_map_permit = +my_pam_service, -sudo + + + + Default: the default set of PAM service names includes: + + + + polkit-1 + + + + + sudo + + + + + sudo-i + + + + + systemd-user + + + + + + + + + ad_gpo_map_deny (string) + + + A comma-separated list of PAM service names for + which GPO-based access is always denied, regardless + of any GPO Logon Rights. + + + It is possible to add a PAM service name to the + default set by using +service_name. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. my_pam_service), you + would use the following configuration: + +ad_gpo_map_deny = +my_pam_service + + + + Default: not set + + + + + + ad_gpo_default_right (string) + + + This option defines how access control is evaluated + for PAM service names that are not explicitly listed + in one of the ad_gpo_map_* options. This option can be + set in two different manners. First, this option can + be set to use a default logon right. For example, if + this option is set to 'interactive', it means that + unmapped PAM service names will be processed based on + the InteractiveLogonRight and DenyInteractiveLogonRight + policy settings. 
Alternatively, this option can be set + to either always permit or always deny access for + unmapped PAM service names. + + + Supported values for this option include: + + + + interactive + + + + + remote_interactive + + + + + network + + + + + batch + + + + + service + + + + + permit + + + + + deny + + + + + + Default: deny + + + + + + ad_maximum_machine_account_password_age (integer) + + + SSSD will check once a day if the machine account + password is older than the given age in days and try + to renew it. A value of 0 will disable the renewal + attempt. + + + Default: 30 days + + + + + + ad_machine_account_password_renewal_opts (string) + + + This option should only be used to test the machine + account renewal task. The option expects 2 integers + separated by a colon (':'). The first integer + defines the interval in seconds how often the task + is run. The second specifies the initial timeout in + seconds before the task is run for the first time + after startup. + + + Default: 86400:750 (24h and 15m) + + + + + + dyndns_update (boolean) + + + Optional. This option tells SSSD to automatically + update the Active Directory DNS server with + the IP address of this client. The update is + secured using GSS-TSIG. As a consequence, the + Active Directory administrator only needs to + allow secure updates for the DNS zone. The IP + address of the AD LDAP connection is used for + the updates, if it is not otherwise specified + by using the dyndns_iface option. + + + NOTE: On older systems (such as RHEL 5), for this + behavior to work reliably, the default Kerberos + realm must be set properly in /etc/krb5.conf + + + Default: true + + + + + + dyndns_ttl (integer) + + + The TTL to apply to the client DNS record when updating it. + If dyndns_update is false this has no effect. This will + override the TTL serverside if set by an administrator. + + + Default: 3600 (seconds) + + + + + + dyndns_iface (string) + + + Optional. Applicable only when dyndns_update + is true. 
Choose the interface or a list of interfaces + whose IP addresses should be used for dynamic DNS + updates. Special value * implies that + IPs from all interfaces should be used. + + + Default: Use the IP addresses of the interface which + is used for AD LDAP connection + + + Example: dyndns_iface = em1, vnet1, vnet2 + + + + + + dyndns_refresh_interval (integer) + + + How often should the back end perform periodic DNS update in + addition to the automatic update performed when the back end + goes online. + This option is optional and applicable only when dyndns_update + is true. Note that the lowest possible value is 60 seconds in-case + if value is provided less than 60, parameter will assume lowest + value only. + + + Default: 86400 (24 hours) + + + + + + dyndns_update_ptr (bool) + + + Whether the PTR record should also be explicitly + updated when updating the client's DNS records. + Applicable only when dyndns_update is true. + + + Default: True + + + + + + dyndns_force_tcp (bool) + + + Whether the nsupdate utility should default to using + TCP for communicating with the DNS server. + + + Default: False (let nsupdate choose the protocol) + + + + + + dyndns_auth (string) + + + Whether the nsupdate utility should use GSS-TSIG + authentication for secure updates with the DNS + server, insecure updates can be sent by setting + this option to 'none'. + + + Default: GSS-TSIG + + + + + + dyndns_server (string) + + + The DNS server to use when performing a DNS + update. In most setups, it's recommended to leave + this option unset. + + + Setting this option makes sense for environments + where the DNS server is different from the identity + server. + + + Please note that this option will be only used in + fallback attempt when previous attempt using + autodetected settings failed. + + + Default: None (let nsupdate choose the server) + + + + + + + + + krb5_confd_path (string) + + + Absolute path of a directory where SSSD should place + Kerberos configuration snippets. 
+ + + To disable the creation of the configuration + snippets set the parameter to 'none'. + + + Default: not set (krb5.include.d subdirectory of + SSSD's pubconf directory) + + + + + + + + + + + + + + + + + EXAMPLE + + The following example assumes that SSSD is correctly + configured and example.com is one of the domains in the + [sssd] section. This example shows only + the AD provider-specific options. + + + +[domain/EXAMPLE] +id_provider = ad +auth_provider = ad +access_provider = ad +chpass_provider = ad + +ad_server = dc1.example.com +ad_hostname = client.example.com +ad_domain = example.com + + + + + + NOTES + + The AD access control provider checks if the account is expired. + It has the same effect as the following configuration of the LDAP + provider: + +access_provider = ldap +ldap_access_order = expire +ldap_account_expire_policy = ad + + + + However, unless the ad access control provider + is explicitly configured, the default access provider is + permit. Please note that if you configure an + access provider other than ad, you need to set + all the connection parameters (such as LDAP URIs and encryption + details) manually. + + + When the autofs provider is set to ad, the RFC2307 + schema attribute mapping (nisMap, nisObject, ...) is used, + because these attributes are included in the default Active + Directory schema. + + + + + + + + + diff --git a/src/man/sssd-files.5.xml b/src/man/sssd-files.5.xml new file mode 100644 index 0000000..59e1b65 --- /dev/null +++ b/src/man/sssd-files.5.xml 
@@ -0,0 +1,120 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd-files
+ 5
+ File Formats and Conventions
+
+
+
+ sssd-files
+ SSSD files provider
+
+
+
+ DESCRIPTION
+
+ This manual page describes the files provider
+ for
+
+ sssd
+ 8
+ .
+ For a detailed syntax reference, refer to the FILE FORMAT section of the
+
+ sssd.conf
+ 5
+ manual page.
+
+
+ The files provider mirrors the content of the
+
+ passwd
+ 5
+
+ and
+
+ group
+ 5
+
+ files. The purpose of the files provider is to make the users
+ and groups traditionally only accessible with NSS interfaces
+ also available through the SSSD interfaces such as
+
+ sssd-ifp
+ 5
+ .
+
+
+
+
+ CONFIGURATION OPTIONS
+
+ In addition to the options listed below, generic SSSD domain options
+ can be set where applicable.
+ Refer to the section DOMAIN SECTIONS of the
+
+ sssd.conf
+ 5
+ manual page for details on the configuration
+ of an SSSD domain.
+
+
+ passwd_files (string)
+
+
+ Comma-separated list of one or multiple password
+ filenames to be read and enumerated by the files
+ provider, inotify monitor watches will be set on
+ each file to detect changes dynamically.
+
+
+ Default: /etc/passwd
+
+
+
+
+
+ group_files (string)
+
+
+ Comma-separated list of one or multiple group
+ filenames to be read and enumerated by the files
+ provider, inotify monitor watches will be set on
+ each file to detect changes dynamically.
+
+
+ Default: /etc/group
+
+
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The following example assumes that SSSD is correctly
+ configured and files is one of the domains in the
+ [sssd] section.
+
+
+
+[domain/files]
+id_provider = files
+
+
+
+
+
+
+
+
diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml
new file mode 100644
index 0000000..acb3e34
--- /dev/null
+++ b/src/man/sssd-ifp.5.xml
@@ -0,0 +1,155 @@ + + + +SSSD Manual pages + + + + + sssd-ifp + 5 + File Formats and Conventions + + + + sssd-ifp + SSSD InfoPipe responder + + + + DESCRIPTION + + This manual page describes the configuration of the InfoPipe responder + for + + sssd + 8 + . + For a detailed syntax reference, refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + The InfoPipe responder provides a public D-Bus interface + accessible over the system bus. The interface allows the user + to query information about remote users and groups over the + system bus. + + + + + CONFIGURATION OPTIONS + + These options can be used to configure the InfoPipe responder. + + + + allowed_uids (string) + + + Specifies the comma-separated list of UID values or + user names that are allowed to access the InfoPipe + responder. User names are resolved to UIDs at + startup. + + + Default: 0 (only the root user is allowed to access + the InfoPipe responder) + + + Please note that although the UID 0 is used as the + default it will be overwritten with this option. If + you still want to allow the root user to access the + InfoPipe responder, which would be the typical + case, you have to add 0 to the list of allowed UIDs + as well. + + + + + + user_attributes (string) + + + Specifies the comma-separated list of white + or blacklisted attributes. + + + By default, the InfoPipe responder only + allows the default set of POSIX attributes to + be requested. This set is the same as returned by + + getpwnam + 3 + + and includes: + + + name + user's login name + + + uidNumber + user ID + + + gidNumber + primary group ID + + + gecos + user information, typically full name + + + homeDirectory + home directory + + + loginShell + user shell + + + + + It is possible to add another attribute to + this set by using +attr_name + or explicitly remove an attribute using + -attr_name. 
For example, to + allow telephoneNumber but deny + loginShell, you would use the + following configuration: + +user_attributes = +telephoneNumber, -loginShell + + + + Default: not set. Only the default set of + POSIX attributes is allowed. + + + + + + wildcard_limit (integer) + + + Specifies an upper limit on the number of entries + that are downloaded during a wildcard lookup that + overrides caller-supplied limit. + + + Default: 0 (let the caller set an upper limit) + + + + + + + + + + + diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml new file mode 100644 index 0000000..e46957d --- /dev/null +++ b/src/man/sssd-ipa.5.xml 
@@ -0,0 +1,848 @@ + + + +SSSD Manual pages + + + + + sssd-ipa + 5 + File Formats and Conventions + + + + sssd-ipa + SSSD IPA provider + + + + DESCRIPTION + + This manual page describes the configuration of the IPA provider + for + + sssd + 8 + . + For a detailed syntax reference, refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + The IPA provider is a back end used to connect to an IPA server. + (Refer to the freeipa.org web site for information about IPA servers.) + This provider requires that the machine be joined to the IPA domain; + configuration is almost entirely self-discovered and obtained + directly from the server. + + + The IPA provider enables SSSD to use the + + sssd-ldap + 5 + identity provider and the + + sssd-krb5 + 5 + authentication provider with optimizations for IPA + environments. The IPA provider accepts the same options used by the + sssd-ldap and sssd-krb5 providers with some exceptions. However, it is + neither necessary nor recommended to set these options. + + + The IPA provider primarily copies the traditional ldap and krb5 provider + default options with some exceptions, the differences are listed in the + MODIFIED DEFAULT OPTIONS section. + + + As an access provider, the IPA provider uses HBAC (host-based access control) + rules. Please refer to freeipa.org for more information about HBAC. No + configuration of access provider is required on the client side. + + + If auth_provider=ipa or + access_provider=ipa is configured + in sssd.conf then the id_provider must also be set to + ipa. + + + The IPA provider will use the PAC responder if the Kerberos tickets + of users from trusted realms contain a PAC. To make configuration + easier the PAC responder is started automatically if the IPA ID + provider is configured. + + + + + CONFIGURATION OPTIONS + Refer to the section DOMAIN SECTIONS of the + + sssd.conf + 5 + manual page for details on the configuration of an SSSD domain. 
+ + + ipa_domain (string) + + + Specifies the name of the IPA domain. + This is optional. If not provided, the configuration + domain name is used. + + + + + + ipa_server, ipa_backup_server (string) + + + The comma-separated list of IP addresses or hostnames of the + IPA servers to which SSSD should connect in + the order of preference. For more information + on failover and server redundancy, see the + FAILOVER section. + This is optional if autodiscovery is enabled. + For more information on service discovery, refer + to the SERVICE DISCOVERY section. + + + + + + ipa_hostname (string) + + + Optional. May be set on machines where the + hostname(5) does not reflect the fully qualified + name used in the IPA domain to identify this host. + The hostname must be fully qualified. + + + + + + dyndns_update (boolean) + + + Optional. This option tells SSSD to automatically + update the DNS server built into FreeIPA with + the IP address of this client. The update is + secured using GSS-TSIG. The IP address of the IPA + LDAP connection is used for the updates, if it is + not otherwise specified by using the + dyndns_iface option. + + + NOTE: On older systems (such as RHEL 5), for this + behavior to work reliably, the default Kerberos + realm must be set properly in /etc/krb5.conf + + + NOTE: While it is still possible to use the old + ipa_dyndns_update option, users + should migrate to using dyndns_update + in their config file. + + + Default: false + + + + + + dyndns_ttl (integer) + + + The TTL to apply to the client DNS record when updating it. + If dyndns_update is false this has no effect. This will + override the TTL serverside if set by an administrator. + + + NOTE: While it is still possible to use the old + ipa_dyndns_ttl option, users + should migrate to using dyndns_ttl + in their config file. + + + Default: 1200 (seconds) + + + + + + dyndns_iface (string) + + + Optional. Applicable only when dyndns_update + is true. 
Choose the interface or a list of interfaces + whose IP addresses should be used for dynamic DNS + updates. Special value * implies that + IPs from all interfaces should be used. + + + NOTE: While it is still possible to use the old + ipa_dyndns_iface option, users + should migrate to using dyndns_iface + in their config file. + + + Default: Use the IP addresses of the interface which + is used for IPA LDAP connection + + + Example: dyndns_iface = em1, vnet1, vnet2 + + + + + + dyndns_auth (string) + + + Whether the nsupdate utility should use GSS-TSIG + authentication for secure updates with the DNS + server, insecure updates can be sent by setting + this option to 'none'. + + + Default: GSS-TSIG + + + + + + ipa_enable_dns_sites (boolean) + + + Enables DNS sites - location based + service discovery. + + + If true and service discovery (see Service + Discovery paragraph at the bottom of the man page) + is enabled, then the SSSD will first attempt + location based discovery using a query that contains + "_location.hostname.example.com" and then fall back + to traditional SRV discovery. If the location based + discovery succeeds, the IPA servers located with + the location based discovery are treated as primary + servers and the IPA servers located using the + traditional SRV discovery are used as back up + servers + + + Default: false + + + + + + dyndns_refresh_interval (integer) + + + How often should the back end perform periodic DNS update in + addition to the automatic update performed when the back end + goes online. + This option is optional and applicable only when dyndns_update + is true. + + + Default: 0 (disabled) + + + + + + dyndns_update_ptr (bool) + + + Whether the PTR record should also be explicitly + updated when updating the client's DNS records. + Applicable only when dyndns_update is true. + + + This option should be False in most IPA + deployments as the IPA server generates the + PTR records automatically when forward records + are changed. 
+ + + Default: False (disabled) + + + + + + dyndns_force_tcp (bool) + + + Whether the nsupdate utility should default to using + TCP for communicating with the DNS server. + + + Default: False (let nsupdate choose the protocol) + + + + + + dyndns_server (string) + + + The DNS server to use when performing a DNS + update. In most setups, it's recommended to leave + this option unset. + + + Setting this option makes sense for environments + where the DNS server is different from the identity + server. + + + Please note that this option will be only used in + fallback attempt when previous attempt using + autodetected settings failed. + + + Default: None (let nsupdate choose the server) + + + + + + ipa_deskprofile_search_base (string) + + + Optional. Use the given string as search base for + Desktop Profile related objects. + + + Default: Use base DN + + + + + + ipa_hbac_search_base (string) + + + Optional. Use the given string as search base for + HBAC related objects. + + + Default: Use base DN + + + + + + ipa_host_search_base (string) + + + Deprecated. Use ldap_host_search_base instead. + + + + + + ipa_selinux_search_base (string) + + + Optional. Use the given string as search base for + SELinux user maps. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + ldap_search_base + + + + + + ipa_subdomains_search_base (string) + + + Optional. Use the given string as search base for + trusted domains. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + cn=trusts,%basedn + + + + + + ipa_master_domain_search_base (string) + + + Optional. Use the given string as search base for + master domain object. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + cn=ad,cn=etc,%basedn + + + + + + ipa_views_search_base (string) + + + Optional. 
Use the given string as search base for + views containers. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + cn=views,cn=accounts,%basedn + + + + + + krb5_realm (string) + + + The name of the Kerberos realm. This is optional and + defaults to the value of ipa_domain. + + + The name of the Kerberos realm has a special + meaning in IPA - it is converted into the base + DN to use for performing LDAP operations. + + + + + + krb5_confd_path (string) + + + Absolute path of a directory where SSSD should place + Kerberos configuration snippets. + + + To disable the creation of the configuration + snippets set the parameter to 'none'. + + + Default: not set (krb5.include.d subdirectory of + SSSD's pubconf directory) + + + + + + ipa_deskprofile_refresh (integer) + + + The amount of time between lookups of the Desktop + Profile rules against the IPA server. This will + reduce the latency and load on the IPA server if + there are many desktop profiles requests made in a + short period. + + + Default: 5 (seconds) + + + + + + ipa_deskprofile_request_interval (integer) + + + The amount of time between lookups of the Desktop + Profile rules against the IPA server in case the + last request did not return any rule. + + + Default: 60 (minutes) + + + + + + ipa_hbac_refresh (integer) + + + The amount of time between lookups of the HBAC + rules against the IPA server. This will reduce the + latency and load on the IPA server if there are + many access-control requests made in a short + period. + + + Default: 5 (seconds) + + + + + + ipa_hbac_selinux (integer) + + + The amount of time between lookups of the SELinux + maps against the IPA server. This will reduce the + latency and load on the IPA server if there are + many user login requests made in a short + period. 
+ + + Default: 5 (seconds) + + + + + + ipa_server_mode (boolean) + + + This option will be set by the IPA installer + (ipa-server-install) automatically and denotes + if SSSD is running on an IPA server or not. + + + On an IPA server SSSD will lookup users and groups + from trusted domains directly while on a client + it will ask an IPA server. + + + NOTE: There are currently some assumptions that + must be met when SSSD is running on an IPA server. + + + + The ipa_server option + must be configured to point to the + IPA server itself. This is already + the default set by the IPA installer, + so no manual change is required. + + + + + The full_name_format + option must not be tweaked to only + print short names for users from + trusted domains. + + + + + + Default: false + + + + + + ipa_automount_location (string) + + + The automounter location this IPA client will be using + + + Default: The location named "default" + + + + + + + + VIEWS AND OVERRIDES + + SSSD can handle views and overrides which are offered by + FreeIPA 4.1 and later version. Since all paths and objectclasses + are fixed on the server side there is basically no need to + configure anything. For completeness the related options are + listed here with their default values. + + + ipa_view_class (string) + + + Objectclass of the view container. + + + Default: nsContainer + + + + + + ipa_view_name (string) + + + Name of the attribute holding the name of the + view. + + + Default: cn + + + + + + ipa_override_object_class (string) + + + Objectclass of the override objects. + + + Default: ipaOverrideAnchor + + + + + + ipa_anchor_uuid (string) + + + Name of the attribute containing the reference + to the original object in a remote domain. + + + Default: ipaAnchorUUID + + + + + + ipa_user_override_object_class (string) + + + Name of the objectclass for user overrides. It + is used to determine if the found override + object is related to a user or a group. 
+ + + User overrides can contain attributes given by + + + ldap_user_name + + + ldap_user_uid_number + + + ldap_user_gid_number + + + ldap_user_gecos + + + ldap_user_home_directory + + + ldap_user_shell + + + ldap_user_ssh_public_key + + + + + Default: ipaUserOverride + + + + + + ipa_group_override_object_class (string) + + + Name of the objectclass for group overrides. It + is used to determine if the found override + object is related to a user or a group. + + + Group overrides can contain attributes given by + + + ldap_group_name + + + ldap_group_gid_number + + + + + Default: ipaGroupOverride + + + + + + + + + + + + SUBDOMAINS PROVIDER + + The IPA subdomains provider behaves slightly differently + if it is configured explicitly or implicitly. + + + If the option 'subdomains_provider = ipa' is found in the + domain section of sssd.conf, the IPA subdomains provider is + configured explicitly, and all subdomain requests are sent to the + IPA server if necessary. + + + If the option 'subdomains_provider' is not set in the domain + section of sssd.conf but there is the option 'id_provider = ipa', + the IPA subdomains provider is configured implicitly. In this case, + if a subdomain request fails and indicates that the server does not + support subdomains, i.e. is not configured for trusts, the IPA + subdomains provider is disabled. After an hour or after the IPA + provider goes online, the subdomains provider is enabled again. + + + + + TRUSTED DOMAINS CONFIGURATION + + Some configuration options can be also set for a trusted domain. + A trusted domain configuration can either be done using + a subsection, for example: + +[domain/ipa.domain.com/ad.domain.com] +ad_server = dc.ad.domain.com + + + + In addition, some options can be set in the parent domain + and inherited by the trusted domain using the + subdomain_inherit option. For more details, + see the + + sssd.conf + 5 + manual page. 
+ + + Different configuration options are tunable for a trusted + domain depending on whether you are configuring SSSD on an + IPA server or an IPA client. + + + OPTIONS TUNABLE ON IPA MASTERS + + The following options can be set in a subdomain + section on an IPA master: + + + ad_server + + + ad_backup_server + + + ad_site + + + ldap_search_base + + + ldap_user_search_base + + + ldap_group_search_base + + + use_fully_qualified_names + + + + + + OPTIONS TUNABLE ON IPA CLIENTS + + The following options can be set in a subdomain + section on an IPA client: + + + ad_server + + + ad_site + + + + + Note that if both options are set, only + ad_server is evaluated. + + + Since any request for a user or a group identity from a + trusted domain triggered from an IPA client is resolved + by the IPA server, the ad_server and + ad_site options only affect which AD DC will + the authentication be performed against. In particular, + the addresses resolved from these lists will be written to + kdcinfo files read by the Kerberos locator + plugin. Please refer to the + + sssd_krb5_locator_plugin + 8 + manual page for more details on the Kerberos + locator plugin. + + + + + + + + + + EXAMPLE + + The following example assumes that SSSD is correctly + configured and example.com is one of the domains in the + [sssd] section. This examples shows only + the ipa provider-specific options. + + + +[domain/example.com] +id_provider = ipa +ipa_server = ipaserver.example.com +ipa_hostname = myhost.example.com + + + + + + + + diff --git a/src/man/sssd-kcm.8.xml b/src/man/sssd-kcm.8.xml new file mode 100644 index 0000000..78d3551 --- /dev/null +++ b/src/man/sssd-kcm.8.xml 
@@ -0,0 +1,191 @@ + + + +SSSD Manual pages + + + + + sssd-kcm + 8 + File Formats and Conventions + + + + sssd-kcm + SSSD Kerberos Cache Manager + + + + DESCRIPTION + + This manual page describes the configuration of the SSSD Kerberos + Cache Manager (KCM). KCM is a process that stores, tracks and + manages Kerberos credential caches. It originates in the Heimdal + Kerberos project, although the MIT Kerberos library also provides + client side (more details on that below) support for the KCM + credential cache. + + + In a setup where Kerberos caches are managed by KCM, the + Kerberos library (typically used through an application, like + e.g., + + kinit1 + , + is a "KCM client" and the KCM daemon + is being referred to as a "KCM server". The client + and server communicate over a UNIX socket. + + + The KCM server keeps track of each credential caches's owner and + performs access check control based on the UID and GID of the + KCM client. The root user has access to all credential caches. + + + The KCM credential cache has several interesting properties: + + + + since the process runs in userspace, it is subject to UID namespacing, unlike the kernel keyring + + + + + unlike the kernel keyring-based cache, which is shared between all containers, the KCM server is a separate process whose entry point is a UNIX socket + + + + + the SSSD implementation stores the ccaches in the SSSD + + sssd-secrets5 + + secrets store, allowing the ccaches to survive KCM server restarts or machine reboots. + + + + This allows the system to use a collection-aware credential + cache, yet share the credential cache between some or no + containers by bind-mounting the socket. + + + + + USING THE KCM CREDENTIAL CACHE + + In order to use KCM credential cache, it must be selected as the default + credential type in + + krb5.conf5 + , + The credentials cache name must be only KCM: + without any template expansions. 
For example: + +[libdefaults] + default_ccache_name = KCM: + + + + Next, make sure the Kerberos client libraries and the KCM server must agree + on the UNIX socket path. By default, both use the same path + /var/run/.heim_org.h5l.kcm-socket. To configure + the Kerberos library, change its kcm_socket option which + is described in the + + krb5.conf5 + + manual page. + + + Finally, make sure the SSSD KCM server can be contacted. + The KCM service is typically socket-activated by + + systemd + 1 + . + Unlike + other SSSD services, it cannot be started by adding the + kcm string to the service + directive. + +systemctl start sssd-kcm.socket +systemctl enable sssd-kcm.socket + + Please note your distribution may already configure the units + for you. + + + + + THE CREDENTIAL CACHE STORAGE + + The credential caches are stored in the SSSD secrets service (see + + sssd-secrets5 + + for more details). Therefore it is important that also the sssd-secrets + service is enabled and its socket is started: + +systemctl start sssd-secrets.socket +systemctl enable sssd-secrets.socket + + Your distribution should already set the dependencies between the services. + + + + + CONFIGURATION OPTIONS + + The KCM service is configured in the kcm + section of the sssd.conf file. Please note that currently, + is it not sufficient to restart the sssd-kcm service, because + the sssd configuration is only parsed and read to an internal + configuration database by the sssd service. Therefore you + must restart the sssd service if you change anything in the + kcm section of sssd.conf. + For a detailed syntax reference, refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + The generic SSSD service options such as + debug_level or fd_limit are + accepted by the kcm service. Please refer to the + + sssd.conf + 5 + manual page for a complete list. In addition, + there are some KCM-specific options as well. 
+ + + + socket_path (string) + + + The socket the KCM service will listen on. + + + Default: /var/run/.heim_org.h5l.kcm-socket + + + + + + + + SEE ALSO + + + sssd8 + , + + sssd.conf5 + , + + + + diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml new file mode 100644 index 0000000..60b7dfb --- /dev/null +++ b/src/man/sssd-krb5.5.xml 
@@ -0,0 +1,591 @@ + + + +SSSD Manual pages + + + + + sssd-krb5 + 5 + File Formats and Conventions + + + + sssd-krb5 + SSSD Kerberos provider + + + + DESCRIPTION + + This manual page describes the configuration of the Kerberos + 5 authentication backend for + + sssd + 8 + . + For a detailed syntax reference, please refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page. + + + The Kerberos 5 authentication backend contains auth and chpass + providers. It must be paired with an identity provider in + order to function properly (for example, id_provider = ldap). Some + information required by the Kerberos 5 authentication backend must + be provided by the identity provider, such as the user's Kerberos + Principal Name (UPN). The configuration of the identity provider + should have an entry to specify the UPN. Please refer to the man + page for the applicable identity provider for details on how to + configure this. + + + This backend also provides access control based on the .k5login + file in the home directory of the user. See + .k5login5 + for more details. Please note that an empty .k5login + file will deny all access to this user. To activate this feature, + use 'access_provider = krb5' in your SSSD configuration. + + + In the case where the UPN is not available in the identity backend, + sssd will construct a UPN using the format + username@krb5_realm. + + + + + + CONFIGURATION OPTIONS + + If the auth-module krb5 is used in an SSSD domain, the following + options must be used. See the + + sssd.conf + 5 + manual page, section DOMAIN SECTIONS, + for details on the configuration of an SSSD domain. + + + krb5_server, krb5_backup_server (string) + + + Specifies the comma-separated list of IP addresses or hostnames + of the Kerberos servers to which SSSD should + connect, in the order of preference. For more + information on failover and server redundancy, + see the FAILOVER section. 
An optional + port number (preceded by a colon) may be appended to + the addresses or hostnames. + If empty, service discovery is enabled; + for more information, refer to the + SERVICE DISCOVERY section. + + + When using service discovery for KDC or kpasswd servers, + SSSD first searches for DNS entries that specify _udp as + the protocol and falls back to _tcp if none are found. + + + This option was named krb5_kdcip in + earlier releases of SSSD. While the legacy name is recognized + for the time being, users are advised to migrate their config + files to use krb5_server instead. + + + + + + krb5_realm (string) + + + The name of the Kerberos realm. This option is required + and must be specified. + + + + + + krb5_kpasswd, krb5_backup_kpasswd (string) + + + If the change password service is not running on the + KDC, alternative servers can be defined here. An + optional port number (preceded by a colon) may be + appended to the addresses or hostnames. + + + For more information on failover and server + redundancy, see the FAILOVER section. + NOTE: Even if there are no more kpasswd + servers to try, the backend is not switched to operate offline + if authentication against the KDC is still possible. + + + Default: Use the KDC + + + + + + krb5_ccachedir (string) + + + Directory to store credential caches. All the + substitution sequences of krb5_ccname_template can + be used here, too, except %d and %P. + The directory is created as private and owned + by the user, with permissions set to 0700. + + + Default: /tmp + + + + + + krb5_ccname_template (string) + + + Location of the user's credential cache. Three + credential cache types are currently supported: + FILE, DIR and + KEYRING:persistent. The cache can + be specified either as + TYPE:RESIDUAL, or as an + absolute path, which implies the + FILE type. 
In the template, the + following sequences are substituted: + + + %u + login name + + + %U + login UID + + + %p + principal name + + + + %r + realm name + + + %h + home directory + + + + %d + value of krb5_ccachedir + + + + + %P + the process ID of the SSSD + client + + + + %% + a literal '%' + + + + If the template ends with 'XXXXXX' mkstemp(3) is + used to create a unique filename in a safe way. + + + When using KEYRING types, the only supported + mechanism is KEYRING:persistent:%U, + which uses the Linux kernel keyring to store + credentials on a per-UID basis. This is also the + recommended choice, as it is the most secure and + predictable method. + + + The default value for the credential cache name is + sourced from the profile stored in the system wide + krb5.conf configuration file in the [libdefaults] + section. The option name is default_ccache_name. + See krb5.conf(5)'s PARAMETER EXPANSION paragraph + for additional information on the expansion format + defined by krb5.conf. + + + NOTE: Please be aware that libkrb5 ccache expansion + template from + + krb5.conf + 5 + + uses different expansion sequences than SSSD. + + + Default: (from libkrb5) + + + + + + krb5_auth_timeout (integer) + + + Timeout in seconds after an online authentication request + or change password request is aborted. If possible, the + authentication request is continued offline. + + + Default: 6 + + + + + + krb5_validate (boolean) + + + Verify with the help of krb5_keytab that the TGT + obtained has not been spoofed. The keytab is checked for + entries sequentially, and the first entry with a matching + realm is used for validation. If no entry matches the realm, the last + entry in the keytab is used. This process can be used to validate + environments using cross-realm trust by placing the appropriate + keytab entry as the last entry or the only entry in the keytab file. 
+ + + Default: false + + + + + + krb5_keytab (string) + + + The location of the keytab to use when validating + credentials obtained from KDCs. + + + Default: /etc/krb5.keytab + + + + + + krb5_store_password_if_offline (boolean) + + + Store the password of the user if the provider is + offline and use it to request a TGT when the + provider comes online again. + + + NOTE: this feature is only available on Linux. + Passwords stored in this way are kept in + plaintext in the kernel keyring and are + potentially accessible by the root user + (with difficulty). + + + Default: false + + + + + + krb5_renewable_lifetime (string) + + + Request a renewable ticket with a total + lifetime, given as an integer immediately followed + by a time unit: + + + s for seconds + + + m for minutes + + + h for hours + + + d for days. + + + If there is no unit given, s is + assumed. + + + NOTE: It is not possible to mix units. To set + the renewable lifetime to one and a half hours, + use '90m' instead of '1h30m'. + + + Default: not set, i.e. the TGT is not renewable + + + + + + krb5_lifetime (string) + + + Request ticket with a lifetime, given as an + integer immediately followed by a time unit: + + + s for seconds + + + m for minutes + + + h for hours + + + d for days. + + + If there is no unit given s is + assumed. + + + NOTE: It is not possible to mix units. + To set the lifetime to one and a half + hours please use '90m' instead of '1h30m'. + + + Default: not set, i.e. the default ticket lifetime + configured on the KDC. + + + + + + krb5_renew_interval (string) + + + The time in seconds between two checks if the TGT + should be renewed. TGTs are renewed if about half + of their lifetime is exceeded, given as an integer + immediately followed by a time unit: + + + s for seconds + + + m for minutes + + + h for hours + + + d for days. + + + If there is no unit given, s is + assumed. + + + NOTE: It is not possible to mix units. 
To set + the renewable lifetime to one and a half hours, + use '90m' instead of '1h30m'. + + + If this option is not set or is 0 the automatic + renewal is disabled. + + + Default: not set + + + + + + krb5_use_fast (string) + + + Enables flexible authentication secure tunneling + (FAST) for Kerberos pre-authentication. The + following options are supported: + + + never use FAST. This is + equivalent to not setting this option at all. + + + try to use FAST. If the server + does not support FAST, continue the + authentication without it. + + + demand to use FAST. The + authentication fails if the server does not + require fast. + + + Default: not set, i.e. FAST is not used. + + + NOTE: a keytab is required to use FAST. + + + NOTE: SSSD supports FAST only with + MIT Kerberos version 1.8 and later. If SSSD is used + with an older version of MIT Kerberos, using this + option is a configuration error. + + + + + + krb5_fast_principal (string) + + + Specifies the server principal to use for FAST. + + + + + + krb5_canonicalize (boolean) + + + Specifies if the host and user principal should be + canonicalized. This feature is available with MIT + Kerberos 1.7 and later versions. + + + + Default: false + + + + + + krb5_use_kdcinfo (boolean) + + + Specifies if the SSSD should instruct the Kerberos + libraries what realm and which KDCs to use. This option + is on by default, if you disable it, you need to configure + the Kerberos library using the + + krb5.conf + 5 + + configuration file. + + + See the + + sssd_krb5_locator_plugin + 8 + + manual page for more information on the locator plugin. + + + Default: true + + + + + + krb5_use_enterprise_principal (boolean) + + + Specifies if the user principal should be treated + as enterprise principal. See section 5 of RFC 6806 + for more details about enterprise principals. 
+
+
+
+ Default: false (AD provider: true)
+
+
+ The IPA provider will set to option to 'true' if it
+ detects that the server is capable of handling
+ enterprise principals and the option is not set
+ explicitly in the config file.
+
+
+
+
+
+ krb5_map_user (string)
+
+
+ The list of mappings is given as a comma-separated
+ list of pairs username:primary
+ where username is a UNIX user name
+ and primary is a user part of
+ a kerberos principal. This mapping is used when
+ user is authenticating using
+ auth_provider = krb5.
+
+
+
+ example:
+
+krb5_realm = REALM
+krb5_map_user = joe:juser,dick:richard
+
+
+
+ joe and dick are
+ UNIX user names and juser and
+ richard are primaries of kerberos
+ principals. For user joe resp.
+ dick SSSD will try to kinit as
+ juser@REALM resp.
+ richard@REALM.
+
+
+
+ Default: not set
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The following example assumes that SSSD is correctly
+ configured and FOO is one of the domains in the
+ [sssd] section. This example shows
+ only configuration of Kerberos authentication; it does not include
+ any identity provider.
+
+
+
+[domain/FOO]
+auth_provider = krb5
+krb5_server = 192.168.1.1
+krb5_realm = EXAMPLE.COM
+
+
+
+
+
+
+
+
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml
new file mode 100644
index 0000000..3145f07
--- /dev/null
+++ b/src/man/sssd-ldap.5.xml
@@ -0,0 +1,2881 @@ + + + +SSSD Manual pages + + + + + sssd-ldap + 5 + File Formats and Conventions + + + + sssd-ldap + SSSD LDAP provider + + + + DESCRIPTION + + This manual page describes the configuration of LDAP + domains for + + sssd + 8 + . + Refer to the FILE FORMAT section of the + + sssd.conf + 5 + manual page for detailed syntax information. + + You can configure SSSD to use more than one LDAP domain. + + + LDAP back end supports id, auth, access and chpass providers. If you want + to authenticate against an LDAP server either TLS/SSL or LDAPS + is required. sssd does + not support authentication over an unencrypted channel. + If the LDAP server is used only as an identity provider, an encrypted + channel is not needed. Please refer to ldap_access_filter + config option for more information about using LDAP as an access provider. + + + + + CONFIGURATION OPTIONS + + All of the common configuration options that apply to SSSD domains also apply + to LDAP domains. Refer to the DOMAIN SECTIONS section of the + + sssd.conf + 5 + manual page for full details. + + + + ldap_uri, ldap_backup_uri (string) + + + Specifies the comma-separated list of URIs of the LDAP servers to which + SSSD should connect in the order of preference. Refer to the + FAILOVER section for more information on failover and server redundancy. + If neither option is specified, service discovery is enabled. For more information, + refer to the SERVICE DISCOVERY section. + + + The format of the URI must match the format defined in RFC 2732: + + + ldap[s]://<host>[:port] + + + For explicit IPv6 addresses, <host> must be enclosed in brackets [] + + + example: ldap://[fc00::126:25]:389 + + + + + + ldap_chpass_uri, ldap_chpass_backup_uri (string) + + + Specifies the comma-separated list of URIs of the LDAP servers to + which SSSD should connect in the order of preference + to change the password of a user. Refer to the + FAILOVER section for more information + on failover and server redundancy. 
+ + + To enable service discovery + ldap_chpass_dns_service_name must be set. + + + Default: empty, i.e. ldap_uri is used. + + + + + + ldap_search_base (string) + + + The default base DN to use for + performing LDAP user operations. + + + Starting with SSSD 1.7.0, SSSD supports multiple + search bases using the syntax: + + + search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + The scope can be one of "base", "onelevel" or "subtree". + + + The filter must be a valid LDAP search filter as + specified by http://www.ietf.org/rfc/rfc2254.txt + + + Examples: + + + ldap_search_base = dc=example,dc=com + (which is equivalent to) + ldap_search_base = dc=example,dc=com?subtree? + + + ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree? + + + Note: It is unsupported to have multiple search + bases which reference identically-named objects + (for example, groups with the same name in two + different search bases). This will lead to + unpredictable behavior on client machines. + + + Default: If not set, the value of the + defaultNamingContext or namingContexts attribute + from the RootDSE of the LDAP server is + used. If defaultNamingContext does not exist or + has an empty value namingContexts is used. + The namingContexts attribute must have a + single value with the DN of the search base of the + LDAP server to make this work. Multiple values are + are not supported. + + + + + + ldap_schema (string) + + + Specifies the Schema Type in use on the target LDAP + server. + Depending on the selected schema, the default + attribute names retrieved from the servers may vary. + The way that some attributes are handled may also differ. + + + Four schema types are currently supported: + + + + rfc2307 + + + + + rfc2307bis + + + + + IPA + + + + + AD + + + + + + The main difference between these schema types is + how group memberships are recorded in the server. 
+ With rfc2307, group members are listed by name in the + memberUid attribute. + With rfc2307bis and IPA, group members are listed by DN + and stored in the member attribute. + The AD schema type sets the attributes to correspond with + Active Directory 2008r2 values. + + + Default: rfc2307 + + + + + + ldap_default_bind_dn (string) + + + The default bind DN to use for + performing LDAP operations. + + + + + + ldap_default_authtok_type (string) + + + The type of the authentication token of the + default bind DN. + + + The two mechanisms currently supported are: + + + password + + + obfuscated_password + + + Default: password + + + + + + ldap_default_authtok (string) + + + The authentication token of the default bind DN. + Only clear text passwords are currently supported. + + + + + + ldap_user_object_class (string) + + + The object class of a user entry in LDAP. + + + Default: posixAccount + + + + + + ldap_user_name (string) + + + The LDAP attribute that corresponds to the + user's login name. + + + Default: uid (rfc2307, rfc2307bis and IPA), + sAMAccountName (AD) + + + + + + ldap_user_uid_number (string) + + + The LDAP attribute that corresponds to the + user's id. + + + Default: uidNumber + + + + + + ldap_user_gid_number (string) + + + The LDAP attribute that corresponds to the + user's primary group id. + + + Default: gidNumber + + + + + + ldap_user_primary_group (string) + + + Active Directory primary group attribute + for ID-mapping. Note that this attribute should + only be set manually if you are running the + ldap provider with ID mapping. + + + Default: unset (LDAP), primaryGroupID (AD) + + + + + + ldap_user_gecos (string) + + + The LDAP attribute that corresponds to the + user's gecos field. + + + Default: gecos + + + + + + ldap_user_home_directory (string) + + + The LDAP attribute that contains the name of the user's + home directory. 
+ + + Default: homeDirectory + + + + + + ldap_user_shell (string) + + + The LDAP attribute that contains the path to the + user's default shell. + + + Default: loginShell + + + + + + ldap_user_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP user object. + + + Default: not set in the general case, objectGUID for + AD and ipaUniqueID for IPA + + + + + + ldap_user_objectsid (string) + + + The LDAP attribute that contains the objectSID of + an LDAP user object. This is usually only + necessary for ActiveDirectory servers. + + + Default: objectSid for ActiveDirectory, not set + for other servers. + + + + + + ldap_user_modify_timestamp (string) + + + The LDAP attribute that contains timestamp of the + last modification of the parent object. + + + Default: modifyTimestamp + + + + + + ldap_user_shadow_last_change (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (date of the last + password change). + + + Default: shadowLastChange + + + + + + ldap_user_shadow_min (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (minimum password age). + + + Default: shadowMin + + + + + + ldap_user_shadow_max (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (maximum password age). + + + Default: shadowMax + + + + + + ldap_user_shadow_warning (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (password warning + period). 
+ + + Default: shadowWarning + + + + + + ldap_user_shadow_inactive (string) + + + When using ldap_pwd_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (password inactivity + period). + + + Default: shadowInactive + + + + + + ldap_user_shadow_expire (string) + + + When using ldap_pwd_policy=shadow or + ldap_account_expire_policy=shadow, this parameter + contains the name of an LDAP attribute corresponding + to its + + shadow + 5 + counterpart (account expiration date). + + + Default: shadowExpire + + + + + + ldap_user_krb_last_pwd_change (string) + + + When using ldap_pwd_policy=mit_kerberos, this + parameter contains the name of an LDAP attribute + storing the date and time of last password change + in kerberos. + + + Default: krbLastPwdChange + + + + + + ldap_user_krb_password_expiration (string) + + + When using ldap_pwd_policy=mit_kerberos, this + parameter contains the name of an LDAP attribute + storing the date and time when current password + expires. + + + Default: krbPasswordExpiration + + + + + + ldap_user_ad_account_expires (string) + + + When using ldap_account_expire_policy=ad, this + parameter contains the name of an LDAP attribute + storing the expiration time of the account. + + + Default: accountExpires + + + + + + ldap_user_ad_user_account_control (string) + + + When using ldap_account_expire_policy=ad, this + parameter contains the name of an LDAP attribute + storing the user account control bit field. + + + Default: userAccountControl + + + + + + ldap_ns_account_lock (string) + + + When using ldap_account_expire_policy=rhds or + equivalent, this parameter determines if access is + allowed or not. + + + Default: nsAccountLock + + + + + + ldap_user_nds_login_disabled (string) + + + When using ldap_account_expire_policy=nds, this + attribute determines if access is allowed or not. 
+ + + Default: loginDisabled + + + + + + ldap_user_nds_login_expiration_time (string) + + + When using ldap_account_expire_policy=nds, this + attribute determines until which date access is + granted. + + + Default: loginDisabled + + + + + + ldap_user_nds_login_allowed_time_map (string) + + + When using ldap_account_expire_policy=nds, this + attribute determines the hours of a day in a week + when access is granted. + + + Default: loginAllowedTimeMap + + + + + + ldap_user_principal (string) + + + The LDAP attribute that contains the user's Kerberos + User Principal Name (UPN). + + + Default: krbPrincipalName + + + + + + ldap_user_extra_attrs (string) + + + Comma-separated list of LDAP attributes that SSSD + would fetch along with the usual set of user + attributes. + + + The list can either contain LDAP attribute names + only, or colon-separated tuples of SSSD cache + attribute name and LDAP attribute name. In + case only LDAP attribute name is specified, + the attribute is saved to the cache verbatim. + Using a custom SSSD attribute name might be + required by environments that configure several + SSSD domains with different LDAP schemas. + + + Please note that several attribute names are + reserved by SSSD, notably the name + attribute. SSSD would report an error if any of + the reserved attribute names is used as an extra + attribute name. + + + Examples: + + + ldap_user_extra_attrs = telephoneNumber + + + Save the telephoneNumber attribute from LDAP + as telephoneNumber to the cache. + + + ldap_user_extra_attrs = phone:telephoneNumber + + + Save the telephoneNumber attribute from LDAP + as phone to the cache. + + + Default: not set + + + + + + ldap_user_ssh_public_key (string) + + + The LDAP attribute that contains the user's SSH + public keys. 
+ + + Default: sshPublicKey + + + + + + ldap_force_upper_case_realm (boolean) + + + Some directory servers, for example Active Directory, + might deliver the realm part of the UPN in lower case, + which might cause the authentication to fail. Set this + option to a non-zero value if you want to use an + upper-case realm. + + + Default: false + + + + + + ldap_enumeration_refresh_timeout (integer) + + + Specifies how many seconds SSSD has to wait + before refreshing its cache of enumerated + records. + + + Default: 300 + + + + + + ldap_purge_cache_timeout (integer) + + + Determine how often to check the cache for + inactive entries (such as groups with no + members and users who have never logged in) and + remove them to save space. + + + Setting this option to zero will disable the + cache cleanup operation. Please note that if + enumeration is enabled, the cleanup task is + required in order to detect entries removed from + the server and can't be disabled. By default, + the cleanup task will run every 3 hours with + enumeration enabled. + + + Default: 0 (disabled) + + + + + + ldap_user_fullname (string) + + + The LDAP attribute that corresponds to the + user's full name. + + + Default: cn + + + + + + ldap_user_member_of (string) + + + The LDAP attribute that lists the user's + group memberships. + + + Default: memberOf + + + + + + ldap_user_authorized_service (string) + + + If access_provider=ldap and + ldap_access_order=authorized_service, SSSD will + use the presence of the authorizedService + attribute in the user's LDAP entry to determine + access privilege. + + + An explicit deny (!svc) is resolved first. Second, + SSSD searches for explicit allow (svc) and finally + for allow_all (*). + + + Please note that the ldap_access_order + configuration option must include + authorized_service in order for the + ldap_user_authorized_service option + to work. 
+ + + Default: authorizedService + + + + + + ldap_user_authorized_host (string) + + + If access_provider=ldap and + ldap_access_order=host, SSSD will use the presence + of the host attribute in the user's LDAP entry to + determine access privilege. + + + An explicit deny (!host) is resolved first. Second, + SSSD searches for explicit allow (host) and finally + for allow_all (*). + + + Please note that the ldap_access_order + configuration option must + include host in order for the + ldap_user_authorized_host option + to work. + + + Default: host + + + + + + ldap_user_authorized_rhost (string) + + + If access_provider=ldap and + ldap_access_order=rhost, SSSD will use the presence + of the rhost attribute in the user's LDAP entry to + determine access privilege. Similarly to host + verification process. + + + An explicit deny (!rhost) is resolved first. Second, + SSSD searches for explicit allow (rhost) and finally + for allow_all (*). + + + Please note that the ldap_access_order + configuration option must + include rhost in order for the + ldap_user_authorized_rhost option + to work. + + + Default: rhost + + + + + + ldap_user_certificate (string) + + + Name of the LDAP attribute containing the X509 + certificate of the user. + + + Default: userCertificate;binary + + + + + + ldap_user_email (string) + + + Name of the LDAP attribute containing the email + address of the user. + + + Note: If an email address of a user conflicts with + an email address or fully qualified name of another + user, then SSSD will not be able to serve those + users properly. If for some reason several users + need to share the same email address then set + this option to a nonexistent attribute name in + order to disable user lookup/login by email. + + + Default: mail + + + + + + ldap_group_object_class (string) + + + The object class of a group entry in LDAP. + + + Default: posixGroup + + + + + + ldap_group_name (string) + + + The LDAP attribute that corresponds to + the group name. 
+ + + Default: cn (rfc2307, rfc2307bis and IPA), + sAMAccountName (AD) + + + + + + ldap_group_gid_number (string) + + + The LDAP attribute that corresponds to the + group's id. + + + Default: gidNumber + + + + + + ldap_group_member (string) + + + The LDAP attribute that contains the names of + the group's members. + + + Default: memberuid (rfc2307) / member (rfc2307bis) + + + + + + ldap_group_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP group object. + + + Default: not set in the general case, objectGUID for + AD and ipaUniqueID for IPA + + + + + + ldap_group_objectsid (string) + + + The LDAP attribute that contains the objectSID of + an LDAP group object. This is usually only + necessary for ActiveDirectory servers. + + + Default: objectSid for ActiveDirectory, not set + for other servers. + + + + + + ldap_group_modify_timestamp (string) + + + The LDAP attribute that contains timestamp of the + last modification of the parent object. + + + Default: modifyTimestamp + + + + + + ldap_group_type (integer) + + + The LDAP attribute that contains an integer value + indicating the type of the group and maybe other + flags. + + + This attribute is currently only used by the AD + provider to determine if a group is a domain local + groups and has to be filtered out for trusted + domains. + + + Default: groupType in the AD provider, otherwise not + set + + + + + + ldap_group_external_member (string) + + + The LDAP attribute that references group + members that are defined in an external + domain. At the moment, only IPA's external + members are supported. + + + Default: ipaExternalMember in the IPA provider, + otherwise unset. + + + + + + ldap_group_nesting_level (integer) + + + If ldap_schema is set to a schema format that + supports nested groups (e.g. RFC2307bis), then + this option controls how many levels of nesting + SSSD will follow. This option has no effect on the + RFC2307 schema. 
+ + + Note: This option specifies the guaranteed level of + nested groups to be processed for any lookup. However, + nested groups beyond this limit + may be returned if previous + lookups already resolved the deeper nesting levels. + Also, subsequent lookups for other groups may enlarge + the result set for original lookup if re-queried. + + + If ldap_group_nesting_level is set to 0 then no + nested groups are processed at all. However, when + connected to Active-Directory Server 2008 + and later using id_provider=ad + it is furthermore required to disable usage of + Token-Groups by setting ldap_use_tokengroups + to false in order to restrict group nesting. + + + Default: 2 + + + + + + ldap_groups_use_matching_rule_in_chain + + + This option tells SSSD to take advantage of an + Active Directory-specific feature which may speed + up group lookup operations on deployments with + complex or deep nested groups. + + + In most common cases, it is best to leave this + option disabled. It generally only provides a + performance increase on very complex nestings. + + + If this option is enabled, SSSD will use it if it + detects that the server supports it during initial + connection. So "True" here essentially means + "auto-detect". + + + Note: This feature is currently known to work only + with Active Directory 2008 R1 and later. See + + MSDN(TM) documentation for more details. + + + Default: False + + + + + + ldap_initgroups_use_matching_rule_in_chain + + + This option tells SSSD to take advantage of an + Active Directory-specific feature which might speed + up initgroups operations (most notably when + dealing with complex or deep nested groups). + + + If this option is enabled, SSSD will use it if it + detects that the server supports it during initial + connection. So "True" here essentially means + "auto-detect". + + + Note: This feature is currently known to work only + with Active Directory 2008 R1 and later. See + + MSDN(TM) documentation for more details. 
+ + + Default: False + + + + + + ldap_use_tokengroups + + + This options enables or disables use of Token-Groups + attribute when performing initgroup for users from + Active Directory Server 2008 and later. + + + Default: True for AD and IPA otherwise False. + + + + + + ldap_netgroup_object_class (string) + + + The object class of a netgroup entry in LDAP. + + + In IPA provider, ipa_netgroup_object_class should + be used instead. + + + Default: nisNetgroup + + + + + + ldap_netgroup_name (string) + + + The LDAP attribute that corresponds to + the netgroup name. + + + In IPA provider, ipa_netgroup_name should + be used instead. + + + Default: cn + + + + + + ldap_netgroup_member (string) + + + The LDAP attribute that contains the names of + the netgroup's members. + + + In IPA provider, ipa_netgroup_member should + be used instead. + + + Default: memberNisNetgroup + + + + + + ldap_netgroup_triple (string) + + + The LDAP attribute that contains the (host, user, + domain) netgroup triples. + + + This option is not available in IPA provider. + + + Default: nisNetgroupTriple + + + + + + ldap_netgroup_modify_timestamp (string) + + + The LDAP attribute that contains timestamp of the + last modification of the parent object. + + + This option is not available in IPA provider. + + + Default: modifyTimestamp + + + + + + ldap_host_object_class (string) + + + The object class of a host entry in LDAP. + + + Default: ipService + + + + + + ldap_host_name (string) + + + The LDAP attribute that corresponds to the host's + name. + + + Default: cn + + + + + + ldap_host_fqdn (string) + + + The LDAP attribute that corresponds to the host's + fully-qualified domain name. + + + Default: fqdn + + + + + + ldap_host_serverhostname (string) + + + The LDAP attribute that corresponds to the host's + name. + + + Default: serverHostname + + + + + + ldap_host_member_of (string) + + + The LDAP attribute that lists the host's group + memberships. 
+ + + Default: memberOf + + + + + + ldap_host_search_base (string) + + + Optional. Use the given string as search base for + host objects. + + + See ldap_search_base for + information about configuring multiple search + bases. + + + Default: the value of + ldap_search_base + + + + + + ldap_host_ssh_public_key (string) + + + The LDAP attribute that contains the host's SSH + public keys. + + + Default: sshPublicKey + + + + + + ldap_host_uuid (string) + + + The LDAP attribute that contains the UUID/GUID of + an LDAP host object. + + + Default: not set + + + + + + ldap_service_object_class (string) + + + The object class of a service entry in LDAP. + + + Default: ipService + + + + + + ldap_service_name (string) + + + The LDAP attribute that contains the name of + service attributes and their aliases. + + + Default: cn + + + + + + ldap_service_port (string) + + + The LDAP attribute that contains the port managed + by this service. + + + Default: ipServicePort + + + + + + ldap_service_proto (string) + + + The LDAP attribute that contains the protocols + understood by this service. + + + Default: ipServiceProtocol + + + + + + ldap_service_search_base (string) + + + + + ldap_search_timeout (integer) + + + Specifies the timeout (in seconds) that ldap + searches are allowed to run before they are + cancelled and cached results are returned (and + offline mode is entered) + + + Note: this option is subject to change in future + versions of the SSSD. It will likely be replaced at + some point by a series of timeouts for specific + lookup types. 
+ + + Default: 6 + + + + + + ldap_enumeration_search_timeout (integer) + + + Specifies the timeout (in seconds) that ldap + searches for user and group enumerations + are allowed to run before they are cancelled and + cached results are returned (and offline mode is + entered) + + + Default: 60 + + + + + + ldap_network_timeout (integer) + + + Specifies the timeout (in seconds) after which + the + + poll + 2 + / + select + 2 + + following a + + connect + 2 + + returns in case of no activity. + + + Default: 6 + + + + + + ldap_opt_timeout (integer) + + + Specifies a timeout (in seconds) after which + calls to synchronous LDAP APIs will abort if no + response is received. Also controls the timeout + when communicating with the KDC in case of SASL + bind, the timeout of an LDAP bind operation, + password change extended operation and the + StartTLS operation. + + + Default: 6 + + + + + + ldap_connection_expire_timeout (integer) + + + Specifies a timeout (in seconds) that a connection + to an LDAP server will be maintained. After this + time, the connection will be re-established. If + used in parallel with SASL/GSSAPI, the sooner of + the two values (this value vs. the TGT lifetime) + will be used. + + + Default: 900 (15 minutes) + + + + + + ldap_page_size (integer) + + + Specify the number of records to retrieve from + LDAP in a single request. Some LDAP servers + enforce a maximum limit per-request. + + + Default: 1000 + + + + + + ldap_disable_paging (boolean) + + + Disable the LDAP paging control. This option + should be used if the LDAP server reports that it + supports the LDAP paging control in its RootDSE + but it is not enabled or does not behave properly. + + + Example: OpenLDAP servers with the paging control + module installed on the server but not enabled + will report it in the RootDSE but be unable to use + it. + + + Example: 389 DS has a bug where it can only + support a one paging control at a time on a single + connection. 
On busy clients, this can result in + some requests being denied. + + + Default: False + + + + + + ldap_disable_range_retrieval (boolean) + + + Disable Active Directory range retrieval. + + + Active Directory limits the number of members to be + retrieved in a single lookup using the MaxValRange + policy (which defaults to 1500 members). If a group + contains more members, the reply would include an + AD-specific range extension. This option disables + parsing of the range extension, therefore large + groups will appear as having no members. + + + Default: False + + + + + + ldap_sasl_minssf (integer) + + + When communicating with an LDAP server using SASL, + specify the minimum security level necessary to + establish the connection. The values of this + option are defined by OpenLDAP. + + + Default: Use the system default (usually specified + by ldap.conf) + + + + + + ldap_deref_threshold (integer) + + + Specify the number of group members that must be + missing from the internal cache in order to trigger + a dereference lookup. If less members are missing, + they are looked up individually. + + + You can turn off dereference lookups completely by + setting the value to 0. + + + A dereference lookup is a means of fetching all + group members in a single LDAP call. + Different LDAP servers may implement different + dereference methods. The currently supported + servers are 389/RHDS, OpenLDAP and Active + Directory. + + + Note: + If any of the search bases specifies a search + filter, then the dereference lookup performance + enhancement will be disabled regardless of this + setting. + + + Default: 10 + + + + + + ldap_tls_reqcert (string) + + + Specifies what checks to perform on server + certificates in a TLS session, if any. It + can be specified as one of the following + values: + + + never = The client will + not request or check any server certificate. + + + allow = The server + certificate is requested. 
If no certificate is + provided, the session proceeds normally. If a + bad certificate is provided, it will be ignored + and the session proceeds normally. + + + try = The server certificate + is requested. If no certificate is provided, the + session proceeds normally. If a bad certificate + is provided, the session is immediately terminated. + + + demand = The server + certificate is requested. If no certificate + is provided, or a bad certificate is provided, + the session is immediately terminated. + + + hard = Same as + demand + + + Default: hard + + + + + + ldap_tls_cacert (string) + + + Specifies the file that contains certificates for + all of the Certificate Authorities that + sssd will recognize. + + + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + + + + + + ldap_tls_cacertdir (string) + + + Specifies the path of a directory that contains + Certificate Authority certificates in separate + individual files. Typically the file names need to + be the hash of the certificate followed by '.0'. + If available, cacertdir_rehash + can be used to create the correct names. + + + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + + + + + + ldap_tls_cert (string) + + + Specifies the file that contains the certificate + for the client's key. + + + Default: not set + + + + + + ldap_tls_key (string) + + + Specifies the file that contains the client's key. + + + Default: not set + + + + + + ldap_tls_cipher_suite (string) + + + Specifies acceptable cipher suites. Typically this + is a colon separated list. See + ldap.conf + 5 for format. + + + Default: use OpenLDAP defaults, typically in + /etc/openldap/ldap.conf + + + + + + ldap_id_use_start_tls (boolean) + + + Specifies that the id_provider connection must also + use tls to protect the channel. 
+ + + Default: false + + + + + + ldap_id_mapping (boolean) + + + Specifies that SSSD should attempt to map user and + group IDs from the ldap_user_objectsid and + ldap_group_objectsid attributes instead of relying + on ldap_user_uid_number and ldap_group_gid_number. + + + Currently this feature supports only + ActiveDirectory objectSID mapping. + + + Default: false + + + + + + ldap_min_id, ldap_max_id (integer) + + + In contrast to the SID based ID mapping which is + used if ldap_id_mapping is set to true the allowed + ID range for ldap_user_uid_number and + ldap_group_gid_number is unbound. In a setup with + sub/trusted-domains this might lead to ID + collisions. To avoid collisions ldap_min_id and + ldap_max_id can be set to restrict the allowed + range for the IDs which are read directly from the + server. Sub-domains can then pick other ranges to + map IDs. + + + Default: not set (both options are set to 0) + + + + + + ldap_sasl_mech (string) + + + Specify the SASL mechanism to use. + Currently only GSSAPI is tested and supported. + + + Default: not set + + + + + + ldap_sasl_authid (string) + + + Specify the SASL authorization id to use. + When GSSAPI is used, this represents the Kerberos + principal used for authentication to the directory. + This option can either contain the full principal (for + example host/myhost@EXAMPLE.COM) or just the principal name + (for example host/myhost). By default, the value is not set + and the following principals are used: + +hostname@REALM +netbiosname$@REALM +host/hostname@REALM +*$@REALM +host/*@REALM +host/* + + If none of them are found, the first principal in keytab is + returned. + + + Default: host/hostname@REALM + + + + + + ldap_sasl_realm (string) + + + Specify the SASL realm to use. When not specified, + this option defaults to the value of krb5_realm. + If the ldap_sasl_authid contains the realm as well, + this option is ignored. + + + Default: the value of krb5_realm. 
+ + + + + + ldap_sasl_canonicalize (boolean) + + + If set to true, the LDAP library would perform + a reverse lookup to canonicalize the host name + during a SASL bind. + + + Default: false; + + + + + + ldap_krb5_keytab (string) + + + Specify the keytab to use when using SASL/GSSAPI. + + + Default: System keytab, normally /etc/krb5.keytab + + + + + + ldap_krb5_init_creds (boolean) + + + Specifies that the id_provider should init + Kerberos credentials (TGT). + This action is performed only if SASL is used and + the mechanism selected is GSSAPI. + + + Default: true + + + + + + ldap_krb5_ticket_lifetime (integer) + + + Specifies the lifetime in seconds of the TGT if + GSSAPI is used. + + + Default: 86400 (24 hours) + + + + + + krb5_server, krb5_backup_server (string) + + + Specifies the comma-separated list of IP addresses or hostnames + of the Kerberos servers to which SSSD should + connect in the order of preference. For more + information on failover and server redundancy, + see the FAILOVER section. An optional + port number (preceded by a colon) may be appended to + the addresses or hostnames. + If empty, service discovery is enabled - + for more information, refer to the + SERVICE DISCOVERY section. + + + When using service discovery for KDC or kpasswd servers, + SSSD first searches for DNS entries that specify _udp as + the protocol and falls back to _tcp if none are found. + + + This option was named krb5_kdcip in + earlier releases of SSSD. While the legacy name is recognized + for the time being, users are advised to migrate their config + files to use krb5_server instead. + + + + + + krb5_realm (string) + + + Specify the Kerberos REALM (for SASL/GSSAPI auth). + + + Default: System defaults, see /etc/krb5.conf + + + + + + krb5_canonicalize (boolean) + + + Specifies if the host principal should be canonicalized + when connecting to LDAP server. 
This feature is + available with MIT Kerberos >= 1.7 + + + + Default: false + + + + + + krb5_use_kdcinfo (boolean) + + + Specifies if the SSSD should instruct the Kerberos + libraries what realm and which KDCs to use. This option + is on by default, if you disable it, you need to configure + the Kerberos library using the + + krb5.conf + 5 + + configuration file. + + + See the + + sssd_krb5_locator_plugin + 8 + + manual page for more information on the locator plugin. + + + Default: true + + + + + + ldap_pwd_policy (string) + + + Select the policy to evaluate the password + expiration on the client side. The following values + are allowed: + + + none - No evaluation on the + client side. This option cannot disable server-side + password policies. + + + shadow - Use + shadow + 5 style + attributes to evaluate if the password has expired. + + + mit_kerberos - Use the attributes + used by MIT Kerberos to determine if the password has + expired. Use chpass_provider=krb5 to update these + attributes when the password is changed. + + + Default: none + + + Note: if a password policy + is configured on server side, it always takes + precedence over policy set with this option. + + + + + + ldap_referrals (boolean) + + + Specifies whether automatic referral chasing should + be enabled. + + + Please note that sssd only supports referral chasing + when it is compiled with OpenLDAP version 2.4.13 or + higher. + + + Chasing referrals may incur a performance penalty + in environments that use them heavily, a notable + example is Microsoft Active Directory. If + your setup does not in fact require the use + of referrals, setting this option to false + might bring a noticeable performance improvement. + + + Default: true + + + + + + ldap_dns_service_name (string) + + + Specifies the service name to use when service + discovery is enabled. 
+ + + Default: ldap + + + + + + ldap_chpass_dns_service_name (string) + + + Specifies the service name to use to find an LDAP + server which allows password changes when service + discovery is enabled. + + + Default: not set, i.e. service discovery is disabled + + + + + + ldap_chpass_update_last_change (bool) + + + Specifies whether to update the + ldap_user_shadow_last_change attribute with + days since the Epoch after a password change + operation. + + + Default: False + + + + + + ldap_access_filter (string) + + + If using access_provider = ldap and + ldap_access_order = filter (default), this option is + mandatory. It specifies an LDAP search filter + criteria that must be met for the user to be + granted access on this host. If + access_provider = ldap, ldap_access_order = filter + and this option is not set, it will result in all + users being denied access. + Use access_provider = permit to change this default + behavior. Please note that this filter is applied on + the LDAP user entry only and thus filtering based + on nested groups may not work (e.g. memberOf + attribute on AD entries points only to direct + parents). If filtering based on nested groups + is required, please see + + sssd-simple5 + . + + + Example: + + +access_provider = ldap +ldap_access_filter = (employeeType=admin) + + + This example means that access to this host is + restricted to users whose employeeType + attribute is set to "admin". + + + Offline caching for this feature is limited to + determining whether the user's last online login + was granted access permission. If they were + granted access during their last login, they will + continue to be granted access while offline and + vice versa. + + + Default: Empty + + + + + + ldap_account_expire_policy (string) + + + With this option a client side evaluation of + access control attributes can be enabled. + + + Please note that it is always recommended to + use server side access control, i.e. 
the LDAP + server should deny the bind request with a + suitable error code even if the password is + correct. + + + The following values are allowed: + + + shadow: use the value of + ldap_user_shadow_expire to determine if the account + is expired. + + + ad: use the value of the 32bit + field ldap_user_ad_user_account_control and allow + access if the second bit is not set. If the + attribute is missing access is granted. Also the + expiration time of the account is checked. + + + rhds, ipa, + 389ds: + use the value of ldap_ns_account_lock to check if + access is allowed or not. + + + nds: the values of + ldap_user_nds_login_allowed_time_map, + ldap_user_nds_login_disabled and + ldap_user_nds_login_expiration_time are used to + check if access is allowed. If both attributes are + missing access is granted. + + + + Please note that the ldap_access_order + configuration option must + include expire in order for the + ldap_account_expire_policy option + to work. + + + Default: Empty + + + + + + ldap_access_order (string) + + + Comma separated list of access control options. + Allowed values are: + + + filter: use ldap_access_filter + + + lockout: use account locking. + If set, this option denies access in case that ldap + attribute 'pwdAccountLockedTime' is present and has + value of '000001010000Z'. Please see the option + ldap_pwdlockout_dn. + + Please note that 'access_provider = ldap' must + be set for this feature to work. + + + + Please note that this option is superseded by + the ppolicy option and might be + removed in a future release. + + + + ppolicy: use account locking. + If set, this option denies access in case that ldap + attribute 'pwdAccountLockedTime' is present and has + value of '000001010000Z' or represents any time in the past. + + The value of the 'pwdAccountLockedTime' attribute + must end with 'Z', which denotes the UTC time zone. 
+ Other time zones are not currently supported and + will result in "access-denied" when users attempt + to log in. + + Please see the option ldap_pwdlockout_dn. + Please note that 'access_provider = ldap' must + be set for this feature to work. + + + + expire: use + ldap_account_expire_policy + + + pwd_expire_policy_reject, + pwd_expire_policy_warn, + pwd_expire_policy_renew: + + These options are useful if users are interested + in being warned that password is about to expire + and authentication is based on using a different + method than passwords - for example SSH keys. + + + The difference between these options is the action + taken if user password is expired: + pwd_expire_policy_reject - user is denied to log in, + pwd_expire_policy_warn - user is still able to log in, + pwd_expire_policy_renew - user is prompted to change + his password immediately. + + + Note If user password is expired no explicit message + is prompted by SSSD. + + + Please note that 'access_provider = ldap' must + be set for this feature to work. Also 'ldap_pwd_policy' + must be set to an appropriate password policy. + + + authorized_service: use + the authorizedService attribute to determine + access + + + host: use the host attribute + to determine access + + + rhost: use the rhost attribute + to determine whether remote host can access + + + Please note, rhost field in pam is set by application, + it is better to check what the application sends to + pam, before enabling this access control option + + + Default: filter + + + Please note that it is a configuration error if a + value is used more than once. + + + + + + ldap_pwdlockout_dn (string) + + + This option specifies the DN of password policy entry + on LDAP server. Please note that absence of this + option in sssd.conf in case of enabled account + lockout checking will yield access denied as + ppolicy attributes on LDAP server cannot be checked + properly. 
+ + + Example: cn=ppolicy,ou=policies,dc=example,dc=com + + + Default: cn=ppolicy,ou=policies,$ldap_search_base + + + + + + ldap_deref (string) + + + Specifies how alias dereferencing is done when + performing a search. The following options are + allowed: + + + never: Aliases are never + dereferenced. + + + searching: Aliases are + dereferenced in subordinates of the base object, + but not in locating the base object of the search. + + + finding: Aliases are only + dereferenced when locating the base object of the + search. + + + always: Aliases are + dereferenced both in searching and in locating the + base object of the search. + + + Default: Empty (this is handled as + never by the LDAP client + libraries) + + + + + + ldap_rfc2307_fallback_to_local_users (boolean) + + + Allows to retain local users as members of an LDAP + group for servers that use the RFC2307 schema. + + + In some environments where the RFC2307 schema is + used, local users are made members of LDAP groups + by adding their names to the memberUid attribute. + The self-consistency of the domain is compromised + when this is done, so SSSD would normally remove + the "missing" users from the cached group + memberships as soon as nsswitch tries to fetch + information about the user via getpw*() or + initgroups() calls. + + + This option falls back to checking if local users + are referenced, and caches them so that later + initgroups() calls will augment the local users + with the additional LDAP groups. + + + Default: false + + + + + + wildcard_limit (integer) + + + Specifies an upper limit on the number of entries + that are downloaded during a wildcard lookup. + + + At the moment, only the InfoPipe responder supports + wildcard lookups. + + + Default: 1000 (often the size of one page) + + + + + + + + + + SUDO OPTIONS + + The detailed instructions for configuration of sudo_provider + are in the manual page + + sssd-sudo + 5 + . 
+ + + + + + ldap_sudorule_object_class (string) + + + The object class of a sudo rule entry in LDAP. + + + Default: sudoRole + + + + + + ldap_sudorule_name (string) + + + The LDAP attribute that corresponds to + the sudo rule name. + + + Default: cn + + + + + + ldap_sudorule_command (string) + + + The LDAP attribute that corresponds to the + command name. + + + Default: sudoCommand + + + + + + ldap_sudorule_host (string) + + + The LDAP attribute that corresponds to the + host name (or host IP address, host IP network, + or host netgroup) + + + Default: sudoHost + + + + + + ldap_sudorule_user (string) + + + The LDAP attribute that corresponds to the + user name (or UID, group name or user's netgroup) + + + Default: sudoUser + + + + + + ldap_sudorule_option (string) + + + The LDAP attribute that corresponds to the + sudo options. + + + Default: sudoOption + + + + + + ldap_sudorule_runasuser (string) + + + The LDAP attribute that corresponds to the + user name that commands may be run as. + + + Default: sudoRunAsUser + + + + + + ldap_sudorule_runasgroup (string) + + + The LDAP attribute that corresponds to the group + name or group GID that commands may be run as. + + + Default: sudoRunAsGroup + + + + + + ldap_sudorule_notbefore (string) + + + The LDAP attribute that corresponds to the + start date/time for when the sudo rule is valid. + + + Default: sudoNotBefore + + + + + + ldap_sudorule_notafter (string) + + + The LDAP attribute that corresponds to the + expiration date/time, after which the sudo rule + will no longer be valid. + + + Default: sudoNotAfter + + + + + + ldap_sudorule_order (string) + + + The LDAP attribute that corresponds to the + ordering index of the rule. + + + Default: sudoOrder + + + + + + ldap_sudo_full_refresh_interval (integer) + + + How many seconds SSSD will wait between executing + a full refresh of sudo rules (which downloads all + rules that are stored on the server). 
+ + + The value must be greater than + ldap_sudo_smart_refresh_interval + + + + Default: 21600 (6 hours) + + + + + + ldap_sudo_smart_refresh_interval (integer) + + + How many seconds SSSD has to wait before executing + a smart refresh of sudo rules (which downloads all + rules that have USN higher than the highest USN of + cached rules). + + + If USN attributes are not supported by the server, + the modifyTimestamp attribute is used instead. + + + Default: 900 (15 minutes) + + + + + + ldap_sudo_use_host_filter (boolean) + + + If true, SSSD will download only rules that are + applicable to this machine (using the IPv4 or IPv6 + host/network addresses and hostnames). + + + Default: true + + + + + + ldap_sudo_hostnames (string) + + + Space separated list of hostnames or fully qualified + domain names that should be used to filter + the rules. + + + If this option is empty, SSSD will try to discover + the hostname and the fully qualified domain name + automatically. + + + If ldap_sudo_use_host_filter + is false then this option + has no effect. + + + Default: not specified + + + + + + ldap_sudo_ip (string) + + + Space separated list of IPv4 or IPv6 + host/network addresses that should be used to filter + the rules. + + + If this option is empty, SSSD will try to + discover the addresses automatically. + + + If ldap_sudo_use_host_filter + is false then this option + has no effect. + + + Default: not specified + + + + + + ldap_sudo_include_netgroups (boolean) + + + If true then SSSD will download every rule that + contains a netgroup in sudoHost attribute. + + + If ldap_sudo_use_host_filter + is false then this option + has no effect. + + + Default: true + + + + + + ldap_sudo_include_regexp (boolean) + + + If true then SSSD will download every rule that + contains a wildcard in sudoHost attribute. + + + If ldap_sudo_use_host_filter + is false then this option + has no effect. + + + Default: true + + + + + + + This manual page only describes attribute name mapping. 
+ For detailed explanation of sudo related attribute semantics, + see + + sudoers.ldap5 + + + + + + AUTOFS OPTIONS + + Some of the defaults for the parameters below are dependent on the + LDAP schema. + + + + + ldap_autofs_map_master_name (string) + + + The name of the automount master map in LDAP. + + + Default: auto.master + + + + + + + ldap_autofs_map_object_class (string) + + + The object class of an automount map entry in LDAP. + + + Default: nisMap (rfc2307, autofs_provider=ad), + otherwise automountMap + + + + + + + ldap_autofs_map_name (string) + + + The name of an automount map entry in LDAP. + + + Default: nisMapName (rfc2307, + autofs_provider=ad), otherwise automountMapName + + + + + + + ldap_autofs_entry_object_class (string) + + + The object class of an automount entry + in LDAP. The entry usually corresponds to a mount + point. + + + Default: nisObject (rfc2307, autofs_provider=ad), + otherwise automount + + + + + + + ldap_autofs_entry_key (string) + + + The key of an automount entry in LDAP. The + entry usually corresponds to a mount point. + + + Default: cn (rfc2307, autofs_provider=ad), + otherwise automountKey + + + + + + + ldap_autofs_entry_value (string) + + + The key of an automount entry in LDAP. The + entry usually corresponds to a mount point. + + + Default: nisMapEntry (rfc2307, + autofs_provider=ad), otherwise automountInformation + + + + + + + + + + ADVANCED OPTIONS + + These options are supported by LDAP domains, but they should be used + with caution. Please include them in your configuration only if you + know what you are doing. + + + ldap_netgroup_search_base (string) + + + + + ldap_user_search_base (string) + + + + + ldap_group_search_base (string) + + + + + + + If the option ldap_use_tokengroups is + enabled, the searches against Active Directory will + not be restricted and return all groups memberships, + even with no GID mapping. It is recommended to disable + this feature, if group names are not being displayed + correctly. 
+
+
+
+ ldap_sudo_search_base (string)
+
+
+
+
+ ldap_autofs_search_base (string)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The following example assumes that SSSD is correctly
+ configured and LDAP is set to one of the domains in the
+ [domains] section.
+
+
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+ldap_uri = ldap://ldap.mydomain.org
+ldap_search_base = dc=mydomain,dc=org
+ldap_tls_reqcert = demand
+cache_credentials = true
+
+
+
+
+ LDAP ACCESS FILTER EXAMPLE
+
+ The following example assumes that SSSD is correctly
+ configured and to use the ldap_access_order=lockout.
+
+
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+access_provider = ldap
+ldap_access_order = lockout
+ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org
+ldap_uri = ldap://ldap.mydomain.org
+ldap_search_base = dc=mydomain,dc=org
+ldap_tls_reqcert = demand
+cache_credentials = true
+
+
+
+
+
+ NOTES
+
+ The descriptions of some of the configuration options in this manual
+ page are based on the
+ ldap.conf
+ 5
+ manual page from the OpenLDAP 2.4 distribution.
+
+
+
+
+
+
+
diff --git a/src/man/sssd-secrets.5.xml b/src/man/sssd-secrets.5.xml
new file mode 100644
index 0000000..a738fbf
--- /dev/null
+++ b/src/man/sssd-secrets.5.xml
@@ -0,0 +1,625 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd-secrets
+ 5
+ File Formats and Conventions
+
+
+
+ sssd-secrets
+ SSSD Secrets responder
+
+
+
+ DESCRIPTION
+
+ This manual page describes the configuration of the Secrets responder
+ for
+
+ sssd
+ 8
+ .
+ For a detailed syntax reference, refer to the FILE FORMAT section of the
+
+ sssd.conf
+ 5
+ manual page.
+
+
+ Many system and user applications need to store private
+ information such as passwords or service keys and have no good
+ way to properly deal with them. The simple approach is to embed
+ these secrets into configuration files
+ potentially ending up exposing sensitive key material to
+ backups, config management system and in general making it
+ harder to secure data.
+
+
+ The custodia
+ project was born to deal with this problem in cloud like
+ environments, but we found the idea compelling even at a
+ single system level. As a security service, SSSD is ideal to
+ host this capability while offering the same API via a UNIX
+ Socket. This will make it possible to use local calls and have
+ them transparently routed to a local or a remote key management
+ store like IPA Vault for storage, escrow and recovery.
+
+
+ The secrets are simple key-value pairs. Each user's secrets are
+ namespaced using their user ID, which means the secrets will never
+ collide between users. Secrets can be stored inside
+ containers which can be nested.
+
+
+ Since the secrets responder can be used both externally to store
+ general secrets, as described in the rest of this man page, but
+ also internally by other SSSD components to store their secret
+ material, some configuration options, like quotas can be configured
+ per hive in a configuration subsection named after
+ the hive. The currently supported hives are:
+
+
+ secrets
+ secrets for general usage
+
+
+ kcm
+
+ used by the
+
+ sssd-kcm
+ 8
+
+ service.
+
+
+
+
+
+
+
+
+ USING THE SECRETS RESPONDER
+
+ The UNIX socket the SSSD responder listens on is located at
+ /var/run/secrets.socket.
+
+
+ The secrets responder is socket-activated by
+
+ systemd
+ 1
+ .
+ Unlike
+ other SSSD responders, it cannot be started by adding the
+ secrets string to the service
+ directive.
+ The systemd socket unit is called
+ sssd-secrets.socket and the corresponding service
+ file is called sssd-secrets.service. In order
+ for the service to be socket-activated, make sure the socket
+ is enabled and active and the service is enabled:
+
+systemctl start sssd-secrets.socket
+systemctl enable sssd-secrets.socket
+systemctl enable sssd-secrets.service
+
+ Please note your distribution may already configure the units
+ for you.
+
+
+
+
+ CONFIGURATION OPTIONS
+
+ The generic SSSD responder options such as
+ debug_level or fd_limit are
+ accepted by the secrets responder. Please refer to the
+
+ sssd.conf
+ 5
+ manual page for a complete list. In addition,
+ there are some secrets-specific options as well.
+
+
+ The secrets responder is configured with a global
+ [secrets] section and an optional per-user
+ [secrets/users/$uid] section in
+ sssd.conf. Please note that some options,
+ notably as the provider type, can only be specified in the per-user
+ subsections.
+
+
+
+ provider (string)
+
+
+ This option specifies where should the secrets be
+ stored. The secrets responder can configure a per-user
+ subsections (e.g. [secrets/users/123]
+ - see bottom of this manual page for a full example
+ using Custodia for a particular user) that define
+ which provider store the secrets for this particular
+ user. The per-user subsections should contain all
+ options for that user's provider. Please note that
+ currently the global provider is always local, the
+ proxy provider can only be specified in a per-user
+ section.
The following providers are supported:
+
+
+ local
+
+
+ The secrets are stored in a local database,
+ encrypted at rest with a master key. The local
+ provider does not have any additional config options
+ at the moment.
+
+
+
+
+ proxy
+
+
+ The secrets responder forwards the requests to
+ a Custodia server. The proxy provider supports
+ several additional options (see below).
+
+
+
+
+
+
+ Default: local
+
+
+
+
+
+ The following options affect only the secrets hive
+ and therefore should be set in a per-hive subsection. Setting the
+ option to 0 means "unlimited".
+
+
+
+ containers_nest_level (integer)
+
+
+ This option specifies the maximum allowed number of nested
+ containers.
+
+
+ Default: 4
+
+
+
+
+ max_secrets (integer)
+
+
+ This option specifies the maximum number of secrets that
+ can be stored in the hive.
+
+
+ Default: 1024 (secrets hive), 256 (kcm hive)
+
+
+
+
+ max_uid_secrets (integer)
+
+
+ This option specifies the maximum number of secrets that
+ can be stored per-UID in the hive.
+
+
+ Default: 256 (secrets hive), 64 (kcm hive)
+
+
+
+
+ max_payload_size (integer)
+
+
+ This option specifies the maximum payload size allowed for
+ a secret payload in kilobytes.
+
+
+ Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)
+
+
+
+
+
+ For example, to adjust quotas differently for both the secrets
+ and the kcm hives, configure the following:
+
+[secrets/secrets]
+max_payload_size = 128
+
+[secrets/kcm]
+max_payload_size = 256
+
+
+
+ The following options are only applicable for configurations that
+ use the proxy provider.
+
+
+
+ proxy_url (string)
+
+
+ The URL the Custodia server is listening on. At the moment,
+ http and https protocols are supported.
+
+
+ The format of the URI must match the format defined in RFC 2732:
+
+
+ http[s]://<host>[:port]
+
+
+ Example: http://localhost:8080
+
+
+
+
+ auth_type (string)
+
+
+ The method to use when authenticating to a Custodia server.
The
+ following authentication methods are supported:
+
+
+
+ basic_auth
+
+
+ Authenticate with a username and a password as set
+ in the username and
+ password options.
+
+
+
+
+ header
+
+
+ Authenticate with HTTP header value as defined in
+ the auth_header_name and
+ auth_header_value
+ configuration options.
+
+
+
+
+
+
+
+ auth_header_name (string)
+
+
+ If set, the secrets responder would put a header with this name
+ into the HTTP request with the value defined in the
+ auth_header_value configuration option.
+
+
+ Example: MYSECRETNAME
+
+
+
+
+ auth_header_value (string)
+
+
+ The value sssd-secrets would use for the
+ auth_header_name.
+
+
+ Example: mysecret
+
+
+
+
+ forward_headers (list of strings)
+
+
+ The list of HTTP headers to forward to the Custodia server
+ together with the request.
+
+
+ Default: not set
+
+
+
+
+ verify_peer (boolean)
+
+
+ Whether peer's certificate should be verified and valid
+ if HTTPS protocol is used with the proxy provider.
+
+
+ Default: true
+
+
+
+
+ verify_host (boolean)
+
+
+ Whether peer's hostname must match with hostname in
+ its certificate if HTTPS protocol is used with the
+ proxy provider.
+
+
+ Default: true
+
+
+
+
+ capath (string)
+
+
+ Path to directory containing stored certificate authority
+ certificates. System default path is used if this option is
+ not set.
+
+
+ Default: not set
+
+
+
+
+ cacert (string)
+
+
+ Path to file containing server's certificate authority
+ certificate. If this option is not set then the CA's
+ certificate is looked up in capath.
+
+
+ Default: not set
+
+
+
+
+ cert (string)
+
+
+ Path to file containing client's certificate if required
+ by the server. This file may also contain private key or
+ the private key may be in separate file set with
+ key.
+
+
+ Default: not set
+
+
+
+
+ key (string)
+
+
+ Path to file containing client's private key.
+
+
+ Default: not set
+
+
+
+
+
+
+ USING THE REST API
+
+ This section lists the available commands and includes examples using the
+
+ curl
+ 1
+ utility.
+ All requests towards the proxy provider must set the Content
+ Type header to application/json. In addition,
+ the local provider also supports Content Type set to
+ application/octet-stream.
+ Secrets stored with requests that set the Content Type header
+ to application/octet-stream are base64-encoded
+ when stored and decoded when retrieved, so it's not possible to
+ store a secret with one Content Type and retrieve with another.
+ The secret URI must begin with /secrets/.
+
+
+
+ Listing secrets
+
+
+ To list the available secrets, send a HTTP GET request
+ with a trailing slash appended to the container path.
+
+
+ Example:
+
+curl -H "Content-Type: application/json" \
+ --unix-socket /var/run/secrets.socket \
+ -XGET http://localhost/secrets/
+
+
+
+
+
+ Retrieving a secret
+
+
+ To read a value of a single secret, send a HTTP GET request
+ without a trailing slash. The last portion of the URI is the name
+ of the secret.
+
+
+ Examples:
+
+curl -H "Content-Type: application/json" \
+ --unix-socket /var/run/secrets.socket \
+ -XGET http://localhost/secrets/foo
+
+
+curl -H "Content-Type: application/octet-stream" \
+ --unix-socket /var/run/secrets.socket \
+ -XGET http://localhost/secrets/bar
+
+
+
+
+
+ Setting a secret
+
+
+ To set a secret using the application/json
+ type, send a HTTP PUT request with a
+ JSON payload that includes type and value. The type
+ should be set to "simple" and the value should be
+ set to the secret value. If a secret with that name
+ already exists, the response is a 409 HTTP error.
+
+
+ The application/json type just sends
+ the secret as the message payload.
+
+
+ The following example sets a secret named 'foo'
+ to a value of 'foosecret' and a secret named 'bar'
+ to a value of 'barsecret' using a different
+ Content Type.
+
+curl -H "Content-Type: application/json" \
+ --unix-socket /var/run/secrets.socket \
+ -XPUT http://localhost/secrets/foo \
+ -d'{"type":"simple","value":"foosecret"}'
+
+
+curl -H "Content-Type: application/octet-stream" \
+ --unix-socket /var/run/secrets.socket \
+ -XPUT http://localhost/secrets/bar \
+ -d'barsecret'
+
+
+
+
+
+ Creating a container
+
+
+ Containers provide an additional namespace for
+ this user's secrets. To create a container, send
+ a HTTP POST request, whose URI ends with the
+ container name. Please note the URI must end with
+ a trailing slash.
+
+
+ The following example creates a container named
+ 'mycontainer':
+
+curl -H "Content-Type: application/json" \
+ --unix-socket /var/run/secrets.socket \
+ -XPOST http://localhost/secrets/mycontainer/
+
+
+
+ To manipulate secrets under this container, just nest the
+ secrets underneath the container path:
+
+http://localhost/secrets/mycontainer/mysecret
+
+
+
+
+
+ Deleting a secret or a container
+
+
+ To delete a secret or a container, send a HTTP DELETE
+ request with a path to the secret or the container.
+
+
+ The following example deletes a secret named 'foo'.
+
+curl -H "Content-Type: application/json" \
+ --unix-socket /var/run/secrets.socket \
+ -XDELETE http://localhost/secrets/foo
+
+
+
+
+
+
+
+ EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION
+
+ For testing the proxy provider, you need to set up a Custodia server
+ to proxy requests to. Please always consult the Custodia documentation,
+ the configuration directives might change with different Custodia versions.
+
+
+ This configuration will set up a Custodia server listening on
+ http://localhost:8080, allowing anyone with header named MYSECRETNAME
+ set to mysecretkey to communicate with the Custodia server.
+ Place the contents into a file (for example,
+ custodia.conf):
+
+[global]
+server_version = "Secret/0.0.7"
+server_url = http://localhost:8080/
+auditlog = /var/log/custodia.log
+debug = True
+
+[store:simple]
+handler = custodia.store.sqlite.SqliteStore
+dburi = /var/lib/custodia.db
+table = secrets
+
+[auth:header]
+handler = custodia.httpd.authenticators.SimpleHeaderAuth
+header = MYSECRETNAME
+value = mysecretkey
+
+[authz:paths]
+handler = custodia.httpd.authorizers.SimplePathAuthz
+paths = /secrets
+
+[/]
+handler = custodia.root.Root
+store = simple
+
+
+
+ Then run the custodia command, pointing it
+ at the config file as a command line argument.
+
+
+ Please note that currently it's not possible to proxy all
+ requests globally to a Custodia instance. Instead, per-user
+ subsections for user IDs that should proxy requests to Custodia
+ must be defined. The following example illustrates a configuration,
+ where the user with UID 123 would proxy their requests to Custodia,
+ but all other user's requests would be handled by a local provider.
+
+
+[secrets]
+
+[secrets/users/123]
+provider = proxy
+proxy_url = http://localhost:8080/secrets/
+auth_type = header
+auth_header_name = MYSECRETNAME
+auth_header_value = mysecretkey
+
+
+
+
diff --git a/src/man/sssd-session-recording.5.xml b/src/man/sssd-session-recording.5.xml
new file mode 100644
index 0000000..c4b6d7a
--- /dev/null
+++ b/src/man/sssd-session-recording.5.xml
@@ -0,0 +1,162 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd-session-recording
+ 5
+ File Formats and Conventions
+
+
+
+ sssd-session-recording
+ Configuring session recording with SSSD
+
+
+
+ DESCRIPTION
+
+ This manual page describes how to configure
+
+ sssd
+ 8
+ to work with
+
+ tlog-rec-session
+ 8
+ , a part of tlog package, to implement user session
+ recording on text terminals.
+ For a detailed configuration syntax reference, refer to the
+ FILE FORMAT section of the
+
+ sssd.conf
+ 5
+ manual page.
+
+
+ SSSD can be set up to enable recording of everything specific
+ users see or type during their sessions on text terminals. E.g.
+ when users log in on the console, or via SSH. SSSD itself doesn't
+ record anything, but makes sure tlog-rec-session is started upon
+ user login, so it can record according to its configuration.
+
+
+ For users with session recording enabled, SSSD replaces the user
+ shell with tlog-rec-session in NSS responses, and adds a variable
+ specifying the original shell to the user environment, upon PAM
+ session setup. This way tlog-rec-session can be started in place
+ of the user shell, and know which actual shell to start, once it
+ set up the recording.
+
+
+
+
+ CONFIGURATION OPTIONS
+
+ These options can be used to configure the session recording.
+
+
+
+ scope (string)
+
+
+ One of the following strings specifying the scope
+ of session recording:
+
+
+ "none"
+
+
+ No users are recorded.
+
+
+
+
+ "some"
+
+
+ Users/groups specified by
+ users
+ and
+ groups
+ options are recorded.
+
+
+
+
+ "all"
+
+
+ All users are recorded.
+
+
+
+
+
+
+ Default: "none"
+
+
+
+
+ users (string)
+
+
+ A comma-separated list of users which should have
+ session recording enabled. Matches user names as
+ returned by NSS. I.e. after the possible space
+ replacement, case changes, etc.
+
+
+ Default: Empty. Matches no users.
+
+
+
+
+ groups (string)
+
+
+ A comma-separated list of groups, members of which
+ should have session recording enabled. Matches
+ group names as returned by NSS. I.e. after the
+ possible space replacement, case changes, etc.
+
+
+ NOTE: using this option (having it set to
+ anything) has a considerable performance cost,
+ because each uncached request for a user requires
+ retrieving and matching the groups the user is
+ member of.
+
+
+ Default: Empty. Matches no groups.
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The following snippet of sssd.conf enables session recording for
+ users "contractor1" and "contractor2", and group "students".
+
+
+
+[session_recording]
+scope = some
+users = contractor1, contractor2
+groups = students
+
+
+
+
+
+
+
+
diff --git a/src/man/sssd-simple.5.xml b/src/man/sssd-simple.5.xml
new file mode 100644
index 0000000..c7ac179
--- /dev/null
+++ b/src/man/sssd-simple.5.xml
@@ -0,0 +1,164 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd-simple
+ 5
+ File Formats and Conventions
+
+
+
+ sssd-simple
+ the configuration file for SSSD's 'simple' access-control
+ provider
+
+
+
+ DESCRIPTION
+
+ This manual page describes the configuration of the simple
+ access-control provider for
+
+ sssd
+ 8
+ .
+ For a detailed syntax reference, refer to the
+ FILE FORMAT section of the
+
+ sssd.conf
+ 5
+ manual page.
+
+
+ The simple access provider grants or denies access based on an
+ access or deny list of user or group names. The following rules
+ apply:
+
+
+ If all lists are empty, access is granted
+
+
+
+ If any list is provided, the order of evaluation is
+ allow,deny. This means that any matching deny rule
+ will supersede any matched allow rule.
+
+
+
+
+ If either or both "allow" lists are provided, all
+ users are denied unless they appear in the list.
+
+
+
+
+ If only "deny" lists are provided, all users are
+ granted access unless they appear in the list.
+
+
+
+
+
+
+
+ CONFIGURATION OPTIONS
+ Refer to the section DOMAIN SECTIONS of the
+
+ sssd.conf
+ 5
+ manual page for details on the configuration of an
+ SSSD domain.
+
+
+ simple_allow_users (string)
+
+
+ Comma separated list of users who are allowed to
+ log in.
+
+
+
+
+
+ simple_deny_users (string)
+
+
+ Comma separated list of users who are explicitly
+ denied access.
+
+
+
+
+ simple_allow_groups (string)
+
+
+ Comma separated list of groups that are allowed to
+ log in. This applies only to groups within this
+ SSSD domain. Local groups are not evaluated.
+
+
+
+
+
+ simple_deny_groups (string)
+
+
+ Comma separated list of groups that are explicitly
+ denied access. This applies only to groups within
+ this SSSD domain. Local groups are not evaluated.
+
+
+
+
+
+
+ Specifying no values for any of the lists is equivalent
+ to skipping it entirely. Beware of this while generating
+ parameters for the simple provider using automated scripts.
+
+
+ Please note that it is an configuration error if both,
+ simple_allow_users and simple_deny_users, are defined.
+
+
+
+
+ EXAMPLE
+
+ The following example assumes that SSSD is correctly
+ configured and example.com is one of the domains in the
+ [sssd] section. This examples shows only
+ the simple access provider-specific options.
+
+
+
+[domain/example.com]
+access_provider = simple
+simple_allow_users = user1, user2
+
+
+
+
+
+ NOTES
+
+ The complete group membership hierarchy is resolved
+ before the access check, thus even nested groups can be
+ included in the access lists. Please be aware that the
+ ldap_group_nesting_level option may impact the
+ results and should be set to a sufficient value.
+ (
+ sssd-ldap5
+ ) option.
+
+
+
+
+
+
+
diff --git a/src/man/sssd-sudo.5.xml b/src/man/sssd-sudo.5.xml
new file mode 100644
index 0000000..5bc56c4
--- /dev/null
+++ b/src/man/sssd-sudo.5.xml
@@ -0,0 +1,215 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd-sudo
+ 5
+ File Formats and Conventions
+
+
+
+ sssd-sudo
+ Configuring sudo with the SSSD back end
+
+
+
+ DESCRIPTION
+
+ This manual page describes how to configure
+
+ sudo
+ 8
+ to work with
+
+ sssd
+ 8
+ and how SSSD caches sudo rules.
+
+
+
+
+ Configuring sudo to cooperate with SSSD
+
+ To enable SSSD as a source for sudo rules, add
+ sss to the sudoers entry
+ in
+
+ nsswitch.conf
+ 5
+ .
+
+
+ For example, to configure sudo to first lookup rules in the standard
+
+ sudoers
+ 5
+ file (which should contain rules that apply to
+ local users) and then in SSSD, the nsswitch.conf file should contain
+ the following line:
+
+
+
+sudoers: files sss
+
+
+
+ More information about configuring the sudoers search order from the
+ nsswitch.conf file as well as information about the LDAP schema that
+ is used to store sudo rules in the directory can be found in
+
+ sudoers.ldap
+ 5
+ .
+
+
+ Note: in order to use netgroups or IPA
+ hostgroups in sudo rules, you also need to correctly set
+
+ nisdomainname
+ 1
+
+ to your NIS domain name (which equals to IPA domain name when
+ using hostgroups).
+
+
+
+
+ Configuring SSSD to fetch sudo rules
+
+ All configuration that is needed on SSSD side is to extend the list
+ of services with "sudo" in [sssd] section of
+
+ sssd.conf
+ 5
+ . To speed up the LDAP lookups, you can also set
+ search base for sudo rules using
+ ldap_sudo_search_base option.
+
+
+ The following example shows how to configure SSSD to download sudo
+ rules from an LDAP server.
+
+
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = EXAMPLE
+
+[domain/EXAMPLE]
+id_provider = ldap
+sudo_provider = ldap
+ldap_uri = ldap://example.com
+ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
+
+
+ It's important to note that on platforms where systemd is supported
+ there's no need to add the "sudo" provider to the list of services,
+ as it became optional.
However, sssd-sudo.socket must be enabled
+ instead.
+
+
+
+ When SSSD is configured to use IPA as the ID provider, the
+ sudo provider is automatically enabled. The sudo search base is
+ configured to use the IPA native LDAP tree (cn=sudo,$SUFFIX).
+ If any other search base is defined in sssd.conf, this value will be
+ used instead. The compat tree (ou=sudoers,$SUFFIX) is no longer
+ required for IPA sudo functionality.
+
+
+
+
+ The SUDO rule caching mechanism
+
+ The biggest challenge, when developing sudo support in SSSD, was to
+ ensure that running sudo with SSSD as the data source provides the
+ same user experience and is as fast as sudo but keeps providing
+ the most current set of rules as possible. To satisfy these
+ requirements, SSSD uses three kinds of updates. They are referred to
+ as full refresh, smart refresh and rules refresh.
+
+
+ The smart refresh periodically downloads rules
+ that are new or were modified after the last update. Its primary
+ goal is to keep the database growing by fetching only small
+ increments that do not generate large amounts of network traffic.
+
+
+ The full refresh simply deletes all sudo rules
+ stored in the cache and replaces them with all rules that are stored
+ on the server. This is used to keep the cache consistent by removing
+ every rule which was deleted from the server. However, full refresh
+ may produce a lot of traffic and thus it should be run only
+ occasionally depending on the size and stability of the sudo rules.
+
+
+ The rules refresh ensures that we do not grant
+ the user more permission than defined. It is triggered each time the
+ user runs sudo. Rules refresh will find all rules that apply to this
+ user, check their expiration time and redownload them if expired.
+ In the case that any of these rules are missing on the server, the
+ SSSD will do an out of band full refresh because more rules
+ (that apply to other users) may have been deleted.
+
+
+ If enabled, SSSD will store only rules that can be applied to this
+ machine. This means rules that contain one of the following values
+ in sudoHost attribute:
+
+
+
+
+ keyword ALL
+
+
+
+
+ wildcard
+
+
+
+
+ netgroup (in the form "+netgroup")
+
+
+
+
+ hostname or fully qualified domain name of this machine
+
+
+
+
+ one of the IP addresses of this machine
+
+
+
+
+ one of the IP addresses of the network
+ (in the form "address/mask")
+
+
+
+
+ There are many configuration options that can be used to adjust
+ the behavior. Please refer to "ldap_sudo_*" in
+
+ sssd-ldap
+ 5
+ and "sudo_*" in
+
+ sssd.conf
+ 5
+ .
+
+
+
+
+
+
+
diff --git a/src/man/sssd-systemtap.5.xml b/src/man/sssd-systemtap.5.xml
new file mode 100644
index 0000000..f7b04e0
--- /dev/null
+++ b/src/man/sssd-systemtap.5.xml
@@ -0,0 +1,386 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd-systemtap
+ 5
+ File Formats and Conventions
+
+
+
+ sssd-systemtap
+ SSSD systemtap information
+
+
+
+ DESCRIPTION
+
+ This manual page provides information about
+ the systemtap functionality
+ in
+
+ sssd
+ 8
+ .
+
+
+ SystemTap Probe points have been added into various
+ locations in SSSD code to assist in troubleshooting
+ and analyzing performance related issues.
+
+
+
+
+
+ Sample SystemTap scripts are
+ provided in /usr/share/sssd/systemtap/
+
+
+
+
+ Probes and miscellaneous functions are
+ defined in /usr/share/systemtap/tapset/sssd.stp
+ and /usr/share/systemtap/tapset/sssd_functions.stp
+ respectively.
+
+
+
+
+
+
+
+ PROBE POINTS
+
+ The information below lists the probe points and arguments available
+ in the following format:
+
+
+
+ probe $name
+
+
+ Description of probe point
+
+
+variable1:datatype
+variable2:datatype
+variable3:datatype
+...
+
+
+
+
+
+
+ Database Transaction Probes
+
+
+
+ probe sssd_transaction_start
+
+
+ Start of a sysdb transaction, probes the
+ sysdb_transaction_start() function.
+
+
+nesting:integer
+probestr:string
+
+
+
+
+ probe sssd_transaction_cancel
+
+
+ Cancellation of a sysdb transaction,
+ probes the sysdb_transaction_cancel()
+ function.
+
+
+nesting:integer
+probestr:string
+
+
+
+
+ probe sssd_transaction_commit_before
+
+
+ Probes the sysdb_transaction_commit_before()
+ function.
+
+
+nesting:integer
+probestr:string
+
+
+
+
+ probe sssd_transaction_commit_after
+
+
+ Probes the sysdb_transaction_commit_after()
+ function.
+
+
+nesting:integer
+probestr:string
+
+
+
+
+
+
+
+
+ LDAP Search Probes
+
+
+
+ probe sdap_search_send
+
+
+ Probes the sdap_get_generic_ext_send()
+ function.
+
+
+base:string
+scope:integer
+filter:string
+probestr:string
+
+
+
+
+ probe sdap_search_recv
+
+
+ Probes the sdap_get_generic_ext_recv()
+ function.
+
+
+base:string
+scope:integer
+filter:string
+probestr:string
+
+
+
+
+ probe sdap_deref_send
+
+
+ Probes the sdap_deref_search_send()
+ function.
+
+
+base_dn:string
+deref_attr:string
+probestr:string
+
+
+
+
+ probe sdap_deref_recv
+
+
+ Probes the sdap_deref_search_recv()
+ function.
+
+
+base:string
+scope:integer
+filter:string
+probestr:string
+
+
+
+
+
+
+
+
+ LDAP Account Request Probes
+
+
+
+ probe sdap_acct_req_send
+
+
+ Probes the sdap_acct_req_send()
+ function.
+
+
+entry_type:int
+filter_type:int
+filter_value:string
+extra_value:string
+
+
+
+
+ probe sdap_acct_req_recv
+
+
+ Probes the sdap_acct_req_recv()
+ function.
+
+
+entry_type:int
+filter_type:int
+filter_value:string
+extra_value:string
+
+
+
+
+
+
+
+
+ LDAP User Search Probes
+
+
+
+ probe sdap_search_user_send
+
+
+ Probes the sdap_search_user_send()
+ function.
+
+
+filter:string
+
+
+
+
+ probe sdap_search_user_recv
+
+
+ Probes the sdap_search_user_recv()
+ function.
+
+
+filter:string
+
+
+
+
+ probe sdap_search_user_save_begin
+
+
+ Probes the sdap_search_user_save_begin()
+ function.
+
+
+filter:string
+
+
+
+
+ probe sdap_search_user_save_end
+
+
+ Probes the sdap_search_user_save_end()
+ function.
+
+
+filter:string
+
+
+
+
+
+
+
+
+ Data Provider Request Probes
+
+
+
+ probe dp_req_send
+
+
+ A Data Provider request is submitted.
+
+
+dp_req_domain:string
+dp_req_name:string
+dp_req_target:int
+dp_req_method:int
+
+
+
+
+ probe dp_req_done
+
+
+ A Data Provider request is completed.
+
+
+dp_req_name:string
+dp_req_target:int
+dp_req_method:int
+dp_ret:int
+dp_errorstr:string
+
+
+
+
+
+
+
+
+ MISCELLANEOUS FUNCTIONS
+
+ The information below lists the probe points and arguments available
+ in the following format:
+
+
+
+ function acct_req_desc(entry_type)
+
+
+ Convert entry_type to string and return string
+
+
+
+
+ function sssd_acct_req_probestr(fc_name, entry_type,
+ filter_type, filter_value, extra_value)
+
+
+ Create probe string based on filter type
+
+
+
+
+ function dp_target_str(target)
+
+
+ Convert target to string and return string
+
+
+
+
+ function dp_method_str(target)
+
+
+ Convert method to string and return string
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/man/sssd.8.xml b/src/man/sssd.8.xml
new file mode 100644
index 0000000..f2cbe01
--- /dev/null
+++ b/src/man/sssd.8.xml
@@ -0,0 +1,240 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd
+ 8
+
+
+
+ sssd
+ System Security Services Daemon
+
+
+
+
+ sssd
+
+ options
+
+
+
+
+
+ DESCRIPTION
+
+ SSSD provides a set of daemons to manage access to remote
+ directories and authentication mechanisms. It provides an NSS and
+ PAM interface toward the system and a pluggable backend system to
+ connect to multiple different account sources as well as D-Bus
+ interface. It is also the basis to provide client auditing and
+ policy services for projects like FreeIPA. It provides a more robust database
+ to store local users as well as extended user data.
+
+
+
+
+ OPTIONS
+
+
+
+ ,
+ LEVEL
+
+
+
+
+
+ mode
+
+
+
+ 1: Add a timestamp to the debug messages
+
+
+ 0: Disable timestamp in the debug messages
+
+
+ Default: 1
+
+
+
+
+
+ mode
+
+
+
+ 1: Add microseconds to the timestamp in debug messages
+
+
+ 0: Disable microseconds in timestamp
+
+
+ Default: 0
+
+
+
+
+
+ ,
+
+
+
+ Send the debug output to files instead of stderr. By default, the
+ log files are stored in /var/log/sssd and
+ there are separate log files for every SSSD service and domain.
+
+
+ This option is deprecated. It is replaced by
+ .
+
+
+
+
+
+ value
+
+
+
+ Location where SSSD will send log messages. This option
+ overrides the value of the deprecated option
+ . The deprecated
+ option will still work if the
+ is not used.
+
+
+ stderr: Redirect debug messages to
+ standard error output.
+
+
+ files: Redirect debug messages to
+ the log files. By default, the log files are stored in
+ /var/log/sssd and there are
+ separate log files for every SSSD service and domain.
+
+
+ journald: Redirect debug messages
+ to systemd-journald
+
+
+ Default: not set
+
+
+
+
+
+ ,
+
+
+
+ Become a daemon after starting up.
+
+
+
+
+
+ ,
+
+
+
+ Run in the foreground, don't become a daemon.
+
+
+
+
+
+ ,
+
+
+
+ Specify a non-default config file. The default is
+ /etc/sssd/sssd.conf.
For reference
+ on the config file syntax and options, consult the
+
+ sssd.conf
+ 5
+
+ manual page.
+
+
+
+
+
+
+
+
+
+
+ Print version number and exit.
+
+
+
+
+
+
+
+ Signals
+
+
+ SIGTERM/SIGINT
+
+
+ Informs the SSSD to gracefully terminate all of its
+ child processes and then shut down the monitor.
+
+
+
+
+ SIGHUP
+
+
+ Tells the SSSD to stop writing to its current debug
+ file descriptors and to close and reopen them. This is
+ meant to facilitate log rolling with programs like
+ logrotate.
+
+
+
+
+ SIGUSR1
+
+
+ Tells the SSSD to simulate offline operation for the
+ duration of the offline_timeout
+ parameter. This is useful for testing. The signal
+ can be sent to either the sssd process or any sssd_be
+ process directly.
+
+
+
+
+ SIGUSR2
+
+
+ Tells the SSSD to go online immediately. This is
+ useful for testing. The signal can be sent to either
+ the sssd process or any sssd_be process directly.
+
+
+
+
+
+
+
+ NOTES
+
+ If the environment variable SSS_NSS_USE_MEMCACHE is set to "NO",
+ client applications will not use the fast in memory cache.
+
+
+
+
+
+
+
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
new file mode 100644
index 0000000..ed3c100
--- /dev/null
+++ b/src/man/sssd.conf.5.xml
@@ -0,0 +1,3277 @@
+
+
+
+SSSD Manual pages
+
+
+
+
+ sssd.conf
+ 5
+ File Formats and Conventions
+
+
+
+ sssd.conf
+ the configuration file for SSSD
+
+
+
+ FILE FORMAT
+
+
+ The file has an ini-style syntax and consists of sections and
+ parameters. A section begins with the name of the section in
+ square brackets and continues until the next section begins. An
+ example of section with single and multi-valued parameters:
+
+[section]
+key = value
+key2 = value2,value3
+
+
+
+
+ The data types used are string (no quotes needed), integer
+ and bool (with values of TRUE/FALSE).
+
+
+
+ A comment line starts with a hash sign (#) or a
+ semicolon (;).
+ Inline comments are not supported.
+
+
+
+ All sections can have an optional
+ description parameter. Its function
+ is only as a label for the section.
+
+
+
+ sssd.conf must be a regular file, owned by
+ root and only root may read from or write to the file.
+
+
+
+
+ CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY
+
+
+ The configuration file sssd.conf will
+ include configuration snippets using the include directory
+ conf.d. This feature is available if
+ SSSD was compiled with libini version 1.3.0 or later.
+
+
+
+ Any file placed in conf.d
+ that ends in .conf
+ and does not begin with a dot (.) will
+ be used together with sssd.conf
+ to configure SSSD.
+
+
+
+ The configuration snippets from conf.d
+ have higher priority than sssd.conf
+ and will override sssd.conf when
+ conflicts occur. If several snippets are present in
+ conf.d, then they are included in
+ alphabetical order (based on locale).
+ Files included later have higher priority. Numerical
+ prefixes (01_snippet.conf,
+ 02_snippet.conf etc.) can help
+ visualize the priority (higher number means higher
+ priority).
+
+
+
+ The snippet files require the same owner and permissions
+ as sssd.conf. Which are by default
+ root:root and 0600.
+
+
+
+
+ GENERAL OPTIONS
+
+ Following options are usable in more than one configuration
+ sections.
+
+
+ Options usable in all sections
+
+
+
+ debug_level (integer)
+
+
+
+ debug (integer)
+
+
+ SSSD 1.14 and later also includes the
+ debug alias for
+ debug_level as a
+ convenience feature. If both are specified, the
+ value of debug_level
+ will be used.
+
+
+
+
+ debug_timestamps (bool)
+
+
+ Add a timestamp to the debug messages.
+ If journald is enabled for SSSD debug logging this
+ option is ignored.
+
+
+ Default: true
+
+
+
+
+ debug_microseconds (bool)
+
+
+ Add microseconds to the timestamp in debug messages.
+ If journald is enabled for SSSD debug logging this
+ option is ignored.
+
+
+ Default: false
+
+
+
+
+
+
+
+
+ Options usable in SERVICE and DOMAIN sections
+
+
+
+ timeout (integer)
+
+
+ Timeout in seconds between heartbeats for this
+ service. This is used to ensure that the process
+ is alive and capable of answering requests. Note
+ that after three missed heartbeats the process
+ will terminate itself.
+
+
+ Default: 10
+
+
+
+
+
+
+
+
+
+ SPECIAL SECTIONS
+
+
+ The [sssd] section
+
+ Individual pieces of SSSD functionality are provided by special
+ SSSD services that are started and stopped together with SSSD.
+ The services are managed by a special service frequently called
+ monitor. The [sssd] section is used
+ to configure the monitor as well as some other important options
+ like the identity domains.
+
+ Section parameters
+
+ config_file_version (integer)
+
+
+ Indicates what is the syntax of the config
+ file. SSSD 0.6.0 and later use version 2.
+
+
+
+
+ services
+
+
+ Comma separated list of services that are
+ started when sssd itself starts.
+
+ The services' list is optional on platforms
+ where systemd is supported, as they will either
+ be socket or D-Bus activated when needed.
+
+
+
+ Supported services: nss, pam
+ , sudo
+ , autofs
+ , ssh
+ , pac
+ , ifp
+
+
+
+ By default, all services are disabled and the administrator
+ must enable the ones allowed to be used by executing:
+ "systemctl enable sssd-@service@.socket".
+ + + + + + reconnection_retries (integer) + + + Number of times services should attempt to + reconnect in the event of a Data Provider + crash or restart before they give up + + + Default: 3 + + + + + domains + + + A domain is a database containing user + information. SSSD can use more domains + at the same time, but at least one + must be configured or SSSD won't start. + This parameter describes the list of domains + in the order you want them to be queried. + A domain name should only consist of alphanumeric + ASCII characters, dashes, dots and underscores. + + + + + re_expression (string) + + + Default regular expression that describes how to + parse the string containing user name and domain + into these components. + + + Each domain can have an individual regular + expression configured. For some ID providers + there are also default regular expressions. See + DOMAIN SECTIONS for more info on these regular + expressions. + + + + + full_name_format (string) + + + A + printf + 3 + -compatible format that describes how to + compose a fully qualified name from user name + and domain name components. + + + The following expansions are supported: + + + %1$s + user name + + + %2$s + + + domain name as specified in the + SSSD config file. + + + + + %3$s + + + domain flat name. Mostly usable + for Active Directory domains, both + directly configured or discovered + via IPA trusts. + + + + + + + Each domain can have an individual format string configured. + see DOMAIN SECTIONS for more info on this option. + + + + + try_inotify (boolean) + + + SSSD monitors the state of resolv.conf to + identify when it needs to update its internal + DNS resolver. By default, we will attempt to + use inotify for this, and will fall back to + polling resolv.conf every five seconds if + inotify cannot be used. + + + There are some limited situations where it is + preferred that we should skip even trying to + use inotify. 
In these rare cases, this option + should be set to 'false' + + + Default: true on platforms where inotify is + supported. False on other platforms. + + + Note: this option will have no effect on + platforms where inotify is unavailable. On + these platforms, polling will always be used. + + + + + krb5_rcache_dir (string) + + + Directory on the filesystem where SSSD should + store Kerberos replay cache files. + + + This option accepts a special value + __LIBKRB5_DEFAULTS__ that will instruct SSSD + to let libkrb5 decide the appropriate + location for the replay cache. + + + Default: Distribution-specific and specified + at build-time. (__LIBKRB5_DEFAULTS__ if not + configured) + + + + + user (string) + + + The user to drop the privileges to where + appropriate to avoid running as the + root user. + + This option does not work when running socket-activated + services, as the user set up to run the processes is + set up during compilation time. + + The way to override the systemd unit files is by creating + the appropriate files in /etc/systemd/system/. + + Keep in mind that any change in the socket user, group or + permissions may result in a non-usable SSSD. The same may + occur in case of changes of the user running the NSS + responder. + + + + Default: not set, process will run as root + + + + + default_domain_suffix (string) + + + This string will be used as a default domain + name for all names without a domain name + component. The main use case is environments + where the primary domain is intended for managing host + policies and all users are located in a trusted domain. + The option allows those users + to log in just with their user name without + giving a domain name as well. + + + Please note that if this option is set all + users from the primary domain have to use their + fully qualified name, e.g. user@domain.name, + to log in. Setting this option changes default + of use_fully_qualified_names to True. 
It is not + allowed to use this option together with + use_fully_qualified_names set to False. + + + Default: not set + + + + + override_space (string) + + + This parameter will replace spaces (space bar) + with the given character for user and group names. + e.g. (_). User name "john doe" will + be "john_doe" This feature was added to + help compatibility with shell scripts that have + difficulty handling spaces, due to the + default field separator in the shell. + + + Please note it is a configuration error to use + a replacement character that might be used in + user or group names. If a name contains the + replacement character SSSD tries to return the + unmodified name but in general the result of a + lookup is undefined. + + + Default: not set (spaces will not be replaced) + + + + + certificate_verification (string) + + + With this parameter the certificate verification + can be tuned with a comma separated list of + options. Supported options are: + + + no_ocsp + + Disables Online Certificate Status + Protocol (OCSP) checks. This might be + needed if the OCSP servers defined in + the certificate are not reachable from + the client. + + + + no_verification + + Disables verification completely. + This option should only be used for + testing. + + + + ocsp_default_responder=URL + + Sets the OCSP default responder + which should be used instead of the one + mentioned in the certificate. URL must + be replaced with the URL of the OCSP + default responder e.g. + http://example.com:80/ocsp. + This option must be used together + with + ocsp_default_responder_signing_cert. + + + + + + ocsp_default_responder_signing_cert=NAME + + The nickname of the cert to trust + (expected) to sign the OCSP responses. + The certificate with the given nickname + must be available in the systems NSS + database. + This option must be used together + with ocsp_default_responder. + + + + + + Unknown options are reported but ignored. + + + Default: not set, i.e. 
do not restrict + certificate verification + + + + + disable_netlink (boolean) + + + SSSD hooks into the netlink interface to + monitor changes to routes, addresses, links + and trigger certain actions. + + + The SSSD state changes caused by netlink + events may be undesirable and can be disabled + by setting this option to 'true' + + + Default: false (netlink changes are detected) + + + + + enable_files_domain (boolean) + + + When this option is enabled, SSSD + prepends an implicit domain with + id_provider=files before + any explicitly configured domains. + + + Default: false + + + Default: true + + + + + domain_resolution_order + + + Comma separated list of domains and subdomains + representing the lookup order that will be + followed. + The list doesn't have to include all possible + domains as the missing domains will be looked + up based on the order they're presented in the + domains configuration option. + The subdomains which are not listed as part of + lookup_order will be looked up + in a random order for each parent domain. + + + Please, note that when this option is set the + output format of all commands is always + fully-qualified even when using short names + for input, for all users but the ones managed + by the files provider. + In case the administrator wants the output not + fully-qualified, the full_name_format option + can be used as shown below: + full_name_format=%1$s + However, keep in mind that during login, login + applications often canonicalize the username by + calling + + getpwnam + 3 + + which, if a shortname is returned for a + qualified input (while trying to reach a user + which exists in multiple domains) might + re-route the login attempt into the domain + which uses shortnames, making this workaround + totally not recommended in cases where + usernames may overlap between domains. 
+ + + Default: Not set + + + + + + + + + + + SERVICES SECTIONS + + Settings that can be used to configure different services + are described in this section. They should reside in the + [$NAME] section, for example, + for NSS service, the section would be [nss] + + + + General service configuration options + + These options can be used to configure any service. + + + + reconnection_retries (integer) + + + Number of times services should attempt to + reconnect in the event of a Data Provider + crash or restart before they give up + + + Default: 3 + + + + + fd_limit + + + This option specifies the maximum number of file + descriptors that may be opened at one time by this + SSSD process. On systems where SSSD is granted the + CAP_SYS_RESOURCE capability, this will be an + absolute setting. On systems without this + capability, the resulting value will be the lower + value of this or the limits.conf "hard" limit. + + + Default: 8192 (or limits.conf "hard" limit) + + + + + client_idle_timeout + + + This option specifies the number of seconds that + a client of an SSSD process can hold onto a file + descriptor without communicating on it. This value + is limited in order to avoid resource exhaustion + on the system. The timeout can't be shorter than + 10 seconds. If a lower value is configured, it + will be adjusted to 10 seconds. + + + Default: 60 + + + + + offline_timeout (integer) + + + When SSSD switches to offline mode the amount of + time before it tries to go back online will + increase based upon the time spent disconnected. + This value is in seconds and calculated by the + following: + + + offline_timeout + random_offset + + + The random offset can increment up to 30 seconds. + After each unsuccessful attempt to go online, + the new interval is recalculated by the following: + + + new_interval = old_interval*2 + random_offset + + + Note that the maximum length of each interval + is currently limited to one hour. 
If the + calculated length of new_interval is greater + than an hour, it will be forced to one hour. + + + Default: 60 + + + + + responder_idle_timeout + + + This option specifies the number of seconds that + an SSSD responder process can be up without being + used. This value is limited in order to avoid + resource exhaustion on the system. + The minimum acceptable value for this option is 60 + seconds. + Setting this option to 0 (zero) means that no + timeout will be set up to the responder. + + This option only has effect when SSSD is built with + systemd support and when services are either socket + or D-Bus activated. + + + Default: 300 + + + + + cache_first + + + This option specifies whether the responder should + query all caches before querying the Data Providers. + + + Default: false + + + + + + + + NSS configuration options + + These options can be used to configure the + Name Service Switch (NSS) service. + + + + enum_cache_timeout (integer) + + + How many seconds should nss_sss cache enumerations + (requests for info about all users) + + + Default: 120 + + + + + entry_cache_nowait_percentage (integer) + + + The entry cache can be set to automatically update + entries in the background if they are requested + beyond a percentage of the entry_cache_timeout + value for the domain. + + + For example, if the domain's entry_cache_timeout + is set to 30s and entry_cache_nowait_percentage is + set to 50 (percent), entries that come in after 15 + seconds past the last cache update will be + returned immediately, but the SSSD will go and + update the cache on its own, so that future + requests will not need to block waiting for a + cache update. + + + Valid values for this option are 0-99 and + represent a percentage of the entry_cache_timeout + for each domain. For performance reasons, this + percentage will never reduce the nowait timeout to + less than 10 seconds. 
+ (0 disables this feature) + + + Default: 50 + + + + + entry_negative_timeout (integer) + + + Specifies for how many seconds nss_sss should cache + negative cache hits (that is, queries for + invalid database entries, like nonexistent ones) + before asking the back end again. + + + Default: 15 + + + + + local_negative_timeout (integer) + + + Specifies for how many seconds nss_sss should keep + local users and groups in negative cache before + trying to look it up in the back end again. Setting + the option to 0 disables this feature. + + + Default: 14400 (4 hours) + + + + + filter_users, filter_groups (string) + + + Exclude certain users or groups from being fetched + from the sss NSS database. This is particularly + useful for system accounts. This option can also + be set per-domain or include fully-qualified names + to filter only users from the particular domain. + + + NOTE: The filter_groups option doesn't affect + inheritance of nested group members, since + filtering happens after they are propagated for + returning via NSS. E.g. a group having a member + group filtered out will still have the member + users of the latter listed. + + + Default: root + + + + + filter_users_in_groups (bool) + + + If you want filtered user still be group members + set this option to false. + + + Default: true + + + + + + + fallback_homedir (string) + + + Set a default template for a user's home directory + if one is not specified explicitly by the domain's + data provider. + + + The available values for this option are the same + as for override_homedir. + + + example: + +fallback_homedir = /home/%u + + + + Default: not set (no substitution for unset home + directories) + + + + + override_shell (string) + + + Override the login shell for all users. This + option supersedes any other shell options if + it takes effect and can be set either in the + [nss] section or per-domain. 
+ + + Default: not set (SSSD will use the value + retrieved from LDAP) + + + + + allowed_shells (string) + + + Restrict user shell to one of the listed values. The order of evaluation is: + + + 1. If the shell is present in + /etc/shells, it is used. + + + 2. If the shell is in the allowed_shells list but + not in /etc/shells, use the + value of the shell_fallback parameter. + + + 3. If the shell is not in the allowed_shells list and + not in /etc/shells, a nologin shell + is used. + + + The wildcard (*) can be used to allow any shell. + + + The (*) is useful if you want to use + shell_fallback in case that user's shell is not + in /etc/shells and maintaining list + of all allowed shells in allowed_shells would be + to much overhead. + + + An empty string for shell is passed as-is to libc. + + + The /etc/shells is only read on SSSD start up, which means that + a restart of the SSSD is required in case a new shell is installed. + + + Default: Not set. The user shell is automatically used. + + + + + vetoed_shells (string) + + + Replace any instance of these shells with the shell_fallback + + + + + shell_fallback (string) + + + The default shell to use if an allowed shell is not + installed on the machine. + + + Default: /bin/sh + + + + + default_shell + + + The default shell to use if the provider does + not return one during lookup. This option can + be specified globally in the [nss] section + or per-domain. + + + Default: not set (Return NULL if no shell is + specified and rely on libc to substitute something + sensible when necessary, usually /bin/sh) + + + + + get_domains_timeout (int) + + + Specifies time in seconds for which the list of + subdomains will be considered valid. + + + Default: 60 + + + + + memcache_timeout (int) + + + Specifies time in seconds for which records + in the in-memory cache will be valid. Setting this + option to zero will disable the in-memory cache. 
+ + + Default: 300 + + + WARNING: Disabling the in-memory cache will + have significant negative impact on SSSD's + performance and should only be used for + testing. + + + NOTE: If the environment variable + SSS_NSS_USE_MEMCACHE is set to "NO", client + applications will not use the fast in-memory + cache. + + + + + user_attributes (string) + + + Some of the additional NSS responder requests can + return more attributes than just the POSIX ones + defined by the NSS interface. The list of attributes + is controlled by this option. It is handled the same + way as the user_attributes option of + the InfoPipe responder (see + + sssd-ifp + 5 + + for details) but with no default values. + + + To make configuration more easy the NSS responder + will check the InfoPipe option if it is not set for + the NSS responder. + + + Default: not set, fallback to InfoPipe option + + + + + pwfield (string) + + + The value that NSS operations that return + users or groups will return for the + password field. + + + This option can also be set per-domain. + + + Default: * (remote domains) + or x (the files domain) + + + + + + + PAM configuration options + + These options can be used to configure the + Pluggable Authentication Module (PAM) service. + + + + offline_credentials_expiration (integer) + + + If the authentication provider is offline, how + long should we allow cached logins (in days since + the last successful online login). + + + Default: 0 (No limit) + + + + + + offline_failed_login_attempts (integer) + + + If the authentication provider is offline, how + many failed login attempts are allowed. + + + Default: 0 (No limit) + + + + + + offline_failed_login_delay (integer) + + + The time in minutes which has to pass after + offline_failed_login_attempts has been reached + before a new login attempt is possible. + + + If set to 0 the user cannot authenticate offline if + offline_failed_login_attempts has been reached. 
Only + a successful online authentication can enable + offline authentication again. + + + Default: 5 + + + + + + pam_verbosity (integer) + + + Controls what kind of messages are shown to the user + during authentication. The higher the number to more + messages are displayed. + + + Currently sssd supports the following values: + + + 0: do not show any message + + + 1: show only important + messages + + + 2: show informational messages + + + 3: show all messages and debug + information + + + Default: 1 + + + + + + pam_response_filter (integer) + + + A comma separated list of strings which allows to + remove (filter) data sent by the PAM responder to + pam_sss PAM module. There are different kind of + responses sent to pam_sss e.g. messages displayed to + the user or environment variables which should be + set by pam_sss. + + + While messages already can be controlled with the + help of the pam_verbosity option this option allows + to filter out other kind of responses as well. + + + Currently the following filters are supported: + + ENV + Do not send any environment + variables to any service. + + ENV:var_name + Do not send environment + variable var_name to any + service. + + ENV:var_name:service + Do not send environment + variable var_name to + service. + + + + + Default: not set + + + Example: ENV:KRB5CCNAME:sudo-i + + + + + + pam_id_timeout (integer) + + + For any PAM request while SSSD is online, the SSSD will + attempt to immediately update the cached identity + information for the user in order to ensure that + authentication takes place with the latest information. + + + A complete PAM conversation may perform multiple PAM + requests, such as account management and session + opening. This option controls (on a + per-client-application basis) how long (in seconds) we + can cache the identity information to avoid excessive + round-trips to the identity provider. 
+ + + Default: 5 + + + + + + pam_pwd_expiration_warning (integer) + + + Display a warning N days before the password expires. + + + Please note that the backend server has to provide + information about the expiration time of the password. + If this information is missing, sssd cannot display a + warning. + + + If zero is set, then this filter is not applied, + i.e. if the expiration warning was received from + backend server, it will automatically be displayed. + + + This setting can be overridden by setting + pwd_expiration_warning + for a particular domain. + + + Default: 0 + + + + + get_domains_timeout (int) + + + Specifies time in seconds for which the list of + subdomains will be considered valid. + + + Default: 60 + + + + + pam_trusted_users (string) + + + Specifies the comma-separated list of UID + values or user names that are allowed to run + PAM conversations against trusted domains. + Users not included in this list can only access + domains marked as public with + pam_public_domains. + User names are resolved to UIDs at + startup. + + + Default: All users are considered trusted + by default + + + Please note that UID 0 is always allowed to access + the PAM responder even in case it is not in the + pam_trusted_users list. + + + + + pam_public_domains (string) + + + Specifies the comma-separated list of domain names + that are accessible even to untrusted users. + + + Two special values for pam_public_domains option + are defined: + + + all (Untrusted users are allowed to access + all domains in PAM responder.) + + + none (Untrusted users are not allowed to access + any domains PAM in responder.) + + + Default: none + + + + + pam_account_expired_message (string) + + + Allows a custom expiration message to be set, + replacing the default 'Permission denied' + message. + + + Note: Please be aware that message is only + printed for the SSH service unless pam_verbosity + is set to 3 (show all messages and debug + information). 
+ + + example: + +pam_account_expired_message = Account expired, please contact help desk. + + + + Default: none + + + + + pam_account_locked_message (string) + + + Allows a custom lockout message to be set, + replacing the default 'Permission denied' + message. + + + example: + +pam_account_locked_message = Account locked, please contact help desk. + + + + Default: none + + + + + pam_cert_auth (bool) + + + Enable certificate based Smartcard authentication. + Since this requires additional communication with + the Smartcard which will delay the authentication + process this option is disabled by default. + + + Default: False + + + + + pam_cert_db_path (string) + + + The path to the certificate database which contain + the PKCS#11 modules to access the Smartcard. + + + Default: + + /etc/pki/nssdb (NSS version, + path to a NSS + database) + /etc/sssd/pki/sssd_auth_ca_db.pem + (OpenSSL version, path to a file + with trusted CA certificates in + PEM format) + + + + This man page was generated for the NSS version. + + + This man page was generated for the OpenSSL version. + + + + + p11_child_timeout (integer) + + + How many seconds will pam_sss wait for + p11_child to finish. + + + Default: 10 + + + + + pam_app_services (string) + + + Which PAM services are permitted to contact + domains of type application + + + Default: Not set + + + + + + + + + SUDO configuration options + + These options can be used to configure the sudo service. + The detailed instructions for configuration of + + sudo + 8 + to work with + + sssd + 8 + are in the manual page + + sssd-sudo + 5 + . + + + + sudo_timed (bool) + + + Whether or not to evaluate the sudoNotBefore + and sudoNotAfter attributes that implement + time-dependent sudoers entries. + + + Default: false + + + + + + + sudo_threshold (integer) + + + Maximum number of expired rules that can be + refreshed at once. If number of expired rules + is below threshold, those rules are refreshed + with rules refresh mechanism. 
If + the threshold is exceeded a + full refresh of sudo rules is + triggered instead. This threshold number also + applies to IPA sudo command and command group + searches. + + + Default: 50 + + + + + + + + AUTOFS configuration options + + These options can be used to configure the autofs service. + + + + autofs_negative_timeout (integer) + + + Specifies for how many seconds should the + autofs responder negative cache hits + (that is, queries for invalid map entries, + like nonexistent ones) before asking the back + end again. + + + Default: 15 + + + + + + + + + SSH configuration options + + These options can be used to configure the SSH service. + + + + ssh_hash_known_hosts (bool) + + + Whether or not to hash host names and addresses in + the managed known_hosts file. + + + Default: true + + + + + ssh_known_hosts_timeout (integer) + + + How many seconds to keep a host in the managed + known_hosts file after its host keys were requested. + + + Default: 180 + + + + + ssh_use_certificate_keys (bool) + + + If set to true the + sss_ssh_authorizedkeys will + return ssh keys derived from the public key of X.509 + certificates stored in the user entry as well. See + + sss_ssh_authorizedkeys + 1 + for details. + + + Default: true + + + + + ca_db (string) + + + Path to a storage of trusted CA certificates. The + option is used to validate user certificates before + deriving public ssh keys from them. + + + Default: + + /etc/pki/nssdb (NSS version, + path to a NSS + database) + /etc/sssd/pki/sssd_auth_ca_db.pem + (OpenSSL version, path to a file + with trusted CA certificates in + PEM format) + + + + This man page was generated for the NSS version. + + + This man page was generated for the OpenSSL version. + + + + + + + + PAC responder configuration options + + The PAC responder works together with the authorization data + plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain + provider. 
The plugin sends the PAC data during a GSSAPI + authentication to the PAC responder. The sub-domain provider + collects domain SID and ID ranges of the domain the client is + joined to and of remote trusted domains from the local domain + controller. If the PAC is decoded and evaluated some of the + following operations are done: + + If the remote user does not exist in the + cache, it is created. The UID is determined with the help + of the SID, trusted domains will have UPGs and the GID + will have the same value as the UID. The home directory is + set based on the subdomain_homedir parameter. The shell will + be empty by default, i.e. the system defaults are used, but + can be overwritten with the default_shell parameter. + + If there are SIDs of groups from domains + sssd knows about, the user will be added to those groups. + + + + + These options can be used to configure the PAC responder. + + + + allowed_uids (string) + + + Specifies the comma-separated list of UID values or + user names that are allowed to access the PAC + responder. User names are resolved to UIDs at + startup. + + + Default: 0 (only the root user is allowed to access + the PAC responder) + + + Please note that although the UID 0 is used as the + default it will be overwritten with this option. If + you still want to allow the root user to access the + PAC responder, which would be the typical case, you + have to add 0 to the list of allowed UIDs as well. + + + + + pac_lifetime (integer) + + + Lifetime of the PAC entry in seconds. As long as the + PAC is valid the PAC data can be used to determine + the group memberships of a user. + + + Default: 300 + + + + + + + + Session recording configuration options + + Session recording works in conjunction with + + tlog-rec-session + 8 + , a part of tlog package, to log what users see + and type when they log in on a text terminal. + See also + + sssd-session-recording + 5 + . + + + These options can be used to configure session recording. 
+ + + + scope (string) + + + One of the following strings specifying the scope + of session recording: + + + "none" + + + No users are recorded. + + + + + "some" + + + Users/groups specified by + users + and + groups + options are recorded. + + + + + "all" + + + All users are recorded. + + + + + + + Default: "none" + + + + + users (string) + + + A comma-separated list of users which should have + session recording enabled. Matches user names as + returned by NSS. I.e. after the possible space + replacement, case changes, etc. + + + Default: Empty. Matches no users. + + + + + groups (string) + + + A comma-separated list of groups, members of which + should have session recording enabled. Matches + group names as returned by NSS. I.e. after the + possible space replacement, case changes, etc. + + + NOTE: using this option (having it set to + anything) has a considerable performance cost, + because each uncached request for a user requires + retrieving and matching the groups the user is + member of. + + + Default: Empty. Matches no groups. + + + + + + + + + + DOMAIN SECTIONS + + These configuration options can be present in a domain + configuration section, that is, in a section called + [domain/NAME] + + + domain_type (string) + + + Specifies whether the domain is meant to be used + by POSIX-aware clients such as the Name Service Switch + or by applications that do not need POSIX data to be + present or generated. Only objects from POSIX domains + are available to the operating system interfaces and + utilities. + + + Allowed values for this option are posix + and application. + + + POSIX domains are reachable by all services. Application + domains are only reachable from the InfoPipe responder (see + + sssd-ifp + 5 + ) and the PAM responder. + + + NOTE: The application domains are currently well tested with + id_provider=ldap only. + + + For an easy way to configure a non-POSIX domains, please + see the Application domains section. 
+ + + Default: posix + + + + + + min_id,max_id (integer) + + + UID and GID limits for the domain. If a domain + contains an entry that is outside these limits, it + is ignored. + + + For users, this affects the primary GID limit. The + user will not be returned to NSS if either the + UID or the primary GID is outside the range. For + non-primary group memberships, those that are in + range will be reported as expected. + + + These ID limits affect even saving entries to + cache, not only returning them by name or ID. + + + Default: 1 for min_id, 0 (no limit) for max_id + + + + + + enumerate (bool) + + + Determines if a domain can be enumerated, + that is, whether the domain can list all the + users and group it contains. Note that it is + not required to enable enumeration in order + for secondary groups to be displayed. This + parameter can have one of the following values: + + + TRUE = Users and groups are enumerated + + + FALSE = No enumerations for this domain + + + Default: FALSE + + + Enumerating a domain requires SSSD to download + and store ALL user and group entries from the + remote server. + + + Note: Enabling enumeration has a moderate + performance impact on SSSD while enumeration + is running. It may take up to several minutes + after SSSD startup to fully complete enumerations. + During this time, individual requests for + information will go directly to LDAP, though it + may be slow, due to the heavy enumeration + processing. Saving a large number of entries + to cache after the enumeration completes might + also be CPU intensive as the memberships have + to be recomputed. This can lead to the + sssd_be process becoming unresponsive + or even restarted by the internal watchdog. + + + While the first enumeration is running, requests + for the complete user or group lists may return + no results until it completes. 
+ + + Further, enabling enumeration may increase the time + necessary to detect network disconnection, as + longer timeouts are required to ensure that + enumeration lookups are completed successfully. + For more information, refer to the man pages for + the specific id_provider in use. + + + For the reasons cited above, enabling enumeration + is not recommended, especially in large + environments. + + + + + + subdomain_enumerate (string) + + + Whether any of autodetected trusted domains should + be enumerated. The supported values are: + + + all + All discovered trusted domains will be enumerated + + + none + No discovered trusted domains will be enumerated + + + Optionally, a list of one or more domain + names can enable enumeration just for these + trusted domains. + + + Default: none + + + + + + entry_cache_timeout (integer) + + + How many seconds should nss_sss consider + entries valid before asking the backend again + + + The cache expiration timestamps are stored + as attributes of individual objects in the + cache. Therefore, changing the cache timeout only + has effect for newly added or expired entries. + You should run the + + sss_cache + 8 + + tool in order to force refresh of entries that + have already been cached. 
+ + + Default: 5400 + + + + + + entry_cache_user_timeout (integer) + + + How many seconds should nss_sss consider + user entries valid before asking the backend again + + + Default: entry_cache_timeout + + + + + + entry_cache_group_timeout (integer) + + + How many seconds should nss_sss consider + group entries valid before asking the backend again + + + Default: entry_cache_timeout + + + + + + entry_cache_netgroup_timeout (integer) + + + How many seconds should nss_sss consider + netgroup entries valid before asking the backend again + + + Default: entry_cache_timeout + + + + + + entry_cache_service_timeout (integer) + + + How many seconds should nss_sss consider + service entries valid before asking the backend again + + + Default: entry_cache_timeout + + + + + + entry_cache_sudo_timeout (integer) + + + How many seconds should sudo consider + rules valid before asking the backend again + + + Default: entry_cache_timeout + + + + + + entry_cache_autofs_timeout (integer) + + + How many seconds should the autofs service + consider automounter maps valid before asking + the backend again + + + Default: entry_cache_timeout + + + + + + entry_cache_ssh_host_timeout (integer) + + + How many seconds to keep a host ssh key after + refresh. IE how long to cache the host key + for. + + + Default: entry_cache_timeout + + + + + + refresh_expired_interval (integer) + + + Specifies how many seconds SSSD has to wait before + triggering a background refresh task which will + refresh all expired or nearly expired records. + + + The background refresh will process users, + groups and netgroups in the cache. + + + You can consider setting this value to + 3/4 * entry_cache_timeout. 
+ + + Default: 0 (disabled) + + + + + + cache_credentials (bool) + + + Determines if user credentials are also cached + in the local LDB cache + + + User credentials are stored in a SHA512 hash, not + in plaintext + + + Default: FALSE + + + + + + cache_credentials_minimal_first_factor_length (int) + + + If 2-Factor-Authentication (2FA) is used and + credentials should be saved this value determines + the minimal length the first authentication factor + (long term password) must have to be saved as SHA512 + hash into the cache. + + + This should avoid that the short PINs of a PIN based + 2FA scheme are saved in the cache which would make + them easy targets for brute-force attacks. + + + Default: 8 + + + + + + account_cache_expiration (integer) + + + Number of days entries are left in cache after + last successful login before being removed during + a cleanup of the cache. 0 means keep forever. + The value of this parameter must be greater than or + equal to offline_credentials_expiration. + + + Default: 0 (unlimited) + + + + + pwd_expiration_warning (integer) + + + Display a warning N days before the password expires. + + + If zero is set, then this filter is not applied, + i.e. if the expiration warning was received from + backend server, it will automatically be displayed. + + + Please note that the backend server has to provide + information about the expiration time of the password. + If this information is missing, sssd cannot display a + warning. Also an auth provider has to be configured for + the backend. + + + Default: 7 (Kerberos), 0 (LDAP) + + + + + + id_provider (string) + + + The identification provider used for the domain. + Supported ID providers are: + + + proxy: Support a legacy NSS provider. + + + local: SSSD internal provider for + local users (DEPRECATED). + + + files: FILES provider. See + + sssd-files + 5 + for more information on + how to mirror local users and groups into SSSD. + + + ldap: LDAP provider. 
See + + sssd-ldap + 5 + for more information on + configuring LDAP. + + + ipa: FreeIPA and Red Hat Enterprise + Identity Management provider. See + + sssd-ipa + 5 + for more information on + configuring FreeIPA. + + + ad: Active Directory provider. See + + sssd-ad + 5 + for more information on + configuring Active Directory. + + + + + + use_fully_qualified_names (bool) + + + Use the full name and domain (as formatted by + the domain's full_name_format) as the user's login + name reported to NSS. + + + If set to TRUE, all requests to this domain + must use fully qualified names. For example, + if used in LOCAL domain that contains a "test" + user, getent passwd test + wouldn't find the user while getent + passwd test@LOCAL would. + + + NOTE: This option has no effect on netgroup + lookups due to their tendency to include nested + netgroups without qualified names. For netgroups, + all domains will be searched when an unqualified + name is requested. + + + Default: FALSE (TRUE if default_domain_suffix is + used) + + + + + ignore_group_members (bool) + + + Do not return group members for group lookups. + + + If set to TRUE, the group membership attribute + is not requested from the ldap server, and + group members are not returned when processing + group lookup calls, such as + + getgrnam + 3 + + or + + getgrgid + 3 + . + As an effect, getent group + $groupname would return the requested + group as if it was empty. + + + Enabling this option can also make access + provider checks for group membership + significantly faster, especially for groups + containing many members. + + + Default: FALSE + + + + + auth_provider (string) + + + The authentication provider used for the domain. + Supported auth providers are: + + + ldap for native LDAP authentication. See + + sssd-ldap + 5 + for more information on configuring LDAP. + + + krb5 for Kerberos authentication. See + + sssd-krb5 + 5 + for more information on configuring Kerberos. 
+ + + ipa: FreeIPA and Red Hat Enterprise + Identity Management provider. See + + sssd-ipa + 5 + for more information on + configuring FreeIPA. + + + ad: Active Directory provider. See + + sssd-ad + 5 + for more information on + configuring Active Directory. + + + proxy for relaying authentication to some other PAM target. + + + local: SSSD internal provider for + local users + + + none disables authentication explicitly. + + + Default: id_provider is used if it + is set and can handle authentication requests. + + + + + access_provider (string) + + + The access control provider used for the domain. + There are two built-in access providers (in + addition to any included in installed backends) + Internal special providers are: + + + permit always allow access. It's the only permitted access provider for a local domain. + + + deny always deny access. + + + ldap for native LDAP authentication. See + + sssd-ldap + 5 + for more information on configuring LDAP. + + + ipa: FreeIPA and Red Hat Enterprise + Identity Management provider. See + + sssd-ipa + 5 + for more information on + configuring FreeIPA. + + + ad: Active Directory provider. See + + sssd-ad + 5 + for more information on + configuring Active Directory. + + + simple access control based on access + or deny lists. See + sssd-simple + 5 for more + information on configuring the simple access module. + + + krb5: .k5login based access control. + See + sssd-krb5 + 5 for more + information on configuring Kerberos. + + + proxy for relaying access control to another PAM module. + + + Default: permit + + + + + chpass_provider (string) + + + The provider which should handle change password + operations for the domain. + Supported change password providers are: + + + ldap to change a password stored + in a LDAP server. See + + sssd-ldap + 5 + for more information on configuring LDAP. + + + krb5 to change the Kerberos + password. See + + sssd-krb5 + 5 + for more information on configuring Kerberos. 
+ + + ipa: FreeIPA and Red Hat Enterprise + Identity Management provider. See + + sssd-ipa + 5 + for more information on + configuring FreeIPA. + + + ad: Active Directory provider. See + + sssd-ad + 5 + for more information on + configuring Active Directory. + + + proxy for relaying password changes + to some other PAM target. + + + none disallows password changes explicitly. + + + Default: auth_provider is used if it + is set and can handle change password requests. + + + + + + sudo_provider (string) + + + The SUDO provider used for the domain. + Supported SUDO providers are: + + + ldap for rules stored in LDAP. See + + sssd-ldap + 5 + for more information on configuring + LDAP. + + + ipa the same as ldap + but with IPA default settings. + + + ad the same as ldap + but with AD default settings. + + + none disables SUDO explicitly. + + + Default: The value of id_provider is + used if it is set. + + + The detailed instructions for configuration of + sudo_provider are in the manual page + + sssd-sudo + 5 + . + There are many configuration options that can be + used to adjust the behavior. Please refer to + "ldap_sudo_*" in + + sssd-ldap + 5 + . + + + NOTE: Sudo rules are + periodically downloaded in the background unless + the sudo provider is explicitly disabled. Set + sudo_provider = None to + disable all sudo-related activity in SSSD if you do + not want to use sudo with SSSD at all. + + + + + selinux_provider (string) + + + The provider which should handle loading of selinux + settings. Note that this provider will be called right + after access provider ends. + Supported selinux providers are: + + + ipa to load selinux settings + from an IPA server. See + + sssd-ipa + 5 + for more information on configuring IPA. + + + none disallows fetching selinux settings explicitly. + + + Default: id_provider is used if it + is set and can handle selinux loading requests. + + + + + subdomains_provider (string) + + + The provider which should handle fetching of + subdomains. 
This value should be always the same as + id_provider. + Supported subdomain providers are: + + + ipa to load a list of subdomains + from an IPA server. See + + sssd-ipa + 5 + for more information on configuring + IPA. + + + ad to load a list of subdomains + from an Active Directory server. See + + sssd-ad + 5 + for more information on configuring + the AD provider. + + + none disallows fetching subdomains + explicitly. + + + Default: The value of id_provider is + used if it is set. + + + + + session_provider (string) + + + The provider which configures and manages user session + related tasks. The only user session task currently + provided is the integration with Fleet Commander, which + works only with IPA. + Supported session providers are: + + + ipa to allow performing user session + related tasks. + + + none does not perform any kind of user + session related tasks. + + + Default: id_provider is used if it + is set and can perform session related tasks. + + + NOTE: In order to have this feature + working as expected SSSD must be running as "root" and + not as the unprivileged user. + + + + + + autofs_provider (string) + + + The autofs provider used for the domain. + Supported autofs providers are: + + + ldap to load maps stored in LDAP. See + + sssd-ldap + 5 + for more information on configuring LDAP. + + + ipa to load maps stored in an IPA + server. See + + sssd-ipa + 5 + for more information on configuring IPA. + + + ad to load maps stored in an AD + server. See + + sssd-ad + 5 + for more information on configuring + the AD provider. + + + none disables autofs explicitly. + + + Default: The value of id_provider is used if it + is set. + + + + + + hostid_provider (string) + + + The provider used for retrieving host identity information. + Supported hostid providers are: + + + ipa to load host identity stored in an IPA + server. See + + sssd-ipa + 5 + for more information on configuring IPA. + + + none disables hostid explicitly. 
+ + + Default: The value of id_provider is used if it + is set. + + + + + + re_expression (string) + + + Regular expression for this domain that describes + how to parse the string containing user name and + domain into these components. + The "domain" can match either the SSSD + configuration domain name, or, in the case + of IPA trust subdomains and Active Directory + domains, the flat (NetBIOS) name of the domain. + + + Default for the AD and IPA provider: + (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$)) + which allows three different styles for user names: + + + username + + + username@domain.name + + + domain\username + + + While the first two correspond to the general + default the third one is introduced to allow easy + integration of users from Windows domains. + + + Default: (?P<name>[^@]+)@?(?P<domain>[^@]*$) + which translates to "the name is everything up to + the @ sign, the domain everything + after that" + + + NOTE: Some Active Directory groups, typically + those used for MS Exchange contain an + @ sign in the name, which + clashes with the default re_expression value for + the AD and IPA providers. To support these groups, + consider changing the re_expression value to: + ((?P<name>.+)@(?P<domain>[^@]+$)). + + + + + full_name_format (string) + + + A + printf + 3 + -compatible format that describes how to + compose a fully qualified name from user name + and domain name components. + + + The following expansions are supported: + + + %1$s + user name + + + %2$s + + + domain name as specified in the + SSSD config file. + + + + + %3$s + + + domain flat name. Mostly usable + for Active Directory domains, both + directly configured or discovered + via IPA trusts. + + + + + + + Default: %1$s@%2$s. + + + + + + lookup_family_order (string) + + + Provides the ability to select preferred address family + to use when performing DNS lookups. 
+ + + Supported values: + + + ipv4_first: Try looking up IPv4 address, if that fails, try IPv6 + + + ipv4_only: Only attempt to resolve hostnames to IPv4 addresses. + + + ipv6_first: Try looking up IPv6 address, if that fails, try IPv4 + + + ipv6_only: Only attempt to resolve hostnames to IPv6 addresses. + + + Default: ipv4_first + + + + + + dns_resolver_timeout (integer) + + + Defines the amount of time (in seconds) to + wait for a reply from the internal fail over + service before assuming that the service is + unreachable. If this timeout is reached, the + domain will continue to operate in offline mode. + + + Please see the section FAILOVER + for more information about the service + resolution. + + + Default: 6 + + + + + + dns_discovery_domain (string) + + + If service discovery is used in the back end, specifies + the domain part of the service discovery DNS query. + + + Default: Use the domain part of machine's hostname + + + + + + override_gid (integer) + + + Override the primary GID value with the one specified. + + + + + + case_sensitive (string) + + + Treat user and group names as case sensitive. At + the moment, this option is not supported in + the local provider. Possible option values are: + + + True + + + Case sensitive. This value is invalid + for AD provider. + + + + + False + + Case insensitive. + + + + Preserving + + + Same as False (case insensitive), but + does not lowercase names in the result + of NSS operations. Note that name + aliases (and in case of services also + protocol names) are still lowercased in + the output. + + + + + + + Default: True (False for AD provider) + + + + + + subdomain_inherit (string) + + + Specifies a list of configuration parameters that + should be inherited by a subdomain. Please note + that only selected parameters can be inherited. 
+ Currently the following options can be inherited: + + + ignore_group_members + + + ldap_purge_cache_timeout + + + ldap_use_tokengroups + + + ldap_user_principal + + + ldap_krb5_keytab (the value of krb5_keytab will be + used if ldap_krb5_keytab is not set explicitly) + + + Example: + +subdomain_inherit = ldap_purge_cache_timeout + + + + Default: none + + + Note: This option only works with the IPA and + AD provider. + + + + + + subdomain_homedir (string) + + + Use this homedir as default value for all subdomains + within this domain in IPA AD trust. + See override_homedir + for info about possible values. In addition to those, the + expansion below can only be used with + subdomain_homedir. + + + %F + flat (NetBIOS) name of a subdomain. + + + + + The value can be overridden by + override_homedir option. + + + Default: /home/%d/%u + + + + + realmd_tags (string) + + + Various tags stored by the realmd configuration service + for this domain. + + + + + cached_auth_timeout (int) + + + Specifies time in seconds since last successful + online authentication for which user will be + authenticated using cached credentials while + SSSD is in the online mode. + + + Special value 0 implies that this feature is + disabled. + + + Please note that if cached_auth_timeout + is longer than pam_id_timeout then the + back end could be called to handle + initgroups. + + + Default: 0 + + + + + auto_private_groups (string) + + + If this option is enabled, SSSD will automatically + create user private groups based on user's + UID number. The GID number is ignored in this case. + + + For POSIX subdomains, setting the option in the main + domain is inherited in the subdomain. + + + For ID-mapping subdomains, auto_private_groups is + already enabled for the subdomains and setting it to + false will not have any effect for the subdomain. 
+ + + NOTE: Because the GID number and the user private group + are inferred from the UID number, it is not supported + to have multiple entries with the same UID or GID number + with this option. In other words, enabling this option + enforces uniqueness across the ID space. + + + Default: False + + + + + + + + Options valid for proxy domains. + + + + proxy_pam_target (string) + + + The proxy target PAM proxies to. + + + Default: not set by default, you have to take an + existing pam configuration or create a new one and + add the service name here. + + + + + + proxy_lib_name (string) + + + The name of the NSS library to use in proxy + domains. The NSS functions searched for in the + library are in the form of + _nss_$(libName)_$(function), for example + _nss_files_getpwent. + + + + + + proxy_fast_alias (boolean) + + + When a user or group is looked up by name in + the proxy provider, a second lookup by ID is + performed to "canonicalize" the name in case + the requested name was an alias. Setting this + option to true would cause the SSSD to perform + the ID lookup from cache for performance reasons. + + + Default: false + + + + + + proxy_max_children (integer) + + + This option specifies the number of pre-forked + proxy children. It is useful for high-load SSSD + environments where sssd may run out of available + child slots, which would cause some issues due to + the requests being queued. + + + Default: 10 + + + + + + + + + Application domains + + SSSD, with its D-Bus interface (see + + sssd-ifp + 5 + ) is appealing to applications + as a gateway to an LDAP directory where users and groups + are stored. However, contrary to the traditional SSSD + deployment where all users and groups either have POSIX + attributes or those attributes can be inferred from the + Windows SIDs, in many cases the users and groups in the + application support scenario have no POSIX attributes. 
+ Instead of setting a + [domain/NAME] + section, the administrator can set up an + [application/NAME] + section that internally represents a domain with type + application optionally inherits settings + from a tradition SSSD domain. + + + Please note that the application domain must still be + explicitly enabled in the domains parameter + so that the lookup order between the application domain + and its POSIX sibling domain is set correctly. + + + Application domain parameters + + inherit_from (string) + + + The SSSD POSIX-type domain the application + domain inherits all settings from. The + application domain can moreover add its own + settings to the application settings that augment + or override the sibling + domain settings. + + + Default: Not set + + + + + + The following example illustrates the use of an application + domain. In this setup, the POSIX domain is connected to an LDAP + server and is used by the OS through the NSS responder. In addition, + the application domain also requests the telephoneNumber attribute, + stores it as the phone attribute in the cache and makes the phone + attribute reachable through the D-Bus interface. + + +[sssd] +domains = appdom, posixdom + +[ifp] +user_attributes = +phone + +[domain/posixdom] +id_provider = ldap +ldap_uri = ldap://ldap.example.com +ldap_search_base = dc=example,dc=com + +[application/appdom] +inherit_from = posixdom +ldap_user_extra_attrs = phone:telephoneNumber + + + + + The local domain section + + This section contains settings for domain that stores users and + groups in SSSD native database, that is, a domain that uses + id_provider=local. + + + Section parameters + + default_shell (string) + + + The default shell for users created + with SSSD userspace tools. + + + Default: /bin/bash + + + + + base_directory (string) + + + The tools append the login name to + base_directory and + use that as the home directory. 
+ + + Default: /home + + + + + create_homedir (bool) + + + Indicate if a home directory should be created by default for new users. + Can be overridden on command line. + + + Default: TRUE + + + + + remove_homedir (bool) + + + Indicate if a home directory should be removed by default for deleted users. + Can be overridden on command line. + + + Default: TRUE + + + + + homedir_umask (integer) + + + Used by + + sss_useradd + 8 + to specify the default permissions on a newly created + home directory. + + + Default: 077 + + + + + skel_dir (string) + + + The skeleton directory, which contains files + and directories to be copied in the user's + home directory, when the home directory is + created by + + sss_useradd + 8 + + + + Default: /etc/skel + + + + + mail_dir (string) + + + The mail spool directory. This is needed to + manipulate the mailbox when its corresponding + user account is modified or deleted. + If not specified, a default + value is used. + + + Default: /var/mail + + + + + userdel_cmd (string) + + + The command that is run after a user is removed. + The command us passed the username of the user being + removed as the first and only parameter. The return + code of the command is not taken into account. + + + Default: None, no command is run + + + + + + + + + + TRUSTED DOMAIN SECTION + + Some options used in the domain section can also be used in the + trusted domain section, that is, in a section called + [domain/DOMAIN_NAME/TRUSTED_DOMAIN_NAME]. + Where DOMAIN_NAME is the actual joined-to base domain. Please refer + to examples below for explanation. + Currently supported options in the trusted domain section are: + + ldap_search_base, + ldap_user_search_base, + ldap_group_search_base, + ldap_netgroup_search_base, + ldap_service_search_base, + ad_server, + ad_backup_server, + ad_site, + use_fully_qualified_names + + For more details about these options see their individual description + in the manual page. + + + + + EXAMPLES + + 1. 
The following example shows a typical SSSD config. It does + not describe configuration of the domains themselves - refer to + documentation on configuring domains for more details. + +[sssd] +domains = LDAP +services = nss, pam +config_file_version = 2 + +[nss] +filter_groups = root +filter_users = root + +[pam] + +[domain/LDAP] +id_provider = ldap +ldap_uri = ldap://ldap.example.com +ldap_search_base = dc=example,dc=com + +auth_provider = krb5 +krb5_server = kerberos.example.com +krb5_realm = EXAMPLE.COM +cache_credentials = true + +min_id = 10000 +max_id = 20000 +enumerate = False + + + + 2. The following example shows configuration of IPA AD trust where + the AD forest consists of two domains in a parent-child structure. + Suppose IPA domain (ipa.com) has trust with AD domain(ad.com). + ad.com has child domain (child.ad.com). To enable shortnames in + the child domain the following configuration should be used. + +[domain/ipa.com/child.ad.com] +use_fully_qualified_names = false + + + + + + + + diff --git a/src/man/sssd_krb5_locator_plugin.8.xml b/src/man/sssd_krb5_locator_plugin.8.xml new file mode 100644 index 0000000..d285460 --- /dev/null +++ b/src/man/sssd_krb5_locator_plugin.8.xml 
@@ -0,0 +1,82 @@ + + + +SSSD Manual pages + + + + + sssd_krb5_locator_plugin + 8 + + + + sssd_krb5_locator_plugin + Kerberos locator plugin + + + + DESCRIPTION + + The Kerberos locator plugin + sssd_krb5_locator_plugin is used by the Kerberos + provider of + + sssd + 8 + + to tell the Kerberos libraries what Realm and which KDC to use. + Typically this is done in + + krb5.conf + 5 + + which is always read by the Kerberos libraries. To simplify the + configuration the Realm and the KDC can be defined in + + sssd.conf + 5 + + as described in + + sssd-krb5 + 5 + + + + + sssd + 8 + + puts the Realm and the name or IP address of the KDC into the + environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. + When sssd_krb5_locator_plugin is called by the + kerberos libraries it reads and evaluates these variables and returns + them to the libraries. + + + + + NOTES + + Not all Kerberos implementations support the use of plugins. If + sssd_krb5_locator_plugin is not available on + your system you have to edit /etc/krb5.conf to reflect your + Kerberos setup. + + + If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any + value debug messages will be sent to stderr. + + + If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any + value the plugin is disabled and will just return + KRB5_PLUGIN_NO_HANDLE to the caller. + + + + + + + diff --git a/src/man/sv/include/ad_modified_defaults.xml b/src/man/sv/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/sv/include/ad_modified_defaults.xml 
@@ -0,0 +1,77 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend provider
+defaults, these option names and AD provider-specific defaults are listed
+below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_enterprise_principal = true
+
+
+
+
+
+ LDAP Provider
+
+
+
+ ldap_schema = ad
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_id_mapping = true
+
+
+
+
+ ldap_sasl_mech = gssapi
+
+
+
+
+ ldap_referrals = false
+
+
+
+
+ ldap_account_expire_policy = ad
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+
+
+ The AD provider looks for a different principal than the LDAP provider by
+default, because in an Active Directory environment the principals are
+divided into two groups - User Principals and Service Principals. Only User
+Principal can be used to obtain a TGT and by default, computer object's
+principal is constructed from its sAMAccountName and the AD realm. The
+well-known host/hostname@REALM principal is a Service Principal and thus
+cannot be used to get a TGT with.
+
+
+
+
+
diff --git a/src/man/sv/include/autofs_restart.xml b/src/man/sv/include/autofs_restart.xml
new file mode 100644
index 0000000..f31efe5
--- /dev/null
+++ b/src/man/sv/include/autofs_restart.xml
@@ -0,0 +1,5 @@
+
+ Please note that the automounter only reads the master map on startup, so if
+any autofs-related changes are made to the sssd.conf, you typically also
+need to restart the automounter daemon after restarting the SSSD.
+
diff --git a/src/man/sv/include/debug_levels.xml b/src/man/sv/include/debug_levels.xml
new file mode 100644
index 0000000..5148252
--- /dev/null
+++ b/src/man/sv/include/debug_levels.xml
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/sv/include/debug_levels_tools.xml b/src/man/sv/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/sv/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/sv/include/experimental.xml b/src/man/sv/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/sv/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/sv/include/failover.xml b/src/man/sv/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/sv/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/sv/include/homedir_substring.xml b/src/man/sv/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/sv/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/sv/include/ipa_modified_defaults.xml b/src/man/sv/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/sv/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/sv/include/ldap_id_mapping.xml b/src/man/sv/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/sv/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/sv/include/ldap_search_bases.xml b/src/man/sv/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/sv/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/sv/include/local.xml b/src/man/sv/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/sv/include/local.xml 
@@ -0,0 +1,17 @@ + + THE LOCAL DOMAIN + + In order to function correctly, a domain with +id_provider=local must be created and the SSSD must be +running. + + + The administrator might want to use the SSSD local users instead of +traditional UNIX users in cases where the group nesting (see +sss_groupadd 8 +) is needed. The local users are also useful for testing and +development of the SSSD without having to deploy a full remote server. The +sss_user* and sss_group* tools use a +local LDB storage to store users and groups. + + diff --git a/src/man/sv/include/override_homedir.xml b/src/man/sv/include/override_homedir.xml new file mode 100644 index 0000000..94caee1 --- /dev/null +++ b/src/man/sv/include/override_homedir.xml @@ -0,0 +1,63 @@ + +override_homedir (string) + + + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: + + + %u + login name + + + %U + UID number + + + %d + domain name + + + %f + fully qualified user name (user@domain) + + + %l + The first letter of the login name. + + + %P + UPN - User Principal Name (name@REALM) + + + %o + + The original home directory retrieved from the identity provider. + + + + %H + + The value of configure option homedir_substring. + + + + %% + a literal '%' + + + + + + This option can also be set per-domain. + + + example: +override_homedir = /home/%u + + + + Default: Not set (SSSD will use the value retrieved from LDAP) + + + diff --git a/src/man/sv/include/param_help.xml b/src/man/sv/include/param_help.xml new file mode 100644 index 0000000..d28020b --- /dev/null +++ b/src/man/sv/include/param_help.xml @@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/sv/include/param_help_py.xml b/src/man/sv/include/param_help_py.xml new file mode 100644 index 0000000..a2478bf --- /dev/null +++ b/src/man/sv/include/param_help_py.xml 
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/sv/include/seealso.xml b/src/man/sv/include/seealso.xml new file mode 100644 index 0000000..9b5b28a --- /dev/null +++ b/src/man/sv/include/seealso.xml @@ -0,0 +1,61 @@ + + SEE ALSO + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/sv/include/service_discovery.xml b/src/man/sv/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/sv/include/service_discovery.xml 
@@ -0,0 +1,41 @@ + + SERVICE DISCOVERY + + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + + + Configuration + + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, _srv_, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + + + + The domain name + + Please refer to the dns_discovery_domain parameter in the + sssd.conf +5 manual page for more details. + + + + The protocol + + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + + + + See Also + + For more information on the service discovery mechanism, refer to RFC 2782. + + + diff --git a/src/man/sv/include/upstream.xml b/src/man/sv/include/upstream.xml new file mode 100644 index 0000000..ba04020 --- /dev/null +++ b/src/man/sv/include/upstream.xml @@ -0,0 +1,3 @@ + +SSSD The SSSD upstream - +https://pagure.io/SSSD/sssd/ diff --git a/src/man/sv/sss_groupmod.8.xml b/src/man/sv/sss_groupmod.8.xml new file mode 100644 index 0000000..da1e465 --- /dev/null +++ b/src/man/sv/sss_groupmod.8.xml 
@@ -0,0 +1,71 @@ + + + +SSSD manualsidor + + + + + sss_groupmod + 8 + + + + sss_groupmod + ändra en grupp + + + + +sss_groupmod +flaggor GRUPP + + + + BESKRIVNING + + sss_groupmod ändrar gruppen till att avspegla ändringarna +som anges pÃ¥ kommandoraden. + + + + + FLAGGOR + + + + , +GRUPPER + + + + Lägg till denna grupp till grupperna som anges av parametern +GRUPPER parameter. Parametern +GRUPPER är en kommaseparerad lista av gruppnamn. + + + + + + , +GRUPPER + + + + Ta bort denna grupp frÃ¥n grupperna som anges av parametern +GRUPPER. + + + + + + + + + + + + + diff --git a/src/man/tg/include/ad_modified_defaults.xml b/src/man/tg/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 --- /dev/null +++ b/src/man/tg/include/ad_modified_defaults.xml @@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + 
diff --git a/src/man/tg/include/autofs_restart.xml b/src/man/tg/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/tg/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/tg/include/debug_levels.xml b/src/man/tg/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/tg/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/tg/include/debug_levels_tools.xml b/src/man/tg/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/tg/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/tg/include/experimental.xml b/src/man/tg/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/tg/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/tg/include/failover.xml b/src/man/tg/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/tg/include/failover.xml
@@ -0,0 +1,97 @@
+
+ FAILOVER
+
+ The failover feature allows back ends to automatically switch to a different
+server if the current server fails.
+
+
+ Failover Syntax
+
+ The list of servers is given as a comma-separated list; any number of spaces
+is allowed around the comma. The servers are listed in order of
+preference. The list can contain any number of servers.
+
+
+ For each failover-enabled config option, two variants exist:
+primary and backup. The idea is
+that servers in the primary list are preferred and backup servers are only
+searched if no primary servers can be reached. If a backup server is
+selected, a timeout of 31 seconds is set. After this timeout SSSD will
+periodically try to reconnect to one of the primary servers. If it succeeds,
+it will replace the current active (backup) server.
+
+
+
+ The Failover Mechanism
+
+ The failover mechanism distinguishes between a machine and a service. The
+back end first tries to resolve the hostname of a given machine; if this
+resolution attempt fails, the machine is considered offline. No further
+attempts are made to connect to this machine for any other service. If the
+resolution attempt succeeds, the back end tries to connect to a service on
+this machine. If the service connection attempt fails, then only this
+particular service is considered offline and the back end automatically
+switches over to the next service. The machine is still considered online
+and might still be tried for another service.
+
+
+ Further connection attempts are made to machines or services marked as
+offline after a specified period of time; this is currently hard coded to 30
+seconds.
+
+
+ If there are no more machines to try, the back end as a whole switches to
+offline mode, and then attempts to reconnect every 30 seconds.
+
+
+
+ Failover time outs and tuning
+
+ Resolving a server to connect to can be as simple as running a single DNS
+query or can involve several steps, such as finding the correct site or
+trying out multiple host names in case some of the configured servers are
+not reachable. The more complex scenarios can take some time and SSSD needs
+to balance between providing enough time to finish the resolution process
+but on the other hand, not trying for too long before falling back to
+offline mode. If the SSSD debug logs show that the server resolution is
+timing out before a live server is contacted, you can consider changing the
+time outs.
+
+
+ This section lists the available tunables. Please refer to their description
+in the
+sssd.conf5
+, manual page.
+
+
+ dns_resolver_op_timeout
+
+
+
+ How long would SSSD talk to a single DNS server.
+
+
+
+
+
+ dns_resolver_timeout
+
+
+
+ How long would SSSD try to resolve a failover service. This service
+resolution internally might include several steps, such as resolving DNS SRV
+queries or locating the site.
+
+
+
+
+
+
+ For LDAP-based providers, the resolve operation is performed as part of an
+LDAP connection operation. Therefore, also the
+ldap_opt_timeout> timeout should be set to a larger value
+than dns_resolver_timeout which in turn should be set to a
+larger value than dns_resolver_op_timeout.
+
+
+
diff --git a/src/man/tg/include/homedir_substring.xml b/src/man/tg/include/homedir_substring.xml
new file mode 100644
index 0000000..d7533de
--- /dev/null
+++ b/src/man/tg/include/homedir_substring.xml
@@ -0,0 +1,17 @@
+
+ homedir_substring (string)
+
+
+ The value of this option will be used in the expansion of the
+override_homedir option if the template contains the
+format string %H. An LDAP directory entry can directly
+contain this template so that this option can be used to expand the home
+directory path for each client machine (or operating system). It can be set
+per-domain or globally in the [nss] section. A value specified in a domain
+section will override one set in the [nss] section.
+
+
+ Default: /home
+
+
+
diff --git a/src/man/tg/include/ipa_modified_defaults.xml b/src/man/tg/include/ipa_modified_defaults.xml
new file mode 100644
index 0000000..4ad4b45
--- /dev/null
+++ b/src/man/tg/include/ipa_modified_defaults.xml
@@ -0,0 +1,123 @@
+
+ MODIFIED DEFAULT OPTIONS
+
+ Certain option defaults do not match their respective backend provider
+defaults, these option names and IPA provider-specific defaults are listed
+below:
+
+
+ KRB5 Provider
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_fast = try
+
+
+
+
+ krb5_canonicalize = true
+
+
+
+
+
+ LDAP Provider - General
+
+
+
+ ldap_schema = ipa_v1
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_sasl_mech = GSSAPI
+
+
+
+
+ ldap_sasl_minssf = 56
+
+
+
+
+ ldap_account_expire_policy = ipa
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+
+ LDAP Provider - User options
+
+
+
+ ldap_user_member_of = memberOf
+
+
+
+
+ ldap_user_uuid = ipaUniqueID
+
+
+
+
+ ldap_user_ssh_public_key = ipaSshPubKey
+
+
+
+
+ ldap_user_auth_type = ipaUserAuthType
+
+
+
+
+
+ LDAP Provider - Group options
+
+
+
+ ldap_group_object_class = ipaUserGroup
+
+
+
+
+ ldap_group_object_class_alt = posixGroup
+
+
+
+
+ ldap_group_member = member
+
+
+
+
+ ldap_group_uuid = ipaUniqueID
+
+
+
+
+ ldap_group_objectsid = ipaNTSecurityIdentifier
+
+
+
+
+ ldap_group_external_member = ipaExternalMember
+
+
+
+
+
diff --git a/src/man/tg/include/ldap_id_mapping.xml b/src/man/tg/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..e497566
--- /dev/null
+++ b/src/man/tg/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Ҷӯрсозӣ + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Пешфарз: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/tg/include/ldap_search_bases.xml b/src/man/tg/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/tg/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/tg/include/local.xml b/src/man/tg/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/tg/include/local.xml 
@@ -0,0 +1,17 @@
+
+ THE LOCAL DOMAIN
+
+ In order to function correctly, a domain with
+id_provider=local must be created and the SSSD must be
+running.
+
+
+ The administrator might want to use the SSSD local users instead of
+traditional UNIX users in cases where the group nesting (see
+sss_groupadd 8
+) is needed. The local users are also useful for testing and
+development of the SSSD without having to deploy a full remote server. The
+sss_user* and sss_group* tools use a
+local LDB storage to store users and groups.
+
+
diff --git a/src/man/tg/include/override_homedir.xml b/src/man/tg/include/override_homedir.xml
new file mode 100644
index 0000000..be62c21
--- /dev/null
+++ b/src/man/tg/include/override_homedir.xml
@@ -0,0 +1,63 @@
+
+override_homedir (string)
+
+
+ Override the user's home directory. You can either provide an absolute value
+or a template. In the template, the following sequences are substituted:
+
+
+ %u
+ Номи логин
+
+
+ %U
+ Рақами UID
+
+
+ %d
+ domain name
+
+
+ %f
+ fully qualified user name (user@domain)
+
+
+ %l
+ The first letter of the login name.
+
+
+ %P
+ UPN - User Principal Name (name@REALM)
+
+
+ %o
+
+ The original home directory retrieved from the identity provider.
+
+
+
+ %H
+
+ The value of configure option homedir_substring.
+
+
+
+ %%
+ a literal '%'
+
+
+
+
+
+ This option can also be set per-domain.
+
+
+ example:
+override_homedir = /home/%u
+
+
+
+ Default: Not set (SSSD will use the value retrieved from LDAP)
+
+
+
diff --git a/src/man/tg/include/param_help.xml b/src/man/tg/include/param_help.xml
new file mode 100644
index 0000000..d28020b
--- /dev/null
+++ b/src/man/tg/include/param_help.xml
@@ -0,0 +1,10 @@
+
+
+ ,
+
+
+
+ Display help message and exit.
+
+
+
diff --git a/src/man/tg/include/param_help_py.xml b/src/man/tg/include/param_help_py.xml
new file mode 100644
index 0000000..a2478bf
--- /dev/null
+++ b/src/man/tg/include/param_help_py.xml
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/tg/include/seealso.xml b/src/man/tg/include/seealso.xml new file mode 100644 index 0000000..9b5b28a --- /dev/null +++ b/src/man/tg/include/seealso.xml @@ -0,0 +1,61 @@ + + SEE ALSO + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/tg/include/service_discovery.xml b/src/man/tg/include/service_discovery.xml new file mode 100644 index 0000000..e7f811b --- /dev/null +++ b/src/man/tg/include/service_discovery.xml 
@@ -0,0 +1,41 @@
+
+ SERVICE DISCOVERY
+
+ The service discovery feature allows back ends to automatically find the
+appropriate servers to connect to using a special DNS query. This feature is
+not supported for backup servers.
+
+
+ Ҷӯрсозӣ
+
+ If no servers are specified, the back end automatically uses service
+discovery to try to find a server. Optionally, the user may choose to use
+both fixed server addresses and service discovery by inserting a special
+keyword, _srv_, in the list of servers. The order of
+preference is maintained. This feature is useful if, for example, the user
+prefers to use service discovery whenever possible, and fall back to a
+specific server when no servers can be discovered using DNS.
+
+
+
+ The domain name
+
+ Please refer to the dns_discovery_domain parameter in the
+ sssd.conf
+5 manual page for more details.
+
+
+
+ The protocol
+
+ The queries usually specify _tcp as the protocol. Exceptions are documented
+in respective option description.
+
+
+
+ See Also
+
+ For more information on the service discovery mechanism, refer to RFC 2782.
+
+
+
diff --git a/src/man/tg/include/upstream.xml b/src/man/tg/include/upstream.xml
new file mode 100644
index 0000000..ba04020
--- /dev/null
+++ b/src/man/tg/include/upstream.xml
@@ -0,0 +1,3 @@
+
+SSSD The SSSD upstream -
+https://pagure.io/SSSD/sssd/
diff --git a/src/man/uk/idmap_sss.8.xml b/src/man/uk/idmap_sss.8.xml
new file mode 100644
index 0000000..9d33d05
--- /dev/null
+++ b/src/man/uk/idmap_sss.8.xml
@@ -0,0 +1,61 @@ + + + +Сторінки підручника SSSD + + + + + idmap_sss + 8 + + + + idmap_sss + Модуль idmap_sss SSSD для Winbind + + + + ОПИС + + Модуль idmap_sss надає змогу викликати SSSD для прив'язки UID/GID і SID. У +цьому випадку база даних не потрібна, оскільки прив'язка виконується +засобами SSSD. + + + + + ПАРАМЕТРИ IDMAP + + + + діапазон = нижче - вище + + Визначає доступний для обробки модулем діапазон відповідності UID і GID. + + + + + + + ПРИКЛАДИ + + У цьому прикладі продемонстровано налаштовування idmap_sss як типового +модуля прив'язки. + + + +[global] +security = domain +workgroup = MAIN + +idmap config * : backend = sss +idmap config * : range = 200000-2147483647 + + + + + + + diff --git a/src/man/uk/include/ad_modified_defaults.xml b/src/man/uk/include/ad_modified_defaults.xml new file mode 100644 index 0000000..6b3c6cb --- /dev/null +++ b/src/man/uk/include/ad_modified_defaults.xml 
@@ -0,0 +1,78 @@
+
+ ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ
+
+ Деякі типові значення параметрів не збігаються із типовими значеннями
+параметрів засобу надання даних. Із назвами відповідних параметрів та
+специфічні для засобу надання даних AD значення цих параметрів можна
+ознайомитися за допомогою наведеного нижче списку:
+
+
+ Модуль надання даних KRB5
+
+
+
+ krb5_validate = true
+
+
+
+
+ krb5_use_enterprise_principal = true
+
+
+
+
+
+ Модуль надання даних LDAP
+
+
+
+ ldap_schema = ad
+
+
+
+
+ ldap_force_upper_case_realm = true
+
+
+
+
+ ldap_id_mapping = true
+
+
+
+
+ ldap_sasl_mech = gssapi
+
+
+
+
+ ldap_referrals = false
+
+
+
+
+ ldap_account_expire_policy = ad
+
+
+
+
+ ldap_use_tokengroups = true
+
+
+
+
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+
+
+ The AD provider looks for a different principal than the LDAP provider by
+default, because in an Active Directory environment the principals are
+divided into two groups - User Principals and Service Principals. Only User
+Principal can be used to obtain a TGT and by default, computer object's
+principal is constructed from its sAMAccountName and the AD realm. The
+well-known host/hostname@REALM principal is a Service Principal and thus
+cannot be used to get a TGT with.
+
+
+
+
+
diff --git a/src/man/uk/include/autofs_restart.xml b/src/man/uk/include/autofs_restart.xml
new file mode 100644
index 0000000..e941c4b
--- /dev/null
+++ b/src/man/uk/include/autofs_restart.xml
@@ -0,0 +1,6 @@
+
+ Будь ласка, зауважте, що засіб автоматичного монтування читає основну карту
+лише під час запуску, отже якщо до ssd.conf внесено будь-які пов’язані з
+autofs зміни, типово слід перезапустити фонову службу автоматичного
+монтування після перезапуску SSSD.
+
diff --git a/src/man/uk/include/debug_levels.xml b/src/man/uk/include/debug_levels.xml
new file mode 100644
index 0000000..2af19ad
--- /dev/null
+++ b/src/man/uk/include/debug_levels.xml
@@ -0,0 +1,93 @@ + + + У SSSD передбачено два представлення для визначення рівня +діагностики. Найпростішим є визначення десяткового значення у діапазоні +0-9. Кожному значенню відповідає вмикання відповідного рівня діагностики і +усіх нижчих рівнів. Точніше визначення вмикання або вимикання (якщо це +потрібно) специфічних рівнів можна встановити за допомогою шістнадцяткової +бітової маски. + + + Будь ласка, зауважте, що кожна служба SSSD веде журнал у власному +файлі. Також зауважте, що вмикання debug_level у розділі +[sssd] вмикає діагностику лише для самого процесу sssd, а не +для процесів відповідача чи надавача даних. Для отримання діагностичних +повідомлень слід додати параметр «debug_level» до усіх розділів, для яких +слід створювати журнал діагностичних повідомлень. + + + Окрім зміни рівня ведення журналу у файлі налаштувань за допомогою параметра +«debug_level», який не змінюється під час роботи, але зміна якого потребує +перезапуску SSSD, можна змінити режим діагностики без перезапуску за +допомогою програми +sss_debuglevel 8 +. + + + Рівні діагностики, передбачені у поточній версії: + + + 0, 0x0010: критичні помилки з +аварійним завершенням роботи. Всі помилки, які не дають SSSD змоги розпочати +або продовжувати роботу. + + + 1, 0x0020: критичні +помилки. Помилки, які не призводять до аварійного завершення роботи SSSD, +але означають, що одна з основних можливостей не працює належним чином. + + + 2, 0x0040: серйозні +помилки. Повідомлення про такі помилки означають, що не вдалося виконати +певний запит або дію. + + + 3, 0x0080: незначні помилки. Це +помилки які можуть призвести до помилок під час виконання дій. + + + 4, 0x0100: параметри налаштування. + + + 5, 0x0200: дані функцій. + + + 6, 0x0400: повідомлення трасування +для функцій дій. + + + 7, 0x1000: повідомлення трасування +для функцій внутрішнього трасування. + + + 8, 0x2000: вміст внутрішніх +змінних функцій, який може бути цікавим. + + + 9, 0x4000: дані трасування +найнижчого рівня. 
+ + + Щоб до журналу було записано дані потрібних бітових масок рівнів +діагностики, просто додайте відповідні числа, як це показано у наведених +нижче прикладах: + + + Example: щоб до журналу було записано дані щодо +критичних помилок з аварійним завершенням роботи, критичних помилок, +серйозних помилок та дані функцій, скористайтеся рівнем діагностики 0x0270. + + + Приклад: щоб до журналу було записано критичні помилки +з аварійним завершенням роботи, параметри налаштування, дані функцій та +повідомлення трасування для функцій внутрішнього керування, скористайтеся +рівнем 0x1310. + + + Зауваження: формат бітових масок для рівнів діагностики +впроваджено у версії 1.7.0. + + + Типове значення: 0 + + diff --git a/src/man/uk/include/debug_levels_tools.xml b/src/man/uk/include/debug_levels_tools.xml new file mode 100644 index 0000000..41a34a9 --- /dev/null +++ b/src/man/uk/include/debug_levels_tools.xml 
@@ -0,0 +1,77 @@ + + + У SSSD передбачено два представлення для визначення рівня +діагностики. Найпростішим є визначення десяткового значення у діапазоні +0-9. Кожному значенню відповідає вмикання відповідного рівня діагностики і +усіх нижчих рівнів. Точніше визначення вмикання або вимикання (якщо це +потрібно) специфічних рівнів можна встановити за допомогою шістнадцяткової +бітової маски. + + + Рівні діагностики, передбачені у поточній версії: + + + 0, 0x0010: критичні помилки з +аварійним завершенням роботи. Всі помилки, які не дають SSSD змоги розпочати +або продовжувати роботу. + + + 1, 0x0020: критичні +помилки. Помилки, які не призводять до аварійного завершення роботи SSSD, +але означають, що одна з основних можливостей не працює належним чином. + + + 2, 0x0040: серйозні +помилки. Повідомлення про такі помилки означають, що не вдалося виконати +певний запит або дію. + + + 3, 0x0080: незначні помилки. Це +помилки які можуть призвести до помилок під час виконання дій. + + + 4, 0x0100: параметри налаштування. + + + 5, 0x0200: дані функцій. + + + 6, 0x0400: повідомлення трасування +для функцій дій. + + + 7, 0x1000: повідомлення трасування +для функцій внутрішнього трасування. + + + 8, 0x2000: вміст внутрішніх +змінних функцій, який може бути цікавим. + + + 9, 0x4000: дані трасування +найнижчого рівня. + + + Щоб до журналу було записано дані потрібних бітових масок рівнів +діагностики, просто додайте відповідні числа, як це показано у наведених +нижче прикладах: + + + Example: щоб до журналу було записано дані щодо +критичних помилок з аварійним завершенням роботи, критичних помилок, +серйозних помилок та дані функцій, скористайтеся рівнем діагностики 0x0270. + + + Приклад: щоб до журналу було записано критичні помилки +з аварійним завершенням роботи, параметри налаштування, дані функцій та +повідомлення трасування для функцій внутрішнього керування, скористайтеся +рівнем 0x1310. 
+ + + Зауваження: формат бітових масок для рівнів діагностики +впроваджено у версії 1.7.0. + + + Типове значення: 0 + + diff --git a/src/man/uk/include/experimental.xml b/src/man/uk/include/experimental.xml new file mode 100644 index 0000000..ae0cc9c --- /dev/null +++ b/src/man/uk/include/experimental.xml @@ -0,0 +1,3 @@ + Цю можливість ще не перевірено достатнім чином Будь ласка, якщо +помітите якісь вади, повідомте про них за допомогою настанов на сторінці +https://pagure.io/SSSD/sssd/. diff --git a/src/man/uk/include/failover.xml b/src/man/uk/include/failover.xml new file mode 100644 index 0000000..129ef18 --- /dev/null +++ b/src/man/uk/include/failover.xml 
@@ -0,0 +1,105 @@ + + РЕЗЕРВ + + Можливість резервування надає змогу модулям обробки автоматично перемикатися +на інші сервери, якщо спроба встановлення з’єднання з поточним сервером +зазнає невдачі. + + + Синтаксичні конструкції визначення резервного сервера + + Список записів серверів, відокремлених комами. Між комами можна +використовувати довільну кількість пробілів. Порядок у списку визначає +пріоритет. У списку може бути будь-яка кількість записів серверів. + + + Для кожного з параметрів налаштування з увімкненим резервним отриманням +існує два варіанти: основний і +резервний. Ідея полягає у тому, що сервери з основного +списку мають вищий пріоритет за резервні сервери, пошук же на резервних +серверах виконується, лише якщо не вдасться з’єднатися з жодним з основних +серверів. Якщо буде вибрано резервний сервер, встановлюється час очікування +у 31 секунду. Після завершення часу очікування SSSD періодично +намагатиметься повторно встановити з’єднання з основними серверами. Якщо +спроба буде успішною, поточний активний резервний сервер буде замінено на +основний. + + + + Механізм визначення резервного сервера + + Механізмом резервного використання розрізняються окремі комп’ютери і +служби. Спочатку модуль намагається визначити назву вузла вказаного +комп’ютера. Якщо спроби визначення зазнають невдачі, комп’ютер вважатиметься +від’єднаним від мережі. Подальших спроб встановити з’єднання з цим +комп’ютером для всіх інших служб не виконуватиметься. Якщо вдасться виконати +визначення, модуль зробити спробу встановити з’єднання зі службою на +визначеному комп’ютері. Якщо спроба з’єднання зі службою не призведе до +успіху, непрацездатною вважатиметься лише служба, модуль автоматично +перемкнеться на наступну службу. Комп’ютер служби вважатиметься з’єднаним з +мережею, можливі подальші спроби використання інших служб. 
+ + + Подальші спроби встановлення з’єднання з комп’ютерами або службами, +позначеними як такі, що перебувають поза мережею, буде виконано за певний +проміжок часу. У поточній версії цей проміжок є незмінним і дорівнює 30 +секундам. + + + Якщо список комп’ютерів буде вичерпано, основний модуль перейде у режим +автономної роботи і повторюватиме спроби з’єднання кожні 30 секунд. + + + + Час очікування на перемикання на резервний ресурс та точне налаштовування + + Для визначення сервера для з'єднання достатньо одного запиту DNS або +декількох кроків, зокрема визначення відповідного сайта або спроба +використати декілька назв вузлів у випадку, якщо якісь із налаштованих +серверів недоступні. Складніші сценарії можуть потребувати додаткового часу, +а SSSD треба збалансувати надання достатнього часу для завершення процесу +визначення і використання притомного часу на виконання цього запиту перед +переходом до автономного режиму. Якщо діагностичний журнал SSSD показує, що +під час визначення сервера перевищено час очікування на з'єднання із +працездатним сервером, варто змінити значення параметрів часу очікування. + + + У цьому розділі наведено списки доступних для коригування параметрів. Будь +ласка, ознайомтеся із їхніми описами за допомогою сторінки підручника + +sssd.conf5 +. + + + dns_resolver_op_timeout + + + + Наскільки довго SSSD обмінюватиметься інформацією із окремим сервером DNS. + + + + + + dns_resolver_timeout + + + + Наскільки довго має чекати SSSD на визначення резервної служби надання +даних. На внутрішньому рівні визначення такої служби може включати декілька +кроків, зокрема визначення адрес запитів DNS SRV або пошук розташування +сайта. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + 
diff --git a/src/man/uk/include/homedir_substring.xml b/src/man/uk/include/homedir_substring.xml
new file mode 100644
index 0000000..d8238bc
--- /dev/null
+++ b/src/man/uk/include/homedir_substring.xml
@@ -0,0 +1,18 @@
+
+ homedir_substring (рядок)
+
+
+ Значення цього параметра буде використано під час розгортання параметра
+override_homedir, якщо у шаблоні міститься рядок
+форматування %H. Запис каталогу LDAP може безпосередньо
+містити цей шаблон для розгортання шляху до домашнього каталогу на кожному з
+клієнтських комп’ютерів (або у кожній з операційних систем). Значення
+параметра можна вказати окремо для кожного з доменів або на загальному рівні
+у розділі [nss]. Значення, вказане у розділі домену, має вищий пріоритет за
+значення, встановлене за допомогою розділу [nss].
+
+
+ Типове значення: /home
+
+
+
diff --git a/src/man/uk/include/ipa_modified_defaults.xml b/src/man/uk/include/ipa_modified_defaults.xml
new file mode 100644
index 0000000..8f8f904
--- /dev/null
+++ b/src/man/uk/include/ipa_modified_defaults.xml
@@ -0,0 +1,124 @@ + + ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ + + Деякі типові значення параметрів не збігаються із типовими значеннями +параметрів засобу надання даних. Із назвами відповідних параметрів та +специфічні для засобу надання даних IPA значення цих параметрів можна +ознайомитися за допомогою наведеного нижче списку: + + + Модуль надання даних KRB5 + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + Модуль надання даних LDAP — Загальне + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + Модуль надання даних LDAP — Параметри користувачів + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + Модуль надання даних LDAP — Параметри груп + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + diff --git a/src/man/uk/include/ldap_id_mapping.xml b/src/man/uk/include/ldap_id_mapping.xml new file mode 100644 index 0000000..17bd8dd --- /dev/null +++ b/src/man/uk/include/ldap_id_mapping.xml 
@@ -0,0 +1,292 @@ + + ВСТАНОВЛЕННЯ ВІДПОВІДНОСТІ ІДЕНТИФІКАТОРІВ + + Можливість встановлення відповідності ідентифікаторів надає SSSD змогу +працювати у режимі клієнта Active Directory без потреби для адміністраторів +розширювати атрибути користувача з метою підтримки атрибутів POSIX для +ідентифікаторів користувачів та груп. + + + Зауваження: якщо увімкнено встановлення відповідності ідентифікаторів, +атрибути uidNumber та gidNumber буде проігноровано. Так зроблено з метою +уникання конфліктів між автоматично визначеними та визначеними вручну +значеннями. Якщо вам потрібно призначити певні значення вручну, вручну +доведеться призначати ВСІ значення. + + + Будь ласка, зауважте, що зміна параметрів налаштувань, пов’язаних із +встановленням відповідності ідентифікаторів, призведе до зміни +ідентифікаторів користувачів і груп. У поточній версії SSSD зміни +ідентифікаторів не передбачено, отже, вам доведеться вилучити базу даних +SSSD. Оскільки кешовані паролі також зберігаються у базі даних, вилучення +бази даних слід виконувати, лише якщо сервери розпізнавання є доступними, +інакше користувачі не зможуть отримати потрібного їм доступу. З метою +кешування паролів слід виконати сеанс розпізнавання. Для вилучення бази +даних недостатньо використання команди +sss_cache 8 +, процедура має складатися з декількох кроків: + + + + Переконуємося, що віддалені сервери є доступними. + + + + + Зупиняємо роботу служби SSSD + + + + + Вилучаємо базу даних + + + + + Запускаємо службу SSSD + + + + Крім того, оскільки зміна ідентифікаторів може потребувати коригування інших +властивостей системи, зокрема прав власності на файли і каталоги, варто +спланувати усе наперед і ретельно перевірити налаштування встановлення +відповідності ідентифікаторів. + + + + Алгоритм встановлення відповідності + + Active Directory надає значення objectSID для всіх об’єктів користувачів і +груп у каталозі. 
Таке значення objectSID можна розбити на компоненти, які +відповідають профілю домену Active Directory та відносному ідентифікатору +(RID) об’єкта користувача або групи. + + + Алгоритмом встановлення відповідності ідентифікаторів SSSD передбачено поділ +діапазону доступних UID на розділи однакових розмірів, які називаються +«зрізами». Кожен зріз відповідає простору, доступному певному домену Active +Directory. + + + Коли SSSD вперше зустрічає запис користувача або групи певного домену, SSSD +віддає один з доступних зрізів під цей домен. З метою уможливлення +відтворення такого призначення зрізів на різних клієнтських системах, зріз +вибирається за таким алгоритмом: + + + Рядок SID передається алгоритмові murmurhash3 з метою перетворення його на +хешоване 32-бітове значення. Для вибору зрізу використовується ціла частина +від ділення цього значення на загальну кількість доступних зрізів. + + + Зауваження: за такого алгоритму можливі збіги за хешем та відповідною цілою +частиною від ділення. У разі виявлення таких збігів буде вибрано наступний +доступних зріз, але це може призвести до неможливості відтворити точно такий +самий набір зрізів на інших комп’ютерах (оскільки в такому разі на вибір +зрізів може вплинути порядок, у якому виконується обробка даних). Якщо ви +зіткнулися з подібною ситуацією, рекомендуємо вам або перейти на +використання явних атрибутів POSIX у Active Directory (вимкнути встановлення +відповідності ідентифікаторів) або налаштувати типовий домен з метою +гарантування того, що принаймні цей домен матиме еталонні дані. Докладніше +про це у розділі «Налаштування». + + + + + Налаштування + + Мінімальне налаштовування (у розділі [domain/НАЗВА_ДОМЕНУ]): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + За типових налаштувань буде створено 10000 зрізів, кожен з яких може містити +до 200000 ідентифікаторів, починаючи з 2000000 і аж до 2000200000. Цього має +вистачити для більшості розгорнутих середовищ. 
+ + + Додаткові налаштування + + + ldap_idmap_range_min (ціле число) + + + Визначає нижню межу діапазону ідентифікаторів POSIX, які слід +використовувати для встановлення відповідності SID користувачів і груп +Active Directory. + + + Зауваження: цей параметр відрізняється від min_id тим, що +min_id працює як фільтр відповідей на запити щодо цього +домену, а цей параметр керує діапазоном призначення ідентифікаторів. Ця +відмінність є мінімальною, але загалом варто визначати min_id +меншим або рівним ldap_idmap_range_min + + + Типове значення: 200000 + + + + + ldap_idmap_range_max (ціле число) + + + Визначає верхню межу діапазону ідентифікаторів POSIX, які слід +використовувати для встановлення відповідності SID користувачів і груп +Active Directory. + + + Зауваження: цей параметр відрізняється від max_id тим, що +max_id працює як фільтр відповідей на запити щодо цього +домену, а цей параметр керує діапазоном призначення ідентифікаторів. Ця +відмінність є мінімальною, але загалом варто визначати max_id +більшим або рівним ldap_idmap_range_max + + + Типове значення: 2000200000 + + + + + ldap_idmap_range_size (ціле число) + + + Визначає кількість ідентифікаторів доступних на кожному зі зрізів. Якщо +розмір діапазону не ділиться націло на мінімальне і максимальне значення, +буде створено якомога більше повних зрізів. + + + ЗАУВАЖЕННЯ: значення цього параметра має бути не меншим за значення +максимального запланованого до використання RID на сервері Active +Directory. Пошук даних та вхід для будь-яких користувачів з RID, що +перевищує це значення, буде неможливим. + + + Приклад: якщо найсвіжішим доданим користувачем Active Directory є користувач +з objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +«ldap_idmap_range_size» повинне мати значення, яке є не меншим за 1108, +оскільки розмір діапазону дорівнює максимальному SID мінус мінімальний SID +плюс 1. (Наприклад, 1108 = 1107 - 0 + 1). 
+ + + Для майбутнього можливого розширення важливо все спланувати наперед, +оскільки зміна цього значення призведе до зміни усіх прив’язок +ідентифікаторів у системі, отже зміни попередніх локальних ідентифікаторів +користувачів. + + + Типове значення: 200000 + + + + + ldap_idmap_default_domain_sid (рядок) + + + Визначає SID типового домену. За допомогою цього параметра можна гарантувати +те, що цей домен буде завжди призначено до нульового зрізу у карті +ідентифікаторів без використання алгоритму murmurhash описаного вище. + + + Типове значення: not set + + + + + ldap_idmap_default_domain (рядок) + + + Вказати назву типового домену. + + + Типове значення: not set + + + + + ldap_idmap_autorid_compat (булеве значення) + + + Змінює поведінку алгоритму встановлення відповідності ідентифікаторів так, +щоб обчислення відбувалися за алгоритмом подібним до алгоритму +idmap_autorid winbind. + + + Якщо встановлено цей параметр, домени призначатимуться, починаючи з +нульового зрізу з поступовим зростанням номерів на кожен додатковий домен. + + + Зауваження: цей алгоритм є недетерміністичним (залежить від порядку записів +користувачів та груп). Якщо з метою сумісності з системою, у якій запущено +winbind, буде використано цей алгоритм, варто також скористатися параметром +ldap_idmap_default_domain_sid з метою гарантування +послідовного призначення принаймні одного домену до нульового зрізу. + + + Типове значення: False + + + + + ldap_idmap_helper_table_size (ціле число) + + + Максимальна кількість вторинних зрізів, яку можна використовувати під час +виконання прив'язки ідентифікатора UNIX до SID. + + + Зауваження: під час прив'язування SID до ідентифікатора UNIX може бути +створено додаткові вторинні зрізи, якщо частини RID SID перебувають поза +межами діапазону вже створених вторинних зрізів. Якщо значенням +ldap_idmap_helper_table_size буде 0, додаткові вторинні зрізи не +створюватимуться. 
+ + + Типове значення: 10 + + + + + + + + + Добре відомі SID + + У SSSD передбачено підтримку пошуку назв за добре відомими (Well-Known) SID, +тобто SID із особливим запрограмованим призначенням. Оскільки типові +користувачі і групи, пов’язані із цими добре відомими SID не мають +еквівалентів у середовищі Linux/UNIX, ідентифікаторів POSIX для цих об’єктів +немає. + + + Простір назв SID упорядковано службами сертифікації, які виглядають як інші +домени. Службами сертифікації для добре відомих (Well-Known) SID є + + Фіктивна служба сертифікації (Null Authority) + Загальна служба сертифікації (World Authority) + Локальна служба сертифікації (Local Authority) + Авторська служба сертифікації (Creator Authority) + Служба сертифікації NT (NT Authority) + Вбудована (Built-in) + + Написані літерами верхнього регістру ці назви буде використано як назви +доменів для повернення повних назв добре відомих (Well-Known) SID. + + + Оскільки деякі з програм надають змогу змінювати дані щодо керування +доступом на основі SID за допомогою назви, а не безпосереднього +використання, у SSSD передбачено підтримку пошуку SID за назвою. Щоб +уникнути конфліктів, для пошуку добре відомих (Well-Known) SID приймаються +лише повні назви. Отже, не можна використовувати як назви доменів у +sssd.conf такі назви: «NULL AUTHORITY», «WORLD +AUTHORITY», «LOCAL AUTHORITY», «CREATOR AUTHORITY», «NT AUTHORITY» та +«BUILTIN». + + + + diff --git a/src/man/uk/include/ldap_search_bases.xml b/src/man/uk/include/ldap_search_bases.xml new file mode 100644 index 0000000..7261348 --- /dev/null +++ b/src/man/uk/include/ldap_search_bases.xml 
@@ -0,0 +1,33 @@
+
+
+ Додатковий основний DN, область пошуку і фільтр LDAP для обмеження пошуків
+LDAP цим типом атрибутів.
+
+
+ синтаксис:
+search_base[?scope?[filter][?search_base?scope?[filter]]*]
+
+
+
+ Діапазоном може бути одне зі значень, «base» (основа), «onelevel» (окремий
+рівень) або «subtree» (піддерево). Докладніший опис діапазонів наведено у
+розділі 4.5.1.2 документа http://tools.ietf.org/html/rfc4511
+
+
+ Фільтром має бути коректний запис фільтрування LDAP, відповідно до
+специфікації http://www.ietf.org/rfc/rfc2254.txt
+
+
+ Приклади використання цих синтаксичних конструкцій можна знайти у розділі
+прикладів «ldap_search_base».
+
+
+ Типове значення: значення ldap_search_base
+
+
+ Будь ласка, зауважте, що підтримки визначення області або фільтра для
+пошуків на сервері Active Directory не передбачено. Це може призвести до
+отримання значної кількості результатів і викликати реакцію з боку
+розширення діапазону отримання (Range Retrieval).
+
+
diff --git a/src/man/uk/include/local.xml b/src/man/uk/include/local.xml
new file mode 100644
index 0000000..d26290f
--- /dev/null
+++ b/src/man/uk/include/local.xml
@@ -0,0 +1,19 @@
+
+ ЛОКАЛЬНИЙ ДОМЕН
+
+ З метою забезпечення належної роботи слід створити домен з
+id_provider=local та запустити SSSD.
+
+
+ Адміністратор може надати перевагу використанню локальних записів
+користувачів SSSD замість традиційних записів користувачів UNIX, якщо для
+роботи потрібна вкладеність груп (див.
+sss_groupadd 8
+). Використання локальних записів може також бути корисним
+для тестування та розробки програмного забезпечення з підтримкою SSSD (у
+такому разі не потрібно розгортати повноцінний віддалений
+сервер). Інструменти sss_user* та
+sss_group* використовують для зберігання записів
+користувачів і груп локальне сховище даних LDB.
+
+
diff --git a/src/man/uk/include/override_homedir.xml b/src/man/uk/include/override_homedir.xml
new file mode 100644
index 0000000..6e9ccb1
--- /dev/null
+++ b/src/man/uk/include/override_homedir.xml
@@ -0,0 +1,64 @@
+
+override_homedir (рядок)
+
+
+ Перевизначити домашній каталог користувача. Ви можете вказати абсолютне
+значення або шаблон. У шаблоні можна використовувати такі замінники:
+
+
+ %u
+ ім'я користувача
+
+
+ %U
+ номер UID
+
+
+ %d
+ назва домену
+
+
+ %f
+ ім’я користувача повністю (користувач@домен)
+
+
+ %l
+ Перша літера назви облікового запису.
+
+
+ %P
+ UPN - User Principal Name (ім’я@ОБЛАСТЬ)
+
+
+ %o
+
+ Початкова домашня тека, отримана від служби профілів.
+
+
+
+ %H
+
+ Значення параметра налаштовування homedir_substring.
+
+
+
+ %%
+ символ відсотків («%»)
+
+
+
+
+
+ Значення цього параметра можна встановлювати для кожного з доменів окремо.
+
+
+ приклад:
+override_homedir = /home/%u
+
+
+
+ Типове значення: не встановлено (SSSD використовуватиме значення, отримане
+від LDAP)
+
+
+
diff --git a/src/man/uk/include/param_help.xml b/src/man/uk/include/param_help.xml
new file mode 100644
index 0000000..2905109
--- /dev/null
+++ b/src/man/uk/include/param_help.xml
@@ -0,0 +1,10 @@
+
+
+ ,
+
+
+
+ Показати довідкове повідомлення і завершити роботу.
+
+
+
diff --git a/src/man/uk/include/param_help_py.xml b/src/man/uk/include/param_help_py.xml
new file mode 100644
index 0000000..8870e8f
--- /dev/null
+++ b/src/man/uk/include/param_help_py.xml
@@ -0,0 +1,10 @@
+
+
+ ,
+
+
+
+ Показати довідкове повідомлення і завершити роботу.
+
+
+
diff --git a/src/man/uk/include/seealso.xml b/src/man/uk/include/seealso.xml
new file mode 100644
index 0000000..d6af021
--- /dev/null
+++ b/src/man/uk/include/seealso.xml
@@ -0,0 +1,61 @@ + + ТАКОЖ ПЕРЕГЛЯНЬТЕ + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/uk/include/service_discovery.xml b/src/man/uk/include/service_discovery.xml new file mode 100644 index 0000000..8452639 --- /dev/null +++ b/src/man/uk/include/service_discovery.xml 
@@ -0,0 +1,45 @@
+
+ ПОШУК СЛУЖБ
+
+ За допомогою можливості виявлення служб основні модулі мають змогу
+автоматично визначати відповідні сервери для встановлення з’єднання на
+основі даних, отриманих у відповідь на спеціальний запит до DNS. Підтримки
+цієї можливості для резервних серверів не передбачено.
+
+
+ Налаштування
+
+ Якщо серверів не буде вказано, модуль автоматично використає визначення
+служб для пошуку сервера. Крім того, користувач може використовувати і
+фіксовані адреси серверів і виявлення служб. Для цього слід вставити
+особливе ключове слово, «_srv_», до списку серверів. Пріоритет визначається
+за вказаним порядком. Ця можливість є корисною, якщо, наприклад, користувач
+надає перевагу використанню виявлення служб, якщо це можливо, з поверненням
+до використання певного сервера, якщо за допомогою DNS не вдасться виявити
+жодного сервера.
+
+
+
+ Назва домену
+
+ З докладнішими відомостями щодо параметра «dns_discovery_domain» можна
+ознайомитися на сторінці підручника (man)
+sssd.conf 5
+.
+
+
+
+ Протокол
+
+ Запитами зазвичай визначається протокол _tcp. Виключення документовано у
+описі відповідного параметра.
+
+
+
+ Також прочитайте
+
+ Докладніші відомості щодо механізмів визначення служб можна знайти у RFC
+2782.
+
+
+
diff --git a/src/man/uk/include/upstream.xml b/src/man/uk/include/upstream.xml
new file mode 100644
index 0000000..4b0c243
--- /dev/null
+++ b/src/man/uk/include/upstream.xml
@@ -0,0 +1,3 @@
+
+SSSD Основна гілка розробки SSSD —
+https://pagure.io/SSSD/sssd/
diff --git a/src/man/uk/pam_sss.8.xml b/src/man/uk/pam_sss.8.xml
new file mode 100644
index 0000000..fc39ca9
--- /dev/null
+++ b/src/man/uk/pam_sss.8.xml
@@ -0,0 +1,209 @@ + + + +Сторінки підручника SSSD + + + + + pam_sss + 8 + + + + pam_sss + модуль PAM для SSSD + + + + +pam_sss.so +quiet +forward_pass +use_first_pass +use_authtok +retry=N +ignore_unknown_user +ignore_authinfo_unavail +domains=X +allow_missing_name +prompt_always + + + + ОПИС + pam_sss.so — інтерфейс PAM до System Security Services +daemon (SSSD). Помилки та результати роботи записуються за допомогою +syslog(3) до запису LOG_AUTHPRIV. + + + + ПАРАМЕТРИ + + + + + + + Не показувати у журналі повідомлень для невідомих користувачів. + + + + + + + + Якщо встановлено значення , введений пароль +буде збережено у стосі паролів для використання іншими модулями PAM. + + + + + + + + + Використання аргументу use_first_pass примушує модуль до використання пароля +з модулів попереднього рівня. Ніяких запитів до користувача не +надсилатиметься, — якщо пароль не буде виявлено або пароль виявиться +непридатним, доступ користувачеві буде заборонено. + + + + + + + + Визначає ситуацію, коли зміна пароля примушує модуль встановлювати новий +пароль на основі пароля, наданого попереднім модулем обробки паролів зі +стосу модулів. + + + + + + + + Якщо вказано, користувача запитуватимуть про пароль ще N разів, якщо перший +раз розпізнавання зазнає невдачі. Типовим значенням є 0. + Будь ласка, зауважте, що цей параметр може працювати не так, як очікується, +якщо програма, яка викликає PAM, має власний обробник діалогових вікон +взаємодії з користувачем. Типовим прикладом є sshd з +. + + + + + + + + Якщо вказано цей параметр і облікового запису не існує, модуль PAM поверне +PAM_IGNORE. Це призводить до ігнорування цього модуля оболонкою PAM. + + + + + + + + + Визначає, що модуль PAM має повертати PAM_IGNORE, якщо не вдається +встановити зв’язок із фоновою службою SSSD. У результаті набір інструментів +PAM ігнорує цей модуль. + + + + + + + + + Надає змогу адміністратору обмежити домен певною службою PAM, за допомогою +якої можна буде виконувати розпізнавання. 
Формат значення: список назв +доменів SSSD, відокремлених комами, так, як їх вказано у файлі sssd.conf. + + + Зауваження: слід використовувати разом із параметрами «pam_trusted_users» і +«pam_public_domains». Будь ласка, ознайомтеся із сторінкою підручника + sssd.conf +5 , щоб дізнатися більше про ці два +параметри відповідача PAM. + + + + + + + + + + Основним призначенням цього параметра є надання SSSD змоги визначати ім'я +користувача на основі додаткових даних, наприклад сертифіката зі +смарткартки. + + + Поточним основним призначенням є засоби керування входом до системи, які +можуть спостерігати за подіями обробки карток на засобі читання +смарткарток. Щойно буде вставлено смарткартку, засіб керування входом до +системи викличе стос PAM, до якого включено рядок, подібний до +auth sufficient pam_sss.so allow_missing_name + Якщо SSSD спробує визначити ім'я користувача +на основі вмісту смарткартки, повертає його до pam_sss, який, нарешті, +передасть його стосу PAM. + + + + + + + + + + Завжди запитувати у користувача реєстраційні дані. Якщо використано цей +параметр, реєстраційні дані, запит на які надійшов від інших модулів PAM, +типово, пароль, буде проігноровано, а pam_sss надсилатиме запит щодо +реєстраційних даних знову. На основі відповіді на попереднє розпізнавання +від SSSD pam_sss може надіслати запит щодо пароля, пін-коду смарткартки або +інших реєстраційних даних. + + + + + + + + ПЕРЕДБАЧЕНІ ТИПИ МОДУЛІВ + Передбачено всі типи модулів (, +, і +). + + + + + ФАЙЛИ + Якщо спроба скидання пароля від імені адміністративного користувача (root) +зазнає невдачі, оскільки у відповідному засобі обробки SSSD не передбачено +скидання паролів, може бути показано певне повідомлення. У цьому +повідомленні, наприклад, можуть міститися настанови щодо скидання пароля. + + Текст повідомлення буде прочитано з файла +pam_sss_pw_reset_message.LOC, де «LOC» — рядок локалі у +форматі, повернутому +setlocale3 +. 
Якщо відповідного файла знайдено не буде, буде показано +вміст файла pam_sss_pw_reset_message.txt. Власником +файлів має бути адміністративний користувач (root). Доступ до запису файлів +також повинен мати лише адміністративний користувач. Всім іншим користувачам +може бути надано лише право читання файлів. + + Пошук цих файлів виконуватиметься у каталозі +/etc/sssd/customize/НАЗВА_ДОМЕНУ/. Якщо відповідний +файл не буде знайдено, буде показано типове повідомлення. + + + + + + diff --git a/src/man/uk/sss-certmap.5.xml b/src/man/uk/sss-certmap.5.xml new file mode 100644 index 0000000..eb94780 --- /dev/null +++ b/src/man/uk/sss-certmap.5.xml 
@@ -0,0 +1,593 @@ + + + +Сторінки підручника SSSD + + + + + sss-certmap + 5 + Формати файлів та правила + + + + sss-certmap + Правила встановлення відповідності і прив'язування сертифікатів SSSD + + + + ОПИС + + На цій сторінці підручника описано правила, якими можна скористатися у SSSD +та інших компонентах для встановлення відповідності сертифікатів X.509 та +прив'язування їх до облікових записів. + + + У кожного правила чотири компоненти — пріоритетність, +правило встановлення відповідності, правило +прив'язки і список доменів. Усі компоненти є +необов'язковими. Якщо не вказано пріоритетність, буде додано +правило із найнижчою пріоритетністю. Типове правило встановлення +відповідності встановлює відповідність сертифікатів із використанням +ключів digitalSignature і розширеним використанням ключів clientAuth. Якщо +правило прив'язки є порожнім, сертифікати шукатимуться у +атрибуті userCertificate у форматі закодованих двійкових даних DER. Якщо не +буде вказано доменів, пошук відбуватиметься у локальному домені. + + + + + КОМПОНЕНТИ ПРАВИЛ + + ПРІОРИТЕТНІСТЬ + + The rules are processed by priority while the number '0' (zero) indicates +the highest priority. The higher the number the lower is the priority. A +missing value indicates the lowest priority. The rules processing is stopped +when a matched rule is found and no further rules are checked. + + + На внутрішньому рівні пріоритетність визначається 32-бітовим цілим числом +без знаку. Використання значення пріоритетності, що перевищує 4294967295, +призводитиме до виведення повідомлення про помилку. + + + + ПРАВИЛО ВІДПОВІДНОСТІ + + Правило встановлення відповідності використовується для вибору сертифіката, +до якого слід застосовувати правило прив'язки. У цьому використовується +система, подібна до використаної у параметрі +pkinit_cert_match Kerberos MIT. 
Правило складається з +ключового слова між символами «<» і «>», яке визначає певну частину +сертифіката, і взірцем, який має бути знайдено, для встановлення +відповідності правила. Декілька пар ключове слово-взірець можна сполучати за +допомогою логічних операторів «&&» (та) або «||» (або). + + + Доступні варіанти: + + <SUBJECT>формальний-вираз + + + За допомогою цього компонент можна встановлювати відповідність частини або +усього запису призначення. Для встановлення відповідності використовується +синтаксис розширених формальних виразів POSIX. Докладніший опис синтаксису +можна знайти на сторінці підручника regex(7). + + + Для встановлення відповідності запис призначення, що зберігається у +сертифікаті у форматі кодованого DER ASN.1, буде перетворено на текстовий +рядок відповідно до RFC 4514. Це означає, що першою у рядку буде +найспецифічніша компонента. Будь ласка, зауважте, що у RFC 4514 описано не +усі можливі назви атрибутів. Включеними вважаються такі назви: «CN», «L», +«ST», «O», «OU», «C», «STREET», «DC» і «UID». Назви інших атрибутів може +бути показано у різний спосіб на різних платформах і у різних +інструментах. Щоб уникнути двозначностей, не варто використовувати ці +атрибути і вживати їх у відповідних формальних виразах. + + + Приклад: <SUBJECT>.*,DC=MY,DC=DOMAIN + + + + + <ISSUER>формальний-вираз + + + За допомогою цього компонент можна встановлювати відповідність частини або +усього запису видавця. Цього запису стосуються усі коментарі щодо +<SUBJECT>. + + + Приклад: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$ + + + + + <KU>використання-ключа + + + За допомогою цього параметра можна визначити значення використання ключа, +які повинен містити сертифікат. 
У списку значень, відокремлених комами, +можна використовувати такі значення: + + digitalSignature + nonRepudiation + keyEncipherment + dataEncipherment + keyAgreement + keyCertSign + cRLSign + encipherOnly + decipherOnly + + + + Для спеціальних випадків можна також використати числове значення у +діапазоні 32-бітових цілих чисел без знаку. + + + Приклад: <KU>digitalSignature,keyEncipherment + + + + + <EKU>розширене-використання-ключа + + + За допомогою цього параметра можна визначити значення розширеного +використання ключа, які повинен містити сертифікат. У списку значень, +відокремлених комами, можна використовувати такі значення: + + serverAuth + clientAuth + codeSigning + emailProtection + timeStamping + OCSPSigning + KPClientAuth + pkinit + msScLogin + + + + Розширені використання ключа, які не потрапили до вказаного вище списку, +можна визначити за допомогою їхнього OID у точково-десятковому позначенні. + + + Приклад: <EKU>clientAuth,1.3.6.1.5.2.3.4 + + + + + <SAN>формальний-вираз + + + Для сумісності із використанням Kerberos MIT цей параметр встановлюватиме +відповідність реєстраційних даних Kerberos у PKINIT або AD NT Principal SAN +так, як це робить <SAN:Principal>. + + + Приклад: <SAN>.*@MY\.REALM + + + + + <SAN:Principal>формальний-вираз + + + Встановити відповідність реєстраційних даних Kerberos у PKINIT або AD NT +Principal SAN. + + + Приклад: <SAN:Principal>.*@MY\.REALM + + + + + <SAN:ntPrincipalName>формальний-вираз + + + Встановити відповідність реєстраційних даних Kerberos з AD NT Principal SAN. + + + Приклад: <SAN:ntPrincipalName>.*@MY.AD.REALM + + + + + <SAN:pkinit>формальний-вираз + + + Встановити відповідність реєстраційних даних Kerberos з SAN PKINIT. + + + Приклад: <SAN:ntPrincipalName>.*@MY\.PKINIT\.REALM + + + + + <SAN:dotted-decimal-oid>формальний-вираз + + + Отримати значення компонента SAN otherName, яке задано OID у +крапково-десятковому позначенні, обробити його як рядок і спробувати +встановити відповідність формальному виразу. 
+ + + Приклад: <SAN:1.2.3.4>test + + + + + <SAN:otherName>base64-string + + + Виконати спробу встановлення двійкової відповідності блоку у кодуванні +base64 із усіма компонентами SAN otherName. За допомогою цього параметра +можна встановлювати відповідність із нетиповими компонентами otherName із +особливими кодуваннями, які не можна обробляти як рядки. + + + Приклад: <SAN:otherName>MTIz + + + + + <SAN:rfc822Name>формальний-вираз + + + Встановити відповідність значення SAN rfc822Name. + + + Приклад: <SAN:rfc822Name>.*@email\.domain + + + + + <SAN:dNSName>формальний-вираз + + + Встановити відповідність значення SAN dNSName. + + + Приклад: <SAN:dNSName>.*\.my\.dns\.domain + + + + + <SAN:x400Address>рядок-base64 + + + Встановити двійкову відповідність значення SAN x400Address. + + + Приклад: <SAN:x400Address>MTIz + + + + + <SAN:directoryName>формальний-вираз + + + Встановити відповідність значення SAN directoryName. Цього параметра +стосуються ті самі коментарі, які було вказано для параметрів <ISSUER> +та <SUBJECT>. + + + Приклад: <SAN:directoryName>.*,DC=com + + + + + <SAN:ediPartyName>рядок-base64 + + + Встановити двійкову відповідність значення SAN ediPartyName. + + + Приклад: <SAN:ediPartyName>MTIz + + + + + <SAN:uniformResourceIdentifier>формальний-вираз + + + Встановити відповідність значення SAN uniformResourceIdentifier. + + + Приклад: <SAN:uniformResourceIdentifier>URN:.* + + + + + <SAN:iPAddress>формальний-вираз + + + Встановити відповідність значення SAN iPAddress. + + + Приклад: <SAN:iPAddress>192\.168\..* + + + + + <SAN:registeredID>формальний-вираз + + + Встановити значення SAN registeredID у форматі точково-десяткового рядка. + + + Приклад: <SAN:registeredID>1\.2\.3\..* + + + + + + + + ПРАВИЛО ПРИВʼЯЗУВАННЯ + + Правило прив'язки використовується для пов'язування сертифіката із одним або +декількома обліковими записами. 
Далі, смарткарткою із сертифікатом та +відповідним закритим ключем можна скористатися для розпізнавання за одним з +цих облікових записів. + + + У поточній версії SSSD на базовому рівні підтримує пошук даних користувачів +лише у LDAP (винятком є лише засіб надання проксі, який у цьому контексті є +недоречним). Через це правило прив'язки засновано на синтаксисі фільтрування +пошуку LDAP з шаблонами для додавання вмісту сертифікатів до +фільтра. Очікується, що цей фільтр міститиме лише специфічні дані, потрібні +для прив'язки, яку функція виклику вбудовуватиме до іншого фільтра для +виконання справжнього пошуку. Через це рядок фільтрування має починатися із +завершуватися «(» і «)», відповідно. + + + Загалом, рекомендується використовувати атрибути з сертифіката і додати їх +до спеціальних атрибутів об'єкта користувача LDAP. Наприклад, можна +скористатися атрибутом «altSecurityIdentities» у AD або атрибутом +«ipaCertMapData» для IPA. + + + Бажаним шляхом є читання із сертифіката специфічних для користувача даних, +наприклад адреси електронної пошти, і пошук цих даних на сервері +LDAP. Причиною є те, що специфічні для користувача дані у LDAP можу бути з +різних причин змінено, що розірве прив'язку. З іншого боку, якщо +скористатися бажаним шляхом, розірвати прив'язку буде важко. + + + Шаблони для додавання даних сертифікатів до фільтра пошуку засновано на +рядках форматування у стилі Python. Воли складаються з ключового слова у +фігурних дужках із додатковим підкомпонентом-специфікатором, відокремленим +«.», або додатковим параметром перетворення-форматування, відокремленим +«!». Дозволені значення: + + {issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} + + + Цей шаблон додасть повний DN видавця, перетворений на рядок відповідно до +RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN +стоїть останнім), буде використано параметр із префіксом «_x500». 
+ + + У варіантах перетворення, назви яких починаються з «ad_», +використовуватимуться назви атрибутів, які використовуються AD, наприклад +«S», замість «ST». + + + У варіантах перетворення, назви яких починаються з «nss_», +використовуватимуться назви атрибутів, які використовуються NSS. + + + Типовим варіантом перетворення є «nss», тобто назви атрибутів відповідно до +NSS і упорядковування за LDAP/RFC 4514. + + + Приклад: +(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad}) + + + + + {subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} + + + Цей шаблон додасть повний DN призначення, перетворений на рядок відповідно +до RFC 4514. Якщо використано упорядковування X.500 (найспецифічніший RDN +стоїть останнім), буде використано параметр із префіксом «_x500». + + + У варіантах перетворення, назви яких починаються з «ad_», +використовуватимуться назви атрибутів, які використовуються AD, наприклад +«S», замість «ST». + + + У варіантах перетворення, назви яких починаються з «nss_», +використовуватимуться назви атрибутів, які використовуються NSS. + + + Типовим варіантом перетворення є «nss», тобто назви атрибутів відповідно до +NSS і упорядковування за LDAP/RFC 4514. + + + Приклад: +(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}) + + + + + {cert[!(bin|base64)]} + + + Цей шаблон додасть увесь сертифікат у кодуванні DER як рядок до фільтра +пошуку. Залежно від параметра перетворення, двійковий сертифікат або буде +преетворено на екрановану послідовність шістнадцяткових чисел у форматі +«\xx», або на код base64. Типовим варіантом є екранована шістнадцяткова +послідовність, її може бути, наприклад, використано з атрибутом LDAP +«userCertificate;binary». + + + Приклад: (userCertificate;binary={cert!bin}) + + + + + {subject_principal[.short_name]} + + + Цей шаблон додасть реєстраційні дані Kerberos, які буде взято або з SAN, +який використовується pkinit, або з реєстраційних даних AD. 
Компонент +«short_name» відповідає першій частині реєстраційного запису до символу «@». + + + Приклад: +(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) + + + + + {subject_pkinit_principal[.short_name]} + + + Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що +використовується pkinit. Компонент «short_name» відповідає першій частині +реєстраційного запису до символу «@». + + + Приклад: +(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name})) + + + + + {subject_nt_principal[.short_name]} + + + Цей шаблон додасть реєстраційні дані Kerberos, які буде передано SAN, що +використовується AD. Компонент «short_name» відповідає першій частині +реєстраційного запису до символу «@». + + + Приклад: +(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) + + + + + {subject_rfc822_name[.short_name]} + + + Цей шаблон додасть рядок, який зберігається у компоненті rfc822Name SAN, +типово, адресу електронної пошти. Компонент «short_name» відповідає першій +частині адреси до символу «@». + + + Приклад: +(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name})) + + + + + {subject_dns_name[.short_name]} + + + Цей шаблон додасть рядок, який зберігається у компоненті dNSName SAN, +типово, повну назву вузла. Компонент «short_name» відповідає першій частині +назви до першого символу «.». + + + Приклад: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name})) + + + + + {subject_uri} + + + Цей шаблон додає рядок, який зберігається у компоненті +uniformResourceIdentifier SAN. + + + Приклад: (uri={subject_uri}) + + + + + {subject_ip_address} + + + Цей шаблон додає рядок, який зберігається у компоненті iPAddress SAN. + + + Приклад: (ip={subject_ip_address}) + + + + + {subject_x400_address} + + + Цей шаблон додає значення, яке зберігається у компоненті x400Address SAN як +послідовність екранованих шістнадцяткових чисел. 
+ + + Приклад: (attr:binary={subject_x400_address}) + + + + + {subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]} + + + Цей шаблон додасть рядок DN значення, яке зберігається у компоненті +directoryName SAN. + + + Приклад: (orig_dn={subject_directory_name}) + + + + + {subject_ediparty_name} + + + Цей шаблон додає значення, яке зберігається у компоненті ediPartyName SAN як +послідовність екранованих шістнадцяткових чисел. + + + Приклад: (attr:binary={subject_ediparty_name}) + + + + + {subject_registered_id} + + + Цей шаблон додає OID, який зберігається у компоненті registeredID SAN у +форматі точково-десяткового рядка. + + + Приклад: (oid={subject_registered_id}) + + + + + + + + СПИСОК ДОМЕНІВ + + Якщо список доменів не є порожнім, записи користувачів, прив'язані до +заданого сертифіката, шукаються не лише у локальному домені, а і у доменах +зі списку, якщо вони відомі SSSD. Домени, які не відомі SSSD, буде +проігноровано. + + + + + diff --git a/src/man/uk/sss_cache.8.xml b/src/man/uk/sss_cache.8.xml new file mode 100644 index 0000000..e66cfa3 --- /dev/null +++ b/src/man/uk/sss_cache.8.xml 
@@ -0,0 +1,228 @@ + + + +Сторінки підручника SSSD + + + + + sss_cache + 8 + + + + sss_cache + виконати спорожнення кешу + + + + +sss_cache +параметри + + + + ОПИС + + sss_cache скасовує визначення записів у кеші SSSD. Дані +записів зі скасованими визначеннями буде перезавантажено з сервера у +примусовому порядку, щойно відповідний модуль SSSD отримає до них +доступ. Параметри, які скасовують визначення окремого об'єкта приймають лише +один аргумент. + + + + + ПАРАМЕТРИ + + + + , + + + + Скасувати чинність усіх кешованих записів. + + + + + + , реєстраційні +дані + + + + Скасувати визначення вказаного користувача. + + + + + + , + + + + Скасувати визначення всіх записів. Цей параметр має вищий пріоритет за +параметр скасування визначення для будь-якого користувача, якщо такий +параметр вказано. + + + + + + , +група + + + + Скасувати визначення вказаної групи. + + + + + + , + + + + Скасувати визначення записів для всіх груп. Цей параметр має вищий пріоритет +за параметр скасування визначення для будь-якої групи, якщо такий параметр +вказано. + + + + + + , мережева +група + + + + Скасувати визначення вказаної мережевої групи. + + + + + + , + + + + Скасувати визначення всіх записів мережевих груп. Цей параметр має вищий +пріоритет за параметр скасування визначення для будь-якої мережевої групи, +якщо такий параметр вказано. + + + + + + , +служба + + + + Скасувати визначення вказаної служби. + + + + + + , + + + + Скасувати визначення всіх записів служб. Цей параметр має вищий пріоритет за +параметр скасування визначення для будь-якої служби, якщо такий параметр +вказано. + + + + + + , карта +autofs + + + + Скасувати визначення певної карти autofs. + + + + + + , + + + + Скасувати визначення всіх записів карт autofs. Цей параметр має вищий +пріоритет за параметр скасування визначення для будь-якої карти, якщо такий +параметр вказано. + + + + + + , назва +вузла + + + + Скасувати чинність відкритих ключів SSH певного вузла. 
+ + + + + + , + + + + Скасувати чинність усіх відкритих ключів SSH усіх вузлів. Цей параметр +перевизначає скасовування чинності ключів SSH певних вузлів, якщо для них +було використано таке скасовування. + + + + + + , +правило + + + + Скасувати чинність певного правила sudo. + + + + + + , + + + + Скасувати визначення усіх кешованих правил sudo. Цей параметр має вищий +пріоритет за параметр скасування визначення для будь-якого правила sudo, +якщо такий параметр вказано. + + + + + + , +домен + + + + Обмежити процедуру скасування визначення лише певним доменом. + + + + + + + + + + + diff --git a/src/man/uk/sss_debuglevel.8.xml b/src/man/uk/sss_debuglevel.8.xml new file mode 100644 index 0000000..b7b4df8 --- /dev/null +++ b/src/man/uk/sss_debuglevel.8.xml @@ -0,0 +1,39 @@ + + + +Сторінки підручника SSSD + + + + + sss_debuglevel + 8 + + + + sss_debuglevel + [ЗАСТАРІЛИЙ] змінити рівень діагностики протягом сеансу роботи з SSSD + + + + +sss_debuglevel +options НОВИЙ_РІВЕНЬ_ДІАГНОСТИКИ + + + + ОПИС + + sss_debuglevel вважається застарілим, його замінено +командою debug-level sssctl. Будь ласка, зверніться до сторінки підручника +щодо sssctl, щоб дізнатися більше про використання +sssctl. + + + + + + + diff --git a/src/man/uk/sss_groupadd.8.xml b/src/man/uk/sss_groupadd.8.xml new file mode 100644 index 0000000..c12f0ac --- /dev/null +++ b/src/man/uk/sss_groupadd.8.xml @@ -0,0 +1,59 @@ + + + +Сторінки підручника SSSD + + + + + sss_groupadd + 8 + + + + sss_groupadd + створення нової групи + + + + +sss_groupadd +параметри ГРУПА + + + + ОПИС + + sss_groupadd створює групу. Такі групи є сумісними з +групами POSIX. Додатковою можливістю цих груп є те, що учасниками можуть +бути інші групи. + + + + + ПАРАМЕТРИ + + + + , GID + + + + Встановити для параметра ідентифікатора групи (GID) значення +GID. Якщо таке значення не буде вказано, програма +вибере його автоматично. + + + + + + + + + + + + + 
diff --git a/src/man/uk/sss_groupdel.8.xml b/src/man/uk/sss_groupdel.8.xml new file mode 100644 index 0000000..44cf2ca --- /dev/null +++ b/src/man/uk/sss_groupdel.8.xml @@ -0,0 +1,46 @@ + + + +Сторінки підручника SSSD + + + + + sss_groupdel + 8 + + + + sss_groupdel + вилучення групи + + + + +sss_groupdel +параметри ГРУПА + + + + ОПИС + + sss_groupdel вилучає групу, вказану за допомогою +аргументу ГРУПА, з системи. + + + + + ПАРАМЕТРИ + + + + + + + + + + + diff --git a/src/man/uk/sss_groupmod.8.xml b/src/man/uk/sss_groupmod.8.xml new file mode 100644 index 0000000..5ce5425 --- /dev/null +++ b/src/man/uk/sss_groupmod.8.xml @@ -0,0 +1,71 @@ + + + +Сторінки підручника SSSD + + + + + sss_groupmod + 8 + + + + sss_groupmod + зміна групи + + + + +sss_groupmod +параметри ГРУПА + + + + ОПИС + + sss_groupmod змінює назву групи відповідно до змін, +внесених за допомогою командного рядка. + + + + + ПАРАМЕТРИ + + + + , +ГРУПИ + + + + Додати групу до груп, вказаних за допомогою параметра +ГРУПИ. Параметр ГРУПИ +є списком груп, відокремлених комами. + + + + + + , +ГРУПИ + + + + Вилучає групу з груп, вказаних за допомогою параметра +ГРУПИ. + + + + + + + + + + + + + diff --git a/src/man/uk/sss_groupshow.8.xml b/src/man/uk/sss_groupshow.8.xml new file mode 100644 index 0000000..e334650 --- /dev/null +++ b/src/man/uk/sss_groupshow.8.xml @@ -0,0 +1,60 @@ + + + +Сторінки підручника SSSD + + + + + sss_groupshow + 8 + + + + sss_groupshow + показ параметрів групи + + + + +sss_groupshow +параметри ГРУПА + + + + ОПИС + + sss_groupshow показує дані щодо групи, вказаної за +назвою, ГРУПА. Серед даних буде ідентифікаційний +номер групи, кількість учасників групи та назва батьківської групи. + + + + + ПАРАМЕТРИ + + + + , + + + + Вивести також список непрямих учасників групи у форматі деревоподібної +ієрархії. Зауважте, що використання параметра також вплине на виведення +батьківських груп: без буде виведено список лише +безпосередніх батьківських груп. + + + + + + + + + + + + + 
diff --git a/src/man/uk/sss_obfuscate.8.xml b/src/man/uk/sss_obfuscate.8.xml new file mode 100644 index 0000000..8686367 --- /dev/null +++ b/src/man/uk/sss_obfuscate.8.xml @@ -0,0 +1,98 @@ + + + +Сторінки підручника SSSD + + + + + sss_obfuscate + 8 + + + + sss_obfuscate + заплутування пароля у форматі звичайного тексту + + + + +sss_obfuscate +параметри [ПАРОЛЬ] + + + + ОПИС + + sss_obfuscate перетворює вказаний пароль на пароль у +форматі зручному для читання і розташовує його у розділі відповідного домену +файла налаштувань SSSD. + + + Пароль у форматі звичайного тексту буде прочитано зі стандартного джерела +вхідних даних або введено інтерактивно. Заплутану версію пароля буде +збережено у параметрі з назвою «ldap_default_authtok» вказаного домену SSSD, +параметру «ldap_default_authtok_type» буде надано значення +«obfuscated_password». Докладніший опис цих параметрів можна знайти на +сторінці підручника (man) +sssd-ldap 5 +. + + + Будь ласка, зауважте, що заплутування паролів не є справжнім +захистом, оскільки зловмисник може визначити алгоритм +заплутування за кодом програми. Наполегливо радимо вам +скористатися кращими механізмами захисту даних розпізнавання, зокрема +клієнтськими сертифікатами або GSSAPI. + + + + + ПАРАМЕТРИ + + + + + , + + + + Пароль для заплутування буде прочитано зі стандартного джерела вхідних +даних. + + + + + + , +ДОМЕН + + + + Домен SSSD, для якого буде використано пароль. Типовою назвою є +default. + + + + + + , ФАЙЛ + + + + Прочитати дані з файла налаштувань, вказаного позиційним параметром. + + + Типове значення: /etc/sssd/sssd.conf + + + + + + + + + + diff --git a/src/man/uk/sss_override.8.xml b/src/man/uk/sss_override.8.xml new file mode 100644 index 0000000..1454f18 --- /dev/null +++ b/src/man/uk/sss_override.8.xml 
@@ -0,0 +1,260 @@ + + + +Сторінки підручника SSSD + + + + + sss_override + 8 + + + + sss_override + створити локальні перевизначення атрибутів користувача і групи + + + + +sss_override КОМАНДА +параметри + + + + ОПИС + + sss_override надає змогу створювати перегляди на боці +клієнта і змінювати вибрані значення для певного користувача і груп. Ці +зміни буде застосовано лише на локальному комп'ютері. + + + Дані перевизначень зберігаються у кеші SSSD. Якщо кеш вилучено, усі локальні +перевизначення буде втрачено. Будь ласка, зауважте, що після першого +створення перевизначення за допомогою команди user-add, +group-add, user-import або +group-import SSSD слід перезапустити, щоб зміни набули +чинності. Якщо потрібен перезапуск, sss_override виведе +відповідне повідомлення. + + + + + ДОСТУПНІ КОМАНДИ + + Аргумент НАЗВА в усіх командах є назвою початкового +об'єкта. Не можна перевизначити uid або +gid на 0. + + + + + НАЗВА + НАЗВА + UID + GID + ДОМІВКА + ОБОЛОНКА + GECOS + СЕРТИФІКАТ У КОДУВАННІ +BASE64 + + + + Перевизначити атрибути запису користувача. Будь ласка, зверніть увагу, що +виклик цієї команди замінить усі попередні перевизначення для вказаного за +назвою облікового запису користувача. + + + + + + НАЗВА + + + + Вилучити перевизначення користувача. Втім, слід мати на увазі, що +перевизначені атрибути може бути повернено з кешу у пам'яті. Будь ласка, +ознайомтеся із документацією до параметра SSSD +memcache_timeout, щоб дізнатися більше. + + + + + + +ДОМЕН + + + + Вивести список усіх користувачів, для яких встановлено перевизначення. Якщо +встановлено параметр ДОМЕН, буде показано лише +користувачів з відповідного домену. + + + + + + НАЗВА + + + + Показати перевизначення користувача. + + + + + + ФАЙЛ + + + + Імпортувати перевизначення користувачів з файла +ФАЙЛ. Формат даних у файлі має бути таким самим, як у +стандартному файлі passwd. 
Приклад: + + + початкова_назва:назва:uid:gid:gecos:домівка:оболонка:сертифікат_у_кодуванні_base64 + + + де «початкова_назва» — початкова назва запису користувача, чиї атрибути має +бути перевизначено. Решта полів відповідає новим значенням. Ви можете +пропустити значення, не заповнюючи відповідного поля. + + + Приклади: + + + ckent:superman:::::: + + + ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash: + + + + + + ФАЙЛ + + + + Експортувати усі перевизначені атрибути і зберегти їх у файлі +ФАЙЛ. Див. user-import, щоб +дізнатися більше про формат даних. + + + + + + НАЗВА + НАЗВА + GID + + + + Перевизначити атрибути запису групи. Будь ласка, зверніть увагу, що виклик +цієї команди замінить усі попередні перевизначення для вказаної за назвою +групи. + + + + + + НАЗВА + + + + Вилучити перевизначення групи. Втім, слід мати на увазі, що перевизначені +атрибути може бути повернено з кешу у пам'яті. Будь ласка, ознайомтеся із +документацією до параметра SSSD memcache_timeout, щоб +дізнатися більше. + + + + + + +ДОМЕН + + + + Вивести список усіх груп, для яких встановлено перевизначення. Якщо +встановлено параметр ДОМЕН, буде показано лише групи з +відповідного домену. + + + + + + НАЗВА + + + + Показати перевизначення групи. + + + + + + ФАЙЛ + + + + Імпортувати перевизначення груп з файла ФАЙЛ. Формат +даних у файлі має бути таким самим, як у стандартному файлі group. Приклад: + + + початкова_назва:назва:gid + + + де «початкова_назва» — початкова назва групи, чиї атрибути має бути +перевизначено. Решта полів відповідає новим значенням. Ви можете пропустити +значення, не заповнюючи відповідного поля. + + + Приклади: + + + admins:administrators: + + + Domain Users:Users:501 + + + + + + ФАЙЛ + + + + Експортувати усі перевизначені атрибути і зберегти їх у файлі +ФАЙЛ. Див. group-import, щоб +дізнатися більше про формат даних. + + + + + + + + ЗАГАЛЬНІ ПАРАМЕТРИ + + Ці параметри можна використовувати з усіма командами. + + + + + РІВЕНЬ + + + + + + + + + + 
diff --git a/src/man/uk/sss_rpcidmapd.5.xml b/src/man/uk/sss_rpcidmapd.5.xml new file mode 100644 index 0000000..9ca9b7b --- /dev/null +++ b/src/man/uk/sss_rpcidmapd.5.xml @@ -0,0 +1,110 @@ + + + +Сторінки підручника SSSD + + +sss rpc.idmapd plugin +Noam Meltzer +Primary Data Inc. Розробник +(2013-2014) Noam +Meltzer Розробник (2014-) +tsnoam@gmail.com + + + sss_rpcidmapd + 5 + Формати файлів та правила + + + + sss_rpcidmapd + Директиви налаштовування додатка sss для rpc.idmapd + + + + ФАЙЛ НАЛАШТУВАНЬ + + Файл налаштувань rpc.idmapd зазвичай зберігається тут: +/etc/idmapd.conf. Див. підручник з +idmapd.conf 5 +, щоб дізнатися більше. + + + + + РОЗШИРЕННЯ НАЛАШТОВУВАННЯ SSS + + Вмикання додатка SSS + + У розділі «[Translation]» змініть або додайте атрибут «Method» із вмістом +sss. + + + + Розділ налаштовування [sss] + + Якщо вам потрібно змінити типове значення одного з атрибутів налаштувань, +перелічених нижче, додатка sss, вам слід створити +розділ налаштувань для нього з назвою «[sss]». + + + Атрибути налаштувань + + memcache (булеве значення) + + + Визначає, чи слід використовувати методику оптимізації кешу у пам’яті. + + + Типове значення: True + + + + + + + + + ІНТЕГРАЦІЯ З SSSD + + Додаток sss потребує вмикання Відповідача NSS у sssd. + + + Атрибут «use_fully_qualified_names» має бути увімкнено для усіх доменів +(клієнти NFSv4 очікують на те, що надсилається назва повністю). + + + + + ПРИКЛАД + + У наведеному нижче прикладі показано мінімальний вигляд idmapd.conf, де +використовується додаток sss. +[General] +Verbosity = 2 +# домен має бути синхронізовано між сервером NFSv4 та клієнтами +# У Solaris/Illumos/AIX типово використовується "локальний домен"! +Domain = default + +[Mapping] +Nobody-User = nfsnobody +Nobody-Group = nfsnobody + +[Translation] +Method = sss + + + + + + ТАКОЖ ПЕРЕГЛЯНЬТЕ + + sssd8 +, idmapd.conf +5 + + + + diff --git a/src/man/uk/sss_seed.8.xml b/src/man/uk/sss_seed.8.xml new file mode 100644 index 0000000..d45a440 --- /dev/null 
+++ b/src/man/uk/sss_seed.8.xml 
@@ -0,0 +1,168 @@ + + + +Сторінки підручника SSSD + + + + + sss_seed + 8 + + + + sss_seed + надсилає дані кешу SSSD щодо користувача + + + + +sss_seed +параметри -D +ДОМЕН -n +КОРИСТУВАЧ + + + + ОПИС + + sss_seed розповсюджує кеш SSSD з записом користувача і +тимчасовим паролем. Якщо запис користувача вже є у кеші SSSD, запис буде +оновлено зі встановленням тимчасового пароля. + + + + + + + ПАРАМЕТРИ + + + + , +ДОМЕН + + + + Визначає назву домену, учасником якого є користувач. Домен використовується +для отримання даних щодо користувачів. Домен має бути налаштовано у +sssd.conf. Має бути надано аргумент ДОМЕН. Дані, +отримані з домену, матимуть вищий пріоритет за дані, вказані за допомогою +параметрів. + + + + + + , +КОРИСТУВАЧ + + + + Ім’я користувача, запис якого слід створити або змінити у кеші. Має бути +вказано аргумент КОРИСТУВАЧ. + + + + + + , ідентифікатор +користувача + + + + Встановити UID користувача у значення UID. + + + + + + , GID + + + + Встановити GID користувача у значення GID. + + + + + + , +КОМЕНТАР + + + + Будь-який рядок тексту, що описує користувача. Часто використовується для +зберігання паспортного імені користувача. + + + + + + , +ДОМАШНІЙ_КАТАЛОГ + + + + Встановити домашній каталог користувача у значення +ДОМАШНІЙ_КАТАЛОГ. + + + + + + , +ОБОЛОНКА + + + + Встановити оболонку реєстрації користувача у значення +ОБОЛОНКА. + + + + + + , + + + + Інтерактивний режим для введення даних користувача. У разі використання +цього параметра програма надсилатиме запит лише щодо даних, які не було +отримано з параметрів команди або домену. + + + + + + , +ФАЙЛ_ПАРОЛІВ + + + + Вказати файл, звідки слід читати дані щодо паролів користувачів. Якщо пароль +не буде знайдено, програма надішле запит на його введення. + + + + + + + + + ЗАУВАЖЕННЯ + + Довжина пароля (або розмір файла, визначеного за допомогою параметра -p або +--password-file) має бути меншою або рівною PASS_MAX байтів (64 байти у +системах без визначеного на загальному рівні значення PASS_MAX). 
+ + + + + + + + + + diff --git a/src/man/uk/sss_ssh_knownhostsproxy.1.xml b/src/man/uk/sss_ssh_knownhostsproxy.1.xml new file mode 100644 index 0000000..0c13d8d --- /dev/null +++ b/src/man/uk/sss_ssh_knownhostsproxy.1.xml @@ -0,0 +1,107 @@ + + + +Сторінки підручника SSSD + + + + + sss_ssh_knownhostsproxy + 1 + + + + sss_ssh_knownhostsproxy + отримати ключі вузла OpenSSH + + + + +sss_ssh_knownhostsproxy +параметри ВУЗОЛ КОМАНДА_ПРОКСІ + + + + ОПИС + + sss_ssh_knownhostsproxy отримує відкриті ключі вузла SSH +для вузла ВУЗОЛ, зберігає їх до нетипового файла +OpenSSH known_hosts (щоб дізнатися більше, ознайомтеся з розділом +ФОРМАТ ФАЙЛІВ SSH_KNOWN_HOSTS сторінки підручника (man) +sshd +8) за адресою +/var/lib/sss/pubconf/known_hosts і встановлює з’єднання +з вузлом. + + + Якщо вказано параметр КОМАНДА_ПРОКСІ, замість +відкриття сокета для створення з’єднання буде використано відповідну +команду. + + + ssh +1 можна налаштувати на використання +sss_ssh_knownhostsproxy для розпізнавання вузлів за +ключами за допомогою таких інструкцій у налаштуваннях +ssh +1: +ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h +GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts + + + + + + ПАРАМЕТРИ + + + + , ПОРТ + + + + ВикористовуваÑ‚и для встановлення з’єднання з вузлом порт +ПОРТ. Типовим портом є порт 22. + + + + + + , +ДОМЕН + + + + Шукати відкриті ключі вузлів у домені SSSD ДОМЕН. + + + + + + , + + + + Print the host ssh public keys for host HOST. + + + + + + + + + СТАН ВИХОДУ + + У випадку успіху значення стану виходу дорівнює 0. У всіх інших випадках +програма повертає 1. + + + + + + + diff --git a/src/man/uk/sss_useradd.8.xml b/src/man/uk/sss_useradd.8.xml new file mode 100644 index 0000000..5e2b88d --- /dev/null +++ b/src/man/uk/sss_useradd.8.xml 
@@ -0,0 +1,169 @@ + + + +Сторінки підручника SSSD + + + + + sss_useradd + 8 + + + + sss_useradd + створення нового запису користувача + + + + +sss_useradd +параметри НАЗВА_ОБЛІКОВОГО_ЗАПИСУ + + + + ОПИС + + sss_useradd створює обліковий запис користувача на основі +значень, вказаних у командному рядку та типових значень системи. + + + + + ПАРАМЕТРИ + + + + , ідентифікатор +користувача + + + + Встановити для параметра ідентифікатора користувача (UID) значення +UID. Якщо таке значення не буде вказано, програма +вибере його автоматично. + + + + + + , +КОМЕНТАР + + + + Будь-який рядок тексту, що описує користувача. Часто використовується для +зберігання паспортного імені користувача. + + + + + + , +ДОМАШНІЙ_КАТАЛОГ + + + + Домашній каталог облікового запису користувача. Типовою назвою такого +каталогу є назва, що утворюється додаванням +ІМЕНІ_КОРИСТУВАЧА до запису +/home. Рядок, який буде додано перед +ІМЕНЕМ_КОРИСТУВАЧА, можна визначити за допомогою +параметра «user_defaults/baseDirectory» у sssd.conf. + + + + + + , +ОБОЛОНКА + + + + Командна оболонка реєстрації користувача. У поточній версії типовою +оболонкою є /bin/bash. Типову оболонку можна змінити за +допомогою параметра «user_defaults/defaultShell» у sssd.conf. + + + + + + , +ГРУПИ + + + + Список груп, учасником яких є користувач. + + + + + + , + + + + Створити домашній каталог користувача, якщо такого ще не існує. До такого +домашнього каталогу буде скопійовано файли і каталоги з каркасного каталогу +(який можна визначити за допомогою параметра -k або запису у файлі +налаштувань). + + + + + + , + + + + Не створювати домашнього каталогу користувача. Має пріоритет над іншими +параметрами налаштування. + + + + + + , +КАТАЛОГ_SKEL + + + + Каркасний каталог, який містить файли і каталоги, які буде скопійовано до +домашнього каталогу користувача, коли такий домашній каталог створюється +командою sss_useradd. 
+ + + Спеціальні файли (блокові пристрої, символьні пристрої, іменовані канали та +сокети UNIX) скопійовано не буде. + + + Цей параметр набуде чинності, лише якщо вказано параметр +(або ) або для створення домашніх каталогів +вказано TRUE у налаштуваннях. + + + + + + , +КОРИСТУВАЧ_SELINUX + + + + Користувач SELinux, що відповідає користувачеві, який увійшов до +системи. Якщо не вказано, буде використано типового користувача системи. + + + + + + + + + + + + + diff --git a/src/man/uk/sss_userdel.8.xml b/src/man/uk/sss_userdel.8.xml new file mode 100644 index 0000000..10f7612 --- /dev/null +++ b/src/man/uk/sss_userdel.8.xml @@ -0,0 +1,93 @@ + + + +Сторінки підручника SSSD + + + + + sss_userdel + 8 + + + + sss_userdel + вилучення облікового запису користувача + + + + +sss_userdel +параметри НАЗВА_ОБЛІКОВОГО_ЗАПИСУ + + + + ОПИС + + sss_userdel вилучає обліковий запис користувача +ІМ’Я_КОРИСТУВАЧА з системи. + + + + + ПАРАМЕТРИ + + + + + , + + + + Файли у домашньому каталозі користувача буде вилучено разом з самим домашнім +каталогом та поштовим буфером користувача. Може бути перевизначено у +налаштуваннях. + + + + + + , + + + + Файли у домашньому каталозі користувача НЕ буде вилучено разом з самим +домашнім каталогом та поштовим буфером користувача. Може бути перевизначено +у налаштуваннях. + + + + + + , + + + + За допомогою цього параметра можна примусити sss_userdel +вилучати домашній каталог користувача та буфер пошти, навіть якщо їхнім +власником не є вказаний користувач. + + + + + + , + + + + До вилучення запису користувача завершити роботу всіх процесів, власником +яких є цей користувач. + + + + + + + + + + + + diff --git a/src/man/uk/sss_usermod.8.xml b/src/man/uk/sss_usermod.8.xml new file mode 100644 index 0000000..832639b --- /dev/null +++ b/src/man/uk/sss_usermod.8.xml 
@@ -0,0 +1,170 @@ + + + +Сторінки підручника SSSD + + + + + sss_usermod + 8 + + + + sss_usermod + зміна облікового запису користувача + + + + +sss_usermod +параметри ІМ’Я_КОРИСТУВАЧА + + + + ОПИС + + sss_usermod змінює параметри облікового запису +ІМ’Я_КОРИСТУВАЧА відповідно до значень, вказаних +у командному рядку. + + + + + ПАРАМЕТРИ + + + + , +КОМЕНТАР + + + + Будь-який рядок тексту, що описує користувача. Часто використовується для +зберігання паспортного імені користувача. + + + + + + , +ДОМАШНІЙ_КАТАЛОГ + + + + Домашній каталог облікового запису користувача. + + + + + + , +ОБОЛОНКА + + + + Оболонка для входу користувача до системи. + + + + + + , +ГРУПИ + + + + Додати запис користувача до груп, вказаних за допомогою параметра +ГРУПИ. Параметр ГРУПИ +є списком груп, відокремлених комами. + + + + + + , +ГРУПИ + + + + Вилучає запис користувача з груп, вказаних за допомогою параметра +ГРУПИ. + + + + + + , + + + + Заблокувати обліковий запис користувача. Заблокований користувач не зможе +входити до системи. + + + + + + , + + + + Розблокувати обліковий запис користувача. + + + + + + , +КОРИСТУВАЧ_SELINUX + + + + Ім’я користувача SELinux, що відповідає імені для входу до системи. + + + + + + ПАРА_АТРИБУТ-ЗНАЧЕННЯ + + + + Додати пару атрибут-значення. Форматування: атрибут=значення. + + + + + + ПАРА_АТРИБУТ-ЗНАЧЕННЯ + + + + Встановити для вказаного за назвою атрибута значення. Форматування: +атрибут=значення. Для атрибутів з декількома значеннями команда призведе до +заміни поточних значень. + + + + + + ПАРА_АТРИБУТ-ЗНАЧЕННЯ + + + + Вилучити пару атрибут-значення. Форматування: атрибут=значення. + + + + + + + + + + + + + diff --git a/src/man/uk/sssctl.8.xml b/src/man/uk/sssctl.8.xml new file mode 100644 index 0000000..745197b --- /dev/null +++ b/src/man/uk/sssctl.8.xml 
@@ -0,0 +1,65 @@ + + + +Сторінки підручника SSSD + + + + + sssctl + 8 + + + + sssctl + Засіб керування і визначення стану SSSD + + + + +sssctl КОМАНДА +параметри + + + + ОПИС + + sssctl є простим і уніфікованим засобом отримання даних +щодо стану SSSD, зокрема активного сервера, серверів автоматичного +визначення, доменів і кешованих об'єктів. Крім того, програма здатна +керувати файлами даних SSSD для усування вад у такий спосіб, щоб з ними +можна було безпечно працювати, доки працює SSSD. + + + + + ДОСТУПНІ КОМАНДИ + + Щоб ознайомитися зі списком усіх доступних команд, віддайте команду +sssctl без параметрів. Щоб програма вивела довідкове +повідомлення щодо певної команди, віддайте команду sssctl КОМАНДА +--help. + + + + + ЗАГАЛЬНІ ПАРАМЕТРИ + + Ці параметри можна використовувати з усіма командами. + + + + + РІВЕНЬ + + + + + + + + + + diff --git a/src/man/uk/sssd-ad.5.xml b/src/man/uk/sssd-ad.5.xml new file mode 100644 index 0000000..913d2b5 --- /dev/null +++ b/src/man/uk/sssd-ad.5.xml 
@@ -0,0 +1,1017 @@ + + + +Сторінки підручника SSSD + + + + + sssd-ad + 5 + Формати файлів та правила + + + + sssd-ad + Модуль надання даних Active Directory SSSD + + + + ОПИС + + На цій сторінці довідника описано налаштування засобу керування доступом AD +для sssd +8 . Щоб дізнатися більше про синтаксис +налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника + sssd.conf +5 . + + + Засіб надання даних AD є модулем, який використовується для встановлення +з'єднання із сервером Active Directory. Для роботи цього засобу надання +даних потрібно, щоб комп'ютер було долучено до домену AD і щоб було +доступним сховище ключів. Обмін даними із модулем відбувається за допомогою +каналу із шифруванням GSSAPI. Із засобом надання даних AD не слід +використовувати параметри SSL/TLS, оскільки їх перекриває використання +Kerberos. + + + У засобі надання даних AD передбачено підтримку встановлення з’єднання з +Active Directory 2008 R2 або пізнішою версією. Робота з попередніми версіями +можлива, але не підтримується. + + + Засобом надання даних AD можна скористатися для отримання даних щодо +користувачів і розпізнавання користувачів за допомогою довірених доменів. У +поточній версії передбачено підтримку використання лише довірених доменів з +того самого лісу. Крім того автоматично визначаються сервери із довірених +доменів. + + + Засіб надання даних AD уможливлює для SSSD використання засобу надання даних +профілів sssd-ldap +5 та засобу надання даних +розпізнавання sssd-krb5 +5 з оптимізацією для середовищ Active +Directory. Засіб надання даних AD приймає ті самі параметри, які +використовуються засобами надання даних sssd-ldap та sssd-krb5, із деякими +виключеннями. Втім, встановлювати ці параметри не обов'язково і не +рекомендовано. + + + Засіб надання даних AD в основному копіює типові параметри традиційних +засобів надання даних ldap і krb5 із деякими виключенням. Відмінності +наведено у розділі ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ. 
+ + + Інструментом надання даних AD також можна скористатися для доступу, зміни +паролів запуску від імені користувача (sudo) та використання autofs. У +налаштовуванні керування доступом на боці клієнта немає потреби. + + + Якщо у sssdconf вказано auth_provider=ad або +access_provider=ad, для id_provider також має бути вказано +ad. + + + By default, the AD provider will map UID and GID values from the objectSID +parameter in Active Directory. For details on this, see the ID +MAPPING section below. If you want to disable ID mapping and instead +rely on POSIX attributes defined in Active Directory, you should set + +ldap_id_mapping = False + If POSIX attributes should be +used, it is recommended for performance reasons that the attributes are also +replicated to the Global Catalog. If POSIX attributes are replicated, SSSD +will attempt to locate the domain of a requested numerical ID with the help +of the Global Catalog and only search that domain. In contrast, if POSIX +attributes are not replicated to the Global Catalog, SSSD must search all +the domains in the forest sequentially. Please note that the +cache_first option might be also helpful in speeding up +domainless searches. Note that if only a subset of POSIX attributes is +present in the Global Catalog, the non-replicated attributes are currently +not read from the LDAP port. + + + Дані щодо користувачів, груп та інших записів, які обслуговуються SSSD, у +модулі надання даних AD завжди обробляються із врахуванням регістру символів +для забезпечення сумісності з реалізацією Active Directory у LDAP. + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) + sssd.conf +5 , щоб дізнатися більше про +налаштування домену SSSD. + + ad_domain (рядок) + + + Визначає назву домену Active Directory. Є необов’язковим. Якщо не вказано, +буде використано назву домену з налаштувань. 
+ + + Для забезпечення належної роботи цей параметр слід вказати у форматі запису +малими літерами повної версії назви домену Active Directory. + + + Скорочена назва домену (також відома як назва NetBIOS або проста назва) +автоматично визначається засобами SSSD. + + + + + + ad_enabled_domains (рядок) + + + Список дозволених доменів Active Directory, відокремлених комами. Якщо +вказано, SSSD ігноруватиме будь-які домени, яких немає у списку цього +параметра. Якщо значення параметра не встановлено, доступними будуть усі +домени з лісу AD. + + + Для належного функціонування значення цього параметра має бути вказано +малими літерами у форматі повної назви домену Active Directory. Приклад: + +ad_enabled_domains = sales.example.com, eng.example.com + + + + Скорочена назва домену (також відома як назва NetBIOS або проста назва) +автоматично визначається засобами SSSD. + + + Типове значення: не встановлено + + + + + + ad_server, ad_backup_server (рядок) + + + Список назв тих вузлів серверів AD, відокремлених комами, з якими SSSD має +встановлювати з'єднання у порядку пріоритетності. Щоб дізнатися більше про +резервне використання серверів, ознайомтеся із розділом +РЕЗЕРВ. + + + Цей список є необов’язковим, якщо увімкнено автоматичне виявлення +служб. Докладніші відомості щодо автоматичного виявлення служб наведено у +розділі «ПОШУК СЛУЖБ». + + + Зауваження: довірені домени завжди автоматично визначають сервери, навіть +якщо основний сервер явним чином визначено у параметрі ad_server. + + + + + + ad_hostname (рядок) + + + Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не +відповідає повній назві, що використовується доменом Active Directory для +розпізнавання цього вузла. + + + Це поле використовується для визначення основної назви вузла, яка +використовуватиметься у таблиці ключів. Ця назва має відповідати назві +вузла, для якого випущено таблицю ключів. 
+ + + + + + ad_enable_dns_sites (булеве значення) + + + Вмикає сайти DNS — визначення служб на основі адрес. + + + Якщо вказано значення true і увімкнено визначення служб (див. розділ щодо +пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку +спробує визначити сервер Active Directory для встановлення з’єднання на +основі використання визначення сайтів Active Directory і повертається до +визначення за записами SRV DNS, якщо сайт AD не буде знайдено. Налаштування +SRV DNS, зокрема домен пошуку, використовуються також під час визначення +сайтів. + + + Типове значення: true + + + + + + ad_access_filter (рядок) + + + Цей параметр визначає фільтр керування доступом LDAP, якому має відповідати +запис користувача для того, щоб йому було надано доступ. Будь ласка, +зауважте, що слід явним чином встановити для параметра «access_provider» +значення «ad», щоб цей параметр почав діяти. + + + У параметрі також передбачено підтримку визначення різних фільтрів для +окремих доменів або дерев. Цей розширений фільтр повинен мати такий формат: +«КЛЮЧОВЕ СЛОВО:НАЗВА:ФІЛЬТР». Набір підтримуваних ключових слів: «DOM», +«FOREST» або ключове слово слід пропустити. + + + Якщо вказано ключове слово «DOM» або ключового слова не вказано, «НАЗВА» +визначає домен або піддомен, до якого застосовується фільтрування. Якщо +ключовим словом є «FOREST», фільтр застосовується до усіх доменів з лісу, +вказаного значенням «НАЗВА». + + + Декілька фільтрів можна відокремити символом «?», подібно до способу +визначення фільтрів у базах для пошуку. + + + Визначення участі у вкладених групах має відбуватися із використанням +спеціалізованого OID :1.2.840.113556.1.4.1941:, окрім повних +синтаксичних конструкцій DOM:domain.example.org:, щоб засіб обробки не +намагався інтерпретувати символи двокрапки, пов'язані з OID. Якщо ви не +використовуєте цей OID, вкладена участь у групах не +визначатиметься. 
Ознайомтеся із прикладом використання, який наведено нижче, +і цим посиланням, щоб дізнатися більше про OID: [MS-ADTS] +Правила встановлення відповідності у LDAP + + + Завжди використовується відповідник з найвищим рівнем +відповідності. Наприклад, якщо визначено фільтрування для домену, учасником +якого є користувач, і загальне фільтрування, буде використано фільтрування +для окремого домену. Якщо буде виявлено декілька відповідників з однаковою +специфікацією, використовуватиметься лише перший з них. + + + Приклади: + + +# застосувати фільтрування лише для домену з назвою dom1: +dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com) + +# застосувати фільтрування лише для домену з назвою dom2: +DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) + +# застосувати фільтрування лише для лісу з назвою EXAMPLE.COM: +FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + +# застосувати фільтрування до учасника вкладеної групи у dom1: +DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com) + + + Типове значення: не встановлено + + + + + + ad_site (рядок) + + + Визначає сайт AD, з яким має встановлювати з’єднання клієнт. Якщо не буде +вказано, виконуватиметься спроба автоматичного визначення сайта AD. + + + Типове значення: не встановлено + + + + + + ad_enable_gc (булеве значення) + + + Типово, SSSD для отримання даних користувачів з надійних (довірених) доменів +спочатку встановлює з’єднання із загальним каталогом (Global Catalog). Якщо +ж отримати дані не вдасться, система використовує порт LDAP для отримання +даних щодо участі у групах. Вимикання цього параметра призведе до того, що +SSSD встановлюватиме зв’язок лише з портом LDAP поточного сервера AD. + + + Будь ласка, зауважте, що вимикання підтримки загального каталогу (Global +Catalog) не призведе до вимикання спроб отримати дані користувачів з +надійних (довірених) доменів. Просто SSSD намагатиметься отримати ці ж дані +за допомогою порту LDAP надійних доменів. 
Втім, загальним каталогом (Global +Catalog) доведеться скористатися для визначення зв’язків даних щодо участі у +групах для різних доменів. + + + Типове значення: true + + + + + + ad_gpo_access_control (рядок) + + + Цей параметр визначає режим роботи для функціональних можливостей керування +доступом на основі GPO: працюватиме система у вимкненому режимі, режимі +примушення чи дозвільному режимі. Будь ласка, зауважте, що для того, щоб цей +параметр запрацював, слід явним чином встановити для параметра +«access_provider» значення «ad». + + + Функціональні можливості з керування доступом на основі GPO використовують +параметри правил GPO для визначення того, може чи не може той чи інший +користувач увійти до системи певного вузла мережі. + + + Зауваження: у поточній версії SSSD не передбачено підтримки записів вузлів +(комп'ютерів) до списку «Фільтрування захисту» («Security Filtering») +GPO. Передбачено підтримку лише записів користувачів і груп. Записи вузлів у +списку ні на що не впливатимуть. + + + ЗАУВАЖЕННЯ: якщо встановлено режим роботи «примусовий» (enforcing), можлива +ситуація, коли користувачі, які раніше мали доступ до входу, позбудуться +такого доступу (через використання параметрів правил GPO). З метою полегшити +перехід на нову систему для адміністраторів передбачено дозвільний режим +доступу (permissive), за якого правила керування доступом не +встановлюватимуться у примусовому порядку. Програма лише перевірятиме +відповідність цим правилам і виводитиме до системного журналу повідомлення, +якщо доступ було надано усупереч цим правилам. Вивчення журналу надасть +змогу адміністраторам внести відповідні зміни до встановлення примусового +режиму (enforcing). + + + У цього параметра є три підтримуваних значення: + + + + disabled: правила керування доступом, засновані на GPO, не обробляються і не +використовуються примусово. + + + + + enforcing: правила керування доступом, засновані на GPO, обробляються і +використовуються примусово. 
+ + + + + permissive: виконати перевірку відповідності правилам керування доступом на +основі GPO, але не наполягати на їхньому виконанні. Якщо правила не +виконуються, вивести до системного журналу повідомлення про те, що +користувачеві було б заборонено доступ, якби використовувався режим +enforcing. + + + + + + Типове значення: permissive + + + Типове значення: enforcing + + + + + + ad_gpo_cache_timeout (ціле число) + + + Проміжок часу між послідовними пошуками файлів правил GPO щодо сервера +AD. Зміна може зменшити час затримки та навантаження на сервер AD, якщо +протягом короткого періоду часу надходить багато запитів щодо керування +доступом. + + + Типове значення: 5 (секунд) + + + + + + ad_gpo_map_interactive (рядок) + + + Список назв служб PAM, відокремлених комами, для яких керування доступом на +основі GPO виконуватиметься на основі параметрів правил +InteractiveLogonRight і DenyInteractiveLogonRight. + + + Зауваження: у редакторі керування правилами для груп це значення має назву +«Дозволити локальний вхід» («Allow log on locally») та «Заборонити локальний +вхід» («Deny log on locally»). + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби» або явним чином вилучити назву служби PAM з +типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб +замінити типову назву служби PAM для цього входу (наприклад, «login») з +нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід +скористатися такими налаштуваннями: +ad_gpo_map_interactive = +my_pam_service, -login + + + + Типове значення: типовий набір назв служб PAM складається з таких значень: + + + + login + + + + + su + + + + + su-l + + + + + gdm-fingerprint + + + + + gdm-password + + + + + gdm-smartcard + + + + + kdm + + + + + lightdm + + + + + lxdm + + + + + sddm + + + + + unity + + + + + xdm + + + + + + + + + ad_gpo_map_remote_interactive (рядок) + + + Список назв служб PAM, відокремлених комами, для яких керування доступом на +основі GPO засновано на параметрах захисту RemoteInteractiveLogonRight і +DenyRemoteInteractiveLogonRight. + + + Зауваження: у редакторі керування правилами щодо груп це значення +називається «Дозволити вхід за допомогою служб віддаленої стільниці» («Allow +log on through Remote Desktop Services») та «Заборонити вхід за допомогою +служб віддаленої стільниці» («Deny log on through Remote Desktop Services»). + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби» або явним чином вилучити назву служби PAM з +типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб +замінити типову назву служби PAM для цього входу (наприклад, «sshd») з +нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід +скористатися такими налаштуваннями: +ad_gpo_map_remote_interactive = +my_pam_service, -sshd + + + + Типове значення: типовий набір назв служб PAM складається з таких значень: + + + + sshd + + + + + cockpit + + + + + + + + + ad_gpo_map_network (рядок) + + + Список назв служб PAM, відокремлених комами, для яких керування доступом на +основі GPO засновано на параметрах захисту NetworkLogonRight і +DenyNetworkLogonRight. 
+ + + Зауваження: у редакторі керування правилами щодо груп це значення +називається «Відкрити доступ до цього комп’ютера із мережі» («Access this +computer from the network») і «Заборонити доступ до цього комп’ютера із +мережі» (Deny access to this computer from the network»). + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби» або явним чином вилучити назву служби PAM з +типового набору за допомогою конструкції «-назва_служби». Наприклад, щоб +замінити типову назву служби PAM для цього входу (наприклад, «ftp») з +нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід +скористатися такими налаштуваннями: +ad_gpo_map_network = +my_pam_service, -ftp + + + + Типове значення: типовий набір назв служб PAM складається з таких значень: + + + + ftp + + + + + samba + + + + + + + + + ad_gpo_map_batch (рядок) + + + Список назв служб PAM, відокремлених комами, для яких керування доступом на +основі GPO засновано на параметрах захисту BatchLogonRight і +DenyBatchLogonRight. + + + Зауваження: у редакторі керування правилами щодо груп це значення +називається «Дозволити вхід як пакетне завдання» («Allow log on as a batch +job») і «Заборонити вхід як пакетне завдання» («Deny log on as a batch +job»). + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби» або явним чином вилучити назву служби PAM з +типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб +замінити типову назву служби PAM для цього входу (наприклад, «crond») з +нетиповою назвою служби pam (наприклад, «my_pam_service»), вам слід +скористатися такими налаштуваннями: +ad_gpo_map_batch = +my_pam_service, -crond + + + + Типове значення: типовий набір назв служб PAM складається з таких значень: + + + + crond + + + + + + + + + ad_gpo_map_service (рядок) + + + Список назв служб PAM, відокремлених комами, для яких керування доступом на +основі GPO засновано на параметрах захисту ServiceLogonRight і +DenyServiceLogonRight. + + + Зауваження: у редакторі керування правилами щодо груп це значення +називається «Дозволити вхід як службу» («Allow log on as a service») і +«Заборонити вхід як службу» («Deny log on as a service»). + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби». Оскільки типовий набір є порожнім, назви служби +з типового набору назв служб PAM вилучити неможливо. Наприклад, щоб додати +нетипову назву служби PAM (наприклад, «my_pam_service»), вам слід +скористатися такими налаштуваннями: +ad_gpo_map_service = +my_pam_service + + + + Типове значення: not set + + + + + + ad_gpo_map_permit (рядок) + + + Список назв служб PAM, відокремлених комами, яким завжди надається доступ на +основі GPO, незалежно від будь-яких прав входу GPO. + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби» або явним чином вилучити назву служби PAM з +типового набору за допомогою конструкції «-назва_служби». 
Наприклад, щоб +замінити типову назву служби PAM для безумовного дозволеного доступу +(наприклад, «sudo») з нетиповою назвою служби pam (наприклад, +«my_pam_service»), вам слід скористатися такими налаштуваннями: +ad_gpo_map_permit = +my_pam_service, -sudo + + + + Типове значення: типовий набір назв служб PAM складається з таких значень: + + + + polkit-1 + + + + + sudo + + + + + sudo-i + + + + + systemd-user + + + + + + + + + ad_gpo_map_deny (рядок) + + + Список назв служб PAM, відокремлених комами, яким завжди заборонено доступ +на основі GPO, незалежно від будь-яких прав входу GPO. + + + Можна додати іншу назву служби PAM до типового набору за допомогою +конструкції «+назва_служби». Оскільки типовий набір є порожнім, назви служби +з типового набору назв служб PAM вилучити неможливо. Наприклад, щоб додати +нетипову назву служби PAM (наприклад, «my_pam_service»), вам слід +скористатися такими налаштуваннями: +ad_gpo_map_deny = +my_pam_service + + + + Типове значення: not set + + + + + + ad_gpo_default_right (рядок) + + + За допомогою цього параметра визначається спосіб керування доступом для назв +служб PAM, які не вказано явним чином у одному з параметрів +ad_gpo_map_*. Цей параметр може бути встановлено у два різних +способи. По-перше, цей параметр можна встановити так, що +використовуватиметься типовий вхід. Наприклад, якщо для цього параметра +встановлено значення «interactive», непов’язані назви служб PAM +оброблятимуться на основі параметрів правил InteractiveLogonRight і +DenyInteractiveLogonRight. Крім того, для цього параметра можна встановити +таке значення, щоб система завжди дозволяла або забороняла доступ для +непов’язаних назв служб PAM. 
+ + + Передбачені значення для цього параметра: + + + + interactive + + + + + remote_interactive + + + + + network + + + + + batch + + + + + service + + + + + permit + + + + + deny + + + + + + Типове значення: deny + + + + + + ad_maximum_machine_account_password_age (ціле число) + + + SSSD перевірятиме раз на день, чи має пароль до облікового запису комп'ютера +вік, який перевищує заданий вік у днях, і намагатиметься оновити +його. Значення 0 вимкне спроби оновлення. + + + Типове значення: 30 днів + + + + + + ad_machine_account_password_renewal_opts (рядок) + + + Цей параметр має використовуватися лише для перевірки завдання із оновлення +облікових записів комп'ютерів. Параметру слід передати цілих числа, +відокремлених двокрапкою («:»). Перше ціле число визначає інтервал у +секундах між послідовними повторними виконаннями завдання з оновлення. Друге +— визначає початковий час очікування на перший запуск завдання. + + + Типове значення: 86400:750 (24 годин і 15 хвилин) + + + + + + dyndns_update (булеве значення) + + + Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично +оновити IP-адресу цього клієнта на сервері DNS Active Directory. Захист +оновлення буде забезпечено за допомогою GSS-TSIG. Як наслідок, +адміністраторові Active Directory достатньо буде дозволити оновлення безпеки +для зони DNS. Для оновлення буде використано IP-адресу з’єднання LDAP AD, +якщо цю адресу не було змінено за допомогою параметра «dyndns_iface». + + + ЗАУВАЖЕННЯ: на застарілих системах (зокрема RHEL 5) для надійної роботи у +цьому режимі типову область дії Kerberos має бути належним чином визначено у +/etc/krb5.conf + + + Типове значення: true + + + + + + dyndns_ttl (ціле число) + + + TTL, до якого буде застосовано клієнтський запис DNS під час його +оновлення. Якщо dyndns_update має значення false, цей параметр буде +проігноровано. Перевизначає TTL на боці сервера, якщо встановлено +адміністратором. 
+ + + Типове значення: 3600 (секунд) + + + + + + dyndns_iface (рядок) + + + Необов'язковий. Застосовний, лише якщо dyndns_update має значення +true. Виберіть інтерфейс або список інтерфейсів, чиї IP-адреси має бути +використано для динамічних оновлень DNS. Спеціальне значення +* означає, що слід використовувати IP-адреси з усіх +інтерфейсів. + + + Типове значення: використовувати IP-адреси інтерфейсу, який використовується +для з’єднання LDAP AD + + + Приклад: dyndns_iface = em1, vnet1, vnet2 + + + + + + dyndns_refresh_interval (ціле число) + + + Визначає, наскільки часто серверний модуль має виконувати періодичні +оновлення DNS на додачу до автоматичного оновлення, яке виконується під час +кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не +є обов’язкоми, його застосовують, лише якщо dyndns_update має значення +true. Зауважте, що найменшим можливим значенням є 60 секунд. Якщо буде +вказано значення, яке є меншим за 60, використовуватиметься найменше можливе +значення. + + + Типове значення: 86400 (24 години) + + + + + + dyndns_update_ptr (булеве значення) + + + Визначає, чи слід явним чином оновлювати запис PTR під час оновлення записів +DNS клієнта. Застосовується, лише якщо значенням dyndns_update буде true. + + + Типове значення: True + + + + + + dyndns_force_tcp (булеве значення) + + + Визначає, чи слід у програмі nsupdate типово використовувати TCP для обміну +даними з сервером DNS. + + + Типове значення: False (надати змогу nsupdate вибирати протокол) + + + + + + dyndns_auth (рядок) + + + Визначає, чи має використовувати допоміжний засіб nsupdate розпізнавання +GSS-TSIG для безпечних оновлень за допомогою сервера DNS, незахищені +оновлення можна надсилати встановленням для цього параметра значення «none». + + + Типове значення: GSS-TSIG + + + + + + dyndns_server (рядок) + + + Сервер DNS, який слід використовувати для виконання оновлення DNS. У +більшості конфігурацій рекомендуємо не встановлювати значення для цього +параметра. 
+ + + Встановлення значення для цього параметра потрібне для середовищ, де сервер +DNS відрізняється від сервера профілів. + + + Будь ласка, зауважте, що цей параметр буде використано лише для резервних +спроб, якщо попередні спроби із використанням автовиявлення завершаться +невдало. + + + Типове значення: немає (надати nsupdate змогу вибирати сервер) + + + + + + + + + krb5_confd_path (рядок) + + + Абсолютний шлях до каталогу, у якому SSSD має зберігати фрагменти +налаштувань Kerberos. + + + Щоб вимкнути створення фрагментів налаштувань, встановіть для параметра +значення «none». + + + Типове значення: не встановлено (підкаталог krb5.include.d каталогу pubconf +SSSD) + + + + + + + + + + + + + + + + + ПРИКЛАД + + У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, +а example.com є одним з доменів у розділі +[sssd]. У прикладі продемонстровано лише +параметри доступу, специфічні для засобу AD. + + + +[domain/EXAMPLE] +id_provider = ad +auth_provider = ad +access_provider = ad +chpass_provider = ad + +ad_server = dc1.example.com +ad_hostname = client.example.com +ad_domain = example.com + + + + + + ЗАУВАЖЕННЯ + + Інструмент керування доступом AD перевіряє, чи не завершено строк дії +облікового запису. Дає той самий результат, що і ось таке налаштовування +інструмента надання даних LDAP: +access_provider = ldap +ldap_access_order = expire +ldap_account_expire_policy = ad + + + + Втім, якщо явно не налаштовано засіб надання доступу «ad», типовим засобом +надання доступу буде «permit». Будь ласка, зауважте, що якщо вами +налаштовано засіб надання доступу, відмінний від «ad», вам доведеться +встановлювати усі параметри з’єднання (зокрема адреси LDAP та параметри +шифрування) вручну. + + + Якщо для засобу надання даних autofs встановлено значення ad, +використовується схема прив'язки атрибутів RFC2307 (nisMap, nisObject, ...), +оскільки ці атрибути включено до типової схеми Active Directory. + + + + + + + + + 
diff --git a/src/man/uk/sssd-ifp.5.xml b/src/man/uk/sssd-ifp.5.xml
new file mode 100644
index 0000000..b347984
--- /dev/null
+++ b/src/man/uk/sssd-ifp.5.xml
@@ -0,0 +1,141 @@ + + + +Сторінки підручника SSSD + + + + + sssd-ifp + 5 + Формати файлів та правила + + + + sssd-ifp + Відповідач InfoPipe SSSD + + + + ОПИС + + На цій сторінці довідника описано налаштування засобу надання відповідей +InfoPipe для sssd +8 . Щоб дізнатися більше про синтаксис +налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника + sssd.conf +5 . + + + Відповідач InfoPipe забезпечує роботу відкритого інтерфейсу D-Bus над +системним каналом повідомлень. За допомогою цього інтерфейсу користувачі +можуть надсилати загальносистемним каналом повідомлень запити щодо +інформації про віддалених користувачів і групи. + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + + Цими параметрами можна скористатися для налаштовування відповідача InfoPipe. + + + + allowed_uids (рядок) + + + Визначає список значень UID або імен користувачів, відокремлених +комами. Користувачам з цього списку буде дозволено доступ до відповідача +InfoPipe. UID за іменами користувачів визначатимуться під час запуску. + + + Типове значення: 0 (доступ до відповідача InfoPipe має лише адміністративний +користувач (root)) + + + Будь ласка, зауважте, що хоча типово використовується UID 0, значення UID +буде перевизначено на основі цього параметра. Якщо ви хочете надати +адміністративному користувачеві (root) доступ до відповідача InfoPipe, що +може бути типовим варіантом, вам слід додати до списку UID з правами доступу +запис 0. + + + + + + user_attributes (рядок) + + + Визначає список атрибутів з «білого» або «чорного» списків, відокремлених +комами. + + + Типово, відповідач InfoPipe надає дані лише щодо типового набору атрибутів +POSIX. 
Цей набір є тим самим, який повертає програма +getpwnam 3 +, його елементи: + + name + реєстраційне ім’я користувача + + + uidNumber + ідентифікатор користувача + + + gidNumber + ідентифікатор основної групи + + + gecos + дані щодо користувача, типово ім’я повністю + + + homeDirectory + домашній каталог + + + loginShell + командна оболонка користувача + + + + + Ви можете додати інший атрибут до цього набору за допомогою параметра +«+назва_атрибута» або явним чином виключити атрибут за допомогою параметра +«-назва_атрибута». Наприклад, щоб дозволити «telephoneNumber», але +заборонити «loginShell», вам слід скористатися такими налаштуваннями: + +user_attributes = +telephoneNumber, -loginShell + + + + Типове значення: не встановлено. Дозволено лише типовий набір атрибутів +POSIX. + + + + + + wildcard_limit (ціле число) + + + Визначає верхню межу для кількості записів, які отримуватимуться під час +пошуку з використанням символів-замінників, які перевизначають обмеження, +яке накладається функцією виклику. + + + Типове значення: 0 (дозволити встановлювати верхнє обмеження функції +виклику) + + + + + + + + + + + diff --git a/src/man/uk/sssd-ipa.5.xml b/src/man/uk/sssd-ipa.5.xml new file mode 100644 index 0000000..d436402 --- /dev/null +++ b/src/man/uk/sssd-ipa.5.xml 
@@ -0,0 +1,791 @@ + + + +Сторінки підручника SSSD + + + + + sssd-ipa + 5 + Формати файлів та правила + + + + sssd-ipa + Модуль надання даних IPA SSSD + + + + ОПИС + + На цій сторінці довідника описано налаштування засобу керування доступом IPA +для sssd +8 . Щоб дізнатися більше про синтаксис +налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника + sssd.conf +5 . + + + Інструмент надання даних IPA — модуль, який використовується для +встановлення з’єднання з сервером IPA. (Інформацію щодо серверів IPA можна +знайти на сайті freeipa.org.) Цей інструмент надання доступу потребує +включення комп’ютера до домену IPA. Налаштування майже повністю +автоматизовано, дані для нього отримуються безпосередньо з сервера. + + + Засіб надання даних IPA уможливлює для SSSD використання засобу надання +даних профілів sssd-ldap +5 та засобу надання даних +розпізнавання sssd-krb5 +5 з оптимізацією для середовищ +IPA. Засіб надання даних IPA приймає ті самі параметри, які використовуються +засобами надання даних sssd-ldap та sssd-krb5, із деякими +виключеннями. Втім, встановлювати ці параметри не обов'язково і не +рекомендовано. + + + Засіб надання даних IPA в основному копіює типові параметри традиційних +засобів надання даних ldap і krb5 із деякими виключенням. Відмінності +наведено у розділі ЗМІНЕНІ ТИПОВІ ПАРАМЕТРИ. + + + Як інструмент надання доступу, інструмент надання даних IPA для керування +доступом використовує правила HBAC (host-based access control або керування +доступом на основі даних щодо вузлів). Докладнішу інформацію щодо HBAC можна +отримати на сайті freeipa.org. У налаштуванні керування доступом на боці +клієнта немає потреби. + + + Якщо у sssd.conf вказано auth_provider=ipa або +access_provider=ipa, для id_provider також має бути вказано +ipa. + + + Інструмент надання даних IPA використовуватиме відповідач PAC, якщо квитки +Kerberos користувачів з довірених областей містять PAC. 
Для полегшення +налаштовування відповідач PAC запускається автоматично, якщо налаштовано +інструмент надання даних ідентифікаторів IPA. + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man) + sssd.conf +5 , щоб дізнатися більше про +налаштування домену SSSD. + + ipa_domain (рядок) + + + Визначає назву домену IPA. Є необов’язковим. Якщо не вказано, буде +використано назву домену з налаштувань. + + + + + + ipa_server, ipa_backup_server (рядок) + + + Впорядкований за пріоритетом список IP-адрес або назв вузлів, відокремлених +комами, серверів IPA, з якими має встановити з’єднання SSSD. Докладніші +відомості щодо резервних серверів викладено у розділі «РЕЗЕРВ». Цей список є +необов’язковим, якщо увімкнено автоматичне виявлення служб. Докладніші +відомості щодо автоматичного виявлення служб наведено у розділі «ПОШУК +СЛУЖБ». + + + + + + ipa_hostname (рядок) + + + Необов’язковий. Може бути встановлено на комп’ютерах, де hostname(5) не +відповідає повній назві, що використовується доменом IPA для розпізнавання +цього вузла. Назву вузла слід вказувати повністю. + + + + + + dyndns_update (булеве значення) + + + Необов’язковий. За допомогою цього параметра можна наказати SSSD автоматично +оновити на сервері DNS, вбудованому до FreeIPA, IP-адресу клієнта. Захист +оновлення буде забезпечено за допомогою GSS-TSIG. Для оновлення буде +використано IP-адресу з’єднання LDAP IPA, якщо не вказано іншу адресу за +допомогою параметра «dyndns_iface». + + + ЗАУВАЖЕННЯ: на застарілих системах (зокрема RHEL 5) для надійної роботи у +цьому режимі типову область дії Kerberos має бути належним чином визначено у +/etc/krb5.conf + + + ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, +ipa_dyndns_update, користувачам слід переходити на нову +назву, dyndns_update, у файлі налаштувань. + + + Типове значення: false + + + + + + dyndns_ttl (ціле число) + + + TTL, до якого буде застосовано клієнтський запис DNS під час його +оновлення. 
Якщо dyndns_update має значення false, цей параметр буде +проігноровано. Перевизначає TTL на боці сервера, якщо встановлено +адміністратором. + + + ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, +ipa_dyndns_ttl, користувачам слід переходити на нову +назву, dyndns_ttl, у файлі налаштувань. + + + Типове значення: 1200 (секунд) + + + + + + dyndns_iface (рядок) + + + Необов'язковий. Застосовний, лише якщо dyndns_update має значення +true. Виберіть інтерфейс або список інтерфейсів, чиї IP-адреси має бути +використано для динамічних оновлень DNS. Спеціальне значення +* означає, що слід використовувати IP-адреси з усіх +інтерфейсів. + + + ЗАУВАЖЕННЯ: хоча можна використовувати і попередню назву параметра, +ipa_dyndns_iface, користувачам слід переходити на нову +назву, dyndns_iface, у файлі налаштувань. + + + Типове значення: використовувати IP-адреси інтерфейсу, який використовується +для з’єднання LDAP IPA + + + Приклад: dyndns_iface = em1, vnet1, vnet2 + + + + + + dyndns_auth (рядок) + + + Визначає, чи має використовувати допоміжний засіб nsupdate розпізнавання +GSS-TSIG для безпечних оновлень за допомогою сервера DNS, незахищені +оновлення можна надсилати встановленням для цього параметра значення «none». + + + Типове значення: GSS-TSIG + + + + + + ipa_enable_dns_sites (булеве значення) + + + Вмикає сайти DNS — визначення служб на основі адрес. + + + Якщо вказано значення true і увімкнено визначення служб (див. розділ щодо +пошуку служб у нижній частині сторінки підручника (man)), SSSD спочатку +спробує визначення на основі адрес за допомогою запиту, що містить +"_location.hostname.example.com", а потім повертається до традиційного +визначення SRV. Якщо визначення на основі адреси буде успішним, сервери IPA, +виявлені на основі визначення за адресою, вважатимуться основним серверами, +а сервери IPA, виявлені за допомогою традиційного визначення SRV, +вважатимуться резервними серверами. 
+ + + Типове значення: false + + + + + + dyndns_refresh_interval (ціле число) + + + Визначає, наскільки часто серверний модуль має виконувати періодичні +оновлення DNS на додачу до автоматичного оновлення, яке виконується під час +кожного встановлення з’єднання серверного модуля з мережею. Цей параметр не +є обов’язкоми, його застосовують, лише якщо dyndns_update має значення true. + + + Типове значення: 0 (вимкнено) + + + + + + dyndns_update_ptr (булеве значення) + + + Визначає, чи слід явним чином оновлювати запис PTR під час оновлення записів +DNS клієнта. Застосовується, лише якщо значенням dyndns_update буде true. + + + Значенням цього параметра у більшості розгорнутих систем IPA має бути False, +оскільки сервер IPA створює записи PTR автоматично після зміни у записах +переспрямовування. + + + Типове значення: False (вимкнено) + + + + + + dyndns_force_tcp (булеве значення) + + + Визначає, чи слід у програмі nsupdate типово використовувати TCP для обміну +даними з сервером DNS. + + + Типове значення: False (надати змогу nsupdate вибирати протокол) + + + + + + dyndns_server (рядок) + + + Сервер DNS, який слід використовувати для виконання оновлення DNS. У +більшості конфігурацій рекомендуємо не встановлювати значення для цього +параметра. + + + Встановлення значення для цього параметра потрібне для середовищ, де сервер +DNS відрізняється від сервера профілів. + + + Будь ласка, зауважте, що цей параметр буде використано лише для резервних +спроб, якщо попередні спроби із використанням автовиявлення завершаться +невдало. + + + Типове значення: немає (надати nsupdate змогу вибирати сервер) + + + + + + ipa_deskprofile_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з +профілями станції (Desktop Profile) об’єктів. + + + Типове значення: використання базової назви домену + + + + + + ipa_hbac_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку пов’язаних з +HBAC об’єктів. 
+ + + Типове значення: використання базової назви домену + + + + + + ipa_host_search_base (рядок) + + + Застарілий. Скористайтеся замість нього ldap_host_search_base. + + + + + + ipa_selinux_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку карт +користувачів SELinux. + + + Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про +налаштування декількох основ пошуку. + + + Типове значення: значення ldap_search_base + + + + + + ipa_subdomains_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку надійних +доменів. + + + Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про +налаштування декількох основ пошуку. + + + Типове значення: значення cn=trusts,%basedn + + + + + + ipa_master_domain_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку основного +об’єкта домену. + + + Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про +налаштування декількох основ пошуку. + + + Типове значення: значення виразу cn=ad,cn=etc,%basedn + + + + + + ipa_views_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку контейнерів +перегляду. + + + Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про +налаштування декількох основ пошуку. + + + Типове значення: значення cn=views,cn=accounts,%basedn + + + + + + krb5_realm (рядок) + + + Назва області дії Kerberos. Є необов’язковою, типовим значенням є значення +«ipa_domain». + + + Назва області дії Kerberos має особливе значення у IPA: цю назву буде +перетворено у основний DN для виконання дій LDAP. + + + + + + krb5_confd_path (рядок) + + + Абсолютний шлях до каталогу, у якому SSSD має зберігати фрагменти +налаштувань Kerberos. + + + Щоб вимкнути створення фрагментів налаштувань, встановіть для параметра +значення «none». 
+ + + Типове значення: не встановлено (підкаталог krb5.include.d каталогу pubconf +SSSD) + + + + + + ipa_deskprofile_refresh (ціле число) + + + Проміжок часу між послідовними пошуками правил профілів станції (Desktop +Profile) щодо сервера IPA. Зміна може зменшити час затримки та навантаження +на сервер IPA, якщо протягом короткого періоду часу надходить багато запитів +щодо профілів станції. + + + Типове значення: 5 (секунд) + + + + + + ipa_deskprofile_request_interval (ціле число) + + + Час між пошуками у правилах профілів станцій на сервері IPA, якщо за +останнім запитом не повернуто жодного правила. + + + Типове значення: 60 (хвилин) + + + + + + ipa_hbac_refresh (ціле число) + + + Проміжок часу між послідовними пошуками правил HBAC щодо сервера IPA. Зміна +може зменшити час затримки та навантаження на сервер IPA, якщо протягом +короткого періоду часу надходить багато запитів щодо керування доступом. + + + Типове значення: 5 (секунд) + + + + + + ipa_hbac_selinux (ціле число) + + + Проміжок часу між послідовними пошуками у картах SELinux щодо сервера +IPA. Зміна може зменшити час затримки та навантаження на сервер IPA, якщо +протягом короткого періоду часу надходить багато запитів щодо входу +користувача до системи. + + + Типове значення: 5 (секунд) + + + + + + ipa_server_mode (булеве значення) + + + Цей параметр буде встановлено засобом встановлення IPA (ipa-server-install) +автоматично, він визначає, чи запущено SSSD на сервері IPA. + + + На сервері IPA SSSD шукатиме записи користувачів і груп із довірених доменів +безпосередньо, хоча на клієнті SSSD надсилатиме запит на сервер IPA. + + + Зауваження: у поточній версії має бути виконано декілька умов, якщо SSSD +працює на сервері IPA. + + + + Параметр ipa_server має бути налаштовано так, щоб він +вказував на сам сервер IPA. Це типово робить засіб встановлення IPA, тому +зміни вручну є зайвими. 
+ + + + + Не слід змінювати значення параметра full_name_format для +того, щоб лише виводити короткі імена користувачів з довірених доменів. + + + + + + Типове значення: false + + + + + + ipa_automount_location (рядок) + + + Адреса автоматичного монтування, яку буде використовувати цей клієнт IPA + + + Типове значення: адреса з назвою "default" + + + + + + + + ПЕРЕГЛЯДИ і ПЕРЕВИЗНАЧЕННЯ + + SSSD може обробляти перегляди та перевизначення, які пропонуються FreeIPA +4.1 та новішими версіями. Оскільки усі шляхи і класи об’єктів зафіксовано на +боці сервера, в основному, немає потреби у додатковому налаштовуванні. Для +повноти, усі відповідні параметри наведено у списку разом з їхніми типовими +значеннями. + + ipa_view_class (рядок) + + + Клас об’єктів для контейнерів перегляду. + + + Типове значення: nsContainer + + + + + + ipa_view_name (рядок) + + + Назва атрибута, у якому зберігається назва перегляду. + + + Типове значення: cn + + + + + + ipa_override_object_class (рядок) + + + Клас об’єктів для об’єктів перевизначення + + + Типове значення: ipaOverrideAnchor + + + + + + ipa_anchor_uuid (рядок) + + + Назва атрибута, у якому зберігається посилання на початковий об’єкт на +віддаленому домені. + + + Типове значення: ipaAnchorUUID + + + + + + ipa_user_override_object_class (рядок) + + + Назва класу об’єктів для перевизначень користувачів. Використовується для +визначення того, чи знайдений об’єкт перевизначення пов’язано з користувачем +або групою. + + + Перевизначення користувачів можуть містити атрибути, задані + + + ldap_user_name + + + ldap_user_uid_number + + + ldap_user_gid_number + + + ldap_user_gecos + + + ldap_user_home_directory + + + ldap_user_shell + + + ldap_user_ssh_public_key + + + + + Типове значення: ipaUserOverride + + + + + + ipa_group_override_object_class (рядок) + + + Назва класу об’єктів для перевизначень груп. Використовується для визначення +того, чи знайдений об’єкт перевизначення пов’язано з користувачем або +групою. 
+ + + Перевизначення груп можуть містити атрибути, задані + + + ldap_group_name + + + ldap_group_gid_number + + + + + Типове значення: ipaGroupOverride + + + + + + + + + + + + СЛУЖБА ПІДДОМЕНІВ + + Поведінка інструмента надання даних піддоменів IPA залежить від того, у який +спосіб його налаштовано: явний чи неявний. + + + Якщо у розділі домену sssd.conf буде знайдено запис параметра +«subdomains_provider = ipa», інструмент надання даних піддоменів IPA +налаштовано явно, отже всі запити піддоменів надсилатимуться серверу IPA, +якщо це потрібно. + + + Якщо у розділі домену sssdconf не встановлено параметр +«subdomains_provider», але встановлено параметр «id_provider = ipa», +інструмент надання даних піддоменів IPA налаштовано неявним чином. У цьому +випадку спроба запиту щодо піддомену зазнає невдачі і вказуватиме на те, що +на сервері не передбачено піддоменів, тобто його не налаштовано на довіру, +отже інструмент надання даних піддоменів IPA вимкнено. Щойно мине година або +відкриється доступ до інструмента надання даних IPA, інструмент надання +даних піддоменів буде знову увімкнено. + + + + + TRUSTED DOMAINS CONFIGURATION + + Some configuration options can be also set for a trusted domain. A trusted +domain configuration can either be done using a subsection, for example: + +[domain/ipa.domain.com/ad.domain.com] +ad_server = dc.ad.domain.com + + + + In addition, some options can be set in the parent domain and inherited by +the trusted domain using the subdomain_inherit option. For +more details, see the +sssd.conf 5 + manual page. + + + Different configuration options are tunable for a trusted domain depending +on whether you are configuring SSSD on an IPA server or an IPA client. 
+ + + OPTIONS TUNABLE ON IPA MASTERS + + The following options can be set in a subdomain section on an IPA master: + + + ad_server + + + ad_backup_server + + + ad_site + + + ldap_search_base + + + ldap_user_search_base + + + ldap_group_search_base + + + use_fully_qualified_names + + + + + + OPTIONS TUNABLE ON IPA CLIENTS + + The following options can be set in a subdomain section on an IPA client: + + + ad_server + + + ad_site + + + + + Note that if both options are set, only ad_server is +evaluated. + + + Since any request for a user or a group identity from a trusted domain +triggered from an IPA client is resolved by the IPA server, the +ad_server and ad_site options only affect +which AD DC will the authentication be performed against. In particular, the +addresses resolved from these lists will be written to +kdcinfo files read by the Kerberos locator plugin. Please +refer to the +sssd_krb5_locator_plugin +8 manual page for more details on the +Kerberos locator plugin. + + + + + + + + + + ПРИКЛАД + + У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином, +а example.com є одним з доменів у розділі +[sssd]. У прикладі продемонстровано лише +параметри доступу, специфічні для засобу ipa. + + + +[domain/example.com] +id_provider = ipa +ipa_server = ipaserver.example.com +ipa_hostname = myhost.example.com + + + + + + + + diff --git a/src/man/uk/sssd-kcm.8.xml b/src/man/uk/sssd-kcm.8.xml new file mode 100644 index 0000000..06c45d5 --- /dev/null +++ b/src/man/uk/sssd-kcm.8.xml 
@@ -0,0 +1,176 @@ + + + +Сторінки підручника SSSD + + + + + sssd-kcm + 8 + Формати файлів та правила + + + + sssd-kcm + Керування кешем Kerberos SSSD + + + + ОПИС + + На цій сторінці підручника описано налаштування засобу керування кешем +Kerberos SSSD (Kerberos Cache Manager або KCM). KCM є процесом, який +зберігає, стежить і керує кешем реєстраційних даних Kerberos. Ідея створення +засобу походить із проекту Heimdal Kerberos, хоча у бібліотеці Kerberos MIT +також надається підтримка з боку клієнта для кешу реєстраційних даних KCM +(докладніше про це нижче). + + + У конфігураціях, де кешем Kerberos керує KCM, бібліотека Kerberos (типово +використовується за допомогою якоїсь програми, наприклад +kinit1 +) є клієнтом KCM, а фонова служба KCM +вважається сервером KCM. Клієнт і сервер обмінюються даними +за допомогою сокета UNIX. + + + Сервер KCM стежити за кожним власником кешу реєстраційних даних і виконує +перевірку прав доступу на основі UID і GID клієнта KCM. Користувач root має +доступ до усіх кешів реєстраційних даних. + + + Кеш реєстраційних даних KCM має декілька цікавих властивостей: + + + + оскільки процес виконується у просторі користувача, він підлягає обмеженням +за простором назв UID, на відміну від набору ключів ядра + + + + + на відміну від кешу на основі наборів ключів ядра, який є спільним для усіх +контейнерів, сервер KCM є окремим процесом, чия точка входу є сокетом UNIX + + + + + реалізація у SSSD зберігає ccache-і у сховищі реєстраційних даних + +sssd-secrets5 + SSSD, що надає змогу ccache-ам переживати перезапуски +сервера KCM та перезавантаження комп'ютера. + + + + Це надає змогу системі використовувати кеш реєстраційних даних із +врахуванням збірок, одночасно надаючи спільний доступ до кешу реєстраційних +даних для декількох контейнерів або без контейнерів взагалі шляхом +прив'язування-монтування сокета. 
+ + + + + КОРИСТУВАННЯ КЕШЕМ РЕЄСТРАЦІЙНИХ ДАНИХ KCM + + Для використання кешу реєстраційних даних KCM його слід вибрати стандартним +типом реєстраційних даних у +krb5.conf5 +. Назвою кешу реєстраційних даних має бути лише +KCM: без будь-яких розширень шаблонами. Приклад: +[libdefaults] + default_ccache_name = KCM: + + + + Далі, слід визначити однаковий шлях до сокета UNIX для клієнтських бібліотек +Kerberos і сервера KCM. Типово, у обох випадках використовується однаковий +шлях /var/run/.heim_org.h5l.kcm-socket. Для +налаштовування бібліотеки Kerberos змініть значення її параметра +kcm_socket, як це описано на сторінці підручника + +krb5.conf5 +. + + + Нарешті, переконайтеся, що з сервером KCM SSSD можна встановити +зв'язок. Типово, служба KCM вмикається за допомогою сокета з +systemd 1 +. На відміну від інших служб SSSD, її не можна запустити +додаванням рядка kcm до інструкції service. + +systemctl start sssd-kcm.socket +systemctl enable sssd-kcm.socket + Будь ласка, зауважте, що +відповідні налаштування модулів вже могло бути виконано засобами вашого +дистрибутива. + + + + + СХОВИЩЕ КЕШУ РЕЄСТРАЦІЙНИХ ДАНИХ + + Кеші реєстраційних даних зберігаються у сховищі служби реєстраційних даних +SSSD (докладніший опис наведено на сторінці підручника +sssd-secrets5 +). Тому важливо, щоб було увімкнено службу sssd-secrets, а її +сокет був доступним: +systemctl start sssd-secrets.socket +systemctl enable sssd-secrets.socket + Відповідні +залежності між цими службами вже мало бути встановлено засобами вашого +дистрибутива. + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + + Налаштовування служби KCM виконується за допомогою розділу +kcm файла sssd.conf. Будь ласка, зауважте, що у поточній +версії для застосування налаштувань перезапуску служби sssd-kcm недостатньо, +оскільки обробка і читання налаштувань sssd до внутрішньої бази даних +налаштувань виконується лише самою службою sssd. Тому вам слід перезапустити +вашу службу sssd, якщо ви щось змінили у розділі kcm файла +sssd.conf. 
Докладний опис синтаксису файла налаштувань наведено у розділі +ФОРМАТ ФАЙЛА сторінки підручника +sssd.conf 5 +. + + + Службі kcm можна передавати типові параметри служби SSSD, зокрема +debug_level та fd_limit Із повним списком +параметрів можна ознайомитися на сторінці підручника +sssd.conf 5 +. Крім того, передбачено декілька специфічних для KCM +параметрів. + + + + socket_path (рядок) + + + Сокет, на якому очікуватиме на з'єднання служба KCM. + + + Типове значення: +/var/run/.heim_org.h5l.kcm-socket + + + + + + + + ТАКОЖ ПЕРЕГЛЯНЬТЕ + + sssd8 +, +sssd.conf5 +, + + + + diff --git a/src/man/uk/sssd-krb5.5.xml b/src/man/uk/sssd-krb5.5.xml new file mode 100644 index 0000000..683deb2 --- /dev/null +++ b/src/man/uk/sssd-krb5.5.xml 
@@ -0,0 +1,552 @@ + + + +Сторінки підручника SSSD + + + + + sssd-krb5 + 5 + Формати файлів та правила + + + + sssd-krb5 + Модуль надання даних Kerberos SSSD + + + + ОПИС + + На цій сторінці довідника описано налаштування засобу розпізнавання Kerberos +5 для sssd +8 . Щоб дізнатися більше про синтаксис +налаштування, зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника + sssd.conf +5 . + + + Модуль розпізнавання Kerberos 5 містити засоби розпізнавання та зміни +паролів. З метою отримання належних результатів його слід використовувати +разом з інструментом обробки профілів (наприклад, id_provider = ldap). Деякі +з даних, потрібних для роботи модуля розпізнавання Kerberos 5, має бути +надано інструментом обробки профілів, серед цих даних Kerberos Principal +Name (UPN) або реєстраційне ім’я користувача. У налаштуваннях інструменту +обробки профілів має бути запис з визначенням UPN. Докладні настанови щодо +визначення такого UPN має бути викладено на сторінці довідника (man) +відповідного інструменту обробки профілів. + + + У цьому інструменті керування даними також передбачено можливості керування +доступом, засновані на даних з файла .k5login у домашньому каталозі +користувача. Докладніші відомості можна отримати з підручника до + +.k5login5 +. Зауважте, що якщо файл .k5login виявиться порожнім, доступ +користувачеві буде заборонено. Щоб задіяти можливість керування доступом, +додайте рядок «access_provider = krb5» до ваших налаштувань SSSD. + + + У випадку, коли доступу до UPN у модулі профілів не передбачено, +sssd побудує UPN у форматі +ім’я_користувача@область_krb5. + + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + + Якщо у домені SSSD використано auth-module krb5, має бути використано +вказані нижче параметри. Зверніться до сторінки довідника (man) + sssd.conf +5 , розділ «РОЗДІЛИ ДОМЕНІВ», щоб +дізнатися більше про налаштування домену SSSD. 
+ + krb5_server, krb5_backup_server (рядок) + + + Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів +Kerberos, з якими SSSD має встановлювати з’єднання. Список має бути +впорядковано за пріоритетом. Докладніше про резервування та додаткові +сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може +бути додано номер порту (перед номером слід вписати двокрапку). Якщо +параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше +про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ». + + + Під час використання виявлення служб для серверів KDC або kpasswd SSSD +спочатку намагається знайти записи DNS, у яких визначається протокол +_udp. Використання протоколу _tcp відбувається, лише якщо таких записів не +вдасться знайти. + + + У попередніх випусках SSSD цей параметр мав назву «krb5_kdcip». У поточній +версії передбачено розпізнавання цієї застарілої назви, але користувачам +варто перейти на використання «krb5_server» у файлах налаштувань. + + + + + + krb5_realm (рядок) + + + Назва області Kerberos. Цей параметр є обов’язковим, його неодмінно слід +вказати. + + + + + + krb5_kpasswd, krb5_backup_kpasswd (рядок) + + + Якщо службу зміни паролів не запущено на KDC, тут можна визначити +альтернативні сервери. До адрес або назв вузлів можна додати номер порту +(перед яким слід вписати двокрапку). + + + Додаткові відомості щодо резервних серверів можна знайти у розділі +«РЕЗЕРВ». Зауваження: навіть якщо список всіх серверів kpasswd буде +вичерпано, модуль не перемкнеться у автономний режим роботи, якщо +розпізнавання за KDC залишатиметься можливим. + + + Типове значення: використання KDC + + + + + + krb5_ccachedir (рядок) + + + Каталог для зберігання кешу реєстраційних даних. Тут також можна +використовувати усі замінники з krb5_ccname_template, окрім %d та +%P. Каталог створюється як конфіденційний, власником є користувач, права +доступу — 0700. 
+ + + Типове значення: /tmp + + + + + + krb5_ccname_template (рядок) + + + Розташування кешу з реєстраційними даними користувача У поточній версії +передбачено підтримку трьох типів кешу реєстраційних даних: +FILE, DIR та +KEYRING:persistent. Кеш може бути вказано або у форматі +ТИП:РЕШТА, або у форматі абсолютного шляху (тоді +вважається, що типом кешу є FILE). У шаблоні передбачено +можливість використання таких послідовностей-замінників: + + %u + ім'я користувача + + + %U + ідентифікатор користувача + + + %p + назва реєстраційного запису + + + + %r + назва області + + + %h + домашній каталог + + + + %d + значення krb5_ccachedir + + + + + %P + ідентифікатор процесу клієнтської частини SSSD + + + + %% + символ відсотків («%») + + + Якщо шаблон завершується послідовністю +«XXXXXX», для безпечного створення назви файла використовується mkstemp(3). + + + Якщо використовуються типи KEYRING, єдиним підтримуваним механізмом є +«KEYRING:persistent:%U», тобто використання сховища ключів ядра Linux для +зберігання реєстраційних даних на основі поділу за UID. Цей варіант є +рекомендованим, оскільки це найбезпечніший та найпередбачуваніший спосіб. + + + Типове значення назви кешу реєстраційних даних буде запозичено з +загальносистемного профілю, що зберігається у файлі налаштувань krb5.conf, +розділ [libdefaults]. Назва параметра — default_ccache_name. Див. розділ +щодо розгортання параметрів (PARAMETER EXPANSION) у довідці щодо +krb5.conf(5), щоб отримати додаткові дані щодо формату розгортання, +використаного у krb5.conf. + + + ЗАУВАЖЕННЯ: майте на увазі, що шаблон розширення ccache libkrb5 з + krb5.conf +5 використовує інші послідовності +розширення, що не збігаються із використаними у SSSD. + + + Типове значення: (з libkrb5) + + + + + + krb5_auth_timeout (ціле число) + + + Час очікування, по завершенню якого буде перервано запит щодо розпізнавання +або зміни пароля у мережі. Якщо це можливо, обробку запиту щодо +розпізнавання буде продовжено у автономному режимі. 
+ + + Типове значення: 6 + + + + + + krb5_validate (булеве значення) + + + Перевірити за допомогою krb5_keytab, чи отриманий TGT не було +підмінено. Перевірка записів у таблиці ключів виконується послідовно. Для +перевірки використовується перший запис з відповідним значенням +області. Якщо не буде знайдено жодного відповідного області запису, буде +використано останній запис з таблиці ключів. Цим процесом можна скористатися +для перевірки середовищ за допомогою зв’язків довіри між записами областей: +достатньо розташувати відповідний запис таблиці ключів на останньому місці +або зробити його єдиним записом у файлі таблиці ключів. + + + Типове значення: false + + + + + + krb5_keytab (рядок) + + + Розташування таблиці ключів, якою слід скористатися під час перевірки +реєстраційних даних, отриманих від KDC. + + + Типове значення: /etc/krb5.keytab + + + + + + krb5_store_password_if_offline (булівське значення) + + + Зберігати пароль користувача, якщо засіб перевірки перебуває поза мережею, і +використовувати його для запитів TGT після встановлення з’єднання з засобом +перевірки. + + + Зауваження: ця можливість у поточній версії доступна лише на платформі +Linux. Паролі зберігатимуться у форматі звичайного тексту (без шифрування) у +сховищі ключів ядра, потенційно до них може отримати доступ адміністративний +користувач (root), але йому для цього слід буде подолати деякі перешкоди. + + + Типове значення: false + + + + + + krb5_renewable_lifetime (рядок) + + + Надіслати запит щодо поновлюваного квитка з загальним строком дії, вказаним +за допомогою цілого числа, за яким одразу вказано одиницю часу: + + + s — секунди + + + m — хвилини + + + h — години + + + d — дні. + + + Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю +s. + + + Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам +потрібно встановити строк дії у півтори години, слід вказати «90m», а не +«1h30m». 
+ + + Типове значення: не встановлено, тобто TGT не є оновлюваним + + + + + + krb5_lifetime (рядок) + + + Надіслати запит щодо квитка з загальним строком дії, вказаним за допомогою +цілого числа, за яким одразу вказано одиницю часу: + + + s — секунди + + + m — хвилини + + + h — години + + + d — дні. + + + Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю +s. + + + Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам +потрібно встановити строк дії у півтори години, слід вказати «90m», а не +«1h30m». + + + Типове значення: не встановлено, тобто типовий строк дії квитка +визначатиметься у налаштуваннях KDC. + + + + + + krb5_renew_interval (рядок) + + + Час у секундах між двома послідовними перевірками того, чи слід оновлювати +записи TGT. Записи TGT оновлюються після завершення приблизно половини +їхнього строку дії, що задається як ціле число з наступним позначенням +одиниці часу: + + + s — секунди + + + m — хвилини + + + h — години + + + d — дні. + + + Якщо одиниці часу не буде вказано, вважатиметься, що використано одиницю +s. + + + Зауваження: не можна використовувати одразу декілька одиниць. Якщо вам +потрібно встановити строк дії у півтори години, слід вказати «90m», а не +«1h30m». + + + Якщо значення для цього параметра встановлено не буде або буде встановлено +значення 0, автоматичного оновлення не відбуватиметься. + + + Типове значення: not set + + + + + + krb5_use_fast (рядок) + + + Вмикає безпечне тунелювання для гнучкого розпізнавання (flexible +authentication secure tunneling або FAST) для попереднього розпізнавання у +Kerberos. Передбачено такі варіанти: + + + never використовувати FAST, рівнозначний варіанту, за +якого значення цього параметра взагалі не задається. + + + try — використовувати FAST. Якщо на сервері не +передбачено підтримки FAST, продовжити розпізнавання без FAST. + + + demand — використовувати FAST. Якщо на сервері не +передбачено підтримки FAST, спроба розпізнавання зазнає невдачі. 
+ + + Типове значення: не встановлено, тобто FAST не використовується. + + + Зауваження: будь ласка, зауважте, що для використання FAST потрібна таблиця +ключів. + + + Зауваження: у SSSD передбачено підтримку FAST лише у разі використання MIT +Kerberos версії 1.8 або новішої. Якщо SSSD буде використано зі старішою +версією MIT Kerberos і цим параметром, буде повідомлено про помилку у +налаштуваннях. + + + + + + krb5_fast_principal (рядок) + + + Визначає реєстраційний запис сервера, який слід використовувати для FAST. + + + + + + krb5_canonicalize (булеве значення) + + + Визначає, чи слід перетворювати реєстраційний запис вузла і користувача у +канонічну форму. Цю можливість передбачено з версії MIT Kerberos 1.7. + + + + Типове значення: false + + + + + + krb5_use_kdcinfo (булеве значення) + + + Визначає, чи слід SSSD вказувати бібліотекам Kerberos, яку область і які +значення KDC слід використовувати. Типово, дію параметра увімкнено. Якщо ви +вимкнете його, вам слід налаштувати бібліотеку Kerberos за допомогою файла +налаштувань krb5.conf +5 . + + + Див. сторінку підручника (man) +sssd_krb5_locator_plugin +8 , щоб дізнатися більше про додаток +пошуку. + + + Типове значення: true + + + + + + krb5_use_enterprise_principal (булеве значення) + + + Визначає, чи слід вважати реєстраційні дані користувача даними промислового +рівня. Див. розділ 5 RFC 6806, щоб дізнатися більше про промислові +реєстраційні дані. + + + + Типове значення: false (надається AD: true) + + + Засіб надання даних IPA встановить для цього параметра значення «true», якщо +виявить, що сервер здатен обробляти реєстраційні дані промислового класу, і +параметр на встановлено явним чином у файлі налаштувань. + + + + + + krb5_map_user (рядок) + + + Список прив’язок визначається як список пар «користувач:основа», де +«користувач» — ім’я користувача UNIX, а «основа» — частина щодо користувача +у реєстраційному записі kerberos. 
Ця прив’язка використовується, якщо +користувач проходить розпізнавання із використанням «auth_provider = krb5». + + + + приклад: +krb5_realm = REALM +krb5_map_user = joe:juser,dick:richard + + + + joe і dick — імена користувачів UNIX, а +juser і richard основні частини реєстраційних +записів kerberos. Для користувачів joe та, відповідно, +dick SSSD намагатиметься виконати ініціалізацію kinit як +juser@REALM і, відповідно, richard@REALM. + + + + Типове значення: not set + + + + + + + + + + + + + + ПРИКЛАД + + У наведеному нижче прикладі припускається, що SSSD налаштовано належним +чином, а FOO є одним з доменів у розділі +[sssd]. У прикладі продемонстровано лише +налаштування розпізнавання аз допомогою Kerberos, там не вказано інструменту +обробки профілів. + + + +[domain/FOO] +auth_provider = krb5 +krb5_server = 192.168.1.1 +krb5_realm = EXAMPLE.COM + + + + + + + + diff --git a/src/man/uk/sssd-ldap.5.xml b/src/man/uk/sssd-ldap.5.xml new file mode 100644 index 0000000..ee52b02 --- /dev/null +++ b/src/man/uk/sssd-ldap.5.xml 
@@ -0,0 +1,2648 @@ + + + +Сторінки підручника SSSD + + + + + sssd-ldap + 5 + Формати файлів та правила + + + + sssd-ldap + Модуль надання даних LDAP SSSD + + + + ОПИС + + На цій сторінці довідника описано налаштування доменів LDAP для + sssd 8 +. Щоб дізнатися більше про синтаксис налаштування, зверніться +до розділу «ФОРМАТ ФАЙЛА» сторінки довідника +sssd.conf 5 +. + + Ви можете налаштувати SSSD на використання декількох доменів LDAP. + + + У основному модулі LDAP передбачено підтримку засобів надання ідентифікатора +(id), уповноважень (auth), доступу (access) та зміни паролів (chpass). Якщо +ви бажаєте виконувати розпізнавання на сервері LDAP, потрібен TLS/SSL або +LDAPS. У sssd не передбачено +підтримки розпізнавання за допомогою шифрованого каналу обміну даними. Якщо +сервер LDAP використовується лише для надання даних профілів, потреби у +шифруванні каналу обміну даними немає. Будь ласка, зверніться до опису +параметра налаштування ldap_access_filter, щоб дізнатися +більше про використання LDAP, як засобу керування доступом. + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + + Всі загальні параметри налаштування, які стосуються доменів SSSD, також +стосуються і доменів LDAP. Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки +підручника sssd.conf +5 , щоб дізнатися більше. + + + ldap_uri, ldap_backup_uri (рядок) + + + Визначає список адрес серверів LDAP, відокремлених комами, з якими SSSD має +встановлювати з’єднання у порядку пріоритету. Зверніться до розділу +«РЕЗЕРВ», щоб дізнатися більше про перемикання на резервні ресурси та +додаткові сервери. Якщо не вказано, буде використано автоматичне виявлення +служб. Докладніші відомості можна знайти у розділі «ПОШУК СЛУЖБ». 
+ + + Формат адреси має відповідати формату, що визначається RFC 2732: + + + ldap[s]://<вузол>[:порт] + + + У явних адресах IPv6 <вузол> має бути вказано у квадратних дужках, [] + + + приклад: ldap://[fc00::126:25]:389 + + + + + + ldap_chpass_uri, ldap_chpass_backup_uri (рядок) + + + Визначає список адрес серверів LDAP, відокремлених комами, з якими SSSD має +встановлювати з’єднання у порядку пріоритету для зміни пароля +користувача. Зверніться до розділу «РЕЗЕРВ», щоб дізнатися більше про +перемикання на резервні ресурси та додаткові сервери. + + + Для того, щоб уможливити визначення служб, слід встановити значення +параметра ldap_chpass_dns_service_name. + + + Типове значення: порожнє, тобто використовується ldap_uri. + + + + + + ldap_search_base (рядок) + + + Типова базова назва домену, яку слід використовувати для виконання дій від +імені користувача LDAP. + + + Починаючи з SSSD 1.7.0, у SSSD передбачено підтримку визначення декількох +основ для пошуку за допомогою таких синтаксичних конструкцій: + + + основа_пошуку[?діапазон?[фільтр][?основа_пошуку?діапазон?[фільтр]]*] + + + Діапазоном може бути одне зі значень, «base» (основа), «onelevel» (окремий +рівень) або «subtree» (піддерево). + + + Фільтром має бути коректний запис фільтрування LDAP, відповідно до +специфікації http://www.ietf.org/rfc/rfc2254.txt + + + Приклади: + + + ldap_search_base = dc=example,dc=com (еквівалентне до) ldap_search_base = +dc=example,dc=com?subtree? + + + ldap_search_base = +cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree? + + + Зауваження: підтримки визначення декількох основ пошуку з посиланням на +об’єкти з однаковими назвами (наприклад груп з однаковою назвою у двох +різних основах пошуку) не передбачено. Такі визначення можуть призвести до +непередбачуваних результатів на клієнтських комп’ютерах. 
+ + + Типове значення: якщо значення не встановлено, буде використано значення +атрибута defaultNamingContext або namingContexts з RootDSE сервера +LDAP. Якщо запису defaultNamingContext не існує або цей запис має порожнє +значення, буде використано namingContexts. Для роботи системи потрібно, щоб +атрибут namingContexts має єдине значення DN бази пошуку сервера +LDAP. Підтримки визначення декількох значень не передбачено. + + + + + + ldap_schema (рядок) + + + Визначає тип схеми, що використовується на сервері LDAP +призначення. Відповідно до вибраної схеми, типові назви атрибутів, отриманих +з сервера, можуть бути різними. Спосіб обробки атрибутів також може бути +різним. + + + У поточній версії передбачено підтримку чотирьох типів схем: + + + + rfc2307 + + + + + rfc2307bis + + + + + IPA + + + + + AD + + + + + + Основною відмінністю між цими типами схем є спосіб запису даних щодо участі +у групах на сервері. Відповідно до rfc2307, список учасників груп +впорядковується за користувачами у атрибуті +memberUid. Відповідно до rfc2307bis і IPA, список +учасників груп впорядковується за назвою домену (DN) і зберігається у +атрибуті member. Відповідно до типу схеми AD, +встановлюється відповідність зі значеннями Active Directory 2008r2. + + + Типове значення: rfc2307 + + + + + + ldap_default_bind_dn (рядок) + + + Типова назва домену прив’язки, яку слід використовувати для виконання дій +LDAP. + + + + + + ldap_default_authtok_type (рядок) + + + Тип розпізнавання для типової назви сервера прив’язки. + + + У поточній версії передбачено підтримку двох механізмів: + + + password + + + obfuscated_password + + + Типове значення: password + + + + + + ldap_default_authtok (рядок) + + + Лексема розпізнавання типової назви сервера прив’язки. У поточній версії +передбачено підтримку лише паролів у форматі звичайного тексту. + + + + + + ldap_user_object_class (рядок) + + + Клас об’єктів запису користувача у LDAP. 
+ + + Типове значення: posixAccount + + + + + + ldap_user_name (рядок) + + + Атрибут LDAP, що відповідає назві облікового запису користувача. + + + Типове значення: uid (rfc2307, rfc2307bis і IPA), sAMAccountName (AD) + + + + + + ldap_user_uid_number (рядок) + + + Атрибут LDAP, що відповідає ідентифікатору користувача. + + + Типове значення: uidNumber + + + + + + ldap_user_gid_number (рядок) + + + Атрибут LDAP, що відповідає ідентифікатору основної групи користувача. + + + Типове значення: gidNumber + + + + + + ldap_user_primary_group (рядок) + + + Атрибут основної групи Active Directory для встановлення відповідності +ідентифікатора. Зауважте, що цей атрибут слід встановлювати вручну, лише +якщо ви користуєтеся засобом надання даних ldap з прив'язкою +до ідентифікаторів. + + + Типове значення: unset (LDAP), primaryGroupID (AD) + + + + + + ldap_user_gecos (рядок) + + + Атрибут LDAP, що відповідає полю gecos користувача. + + + Типове значення: gecos + + + + + + ldap_user_home_directory (рядок) + + + Атрибут LDAP, що містить назву домашнього каталогу користувача. + + + Типове значення: homeDirectory + + + + + + ldap_user_shell (рядок) + + + Атрибут LDAP, що містить шлях до типової командної оболонки користувача. + + + Типове значення: loginShell + + + + + + ldap_user_uuid (рядок) + + + Атрибут LDAP, що містить UUID/GUID об’єкта користувача LDAP. + + + Типове значення: не встановлено у загальному випадку, objectGUID для AD і +ipaUniqueID для IPA + + + + + + ldap_user_objectsid (рядок) + + + Атрибут LDAP, що містить objectSID об’єкта користувача LDAP. Зазвичай, +потрібен лише для серверів ActiveDirectory. + + + Типове значення: objectSid для ActiveDirectory, не встановлено для інших +серверів. + + + + + + ldap_user_modify_timestamp (рядок) + + + Атрибут LDAP, що містить часову позначку останньої зміни батьківського +об’єкта. 
+ + + Типове значення: modifyTimestamp + + + + + + ldap_user_shadow_last_change (рядок) + + + У разі використання ldap_pwd_policy=shadow цей параметр містить назву +атрибута LDAP, який є відповідником параметра +shadow 5 + (дати останньої зміни пароля). + + + Типове значення: shadowLastChange + + + + + + ldap_user_shadow_min (рядок) + + + У разі використання ldap_pwd_policy=shadow цей параметр містить назву +атрибута LDAP, який є відповідником параметра +shadow 5 + (мінімального віку пароля). + + + Типове значення: shadowMin + + + + + + ldap_user_shadow_max (рядок) + + + У разі використання ldap_pwd_policy=shadow цей параметр містить назву +атрибута LDAP, який є відповідником параметра +shadow 5 + (максимального віку пароля). + + + Типове значення: shadowMax + + + + + + ldap_user_shadow_warning (рядок) + + + У разі використання ldap_pwd_policy=shadow цей параметр містить назву +атрибута LDAP, який є відповідником параметра +shadow 5 + (проміжку попередження щодо пароля). + + + Типове значення: shadowWarning + + + + + + ldap_user_shadow_inactive (рядок) + + + У разі використання ldap_pwd_policy=shadow цей параметр містить назву +атрибута LDAP, який є відповідником параметра +shadow 5 + (тривалості періоду невикористання пароля). + + + Типове значення: shadowInactive + + + + + + ldap_user_shadow_expire (рядок) + + + У разі використання ldap_pwd_policy=shadow або +ldap_account_expire_policy=shadow цей параметр містить назву атрибута LDAP, +який є відповідником параметра +shadow 5 + (дати завершення строку дії пароля). + + + Типове значення: shadowExpire + + + + + + ldap_user_krb_last_pwd_change (рядок) + + + Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить +назву атрибута LDAP, у якому зберігається дата і час останньої зміни пароля +у kerberos. 
+ + + Типове значення: krbLastPwdChange + + + + + + ldap_user_krb_password_expiration (рядок) + + + Якщо використано значення ldap_pwd_policy=mit_kerberos, цей параметр містить +назву атрибута LDAP, у якому зберігається дата і час завершення строку дії +поточного пароля. + + + Типове значення: krbPasswordExpiration + + + + + + ldap_user_ad_account_expires (рядок) + + + Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву +атрибута LDAP, у якому зберігаються дані щодо строку завершення дії +облікового запису. + + + Типове значення: accountExpires + + + + + + ldap_user_ad_user_account_control (рядок) + + + Якщо вказано ldap_account_expire_policy=ad, цей параметр містить назву +атрибута LDAP, у якому зберігаються дані щодо поля контрольного біта +облікового запису користувача. + + + Типове значення: userAccountControl + + + + + + ldap_ns_account_lock (рядок) + + + Якщо вказано ldap_account_expire_policy=rhds або еквівалентне налаштування, +цей параметр визначає, заборонено чи дозволено доступ. + + + Типове значення: nsAccountLock + + + + + + ldap_user_nds_login_disabled (рядок) + + + Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає, дозволено +чи заборонено доступ. + + + Типове значення: loginDisabled + + + + + + ldap_user_nds_login_expiration_time (рядок) + + + Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає дату, до +якої надано доступ. + + + Типове значення: loginDisabled + + + + + + ldap_user_nds_login_allowed_time_map (рядок) + + + Якщо вказано ldap_account_expire_policy=nds, цей атрибут визначає годити дня +тижня, коли надається доступ. + + + Типове значення: loginAllowedTimeMap + + + + + + ldap_user_principal (рядок) + + + Атрибут LDAP, що містить Kerberos User Principal Name (UPN) користувача. + + + Типове значення: krbPrincipalName + + + + + + ldap_user_extra_attrs (рядок) + + + Відокремлений комами список атрибутів LDAP, які SSSD має отримувати разом зі +звичайним набором атрибутів запису користувача. 
+ + + Список може або містити лише назви атрибутів LDAP, або відокремлені +двокрапками кортежі з назви атрибута кешу SSSD та назви атрибута LDAP. Якщо +вказано лише назву атрибута LDAP, атрибут зберігається до кешу +буквально. Використання нетипової назви атрибута SSSD може бути потрібним +середовищам, де налаштовано декілька доменів SSSD з різними схемами LDAP. + + + Будь ласка, зауважте, що декілька назв атрибутів зарезервовано SSSD, зокрема +атрибут «name». SSSD повідомить про помилку, якщо будь-які із зарезервованих +назв атрибутів використано як назву додаткового атрибута. + + + Приклади: + + + ldap_user_extra_attrs = telephoneNumber + + + Зберегти атрибут «telephoneNumber» з LDAP як «telephoneNumber» до кешу. + + + ldap_user_extra_attrs = phone:telephoneNumber + + + Зберегти атрибут «telephoneNumber» з LDAP як «phone» до кешу. + + + Типове значення: not set + + + + + + ldap_user_ssh_public_key (рядок) + + + Атрибут LDAP, який містить відкриті ключі SSH користувача. + + + Типове значення: sshPublicKey + + + + + + ldap_force_upper_case_realm (булеве значення) + + + Деякі з серверів каталогів, наприклад Active Directory, можуть надавати +частину області адреси UPN лише малими літерами (літерами нижнього +регістру), що може призвести до невдалої спроби розпізнавання. Встановіть +ненульове значення цього параметра, якщо ви бажаєте використовувати назву +області у верхньому регістрі. + + + Типове значення: false + + + + + + ldap_enumeration_refresh_timeout (ціле число) + + + Визначає кількість секунд, протягом яких SSSD має очікувати до оновлення +свого кешу нумерованих записів. + + + Типове значення: 300 + + + + + + ldap_purge_cache_timeout (ціле число) + + + Визначає частоту пошуків у кеші неактивних записів (зокрема груп без +учасників та користувачів, які ніколи не входили до системи) та вилучення +цих записів з метою економії місця. + + + Встановлення нульового значення цього параметра вимикає дію з очищення +кешу. 
Будь ласка, зауважте, що якщо увімкнено нумерацію, дія з очищення є +необхідною з метою виявлення записів, вилучених із сервера, її не можна +вимикати. Типово, дія з очищення, якщо увімкнено нумерацію, виконується +кожні 3 години. + + + Типове значення: 0 (вимкнено) + + + + + + ldap_user_fullname (рядок) + + + Атрибут LDAP, що відповідає повному імені користувача. + + + Типове значення: cn + + + + + + ldap_user_member_of (рядок) + + + Атрибут LDAP зі списком груп, у яких бере участь користувач. + + + Типове значення: memberOf + + + + + + ldap_user_authorized_service (рядок) + + + Якщо access_provider=ldap і ldap_access_order=authorized_service, SSSD +використовуватиме наявність атрибута authorizedService у записі користувача +LDAP для визначення прав доступу. + + + Спочатку визначаються явні заборони (!svc). Далі SSSD шукає явні дозволи +(svc) і нарешті загальні дозволи або allow_all (*). + + + Будь ласка, зауважте, що параметр налаштування ldap_access_order +має включати authorized_service, щоб +система змогла скористатися параметром ldap_user_authorized_service. + + + Типове значення: authorizedService + + + + + + ldap_user_authorized_host (рядок) + + + Якщо access_provider=ldap і ldap_access_order=host, SSSD використовуватиме +наявність атрибута host у записі користувача LDAP для визначення прав +доступу. + + + Спочатку визначаються явні заборони (!host). Далі SSSD шукає явні дозволи +(host) і нарешті загальні дозволи або allow_all (*). + + + Будь ласка, зауважте, що параметр налаштування ldap_access_order +має включати host, щоб можна було +скористатися параметром ldap_user_authorized_host. + + + Типове значення: host + + + + + + ldap_user_authorized_rhost (рядок) + + + Якщо access_provider=ldap і ldap_access_order=rhost, SSSD використовуватиме +наявність атрибута rhost у записі користувача LDAP для визначення прав +доступу. Те саме стосується і процесу перевірки вузла. + + + Спочатку визначаються явні заборони (!rhost). 
Далі SSSD шукає явні дозволи +(rhost) і нарешті загальні дозволи або allow_all (*). + + + Будь ласка, зауважте, що параметр налаштування ldap_access_order +має включати rhost, щоб можна було +скористатися параметром ldap_user_authorized_rhost. + + + Типове значення: rhost + + + + + + ldap_user_certificate (рядок) + + + Назва атрибута LDAP, що містить сертифікат X509 користувача. + + + Типове значення: userCertificate;binary + + + + + + ldap_user_email (рядок) + + + Назва атрибута LDAP, який містить адресу електронної пошти користувача. + + + Зауваження: якщо адреса електронної пошти користувача конфліктує із адресою +електронної пошти або повним ім'ям іншого користувача, SSSD не зможе +обслуговувати належним чином записи таких користувачів. Якщо з якоїсь +причини у декількох користувачів має бути одна адреса електронної пошти, +встановіть для цього параметра довільну назву атрибута, щоб вимкнути пошук і +вхід до системи за адресою електронної пошти. + + + Типове значення: mail + + + + + + ldap_group_object_class (рядок) + + + Клас об’єктів запису групи у LDAP. + + + Типове значення: posixGroup + + + + + + ldap_group_name (рядок) + + + Атрибут LDAP, що відповідає назві групи. + + + Типове значення: cn (rfc2307, rfc2307bis і IPA), sAMAccountName (AD) + + + + + + ldap_group_gid_number (рядок) + + + Атрибут LDAP, що відповідає ідентифікатору групи. + + + Типове значення: gidNumber + + + + + + ldap_group_member (рядок) + + + Атрибут LDAP, у якому містяться імена учасників групи. + + + Типове значення: memberuid (rfc2307) / member (rfc2307bis) + + + + + + ldap_group_uuid (рядок) + + + Атрибут LDAP, що містить UUID/GUID об’єкта групи LDAP. + + + Типове значення: не встановлено у загальному випадку, objectGUID для AD і +ipaUniqueID для IPA + + + + + + ldap_group_objectsid (рядок) + + + Атрибут LDAP, що містить objectSID об’єкта групи LDAP. Зазвичай, потрібен +лише для серверів ActiveDirectory. 
+ + + Типове значення: objectSid для ActiveDirectory, не встановлено для інших +серверів. + + + + + + ldap_group_modify_timestamp (рядок) + + + Атрибут LDAP, що містить часову позначку останньої зміни батьківського +об’єкта. + + + Типове значення: modifyTimestamp + + + + + + ldap_group_type (ціле число) + + + Атрибут LDAP, що містить ціле значення і позначає тип групи, а також, +можливо, інші прапорці. + + + Цей атрибут у поточній версії використовується лише засобом надання даних AD +для визначення, чи є група локальною групою домену і чи має бути її +відфільтровано у списку надійних (довірених) доменів. + + + Типове значення: groupType у засобі надання даних AD, у інших засобах не +встановлено + + + + + + ldap_group_external_member (рядок) + + + Атрибут LDAP, який посилається на записи учасників групи, які визначено у +зовнішньому домені. У поточній версії передбачено підтримку лише зовнішніх +записів учасників IPA. + + + Типове значення: ipaExternalMember у засобі надання даних IPA, у інших +засобах не визначено. + + + + + + ldap_group_nesting_level (ціле число) + + + Якщо ldap_schema встановлено у значення формату схеми, у якому передбачено +підтримку вкладеності груп (наприклад RFC2307bis), цей параметр визначає +кількість рівнів вкладеності, які оброблятимуться SSSD. Значення цього +параметра буде проігноровано, якщо використано схему RFC2307. + + + Зауваження: за допомогою цього параметра визначається гарантований рівень +вкладеності груп для обробки під час будь-якого пошуку. Втім, може +бути повернуто і групи із більшим рівнем вкладеності, якщо під +час попередніх пошуків відбувалася обробка вищих рівнів вкладеності. Крім +того, послідовні пошуки інших груп можуть розширити набір результатів +початкового пошуку, якщо запити щодо пошуку надходять повторно. + + + Якщо значенням ldap_group_nesting_level є 0, вкладені групи взагалі не +оброблятимуться. 
Втім, якщо з’єднання встановлено з Active-Directory Server +2008 та новішими версіями з використанням id_provider=ad, +слід також вимкнути використання груп реєстраційних записів (Token-Groups) +встановленням для параметра ldap_use_tokengroups значення false з метою +обмеження вкладеності у групах. + + + Типове значення: 2 + + + + + + ldap_groups_use_matching_rule_in_chain + + + За допомогою цього параметра можна наказати SSSD скористатися перевагами +специфічної для Active Directory можливості, яка надає змогу пришвидшити дії +з пошуку груп у мережах зі складною системою груп або системою груп з +високим рівнем вкладеності. + + + Здебільшого, не варто вмикати цю можливість. Пришвидшення за її допомогою +можна буде спостерігати лише у дуже складних випадках вкладеності груп. + + + Якщо увімкнено цей параметр, SSSD використовуватиме можливість, якщо під час +початкового сеансу з’єднання виявить, що на сервері передбачено підтримку +можливості. Отже, насправді значення «True» означає «визначити автоматично». + + + Зауваження: відомо, що у поточній версії цією можливістю можна скористатися +лише для Active Directory 2008 R1 та пізніших версій. Докладніше про це +можна дізнатися з документації +MSDN(TM). + + + Типове значення: False + + + + + + ldap_initgroups_use_matching_rule_in_chain + + + За допомогою цього параметра можна наказати SSSD скористатися перевагами +специфічної для Active Directory можливості, яка може пришвидшити дії з +початковими групами (initgroups). Особливо помітним таке пришвидшення є у +системах зі складною системою груп або системою груп з високим рівнем +вкладеності. + + + Якщо увімкнено цей параметр, SSSD використовуватиме можливість, якщо під час +початкового сеансу з’єднання виявить, що на сервері передбачено підтримку +можливості. Отже, насправді значення «True» означає «визначити автоматично». + + + Зауваження: відомо, що у поточній версії цією можливістю можна скористатися +лише для Active Directory 2008 R1 та пізніших версій. 
Докладніше про це +можна дізнатися з документації +MSDN(TM). + + + Типове значення: False + + + + + + ldap_use_tokengroups + + + За допомогою цього параметра можна увімкнути або вимкнути використання +атрибута Token-Groups під час виконання initgroup для користувачів Active +Directory Server 2008 та новіших версій. + + + Типове значення: True для AD і IPA, інакше False. + + + + + + ldap_netgroup_object_class (рядок) + + + Клас об’єктів запису мережевої групи (netgroup) у LDAP. + + + У надавачі даних IPA має бути використано ipa_netgroup_object_class. + + + Типове значення: nisNetgroup + + + + + + ldap_netgroup_name (рядок) + + + Атрибут LDAP, що відповідає назві мережевої групи (netgroup). + + + У надавачі даних IPA має бути використано ipa_netgroup_name. + + + Типове значення: cn + + + + + + ldap_netgroup_member (рядок) + + + Атрибут LDAP, у якому містяться імена учасників мережевої групи (netgroup). + + + У надавачі даних IPA має бути використано ipa_netgroup_member. + + + Типове значення: memberNisNetgroup + + + + + + ldap_netgroup_triple (рядок) + + + Атрибут LDAP, що містить трійки мережевої групи (вузол, користувач, домен). + + + Цим параметром не можна скористатися у надавачі даних IPA. + + + Типове значення: nisNetgroupTriple + + + + + + ldap_netgroup_modify_timestamp (рядок) + + + Атрибут LDAP, що містить часову позначку останньої зміни батьківського +об’єкта. + + + Цим параметром не можна скористатися у надавачі даних IPA. + + + Типове значення: modifyTimestamp + + + + + + ldap_host_object_class (рядок) + + + Клас об’єктів запису вузла у LDAP. + + + Типове значення: ipService + + + + + + ldap_host_name (рядок) + + + Атрибут LDAP, що відповідає назві вузла. + + + Типове значення: cn + + + + + + ldap_host_fqdn (рядок) + + + Атрибут LDAP, що відповідає повній назві вузла. + + + Типове значення: fqdn + + + + + + ldap_host_serverhostname (рядок) + + + Атрибут LDAP, що відповідає назві вузла. 
+ + + Типове значення: serverHostname + + + + + + ldap_host_member_of (рядок) + + + Атрибут LDAP зі списком груп, у яких бере участь вузол. + + + Типове значення: memberOf + + + + + + ldap_host_search_base (рядок) + + + Необов’язковий. Використати вказаний рядок як основу пошуку об’єктів вузлів. + + + Ознайомтеся з розділом щодо «ldap_search_base», щоб дізнатися більше про +налаштування декількох основ пошуку. + + + Типове значення: значення ldap_search_base + + + + + + ldap_host_ssh_public_key (рядок) + + + Атрибут LDAP, який містить відкриті ключі SSH вузла. + + + Типове значення: sshPublicKey + + + + + + ldap_host_uuid (рядок) + + + Атрибут LDAP, що містить UUID/GUID об’єкта вузла LDAP. + + + Типове значення: not set + + + + + + ldap_service_object_class (рядок) + + + Клас об’єктів запису служби у LDAP. + + + Типове значення: ipService + + + + + + ldap_service_name (рядок) + + + Атрибут LDAP, що містить назву атрибутів служби та замінників цих атрибутів. + + + Типове значення: cn + + + + + + ldap_service_port (рядок) + + + Атрибут LDAP, що містить номер порту, яким керує ця служба. + + + Типове значення: ipServicePort + + + + + + ldap_service_proto (рядок) + + + Атрибут LDAP, що містить протоколи, за яким може працювати ця служба. + + + Типове значення: ipServiceProtocol + + + + + + ldap_service_search_base (рядок) + + + + + ldap_search_timeout (ціле число) + + + Визначає час очікування на дані (у секундах) для виконання пошуків ldap, +перш ніж пошук буде скасовано з поверненням кешованих даних (і переходом до +автономного режиму роботи) + + + Зауваження: роботу цього параметра буде змінено у наступних версіях +SSSD. Ймовірно, його буде колись замінено на послідовність часів очікування +для окремих типів пошуків. 
+ + + Типове значення: 6 + + + + + + ldap_enumeration_search_timeout (ціле число) + + + Визначає час очікування на дані (у секундах) для виконання пошуків номерів +користувачів та груп у ldap, перш ніж пошук буде скасовано з поверненням +кешованих даних (і переходом до автономного режиму роботи) + + + Типове значення: 60 + + + + + + ldap_network_timeout (ціле число) + + + Визначає час очікування (у секундах), після завершення якого +poll 2 +/ select +2 з наступним +connect 2 + повертається до стану бездіяльності. + + + Типове значення: 6 + + + + + + ldap_opt_timeout (ціле число) + + + Визначає час очікування (у секундах), після завершення якого виклики до +синхронних програмних інтерфейсів LDAP буде перервано, якщо не буде отримано +відповіді. Також керує часом очікування під час обміну даними з KDC у +випадку прив’язки SASL, часом очікування на дію з прив’язування LDAP, +розширеної операції зі зміни пароля та дії StartTLS. + + + Типове значення: 6 + + + + + + ldap_connection_expire_timeout (ціле значення) + + + Визначає час очікування (у секундах), протягом якого підтримуватиметься +з’єднання з сервером LDAP. По завершенню цього часу буде зроблено спробу +повторно встановити з’єднання. У разі використання паралельно до SASL/GSSAPI +буде використано перше за часом значення (це значення або значення строку +дії TGT). + + + Типове значення: 900 (15 хвилин) + + + + + + ldap_page_size (ціле число) + + + Визначити кількість записів, які слід отримати з LDAP у відповідь на один +запит. На деяких серверах LDAP визначено обмеження максимальної кількості на +один запит. + + + Типове значення: 1000 + + + + + + ldap_disable_paging (булеве значення) + + + Вимикає контроль сторінок LDAP. Цим параметром слід скористатися, якщо +сервер LDAP повідомляє про підтримку контролю сторінок LDAP у своєму +RootDSE, але цю підтримку не увімкнено або вона не працює належним чином. 
+ + + Приклад: сервери OpenLDAP з модулем контролю сторінок, встановленим на +сервері, але не увімкненим, повідомляють про підтримку у RootDSE, але цією +підтримкою не можна скористатися. + + + Приклад: 389 DS має ваду, пов’язану з тим, що здатен підтримувати лише один +процес контролю сторінок для одного з’єднання. У разі значного навантаження +це може призвести до відмови у виконанні запитів. + + + Типове значення: False + + + + + + ldap_disable_range_retrieval (булеве значення) + + + Вимкнути отримання діапазону Active Directory. + + + У Active Directory за допомогою правила MaxValRange (типове значення 1500 +записів) обмежується кількість записів, які може бути отримано під час +пошуку. Якщо у певній групі міститься більше записів учасників, до відповіді +буде включено специфічне для AD розширення діапазону. За допомогою цього +параметра можна вимкнути обробку розширення діапазону, отже великі групи +буде представлено як такі, у яких немає учасників. + + + Типове значення: False + + + + + + ldap_sasl_minssf (ціле значення) + + + Під час обміну даними з сервером LDAP за допомогою SASL визначає мінімальний +рівень захисту, потрібний для встановлення з’єднання. Значення цього +параметра визначається OpenLDAP. + + + Типове значення: типове для системи значення (зазвичай, визначається у +ldap.conf) + + + + + + ldap_deref_threshold (ціле число) + + + Вказує кількість учасників групи, записів яких має не вистачати у +зовнішньому кеші для запуску загального пошуку з розіменуванням. Якщо +пропущених записів буде менше за вказану кількість, пошук для них +виконуватиметься окремо. + + + Ви можете повністю вимкнути пошуки з отриманням значення об’єкта +(розіменуванням), якщо вкажете значення 0. + + + Пошук з розіменуванням — це отримання всіх записів учасників групи за одним +викликом LDAP. У різних серверах LDAP може бути передбачено різні способи +розіменування. У поточній версії передбачено підтримку серверів 389/RHDS, +OpenLDAP та Active Directory. 
+ + + Зауваження: якщо у одній з основ пошуку визначається +фільтр пошуку, покращення швидкодії фільтрів розіменування буде вимкнено, +незалежно від використання цього параметра. + + + Типове значення: 10 + + + + + + ldap_tls_reqcert (рядок) + + + Визначає перелік перевірок, які слід виконати для сертифікатів серверів у +сеансі TLS, якщо такі перевірки слід виконувати. Може бути визначено одне з +таких значень: + + + never = клієнт не надсилатиме запиту і не перевірятиме +жодних сертифікатів сервера. + + + allow = надіслати запит щодо сертифіката сервера. Якщо +сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде +надано помилковий сертифікат, ігнорувати і продовжити сеанс у звичайному +режимі. + + + try = надіслати запит щодо сертифіката сервера. Якщо +сертифікат не буде надано, продовжити сеанс у звичайному режимі. Якщо буде +надано помилковий сертифікат, негайно перервати сеанс. + + + demand = надіслати запит щодо сертифіката сервера. Якщо +сертифікат не буде надано або буде надано помилковий сертифікат, негайно +перервати сеанс. + + + hard = те саме, що і demand + + + Типове значення: hard + + + + + + ldap_tls_cacert (рядок) + + + Визначає файл, який містить сертифікати для всіх служб сертифікації, які +розпізнаються sssd. + + + Типове значення: використовувати типові параметри OpenLDAP, що зберігаються +у /etc/openldap/ldap.conf + + + + + + ldap_tls_cacertdir (рядок) + + + Визначає шлях до каталогу, де у окремих файлах містяться сертифікати служб +сертифікації (CA). Типовими назвами файлів є хеші сертифікатів з додаванням +«.0». Для створення відповідних назв можна скористатися +cacertdir_rehash, якщо ця програма є доступною. + + + Типове значення: використовувати типові параметри OpenLDAP, що зберігаються +у /etc/openldap/ldap.conf + + + + + + ldap_tls_cert (рядок) + + + Визначає файл, який містить сертифікат для ключа клієнта. 
+ + + Типове значення: not set + + + + + + ldap_tls_key (рядок) + + + Визначає файл, у якому міститься ключ клієнта. + + + Типове значення: not set + + + + + + ldap_tls_cipher_suite (рядок) + + + Визначає прийнятні комплекти програм для шифрування. Записи у типовому +списку слід відокремлювати комами. З форматом можна ознайомитися на сторінці +довідника до ldap.conf +5. + + + Типове значення: використовувати типові параметри OpenLDAP, що зберігаються +у /etc/openldap/ldap.conf + + + + + + ldap_id_use_start_tls (булеве значення) + + + Визначає, що з’єднання id_provider має також використовувати tls для захисту каналу. + + + Типове значення: false + + + + + + ldap_id_mapping (булеве значення) + + + Визначає, що SSSD має намагатися встановити відповідність ідентифікаторів +користувача і групи на основі атрибутів ldap_user_objectsid та +ldap_group_objectsid, замість атрибутів ldap_user_uid_number та +ldap_group_gid_number. + + + У поточній версії у цій можливості передбачено підтримку лише встановлення +відповідності objectSID у ActiveDirectory. + + + Типове значення: false + + + + + + ldap_min_id, ldap_max_id (ціле число) + + + На відміну від прив’язування ідентифікаторів на основі SID, яке +використовується, якщо параметр ldap_id_mapping має значення true, діапазон +дозволених ідентифікаторів для ldap_user_uid_number і ldap_group_gid_number +є необмеженим. У конфігураціях з піддоменами та довіреними доменами це може +призвести до конфліктів ідентифікаторів. Щоб уникнути конфліктів, можна +встановити значення ldap_min_id і ldap_max_id для обмеження дозволеного +діапазону ідентифікаторів, які буде прочитано безпосередньо з сервера. Після +цього піддомени можуть вибирати інші діапазони для прив’язування +ідентифікаторів. + + + Типове значення: не встановлено (обидва параметри встановлено у значення 0) + + + + + + ldap_sasl_mech (рядок) + + + Визначає механізм SASL, який слід використовувати. У поточній версії +перевірено і підтримується лише механізм GSSAPI. 
+ + + Типове значення: not set + + + + + + ldap_sasl_authid (рядок) + + + Specify the SASL authorization id to use. When GSSAPI is used, this +represents the Kerberos principal used for authentication to the directory. +This option can either contain the full principal (for example +host/myhost@EXAMPLE.COM) or just the principal name (for example +host/myhost). By default, the value is not set and the following principals +are used: +hostname@REALM +netbiosname$@REALM +host/hostname@REALM +*$@REALM +host/*@REALM +host/* + If none of them are +found, the first principal in keytab is returned. + + + Типове значення: вузол/назва_вузла@ОБЛАСТЬ + + + + + + ldap_sasl_realm (рядок) + + + Визначає область SASL, яку слід використовувати. Якщо не вказано значення, +типовим значенням цього параметра є значення krb5_realm. Якщо +ldap_sasl_authid також містить запис області, цей параметр буде +проігноровано. + + + Типове значення: значення krb5_realm. + + + + + + ldap_sasl_canonicalize (булеве значення) + + + Якщо встановлено значення true (1), бібліотека LDAP виконувати зворотній +пошук з метою переведення назв вузлів у канонічну форму під час прив’язки до +SASL. + + + Типове значення: false; + + + + + + ldap_krb5_keytab (рядок) + + + Визначає таблицю ключів, яку слід використовувати разом з SASL/GSSAPI. + + + Типове значення: системна таблиця ключів, зазвичай +/etc/krb5.keytab + + + + + + ldap_krb5_init_creds (булеве значення) + + + Визначає, що id_provider має ініціалізувати реєстраційні дані Kerberos +(TGT). Цю дію буде виконано, лише якщо використовується SASL і вибрано +механізм GSSAPI. + + + Типове значення: true + + + + + + ldap_krb5_ticket_lifetime (ціле число) + + + Визначає строк дії (у секундах) TGT, якщо використовується GSSAPI. + + + Типове значення: 86400 (24 години) + + + + + + krb5_server, krb5_backup_server (рядок) + + + Визначає список IP-адрес або назв вузлів, відокремлених комами, серверів +Kerberos, з якими SSSD має встановлювати з’єднання. 
Список має бути +впорядковано за пріоритетом. Докладніше про резервування та додаткові +сервери можна дізнатися з розділу «РЕЗЕРВ». До адрес або назв вузлів може +бути додано номер порту (перед номером слід вписати двокрапку). Якщо +параметр матиме порожнє значення, буде увімкнено виявлення служб. Докладніше +про виявлення служб можна дізнатися з розділу «ПОШУК СЛУЖБ». + + + Під час використання виявлення служб для серверів KDC або kpasswd SSSD +спочатку намагається знайти записи DNS, у яких визначається протокол +_udp. Використання протоколу _tcp відбувається, лише якщо таких записів не +вдасться знайти. + + + У попередніх випусках SSSD цей параметр мав назву «krb5_kdcip». У поточній +версії передбачено розпізнавання цієї застарілої назви, але користувачам +варто перейти на використання «krb5_server» у файлах налаштувань. + + + + + + krb5_realm (рядок) + + + Вказати область Kerberos (для розпізнавання за SASL/GSSAPI). + + + Типове значення: типове значення системи, +див. /etc/krb5.conf + + + + + + krb5_canonicalize (булеве значення) + + + Визначає, чи слід перетворювати реєстраційний запис вузла у канонічну форму +під час встановлення з’єднання з сервером LDAP. Цю можливість передбачено з +версії MIT Kerberos >= 1.7 + + + + Типове значення: false + + + + + + krb5_use_kdcinfo (булеве значення) + + + Визначає, чи слід SSSD вказувати бібліотекам Kerberos, яку область і які +значення KDC слід використовувати. Типово, дію параметра увімкнено. Якщо ви +вимкнете його, вам слід налаштувати бібліотеку Kerberos за допомогою файла +налаштувань krb5.conf +5 . + + + Див. сторінку підручника (man) +sssd_krb5_locator_plugin +8 , щоб дізнатися більше про додаток +пошуку. + + + Типове значення: true + + + + + + ldap_pwd_policy (рядок) + + + Визначає правил оцінки строку дії пароля на боці клієнта. Можна +використовувати такі значення: + + + none — не використовувати перевірки на боці клієнта. У +разі використання цього варіанта перевірку на боці сервера вимкнено не буде. 
+ + + shadow — використовувати атрибути у стилі +shadow +5 для визначення того, чи чинним є +пароль. + + + mit_kerberos — використовувати атрибути MIT Kerberos +для визначення завершення строку дії пароля. У разі зміни пароля +скористайтеся chpass_provider=krb5 для оновлення цих атрибутів. + + + Типове значення: none + + + Зауваження: якщо правила поводження з паролями +налаштовано на боці сервера, ці правила мають пріоритет над правилами, +встановленими за допомогою цього параметра. + + + + + + ldap_referrals (булеве значення) + + + Визначає, чи має бути увімкнено автоматичне визначення напрямків пошуку. + + + Зауважте, що sssd підтримує визначення напрямків, лише якщо систему зібрано +з версією OpenLDAP 2.4.13 або новішою версією. + + + Перехід за спрямуваннями може призвести до значних втрат швидкодії у +середовищах, де такі спрямування використовуються широко. Прикладом такого +середовища може бути Microsoft Active Directory. Якщо у вашому середовищі +спрямування не є обов’язковими, встановлення для цього параметра значення +«false» може значно пришвидшити роботу. + + + Типове значення: true + + + + + + ldap_dns_service_name (рядок) + + + Визначає назву служби, яку буде використано у разі вмикання визначення +служб. + + + Типове значення: ldap + + + + + + ldap_chpass_dns_service_name (рядок) + + + Визначає назву служби, яку буде використано для пошуку сервера LDAP, який +уможливлює зміну паролів, у разі вмикання визначення служб. + + + Типове значення: не встановлено, тобто пошук служб вимкнено + + + + + + ldap_chpass_update_last_change (булеве значення) + + + Визначає, чи слід оновлювати атрибут ldap_user_shadow_last_change даними +щодо кількості днів з часу виконання дії зі зміни пароля. + + + Типове значення: False + + + + + + ldap_access_filter (рядок) + + + Якщо використовується access_provider = ldap та ldap_access_order = filter +(типова поведінка), цей параметр є обов’язковим. 
Він вказує критерії +фільтрування LDAP, яким має задовольняти запис користувача для надання +доступу до цього вузла. Якщо визначено access_provider = ldap та +ldap_access_order = filter, а цей параметр не встановлено, доступ буде +заборонено всім користувачам. Щоб змінити таку типову поведінку системи, +скористайтеся параметром access_provider = permit. Будь ласка, зауважте, що +цей фільтр застосовуватиметься лише до запису користувача LDAP, отже +фільтрування, засноване на вкладених групах може не працювати (наприклад, +атрибут memberOf для записів AD вказує лише на безпосередні батьківські +записи). Якщо вам потрібне фільтрування, засноване на вкладених групах, будь +ласка, скористайтеся параметром +sssd-simple5 +. + + + Приклад: + + +access_provider = ldap +ldap_access_filter = (employeeType=admin) + + + У прикладі доступ до цього вузла обмежено користувачами, чий атрибут +employeeType встановлено у значення «admin». + + + Автономне кешування для цієї можливості обмежено визначенням того, чи було +надано користувачеві під час попередньої спроби увійти до системи з мережі +права доступу. Якщо під час останньої спроби увійти такі права було надано, +система продовжуватиме надавати права доступу у автономному режимі. Якщо ж +таких прав не було надано, у автономному режимі їх також не буде надано. + + + Типове значення: порожній рядок + + + + + + ldap_account_expire_policy (рядок) + + + За допомогою цього параметра може бути увімкнено визначення атрибутів +керування доступом на боці клієнта. + + + Будь ласка, зауважте, що завжди варто використовувати керування доступом на +боці сервера, тобто сервер LDAP має відмовляти у запитах щодо прив’язування +з відповідним кодом помилки, навіть якщо вказано правильний пароль. + + + Можна використовувати такі значення: + + + shadow: це значення ldap_user_shadow_expire допомагає +визначити, чи завершено строк дії облікового запису. 
+ + + ad: скористатися значенням 32-бітового поля +ldap_user_ad_user_account_control і дозволити доступ, якщо другий біт має +нульове значення. Якщо атрибут не буде знайдено, доступ буде +дозволено. Також буде перевірено, чи не вичерпано строк дії облікового +запису. + + + rhds, ipa, +389ds: використовувати для перевірки доступу значення +ldap_ns_account_lock. + + + nds: для перевірки доступу використовувати значення +ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled і +ldap_user_nds_login_expiration_time. Якщо не буде виявлено жодного з цих +атрибутів, надати доступ. + + + + Будь ласка, зауважте, що параметр налаштування ldap_access_order +має включати expire, щоб можна було +користуватися параметром ldap_account_expire_policy. + + + Типове значення: порожній рядок + + + + + + ldap_access_order (рядок) + + + Список відокремлених комами параметрів керування доступом. Можливі значення +списку: + + + filter: використовувати ldap_access_filter + + + lockout: використовувати блокування облікових +записів. Якщо встановлено, цей параметр забороняє доступ, якщо існує атрибут +ldap «pwdAccountLockedTime» і його значенням є «000001010000Z». Будь ласка, +ознайомтеся із документацією до параметра ldap_pwdlockout_dn. Зауважте, що +для працездатності цієї можливості слід встановити «access_provider = ldap». + + + Будь ласка, зауважте, що цей параметр має нижчий пріоритет за +параметр «ppolicy», його може бути вилучено у наступних випусках. + + + + ppolicy: використовувати блокування облікових +записів. Якщо встановлено, забороняє доступ у випадку наявності атрибута +ldap «pwdAccountLockedTime» рівного «000001010000Z» або такого, що +відповідає моменту часу у минулому. Значення атрибута «pwdAccountLockedTime» +має завершуватися на «Z», що позначає часовий пояс UTC. Підтримки інших +часових поясів у поточній версії не передбачено, їхнє використання +призводитиме до появи повідомлення про заборону доступу, коли користувачі +намагатимуться увійти до системи. 
Докладніший опис можна знайти у розділі +щодо параметра ldap_pwdlockout_dn. Будь ласка, зауважте, що для +працездатності цього параметра слід встановити значення «access_provider = +ldap». + + + + expire: використовувати ldap_account_expire_policy + + + pwd_expire_policy_reject, pwd_expire_policy_warn, +pwd_expire_policy_renew: Ці параметри корисні, якщо користувачам +потрібні попередження щодо скорого завершення строку дії пароля, і у +випадках, коли розпізнавання засновано на відмінних від паролів методах, +наприклад на ключах SSH. + + + Відмінність між цими параметрами полягає у дії, яку буде виконано, якщо +строк дії пароля вичерпано: pwd_expire_policy_reject — користувачеві буде +заборонено вхід до системи, pwd_expire_policy_warn — користувач ще зможе +увійти до системи, pwd_expire_policy_renew — система попросить користувача +негайно змінити пароль. + + + Зауважте, що якщо строк дії пароля вичерпано, запит із явним повідомленням +від SSSD не надходитиме. + + + Будь ласка, зауважте, що для того, щоб цим можна було скористатися, слід +встановити «access_provider = ldap». Крім того, слід встановити для +параметра «ldap_pwd_policy» відповідні правила поводження із паролями. + + + authorized_service: використовувати для визначення +можливості доступу атрибут authorizedService + + + host: за допомогою цього атрибута вузла можна визначити +права доступу + + + rhost: використовувати атрибут rhost для визначення +того, чи матиме віддалений вузол доступ + + + Будь ласка, зауважте, що значення поля rhost у pam встановлюється +програмою. Варто перевірити, що програма надсилає pam, перш ніж вмикати цей +варіант керування доступом. + + + Типове значення: filter + + + Зауважте, що програма повідомить про помилку, якщо одне значення було +використано декілька разів. + + + + + + ldap_pwdlockout_dn (рядок) + + + За допомогою цього параметра визначається DN запису правил поводження із +паролями на сервері LDAP. 
Будь ласка, зауважте, що те, що цього параметра не +буде у sssd.conf, у випадку увімкненого блокування облікових записів +призведе до заборони доступу, оскільки атрибути ppolicy на сервері LDAP не +можна буде перевірити належним чином. + + + Приклад: cn=ppolicy,ou=policies,dc=example,dc=com + + + Типове значення: cn=ppolicy,ou=policies,$ldap_search_base + + + + + + ldap_deref (рядок) + + + Визначає спосіб виконання розіменовування псевдонімів під час виконання +пошуку. Можливі такі варіанти: + + + never: ніколи не виконувати розіменування псевдонімів. + + + searching: розіменування псевдонімів відбувається у +межах основного об’єкта, а не на основі визначення місця основного об’єкта +пошуку. + + + finding: розіменування псевдонімів відбувається лише +під час визначення місця основного об’єкта пошуку. + + + always: розіменування псевдонімів відбувається як під +час пошуку, так і під час визначення місця основного об’єкта пошуку. + + + Типове значення: не встановлено (обробка бібліотеками LDAP клієнта за +сценарієм never) + + + + + + ldap_rfc2307_fallback_to_local_users (булеве значення) + + + Надає змогу зберігати локальних користувачів як учасників групи LDAP для +серверів, у яких використовується схема RFC2307. + + + У деяких середовищах, де використовується схема RFC2307, локальних +користувачів можна зробити учасниками груп LDAP додаванням імен цих +користувачів до атрибута memberUid. Узгодженість домену може бути +скомпрометовано, якщо буде виконано подібне додавання учасника, тому SSSD за +звичайних умов вилучає записи користувачів, яких «не вистачає», з кешованих +даних щодо участі у групах, щойно nsswitch спробує отримати дані щодо +користувачів за допомогою виклику getpw*() або initgroups(). + + + У разі використання цього параметра програма повертається до перевірки +посилань на локальних користувачів і кешує їх так, що наступні виклики +initgroups() розширюватимуть список локальних користувачів додатковими +групами LDAP. 
+ + + Типове значення: false + + + + + + wildcard_limit (ціле число) + + + Визначає верхню межу для кількості записів, які отримуватимуться під час +пошуку з використанням символів-замінників. + + + У поточній версії пошук із використанням символів-замінників передбачено +лише для відповідача InfoPipe. + + + Типове значення: 1000 (часто розмір однієї сторінки) + + + + + + + + + + ПАРАМЕТРИ SUDO + + Докладні настанов щодо налаштовування sudo_provider можна знайти на сторінці +довідника (man) sssd-sudo +5 . + + + + + + ldap_sudorule_object_class (рядок) + + + Клас об’єктів запису правила sudo у LDAP. + + + Типове значення: sudoRole + + + + + + ldap_sudorule_name (рядок) + + + Атрибут LDAP, що відповідає назві правила sudo. + + + Типове значення: cn + + + + + + ldap_sudorule_command (рядок) + + + Атрибут LDAP, що відповідає назві команди. + + + Типове значення: sudoCommand + + + + + + ldap_sudorule_host (рядок) + + + Атрибут LDAP, який відповідає назві вузла (або IP-адресі вузла, IP-мережі +вузла, мережевій групі вузла) + + + Типове значення: sudoHost + + + + + + ldap_sudorule_user (рядок) + + + Атрибут LDAP, що відповідає назві імені користувача (або UID, назві групи +або назві мережевої групи користувача) + + + Типове значення: sudoUser + + + + + + ldap_sudorule_option (рядок) + + + Атрибут LDAP, що відповідає параметрам sudo. + + + Типове значення: sudoOption + + + + + + ldap_sudorule_runasuser (рядок) + + + Атрибут LDAP, що відповідає користувачеві, від імені якого можна виконувати +команди. + + + Типове значення: sudoRunAsUser + + + + + + ldap_sudorule_runasgroup (рядок) + + + Атрибут LDAP, що відповідає назві групи або GID, від імені якої можна +виконувати команди. + + + Типове значення: sudoRunAsGroup + + + + + + ldap_sudorule_notbefore (рядок) + + + Атрибут LDAP, що відповідає даті і часу набуття чинності правилом sudo. 
+ + + Типове значення: sudoNotBefore + + + + + + ldap_sudorule_notafter (рядок) + + + Атрибут LDAP, що відповідає даті і часу втрати чинності правилом sudo. + + + Типове значення: sudoNotAfter + + + + + + ldap_sudorule_order (рядок) + + + Атрибут LDAP, що відповідає порядковому номеру правила. + + + Типове значення: sudoOrder + + + + + + ldap_sudo_full_refresh_interval (ціле число) + + + Проміжок часу у секундах між послідовними повними оновленнями правил sudo +SSSD у автоматичному режимі. Під час таких оновлень буде отримано повний +набір правил, що зберігаються на сервері. + + + Це значення має перевищувати значення +ldap_sudo_smart_refresh_interval + + + Типове значення: 21600 (6 годин) + + + + + + ldap_sudo_smart_refresh_interval (ціле число) + + + Проміжок часу у секундах між послідовними кмітливими оновленнями правил sudo +SSSD у автоматичному режимі. Під час таких оновлень буде отримано всі дані +правил, USN яких перевищує найбільше значення USN у кешованих правилах. + + + Якщо підтримки атрибутів USN на сервері не передбачено, буде використано +дані атрибута modifyTimestamp. + + + Типове значення: 900 (15 хвилин) + + + + + + ldap_sudo_use_host_filter (булеве значення) + + + Якщо визначено значення true, SSSD отримуватиме лише правила, що стосуються +цього комп’ютера (на основі адрес вузла або мережі у форматах IPv4 і IPv6 та +назв вузлів). + + + Типове значення: true + + + + + + ldap_sudo_hostnames (рядок) + + + Список назв вузлів або повних доменних назв, відокремлених пробілами, для +фільтрування списку правил. + + + Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити +назву вузла та повну назву комп’ютера у домені у автоматичному режимі. + + + Якщо для ldap_sudo_use_host_filter встановлено значення +false, цей параметр ні на що не впливатиме. + + + Типове значення: не вказано + + + + + + ldap_sudo_ip (рядок) + + + Список адрес вузлів або мереж у форматах IPv4 і IPv6 для фільтрування списку +правил. 
+ + + Якщо значення цього параметра є порожнім, SSSD намагатиметься визначити +адресу у автоматичному режимі. + + + Якщо для ldap_sudo_use_host_filter встановлено значення +false, цей параметр ні на що не впливатиме. + + + Типове значення: не вказано + + + + + + ldap_sudo_include_netgroups (булеве значення) + + + Якщо вказано значення true, SSSD отримуватиме всі правила, що містять +мережеву групу (netgroup) у атрибуті sudoHost. + + + Якщо для ldap_sudo_use_host_filter встановлено значення +false, цей параметр ні на що не впливатиме. + + + Типове значення: true + + + + + + ldap_sudo_include_regexp (булеве значення) + + + Якщо вказано значення true, SSSD отримуватиме всі правила, що містять шаблон +заміни у атрибуті sudoHost. + + + Якщо для ldap_sudo_use_host_filter встановлено значення +false, цей параметр ні на що не впливатиме. + + + Типове значення: true + + + + + + + На цій сторінці довідника наведено дані щодо відповідності назв +атрибутів. Докладний опис семантики атрибутів, пов’язаних з sudo, можна +знайти у довідці з +sudoers.ldap5 +. + + + + + ПАРАМЕТРИ AUTOFS + + Деякі типові значення параметрів, описаних нижче, залежать від бази даних +LDAP. + + + + + ldap_autofs_map_master_name (рядок) + + + Назва основної карти автоматичного монтування у LDAP. + + + Типове значення: auto.master + + + + + + ldap_autofs_map_object_class (рядок) + + + Клас об’єктів запису карти автоматичного монтування у LDAP. + + + Типове значення: nisMap (rfc2307, autofs_provider=ad), у інших випадках +automountMap + + + + + + ldap_autofs_map_name (рядок) + + + Назва запису карти автоматичного монтування у LDAP. + + + Типове значення: nisMapName (rfc2307, autofs_provider=ad), у інших випадках +automountMapName + + + + + + ldap_autofs_entry_object_class (рядок) + + + Клас об'єктів автоматичного монтування LDAP. Цей запис зазвичай відповідає +точні монтування. 
+ + + Типове значення: nisObject (rfc2307, autofs_provider=ad), у інших випадках +automount + + + + + + ldap_autofs_entry_key (рядок) + + + Ключ запису автоматичного монтування LDAP. Цей запис зазвичай відповідає +точні монтування. + + + Типове значення: cn (rfc2307, autofs_provider=ad), у інших випадках +automountKey + + + + + + + ldap_autofs_entry_value (рядок) + + + Ключ запису автоматичного монтування LDAP. Цей запис зазвичай відповідає +точні монтування. + + + Типове значення: nisMapEntry (rfc2307, autofs_provider=ad), у інших випадках +automountInformation + + + + + + + + + + ДОДАТКОВІ ПАРАМЕТРИ + + Підтримку цих параметрів передбачено доменами LDAP, але користуватися ними +слід обережно. Будь ласка, використовуйте їх у налаштуваннях, лише якщо вам +відомі наслідки ваших дій. + + ldap_netgroup_search_base (рядок) + + + + + ldap_user_search_base (рядок) + + + + + ldap_group_search_base (рядок) + + + + + + + Якщо увімкнено параметр ldap_use_tokengroups, пошуки в Active +Directory не буде обмежено — він повертатиме усі дані щодо участі у групах, +навіть без прив'язки до GID. Рекомендуємо вимкнути цю можливість, якщо назви +груп показуються неправильно. + + + + ldap_sudo_search_base (рядок) + + + + + ldap_autofs_search_base (рядок) + + + + + + + + + + + + + + + ПРИКЛАД + + У наведеному нижче прикладі припускається, що SSSD налаштовано належним +чином, а LDAP встановлено на один з доменів з розділу +[domains]. + + + +[domain/LDAP] +id_provider = ldap +auth_provider = ldap +ldap_uri = ldap://ldap.mydomain.org +ldap_search_base = dc=mydomain,dc=org +ldap_tls_reqcert = demand +cache_credentials = true + + + + + ПРИКЛАД ФІЛЬТРА ДОСТУПУ LDAP + + У наведеному нижче прикладі припускається, що SSSD налаштовано належним +чином і використано ldap_access_order=lockout. 
+ + + +[domain/LDAP] +id_provider = ldap +auth_provider = ldap +access_provider = ldap +ldap_access_order = lockout +ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org +ldap_uri = ldap://ldap.mydomain.org +ldap_search_base = dc=mydomain,dc=org +ldap_tls_reqcert = demand +cache_credentials = true + + + + + + ЗАУВАЖЕННЯ + + Описи деяких з параметрів налаштування на цій сторінці підручника засновано +на даних сторінки підручника (man) +ldap.conf 5 + з пакунка OpenLDAP 2.4. + + + + + + + diff --git a/src/man/uk/sssd-secrets.5.xml b/src/man/uk/sssd-secrets.5.xml new file mode 100644 index 0000000..b66287c --- /dev/null +++ b/src/man/uk/sssd-secrets.5.xml 
@@ -0,0 +1,594 @@ + + + +Сторінки підручника SSSD + + + + + sssd-secrets + 5 + Формати файлів та правила + + + + sssd-secrets + Відповідач реєстраційних даних SSSD + + + + ОПИС + + На цій сторінці довідника описано налаштування засобу надання відповідей +Secrets для sssd +8 . Щоб дізнатися більше про синтаксис +налаштування, зверніться до розділу «ФОРМАТ ФАЙЛІВ» сторінки довідника + sssd.conf +5 . + + + У багатьох програмах системи або користувача існує потреба у збереженні +конфіденційних даних, зокрема паролів і ключів до служб, та зручній роботі з +цими даними. Простим способом вирішення цієї проблеми є вбудовування цих +реєстраційних даних до файлів налаштувань. Втім, це +призводить до потенційного розширення доступу до конфіденційних даних через +резервні копії, системи керування налаштуваннями, та загалом робить захист +даних важчим. + + + Проект custodia +було створено для урегулювання цієї проблеми у хмароподібних середовищах, +але нам ця ідея здалася вартою уваги навіть на рівні окремої ізольованої +системи. Як служба захисту, SSSD є ідеальним місцем для реалізації такої +можливості з доступом до відповідного програмного інтерфейсу через сокети +UNIX. Така реалізація уможливлює використання локальних викликів і належну +маршрутизацію до локального або віддаленого сховища ключів, зокрема сховища +IPA, для зберігання, депонування і відновлення даних. + + + Записи реєстраційних даних є простими парами ключ-значення. Реєстраційні +дані кожного з користувачів співвідносяться із його простором назв на основі +ідентифікатора користувача. Це означає, що реєстраційні дані одного +користувача ніколи не потраплять до іншого. Реєстраційні дані зберігаються у +контейнерах, які можна вкладати один у одного. 
+ + + Оскільки відповідач реєстраційних даних може використовуватися ззовні для +зберігання загальних реєстраційних даних, як це описано у решті цієї +сторінки підручника, і всередині іншими компонентами SSSD для зберігання +власних реєстраційних даних, можна налаштувати деякі параметри, зокрема +квоти для окремих записів hive у підрозділі налаштувань із +назвою відповідного рою. Підтримувані у поточній версії рої: + + secrets + записи реєстраційних даних для загального використання + + + kcm + + використовується службою +sssd-kcm 8 +. + + + + + + + + + КОРИСТУВАННЯ ВІДПОВІДАЧЕМ РЕЄСТРАЦІЙНИХ ДАНИХ + + Сокет UNIX, на якому відповідач SSSD очікує на дані, розташовано у +/var/run/secrets.socket. + + + Відповідач для реєстраційних даних активується за допомогою сокетів + systemd +1 . На відміну від інших відповідачів +SSSD, його не можна запустити додаванням рядка secrets до +інструкції service. Модуль сокета systemd називається +sssd-secrets.socket, а відповідний файл служби має назву +sssd-secrets.service. Щоб службу можна було активувати за +допомогою сокета, слід увімкнути і задіяти сокет, а потім увімкнути службу: + +systemctl start sssd-secrets.socket +systemctl enable sssd-secrets.socket +systemctl enable sssd-secrets.service + Будь ласка, зауважте, що +відповідні налаштування модулів вже могло бути виконано засобами вашого +дистрибутива. + + + + + ПАРАМЕТРИ НАЛАШТУВАННЯ + + Відповідачу реєстраційних даних можна передавати типові параметри +відповідача SSSD, зокрема debug_level та +fd_limit. Із повним списком параметрів можна ознайомитися на +сторінці підручника sssd.conf +5 . Крім того, передбачено декілька +специфічних для реєстраційних даних параметрів. + + + Відповідач реєстраційних даних налаштовується за допомогою загального +розділу [secrets] і необов'язкових розділів +[secrets/users/$uid] для окремих користувачів у +sssd.conf. 
Будь ласка, зауважте, що деякі параметра, +зокрема тип постачальника даних, можна вказати лише у підрозділах окремих +користувачів. + + + + provider (рядок) + + + Цей параметр визначає, де слід зберігати реєстраційні дані. Відповідач +реєстраційних даних може налаштувати підрозділи для окремих користувачів +(наприклад, [secrets/users/123] — див. нижню частину цієї +сторінки підручників, де наведено повний приклад використання Custodia для +окремого користувача), які визначатимуть, яке сховище відповідача +зберігатиме дані певного користувача. Підрозділи окремих користувачів мають +містити усі параметри відповідного засобу надання даних користувача. Будь +ласка, зауважте, що у поточній версії загальний постачальних даних з завжди +локальним, а проміжного постачальника можна вказати лише для окремого +користувача у відповідному розділі. Передбачено підтримку таких +відповідачів: + + local + + + Реєстраційні дані зберігаються у локальній базі даних, зашифровані, разом із +іншими даними, за допомогою основного ключа. Для локального засобу надання +даних у поточній версії не передбачено жодних додаткових параметрів. + + + + + proxy + + + Відповідач реєстраційних даних переспрямовує запити до сервера Custodia. Для +засобу надання даних «proxy» передбачено декілька додаткових параметрів +(див. нижче). + + + + + + + Типове значення: local + + + + + + Наведені нижче параметри стосуються лише записів реєстраційних даних +hive і тому їх слід встановлювати у підрозділах окремих +роїв. Встановлення значення параметра 0 означає «без обмежень». + + + + containers_nest_level (ціле значення) + + + Цей параметр визначає максимальну дозволену кількість вкладених контейнерів. + + + Типове значення: 4 + + + + + max_secrets (ціле значення) + + + Цей параметр визначає максимальну кількість записів реєстраційних даних, які +можна зберігати у рою. 
+ + + Типове значення: 1024 (рій реєстраційних даних), 256 (рій kcm) + + + + + max_uid_secrets (ціле число) + + + Цей параметр визначає максимальну кількість записів реєстраційних даних, які +можна зберігати окремо для різних UID у рою. + + + Типове значення: 256 (рій реєстраційних даних), 64 (рій kcm) + + + + + max_payload_size (ціле значення) + + + Цей параметри визначає максимальний об'єм даних для реєстраційного запису у +кілобайтах. + + + Типове значення: 16 (рій реєстраційних даних), 65536 (64 МіБ) (рій kcm) + + + + + + Наприклад, щоб встановити різні квоти для роїв secrets та +kcm, скористайтеся такими рядками: +[secrets/secrets] +max_payload_size = 128 + +[secrets/kcm] +max_payload_size = 256 + + + + Вказані нижче параметри стосуються лише конфігурацій, у яких +використовується засіб надання даних proxy. + + + + proxy_url (рядок) + + + Адреса, за якою очікуватиме на дані сервер Custodia. У поточній версії +передбачено підтримку протоколів http і https. + + + Формат адреси має відповідати формату, що визначається RFC 2732: + + + http[s]://<вузол>[:порт] + + + Приклад: http://localhost:8080 + + + + + auth_type (рядок) + + + Спосіб розпізнавання сервером Custodia. Передбачено підтримку таких способів +розпізнавання: + + + + basic_auth + + + Виконати розпізнавання на основі імені користувача і пароля, які визначено +параметрами username і password. + + + + + header + + + Виконати розпізнавання за допомогою значення заголовка HTTP, як його +визначено у параметрах налаштування auth_header_name і +auth_header_value. + + + + + + + + auth_header_name (рядок) + + + Якщо встановлено, відповідач реєстраційних даних додаватиме заголовок із +цією назвою до запиту HTTP разом із значенням, яке визначається параметром +налаштування auth_header_value. + + + Приклад: MYSECRETNAME + + + + + auth_header_value (рядок) + + + Значення, яке sssd-secrets має використовувати для +auth_header_name. 
+ + + Приклад: mysecret + + + + + forward_headers (список рядків) + + + Список заголовків HTTP, які слід переспрямувати до сервера Custodia разом із +запитом. + + + Типове значення: not set + + + + + verify_peer (булеве значення) + + + Визначає, чи слід перевіряти сертифікат вузла і чи слід вважати його чинним, +якщо для засобу надання даних проксі використано протокол HTTPS. + + + Типове значення: true + + + + + verify_host (булеве значення) + + + Визначає, чи має назва вузла збігатися із назвою вузла у його сертифікаті, +якщо для засобу надання даних проксі використано протокол HTTPS. + + + Типове значення: true + + + + + capath (рядок) + + + Шлях до каталогу, у якому зберігаються сертифікати служб сертифікації. Якщо +для цього параметра не встановлено значення, використовуватиметься +загальносистемний типовий шлях. + + + Типове значення: not set + + + + + cacert (рядок) + + + Шлях до файла, у якому міститься сертифікат служби сертифікації +сервера. Якщо для цього параметра не встановлено значення, програма шукатиме +сертифікат CA у capath. + + + Типове значення: not set + + + + + cert (рядок) + + + Шлях до файла, що містить клієнтський сертифікат, якщо такий потрібен для +сервера. Цей файл може також містити закритий ключ. Закритий ключ можна +також зберігати у файлі, назву якого встановлено за допомогою параметра +key. + + + Типове значення: not set + + + + + key (рядок) + + + Шлях до файла, у якому міститься закритий ключ клієнта. + + + Типове значення: not set + + + + + + + КОРИСТУВАННЯ API REST + + У цьому розділі наведено список доступних команд та приклади користування із +використанням програми curl +1 . Усі запити до засобу надання даних +проксі мають встановлювати для заголовка Content Type значення +application/json. Крім того, для локального засобу надання +даних передбачено підтримку встановлення для Content Type значення +application/octet-stream. 
Реєстраційні дані, збережені із +запитами, де встановлено значення заголовка Content Type +application/octet-stream, є даними у кодуванні base64 у +сховищі, які розшифровуються під час отримання, тому не можна зберігати +реєстраційні дані із одним значенням Content Type і отримувати з +іншим. Адреса реєстраційних даних має починатися з +/secrets/. + + + + Отримання списку реєстраційних даних + + + Щоб отримати список доступних реєстраційних даних, надішліть запит HTTP GET +із кінцевою навскісною рискою у шляху до контейнера. + + + Приклад: +curl -H "Content-Type: application/json" \ + --unix-socket /var/run/secrets.socket \ + -XGET http://localhost/secrets/ + + + + + + Отримання реєстраційних даних + + + Щоб прочитати значення окремого запису реєстраційних даних, надішліть запит +HTTP GET без кінцевої навскісної риски. Остання частина адреси вважатиметься +назвою запису реєстраційних даних. + + + Приклади: +curl -H "Content-Type: application/json" \ + --unix-socket /var/run/secrets.socket \ + -XGET http://localhost/secrets/foo + +curl -H "Content-Type: application/octet-stream" \ + --unix-socket /var/run/secrets.socket \ + -XGET http://localhost/secrets/bar + + + + + + Встановлення реєстраційних даних + + + Щоб встановити запис реєстраційних даних з використанням типу +application/json, надішліть запит HTTP PUT із даними JSON, +які включатимуть тип і значення. Тип (type) має бути встановлено у значення +"simple", а значення (value) має містити дані реєстраційного запису. Якщо +запис із вказаною назвою вже існує, відповіддю буде повідомлення про помилку +409 HTTP. + + + Тип application/json просто надсилає реєстраційний ключ як +вміст повідомлення. + + + У наведеному нижче прикладі ми встановлюємо для реєстраційних даних із +назвою «foo» значення «foosecret», а для реєстраційних даних із назвою «bar» +— значення «barsecret», використовуючи різні значення Content Type. 
+ +curl -H "Content-Type: application/json" \ + --unix-socket /var/run/secrets.socket \ + -XPUT http://localhost/secrets/foo \ + -d'{"type":"simple","value":"foosecret"}' + +curl -H "Content-Type: application/octet-stream" \ + --unix-socket /var/run/secrets.socket \ + -XPUT http://localhost/secrets/bar \ + -d'barsecret' + + + + + + Створення контейнера + + + Контейнери надають додатковий простір назв для реєстраційних даних цього +користувача. Для створення контейнера надішліть запит HTTP POST, чи я адреса +завершуватиметься назвою контейнера. Будь ласка, зауважте, що адреса має +завершуватися символом навскісної риски. + + + У наступному прикладі створюємо контейнер із назвою «mycontainer»: + +curl -H "Content-Type: application/json" \ + --unix-socket /var/run/secrets.socket \ + -XPOST http://localhost/secrets/mycontainer/ + + + + Щоб працювати із записами реєстраційних даних у цьому контейнері, просто +вкладіть записи реєстраційних даних до шляху контейнера: +http://localhost/secrets/mycontainer/mysecret + + + + + + Вилучення реєстраційних даних або контейнера + + + Щоб вилучити запис реєстраційних даних або контейнер, надішліть запит HTTP +DELETE із шляхом до запису реєстраційних даних або до контейнера. + + + У наведеному нижче прикладі ми вилучимо реєстраційні дані для запису «foo». + +curl -H "Content-Type: application/json" \ + --unix-socket /var/run/secrets.socket \ + -XDELETE http://localhost/secrets/foo + + + + + + + + ПРИКЛАД НАЛАШТОВУВАННЯ МОДУЛІВ НАДАННЯ ДАНИХ CUSTODIA І ПРОКСІ + + Для тестування засобу надання даних «proxy» вам слід налаштувати +проксі-передавання на сервер Custodia. Будь ласка, завжди користуйтеся +документацією до Custodia, оскільки інструкції налаштовування у різних +версіях Custodia можуть бути різними. 
+ + + Ці налаштування визначають для сервера Custodia адресу очікування даних +http://localhost:8080, дозволяють будь-кому із заголовком із назвою +MYSECRETNAME, який встановлено у значення mysecretkey, обмін даними із +сервером Custodia. Запишіть ці дані до файла (наприклад, +custodia.conf): +[global] +server_version = "Secret/0.0.7" +server_url = http://localhost:8080/ +auditlog = /var/log/custodia.log +debug = True + +[store:simple] +handler = custodia.store.sqlite.SqliteStore +dburi = /var/lib/custodia.db +table = secrets + +[auth:header] +handler = custodia.httpd.authenticators.SimpleHeaderAuth +header = MYSECRETNAME +value = mysecretkey + +[authz:paths] +handler = custodia.httpd.authorizers.SimplePathAuthz +paths = /secrets + +[/] +handler = custodia.root.Root +store = simple + + + + Далі, віддайте команду custodia, вказавши файл +налаштувань у параметрі командного рядка. + + + Будь ласка, зверніть увагу на те, що у поточній версії неможливо на +загальному рівні переспрямовувати усі запити до екземпляра Custodia. Замість +цього слід визначати підрозділи для окремих ідентифікаторів користувачів, +які переспрямовуватимуть запити до Custodia. У наведеному нижче прикладі +проілюстровано конфігурацію, за якої запити користувача із UID 123 +переспрямовуватимуться до Custodia, а запити усіх інших користувачів +оброблятимуться локальним засобом надання даних. + + +[secrets] + +[secrets/users/123] +provider = proxy +proxy_url = http://localhost:8080/secrets/ +auth_type = header +auth_header_name = MYSECRETNAME +auth_header_value = mysecretkey + + + + diff --git a/src/man/uk/sssd-session-recording.5.xml b/src/man/uk/sssd-session-recording.5.xml new file mode 100644 index 0000000..a948e3a --- /dev/null +++ b/src/man/uk/sssd-session-recording.5.xml 
@@ -0,0 +1,151 @@
+
+
+
+Сторінки підручника SSSD
+
+
+
+
+ sssd-session-recording
+ 5
+ Формати файлів та правила
+
+
+
+ sssd-session-recording
+ Налаштовування записів сеансів за допомогою SSSD
+
+
+
+ ОПИС
+
+ На цій сторінці підручника описано налаштовування
+sssd 8
+на роботу з tlog-rec-session
+8 , частиною пакунка tlog, для
+реалізації записування сеансів користувачів у текстових
+терміналах. Докладний довідник щодо синтаксису налаштувань можна знайти у
+розділі ФОРМАТ ФАЙЛА сторінки підручника з
+sssd.conf 5
+.
+
+
+ SSSD можна налаштувати так, щоб уможливити запис усіх даних, які бачать або
+вводять протягом сеансу у текстових терміналах вказані
+користувачі. Наприклад, можна записувати дані щодо входу користувачів за
+допомогою консолі або SSH. Сама SSSD нічого не записує, а лише забезпечує
+запуск tlog-rec-session під час входу до системи користувача, щоб можна було
+здійснювати запис відповідно до налаштувань.
+
+
+ Для користувачів, для яких увімкнено запис сеансів, SSSD замінює командну
+оболонку користувача на tlog-rec-session у відповідях NSS і додає змінну,
+яка вказує на початкову командну оболонку до середовища користувача у
+налаштування сеансу PAM. Таким чином забезпечується запуск tlog-rec-session
+замість командної оболонки користувача і надання даних про те, яку командну
+оболонку слід запустити, щойно розпочнеться записування.
+
+
+
+
+ ПАРАМЕТРИ НАЛАШТУВАННЯ
+
+ Цими параметрами можна скористатися для налаштовування запису сеансів.
+
+
+
+ scope (рядок)
+
+
+ Один із вказаних нижче рядків, що визначають область запису сеансів:
+
+
+ "none"
+
+
+ Користувачі не записуються.
+
+
+
+
+ "some"
+
+
+ Запис вестиметься для користувачів і груп, вказаних параметрами
+користувачі і групи.
+
+
+
+
+ "all"
+
+
+ Усі користувачі записуються.
+
+
+
+
+
+
+ Типове значення: none
+
+
+
+
+ users (рядок)
+
+
+ Список відокремлених комами записів користувачів, для яких увімкнено
+записування сеансів. Належність до списку визначатиметься за іменами,
+повернутими NSS, тобто після можливих замін пробілів, змін регістру символів
+тощо.
+
+
+ Типове значення: порожнє. Не відповідає жодному користувачу.
+
+
+
+
+ groups (рядок)
+
+
+ Список відокремлених комами записів груп, для користувачів яких буде
+увімкнено записування сеансів. Належність до списку визначатиметься за
+назвами, повернутими NSS, тобто після можливих замін пробілів, змін регістру
+символів тощо.
+
+
+ Зауваження: використання цього параметра (встановлення для нього будь-якого
+значення) значно впливає на швидкодію, оскільки некешований запит щодо
+користувача потребує отримання і встановлення відповідності груп, до яких
+належить користувач.
+
+
+ Типове значення: порожнє. Не відповідає жодній групі.
+
+
+
+
+
+
+
+ ПРИКЛАД
+
+ У наведеному нижче фрагменті файла sssd.conf увімкнено запис сеансів для
+користувачів contractor1 і contractor2» та групи students.
+
+
+
+[session_recording]
+scope = some
+users = contractor1, contractor2
+groups = students
+
+
+
+
+
+
+
+
diff --git a/src/man/uk/sssd-simple.5.xml b/src/man/uk/sssd-simple.5.xml
new file mode 100644
index 0000000..8e19a66
--- /dev/null
+++ b/src/man/uk/sssd-simple.5.xml
@@ -0,0 +1,152 @@
+
+
+
+Сторінки підручника SSSD
+
+
+
+
+ sssd-simple
+ 5
+ Формати файлів та правила
+
+
+
+ sssd-simple
+ файл налаштувань інструмента керування доступом «simple» SSSD
+
+
+
+ ОПИС
+
+ На цій сторінці довідника описано налаштування простого засобу керування
+доступом для sssd
+8 . Щоб дізнатися більше про синтаксис
+налаштування, зверніться до розділу «ФОРМАТ ФАЙЛА» сторінки довідника
+ sssd.conf
+5 .
+
+
+ Простий засіб керування доступом надає або забороняє доступ на основі списку
+допуску або заборони, складеного за назвами облікових записів користувачів
+та групами. Використовуються такі правила:
+
+
+ Якщо всі списки є порожніми, доступ буде надано.
+
+
+
+ Якщо вказано будь-який зі списків, обробка виконуватиметься за послідовністю
+«допуск, потім заборона» (allow,deny). Це означає, що будь-яке з правил
+заборони матиме пріоритет над будь-яким правилом допуску.
+
+
+
+
+ Якщо буде вказано один або обидва списки допуску («allow»), всім
+користувачам поза цими списками доступ буде заборонено.
+
+
+
+
+ Якщо буде вказано лише списки заборони («deny»), всі користувачам поза цими
+списками доступ буде надано.
+
+
+
+
+
+
+
+ ПАРАМЕТРИ НАЛАШТУВАННЯ
+ Зверніться до розділу «РОЗДІЛИ ДОМЕНІВ» сторінки довідника (man)
+ sssd.conf
+5 , щоб дізнатися більше про
+налаштування домену SSSD.
+
+ simple_allow_users (рядок)
+
+
+ Відокремлений комами список користувачів, яким дозволено вхід до системи.
+
+
+
+
+
+ simple_deny_users (рядок)
+
+
+ Список користувачів, яким явно заборонено доступ; записи відокремлюються
+комами.
+
+
+
+
+ simple_allow_groups (рядок)
+
+
+ Відокремлений комами список груп, користувачам яких дозволено вхід до
+системи. Стосується лише груп у межах цього домену SSSD. Локальні групи не
+обробляються.
+
+
+
+
+
+ simple_deny_groups (рядок)
+
+
+ Відокремлений комами список груп, користувачам яких явно заборонено
+доступ. Стосується лише груп у межах цього домену SSSD. Локальні групи не
+обробляються.
+
+
+
+
+
+
+ Якщо не вказувати значень для жодного зі списків, вважатиметься, що параметр
+не визначено. Пам’ятайте про це, якщо захочете створити параметри для
+простого надавача автоматизованими скриптами.
+
+
+ Будь ласка, зауважте, що визначення обох параметрів, simple_allow_users і
+simple_deny_users, є помилкою у налаштуванні.
+
+
+
+
+ ПРИКЛАД
+
+ У наведеному нижче прикладі припускаємо, що SSSD налаштовано належним чином,
+а example.com є одним з доменів у розділі
+[sssd]. У прикладі продемонстровано лише
+параметри, специфічні для простого засобу доступу.
+
+
+
+[domain/example.com]
+access_provider = simple
+simple_allow_users = user1, user2
+
+
+
+
+
+ ЗАУВАЖЕННЯ
+
+ Повна обробка ієрархії участі у групах виконується до перевірки прав
+доступу, отже, до списку груп доступу може бути включено навіть вкладені
+групи. Будь ласка, зауважте, що на результати може вплинути значення
+параметра «ldap_group_nesting_level». Вам слід встановити для нього достатнє
+значення. Див.
+sssd-ldap5
+.
+
+
+
+
+
+
+
diff --git a/src/man/uk/sssd-sudo.5.xml b/src/man/uk/sssd-sudo.5.xml
new file mode 100644
index 0000000..b3c3cf9
--- /dev/null
+++ b/src/man/uk/sssd-sudo.5.xml
@@ -0,0 +1,198 @@
+
+
+
+Сторінки підручника SSSD
+
+
+
+
+ sssd-sudo
+ 5
+ Формати файлів та правила
+
+
+
+ sssd-sudo
+ Налаштовування sudo за допомогою модуля SSSD
+
+
+
+ ОПИС
+
+ На цій сторінці підручника описано способи налаштовування
+sudo 8
+на роботу у комплексі з sssd
+8 та способи кешування правил sudo у
+SSSD.
+
+
+
+
+ Налаштовування sudo на співпрацю з SSSD
+
+ Щоб увімкнути SSSD як джерело правил sudo, додайте sss
+до запису sudoers у файлі
+nsswitch.conf 5
+.
+
+
+ Наприклад, щоб налаштувати sudo на першочерговий пошук правил у стандартному
+файлі sudoers
+5 (цей файл має містити правила, що
+стосуються локальних користувачів), а потім у SSSD, у файлі nsswitch.conf
+слід вказати такий рядок:
+
+
+
+sudoers: files sss
+
+
+
+ Докладніші дані щодо налаштовування порядку пошуку у sudoers за допомогою
+файла nsswitch.conf, а також дані щодо бази даних LDAP, у якій зберігаються
+правила sudo каталогу, можна знайти на сторінці підручника
+sudoers.ldap 5
+.
+
+
+ Зауваження: щоб у правилах sudo можна було
+використовувати мережеві групи або групи вузлів IPA, вам слід належним чином
+налаштувати nisdomainname
+1 на назву домену NIS (назва цього
+домену збігається з назвою домену IPA, якщо використовуються групи вузлів
+IPA).
+
+
+
+
+ Налаштовування SSSD на отримання правил sudo
+
+ На боці SSSD достатньо розширити список служб
+дописуванням «sudo» до розділу [sssd]
+sssd.conf 5
+. Щоб пришвидшити пошуку у LDAP, ви також можете налаштувати
+базу пошуку для правил sudo за допомогою параметра
+ldap_sudo_search_base.
+
+
+ У наведеному нижче прикладі показано, як налаштувати SSSD на отримання
+правил sudo з сервера LDAP.
+
+
+
+[sssd]
+config_file_version = 2
+services = nss, pam, sudo
+domains = EXAMPLE
+
+[domain/EXAMPLE]
+id_provider = ldap
+sudo_provider = ldap
+ldap_uri = ldap://example.com
+ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
+ Важливо зауважити, що на платформах, де
+передбачено підтримку systemd, немає потреби додавати засіб надання даних
+«sudo» до списку служб, оскільки він стає необов'язковим. Втім, замість
+нього слід увімкнути sssd-sudo.socket.
+
+
+ Якщо SSSD налаштовано на використання IPA як засобу надання даних ID, засіб
+надання даних sudo буде увімкнено автоматично. Базу пошуку sudo буде
+налаштовано на використання природного для IPA дерева LDAP
+(cn=sudo,$SUFFIX). Якщо у sssd.conf буде визначено будь-яку іншу базу
+пошуку, використовуватиметься це значення. Для використання функціональних
+можливостей sudo у IPA потреби у дереві compat (ou=sudoers,$SUFFIX) більше
+немає.
+
+
+
+
+ Механізм кешування правил SUDO
+
+ Найбільшою складністю під час розробки підтримки sudo у SSSD було
+забезпечення роботи sudo з SSSD так, щоб для користувача джерело даних
+надавало дані у один спосіб та з тією самою швидкістю, що і sudo, надаючи
+при цьому якомога свіжіший набір правил. Щоб виконати ці умови, SSSD
+використовує оновлення трьох типів. Будемо називати ці тип повним
+оновленням, інтелектуальним оновленням та оновленням правил.
+
+
+ Використання типу інтелектуального оновлення полягає у
+отриманні правил, які було додано або змінено з часу попереднього
+оновлення. Основним призначенням оновлення такого типу є підтримання
+актуального стану бази даних невеличкими порціями, які не спричиняють
+значного навантаження на мережу.
+
+
+ У разі використання повного оновлення всі правила sudo,
+що зберігаються у кеші, буде вилучено і замінено на всі правила, які
+зберігаються на сервері. Таким чином, кеш буде узгоджено шляхом вилучення
+всіх правил, які було вилучено на сервері. Втім, повне оновлення може значно
+навантажувати канал з’єднання, а отже його варто використовувати лише
+іноді. Проміжок між сеансами повного оновлення має залежати від розміру і
+стабільності правил sudo.
+
+
+ У разі використання типу оновлення правил
+забезпечується ненадання користувачам ширших дозволів, ніж це було визначено
+на сервері. Оновлення цього типу виконується під час кожного запуску
+користувачем sudo. Під час оновлення буде виявлено всі правила, які
+стосуються користувача, перевірено, чи не завершено строк дії цих правил, і
+повторно отримано правила, якщо строк дії правил завершено. Якщо якихось з
+правил не буде виявлено на сервері, SSSD виконає позачергове повне
+оновлення, оскільки може виявитися, що було вилучено набагато більше правил
+(які стосуються інших користувачів).
+
+
+ Якщо увімкнено, SSSD зберігатиме лише правила, які можна застосувати до
+цього комп’ютера. Це означає, що зберігатимуться правила, що містять у
+атрибуті sudoHost одне з таких значень:
+
+
+
+
+ ключове слово ALL
+
+
+
+
+ шаблон заміни
+
+
+
+
+ мережеву групу (у форматі «+мережева група»)
+
+
+
+
+ назву вузла або повну назву у домені цього комп’ютера
+
+
+
+
+ одну з IP-адрес цього комп’ютера
+
+
+
+
+ одну з IP-адрес мережі (у форматі «адреса/маска»)
+
+
+
+
+ Для точного налаштовування поведінки передбачено доволі багато параметрів
+Будь ласка, зверніться до розділу «ldap_sudo_*» у
+sssd-ldap 5
+ та «sudo_*» у
+sssd.conf 5
+, щоб ознайомитися з докладним описом.
+
+
+
+
+
+
+
diff --git a/src/man/uk/sssd-systemtap.5.xml b/src/man/uk/sssd-systemtap.5.xml
new file mode 100644
index 0000000..3ccd2bb
--- /dev/null
+++ b/src/man/uk/sssd-systemtap.5.xml
@@ -0,0 +1,364 @@
+
+
+
+Сторінки підручника SSSD
+
+
+
+
+ sssd-systemtap
+ 5
+ Формати файлів та правила
+
+
+
+ sssd-systemtap
+ Дані systemtap SSSD
+
+
+
+ ОПИС
+
+ Цю сторінку підручника присвячено функціональним можливостям systemtap у
+ sssd 8
+.
+
+
+ Точки зондування SystemTap додано до різноманітних частин коду SSSD, щоб
+полегшити усування вад та аналіз пов'язаних зі швидкодією проблем.
+
+
+
+
+
+ Зразки скриптів SystemTap зберігаються у каталозі /usr/share/sssd/systemtap/
+
+
+
+
+ Зонди і різноманітні функції визначено у
+/usr/share/systemtap/tapset/sssd.stp і
+/usr/share/systemtap/tapset/sssd_functions.stp, відповідно.
+
+
+
+
+
+
+
+ ТОЧКИ ЗОНДУВАННЯ
+
+ Дані у наведених нижче списках точок зондування та аргументів записано у
+такому форматі:
+
+
+
+ зонд $назва
+
+
+ Опис точки зондування
+
+
+змінна1:тип даних
+змінна2:тип даних
+змінна3:тип даних
+...
+
+
+
+
+
+
+ Зонди операцій із базою даних
+
+
+
+ зонд sssd_transaction_start
+
+
+ Розпочати операцію sysdb, зондує функцію sysdb_transaction_start().
+
+
+nesting:ціле число
+probestr:рядок
+
+
+
+
+ зонд sssd_transaction_cancel
+
+
+ Скасовування операції sysdb, зондує функцію sysdb_transaction_cancel() .
+
+
+nesting:ціле число
+probestr:рядок
+
+
+
+
+ зонд sssd_transaction_commit_before
+
+
+ Зондує функцію sysdb_transaction_commit_before().
+
+
+nesting:ціле число
+probestr:рядок
+
+
+
+
+ зонд sssd_transaction_commit_after
+
+
+ Зондує функцію sysdb_transaction_commit_after().
+
+
+nesting:ціле число
+probestr:рядок
+
+
+
+
+
+
+
+
+ Зонди пошуку у LDAP
+
+
+
+ зонд sdap_search_send
+
+
+ Зондує функцію sdap_get_generic_ext_send().
+
+
+base:рядок
+scope:ціле число
+filter:рядок
+probestr:рядок
+
+
+
+
+ зонд sdap_search_recv
+
+
+ Зондує функцію sdap_get_generic_ext_recv().
+
+
+base:рядок
+scope:ціле число
+filter:рядок
+probestr:рядок
+
+
+
+
+ зонд sdap_deref_send
+
+
+ Зондує функцію sdap_deref_search_send().
+
+
+base_dn:рядок
+deref_attr:рядок
+probestr:рядок
+
+
+
+
+ зонд sdap_deref_recv
+
+
+ Зондує функцію sdap_deref_search_recv().
+
+
+base:рядок
+scope:ціле число
+filter:рядок
+probestr:рядок
+
+
+
+
+
+
+
+
+ Зонди запитів щодо облікових записів у LDAP
+
+
+
+ зонд sdap_acct_req_send
+
+
+ Зондує функцію sdap_acct_req_send().
+
+
+entry_type:ціле число
+filter_type:ціле число
+filter_value:рядок
+extra_value:рядок
+
+
+
+
+ зонд sdap_acct_req_recv
+
+
+ Зондує функцію sdap_acct_req_recv().
+
+
+entry_type:ціле число
+filter_type:ціле число
+filter_value:рядок
+extra_value:рядок
+
+
+
+
+
+
+
+
+ Зонди пошуку користувачів у LDAP
+
+
+
+ зонд sdap_search_user_send
+
+
+ Зондує функцію sdap_search_user_send().
+
+
+filter:рядок
+
+
+
+
+ зонд sdap_search_user_recv
+
+
+ Зондує функцію sdap_search_user_recv().
+
+
+filter:рядок
+
+
+
+
+ зонд sdap_search_user_save_begin
+
+
+ Зондує функцію sdap_search_user_save_begin().
+
+
+filter:рядок
+
+
+
+
+ зонд sdap_search_user_save_end
+
+
+ Зондує функцію sdap_search_user_save_end().
+
+
+filter:рядок
+
+
+
+
+
+
+
+
+ Зонди запитів до постачальника даних
+
+
+
+ зонд dp_req_send
+
+
+ Подано запит до постачальника даних.
+
+
+dp_req_domain:рядок
+dp_req_name:рядок
+dp_req_target:ціле число
+dp_req_method:ціле число
+
+
+
+
+ зонд dp_req_done
+
+
+ Завершено виконання запиту до постачальника даних.
+
+
+dp_req_name:рядок
+dp_req_target:ціле число
+dp_req_method:ціле число
+dp_ret:ціле число
+dp_errorstr:рядок
+
+
+
+
+
+
+
+
+ РІЗНОМАНІТНІ ФУНКЦІЇ
+
+ Дані у наведених нижче списках точок зондування та аргументів записано у
+такому форматі:
+
+
+
+ функція acct_req_desc(entry_type)
+
+
+ Перетворення entry_type на рядок і повернення рядка
+
+
+
+
+ функція sssd_acct_req_probestr(fc_name, entry_type, filter_type,
+filter_value, extra_value)
+
+
+ Створення рядка зонду на основі типу фільтрування
+
+
+
+
+ функція dp_target_str(target)
+
+
+ Перетворення target на рядок і повернення рядка
+
+
+
+
+ функція dp_method_str(target)
+
+
+ Перетворення методу на рядок і повернення рядка
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/src/man/uk/sssd.8.xml b/src/man/uk/sssd.8.xml
new file mode 100644
index 0000000..e068092
--- /dev/null
+++ b/src/man/uk/sssd.8.xml
@@ -0,0 +1,237 @@
+
+
+
+Сторінки підручника SSSD
+
+
+
+
+ sssd
+ 8
+
+
+
+ sssd
+ Фонова служба безпеки системи
+
+
+
+
+sssd
+параметри
+
+
+
+ ОПИС
+
+ У SSSD передбачено набір фонових служб для керування
+доступом до віддалених каталогів та механізмами
+розпізнавання. SSSD надає операційній системі інтерфейси
+NSS і PAM, а також систему придатних для під’єднання модулів для
+встановлення з’єднання з декількома різними джерелами даних щодо облікових
+записів та інтерфейс D-Bus. SSSD також є основою для
+систем перевірки клієнтських систем та служб обслуговування правил доступу
+для проектів, подібних до FreeIPA. SSSD надає стійкішу
+базу даних для збереження записів локальних користувачів, а також додаткових
+даних щодо користувачів.
+
+
+
+
+ ПАРАМЕТРИ
+
+
+
+ ,
+РІВЕНЬ
+
+
+
+
+
+ режим
+
+
+
+ 1: додати часову позначку до діагностичних повідомлень.
+
+
+ 0: вимкнути часову позначку у діагностичних
+повідомленнях
+
+
+ Типове значення: 1
+
+
+
+
+
+ режим
+
+
+
+ 1: додати значення мікросекунд до часової позначки у
+діагностичних повідомленнях
+
+
+ 0: вимкнути додавання мікросекунд до часової позначки
+
+
+ Типове значення: 0
+
+
+
+
+
+ ,
+
+
+
+ Надіслати діагностичні дані до файлів, а не до stderr. Типово файли журналів
+зберігаються у /var/log/sssd, передбачено також окремий
+журнал для кожної служби і домену SSSD.
+
+
+ Цей параметр вважається застарілим. Його замінено параметром
+.
+
+
+
+
+
+ значення
+
+
+
+ Місце, куди SSSD надсилатиме повідомлення журналу. Значення цього параметра
+має вищий пріоритет за значення застарілого параметра
+. Застарілий параметр працюватиме, якщо не
+використано параметр .
+
+
+ stderr: переспрямувати діагностичні повідомлення до
+стандартного виведення помилок.
+
+
+ files: переспрямувати діагностичні повідомлення до
+файлів журналу. Типово файли журналів зберігаються у
+/var/log/sssd, передбачено також окремий журнал для
+кожної служби і домену SSSD.
+
+
+ journald: переспрямувати діагностичні повідомлення до
+systemd-journald
+
+
+ Типове значення: not set
+
+
+
+
+
+ ,
+
+
+
+ Перейти у режим фонової служби після запуску.
+
+
+
+
+
+ ,
+
+
+
+ Запустити програму у звичайному режимі, не створювати фонової служби.
+
+
+
+
+
+ ,
+
+
+
+ Визначити нетиповий файл налаштувань. Типовим файлом налаштувань є
+/etc/sssd/sssd.conf. Довідку щодо синтаксису та
+параметрів файла налаштувань можна знайти на сторінці довідника (man)
+ sssd.conf
+5 .
+
+
+
+
+
+
+
+
+
+
+ Вивести номер версії і завершити роботу.
+
+
+
+
+
+
+
+ Сигнали
+
+
+ SIGTERM/SIGINT
+
+
+ Повідомляє SSSD, що слід поступово завершити роботу всіх дочірніх процесів,
+а потім завершити роботу монітора.
+
+
+
+
+ SIGHUP
+
+
+ Повідомляє SSSD, що слід припинити запис до файлів діагностичних даних з
+поточними дескрипторами, закрити і повторно відкрити ці файли. Цей сигнал
+призначено для полегшення процедури архівування журналів за допомогою
+програм, подібних до logrotate.
+
+
+
+
+ SIGUSR1
+
+
+ Наказує SSSD імітувати автономну дію, тривалість якої визначається
+параметром «offline_timeout». Найкориснішим застосуванням є тестування
+служби. Сигнал може бути надіслано або процесу sssd, або процесу sssd_be
+безпосередньо.
+
+
+
+
+ SIGUSR2
+
+
+ Наказує SSSD перейти у режим роботи у мережі негайно. Найкориснішим
+застосуванням є тестування служби. Сигнал може бути надіслано або процесу
+sssd, або процесу sssd_be безпосередньо.
+
+
+
+
+
+
+
+ ЗАУВАЖЕННЯ
+
+ Якщо для змінної середовища SSS_NSS_USE_MEMCACHE встановлено значення «NO»,
+клієнтські програми не використовуватимуть fast у кеші у пам’яті.
+
+
+
+
+
+
+
diff --git a/src/man/uk/sssd.conf.5.xml b/src/man/uk/sssd.conf.5.xml
new file mode 100644
index 0000000..0abf332
--- /dev/null
+++ b/src/man/uk/sssd.conf.5.xml
@@ -0,0 +1,2960 @@ + + + +Сторінки підручника SSSD + + + + + sssd.conf + 5 + Формати файлів та правила + + + + sssd.conf + файл налаштування SSSD + + + + ФОРМАТ ФАЙЛА + + + Файл складено з використанням синтаксичний конструкцій у стилі ini, він +складається з розділів і окремих записів параметрів. Розділ починається з +рядка назви розділу у квадратних дужках і продовжується до початку нового +розділу. Приклад розділу з параметрами, які мають єдине і декілька значень: + +[розділ] +ключ = значення +ключ2 = значення2,значення3 + + + + + Типами даних є рядок (без символів лапок), ціле число і булеве значення +(можливі два значення — TRUE і FALSE). + + + + A comment line starts with a hash sign (#) or a semicolon +(;). Inline comments are not supported. + + + + Для всіх розділів передбачено додатковий параметр +description. Його призначено лише для позначення +розділу. + + + + sssd.conf має бути звичайним файлом, власником якого є +користувач root. Права на читання та запис до цього файла повинен мати лише +користувач root. + + + + + ФРАГМЕНТИ НАЛАШТУВАНЬ З КАТАЛОГУ ВКЛЮЧЕННЯ + + + До файла налаштувань sssd.conf буде включено фрагменти +налаштувань з каталогу conf.d. Цією можливістю можна +буде скористатися, якщо SSSD було зібрано із бібліотекою libini версії 1.3.0 +або новішою. + + + + Будь-який файл, розташований у conf.d, назва якого +завершується на .conf і не починається з +крапки (.), буде використано разом із +sssd.conf для налаштовування SSSD. + + + + Фрагменти налаштувань з conf.d мають вищий пріоритет за +sssd.conf, вони мають вищий пріоритет за +sssd.conf, якщо виникне конфлікт. Якщо у +conf.d буде виявлено декілька фрагментів, їх буде +включено за абеткою (на основі параметрів локалі). Файли, які включаються +пізніше, мають вищий пріоритет. Числові префікси +(01_фрагмент.conf, +02_фрагмент.conf тощо) можуть допомогти у візуалізації +пріоритетності (більше число означає вищу пріоритетність). 
+ + + + Файли фрагментів мають належати одному користувачеві і мати однакові права +доступу із файлом sssd.conf. Типовим власником є +root:root, а типовими правами доступу — 0600. + + + + + ЗАГАЛЬНІ ПАРАМЕТРИ + + Нижче наведено параметри, які можна використовувати у декількох розділах +налаштувань. + + + Параметри, які можна використовувати у всіх розділах + + + + debug_level (ціле число) + + + + debug (ціле число) + + + У SSSD 1.14 і новіших версіях з міркувань зручності також передбачено +альтернативний варіант debug для +debug_level. Якщо вказано одразу обидва варіанти, +буде використано варіант debug_level. + + + + + debug_timestamps (булеве значення) + + + Додати часову позначку до діагностичних повідомлень. Якщо для запису +діагностичного журналу у SSSD увімкнено journald, цей параметр буде +проігноровано. + + + Типове значення: true + + + + + debug_microseconds (булеве значення) + + + Додати значення мікросекунд до часової позначки у діагностичних +повідомлення. Якщо для запису діагностичного журналу у SSSD увімкнено +journald, цей параметр буде проігноровано. + + + Типове значення: false + + + + + + + + + Параметри які можна використовувати у розділах SERVICE та DOMAIN + + + + timeout (ціле число) + + + Проміжок у секундах між циклами роботи цієї служби. Використовується для +перевірки працездатності процесу та його змоги відповідати на +запити. Зауважте, що після трьох пропущених циклів процес перерве своє +виконання самостійно. + + + Типове значення: 10 + + + + + + + + + + ОСОБЛИВІ РОЗДІЛИ + + + Розділ [sssd] + + Окремі функції у SSSD виконуються особливими службами SSSD, які запускаються +і зупиняються разом SSSD. Ці служби керуються окремою службою, яку часто +називають «монітором». Розділ [sssd] використовується для +налаштування монітора та деяких інших важливих параметрів, зокрема доменів +профілів. + Параметри розділу + + config_file_version (ціле число) + + + Визначає версію синтаксичних конструкцій файла налаштування. 
Для версій SSSD +0.6.0 та пізніших слід використовувати версію 2. + + + + + services + + + Список служб, відокремлених комами, які запускаються разом із sssd. Список служб є необов'язковим на платформах, де +передбачено підтримку systemd, оскільки там такі служби вмикаються за +допомогою сокетів або D-Bus. + + + Підтримувані служби: nss, pam , sudo +, autofs , ssh , +pac , ifp + + + Типово усі служби вимкнено. Адміністратор +має увімкнути дозволені до використання служби за допомогою такої команди: +"systemctl enable sssd-@service@.socket". + + + + + reconnection_retries (ціле число) + + + Кількість повторних спроб встановлення зв’язку зі службами або їх +перезапуску у разі аварійного завершення роботи інструменту надання даних до +визнання подальших спроб безнадійними. + + + Типове значення: 3 + + + + + domains + + + Домен — це база даних, у якій містяться дані щодо користувачів. SSSD може +одночасно використовувати декілька доменів. Вам слід вказати принаймні один +домен, інакше SSSD просто не запуститься. За допомогою цього параметра можна +вказати список доменів, впорядкованих за пріоритетністю під час надсилання +до них запитів щодо даних. Назва домену має складатися лише з літер і цифр +ASCII, дефісів, крапок та знаків підкреслювання. + + + + + re_expression (рядок) + + + Типовий формальний вираз, який описує спосіб поділу рядка з іменем +користувача і доменом на його частини. + + + Для кожного з доменів можна налаштувати окремий формальний вираз. Для деяких +з засобів надання ідентифікаторів передбачено типові формальні +вирази. Докладніше про ці формальні вирази можна дізнатися з довідки до +РОЗДІЛІВ ДОМЕНІВ. + + + + + full_name_format (рядок) + + + Сумісний з printf +3 формат, який описує спосіб +створення повного імені на основі імені користувача та компонентів назви +домену. + + + Передбачено використання таких замінників: + + %1$s + ім’я користувача + + + %2$s + + + назва домену у форматі, вказаному у файлі налаштувань SSSD. 
+ + + + + %3$s + + + проста назва домену. Здебільшого використовується для доменів Active +Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA. + + + + + + + Для кожного з доменів можна налаштувати окремий рядок формату. Докладніше +про ці рядки можна дізнатися з довідки до РОЗДІЛІВ ДОМЕНІВ. + + + + + try_inotify (булеве значення) + + + SSSD спостерігає за станом resolv.conf для визначення моменту, коли слід +оновити дані вбудованого інструменту визначення DNS. Типово, з цією метою +використовується inotify. У разі неможливості використання inotify, +виконуватиметься опитування resolv.conf кожні п’ять секунд. + + + Зрідка бажано не вдаватися навіть до спроб скористатися inotify. У цих +рідкісних випадках слід встановити для цього параметра значення «false». + + + Типове значення: «true» на платформах, де підтримується inotify. «false» на +інших платформах. + + + Зауваження: цей параметр ні на що не вплине на платформах, де inotify +недоступний. На цих платформах завжди використовуватиметься безпосереднє +опитування файла. + + + + + krb5_rcache_dir (рядок) + + + Каталог у файловій системі, де SSSD має зберігати файли кешу відтворення +Kerberos. + + + Цей параметр приймає особливе значення __LIBKRB5_DEFAULTS__, за допомогою +якого можна наказати SSSD надати змогу libkrb5 визначити відповідну адресу +для кешу відтворення. + + + Типове значення: визначається дистрибутивом та вказується під час +збирання. (__LIBKRB5_DEFAULTS__, якщо не вказано) + + + + + user (рядок) + + + Користувач, до якого слід скинути права доступу, якщо це потрібно для +уникнення запуску від імені користувача root. Цей параметр не спрацює, якщо запущено служби, які +активуються сокетами, оскільки ім'я користувача для запуску налаштовується +під час збирання. Параметри файлів модулів systemd можна перевизначити +створенням відповідних файлів у /etc/systemd/system/. 
Слід пам'ятати, щоб +будь-які зміни у параметрах користувача, групи чи прав доступу можуть +призвести до непрацездатності SSSD. Те саме може статися, якщо змінити +користувача, від імені якого запущено відповідач NSS. + + + Типове значення: не встановлено, процес буде запущено від імені root + + + + + default_domain_suffix (рядок) + + + Цей рядок буде використано як типову назву домену для всіх назв без +компонента назви домену. Основним призначенням використання цього рядка є +середовища, де основний домен призначено для керування правилами вузлів та +всіма користувачами, розташованими на надійному (довіреному) домені. За +допомогою цього параметра користувачі можуть входити до системи за допомогою +лише імені користувача без додавання до нього назви домену. + + + Будь ласка, зауважте, що якщо встановлено цей параметр, для усіх +користувачів із основного домену доведеться використовувати ім’я повністю, +тобто користувач@назва.домену, для входу до системи. Встановлення цього +параметра змінює типове значення use_fully_qualified_names на True. Цей +параметр не можна використовувати у поєднанні із значенням +use_fully_qualified_names рівним False. + + + Типове значення: not set + + + + + override_space (рядок) + + + За допомогою цього параметра можна змінити пробіли у іменах користувачів та +назвах груп вказаним симовлом, наприклад _. Ім’я користувача «john doe» буде +перетворено на «john_doe». Цю можливість було додано для сумісності із +скриптами командної оболонки, у яких виникають проблеми із обробкою пробілів +через типовий роздільник полів у оболонці. + + + Будь ласка, зауважте, що використання символу-замінника, який може бути +використано у іменах користувачів і назвах груп, є помилкою у +налаштуваннях. Якщо назва містить символ-замінник, SSSD спробує повернути +незмінену назву, але, загалом, результат пошуку буде невизначеним. 
+ + + Типове значення: не встановлено (пробіли не замінятимуться) + + + + + certificate_verification (рядок) + + + За допомогою цього параметра можна виконати тонке налаштовування перевірки +сертифікатів на основі списку параметрів, відокремлених комами. Підтримувані +параметри: + + no_ocsp + + Вимикає перевірки протоколу стану мережевої сертифікації (Online Certificate +Status Protocol або OCSP). Це може знадобитися, якщо сервери OCSP, визначені +у сертифікаті, є недоступними з клієнта. + + + + no_verification + + Повністю вимикає перевірку. Цим варіантом слід користуватися лише для +тестування. + + + + ocsp_default_responder=URL + + Встановлює типовий відповідач OCSP, який слід використовувати замість +визначеного у сертифікаті. Адресу слід замінити адресою типового +відповідача, наприклад http://example.com:80/ocsp. + Цей параметр слід використовувати разом із параметром +ocsp_default_responder_signing_cert. + + + + + + ocsp_default_responder_signing_cert=НАЗВА + + Альтернативна назва сертифіката, якому слід довіряти (очікувано) для +підписування відповідей OCSP. Сертифікат із вказаною альтернативною назвою +має зберігатися у базі даних NSS системи. + Цим параметром слід користуватися разом із параметром +ocsp_default_responder. + + + + + + Обробник параметрів повідомлятиме про невідомі параметри і просто +ігноруватиме їх. + + + Типове значення: не встановлено, тобто перевірка сертифікатів нічим не +обмежуватиметься + + + + + disable_netlink (булеве значення) + + + Перехоплювачі SSSD у інтерфейсі netlink для стеження за змінами у маршрутах, +адресах, посилання та виконання певних дій. + + + Зміни стану SSSD, спричинені подіями netlink, можуть бути небажаними, їх +можна вимкнути встановленням для цього параметра значення «true» + + + Типове значення: false (виявлення змін у netlink) + + + + + enable_files_domain (булеве значення) + + + Якщо цю можливість увімкнено, SSSD дописуватиме неявний домен із +id_provider=files до усіх явним чином налаштованих доменів. 
+ + + Типове значення: false + + + Типове значення: true + + + + + domain_resolution_order + + + Список доменів і піддоменів, відокремлених комами, який визначає порядок +пошуку, який використовуватиметься. Список не обов'язково включатиме усі +можливі домени, оскільки пошук у пропущених доменах відбуватиметься у +порядку, у якому їх вказано у параметрі налаштування +domains. Пошук у піддоменах, яких немає у списку +lookup_order, відбуватиметься у випадковому порядку для +кожного батьківського домену. + + + Please, note that when this option is set the output format of all commands +is always fully-qualified even when using short names for input, for all +users but the ones managed by the files provider. In case the administrator +wants the output not fully-qualified, the full_name_format option can be +used as shown below: full_name_format=%1$s However, keep in +mind that during login, login applications often canonicalize the username +by calling getpwnam +3 which, if a shortname is returned +for a qualified input (while trying to reach a user which exists in multiple +domains) might re-route the login attempt into the domain which uses +shortnames, making this workaround totally not recommended in cases where +usernames may overlap between domains. + + + Типове значення: не встановлено + + + + + + + + + + + РОЗДІЛИ СЛУЖБ + + У цьому розділі описано параметри, якими можна скористатися для налаштування +різноманітних служб. Ці параметри має бути зібрано у розділах з назвами +[$NAME]. Наприклад, параметри служби NSS зібрано +у розділі [nss] + + + + Загальні параметри налаштування служб + + Цими параметрами можна скористатися для налаштування будь-яких служб. + + + + reconnection_retries (ціле число) + + + Кількість повторних спроб встановлення зв’язку зі службами або їх +перезапуску у разі аварійного завершення роботи інструменту надання даних до +визнання подальших спроб безнадійними. 
+ + + Типове значення: 3 + + + + + fd_limit + + + За допомогою цього параметра можна визначити максимальну кількість +дескрипторів файлів, які одночасно може бути відкрито цим процесом SSSD. У +системах, де SSSD надано можливості CAP_SYS_RESOURCE, цей параметр +використовуватиметься незалежно від інших параметрів системи. У системах без +цієї можливості, кількість дескрипторів визначатиметься найменшим зі значень +цього параметра і обмеженням "hard" у limits.conf. + + + Типове значення: 8192 (або обмеження у limits.conf "hard") + + + + + client_idle_timeout + + + За допомогою цього параметра можна визначити кількість секунд, протягом яких +клієнтська частина SSSD може утримувати дескриптор файла без здійснення за +його допомогою обміну даними. Таке обмеження потрібне для того, щоб уникнути +вичерпання ресурсів системи. Час очікування не може бути меншим за 10 +секунд. Якщо у налаштуваннях вказано менше значення, його буде скориговано +до 10 секунд. + + + Типове значення: 60 + + + + + offline_timeout (ціле число) + + + Коли SSSD перемикається на автономний режим роботи, час, який має минути, +перш ніж буде здійснено спробу повернутися до режиму у мережі, +збільшуватиметься, відповідно до часу, проведеного у режимі від’єднання. Це +значення вказується у секундах і обчислюється за такою формулою: + + + час_очікування_для_переходу_у_автономний_режим + випадковий_зсув + + + Випадковий зсув може збільшувати час на інтервал до 30 секунд. Після кожної +невдалої спроби переходу до режиму у мережі новий інтервал часу обчислюється +таким чином: + + + новий_інтервал = старий_інтервал*2 + випадковий_зсув + + + Зауважте, що максимальна тривалість кожного з інтервалів у поточній версії +обмежено однією годиною. Якщо обчислена тривалість нового інтервалу +перевищує годину, буде встановлено інтервал у одну годину. 
+ + + Типове значення: 60 + + + + + responder_idle_timeout + + + Цей параметр визначає кількість секунд, протягом яких процес відповідача +SSSD може працювати без використання. Це значення обмежено з метою уникнення +вичерпання ресурсів системи. Мінімальним прийнятним значенням для цього +параметра є 60 секунд. Встановлення для цього параметра значення 0 (нуль) +означає, що для відповідача не встановлюватиметься ніякого часу +очікування. Цей параметр враховуватиметься, лише якщо SSSD зібрано з +підтримкою systemd і якщо служби активуються за допомогою або сокетів або +D-Bus. + + + Типове значення: 300 + + + + + cache_first + + + Цей параметр визначає, чи слід відповідачеві опитати усі кеші до надсилання +запису до модулів засобів надання даних. + + + Типове значення: false + + + + + + + + Параметри налаштування NSS + + Цими параметрами можна скористатися для налаштування служби Name Service +Switch (NSS або перемикання служби визначення назв). + + + + enum_cache_timeout (ціле число) + + + Тривалість зберігання переліків (запитів щодо даних всіх користувачів) у +кеші nss_sss у секундах + + + Типове значення: 120 + + + + + entry_cache_nowait_percentage (ціле число) + + + Можна встановити кеш записів для автоматичного оновлення записів у фоновому +режимі, якщо запит щодо них надходить у визначений у відсотках від +entry_cache_timeout для домену період часу. + + + Наприклад, якщо entry_cache_timeout домену встановлено у значення 30s, а +entry_cache_nowait_percentage — у значення 50 (у відсотках), записи, які +надійдуть за 15 секунд після останнього оновлення кешу, буде повернуто +одразу, але SSSD оновить власний кеш, отже наступні запити очікуватимуть на +розблокування після оновлення кешу. + + + Коректними значеннями цього параметра є 0-99. Ці значення відповідають +відсоткам entry_cache_timeout для кожного з доменів. З міркувань покращення +швидкодії це відсоткове значення ніколи не зменшуватиме час очікування +nowait до значення, меншого за 10 секунд. 
Визначення значення 0 вимкне цю +можливість. + + + Типове значення: 50 + + + + + entry_negative_timeout (ціле число) + + + Визначає кількість секунд, протягом яких nss_sss має кешувати негативні +результати пошуку у кеші (тобто запити щодо некоректних записів у базі +даних, зокрема неіснуючих) перед повторним запитом до сервера обробки. + + + Типове значення: 15 + + + + + local_negative_timeout (ціле число) + + + Specifies for how many seconds nss_sss should keep local users and groups in +negative cache before trying to look it up in the back end again. Setting +the option to 0 disables this feature. + + + Default: 14400 (4 hours) + + + + + filter_users, filter_groups (рядок) + + + Виключити певних користувачів або групи зі списку отримання даних з бази +даних NSS sss. Таке виключення може бути корисним для облікових записів +керування системою. Цей параметр також можна встановлювати для кожного з +доменів окремо або включити до нього імена користувачів повністю для +обмеження списку користувачами лише з певного домену. + + + ЗАУВАЖЕННЯ: параметр filter_groups не впливає на успадкованість вкладених +записів групи, оскільки фільтрування відбувається після їх передавання для +повернення за допомогою NSS. Наприклад, у списку групи, що містить вкладену +групу, яку відфільтровано, залишатимуться записи користувачів +відфільтрованої групи. + + + Типове значення: root + + + + + filter_users_in_groups (булеве значення) + + + Якщо ви хочете, щоб фільтровані користувачі залишалися учасниками груп, +встановіть для цього параметра значення «false». + + + Типове значення: true + + + + + + + fallback_homedir (рядок) + + + Встановити типовий шаблон назви домашнього каталогу користувача, якщо цей +каталог не вказано явним чином засобом надання даних домену. + + + Можливі варіанти значень для цього параметра збігаються з варіантами значень +для параметра override_homedir. 
+ + + приклад: +fallback_homedir = /home/%u + + + + Типове значення: не встановлено (без замін для невстановлених домашніх +каталогів) + + + + + override_shell (рядок) + + + Перевизначити командну оболонку входу до системи для усіх користувачів. Цей +параметр має пріоритет над будь-якими іншими параметрами визначення +командної оболонки, якщо він діє. Його можна встановити або у розділі [nss] +або для кожного з доменів окремо. + + + Типове значення: не встановлено (SSSD використовуватиме значення, отримане +від LDAP) + + + + + allowed_shells (рядок) + + + Обмежити перелік можливих командних оболонок користувачів вказаними. Порядок +визначення оболонки є таким: + + + 1. Якщо оболонку вказано у /etc/shells, її буде використано. + + + 2. Якщо оболонку вказано у списку allowed_shells, але її немає у списку +/etc/shells, буде використано значення параметра +shell_fallback. + + + 3. Якщо оболонку не вказано у списку allowed_shells і її немає у списку +/etc/shells, буде використано оболонку nologin. + + + Для визначення будь-якої командної оболонки можна скористатися шаблоном +заміни (*). + + + Значенням (*) варто користуватися, якщо ви хочете скористатися +shell_fallback, коли командної оболонки користувача немає у «/etc/shells», а +супровід списку усіх командних оболонок у allowed_shells є надто марудною +справою. + + + Порожній рядок оболонки буде передано без обробки до libc. + + + Читання /etc/shells виконується лише під час запуску SSSD, +тобто у разі встановлення нової оболонки слід перезапустити SSSD. + + + Типове значення: не встановлено. Автоматично використовується оболонка +користувача. + + + + + vetoed_shells (рядок) + + + Замінити всі записи цих оболонок на shell_fallback + + + + + shell_fallback (рядок) + + + Типова оболонка, яку слід використовувати, якщо дозволеної оболонки у +системі не встановлено. 
+ + + Типове значення: /bin/sh + + + + + default_shell + + + Типова командна оболонка, яку буде використано, якщо засобом надання даних +не було повернуто назви оболонки під час пошуку. Цей параметр можна вказати +або на загальному рівні у розділі [nss], або окремо для кожного з доменів. + + + Типове значення: не встановлено (повернути NULL, якщо оболонку не +встановлено і покластися на libc у визначенні потрібного програмі значення, +зазвичай /bin/sh) + + + + + get_domains_timeout (ціле число) + + + Визначає час у секундах, протягом якого список піддоменів вважатиметься +чинним. + + + Типове значення: 60 + + + + + memcache_timeout (ціле число) + + + Визначає час у секундах, протягом якого список піддоменів вважатиметься +чинним. Встановлення для цього параметра нульового значення вимикає кеш у +пам'яті. + + + Типове значення: 300 + + + Попередження: вимикання кешу у пам'яті значно погіршить швидкодію SSSD, ним +варто користуватися лише для тестування. + + + ЗАУВАЖЕННЯ: якщо для змінної середовища SSS_NSS_USE_MEMCACHE встановлено +значення «NO», клієнтські програми не використовуватимуть fast у кеші у +пам’яті. + + + + + user_attributes (рядок) + + + Деякі із додаткових запитів до відповідача NSS можуть повертати більшу +кількість атрибутів, ніж це визначено POSIX для інтерфейсу NSS. Списком +атрибутів можна керувати за допомогою цього параметра. Обробка виконується у +той самий спосіб, що і для параметра «user_attributes» відповідача InfoPipe +(див. sssd-ifp +5 , щоб дізнатися більше), але без +типових значень. + + + Щоб полегшити налаштовування відповідач NSS перевірятиме параметр InfoPipe +на те, чи не встановлено його для відповідача NSS. + + + Типове значення: не встановлено, резервне значення визначається за +параметром InfoPipe + + + + + pwfield (рядок) + + + Значення, яке повертають операції NSS, які повертають записи користувачів чи +груп, для поля password. + + + Значення цього параметра можна встановлювати для кожного з доменів окремо. 
+ + + Типове значення: * (віддалені домени) або x +(файловий домен) + + + + + + + Параметри налаштування PAM + + Цими параметрами можна скористатися для налаштування служби Pluggable +Authentication Module (PAM або блокового модуля розпізнавання). + + + + offline_credentials_expiration (ціле число) + + + У разі неможливості встановлення з’єднання з сервером розпізнавання визначає +тривалість зберігання кешованих входів (у днях з часу останнього успішного +входу до системи). + + + Типове значення: 0 (без обмежень) + + + + + + offline_failed_login_attempts (ціле число) + + + У разі неможливості встановлення з’єднання з сервером розпізнавання визначає +дозволену кількість спроб входу з визначенням помилкового пароля. + + + Типове значення: 0 (без обмежень) + + + + + + offline_failed_login_delay (ціле число) + + + Час у хвилинах, який має пройти між досягненням значення +offline_failed_login_attempts і повторним вмиканням можливості входу до +системи. + + + Якщо встановлено значення 0, користувач не зможе пройти розпізнавання у +автономному режимі, якщо буде досягнуто значення +offline_failed_login_attempts. Лише успішне розпізнавання може знову +увімкнути можливість автономного розпізнавання. + + + Типове значення: 5 + + + + + + pam_verbosity (ціле число) + + + Керує типами повідомлень, які буде показано користувачеві під час +розпізнавання. Чим більшим є значення, тим більше повідомлень буде показано. + + + У поточній версії sssd передбачено підтримку таких значень: + + + 0: не показувати жодних повідомлень + + + 1: показувати лише важливі повідомлення + + + 2: показувати всі інформаційні повідомлення + + + 3: показувати всі повідомлення та діагностичні дані + + + Типове значення: 1 + + + + + + pam_response_filter (ціле число) + + + Список рядків, відокремлених комами, за допомогою якого можна вилучати +(фільтрувати) дані, які надсилаються відповідачем PAM до модуля PAM +pam_sss. 
Існують різні тип відповідей, які надсилаються до pam_sss, +наприклад повідомлення, які показуються користувачеві, або змінні +середовища, які слід встановлювати за допомогою pam_sss. + + + Хоча повідомленнями вже можна керувати за допомогою параметра pam_verbosity, +за допомогою цього параметра можна відфільтрувати також інші типи +повідомлень. + + + У поточній версії передбачено підтримку таких фільтрів: + ENV + Не надсилати жодних змінних середовища до жодної служби. + + ENV:назва_змінної + Не надсилати змінної середовища назва_змінної до жодної служби. + + ENV:назва_змінної:служба + Не надсилати змінної середовища назва_змінної до вказаної служби. + + + + + Типове значення: not set + + + Приклад: ENV:KRB5CCNAME:sudo-i + + + + + + pam_id_timeout (ціле число) + + + Для кожного з запитів PAM під час роботи SSSD система SSSD зробить спробу +негайно оновити кешовані дані щодо профілю користувача з метою переконатися, +що розпізнавання виконується на основі найсвіжіших даних. + + + Повний обмін даними сеансу PAM може включати декілька запитів PAM, зокрема +для керування обліковими записами та відкриття сеансів. За допомогою цього +параметра можна керувати (для окремих клієнтів-програм) тривалістю (у +секундах) кешування даних профілю з метою уникнути повторних викликів засобу +надання даних профілів. + + + Типове значення: 5 + + + + + + pam_pwd_expiration_warning (ціле число) + + + Показати попередження за вказану кількість днів перед завершенням дії +пароля. + + + Будь ласка, зауважте, що сервер обробки має надати дані щодо часу завершення +дії пароля. Якщо ці дані не буде виявлено, sssd не зможе показати +попередження. + + + Якщо встановлено нульове значення, цей фільтр не застосовуватиметься, тобто +якщо з сервера обробки надійде попередження щодо завершення строку дії, його +буде автоматично показано. + + + Цей параметр може бути перевизначено встановленням параметра +pwd_expiration_warning для окремого домену. 
+ + + Типове значення: 0 + + + + + get_domains_timeout (ціле число) + + + Визначає час у секундах, протягом якого список піддоменів вважатиметься +чинним. + + + Типове значення: 60 + + + + + pam_trusted_users (рядок) + + + Визначає список відокремлених комами значень UID або імен користувачів, яким +дозволено виконувати обмін даними PAM із довіреними доменами. Користувачі, +яких не включено до цього списку, можуть отримувати доступ лише до доменів, +які позначено як загальнодоступні (public) за допомогою +pam_public_domains. Імена користувачів перетворюються на UID +під час запуску системи. + + + Типове значення: типово усі користувачі вважаються надійними (довіреними) + + + Будь ласка, зауважте, що користувачеві з UID 0 завжди мають доступ до +відповідача PAM, навіть якщо користувача немає у списку pam_trusted_users. + + + + + pam_public_domains (рядок) + + + Визначає список назв доменів, відокремлених комами, доступ до яких можуть +отримувати навіть ненадійні користувачі. + + + Визначено два спеціальних значення параметра pam_public_domains: + + + all (Ненадійним користувачам відкрито доступ до усіх доменів у відповідачі +PAM.) + + + none (Ненадійним користувачам заборонено доступ до усіх доменів PAM у +відповідачі.) + + + Типове значення: none + + + + + pam_account_expired_message (рядок) + + + Надає змогу встановити нетипове повідомлення щодо завершення строку дії, яке +замінити типове повідомлення «Доступ заборонено» («Permission denied»). + + + Зауваження: будь ласка, зверніть увагу на те, що повідомлення буде виведено +для служби SSH, лише якщо pam_verbosity не встановлено у значення 3 +(показувати усі повідомлення і діагностичні дані). + + + приклад: +pam_account_expired_message = Account expired, please contact help desk. + + + + Типове значення: none + + + + + pam_account_locked_message (рядок) + + + Надає змогу встановити нетипове повідомлення щодо блокування, яке замінити +типове повідомлення «Доступ заборонено» («Permission denied»). 
+ + + приклад: +pam_account_locked_message = Account locked, please contact help desk. + + + + Типове значення: none + + + + + pam_cert_auth (булеве значення) + + + Увімкнути сертифікацію на основі розпізнавання за смарткартками. Оскільки це +потребує додаткового обміну даним із смарткарткою, що затримує процес +розпізнавання, типово таку сертифікацію вимкнено. + + + Типове значення: False + + + + + pam_cert_db_path (рядок) + + + Шлях до бази даних сертифікатів, яка містить модулі PKCS#11 для доступу до +смарткартки. + + + Default: + + /etc/pki/nssdb (NSS version, path to a NSS database) + /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with +trusted CA certificates in PEM format) + + + + This man page was generated for the NSS version. + + + This man page was generated for the OpenSSL version. + + + + + p11_child_timeout (ціле число) + + + Час у секундах, протягом якого pam_sss очікуватиме на завершення роботи +p11_child. + + + Типове значення: 10 + + + + + pam_app_services (рядок) + + + Визначає, яким службам PAM дозволено встановлювати з'єднання із доменами +типу application + + + Типове значення: не встановлено + + + + + + + + + Параметри налаштування SUDO + + Цими параметрами можна скористатися для налаштовування служби sudo. Докладні +настанови щодо налаштовування +sudo 8 +на роботу з sssd +8 можна знайти на сторінці довідника + sssd-sudo +5 . + + + + sudo_timed (булеве значення) + + + Визначає, чи слід обробляти атрибути sudoNotBefore і sudoNotAfter, +призначені для визначення часових обмежень для записів sudoers. + + + Типове значення: false + + + + + + + sudo_threshold (ціле число) + + + Максимальна кількість застарілих правил, які можна оновлювати за один +крок. Якщо кількість застарілих правил є нижчою за це порогове значення, +правила буде оновлено за допомогою механізму rules +refresh. Якщо порогове значення перевищено, замість нього буде +використано full refresh з правил sudo. 
Це порогове значення +також стосується команди sudo IPA та групових пошуків команд. + + + Типове значення: 50 + + + + + + + + Параметри налаштування AUTOFS + + Цими параметрами можна скористатися для налаштування служби autofs. + + + + autofs_negative_timeout (ціле число) + + + Визначає кількість секунд, протягом яких відповідач autofs має кешувати +негативні результати пошуку у кеші (тобто запити щодо некоректних записів у +базі даних, зокрема неіснуючих) перед повторним запитом до сервера обробки. + + + Типове значення: 15 + + + + + + + + + Параметри налаштувань SSH + + Цими параметрами можна скористатися для налаштування служби SSH. + + + + ssh_hash_known_hosts (булеве значення) + + + Чи слід хешувати назви та адреси вузлів у керованому файлі known_hosts. + + + Типове значення: true + + + + + ssh_known_hosts_timeout (ціле число) + + + Кількість секунд, протягом яких запису вузла зберігатиметься у керованому +файлі known_hosts після надсилання запиту щодо ключів вузла. + + + Типове значення: 180 + + + + + ssh_use_certificate_keys (bool) + + + If set to true the sss_ssh_authorizedkeys will return ssh +keys derived from the public key of X.509 certificates stored in the user +entry as well. See +sss_ssh_authorizedkeys +1 for details. + + + Типове значення: true + + + + + ca_db (рядок) + + + Шлях до сховища довірених сертифікатів CA. Параметр використовується для +перевірки сертифікатів користувачів до отримання з них відкритих ключів ssh. + + + Default: + + /etc/pki/nssdb (NSS version, path to a NSS database) + /etc/sssd/pki/sssd_auth_ca_db.pem (OpenSSL version, path to a file with +trusted CA certificates in PEM format) + + + + This man page was generated for the NSS version. + + + This man page was generated for the OpenSSL version. + + + + + + + + Параметри налаштування відповідача PAC + + Відповідач PAC працює разом з додатком даних уповноваження для +sssd_pac_plugin.so зі складу MIT Kerberos та засобу надання даних +піддоменів. 
Цей додаток надсилає до відповідача PAC дані PAC під час +розпізнавання за допомогою GSSAPI. Засіб надання даних піддоменів збирає +дані щодо діапазонів SID і ID домену, до якого долучено клієнт, та +віддалених надійних доменів з локального контролера доменів. Якщо PAC +декодовано і визначено, виконуються деякі з таких дій: + + Якщо у кеші немає даних віддаленого користувача, запис цих даних буде +створено. UID буде визначено за допомогою SID, надійні домени матимуть UPG, +а gid матиме те саме значення, що і UID. Дані домашнього каталогу буде +засновано на значенні параметра subdomain_homedir. Типово, для командної +оболонки буде вибрано порожнє значення, тобто використовуватимуться типові +параметри системи. Значення для оболонки можна змінити за допомогою +параметра default_shell. + + Якщо існують SID груп з доменів, про які відомо SSSD, запис користувача буде +додано до цих груп. + + + + + Цими параметрами можна скористатися для налаштовування відповідача PAC. + + + + allowed_uids (рядок) + + + Визначає список значень UID або імен користувачів, відокремлених +комами. Користувачам з цього списку буде дозволено доступ до відповідача +PAC. UID за іменами користувачів визначатимуться під час запуску. + + + Типове значення: 0 (доступ до відповідача PAC має лише адміністративний +користувач (root)) + + + Будь ласка, зауважте, що хоча типово використовується UID 0, значення UID +буде перевизначено на основі цього параметра. Якщо ви хочете надати +адміністративному користувачеві (root) доступ до відповідача PAC, що може +бути типовим варіантом, вам слід додати до списку UID з правами доступу +запис 0. + + + + + pac_lifetime (ціле число) + + + Строк дії запису PAC у секундах. Якщо PAC є чинним, дані PAC можна +використовувати для визначення членства користувача у групі. 
+ + + Типове значення: 300 + + + + + + + + Параметри налаштовування запису сеансів + + Запис сеансів працює у зв'язці з +tlog-rec-session 8 +, частиною пакунка tlog, для запису даних, які бачать і +вводять користувачі після входу до текстового термінала. Див. також + sssd-session-recording +5 . + + + Цими параметрами можна скористатися для налаштовування запису сеансів. + + + + scope (рядок) + + + Один із вказаних нижче рядків, що визначають область запису сеансів: + + + "none" + + + Користувачі не записуються. + + + + + "some" + + + Запис вестиметься для користувачів і груп, вказаних параметрами +користувачі і групи. + + + + + "all" + + + Усі користувачі записуються. + + + + + + + Типове значення: none + + + + + users (рядок) + + + Список відокремлених комами записів користувачів, для яких увімкнено +записування сеансів. Належність до списку визначатиметься за іменами, +повернутими NSS, тобто після можливих замін пробілів, змін регістру символів +тощо. + + + Типове значення: порожнє. Не відповідає жодному користувачу. + + + + + groups (рядок) + + + Список відокремлених комами записів груп, для користувачів яких буде +увімкнено записування сеансів. Належність до списку визначатиметься за +назвами, повернутими NSS, тобто після можливих замін пробілів, змін регістру +символів тощо. + + + Зауваження: використання цього параметра (встановлення для нього будь-якого +значення) значно впливає на швидкодію, оскільки некешований запит щодо +користувача потребує отримання і встановлення відповідності груп, до яких +належить користувач. + + + Типове значення: порожнє. Не відповідає жодній групі. + + + + + + + + + + РОЗДІЛИ ДОМЕНІВ + + Ці параметри налаштування може бути вказано у розділі налаштування домену, +тобто у розділі з назвою +[domain/НАЗВА] + + domain_type (рядок) + + + Визначає, чи призначено домен для використання клієнтами у стандарті POSIX, +зокрема NSS, або програмами, які не потребують наявності або створення даних +POSIX. 
Інтерфейсам та інструментам операційних систем доступні лише об'єкти +з доменів POSIX. + + + Дозволеними значеннями цього параметра є posix і +application. + + + Домени POSIX доступні для усіх служб. Домени програм доступні лише з +відповідача InfoPipe (див. +sssd-ifp 5 +) і відповідача PAM. + + + ЗАУВАЖЕННЯ: належне тестування у поточній версії виконано лише для доменів +application з id_provider=ldap. + + + Щоб ознайомитися із простим способом налаштовування не-POSIX доменів, будь +ласка, ознайомтеся із розділом Домени програм. + + + Типове значення: posix + + + + + + min_id,max_id (ціле значення) + + + Обмеження UID і GID для домену. Якщо у домені міститься запис, що не +відповідає цим обмеженням, його буде проігноровано. + + + Для користувачів зміна цього параметра вплине на основне обмеження +GID. Запис користувача не буде повернуто до NSS, якщо UID або основний GID +не належать вказаному діапазону. Записи користувачів, які не є учасниками +основної групи і належать діапазону, буде виведено у звичайному режимі. + + + Ці обмеження на ідентифікатори стосуються і збереження записів до кешу, не +лише повернення записів за назвою або ідентифікатором. + + + Типові значення: 1 для min_id, 0 (без обмежень) для max_id + + + + + + enumerate (булеве значення) + + + Визначає, чи можна нумерувати домен, тобто, чи може домен створити список +усіх користувачів і груп, які у ньому містяться. Зауважте, що вмикання +нумерування не є обов'язковим для показу вторинних груп. Цей параметр може +мати такі значення: + + + TRUE = користувачі і групи нумеруються + + + FALSE = не використовувати нумерацію для цього домену + + + Типове значення: FALSE + + + Нумерування домену потребує від SSSD отримання і зберігання усіх записів +користувачів і груп із віддаленого сервера. + + + Зауваження: вмикання нумерації помірно знизить швидкодію SSSD на час +виконання нумерації. Нумерація може тривати до декількох хвилин після +запуску SSSD. 
Протягом виконання нумерації окремі запити щодо даних буде +надіслано безпосередньо до LDAP, хоча і з уповільненням через навантаження +системи виконанням нумерації. Збереження великої кількості записів до кешу +після завершення нумерації може також значно навантажити процесор, оскільки +повторне визначення параметрів участі також іноді є складним завданням. Це +може призвести до проблем із отриманням відповіді від процесу +sssd_be або навіть перезапуску усього засобу стеження. + + + Під час першого виконання нумерації запити щодо повних списків користувачів +та груп можуть не повертати жодних результатів, аж доки нумерацію не буде +завершено. + + + Крім того, вмикання нумерації може збільшити час, потрібний для виявлення +того, що мережеве з’єднання розірвано, оскільки потрібне буде збільшення +часу очікування для забезпечення успішного завершення пошуків нумерації. Щоб +отримати додаткову інформацію, зверніться до сторінок довідника (man) +відповідного використаного засобу обробки ідентифікаторів (id_provider). + + + З вказаних вище причин не рекомендуємо вам вмикати нумерацію, особливо у +об’ємних середовищах. + + + + + + subdomain_enumerate (рядок) + + + Визначає, чи слід нумерувати усі автоматично виявлені надійні (довірені) +домени. Підтримувані значення: + + all + Усі виявлені надійні домени буде пронумеровано + + + none + Нумерація виявлених надійних доменів не виконуватиметься + + +Якщо потрібно, можна вказати список з однієї або декількох назв надійних +доменів, для яких буде увімкнено нумерацію. + + + Типове значення: none + + + + + + entry_cache_timeout (ціле число) + + + Кількість секунд, протягом яких nss_sss вважатиме записи чинними, перш ніж +надсилати повторний запит до сервера + + + Дані щодо часових позначок завершення строку дії записів кешу зберігаються +як атрибути окремих об’єктів у кеші. Тому зміна часу очікування на дані у +кеші впливає лише на нові записи та записи, строк дії яких вичерпано. 
Для +примусового оновлення записів, які вже було кешовано, вам слід запустити +програму sss_cache +8 . + + + Типове значення: 5400 + + + + + + entry_cache_user_timeout (ціле число) + + + Кількість секунд, протягом яких nss_sss вважатиме записи користувачів +чинними, перш ніж надсилати повторний запит до сервера + + + Типове значення: entry_cache_timeout + + + + + + entry_cache_group_timeout (ціле число) + + + Кількість секунд, протягом яких nss_sss вважатиме записи груп чинними, перш +ніж надсилати повторний запит до сервера + + + Типове значення: entry_cache_timeout + + + + + + entry_cache_netgroup_timeout (ціле число) + + + Кількість секунд, протягом яких nss_sss вважатиме записи мережевих груп +чинними, перш ніж надсилати повторний запит до сервера + + + Типове значення: entry_cache_timeout + + + + + + entry_cache_service_timeout (ціле число) + + + Кількість секунд, протягом яких nss_sss вважатиме записи служб чинними, перш +ніж надсилати повторний запит до сервера + + + Типове значення: entry_cache_timeout + + + + + + entry_cache_sudo_timeout (ціле число) + + + Кількість секунд, протягом яких sudo вважатиме правила чинними, перш ніж +надсилати повторний запит до сервера + + + Типове значення: entry_cache_timeout + + + + + + entry_cache_autofs_timeout (ціле число) + + + Кількість секунд, протягом яких служба autofs вважатиме карти автомонтування +чинними, перш ніж надсилати повторний запит до сервера + + + Типове значення: entry_cache_timeout + + + + + + entry_cache_ssh_host_timeout (ціле число) + + + Кількість секунд, протягом яких слід зберігати ключ ssh вузла після +оновлення. Іншими словами, параметр визначає тривалість зберігання ключа +вузла у кеші. + + + Типове значення: entry_cache_timeout + + + + + + refresh_expired_interval (ціле число) + + + Визначає кількість секунд, протягом яких SSSD має очікувати до запуску +завдання з оновлення у фоновому режимі записів кешу, строк дії яких +вичерпано або майже вичерпано. 
+ + + Під час фонового оновлення виконуватиметься обробка записів користувачів, +груп та мережевих груп у кеші. + + + Варто визначити для цього параметра значення 3/4 * entry_cache_timeout. + + + Типове значення: 0 (вимкнено) + + + + + + cache_credentials (булеве значення) + + + Визначає, чи слід також кешувати реєстраційні дані користувача у локальному +кеші LDB + + + Реєстраційні дані користувача зберігаються у форматі хешу SHA512, а не у +форматі звичайного тексту + + + Типове значення: FALSE + + + + + + cache_credentials_minimal_first_factor_length (ціле число) + + + Якщо використано двофакторне розпізнавання (2FA) і реєстраційні дані мають +зберігатися, це значення визначає мінімальну довжину першого фактора +розпізнавання (довготривалого пароля), який має бути збережено у форматі +контрольної суми SHA512 у кеші. + + + Таким чином забезпечується уникнення випадку, коли короткі PIN-коди +заснованої на PIN-кодах схеми 2FA зберігаються у кеші, що робить їх простою +мішенню атак із перебиранням паролів. + + + Типове значення: 8 + + + + + + account_cache_expiration (ціле число) + + + Кількість днів, протягом яких записи залишатимуться у кеші після успішного +входу до системи до вилучення під час спорожнення кешу. 0 — не вилучати +записи. Значення цього параметра має бути більшим або рівним значенню +offline_credentials_expiration. + + + Типове значення: 0 (без обмежень) + + + + + pwd_expiration_warning (ціле число) + + + Показати попередження за вказану кількість днів перед завершенням дії +пароля. + + + Якщо встановлено нульове значення, цей фільтр не застосовуватиметься, тобто +якщо з сервера обробки надійде попередження щодо завершення строку дії, його +буде автоматично показано. + + + Будь ласка, зауважте, що сервер обробки має надати дані щодо часу завершення +дії пароля. Якщо ці дані не буде виявлено, sssd не зможе показати +попередження. Крім того для цього сервера може бути вказано службу надання +даних розпізнавання. 
+ + + Типове значення: 7 (Kerberos), 0 (LDAP) + + + + + + id_provider (рядок) + + + Засіб надання даних ідентифікації, який використовується для цього +домену. Серед підтримуваних засобів такі: + + + proxy: Support a legacy NSS provider. + + + local: SSSD internal provider for local users (DEPRECATED). + + + files: FILES provider. See +sssd-files 5 + for more information on how to mirror local users and groups +into SSSD. + + + ldap: засіб LDAP. Докладніше про налаштовування LDAP можна +дізнатися з довідки до +sssd-ldap 5 +. + + + ipa: засіб FreeIPA та керування профілями Red Hat +Enterprise. Докладніші відомості щодо налаштовування IPA викладено у +довіднику з sssd-ipa + . + + + ad: засіб Active Directory. Докладніші відомості щодо +налаштовування Active Directory викладено у довіднику з +sssd-ad 5 +. + + + + + + use_fully_qualified_names (булеве значення) + + + Використовувати ім’я та домен повністю (у форматі, визначеному +full_name_format домену) як ім’я користувача у системі, що повідомляється +NSS. + + + Якщо встановлено значення TRUE, всі запити до цього домену мають +використовувати повні назви. Наприклад, якщо використано домен LOCAL, який +містить запис користувача «test» user, getent passwd test +не покаже користувача, а getent passwd test@LOCAL покаже. + + + ЗАУВАЖЕННЯ: цей параметр не впливатиме на пошук у мережевих групах через +тенденцію до включення до таких груп вкладених мережевих груп. Для мережевих +груп, якщо задано неповну назву, буде виконано пошук у всіх доменах. + + + Типове значення: FALSE (TRUE, якщо використано default_domain_suffix) + + + + + ignore_group_members (булеве значення) + + + Не повертати записи учасників груп для пошуків груп. + + + Якщо встановлено значення TRUE, сервер LDAP не запитуватиме дані щодо +атрибутів участі у групах, а списки учасників груп не повертаються під час +обробки запитів щодо пошуку груп, зокрема +getgrnam 3 + або getgrgid +3 . 
Отже, getent group +$groupname поверне запитану групу так, наче вона була порожня. + + + Вмикання цього параметра може також значно пришвидшити перевірки засобу +надання доступу для участі у групі, особливо для груп, у яких багато +учасників. + + + Типове значення: FALSE + + + + + auth_provider (рядок) + + + Служба розпізнавання, яку використано для цього домену. Серед підтримуваних +служб розпізнавання: + + + ldap — вбудоване розпізнавання LDAP. Докладніші відомості +щодо налаштовування LDAP викладено у довіднику з +sssd-ldap 5 +. + + + krb5 — вбудоване розпізнавання Kerberos. Докладніші відомості +щодо налаштовування Kerberos викладено у довіднику з +sssd-krb5 +. + + + ipa: засіб FreeIPA та керування профілями Red Hat +Enterprise. Докладніші відомості щодо налаштовування IPA викладено у +довіднику з sssd-ipa + . + + + ad: засіб Active Directory. Докладніші відомості щодо +налаштовування Active Directory викладено у довіднику з +sssd-ad 5 +. + + + proxy — трансльоване розпізнавання у іншій системі PAM. + + + local: вбудований засіб SSSD для локальних користувачів + + + none — вимкнути розпізнавання повністю. + + + Типове значення: буде використано id_provider, якщо цей +спосіб встановлено і можлива обробка запитів щодо розпізнавання. + + + + + access_provider (рядок) + + + Програма керування доступом для домену. Передбачено дві вбудованих програми +керування доступом (окрім всіх встановлених додаткових +серверів). Вбудованими програмами є: + + + permit дозволяти доступ завжди. Єдиний дозволений засіб +доступу для локального домену. + + + deny — завжди забороняти доступ. + + + ldap — вбудоване розпізнавання LDAP. Докладніші відомості +щодо налаштовування LDAP викладено у довіднику з +sssd-ldap 5 +. + + + ipa: засіб FreeIPA та керування профілями Red Hat +Enterprise. Докладніші відомості щодо налаштовування IPA викладено у +довіднику з sssd-ipa + . + + + ad: засіб Active Directory. 
Докладніші відомості щодо +налаштовування Active Directory викладено у довіднику з +sssd-ad 5 +. + + + simple — керування доступом на основі списків дозволу або +заборони. Докладніші відомості щодо налаштовування модуля доступу simple +можна знайти у довідці до +sssd-simple +5. + + + krb5 — керування доступом на основі .k5login. Докладніші +відомості щодо налаштовування Kerberos викладено у довіднику з + sssd-krb5 + . + + + proxy — для трансляції керування доступом до іншого модуля +PAM. + + + Типове значення: permit + + + + + chpass_provider (рядок) + + + Система, яка має обробляти дії зі зміни паролів для домену. Передбачено +підтримку таких систем зміни паролів: + + + ldap — змінити пароль, що зберігається на сервері +LDAP. Докладніші відомості щодо налаштовування LDAP викладено у довіднику з + sssd-ldap +5 . + + + krb5 — змінити пароль Kerberos. Докладніші відомості щодо +налаштовування Kerberos викладено у довіднику з +sssd-krb5 +. + + + ipa: засіб FreeIPA та керування профілями Red Hat +Enterprise. Докладніші відомості щодо налаштовування IPA викладено у +довіднику з sssd-ipa + . + + + ad: засіб Active Directory. Докладніші відомості щодо +налаштовування Active Directory викладено у довіднику з +sssd-ad 5 +. + + + proxy — трансльована зміна пароля у іншій системі PAM. + + + none — явно вимкнути можливість зміни пароля. + + + Типове значення: використовується «auth_provider», якщо встановлено значення +цього параметра і якщо система здатна обробляти запити щодо паролів. + + + + + + sudo_provider (рядок) + + + Служба SUDO, яку використано для цього домену. Серед підтримуваних служб +SUDO: + + + ldap для правил, що зберігаються у LDAP. Докладніше про +налаштовування LDAP можна дізнатися з довідки до +sssd-ldap 5 +. + + + ipa — те саме, що і ldap, але з типовими +параметрами IPA. + + + ad — те саме, що і ldap, але з типовими +параметрами AD. + + + none явним чином вимикає SUDO. + + + Типове значення: використовується значення id_provider, якщо +його встановлено. 
+ + + З докладними настановами щодо налаштовування sudo_provider можна +ознайомитися за допомогою сторінки підручника (man) +sssd-sudo 5 +. Передбачено доволі багато параметрів налаштовування, якими +можна скористатися для коригування поведінки програми. Докладніший опис +можна знайти у розділах щодо «ldap_sudo_*»" у підручнику з +sssd-ldap 5 +. + + + Зауваження: правила sudo періодично отримуються у +фоновому режимі, якщо постачальник даних sudo не вимкнено явним +чином. Встановіть значення sudo_provider = None, щоб +вимкнути усі дії, пов'язані із sudo у SSSD, якщо ви взагалі не хочете +використовувати sudo у SSSD. + + + + + selinux_provider (рядок) + + + Засіб, який має відповідати за завантаження параметрів SELinux. Зауважте, що +цей засіб буде викликано одразу після завершення роботи служби надання +доступу. Передбачено підтримку таких засобів надання даних SELinux: + + + ipa для завантаження параметрів selinux з сервера +IPA. Докладніші відомості щодо налаштовування IPA викладено у довіднику з + sssd-ipa +5 . + + + none явним чином забороняє отримання даних щодо параметрів +SELinux. + + + Типове значення: буде використано id_provider, якщо цей +спосіб встановлено і можлива обробка запитів щодо завантаження SELinux. + + + + + subdomains_provider (рядок) + + + Засіб надання даних, який має обробляти отримання даних піддоменів. Це +значення має завжди збігатися зі значенням id_provider. Передбачено +підтримку таких засобів надання даних піддоменів: + + + ipa для завантаження списку піддоменів з сервера +IPA. Докладніші відомості щодо налаштовування IPA викладено у довіднику з + sssd-ipa +5 . + + + «ad», з якої слід завантажувати список піддоменів з сервера Active +Directory. Див. sssd-ad +5 , щоб дізнатися більше про +налаштовування засобу надання даних AD. + + + none забороняє ячним чином отримання даних піддоменів. + + + Типове значення: використовується значення id_provider, якщо +його встановлено. 
+ + + + + session_provider (рядок) + + + Постачальник даних, який налаштовує завдання, пов'язані із сеансами +користувачів, і керує ними. Єдиним завданням сеансів користувача у поточній +версії є інтеграція із Fleet Commander, який працює лише з IPA. Підтримувані +постачальники даних сеансів: + + + ipa, щоб дозволити пов'язані із сеансами користувачів +завдання. + + + none — не виконувати жодних пов'язаних із сеансами +користувачів завдань. + + + Типове значення: використовується значення id_provider, якщо +його встановлено і дозволено виконувати пов'язані із сеансами завдання. + + + Зауваження: щоб ця можливість працювала як слід, SSSD +має бути запущено від імені користувача root, а не якогось іншого +непривілейованого користувача. + + + + + + autofs_provider (рядок) + + + Служба autofs, яку використано для цього домену. Серед підтримуваних служб +autofs: + + + ldap — завантажити карти, що зберігаються у LDAP. Докладніше +про налаштовування LDAP можна дізнатися з довідки до +sssd-ldap 5 +. + + + ipa — завантажити карти, що зберігається на сервері +IPA. Докладніші відомості щодо налаштовування IPA викладено у довіднику з + sssd-ipa + . + + + ad — завантажити карти, що зберігаються на сервері +AD. Див. sssd-ad +5 , щоб дізнатися більше про +налаштовування засобу надання даних AD. + + + none вимикає autofs повністю. + + + Типове значення: використовується значення id_provider, якщо +його встановлено. + + + + + + hostid_provider (рядок) + + + Засіб надання даних, який використовується для отримання даних щодо профілю +вузла. Серед підтримуваних засобів надання hostid: + + + ipa — завантажити профіль системи, що зберігається на сервері +IPA. Докладніші відомості щодо налаштовування IPA викладено у довіднику з + sssd-ipa + . + + + none вимикає hostid повністю. + + + Типове значення: використовується значення id_provider, якщо +його встановлено. 
+ + + + + + re_expression (рядок) + + + Формальний вираз для цього домену, який описує спосіб поділи рядка, що +містить ім’я користувача та назву домену на ці компоненти. «Домен» може +відповідати назві домену налаштувань SSSD або, у випадку піддоменів довіри +IPA та доменів Active Directory, простій назві (NetBIOS) домену. + + + Типовий для засобів надання AD і IPA: +(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$)) +За його допомогою можна визначати три різні стилі запису імен користувачів: + + + користувач + + + користувач@назва.домену + + + домен\користувач + + + Перші два стилі відповідають загальним типовим стилям, а третій введено для +того, щоб полегшити інтеграцію користувачів з доменів Windows. + + + Типове значення: +(?P<name>[^@]+)@?(?P<domain>[^@]*$), можна +висловити так: іменем користувача є все до символу «@», назвою домену — все +після цього символу. + + + NOTE: Some Active Directory groups, typically those used for MS Exchange +contain an @ sign in the name, which clashes with the default +re_expression value for the AD and IPA providers. To support these groups, +consider changing the re_expression value to: +((?P<name>.+)@(?P<domain>[^@]+$)). + + + + + full_name_format (рядок) + + + Сумісний з printf +3 формат, який описує спосіб +створення повного імені на основі імені користувача та компонентів назви +домену. + + + Передбачено використання таких замінників: + + %1$s + ім’я користувача + + + %2$s + + + назва домену у форматі, вказаному у файлі налаштувань SSSD. + + + + + %3$s + + + проста назва домену. Здебільшого використовується для доменів Active +Directory, налаштованих та автоматично виявлених за зв’язками довіри IPA. + + + + + + + Типове значення: %1$s@%2$s. + + + + + + lookup_family_order (рядок) + + + Надає можливість вибрати бажане сімейство адрес, яке слід використовувати +під час виконання пошуків у DNS. 
+ + + Передбачено підтримку таких значень: + + + ipv4_first: спробувати визначити адресу у форматі IPv4, у разі невдачі +спробувати формат IPv6 + + + ipv4_only: намагатися визначити назви вузлів лише у форматі адрес IPv4. + + + ipv6_first: спробувати визначити адресу у форматі IPv6, у разі невдачі +спробувати формат IPv4 + + + ipv6_only: намагатися визначити назви вузлів лише у форматі адрес IPv6. + + + Типове значення: ipv4_first + + + + + + dns_resolver_timeout (ціле число) + + + Визначає кількість часу (у секундах) очікування відповіді від внутрішньої +служби перемикання на резервний ресурс, перш ніж службу буде визначено +недоступним. Якщо час очікування буде перевищено, домен продовжуватиме +роботу у автономному режимі. + + + Будь ласка, ознайомтеся із розділом РЕЗЕРВ, щоб дізнатися +більше про розв'язування питань, пов'язаних із службами. + + + Типове значення: 6 + + + + + + dns_discovery_domain (рядок) + + + Якщо у модулі обробки використовується визначення служб, вказує доменну +частину запиту визначення служб DNS. + + + Типова поведінка: використовувати назву домену з назви вузла комп’ютера. + + + + + + override_gid (ціле число) + + + Замірити значення основного GID на вказане. + + + + + + case_sensitive (рядок) + + + Враховувати регістр записів імен користувачів та назв груп. У поточній +версії підтримку передбачено лише для локальних надавачів даних. Можливі +значення параметра: + + True + + + Враховується регістр. Це значення є некоректним для засобу надання даних AD. + + + + + False + + Без врахування регістру. + + + + Preserving + + + Те саме, що і False (без врахування регістру символів), але без переведення +у нижній регістр імен у результатах дій NSS. Зауважте, що альтернативні +імена (у випадку служб також назви протоколів) у виведених даних все одно +буде переведено у нижній регістр. 
+ + + + + + + Типове значення: True (False для засобу надання даних AD) + + + + + + subdomain_inherit (рядок) + + + Визначає список параметрів налаштування, які слід успадковувати для +піддомену. Будь ласка, зауважте, що успадковуватимуться лише вказані +параметри. У поточній версії передбачено можливість успадковування таких +параметрів: + + + ignore_group_members + + + ldap_purge_cache_timeout + + + ldap_use_tokengroups + + + ldap_user_principal + + + ldap_krb5_keytab (значення krb5_keytab буде використано, якщо +ldap_krb5_keytab не встановлено явним чином) + + + Приклад: +subdomain_inherit = ldap_purge_cache_timeout + + + + Типове значення: none + + + Зауваження: цей параметр працює лише для засобів надання даних IPA і AD. + + + + + + subdomain_homedir (рядок) + + + Використовувати вказаний домашній каталог як типовий для всіх піддоменів у +цьому домені у межах довіри AD IPA. Дані щодо можливих значень наведено у +описі параметра override_homedir. Крім того, +розгортання можна використовувати лише з +subdomain_homedir. + + %F + спрощена (NetBIOS) назва піддомену. + + + + + Це значення може бути перевизначено параметром +override_homedir. + + + Типове значення: /home/%d/%u + + + + + realmd_tags (рядок) + + + Різноманітні теґи, що зберігаються службою налаштовування realmd для цього +домену. + + + + + cached_auth_timeout (ціле число) + + + Визначає час у секундах з моменту останнього успішного розпізнавання у +мережі, для якого користувача буде розпізнано за допомогою кешованих +реєстраційних даних, доки SSSD перебуває у режимі «у мережі». + + + Спеціальне значення 0 означає, що цю можливість вимкнено. + + + Будь ласка, зауважте, що якщо cached_auth_timeout має більше +значення за pam_id_timeout, модуль може бути викликано для +обробки initgroups. + + + Типове значення: 0 + + + + + auto_private_groups (рядок) + + + Якщо увімкнено цей параметр, SSSD автоматично створюватиме приватні групи +користувачів на основі номера UID користувача. 
Номер GID у цьому випадку +ігноруватиметься. + + + Для піддоменів POSIX встановлення для цього параметра значення головного +домену успадковується у піддомені. + + + Для піддоменів із прив'язкою за ідентифікатором auto_private_groups вже +увімкнено для піддоменів, встановлення для нього значення false ніяк не +впливатиме на піддомен. + + + Зауваження: оскільки номер GID і приватна група користувача успадковуються з +номера UID, підтримки декількох записів із однаковим номером UID або GID у +цьому параметрі не передбачено. Іншими словами, вмикання цього параметра +примусово встановлює унікальність записів у просторі ідентифікаторів. + + + Типове значення: False + + + + + + + + Параметри, які є чинними для доменів проксі. + + proxy_pam_target (рядок) + + + Комп’ютер, для якого виконує проксі-сервер PAM. + + + Типове значення: типово не встановлено, вам слід скористатися вже створеними +налаштуваннями pam або створити нові і тут додати назву служби. + + + + + + proxy_lib_name (рядок) + + + Назва бібліотеки NSS для використання у доменах з проксі-серверами. Функції +NSS шукаються у бібліотеці у форматі _nss_$(назва_бібліотеки)_$(функція), +наприклад _nss_files_getpwent. + + + + + + proxy_fast_alias (булеве значення) + + + Під час пошуку запису користувача чи групи за назвою у системі надання даних +переадресації виконується вторинний пошук за ідентифікатором з метою +визначення «канонічної» форми назви, якщо результат знайдено за +альтернативною назвою (псевдонімом). Встановлення для цього параметра +значення «true» призведе до того, що SSSD виконуватиме пошук ідентифікатора +у кеші, щоб пришвидшити надання результатів. + + + Типове значення: false + + + + + + proxy_max_children (ціле число) + + + Цей параметр визначає кількість попередньо розгалужених дочірніх проксі. Він +корисний для високонавантажених середовищ SSSD, де sssd може вичерпати +кількість доступних дочірніх слотів, що може спричинити деякі вади через +використання черги запитів. 
+ + + Типове значення: 10 + + + + + + + + + Домени програм (application) + + SSSD, з його інтерфейсом D-Bus (див. +sssd-ifp 5 +) є привабливим для програм як шлюз до каталогу LDAP, де +зберігаються дані користувачів і груп. Втім, на відміну від традиційного +формату роботи SSSD, де усі користувачі і групи або мають атрибути POSIX, +або ці атрибути може бути успадковано з SID Windows, у багатьох випадках +користувачі і групи у сценарії підтримки роботи програм не мають атрибутів +POSIX. Замість визначення розділу +[domain/НАЗВА] адміністратор може +визначити розділ +[application/НАЗВА], який на +внутрішньому рівні представляє домен типу application, який +може успадковувати параметр з традиційного домену SSSD. + + + Будь ласка, зауважте, що домен програм має так само явним чином увімкнено у +параметрі domains, отже порядок пошуку між доменом програм і +його доменом-близнюком у POSIX має бути встановлено належним чином. + + + Параметри доменів програм + + inherit_from (рядок) + + + Домен типу POSIX SSSD, з якого домен програм успадковує усі параметри. Далі, +домен програм поже додавати власні параметри до параметрів програми, які +розширюють або перевизначають параметри домену-близнюка. + + + Типове значення: не встановлено + + + + + + У наведеному нижче прикладі проілюстровано використання домену програм. У +цій конфігурації домен POSIX з'єднано із сервером LDAP, він використовується +операційною системою через відповідач NSS. Крім того, домен програм також +надсилає запит щодо атрибута telephoneNumber, зберігає його як атрибут phone +у кеші і робить атрибут phone доступним через інтерфейс D-Bus. 
+ + +[sssd] +domains = appdom, posixdom + +[ifp] +user_attributes = +phone + +[domain/posixdom] +id_provider = ldap +ldap_uri = ldap://ldap.example.com +ldap_search_base = dc=example,dc=com + +[application/appdom] +inherit_from = posixdom +ldap_user_extra_attrs = phone:telephoneNumber + + + + + Розділ локального домену + + У цьому розділі містяться параметри для домену, який зберігає записи +користувачів і груп у вбудованій базі даних SSSD, тобто домену, який +використовує id_provider=local. + + + Параметри розділу + + default_shell (рядок) + + + Типова оболонка для записів користувачів, створених за допомогою +інструментів простору користувачів SSSD. + + + Типове значення: /bin/bash + + + + + base_directory (рядок) + + + Інструменти додають ім’я користувача до +base_directory і використовують отриману адресу +як адресу домашнього каталогу. + + + Типове значення: /home + + + + + create_homedir (булеве значення) + + + Визначає, чи слід типово створювати домашній каталог для нових +користувачів. Може бути перевизначено з командного рядка. + + + Типове значення: TRUE + + + + + remove_homedir (булівське значення) + + + Визначає, чи слід вилучати домашній каталог для вилучених записів +користувачів. Може бути перевизначено з командного рядка. + + + Типове значення: TRUE + + + + + homedir_umask (ціле число) + + + Використовується sss_useradd +8 для визначення типових прав доступу +до щойно створеного домашнього каталогу. + + + Типове значення: 077 + + + + + skel_dir (рядок) + + + Каркасний каталог, який містить файли і каталоги, які буде скопійовано до +домашнього каталогу користувача, коли такий домашній каталог створюється +командою sss_useradd +8 + + + Типове значення: /etc/skel + + + + + mail_dir (рядок) + + + Каталог буфера пошти. Цей каталог потрібен для обробки поштової скриньки, +якщо відповідний обліковий запис користувача змінено або вилучено. Якщо +каталог не вказано, буде використано типове значення. 
+ + + Типове значення: /var/mail + + + + + userdel_cmd (рядок) + + + Команда, яку буде виконано після вилучення запису користувача. Команді, як +перший і єдиний параметр, передається ім’я користувача, запис якого +вилучається. Код виконання, повернутий програмою не обробляється. + + + Типове значення: None, не виконувати жодних команд + + + + + + + + + + РОЗДІЛ ДОВІРЕНИХ ДОМЕНІВ + + Деякі параметри, які використовуються у розділі домену, можна також +використовувати у розділі довіреного домену, тобто у розділі, який +називається +[domain/НАЗВА_ДОМЕНУ/НАЗВА_ДОВІРЕНОГО_ДОМЕНУ]. +Де НАЗВА_ДОМЕНУ є справжнім базовим доменом для долучення. Приклади наведено +нижче. У поточній версії підтримуваними параметрами у розділі довіреного +домену є такі параметри: + + ldap_search_base, + ldap_user_search_base, + ldap_group_search_base, + ldap_netgroup_search_base, + ldap_service_search_base, + ad_server, + ad_backup_server, + ad_site, + use_fully_qualified_names + + Докладніший опис цих параметрів можна знайти у окремих описах на сторінці +підручника. + + + + + ПРИКЛАДИ + + 1. Нижче наведено приклад типових налаштувань SSSD. Налаштування самого +домену не наведено, — щоб дізнатися більше про неї, ознайомтеся з +документацією щодо налаштовування доменів. +[sssd] +domains = LDAP +services = nss, pam +config_file_version = 2 + +[nss] +filter_groups = root +filter_users = root + +[pam] + +[domain/LDAP] +id_provider = ldap +ldap_uri = ldap://ldap.example.com +ldap_search_base = dc=example,dc=com + +auth_provider = krb5 +krb5_server = kerberos.example.com +krb5_realm = EXAMPLE.COM +cache_credentials = true + +min_id = 10000 +max_id = 20000 +enumerate = False + + + + 2. У наведеному нижче прикладі показано налаштування довіри AD у IPA, де ліс +AD складається з двох доменів у структурі батьківський-дочірній. Нехай домен +IPA (ipa.com) має стосунки довіри з доменом AD (ad.com). ad.com має дочірній +домен (child.ad.com). 
Щоб увімкнути скорочені назви у дочірньому домені, +слід скористатися наведеними нижче налаштуваннями. +[domain/ipa.com/child.ad.com] +use_fully_qualified_names = false + + + + + + + + diff --git a/src/man/uk/sssd_krb5_locator_plugin.8.xml b/src/man/uk/sssd_krb5_locator_plugin.8.xml new file mode 100644 index 0000000..6c54b8a --- /dev/null +++ b/src/man/uk/sssd_krb5_locator_plugin.8.xml @@ -0,0 +1,69 @@ + + + +Сторінки підручника SSSD + + + + + sssd_krb5_locator_plugin + 8 + + + + sssd_krb5_locator_plugin + Додаток локатора Kerberos + + + + ОПИС + + Додаток пошуку Kerberos sssd_krb5_locator_plugin +використовується засобом обробки Kerberos +sssd 8 +для сповіщення бібліотек Kerberos яку область і KDC слід +використовувати. Типово, таке сповіщення виконується за допомогою + krb5.conf +5 , файла, читання якого завжди +виконується бібліотеками Kerberos. Щоб спростити налаштування, область та +KDC можна визначити у +sssd.conf 5 + у спосіб, описаний на сторінці довідки +sssd-krb5 5 + + + + sssd 8 + зберігає область і назву або IP-адресу KDC у змінних +середовища SSSD_KRB5_REALM і SSSD_KRB5_KDC, відповідно. Якщо програма +sssd_krb5_locator_plugin викликається бібліотеками +kerberos, ця програма читає і визначає ці змінні і повертає їхні значення +бібліотекам. + + + + + ЗАУВАЖЕННЯ + + Підтримку використання додатків передбачено не у всіх реалізаціях +Kerberos. Якщо у вашій системі немає +sssd_krb5_locator_plugin, вам слід внести зміни до +/etc/krb5.conf, які відповідатимуть вашій версії Kerberos. + + + Якщо встановлено будь-яке значення змінної середовища +SSSD_KRB5_LOCATOR_DEBUG, діагностичні повідомлення надсилатимуться до +stderr. + + + Якщо встановлено будь-яке значення для змінної середовища +SSSD_KRB5_LOCATOR_DISABLE, додаток буде вимкнено і поверне функції виклику +лише KRB5_PLUGIN_NO_HANDLE. + + + + + + + diff --git a/src/man/zh_CN/include/ad_modified_defaults.xml b/src/man/zh_CN/include/ad_modified_defaults.xml new file mode 100644 index 0000000..7c6def2 
--- /dev/null +++ b/src/man/zh_CN/include/ad_modified_defaults.xml @@ -0,0 +1,77 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_enterprise_principal = true + + + + + + LDAP Provider + + + + ldap_schema = ad + + + + + ldap_force_upper_case_realm = true + + + + + ldap_id_mapping = true + + + + + ldap_sasl_mech = gssapi + + + + + ldap_referrals = false + + + + + ldap_account_expire_policy = ad + + + + + ldap_use_tokengroups = true + + + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. + + + + + diff --git a/src/man/zh_CN/include/autofs_restart.xml b/src/man/zh_CN/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/zh_CN/include/autofs_restart.xml @@ -0,0 +1,5 @@ + + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. + diff --git a/src/man/zh_CN/include/debug_levels.xml b/src/man/zh_CN/include/debug_levels.xml new file mode 100644 index 0000000..5148252 --- /dev/null +++ b/src/man/zh_CN/include/debug_levels.xml 
@@ -0,0 +1,86 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Please note that each SSSD service logs into its own log file. Also please +note that enabling debug_level in the [sssd] +section only enables debugging just for the sssd process itself, not for the +responder or provider processes. The debug_level parameter +should be added to all sections that you wish to produce debug logs from. + + + In addition to changing the log level in the config file using the +debug_level parameter, which is persistent, but requires SSSD +restart, it is also possible to change the debug level on the fly using the + sss_debuglevel +8 tool. + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. 
+ + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/zh_CN/include/debug_levels_tools.xml b/src/man/zh_CN/include/debug_levels_tools.xml new file mode 100644 index 0000000..8bc77cf --- /dev/null +++ b/src/man/zh_CN/include/debug_levels_tools.xml 
@@ -0,0 +1,72 @@ + + + SSSD supports two representations for specifying the debug level. The +simplest is to specify a decimal value from 0-9, which represents enabling +that level and all lower-level debug messages. The more comprehensive option +is to specify a hexadecimal bitmask to enable or disable specific levels +(such as if you wish to suppress a level). + + + Currently supported debug levels: + + + 0, 0x0010: Fatal +failures. Anything that would prevent SSSD from starting up or causes it to +cease running. + + + 1, 0x0020: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + + + 2, 0x0040: Serious failures. An +error announcing that a particular request or operation has failed. + + + 3, 0x0080: Minor failures. These +are the errors that would percolate down to cause the operation failure of +2. + + + 4, 0x0100: Configuration settings. + + + 5, 0x0200: Function data. + + + 6, 0x0400: Trace messages for +operation functions. + + + 7, 0x1000: Trace messages for +internal control functions. + + + 8, 0x2000: Contents of +function-internal variables that may be interesting. + + + 9, 0x4000: Extremely low-level +tracing information. + + + To log required bitmask debug levels, simply add their numbers together as +shown in following examples: + + + Example: To log fatal failures, critical failures, +serious failures and function data use 0x0270. + + + Example: To log fatal failures, configuration settings, +function data, trace messages for internal control functions use 0x1310. + + + Note: The bitmask format of debug levels was introduced +in 1.7.0. + + + Default: 0 + + diff --git a/src/man/zh_CN/include/experimental.xml b/src/man/zh_CN/include/experimental.xml new file mode 100644 index 0000000..7103a0e --- /dev/null +++ b/src/man/zh_CN/include/experimental.xml @@ -0,0 +1,2 @@ + This is an experimental feature, please use +https://pagure.io/SSSD/sssd/ to report any issues. 
diff --git a/src/man/zh_CN/include/failover.xml b/src/man/zh_CN/include/failover.xml
new file mode 100644
index 0000000..ebb7b21
--- /dev/null
+++ b/src/man/zh_CN/include/failover.xml
@@ -0,0 +1,97 @@ + + FAILOVER + + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + + + Failover Syntax + + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + + + For each failover-enabled config option, two variants exist: +primary and backup. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + + + + The Failover Mechanism + + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + + + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. + + + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. 
+ + + + Failover time outs and tuning + + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + + + This section lists the available tunables. Please refer to their description +in the +sssd.conf5 +, manual page. + + + dns_resolver_op_timeout + + + + How long would SSSD talk to a single DNS server. + + + + + + dns_resolver_timeout + + + + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. + + + + + + + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +ldap_opt_timeout> timeout should be set to a larger value +than dns_resolver_timeout which in turn should be set to a +larger value than dns_resolver_op_timeout. + + + diff --git a/src/man/zh_CN/include/homedir_substring.xml b/src/man/zh_CN/include/homedir_substring.xml new file mode 100644 index 0000000..d7533de --- /dev/null +++ b/src/man/zh_CN/include/homedir_substring.xml 
@@ -0,0 +1,17 @@ + + homedir_substring (string) + + + The value of this option will be used in the expansion of the +override_homedir option if the template contains the +format string %H. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + + + Default: /home + + + diff --git a/src/man/zh_CN/include/ipa_modified_defaults.xml b/src/man/zh_CN/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/zh_CN/include/ipa_modified_defaults.xml @@ -0,0 +1,123 @@ + + MODIFIED DEFAULT OPTIONS + + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + + + KRB5 Provider + + + + krb5_validate = true + + + + + krb5_use_fast = try + + + + + krb5_canonicalize = true + + + + + + LDAP Provider - General + + + + ldap_schema = ipa_v1 + + + + + ldap_force_upper_case_realm = true + + + + + ldap_sasl_mech = GSSAPI + + + + + ldap_sasl_minssf = 56 + + + + + ldap_account_expire_policy = ipa + + + + + ldap_use_tokengroups = true + + + + + + LDAP Provider - User options + + + + ldap_user_member_of = memberOf + + + + + ldap_user_uuid = ipaUniqueID + + + + + ldap_user_ssh_public_key = ipaSshPubKey + + + + + ldap_user_auth_type = ipaUserAuthType + + + + + + LDAP Provider - Group options + + + + ldap_group_object_class = ipaUserGroup + + + + + ldap_group_object_class_alt = posixGroup + + + + + ldap_group_member = member + + + + + ldap_group_uuid = ipaUniqueID + + + + + ldap_group_objectsid = ipaNTSecurityIdentifier + + + + + ldap_group_external_member = ipaExternalMember + + + + + 
diff --git a/src/man/zh_CN/include/ldap_id_mapping.xml b/src/man/zh_CN/include/ldap_id_mapping.xml
new file mode 100644
index 0000000..b9be536
--- /dev/null
+++ b/src/man/zh_CN/include/ldap_id_mapping.xml
@@ -0,0 +1,278 @@ + + ID MAPPING + + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + + + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + + + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use +sss_cache 8 + to remove the database, rather the process consists of: + + + + Making sure the remote servers are reachable + + + + + Stopping the SSSD service + + + + + Removing the database + + + + + Starting the SSSD service + + + + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + + + + Mapping Algorithm + + Active Directory provides an objectSID for every user and group object in +the directory. This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + + + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. 
+ + + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + + + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + + + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See Configuration for details. + + + + + Configuration + + Minimum configuration (in the [domain/DOMAINNAME] section): + + + +ldap_id_mapping = True +ldap_schema = ad + + + + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. This should be sufficient for most deployments. + + + Advanced Configuration + + + ldap_idmap_range_min (integer) + + + Specifies the lower bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from min_id in that +min_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. 
This is a subtle +distinction, but the good general advice would be to have +min_id be less-than or equal to +ldap_idmap_range_min + + + Default: 200000 + + + + + ldap_idmap_range_max (integer) + + + Specifies the upper bound of the range of POSIX IDs to use for mapping +Active Directory user and group SIDs. + + + NOTE: This option is different from max_id in that +max_id acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +max_id be greater-than or equal to +ldap_idmap_range_max + + + Default: 2000200000 + + + + + ldap_idmap_range_size (integer) + + + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. + + + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + + + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +ldap_idmap_range_size must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + + + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + + + Default: 200000 + + + + + ldap_idmap_default_domain_sid (string) + + + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + + + Default: not set + + + + + ldap_idmap_default_domain (string) + + + Specify the name of the default domain. 
+ + + Default: not set + + + + + ldap_idmap_autorid_compat (boolean) + + + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's idmap_autorid algorithm. + + + When this option is configured, domains will be allocated starting with +slice zero and increasing monatomically with each additional domain. + + + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +ldap_idmap_default_domain_sid option to guarantee that at +least one domain is consistently allocated to slice zero. + + + Default: False + + + + + ldap_idmap_helper_table_size (integer) + + + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + + + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + + + Default: 10 + + + + + + + + + Well-Known SIDs + + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + + + The SID name space is organized in authorities which can be seen as +different domains. The authorities for the Well-Known SIDs are + + Null Authority + World Authority + Local Authority + Creator Authority + NT Authority + Built-in + + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. 
+ + + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names NULL AUTHORITY, WORLD AUTHORITY, + LOCAL AUTHORITY, CREATOR AUTHORITY, NT +AUTHORITY and BUILTIN should not be used as domain +names in sssd.conf. + + + + diff --git a/src/man/zh_CN/include/ldap_search_bases.xml b/src/man/zh_CN/include/ldap_search_bases.xml new file mode 100644 index 0000000..189f862 --- /dev/null +++ b/src/man/zh_CN/include/ldap_search_bases.xml @@ -0,0 +1,31 @@ + + + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + + + syntax: +search_base[?scope?[filter][?search_base?scope?[filter]]*] + + + + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + + + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + + + For examples of this syntax, please refer to the +ldap_search_base examples section. + + + Default: the value of ldap_search_base + + + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + + diff --git a/src/man/zh_CN/include/local.xml b/src/man/zh_CN/include/local.xml new file mode 100644 index 0000000..ce849a3 --- /dev/null +++ b/src/man/zh_CN/include/local.xml 
@@ -0,0 +1,17 @@
+
+ THE LOCAL DOMAIN
+
+ In order to function correctly, a domain with
+id_provider=local must be created and the SSSD must be
+running.
+
+
+ The administrator might want to use the SSSD local users instead of
+traditional UNIX users in cases where the group nesting (see
+sss_groupadd 8
+) is needed. The local users are also useful for testing and
+development of the SSSD without having to deploy a full remote server. The
+sss_user* and sss_group* tools use a
+local LDB storage to store users and groups.
+
+
diff --git a/src/man/zh_CN/include/override_homedir.xml b/src/man/zh_CN/include/override_homedir.xml
new file mode 100644
index 0000000..94caee1
--- /dev/null
+++ b/src/man/zh_CN/include/override_homedir.xml
@@ -0,0 +1,63 @@
+
+override_homedir (string)
+
+
+ Override the user's home directory. You can either provide an absolute value
+or a template. In the template, the following sequences are substituted:
+
+
+ %u
+ login name
+
+
+ %U
+ UID number
+
+
+ %d
+ domain name
+
+
+ %f
+ fully qualified user name (user@domain)
+
+
+ %l
+ The first letter of the login name.
+
+
+ %P
+ UPN - User Principal Name (name@REALM)
+
+
+ %o
+
+ The original home directory retrieved from the identity provider.
+
+
+
+ %H
+
+ The value of configure option homedir_substring.
+
+
+
+ %%
+ a literal '%'
+
+
+
+
+
+ This option can also be set per-domain.
+
+
+ example:
+override_homedir = /home/%u
+
+
+
+ Default: Not set (SSSD will use the value retrieved from LDAP)
+
+
+
diff --git a/src/man/zh_CN/include/param_help.xml b/src/man/zh_CN/include/param_help.xml
new file mode 100644
index 0000000..d28020b
--- /dev/null
+++ b/src/man/zh_CN/include/param_help.xml
@@ -0,0 +1,10 @@
+
+
+ ,
+
+
+
+ Display help message and exit.
+
+
+
diff --git a/src/man/zh_CN/include/param_help_py.xml b/src/man/zh_CN/include/param_help_py.xml
new file mode 100644
index 0000000..a2478bf
--- /dev/null
+++ b/src/man/zh_CN/include/param_help_py.xml
@@ -0,0 +1,10 @@ + + + , + + + + Display help message and exit. + + + diff --git a/src/man/zh_CN/include/seealso.xml b/src/man/zh_CN/include/seealso.xml new file mode 100644 index 0000000..2c0d259 --- /dev/null +++ b/src/man/zh_CN/include/seealso.xml @@ -0,0 +1,61 @@ + + 另见 + + sssd8 +, +sssd.conf5 +, +sssd-ldap5 +, +sssd-krb55 +, +sssd-simple5 +, +sssd-ipa5 +, +sssd-ad5 +, +sssd-sudo 5 +, +sssd-secrets 5 +, +sssd-session-recording +5 , +sss_cache8 +, +sss_debuglevel8 +, +sss_groupadd8 +, +sss_groupdel8 +, +sss_groupshow8 +, +sss_groupmod8 +, +sss_useradd8 +, +sss_userdel8 +, +sss_usermod8 +, +sss_obfuscate8 +, +sss_seed8 +, +sssd_krb5_locator_plugin8 +, +sss_ssh_authorizedkeys +8 , +sss_ssh_knownhostsproxy +8 , sssd-ifp +5 , +pam_sss8 +. +sss_rpcidmapd 5 + +sssd-systemtap 5 + + + diff --git a/src/man/zh_CN/include/service_discovery.xml b/src/man/zh_CN/include/service_discovery.xml new file mode 100644 index 0000000..2e417a9 --- /dev/null +++ b/src/man/zh_CN/include/service_discovery.xml 
@@ -0,0 +1,41 @@
+
+ SERVICE DISCOVERY
+
+ The service discovery feature allows back ends to automatically find the
+appropriate servers to connect to using a special DNS query. This feature is
+not supported for backup servers.
+
+
+ Configuration
+
+ If no servers are specified, the back end automatically uses service
+discovery to try to find a server. Optionally, the user may choose to use
+both fixed server addresses and service discovery by inserting a special
+keyword, _srv_, in the list of servers. The order of
+preference is maintained. This feature is useful if, for example, the user
+prefers to use service discovery whenever possible, and fall back to a
+specific server when no servers can be discovered using DNS.
+
+
+
+ The domain name
+
+ Please refer to the dns_discovery_domain parameter in the
+ sssd.conf
+5 manual page for more details.
+
+
+
+ The protocol
+
+ The queries usually specify _tcp as the protocol. Exceptions are documented
+in respective option description.
+
+
+
+ See Also
+
+ For more information on the service discovery mechanism, refer to RFC 2782.
+
+
+
diff --git a/src/man/zh_CN/include/upstream.xml b/src/man/zh_CN/include/upstream.xml
new file mode 100644
index 0000000..ba04020
--- /dev/null
+++ b/src/man/zh_CN/include/upstream.xml
@@ -0,0 +1,3 @@
+
+SSSD The SSSD upstream -
+https://pagure.io/SSSD/sssd/
diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
new file mode 100644
index 0000000..ca5c799
--- /dev/null
+++ b/src/monitor/monitor.c
@@ -0,0 +1,2697 @@
+/*
+ SSSD
+
+ Service monitor
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/child_common.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#ifdef HAVE_SYS_INOTIFY_H
+#include
+#endif
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* Needed for res_init() */
+#include
+#include
+#include
+
+#include "confdb/confdb.h"
+#include "confdb/confdb_setup.h"
+#include "db/sysdb.h"
+#include "monitor/monitor.h"
+#include "sbus/sssd_dbus.h"
+#include "monitor/monitor_interfaces.h"
+#include "responder/common/responder_sbus.h"
+#include "util/inotify.h"
+
+#ifdef USE_KEYRING
+#include
+#endif
+
+#ifdef HAVE_SYSTEMD
+#include
+#endif
+
+/* terminate the child after this interval by default if it
+ * doesn't shutdown on receiving SIGTERM */
+#define MONITOR_DEF_FORCE_TIME 60
+
+/* TODO: get the restart related values from config */
+#define MONITOR_RESTART_CNT_INTERVAL_RESET 30
+/* maximum allowed number of service restarts if the restarts
+ * were less than MONITOR_RESTART_CNT_INTERVAL_RESET apart, which would
+ * indicate a crash after startup or after every request */
+#define MONITOR_MAX_SVC_RESTARTS 2
+/* The services are restarted with a delay in case the restart was
+ * hitting a race condition where the DP is not ready yet either.
+ * The MONITOR_MAX_RESTART_DELAY defines the maximum delay between
+ * restarts.
+ */
+#define MONITOR_MAX_RESTART_DELAY 4
+
+/* name of the monitor server instance */
+#define MONITOR_NAME "sssd"
+
+/* Special value to leave the Kerberos Replay Cache set to use
+ * the libkrb5 defaults
+ */
+#define KRB5_RCACHE_DIR_DISABLE "__LIBKRB5_DEFAULTS__"
+
+/* Warning messages */
+#define CONF_FILE_PERM_ERROR_MSG "Cannot read config file %s. Please check "\
+ "that the file is accessible only by the "\
+ "owner and owned by root.root.\n"
+
+/* SSSD domain name that is used for the auto-configured files domain */
+#define IMPLICIT_FILES_DOMAIN_NAME "implicit_files"
+
+int cmdline_debug_level;
+int cmdline_debug_timestamps;
+int cmdline_debug_microseconds;
+
+struct svc_spy;
+
+struct mt_svc {
+ struct mt_svc *prev;
+ struct mt_svc *next;
+ enum mt_svc_type type;
+
+ struct sbus_connection *conn;
+ struct svc_spy *conn_spy;
+
+ struct mt_ctx *mt_ctx;
+
+ char *provider;
+ char *command;
+ char *name;
+ char *identity;
+ pid_t pid;
+
+ int kill_time;
+
+ bool svc_started;
+ bool socket_activated; /* also used for dbus-activated services */
+
+ int restarts;
+ time_t last_restart;
+ DBusPendingCall *pending;
+
+ int debug_level;
+
+ struct sss_child_ctx *child_ctx;
+};
+
+typedef int (*monitor_reconf_fn)(struct config_file_ctx *file_ctx,
+ const char *filename);
+
+struct config_file_callback {
+ int wd;
+ monitor_reconf_fn fn;
+ char *filename;
+ time_t modified;
+ struct config_file_callback *next;
+ struct config_file_callback *prev;
+};
+
+struct config_file_ctx {
+ struct config_file_inotify_check {
+ struct snotify_ctx *snctx;
+ } inotify_check;
+
+ struct config_file_poll_check {
+ TALLOC_CTX *parent_ctx;
+ struct tevent_timer *timer;
+ struct config_file_callback *callbacks;
+ } poll_check;
+
+ monitor_reconf_fn fn;
+ struct mt_ctx *mt_ctx;
+};
+
+struct mt_ctx {
+ struct tevent_context *ev;
+ struct confdb_ctx *cdb;
+ struct sss_domain_info *domains;
+ char 
**services;
+ int num_services;
+ int started_services;
+ struct mt_svc *svc_list;
+ struct sbus_connection *sbus_srv;
+ struct config_file_ctx *file_ctx;
+ int service_id_timeout;
+ bool check_children;
+ bool services_started;
+ struct netlink_ctx *nlctx;
+ const char *conf_path;
+ struct sss_sigchild_ctx *sigchld_ctx;
+ bool pid_file_created;
+ bool is_daemon;
+ pid_t parent_pid;
+
+ /* For running unprivileged services */
+ uid_t uid;
+ gid_t gid;
+};
+
+static int start_service(struct mt_svc *mt_svc);
+
+static int monitor_service_init(struct sbus_connection *conn, void *data);
+
+static int monitor_service_shutdown(struct sbus_connection *conn, void *data);
+
+static int service_signal_reset_offline(struct mt_svc *svc);
+
+static int get_service_config(struct mt_ctx *ctx, const char *name,
+ struct mt_svc **svc_cfg);
+static int get_provider_config(struct mt_ctx *ctx, const char *name,
+ struct mt_svc **svc_cfg);
+static int add_new_service(struct mt_ctx *ctx,
+ const char *name,
+ int restarts);
+static int add_new_provider(struct mt_ctx *ctx,
+ const char *name,
+ int restarts);
+
+static char *check_service(char *service);
+
+static int mark_service_as_started(struct mt_svc *svc);
+
+static int monitor_cleanup(void);
+
+static void network_status_change_cb(void *cb_data)
+{
+ struct mt_svc *iter;
+ struct mt_ctx *ctx = (struct mt_ctx *) cb_data;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "A networking status change detected "
+ "signaling providers to reset offline status\n");
+ for (iter = ctx->svc_list; iter; iter = iter->next) {
+ /* Don't signal services, only providers */
+ if (iter->provider) {
+ service_signal_reset_offline(iter);
+ }
+ }
+}
+
+/* dbus_get_monitor_version
+ * Return the monitor version over D-BUS */
+static int get_monitor_version(struct sbus_request *dbus_req, void *data)
+{
+ dbus_uint16_t version = MONITOR_VERSION;
+
+ return sbus_request_return_and_finish(dbus_req,
+ DBUS_TYPE_UINT16, &version,
+ DBUS_TYPE_INVALID);
+}
+
+struct 
mon_init_conn {
+ struct mt_ctx *ctx;
+ struct sbus_connection *conn;
+ struct tevent_timer *timeout;
+};
+
+static int add_svc_conn_spy(struct mt_svc *svc);
+
+static int service_not_found(char *svc_name,
+ struct mt_svc **_svc)
+{
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Unable to find peer [%s] in list of services, "
+ "killing connection!\n", svc_name);
+
+ *_svc = NULL;
+ return ENOENT;
+}
+
+#ifdef HAVE_SYSTEMD
+static int socket_activated_service_not_found(struct mon_init_conn *mini,
+ char *svc_name,
+ bool is_provider,
+ struct mt_svc **_svc)
+{
+ struct mt_svc *svc = NULL;
+ int ret;
+
+ if (is_provider) {
+ return service_not_found(svc_name, _svc);
+ }
+
+ /* As the service is a responder and wasn't part of the services' list, it means
+ * the service has been socket/dbus activated and has to be configured and added
+ * to the services' list now */
+
+ *_svc = NULL;
+
+ if (check_service(svc_name) != NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Invalid service %s\n", svc_name);
+ return EINVAL;
+ }
+
+ mini->ctx->services_started = true;
+ mini->ctx->num_services++;
+
+ ret = get_service_config(mini->ctx, svc_name, &svc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Unable to get the configuration for the service: %s\n",
+ svc_name);
+ return ret;
+ }
+ svc->restarts = 0;
+ svc->socket_activated = true;
+
+ DLIST_ADD(mini->ctx->svc_list, svc);
+
+ *_svc = svc;
+ return EOK;
+}
+#endif
+
+static int get_service_in_the_list(struct mon_init_conn *mini,
+ char *svc_name,
+ bool is_provider,
+ struct mt_svc **_svc)
+{
+ struct mt_svc *svc;
+
+ for (svc = mini->ctx->svc_list; svc != NULL; svc = svc->next) {
+ if (strcasecmp(svc->identity, svc_name) == 0) {
+ svc->socket_activated = false;
+ *_svc = svc;
+ return EOK;
+ }
+ }
+
+#ifdef HAVE_SYSTEMD
+ return socket_activated_service_not_found(mini, svc_name, is_provider,
+ _svc);
+#else
+ return service_not_found(svc_name, _svc);
+#endif
+}
+
+static int sbus_connection_destructor(struct sbus_connection *conn)
+{
+ 
return monitor_service_shutdown(conn,
+ sbus_connection_get_destructor_data(conn));
+}
+
+/* registers a new client.
+ * if operation is successful also sends back the Monitor version */
+static int client_registration(struct sbus_request *dbus_req, void *data)
+{
+ dbus_uint16_t version = MONITOR_VERSION;
+ struct mon_init_conn *mini;
+ struct mt_svc *svc = NULL;
+ DBusError dbus_error;
+ dbus_uint16_t svc_ver;
+ dbus_uint16_t svc_type;
+ char *svc_name;
+ dbus_bool_t dbret;
+ int ret;
+
+ mini = talloc_get_type(data, struct mon_init_conn);
+ if (!mini) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Connection holds no valid init data\n");
+ return EINVAL;
+ }
+
+ /* First thing, cancel the timeout */
+ talloc_zfree(mini->timeout);
+
+ dbus_error_init(&dbus_error);
+
+ dbret = dbus_message_get_args(dbus_req->message, &dbus_error,
+ DBUS_TYPE_STRING, &svc_name,
+ DBUS_TYPE_UINT16, &svc_ver,
+ DBUS_TYPE_UINT16, &svc_type,
+ DBUS_TYPE_INVALID);
+ if (!dbret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse message, killing connection\n");
+ if (dbus_error_is_set(&dbus_error)) dbus_error_free(&dbus_error);
+ sbus_disconnect(dbus_req->conn);
+ sbus_request_finish(dbus_req, NULL);
+ /* FIXME: should we just talloc_zfree(conn)? */
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Received ID registration: (%s,%d)\n", svc_name, svc_ver);
+
+ /* search this service in the list */
+ ret = get_service_in_the_list(mini, svc_name, svc_type == MT_SVC_PROVIDER,
+ &svc);
+ if (ret != EOK) {
+ sbus_disconnect(dbus_req->conn);
+ sbus_request_finish(dbus_req, NULL);
+ /* FIXME: should we just talloc_zfree(conn)? */
+
+ goto done;
+ }
+
+ /* Fill in svc structure with connection data */
+ svc->conn = mini->conn;
+
+ /* For {dbus,socket}-activated services we will have to unregister then
+ * when the sbus_connection is freed. 
That's the reason we have to
+ * hook up on its destructor function, do the service unregistration
+ * from there and set the destructor back to NULL just before freeing
+ * the service itself. */
+ if (svc->socket_activated) {
+ talloc_set_destructor(svc->conn, sbus_connection_destructor);
+ }
+
+ ret = mark_service_as_started(svc);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to mark service [%s]!\n", svc_name);
+ goto done;
+ }
+
+ /* reply that all is ok */
+ sbus_request_return_and_finish(dbus_req,
+ DBUS_TYPE_UINT16, &version,
+ DBUS_TYPE_INVALID);
+
+done:
+ /* init complete, get rid of temp init context */
+ talloc_zfree(mini);
+
+ return EOK;
+}
+
+struct svc_spy {
+ struct mt_svc *svc;
+};
+
+static int svc_destructor(void *mem)
+{
+ struct mt_svc *svc = talloc_get_type(mem, struct mt_svc);
+ if (!svc) {
+ /* ?!?!? */
+ return 0;
+ }
+
+ /* try to delist service */
+ if (svc->mt_ctx) {
+ DLIST_REMOVE(svc->mt_ctx->svc_list, svc);
+ }
+
+ /* Cancel any pending calls */
+ if (svc->pending) {
+ dbus_pending_call_cancel(svc->pending);
+ }
+
+ /* svc is being freed, neutralize the spy */
+ if (svc->conn_spy) {
+ talloc_set_destructor((TALLOC_CTX *)svc->conn_spy, NULL);
+ talloc_zfree(svc->conn_spy);
+ }
+
+ if (svc->type == MT_SVC_SERVICE && svc->svc_started
+ && svc->mt_ctx != NULL && svc->mt_ctx->started_services > 0) {
+ svc->mt_ctx->started_services--;
+ }
+
+ return 0;
+}
+
+static int svc_spy_destructor(void *mem)
+{
+ struct svc_spy *spy = talloc_get_type(mem, struct svc_spy);
+ if (!spy) {
+ /* ?!?!? 
*/
+ return 0;
+ }
+
+ /* svc->conn has been freed, NULL the pointer in svc */
+ spy->svc->conn_spy = NULL;
+ spy->svc->conn = NULL;
+ return 0;
+}
+
+static int add_svc_conn_spy(struct mt_svc *svc)
+{
+ struct svc_spy *spy;
+
+ spy = talloc(svc->conn, struct svc_spy);
+ if (!spy) return ENOMEM;
+
+ spy->svc = svc;
+ talloc_set_destructor((TALLOC_CTX *)spy, svc_spy_destructor);
+ svc->conn_spy = spy;
+
+ return EOK;
+}
+
+
+static void svc_child_info(struct mt_svc *svc, int wait_status)
+{
+ if (WIFEXITED(wait_status)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Child [%d] exited with code [%d]\n",
+ svc->pid, WEXITSTATUS(wait_status));
+ } else if (WIFSIGNALED(wait_status)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Child [%d] terminated with signal [%d]\n",
+ svc->pid, WTERMSIG(wait_status));
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Child [%d] did not exit cleanly\n", svc->pid);
+ /* Forcibly kill this child, just in case */
+ kill(svc->pid, SIGKILL);
+
+ /* Let us get caught by another
+ * call to the SIGCHLD handler
+ */
+ }
+}
+
+static int notify_startup(void)
+{
+#ifdef HAVE_SYSTEMD
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Sending startup notification to systemd\n");
+ ret = sd_notify(0, "READY=1");
+ if (ret < 0) {
+ ret = -ret;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error sending notification to systemd %d: %s\n",
+ ret, sss_strerror(ret));
+
+ return ret;
+ }
+#endif
+
+ return EOK;
+}
+
+static int mark_service_as_started(struct mt_svc *svc)
+{
+ struct mt_ctx *ctx = svc->mt_ctx;
+ struct mt_svc *iter;
+ int ret;
+ int i;
+
+ DEBUG(SSSDBG_FUNC_DATA, "Marking %s as started.\n", svc->name);
+ svc->svc_started = true;
+
+ /* We need to attach a spy to the connection structure so that if some code
+ * frees it we can zero it out in the service structure. Otherwise we may
+ * try to access or even free, freed memory. 
*/
+ ret = add_svc_conn_spy(svc);
+ if (ret) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to attach spy\n");
+ goto done;
+ }
+
+ if (!ctx->services_started) {
+
+ /* check if all providers are up */
+ for (iter = ctx->svc_list; iter; iter = iter->next) {
+ if (iter->provider && !iter->svc_started) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Still waiting on %s provider.\n", iter->name);
+ break;
+ }
+ }
+
+ if (iter) {
+ /* there are still unstarted providers */
+ goto done;
+ }
+
+ if (ctx->services != NULL) {
+ ctx->services_started = true;
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Now starting services!\n");
+ /* then start all services */
+ for (i = 0; ctx->services[i]; i++) {
+ add_new_service(ctx, ctx->services[i], 0);
+ }
+ }
+ }
+
+ if (svc->type == MT_SVC_SERVICE) {
+ ctx->started_services++;
+ }
+
+ /* create the pid file if all services are alive */
+ if (!ctx->pid_file_created && ctx->started_services == ctx->num_services) {
+ if (svc->socket_activated) {
+ /* There's no reason for trying to terminate the parent process
+ * when the responder was socket-activated. */
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "All services have successfully started, creating pid file\n");
+ ret = pidfile(PID_PATH, MONITOR_NAME);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Error creating pidfile: %s/%s.pid! (%d [%s])\n",
+ PID_PATH, MONITOR_NAME, ret, strerror(ret));
+ kill(getpid(), SIGTERM);
+ }
+
+ ctx->pid_file_created = true;
+
+ notify_startup();
+
+ /* Initialization is complete, terminate parent process if in daemon
+ * mode. 
Make sure we send the signal to the right process */
+ if (ctx->is_daemon) {
+ if (ctx->parent_pid <= 1 || ctx->parent_pid != getppid()) {
+ /* the parent process was already terminated */
+ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid parent pid: %d\n",
+ ctx->parent_pid);
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "SSSD is initialized, "
+ "terminating parent process\n");
+
+ errno = 0;
+ ret = kill(ctx->parent_pid, SIGTERM);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to terminate parent "
+ "process [%d]: %s\n", ret, strerror(ret));
+ }
+ }
+ }
+
+done:
+ return ret;
+}
+
+static void services_startup_timeout(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
+{
+ struct mt_ctx *ctx = talloc_get_type(ptr, struct mt_ctx);
+ int i;
+
+ if (ctx->services == NULL) {
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Handling timeout\n");
+
+ if (!ctx->services_started) {
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "Providers did not start in time, "
+ "forcing services startup!\n");
+
+ ctx->services_started = true;
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Now starting services!\n");
+ /* then start all services */
+ for (i = 0; ctx->services[i]; i++) {
+ add_new_service(ctx, ctx->services[i], 0);
+ }
+ }
+}
+
+static int add_services_startup_timeout(struct mt_ctx *ctx)
+{
+ struct tevent_timer *to;
+ struct timeval tv;
+
+ /* 5 seconds should be plenty */
+ tv = tevent_timeval_current_ofs(5, 0);
+ to = tevent_add_timer(ctx->ev, ctx, tv, services_startup_timeout, ctx);
+ if (!to) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Out of memory?!\n");
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+struct mon_srv_iface monitor_methods = {
+ { &mon_srv_iface_meta, 0 },
+ .getVersion = get_monitor_version,
+ .RegisterService = client_registration,
+};
+
+/* monitor_dbus_init
+ * Set up the monitor service as a D-BUS Server */
+static int monitor_dbus_init(struct mt_ctx *ctx)
+{
+ char *monitor_address;
+ int ret;
+
+ ret = monitor_get_sbus_address(ctx, 
&monitor_address);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ /* If a service is running as unprivileged user, we need to make sure this
+ * user can access the monitor sbus server. root is still king, so we don't
+ * lose any access.
+ */
+ ret = sbus_new_server(ctx, ctx->ev, monitor_address, ctx->uid, ctx->gid,
+ false, &ctx->sbus_srv, monitor_service_init, ctx, ctx);
+
+ talloc_free(monitor_address);
+
+ return ret;
+}
+
+static void monitor_restart_service(struct mt_svc *svc);
+
+static void reload_reply(DBusPendingCall *pending, void *data)
+{
+ DBusMessage *reply;
+ struct mt_svc *svc = talloc_get_type(data, struct mt_svc);
+
+ reply = dbus_pending_call_steal_reply(pending);
+ if (!reply) {
+ /* reply should never be null. This function shouldn't be called
+ * until reply is valid or timeout has occurred. If reply is NULL
+ * here, something is seriously wrong and we should bail out.
+ */
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "A reply callback was called but no reply was received"
+ " and no timeout occurred\n");
+ /* Destroy this connection */
+ sbus_disconnect(svc->conn);
+ dbus_pending_call_unref(pending);
+ return;
+ }
+
+ /* TODO: Handle cases where the call has timed out or returned
+ * with an error.
+ */
+
+ dbus_pending_call_unref(pending);
+ dbus_message_unref(reply);
+}
+
+static int service_signal_dns_reload(struct mt_svc *svc);
+static int monitor_update_resolv(struct config_file_ctx *file_ctx,
+ const char *filename)
+{
+ int ret;
+ struct mt_svc *cur_svc;
+ struct mt_ctx *mt_ctx;
+
+ mt_ctx = file_ctx->mt_ctx;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Resolv.conf has been updated. 
Reloading.\n");
+
+ ret = res_init();
+ if (ret != 0) {
+ return EIO;
+ }
+
+ /* Signal all services to reload their DNS configuration */
+ for (cur_svc = mt_ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
+ service_signal_dns_reload(cur_svc);
+ }
+ return EOK;
+}
+
+static int service_signal(struct mt_svc *svc, const char *svc_signal)
+{
+ DBusMessage *msg;
+ int ret;
+
+ if (svc->provider && strcasecmp(svc->provider, "local") == 0) {
+ /* The local provider requires no signaling */
+ return EOK;
+ }
+
+ if (!svc->conn) {
+ /* Avoid a race condition where we are trying to
+ * order a service to reload that hasn't started
+ * yet.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not signal service [%s].\n", svc->name);
+ return EIO;
+ }
+
+ msg = dbus_message_new_method_call(NULL,
+ MONITOR_PATH,
+ MON_CLI_IFACE,
+ svc_signal);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Out of memory trying to allocate memory to invoke: %s\n",
+ svc_signal);
+ return ENOMEM;
+ }
+
+ ret = sbus_conn_send(svc->conn, msg,
+ svc->mt_ctx->service_id_timeout,
+ reload_reply, svc, NULL);
+
+ dbus_message_unref(msg);
+ return ret;
+}
+
+static int service_signal_dns_reload(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_RESINIT);
+}
+static int service_signal_offline(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_GOOFFLINE);
+}
+static int service_signal_reset_offline(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_RESETOFFLINE);
+}
+static int service_signal_rotate(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_ROTATELOGS);
+}
+static int service_signal_clear_memcache(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_CLEARMEMCACHE);
+}
+static int service_signal_clear_enum_cache(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_CLEARENUMCACHE);
+}
+static int service_signal_sysbus_reconnect(struct mt_svc *svc)
+{
+ return service_signal(svc, MON_CLI_IFACE_SYSBUSRECONNECT);
+}
+
+static int check_domain_ranges(struct sss_domain_info *domains)
+{
+ struct sss_domain_info *dom = domains, *other = NULL;
+ uint32_t id_min, id_max;
+
+ while (dom) {
+ other = get_next_domain(dom, 0);
+ if (dom->id_max && dom->id_min > dom->id_max) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Domain '%s' does not have a valid ID range\n", dom->name);
+ return EINVAL;
+ }
+
+ while (other) {
+ id_min = MAX(dom->id_min, other->id_min);
+ id_max = MIN((dom->id_max ? dom->id_max : UINT32_MAX),
+ (other->id_max ? other->id_max : UINT32_MAX));
+ if (id_min <= id_max) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Domains '%s' and '%s' overlap in range %u - %u\n",
+ dom->name, other->name, id_min, id_max);
+ }
+ other = get_next_domain(other, 0);
+ }
+ dom = get_next_domain(dom, 0);
+ }
+
+ return EOK;
+}
+
+static int check_local_domain_unique(struct sss_domain_info *domains)
+{
+ uint8_t count = 0;
+
+ struct sss_domain_info *dom = domains;
+
+ while (dom) {
+ if (strcasecmp(dom->provider, "local") == 0) {
+ count++;
+ }
+
+ if (count > 1) {
+ break;
+ }
+
+ dom = get_next_domain(dom, 0);
+ }
+
+ if (count > 1) {
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
+static errno_t add_implicit_services(struct confdb_ctx *cdb, TALLOC_CTX *mem_ctx,
+ char ***_services)
+{
+ int ret;
+ char **domain_names;
+ TALLOC_CTX *tmp_ctx;
+ size_t c;
+ char *conf_path;
+ char *id_provider;
+ bool add_pac = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string_as_list(cdb, tmp_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_DOMAINS,
+ &domain_names);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "No domains configured!\n");
+ goto done;
+ }
+
+ for (c = 0; domain_names[c] != NULL; c++) {
+ conf_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL,
+ domain_names[c]);
+ if (conf_path == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ 
ret = confdb_get_string(cdb, tmp_ctx, conf_path,
+ CONFDB_DOMAIN_ID_PROVIDER, NULL, &id_provider);
+ if (ret == EOK) {
+ if (id_provider == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "id_provider is not set for "
+ "domain [%s], trying next domain.\n", domain_names[c]);
+ continue;
+ }
+
+ if (strcasecmp(id_provider, "IPA") == 0) {
+ add_pac = true;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get id_provider for " \
+ "domain [%s], trying next domain.\n",
+ domain_names[c]);
+ }
+ }
+
+ if (BUILD_WITH_PAC_RESPONDER && add_pac &&
+ !string_in_list("pac", *_services, false)) {
+ ret = add_string_to_list(mem_ctx, "pac", _services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_string_to_list failed.\n");
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static char *check_service(char *service)
+{
+ const char * const *known_services = get_known_services();
+ int i;
+
+ for (i = 0; known_services[i] != NULL; i++) {
+ if (strcasecmp(service, known_services[i]) == 0) {
+ break;
+ }
+ }
+
+ if (known_services[i] == NULL) {
+ return service;
+ }
+
+ return NULL;
+}
+
+static char *check_services(char **services)
+{
+ if (services == NULL) {
+ return NULL;
+ }
+
+ /* Check if services we are about to start are in the list if known */
+ for (int i = 0; services[i]; i++) {
+ if (check_service(services[i]) != NULL) {
+ return services[i];
+ }
+ }
+
+ return NULL;
+}
+
+static int get_service_user(struct mt_ctx *ctx)
+{
+ errno_t ret;
+ char *user_str;
+
+ ret = confdb_get_string(ctx->cdb, ctx, CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_USER_RUNAS,
+ SSSD_USER, &user_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get the user to run as\n");
+ return ret;
+ }
+
+ ret = sss_user_by_name_or_uid(user_str, &ctx->uid, &ctx->gid);
+ talloc_free(user_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int get_monitor_config(struct 
mt_ctx *ctx)
+{
+ int ret;
+ int timeout_seconds;
+ char *badsrv = NULL;
+ int i;
+
+ ret = confdb_get_int(ctx->cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_SBUS_TIMEOUT,
+ 10, &timeout_seconds);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ctx->service_id_timeout = timeout_seconds * 1000; /* service_id_timeout is in ms */
+
+ ret = confdb_get_string_as_list(ctx->cdb, ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_SERVICES,
+ &ctx->services);
+
+#ifdef HAVE_SYSTEMD
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to get the explicitly configured services!\n");
+ return EINVAL;
+ }
+#else
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "No services configured!\n");
+ return EINVAL;
+ }
+#endif
+
+ ret = add_implicit_services(ctx->cdb, ctx, &ctx->services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add implicit configured "
+ "services. Some functionality might "
+ "be missing\n");
+ }
+
+ badsrv = check_services(ctx->services);
+ if (badsrv != NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Invalid service %s\n", badsrv);
+ return EINVAL;
+ }
+
+ ctx->started_services = 0;
+ ctx->num_services = 0;
+
+ if (ctx->services != NULL) {
+ for (i = 0; ctx->services[i] != NULL; i++) {
+ ctx->num_services++;
+ }
+ }
+
+ ret = get_service_user(ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get the unprivileged user\n");
+ return ret;
+ }
+
+ ret = confdb_ensure_files_domain(ctx->cdb, IMPLICIT_FILES_DOMAIN_NAME);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot add the implicit files domain [%d]: %s\n",
+ ret, strerror(ret));
+ /* Not fatal */
+ }
+
+ ret = confdb_expand_app_domains(ctx->cdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to expand application domains\n");
+ /* This must not be fatal so that SSSD keeps running and lets
+ * admin correct the error.
+ */
+ }
+
+ ret = confdb_get_domains(ctx->cdb, &ctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");
+ return ret;
+ }
+
+ ret = check_local_domain_unique(ctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "More than one local domain configured.\n");
+ return ret;
+ }
+
+ /* Check UID/GID overlaps */
+ ret = check_domain_ranges(ctx->domains);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+/* This is a temporary function that returns false if the service
+ * being started was only tested when running as root.
+ */
+static bool svc_supported_as_nonroot(const char *svc_name)
+{
+ if ((strcmp(svc_name, "nss") == 0)
+ || (strcmp(svc_name, "pam") == 0)
+ || (strcmp(svc_name, "autofs") == 0)
+ || (strcmp(svc_name, "pac") == 0)
+ || (strcmp(svc_name, "sudo") == 0)
+ || (strcmp(svc_name, "ssh") == 0)) {
+ return true;
+ }
+ return false;
+}
+
+static int get_service_config(struct mt_ctx *ctx, const char *name,
+ struct mt_svc **svc_cfg)
+{
+ int ret;
+ char *path;
+ struct mt_svc *svc;
+ time_t now = time(NULL);
+ uid_t uid = 0;
+ gid_t gid = 0;
+
+ *svc_cfg = NULL;
+
+ svc = talloc_zero(ctx, struct mt_svc);
+ if (!svc) {
+ return ENOMEM;
+ }
+ svc->mt_ctx = ctx;
+ svc->type = MT_SVC_SERVICE;
+
+ talloc_set_destructor((TALLOC_CTX *)svc, svc_destructor);
+
+ svc->name = talloc_strdup(svc, name);
+ if (!svc->name) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ svc->identity = talloc_strdup(svc, name);
+ if (!svc->identity) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ path = talloc_asprintf(svc, CONFDB_SERVICE_PATH_TMPL, svc->name);
+ if (!path) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(ctx->cdb, svc, path,
+ CONFDB_SERVICE_COMMAND,
+ NULL, &svc->command);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Failed to start service '%s'\n", svc->name);
+ talloc_free(svc);
+ return ret;
+ }
+
+ if (svc_supported_as_nonroot(svc->name)) {
+ uid = ctx->uid;
+ gid = ctx->gid;
+ }
+
+ if 
(!svc->command) {
+ svc->command = talloc_asprintf(
+ svc, "%s/sssd_%s", SSSD_LIBEXEC_PATH, svc->name
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ svc->command = talloc_asprintf_append(svc->command,
+ " --uid %"SPRIuid" --gid %"SPRIgid,
+ uid, gid);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ if (cmdline_debug_level != SSSDBG_UNRESOLVED) {
+ svc->command = talloc_asprintf_append(
+ svc->command, " -d %#.4x", cmdline_debug_level
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ if (cmdline_debug_timestamps != SSSDBG_TIMESTAMP_UNRESOLVED) {
+ svc->command = talloc_asprintf_append(
+ svc->command, " --debug-timestamps=%d", cmdline_debug_timestamps
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ if (cmdline_debug_microseconds != SSSDBG_MICROSECONDS_UNRESOLVED) {
+ svc->command = talloc_asprintf_append(
+ svc->command, " --debug-microseconds=%d",
+ cmdline_debug_microseconds
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ svc->command = talloc_asprintf_append(
+ svc->command, " --logger=%s", sss_logger_str[sss_logger]);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ svc->last_restart = now;
+
+ *svc_cfg = svc;
+ talloc_free(path);
+
+ return EOK;
+}
+
+static int add_new_service(struct mt_ctx *ctx,
+ const char *name,
+ int restarts)
+{
+ int ret;
+ struct mt_svc *svc;
+
+ ret = get_service_config(ctx, name, &svc);
+ if (ret != EOK) {
+ return ret;
+ }
+ svc->restarts = restarts;
+
+ ret = start_service(svc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Failed to start service '%s'\n", svc->name);
+ talloc_free(svc);
+ }
+
+ return ret;
+}
+
+static int get_provider_config(struct mt_ctx *ctx, const char *name,
+ struct mt_svc **svc_cfg)
+{
+ int ret;
+ char *path;
+ struct mt_svc *svc;
+ time_t now = time(NULL);
+
+ *svc_cfg = NULL;
+
+ svc = talloc_zero(ctx, struct mt_svc);
+ if (!svc) {
+ return ENOMEM;
+ }
+ svc->mt_ctx = ctx;
+ svc->type = MT_SVC_PROVIDER;
+
+ talloc_set_destructor((TALLOC_CTX *)svc, svc_destructor);
+
+ svc->name = talloc_strdup(svc, name);
+ if (!svc->name) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ svc->identity = talloc_asprintf(svc, "%%BE_%s", svc->name);
+ if (!svc->identity) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ path = talloc_asprintf(svc, CONFDB_DOMAIN_PATH_TMPL, name);
+ if (!path) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(ctx->cdb, svc, path,
+ CONFDB_DOMAIN_ID_PROVIDER,
+ NULL, &svc->provider);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to find ID provider from [%s] configuration\n", name);
+ talloc_free(svc);
+ return ret;
+ }
+
+ ret = confdb_get_string(ctx->cdb, svc, path,
+ CONFDB_DOMAIN_COMMAND,
+ NULL, &svc->command);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to find command from [%s] configuration\n", name);
+ talloc_free(svc);
+ return ret;
+ }
+
+ talloc_free(path);
+
+ /* if no provider is present do not run the domain */
+ if (!svc->provider) {
+ talloc_free(svc);
+ return EIO;
+ }
+
+ /* if there are no custom commands, build a default one */
+ if (!svc->command) {
+ svc->command = talloc_asprintf(
+ svc, "%s/sssd_be --domain %s", SSSD_LIBEXEC_PATH, svc->name
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ svc->command = talloc_asprintf_append(svc->command,
+ " --uid %"SPRIuid" --gid %"SPRIgid,
+ ctx->uid, ctx->gid);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+
+ if (cmdline_debug_level != SSSDBG_UNRESOLVED) {
+ svc->command = talloc_asprintf_append(
+ svc->command, " -d %#.4x", cmdline_debug_level
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ if (cmdline_debug_timestamps != SSSDBG_TIMESTAMP_UNRESOLVED) {
+ svc->command = talloc_asprintf_append(
+ svc->command, " --debug-timestamps=%d", cmdline_debug_timestamps
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return
ENOMEM;
+ }
+ }
+
+ if (cmdline_debug_microseconds != SSSDBG_MICROSECONDS_UNRESOLVED) {
+ svc->command = talloc_asprintf_append(
+ svc->command, " --debug-microseconds=%d",
+ cmdline_debug_microseconds
+ );
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ svc->command = talloc_asprintf_append(
+ svc->command, " --logger=%s", sss_logger_str[sss_logger]);
+ if (!svc->command) {
+ talloc_free(svc);
+ return ENOMEM;
+ }
+ }
+
+ svc->last_restart = now;
+
+ *svc_cfg = svc;
+ return EOK;
+}
+
+static int add_new_provider(struct mt_ctx *ctx,
+ const char *name,
+ int restarts)
+{
+ int ret;
+ struct mt_svc *svc;
+
+ ret = get_provider_config(ctx, name, &svc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not get provider configuration for [%s]\n",
+ name);
+ return ret;
+ }
+ svc->restarts = restarts;
+
+ if (strcasecmp(svc->provider, "local") == 0) {
+ /* The LOCAL provider requires no back-end currently
+ * We'll add it to the service list, but we don't need
+ * to poll it.
+ */
+ svc->svc_started = true;
+ DLIST_ADD(ctx->svc_list, svc);
+ return ENOENT;
+ }
+
+ ret = start_service(svc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Failed to start service '%s'\n", svc->name);
+ talloc_free(svc);
+ }
+
+ return ret;
+}
+
+static void monitor_hup(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ struct mt_ctx *ctx = talloc_get_type(private_data, struct mt_ctx);
+ struct mt_svc *cur_svc;
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received SIGHUP.\n");
+
+ /* Send D-Bus message to other services to rotate their logs.
+ * NSS service receives also message to clear memory caches.
*/
+ for(cur_svc = ctx->svc_list; cur_svc; cur_svc = cur_svc->next) {
+ service_signal_rotate(cur_svc);
+ if (!strcmp(NSS_SBUS_SERVICE_NAME, cur_svc->name)) {
+ service_signal_clear_memcache(cur_svc);
+ service_signal_clear_enum_cache(cur_svc);
+ }
+
+ if (!strcmp(SSS_AUTOFS_SBUS_SERVICE_NAME, cur_svc->name)) {
+ service_signal_clear_enum_cache(cur_svc);
+ }
+
+ }
+
+}
+
+static int monitor_cleanup(void)
+{
+ int ret;
+
+ errno = 0;
+ ret = unlink(SSSD_PIDFILE);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Error removing pidfile! (%d [%s])\n", ret, strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static void monitor_quit(struct mt_ctx *mt_ctx, int ret)
+{
+ struct mt_svc *svc;
+ pid_t pid;
+ int status;
+ errno_t error;
+ int kret;
+ bool killed;
+
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Returned with: %d\n", ret);
+
+ /* Kill all of our known children manually */
+ DLIST_FOR_EACH(svc, mt_ctx->svc_list) {
+ if (svc->socket_activated && svc->conn != NULL) {
+ /* Unset the sbus_connection destructor used to
+ * unregister the service from the monitor as
+ * it may lead to a double-free here.
*/
+ talloc_set_destructor(svc->conn, NULL);
+ }
+
+ if (svc->pid == 0) {
+ /* The local provider has no PID */
+ continue;
+ }
+
+ killed = false;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Terminating [%s][%d]\n", svc->name, svc->pid);
+ do {
+ errno = 0;
+ kret = kill(-svc->pid, SIGTERM);
+ if (kret < 0) {
+ error = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't kill [%s][%d]: [%s]\n",
+ svc->name, svc->pid, strerror(error));
+ }
+
+ error = 0;
+ do {
+ errno = 0;
+ pid = waitpid(svc->pid, &status, WNOHANG);
+ if (pid == -1) {
+ /* An error occurred while waiting */
+ error = errno;
+ if (error == ECHILD) {
+ killed = true;
+ } else if (error != EINTR) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "[%d][%s] while waiting for [%s]\n",
+ error, strerror(error), svc->name);
+ /* Forcibly kill this child */
+ kill(-svc->pid, SIGKILL);
+ break;
+ }
+ } else if (pid != 0) {
+ error = 0;
+ if (WIFEXITED(status)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Child [%s] exited gracefully\n", svc->name);
+ } else if (WIFSIGNALED(status)) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Child [%s] terminated with a signal\n", svc->name);
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Child [%s] did not exit cleanly\n", svc->name);
+ /* Forcibly kill this child */
+ kill(-svc->pid, SIGKILL);
+ }
+ killed = true;
+ }
+ } while (error == EINTR);
+ if (!killed) {
+ /* Sleep 10ms and try again */
+ usleep(10000);
+ }
+ } while (!killed);
+ }
+
+#if HAVE_GETPGRP
+ /* Kill any remaining children in our process group, just in case
+ * we have any leftover children we don't expect. For example, if
+ * a krb5_child or ldap_child is running at the same moment.
+ */
+ error = 0;
+ if (getpgrp() == getpid()) {
+ kill(-getpgrp(), SIGTERM);
+ do {
+ errno = 0;
+ pid = waitpid(0, &status, 0);
+ if (pid == -1) {
+ error = errno;
+ }
+ } while (error == EINTR || pid > 0);
+ }
+#endif
+
+ monitor_cleanup();
+
+ exit(ret);
+}
+
+static void monitor_quit_signal(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ struct mt_ctx *mt_ctx = talloc_get_type(private_data, struct mt_ctx);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Received shutdown command\n");
+
+ DEBUG(SSSDBG_IMPORTANT_INFO, "Monitor received %s: terminating "
+ "children\n", strsignal(signum));
+
+ monitor_quit(mt_ctx, 0);
+}
+
+static void signal_res_init(struct mt_ctx *monitor)
+{
+ struct mt_svc *cur_svc;
+ int ret;
+ DEBUG(SSSDBG_OP_FAILURE, "Reloading Resolv.conf.\n");
+
+ ret = res_init();
+ if (ret == 0) {
+ for(cur_svc = monitor->svc_list; cur_svc; cur_svc = cur_svc->next) {
+ service_signal_dns_reload(cur_svc);
+ }
+ }
+}
+
+static void signal_offline(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ struct mt_ctx *monitor;
+ struct mt_svc *cur_svc;
+
+ monitor = talloc_get_type(private_data, struct mt_ctx);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Signaling providers to go offline immediately.\n");
+
+ /* Signal all providers to immediately go offline */
+ for(cur_svc = monitor->svc_list; cur_svc; cur_svc = cur_svc->next) {
+ /* Don't signal services, only providers */
+ if (cur_svc->provider) {
+ service_signal_offline(cur_svc);
+ }
+ }
+}
+
+static void signal_offline_reset(struct tevent_context *ev,
+ struct tevent_signal *se,
+ int signum,
+ int count,
+ void *siginfo,
+ void *private_data)
+{
+ struct mt_ctx *monitor;
+ struct mt_svc *cur_svc;
+
+ monitor = talloc_get_type(private_data, struct mt_ctx);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Signaling providers to reset offline immediately.\n");
+
+ for(cur_svc =
monitor->svc_list; cur_svc; cur_svc = cur_svc->next) {
+ if (cur_svc->provider) {
+ service_signal_reset_offline(cur_svc);
+ }
+
+ if (strcmp(SSS_IFP_SBUS_SERVICE_NAME, cur_svc->name) == 0) {
+ service_signal_sysbus_reconnect(cur_svc);
+ }
+ }
+ signal_res_init(monitor);
+}
+
+static int monitor_ctx_destructor(void *mem)
+{
+ struct mt_ctx *mon = talloc_get_type(mem, struct mt_ctx);
+ struct mt_svc *svc;
+
+ /* zero out references in SVCs so that they don't try
+ * to access the monitor context on process shutdown */
+
+ for (svc = mon->svc_list; svc; svc = svc->next) {
+ svc->mt_ctx = NULL;
+ }
+ return 0;
+}
+
+/*
+ * This function should not be static otherwise gcc does some special kind of
+ * optimisations which should not happen according to code: chown (unlink)
+ * failed (return -1) but errno was zero.
+ * As a result of this * warning is printed ‘monitor’ may be used
+ * uninitialized in this function. Instead of checking errno for 0
+ * it's better to disable optimisation (in-lining) of this function.
+ */
+errno_t load_configuration(TALLOC_CTX *mem_ctx,
+ const char *config_file,
+ const char *config_dir,
+ struct mt_ctx **monitor)
+{
+ errno_t ret;
+ struct mt_ctx *ctx;
+ char *cdb_file = NULL;
+
+ ctx = talloc_zero(mem_ctx, struct mt_ctx);
+ if(!ctx) {
+ return ENOMEM;
+ }
+
+ ctx->pid_file_created = false;
+ talloc_set_destructor((TALLOC_CTX *)ctx, monitor_ctx_destructor);
+
+ cdb_file = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+ if (cdb_file == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Out of memory, aborting!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = confdb_setup(ctx, cdb_file, config_file, config_dir, &ctx->cdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup ConfDB [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* Validate the configuration in the database */
+ /* Read in the monitor's configuration */
+ ret = get_monitor_config(ctx);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Allow configuration database to be accessible
+ * when SSSD runs as nonroot */
+ ret = chown(cdb_file, ctx->uid, ctx->gid);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "chown failed for [%s]: [%d][%s].\n",
+ cdb_file, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ *monitor = ctx;
+
+ ret = EOK;
+
+done:
+ talloc_free(cdb_file);
+ if (ret != EOK) {
+ talloc_free(ctx);
+ }
+ return ret;
+}
+
+static void poll_config_file(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr);
+static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx,
+ struct config_file_ctx *file_ctx,
+ const char *file);
+
+static errno_t create_poll_timer(struct config_file_ctx *file_ctx)
+{
+ struct timeval tv;
+
+ gettimeofday(&tv, NULL);
+ tv.tv_sec += CONFIG_FILE_POLL_INTERVAL;
+ tv.tv_usec = 0;
+
+ file_ctx->poll_check.timer = tevent_add_timer(file_ctx->mt_ctx->ev,
+ file_ctx->poll_check.parent_ctx,
+ tv,
+ poll_config_file,
+ file_ctx);
+ if (!file_ctx->poll_check.timer) {
+ talloc_free(file_ctx);
+
return EIO;
+ }
+
+ return EOK;
+}
+
+static void poll_config_file(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
+{
+ int ret, err;
+ struct stat file_stat;
+ struct config_file_ctx *file_ctx;
+ struct config_file_callback *cb;
+
+ file_ctx = talloc_get_type(ptr, struct config_file_ctx);
+
+ for (cb = file_ctx->poll_check.callbacks; cb; cb = cb->next) {
+ ret = stat(cb->filename, &file_stat);
+ if (ret < 0) {
+ err = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not stat file [%s]. Error [%d:%s]\n",
+ cb->filename, err, strerror(err));
+ return;
+ }
+
+ if (file_stat.st_mtime != cb->modified) {
+ /* Parse the configuration file and signal the children */
+ /* Note: this will fire if the modification time changes into the past
+ * as well as the future.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "Config file changed\n");
+ cb->modified = file_stat.st_mtime;
+
+ /* Tell the monitor to signal the children */
+ cb->fn(file_ctx, cb->filename);
+ }
+ }
+
+ ret = create_poll_timer(file_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Error: Config file no longer monitored for changes!\n");
+ }
+}
+
+static int resolv_conf_inotify_cb(const char *filename,
+ uint32_t flags,
+ void *pvt)
+{
+ struct config_file_ctx *file_ctx;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Received inotify notification for %s\n", filename);
+
+ file_ctx = talloc_get_type(pvt, struct config_file_ctx);
+ if (file_ctx == NULL) {
+ return EINVAL;
+ }
+
+ return file_ctx->fn(file_ctx, filename);
+}
+
+static int try_inotify(struct config_file_ctx *file_ctx,
+ const char *filename)
+{
+#ifdef HAVE_INOTIFY
+ struct snotify_ctx *snctx;
+ /* We will queue the file for update in one second.
+ * This way, if there is a script writing to the file
+ * repeatedly, we won't be attempting to update multiple
+ * times.
+ */
+ struct timeval delay = { .tv_sec = 1, .tv_usec = 0 };
+
+ snctx = snotify_create(file_ctx, file_ctx->mt_ctx->ev, SNOTIFY_WATCH_DIR,
+ filename, &delay,
+ IN_DELETE_SELF | IN_CLOSE_WRITE | IN_MOVE_SELF | \
+ IN_CREATE | IN_MOVED_TO | IN_IGNORED,
+ resolv_conf_inotify_cb, file_ctx);
+ if (snctx == NULL) {
+ return EIO;
+ }
+
+ return EOK;
+#else
+ return EINVAL;
+#endif /* HAVE_INOTIFY */
+}
+
+static int monitor_config_file(TALLOC_CTX *mem_ctx,
+ struct mt_ctx *ctx,
+ monitor_reconf_fn fn,
+ const char *file)
+{
+ int ret;
+ bool use_inotify;
+
+ if (!ctx->file_ctx) {
+ ctx->file_ctx = talloc_zero(mem_ctx, struct config_file_ctx);
+ if (!ctx->file_ctx) return ENOMEM;
+
+ ctx->file_ctx->mt_ctx = ctx;
+ ctx->file_ctx->fn = fn;
+ }
+
+ ret = confdb_get_bool(ctx->cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_TRY_INOTIFY,
+ true, &use_inotify);
+ if (ret != EOK) {
+ talloc_free(ctx->file_ctx);
+ return ret;
+ }
+
+ if (use_inotify) {
+ ret = try_inotify(ctx->file_ctx, file);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Falling back to polling\n");
+ use_inotify = false;
+ }
+ }
+
+ if (use_inotify == false) {
+ ret = monitor_config_file_fallback(mem_ctx, ctx->file_ctx, file);
+ }
+
+ return ret;
+}
+
+static errno_t monitor_config_file_fallback(TALLOC_CTX *parent_ctx,
+ struct config_file_ctx *file_ctx,
+ const char *file)
+{
+ struct config_file_callback *cb = NULL;
+ struct stat file_stat;
+ int ret, err;
+
+ ret = stat(file, &file_stat);
+ if (ret < 0) {
+ err = errno;
+ if (err == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "file [%s] is missing. Will not update online status "
+ "based on watching the file\n", file);
+ return EOK;
+
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not stat file [%s].
Error [%d:%s]\n",
+ file, err, strerror(err));
+
+ return err;
+ }
+ }
+
+ file_ctx->poll_check.parent_ctx = parent_ctx;
+
+ cb = talloc_zero(file_ctx, struct config_file_callback);
+ if (!cb) {
+ talloc_free(file_ctx);
+ return ENOMEM;
+ }
+ cb->filename = talloc_strdup(cb, file);
+ if (!cb->filename) {
+ talloc_free(file_ctx);
+ return ENOMEM;
+ }
+ cb->fn = file_ctx->fn;
+ cb->modified = file_stat.st_mtime;
+
+ DLIST_ADD(file_ctx->poll_check.callbacks, cb);
+
+ if(!file_ctx->poll_check.timer) {
+ ret = create_poll_timer(file_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot create poll timer\n");
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
+#define MISSING_RESOLV_CONF_POLL_TIME 10
+
+static void missing_resolv_conf(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval tv, void *data)
+{
+ int ret;
+ struct mt_ctx *ctx = talloc_get_type(data, struct mt_ctx);
+
+ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH);
+ if (ret == EOK) {
+ signal_res_init(ctx);
+ } else if (ret == ENOENT) {
+ tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0);
+ te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx);
+ if (te == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "tevent_add_timer failed. resolv.conf will be ignored.\n");
+ }
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Monitor_config_file failed.
resolv.conf will be ignored.\n");
+ }
+}
+
+static int monitor_process_init(struct mt_ctx *ctx,
+ const char *config_file)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct tevent_signal *tes;
+ struct timeval tv;
+ struct tevent_timer *te;
+ struct sss_domain_info *dom;
+ char *rcachedir;
+ int num_providers;
+ int ret;
+ int error;
+ bool disable_netlink;
+ struct sysdb_upgrade_ctx db_up_ctx;
+
+ /* Set up the environment variable for the Kerberos Replay Cache */
+ ret = confdb_get_string(ctx->cdb, ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_KRB5_RCACHEDIR,
+ KRB5_RCACHE_DIR,
+ &rcachedir);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (strcmp(rcachedir, KRB5_RCACHE_DIR_DISABLE) != 0)
+ {
+ errno = 0;
+ ret = setenv("KRB5RCACHEDIR", rcachedir, 1);
+ if (ret < 0) {
+ error = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to set KRB5RCACHEDIR: %s."
+ "Will attempt to use libkrb5 defaults\n",
+ strerror(error));
+ }
+ talloc_zfree(rcachedir);
+ }
+
+ /* Set up an event handler for a SIGHUP */
+ tes = tevent_add_signal(ctx->ev, ctx, SIGHUP, 0,
+ monitor_hup, ctx);
+ if (tes == NULL) {
+ return EIO;
+ }
+
+ /* Set up an event handler for a SIGINT */
+ BlockSignals(false, SIGINT);
+ tes = tevent_add_signal(ctx->ev, ctx, SIGINT, 0,
+ monitor_quit_signal, ctx);
+ if (tes == NULL) {
+ return EIO;
+ }
+
+ /* Set up an event handler for a SIGTERM */
+ tes = tevent_add_signal(ctx->ev, ctx, SIGTERM, 0,
+ monitor_quit_signal, ctx);
+ if (tes == NULL) {
+ return EIO;
+ }
+
+ /* Handle SIGUSR1 (tell all providers to go offline) */
+ BlockSignals(false, SIGUSR1);
+ tes = tevent_add_signal(ctx->ev, ctx, SIGUSR1, 0,
+ signal_offline, ctx);
+ if (tes == NULL) {
+ return EIO;
+ }
+
+ /* Handle SIGUSR2 (tell all providers to go reset offline) */
+ BlockSignals(false, SIGUSR2);
+ tes = tevent_add_signal(ctx->ev, ctx, SIGUSR2, 0,
+ signal_offline_reset, ctx);
+ if (tes == NULL) {
+ return EIO;
+ }
+
+ /* Set up the SIGCHLD handler */
+ ret = sss_sigchld_init(ctx, ctx->ev, &ctx->sigchld_ctx);
+ if
(ret != EOK) return ret;
+
+ /* Watch for changes to the DNS resolv.conf */
+ ret = monitor_config_file(ctx, ctx, monitor_update_resolv, RESOLV_CONF_PATH);
+ if (ret == ENOENT) {
+ tv = tevent_timeval_current_ofs(MISSING_RESOLV_CONF_POLL_TIME, 0);
+ te = tevent_add_timer(ctx->ev, ctx, tv, missing_resolv_conf, ctx);
+ if (te == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "resolv.conf will be ignored\n");
+ }
+ } else if (ret != EOK) {
+ return ret;
+ }
+
+ /* Avoid a startup race condition between process.
+ * We need to handle DB upgrades or DB creation only
+ * in one process before all other start.
+ */
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ db_up_ctx.cdb = ctx->cdb;
+ ret = sysdb_init_ext(tmp_ctx, ctx->domains, &db_up_ctx,
+ true, ctx->uid, ctx->gid);
+ if (ret != EOK) {
+ SYSDB_VERSION_ERROR_DAEMON(ret);
+ return ret;
+ }
+ talloc_zfree(tmp_ctx);
+
+ /* Initialize D-BUS Server
+ * The monitor will act as a D-BUS server for all
+ * SSSD processes */
+ ret = monitor_dbus_init(ctx);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = confdb_get_bool(ctx->cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DISABLE_NETLINK,
+ false, &disable_netlink);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to read disable_netlink from confdb: [%d] %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (disable_netlink == false) {
+ ret = setup_netlink(ctx, ctx->ev, network_status_change_cb,
+ ctx, &ctx->nlctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot set up listening for network notifications\n");
+ return ret;
+ }
+ }
+
+ /* start providers */
+ num_providers = 0;
+ for (dom = ctx->domains; dom; dom = get_next_domain(dom, 0)) {
+ ret = add_new_provider(ctx, dom->name, 0);
+ if (ret != EOK && ret != ENOENT) {
+ return ret;
+ }
+ if (ret != ENOENT) {
+ num_providers++;
+ }
+ }
+
+ if (num_providers > 0) {
+ /* now set the services startup timeout *
+ * (responders will be started automatically when all
+ * providers are
up and running or when the timeout
+ * expires) */
+ ret = add_services_startup_timeout(ctx);
+ if (ret != EOK) {
+ return ret;
+ }
+ } else if (ctx->services != NULL) {
+ int i;
+
+ ctx->services_started = true;
+
+ /* No providers start services immediately
+ * Normally this means only LOCAL is configured */
+ for (i = 0; ctx->services[i]; i++) {
+ add_new_service(ctx, ctx->services[i], 0);
+ }
+ }
+
+ /* When the only provider set up is the local one (num_providers == 0) and
+ * there's no responder explicitly set up it means that we should notify
+ * systemd that SSSD is ready right now as any other provider/responder
+ * would be able to do so and the SSSD would end up hitting a systemd
+ * timeout! */
+ if (num_providers == 0 && ctx->services == NULL) {
+ ret = notify_startup();
+ }
+
+ return EOK;
+}
+
+static void init_timeout(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
+{
+ struct mon_init_conn *mini;
+
+ DEBUG(SSSDBG_OP_FAILURE, "Client timed out before Identification!\n");
+
+ mini = talloc_get_type(ptr, struct mon_init_conn);
+
+ sbus_disconnect(mini->conn);
+ talloc_zfree(mini);
+}
+
+/*
+ * monitor_service_init
+ * Set up a timeout function and temporary connection structure.
+ * If the client does not identify before the timeout kicks in,
+ * the client is forcibly disconnected.
+ */
+static int monitor_service_init(struct sbus_connection *conn, void *data)
+{
+ struct mt_ctx *ctx;
+ struct mon_init_conn *mini;
+ struct timeval tv;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Initializing D-BUS Service\n");
+
+ ctx = talloc_get_type(data, struct mt_ctx);
+
+ mini = talloc(conn, struct mon_init_conn);
+ if (!mini) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Out of memory?!\n");
+ talloc_zfree(conn);
+ return ENOMEM;
+ }
+ mini->ctx = ctx;
+ mini->conn = conn;
+
+ /* Allow access from the SSSD user */
+ sbus_allow_uid(conn, &ctx->uid);
+
+ /* 10 seconds should be plenty */
+ tv = tevent_timeval_current_ofs(10, 0);
+
+ mini->timeout = tevent_add_timer(ctx->ev, mini, tv, init_timeout, mini);
+ if (!mini->timeout) {
+ DEBUG(SSSDBG_FATAL_FAILURE,"Out of memory?!\n");
+ talloc_zfree(conn);
+ return ENOMEM;
+ }
+
+ return sbus_conn_register_iface(conn, &monitor_methods.vtable,
+ MON_SRV_PATH, mini);
+}
+
+/*
+ * monitor_service_shutdown
+ * Unregister the client when it's connection is finished.
+ * Shuts down, from the monitor point of view, the service that just finished.
+ */
+static int monitor_service_shutdown(struct sbus_connection *conn, void *data)
+{
+ struct mt_ctx *ctx;
+ struct mt_svc *svc;
+
+ ctx = talloc_get_type(data, struct mt_ctx);
+
+ for (svc = ctx->svc_list; svc != NULL; svc = svc->next) {
+ if (svc->conn == conn) {
+ break;
+ }
+ }
+
+ if (svc != NULL) {
+ /* We must decrease the number of services when shutting down
+ * a {socket,dbus}-activated service.
*/
+ ctx->num_services--;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Unregistering service %s (%p)\n", svc->identity, svc);
+
+ /* Before freeing the service, let's unset the sbus_connection
+ * destructor that triggered this call, otherwise we may end up
+ * with a double-free due to a cycling call */
+ talloc_set_destructor(svc->conn, NULL);
+
+ talloc_zfree(svc);
+ }
+
+ return 0;
+}
+
+static void service_startup_handler(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr);
+
+static int start_service(struct mt_svc *svc)
+{
+ struct tevent_timer *te;
+ struct timeval tv;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,"Queueing service %s for startup\n", svc->name);
+
+ tv = tevent_timeval_current();
+
+ /* Add a timed event to start up the service.
+ * We have to do this in order to avoid a race
+ * condition where the service being started forks
+ * and attempts to connect to the SBUS before
+ * the monitor is serving it.
+ */
+ te = tevent_add_timer(svc->mt_ctx->ev, svc, tv,
+ service_startup_handler, svc);
+ if (te == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Unable to queue service %s for startup\n", svc->name);
+ return ENOMEM;
+ }
+ return EOK;
+}
+
+static void mt_svc_exit_handler(int pid, int wait_status, void *pvt);
+static void service_startup_handler(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
+{
+ errno_t ret;
+ struct mt_svc *mt_svc;
+ char **args;
+
+ mt_svc = talloc_get_type(ptr, struct mt_svc);
+ if (mt_svc == NULL) {
+ return;
+ }
+
+ mt_svc->pid = fork();
+ if (mt_svc->pid != 0) {
+ if (mt_svc->pid == -1) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not fork child to start service [%s].
"
+ "Continuing.\n", mt_svc->name);
+ return;
+ }
+
+ /* Parent */
+ mt_svc->mt_ctx->check_children = true;
+
+ /* Handle process exit */
+ ret = sss_child_register(mt_svc,
+ mt_svc->mt_ctx->sigchld_ctx,
+ mt_svc->pid,
+ mt_svc_exit_handler,
+ mt_svc,
+ &mt_svc->child_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not register sigchld handler.\n");
+ /* Should we exit here? For now, we'll hope this
+ * child never dies, because we can't restart it.
+ */
+ }
+
+ DLIST_ADD(mt_svc->mt_ctx->svc_list, mt_svc);
+
+ return;
+ }
+
+ /* child */
+
+ args = parse_args(mt_svc->command);
+ execvp(args[0], args);
+
+ /* If we are here, exec() has failed
+ * Print errno and abort quickly */
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not exec %s, reason: %s\n", mt_svc->command, strerror(errno));
+
+ /* We have to call _exit() instead of exit() here
+ * because a bug in D-BUS will cause the server to
+ * close its socket at exit() */
+ _exit(1);
+}
+
+static void mt_svc_restart(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
+{
+ struct mt_svc *svc;
+
+ svc = talloc_get_type(ptr, struct mt_svc);
+ if (svc == NULL) {
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Scheduling service %s for restart %d\n",
+ svc->name, svc->restarts+1);
+
+ if (svc->type == MT_SVC_SERVICE) {
+ add_new_service(svc->mt_ctx, svc->name, svc->restarts + 1);
+ } else if (svc->type == MT_SVC_PROVIDER) {
+ add_new_provider(svc->mt_ctx, svc->name, svc->restarts + 1);
+ } else {
+ /* Invalid type?
*/
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "BUG: Invalid child process type [%d]\n", svc->type);
+ }
+
+ /* Free the old service (which will also remove it
+ * from the child list)
+ */
+ talloc_free(svc);
+}
+
+static void mt_svc_exit_handler(int pid, int wait_status, void *pvt)
+{
+ struct mt_svc *svc = talloc_get_type(pvt, struct mt_svc);
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "SIGCHLD handler of service %s called\n", svc->name);
+ svc_child_info(svc, wait_status);
+
+ /* Check the number of restart tries and relaunch the service */
+ monitor_restart_service(svc);
+
+ return;
+}
+
+static void monitor_restart_service(struct mt_svc *svc)
+{
+ struct mt_ctx *mt_ctx = svc->mt_ctx;
+ int restart_delay;
+ time_t now = time(NULL);
+ struct tevent_timer *te;
+ struct timeval tv;
+
+ /* Handle the actual checks for how many times to restart this
+ * service before giving up.
+ */
+ if ((now - svc->last_restart) > MONITOR_RESTART_CNT_INTERVAL_RESET) {
+ svc->restarts = 0;
+ }
+
+ /* Restart the service */
+ if (svc->restarts > MONITOR_MAX_SVC_RESTARTS) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Process [%s], definitely stopped!\n", svc->name);
+
+ sss_log(SSS_LOG_ERR,
+ "Exiting the SSSD. Could not restart critical service [%s].",
+ svc->name);
+
+ talloc_free(svc);
+
+ /* exit the SSSD with an error, shutting down all
+ * services and domains.
+ * We do this because if one of the responders is down
+ * and can't come back up, this is the only way to
+ * guarantee admin intervention.
+ */
+ monitor_quit(mt_ctx, 1);
+ return;
+ }
+
+ /* restarts are schedule after 0, 2, 4 seconds */
+ restart_delay = svc->restarts << 1;
+ if (restart_delay > MONITOR_MAX_RESTART_DELAY) {
+ restart_delay = MONITOR_MAX_RESTART_DELAY;
+ }
+
+ tv = tevent_timeval_current_ofs(restart_delay, 0);
+ te = tevent_add_timer(svc->mt_ctx->ev, svc, tv, mt_svc_restart, svc);
+ if (te == NULL) {
+ /* Nothing much we can do */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate timed event: mt_svc_restart.\n");
+ talloc_free(svc);
+ return;
+ }
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ int opt_daemon = 0;
+ int opt_interactive = 0;
+ int opt_genconf = 0;
+ int opt_version = 0;
+ int opt_netlinkoff = 0;
+ char *opt_config_file = NULL;
+ char *opt_logger = NULL;
+ char *config_file = NULL;
+ int flags = 0;
+ struct main_context *main_ctx;
+ TALLOC_CTX *tmp_ctx;
+ struct mt_ctx *monitor;
+ int ret;
+ uid_t uid;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
+ {"daemon", 'D', POPT_ARG_NONE, &opt_daemon, 0, \
+ _("Become a daemon (default)"), NULL }, \
+ {"interactive", 'i', POPT_ARG_NONE, &opt_interactive, 0, \
+ _("Run interactive (not a daemon)"), NULL}, \
+ {"disable-netlink", '\0', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+ &opt_netlinkoff, 0, \
+ _("Disable netlink interface"), NULL}, \
+ {"config", 'c', POPT_ARG_STRING, &opt_config_file, 0, \
+ _("Specify a non-default config file"), NULL}, \
+ {"genconf", 'g', POPT_ARG_NONE, &opt_genconf, 0, \
+ _("Refresh the configuration database, then exit"), \
+ NULL}, \
+ {"version", '\0', POPT_ARG_NONE, &opt_version, 0, \
+ _("Print version number and exit"), NULL }, \
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used.
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ DEBUG_INIT(debug_level);
+
+ if (opt_version) {
+ puts(VERSION""PRERELEASE_VERSION);
+ return EXIT_SUCCESS;
+ }
+
+ /* If the level or timestamps was passed at the command-line, we want
+ * to save it and pass it to the children later.
+ */
+ cmdline_debug_level = debug_level;
+ cmdline_debug_timestamps = debug_timestamps;
+ cmdline_debug_microseconds = debug_microseconds;
+
+ if (opt_daemon && opt_interactive) {
+ fprintf(stderr, "Option -i|--interactive is not allowed together with -D|--daemon\n");
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+
+ if (opt_genconf && (opt_daemon || opt_interactive)) {
+ fprintf(stderr, "Option -g is incompatible with -D or -i\n");
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+
+ if (!opt_daemon && !opt_interactive && !opt_genconf) {
+ opt_daemon = 1;
+ }
+
+ poptFreeContext(pc);
+
+ uid = getuid();
+ if (uid != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Running under %"SPRIuid", must be root\n", uid);
+ sss_log(SSS_LOG_ALERT, "sssd must be run as root");
+ return 8;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return 7;
+ }
+
+ if (opt_daemon) flags |= FLAGS_DAEMON;
+ if (opt_interactive) {
+ flags |= FLAGS_INTERACTIVE;
+ debug_to_stderr = 1;
+ }
+ if (opt_genconf) {
+ flags |= FLAGS_GEN_CONF;
+ debug_to_stderr = 1;
+ }
+
+ sss_set_logger(opt_logger);
+
+ if (opt_config_file) {
+ config_file = talloc_strdup(tmp_ctx, opt_config_file);
+ } else {
+ config_file = talloc_strdup(tmp_ctx, SSSD_CONFIG_FILE);
+ }
+
+ if (opt_netlinkoff) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Option --disable-netlink has been removed and "
+ "replaced as a monitor option in sssd.conf\n");
+ sss_log(SSS_LOG_ALERT,
+ "--disable-netlink
has been deprecated, tunable option " + "disable_netlink available as replacement(man sssd.conf)"); + } + + if (!config_file) { + return 6; + } + + /* the monitor should not run a watchdog on itself */ + flags |= FLAGS_NO_WATCHDOG; + + /* Open before server_setup() does to have logging + * during configuration checking */ + if (sss_logger == FILES_LOGGER) { + ret = open_debug_file(); + if (ret) { + return 7; + } + } + +#ifdef USE_KEYRING + /* Do this before all the forks, it sets the session key ring so all + * keys are private to the daemon and cannot be read by any other process + * tree */ + + /* make a new session */ + ret = keyctl_join_session_keyring(NULL); + if (ret == -1) { + sss_log(SSS_LOG_ALERT, + "Could not create private keyring session. " + "If you store password there they may be easily accessible " + "to the root user. (%d, %s)", errno, strerror(errno)); + } + + ret = keyctl_setperm(KEY_SPEC_SESSION_KEYRING, KEY_POS_ALL); + if (ret == -1) { + sss_log(SSS_LOG_ALERT, + "Could not set permissions on private keyring. " + "If you store password there they may be easily accessible " + "to the root user. (%d, %s)", errno, strerror(errno)); + } +#endif + + /* Warn if nscd seems to be running */ + ret = check_file(NSCD_SOCKET_PATH, + -1, -1, S_IFSOCK, S_IFMT, NULL, false); + if (ret == EOK) { + ret = sss_nscd_parse_conf(NSCD_CONF_PATH); + + switch (ret) { + case ENOENT: + sss_log(SSS_LOG_NOTICE, + "NSCD socket was detected. NSCD caching capabilities " + "may conflict with SSSD for users and groups. It is " + "recommended not to run NSCD in parallel with SSSD, " + "unless NSCD is configured not to cache the passwd, " + "group, netgroup and services nsswitch maps."); + break; + + case EEXIST: + sss_log(SSS_LOG_NOTICE, + "NSCD socket was detected and seems to be configured " + "to cache some of the databases controlled by " + "SSSD [passwd,group,netgroup,services]. 
It is " + "recommended not to run NSCD in parallel with SSSD, " + "unless NSCD is configured not to cache these."); + break; + + case EOK: + DEBUG(SSSDBG_TRACE_FUNC, "NSCD socket was detected and it " + "seems to be configured not to interfere with " + "SSSD's caching capabilities\n"); + } + } + + /* Check if the SSSD is already running */ + ret = check_file(SSSD_PIDFILE, 0, 0, S_IFREG|0600, 0, NULL, false); + if (ret == EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "pidfile exists at %s\n", SSSD_PIDFILE); + ERROR("SSSD is already running\n"); + return 2; + } + + /* Parse config file, fail if cannot be done */ + ret = load_configuration(tmp_ctx, config_file, CONFDB_DEFAULT_CONFIG_DIR, + &monitor); + if (ret != EOK) { + switch (ret) { + case EPERM: + case EACCES: + DEBUG(SSSDBG_CRIT_FAILURE, + CONF_FILE_PERM_ERROR_MSG, config_file); + sss_log(SSS_LOG_ALERT, CONF_FILE_PERM_ERROR_MSG, config_file); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "SSSD couldn't load the configuration database.\n"); + sss_log(SSS_LOG_ALERT, + "SSSD couldn't load the configuration database [%d]: %s.\n", + ret, strerror(ret)); + break; + } + return 4; + } + + /* at this point we are done generating the config file, we may exit + * if that's all we were asked to do */ + if (opt_genconf) return 0; + + /* set up things like debug, signals, daemonization, etc. */ + monitor->conf_path = CONFDB_MONITOR_CONF_ENTRY; + ret = close(STDIN_FILENO); + if (ret != EOK) return 6; + + ret = server_setup(MONITOR_NAME, flags, 0, 0, + monitor->conf_path, &main_ctx); + if (ret != EOK) return 2; + + /* Use confd initialized in server_setup. ldb_tdb module (1.4.0) check PID + * of process which initialized db for locking purposes. 
+ * Failed to unlock db: ../ldb_tdb/ldb_tdb.c:147: + * Reusing ldb opened by pid 28889 in process 28893 + */ + talloc_zfree(monitor->cdb); + monitor->cdb = main_ctx->confdb_ctx; + + ret = confdb_get_domains(monitor->cdb, &monitor->domains); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n"); + return 4; + } + + monitor->is_daemon = !opt_interactive; + monitor->parent_pid = main_ctx->parent_pid; + monitor->ev = main_ctx->event_ctx; + talloc_steal(main_ctx, monitor); + + ret = monitor_process_init(monitor, config_file); + + if (ret != EOK) return 3; + talloc_free(tmp_ctx); + + /* loop on main */ + server_loop(main_ctx); + + ret = monitor_cleanup(); + if (ret != EOK) return 5; + + return 0; +} diff --git a/src/monitor/monitor.h b/src/monitor/monitor.h new file mode 100644 index 0000000..3f679de --- /dev/null +++ b/src/monitor/monitor.h 
@@ -0,0 +1,46 @@ +/* + SSSD + + Service monitor + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _MONITOR_H_ +#define _MONITOR_H_ + +#define RESOLV_CONF_PATH "/etc/resolv.conf" +#define CONFIG_FILE_POLL_INTERVAL 5 /* seconds */ + +/* for detecting if NSCD is running */ +#ifndef NSCD_SOCKET_PATH +#define NSCD_SOCKET_PATH "/var/run/nscd/socket" +#endif + +struct config_file_ctx; + +struct mt_ctx; + +/* from monitor_netlink.c */ +struct netlink_ctx; + +typedef void (*network_change_cb)(void *); + +int setup_netlink(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + network_change_cb change_cb, void *cb_data, + struct netlink_ctx **_nlctx); + +#endif /* _MONITOR_H */ diff --git a/src/monitor/monitor_iface.xml b/src/monitor/monitor_iface.xml new file mode 100644 index 0000000..c2b5863 --- /dev/null +++ b/src/monitor/monitor_iface.xml @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/monitor/monitor_iface_generated.c b/src/monitor/monitor_iface_generated.c new file mode 100644 index 0000000..066612c --- /dev/null +++ b/src/monitor/monitor_iface_generated.c 
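Review bot: monitor.h is not self-contained: the `setup_netlink` prototype uses `TALLOC_CTX` and `struct tevent_context`, but the header includes nothing, so it compiles only when every includer has already pulled in talloc and tevent. Adding `#include <talloc.h>` and `#include <tevent.h>` directly after the guard would remove that ordering dependency. The guard macro `_MONITOR_H_` also sits in the namespace reserved for the implementation (underscore followed by an uppercase letter), and the closing comment names `_MONITOR_H` instead. Using `MONITOR_H_` with a matching `#endif /* MONITOR_H_ */` fixes both.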
@@ -0,0 +1,101 @@ +/* The following definitions are auto-generated from monitor_iface.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "monitor_iface_generated.h" + +/* methods for org.freedesktop.sssd.monitor */ +const struct sbus_method_meta mon_srv_iface__methods[] = { + { + "getVersion", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_srv_iface, getVersion), + NULL, /* no invoker */ + }, + { + "RegisterService", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_srv_iface, RegisterService), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.monitor */ +const struct sbus_interface_meta mon_srv_iface_meta = { + "org.freedesktop.sssd.monitor", /* name */ + mon_srv_iface__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* methods for org.freedesktop.sssd.service */ +const struct sbus_method_meta mon_cli_iface__methods[] = { + { + "resInit", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, resInit), + NULL, /* no invoker */ + }, + { + "goOffline", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, goOffline), + NULL, /* no invoker */ + }, + { + "resetOffline", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, resetOffline), + NULL, /* no invoker */ + }, + { + "rotateLogs", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, rotateLogs), + NULL, /* no invoker */ + }, + { + "clearMemcache", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, clearMemcache), + NULL, /* no invoker */ + }, + { + "clearEnumCache", /* name */ + NULL, /* no 
in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, clearEnumCache), + NULL, /* no invoker */ + }, + { + "sysbusReconnect", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct mon_cli_iface, sysbusReconnect), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.service */ +const struct sbus_interface_meta mon_cli_iface_meta = { + "org.freedesktop.sssd.service", /* name */ + mon_cli_iface__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; diff --git a/src/monitor/monitor_iface_generated.h b/src/monitor/monitor_iface_generated.h new file mode 100644 index 0000000..58cc6f5 --- /dev/null +++ b/src/monitor/monitor_iface_generated.h 
@@ -0,0 +1,83 @@ +/* The following declarations are auto-generated from monitor_iface.xml */ + +#ifndef __MONITOR_IFACE_XML__ +#define __MONITOR_IFACE_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for org.freedesktop.sssd.monitor */ +#define MON_SRV_IFACE "org.freedesktop.sssd.monitor" +#define MON_SRV_IFACE_GETVERSION "getVersion" +#define MON_SRV_IFACE_REGISTERSERVICE "RegisterService" + +/* constants for org.freedesktop.sssd.service */ +#define MON_CLI_IFACE "org.freedesktop.sssd.service" +#define MON_CLI_IFACE_RESINIT "resInit" +#define MON_CLI_IFACE_GOOFFLINE "goOffline" +#define MON_CLI_IFACE_RESETOFFLINE "resetOffline" +#define MON_CLI_IFACE_ROTATELOGS "rotateLogs" +#define MON_CLI_IFACE_CLEARMEMCACHE "clearMemcache" +#define MON_CLI_IFACE_CLEARENUMCACHE "clearEnumCache" +#define MON_CLI_IFACE_SYSBUSRECONNECT "sysbusReconnect" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. + * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. 
+ */ + +/* vtable for org.freedesktop.sssd.monitor */ +struct mon_srv_iface { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + sbus_msg_handler_fn getVersion; + sbus_msg_handler_fn RegisterService; +}; + +/* vtable for org.freedesktop.sssd.service */ +struct mon_cli_iface { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + sbus_msg_handler_fn resInit; + sbus_msg_handler_fn goOffline; + sbus_msg_handler_fn resetOffline; + sbus_msg_handler_fn rotateLogs; + sbus_msg_handler_fn clearMemcache; + sbus_msg_handler_fn clearEnumCache; + sbus_msg_handler_fn sysbusReconnect; +}; + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. + */ + +/* interface info for org.freedesktop.sssd.monitor */ +extern const struct sbus_interface_meta mon_srv_iface_meta; + +/* interface info for org.freedesktop.sssd.service */ +extern const struct sbus_interface_meta mon_cli_iface_meta; + +#endif /* __MONITOR_IFACE_XML__ */ diff --git a/src/monitor/monitor_interfaces.h b/src/monitor/monitor_interfaces.h new file mode 100644 index 0000000..136beb4 --- /dev/null +++ b/src/monitor/monitor_interfaces.h 
@@ -0,0 +1,54 @@
+/*
+ SSSD
+
+ Sbus Interfaces
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "sbus/sssd_dbus.h"
+
+#include "monitor/monitor_iface_generated.h"
+
+/*** Monitor ***/
+
+#define MONITOR_VERSION 0x0001
+
+/*** Monitor SRV Interface ***/
+#define MON_SRV_PATH "/org/freedesktop/sssd/monitor"
+
+/*** Monitor CLI Interface ***/
+#define MONITOR_PATH "/org/freedesktop/sssd/service"
+
+#define SSSD_SERVICE_PIPE "private/sbus-monitor"
+
+enum mt_svc_type {
+ MT_SVC_SERVICE,
+ MT_SVC_PROVIDER
+};
+
+int monitor_get_sbus_address(TALLOC_CTX *mem_ctx, char **address);
+int monitor_common_res_init(struct sbus_request *dbus_req, void *data);
+
+errno_t sss_monitor_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct mon_cli_iface *mon_iface,
+ const char *svc_name,
+ uint16_t svc_version,
+ uint16_t svc_type,
+ void *pvt,
+ time_t *last_request_time,
+ struct sbus_connection **mon_conn);
diff --git a/src/monitor/monitor_netlink.c b/src/monitor/monitor_netlink.c
new file mode 100644
index 0000000..a54ae5a
--- /dev/null
+++ b/src/monitor/monitor_netlink.c
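Review bot: monitor_interfaces.h has no include guard, so a translation unit that reaches it twice (directly and through another header) fails on the redefinition of `enum mt_svc_type`. Wrapping the contents in `#ifndef MONITOR_INTERFACES_H_` / `#define MONITOR_INTERFACES_H_` and a closing `#endif /* MONITOR_INTERFACES_H_ */` would prevent that. The `svc_type` parameter of `sss_monitor_init` is a plain `uint16_t` that presumably carries a value of `enum mt_svc_type`. If so, a comment such as `/* svc_type: one of enum mt_svc_type */` on the prototype would make that link explicit.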
@@ -0,0 +1,885 @@ +/* + SSSD - Service monitor - netlink support + + Authors: + Jakub Hrozek + Parts of this code were borrowed from NetworkManager + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "monitor/monitor.h" +#include "util/util.h" + +#ifdef HAVE_LIBNL +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#endif + +/* Linux header file confusion causes this to be undefined. 
*/ +#ifndef SOL_NETLINK +#define SOL_NETLINK 270 +#endif + +#define SYSFS_IFACE_TEMPLATE "/sys/class/net/%s" +#define SYSFS_IFACE_PATH_MAX (16+IFNAMSIZ) + +#define PHY_80211_SUBDIR "phy80211" +/* 9 = strlen(PHY_80211_SUBDIR)+1, 1 = path delimiter */ +#define SYSFS_SUBDIR_PATH_MAX (SYSFS_IFACE_PATH_MAX+9+1) + +#define TYPE_FILE "type" +/* 5 = strlen(TYPE_FILE)+1, 1 = path delimiter */ +#define SYSFS_TYPE_PATH_MAX (SYSFS_IFACE_PATH_MAX+5+1) + +#define BUFSIZE 8 + +#ifdef HAVE_LIBNL +/* Wrappers determining use of libnl version 1 or 3 */ +#ifdef HAVE_LIBNL3 + +#define nlw_destroy_handle nl_socket_free +#define nlw_alloc nl_socket_alloc +#define nlw_disable_seq_check nl_socket_disable_seq_check + +#define nlw_geterror(error) nl_geterror(error) + +#define nlw_handle nl_sock + +#elif defined(HAVE_LIBNL1) + +#define nlw_destroy_handle nl_handle_destroy +#define nlw_alloc nl_handle_alloc +#define nlw_disable_seq_check nl_disable_sequence_check + +#define nlw_geterror(error) nl_geterror() + +#define nlw_handle nl_handle + +#endif /* HAVE_LIBNL3 */ + +#endif /* HAVE_LIBNL */ + +enum nlw_msg_type { + NLW_LINK, + NLW_ROUTE, + NLW_ADDR, + NLW_OTHER +}; + +struct netlink_ctx { +#ifdef HAVE_LIBNL + struct nlw_handle *nlp; +#endif + struct tevent_fd *tefd; + + network_change_cb change_cb; + void *cb_data; +}; + +#ifdef HAVE_LIBNL +static int netlink_ctx_destructor(void *ptr) +{ + struct netlink_ctx *nlctx; + nlctx = talloc_get_type(ptr, struct netlink_ctx); + + nlw_destroy_handle(nlctx->nlp); + return 0; +} + +/******************************************************************* + * Utility functions + *******************************************************************/ + +/* rtnl_route_get_oif removed from libnl3 */ +int +rtnlw_route_get_oif(struct rtnl_route * route) +{ +#ifndef HAVE_RTNL_ROUTE_GET_OIF + struct rtnl_nexthop * nh; + int hops; + + hops = rtnl_route_get_nnexthops(route); + if (hops <= 0) { + return 0; + } + + nh = rtnl_route_nexthop_n(route, 0); + + return 
rtnl_route_nh_get_ifindex(nh); +#else + return rtnl_route_get_oif(route); +#endif +} + +static bool has_wireless_extension(const char *ifname) +{ + int s; + errno_t ret; + struct iwreq iwr; + + s = socket(PF_INET, SOCK_DGRAM, 0); + if (s == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "Could not open socket: [%d] %s\n", ret, strerror(ret)); + return false; + } + + strncpy(iwr.ifr_ifrn.ifrn_name, ifname, IFNAMSIZ-1); + iwr.ifr_ifrn.ifrn_name[IFNAMSIZ-1] = '\0'; + /* Does the interface support a wireless extension? */ + ret = ioctl(s, SIOCGIWNAME, &iwr); + close(s); + + return ret == 0; +} + +static bool has_ethernet_encapsulation(const char *sysfs_path) +{ + char type_path[SYSFS_TYPE_PATH_MAX]; + errno_t ret; + int fd = -1; + char buf[BUFSIZE]; + + ret = snprintf(type_path, SYSFS_TYPE_PATH_MAX, + "%s/%s", sysfs_path, TYPE_FILE); + if (ret < 0) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed\n"); + return false; + } else if (ret >= SYSFS_TYPE_PATH_MAX) { + DEBUG(SSSDBG_OP_FAILURE, "path too long?!?!\n"); + return false; + } + + errno = 0; + fd = open(type_path, O_RDONLY); + if (fd == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "Could not open sysfs file %s: [%d] %s\n", + type_path, ret, strerror(ret)); + return false; + } + + memset(buf, 0, BUFSIZE); + errno = 0; + ret = sss_atomic_read_s(fd, buf, BUFSIZE); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "read failed [%d][%s].\n", ret, strerror(ret)); + close(fd); + return false; + } + close(fd); + buf[BUFSIZE-1] = '\0'; + + return strncmp(buf, "1\n", BUFSIZE) == 0; +} + +static bool has_phy_80211_subdir(const char *sysfs_path) +{ + char phy80211_path[SYSFS_SUBDIR_PATH_MAX]; + struct stat statbuf; + errno_t ret; + + ret = snprintf(phy80211_path, SYSFS_SUBDIR_PATH_MAX, + "%s/%s", sysfs_path, PHY_80211_SUBDIR); + if (ret < 0) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed\n"); + return false; + } else if (ret >= SYSFS_SUBDIR_PATH_MAX) { + DEBUG(SSSDBG_OP_FAILURE, "path too long?!?!\n"); + return 
false; + } + + errno = 0; + ret = stat(phy80211_path, &statbuf); + if (ret == -1) { + ret = errno; + if (ret == ENOENT || ret == ENOTDIR) { + DEBUG(SSSDBG_TRACE_LIBS, "No %s directory in sysfs, probably " + "not a wireless interface\n", PHY_80211_SUBDIR); + } else { + DEBUG(SSSDBG_OP_FAILURE, "stat failed: [%d] %s\n", + ret, strerror(ret)); + } + return false; + } + + if (statbuf.st_mode & S_IFDIR) { + DEBUG(SSSDBG_TRACE_LIBS, "Directory %s found in sysfs, looks like " + "a wireless iface\n", PHY_80211_SUBDIR); + return true; + } + + return false; +} + +static bool discard_iff_up(const char *ifname) +{ + char path[SYSFS_IFACE_PATH_MAX]; + errno_t ret; + + /* This catches most of the new 80211 drivers */ + if (has_wireless_extension(ifname)) { + DEBUG(SSSDBG_TRACE_FUNC, "%s has a wireless extension\n", ifname); + return true; + } + + ret = snprintf(path, SYSFS_IFACE_PATH_MAX, SYSFS_IFACE_TEMPLATE, ifname); + if (ret < 0) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed\n"); + return false; + } else if (ret >= SYSFS_IFACE_PATH_MAX) { + DEBUG(SSSDBG_OP_FAILURE, "path too long?!?!\n"); + return false; + } + + /* This will filter PPP and such. Both wired and wireless + * interfaces have the encapsulation. 
*/ + if (!has_ethernet_encapsulation(path)) { + DEBUG(SSSDBG_TRACE_FUNC, "%s does not have ethernet encapsulation, " + "filtering out\n", ifname); + return true; + } + + /* This captures old WEXT drivers, the new mac8011 would + * be caught by the ioctl check */ + if (has_phy_80211_subdir(path)) { + DEBUG(SSSDBG_TRACE_FUNC, "%s has a 802_11 subdir, filtering out\n", + ifname); + return true; + } + + return false; +} + +static void nladdr_to_string(struct nl_addr *nl, char *buf, size_t bufsize) +{ + int addr_family; + void *addr; + + addr_family = nl_addr_get_family(nl); + if (addr_family != AF_INET && addr_family != AF_INET6) { + strncpy(buf, "unknown", bufsize); + return; + } + + addr = nl_addr_get_binary_addr(nl); + if (!addr) return; + + if (inet_ntop(addr_family, addr, buf, bufsize) == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "inet_ntop failed\n"); + snprintf(buf, bufsize, "unknown"); + } +} + +/******************************************************************* + * Wrappers for different capabilities of different libnl versions + *******************************************************************/ + +static bool nlw_accept_message(struct nlw_handle *nlp, + const struct sockaddr_nl *snl, + struct nlmsghdr *hdr) +{ + bool accept_msg = false; + uint32_t local_port; + + if (snl == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Malformed message, skipping\n"); + return false; + } + + /* Accept any messages from the kernel */ + if (hdr->nlmsg_pid == 0 || snl->nl_pid == 0) { + accept_msg = true; + } + + /* And any multicast message directed to our netlink PID, since multicast + * currently requires CAP_ADMIN to use. 
+ */ + local_port = nl_socket_get_local_port(nlp); + if ((hdr->nlmsg_pid == local_port) && snl->nl_groups) { + accept_msg = true; + } + + if (accept_msg == false) { + DEBUG(SSSDBG_TRACE_ALL, + "ignoring netlink message from PID %d\n", hdr->nlmsg_pid); + } + + return accept_msg; +} + +static bool nlw_is_addr_object(struct nl_object *obj) +{ + bool is_addr_object = true; + struct rtnl_addr *filter; + + filter = rtnl_addr_alloc(); + if (!filter) { + DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error!\n"); + is_addr_object = false; + } + + /* Ensure it's an addr object */ + if (!nl_object_match_filter(obj, OBJ_CAST(filter))) { + DEBUG(SSSDBG_MINOR_FAILURE, "Not an addr object\n"); + is_addr_object = false; + } + + rtnl_addr_put(filter); + return is_addr_object; +} + +static bool nlw_is_route_object(struct nl_object *obj) +{ + bool is_route_object = true; + struct rtnl_route *filter; + + filter = rtnl_route_alloc(); + if (!filter) { + DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error!\n"); + is_route_object = false; + } + + /* Ensure it's a route object */ + if (!nl_object_match_filter(obj, OBJ_CAST(filter))) { + DEBUG(SSSDBG_MINOR_FAILURE, "Not a route object\n"); + is_route_object = false; + } + + rtnl_route_put(filter); + return is_route_object; +} + +static bool nlw_is_link_object(struct nl_object *obj) +{ + bool is_link_object = true; + struct rtnl_link *filter; + + filter = rtnl_link_alloc(); + if (!filter) { + DEBUG(SSSDBG_FATAL_FAILURE, "Allocation error!\n"); + is_link_object = false; + } + + /* Ensure it's a link object */ + if (!nl_object_match_filter(obj, OBJ_CAST(filter))) { + DEBUG(SSSDBG_OP_FAILURE, "Not a link object\n"); + is_link_object = false; + } + + rtnl_link_put(filter); + return is_link_object; +} + +static int nlw_enable_passcred(struct nlw_handle *nlp) +{ +#ifdef HAVE_NL_SET_PASSCRED + return nl_set_passcred(nlp, 1); /* 1 = enabled */ +#elif defined(HAVE_NL_SOCKET_SET_PASSCRED) + return nl_socket_set_passcred(nlp, 1); +#else + return EOK; /* not available 
in this version */ +#endif +} + +static int nlw_group_subscribe(struct nlw_handle *nlp, int group) +{ + int ret; + +#ifdef HAVE_NL_SOCKET_ADD_MEMBERSHIP + ret = nl_socket_add_membership(nlp, group); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to add membership: %s\n", nlw_geterror(ret)); + return ret; + } +#else + int nlfd = nl_socket_get_fd(nlp); + + errno = 0; + ret = setsockopt(nlfd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP, + &group, sizeof(group)); + if (ret < 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setsockopt failed (%d): %s\n", ret, strerror(ret)); + return ret; + } +#endif + + return 0; +} + +static int nlw_groups_subscribe(struct nlw_handle *nlp, int *groups) +{ + int ret; + int i; + + for (i=0; groups[i]; i++) { + ret = nlw_group_subscribe(nlp, groups[i]); + if (ret != EOK) return ret; + } + + return EOK; +} + +/******************************************************************* + * Callbacks for validating and receiving messages + *******************************************************************/ + +static int event_msg_recv(struct nl_msg *msg, void *arg) +{ + struct netlink_ctx *ctx = (struct netlink_ctx *) arg; + struct nlmsghdr *hdr; + const struct sockaddr_nl *snl; + struct ucred *creds; + + creds = nlmsg_get_creds(msg); + if (!creds || creds->uid != 0) { + DEBUG(SSSDBG_TRACE_ALL, + "Ignoring netlink message from UID %"SPRIuid"\n", + creds ? 
creds->uid : (uid_t)-1); + return NL_SKIP; + } + + hdr = nlmsg_hdr(msg); + snl = nlmsg_get_src(msg); + + if (!nlw_accept_message(ctx->nlp, snl, hdr)) { + return NL_SKIP; + } + + return NL_OK; +} + +static void link_msg_handler(struct nl_object *obj, void *arg); +static void route_msg_handler(struct nl_object *obj, void *arg); +static void addr_msg_handler(struct nl_object *obj, void *arg); + +static enum nlw_msg_type message_type(struct nlmsghdr *hdr) +{ + DEBUG(SSSDBG_FUNC_DATA, "netlink Message type: %d\n", hdr->nlmsg_type); + switch (hdr->nlmsg_type) { + /* network interface added */ + case RTM_NEWLINK: + return NLW_LINK; + /* routing table changed */ + case RTM_NEWROUTE: + case RTM_DELROUTE: + return NLW_ROUTE; + /* IP address added or deleted */ + case RTM_NEWADDR: + case RTM_DELADDR: + return NLW_ADDR; + /* Something else happened, but we don't care (typically RTM_GET* ) */ + default: + return NLW_OTHER; + } + + return NLW_OTHER; +} + +static int event_msg_ready(struct nl_msg *msg, void *arg) +{ + struct nlmsghdr *hdr = nlmsg_hdr(msg); + + switch (message_type(hdr)) { + case NLW_LINK: + nl_msg_parse(msg, &link_msg_handler, arg); + break; + case NLW_ROUTE: + nl_msg_parse(msg, &route_msg_handler, arg); + break; + case NLW_ADDR: + nl_msg_parse(msg, &addr_msg_handler, arg); + break; + default: + return EOK; /* Don't care */ + } + + return NL_OK; +} + +static int nlw_set_callbacks(struct nlw_handle *nlp, void *data) +{ + int ret = EIO; + +#ifdef HAVE_NL_SOCKET_MODIFY_CB + ret = nl_socket_modify_cb(nlp, NL_CB_MSG_IN, NL_CB_CUSTOM, event_msg_recv, + data); +#else + struct nl_cb *cb = nl_handle_get_cb(nlp); + ret = nl_cb_set(cb, NL_CB_MSG_IN, NL_CB_CUSTOM, event_msg_recv, data); +#endif + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set validation callback\n"); + return ret; + } + +#ifdef HAVE_NL_SOCKET_MODIFY_CB + ret = nl_socket_modify_cb(nlp, NL_CB_VALID, NL_CB_CUSTOM, event_msg_ready, + data); +#else + ret = nl_cb_set(cb, NL_CB_VALID, NL_CB_CUSTOM, 
event_msg_ready, data); +#endif + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set receive callback\n"); + return ret; + } + + return ret; +} + +static void route_msg_debug_print(struct rtnl_route *route_obj) +{ + int prefixlen; + char buf[INET6_ADDRSTRLEN]; + struct nl_addr *nl; + + nl = rtnl_route_get_dst(route_obj); + if (nl) { + nladdr_to_string(nl, buf, INET6_ADDRSTRLEN); + prefixlen = nl_addr_get_prefixlen(nl); + } else { + strncpy(buf, "unknown", INET6_ADDRSTRLEN); + prefixlen = 0; + } + + DEBUG(SSSDBG_TRACE_LIBS, "route idx %d flags %#X family %d addr %s/%d\n", + rtnlw_route_get_oif(route_obj), rtnl_route_get_flags(route_obj), + rtnl_route_get_family(route_obj), buf, prefixlen); + +} + +/* + * If a bridge interface is configured it sets up a timer to requery for + * multicast group memberships periodically. We need to discard such + * messages. + */ +static bool route_is_multicast(struct rtnl_route *route_obj) +{ + struct nl_addr *nl; + struct in6_addr *addr6 = NULL; + struct in_addr *addr4 = NULL; + + nl = rtnl_route_get_dst(route_obj); + if (!nl) { + DEBUG(SSSDBG_MINOR_FAILURE, "A route with no destination?\n"); + return false; + } + + if (nl_addr_get_family(nl) == AF_INET) { + addr4 = nl_addr_get_binary_addr(nl); + if (!addr4) { + return false; + } + + return IN_MULTICAST(ntohl(addr4->s_addr)); + } else if (nl_addr_get_family(nl) == AF_INET6) { + addr6 = nl_addr_get_binary_addr(nl); + if (!addr6) { + return false; + } + + return IN6_IS_ADDR_MULTICAST(addr6); + } + + DEBUG(SSSDBG_MINOR_FAILURE, "Unknown route address family\n"); + return false; +} + +static void route_msg_handler(struct nl_object *obj, void *arg) +{ + struct rtnl_route *route_obj; + struct netlink_ctx *ctx = (struct netlink_ctx *) arg; + + if (!nlw_is_route_object(obj)) return; + + route_obj = (struct rtnl_route *) obj; + + if (route_is_multicast(route_obj)) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Discarding multicast route message\n"); + return; + } + + if (debug_level & 
SSSDBG_TRACE_LIBS) { + route_msg_debug_print(route_obj); + } + + ctx->change_cb(ctx->cb_data); +} + +static void addr_msg_debug_print(struct rtnl_addr *addr_obj) +{ + unsigned int flags; + char str_flags[512]; + int ifidx; + struct nl_addr *local_addr; + char buf[INET6_ADDRSTRLEN]; + + flags = rtnl_addr_get_flags(addr_obj); + ifidx = rtnl_addr_get_ifindex(addr_obj); + local_addr = rtnl_addr_get_local(addr_obj); + + rtnl_addr_flags2str(flags, str_flags, 512); + nladdr_to_string(local_addr, buf, INET6_ADDRSTRLEN); + + DEBUG(SSSDBG_TRACE_LIBS, "netlink addr message: iface idx %u " + "addr %s flags 0x%X (%s)\n", ifidx, buf, flags, str_flags); +} + +static void addr_msg_handler(struct nl_object *obj, void *arg) +{ + int err; + struct netlink_ctx *ctx = (struct netlink_ctx *) arg; + struct rtnl_addr *addr_obj; + struct nl_addr *local_addr; + struct sockaddr_in sa4; + struct sockaddr_in6 sa6; + socklen_t salen; + + if (!nlw_is_addr_object(obj)) return; + + addr_obj = (struct rtnl_addr *) obj; + if (debug_level & SSSDBG_TRACE_LIBS) { + addr_msg_debug_print(addr_obj); + } + + local_addr = rtnl_addr_get_local(addr_obj); + if (local_addr == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Received RTM_NEWADDR with no address\n"); + return; + } + + switch (nl_addr_get_family(local_addr)) { + case AF_INET6: + salen = sizeof(struct sockaddr_in6); + err = nl_addr_fill_sockaddr(local_addr, + (struct sockaddr *) &sa6, + &salen); + if (err < 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unknown error in nl_addr_fill_sockaddr\n"); + return; + } + + if (!check_ipv6_addr(&sa6.sin6_addr, SSS_NO_SPECIAL)) { + DEBUG(SSSDBG_TRACE_LIBS, "Ignoring special address.\n"); + return; + } + break; + + case AF_INET: + salen = sizeof(struct sockaddr_in); + err = nl_addr_fill_sockaddr(local_addr, + (struct sockaddr *) &sa4, + &salen); + if (err < 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unknown error in nl_addr_fill_sockaddr\n"); + return; + } + if (check_ipv4_addr(&sa4.sin_addr, SSS_NO_SPECIAL)) { + 
DEBUG(SSSDBG_TRACE_LIBS, "Ignoring special address.\n"); + return; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown address family\n"); + return; + } + + ctx->change_cb(ctx->cb_data); +} + +static void link_msg_handler(struct nl_object *obj, void *arg) +{ + struct netlink_ctx *ctx = (struct netlink_ctx *) arg; + struct rtnl_link *link_obj; + unsigned int flags; + char str_flags[512]; + int ifidx; + const char *ifname; + + if (!nlw_is_link_object(obj)) return; + + link_obj = (struct rtnl_link *) obj; + flags = rtnl_link_get_flags(link_obj); + ifidx = rtnl_link_get_ifindex(link_obj); + + rtnl_link_flags2str(flags, str_flags, 512); + + ifname = rtnl_link_get_name(link_obj); + DEBUG(SSSDBG_TRACE_LIBS, "netlink link message: iface idx %u (%s) " + "flags 0x%X (%s)\n", ifidx, ifname, flags, str_flags); + + /* IFF_LOWER_UP is the indicator of carrier status */ + if ((flags & IFF_RUNNING) && (flags & IFF_LOWER_UP) && + !discard_iff_up(ifname)) { + ctx->change_cb(ctx->cb_data); + } +} + +static void netlink_fd_handler(struct tevent_context *ev, struct tevent_fd *fde, + uint16_t flags, void *data) +{ + struct netlink_ctx *nlctx = talloc_get_type(data, struct netlink_ctx); + int ret; + + if (!nlctx || !nlctx->nlp) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid netlink handle, this is most likely a bug!\n"); + return; + } + + ret = nl_recvmsgs_default(nlctx->nlp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error while reading from netlink fd\n"); + return; + } +} + +/******************************************************************* + * Set up the netlink library + *******************************************************************/ + +int setup_netlink(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + network_change_cb change_cb, void *cb_data, + struct netlink_ctx **_nlctx) +{ + struct netlink_ctx *nlctx; + int ret; + int nlfd; + unsigned flags; + int groups[] = { RTNLGRP_LINK, RTNLGRP_IPV4_ROUTE, RTNLGRP_IPV6_ROUTE, + RTNLGRP_IPV4_IFADDR, RTNLGRP_IPV6_IFADDR, 
0 }; + + nlctx = talloc_zero(mem_ctx, struct netlink_ctx); + if (!nlctx) return ENOMEM; + talloc_set_destructor((TALLOC_CTX *) nlctx, netlink_ctx_destructor); + + nlctx->change_cb = change_cb; + nlctx->cb_data = cb_data; + + /* allocate the libnl handle/socket and register the default filter set */ + nlctx->nlp = nlw_alloc(); + if (!nlctx->nlp) { + DEBUG(SSSDBG_CRIT_FAILURE, + "unable to allocate netlink handle: %s\n", nlw_geterror(ENOMEM)); + ret = ENOMEM; + goto fail; + } + + /* Register our custom message validation filter */ + ret = nlw_set_callbacks(nlctx->nlp, nlctx); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set callbacks\n"); + ret = EIO; + goto fail; + } + + /* Try to start talking to netlink */ + ret = nl_connect(nlctx->nlp, NETLINK_ROUTE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to connect to netlink: %s\n", nlw_geterror(ret)); + ret = EIO; + goto fail; + } + + ret = nlw_enable_passcred(nlctx->nlp); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot enable credential passing: %s\n", nlw_geterror(ret)); + ret = EIO; + goto fail; + } + + /* Subscribe to the LINK group for internal carrier signals */ + ret = nlw_groups_subscribe(nlctx->nlp, groups); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to subscribe to netlink monitor\n"); + ret = EIO; + goto fail; + } + + nlw_disable_seq_check(nlctx->nlp); + + nlfd = nl_socket_get_fd(nlctx->nlp); + flags = fcntl(nlfd, F_GETFL, 0); + + errno = 0; + ret = fcntl(nlfd, F_SETFL, flags | O_NONBLOCK); + if (ret < 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot set the netlink fd to nonblocking\n"); + goto fail; + } + + nlctx->tefd = tevent_add_fd(ev, nlctx, nlfd, TEVENT_FD_READ, + netlink_fd_handler, nlctx); + if (nlctx->tefd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd() failed\n"); + ret = EIO; + goto fail; + } + + *_nlctx = nlctx; + return EOK; + +fail: + talloc_free(nlctx); + return ret; +} + +#else /* HAVE_LIBNL not defined */ +int 
setup_netlink(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + network_change_cb change_cb, void *cb_data, + struct netlink_ctx **_nlctx) +{ + if (_nlctx) *_nlctx = NULL; + return EOK; +} +#endif diff --git a/src/monitor/monitor_sbus.c b/src/monitor/monitor_sbus.c new file mode 100644 index 0000000..9d3cd47 --- /dev/null +++ b/src/monitor/monitor_sbus.c 
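Review bot: In addr_msg_handler the two address-family branches test their helpers with opposite polarity: the AF_INET6 branch ignores the address when `!check_ipv6_addr(&sa6.sin6_addr, SSS_NO_SPECIAL)`, while the AF_INET branch ignores it when `check_ipv4_addr(&sa4.sin_addr, SSS_NO_SPECIAL)` is true. Both helpers are defined outside this hunk, but if they share a "true means the address passed the filter" convention, the IPv4 branch drops ordinary addresses and calls `change_cb` only for special ones; the condition would then read `if (!check_ipv4_addr(&sa4.sin_addr, SSS_NO_SPECIAL)) {`. Separately, addr_msg_debug_print() hands the result of rtnl_addr_get_local() to nladdr_to_string() before the handler's own `local_addr == NULL` check, so at SSSDBG_TRACE_LIBS a message without a local address reaches nl_addr_get_family() with NULL. Moving the debug print below that check avoids this.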
@@ -0,0 +1,208 @@ +/* + SSSD + + Data Provider Helpers + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* Needed for res_init() */ +#include +#include +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sbus_client.h" +#include "monitor/monitor_interfaces.h" + +int monitor_get_sbus_address(TALLOC_CTX *mem_ctx, char **address) +{ + char *default_address; + + *address = NULL; + default_address = talloc_asprintf(mem_ctx, "unix:path=%s/%s", + PIPE_PATH, SSSD_SERVICE_PIPE); + if (default_address == NULL) { + return ENOMEM; + } + + *address = default_address; + return EOK; +} + +static void id_callback(DBusPendingCall *pending, void *ptr) +{ + DBusMessage *reply; + DBusError dbus_error; + dbus_bool_t ret; + dbus_uint16_t mon_ver; + int type; + + dbus_error_init(&dbus_error); + + reply = dbus_pending_call_steal_reply(pending); + if (!reply) { + /* reply should never be null. This function shouldn't be called + * until reply is valid or timeout has occurred. If reply is NULL + * here, something is seriously wrong and we should bail out. + */ + DEBUG(SSSDBG_FATAL_FAILURE, + "Severe error. A reply callback was called but no" + " reply was received and no timeout occurred\n"); + + /* FIXME: Destroy this connection? 
*/ + goto done; + } + + type = dbus_message_get_type(reply); + switch (type) { + case DBUS_MESSAGE_TYPE_METHOD_RETURN: + ret = dbus_message_get_args(reply, &dbus_error, + DBUS_TYPE_UINT16, &mon_ver, + DBUS_TYPE_INVALID); + if (!ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse message\n"); + if (dbus_error_is_set(&dbus_error)) dbus_error_free(&dbus_error); + /* FIXME: Destroy this connection? */ + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Got id ack and version (%d) from Monitor\n", mon_ver); + + break; + + case DBUS_MESSAGE_TYPE_ERROR: + DEBUG(SSSDBG_FATAL_FAILURE,"The Monitor returned an error [%s]\n", + dbus_message_get_error_name(reply)); + /* Falling through to default intentionally*/ + default: + /* + * Timeout or other error occurred or something + * unexpected happened. + * It doesn't matter which, because either way we + * know that this connection isn't trustworthy. + * We'll destroy it now. + */ + + /* FIXME: Destroy this connection? */ + break; + } + +done: + dbus_pending_call_unref(pending); + dbus_message_unref(reply); +} + +static int monitor_common_send_id(struct sbus_connection *conn, + const char *name, + uint16_t version, + uint16_t type) +{ + DBusMessage *msg; + dbus_bool_t ret; + int retval; + + /* create the message */ + msg = dbus_message_new_method_call(NULL, + MON_SRV_PATH, + MON_SRV_IFACE, + MON_SRV_IFACE_REGISTERSERVICE); + if (msg == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?!\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Sending ID: (%s,%d)\n", name, version); + + ret = dbus_message_append_args(msg, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_UINT16, &version, + DBUS_TYPE_UINT16, &type, + DBUS_TYPE_INVALID); + if (!ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + return EIO; + } + + retval = sbus_conn_send(conn, msg, 3000, + id_callback, + NULL, NULL); + dbus_message_unref(msg); + return retval; +} + +int monitor_common_res_init(struct sbus_request *dbus_req, void *data) +{ + int ret; + + 
ret = res_init(); + if(ret != 0) { + return EIO; + } + + /* Send an empty reply to acknowledge receipt */ + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} + +errno_t sss_monitor_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct mon_cli_iface *mon_iface, + const char *svc_name, + uint16_t svc_version, + uint16_t svc_type, + void *pvt, + time_t *last_request_time, + struct sbus_connection **mon_conn) +{ + errno_t ret; + char *sbus_address; + struct sbus_connection *conn; + + /* Set up SBUS connection to the monitor */ + ret = monitor_get_sbus_address(NULL, &sbus_address); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not locate monitor address.\n"); + return ret; + } + + ret = sbus_client_init(mem_ctx, ev, sbus_address, last_request_time, &conn); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to connect to monitor services.\n"); + talloc_free(sbus_address); + return ret; + } + talloc_free(sbus_address); + + ret = sbus_conn_register_iface(conn, &mon_iface->vtable, MONITOR_PATH, pvt); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to export monitor client.\n"); + return ret; + } + + /* Identify ourselves to the monitor */ + ret = monitor_common_send_id(conn, svc_name, svc_version, svc_type); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to identify to the monitor!\n"); + return ret; + } + + *mon_conn = conn; + + return EOK; +} diff --git a/src/p11_child/p11_child.h b/src/p11_child/p11_child.h new file mode 100644 index 0000000..1e9fc3d --- /dev/null +++ b/src/p11_child/p11_child.h 
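Review bot: In id_callback() the `if (!reply)` branch jumps to `done:`, where `dbus_message_unref(reply)` is then called with a NULL message. libdbus treats a NULL argument there as a caller error (a warning, or an abort when its checks are made fatal), so the path meant to bail out quietly can itself disturb the process. Guard the call with `if (reply != NULL) dbus_message_unref(reply);`. Separately, monitor_common_send_id() returns `EIO` when dbus_message_append_args() fails without releasing `msg`; add `dbus_message_unref(msg);` before that return.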
@@ -0,0 +1,55 @@ +/* + SSSD + + Helper child to commmunicate with SmartCard + + Authors: + Sumit Bose + + Copyright (C) 2018 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __P11_CHILD_H__ +#define __P11_CHILD_H__ + +struct p11_ctx; + +enum op_mode { + OP_NONE, + OP_AUTH, + OP_PREAUTH, + OP_VERIFIY +}; + +enum pin_mode { + PIN_NONE, + PIN_STDIN, + PIN_KEYPAD +}; + +errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db, + struct p11_ctx **p11_ctx); + +errno_t init_verification(struct p11_ctx *p11_ctx, + struct cert_verify_opts *cert_verify_opts); + +bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64); + +errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + enum op_mode mode, const char *pin, + const char *module_name_in, const char *token_name_in, + const char *key_id_in, char **_multi); +#endif /* __P11_CHILD_H__ */ diff --git a/src/p11_child/p11_child_common.c b/src/p11_child/p11_child_common.c new file mode 100644 index 0000000..125430d --- /dev/null +++ b/src/p11_child/p11_child_common.c 
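Review bot: The header is not self-contained: its prototypes use `errno_t`, `bool`, `TALLOC_CTX` and `struct cert_verify_opts`, but nothing is included or forward-declared, so it compiles only when every includer pulls in the right headers first. `struct cert_verify_opts` first appears inside the parameter list of init_verification(), which gives it prototype scope whenever "util/cert.h" has not been seen earlier. Add `struct cert_verify_opts;` next to `struct p11_ctx;` and include the header that provides the remaining types (the .c files on this page use "util/util.h"). The guard name `__P11_CHILD_H__` is also in the namespace reserved for the implementation; `P11_CHILD_H` avoids that.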
@@ -0,0 +1,381 @@ +/* + SSSD + + Helper child to commmunicate with SmartCard -- common code + + Authors: + Sumit Bose + + Copyright (C) 2019 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/child_common.h" +#include "providers/backend.h" +#include "util/crypto/sss_crypto.h" +#include "util/cert.h" +#include "p11_child/p11_child.h" + +static const char *op_mode_str(enum op_mode mode) +{ + switch (mode) { + case OP_NONE: + return "none"; + break; + case OP_AUTH: + return "auth"; + break; + case OP_PREAUTH: + return "pre-auth"; + break; + case OP_VERIFIY: + return "verifiy"; + break; + default: + return "unknown"; + } +} + +static int do_work(TALLOC_CTX *mem_ctx, enum op_mode mode, const char *ca_db, + struct cert_verify_opts *cert_verify_opts, + const char *cert_b64, const char *pin, + const char *module_name, const char *token_name, + const char *key_id, char **multi) +{ + int ret; + struct p11_ctx *p11_ctx; + + ret = init_p11_ctx(mem_ctx, ca_db, &p11_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "init_p11_ctx failed.\n"); + return ret; + } + + if (cert_verify_opts->do_verification) { + ret = init_verification(p11_ctx, cert_verify_opts); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "init_verification failed.\n"); + goto done; + } + } + + + if (mode == OP_VERIFIY) { + if (do_verification_b64(p11_ctx, cert_b64)) 
{ + DEBUG(SSSDBG_TRACE_FUNC, "Certificate is valid.\n"); + ret = 0; + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Certificate is NOT valid.\n"); + ret = EINVAL; + } + } else { + ret = do_card(mem_ctx, p11_ctx, mode, pin, + module_name, token_name, key_id, multi); + } + +done: + talloc_free(p11_ctx); + + return ret; +} + +static errno_t p11c_recv_data(TALLOC_CTX *mem_ctx, int fd, char **pin) +{ + uint8_t buf[IN_BUF_SIZE]; + ssize_t len; + errno_t ret; + char *str; + + errno = 0; + len = sss_atomic_read_s(fd, buf, IN_BUF_SIZE); + if (len == -1) { + ret = errno; + ret = (ret == 0) ? EINVAL: ret; + DEBUG(SSSDBG_CRIT_FAILURE, + "read failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + + if (len == 0 || *buf == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing PIN.\n"); + return EINVAL; + } + + str = talloc_strndup(mem_ctx, (char *) buf, len); + if (str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + return ENOMEM; + } + + if (strlen(str) != len) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Input contains additional data, only PIN expected.\n"); + talloc_free(str); + return EINVAL; + } + + *pin = str; + + return EOK; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int debug_fd = -1; + const char *opt_logger = NULL; + errno_t ret; + TALLOC_CTX *main_ctx = NULL; + enum op_mode mode = OP_NONE; + enum pin_mode pin_mode = PIN_NONE; + char *pin = NULL; + char *nss_db = NULL; + struct cert_verify_opts *cert_verify_opts; + char *verify_opts = NULL; + char *multi = NULL; + char *module_name = NULL; + char *token_name = NULL; + char *key_id = NULL; + char *cert_b64 = NULL; + + struct poptOption long_options[] = { + POPT_AUTOHELP + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, + _("Debug level"), NULL}, + {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0, + _("Add debug timestamps"), NULL}, + {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0, + _("Show timestamps with microseconds"), NULL}, + {"debug-fd", 0, 
POPT_ARG_INT, &debug_fd, 0, + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, + SSSD_LOGGER_OPTS + {"auth", 0, POPT_ARG_NONE, NULL, 'a', _("Run in auth mode"), NULL}, + {"pre", 0, POPT_ARG_NONE, NULL, 'p', _("Run in pre-auth mode"), NULL}, + {"verification", 0, POPT_ARG_NONE, NULL, 'v', _("Run in verification mode"), + NULL}, + {"pin", 0, POPT_ARG_NONE, NULL, 'i', _("Expect PIN on stdin"), NULL}, + {"keypad", 0, POPT_ARG_NONE, NULL, 'k', _("Expect PIN on keypad"), + NULL}, + {"verify", 0, POPT_ARG_STRING, &verify_opts, 0 , _("Tune validation"), + NULL}, + {"nssdb", 0, POPT_ARG_STRING, &nss_db, 0, _("NSS DB to use"), + NULL}, + {"module_name", 0, POPT_ARG_STRING, &module_name, 0, + _("Module name for authentication"), NULL}, + {"token_name", 0, POPT_ARG_STRING, &token_name, 0, + _("Token name for authentication"), NULL}, + {"key_id", 0, POPT_ARG_STRING, &key_id, 0, + _("Key ID for authentication"), NULL}, + {"certificate", 0, POPT_ARG_STRING, &cert_b64, 0, + _("certificate to verify, base64 encoded"), NULL}, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + /* + * This child can run as root or as sssd user relying on policy kit to + * grant access to pcscd. This means that no setuid or setgid bit must be + * set on the binary. We still should make sure to run with a restrictive + * umask but do not have to make additional precautions like clearing the + * environment. This would allow to use e.g. pkcs11-spy.so for further + * debugging. 
+ */ + umask(SSS_DFL_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + case 'a': + if (mode != OP_NONE) { + fprintf(stderr, + "\n--verifiy, --auth and --pre are mutually " \ + "exclusive and should be only used once.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + mode = OP_AUTH; + break; + case 'p': + if (mode != OP_NONE) { + fprintf(stderr, + "\n--verifiy, --auth and --pre are mutually " \ + "exclusive and should be only used once.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + mode = OP_PREAUTH; + break; + case 'v': + if (mode != OP_NONE) { + fprintf(stderr, + "\n--verifiy, --auth and --pre are mutually " \ + "exclusive and should be only used once.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + mode = OP_VERIFIY; + break; + case 'i': + if (pin_mode != PIN_NONE) { + fprintf(stderr, "\n--pin and --keypad are mutually exclusive " \ + "and should be only used once.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + pin_mode = PIN_STDIN; + break; + case 'k': + if (pin_mode != PIN_NONE) { + fprintf(stderr, "\n--pin and --keypad are mutually exclusive " \ + "and should be only used once.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + pin_mode = PIN_KEYPAD; + break; + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + } + + if (nss_db == NULL) { + fprintf(stderr, "\nMissing NSS DB --nssdb must be specified.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + + if (mode == OP_NONE) { + fprintf(stderr, "\nMissing operation mode, either " \ + "--verifiy, --auth or --pre must be specified.\n\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } else if (mode == OP_AUTH && pin_mode == PIN_NONE) { + fprintf(stderr, "\nMissing PIN mode for authentication, " \ + "either --pin or --keypad must be specified.\n"); + poptPrintUsage(pc, 
stderr, 0); + _exit(-1); + } else if (mode == OP_VERIFIY && cert_b64 == NULL) { + fprintf(stderr, "\nMissing certificate for verify operation, " \ + "--certificate base64_encoded_certificate " \ + "must be added.\n"); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + debug_prg_name = talloc_asprintf(NULL, "[sssd[p11_child[%d]]]", getpid()); + if (debug_prg_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + goto fail; + } + + if (debug_fd != -1) { + ret = set_debug_file_from_fd(debug_fd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } + opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); + + DEBUG(SSSDBG_TRACE_FUNC, "p11_child started.\n"); + + DEBUG(SSSDBG_TRACE_INTERNAL, "Running in [%s] mode.\n", op_mode_str(mode)); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n", + geteuid(), getegid()); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n", + getuid(), getgid()); + + main_ctx = talloc_new(NULL); + if (main_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + talloc_free(discard_const(debug_prg_name)); + goto fail; + } + talloc_steal(main_ctx, debug_prg_name); + + if (mode == OP_AUTH && (module_name == NULL || token_name == NULL + || key_id == NULL)) { + DEBUG(SSSDBG_FATAL_FAILURE, + "--module_name, --token_name and --key_id must be given for " + "authentication"); + ret = EINVAL; + goto fail; + } + + ret = parse_cert_verify_opts(main_ctx, verify_opts, &cert_verify_opts); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse verifiy option.\n"); + goto fail; + } + + if (mode == OP_VERIFIY && !cert_verify_opts->do_verification) { + fprintf(stderr, + "Cannot run verification with option 'no_verification'.\n"); + ret = EINVAL; + goto fail; + } + + if (mode == OP_AUTH && pin_mode == PIN_STDIN) { + ret = 
p11c_recv_data(main_ctx, STDIN_FILENO, &pin); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read PIN.\n"); + goto fail; + } + } + + ret = do_work(main_ctx, mode, nss_db, cert_verify_opts, cert_b64, + pin, module_name, token_name, key_id, &multi); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "do_work failed.\n"); + goto fail; + } + + if (multi != NULL) { + fprintf(stdout, "%s", multi); + } + + talloc_free(main_ctx); + return EXIT_SUCCESS; +fail: + DEBUG(SSSDBG_CRIT_FAILURE, "p11_child failed!\n"); + close(STDOUT_FILENO); + talloc_free(main_ctx); + return EXIT_FAILURE; +} diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c new file mode 100644 index 0000000..d6a0b80 --- /dev/null +++ b/src/p11_child/p11_child_nss.c 
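Review bot: p11c_recv_data() leaves the smartcard PIN in memory: the stack buffer `buf` is never cleared on any return path, and the talloc copy returned in `*pin` is later released by main() with a plain `talloc_free(main_ctx)`, which does not overwrite it. Clear the buffer before every return with a call the compiler cannot drop, for example `explicit_bzero(buf, sizeof(buf));`, and erase `pin` in main() before freeing the context (the project's own secure-erase helper would fit, if this tree has one). The same applies to the `talloc_free(str)` on the "additional data" path, since `str` already holds the PIN bytes. The check `strlen(str) != len` also compares `size_t` with `ssize_t`; writing `(size_t)len` makes the intent explicit, as `len` is known to be positive at that point.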
@@ -0,0 +1,686 @@ +/* + SSSD + + Helper child to commmunicate with SmartCard via NSS + + Authors: + Sumit Bose + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/child_common.h" +#include "providers/backend.h" +#include "util/crypto/sss_crypto.h" +#include "util/cert.h" +#include "p11_child/p11_child.h" + +struct p11_ctx { + NSSInitContext *nss_ctx; + CERTCertDBHandle *handle; + struct cert_verify_opts *cert_verify_opts; + const char *nss_db; +}; + +#define EXP_USAGES ( certificateUsageSSLClient \ + | certificateUsageSSLServer \ + | certificateUsageSSLServerWithStepUp \ + | certificateUsageEmailSigner \ + | certificateUsageEmailRecipient \ + | certificateUsageObjectSigner \ + | certificateUsageStatusResponder \ + | certificateUsageSSLCA ) + +static char *password_passthrough(PK11SlotInfo *slot, PRBool retry, void *arg) +{ + /* give up if 1) no password was supplied, or 2) the password has already + * been rejected once by this token. 
*/ + if (retry || (arg == NULL)) { + return NULL; + } + return PL_strdup((char *)arg); +} + +static char *get_key_id_str(PK11SlotInfo *slot, CERTCertificate *cert) +{ + SECItem *key_id = NULL; + char *key_id_str = NULL; + + key_id = PK11_GetLowLevelKeyIDForCert(slot, cert, NULL); + if (key_id == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "PK11_GetLowLevelKeyIDForCert failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return NULL; + } + + key_id_str = CERT_Hexify(key_id, PR_FALSE); + SECITEM_FreeItem(key_id, PR_TRUE); + if (key_id_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_Hexify failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return NULL; + } + + return key_id_str; +} + +static int b64_to_cert(struct p11_ctx *p11_ctx, const char *b64, + CERTCertificate **cert) +{ + CERTCertificate *c = NULL; + SECItem der_item = { 0 }; + + der_item.data = ATOB_AsciiToData(b64, &der_item.len); + if (der_item.data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ATOB_AsciiToData failed.\n"); + return EIO; + } + + c = CERT_NewTempCertificate(p11_ctx->handle, &der_item, NULL, PR_FALSE, + PR_TRUE); + PORT_Free(der_item.data); + if (c == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_NewTempCertificate failed.\n"); + return EINVAL; + } + + *cert = c; + + return EOK; +} + +static int talloc_free_handle(struct p11_ctx *p11_ctx) +{ + SECStatus rv; + + /* Disable OCSP default responder so that NSS can shutdown properly */ + if (p11_ctx->cert_verify_opts->do_ocsp + && p11_ctx->cert_verify_opts->ocsp_default_responder != NULL + && p11_ctx->cert_verify_opts->ocsp_default_responder_signing_cert + != NULL) { + rv = CERT_DisableOCSPDefaultResponder(p11_ctx->handle); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "CERT_DisableOCSPDefaultResponder failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + } + } + + return 0; +} + +errno_t init_verification(struct p11_ctx *p11_ctx, + struct cert_verify_opts *cert_verify_opts) +{ + 
SECStatus rv; + CERTCertDBHandle *handle; + + handle = CERT_GetDefaultCertDB(); + if (handle == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_GetDefaultCertDB failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return EIO; + } + + if (cert_verify_opts->do_ocsp) { + rv = CERT_EnableOCSPChecking(handle); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "CERT_EnableOCSPChecking failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return EIO; + } + + if (cert_verify_opts->ocsp_default_responder != NULL + && cert_verify_opts->ocsp_default_responder_signing_cert != NULL) { + rv = CERT_SetOCSPDefaultResponder(handle, + cert_verify_opts->ocsp_default_responder, + cert_verify_opts->ocsp_default_responder_signing_cert); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "CERT_SetOCSPDefaultResponder failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return EIO; + } + + rv = CERT_EnableOCSPDefaultResponder(handle); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "CERT_EnableOCSPDefaultResponder failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return EIO; + } + } + } + + p11_ctx->handle = handle; + p11_ctx->cert_verify_opts = cert_verify_opts; + talloc_set_destructor(p11_ctx, talloc_free_handle); + + return EOK; +} + +bool do_verification(struct p11_ctx *p11_ctx, CERTCertificate *cert) +{ + SECStatus rv; + SECCertificateUsage returned_usage = 0; + + rv = CERT_VerifyCertificateNow(p11_ctx->handle, cert, PR_TRUE, + certificateUsageCheckAllUsages, + NULL, &returned_usage); + if (rv != SECSuccess || ((returned_usage & EXP_USAGES) == 0)) { + DEBUG(SSSDBG_OP_FAILURE, + "Certificate [%s][%s] not valid [%d][%s].\n", + cert->nickname, cert->subjectName, + PR_GetError(), PORT_ErrorToString(PR_GetError())); + return false; + } + + return true; +} + +bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64) +{ + int ret; + CERTCertificate *cert; + bool res; + + 
ret = b64_to_cert(p11_ctx, cert_b64, &cert); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n"); + return false; + } + + res = do_verification(p11_ctx, cert); + CERT_DestroyCertificate(cert); + + return res; +} + +errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + enum op_mode mode, const char *pin, + const char *module_name_in, const char *token_name_in, + const char *key_id_in, char **_multi) +{ + int ret; + SECStatus rv; + SECMODModuleList *mod_list; + SECMODModuleList *mod_list_item; + SECMODModule *module; + const char *slot_name; + const char *token_name; + PK11SlotInfo *slot = NULL; + CK_SLOT_ID slot_id; + SECMODModuleID module_id; + const char *module_name; + CERTCertList *cert_list = NULL; + CERTCertListNode *cert_list_node; + const PK11DefaultArrayEntry friendly_attr = { "Publicly-readable certs", + SECMOD_FRIENDLY_FLAG, + CKM_INVALID_MECHANISM }; + unsigned char random_value[128]; + SECKEYPrivateKey *priv_key; + SECOidTag algtag; + SECItem signed_random_value = {0}; + SECKEYPublicKey *pub_key; + CERTCertificate *found_cert = NULL; + PK11SlotList *list = NULL; + PK11SlotListElement *le; + const char *label; + char *key_id_str = NULL; + CERTCertList *valid_certs = NULL; + char *cert_b64 = NULL; + char *multi = NULL; + PRCList *node; + + PK11_SetPasswordFunc(password_passthrough); + + DEBUG(SSSDBG_TRACE_ALL, "Default Module List:\n"); + mod_list = SECMOD_GetDefaultModuleList(); + for (mod_list_item = mod_list; mod_list_item != NULL; + mod_list_item = mod_list_item->next) { + DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", + mod_list_item->module->commonName); + DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", + mod_list_item->module->dllName); + } + + DEBUG(SSSDBG_TRACE_ALL, "Dead Module List:\n"); + mod_list = SECMOD_GetDeadModuleList(); + for (mod_list_item = mod_list; mod_list_item != NULL; + mod_list_item = mod_list_item->next) { + DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", + 
mod_list_item->module->commonName); + DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", + mod_list_item->module->dllName); + } + + DEBUG(SSSDBG_TRACE_ALL, "DB Module List:\n"); + mod_list = SECMOD_GetDBModuleList(); + for (mod_list_item = mod_list; mod_list_item != NULL; + mod_list_item = mod_list_item->next) { + DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", + mod_list_item->module->commonName); + DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", + mod_list_item->module->dllName); + } + + list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, + NULL); + if (list == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "PK11_GetAllTokens failed.\n"); + ret = EIO; + goto done; + } + + for (le = list->head; le; le = le->next) { + CK_SLOT_INFO slInfo; + + slInfo.flags = 0; + rv = PK11_GetSlotInfo(le->slot, &slInfo); + DEBUG(SSSDBG_TRACE_ALL, + "Description [%s] Manufacturer [%s] flags [%lu].\n", + slInfo.slotDescription, slInfo.manufacturerID, slInfo.flags); + if (rv == SECSuccess && (slInfo.flags & CKF_REMOVABLE_DEVICE)) { + slot = PK11_ReferenceSlot(le->slot); + break; + } + } + PK11_FreeSlotList(list); + if (slot == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n"); + ret = EIO; + goto done; + } + + slot_id = PK11_GetSlotID(slot); + module_id = PK11_GetModuleID(slot); + slot_name = PK11_GetSlotName(slot); + token_name = PK11_GetTokenName(slot); + module = PK11_GetModule(slot); + module_name = module->dllName == NULL ? 
"NSS-Internal" : module->dllName; + + DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n", + token_name, slot_name, (int) slot_id, (int) module_id, module_name); + + if (PK11_IsFriendly(slot)) { + DEBUG(SSSDBG_TRACE_ALL, "Token is friendly.\n"); + } else { + DEBUG(SSSDBG_TRACE_ALL, + "Token is NOT friendly.\n"); + if (mode == OP_PREAUTH) { + DEBUG(SSSDBG_TRACE_ALL, "Trying to switch to friendly to read certificate.\n"); + rv = PK11_UpdateSlotAttribute(slot, &friendly_attr, PR_TRUE); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "PK11_UpdateSlotAttribute failed, continue.\n"); + } + } + } + + /* TODO: check PK11_ProtectedAuthenticationPath() and return the result */ + if (mode == OP_AUTH || PK11_NeedLogin(slot)) { + DEBUG(SSSDBG_TRACE_ALL, "Login required.\n"); + if (pin != NULL) { + rv = PK11_Authenticate(slot, PR_FALSE, discard_const(pin)); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, "PK11_Authenticate failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Login required but no PIN available, continue.\n"); + } + } else { + DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n"); + } + + cert_list = PK11_ListCertsInSlot(slot); + if (cert_list == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "PK11_ListCertsInSlot failed: [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + + for (cert_list_node = CERT_LIST_HEAD(cert_list); + !CERT_LIST_END(cert_list_node, cert_list); + cert_list_node = CERT_LIST_NEXT(cert_list_node)) { + if (cert_list_node->cert) { + DEBUG(SSSDBG_TRACE_ALL, "found cert[%s][%s]\n", + cert_list_node->cert->nickname, + cert_list_node->cert->subjectName); + } else { + DEBUG(SSSDBG_TRACE_ALL, "--- empty cert list node ---\n"); + } + } + + found_cert = NULL; + valid_certs = CERT_NewCertList(); + if (valid_certs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_NewCertList failed [%d][%s].\n", + 
PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "Filtered certificates:\n"); + for (cert_list_node = CERT_LIST_HEAD(cert_list); + !CERT_LIST_END(cert_list_node, cert_list); + cert_list_node = CERT_LIST_NEXT(cert_list_node)) { + if (cert_list_node->cert == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "--- empty cert list node ---\n"); + continue; + } + + DEBUG(SSSDBG_TRACE_ALL, + "found cert[%s][%s]\n", + cert_list_node->cert->nickname, + cert_list_node->cert->subjectName); + + if (p11_ctx->handle != NULL) { + if (!do_verification(p11_ctx, cert_list_node->cert)) { + DEBUG(SSSDBG_OP_FAILURE, + "Certificate [%s][%s] not valid, skipping.\n", + cert_list_node->cert->nickname, + cert_list_node->cert->subjectName); + continue; + } + } + + if (key_id_in != NULL) { + PORT_Free(key_id_str); + key_id_str = NULL; + key_id_str = get_key_id_str(slot, cert_list_node->cert); + } + /* Check if we found the certificates we needed for authentication or + * the requested ones for pre-auth. For authentication all attributes + * must be given and match, for pre-auth only the given ones must + * match. 
*/ + DEBUG(SSSDBG_TRACE_ALL, "%s %s %s %s %s %s.\n", + module_name_in, module_name, token_name_in, token_name, + key_id_in, key_id_str); + if ((mode == OP_AUTH + && module_name_in != NULL + && token_name_in != NULL + && key_id_in != NULL + && key_id_str != NULL + && strcmp(key_id_in, key_id_str) == 0 + && strcmp(token_name_in, token_name) == 0 + && strcmp(module_name_in, module_name) == 0) + || (mode == OP_PREAUTH + && (module_name_in == NULL + || (module_name_in != NULL + && strcmp(module_name_in, module_name) == 0)) + && (token_name_in == NULL + || (token_name_in != NULL + && strcmp(token_name_in, token_name) == 0)) + && (key_id_in == NULL + || (key_id_in != NULL && key_id_str != NULL + && strcmp(key_id_in, key_id_str) == 0)))) { + + rv = CERT_AddCertToListTail(valid_certs, cert_list_node->cert); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "CERT_AddCertToListTail failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + } + } + + if (CERT_LIST_EMPTY(valid_certs)) { + DEBUG(SSSDBG_TRACE_ALL, "No certificate found.\n"); + *_multi = NULL; + ret = EOK; + goto done; + } + + if (mode == OP_AUTH) { + cert_list_node = CERT_LIST_HEAD(valid_certs); + if (!CERT_LIST_END(CERT_LIST_NEXT(cert_list_node), valid_certs)) { + DEBUG(SSSDBG_FATAL_FAILURE, + "More than one certificate found for authentication, " + "aborting!\n"); + ret = EINVAL; + goto done; + } + + found_cert = cert_list_node->cert; + if (found_cert == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "No certificate found for authentication, aborting!\n"); + ret = EINVAL; + goto done; + } + + rv = PK11_GenerateRandom(random_value, sizeof(random_value)); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, + "PK11_GenerateRandom failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + + priv_key = PK11_FindPrivateKeyFromCert(slot, found_cert, NULL); + if (priv_key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + 
"PK11_FindPrivateKeyFromCert failed [%d][%s]." + "Maybe PIN is missing.\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + + algtag = SEC_GetSignatureAlgorithmOidTag(priv_key->keyType, + SEC_OID_SHA1); + if (algtag == SEC_OID_UNKNOWN) { + SECKEY_DestroyPrivateKey(priv_key); + DEBUG(SSSDBG_OP_FAILURE, + "SEC_GetSignatureAlgorithmOidTag failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + + rv = SEC_SignData(&signed_random_value, + random_value, sizeof(random_value), + priv_key, algtag); + SECKEY_DestroyPrivateKey(priv_key); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, "SEC_SignData failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + + pub_key = CERT_ExtractPublicKey(found_cert); + if (pub_key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "CERT_ExtractPublicKey failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EIO; + goto done; + } + + rv = VFY_VerifyData(random_value, sizeof(random_value), + pub_key, &signed_random_value, algtag, + NULL); + SECKEY_DestroyPublicKey(pub_key); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, "VFY_VerifyData failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = EACCES; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Certificate verified and validated.\n"); + } + + multi = talloc_strdup(mem_ctx, ""); + if (multi == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create output string.\n"); + ret = ENOMEM; + goto done; + } + + for (cert_list_node = CERT_LIST_HEAD(valid_certs); + !CERT_LIST_END(cert_list_node, valid_certs); + cert_list_node = CERT_LIST_NEXT(cert_list_node)) { + + found_cert = cert_list_node->cert; + + PORT_Free(key_id_str); + key_id_str = get_key_id_str(slot, found_cert); + if (key_id_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "get_key_id_str [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + ret = 
ENOMEM; + goto done; + } + + /* The NSS nickname is typically token_name:label, so the label starts + * after the ':'. */ + if (found_cert->nickname != NULL) { + if ((label = strchr(found_cert->nickname, ':')) == NULL) { + label = found_cert->nickname; + } else { + label++; + } + } else { + label = "- no label found -"; + } + talloc_free(cert_b64); + cert_b64 = sss_base64_encode(mem_ctx, found_cert->derCert.data, + found_cert->derCert.len); + if (cert_b64 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_encode failed.\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n", + key_id_str); + + multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n", + token_name, module_name, key_id_str, + label, cert_b64); + } + *_multi = multi; + + ret = EOK; + +done: + if (slot != NULL) { + PK11_FreeSlot(slot); + } + + if (valid_certs != NULL) { + /* The certificates can be found in valid_certs and cert_list and + * CERT_DestroyCertList() will free the certificates as well. To avoid + * a double free the nodes from valid_certs are removed first because + * valid_certs will only have a sub-set of the certificates. 
*/ + while (!PR_CLIST_IS_EMPTY(&valid_certs->list)) { + node = PR_LIST_HEAD(&valid_certs->list); + PR_REMOVE_LINK(node); + } + CERT_DestroyCertList(valid_certs); + } + + if (cert_list != NULL) { + CERT_DestroyCertList(cert_list); + } + + PORT_Free(key_id_str); + + PORT_Free(signed_random_value.data); + + talloc_free(cert_b64); + + return ret; +} + +static int talloc_nss_shutdown(struct p11_ctx *p11_ctx) +{ + SECStatus rv; + + rv = NSS_ShutdownContext(p11_ctx->nss_ctx); + if (rv != SECSuccess) { + DEBUG(SSSDBG_OP_FAILURE, "NSS_ShutdownContext failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + } + + return 0; +} + +errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *nss_db, + struct p11_ctx **p11_ctx) +{ + struct p11_ctx *ctx; + uint32_t flags = NSS_INIT_READONLY + | NSS_INIT_FORCEOPEN + | NSS_INIT_NOROOTINIT + | NSS_INIT_OPTIMIZESPACE + | NSS_INIT_PK11RELOAD; + NSSInitParameters parameters = { 0 }; + parameters.length = sizeof (parameters); + + ctx = talloc_zero(mem_ctx, struct p11_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + ctx->nss_db = nss_db; + + ctx->nss_ctx = NSS_InitContext(nss_db, "", "", SECMOD_DB, ¶meters, + flags); + if (ctx->nss_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "NSS_InitContext failed [%d][%s].\n", + PR_GetError(), PORT_ErrorToString(PR_GetError())); + talloc_free(p11_ctx); + return EIO; + } + + talloc_set_destructor(ctx, talloc_nss_shutdown); + + *p11_ctx = ctx; + + return EOK; +} diff --git a/src/p11_child/p11_child_openssl.c b/src/p11_child/p11_child_openssl.c new file mode 100644 index 0000000..be58726 --- /dev/null +++ b/src/p11_child/p11_child_openssl.c 
@@ -0,0 +1,771 @@ +/* + SSSD + + Helper child to commmunicate with SmartCard via OpenSSL + + Authors: + Sumit Bose + + Copyright (C) 2018 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/child_common.h" +#include "p11_child/p11_child.h" + +struct p11_ctx { + X509_STORE *x509_store; + const char *ca_db; +}; + +static int talloc_cleanup_openssl(struct p11_ctx *p11_ctx) +{ + CRYPTO_cleanup_all_ex_data(); + + return 0; +} +errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, + struct p11_ctx **p11_ctx) +{ + int ret; + struct p11_ctx *ctx; + + /* See https://wiki.openssl.org/index.php/Library_Initialization for + * details. 
*/ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ret = OPENSSL_init_ssl(0, NULL); +#else + ret = SSL_library_init(); +#endif + if (ret != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize OpenSSL.\n"); + return EIO; + } + + ctx = talloc_zero(mem_ctx, struct p11_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + ctx->ca_db = ca_db; + talloc_set_destructor(ctx, talloc_cleanup_openssl); + + *p11_ctx = ctx; + + return EOK; +} + +static int talloc_free_x509_store(struct p11_ctx *p11_ctx) +{ + X509_STORE_free(p11_ctx->x509_store); + + return 0; +} + +errno_t init_verification(struct p11_ctx *p11_ctx, + struct cert_verify_opts *cert_verify_opts) +{ + int ret; + X509_STORE *store = NULL; + unsigned long err; + X509_LOOKUP *lookup = NULL; + + store = X509_STORE_new(); + if (store == NULL) { + err = ERR_get_error(); + DEBUG(SSSDBG_OP_FAILURE, "X509_STORE_new failed [%lu][%s].\n", + err, ERR_error_string(err, NULL)); + return ENOMEM; + } + + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) { + err = ERR_get_error(); + DEBUG(SSSDBG_OP_FAILURE, "X509_LOOKUP_file failed [%lu][%s].\n", + err, ERR_error_string(err, NULL)); + ret = EIO; + goto done; + } + + if (!X509_LOOKUP_load_file(lookup, p11_ctx->ca_db, X509_FILETYPE_PEM)) { + err = ERR_get_error(); + DEBUG(SSSDBG_OP_FAILURE, "X509_LOOKUP_load_file failed [%lu][%s].\n", + err, ERR_error_string(err, NULL)); + ret = EIO; + goto done; + } + + p11_ctx->x509_store = store; + talloc_set_destructor(p11_ctx, talloc_free_x509_store); + + ret = EOK; + +done: + if (ret != EOK) { + X509_STORE_free(store); + X509_LOOKUP_free(lookup); + } + + return ret; +} + +static int b64_to_cert(const char *b64, X509 **cert) +{ + X509 *x509; + unsigned char *der = NULL; + const unsigned char *d; + size_t der_size; + + der = sss_base64_decode(NULL, b64, &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + return ENOMEM; + } + 
+ d = (const unsigned char *) der; + x509 = d2i_X509(NULL, &d, (int) der_size); + talloc_free(der); + if (x509 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n"); + return EINVAL; + } + + *cert = x509; + + return 0; +} + +bool do_verification(struct p11_ctx *p11_ctx, X509 *cert) +{ + bool res = false; + int ret; + X509_STORE_CTX *ctx = NULL; + unsigned long err; + + ctx = X509_STORE_CTX_new(); + if (ctx == NULL) { + err = ERR_get_error(); + DEBUG(SSSDBG_OP_FAILURE, "X509_STORE_CTX_new failed [%lu][%s].\n", + err, ERR_error_string(err, NULL)); + return false; + } + + if (!X509_STORE_CTX_init(ctx, p11_ctx->x509_store, cert, NULL)) { + err = ERR_get_error(); + DEBUG(SSSDBG_OP_FAILURE, "X509_STORE_CTX_init failed [%lu][%s].\n", + err, ERR_error_string(err, NULL)); + goto done; + } + + ret = X509_verify_cert(ctx); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "X509_verify_cert failed [%d].\n", ret); + ret = X509_STORE_CTX_get_error(ctx); + DEBUG(SSSDBG_OP_FAILURE, "X509_verify_cert failed [%d][%s].\n", + ret, X509_verify_cert_error_string(ret)); + ret = EINVAL; + goto done; + } + + res = true; + +done: + X509_STORE_CTX_free(ctx); + + return res; +} + +bool do_verification_b64(struct p11_ctx *p11_ctx, const char *cert_b64) +{ + int ret; + X509 *cert; + bool res; + + ret = b64_to_cert(cert_b64, &cert); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to convert certificate.\n"); + return false; + } + + res = do_verification(p11_ctx, cert); + X509_free(cert); + + return res; +} + +#define ATTR_ID 0 +#define ATTR_LABEL 1 +#define ATTR_CERT 2 + +struct cert_list { + struct cert_list *prev; + struct cert_list *next; + CK_ATTRIBUTE attributes[3]; + char *id; + char *label; + X509 *cert; + char *subject_dn; + char *cert_b64; + CK_KEY_TYPE key_type; + CK_OBJECT_HANDLE private_key; +}; + +static int free_x509_cert(struct cert_list *item) +{ + X509_free(item->cert); + return 0; +} + +static int read_certs(TALLOC_CTX *mem_ctx, CK_FUNCTION_LIST *module, + 
CK_SESSION_HANDLE session, struct p11_ctx *p11_ctx, + struct cert_list **cert_list) +{ + int ret; + size_t c; + CK_RV rv; + struct cert_list *list = NULL; + struct cert_list *item; + X509_NAME *tmp_name; + char *tmp_name_str; + + CK_OBJECT_CLASS cert_class = CKO_CERTIFICATE; + CK_CERTIFICATE_TYPE cert_type = CKC_X_509; + CK_ATTRIBUTE cert_find_template[] = { + {CKA_CLASS, &cert_class, sizeof(CK_OBJECT_CLASS)} , + {CKA_CERTIFICATE_TYPE, &cert_type, sizeof(CK_CERTIFICATE_TYPE)} + }; + + CK_ULONG obj_count; + CK_OBJECT_HANDLE obj; + + rv = module->C_FindObjectsInit(session, cert_find_template, 2); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE ,"C_FindObjectsInit failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + return EIO; + } + + do { + rv = module->C_FindObjects(session, &obj, 1, &obj_count); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE ,"C_FindObject failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + ret = EIO; + goto done; + } + + if (obj_count != 0) { + item = talloc_zero(mem_ctx, struct cert_list); + if (item == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + item->attributes[0].type = CKA_ID; + item->attributes[1].type = CKA_LABEL; + item->attributes[2].type = CKA_VALUE; + + rv = module->C_GetAttributeValue(session, obj, item->attributes, 3); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, + "C_GetAttributeValue failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + ret = EIO; + goto done; + } + + if (item->attributes[0].ulValueLen == -1 + || item->attributes[1].ulValueLen == -1 + || item->attributes[2].ulValueLen == -1) { + DEBUG(SSSDBG_OP_FAILURE, + "One of the needed attributes cannot be read.\n"); + ret = EIO; + goto done; + } + + item->attributes[0].pValue = talloc_size(item, + item->attributes[0].ulValueLen); + item->attributes[1].pValue = talloc_size(item, + item->attributes[1].ulValueLen); + item->attributes[2].pValue = talloc_size(item, + item->attributes[2].ulValueLen); + if 
(item->attributes[0].pValue == NULL + || item->attributes[1].pValue == NULL + || item->attributes[2].pValue == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + ret = ENOMEM; + goto done; + } + + rv = module->C_GetAttributeValue(session, obj, item->attributes, 3); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, + "C_GetAttributeValue failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + ret = EIO; + goto done; + } + + item->label = talloc_strndup(item, item->attributes[1].pValue, + item->attributes[1].ulValueLen); + if (item->label == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + + item->id = talloc_zero_size(item, 2 * item->attributes[0].ulValueLen + 1); + if (item->id == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + + for (c = 0; c < item->attributes[0].ulValueLen; c++) { + ret = snprintf(item->id + 2*c, 3, "%02X", + ((uint8_t *)item->attributes[0].pValue)[c]); + if (ret != 2) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); + ret = EIO; + goto done; + } + } + + item->cert_b64 = sss_base64_encode(item, + item->attributes[2].pValue, + item->attributes[2].ulValueLen); + if (item->cert_b64 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_encode failed.\n"); + ret = ENOMEM; + goto done; + } + + /* It looks like d2i_X509 modifies the given binary data, so do + * not use item->attributes[2].pValue after this call. 
*/ + item->cert = d2i_X509(NULL, + (const unsigned char **)&item->attributes[2].pValue, + item->attributes[2].ulValueLen); + if (item->cert == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n"); + ret = EINVAL; + goto done; + } + talloc_set_destructor(item, free_x509_cert); + + tmp_name = X509_get_subject_name(item->cert); + tmp_name_str = X509_NAME_oneline(tmp_name, NULL, 0); + + item->subject_dn = talloc_strdup(item, tmp_name_str); + OPENSSL_free(tmp_name_str); + if (item->subject_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "found cert[%s][%s]\n", + item->label, item->subject_dn); + + if (p11_ctx->x509_store == NULL + || do_verification(p11_ctx, item->cert)) { + DLIST_ADD(list, item); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Certificate [%s][%s] not valid, skipping.\n", + item->label, + item->subject_dn); + talloc_free(item); + } + } + } while (obj_count != 0); + + *cert_list = list; + + ret = EOK; + +done: + rv = module->C_FindObjectsFinal(session); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE ,"C_FindObject failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + ret = EIO; + } + + return ret; +} + +static int sign_data(CK_FUNCTION_LIST *module, CK_SESSION_HANDLE session, + struct cert_list *cert) +{ + CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY; + CK_BBOOL key_sign = CK_TRUE; + CK_ATTRIBUTE key_template[] = { + {CKA_CLASS, &key_class, sizeof(key_class)}, + {CKA_SIGN, &key_sign, sizeof(key_sign)}, + {CKA_ID, NULL, 0} + }; + CK_MECHANISM mechanism = { CKM_SHA1_RSA_PKCS, NULL, 0 }; + CK_OBJECT_HANDLE priv_key_object; + CK_ULONG object_count; + CK_BYTE random_value[128]; + CK_BYTE *signature = NULL; + CK_ULONG signature_size = 0; + CK_RV rv; + CK_RV rv_f; + EVP_PKEY *cert_pub_key = NULL; + EVP_MD_CTX *md_ctx; + int ret; + + key_template[2].pValue = cert->attributes[ATTR_ID].pValue; + key_template[2].ulValueLen = cert->attributes[ATTR_ID].ulValueLen; + + rv = 
module->C_FindObjectsInit(session, key_template, 3); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE ,"C_FindObjectsInit failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + return EIO; + } + + rv = module->C_FindObjects(session, &priv_key_object, 1, &object_count); + rv_f = module->C_FindObjectsFinal(session); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE ,"C_FindObject failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + return EIO; + } + if (rv_f != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE ,"C_FindObjectsFinal failed [%lu][%s].\n", + rv_f, p11_kit_strerror(rv_f)); + return EIO; + } + + if (object_count == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "No private key found.\n"); + return EINVAL; + } + + rv = module->C_SignInit(session, &mechanism, priv_key_object); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_SignInit failed [%lu][%s].", + rv, p11_kit_strerror(rv)); + return EIO; + } + + ret = RAND_bytes(random_value, sizeof(random_value)); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "RAND_bytes failed.\n"); + return EINVAL; + } + + rv = module->C_Sign(session, random_value, sizeof(random_value), NULL, + &signature_size); + if (rv != CKR_OK || signature_size == 0) { + DEBUG(SSSDBG_OP_FAILURE, "C_Sign failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + return EIO; + } + + signature = talloc_size(cert, signature_size); + if (signature == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + rv = module->C_Sign(session, random_value, sizeof(random_value), signature, + &signature_size); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_Sign failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + return EIO; + } + + cert_pub_key = X509_get_pubkey(cert->cert); + if (cert_pub_key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "X509_get_pubkey failed.\n"); + ret = EIO; + goto done; + } + + md_ctx = EVP_MD_CTX_create(); + if (md_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "EVP_MD_CTX_create failed.\n"); + ret = ENOMEM; + goto done; + } + ret = 
EVP_VerifyInit(md_ctx, EVP_sha1()); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "EVP_VerifyInit failed.\n"); + ret = EINVAL; + goto done; + } + + ret = EVP_VerifyUpdate(md_ctx, random_value, sizeof(random_value)); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "EVP_VerifyUpdate failed.\n"); + ret = EINVAL; + goto done; + } + + ret = EVP_VerifyFinal(md_ctx, signature, signature_size, cert_pub_key); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "EVP_VerifyFinal failed.\n"); + ret = EINVAL; + goto done; + } + + ret = EOK; + +done: + talloc_free(signature); + EVP_PKEY_free(cert_pub_key); + + return ret; +} + +#define MAX_SLOTS 64 + +errno_t do_card(TALLOC_CTX *mem_ctx, struct p11_ctx *p11_ctx, + enum op_mode mode, const char *pin, + const char *module_name_in, const char *token_name_in, + const char *key_id_in, char **_multi) +{ + int ret; + size_t c; + size_t s; + CK_FUNCTION_LIST **modules; + CK_FUNCTION_LIST *module = NULL; + char *mod_name; + char *mod_file_name; + CK_ULONG num_slots; + CK_SLOT_ID slots[MAX_SLOTS]; + CK_SLOT_ID slot_id; + CK_SLOT_INFO info; + CK_TOKEN_INFO token_info; + CK_RV rv; + size_t module_id; + char *module_file_name = NULL; + char *slot_name = NULL; + char *token_name = NULL; + CK_SESSION_HANDLE session = 0; + struct cert_list *cert_list = NULL; + struct cert_list *item = NULL; + char *multi = NULL; + bool pkcs11_session = false; + bool pkcs11_login = false; + + /* Maybe use P11_KIT_MODULE_TRUSTED ? 
*/ + modules = p11_kit_modules_load_and_initialize(0); + if (modules == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "p11_kit_modules_load_and_initialize failed.\n"); + return EIO; + } + + DEBUG(SSSDBG_TRACE_ALL, "Module List:\n"); + for (c = 0; modules[c] != NULL; c++) { + mod_name = p11_kit_module_get_name(modules[c]); + mod_file_name = p11_kit_module_get_filename(modules[c]); + DEBUG(SSSDBG_TRACE_ALL, "common name: [%s].\n", mod_name); + DEBUG(SSSDBG_TRACE_ALL, "dll name: [%s].\n", mod_file_name); + free(mod_name); + free(mod_file_name); + + num_slots = MAX_SLOTS; + rv = modules[c]->C_GetSlotList(CK_TRUE, slots, &num_slots); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotList failed.\n"); + ret = EIO; + goto done; + } + + for (s = 0; s < num_slots; s++) { + rv = modules[c]->C_GetSlotInfo(slots[s], &info); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_GetSlotInfo failed\n"); + ret = EIO; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, + "Description [%s] Manufacturer [%s] flags [%lu] removable [%s].\n", + info.slotDescription, info.manufacturerID, info.flags, + (info.flags & CKF_REMOVABLE_DEVICE) ? 
"true": "false"); + if ((info.flags & CKF_REMOVABLE_DEVICE)) { + break; + } + } + if (s != num_slots) { + break; + } + } + + if (modules[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "No removable slots found.\n"); + ret = EIO; + goto done; + } + + rv = modules[c]->C_GetTokenInfo(slots[s], &token_info); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_GetTokenInfo failed.\n"); + ret = EIO; + goto done; + } + + slot_id = slots[s]; + module_id = c; + slot_name = p11_kit_space_strdup(info.slotDescription, + sizeof(info.slotDescription)); + if (slot_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "p11_kit_space_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + token_name = p11_kit_space_strdup(token_info.label, + sizeof(token_info.label)); + if (token_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "p11_kit_space_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + module = modules[c]; + module_file_name = p11_kit_module_get_filename(module); + + DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in slot [%s][%d] of module [%d][%s].\n", + token_name, slot_name, (int) slot_id, (int) module_id, + module_file_name); + + rv = module->C_OpenSession(slot_id, CKF_SERIAL_SESSION, NULL, NULL, + &session); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_OpenSession failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + ret = EIO; + goto done; + } + pkcs11_session = true; + + /* login: do we need to check for Login Required? 
*/ + if (mode == OP_AUTH) { + DEBUG(SSSDBG_TRACE_ALL, "Login required.\n"); + if (pin != NULL) { + rv = module->C_Login(session, CKU_USER, discard_const(pin), + strlen(pin)); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_Login failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + ret = EIO; + goto done; + } + pkcs11_login = true; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Login required but no PIN available, continue.\n"); + } + } else { + DEBUG(SSSDBG_TRACE_ALL, "Login NOT required.\n"); + } + + ret = read_certs(mem_ctx, module, session, p11_ctx, &cert_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "read_certs failed.\n"); + goto done; + } + + /* TODO: check module_name_in, token_name_in, key_id_in */ + + if (cert_list == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No certificate found.\n"); + *_multi = NULL; + ret = EOK; + goto done; + } + + if (mode == OP_AUTH) { + if (cert_list->next != NULL || cert_list->prev != NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "More than one certificate found for authentication, " + "aborting!\n"); + ret = EINVAL; + goto done; + } + + ret = sign_data(module, session, cert_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sign_data failed.\n"); + ret = EACCES; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Certificate verified and validated.\n"); + } + + multi = talloc_strdup(mem_ctx, ""); + if (multi == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create output string.\n"); + ret = ENOMEM; + goto done; + } + + DLIST_FOR_EACH(item, cert_list) { + DEBUG(SSSDBG_TRACE_ALL, "Found certificate has key id [%s].\n", + item->id); + + multi = talloc_asprintf_append(multi, "%s\n%s\n%s\n%s\n%s\n", + token_name, module_file_name, item->id, + item->label, item->cert_b64); + } + + *_multi = multi; + + ret = EOK; +done: + if (module != NULL) { + if (pkcs11_login) { + rv = module->C_Logout(session); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_Logout failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + } + } + if (pkcs11_session) { + 
rv = module->C_CloseSession(session); + if (rv != CKR_OK) { + DEBUG(SSSDBG_OP_FAILURE, "C_CloseSession failed [%lu][%s].\n", + rv, p11_kit_strerror(rv)); + } + } + } + free(slot_name); + free(token_name); + free(module_file_name); + p11_kit_modules_finalize_and_release(modules); + + return ret; +} diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c new file mode 100644 index 0000000..a64a5b0 --- /dev/null +++ b/src/providers/ad/ad_access.c 
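Review bot: In `init_verification` the `done:` error path calls `X509_STORE_free(store)` and then `X509_LOOKUP_free(lookup)`, which frees the lookup twice. A lookup returned by `X509_STORE_add_lookup()` belongs to the store and is released with it, so a failing `X509_LOOKUP_load_file()` (for example an unreadable `ca_db` file) triggers the double free. Dropping the second call is enough: `if (ret != EOK) { X509_STORE_free(store); }`. Separately, `sign_data` never releases `md_ctx`; initialise it with `EVP_MD_CTX *md_ctx = NULL;` and add `EVP_MD_CTX_destroy(md_ctx);` under `done:`. The `return EIO` after the second `C_Sign` call should become `ret = EIO; goto done;` so that `signature` is freed as well.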
@@ -0,0 +1,548 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "src/util/util.h" +#include "src/providers/data_provider.h" +#include "src/providers/backend.h" +#include "src/providers/ad/ad_access.h" +#include "providers/ad/ad_gpo.h" +#include "src/providers/ad/ad_common.h" +#include "src/providers/ldap/sdap_access.h" + +/* + * More advanced format can be used to restrict the filter to a specific + * domain or a specific forest. This format is KEYWORD:NAME:FILTER + * + * KEYWORD can be one of DOM or FOREST + * KEYWORD can be missing + * NAME is a label. + * - if KEYWORD equals DOM or missing completely, the filter is applied + * for users from domain named NAME only + * - if KEYWORD equals FOREST, the filter is applied on users from + * forest named NAME only + * examples of valid filters are: + * apply filter on domain called dom1 only: + * dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com) + * apply filter on domain called dom2 only: + * DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com) + * apply filter on forest called EXAMPLE.COM only: + * FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + * + * If any of the extended formats are used, the filter MUST be enclosed + * already. 
+ */ + +/* From least specific */ +#define AD_FILTER_GENERIC 0x01 +#define AD_FILTER_FOREST 0x02 +#define AD_FILTER_DOMAIN 0x04 + +#define KW_FOREST "FOREST" +#define KW_DOMAIN "DOM" + +/* parse filter in the format domain_name:filter */ +static errno_t +parse_sub_filter(TALLOC_CTX *mem_ctx, const char *full_filter, + char **filter, char **sub_name, int *flags, + const int flagconst) +{ + char *specdelim; + + specdelim = strchr(full_filter, ':'); + if (specdelim == NULL) return EINVAL; + + /* Make sure the filter is already enclosed in brackets */ + if (*(specdelim+1) != '(') return EINVAL; + + *sub_name = talloc_strndup(mem_ctx, full_filter, specdelim - full_filter); + *filter = talloc_strdup(mem_ctx, specdelim+1); + if (*sub_name == NULL || *filter == NULL) return ENOMEM; + + *flags = flagconst; + return EOK; +} + +static inline errno_t +parse_dom_filter(TALLOC_CTX *mem_ctx, const char *dom_filter, + char **filter, char **domname, int *flags) +{ + return parse_sub_filter(mem_ctx, dom_filter, filter, domname, + flags, AD_FILTER_DOMAIN); +} + +static inline errno_t +parse_forest_filter(TALLOC_CTX *mem_ctx, const char *forest_filter, + char **filter, char **forest_name, int *flags) +{ + return parse_sub_filter(mem_ctx, forest_filter, filter, forest_name, + flags, AD_FILTER_FOREST); +} + + +static errno_t +parse_filter(TALLOC_CTX *mem_ctx, const char *full_filter, + char **filter, char **spec, int *flags) +{ + char *kwdelim, *specdelim; + + if (filter == NULL || spec == NULL || flags == NULL) return EINVAL; + + kwdelim = strchr(full_filter, ':'); + if (kwdelim != NULL) { + specdelim = strchr(kwdelim+1, ':'); + + if (specdelim == NULL) { + /* There is a single keyword. 
Treat it as a domain name */ + return parse_dom_filter(mem_ctx, full_filter, filter, spec, flags); + } else if (strncmp(full_filter, "DOM", kwdelim-full_filter) == 0) { + /* The format must be DOM:domain_name:filter */ + if (specdelim && specdelim-kwdelim <= 1) { + /* Check if there is some domain_name */ + return EINVAL; + } + + return parse_dom_filter(mem_ctx, kwdelim + 1, filter, spec, flags); + } else if (strncmp(full_filter, "FOREST", kwdelim-full_filter) == 0) { + /* The format must be FOREST:forest_name:filter */ + if (specdelim && specdelim-kwdelim <= 1) { + /* Check if there is some domain_name */ + return EINVAL; + } + + return parse_forest_filter(mem_ctx, kwdelim + 1, + filter, spec, flags); + } + + /* Malformed option */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Keyword in filter [%s] did not match expected format\n", + full_filter); + return EINVAL; + } + + /* No keyword. Easy. */ + *filter = talloc_strdup(mem_ctx, full_filter); + if (*filter == NULL) return ENOMEM; + + *spec = NULL; + *flags = AD_FILTER_GENERIC; + return EOK; +} + +static errno_t +ad_parse_access_filter(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + const char *filter_list, + char **_filter) +{ + char **filters; + int nfilters; + errno_t ret; + char *best_match; + int best_flags; + char *filter; + char *spec; + int flags; + TALLOC_CTX *tmp_ctx; + int i = 0; + + if (_filter == NULL) return EINVAL; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + if (filter_list == NULL) { + *_filter = NULL; + ret = EOK; + goto done; + } + + ret = split_on_separator(tmp_ctx, filter_list, '?', true, true, + &filters, &nfilters); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse the list of ad_access_filters\n"); + goto done; + } + + best_match = NULL; + best_flags = 0; + for (i=0; i < nfilters; i++) { + ret = parse_filter(tmp_ctx, filters[i], &filter, &spec, &flags); + if (ret != EOK) { + /* Skip the faulty filter. 
At worst, the user won't be + * allowed access */ + DEBUG(SSSDBG_MINOR_FAILURE, "Access filter [%s] could not be " + "parsed, skipping\n", filters[i]); + continue; + } + + if (flags & AD_FILTER_DOMAIN && strcasecmp(spec, dom->name) != 0) { + /* If the filter specifies a domain, it must match the + * domain the user comes from + */ + continue; + } + + if (flags & AD_FILTER_FOREST && strcasecmp(spec, dom->forest) != 0) { + /* If the filter specifies a forest, it must match the + * forest the user comes from + */ + continue; + } + + if (flags > best_flags) { + best_flags = flags; + best_match = filter; + } + } + + ret = EOK; + /* Make sure the result is enclosed in brackets */ + *_filter = sdap_get_access_filter(mem_ctx, best_match); +done: + talloc_free(tmp_ctx); + return ret; +} + +struct ad_access_state { + struct tevent_context *ev; + struct ad_access_ctx *ctx; + struct pam_data *pd; + struct be_ctx *be_ctx; + struct sss_domain_info *domain; + + char *filter; + struct sdap_id_conn_ctx **clist; + int cindex; +}; + +static errno_t +ad_sdap_access_step(struct tevent_req *req, struct sdap_id_conn_ctx *conn); +static void +ad_sdap_access_done(struct tevent_req *req); + +static struct tevent_req * +ad_access_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + struct ad_access_ctx *ctx, + struct pam_data *pd) +{ + struct tevent_req *req; + struct ad_access_state *state; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ad_access_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->ctx = ctx; + state->pd = pd; + state->be_ctx = be_ctx; + state->domain = domain; + + ret = ad_parse_access_filter(state, domain, ctx->sdap_access_ctx->filter, + &state->filter); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not determine the best filter\n"); + ret = ERR_ACCESS_DENIED; + goto done; + } + + state->clist = ad_gc_conn_list(state, ctx->ad_id_ctx, domain); + if 
(state->clist == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ad_sdap_access_step(req, state->clist[state->cindex]); + if (ret != EOK) { + goto done; + } + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + + tevent_req_post(req, ev); + } + return req; +} + +static errno_t +ad_sdap_access_step(struct tevent_req *req, struct sdap_id_conn_ctx *conn) +{ + struct tevent_req *subreq; + struct ad_access_state *state; + struct sdap_access_ctx *req_ctx; + + state = tevent_req_data(req, struct ad_access_state); + + req_ctx = talloc(state, struct sdap_access_ctx); + if (req_ctx == NULL) { + return ENOMEM; + } + req_ctx->id_ctx = state->ctx->sdap_access_ctx->id_ctx; + req_ctx->filter = state->filter; + memcpy(&req_ctx->access_rule, + state->ctx->sdap_access_ctx->access_rule, + sizeof(int) * LDAP_ACCESS_LAST); + + subreq = sdap_access_send(state, state->ev, state->be_ctx, + state->domain, req_ctx, + conn, state->pd); + if (req == NULL) { + talloc_free(req_ctx); + return ENOMEM; + } + tevent_req_set_callback(subreq, ad_sdap_access_done, req); + return EOK; +} + +static void +ad_gpo_access_done(struct tevent_req *subreq); + +static void +ad_sdap_access_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ad_access_state *state; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_access_state); + + ret = sdap_access_recv(subreq); + talloc_zfree(subreq); + + if (ret != EOK) { + switch (ret) { + case ERR_ACCOUNT_EXPIRED: + tevent_req_error(req, ret); + return; + + case ERR_ACCESS_DENIED: + /* Retry on ACCESS_DENIED, too, to make sure that we don't + * miss out any attributes not present in GC + * FIXME - this is slow. 
We should retry only if GC failed + * and LDAP succeeded after the first ACCESS_DENIED + */ + break; + + default: + break; + } + + /* If possible, retry with LDAP */ + state->cindex++; + if (state->clist[state->cindex] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Error retrieving access check result: %s\n", + sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + ret = ad_sdap_access_step(req, state->clist[state->cindex]); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* Another check in progress */ + + return; + } + + switch (state->ctx->gpo_access_control_mode) { + case GPO_ACCESS_CONTROL_DISABLED: + /* do not evaluate gpos; mark request done */ + tevent_req_done(req); + return; + case GPO_ACCESS_CONTROL_PERMISSIVE: + case GPO_ACCESS_CONTROL_ENFORCING: + /* continue on to evaluate gpos */ + break; + default: + tevent_req_error(req, EINVAL); + return; + } + + subreq = ad_gpo_access_send(state, + state->be_ctx->ev, + state->domain, + state->ctx, + state->pd->user, + state->pd->service); + + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ad_gpo_access_done, req); + +} + +static void +ad_gpo_access_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ad_access_state *state; + errno_t ret; + enum gpo_access_control_mode mode; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_access_state); + mode = state->ctx->gpo_access_control_mode; + + ret = ad_gpo_access_recv(subreq); + talloc_zfree(subreq); + + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "GPO-based access control successful.\n"); + tevent_req_done(req); + } else { + DEBUG(SSSDBG_OP_FAILURE, "GPO-based access control failed.\n"); + if (mode == GPO_ACCESS_CONTROL_ENFORCING) { + tevent_req_error(req, ret); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Ignoring error: [%d](%s); GPO-based access control failed, " + "but GPO is not in enforcing mode.\n", + ret, 
sss_strerror(ret)); + sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " + "have been denied GPO-based logon access if the " + "ad_gpo_access_control option were set to enforcing mode."); + tevent_req_done(req); + } + } +} + +static errno_t +ad_access_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct ad_pam_access_handler_state { + struct pam_data *pd; +}; + +static void ad_pam_access_handler_done(struct tevent_req *subreq); + +struct tevent_req * +ad_pam_access_handler_send(TALLOC_CTX *mem_ctx, + struct ad_access_ctx *access_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct ad_pam_access_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct ad_pam_access_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + + subreq = ad_access_send(state, params->ev, params->be_ctx, + params->domain, access_ctx, pd); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, ad_pam_access_handler_done, req); + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ad_pam_access_handler_done(struct tevent_req *subreq) +{ + struct ad_pam_access_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_pam_access_handler_state); + + ret = ad_access_recv(subreq); + talloc_free(subreq); + switch (ret) { + case EOK: + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_ACCESS_DENIED: + state->pd->pam_status = PAM_PERM_DENIED; + break; + case ERR_ACCOUNT_EXPIRED: + state->pd->pam_status = PAM_ACCT_EXPIRED; + break; + default: + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + } + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +ad_pam_access_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct ad_pam_access_handler_state *state = NULL; + + state = tevent_req_data(req, struct ad_pam_access_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/ad/ad_access.h b/src/providers/ad/ad_access.h new file mode 100644 index 0000000..34d5597 --- /dev/null +++ b/src/providers/ad/ad_access.h 
@@ -0,0 +1,65 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef AD_ACCESS_H_
+#define AD_ACCESS_H_
+
+#include "providers/data_provider.h"
+
+struct ad_access_ctx {
+ struct dp_option *ad_options;
+ struct sdap_access_ctx *sdap_access_ctx;
+ struct ad_id_ctx *ad_id_ctx;
+ /* supported GPO access control modes */
+ enum gpo_access_control_mode {
+ GPO_ACCESS_CONTROL_DISABLED,
+ GPO_ACCESS_CONTROL_PERMISSIVE,
+ GPO_ACCESS_CONTROL_ENFORCING
+ } gpo_access_control_mode;
+ int gpo_cache_timeout;
+ /* supported GPO map options */
+ enum gpo_map_type {
+ GPO_MAP_INTERACTIVE = 0,
+ GPO_MAP_REMOTE_INTERACTIVE,
+ GPO_MAP_NETWORK,
+ GPO_MAP_BATCH,
+ GPO_MAP_SERVICE,
+ GPO_MAP_PERMIT,
+ GPO_MAP_DENY,
+ GPO_MAP_NUM_OPTS
+ } gpo_map_type;
+ hash_table_t *gpo_map_options_table;
+ enum gpo_map_type gpo_default_right;
+};
+
+struct tevent_req *
+ad_pam_access_handler_send(TALLOC_CTX *mem_ctx,
+ struct ad_access_ctx *access_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+ad_pam_access_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+#endif /* AD_ACCESS_H_ */
diff --git a/src/providers/ad/ad_autofs.c b/src/providers/ad/ad_autofs.c
new file mode 100644
index 0000000..c1d7219
--- /dev/null
+++ b/src/providers/ad/ad_autofs.c
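Review bot: In src/providers/ad/ad_access.h, `GPO_ACCESS_CONTROL_DISABLED` is the first enumerator of `enum gpo_access_control_mode` and therefore has the value 0, which is also the mode for which `ad_sdap_access_done` in ad_access.c completes the request without evaluating any GPO. If an `ad_access_ctx` is ever zero-allocated and the mode is not assigned afterwards (the allocation site is not visible here, so this is an assumption to confirm), GPO-based access control would be skipped silently. At minimum the field deserves a comment such as `/* DISABLED == 0: must be set explicitly from ad_gpo_access_control; a zeroed ctx skips GPO checks */`; a stricter alternative is to reserve 0 for an invalid value so the `default:` branch of that switch rejects an uninitialised context with `EINVAL`.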
@@ -0,0 +1,50 @@
+/*
+ SSSD
+
+ AD autofs Provider Initialization functions
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ad/ad_common.h"
+#include "providers/ldap/sdap_autofs.h"
+
+errno_t ad_autofs_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing autofs AD back end\n");
+
+ ret = sdap_autofs_init(mem_ctx, be_ctx, id_ctx->sdap_id_ctx, dp_methods);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = ad_get_autofs_options(id_ctx->ad_options, be_ctx->cdb,
+ be_ctx->conf_path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD autofs [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/ad/ad_common.c b/src/providers/ad/ad_common.c
new file mode 100644
index 0000000..6d395cf
--- /dev/null
+++ b/src/providers/ad/ad_common.c
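Review bot: Both failure paths in `ad_autofs_init` log the identical text `"Cannot initialize AD autofs [%d]: %s\n"`, so the log cannot tell whether `sdap_autofs_init` or `ad_get_autofs_options` failed. The second message should name the step that failed, for example `DEBUG(SSSDBG_OP_FAILURE, "Cannot read AD autofs options [%d]: %s\n",`. As a smaller style point, `ret` is declared `int` while the function returns `errno_t`; `errno_t ret;` would match the other AD provider functions in this patch.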
@@ -0,0 +1,1446 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include + +#include "providers/ad/ad_common.h" +#include "providers/ad/ad_opts.h" +#include "providers/be_dyndns.h" + +struct ad_server_data { + bool gc; +}; + +errno_t ad_set_search_bases(struct sdap_options *id_opts, + struct sdap_domain *sdap); +static errno_t ad_set_sdap_options(struct ad_options *ad_opts, + struct sdap_options *id_opts); + +static struct sdap_options * +ad_create_default_sdap_options(TALLOC_CTX *mem_ctx, + struct data_provider *dp) +{ + struct sdap_options *id_opts; + errno_t ret; + + id_opts = talloc_zero(mem_ctx, struct sdap_options); + if (!id_opts) { + return NULL; + } + id_opts->dp = dp; + + ret = dp_copy_defaults(id_opts, + ad_def_ldap_opts, + SDAP_OPTS_BASIC, + &id_opts->basic); + if (ret != EOK) { + goto fail; + } + + /* Get sdap option maps */ + + /* General Attribute Map */ + ret = sdap_copy_map(id_opts, + ad_2008r2_attr_map, + SDAP_AT_GENERAL, + &id_opts->gen_map); + if (ret != EOK) { + goto fail; + } + + /* User map */ + ret = sdap_copy_map(id_opts, + ad_2008r2_user_map, + SDAP_OPTS_USER, + &id_opts->user_map); + if (ret != EOK) { + goto fail; + } + id_opts->user_map_cnt = SDAP_OPTS_USER; + + /* Group map */ + ret = sdap_copy_map(id_opts, + ad_2008r2_group_map, + SDAP_OPTS_GROUP, + &id_opts->group_map); + if (ret != EOK) { + goto fail; + } + 
+ /* Netgroup map */ + ret = sdap_copy_map(id_opts, + ad_netgroup_map, + SDAP_OPTS_NETGROUP, + &id_opts->netgroup_map); + if (ret != EOK) { + goto fail; + } + + /* Services map */ + ret = sdap_copy_map(id_opts, + ad_service_map, + SDAP_OPTS_SERVICES, + &id_opts->service_map); + if (ret != EOK) { + goto fail; + } + + return id_opts; + +fail: + talloc_free(id_opts); + return NULL; +} + +static errno_t +ad_create_sdap_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sdap_options **_id_opts) +{ + struct sdap_options *id_opts; + errno_t ret = EOK; + + if (cdb == NULL || conf_path == NULL) { + /* Fallback to defaults if there is no confdb */ + id_opts = ad_create_default_sdap_options(mem_ctx, dp); + if (id_opts == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to initialize default sdap options\n"); + ret = EIO; + } + /* Nothing to do without cdb */ + goto done; + } + + id_opts = talloc_zero(mem_ctx, struct sdap_options); + if (!id_opts) { + ret = ENOMEM; + goto done; + } + + ret = dp_get_options(id_opts, cdb, conf_path, + ad_def_ldap_opts, + SDAP_OPTS_BASIC, + &id_opts->basic); + if (ret != EOK) { + goto done; + } + + /* Get sdap option maps */ + + /* General Attribute Map */ + ret = sdap_get_map(id_opts, + cdb, conf_path, + ad_2008r2_attr_map, + SDAP_AT_GENERAL, + &id_opts->gen_map); + if (ret != EOK) { + goto done; + } + + /* User map */ + ret = sdap_get_map(id_opts, + cdb, conf_path, + ad_2008r2_user_map, + SDAP_OPTS_USER, + &id_opts->user_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_extend_map_with_list(id_opts, id_opts, + SDAP_USER_EXTRA_ATTRS, + id_opts->user_map, + SDAP_OPTS_USER, + &id_opts->user_map, + &id_opts->user_map_cnt); + if (ret != EOK) { + goto done; + } + + /* Group map */ + ret = sdap_get_map(id_opts, + cdb, conf_path, + ad_2008r2_group_map, + SDAP_OPTS_GROUP, + &id_opts->group_map); + if (ret != EOK) { + goto done; + } + + /* Netgroup map */ + ret = 
sdap_get_map(id_opts, + cdb, conf_path, + ad_netgroup_map, + SDAP_OPTS_NETGROUP, + &id_opts->netgroup_map); + if (ret != EOK) { + goto done; + } + + /* Services map */ + ret = sdap_get_map(id_opts, + cdb, conf_path, + ad_service_map, + SDAP_OPTS_SERVICES, + &id_opts->service_map); + if (ret != EOK) { + goto done; + } + + ret = EOK; +done: + if (ret == EOK) { + *_id_opts = id_opts; + } else { + talloc_free(id_opts); + } + + return ret; +} + +struct ad_options * +ad_create_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sss_domain_info *subdom) +{ + struct ad_options *ad_options; + errno_t ret; + + ad_options = talloc_zero(mem_ctx, struct ad_options); + if (ad_options == NULL) return NULL; + + if (cdb != NULL && conf_path != NULL) { + ret = dp_get_options(ad_options, + cdb, + conf_path, + ad_basic_opts, + AD_OPTS_BASIC, + &ad_options->basic); + } else { + /* Fallback to reading the defaults only if no confdb + * is available */ + ret = dp_copy_defaults(ad_options, + ad_basic_opts, + AD_OPTS_BASIC, + &ad_options->basic); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get basic AD options\n"); + talloc_free(ad_options); + return NULL; + } + + ret = ad_create_sdap_options(ad_options, + cdb, + conf_path, + dp, + &ad_options->id); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD LDAP options\n"); + talloc_free(ad_options); + return NULL; + } + + return ad_options; +} + +static errno_t +set_common_ad_trust_opts(struct ad_options *ad_options, + const char *realm, + const char *ad_domain, + const char *hostname, + const char *keytab) +{ + errno_t ret; + + ret = dp_opt_set_string(ad_options->basic, AD_KRB5_REALM, realm); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD krb5 realm\n"); + return ret; + } + + ret = dp_opt_set_string(ad_options->basic, AD_DOMAIN, ad_domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD domain\n"); + return ret; + 
} + + ret = dp_opt_set_string(ad_options->basic, AD_HOSTNAME, hostname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set AD hostname\n"); + return ret; + } + + if (keytab != NULL) { + ret = dp_opt_set_string(ad_options->basic, AD_KEYTAB, keytab); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set keytab\n"); + return ret; + } + } + + return EOK; +} + +struct ad_options * +ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + const char *realm, + struct sss_domain_info *subdom, + const char *hostname, + const char *keytab) +{ + struct ad_options *ad_options; + errno_t ret; + + DEBUG(SSSDBG_TRACE_FUNC, "2way trust is defined to domain '%s'\n", + subdom->name); + + ad_options = ad_create_options(mem_ctx, cdb, conf_path, dp, subdom); + if (ad_options == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n"); + return NULL; + } + + ret = set_common_ad_trust_opts(ad_options, realm, subdom->name, hostname, + keytab); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_common_ad_trust_opts failed\n"); + talloc_free(ad_options); + return NULL; + } + + ret = ad_set_sdap_options(ad_options, ad_options->id); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "ad_set_sdap_options failed"); + talloc_free(ad_options); + return NULL; + } + + return ad_options; +} + +struct ad_options * +ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *subdom_conf_path, + struct data_provider *dp, + struct sss_domain_info *subdom, + const char *hostname, + const char *keytab, + const char *sasl_authid) +{ + struct ad_options *ad_options; + const char *realm; + errno_t ret; + + DEBUG(SSSDBG_TRACE_FUNC, "1way trust is defined to domain '%s'\n", + subdom->name); + + ad_options = ad_create_options(mem_ctx, cdb, subdom_conf_path, dp, subdom); + if (ad_options == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "ad_create_options failed\n"); + return NULL; + } + + realm 
= get_uppercase_realm(ad_options, subdom->name); + if (!realm) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get uppercase realm\n"); + talloc_free(ad_options); + return NULL; + } + + ret = set_common_ad_trust_opts(ad_options, realm, + subdom->name, hostname, keytab); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_common_ad_trust_opts failed [%d]: %s\n", + ret, sss_strerror(ret)); + talloc_free(ad_options); + return NULL; + } + + /* Set SDAP_SASL_AUTHID to the trust principal */ + ret = dp_opt_set_string(ad_options->id->basic, + SDAP_SASL_AUTHID, sasl_authid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set SASL authid\n"); + talloc_free(ad_options); + return NULL; + } + + ret = ad_set_sdap_options(ad_options, ad_options->id); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "ad_set_sdap_options failed [%d]: %s\n", + ret, sss_strerror(ret)); + talloc_free(ad_options); + return NULL; + } + + return ad_options; +} + +errno_t +ad_get_common_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct sss_domain_info *dom, + struct ad_options **_opts) +{ + errno_t ret; + int gret; + struct ad_options *opts = NULL; + char *domain; + char *server; + char *realm; + char *ad_hostname; + char hostname[HOST_NAME_MAX + 1]; + char *case_sensitive_opt; + const char *opt_override; + + opts = talloc_zero(mem_ctx, struct ad_options); + if (!opts) return ENOMEM; + + ret = dp_get_options(opts, cdb, conf_path, + ad_basic_opts, + AD_OPTS_BASIC, + &opts->basic); + if (ret != EOK) { + goto done; + } + + /* If the AD domain name wasn't explicitly set, assume that it + * matches the SSSD domain name + */ + domain = dp_opt_get_string(opts->basic, AD_DOMAIN); + if (!domain) { + ret = dp_opt_set_string(opts->basic, AD_DOMAIN, dom->name); + if (ret != EOK) { + goto done; + } + domain = dom->name; + } + + /* Did we get an explicit server name, or are we discovering it? 
*/ + server = dp_opt_get_string(opts->basic, AD_SERVER); + if (!server) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No AD server set, will use service discovery!\n"); + } + + /* Set the machine's hostname to the local host name if it + * wasn't explicitly specified. + */ + ad_hostname = dp_opt_get_string(opts->basic, AD_HOSTNAME); + if (ad_hostname == NULL) { + gret = gethostname(hostname, HOST_NAME_MAX); + if (gret != 0) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "gethostname failed [%s].\n", + strerror(ret)); + goto done; + } + hostname[HOST_NAME_MAX] = '\0'; + DEBUG(SSSDBG_CONF_SETTINGS, + "Setting ad_hostname to [%s].\n", hostname); + ret = dp_opt_set_string(opts->basic, AD_HOSTNAME, hostname); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Setting ad_hostname failed [%s].\n", + strerror(ret)); + goto done; + } + } + + + /* Always use the upper-case AD domain for the kerberos realm */ + realm = get_uppercase_realm(opts, domain); + if (!realm) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(opts->basic, AD_KRB5_REALM, realm); + if (ret != EOK) { + goto done; + } + + /* Active Directory is always case-insensitive */ + ret = confdb_get_string(cdb, mem_ctx, conf_path, + CONFDB_DOMAIN_CASE_SENSITIVE, "false", + &case_sensitive_opt); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "condb_get_string failed.\n"); + goto done; + } + + if (strcasecmp(case_sensitive_opt, "true") == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Warning: AD domain can not be set as case-sensitive.\n"); + dom->case_sensitive = false; + dom->case_preserve = false; + } else if (strcasecmp(case_sensitive_opt, "false") == 0) { + dom->case_sensitive = false; + dom->case_preserve = false; + } else if (strcasecmp(case_sensitive_opt, "preserving") == 0) { + dom->case_sensitive = false; + dom->case_preserve = true; + } else { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid value for %s\n", CONFDB_DOMAIN_CASE_SENSITIVE); + goto done; + } + + opt_override = dom->case_preserve ? 
"preserving" : "false"; + + /* Set this in the confdb so that the responders pick it + * up when they start up. + */ + ret = confdb_set_string(cdb, conf_path, "case_sensitive", opt_override); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set domain option case_sensitive: [%s]\n", + strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Setting domain option case_sensitive to [%s]\n", opt_override); + + ret = EOK; + *_opts = opts; + +done: + if (ret != EOK) { + talloc_zfree(opts); + } + return ret; +} + +static void +ad_resolve_callback(void *private_data, struct fo_server *server); + +static errno_t +_ad_servers_init(struct ad_service *service, + struct be_ctx *bectx, + const char *fo_service, + const char *fo_gc_service, + const char *servers, + const char *ad_domain, + bool primary) +{ + size_t i; + size_t j; + errno_t ret = 0; + char **list; + struct ad_server_data *sdata; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + /* Split the server list */ + ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n"); + goto done; + } + + for (j = 0; list[j]; j++) { + if (resolv_is_address(list[j])) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "ad_server [%s] is detected as IP address, " + "this can cause GSSAPI problems\n", list[j]); + } + } + + /* Add each of these servers to the failover service */ + for (i = 0; list[i]; i++) { + if (be_fo_is_srv_identifier(list[i])) { + if (!primary) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add server [%s] to failover service: " + "SRV resolution only allowed for primary servers!\n", + list[i]); + continue; + } + + sdata = talloc(service, struct ad_server_data); + if (sdata == NULL) { + ret = ENOMEM; + goto done; + } + sdata->gc = true; + + ret = be_fo_add_srv_server(bectx, fo_gc_service, "gc", + ad_domain, BE_FO_PROTO_TCP, + false, sdata); + if (ret != EOK) { + 
DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to add service discovery to failover: [%s]\n", + strerror(ret)); + goto done; + } + + sdata = talloc(service, struct ad_server_data); + if (sdata == NULL) { + ret = ENOMEM; + goto done; + } + sdata->gc = false; + + ret = be_fo_add_srv_server(bectx, fo_service, "ldap", + ad_domain, BE_FO_PROTO_TCP, + false, sdata); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to add service discovery to failover: [%s]\n", + strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Added service discovery for AD\n"); + continue; + } + + /* It could be ipv6 address in square brackets. Remove + * the brackets if needed. */ + ret = remove_ipv6_brackets(list[i]); + if (ret != EOK) { + goto done; + } + + sdata = talloc(service, struct ad_server_data); + if (sdata == NULL) { + ret = ENOMEM; + goto done; + } + sdata->gc = true; + + ret = be_fo_add_server(bectx, fo_gc_service, list[i], 0, sdata, primary); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + sdata = talloc(service, struct ad_server_data); + if (sdata == NULL) { + ret = ENOMEM; + goto done; + } + sdata->gc = false; + + ret = be_fo_add_server(bectx, fo_service, list[i], 0, sdata, primary); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Added failover server %s\n", list[i]); + } +done: + talloc_free(tmp_ctx); + return ret; +} + +static inline errno_t +ad_primary_servers_init(struct ad_service *service, + struct be_ctx *bectx, const char *servers, + const char *fo_service, const char *fo_gc_service, + const char *ad_domain) +{ + return _ad_servers_init(service, bectx, fo_service, + fo_gc_service, servers, ad_domain, true); +} + +static inline errno_t +ad_backup_servers_init(struct ad_service *service, + struct be_ctx *bectx, const char *servers, + const char *fo_service, const char *fo_gc_service, + const char *ad_domain) +{ + 
return _ad_servers_init(service, bectx, fo_service, + fo_gc_service, servers, ad_domain, false); +} + +static int ad_user_data_cmp(void *ud1, void *ud2) +{ + struct ad_server_data *sd1, *sd2; + + sd1 = talloc_get_type(ud1, struct ad_server_data); + sd2 = talloc_get_type(ud2, struct ad_server_data); + if (sd1 == NULL || sd2 == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "No user data\n"); + return sd1 == sd2 ? 0 : 1; + } + + if (sd1->gc == sd2->gc) { + return 0; + } + + return 1; +} + +static void ad_online_cb(void *pvt) +{ + struct ad_service *service = talloc_get_type(pvt, struct ad_service); + + if (service == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid private pointer\n"); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "The AD provider is online\n"); +} + +errno_t +ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, + const char *primary_servers, + const char *backup_servers, + const char *krb5_realm, + const char *ad_service, + const char *ad_gc_service, + const char *ad_domain, + bool use_kdcinfo, + struct ad_service **_service) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct ad_service *service; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + service = talloc_zero(tmp_ctx, struct ad_service); + if (!service) { + ret = ENOMEM; + goto done; + } + + service->sdap = talloc_zero(service, struct sdap_service); + service->gc = talloc_zero(service, struct sdap_service); + if (!service->sdap || !service->gc) { + ret = ENOMEM; + goto done; + } + + service->sdap->name = talloc_strdup(service->sdap, ad_service); + service->gc->name = talloc_strdup(service->gc, ad_gc_service); + if (!service->sdap->name || !service->gc->name) { + ret = ENOMEM; + goto done; + } + + service->krb5_service = krb5_service_new(service, bectx, + ad_service, krb5_realm, + use_kdcinfo); + if (!service->krb5_service) { + ret = ENOMEM; + goto done; + } + + ret = be_fo_add_service(bectx, ad_service, ad_user_data_cmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to 
create failover service!\n"); + goto done; + } + + ret = be_fo_add_service(bectx, ad_gc_service, ad_user_data_cmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create GC failover service!\n"); + goto done; + } + + service->sdap->kinit_service_name = service->krb5_service->name; + service->gc->kinit_service_name = service->krb5_service->name; + + if (!krb5_realm) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n"); + ret = EINVAL; + goto done; + } + + if (!primary_servers) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No primary servers defined, using service discovery\n"); + primary_servers = BE_SRV_IDENTIFIER; + } + + ret = ad_primary_servers_init(service, bectx, + primary_servers, ad_service, + ad_gc_service, ad_domain); + if (ret != EOK) { + goto done; + } + + if (backup_servers) { + ret = ad_backup_servers_init(service, bectx, + backup_servers, ad_service, + ad_gc_service, ad_domain); + if (ret != EOK) { + goto done; + } + } + + ret = be_add_online_cb(bectx, bectx, ad_online_cb, service, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up AD online callback\n"); + goto done; + } + + ret = be_fo_service_add_callback(mem_ctx, bectx, ad_service, + ad_resolve_callback, service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to add failover callback! [%s]\n", strerror(ret)); + goto done; + } + + ret = be_fo_service_add_callback(mem_ctx, bectx, ad_gc_service, + ad_resolve_callback, service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to add failover callback! 
[%s]\n", strerror(ret)); + goto done; + } + + *_service = talloc_steal(mem_ctx, service); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static void +ad_resolve_callback(void *private_data, struct fo_server *server) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct ad_service *service; + struct resolv_hostent *srvaddr; + struct sockaddr_storage *sockaddr; + char *address; + char *safe_addr_list[2] = { NULL, NULL }; + char *new_uri; + int new_port; + const char *srv_name; + struct ad_server_data *sdata = NULL; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); + return; + } + + sdata = fo_get_server_user_data(server); + if (fo_is_srv_lookup(server) == false && sdata == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No user data?\n"); + ret = EINVAL; + goto done; + } + + service = talloc_get_type(private_data, struct ad_service); + if (!service) { + ret = EINVAL; + goto done; + } + + srvaddr = fo_get_server_hostent(server); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, + "No hostent available for server (%s)\n", + fo_get_server_str_name(server)); + ret = EINVAL; + goto done; + } + + address = resolv_get_string_address(tmp_ctx, srvaddr); + if (address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_string_address failed.\n"); + ret = EIO; + goto done; + } + + srv_name = fo_get_server_name(server); + if (srv_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not get server host name\n"); + ret = EINVAL; + goto done; + } + + new_uri = talloc_asprintf(service->sdap, "ldap://%s", srv_name); + if (!new_uri) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy URI\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_CONF_SETTINGS, "Constructed uri '%s'\n", new_uri); + + sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT); + if (sockaddr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n"); + ret = EIO; + goto done; + } + + /* free old one and replace with new one */ + 
talloc_zfree(service->sdap->uri); + service->sdap->uri = new_uri; + talloc_zfree(service->sdap->sockaddr); + service->sdap->sockaddr = talloc_steal(service->sdap, sockaddr); + + talloc_zfree(service->gc->uri); + talloc_zfree(service->gc->sockaddr); + if (sdata && sdata->gc) { + new_port = fo_get_server_port(server); + new_port = (new_port == 0) ? AD_GC_PORT : new_port; + + service->gc->uri = talloc_asprintf(service->gc, "%s:%d", + new_uri, new_port); + + service->gc->sockaddr = resolv_get_sockaddr_address(service->gc, + srvaddr, + new_port); + } else { + /* Make sure there always is an URI even if we know that this + * server doesn't support GC. That way the lookup would go through + * just not return anything + */ + service->gc->uri = talloc_strdup(service->gc, service->sdap->uri); + service->gc->sockaddr = talloc_memdup(service->gc, service->sdap->sockaddr, + sizeof(struct sockaddr_storage)); + } + + if (!service->gc->uri) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to append to URI\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_CONF_SETTINGS, "Constructed GC uri '%s'\n", service->gc->uri); + + if (service->gc->sockaddr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "resolv_get_sockaddr_address failed.\n"); + ret = EIO; + goto done; + } + + /* Only write kdcinfo files for local servers */ + if ((sdata == NULL || sdata->gc == false) && + service->krb5_service->write_kdcinfo) { + /* Write krb5 info files */ + safe_addr_list[0] = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_addr_list[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = write_krb5info_file(service->krb5_service, + safe_addr_list, + SSS_KRB5KDC_FO_SRV); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "write_krb5info_file failed, authentication might fail.\n"); + } + } + + ret = EOK; +done: + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error: [%s]\n", strerror(ret)); + } + talloc_free(tmp_ctx); + 
return; +} + +static errno_t +ad_set_sdap_options(struct ad_options *ad_opts, + struct sdap_options *id_opts) +{ + errno_t ret; + char *krb5_realm; + char *keytab_path; + const char *schema; + + /* We only support Kerberos password policy with AD, so + * force that on. + */ + ret = dp_opt_set_string(id_opts->basic, + SDAP_PWD_POLICY, + PWD_POL_OPT_MIT); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not set password policy\n"); + goto done; + } + + /* Set the Kerberos Realm for GSSAPI */ + krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM); + if (!krb5_realm) { + /* Should be impossible, this is set in ad_get_common_options() */ + DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n"); + ret = EINVAL; + goto done; + } + + ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_REALM, krb5_realm); + if (ret != EOK) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, + "Option %s set to %s\n", + id_opts->basic[SDAP_KRB5_REALM].opt_name, + krb5_realm); + + keytab_path = dp_opt_get_string(ad_opts->basic, AD_KEYTAB); + if (keytab_path) { + ret = dp_opt_set_string(id_opts->basic, SDAP_KRB5_KEYTAB, + keytab_path); + if (ret != EOK) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, + "Option %s set to %s\n", + id_opts->basic[SDAP_KRB5_KEYTAB].opt_name, + keytab_path); + } + + ret = sdap_set_sasl_options(id_opts, + dp_opt_get_string(ad_opts->basic, + AD_HOSTNAME), + dp_opt_get_string(ad_opts->basic, + AD_KRB5_REALM), + keytab_path); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set the SASL-related options\n"); + goto done; + } + + /* Warn if the user is doing something silly like overriding the schema + * with the AD provider + */ + schema = dp_opt_get_string(id_opts->basic, SDAP_SCHEMA); + if (schema != NULL && strcasecmp(schema, "ad") != 0) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "The AD provider only supports the AD LDAP schema. 
" + "SSSD will ignore the ldap_schema option value and proceed " + "with ldap_schema=ad\n"); + } + + /* fix schema to AD */ + id_opts->schema_type = SDAP_SCHEMA_AD; + + ad_opts->id = id_opts; + ret = EOK; +done: + return ret; +} + +errno_t +ad_get_id_options(struct ad_options *ad_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sdap_options **_opts) +{ + struct sdap_options *id_opts; + errno_t ret; + + ret = ad_create_sdap_options(ad_opts, cdb, conf_path, dp, &id_opts); + if (ret != EOK) { + return ENOMEM; + } + + ret = ad_set_sdap_options(ad_opts, id_opts); + if (ret != EOK) { + talloc_free(id_opts); + return ret; + } + + ret = sdap_domain_add(id_opts, + ad_opts->id_ctx->sdap_id_ctx->be->domain, + NULL); + if (ret != EOK) { + talloc_free(id_opts); + return ret; + } + + /* Set up search bases if they were assigned explicitly */ + ret = ad_set_search_bases(id_opts, NULL); + if (ret != EOK) { + talloc_free(id_opts); + return ret; + } + + *_opts = id_opts; + return EOK; +} + +errno_t +ad_get_autofs_options(struct ad_options *ad_opts, + struct confdb_ctx *cdb, + const char *conf_path) +{ + errno_t ret; + + /* autofs maps */ + ret = sdap_get_map(ad_opts->id, + cdb, + conf_path, + ad_autofs_mobject_map, + SDAP_OPTS_AUTOFS_MAP, + &ad_opts->id->autofs_mobject_map); + if (ret != EOK) { + return ret; + } + + ret = sdap_get_map(ad_opts->id, + cdb, + conf_path, + ad_autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, + &ad_opts->id->autofs_entry_map); + if (ret != EOK) { + return ret; + } + + return EOK; +} + +errno_t +ad_set_search_bases(struct sdap_options *id_opts, + struct sdap_domain *sdom) +{ + errno_t ret; + char *default_search_base = NULL; + size_t o; + struct sdap_domain *sdap_dom; + bool has_default; + const int search_base_options[] = { SDAP_USER_SEARCH_BASE, + SDAP_GROUP_SEARCH_BASE, + SDAP_NETGROUP_SEARCH_BASE, + SDAP_SERVICE_SEARCH_BASE, + -1 }; + + /* AD servers provide defaultNamingContext, so we will + * rely on that to 
specify the search base unless it has + * been specifically overridden. + */ + + if (sdom != NULL) { + sdap_dom = sdom; + } else { + /* If no specific sdom was given, use the first in the list. */ + sdap_dom = id_opts->sdom; + } + + has_default = sdap_dom->search_bases != NULL; + + if (has_default == false) { + default_search_base = + dp_opt_get_string(id_opts->basic, SDAP_SEARCH_BASE); + } + + if (default_search_base && has_default == false) { + /* set search bases if they are not */ + for (o = 0; search_base_options[o] != -1; o++) { + if (NULL == dp_opt_get_string(id_opts->basic, + search_base_options[o])) { + ret = dp_opt_set_string(id_opts->basic, + search_base_options[o], + default_search_base); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_CONF_SETTINGS, + "Option %s set to %s\n", + id_opts->basic[search_base_options[o]].opt_name, + dp_opt_get_string(id_opts->basic, + search_base_options[o])); + } + } + } else { + DEBUG(SSSDBG_CONF_SETTINGS, + "Search base not set. SSSD will attempt to discover it later, " + "when connecting to the LDAP server.\n"); + } + + /* Default search */ + ret = sdap_parse_search_base(id_opts, id_opts->basic, + SDAP_SEARCH_BASE, + &sdap_dom->search_bases); + if (ret != EOK && ret != ENOENT) goto done; + + /* User search */ + ret = sdap_parse_search_base(id_opts, id_opts->basic, + SDAP_USER_SEARCH_BASE, + &sdap_dom->user_search_bases); + if (ret != EOK && ret != ENOENT) goto done; + + /* Group search base */ + ret = sdap_parse_search_base(id_opts, id_opts->basic, + SDAP_GROUP_SEARCH_BASE, + &sdap_dom->group_search_bases); + if (ret != EOK && ret != ENOENT) goto done; + + /* Netgroup search */ + ret = sdap_parse_search_base(id_opts, id_opts->basic, + SDAP_NETGROUP_SEARCH_BASE, + &sdap_dom->netgroup_search_bases); + if (ret != EOK && ret != ENOENT) goto done; + + /* Service search */ + ret = sdap_parse_search_base(id_opts, id_opts->basic, + SDAP_SERVICE_SEARCH_BASE, + &sdap_dom->service_search_bases); + if (ret != EOK && ret != 
ENOENT) goto done; + + ret = EOK; +done: + return ret; +} + +errno_t +ad_get_auth_options(TALLOC_CTX *mem_ctx, + struct ad_options *ad_opts, + struct be_ctx *bectx, + struct dp_option **_opts) +{ + errno_t ret; + struct dp_option *krb5_options; + const char *ad_servers; + const char *krb5_realm; + + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + /* Get krb5 options */ + ret = dp_get_options(tmp_ctx, bectx->cdb, bectx->conf_path, + ad_def_krb5_opts, KRB5_OPTS, + &krb5_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not read Kerberos options from the configuration\n"); + goto done; + } + + ad_servers = dp_opt_get_string(ad_opts->basic, AD_SERVER); + + /* Force the krb5_servers to match the ad_servers */ + ret = dp_opt_set_string(krb5_options, KRB5_KDC, ad_servers); + if (ret != EOK) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, + "Option %s set to %s\n", + krb5_options[KRB5_KDC].opt_name, + ad_servers); + + /* Set krb5 realm */ + /* Set the Kerberos Realm for GSSAPI */ + krb5_realm = dp_opt_get_string(ad_opts->basic, AD_KRB5_REALM); + if (!krb5_realm) { + /* Should be impossible, this is set in ad_get_common_options() */ + DEBUG(SSSDBG_FATAL_FAILURE, "No Kerberos realm\n"); + ret = EINVAL; + goto done; + } + + /* Force the kerberos realm to match the AD_KRB5_REALM (which may have + * been upper-cased in ad_common_options() + */ + ret = dp_opt_set_string(krb5_options, KRB5_REALM, krb5_realm); + if (ret != EOK) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, + "Option %s set to %s\n", + krb5_options[KRB5_REALM].opt_name, + krb5_realm); + + /* Set flag that controls whether we want to write the + * kdcinfo files at all + */ + ad_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(krb5_options, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + krb5_options[KRB5_USE_KDCINFO].opt_name, + ad_opts->service->krb5_service->write_kdcinfo ? 
"true" : "false"); + + *_opts = talloc_steal(mem_ctx, krb5_options); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t ad_get_dyndns_options(struct be_ctx *be_ctx, + struct ad_options *ad_opts) +{ + errno_t ret; + + ret = be_nsupdate_init(ad_opts, be_ctx, ad_dyndns_opts, + &ad_opts->dyndns_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot initialize AD dyndns opts [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + + +struct ad_id_ctx * +ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx) +{ + struct sdap_id_ctx *sdap_ctx; + struct ad_id_ctx *ad_ctx; + + ad_ctx = talloc_zero(ad_opts, struct ad_id_ctx); + if (ad_ctx == NULL) { + return NULL; + } + ad_ctx->ad_options = ad_opts; + + sdap_ctx = sdap_id_ctx_new(ad_ctx, bectx, ad_opts->service->sdap); + if (sdap_ctx == NULL) { + talloc_free(ad_ctx); + return NULL; + } + ad_ctx->sdap_id_ctx = sdap_ctx; + ad_ctx->ldap_ctx = sdap_ctx->conn; + + ad_ctx->gc_ctx = sdap_id_ctx_conn_add(sdap_ctx, ad_opts->service->gc); + if (ad_ctx->gc_ctx == NULL) { + talloc_free(ad_ctx); + return NULL; + } + + return ad_ctx; +} + +struct sdap_id_conn_ctx * +ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom) +{ + struct sdap_id_conn_ctx *conn; + struct sdap_domain *sdom; + struct ad_id_ctx *subdom_id_ctx; + + sdom = sdap_domain_get(ad_ctx->sdap_id_ctx->opts, dom); + if (sdom == NULL || sdom->pvt == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n", + dom->name); + return NULL; + } + subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx); + conn = subdom_id_ctx->ldap_ctx; + + if (IS_SUBDOMAIN(sdom->dom) == true && conn != NULL) { + /* Regardless of connection types, a subdomain error must not be + * allowed to set the whole back end offline, rather report an error + * and let the caller deal with it (normally disable the subdomain + */ + conn->ignore_mark_offline = true; + } + + return conn; +} + +struct 
sdap_id_conn_ctx ** +ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom) +{ + struct sdap_id_conn_ctx **clist; + int cindex = 0; + + clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3); + if (clist == NULL) return NULL; + + /* Always try GC first */ + if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC)) { + clist[cindex] = ad_ctx->gc_ctx; + clist[cindex]->ignore_mark_offline = true; + clist[cindex]->no_mpg_user_fallback = true; + cindex++; + } + + clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom); + + return clist; +} + +struct sdap_id_conn_ctx ** +ad_ldap_conn_list(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom) +{ + struct sdap_id_conn_ctx **clist; + + clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 2); + if (clist == NULL) { + return NULL; + } + + clist[0] = ad_get_dom_ldap_conn(ad_ctx, dom); + + clist[1] = NULL; + return clist; +} + +struct sdap_id_conn_ctx ** +ad_user_conn_list(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom) +{ + struct sdap_id_conn_ctx **clist; + int cindex = 0; + + clist = talloc_zero_array(mem_ctx, struct sdap_id_conn_ctx *, 3); + if (clist == NULL) { + return NULL; + } + + /* Try GC first for users from trusted domains, but go to LDAP + * for users from non-trusted domains to get all POSIX attrs + */ + if (dp_opt_get_bool(ad_ctx->ad_options->basic, AD_ENABLE_GC) + && IS_SUBDOMAIN(dom)) { + clist[cindex] = ad_ctx->gc_ctx; + clist[cindex]->ignore_mark_offline = true; + cindex++; + } + + /* Users from primary domain can be just downloaded from LDAP. + * The domain's LDAP connection also works as a fallback + */ + clist[cindex] = ad_get_dom_ldap_conn(ad_ctx, dom); + + return clist; +} diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h new file mode 100644 index 0000000..dd440da --- /dev/null +++ b/src/providers/ad/ad_common.h 
@@ -0,0 +1,215 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef AD_COMMON_H_ +#define AD_COMMON_H_ + +#include "util/util.h" +#include "providers/ldap/ldap_common.h" + +#define AD_SERVICE_NAME "AD" +#define AD_GC_SERVICE_NAME "AD_GC" +/* The port the Global Catalog runs on */ +#define AD_GC_PORT 3268 + +#define AD_AT_OBJECT_SID "objectSID" +#define AD_AT_DNS_DOMAIN "DnsDomain" +#define AD_AT_NT_VERSION "NtVer" +#define AD_AT_NETLOGON "netlogon" + +#define MASTER_DOMAIN_SID_FILTER "objectclass=domain" + +struct ad_options; + +enum ad_basic_opt { + AD_DOMAIN = 0, + AD_ENABLED_DOMAINS, + AD_SERVER, + AD_BACKUP_SERVER, + AD_HOSTNAME, + AD_KEYTAB, + AD_KRB5_REALM, + AD_ENABLE_DNS_SITES, + AD_ACCESS_FILTER, + AD_ENABLE_GC, + AD_GPO_ACCESS_CONTROL, + AD_GPO_CACHE_TIMEOUT, + AD_GPO_MAP_INTERACTIVE, + AD_GPO_MAP_REMOTE_INTERACTIVE, + AD_GPO_MAP_NETWORK, + AD_GPO_MAP_BATCH, + AD_GPO_MAP_SERVICE, + AD_GPO_MAP_PERMIT, + AD_GPO_MAP_DENY, + AD_GPO_DEFAULT_RIGHT, + AD_SITE, + AD_KRB5_CONFD_PATH, + AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE, + AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS, + + AD_OPTS_BASIC /* opts counter */ +}; + +struct ad_id_ctx { + struct sdap_id_ctx *sdap_id_ctx; + struct sdap_id_conn_ctx *ldap_ctx; + struct sdap_id_conn_ctx *gc_ctx; + struct ad_options *ad_options; +}; + +struct ad_service { + struct sdap_service *sdap; + struct 
sdap_service *gc; + struct krb5_service *krb5_service; +}; + +struct ad_options { + /* Common options */ + struct dp_option *basic; + struct ad_service *service; + + /* ID Provider */ + struct sdap_options *id; + struct ad_id_ctx *id_ctx; + + /* Auth and chpass Provider */ + struct krb5_ctx *auth_ctx; + + /* Dynamic DNS updates */ + struct be_resolv_ctx *be_res; + struct be_nsupdate_ctx *dyndns_ctx; +}; + +errno_t +ad_get_common_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct sss_domain_info *dom, + struct ad_options **_opts); + +/* FIXME: ad_get_common_options and ad_create_options are + * similar. The later is subdomain specific. It may be + * good to merge the two into one more generic funtion. */ +struct ad_options *ad_create_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sss_domain_info *subdom); + +struct ad_options *ad_create_2way_trust_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + const char *realm, + struct sss_domain_info *subdom, + const char *hostname, + const char *keytab); + +struct ad_options *ad_create_1way_trust_options(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sss_domain_info *subdom, + const char *hostname, + const char *keytab, + const char *sasl_authid); + +errno_t ad_set_search_bases(struct sdap_options *id_opts, + struct sdap_domain *sdap); + +errno_t +ad_failover_init(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, + const char *primary_servers, + const char *backup_servers, + const char *krb5_realm, + const char *ad_service, + const char *ad_gc_service, + const char *ad_domain, + bool use_kdcinfo, + struct ad_service **_service); + +errno_t +ad_get_id_options(struct ad_options *ad_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sdap_options **_opts); +errno_t 
+ad_get_autofs_options(struct ad_options *ad_opts, + struct confdb_ctx *cdb, + const char *conf_path); +errno_t +ad_get_auth_options(TALLOC_CTX *mem_ctx, + struct ad_options *ad_opts, + struct be_ctx *bectx, + struct dp_option **_opts); + +errno_t +ad_get_dyndns_options(struct be_ctx *be_ctx, + struct ad_options *ad_opts); + +struct ad_id_ctx * +ad_id_ctx_init(struct ad_options *ad_opts, struct be_ctx *bectx); + +struct sdap_id_conn_ctx ** +ad_gc_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom); + +struct sdap_id_conn_ctx ** +ad_ldap_conn_list(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom); + +struct sdap_id_conn_ctx ** +ad_user_conn_list(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom); + +struct sdap_id_conn_ctx * +ad_get_dom_ldap_conn(struct ad_id_ctx *ad_ctx, struct sss_domain_info *dom); + +/* AD dynamic DNS updates */ +errno_t ad_dyndns_init(struct be_ctx *be_ctx, + struct ad_options *ctx); +void ad_dyndns_timer(void *pvt); + +errno_t ad_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ad_id_ctx *id_ctx, + struct dp_method *dp_methods); + +errno_t ad_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ad_id_ctx *id_ctx, + struct dp_method *dp_methods); + +errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, + struct ad_options *ad_opts); + +errno_t netlogon_get_domain_info(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *reply, + bool check_next_nearest_site_as_well, + char **_flat_name, + char **_site, + char **_forest); + +#endif /* AD_COMMON_H_ */ diff --git a/src/providers/ad/ad_domain_info.c b/src/providers/ad/ad_domain_info.c new file mode 100644 index 0000000..5302c80 --- /dev/null +++ b/src/providers/ad/ad_domain_info.c 
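Review bot: The three connection-list prototypes (`ad_gc_conn_list`, `ad_ldap_conn_list`, `ad_user_conn_list`) carry no comment on what the caller gets back, and the definitions in ad_common.c show a contract that is easy to get wrong. Each returns a NULL-terminated talloc array on `mem_ctx`, and its last filled slot comes from `ad_get_dom_ldap_conn()`, which returns NULL when no ID context exists for the domain, so the list can hold no connection even though the call succeeded. I would put one comment above the group, for example `/* Returns a NULL-terminated array allocated on mem_ctx, or NULL on allocation failure; the array may hold no connection at all. */`. The `ad_set_search_bases` prototype also names its second parameter `sdap` while the definition uses `sdom`; declaring it as `struct sdap_domain *sdom` keeps the two in step.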
@@ -0,0 +1,454 @@ +/* + SSSD + + AD Domain Info Module + + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ad/ad_domain_info.h" +#include "providers/ad/ad_common.h" +#include "util/util.h" + +errno_t netlogon_get_domain_info(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *reply, + bool check_next_nearest_site_as_well, + char **_flat_name, + char **_site, + char **_forest) +{ + errno_t ret; + struct ldb_message_element *el; + DATA_BLOB blob; + struct ndr_pull *ndr_pull = NULL; + enum ndr_err_code ndr_err; + struct netlogon_samlogon_response response; + TALLOC_CTX *tmp_ctx; + + ret = sysdb_attrs_get_el(reply, AD_AT_NETLOGON, &el); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el() failed\n"); + return ret; + } + + if (el->num_values == 0) { + DEBUG(SSSDBG_OP_FAILURE, "netlogon has no value\n"); + return ENOENT; + } else if (el->num_values > 1) { + DEBUG(SSSDBG_OP_FAILURE, "More than one netlogon value?\n"); + return EIO; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + blob.data = el->values[0].data; + blob.length = el->values[0].length; + + /* The ndr_pull_* calls do not use 
ndr_pull as a talloc context to + * allocate memory but the second argument of ndr_pull_init_blob(). To + * make sure no memory is leaked here a temporary talloc context is + * needed. */ + ndr_pull = ndr_pull_init_blob(&blob, tmp_ctx); + if (ndr_pull == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_init_blob() failed.\n"); + ret = ENOMEM; + goto done; + } + + ndr_err = ndr_pull_netlogon_samlogon_response(ndr_pull, NDR_SCALARS, + &response); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_netlogon_samlogon_response() " + "failed [%d]\n", ndr_err); + ret = EBADMSG; + goto done; + } + + if (!(response.ntver & NETLOGON_NT_VERSION_5EX)) { + DEBUG(SSSDBG_OP_FAILURE, "Wrong version returned [%x]\n", + response.ntver); + ret = EBADMSG; + goto done; + } + + /* get flat domain name */ + if (_flat_name != NULL) { + if (response.data.nt5_ex.domain_name != NULL && + *response.data.nt5_ex.domain_name != '\0') { + *_flat_name = talloc_strdup(mem_ctx, + response.data.nt5_ex.domain_name); + if (*_flat_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "No netlogon flat domain name data available.\n"); + *_flat_name = NULL; + } + } + + + /* get forest */ + if (_forest != NULL) { + if (response.data.nt5_ex.forest != NULL && + *response.data.nt5_ex.forest != '\0') { + *_forest = talloc_strdup(mem_ctx, response.data.nt5_ex.forest); + if (*_forest == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "No netlogon forest data available.\n"); + *_forest = NULL; + } + } + + /* get site name */ + if (_site != NULL) { + if (response.data.nt5_ex.client_site != NULL + && response.data.nt5_ex.client_site[0] != '\0') { + *_site = talloc_strdup(mem_ctx, response.data.nt5_ex.client_site); + if (*_site == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + 
goto done; + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "No netlogon site name data available.\n"); + *_site = NULL; + + if (check_next_nearest_site_as_well) { + if (response.data.nt5_ex.next_closest_site != NULL + && response.data.nt5_ex.next_closest_site[0] != '\0') { + *_site = talloc_strdup(mem_ctx, + response.data.nt5_ex.next_closest_site); + if (*_site == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "No netlogon next closest site name data " + "available.\n"); + } + } + } + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +struct ad_master_domain_state { + struct tevent_context *ev; + struct sdap_id_conn_ctx *conn; + struct sdap_id_op *id_op; + struct sdap_id_ctx *id_ctx; + struct sdap_options *opts; + + const char *dom_name; + int base_iter; + + char *flat; + char *site; + char *forest; + char *sid; +}; + +static errno_t ad_master_domain_next(struct tevent_req *req); +static void ad_master_domain_next_done(struct tevent_req *subreq); +static void ad_master_domain_netlogon_done(struct tevent_req *req); + +struct tevent_req * +ad_master_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_conn_ctx *conn, + struct sdap_id_op *op, + const char *dom_name) +{ + errno_t ret; + struct tevent_req *req; + struct ad_master_domain_state *state; + + req = tevent_req_create(mem_ctx, &state, struct ad_master_domain_state); + if (!req) return NULL; + + state->ev = ev; + state->id_op = op; + state->conn = conn; + state->id_ctx = conn->id_ctx; + state->opts = conn->id_ctx->opts; + state->dom_name = dom_name; + + ret = ad_master_domain_next(req); + if (ret != EOK && ret != EAGAIN) { + goto immediate; + } + + return req; + +immediate: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t +ad_master_domain_next(struct tevent_req *req) +{ + 
struct tevent_req *subreq; + struct sdap_search_base *base; + const char *master_sid_attrs[] = {AD_AT_OBJECT_SID, NULL}; + + struct ad_master_domain_state *state = + tevent_req_data(req, struct ad_master_domain_state); + + base = state->opts->sdom->search_bases[state->base_iter]; + if (base == NULL) { + return EOK; + } + + subreq = sdap_get_generic_send(state, state->ev, + state->id_ctx->opts, + sdap_id_op_handle(state->id_op), + base->basedn, LDAP_SCOPE_BASE, + MASTER_DOMAIN_SID_FILTER, master_sid_attrs, + NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + return ENOMEM; + } + tevent_req_set_callback(subreq, ad_master_domain_next_done, req); + + return EAGAIN; +} + +static void +ad_master_domain_next_done(struct tevent_req *subreq) +{ + errno_t ret; + size_t reply_count; + struct sysdb_attrs **reply = NULL; + struct ldb_message_element *el; + char *sid_str; + enum idmap_error_code err; + static const char *attrs[] = {AD_AT_NETLOGON, NULL}; + char *filter; + char *ntver; + + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_master_domain_state *state = + tevent_req_data(req, struct ad_master_domain_state); + + ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send request failed.\n"); + goto done; + } + + if (reply_count == 0) { + state->base_iter++; + ret = ad_master_domain_next(req); + if (ret == EAGAIN) { + /* Async request will get us back here again */ + return; + } else if (ret != EOK) { + goto done; + } + + /* EOK */ + tevent_req_done(req); + return; + } else if (reply_count == 1) { + ret = sysdb_attrs_get_el(reply[0], AD_AT_OBJECT_SID, &el); + if (ret != EOK || el->num_values != 1) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_attrs_get_el failed.\n"); + goto done; + } + + err = 
sss_idmap_bin_sid_to_sid(state->opts->idmap_ctx->map, + el->values[0].data, + el->values[0].length, + &sid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not convert SID: [%s].\n", idmap_error_string(err)); + ret = EFAULT; + goto done; + } + + state->sid = talloc_steal(state, sid_str); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "More than one result for domain SID found.\n"); + ret = EINVAL; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Found SID [%s].\n", state->sid); + + ntver = sss_ldap_encode_ndr_uint32(state, NETLOGON_NT_VERSION_5EX | + NETLOGON_NT_VERSION_WITH_CLOSEST_SITE); + if (ntver == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_ldap_encode_ndr_uint32 failed.\n"); + ret = ENOMEM; + goto done; + } + + filter = talloc_asprintf(state, "(&(%s=%s)(%s=%s))", + AD_AT_DNS_DOMAIN, state->dom_name, + AD_AT_NT_VERSION, ntver); + if (filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + subreq = sdap_get_generic_send(state, state->ev, + state->id_ctx->opts, + sdap_id_op_handle(state->id_op), + "", LDAP_SCOPE_BASE, filter, attrs, NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ad_master_domain_netlogon_done, req); + return; + +done: + tevent_req_error(req, ret); +} + +static void +ad_master_domain_netlogon_done(struct tevent_req *subreq) +{ + int ret; + size_t reply_count; + struct sysdb_attrs **reply = NULL; + + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_master_domain_state *state = + tevent_req_data(req, struct ad_master_domain_state); + + ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send request failed.\n"); + tevent_req_error(req, ret); + 
return; + } + + /* Failure to get the flat name is not fatal. Just quit. */ + if (reply_count == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "No netlogon data available. Flat name " \ + "might not be usable\n"); + goto done; + } else if (reply_count > 1) { + DEBUG(SSSDBG_MINOR_FAILURE, + "More than one netlogon info returned.\n"); + goto done; + } + + /* Exactly one flat name. Carry on */ + + ret = netlogon_get_domain_info(state, reply[0], false, &state->flat, + &state->site, &state->forest); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not get the flat name or forest: %d:[%s]\n", + ret, sss_strerror(ret)); + /* Not fatal. Just quit. */ + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Found flat name [%s].\n", state->flat); + DEBUG(SSSDBG_TRACE_FUNC, "Found site [%s].\n", state->site); + DEBUG(SSSDBG_TRACE_FUNC, "Found forest [%s].\n", state->forest); + +done: + tevent_req_done(req); + return; +} + +errno_t +ad_master_domain_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + char **_flat, + char **_id, + char **_site, + char **_forest) +{ + struct ad_master_domain_state *state = tevent_req_data(req, + struct ad_master_domain_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_flat) { + *_flat = talloc_steal(mem_ctx, state->flat); + } + + if (_site) { + *_site = talloc_steal(mem_ctx, state->site); + } + + if (_forest) { + *_forest = talloc_steal(mem_ctx, state->forest); + } + + if (_id) { + *_id = talloc_steal(mem_ctx, state->sid); + } + + return EOK; +} diff --git a/src/providers/ad/ad_domain_info.h b/src/providers/ad/ad_domain_info.h new file mode 100644 index 0000000..b96e8a3 --- /dev/null +++ b/src/providers/ad/ad_domain_info.h 
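Review bot: In `ad_master_domain_next_done`, the branch `if (ret != EOK || el->num_values != 1)` jumps to `done` with `ret` still `EOK` when the objectSID element exists but does not hold exactly one value. `tevent_req_error(req, EOK)` does not finish a request, so the caller would wait indefinitely on a reply shape that the directory server controls. Setting an error before the jump closes that path, e.g. `if (ret == EOK) ret = EINVAL;` ahead of `goto done;` (the log text there also names `sdap_attrs_get_el` although the call is `sysdb_attrs_get_el`). Separately, the netlogon filter is built with `talloc_asprintf(state, "(&(%s=%s)(%s=%s))", ...)` from `state->dom_name` without escaping. The name presumably comes from configuration, but passing it through `sss_filter_sanitize()` first would keep filter metacharacters in a domain name from changing the query.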
@@ -0,0 +1,43 @@ +/* + SSSD + + AD Master Domain Module + + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _AD_MASTER_DOMAIN_H_ +#define _AD_MASTER_DOMAIN_H_ + +struct tevent_req * +ad_master_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_conn_ctx *conn, + struct sdap_id_op *op, + const char *dom_name); + +errno_t +ad_master_domain_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + char **_flat, + char **_id, + char **_site, + char **_forest); + +#endif /* _AD_MASTER_DOMAIN_H_ */ diff --git a/src/providers/ad/ad_dyndns.c b/src/providers/ad/ad_dyndns.c new file mode 100644 index 0000000..0019048 --- /dev/null +++ b/src/providers/ad/ad_dyndns.c 
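Review bot: `ad_master_domain_recv` is declared without any comment on its outputs, and the implementation in ad_domain_info.c returns EOK in cases where some or all of them are NULL. The request is completed with `tevent_req_done()` when no search base yields a domain object and when the netlogon reply is missing or cannot be parsed, so `*_flat`, `*_site`, `*_forest` and `*_id` can each come back NULL on success; `_id` receives the domain SID string. A comment on the prototype such as `/* On EOK each output may still be NULL; _id is the domain SID as a string. Outputs are optional and are moved to mem_ctx. */` would tell callers to check before use. The guard `_AD_MASTER_DOMAIN_H_` starts with an underscore followed by a capital, a form C reserves for the implementation; `AD_DOMAIN_INFO_H_` would match the file name and the guard style of ad_common.h.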
@@ -0,0 +1,275 @@ +/* + SSSD + + ad_dyndns.c + + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" +#include "providers/ldap/sdap_dyndns.h" +#include "providers/data_provider.h" +#include "providers/be_dyndns.h" +#include "providers/ad/ad_common.h" + +void ad_dyndns_update(void *pvt); + +errno_t ad_dyndns_init(struct be_ctx *be_ctx, + struct ad_options *ad_opts) +{ + errno_t ret; + + /* nsupdate is available. Dynamic updates + * are supported + */ + ret = ad_get_dyndns_options(be_ctx, ad_opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set AD options\n"); + return ret; + } + + if (dp_opt_get_bool(ad_opts->dyndns_ctx->opts, + DP_OPT_DYNDNS_UPDATE) == false) { + DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n"); + return EOK; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Dynamic DNS updates are on. 
Checking for nsupdate..\n"); + ret = be_nsupdate_check(); + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "DNS updates requested but nsupdate not available\n"); + return EOK; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not check for nsupdate\n"); + return ret; + } + + ad_opts->be_res = be_ctx->be_res; + if (ad_opts->be_res == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Resolver must be initialized in order " + "to use the AD dynamic DNS updates\n"); + return EINVAL; + } + + ret = be_nsupdate_init_timer(ad_opts->dyndns_ctx, be_ctx->ev, + ad_dyndns_timer, ad_opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up periodic update\n"); + return ret; + } + + ret = be_add_online_cb(be_ctx, be_ctx, + ad_dyndns_update, + ad_opts, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up online callback\n"); + return ret; + } + + return EOK; +} + +static void ad_dyndns_timer_connected(struct tevent_req *req); + +void ad_dyndns_timer(void *pvt) +{ + struct ad_options *ctx = talloc_get_type(pvt, struct ad_options); + struct sdap_id_ctx *sdap_ctx = ctx->id_ctx->sdap_id_ctx; + struct tevent_req *req; + + req = sdap_dyndns_timer_conn_send(ctx, sdap_ctx->be->ev, sdap_ctx, + ctx->dyndns_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); + /* Not much we can do. 
Just attempt to reschedule */ + be_nsupdate_timer_schedule(sdap_ctx->be->ev, ctx->dyndns_ctx); + return; + } + tevent_req_set_callback(req, ad_dyndns_timer_connected, ctx); +} + +static void ad_dyndns_timer_connected(struct tevent_req *req) +{ + errno_t ret; + struct ad_options *ctx = tevent_req_callback_data(req, struct ad_options); + + ret = sdap_dyndns_timer_conn_recv(req); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to AD: [%d](%s)\n", ret, sss_strerror(ret)); + return; + } + + return ad_dyndns_update(ctx); +} + +static struct tevent_req *ad_dyndns_update_send(struct ad_options *ctx); +static errno_t ad_dyndns_update_recv(struct tevent_req *req); +static void ad_dyndns_nsupdate_done(struct tevent_req *req); + +void ad_dyndns_update(void *pvt) +{ + struct ad_options *ctx = talloc_get_type(pvt, struct ad_options); + struct sdap_id_ctx *sdap_ctx = ctx->id_ctx->sdap_id_ctx; + struct tevent_req *req; + + /* Schedule timer after provider went offline */ + be_nsupdate_timer_schedule(sdap_ctx->be->ev, ctx->dyndns_ctx); + + req = ad_dyndns_update_send(ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not update DNS\n"); + return; + } + tevent_req_set_callback(req, ad_dyndns_nsupdate_done, NULL); +} + +static void ad_dyndns_nsupdate_done(struct tevent_req *req) +{ + int ret = ad_dyndns_update_recv(req); + talloc_free(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Updating DNS entry failed [%d]: %s\n", + ret, sss_strerror(ret)); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "DNS update finished\n"); +} + +struct ad_dyndns_update_state { + struct ad_options *ad_ctx; +}; + +static void ad_dyndns_sdap_update_done(struct tevent_req *subreq); + +static struct tevent_req * +ad_dyndns_update_send(struct ad_options *ctx) +{ + int ret; + struct ad_dyndns_update_state *state; + struct tevent_req *req, *subreq; + struct sdap_id_ctx *sdap_ctx = ctx->id_ctx->sdap_id_ctx; + LDAPURLDesc *lud; + + DEBUG(SSSDBG_TRACE_FUNC, 
"Performing update\n"); + + req = tevent_req_create(ctx, &state, struct ad_dyndns_update_state); + if (req == NULL) { + return NULL; + } + state->ad_ctx = ctx; + + if (ctx->dyndns_ctx->last_refresh + 60 > time(NULL) || + ctx->dyndns_ctx->timer_in_progress) { + DEBUG(SSSDBG_FUNC_DATA, "Last periodic update ran recently or timer " + "in progress, not scheduling another update\n"); + tevent_req_done(req); + tevent_req_post(req, sdap_ctx->be->ev); + return req; + } + state->ad_ctx->dyndns_ctx->last_refresh = time(NULL); + + ret = ldap_url_parse(ctx->service->sdap->uri, &lud); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse ldap URI (%s)!\n", ctx->service->sdap->uri); + ret = EINVAL; + goto done; + } + + if (lud->lud_scheme != NULL && + strcasecmp(lud->lud_scheme, "ldapi") == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The LDAP scheme is ldapi://, cannot proceed with update\n"); + ldap_free_urldesc(lud); + ret = EINVAL; + goto done; + } + + if (lud->lud_host == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The LDAP URI (%s) did not contain a host name\n", + ctx->service->sdap->uri); + ldap_free_urldesc(lud); + ret = EINVAL; + goto done; + } + + subreq = sdap_dyndns_update_send(state, sdap_ctx->be->ev, + sdap_ctx->be, + ctx->dyndns_ctx->opts, + sdap_ctx, + ctx->dyndns_ctx->auth_type, + dp_opt_get_string(ctx->dyndns_ctx->opts, + DP_OPT_DYNDNS_IFACE), + dp_opt_get_string(ctx->basic, + AD_HOSTNAME), + dp_opt_get_string(ctx->basic, + AD_KRB5_REALM), + dp_opt_get_int(ctx->dyndns_ctx->opts, + DP_OPT_DYNDNS_TTL), + false); + if (!subreq) { + ret = EIO; + DEBUG(SSSDBG_OP_FAILURE, + "sdap_id_op_connect_send failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + tevent_req_set_callback(subreq, ad_dyndns_sdap_update_done, req); + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, sdap_ctx->be->ev); + } + return req; +} + +static void ad_dyndns_sdap_update_done(struct tevent_req *subreq) +{ + struct tevent_req 
*req = tevent_req_callback_data(subreq, + struct tevent_req); + errno_t ret; + + ret = sdap_dyndns_update_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Dynamic DNS update failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t ad_dyndns_update_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c new file mode 100644 index 0000000..d568643 --- /dev/null +++ b/src/providers/ad/ad_gpo.c 
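Review bot: `ad_dyndns_update_send` frees `lud` in the two rejection branches (ldapi scheme, missing host) but not on the path that goes on to `sdap_dyndns_update_send()`, so each update that passes validation leaks the `LDAPURLDesc` returned by `ldap_url_parse()`. Nothing after the host check reads `lud`, so a single `ldap_free_urldesc(lud);` right after the `lud->lud_host == NULL` block is enough. Two smaller points in the same function: the failure message after `sdap_dyndns_update_send()` says `sdap_id_op_connect_send failed`, which will mislead whoever reads the log, and the 60-second throttle in `last_refresh + 60 > time(NULL)` would read better as a named constant.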
@@ -0,0 +1,4644 @@
+/*
+ SSSD
+
+ Authors:
+ Yassir Elley
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/*
+ * This file implements the following pair of *public* functions (see header):
+ * ad_gpo_access_send/recv: provides client-side GPO processing
+ *
+ * This file also implements the following pairs of *private* functions (which
+ * are used by the public functions):
+ * ad_gpo_process_som_send/recv: populate list of gp_som objects
+ * ad_gpo_process_gpo_send/recv: populate list of gp_gpo objects
+ * ad_gpo_process_cse_send/recv: retrieve policy file data
+ */
+
+#include
+#include
+#include
+#include
+#include "util/util.h"
+#include "util/strtonum.h"
+#include "util/child_common.h"
+#include "providers/data_provider.h"
+#include "providers/backend.h"
+#include "providers/ad/ad_access.h"
+#include "providers/ad/ad_common.h"
+#include "providers/ad/ad_domain_info.h"
+#include "providers/ad/ad_gpo.h"
+#include "providers/ldap/sdap_access.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "util/util_sss_idmap.h"
+#include
+#include
+
+/* == gpo-ldap constants =================================================== */
+
+#define AD_AT_DN "distinguishedName"
+#define AD_AT_UAC "userAccountControl"
+#define AD_AT_CONFIG_NC "configurationNamingContext"
+#define AD_AT_GPLINK "gPLink"
+#define AD_AT_GPOPTIONS
"gpOptions"
+#define AD_AT_NT_SEC_DESC "nTSecurityDescriptor"
+#define AD_AT_CN "cn"
+#define AD_AT_FILE_SYS_PATH "gPCFileSysPath"
+#define AD_AT_MACHINE_EXT_NAMES "gPCMachineExtensionNames"
+#define AD_AT_FUNC_VERSION "gPCFunctionalityVersion"
+#define AD_AT_FLAGS "flags"
+
+#define UAC_WORKSTATION_TRUST_ACCOUNT 0x00001000
+#define UAC_SERVER_TRUST_ACCOUNT 0x00002000
+#define AD_AGP_GUID "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
+#define AD_AUTHENTICATED_USERS_SID "S-1-5-11"
+
+/* == gpo-smb constants ==================================================== */
+
+#define SMB_STANDARD_URI "smb://"
+#define BUFSIZE 65536
+
+#define RIGHTS_SECTION "Privilege Rights"
+#define ALLOW_LOGON_INTERACTIVE "SeInteractiveLogonRight"
+#define DENY_LOGON_INTERACTIVE "SeDenyInteractiveLogonRight"
+#define ALLOW_LOGON_REMOTE_INTERACTIVE "SeRemoteInteractiveLogonRight"
+#define DENY_LOGON_REMOTE_INTERACTIVE "SeDenyRemoteInteractiveLogonRight"
+#define ALLOW_LOGON_NETWORK "SeNetworkLogonRight"
+#define DENY_LOGON_NETWORK "SeDenyNetworkLogonRight"
+#define ALLOW_LOGON_BATCH "SeBatchLogonRight"
+#define DENY_LOGON_BATCH "SeDenyBatchLogonRight"
+#define ALLOW_LOGON_SERVICE "SeServiceLogonRight"
+#define DENY_LOGON_SERVICE "SeDenyServiceLogonRight"
+
+#define GP_EXT_GUID_SECURITY "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
+#define GP_EXT_GUID_SECURITY_SUFFIX "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"
+
+#ifndef SSSD_LIBEXEC_PATH
+#error "SSSD_LIBEXEC_PATH not defined"
+#else
+#define GPO_CHILD SSSD_LIBEXEC_PATH"/gpo_child"
+#endif
+
+/* If INI_PARSE_IGNORE_NON_KVP is not defined, use 0 (no effect) */
+#ifndef INI_PARSE_IGNORE_NON_KVP
+#define INI_PARSE_IGNORE_NON_KVP 0
+#warning INI_PARSE_IGNORE_NON_KVP not defined.
+#endif
+
+/* fd used by the gpo_child process for logging */
+int gpo_child_debug_fd = -1;
+
+/* == common data structures and declarations ============================= */
+
+struct gp_som {
+ const char *som_dn;
+ struct gp_gplink **gplink_list;
+ int num_gplinks;
+};
+
+struct gp_gplink {
+ const char *gpo_dn;
+ bool enforced;
+};
+
+struct gp_gpo {
+ struct security_descriptor *gpo_sd;
+ const char *gpo_dn;
+ const char *gpo_guid;
+ const char *smb_server;
+ const char *smb_share;
+ const char *smb_path;
+ const char **gpo_cse_guids;
+ int num_gpo_cse_guids;
+ int gpo_func_version;
+ int gpo_flags;
+ bool send_to_child;
+ const char *policy_filename;
+};
+
+enum ace_eval_status {
+ AD_GPO_ACE_DENIED,
+ AD_GPO_ACE_ALLOWED,
+ AD_GPO_ACE_NEUTRAL
+};
+
+struct tevent_req *ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_conn_ctx *conn,
+ struct ldb_context *ldb_ctx,
+ struct sdap_id_op *sdap_op,
+ struct sdap_options *opts,
+ struct dp_option *ad_options,
+ int timeout,
+ const char *target_dn,
+ const char *domain_name);
+int ad_gpo_process_som_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct gp_som ***som_list);
+
+struct tevent_req *
+ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_op *sdap_op,
+ struct sdap_options *opts,
+ char *server_hostname,
+ struct sss_domain_info *host_domain,
+ struct ad_access_ctx *access_ctx,
+ int timeout,
+ struct gp_som **som_list);
+int ad_gpo_process_gpo_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct gp_gpo ***candidate_gpos,
+ int *num_candidate_gpos);
+
+struct tevent_req *ad_gpo_process_cse_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ bool send_to_child,
+ struct sss_domain_info *domain,
+ const char *gpo_guid,
+ const char *smb_server,
+ const char *smb_share,
+ const char *smb_path,
+ const char *smb_cse_suffix,
+ int cached_gpt_version,
+ int gpo_timeout_option);
+
+int ad_gpo_process_cse_recv(struct
tevent_req *req);
+
+/* == ad_gpo_parse_map_options and helpers ==================================*/
+
+#define GPO_LOGIN "login"
+#define GPO_SU "su"
+#define GPO_SU_L "su-l"
+#define GPO_GDM_FINGERPRINT "gdm-fingerprint"
+#define GPO_GDM_PASSWORD "gdm-password"
+#define GPO_GDM_SMARTCARD "gdm-smartcard"
+#define GPO_KDM "kdm"
+#define GPO_LIGHTDM "lightdm"
+#define GPO_LXDM "lxdm"
+#define GPO_SDDM "sddm"
+#define GPO_UNITY "unity"
+#define GPO_XDM "xdm"
+#define GPO_SSHD "sshd"
+#define GPO_FTP "ftp"
+#define GPO_SAMBA "samba"
+#define GPO_CROND "crond"
+#define GPO_POLKIT "polkit-1"
+#define GPO_SUDO "sudo"
+#define GPO_SUDO_I "sudo-i"
+#define GPO_SYSTEMD_USER "systemd-user"
+#define GPO_COCKPIT "cockpit"
+
+struct gpo_map_option_entry {
+ enum gpo_map_type gpo_map_type;
+ enum ad_basic_opt ad_basic_opt;
+ const char **gpo_map_defaults;
+ const char *allow_key;
+ const char *deny_key;
+};
+
+const char *gpo_map_interactive_defaults[] =
+ {GPO_LOGIN, GPO_SU, GPO_SU_L,
+ GPO_GDM_FINGERPRINT, GPO_GDM_PASSWORD, GPO_GDM_SMARTCARD, GPO_KDM,
+ GPO_LIGHTDM, GPO_LXDM, GPO_SDDM, GPO_UNITY, GPO_XDM, NULL};
+const char *gpo_map_remote_interactive_defaults[] = {GPO_SSHD, GPO_COCKPIT,
+ NULL};
+const char *gpo_map_network_defaults[] = {GPO_FTP, GPO_SAMBA, NULL};
+const char *gpo_map_batch_defaults[] = {GPO_CROND, NULL};
+const char *gpo_map_service_defaults[] = {NULL};
+const char *gpo_map_permit_defaults[] = {GPO_POLKIT,
+ GPO_SUDO, GPO_SUDO_I,
+ GPO_SYSTEMD_USER, NULL};
+const char *gpo_map_deny_defaults[] = {NULL};
+
+struct gpo_map_option_entry gpo_map_option_entries[] = {
+ {GPO_MAP_INTERACTIVE, AD_GPO_MAP_INTERACTIVE, gpo_map_interactive_defaults,
+ ALLOW_LOGON_INTERACTIVE, DENY_LOGON_INTERACTIVE},
+ {GPO_MAP_REMOTE_INTERACTIVE, AD_GPO_MAP_REMOTE_INTERACTIVE,
+ gpo_map_remote_interactive_defaults,
+ ALLOW_LOGON_REMOTE_INTERACTIVE, DENY_LOGON_REMOTE_INTERACTIVE},
+ {GPO_MAP_NETWORK, AD_GPO_MAP_NETWORK, gpo_map_network_defaults,
+ ALLOW_LOGON_NETWORK,
DENY_LOGON_NETWORK},
+ {GPO_MAP_BATCH, AD_GPO_MAP_BATCH, gpo_map_batch_defaults,
+ ALLOW_LOGON_BATCH, DENY_LOGON_BATCH},
+ {GPO_MAP_SERVICE, AD_GPO_MAP_SERVICE, gpo_map_service_defaults,
+ ALLOW_LOGON_SERVICE, DENY_LOGON_SERVICE},
+ {GPO_MAP_PERMIT, AD_GPO_MAP_PERMIT, gpo_map_permit_defaults, NULL, NULL},
+ {GPO_MAP_DENY, AD_GPO_MAP_DENY, gpo_map_deny_defaults, NULL, NULL},
+};
+
+const char* gpo_map_type_string(int gpo_map_type)
+{
+ switch(gpo_map_type) {
+ case GPO_MAP_INTERACTIVE: return "Interactive";
+ case GPO_MAP_REMOTE_INTERACTIVE: return "Remote Interactive";
+ case GPO_MAP_NETWORK: return "Network";
+ case GPO_MAP_BATCH: return "Batch";
+ case GPO_MAP_SERVICE: return "Service";
+ case GPO_MAP_PERMIT: return "Permitted";
+ case GPO_MAP_DENY: return "Denied";
+ }
+ return NULL;
+}
+
+static inline bool
+ad_gpo_service_in_list(char **list, size_t nlist, const char *str)
+{
+ size_t i;
+
+ for (i = 0; i < nlist; i++) {
+ if (strcasecmp(list[i], str) == 0) {
+ break;
+ }
+ }
+
+ return (i < nlist) ? true : false;
+}
+
+errno_t
+ad_gpo_parse_map_option_helper(enum gpo_map_type gpo_map_type,
+ hash_key_t key,
+ hash_table_t *options_table)
+{
+ hash_value_t val;
+ int hret;
+ int ret;
+
+ hret = hash_lookup(options_table, &key, &val);
+ if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error checking hash table: [%s]\n",
+ hash_error_string(hret));
+ ret = EINVAL;
+ goto done;
+ } else if (hret == HASH_SUCCESS) {
+ /* handle unexpected case where mapping for key already exists */
+ if (val.i == gpo_map_type) {
+ /* mapping for key exists for same map type; no error */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "PAM service %s maps to %s multiple times\n", key.str,
+ gpo_map_type_string(gpo_map_type));
+ ret = EOK;
+ } else {
+ /* mapping for key exists for different map type; error! */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Configuration error: PAM service %s maps to both %s and "
+ "%s.
If you are changing the default mappings of Group "
+ "Policy rules to PAM services using one of the ad_gpo_map_*"
+ " options make sure that the PAM service you add to one map "
+ "using the '+service' syntax is not already present in "
+ "another map by default (if it is then remove it from the "
+ "other map by using the '-service' syntax. Check manual "
+ "pages 'man sssd-ad' for details).\n", key.str,
+ gpo_map_type_string(val.i), gpo_map_type_string(gpo_map_type));
+ sss_log(SSS_LOG_ERR,
+ "Configuration error: PAM service %s maps to both %s and "
+ "%s. If you are changing the default mappings of Group "
+ "Policy rules to PAM services using one of the ad_gpo_map_*"
+ " options make sure that the PAM service you add to one map "
+ "using the '+service' syntax is not already present in "
+ "another map by default (if it is then remove it from the "
+ "other map by using the '-service' syntax. Check manual "
+ "pages 'man sssd-ad' for details).\n", key.str,
+ gpo_map_type_string(val.i), gpo_map_type_string(gpo_map_type));
+ ret = EINVAL;
+ }
+ goto done;
+ } else {
+ /* handle expected case where mapping for key doesn't already exist */
+ val.type = HASH_VALUE_INT;
+ val.i = gpo_map_type;
+
+ hret = hash_enter(options_table, &key, &val);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error checking hash table: [%s]\n",
+ hash_error_string(hret));
+ ret = EIO;
+ goto done;
+ }
+ ret = EOK;
+ }
+
+done:
+ return ret;
+}
+
+errno_t
+ad_gpo_parse_map_option(TALLOC_CTX *mem_ctx,
+ enum gpo_map_type gpo_map_type,
+ hash_table_t *options_table,
+ char *conf_str,
+ const char **defaults)
+{
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ char **conf_list = NULL;
+ int conf_list_size = 0;
+ char **add_list = NULL;
+ char **remove_list = NULL;
+ int ai = 0, ri = 0;
+ int i;
+ hash_key_t key;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "gpo_map_type: %s\n",
+ gpo_map_type_string(gpo_map_type));
+
+ if (conf_str) {
+ ret = split_on_separator(tmp_ctx, conf_str, ',', true, true,
+ &conf_list, &conf_list_size);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot parse list of service names %s: %d\n", conf_str, ret);
+ ret = EINVAL;
+ goto done;
+ }
+
+ add_list = talloc_zero_array(tmp_ctx, char *, conf_list_size);
+ remove_list = talloc_zero_array(tmp_ctx, char *, conf_list_size);
+ if (add_list == NULL || remove_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ for (i = 0; i < conf_list_size; i++) {
+ switch (conf_list[i][0]) {
+ case '+':
+ add_list[ai] = conf_list[i] + 1;
+ ai++;
+ continue;
+ case '-':
+ remove_list[ri] = conf_list[i] + 1;
+ ri++;
+ continue;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "ad_gpo_map values must start with"
+ "either '+' (for adding service) or '-' (for removing service), "
+ "got '%s'\n",
+ conf_list[i]);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ /* Start by adding explicitly added services ('+') to hashtable */
+ for (i = 0; i < ai; i++) {
+ /* if the service is explicitly configured to be removed, skip it */
+ if (ad_gpo_service_in_list(remove_list, ri, add_list[i])) {
+ continue;
+ }
+
+ key.type = HASH_KEY_STRING;
+ key.str = (char *)add_list[i];
+
+ ret = ad_gpo_parse_map_option_helper(gpo_map_type, key, options_table);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid configuration: %d\n", ret);
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Explicitly added service: %s\n", key.str);
+ }
+
+ /* Add defaults to hashtable */
+ for (i = 0; defaults[i]; i++) {
+ /* if the service is explicitly configured to be removed, skip it */
+ if (ad_gpo_service_in_list(remove_list, ri, defaults[i])) {
+ continue;
+ }
+
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(mem_ctx, defaults[i]);
+
+ ret = ad_gpo_parse_map_option_helper(gpo_map_type, key, options_table);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid configuration: %d\n", ret);
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Default service (not
explicitly removed): %s\n",
+ key.str);
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+ad_gpo_parse_map_options(struct ad_access_ctx *access_ctx)
+{
+ char *gpo_default_right_config;
+ enum gpo_map_type gpo_default_right;
+ errno_t ret;
+ int i;
+
+ for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
+
+ struct gpo_map_option_entry entry = gpo_map_option_entries[i];
+
+ char *entry_config = dp_opt_get_string(access_ctx->ad_options,
+ entry.ad_basic_opt);
+
+ ret = ad_gpo_parse_map_option(access_ctx, entry.gpo_map_type,
+ access_ctx->gpo_map_options_table,
+ entry_config, entry.gpo_map_defaults);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid configuration: %d\n", ret);
+ ret = EINVAL;
+ goto fail;
+ }
+ }
+
+ /* default right (applicable for services without any mapping) */
+ gpo_default_right_config =
+ dp_opt_get_string(access_ctx->ad_options, AD_GPO_DEFAULT_RIGHT);
+
+ DEBUG(SSSDBG_TRACE_ALL, "gpo_default_right_config: %s\n",
+ gpo_default_right_config);
+
+ /* if default right not set in config, set them to DENY */
+ if (gpo_default_right_config == NULL) {
+ gpo_default_right = GPO_MAP_DENY;
+ } else if (strncasecmp(gpo_default_right_config, "interactive",
+ strlen("interactive")) == 0) {
+ gpo_default_right = GPO_MAP_INTERACTIVE;
+ } else if (strncasecmp(gpo_default_right_config, "remote_interactive",
+ strlen("remote_interactive")) == 0) {
+ gpo_default_right = GPO_MAP_REMOTE_INTERACTIVE;
+ } else if (strncasecmp(gpo_default_right_config, "network",
+ strlen("network")) == 0) {
+ gpo_default_right = GPO_MAP_NETWORK;
+ } else if (strncasecmp(gpo_default_right_config, "batch",
+ strlen("batch")) == 0) {
+ gpo_default_right = GPO_MAP_BATCH;
+ } else if (strncasecmp(gpo_default_right_config, "service",
+ strlen("service")) == 0) {
+ gpo_default_right = GPO_MAP_SERVICE;
+ } else if (strncasecmp(gpo_default_right_config, "permit",
+ strlen("permit")) == 0) {
+ gpo_default_right = GPO_MAP_PERMIT;
+ } else if
(strncasecmp(gpo_default_right_config, "deny",
+ strlen("deny")) == 0) {
+ gpo_default_right = GPO_MAP_DENY;
+ } else {
+ ret = EINVAL;
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "gpo_default_right: %d\n", gpo_default_right);
+ access_ctx->gpo_default_right = gpo_default_right;
+
+fail:
+ return ret;
+}
+
+/* == ad_gpo_access_send/recv helpers =======================================*/
+
+static bool
+ad_gpo_dom_sid_equal(const struct dom_sid *sid1, const struct dom_sid *sid2)
+{
+ int i;
+
+ if (sid1 == sid2) {
+ return true;
+ }
+
+ if (!sid1 || !sid2) {
+ return false;
+ }
+
+ if (sid1->sid_rev_num != sid2->sid_rev_num) {
+ return false;
+ }
+
+ for (i = 0; i < 6; i++) {
+ if (sid1->id_auth[i] != sid2->id_auth[i]) {
+ return false;
+ }
+ }
+
+ if (sid1->num_auths != sid2->num_auths) {
+ return false;
+ }
+
+ for (i = 0; i < sid1->num_auths; i++) {
+ if (sid1->sub_auths[i] != sid2->sub_auths[i]) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+
+/*
+ * This function retrieves the SIDs corresponding to the input user and returns
+ * the user_sid, group_sids, and group_size in their respective output params.
+ *
+ * Note: since authentication must complete successfully before the
+ * gpo access checks are called, we can safely assume that the user/computer
+ * has been authenticated. As such, this function always adds the
+ * AD_AUTHENTICATED_USERS_SID to the group_sids.
+ */
+static errno_t
+ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
+ const char *user,
+ struct sss_domain_info *domain,
+ const char **_user_sid,
+ const char ***_group_sids,
+ int *_group_size)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_result *res;
+ int ret = 0;
+ int i = 0;
+ int num_group_sids = 0;
+ const char *user_sid = NULL;
+ const char *group_sid = NULL;
+ const char **group_sids = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* first result from sysdb_initgroups is user_sid; rest are group_sids */
+ ret = sysdb_initgroups(tmp_ctx, domain, user, &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_initgroups failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (res->count == 0) {
+ ret = ENOENT;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_initgroups returned empty result\n");
+ goto done;
+ }
+
+ user_sid = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SID_STR, NULL);
+ num_group_sids = (res->count) - 1;
+
+ /* include space for AD_AUTHENTICATED_USERS_SID and NULL */
+ group_sids = talloc_array(tmp_ctx, const char *, num_group_sids + 1 + 1);
+ if (group_sids == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < num_group_sids; i++) {
+ group_sid = ldb_msg_find_attr_as_string(res->msgs[i+1],
+ SYSDB_SID_STR, NULL);
+ if (group_sid == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing SID for cache entry [%s].\n",
+ ldb_dn_get_linearized(res->msgs[i+1]->dn));
+ ret = EINVAL;
+ goto done;
+ }
+
+ group_sids[i] = talloc_steal(group_sids, group_sid);
+ if (group_sids[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ group_sids[i++] = talloc_strdup(group_sids, AD_AUTHENTICATED_USERS_SID);
+ group_sids[i] = NULL;
+
+ *_group_size = num_group_sids + 1;
+ *_group_sids = talloc_steal(mem_ctx, group_sids);
+ *_user_sid = talloc_steal(mem_ctx, user_sid);
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This function determines whether the input ace_dom_sid
matches any of the
+ * client's SIDs. The boolean result is assigned to the _included output param.
+ */
+static errno_t
+ad_gpo_ace_includes_client_sid(const char *user_sid,
+ const char **group_sids,
+ int group_size,
+ struct dom_sid ace_dom_sid,
+ struct sss_idmap_ctx *idmap_ctx,
+ bool *_included)
+{
+ int i = 0;
+ struct dom_sid *user_dom_sid;
+ struct dom_sid *group_dom_sid;
+ enum idmap_error_code err;
+ bool included = false;
+
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, user_sid, &user_dom_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
+ return EFAULT;
+ }
+
+ included = ad_gpo_dom_sid_equal(&ace_dom_sid, user_dom_sid);
+ sss_idmap_free_smb_sid(idmap_ctx, user_dom_sid);
+ if (included) {
+ *_included = true;
+ return EOK;
+ }
+
+ for (i = 0; i < group_size; i++) {
+ err = sss_idmap_sid_to_smb_sid(idmap_ctx, group_sids[i], &group_dom_sid);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize idmap context.\n");
+ return EFAULT;
+ }
+ included = ad_gpo_dom_sid_equal(&ace_dom_sid, group_dom_sid);
+ sss_idmap_free_smb_sid(idmap_ctx, group_dom_sid);
+ if (included) {
+ *_included = true;
+ return EOK;
+ }
+ }
+
+ *_included = false;
+ return EOK;
+}
+
+/*
+ * This function determines whether use of the extended right
+ * named "ApplyGroupPolicy" (AGP) is allowed, by comparing the specified
+ * user_sid and group_sids against the specified access control entry (ACE).
+ * This function returns ALLOWED, DENIED, or NEUTRAL depending on whether
+ * the ACE explicitly allows, explicitly denies, or does neither.
+ *
+ * Note that the 'M' abbreviation used in the evaluation algorithm stands for
+ * "access_mask", which represents the set of access rights associated with an
+ * individual ACE. The access right of interest to the GPO code is
+ * RIGHT_DS_CONTROL_ACCESS, which serves as a container for all control access
+ * rights.
The specific control access right is identified by a GUID in the
+ * ACE's ObjectType. In our case, this is the GUID corresponding to AGP.
+ *
+ * The ACE evaluation algorithm is specified in [MS-ADTS] 5.1.3.3.4:
+ * - Deny access by default
+ * - If the "Inherit Only" (IO) flag is set in the ACE, skip the ACE.
+ * - If the SID in the ACE does not match any SID in the requester's
+ * security context, skip the ACE
+ * - If the ACE type is "Object Access Allowed", the access right
+ * RIGHT_DS_CONTROL_ACCESS (CR) is present in M, and the ObjectType
+ * field in the ACE is either not present OR contains a GUID value equal
+ * to AGP, then grant requested control access right. Stop access checking.
+ * - If the ACE type is "Object Access Denied", the access right
+ * RIGHT_DS_CONTROL_ACCESS (CR) is present in M, and the ObjectType
+ * field in the ACE is either not present OR contains a GUID value equal to
+ * AGP, then deny the requested control access right. Stop access checking.
+ */
+static enum ace_eval_status ad_gpo_evaluate_ace(struct security_ace *ace,
+ struct sss_idmap_ctx *idmap_ctx,
+ const char *user_sid,
+ const char **group_sids,
+ int group_size)
+{
+ bool agp_included = false;
+ bool included = false;
+ int ret = 0;
+ struct security_ace_object object;
+ struct GUID ext_right_agp_guid;
+
+ if (ace->flags & SEC_ACE_FLAG_INHERIT_ONLY) {
+ return AD_GPO_ACE_NEUTRAL;
+ }
+
+ ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
+ ace->trustee, idmap_ctx, &included);
+
+ if (ret != EOK) {
+ return AD_GPO_ACE_DENIED;
+ }
+
+ if (!included) {
+ return AD_GPO_ACE_NEUTRAL;
+ }
+
+ object = ace->object.object;
+ GUID_from_string(AD_AGP_GUID, &ext_right_agp_guid);
+
+ if (object.flags & SEC_ACE_OBJECT_TYPE_PRESENT) {
+ if (GUID_equal(&object.type.type, &ext_right_agp_guid)) {
+ agp_included = true;
+ }
+ } else {
+ agp_included = false;
+ }
+
+ if (ace->access_mask & SEC_ADS_CONTROL_ACCESS) {
+ if (agp_included) {
+ if (ace->type ==
SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) {
+ return AD_GPO_ACE_ALLOWED;
+ } else if (ace->type == SEC_ACE_TYPE_ACCESS_DENIED_OBJECT) {
+ return AD_GPO_ACE_DENIED;
+ }
+ }
+ }
+
+ return AD_GPO_ACE_DENIED;
+}
+
+/*
+ * This function extracts the GPO's DACL (discretionary access control list)
+ * from the GPO's specified security descriptor, and determines whether
+ * the GPO is applicable to the policy target, by comparing the specified
+ * user_sid and group_sids against each access control entry (ACE) in the DACL.
+ * The boolean result is assigned to the _access_allowed output parameter.
+ */
+static errno_t ad_gpo_evaluate_dacl(struct security_acl *dacl,
+ struct sss_idmap_ctx *idmap_ctx,
+ const char *user_sid,
+ const char **group_sids,
+ int group_size,
+ bool *_dacl_access_allowed)
+{
+ uint32_t num_aces = 0;
+ enum ace_eval_status ace_status;
+ int i = 0;
+ struct security_ace *ace = NULL;
+
+ num_aces = dacl->num_aces;
+
+ /*
+ * [MS-ADTS] 5.1.3.3.4:
+ * If the DACL does not have any ACE, then deny the requester the
+ * requested control access right.
+ */
+ if (num_aces == 0) {
+ *_dacl_access_allowed = false;
+ return EOK;
+ }
+
+ for (i = 0; i < dacl->num_aces; i ++) {
+ ace = &dacl->aces[i];
+
+ ace_status = ad_gpo_evaluate_ace(ace, idmap_ctx, user_sid,
+ group_sids, group_size);
+
+ switch (ace_status) {
+ case AD_GPO_ACE_NEUTRAL:
+ continue;
+ case AD_GPO_ACE_ALLOWED:
+ *_dacl_access_allowed = true;
+ return EOK;
+ case AD_GPO_ACE_DENIED:
+ *_dacl_access_allowed = false;
+ return EOK;
+ }
+ }
+
+ *_dacl_access_allowed = false;
+ return EOK;
+}
+
+/*
+ * This function takes candidate_gpos as input, filters out any gpo that is
+ * not applicable to the policy target and assigns the result to the
+ * _dacl_filtered_gpos output parameter.
The filtering algorithm is
+ * defined in [MS-GPOL] 3.2.5.1.6
+ */
+static errno_t
+ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
+ const char *user,
+ struct sss_domain_info *domain,
+ struct sss_idmap_ctx *idmap_ctx,
+ struct gp_gpo **candidate_gpos,
+ int num_candidate_gpos,
+ struct gp_gpo ***_dacl_filtered_gpos,
+ int *_num_dacl_filtered_gpos)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ int i = 0;
+ int ret = 0;
+ struct gp_gpo *candidate_gpo = NULL;
+ struct security_descriptor *sd = NULL;
+ struct security_acl *dacl = NULL;
+ const char *user_sid = NULL;
+ const char **group_sids = NULL;
+ int group_size = 0;
+ int gpo_dn_idx = 0;
+ bool access_allowed = false;
+ struct gp_gpo **dacl_filtered_gpos = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ad_gpo_get_sids(tmp_ctx, user, domain, &user_sid,
+ &group_sids, &group_size);
+ if (ret != EOK) {
+ ret = ERR_NO_SIDS;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to retrieve SIDs: [%d](%s)\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ dacl_filtered_gpos = talloc_array(tmp_ctx,
+ struct gp_gpo *,
+ num_candidate_gpos + 1);
+
+ if (dacl_filtered_gpos == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < num_candidate_gpos; i++) {
+
+ access_allowed = false;
+ candidate_gpo = candidate_gpos[i];
+
+ DEBUG(SSSDBG_TRACE_ALL, "examining dacl candidate_gpo_guid:%s\n",
+ candidate_gpo->gpo_guid);
+
+ /* gpo_func_version must be set to version 2 */
+ if (candidate_gpo->gpo_func_version != 2) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "GPO not applicable to target per security filtering: "
+ "gPCFunctionalityVersion is not 2\n");
+ continue;
+ }
+
+ sd = candidate_gpo->gpo_sd;
+ if (sd == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Security descriptor is missing\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ dacl = candidate_gpo->gpo_sd->dacl;
+
+ /* gpo_flags value of 2 means that GPO's computer portion is disabled */
+ if (candidate_gpo->gpo_flags == 2) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "GPO not
applicable to target per security filtering: "
+ "GPO's computer portion is disabled\n");
+ continue;
+ }
+
+ /*
+ * [MS-ADTS] 5.1.3.3.4:
+ * If the security descriptor has no DACL or its "DACL Present" bit
+ * is not set, then grant requester the requested control access right.
+ */
+
+ if ((!(sd->type & SEC_DESC_DACL_PRESENT)) || (dacl == NULL)) {
+ DEBUG(SSSDBG_TRACE_ALL, "DACL is not present\n");
+ access_allowed = true;
+ break;
+ }
+
+ ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids,
+ group_size, &access_allowed);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not determine if GPO is applicable\n");
+ continue;
+ }
+
+ if (access_allowed) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "GPO applicable to target per security filtering\n");
+ dacl_filtered_gpos[gpo_dn_idx] = talloc_steal(dacl_filtered_gpos,
+ candidate_gpo);
+ gpo_dn_idx++;
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "GPO not applicable to target per security filtering: "
+ "result of DACL evaluation\n");
+ continue;
+ }
+ }
+
+ dacl_filtered_gpos[gpo_dn_idx] = NULL;
+
+ *_dacl_filtered_gpos = talloc_steal(mem_ctx, dacl_filtered_gpos);
+ *_num_dacl_filtered_gpos = gpo_dn_idx;
+
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This function determines whether the input cse_guid matches any of the input
+ * gpo_cse_guids. The boolean result is assigned to the _included output param.
+ */
+static bool
+ad_gpo_includes_cse_guid(const char *cse_guid,
+ const char **gpo_cse_guids,
+ int num_gpo_cse_guids)
+{
+ int i = 0;
+ const char *gpo_cse_guid = NULL;
+
+ for (i = 0; i < num_gpo_cse_guids; i++) {
+ gpo_cse_guid = gpo_cse_guids[i];
+ if (strcmp(gpo_cse_guid, cse_guid) == 0) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/*
+ * This function takes an input dacl_filtered_gpos list, filters out any gpo
+ * that does not contain the input cse_guid, and assigns the result to the
+ * _cse_filtered_gpos output parameter.
+ */
+static errno_t
+ad_gpo_filter_gpos_by_cse_guid(TALLOC_CTX *mem_ctx,
+ const char *cse_guid,
+ struct gp_gpo **dacl_filtered_gpos,
+ int num_dacl_filtered_gpos,
+ struct gp_gpo ***_cse_filtered_gpos,
+ int *_num_cse_filtered_gpos)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ int i = 0;
+ int ret = 0;
+ struct gp_gpo *dacl_filtered_gpo = NULL;
+ int gpo_dn_idx = 0;
+ struct gp_gpo **cse_filtered_gpos = NULL;
+ bool included;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ cse_filtered_gpos = talloc_array(tmp_ctx,
+ struct gp_gpo *,
+ num_dacl_filtered_gpos + 1);
+ if (cse_filtered_gpos == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < num_dacl_filtered_gpos; i++) {
+
+ dacl_filtered_gpo = dacl_filtered_gpos[i];
+
+ DEBUG(SSSDBG_TRACE_ALL, "examining cse candidate_gpo_guid: %s\n",
+ dacl_filtered_gpo->gpo_guid);
+
+ included = ad_gpo_includes_cse_guid(cse_guid,
+ dacl_filtered_gpo->gpo_cse_guids,
+ dacl_filtered_gpo->num_gpo_cse_guids);
+
+ if (included) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "GPO applicable to target per cse_guid filtering\n");
+ cse_filtered_gpos[gpo_dn_idx] = talloc_steal(cse_filtered_gpos,
+ dacl_filtered_gpo);
+ dacl_filtered_gpos[i] = NULL;
+ gpo_dn_idx++;
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "GPO not applicable to target per cse_guid filtering\n");
+ continue;
+ }
+ }
+
+ cse_filtered_gpos[gpo_dn_idx] = NULL;
+
+ *_cse_filtered_gpos = talloc_steal(mem_ctx, cse_filtered_gpos);
+ *_num_cse_filtered_gpos = gpo_dn_idx;
+
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This cse-specific function (GP_EXT_GUID_SECURITY) returns a boolean value
+ * based on whether the input user_sid or any of the input group_sids appear
+ * in the input list of privilege_sids.
+ */
+static bool
+check_rights(char **privilege_sids,
+ int privilege_size,
+ const char *user_sid,
+ const char **group_sids,
+ int group_size)
+{
+ int i, j;
+
+ for (i = 0; i < privilege_size; i++) {
+ if (strcmp(user_sid, privilege_sids[i]) == 0) {
+ return true;
+ }
+ for (j = 0; j < group_size; j++) {
+ if (strcmp(group_sids[j], privilege_sids[i]) == 0) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+/*
+ * This function parses the input ini_config object (which represents
+ * the cse-specific filename), and returns the policy_setting_value
+ * corresponding to the input policy_setting_key.
+ */
+static errno_t
+ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx,
+ struct ini_cfgobj *ini_config,
+ const char *policy_setting_key,
+ char **_policy_setting_value)
+{
+ struct value_obj *vobj = NULL;
+ int ret;
+ const char *policy_setting_value;
+
+ ret = ini_get_config_valueobj(RIGHTS_SECTION, policy_setting_key, ini_config,
+ INI_GET_FIRST_VALUE, &vobj);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_get_config_valueobj failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+ if (vobj == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "section/name not found: [%s][%s]\n",
+ RIGHTS_SECTION, policy_setting_key);
+ ret = ENOENT;
+ goto done;
+ }
+ policy_setting_value = ini_get_string_config_value(vobj, &ret);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_get_string_config_value failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ if (policy_setting_value[0]) {
+ *_policy_setting_value = talloc_strdup(mem_ctx, policy_setting_value);
+ if (!*_policy_setting_value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ /* This is an explicitly empty policy setting.
+ * We need to remove this from the LDB.
+ */
+ *_policy_setting_value = NULL;
+ }
+
+ ret = EOK;
+
+ done:
+
+ return ret;
+}
+
+/*
+ * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename,
+ * and stores the allow_key and deny_key of all of the gpo_map_types present
+ * in the file (as part of the GPO Result object in the sysdb cache).
+ */
+static errno_t
+ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+ const char *filename)
+{
+ struct ini_cfgfile *file_ctx = NULL;
+ struct ini_cfgobj *ini_config = NULL;
+ int ret;
+ int i;
+ char *allow_value = NULL;
+ char *deny_value = NULL;
+ const char *empty_val = "NO_SID";
+ const char *allow_key = NULL;
+ const char *deny_key = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ini_config_create(&ini_config);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_config_create failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_config_file_open(filename, 0, &file_ctx);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_config_file_open failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_config_parse(file_ctx, INI_STOP_ON_NONE, 0, 0, ini_config);
+ if (ret != 0) {
+ int lret;
+ char **errors;
+
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "[%s]: ini_config_parse failed [%d][%s]\n",
+ filename, ret, strerror(ret));
+
+ /* Now get specific errors if there are any */
+ lret = ini_config_get_errors(ini_config, &errors);
+ if (lret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to get specific parse error [%d][%s]\n", lret,
+ strerror(lret));
+ goto done;
+ }
+
+ for (int a = 0; errors[a]; a++) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "%s\n", errors[a]);
+ }
+ ini_config_free_errors(errors);
+
+ /* Do not 'goto done' here. We will try to parse
+ * the GPO file again. */
+ }
+
+ if (ret != EOK) {
+ /* A problem occurred during parsing.
Try again
+ * with INI_PARSE_IGNORE_NON_KVP flag */
+
+ ini_config_file_destroy(file_ctx);
+ file_ctx = NULL;
+ ini_config_destroy(ini_config);
+ ini_config = NULL;
+
+ ret = ini_config_file_open(filename, 0, &file_ctx);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_config_file_open failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_config_create(&ini_config);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_config_create failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_config_parse(file_ctx, INI_STOP_ON_NONE, 0,
+ INI_PARSE_IGNORE_NON_KVP, ini_config);
+ if (ret != 0) {
+ int lret;
+ char **errors;
+
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "[%s]: ini_config_parse failed [%d][%s]\n",
+ filename, ret, strerror(ret));
+
+ /* Now get specific errors if there are any */
+ lret = ini_config_get_errors(ini_config, &errors);
+ if (lret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to get specific parse error [%d][%s]\n", lret,
+ strerror(lret));
+ goto done;
+ }
+
+ for (int a = 0; errors[a]; a++) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "%s\n", errors[a]);
+ }
+ ini_config_free_errors(errors);
+
+ goto done;
+ }
+ }
+
+ for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
+ /* The NO_SID val is used as special SID value for the case when
+ * no SIDs are found in the rule, but we need to store some
+ * value (SID) with the key (rule name) so that it is clear
+ * that the rule is defined on the server. */
+ struct gpo_map_option_entry entry = gpo_map_option_entries[i];
+
+ allow_key = entry.allow_key;
+ if (allow_key != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "allow_key = %s\n", allow_key);
+ ret = ad_gpo_extract_policy_setting(tmp_ctx,
+ ini_config,
+ allow_key,
+ &allow_value);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ad_gpo_extract_policy_setting failed for %s [%d][%s]\n",
+ allow_key, ret, sss_strerror(ret));
+ goto done;
+ } else if (ret != ENOENT) {
+ const char *value = allow_value ?
allow_value : empty_val;
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ allow_key,
+ value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "'%s' value:'%s' [%d][%s]\n", allow_key, allow_value,
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+ }
+
+ deny_key = entry.deny_key;
+ if (deny_key != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "deny_key = %s\n", deny_key);
+ ret = ad_gpo_extract_policy_setting(tmp_ctx,
+ ini_config,
+ deny_key,
+ &deny_value);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ad_gpo_extract_policy_setting failed for %s [%d][%s]\n",
+ deny_key, ret, sss_strerror(ret));
+ goto done;
+ } else if (ret != ENOENT) {
+ const char *value = deny_value ? deny_value : empty_val;
+ ret = sysdb_gpo_store_gpo_result_setting(domain,
+ deny_key,
+ value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_gpo_store_gpo_result_setting failed for key:"
+ "'%s' value:'%s' [%d][%s]\n", deny_key, deny_value,
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+ }
+ }
+
+ ret = EOK;
+
+ done:
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error encountered: %d.\n", ret);
+ }
+ ini_config_file_destroy(file_ctx);
+ ini_config_destroy(ini_config);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This cse-specific function (GP_EXT_GUID_SECURITY) performs the access
+ * check for determining whether logon access is granted or denied for
+ * the {user,domain} tuple specified in the inputs. This function returns EOK
+ * to indicate that access is granted. Any other return value indicates that
+ * access is denied.
+ *
+ * The access control algorithm first determines whether the "principal_sids"
+ * (i.e. user_sid or group_sids) appear in allowed_sids and denied_sids.
+ *
+ * For access to be granted, both the "allowed_sids_condition" *and* the
+ * "denied_sids_condition" must be met (in all other cases, access is denied).
+ * 1) The "allowed_sids_condition" is satisfied if any of the principal_sids
+ * appears in allowed_sids OR if the allowed_sids list is empty
+ * 2) The "denied_sids_condition" is satisfied if none of the principal_sids
+ * appear in denied_sids
+ *
+ * Note that a deployment that is unaware of GPO-based access-control policy
+ * settings is unaffected by them (b/c absence of allowed_sids grants access).
+ *
+ * Note that if a principal_sid appears in both allowed_sids and denied_sids,
+ * the "allowed_sids_condition" is met, but the "denied_sids_condition" is not.
+ * In other words, Deny takes precedence over Allow.
+ */
+static errno_t
+ad_gpo_access_check(TALLOC_CTX *mem_ctx,
+ enum gpo_access_control_mode gpo_mode,
+ enum gpo_map_type gpo_map_type,
+ const char *user,
+ struct sss_domain_info *domain,
+ char **allowed_sids,
+ int allowed_size,
+ char **denied_sids,
+ int denied_size)
+{
+ const char *user_sid;
+ const char **group_sids;
+ int group_size = 0;
+ bool access_granted = false;
+ bool access_denied = false;
+ int ret;
+ int j;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "RESULTANT POLICY:\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "gpo_map_type: %s\n",
+ gpo_map_type_string(gpo_map_type));
+ DEBUG(SSSDBG_TRACE_FUNC, "allowed_size = %d\n", allowed_size);
+ for (j= 0; j < allowed_size; j++) {
+ DEBUG(SSSDBG_TRACE_FUNC, "allowed_sids[%d] = %s\n", j, allowed_sids[j]);
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "denied_size = %d\n", denied_size);
+ for (j= 0; j < denied_size; j++) {
+ DEBUG(SSSDBG_TRACE_FUNC, " denied_sids[%d] = %s\n", j, denied_sids[j]);
+ }
+
+ ret = ad_gpo_get_sids(mem_ctx, user, domain, &user_sid,
+ &group_sids, &group_size);
+ if (ret != EOK) {
+ ret = ERR_NO_SIDS;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to retrieve SIDs: [%d](%s)\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "CURRENT USER:\n");
+ DEBUG(SSSDBG_TRACE_FUNC, " user_sid = %s\n", user_sid);
+
+ for (j= 0; j < group_size; j++) {
+ DEBUG(SSSDBG_TRACE_FUNC, " group_sids[%d] = %s\n",
j,
+ group_sids[j]);
+ }
+
+ if (allowed_size == 0) {
+ access_granted = true;
+ } else {
+ access_granted = check_rights(allowed_sids, allowed_size, user_sid,
+ group_sids, group_size);
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "POLICY DECISION:\n");
+
+ DEBUG(SSSDBG_TRACE_FUNC, " access_granted = %d\n", access_granted);
+
+ access_denied = check_rights(denied_sids, denied_size, user_sid,
+ group_sids, group_size);
+ DEBUG(SSSDBG_TRACE_FUNC, " access_denied = %d\n", access_denied);
+
+ if (access_granted && !access_denied) {
+ return EOK;
+ } else {
+ switch (gpo_mode) {
+ case GPO_ACCESS_CONTROL_ENFORCING:
+ return ERR_ACCESS_DENIED;
+ case GPO_ACCESS_CONTROL_PERMISSIVE:
+ DEBUG(SSSDBG_TRACE_FUNC, "access denied: permissive mode\n");
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " \
+ "have been denied GPO-based logon access if the " \
+ "ad_gpo_access_control option were set to enforcing " \
+ "mode.");
+ return EOK;
+ default:
+ return EINVAL;
+ }
+ }
+
+ done:
+
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error encountered: %d.\n", ret);
+ }
+
+ return ret;
+}
+
+#define GPO_CHILD_LOG_FILE "gpo_child"
+
+static errno_t gpo_child_init(void)
+{
+ return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd);
+}
+
+/*
+ * This function retrieves the raw policy_setting_value for the input key from
+ * the GPO_Result object in the sysdb cache. It then parses the raw value and
+ * uses the results to populate the output parameters with the sids_list and
+ * the size of the sids_list.
+ */
+errno_t
+parse_policy_setting_value(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *key,
+ char ***_sids_list,
+ int *_sids_list_size)
+{
+ int ret;
+ int i;
+ const char *value;
+ int sids_list_size;
+ char **sids_list = NULL;
+
+ ret = sysdb_gpo_get_gpo_result_setting(mem_ctx, domain, key, &value);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No previous GPO result\n");
+ value = NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot retrieve settings from sysdb for key: '%s' [%d][%s].\n",
+ key, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (value == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No value for key [%s] found in gpo result\n", key);
+ sids_list_size = 0;
+ } else {
+ ret = split_on_separator(mem_ctx, value, ',', true, true,
+ &sids_list, &sids_list_size);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot parse list of sids %s: %d\n", value, ret);
+ ret = EINVAL;
+ goto done;
+ }
+
+ for (i = 0; i < sids_list_size; i++) {
+ /* remove the asterisk prefix found on sids */
+ sids_list[i]++;
+ }
+ }
+
+ *_sids_list = talloc_steal(mem_ctx, sids_list);
+ *_sids_list_size = sids_list_size;
+
+ ret = EOK;
+
+ done:
+ return ret;
+}
+
+/*
+ * This cse-specific function (GP_EXT_GUID_SECURITY) performs HBAC policy
+ * processing and determines whether logon access is granted or denied for
+ * the {user,domain} tuple specified in the inputs. This function returns EOK
+ * to indicate that access is granted. Any other return value indicates that
+ * access is denied.
+ *
+ * Internally, this function retrieves the allow_value and deny_value for the
+ * input gpo_map_type from the GPO Result object in the sysdb cache, parses
+ * the values into allow_sids and deny_sids, and executes the access control
+ * algorithm which compares the allow_sids and deny_sids against the user_sid
+ * and group_sids for the input user.
+ */
+static errno_t
+ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
+ enum gpo_access_control_mode gpo_mode,
+ enum gpo_map_type gpo_map_type,
+ const char *user,
+ struct sss_domain_info *user_domain,
+ struct sss_domain_info *host_domain)
+{
+ int ret;
+ const char *allow_key = NULL;
+ char **allow_sids;
+ int allow_size ;
+ const char *deny_key = NULL;
+ char **deny_sids;
+ int deny_size;
+
+ allow_key = gpo_map_option_entries[gpo_map_type].allow_key;
+ DEBUG(SSSDBG_TRACE_ALL, "allow_key: %s\n", allow_key);
+ deny_key = gpo_map_option_entries[gpo_map_type].deny_key;
+ DEBUG(SSSDBG_TRACE_ALL, "deny_key: %s\n", deny_key);
+
+ ret = parse_policy_setting_value(mem_ctx, host_domain, allow_key,
+ &allow_sids, &allow_size);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "parse_policy_setting_value failed for key %s: [%d](%s)\n",
+ allow_key, ret, sss_strerror(ret));
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = parse_policy_setting_value(mem_ctx, host_domain, deny_key,
+ &deny_sids, &deny_size);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "parse_policy_setting_value failed for key %s: [%d](%s)\n",
+ deny_key, ret, sss_strerror(ret));
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* perform access check with the final resultant allow_sids and deny_sids */
+ ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
+ user_domain, allow_sids, allow_size, deny_sids,
+ deny_size);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "GPO access check failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ done:
+ return ret;
+}
+
+/* == ad_gpo_access_send/recv implementation ================================*/
+
+struct ad_gpo_access_state {
+ struct tevent_context *ev;
+ struct ldb_context *ldb_ctx;
+ struct ad_access_ctx *access_ctx;
+ enum gpo_access_control_mode gpo_mode;
+ enum gpo_map_type gpo_map_type;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *sdap_op;
+ char *server_hostname;
+ struct sdap_options *opts;
+ int timeout;
+ struct
sss_domain_info *user_domain;
+ struct sss_domain_info *host_domain;
+ const char *user;
+ int gpo_timeout_option;
+ const char *ad_hostname;
+ const char *target_dn;
+ struct gp_gpo **dacl_filtered_gpos;
+ int num_dacl_filtered_gpos;
+ struct gp_gpo **cse_filtered_gpos;
+ int num_cse_filtered_gpos;
+ int cse_gpo_index;
+};
+
+static void ad_gpo_connect_done(struct tevent_req *subreq);
+static void ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq);
+static void ad_gpo_process_som_done(struct tevent_req *subreq);
+static void ad_gpo_process_gpo_done(struct tevent_req *subreq);
+
+static errno_t ad_gpo_cse_step(struct tevent_req *req);
+static void ad_gpo_cse_done(struct tevent_req *subreq);
+
+struct tevent_req *
+ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sss_domain_info *domain,
+ struct ad_access_ctx *ctx,
+ const char *user,
+ const char *service)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct ad_gpo_access_state *state;
+ errno_t ret;
+ int hret;
+ hash_key_t key;
+ hash_value_t val;
+ enum gpo_map_type gpo_map_type;
+
+ /* setup logging for gpo child */
+ gpo_child_init();
+
+ req = tevent_req_create(mem_ctx, &state, struct ad_gpo_access_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ /* determine service's option_type (e.g. interactive, network, etc) */
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(state, service);
+
+ hret = hash_lookup(ctx->gpo_map_options_table, &key, &val);
+ if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error checking hash table: [%s]\n",
+ hash_error_string(hret));
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ /* if service isn't mapped, map it to value of ad_gpo_default_right option */
+ if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Configuration hint: PAM service '%s' is not mapped to any Group"
+ " Policy rule.
If you plan to use this PAM service it is "
+ "recommended to use the ad_gpo_map_* family of options to map "
+ "this PAM service to a Group Policy rule. PAM services not "
+ "present in any map will fall back to value set in "
+ "ad_gpo_default_right, which is currently set to %s (see manual "
+ "pages 'man sssd-ad' for more details).\n", service,
+ gpo_map_type_string(ctx->gpo_default_right));
+ gpo_map_type = ctx->gpo_default_right;
+ } else {
+ gpo_map_type = (enum gpo_map_type) val.i;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "service %s maps to %s\n", service,
+ gpo_map_type_string(gpo_map_type));
+
+ if (gpo_map_type == GPO_MAP_PERMIT) {
+ ret = EOK;
+ goto immediately;
+ }
+
+ if (gpo_map_type == GPO_MAP_DENY) {
+ switch (ctx->gpo_access_control_mode) {
+ case GPO_ACCESS_CONTROL_ENFORCING:
+ ret = ERR_ACCESS_DENIED;
+ goto immediately;
+ case GPO_ACCESS_CONTROL_PERMISSIVE:
+ DEBUG(SSSDBG_TRACE_FUNC, "access denied: permissive mode\n");
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " \
+ "have been denied GPO-based logon access if the " \
+ "ad_gpo_access_control option were set to enforcing " \
+ "mode.");
+ ret = EOK;
+ goto immediately;
+ default:
+ ret = EINVAL;
+ goto immediately;
+ }
+ }
+
+ /* GPO Operations all happen against the enrolled domain,
+ * not the user's domain (which may be a trusted realm)
+ */
+ state->user_domain = domain;
+ state->host_domain = get_domains_head(domain);
+
+ state->gpo_map_type = gpo_map_type;
+ state->dacl_filtered_gpos = NULL;
+ state->num_dacl_filtered_gpos = 0;
+ state->cse_filtered_gpos = NULL;
+ state->num_cse_filtered_gpos = 0;
+ state->cse_gpo_index = 0;
+ state->ev = ev;
+ state->user = user;
+ state->ldb_ctx = sysdb_ctx_get_ldb(state->host_domain->sysdb);
+ state->gpo_mode = ctx->gpo_access_control_mode;
+ state->gpo_timeout_option = ctx->gpo_cache_timeout;
+ state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
+ state->access_ctx = ctx;
+ state->opts =
ctx->sdap_access_ctx->id_ctx->opts;
+ state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+ state->conn = ad_get_dom_ldap_conn(ctx->ad_id_ctx, state->host_domain);
+ state->sdap_op = sdap_id_op_create(state, state->conn->conn_cache);
+ if (state->sdap_op == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_id_op_connect_send failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto immediately;
+ }
+ tevent_req_set_callback(subreq, ad_gpo_connect_done, req);
+
+ return req;
+
+immediately:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+process_offline_gpos(TALLOC_CTX *mem_ctx,
+ const char *user,
+ enum gpo_access_control_mode gpo_mode,
+ struct sss_domain_info *user_domain,
+ struct sss_domain_info *host_domain,
+ enum gpo_map_type gpo_map_type)
+
+{
+ errno_t ret;
+
+ ret = ad_gpo_perform_hbac_processing(mem_ctx,
+ gpo_mode,
+ gpo_map_type,
+ user,
+ user_domain,
+ host_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* we have successfully processed all offline gpos */
+ ret = EOK;
+
+ done:
+ return ret;
+}
+
+static void
+ad_gpo_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_access_state *state;
+ char *filter;
+ const char *sam_account_name;
+ char *domain_dn;
+ int dp_error;
+ errno_t ret;
+ char *server_uri;
+ LDAPURLDesc *lud;
+
+ const char *attrs[] = {AD_AT_DN, AD_AT_UAC, NULL};
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_access_state);
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ if (dp_error !=
DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to connect to AD server: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
+ ret = process_offline_gpos(state,
+ state->user,
+ state->gpo_mode,
+ state->user_domain,
+ state->host_domain,
+ state->gpo_map_type);
+
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "process_offline_gpos succeeded\n");
+ tevent_req_done(req);
+ goto done;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "process_offline_gpos failed [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+ }
+
+ /* extract server_hostname from server_uri */
+ server_uri = state->conn->service->uri;
+ ret = ldap_url_parse(server_uri, &lud);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse ldap URI (%s)!\n", server_uri);
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (lud->lud_host == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "The LDAP URI (%s) did not contain a host name\n", server_uri);
+ ldap_free_urldesc(lud);
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->server_hostname = talloc_strdup(state, lud->lud_host);
+ ldap_free_urldesc(lud);
+ if (!state->server_hostname) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "server_hostname from uri: %s\n",
+ state->server_hostname);
+
+ /* SDAP_SASL_AUTHID contains the name used for kinit and SASL bind which
+ * in the AD case is the NetBIOS name.
*/
+ sam_account_name = dp_opt_get_string(state->opts->basic, SDAP_SASL_AUTHID);
+ if (sam_account_name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "sam_account_name is %s\n", sam_account_name);
+
+ /* Convert the domain name into domain DN */
+ ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot convert domain name [%s] to base DN [%d]: %s\n",
+ state->host_domain->name, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* SDAP_OC_USER objectclass covers both users and computers */
+ filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s=%s))",
+ state->opts->user_map[SDAP_OC_USER].name,
+ state->opts->user_map[SDAP_AT_USER_NAME].name,
+ sam_account_name);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ subreq = sdap_get_generic_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ domain_dn, LDAP_SCOPE_SUBTREE,
+ filter, attrs, NULL, 0,
+ state->timeout,
+ false);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_target_dn_retrieval_done, req);
+
+ ret = EOK;
+
+ done:
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+}
+
+static void
+ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_access_state *state;
+ int ret;
+ int dp_error;
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+ const char *target_dn = NULL;
+ uint32_t uac;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_access_state);
+ ret = sdap_get_generic_recv(subreq, state,
+ &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+ if (ret == EAGAIN && dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n");
+ ret =
process_offline_gpos(state,
+ state->user,
+ state->gpo_mode,
+ state->user_domain,
+ state->host_domain,
+ state->gpo_map_type);
+
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "process_offline_gpos succeeded\n");
+ tevent_req_done(req);
+ goto done;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "process_offline_gpos failed [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get policy target's DN: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* make sure there is only one non-NULL reply returned */
+
+ if (reply_count < 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "No DN retrieved for policy target.\n");
+ ret = ENOENT;
+ goto done;
+ } else if (reply_count > 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Multiple replies for policy target\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ } else if (reply == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "reply_count is 1, but reply is NULL\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ /* reply[0] holds requested attributes of single reply */
+ ret = sysdb_attrs_get_string(reply[0], AD_AT_DN, &target_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_string failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ state->target_dn = talloc_steal(state, target_dn);
+ if (state->target_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_uint32_t(reply[0], AD_AT_UAC, &uac);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_uint32_t failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* we only support computer policy targets, not users */
+ if (!(uac & UAC_WORKSTATION_TRUST_ACCOUNT ||
+ uac & UAC_SERVER_TRUST_ACCOUNT)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Invalid userAccountControl (%x) value for machine account.\n",
+ uac);
+ ret = EINVAL;
+ goto done;
+ }
+
+ subreq = ad_gpo_process_som_send(state,
+ state->ev,
+ state->conn,
+ state->ldb_ctx,
+ state->sdap_op,
+ state->opts,
+
state->access_ctx->ad_options,
+ state->timeout,
+ state->target_dn,
+ state->host_domain->name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_process_som_done, req);
+
+ ret = EOK;
+
+ done:
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+}
+
+static void
+ad_gpo_process_som_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_access_state *state;
+ int ret;
+ struct gp_som **som_list;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_access_state);
+ ret = ad_gpo_process_som_recv(subreq, state, &som_list);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get som list: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ ret = ENOENT;
+ goto done;
+ }
+
+ subreq = ad_gpo_process_gpo_send(state,
+ state->ev,
+ state->sdap_op,
+ state->opts,
+ state->server_hostname,
+ state->host_domain,
+ state->access_ctx,
+ state->timeout,
+ som_list);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_process_gpo_done, req);
+
+ ret = EOK;
+
+ done:
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+}
+
+/*
+ * This function retrieves a list of candidate_gpos and potentially reduces it
+ * to a list of dacl_filtered_gpos, based on each GPO's DACL.
+ *
+ * This function then takes the list of dacl_filtered_gpos and potentially
+ * reduces it to a list of cse_filtered_gpos, based on whether each GPO's list
+ * of cse_guids includes the "SecuritySettings" CSE GUID (used for HBAC).
+ *
+ * Ultimately, this function then sends each cse_filtered_gpo to the gpo_child,
+ * which retrieves the GPT.INI and policy files (as needed). Once all files
+ * have been downloaded, the ad_gpo_cse_done function performs HBAC processing.
+ */
+static void
+ad_gpo_process_gpo_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_access_state *state;
+ int ret;
+ int dp_error;
+ struct gp_gpo **candidate_gpos = NULL;
+ int num_candidate_gpos = 0;
+ int i = 0;
+ const char **cse_filtered_gpo_guids;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_access_state);
+ ret = ad_gpo_process_gpo_recv(subreq, state, &candidate_gpos,
+ &num_candidate_gpos);
+
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get GPO list: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No GPOs found that apply to this system.\n");
+ /*
+ * Delete the result object list, since there are no
+ * GPOs to include in it.
+ */
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+ if (ret != EOK) {
+ switch (ret) {
+ case ENOENT:
+ DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not delete GPO Result from cache: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+ goto done;
+ }
+
+ ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain,
+ state->opts->idmap_ctx->map,
+ candidate_gpos, num_candidate_gpos,
+ &state->dacl_filtered_gpos,
+ &state->num_dacl_filtered_gpos);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to filter GPO list by DACL: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (state->dacl_filtered_gpos[0] == NULL) {
+ /* since no applicable gpos were found, there is nothing to enforce */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "no applicable gpos found after dacl filtering\n");
+
+ /*
+ * Delete the result object list, since there are no
+ * GPOs to include in it.
+ */
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+ if (ret != EOK) {
+ switch (ret) {
+ case ENOENT:
+ DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not delete GPO Result from cache: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+ goto done;
+ }
+
+ for (i = 0; i < state->num_dacl_filtered_gpos; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC, "dacl_filtered_gpos[%d]->gpo_guid is %s\n", i,
+ state->dacl_filtered_gpos[i]->gpo_guid);
+ }
+
+ ret = ad_gpo_filter_gpos_by_cse_guid(state,
+ GP_EXT_GUID_SECURITY,
+ state->dacl_filtered_gpos,
+ state->num_dacl_filtered_gpos,
+ &state->cse_filtered_gpos,
+ &state->num_cse_filtered_gpos);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to filter GPO list by CSE_GUID: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (state->cse_filtered_gpos[0] == NULL) {
+ /* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "no applicable gpos found after cse_guid filtering\n");
+ ret = EOK;
+ goto done;
+ }
+
+ /* we create and populate an array of applicable gpo-guids */
+ cse_filtered_gpo_guids =
+ talloc_array(state, const char *, state->num_cse_filtered_gpos);
+ if (cse_filtered_gpo_guids == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < state->num_cse_filtered_gpos; i++) {
+ DEBUG(SSSDBG_TRACE_FUNC, "cse_filtered_gpos[%d]->gpo_guid is %s\n", i,
+ state->cse_filtered_gpos[i]->gpo_guid);
+ cse_filtered_gpo_guids[i] = talloc_steal(cse_filtered_gpo_guids,
+ state->cse_filtered_gpos[i]->gpo_guid);
+ if (cse_filtered_gpo_guids[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "num_cse_filtered_gpos: %d\n",
+ state->num_cse_filtered_gpos);
+
+ /*
+ * before we start processing each gpo, we delete the GPO Result object
+ * from the sysdb cache so that any previous policy settings are cleared;
+ * subsequent functions
will add the GPO Result object (and populate it
+ * with resultant policy settings) for this policy application
+ */
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+ if (ret != EOK) {
+ switch (ret) {
+ case ENOENT:
+ DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not delete GPO Result from cache: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = ad_gpo_cse_step(req);
+
+ done:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t
+ad_gpo_cse_step(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct ad_gpo_access_state *state;
+ int i = 0;
+ struct ldb_result *res;
+ errno_t ret;
+ bool send_to_child = true;
+ int cached_gpt_version = 0;
+ time_t policy_file_timeout = 0;
+
+ state = tevent_req_data(req, struct ad_gpo_access_state);
+
+ struct gp_gpo *cse_filtered_gpo =
+ state->cse_filtered_gpos[state->cse_gpo_index];
+
+ /* cse_filtered_gpo is NULL after all GPO policy files have been downloaded */
+ if (cse_filtered_gpo == NULL) return EOK;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "cse filtered_gpos[%d]->gpo_guid is %s\n",
+ state->cse_gpo_index, cse_filtered_gpo->gpo_guid);
+ for (i = 0; i < cse_filtered_gpo->num_gpo_cse_guids; i++) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "cse_filtered_gpos[%d]->gpo_cse_guids[%d]->gpo_guid is %s\n",
+ state->cse_gpo_index, i, cse_filtered_gpo->gpo_cse_guids[i]);
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "smb_server: %s\n", cse_filtered_gpo->smb_server);
+ DEBUG(SSSDBG_TRACE_FUNC, "smb_share: %s\n", cse_filtered_gpo->smb_share);
+ DEBUG(SSSDBG_TRACE_FUNC, "smb_path: %s\n", cse_filtered_gpo->smb_path);
+ DEBUG(SSSDBG_TRACE_FUNC, "gpo_guid: %s\n", cse_filtered_gpo->gpo_guid);
+
+ cse_filtered_gpo->policy_filename =
+ talloc_asprintf(state,
+ GPO_CACHE_PATH"%s%s",
+ cse_filtered_gpo->smb_path,
+ GP_EXT_GUID_SECURITY_SUFFIX);
+ if (cse_filtered_gpo->policy_filename
== NULL) {
+ return ENOMEM;
+ }
+
+ /* retrieve gpo cache entry; set cached_gpt_version to -1 if unavailable */
+ DEBUG(SSSDBG_TRACE_FUNC, "retrieving GPO from cache [%s]\n",
+ cse_filtered_gpo->gpo_guid);
+ ret = sysdb_gpo_get_gpo_by_guid(state,
+ state->host_domain,
+ cse_filtered_gpo->gpo_guid,
+ &res);
+ if (ret == EOK) {
+ /*
+ * Note: if the timeout is valid, then we can later avoid downloading
+ * the GPT.INI file, as well as any policy files (i.e. we don't need
+ * to interact with the gpo_child at all). However, even if the timeout
+ * is not valid, while we will have to interact with the gpo child to
+ * download the GPT.INI file, we may still be able to avoid downloading
+ * the policy files (if the cached_gpt_version is the same as the
+ * GPT.INI version). In other words, the timeout is *not* an expiration
+ * for the entire cache entry; the cached_gpt_version never expires.
+ */
+
+ cached_gpt_version = ldb_msg_find_attr_as_int(res->msgs[0],
+ SYSDB_GPO_VERSION_ATTR,
+ 0);
+
+ policy_file_timeout = ldb_msg_find_attr_as_uint64
+ (res->msgs[0], SYSDB_GPO_TIMEOUT_ATTR, 0);
+
+ if (policy_file_timeout >= time(NULL)) {
+ send_to_child = false;
+ }
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC, "ENOENT\n");
+ cached_gpt_version = -1;
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not read GPO from cache: [%s]\n",
+ sss_strerror(ret));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "send_to_child: %d\n", send_to_child);
+ DEBUG(SSSDBG_TRACE_FUNC, "cached_gpt_version: %d\n", cached_gpt_version);
+
+ cse_filtered_gpo->send_to_child = send_to_child;
+
+ subreq = ad_gpo_process_cse_send(state,
+ state->ev,
+ send_to_child,
+ state->host_domain,
+ cse_filtered_gpo->gpo_guid,
+ cse_filtered_gpo->smb_server,
+ cse_filtered_gpo->smb_share,
+ cse_filtered_gpo->smb_path,
+ GP_EXT_GUID_SECURITY_SUFFIX,
+ cached_gpt_version,
+ state->gpo_timeout_option);
+
+ tevent_req_set_callback(subreq, ad_gpo_cse_done, req);
+ return EAGAIN;
+}
+
+/*
+ * This cse-specific
function (GP_EXT_GUID_SECURITY) increments the + * cse_gpo_index until the policy settings for all applicable GPOs have been + * stored as part of the GPO Result object in the sysdb cache. Once all + * GPOs have been processed, this functions performs HBAC processing by + * comparing the resultant policy setting values in the GPO Result object + * with the user_sid/group_sids of interest. + */ +static void +ad_gpo_cse_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ad_gpo_access_state *state; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_gpo_access_state); + + struct gp_gpo *cse_filtered_gpo = + state->cse_filtered_gpos[state->cse_gpo_index]; + + const char *gpo_guid = cse_filtered_gpo->gpo_guid; + + DEBUG(SSSDBG_TRACE_FUNC, "gpo_guid: %s\n", gpo_guid); + + ret = ad_gpo_process_cse_recv(subreq); + + talloc_zfree(subreq); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve policy data: [%d](%s}\n", + ret, sss_strerror(ret)); + goto done; + } + + /* + * now that the policy file for this gpo have been downloaded to the + * GPO CACHE, we store all of the supported keys present in the file + * (as part of the GPO Result object in the sysdb cache). 
+ */
+ ret = ad_gpo_store_policy_settings(state->host_domain,
+ cse_filtered_gpo->policy_filename);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ad_gpo_store_policy_settings failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ state->cse_gpo_index++;
+ ret = ad_gpo_cse_step(req);
+
+ if (ret == EOK) {
+ /* ret is EOK only after all GPO policy files have been downloaded */
+ ret = ad_gpo_perform_hbac_processing(state,
+ state->gpo_mode,
+ state->gpo_map_type,
+ state->user,
+ state->user_domain,
+ state->host_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ }
+
+ done:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+}
+
+errno_t
+ad_gpo_access_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* == ad_gpo_process_som_send/recv helpers ================================= */
+
+/*
+ * This function returns the parent of an LDAP DN
+ */
+static errno_t
+ad_gpo_parent_dn(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb_ctx,
+ const char *dn,
+ const char **_parent_dn)
+{
+ struct ldb_dn *ldb_dn;
+ struct ldb_dn *parent_ldb_dn;
+ const char *p;
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ldb_dn = ldb_dn_new(tmp_ctx, ldb_ctx, dn);
+ parent_ldb_dn = ldb_dn_get_parent(tmp_ctx, ldb_dn);
+ p = ldb_dn_get_linearized(parent_ldb_dn);
+
+ *_parent_dn = talloc_steal(mem_ctx, p);
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This function populates the _som_list output parameter by parsing the input
+ * DN into a list of gp_som objects. This function essentially repeatedly
+ * appends the input DN's parent to the SOM List (if the parent starts with
+ * "OU=" or "DC="), until the first "DC=" component is reached.
+ * Example: if input DN is "CN=MyComputer,CN=Computers,OU=Sales,DC=FOO,DC=COM",
+ * then SOM List has 2 SOM entries: {[OU=Sales,DC=FOO,DC=COM], [DC=FOO, DC=COM]}
+ */
+
+static errno_t
+ad_gpo_populate_som_list(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb_ctx,
+ const char *target_dn,
+ int *_num_soms,
+ struct gp_som ***_som_list)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ int ret;
+ int rdn_count = 0;
+ int som_idx = 0;
+ struct gp_som **som_list;
+ const char *parent_dn = NULL;
+ const char *tmp_dn = NULL;
+ struct ldb_dn *ldb_target_dn;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ldb_target_dn = ldb_dn_new(tmp_ctx, ldb_ctx, target_dn);
+ if (ldb_target_dn == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ rdn_count = ldb_dn_get_comp_num(ldb_target_dn);
+ if (rdn_count == -1) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (rdn_count == 0) {
+ *_som_list = NULL;
+ ret = EOK;
+ goto done;
+ }
+
+ /* assume the worst-case, in which every parent is a SOM */
+ /* include space for Site SOM and NULL: rdn_count + 1 + 1 */
+ som_list = talloc_array(tmp_ctx, struct gp_som *, rdn_count + 1 + 1);
+ if (som_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* first, populate the OU and Domain SOMs */
+ tmp_dn = target_dn;
+ while ((ad_gpo_parent_dn(tmp_ctx, ldb_ctx, tmp_dn, &parent_dn)) == EOK) {
+
+ if ((strncasecmp(parent_dn, "OU=", strlen("OU=")) == 0) ||
+ (strncasecmp(parent_dn, "DC=", strlen("DC=")) == 0)) {
+
+ som_list[som_idx] = talloc_zero(som_list, struct gp_som);
+ if (som_list[som_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ som_list[som_idx]->som_dn = talloc_steal(som_list[som_idx],
+ parent_dn);
+ if (som_list[som_idx]->som_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ som_idx++;
+ }
+
+ if (strncasecmp(parent_dn, "DC=", strlen("DC=")) == 0) {
+ break;
+ }
+ tmp_dn = parent_dn;
+ }
+
+ som_list[som_idx] = NULL;
+
+ *_num_soms = som_idx;
+ *_som_list = talloc_steal(mem_ctx, som_list);
+
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This function populates the _gplink_list output parameter by parsing the
+ * input raw_gplink_value into an array of gp_gplink objects, each consisting of
+ * a GPO DN and bool enforced field.
+ *
+ * The raw_gplink_value is single string consisting of multiple gplink strings.
+ * The raw_gplink_value is in the following format:
+ * "[GPO_DN_1;GPLinkOptions_1]...[GPO_DN_n;GPLinkOptions_n]"
+ *
+ * Each gplink string consists of a GPO DN and a GPLinkOptions field (which
+ * indicates whether its associated GPO DN is ignored, unenforced, or enforced).
+ * If a GPO DN is flagged as ignored, it is discarded and will not be added to
+ * the _gplink_list. If the allow_enforced_only input is true, AND a GPO DN is
+ * flagged as unenforced, it will also be discarded.
+ *
+ * Example: if raw_gplink_value="[OU=Sales,DC=FOO,DC=COM;0][DC=FOO,DC=COM;2]"
+ * and allow_enforced_only=FALSE, then the output would consist of following:
+ * _gplink_list[0]: {GPO DN: "OU=Sales,DC=FOO,DC=COM", enforced: FALSE}
+ * _gplink_list[1]: {GPO DN: "DC=FOO,DC=COM", enforced: TRUE}
+ */
+static errno_t
+ad_gpo_populate_gplink_list(TALLOC_CTX *mem_ctx,
+ const char *som_dn,
+ char *raw_gplink_value,
+ struct gp_gplink ***_gplink_list,
+ bool allow_enforced_only)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *ptr;
+ char *first;
+ char *last;
+ char *dn;
+ char *gplink_options;
+ const char delim = ']';
+ struct gp_gplink **gplink_list;
+ int i;
+ int ret;
+ uint32_t gplink_number;
+ int gplink_count = 0;
+ int num_enabled = 0;
+
+ if (raw_gplink_value == NULL ||
+ *raw_gplink_value == '\0' ||
+ _gplink_list == NULL) {
+ return EINVAL;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "som_dn: %s\n", som_dn);
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ptr = raw_gplink_value;
+
+ while ((ptr = strchr(ptr, delim))) {
+ ptr++;
+ gplink_count++;
+ }
+
+ if (gplink_count == 0) {
+ ret = EOK;
+ goto done;
+ }
+
+ gplink_list = talloc_array(tmp_ctx, struct gp_gplink *, gplink_count + 1);
+ if (gplink_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ num_enabled = 0;
+ ptr = raw_gplink_value;
+ for (i = 0; i < gplink_count; i++) {
+ first = ptr + 1;
+ last = strchr(first, delim);
+ if (last == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+ *last = '\0';
+ last++;
+ dn = first;
+ if ( strncasecmp(dn, "LDAP://", 7)== 0 ) {
+ dn = dn + 7;
+ }
+ gplink_options = strchr(first, ';');
+ if (gplink_options == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+ *gplink_options = '\0';
+ gplink_options++;
+
+ gplink_number = strtouint32(gplink_options, NULL, 10);
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "strtouint32 failed: [%d](%s)\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "gplink_list[%d]: [%s; %d]\n", num_enabled, dn, gplink_number);
+
+ if ((gplink_number == 1) || (gplink_number ==3)) {
+ /* ignore flag is set */
+ DEBUG(SSSDBG_TRACE_ALL, "ignored gpo skipped\n");
+ ptr = last;
+ continue;
+ }
+
+ if (allow_enforced_only && (gplink_number == 0)) {
+ /* unenforced flag is set; only enforced gpos allowed */
+ DEBUG(SSSDBG_TRACE_ALL, "unenforced gpo skipped\n");
+ ptr = last;
+ continue;
+ }
+
+ gplink_list[num_enabled] = talloc_zero(gplink_list, struct gp_gplink);
+ if (gplink_list[num_enabled] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ gplink_list[num_enabled]->gpo_dn =
+ talloc_strdup(gplink_list[num_enabled], dn);
+
+ if (gplink_list[num_enabled]->gpo_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (gplink_number == 0) {
+ gplink_list[num_enabled]->enforced = 0;
+ num_enabled++;
+ } else if (gplink_number == 2) {
+ gplink_list[num_enabled]->enforced = 1;
+ num_enabled++;
+ } else {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ptr = last;
+ }
+ gplink_list[num_enabled] = NULL;
+
+ *_gplink_list = talloc_steal(mem_ctx, gplink_list);
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/* == ad_gpo_process_som_send/recv implementation ========================== */
+
+struct ad_gpo_process_som_state {
+ struct tevent_context *ev;
+ struct sdap_id_op *sdap_op;
+ struct sdap_options *opts;
+ struct dp_option *ad_options;
+ int timeout;
+ bool allow_enforced_only;
+ char *site_name;
+ char *site_dn;
+ struct gp_som **som_list;
+ int som_index;
+ int num_soms;
+};
+
+static void ad_gpo_site_name_retrieval_done(struct tevent_req *subreq);
+static void ad_gpo_site_dn_retrieval_done(struct tevent_req *subreq);
+static errno_t ad_gpo_get_som_attrs_step(struct tevent_req *req);
+static void ad_gpo_get_som_attrs_done(struct tevent_req *subreq);
+
+/*
+ * This function uses the input target_dn and input domain_name to populate
+ * a list of gp_som objects. Each object in this list represents a SOM
+ * associated with the target (such as OU, Domain, and Site).
+ *
+ * The inputs are used to determine the DNs of each SOM associated with the
+ * target. In turn, the SOM object DNs are used to retrieve certain LDAP
+ * attributes of each SOM object, that are parsed into an array of gp_gplink
+ * objects, essentially representing the GPOs that have been linked to each
+ * SOM object. Note that it is perfectly valid for there to be *no* GPOs
+ * linked to a SOM object.
+ */
+struct tevent_req *
+ad_gpo_process_som_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_conn_ctx *conn,
+ struct ldb_context *ldb_ctx,
+ struct sdap_id_op *sdap_op,
+ struct sdap_options *opts,
+ struct dp_option *ad_options,
+ int timeout,
+ const char *target_dn,
+ const char *domain_name)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct ad_gpo_process_som_state *state;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ad_gpo_process_som_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sdap_op = sdap_op;
+ state->opts = opts;
+ state->ad_options = ad_options;
+ state->timeout = timeout;
+ state->som_index = 0;
+ state->allow_enforced_only = 0;
+
+ ret = ad_gpo_populate_som_list(state, ldb_ctx, target_dn,
+ &state->num_soms, &state->som_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to retrieve SOM List : [%d](%s)\n",
+ ret, sss_strerror(ret));
+ ret = ENOENT;
+ goto immediately;
+ }
+
+ if (state->som_list == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "target dn must have at least one parent\n");
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ subreq = ad_master_domain_send(state, state->ev, conn,
+ state->sdap_op, domain_name);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_site_name_retrieval_done, req);
+
+ ret = EOK;
+
+ immediately:
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void
+ad_gpo_site_name_retrieval_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_process_som_state *state;
+ int ret;
+ char *site = NULL;
+ char *site_override = NULL;
+ const char *attrs[] = {AD_AT_CONFIG_NC, NULL};
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_process_som_state);
+
+ /* gpo code only cares about the site name */
+ ret = ad_master_domain_recv(subreq, state, NULL, NULL, &site, NULL);
+ talloc_zfree(subreq);
+
+ if (ret != EOK || site == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Could not autodiscover AD site. This is not fatal if "
+ "ad_site option was set.\n");
+ }
+
+ site_override = dp_opt_get_string(state->ad_options, AD_SITE);
+ if (site_override != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Overriding autodiscovered AD site value '%s' with '%s' from "
+ "configuration.\n", site ? site : "none", site_override);
+ }
+
+ if (site == NULL && site_override == NULL) {
+ sss_log(SSS_LOG_WARNING,
+ "Could not autodiscover AD site value using DNS and ad_site "
+ "option was not set in configuration. GPO will not work. "
+ "To work around this issue you can use ad_site option in SSSD "
+ "configuration.");
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not autodiscover AD site value using DNS and ad_site "
+ "option was not set in configuration. GPO will not work. "
+ "To work around this issue you can use ad_site option in SSSD "
+ "configuration.\n");
+ tevent_req_error(req, ENOENT);
+ return;
+ }
+
+ state->site_name = talloc_asprintf(state, "cn=%s",
+ site_override ? site_override
+ : site);
+ if (state->site_name == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Using AD site '%s'.\n", state->site_name);
+
+ /*
+ * note: the configNC attribute is being retrieved here from the rootDSE
+ * entry. In future, since we already make an LDAP query for the rootDSE
+ * entry when LDAP connection is made, this attribute should really be
+ * retrieved at that point (see https://fedorahosted.org/sssd/ticket/2276)
+ */
+ subreq = sdap_get_generic_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ "", LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, NULL, 0,
+ state->timeout,
+ false);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_site_dn_retrieval_done, req);
+}
+
+static void
+ad_gpo_site_dn_retrieval_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_process_som_state *state;
+ int ret;
+ int dp_error;
+ int i = 0;
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+ const char *configNC;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_process_som_state);
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get configNC: [%d](%s)\n", ret, sss_strerror(ret));
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* make sure there is only one non-NULL reply returned */
+
+ if (reply_count < 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "No configNC retrieved\n");
+ ret = ENOENT;
+ goto done;
+ } else if (reply_count > 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Multiple replies for configNC\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ } else if (reply == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "reply_count is 1, but reply is NULL\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ /* reply[0] holds requested attributes of single reply */
+ ret = sysdb_attrs_get_string(reply[0], AD_AT_CONFIG_NC, &configNC);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_string failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ state->site_dn =
+ talloc_asprintf(state, "%s,cn=Sites,%s", state->site_name, configNC);
+ if (state->site_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* note that space was allocated for site_dn when allocating som_list */
+ state->som_list[state->num_soms] =
+ talloc_zero(state->som_list, struct gp_som);
+ if (state->som_list[state->num_soms] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ state->som_list[state->num_soms]->som_dn =
+ talloc_steal(state->som_list[state->num_soms], state->site_dn);
+
+ if (state->som_list[state->num_soms]->som_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ state->num_soms++;
+ state->som_list[state->num_soms] = NULL;
+
+ i = 0;
+ while (state->som_list[i]) {
+ DEBUG(SSSDBG_TRACE_FUNC, "som_list[%d]->som_dn is %s\n", i,
+ state->som_list[i]->som_dn);
+ i++;
+ }
+
+ ret = ad_gpo_get_som_attrs_step(req);
+
+ done:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+}
+static errno_t
+ad_gpo_get_som_attrs_step(struct tevent_req *req)
+{
+ const char *attrs[] = {AD_AT_GPLINK, AD_AT_GPOPTIONS, NULL};
+ struct tevent_req *subreq;
+ struct ad_gpo_process_som_state *state;
+
+ state = tevent_req_data(req, struct ad_gpo_process_som_state);
+
+ struct gp_som *gp_som = state->som_list[state->som_index];
+
+ /* gp_som is NULL only after all SOMs have been processed */
+ if (gp_som == NULL) return EOK;
+
+ const char *som_dn = gp_som->som_dn;
+ subreq = sdap_get_generic_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ som_dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, NULL, 0,
+ state->timeout,
+ false);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_get_som_attrs_done, req);
+ return EAGAIN;
+}
+
+static void
+ad_gpo_get_som_attrs_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_process_som_state *state;
+ int ret;
+ int dp_error;
+ size_t num_results;
+ struct sysdb_attrs **results;
+ struct ldb_message_element *el = NULL;
+ uint8_t *raw_gplink_value;
+ uint8_t *raw_gpoptions_value;
+ uint32_t allow_enforced_only = 0;
+ struct gp_som *gp_som;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_process_som_state);
+ ret = sdap_get_generic_recv(subreq, state,
+ &num_results, &results);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get SOM attributes: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ ret = ENOENT;
+ goto done;
+ }
+ if ((num_results < 1) || (results == NULL)) {
+ DEBUG(SSSDBG_OP_FAILURE, "no attrs found for SOM; try next SOM.\n");
+ state->som_index++;
+ ret = ad_gpo_get_som_attrs_step(req);
+ goto done;
+ } else if (num_results > 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Received multiple replies\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ /* Get the gplink value, if available */
+ ret = sysdb_attrs_get_el(results[0], AD_AT_GPLINK, &el);
+
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_el() failed: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if ((ret == ENOENT) || (el->num_values == 0)) {
+ DEBUG(SSSDBG_OP_FAILURE, "no attrs found for SOM; try next SOM\n");
+ state->som_index++;
+ ret = ad_gpo_get_som_attrs_step(req);
+ goto done;
+ }
+
+ raw_gplink_value = el[0].values[0].data;
+
+ ret = sysdb_attrs_get_el(results[0], AD_AT_GPOPTIONS, &el);
+
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el() failed\n");
+ goto done;
+ }
+
+ if ((ret == ENOENT) || (el->num_values == 0)) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "gpoptions attr not found or has no value; defaults to 0\n");
+ allow_enforced_only = 0;
+ } else {
+ raw_gpoptions_value = el[0].values[0].data;
+ allow_enforced_only = strtouint32((char *)raw_gpoptions_value, NULL, 10);
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "strtouint32 failed: [%d](%s)\n", ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ gp_som = state->som_list[state->som_index];
+ ret = ad_gpo_populate_gplink_list(gp_som,
+ gp_som->som_dn,
+ (char *)raw_gplink_value,
+ &gp_som->gplink_list,
+ state->allow_enforced_only);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ad_gpo_populate_gplink_list() failed\n");
+ goto done;
+ }
+
+ if (allow_enforced_only) {
+ state->allow_enforced_only = 1;
+ }
+
+ state->som_index++;
+ ret = ad_gpo_get_som_attrs_step(req);
+
+ done:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+}
+
+int
+ad_gpo_process_som_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct gp_som ***som_list)
+{
+
+ struct ad_gpo_process_som_state *state =
+ tevent_req_data(req, struct ad_gpo_process_som_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *som_list = talloc_steal(mem_ctx, state->som_list);
+ return EOK;
+}
+
+/* == ad_gpo_process_gpo_send/recv helpers ================================= */
+
+/*
+ * This function examines the gp_gplink objects in each gp_som object specified
+ * in the input som_list, and populates the _candidate_gpos output parameter's
+ * gpo_dn fields with prioritized list of GPO DNs. Prioritization ensures that:
+ * - GPOs linked to an OU will be applied after GPOs linked to a Domain,
+ * which will be applied after GPOs linked to a Site.
+ * - multiple GPOs linked to a single SOM are applied in their link order
+ * (i.e. 1st GPO linked to SOM is applied after 2nd GPO linked to SOM, etc).
+ * - enforced GPOs are applied after unenforced GPOs.
+ *
+ * As such, the _candidate_gpos output's dn fields looks like (in link order):
+ * [unenforced {Site, Domain, OU}; enforced {Site, Domain, OU}]
+ *
+ * Note that in the case of conflicting policy settings, GPOs appearing later
+ * in the list will trump GPOs appearing earlier in the list.
+ */
+static errno_t
+ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
+ struct gp_som **som_list,
+ struct gp_gpo ***_candidate_gpos,
+ int *_num_candidate_gpos)
+{
+
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct gp_som *gp_som = NULL;
+ struct gp_gplink *gp_gplink = NULL;
+ struct gp_gpo **candidate_gpos = NULL;
+ int num_candidate_gpos = 0;
+ const char **enforced_gpo_dns = NULL;
+ const char **unenforced_gpo_dns = NULL;
+ int gpo_dn_idx = 0;
+ int num_enforced = 0;
+ int enforced_idx = 0;
+ int num_unenforced = 0;
+ int unenforced_idx = 0;
+ int i = 0;
+ int j = 0;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ while (som_list[i]) {
+ gp_som = som_list[i];
+ j = 0;
+ while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
+ gp_gplink = gp_som->gplink_list[j];
+ if (gp_gplink == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "unexpected null gp_gplink\n");
+ ret = EINVAL;
+ goto done;
+ }
+ if (gp_gplink->enforced) {
+ num_enforced++;
+ } else {
+ num_unenforced++;
+ }
+ j++;
+ }
+ i++;
+ }
+
+ num_candidate_gpos = num_enforced + num_unenforced;
+
+ if (num_candidate_gpos == 0) {
+ *_candidate_gpos = NULL;
+ *_num_candidate_gpos = 0;
+ ret = EOK;
+ goto done;
+ }
+
+ enforced_gpo_dns = talloc_array(tmp_ctx, const char *, num_enforced + 1);
+ if (enforced_gpo_dns == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ unenforced_gpo_dns = talloc_array(tmp_ctx, const char *, num_unenforced + 1);
+ if (unenforced_gpo_dns == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ i = 0;
+ while (som_list[i]) {
+ gp_som = som_list[i];
+ j = 0;
+ while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
+ gp_gplink = gp_som->gplink_list[j];
+ if (gp_gplink == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "unexpected null gp_gplink\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (gp_gplink->enforced) {
+ enforced_gpo_dns[enforced_idx] =
+ talloc_steal(enforced_gpo_dns, gp_gplink->gpo_dn);
+ if (enforced_gpo_dns[enforced_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ enforced_idx++;
+ } else {
+
+ unenforced_gpo_dns[unenforced_idx] =
+ talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
+
+ if (unenforced_gpo_dns[unenforced_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ unenforced_idx++;
+ }
+ j++;
+ }
+ i++;
+ }
+ enforced_gpo_dns[num_enforced] = NULL;
+ unenforced_gpo_dns[num_unenforced] = NULL;
+
+ candidate_gpos = talloc_array(tmp_ctx,
+ struct gp_gpo *,
+ num_candidate_gpos + 1);
+
+ if (candidate_gpos == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ gpo_dn_idx = 0;
+ for (i = num_unenforced - 1; i >= 0; i--) {
+ candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo);
+ if (candidate_gpos[gpo_dn_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ candidate_gpos[gpo_dn_idx]->gpo_dn =
+ talloc_steal(candidate_gpos[gpo_dn_idx], unenforced_gpo_dns[i]);
+
+ if (candidate_gpos[gpo_dn_idx]->gpo_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "candidate_gpos[%d]->gpo_dn: %s\n",
+ gpo_dn_idx, candidate_gpos[gpo_dn_idx]->gpo_dn);
+ gpo_dn_idx++;
+ }
+
+ for (i = 0; i < num_enforced; i++) {
+
+ candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo);
+ if (candidate_gpos[gpo_dn_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ candidate_gpos[gpo_dn_idx]->gpo_dn =
+ talloc_steal(candidate_gpos[gpo_dn_idx], enforced_gpo_dns[i]);
+ if (candidate_gpos[gpo_dn_idx]->gpo_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "candidate_gpos[%d]->gpo_dn: %s\n",
+ gpo_dn_idx, candidate_gpos[gpo_dn_idx]->gpo_dn);
+ gpo_dn_idx++;
+ }
+
+ candidate_gpos[gpo_dn_idx] = NULL;
+
+ *_candidate_gpos = talloc_steal(mem_ctx, candidate_gpos);
+ *_num_candidate_gpos = num_candidate_gpos;
+
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This function parses the input_path into its components, replaces each
+ * back slash ('\') with a forward slash ('/'), and populates the output params.
+ *
+ * The smb_server output is constructed by concatenating the following elements:
+ * - SMB_STANDARD_URI ("smb://")
+ * - server_hostname (which replaces domain_name in input path)
+ * The smb_share and smb_path outputs are extracted from the input_path.
+ *
+ * Example: if input_path = "\\foo.com\SysVol\foo.com\..." and
+ * server_hostname = "adserver.foo.com", then
+ * _smb_server = "smb://adserver.foo.com"
+ * _smb_share = "SysVol"
+ * _smb_path = "/foo.com/..."
+ *
+ * Note that the input_path must have at least four forward slash separators.
+ * For example, input_path = "\\foo.com\SysVol" is not a valid input_path,
+ * because it has only three forward slash separators.
+ */
+static errno_t
+ad_gpo_extract_smb_components(TALLOC_CTX *mem_ctx,
+ char *server_hostname,
+ char *input_path,
+ const char **_smb_server,
+ const char **_smb_share,
+ const char **_smb_path)
+{
+ char *ptr;
+ const char delim = '\\';
+ int ret;
+ int num_seps = 0;
+ char *smb_path = NULL;
+ char *smb_share = NULL;
+
+ DEBUG(SSSDBG_TRACE_ALL, "input_path: %s\n", input_path);
+
+ if (input_path == NULL ||
+ *input_path == '\0' ||
+ _smb_server == NULL ||
+ _smb_share == NULL ||
+ _smb_path == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ptr = input_path;
+ while ((ptr = strchr(ptr, delim))) {
+ num_seps++;
+ if (num_seps == 3) {
+ /* replace the slash before the share name with null string */
+
+ *ptr = '\0';
+ ptr++;
+ smb_share = ptr;
+ continue;
+ } else if (num_seps == 4) {
+ /* replace the slash after the share name with null string */
+ *ptr = '\0';
+ ptr++;
+ smb_path = ptr;
+ continue;
+ }
+ *ptr = '/';
+ ptr++;
+ }
+
+ if (num_seps == 0) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (smb_path == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ *_smb_server = talloc_asprintf(mem_ctx, "%s%s",
+ SMB_STANDARD_URI,
+ server_hostname);
+ if (*_smb_server == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_smb_share = talloc_asprintf(mem_ctx, "/%s", smb_share);
+ if (*_smb_share == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_smb_path = talloc_asprintf(mem_ctx, "/%s", smb_path);
+ if (*_smb_path == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+
+ done:
+ return ret;
+}
+
+/*
+ * This function populates the _cse_guid_list output parameter by parsing the
+ * input raw_machine_ext_names_value into an array of cse_guid strings.
+ *
+ * The raw_machine_ext_names_value is a single string in the following format:
+ * "[{cse_guid_1}{tool_guid1}]...[{cse_guid_n}{tool_guid_n}]"
+ */
+static errno_t
+ad_gpo_parse_machine_ext_names(TALLOC_CTX *mem_ctx,
+ char *raw_machine_ext_names_value,
+ const char ***_gpo_cse_guids,
+ int *_num_gpo_cse_guids)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *ptr;
+ char *first;
+ char *last;
+ char *cse_guid;
+ char *tool_guid;
+ const char delim = ']';
+ const char **gpo_cse_guids;
+ int i;
+ int ret;
+ int num_gpo_cse_guids = 0;
+
+ if (raw_machine_ext_names_value == NULL ||
+ *raw_machine_ext_names_value == '\0' ||
+ _gpo_cse_guids == NULL) {
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ptr = raw_machine_ext_names_value;
+ while ((ptr = strchr(ptr, delim))) {
+ ptr++;
+ num_gpo_cse_guids++;
+ }
+
+ if (num_gpo_cse_guids == 0) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ gpo_cse_guids = talloc_array(tmp_ctx, const char *, num_gpo_cse_guids + 1);
+ if (gpo_cse_guids == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ptr = raw_machine_ext_names_value;
+ for (i = 0; i < num_gpo_cse_guids; i++) {
+ first = ptr + 1;
+ last = strchr(first, delim);
+ if (last == NULL) {
+ break;
+ }
+ *last = '\0';
+ last++;
+ cse_guid = first;
+ first ++;
+ tool_guid = strchr(first, '{');
+ if (tool_guid == NULL) {
+ break;
+ }
+ *tool_guid = '\0';
+ gpo_cse_guids[i] = talloc_strdup(gpo_cse_guids, cse_guid);
+ ptr = last;
+ }
+ gpo_cse_guids[i] = NULL;
+
+ DEBUG(SSSDBG_TRACE_ALL, "num_gpo_cse_guids: %d\n", num_gpo_cse_guids);
+
+ for (i = 0; i < num_gpo_cse_guids; i++) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "gpo_cse_guids[%d] is %s\n", i, gpo_cse_guids[i]);
+ }
+
+ *_gpo_cse_guids = talloc_steal(mem_ctx, gpo_cse_guids);
+ *_num_gpo_cse_guids = num_gpo_cse_guids;
+ ret = EOK;
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+enum ndr_err_code
+ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr, int ndr_flags,
+ struct security_descriptor *r);
+
+/*
+ * This function parses the input data blob and assigns the resulting
+ * security_descriptor object to the _gpo_sd output parameter.
+ */
+static errno_t ad_gpo_parse_sd(TALLOC_CTX *mem_ctx,
+ uint8_t *data,
+ size_t length,
+ struct security_descriptor **_gpo_sd)
+{
+
+ struct ndr_pull *ndr_pull = NULL;
+ struct security_descriptor sd;
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+
+ blob.data = data;
+ blob.length = length;
+
+ ndr_pull = ndr_pull_init_blob(&blob, mem_ctx);
+ if (ndr_pull == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_init_blob() failed.\n");
+ return EINVAL;
+ }
+
+ ndr_err = ad_gpo_ndr_pull_security_descriptor(ndr_pull,
+ NDR_SCALARS|NDR_BUFFERS,
+ &sd);
+
+ if (ndr_err != NDR_ERR_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to pull security descriptor\n");
+ return EINVAL;
+ }
+
+ *_gpo_sd = talloc_memdup(mem_ctx, &sd, sizeof(struct security_descriptor));
+
+ return EOK;
+}
+
+/* == ad_gpo_process_gpo_send/recv implementation ========================== */
+
+struct ad_gpo_process_gpo_state {
+ struct ad_access_ctx *access_ctx;
+ struct tevent_context *ev;
+ struct sdap_id_op *sdap_op;
+ struct sdap_options *opts;
+ char *server_hostname;
+ struct sss_domain_info *host_domain;
+ int timeout;
+ struct gp_gpo **candidate_gpos;
+ int num_candidate_gpos;
+ int gpo_index;
+};
+
+static errno_t ad_gpo_get_gpo_attrs_step(struct tevent_req *req);
+static void ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq);
+
+/*
+ * This function uses the input som_list to populate a prioritized list of
+ * gp_gpo objects, prioritized based on SOM type, link order, and whether the
+ * GPO is "enforced". This list represents the initial set of candidate GPOs
+ * that might be applicable to the target. This list can not be expanded, but
+ * it might be reduced based on subsequent filtering steps. The GPO object DNs
+ * are used to retrieve certain LDAP attributes of each GPO object, that are
+ * parsed into the various fields of the gp_gpo object.
+ */
+struct tevent_req *
+ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_op *sdap_op,
+ struct sdap_options *opts,
+ char *server_hostname,
+ struct sss_domain_info *host_domain,
+ struct ad_access_ctx *access_ctx,
+ int timeout,
+ struct gp_som **som_list)
+{
+ struct tevent_req *req;
+ struct ad_gpo_process_gpo_state *state;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ad_gpo_process_gpo_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sdap_op = sdap_op;
+ state->opts = opts;
+ state->server_hostname = server_hostname;
+ state->host_domain = host_domain;
+ state->access_ctx = access_ctx;
+ state->timeout = timeout;
+ state->gpo_index = 0;
+ state->candidate_gpos = NULL;
+ state->num_candidate_gpos = 0;
+
+ ret = ad_gpo_populate_candidate_gpos(state,
+ som_list,
+ &state->candidate_gpos,
+ &state->num_candidate_gpos);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to retrieve GPO List: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ if (state->candidate_gpos == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "no gpos found\n");
+ ret = ENOENT;
+ goto immediately;
+ }
+
+ ret = ad_gpo_get_gpo_attrs_step(req);
+
+immediately:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static errno_t
+ad_gpo_get_gpo_attrs_step(struct tevent_req *req)
+{
+ const char *attrs[] = AD_GPO_ATTRS;
+ struct tevent_req *subreq;
+ struct ad_gpo_process_gpo_state *state;
+
+ state = tevent_req_data(req, struct ad_gpo_process_gpo_state);
+
+ struct gp_gpo *gp_gpo = state->candidate_gpos[state->gpo_index];
+
+ /* gp_gpo is NULL only after all GPOs have been processed */
+ if (gp_gpo == NULL) return EOK;
+
+ const char *gpo_dn = gp_gpo->gpo_dn;
+
+ subreq = sdap_sd_search_send(state, state->ev,
+ state->opts, sdap_id_op_handle(state->sdap_op),
+ gpo_dn, SECINFO_DACL, attrs, state->timeout);
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_sd_search_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_get_gpo_attrs_done, req);
+ return EAGAIN;
+}
+
+static errno_t
+ad_gpo_sd_process_attrs(struct tevent_req *req,
+ char *smb_host,
+ struct sysdb_attrs *result);
+void
+ad_gpo_get_sd_referral_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ad_gpo_get_sd_referral_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ad_access_ctx *access_ctx,
+ struct sdap_options *opts,
+ const char *referral,
+ struct sss_domain_info *host_domain,
+ int timeout);
+errno_t
+ad_gpo_get_sd_referral_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ char **_smb_host,
+ struct sysdb_attrs **_reply);
+
+static void
+ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_gpo_process_gpo_state *state;
+ int ret;
+ int dp_error;
+ size_t num_results, refcount;
+ struct sysdb_attrs **results;
+ char **refs;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_gpo_process_gpo_state);
+
+ ret = sdap_sd_search_recv(subreq, state,
+ &num_results, &results,
+ &refcount, &refs);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get GPO attributes: [%d](%s)\n",
+ ret, sss_strerror(ret));
+ ret = ENOENT;
+ goto done;
+ }
+
+ if ((num_results < 1) || (results == NULL)) {
+ if (refcount == 1) {
+ /* If we were redirected to a referral, process it.
+ * There must be a single referral result here; if we get
+ * more than one (or zero) it's a bug.
+ */
+
+ subreq = ad_gpo_get_sd_referral_send(state, state->ev,
+ state->access_ctx,
+ state->opts,
+ refs[0],
+ state->host_domain,
+ state->timeout);
+ if (!subreq) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ad_gpo_get_sd_referral_done, req);
+ ret = EAGAIN;
+ goto done;
+
+ } else {
+ const char *gpo_dn = state->candidate_gpos[state->gpo_index]->gpo_dn;
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "No attrs found for GPO [%s].\n", gpo_dn);
+ ret = ENOENT;
+ goto done;
+ }
+ } else if (num_results > 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Received multiple replies\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ ret = ad_gpo_sd_process_attrs(req, state->server_hostname, results[0]);
+
+done:
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+}
+
+void
+ad_gpo_get_sd_referral_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ int dp_error;
+ struct sysdb_attrs *reply;
+ char *smb_host;
+
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct ad_gpo_process_gpo_state *state =
+ tevent_req_data(req, struct ad_gpo_process_gpo_state);
+
+ ret = ad_gpo_get_sd_referral_recv(subreq, state, &smb_host, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ /* Terminate the sdap_id_op */
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to get referred GPO attributes: [%d](%s)\n",
+ ret, sss_strerror(ret));
+
+ goto done;
+ }
+
+ /* Lookup succeeded.
Process it */ + ret = ad_gpo_sd_process_attrs(req, smb_host, reply); + +done: + + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } +} + +static bool machine_ext_names_is_blank(char *attr_value) +{ + char *ptr; + + if (attr_value == NULL) { + return true; + } + + ptr = attr_value; + for (; *ptr != '\0'; ptr++) { + if (!isspace(*ptr)) { + return false; + } + } + + return true; +} + +static errno_t +ad_gpo_sd_process_attrs(struct tevent_req *req, + char *smb_host, + struct sysdb_attrs *result) +{ + struct ad_gpo_process_gpo_state *state; + struct gp_gpo *gp_gpo; + int ret; + struct ldb_message_element *el = NULL; + const char *gpo_guid = NULL; + const char *raw_file_sys_path = NULL; + char *file_sys_path = NULL; + uint8_t *raw_machine_ext_names = NULL; + + state = tevent_req_data(req, struct ad_gpo_process_gpo_state); + gp_gpo = state->candidate_gpos[state->gpo_index]; + + /* retrieve AD_AT_CN */ + ret = sysdb_attrs_get_string(result, AD_AT_CN, &gpo_guid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_string failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + + gp_gpo->gpo_guid = talloc_steal(gp_gpo, gpo_guid); + if (gp_gpo->gpo_guid == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "populating attrs for gpo_guid: %s\n", + gp_gpo->gpo_guid); + + /* retrieve AD_AT_FILE_SYS_PATH */ + ret = sysdb_attrs_get_string(result, + AD_AT_FILE_SYS_PATH, + &raw_file_sys_path); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_string failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + + file_sys_path = talloc_strdup(gp_gpo, raw_file_sys_path); + + ret = ad_gpo_extract_smb_components(gp_gpo, smb_host, + file_sys_path, &gp_gpo->smb_server, + &gp_gpo->smb_share, &gp_gpo->smb_path); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "unable to extract smb components from file_sys_path: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + 
+ DEBUG(SSSDBG_TRACE_ALL, "smb_server: %s\n", gp_gpo->smb_server); + DEBUG(SSSDBG_TRACE_ALL, "smb_share: %s\n", gp_gpo->smb_share); + DEBUG(SSSDBG_TRACE_ALL, "smb_path: %s\n", gp_gpo->smb_path); + + /* retrieve AD_AT_FUNC_VERSION */ + ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION, + &gp_gpo->gpo_func_version); + if (ret == ENOENT) { + /* If this attribute is missing we can skip the GPO. It will + * be filtered out according to MS-GPOL: + * https://msdn.microsoft.com/en-us/library/cc232538.aspx */ + DEBUG(SSSDBG_TRACE_ALL, "GPO with GUID %s is missing attribute " + AD_AT_FUNC_VERSION " and will be skipped.\n", gp_gpo->gpo_guid); + state->gpo_index++; + ret = ad_gpo_get_gpo_attrs_step(req); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_int32_t failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "gpo_func_version: %d\n", + gp_gpo->gpo_func_version); + + /* retrieve AD_AT_FLAGS */ + ret = sysdb_attrs_get_int32_t(result, AD_AT_FLAGS, + &gp_gpo->gpo_flags); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_int32_t failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "gpo_flags: %d\n", gp_gpo->gpo_flags); + + /* retrieve AD_AT_NT_SEC_DESC */ + ret = sysdb_attrs_get_el(result, AD_AT_NT_SEC_DESC, &el); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el() failed\n"); + goto done; + } + if ((ret == ENOENT) || (el->num_values == 0)) { + DEBUG(SSSDBG_OP_FAILURE, + "nt_sec_desc attribute not found or has no value\n"); + ret = ENOENT; + goto done; + } + + ret = ad_gpo_parse_sd(gp_gpo, el[0].values[0].data, el[0].values[0].length, + &gp_gpo->gpo_sd); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_gpo_parse_sd() failed\n"); + goto done; + } + + /* retrieve AD_AT_MACHINE_EXT_NAMES */ + ret = sysdb_attrs_get_el(result, AD_AT_MACHINE_EXT_NAMES, &el); + if (ret != EOK && ret != ENOENT) { + 
DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_el() failed\n"); + goto done; + } + + if ((ret == ENOENT) || (el->num_values == 0) + || machine_ext_names_is_blank((char *) el[0].values[0].data)) { + /* + * if gpo has no machine_ext_names (which is perfectly valid: it could + * have only user_ext_names, for example), we continue to next gpo + */ + DEBUG(SSSDBG_TRACE_ALL, + "machine_ext_names attribute not found or has no value\n"); + state->gpo_index++; + } else { + raw_machine_ext_names = el[0].values[0].data; + + ret = ad_gpo_parse_machine_ext_names(gp_gpo, + (char *)raw_machine_ext_names, + &gp_gpo->gpo_cse_guids, + &gp_gpo->num_gpo_cse_guids); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ad_gpo_parse_machine_ext_names() failed\n"); + goto done; + } + + state->gpo_index++; + } + + ret = ad_gpo_get_gpo_attrs_step(req); + + done: + + return ret; +} + +int +ad_gpo_process_gpo_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct gp_gpo ***candidate_gpos, + int *num_candidate_gpos) +{ + struct ad_gpo_process_gpo_state *state = + tevent_req_data(req, struct ad_gpo_process_gpo_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *candidate_gpos = talloc_steal(mem_ctx, state->candidate_gpos); + *num_candidate_gpos = state->num_candidate_gpos; + return EOK; +} + +/* == ad_gpo_process_cse_send/recv helpers ================================= */ +static errno_t +create_cse_send_buffer(TALLOC_CTX *mem_ctx, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix, + int cached_gpt_version, + struct io_buffer **io_buf) +{ + struct io_buffer *buf; + size_t rp; + int smb_server_length; + int smb_share_length; + int smb_path_length; + int smb_cse_suffix_length; + + smb_server_length = strlen(smb_server); + smb_share_length = strlen(smb_share); + smb_path_length = strlen(smb_path); + smb_cse_suffix_length = strlen(smb_cse_suffix); + + buf = talloc(mem_ctx, struct io_buffer); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc 
failed.\n"); + return ENOMEM; + } + + buf->size = 5 * sizeof(uint32_t); + buf->size += smb_server_length + smb_share_length + smb_path_length + + smb_cse_suffix_length; + + DEBUG(SSSDBG_TRACE_ALL, "buffer size: %zu\n", buf->size); + + buf->data = talloc_size(buf, buf->size); + if (buf->data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + talloc_free(buf); + return ENOMEM; + } + + rp = 0; + /* cached_gpt_version */ + SAFEALIGN_SET_UINT32(&buf->data[rp], cached_gpt_version, &rp); + + /* smb_server */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_server_length, &rp); + safealign_memcpy(&buf->data[rp], smb_server, smb_server_length, &rp); + + /* smb_share */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_share_length, &rp); + safealign_memcpy(&buf->data[rp], smb_share, smb_share_length, &rp); + + /* smb_path */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_path_length, &rp); + safealign_memcpy(&buf->data[rp], smb_path, smb_path_length, &rp); + + /* smb_cse_suffix */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_cse_suffix_length, &rp); + safealign_memcpy(&buf->data[rp], smb_cse_suffix, smb_cse_suffix_length, &rp); + + *io_buf = buf; + return EOK; +} + +static errno_t +ad_gpo_parse_gpo_child_response(uint8_t *buf, + ssize_t size, + uint32_t *_sysvol_gpt_version, + uint32_t *_result) +{ + + int ret; + size_t p = 0; + uint32_t sysvol_gpt_version; + uint32_t result; + + /* sysvol_gpt_version */ + SAFEALIGN_COPY_UINT32_CHECK(&sysvol_gpt_version, buf + p, size, &p); + + /* operation result code */ + SAFEALIGN_COPY_UINT32_CHECK(&result, buf + p, size, &p); + + *_sysvol_gpt_version = sysvol_gpt_version; + *_result = result; + + ret = EOK; + return ret; +} + +/* == ad_gpo_process_cse_send/recv implementation ========================== */ + +struct ad_gpo_process_cse_state { + struct tevent_context *ev; + struct sss_domain_info *domain; + int gpo_timeout_option; + const char *gpo_guid; + const char *smb_path; + const char *smb_cse_suffix; + pid_t child_pid; + uint8_t 
*buf; + ssize_t len; + struct child_io_fds *io; +}; + +static errno_t gpo_fork_child(struct tevent_req *req); +static void gpo_cse_step(struct tevent_req *subreq); +static void gpo_cse_done(struct tevent_req *subreq); + +/* + * This cse-specific function (GP_EXT_GUID_SECURITY) sends the input smb uri + * components and cached_gpt_version to the gpo child, which, in turn, + * will download the GPT.INI file and policy files (as needed) and store + * them in the GPO_CACHE directory. Note that if the send_to_child input is + * false, this function simply completes the request. + */ +struct tevent_req * +ad_gpo_process_cse_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + bool send_to_child, + struct sss_domain_info *domain, + const char *gpo_guid, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix, + int cached_gpt_version, + int gpo_timeout_option) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct ad_gpo_process_cse_state *state; + struct io_buffer *buf = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ad_gpo_process_cse_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (!send_to_child) { + /* + * if we don't need to talk to child (b/c cache timeout is still valid), + * we simply complete the request + */ + ret = EOK; + goto immediately; + } + + state->ev = ev; + state->buf = NULL; + state->len = 0; + state->domain = domain; + state->gpo_timeout_option = gpo_timeout_option; + state->gpo_guid = gpo_guid; + state->smb_path = smb_path; + state->smb_cse_suffix = smb_cse_suffix; + state->io = talloc(state, struct child_io_fds); + if (state->io == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto immediately; + } + + state->io->write_to_child_fd = -1; + state->io->read_from_child_fd = -1; + talloc_set_destructor((void *) state->io, child_io_destructor); + + /* prepare the data 
to pass to child */ + ret = create_cse_send_buffer(state, smb_server, smb_share, smb_path, + smb_cse_suffix, cached_gpt_version, &buf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "create_cse_send_buffer failed.\n"); + goto immediately; + } + + ret = gpo_fork_child(req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "gpo_fork_child failed.\n"); + goto immediately; + } + + subreq = write_pipe_send(state, ev, buf->data, buf->size, + state->io->write_to_child_fd); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + tevent_req_set_callback(subreq, gpo_cse_step, req); + + return req; + +immediately: + + if (ret == EOK) { + tevent_req_done(req); + tevent_req_post(req, ev); + } else { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void gpo_cse_step(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ad_gpo_process_cse_state *state; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_gpo_process_cse_state); + + ret = write_pipe_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + PIPE_FD_CLOSE(state->io->write_to_child_fd); + + subreq = read_pipe_send(state, state->ev, state->io->read_from_child_fd); + + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, gpo_cse_done, req); +} + +static void gpo_cse_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ad_gpo_process_cse_state *state; + uint32_t sysvol_gpt_version = -1; + uint32_t child_result; + time_t now; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_gpo_process_cse_state); + int ret; + + ret = read_pipe_recv(subreq, state, &state->buf, &state->len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + PIPE_FD_CLOSE(state->io->read_from_child_fd); + + ret = 
ad_gpo_parse_gpo_child_response(state->buf, state->len, + &sysvol_gpt_version, &child_result); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } else if (child_result != 0){ + DEBUG(SSSDBG_CRIT_FAILURE, + "Error in gpo_child: [%d][%s]\n", + child_result, strerror(child_result)); + tevent_req_error(req, child_result); + return; + } + + now = time(NULL); + DEBUG(SSSDBG_TRACE_FUNC, "sysvol_gpt_version: %d\n", sysvol_gpt_version); + ret = sysdb_gpo_store_gpo(state->domain, state->gpo_guid, sysvol_gpt_version, + state->gpo_timeout_option, now); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to store gpo cache entry: [%d](%s}\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); + return; +} + +int ad_gpo_process_cse_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +static errno_t +gpo_fork_child(struct tevent_req *req) +{ + int pipefd_to_child[2] = PIPE_INIT; + int pipefd_from_child[2] = PIPE_INIT; + pid_t pid; + errno_t ret; + struct ad_gpo_process_cse_state *state; + + state = tevent_req_data(req, struct ad_gpo_process_cse_state); + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + + pid = fork(); + + if (pid == 0) { /* child */ + exec_child_ex(state, + pipefd_to_child, pipefd_from_child, + GPO_CHILD, gpo_child_debug_fd, NULL, false, + STDIN_FILENO, AD_GPO_CHILD_OUT_FILENO); + + /* We should never get here */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec gpo_child:\n"); + } else if (pid > 0) { /* parent */ + state->child_pid = pid; + state->io->read_from_child_fd = 
pipefd_from_child[0]; + PIPE_FD_CLOSE(pipefd_from_child[1]); + state->io->write_to_child_fd = pipefd_to_child[1]; + PIPE_FD_CLOSE(pipefd_to_child[0]); + sss_fd_nonblocking(state->io->read_from_child_fd); + sss_fd_nonblocking(state->io->write_to_child_fd); + + ret = child_handler_setup(state->ev, pid, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set up child signal handler\n"); + goto fail; + } + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + + return EOK; + +fail: + PIPE_CLOSE(pipefd_from_child); + PIPE_CLOSE(pipefd_to_child); + return ret; +} + +struct ad_gpo_get_sd_referral_state { + struct tevent_context *ev; + struct ad_access_ctx *access_ctx; + struct sdap_options *opts; + struct sss_domain_info *host_domain; + struct sss_domain_info *ref_domain; + struct sdap_id_conn_ctx *conn; + struct sdap_id_op *ref_op; + int timeout; + char *gpo_dn; + char *smb_host; + + + struct sysdb_attrs *reply; +}; + +static void +ad_gpo_get_sd_referral_conn_done(struct tevent_req *subreq); + +static struct tevent_req * +ad_gpo_get_sd_referral_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ad_access_ctx *access_ctx, + struct sdap_options *opts, + const char *referral, + struct sss_domain_info *host_domain, + int timeout) +{ + errno_t ret; + struct tevent_req *req; + struct ad_gpo_get_sd_referral_state *state; + struct tevent_req *subreq; + LDAPURLDesc *lud = NULL; + + req = tevent_req_create(mem_ctx, &state, + struct ad_gpo_get_sd_referral_state); + if (!req) return NULL; + + state->ev = ev; + state->access_ctx = access_ctx; + state->opts = opts; + state->host_domain = host_domain; + state->timeout = timeout; + + /* Parse the URL for the domain */ + ret = ldap_url_parse(referral, &lud); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse referral URI (%s)!\n", referral); + ret = EINVAL; + goto done; + } + + 
state->gpo_dn = talloc_strdup(state, lud->lud_dn); + if (!state->gpo_dn) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not copy referral DN (%s)!\n", lud->lud_dn); + ldap_free_urldesc(lud); + ret = ENOMEM; + goto done; + } + + /* Active Directory returns the domain name as the hostname + * in these referrals, so we can use that to look up the + * necessary connection. + */ + state->ref_domain = find_domain_by_name(state->host_domain, + lud->lud_host, true); + if (!state->ref_domain) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not find domain matching [%s]\n", + lud->lud_host); + ldap_free_urldesc(lud); + ret = EIO; + goto done; + } + + ldap_free_urldesc(lud); + lud = NULL; + + state->conn = ad_get_dom_ldap_conn(state->access_ctx->ad_id_ctx, + state->ref_domain); + if (!state->conn) { + DEBUG(SSSDBG_OP_FAILURE, + "No connection for %s\n", state->ref_domain->name); + ret = EINVAL; + goto done; + } + + /* Get the hostname we're going to connect to. + * We'll need this later for performing the samba + * connection. 
+ */ + ret = ldap_url_parse(state->conn->service->uri, &lud); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse service URI (%s)!\n", referral); + ret = EINVAL; + goto done; + } + + state->smb_host = talloc_strdup(state, lud->lud_host); + ldap_free_urldesc(lud); + if (!state->smb_host) { + ret = ENOMEM; + goto done; + } + + /* Start an ID operation for the referral */ + state->ref_op = sdap_id_op_create(state, state->conn->conn_cache); + if (!state->ref_op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n"); + ret = ENOMEM; + goto done; + } + + /* Establish the sdap_id_op connection */ + subreq = sdap_id_op_connect_send(state->ref_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n", + ret, sss_strerror(ret)); + goto done; + } + tevent_req_set_callback(subreq, ad_gpo_get_sd_referral_conn_done, req); + +done: + + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void +ad_gpo_get_sd_referral_search_done(struct tevent_req *subreq); + +static void +ad_gpo_get_sd_referral_conn_done(struct tevent_req *subreq) +{ + errno_t ret; + int dp_error; + const char *attrs[] = AD_GPO_ATTRS; + + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ad_gpo_get_sd_referral_state *state = + tevent_req_data(req, struct ad_gpo_get_sd_referral_state); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_TRACE_FUNC, + "Backend is marked offline, retry later!\n"); + tevent_req_done(req); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cross-realm GPO processing failed to connect to " \ + "referred LDAP server: (%d)[%s]\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + } + return; + } + + /* Request the referred GPO data */ + subreq = sdap_sd_search_send(state, state->ev, state->opts, + 
sdap_id_op_handle(state->ref_op), + state->gpo_dn, + SECINFO_DACL, + attrs, + state->timeout); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_sd_search_send failed.\n"); + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ad_gpo_get_sd_referral_search_done, req); + +} + +static void +ad_gpo_get_sd_referral_search_done(struct tevent_req *subreq) +{ + errno_t ret; + int dp_error; + size_t num_results, num_refs; + struct sysdb_attrs **results = NULL; + char **refs; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ad_gpo_get_sd_referral_state *state = + tevent_req_data(req, struct ad_gpo_get_sd_referral_state); + + ret = sdap_sd_search_recv(subreq, NULL, + &num_results, &results, + &num_refs, &refs); + talloc_zfree(subreq); + if (ret != EOK) { + ret = sdap_id_op_done(state->ref_op, ret, &dp_error); + + DEBUG(SSSDBG_OP_FAILURE, + "Unable to get GPO attributes: [%d](%s)\n", + ret, sss_strerror(ret)); + ret = ENOENT; + goto done; + + } + + if ((num_results < 1) || (results == NULL)) { + /* TODO: + * It's strictly possible for the referral search to return + * another referral value here, but it shouldn't actually + * happen with Active Directory. Properly handling (and + * limiting) the referral chain would be fairly complex, so + * we will do it later if it ever becomes necessary. 
+ */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "No attrs found for referred GPO [%s].\n", state->gpo_dn);
+ ret = ENOENT;
+ goto done;
+
+ } else if (num_results > 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Received multiple replies\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ state->reply = talloc_steal(state, results[0]);
+
+done:
+ talloc_free(results);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+}
+
+errno_t
+ad_gpo_get_sd_referral_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ char **_smb_host,
+ struct sysdb_attrs **_reply)
+{
+ struct ad_gpo_get_sd_referral_state *state =
+ tevent_req_data(req, struct ad_gpo_get_sd_referral_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_smb_host = talloc_steal(mem_ctx, state->smb_host);
+ *_reply = talloc_steal(mem_ctx, state->reply);
+
+ return EOK;
+}
diff --git a/src/providers/ad/ad_gpo.h b/src/providers/ad/ad_gpo.h
new file mode 100644
index 0000000..f57889f
--- /dev/null
+++ b/src/providers/ad/ad_gpo.h
@@ -0,0 +1,65 @@
+/*
+ SSSD
+
+ Authors:
+ Yassir Elley
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef AD_GPO_H_
+#define AD_GPO_H_
+
+#include "providers/ad/ad_access.h"
+
+#define AD_GPO_CHILD_OUT_FILENO 3
+
+#define AD_GPO_ATTRS {AD_AT_NT_SEC_DESC, \
+ AD_AT_CN, AD_AT_FILE_SYS_PATH, \
+ AD_AT_MACHINE_EXT_NAMES, \
+ AD_AT_FUNC_VERSION, \
+ AD_AT_FLAGS, \
+ NULL}
+
+/*
+ * This pair of functions provides client-side GPO processing.
+ *
+ * While a GPO can target both user and computer objects, this
+ * implementation only supports targetting of computer objects.
+ *
+ * A GPO overview is at https://fedorahosted.org/sssd/wiki/GpoOverview
+ *
+ * In summary, client-side processing involves:
+ * - determining the target's DN
+ * - extracting the SOM object DNs (i.e. OUs and Domain) from target's DN
+ * - including the target's Site as another SOM object
+ * - determining which GPOs apply to the target's SOMs
+ * - prioritizing GPOs based on SOM, link order, and whether GPO is "enforced"
+ * - retrieving the corresponding GPO objects
+ * - sending the GPO DNs to the CSE processing engine for policy application
+ * - policy application currently consists of HBAC-like functionality
+ */
+struct tevent_req *
+ad_gpo_access_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sss_domain_info *domain,
+ struct ad_access_ctx *ctx,
+ const char *user,
+ const char *service);
+
+errno_t ad_gpo_access_recv(struct tevent_req *req);
+
+#endif /* AD_GPO_H_ */
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
new file mode 100644
index 0000000..a0bd6e1
--- /dev/null
+++ b/src/providers/ad/ad_gpo_child.c
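Review bot: In ad_gpo.h the comment above `ad_gpo_access_send()` lists the processing steps but never states the result contract of `ad_gpo_access_recv()`, which is the value callers turn into an access decision. The implementation of that pair is not in this hunk, so the exact codes need confirming, but a line such as `/* ad_gpo_access_recv(): EOK = access granted; <denial code> = denied by policy; any other value = processing failure */` would tell callers which results must not be read as a grant. `AD_GPO_CHILD_OUT_FILENO 3` would also benefit from a comment saying it is the descriptor gpo_child writes its response to, since `gpo_fork_child()` in ad_gpo.c passes it to `exec_child_ex()` alongside `STDIN_FILENO`.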
@@ -0,0 +1,841 @@
+/*
+ SSSD
+
+ AD GPO Backend Module -- perform SMB and CSE processing in a child process
+
+ Authors:
+ Yassir Elley
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/child_common.h"
+#include "providers/backend.h"
+#include "providers/ad/ad_gpo.h"
+#include "sss_cli.h"
+
+#define SMB_BUFFER_SIZE 65536
+#define GPT_INI "/GPT.INI"
+#define INI_GENERAL_SECTION "General"
+#define GPT_INI_VERSION "Version"
+
+struct input_buffer {
+ int cached_gpt_version;
+ const char *smb_server;
+ const char *smb_share;
+ const char *smb_path;
+ const char *smb_cse_suffix;
+};
+
+static errno_t
+unpack_buffer(uint8_t *buf,
+ size_t size,
+ struct input_buffer *ibuf)
+{
+ size_t p = 0;
+ uint32_t len;
+ uint32_t cached_gpt_version;
+
+ /* cached_gpt_version */
+ SAFEALIGN_COPY_UINT32_CHECK(&cached_gpt_version, buf + p, size, &p);
+ DEBUG(SSSDBG_TRACE_FUNC, "cached_gpt_version: %d\n", cached_gpt_version);
+ ibuf->cached_gpt_version = cached_gpt_version;
+
+ /* smb_server */
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ DEBUG(SSSDBG_TRACE_ALL, "smb_server length: %d\n", len);
+ if (len == 0) {
+ return EINVAL;
+ } else {
+ if (len > size - p) return EINVAL;
+ ibuf->smb_server = talloc_strndup(ibuf, (char *)(buf + p), len);
+ if (ibuf->smb_server == NULL) return
ENOMEM;
+ DEBUG(SSSDBG_TRACE_ALL, "smb_server: %s\n", ibuf->smb_server);
+ p += len;
+ }
+
+ /* smb_share */
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ DEBUG(SSSDBG_TRACE_ALL, "smb_share length: %d\n", len);
+ if (len == 0) {
+ return EINVAL;
+ } else {
+ if (len > size - p) return EINVAL;
+ ibuf->smb_share = talloc_strndup(ibuf, (char *)(buf + p), len);
+ if (ibuf->smb_share == NULL) return ENOMEM;
+ DEBUG(SSSDBG_TRACE_ALL, "smb_share: %s\n", ibuf->smb_share);
+ p += len;
+ }
+
+ /* smb_path */
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ DEBUG(SSSDBG_TRACE_ALL, "smb_path length: %d\n", len);
+ if (len == 0) {
+ return EINVAL;
+ } else {
+ if (len > size - p) return EINVAL;
+ ibuf->smb_path = talloc_strndup(ibuf, (char *)(buf + p), len);
+ if (ibuf->smb_path == NULL) return ENOMEM;
+ DEBUG(SSSDBG_TRACE_ALL, "smb_path: %s\n", ibuf->smb_path);
+ p += len;
+ }
+
+ /* smb_cse_suffix */
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ DEBUG(SSSDBG_TRACE_ALL, "smb_cse_suffix length: %d\n", len);
+ if (len == 0) {
+ return EINVAL;
+ } else {
+ if (len > size - p) return EINVAL;
+ ibuf->smb_cse_suffix = talloc_strndup(ibuf, (char *)(buf + p), len);
+ if (ibuf->smb_cse_suffix == NULL) return ENOMEM;
+ DEBUG(SSSDBG_TRACE_ALL, "smb_cse_suffix: %s\n", ibuf->smb_cse_suffix);
+ p += len;
+ }
+
+ return EOK;
+}
+
+
+static errno_t
+pack_buffer(struct response *r,
+ int sysvol_gpt_version,
+ int result)
+{
+ size_t p = 0;
+
+ /* A buffer with the following structure must be created:
+ * uint32_t sysvol_gpt_version (required)
+ * uint32_t status of the request (required)
+ */
+ r->size = 2 * sizeof(uint32_t);
+
+ r->buf = talloc_array(r, uint8_t, r->size);
+ if(r->buf == NULL) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "result [%d]\n", result);
+
+ /* sysvol_gpt_version */
+ SAFEALIGN_SET_UINT32(&r->buf[p], sysvol_gpt_version, &p);
+
+ /* result */
+ SAFEALIGN_SET_UINT32(&r->buf[p], result, &p);
+
+ return EOK;
+}
+
+static errno_t
+prepare_response(TALLOC_CTX *mem_ctx,
+ int sysvol_gpt_version,
+ int result,
+ struct response **rsp)
+{
+ int ret;
+ struct response *r = NULL;
+
+ r = talloc_zero(mem_ctx, struct response);
+ if (r == NULL) {
+ return ENOMEM;
+ }
+
+ r->buf = NULL;
+ r->size = 0;
+
+ ret = pack_buffer(r, sysvol_gpt_version, result);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pack_buffer failed\n");
+ return ret;
+ }
+
+ *rsp = r;
+ DEBUG(SSSDBG_TRACE_ALL, "r->size: %zu\n", r->size);
+ return EOK;
+}
+
+static void
+sssd_krb_get_auth_data_fn(const char * pServer,
+ const char * pShare,
+ char * pWorkgroup,
+ int maxLenWorkgroup,
+ char * pUsername,
+ int maxLenUsername,
+ char * pPassword,
+ int maxLenPassword)
+{
+ /* since we are using kerberos for authentication, we simply return */
+ return;
+}
+
+/*
+ * This function prepares the gpo_cache by:
+ * - parsing the input_smb_path into its component directories
+ * - creating each component directory (if it doesn't already exist)
+ */
+static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx,
+ const char *cache_dir,
+ const char *input_smb_path_with_suffix)
+{
+ char *current_dir;
+ char *ptr;
+ const char delim = '/';
+ int num_dirs = 0;
+ int i;
+ char *first = NULL;
+ char *last = NULL;
+ char *smb_path_with_suffix = NULL;
+ errno_t ret;
+ mode_t old_umask;
+
+ smb_path_with_suffix = talloc_strdup(mem_ctx, input_smb_path_with_suffix);
+ if (smb_path_with_suffix == NULL) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "smb_path_with_suffix: %s\n", smb_path_with_suffix);
+
+ current_dir = talloc_strdup(mem_ctx, cache_dir);
+ if (current_dir == NULL) {
+ return ENOMEM;
+ }
+
+ ptr = smb_path_with_suffix + 1;
+ while ((ptr = strchr(ptr, delim))) {
+ ptr++;
+ num_dirs++;
+ }
+
+ ptr = smb_path_with_suffix + 1;
+
+ old_umask = umask(SSS_DFL_X_UMASK);
+ for (i = 0; i < num_dirs; i++) {
+ first = ptr;
+ last = strchr(first, delim);
+ if (last == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+ *last = '\0';
+ last++;
+
+ current_dir
= talloc_asprintf(mem_ctx, "%s/%s", current_dir, first);
+ if (current_dir == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Storing GPOs in %s\n", current_dir);
+
+ if ((mkdir(current_dir, 0700)) < 0 && errno != EEXIST) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "mkdir(%s) failed: %d\n", current_dir, ret);
+ goto done;
+ }
+
+ ptr = last;
+ }
+
+ ret = EOK;
+
+done:
+ umask(old_umask);
+
+ return ret;
+}
+
+/*
+ * This function stores the input buf to a local file, whose file path
+ * is constructed by concatenating:
+ * GPO_CACHE_PATH,
+ * input smb_path,
+ * input smb_cse_suffix
+ * Note that the backend will later read the file from the same file path.
+ */
+static errno_t gpo_cache_store_file(const char *smb_path,
+ const char *smb_cse_suffix,
+ uint8_t *buf,
+ int buflen)
+{
+ int ret;
+ int fret;
+ int fd = -1;
+ char *tmp_name = NULL;
+ ssize_t written;
+ char *filename = NULL;
+ char *smb_path_with_suffix = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ smb_path_with_suffix =
+ talloc_asprintf(tmp_ctx, "%s%s", smb_path, smb_cse_suffix);
+ if (smb_path_with_suffix == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* create component directories of smb_path, if needed */
+ ret = prepare_gpo_cache(tmp_ctx, GPO_CACHE_PATH, smb_path_with_suffix);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "prepare_gpo_cache failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ filename = talloc_asprintf(tmp_ctx, GPO_CACHE_PATH"%s", smb_path_with_suffix);
+ if (filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tmp_name = talloc_asprintf(tmp_ctx, "%sXXXXXX", filename);
+ if (tmp_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto
done;
+ }
+
+ fd = sss_unique_file(tmp_ctx, tmp_name, &ret);
+ if (fd == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_unique_file failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ errno = 0;
+ written = sss_atomic_write_s(fd, buf, buflen);
+ if (written == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "write failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ if (written != buflen) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Write error, wrote [%zd] bytes, expected [%d]\n",
+ written, buflen);
+ ret = EIO;
+ goto done;
+ }
+
+ ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fchmod failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = rename(tmp_name, filename);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "rename failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+ done:
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error encountered: %d.\n", ret);
+ }
+
+ if (fd != -1) {
+ fret = close(fd);
+ if (fret == -1) {
+ fret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "close failed [%d][%s].\n", fret, strerror(fret));
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+parse_ini_file_with_libini(struct ini_cfgobj *ini_config,
+ int *_gpt_version)
+{
+ int ret;
+ struct value_obj *vobj = NULL;
+ int gpt_version;
+
+ ret = ini_get_config_valueobj(INI_GENERAL_SECTION, GPT_INI_VERSION,
+ ini_config, INI_GET_FIRST_VALUE, &vobj);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_get_config_valueobj failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+ if (vobj == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "section/name not found: [%s][%s]\n",
+ INI_GENERAL_SECTION, GPT_INI_VERSION);
+ ret = EINVAL;
+ goto done;
+ }
+
+ gpt_version = ini_get_int32_config_value(vobj, 0, -1, &ret);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_get_int32_config_value failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ *_gpt_version = gpt_version;
+
+ ret = EOK;
+
+ done:
+
+ return ret;
+}
+
+/*
+ * This function parses the GPT_INI file stored in the gpo_cache, and uses the
+ * results to populate the output parameters ...
+ */
+static errno_t
+ad_gpo_parse_ini_file(const char *smb_path,
+ int *_gpt_version)
+{
+ struct ini_cfgfile *file_ctx = NULL;
+ struct ini_cfgobj *ini_config = NULL;
+ const char *ini_filename;
+ int ret;
+ int gpt_version = -1;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ini_filename = talloc_asprintf(tmp_ctx, GPO_CACHE_PATH"%s%s",
+ smb_path, GPT_INI);
+ if (ini_filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "ini_filename:%s\n", ini_filename);
+
+ ret = ini_config_create(&ini_config);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_config_create failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_config_file_open(ini_filename, 0, &file_ctx);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ini_config_file_open failed [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ini_config_parse(file_ctx, INI_STOP_ON_NONE, 0, 0, ini_config);
+ if (ret != 0) {
+ int lret;
+ char **errors;
+
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "[%s]: ini_config_parse failed [%d][%s]\n",
+ ini_filename, ret, strerror(ret));
+
+ /* Now get specific errors if there are any */
+ lret = ini_config_get_errors(ini_config, &errors);
+ if (lret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to get specific parse error [%d][%s]\n", lret,
+ strerror(lret));
+ goto done;
+ }
+
+ for (int i = 0; errors[i]; i++) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "%s\n", errors[i]);
+ }
+ ini_config_free_errors(errors);
+
+ goto done;
+ }
+
+ ret = parse_ini_file_with_libini(ini_config, &gpt_version);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "parse_ini_file_with_libini failed [%d][%s]\n",
+ ret,
strerror(ret));
+ goto done;
+ }
+
+ *_gpt_version = gpt_version;
+
+ done:
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error encountered: %d.\n", ret);
+ }
+
+ ini_config_file_destroy(file_ctx);
+ ini_config_destroy(ini_config);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * This function uses the input smb uri components to download a sysvol file
+ * (e.g. INI file, policy file, etc) and store it to the GPO_CACHE directory.
+ */
+static errno_t
+copy_smb_file_to_gpo_cache(SMBCCTX *smbc_ctx,
+ const char *smb_server,
+ const char *smb_share,
+ const char *smb_path,
+ const char *smb_cse_suffix)
+{
+ char *smb_uri = NULL;
+ SMBCFILE *file;
+ int ret;
+ uint8_t *buf = NULL;
+ int buflen = 0;
+
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ smb_uri = talloc_asprintf(tmp_ctx, "%s%s%s%s", smb_server,
+ smb_share, smb_path, smb_cse_suffix);
+ if (smb_uri == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "smb_uri: %s\n", smb_uri);
+
+ errno = 0;
+ file = smbc_getFunctionOpen(smbc_ctx)(smbc_ctx, smb_uri, O_RDONLY, 0755);
+ if (file == NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionOpen failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ buf = talloc_array(tmp_ctx, uint8_t, SMB_BUFFER_SIZE);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ errno = 0;
+ buflen = smbc_getFunctionRead(smbc_ctx)(smbc_ctx, file, buf, SMB_BUFFER_SIZE);
+ if (buflen < 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionRead failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "smb_buflen: %d\n", buflen);
+
+ ret = gpo_cache_store_file(smb_path, smb_cse_suffix, buf, buflen);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "gpo_cache_store_file failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto
done;
+ }
+
+ done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+
+/*
+ * Using its smb_uri components and cached_gpt_version inputs, this function
+ * does several things:
+ * - it downloads the GPT_INI file to GPO_CACHE
+ * - it parses the sysvol_gpt_version field from the GPT_INI file
+ * - if the sysvol_gpt_version is greater than the cached_gpt_version
+ * - it downloads the policy file to GPO_CACHE
+ * - else
+ * - it doesn't retrieve the policy file
+ * - in this case, the backend will use the existing policy file in GPO_CACHE
+ * - it returns the sysvol_gpt_version in the _sysvol_gpt_version output param
+ *
+ * Note that if the cached_gpt_version sent by the backend is -1 (to indicate
+ * that no gpt_version has been set in the cache for the corresponding gpo_guid),
+ * then the parsed sysvol_gpt_version (which must be at least 0) will be greater
+ * than the cached_gpt_version, thereby triggering a fresh download.
+ *
+ * Note that the backend will later do the following:
+ * - backend will save the sysvol_gpt_version to sysdb cache
+ * - backend will read the policy file from the GPO_CACHE
+ */
+static errno_t
+perform_smb_operations(int cached_gpt_version,
+ const char *smb_server,
+ const char *smb_share,
+ const char *smb_path,
+ const char *smb_cse_suffix,
+ int *_sysvol_gpt_version)
+{
+ SMBCCTX *smbc_ctx;
+ int ret;
+ int sysvol_gpt_version;
+
+ smbc_ctx = smbc_new_context();
+ if (smbc_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate new smbc context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ smbc_setOptionDebugToStderr(smbc_ctx, 1);
+ smbc_setFunctionAuthData(smbc_ctx, sssd_krb_get_auth_data_fn);
+ smbc_setOptionUseKerberos(smbc_ctx, 1);
+
+ /* Initialize the context using the previously specified options */
+ if (smbc_init_context(smbc_ctx) == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize smbc context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* download ini file */
+ ret = copy_smb_file_to_gpo_cache(smbc_ctx,
smb_server, smb_share, smb_path,
+ GPT_INI);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "copy_smb_file_to_gpo_cache failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = ad_gpo_parse_ini_file(smb_path, &sysvol_gpt_version);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse ini file: [%d][%s]\n", ret, strerror(ret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "sysvol_gpt_version: %d\n", sysvol_gpt_version);
+
+ if (sysvol_gpt_version > cached_gpt_version) {
+ /* download policy file */
+ ret = copy_smb_file_to_gpo_cache(smbc_ctx, smb_server, smb_share,
+ smb_path, smb_cse_suffix);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "copy_smb_file_to_gpo_cache failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ }
+
+ *_sysvol_gpt_version = sysvol_gpt_version;
+
+ done:
+ smbc_free_context(smbc_ctx, 0);
+ return ret;
+}
+
+int
+main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ int debug_fd = -1;
+ const char *opt_logger = NULL;
+ errno_t ret;
+ int sysvol_gpt_version;
+ int result;
+ TALLOC_CTX *main_ctx = NULL;
+ uint8_t *buf = NULL;
+ ssize_t len = 0;
+ struct input_buffer *ibuf = NULL;
+ struct response *resp = NULL;
+ ssize_t written;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0,
+ _("Debug level"), NULL},
+ {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0,
+ _("Add debug timestamps"), NULL},
+ {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0,
+ _("Show timestamps with microseconds"), NULL},
+ {"debug-fd", 0, POPT_ARG_INT, &debug_fd, 0,
+ _("An open file descriptor for the debug logs"), NULL},
+ {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+ &debug_to_stderr, 0,
+ _("Send the debug output to stderr directly."), NULL },
+ SSSD_LOGGER_OPTS
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used.
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ _exit(-1);
+ }
+ }
+
+ poptFreeContext(pc);
+
+ DEBUG_INIT(debug_level);
+
+ debug_prg_name = talloc_asprintf(NULL, "[sssd[gpo_child[%d]]]", getpid());
+ if (debug_prg_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ goto fail;
+ }
+
+ if (debug_fd != -1) {
+ ret = set_debug_file_from_fd(debug_fd);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
+ }
+ opt_logger = sss_logger_str[FILES_LOGGER];
+ }
+
+ sss_set_logger(opt_logger);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "gpo_child started.\n");
+
+ main_ctx = talloc_new(NULL);
+ if (main_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ talloc_free(discard_const(debug_prg_name));
+ goto fail;
+ }
+ talloc_steal(main_ctx, debug_prg_name);
+
+ buf = talloc_size(main_ctx, sizeof(uint8_t)*IN_BUF_SIZE);
+ if (buf == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+ goto fail;
+ }
+
+ ibuf = talloc_zero(main_ctx, struct input_buffer);
+ if (ibuf == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "context initialized\n");
+
+ errno = 0;
+ len = sss_atomic_read_s(STDIN_FILENO, buf, IN_BUF_SIZE);
+ if (len == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n", ret, strerror(ret));
+ goto fail;
+ }
+
+ close(STDIN_FILENO);
+
+ ret = unpack_buffer(buf, len, ibuf);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "unpack_buffer failed.[%d][%s].\n", ret, strerror(ret));
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "performing smb operations\n");
+
+ result = perform_smb_operations(ibuf->cached_gpt_version,
+ ibuf->smb_server,
+ ibuf->smb_share,
+ ibuf->smb_path,
+ ibuf->smb_cse_suffix,
+ &sysvol_gpt_version);
+ if (result != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "perform_smb_operations failed.[%d][%s].\n",
+ result, strerror(result));
+ goto fail;
+ }
+
+ ret = prepare_response(main_ctx, sysvol_gpt_version, result, &resp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "prepare_response failed. [%d][%s].\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ errno = 0;
+
+ written = sss_atomic_write_s(AD_GPO_CHILD_OUT_FILENO, resp->buf, resp->size);
+ if (written == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "write failed [%d][%s].\n", ret,
+ strerror(ret));
+ goto fail;
+ }
+
+ if (written != resp->size) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Expected to write %zu bytes, wrote %zu\n",
+ resp->size, written);
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "gpo_child completed successfully\n");
+ close(AD_GPO_CHILD_OUT_FILENO);
+ talloc_free(main_ctx);
+ return EXIT_SUCCESS;
+
+fail:
+ DEBUG(SSSDBG_CRIT_FAILURE, "gpo_child failed!\n");
+ close(AD_GPO_CHILD_OUT_FILENO);
+ talloc_free(main_ctx);
+ return EXIT_FAILURE;
+}
diff --git a/src/providers/ad/ad_gpo_ndr.c b/src/providers/ad/ad_gpo_ndr.c
new file mode 100644
index 0000000..884ab76
--- /dev/null
+++ b/src/providers/ad/ad_gpo_ndr.c
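Review bot: `copy_smb_file_to_gpo_cache()` issues a single `smbc_getFunctionRead()` call for at most `SMB_BUFFER_SIZE` (65536) bytes and stores whatever came back, so a policy file larger than 64 KiB, or one delivered in a short read, is cached truncated with no error, and later access decisions would be made from an incomplete policy. The `SMBCFILE` returned by the open call is also never closed, while `perform_smb_operations()` releases the context with `smbc_free_context(smbc_ctx, 0)`, which to my knowledge does not force-close files that are still open. I would read in a loop until the read returns 0, cap the total at an explicit limit, and close the handle on every path, as sketched below (`GPO_MAX_FILE_SIZE` is a placeholder name for a new constant). Separately, `smb_path` and `smb_cse_suffix` arrive on stdin and are appended to `GPO_CACHE_PATH` in `prepare_gpo_cache()` and `gpo_cache_store_file()` without rejecting `..` components; whether the parent already validates them is not visible in this hunk.

```c
    SMBCFILE *file = NULL;
    uint8_t *buf = NULL;
    uint8_t *grown;
    size_t total = 0;
    ssize_t nread;

    /* … unchanged: tmp_ctx allocation, smb_uri construction, smbc open … */

    do {
        if (total > GPO_MAX_FILE_SIZE - SMB_BUFFER_SIZE) {
            /* refuse to cache a policy file we cannot hold completely */
            ret = EFBIG;
            goto done;
        }

        grown = talloc_realloc(tmp_ctx, buf, uint8_t, total + SMB_BUFFER_SIZE);
        if (grown == NULL) {
            ret = ENOMEM;
            goto done;
        }
        buf = grown;

        errno = 0;
        nread = smbc_getFunctionRead(smbc_ctx)(smbc_ctx, file, buf + total,
                                               SMB_BUFFER_SIZE);
        if (nread < 0) {
            ret = errno;
            goto done;
        }
        total += nread;
    } while (nread > 0);

    ret = gpo_cache_store_file(smb_path, smb_cse_suffix, buf, (int)total);
    /* … unchanged: error logging for gpo_cache_store_file … */

 done:
    if (file != NULL) {
        smbc_getFunctionClose(smbc_ctx)(smbc_ctx, file);
    }
    talloc_free(tmp_ctx);
    return ret;
```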
@@ -0,0 +1,508 @@
+/*
+ SSSD
+
+ ad_gpo_ndr.c
+
+ Authors:
+ Yassir Elley
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/*
+ * This file contains a copy of samba's ndr_pull_* functions needed
+ * to parse a security_descriptor. We are copying them here so that we don't
+ * have to link against libsamba-security, which is a private samba library
+ * These functions are taken from:
+ * librpc/ndr/gen_ndr/ndr_security.c
+ * librpc/ndr/ndr_misc.c
+ * librpc/ndr/ndr_sec_helper.c
+ */
+
+#include "util/util.h"
+#include
+#include
+
+static enum ndr_err_code
+ndr_pull_GUID(struct ndr_pull *ndr,
+ int ndr_flags,
+ struct GUID *r)
+{
+ uint32_t size_clock_seq_0 = 0;
+ uint32_t size_node_0 = 0;
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 4));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->time_low));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_mid));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->time_hi_and_version));
+ size_clock_seq_0 = 2;
+ NDR_CHECK(ndr_pull_array_uint8(ndr,
+ NDR_SCALARS,
+ r->clock_seq,
+ size_clock_seq_0));
+ size_node_0 = 6;
+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->node, size_node_0));
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code
+ndr_pull_security_ace_flags(struct ndr_pull *ndr,
+ int ndr_flags,
+ uint8_t *r)
+{
+ uint8_t v;
+ NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_ace_type(struct ndr_pull *ndr,
+ int ndr_flags,
+ enum security_ace_type *r)
+{
+ uint8_t v;
+ NDR_CHECK(ndr_pull_enum_uint8(ndr, ndr_flags, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_ace_object_flags(struct ndr_pull *ndr,
+ int ndr_flags,
+ uint32_t *r)
+{
+ uint32_t v;
+ NDR_CHECK(ndr_pull_uint32(ndr, ndr_flags, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_ace_object_type(struct ndr_pull *ndr,
+ int ndr_flags,
+ union security_ace_object_type *r)
+{
+ uint32_t level;
+ level = ndr_pull_get_switch_value(ndr, r);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_union_align(ndr, 4));
+ switch (level) {
+ case SEC_ACE_OBJECT_TYPE_PRESENT: {
+ NDR_CHECK(ndr_pull_GUID(ndr, NDR_SCALARS, &r->type));
+ break; }
+ default: {
+ break; }
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ switch (level) {
+ case SEC_ACE_OBJECT_TYPE_PRESENT:
+ break;
+ default:
+ break;
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_ace_object_inherited_type(struct ndr_pull *ndr,
+ int ndr_flags,
+ union security_ace_object_inherited_type *r)
+{
+ uint32_t level;
+ level = ndr_pull_get_switch_value(ndr, r);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_union_align(ndr, 4));
+ switch (level) {
+ case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT: {
+ NDR_CHECK(ndr_pull_GUID(ndr,
+ NDR_SCALARS,
+ &r->inherited_type));
+ break; }
+ default: {
+ break; }
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ switch (level) {
+ case SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT:
+ break;
+ default:
+ break;
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code
+ndr_pull_security_ace_object(struct ndr_pull *ndr,
+
int ndr_flags,
+ struct security_ace_object *r)
+{
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 4));
+ NDR_CHECK(ndr_pull_security_ace_object_flags
+ (ndr, NDR_SCALARS, &r->flags));
+ NDR_CHECK(ndr_pull_set_switch_value
+ (ndr, &r->type, r->flags & SEC_ACE_OBJECT_TYPE_PRESENT));
+ NDR_CHECK(ndr_pull_security_ace_object_type
+ (ndr, NDR_SCALARS, &r->type));
+ NDR_CHECK(ndr_pull_set_switch_value
+ (ndr,
+ &r->inherited_type,
+ r->flags & SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT));
+ NDR_CHECK(ndr_pull_security_ace_object_inherited_type
+ (ndr, NDR_SCALARS, &r->inherited_type));
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_pull_security_ace_object_type
+ (ndr, NDR_BUFFERS, &r->type));
+ NDR_CHECK(ndr_pull_security_ace_object_inherited_type
+ (ndr, NDR_BUFFERS, &r->inherited_type));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_ace_object_ctr(struct ndr_pull *ndr,
+ int ndr_flags,
+ union security_ace_object_ctr *r)
+{
+ uint32_t level;
+ level = ndr_pull_get_switch_value(ndr, r);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_union_align(ndr, 4));
+ switch (level) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT: {
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_SCALARS, &r->object));
+ break; }
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: {
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_SCALARS, &r->object));
+ break; }
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT: {
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_SCALARS, &r->object));
+ break; }
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT: {
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_SCALARS, &r->object));
+ break; }
+ default: {
+ break; }
+ }
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ switch (level) {
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_BUFFERS, &r->object));
+ break;
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_BUFFERS, &r->object));
+ break;
+ case SEC_ACE_TYPE_SYSTEM_AUDIT_OBJECT:
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_BUFFERS, &r->object));
+ break;
+ case SEC_ACE_TYPE_SYSTEM_ALARM_OBJECT:
+ NDR_CHECK(ndr_pull_security_ace_object
+ (ndr, NDR_BUFFERS, &r->object));
+ break;
+ default:
+ break;
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code
+ndr_pull_dom_sid(struct ndr_pull *ndr,
+ int ndr_flags,
+ struct dom_sid *r)
+{
+ uint32_t cntr_sub_auths_0;
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 4));
+ NDR_CHECK(ndr_pull_uint8(ndr, NDR_SCALARS, &r->sid_rev_num));
+ NDR_CHECK(ndr_pull_int8(ndr, NDR_SCALARS, &r->num_auths));
+ if (r->num_auths < 0 || r->num_auths > ARRAY_SIZE(r->sub_auths)) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
+ }
+ NDR_CHECK(ndr_pull_array_uint8(ndr, NDR_SCALARS, r->id_auth, 6));
+ ZERO_STRUCT(r->sub_auths);
+ for (cntr_sub_auths_0 = 0;
+ cntr_sub_auths_0 < r->num_auths;
+ cntr_sub_auths_0++) {
+ NDR_CHECK(ndr_pull_uint32
+ (ndr, NDR_SCALARS, &r->sub_auths[cntr_sub_auths_0]));
+ }
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code
+ndr_pull_security_ace(struct ndr_pull *ndr,
+ int ndr_flags,
+ struct security_ace *r)
+{
+ if (ndr_flags & NDR_SCALARS) {
+ uint32_t start_ofs = ndr->offset;
+ uint32_t size = 0;
+ uint32_t pad = 0;
+ NDR_CHECK(ndr_pull_align(ndr, 4));
+ NDR_CHECK(ndr_pull_security_ace_type(ndr, NDR_SCALARS, &r->type));
+ NDR_CHECK(ndr_pull_security_ace_flags(ndr, NDR_SCALARS, &r->flags));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->access_mask));
+ NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type));
+ NDR_CHECK(ndr_pull_security_ace_object_ctr
+ (ndr, NDR_SCALARS, &r->object));
+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, &r->trustee));
+ size = ndr->offset - start_ofs;
+ if
(r->size < size) {
+ return ndr_pull_error(ndr, NDR_ERR_BUFSIZE,
+ "ndr_pull_security_ace: r->size %u < size %u",
+ (unsigned)r->size, size);
+ }
+ pad = r->size - size;
+ NDR_PULL_NEED_BYTES(ndr, pad);
+ ndr->offset += pad;
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ NDR_CHECK(ndr_pull_security_ace_object_ctr
+ (ndr, NDR_BUFFERS, &r->object));
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+static enum ndr_err_code
+ndr_pull_security_acl_revision(struct ndr_pull *ndr,
+ int ndr_flags,
+ enum security_acl_revision *r)
+{
+ uint16_t v;
+ NDR_CHECK(ndr_pull_enum_uint1632(ndr, ndr_flags, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_acl(struct ndr_pull *ndr,
+ int ndr_flags,
+ struct security_acl *r)
+{
+ uint32_t size_aces_0 = 0;
+ uint32_t cntr_aces_0;
+ TALLOC_CTX *_mem_save_aces_0;
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 4));
+ NDR_CHECK(ndr_pull_security_acl_revision
+ (ndr, NDR_SCALARS, &r->revision));
+ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->size));
+ NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->num_aces));
+ if (r->num_aces > 1000) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE, "value out of range");
+ }
+ size_aces_0 = r->num_aces;
+ NDR_PULL_ALLOC_N(ndr, r->aces, size_aces_0);
+ _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0);
+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) {
+ NDR_CHECK(ndr_pull_security_ace
+ (ndr, NDR_SCALARS, &r->aces[cntr_aces_0]));
+ }
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0, 0);
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 4));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ size_aces_0 = r->num_aces;
+ _mem_save_aces_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->aces, 0);
+ for (cntr_aces_0 = 0; cntr_aces_0 < size_aces_0; cntr_aces_0++) {
+ NDR_CHECK(ndr_pull_security_ace
+ (ndr, NDR_BUFFERS, &r->aces[cntr_aces_0]));
+ }
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_aces_0,
0);
+ }
+ return NDR_ERR_SUCCESS;
+}
+
+
+static enum ndr_err_code
+ndr_pull_security_descriptor_revision(struct ndr_pull *ndr,
+ int ndr_flags,
+ enum security_descriptor_revision *r)
+{
+ uint8_t v;
+ NDR_CHECK(ndr_pull_enum_uint8(ndr, ndr_flags, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+
+
+static enum ndr_err_code
+ndr_pull_security_descriptor_type(struct ndr_pull *ndr,
+ int ndr_flags,
+ uint16_t *r)
+{
+ uint16_t v;
+ NDR_CHECK(ndr_pull_uint16(ndr, ndr_flags, &v));
+ *r = v;
+ return NDR_ERR_SUCCESS;
+}
+
+
+enum ndr_err_code
+ad_gpo_ndr_pull_security_descriptor(struct ndr_pull *ndr,
+ int ndr_flags,
+ struct security_descriptor *r)
+{
+ uint32_t _ptr_owner_sid;
+ TALLOC_CTX *_mem_save_owner_sid_0;
+ uint32_t _ptr_group_sid;
+ TALLOC_CTX *_mem_save_group_sid_0;
+ uint32_t _ptr_sacl;
+ TALLOC_CTX *_mem_save_sacl_0;
+ uint32_t _ptr_dacl;
+ TALLOC_CTX *_mem_save_dacl_0;
+ uint32_t _flags_save_STRUCT = ndr->flags;
+ uint32_t _relative_save_offset;
+
+ ndr_set_flags(&ndr->flags, LIBNDR_FLAG_LITTLE_ENDIAN);
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ NDR_CHECK(ndr_pull_align(ndr, 5));
+ NDR_CHECK(ndr_pull_security_descriptor_revision(ndr,
+ NDR_SCALARS,
+ &r->revision));
+ NDR_CHECK(ndr_pull_security_descriptor_type(ndr,
+ NDR_SCALARS,
+ &r->type));
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_owner_sid));
+ if (_ptr_owner_sid) {
+ NDR_PULL_ALLOC(ndr, r->owner_sid);
+ NDR_CHECK(ndr_pull_relative_ptr1(ndr,
+ r->owner_sid,
+ _ptr_owner_sid));
+ } else {
+ r->owner_sid = NULL;
+ }
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_group_sid));
+ if (_ptr_group_sid) {
+ NDR_PULL_ALLOC(ndr, r->group_sid);
+ NDR_CHECK(ndr_pull_relative_ptr1(ndr,
+ r->group_sid,
+ _ptr_group_sid));
+ } else {
+ r->group_sid = NULL;
+ }
+ NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_sacl));
+ if (_ptr_sacl) {
+ NDR_PULL_ALLOC(ndr, r->sacl);
+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->sacl, _ptr_sacl));
+ } else {
+ r->sacl = NULL;
+ }
+
NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_dacl));
+ if (_ptr_dacl) {
+ NDR_PULL_ALLOC(ndr, r->dacl);
+ NDR_CHECK(ndr_pull_relative_ptr1(ndr, r->dacl, _ptr_dacl));
+ } else {
+ r->dacl = NULL;
+ }
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 5));
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ if (r->owner_sid) {
+ _relative_save_offset = ndr->offset;
+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->owner_sid));
+ _mem_save_owner_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->owner_sid, 0);
+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->owner_sid));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_owner_sid_0, 0);
+ if (ndr->offset > ndr->relative_highest_offset) {
+ ndr->relative_highest_offset = ndr->offset;
+ }
+ ndr->offset = _relative_save_offset;
+ }
+ if (r->group_sid) {
+ _relative_save_offset = ndr->offset;
+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->group_sid));
+ _mem_save_group_sid_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->group_sid, 0);
+ NDR_CHECK(ndr_pull_dom_sid(ndr, NDR_SCALARS, r->group_sid));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_group_sid_0, 0);
+ if (ndr->offset > ndr->relative_highest_offset) {
+ ndr->relative_highest_offset = ndr->offset;
+ }
+ ndr->offset = _relative_save_offset;
+ }
+ if (r->sacl) {
+ _relative_save_offset = ndr->offset;
+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->sacl));
+ _mem_save_sacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->sacl, 0);
+ NDR_CHECK(ndr_pull_security_acl(ndr,
+ NDR_SCALARS|NDR_BUFFERS,
+ r->sacl));
+ NDR_PULL_SET_MEM_CTX(ndr, _mem_save_sacl_0, 0);
+ if (ndr->offset > ndr->relative_highest_offset) {
+ ndr->relative_highest_offset = ndr->offset;
+ }
+ ndr->offset = _relative_save_offset;
+ }
+ if (r->dacl) {
+ _relative_save_offset = ndr->offset;
+ NDR_CHECK(ndr_pull_relative_ptr2(ndr, r->dacl));
+ _mem_save_dacl_0 = NDR_PULL_GET_MEM_CTX(ndr);
+ NDR_PULL_SET_MEM_CTX(ndr, r->dacl, 0);
+ NDR_CHECK(ndr_pull_security_acl(ndr,
+ NDR_SCALARS|NDR_BUFFERS,
+ r->dacl));
+
NDR_PULL_SET_MEM_CTX(ndr, _mem_save_dacl_0, 0);
+ if (ndr->offset > ndr->relative_highest_offset) {
+ ndr->relative_highest_offset = ndr->offset;
+ }
+ ndr->offset = _relative_save_offset;
+ }
+
+ ndr->flags = _flags_save_STRUCT;
+ }
+ return NDR_ERR_SUCCESS;
+}
diff --git a/src/providers/ad/ad_id.c b/src/providers/ad/ad_id.c
new file mode 100644
index 0000000..1da4843
--- /dev/null
+++ b/src/providers/ad/ad_id.c
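Review bot: In `ad_gpo_ndr_pull_security_descriptor()` the restore `ndr->flags = _flags_save_STRUCT;` sits inside the `if (ndr_flags & NDR_BUFFERS)` block, so a call that passes only `NDR_SCALARS` returns with `LIBNDR_FLAG_LITTLE_ENDIAN` still set on the caller's `ndr`. Moving that one line below the closing brace of the `NDR_BUFFERS` block makes the restore unconditional on the success path; the callers are not visible here, so this may be latent rather than reachable. Because the file is a hand-copied parser for security descriptors received from the directory, the header comment should also record which Samba release or commit the functions were taken from, for example `* Copied from Samba <VERSION-OR-COMMIT-PLACEHOLDER>`, so that upstream parser fixes can be tracked against this copy.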
@@ -0,0 +1,1434 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include "util/util.h" +#include "util/strtonum.h" +#include "providers/ad/ad_common.h" +#include "providers/ad/ad_id.h" +#include "providers/ad/ad_domain_info.h" +#include "providers/ad/ad_pac.h" +#include "providers/ldap/sdap_async_enum.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ldap/sdap_async.h" + +static bool ad_account_can_shortcut(struct sdap_idmap_ctx *idmap_ctx, + struct sss_domain_info *domain, + int filter_type, + const char *filter_value) +{ + struct sss_domain_info *dom_head = NULL; + struct sss_domain_info *sid_dom = NULL; + enum idmap_error_code err; + char *sid = NULL; + const char *csid = NULL; + uint32_t id; + bool shortcut = false; + errno_t ret; + + if (!sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, domain->name, + domain->domain_id)) { + goto done; + } + + switch (filter_type) { + case BE_FILTER_IDNUM: + /* convert value to ID */ + errno = 0; + id = strtouint32(filter_value, NULL, 10); + if (errno != 0) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert filter value to " + "number [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + /* convert the ID to its SID equivalent */ + err = sss_idmap_unix_to_sid(idmap_ctx->map, id, &sid); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, "Mapping ID [%s] to 
SID failed: " + "[%s]\n", filter_value, idmap_error_string(err)); + /* assume id is from a different domain */ + shortcut = true; + goto done; + } + /* fall through */ + SSS_ATTRIBUTE_FALLTHROUGH; + case BE_FILTER_SECID: + csid = sid == NULL ? filter_value : sid; + + dom_head = get_domains_head(domain); + if (dom_head == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find domain head\n"); + goto done; + } + + sid_dom = find_domain_by_sid(dom_head, csid); + if (sid_dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Invalid domain for SID:%s\n", csid); + goto done; + } + + if (strcasecmp(sid_dom->name, domain->name) != 0) { + shortcut = true; + } + break; + default: + break; + } + +done: + if (sid != NULL) { + sss_idmap_free_sid(idmap_ctx->map, sid); + } + + return shortcut; +} + +struct ad_handle_acct_info_state { + struct dp_id_data *ar; + struct sdap_id_ctx *ctx; + struct sdap_id_conn_ctx **conn; + struct sdap_domain *sdom; + size_t cindex; + struct ad_options *ad_options; + bool using_pac; + + int dp_error; + const char *err; +}; + +static errno_t ad_handle_acct_info_step(struct tevent_req *req); +static void ad_handle_acct_info_done(struct tevent_req *subreq); + +struct tevent_req * +ad_handle_acct_info_send(TALLOC_CTX *mem_ctx, + struct dp_id_data *ar, + struct sdap_id_ctx *ctx, + struct ad_options *ad_options, + struct sdap_domain *sdom, + struct sdap_id_conn_ctx **conn) +{ + struct tevent_req *req; + struct ad_handle_acct_info_state *state; + struct be_ctx *be_ctx = ctx->be; + errno_t ret; + bool shortcut; + + req = tevent_req_create(mem_ctx, &state, struct ad_handle_acct_info_state); + if (req == NULL) { + return NULL; + } + state->ar = ar; + state->ctx = ctx; + state->sdom = sdom; + state->conn = conn; + state->ad_options = ad_options; + state->cindex = 0; + + /* Try to shortcut if this is ID or SID search and it belongs to + * other domain range than is in ar->domain. 
*/ + shortcut = ad_account_can_shortcut(ctx->opts->idmap_ctx, + sdom->dom, + ar->filter_type, + ar->filter_value); + if (shortcut) { + DEBUG(SSSDBG_TRACE_FUNC, "This ID is from different domain\n"); + ret = EOK; + goto immediate; + } + + if (sss_domain_get_state(sdom->dom) == DOM_INACTIVE) { + ret = ERR_SUBDOM_INACTIVE; + goto immediate; + } + + ret = ad_handle_acct_info_step(req); + if (ret != EAGAIN) { + goto immediate; + } + + /* Lookup in progress */ + return req; + +immediate: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, be_ctx->ev); + return req; +} + +static errno_t +ad_handle_acct_info_step(struct tevent_req *req) +{ + struct tevent_req *subreq = NULL; + struct ad_handle_acct_info_state *state = tevent_req_data(req, + struct ad_handle_acct_info_state); + bool noexist_delete = false; + struct ldb_message *msg; + int ret; + + if (state->conn[state->cindex] == NULL) { + return EOK; + } + + if (state->conn[state->cindex+1] == NULL) { + noexist_delete = true; + } + + + state->using_pac = false; + if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) { + ret = check_if_pac_is_available(state, state->sdom->dom, + state->ar, &msg); + + if (ret == EOK) { + /* evaluate PAC */ + state->using_pac = true; + subreq = ad_handle_pac_initgr_send(state, state->ctx->be, + state->ar, state->ctx, + state->sdom, + state->conn[state->cindex], + noexist_delete, + msg); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ad_handle_pac_initgr_send failed.\n"); + return ENOMEM; + } + + } + + /* Fall through if there is no PAC or any other error */ + } + + if (subreq == NULL) { + subreq = sdap_handle_acct_req_send(state, state->ctx->be, + state->ar, state->ctx, + state->sdom, + state->conn[state->cindex], + noexist_delete); + if (subreq == NULL) { + return ENOMEM; + } + } + + tevent_req_set_callback(subreq, ad_handle_acct_info_done, req); + return EAGAIN; +} + +static void 
+ad_handle_acct_info_done(struct tevent_req *subreq) +{ + errno_t ret; + int dp_error; + int sdap_err; + const char *err; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_handle_acct_info_state *state = tevent_req_data(req, + struct ad_handle_acct_info_state); + + if (state->using_pac) { + ret = ad_handle_pac_initgr_recv(subreq, &dp_error, &err, &sdap_err); + } else { + ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err, &sdap_err); + } + if (dp_error == DP_ERR_OFFLINE + && state->conn[state->cindex+1] != NULL + && state->conn[state->cindex]->ignore_mark_offline) { + /* This is a special case: GC does not work. + * We need to Fall back to ldap + */ + ret = EOK; + sdap_err = ENOENT; + } + talloc_zfree(subreq); + if (ret != EOK) { + /* if GC was not used dp error should be set */ + state->dp_error = dp_error; + state->err = err; + + goto fail; + } + + if (sdap_err == EOK) { + tevent_req_done(req); + return; + } else if (sdap_err != ENOENT) { + ret = EIO; + goto fail; + } + + /* Ret is only ENOENT now. Try the next connection */ + state->cindex++; + ret = ad_handle_acct_info_step(req); + if (ret != EAGAIN) { + /* No additional search in progress. Save the last + * error status, we'll be returning it. + */ + state->dp_error = dp_error; + state->err = err; + + if (ret == EOK) { + /* No more connections */ + tevent_req_done(req); + } else { + goto fail; + } + return; + } + + /* Another lookup in progress */ + return; + +fail: + if (IS_SUBDOMAIN(state->sdom->dom)) { + /* Deactivate subdomain on lookup errors instead of going + * offline completely. + * This is a stopgap, until our failover is per-domain, + * not per-backend. Unfortunately, we can't rewrite the error + * code on some reported codes only, because sdap_id_op code + * encapsulated the failover as well.. 
+ */ + ret = ERR_SUBDOM_INACTIVE; + } + tevent_req_error(req, ret); + return; +} + +errno_t +ad_handle_acct_info_recv(struct tevent_req *req, + int *_dp_error, const char **_err) +{ + struct ad_handle_acct_info_state *state = tevent_req_data(req, + struct ad_handle_acct_info_state); + + if (_dp_error) { + *_dp_error = state->dp_error; + } + + if (_err) { + *_err = state->err; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +struct sdap_id_conn_ctx ** +get_conn_list(TALLOC_CTX *mem_ctx, struct ad_id_ctx *ad_ctx, + struct sss_domain_info *dom, struct dp_id_data *ar) +{ + struct sdap_id_conn_ctx **clist; + + switch (ar->entry_type & BE_REQ_TYPE_MASK) { + case BE_REQ_USER: /* user */ + clist = ad_user_conn_list(mem_ctx, ad_ctx, dom); + break; + case BE_REQ_BY_SECID: /* by SID */ + case BE_REQ_USER_AND_GROUP: /* get SID */ + case BE_REQ_GROUP: /* group */ + case BE_REQ_INITGROUPS: /* init groups for user */ + clist = ad_gc_conn_list(mem_ctx, ad_ctx, dom); + break; + default: + /* Requests for other object should only contact LDAP by default */ + clist = ad_ldap_conn_list(mem_ctx, ad_ctx, dom); + break; + } + + return clist; +} + +struct ad_account_info_handler_state { + struct sss_domain_info *domain; + struct dp_reply_std reply; +}; + +static void ad_account_info_handler_done(struct tevent_req *subreq); + +struct tevent_req * +ad_account_info_handler_send(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *id_ctx, + struct dp_id_data *data, + struct dp_req_params *params) +{ + struct ad_account_info_handler_state *state; + struct sdap_id_conn_ctx **clist; + struct sdap_id_ctx *sdap_id_ctx; + struct sss_domain_info *domain; + struct sdap_domain *sdom; + struct tevent_req *subreq; + struct tevent_req *req; + struct be_ctx *be_ctx; + errno_t ret; + + sdap_id_ctx = id_ctx->sdap_id_ctx; + be_ctx = params->be_ctx; + + req = tevent_req_create(mem_ctx, &state, + struct ad_account_info_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() 
failed\n"); + return NULL; + } + + if (sdap_is_enum_request(data)) { + DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n"); + ret = EOK; + goto immediately; + } + + domain = be_ctx->domain; + if (strcasecmp(data->domain, be_ctx->domain->name) != 0) { + /* Subdomain request, verify subdomain. */ + domain = find_domain_by_name(be_ctx->domain, data->domain, true); + } + + if (domain == NULL) { + ret = EINVAL; + goto immediately; + } + + /* Determine whether to connect to GC, LDAP or try both. */ + clist = get_conn_list(state, id_ctx, domain, data); + if (clist == NULL) { + ret = EIO; + goto immediately; + } + + sdom = sdap_domain_get(sdap_id_ctx->opts, domain); + if (sdom == NULL) { + ret = EIO; + goto immediately; + } + + state->domain = sdom->dom; + + subreq = ad_handle_acct_info_send(state, data, sdap_id_ctx, + id_ctx->ad_options, sdom, clist); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ad_account_info_handler_done, req); + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ad_account_info_handler_done(struct tevent_req *subreq) +{ + struct ad_account_info_handler_state *state; + struct tevent_req *req; + const char *err_msg; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_account_info_handler_state); + + ret = ad_handle_acct_info_recv(subreq, &dp_error, &err_msg); + talloc_zfree(subreq); + + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + dp_reply_std_set(&state->reply, dp_error, ret, err_msg); + tevent_req_done(req); +} + +errno_t ad_account_info_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct ad_account_info_handler_state *state = NULL; + + state = tevent_req_data(req, struct ad_account_info_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} + +struct ad_enumeration_state { + struct ad_id_ctx *id_ctx; + struct ldap_enum_ctx *ectx; + struct sdap_id_op *sdap_op; + struct tevent_context *ev; + + const char *realm; + struct sdap_domain *sdom; + struct sdap_domain *sditer; +}; + +static void ad_enumeration_conn_done(struct tevent_req *subreq); +static void ad_enumeration_master_done(struct tevent_req *subreq); +static errno_t ad_enum_sdom(struct tevent_req *req, struct sdap_domain *sd, + struct ad_id_ctx *id_ctx); +static void ad_enumeration_done(struct tevent_req *subreq); + +struct tevent_req * +ad_enumeration_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct ad_enumeration_state *state; + struct ldap_enum_ctx *ectx; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ad_enumeration_state); + if (req == NULL) return NULL; + + ectx = talloc_get_type(pvt, struct ldap_enum_ctx); + if (ectx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot retrieve ldap_enum_ctx!\n"); + ret = EFAULT; + goto fail; + } + + state->ectx = ectx; + state->ev = ev; + state->sdom = ectx->sdom; + state->sditer = state->sdom; + state->id_ctx = talloc_get_type(ectx->pvt, struct ad_id_ctx); + + state->realm = dp_opt_get_cstring(state->id_ctx->ad_options->basic, + AD_KRB5_REALM); + if (state->realm == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm\n"); + ret = EINVAL; + goto fail; + } + + state->sdap_op = sdap_id_op_create(state, + state->id_ctx->ldap_ctx->conn_cache); + if 
(state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n"); + ret = ENOMEM; + goto fail; + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret)); + goto fail; + } + tevent_req_set_callback(subreq, ad_enumeration_conn_done, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void +ad_enumeration_conn_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_enumeration_state *state = tevent_req_data(req, + struct ad_enumeration_state); + int ret, dp_error; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_TRACE_FUNC, + "Backend is marked offline, retry later!\n"); + tevent_req_done(req); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Domain enumeration failed to connect to " \ + "LDAP server: (%d)[%s]\n", ret, strerror(ret)); + tevent_req_error(req, ret); + } + return; + } + + subreq = ad_master_domain_send(state, state->ev, + state->id_ctx->ldap_ctx, + state->sdap_op, + state->sdom->dom->name); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ad_master_domain_send failed.\n"); + tevent_req_error(req, ret); + return; + } + tevent_req_set_callback(subreq, ad_enumeration_master_done, req); +} + +static void +ad_enumeration_master_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_enumeration_state *state = tevent_req_data(req, + struct ad_enumeration_state); + char *flat_name; + char *master_sid; + char *forest; + + ret = ad_master_domain_recv(subreq, state, + &flat_name, &master_sid, NULL, &forest); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve 
master domain info\n"); + tevent_req_error(req, ret); + return; + } + + ret = sysdb_master_domain_add_info(state->sdom->dom, state->realm, + flat_name, master_sid, forest, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot save master domain info\n"); + tevent_req_error(req, ret); + return; + } + + ret = ad_enum_sdom(req, state->sdom, state->id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not enumerate domain %s\n", state->sdom->dom->name); + tevent_req_error(req, ret); + return; + } + + /* Execution will resume in ad_enumeration_done */ +} + +static errno_t +ad_enum_sdom(struct tevent_req *req, + struct sdap_domain *sd, + struct ad_id_ctx *id_ctx) +{ + struct sdap_id_conn_ctx *user_conn; + struct tevent_req *subreq; + struct ad_enumeration_state *state = tevent_req_data(req, + struct ad_enumeration_state); + + if (dp_opt_get_bool(id_ctx->ad_options->basic, AD_ENABLE_GC)) { + user_conn = id_ctx->gc_ctx; + } else { + user_conn = id_ctx->ldap_ctx; + } + + /* Groups are searched for in LDAP, users in GC. 
Services (if present, + * which is unlikely in AD) from LDAP as well + */ + subreq = sdap_dom_enum_ex_send(state, state->ev, + id_ctx->sdap_id_ctx, + sd, + user_conn, /* Users */ + id_ctx->ldap_ctx, /* Groups */ + id_ctx->ldap_ctx); /* Services */ + if (subreq == NULL) { + /* The ptask API will reschedule the enumeration on its own on + * failure */ + DEBUG(SSSDBG_OP_FAILURE, + "Failed to schedule enumeration, retrying later!\n"); + return ENOMEM; + } + tevent_req_set_callback(subreq, ad_enumeration_done, req); + + return EOK; +} + +static errno_t ad_enum_cross_dom_members(struct sdap_options *opts, + struct sss_domain_info *dom); + +static void +ad_enumeration_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_enumeration_state *state = tevent_req_data(req, + struct ad_enumeration_state); + + ret = sdap_dom_enum_ex_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not enumerate domain %s\n", state->sditer->dom->name); + tevent_req_error(req, ret); + return; + } + + do { + state->sditer = state->sditer->next; + } while (state->sditer && + state->sditer->dom->enumerate == false); + + if (state->sditer != NULL) { + ret = ad_enum_sdom(req, state->sditer, state->sditer->pvt); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not enumerate domain %s\n", + state->sditer->dom->name); + tevent_req_error(req, ret); + return; + } + + /* Execution will resume in ad_enumeration_done */ + return; + } + + /* No more subdomains to enumerate. Check if we need to fixup + * cross-domain membership + */ + if (state->sditer != state->sdom) { + /* We did enumerate at least one subdomain. 
Walk the subdomains + * and fixup members for each of them + */ + for (state->sditer = state->sdom; + state->sditer; + state->sditer = state->sditer->next) { + ret = ad_enum_cross_dom_members(state->id_ctx->ad_options->id, + state->sditer->dom); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not check cross-domain " + "memberships for %s, group memberships might be " + "incomplete!\n", state->sdom->dom->name); + continue; + } + } + } + + tevent_req_done(req); +} + +static errno_t ad_group_extra_members(TALLOC_CTX *mem_ctx, + const struct ldb_message *group, + struct sss_domain_info *dom, + char ***_group_only); +static errno_t ad_group_add_member(struct sdap_options *opts, + struct sss_domain_info *group_domain, + struct ldb_dn *group_dn, + const char *member); + +static errno_t +ad_enum_cross_dom_members(struct sdap_options *opts, + struct sss_domain_info *dom) +{ + errno_t ret; + errno_t sret; + char *filter; + TALLOC_CTX *tmp_ctx; + const char *attrs[] = { + SYSDB_NAME, + SYSDB_MEMBER, + SYSDB_ORIG_MEMBER, + NULL + }; + size_t count, i, mi; + struct ldb_message **msgs; + bool in_transaction = false; + char **group_only; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + + ret = sysdb_transaction_start(dom->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + filter = talloc_asprintf(tmp_ctx, "(%s=*)", SYSDB_NAME); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_groups(tmp_ctx, dom, filter, attrs, &count, &msgs); + if (ret != EOK) { + goto done; + } + + for (i = 0; i < count; i++) { + ret = ad_group_extra_members(tmp_ctx, msgs[i], dom, &group_only); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to check extra members\n"); + continue; + } else if (group_only == NULL) { + DEBUG(SSSDBG_TRACE_INTERNAL, "No extra members\n"); + continue; + } + + /* Group has extra members */ + for (mi = 0; group_only[mi]; mi++) { + 
ret = ad_group_add_member(opts, dom, msgs[i]->dn, group_only[mi]); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to add [%s]: %s\n", + group_only[mi], strerror(ret)); + continue; + } + } + + talloc_zfree(group_only); + } + + ret = sysdb_transaction_commit(dom->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(dom->sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n"); + } + } + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ad_group_stored_orig_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + struct ldb_dn *dn, char ***_odn_list); + +static errno_t +ad_group_extra_members(TALLOC_CTX *mem_ctx, const struct ldb_message *group, + struct sss_domain_info *dom, char ***_group_only) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message_element *m, *om; + const char *name; + errno_t ret; + char **sysdb_odn_list; + const char **group_odn_list; + char **group_only = NULL; + + if (_group_only == NULL) return EINVAL; + *_group_only = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + + om = ldb_msg_find_element(group, SYSDB_ORIG_MEMBER); + m = ldb_msg_find_element(group, SYSDB_MEMBER); + name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "A group with no name!\n"); + ret = EFAULT; + goto done; + } + + if (om == NULL || om->num_values == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Group %s has no original members\n", name); + ret = EOK; + goto done; + } + + if (m == NULL || (m->num_values < om->num_values)) { + DEBUG(SSSDBG_TRACE_FUNC, + "Group %s has %d members but %d original members\n", + name, m ? 
m->num_values : 0, om->num_values); + + /* Get the list of originalDN attributes that are already + * linked to the group + */ + ret = ad_group_stored_orig_members(tmp_ctx, dom, group->dn, + &sysdb_odn_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not retrieve list of original members for %s\n", + name); + goto done; + } + + /* Get the list of original DN attributes the group had in AD */ + group_odn_list = sss_ldb_el_to_string_list(tmp_ctx, om); + if (group_odn_list == NULL) { + ret = EFAULT; + goto done; + } + + /* Compare the two lists */ + ret = diff_string_lists(tmp_ctx, discard_const(group_odn_list), + sysdb_odn_list, &group_only, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not compare lists of members for %s\n", name); + goto done; + } + } + + ret = EOK; + *_group_only = talloc_steal(mem_ctx, group_only); +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ad_group_stored_orig_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + struct ldb_dn *dn, char ***_odn_list) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + size_t m_count, i; + struct ldb_message **members; + const char *attrs[] = { + SYSDB_NAME, + SYSDB_ORIG_DN, + NULL + }; + char **odn_list; + const char *odn; + size_t oi; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + + /* Get all entries member element points to */ + ret = sysdb_asq_search(tmp_ctx, dom, dn, NULL, SYSDB_MEMBER, + attrs, &m_count, &members); + if (ret != EOK) { + goto done; + } + + odn_list = talloc_zero_array(tmp_ctx, char *, m_count + 1); + if (odn_list == NULL) { + ret = ENOMEM; + goto done; + } + + /* Get a list of their original DNs */ + oi = 0; + for (i = 0; i < m_count; i++) { + odn = ldb_msg_find_attr_as_string(members[i], SYSDB_ORIG_DN, NULL); + if (odn == NULL) { + continue; + } + + odn_list[oi] = talloc_strdup(odn_list, odn); + if (odn_list[oi] == NULL) { + ret = ENOMEM; + goto done; + } + oi++; + DEBUG(SSSDBG_TRACE_INTERNAL, "Member %s 
already in sysdb\n", odn); + } + + ret = EOK; + *_odn_list = talloc_steal(mem_ctx, odn_list); +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ad_group_add_member(struct sdap_options *opts, + struct sss_domain_info *group_domain, + struct ldb_dn *group_dn, + const char *member) +{ + struct sdap_domain *sd; + struct ldb_dn *base_dn; + TALLOC_CTX *tmp_ctx; + errno_t ret; + const char *mem_filter; + size_t msgs_count; + struct ldb_message **msgs; + + /* This member would be from a different domain */ + sd = sdap_domain_get_by_dn(opts, member); + if (sd == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No matching domain for %s\n", member); + return ENOENT; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + + mem_filter = talloc_asprintf(tmp_ctx, "(%s=%s)", + SYSDB_ORIG_DN, member); + if (mem_filter == NULL) { + ret = ENOMEM; + goto done; + } + + base_dn = sysdb_domain_dn(tmp_ctx, sd->dom); + if (base_dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_entry(tmp_ctx, sd->dom->sysdb, base_dn, + LDB_SCOPE_SUBTREE, mem_filter, NULL, + &msgs_count, &msgs); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "No member [%s] in sysdb\n", member); + ret = EOK; + goto done; + } else if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "[%s] found in sysdb\n", member); + + if (msgs_count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Search by orig DN returned %zd results!\n", msgs_count); + ret = EFAULT; + goto done; + } + + ret = sysdb_mod_group_member(group_domain, msgs[0]->dn, group_dn, SYSDB_MOD_ADD); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add [%s] as a member of [%s]\n", + ldb_dn_get_linearized(msgs[0]->dn), + ldb_dn_get_linearized(group_dn)); + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +ad_enumeration_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +static errno_t ad_get_account_domain_prepare_search(struct 
tevent_req *req); +static errno_t ad_get_account_domain_connect_retry(struct tevent_req *req); +static void ad_get_account_domain_connect_done(struct tevent_req *subreq); +static void ad_get_account_domain_search(struct tevent_req *req); +static void ad_get_account_domain_search_done(struct tevent_req *subreq); +static void ad_get_account_domain_evaluate(struct tevent_req *req); + +struct ad_get_account_domain_state { + struct tevent_context *ev; + struct ad_id_ctx *id_ctx; + struct sdap_id_ctx *sdap_id_ctx; + struct sdap_domain *sdom; + uint32_t entry_type; + uint32_t filter_type; + char *clean_filter; + + bool twopass; + + struct sdap_search_base **search_bases; + size_t base_iter; + const char *base_filter; + char *filter; + const char **attrs; + int dp_error; + struct dp_reply_std reply; + struct sdap_id_op *op; + struct sysdb_attrs **objects; + size_t count; + + const char *found_domain_name; +}; + +struct tevent_req * +ad_get_account_domain_send(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *id_ctx, + struct dp_get_acct_domain_data *data, + struct dp_req_params *params) +{ + struct ad_get_account_domain_state *state; + struct tevent_req *req; + errno_t ret; + bool use_id_mapping; + + req = tevent_req_create(mem_ctx, &state, + struct ad_get_account_domain_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + state->ev = params->ev; + state->id_ctx = id_ctx; + state->sdap_id_ctx = id_ctx->sdap_id_ctx; + state->entry_type = data->entry_type & BE_REQ_TYPE_MASK; + state->filter_type = data->filter_type; + state->attrs = talloc_array(state, const char *, 2); + if (state->attrs == NULL) { + ret = ENOMEM; + goto immediately; + } + state->attrs[0] = "objectclass"; + state->attrs[1] = NULL; + + if (params->be_ctx->domain->mpg == true + || state->entry_type == BE_REQ_USER_AND_GROUP) { + state->twopass = true; + if (state->entry_type == BE_REQ_USER_AND_GROUP) { + state->entry_type = BE_REQ_GROUP; + } + } + + /* The 
get-account-domain request only works with GC */ + if (dp_opt_get_bool(id_ctx->ad_options->basic, AD_ENABLE_GC) == false) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Global catalog support is not enabled, " + "cannot locate the account domain\n"); + ret = ERR_GET_ACCT_DOM_NOT_SUPPORTED; + goto immediately; + } + + state->sdom = sdap_domain_get(id_ctx->sdap_id_ctx->opts, + params->be_ctx->domain); + if (state->sdom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find sdap_domain\n"); + ret = EIO; + goto immediately; + } + + /* Currently we only support locating the account domain + * if ID mapping is disabled. With ID mapping enabled, we can + * already shortcut the 'real' ID request + */ + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping( + state->sdap_id_ctx->opts->idmap_ctx, + state->sdom->dom->name, + state->sdom->dom->domain_id); + if (use_id_mapping == true) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No point in locating domain with GC if ID-mapping " + "is enabled\n"); + ret = ERR_GET_ACCT_DOM_NOT_SUPPORTED; + goto immediately; + } + + ret = sss_filter_sanitize(state, data->filter_value, &state->clean_filter); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot sanitize filter [%d]: %s\n", ret, sss_strerror(ret)); + goto immediately; + } + + ret = ad_get_account_domain_prepare_search(req); + if (ret != EOK) { + goto immediately; + } + + /* FIXME - should gc_ctx always default to ignore_offline on creation + * time rather than setting the flag on first use? 
+ */ + id_ctx->gc_ctx->ignore_mark_offline = true; + state->op = sdap_id_op_create(state, id_ctx->gc_ctx->conn_cache); + if (state->op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto immediately; + } + + ret = ad_get_account_domain_connect_retry(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Connection error"); + goto immediately; + } + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static errno_t ad_get_account_domain_prepare_search(struct tevent_req *req) +{ + struct ad_get_account_domain_state *state = tevent_req_data(req, + struct ad_get_account_domain_state); + const char *attr_name = NULL; + const char *objectclass = NULL; + + switch (state->entry_type) { + case BE_REQ_USER: + state->search_bases = state->sdom->user_search_bases; + attr_name = state->sdap_id_ctx->opts->user_map[SDAP_AT_USER_UID].name; + objectclass = state->sdap_id_ctx->opts->user_map[SDAP_OC_USER].name; + break; + case BE_REQ_GROUP: + state->search_bases = state->sdom->group_search_bases; + attr_name = state->sdap_id_ctx->opts->group_map[SDAP_AT_GROUP_GID].name; + objectclass = state->sdap_id_ctx->opts->group_map[SDAP_OC_GROUP].name; + break; + default: + DEBUG(SSSDBG_OP_FAILURE, + "Unsupported request type %X\n", + state->entry_type & BE_REQ_TYPE_MASK); + return EINVAL; + } + + switch (state->filter_type) { + case BE_FILTER_IDNUM: + break; + default: + DEBUG(SSSDBG_OP_FAILURE, + "Unsupported filter type %X\n", state->filter_type); + return EINVAL; + } + + talloc_zfree(state->base_filter); + state->base_filter = talloc_asprintf(state, + "(&(%s=%s)(objectclass=%s))", + attr_name, + state->clean_filter, + objectclass); + if (state->base_filter == NULL) { + return ENOMEM; + } + + return EOK; +} + +static errno_t 
ad_get_account_domain_connect_retry(struct tevent_req *req) +{ + struct ad_get_account_domain_state *state = tevent_req_data(req, + struct ad_get_account_domain_state); + struct tevent_req *subreq; + errno_t ret; + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ad_get_account_domain_connect_done, req); + return ret; +} + +static void ad_get_account_domain_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ad_get_account_domain_state *state = tevent_req_data(req, + struct ad_get_account_domain_state); + int dp_error = DP_ERR_FATAL; + errno_t ret; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + ad_get_account_domain_search(req); +} + +static void ad_get_account_domain_search(struct tevent_req *req) +{ + struct ad_get_account_domain_state *state = tevent_req_data(req, + struct ad_get_account_domain_state); + struct tevent_req *subreq; + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (state->filter == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts, + sdap_id_op_handle(state->op), + "", + LDAP_SCOPE_SUBTREE, + state->filter, + state->attrs, NULL, 0, + dp_opt_get_int(state->sdap_id_ctx->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + tevent_req_error(req, EIO); + return; + } + + tevent_req_set_callback(subreq, ad_get_account_domain_search_done, req); +} + +static void ad_get_account_domain_search_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + 
struct tevent_req); + struct ad_get_account_domain_state *state = tevent_req_data(req, + struct ad_get_account_domain_state); + size_t count; + struct sysdb_attrs **objects; + errno_t ret; + + ret = sdap_get_generic_recv(subreq, state, + &count, &objects); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Search returned %zu results.\n", count); + + if (count > 0) { + size_t copied; + + state->objects = + talloc_realloc(state, + state->objects, + struct sysdb_attrs *, + state->count + count + 1); + if (!state->objects) { + tevent_req_error(req, ENOMEM); + return; + } + + copied = sdap_steal_objects_in_dom(state->sdap_id_ctx->opts, + state->objects, + state->count, + NULL, + objects, count, + false); + + state->count += copied; + state->objects[state->count] = NULL; + } + + /* Even though we search with an empty search base (=across all domains) + * the reason we iterate over search bases is that the search bases can + * also contain a filter which might restrict the IDs we find + */ + state->base_iter++; + if (state->search_bases[state->base_iter]) { + /* There are more search bases to try */ + ad_get_account_domain_search(req); + return; + } + + /* No more searches, evaluate results */ + ad_get_account_domain_evaluate(req); +} + +static void ad_get_account_domain_evaluate(struct tevent_req *req) +{ + struct ad_get_account_domain_state *state = tevent_req_data(req, + struct ad_get_account_domain_state); + struct sss_domain_info *obj_dom; + errno_t ret; + + if (state->count == 0) { + if (state->twopass + && state->entry_type != BE_REQ_USER) { + DEBUG(SSSDBG_TRACE_FUNC, "Retrying search\n"); + + state->entry_type = BE_REQ_USER; + state->base_iter = 0; + ret = ad_get_account_domain_prepare_search(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot retry search\n"); + tevent_req_error(req, ret); + return; + } + + ad_get_account_domain_search(req); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Not 
found\n"); + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ERR_NOT_FOUND, NULL); + tevent_req_done(req); + return; + } else if (state->count > 1) { + /* FIXME: If more than one entry was found, return error for now + * as the account requsts have no way of returning multiple + * messages back until we switch to the rdp_* requests + * from the responder side + */ + DEBUG(SSSDBG_OP_FAILURE, "Multiple entries found, error!\n"); + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ERANGE, NULL); + tevent_req_done(req); + return; + } + + /* Exactly one entry was found */ + obj_dom = sdap_get_object_domain(state->sdap_id_ctx->opts, + state->objects[0], + state->sdom->dom); + if (obj_dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not match entry with domain!\n"); + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ERR_NOT_FOUND, NULL); + tevent_req_done(req); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Found object in domain %s\n", obj_dom->name); + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, EOK, obj_dom->name); + tevent_req_done(req); +} + +errno_t ad_get_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct ad_get_account_domain_state *state = NULL; + + state = tevent_req_data(req, struct ad_get_account_domain_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} diff --git a/src/providers/ad/ad_id.h b/src/providers/ad/ad_id.h new file mode 100644 index 0000000..5154393 --- /dev/null +++ b/src/providers/ad/ad_id.h 
@@ -0,0 +1,67 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef AD_ID_H_
+#define AD_ID_H_
+
+struct tevent_req *
+ad_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params);
+
+errno_t ad_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+struct tevent_req *
+ad_handle_acct_info_send(TALLOC_CTX *mem_ctx,
+ struct dp_id_data *ar,
+ struct sdap_id_ctx *ctx,
+ struct ad_options *ad_options,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx **conn);
+errno_t
+ad_handle_acct_info_recv(struct tevent_req *req,
+ int *_dp_error, const char **_err);
+
+struct tevent_req *
+ad_enumeration_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt);
+
+errno_t
+ad_enumeration_recv(struct tevent_req *req);
+
+struct tevent_req *
+ad_get_account_domain_send(TALLOC_CTX *mem_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct dp_get_acct_domain_data *data,
+ struct dp_req_params *params);
+
+errno_t ad_get_account_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+#endif /* AD_ID_H_ */
diff --git a/src/providers/ad/ad_init.c b/src/providers/ad/ad_init.c
new file mode 100644
index 0000000..637efb7
--- /dev/null
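Review bot: The new header declares prototypes that use `TALLOC_CTX`, `errno_t` and several `struct ... *` parameter types, yet nothing between `#ifndef AD_ID_H_` and the first prototype includes or forward-declares them. It therefore only compiles when the including file pulls in the right headers first, as `ad_init.c` in this same patch does by including `providers/ad/ad_common.h` before `providers/ad/ad_id.h`. A struct type first seen in a parameter list has prototype scope only, so a different include order gives incompatible-pointer warnings rather than a clear error. I would make the header self-contained by adding `#include "util/util.h"` and `#include "providers/ad/ad_common.h"` after the guard, assuming those two headers declare the types used here.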
+++ b/src/providers/ad/ad_init.c 
@@ -0,0 +1,654 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include +#include +#include +#include + +#include + +#include "util/util.h" +#include "providers/ad/ad_common.h" +#include "providers/ad/ad_access.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_access.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_init_shared.h" +#include "providers/ad/ad_id.h" +#include "providers/ad/ad_srv.h" +#include "providers/be_dyndns.h" +#include "providers/ad/ad_subdomains.h" +#include "providers/ad/ad_domain_info.h" + +struct ad_init_ctx { + struct ad_options *options; + struct ad_id_ctx *id_ctx; + struct krb5_ctx *auth_ctx; +}; + +#define AD_COMPAT_ON "1" +static int ad_sasl_getopt(void *context, const char *plugin_name, + const char *option, + const char **result, unsigned *len) +{ + if (!plugin_name || !result) { + return SASL_FAIL; + } + if (strcmp(plugin_name, "GSSAPI") != 0) { + return SASL_FAIL; + } + if (strcmp(option, "ad_compat") != 0) { + return SASL_FAIL; + } + *result = AD_COMPAT_ON; + if (len) { + *len = 2; + } + return SASL_OK; +} + +typedef int (*sss_sasl_gen_cb_fn)(void); + +static int map_sasl2sssd_log_level(int sasl_level) +{ + int sssd_level; + + switch(sasl_level) { + case SASL_LOG_ERR: /* log unusual errors (default) */ + 
sssd_level = SSSDBG_CRIT_FAILURE; + break; + case SASL_LOG_FAIL: /* log all authentication failures */ + sssd_level = SSSDBG_OP_FAILURE; + break; + case SASL_LOG_WARN: /* log non-fatal warnings */ + sssd_level = SSSDBG_MINOR_FAILURE; + break; + case SASL_LOG_NOTE: /* more verbose than LOG_WARN */ + case SASL_LOG_DEBUG: /* more verbose than LOG_NOTE */ + case SASL_LOG_TRACE: /* traces of internal protocols */ + case SASL_LOG_PASS: /* traces of internal protocols, including */ + sssd_level = SSSDBG_TRACE_ALL; + break; + default: + sssd_level = SSSDBG_TRACE_ALL; + break; + } + + return sssd_level; +} + +static int ad_sasl_log(void *context, int level, const char *message) +{ + int sssd_level; + + if (level == SASL_LOG_ERR || level == SASL_LOG_FAIL) { + sss_log(SSS_LOG_ERR, "%s\n", message); + } + + sssd_level = map_sasl2sssd_log_level(level); + DEBUG(sssd_level, "SASL: %s\n", message); + return SASL_OK; +} + +static const sasl_callback_t ad_sasl_callbacks[] = { + { SASL_CB_GETOPT, (sss_sasl_gen_cb_fn)(void *)ad_sasl_getopt, NULL }, + { SASL_CB_LOG, (sss_sasl_gen_cb_fn)(void *)ad_sasl_log, NULL }, + { SASL_CB_LIST_END, NULL, NULL } +}; + +/* This is quite a hack, we *try* to fool openldap libraries by initializing + * sasl first so we can pass in the SASL_CB_GETOPT callback we need to set some + * options. 
Should be removed as soon as openldap exposes a way to do that */ +static void ad_sasl_initialize(void) +{ + /* NOTE: this may fail if soe other library in the system happens to + * initialize and use openldap libraries or directly the cyrus-sasl + * library as this initialization function can be called only once per + * process */ + (void)sasl_client_init(ad_sasl_callbacks); +} + +static errno_t ad_init_options(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ad_options **_ad_options) +{ + struct ad_options *ad_options; + char *ad_servers = NULL; + char *ad_backup_servers = NULL; + char *ad_realm; + errno_t ret; + + ad_sasl_initialize(); + + /* Get AD-specific options */ + ret = ad_get_common_options(mem_ctx, be_ctx->cdb, be_ctx->conf_path, + be_ctx->domain, &ad_options); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse common options " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER); + ad_backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); + ad_realm = dp_opt_get_string(ad_options->basic, AD_KRB5_REALM); + + /* Set up the failover service */ + ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, + ad_realm, AD_SERVICE_NAME, AD_GC_SERVICE_NAME, + dp_opt_get_string(ad_options->basic, AD_DOMAIN), + false, /* will be set in ad_get_auth_options() */ + &ad_options->service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init AD failover service: " + "[%d]: %s\n", ret, sss_strerror(ret)); + talloc_free(ad_options); + return ret; + } + + *_ad_options = ad_options; + + return EOK; +} + +static errno_t ad_init_srv_plugin(struct be_ctx *be_ctx, + struct ad_options *ad_options) +{ + struct ad_srv_plugin_ctx *srv_ctx; + const char *hostname; + const char *ad_domain; + const char *ad_site_override; + bool sites_enabled; + errno_t ret; + + hostname = dp_opt_get_string(ad_options->basic, AD_HOSTNAME); + ad_domain = 
dp_opt_get_string(ad_options->basic, AD_DOMAIN); + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); + sites_enabled = dp_opt_get_bool(ad_options->basic, AD_ENABLE_DNS_SITES); + + + if (!sites_enabled) { + ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, hostname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + return EOK; + } + + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, ad_options->id, + hostname, ad_domain, + ad_site_override); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; + } + + be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send, + ad_srv_plugin_recv, srv_ctx, "AD"); + + return EOK; +} + +static errno_t ad_init_sdap_access_ctx(struct ad_access_ctx *access_ctx) +{ + struct dp_option *options = access_ctx->ad_options; + struct sdap_id_ctx *sdap_id_ctx = access_ctx->ad_id_ctx->sdap_id_ctx; + struct sdap_access_ctx *sdap_access_ctx; + const char *filter; + + sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx); + if (sdap_access_ctx == NULL) { + return ENOMEM; + } + + sdap_access_ctx->id_ctx = sdap_id_ctx; + + + /* If ad_access_filter is set, the value of ldap_acess_order is + * expire, filter, otherwise only expire. + */ + sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE; + filter = dp_opt_get_cstring(options, AD_ACCESS_FILTER); + if (filter != NULL) { + /* The processing of the extended filter is performed during the access + * check itself. 
+ */ + sdap_access_ctx->filter = talloc_strdup(sdap_access_ctx, filter); + if (sdap_access_ctx->filter == NULL) { + talloc_free(sdap_access_ctx); + return ENOMEM; + } + + sdap_access_ctx->access_rule[1] = LDAP_ACCESS_FILTER; + sdap_access_ctx->access_rule[2] = LDAP_ACCESS_EMPTY; + } else { + sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY; + } + + access_ctx->sdap_access_ctx = sdap_access_ctx; + + return EOK; +} + +errno_t ad_gpo_parse_map_options(struct ad_access_ctx *access_ctx); + +static errno_t ad_init_gpo(struct ad_access_ctx *access_ctx) +{ + struct dp_option *options; + const char *gpo_access_control_mode; + int gpo_cache_timeout; + errno_t ret; + + options = access_ctx->ad_options; + + /* GPO access control mode */ + gpo_access_control_mode = dp_opt_get_string(options, AD_GPO_ACCESS_CONTROL); + if (gpo_access_control_mode == NULL) { + return EINVAL; + } else if (strcasecmp(gpo_access_control_mode, "disabled") == 0) { + access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_DISABLED; + } else if (strcasecmp(gpo_access_control_mode, "permissive") == 0) { + access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_PERMISSIVE; + } else if (strcasecmp(gpo_access_control_mode, "enforcing") == 0) { + access_ctx->gpo_access_control_mode = GPO_ACCESS_CONTROL_ENFORCING; + } else { + DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized GPO access control mode: " + "%s\n", gpo_access_control_mode); + return EINVAL; + } + + /* GPO cache timeout */ + gpo_cache_timeout = dp_opt_get_int(options, AD_GPO_CACHE_TIMEOUT); + access_ctx->gpo_cache_timeout = gpo_cache_timeout; + + /* GPO logon maps */ + ret = sss_hash_create(access_ctx, 10, &access_ctx->gpo_map_options_table); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not create gpo_map_options " + "hash table [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + ret = ad_gpo_parse_map_options(access_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse gpo_map_options " + "(invalid config) 
[%d]: %s\n", ret, sss_strerror(ret)); + talloc_zfree(access_ctx->gpo_map_options_table); + return ret; + } + + return EOK; +} + +static errno_t ad_init_auth_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ad_options *ad_options, + struct krb5_ctx **_auth_ctx) +{ + struct krb5_ctx *krb5_auth_ctx; + errno_t ret; + + krb5_auth_ctx = talloc_zero(mem_ctx, struct krb5_ctx); + if (krb5_auth_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + krb5_auth_ctx->config_type = K5C_GENERIC; + krb5_auth_ctx->sss_creds_password = true; + krb5_auth_ctx->service = ad_options->service->krb5_service; + + ret = ad_get_auth_options(krb5_auth_ctx, ad_options, be_ctx, + &krb5_auth_ctx->opts); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not determine Kerberos options\n"); + goto done; + } + + ret = krb5_child_init(krb5_auth_ctx, be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child settings: " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ad_options->auth_ctx = krb5_auth_ctx; + *_auth_ctx = krb5_auth_ctx; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(krb5_auth_ctx); + } + + return ret; +} + +static errno_t ad_init_misc(struct be_ctx *be_ctx, + struct ad_options *ad_options, + struct ad_id_ctx *ad_id_ctx, + struct sdap_id_ctx *sdap_id_ctx) +{ + errno_t ret; + + ret = ad_dyndns_init(be_ctx, ad_options); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failure setting up automatic DNS update\n"); + /* Continue without DNS updates */ + } + + ret = setup_tls_config(sdap_id_ctx->opts->basic); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = sdap_idmap_init(sdap_id_ctx, sdap_id_ctx, + &sdap_id_ctx->opts->idmap_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not initialize ID mapping. 
In case ID mapping properties " + "changed on the server, please remove the SSSD database\n"); + return ret; + } + + ret = sdap_id_setup_tasks(be_ctx, sdap_id_ctx, sdap_id_ctx->opts->sdom, + ad_enumeration_send, ad_enumeration_recv, + ad_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + sdap_id_ctx->opts->sdom->pvt = ad_id_ctx; + + ret = sdap_setup_child(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_setup_child() failed [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = ad_init_srv_plugin(be_ctx, ad_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup SRV plugin [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = sdap_refresh_init(be_ctx->refresh_ctx, sdap_id_ctx); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh " + "will not work [%d]: %s\n", ret, sss_strerror(ret)); + } + + ret = ad_machine_account_password_renewal_init(be_ctx, ad_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot setup task for machine account " + "password renewal.\n"); + return ret; + } + + return EOK; +} + +errno_t sssm_ad_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + const char *module_name, + void **_module_data) +{ + struct ad_init_ctx *init_ctx; + errno_t ret; + + init_ctx = talloc_zero(mem_ctx, struct ad_init_ctx); + if (init_ctx == NULL) { + return ENOMEM; + } + + /* Always initialize options since it is needed everywhere. */ + ret = ad_init_options(mem_ctx, be_ctx, &init_ctx->options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD options [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + /* Always initialize id_ctx since it is needed everywhere. 
*/ + init_ctx->id_ctx = ad_id_ctx_init(init_ctx->options, be_ctx); + if (init_ctx->id_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize AD ID context\n"); + ret = ENOMEM; + goto done; + } + + init_ctx->options->id_ctx = init_ctx->id_ctx; + + ret = ad_get_id_options(init_ctx->options, + be_ctx->cdb, + be_ctx->conf_path, + be_ctx->provider, + &init_ctx->id_ctx->sdap_id_ctx->opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD id options\n"); + return ret; + } + + /* Setup miscellaneous things. */ + ret = ad_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx, + init_ctx->id_ctx->sdap_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init AD module " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Initialize auth_ctx only if one of the target is enabled. */ + if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) { + ret = ad_init_auth_ctx(init_ctx, be_ctx, init_ctx->options, + &init_ctx->auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + } + + *_module_data = init_ctx; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(init_ctx); + } + + return ret; +} + +errno_t sssm_ad_id_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ad_init_ctx *init_ctx; + struct ad_id_ctx *id_ctx; + + init_ctx = talloc_get_type(module_data, struct ad_init_ctx); + id_ctx = init_ctx->id_ctx; + + dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER, + ad_account_info_handler_send, ad_account_info_handler_recv, id_ctx, + struct ad_id_ctx, struct dp_id_data, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_CHECK_ONLINE, + sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx->sdap_id_ctx, + struct sdap_id_ctx, void, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER, + 
ad_get_account_domain_send, ad_get_account_domain_recv, id_ctx, + struct ad_id_ctx, struct dp_get_acct_domain_data, struct dp_reply_std); + + return EOK; +} + +errno_t sssm_ad_auth_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ad_init_ctx *init_ctx; + struct krb5_ctx *auth_ctx; + + init_ctx = talloc_get_type(module_data, struct ad_init_ctx); + auth_ctx = init_ctx->auth_ctx; + + dp_set_method(dp_methods, DPM_AUTH_HANDLER, + krb5_pam_handler_send, krb5_pam_handler_recv, auth_ctx, + struct krb5_ctx, struct pam_data, struct pam_data *); + + return EOK; +} + +errno_t sssm_ad_chpass_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + return sssm_ad_auth_init(mem_ctx, be_ctx, module_data, dp_methods); +} + +errno_t sssm_ad_access_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ad_init_ctx *init_ctx; + struct ad_access_ctx *access_ctx; + errno_t ret; + + init_ctx = talloc_get_type(module_data, struct ad_init_ctx); + + access_ctx = talloc_zero(mem_ctx, struct ad_access_ctx); + if (access_ctx == NULL) { + return ENOMEM; + } + + access_ctx->ad_id_ctx = init_ctx->id_ctx; + + ret = dp_copy_options(access_ctx, init_ctx->options->basic, AD_OPTS_BASIC, + &access_ctx->ad_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize access provider " + "options [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = ad_init_sdap_access_ctx(access_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize sdap access context " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = ad_init_gpo(access_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize GPO " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + dp_set_method(dp_methods, DPM_ACCESS_HANDLER, + ad_pam_access_handler_send, 
ad_pam_access_handler_recv, access_ctx, + struct ad_access_ctx, struct pam_data, struct pam_data *); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(access_ctx); + } + + return ret; +} + +errno_t sssm_ad_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_AUTOFS + struct ad_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD autofs handler\n"); + init_ctx = talloc_get_type(module_data, struct ad_init_ctx); + + return ad_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is " + "built without autofs support, ignoring\n"); + return EOK; +#endif +} + +errno_t sssm_ad_subdomains_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ad_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD subdomains handler\n"); + init_ctx = talloc_get_type(module_data, struct ad_init_ctx); + + return ad_subdomains_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +} + +errno_t sssm_ad_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_SUDO + struct ad_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing AD sudo handler\n"); + init_ctx = talloc_get_type(module_data, struct ad_init_ctx); + + return ad_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is " + "built without sudo support, ignoring\n"); + return EOK; +#endif +} diff --git a/src/providers/ad/ad_machine_pw_renewal.c b/src/providers/ad/ad_machine_pw_renewal.c new file mode 100644 index 0000000..5b6ba26 --- /dev/null +++ b/src/providers/ad/ad_machine_pw_renewal.c 
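Review bot: `sssm_ad_init()` has three failure paths that `return ret;` directly (after `ad_init_options()`, after `ad_get_id_options()` and after `ad_init_auth_ctx()`), so they skip the `done:` label that frees `init_ctx`, while the other failures in the same function use `goto done`. Each of the three should be `goto done;` so a failed provider start releases the context consistently. Note that `ad_init_options()` is passed `mem_ctx`, not `init_ctx`, so freeing `init_ctx` presumably still leaves the options allocated unless they are re-parented. Separately, `ad_sasl_getopt()` reports `*len = 2` for the one-character value `AD_COMPAT_ON` and calls `strcmp(option, ...)` without the NULL check it applies to `plugin_name` and `result`. If the callback length is meant to exclude the terminator, `*len = sizeof(AD_COMPAT_ON) - 1;` says so without a magic number.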
@@ -0,0 +1,403 @@ +/* + SSSD + + Authors: + Sumit Bose + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include "util/util.h" +#include "util/strtonum.h" +#include "providers/be_ptask.h" +#include "providers/ad/ad_common.h" + +#ifndef RENEWAL_PROG_PATH +#define RENEWAL_PROG_PATH "/usr/sbin/adcli" +#endif + +struct renewal_data { + struct be_ctx *be_ctx; + char *prog_path; + const char **extra_args; +}; + +static errno_t get_adcli_extra_args(const char *ad_domain, + const char *ad_hostname, + const char *ad_keytab, + size_t pw_lifetime_in_days, + size_t period, + size_t initial_delay, + struct renewal_data *renewal_data) +{ + const char **args; + size_t c = 0; + + if (ad_domain == NULL || ad_hostname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing AD domain or hostname.\n"); + return EINVAL; + } + + renewal_data->prog_path = talloc_strdup(renewal_data, RENEWAL_PROG_PATH); + if (renewal_data->prog_path == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + return ENOMEM; + } + + args = talloc_array(renewal_data, const char *, 8); + if (args == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + return ENOMEM; + } + + /* extra_args are added in revers order */ + /* first add NULL as a placeholder for the server name which is determined + * at runtime */ + args[c++] = NULL; + args[c++] = talloc_asprintf(args, "--computer-password-lifetime=%zu", + 
pw_lifetime_in_days); + args[c++] = talloc_asprintf(args, "--host-fqdn=%s", ad_hostname); + if (ad_keytab != NULL) { + args[c++] = talloc_asprintf(args, "--host-keytab=%s", ad_keytab); + } + args[c++] = talloc_asprintf(args, "--domain=%s", ad_domain); + if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) { + args[c++] = talloc_strdup(args, "--verbose"); + } + args[c++] = talloc_strdup(args, "update"); + args[c] = NULL; + + do { + if (args[--c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "talloc failed while copying arguments.\n"); + talloc_free(args); + return ENOMEM; + } + } while (c != 1); /* it is expected that the first element is NULL */ + + renewal_data->extra_args = args; + + return EOK; +} + +struct renewal_state { + int child_status; + struct sss_child_ctx_old *child_ctx; + struct tevent_timer *timeout_handler; + struct tevent_context *ev; + + struct child_io_fds *io; +}; + +static void ad_machine_account_password_renewal_done(struct tevent_req *subreq); +static void +ad_machine_account_password_renewal_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt); + +static struct tevent_req * +ad_machine_account_password_renewal_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct renewal_data *renewal_data; + struct renewal_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + pid_t child_pid; + struct timeval tv; + int pipefd_to_child[2] = PIPE_INIT; + int pipefd_from_child[2] = PIPE_INIT; + int ret; + const char **extra_args; + const char *server_name; + + req = tevent_req_create(mem_ctx, &state, struct renewal_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + renewal_data = talloc_get_type(pvt, struct renewal_data); + + state->ev = ev; + state->child_status = EFAULT; + state->io = talloc(state, struct child_io_fds); + if (state->io == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc 
failed.\n"); + ret = ENOMEM; + goto done; + } + state->io->write_to_child_fd = -1; + state->io->read_from_child_fd = -1; + talloc_set_destructor((void *) state->io, child_io_destructor); + + server_name = be_fo_get_active_server_name(be_ctx, AD_SERVICE_NAME); + talloc_zfree(renewal_data->extra_args[0]); + if (server_name != NULL) { + renewal_data->extra_args[0] = talloc_asprintf(renewal_data->extra_args, + "--domain-controller=%s", + server_name); + /* if talloc_asprintf() fails we let adcli try to find a server */ + } + + extra_args = renewal_data->extra_args; + if (extra_args[0] == NULL) { + extra_args = &renewal_data->extra_args[1]; + } + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + child_pid = fork(); + if (child_pid == 0) { /* child */ + exec_child_ex(state, pipefd_to_child, pipefd_from_child, + renewal_data->prog_path, -1, + extra_args, true, + STDIN_FILENO, STDERR_FILENO); + + /* We should never get here */ + DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec renewal child\n"); + } else if (child_pid > 0) { /* parent */ + + state->io->read_from_child_fd = pipefd_from_child[0]; + PIPE_FD_CLOSE(pipefd_from_child[1]); + sss_fd_nonblocking(state->io->read_from_child_fd); + + state->io->write_to_child_fd = pipefd_to_child[1]; + PIPE_FD_CLOSE(pipefd_to_child[0]); + sss_fd_nonblocking(state->io->write_to_child_fd); + + /* Set up SIGCHLD handler */ + ret = child_handler_setup(ev, child_pid, NULL, NULL, &state->child_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n", + ret, sss_strerror(ret)); + ret = ERR_RENEWAL_CHILD; + goto done; + } + + /* Set up timeout handler */ + tv = tevent_timeval_current_ofs(be_ptask_get_timeout(be_ptask), 0); + 
state->timeout_handler = tevent_add_timer(ev, req, tv, + ad_machine_account_password_renewal_timeout, + req); + if(state->timeout_handler == NULL) { + ret = ERR_RENEWAL_CHILD; + goto done; + } + + subreq = read_pipe_send(state, ev, state->io->read_from_child_fd); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "read_pipe_send failed.\n"); + ret = ERR_RENEWAL_CHILD; + goto done; + } + tevent_req_set_callback(subreq, + ad_machine_account_password_renewal_done, req); + + /* Now either wait for the timeout to fire or the child + * to finish + */ + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "fork failed [%d][%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + PIPE_CLOSE(pipefd_from_child); + PIPE_CLOSE(pipefd_to_child); + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void ad_machine_account_password_renewal_done(struct tevent_req *subreq) +{ + uint8_t *buf; + ssize_t buf_len; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct renewal_state *state = tevent_req_data(req, struct renewal_state); + int ret; + + talloc_zfree(state->timeout_handler); + + ret = read_pipe_recv(subreq, state, &buf, &buf_len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_LIBS, "--- adcli output start---\n" + "%.*s" + "---adcli output end---\n", + (int) buf_len, buf); + + tevent_req_done(req); + return; +} + +static void +ad_machine_account_password_renewal_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct renewal_state *state = tevent_req_data(req, struct renewal_state); + + DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for AD renewal child.\n"); + child_handler_destroy(state->child_ctx); + state->child_ctx = NULL; + state->child_status = ETIMEDOUT; + 
tevent_req_error(req, ERR_RENEWAL_CHILD); +} + +static errno_t +ad_machine_account_password_renewal_recv(struct tevent_req *req) +{ + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +errno_t ad_machine_account_password_renewal_init(struct be_ctx *be_ctx, + struct ad_options *ad_opts) +{ + int ret; + struct renewal_data *renewal_data; + int lifetime; + size_t period; + size_t initial_delay; + const char *dummy; + char **opt_list; + int opt_list_size; + char *endptr; + + ret = access(RENEWAL_PROG_PATH, X_OK); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CONF_SETTINGS, + "The helper program ["RENEWAL_PROG_PATH"] for renewal " + "doesn't exist [%d]: %s\n", ret, strerror(ret)); + return EOK; + } + + lifetime = dp_opt_get_int(ad_opts->basic, + AD_MAXIMUM_MACHINE_ACCOUNT_PASSWORD_AGE); + + if (lifetime == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "Automatic machine account renewal disabled.\n"); + return EOK; + } + + if (lifetime < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Illegal value [%d] for password lifetime.\n", lifetime); + return EINVAL; + } + + renewal_data = talloc(be_ctx, struct renewal_data); + if (renewal_data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); + return ENOMEM; + } + + dummy = dp_opt_get_cstring(ad_opts->basic, + AD_MACHINE_ACCOUNT_PASSWORD_RENEWAL_OPTS); + ret = split_on_separator(renewal_data, dummy, ':', true, false, + &opt_list, &opt_list_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "split_on_separator failed.\n"); + goto done; + } + + if (opt_list_size != 2) { + DEBUG(SSSDBG_CRIT_FAILURE, "Wrong number of renewal options.\n"); + ret = EINVAL; + goto done; + } + + errno = 0; + period = strtouint32(opt_list[0], &endptr, 10); + if (errno != 0 || *endptr != '\0' || opt_list[0] == endptr) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse first renewal option.\n"); + ret = EINVAL; + goto done; + } + + errno = 0; + initial_delay = strtouint32(opt_list[1], &endptr, 10); + if (errno != 0 || *endptr != '\0' || opt_list[0] == endptr) { 
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse second renewal option.\n"); + ret = EINVAL; + goto done; + } + + ret = get_adcli_extra_args(dp_opt_get_cstring(ad_opts->basic, AD_DOMAIN), + dp_opt_get_cstring(ad_opts->basic, AD_HOSTNAME), + dp_opt_get_cstring(ad_opts->id_ctx->sdap_id_ctx->opts->basic, + SDAP_KRB5_KEYTAB), + lifetime, period, initial_delay, renewal_data); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_adcli_extra_args failed.\n"); + goto done; + } + + ret = be_ptask_create(be_ctx, be_ctx, period, initial_delay, 0, 0, 60, + BE_PTASK_OFFLINE_DISABLE, 0, + ad_machine_account_password_renewal_send, + ad_machine_account_password_renewal_recv, + renewal_data, + "AD machine account password renewal", NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "be_ptask_create failed.\n"); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(renewal_data); + } + + return ret; +} diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c new file mode 100644 index 0000000..afcfa37 --- /dev/null +++ b/src/providers/ad/ad_opts.c 
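Review bot: In `ad_machine_account_password_renewal_init()` the validation of the second renewal option compares `opt_list[0] == endptr` after parsing `opt_list[1]`, so the empty-string check copied from the first option can never match. An empty second field would then be accepted as an initial delay of 0, if the `split_on_separator()` call keeps empty tokens as its arguments suggest; that should be confirmed. The condition should read `if (errno != 0 || *endptr != '\0' || opt_list[1] == endptr) {`. Also, in `ad_machine_account_password_renewal_send()` the child branch falls through to `ret = EOK` and returns `req` if `exec_child_ex()` ever returns, so the forked child would continue running the parent's code path. Either add a comment stating that `exec_child_ex()` never returns, or add `_exit(1);` after the "Could not exec renewal child" message.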
@@ -0,0 +1,285 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "src/providers/data_provider.h"
+#include "db/sysdb_services.h"
+#include "db/sysdb_autofs.h"
+#include "providers/ldap/ldap_common.h"
+#include "config.h"
+
+struct dp_option ad_basic_opts[] = {
+ { "ad_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_enabled_domains", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ad_enable_dns_sites", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ad_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
+ { "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_network", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_batch", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_service", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_permit", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_map_deny", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_gpo_default_right", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ad_site", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING },
+ { "ad_maximum_machine_account_password_age", DP_OPT_NUMBER, { .number = 30 }, NULL_NUMBER },
+ { "ad_machine_account_password_renewal_opts", DP_OPT_STRING, { "86400:750" }, NULL_STRING },
+ DP_OPTION_TERMINATOR
+};
+
+struct dp_option ad_def_ldap_opts[] = {
+ { "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_default_authtok_type", DP_OPT_STRING, { "password" }, NULL_STRING},
+ { "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB },
+ { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+ { "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+ { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+ { "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING },
+ { "ldap_user_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_user_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },
+ { "ldap_user_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_user_extra_attrs", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_group_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_group_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING },
+ { "ldap_group_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_service_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_full_refresh_interval", DP_OPT_NUMBER, { .number = 21600 }, NULL_NUMBER }, /* 360 mins */
+ { "ldap_sudo_smart_refresh_interval", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, /* 15 mins */
+ { "ldap_sudo_use_host_filter", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sudo_hostnames", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_ip", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sudo_include_netgroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sudo_include_regexp", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_autofs_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_autofs_map_master_name", DP_OPT_STRING, { "auto.master" }, NULL_STRING },
+ { "ldap_schema", DP_OPT_STRING, { "ad" }, NULL_STRING },
+ { "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ { "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER },
+ { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
+ { "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_id_mapping", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_sasl_mech", DP_OPT_STRING, { "gssapi" }, NULL_STRING },
+ { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER },
+ { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ /* use the same parm name as the krb5 module so we set it only once */
+ { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING },
+ { "ldap_referrals", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER },
+ { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING },
+ { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER },
+ { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER },
+ { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_account_expire_policy", DP_OPT_STRING, { "ad" }, NULL_STRING },
+ { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING },
+ { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER },
+ /* Do not include ldap_auth_disable_tls_never_use_in_production in the
+ * manpages or SSSDConfig API
+ */
+ { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER },
+ { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER },
+ { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
+ { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER },
+ { "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER },
+ { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER },
+ { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE},
+ { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+ { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER},
+ { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER},
+ DP_OPTION_TERMINATOR
+};
+
+struct dp_option ad_def_krb5_opts[] = {
+ { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING },
+ { "krb5_ccname_template", DP_OPT_STRING, NULL_STRING, NULL_STRING},
+ { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER },
+ { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING },
+ { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "krb5_map_user", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ DP_OPTION_TERMINATOR
+};
+
+struct sdap_attr_map ad_2008r2_attr_map[] = {
+ { "ldap_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
+ { "ldap_rootdse_last_usn", SDAP_AD_LAST_USN, SYSDB_HIGH_USN, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct sdap_attr_map ad_2008r2_user_map[] = {
+ { "ldap_user_object_class", "user", SYSDB_USER_CLASS, NULL },
+ { "ldap_user_name", "sAMAccountName", SYSDB_NAME, NULL },
+ { "ldap_user_pwd", "unixUserPassword", SYSDB_PWD, NULL },
+ { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL },
+ { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+ { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL },
+ { "ldap_user_home_directory", "unixHomeDirectory", SYSDB_HOMEDIR, NULL },
+ { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL },
+ { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL },
+ { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL },
+ { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL },
+ { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL },
+ { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL },
+ { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL },
+ { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
+ { "ldap_user_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
+ { "ldap_user_shadow_last_change", NULL, SYSDB_SHADOWPW_LASTCHANGE, NULL },
+ { "ldap_user_shadow_min", NULL, SYSDB_SHADOWPW_MIN, NULL },
+ { "ldap_user_shadow_max", NULL, SYSDB_SHADOWPW_MAX, NULL },
+ { "ldap_user_shadow_warning", NULL, SYSDB_SHADOWPW_WARNING, NULL },
+ { "ldap_user_shadow_inactive", NULL, SYSDB_SHADOWPW_INACTIVE, NULL },
+ { "ldap_user_shadow_expire", NULL, SYSDB_SHADOWPW_EXPIRE, NULL },
+ { "ldap_user_shadow_flag", NULL, SYSDB_SHADOWPW_FLAG, NULL },
+ { "ldap_user_krb_last_pwd_change", NULL, SYSDB_KRBPW_LASTCHANGE, NULL },
+ { "ldap_user_krb_password_expiration", NULL, SYSDB_KRBPW_EXPIRATION, NULL },
+ { "ldap_pwd_attribute", NULL, SYSDB_PWD_ATTRIBUTE, NULL },
+ { "ldap_user_authorized_service", NULL, SYSDB_AUTHORIZED_SERVICE, NULL },
+ { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL},
+ { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL},
+ { "ldap_ns_account_lock", NULL, SYSDB_NS_ACCOUNT_LOCK, NULL},
+ { "ldap_user_authorized_host", NULL, SYSDB_AUTHORIZED_HOST, NULL },
+ { "ldap_user_authorized_rhost", NULL, SYSDB_AUTHORIZED_RHOST, NULL },
+ { "ldap_user_nds_login_disabled", NULL, SYSDB_NDS_LOGIN_DISABLED, NULL },
+ { "ldap_user_nds_login_expiration_time", NULL, SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL },
+ { "ldap_user_nds_login_allowed_time_map", NULL, SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL },
+ { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL },
+ { "ldap_user_auth_type", NULL, SYSDB_AUTH_TYPE, NULL },
+ { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL },
+ { "ldap_user_email", "mail", SYSDB_USER_EMAIL, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct sdap_attr_map ad_2008r2_group_map[] = {
+ { "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL },
+ { "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL },
+ { "ldap_group_name", "sAMAccountName", SYSDB_NAME, NULL },
+ { "ldap_group_pwd", NULL, SYSDB_PWD, NULL },
+ { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL },
+ { "ldap_group_member", "member", SYSDB_MEMBER, NULL },
+ { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL },
+ { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL },
+ { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL },
+ { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL },
+ { "ldap_group_type", "groupType", SYSDB_GROUP_TYPE, NULL },
+ { "ldap_group_external_member", NULL, SYSDB_EXTERNAL_MEMBER, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct sdap_attr_map ad_netgroup_map[] = {
+ { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL },
+ { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL },
+ { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL },
+ { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL },
+ { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct sdap_attr_map ad_service_map[] = {
+ { "ldap_service_object_class", "ipService", SYSDB_SVC_CLASS, NULL },
+ { "ldap_service_name", "cn", SYSDB_NAME, NULL },
+ { "ldap_service_port", "ipServicePort", SYSDB_SVC_PORT, NULL },
+ { "ldap_service_proto", "ipServiceProtocol", SYSDB_SVC_PROTO, NULL },
+ { "ldap_service_entry_usn", NULL, SYSDB_USN, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct sdap_attr_map ad_autofs_mobject_map[] = {
+ { "ldap_autofs_map_object_class", "nisMap", SYSDB_AUTOFS_MAP_OC, NULL },
+ { "ldap_autofs_map_name", "nisMapName", SYSDB_AUTOFS_MAP_NAME, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct sdap_attr_map ad_autofs_entry_map[] = {
+ { "ldap_autofs_entry_object_class", "nisObject", SYSDB_AUTOFS_ENTRY_OC, NULL },
+ { "ldap_autofs_entry_key", "cn", SYSDB_AUTOFS_ENTRY_KEY, NULL },
+ { "ldap_autofs_entry_value", "nisMapEntry", SYSDB_AUTOFS_ENTRY_VALUE, NULL },
+ SDAP_ATTR_MAP_TERMINATOR
+};
+
+struct dp_option ad_dyndns_opts[] = {
+ { "dyndns_update", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE },
+ { "dyndns_refresh_interval", DP_OPT_NUMBER, { .number = 86400 }, NULL_NUMBER },
+ { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ { "dyndns_ttl", DP_OPT_NUMBER, { .number = 3600 }, NULL_NUMBER },
+ { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
+ { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
+ { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING },
+ { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING },
+ DP_OPTION_TERMINATOR
+};
diff --git a/src/providers/ad/ad_opts.h b/src/providers/ad/ad_opts.h
new file mode 100644
index 0000000..a15a362
--- /dev/null
+++ b/src/providers/ad/ad_opts.h
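Review bot: The `ad_machine_account_password_renewal_opts` row in `ad_basic_opts` ships the packed default `"86400:750"` with no comment on what the two fields mean, and nothing in this file says what the third and fourth columns of a row are. The parser visible earlier in this patch (`ad_machine_account_password_renewal_init`) splits the value on `:`, requires exactly two unsigned integers and hands them to `be_ptask_create()` as period and initial delay, so a comment above the row such as `/* <period>:<initial_delay> for the renewal task, presumably in seconds */` would document the accepted format where operators look for it. That matters because a malformed value makes the init function return EINVAL, and, as far as the visible code shows, its second-field check compares `opt_list[0]` rather than `opt_list[1]` with `endptr`, so an empty second field would appear to be accepted as 0. Separately, `dyndns_update` in `ad_dyndns_opts` is the only boolean row in this file whose last two columns differ (`BOOL_TRUE, BOOL_FALSE`); if that is intentional it deserves a one-line comment, otherwise it reads like a typo.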
@@ -0,0 +1,51 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef AD_OPTS_H_
+#define AD_OPTS_H_
+
+#include "src/providers/data_provider.h"
+#include "providers/ldap/ldap_common.h"
+
+extern struct dp_option ad_basic_opts[];
+
+extern struct dp_option ad_def_ldap_opts[];
+
+extern struct dp_option ad_def_krb5_opts[];
+
+extern struct sdap_attr_map ad_2008r2_attr_map[];
+
+extern struct sdap_attr_map ad_2008r2_user_map[];
+
+extern struct sdap_attr_map ad_2008r2_group_map[];
+
+extern struct sdap_attr_map ad_netgroup_map[];
+
+extern struct sdap_attr_map ad_service_map[];
+
+extern struct sdap_attr_map ad_autofs_mobject_map[];
+
+extern struct sdap_attr_map ad_autofs_entry_map[];
+
+extern struct dp_option ad_dyndns_opts[];
+
+#endif /* AD_OPTS_H_ */
diff --git a/src/providers/ad/ad_pac.c b/src/providers/ad/ad_pac.c
new file mode 100644
index 0000000..80424b4
--- /dev/null
+++ b/src/providers/ad/ad_pac.c
@@ -0,0 +1,744 @@ +/* + SSSD + + Authors: + Sumit Bose + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/ad/ad_pac.h" +#include "providers/ad/ad_common.h" +#include "providers/ad/ad_id.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ldap/sdap_async_ad.h" + +static errno_t find_user_entry(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, + struct dp_id_data *ar, + struct ldb_message **_msg) +{ + const char *user_attrs[] = { SYSDB_NAME, SYSDB_OBJECTCATEGORY, + SYSDB_PAC_BLOB, SYSDB_PAC_BLOB_EXPIRE, + NULL }; + struct ldb_message *msg; + struct ldb_result *res; + int ret; + TALLOC_CTX *tmp_ctx = NULL; + + if (dom == NULL || ar == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing arguments.\n"); + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + if (ar->extra_value && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) { + ret = sysdb_search_user_by_upn(tmp_ctx, dom, false, ar->filter_value, + user_attrs, &msg); + } else { + switch (ar->filter_type) { + case BE_FILTER_SECID: + ret = sysdb_search_user_by_sid_str(tmp_ctx, dom, ar->filter_value, + user_attrs, &msg); + break; + case BE_FILTER_UUID: + ret = sysdb_search_object_by_uuid(tmp_ctx, dom, ar->filter_value, + user_attrs, &res); + + if (ret == EOK) { + if (res->count == 1) { + msg = 
res->msgs[0]; + } else { + talloc_free(res); + DEBUG(SSSDBG_CRIT_FAILURE, + "Search by UUID returned multiple results.\n"); + ret = EINVAL; + goto done; + } + } + break; + case BE_FILTER_NAME: + ret = sysdb_search_user_by_name(tmp_ctx, dom, ar->filter_value, + user_attrs, &msg); + break; + default: + DEBUG(SSSDBG_OP_FAILURE, "Unsupported filter type [%d].\n", + ar->filter_type); + ret = EINVAL; + goto done; + } + } + + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_ALL, "No user found with filter [%s].\n", + ar->filter_value); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Looking up user in cache with filter [%s] failed.\n", + ar->filter_value); + } + goto done; + } + + *_msg = talloc_steal(mem_ctx, msg); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t check_if_pac_is_available(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + struct dp_id_data *ar, + struct ldb_message **_msg) +{ + struct ldb_message *msg; + struct ldb_message_element *el; + uint64_t pac_expires; + time_t now; + int ret; + + ret = find_user_entry(mem_ctx, dom, ar, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "find_user_entry failed.\n"); + return ret; + } + + el = ldb_msg_find_element(msg, SYSDB_PAC_BLOB); + if (el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No PAC available.\n"); + talloc_free(msg); + return ENOENT; + } + + pac_expires = ldb_msg_find_attr_as_uint64(msg, SYSDB_PAC_BLOB_EXPIRE, 0); + now = time(NULL); + if (pac_expires < now) { + DEBUG(SSSDBG_TRACE_FUNC, "PAC available but too old.\n"); + talloc_free(msg); + return ENOENT; + } + + if (_msg != NULL) { + *_msg = msg; + } + + return EOK; +} + +static errno_t +add_sids_from_rid_array_to_hash_table(struct dom_sid *dom_sid, + struct samr_RidWithAttributeArray *groups, + struct sss_idmap_ctx *idmap_ctx, + hash_table_t *sid_table) +{ + enum idmap_error_code err; + char *dom_sid_str = NULL; + size_t dom_sid_str_len; + char *sid_str = NULL; + char *rid_start; + hash_key_t key; + hash_value_t value; 
+ int ret; + size_t c; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + key.type = HASH_KEY_STRING; + value.type = HASH_VALUE_ULONG; + + err = sss_idmap_smb_sid_to_sid(idmap_ctx, dom_sid, &dom_sid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n"); + ret = EFAULT; + goto done; + } + + dom_sid_str_len = strlen(dom_sid_str); + sid_str = talloc_zero_size(tmp_ctx, dom_sid_str_len + 12); + if (sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n"); + ret = ENOMEM; + goto done; + } + rid_start = sid_str + dom_sid_str_len; + + memcpy(sid_str, dom_sid_str, dom_sid_str_len); + + for (c = 0; c < groups->count; c++) { + memset(rid_start, '\0', 12); + ret = snprintf(rid_start, 12, "-%lu", + (unsigned long) groups->rids[c].rid); + if (ret < 0 || ret > 12) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); + ret = EIO; + goto done; + } + + key.str = sid_str; + value.ul = 0; + + ret = hash_enter(sid_table, &key, &value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", + ret, hash_error_string(ret)); + ret = EIO; + goto done; + } + + } + + ret = EOK; + +done: + sss_idmap_free_sid(idmap_ctx, dom_sid_str); + talloc_free(tmp_ctx); + + return ret; +} + +struct resource_groups { + struct dom_sid2 *domain_sid; + struct samr_RidWithAttributeArray groups; +}; + +errno_t ad_get_sids_from_pac(TALLOC_CTX *mem_ctx, + struct sss_idmap_ctx *idmap_ctx, + struct PAC_LOGON_INFO *logon_info, + char **_user_sid_str, + char **_primary_group_sid_str, + size_t *_num_sids, + char *** _sid_list) +{ + int ret; + size_t s; + struct netr_SamInfo3 *info3; + struct resource_groups resource_groups = { 0 }; + char *sid_str = NULL; + char *msid_str = NULL; + char *user_dom_sid_str = NULL; + size_t user_dom_sid_str_len; + enum idmap_error_code err; + hash_table_t *sid_table = NULL; + 
hash_key_t key; + hash_value_t value; + char *rid_start; + char *user_sid_str = NULL; + char *primary_group_sid_str = NULL; + size_t c; + size_t num_sids; + char **sid_list = NULL; + struct hash_iter_context_t *iter = NULL; + hash_entry_t *entry; + TALLOC_CTX *tmp_ctx; + + if (idmap_ctx == NULL || logon_info == NULL + || _num_sids == NULL || _sid_list == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing parameter.\n"); + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + info3 = &logon_info->info3; +#ifdef HAVE_STRUCT_PAC_LOGON_INFO_RESOURCE_GROUPS + resource_groups.domain_sid = logon_info->resource_groups.domain_sid; + resource_groups.groups.count = logon_info->resource_groups.groups.count; + resource_groups.groups.rids = logon_info->resource_groups.groups.rids; +#endif + + ret = sss_hash_create(tmp_ctx, + info3->sidcount + info3->base.groups.count + 2 + + resource_groups.groups.count, + &sid_table); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); + goto done; + } + + key.type = HASH_KEY_STRING; + value.type = HASH_VALUE_ULONG; + + err = sss_idmap_smb_sid_to_sid(idmap_ctx, info3->base.domain_sid, + &user_dom_sid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n"); + ret = EFAULT; + goto done; + } + + user_dom_sid_str_len = strlen(user_dom_sid_str); + sid_str = talloc_zero_size(tmp_ctx, user_dom_sid_str_len + 12); + if (sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n"); + ret = ENOMEM; + goto done; + } + rid_start = sid_str + user_dom_sid_str_len; + + memcpy(sid_str, user_dom_sid_str, user_dom_sid_str_len); + + memset(rid_start, '\0', 12); + ret = snprintf(rid_start, 12, "-%lu", + (unsigned long) info3->base.rid); + if (ret < 0 || ret > 12) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); + ret = EIO; + goto done; + } + + user_sid_str = talloc_strdup(tmp_ctx, 
sid_str); + if (user_sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + key.str = sid_str; + value.ul = 0; + + memset(rid_start, '\0', 12); + ret = snprintf(rid_start, 12, "-%lu", + (unsigned long) info3->base.primary_gid); + if (ret < 0 || ret > 12) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); + ret = EIO; + goto done; + } + + primary_group_sid_str = talloc_strdup(tmp_ctx, sid_str); + if (primary_group_sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + key.str = sid_str; + value.ul = 0; + + ret = hash_enter(sid_table, &key, &value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", + ret, hash_error_string(ret)); + ret = EIO; + goto done; + } + + ret = add_sids_from_rid_array_to_hash_table(info3->base.domain_sid, + &info3->base.groups, + idmap_ctx, sid_table); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "add_sids_from_rid_array_to_hash_table failed.\n"); + goto done; + } + + for(s = 0; s < info3->sidcount; s++) { + err = sss_idmap_smb_sid_to_sid(idmap_ctx, info3->sids[s].sid, + &msid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n"); + ret = EFAULT; + goto done; + } + + key.str = msid_str; + value.ul = 0; + + ret = hash_enter(sid_table, &key, &value); + sss_idmap_free_sid(idmap_ctx, msid_str); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", + ret, hash_error_string(ret)); + ret = EIO; + goto done; + } + } + + if (resource_groups.domain_sid != NULL) { + ret = add_sids_from_rid_array_to_hash_table(resource_groups.domain_sid, + &resource_groups.groups, + idmap_ctx, sid_table); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "add_sids_from_rid_array_to_hash_table failed.\n"); + goto done; + } + } + + num_sids = hash_count(sid_table); + sid_list = talloc_array(tmp_ctx, char *, num_sids); + if (sid_list == 
NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + iter = new_hash_iter_context(sid_table); + if (iter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n"); + ret = EINVAL; + goto done; + } + + c = 0; + while ((entry = iter->next(iter)) != NULL) { + sid_list[c] = talloc_strdup(sid_list, entry->key.str); + if (sid_list[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + } + + ret = EOK; + +done: + sss_idmap_free_sid(idmap_ctx, user_dom_sid_str); + hash_destroy(sid_table); + + if (ret == EOK) { + *_sid_list = talloc_steal(mem_ctx, sid_list); + *_user_sid_str = talloc_steal(mem_ctx, user_sid_str); + *_num_sids = num_sids; + *_primary_group_sid_str = talloc_steal(mem_ctx, primary_group_sid_str); + } + + talloc_free(tmp_ctx); + + return ret; +} + +errno_t ad_get_pac_data_from_user_entry(TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + struct sss_idmap_ctx *idmap_ctx, + char **_username, + char **user_sid, + char **primary_group_sid, + size_t *num_sids, + char ***group_sids) +{ + int ret; + struct ldb_message_element *el; + struct PAC_LOGON_INFO *logon_info = NULL; + const char *dummy; + TALLOC_CTX *tmp_ctx = NULL; + char *username; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + el = ldb_msg_find_element(msg, SYSDB_PAC_BLOB); + if (el == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing PAC blob.\n"); + ret = EINVAL; + goto done; + } + + if (el->num_values != 1) { + DEBUG(SSSDBG_OP_FAILURE, "Expected only one PAC blob."); + ret = EINVAL; + goto done; + } + + ret = ad_get_data_from_pac(tmp_ctx, el->values[0].data, + el->values[0].length, + &logon_info); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_data_from_pac failed.\n"); + goto done; + } + + dummy = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + if (dummy == NULL) { + DEBUG(SSSDBG_OP_FAILURE, 
"Missing user name in cache entry.\n"); + ret = EINVAL; + goto done; + } + + username = talloc_strdup(tmp_ctx, dummy); + if (username == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = ad_get_sids_from_pac(mem_ctx, idmap_ctx, logon_info, + user_sid, primary_group_sid, + num_sids, group_sids); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_sids_from_pac failed.\n"); + goto done; + } + + *_username = talloc_steal(mem_ctx, username); + + ret = EOK; +done: + talloc_free(tmp_ctx); + + return ret; +} + +struct ad_handle_pac_initgr_state { + struct dp_id_data *ar; + const char *err; + int dp_error; + int sdap_ret; + struct sdap_options *opts; + + size_t num_missing_sids; + char **missing_sids; + size_t num_cached_groups; + char **cached_groups; + char *username; + struct sss_domain_info *user_dom; +}; + +static void ad_handle_pac_initgr_lookup_sids_done(struct tevent_req *subreq); + +struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct dp_id_data *ar, + struct sdap_id_ctx *id_ctx, + struct sdap_domain *sdom, + struct sdap_id_conn_ctx *conn, + bool noexist_delete, + struct ldb_message *msg) +{ + int ret; + struct ad_handle_pac_initgr_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + char *user_sid; + char *primary_group_sid; + size_t num_sids; + char **group_sids; + bool use_id_mapping; + + req = tevent_req_create(mem_ctx, &state, + struct ad_handle_pac_initgr_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + state->user_dom = sdom->dom; + state->opts = id_ctx->opts; + + /* The following variables are currently unused because no sub-request + * returns any of them. But they are needed to allow the same signature as + * sdap_handle_acct_req_recv() from the alternative group-membership + * lookup path. 
*/ + state->err = NULL; + state->dp_error = DP_ERR_OK; + state->sdap_ret = EOK; + + ret = ad_get_pac_data_from_user_entry(state, msg, + id_ctx->opts->idmap_ctx->map, + &state->username, + &user_sid, &primary_group_sid, + &num_sids, &group_sids); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_get_pac_data_from_user_entry failed.\n"); + goto done; + } + + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping( + id_ctx->opts->idmap_ctx, + sdom->dom->name, + sdom->dom->domain_id); + if (use_id_mapping + && sdom->dom->ignore_group_members == false) { + /* In contrast to the tokenGroups based group-membership lookup the + * PAC based approach can be used for sub-domains with id-mapping as + * well because the PAC will only contain groups which are valid in + * the target domain, i.e. it will not contain domain-local groups for + * domains other than the user domain. This means the groups must not + * be looked up immediately to determine if they are domain-local or + * not. + * + * Additionally, as a temporary workaround until + * https://fedorahosted.org/sssd/ticket/2522 is fixed, we also fetch + * the group object if group members are ignored to avoid having to + * transfer and retain members when the fake tokengroups object + * without name is replaced by the full group object. 
+ */ + + DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with id-mapping.\n"); + + ret = sdap_ad_save_group_membership_with_idmapping(state->username, + state->opts, + sdom->dom, + id_ctx->opts->idmap_ctx, + num_sids, group_sids); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_ad_save_group_membership_with_idmapping failed.\n"); + } + + /* this path only includes cache operation, so we can finish the + * request immediately */ + goto done; + } else { + + DEBUG(SSSDBG_TRACE_ALL, "Running PAC processing with external IDs.\n"); + + ret = sdap_ad_tokengroups_get_posix_members(state, sdom->dom, + num_sids, group_sids, + &state->num_missing_sids, + &state->missing_sids, + &state->num_cached_groups, + &state->cached_groups); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_ad_tokengroups_get_posix_members failed.\n"); + goto done; + } + + /* download missing SIDs */ + subreq = sdap_ad_resolve_sids_send(state, be_ctx->ev, id_ctx, + conn, + id_ctx->opts, sdom->dom, + state->missing_sids); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_ad_resolve_sids_send failed.\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ad_handle_pac_initgr_lookup_sids_done, + req); + + } + + return req; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, be_ctx->ev); + + return req; +} + +static void ad_handle_pac_initgr_lookup_sids_done(struct tevent_req *subreq) +{ + struct ad_handle_pac_initgr_state *state; + struct tevent_req *req = NULL; + errno_t ret; + char **cached_groups; + size_t num_cached_groups; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_handle_pac_initgr_state); + + ret = sdap_ad_resolve_sids_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to resolve missing SIDs " + "[%d]: %s\n", ret, strerror(ret)); + goto done; + } + + ret = 
sdap_ad_tokengroups_get_posix_members(state, state->user_dom, + state->num_missing_sids, + state->missing_sids, + NULL, NULL, + &num_cached_groups, + &cached_groups); + if (ret != EOK){ + DEBUG(SSSDBG_MINOR_FAILURE, + "sdap_ad_tokengroups_get_posix_members failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + state->cached_groups = concatenate_string_array(state, + state->cached_groups, + state->num_cached_groups, + cached_groups, + num_cached_groups); + if (state->cached_groups == NULL) { + ret = ENOMEM; + goto done; + } + + /* update membership of existing groups */ + ret = sdap_ad_tokengroups_update_members(state->username, + state->user_dom->sysdb, + state->user_dom, + state->cached_groups); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t ad_handle_pac_initgr_recv(struct tevent_req *req, + int *_dp_error, const char **_err, + int *sdap_ret) +{ + struct ad_handle_pac_initgr_state *state; + + state = tevent_req_data(req, struct ad_handle_pac_initgr_state); + + if (_dp_error) { + *_dp_error = state->dp_error; + } + + if (_err) { + *_err = state->err; + } + + if (sdap_ret) { + *sdap_ret = state->sdap_ret; + } + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ad/ad_pac.h b/src/providers/ad/ad_pac.h new file mode 100644 index 0000000..34f1e92 --- /dev/null +++ b/src/providers/ad/ad_pac.h 
@@ -0,0 +1,82 @@
+/*
+ SSSD
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef AD_PAC_H_
+#define AD_PAC_H_
+
+#include
+#include
+/* ldb_val is defined as datablob in the Samba header files data_blob.h which
+ * is included via ndr.h -> samba_util.h -> data_blob.h.
+ * To allow proper type checking we have to make sure to keep the original
+ * definition from ldb.h */
+#ifdef ldb_val
+#error Please make sure to include ad_pac.h before ldb.h
+#endif
+#include
+#include
+#include
+#undef ldb_val
+
+#include "util/util.h"
+#include "providers/ldap/ldap_common.h"
+
+errno_t check_if_pac_is_available(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ struct dp_id_data *ar,
+ struct ldb_message **_msg);
+
+errno_t ad_get_data_from_pac(TALLOC_CTX *mem_ctx,
+ uint8_t *pac_blob, size_t pac_len,
+ struct PAC_LOGON_INFO **_logon_info);
+
+errno_t ad_get_sids_from_pac(TALLOC_CTX *mem_ctx,
+ struct sss_idmap_ctx *idmap_ctx,
+ struct PAC_LOGON_INFO *logon_info,
+ char **_user_sid_str,
+ char **_primary_group_sid_str,
+ size_t *_num_sids,
+ char *** _sid_list);
+
+errno_t ad_get_pac_data_from_user_entry(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct sss_idmap_ctx *idmap_ctx,
+ char **username,
+ char **user_sid,
+ char **primary_group_sid,
+ size_t *num_sids,
+ char ***group_sids);
+
+struct tevent_req *ad_handle_pac_initgr_send(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct dp_id_data *ar,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ bool noexist_delete,
+ struct ldb_message *msg);
+
+errno_t ad_handle_pac_initgr_recv(struct tevent_req *req,
+ int *_dp_error, const char **_err,
+ int *sdap_ret);
+
+#endif /* AD_PAC_H_ */
diff --git a/src/providers/ad/ad_pac_common.c b/src/providers/ad/ad_pac_common.c
new file mode 100644
index 0000000..64c7ba4
--- /dev/null
+++ b/src/providers/ad/ad_pac_common.c
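Review bot: The prototype of `ad_get_data_from_pac()` carries no comment on what the caller must guarantee about `pac_blob`, and that matters because the implementation added in ad_pac_common.c only NDR-decodes the buffer and does no signature or checksum verification itself. If callers are expected to pass only a blob that was validated elsewhere, the header is the place to say so, e.g. `/* Decodes the PAC only; signatures are not verified here. On EOK *_logon_info is moved to mem_ctx. */`. The declaration of `ad_handle_pac_initgr_send()` could likewise note that `ar` and `noexist_delete` are not read by the implementation in this commit, presumably kept for signature parity with the alternative lookup path — worth confirming.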
@@ -0,0 +1,86 @@
+/*
+ SSSD
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+
+#include "providers/ad/ad_pac.h"
+#include "util/util.h"
+
+errno_t ad_get_data_from_pac(TALLOC_CTX *mem_ctx,
+ uint8_t *pac_blob, size_t pac_len,
+ struct PAC_LOGON_INFO **_logon_info)
+{
+ DATA_BLOB blob;
+ struct ndr_pull *ndr_pull;
+ struct PAC_DATA *pac_data;
+ enum ndr_err_code ndr_err;
+ size_t c;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ blob.data = pac_blob;
+ blob.length = pac_len;
+
+ ndr_pull = ndr_pull_init_blob(&blob, tmp_ctx);
+ if (ndr_pull == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_init_blob failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ ndr_pull->flags |= LIBNDR_FLAG_REF_ALLOC; /* FIXME: is this really needed ? */
+
+ pac_data = talloc_zero(tmp_ctx, struct PAC_DATA);
+ if (pac_data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ndr_err = ndr_pull_PAC_DATA(ndr_pull, NDR_SCALARS|NDR_BUFFERS, pac_data);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_PAC_DATA failed [%d]\n", ndr_err);
+ ret = EBADMSG;
+ goto done;
+ }
+
+ for(c = 0; c < pac_data->num_buffers; c++) {
+ if (pac_data->buffers[c].type == PAC_TYPE_LOGON_INFO) {
+ *_logon_info = talloc_steal(mem_ctx,
+ pac_data->buffers[c].info->logon_info.info);
+
+ ret = EOK;
+ goto done;
+ }
+ }
+
+ ret = EINVAL;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
diff --git a/src/providers/ad/ad_srv.c b/src/providers/ad/ad_srv.c
new file mode 100644
index 0000000..5fd25f6
--- /dev/null
+++ b/src/providers/ad/ad_srv.c
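Review bot: In the `PAC_TYPE_LOGON_INFO` branch of the loop, `pac_data->buffers[c].info->logon_info.info` is dereferenced without checking that decoding actually populated `info`; if the generated pull code can leave that pointer NULL for an empty or malformed buffer (not visible here, worth confirming), this is a NULL dereference on data that originates outside the process. Even when `info` is set, a NULL inner `logon_info.info` makes the function return EOK with `*_logon_info == NULL`, and `ad_get_pac_data_from_user_entry()` in ad_pac.c hands that straight to `ad_get_sids_from_pac()` without a check. I would reject both cases before the steal: `if (pac_data->buffers[c].info == NULL || pac_data->buffers[c].info->logon_info.info == NULL) { ret = EINVAL; goto done; }`.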
@@ -0,0 +1,928 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_ldap.h" +#include "resolv/async_resolv.h" +#include "providers/backend.h" +#include "providers/ad/ad_srv.h" +#include "providers/ad/ad_common.h" +#include "providers/fail_over.h" +#include "providers/fail_over_srv.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_async.h" +#include "db/sysdb.h" + +#define AD_SITE_DOMAIN_FMT "%s._sites.%s" + +char *ad_site_dns_discovery_domain(TALLOC_CTX *mem_ctx, + const char *site, + const char *domain) +{ + return talloc_asprintf(mem_ctx, AD_SITE_DOMAIN_FMT, site, domain); +} + +static errno_t ad_sort_servers_by_dns(TALLOC_CTX *mem_ctx, + const char *domain, + struct fo_server_info **_srv, + size_t num) +{ + struct fo_server_info *out = NULL; + struct fo_server_info *srv = NULL; + struct fo_server_info in_domain[num]; + struct fo_server_info out_domain[num]; + size_t srv_index = 0; + size_t in_index = 0; + size_t out_index = 0; + size_t i, j; + + if (_srv == NULL) { + return EINVAL; + } + + srv = *_srv; + + if (num <= 1) { + return EOK; + } + + out = talloc_zero_array(mem_ctx, struct fo_server_info, num); + if (out == NULL) { + return ENOMEM; + } + + /* When several servers share priority, we will prefer the one that + * is located in the 
same domain as client (e.g. child domain instead + * of forest root) but obey their weight. We will use the fact that + * the servers are already sorted by priority. */ + + for (i = 0; i < num; i++) { + if (is_host_in_domain(srv[i].host, domain)) { + /* this is a preferred server, push it to the in domain list */ + in_domain[in_index] = srv[i]; + in_index++; + } else { + /* this is a normal server, push it to the out domain list */ + out_domain[out_index] = srv[i]; + out_index++; + } + + if (i + 1 == num || srv[i].priority != srv[i + 1].priority) { + /* priority has changed or we have reached the end of the srv list, + * we will merge the list into final list and start over with + * next priority */ + for (j = 0; j < in_index; j++) { + out[srv_index] = in_domain[j]; + talloc_steal(out, out[srv_index].host); + srv_index++; + } + + for (j = 0; j < out_index; j++) { + out[srv_index] = out_domain[j]; + talloc_steal(out, out[srv_index].host); + srv_index++; + } + + in_index = 0; + out_index = 0; + } + } + + talloc_free(*_srv); + *_srv = out; + return EOK; +} + +struct ad_get_dc_servers_state { + struct fo_server_info *servers; + size_t num_servers; +}; + +static void ad_get_dc_servers_done(struct tevent_req *subreq); + +static struct tevent_req *ad_get_dc_servers_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resolv_ctx *resolv_ctx, + const char *discovery_domain, + const char *site) +{ + struct ad_get_dc_servers_state *state = NULL; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + const char **domains = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ad_get_dc_servers_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + domains = talloc_zero_array(state, const char *, 3); + if (domains == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (site == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Looking up domain controllers in domain " + "%s\n", 
discovery_domain); + + domains[0] = talloc_strdup(domains, discovery_domain); + if (domains[0] == NULL) { + ret = ENOMEM; + goto immediately; + } + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Looking up domain controllers in domain " + "%s and site %s\n", discovery_domain, site); + + domains[0] = ad_site_dns_discovery_domain(domains, + site, discovery_domain); + if (domains[0] == NULL) { + ret = ENOMEM; + goto immediately; + } + + domains[1] = talloc_strdup(domains, discovery_domain); + if (domains[1] == NULL) { + ret = ENOMEM; + goto immediately; + } + } + + subreq = fo_discover_srv_send(state, ev, resolv_ctx, + "ldap", FO_PROTO_TCP, domains); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ad_get_dc_servers_done, req); + + return req; + +immediately: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + + return req; +} + +static void ad_get_dc_servers_done(struct tevent_req *subreq) +{ + struct ad_get_dc_servers_state *state = NULL; + struct tevent_req *req = NULL; + char *domain = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_dc_servers_state); + + ret = fo_discover_srv_recv(state, subreq, &domain, NULL, + &state->servers, &state->num_servers); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Found %zu domain controllers in domain %s\n", + state->num_servers, domain); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static int ad_get_dc_servers_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct fo_server_info **_dcs, + size_t *_num_dcs) +{ + struct ad_get_dc_servers_state *state = NULL; + state = tevent_req_data(req, struct ad_get_dc_servers_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_dcs = talloc_steal(mem_ctx, state->servers); + *_num_dcs = state->num_servers; + + return EOK; +} + +struct ad_get_client_site_state { 
+ struct tevent_context *ev; + struct be_resolv_ctx *be_res; + enum host_database *host_db; + struct sdap_options *opts; + const char *ad_domain; + struct fo_server_info *dcs; + size_t num_dcs; + size_t dc_index; + struct fo_server_info dc; + + struct sdap_handle *sh; + char *site; + char *forest; +}; + +static errno_t ad_get_client_site_next_dc(struct tevent_req *req); +static void ad_get_client_site_connect_done(struct tevent_req *subreq); +static void ad_get_client_site_done(struct tevent_req *subreq); + +struct tevent_req *ad_get_client_site_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_resolv_ctx *be_res, + enum host_database *host_db, + struct sdap_options *opts, + const char *ad_domain, + struct fo_server_info *dcs, + size_t num_dcs) +{ + struct ad_get_client_site_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ad_get_client_site_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (be_res == NULL || host_db == NULL || opts == NULL) { + ret = EINVAL; + goto immediately; + } + + state->ev = ev; + state->be_res = be_res; + state->host_db = host_db; + state->opts = opts; + state->ad_domain = ad_domain; + state->dcs = dcs; + state->num_dcs = num_dcs; + + state->dc_index = 0; + ret = ad_get_client_site_next_dc(req); + if (ret == EOK) { + ret = ENOENT; + goto immediately; + } else if (ret != EAGAIN) { + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t ad_get_client_site_next_dc(struct tevent_req *req) +{ + struct ad_get_client_site_state *state = NULL; + struct tevent_req *subreq = NULL; + errno_t ret; + + state = tevent_req_data(req, struct ad_get_client_site_state); + + if (state->dc_index >= state->num_dcs) { + ret = EOK; + goto done; + } + + 
state->dc = state->dcs[state->dc_index]; + + subreq = sdap_connect_host_send(state, state->ev, state->opts, + state->be_res->resolv, + state->be_res->family_order, + state->host_db, "ldap", state->dc.host, + state->dc.port, false); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ad_get_client_site_connect_done, req); + + state->dc_index++; + ret = EAGAIN; + +done: + return ret; +} + +static void ad_get_client_site_connect_done(struct tevent_req *subreq) +{ + struct ad_get_client_site_state *state = NULL; + struct tevent_req *req = NULL; + static const char *attrs[] = {AD_AT_NETLOGON, NULL}; + char *filter = NULL; + char *ntver = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_client_site_state); + + ret = sdap_connect_host_recv(state, subreq, &state->sh); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to connect to domain controller " + "[%s:%d]\n", state->dc.host, state->dc.port); + + ret = ad_get_client_site_next_dc(req); + if (ret == EOK) { + ret = ENOENT; + } + + goto done; + } + + ntver = sss_ldap_encode_ndr_uint32(state, NETLOGON_NT_VERSION_5EX | + NETLOGON_NT_VERSION_WITH_CLOSEST_SITE); + if (ntver == NULL) { + ret = ENOMEM; + goto done; + } + + filter = talloc_asprintf(state, "(&(%s=%s)(%s=%s))", + AD_AT_DNS_DOMAIN, state->ad_domain, + AD_AT_NT_VERSION, ntver); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + "", LDAP_SCOPE_BASE, filter, + attrs, NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ad_get_client_site_done, req); + + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static void 
ad_get_client_site_done(struct tevent_req *subreq) +{ + struct ad_get_client_site_state *state = NULL; + struct tevent_req *req = NULL; + struct sysdb_attrs **reply = NULL; + size_t reply_count; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_client_site_state); + + ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + + /* we're done with this LDAP, close connection */ + talloc_zfree(state->sh); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to get netlogon information\n"); + + ret = ad_get_client_site_next_dc(req); + if (ret == EOK) { + ret = ENOENT; + } + goto done; + } + + if (reply_count == 0) { + DEBUG(SSSDBG_OP_FAILURE, "No netlogon information retrieved\n"); + ret = ENOENT; + goto done; + } + + ret = netlogon_get_domain_info(state, reply[0], true, NULL, &state->site, + &state->forest); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve site name [%d]: %s\n", + ret, strerror(ret)); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Found site: %s\n", state->site); + DEBUG(SSSDBG_TRACE_FUNC, "Found forest: %s\n", state->forest); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int ad_get_client_site_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + const char **_site, + const char **_forest) +{ + struct ad_get_client_site_state *state = NULL; + state = tevent_req_data(req, struct ad_get_client_site_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_site = talloc_steal(mem_ctx, state->site); + *_forest = talloc_steal(mem_ctx, state->forest); + + return EOK; +} + +struct ad_srv_plugin_ctx { + struct be_ctx *be_ctx; + struct be_resolv_ctx *be_res; + enum host_database *host_dbs; + struct sdap_options *opts; + const char *hostname; + const char *ad_domain; + const char *ad_site_override; + const char *current_site; +}; + +struct ad_srv_plugin_ctx * 
+ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct be_resolv_ctx *be_res, + enum host_database *host_dbs, + struct sdap_options *opts, + const char *hostname, + const char *ad_domain, + const char *ad_site_override) +{ + struct ad_srv_plugin_ctx *ctx = NULL; + errno_t ret; + + ctx = talloc_zero(mem_ctx, struct ad_srv_plugin_ctx); + if (ctx == NULL) { + return NULL; + } + + ctx->be_ctx = be_ctx; + ctx->be_res = be_res; + ctx->host_dbs = host_dbs; + ctx->opts = opts; + + ctx->hostname = talloc_strdup(ctx, hostname); + if (ctx->hostname == NULL) { + goto fail; + } + + ctx->ad_domain = talloc_strdup(ctx, ad_domain); + if (ctx->ad_domain == NULL) { + goto fail; + } + + if (ad_site_override != NULL) { + ctx->ad_site_override = talloc_strdup(ctx, ad_site_override); + if (ctx->ad_site_override == NULL) { + goto fail; + } + + ctx->current_site = talloc_strdup(ctx, ad_site_override); + if (ctx->current_site == NULL) { + goto fail; + } + } else { + ret = sysdb_get_site(ctx, be_ctx->domain, &ctx->current_site); + if (ret != EOK) { + /* Not fatal. */ + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to get current site from cache [%d]: %s\n", + ret, sss_strerror(ret)); + ctx->current_site = NULL; + } + } + + return ctx; + +fail: + talloc_free(ctx); + return NULL; +} + +static errno_t +ad_srv_plugin_ctx_switch_site(struct ad_srv_plugin_ctx *ctx, + const char *new_site) +{ + const char *site; + errno_t ret; + + if (new_site == NULL) { + return EOK; + } + + if (ctx->current_site != NULL && strcmp(ctx->current_site, new_site) == 0) { + return EOK; + } + + site = talloc_strdup(ctx, new_site); + if (site == NULL) { + return ENOMEM; + } + + talloc_zfree(ctx->current_site); + ctx->current_site = site; + + ret = sysdb_set_site(ctx->be_ctx->domain, ctx->current_site); + if (ret != EOK) { + /* Not fatal. 
*/ + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to store site information " + "[%d]: %s\n", ret, sss_strerror(ret)); + } + + return EOK; +} + +struct ad_srv_plugin_state { + struct tevent_context *ev; + struct ad_srv_plugin_ctx *ctx; + const char *service; + const char *protocol; + const char *discovery_domain; + + const char *site; + char *dns_domain; + uint32_t ttl; + const char *forest; + struct fo_server_info *primary_servers; + size_t num_primary_servers; + struct fo_server_info *backup_servers; + size_t num_backup_servers; +}; + +static void ad_srv_plugin_dcs_done(struct tevent_req *subreq); +static void ad_srv_plugin_site_done(struct tevent_req *subreq); +static void ad_srv_plugin_servers_done(struct tevent_req *subreq); + +/* 1. Do a DNS lookup to find any DC in domain + * _ldap._tcp.domain.name + * 2. Send a CLDAP ping to the found DC to get the desirable site + * 3. Do a DNS lookup to find SRV in the site (a) + * _service._protocol.site-name._sites.domain.name + * 4. Do a DNS lookup to find global SRV records (b) + * _service._protocol.domain.name + * 5. 
If the site is found, use (a) as primary and (b) as backup servers, + * otherwise use (b) as primary servers + */ +struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *service, + const char *protocol, + const char *discovery_domain, + void *pvt) +{ + struct ad_srv_plugin_state *state = NULL; + struct ad_srv_plugin_ctx *ctx = NULL; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ad_srv_plugin_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + ctx = talloc_get_type(pvt, struct ad_srv_plugin_ctx); + if (ctx == NULL) { + ret = EINVAL; + goto immediately; + } + + state->ev = ev; + state->ctx = ctx; + + state->service = talloc_strdup(state, service); + if (state->service == NULL) { + ret = ENOMEM; + goto immediately; + } + + state->protocol = talloc_strdup(state, protocol); + if (state->protocol == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (discovery_domain != NULL) { + state->discovery_domain = talloc_strdup(state, discovery_domain); + } else { + state->discovery_domain = talloc_strdup(state, ctx->ad_domain); + } + if (state->discovery_domain == NULL) { + ret = ENOMEM; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_FUNC, "About to find domain controllers\n"); + + subreq = ad_get_dc_servers_send(state, ev, ctx->be_res->resolv, + state->discovery_domain, + state->ctx->current_site); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ad_srv_plugin_dcs_done, req); + + return req; + +immediately: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + + return req; +} + +static void ad_srv_plugin_dcs_done(struct tevent_req *subreq) +{ + struct ad_srv_plugin_state *state = NULL; + struct tevent_req *req = NULL; + struct fo_server_info *dcs = NULL; + size_t num_dcs = 0; + errno_t ret; + + req = 
tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_srv_plugin_state); + + ret = ad_get_dc_servers_recv(state, subreq, &dcs, &num_dcs); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "About to locate suitable site\n"); + + subreq = ad_get_client_site_send(state, state->ev, + state->ctx->be_res, + state->ctx->host_dbs, + state->ctx->opts, + state->discovery_domain, + dcs, num_dcs); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ad_srv_plugin_site_done, req); + + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static void ad_srv_plugin_site_done(struct tevent_req *subreq) +{ + struct ad_srv_plugin_state *state = NULL; + struct tevent_req *req = NULL; + const char *primary_domain = NULL; + const char *backup_domain = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_srv_plugin_state); + + ret = ad_get_client_site_recv(state, subreq, &state->site, &state->forest); + talloc_zfree(subreq); + /* Ignore AD site found by dns discovery if specific site is set in + * configuration file. 
*/ + if (state->ctx->ad_site_override != NULL) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Ignoring AD site found by DNS discovery: '%s', " + "using configured value: '%s' instead.\n", + state->site, state->ctx->ad_site_override); + state->site = state->ctx->ad_site_override; + + if (state->forest == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Missing forest information, using %s\n", + state->discovery_domain); + state->forest = state->discovery_domain; + } + + ret = EOK; + } + + primary_domain = state->discovery_domain; + backup_domain = NULL; + + if (ret == EOK) { + /* Remember current site so it can be used during next lookup so + * we can contact directory controllers within a known reachable + * site first. */ + ret = ad_srv_plugin_ctx_switch_site(state->ctx, state->site); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set site [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (strcmp(state->service, "gc") == 0) { + if (state->forest != NULL) { + if (state->site != NULL) { + primary_domain = ad_site_dns_discovery_domain( + state, + state->site, + state->forest); + if (primary_domain == NULL) { + ret = ENOMEM; + goto done; + } + + backup_domain = state->forest; + } else { + primary_domain = state->forest; + backup_domain = NULL; + } + } + } else { + if (state->site != NULL) { + primary_domain = ad_site_dns_discovery_domain( + state, + state->site, + state->discovery_domain); + if (primary_domain == NULL) { + ret = ENOMEM; + goto done; + } + + backup_domain = state->discovery_domain; + } + } + } else if (ret != ENOENT && ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "About to discover primary and " + "backup servers\n"); + + subreq = fo_discover_servers_send(state, state->ev, + state->ctx->be_res->resolv, + state->service, state->protocol, + primary_domain, backup_domain); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ad_srv_plugin_servers_done, req); + + ret = EAGAIN; + +done: + if (ret == 
EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static void ad_srv_plugin_servers_done(struct tevent_req *subreq) +{ + struct ad_srv_plugin_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_srv_plugin_state); + + ret = fo_discover_servers_recv(state, subreq, &state->dns_domain, + &state->ttl, + &state->primary_servers, + &state->num_primary_servers, + &state->backup_servers, + &state->num_backup_servers); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Got %zu primary and %zu backup servers\n", + state->num_primary_servers, state->num_backup_servers); + + ret = ad_sort_servers_by_dns(state, state->discovery_domain, + &state->primary_servers, + state->num_primary_servers); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to sort primary servers by DNS" + "[%d]: %s\n", ret, sss_strerror(ret)); + /* continue */ + } + + ret = ad_sort_servers_by_dns(state, state->discovery_domain, + &state->backup_servers, + state->num_backup_servers); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to sort backup servers by DNS" + "[%d]: %s\n", ret, sss_strerror(ret)); + /* continue */ + } + + tevent_req_done(req); +} + +errno_t ad_srv_plugin_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain, + uint32_t *_ttl, + struct fo_server_info **_primary_servers, + size_t *_num_primary_servers, + struct fo_server_info **_backup_servers, + size_t *_num_backup_servers) +{ + struct ad_srv_plugin_state *state = NULL; + state = tevent_req_data(req, struct ad_srv_plugin_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_primary_servers) { + *_primary_servers = talloc_steal(mem_ctx, state->primary_servers); + } + + if (_num_primary_servers) { + *_num_primary_servers = state->num_primary_servers; + } + + 
if (_backup_servers) { + *_backup_servers = talloc_steal(mem_ctx, state->backup_servers); + } + + if (_num_backup_servers) { + *_num_backup_servers = state->num_backup_servers; + } + + if (_dns_domain) { + *_dns_domain = talloc_steal(mem_ctx, state->dns_domain); + } + + if (_ttl) { + *_ttl = state->ttl; + } + + return EOK; +} diff --git a/src/providers/ad/ad_srv.h b/src/providers/ad/ad_srv.h new file mode 100644 index 0000000..e553d59 --- /dev/null +++ b/src/providers/ad/ad_srv.h 
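Review bot: `ad_sort_servers_by_dns()` declares `in_domain[num]` and `out_domain[num]` as variable-length arrays at the top of the function, before the `num <= 1` early return, so a call with `num == 0` (which `ad_srv_plugin_servers_done()` makes whenever no backup servers were found) evaluates a zero-length VLA, which is undefined behaviour, and a large discovery result places two unbounded arrays on the stack. Allocating both scratch lists with `talloc_zero_array()` after the early returns removes both problems; the fence shows the changed lines. Separately, `ad_get_client_site_done()` jumps to `done` with the `EAGAIN` that `ad_get_client_site_next_dc()` returns after starting the next connection, and its `done` label treats every non-EOK value as a failure, so the request is failed while a subrequest is still pending; `ad_get_client_site_connect_done()` already guards this with `else if (ret != EAGAIN)` and the same guard is needed there.

```c
static errno_t ad_sort_servers_by_dns(TALLOC_CTX *mem_ctx,
    /* … unchanged: remaining parameters, out/srv and index declarations … */
    struct fo_server_info *in_domain = NULL;
    struct fo_server_info *out_domain = NULL;

    /* … unchanged: _srv NULL check, num <= 1 early return, allocation of out … */

    /* Scratch lists hang off `out` so a failure path frees everything at once. */
    in_domain = talloc_zero_array(out, struct fo_server_info, num);
    out_domain = talloc_zero_array(out, struct fo_server_info, num);
    if (in_domain == NULL || out_domain == NULL) {
        talloc_free(out);
        return ENOMEM;
    }

    /* … unchanged: partition by domain and merge per priority … */

    talloc_free(in_domain);
    talloc_free(out_domain);
    talloc_free(*_srv);
    *_srv = out;
    return EOK;
```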
@@ -0,0 +1,56 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __AD_SRV_H__ +#define __AD_SRV_H__ + +struct ad_srv_plugin_ctx; + +struct ad_srv_plugin_ctx * +ad_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct be_resolv_ctx *be_res, + enum host_database *host_dbs, + struct sdap_options *opts, + const char *hostname, + const char *ad_domain, + const char *ad_site_override); + +struct tevent_req *ad_srv_plugin_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *service, + const char *protocol, + const char *discovery_domain, + void *pvt); + +errno_t ad_srv_plugin_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain, + uint32_t *_ttl, + struct fo_server_info **_primary_servers, + size_t *_num_primary_servers, + struct fo_server_info **_backup_servers, + size_t *_num_backup_servers); + +char *ad_site_dns_discovery_domain(TALLOC_CTX *mem_ctx, + const char *site, + const char *domain); + +#endif /* __AD_SRV_H__ */ diff --git a/src/providers/ad/ad_subdomains.c b/src/providers/ad/ad_subdomains.c new file mode 100644 index 0000000..549c2c1 --- /dev/null +++ b/src/providers/ad/ad_subdomains.c 
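Review bot: ad_srv.h is not self-contained: its prototypes use `TALLOC_CTX`, `errno_t`, `uint32_t`, `size_t` and `enum host_database`, yet the header includes nothing, so it only compiles when the including file has already pulled in the right headers (ad_subdomains.c in this same patch includes it after providers/ldap/sdap_async.h). `enum host_database *host_dbs` is the sharpest case, because standard C does not allow an enum to be named before its full declaration is visible. Adding `#include <stdint.h>`, `#include <stddef.h>` and `#include <talloc.h>` at the top, together with the project headers that declare `errno_t` and `enum host_database`, would remove the include-order dependency. The guard macro `__AD_SRV_H__` also uses a name reserved for the implementation; `AD_SRV_H` would avoid that.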
@@ -0,0 +1,1979 @@
+/*
+ SSSD
+
+ AD Subdomains Module
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ldap/sdap_async.h"
+#include "providers/ad/ad_subdomains.h"
+#include "providers/ad/ad_domain_info.h"
+#include "providers/ad/ad_srv.h"
+#include "providers/ad/ad_common.h"
+
+#include "providers/ldap/sdap_idmap.h"
+#include "providers/ldap/sdap_ops.h"
+#include "util/util_sss_idmap.h"
+#include
+#include
+#include
+
+/* Attributes of AD trusted domains */
+#define AD_AT_FLATNAME "flatName"
+#define AD_AT_SID "securityIdentifier"
+#define AD_AT_TRUST_TYPE "trustType"
+#define AD_AT_TRUST_PARTNER "trustPartner"
+#define AD_AT_TRUST_ATTRS "trustAttributes"
+
+/* trustType=2 denotes uplevel (NT5 and later) trusted domains. See
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/ms680342%28v=vs.85%29.aspx
+ * for example.
+ *
+ * The absence of msDS-TrustForestTrustInfo attribute denotes a domain from
+ * the same forest. See http://msdn.microsoft.com/en-us/library/cc223786.aspx
+ * for more information.
+ */
+#define SLAVE_DOMAIN_FILTER_BASE "(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*))"
+#define SLAVE_DOMAIN_FILTER "(&"SLAVE_DOMAIN_FILTER_BASE")"
+#define FOREST_ROOT_FILTER_FMT "(&"SLAVE_DOMAIN_FILTER_BASE"(cn=%s))"
+
+/* Attributes of schema objects. See e.g.
+ * https://docs.microsoft.com/en-us/windows/desktop/AD/characteristics-of-attributes + * for more details + */ +#define AD_SCHEMA_AT_OC "attributeSchema" +#define AD_AT_SCHEMA_NAME "cn" +#define AD_AT_SCHEMA_IS_REPL "isMemberOfPartialAttributeSet" + +/* do not refresh more often than every 5 seconds for now */ +#define AD_SUBDOMAIN_REFRESH_LIMIT 5 + +static void +ad_disable_gc(struct ad_options *ad_options) +{ + errno_t ret; + + if (dp_opt_get_bool(ad_options->basic, AD_ENABLE_GC) == false) { + return; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "POSIX attributes were requested " + "but are not present on the server side. Global Catalog " + "lookups will be disabled\n"); + + ret = dp_opt_set_bool(ad_options->basic, + AD_ENABLE_GC, false); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not turn off GC support\n"); + /* Not fatal */ + } +} + +static struct sss_domain_info * +ads_get_root_domain(struct be_ctx *be_ctx, struct sysdb_attrs *attrs) +{ + struct sss_domain_info *dom; + const char *name; + errno_t ret; + + if (attrs == NULL) { + /* Clients joined to the forest root directly don't even discover + * the root domain, so the attrs are expected to be NULL in this + * case + */ + return be_ctx->domain; + } + + ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + return NULL; + } + + /* With a subsequent run, the root should already be known */ + for (dom = be_ctx->domain; dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + + if (strcasecmp(dom->name, name) == 0) { + /* The forest root is special, although it might be disabled for + * general lookups we still want to try to get the domains in the + * forest from a DC of the forest root */ + if (sss_domain_get_state(dom) == DOM_DISABLED + && !sss_domain_is_forest_root(dom)) { + return NULL; + } + return dom; + } + } + + return NULL; +} + +static struct sdap_domain * +ads_get_root_sdap_domain(struct 
be_ctx *be_ctx, + struct sdap_options *opts, + struct sysdb_attrs *attrs) +{ + struct sdap_domain *root_sdom; + struct sss_domain_info *root_dom; + + root_dom = ads_get_root_domain(be_ctx, attrs); + if (root_dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "ads_get_root_domain did not find the domain\n"); + return NULL; + } + + root_sdom = sdap_domain_get(opts, root_dom); + if (root_sdom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to find sdap_domain for the root domain\n"); + return NULL; + } + + return root_sdom; +} + +static errno_t ad_get_enabled_domains(TALLOC_CTX *mem_ctx, + struct ad_id_ctx *ad_id_ctx, + const char *ad_domain, + const char ***_ad_enabled_domains) +{ + int ret; + const char *str; + const char *option_name; + const char **domains = NULL; + int count; + bool is_ad_in_domains; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + str = dp_opt_get_cstring(ad_id_ctx->ad_options->basic, AD_ENABLED_DOMAINS); + if (str == NULL) { + *_ad_enabled_domains = NULL; + ret = EOK; + goto done; + } + + count = 0; + ret = split_on_separator(tmp_ctx, str, ',', true, true, + discard_const_p(char **, &domains), &count); + if (ret != EOK) { + option_name = ad_id_ctx->ad_options->basic[AD_ENABLED_DOMAINS].opt_name; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse option [%s], [%i] [%s]!\n", + option_name, ret, sss_strerror(ret)); + ret = EINVAL; + goto done; + } + + is_ad_in_domains = false; + for (int i = 0; i < count; i++) { + is_ad_in_domains += strcmp(ad_domain, domains[i]) == 0 ? 
true : false; + } + + if (is_ad_in_domains == false) { + domains = talloc_realloc(tmp_ctx, domains, const char*, count + 2); + if (domains == NULL) { + ret = ENOMEM; + goto done; + } + + domains[count] = talloc_strdup(domains, ad_domain); + if (domains[count] == NULL) { + ret = ENOMEM; + goto done; + } + + domains[count + 1] = NULL; + } else { + domains = talloc_realloc(tmp_ctx, domains, const char*, count + 1); + if (domains == NULL) { + ret = ENOMEM; + goto done; + } + + domains[count] = NULL; + } + + *_ad_enabled_domains = talloc_steal(mem_ctx, domains); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static bool is_domain_enabled(const char *domain, + const char **enabled_doms) +{ + if (enabled_doms == NULL) { + return true; + } + + return string_in_list(domain, discard_const_p(char *, enabled_doms), false); +} + +static errno_t +update_parent_sdap_list(struct sdap_domain *parent_list, + struct sdap_domain *child_sdap) +{ + struct sdap_domain *sditer; + + DLIST_FOR_EACH(sditer, parent_list) { + if (sditer->dom == child_sdap->dom) { + break; + } + } + + if (sditer == NULL) { + /* Nothing to do */ + return EOK; + } + + /* Update the search bases */ + sdap_domain_copy_search_bases(sditer, child_sdap); + + return EOK; +} + +static errno_t +ad_subdom_ad_ctx_new(struct be_ctx *be_ctx, + struct ad_id_ctx *id_ctx, + struct sss_domain_info *subdom, + struct ad_id_ctx **_subdom_id_ctx) +{ + struct ad_options *ad_options; + struct ad_id_ctx *ad_id_ctx; + const char *gc_service_name; + const char *service_name; + struct ad_srv_plugin_ctx *srv_ctx; + char *ad_domain; + char *ad_site_override; + struct sdap_domain *sdom; + errno_t ret; + const char *realm; + const char *servers; + const char *backup_servers; + const char *hostname; + const char *keytab; + char *subdom_conf_path; + bool use_kdcinfo = false; + + realm = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KRB5_REALM); + hostname = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_HOSTNAME); + 
keytab = dp_opt_get_cstring(id_ctx->ad_options->basic, AD_KEYTAB); + ad_domain = subdom->name; + if (realm == NULL || hostname == NULL || ad_domain == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm or hostname.\n"); + return EINVAL; + } + + subdom_conf_path = subdomain_create_conf_path(id_ctx, subdom); + if (subdom_conf_path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n"); + return ENOMEM; + } + + ad_options = ad_create_2way_trust_options(id_ctx, + be_ctx->cdb, + subdom_conf_path, + be_ctx->provider, + realm, + subdom, + hostname, keytab); + talloc_free(subdom_conf_path); + if (ad_options == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); + talloc_free(ad_options); + return ENOMEM; + } + + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); + + gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->name); + if (gc_service_name == NULL) { + talloc_free(ad_options); + return ENOMEM; + } + + service_name = talloc_asprintf(ad_options, "sd_%s", subdom->name); + if (service_name == NULL) { + talloc_free(ad_options); + return ENOMEM; + } + + servers = dp_opt_get_string(ad_options->basic, AD_SERVER); + backup_servers = dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); + + if (id_ctx->ad_options->auth_ctx != NULL + && id_ctx->ad_options->auth_ctx->opts != NULL) { + use_kdcinfo = dp_opt_get_bool(id_ctx->ad_options->auth_ctx->opts, + KRB5_USE_KDCINFO); + } + + DEBUG(SSSDBG_TRACE_ALL, + "Init failover for [%s][%s] with use_kdcinfo [%s].\n", + subdom->name, subdom->realm, use_kdcinfo ? 
"true" : "false"); + + ret = ad_failover_init(ad_options, be_ctx, servers, backup_servers, + subdom->realm, service_name, gc_service_name, + subdom->name, use_kdcinfo, &ad_options->service); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n"); + talloc_free(ad_options); + return ret; + } + + ad_id_ctx = ad_id_ctx_init(ad_options, be_ctx); + if (ad_id_ctx == NULL) { + talloc_free(ad_options); + return ENOMEM; + } + ad_id_ctx->sdap_id_ctx->opts = ad_options->id; + ad_options->id_ctx = ad_id_ctx; + + /* use AD plugin */ + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, + hostname, + ad_domain, + ad_site_override); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; + } + be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send, + ad_srv_plugin_recv, srv_ctx, "AD"); + + ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx, + ad_id_ctx->sdap_id_ctx->opts->sdom, + subdom->parent); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize sdap domain\n"); + talloc_free(ad_options); + return ret; + } + + sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom); + if (sdom == NULL) { + return EFAULT; + } + + sdap_inherit_options(subdom->parent->sd_inherit, + id_ctx->sdap_id_ctx->opts, + ad_id_ctx->sdap_id_ctx->opts); + + /* Set up the ID mapping object */ + ad_id_ctx->sdap_id_ctx->opts->idmap_ctx = + id_ctx->sdap_id_ctx->opts->idmap_ctx; + + ret = ad_set_search_bases(ad_options->id, sdom); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to set LDAP search bases for " + "domain '%s'. 
Will try to use automatically detected search " + "bases.", subdom->name); + } + + ret = update_parent_sdap_list(id_ctx->sdap_id_ctx->opts->sdom, + sdom); + if (ret != EOK) { + return ret; + } + + *_subdom_id_ctx = ad_id_ctx; + return EOK; +} + +struct ad_subdomains_ctx { + struct be_ctx *be_ctx; + struct ad_id_ctx *ad_id_ctx; + struct sdap_id_ctx *sdap_id_ctx; + + struct sdap_domain *sdom; + char *domain_name; + const char **ad_enabled_domains; + + time_t last_refreshed; +}; + +static errno_t ad_subdom_enumerates(struct sss_domain_info *parent, + struct sysdb_attrs *attrs, + bool *_enumerates) +{ + errno_t ret; + const char *name; + + ret = sysdb_attrs_get_string(attrs, AD_AT_TRUST_PARTNER, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + return ret; + } + + *_enumerates = subdomain_enumerates(parent, name); + return EOK; +} + +static errno_t +ad_subdom_store(struct sdap_idmap_ctx *idmap_ctx, + struct sss_domain_info *domain, + struct sysdb_attrs *subdom_attrs, + bool enumerate) +{ + TALLOC_CTX *tmp_ctx; + const char *name; + char *realm; + const char *flat; + errno_t ret; + enum idmap_error_code err; + struct ldb_message_element *el; + char *sid_str = NULL; + uint32_t trust_type; + bool mpg; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_uint32_t(subdom_attrs, AD_AT_TRUST_TYPE, + &trust_type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_uint32_t failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_string(subdom_attrs, AD_AT_TRUST_PARTNER, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "failed to get subdomain name\n"); + goto done; + } + + realm = get_uppercase_realm(tmp_ctx, name); + if (!realm) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(subdom_attrs, AD_AT_FLATNAME, &flat); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "failed to get flat name of subdomain %s\n", + name); + goto done; + } + + ret = 
sysdb_attrs_get_el(subdom_attrs, AD_AT_SID, &el); + if (ret != EOK || el->num_values != 1) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_attrs_get_el failed.\n"); + goto done; + } + + err = sss_idmap_bin_sid_to_sid(idmap_ctx->map, el->values[0].data, + el->values[0].length, &sid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not convert SID: [%s].\n", idmap_error_string(err)); + ret = EFAULT; + goto done; + } + + mpg = sdap_idmap_domain_has_algorithmic_mapping(idmap_ctx, name, sid_str); + if (mpg == false) { + /* Domains that use the POSIX attributes set by the admin must + * inherit the MPG setting from the parent domain so that the + * auto_private_groups options works for trusted domains as well + */ + mpg = domain->mpg; + } + + ret = sysdb_subdomain_store(domain->sysdb, name, realm, flat, sid_str, + mpg, enumerate, domain->forest, 0, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_subdomain_store failed.\n"); + goto done; + } + + ret = EOK; +done: + sss_idmap_free_sid(idmap_ctx->map, sid_str); + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t ad_subdomains_refresh(struct be_ctx *be_ctx, + struct sdap_idmap_ctx *idmap_ctx, + struct sdap_options *opts, + struct sysdb_attrs **subdomains, + size_t num_subdomains, + bool root_domain, + time_t *_last_refreshed, + bool *_changes) +{ + struct sdap_domain *sdom; + struct sss_domain_info *domain; + struct sss_domain_info *dom; + bool handled[num_subdomains]; + const char *value; + const char *root_name = NULL; + size_t c, h; + int ret; + bool enumerate; + + domain = be_ctx->domain; + memset(handled, 0, sizeof(bool) * num_subdomains); + h = 0; + + if (root_domain) { + ret = sysdb_attrs_get_string(subdomains[0], AD_AT_TRUST_PARTNER, + &root_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + } + + /* check existing subdomains */ + for (dom = get_next_domain(domain, SSS_GND_DESCEND); + dom && IS_SUBDOMAIN(dom); /* if we get 
back to a parent, stop */ + dom = get_next_domain(dom, 0)) { + + /* If we are handling root domain, skip all the other domains. We don't + * want to accidentally remove non-root domains + */ + if (root_name && strcmp(root_name, dom->name) != 0) { + continue; + } + + for (c = 0; c < num_subdomains; c++) { + if (handled[c]) { + continue; + } + ret = sysdb_attrs_get_string(subdomains[c], AD_AT_TRUST_PARTNER, + &value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + if (strcmp(value, dom->name) == 0) { + break; + } + } + + if (c >= num_subdomains) { + /* ok this subdomain does not exist anymore, let's clean up */ + sss_domain_set_state(dom, DOM_DISABLED); + + /* Just disable the forest root but do not remove sdap data */ + if (sss_domain_is_forest_root(dom)) { + DEBUG(SSSDBG_TRACE_ALL, + "Skipping removal of forest root sdap data.\n"); + continue; + } + + ret = sysdb_subdomain_delete(dom->sysdb, dom->name); + if (ret != EOK) { + goto done; + } + + sdom = sdap_domain_get(opts, dom); + if (sdom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Domain does not exist?\n"); + continue; + } + + /* Remove the subdomain from the list of LDAP domains */ + sdap_domain_remove(opts, dom); + + be_ptask_destroy(&sdom->enum_task); + be_ptask_destroy(&sdom->cleanup_task); + + /* terminate all requests for this subdomain so we can free it */ + dp_terminate_domain_requests(be_ctx->provider, dom->name); + talloc_zfree(sdom); + } else { + /* ok let's try to update it */ + ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate); + if (ret != EOK) { + goto done; + } + + ret = ad_subdom_store(idmap_ctx, domain, subdomains[c], enumerate); + if (ret) { + /* Nothing we can do about the error. 
Let's at least try + * to reuse the existing domains + */ + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to parse subdom data, " + "will try to use cached subdomain\n"); + } + handled[c] = true; + h++; + } + } + + if (num_subdomains == h) { + /* all domains were already accounted for and have been updated */ + ret = EOK; + *_changes = false; + goto done; + } + + /* if we get here it means we have changes to the subdomains list */ + *_changes = true; + + for (c = 0; c < num_subdomains; c++) { + if (handled[c]) { + continue; + } + /* Nothing we can do about the error. Let's at least try + * to reuse the existing domains. + */ + ret = ad_subdom_enumerates(domain, subdomains[c], &enumerate); + if (ret != EOK) { + goto done; + } + + ret = ad_subdom_store(idmap_ctx, domain, subdomains[c], enumerate); + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to parse subdom data, " + "will try to use cached subdomain\n"); + } + } + + ret = EOK; + +done: + if (ret != EOK) { + *_last_refreshed = 0; + } else { + *_last_refreshed = time(NULL); + } + + return ret; +} + +static errno_t ad_subdomains_process(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char **enabled_domains_list, + size_t nsd, struct sysdb_attrs **sd, + struct sysdb_attrs *root, + size_t *_nsd_out, + struct sysdb_attrs ***_sd_out) +{ + size_t i, sdi; + struct sysdb_attrs **sd_out; + const char *sd_name; + const char *root_name; + errno_t ret; + + if (root == NULL && enabled_domains_list == NULL) { + /* We are connected directly to the root domain. 
The 'sd' + * list is complete and we can just use it + */ + *_nsd_out = nsd; + *_sd_out = sd; + return EOK; + } + + /* If we searched for root separately, we must: + * a) treat the root domain as a subdomain + * b) filter the subdomain we are connected to from the subdomain + * list, from our point of view, it's the master domain + */ + sd_out = talloc_zero_array(mem_ctx, struct sysdb_attrs *, nsd+1); + if (sd_out == NULL) { + return ENOMEM; + } + + sdi = 0; + for (i = 0; i < nsd; i++) { + ret = sysdb_attrs_get_string(sd[i], AD_AT_TRUST_PARTNER, &sd_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto fail; + } + + if (is_domain_enabled(sd_name, enabled_domains_list) == false) { + DEBUG(SSSDBG_TRACE_FUNC, "Disabling subdomain %s\n", sd_name); + continue; + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Enabling subdomain %s\n", sd_name); + } + + if (strcasecmp(sd_name, domain->name) == 0) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Not including primary domain %s in the subdomain list\n", + domain->name); + continue; + } + + sd_out[sdi] = talloc_steal(sd_out, sd[i]); + sdi++; + } + + /* Now include the root */ + if (root != NULL) { + ret = sysdb_attrs_get_string(root, AD_AT_TRUST_PARTNER, &root_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto fail; + } + + if (is_domain_enabled(root_name, enabled_domains_list) == true) { + sd_out[sdi] = talloc_steal(sd_out, root); + sdi++; + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Disabling forest root domain %s\n", + root_name); + } + } + + *_nsd_out = sdi; + *_sd_out = sd_out; + return EOK; + +fail: + talloc_free(sd_out); + return ret; +} + +static errno_t +ads_store_sdap_subdom(struct ad_subdomains_ctx *ctx, + struct sss_domain_info *parent) +{ + int ret; + struct sdap_domain *sditer; + struct ad_id_ctx *subdom_id_ctx; + + ret = sdap_domain_subdom_add(ctx->sdap_id_ctx, ctx->sdom, parent); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, 
"sdap_domain_subdom_add failed.\n"); + return ret; + } + + ret = ad_set_search_bases(ctx->ad_id_ctx->ad_options->id, ctx->sdom); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "failed to set ldap search bases for " + "domain '%s'. will try to use automatically detected search " + "bases.", ctx->sdom->dom->name); + } + + DLIST_FOR_EACH(sditer, ctx->sdom) { + if (IS_SUBDOMAIN(sditer->dom) && sditer->pvt == NULL) { + ret = ad_subdom_ad_ctx_new(ctx->be_ctx, ctx->ad_id_ctx, + sditer->dom, &subdom_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_subdom_ad_ctx_new failed.\n"); + } else { + sditer->pvt = subdom_id_ctx; + } + } + } + + return EOK; +} + +static errno_t ad_subdom_reinit(struct ad_subdomains_ctx *subdoms_ctx) +{ + const char *path; + errno_t ret; + bool canonicalize = false; + struct sss_domain_info *dom; + + path = dp_opt_get_string(subdoms_ctx->ad_id_ctx->ad_options->basic, + AD_KRB5_CONFD_PATH); + + if (subdoms_ctx->ad_id_ctx->ad_options->auth_ctx != NULL + && subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts != NULL) { + canonicalize = dp_opt_get_bool( + subdoms_ctx->ad_id_ctx->ad_options->auth_ctx->opts, + KRB5_CANONICALIZE); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " + "most probably because the auth provider " + "is not 'ad'. 
Kerberos configuration " + "snippet to set the 'canonicalize' option " + "will not be created.\n"); + } + + ret = sss_write_krb5_conf_snippet(path, canonicalize, true); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); + /* Just continue */ + } + + ret = sysdb_update_subdomains(subdoms_ctx->be_ctx->domain, + subdoms_ctx->be_ctx->cdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n"); + return ret; + } + + ret = sss_write_domain_mappings(subdoms_ctx->be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "sss_krb5_write_mappings failed.\n"); + /* Just continue */ + } + + ret = ads_store_sdap_subdom(subdoms_ctx, subdoms_ctx->be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ads_store_sdap_subdom failed.\n"); + return ret; + } + + /* Make sure disabled domains are not re-enabled accidentially */ + if (subdoms_ctx->ad_enabled_domains != NULL) { + for (dom = subdoms_ctx->be_ctx->domain->subdomains; dom; + dom = get_next_domain(dom, false)) { + if (!is_domain_enabled(dom->name, + subdoms_ctx->ad_enabled_domains)) { + sss_domain_set_state(dom, DOM_DISABLED); + } + } + } + + return EOK; +} + +struct ad_get_slave_domain_state { + struct tevent_context *ev; + struct ad_subdomains_ctx *sd_ctx; + struct be_ctx *be_ctx; + struct sdap_options *opts; + struct sdap_idmap_ctx *idmap_ctx; + struct sysdb_attrs *root_attrs; + struct sdap_domain *root_sdom; + struct sdap_id_op *sdap_op; +}; + +static errno_t ad_get_slave_domain_retry(struct tevent_req *req); +static void ad_get_slave_domain_connect_done(struct tevent_req *subreq); +static void ad_get_slave_domain_done(struct tevent_req *subreq); + +static struct tevent_req * +ad_get_slave_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ad_subdomains_ctx *sd_ctx, + struct sysdb_attrs *root_attrs, + struct ad_id_ctx *root_id_ctx) +{ + struct ad_get_slave_domain_state *state; + struct tevent_req *req; + errno_t 
ret; + + req = tevent_req_create(mem_ctx, &state, + struct ad_get_slave_domain_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->sd_ctx = sd_ctx; + state->be_ctx = sd_ctx->be_ctx; + state->opts = root_id_ctx->sdap_id_ctx->opts; + state->idmap_ctx = root_id_ctx->sdap_id_ctx->opts->idmap_ctx; + state->root_attrs = root_attrs; + state->root_sdom = ads_get_root_sdap_domain(state->be_ctx, + state->opts, + state->root_attrs); + if (state->root_sdom == NULL) { + ret = ERR_DOMAIN_NOT_FOUND; + goto immediately; + } + + state->sdap_op = sdap_id_op_create(state, root_id_ctx->ldap_ctx->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n"); + ret = ENOMEM; + goto immediately; + } + + ret = ad_get_slave_domain_retry(req); + if (ret == EAGAIN) { + /* asynchronous processing */ + return req; + } + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t ad_get_slave_domain_retry(struct tevent_req *req) +{ + struct ad_get_slave_domain_state *state; + struct tevent_req *subreq; + int ret; + + state = tevent_req_data(req, struct ad_get_slave_domain_state); + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + tevent_req_set_callback(subreq, ad_get_slave_domain_connect_done, req); + + return EAGAIN; +} + +static void ad_get_slave_domain_connect_done(struct tevent_req *subreq) +{ + struct ad_get_slave_domain_state *state; + struct tevent_req *req = NULL; + int dp_error; + errno_t ret; + const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER, + AD_AT_SID, AD_AT_TRUST_TYPE, + AD_AT_TRUST_ATTRS, NULL }; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = 
tevent_req_data(req, struct ad_get_slave_domain_state); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to LDAP " + "[%d]: %s\n", ret, sss_strerror(ret)); + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, "No AD server is available, " + "cannot get the subdomain list while offline\n"); + ret = ERR_OFFLINE; + } + tevent_req_error(req, ret); + return; + } + + subreq = sdap_search_bases_send(state, state->ev, state->opts, + sdap_id_op_handle(state->sdap_op), + state->root_sdom->search_bases, + NULL, false, 0, + SLAVE_DOMAIN_FILTER, attrs); + if (subreq == NULL) { + tevent_req_error(req, ret); + return; + } + + tevent_req_set_callback(subreq, ad_get_slave_domain_done, req); + return; +} + +static void ad_get_slave_domain_done(struct tevent_req *subreq) +{ + struct ad_get_slave_domain_state *state; + struct tevent_req *req; + struct sysdb_attrs **reply; + size_t reply_count; + struct sysdb_attrs **subdoms; + size_t nsubdoms; + bool has_changes; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ad_get_slave_domain_state); + + ret = sdap_search_bases_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup slave domain data " + "[%d]: %s\n", ret, sss_strerror(ret)); + /* We continue to finish sdap_id_op. */ + } + + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = ad_get_slave_domain_retry(req); + if (ret != EOK) { + goto done; + } + return; + } else if (dp_error == DP_ERR_OFFLINE) { + ret = ERR_OFFLINE; + goto done; + } else if (ret != EOK) { + goto done; + } + + /* Based on whether we are connected to the forest root or not, we might + * need to exclude the subdomain we are connected to from the list of + * subdomains. 
+ */
+ ret = ad_subdomains_process(state, state->be_ctx->domain,
+ state->sd_ctx->ad_enabled_domains,
+ reply_count, reply, state->root_attrs,
+ &nsubdoms, &subdoms);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot process subdomain list\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Got all the subdomains, let's process them. */
+ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
+ subdoms, nsubdoms, false,
+ &state->sd_ctx->last_refreshed,
+ &has_changes);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to refresh subdomains.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "There are %schanges\n",
+ has_changes ? "" : "no ");
+
+ if (has_changes) {
+ ret = ad_subdom_reinit(state->sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
+ goto done;
+ }
+ }
+
+ state->sd_ctx->last_refreshed = time(NULL);
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ad_get_slave_domain_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+static struct ad_id_ctx *
+ads_get_root_id_ctx(struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ struct sss_domain_info *root_domain,
+ struct sdap_options *opts)
+{
+ errno_t ret;
+ struct sdap_domain *sdom;
+ struct ad_id_ctx *root_id_ctx;
+
+ sdom = sdap_domain_get(opts, root_domain);
+ if (sdom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the sdom for %s!\n", root_domain->name);
+ return NULL;
+ }
+
+ if (sdom->pvt == NULL) {
+ ret = ad_subdom_ad_ctx_new(be_ctx, ad_id_ctx, root_domain,
+ &root_id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_subdom_ad_ctx_new failed.\n");
+ return NULL;
+ }
+
+ sdom->pvt = root_id_ctx;
+ } else {
+ root_id_ctx = sdom->pvt;
+ }
+
+ root_id_ctx->ldap_ctx->ignore_mark_offline = true;
+ return root_id_ctx;
+}
+
+struct ad_get_root_domain_state {
+ struct ad_subdomains_ctx *sd_ctx;
+ struct be_ctx *be_ctx;
+ struct sdap_idmap_ctx *idmap_ctx;
+ struct sdap_options *opts;
+
+ struct ad_id_ctx *root_id_ctx;
+ struct sysdb_attrs *root_domain_attrs;
+};
+
+static void ad_get_root_domain_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ad_get_root_domain_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *domain,
+ const char *forest,
+ struct sdap_handle *sh,
+ struct ad_subdomains_ctx *sd_ctx)
+{
+ struct ad_get_root_domain_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ struct sdap_options *opts;
+ errno_t ret;
+ const char *filter;
+ const char *attrs[] = { AD_AT_FLATNAME, AD_AT_TRUST_PARTNER,
+ AD_AT_SID, AD_AT_TRUST_TYPE,
+ AD_AT_TRUST_ATTRS, NULL };
+
+ req = tevent_req_create(mem_ctx, &state, struct ad_get_root_domain_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ if (forest != NULL && strcasecmp(domain, forest) == 0) {
+ state->root_id_ctx = sd_ctx->ad_id_ctx;
+ state->root_domain_attrs = NULL;
+ ret = EOK;
+ goto immediately;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Looking up the forest root domain.\n");
+
+ state->sd_ctx = sd_ctx;
+ state->opts = opts = sd_ctx->sdap_id_ctx->opts;
+ state->be_ctx = sd_ctx->be_ctx;
+ state->idmap_ctx = opts->idmap_ctx;
+
+ filter = talloc_asprintf(state, FOREST_ROOT_FILTER_FMT, forest);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_search_bases_return_first_send(state, ev, opts, sh,
+ opts->sdom->search_bases,
+ NULL, false, 0, filter, attrs);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ad_get_root_domain_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ad_get_root_domain_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ad_get_root_domain_state *state;
+ struct sysdb_attrs **reply;
+ struct sss_domain_info *root_domain;
+ size_t reply_count;
+ bool has_changes;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_get_root_domain_state);
+
+ ret = sdap_search_bases_return_first_recv(subreq, state, &reply_count,
+ &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to lookup forest root information "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (reply_count == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "No information provided for root domain\n");
+ ret = ENOENT;
+ goto done;
+ } else if (reply_count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Multiple results for root domain search, "
+ "domain list might be incomplete!\n");
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ ret = ad_subdomains_refresh(state->be_ctx, state->idmap_ctx, state->opts,
+ reply, reply_count, true,
+ &state->sd_ctx->last_refreshed,
+ &has_changes);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_subdomains_refresh failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (has_changes) {
+ ret = ad_subdom_reinit(state->sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
+ goto done;
+ }
+ }
+
+ state->root_domain_attrs = reply[0];
+ root_domain = ads_get_root_domain(state->be_ctx, reply[0]);
+ if (root_domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not find the root domain\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ state->root_id_ctx = ads_get_root_id_ctx(state->be_ctx,
+ state->sd_ctx->ad_id_ctx,
+ root_domain, state->opts);
+ if (state->root_id_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot create id ctx for the root domain\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ad_get_root_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sysdb_attrs **_attrs,
+ struct ad_id_ctx **_id_ctx)
+{
+ struct ad_get_root_domain_state *state = NULL;
+ state = tevent_req_data(req, struct ad_get_root_domain_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_attrs = talloc_steal(mem_ctx, state->root_domain_attrs);
+ *_id_ctx = state->root_id_ctx;
+
+ return EOK;
+}
+
+static void ad_check_gc_usability_search_done(struct tevent_req *subreq);
+
+struct ad_check_gc_usability_state {
+ struct sdap_options *sdap_opts;
+
+ const char *attrs[3];
+
+ bool is_gc_usable;
+};
+
+static struct tevent_req *
+ad_check_gc_usability_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ad_options *ad_options,
+ struct sdap_options *sdap_opts,
+ struct sdap_id_op *op,
+ const char *domain_name,
+ const char *domain_sid)
+{
+ struct ad_check_gc_usability_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ const char *filter = NULL;
+ errno_t ret;
+ bool uses_id_mapping;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ad_check_gc_usability_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->sdap_opts = sdap_opts;
+ state->is_gc_usable = false;
+
+ if (dp_opt_get_bool(ad_options->basic, AD_ENABLE_GC) == false) {
+ DEBUG(SSSDBG_TRACE_FUNC, "GC explicitly disabled\n");
+ state->is_gc_usable = false;
+ ret = EOK;
+ goto immediately;
+ }
+
+ uses_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ sdap_opts->idmap_ctx,
+ domain_name,
+ domain_sid);
+ if (uses_id_mapping == true) {
+ DEBUG(SSSDBG_TRACE_FUNC, "GC always usable while ID mapping\n");
+ state->is_gc_usable = true;
+ ret = EOK;
+ goto immediately;
+ }
+
+ /* The schema partition is replicated across all DCs in the forest, so
+ * it's safe to use the baseDN even if e.g. joined to a child domain
+ * even though the base DN "looks" like a part of the forest root
+ * tree. On the other hand, it doesn't make sense to guess the value
+ * if we can't detect it from the rootDSE.
+ */
+ if (state->sdap_opts->schema_basedn == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No idea where to look for the schema, disabling GC\n");
+ state->is_gc_usable = false;
+ ret = EOK;
+ goto immediately;
+ }
+
+ state->attrs[0] = AD_AT_SCHEMA_NAME;
+ state->attrs[1] = AD_AT_SCHEMA_IS_REPL;
+ state->attrs[2] = NULL;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Checking for POSIX attributes in GC\n");
+
+ filter = talloc_asprintf(
+ state,
+ "(&(objectclass=%s)(|(%s=%s)(%s=%s)))",
+ AD_SCHEMA_AT_OC,
+ AD_AT_SCHEMA_NAME,
+ state->sdap_opts->user_map[SDAP_AT_USER_UID].name,
+ AD_AT_SCHEMA_NAME,
+ state->sdap_opts->group_map[SDAP_AT_GROUP_GID].name);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_get_generic_send(state,
+ ev,
+ state->sdap_opts,
+ sdap_id_op_handle(op),
+ state->sdap_opts->schema_basedn,
+ LDAP_SCOPE_SUBTREE,
+ filter,
+ state->attrs,
+ NULL, 0,
+ dp_opt_get_int(state->sdap_opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ tevent_req_set_callback(subreq, ad_check_gc_usability_search_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ad_check_gc_usability_search_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ad_check_gc_usability_state *state = tevent_req_data(req,
+ struct ad_check_gc_usability_state);
+ errno_t ret;
+ size_t reply_count;
+ struct sysdb_attrs **reply = NULL;
+ bool uid = false;
+ bool gid = false;
+
+ ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_recv failed [%d]: %s\n",
+ ret, strerror(ret));
+ /* We continue to finish sdap_id_op. */
+ }
+
+ if (reply_count == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Nothing found, so no POSIX attrs can exist\n");
+ state->is_gc_usable = false;
+ tevent_req_done(req);
+ return;
+ }
+
+ for (size_t i = 0; i < reply_count; i++) {
+ const char *name = NULL;
+ const char *is_in_partial_set = NULL;
+ bool *val = NULL;
+
+ ret = sysdb_attrs_get_string(reply[i], AD_AT_SCHEMA_NAME, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot get "AD_AT_SCHEMA_NAME);
+ continue;
+ }
+
+ if (strcasecmp(name, state->sdap_opts->user_map[SDAP_AT_USER_UID].name) == 0) {
+ val = &uid;
+ } else if (strcasecmp(name, state->sdap_opts->user_map[SDAP_AT_USER_GID].name) == 0) {
+ val = &gid;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected attribute\n");
+ continue;
+ }
+
+ ret = sysdb_attrs_get_string(reply[i],
+ AD_AT_SCHEMA_IS_REPL,
+ &is_in_partial_set);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot get "AD_AT_SCHEMA_IS_REPL);
+ continue;
+ }
+
+ if (strcasecmp(is_in_partial_set, "true") == 0) {
+ *val = true;
+ }
+ }
+
+ if (uid == true && gid == true) {
+ state->is_gc_usable = true;
+ }
+
+ if (state->is_gc_usable == true) {
+ DEBUG(SSSDBG_FUNC_DATA, "Server has POSIX attributes. Global Catalog will "
+ "be used for user and group lookups. Note that if "
+ "only a subset of POSIX attributes is present "
+ "in GC, the non-replicated attributes are "
+ "currently not read from the LDAP port\n");
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ad_check_gc_usability_recv(struct tevent_req *req,
+ bool *_is_gc_usable)
+{
+ struct ad_check_gc_usability_state *state = NULL;
+
+ state = tevent_req_data(req, struct ad_check_gc_usability_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_is_gc_usable = state->is_gc_usable;
+ return EOK;
+}
+
+struct ad_subdomains_refresh_state {
+ struct tevent_context *ev;
+ struct be_ctx *be_ctx;
+ struct ad_subdomains_ctx *sd_ctx;
+ struct sdap_id_op *sdap_op;
+ struct sdap_id_ctx *id_ctx;
+ struct ad_options *ad_options;
+
+ char *forest;
+};
+
+static errno_t ad_subdomains_refresh_retry(struct tevent_req *req);
+static void ad_subdomains_refresh_connect_done(struct tevent_req *subreq);
+static void ad_subdomains_refresh_master_done(struct tevent_req *subreq);
+static void ad_subdomains_refresh_gc_check_done(struct tevent_req *subreq);
+static void ad_subdomains_refresh_root_done(struct tevent_req *subreq);
+static void ad_subdomains_refresh_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ad_subdomains_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ad_subdomains_ctx *sd_ctx)
+{
+ struct ad_subdomains_refresh_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ad_subdomains_refresh_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->be_ctx = sd_ctx->be_ctx;
+ state->sd_ctx = sd_ctx;
+ state->id_ctx = sd_ctx->sdap_id_ctx;
+ state->ad_options = sd_ctx->ad_id_ctx->ad_options;
+
+ state->sdap_op = sdap_id_op_create(state,
+ sd_ctx->sdap_id_ctx->conn->conn_cache);
+ if (state->sdap_op == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ ret = ad_subdomains_refresh_retry(req);
+ if (ret == EAGAIN) {
+ /* asynchronous processing */
+ return req;
+ }
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t ad_subdomains_refresh_retry(struct tevent_req *req)
+{
+ struct ad_subdomains_refresh_state *state;
+ struct tevent_req *subreq;
+ int ret;
+
+ state = tevent_req_data(req, struct ad_subdomains_refresh_state);
+
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, ad_subdomains_refresh_connect_done, req);
+
+ return EAGAIN;
+}
+
+static void ad_subdomains_refresh_connect_done(struct tevent_req *subreq)
+{
+ struct ad_subdomains_refresh_state *state;
+ struct tevent_req *req;
+ int dp_error;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_subdomains_refresh_state);
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to LDAP "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ if (dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "No AD server is available, "
+ "cannot get the subdomain list while offline\n");
+ ret = ERR_OFFLINE;
+ }
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* connect to the DC we are a member of */
+ subreq = ad_master_domain_send(state, state->ev, state->id_ctx->conn,
+ state->sdap_op, state->sd_ctx->domain_name);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, ad_subdomains_refresh_master_done, req);
+ return;
+}
+
+static void ad_subdomains_refresh_master_done(struct tevent_req *subreq)
+{
+ struct ad_subdomains_refresh_state *state;
+ struct tevent_req *req;
+ const char *realm;
+ char *master_sid;
+ char *flat_name;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_subdomains_refresh_state);
+
+ ret = ad_master_domain_recv(subreq, state, &flat_name, &master_sid,
+ NULL, &state->forest);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain information "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ realm = dp_opt_get_cstring(state->ad_options->basic, AD_KRB5_REALM);
+ if (realm == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Missing realm.\n");
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ ret = sysdb_master_domain_add_info(state->be_ctx->domain, realm,
+ flat_name, master_sid, state->forest, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot save master domain info [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = ad_check_gc_usability_send(state,
+ state->ev,
+ state->ad_options,
+ state->id_ctx->opts,
+ state->sdap_op,
+ state->be_ctx->domain->name,
+ master_sid);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, ad_subdomains_refresh_gc_check_done, req);
+}
+
+static void ad_subdomains_refresh_gc_check_done(struct tevent_req *subreq)
+{
+ struct ad_subdomains_refresh_state *state;
+ struct tevent_req *req;
+ const char *ad_domain;
+ bool is_gc_usable;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_subdomains_refresh_state);
+
+ ret = ad_check_gc_usability_recv(subreq, &is_gc_usable);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get GC usability status\n");
+ is_gc_usable = false;
+ }
+
+ if (is_gc_usable == false) {
+ ad_disable_gc(state->ad_options);
+ }
+
+ /*
+ * If ad_enabled_domains contains only master domain
+ * we shouldn't lookup other domains.
+ */
+ if (state->sd_ctx->ad_enabled_domains != NULL) {
+ if (talloc_array_length(state->sd_ctx->ad_enabled_domains) == 2) {
+ if (strcasecmp(state->sd_ctx->ad_enabled_domains[0],
+ state->be_ctx->domain->name) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No other enabled domain than master.\n");
+ tevent_req_done(req);
+ return;
+ }
+ }
+ }
+
+ ad_domain = dp_opt_get_cstring(state->ad_options->basic, AD_DOMAIN);
+ if (ad_domain == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Missing AD domain name, falling back to sssd domain name\n");
+ ad_domain = state->sd_ctx->be_ctx->domain->name;
+ }
+
+ subreq = ad_get_root_domain_send(state, state->ev, ad_domain, state->forest,
+ sdap_id_op_handle(state->sdap_op),
+ state->sd_ctx);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, ad_subdomains_refresh_root_done, req);
+ return;
+}
+
+static void ad_subdomains_refresh_root_done(struct tevent_req *subreq)
+{
+ struct ad_subdomains_refresh_state *state;
+ struct tevent_req *req;
+ struct ad_id_ctx *root_id_ctx;
+ struct sysdb_attrs *root_attrs;
+ int dp_error;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_subdomains_refresh_state);
+
+ /* Note: For clients joined to the root domain, root_attrs is NULL,
+ * see ad_get_root_domain_send()
+ */
+ ret = ad_get_root_domain_recv(state, subreq, &root_attrs, &root_id_ctx);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get forest root [%d]: %s\n",
+ ret, sss_strerror(ret));
+ root_attrs = NULL;
+ root_id_ctx = NULL;
+ /* We continue to finish sdap_id_op. */
+ }
+
+ /* We finish sdap_id_op here since we connect
+ * to forest root for slave domains. */
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = ad_subdomains_refresh_retry(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ } else if (dp_error == DP_ERR_OFFLINE) {
+ tevent_req_error(req, ERR_OFFLINE);
+ return;
+ } else if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = ad_get_slave_domain_send(state, state->ev, state->sd_ctx,
+ root_attrs, root_id_ctx);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, ad_subdomains_refresh_done, req);
+ return;
+}
+
+static void ad_subdomains_refresh_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ ret = ad_get_slave_domain_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get subdomains [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Unable to refresh subdomains [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Subdomains refreshed.\n");
+ tevent_req_done(req);
+}
+
+static errno_t ad_subdomains_refresh_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ad_subdomains_handler_state {
+ struct dp_reply_std reply;
+};
+
+static void ad_subdomains_handler_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ad_subdomains_handler_send(TALLOC_CTX *mem_ctx,
+ struct ad_subdomains_ctx *sd_ctx,
+ struct dp_subdomains_data *data,
+ struct dp_req_params *params)
+{
+ struct ad_subdomains_handler_state *state;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ad_subdomains_handler_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+
+ if (sd_ctx->last_refreshed > time(NULL) - AD_SUBDOMAIN_REFRESH_LIMIT) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Subdomains were recently refreshed, "
+ "nothing to do\n");
+ ret = EOK;
+ goto immediately;
+ }
+
+ subreq = ad_subdomains_refresh_send(state, params->ev, sd_ctx);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ad_subdomains_handler_done, req);
+
+ return req;
+
+immediately:
+ dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+
+ return req;
+}
+
+static void ad_subdomains_handler_done(struct tevent_req *subreq)
+{
+ struct ad_subdomains_handler_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_subdomains_handler_state);
+
+ ret = ad_subdomains_refresh_recv(subreq);
+ talloc_zfree(subreq);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
+ tevent_req_done(req);
+}
+
+static errno_t ad_subdomains_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data)
+{
+ struct ad_subdomains_handler_state *state;
+
+ state = tevent_req_data(req, struct ad_subdomains_handler_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *data = state->reply;
+
+ return EOK;
+}
+
+static struct tevent_req *
+ad_subdomains_ptask_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt)
+{
+ struct ad_subdomains_ctx *sd_ctx;
+ sd_ctx = talloc_get_type(pvt, struct ad_subdomains_ctx);
+
+ return ad_subdomains_refresh_send(mem_ctx, ev, sd_ctx);
+}
+
+static errno_t
+ad_subdomains_ptask_recv(struct tevent_req *req)
+{
+ return ad_subdomains_refresh_recv(req);
+}
+
+errno_t ad_subdomains_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ struct dp_method *dp_methods)
+{
+ struct ad_subdomains_ctx *sd_ctx;
+ const char *ad_domain;
+ const char **ad_enabled_domains = NULL;
+ time_t period;
+ errno_t ret;
+
+ ad_domain = dp_opt_get_string(ad_id_ctx->ad_options->basic, AD_DOMAIN);
+
+ sd_ctx = talloc_zero(mem_ctx, struct ad_subdomains_ctx);
+ if (sd_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+ return ENOMEM;
+ }
+
+ ret = ad_get_enabled_domains(sd_ctx, ad_id_ctx, ad_domain,
+ &ad_enabled_domains);
+ if (ret != EOK) {
+ return EINVAL;
+ }
+
+ sd_ctx->be_ctx = be_ctx;
+ sd_ctx->sdom = ad_id_ctx->sdap_id_ctx->opts->sdom;
+ sd_ctx->sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
+ sd_ctx->domain_name = talloc_strdup(sd_ctx, ad_domain);
+ if (sd_ctx->domain_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+ sd_ctx->ad_enabled_domains = ad_enabled_domains;
+ sd_ctx->ad_id_ctx = ad_id_ctx;
+
+ dp_set_method(dp_methods, DPM_DOMAINS_HANDLER,
+ ad_subdomains_handler_send, ad_subdomains_handler_recv, sd_ctx,
+ struct ad_subdomains_ctx, struct dp_subdomains_data, struct dp_reply_std);
+
+ period = be_ctx->domain->subdomain_refresh_interval;
+ ret = be_ptask_create(sd_ctx, be_ctx, period, 0, 0, 0, period,
+ BE_PTASK_OFFLINE_DISABLE, 0,
+ ad_subdomains_ptask_send, ad_subdomains_ptask_recv, sd_ctx,
+ "Subdomains Refresh", NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup ptask "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ /* Ignore, responders will trigger refresh from time to time. */
+ }
+
+ ret = ad_subdom_reinit(sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not reinitialize subdomains. "
+ "Users from trusted domains might not be resolved correctly\n");
+ /* Ignore this error and try to discover the subdomains later */
+ }
+
+ return EOK;
+}
diff --git a/src/providers/ad/ad_subdomains.h b/src/providers/ad/ad_subdomains.h
new file mode 100644
index 0000000..adc286b
--- /dev/null
+++ b/src/providers/ad/ad_subdomains.h
@@ -0,0 +1,36 @@
+/*
+ SSSD
+
+ AD Subdomains Module
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _AD_SUBDOMAINS_H_
+#define _AD_SUBDOMAINS_H_
+
+#include "providers/backend.h"
+#include "providers/ad/ad_common.h"
+
+errno_t ad_subdomains_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ad_id_ctx *ad_id_ctx,
+ struct dp_method *dp_methods);
+
+#endif /* _AD_SUBDOMAINS_H_ */
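Review bot: The only declaration in the new header, `ad_subdomains_init`, has no doc comment, and its contract cannot be guessed from the prototype. Going by the implementation in ad_subdomains.c, it returns `EOK` even when `be_ptask_create` or the initial `ad_subdom_reinit` fails (both are only logged), and on its `EINVAL`/`ENOMEM` returns the `sd_ctx` it allocated on `mem_ctx` is left for the parent context to release. A comment above the prototype stating the talloc parent, that the call registers `DPM_DOMAINS_HANDLER`, and which failures are non-fatal would document that. The guard `_AD_SUBDOMAINS_H_` also has a reserved identifier form (underscore followed by an uppercase letter); `AD_SUBDOMAINS_H` would avoid it.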
diff --git a/src/providers/ad/ad_sudo.c b/src/providers/ad/ad_sudo.c
new file mode 100644
index 0000000..026eab1
--- /dev/null
+++ b/src/providers/ad/ad_sudo.c
@@ -0,0 +1,51 @@
+/*
+ SSSD
+
+ AD SUDO Provider Initialization functions
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ad/ad_common.h"
+#include "providers/ldap/sdap_sudo.h"
+
+errno_t ad_sudo_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ad_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ errno_t ret;
+ struct ad_options *ad_options;
+ struct sdap_options *ldap_options;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo AD back end\n");
+
+ ret = sdap_sudo_init(mem_ctx, be_ctx, id_ctx->sdap_id_ctx, dp_methods);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize LDAP SUDO [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ad_options = id_ctx->ad_options;
+ ldap_options = id_ctx->sdap_id_ctx->opts;
+
+ ad_options->id->sudorule_map = ldap_options->sudorule_map;
+ return EOK;
+}
diff --git a/src/providers/backend.h b/src/providers/backend.h
new file mode 100644
index 0000000..6a34b91
--- /dev/null
+++ b/src/providers/backend.h
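Review bot: The last assignment in `ad_sudo_init`, `ad_options->id->sudorule_map = ldap_options->sudorule_map;`, copies a pointer rather than the map, so both option structures afterwards refer to one `sudorule_map` and nothing in the file says which of them owns it. Since this map presumably selects the LDAP attributes that are read as sudo rules, the line deserves a comment along the lines of `/* share the sudo rule map with the AD id options; ldap_options keeps ownership */`, with the ownership statement confirmed against `sdap_sudo_init`, which is not visible here. The function also dereferences `id_ctx->ad_options->id` and `id_ctx->sdap_id_ctx->opts` without a NULL check; if callers guarantee both, a short header comment saying so would be enough.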
@@ -0,0 +1,229 @@
+/*
+ SSSD
+
+ Data Provider, private header file
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __DP_BACKEND_H__
+#define __DP_BACKEND_H__
+
+#include "providers/data_provider.h"
+#include "providers/fail_over.h"
+#include "providers/be_refresh.h"
+#include "providers/data_provider/dp.h"
+#include "util/child_common.h"
+#include "util/session_recording.h"
+#include "db/sysdb.h"
+
+/* a special token, if used in place of the hostname, denotes that real
+ * hostnames should be looked up from DNS using SRV requests
+ */
+#define BE_SRV_IDENTIFIER "_srv_"
+
+struct be_ctx;
+
+typedef void (*be_callback_t)(void *);
+
+struct be_offline_status {
+ time_t went_offline;
+ bool offline;
+};
+
+struct be_resolv_ctx {
+ struct resolv_ctx *resolv;
+ struct dp_option *opts;
+
+ enum restrict_family family_order;
+};
+
+struct be_svc_data {
+ struct be_svc_data *prev;
+ struct be_svc_data *next;
+
+ const char *name;
+ struct fo_service *fo_service;
+
+ struct fo_server *last_good_srv;
+ time_t last_status_change;
+ bool run_callbacks;
+
+ struct be_svc_callback *callbacks;
+ struct fo_server *first_resolved;
+};
+
+struct be_failover_ctx {
+ struct fo_ctx *fo_ctx;
+ struct be_resolv_ctx *be_res;
+
+ struct be_svc_data *svcs;
+ struct tevent_timer *primary_server_handler;
+};
+
+struct be_cb;
+
+struct be_ctx {
+ struct tevent_context *ev;
+ struct confdb_ctx *cdb;
+ struct sss_domain_info *domain;
+ const char *identity;
+ const char *conf_path;
+ uid_t uid;
+ gid_t gid;
+ char override_space;
+ struct session_recording_conf sr_conf;
+ struct be_failover_ctx *be_fo;
+ struct be_resolv_ctx *be_res;
+
+ /* Functions to be invoked when the
+ * backend goes online or offline
+ */
+ struct be_cb *online_cb_list;
+ bool run_online_cb;
+ struct be_cb *offline_cb_list;
+ bool run_offline_cb;
+ struct be_cb *reconnect_cb_list;
+ /* In contrast to online_cb_list which are only run if the backend is
+ * offline the unconditional_online_cb_list should be run whenever the
+ * backend receives a request to go online. The typical use case is to
+ * reset timers independenly of the state of the backend. */
+ struct be_cb *unconditional_online_cb_list;
+
+ struct be_offline_status offstat;
+ /* Periodicly check if we can go online. */
+ struct be_ptask *check_if_online_ptask;
+
+ struct sbus_connection *mon_conn;
+
+ struct be_refresh_ctx *refresh_ctx;
+
+ size_t check_online_ref_count;
+
+ struct data_provider *provider;
+
+ /* Indicates whether the last state of the DP that has been logged is
+ * DP_ERR_OK or DP_ERR_OFFLINE. The only usage of this var, so far, is
+ * to log the DP status without spamming the syslog/journal. */
+ int last_dp_state;
+};
+
+bool be_is_offline(struct be_ctx *ctx);
+void be_mark_offline(struct be_ctx *ctx);
+void be_mark_dom_offline(struct sss_domain_info *dom, struct be_ctx *ctx);
+
+int be_add_reconnect_cb(TALLOC_CTX *mem_ctx,
+ struct be_ctx *ctx,
+ be_callback_t cb,
+ void *pvt,
+ struct be_cb **reconnect_cb);
+void be_run_reconnect_cb(struct be_ctx *be);
+
+int be_add_online_cb(TALLOC_CTX *mem_ctx,
+ struct be_ctx *ctx,
+ be_callback_t cb,
+ void *pvt,
+ struct be_cb **online_cb);
+void be_run_online_cb(struct be_ctx *be);
+int be_add_unconditional_online_cb(TALLOC_CTX *mem_ctx, struct be_ctx *ctx,
+ be_callback_t cb, void *pvt,
+ struct be_cb **unconditional_online_cb);
+void be_run_unconditional_online_cb(struct be_ctx *be);
+
+int be_add_offline_cb(TALLOC_CTX *mem_ctx,
+ struct be_ctx *ctx,
+ be_callback_t cb,
+ void *pvt,
+ struct be_cb **online_cb);
+void be_run_offline_cb(struct be_ctx *be);
+
+/* from data_provider_fo.c */
+enum be_fo_protocol {
+ BE_FO_PROTO_TCP,
+ BE_FO_PROTO_UDP,
+ BE_FO_PROTO_SENTINEL
+};
+
+typedef void (be_svc_callback_fn_t)(void *, struct fo_server *);
+
+int be_init_failover(struct be_ctx *ctx);
+int be_fo_is_srv_identifier(const char *server);
+int be_fo_add_service(struct be_ctx *ctx, const char *service_name,
+ datacmp_fn user_data_cmp);
+int be_fo_service_add_callback(TALLOC_CTX *memctx,
+ struct be_ctx *ctx, const char *service_name,
+ be_svc_callback_fn_t *fn, void *private_data);
+int be_fo_get_server_count(struct be_ctx *ctx, const char *service_name);
+
+void be_fo_set_srv_lookup_plugin(struct be_ctx *ctx,
+ fo_srv_lookup_plugin_send_t send_fn,
+ fo_srv_lookup_plugin_recv_t recv_fn,
+ void *pvt,
+ const char *plugin_name);
+
+errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx *be_ctx,
+ const char *hostname);
+
+int be_fo_add_srv_server(struct be_ctx *ctx,
+ const char *service_name,
+ const char *query_service,
+ const char *default_discovery_domain,
+ enum be_fo_protocol proto,
+ bool proto_fallback, void *user_data);
+int be_fo_add_server(struct be_ctx *ctx, const char *service_name,
+ const char *server, int port, void *user_data,
+ bool primary);
+
+struct tevent_req *be_resolve_server_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct be_ctx *ctx,
+ const char *service_name,
+ bool first_try);
+int be_resolve_server_recv(struct tevent_req *req,
+ TALLOC_CTX *ref_ctx,
+ struct fo_server **srv);
+
+#define be_fo_set_port_status(ctx, service_name, server, status) \
+ _be_fo_set_port_status(ctx, service_name, server, status, \
+ __LINE__, __FILE__, __FUNCTION__)
+
+void _be_fo_set_port_status(struct be_ctx *ctx,
+ const char *service_name,
+ struct fo_server *server,
+ enum port_status status,
+ int line,
+ const char *file,
+ const char *function);
+
+/*
+ * Instruct fail-over to try next server on the next connect attempt.
+ * Should be used after connection to service was unexpectedly dropped
+ * but there is no authoritative information on whether active server is down.
+ */
+void be_fo_try_next_server(struct be_ctx *ctx, const char *service_name);
+
+int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx,
+ const char *service_name);
+
+void reset_fo(struct be_ctx *be_ctx);
+void be_fo_reset_svc(struct be_ctx *be_ctx, const char *svc_name);
+
+const char *be_fo_get_active_server_name(struct be_ctx *ctx,
+ const char *service_name);
+
+errno_t be_res_init(struct be_ctx *ctx);
+
+#endif /* __DP_BACKEND_H___ */
diff --git a/src/providers/be_dyndns.c b/src/providers/be_dyndns.c
new file mode 100644
index 0000000..ebe1fcd
--- /dev/null
+++ b/src/providers/be_dyndns.c
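Review bot: In the declaration of `be_add_offline_cb` the out-parameter is named `online_cb`, which looks copied from `be_add_online_cb` just above it; `struct be_cb **offline_cb);` would match what the function registers. The closing guard comment `#endif /* __DP_BACKEND_H___ */` carries one underscore more than the guard `__DP_BACKEND_H__`, and the guard name itself uses the double-underscore form that C reserves for the implementation. The comments inside `struct be_ctx` also contain the typos "independenly" and "Periodicly".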
@@ -0,0 +1,1368 @@ +/* + SSSD + + dp_dyndns.c + + Authors: + Stephen Gallagher + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include "util/util.h" +#include "confdb/confdb.h" +#include "util/child_common.h" +#include "providers/data_provider.h" +#include "providers/backend.h" +#include "providers/be_dyndns.h" +#include "resolv/async_resolv.h" + +#ifndef DYNDNS_TIMEOUT +#define DYNDNS_TIMEOUT 15 +#endif /* DYNDNS_TIMEOUT */ + +/* MASK represents special value for matching all interfaces */ +#define MASK "*" + +struct sss_iface_addr { + struct sss_iface_addr *next; + struct sss_iface_addr *prev; + + struct sockaddr_storage *addr; +}; + +struct sockaddr_storage* +sss_iface_addr_get_address(struct sss_iface_addr *address) +{ + if (address == NULL) { + return NULL; + } + + return address->addr; +} + +struct sss_iface_addr *sss_iface_addr_get_next(struct sss_iface_addr *address) +{ + if (address) { + return address->next; + } + + return NULL; +} + +void sss_iface_addr_concatenate(struct sss_iface_addr **list, + struct sss_iface_addr *list2) +{ + DLIST_CONCATENATE((*list), list2, struct sss_iface_addr*); +} + +static errno_t addr_to_str(struct sockaddr_storage *addr, + char *dst, size_t size) +{ + const void *src; + const char *res; + errno_t ret; + + switch(addr->ss_family) { + case AF_INET: + src = 
&(((struct sockaddr_in *)addr)->sin_addr); + break; + case AF_INET6: + src = &(((struct sockaddr_in6 *)addr)->sin6_addr); + break; + default: + ret = ERR_ADDR_FAMILY_NOT_SUPPORTED; + goto done; + } + + res = inet_ntop(addr->ss_family, src, dst, size); + if (res == NULL) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "inet_ntop failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + return ret; +} + +errno_t +sss_iface_addr_list_as_str_list(TALLOC_CTX *mem_ctx, + struct sss_iface_addr *ifaddr_list, + char ***_straddrs) +{ + struct sss_iface_addr *ifaddr; + size_t count; + int ai; + char **straddrs; + char ip_addr[INET6_ADDRSTRLEN]; + errno_t ret; + + count = 0; + DLIST_FOR_EACH(ifaddr, ifaddr_list) { + count++; + } + + straddrs = talloc_array(mem_ctx, char *, count+1); + if (straddrs == NULL) { + return ENOMEM; + } + + ai = 0; + DLIST_FOR_EACH(ifaddr, ifaddr_list) { + + ret = addr_to_str(ifaddr->addr, ip_addr, INET6_ADDRSTRLEN); + if (ret == ERR_ADDR_FAMILY_NOT_SUPPORTED) { + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "addr_to_str failed: %d:[%s],\n", + ret, sss_strerror(ret)); + goto fail; + } + + straddrs[ai] = talloc_strdup(straddrs, ip_addr); + if (straddrs[ai] == NULL) { + ret = ENOMEM; + goto fail; + } + ai++; + } + + straddrs[count] = NULL; + *_straddrs = straddrs; + return EOK; + +fail: + talloc_free(straddrs); + return ret; +} + +static bool +ok_for_dns(struct sockaddr *sa) +{ + struct sockaddr_in sa4; + struct sockaddr_in6 sa6; + + switch (sa->sa_family) { + case AF_INET6: + memcpy(&sa6, sa, sizeof(struct sockaddr_in6)); + return check_ipv6_addr(&sa6.sin6_addr, SSS_NO_SPECIAL); + case AF_INET: + memcpy(&sa4, sa, sizeof(struct sockaddr_in)); + return check_ipv4_addr(&sa4.sin_addr, SSS_NO_SPECIAL); + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown address family\n"); + return false; + } + + return true; +} + +static bool supported_address_family(sa_family_t sa_family) +{ + return sa_family == AF_INET || 
sa_family == AF_INET6; +} + +static bool matching_name(const char *ifname, const char *ifname2) +{ + return (strcmp(MASK, ifname) == 0) || (strcasecmp(ifname, ifname2) == 0); +} + +/* Collect IP addresses associated with an interface */ +errno_t +sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const char *ifname, + struct sss_iface_addr **_addrlist) +{ + struct ifaddrs *ifaces = NULL; + struct ifaddrs *ifa; + errno_t ret; + size_t addrsize; + struct sss_iface_addr *address; + struct sss_iface_addr *addrlist = NULL; + + /* Get the IP addresses associated with the + * specified interface + */ + errno = 0; + ret = getifaddrs(&ifaces); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "Could not read interfaces [%d][%s]\n", ret, strerror(ret)); + goto done; + } + + for (ifa = ifaces; ifa != NULL; ifa = ifa->ifa_next) { + /* Some interfaces don't have an ifa_addr */ + if (!ifa->ifa_addr) continue; + + /* Add IP addresses to the list */ + if (supported_address_family(ifa->ifa_addr->sa_family) + && matching_name(ifname, ifa->ifa_name) + && ok_for_dns(ifa->ifa_addr)) { + + /* Add this address to the IP address list */ + address = talloc_zero(mem_ctx, struct sss_iface_addr); + if (!address) { + ret = ENOMEM; + goto done; + } + + addrsize = ifa->ifa_addr->sa_family == AF_INET ? 
\ + sizeof(struct sockaddr_in) : \ + sizeof(struct sockaddr_in6); + + address->addr = talloc_memdup(address, ifa->ifa_addr, + addrsize); + if (address->addr == NULL) { + ret = ENOMEM; + goto done; + } + + /* steal old dlist to the new head */ + talloc_steal(address, addrlist); + DLIST_ADD(addrlist, address); + } + } + + if (addrlist != NULL) { + /* OK, some result was found */ + ret = EOK; + *_addrlist = addrlist; + } else { + /* No result was found */ + DEBUG(SSSDBG_TRACE_FUNC, + "No IP usable for DNS was found for interface: %s.\n", ifname); + ret = ENOENT; + } + +done: + freeifaddrs(ifaces); + return ret; +} + +static char * +nsupdate_msg_add_fwd(char *update_msg, struct sss_iface_addr *addresses, + const char *hostname, int ttl, uint8_t remove_af) +{ + struct sss_iface_addr *new_record; + char ip_addr[INET6_ADDRSTRLEN]; + errno_t ret; + + /* A addresses first */ + /* Remove existing entries as needed */ + if (remove_af & DYNDNS_REMOVE_A) { + update_msg = talloc_asprintf_append(update_msg, + "update delete %s. in A\n", + hostname); + if (update_msg == NULL) { + return NULL; + } + } + DLIST_FOR_EACH(new_record, addresses) { + if (new_record->addr->ss_family == AF_INET) { + ret = addr_to_str(new_record->addr, ip_addr, INET6_ADDRSTRLEN); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "addr_to_str failed: %d:[%s],\n", + ret, sss_strerror(ret)); + return NULL; + } + + /* Format the record update */ + update_msg = talloc_asprintf_append(update_msg, + "update add %s. %d in %s %s\n", + hostname, ttl, "A", ip_addr); + if (update_msg == NULL) { + return NULL; + } + } + } + update_msg = talloc_asprintf_append(update_msg, "send\n"); + + /* AAAA addresses next */ + /* Remove existing entries as needed */ + if (remove_af & DYNDNS_REMOVE_AAAA) { + update_msg = talloc_asprintf_append(update_msg, + "update delete %s. 
in AAAA\n", + hostname); + if (update_msg == NULL) { + return NULL; + } + } + DLIST_FOR_EACH(new_record, addresses) { + if (new_record->addr->ss_family == AF_INET6) { + ret = addr_to_str(new_record->addr, ip_addr, INET6_ADDRSTRLEN); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "addr_to_str failed: %d:[%s],\n", + ret, sss_strerror(ret)); + return NULL; + } + + /* Format the record update */ + update_msg = talloc_asprintf_append(update_msg, + "update add %s. %d in %s %s\n", + hostname, ttl, "AAAA", ip_addr); + if (update_msg == NULL) { + return NULL; + } + } + } + + return talloc_asprintf_append(update_msg, "send\n"); +} + +static uint8_t *nsupdate_convert_address(struct sockaddr_storage *add_address) +{ + uint8_t *addr; + + switch(add_address->ss_family) { + case AF_INET: + addr = (uint8_t *) &((struct sockaddr_in *) add_address)->sin_addr; + break; + case AF_INET6: + addr = (uint8_t *) &((struct sockaddr_in6 *) add_address)->sin6_addr; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown address family\n"); + addr = NULL; + break; + } + + return addr; +} + +static char *nsupdate_msg_add_ptr(char *update_msg, + struct sockaddr_storage *address, + const char *hostname, + int ttl, + bool delete) +{ + char *strptr; + uint8_t *addr; + + addr = nsupdate_convert_address(address); + if (addr == NULL) { + return NULL; + } + + strptr = resolv_get_string_ptr_address(update_msg, address->ss_family, + addr); + if (strptr == NULL) { + return NULL; + } + + if (delete) { + /* example: update delete 38.78.16.10.in-addr.arpa. in PTR */ + update_msg = talloc_asprintf_append(update_msg, + "update delete %s in PTR\n" + "send\n", + strptr); + } else { + /* example: update delete 38.78.16.10.in-addr.arpa. 
in PTR */ + update_msg = talloc_asprintf_append(update_msg, + "update add %s %d in PTR %s.\n" + "send\n", + strptr, ttl, hostname); + } + + talloc_free(strptr); + if (update_msg == NULL) { + return NULL; + } + + return update_msg; +} + +static char * +nsupdate_msg_add_realm_cmd(TALLOC_CTX *mem_ctx, const char *realm) +{ +#ifdef HAVE_NSUPDATE_REALM + if (realm != NULL) { + return talloc_asprintf(mem_ctx, "realm %s\n", realm); + } +#endif + return talloc_asprintf(mem_ctx, "\n"); +} + +static char * +nsupdate_msg_create_common(TALLOC_CTX *mem_ctx, const char *realm, + const char *servername) +{ + char *realm_directive; + char *update_msg; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return NULL; + + realm_directive = nsupdate_msg_add_realm_cmd(tmp_ctx, realm); + if (!realm_directive) { + goto fail; + } + + /* The realm_directive would now either contain an empty string or be + * completely empty so we don't need to add another newline here + */ + if (servername) { + DEBUG(SSSDBG_FUNC_DATA, + "Creating update message for server [%s] and realm [%s].\n", + servername, realm); + + /* Add the server, realm and headers */ + update_msg = talloc_asprintf(tmp_ctx, "server %s\n%s", + servername, realm_directive); + } else if (realm != NULL) { + DEBUG(SSSDBG_FUNC_DATA, + "Creating update message for realm [%s].\n", realm); + /* Add the realm headers */ + update_msg = talloc_asprintf(tmp_ctx, "%s", realm_directive); + } else { + DEBUG(SSSDBG_FUNC_DATA, + "Creating update message for auto-discovered realm.\n"); + update_msg = talloc_asprintf(tmp_ctx, "%s", realm_directive); + } + talloc_free(realm_directive); + if (update_msg == NULL) { + goto fail; + } + + update_msg = talloc_steal(mem_ctx, update_msg); + talloc_free(tmp_ctx); + return update_msg; + +fail: + talloc_free(tmp_ctx); + return NULL; +} + +errno_t +be_nsupdate_create_fwd_msg(TALLOC_CTX *mem_ctx, const char *realm, + const char *servername, + const char *hostname, const unsigned int ttl, 
+ uint8_t remove_af, struct sss_iface_addr *addresses, + char **_update_msg) +{ + int ret; + char *update_msg; + TALLOC_CTX *tmp_ctx; + + /* in some cases realm could have been NULL if we weren't using TSIG */ + if (hostname == NULL) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + + update_msg = nsupdate_msg_create_common(tmp_ctx, realm, servername); + if (update_msg == NULL) { + ret = ENOMEM; + goto done; + } + + update_msg = nsupdate_msg_add_fwd(update_msg, addresses, hostname, + ttl, remove_af); + if (update_msg == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + " -- Begin nsupdate message -- \n" + "%s" + " -- End nsupdate message -- \n", + update_msg); + + ret = ERR_OK; + *_update_msg = talloc_steal(mem_ctx, update_msg); +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +be_nsupdate_create_ptr_msg(TALLOC_CTX *mem_ctx, const char *realm, + const char *servername, const char *hostname, + const unsigned int ttl, + struct sockaddr_storage *address, + bool delete, + char **_update_msg) +{ + errno_t ret; + char *update_msg; + + /* in some cases realm could have been NULL if we weren't using TSIG */ + if (hostname == NULL) { + return EINVAL; + } + + update_msg = nsupdate_msg_create_common(mem_ctx, realm, servername); + if (update_msg == NULL) { + ret = ENOMEM; + goto done; + } + + update_msg = nsupdate_msg_add_ptr(update_msg, address, hostname, ttl, + delete); + if (update_msg == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + " -- Begin nsupdate message -- \n" + "%s" + " -- End nsupdate message -- \n", + update_msg); + + ret = ERR_OK; + *_update_msg = update_msg; + +done: + return ret; +} + +struct nsupdate_get_addrs_state { + struct tevent_context *ev; + struct be_resolv_ctx *be_res; + enum host_database *db; + const char *hostname; + + /* Use sss_addr in this request */ + struct sss_iface_addr *addrlist; + size_t count; +}; + +static void 
nsupdate_get_addrs_done(struct tevent_req *subreq); + +struct tevent_req * +nsupdate_get_addrs_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_resolv_ctx *be_res, + const char *hostname) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct nsupdate_get_addrs_state *state; + + req = tevent_req_create(mem_ctx, &state, struct nsupdate_get_addrs_state); + if (req == NULL) { + return NULL; + } + state->be_res = be_res; + state->ev = ev; + state->hostname = talloc_strdup(state, hostname); + if (state->hostname == NULL) { + ret = ENOMEM; + goto done; + } + + state->db = talloc_array(state, enum host_database, 2); + if (state->db == NULL) { + ret = ENOMEM; + goto done; + } + state->db[0] = DB_DNS; + state->db[1] = DB_SENTINEL; + + subreq = resolv_gethostbyname_send(state, ev, be_res->resolv, hostname, + state->be_res->family_order, + state->db); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, nsupdate_get_addrs_done, req); + + ret = ERR_OK; +done: + if (ret != ERR_OK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void +nsupdate_get_addrs_done(struct tevent_req *subreq) +{ + errno_t ret; + size_t count; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct nsupdate_get_addrs_state *state = tevent_req_data(req, + struct nsupdate_get_addrs_state); + struct resolv_hostent *rhostent; + struct sss_iface_addr *addr; + int i; + int resolv_status; + enum restrict_family retry_family_order; + + ret = resolv_gethostbyname_recv(subreq, state, &resolv_status, NULL, + &rhostent); + talloc_zfree(subreq); + + /* If the retry did not match, simply quit */ + if (ret == ENOENT) { + /* If the resolver is set to honor both address families + * it automatically retries the other one internally, so ENOENT + * means neither matched and we can simply quit. 
+ */ + ret = EOK; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not resolve address for this machine, error [%d]: %s, " + "resolver returned: [%d]: %s\n", ret, sss_strerror(ret), + resolv_status, resolv_strerror(resolv_status)); + goto done; + } + + /* EOK */ + + if (rhostent->addr_list) { + for (count=0; rhostent->addr_list[count]; count++); + } else { + /* The address list is NULL. This is probably a bug in + * c-ares, but we need to handle it gracefully. + */ + DEBUG(SSSDBG_MINOR_FAILURE, + "Lookup of [%s] returned no addresses. Skipping.\n", + rhostent->name); + count = 0; + } + + for (i=0; i < count; i++) { + addr = talloc(state, struct sss_iface_addr); + if (addr == NULL) { + ret = ENOMEM; + goto done; + } + + addr->addr = resolv_get_sockaddr_address_index(addr, rhostent, 0, i); + if (addr->addr == NULL) { + ret = ENOMEM; + goto done; + } + + if (state->addrlist) { + talloc_steal(state->addrlist, addr); + } + + /* steal old dlist to the new head */ + talloc_steal(addr, state->addrlist); + DLIST_ADD(state->addrlist, addr); + } + state->count += count; + + /* If the resolver is set to honor both address families + * and the first one matched, retry the second one to + * get the complete list. + */ + if (((state->be_res->family_order == IPV4_FIRST && + rhostent->family == AF_INET) || + (state->be_res->family_order == IPV6_FIRST && + rhostent->family == AF_INET6))) { + + retry_family_order = (state->be_res->family_order == IPV4_FIRST) ? \ + IPV6_ONLY : \ + IPV4_ONLY; + + subreq = resolv_gethostbyname_send(state, state->ev, + state->be_res->resolv, + state->hostname, + retry_family_order, + state->db); + if (!subreq) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, nsupdate_get_addrs_done, req); + return; + } + + /* The second address matched either immediately or after a retry. + * No need to retry again. 
*/ + ret = EOK; + +done: + if (ret == EOK) { + /* All done */ + tevent_req_done(req); + } else if (ret != EAGAIN) { + DEBUG(SSSDBG_OP_FAILURE, + "nsupdate_get_addrs_done failed: [%d]: [%s]\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + } + /* EAGAIN - another lookup in progress */ +} + +errno_t +nsupdate_get_addrs_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct sss_iface_addr **_addrlist, + size_t *_count) +{ + struct nsupdate_get_addrs_state *state = tevent_req_data(req, + struct nsupdate_get_addrs_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_addrlist) { + *_addrlist = talloc_steal(mem_ctx, state->addrlist); + } + + if (_count) { + *_count = state->count; + } + + return EOK; +} + +/* Write the nsupdate_msg into the already forked child, wait until + * the child finishes + * + * This is not a typical tevent_req styled request as it ends either after + * a timeout or when the child finishes operation. + */ +struct nsupdate_child_state { + int pipefd_to_child; + struct tevent_timer *timeout_handler; + struct sss_child_ctx_old *child_ctx; + + int child_status; +}; + +static void +nsupdate_child_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt); +static void +nsupdate_child_handler(int child_status, + struct tevent_signal *sige, + void *pvt); + +static void nsupdate_child_stdin_done(struct tevent_req *subreq); + +static struct tevent_req * +nsupdate_child_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + int pipefd_to_child, + pid_t child_pid, + char *child_stdin) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct nsupdate_child_state *state; + struct timeval tv; + + req = tevent_req_create(mem_ctx, &state, struct nsupdate_child_state); + if (req == NULL) { + close(pipefd_to_child); + return NULL; + } + state->pipefd_to_child = pipefd_to_child; + + /* Set up SIGCHLD handler */ + ret = child_handler_setup(ev, child_pid, nsupdate_child_handler, req, + 
&state->child_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n", + ret, sss_strerror(ret)); + ret = ERR_DYNDNS_FAILED; + goto done; + } + + /* Set up timeout handler */ + tv = tevent_timeval_current_ofs(DYNDNS_TIMEOUT, 0); + state->timeout_handler = tevent_add_timer(ev, req, tv, + nsupdate_child_timeout, req); + if(state->timeout_handler == NULL) { + ret = ERR_DYNDNS_FAILED; + goto done; + } + + /* Write the update message to the nsupdate child */ + subreq = write_pipe_send(req, ev, + (uint8_t *) child_stdin, + strlen(child_stdin)+1, + state->pipefd_to_child); + if (subreq == NULL) { + ret = ERR_DYNDNS_FAILED; + goto done; + } + tevent_req_set_callback(subreq, nsupdate_child_stdin_done, req); + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void +nsupdate_child_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = + talloc_get_type(pvt, struct tevent_req); + struct nsupdate_child_state *state = + tevent_req_data(req, struct nsupdate_child_state); + + DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for dynamic DNS update\n"); + child_handler_destroy(state->child_ctx); + state->child_ctx = NULL; + state->child_status = ETIMEDOUT; + tevent_req_error(req, ERR_DYNDNS_TIMEOUT); +} + +static void +nsupdate_child_stdin_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct nsupdate_child_state *state = + tevent_req_data(req, struct nsupdate_child_state); + + /* Verify that the buffer was sent, then return + * and wait for the sigchld handler to finish. 
+ */ + DEBUG(SSSDBG_TRACE_LIBS, "Sending nsupdate data complete\n"); + + ret = write_pipe_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Sending nsupdate data failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ERR_DYNDNS_FAILED); + return; + } + + PIPE_FD_CLOSE(state->pipefd_to_child); + + /* Now either wait for the timeout to fire or the child + * to finish + */ +} + +static void +nsupdate_child_handler(int child_status, + struct tevent_signal *sige, + void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct nsupdate_child_state *state = + tevent_req_data(req, struct nsupdate_child_state); + + state->child_status = child_status; + + if (WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Dynamic DNS child failed with status [%d]\n", child_status); + tevent_req_error(req, ERR_DYNDNS_FAILED); + return; + } + + if (WIFSIGNALED(child_status)) { + DEBUG(SSSDBG_OP_FAILURE, + "Dynamic DNS child was terminated by signal [%d]\n", + WTERMSIG(child_status)); + tevent_req_error(req, ERR_DYNDNS_FAILED); + return; + } + + tevent_req_done(req); +} + +static errno_t +nsupdate_child_recv(struct tevent_req *req, int *child_status) +{ + struct nsupdate_child_state *state = + tevent_req_data(req, struct nsupdate_child_state); + + *child_status = state->child_status; + + PIPE_FD_CLOSE(state->pipefd_to_child); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return ERR_OK; +} + +/* Fork a nsupdate child, write the nsupdate_msg into stdin and wait for the child + * to finish one way or another + */ +struct be_nsupdate_state { + int child_status; +}; + +static void be_nsupdate_done(struct tevent_req *subreq); +static char **be_nsupdate_args(TALLOC_CTX *mem_ctx, + enum be_nsupdate_auth auth_type, + bool force_tcp); + +struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + enum be_nsupdate_auth auth_type, + char *nsupdate_msg, + bool 
force_tcp) +{ + int pipefd_to_child[2] = PIPE_INIT; + pid_t child_pid; + errno_t ret; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct be_nsupdate_state *state; + char **args; + int debug_fd; + + req = tevent_req_create(mem_ctx, &state, struct be_nsupdate_state); + if (req == NULL) { + return NULL; + } + state->child_status = 0; + + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + child_pid = fork(); + + if (child_pid == 0) { /* child */ + PIPE_FD_CLOSE(pipefd_to_child[1]); + ret = dup2(pipefd_to_child[0], STDIN_FILENO); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "dup2 failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + if (debug_level >= SSSDBG_TRACE_LIBS) { + debug_fd = get_fd_from_debug_file(); + ret = dup2(debug_fd, STDERR_FILENO); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "dup2 failed [%d][%s].\n", ret, strerror(ret)); + /* stderr is not fatal */ + } + } + + args = be_nsupdate_args(state, auth_type, force_tcp); + if (args == NULL) { + ret = ENOMEM; + goto done; + } + + errno = 0; + execv(NSUPDATE_PATH, args); + /* The child should never end up here */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "execv failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } else if (child_pid > 0) { /* parent */ + PIPE_FD_CLOSE(pipefd_to_child[0]); + + /* the nsupdate_child request now owns the pipefd and is responsible + * for closing it + */ + subreq = nsupdate_child_send(state, ev, pipefd_to_child[1], + child_pid, nsupdate_msg); + if (subreq == NULL) { + ret = ERR_DYNDNS_FAILED; + goto done; + } + tevent_req_set_callback(subreq, be_nsupdate_done, req); + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + ret = EOK; +done: + if (ret != EOK) { + PIPE_CLOSE(pipefd_to_child); + 
tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static char ** +be_nsupdate_args(TALLOC_CTX *mem_ctx, + enum be_nsupdate_auth auth_type, + bool force_tcp) +{ + char **argv; + int argc = 0; + + argv = talloc_zero_array(mem_ctx, char *, 6); + if (argv == NULL) { + return NULL; + } + + argv[argc] = talloc_strdup(argv, NSUPDATE_PATH); + if (argv[argc] == NULL) { + goto fail; + } + argc++; + + switch (auth_type) { + case BE_NSUPDATE_AUTH_NONE: + DEBUG(SSSDBG_FUNC_DATA, "nsupdate auth type: none\n"); + break; + case BE_NSUPDATE_AUTH_GSS_TSIG: + DEBUG(SSSDBG_FUNC_DATA, "nsupdate auth type: GSS-TSIG\n"); + argv[argc] = talloc_strdup(argv, "-g"); + if (argv[argc] == NULL) { + goto fail; + } + argc++; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown nsupdate auth type\n"); + goto fail; + } + + if (force_tcp) { + DEBUG(SSSDBG_FUNC_DATA, "TCP is set to on\n"); + argv[argc] = talloc_strdup(argv, "-v"); + if (argv[argc] == NULL) { + goto fail; + } + argc++; + } + + if (debug_level >= SSSDBG_TRACE_LIBS) { + argv[argc] = talloc_strdup(argv, "-d"); + if (argv[argc] == NULL) { + goto fail; + } + argc++; + } + + if (debug_level >= SSSDBG_TRACE_INTERNAL) { + argv[argc] = talloc_strdup(argv, "-D"); + if (argv[argc] == NULL) { + goto fail; + } + argc++; + } + + return argv; + +fail: + talloc_free(argv); + return NULL; +} + +static void +be_nsupdate_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct be_nsupdate_state *state = + tevent_req_data(req, struct be_nsupdate_state); + errno_t ret; + + ret = nsupdate_child_recv(subreq, &state->child_status); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "nsupdate child execution failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_FUNC_DATA, + "nsupdate child status: %d\n", state->child_status); + tevent_req_done(req); +} + +errno_t 
+be_nsupdate_recv(struct tevent_req *req, int *child_status) +{ + struct be_nsupdate_state *state = + tevent_req_data(req, struct be_nsupdate_state); + + *child_status = state->child_status; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static void be_nsupdate_timer(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct be_nsupdate_ctx *ctx = talloc_get_type(pvt, struct be_nsupdate_ctx); + + talloc_zfree(ctx->refresh_timer); + ctx->timer_callback(ctx->timer_pvt); + + /* timer_callback is responsible for calling be_nsupdate_timer_schedule + * again */ +} + +void be_nsupdate_timer_schedule(struct tevent_context *ev, + struct be_nsupdate_ctx *ctx) +{ + int refresh; + struct timeval tv; + + if (ctx->refresh_timer) { + DEBUG(SSSDBG_FUNC_DATA, "Timer already scheduled\n"); + return; + } + + refresh = dp_opt_get_int(ctx->opts, DP_OPT_DYNDNS_REFRESH_INTERVAL); + if (refresh == 0) return; + DEBUG(SSSDBG_FUNC_DATA, "Scheduling timer in %d seconds\n", refresh); + + tv = tevent_timeval_current_ofs(refresh, 0); + ctx->refresh_timer = tevent_add_timer(ev, ctx, tv, + be_nsupdate_timer, ctx); + + if (!ctx->refresh_timer) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add dyndns refresh timer event\n"); + } +} + +errno_t +be_nsupdate_check(void) +{ + errno_t ret; + struct stat stat_buf; + + /* Ensure that nsupdate exists */ + errno = 0; + ret = stat(NSUPDATE_PATH, &stat_buf); + if (ret == -1) { + ret = errno; + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "%s does not exist. 
Dynamic DNS updates disabled\n", + NSUPDATE_PATH); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Could not set up dynamic DNS updates: [%d][%s]\n", + ret, strerror(ret)); + } + } + + return ret; +} + +static struct dp_option default_dyndns_opts[] = { + { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER }, + { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_TRUE, BOOL_FALSE }, + { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, + { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + + DP_OPTION_TERMINATOR +}; + +errno_t +be_nsupdate_init(TALLOC_CTX *mem_ctx, struct be_ctx *be_ctx, + struct dp_option *defopts, + struct be_nsupdate_ctx **_ctx) +{ + errno_t ret; + struct dp_option *src_opts; + struct be_nsupdate_ctx *ctx; + char *strauth; + + ctx = talloc_zero(mem_ctx, struct be_nsupdate_ctx); + if (ctx == NULL) return ENOMEM; + + src_opts = defopts ? 
defopts : default_dyndns_opts; + + ret = dp_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, + src_opts, DP_OPT_DYNDNS, &ctx->opts); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve dynamic DNS options\n"); + return ret; + } + + strauth = dp_opt_get_string(ctx->opts, DP_OPT_DYNDNS_AUTH); + if (strcasecmp(strauth, "gss-tsig") == 0) { + ctx->auth_type = BE_NSUPDATE_AUTH_GSS_TSIG; + } else if (strcasecmp(strauth, "none") == 0) { + ctx->auth_type = BE_NSUPDATE_AUTH_NONE; + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unknown dyndns auth type %s\n", strauth); + return EINVAL; + } + + *_ctx = ctx; + return ERR_OK; +} + +errno_t be_nsupdate_init_timer(struct be_nsupdate_ctx *ctx, + struct tevent_context *ev, + nsupdate_timer_fn_t timer_callback, + void *timer_pvt) +{ + if (ctx == NULL) return EINVAL; + + ctx->timer_callback = timer_callback; + ctx->timer_pvt = timer_pvt; + be_nsupdate_timer_schedule(ev, ctx); + + return ERR_OK; +} + +static bool match_ip(const struct sockaddr *sa, + const struct sockaddr *sb) +{ + size_t addrsize; + bool res; + const void *addr_a; + const void *addr_b; + + if (sa->sa_family == AF_INET) { + addrsize = sizeof(struct in_addr); + addr_a = (const void *) &((const struct sockaddr_in *) sa)->sin_addr; + addr_b = (const void *) &((const struct sockaddr_in *) sb)->sin_addr; + } else if (sa->sa_family == AF_INET6) { + addrsize = sizeof(struct in6_addr); + addr_a = (const void *) &((const struct sockaddr_in6 *) sa)->sin6_addr; + addr_b = (const void *) &((const struct sockaddr_in6 *) sb)->sin6_addr; + } else { + res = false; + goto done; + } + + if (sa->sa_family != sb->sa_family) { + res = false; + goto done; + } + + res = memcmp(addr_a, addr_b, addrsize) == 0; + +done: + return res; +} + +static errno_t find_iface_by_addr(TALLOC_CTX *mem_ctx, + const struct sockaddr *ss, + const char **_iface_name) +{ + struct ifaddrs *ifaces = NULL; + struct ifaddrs *ifa; + errno_t ret; + + ret = getifaddrs(&ifaces); + if (ret == -1) { + ret = errno; + 
DEBUG(SSSDBG_OP_FAILURE, + "Could not read interfaces [%d][%s]\n", ret, sss_strerror(ret)); + goto done; + } + + for (ifa = ifaces; ifa != NULL; ifa = ifa->ifa_next) { + + /* Some interfaces don't have an ifa_addr */ + if (!ifa->ifa_addr) continue; + + if (match_ip(ss, ifa->ifa_addr)) { + const char *iface_name; + iface_name = talloc_strdup(mem_ctx, ifa->ifa_name); + if (iface_name == NULL) { + ret = ENOMEM; + } else { + *_iface_name = iface_name; + ret = EOK; + } + goto done; + } + } + ret = ENOENT; + +done: + freeifaddrs(ifaces); + return ret; +} + +errno_t sss_get_dualstack_addresses(TALLOC_CTX *mem_ctx, + struct sockaddr *ss, + struct sss_iface_addr **_iface_addrs) +{ + struct sss_iface_addr *iface_addrs; + const char *iface_name = NULL; + TALLOC_CTX *tmp_ctx; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = find_iface_by_addr(tmp_ctx, ss, &iface_name); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "find_iface_by_addr failed: %d:[%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sss_iface_addr_list_get(tmp_ctx, iface_name, &iface_addrs); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "sss_iface_addr_list_get failed: %d:[%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + *_iface_addrs = talloc_steal(mem_ctx, iface_addrs); + +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/providers/be_dyndns.h b/src/providers/be_dyndns.h new file mode 100644 index 0000000..9f39e5d --- /dev/null +++ b/src/providers/be_dyndns.h 
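Review bot: In `be_nsupdate_send`, every failure inside the `child_pid == 0` branch (the `dup2` onto stdin, `be_nsupdate_args` returning NULL, `execv` returning) does `goto done`, so the forked child runs the parent's error path (`tevent_req_error`, `tevent_req_post`) and returns `req` to the caller. That leaves a second copy of the provider process running with the parent's descriptors and event loop. The child must never return from this function: replace those three `goto done` statements with `_exit(EXIT_FAILURE);` after the DEBUG line. Relatedly, `nsupdate_child_timeout` only calls `child_handler_destroy` and fails the request, so whether a hung nsupdate child is ever signalled or reaped depends on code outside this file. Separately, `nsupdate_msg_create_common`, `nsupdate_msg_add_fwd` and `nsupdate_msg_add_ptr` format `servername`, `realm` and `hostname` with `%s` into a newline-delimited command script; their origin is not visible here, so I would document the contract with `/* servername, realm and hostname are copied verbatim into the nsupdate script; callers must reject values containing line breaks */`.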
@@ -0,0 +1,143 @@ +/* + SSSD + + dp_dyndns.h + + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#ifndef DP_DYNDNS_H_ +#define DP_DYNDNS_H_ + +/* dynamic dns helpers */ +struct sss_iface_addr; + +typedef void (*nsupdate_timer_fn_t)(void *pvt); + +enum be_nsupdate_auth { + BE_NSUPDATE_AUTH_NONE, + BE_NSUPDATE_AUTH_GSS_TSIG, +}; + +struct be_nsupdate_ctx { + struct dp_option *opts; + enum be_nsupdate_auth auth_type; + + time_t last_refresh; + bool timer_in_progress; + struct tevent_timer *refresh_timer; + nsupdate_timer_fn_t timer_callback; + void *timer_pvt; +}; + +enum dp_dyndns_opts { + DP_OPT_DYNDNS_UPDATE, + DP_OPT_DYNDNS_REFRESH_INTERVAL, + DP_OPT_DYNDNS_IFACE, + DP_OPT_DYNDNS_TTL, + DP_OPT_DYNDNS_UPDATE_PTR, + DP_OPT_DYNDNS_FORCE_TCP, + DP_OPT_DYNDNS_AUTH, + DP_OPT_DYNDNS_SERVER, + + DP_OPT_DYNDNS /* attrs counter */ +}; + +#define DYNDNS_REMOVE_A 0x1 +#define DYNDNS_REMOVE_AAAA 0x2 + +errno_t be_nsupdate_check(void); + +errno_t +be_nsupdate_init(TALLOC_CTX *mem_ctx, struct be_ctx *be_ctx, + struct dp_option *defopts, + struct be_nsupdate_ctx **_ctx); + +errno_t be_nsupdate_init_timer(struct be_nsupdate_ctx *ctx, + struct tevent_context *ev, + nsupdate_timer_fn_t timer_callback, + void *timer_pvt); + +void be_nsupdate_timer_schedule(struct tevent_context *ev, + struct be_nsupdate_ctx *ctx); + +errno_t +sss_iface_addr_list_get(TALLOC_CTX *mem_ctx, const 
char *ifname, + struct sss_iface_addr **_addrlist); + +errno_t +sss_iface_addr_list_as_str_list(TALLOC_CTX *mem_ctx, + struct sss_iface_addr *ifaddr_list, + char ***_straddrs); + +errno_t +be_nsupdate_create_fwd_msg(TALLOC_CTX *mem_ctx, const char *realm, + const char *servername, + const char *hostname, const unsigned int ttl, + uint8_t remove_af, struct sss_iface_addr *addresses, + char **_update_msg); + +errno_t +be_nsupdate_create_ptr_msg(TALLOC_CTX *mem_ctx, const char *realm, + const char *servername, const char *hostname, + const unsigned int ttl, + struct sockaddr_storage *address, + bool delete, + char **_update_msg); + +/* Returns: + * * ERR_OK - on success + * * ERR_DYNDNS_FAILED - if nsupdate fails for any reason + * * ERR_DYNDNS_TIMEOUT - if the update times out. child_status + * is ETIMEDOUT in this case + */ +struct tevent_req *be_nsupdate_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + enum be_nsupdate_auth auth_type, + char *nsupdate_msg, + bool force_tcp); +errno_t be_nsupdate_recv(struct tevent_req *req, int *child_status); + +struct tevent_req * nsupdate_get_addrs_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_resolv_ctx *be_res, + const char *hostname); +errno_t +nsupdate_get_addrs_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct sss_iface_addr **_addrlist, + size_t *_count); + +void +sss_iface_addr_concatenate(struct sss_iface_addr **list, + struct sss_iface_addr *list2); + +errno_t +sss_get_dualstack_addresses(TALLOC_CTX *mem_ctx, + struct sockaddr *ss, + struct sss_iface_addr **_iface_addrs); + +struct sss_iface_addr * +sss_iface_addr_get_next(struct sss_iface_addr *address); + +struct sockaddr_storage* +sss_iface_addr_get_address(struct sss_iface_addr *address); + +#endif /* DP_DYNDNS_H_ */ diff --git a/src/providers/be_ptask.c b/src/providers/be_ptask.c new file mode 100644 index 0000000..dc3c57d --- /dev/null +++ b/src/providers/be_ptask.c 
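Review bot: The `Returns:` comment sits above `be_nsupdate_send`, which returns a `struct tevent_req *`, while the codes it lists (`ERR_OK`, `ERR_DYNDNS_FAILED`, `ERR_DYNDNS_TIMEOUT`) and the `child_status` it mentions can only apply to `be_nsupdate_recv`. I would move the comment directly above `be_nsupdate_recv` and open it with `/* be_nsupdate_recv returns:`, so a caller reading the receive prototype sees which error means the nsupdate child timed out. The file banner also still says `dp_dyndns.h` although the file is added as `be_dyndns.h`.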
@@ -0,0 +1,484 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/util.h" +#include "providers/backend.h" +#include "providers/be_ptask_private.h" +#include "providers/be_ptask.h" + +#define backoff_allowed(ptask) (ptask->max_backoff != 0) + +enum be_ptask_schedule { + BE_PTASK_SCHEDULE_FROM_NOW, + BE_PTASK_SCHEDULE_FROM_LAST +}; + +enum be_ptask_delay { + BE_PTASK_FIRST_DELAY, + BE_PTASK_ENABLED_DELAY, + BE_PTASK_PERIOD +}; + +static void be_ptask_schedule(struct be_ptask *task, + enum be_ptask_delay delay_type, + enum be_ptask_schedule from); + +static int be_ptask_destructor(void *pvt) +{ + struct be_ptask *task; + + task = talloc_get_type(pvt, struct be_ptask); + if (task == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "BUG: task is NULL\n"); + return 0; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Terminating periodic task [%s]\n", task->name); + + return 0; +} + +static void be_ptask_online_cb(void *pvt) +{ + struct be_ptask *task = NULL; + + task = talloc_get_type(pvt, struct be_ptask); + if (task == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "BUG: task is NULL\n"); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Back end is online\n"); + be_ptask_enable(task); +} + +static void be_ptask_offline_cb(void *pvt) +{ + struct be_ptask *task = NULL; + task = talloc_get_type(pvt, struct be_ptask); + + 
DEBUG(SSSDBG_TRACE_FUNC, "Back end is offline\n"); + be_ptask_disable(task); +} + +static void be_ptask_timeout(struct tevent_context *ev, + struct tevent_timer *tt, + struct timeval tv, + void *pvt) +{ + struct be_ptask *task = NULL; + task = talloc_get_type(pvt, struct be_ptask); + + DEBUG(SSSDBG_OP_FAILURE, "Task [%s]: timed out\n", task->name); + + talloc_zfree(task->req); + be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_NOW); +} + +static void be_ptask_done(struct tevent_req *req); + +static void be_ptask_execute(struct tevent_context *ev, + struct tevent_timer *tt, + struct timeval tv, + void *pvt) +{ + struct be_ptask *task = NULL; + struct tevent_timer *timeout = NULL; + + task = talloc_get_type(pvt, struct be_ptask); + task->timer = NULL; /* timer is freed by tevent */ + + if (be_is_offline(task->be_ctx)) { + DEBUG(SSSDBG_TRACE_FUNC, "Back end is offline\n"); + switch (task->offline) { + case BE_PTASK_OFFLINE_SKIP: + be_ptask_schedule(task, BE_PTASK_PERIOD, + BE_PTASK_SCHEDULE_FROM_NOW); + return; + case BE_PTASK_OFFLINE_DISABLE: + /* This case is normally handled by offline callback but we + * should handle it here as well since we can get here in some + * special cases for example unit tests or tevent events order. 
*/ + be_ptask_disable(task); + return; + case BE_PTASK_OFFLINE_EXECUTE: + /* continue */ + break; + } + } + + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: executing task, timeout %lu " + "seconds\n", task->name, task->timeout); + + task->last_execution = tv.tv_sec; + + task->req = task->send_fn(task, task->ev, task->be_ctx, task, task->pvt); + if (task->req == NULL) { + /* skip this iteration and try again later */ + DEBUG(SSSDBG_OP_FAILURE, "Task [%s]: failed to execute task, " + "will try again later\n", task->name); + + be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_NOW); + return; + } + + tevent_req_set_callback(task->req, be_ptask_done, task); + + /* schedule timeout */ + if (task->timeout > 0) { + tv = tevent_timeval_current_ofs(task->timeout, 0); + timeout = tevent_add_timer(task->ev, task->req, tv, + be_ptask_timeout, task); + if (timeout == NULL) { + /* If we can't guarantee a timeout, + * we need to cancel the request. */ + talloc_zfree(task->req); + + DEBUG(SSSDBG_OP_FAILURE, "Task [%s]: failed to set timeout, " + "the task will be rescheduled\n", task->name); + + be_ptask_schedule(task, BE_PTASK_PERIOD, + BE_PTASK_SCHEDULE_FROM_NOW); + } + } + + return; +} + +static void be_ptask_done(struct tevent_req *req) +{ + struct be_ptask *task = NULL; + errno_t ret; + + task = tevent_req_callback_data(req, struct be_ptask); + + ret = task->recv_fn(req); + talloc_zfree(req); + task->req = NULL; + switch (ret) { + case EOK: + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: finished successfully\n", + task->name); + + be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_LAST); + break; + default: + DEBUG(SSSDBG_OP_FAILURE, "Task [%s]: failed with [%d]: %s\n", + task->name, ret, sss_strerror(ret)); + + be_ptask_schedule(task, BE_PTASK_PERIOD, BE_PTASK_SCHEDULE_FROM_NOW); + break; + } +} + +static void be_ptask_schedule(struct be_ptask *task, + enum be_ptask_delay delay_type, + enum be_ptask_schedule from) +{ + struct timeval tv = { 0, }; + time_t delay = 0; 
+ + if (!task->enabled) { + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: disabled\n", task->name); + return; + } + + switch (delay_type) { + case BE_PTASK_FIRST_DELAY: + delay = task->first_delay; + break; + case BE_PTASK_ENABLED_DELAY: + delay = task->enabled_delay; + break; + case BE_PTASK_PERIOD: + delay = task->period; + + if (backoff_allowed(task) && task->period * 2 <= task->max_backoff) { + /* double the period for the next execution */ + task->period *= 2; + } + break; + } + + /* add random offset */ + if (task->random_offset != 0) { + delay = delay + (rand_r(&task->ro_seed) % task->random_offset); + } + + switch (from) { + case BE_PTASK_SCHEDULE_FROM_NOW: + tv = tevent_timeval_current_ofs(delay, 0); + + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: scheduling task %lu seconds " + "from now [%lu]\n", task->name, delay, tv.tv_sec); + break; + case BE_PTASK_SCHEDULE_FROM_LAST: + tv = tevent_timeval_set(task->last_execution + delay, 0); + + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: scheduling task %lu seconds " + "from last execution time [%lu]\n", + task->name, delay, tv.tv_sec); + break; + } + + if (task->timer != NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Task [%s]: another timer is already " + "active?\n", task->name); + talloc_zfree(task->timer); + } + + task->timer = tevent_add_timer(task->ev, task, tv, be_ptask_execute, task); + if (task->timer == NULL) { + /* nothing we can do about it */ + DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Unable to schedule task [%s]\n", + task->name); + be_ptask_disable(task); + } + + task->next_execution = tv.tv_sec; +} + +errno_t be_ptask_create(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + time_t period, + time_t first_delay, + time_t enabled_delay, + time_t random_offset, + time_t timeout, + enum be_ptask_offline offline, + time_t max_backoff, + be_ptask_send_t send_fn, + be_ptask_recv_t recv_fn, + void *pvt, + const char *name, + struct be_ptask **_task) +{ + struct be_ptask *task = NULL; + errno_t ret; + + if (be_ctx == NULL || period == 0 || 
send_fn == NULL || recv_fn == NULL + || name == NULL) { + return EINVAL; + } + + task = talloc_zero(mem_ctx, struct be_ptask); + if (task == NULL) { + ret = ENOMEM; + goto done; + } + + task->ev = be_ctx->ev; + task->be_ctx = be_ctx; + task->period = period; + task->orig_period = period; + task->first_delay = first_delay; + task->enabled_delay = enabled_delay; + task->random_offset = random_offset; + task->ro_seed = time(NULL) * getpid(); + task->max_backoff = max_backoff; + task->timeout = timeout; + task->offline = offline; + task->send_fn = send_fn; + task->recv_fn = recv_fn; + task->pvt = pvt; + task->name = talloc_strdup(task, name); + if (task->name == NULL) { + ret = ENOMEM; + goto done; + } + + task->enabled = true; + + talloc_set_destructor((TALLOC_CTX*)task, be_ptask_destructor); + + if (offline == BE_PTASK_OFFLINE_DISABLE) { + /* install offline and online callbacks */ + ret = be_add_online_cb(task, be_ctx, be_ptask_online_cb, task, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to install online callback [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = be_add_offline_cb(task, be_ctx, be_ptask_offline_cb, task, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to install offline callback [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + DEBUG(SSSDBG_TRACE_FUNC, "Periodic task [%s] was created\n", task->name); + + be_ptask_schedule(task, BE_PTASK_FIRST_DELAY, BE_PTASK_SCHEDULE_FROM_NOW); + + if (_task != NULL) { + *_task = task; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(task); + } + + return ret; +} + +void be_ptask_enable(struct be_ptask *task) +{ + if (task->enabled) { + DEBUG(SSSDBG_MINOR_FAILURE, "Task [%s]: already enabled\n", + task->name); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: enabling task\n", task->name); + + task->enabled = true; + be_ptask_schedule(task, BE_PTASK_ENABLED_DELAY, BE_PTASK_SCHEDULE_FROM_NOW); +} + +/* Disable the task, but if a 
request already in progress, let it finish. */ +void be_ptask_disable(struct be_ptask *task) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Task [%s]: disabling task\n", task->name); + + talloc_zfree(task->timer); + task->enabled = false; + task->period = task->orig_period; +} + +void be_ptask_destroy(struct be_ptask **task) +{ + talloc_zfree(*task); +} + +time_t be_ptask_get_period(struct be_ptask *task) +{ + return task->period; +} + +time_t be_ptask_get_timeout(struct be_ptask *task) +{ + return task->timeout; +} + +struct be_ptask_sync_ctx { + be_ptask_sync_t fn; + void *pvt; +}; + +struct be_ptask_sync_state { + int dummy; +}; + +/* This is not an asynchronous request so there is not any _done function. */ +static struct tevent_req * +be_ptask_sync_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct be_ptask_sync_ctx *ctx = NULL; + struct be_ptask_sync_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct be_ptask_sync_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + ctx = talloc_get_type(pvt, struct be_ptask_sync_ctx); + ret = ctx->fn(mem_ctx, ev, be_ctx, be_ptask, ctx->pvt); + + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t be_ptask_sync_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +errno_t be_ptask_create_sync(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + time_t period, + time_t first_delay, + time_t enabled_delay, + time_t random_offset, + time_t timeout, + enum be_ptask_offline offline, + time_t max_backoff, + be_ptask_sync_t fn, + void *pvt, + const char *name, + struct be_ptask **_task) +{ + errno_t ret; + struct be_ptask_sync_ctx *ctx = NULL; + + ctx = talloc_zero(mem_ctx, struct be_ptask_sync_ctx); + if (ctx 
== NULL) { + ret = ENOMEM; + goto done; + } + + ctx->fn = fn; + ctx->pvt = pvt; + + ret = be_ptask_create(mem_ctx, be_ctx, period, first_delay, + enabled_delay, random_offset, timeout, offline, + max_backoff, be_ptask_sync_send, be_ptask_sync_recv, + ctx, name, _task); + if (ret != EOK) { + goto done; + } + + talloc_steal(*_task, ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(ctx); + } + + return ret; +} diff --git a/src/providers/be_ptask.h b/src/providers/be_ptask.h new file mode 100644 index 0000000..3b97553 --- /dev/null +++ b/src/providers/be_ptask.h 
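Review bot: `be_ptask_create_sync` dereferences `_task` unconditionally in `talloc_steal(*_task, ctx)`, although `be_ptask_create` treats the output pointer as optional (`if (_task != NULL)`), and it never checks `fn`, which `be_ptask_sync_send` later calls through `ctx->fn(...)`. A caller passing NULL for either gets a crash in the backend process instead of `EINVAL`; a guard at the top, `if (fn == NULL || _task == NULL) return EINVAL;`, keeps the failure on the error path. The file is also inconsistent about `talloc_get_type` results: `be_ptask_online_cb` checks for NULL, but `be_ptask_offline_cb`, `be_ptask_timeout` and `be_ptask_execute` use `task` straight away.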
@@ -0,0 +1,131 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _DP_PTASK_H_ +#define _DP_PTASK_H_ + +#include +#include +#include + +/* solve circular dependency */ +struct be_ctx; + +struct be_ptask; + +/** + * Defines how should task behave when back end is offline. + */ +enum be_ptask_offline { + /* current request will be skipped and rescheduled to 'now + period' */ + BE_PTASK_OFFLINE_SKIP, + + /* An offline and online callback is registered. The task is disabled + * immediately when back end goes offline and then enabled again + * when back end goes back online */ + BE_PTASK_OFFLINE_DISABLE, + + /* current request will be executed as planned */ + BE_PTASK_OFFLINE_EXECUTE +}; + +typedef struct tevent_req * +(*be_ptask_send_t)(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt); + +/** + * If EOK, task will be scheduled again to 'last_execution_time + period'. + * If other error code, task will be rescheduled to 'now + period'. + */ +typedef errno_t +(*be_ptask_recv_t)(struct tevent_req *req); + +/** + * If EOK, task will be scheduled again to 'last_execution_time + period'. + * If other error code, task will be rescheduled to 'now + period'. 
+ */ +typedef errno_t +(*be_ptask_sync_t)(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt); + +/** + * The first execution is scheduled first_delay seconds after the task is + * created. + * + * If request does not complete in timeout seconds, it will be + * cancelled and rescheduled to 'now + period'. + * + * If the task is reenabled, it will be scheduled again to + * 'now + enabled_delay'. + * + * The random_offset is maximum number of seconds added to the + * expected delay. Set to 0 if no randomization is needed. + + * If max_backoff is not 0 then the period is doubled + * every time the task is scheduled. The maximum value of + * period is max_backoff. The value of period will be reset to + * original value when the task is disabled. With max_backoff + * set to zero, this feature is disabled. + * + * If an internal error occurred, the task is automatically disabled. + */ +errno_t be_ptask_create(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + time_t period, + time_t first_delay, + time_t enabled_delay, + time_t random_offset, + time_t timeout, + enum be_ptask_offline offline, + time_t max_backoff, + be_ptask_send_t send_fn, + be_ptask_recv_t recv_fn, + void *pvt, + const char *name, + struct be_ptask **_task); + +errno_t be_ptask_create_sync(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + time_t period, + time_t first_delay, + time_t enabled_delay, + time_t random_offset, + time_t timeout, + enum be_ptask_offline offline, + time_t max_backoff, + be_ptask_sync_t fn, + void *pvt, + const char *name, + struct be_ptask **_task); + +void be_ptask_enable(struct be_ptask *task); +void be_ptask_disable(struct be_ptask *task); +void be_ptask_destroy(struct be_ptask **task); + +time_t be_ptask_get_period(struct be_ptask *task); +time_t be_ptask_get_timeout(struct be_ptask *task); + +#endif /* _DP_PTASK_H_ */ 
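Review bot: The comment on `be_ptask_create` says a request that does not complete in `timeout` seconds is cancelled, but it does not say what `timeout == 0` means; in `be_ptask_execute` the timer is only armed under `if (task->timeout > 0)`, so zero means no timeout at all. I would add `* A timeout of 0 disables the timeout: a request that never completes is not cancelled.` so that callers choose zero deliberately. The comment could also state that `period == 0` and a NULL `send_fn`, `recv_fn` or `name` are rejected with `EINVAL` and that `_task` may be NULL; `be_ptask_create_sync` has no comment of its own.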
diff --git a/src/providers/be_ptask_private.h b/src/providers/be_ptask_private.h
new file mode 100644
index 0000000..4144a39
--- /dev/null
+++ b/src/providers/be_ptask_private.h
@@ -0,0 +1,48 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef DP_PTASK_PRIVATE_H_
+#define DP_PTASK_PRIVATE_H_
+
+struct be_ptask {
+ struct tevent_context *ev;
+ struct be_ctx *be_ctx;
+ time_t orig_period;
+ time_t first_delay;
+ time_t enabled_delay;
+ time_t random_offset;
+ unsigned int ro_seed;
+ time_t timeout;
+ time_t max_backoff;
+ enum be_ptask_offline offline;
+ be_ptask_send_t send_fn;
+ be_ptask_recv_t recv_fn;
+ void *pvt;
+ const char *name;
+
+ time_t period; /* computed period */
+ time_t next_execution; /* next time when the task is scheduled */
+ time_t last_execution; /* last time when send was called */
+ struct tevent_req *req; /* active tevent request */
+ struct tevent_timer *timer; /* active tevent timer */
+ bool enabled;
+};
+
+#endif /* DP_PTASK_PRIVATE_H_ */
diff --git a/src/providers/be_refresh.c b/src/providers/be_refresh.c
new file mode 100644
index 0000000..e8cf5da
--- /dev/null
+++ b/src/providers/be_refresh.c
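Review bot: This header is not self-contained: `struct be_ptask` uses `enum be_ptask_offline`, `be_ptask_send_t` and `be_ptask_recv_t` from `be_ptask.h`, yet no `#include` appears between the guard and the struct, and `be_ptask.c` includes this file before `be_ptask.h`. It presumably compiles only because an earlier header pulls `be_ptask.h` in; adding `#include "providers/be_ptask.h"` after the `#define DP_PTASK_PRIVATE_H_` line removes the dependence on include order. A by-value `enum` member needs the complete enum type, so a forward declaration would not be enough.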
@@ -0,0 +1,341 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "providers/backend.h" +#include "providers/be_ptask.h" +#include "providers/be_refresh.h" +#include "util/util_errors.h" +#include "db/sysdb.h" + +static errno_t be_refresh_get_values_ex(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + time_t period, + struct ldb_dn *base_dn, + const char *attr, + char ***_values) +{ + TALLOC_CTX *tmp_ctx = NULL; + const char *attrs[] = {attr, NULL}; + const char *filter = NULL; + char **values = NULL; + struct ldb_message **msgs = NULL; + struct sysdb_attrs **records = NULL; + size_t count; + time_t now = time(NULL); + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + filter = talloc_asprintf(tmp_ctx, "(&(%s<=%lld))", + SYSDB_CACHE_EXPIRE, (long long) now + period); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_entry(tmp_ctx, domain->sysdb, base_dn, + LDB_SCOPE_SUBTREE, filter, attrs, + &count, &msgs); + if (ret == ENOENT) { + count = 0; + } else if (ret != EOK) { + goto done; + } + + ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &records); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not convert ldb message to sysdb_attrs\n"); + goto done; + } + + ret = sysdb_attrs_to_list(tmp_ctx, records, count, attr, 
&values); + if (ret != EOK) { + goto done; + } + + *_values = talloc_steal(mem_ctx, values); + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t be_refresh_get_values(TALLOC_CTX *mem_ctx, + enum be_refresh_type type, + struct sss_domain_info *domain, + time_t period, + char ***_values) +{ + struct ldb_dn *base_dn = NULL; + errno_t ret; + + switch (type) { + case BE_REFRESH_TYPE_USERS: + base_dn = sysdb_user_base_dn(mem_ctx, domain); + break; + case BE_REFRESH_TYPE_GROUPS: + base_dn = sysdb_group_base_dn(mem_ctx, domain); + break; + case BE_REFRESH_TYPE_NETGROUPS: + base_dn = sysdb_netgroup_base_dn(mem_ctx, domain); + break; + case BE_REFRESH_TYPE_SENTINEL: + return ERR_INTERNAL; + break; + } + + if (base_dn == NULL) { + return ENOMEM; + } + + ret = be_refresh_get_values_ex(mem_ctx, domain, period, + base_dn, SYSDB_NAME, _values); + + talloc_free(base_dn); + return ret; +} + +struct be_refresh_cb { + const char *name; + bool enabled; + be_refresh_send_t send_fn; + be_refresh_recv_t recv_fn; + void *pvt; +}; + +struct be_refresh_ctx { + struct be_refresh_cb callbacks[BE_REFRESH_TYPE_SENTINEL]; +}; + +struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx) +{ + struct be_refresh_ctx *ctx = NULL; + + ctx = talloc_zero(mem_ctx, struct be_refresh_ctx); + if (ctx == NULL) { + return NULL; + } + + ctx->callbacks[BE_REFRESH_TYPE_USERS].name = "users"; + ctx->callbacks[BE_REFRESH_TYPE_GROUPS].name = "groups"; + ctx->callbacks[BE_REFRESH_TYPE_NETGROUPS].name = "netgroups"; + + return ctx; +} + +errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx, + enum be_refresh_type type, + be_refresh_send_t send_fn, + be_refresh_recv_t recv_fn, + void *pvt) +{ + if (ctx == NULL || send_fn == NULL || recv_fn == NULL + || type >= BE_REFRESH_TYPE_SENTINEL) { + return EINVAL; + } + + if (ctx->callbacks[type].enabled) { + return EEXIST; + } + + ctx->callbacks[type].enabled = true; + ctx->callbacks[type].send_fn = send_fn; + ctx->callbacks[type].recv_fn = 
recv_fn; + ctx->callbacks[type].pvt = pvt; + + return EOK; +} + +struct be_refresh_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct be_refresh_ctx *ctx; + struct be_refresh_cb *cb; + + struct sss_domain_info *domain; + enum be_refresh_type index; + time_t period; +}; + +static errno_t be_refresh_step(struct tevent_req *req); +static void be_refresh_done(struct tevent_req *subreq); + +struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct be_refresh_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct be_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->domain = be_ctx->domain; + state->period = be_ptask_get_period(be_ptask); + state->ctx = talloc_get_type(pvt, struct be_refresh_ctx); + if (state->ctx == NULL) { + ret = EINVAL; + goto immediately; + } + + ret = be_refresh_step(req); + if (ret == EOK) { + goto immediately; + } else if (ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_refresh_step() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t be_refresh_step(struct tevent_req *req) +{ + struct be_refresh_state *state = NULL; + struct tevent_req *subreq = NULL; + char **values = NULL; + errno_t ret; + + state = tevent_req_data(req, struct be_refresh_state); + + while (state->domain != NULL) { + /* find first enabled callback */ + state->cb = &state->ctx->callbacks[state->index]; + while (state->index != BE_REFRESH_TYPE_SENTINEL && !state->cb->enabled) { + state->index++; + state->cb = &state->ctx->callbacks[state->index]; + } + + /* if not 
found than continue with next domain */ + if (state->index == BE_REFRESH_TYPE_SENTINEL) { + state->domain = get_next_domain(state->domain, 0); + continue; + } + + if (state->cb->send_fn == NULL || state->cb->recv_fn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid parameters!\n"); + ret = ERR_INTERNAL; + goto done; + } + + ret = be_refresh_get_values(state, state->index, state->domain, + state->period, &values); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain DN list [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Refreshing %s in domain %s\n", + state->cb->name, state->domain->name); + + subreq = state->cb->send_fn(state, state->ev, state->be_ctx, + state->domain, values, state->cb->pvt); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + /* make the list disappear with subreq */ + talloc_steal(subreq, values); + + tevent_req_set_callback(subreq, be_refresh_done, req); + + state->index++; + ret = EAGAIN; + goto done; + } + + ret = EOK; + +done: + if (ret != EOK && ret != EAGAIN) { + talloc_free(values); + } + + return ret; +} + +static void be_refresh_done(struct tevent_req *subreq) +{ + struct be_refresh_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct be_refresh_state); + + ret = state->cb->recv_fn(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + ret = be_refresh_step(req); + if (ret == EAGAIN) { + return; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t be_refresh_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/be_refresh.h b/src/providers/be_refresh.h new file mode 100644 index 0000000..927fa4a --- /dev/null +++ b/src/providers/be_refresh.h 
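Review bot: In `be_refresh_step`, `state->index` is not reset when the loop moves on to the next domain: the branch `if (state->index == BE_REFRESH_TYPE_SENTINEL)` calls `get_next_domain()` and `continue`s with the index still at the sentinel, so every later domain falls straight into the same branch and only the first domain's callbacks ever run. Adding `state->index = 0;` before the `continue;` makes each domain walk the callback table from the start. As written, entries in any further domain are presumably left to expire without the periodic refresh, so cached users and groups there would go stale until something else updates them.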
@@ -0,0 +1,71 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _DP_REFRESH_H_
+#define _DP_REFRESH_H_
+
+#include
+#include
+
+#include "providers/be_ptask.h"
+
+/* solve circular dependency */
+struct be_ctx;
+
+/**
+ * name_list contains SYSDB_NAME of all expired records.
+ */
+typedef struct tevent_req *
+(*be_refresh_send_t)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ char **values,
+ void *pvt);
+
+typedef errno_t
+(*be_refresh_recv_t)(struct tevent_req *req);
+
+enum be_refresh_type {
+ BE_REFRESH_TYPE_USERS,
+ BE_REFRESH_TYPE_GROUPS,
+ BE_REFRESH_TYPE_NETGROUPS,
+ BE_REFRESH_TYPE_SENTINEL
+};
+
+struct be_refresh_ctx;
+
+struct be_refresh_ctx *be_refresh_ctx_init(TALLOC_CTX *mem_ctx);
+
+errno_t be_refresh_add_cb(struct be_refresh_ctx *ctx,
+ enum be_refresh_type type,
+ be_refresh_send_t send_fn,
+ be_refresh_recv_t recv_fn,
+ void *pvt);
+
+struct tevent_req *be_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt);
+
+errno_t be_refresh_recv(struct tevent_req *req);
+
+#endif /* _DP_REFRESH_H_ */
diff --git a/src/providers/data_provider.h b/src/providers/data_provider.h
new file mode 100644
index 0000000..d30d81b
--- /dev/null
+++ b/src/providers/data_provider.h
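Review bot: The comment on `be_refresh_send_t` documents a `name_list` parameter, but the parameter is called `values`, and "all expired records" does not match what `be_refresh_get_values_ex` selects: its filter is `SYSDB_CACHE_EXPIRE <= now + period`, so the list also holds records that will expire within the next period. I would reword it to `* values contains SYSDB_NAME of every record whose cache expiry is at or before now + period.` The comment should also say that `be_refresh_step` reparents the list onto the returned request (`talloc_steal(subreq, values)`), so a callback must not free it itself.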
@@ -0,0 +1,336 @@ +/* + SSSD + + Data Provider, private header file + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __DATA_PROVIDER_H__ +#define __DATA_PROVIDER_H__ + +#include "config.h" + +#include +#include +#include +#include +#ifdef USE_KEYRING +#include +#include +#endif +#include +#include +#include +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sbus_client.h" +#include "sss_client/sss_cli.h" +#include "util/authtok.h" +#include "providers/data_provider_req.h" + +#define DATA_PROVIDER_VERSION 0x0001 +#define DATA_PROVIDER_PIPE "private/sbus-dp" + +#define DP_PATH "/org/freedesktop/sssd/dataprovider" + +/** + * @defgroup pamHandler PAM DBUS request + * @ingroup sss_pam + * + * The PAM responder send all the data it has received from the PAM client to + * the authentication backend with a DBUS message. + * + * As a response it expects a PAM return value (see pam(3) for details). + * The backend may send any number of additional messages (see ...) which are + * forwarded by the PAM responder to the PAM client. + * @{ + */ + +/** Then pamHandler Request + * + * The following two functions can help you to pack and unpack the DBUS + * message for a PAM request. 
If it is necessary to create the DBUS message by + * hand it must have the following elements: + * + * @param DBUS_TYPE_INT32 PAM Command, see #sss_cli_command for allowed values + * @param DBUS_TYPE_STRING User name, this value is send by the PAM client and + * contains the value of the PAM item PAM_USER + * @param DBUS_TYPE_STRING Service name, this value is send by the PAM client + * and contains the value of the PAM item PAM_SERVICE + * @param DBUS_TYPE_STRING TTY name this value is send by the PAM client and + * contains the value of the PAM item PAM_TTY + * @param DBUS_TYPE_STRING Remote user, this value is send by the PAM client + * and contains the value of the PAM item PAM_RUSER + * @param DBUS_TYPE_STRING Remote host, this value is send by the PAM client + * and contains the value of the PAM item PAM_RHOST + * @param DBUS_TYPE_UINT32 Type of the authentication token, see #sss_authtok_type + * for allowed values + * @param DBUS_TYPE_ARRAY__(BYTE) Authentication token, DBUS array which + * contains the authentication token, it is not required that passwords have a + * trailing \\0, this value is send by the PAM client and contains the value of + * the PAM item PAM_AUTHTOK or PAM_OLDAUTHTOK if the PAM command is + * #SSS_PAM_CHAUTHTOK or #SSS_PAM_CHAUTHTOK_PRELIM + * @param DBUS_TYPE_UINT32 Type of the new authentication token, see + * #sss_authtok_type for allowed values + * @param DBUS_TYPE_ARRAY__(BYTE) New authentication token, DBUS array which + * contains the new authentication token for a password change, it is not + * required that passwords have a trailing \\0, this value is send by the PAM + * client and contains the value of the PAM item PAM_AUTHTOK if the PAM + * command is #SSS_PAM_CHAUTHTOK or #SSS_PAM_CHAUTHTOK_PRELIM + * @param DBUS_TYPE_INT32 Privileged flag is set to a non-zero value if the + * PAM client connected to the PAM responder via the privileged pipe, i.e. 
if + * the PAM client is running with root privileges + * @param DBUS_TYPE_UINT32 + * + * @retval DBUS_TYPE_UINT32 PAM return value, PAM_AUTHINFO_UNAVAIL is used to + * indicate that the provider is offline and that the PAM responder should try + * a cached authentication, for all other return value see the man pages for + * the corresponding PAM service functions + * @retval DBUS_TYPE_ARRAY__(STRUCT) Zero or more additional getAccountInfo + * messages, here the DBUS_TYPE_STRUCT is build of a DBUS_TYPE_UINT32 holding + * an identifier (see #response_type) and DBUS_TYPE_G_BYTE_ARRAY with the data + * of the message. + */ + + +/** + * @} + */ /* end of group pamHandler */ + +#define DP_ERR_DECIDE -1 +#define DP_ERR_OK 0 +#define DP_ERR_OFFLINE 1 +#define DP_ERR_TIMEOUT 2 +#define DP_ERR_FATAL 3 + +#define BE_FILTER_NAME 1 +#define BE_FILTER_IDNUM 2 +#define BE_FILTER_ENUM 3 +#define BE_FILTER_SECID 4 +#define BE_FILTER_UUID 5 +#define BE_FILTER_CERT 6 +#define BE_FILTER_WILDCARD 7 + +#define DP_SEC_ID "secid" +#define DP_CERT "cert" +/* sizeof() counts the trailing \0 so we must subtract 1 for the string + * length */ +#define DP_SEC_ID_LEN (sizeof(DP_SEC_ID) - 1) +#define DP_CERT_LEN (sizeof(DP_CERT) - 1) + +#define DP_WILDCARD "wildcard" +#define DP_WILDCARD_LEN (sizeof(DP_WILDCARD) - 1) + +#define EXTRA_NAME_IS_UPN "U" +#define EXTRA_INPUT_MAYBE_WITH_VIEW "V" + +/* AUTH related common data and functions */ + +#define DEBUG_PAM_DATA(level, pd) do { \ + if (DEBUG_IS_SET(level)) pam_print_data(level, pd); \ +} while(0) + + +struct response_data { + int32_t type; + int32_t len; + uint8_t *data; + bool do_not_send_to_client; + struct response_data *next; +}; + +struct pam_data { + int cmd; + char *domain; + char *user; + char *service; + char *tty; + char *ruser; + char *rhost; + char **requested_domains; + struct sss_auth_token *authtok; + struct sss_auth_token *newauthtok; + uint32_t cli_pid; + char *logon_name; + + int pam_status; + int response_delay; + struct 
response_data *resp_list; + + bool offline_auth; + bool last_auth_saved; + int priv; + int account_locked; + +#ifdef USE_KEYRING + key_serial_t key_serial; +#endif +}; + +/* from dp_auth_util.c */ +#define SSS_SERVER_INFO 0x80000000 + +#define SSS_KRB5_INFO 0x40000000 +#define SSS_LDAP_INFO 0x20000000 +#define SSS_PROXY_INFO 0x10000000 + +#define SSS_KRB5_INFO_TGT_LIFETIME (SSS_SERVER_INFO|SSS_KRB5_INFO|0x01) +#define SSS_KRB5_INFO_UPN (SSS_SERVER_INFO|SSS_KRB5_INFO|0x02) + +/** + * @brief Create new zero initialized struct pam_data. + * + * @param mem_ctx A memory context use to allocate the internal data + * @return A pointer to new struct pam_data + * NULL on error + * + * NOTE: This function should be the only way, how to create new empty + * struct pam_data, because this function automatically initialize sub + * structures and set destructor to created object. + */ +struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx); +errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *old_pd, + struct pam_data **new_pd); +void pam_print_data(int l, struct pam_data *pd); +int pam_add_response(struct pam_data *pd, + enum response_type type, + int len, const uint8_t *data); + +bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd); +bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx, + struct pam_data **new_pd, DBusError *dbus_error); + +bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd); +bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, + DBusError *dbus_error); + +void dp_id_callback(DBusPendingCall *pending, void *ptr); + +/* from dp_sbus.c */ +int dp_get_sbus_address(TALLOC_CTX *mem_ctx, + char **address, const char *domain_name); + + +/* Reserved filter name for request which waits until the files provider finishes mirroring + * the file content + */ +#define DP_REQ_OPT_FILES_INITGR "files_initgr_request" + +/* Helpers */ + +#define NULL_STRING { .string = NULL } +#define NULL_BLOB { .blob = { NULL, 0 } } 
+#define NULL_NUMBER { .number = 0 } +#define BOOL_FALSE { .boolean = false } +#define BOOL_TRUE { .boolean = true } + +enum dp_opt_type { + DP_OPT_STRING, + DP_OPT_BLOB, + DP_OPT_NUMBER, + DP_OPT_BOOL +}; + +struct dp_opt_blob { + uint8_t *data; + size_t length; +}; + +union dp_opt_value { + const char *cstring; + char *string; + struct dp_opt_blob blob; + int number; + bool boolean; +}; + +struct dp_option { + const char *opt_name; + enum dp_opt_type type; + union dp_opt_value def_val; + union dp_opt_value val; +}; + +#define DP_OPTION_TERMINATOR { NULL, 0, NULL_STRING, NULL_STRING } + +void dp_option_inherit(char **inherit_opt_list, + int option, + struct dp_option *parent_opts, + struct dp_option *subdom_opts); + +int dp_get_options(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct dp_option *def_opts, + int num_opts, + struct dp_option **_opts); + +int dp_copy_options(TALLOC_CTX *memctx, + struct dp_option *src_opts, + int num_opts, + struct dp_option **_opts); + +int dp_copy_defaults(TALLOC_CTX *memctx, + struct dp_option *src_opts, + int num_opts, + struct dp_option **_opts); + +const char *_dp_opt_get_cstring(struct dp_option *opts, + int id, const char *location); +char *_dp_opt_get_string(struct dp_option *opts, + int id, const char *location); +struct dp_opt_blob _dp_opt_get_blob(struct dp_option *opts, + int id, const char *location); +int _dp_opt_get_int(struct dp_option *opts, + int id, const char *location); +bool _dp_opt_get_bool(struct dp_option *opts, + int id, const char *location); +#define dp_opt_get_cstring(o, i) _dp_opt_get_cstring(o, i, __FUNCTION__) +#define dp_opt_get_string(o, i) _dp_opt_get_string(o, i, __FUNCTION__) +#define dp_opt_get_blob(o, i) _dp_opt_get_blob(o, i, __FUNCTION__) +#define dp_opt_get_int(o, i) _dp_opt_get_int(o, i, __FUNCTION__) +#define dp_opt_get_bool(o, i) _dp_opt_get_bool(o, i, __FUNCTION__) + +int _dp_opt_set_string(struct dp_option *opts, int id, + const char *s, const char 
*location); +int _dp_opt_set_blob(struct dp_option *opts, int id, + struct dp_opt_blob b, const char *location); +int _dp_opt_set_int(struct dp_option *opts, int id, + int i, const char *location); +int _dp_opt_set_bool(struct dp_option *opts, int id, + bool b, const char *location); +#define dp_opt_set_string(o, i, v) _dp_opt_set_string(o, i, v, __FUNCTION__) +#define dp_opt_set_blob(o, i, v) _dp_opt_set_blob(o, i, v, __FUNCTION__) +#define dp_opt_set_int(o, i, v) _dp_opt_set_int(o, i, v, __FUNCTION__) +#define dp_opt_set_bool(o, i, v) _dp_opt_set_bool(o, i, v, __FUNCTION__) + +/* Generic Data Provider options */ + +/* Resolver DP options */ +enum dp_res_opts { + DP_RES_OPT_FAMILY_ORDER, + DP_RES_OPT_RESOLVER_TIMEOUT, + DP_RES_OPT_RESOLVER_OP_TIMEOUT, + DP_RES_OPT_DNS_DOMAIN, + + DP_RES_OPTS /* attrs counter */ +}; + +#endif /* __DATA_PROVIDER_ */ diff --git a/src/providers/data_provider/dp.c b/src/providers/data_provider/dp.c new file mode 100644 index 0000000..bab47f4 --- /dev/null +++ b/src/providers/data_provider/dp.c 
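Review bot: The pamHandler message description ends with a bare `@param DBUS_TYPE_UINT32` that has no text, so the last element of a message carrying authentication tokens is undocumented. `struct pam_data` has a `uint32_t cli_pid` field, so this is presumably the PAM client's PID, but that should be confirmed against `dp_pack_pam_request`, which is not in this hunk. If so, something like `@param DBUS_TYPE_UINT32 PID of the PAM client` would close the gap. The same comment block still contains the placeholder `(see ...)`, and the closing guard comment `/* __DATA_PROVIDER_ */` does not match `__DATA_PROVIDER_H__`.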
@@ -0,0 +1,135 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "config.h" +#include "providers/data_provider/dp.h" +#include "providers/data_provider/dp_private.h" +#include "providers/backend.h" +#include "util/util.h" + +static errno_t dp_init_dbus_server(struct data_provider *provider) +{ + const char *domain; + char *sbus_address; + errno_t ret; + + domain = provider->be_ctx->domain->name; + ret = dp_get_sbus_address(NULL, &sbus_address, domain); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not get sbus backend address.\n"); + return ret; + } + + ret = sbus_new_server(provider, provider->ev, sbus_address, + provider->uid, provider->gid, true, + &provider->srv_conn, + dp_client_init, provider, NULL); + talloc_free(sbus_address); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up sbus server.\n"); + return ret; + } + + return EOK; +} + +static int dp_destructor(struct data_provider *provider) +{ + enum dp_clients client; + + provider->terminating = true; + + dp_terminate_active_requests(provider); + + for (client = 0; client != DP_CLIENT_SENTINEL; client++) { + talloc_zfree(provider->clients[client]); + } + + return 0; +} + +errno_t dp_init(struct tevent_context *ev, + struct be_ctx *be_ctx, + uid_t uid, + gid_t gid) +{ + struct data_provider *provider; + + errno_t ret; + + provider = 
talloc_zero(be_ctx, struct data_provider); + if (provider == NULL) { + return ENOMEM; + } + + provider->ev = ev; + provider->uid = uid; + provider->gid = gid; + provider->be_ctx = be_ctx; + + /* Initialize request table. */ + ret = dp_req_table_init(provider, &provider->requests.reply_table); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize request table " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Initialize data provider bus. Data provider can receive client + * registration and other D-Bus methods. However no data provider + * request will be executed as long as the modules and targets + * are not initialized. + */ + talloc_set_destructor(provider, dp_destructor); + + ret = dp_init_dbus_server(provider); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup service bus [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + be_ctx->provider = provider; + + ret = dp_init_modules(provider, &provider->modules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP modules " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = dp_init_targets(provider, be_ctx, provider, provider->modules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize DP targets " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(provider); + } + + return ret; +} diff --git a/src/providers/data_provider/dp.h b/src/providers/data_provider/dp.h new file mode 100644 index 0000000..e8b2f9c --- /dev/null +++ b/src/providers/data_provider/dp.h 
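Review bot: In `dp_init`, `be_ctx->provider = provider;` is assigned before `dp_init_modules` and `dp_init_targets`, and when either fails the `done:` path runs `talloc_free(provider)` without resetting that field. `be_ctx->provider` then points at freed memory. Whether any caller touches it after a failed `dp_init` is not visible in this hunk, but clearing it costs one line: `be_ctx->provider = NULL;` next to the `talloc_free(provider);` in the error branch. Note that the destructor is already installed at that point, so the free also runs `dp_terminate_active_requests`.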
@@ -0,0 +1,204 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _DP_H_ +#define _DP_H_ + +#include + +#include "sbus/sssd_dbus.h" +#include "providers/backend.h" +#include "providers/data_provider/dp_request.h" +#include "providers/data_provider/dp_custom_data.h" +#include "providers/data_provider/dp_flags.h" + +struct data_provider; +struct dp_method; + +/** + * Module constructor. + * + * It is possible to create a module data that is passed into all + * target initialization functions. + */ +typedef errno_t (*dp_module_init_fn)(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + const char *module_name, + void **_module_data); + +/** + * Target initialization function. + * + * Pointer to dp_method is unique for all targets. Make sure that + * dp_set_method is called in all targets even if you are reusing + * some existing context or initialization function. 
+ */ +typedef errno_t (*dp_target_init_fn)(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods); + +enum dp_targets { + DPT_ID, + DPT_AUTH, + DPT_ACCESS, + DPT_CHPASS, + DPT_SUDO, + DPT_AUTOFS, + DPT_SELINUX, + DPT_HOSTID, + DPT_SUBDOMAINS, + DPT_SESSION, + + DP_TARGET_SENTINEL +}; + +enum dp_methods { + DPM_CHECK_ONLINE, + DPM_ACCOUNT_HANDLER, + DPM_AUTH_HANDLER, + DPM_ACCESS_HANDLER, + DPM_SELINUX_HANDLER, + DPM_SUDO_HANDLER, + DPM_AUTOFS_HANDLER, + DPM_HOSTID_HANDLER, + DPM_DOMAINS_HANDLER, + DPM_SESSION_HANDLER, + DPM_ACCT_DOMAIN_HANDLER, + + DPM_REFRESH_ACCESS_RULES, + + DP_METHOD_SENTINEL +}; + +/* Method handler. */ + +struct dp_req_params { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct sss_domain_info *domain; + enum dp_targets target; + enum dp_methods method; +}; + +typedef struct tevent_req * +(*dp_req_send_fn)(TALLOC_CTX *mem_ctx, void *method_data, void *request_data, + struct dp_req_params *params); + +typedef errno_t +(*dp_req_recv_fn)(TALLOC_CTX *mem_ctx, struct tevent_req *req, void *data); + +/* Data provider initialization. */ + +errno_t dp_init(struct tevent_context *ev, + struct be_ctx *be_ctx, + uid_t uid, + gid_t gid); + +bool _dp_target_enabled(struct data_provider *provider, + const char *module_name, + ...); + +#define dp_target_enabled(provider, module_name, ...) \ + _dp_target_enabled(provider, module_name, ##__VA_ARGS__, DP_TARGET_SENTINEL) + +struct dp_module *dp_target_module(struct data_provider *provider, + enum dp_targets target); + +void *dp_get_module_data(struct dp_module *dp_module); + +void _dp_set_method(struct dp_method *methods, + enum dp_methods method, + dp_req_send_fn send_fn, + dp_req_recv_fn recv_fn, + void *method_data, + const char *method_dtype, + const char *request_dtype, + const char *output_dtype, + uint32_t output_size); + +/* We check function headers on compile time and data types on run time. 
This + * check requires that both method and request private data are talloc-created + * with talloc name set to data type name (which is done by talloc unless + * you use _size variations of talloc functions. + * + * This way we ensure that we always pass correct data and we can access them + * directly in request handler without the need to cast them explicitly + * from void pointer. */ +#define dp_set_method(methods, method, send_fn, recv_fn, method_data, \ + method_dtype, req_dtype, output_dtype) \ + do { \ + /* Check _send function parameter types. */ \ + struct tevent_req *(*__send_fn)(TALLOC_CTX *, method_dtype *, \ + req_dtype *, struct dp_req_params *params) = (send_fn); \ + \ + /* Check _recv function parameter types. */ \ + errno_t (*__recv_fn)(TALLOC_CTX *, struct tevent_req *, \ + output_dtype *) = (recv_fn); \ + _dp_set_method(methods, method, (dp_req_send_fn)__send_fn, \ + (dp_req_recv_fn)__recv_fn, method_data, \ + #method_dtype, #req_dtype, \ + #output_dtype, sizeof(output_dtype)); \ + } while (0) + +bool dp_method_enabled(struct data_provider *provider, + enum dp_targets target, + enum dp_methods method); + +void dp_terminate_domain_requests(struct data_provider *provider, + const char *domain); + +void dp_sbus_domain_active(struct data_provider *provider, + struct sss_domain_info *dom); +void dp_sbus_domain_inconsistent(struct data_provider *provider, + struct sss_domain_info *dom); + +void dp_sbus_reset_users_ncache(struct data_provider *provider, + struct sss_domain_info *dom); +void dp_sbus_reset_groups_ncache(struct data_provider *provider, + struct sss_domain_info *dom); + +void dp_sbus_reset_users_memcache(struct data_provider *provider); +void dp_sbus_reset_groups_memcache(struct data_provider *provider); +void dp_sbus_reset_initgr_memcache(struct data_provider *provider); +void dp_sbus_invalidate_group_memcache(struct data_provider *provider, + gid_t gid); + +/* + * A dummy handler for DPM_ACCT_DOMAIN_HANDLER. 
+ * + * Its purpose is to always return ERR_GET_ACCT_DOM_NOT_SUPPORTED + * which the responder should evaluate as "this back end does not + * support locating entries' domain" and never call + * DPM_ACCT_DOMAIN_HANDLER again + * + * This request cannot fail, except for critical errors like OOM. + */ +struct tevent_req * +default_account_domain_send(TALLOC_CTX *mem_ctx, + void *unused_ctx, + struct dp_get_acct_domain_data *data, + struct dp_req_params *params); +errno_t default_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data); + +#endif /* _DP_H_ */ diff --git a/src/providers/data_provider/dp_builtin.c b/src/providers/data_provider/dp_builtin.c new file mode 100644 index 0000000..01d7f6d --- /dev/null +++ b/src/providers/data_provider/dp_builtin.c 
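Review bot: `dp_set_method` type-checks the handlers against `method_dtype *`, `req_dtype *` and `output_dtype *`, then casts them to `dp_req_send_fn`/`dp_req_recv_fn`, whose parameters are `void *`. Any later call therefore goes through a function-pointer type that is not compatible with the handler's own, which ISO C leaves undefined even though it works on the usual ABIs. The only guard against handing a handler the wrong data is the run-time talloc-name comparison the comment mentions, and that is implemented outside this hunk. I would state this in the comment, e.g. `/* Handlers are invoked through void*-typed pointers; the talloc name check is the only guard against a mismatched data type. */`. The parenthesis opened at "(which is done by talloc" is also never closed.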
@@ -0,0 +1,118 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include "config.h" +#include "providers/data_provider/dp.h" +#include "providers/backend.h" +#include "util/util.h" + +struct dp_access_permit_handler_state { + struct pam_data *pd; +}; + +struct tevent_req * +dp_access_permit_handler_send(TALLOC_CTX *mem_ctx, + void *data, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct dp_access_permit_handler_state *state; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct dp_access_permit_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + DEBUG(SSSDBG_TRACE_ALL, "Access permit, returning PAM_SUCCESS.\n"); + state->pd->pam_status = PAM_SUCCESS; + + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +errno_t +dp_access_permit_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct dp_access_permit_handler_state *state = NULL; + + state = tevent_req_data(req, struct dp_access_permit_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} + +struct dp_access_deny_handler_state { + struct pam_data *pd; +}; + +struct tevent_req * +dp_access_deny_handler_send(TALLOC_CTX 
*mem_ctx, + void *data, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct dp_access_deny_handler_state *state; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct dp_access_deny_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + DEBUG(SSSDBG_TRACE_ALL, "Access deny, returning PAM_PERM_DENIED.\n"); + state->pd->pam_status = PAM_PERM_DENIED; + + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +errno_t +dp_access_deny_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct dp_access_deny_handler_state *state = NULL; + + state = tevent_req_data(req, struct dp_access_deny_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/data_provider/dp_builtin.h b/src/providers/data_provider/dp_builtin.h new file mode 100644 index 0000000..6bd0329 --- /dev/null +++ b/src/providers/data_provider/dp_builtin.h 
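Review bot: Both `_recv` functions hand `state->pd` to `mem_ctx` with `talloc_steal`, while the matching `_send` only stored the caller's `pd` pointer and never took ownership of it. The receive step therefore reparents an object the caller allocated, and nothing in the file says so. I would add a comment on both handlers such as `/* pd is borrowed in _send and reparented to mem_ctx in _recv. */`. `dp_access_permit_handler_send` sets `PAM_SUCCESS` unconditionally, ignores its `data` argument, and reports the decision only at `SSSDBG_TRACE_ALL`. A short doc comment stating that this handler grants access to every request would make the behaviour explicit to anyone auditing the access path.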
@@ -0,0 +1,50 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _DP_SPECIAL_H_ +#define _DP_SPECIAL_H_ + +#include +#include +#include "providers/data_provider/dp.h" + +struct tevent_req * +dp_access_permit_handler_send(TALLOC_CTX *mem_ctx, + void *data, + struct pam_data *pd, + struct dp_req_params *params); + +errno_t +dp_access_permit_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data); + +struct tevent_req * +dp_access_deny_handler_send(TALLOC_CTX *mem_ctx, + void *data, + struct pam_data *pd, + struct dp_req_params *params); + +errno_t +dp_access_deny_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data); + +#endif /* _DP_SPECIAL_H_ */ diff --git a/src/providers/data_provider/dp_client.c b/src/providers/data_provider/dp_client.c new file mode 100644 index 0000000..b2da13d --- /dev/null +++ b/src/providers/data_provider/dp_client.c 
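Review bot: The include guard in dp_builtin.h is `_DP_SPECIAL_H_`, which does not match the file name. It would silently hide this header's declarations if another header ever used the same guard. The leading underscore followed by an upper-case letter is also an identifier reserved for the implementation. I would rename it in all three places, e.g. `#ifndef DP_BUILTIN_H_`, `#define DP_BUILTIN_H_` and `#endif /* DP_BUILTIN_H_ */`.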
@@ -0,0 +1,259 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/backend.h" +#include "providers/data_provider/dp_iface_generated.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_iface.h" +#include "providers/data_provider/dp.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_errors.h" +#include "util/util.h" + +struct dp_client { + struct data_provider *provider; + struct sbus_connection *conn; + struct tevent_timer *timeout; + const char *name; + bool initialized; +}; + +const char *dp_client_to_string(enum dp_clients client) +{ + switch (client) { + case DPC_NSS: + return "NSS"; + case DPC_PAM: + return "PAM"; + case DPC_IFP: + return "InfoPipe"; + case DPC_PAC: + return "PAC"; + case DPC_SUDO: + return "SUDO"; + case DPC_HOST: + return "SSH"; + case DPC_AUTOFS: + return "autofs"; + case DP_CLIENT_SENTINEL: + return "Invalid"; + } + + return "Invalid"; +} + +static int dp_client_destructor(struct dp_client *dp_cli) +{ + struct data_provider *provider; + enum dp_clients client; + + if (dp_cli->provider == NULL) { + return 0; + } + + provider = dp_cli->provider; + + for (client = 0; client != DP_CLIENT_SENTINEL; client++) { + if (provider->clients[client] == dp_cli) { + provider->clients[client] = NULL; + DEBUG(SSSDBG_TRACE_FUNC, "Removed %s client\n", + dp_client_to_string(client)); 
+ break; + } + } + + if (client == DP_CLIENT_SENTINEL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown client removed...\n"); + } + + return 0; +} + +static int +dp_client_register(struct sbus_request *sbus_req, + void *data, + const char *client_name) +{ + struct data_provider *provider; + struct dp_client *dp_cli; + struct DBusError *error; + enum dp_clients client; + errno_t ret; + + dp_cli = talloc_get_type(data, struct dp_client); + if (dp_cli == NULL) { + /* Do not send D-Bus error here. */ + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: dp_cli is NULL\n"); + return EINVAL; + } + + provider = dp_cli->provider; + dp_cli->name = talloc_strdup(dp_cli, client_name); + if (dp_cli->name == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Cancel DP ID timeout [%p]\n", dp_cli->timeout); + talloc_zfree(dp_cli->timeout); + + for (client = 0; client != DP_CLIENT_SENTINEL; client++) { + if (strcasecmp(client_name, dp_client_to_string(client)) == 0) { + provider->clients[client] = dp_cli; + break; + } + } + + if (client == DP_CLIENT_SENTINEL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown client! [%s]\n", client_name); + error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND, + "Unknown client [%s]", client_name); + + /* Kill this client. 
*/ + talloc_free(dp_cli); + return sbus_request_fail_and_finish(sbus_req, error); + } + + talloc_set_destructor(dp_cli, dp_client_destructor); + + ret = iface_dp_client_Register_finish(sbus_req); + if (ret != EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, "Unable to send ack to the client [%s], " + "disconnecting...\n", client_name); + sbus_disconnect(sbus_req->conn); + return ret; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Added Frontend client [%s]\n", client_name); + + dp_cli->initialized = true; + return EOK; +} + +static void +dp_client_handshake_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + struct dp_client *dp_cli; + + DEBUG(SSSDBG_OP_FAILURE, + "Client timed out before identification [%p]!\n", te); + + dp_cli = talloc_get_type(ptr, struct dp_client); + + sbus_disconnect(dp_cli->conn); + talloc_zfree(dp_cli); +} + +errno_t dp_client_init(struct sbus_connection *conn, void *data) +{ + struct data_provider *provider; + struct dp_client *dp_cli; + struct timeval tv; + errno_t ret; + + static struct iface_dp_client iface_dp_client = { + { &iface_dp_client_meta, 0 }, + + .Register = dp_client_register, + }; + + provider = talloc_get_type(data, struct data_provider); + + /* When connection is lost we also free the client. */ + dp_cli = talloc_zero(conn, struct dp_client); + if (dp_cli == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory, killing connection.\n"); + talloc_free(conn); + return ENOMEM; + } + + dp_cli->provider = provider; + dp_cli->conn = conn; + dp_cli->initialized = false; + dp_cli->timeout = NULL; + + /* Allow access from the SSSD user. */ + sbus_allow_uid(conn, &provider->uid); + + /* Setup timeout in case client fails to register himself in time. */ + tv = tevent_timeval_current_ofs(5, 0); + dp_cli->timeout = tevent_add_timer(provider->ev, dp_cli, tv, + dp_client_handshake_timeout, dp_cli); + if (dp_cli->timeout == NULL) { + /* Connection is closed in the caller. 
*/ + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory, killing connection\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Set-up Backend ID timeout [%p]\n", dp_cli->timeout); + + /* Setup D-Bus interfaces and methods. */ + ret = sbus_conn_register_iface(conn, &iface_dp_client.vtable, + DP_PATH, dp_cli); + if (ret != EOK) { + /* Connection is closed in the caller. */ + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register D-Bus interface, " + "killing connection [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + ret = dp_register_sbus_interface(conn, dp_cli); + if (ret != EOK) { + /* Connection is closed in the caller. */ + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register D-Bus interface, " + "killing connection [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + return ret; +} + +struct data_provider * +dp_client_provider(struct dp_client *dp_cli) +{ + if (dp_cli == NULL) { + return NULL; + } + + return dp_cli->provider; +} + +struct be_ctx * +dp_client_be(struct dp_client *dp_cli) +{ + if (dp_cli == NULL || dp_cli->provider == NULL) { + return NULL; + } + + return dp_cli->provider->be_ctx; +} + +struct sbus_connection * +dp_client_conn(struct dp_client *dp_cli) +{ + if (dp_cli == NULL) { + return NULL; + } + + return dp_cli->conn; +} diff --git a/src/providers/data_provider/dp_custom_data.h b/src/providers/data_provider/dp_custom_data.h new file mode 100644 index 0000000..7c64bde --- /dev/null +++ b/src/providers/data_provider/dp_custom_data.h 
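Review bot: `dp_client_register` never checks `dp_cli->initialized`, so a second Register call on the same connection runs the whole handler again. `dp_cli->name` is then overwritten with a fresh `talloc_strdup`, and the same `dp_cli` can be stored in a second `provider->clients[]` slot. `dp_client_destructor` stops at the first matching slot (`break`), so after the client is freed the other slot would still hold the stale pointer, which `dp_destructor` in dp.c later passes to `talloc_zfree`. `sbus_allow_uid` limits access to the SSSD uid, but I would still reject a repeated call at the top of the handler with an `if (dp_cli->initialized)` guard that fails the request, and drop the `break` in the destructor so every slot pointing at the client is cleared. Separately, the unknown-client branch frees `dp_cli` while the interface registered in `dp_client_init` still carries it as handler data; whether sbus tolerates that is not visible here.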
@@ -0,0 +1,79 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _DP_CUSTOM_DATA_H_
+#define _DP_CUSTOM_DATA_H_
+
+#include "providers/data_provider/dp.h"
+
+/* Request handler private data. */
+
+struct dp_sudo_data {
+ uint32_t type;
+ char **rules;
+};
+
+struct dp_hostid_data {
+ const char *name;
+ const char *alias;
+};
+
+struct dp_autofs_data {
+ const char *mapname;
+};
+
+struct dp_subdomains_data {
+ const char *domain_hint;
+};
+
+struct dp_get_acct_domain_data {
+ uint32_t entry_type;
+ uint32_t filter_type;
+ const char *filter_value;
+};
+
+struct dp_id_data {
+ uint32_t entry_type;
+ uint32_t filter_type;
+ const char *filter_value;
+ const char *extra_value;
+ const char *domain;
+};
+
+/* Reply private data. */
+
+struct dp_reply_std {
+ int dp_error;
+ int error;
+ const char *message;
+};
+
+void dp_reply_std_set(struct dp_reply_std *reply,
+ int dp_error,
+ int error,
+ const char *msg);
+
+/* Reply callbacks. */
+
+void dp_req_reply_std(const char *request_name,
+ struct sbus_request *sbus_req,
+ struct dp_reply_std *reply);
+
+#endif /* _DP_CUSTOM_DATA_H_ */
diff --git a/src/providers/data_provider/dp_flags.h b/src/providers/data_provider/dp_flags.h
new file mode 100644
index 0000000..52e666d
--- /dev/null
+++ b/src/providers/data_provider/dp_flags.h
@@ -0,0 +1,29 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _DP_FLAGS_H_
+#define _DP_FLAGS_H_
+
+/**
+ * If backend is offline, respond with ERR_OFFLINE immediately.
+ */
+#define DP_FAST_REPLY 0x0001
+
+#endif /* _DP_FLAGS_H_ */
diff --git a/src/providers/data_provider/dp_iface.c b/src/providers/data_provider/dp_iface.c
new file mode 100644
index 0000000..124be00
--- /dev/null
+++ b/src/providers/data_provider/dp_iface.c
@@ -0,0 +1,70 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider/dp_iface_generated.h"
+#include "providers/data_provider/dp_iface.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp.h"
+
+struct iface_dp iface_dp = {
+ {&iface_dp_meta, 0},
+ .pamHandler = dp_pam_handler,
+ .sudoHandler = dp_sudo_handler,
+ .autofsHandler = dp_autofs_handler,
+ .hostHandler = dp_host_handler,
+ .getDomains = dp_subdomains_handler,
+ .getAccountInfo = dp_get_account_info_handler,
+ .getAccountDomain = dp_get_account_domain_handler,
+};
+
+struct iface_dp_backend iface_dp_backend = {
+ {&iface_dp_backend_meta, 0},
+ .IsOnline = dp_backend_is_online
+};
+
+struct iface_dp_failover iface_dp_failover = {
+ { &iface_dp_failover_meta, 0 },
+ .ListServices = dp_failover_list_services,
+ .ActiveServer = dp_failover_active_server,
+ .ListServers = dp_failover_list_servers
+};
+
+struct iface_dp_access_control iface_dp_access_control = {
+ { &iface_dp_access_control_meta, 0 },
+ .RefreshRules = dp_access_control_refresh_rules_handler
+};
+
+static struct sbus_iface_map dp_map[] = {
+ { DP_PATH, &iface_dp.vtable },
+ { DP_PATH, &iface_dp_backend.vtable },
+ { DP_PATH, &iface_dp_failover.vtable },
+ { DP_PATH, &iface_dp_access_control.vtable },
+ { NULL, NULL }
+};
+
+errno_t
+dp_register_sbus_interface(struct sbus_connection *conn,
+ struct dp_client *pvt)
+{
+ return sbus_conn_register_iface_map(conn, dp_map, pvt);
+}
diff --git a/src/providers/data_provider/dp_iface.h b/src/providers/data_provider/dp_iface.h
new file mode 100644
index 0000000..0a2f81e
--- /dev/null
+++ b/src/providers/data_provider/dp_iface.h
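Review bot: dp_register_sbus_interface() publishes every interface in dp_map with the same dp_client as handler data, and dp_client_init() in this patch calls it before the Register handshake has set dp_cli->initialized, so all of these handlers are callable on a connection that has not identified itself yet. Nothing in this hunk shows the handlers consulting that flag; access appears to rest on sbus_allow_uid() alone, though the handler bodies live in other files. If that is the intended model, document it above the function, for example `/* Interfaces are registered before the client handshake completes; access is gated by sbus_allow_uid() only. */`. Otherwise the dp_map registration could be deferred to dp_client_register().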
@@ -0,0 +1,100 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef DP_IFACE_H_ +#define DP_IFACE_H_ + +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_responder_iface.h" +#include "providers/data_provider/dp.h" + +#define DP_PATH "/org/freedesktop/sssd/dataprovider" + +errno_t dp_register_sbus_interface(struct sbus_connection *conn, + struct dp_client *pvt); + +errno_t dp_get_account_info_handler(struct sbus_request *sbus_req, + void *dp_cli, + uint32_t dp_flags, + uint32_t entry_type, + const char *filter, + const char *domain, + const char *extra); + +errno_t dp_pam_handler(struct sbus_request *sbus_req, void *dp_cli); + +errno_t dp_sudo_handler(struct sbus_request *sbus_req, void *dp_cli); + +errno_t dp_host_handler(struct sbus_request *sbus_req, + void *dp_cli, + uint32_t dp_flags, + const char *name, + const char *alias); + +errno_t dp_autofs_handler(struct sbus_request *sbus_req, + void *dp_cli, + uint32_t dp_flags, + const char *mapname); + +errno_t dp_subdomains_handler(struct sbus_request *sbus_req, + void *dp_cli, + const char *domain_hint); + +/* + * Return a domain the account belongs to. 
+ * + * The request uses the dp_reply_std structure for reply, with the following + * semantics: + * - DP_ERR_OK - it is expected that the string message contains the domain name + * the entry was found in. A 'negative' reply where the + * request returns DP_ERR_OK, but no domain should be treated + * as authoritative, as if the entry does not exist. + * - DP_ERR_* - the string message contains error string that corresponds + * to the errno field in dp_reply_std(). + */ +errno_t dp_get_account_domain_handler(struct sbus_request *sbus_req, + void *dp_cli, + uint32_t entry_type, + const char *filter); + +/* org.freedesktop.sssd.DataProvider.Backend */ +errno_t dp_backend_is_online(struct sbus_request *sbus_req, + void *dp_cli, + const char *domain); + +/* org.freedesktop.sssd.DataProvider.Failover */ +errno_t dp_failover_list_services(struct sbus_request *sbus_req, + void *dp_cli, + const char *domname); + +errno_t dp_failover_active_server(struct sbus_request *sbus_req, + void *dp_cli, + const char *service_name); + +errno_t dp_failover_list_servers(struct sbus_request *sbus_req, + void *dp_cli, + const char *service_name); + +/* org.freedesktop.sssd.DataProvider.AccessControl */ +errno_t dp_access_control_refresh_rules_handler(struct sbus_request *sbus_req, + void *dp_cli); + +#endif /* DP_IFACE_H_ */ diff --git a/src/providers/data_provider/dp_iface.xml b/src/providers/data_provider/dp_iface.xml new file mode 100644 index 0000000..c243185 --- /dev/null +++ b/src/providers/data_provider/dp_iface.xml @@ -0,0 +1,90 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/providers/data_provider/dp_iface_backend.c b/src/providers/data_provider/dp_iface_backend.c new file mode 100644 index 0000000..d9a84bf --- /dev/null +++ b/src/providers/data_provider/dp_iface_backend.c 
@@ -0,0 +1,60 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_errors.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp_iface.h"
+#include "providers/backend.h"
+#include "util/util.h"
+
+errno_t dp_backend_is_online(struct sbus_request *sbus_req,
+ void *dp_cli,
+ const char *domname)
+{
+ struct be_ctx *be_ctx;
+ struct sss_domain_info *domain;
+ bool online;
+
+ be_ctx = dp_client_be(dp_cli);
+
+ if (SBUS_IS_STRING_EMPTY(domname)) {
+ domain = be_ctx->domain;
+ } else {
+ domain = find_domain_by_name(be_ctx->domain, domname, false);
+ if (domain == NULL) {
+ sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN,
+ "Unknown domain %s", domname);
+ return EOK;
+ }
+ }
+
+ if (domain == be_ctx->domain) {
+ online = be_is_offline(be_ctx) == false;
+ } else {
+ online = domain->state == DOM_ACTIVE;
+ }
+
+ iface_dp_backend_IsOnline_finish(sbus_req, online);
+ return EOK;
+}
diff --git a/src/providers/data_provider/dp_iface_failover.c b/src/providers/data_provider/dp_iface_failover.c
new file mode 100644
index 0000000..7d95ffd
--- /dev/null
+++ b/src/providers/data_provider/dp_iface_failover.c
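Review bot: dp_backend_is_online() dereferences `be_ctx->domain` straight after `be_ctx = dp_client_be(dp_cli);`, yet dp_client_be() in dp_client.c returns NULL when the client or its provider pointer is NULL. A guard such as `if (be_ctx == NULL) { sbus_request_reply_error(sbus_req, SBUS_ERROR_INTERNAL, "Backend not available"); return EOK; }` would turn that case into a D-Bus error reply instead of a crash of the backend process. The same unchecked pattern appears in dp_failover_list_services(), dp_failover_active_server() and dp_failover_list_servers() in dp_iface_failover.c. Whether NULL can actually reach these handlers depends on registration code outside this hunk.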
@@ -0,0 +1,345 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_errors.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_iface.h" +#include "providers/backend.h" +#include "util/util.h" + +static errno_t +dp_failover_list_services_ldap(struct be_ctx *be_ctx, + const char **services, + int *_count) +{ + struct be_svc_data *svc; + int count; + + count = 0; + DLIST_FOR_EACH(svc, be_ctx->be_fo->svcs) { + services[count] = talloc_strdup(services, svc->name); + if (services[count] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + return ENOMEM; + } + count++; + } + + *_count = count; + + return EOK; +} + +static errno_t +dp_failover_list_services_ad(struct be_ctx *be_ctx, + struct sss_domain_info *domain, + const char **services, + int *_count) +{ + char *fo_svc_name = NULL; + struct be_svc_data *svc; + errno_t ret; + int count; + + fo_svc_name = talloc_asprintf(services, "sd_%s", domain->name); + if (fo_svc_name == NULL) { + ret = ENOMEM; + goto done; + } + + count = 0; + DLIST_FOR_EACH(svc, be_ctx->be_fo->svcs) { + /* Drop each sd_gc_* since this service is not used with AD at all, + * we only connect to AD_GC for global catalog. 
*/ + if (strncasecmp(svc->name, "sd_gc_", strlen("sd_gc_")) == 0) { + continue; + } + + /* Drop all subdomain services for different domain. */ + if (strncasecmp(svc->name, "sd_", strlen("sd_")) == 0) { + if (!IS_SUBDOMAIN(domain)) { + continue; + } + + if (strcasecmp(svc->name, fo_svc_name) != 0) { + continue; + } + } + + if (IS_SUBDOMAIN(domain)) { + /* Drop AD since we connect to subdomain.com for LDAP. */ + if (strcasecmp(svc->name, "AD") == 0) { + continue; + } + } + + services[count] = talloc_strdup(services, svc->name); + if (services[count] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + ret = ENOMEM; + goto done; + } + count++; + } + + *_count = count; + + ret = EOK; + +done: + talloc_free(fo_svc_name); + return ret; +} + +static errno_t +dp_failover_list_services_ipa(struct be_ctx *be_ctx, + struct sss_domain_info *domain, + const char **services, + int *_count) +{ + struct be_svc_data *svc; + char *fo_svc_name = NULL; + char *fo_gc_name = NULL; + errno_t ret; + int count; + + fo_svc_name = talloc_asprintf(services, "sd_%s", domain->name); + if (fo_svc_name == NULL) { + ret = ENOMEM; + goto done; + } + + fo_gc_name = talloc_asprintf(services, "sd_gc_%s", domain->name); + if (fo_gc_name == NULL) { + ret = ENOMEM; + goto done; + } + + count = 0; + DLIST_FOR_EACH(svc, be_ctx->be_fo->svcs) { + /* Drop all subdomain services for different domain. 
*/ + if (strncasecmp(svc->name, "sd_", strlen("sd_")) == 0) { + if (!IS_SUBDOMAIN(domain)) { + continue; + } + + if (strcasecmp(svc->name, fo_svc_name) != 0 + && strcasecmp(svc->name, fo_gc_name) != 0) { + continue; + } + } + + services[count] = talloc_strdup(services, svc->name); + if (services[count] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + return ENOMEM; + } + count++; + } + + *_count = count; + + ret = EOK; + +done: + talloc_free(fo_svc_name); + talloc_free(fo_gc_name); + + return ret; +} + +enum dp_fo_svc_type { + DP_FO_SVC_LDAP = 0, + DP_FO_SVC_AD = 1, + DP_FO_SVC_IPA = 1 << 1, + DP_FO_SVC_MIXED = DP_FO_SVC_AD | DP_FO_SVC_IPA +}; + +errno_t dp_failover_list_services(struct sbus_request *sbus_req, + void *dp_cli, + const char *domname) +{ + enum dp_fo_svc_type svc_type = DP_FO_SVC_LDAP; + struct sss_domain_info *domain; + struct be_ctx *be_ctx; + struct be_svc_data *svc; + const char **services; + int num_services; + errno_t ret; + + be_ctx = dp_client_be(dp_cli); + + if (SBUS_IS_STRING_EMPTY(domname)) { + domain = be_ctx->domain; + } else { + domain = find_domain_by_name(be_ctx->domain, domname, false); + if (domain == NULL) { + sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN, + "Unknown domain %s", domname); + return EOK; + } + } + + /** + * Returning list of failover services is currently rather difficult + * since there is only one failover context for the whole backend. + * + * The list of services for the given domain depends on whether it is + * a master domain or a subdomain and whether we are using IPA, AD or + * LDAP backend. + * + * For LDAP we just return everything we have. + * For AD master domain we return AD, AD_GC. + * For AD subdomain we return subdomain.com, AD_GC. + * For IPA in client mode we return IPA. + * For IPA in server mode we return IPA for master domain and + * subdomain.com, gc_subdomain.com for subdomain. 
+ * + * We also return everything else for all cases if any other service + * such as kerberos is configured separately. + */ + + /* Allocate enough space. */ + num_services = 0; + DLIST_FOR_EACH(svc, be_ctx->be_fo->svcs) { + num_services++; + + if (strcasecmp(svc->name, "AD") == 0) { + svc_type |= DP_FO_SVC_AD; + } else if (strcasecmp(svc->name, "IPA") == 0) { + svc_type |= DP_FO_SVC_IPA; + } + } + + services = talloc_zero_array(sbus_req, const char *, num_services); + if (services == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + return ENOMEM; + } + + /* Fill the list. */ + switch (svc_type) { + case DP_FO_SVC_LDAP: + case DP_FO_SVC_MIXED: + ret = dp_failover_list_services_ldap(be_ctx, services, &num_services); + break; + case DP_FO_SVC_AD: + ret = dp_failover_list_services_ad(be_ctx, domain, + services, &num_services); + break; + case DP_FO_SVC_IPA: + ret = dp_failover_list_services_ipa(be_ctx, domain, + services, &num_services); + break; + default: + ret = ERR_INTERNAL; + break; + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create service list [%d]: %s\n", + ret, sss_strerror(ret)); + talloc_free(services); + return ret; + } + + iface_dp_failover_ListServices_finish(sbus_req, services, num_services); + return EOK; +} + +errno_t dp_failover_active_server(struct sbus_request *sbus_req, + void *dp_cli, + const char *service_name) +{ + struct be_ctx *be_ctx; + struct be_svc_data *svc; + const char *server; + bool found = false; + + be_ctx = dp_client_be(dp_cli); + + DLIST_FOR_EACH(svc, be_ctx->be_fo->svcs) { + if (strcmp(svc->name, service_name) == 0) { + found = true; + break; + } + } + + if (!found) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get server name\n"); + sbus_request_reply_error(sbus_req, SBUS_ERROR_NOT_FOUND, + "Unknown service name"); + return EOK; + } + + if (svc->last_good_srv == NULL) { + server = ""; + } else { + server = fo_get_server_name(svc->last_good_srv); + if (server == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get server name\n"); + sbus_request_reply_error(sbus_req, SBUS_ERROR_INTERNAL, + "Unable to get server name"); + return EOK; + } + } + + iface_dp_failover_ActiveServer_finish(sbus_req, server); + return EOK; +} + +errno_t dp_failover_list_servers(struct sbus_request *sbus_req, + void *dp_cli, + const char *service_name) +{ + struct be_ctx *be_ctx; + struct be_svc_data *svc; + const char **servers; + bool found = false; + size_t count; + + be_ctx = dp_client_be(dp_cli); + + DLIST_FOR_EACH(svc, be_ctx->be_fo->svcs) { + if (strcmp(svc->name, service_name) == 0) { + found = true; + break; + } + } + + if (!found) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get server list\n"); + sbus_request_reply_error(sbus_req, SBUS_ERROR_NOT_FOUND, + "Unknown service name"); + return EOK; + } + + servers = fo_svc_server_list(sbus_req, svc->fo_service, &count); + if (servers == NULL) { + return ENOMEM; + } + + iface_dp_failover_ListServers_finish(sbus_req, servers, (int)count); + return EOK; +} diff --git a/src/providers/data_provider/dp_iface_generated.c b/src/providers/data_provider/dp_iface_generated.c new file mode 100644 index 0000000..4d09344 --- /dev/null +++ b/src/providers/data_provider/dp_iface_generated.c 
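Review bot: In dp_failover_list_services_ipa() the talloc_strdup() failure path inside the loop does `return ENOMEM;`, skipping the `done:` label that frees fo_svc_name and fo_gc_name. The AD variant just above handles the same failure with `ret = ENOMEM; goto done;`. Both temporaries are allocated on `services`, which the caller frees on error, so this is probably not a lasting leak, but a single exit path is easier to audit. Suggest replacing the early return with `ret = ENOMEM;` followed by `goto done;`.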
@@ -0,0 +1,486 @@ +/* The following definitions are auto-generated from dp_iface.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "dp_iface_generated.h" + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'us' DBus signature */ +static int invoke_us_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'uss' DBus signature */ +static int invoke_uss_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'uusss' DBus signature */ +static int invoke_uusss_method(struct sbus_request *dbus_req, void *function_ptr); + +/* arguments for org.freedesktop.sssd.DataProvider.Client.Register */ +const struct sbus_arg_meta iface_dp_client_Register__in[] = { + { "Name", "s" }, + { NULL, } +}; + +int iface_dp_client_Register_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.DataProvider.Client */ +const struct sbus_method_meta iface_dp_client__methods[] = { + { + "Register", /* name */ + iface_dp_client_Register__in, + NULL, /* no out_args */ + offsetof(struct iface_dp_client, Register), + invoke_s_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.DataProvider.Client */ +const struct sbus_interface_meta iface_dp_client_meta = { + "org.freedesktop.sssd.DataProvider.Client", /* name */ + iface_dp_client__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.DataProvider.Backend.IsOnline */ +const struct sbus_arg_meta iface_dp_backend_IsOnline__in[] = { + { "domain_name", "s" }, + { NULL, } +}; + +/* arguments for 
org.freedesktop.sssd.DataProvider.Backend.IsOnline */ +const struct sbus_arg_meta iface_dp_backend_IsOnline__out[] = { + { "status", "b" }, + { NULL, } +}; + +int iface_dp_backend_IsOnline_finish(struct sbus_request *req, bool arg_status) +{ + dbus_bool_t cast_status = arg_status; + return sbus_request_return_and_finish(req, + DBUS_TYPE_BOOLEAN, &cast_status, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.DataProvider.Backend */ +const struct sbus_method_meta iface_dp_backend__methods[] = { + { + "IsOnline", /* name */ + iface_dp_backend_IsOnline__in, + iface_dp_backend_IsOnline__out, + offsetof(struct iface_dp_backend, IsOnline), + invoke_s_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.DataProvider.Backend */ +const struct sbus_interface_meta iface_dp_backend_meta = { + "org.freedesktop.sssd.DataProvider.Backend", /* name */ + iface_dp_backend__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.DataProvider.Failover.ListServices */ +const struct sbus_arg_meta iface_dp_failover_ListServices__in[] = { + { "domain_name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.DataProvider.Failover.ListServices */ +const struct sbus_arg_meta iface_dp_failover_ListServices__out[] = { + { "services", "as" }, + { NULL, } +}; + +int iface_dp_failover_ListServices_finish(struct sbus_request *req, const char *arg_services[], int len_services) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_services, len_services, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.DataProvider.Failover.ActiveServer */ +const struct sbus_arg_meta iface_dp_failover_ActiveServer__in[] = { + { "service_name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.DataProvider.Failover.ActiveServer */ +const struct sbus_arg_meta iface_dp_failover_ActiveServer__out[] = { + { 
"server", "s" }, + { NULL, } +}; + +int iface_dp_failover_ActiveServer_finish(struct sbus_request *req, const char *arg_server) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_STRING, &arg_server, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.DataProvider.Failover.ListServers */ +const struct sbus_arg_meta iface_dp_failover_ListServers__in[] = { + { "service_name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.DataProvider.Failover.ListServers */ +const struct sbus_arg_meta iface_dp_failover_ListServers__out[] = { + { "servers", "as" }, + { NULL, } +}; + +int iface_dp_failover_ListServers_finish(struct sbus_request *req, const char *arg_servers[], int len_servers) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_servers, len_servers, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.DataProvider.Failover */ +const struct sbus_method_meta iface_dp_failover__methods[] = { + { + "ListServices", /* name */ + iface_dp_failover_ListServices__in, + iface_dp_failover_ListServices__out, + offsetof(struct iface_dp_failover, ListServices), + invoke_s_method, + }, + { + "ActiveServer", /* name */ + iface_dp_failover_ActiveServer__in, + iface_dp_failover_ActiveServer__out, + offsetof(struct iface_dp_failover, ActiveServer), + invoke_s_method, + }, + { + "ListServers", /* name */ + iface_dp_failover_ListServers__in, + iface_dp_failover_ListServers__out, + offsetof(struct iface_dp_failover, ListServers), + invoke_s_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.DataProvider.Failover */ +const struct sbus_interface_meta iface_dp_failover_meta = { + "org.freedesktop.sssd.DataProvider.Failover", /* name */ + iface_dp_failover__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +int iface_dp_access_control_RefreshRules_finish(struct sbus_request *req) +{ + return 
sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.DataProvider.AccessControl */ +const struct sbus_method_meta iface_dp_access_control__methods[] = { + { + "RefreshRules", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_dp_access_control, RefreshRules), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.DataProvider.AccessControl */ +const struct sbus_interface_meta iface_dp_access_control_meta = { + "org.freedesktop.sssd.DataProvider.AccessControl", /* name */ + iface_dp_access_control__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.dataprovider.autofsHandler */ +const struct sbus_arg_meta iface_dp_autofsHandler__in[] = { + { "dp_flags", "u" }, + { "mapname", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.dataprovider.autofsHandler */ +const struct sbus_arg_meta iface_dp_autofsHandler__out[] = { + { "dp_error", "q" }, + { "error", "u" }, + { "error_message", "s" }, + { NULL, } +}; + +int iface_dp_autofsHandler_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_error_message) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_UINT16, &arg_dp_error, + DBUS_TYPE_UINT32, &arg_error, + DBUS_TYPE_STRING, &arg_error_message, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.dataprovider.hostHandler */ +const struct sbus_arg_meta iface_dp_hostHandler__in[] = { + { "dp_flags", "u" }, + { "name", "s" }, + { "alias", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.dataprovider.hostHandler */ +const struct sbus_arg_meta iface_dp_hostHandler__out[] = { + { "dp_error", "q" }, + { "error", "u" }, + { "error_message", "s" }, + { NULL, } +}; + +int iface_dp_hostHandler_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char 
*arg_error_message) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_UINT16, &arg_dp_error, + DBUS_TYPE_UINT32, &arg_error, + DBUS_TYPE_STRING, &arg_error_message, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.dataprovider.getDomains */ +const struct sbus_arg_meta iface_dp_getDomains__in[] = { + { "domain_hint", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.dataprovider.getDomains */ +const struct sbus_arg_meta iface_dp_getDomains__out[] = { + { "dp_error", "q" }, + { "error", "u" }, + { "error_message", "s" }, + { NULL, } +}; + +int iface_dp_getDomains_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_error_message) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_UINT16, &arg_dp_error, + DBUS_TYPE_UINT32, &arg_error, + DBUS_TYPE_STRING, &arg_error_message, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.dataprovider.getAccountInfo */ +const struct sbus_arg_meta iface_dp_getAccountInfo__in[] = { + { "dp_flags", "u" }, + { "entry_type", "u" }, + { "filter", "s" }, + { "domain", "s" }, + { "extra", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.dataprovider.getAccountInfo */ +const struct sbus_arg_meta iface_dp_getAccountInfo__out[] = { + { "dp_error", "q" }, + { "error", "u" }, + { "error_message", "s" }, + { NULL, } +}; + +int iface_dp_getAccountInfo_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_error_message) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_UINT16, &arg_dp_error, + DBUS_TYPE_UINT32, &arg_error, + DBUS_TYPE_STRING, &arg_error_message, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.dataprovider.getAccountDomain */ +const struct sbus_arg_meta iface_dp_getAccountDomain__in[] = { + { "entry_type", "u" }, + { "filter", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.dataprovider.getAccountDomain */ +const struct sbus_arg_meta 
iface_dp_getAccountDomain__out[] = { + { "dp_error", "q" }, + { "error", "u" }, + { "domain_name", "s" }, + { NULL, } +}; + +int iface_dp_getAccountDomain_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_domain_name) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_UINT16, &arg_dp_error, + DBUS_TYPE_UINT32, &arg_error, + DBUS_TYPE_STRING, &arg_domain_name, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.dataprovider */ +const struct sbus_method_meta iface_dp__methods[] = { + { + "pamHandler", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_dp, pamHandler), + NULL, /* no invoker */ + }, + { + "sudoHandler", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_dp, sudoHandler), + NULL, /* no invoker */ + }, + { + "autofsHandler", /* name */ + iface_dp_autofsHandler__in, + iface_dp_autofsHandler__out, + offsetof(struct iface_dp, autofsHandler), + invoke_us_method, + }, + { + "hostHandler", /* name */ + iface_dp_hostHandler__in, + iface_dp_hostHandler__out, + offsetof(struct iface_dp, hostHandler), + invoke_uss_method, + }, + { + "getDomains", /* name */ + iface_dp_getDomains__in, + iface_dp_getDomains__out, + offsetof(struct iface_dp, getDomains), + invoke_s_method, + }, + { + "getAccountInfo", /* name */ + iface_dp_getAccountInfo__in, + iface_dp_getAccountInfo__out, + offsetof(struct iface_dp, getAccountInfo), + invoke_uusss_method, + }, + { + "getAccountDomain", /* name */ + iface_dp_getAccountDomain__in, + iface_dp_getAccountDomain__out, + offsetof(struct iface_dp, getAccountDomain), + invoke_us_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.dataprovider */ +const struct sbus_interface_meta iface_dp_meta = { + "org.freedesktop.sssd.dataprovider", /* name */ + iface_dp__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* invokes a 
handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + int (*handler)(struct sbus_request *, void *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} + +/* invokes a handler with a 'uss' DBus signature */ +static int invoke_uss_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + const char * arg_1; + const char * arg_2; + int (*handler)(struct sbus_request *, void *, uint32_t, const char *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_STRING, &arg_1, + DBUS_TYPE_STRING, &arg_2, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1, + arg_2); +} + +/* invokes a handler with a 'uusss' DBus signature */ +static int invoke_uusss_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + uint32_t arg_1; + const char * arg_2; + const char * arg_3; + const char * arg_4; + int (*handler)(struct sbus_request *, void *, uint32_t, uint32_t, const char *, const char *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_UINT32, &arg_1, + DBUS_TYPE_STRING, &arg_2, + DBUS_TYPE_STRING, &arg_3, + DBUS_TYPE_STRING, &arg_4, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1, + arg_2, + arg_3, + arg_4); +} + +/* invokes a handler with a 'us' DBus signature */ +static int invoke_us_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + const char * arg_1; + int (*handler)(struct sbus_request *, void *, uint32_t, const 
char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_STRING, &arg_1, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1); +} diff --git a/src/providers/data_provider/dp_iface_generated.h b/src/providers/data_provider/dp_iface_generated.h new file mode 100644 index 0000000..b629ec7 --- /dev/null +++ b/src/providers/data_provider/dp_iface_generated.h 
@@ -0,0 +1,157 @@ +/* The following declarations are auto-generated from dp_iface.xml */ + +#ifndef __DP_IFACE_XML__ +#define __DP_IFACE_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for org.freedesktop.sssd.DataProvider.Client */ +#define IFACE_DP_CLIENT "org.freedesktop.sssd.DataProvider.Client" +#define IFACE_DP_CLIENT_REGISTER "Register" + +/* constants for org.freedesktop.sssd.DataProvider.Backend */ +#define IFACE_DP_BACKEND "org.freedesktop.sssd.DataProvider.Backend" +#define IFACE_DP_BACKEND_ISONLINE "IsOnline" + +/* constants for org.freedesktop.sssd.DataProvider.Failover */ +#define IFACE_DP_FAILOVER "org.freedesktop.sssd.DataProvider.Failover" +#define IFACE_DP_FAILOVER_LISTSERVICES "ListServices" +#define IFACE_DP_FAILOVER_ACTIVESERVER "ActiveServer" +#define IFACE_DP_FAILOVER_LISTSERVERS "ListServers" + +/* constants for org.freedesktop.sssd.DataProvider.AccessControl */ +#define IFACE_DP_ACCESS_CONTROL "org.freedesktop.sssd.DataProvider.AccessControl" +#define IFACE_DP_ACCESS_CONTROL_REFRESHRULES "RefreshRules" + +/* constants for org.freedesktop.sssd.dataprovider */ +#define IFACE_DP "org.freedesktop.sssd.dataprovider" +#define IFACE_DP_PAMHANDLER "pamHandler" +#define IFACE_DP_SUDOHANDLER "sudoHandler" +#define IFACE_DP_AUTOFSHANDLER "autofsHandler" +#define IFACE_DP_HOSTHANDLER "hostHandler" +#define IFACE_DP_GETDOMAINS "getDomains" +#define IFACE_DP_GETACCOUNTINFO "getAccountInfo" +#define IFACE_DP_GETACCOUNTDOMAIN "getAccountDomain" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. 
+ * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. + */ + +/* vtable for org.freedesktop.sssd.DataProvider.Client */ +struct iface_dp_client { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*Register)(struct sbus_request *req, void *data, const char *arg_Name); +}; + +/* finish function for Register */ +int iface_dp_client_Register_finish(struct sbus_request *req); + +/* vtable for org.freedesktop.sssd.DataProvider.Backend */ +struct iface_dp_backend { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*IsOnline)(struct sbus_request *req, void *data, const char *arg_domain_name); +}; + +/* finish function for IsOnline */ +int iface_dp_backend_IsOnline_finish(struct sbus_request *req, bool arg_status); + +/* vtable for org.freedesktop.sssd.DataProvider.Failover */ +struct iface_dp_failover { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*ListServices)(struct sbus_request *req, void *data, const char *arg_domain_name); + int (*ActiveServer)(struct sbus_request *req, void *data, const char *arg_service_name); + int (*ListServers)(struct sbus_request *req, void *data, const char *arg_service_name); +}; + +/* finish function for ListServices */ +int iface_dp_failover_ListServices_finish(struct sbus_request *req, const char *arg_services[], int len_services); + +/* finish function for ActiveServer */ +int iface_dp_failover_ActiveServer_finish(struct sbus_request *req, const char 
*arg_server); + +/* finish function for ListServers */ +int iface_dp_failover_ListServers_finish(struct sbus_request *req, const char *arg_servers[], int len_servers); + +/* vtable for org.freedesktop.sssd.DataProvider.AccessControl */ +struct iface_dp_access_control { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*RefreshRules)(struct sbus_request *req, void *data); +}; + +/* finish function for RefreshRules */ +int iface_dp_access_control_RefreshRules_finish(struct sbus_request *req); + +/* vtable for org.freedesktop.sssd.dataprovider */ +struct iface_dp { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + sbus_msg_handler_fn pamHandler; + sbus_msg_handler_fn sudoHandler; + int (*autofsHandler)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, const char *arg_mapname); + int (*hostHandler)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, const char *arg_name, const char *arg_alias); + int (*getDomains)(struct sbus_request *req, void *data, const char *arg_domain_hint); + int (*getAccountInfo)(struct sbus_request *req, void *data, uint32_t arg_dp_flags, uint32_t arg_entry_type, const char *arg_filter, const char *arg_domain, const char *arg_extra); + int (*getAccountDomain)(struct sbus_request *req, void *data, uint32_t arg_entry_type, const char *arg_filter); +}; + +/* finish function for autofsHandler */ +int iface_dp_autofsHandler_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_error_message); + +/* finish function for hostHandler */ +int iface_dp_hostHandler_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_error_message); + +/* finish function for getDomains */ +int iface_dp_getDomains_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_error_message); + +/* finish function for getAccountInfo */ +int iface_dp_getAccountInfo_finish(struct sbus_request *req, uint16_t arg_dp_error, 
uint32_t arg_error, const char *arg_error_message); + +/* finish function for getAccountDomain */ +int iface_dp_getAccountDomain_finish(struct sbus_request *req, uint16_t arg_dp_error, uint32_t arg_error, const char *arg_domain_name); + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. + */ + +/* interface info for org.freedesktop.sssd.DataProvider.Client */ +extern const struct sbus_interface_meta iface_dp_client_meta; + +/* interface info for org.freedesktop.sssd.DataProvider.Backend */ +extern const struct sbus_interface_meta iface_dp_backend_meta; + +/* interface info for org.freedesktop.sssd.DataProvider.Failover */ +extern const struct sbus_interface_meta iface_dp_failover_meta; + +/* interface info for org.freedesktop.sssd.DataProvider.AccessControl */ +extern const struct sbus_interface_meta iface_dp_access_control_meta; + +/* interface info for org.freedesktop.sssd.dataprovider */ +extern const struct sbus_interface_meta iface_dp_meta; + +#endif /* __DP_IFACE_XML__ */ diff --git a/src/providers/data_provider/dp_methods.c b/src/providers/data_provider/dp_methods.c new file mode 100644 index 0000000..9e49c5f --- /dev/null +++ b/src/providers/data_provider/dp_methods.c 
@@ -0,0 +1,128 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "config.h"
+#include "providers/data_provider/dp.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/backend.h"
+#include "util/util.h"
+
+void _dp_set_method(struct dp_method *methods,
+ enum dp_methods method,
+ dp_req_send_fn send_fn,
+ dp_req_recv_fn recv_fn,
+ void *method_data,
+ const char *method_dtype,
+ const char *request_dtype,
+ const char *output_dtype,
+ uint32_t output_size)
+{
+ if (method >= DP_METHOD_SENTINEL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: invalid method %d\n", method);
+ return;
+ }
+
+ /* Each method can be set only once, if we attempt to set it twice it
+ * is a bug in module initialization. */
+ if (methods[method].send_fn != NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: method %d is already set!\n", method);
+ return;
+ }
+
+ if (send_fn == NULL || recv_fn == NULL || method_dtype == NULL
+ || request_dtype == NULL || output_dtype == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: one or more required parameter was "
+ "not provided for method %d\n", method);
+ return;
+ }
+
+ methods[method].send_fn = send_fn;
+ methods[method].recv_fn = recv_fn;
+ methods[method].method_data = method_data;
+
+ methods[method].method_dtype = method_dtype;
+ methods[method].request_dtype = request_dtype;
+ methods[method].output_dtype = output_dtype;
+ methods[method].output_size = output_size;
+}
+
+bool dp_method_enabled(struct data_provider *provider,
+ enum dp_targets target,
+ enum dp_methods method)
+{
+ struct dp_target *dp_target;
+
+ if (target >= DP_TARGET_SENTINEL || method >= DP_METHOD_SENTINEL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: Invalid target or method ID\n");
+ return false;
+ }
+
+ if (provider == NULL || provider->targets == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Target %s is not yet initialized\n",
+ dp_target_to_string(target));
+ return false;
+ }
+
+ dp_target = provider->targets[target];
+ if (dp_target == NULL || dp_target->initialized == false) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Target %s is not configured\n",
+ dp_target_to_string(target));
+ return false;
+ }
+
+ if (dp_target->methods[method].send_fn == NULL) {
+ return false;
+ }
+
+ return true;
+}
+
+errno_t dp_find_method(struct data_provider *provider,
+ enum dp_targets target,
+ enum dp_methods method,
+ struct dp_method **_execute)
+{
+ struct dp_method *execute;
+
+ if (target >= DP_TARGET_SENTINEL || method >= DP_METHOD_SENTINEL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: Invalid target or method ID\n");
+ return ERR_INTERNAL;
+ }
+
+ if (!dp_target_initialized(provider->targets, target)) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Target [%s] is not initialized\n",
+ dp_target_to_string(target));
+ return ERR_MISSING_DP_TARGET;
+ }
+
+ execute = &provider->targets[target]->methods[method];
+ if (execute->send_fn == NULL || execute->recv_fn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Bug: Invalid combination of target [%s] and method [%d]\n",
+ dp_target_to_string(target), method);
+ return ERR_INTERNAL;
+ }
+
+ *_execute = execute;
+
+ return EOK;
+}
diff --git a/src/providers/data_provider/dp_modules.c b/src/providers/data_provider/dp_modules.c
new file mode 100644
index 0000000..2e6e33d
--- /dev/null
+++ b/src/providers/data_provider/dp_modules.c
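Review bot: dp_find_method() reads `provider->targets` without the `provider == NULL || provider->targets == NULL` guard that dp_method_enabled() applies earlier in the same file, so the two lookups disagree on how an uninitialised provider is handled. Whether dp_target_initialized() tolerates a NULL `targets` array cannot be seen here (it is only declared in dp_private.h), so I would put the same guard in front of that call, e.g. `if (provider == NULL || provider->targets == NULL) return ERR_MISSING_DP_TARGET;`. `*_execute` is also left unwritten on every error return; a `*_execute = NULL;` at the top of the function keeps a caller that mishandles the return code from using an indeterminate pointer.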
@@ -0,0 +1,224 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "config.h" +#include "providers/data_provider/dp.h" +#include "providers/data_provider/dp_private.h" +#include "providers/backend.h" +#include "util/util.h" + +/* There can be at most the same number of different modules loaded at + * one time as the maximum number of defined targets. */ +#define DP_MAX_MODULES DP_TARGET_SENTINEL + +#define DP_MODULE_PATH DATA_PROVIDER_PLUGINS_PATH "/libsss_%s.so" +#define DP_MODULE_INIT_FN "sssm_%s_init" + +static errno_t dp_module_open_lib(struct dp_module *module) +{ + char *libpath = NULL; + errno_t ret; + + libpath = talloc_asprintf(module, DP_MODULE_PATH, module->name); + if (libpath == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Loading module [%s] with path [%s]\n", + module->name, libpath); + + module->libhandle = dlopen(libpath, RTLD_NOW); + if (module->libhandle == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load module [%s] with path " + "[%s]: %s\n", module->name, libpath, dlerror()); + ret = ELIBACC; + goto done; + } + + ret = EOK; + +done: + talloc_free(libpath); + return ret; +} + +static errno_t dp_module_run_constructor(struct dp_module *module, + struct be_ctx *be_ctx, + struct data_provider *provider) +{ + char *fn_name; + 
dp_module_init_fn fn; + errno_t ret; + + fn_name = talloc_asprintf(module, DP_MODULE_INIT_FN, module->name); + if (fn_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n"); + return ENOMEM; + } + + fn = (dp_module_init_fn)dlsym(module->libhandle, fn_name); + if (fn != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Executing module [%s] constructor.\n", + module->name); + + ret = fn(module, be_ctx, provider, module->name, &module->module_data); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Module [%s] constructor failed " + "[%d]: %s\n", module->name, ret, sss_strerror(ret)); + goto done; + } + } else { + DEBUG(SSSDBG_TRACE_FUNC, "No constructor found for module [%s].\n", + module->name); + module->module_data = NULL; + ret = EOK; + goto done; + } + + ret = EOK; + +done: + talloc_free(fn_name); + return ret; +} + +static errno_t dp_module_find(struct dp_module **modules, + const char *name, + struct dp_module **_module, + unsigned int *_slot) +{ + unsigned int slot; + + for (slot = 0; modules[slot] != NULL; slot++) { + if (strcmp(modules[slot]->name, name) == 0) { + *_module = modules[slot]; + *_slot = slot; + + return EOK; + } + } + + if (slot == DP_MAX_MODULES) { + /* This should not happen. 
*/ + DEBUG(SSSDBG_CRIT_FAILURE, "All module slots are taken.\n"); + + return ERR_INTERNAL; + } + + *_module = NULL; + *_slot = slot; + + return EOK; +} + +static struct dp_module *dp_module_create(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + const char *name) +{ + struct dp_module *module; + errno_t ret; + + module = talloc_zero(mem_ctx, struct dp_module); + if (module == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + ret = ENOMEM; + goto done; + } + + module->name = talloc_strdup(module, name); + if (module->name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + ret = ENOMEM; + goto done; + } + + ret = dp_module_open_lib(module); + if (ret != EOK) { + goto done; + } + + ret = dp_module_run_constructor(module, be_ctx, provider); + if (ret != EOK) { + goto done; + } + + module->initialized = true; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(module); + return NULL; + } + + return module; +} + +struct dp_module *dp_load_module(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + struct dp_module **modules, + const char *name) +{ + struct dp_module *module; + unsigned int free_slot; + errno_t ret; + + ret = dp_module_find(modules, name, &module, &free_slot); + if (ret != EOK) { + return NULL; + } + + if (module != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Module [%s] is already loaded.\n", name); + return module; + } + + DEBUG(SSSDBG_TRACE_FUNC, "About to load module [%s].\n", name); + + module = dp_module_create(mem_ctx, be_ctx, provider, name); + if (module == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create DP module.\n"); + return NULL; + } + + modules[free_slot] = module; + + return module; +} + +errno_t dp_init_modules(TALLOC_CTX *mem_ctx, struct dp_module ***_modules) +{ + struct dp_module **modules; + + modules = talloc_zero_array(mem_ctx, struct dp_module *, + DP_MAX_MODULES + 1); + if (modules == NULL) { + return ENOMEM; + } + + *_modules = 
modules; + + return EOK; +} diff --git a/src/providers/data_provider/dp_private.h b/src/providers/data_provider/dp_private.h new file mode 100644 index 0000000..028070f --- /dev/null +++ b/src/providers/data_provider/dp_private.h 
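Review bot: `name` is formatted straight into the dlopen() path (`DP_MODULE_PATH`) in dp_module_open_lib() and into the dlsym() symbol (`DP_MODULE_INIT_FN`) in dp_module_run_constructor() with no check on its characters. The callers of dp_load_module() are outside this file, so I cannot tell whether the value is always a fixed provider name; if it can come from configuration, a `/` in it means the resolved path is no longer confined to `DATA_PROVIDER_PLUGINS_PATH`. A guard at the top of dp_load_module(), before dp_module_find() hands `name` to strcmp(), would cover both uses: `if (name == NULL || *name == '\0' || strchr(name, '/') != NULL) return NULL;`. Separately, when the constructor fails dp_module_create() frees the module but nothing visible calls dlclose() on `module->libhandle`; if keeping the library mapped is intentional, a short comment saying so would help.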
@@ -0,0 +1,248 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _DP_PRIVATE_H_ +#define _DP_PRIVATE_H_ + +#include +#include +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp.h" +#include "util/util.h" + +#define DP_REQ_DEBUG(level, name, fmt, ...) \ + DEBUG(level, "DP Request [%s]: " fmt "\n", (name ?: "Unknown"), ##__VA_ARGS__) + +enum dp_clients { + DPC_NSS, + DPC_PAM, + DPC_IFP, + DPC_PAC, + DPC_SUDO, + DPC_HOST, + DPC_AUTOFS, + + DP_CLIENT_SENTINEL +}; + +struct dp_req; +struct dp_client; + +struct dp_module { + bool initialized; + const char *name; + void *module_data; + void *libhandle; +}; + +struct dp_target { + const char *name; + const char *module_name; + bool explicitly_configured; + + bool initialized; + enum dp_targets target; + struct dp_module *module; + struct dp_method *methods; +}; + +struct dp_method { + dp_req_send_fn send_fn; + dp_req_recv_fn recv_fn; + void *method_data; + const char *method_dtype; + const char *request_dtype; + const char *output_dtype; + uint32_t output_size; +}; + +struct data_provider { + uid_t uid; + gid_t gid; + struct be_ctx *be_ctx; + struct tevent_context *ev; + struct sbus_connection *srv_conn; + struct dp_client *clients[DP_CLIENT_SENTINEL]; + bool terminating; + + struct { + /* Numeric identificator that will be assigned to next request. 
*/ + uint32_t index; + + /* List of all ongoing requests. */ + uint32_t num_active; + struct dp_req *active; + + /* Table containing list of sbus_requests where DP sends reply when + * a request is finished. Value of this table is pair + * + */ + hash_table_t *reply_table; + } requests; + + struct dp_module **modules; + struct dp_target **targets; +}; + +errno_t dp_find_method(struct data_provider *provider, + enum dp_targets target, + enum dp_methods method, + struct dp_method **_execute); + +struct dp_module *dp_load_module(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + struct dp_module **modules, + const char *name); + +errno_t dp_init_modules(TALLOC_CTX *mem_ctx, struct dp_module ***_modules); + +const char *dp_target_to_string(enum dp_targets target); + +bool dp_target_initialized(struct dp_target **targets, enum dp_targets type); + +errno_t dp_init_targets(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + struct dp_module **modules); + +/* Reply callbacks. */ + +typedef void (*dp_req_post_fn)(const char *req_name, + struct data_provider *provider, + void *post_data, + void *reply_data); + +typedef void (*dp_req_reply_fn)(const char *req_name, + struct sbus_request *sbus_req, + void *data); + +void dp_req_reply_default(const char *req_name, + struct sbus_request *sbus_req, + void **data); + +/* Data provider request table. 
*/ + +struct dp_sbus_req_item; + +struct dp_table_value { + hash_table_t *table; + const char *key; + + struct tevent_req *req; + struct dp_sbus_req_item *list; +}; + +struct dp_sbus_req_item { + struct dp_table_value *parent; + struct sbus_request *sbus_req; + + struct dp_sbus_req_item *prev; + struct dp_sbus_req_item *next; +}; + +char *dp_req_table_key(TALLOC_CTX *mem_ctx, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + const char *custom_part); + +errno_t dp_req_table_init(TALLOC_CTX *mem_ctx, hash_table_t **_table); + +struct dp_table_value *dp_req_table_lookup(hash_table_t *table, + const char *key); + +errno_t dp_req_table_add(hash_table_t *table, + const char *key, + struct tevent_req *req, + struct sbus_request *sbus_req); + +void dp_req_table_del(hash_table_t *table, + const char *key); + +void dp_req_table_del_and_free(hash_table_t *table, + const char *key); + +bool dp_req_table_has_key(hash_table_t *table, + const char *key); + +/* Data provider request. */ + +void dp_terminate_active_requests(struct data_provider *provider); + +void dp_req_reply_error(struct sbus_request *sbus_req, + const char *req_name, + errno_t ret); + +void _dp_req_with_reply(struct dp_client *dp_cli, + const char *domain, + const char *request_name, + const char *custom_key, + struct sbus_request *sbus_req, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + dp_req_post_fn postprocess_fn, + void *postprocess_data, + dp_req_reply_fn reply_fn, + const char *output_dtype); + +/** + * If @domain is NULL, be_ctx->domain is used. + * If req_key is NULL, address of sbus_req is used. + * + * If @pp_fn (post process function) is set it is call on a successful + * DP request before reply is sent. 
+ */ +#define dp_req_with_reply_pp(dp_cli, domain, req_name, req_key, sbus_req, \ + target, method, dp_flags, req_data, pp_fn, \ + pp_data, pp_dtype, reply_fn, output_dtype) \ + do { \ + /* Check postprocess function parameter types. */ \ + void (*__pp_fn)(const char *, struct data_provider *, \ + pp_dtype *, output_dtype *) = (pp_fn); \ + pp_dtype *__pp_data = (pp_data); \ + \ + /* Check reply function parameter types. */ \ + void (*__reply_fn)(const char *, struct sbus_request *, \ + output_dtype *) = (reply_fn); \ + \ + _dp_req_with_reply(dp_cli, domain, req_name, req_key, sbus_req, \ + target, method, dp_flags, req_data, \ + (dp_req_post_fn)__pp_fn, __pp_data, \ + (dp_req_reply_fn)__reply_fn, #output_dtype); \ + } while(0) + +#define dp_req_with_reply(dp_cli, domain, req_name, req_key, sbus_req, target,\ + method, dp_flags, req_data, reply_fn, \ + output_dtype) \ + dp_req_with_reply_pp(dp_cli, domain, req_name, req_key, sbus_req, target, \ + method, dp_flags, req_data, NULL, NULL, void, \ + reply_fn, output_dtype) + +/* Client shared functions. */ + +errno_t dp_client_init(struct sbus_connection *conn, void *data); +struct data_provider *dp_client_provider(struct dp_client *dp_cli); +struct be_ctx *dp_client_be(struct dp_client *dp_cli); +struct sbus_connection *dp_client_conn(struct dp_client *dp_cli); + +#endif /* _DP_PRIVATE_H_ */ diff --git a/src/providers/data_provider/dp_reply_std.c b/src/providers/data_provider/dp_reply_std.c new file mode 100644 index 0000000..fc57615 --- /dev/null +++ b/src/providers/data_provider/dp_reply_std.c 
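Review bot: dp_req_with_reply_pp() type-checks `pp_fn` and `reply_fn` against `pp_dtype`/`output_dtype` and then casts them to `dp_req_post_fn` and `dp_req_reply_fn`, so `_dp_req_with_reply()` can only invoke them through a pointer type whose data parameters are `void *`. Calling a function through a pointer type that differs from its definition is undefined behaviour in ISO C; it works on the usual ABIs but is rejected by indirect-call control-flow-integrity checks in hardened builds. I would at least document the constraint above the macro, for example `/* pp_fn and reply_fn are invoked as dp_req_post_fn / dp_req_reply_fn; their typed parameters must be plain object pointers. */`. The doc comment also speaks of `req_key` and `@pp_fn` while `_dp_req_with_reply()` names those parameters `custom_key` and `postprocess_fn`, and dp_req_reply_default() is declared with `void **data` where `dp_req_reply_fn` takes `void *data`; please confirm that difference is intended.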
@@ -0,0 +1,131 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/backend.h"
+#include "util/sss_utf8.h"
+#include "util/util.h"
+
+static const char *dp_err_to_string(int dp_err_type)
+{
+ switch (dp_err_type) {
+ case DP_ERR_OK:
+ return "Success";
+ case DP_ERR_OFFLINE:
+ return "Provider is Offline";
+ case DP_ERR_TIMEOUT:
+ return "Request timed out";
+ case DP_ERR_FATAL:
+ return "Internal Error";
+ default:
+ break;
+ }
+
+ return "Unknown Error";
+}
+
+static const char *safe_be_req_err_msg(const char *msg_in,
+ int dp_err_type)
+{
+ bool ok;
+
+ if (msg_in == NULL) {
+ /* No custom error, just use default */
+ return dp_err_to_string(dp_err_type);
+ }
+
+ ok = sss_utf8_check((const uint8_t *) msg_in,
+ strlen(msg_in));
+ if (!ok) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Back end message [%s] contains invalid non-UTF8 character, " \
+ "using default\n", msg_in);
+ return dp_err_to_string(dp_err_type);
+ }
+
+ return msg_in;
+}
+
+void dp_req_reply_std(const char *request_name,
+ struct sbus_request *sbus_req,
+ struct dp_reply_std *reply)
+{
+ const char *safe_err_msg;
+
+ safe_err_msg = safe_be_req_err_msg(reply->message, reply->dp_error);
+
+ DP_REQ_DEBUG(SSSDBG_TRACE_LIBS, request_name, "Returning [%s]: %d,%d,%s",
+ dp_err_to_string(reply->dp_error), reply->dp_error,
+ reply->error, reply->message);
+
+ sbus_request_return_and_finish(sbus_req,
+ DBUS_TYPE_UINT16, &reply->dp_error,
+ DBUS_TYPE_UINT32, &reply->error,
+ DBUS_TYPE_STRING, &safe_err_msg,
+ DBUS_TYPE_INVALID);
+}
+
+void dp_reply_std_set(struct dp_reply_std *reply,
+ int dp_error,
+ int error,
+ const char *msg)
+{
+ const char *def_msg;
+
+ if (dp_error == DP_ERR_DECIDE) {
+ switch (error) {
+ case EOK:
+ dp_error = DP_ERR_OK;
+ break;
+ case ERR_OFFLINE:
+ dp_error = DP_ERR_OFFLINE;
+ break;
+ case ETIMEDOUT:
+ dp_error = DP_ERR_TIMEOUT;
+ break;
+ default:
+ dp_error = DP_ERR_FATAL;
+ break;
+ }
+ }
+
+ switch (dp_error) {
+ case DP_ERR_OK:
+ def_msg = "Success";
+ break;
+ case DP_ERR_OFFLINE:
+ def_msg = "Offline";
+ break;
+ default:
+ def_msg = sss_strerror(error);
+ break;
+ }
+
+ if (dp_error == DP_ERR_OK && error != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "DP Error is OK on failed request?\n");
+ }
+
+ reply->dp_error = dp_error;
+ reply->error = error;
+ reply->message = msg == NULL ? def_msg : msg;
+}
diff --git a/src/providers/data_provider/dp_request.c b/src/providers/data_provider/dp_request.c
new file mode 100644
index 0000000..6bc59c3
--- /dev/null
+++ b/src/providers/data_provider/dp_request.c
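Review bot: dp_req_reply_std() computes `safe_err_msg` but the DP_REQ_DEBUG call right after it still prints `reply->message`, which safe_be_req_err_msg() treats as possibly NULL and possibly not valid UTF-8. Passing NULL to `%s` is undefined and the unchecked back-end string ends up in the log, so the last argument should be the sanitised value: `reply->error, safe_err_msg);`. safe_be_req_err_msg() does the same in its own DEBUG line, logging `msg_in` with `%s` immediately after it failed the UTF-8 check; reporting only the length, e.g. `"Back end message of %zu bytes is not valid UTF-8, using default\n", strlen(msg_in)`, keeps raw bytes out of the debug log. Also, `&reply->dp_error` and `&reply->error` are sent as DBUS_TYPE_UINT16 and DBUS_TYPE_UINT32 while dp_reply_std_set() assigns both from `int`; struct dp_reply_std is declared outside this hunk, so please confirm the field widths match the D-Bus types.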
@@ -0,0 +1,465 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "sbus/sssd_dbus_errors.h" +#include "providers/data_provider/dp_private.h" +#include "providers/backend.h" +#include "util/dlinklist.h" +#include "util/util.h" +#include "util/probes.h" + +struct dp_req { + struct data_provider *provider; + struct dp_client *client; + uint32_t dp_flags; + + struct sss_domain_info *domain; + + enum dp_targets target; + enum dp_methods method; + struct dp_method *execute; + const char *name; + uint32_t num; + + struct tevent_req *req; + struct tevent_req *handler_req; + void *request_data; + + /* Active request list. */ + struct dp_req *prev; + struct dp_req *next; +}; + +static bool check_data_type(const char *expected, + const char *description, + void *ptr) +{ + void *tmp; + + /* If ptr is NULL we still return true since it is valid case. */ + tmp = talloc_check_name(ptr, expected); + if (tmp != NULL || ptr == NULL) { + return true; + } + + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid %s data type provided. 
Expected [%s], " + "got [%s].\n", description, expected, talloc_get_name(ptr)); + + return false; +} + +static bool check_method_data(struct dp_method *method, + void *request_data) +{ + if (!check_data_type(method->method_dtype, "method", method->method_data)) { + return false; + } + + if (!check_data_type(method->request_dtype, "request", request_data)) { + return false; + } + + return true; +} + +static int dp_req_destructor(struct dp_req *dp_req) +{ + DLIST_REMOVE(dp_req->provider->requests.active, dp_req); + + if (dp_req->provider->requests.num_active == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: there are no active requests!\n"); + return 0; + } + + dp_req->provider->requests.num_active--; + + DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, dp_req->name, "Request removed."); + + DEBUG(SSSDBG_TRACE_FUNC, "Number of active DP request: %u\n", + dp_req->provider->requests.num_active); + + return 0; +} + +static errno_t dp_attach_req(struct dp_req *dp_req, + struct data_provider *provider, + const char *name, + uint32_t dp_flags) +{ + /* If we run out of numbers we simply overflow. */ + dp_req->num = provider->requests.index++; + dp_req->name = talloc_asprintf(dp_req, "%s #%u", name, dp_req->num); + if (dp_req->name == NULL) { + return ENOMEM; + } + + /* Attach this request to active request list. */ + DLIST_ADD(provider->requests.active, dp_req); + provider->requests.num_active++; + + talloc_set_destructor(dp_req, dp_req_destructor); + + DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, dp_req->name, + "New request. 
Flags [%#.4x].", dp_flags); + + DEBUG(SSSDBG_TRACE_FUNC, "Number of active DP request: %u\n", + provider->requests.num_active); + + return EOK; +} + +static errno_t +dp_req_new(TALLOC_CTX *mem_ctx, + struct data_provider *provider, + struct dp_client *dp_cli, + const char *domainname, + const char *name, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + struct tevent_req *req, + struct dp_req **_dp_req) +{ + struct dp_req *dp_req; + struct be_ctx *be_ctx; + errno_t ret; + + /* We set output even for error to simplify code flow in the caller. */ + *_dp_req = NULL; + + dp_req = talloc_zero(mem_ctx, struct dp_req); + if (dp_req == NULL) { + return ENOMEM; + } + + dp_req->provider = provider; + dp_req->client = dp_cli; + dp_req->dp_flags = dp_flags; + dp_req->target = target; + dp_req->method = method; + dp_req->request_data = request_data; + dp_req->req = req; + + ret = dp_attach_req(dp_req, provider, name, dp_flags); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create DP request " + "[%s] [%d]: %s\n", name, ret, sss_strerror(ret)); + talloc_free(dp_req); + return ret; + } + + /* Now the request is created. We will return it even in case of error + * so we can get better debug messages. 
*/ + + talloc_steal(dp_req, dp_req->request_data); + *_dp_req = dp_req; + + be_ctx = provider->be_ctx; + dp_req->domain = be_ctx->domain; + if (domainname != NULL) { + dp_req->domain = find_domain_by_name(be_ctx->domain, domainname, true); + if (dp_req->domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain: %s\n", domainname); + return ERR_DOMAIN_NOT_FOUND; + } + } + + ret = dp_find_method(provider, target, method, &dp_req->execute); + + return ret; +} + +static errno_t +file_dp_request(TALLOC_CTX *mem_ctx, + struct data_provider *provider, + struct dp_client *dp_cli, + const char *domainname, + const char *name, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + struct tevent_req *req, + struct dp_req **_dp_req) +{ + struct dp_req_params *dp_params; + dp_req_send_fn send_fn; + struct dp_req *dp_req; + struct be_ctx *be_ctx; + errno_t ret; + + be_ctx = provider->be_ctx; + + ret = dp_req_new(mem_ctx, provider, dp_cli, domainname, name, target, + method, dp_flags, request_data, req, &dp_req); + if (ret != EOK) { + *_dp_req = dp_req; + goto done; + } + + /* DP request is already created. We will always return it to get nice + * debug messages. */ + *_dp_req = dp_req; + + /* Check that provided data are of correct type. 
*/ + + if (!check_method_data(dp_req->execute, dp_req->request_data)) { + ret = ERR_INVALID_DATA_TYPE; + goto done; + } + + /* Process data provider flags */ + + if (dp_flags & DP_FAST_REPLY && be_is_offline(be_ctx)) { + ret = ERR_OFFLINE; + goto done; + } + + /* File request */ + + dp_params = talloc_zero(dp_req, struct dp_req_params); + if (dp_params == NULL) { + ret = ENOMEM; + goto done; + } + + dp_params->ev = provider->ev; + dp_params->be_ctx = be_ctx; + dp_params->domain = dp_req->domain; + dp_params->target = dp_req->target; + dp_params->method = dp_req->method; + + send_fn = dp_req->execute->send_fn; + dp_req->handler_req = send_fn(dp_req, dp_req->execute->method_data, + dp_req->request_data, dp_params); + if (dp_req->handler_req == NULL) { + ret = ENOMEM; + goto done; + } + + *_dp_req = dp_req; + + ret = EOK; + +done: + return ret; +} + +struct dp_req_state { + struct dp_req *dp_req; + dp_req_recv_fn recv_fn; + void *output_data; +}; + +static void dp_req_done(struct tevent_req *subreq); + +struct tevent_req *dp_req_send(TALLOC_CTX *mem_ctx, + struct data_provider *provider, + struct dp_client *dp_cli, + const char *domain, + const char *name, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + const char **_request_name) +{ + struct dp_req_state *state; + const char *request_name; + struct tevent_req *req; + struct dp_req *dp_req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct dp_req_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + ret = file_dp_request(state, provider, dp_cli, domain, name, target, + method, dp_flags, request_data, req, &dp_req); + + if (dp_req == NULL) { + /* An error occurred before request could be created. 
*/ + if (_request_name != NULL) { + *_request_name = "Request Not Yet Created"; + } + + goto immediately; + } + + PROBE(DP_REQ_SEND, domain, dp_req->name, target, method); + state->dp_req = dp_req; + if (_request_name != NULL) { + request_name = talloc_strdup(mem_ctx, dp_req->name); + if (request_name == NULL) { + *_request_name = "Request Not Yet Created"; + ret = ENOMEM; + goto immediately; + } + *_request_name = request_name; + } + + if (ret != EOK) { + goto immediately; + } + + state->recv_fn = dp_req->execute->recv_fn; + state->output_data = talloc_zero_size(state, dp_req->execute->output_size); + if (state->output_data == NULL) { + ret = ENOMEM; + goto immediately; + } + + talloc_set_name_const(state->output_data, dp_req->execute->output_dtype); + + tevent_req_set_callback(dp_req->handler_req, dp_req_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, provider->ev); + + return req; +} + +static void dp_req_done(struct tevent_req *subreq) +{ + struct dp_req_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct dp_req_state); + + ret = state->recv_fn(state->output_data, subreq, state->output_data); + + /* subreq is the same as dp_req->handler_req */ + talloc_zfree(subreq); + state->dp_req->handler_req = NULL; + + PROBE(DP_REQ_DONE, state->dp_req->name, state->dp_req->target, + state->dp_req->method, ret, sss_strerror(ret)); + + DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->dp_req->name, + "Request handler finished [%d]: %s", ret, sss_strerror(ret)); + + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t _dp_req_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + const char *output_dtype, + void **_output_data) +{ + struct dp_req_state *state; + + state = tevent_req_data(req, struct dp_req_state); + + if 
(state->dp_req != NULL) { + DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->dp_req->name, + "Receiving request data."); + } else { + /* dp_req may be NULL in case we error when filing request */ + DEBUG(SSSDBG_TRACE_FUNC, + "Receiving data of prematurely interrupted request!\n"); + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (!check_data_type(output_dtype, "output", state->output_data)) { + return ERR_INVALID_DATA_TYPE; + } + + *_output_data = talloc_steal(mem_ctx, state->output_data); + + return EOK; +} + +static void dp_terminate_request(struct dp_req *dp_req) +{ + if (dp_req->handler_req == NULL) { + /* This may occur when the handler already finished but the caller + * of dp request did not yet received data/free dp_req. We just + * return here. */ + return; + } + + /* We will end the handler request and mark dp request as terminated. */ + + DP_REQ_DEBUG(SSSDBG_TRACE_ALL, dp_req->name, "Terminating."); + + talloc_zfree(dp_req->handler_req); + tevent_req_error(dp_req->req, ERR_TERMINATED); +} + +static void dp_terminate_request_list(struct data_provider *provider, + const char *domain) +{ + struct dp_req *next; + struct dp_req *cur; + + if (provider == NULL || provider->requests.active == NULL) { + return; + } + + for (cur = provider->requests.active; cur != NULL; cur = next) { + next = cur->next; + if (domain == NULL || strcmp(cur->domain->name, domain) == 0) { + dp_terminate_request(cur); + } + } +} + +void dp_terminate_active_requests(struct data_provider *provider) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Terminating active data provider requests\n"); + + dp_terminate_request_list(provider, NULL); +} + +void dp_terminate_domain_requests(struct data_provider *provider, + const char *domain) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Terminating active data provider requests " + "for domain [%s]\n", domain); + + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: domain is NULL!\n"); + return; + } + + dp_terminate_request_list(provider, domain); +} 
diff --git a/src/providers/data_provider/dp_request.h b/src/providers/data_provider/dp_request.h
new file mode 100644
index 0000000..361ab25
--- /dev/null
+++ b/src/providers/data_provider/dp_request.h
@@ -0,0 +1,77 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _DP_REQUEST_H_
+#define _DP_REQUEST_H_
+
+#include
+
+#include "providers/data_provider/dp.h"
+
+struct data_provider;
+struct dp_client;
+enum dp_targets;
+enum dp_methods;
+
+struct tevent_req *dp_req_send(TALLOC_CTX *mem_ctx,
+ struct data_provider *provider,
+ struct dp_client *dp_cli,
+ const char *domain,
+ const char *name,
+ enum dp_targets target,
+ enum dp_methods method,
+ uint32_t dp_flags,
+ void *request_data,
+ const char **_request_name);
+
+errno_t _dp_req_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ const char *data_type,
+ void **_data);
+
+/**
+ * Returns value of output data.
+ *
+ * @example
+ * struct dp_reply_std reply;
+ * ret = dp_req_recv(mem_ctx, req, struct dp_reply_std, &reply);
+ */
+#define dp_req_recv(mem_ctx, req, data_type, _data) \
+({ \
+ data_type *__value = NULL; \
+ errno_t __ret; \
+ __ret = _dp_req_recv(mem_ctx, req, #data_type, (void**)&__value); \
+ if (__ret == EOK) { \
+ *(_data) = *__value; \
+ } \
+ __ret; \
+})
+
+/**
+ * Returns pointer to output data type.
+ *
+ * @example
+ * struct dp_reply_std *reply;
+ * ret = dp_req_recv_ptr(mem_ctx, req, struct dp_reply_std, &reply);
+ */
+#define dp_req_recv_ptr(mem_ctx, req, data_type, _data) \
+ _dp_req_recv(mem_ctx, req, #data_type, (void**)_data)
+
+#endif /* _DP_REQUEST_H_ */
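Review bot: The doc comments on `dp_req_recv` and `dp_req_recv_ptr` do not say who owns the output buffer. `dp_req_recv` copies `*__value` into the caller's struct, while `_dp_req_recv` (dp_request.c in this same patch) has already moved the allocation onto `mem_ctx` with `talloc_steal`, so the buffer stays there until that context is freed. Because the copy is shallow, any pointer members the reply type may have still point into that allocation, and freeing it early would leave them dangling. I would add `* The reply is copied by value; the underlying buffer remains owned by mem_ctx.` to the first comment. In `dp_req_recv_ptr` the argument should also be parenthesized as `(void **)(_data)` so that a compound expression cannot bind to the cast incorrectly.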
diff --git a/src/providers/data_provider/dp_request_reply.c b/src/providers/data_provider/dp_request_reply.c
new file mode 100644
index 0000000..34440fd
--- /dev/null
+++ b/src/providers/data_provider/dp_request_reply.c
@@ -0,0 +1,372 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "sbus/sssd_dbus_errors.h" +#include "providers/data_provider/dp_private.h" +#include "providers/backend.h" +#include "util/dlinklist.h" +#include "util/sss_utf8.h" +#include "util/util.h" + +void dp_req_reply_default(const char *req_name, + struct sbus_request *sbus_req, + void **data) +{ + DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, req_name, "Replying with empty message"); + + sbus_request_return_and_finish(sbus_req, DBUS_TYPE_INVALID); +} + +static DBusError *dp_req_reply_gen_error(TALLOC_CTX *mem_ctx, + const char *req_name, + errno_t ret) +{ + DBusError *error; + + switch (ret) { + case EOK: + DP_REQ_DEBUG(SSSDBG_CRIT_FAILURE, req_name, + "Bug: Success case must be handled by custom handler."); + error = sbus_error_new(mem_ctx, SBUS_ERROR_INTERNAL, + "Operation succeeded but result was not handled"); + break; + case ERR_OFFLINE: + DP_REQ_DEBUG(SSSDBG_MINOR_FAILURE, req_name, + "Finished. Backend is currently offline."); + + error = sbus_error_new(mem_ctx, SBUS_ERROR_DP_OFFLINE, + "Backend is currently offline"); + break; + case ERR_MISSING_DP_TARGET: + DP_REQ_DEBUG(SSSDBG_MINOR_FAILURE, req_name, + "Finished. 
Target is not supported " + "with this configuration."); + + error = sbus_error_new(mem_ctx, SBUS_ERROR_DP_NOTSUP, + "Target is not supported."); + break; + default: + DP_REQ_DEBUG(SSSDBG_CRIT_FAILURE, req_name, + "Finished. Error [%d]: %s", ret, sss_strerror(ret)); + + error = sbus_error_new(mem_ctx, SBUS_ERROR_DP_FATAL, + "An error occurred [%d]: %s", ret, sss_strerror(ret)); + break; + } + + return error; +} + +void dp_req_reply_error(struct sbus_request *sbus_req, + const char *req_name, + errno_t ret) +{ + DBusError *error; + + error = dp_req_reply_gen_error(sbus_req, req_name, ret); + if (error == NULL) { + DP_REQ_DEBUG(SSSDBG_CRIT_FAILURE, req_name, + "Out of memory, killing request..."); + talloc_free(sbus_req); + return; + } + + sbus_request_fail_and_finish(sbus_req, error); +} + +static void dp_req_reply_list_error(struct dp_sbus_req_item *list, + const char *req_name, + errno_t ret) +{ + struct dp_sbus_req_item *next_item; + struct dp_sbus_req_item *item; + DBusError *error; + + error = dp_req_reply_gen_error(NULL, req_name, ret); + if (error == NULL) { + DP_REQ_DEBUG(SSSDBG_CRIT_FAILURE, req_name, + "Out of memory, killing request..."); + + for (item = list; item != NULL; item = next_item) { + next_item = item->next; + talloc_free(item->sbus_req); + } + + return; + } + + for (item = list; item != NULL; item = next_item) { + next_item = item->next; + sbus_request_fail_and_finish(item->sbus_req, error); + } + + talloc_free(error); + return; +} + +static void dp_req_reply_list_success(struct dp_sbus_req_item *list, + dp_req_reply_fn reply_fn, + const char *request_name, + void *output_data) +{ + struct dp_sbus_req_item *next_item; + struct dp_sbus_req_item *item; + + DP_REQ_DEBUG(SSSDBG_TRACE_FUNC, request_name, "Finished. 
Success."); + + for (item = list; item != NULL; item = next_item) { + next_item = item->next; + reply_fn(request_name, item->sbus_req, output_data); + } +} + +struct dp_req_with_reply_state { + struct data_provider *provider; + + void *postprocess_data; + dp_req_post_fn postprocess_fn; + + const char *output_dtype; + dp_req_reply_fn reply_fn; + const char *key; + const char *name; +}; + +static errno_t dp_req_with_reply_step(struct data_provider *provider, + struct dp_client *dp_cli, + const char *domain, + const char *request_name, + const char *custom_key, + struct sbus_request *sbus_req, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + dp_req_post_fn postprocess_fn, + void *postprocess_data, + dp_req_reply_fn reply_fn, + const char *output_dtype); + +static void dp_req_with_reply_done(struct tevent_req *req); + +void _dp_req_with_reply(struct dp_client *dp_cli, + const char *domain, + const char *request_name, + const char *custom_key, + struct sbus_request *sbus_req, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + dp_req_post_fn postprocess_fn, + void *postprocess_data, + dp_req_reply_fn reply_fn, + const char *output_dtype) +{ + TALLOC_CTX *tmp_ctx; + struct data_provider *provider; + const char *key; + bool has_key; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + provider = dp_client_provider(dp_cli); + + if (custom_key == NULL) { + /* It may not be always possible or desirable to have a meaningful key + * to chain sbus request. In such cases, we generate a unique key from + * sbus_req address that allows us to use the same code but the + * chaining is logically disabled. 
*/ + custom_key = talloc_asprintf(tmp_ctx, "%p", sbus_req); + if (custom_key == NULL) { + ret = ENOMEM; + goto done; + } + } + + key = dp_req_table_key(tmp_ctx, target, method, dp_flags, custom_key); + if (key == NULL) { + ret = ENOMEM; + goto done; + } + + has_key = dp_req_table_has_key(provider->requests.reply_table, key); + if (has_key) { + ret = dp_req_table_add(provider->requests.reply_table, + key, NULL, sbus_req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to attach sbus request to " + "existing data provider request [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Attaching to DP request: %s\n", key); + + ret = EOK; + goto done; + } + + ret = dp_req_with_reply_step(provider, dp_cli, domain, request_name, key, + sbus_req, target, method, dp_flags, + request_data, postprocess_fn, postprocess_data, + reply_fn, output_dtype); + +done: + if (ret == ENOMEM) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate memory for " + "new DP request, killing D-Bus request...\n"); + talloc_zfree(sbus_req); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize " + "DP request [%d: %s], killing D-Bus request...\n", + ret, sss_strerror(ret)); + talloc_zfree(sbus_req); + } + + talloc_free(tmp_ctx); +} + +static errno_t dp_req_with_reply_step(struct data_provider *provider, + struct dp_client *dp_cli, + const char *domain, + const char *request_name, + const char *custom_key, + struct sbus_request *sbus_req, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + void *request_data, + dp_req_post_fn postprocess_fn, + void *postprocess_data, + dp_req_reply_fn reply_fn, + const char *output_dtype) +{ + TALLOC_CTX *tmp_ctx; + struct dp_req_with_reply_state *state; + struct tevent_req *req; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + state = talloc_zero(tmp_ctx, struct dp_req_with_reply_state); + if (state == NULL) { + ret = ENOMEM; + goto 
done; + } + + state->provider = provider; + state->reply_fn = reply_fn; + state->key = talloc_strdup(state, custom_key); + if (state->key == NULL) { + ret = ENOMEM; + goto done; + } + + if (postprocess_fn != NULL) { + state->postprocess_data = postprocess_data; + state->postprocess_fn = postprocess_fn; + } + + state->output_dtype = talloc_strdup(state, output_dtype); + if (state->output_dtype == NULL) { + ret = ENOMEM; + goto done; + } + + req = dp_req_send(tmp_ctx, provider, dp_cli, domain, request_name, target, + method, dp_flags, request_data, &state->name); + if (req == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_req_table_add(provider->requests.reply_table, + custom_key, req, sbus_req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add request to table " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + tevent_req_set_callback(req, dp_req_with_reply_done, state); + + talloc_steal(provider, req); + talloc_steal(req, state); + talloc_steal(state, state->name); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static void dp_req_with_reply_done(struct tevent_req *req) +{ + struct dp_req_with_reply_state *state; + struct dp_table_value *value; + void *output_data; + errno_t ret; + + state = tevent_req_callback_data(req, struct dp_req_with_reply_state); + + value = dp_req_table_lookup(state->provider->requests.reply_table, + state->key); + if (value == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup table!\n"); + return; + } + + ret = _dp_req_recv(state, req, state->output_dtype, &output_data); + if (ret != EOK) { + dp_req_reply_list_error(value->list, state->name, ret); + goto done; + } + + /* Run postprocess function if any. */ + if (state->postprocess_fn != NULL) { + state->postprocess_fn(state->name, + state->provider, + state->postprocess_data, + output_data); + } + + /* Reply with data. 
*/ + dp_req_reply_list_success(value->list, state->reply_fn, + state->name, output_data); + +done: + /* Freeing value will remove it from the table as well. */ + talloc_free(value); + talloc_free(req); +} diff --git a/src/providers/data_provider/dp_request_table.c b/src/providers/data_provider/dp_request_table.c new file mode 100644 index 0000000..3693d87 --- /dev/null +++ b/src/providers/data_provider/dp_request_table.c 
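Review bot: `talloc_steal(state, state->name)` in `dp_req_with_reply_step` can be handed a string literal rather than a talloc allocation. `dp_req_send` (dp_request.c in this same patch) sets `*_request_name = "Request Not Yet Created"` when the DP request could not be created or when `talloc_strdup` of its name fails, and it still returns a non-NULL `req` on those paths, so the steal is reached. talloc validates the chunk header of the pointer it is given, so this would most likely abort the backend process on an error path that is typically hit under memory pressure. Receiving the name into a local and copying it, `state->name = talloc_strdup(state, name);` with the usual `ENOMEM` check before the request is added to the table, avoids stealing a pointer talloc does not own. Having `dp_req_send` only ever hand back talloc-allocated names would work as well.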
@@ -0,0 +1,263 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp_private.h" +#include "util/dlinklist.h" +#include "util/util.h" + +static int +dp_sbus_req_item_destructor(struct dp_sbus_req_item *item) +{ + DLIST_REMOVE(item->parent->list, item); + + return 0; +} + +static int +dp_table_value_destructor(struct dp_table_value *value) +{ + struct dp_sbus_req_item *next_item; + struct dp_sbus_req_item *item; + + DEBUG(SSSDBG_TRACE_FUNC, "Removing [%s] from reply table\n", value->key); + + dp_req_table_del(value->table, value->key); + + for (item = value->list; item != NULL; item = next_item) { + next_item = item->next; + talloc_free(item); + } + + return 0; +} + +static struct dp_sbus_req_item * +dp_sbus_req_item_new(struct dp_table_value *value, + struct sbus_request *sbus_req) +{ + struct dp_sbus_req_item *item; + + /* Attach to sbus_request so we ensure that this sbus_req is removed + * from the list when it is unexpectedly freed, for example when + * client connection is dropped. 
*/ + item = talloc_zero(sbus_req, struct dp_sbus_req_item); + if (item == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + return NULL; + } + + item->parent = value; + item->sbus_req = sbus_req; + + talloc_set_destructor(item, dp_sbus_req_item_destructor); + + return item; +} + +char *dp_req_table_key(TALLOC_CTX *mem_ctx, + enum dp_targets target, + enum dp_methods method, + uint32_t dp_flags, + const char *custom_part) +{ + const char *str = custom_part == NULL ? "(null)" : custom_part; + + return talloc_asprintf(mem_ctx, "%u:%u:%#.4x:%s", + target, method, dp_flags, str); +} + +errno_t dp_req_table_init(TALLOC_CTX *mem_ctx, hash_table_t **_table) +{ + return sss_hash_create(mem_ctx, 100, _table); +} + +struct dp_table_value *dp_req_table_lookup(hash_table_t *table, + const char *key) +{ + hash_key_t hkey; + hash_value_t hvalue; + int hret; + + hkey.type = HASH_KEY_STRING; + hkey.str = discard_const_p(char, key); + + hret = hash_lookup(table, &hkey, &hvalue); + if (hret == HASH_ERROR_KEY_NOT_FOUND) { + return NULL; + } else if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search hash table [%d]\n", hret); + return NULL; + } + + return hvalue.ptr; +} + +static errno_t dp_req_table_new_item(hash_table_t *table, + const char *key, + struct tevent_req *req, + struct sbus_request *sbus_req) +{ + hash_key_t hkey; + hash_value_t hvalue; + struct dp_table_value *table_value; + errno_t ret; + int hret; + + /* Attach it to request. 
*/ + table_value = talloc_zero(req, struct dp_table_value); + if (table_value == NULL) { + return ENOMEM; + } + + table_value->table = table; + table_value->key = talloc_strdup(table_value, key); + if (table_value->key == NULL) { + ret = ENOMEM; + goto done; + } + + table_value->req = req; + table_value->list = dp_sbus_req_item_new(table_value, sbus_req); + if (table_value->list == NULL) { + ret = ENOMEM; + goto done; + } + + talloc_set_destructor(table_value, dp_table_value_destructor); + + hkey.type = HASH_KEY_STRING; + hkey.str = discard_const_p(char, key); + + hvalue.type = HASH_VALUE_PTR; + hvalue.ptr = table_value; + + hret = hash_enter(table, &hkey, &hvalue); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to enter value into hash table " + "[%d]\n", hret); + ret = EIO; + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(table_value); + } + + return ret; +} + +static errno_t dp_req_table_mod_item(hash_table_t *table, + struct dp_table_value *table_value, + struct sbus_request *sbus_req) +{ + struct dp_sbus_req_item *item; + + item = dp_sbus_req_item_new(table_value, sbus_req); + if (item == NULL) { + return ENOMEM; + } + + DLIST_ADD(table_value->list, item); + + return EOK; +} + +errno_t dp_req_table_add(hash_table_t *table, + const char *key, + struct tevent_req *req, + struct sbus_request *sbus_req) +{ + struct dp_table_value *table_value; + + if (sbus_req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "SBUS request cannot be NULL\n"); + return EINVAL; + } + + table_value = dp_req_table_lookup(table, key); + if (table_value == NULL) { + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Tevent request cannot be NULL\n"); + return EINVAL; + } + + return dp_req_table_new_item(table, key, req, sbus_req); + } + + return dp_req_table_mod_item(table, table_value, sbus_req); +} + +void dp_req_table_del(hash_table_t *table, + const char *key) +{ + hash_key_t hkey; + int hret; + + if (table == NULL || key == NULL) { + return; + } + 
+ hkey.type = HASH_KEY_STRING; + hkey.str = discard_const_p(char, key); + + hret = hash_delete(table, &hkey); + if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key from table [%d]\n", + hret); + } + + return; +} + +void dp_req_table_del_and_free(hash_table_t *table, + const char *key) +{ + struct dp_table_value *value; + + value = dp_req_table_lookup(table, key); + if (value == NULL) { + /* We're done here. */ + return; + } + + dp_req_table_del(table, key); + talloc_free(value); + + return; +} + +bool dp_req_table_has_key(hash_table_t *table, + const char *key) +{ + hash_key_t hkey; + + hkey.type = HASH_KEY_STRING; + hkey.str = discard_const_p(char, key); + + return hash_has_key(table, &hkey); +} diff --git a/src/providers/data_provider/dp_resp_client.c b/src/providers/data_provider/dp_resp_client.c new file mode 100644 index 0000000..a61f7c5 --- /dev/null +++ b/src/providers/data_provider/dp_resp_client.c 
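Review bot: `dp_req_table_lookup` and `dp_req_table_has_key` pass `table` and `key` straight to the hash library, while `dp_req_table_del` in the same file returns early on `table == NULL || key == NULL`. `dp_req_table_add` forwards its `key` argument to the lookup unchecked as well, so a NULL key from a caller reaches `hash_lookup` as `hkey.str`; what the library does with that is not visible in this hunk. For consistency I would open the lookup with `if (table == NULL || key == NULL) { return NULL; }` and `dp_req_table_has_key` with the same test returning `false`. Separately, `dp_req_table_lookup` returns NULL both for a missing key and for a hash error, so `dp_req_table_add` cannot tell the two apart; a short comment stating that this is intended would help the next reader.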
@@ -0,0 +1,236 @@ +/* + SSSD + + Data Provider Responder client - DP calls responder interface + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include +#include + +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "providers/data_provider.h" +#include "providers/data_provider/dp_private.h" +#include "responder/common/iface/responder_iface.h" +#include "responder/nss/nss_iface.h" + +/* List of DP clients that deal with users or groups */ +/* FIXME - it would be much cleaner to implement sbus signals + * and let the responder subscribe to these messages rather than + * keep a list here.. 
+ * https://fedorahosted.org/sssd/ticket/2233 + */ +static enum dp_clients user_clients[] = { + DPC_NSS, + DPC_PAM, + DPC_IFP, + DPC_PAC, + DPC_SUDO, + + DP_CLIENT_SENTINEL +}; + +static void send_msg_to_all_clients(struct data_provider *provider, + struct DBusMessage *msg) +{ + struct dp_client *cli; + int i; + + for (i = 0; provider->clients[i] != NULL; i++) { + cli = provider->clients[i]; + if (cli != NULL) { + sbus_conn_send_reply(dp_client_conn(cli), msg); + } + } +} + +static void send_msg_to_selected_clients(struct data_provider *provider, + struct DBusMessage *msg, + enum dp_clients *clients) +{ + struct dp_client *cli; + int i; + + for (i = 0; clients[i] != DP_CLIENT_SENTINEL; i++) { + cli = provider->clients[clients[i]]; + if (cli != NULL) { + sbus_conn_send_reply(dp_client_conn(cli), msg); + } + } +} + +static void dp_sbus_set_domain_state(struct data_provider *provider, + struct sss_domain_info *dom, + enum sss_domain_state state) +{ + DBusMessage *msg; + const char *method = NULL; + + switch (state) { + case DOM_ACTIVE: + DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to enable domain %s\n", + dom->name); + method = IFACE_RESPONDER_DOMAIN_SETACTIVE; + break; + case DOM_INCONSISTENT: + DEBUG(SSSDBG_TRACE_FUNC, "Ordering responders to disable domain %s\n", + dom->name); + method = IFACE_RESPONDER_DOMAIN_SETINCONSISTENT; + break; + default: + /* No other methods provided at the moment */ + return; + } + + sss_domain_set_state(dom, state); + + msg = sbus_create_message(NULL, NULL, RESPONDER_PATH, + IFACE_RESPONDER_DOMAIN, method, + DBUS_TYPE_STRING, &dom->name); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return; + } + + send_msg_to_all_clients(provider, msg); + dbus_message_unref(msg); + return; +} + +void dp_sbus_domain_active(struct data_provider *provider, + struct sss_domain_info *dom) +{ + return dp_sbus_set_domain_state(provider, dom, DOM_ACTIVE); +} + +void dp_sbus_domain_inconsistent(struct data_provider *provider, + 
struct sss_domain_info *dom) +{ + return dp_sbus_set_domain_state(provider, dom, DOM_INCONSISTENT); +} + +static void dp_sbus_reset_ncache(struct data_provider *provider, + struct sss_domain_info *dom, + const char *method) +{ + DBusMessage *msg; + + msg = sbus_create_message(NULL, NULL, RESPONDER_PATH, + IFACE_RESPONDER_NCACHE, method); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return; + } + + send_msg_to_selected_clients(provider, msg, user_clients); + dbus_message_unref(msg); + return; +} + +void dp_sbus_reset_users_ncache(struct data_provider *provider, + struct sss_domain_info *dom) +{ + return dp_sbus_reset_ncache(provider, dom, + IFACE_RESPONDER_NCACHE_RESETUSERS); +} + +void dp_sbus_reset_groups_ncache(struct data_provider *provider, + struct sss_domain_info *dom) +{ + return dp_sbus_reset_ncache(provider, dom, + IFACE_RESPONDER_NCACHE_RESETGROUPS); +} + +static void dp_sbus_reset_memcache(struct data_provider *provider, + const char *method) +{ + DBusMessage *msg; + + msg = sbus_create_message(NULL, NULL, NSS_MEMORYCACHE_PATH, + IFACE_NSS_MEMORYCACHE, method); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return; + } + + send_msg_to_selected_clients(provider, msg, user_clients); + dbus_message_unref(msg); + return; +} + +void dp_sbus_reset_users_memcache(struct data_provider *provider) +{ + return dp_sbus_reset_memcache(provider, + IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS); +} + +void dp_sbus_reset_groups_memcache(struct data_provider *provider) +{ + return dp_sbus_reset_memcache(provider, + IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS); +} + +void dp_sbus_reset_initgr_memcache(struct data_provider *provider) +{ + return dp_sbus_reset_memcache(provider, + IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS); +} + +void dp_sbus_invalidate_group_memcache(struct data_provider *provider, + gid_t gid) +{ + struct dp_client *dp_cli; + DBusMessage *msg; + dbus_bool_t dbret; + + if (provider == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "No provider pointer\n"); + return; + } + + dp_cli = provider->clients[DPC_NSS]; + if (dp_cli == NULL) { + return; + } + + msg = dbus_message_new_method_call(NULL, + NSS_MEMORYCACHE_PATH, + IFACE_NSS_MEMORYCACHE, + IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return; + } + + dbret = dbus_message_append_args(msg, + DBUS_TYPE_UINT32, &gid, + DBUS_TYPE_INVALID); + if (!dbret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + dbus_message_unref(msg); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Ordering NSS responder to invalidate the group %"PRIu32" \n", + gid); + + sbus_conn_send_reply(dp_client_conn(dp_cli), msg); + dbus_message_unref(msg); + + return; +} diff --git a/src/providers/data_provider/dp_responder_iface.h b/src/providers/data_provider/dp_responder_iface.h new file mode 100644 index 0000000..7fe6e0d --- /dev/null +++ b/src/providers/data_provider/dp_responder_iface.h @@ -0,0 +1,29 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef DP_RESPONDER_IFACE_H_ +#define DP_RESPONDER_IFACE_H_ + +#include "providers/data_provider/dp_iface_generated.h" +#include "providers/data_provider/dp_flags.h" + +#define DP_PATH "/org/freedesktop/sssd/dataprovider" + +#endif /* DP_RESPONDER_IFACE_H_ */ 
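Review bot: The loop in `send_msg_to_all_clients` uses `provider->clients[i] != NULL` as its termination test, so it stops at the first empty slot and the `if (cli != NULL)` check inside it can never be false. `send_msg_to_selected_clients` indexes the same array by `enum dp_clients` value and tolerates NULL entries, which suggests a slot can be empty while later ones are populated; in that case the domain state message from `dp_sbus_set_domain_state` would not reach the later responders. The loop also has no upper bound, so if the array (declared outside this hunk) is not NULL-terminated it is read past its end when every slot is filled. Assuming the array is sized by `DP_CLIENT_SENTINEL`, `for (i = 0; i < DP_CLIENT_SENTINEL; i++)` bounds the walk and makes the inner NULL check meaningful.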
diff --git a/src/providers/data_provider/dp_sbus.c b/src/providers/data_provider/dp_sbus.c new file mode 100644 index 0000000..623d7dd --- /dev/null +++ b/src/providers/data_provider/dp_sbus.c @@ -0,0 +1,46 @@ +/* + SSSD + + Data Provider Helpers + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include +#include + +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "providers/data_provider.h" + +int dp_get_sbus_address(TALLOC_CTX *mem_ctx, + char **address, const char *domain_name) +{ + char *default_address; + + *address = NULL; + default_address = talloc_asprintf(mem_ctx, "unix:path=%s/%s_%s", + PIPE_PATH, DATA_PROVIDER_PIPE, + domain_name); + if (default_address == NULL) { + return ENOMEM; + } + + *address = default_address; + return EOK; +} + diff --git a/src/providers/data_provider/dp_target_auth.c b/src/providers/data_provider/dp_target_auth.c new file mode 100644 index 0000000..4b47975 --- /dev/null +++ b/src/providers/data_provider/dp_target_auth.c 
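Review bot: `dp_get_sbus_address` interpolates `domain_name` into a D-Bus address and socket path with `%s` and no validation. A NULL `domain_name` is undefined behaviour for the `%s` conversion in `talloc_asprintf`, and a name containing `/`, `,` or `;` would change which path or address the resulting string denotes; whether callers only pass names already validated from the configuration is not visible in this hunk. I would add `if (domain_name == NULL) { return EINVAL; }` after `*address = NULL;` and document in a header comment that the name must not contain path separators or D-Bus address delimiters. Escaping the path component with `dbus_address_escape_value()` is the alternative if such names have to be supported.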
@@ -0,0 +1,322 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_iface.h" +#include "providers/backend.h" +#include "util/util.h" + +static void dp_pam_reply(struct sbus_request *sbus_req, + const char *request_name, + struct pam_data *pd) +{ + DBusMessage *reply; + dbus_bool_t dbret; + + DP_REQ_DEBUG(SSSDBG_TRACE_LIBS, request_name, + "Sending result [%d][%s]", pd->pam_status, pd->domain); + + reply = dbus_message_new_method_return(sbus_req->message); + if (reply == NULL) { + DP_REQ_DEBUG(SSSDBG_TRACE_LIBS, request_name, + "Unable to acquire reply message"); + return; + } + + dbret = dp_pack_pam_response(reply, pd); + if (!dbret) { + DP_REQ_DEBUG(SSSDBG_TRACE_LIBS, request_name, + "Unable to generate reply message"); + dbus_message_unref(reply); + return; + } + + sbus_request_finish(sbus_req, reply); + dbus_message_unref(reply); + return; +} + +static errno_t pam_data_create(TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + struct be_ctx *be_ctx, + struct pam_data **_pd) +{ + DBusError dbus_error; + struct pam_data *pd; + bool bret; + + dbus_error_init(&dbus_error); + bret = dp_unpack_pam_request(sbus_req->message, mem_ctx, &pd, &dbus_error); + if (bret == false) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse message!\n"); + return EINVAL; + } + + pd->pam_status = PAM_SYSTEM_ERR; + if (pd->domain == NULL) { + pd->domain = talloc_strdup(pd, be_ctx->domain->name); + if (pd->domain == NULL) { + talloc_free(pd); + return ENOMEM; + } + } + + *_pd = pd; + + return EOK; +} + +static void choose_target(struct data_provider *provider, + struct pam_data *pd, + enum dp_targets *_target, + enum dp_methods *_method, + const char **_req_name) +{ + enum dp_targets target; + enum dp_methods method; + const char *name; + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + target = DPT_AUTH; + method = DPM_AUTH_HANDLER; + name = "PAM Authenticate"; + break; + case SSS_PAM_PREAUTH: + target = DPT_AUTH; + method = DPM_AUTH_HANDLER; + name = "PAM Preauth"; + break; + case SSS_PAM_ACCT_MGMT: + target = DPT_ACCESS; + method = DPM_ACCESS_HANDLER; + name = "PAM Account"; + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + target = DPT_CHPASS; + method = DPM_AUTH_HANDLER; + name = "PAM Chpass 1st"; + break; + case SSS_PAM_CHAUTHTOK: + target = DPT_CHPASS; + method = DPM_AUTH_HANDLER; + name = "PAM Chpass 2nd"; + break; + case SSS_PAM_OPEN_SESSION: + name = "PAM Open Session"; + if (dp_method_enabled(provider, DPT_SESSION, DPM_SESSION_HANDLER)) { + target = DPT_SESSION; + method = DPM_SESSION_HANDLER; + break; + } + + target = DP_TARGET_SENTINEL; + method = DP_METHOD_SENTINEL; + pd->pam_status = PAM_SUCCESS; + break; + case SSS_PAM_SETCRED: + target = DP_TARGET_SENTINEL; + method = DP_METHOD_SENTINEL; + name = "PAM Set Credentials"; + pd->pam_status = PAM_SUCCESS; + break; + case SSS_PAM_CLOSE_SESSION: + target = DP_TARGET_SENTINEL; + method = DP_METHOD_SENTINEL; + name = "PAM Close Session"; + pd->pam_status = PAM_SUCCESS; + break; + default: + DEBUG(SSSDBG_TRACE_LIBS, "Unsupported PAM command [%d].\n", + pd->cmd); + target = DP_TARGET_SENTINEL; + method = DP_METHOD_SENTINEL; + name = "PAM Unsupported"; + pd->pam_status = PAM_MODULE_UNKNOWN; + break; + } + + 
/* Check that target is configured. */ + if (target != DP_TARGET_SENTINEL + && !dp_target_enabled(provider, NULL, target)) { + target = DP_TARGET_SENTINEL; + method = DP_METHOD_SENTINEL; + pd->pam_status = PAM_MODULE_UNKNOWN; + } + + *_target = target; + *_method = method; + *_req_name = name; +} + +struct dp_pam_handler_state { + struct data_provider *provider; + struct dp_client *dp_cli; + struct sbus_request *sbus_req; + const char *request_name; +}; + +void dp_pam_handler_step_done(struct tevent_req *req); +void dp_pam_handler_selinux_done(struct tevent_req *req); + +errno_t dp_pam_handler(struct sbus_request *sbus_req, void *sbus_data) +{ + struct dp_pam_handler_state *state; + struct data_provider *provider; + struct pam_data *pd = NULL; + struct dp_client *dp_cli; + enum dp_targets target; + enum dp_methods method; + const char *req_name; + struct tevent_req *req; + errno_t ret; + + dp_cli = talloc_get_type(sbus_data, struct dp_client); + provider = dp_client_provider(dp_cli); + + state = talloc_zero(sbus_req, struct dp_pam_handler_state); + if (state == NULL) { + ret = ENOMEM; + goto done; + } + + ret = pam_data_create(state, sbus_req, provider->be_ctx, &pd); + if (ret != EOK) { + return ret; + } + + state->provider = provider; + state->dp_cli = dp_cli; + state->sbus_req = sbus_req; + + DEBUG(SSSDBG_CONF_SETTINGS, "Got request with the following data\n"); + DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); + + choose_target(provider, pd, &target, &method, &req_name); + if (target == DP_TARGET_SENTINEL) { + /* Just send the result. Pam data are freed with this call. 
*/ + dp_pam_reply(sbus_req, req_name, pd); + return EOK; + } + + req = dp_req_send(state, provider, dp_cli, pd->domain, req_name, + target, method, 0, pd, &state->request_name); + if (req == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(req, dp_pam_handler_step_done, state); + +done: + if (ret != EOK) { + talloc_free(pd); + } + + return ret; +} + +static bool should_invoke_selinux(struct data_provider *provider, + struct pam_data *pd) +{ + if (!dp_method_enabled(provider, DPT_SELINUX, DPM_SELINUX_HANDLER)) { + return false; + } + + if (pd->cmd == SSS_PAM_ACCT_MGMT && pd->pam_status == PAM_SUCCESS) { + return true; + } + + return false; +} + +void dp_pam_handler_step_done(struct tevent_req *req) +{ + struct dp_pam_handler_state *state; + struct pam_data *pd; + errno_t ret; + + state = tevent_req_callback_data(req, struct dp_pam_handler_state); + + ret = dp_req_recv(state, req, struct pam_data *, &pd); + talloc_zfree(req); + if (ret != EOK) { + dp_req_reply_error(state->sbus_req, state->request_name, ret); + return; + } + + if (!should_invoke_selinux(state->provider, pd)) { + /* State and request related data are freed with sbus_req. 
*/ + dp_pam_reply(state->sbus_req, state->request_name, pd); + return; + } + + req = dp_req_send(state, state->provider, state->dp_cli, pd->domain, + "PAM SELinux", DPT_SELINUX, DPM_SELINUX_HANDLER, + 0, pd, NULL); + if (req == NULL) { + DP_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->request_name, + "Unable to process SELinux, killing request..."); + talloc_free(state->sbus_req); + return; + } + + tevent_req_set_callback(req, dp_pam_handler_selinux_done, state); +} + +void dp_pam_handler_selinux_done(struct tevent_req *req) +{ + struct dp_pam_handler_state *state; + struct pam_data *pd; + errno_t ret; + + state = tevent_req_callback_data(req, struct dp_pam_handler_state); + + ret = dp_req_recv(state, req, struct pam_data *, &pd); + talloc_zfree(req); + if (ret != EOK) { + dp_req_reply_error(state->sbus_req, state->request_name, ret); + return; + } + + /* State and request related data are freed with sbus_req. */ + dp_pam_reply(state->sbus_req, state->request_name, pd); + return; +} + +errno_t dp_access_control_refresh_rules_handler(struct sbus_request *sbus_req, + void *dp_cli) +{ + const char *key; + + key = "RefreshRules"; + + dp_req_with_reply(dp_cli, NULL, "Refresh Access Control Rules", key, + sbus_req, DPT_ACCESS, DPM_REFRESH_ACCESS_RULES, 0, NULL, + dp_req_reply_default, void *); + + return EOK; +} diff --git a/src/providers/data_provider/dp_target_autofs.c b/src/providers/data_provider/dp_target_autofs.c new file mode 100644 index 0000000..13b12f5 --- /dev/null +++ b/src/providers/data_provider/dp_target_autofs.c 
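Review bot: Both failure branches in `dp_pam_reply` return without finishing `sbus_req` and log only at `SSSDBG_TRACE_LIBS`, so a PAM result that could not be packed is dropped silently at normal debug levels and the caller is presumably left waiting for its own timeout. The other error paths in this file either call `dp_req_reply_error` or free the request (`talloc_free(state->sbus_req)` in `dp_pam_handler_step_done`); `dp_pam_reply` should do one of those, and at minimum log with `DP_REQ_DEBUG(SSSDBG_CRIT_FAILURE, request_name, "Unable to generate reply message");`. Separately, `pam_data_create` initialises `dbus_error` but neither logs nor frees it when `dp_unpack_pam_request` fails; whether that helper sets the error is not visible in this hunk, but `dbus_error_free(&dbus_error);` before `return EINVAL;` is safe either way.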
@@ -0,0 +1,55 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp_iface.h"
+#include "providers/backend.h"
+#include "util/util.h"
+
+errno_t dp_autofs_handler(struct sbus_request *sbus_req,
+ void *dp_cli,
+ uint32_t dp_flags,
+ const char *mapname)
+{
+ struct dp_autofs_data *data;
+ const char *key;
+
+ if (mapname == NULL) {
+ return EINVAL;
+ }
+
+ data = talloc_zero(sbus_req, struct dp_autofs_data);
+ if (data == NULL) {
+ return ENOMEM;
+ }
+
+ data->mapname = mapname;
+ key = mapname;
+
+ dp_req_with_reply(dp_cli, NULL, "AutoFS", key, sbus_req, DPT_AUTOFS,
+ DPM_AUTOFS_HANDLER, dp_flags, data,
+ dp_req_reply_std, struct dp_reply_std);
+
+ return EOK;
+}
diff --git a/src/providers/data_provider/dp_target_hostid.c b/src/providers/data_provider/dp_target_hostid.c
new file mode 100644
index 0000000..93f9fda
--- /dev/null
+++ b/src/providers/data_provider/dp_target_hostid.c
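Review bot: The `mapname == NULL` guard in `dp_autofs_handler` probably never fires for a value delivered over D-Bus, where an absent string normally arrives as an empty string; other handlers in this commit use `SBUS_IS_STRING_EMPTY` and `SBUS_SET_STRING` for that case. As written, an empty map name passes the check and becomes both `data->mapname` and the request key. I would use `if (SBUS_IS_STRING_EMPTY(mapname)) { return EINVAL; }` here, assuming the macro also covers NULL (its definition is not in this hunk). The same applies to the `name == NULL` check in `dp_host_handler` in dp_target_hostid.c.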
@@ -0,0 +1,63 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp_iface.h"
+#include "providers/backend.h"
+#include "util/util.h"
+
+errno_t dp_host_handler(struct sbus_request *sbus_req,
+ void *dp_cli,
+ uint32_t dp_flags,
+ const char *name,
+ const char *alias)
+{
+ struct dp_hostid_data *data;
+ const char *key;
+
+ if (name == NULL) {
+ return EINVAL;
+ }
+
+ data = talloc_zero(sbus_req, struct dp_hostid_data);
+ if (data == NULL) {
+ return ENOMEM;
+ }
+
+ data->name = name;
+ data->alias = SBUS_SET_STRING(alias);
+
+ key = talloc_asprintf(data, "%s:%s", name,
+ (data->alias == NULL ? "(null)" : data->alias));
+ if (key == NULL) {
+ talloc_free(data);
+ return ENOMEM;
+ }
+
+ dp_req_with_reply(dp_cli, NULL, "HostID", key, sbus_req, DPT_HOSTID,
+ DPM_HOSTID_HANDLER, dp_flags, data,
+ dp_req_reply_std, struct dp_reply_std);
+
+ return EOK;
+}
diff --git a/src/providers/data_provider/dp_target_id.c b/src/providers/data_provider/dp_target_id.c
new file mode 100644
index 0000000..d123638
--- /dev/null
+++ b/src/providers/data_provider/dp_target_id.c
@@ -0,0 +1,672 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_iface.h" +#include "providers/backend.h" +#include "responder/nss/nss_iface.h" +#include "util/util.h" + +#define FILTER_TYPE(str, type) {str "=", sizeof(str "=") - 1, type} + +static bool check_and_parse_filter(struct dp_id_data *data, + const char *filter, + const char *extra) +{ + /* We will use sizeof() to determine the length of a string so we don't + * call strlen over and over again with each request. Not a bottleneck, + * but unnecessary and simple to avoid. 
*/ + static struct { + const char *name; + size_t lenght; + uint32_t type; + } types[] = {FILTER_TYPE("name", BE_FILTER_NAME), + FILTER_TYPE("idnumber", BE_FILTER_IDNUM), + FILTER_TYPE(DP_SEC_ID, BE_FILTER_SECID), + FILTER_TYPE(DP_CERT, BE_FILTER_CERT), + FILTER_TYPE(DP_WILDCARD, BE_FILTER_WILDCARD), + {0, 0, 0}}; + int i; + + if (SBUS_IS_STRING_EMPTY(filter)) { + return false; + } + + for (i = 0; types[i].name != NULL; i++) { + if (strncmp(filter, types[i].name, types[i].lenght) == 0) { + data->filter_type = types[i].type; + data->filter_value = SBUS_SET_STRING(&filter[types[i].lenght]); + data->extra_value = SBUS_SET_STRING(extra); + return true; + } + } + + if (strcmp(filter, ENUM_INDICATOR) == 0) { + data->filter_type = BE_FILTER_ENUM; + data->filter_value = NULL; + data->extra_value = NULL; + return true; + } + + return false; +} + +struct dp_initgr_ctx { + const char *domain; + struct sss_domain_info *domain_info; + const char *filter_value; + const char *username; + uint32_t gnum; + uint32_t *groups; +}; + +static struct dp_initgr_ctx *create_initgr_ctx( + TALLOC_CTX *mem_ctx, + const char *domain, + struct sss_domain_info *domain_info, + const char *filter_value, + struct ldb_result *res) +{ + struct dp_initgr_ctx *ctx; + const char *username; + unsigned int i; + errno_t ret; + + ctx = talloc_zero(mem_ctx, struct dp_initgr_ctx); + if (ctx == NULL) { + return NULL; + } + + /* Copy domain name */ + ctx->domain = talloc_strdup(ctx, domain); + if (ctx->domain == NULL) { + ret = ENOMEM; + goto done; + } + + /* Copy filter value */ + ctx->filter_value = talloc_strdup(ctx, filter_value); + if (ctx->filter_value == NULL) { + ret = ENOMEM; + goto done; + } + + /* Reference domain info */ + ctx->domain_info = domain_info; + + /* If we had the data in sysdb */ + if (res != NULL) { + /* Copy original username */ + username = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL); + if (username == NULL) { + ret = EINVAL; + goto done; + } + ctx->username = 
talloc_strdup(ctx, username); + if (ctx->username == NULL) { + ret = ENOMEM; + goto done; + } + + /* Copy group IDs */ + ctx->groups = talloc_array(mem_ctx, uint32_t, res->count); + if (ctx->groups == NULL) { + ret = ENOMEM; + goto done; + } + + /* The first GID is the primary so it might be duplicated + * later in the list. */ + for (ctx->gnum = 0, i = 0; i < res->count; i++) { + ctx->groups[ctx->gnum] = ldb_msg_find_attr_as_uint(res->msgs[i], + SYSDB_GIDNUM, 0); + /* If 0 it may be a non-POSIX group, so we skip it. */ + if (ctx->groups[ctx->gnum] != 0) { + ctx->gnum++; + } + } + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(ctx); + return NULL; + } + + return ctx; +} + +static void dp_req_initgr_pp_nss_notify(const char *req_name, + struct data_provider *provider, + struct dp_initgr_ctx *ctx) +{ + struct dp_client *dp_cli; + DBusMessage *msg; + dbus_bool_t dbret; + int num; + + /* If user didn't exist in the cache previously */ + if (ctx->username == NULL) { + /* There is no point in contacting NSS responder */ + return; + } + + dp_cli = provider->clients[DPC_NSS]; + if (dp_cli == NULL) { + return; + } + + msg = dbus_message_new_method_call(NULL, + NSS_MEMORYCACHE_PATH, + IFACE_NSS_MEMORYCACHE, + IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return; + } + + num = ctx->gnum; + dbret = dbus_message_append_args(msg, + DBUS_TYPE_STRING, &ctx->username, + DBUS_TYPE_STRING, &ctx->domain, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, + &ctx->groups, num, + DBUS_TYPE_INVALID); + if (!dbret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + dbus_message_unref(msg); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Ordering NSS responder to update memory cache\n"); + + sbus_conn_send_reply(dp_client_conn(dp_cli), msg); + dbus_message_unref(msg); + + return; +} + +static void dp_req_initgr_pp_sr_overlay(struct data_provider *provider, + struct dp_initgr_ctx *ctx) +{ + bool enabled = false; + struct 
be_ctx *be = provider->be_ctx; + struct ldb_result *res; + struct ldb_message *msg; + const char *name; + char *output_name; + char **conf_user; + char **conf_group; + size_t i; + TALLOC_CTX *tmp_ctx = NULL; + errno_t ret; + struct ldb_message_element el = { 0, SYSDB_SESSION_RECORDING, 0, NULL }; + struct sysdb_attrs del_attrs = { 1, &el }; + struct sysdb_attrs *add_attrs; + + /* If selective session recording is not enabled */ + if (be->sr_conf.scope != SESSION_RECORDING_SCOPE_SOME) { + goto done; + } + + /* Allocate temporary talloc context */ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed creating temporary talloc context\n"); + ret = ENOMEM; + goto done; + } + + /* Get updated initgroups data with overrides */ + ret = sysdb_initgroups_with_views(tmp_ctx, ctx->domain_info, + ctx->filter_value, &res); + if (ret == ENOENT || (ret == EOK && res->count == 0)) { + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups: %s\n", + sss_strerror(ret)); + goto done; + } + + /* Delete sessionRecording attribute so we know when we failed */ + ret = sysdb_set_entry_attr(ctx->domain_info->sysdb, res->msgs[0]->dn, + &del_attrs, SYSDB_MOD_DEL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed removing %s attribute: %s\n", + SYSDB_SESSION_RECORDING, sss_strerror(ret)); + goto done; + } + + /* Format output username */ + name = sss_get_name_from_msg(ctx->domain_info, res->msgs[0]); + ret = sss_output_fqname(tmp_ctx, ctx->domain_info, name, + be->override_space, &output_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed formatting output username from \"%s\": %s\n", + name, sss_strerror(ret)); + goto done; + } + + /* For each user name in session recording config */ + conf_user = be->sr_conf.users; + if (conf_user != NULL) { + for (; *conf_user != NULL && !enabled; conf_user++) { + /* If it matches the requested user name */ + if (strcmp(*conf_user, output_name) == 0) { + 
enabled = true; + } + } + } + + /* If we have groups in config and are not yet enabled */ + if (be->sr_conf.groups != NULL && + be->sr_conf.groups[0] != NULL && + !enabled) { + /* For each group in response */ + for (i = 0; i < res->count && !enabled; i++) { + /* Get the group msg */ + if (i == 0) { + gid_t gid; + struct ldb_result *group_res; + + /* Get the primary group */ + gid = sss_view_ldb_msg_find_attr_as_uint64(ctx->domain_info, + res->msgs[i], + SYSDB_GIDNUM, 0); + if (gid == 0) { + continue; + } + ret = sysdb_getgrgid_with_views(tmp_ctx, ctx->domain_info, + gid, &group_res); + if (ret == ENOENT) { + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed retrieving group #%llu: %s\n", + (unsigned long long)gid, sss_strerror(ret)); + goto done; + } else if (group_res->count == 0) { + continue; + } + msg = group_res->msgs[0]; + } else { + msg = res->msgs[i]; + } + /* Get the group's output name */ + name = sss_get_name_from_msg(ctx->domain_info, msg); + if (name == NULL) { + continue; + } + ret = sss_output_fqname(tmp_ctx, ctx->domain_info, + name, be->override_space, + &output_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed formatting output group name from \"%s\": %s\n", + name, sss_strerror(ret)); + goto done; + } + /* For each group in configuration */ + for (conf_group = be->sr_conf.groups; + *conf_group != NULL && !enabled; + conf_group++) { + if (strcmp(*conf_group, output_name) == 0) { + enabled = true; + } + } + } + } + + /* Set sessionRecording attribute to enabled value */ + add_attrs = sysdb_new_attrs(tmp_ctx); + if (add_attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed creating attributes\n"); + ret = ENOMEM; + goto done; + } + ret = sysdb_attrs_add_bool(add_attrs, SYSDB_SESSION_RECORDING, enabled); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed setting %s attribute: %s\n", + SYSDB_SESSION_RECORDING, sss_strerror(ret)); + goto done; + } + ret = sysdb_set_entry_attr(ctx->domain_info->sysdb, 
res->msgs[0]->dn, + add_attrs, SYSDB_MOD_ADD); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed storing %s attribute: %s\n", + SYSDB_SESSION_RECORDING, sss_strerror(ret)); + goto done; + } + +done: + talloc_free(tmp_ctx); +} + +static errno_t set_initgroups_expire_attribute(struct sss_domain_info *domain, + const char *name) +{ + errno_t ret; + time_t cache_timeout; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(NULL); + if (attrs == NULL) { + return ENOMEM; + } + + cache_timeout = domain->user_timeout + ? time(NULL) + domain->user_timeout + : 0; + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, cache_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n"); + goto done; + } + + ret = sysdb_set_user_attr(domain, name, attrs, SYSDB_MOD_REP); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set initgroups expire attribute\n"); + goto done; + } + +done: + talloc_zfree(attrs); + return ret; +} + +static void dp_req_initgr_pp_set_initgr_timestamp(struct dp_initgr_ctx *ctx, + struct dp_reply_std *reply) +{ + errno_t ret; + const char *cname; + + if (reply->dp_error != DP_ERR_OK || reply->error != EOK) { + /* Only bump the timestamp on successful lookups */ + return; + } + + ret = sysdb_get_real_name(ctx, + ctx->domain_info, + ctx->filter_value, + &cname); + if (ret == ENOENT) { + /* No point trying to bump timestamp of an entry that does not exist..*/ + return; + } else if (ret != EOK) { + cname = ctx->filter_value; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to canonicalize name, using [%s]\n", cname); + } + + ret = set_initgroups_expire_attribute(ctx->domain_info, cname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set the initgroups expire attribute [%d]: %s\n", + ret, sss_strerror(ret)); + } +} + +static void dp_req_initgr_pp(const char *req_name, + struct data_provider *provider, + struct dp_initgr_ctx *ctx, + struct dp_reply_std *reply) +{ + (void)reply; + 
dp_req_initgr_pp_set_initgr_timestamp(ctx, reply); + dp_req_initgr_pp_nss_notify(req_name, provider, ctx); + dp_req_initgr_pp_sr_overlay(provider, ctx); +} + +static errno_t dp_initgroups(struct sbus_request *sbus_req, + struct dp_client *dp_cli, + const char *key, + uint32_t dp_flags, + struct dp_id_data *data) +{ + struct be_ctx *be_ctx; + struct sss_domain_info *domain; + struct dp_initgr_ctx *ctx; + struct ldb_result *res = NULL; + errno_t ret; + + be_ctx = dp_client_be(dp_cli); + + if (data->domain == NULL) { + domain = be_ctx->domain; + } else { + domain = find_domain_by_name(be_ctx->domain, data->domain, true); + if (domain == NULL) { + return ERR_DOMAIN_NOT_FOUND; + } + } + + ret = sysdb_initgroups(sbus_req, domain, data->filter_value, &res); + if (ret == ENOENT || (ret == EOK && res->count == 0)) { + talloc_zfree(res); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get initgroups [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ctx = create_initgr_ctx(sbus_req, data->domain, domain, + data->filter_value, res); + if (ctx == NULL) { + ret = ENOMEM; + goto done; + } + + dp_req_with_reply_pp(dp_cli, data->domain, "Initgroups", key, + sbus_req, DPT_ID, DPM_ACCOUNT_HANDLER, dp_flags, data, + dp_req_initgr_pp, ctx, struct dp_initgr_ctx, + dp_req_reply_std, struct dp_reply_std); + + ret = EOK; + +done: + talloc_free(res); + return ret; +} + +errno_t dp_get_account_info_handler(struct sbus_request *sbus_req, + void *dp_cli, + uint32_t dp_flags, + uint32_t entry_type, + const char *filter, + const char *domain, + const char *extra) +{ + struct dp_id_data *data; + const char *key; + errno_t ret; + + data = talloc_zero(sbus_req, struct dp_id_data); + if (data == NULL) { + return ENOMEM; + } + + data->entry_type = entry_type; + data->domain = domain; + + if (!check_and_parse_filter(data, filter, extra)) { + ret = EINVAL; + goto done; + } + + DEBUG(SSSDBG_FUNC_DATA, + "Got request for [%#"PRIx32"][%s][%s]\n", + data->entry_type, 
be_req2str(data->entry_type), + filter); + + key = talloc_asprintf(data, "%u:%s:%s:%s", data->entry_type, + extra, domain, filter); + if (key == NULL) { + ret = ENOMEM; + goto done; + } + + if ((data->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_INITGROUPS) { + ret = dp_initgroups(sbus_req, dp_cli, key, dp_flags, data); + if (ret != EAGAIN) { + goto done; + } + } + + dp_req_with_reply(dp_cli, domain, "Account", key, + sbus_req, DPT_ID, DPM_ACCOUNT_HANDLER, dp_flags, data, + dp_req_reply_std, struct dp_reply_std); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(data); + } + + return ret; +} + +static bool +check_and_parse_acct_domain_filter(struct dp_get_acct_domain_data *data, + const char *filter) +{ + /* We will use sizeof() to determine the length of a string so we don't + * call strlen over and over again with each request. Not a bottleneck, + * but unnecessary and simple to avoid. */ + static struct { + const char *name; + size_t lenght; + uint32_t type; + } types[] = {FILTER_TYPE("idnumber", BE_FILTER_IDNUM), + {0, 0, 0}}; + int i; + + if (SBUS_IS_STRING_EMPTY(filter)) { + return false; + } + + for (i = 0; types[i].name != NULL; i++) { + if (strncmp(filter, types[i].name, types[i].lenght) == 0) { + data->filter_type = types[i].type; + data->filter_value = SBUS_SET_STRING(&filter[types[i].lenght]); + return true; + } + } + + if (strcmp(filter, ENUM_INDICATOR) == 0) { + data->filter_type = BE_FILTER_ENUM; + data->filter_value = NULL; + return true; + } + + return false; +} + +errno_t dp_get_account_domain_handler(struct sbus_request *sbus_req, + void *dp_cli, + uint32_t entry_type, + const char *filter) +{ + struct dp_get_acct_domain_data *data; + const char *key = NULL; + errno_t ret; + + data = talloc_zero(sbus_req, struct dp_get_acct_domain_data); + if (data == NULL) { + return ENOMEM; + } + data->entry_type = entry_type; + + if (!check_and_parse_acct_domain_filter(data, filter)) { + ret = EINVAL; + goto done; + } + + dp_req_with_reply(dp_cli, NULL, 
"AccountDomain", key, sbus_req, + DPT_ID, DPM_ACCT_DOMAIN_HANDLER, 0, data, + dp_req_reply_std, struct dp_reply_std); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(data); + } + + return ret; +} + +struct default_account_domain_state { + struct dp_reply_std reply; +}; + +struct tevent_req * +default_account_domain_send(TALLOC_CTX *mem_ctx, + void *unused_ctx, + struct dp_get_acct_domain_data *data, + struct dp_req_params *params) +{ + struct default_account_domain_state *state; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct default_account_domain_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + dp_reply_std_set(&state->reply, + DP_ERR_DECIDE, ERR_GET_ACCT_DOM_NOT_SUPPORTED, + NULL); + tevent_req_done(req); + tevent_req_post(req, params->ev); + return req; +} + +errno_t default_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct default_account_domain_state *state = NULL; + + state = tevent_req_data(req, struct default_account_domain_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} diff --git a/src/providers/data_provider/dp_target_subdomains.c b/src/providers/data_provider/dp_target_subdomains.c new file mode 100644 index 0000000..e29a9b9 --- /dev/null +++ b/src/providers/data_provider/dp_target_subdomains.c 
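Review bot: In `dp_req_initgr_pp_sr_overlay` the user name returned by `sss_get_name_from_msg(ctx->domain_info, res->msgs[0])` is passed straight to `sss_output_fqname()` and to the `%s` of the failure message, while the group branch of the same function checks `name == NULL` and skips the entry. If the helper can return NULL for a user entry (its body is not in this hunk), a NULL pointer reaches both calls after the `SYSDB_SESSION_RECORDING` attribute has already been deleted. Add `if (name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get user name from message\n"); goto done; }` before the `sss_output_fqname()` call. In `create_initgr_ctx`, `ctx->groups` is allocated on `mem_ctx` rather than `ctx`, so `talloc_free(ctx)` on the error path does not release it; `talloc_array(ctx, uint32_t, res->count)` keeps ownership in one place.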
@@ -0,0 +1,50 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp_iface.h"
+#include "providers/backend.h"
+#include "util/util.h"
+
+errno_t dp_subdomains_handler(struct sbus_request *sbus_req,
+ void *dp_cli,
+ const char *domain_hint)
+{
+ struct dp_subdomains_data *data;
+ const char *key;
+
+ data = talloc_zero(sbus_req, struct dp_subdomains_data);
+ if (data == NULL) {
+ return ENOMEM;
+ }
+
+ data->domain_hint = domain_hint;
+ key = SBUS_IS_STRING_EMPTY(domain_hint) ? "" : domain_hint;
+
+ dp_req_with_reply(dp_cli, NULL, "Subdomains", key, sbus_req,
+ DPT_SUBDOMAINS, DPM_DOMAINS_HANDLER, 0, data,
+ dp_req_reply_std, struct dp_reply_std);
+
+ return EOK;
+}
diff --git a/src/providers/data_provider/dp_target_sudo.c b/src/providers/data_provider/dp_target_sudo.c
new file mode 100644
index 0000000..37add97
--- /dev/null
+++ b/src/providers/data_provider/dp_target_sudo.c
@@ -0,0 +1,199 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_iface.h" +#include "providers/backend.h" +#include "util/util.h" + +static errno_t dp_sudo_parse_message(TALLOC_CTX *mem_ctx, + DBusMessage *msg, + uint32_t *_dp_flags, + uint32_t *_sudo_type, + char ***_rules) +{ + DBusError error; + DBusMessageIter iter; + DBusMessageIter array_iter; + uint32_t dp_flags; + uint32_t sudo_type; + uint32_t num_rules; + const char *rule; + char **rules = NULL; + uint32_t i; + errno_t ret; + + dbus_error_init(&error); + dbus_message_iter_init(msg, &iter); + + /* get dp flags */ + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); + ret = EIO; + goto done; + } + + dbus_message_iter_get_basic(&iter, &dp_flags); + dbus_message_iter_next(&iter); /* step behind the request type */ + + /* get type of the request */ + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); + ret = EIO; + goto done; + } + + dbus_message_iter_get_basic(&iter, &sudo_type); + dbus_message_iter_next(&iter); /* step behind the request type */ + + /* get additional arguments according to the request 
type */ + switch (sudo_type) { + case BE_REQ_SUDO_FULL: + /* no arguments required */ + break; + case BE_REQ_SUDO_RULES: + /* additional arguments: + * rules_num + * rules[rules_num] + */ + /* read rules_num */ + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); + ret = EIO; + goto done; + } + + dbus_message_iter_get_basic(&iter, &num_rules); + + rules = talloc_zero_array(mem_ctx, char *, num_rules + 1); + if (rules == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array() failed.\n"); + ret = ENOMEM; + goto done; + } + + dbus_message_iter_next(&iter); + + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); + ret = EIO; + goto done; + } + + dbus_message_iter_recurse(&iter, &array_iter); + + /* read the rules */ + for (i = 0; i < num_rules; i++) { + if (dbus_message_iter_get_arg_type(&array_iter) + != DBUS_TYPE_STRING) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed, to parse the message!\n"); + ret = EIO; + goto done; + } + + dbus_message_iter_get_basic(&array_iter, &rule); + rules[i] = talloc_strdup(rules, rule); + if (rules[i] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed.\n"); + ret = ENOMEM; + goto done; + } + + dbus_message_iter_next(&array_iter); + } + + rules[num_rules] = NULL; + + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request type %d\n", sudo_type); + return EINVAL; + } + + *_dp_flags = dp_flags; + *_sudo_type = sudo_type; + *_rules = rules; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(rules); + } + + return ret; +} + +static const char *dp_sudo_get_key(uint32_t type) +{ + switch (type) { + case BE_REQ_SUDO_FULL: + return "full-refresh"; + case BE_REQ_SUDO_RULES: + return NULL; + } + + return NULL; +} + +static const char *dp_sudo_get_name(uint32_t type) +{ + switch (type) { + case BE_REQ_SUDO_FULL: + return "SUDO Full Refresh"; + case BE_REQ_SUDO_RULES: + return 
"SUDO Rules Refresh"; + } + + return NULL; +} + +errno_t dp_sudo_handler(struct sbus_request *sbus_req, void *dp_cli) +{ + struct dp_sudo_data *data; + uint32_t dp_flags; + const char *key; + const char *name; + errno_t ret; + + data = talloc_zero(sbus_req, struct dp_sudo_data); + if (data == NULL) { + return ENOMEM; + } + + ret = dp_sudo_parse_message(data, sbus_req->message, &dp_flags, + &data->type, &data->rules); + if (ret != EOK) { + return ret; + } + + key = dp_sudo_get_key(data->type); + name = dp_sudo_get_name(data->type); + + dp_req_with_reply(dp_cli, NULL, name, key, sbus_req, DPT_SUDO, + DPM_SUDO_HANDLER, dp_flags, data, + dp_req_reply_std, struct dp_reply_std); + + return EOK; +} diff --git a/src/providers/data_provider/dp_targets.c b/src/providers/data_provider/dp_targets.c new file mode 100644 index 0000000..2dd15d8 --- /dev/null +++ b/src/providers/data_provider/dp_targets.c 
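Review bot: In dp_sudo_parse_message, `num_rules` is read from the D-Bus message and used unchecked in `talloc_zero_array(mem_ctx, char *, num_rules + 1)`. A value of UINT32_MAX wraps the element count to 0, and if talloc hands back a zero-length chunk for that, the loop stores `rules[i]` for every string the array really carries, writing past the allocation before the type check ends it. The count is also never tied to the array's actual length, so a large value forces a large allocation before any element is validated. The sender is presumably another SSSD process on the private bus, but the parser should not depend on that: reject the value before allocating, `if (num_rules == UINT32_MAX) { ret = EINVAL; goto done; }`, or better, enforce a small explicit upper bound. Separately, the `default:` branch prints the `uint32_t` with `%d`; `%u` matches the type.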
@@ -0,0 +1,466 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "config.h" +#include "providers/data_provider/dp.h" +#include "providers/data_provider/dp_private.h" +#include "providers/data_provider/dp_builtin.h" +#include "providers/backend.h" +#include "util/util.h" + +#define DP_TARGET_INIT_FN "sssm_%s_%s_init" + +#define DP_PROVIDER_OPT "%s_provider" +#define DP_ACCESS_PERMIT "permit" +#define DP_ACCESS_DENY "deny" +#define DP_NO_PROVIDER "none" + +bool _dp_target_enabled(struct data_provider *provider, + const char *module_name, + ...) 
+{ + struct dp_target *target; + enum dp_targets type; + va_list ap; + bool bret; + + if (provider == NULL || provider->targets == NULL) { + return false; + } + + bret = false; + va_start(ap, module_name); + while ((type = va_arg(ap, enum dp_targets)) != DP_TARGET_SENTINEL) { + target = provider->targets[type]; + if (target == NULL || target->module_name == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Uninitialized target %s\n", + dp_target_to_string(type)); + continue; + } + + if (module_name == NULL) { + bret = true; + goto done; + } + + if (strcmp(target->module_name, module_name) == 0) { + bret = true; + goto done; + } + } + +done: + va_end(ap); + return bret; +} + +struct dp_module *dp_target_module(struct data_provider *provider, + enum dp_targets target) +{ + if (provider == NULL || provider->targets == NULL) { + return NULL; + } + + if (target >= DP_TARGET_SENTINEL || provider->targets[target] == NULL) { + return NULL; + } + + return provider->targets[target]->module; +} + +void *dp_get_module_data(struct dp_module *dp_module) +{ + return dp_module == NULL ? 
NULL : dp_module->module_data; +} + +const char *dp_target_to_string(enum dp_targets target) +{ + switch (target) { + case DPT_ID: + return "id"; + case DPT_AUTH: + return "auth"; + case DPT_ACCESS: + return "access"; + case DPT_CHPASS: + return "chpass"; + case DPT_SUDO: + return "sudo"; + case DPT_AUTOFS: + return "autofs"; + case DPT_SELINUX: + return "selinux"; + case DPT_HOSTID: + return "hostid"; + case DPT_SUBDOMAINS: + return "subdomains"; + case DPT_SESSION: + return "session"; + case DP_TARGET_SENTINEL: + return NULL; + } + + return NULL; +} + +bool dp_target_initialized(struct dp_target **targets, enum dp_targets type) +{ + if (targets == NULL || targets[type] == NULL) { + return false; + } + + return targets[type]->initialized; +} + +static const char *dp_target_module_name(struct dp_target **targets, + enum dp_targets type) +{ + if (targets[type] == NULL) { + return NULL; + } + + return targets[type]->module_name; +} + +static const char *dp_target_default_module(struct dp_target **targets, + enum dp_targets target) +{ + switch (target) { + case DPT_ID: + return NULL; + case DPT_ACCESS: + return "permit"; + case DPT_CHPASS: + return dp_target_module_name(targets, DPT_AUTH); + case DP_TARGET_SENTINEL: + return NULL; + default: + return dp_target_module_name(targets, DPT_ID); + } +} + +static errno_t dp_target_run_constructor(struct dp_target *target, + struct be_ctx *be_ctx) +{ + char *fn_name = NULL; + dp_target_init_fn fn; + char *error; + errno_t ret; + + fn_name = talloc_asprintf(target, DP_TARGET_INIT_FN, + target->module->name, target->name); + if (fn_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n"); + return ENOMEM; + } + + dlerror(); /* clear any error */ + fn = (dp_target_init_fn)dlsym(target->module->libhandle, fn_name); + if (fn != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Executing target [%s] constructor\n", + target->name); + + ret = fn(target, be_ctx, target->module->module_data, target->methods); + if (ret != EOK) { + 
DEBUG(SSSDBG_FATAL_FAILURE, "Target [%s] constructor failed " + "[%d]: %s\n", target->name, ret, sss_strerror(ret)); + goto done; + } + } else { + error = dlerror(); + if (error == NULL || !target->explicitly_configured) { + /* Not found. */ + ret = ELIBBAD; + goto done; + } else { + /* Error. */ + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load target [%s] " + "constructor: %s\n", target->name, error); + ret = ELIBBAD; + goto done; + } + } + + target->initialized = true; + ret = EOK; + +done: + talloc_free(fn_name); + return ret; +} + +static errno_t dp_target_special(struct be_ctx *be_ctx, + struct dp_target *target, + const char *module_name) +{ + if (strcasecmp(module_name, DP_NO_PROVIDER) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Target [%s] is explicitly disabled.\n", + target->name); + target->initialized = false; + target->module = NULL; + return EOK; + } + + if (target->target == DPT_ACCESS) { + if (strcmp(module_name, DP_ACCESS_PERMIT) == 0) { + dp_set_method(target->methods, DPM_ACCESS_HANDLER, + dp_access_permit_handler_send, dp_access_permit_handler_recv, NULL, + void, struct pam_data, struct pam_data *); + target->module = NULL; + target->initialized = true; + return EOK; + } + + if (strcmp(module_name, DP_ACCESS_DENY) == 0) { + dp_set_method(target->methods, DPM_ACCESS_HANDLER, + dp_access_deny_handler_send, dp_access_deny_handler_recv, NULL, + void, struct pam_data, struct pam_data *); + target->module = NULL; + target->initialized = true; + return EOK; + } + } + + return EAGAIN; +} + +static errno_t dp_target_init(struct be_ctx *be_ctx, + struct data_provider *provider, + struct dp_module **modules, + struct dp_target *target) +{ + errno_t ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Initializing target [%s] with module [%s]\n", + target->name, target->module_name); + + /* We have already name, module name and target set. We just load + * the module and initialize it. 
*/ + + target->methods = talloc_zero_array(target, struct dp_method, + DP_METHOD_SENTINEL + 1); + if (target->methods == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + /* Handle special cases that do not require opening a module. */ + ret = dp_target_special(be_ctx, target, target->module_name); + if (ret == EOK || ret != EAGAIN) { + goto done; + } + + /* Load module first. Memory context is modules, not target here. */ + target->module = dp_load_module(modules, be_ctx, provider, modules, + target->module_name); + if (target->module == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load module %s\n", + target->module_name); + ret = ELIBBAD; + goto done; + } + + /* Run constructor. */ + ret = dp_target_run_constructor(target, be_ctx); + if (!target->explicitly_configured && (ret == ELIBBAD || ret == ENOTSUP)) { + /* Target not found but it wasn't explicitly + * configured so we shall just continue. */ + DEBUG(SSSDBG_CONF_SETTINGS, "Target [%s] is not supported by " + "module [%s].\n", target->name, target->module_name); + ret = EOK; + goto done; + } else if (ret != EOK) { + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(target->methods); + } + + return ret; +} + +static char *dp_get_module_name(TALLOC_CTX *mem_ctx, + struct confdb_ctx *confdb_ctx, + const char *conf_path, + struct dp_target **targets, + enum dp_targets type, + bool *_is_default) +{ + const char *name; + const char *default_module; + char *module; + char *option; + errno_t ret; + + name = dp_target_to_string(type); + if (name == NULL) { + return NULL; + } + + option = talloc_asprintf(mem_ctx, DP_PROVIDER_OPT, name); + if (option == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n"); + return NULL; + } + + ret = confdb_get_string(confdb_ctx, mem_ctx, conf_path, + option, NULL, &module); + talloc_free(option); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read provider value " + "[%d]: 
%s\n", ret, sss_strerror(ret)); + return NULL; + } + + if (module != NULL) { + *_is_default = false; + return module; + } + + *_is_default = true; + default_module = dp_target_default_module(targets, type); + + return talloc_strdup(mem_ctx, default_module); +} + +static errno_t dp_load_configuration(struct confdb_ctx *cdb, + const char *conf_path, + struct dp_target **targets) +{ + enum dp_targets type; + const char *name; + bool is_default; + char *module; + errno_t ret; + + for (type = 0; type < DP_TARGET_SENTINEL; type++) { + name = dp_target_to_string(type); + if (name == NULL) { + ret = ERR_INTERNAL; + goto done; + } + + module = dp_get_module_name(NULL, cdb, conf_path, targets, + type, &is_default); + if (module == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "No provider is specified for" + " [%s]\n", name); + continue; + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "Using [%s] provider for [%s]\n", + module, name); + } + + targets[type]->explicitly_configured = is_default == false; + targets[type]->name = name; + targets[type]->target = type; + targets[type]->module_name = talloc_steal(targets[type], module); + } + + ret = EOK; + +done: + return ret; +} + +static errno_t dp_load_targets(struct be_ctx *be_ctx, + struct data_provider *provider, + struct dp_target **targets, + struct dp_module **modules) +{ + enum dp_targets type; + errno_t ret; + + /* We load the configuration first and store module name to each target. + * This way we ensure that we have this information available during + * module initialization. 
*/ + + ret = dp_load_configuration(be_ctx->cdb, be_ctx->conf_path, targets); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to load DP configuration " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + for (type = 0; type < DP_TARGET_SENTINEL; type++) { + ret = dp_target_init(be_ctx, provider, modules, targets[type]); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to load target [%s] " + "[%d]: %s.\n", targets[type]->name, ret, sss_strerror(ret)); + ret = ERR_INTERNAL; + goto done; + } + } + + ret = EOK; + +done: + return ret; +} + +errno_t dp_init_targets(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + struct dp_module **modules) +{ + struct dp_target **targets; + enum dp_targets type; + errno_t ret; + + /* Even though we know the exact number of targets we will allocate + * them all dynamically so we can have correct talloc hierarchy where + * all private data are attached to the target they belong to. */ + + targets = talloc_zero_array(mem_ctx, struct dp_target *, + DP_TARGET_SENTINEL + 1); + if (targets == NULL) { + ret = ENOMEM; + goto done; + } + + for (type = 0; type != DP_TARGET_SENTINEL; type++) { + targets[type] = talloc_zero(targets, struct dp_target); + if (targets[type] == NULL) { + ret = ENOMEM; + goto done; + } + } + + /* We want this to be already available. */ + provider->targets = targets; + + ret = dp_load_targets(be_ctx, provider, targets, modules); + +done: + if (ret != EOK) { + provider->targets = NULL; + talloc_free(targets); + } + + return ret; +} diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c new file mode 100644 index 0000000..fad6f28 --- /dev/null +++ b/src/providers/data_provider_be.c 
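Review bot: dp_load_targets calls dp_target_init for every target, including those dp_load_configuration skipped with `continue`, whose `name` and `module_name` are still NULL. That happens when dp_get_module_name returns NULL, for example when no `id_provider` is set, because the DPT_ID default is NULL and `talloc_strdup(mem_ctx, NULL)` yields NULL. dp_target_init then passes the NULL to `DEBUG` as `%s` and to `strcasecmp(module_name, DP_NO_PROVIDER)` in dp_target_special, a NULL dereference at backend start unless the configuration is validated somewhere outside this hunk. A guard at the top of dp_target_init such as `if (target->module_name == NULL) { return EINVAL; }` would turn it into a clean error. Alternatively, dp_load_configuration could fail instead of continuing. On style, dp_target_default_module returns the literal `"permit"` where `DP_ACCESS_PERMIT` is already defined, and a comment there saying an unset access provider allows all access would help readers.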
@@ -0,0 +1,682 @@ +/* + SSSD + + Data Provider Process + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "util/util.h" +#include "util/sss_utf8.h" +#include "confdb/confdb.h" +#include "db/sysdb.h" +#include "sbus/sssd_dbus.h" +#include "providers/backend.h" +#include "providers/fail_over.h" +#include "providers/be_refresh.h" +#include "providers/be_ptask.h" +#include "util/child_common.h" +#include "resolv/async_resolv.h" +#include "monitor/monitor_interfaces.h" + +static int data_provider_res_init(struct sbus_request *dbus_req, void *data); +static int data_provider_go_offline(struct sbus_request *dbus_req, void *data); +static int data_provider_reset_offline(struct sbus_request *dbus_req, void *data); +static int data_provider_logrotate(struct sbus_request *dbus_req, void *data); + +struct mon_cli_iface monitor_be_methods = { + { &mon_cli_iface_meta, 0 }, + .resInit = data_provider_res_init, + .goOffline = data_provider_go_offline, + .resetOffline = data_provider_reset_offline, + .rotateLogs = data_provider_logrotate, + .clearMemcache = NULL, + .clearEnumCache = NULL, + .sysbusReconnect = NULL, +}; + +bool be_is_offline(struct be_ctx *ctx) +{ + return ctx->offstat.offline; +} + +static void 
check_if_online(struct be_ctx *be_ctx); + +static errno_t +try_to_go_online(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *be_ctx_void) +{ + struct be_ctx *ctx = (struct be_ctx*) be_ctx_void; + + check_if_online(ctx); + return EOK; +} + +static int get_offline_timeout(struct be_ctx *ctx) +{ + errno_t ret; + int offline_timeout; + + ret = confdb_get_int(ctx->cdb, ctx->conf_path, + CONFDB_DOMAIN_OFFLINE_TIMEOUT, 60, + &offline_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to get offline_timeout from confdb. " + "Will use 60 seconds.\n"); + offline_timeout = 60; + } + + return offline_timeout; +} + +void be_mark_offline(struct be_ctx *ctx) +{ + int offline_timeout; + errno_t ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Going offline!\n"); + + ctx->offstat.went_offline = time(NULL); + ctx->offstat.offline = true; + ctx->run_online_cb = true; + + if (ctx->check_if_online_ptask == NULL) { + /* This is the first time we go offline - create a periodic task + * to check if we can switch to online. */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Initialize check_if_online_ptask.\n"); + + offline_timeout = get_offline_timeout(ctx); + + ret = be_ptask_create_sync(ctx, ctx, + offline_timeout, offline_timeout, + offline_timeout, 30, offline_timeout, + BE_PTASK_OFFLINE_EXECUTE, + 3600 /* max_backoff */, + try_to_go_online, + ctx, "Check if online (periodic)", + &ctx->check_if_online_ptask); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "be_ptask_create_sync failed [%d]: %s\n", + ret, sss_strerror(ret)); + } + } else { + /* Periodic task was already created. Just enable it. 
*/ + DEBUG(SSSDBG_TRACE_INTERNAL, "Enable check_if_online_ptask.\n"); + be_ptask_enable(ctx->check_if_online_ptask); + } + + be_run_offline_cb(ctx); +} + +static void be_subdom_reset_status(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct sss_domain_info *subdom = talloc_get_type(pvt, + struct sss_domain_info); + + DEBUG(SSSDBG_TRACE_LIBS, "Resetting subdomain %s\n", subdom->name); + subdom->state = DOM_ACTIVE; +} + +static void be_mark_subdom_offline(struct sss_domain_info *subdom, + struct be_ctx *be_ctx) +{ + struct timeval tv; + struct tevent_timer *timeout = NULL; + int reset_status_timeout; + + reset_status_timeout = get_offline_timeout(be_ctx); + tv = tevent_timeval_current_ofs(reset_status_timeout, 0); + + switch (subdom->state) { + case DOM_INCONSISTENT: + case DOM_DISABLED: + DEBUG(SSSDBG_MINOR_FAILURE, + "Won't touch disabled or inconsistent subdomain\n"); + return; + case DOM_INACTIVE: + DEBUG(SSSDBG_TRACE_ALL, "Subdomain already inactive\n"); + return; + case DOM_ACTIVE: + DEBUG(SSSDBG_TRACE_LIBS, + "Marking subdomain %s as inactive\n", subdom->name); + break; + } + + timeout = tevent_add_timer(be_ctx->ev, be_ctx, tv, + be_subdom_reset_status, subdom); + if (timeout == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot create timer\n"); + return; + } + + subdom->state = DOM_INACTIVE; +} + +void be_mark_dom_offline(struct sss_domain_info *dom, struct be_ctx *ctx) +{ + if (IS_SUBDOMAIN(dom) == false) { + DEBUG(SSSDBG_TRACE_LIBS, "Marking back end offline\n"); + be_mark_offline(ctx); + } else { + DEBUG(SSSDBG_TRACE_LIBS, "Marking subdomain %s offline\n", dom->name); + be_mark_subdom_offline(dom, ctx); + } +} + +static void reactivate_subdoms(struct sss_domain_info *head) +{ + struct sss_domain_info *dom; + + DEBUG(SSSDBG_TRACE_LIBS, "Resetting all subdomains\n"); + + for (dom = head; dom; dom = get_next_domain(dom, true)) { + if (sss_domain_get_state(dom) == DOM_INACTIVE) { + sss_domain_set_state(dom, 
DOM_ACTIVE); + } + } +} + +static void be_reset_offline(struct be_ctx *ctx) +{ + ctx->offstat.went_offline = 0; + ctx->offstat.offline = false; + ctx->run_offline_cb = true; + + reactivate_subdoms(ctx->domain); + + be_ptask_disable(ctx->check_if_online_ptask); + be_run_online_cb(ctx); +} + +static void be_check_online_done(struct tevent_req *req); + +static errno_t be_check_online_request(struct be_ctx *be_ctx) +{ + struct tevent_req *req; + + be_ctx->offstat.went_offline = time(NULL); + reset_fo(be_ctx); + + req = dp_req_send(be_ctx, be_ctx->provider, NULL, NULL, "Online Check", + DPT_ID, DPM_CHECK_ONLINE, 0, NULL, NULL); + if (req == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(req, be_check_online_done, be_ctx); + + return EOK; +} + +static void be_check_online_done(struct tevent_req *req) +{ + struct be_ctx *be_ctx; + struct dp_reply_std *reply; + errno_t ret; + + be_ctx = tevent_req_callback_data(req, struct be_ctx); + + ret = dp_req_recv_ptr(be_ctx, req, struct dp_reply_std, &reply); + talloc_zfree(req); + if (ret != EOK) { + goto done; + } + + switch (reply->dp_error) { + case DP_ERR_OK: + if (be_ctx->last_dp_state != DP_ERR_OK) { + be_ctx->last_dp_state = DP_ERR_OK; + sss_log(SSS_LOG_INFO, "Backend is online\n"); + } + DEBUG(SSSDBG_TRACE_FUNC, "Backend is online\n"); + break; + case DP_ERR_OFFLINE: + if (be_ctx->last_dp_state != DP_ERR_OFFLINE) { + be_ctx->last_dp_state = DP_ERR_OFFLINE; + sss_log(SSS_LOG_INFO, "Backend is offline\n"); + } + DEBUG(SSSDBG_TRACE_FUNC, "Backend is offline\n"); + break; + default: + DEBUG(SSSDBG_TRACE_FUNC, "Error during online check [%d]: %s\n", + ret, sss_strerror(ret)); + break; + } + + be_ctx->check_online_ref_count--; + + if (reply->dp_error != DP_ERR_OK && be_ctx->check_online_ref_count > 0) { + ret = be_check_online_request(be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create check online req.\n"); + goto done; + } + return; + } + +done: + be_ctx->check_online_ref_count = 0; + if 
(reply->dp_error != DP_ERR_OFFLINE) { + if (reply->dp_error != DP_ERR_OK) { + reset_fo(be_ctx); + } + be_reset_offline(be_ctx); + } +} + +static void check_if_online(struct be_ctx *be_ctx) +{ + errno_t ret; + + be_run_unconditional_online_cb(be_ctx); + + if (!be_is_offline(be_ctx)) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Backend is already online, nothing to do.\n"); + return; + } + + /* Make sure nobody tries to go online while we are checking */ + be_ctx->offstat.went_offline = time(NULL); + + DEBUG(SSSDBG_TRACE_INTERNAL, "Trying to go back online!\n"); + + be_ctx->check_online_ref_count++; + + if (be_ctx->check_online_ref_count != 1) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "There is an online check already running.\n"); + return; + } + + if (!dp_method_enabled(be_ctx->provider, DPT_ID, DPM_CHECK_ONLINE)) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "ID providers does not provide a check_online method.\n"); + goto failed; + } + + ret = be_check_online_request(be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create check online req.\n"); + goto failed; + } + + return; + +failed: + be_ctx->check_online_ref_count--; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to run a check_online test.\n"); + + if (be_ctx->check_online_ref_count == 0) { + reset_fo(be_ctx); + be_reset_offline(be_ctx); + } + + return; +} + +static void signal_be_offline(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + struct be_ctx *ctx = talloc_get_type(private_data, struct be_ctx); + be_mark_offline(ctx); +} + +static void signal_be_reset_offline(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + struct be_ctx *ctx = talloc_get_type(private_data, struct be_ctx); + check_if_online(ctx); +} + +errno_t be_process_init(TALLOC_CTX *mem_ctx, + const char *be_domain, + uid_t uid, + gid_t gid, + struct tevent_context *ev, + struct confdb_ctx *cdb) +{ + uint32_t 
refresh_interval; + struct tevent_signal *tes; + struct be_ctx *be_ctx; + char *str = NULL; + errno_t ret; + + be_ctx = talloc_zero(mem_ctx, struct be_ctx); + if (be_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "talloc_zero() failed\n"); + return ENOMEM; + } + + be_ctx->ev = ev; + be_ctx->cdb = cdb; + be_ctx->uid = uid; + be_ctx->gid = gid; + be_ctx->identity = talloc_asprintf(be_ctx, "%%BE_%s", be_domain); + be_ctx->conf_path = talloc_asprintf(be_ctx, CONFDB_DOMAIN_PATH_TMPL, be_domain); + if (be_ctx->identity == NULL || be_ctx->conf_path == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!?\n"); + ret = ENOMEM; + goto done; + } + be_ctx->last_dp_state = -1; + + ret = be_init_failover(be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize failover\n"); + goto done; + } + + ret = sssd_domain_init(be_ctx, cdb, be_domain, DB_PATH, &be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize domain\n"); + goto done; + } + + ret = sysdb_master_domain_update(be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to update master domain information!\n"); + goto done; + } + + ret = sss_monitor_init(be_ctx, be_ctx->ev, &monitor_be_methods, + be_ctx->identity, DATA_PROVIDER_VERSION, + MT_SVC_PROVIDER, be_ctx, NULL, + &be_ctx->mon_conn); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize monitor connection\n"); + goto done; + } + + /* We need this for subdomains support, as they have to store fully + * qualified user and group names for now. 
*/ + ret = sss_names_init(be_ctx->domain, cdb, be_ctx->domain->name, + &be_ctx->domain->names); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup fully qualified name " + "format for %s\n", be_ctx->domain->name); + goto done; + } + + /* Read the global override_space option, for output name formatting */ + ret = confdb_get_string(cdb, be_ctx, CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_OVERRIDE_SPACE, NULL, + &str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the space substitution character [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + if (str != NULL) { + if (strlen(str) > 1) { + DEBUG(SSSDBG_MINOR_FAILURE, "Option %s is longer than 1 character " + "only the first character %c will be used\n", + CONFDB_MONITOR_OVERRIDE_SPACE, str[0]); + } + + be_ctx->override_space = str[0]; + } + + /* Read session_recording section */ + ret = session_recording_conf_load(be_ctx, cdb, &be_ctx->sr_conf); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed loading session recording configuration: %s\n", + strerror(ret)); + goto done; + } + + /* Initialize be_refresh periodic task. 
*/ + be_ctx->refresh_ctx = be_refresh_ctx_init(be_ctx); + if (be_ctx->refresh_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize refresh_ctx\n"); + ret = ENOMEM; + goto done; + } + + refresh_interval = be_ctx->domain->refresh_expired_interval; + if (refresh_interval > 0) { + ret = be_ptask_create(be_ctx, be_ctx, refresh_interval, 30, 5, 0, + refresh_interval, BE_PTASK_OFFLINE_SKIP, 0, + be_refresh_send, be_refresh_recv, + be_ctx->refresh_ctx, "Refresh Records", NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Unable to initialize refresh periodic task\n"); + goto done; + } + } + + ret = dp_init(be_ctx->ev, be_ctx, be_ctx->uid, be_ctx->gid); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup data provider " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Handle SIGUSR1 to force offline behavior */ + BlockSignals(false, SIGUSR1); + tes = tevent_add_signal(be_ctx->ev, be_ctx, SIGUSR1, 0, + signal_be_offline, be_ctx); + if (tes == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup SIGUSR1 handler\n"); + ret = EIO; + goto done; + } + + /* Handle SIGUSR2 to force going online */ + BlockSignals(false, SIGUSR2); + tes = tevent_add_signal(be_ctx->ev, be_ctx, SIGUSR2, 0, + signal_be_reset_offline, be_ctx); + if (tes == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup SIGUSR2 handler\n"); + ret = EIO; + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(be_ctx); + } + + return ret; +} + +#ifndef UNIT_TESTING +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + char *be_domain = NULL; + char *srv_name = NULL; + struct main_context *main_ctx; + char *confdb_path; + int ret; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + {"domain", 0, POPT_ARG_STRING, &be_domain, 0, + _("Domain of the information provider (mandatory)"), NULL }, + 
POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + if (be_domain == NULL) { + fprintf(stderr, "\nMissing option, --domain is a mandatory option.\n\n"); + poptPrintUsage(pc, stderr, 0); + return 1; + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = talloc_asprintf(NULL, "sssd_%s", be_domain); + if (!debug_log_file) return 2; + + sss_set_logger(opt_logger); + + srv_name = talloc_asprintf(NULL, "sssd[be[%s]]", be_domain); + if (!srv_name) return 2; + + confdb_path = talloc_asprintf(NULL, CONFDB_DOMAIN_PATH_TMPL, be_domain); + if (!confdb_path) return 2; + + ret = server_setup(srv_name, 0, 0, 0, confdb_path, &main_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up mainloop [%d]\n", ret); + return 2; + } + + ret = setenv(SSS_DOM_ENV, be_domain, 1); + if (ret != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "Setting "SSS_DOM_ENV" failed, journald " + "logging might not work as expected\n"); + } + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, + "Could not set up to exit when parent process does\n"); + } + + ret = be_process_init(main_ctx, + be_domain, uid, gid, + main_ctx->event_ctx, + main_ctx->confdb_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize backend [%d]\n", ret); + return 3; + } + + ret = chown_debug_file(NULL, uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot chown the debug files, debugging might not work!\n"); + } + + ret = become_user(uid, gid); + if (ret != EOK) { + 
DEBUG(SSSDBG_FUNC_DATA, + "Cannot become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid); + return ret; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Backend provider (%s) started!\n", be_domain); + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} +#endif + +static int data_provider_res_init(struct sbus_request *dbus_req, void *data) +{ + struct be_ctx *be_ctx; + be_ctx = talloc_get_type(data, struct be_ctx); + + resolv_reread_configuration(be_ctx->be_res->resolv); + check_if_online(be_ctx); + + return monitor_common_res_init(dbus_req, data); +} + +static int data_provider_go_offline(struct sbus_request *dbus_req, void *data) +{ + struct be_ctx *be_ctx; + be_ctx = talloc_get_type(data, struct be_ctx); + be_mark_offline(be_ctx); + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} + +static int data_provider_reset_offline(struct sbus_request *dbus_req, void *data) +{ + struct be_ctx *be_ctx; + be_ctx = talloc_get_type(data, struct be_ctx); + check_if_online(be_ctx); + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} + +static int data_provider_logrotate(struct sbus_request *dbus_req, void *data) +{ + errno_t ret; + struct be_ctx *be_ctx = talloc_get_type(data, struct be_ctx); + + ret = server_common_rotate_logs(be_ctx->cdb, be_ctx->conf_path); + if (ret != EOK) return ret; + + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} diff --git a/src/providers/data_provider_callbacks.c b/src/providers/data_provider_callbacks.c new file mode 100644 index 0000000..24e125e --- /dev/null +++ b/src/providers/data_provider_callbacks.c 
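Review bot: In be_check_online_done, `reply` is declared without an initializer, and the `ret != EOK` path after dp_req_recv_ptr jumps to `done:`, where `reply->dp_error` is read. Unless dp_req_recv_ptr (defined outside this hunk) always sets the pointer on failure, that is a read through an uninitialized pointer in the backend process. Declaring `struct dp_reply_std *reply = NULL;` and testing `if (reply != NULL && reply->dp_error != DP_ERR_OFFLINE) {` at `done:` would make the failure path well defined. Whether a failed request should leave the backend offline or reset it needs an explicit decision. The `default:` case of the switch also logs `ret`, which is EOK at that point, where `reply->dp_error` looks like the intended value.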
@@ -0,0 +1,306 @@ +/* + SSSD + + Data Provider Process - Callback + + Authors: + + Stephen Gallagher + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/backend.h" + +struct be_cb { + struct be_cb *prev; + struct be_cb *next; + + be_callback_t cb; + void *pvt; + + struct be_cb **list; + struct be_ctx *be; +}; + +struct be_cb_ctx { + struct be_ctx *be; + struct be_cb *callback; +}; + +static int cb_destructor(TALLOC_CTX *ptr) +{ + struct be_cb *cb = talloc_get_type(ptr, struct be_cb); + DLIST_REMOVE(*(cb->list), cb); + return 0; +} + +static int be_add_cb(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, + be_callback_t cb, void *pvt, struct be_cb **cb_list, + struct be_cb **return_cb) +{ + struct be_cb *new_cb; + + if (!ctx || !cb) { + return EINVAL; + } + + new_cb = talloc(mem_ctx, struct be_cb); + if (!new_cb) { + return ENOMEM; + } + + new_cb->cb = cb; + new_cb->pvt = pvt; + new_cb->list = cb_list; + new_cb->be = ctx; + + DLIST_ADD(*cb_list, new_cb); + + talloc_set_destructor((TALLOC_CTX *) new_cb, cb_destructor); + + if (return_cb) { + *return_cb = new_cb; + } + + return EOK; +} + +static void be_run_cb_step(struct tevent_context *ev, struct tevent_timer *te, + struct timeval current_time, void *pvt) +{ + struct be_cb_ctx *cb_ctx = talloc_get_type(pvt, struct be_cb_ctx); + struct be_cb *next_cb; + struct tevent_timer *tev; + struct 
timeval soon; + + /* Store next callback in case this callback frees itself */ + next_cb = cb_ctx->callback->next; + + /* Call the callback */ + cb_ctx->callback->cb(cb_ctx->callback->pvt); + + if (next_cb) { + cb_ctx->callback = next_cb; + + /* Delay 30ms so we don't block any other events */ + soon = tevent_timeval_current_ofs(0, 30000); + tev = tevent_add_timer(cb_ctx->be->ev, cb_ctx, soon, + be_run_cb_step, + cb_ctx); + if (!tev) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Out of memory. Could not invoke callbacks\n"); + goto final; + } + return; + } + +final: + /* Steal the timer event onto the be_ctx so it doesn't + * get freed with the cb_ctx + */ + talloc_steal(cb_ctx->be, te); + talloc_free(cb_ctx); +} + +static errno_t be_run_cb(struct be_ctx *be, struct be_cb *cb_list) +{ + struct timeval soon; + struct tevent_timer *te; + struct be_cb_ctx *cb_ctx; + + if (cb_list == NULL) { + return EOK; + } + + cb_ctx = talloc(be, struct be_cb_ctx); + if (!cb_ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Out of memory. Could not invoke callbacks\n"); + return ENOMEM; + } + cb_ctx->be = be; + cb_ctx->callback = cb_list; + + /* Delay 30ms so we don't block any other events */ + soon = tevent_timeval_current_ofs(0, 30000); + te = tevent_add_timer(be->ev, cb_ctx, soon, + be_run_cb_step, + cb_ctx); + if (!te) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Out of memory. Could not invoke callbacks\n"); + talloc_free(cb_ctx); + return ENOMEM; + } + + return EOK; +} + +int be_add_reconnect_cb(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, be_callback_t cb, + void *pvt, struct be_cb **reconnect_cb) +{ + int ret; + + ret = be_add_cb(mem_ctx, ctx, cb, pvt, &ctx->reconnect_cb_list, reconnect_cb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_cb failed.\n"); + return ret; + } + + return EOK; +} + +void be_run_reconnect_cb(struct be_ctx *be) +{ + struct be_cb *callback = be->reconnect_cb_list; + struct be_cb *next_cb; + + if (callback) { + DEBUG(SSSDBG_TRACE_FUNC, "Reconnecting. 
Running callbacks.\n"); + + /** + * Call the callback: we have to call this right away + * so the provider doesn't go into offline even for + * a little while + */ + do { + /* Store next callback in case this callback frees itself */ + next_cb = callback->next; + + callback->cb(callback->pvt); + callback = next_cb; + } while(callback != NULL); + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, "Reconnect call back list is empty, nothing to do.\n"); + } +} + +int be_add_online_cb(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, be_callback_t cb, + void *pvt, struct be_cb **online_cb) +{ + int ret; + + ret = be_add_cb(mem_ctx, ctx, cb, pvt, &ctx->online_cb_list, online_cb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_cb failed.\n"); + return ret; + } + + /* Make sure we run the callback for the first + * connection after startup. + */ + ctx->run_online_cb = true; + + return EOK; +} + +void be_run_online_cb(struct be_ctx *be) { + int ret; + + if (be->run_online_cb) { + /* Reset the flag. We only want to run these + * callbacks when transitioning to online + */ + be->run_online_cb = false; + + if (be->online_cb_list) { + DEBUG(SSSDBG_MINOR_FAILURE, "Going online. 
Running callbacks.\n"); + + ret = be_run_cb(be, be->online_cb_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_run_cb failed.\n"); + } + + } else { + DEBUG(SSSDBG_TRACE_ALL, + "Online call back list is empty, nothing to do.\n"); + } + } +} + +int be_add_unconditional_online_cb(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, + be_callback_t cb, void *pvt, + struct be_cb **unconditional_online_cb) +{ + return be_add_cb(mem_ctx, ctx, cb, pvt, &ctx->unconditional_online_cb_list, + unconditional_online_cb); +} + +void be_run_unconditional_online_cb(struct be_ctx *be) +{ + int ret; + + if (be->unconditional_online_cb_list) { + DEBUG(SSSDBG_TRACE_FUNC, "Running unconditional online callbacks.\n"); + + ret = be_run_cb(be, be->unconditional_online_cb_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "be_run_cb failed.\n"); + } + + } else { + DEBUG(SSSDBG_TRACE_ALL, + "List of unconditional online callbacks is empty, " \ + "nothing to do.\n"); + } +} + +int be_add_offline_cb(TALLOC_CTX *mem_ctx, struct be_ctx *ctx, be_callback_t cb, + void *pvt, struct be_cb **offline_cb) +{ + int ret; + + ret = be_add_cb(mem_ctx, ctx, cb, pvt, &ctx->offline_cb_list, offline_cb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_cb failed.\n"); + return ret; + } + + /* Make sure we run the callback when SSSD goes offline */ + ctx->run_offline_cb = true; + + return EOK; +} + +void be_run_offline_cb(struct be_ctx *be) { + int ret; + + if (be->run_offline_cb) { + /* Reset the flag, we only want to run these callbacks once when going + * offline */ + be->run_offline_cb = false; + + if (be->offline_cb_list) { + DEBUG(SSSDBG_MINOR_FAILURE, "Going offline. 
Running callbacks.\n"); + + ret = be_run_cb(be, be->offline_cb_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_run_cb failed.\n"); + } + + } else { + DEBUG(SSSDBG_TRACE_ALL, + "Offline call back list is empty, nothing to do.\n"); + } + } else { + DEBUG(SSSDBG_TRACE_ALL, + "Flag indicates that offline callback were already called.\n"); + } +} diff --git a/src/providers/data_provider_fo.c b/src/providers/data_provider_fo.c new file mode 100644 index 0000000..332174e --- /dev/null +++ b/src/providers/data_provider_fo.c 
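Review bot: be_run_cb_step keeps a raw pointer to a list entry in cb_ctx->callback across the 30ms timer delay, and nothing updates it if that entry is freed in the meantime. be_add_cb allocates each be_cb on the caller's mem_ctx and cb_destructor only unlinks it from the list, so an entry released between two steps would leave the next step reading freed memory. The same applies to a callback that frees its successor after next_cb was saved, and be_run_reconnect_cb saves next_cb in the same way. Either have cb_destructor advance any pending walk that still points at the entry being destroyed, or at minimum state the lifetime rule above be_run_cb: `/* Entries on cb_list must stay allocated until the deferred walk finishes; cb_ctx->callback is not updated when an entry is freed. */`.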
@@ -0,0 +1,894 @@ +/* + SSSD + + Data Provider Helpers + + Copyright (C) Simo Sorce 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include "providers/backend.h" +#include "resolv/async_resolv.h" + +struct be_svc_callback { + struct be_svc_callback *prev; + struct be_svc_callback *next; + + struct be_svc_data *svc; + + be_svc_callback_fn_t *fn; + void *private_data; +}; + +static const char *proto_table[] = { FO_PROTO_TCP, FO_PROTO_UDP, NULL }; + +int be_fo_is_srv_identifier(const char *server) +{ + return server && strcasecmp(server, BE_SRV_IDENTIFIER) == 0; +} + +static int be_fo_get_options(struct be_ctx *ctx, + struct fo_options *opts) +{ + opts->service_resolv_timeout = dp_opt_get_int(ctx->be_res->opts, + DP_RES_OPT_RESOLVER_TIMEOUT); + opts->retry_timeout = 30; + opts->srv_retry_neg_timeout = 15; + opts->family_order = ctx->be_res->family_order; + + return EOK; +} + +int be_init_failover(struct be_ctx *ctx) +{ + int ret; + struct fo_options fopts; + + if (ctx->be_fo != NULL) { + return EOK; + } + + ctx->be_fo = talloc_zero(ctx, struct be_failover_ctx); + if (!ctx->be_fo) { + return ENOMEM; + } + + ret = be_res_init(ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fatal error initializing resolver context\n"); + talloc_zfree(ctx->be_fo); + return ret; + } + ctx->be_fo->be_res = ctx->be_res; + + ret = be_fo_get_options(ctx, &fopts); + if (ret != EOK) { + 
talloc_zfree(ctx->be_fo); + return ret; + } + + ctx->be_fo->fo_ctx = fo_context_init(ctx->be_fo, &fopts); + if (!ctx->be_fo->fo_ctx) { + talloc_zfree(ctx->be_fo); + return ENOMEM; + } + + return EOK; +} + +static int be_svc_data_destroy(void *memptr) +{ + struct be_svc_data *svc; + + svc = talloc_get_type(memptr, struct be_svc_data); + + while (svc->callbacks) { + /* callbacks removes themselves from the list, + * so this while will freem them all and then terminate */ + talloc_free(svc->callbacks); + } + + return 0; +} + +/* + * Find registered be_svc_data by service name. + */ +static struct be_svc_data *be_fo_find_svc_data(struct be_ctx *ctx, + const char *service_name) +{ + struct be_svc_data *svc; + + if (!ctx || !ctx->be_fo) { + return 0; + } + + DLIST_FOR_EACH(svc, ctx->be_fo->svcs) { + if (strcmp(svc->name, service_name) == 0) { + return svc; + } + } + + return 0; +} + +int be_fo_add_service(struct be_ctx *ctx, const char *service_name, + datacmp_fn user_data_cmp) +{ + struct fo_service *service; + struct be_svc_data *svc; + int ret; + + svc = be_fo_find_svc_data(ctx, service_name); + if (svc) { + DEBUG(SSSDBG_TRACE_FUNC, "Failover service already initialized!\n"); + /* we already have a service up and configured, + * can happen when using both id and auth provider + */ + return EOK; + } + + /* if not in the be service list, try to create new one */ + + ret = fo_new_service(ctx->be_fo->fo_ctx, service_name, user_data_cmp, + &service); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n"); + return ret; + } + + svc = talloc_zero(ctx->be_fo, struct be_svc_data); + if (!svc) { + return ENOMEM; + } + talloc_set_destructor((TALLOC_CTX *)svc, be_svc_data_destroy); + + svc->name = talloc_strdup(svc, service_name); + if (!svc->name) { + talloc_zfree(svc); + return ENOMEM; + } + svc->fo_service = service; + + DLIST_ADD(ctx->be_fo->svcs, svc); + + return EOK; +} + +static int be_svc_callback_destroy(void *memptr) +{ 
+ struct be_svc_callback *callback; + + callback = talloc_get_type(memptr, struct be_svc_callback); + + if (callback->svc) { + DLIST_REMOVE(callback->svc->callbacks, callback); + } + + return 0; +} + +int be_fo_service_add_callback(TALLOC_CTX *memctx, + struct be_ctx *ctx, const char *service_name, + be_svc_callback_fn_t *fn, void *private_data) +{ + struct be_svc_callback *callback; + struct be_svc_data *svc; + + svc = be_fo_find_svc_data(ctx, service_name); + if (NULL == svc) { + return ENOENT; + } + + callback = talloc_zero(memctx, struct be_svc_callback); + if (!callback) { + return ENOMEM; + } + talloc_set_destructor((TALLOC_CTX *)callback, be_svc_callback_destroy); + + callback->svc = svc; + callback->fn = fn; + callback->private_data = private_data; + + DLIST_ADD(svc->callbacks, callback); + + return EOK; +} + +void be_fo_set_srv_lookup_plugin(struct be_ctx *ctx, + fo_srv_lookup_plugin_send_t send_fn, + fo_srv_lookup_plugin_recv_t recv_fn, + void *pvt, + const char *plugin_name) +{ + bool bret; + + DEBUG(SSSDBG_TRACE_FUNC, "Trying to set SRV lookup plugin to %s\n", + plugin_name); + + bret = fo_set_srv_lookup_plugin(ctx->be_fo->fo_ctx, send_fn, recv_fn, pvt); + if (bret) { + DEBUG(SSSDBG_TRACE_FUNC, "SRV lookup plugin is now %s\n", + plugin_name); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to set SRV lookup plugin, " + "another plugin may be already in place\n"); + } +} + +errno_t be_fo_set_dns_srv_lookup_plugin(struct be_ctx *be_ctx, + const char *hostname) +{ + struct fo_resolve_srv_dns_ctx *srv_ctx = NULL; + char resolved_hostname[HOST_NAME_MAX + 1]; + errno_t ret; + + if (hostname == NULL) { + ret = gethostname(resolved_hostname, HOST_NAME_MAX); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "gethostname() failed: [%d]: %s\n", ret, strerror(ret)); + return ret; + } + resolved_hostname[HOST_NAME_MAX] = '\0'; + hostname = resolved_hostname; + } + + srv_ctx = fo_resolve_srv_dns_ctx_init(be_ctx, be_ctx->be_res->resolv, + 
be_ctx->be_res->family_order, + default_host_dbs, hostname, + be_ctx->domain->name); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; + } + + be_fo_set_srv_lookup_plugin(be_ctx, fo_resolve_srv_dns_send, + fo_resolve_srv_dns_recv, srv_ctx, "DNS"); + + return EOK; +} + +int be_fo_add_srv_server(struct be_ctx *ctx, + const char *service_name, + const char *query_service, + const char *default_discovery_domain, + enum be_fo_protocol proto, + bool proto_fallback, void *user_data) +{ + struct be_svc_data *svc; + const char *domain; + int ret; + int i; + + svc = be_fo_find_svc_data(ctx, service_name); + if (NULL == svc) { + return ENOENT; + } + + domain = dp_opt_get_string(ctx->be_res->opts, DP_RES_OPT_DNS_DOMAIN); + if (!domain) { + domain = default_discovery_domain; + } + + /* Add the first protocol as the primary lookup */ + ret = fo_add_srv_server(svc->fo_service, query_service, + domain, ctx->domain->name, + proto_table[proto], user_data); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add SRV lookup reference to failover service " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + if (proto_fallback) { + i = (proto + 1) % BE_FO_PROTO_SENTINEL; + /* All the rest as fallback */ + while (i != proto) { + ret = fo_add_srv_server(svc->fo_service, query_service, + domain, ctx->domain->name, + proto_table[i], user_data); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add SRV lookup reference to failover " + "service [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + i = (i + 1) % BE_FO_PROTO_SENTINEL; + } + } + + return EOK; +} + +int be_fo_get_server_count(struct be_ctx *ctx, const char *service_name) +{ + struct be_svc_data *svc_data; + + svc_data = be_fo_find_svc_data(ctx, service_name); + if (!svc_data) { + return 0; + } + + return fo_get_server_count(svc_data->fo_service); +} + +int be_fo_add_server(struct be_ctx *ctx, const char *service_name, + const 
char *server, int port, void *user_data, + bool primary) +{ + struct be_svc_data *svc; + int ret; + + svc = be_fo_find_svc_data(ctx, service_name); + if (NULL == svc) { + return ENOENT; + } + + ret = fo_add_server(svc->fo_service, server, port, + user_data, primary); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add server to failover service [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +struct be_resolve_server_state { + struct tevent_context *ev; + struct be_ctx *ctx; + + struct be_svc_data *svc; + int attempts; + + struct fo_server *srv; + bool first_try; +}; + +struct be_primary_server_ctx { + struct be_ctx *bctx; + struct tevent_context *ev; + + struct be_svc_data *svc; + unsigned long timeout; + + int attempts; +}; + +errno_t be_resolve_server_process(struct tevent_req *subreq, + struct be_resolve_server_state *state, + struct tevent_req **new_subreq); +static void be_primary_server_done(struct tevent_req *subreq); +static errno_t +be_primary_server_timeout_activate(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *bctx, + struct be_svc_data *svc, + const unsigned long timeout_seconds); + +static void +be_primary_server_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct be_primary_server_ctx *ctx = talloc_get_type(pvt, struct be_primary_server_ctx); + struct tevent_req *subreq; + + ctx->bctx->be_fo->primary_server_handler = NULL; + + DEBUG(SSSDBG_TRACE_FUNC, "Looking for primary server!\n"); + subreq = fo_resolve_service_send(ctx->bctx, ctx->ev, + ctx->bctx->be_fo->be_res->resolv, + ctx->bctx->be_fo->fo_ctx, + ctx->svc->fo_service); + if (subreq == NULL) { + return; + } + tevent_req_set_callback(subreq, be_primary_server_done, ctx); +} + +static void be_primary_server_done(struct tevent_req *subreq) +{ + errno_t ret; + struct be_primary_server_ctx *ctx; + struct be_resolve_server_state *resolve_state; + struct tevent_req 
*new_subreq; + + ctx = tevent_req_callback_data(subreq, struct be_primary_server_ctx); + + resolve_state = talloc_zero(ctx->bctx, struct be_resolve_server_state); + if (resolve_state == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + return; + } + + resolve_state->attempts = ctx->attempts; + resolve_state->ctx = ctx->bctx; + resolve_state->ev = ctx->ev; + resolve_state->first_try = true; + resolve_state->srv = NULL; + resolve_state->svc = ctx->svc; + + ret = be_resolve_server_process(subreq, resolve_state, &new_subreq); + talloc_free(subreq); + if (ret == EAGAIN) { + ctx->attempts++; + tevent_req_set_callback(new_subreq, be_primary_server_done, ctx); + return; + } else if (ret == EIO || (ret == EOK && + !fo_is_server_primary(resolve_state->srv))) { + + /* Schedule another lookup + * (either no server could be found or it was not primary) + */ + ret = be_primary_server_timeout_activate(ctx->bctx, ctx->ev, ctx->bctx, + ctx->svc, ctx->timeout); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not schedule primary server lookup [%d]: %s\n", + ret, sss_strerror(ret)); + } + } else if (ret == EOK) { + be_run_reconnect_cb(ctx->bctx); + } + talloc_zfree(ctx); + + /* If an error occurred just end the routine */ +} + +static errno_t +be_primary_server_timeout_activate(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *bctx, + struct be_svc_data *svc, + const unsigned long timeout_seconds) +{ + struct timeval tv; + struct be_primary_server_ctx *ctx; + struct be_failover_ctx *fo_ctx = bctx->be_fo; + + if (fo_ctx->primary_server_handler != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "The primary server reconnection " + "is already scheduled\n"); + return EOK; + } + + ctx = talloc_zero(mem_ctx, struct be_primary_server_ctx); + if (ctx == NULL) { + return ENOMEM; + } + + ctx->bctx = bctx; + ctx->ev = ev; + ctx->svc = svc; + ctx->timeout = timeout_seconds; + + tv = tevent_timeval_current(); + tv = tevent_timeval_add(&tv, timeout_seconds, 0); + 
fo_ctx->primary_server_handler = tevent_add_timer(ev, bctx, tv, + be_primary_server_timeout, ctx); + if (fo_ctx->primary_server_handler == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + talloc_free(ctx); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Primary server reactivation timeout set " + "to %lu seconds\n", timeout_seconds); + return EOK; +} + + +static void be_resolve_server_done(struct tevent_req *subreq); + +struct tevent_req *be_resolve_server_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct be_ctx *ctx, + const char *service_name, + bool first_try) +{ + struct tevent_req *req, *subreq; + struct be_resolve_server_state *state; + struct be_svc_data *svc; + + req = tevent_req_create(memctx, &state, struct be_resolve_server_state); + if (!req) return NULL; + + state->ev = ev; + state->ctx = ctx; + + svc = be_fo_find_svc_data(ctx, service_name); + if (NULL == svc) { + tevent_req_error(req, EINVAL); + tevent_req_post(req, ev); + return req; + } + + state->svc = svc; + state->attempts = 0; + state->first_try = first_try; + + subreq = fo_resolve_service_send(state, ev, + ctx->be_fo->be_res->resolv, + ctx->be_fo->fo_ctx, + svc->fo_service); + if (!subreq) { + talloc_zfree(req); + return NULL; + } + tevent_req_set_callback(subreq, be_resolve_server_done, req); + + return req; +} + +static void be_resolve_server_done(struct tevent_req *subreq) +{ + struct tevent_req *new_subreq; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct be_resolve_server_state *state = tevent_req_data(req, + struct be_resolve_server_state); + time_t timeout = fo_get_service_retry_timeout(state->svc->fo_service) + 1; + int ret; + + ret = be_resolve_server_process(subreq, state, &new_subreq); + talloc_zfree(subreq); + if (ret == EAGAIN) { + tevent_req_set_callback(new_subreq, be_resolve_server_done, req); + return; + } else if (ret != EOK) { + goto fail; + } + + if (!fo_is_server_primary(state->srv)) { + /* 
FIXME: make the timeout configurable */ + ret = be_primary_server_timeout_activate(state->ctx, state->ev, + state->ctx, state->svc, + timeout); + if (ret != EOK) { + goto fail; + } + } + + tevent_req_done(req); + return; + +fail: + DEBUG(SSSDBG_TRACE_LIBS, + "Server resolution failed: [%d]: %s\n", ret, sss_strerror(ret)); + state->svc->first_resolved = NULL; + tevent_req_error(req, ret); +} + +errno_t be_resolve_server_process(struct tevent_req *subreq, + struct be_resolve_server_state *state, + struct tevent_req **new_subreq) +{ + errno_t ret; + time_t srv_status_change; + struct be_svc_callback *callback; + + ret = fo_resolve_service_recv(subreq, state, &state->srv); + switch (ret) { + case EOK: + if (!state->srv) { + return EFAULT; + } + break; + + case ENOENT: + /* all servers have been tried and none + * was found good, go offline */ + return EIO; + + default: + /* mark server as bad and retry */ + if (!state->srv) { + return EFAULT; + } + DEBUG(SSSDBG_MINOR_FAILURE, + "Couldn't resolve server (%s), resolver returned [%d]: %s\n", + fo_get_server_str_name(state->srv), ret, sss_strerror(ret)); + + state->attempts++; + if (state->attempts >= 10) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to find a server after 10 attempts\n"); + return EIO; + } + + /* now try next one */ + DEBUG(SSSDBG_TRACE_LIBS, "Trying with the next one!\n"); + subreq = fo_resolve_service_send(state, state->ev, + state->ctx->be_fo->be_res->resolv, + state->ctx->be_fo->fo_ctx, + state->svc->fo_service); + if (!subreq) { + return ENOMEM; + } + + if (new_subreq) { + *new_subreq = subreq; + } + + return EAGAIN; + } + + /* all fine we got the server */ + if (state->svc->first_resolved == NULL || state->first_try == true) { + DEBUG(SSSDBG_TRACE_LIBS, "Saving the first resolved server\n"); + state->svc->first_resolved = state->srv; + } else if (state->svc->first_resolved == state->srv) { + DEBUG(SSSDBG_OP_FAILURE, + "The fail over cycled through all available servers\n"); + return ENOENT; + } + + if 
(DEBUG_IS_SET(SSSDBG_FUNC_DATA) && fo_get_server_name(state->srv)) { + struct resolv_hostent *srvaddr; + char ipaddr[128]; + srvaddr = fo_get_server_hostent(state->srv); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, + "FATAL: No hostent available for server (%s)\n", + fo_get_server_str_name(state->srv)); + return EFAULT; + } + + inet_ntop(srvaddr->family, srvaddr->addr_list[0]->ipaddr, + ipaddr, 128); + + DEBUG(SSSDBG_FUNC_DATA, "Found address for server %s: [%s] TTL %d\n", + fo_get_server_str_name(state->srv), ipaddr, + srvaddr->addr_list[0]->ttl); + } + + srv_status_change = fo_get_server_hostname_last_change(state->srv); + + /* now call all svc callbacks if server changed or if it is explicitly + * requested or if the server is the same but changed status since last time*/ + if (state->srv != state->svc->last_good_srv || + state->svc->run_callbacks || + srv_status_change > state->svc->last_status_change) { + state->svc->last_good_srv = state->srv; + state->svc->last_status_change = srv_status_change; + state->svc->run_callbacks = false; + + DLIST_FOR_EACH(callback, state->svc->callbacks) { + callback->fn(callback->private_data, state->srv); + } + } + + return EOK; +} + +int be_resolve_server_recv(struct tevent_req *req, + TALLOC_CTX *ref_ctx, + struct fo_server **srv) +{ + struct be_resolve_server_state *state = tevent_req_data(req, + struct be_resolve_server_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (srv) { + fo_ref_server(ref_ctx, state->srv); + *srv = state->srv; + } + + return EOK; +} + +void be_fo_try_next_server(struct be_ctx *ctx, const char *service_name) +{ + struct be_svc_data *svc; + + svc = be_fo_find_svc_data(ctx, service_name); + if (svc) { + fo_try_next_server(svc->fo_service); + } +} + +const char *be_fo_get_active_server_name(struct be_ctx *ctx, + const char *service_name) +{ + struct be_svc_data *svc; + struct fo_server *server; + + svc = be_fo_find_svc_data(ctx, service_name); + if (svc != NULL) { + server = 
fo_get_active_server(svc->fo_service); + if (server != NULL) { + return fo_get_server_name(server); + } + } + + return NULL; +} + +int be_fo_run_callbacks_at_next_request(struct be_ctx *ctx, + const char *service_name) +{ + struct be_svc_data *svc; + + svc = be_fo_find_svc_data(ctx, service_name); + if (NULL == svc) { + return ENOENT; + } + + svc->run_callbacks = true; + + return EOK; +} + +void reset_fo(struct be_ctx *be_ctx) +{ + fo_reset_services(be_ctx->be_fo->fo_ctx); +} + +void be_fo_reset_svc(struct be_ctx *be_ctx, + const char *svc_name) +{ + struct fo_service *service; + int ret; + + DEBUG(SSSDBG_TRACE_LIBS, + "Resetting all servers in service %s\n", svc_name); + + ret = fo_get_service(be_ctx->be_fo->fo_ctx, svc_name, &service); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot retrieve service [%s]\n", svc_name); + return; + } + + fo_reset_servers(service); +} + +void _be_fo_set_port_status(struct be_ctx *ctx, + const char *service_name, + struct fo_server *server, + enum port_status status, + int line, + const char *file, + const char *function) +{ + struct be_svc_data *be_svc; + + /* Print debug info */ + switch (status) { + case PORT_NEUTRAL: + DEBUG(SSSDBG_BE_FO, + "Setting status: PORT_NEUTRAL. Called from: %s: %s: %d\n", + file, function, line); + break; + case PORT_WORKING: + DEBUG(SSSDBG_BE_FO, + "Setting status: PORT_WORKING. Called from: %s: %s: %d\n", + file, function, line); + break; + case PORT_NOT_WORKING: + DEBUG(SSSDBG_BE_FO, + "Setting status: PORT_NOT_WORKING. 
Called from: %s: %s: %d\n", + file, function, line); + break; + } + + be_svc = be_fo_find_svc_data(ctx, service_name); + if (be_svc == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "No service associated with name %s\n", service_name); + return; + } + + if (!fo_svc_has_server(be_svc->fo_service, server)) { + DEBUG(SSSDBG_OP_FAILURE, + "The server %p is not valid anymore, cannot set its status\n", + server); + return; + } + + /* Now we know that the server is valid */ + fo_set_port_status(server, status); + + if (status == PORT_WORKING) { + /* We were successful in connecting to the server. Cycle through all + * available servers next time */ + be_svc->first_resolved = NULL; + } +} + +/* Resolver back end interface */ +static struct dp_option dp_res_default_opts[] = { + { "lookup_family_order", DP_OPT_STRING, { "ipv4_first" }, NULL_STRING }, + { "dns_resolver_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "dns_resolver_op_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "dns_discovery_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + DP_OPTION_TERMINATOR +}; + +static errno_t be_res_get_opts(struct be_resolv_ctx *res_ctx, + struct confdb_ctx *cdb, + const char *conf_path) +{ + errno_t ret; + const char *str_family; + + ret = dp_get_options(res_ctx, cdb, conf_path, + dp_res_default_opts, + DP_RES_OPTS, + &res_ctx->opts); + if (ret != EOK) { + return ret; + } + + str_family = dp_opt_get_string(res_ctx->opts, DP_RES_OPT_FAMILY_ORDER); + DEBUG(SSSDBG_CONF_SETTINGS, "Lookup order: %s\n", str_family); + + if (strcasecmp(str_family, "ipv4_first") == 0) { + res_ctx->family_order = IPV4_FIRST; + } else if (strcasecmp(str_family, "ipv4_only") == 0) { + res_ctx->family_order = IPV4_ONLY; + } else if (strcasecmp(str_family, "ipv6_first") == 0) { + res_ctx->family_order = IPV6_FIRST; + } else if (strcasecmp(str_family, "ipv6_only") == 0) { + res_ctx->family_order = IPV6_ONLY; + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unknown value for option %s: %s\n", + 
dp_res_default_opts[DP_RES_OPT_FAMILY_ORDER].opt_name, str_family); + return EINVAL; + } + + return EOK; +} + +errno_t be_res_init(struct be_ctx *ctx) +{ + errno_t ret; + + if (ctx->be_res != NULL) { + return EOK; + } + + ctx->be_res = talloc_zero(ctx, struct be_resolv_ctx); + if (!ctx->be_res) { + return ENOMEM; + } + + ret = be_res_get_opts(ctx->be_res, ctx->cdb, ctx->conf_path); + if (ret != EOK) { + talloc_zfree(ctx->be_res); + return ret; + } + + ret = resolv_init(ctx, ctx->ev, + dp_opt_get_int(ctx->be_res->opts, + DP_RES_OPT_RESOLVER_OP_TIMEOUT), + &ctx->be_res->resolv); + if (ret != EOK) { + talloc_zfree(ctx->be_res); + return ret; + } + + return EOK; +} diff --git a/src/providers/data_provider_opts.c b/src/providers/data_provider_opts.c new file mode 100644 index 0000000..9db43fc --- /dev/null +++ b/src/providers/data_provider_opts.c 
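Review bot: In be_resolve_server_process the return value of inet_ntop() is ignored, so if the conversion fails the following DEBUG prints the `ipaddr` stack buffer with `%s` while its contents are unspecified. The call also dereferences `srvaddr->addr_list[0]` without checking it for NULL. A guarded form would be `if (srvaddr->addr_list[0] == NULL || inet_ntop(srvaddr->family, srvaddr->addr_list[0]->ipaddr, ipaddr, sizeof(ipaddr)) == NULL) { ipaddr[0] = '\0'; }`, with the TTL argument guarded likewise. Separately, the `return EFAULT` for a missing hostent sits inside the `DEBUG_IS_SET(SSSDBG_FUNC_DATA)` block, so the function's result depends on the configured debug level; that check would be better placed outside the logging condition or reduced to a log message.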
@@ -0,0 +1,474 @@ +/* + SSSD + + Data Provider Helpers + + Copyright (C) Simo Sorce 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "data_provider.h" + +/* =Copy-Option-From-Subdomain-If-Allowed================================= */ +void dp_option_inherit(char **inherit_opt_list, + int option, + struct dp_option *parent_opts, + struct dp_option *subdom_opts) +{ + errno_t ret; + bool inherit_option; + + inherit_option = string_in_list(parent_opts[option].opt_name, + inherit_opt_list, false); + if (inherit_option == false) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Option %s is not set up to be inherited\n", + parent_opts[option].opt_name); + return; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Will inherit option %s\n", parent_opts[option].opt_name); + switch (parent_opts[option].type) { + case DP_OPT_NUMBER: + ret = dp_opt_set_int(subdom_opts, + option, + dp_opt_get_int(parent_opts, + option)); + break; + case DP_OPT_STRING: + ret = dp_opt_set_string(subdom_opts, + option, + dp_opt_get_string(parent_opts, + option)); + break; + case DP_OPT_BLOB: + ret = dp_opt_set_blob(subdom_opts, + option, + dp_opt_get_blob(parent_opts, + option)); + break; + case DP_OPT_BOOL: + ret = dp_opt_set_bool(subdom_opts, + option, + dp_opt_get_bool(parent_opts, + option)); + break; + default: + ret = EINVAL; + break; + } + + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to inherit option %s\n", parent_opts[option].opt_name); 
+ /* Not fatal */ + } +} + +/* =Retrieve-Options====================================================== */ + +int dp_get_options(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct dp_option *def_opts, + int num_opts, + struct dp_option **_opts) +{ + struct dp_option *opts; + int i, ret; + + opts = talloc_zero_array(memctx, struct dp_option, num_opts); + if (!opts) return ENOMEM; + + for (i = 0; i < num_opts; i++) { + char *tmp; + + opts[i].opt_name = def_opts[i].opt_name; + opts[i].type = def_opts[i].type; + opts[i].def_val = def_opts[i].def_val; + + switch (def_opts[i].type) { + case DP_OPT_STRING: + ret = confdb_get_string(cdb, opts, conf_path, + opts[i].opt_name, + opts[i].def_val.cstring, + &opts[i].val.string); + if (ret != EOK || + ((opts[i].def_val.string != NULL) && + (opts[i].val.string == NULL))) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + if (ret == EOK) ret = EINVAL; + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n", + opts[i].opt_name, + opts[i].val.cstring ? "" : " no", + opts[i].val.cstring ? 
opts[i].val.cstring : ""); + break; + + case DP_OPT_BLOB: + ret = confdb_get_string(cdb, opts, conf_path, + opts[i].opt_name, + NULL, &tmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + goto done; + } + + if (tmp) { + opts[i].val.blob.data = (uint8_t *)tmp; + opts[i].val.blob.length = strlen(tmp); + } else if (opts[i].def_val.blob.data != NULL) { + opts[i].val.blob.data = opts[i].def_val.blob.data; + opts[i].val.blob.length = opts[i].def_val.blob.length; + } else { + opts[i].val.blob.data = NULL; + opts[i].val.blob.length = 0; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has %s binary value.\n", + opts[i].opt_name, opts[i].val.blob.length?"a":"no"); + break; + + case DP_OPT_NUMBER: + ret = confdb_get_int(cdb, conf_path, + opts[i].opt_name, + opts[i].def_val.number, + &opts[i].val.number); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has value %d\n", + opts[i].opt_name, opts[i].val.number); + break; + + case DP_OPT_BOOL: + ret = confdb_get_bool(cdb, conf_path, + opts[i].opt_name, + opts[i].def_val.boolean, + &opts[i].val.boolean); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s is %s\n", + opts[i].opt_name, opts[i].val.boolean?"TRUE":"FALSE"); + break; + } + } + + ret = EOK; + *_opts = opts; + +done: + if (ret != EOK) talloc_zfree(opts); + return ret; +} + +/* =Basic-Option-Helpers================================================== */ +static int dp_copy_options_ex(TALLOC_CTX *memctx, + bool copy_values, + struct dp_option *src_opts, + int num_opts, + struct dp_option **_opts) +{ + struct dp_option *opts; + int i, ret = EOK; + + opts = talloc_zero_array(memctx, struct dp_option, num_opts); + if (!opts) return ENOMEM; + + for (i = 0; i < num_opts; 
i++) { + opts[i].opt_name = src_opts[i].opt_name; + opts[i].type = src_opts[i].type; + opts[i].def_val = src_opts[i].def_val; + ret = EOK; + + switch (src_opts[i].type) { + case DP_OPT_STRING: + if (copy_values) { + ret = dp_opt_set_string(opts, i, src_opts[i].val.string); + } else { + ret = dp_opt_set_string(opts, i, src_opts[i].def_val.string); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to copy value for option (%s)\n", + opts[i].opt_name); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n", + opts[i].opt_name, + opts[i].val.cstring ? "" : " no", + opts[i].val.cstring ? opts[i].val.cstring : ""); + break; + + case DP_OPT_BLOB: + if (copy_values) { + ret = dp_opt_set_blob(opts, i, src_opts[i].val.blob); + } else { + ret = dp_opt_set_blob(opts, i, src_opts[i].def_val.blob); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has %s binary value.\n", + opts[i].opt_name, opts[i].val.blob.length?"a":"no"); + break; + + case DP_OPT_NUMBER: + if (copy_values) { + ret = dp_opt_set_int(opts, i, src_opts[i].val.number); + } else { + ret = dp_opt_set_int(opts, i, src_opts[i].def_val.number); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has value %d\n", + opts[i].opt_name, opts[i].val.number); + break; + + case DP_OPT_BOOL: + if (copy_values) { + ret = dp_opt_set_bool(opts, i, src_opts[i].val.boolean); + } else { + ret = dp_opt_set_bool(opts, i, src_opts[i].def_val.boolean); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for option (%s)\n", + opts[i].opt_name); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s is %s\n", + opts[i].opt_name, opts[i].val.boolean?"TRUE":"FALSE"); + break; + } + } + + *_opts = opts; + +done: + if (ret != EOK) 
talloc_zfree(opts); + return ret; +} + +int dp_copy_options(TALLOC_CTX *memctx, + struct dp_option *src_opts, + int num_opts, + struct dp_option **_opts) +{ + return dp_copy_options_ex(memctx, true, src_opts, num_opts, _opts); +} + +int dp_copy_defaults(TALLOC_CTX *memctx, + struct dp_option *src_opts, + int num_opts, + struct dp_option **_opts) +{ + return dp_copy_options_ex(memctx, false, src_opts, num_opts, _opts); +} + +static const char *dp_opt_type_to_string(enum dp_opt_type type) +{ + switch (type) { + case DP_OPT_STRING: + return "String"; + case DP_OPT_BLOB: + return "Blob"; + case DP_OPT_NUMBER: + return "Number"; + case DP_OPT_BOOL: + return "Boolean"; + } + return NULL; +} + +/* Getters */ +const char *_dp_opt_get_cstring(struct dp_option *opts, + int id, const char *location) +{ + if (opts[id].type != DP_OPT_STRING) { + DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'String' for option '%s'" + " but value is of type '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return NULL; + } + return opts[id].val.cstring; +} + +char *_dp_opt_get_string(struct dp_option *opts, + int id, const char *location) +{ + if (opts[id].type != DP_OPT_STRING) { + DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'String' for option '%s'" + " but value is of type '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return NULL; + } + return opts[id].val.string; +} + +struct dp_opt_blob _dp_opt_get_blob(struct dp_option *opts, + int id, const char *location) +{ + struct dp_opt_blob null_blob = { NULL, 0 }; + if (opts[id].type != DP_OPT_BLOB) { + DEBUG(SSSDBG_FATAL_FAILURE, "[%s] Requested type 'Blob' for option '%s'" + " but value is of type '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return null_blob; + } + return opts[id].val.blob; +} + +int _dp_opt_get_int(struct dp_option *opts, + int id, const char *location) +{ + if (opts[id].type != DP_OPT_NUMBER) { + 
DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'Number' for option '%s'" + " but value is of type '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return 0; + } + return opts[id].val.number; +} + +bool _dp_opt_get_bool(struct dp_option *opts, + int id, const char *location) +{ + if (opts[id].type != DP_OPT_BOOL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'Boolean' for option '%s'" + " but value is of type '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return false; + } + return opts[id].val.boolean; +} + +/* Setters */ +int _dp_opt_set_string(struct dp_option *opts, int id, + const char *s, const char *location) +{ + if (opts[id].type != DP_OPT_STRING) { + DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'String' for option '%s'" + " but type is '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return EINVAL; + } + + if (opts[id].val.string) { + talloc_zfree(opts[id].val.string); + } + if (s) { + opts[id].val.string = talloc_strdup(opts, s); + if (!opts[id].val.string) { + DEBUG(SSSDBG_FATAL_FAILURE, "talloc_strdup() failed!\n"); + return ENOMEM; + } + } + + return EOK; +} + +int _dp_opt_set_blob(struct dp_option *opts, int id, + struct dp_opt_blob b, const char *location) +{ + if (opts[id].type != DP_OPT_BLOB) { + DEBUG(SSSDBG_FATAL_FAILURE, "[%s] Requested type 'Blob' for option '%s'" + " but type is '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return EINVAL; + } + + if (opts[id].val.blob.data) { + talloc_zfree(opts[id].val.blob.data); + opts[id].val.blob.length = 0; + } + if (b.data) { + opts[id].val.blob.data = talloc_memdup(opts, b.data, b.length); + if (!opts[id].val.blob.data) { + DEBUG(SSSDBG_FATAL_FAILURE, "talloc_memdup() failed!\n"); + return ENOMEM; + } + } + opts[id].val.blob.length = b.length; + + return EOK; +} + +int _dp_opt_set_int(struct dp_option *opts, int id, + int i, const char 
*location) +{ + if (opts[id].type != DP_OPT_NUMBER) { + DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'Number' for option '%s'" + " but type is '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return EINVAL; + } + + opts[id].val.number = i; + + return EOK; +} + +int _dp_opt_set_bool(struct dp_option *opts, int id, + bool b, const char *location) +{ + if (opts[id].type != DP_OPT_BOOL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "[%s] Requested type 'Boolean' for option '%s'" + " but type is '%s'!\n", + location, opts[id].opt_name, + dp_opt_type_to_string(opts[id].type)); + return EINVAL; + } + + opts[id].val.boolean = b; + + return EOK; +} + diff --git a/src/providers/data_provider_req.c b/src/providers/data_provider_req.c new file mode 100644 index 0000000..7750c2c --- /dev/null +++ b/src/providers/data_provider_req.c 
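Review bot: In dp_get_options(), the DP_OPT_BLOB branch stores a default by aliasing it, `opts[i].val.blob.data = opts[i].def_val.blob.data;`, while _dp_opt_set_blob() later in this file releases the current value with `talloc_zfree(opts[id].val.blob.data)`. If a defaults table ever carries a non-NULL blob that is not a talloc allocation (the one table visible here is a static array), the first dp_opt_set_blob() on that option would hand talloc a pointer it does not own. dp_copy_options_ex() already copies defaults through dp_opt_set_blob(), so the two paths are inconsistent. The same ownership could be established here with `opts[i].val.blob.data = talloc_memdup(opts, opts[i].def_val.blob.data, opts[i].def_val.blob.length);` followed by a NULL check that sets `ret = ENOMEM` and jumps to `done`.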
@@ -0,0 +1,53 @@
+/*
+ SSSD
+
+ Data Provider -- backend request
+
+ Copyright (C) Petr Cech 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/data_provider_req.h"
+
+#define be_req_to_str(be_req_t) #be_req_t
+
+const char *be_req2str(dbus_uint32_t req_type)
+{
+ switch (req_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER:
+ return be_req_to_str(BE_REQ_USER);
+ case BE_REQ_GROUP:
+ return be_req_to_str(BE_REQ_GROUP);
+ case BE_REQ_INITGROUPS:
+ return be_req_to_str(BE_REQ_INITGROUPS);
+ case BE_REQ_NETGROUP:
+ return be_req_to_str(BE_REQ_NETGROUP);
+ case BE_REQ_SERVICES:
+ return be_req_to_str(BE_REQ_SERVICES);
+ case BE_REQ_SUDO_FULL:
+ return be_req_to_str(BE_REQ_SUDO_FULL);
+ case BE_REQ_SUDO_RULES:
+ return be_req_to_str(BE_REQ_SUDO_RULES);
+ case BE_REQ_BY_SECID:
+ return be_req_to_str(BE_REQ_BY_SECID);
+ case BE_REQ_USER_AND_GROUP:
+ return be_req_to_str(BE_REQ_USER_AND_GROUP);
+ case BE_REQ_BY_UUID:
+ return be_req_to_str(BE_REQ_BY_UUID);
+ case BE_REQ_BY_CERT:
+ return be_req_to_str(BE_REQ_BY_CERT);
+ }
+ return "UNKNOWN_REQ";
+}
diff --git a/src/providers/data_provider_req.h b/src/providers/data_provider_req.h
new file mode 100644
index 0000000..2dde81e
--- /dev/null
+++ b/src/providers/data_provider_req.h
@@ -0,0 +1,50 @@
+/*
+ SSSD
+
+ Data Provider -- backend request
+
+ Copyright (C) Petr Cech 2015
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __DATA_PROVIDER_REQ__
+#define __DATA_PROVIDER_REQ__
+
+#include
+
+/* When changing these constants, also please change sssd_functions.stp
+ */
+#define BE_REQ_USER 0x0001
+#define BE_REQ_GROUP 0x0002
+#define BE_REQ_INITGROUPS 0x0003
+#define BE_REQ_NETGROUP 0x0004
+#define BE_REQ_SERVICES 0x0005
+#define BE_REQ_SUDO_FULL 0x0006
+#define BE_REQ_SUDO_RULES 0x0007
+#define BE_REQ_BY_SECID 0x0011
+#define BE_REQ_USER_AND_GROUP 0x0012
+#define BE_REQ_BY_UUID 0x0013
+#define BE_REQ_BY_CERT 0x0014
+#define BE_REQ_TYPE_MASK 0x00FF
+
+/**
+ * @brief Convert request type to string for logging purpose.
+ *
+ * @param[in] req_type Type of request.
+ * @return Pointer to string with request type. There could be 'fast' flag.
+ */
+const char *be_req2str(dbus_uint32_t req_type);
+
+#endif /* __DATA_PROVIDER_REQ__ */
diff --git a/src/providers/dp_auth_util.c b/src/providers/dp_auth_util.c
new file mode 100644
index 0000000..35d22ab
--- /dev/null
+++ b/src/providers/dp_auth_util.c
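Review bot: The `@return` text on be_req2str() says the string may carry a 'fast' flag, but the implementation added in data_provider_req.c in this same commit switches on `req_type & BE_REQ_TYPE_MASK` and returns only the stringified constant name or "UNKNOWN_REQ". Flag bits therefore never appear in the log line. I would reword it to `@return Static string naming the request type; bits outside BE_REQ_TYPE_MASK are ignored and unknown types yield "UNKNOWN_REQ".` Separately, the include guard `__DATA_PROVIDER_REQ__` uses a double-underscore identifier, which C reserves for the implementation; `DATA_PROVIDER_REQ_H` would avoid that.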
@@ -0,0 +1,323 @@ +/* + SSSD + + Data Provider, auth utils + + Copyright (C) Sumit Bose 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "data_provider.h" + +bool dp_pack_pam_request(DBusMessage *msg, struct pam_data *pd) +{ + dbus_bool_t db_ret; + const char *service; + const char *tty; + const char *ruser; + const char *rhost; + uint32_t authtok_type; + int authtok_length; + uint8_t *authtok_data; + uint32_t new_authtok_type; + int new_authtok_length; + uint8_t *new_authtok_data; + int32_t pd_priv; + int32_t pd_cmd; + + if (pd->user == NULL) return false; + service = pd->service ? pd->service : ""; + tty = pd->tty ? pd->tty : ""; + ruser = pd->ruser ? pd->ruser : ""; + rhost = pd->rhost ? 
pd->rhost : ""; + authtok_type = (uint32_t)sss_authtok_get_type(pd->authtok); + authtok_data = sss_authtok_get_data(pd->authtok); + authtok_length = sss_authtok_get_size(pd->authtok); + new_authtok_type = (uint32_t)sss_authtok_get_type(pd->newauthtok); + new_authtok_data = sss_authtok_get_data(pd->newauthtok); + new_authtok_length = sss_authtok_get_size(pd->newauthtok); + pd_priv = pd->priv; + pd_cmd = pd->cmd; + + db_ret = dbus_message_append_args(msg, + DBUS_TYPE_INT32, &pd_cmd, + DBUS_TYPE_STRING, &(pd->user), + DBUS_TYPE_STRING, &(pd->domain), + DBUS_TYPE_STRING, &service, + DBUS_TYPE_STRING, &tty, + DBUS_TYPE_STRING, &ruser, + DBUS_TYPE_STRING, &rhost, + DBUS_TYPE_UINT32, &authtok_type, + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, + &authtok_data, authtok_length, + DBUS_TYPE_UINT32, &new_authtok_type, + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, + &new_authtok_data, new_authtok_length, + DBUS_TYPE_INT32, &pd_priv, + DBUS_TYPE_UINT32, &(pd->cli_pid), + DBUS_TYPE_INVALID); + + return db_ret; +} + +bool dp_unpack_pam_request(DBusMessage *msg, TALLOC_CTX *mem_ctx, + struct pam_data **new_pd, DBusError *dbus_error) +{ + dbus_bool_t db_ret; + int ret; + struct pam_data pd; + uint32_t authtok_type; + int authtok_length; + uint8_t *authtok_data; + uint32_t new_authtok_type; + int new_authtok_length; + uint8_t *new_authtok_data; + int32_t pd_cmd; + int32_t pd_priv; + + memset(&pd, 0, sizeof(pd)); + + db_ret = dbus_message_get_args(msg, dbus_error, + DBUS_TYPE_INT32, &pd_cmd, + DBUS_TYPE_STRING, &(pd.user), + DBUS_TYPE_STRING, &(pd.domain), + DBUS_TYPE_STRING, &(pd.service), + DBUS_TYPE_STRING, &(pd.tty), + DBUS_TYPE_STRING, &(pd.ruser), + DBUS_TYPE_STRING, &(pd.rhost), + DBUS_TYPE_UINT32, &authtok_type, + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, + &authtok_data, &authtok_length, + DBUS_TYPE_UINT32, &new_authtok_type, + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, + &new_authtok_data, &new_authtok_length, + DBUS_TYPE_INT32, &pd_priv, + DBUS_TYPE_UINT32, &(pd.cli_pid), + DBUS_TYPE_INVALID); + + if (!db_ret) { 
+ DEBUG(SSSDBG_CRIT_FAILURE, "dbus_message_get_args failed.\n"); + return false; + } + + pd.cmd = pd_cmd; + pd.priv = pd_priv; + + ret = copy_pam_data(mem_ctx, &pd, new_pd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "copy_pam_data failed.\n"); + return false; + } + + ret = sss_authtok_set((*new_pd)->authtok, authtok_type, + authtok_data, authtok_length); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set auth token: %d [%s]\n", ret, strerror(ret)); + return false; + } + ret = sss_authtok_set((*new_pd)->newauthtok, new_authtok_type, + new_authtok_data, new_authtok_length); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set auth token: %d [%s]\n", ret, strerror(ret)); + return false; + } + + return true; +} + +bool dp_pack_pam_response(DBusMessage *msg, struct pam_data *pd) +{ + dbus_bool_t dbret; + struct response_data *resp; + DBusMessageIter iter; + DBusMessageIter array_iter; + DBusMessageIter struct_iter; + DBusMessageIter data_iter; + uint32_t pam_status; + uint32_t resp_type; + + dbus_message_iter_init_append(msg, &iter); + + /* Append the PAM status */ + pam_status = pd->pam_status; + dbret = dbus_message_iter_append_basic(&iter, + DBUS_TYPE_UINT32, &pam_status); + if (!dbret) { + return false; + } + + /* Append the lockout of account */ + dbret = dbus_message_iter_append_basic(&iter, + DBUS_TYPE_UINT32, + &pd->account_locked); + if (!dbret) { + return false; + } + + /* Create an array of response structures */ + dbret = dbus_message_iter_open_container(&iter, + DBUS_TYPE_ARRAY, "(uay)", + &array_iter); + if (!dbret) { + return false; + } + + resp = pd->resp_list; + while (resp != NULL) { + /* Create a DBUS struct */ + dbret = dbus_message_iter_open_container(&array_iter, + DBUS_TYPE_STRUCT, NULL, + &struct_iter); + if (!dbret) { + return false; + } + + /* Add the response type */ + resp_type = resp->type; + dbret = dbus_message_iter_append_basic(&struct_iter, + DBUS_TYPE_UINT32, + &resp_type); + if (!dbret) { + return false; + } + + /* 
Add the response message */ + dbret = dbus_message_iter_open_container(&struct_iter, + DBUS_TYPE_ARRAY, "y", + &data_iter); + if (!dbret) { + return false; + } + dbret = dbus_message_iter_append_fixed_array(&data_iter, + DBUS_TYPE_BYTE, &(resp->data), resp->len); + if (!dbret) { + return false; + } + dbret = dbus_message_iter_close_container(&struct_iter, &data_iter); + if (!dbret) { + return false; + } + + resp = resp->next; + dbret = dbus_message_iter_close_container(&array_iter, &struct_iter); + if (!dbret) { + return false; + } + } + + /* Close the struct array */ + dbret = dbus_message_iter_close_container(&iter, &array_iter); + if (!dbret) { + return false; + } + + return true; +} + +bool dp_unpack_pam_response(DBusMessage *msg, struct pam_data *pd, DBusError *dbus_error) +{ + DBusMessageIter iter; + DBusMessageIter array_iter; + DBusMessageIter struct_iter; + DBusMessageIter sub_iter; + int type; + int len; + const uint8_t *data; + + if (!dbus_message_iter_init(msg, &iter)) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response has no arguments.\n"); + return false; + } + + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + dbus_message_iter_get_basic(&iter, &(pd->pam_status)); + + if (!dbus_message_iter_next(&iter)) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response has too few arguments.\n"); + return false; + } + + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_UINT32) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + dbus_message_iter_get_basic(&iter, &(pd->account_locked)); + + if (!dbus_message_iter_next(&iter)) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response has too few arguments.\n"); + return false; + } + + /* After this point will be an array of pam data */ + if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + DEBUG(SSSDBG_CRIT_FAILURE, + "Type was 
%c\n", (char)dbus_message_iter_get_arg_type(&iter)); + return false; + } + + if (dbus_message_iter_get_element_type(&iter) != DBUS_TYPE_STRUCT) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + + dbus_message_iter_recurse(&iter, &array_iter); + while (dbus_message_iter_get_arg_type(&array_iter) != DBUS_TYPE_INVALID) { + /* Read in a pam data struct */ + if (dbus_message_iter_get_arg_type(&array_iter) != DBUS_TYPE_STRUCT) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + + dbus_message_iter_recurse(&array_iter, &struct_iter); + + /* PAM data struct contains a type and a byte-array of data */ + + /* Get the pam data type */ + if (dbus_message_iter_get_arg_type(&struct_iter) != DBUS_TYPE_UINT32) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + dbus_message_iter_get_basic(&struct_iter, &type); + + if (!dbus_message_iter_next(&struct_iter)) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + + /* Get the byte array */ + if (dbus_message_iter_get_arg_type(&struct_iter) != DBUS_TYPE_ARRAY || + dbus_message_iter_get_element_type(&struct_iter) != DBUS_TYPE_BYTE) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam response format error.\n"); + return false; + } + + dbus_message_iter_recurse(&struct_iter, &sub_iter); + dbus_message_iter_get_fixed_array(&sub_iter, &data, &len); + + if (pam_add_response(pd, type, len, data) != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + return false; + } + dbus_message_iter_next(&array_iter); + } + + return true; +} diff --git a/src/providers/dp_pam_data_util.c b/src/providers/dp_pam_data_util.c new file mode 100644 index 0000000..bed5db8 --- /dev/null +++ b/src/providers/dp_pam_data_util.c 
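Review bot: dp_pack_pam_request() rejects only a NULL `pd->user`, yet it passes `&(pd->domain)` to dbus_message_append_args() as DBUS_TYPE_STRING without the empty-string fallback that service, tty, ruser and rhost get. libdbus expects a non-NULL string for that type, so unless every caller guarantees a domain the guard should cover it, e.g. `if (pd->user == NULL || pd->domain == NULL) return false;`. On the receiving side, dp_unpack_pam_request() returns false after a failed sss_authtok_set() but leaves `*new_pd` allocated on `mem_ctx` and visible to the caller. Freeing it and setting `*new_pd = NULL` on those two paths would keep a half-built request, which may already hold the first token, from lingering until the parent context goes away.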
@@ -0,0 +1,198 @@ +/* + SSSD + + Utilities to for tha pam_data structure + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "providers/data_provider.h" +#include "util/sss_cli_cmd.h" + +#define PAM_SAFE_ITEM(item) item ? item : "not set" + +int pam_data_destructor(void *ptr) +{ + struct pam_data *pd = talloc_get_type(ptr, struct pam_data); + + /* make sure to wipe any password from memory before freeing */ + sss_authtok_wipe_password(pd->authtok); + sss_authtok_wipe_password(pd->newauthtok); + + return 0; +} + +struct pam_data *create_pam_data(TALLOC_CTX *mem_ctx) +{ + struct pam_data *pd; + + pd = talloc_zero(mem_ctx, struct pam_data); + if (pd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + goto failed; + } + + pd->pam_status = PAM_SYSTEM_ERR; + + pd->authtok = sss_authtok_new(pd); + if (pd->authtok == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + goto failed; + } + + pd->newauthtok = sss_authtok_new(pd); + if (pd->newauthtok == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + goto failed; + } + + talloc_set_destructor((TALLOC_CTX *) pd, pam_data_destructor); + + return pd; + +failed: + talloc_free(pd); + return NULL; +} + +errno_t copy_pam_data(TALLOC_CTX *mem_ctx, struct pam_data *src, + struct pam_data **dst) +{ + struct pam_data *pd = NULL; + errno_t ret; + + pd = 
create_pam_data(mem_ctx); + if (pd == NULL) { + ret = ENOMEM; + goto failed; + } + + pd->cmd = src->cmd; + pd->priv = src->priv; + + pd->domain = talloc_strdup(pd, src->domain); + if (pd->domain == NULL && src->domain != NULL) { + ret = ENOMEM; + goto failed; + } + pd->user = talloc_strdup(pd, src->user); + if (pd->user == NULL && src->user != NULL) { + ret = ENOMEM; + goto failed; + } + pd->service = talloc_strdup(pd, src->service); + if (pd->service == NULL && src->service != NULL) { + ret = ENOMEM; + goto failed; + } + pd->tty = talloc_strdup(pd, src->tty); + if (pd->tty == NULL && src->tty != NULL) { + ret = ENOMEM; + goto failed; + } + pd->ruser = talloc_strdup(pd, src->ruser); + if (pd->ruser == NULL && src->ruser != NULL) { + ret = ENOMEM; + goto failed; + } + pd->rhost = talloc_strdup(pd, src->rhost); + if (pd->rhost == NULL && src->rhost != NULL) { + ret = ENOMEM; + goto failed; + } + + pd->cli_pid = src->cli_pid; + + /* if structure pam_data was allocated on stack and zero initialized, + * than src->authtok and src->newauthtok are NULL, therefore + * instead of copying, new empty authtok will be created. 
+ */ + if (src->authtok) { + ret = sss_authtok_copy(src->authtok, pd->authtok); + if (ret) { + goto failed; + } + } else { + pd->authtok = sss_authtok_new(pd); + if (pd->authtok == NULL) { + ret = ENOMEM; + goto failed; + } + } + + if (src->newauthtok) { + ret = sss_authtok_copy(src->newauthtok, pd->newauthtok); + if (ret) { + goto failed; + } + } else { + pd->newauthtok = sss_authtok_new(pd); + if (pd->newauthtok == NULL) { + ret = ENOMEM; + goto failed; + } + } + + *dst = pd; + + return EOK; + +failed: + talloc_free(pd); + DEBUG(SSSDBG_CRIT_FAILURE, + "copy_pam_data failed: (%d) %s.\n", ret, strerror(ret)); + return ret; +} + +void pam_print_data(int l, struct pam_data *pd) +{ + DEBUG(l, "command: %s\n", sss_cmd2str(pd->cmd)); + DEBUG(l, "domain: %s\n", PAM_SAFE_ITEM(pd->domain)); + DEBUG(l, "user: %s\n", PAM_SAFE_ITEM(pd->user)); + DEBUG(l, "service: %s\n", PAM_SAFE_ITEM(pd->service)); + DEBUG(l, "tty: %s\n", PAM_SAFE_ITEM(pd->tty)); + DEBUG(l, "ruser: %s\n", PAM_SAFE_ITEM(pd->ruser)); + DEBUG(l, "rhost: %s\n", PAM_SAFE_ITEM(pd->rhost)); + DEBUG(l, "authtok type: %d\n", sss_authtok_get_type(pd->authtok)); + DEBUG(l, "newauthtok type: %d\n", sss_authtok_get_type(pd->newauthtok)); + DEBUG(l, "priv: %d\n", pd->priv); + DEBUG(l, "cli_pid: %d\n", pd->cli_pid); + DEBUG(l, "logon name: %s\n", PAM_SAFE_ITEM(pd->logon_name)); +} + +int pam_add_response(struct pam_data *pd, enum response_type type, + int len, const uint8_t *data) +{ + struct response_data *new; + + new = talloc(pd, struct response_data); + if (new == NULL) return ENOMEM; + + new->type = type; + new->len = len; + new->data = talloc_memdup(pd, data, len); + if (new->data == NULL) return ENOMEM; + new->do_not_send_to_client = false; + new->next = pd->resp_list; + pd->resp_list = new; + + return EOK; +} diff --git a/src/providers/fail_over.c b/src/providers/fail_over.c new file mode 100644 index 0000000..168e59d --- /dev/null +++ b/src/providers/fail_over.c 
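Review bot: In pam_add_response(), when `talloc_memdup(pd, data, len)` fails the function returns ENOMEM without releasing `new`, so the partly initialised response_data stays parented to `pd` until the whole pam_data is freed. Releasing it on that path keeps the failure clean: `if (new->data == NULL) { talloc_free(new); return ENOMEM; }`. `len` is a signed int that dp_unpack_pam_response() passes on from the D-Bus byte array, and it is converted to a size for the copy without any range check. An explicit `if (len < 0) return EINVAL;` before the allocation would make that conversion safe by construction rather than by relying on the allocation failing.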
@@ -0,0 +1,1752 @@
+/*
+ SSSD
+
+ Fail over helper functions.
+
+ Authors:
+ Martin Nagy
+ Jakub Hrozek
+
+ Copyright (C) Red Hat, Inc 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include
+#include
+#include
+#include
+
+#include "util/dlinklist.h"
+#include "util/refcount.h"
+#include "util/util.h"
+#include "providers/fail_over.h"
+#include "resolv/async_resolv.h"
+
+#define STATUS_DIFF(p, now) ((now).tv_sec - (p)->last_status_change.tv_sec)
+#define SERVER_NAME(s) ((s)->common ? (s)->common->name : "(no name)")
+
+#define DEFAULT_PORT_STATUS PORT_NEUTRAL
+#define DEFAULT_SERVER_STATUS SERVER_NAME_NOT_RESOLVED
+#define DEFAULT_SRV_STATUS SRV_NEUTRAL
+
+enum srv_lookup_status {
+ SRV_NEUTRAL, /* We didn't try this SRV lookup yet */
+ SRV_RESOLVED, /* This SRV lookup is resolved */
+ SRV_RESOLVE_ERROR, /* Could not resolve this SRV lookup */
+ SRV_EXPIRED /* Need to refresh the SRV query */
+};
+
+struct fo_ctx {
+ struct fo_service *service_list;
+ struct server_common *server_common_list;
+
+ struct fo_options *opts;
+
+ fo_srv_lookup_plugin_send_t srv_send_fn;
+ fo_srv_lookup_plugin_recv_t srv_recv_fn;
+ void *srv_pvt;
+};
+
+struct fo_service {
+ struct fo_service *prev;
+ struct fo_service *next;
+
+ struct fo_ctx *ctx;
+ char *name;
+ struct fo_server *active_server;
+ struct fo_server *last_tried_server;
+ struct fo_server *server_list;
+
+ /* Function pointed by user_data_cmp returns 0 if user_data is equal
+ * or nonzero value if not. Set to NULL if no user data comparison
+ * is needed in fail over duplicate servers detection.
+ */
+ datacmp_fn user_data_cmp;
+};
+
+struct fo_server {
+ REFCOUNT_COMMON;
+
+ struct fo_server *prev;
+ struct fo_server *next;
+
+ bool primary;
+ void *user_data;
+ int port;
+ enum port_status port_status;
+ struct srv_data *srv_data;
+ struct fo_service *service;
+ struct timeval last_status_change;
+ struct server_common *common;
+
+ TALLOC_CTX *fo_internal_owner;
+};
+
+struct server_common {
+ REFCOUNT_COMMON;
+
+ struct fo_ctx *ctx;
+
+ struct server_common *prev;
+ struct server_common *next;
+
+ char *name;
+ struct resolv_hostent *rhostent;
+ struct resolve_service_request *request_list;
+ enum server_status server_status;
+ struct timeval last_status_change;
+};
+
+struct srv_data {
+ char *dns_domain;
+ char *discovery_domain;
+ char *sssd_domain;
+ char *proto;
+ char *srv;
+
+ struct fo_server *meta;
+
+ int srv_lookup_status;
+ int ttl;
+ struct timeval last_status_change;
+};
+
+struct resolve_service_request {
+ struct resolve_service_request *prev;
+ struct resolve_service_request *next;
+
+ struct server_common *server_common;
+ struct tevent_req *req;
+ struct tevent_context *ev;
+};
+
+struct status {
+ int value;
+ struct timeval last_change;
+};
+
+struct fo_ctx *
+fo_context_init(TALLOC_CTX *mem_ctx, struct fo_options *opts)
+{
+ struct fo_ctx *ctx;
+
+ ctx = talloc_zero(mem_ctx, struct fo_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No memory\n");
+ return NULL;
+ }
+ ctx->opts = talloc_zero(ctx, struct fo_options);
+ if (ctx->opts == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No memory\n");
+ return NULL;
+ }
+
+ ctx->opts->srv_retry_neg_timeout = opts->srv_retry_neg_timeout;
+ ctx->opts->retry_timeout = opts->retry_timeout;
+ ctx->opts->family_order = opts->family_order;
+ ctx->opts->service_resolv_timeout = opts->service_resolv_timeout;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Created new fail over context, retry timeout is %ld\n",
+ ctx->opts->retry_timeout);
+ return ctx;
+}
+
+static const char *
+str_port_status(enum port_status status)
+{
+ switch (status) {
+ case PORT_NEUTRAL:
+ return "neutral";
+ case PORT_WORKING:
+ return "working";
+ case PORT_NOT_WORKING:
+ return "not working";
+ }
+
+ return "unknown port status";
+}
+
+static const char *
+str_srv_data_status(enum srv_lookup_status status)
+{
+ switch (status) {
+ case SRV_NEUTRAL:
+ return "neutral";
+ case SRV_RESOLVED:
+ return "resolved";
+ case SRV_RESOLVE_ERROR:
+ return "not resolved";
+ case SRV_EXPIRED:
+ return "expired";
+ }
+
+ return "unknown SRV lookup status";
+}
+
+static const char *
+str_server_status(enum server_status status)
+{
+ switch (status) {
+ case SERVER_NAME_NOT_RESOLVED:
+ return "name not resolved";
+ case SERVER_RESOLVING_NAME:
+ return "resolving name";
+ case SERVER_NAME_RESOLVED:
+ return "name resolved";
+ case SERVER_WORKING:
+ return "working";
+ case SERVER_NOT_WORKING:
+ return "not working";
+ }
+
+ return "unknown server status";
+}
+
+int fo_is_srv_lookup(struct fo_server *s)
+{
+ return s && s->srv_data;
+}
+
+static void fo_server_free(struct fo_server *server)
+{
+ if (server == NULL) {
+ return;
+ }
+
+ talloc_free(server->fo_internal_owner);
+}
+
+static struct fo_server *
+collapse_srv_lookup(struct fo_server **_server)
+{
+ struct fo_server *tmp, *meta, *server;
+
+ server = *_server;
+ meta = server->srv_data->meta;
+ DEBUG(SSSDBG_CONF_SETTINGS, "Need to refresh SRV lookup for domain %s\n",
+ meta->srv_data->dns_domain);
+
+ if (server != meta) {
+ while (server->prev && server->prev->srv_data == meta->srv_data) {
+ tmp = server->prev;
+ DLIST_REMOVE(server->service->server_list, tmp);
+ fo_server_free(tmp);
+ }
+ while (server->next && server->next->srv_data == meta->srv_data) {
+ tmp = server->next;
+ DLIST_REMOVE(server->service->server_list, tmp);
+ fo_server_free(tmp);
+ }
+
+ if (server == server->service->active_server) {
+ server->service->active_server = NULL;
+ }
+ if (server == server->service->last_tried_server) {
+ server->service->last_tried_server = meta;
+ }
+
+ /* add back the meta server to denote SRV lookup */
+ DLIST_ADD_AFTER(server->service->server_list, meta, server);
+ DLIST_REMOVE(server->service->server_list, server);
+ fo_server_free(server);
+ }
+
+ meta->srv_data->srv_lookup_status = SRV_NEUTRAL;
+ meta->srv_data->last_status_change.tv_sec = 0;
+
+ *_server = NULL;
+
+ return meta;
+}
+
+static enum srv_lookup_status
+get_srv_data_status(struct srv_data *data)
+{
+ struct timeval tv;
+ time_t timeout;
+
+ gettimeofday(&tv, NULL);
+
+ /* Determine timeout value based on state of previous lookup. */
+ if (data->srv_lookup_status == SRV_RESOLVE_ERROR) {
+ timeout = data->meta->service->ctx->opts->srv_retry_neg_timeout;
+ } else {
+ timeout = data->ttl;
+ }
+
+ if (STATUS_DIFF(data, tv) > timeout) {
+ switch(data->srv_lookup_status) {
+ case SRV_EXPIRED:
+ case SRV_NEUTRAL:
+ break;
+ case SRV_RESOLVED:
+ data->srv_lookup_status = SRV_EXPIRED;
+ data->last_status_change.tv_sec = 0;
+ break;
+ case SRV_RESOLVE_ERROR:
+ data->srv_lookup_status = SRV_NEUTRAL;
+ data->last_status_change.tv_sec = 0;
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Changing state of SRV lookup from 'SRV_RESOLVE_ERROR' to "
+ "'SRV_NEUTRAL'.\n");
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown state for SRV server!\n");
+ }
+ }
+
+ return data->srv_lookup_status;
+}
+
+static void
+set_srv_data_status(struct srv_data *data, enum srv_lookup_status status)
+{
+ DEBUG(SSSDBG_CONF_SETTINGS, "Marking SRV lookup of service '%s' as '%s'\n",
+ data->meta->service->name, str_srv_data_status(status));
+
+ gettimeofday(&data->last_status_change, NULL);
+ data->srv_lookup_status = status;
+}
+
+/*
+ * This function will return the status of the server. If the status was
+ * last updated a long time ago, we will first reset the status.
+ */
+static enum server_status
+get_server_status(struct fo_server *server)
+{
+ struct timeval tv;
+ time_t timeout;
+
+ if (server->common == NULL)
+ return SERVER_NAME_RESOLVED;
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Status of server '%s' is '%s'\n", SERVER_NAME(server),
+ str_server_status(server->common->server_status));
+
+ timeout = server->service->ctx->opts->retry_timeout;
+ gettimeofday(&tv, NULL);
+ if (timeout != 0 && server->common->server_status == SERVER_NOT_WORKING) {
+ if (STATUS_DIFF(server->common, tv) > timeout) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Reseting the server status of '%s'\n",
+ SERVER_NAME(server));
+ server->common->server_status = SERVER_NAME_NOT_RESOLVED;
+ server->common->last_status_change.tv_sec = tv.tv_sec;
+ }
+ }
+
+ if (server->common->rhostent && STATUS_DIFF(server->common, tv) >
+ server->common->rhostent->addr_list[0]->ttl) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Hostname resolution expired, resetting the server "
+ "status of '%s'\n", SERVER_NAME(server));
+ fo_set_server_status(server, SERVER_NAME_NOT_RESOLVED);
+ }
+
+ return server->common->server_status;
+}
+
+/*
+ * This function will return the status of the service. If the status was
+ * last updated a long time ago, we will first reset the status.
+ */
+static enum port_status
+get_port_status(struct fo_server *server)
+{
+ struct timeval tv;
+ time_t timeout;
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Port status of port %d for server '%s' is '%s'\n", server->port,
+ SERVER_NAME(server), str_port_status(server->port_status));
+
+ if (server->port_status == PORT_NOT_WORKING) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "SSSD is unable to complete the full "
+ "connection request, this internal status does not necessarily "
+ "indicate network port issues.\n");
+ }
+
+ timeout = server->service->ctx->opts->retry_timeout;
+ if (timeout != 0 && server->port_status == PORT_NOT_WORKING) {
+ gettimeofday(&tv, NULL);
+ if (STATUS_DIFF(server, tv) > timeout) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Resetting the status of port %d for server '%s'\n",
+ server->port, SERVER_NAME(server));
+ server->port_status = PORT_NEUTRAL;
+ server->last_status_change.tv_sec = tv.tv_sec;
+ }
+ }
+
+ return server->port_status;
+}
+
+static int
+server_works(struct fo_server *server)
+{
+ if (get_server_status(server) == SERVER_NOT_WORKING)
+ return 0;
+
+ return 1;
+}
+
+static int
+service_works(struct fo_server *server)
+{
+ if (!server_works(server))
+ return 0;
+ if (get_port_status(server) == PORT_NOT_WORKING)
+ return 0;
+
+ return 1;
+}
+
+static int
+service_destructor(struct fo_service *service)
+{
+ DLIST_REMOVE(service->ctx->service_list, service);
+ return 0;
+}
+
+int
+fo_new_service(struct fo_ctx *ctx, const char *name,
+ datacmp_fn user_data_cmp,
+ struct fo_service **_service)
+{
+ struct fo_service *service;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Creating new service '%s'\n", name);
+ ret = fo_get_service(ctx, name, &service);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_FUNC_DATA, "Service '%s' already exists\n", name);
+ if (_service) {
+ *_service = service;
+ }
+ return EEXIST;
+ } else if (ret != ENOENT) {
+ return ret;
+ }
+
+ service = talloc_zero(ctx, struct fo_service);
+ if (service == NULL)
+ return ENOMEM;
+
+ service->name = talloc_strdup(service, name);
+ if (service->name == NULL) {
+ talloc_free(service);
+ return ENOMEM;
+ }
+
+ service->user_data_cmp = user_data_cmp;
+
+ service->ctx = ctx;
+ DLIST_ADD(ctx->service_list, service);
+
+ talloc_set_destructor(service, service_destructor);
+ if (_service) {
+ *_service = service;
+ }
+
+ return EOK;
+}
+
+int
+fo_get_service(struct fo_ctx *ctx, const char *name,
+ struct fo_service **_service)
+{
+ struct fo_service *service;
+
+ DLIST_FOR_EACH(service, ctx->service_list) {
+ if (!strcmp(name, service->name)) {
+ *_service = service;
+ return EOK;
+ }
+ }
+
+ return ENOENT;
+}
+
+static int
+get_server_common(TALLOC_CTX *mem_ctx, struct fo_ctx *ctx, const char *name,
+ struct server_common **_common)
+{
+ struct server_common *common;
+
+ DLIST_FOR_EACH(common, ctx->server_common_list) {
+ if (!strcasecmp(name, common->name)) {
+ *_common = rc_reference(mem_ctx, struct server_common, common);
+ if (*_common == NULL)
+ return ENOMEM;
+ return EOK;
+ }
+ }
+
+ return ENOENT;
+}
+
+static int server_common_destructor(void *memptr)
+{
+ struct server_common *common;
+
+ common = talloc_get_type(memptr, struct server_common);
+ if (common->request_list) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "BUG: pending requests still associated with this server\n");
+ return -1;
+ }
+ DLIST_REMOVE(common->ctx->server_common_list, common);
+
+ return 0;
+}
+
+static struct server_common *
+create_server_common(TALLOC_CTX *mem_ctx, struct fo_ctx *ctx, const char *name)
+{
+ struct server_common *common;
+
+ common = rc_alloc(mem_ctx, struct server_common);
+ if (common == NULL) {
+ return NULL;
+ }
+
+ common->name = talloc_strdup(common, name);
+ if (common->name == NULL) {
+ return NULL;
+ }
+
+ common->ctx = ctx;
+ common->prev = NULL;
+ common->next = NULL;
+ common->rhostent = NULL;
+ common->request_list = NULL;
+ common->server_status = DEFAULT_SERVER_STATUS;
+ common->last_status_change.tv_sec = 0;
+ common->last_status_change.tv_usec = 0;
+
+ talloc_set_destructor((TALLOC_CTX *) common, server_common_destructor);
+ DLIST_ADD_END(ctx->server_common_list, common, struct server_common *);
+ return common;
+}
+
+static struct fo_server *
+fo_server_alloc(struct fo_service *service, int port,
+ void *user_data, bool primary)
+{
+ static struct fo_server *server;
+ TALLOC_CTX *server_owner;
+
+ server_owner = talloc_new(service);
+ if (server_owner == NULL) {
+ return NULL;
+ }
+
+ server = rc_alloc(server_owner, struct fo_server);
+ if (server == NULL) {
+ return NULL;
+ }
+
+ server->fo_internal_owner = server_owner;
+
+ server->common = NULL;
+ server->next = NULL;
+ server->prev = NULL;
+ server->srv_data = NULL;
+ server->last_status_change.tv_sec = 0;
+ server->last_status_change.tv_usec = 0;
+
+ server->port = port;
+ server->user_data = user_data;
+ server->service = service;
+ server->port_status = DEFAULT_PORT_STATUS;
+ server->primary = primary;
+
+ return server;
+}
+
+int
+fo_add_srv_server(struct fo_service *service, const char *srv,
+ const char *discovery_domain, const char *sssd_domain,
+ const char *proto, void *user_data)
+{
+ struct fo_server *server;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Adding new SRV server to service '%s' using '%s'.\n",
+ service->name, proto);
+
+ DLIST_FOR_EACH(server, service->server_list) {
+ /* Compare user data only if user_data_cmp and both arguments
+ * are not NULL.
+ */
+ if (server->service->user_data_cmp && user_data && server->user_data) {
+ if (server->service->user_data_cmp(server->user_data, user_data)) {
+ continue;
+ }
+ }
+
+ if (fo_is_srv_lookup(server)) {
+ if (((discovery_domain == NULL &&
+ server->srv_data->dns_domain == NULL) ||
+ (discovery_domain != NULL &&
+ server->srv_data->dns_domain != NULL &&
+ strcasecmp(server->srv_data->dns_domain, discovery_domain) == 0)) &&
+ strcasecmp(server->srv_data->proto, proto) == 0) {
+ return EEXIST;
+ }
+ }
+ }
+
+ /* SRV servers are always primary */
+ server = fo_server_alloc(service, 0, user_data, true);
+ if (server == NULL) {
+ return ENOMEM;
+ }
+
+ /* add the SRV-specific data */
+ server->srv_data = talloc_zero(service, struct srv_data);
+ if (server->srv_data == NULL)
+ return ENOMEM;
+
+ server->srv_data->proto = talloc_strdup(server->srv_data, proto);
+ server->srv_data->srv = talloc_strdup(server->srv_data, srv);
+ if (server->srv_data->proto == NULL ||
+ server->srv_data->srv == NULL)
+ return ENOMEM;
+
+ if (discovery_domain) {
+ server->srv_data->discovery_domain = talloc_strdup(server->srv_data,
+ discovery_domain);
+ if (server->srv_data->discovery_domain == NULL)
+ return ENOMEM;
+ server->srv_data->dns_domain = talloc_strdup(server->srv_data,
+ discovery_domain);
+ if (server->srv_data->dns_domain == NULL)
+ return ENOMEM;
+ }
+
+ server->srv_data->sssd_domain =
+ talloc_strdup(server->srv_data, sssd_domain);
+ if (server->srv_data->sssd_domain == NULL)
+ return ENOMEM;
+
+ server->srv_data->meta = server;
+ server->srv_data->srv_lookup_status = DEFAULT_SRV_STATUS;
+ server->srv_data->last_status_change.tv_sec = 0;
+
+ DLIST_ADD_END(service->server_list, server, struct fo_server *);
+ return EOK;
+}
+
+static struct fo_server *
+create_fo_server(struct fo_service *service, const char *name,
+ int port, void *user_data, bool primary)
+{
+ struct fo_server *server;
+ int ret;
+
+ server = fo_server_alloc(service, port, user_data, primary);
+ if (server == NULL)
+ return NULL;
+
+ server->port = port;
+ server->user_data = user_data;
+ server->service = service;
+ server->port_status = DEFAULT_PORT_STATUS;
+ server->primary = primary;
+
+ if (name != NULL) {
+ ret = get_server_common(server, service->ctx, name, &server->common);
+ if (ret == ENOENT) {
+ server->common = create_server_common(server, service->ctx, name);
+ if (server->common == NULL) {
+ fo_server_free(server);
+ return NULL;
+ }
+ } else if (ret != EOK) {
+ fo_server_free(server);
+ return NULL;
+ }
+ }
+
+ return server;
+}
+
+int
+fo_get_server_count(struct fo_service *service)
+{
+ struct fo_server *server;
+ int count = 0;
+
+ DLIST_FOR_EACH(server, service->server_list) {
+ count++;
+ }
+
+ return count;
+}
+
+static bool fo_server_match(struct fo_server *server,
+ const char *name,
+ int port,
+ void *user_data)
+{
+ if (server->port != port) {
+ return false;
+ }
+
+ /* Compare user data only if user_data_cmp and both arguments
+ * are not NULL.
+ */
+ if (server->service->user_data_cmp && server->user_data && user_data) {
+ if (server->service->user_data_cmp(server->user_data, user_data)) {
+ return false;
+ }
+ }
+
+ if (name == NULL && server->common == NULL) {
+ return true;
+ }
+
+ if (name != NULL &&
+ server->common != NULL && server->common->name != NULL) {
+ if (!strcasecmp(name, server->common->name))
+ return true;
+ }
+
+ return false;
+}
+
+static bool fo_server_cmp(struct fo_server *s1, struct fo_server *s2)
+{
+ char *name = NULL;
+
+ if (s2->common != NULL) {
+ name = s2->common->name;
+ }
+
+ return fo_server_match(s1, name, s2->port, s2->user_data);
+}
+
+static bool fo_server_exists(struct fo_server *list,
+ const char *name,
+ int port,
+ void *user_data)
+{
+ struct fo_server *server = NULL;
+
+ DLIST_FOR_EACH(server, list) {
+ if (fo_server_match(server, name, port, user_data)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static errno_t fo_add_server_to_list(struct fo_server **to_list,
+ struct fo_server *check_list,
+ struct fo_server *server,
+ const char *service_name)
+{
+ const char *debug_name = NULL;
+ const char *name = NULL;
+ bool exists;
+
+ if (server->common == NULL || server->common->name == NULL) {
+ debug_name = "(no name)";
+ name = NULL;
+ } else {
+ debug_name = server->common->name;
+ name = server->common->name;
+ }
+
+ exists = fo_server_exists(check_list, name, server->port,
+ server->user_data);
+
+ if (exists) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Server '%s:%d' for service '%s' "
+ "is already present\n", debug_name, server->port, service_name);
+ return EEXIST;
+ }
+
+ DLIST_ADD_END(*to_list, server, struct fo_server *);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Inserted %s server '%s:%d' to service "
+ "'%s'\n", (server->primary ? "primary" : "backup"),
+ debug_name, server->port, service_name);
+
+ return EOK;
+}
+
+static errno_t fo_add_server_list(struct fo_service *service,
+ struct fo_server *after_server,
+ struct fo_server_info *servers,
+ size_t num_servers,
+ struct srv_data *srv_data,
+ void *user_data,
+ bool primary,
+ struct fo_server **_last_server)
+{
+ struct fo_server *server = NULL;
+ struct fo_server *last_server = NULL;
+ struct fo_server *srv_list = NULL;
+ size_t i;
+ errno_t ret;
+
+ for (i = 0; i < num_servers; i++) {
+ server = create_fo_server(service, servers[i].host, servers[i].port,
+ user_data, primary);
+ if (server == NULL) {
+ return ENOMEM;
+ }
+
+ server->srv_data = srv_data;
+
+ ret = fo_add_server_to_list(&srv_list, service->server_list,
+ server, service->name);
+ if (ret != EOK) {
+ fo_server_free(server);
+ continue;
+ }
+
+ last_server = server;
+ }
+
+ if (srv_list != NULL) {
+ DLIST_ADD_LIST_AFTER(service->server_list, after_server,
+ srv_list, struct fo_server *);
+ }
+
+ if (_last_server != NULL) {
+ *_last_server = last_server == NULL ? after_server : last_server;
+ }
+
+ return EOK;
+}
+
+int
+fo_add_server(struct fo_service *service, const char *name, int port,
+ void *user_data, bool primary)
+{
+ struct fo_server *server;
+ errno_t ret;
+
+ server = create_fo_server(service, name, port, user_data, primary);
+ if (!server) {
+ return ENOMEM;
+ }
+
+ ret = fo_add_server_to_list(&service->server_list, service->server_list,
+ server, service->name);
+ if (ret != EOK) {
+ fo_server_free(server);
+ }
+
+ return ret;
+}
+
+void fo_ref_server(TALLOC_CTX *ref_ctx,
+ struct fo_server *server)
+{
+ if (server) {
+ server = rc_reference(ref_ctx, struct fo_server, server);
+ }
+}
+
+static int
+get_first_server_entity(struct fo_service *service, struct fo_server **_server)
+{
+ struct fo_server *server;
+
+ /* If we already have a working server, use that one. */
+ server = service->active_server;
+ if (server != NULL) {
+ if (service_works(server) && fo_is_server_primary(server)) {
+ goto done;
+ }
+ service->active_server = NULL;
+ }
+
+ /*
+ * Otherwise iterate through the server list.
+ */
+
+ /* First, try primary servers after the last one we tried.
+ * (only if the last one was primary as well)
+ */
+ if (service->last_tried_server != NULL &&
+ service->last_tried_server->primary) {
+ if (service->last_tried_server->port_status == PORT_NEUTRAL &&
+ server_works(service->last_tried_server)) {
+ server = service->last_tried_server;
+ goto done;
+ }
+
+ DLIST_FOR_EACH(server, service->last_tried_server->next) {
+ /* Go only through primary servers */
+ if (!server->primary) continue;
+
+ if (service_works(server)) {
+ goto done;
+ }
+ }
+ }
+
+ /* If none were found, try at the start, primary first */
+ DLIST_FOR_EACH(server, service->server_list) {
+ /* First iterate only over primary servers */
+ if (!server->primary) continue;
+
+ if (service_works(server)) {
+ goto done;
+ }
+ if (server == service->last_tried_server) {
+ break;
+ }
+ }
+
+ DLIST_FOR_EACH(server, service->server_list) {
+ /* Now iterate only over backup servers */
+ if (server->primary) continue;
+
+ if (service_works(server)) {
+ goto done;
+ }
+ }
+
+ service->last_tried_server = NULL;
+ return ENOENT;
+
+done:
+ service->last_tried_server = server;
+ *_server = server;
+ return EOK;
+}
+
+static int
+resolve_service_request_destructor(struct resolve_service_request *request)
+{
+ DLIST_REMOVE(request->server_common->request_list, request);
+ return 0;
+}
+
+static int
+set_lookup_hook(struct tevent_context *ev,
+ struct fo_server *server,
+ struct tevent_req *req)
+{
+ struct resolve_service_request *request;
+
+ request = talloc(req, struct resolve_service_request);
+ if (request == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No memory\n");
+ talloc_free(request);
+ return ENOMEM;
+ }
+ request->server_common = rc_reference(request, struct server_common,
+ server->common);
+ if (request->server_common == NULL) {
+ talloc_free(request);
+ return ENOMEM;
+ }
+ request->ev = ev;
+ request->req = req;
+ DLIST_ADD(server->common->request_list, request);
+ talloc_set_destructor(request, resolve_service_request_destructor);
+
+ return EOK;
+}
+
+
+
+/*******************************************************************
+ * Get server to connect to. *
+ *******************************************************************/
+
+struct resolve_service_state {
+ struct fo_server *server;
+
+ struct resolv_ctx *resolv;
+ struct tevent_context *ev;
+ struct tevent_timer *timeout_handler;
+ struct fo_ctx *fo_ctx;
+};
+
+static errno_t fo_resolve_service_activate_timeout(struct tevent_req *req,
+ struct tevent_context *ev, const unsigned long timeout_seconds);
+static void fo_resolve_service_cont(struct tevent_req *subreq);
+static void fo_resolve_service_done(struct tevent_req *subreq);
+static bool fo_resolve_service_server(struct tevent_req *req);
+
+/* Forward declarations for SRV resolving */
+static struct tevent_req *
+resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct resolv_ctx *resolv, struct fo_ctx *ctx,
+ struct fo_server *server);
+static int
+resolve_srv_recv(struct tevent_req *req, struct fo_server **server);
+
+struct tevent_req *
+fo_resolve_service_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct resolv_ctx *resolv, struct fo_ctx *ctx,
+ struct fo_service *service)
+{
+ int ret;
+ struct fo_server *server;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct resolve_service_state *state;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Trying to resolve service '%s'\n", service->name);
+ req = tevent_req_create(mem_ctx, &state, struct resolve_service_state);
+ if (req == NULL)
+ return NULL;
+
+ state->resolv = resolv;
+ state->ev = ev;
+ state->fo_ctx = ctx;
+
+ ret = get_first_server_entity(service, &server);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No available servers for service '%s'\n", service->name);
+ goto done;
+ }
+
+ /* Activate per-service timeout handler */
+ ret = fo_resolve_service_activate_timeout(req, ev,
+ ctx->opts->service_resolv_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set service timeout\n");
+ goto done;
+ }
+
+ if (fo_is_srv_lookup(server)) {
+ /* Don't know the server yet, must do a SRV lookup */
+ subreq = resolve_srv_send(state, ev, resolv,
+ ctx, server);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq,
+ fo_resolve_service_cont,
+ req);
+ return req;
+ }
+
+ /* This is a regular server, just do hostname lookup */
+ state->server = server;
+ if (fo_resolve_service_server(req)) {
+ tevent_req_post(req, ev);
+ }
+
+ ret = EOK;
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static void set_server_common_status(struct server_common *common,
+ enum server_status status);
+
+static void
+fo_resolve_service_timeout(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval tv, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+
+ DEBUG(SSSDBG_MINOR_FAILURE, "Service resolving timeout reached\n");
+ tevent_req_error(req, ETIMEDOUT);
+}
+
+static errno_t
+fo_resolve_service_activate_timeout(struct tevent_req *req,
+ struct tevent_context *ev,
+ const unsigned long timeout_seconds)
+{
+ struct timeval tv;
+ struct resolve_service_state *state = tevent_req_data(req,
+ struct resolve_service_state);
+
+ tv = tevent_timeval_current();
+ tv = tevent_timeval_add(&tv, timeout_seconds, 0);
+ state->timeout_handler = tevent_add_timer(ev, state, tv,
+ fo_resolve_service_timeout, req);
+ if (state->timeout_handler == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n");
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Resolve timeout set to %lu seconds\n",
+ timeout_seconds);
+ return EOK;
+}
+
+/* SRV resolving finished, see if we got server to work with */
+static void
+fo_resolve_service_cont(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct resolve_service_state *state = tevent_req_data(req,
+ struct resolve_service_state);
+ int ret;
+
+ ret = resolve_srv_recv(subreq, &state->server);
+ talloc_zfree(subreq);
+
+ /* We will proceed normally on ERR_SRV_DUPLICATES and if the server
+ * is already being resolved, we hook to that request. */
+ if (ret != EOK && ret != ERR_SRV_DUPLICATES) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ fo_resolve_service_server(req);
+}
+
+static bool
+fo_resolve_service_server(struct tevent_req *req)
+{
+ struct resolve_service_state *state = tevent_req_data(req,
+ struct resolve_service_state);
+ struct tevent_req *subreq;
+ int ret;
+
+ switch (get_server_status(state->server)) {
+ case SERVER_NAME_NOT_RESOLVED: /* Request name resolution. */
+ subreq = resolv_gethostbyname_send(state->server->common,
+ state->ev, state->resolv,
+ state->server->common->name,
+ state->fo_ctx->opts->family_order,
+ default_host_dbs);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return true;
+ }
+ tevent_req_set_callback(subreq, fo_resolve_service_done,
+ state->server->common);
+ fo_set_server_status(state->server, SERVER_RESOLVING_NAME);
+ /* FALLTHROUGH */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ case SERVER_RESOLVING_NAME:
+ /* Name resolution is already under way. Just add ourselves into the
+ * waiting queue so we get notified after the operation is finished. */
+ ret = set_lookup_hook(state->ev, state->server, req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return true;
+ }
+ break;
+ default: /* The name is already resolved. Return immediately. */
+ tevent_req_done(req);
+ return true;
+ }
+
+ return false;
+}
+
+static void
+fo_resolve_service_done(struct tevent_req *subreq)
+{
+ struct server_common *common = tevent_req_callback_data(subreq,
+ struct server_common);
+ int resolv_status;
+ struct resolve_service_request *request;
+ int ret;
+
+ if (common->rhostent != NULL) {
+ talloc_zfree(common->rhostent);
+ }
+
+ ret = resolv_gethostbyname_recv(subreq, common,
+ &resolv_status, NULL,
+ &common->rhostent);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to resolve server '%s': %s\n",
+ common->name,
+ resolv_strerror(resolv_status));
+ /* If the resolver failed to resolve a hostname but did not
+ * encounter an error, tell the caller to retry another server.
+ *
+ * If there are no more servers to try, the next request would
+ * just shortcut with ENOENT.
+ */
+ if (ret == ENOENT) {
+ ret = EAGAIN;
+ }
+ set_server_common_status(common, SERVER_NOT_WORKING);
+ } else {
+ set_server_common_status(common, SERVER_NAME_RESOLVED);
+ }
+
+ /* Take care of all requests for this server. */
+ while ((request = common->request_list) != NULL) {
+ DLIST_REMOVE(common->request_list, request);
+
+ /* If the request callback decresed refcount on the returned
+ * server, we would have crashed as common would not be valid
+ * anymore. Rather schedule the notify for next tev iteration
+ */
+ tevent_req_defer_callback(request->req, request->ev);
+
+ if (ret) {
+ tevent_req_error(request->req, ret);
+ } else {
+ tevent_req_done(request->req);
+ }
+ }
+}
+
+int
+fo_resolve_service_recv(struct tevent_req *req,
+ TALLOC_CTX *ref_ctx,
+ struct fo_server **server)
+{
+ struct resolve_service_state *state;
+
+ state = tevent_req_data(req, struct resolve_service_state);
+
+ /* always return the server if asked for, otherwise the caller
+ * cannot mark it as faulty in case we return an error */
+ if (server != NULL) {
+ fo_ref_server(ref_ctx, state->server);
+ *server = state->server;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/*******************************************************************
+ * Resolve the server to connect to using a SRV query. *
+ *******************************************************************/
+
+static void resolve_srv_done(struct tevent_req *subreq);
+
+struct resolve_srv_state {
+ struct fo_server *meta;
+ struct fo_service *service;
+
+ struct fo_server *out;
+
+ struct resolv_ctx *resolv;
+ struct tevent_context *ev;
+ struct fo_ctx *fo_ctx;
+};
+
+static struct tevent_req *
+resolve_srv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct resolv_ctx *resolv, struct fo_ctx *ctx,
+ struct fo_server *server)
+{
+ int ret;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct resolve_srv_state *state;
+ int status;
+
+ req = tevent_req_create(mem_ctx, &state, struct resolve_srv_state);
+ if (req == NULL)
+ return NULL;
+
+ state->service = server->service;
+ state->ev = ev;
+ state->resolv = resolv;
+ state->fo_ctx = ctx;
+ state->meta = server->srv_data->meta;
+
+ status = get_srv_data_status(server->srv_data);
+ DEBUG(SSSDBG_FUNC_DATA, "The status of SRV lookup is %s\n",
+ str_srv_data_status(status));
+ switch(status) {
+ case SRV_EXPIRED: /* Need a refresh */
+ state->meta = collapse_srv_lookup(&server);
+ /* FALLTHROUGH.
+ * "server" might be invalid now if the SRV
+ * query collapsed
+ * */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ case SRV_NEUTRAL: /* Request SRV lookup */
+ if (server != NULL && server != state->meta) {
+ /* A server created by expansion of meta server was marked as
+ * neutral. We have to collapse the servers and issue new
+ * SRV resolution. */
+ state->meta = collapse_srv_lookup(&server);
+ }
+
+ if (ctx->srv_send_fn == NULL || ctx->srv_recv_fn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "No SRV lookup plugin is set\n");
+ ret = ENOTSUP;
+ goto done;
+ }
+
+ subreq = ctx->srv_send_fn(state, ev,
+ state->meta->srv_data->srv,
+ state->meta->srv_data->proto,
+ state->meta->srv_data->discovery_domain,
+ ctx->srv_pvt);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, resolve_srv_done, req);
+ break;
+ case SRV_RESOLVE_ERROR: /* query could not be resolved but don't retry yet */
+ ret = EIO;
+ state->out = server;
+
+ /* The port status was reseted to neutral but we still haven't reached
+ * timeout to try to resolve SRV record again. We will set the port
+ * status back to not working. */
+ fo_set_port_status(state->meta, PORT_NOT_WORKING);
+ goto done;
+ case SRV_RESOLVED: /* The query is resolved and valid. Return. */
+ state->out = server;
+ tevent_req_done(req);
+ tevent_req_post(req, state->ev);
+ return req;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected status %d for a SRV server\n", status);
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static void
+resolve_srv_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct resolve_srv_state *state = tevent_req_data(req,
+ struct resolve_srv_state);
+ struct fo_server *last_server = NULL;
+ struct fo_server_info *primary_servers = NULL;
+ struct fo_server_info *backup_servers = NULL;
+ size_t num_primary_servers = 0;
+ size_t num_backup_servers = 0;
+ char *dns_domain = NULL;
+ int ret;
+ uint32_t ttl;
+
+ ret = state->fo_ctx->srv_recv_fn(state, subreq, &dns_domain, &ttl,
+ &primary_servers, &num_primary_servers,
+ &backup_servers, &num_backup_servers);
+ talloc_free(subreq);
+ switch (ret) {
+ case EOK:
+ if ((num_primary_servers == 0 || primary_servers == NULL)
+ && (num_backup_servers == 0 || backup_servers == NULL)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "SRV lookup plugin returned EOK but "
+ "no servers\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ state->meta->srv_data->ttl = ttl;
+ talloc_zfree(state->meta->srv_data->dns_domain);
+ state->meta->srv_data->dns_domain = talloc_steal(state->meta->srv_data,
+ dns_domain);
+
+ last_server = state->meta;
+
+ if (primary_servers != NULL) {
+ ret = fo_add_server_list(state->service, last_server,
+ primary_servers, num_primary_servers,
+ state->meta->srv_data,
+ state->meta->user_data,
+ true, &last_server);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ if (backup_servers != NULL) {
+ ret = fo_add_server_list(state->service, last_server,
+ backup_servers, num_backup_servers,
+ state->meta->srv_data,
+ state->meta->user_data,
+ false, &last_server);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ if (last_server == state->meta) {
+ /* SRV lookup returned only those servers that are already present.
+ * This may happen only when an ongoing SRV resolution already
+ * exist. We will return server, but won't set any state. */
+ DEBUG(SSSDBG_TRACE_FUNC, "SRV lookup did not return "
+ "any new server.\n");
+ ret = ERR_SRV_DUPLICATES;
+
+ /* Since no new server is returned, state->meta->next is NULL.
+ * We return last tried server if possible which is server
+ * from previous resolution of SRV record, and first server
+ * otherwise. */
+ if (state->service->last_tried_server != NULL) {
+ state->out = state->service->last_tried_server;
+ goto done;
+ }
+
+ state->out = state->service->server_list;
+ goto done;
+ }
+
+ /* At least one new server was inserted.
+ * We will return the first new server. */
+ if (state->meta->next == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "BUG: state->meta->next is NULL\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ state->out = state->meta->next;
+
+ /* And remove meta server from the server list. It will be
+ * inserted again during srv collapse. */
+ DLIST_REMOVE(state->service->server_list, state->meta);
+ if (state->service->last_tried_server == state->meta) {
+ state->service->last_tried_server = state->out;
+ }
+
+ set_srv_data_status(state->meta->srv_data, SRV_RESOLVED);
+ ret = EOK;
+ break;
+ case ERR_SRV_NOT_FOUND:
+ /* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ case ERR_SRV_LOOKUP_ERROR:
+ fo_set_port_status(state->meta, PORT_NOT_WORKING);
+ /* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to resolve SRV [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
+
+done:
+ if (ret == ERR_SRV_DUPLICATES) {
+ tevent_req_error(req, ret);
+ return;
+ } else if (ret != EOK) {
+ state->out = state->meta;
+ set_srv_data_status(state->meta->srv_data, SRV_RESOLVE_ERROR);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static int
+resolve_srv_recv(struct tevent_req *req, struct fo_server **server)
+{
+ struct resolve_srv_state *state = tevent_req_data(req,
+ struct resolve_srv_state);
+
+ /* always return the server if asked for, otherwise the caller
+ * cannot mark it as faulty in case we return an error */
+ if (server) {
+ *server = state->out;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/*******************************************************************
+ * Get Fully Qualified Domain Name of the host machine *
+ *******************************************************************/
+static void
+set_server_common_status(struct server_common *common,
+ enum server_status status)
+{
+ DEBUG(SSSDBG_CONF_SETTINGS, "Marking server '%s' as '%s'\n", common->name,
+ str_server_status(status));
+
+ common->server_status = status;
+ gettimeofday(&common->last_status_change, NULL);
+}
+
+void
+fo_set_server_status(struct fo_server *server, enum server_status status)
+{
+ if (server->common == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Bug: Trying to set server status of a name-less server\n");
+ return;
+ }
+
+ set_server_common_status(server->common, status);
+}
+
+void
+fo_set_port_status(struct fo_server *server, enum port_status status)
+{
+ struct fo_server *siter;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Marking port %d of server '%s' as '%s'\n", server->port,
+ SERVER_NAME(server), str_port_status(status));
+
+ server->port_status = status;
+ gettimeofday(&server->last_status_change, NULL);
+ if (status == PORT_WORKING) {
+ fo_set_server_status(server, SERVER_WORKING);
+ server->service->active_server = server;
+ }
+
+ if (!server->common || !server->common->name) return;
+
+ /* It is possible to introduce duplicates when expanding SRV results
+ * into fo_server structures. Find the duplicates and set the same
+ * status */
+ DLIST_FOR_EACH(siter, server->service->server_list) {
+ if (fo_server_cmp(siter, server)) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Marking port %d of duplicate server '%s' as '%s'\n",
+ siter->port, SERVER_NAME(siter),
+ str_port_status(status));
+ siter->port_status = status;
+ gettimeofday(&siter->last_status_change, NULL);
+ }
+ }
+}
+
+struct fo_server *fo_get_active_server(struct fo_service *service)
+{
+ return service->active_server;
+}
+
+void fo_try_next_server(struct fo_service *service)
+{
+ struct fo_server *server;
+
+ if (!service) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: No service supplied\n");
+ return;
+ }
+
+ server = service->active_server;
+ if (!server) {
+ return;
+ }
+
+ service->active_server = 0;
+
+ if (server->port_status == PORT_WORKING) {
+ server->port_status = PORT_NOT_WORKING;
+ }
+}
+
+void *
+fo_get_server_user_data(struct fo_server *server)
+{
+ return server->user_data;
+}
+
+int
+fo_get_server_port(struct fo_server *server)
+{
+ return server->port;
+}
+
+const char *
+fo_get_server_name(struct fo_server *server)
+{
+ if (!server->common) {
+ return NULL;
+ }
+ return server->common->name;
+}
+
+const char *fo_get_server_str_name(struct fo_server *server)
+{
+ if (!server->common) {
+ if (fo_is_srv_lookup(server)) {
+ return "SRV lookup meta-server";
+ }
+ return "unknown name";
+ }
+
+ return server->common->name;
+}
+
+struct resolv_hostent *
+fo_get_server_hostent(struct fo_server *server)
+{
+ if (server->common == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Bug: Trying to get hostent from a name-less server\n");
+ return NULL;
+ }
+
+ return server->common->rhostent;
+}
+
+bool
+fo_is_server_primary(struct fo_server *server)
+{
+ return server->primary;
+}
+
+time_t
+fo_get_server_hostname_last_change(struct fo_server *server)
+{
+ if (server->common == NULL) {
+ return 0;
+ }
+ return server->common->last_status_change.tv_sec;
+}
+
+time_t fo_get_service_retry_timeout(struct fo_service *svc)
+{
+ if (svc == NULL || svc->ctx == NULL || svc->ctx->opts == NULL) {
+ return 0;
+ }
+
+ return svc->ctx->opts->retry_timeout;
+}
+
+void fo_reset_servers(struct fo_service *service)
+{
+ struct fo_server *server;
+
+ DLIST_FOR_EACH(server, service->server_list) {
+ if (server->srv_data != NULL) {
+ set_srv_data_status(server->srv_data, SRV_NEUTRAL);
+ }
+
+ if (server->common) {
+ fo_set_server_status(server, SERVER_NAME_NOT_RESOLVED);
+ }
+
+ fo_set_port_status(server, PORT_NEUTRAL);
+ }
+}
+
+
+void fo_reset_services(struct fo_ctx *fo_ctx)
+{
+ struct fo_service *service;
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Resetting all servers in all services\n");
+
+ DLIST_FOR_EACH(service, fo_ctx->service_list) {
+ fo_reset_servers(service);
+ }
+}
+
+bool fo_svc_has_server(struct fo_service *service, struct fo_server *server)
+{
+ struct fo_server *srv;
+
+ DLIST_FOR_EACH(srv, service->server_list) {
+ if (srv == server) return true;
+ }
+
+ return false;
+}
+
+const char **fo_svc_server_list(TALLOC_CTX *mem_ctx,
+ struct fo_service *service,
+ size_t *_count)
+{
+ const char **list;
+ const char *server;
+ struct fo_server *srv;
+ size_t count;
+
+ count = 0;
+ DLIST_FOR_EACH(srv, service->server_list) {
+ count++;
+ }
+
+ list = talloc_zero_array(mem_ctx, const char *, count + 1);
+ if (list == NULL) {
+ return NULL;
+ }
+
+ count = 0;
+ DLIST_FOR_EACH(srv, service->server_list) {
+ server = fo_get_server_name(srv);
+ if (server == NULL) {
+ /* _srv_ */
+ continue;
+ }
+
+ list[count] = talloc_strdup(list, server);
+ if (list[count] == NULL) {
+ talloc_free(list);
+ return NULL;
+ }
+ count++;
+ }
+
+ if (_count != NULL) {
+ *_count = count;
+ }
+
+ return list;
+}
+
+bool fo_set_srv_lookup_plugin(struct fo_ctx *ctx,
+ fo_srv_lookup_plugin_send_t send_fn,
+ fo_srv_lookup_plugin_recv_t recv_fn,
+ void *pvt)
+{
+ if (ctx == NULL || send_fn == NULL || recv_fn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid parameters\n");
+ return false;
+ }
+
+ if (ctx->srv_send_fn != NULL || ctx->srv_recv_fn != NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "SRV lookup plugin is already set\n");
+ return false;
+ }
+
+ ctx->srv_send_fn = send_fn;
+ ctx->srv_recv_fn = recv_fn;
+ ctx->srv_pvt = talloc_steal(ctx, pvt);
+
+ return true;
+}
diff --git a/src/providers/fail_over.h b/src/providers/fail_over.h
new file mode 100644
index 0000000..d70212f
--- /dev/null
+++ b/src/providers/fail_over.h
@@ -0,0 +1,227 @@
+/*
+ SSSD
+
+ Fail over helper functions.
+
+ Authors:
+ Martin Nagy
+
+ Copyright (C) Red Hat, Inc 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __FAIL_OVER_H__
+#define __FAIL_OVER_H__
+
+#include
+#include
+
+#include "resolv/async_resolv.h"
+#include "providers/fail_over_srv.h"
+
+#define FO_PROTO_TCP "tcp"
+#define FO_PROTO_UDP "udp"
+
+/* Some forward declarations that don't have to do anything with fail over. */
+struct hostent;
+struct tevent_context;
+struct tevent_req;
+
+enum port_status {
+ PORT_NEUTRAL, /* We didn't try this port yet. */
+ PORT_WORKING, /* This port was reported to work. */
+ PORT_NOT_WORKING /* This port was reported to not work. */
+};
+
+enum server_status {
+ SERVER_NAME_NOT_RESOLVED, /* We didn't yet resolved the host name. */
+ SERVER_RESOLVING_NAME, /* Name resolving is in progress. */
+ SERVER_NAME_RESOLVED, /* We resolved the host name but didn't try to connect. */
+ SERVER_WORKING, /* We successfully connected to the server. */
+ SERVER_NOT_WORKING /* We tried and failed to connect to the server. */
+};
+
+struct fo_ctx;
+struct fo_service;
+struct fo_server;
+
+/*
+ * Failover settings.
+ *
+ * The 'retry_timeout' member specifies the
+ * duration in seconds of how long a server or port will be considered
+ * non-working after being marked as such.
+ *
+ * The 'service_resolv_timeout' member specifies how long we wait for
+ * service resolution. When this timeout is reached, the resolve request
+ * is cancelled with an error
+ *
+ * The 'srv_retry_timeout' member specifies how long a SRV lookup
+ * is considered valid until we ask the server again.
+ *
+ * The 'srv_retry_neg_timeout' member specifies how long a SRV lookup
+ * waits before previously failed lookup is tried again.
+ *
+ * The family_order member specifies the order of address families to
+ * try when looking up the service.
+ */
+struct fo_options {
+ time_t srv_retry_neg_timeout;
+ time_t retry_timeout;
+ int service_resolv_timeout;
+ enum restrict_family family_order;
+};
+
+/*
+ * Create a new fail over context based on options passed in the
+ * opts parameter
+ */
+struct fo_ctx *fo_context_init(TALLOC_CTX *mem_ctx,
+ struct fo_options *opts);
+
+typedef int (*datacmp_fn)(void*, void*);
+
+/*
+ * Create a new service structure for 'ctx', saving it to the location pointed
+ * to by '_service'. The needed memory will be allocated from 'ctx'.
+ * Service name will be set to 'name'.
+ *
+ * Function pointed by user_data_cmp returns 0 if user_data is equal
+ * or nonzero value if not. Set to NULL if no user data comparison
+ * is needed in fail over duplicate servers detection.
+ */
+int fo_new_service(struct fo_ctx *ctx,
+ const char *name,
+ datacmp_fn user_data_cmp,
+ struct fo_service **_service);
+
+/*
+ * Look up service named 'name' from the 'ctx' service list. Target of
+ * '_service' will be set to the service if it was found.
+ */
+int fo_get_service(struct fo_ctx *ctx,
+ const char *name,
+ struct fo_service **_service);
+
+/*
+ * Get number of servers registered for the 'service'.
+ */
+int fo_get_server_count(struct fo_service *service);
+
+/*
+ * Adds a server 'name' to the 'service'. Port 'port' will be used for
+ * connection. If 'name' is NULL, no server resolution will be done.
+ */
+int fo_add_server(struct fo_service *service,
+ const char *name, int port,
+ void *user_data, bool primary);
+
+int fo_add_srv_server(struct fo_service *service,
+ const char *srv,
+ const char *discovery_domain,
+ const char *sssd_domain,
+ const char *proto,
+ void *user_data);
+
+/*
+ * Request the first server from the service's list of servers. It is only
+ * considered if it is not marked as not working (or the retry interval already
+ * passed). If the server address wasn't resolved yet, it will be done.
+ */
+struct tevent_req *fo_resolve_service_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv,
+ struct fo_ctx *ctx,
+ struct fo_service *service);
+
+int fo_resolve_service_recv(struct tevent_req *req,
+ TALLOC_CTX *ref_ctx,
+ struct fo_server **server);
+
+
+/* To be used by async consumers of fo_resolve_service. If a server should be returned
+ * to an outer request, it should be referenced by a memory from that outer request,
+ * because the failover's server list might change with a subsequent call (see upstream
+ * bug #2829)
+ */
+void fo_ref_server(TALLOC_CTX *ref_ctx, struct fo_server *server);
+
+/*
+ * Set feedback about 'server'. Caller should use this to indicate a problem
+ * with the server itself, not only with the service on that server. This
+ * should be used, for example, when the IP address of the server can't be
+ * reached. This setting can affect other services as well, since they can
+ * share the same server.
+ */
+void fo_set_server_status(struct fo_server *server,
+ enum server_status status);
+
+/*
+ * Set feedback about the port status. This function should be used when
+ * the server itself is working but the service is not. When status is set
+ * to PORT_WORKING, 'server' is also marked as an "active server" for its
+ * service. When the next fo_resolve_service_send() function is called, this
+ * server will be preferred. This will hold as long as it is not marked as
+ * not-working.
+ */
+void fo_set_port_status(struct fo_server *server,
+ enum port_status status);
+
+/*
+ * Instruct fail-over to try next server on the next connect attempt.
+ * Should be used after connection to service was unexpectedly dropped
+ * but there is no authoritative information on whether active server is down.
+ */
+void fo_try_next_server(struct fo_service *service);
+
+void *fo_get_server_user_data(struct fo_server *server);
+
+int fo_get_server_port(struct fo_server *server);
+
+const char *fo_get_server_name(struct fo_server *server);
+
+const char *fo_get_server_str_name(struct fo_server *server);
+
+struct resolv_hostent *fo_get_server_hostent(struct fo_server *server);
+
+bool fo_is_server_primary(struct fo_server *server);
+
+time_t fo_get_server_hostname_last_change(struct fo_server *server);
+
+int fo_is_srv_lookup(struct fo_server *s);
+
+time_t fo_get_service_retry_timeout(struct fo_service *svc);
+
+void fo_reset_services(struct fo_ctx *fo_ctx);
+
+void fo_reset_servers(struct fo_service *svc);
+
+struct fo_server *fo_get_active_server(struct fo_service *service);
+
+bool fo_svc_has_server(struct fo_service *service, struct fo_server *server);
+
+const char **fo_svc_server_list(TALLOC_CTX *mem_ctx,
+ struct fo_service *service,
+ size_t *_count);
+
+/*
+ * pvt will be talloc_stealed to ctx
+ */
+bool fo_set_srv_lookup_plugin(struct fo_ctx *ctx,
+ fo_srv_lookup_plugin_send_t send_fn,
+ fo_srv_lookup_plugin_recv_t recv_fn,
+ void *pvt);
+
+#endif /* !__FAIL_OVER_H__ */
diff --git a/src/providers/fail_over_srv.c b/src/providers/fail_over_srv.c
new file mode 100644
index 0000000..5f474ea
--- /dev/null
+++ b/src/providers/fail_over_srv.c
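Review bot: In fail_over.h the comment above `struct fo_options` documents a `srv_retry_timeout` member, but the struct as added has only `srv_retry_neg_timeout`, `retry_timeout`, `service_resolv_timeout` and `family_order`, so the paragraph describes a field that does not exist. Either drop it or reword it to say where the validity period of a positive SRV answer comes from; `resolve_srv_done()` in fail_over.c stores the plugin's TTL in `srv_data->ttl`, which suggests the DNS TTL is what bounds it, though the check itself is outside this page. Only `retry_timeout` states its unit ("seconds"); the other timeouts should say theirs as well. `fo_add_srv_server()` is also the one registration function here without a contract comment, and a short one in the style of `fo_add_server()` explaining `discovery_domain` versus `sssd_domain` would help callers.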
@@ -0,0 +1,719 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "resolv/async_resolv.h"
+#include "providers/fail_over_srv.h"
+
+struct fo_discover_srv_state {
+ char *dns_domain;
+ struct fo_server_info *servers;
+ size_t num_servers;
+ uint32_t ttl;
+};
+
+static void fo_discover_srv_done(struct tevent_req *subreq);
+
+struct tevent_req *fo_discover_srv_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv_ctx,
+ const char *service,
+ const char *protocol,
+ const char **discovery_domains)
+{
+ struct fo_discover_srv_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct fo_discover_srv_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ subreq = resolv_discover_srv_send(state, ev, resolv_ctx, service,
+ protocol, discovery_domains);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, fo_discover_srv_done, req);
+
+ return req;
+
+immediately:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void fo_discover_srv_done(struct tevent_req *subreq)
+{
+ struct fo_discover_srv_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct ares_srv_reply *reply_list = NULL;
+ struct ares_srv_reply *record = NULL;
+ int i;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct fo_discover_srv_state);
+
+ ret = resolv_discover_srv_recv(state, subreq,
+ &reply_list, &state->ttl, &state->dns_domain);
+ talloc_zfree(subreq);
+ if (ret == ENOENT) {
+ ret = ERR_SRV_NOT_FOUND;
+ goto done;
+ } else if (ret == EIO) {
+ ret = ERR_SRV_LOOKUP_ERROR;
+ goto done;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Got answer. Processing...\n");
+
+ /* sort and store the answer */
+ ret = resolv_sort_srv_reply(&reply_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not sort the answers from DNS "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ state->num_servers = 0;
+ for (record = reply_list; record != NULL; record = record->next) {
+ state->num_servers++;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Got %zu servers\n", state->num_servers);
+
+ state->servers = talloc_array(state, struct fo_server_info,
+ state->num_servers);
+ if (state->servers == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (record = reply_list, i = 0;
+ record != NULL;
+ record = record->next, i++) {
+ state->servers[i].host = talloc_steal(state->servers, record->host);
+ state->servers[i].port = record->port;
+ state->servers[i].priority = record->priority;
+ }
+
+ talloc_zfree(reply_list);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t fo_discover_srv_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_servers,
+ size_t *_num_servers)
+{
+ struct fo_discover_srv_state *state = NULL;
+ state = tevent_req_data(req, struct fo_discover_srv_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_dns_domain != NULL) {
+ *_dns_domain = talloc_steal(mem_ctx, state->dns_domain);
+ }
+
+ if (_servers != NULL) {
+ *_servers = talloc_steal(mem_ctx, state->servers);
+ }
+
+ if (_ttl != NULL) {
+ *_ttl = state->ttl;
+ }
+
+ if (_num_servers != NULL) {
+ *_num_servers = state->num_servers;
+ }
+
+ return EOK;
+}
+
+struct fo_discover_servers_state {
+ struct tevent_context *ev;
+ struct resolv_ctx *resolv_ctx;
+ const char *service;
+ const char *protocol;
+ const char *primary_domain;
+ const char *backup_domain;
+
+ char *dns_domain;
+ uint32_t ttl;
+ struct fo_server_info *primary_servers;
+ size_t num_primary_servers;
+ struct fo_server_info *backup_servers;
+ size_t num_backup_servers;
+};
+
+static void fo_discover_servers_primary_done(struct tevent_req *subreq);
+static void fo_discover_servers_backup_done(struct tevent_req *subreq);
+
+struct tevent_req *fo_discover_servers_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv_ctx,
+ const char *service,
+ const char *protocol,
+ const char *primary_domain,
+ const char *backup_domain)
+{
+ struct fo_discover_servers_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ const char **domains = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct fo_discover_servers_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ if (primary_domain == NULL) {
+ if (backup_domain == NULL) {
+ state->primary_servers = NULL;
+ state->num_primary_servers = 0;
+ state->backup_servers = NULL;
+ state->num_backup_servers = 0;
+ state->dns_domain = NULL;
+ state->ttl = 0;
+
+ ret = EOK;
+ goto immediately;
+ } else {
+ primary_domain = backup_domain;
+ backup_domain = NULL;
+ }
+ }
+
+ state->ev = ev;
+ state->resolv_ctx = resolv_ctx;
+
+ state->service = talloc_strdup(state, service);
+ if (state->service == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->protocol = talloc_strdup(state, protocol);
+ if (state->protocol == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->primary_domain = talloc_strdup(state, primary_domain);
+ if (state->primary_domain == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->backup_domain = talloc_strdup(state, backup_domain);
+ if (state->backup_domain == NULL && backup_domain != NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Looking up primary servers\n");
+
+ domains = talloc_zero_array(state, const char *, 3);
+ if (domains == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ domains[0] = state->primary_domain;
+ domains[1] = state->backup_domain;
+
+ subreq = fo_discover_srv_send(state, ev, resolv_ctx,
+ state->service, state->protocol, domains);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, fo_discover_servers_primary_done, req);
+
+ return req;
+
+immediately:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void fo_discover_servers_primary_done(struct tevent_req *subreq)
+{
+ struct fo_discover_servers_state *state = NULL;
+ struct tevent_req *req = NULL;
+ const char **domains = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct fo_discover_servers_state);
+
+ ret = fo_discover_srv_recv(state, subreq,
+ &state->dns_domain,
+ &state->ttl,
+ &state->primary_servers,
+ &state->num_primary_servers);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve primary servers "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ if (ret != ERR_SRV_NOT_FOUND && ret != ERR_SRV_LOOKUP_ERROR) {
+ /* abort on system error */
+ goto done;
+ }
+ }
+
+ if (state->backup_domain == NULL) {
+ /* if there is no backup domain, we are done */
+ DEBUG(SSSDBG_TRACE_FUNC, "No backup domain specified\n");
+ goto done;
+ }
+
+ if (state->dns_domain != NULL
+ && strcasecmp(state->dns_domain, state->backup_domain) == 0) {
+ /* If there was no error and dns_domain is the same as backup domain,
+ * it means that we were unable to resolve SRV in primary domain, but
+ * SRV from backup domain was resolved and those servers are considered
+ * to be primary. We are done. */
+ state->backup_servers = NULL;
+ state->num_backup_servers = 0;
+
+ ret = EOK;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Looking up backup servers\n");
+
+ domains = talloc_zero_array(state, const char *, 2);
+ if (domains == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ domains[0] = state->backup_domain;
+
+ subreq = fo_discover_srv_send(state, state->ev, state->resolv_ctx,
+ state->service, state->protocol, domains);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, fo_discover_servers_backup_done, req);
+
+ ret = EAGAIN;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static void fo_discover_servers_backup_done(struct tevent_req *subreq)
+{
+ struct fo_discover_servers_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct fo_discover_servers_state);
+
+ ret = fo_discover_srv_recv(state, subreq, NULL,
+ NULL, &state->backup_servers,
+ &state->num_backup_servers);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to retrieve backup servers "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ if (ret == ERR_SRV_NOT_FOUND || ret == ERR_SRV_LOOKUP_ERROR) {
+ /* we have successfully fetched primary servers, so we will
+ * finish the request normally on non system error */
+ ret = EOK;
+ }
+ }
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t fo_discover_servers_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_primary_servers,
+ size_t *_num_primary_servers,
+ struct fo_server_info **_backup_servers,
+ size_t *_num_backup_servers)
+{
+ struct fo_discover_servers_state *state = NULL;
+ state = tevent_req_data(req, struct fo_discover_servers_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_primary_servers) {
+ *_primary_servers = talloc_steal(mem_ctx, state->primary_servers);
+ }
+
+ if (_num_primary_servers) {
+ *_num_primary_servers = state->num_primary_servers;
+ }
+
+ if (_backup_servers) {
+ *_backup_servers = talloc_steal(mem_ctx, state->backup_servers);
+ }
+
+ if (_num_backup_servers) {
+ *_num_backup_servers = state->num_backup_servers;
+ }
+
+ if (_dns_domain) {
+ *_dns_domain = talloc_steal(mem_ctx, state->dns_domain);
+ }
+
+ if (_ttl) {
+ *_ttl = state->ttl;
+ }
+
+
+ return EOK;
+}
+
+struct fo_resolve_srv_dns_ctx {
+ struct resolv_ctx *resolv_ctx;
+ enum restrict_family family_order;
+ enum host_database *host_dbs;
+ char *hostname;
+ char *sssd_domain;
+ char *detected_domain;
+};
+
+struct fo_resolve_srv_dns_state {
+ struct tevent_context *ev;
+ struct fo_resolve_srv_dns_ctx *ctx;
+ const char *service;
+ const char *protocol;
+ const char *discovery_domain;
+
+ char *dns_domain;
+ uint32_t ttl;
+ struct fo_server_info *servers;
+ size_t num_servers;
+};
+
+static void fo_resolve_srv_dns_domain_done(struct tevent_req *subreq);
+static errno_t fo_resolve_srv_dns_discover(struct tevent_req *req);
+static void fo_resolve_srv_dns_done(struct tevent_req *subreq);
+
+struct fo_resolve_srv_dns_ctx *
+fo_resolve_srv_dns_ctx_init(TALLOC_CTX *mem_ctx,
+ struct resolv_ctx *resolv_ctx,
+ enum restrict_family family_order,
+ enum host_database *host_dbs,
+ const char *hostname,
+ const char *sssd_domain)
+{
+ struct fo_resolve_srv_dns_ctx *ctx = NULL;
+
+ ctx = talloc_zero(mem_ctx, struct fo_resolve_srv_dns_ctx);
+ if (ctx == NULL) {
+ return NULL;
+ }
+
+ ctx->resolv_ctx = resolv_ctx;
+ ctx->family_order = family_order;
+ ctx->host_dbs = host_dbs;
+
+ ctx->hostname = talloc_strdup(ctx, hostname);
+ if (ctx->hostname == NULL) {
+ goto fail;
+ }
+
+ ctx->sssd_domain = talloc_strdup(ctx, sssd_domain);
+ if (ctx->sssd_domain == NULL) {
+ goto fail;
+ }
+
+ return ctx;
+
+fail:
+ talloc_free(ctx);
+ return NULL;
+}
+
+struct tevent_req *fo_resolve_srv_dns_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *service,
+ const char *protocol,
+ const char *discovery_domain,
+ void *pvt)
+{
+ struct fo_resolve_srv_dns_state *state = NULL;
+ struct fo_resolve_srv_dns_ctx *ctx = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct fo_resolve_srv_dns_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ ctx = talloc_get_type(pvt, struct fo_resolve_srv_dns_ctx);
+ if (ctx == NULL) {
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ state->ev = ev;
+ state->ctx = ctx;
+ state->service = service;
+ state->protocol = protocol;
+
+ if (discovery_domain == NULL) {
+ state->discovery_domain = NULL;
+ } else {
+ state->discovery_domain = discovery_domain;
+ }
+
+ if (discovery_domain == NULL && ctx->detected_domain == NULL) {
+ /* we will try to detect proper discovery domain */
+ subreq = resolv_get_domain_send(state, state->ev, ctx->resolv_ctx,
+ ctx->hostname, ctx->host_dbs,
+ ctx->family_order);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, fo_resolve_srv_dns_domain_done, req);
+ } else {
+ /* we will use either provided or previously detected
+ * discovery domain */
+ ret = fo_resolve_srv_dns_discover(req);
+ if (ret != EAGAIN) {
+ goto immediately;
+ }
+ }
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void fo_resolve_srv_dns_domain_done(struct tevent_req *subreq)
+{
+ struct fo_resolve_srv_dns_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct fo_resolve_srv_dns_state);
+
+ ret = resolv_get_domain_recv(state->ctx, subreq,
+ &state->ctx->detected_domain);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = fo_resolve_srv_dns_discover(req);
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static errno_t fo_resolve_srv_dns_discover(struct tevent_req *req)
+{
+ struct fo_resolve_srv_dns_state *state = NULL;
+ struct fo_resolve_srv_dns_ctx *ctx = NULL;
+ struct tevent_req *subreq = NULL;
+ const char **domains = NULL;
+ errno_t ret;
+
+ state = tevent_req_data(req, struct fo_resolve_srv_dns_state);
+ ctx = state->ctx;
+
+ domains = talloc_zero_array(state, const char *, 3);
+ if (domains == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (state->discovery_domain == NULL) {
+ /* we will use detected domain with SSSD domain as fallback */
+ domains[0] = talloc_strdup(domains, ctx->detected_domain);
+ if (domains[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (strcasecmp(ctx->detected_domain, ctx->sssd_domain) != 0) {
+ domains[1] = talloc_strdup(domains, ctx->sssd_domain);
+ if (domains[1] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ } else {
+ /* We will use only discovery domain that was provided via plugin
+ * interface. We don't have to dup here because it is already on
+ * state. */
+ domains[0] = state->discovery_domain;
+ }
+
+ subreq = fo_discover_srv_send(state, state->ev, ctx->resolv_ctx,
+ state->service, state->protocol, domains);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, fo_resolve_srv_dns_done, req);
+
+ ret = EAGAIN;
+
+done:
+ if (ret != EAGAIN) {
+ talloc_free(domains);
+ }
+
+ return ret;
+}
+
+static void fo_resolve_srv_dns_done(struct tevent_req *subreq)
+{
+ struct fo_resolve_srv_dns_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct fo_resolve_srv_dns_state);
+
+ ret = fo_discover_srv_recv(state, subreq,
+ &state->dns_domain, &state->ttl,
+ &state->servers, &state->num_servers);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t fo_resolve_srv_dns_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_primary_servers,
+ size_t *_num_primary_servers,
+ struct fo_server_info **_backup_servers,
+ size_t *_num_backup_servers)
+{
+ struct fo_resolve_srv_dns_state *state = NULL;
+ state = tevent_req_data(req, struct fo_resolve_srv_dns_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_primary_servers) {
+ *_primary_servers = talloc_steal(mem_ctx, state->servers);
+ }
+
+ if (_num_primary_servers) {
+ *_num_primary_servers = state->num_servers;
+ }
+
+ /* backup servers are not supported by simple srv lookup */
+ if (_backup_servers) {
+ *_backup_servers = NULL;
+ }
+
+ if (_num_backup_servers) {
+ *_num_backup_servers = 0;
+ }
+
+ if (_dns_domain) {
+ *_dns_domain = talloc_steal(mem_ctx, state->dns_domain);
+ }
+
+ if (_ttl) {
+ *_ttl = state->ttl;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/fail_over_srv.h b/src/providers/fail_over_srv.h
new file mode 100644
index 0000000..fe4088e
--- /dev/null
+++ b/src/providers/fail_over_srv.h
@@ -0,0 +1,133 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __FAIL_OVER_SRV_H__
+#define __FAIL_OVER_SRV_H__
+
+#include
+#include
+
+#include "resolv/async_resolv.h"
+
+/* SRV lookup plugin interface */
+
+struct fo_server_info {
+ char *host;
+ int port;
+ unsigned short priority;
+};
+
+/*
+ * If discovery_domain is NULL, it should be detected automatically.
+ */
+typedef struct tevent_req *
+(*fo_srv_lookup_plugin_send_t)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *service,
+ const char *protocol,
+ const char *discovery_domain,
+ void *pvt);
+
+/*
+ * Returns:
+ * EOK - at least one primary or backup server was found
+ * ERR_SRV_NOT_FOUND - no primary nor backup server found
+ * ERR_SRV_LOOKUP_ERROR - error communicating with SRV database
+ * other code - depends on plugin
+ *
+ * If EOK is returned:
+ * - and no primary server is found:
+ * *_primary_servers = NULL
+ * *_num_primary_servers = 0
+ * - and no backup server is found:
+ * *_backup_servers = NULL
+ * *_num_backup_servers = 0
+ * - *_dns_domain = DNS domain name where the servers were found
+ */
+typedef errno_t
+(*fo_srv_lookup_plugin_recv_t)(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_primary_servers,
+ size_t *_num_primary_servers,
+ struct fo_server_info **_backup_servers,
+ size_t *_num_backup_servers);
+
+struct tevent_req *fo_discover_srv_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv_ctx,
+ const char *service,
+ const char *protocol,
+ const char **discovery_domains);
+
+errno_t fo_discover_srv_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_servers,
+ size_t *_num_servers);
+
+struct tevent_req *fo_discover_servers_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv_ctx,
+ const char *service,
+ const char *protocol,
+ const char *primary_domain,
+ const char *backup_domain);
+
+errno_t fo_discover_servers_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_primary_servers,
+ size_t *_num_primary_servers,
+ struct fo_server_info **_backup_servers,
+ size_t *_num_backup_servers);
+
+/* Simple SRV lookup plugin */
+
+struct fo_resolve_srv_dns_ctx;
+
+struct 
fo_resolve_srv_dns_ctx *
+fo_resolve_srv_dns_ctx_init(TALLOC_CTX *mem_ctx,
+ struct resolv_ctx *resolv_ctx,
+ enum restrict_family family_order,
+ enum host_database *host_dbs,
+ const char *hostname,
+ const char *sssd_domain);
+
+struct tevent_req *fo_resolve_srv_dns_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *service,
+ const char *protocol,
+ const char *discovery_domain,
+ void *pvt);
+
+errno_t fo_resolve_srv_dns_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_primary_servers,
+ size_t *_num_primary_servers,
+ struct fo_server_info **_backup_servers,
+ size_t *_num_backup_servers);
+
+#endif /* __FAIL_OVER_SRV_H__ */
diff --git a/src/providers/files/files_id.c b/src/providers/files/files_id.c
new file mode 100644
index 0000000..41314c6
--- /dev/null
+++ b/src/providers/files/files_id.c
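Review bot: The contract comment above `fo_srv_lookup_plugin_recv_t` lists the return codes and the empty-result convention but never mentions `_ttl`, whether output pointers may be NULL, or who owns the returned memory. The recv bodies visible earlier in this patch (`fo_discover_servers_recv`, `fo_resolve_srv_dns_recv`) test every output pointer before writing and `talloc_steal` the server arrays and `_dns_domain` onto `mem_ctx`, so the comment could say so for plugin authors: `* - any output pointer may be NULL; returned arrays and *_dns_domain are reparented to mem_ctx`. A line for `_ttl` belongs there too once its units and source are confirmed, since they are not visible in this hunk. As a style point, the include guard `__FAIL_OVER_SRV_H__` uses a reserved double-underscore identifier; `FAIL_OVER_SRV_H` avoids that.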
@@ -0,0 +1,179 @@
+/*
+ SSSD
+
+ files_id.c - Identity operaions on the files provider
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/data_provider/dp.h"
+#include "providers/files/files_private.h"
+
+struct files_account_info_handler_state {
+ struct dp_reply_std reply;
+
+ struct files_id_ctx *id_ctx;
+};
+
+struct tevent_req *
+files_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct files_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params)
+{
+ struct files_account_info_handler_state *state;
+ struct tevent_req *req;
+ struct tevent_req **update_req = NULL;
+ bool needs_update;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct files_account_info_handler_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+ state->id_ctx = id_ctx;
+
+ switch (data->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER:
+ if (data->filter_type != BE_FILTER_ENUM) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected user filter type: %d\n", data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ update_req = &id_ctx->users_req;
+ needs_update = id_ctx->updating_passwd ? 
true : false;
+ break;
+ case BE_REQ_GROUP:
+ if (data->filter_type != BE_FILTER_ENUM) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected group filter type: %d\n", data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ update_req = &id_ctx->groups_req;
+ needs_update = id_ctx->updating_groups ? true : false;
+ break;
+ case BE_REQ_INITGROUPS:
+ if (data->filter_type != BE_FILTER_NAME) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected initgr filter type: %d\n", data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ if (strcmp(data->filter_value, DP_REQ_OPT_FILES_INITGR) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected initgr filter value: %d\n", data->filter_type);
+ ret = EINVAL;
+ goto immediate;
+ }
+ update_req = &id_ctx->initgroups_req;
+ needs_update = id_ctx->updating_groups || id_ctx->updating_passwd \
+ ? true \
+ : false;
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected entry type: %d\n", data->entry_type & BE_REQ_TYPE_MASK);
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ if (needs_update == false) {
+ DEBUG(SSSDBG_TRACE_LIBS, "The files domain no longer needs an update\n");
+ ret = EOK;
+ goto immediate;
+ }
+
+ if (*update_req != NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Received a concurrent update!\n");
+ ret = EAGAIN;
+ goto immediate;
+ }
+
+ /* id_ctx now must mark the requests as updated when the inotify-induced
+ * update finishes
+ */
+ *update_req = req;
+ return req;
+
+immediate:
+ dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ tevent_req_post(req, params->ev);
+ return req;
+}
+
+static void finish_update_req(struct tevent_req **update_req,
+ errno_t ret)
+{
+ if (*update_req == NULL) {
+ return;
+ }
+
+ if (ret != EOK) {
+ tevent_req_error(*update_req, ret);
+ } else {
+ tevent_req_done(*update_req);
+ }
+ *update_req = NULL;
+}
+
+void files_account_info_finished(struct files_id_ctx *id_ctx,
+ int req_type,
+ errno_t ret)
+{
+ switch (req_type) {
+ case BE_REQ_USER:
+ finish_update_req(&id_ctx->users_req, ret);
+ if (id_ctx->updating_groups == false) {
+ finish_update_req(&id_ctx->initgroups_req, ret);
+ }
+ break;
+ case BE_REQ_GROUP:
+ finish_update_req(&id_ctx->groups_req, ret);
+ if (id_ctx->updating_passwd == false) {
+ finish_update_req(&id_ctx->initgroups_req, ret);
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected req_type %d\n", req_type);
+ return;
+ }
+}
+
+errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data)
+{
+ struct files_account_info_handler_state *state = NULL;
+
+ state = tevent_req_data(req, struct files_account_info_handler_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *data = state->reply;
+ return EOK;
+}
diff --git a/src/providers/files/files_init.c b/src/providers/files/files_init.c
new file mode 100644
index 0000000..746c04a
--- /dev/null
+++ b/src/providers/files/files_init.c
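Review bot: `files_account_info_handler_send` parks `req` in `id_ctx->users_req`, `groups_req` or `initgroups_req` (`*update_req = req;`), and nothing in this file clears that slot if the request is freed before `files_account_info_finished` runs, so `finish_update_req` could later call `tevent_req_done`/`tevent_req_error` on freed memory. Whether a caller can free or time out the request while it is parked is not visible in this hunk, but a talloc destructor on the state that resets the slot makes the lifetime explicit; a sketch follows. In `finish_update_req` it would also be safer to copy the pointer and set `*update_req = NULL` before completing the request, because the completion callback runs while the slot is still set. Separately, the "Unexpected initgr filter value" message prints `data->filter_type` with `%d`; it presumably meant `"Unexpected initgr filter value: %s\n", data->filter_value`.

```c
    struct files_id_ctx *id_ctx;
    /* set only while the request is parked in id_ctx */
    struct tevent_req *req;
    struct tevent_req **update_req;
};

static int files_account_info_handler_state_destructor(
                        struct files_account_info_handler_state *state)
{
    /* drop the parked pointer so finish_update_req() never sees a freed req */
    if (state->update_req != NULL && *state->update_req == state->req) {
        *state->update_req = NULL;
    }
    return 0;
}

/* … unchanged: files_account_info_handler_send up to the concurrent-update check … */

    state->req = req;
    state->update_req = update_req;
    talloc_set_destructor(state, files_account_info_handler_state_destructor);
    *update_req = req;
    return req;
```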
@@ -0,0 +1,226 @@ +/* + SSSD + + files_init.c - Initialization of the files provider + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/data_provider/dp.h" +#include "providers/files/files_private.h" +#include "util/util.h" + +#define DEFAULT_PASSWD_FILE "/etc/passwd" +#define DEFAULT_GROUP_FILE "/etc/group" + +static errno_t files_init_file_sources(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + const char ***_passwd_files, + const char ***_group_files) +{ + TALLOC_CTX *tmp_ctx = NULL; + char *conf_passwd_files; + char *conf_group_files; + char **passwd_list = NULL; + char **group_list = NULL; + int num_passwd_files = 0; + int num_group_files = 0; + const char **passwd_files = NULL; + const char **group_files = NULL; + const char *dfl_passwd_files = NULL; + const char *env_group_files = NULL; + int i; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + dfl_passwd_files = getenv("SSS_FILES_PASSWD"); + if (dfl_passwd_files) { + sss_log(SSS_LOG_ALERT, + "Defaulting to %s for the passwd file, " + "this should only be used for testing!\n", + dfl_passwd_files); + } else { + dfl_passwd_files = DEFAULT_PASSWD_FILE; + } + DEBUG(SSSDBG_TRACE_FUNC, + "Using default passwd file: [%s].\n", dfl_passwd_files); + + env_group_files = getenv("SSS_FILES_GROUP"); + if (env_group_files) { + sss_log(SSS_LOG_ALERT, + "Defaulting to 
%s for the group file, " + "this should only be used for testing!\n", + env_group_files); + } else { + env_group_files = DEFAULT_GROUP_FILE; + } + DEBUG(SSSDBG_TRACE_FUNC, + "Using default group file: [%s].\n", DEFAULT_GROUP_FILE); + + ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path, + CONFDB_FILES_PASSWD, dfl_passwd_files, + &conf_passwd_files); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb passwd files!\n"); + goto done; + } + + ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path, + CONFDB_FILES_GROUP, env_group_files, + &conf_group_files); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve confdb group files!\n"); + goto done; + } + + ret = split_on_separator(tmp_ctx, conf_passwd_files, ',', true, true, + &passwd_list, &num_passwd_files); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse passwd list!\n"); + goto done; + } + + passwd_files = talloc_zero_array(tmp_ctx, const char *, + num_passwd_files + 1); + if (passwd_files == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num_passwd_files; i++) { + DEBUG(SSSDBG_TRACE_FUNC, + "Using passwd file: [%s].\n", passwd_list[i]); + + passwd_files[i] = talloc_strdup(passwd_files, passwd_list[i]); + if (passwd_files[i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + /* Retrieve list of group files */ + ret = split_on_separator(tmp_ctx, conf_group_files, ',', true, true, + &group_list, &num_group_files); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse group files!\n"); + goto done; + } + + group_files = talloc_zero_array(tmp_ctx, const char *, + num_group_files + 1); + if (group_files == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num_group_files; i++) { + DEBUG(SSSDBG_TRACE_FUNC, + "Using group file: [%s].\n", group_list[i]); + group_files[i] = 
talloc_strdup(group_files, group_list[i]); + if (group_files[i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + *_passwd_files = talloc_steal(mem_ctx, passwd_files); + *_group_files = talloc_steal(mem_ctx, group_files); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int sssm_files_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + const char *module_name, + void **_module_data) +{ + struct files_id_ctx *ctx; + errno_t ret; + + ctx = talloc_zero(mem_ctx, struct files_id_ctx); + if (ctx == NULL) { + return ENOMEM; + } + + ctx->be = be_ctx; + ctx->domain = be_ctx->domain; + + ret = files_init_file_sources(ctx, be_ctx, + &ctx->passwd_files, + &ctx->group_files); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize the passwd/group source files\n"); + goto done; + } + + ctx->fctx = sf_init(ctx, be_ctx->ev, + ctx->passwd_files, + ctx->group_files, + ctx); + if (ctx->fctx == NULL) { + ret = ENOMEM; + goto done; + } + + *_module_data = ctx; + ret = EOK; +done: + if (ret != EOK) { + talloc_free(ctx); + } + return ret; +} + +int sssm_files_id_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct files_id_ctx *ctx; + + ctx = talloc_get_type(module_data, struct files_id_ctx); + if (ctx == NULL) { + return EINVAL; + } + + dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER, + files_account_info_handler_send, + files_account_info_handler_recv, + ctx, struct files_id_ctx, + struct dp_id_data, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER, + default_account_domain_send, + default_account_domain_recv, + NULL, void, + struct dp_get_acct_domain_data, struct dp_reply_std); + + return EOK; +} diff --git a/src/providers/files/files_ops.c b/src/providers/files/files_ops.c new file mode 100644 index 0000000..f5a4029 --- /dev/null +++ b/src/providers/files/files_ops.c 
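Review bot: When `SSS_FILES_GROUP` is set, the trace message after the group override in `files_init_file_sources` still prints the compile-time `DEFAULT_GROUP_FILE`, unlike the passwd branch which prints `dfl_passwd_files`; the debug log then reports `/etc/group` while the provider defaults to a different file. Pass the selected value instead: `"Using default group file: [%s].\n", env_group_files);`. Because `SSS_FILES_PASSWD` and `SSS_FILES_GROUP` redirect the identity source of the files domain and the alert text itself says they are for testing only, consider compiling the `getenv()` override only into test builds; how the backend's environment is populated is not visible in this hunk. A short comment above the function stating the precedence the calls appear to implement (confdb value, else environment variable, else built-in default) would also help, as would naming the two variables consistently (`dfl_passwd_files` vs `env_group_files`).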
@@ -0,0 +1,964 @@ +/* + SSSD + + Files provider operations + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include + +#include "config.h" + +#include "providers/files/files_private.h" +#include "db/sysdb.h" +#include "util/inotify.h" +#include "util/util.h" + +/* When changing this constant, make sure to also adjust the files integration + * test for reallocation branch + */ +#define FILES_REALLOC_CHUNK 64 + +#define PWD_MAXSIZE 1024 +#define GRP_MAXSIZE 2048 + +#define SF_UPDATE_PASSWD 1<<0 +#define SF_UPDATE_GROUP 1<<1 +#define SF_UPDATE_BOTH (SF_UPDATE_PASSWD | SF_UPDATE_GROUP) + +struct files_ctx { + struct files_ops_ctx *ops; +}; + +static errno_t enum_files_users(TALLOC_CTX *mem_ctx, + struct files_id_ctx *id_ctx, + const char *passwd_file, + struct passwd ***_users) +{ + errno_t ret, close_ret; + struct passwd *pwd_iter = NULL; + struct passwd *pwd = NULL; + struct passwd **users = NULL; + FILE *pwd_handle = NULL; + size_t n_users = 0; + + pwd_handle = fopen(passwd_file, "r"); + if (pwd_handle == NULL) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot open passwd file %s [%d]\n", + passwd_file, ret); + goto done; + } + + users = talloc_zero_array(mem_ctx, struct passwd *, + FILES_REALLOC_CHUNK); + if (users == NULL) { + ret = ENOMEM; + goto done; + } + + while ((pwd_iter = fgetpwent(pwd_handle)) != NULL) { + /* FIXME - we might want to support paging of sorts to avoid 
allocating + * all users atop a memory context or only return users that differ from + * the local storage as a diff to minimize memory spikes + */ + DEBUG(SSSDBG_TRACE_LIBS, + "User found (%s, %s, %"SPRIuid", %"SPRIgid", %s, %s, %s)\n", + pwd_iter->pw_name, pwd_iter->pw_passwd, + pwd_iter->pw_uid, pwd_iter->pw_gid, + pwd_iter->pw_gecos, pwd_iter->pw_dir, + pwd_iter->pw_shell); + + pwd = talloc_zero(users, struct passwd); + if (pwd == NULL) { + ret = ENOMEM; + goto done; + } + + pwd->pw_uid = pwd_iter->pw_uid; + pwd->pw_gid = pwd_iter->pw_gid; + + pwd->pw_name = talloc_strdup(pwd, pwd_iter->pw_name); + if (pwd->pw_name == NULL) { + /* We only check pw_name here on purpose to allow broken + * records to be optionally rejected when saving them + * or fallback values to be used. + */ + ret = ENOMEM; + goto done; + } + + pwd->pw_dir = talloc_strdup(pwd, pwd_iter->pw_dir); + pwd->pw_gecos = talloc_strdup(pwd, pwd_iter->pw_gecos); + pwd->pw_shell = talloc_strdup(pwd, pwd_iter->pw_shell); + pwd->pw_passwd = talloc_strdup(pwd, pwd_iter->pw_passwd); + + users[n_users] = pwd; + n_users++; + if (n_users % FILES_REALLOC_CHUNK == 0) { + users = talloc_realloc(mem_ctx, + users, + struct passwd *, + talloc_array_length(users) + FILES_REALLOC_CHUNK); + if (users == NULL) { + ret = ENOMEM; + goto done; + } + } + } + + ret = EOK; + users[n_users] = NULL; + *_users = users; +done: + if (ret != EOK) { + talloc_free(users); + } + + if (pwd_handle) { + close_ret = fclose(pwd_handle); + if (close_ret != 0) { + close_ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot close passwd file %s [%d]\n", + passwd_file, close_ret); + } + } + return ret; +} + +static errno_t enum_files_groups(TALLOC_CTX *mem_ctx, + struct files_id_ctx *id_ctx, + const char *group_file, + struct group ***_groups) +{ + errno_t ret, close_ret; + struct group *grp_iter = NULL; + struct group *grp = NULL; + struct group **groups = NULL; + size_t n_groups = 0; + FILE *grp_handle = NULL; + + grp_handle = 
fopen(group_file, "r"); + if (grp_handle == NULL) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot open group file %s [%d]\n", + group_file, ret); + goto done; + } + + groups = talloc_zero_array(mem_ctx, struct group *, + FILES_REALLOC_CHUNK); + if (groups == NULL) { + ret = ENOMEM; + goto done; + } + + while ((grp_iter = fgetgrent(grp_handle)) != NULL) { + DEBUG(SSSDBG_TRACE_LIBS, + "Group found (%s, %"SPRIgid")\n", + grp_iter->gr_name, grp_iter->gr_gid); + + grp = talloc_zero(groups, struct group); + if (grp == NULL) { + ret = ENOMEM; + goto done; + } + + grp->gr_gid = grp_iter->gr_gid; + grp->gr_name = talloc_strdup(grp, grp_iter->gr_name); + if (grp->gr_name == NULL) { + /* We only check gr_name here on purpose to allow broken + * records to be optionally rejected when saving them + * or fallback values to be used. + */ + ret = ENOMEM; + goto done; + } + grp->gr_passwd = talloc_strdup(grp, grp_iter->gr_passwd); + + if (grp_iter->gr_mem != NULL) { + size_t nmem; + + for (nmem = 0; grp_iter->gr_mem[nmem] != NULL; nmem++); + + grp->gr_mem = talloc_zero_array(grp, char *, nmem + 1); + if (grp->gr_mem == NULL) { + ret = ENOMEM; + goto done; + } + + for (nmem = 0; grp_iter->gr_mem[nmem] != NULL; nmem++) { + grp->gr_mem[nmem] = talloc_strdup(grp, grp_iter->gr_mem[nmem]); + if (grp->gr_mem[nmem] == NULL) { + ret = ENOMEM; + goto done; + } + } + } + + groups[n_groups] = grp; + n_groups++; + if (n_groups % FILES_REALLOC_CHUNK == 0) { + groups = talloc_realloc(mem_ctx, + groups, + struct group *, + talloc_array_length(groups) + FILES_REALLOC_CHUNK); + if (groups == NULL) { + ret = ENOMEM; + goto done; + } + } + } + + ret = EOK; + groups[n_groups] = NULL; + *_groups = groups; +done: + if (ret != EOK) { + talloc_free(groups); + } + + if (grp_handle) { + close_ret = fclose(grp_handle); + if (close_ret != 0) { + close_ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot close group file %s [%d]\n", + group_file, close_ret); + } + } + return ret; +} + +static errno_t 
delete_all_users(struct sss_domain_info *dom) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *base_dn; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n"); + return ENOMEM; + } + + base_dn = sysdb_user_base_dn(tmp_ctx, dom); + if (base_dn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_delete_recursive(dom->sysdb, base_dn, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to delete users subtree [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t save_file_user(struct files_id_ctx *id_ctx, + struct passwd *pw) +{ + errno_t ret; + char *fqname; + TALLOC_CTX *tmp_ctx = NULL; + const char *shell; + const char *gecos; + struct sysdb_attrs *attrs = NULL; + + if (strcmp(pw->pw_name, "root") == 0 + || pw->pw_uid == 0 + || pw->pw_gid == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Skipping %s\n", pw->pw_name); + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + fqname = sss_create_internal_fqname(tmp_ctx, pw->pw_name, + id_ctx->domain->name); + if (fqname == NULL) { + ret = ENOMEM; + goto done; + } + + attrs = sysdb_new_attrs(tmp_ctx); + if (attrs == NULL) { + ret = ENOMEM; + goto done; + } + + if (pw->pw_shell && pw->pw_shell[0] != '\0') { + shell = pw->pw_shell; + } else { + shell = NULL; + } + + if (pw->pw_gecos && pw->pw_gecos[0] != '\0') { + gecos = pw->pw_gecos; + } else { + gecos = NULL; + } + + /* FIXME - optimize later */ + ret = sysdb_store_user(id_ctx->domain, + fqname, + pw->pw_passwd, + pw->pw_uid, + pw->pw_gid, + gecos, + pw->pw_dir, + shell, + NULL, attrs, + NULL, 0, 0); + if (ret != EOK) { + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t refresh_override_attrs(struct files_id_ctx *id_ctx, + enum sysdb_member_type type) +{ + const char 
*override_attrs[] = { SYSDB_OVERRIDE_OBJECT_DN, + NULL}; + struct ldb_dn *base_dn; + size_t count; + struct ldb_message **msgs; + struct ldb_message *msg = NULL; + struct ldb_context *ldb_ctx; + size_t c; + TALLOC_CTX *tmp_ctx; + int ret; + const char *filter; + + ldb_ctx = sysdb_ctx_get_ldb(id_ctx->domain->sysdb); + if (ldb_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing ldb_context.\n"); + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + filter = talloc_asprintf(tmp_ctx, "%s=%s", SYSDB_OBJECTCLASS, + type == SYSDB_MEMBER_USER ? + SYSDB_OVERRIDE_USER_CLASS : + SYSDB_OVERRIDE_GROUP_CLASS ); + if (filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + base_dn = ldb_dn_new(tmp_ctx, ldb_ctx, SYSDB_TMPL_VIEW_BASE); + if (base_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_entry(tmp_ctx, id_ctx->domain->sysdb, base_dn, + LDB_SCOPE_SUBTREE, filter, + override_attrs, &count, &msgs); + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "No overrides, nothing to do.\n"); + ret = EOK; + } else { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n"); + } + goto done; + } + + for (c = 0; c < count; c++) { + talloc_free(msg); + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + ret = ENOMEM; + goto done; + } + + msg->dn = ldb_msg_find_attr_as_dn(ldb_ctx, tmp_ctx, msgs[c], + SYSDB_OVERRIDE_OBJECT_DN); + if (msg->dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get object DN, skipping.\n"); + continue; + } + + ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_ADD, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty failed.\n"); + continue; + } + + ret = ldb_msg_add_string(msg, SYSDB_OVERRIDE_DN, + ldb_dn_get_linearized(msgs[c]->dn)); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_string failed.\n"); + 
continue; + } + + ret = ldb_modify(ldb_ctx, msg); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store override DN: %s(%d)[%s], skipping.\n", + ldb_strerror(ret), ret, ldb_errstring(ldb_ctx)); + continue; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t sf_enum_groups(struct files_id_ctx *id_ctx, + const char *group_file); + +errno_t sf_enum_users(struct files_id_ctx *id_ctx, + const char *passwd_file) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + struct passwd **users = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = enum_files_users(tmp_ctx, id_ctx, passwd_file, + &users); + if (ret != EOK) { + goto done; + } + + for (size_t i = 0; users[i]; i++) { + ret = save_file_user(id_ctx, users[i]); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot save user %s: [%d]: %s\n", + users[i]->pw_name, ret, sss_strerror(ret)); + continue; + } + } + + ret = refresh_override_attrs(id_ctx, SYSDB_MEMBER_USER); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to refresh override attributes, " + "override values might not be available.\n"); + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static const char **get_cached_user_names(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom) +{ + errno_t ret; + struct ldb_result *res = NULL; + const char **user_names = NULL; + unsigned c = 0; + + ret = sysdb_enumpwent(mem_ctx, dom, &res); + if (ret != EOK) { + goto done; + } + + user_names = talloc_zero_array(mem_ctx, const char *, res->count + 1); + if (user_names == NULL) { + goto done; + } + + for (unsigned i = 0; i < res->count; i++) { + user_names[c] = ldb_msg_find_attr_as_string(res->msgs[i], + SYSDB_NAME, + NULL); + if (user_names[c] == NULL) { + continue; + } + c++; + } + +done: + /* Don't free res and keep it around to avoid duplicating the names */ + return user_names; +} + +static errno_t delete_all_groups(struct sss_domain_info 
*dom) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *base_dn; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n"); + return ENOMEM; + } + + base_dn = sysdb_group_base_dn(tmp_ctx, dom); + if (base_dn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_delete_recursive(dom->sysdb, base_dn, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to delete groups subtree [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t save_file_group(struct files_id_ctx *id_ctx, + struct group *grp, + const char **cached_users) +{ + errno_t ret; + char *fqname; + struct sysdb_attrs *attrs = NULL; + TALLOC_CTX *tmp_ctx = NULL; + char **fq_gr_files_mem; + const char **fq_gr_mem; + unsigned mi = 0; + + if (strcmp(grp->gr_name, "root") == 0 + || grp->gr_gid == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Skipping %s\n", grp->gr_name); + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + fqname = sss_create_internal_fqname(tmp_ctx, grp->gr_name, + id_ctx->domain->name); + if (fqname == NULL) { + ret = ENOMEM; + goto done; + + } + + attrs = sysdb_new_attrs(tmp_ctx); + if (attrs == NULL) { + ret = ENOMEM; + goto done; + } + + if (grp->gr_mem && grp->gr_mem[0]) { + fq_gr_files_mem = sss_create_internal_fqname_list( + tmp_ctx, + (const char *const*) grp->gr_mem, + id_ctx->domain->name); + if (fq_gr_files_mem == NULL) { + ret = ENOMEM; + goto done; + } + + fq_gr_mem = talloc_zero_array(tmp_ctx, const char *, + talloc_array_length(fq_gr_files_mem)); + if (fq_gr_mem == NULL) { + ret = ENOMEM; + goto done; + } + + for (unsigned i=0; fq_gr_files_mem[i] != NULL; i++) { + if (string_in_list(fq_gr_files_mem[i], + discard_const(cached_users), + true)) { + fq_gr_mem[mi] = fq_gr_files_mem[i]; + mi++; + + DEBUG(SSSDBG_TRACE_LIBS, + "User %s is cached, 
will become a member of %s\n", + fq_gr_files_mem[i], grp->gr_name); + } else { + ret = sysdb_attrs_add_string(attrs, + SYSDB_GHOST, + fq_gr_files_mem[i]); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot add ghost %s for group %s\n", + fq_gr_files_mem[i], fqname); + continue; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "User %s is not cached, will become a ghost of %s\n", + fq_gr_files_mem[i], grp->gr_name); + } + } + + if (fq_gr_mem != NULL && fq_gr_mem[0] != NULL) { + ret = sysdb_attrs_users_from_str_list( + attrs, SYSDB_MEMBER, id_ctx->domain->name, + (const char *const *) fq_gr_mem); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add group members\n"); + goto done; + } + } + + } + + ret = sysdb_store_group(id_ctx->domain, fqname, grp->gr_gid, + attrs, 0, 0); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add group to cache\n"); + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sf_enum_groups(struct files_id_ctx *id_ctx, + const char *group_file) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + struct group **groups = NULL; + const char **cached_users = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = enum_files_groups(tmp_ctx, id_ctx, group_file, + &groups); + if (ret != EOK) { + goto done; + } + + cached_users = get_cached_user_names(tmp_ctx, id_ctx->domain); + if (cached_users == NULL) { + goto done; + } + + for (size_t i = 0; groups[i]; i++) { + ret = save_file_group(id_ctx, groups[i], cached_users); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot save group %s\n", groups[i]->gr_name); + continue; + } + } + + ret = refresh_override_attrs(id_ctx, SYSDB_MEMBER_GROUP); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to refresh override attributes, " + "override values might not be available.\n"); + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sf_enum_files(struct files_id_ctx *id_ctx, + uint8_t 
flags) +{ + errno_t ret; + errno_t tret; + bool in_transaction = false; + + ret = sysdb_transaction_start(id_ctx->domain->sysdb); + if (ret != EOK) { + goto done; + } + in_transaction = true; + + if (flags & SF_UPDATE_PASSWD) { + ret = delete_all_users(id_ctx->domain); + if (ret != EOK) { + goto done; + } + + /* All users were deleted, therefore we need to enumerate each file again */ + for (size_t i = 0; id_ctx->passwd_files[i] != NULL; i++) { + ret = sf_enum_users(id_ctx, id_ctx->passwd_files[i]); + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "The file %s does not exist (yet), skipping\n", + id_ctx->passwd_files[i]); + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot enumerate users from %s, aborting\n", + id_ctx->passwd_files[i]); + goto done; + } + } + } + + if (flags & SF_UPDATE_GROUP) { + ret = delete_all_groups(id_ctx->domain); + if (ret != EOK) { + goto done; + } + + /* All groups were deleted, therefore we need to enumerate each file again */ + for (size_t i = 0; id_ctx->group_files[i] != NULL; i++) { + ret = sf_enum_groups(id_ctx, id_ctx->group_files[i]); + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "The file %s does not exist (yet), skipping\n", + id_ctx->group_files[i]); + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot enumerate groups from %s, aborting\n", + id_ctx->group_files[i]); + goto done; + } + } + } + + ret = sysdb_transaction_commit(id_ctx->domain->sysdb); + if (ret != EOK) { + goto done; + } + in_transaction = false; + + ret = EOK; +done: + if (in_transaction) { + tret = sysdb_transaction_cancel(id_ctx->domain->sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot cancel transaction: %d\n", ret); + } + } + + return ret; +} + +static void sf_cb_done(struct files_id_ctx *id_ctx) +{ + /* Only activate a domain when both callbacks are done */ + if (id_ctx->updating_passwd == false + && id_ctx->updating_groups == false) { + 
dp_sbus_domain_active(id_ctx->be->provider, + id_ctx->domain); + } +} + +static int sf_passwd_cb(const char *filename, uint32_t flags, void *pvt) +{ + struct files_id_ctx *id_ctx; + errno_t ret; + + id_ctx = talloc_get_type(pvt, struct files_id_ctx); + if (id_ctx == NULL) { + return EINVAL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "passwd notification\n"); + + id_ctx->updating_passwd = true; + dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain); + + dp_sbus_reset_users_ncache(id_ctx->be->provider, id_ctx->domain); + dp_sbus_reset_users_memcache(id_ctx->be->provider); + dp_sbus_reset_initgr_memcache(id_ctx->be->provider); + + /* Using SF_UDPATE_BOTH here the case when someone edits /etc/group, adds a group member and + * only then edits passwd and adds the user. The reverse is not needed, + * because member/memberof links are established when groups are saved. + */ + ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not update files: [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; +done: + id_ctx->updating_passwd = false; + sf_cb_done(id_ctx); + files_account_info_finished(id_ctx, BE_REQ_USER, ret); + return ret; +} + +static int sf_group_cb(const char *filename, uint32_t flags, void *pvt) +{ + struct files_id_ctx *id_ctx; + errno_t ret; + + id_ctx = talloc_get_type(pvt, struct files_id_ctx); + if (id_ctx == NULL) { + return EINVAL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "group notification\n"); + + id_ctx->updating_groups = true; + dp_sbus_domain_inconsistent(id_ctx->be->provider, id_ctx->domain); + + dp_sbus_reset_groups_ncache(id_ctx->be->provider, id_ctx->domain); + dp_sbus_reset_groups_memcache(id_ctx->be->provider); + dp_sbus_reset_initgr_memcache(id_ctx->be->provider); + + ret = sf_enum_files(id_ctx, SF_UPDATE_GROUP); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not update files: [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; +done: + 
id_ctx->updating_groups = false; + sf_cb_done(id_ctx); + files_account_info_finished(id_ctx, BE_REQ_GROUP, ret); + return ret; +} + +static void startup_enum_files(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + struct files_id_ctx *id_ctx = talloc_get_type(pvt, struct files_id_ctx); + errno_t ret; + + talloc_zfree(imm); + + ret = sf_enum_files(id_ctx, SF_UPDATE_BOTH); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not update files after startup: [%d]: %s\n", + ret, sss_strerror(ret)); + } +} + +static struct snotify_ctx *sf_setup_watch(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *filename, + snotify_cb_fn fn, + struct files_id_ctx *id_ctx) +{ + return snotify_create(mem_ctx, ev, SNOTIFY_WATCH_DIR, + filename, NULL, + IN_DELETE_SELF | IN_CLOSE_WRITE | IN_MOVE_SELF | \ + IN_CREATE | IN_MOVED_TO, + fn, id_ctx); +} + +struct files_ctx *sf_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char **passwd_files, + const char **group_files, + struct files_id_ctx *id_ctx) +{ + struct files_ctx *fctx; + struct tevent_immediate *imm; + int i; + struct snotify_ctx *snctx; + + fctx = talloc(mem_ctx, struct files_ctx); + if (fctx == NULL) { + return NULL; + } + + for (i = 0; passwd_files[i]; i++) { + snctx = sf_setup_watch(fctx, ev, passwd_files[i], + sf_passwd_cb, id_ctx); + if (snctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot set watch for passwd file %s\n", passwd_files[i]); + /* Rather than reporting incomplete or inconsistent information + * in case e.g. group memberships span multiple files, just abort + */ + talloc_free(fctx); + return NULL; + } + } + + for (i = 0; group_files[i]; i++) { + snctx = sf_setup_watch(fctx, ev, group_files[i], + sf_group_cb, id_ctx); + if (snctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot set watch for group file %s\n", group_files[i]); + /* Rather than reporting incomplete or inconsistent information + * in case e.g. 
group memberships span multiple files, just abort + */ + talloc_free(fctx); + return NULL; + } + } + + /* Enumerate users and groups on startup to process any changes when + * sssd was down. We schedule a request here to minimize the time + * we spend in the init function + */ + imm = tevent_create_immediate(id_ctx); + if (imm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_create_immediate failed.\n"); + talloc_free(fctx); + return NULL; + } + tevent_schedule_immediate(imm, ev, startup_enum_files, id_ctx); + + return fctx; +} diff --git a/src/providers/files/files_private.h b/src/providers/files/files_private.h new file mode 100644 index 0000000..f44e6d4 --- /dev/null +++ b/src/providers/files/files_private.h 
@@ -0,0 +1,74 @@
+/*
+ SSSD
+
+ Files provider declarations
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __FILES_PRIVATE_H_
+#define __FILES_PRIVATE_H_
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "providers/data_provider/dp.h"
+
+struct files_id_ctx {
+ struct be_ctx *be;
+ struct sss_domain_info *domain;
+ struct files_ctx *fctx;
+
+ const char **passwd_files;
+ const char **group_files;
+
+ bool updating_passwd;
+ bool updating_groups;
+
+ struct tevent_req *users_req;
+ struct tevent_req *groups_req;
+ struct tevent_req *initgroups_req;
+};
+
+/* files_ops.c */
+struct files_ctx *sf_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char **passwd_files,
+ const char **group_files,
+ struct files_id_ctx *id_ctx);
+
+/* files_id.c */
+struct tevent_req *
+files_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct files_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params);
+
+errno_t files_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+void files_account_info_finished(struct files_id_ctx *id_ctx,
+ int req_type,
+ errno_t ret);
+#endif /* __FILES_PRIVATE_H_ */
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
new file mode 100644
index 0000000..de9f681
--- /dev/null
+++ b/src/providers/ipa/ipa_access.c 
@@ -0,0 +1,761 @@ +/* + SSSD + + IPA Backend Module -- Access control + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_access.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_access.h" +#include "providers/ipa/ipa_hosts.h" +#include "providers/ipa/ipa_hbac_private.h" +#include "providers/ipa/ipa_hbac_rules.h" +#include "providers/ipa/ipa_rules_common.h" + +/* External logging function for HBAC. */ +void hbac_debug_messages(const char *file, int line, + const char *function, + enum hbac_debug_level level, + const char *fmt, ...) 
+{ + int loglevel; + + switch(level) { + case HBAC_DBG_FATAL: + loglevel = SSSDBG_FATAL_FAILURE; + break; + case HBAC_DBG_ERROR: + loglevel = SSSDBG_OP_FAILURE; + break; + case HBAC_DBG_WARNING: + loglevel = SSSDBG_MINOR_FAILURE; + break; + case HBAC_DBG_INFO: + loglevel = SSSDBG_CONF_SETTINGS; + break; + case HBAC_DBG_TRACE: + loglevel = SSSDBG_TRACE_INTERNAL; + break; + default: + loglevel = SSSDBG_UNRESOLVED; + break; + } + + if (DEBUG_IS_SET(loglevel)) { + va_list ap; + + va_start(ap, fmt); + sss_vdebug_fn(file, line, function, loglevel, 0, fmt, ap); + va_end(ap); + } +} + +enum hbac_result { + HBAC_ALLOW = 1, + HBAC_DENY, + HBAC_NOT_APPLICABLE +}; + +enum check_result { + RULE_APPLICABLE = 0, + RULE_NOT_APPLICABLE, + RULE_ERROR +}; + +struct ipa_fetch_hbac_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct sdap_id_ctx *sdap_ctx; + struct ipa_access_ctx *access_ctx; + struct sdap_id_op *sdap_op; + struct dp_option *ipa_options; + + struct sdap_search_base **search_bases; + + /* Hosts */ + struct ipa_common_entries *hosts; + struct sysdb_attrs *ipa_host; + + /* Rules */ + struct ipa_common_entries *rules; + + /* Services */ + struct ipa_common_entries *services; +}; + +static errno_t ipa_fetch_hbac_retry(struct tevent_req *req); +static void ipa_fetch_hbac_connect_done(struct tevent_req *subreq); +static errno_t ipa_fetch_hbac_hostinfo(struct tevent_req *req); +static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq); +static void ipa_fetch_hbac_services_done(struct tevent_req *subreq); +static void ipa_fetch_hbac_rules_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_fetch_hbac_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_access_ctx *access_ctx) +{ + struct ipa_fetch_hbac_state *state; + struct tevent_req *req; + time_t now, refresh_interval; + bool offline; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_fetch_hbac_state); + if (req == 
NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->access_ctx = access_ctx; + state->sdap_ctx = access_ctx->sdap_ctx; + state->ipa_options = access_ctx->ipa_options; + state->search_bases = access_ctx->hbac_search_bases; + state->hosts = talloc_zero(state, struct ipa_common_entries); + if (state->hosts == NULL) { + ret = ENOMEM; + goto immediately; + } + state->services = talloc_zero(state, struct ipa_common_entries); + if (state->hosts == NULL) { + ret = ENOMEM; + goto immediately; + } + state->rules = talloc_zero(state, struct ipa_common_entries); + if (state->rules == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (state->search_bases == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No HBAC search base found.\n"); + ret = EINVAL; + goto immediately; + } + + state->sdap_op = sdap_id_op_create(state, state->sdap_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n"); + ret = ENOMEM; + goto immediately; + } + + offline = be_is_offline(be_ctx); + DEBUG(SSSDBG_TRACE_ALL, "Connection status is [%s].\n", + offline ? 
"offline" : "online"); + + refresh_interval = dp_opt_get_int(state->ipa_options, IPA_HBAC_REFRESH); + now = time(NULL); + + if (offline || now < access_ctx->last_update + refresh_interval) { + DEBUG(SSSDBG_TRACE_FUNC, "Performing cached HBAC evaluation\n"); + ret = EOK; + goto immediately; + } + + ret = ipa_fetch_hbac_retry(req); + if (ret != EAGAIN) { + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t ipa_fetch_hbac_retry(struct tevent_req *req) +{ + struct ipa_fetch_hbac_state *state; + struct tevent_req *subreq; + int ret; + + state = tevent_req_data(req, struct ipa_fetch_hbac_state); + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed: " + "%d(%s)\n", ret, strerror(ret)); + return ret; + } + + tevent_req_set_callback(subreq, ipa_fetch_hbac_connect_done, req); + + return EAGAIN; +} + +static void ipa_fetch_hbac_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + if (dp_error == DP_ERR_OFFLINE) { + ret = EOK; + goto done; + } + + ret = ipa_fetch_hbac_hostinfo(req); + if (ret == EAGAIN) { + return; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t ipa_fetch_hbac_hostinfo(struct tevent_req *req) +{ + struct ipa_fetch_hbac_state *state; + struct tevent_req *subreq; + const char *hostname; + bool srchost; + + state = tevent_req_data(req, struct ipa_fetch_hbac_state); + + srchost = dp_opt_get_bool(state->ipa_options, IPA_HBAC_SUPPORT_SRCHOST); + if (srchost) { + /* Support srchost + * -> we don't want any 
particular host, + * we want all hosts + */ + hostname = NULL; + + /* THIS FEATURE IS DEPRECATED */ + DEBUG(SSSDBG_MINOR_FAILURE, "WARNING: Using deprecated option " + "ipa_hbac_support_srchost.\n"); + sss_log(SSS_LOG_NOTICE, "WARNING: Using deprecated option " + "ipa_hbac_support_srchost.\n"); + } else { + hostname = dp_opt_get_string(state->ipa_options, IPA_HOSTNAME); + } + + subreq = ipa_host_info_send(state, state->ev, + sdap_id_op_handle(state->sdap_op), + state->sdap_ctx->opts, hostname, + state->access_ctx->host_map, + state->access_ctx->hostgroup_map, + state->access_ctx->host_search_bases); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_fetch_hbac_hostinfo_done, req); + + return EAGAIN; +} + +static void ipa_fetch_hbac_hostinfo_done(struct tevent_req *subreq) +{ + struct ipa_fetch_hbac_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_fetch_hbac_state); + + ret = ipa_host_info_recv(subreq, state, + &state->hosts->entry_count, + &state->hosts->entries, + &state->hosts->group_count, + &state->hosts->groups); + state->hosts->entry_subdir = HBAC_HOSTS_SUBDIR; + state->hosts->group_subdir = HBAC_HOSTGROUPS_SUBDIR; + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + subreq = ipa_hbac_service_info_send(state, state->ev, + sdap_id_op_handle(state->sdap_op), + state->sdap_ctx->opts, + state->search_bases); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ipa_fetch_hbac_services_done, req); + + return; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static void ipa_fetch_hbac_services_done(struct tevent_req *subreq) +{ + struct ipa_fetch_hbac_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct 
ipa_fetch_hbac_state); + + ret = ipa_hbac_service_info_recv(subreq, state, + &state->services->entry_count, + &state->services->entries, + &state->services->group_count, + &state->services->groups); + state->services->entry_subdir = HBAC_SERVICES_SUBDIR; + state->services->group_subdir = HBAC_SERVICEGROUPS_SUBDIR; + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + /* Get the ipa_host attrs */ + ret = ipa_get_host_attrs(state->ipa_options, + state->hosts->entry_count, + state->hosts->entries, + &state->ipa_host); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not locate IPA host.\n"); + goto done; + } + + subreq = ipa_hbac_rule_info_send(state, state->ev, + sdap_id_op_handle(state->sdap_op), + state->sdap_ctx->opts, + state->search_bases, + state->ipa_host); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ipa_fetch_hbac_rules_done, req); + + return; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static void ipa_fetch_hbac_rules_done(struct tevent_req *subreq) +{ + struct ipa_fetch_hbac_state *state = NULL; + struct tevent_req *req = NULL; + int dp_error; + errno_t ret; + bool found; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_fetch_hbac_state); + + ret = ipa_hbac_rule_info_recv(subreq, state, + &state->rules->entry_count, + &state->rules->entries); + state->rules->entry_subdir = HBAC_RULES_SUBDIR; + talloc_zfree(subreq); + if (ret == ENOENT) { + /* Set ret to EOK so we can safely call sdap_id_op_done. 
*/ + found = false; + ret = EOK; + } else if (ret == EOK) { + found = true; + } else { + goto done; + } + + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = ipa_fetch_hbac_retry(req); + if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + return; + } else if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + if (found == false) { + /* No rules were found that apply to this host. */ + ret = ipa_common_purge_rules(state->be_ctx->domain, + HBAC_RULES_SUBDIR); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove HBAC rules\n"); + goto done; + } + + ret = ENOENT; + goto done; + } + + ret = ipa_common_save_rules(state->be_ctx->domain, + state->hosts, state->services, state->rules, + &state->access_ctx->last_update); + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to save HBAC rules\n"); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t ipa_fetch_hbac_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +errno_t ipa_hbac_evaluate_rules(struct be_ctx *be_ctx, + struct dp_option *ipa_options, + struct pam_data *pd) +{ + TALLOC_CTX *tmp_ctx; + struct hbac_ctx hbac_ctx; + struct hbac_rule **hbac_rules; + struct hbac_eval_req *eval_req; + enum hbac_eval_result result; + struct hbac_info *info = NULL; + const char **attrs_get_cached_rules; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + hbac_ctx.be_ctx = be_ctx; + hbac_ctx.ipa_options = ipa_options; + hbac_ctx.pd = pd; + + /* Get HBAC rules from the sysdb */ + attrs_get_cached_rules = hbac_get_attrs_to_get_cached_rules(tmp_ctx); + if (attrs_get_cached_rules == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "hbac_get_attrs_to_get_cached_rules() failed\n"); + ret = ENOMEM; + goto done; + } + ret = ipa_common_get_cached_rules(tmp_ctx, 
be_ctx->domain, + IPA_HBAC_RULE, HBAC_RULES_SUBDIR, + attrs_get_cached_rules, + &hbac_ctx.rule_count, &hbac_ctx.rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not retrieve rules from the cache\n"); + goto done; + } + + ret = hbac_ctx_to_rules(tmp_ctx, &hbac_ctx, &hbac_rules, &eval_req); + if (ret == EPERM) { + DEBUG(SSSDBG_CRIT_FAILURE, + "DENY rules detected. Denying access to all users\n"); + ret = ERR_ACCESS_DENIED; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct HBAC rules\n"); + goto done; + } + + hbac_enable_debug(hbac_debug_messages); + + result = hbac_evaluate(hbac_rules, eval_req, &info); + if (result == HBAC_EVAL_ALLOW) { + DEBUG(SSSDBG_MINOR_FAILURE, "Access granted by HBAC rule [%s]\n", + info->rule_name); + ret = EOK; + goto done; + } else if (result == HBAC_EVAL_ERROR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error [%s] occurred in rule [%s]\n", + hbac_error_string(info->code), info->rule_name); + ret = EIO; + goto done; + } else if (result == HBAC_EVAL_OOM) { + DEBUG(SSSDBG_CRIT_FAILURE, "Insufficient memory\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_MINOR_FAILURE, "Access denied by HBAC rules\n"); + ret = ERR_ACCESS_DENIED; + +done: + hbac_free_info(info); + talloc_free(tmp_ctx); + return ret; +} + +struct ipa_pam_access_handler_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct ipa_access_ctx *access_ctx; + struct pam_data *pd; +}; + +static void ipa_pam_access_handler_sdap_done(struct tevent_req *subreq); +static void ipa_pam_access_handler_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_pam_access_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_access_ctx *access_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct ipa_pam_access_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_pam_access_handler_state); + if (req == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + state->ev = params->ev; + state->be_ctx = params->be_ctx; + state->access_ctx = access_ctx; + + subreq = sdap_access_send(state, params->ev, params->be_ctx, + params->domain, access_ctx->sdap_access_ctx, + access_ctx->sdap_ctx->conn, pd); + if (subreq == NULL) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_pam_access_handler_sdap_done, req); + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ipa_pam_access_handler_sdap_done(struct tevent_req *subreq) +{ + struct ipa_pam_access_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_access_handler_state); + + ret = sdap_access_recv(subreq); + talloc_free(subreq); + switch (ret) { + case EOK: + /* Account wasn't locked. Continue below to HBAC processing. */ + break; + case ERR_ACCESS_DENIED: + /* Account was locked. Return permission denied here. */ + state->pd->pam_status = PAM_PERM_DENIED; + goto done; + case ERR_ACCOUNT_EXPIRED: + state->pd->pam_status = PAM_ACCT_EXPIRED; + goto done; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result " + "[%d]: %s.\n", ret, sss_strerror(ret)); + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + } + + subreq = ipa_fetch_hbac_send(state, state->ev, state->be_ctx, + state->access_ctx); + if (subreq == NULL) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + tevent_req_set_callback(subreq, ipa_pam_access_handler_done, req); + + return; + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +static void ipa_pam_access_handler_done(struct tevent_req *subreq) +{ + struct ipa_pam_access_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_access_handler_state); + + ret = ipa_fetch_hbac_recv(subreq); + talloc_free(subreq); + + if (ret == ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "No HBAC rules find, denying access\n"); + state->pd->pam_status = PAM_PERM_DENIED; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to fetch HBAC rules [%d]: %s\n", + ret, sss_strerror(ret)); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + ret = ipa_hbac_evaluate_rules(state->be_ctx, + state->access_ctx->ipa_options, state->pd); + if (ret == EOK) { + state->pd->pam_status = PAM_SUCCESS; + } else if (ret == ERR_ACCESS_DENIED) { + state->pd->pam_status = PAM_PERM_DENIED; + } else { + state->pd->pam_status = PAM_SYSTEM_ERR; + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +errno_t +ipa_pam_access_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct ipa_pam_access_handler_state *state = NULL; + + state = tevent_req_data(req, struct ipa_pam_access_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} + +struct ipa_refresh_access_rules_state { + int dummy; +}; + +static void ipa_refresh_access_rules_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_refresh_access_rules_send(TALLOC_CTX *mem_ctx, + struct ipa_access_ctx *access_ctx, + void *no_input_data, + struct dp_req_params *params) +{ + struct ipa_refresh_access_rules_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + DEBUG(SSSDBG_TRACE_FUNC, "Refreshing HBAC rules\n"); + + req = tevent_req_create(mem_ctx, &state, + struct ipa_refresh_access_rules_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return NULL; + } + + subreq = ipa_fetch_hbac_send(state, params->ev, params->be_ctx, access_ctx); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + tevent_req_post(req, params->ev); + return req; + } + + tevent_req_set_callback(subreq, ipa_refresh_access_rules_done, req); + + return req; +} + +static void ipa_refresh_access_rules_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + ret = ipa_fetch_hbac_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); + return; +} + +errno_t ipa_refresh_access_rules_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + void **_no_output_data) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ipa/ipa_access.h b/src/providers/ipa/ipa_access.h new file mode 100644 index 0000000..9cec0d1 --- /dev/null 
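Review bot: In `ipa_pam_access_handler_sdap_done` the `default:` arm of the switch on `sdap_access_recv()` sets `PAM_SYSTEM_ERR` and then uses `break`, so an unexpected error from the LDAP access check continues into `ipa_fetch_hbac_send()`. Every path in `ipa_pam_access_handler_done` then reassigns `pd->pam_status`, including to `PAM_SUCCESS` when `ipa_hbac_evaluate_rules()` returns EOK, so the error status is overwritten and the preceding access check fails open. The arm should end with `goto done;` like the `ERR_ACCESS_DENIED` and `ERR_ACCOUNT_EXPIRED` arms. Separately, in `ipa_fetch_hbac_send` the allocation of `state->services` is followed by `if (state->hosts == NULL)`, so a failed allocation goes unnoticed and `state->services->entry_count` is dereferenced later in `ipa_fetch_hbac_services_done`; the check should read `if (state->services == NULL) {`.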
+++ b/src/providers/ipa/ipa_access.h 
@@ -0,0 +1,76 @@
+/*
+ SSSD
+
+ IPA Backend Module -- Access control
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _IPA_ACCESS_H_
+#define _IPA_ACCESS_H_
+
+#include "providers/ldap/ldap_common.h"
+
+enum ipa_access_mode {
+ IPA_ACCESS_DENY = 0,
+ IPA_ACCESS_ALLOW
+};
+
+struct ipa_access_ctx {
+ struct sdap_id_ctx *sdap_ctx;
+ struct dp_option *ipa_options;
+ time_t last_update;
+ struct sdap_access_ctx *sdap_access_ctx;
+
+ struct sdap_attr_map *host_map;
+ struct sdap_attr_map *hostgroup_map;
+ struct sdap_search_base **host_search_bases;
+ struct sdap_search_base **hbac_search_bases;
+};
+
+struct hbac_ctx {
+ struct be_ctx *be_ctx;
+ struct dp_option *ipa_options;
+ struct pam_data *pd;
+ size_t rule_count;
+ struct sysdb_attrs **rules;
+};
+
+struct tevent_req *
+ipa_pam_access_handler_send(TALLOC_CTX *mem_ctx,
+ struct ipa_access_ctx *access_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+ipa_pam_access_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+struct tevent_req *
+ipa_refresh_access_rules_send(TALLOC_CTX *mem_ctx,
+ struct ipa_access_ctx *access_ctx,
+ void *no_input_data,
+ struct dp_req_params *params);
+
+errno_t ipa_refresh_access_rules_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ void **_no_output_data);
+
+#endif /* _IPA_ACCESS_H_ */
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
new file mode 100644
index 0000000..1bd0177
--- /dev/null
+++ b/src/providers/ipa/ipa_auth.c
@@ -0,0 +1,459 @@ +/* + SSSD + + IPA Backend Module -- Authentication + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/ipa/ipa_auth.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_config.h" + +struct get_password_migration_flag_state { + struct tevent_context *ev; + struct sdap_id_op *sdap_op; + struct sdap_id_ctx *sdap_id_ctx; + struct fo_server *srv; + char *ipa_realm; + bool password_migration; +}; + +static void get_password_migration_flag_auth_done(struct tevent_req *subreq); +static void get_password_migration_flag_done(struct tevent_req *subreq); + +static struct tevent_req *get_password_migration_flag_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_id_ctx, + char *ipa_realm) +{ + int ret; + struct tevent_req *req, *subreq; + struct get_password_migration_flag_state *state; + + if (sdap_id_ctx == NULL || ipa_realm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing parameter.\n"); + return NULL; + } + + req = tevent_req_create(memctx, &state, + struct get_password_migration_flag_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->sdap_id_ctx = 
sdap_id_ctx; + state->srv = NULL; + state->password_migration = false; + state->ipa_realm = ipa_realm; + + state->sdap_op = sdap_id_op_create(state, + state->sdap_id_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n"); + goto fail; + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (!subreq) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret)); + goto fail; + } + + tevent_req_set_callback(subreq, get_password_migration_flag_auth_done, req); + + return req; + +fail: + talloc_zfree(req); + return NULL; +} + +static void get_password_migration_flag_auth_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_password_migration_flag_state *state = tevent_req_data(req, + struct get_password_migration_flag_state); + int ret, dp_error; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret) { + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, + "No IPA server is available, cannot get the " + "migration flag while offline\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to IPA server: [%d](%s)\n", + ret, strerror(ret)); + } + + tevent_req_error(req, ret); + return; + } + + subreq = ipa_get_config_send(state, state->ev, + sdap_id_op_handle(state->sdap_op), + state->sdap_id_ctx->opts, state->ipa_realm, NULL); + + tevent_req_set_callback(subreq, get_password_migration_flag_done, req); +} + +static void get_password_migration_flag_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_password_migration_flag_state *state = tevent_req_data(req, + struct get_password_migration_flag_state); + int ret; + struct sysdb_attrs *reply = NULL; + const char *value = NULL; + + ret = ipa_get_config_recv(subreq, state, &reply); + talloc_zfree(subreq); + 
if (ret) { + goto done; + } + + ret = sysdb_attrs_get_string(reply, IPA_CONFIG_MIGRATION_ENABLED, &value); + if (ret == EOK && strcasecmp(value, "true") == 0) { + state->password_migration = true; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } +} + +static int get_password_migration_flag_recv(struct tevent_req *req, + bool *password_migration) +{ + struct get_password_migration_flag_state *state = tevent_req_data(req, + struct get_password_migration_flag_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *password_migration = state->password_migration; + return EOK; +} + +struct ipa_pam_auth_handler_state { + struct tevent_context *ev; + struct ipa_auth_ctx *auth_ctx; + struct be_ctx *be_ctx; + struct pam_data *pd; + struct sss_domain_info *dom; +}; + +static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq); +static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq); +static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq); +static void ipa_pam_auth_handler_auth_done(struct tevent_req *subreq); +static void ipa_pam_auth_handler_retry_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_pam_auth_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_auth_ctx *auth_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct ipa_pam_auth_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_pam_auth_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + state->ev = params->ev; + state->auth_ctx = auth_ctx; + state->be_ctx = params->be_ctx; + state->dom = find_domain_by_name(state->be_ctx->domain, + state->pd->domain, + true); + if (state->dom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown domain %s\n", state->pd->domain); + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + 
pd->pam_status = PAM_SYSTEM_ERR; + + subreq = krb5_auth_queue_send(state, params->ev, params->be_ctx, + pd, auth_ctx->krb5_auth_ctx); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_pam_auth_handler_krb5_done, req); + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq) +{ + struct ipa_pam_auth_handler_state *state; + struct tevent_req *req; + int dp_err; + char *realm; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_auth_handler_state); + + state->pd->pam_status = PAM_SYSTEM_ERR; + ret = krb5_auth_queue_recv(subreq, &state->pd->pam_status, &dp_err); + talloc_free(subreq); + if (ret != EOK && state->pd->pam_status != PAM_CRED_ERR) { + DEBUG(SSSDBG_OP_FAILURE, "KRB5 auth failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (dp_err != DP_ERR_OK) { + goto done; + } + + if (state->pd->cmd == SSS_PAM_AUTHENTICATE + && state->pd->pam_status == PAM_CRED_ERR + && !IS_SUBDOMAIN(state->dom)) { + realm = dp_opt_get_string(state->auth_ctx->ipa_options, IPA_KRB5_REALM); + subreq = get_password_migration_flag_send(state, state->ev, + state->auth_ctx->sdap_id_ctx, + realm); + if (subreq == NULL) { + goto done; + } + + tevent_req_set_callback(subreq, ipa_pam_auth_handler_flag_done, req); + return; + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq) +{ + struct ipa_pam_auth_handler_state *state; + struct sdap_auth_ctx *sdap_auth_ctx; + bool password_migration = false; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_auth_handler_state); + + ret = get_password_migration_flag_recv(subreq, &password_migration); + talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to get password migration flag " + "[%d]: %s\n", ret, sss_strerror(ret)); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + if (password_migration) { + sdap_auth_ctx = state->auth_ctx->sdap_auth_ctx; + subreq = sdap_cli_connect_send(state, state->ev, + sdap_auth_ctx->opts, + sdap_auth_ctx->be, + sdap_auth_ctx->service, + true, CON_TLS_ON, true); + if (subreq == NULL) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + tevent_req_set_callback(subreq, ipa_pam_auth_handler_connect_done, req); + return; + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +static void ipa_pam_auth_handler_connect_done(struct tevent_req *subreq) +{ + struct ipa_pam_auth_handler_state *state; + struct tevent_req *req; + struct sdap_handle *sh = NULL; + const char *attrs[] = {SYSDB_ORIG_DN, NULL}; + struct ldb_message *msg; + const char *dn; + int timeout; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_auth_handler_state); + + state->pd->pam_status = PAM_SYSTEM_ERR; + + ret = sdap_cli_connect_recv(subreq, state, NULL, &sh, NULL); + talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot connect to LDAP server to perform " + "migration [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Assuming Kerberos password is missing, " + "starting password migration.\n"); + + ret = sysdb_search_user_by_name(state, state->be_ctx->domain, + state->pd->user, attrs, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n"); + goto done; + } + + dn = ldb_msg_find_attr_as_string(msg, SYSDB_ORIG_DN, NULL); + if (dn == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Missing original DN for user [%s].\n", + state->pd->user); + goto done; + } + + timeout = dp_opt_get_int(state->auth_ctx->sdap_auth_ctx->opts->basic, + SDAP_OPT_TIMEOUT); + + subreq = sdap_auth_send(state, state->ev, sh, NULL, NULL, dn, + state->pd->authtok, timeout); + if (subreq == NULL) { + goto done; + } + + tevent_req_set_callback(subreq, ipa_pam_auth_handler_auth_done, req); + return; + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +static void ipa_pam_auth_handler_auth_done(struct tevent_req *subreq) +{ + struct ipa_pam_auth_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_auth_handler_state); + + ret = sdap_auth_recv(subreq, state, NULL); + + talloc_free(subreq); + switch (ret) { + case EOK: + break; + case ERR_AUTH_DENIED: + case ERR_AUTH_FAILED: + case ERR_PASSWORD_EXPIRED: + /* TODO: do we need to handle expired passwords? */ + DEBUG(SSSDBG_MINOR_FAILURE, "LDAP authentication failed, " + "password migration not possible.\n"); + state->pd->pam_status = PAM_CRED_INSUFFICIENT; + goto done; + default: + DEBUG(SSSDBG_OP_FAILURE, "auth_send request failed.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "LDAP authentication succeeded, " + "trying Kerberos authentication again.\n"); + + subreq = krb5_auth_queue_send(state, state->ev, state->be_ctx, state->pd, + state->auth_ctx->krb5_auth_ctx); + if (subreq == NULL) { + goto done; + } + + tevent_req_set_callback(subreq, ipa_pam_auth_handler_retry_done, req); + return; + +done: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +static void ipa_pam_auth_handler_retry_done(struct tevent_req *subreq) +{ + struct ipa_pam_auth_handler_state *state; + struct tevent_req *req; + int dp_err; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_auth_handler_state); + + ret = krb5_auth_queue_recv(subreq, &state->pd->pam_status, &dp_err); + talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv request failed.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + } + + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +errno_t +ipa_pam_auth_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct ipa_pam_auth_handler_state *state = NULL; + + state = tevent_req_data(req, struct ipa_pam_auth_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/ipa/ipa_auth.h b/src/providers/ipa/ipa_auth.h new file mode 100644 index 0000000..53666eb --- /dev/null +++ b/src/providers/ipa/ipa_auth.h @@ -0,0 +1,42 @@ +/* + SSSD + + IPA Backend Module -- Authentication + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _IPA_AUTH_H_ +#define _IPA_AUTH_H_ + +#include "providers/backend.h" +#include "providers/ipa/ipa_common.h" + +struct tevent_req * +ipa_pam_auth_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_auth_ctx *auth_ctx, + struct pam_data *pd, + struct dp_req_params *params); + +errno_t +ipa_pam_auth_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data); + +#endif /* _IPA_AUTH_H_ */ diff --git a/src/providers/ipa/ipa_autofs.c b/src/providers/ipa/ipa_autofs.c new file mode 100644 index 0000000..b2e4cbc --- /dev/null +++ b/src/providers/ipa/ipa_autofs.c 
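Review bot: In `get_password_migration_flag_auth_done` the result of `ipa_get_config_send()` is handed to `tevent_req_set_callback()` without a NULL check, while every other `*_send` call in this file is checked first. An allocation failure there would dereference a NULL request inside the backend's PAM authentication path, so the failure shows up as a crash of the provider rather than as an authentication error. I would add `if (subreq == NULL) { tevent_req_error(req, ENOMEM); return; }` directly after the call. Separately, `get_password_migration_flag_done` reports any `sysdb_attrs_get_string()` failure as a request error, which `ipa_pam_auth_handler_flag_done` turns into `PAM_SYSTEM_ERR` in place of the original `PAM_CRED_ERR`; if a reply lacking `IPA_CONFIG_MIGRATION_ENABLED` is possible (not visible from this hunk), treating `ENOENT` as "migration disabled" would keep the bad-password result intact.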
@@ -0,0 +1,55 @@
+/*
+ SSSD
+
+ IPA Provider Initialization functions
+
+ Authors:
+ Simo Sorce
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/child_common.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/krb5/krb5_auth.h"
+#include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_auth.h"
+#include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_dyndns.h"
+#include "providers/ipa/ipa_selinux.h"
+
+errno_t ipa_autofs_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing autofs IPA back end\n");
+
+ ret = ipa_get_autofs_options(id_ctx->ipa_options, be_ctx->cdb,
+ be_ctx->conf_path, &id_ctx->sdap_id_ctx->opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get IPA autofs options\n");
+ return ret;
+ }
+
+ dp_set_method(dp_methods, DPM_AUTOFS_HANDLER,
+ sdap_autofs_handler_send, sdap_autofs_handler_recv, id_ctx->sdap_id_ctx,
+ struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std);
+
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_common.c b/src/providers/ipa/ipa_common.c
new file mode 100644
index 0000000..c71eca8
--- /dev/null
+++ b/src/providers/ipa/ipa_common.c
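Review bot: The include list of ipa_autofs.c pulls in `providers/krb5/krb5_auth.h`, `providers/ipa/ipa_auth.h`, `providers/ipa/ipa_access.h`, `providers/ipa/ipa_dyndns.h`, `providers/ipa/ipa_selinux.h` and `util/child_common.h`, none of which `ipa_autofs_init` appears to need. The file banner "IPA Provider Initialization functions" also looks carried over from another file. I would trim the includes to what declares `ipa_get_autofs_options`, `dp_set_method` and the `sdap_autofs_handler_*` pair (their declaring headers are not visible here, so confirm before removing). `ipa_autofs_init` also lacks a comment on its preconditions, since `mem_ctx` is unused and `id_ctx->sdap_id_ctx` is dereferenced unchecked; something like `/* Registers the LDAP autofs handler; id_ctx->sdap_id_ctx must already be initialised. mem_ctx is currently unused. */` would cover it.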
@@ -0,0 +1,1318 @@ +/* + SSSD + + IPA Provider Common Functions + + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "db/sysdb_selinux.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_dyndns.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/be_dyndns.h" +#include "util/sss_krb5.h" +#include "db/sysdb_services.h" +#include "db/sysdb_autofs.h" + +#include "providers/ipa/ipa_opts.h" + +int ipa_get_options(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct sss_domain_info *dom, + struct ipa_options **_opts) +{ + struct ipa_options *opts; + char *domain; + char *server; + char *realm; + char *ipa_hostname; + int ret; + char hostname[HOST_NAME_MAX + 1]; + + opts = talloc_zero(memctx, struct ipa_options); + if (!opts) return ENOMEM; + + ret = dp_get_options(opts, cdb, conf_path, + ipa_basic_opts, + IPA_OPTS_BASIC, + &opts->basic); + if (ret != EOK) { + goto done; + } + + domain = dp_opt_get_string(opts->basic, IPA_DOMAIN); + if (!domain) { + ret = dp_opt_set_string(opts->basic, IPA_DOMAIN, dom->name); + if (ret != EOK) { + goto done; + } + domain = dom->name; + } + + server = dp_opt_get_string(opts->basic, IPA_SERVER); + if (!server) { + DEBUG(SSSDBG_CRIT_FAILURE, + "No ipa server set, will use service discovery!\n"); + } + + ipa_hostname = 
dp_opt_get_string(opts->basic, IPA_HOSTNAME); + if (ipa_hostname == NULL) { + ret = gethostname(hostname, HOST_NAME_MAX); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "gethostname failed [%d][%s].\n", errno, + strerror(errno)); + ret = errno; + goto done; + } + hostname[HOST_NAME_MAX] = '\0'; + DEBUG(SSSDBG_TRACE_ALL, "Setting ipa_hostname to [%s].\n", hostname); + ret = dp_opt_set_string(opts->basic, IPA_HOSTNAME, hostname); + if (ret != EOK) { + goto done; + } + } + + /* First check whether the realm has been manually specified */ + realm = dp_opt_get_string(opts->basic, IPA_KRB5_REALM); + if (!realm) { + /* No explicit krb5_realm, use the IPA domain, transform to upper-case */ + realm = get_uppercase_realm(opts, domain); + if (!realm) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(opts->basic, IPA_KRB5_REALM, + realm); + if (ret != EOK) { + goto done; + } + } + + ret = EOK; + *_opts = opts; + +done: + if (ret != EOK) { + talloc_zfree(opts); + } + return ret; +} + +static errno_t ipa_parse_search_base(TALLOC_CTX *mem_ctx, + struct dp_option *opts, int class, + struct sdap_search_base ***_search_bases) +{ + const char *class_name; + char *unparsed_base; + + *_search_bases = NULL; + + switch (class) { + case IPA_HBAC_SEARCH_BASE: + class_name = "IPA_HBAC"; + break; + case IPA_SELINUX_SEARCH_BASE: + class_name = "IPA_SELINUX"; + break; + case IPA_SUBDOMAINS_SEARCH_BASE: + class_name = "IPA_SUBDOMAINS"; + break; + case IPA_MASTER_DOMAIN_SEARCH_BASE: + class_name = "IPA_MASTER_DOMAIN"; + break; + case IPA_RANGES_SEARCH_BASE: + class_name = "IPA_RANGES"; + break; + case IPA_VIEWS_SEARCH_BASE: + class_name = "IPA_VIEWS"; + break; + case IPA_DESKPROFILE_SEARCH_BASE: + class_name = "IPA_DESKPROFILE"; + break; + default: + DEBUG(SSSDBG_CONF_SETTINGS, + "Unknown search base type: [%d]\n", class); + class_name = "UNKNOWN"; + /* Non-fatal */ + break; + } + + unparsed_base = dp_opt_get_string(opts, class); + if (!unparsed_base || unparsed_base[0] == '\0') 
return ENOENT; + + return common_parse_search_base(mem_ctx, unparsed_base, + class_name, NULL, + _search_bases); +} + +int ipa_get_id_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sdap_options **_opts) +{ + TALLOC_CTX *tmpctx; + char *basedn; + char *realm; + char *value; + int ret; + int i; + bool server_mode; + + tmpctx = talloc_new(ipa_opts); + if (!tmpctx) { + return ENOMEM; + } + + ipa_opts->id = talloc_zero(ipa_opts, struct sdap_options); + if (!ipa_opts->id) { + ret = ENOMEM; + goto done; + } + ipa_opts->id->dp = dp; + + ret = sdap_domain_add(ipa_opts->id, + ipa_opts->id_ctx->sdap_id_ctx->be->domain, + NULL); + if (ret != EOK) { + goto done; + } + + /* get sdap options */ + ret = dp_get_options(ipa_opts->id, cdb, conf_path, + ipa_def_ldap_opts, + SDAP_OPTS_BASIC, + &ipa_opts->id->basic); + if (ret != EOK) { + goto done; + } + + ret = domain_to_basedn(tmpctx, + dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM), + &basedn); + if (ret != EOK) { + goto done; + } + + if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE)) { + /* FIXME: get values by querying IPA */ + /* set search base */ + value = talloc_asprintf(tmpctx, "cn=accounts,%s", basedn); + if (!value) { + ret = ENOMEM; + goto done; + } + ret = dp_opt_set_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE)); + } + ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, + SDAP_SEARCH_BASE, + &ipa_opts->id->sdom->search_bases); + if (ret != EOK) goto done; + + /* set krb realm */ + if (NULL == dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)) { + realm = dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM); + value = talloc_strdup(tmpctx, realm); + if (value == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + ret = dp_opt_set_string(ipa_opts->id->basic, + SDAP_KRB5_REALM, value); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_KRB5_REALM].opt_name, + dp_opt_get_string(ipa_opts->id->basic, SDAP_KRB5_REALM)); + } + + ret = sdap_set_sasl_options(ipa_opts->id, + dp_opt_get_string(ipa_opts->basic, + IPA_HOSTNAME), + dp_opt_get_string(ipa_opts->id->basic, + SDAP_KRB5_REALM), + dp_opt_get_string(ipa_opts->id->basic, + SDAP_KRB5_KEYTAB)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set the SASL-related options\n"); + goto done; + } + + /* fix schema to IPAv1 for now */ + ipa_opts->id->schema_type = SDAP_SCHEMA_IPA_V1; + + /* set user/group search bases if they are not specified */ + if (NULL == dp_opt_get_string(ipa_opts->id->basic, + SDAP_USER_SEARCH_BASE)) { + ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_USER_SEARCH_BASE, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE)); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_USER_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_USER_SEARCH_BASE)); + } + ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, + SDAP_USER_SEARCH_BASE, + &ipa_opts->id->sdom->user_search_bases); + if (ret != EOK) goto done; + + /* In server mode we need to search both cn=accounts,$SUFFIX and + * cn=trusts,$SUFFIX to allow trusted domain object accounts to be found. 
+ * If cn=trusts,$SUFFIX is missing in the user search bases, add one + */ + server_mode = dp_opt_get_bool(ipa_opts->basic, IPA_SERVER_MODE); + if (server_mode != false) { + /* bases is not NULL at this point already */ + struct sdap_search_base **bases = ipa_opts->id->sdom->user_search_bases; + struct sdap_search_base *new_base = NULL; + + for (i = 0; bases[i] != NULL; i++) { + if (strcasestr(bases[i]->basedn, "cn=trusts,") != NULL) { + break; + } + } + if (NULL == bases[i]) { + /* no cn=trusts in the base, add a new one */ + char *new_dn = talloc_asprintf(bases, + "cn=trusts,%s", + basedn); + if (NULL == new_dn) { + ret = ENOMEM; + goto done; + } + + ret = sdap_create_search_base(bases, new_dn, + LDAP_SCOPE_SUBTREE, + "(objectClass=ipaIDObject)", + &new_base); + if (ret != EOK) { + goto done; + } + + bases = talloc_realloc(ipa_opts->id, + ipa_opts->id->sdom->user_search_bases, + struct sdap_search_base*, + i + 2); + + if (NULL == bases) { + ret = ENOMEM; + goto done; + } + + bases[i] = new_base; + bases[i+1] = NULL; + ipa_opts->id->sdom->user_search_bases = bases; + + DEBUG(SSSDBG_TRACE_FUNC, + "Option %s expanded to cover cn=trusts base\n", + ipa_opts->id->basic[SDAP_USER_SEARCH_BASE].opt_name); + } + } + + if (NULL == dp_opt_get_string(ipa_opts->id->basic, + SDAP_GROUP_SEARCH_BASE)) { + ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_GROUP_SEARCH_BASE, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE)); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_GROUP_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_GROUP_SEARCH_BASE)); + } + ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, + SDAP_GROUP_SEARCH_BASE, + &ipa_opts->id->sdom->group_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->id->basic, + SDAP_NETGROUP_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=ng,cn=alt,%s", basedn); + if (!value) { + ret 
= ENOMEM; + goto done; + } + ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_NETGROUP_SEARCH_BASE, + value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_NETGROUP_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_NETGROUP_SEARCH_BASE)); + } + ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, + SDAP_NETGROUP_SEARCH_BASE, + &ipa_opts->id->sdom->netgroup_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->id->basic, + SDAP_HOST_SEARCH_BASE)) { + + value = dp_opt_get_string(ipa_opts->basic, IPA_HOST_SEARCH_BASE); + if (!value) { + value = dp_opt_get_string(ipa_opts->id->basic, SDAP_SEARCH_BASE); + } + + ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_HOST_SEARCH_BASE, + value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_HOST_SEARCH_BASE].opt_name, + value); + } + ret = sdap_parse_search_base(ipa_opts->id->basic, ipa_opts->id->basic, + SDAP_HOST_SEARCH_BASE, + &ipa_opts->id->sdom->host_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->basic, + IPA_HBAC_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=hbac,%s", basedn); + if (!value) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_HBAC_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->basic[IPA_HBAC_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_HBAC_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts->basic, ipa_opts->basic, + IPA_HBAC_SEARCH_BASE, + &ipa_opts->hbac_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->basic, + IPA_SELINUX_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=selinux,%s", basedn); + if (!value) { + ret = ENOMEM; + goto done; + } + + ret = 
dp_opt_set_string(ipa_opts->basic, IPA_SELINUX_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->basic[IPA_SELINUX_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_SELINUX_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts->basic, ipa_opts->basic, + IPA_SELINUX_SEARCH_BASE, + &ipa_opts->selinux_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->basic, + IPA_DESKPROFILE_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=desktop-profile,%s", basedn); + if (!value) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_DESKPROFILE_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->basic[IPA_DESKPROFILE_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_DESKPROFILE_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts->basic, ipa_opts->basic, + IPA_DESKPROFILE_SEARCH_BASE, + &ipa_opts->deskprofile_search_bases); + if (ret != EOK) goto done; + + value = dp_opt_get_string(ipa_opts->id->basic, SDAP_DEREF); + if (value != NULL) { + ret = deref_string_to_val(value, &i); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to verify ldap_deref option.\n"); + goto done; + } + } + + if (NULL == dp_opt_get_string(ipa_opts->id->basic, + SDAP_SERVICE_SEARCH_BASE)) { + ret = dp_opt_set_string(ipa_opts->id->basic, SDAP_SERVICE_SEARCH_BASE, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_SEARCH_BASE)); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->id->basic[SDAP_GROUP_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_GROUP_SEARCH_BASE)); + } + ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, + SDAP_SERVICE_SEARCH_BASE, + &ipa_opts->id->sdom->service_search_bases); + if (ret != EOK) goto done; + + if (NULL == 
dp_opt_get_string(ipa_opts->basic, + IPA_SUBDOMAINS_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=trusts,%s", basedn); + if (value == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_SUBDOMAINS_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->basic[IPA_SUBDOMAINS_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_SUBDOMAINS_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts, ipa_opts->basic, + IPA_SUBDOMAINS_SEARCH_BASE, + &ipa_opts->subdomains_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->basic, + IPA_MASTER_DOMAIN_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=ad,cn=etc,%s", basedn); + if (value == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_MASTER_DOMAIN_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->basic[IPA_MASTER_DOMAIN_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_MASTER_DOMAIN_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts, ipa_opts->basic, + IPA_MASTER_DOMAIN_SEARCH_BASE, + &ipa_opts->master_domain_search_bases); + if (ret != EOK) goto done; + + if (NULL == dp_opt_get_string(ipa_opts->basic, + IPA_RANGES_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=ranges,cn=etc,%s", basedn); + if (value == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_RANGES_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->basic[IPA_RANGES_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_RANGES_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts, ipa_opts->basic, + IPA_RANGES_SEARCH_BASE, + &ipa_opts->ranges_search_bases); + if (ret != EOK) goto done; + + if (NULL == 
dp_opt_get_string(ipa_opts->basic, + IPA_VIEWS_SEARCH_BASE)) { + value = talloc_asprintf(tmpctx, "cn=views,cn=accounts,%s", basedn); + if (value == NULL) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->basic, IPA_VIEWS_SEARCH_BASE, value); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->basic[IPA_VIEWS_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->basic, + IPA_VIEWS_SEARCH_BASE)); + } + ret = ipa_parse_search_base(ipa_opts, ipa_opts->basic, + IPA_VIEWS_SEARCH_BASE, + &ipa_opts->views_search_bases); + if (ret != EOK) goto done; + + ret = sdap_get_map(ipa_opts->id, cdb, conf_path, + ipa_attr_map, + SDAP_AT_GENERAL, + &ipa_opts->id->gen_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_user_map, + SDAP_OPTS_USER, + &ipa_opts->id->user_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_extend_map_with_list(ipa_opts->id, ipa_opts->id, + SDAP_USER_EXTRA_ATTRS, + ipa_opts->id->user_map, + SDAP_OPTS_USER, + &ipa_opts->id->user_map, + &ipa_opts->id->user_map_cnt); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_group_map, + SDAP_OPTS_GROUP, + &ipa_opts->id->group_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_netgroup_map, + IPA_OPTS_NETGROUP, + &ipa_opts->id->netgroup_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_host_map, + SDAP_OPTS_HOST, + &ipa_opts->id->host_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_hostgroup_map, + IPA_OPTS_HOSTGROUP, + &ipa_opts->hostgroup_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_service_map, + SDAP_OPTS_SERVICES, + &ipa_opts->id->service_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, 
+ cdb, conf_path, + ipa_selinux_user_map, + IPA_OPTS_SELINUX_USERMAP, + &ipa_opts->selinuxuser_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_view_map, + IPA_OPTS_VIEW, + &ipa_opts->view_map); + if (ret != EOK) { + goto done; + } + + ret = sdap_get_map(ipa_opts->id, + cdb, conf_path, + ipa_override_map, + IPA_OPTS_OVERRIDE, + &ipa_opts->override_map); + if (ret != EOK) { + goto done; + } + + ret = EOK; + *_opts = ipa_opts->id; + +done: + talloc_zfree(tmpctx); + if (ret != EOK) { + talloc_zfree(ipa_opts->id); + } + return ret; +} + +int ipa_get_auth_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct dp_option **_opts) +{ + char *value; + char *copy = NULL; + int ret; + + ipa_opts->auth = talloc_zero(ipa_opts, struct dp_option); + if (ipa_opts->auth == NULL) { + ret = ENOMEM; + goto done; + } + + /* get krb5 options */ + ret = dp_get_options(ipa_opts, cdb, conf_path, + ipa_def_krb5_opts, + KRB5_OPTS, &ipa_opts->auth); + if (ret != EOK) { + goto done; + } + + /* If there is no KDC, try the deprecated krb5_kdcip option, too */ + /* FIXME - this can be removed in a future version */ + ret = krb5_try_kdcip(cdb, conf_path, ipa_opts->auth, KRB5_KDC); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_try_kdcip failed.\n"); + goto done; + } + + /* set krb realm */ + if (NULL == dp_opt_get_string(ipa_opts->auth, KRB5_REALM)) { + value = dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM); + if (!value) { + ret = ENOMEM; + goto done; + } + copy = talloc_strdup(ipa_opts->auth, value); + if (copy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + ret = dp_opt_set_string(ipa_opts->auth, KRB5_REALM, copy); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n", + ipa_opts->auth[KRB5_REALM].opt_name, + dp_opt_get_string(ipa_opts->auth, KRB5_REALM)); + } + + /* If krb5_fast_principal was 
not set explicitly, default to + * host/$client_hostname@REALM + */ + value = dp_opt_get_string(ipa_opts->auth, KRB5_FAST_PRINCIPAL); + if (value == NULL) { + value = talloc_asprintf(ipa_opts->auth, "host/%s@%s", + dp_opt_get_string(ipa_opts->basic, + IPA_HOSTNAME), + dp_opt_get_string(ipa_opts->auth, + KRB5_REALM)); + if (value == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set %s!\n", + ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name); + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->auth, KRB5_FAST_PRINCIPAL, + value); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set %s!\n", + ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->auth[KRB5_FAST_PRINCIPAL].opt_name, value); + } + + /* Set flag that controls whether we want to write the + * kdcinfo files at all + */ + ipa_opts->service->krb5_service->write_kdcinfo = \ + dp_opt_get_bool(ipa_opts->auth, KRB5_USE_KDCINFO); + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + ipa_opts->auth[KRB5_USE_KDCINFO].opt_name, + ipa_opts->service->krb5_service->write_kdcinfo ? 
"true" : "false"); + + *_opts = ipa_opts->auth; + ret = EOK; + +done: + talloc_free(copy); + if (ret != EOK) { + talloc_zfree(ipa_opts->auth); + } + return ret; +} + +static void ipa_resolve_callback(void *private_data, struct fo_server *server) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct ipa_service *service; + struct resolv_hostent *srvaddr; + struct sockaddr_storage *sockaddr; + char *address; + char *safe_addr_list[2] = { NULL, NULL }; + char *new_uri; + const char *srv_name; + int ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed\n"); + return; + } + + service = talloc_get_type(private_data, struct ipa_service); + if (!service) { + DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Bad private_data\n"); + talloc_free(tmp_ctx); + return; + } + + srvaddr = fo_get_server_hostent(server); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, + "FATAL: No hostent available for server (%s)\n", + fo_get_server_str_name(server)); + talloc_free(tmp_ctx); + return; + } + + sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, LDAP_PORT); + if (sockaddr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n"); + talloc_free(tmp_ctx); + return; + } + + address = resolv_get_string_address(tmp_ctx, srvaddr); + if (address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_string_address failed.\n"); + talloc_free(tmp_ctx); + return; + } + + srv_name = fo_get_server_name(server); + if (srv_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not get server host name\n"); + talloc_free(tmp_ctx); + return; + } + + new_uri = talloc_asprintf(service, "ldap://%s", srv_name); + if (!new_uri) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to copy URI ...\n"); + talloc_free(tmp_ctx); + return; + } + DEBUG(SSSDBG_TRACE_FUNC, "Constructed uri '%s'\n", new_uri); + + /* free old one and replace with new one */ + talloc_zfree(service->sdap->uri); + service->sdap->uri = new_uri; + talloc_zfree(service->sdap->sockaddr); + 
service->sdap->sockaddr = talloc_steal(service, sockaddr); + + if (service->krb5_service->write_kdcinfo) { + safe_addr_list[0] = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_addr_list[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n"); + talloc_free(tmp_ctx); + return; + } + + ret = write_krb5info_file(service->krb5_service, + safe_addr_list, + SSS_KRB5KDC_FO_SRV); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "write_krb5info_file failed, authentication might fail.\n"); + } + } + + talloc_free(tmp_ctx); +} + +static errno_t _ipa_servers_init(struct be_ctx *ctx, + struct ipa_service *service, + struct ipa_options *options, + const char *servers, + bool primary) +{ + TALLOC_CTX *tmp_ctx; + char **list = NULL; + char *ipa_domain; + int ret = 0; + int i; + int j; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + /* split server parm into a list */ + ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n"); + goto done; + } + + for (j = 0; list[j]; j++) { + if (resolv_is_address(list[j])) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "ipa_server [%s] is detected as IP address, " + "this can cause GSSAPI problems\n", list[j]); + } + } + + /* now for each one add a new server to the failover service */ + for (i = 0; list[i]; i++) { + + talloc_steal(service, list[i]); + + if (be_fo_is_srv_identifier(list[i])) { + if (!primary) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add server [%s] to failover service: " + "SRV resolution only allowed for primary servers!\n", + list[i]); + continue; + } + + ipa_domain = dp_opt_get_string(options->basic, IPA_DOMAIN); + ret = be_fo_add_srv_server(ctx, "IPA", "ldap", ipa_domain, + BE_FO_PROTO_TCP, false, NULL); + if (ret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Added service lookup for service IPA\n"); + 
continue; + } + + /* It could be ipv6 address in square brackets. Remove + * the brackets if needed. */ + ret = remove_ipv6_brackets(list[i]); + if (ret != EOK) { + goto done; + } + + ret = be_fo_add_server(ctx, "IPA", list[i], 0, NULL, primary); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Added Server %s\n", list[i]); + } + +done: + talloc_free(tmp_ctx); + return ret; +} + +static inline errno_t +ipa_primary_servers_init(struct be_ctx *ctx, struct ipa_service *service, + struct ipa_options *options, const char *servers) +{ + return _ipa_servers_init(ctx, service, options, servers, true); +} + +static inline errno_t +ipa_backup_servers_init(struct be_ctx *ctx, struct ipa_service *service, + struct ipa_options *options, const char *servers) +{ + return _ipa_servers_init(ctx, service, options, servers, false); +} + +static int ipa_user_data_cmp(void *ud1, void *ud2) +{ + return strcasecmp((char*) ud1, (char*) ud2); +} + +int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, + const char *primary_servers, + const char *backup_servers, + struct ipa_options *options, + struct ipa_service **_service) +{ + TALLOC_CTX *tmp_ctx; + struct ipa_service *service; + char *realm; + int ret; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + realm = dp_opt_get_string(options->basic, IPA_KRB5_REALM); + if (!realm) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm set\n"); + ret = EINVAL; + goto done; + } + + service = talloc_zero(tmp_ctx, struct ipa_service); + if (!service) { + ret = ENOMEM; + goto done; + } + service->sdap = talloc_zero(service, struct sdap_service); + if (!service->sdap) { + ret = ENOMEM; + goto done; + } + + service->krb5_service = krb5_service_new(service, ctx, + "IPA", realm, + true); /* The configured value + * will be set later when + * the auth provider is set up + */ + if (!service->krb5_service) { + ret = ENOMEM; + goto done; + } + + 
ret = be_fo_add_service(ctx, "IPA", ipa_user_data_cmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n"); + goto done; + } + + service->sdap->name = talloc_strdup(service, "IPA"); + if (!service->sdap->name) { + ret = ENOMEM; + goto done; + } + + service->sdap->kinit_service_name = service->krb5_service->name; + + if (!primary_servers) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No primary servers defined, using service discovery\n"); + primary_servers = BE_SRV_IDENTIFIER; + } + + ret = ipa_primary_servers_init(ctx, service, options, primary_servers); + if (ret != EOK) { + goto done; + } + + if (backup_servers) { + ret = ipa_backup_servers_init(ctx, service, options, backup_servers); + if (ret != EOK) { + goto done; + } + } + + ret = be_fo_service_add_callback(memctx, ctx, "IPA", + ipa_resolve_callback, service); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add failover callback!\n"); + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_service = talloc_steal(memctx, service); + } + talloc_zfree(tmp_ctx); + return ret; +} + +int ipa_get_autofs_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct sdap_options **_opts) +{ + TALLOC_CTX *tmp_ctx; + char *basedn; + char *autofs_base; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ret = domain_to_basedn(tmp_ctx, + dp_opt_get_string(ipa_opts->basic, IPA_KRB5_REALM), + &basedn); + if (ret != EOK) { + goto done; + } + + if (NULL == dp_opt_get_string(ipa_opts->id->basic, + SDAP_AUTOFS_SEARCH_BASE)) { + + autofs_base = talloc_asprintf(tmp_ctx, "cn=%s,cn=automount,%s", + dp_opt_get_string(ipa_opts->basic, + IPA_AUTOMOUNT_LOCATION), + basedn); + if (!autofs_base) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(ipa_opts->id->basic, + SDAP_AUTOFS_SEARCH_BASE, + autofs_base); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Option %s set to %s\n", + 
ipa_opts->id->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name, + dp_opt_get_string(ipa_opts->id->basic, + SDAP_AUTOFS_SEARCH_BASE)); + } + + ret = sdap_parse_search_base(ipa_opts->id, ipa_opts->id->basic, + SDAP_AUTOFS_SEARCH_BASE, + &ipa_opts->id->sdom->autofs_search_bases); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "Could not parse autofs search base\n"); + goto done; + } + + ret = sdap_get_map(ipa_opts->id, cdb, conf_path, + ipa_autofs_mobject_map, + SDAP_OPTS_AUTOFS_MAP, + &ipa_opts->id->autofs_mobject_map); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not get autofs map object attribute map\n"); + goto done; + } + + ret = sdap_get_map(ipa_opts->id, cdb, conf_path, + ipa_autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, + &ipa_opts->id->autofs_entry_map); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not get autofs entry object attribute map\n"); + goto done; + } + + *_opts = ipa_opts->id; + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t ipa_get_dyndns_options(struct be_ctx *be_ctx, + struct ipa_options *ctx) +{ + errno_t ret; + char *val; + bool update; + int ttl; + + ret = be_nsupdate_init(ctx, be_ctx, ipa_dyndns_opts, &ctx->dyndns_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot initialize IPA dyndns opts [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + if (ctx->basic == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "IPA basic options not (yet) " + "initialized, cannot copy legacy options\n"); + return EOK; + } + + /* Reuse legacy option values */ + ret = confdb_get_string(be_ctx->cdb, ctx, be_ctx->conf_path, + "ipa_dyndns_update", NULL, &val); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get the value of %s\n", + "ipa_dyndns_update"); + /* Not fatal */ + } else if (ret == EOK && val) { + if (strcasecmp(val, "FALSE") == 0) { + update = false; + } else if (strcasecmp(val, "TRUE") == 0) { + update = true; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "ipa_dyndns_update value is not a 
boolean!\n"); + talloc_free(val); + return EINVAL; + } + + DEBUG(SSSDBG_MINOR_FAILURE, "Deprecation warning: The option %s is " + "deprecated and should not be used in favor of %s\n", + "ipa_dyndns_update", "dyndns_update"); + + ret = dp_opt_set_bool(ctx->dyndns_ctx->opts, + DP_OPT_DYNDNS_UPDATE, update); + talloc_free(val); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set option value\n"); + return ret; + } + } + + ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path, + "ipa_dyndns_ttl", -1, &ttl); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get the value of %s\n", + "ipa_dyndns_ttl"); + /* Not fatal */ + } else if (ret == EOK && ttl != -1) { + DEBUG(SSSDBG_MINOR_FAILURE, "Deprecation warning: The option %s is " + "deprecated and should not be used in favor of %s\n", + "ipa_dyndns_ttl", "dyndns_ttl"); + + ret = dp_opt_set_int(ctx->dyndns_ctx->opts, DP_OPT_DYNDNS_TTL, ttl); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set option value\n"); + return ret; + } + } + + /* Reuse legacy option values */ + ret = confdb_get_string(be_ctx->cdb, ctx, be_ctx->conf_path, + "ipa_dyndns_iface", NULL, &val); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get the value of %s\n", + "ipa_dyndns_iface"); + /* Not fatal */ + } else if (ret == EOK && val) { + DEBUG(SSSDBG_MINOR_FAILURE, "Deprecation warning: The option %s is " + "deprecated and should not be used in favor of %s\n", + "ipa_dyndns_iface", "dyndns_iface"); + + ret = dp_opt_set_string(ctx->dyndns_ctx->opts, + DP_OPT_DYNDNS_IFACE, val); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set option value\n"); + return ret; + } + } + + return EOK; +} + +errno_t ipa_get_host_attrs(struct dp_option *ipa_options, + size_t host_count, + struct sysdb_attrs **hosts, + struct sysdb_attrs **_ipa_host) +{ + const char *ipa_hostname; + const char *hostname; + errno_t ret; + + *_ipa_host = NULL; + ipa_hostname = dp_opt_get_cstring(ipa_options, IPA_HOSTNAME); + if (ipa_hostname == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "Missing ipa_hostname, this should never happen.\n"); + ret = EINVAL; + goto done; + } + + for (size_t i = 0; i < host_count; i++) { + ret = sysdb_attrs_get_string(hosts[i], SYSDB_FQDN, &hostname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not locate IPA host\n"); + goto done; + } + + if (strcasecmp(hostname, ipa_hostname) == 0) { + *_ipa_host = hosts[i]; + break; + } + } + + if (*_ipa_host == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not locate IPA host\n"); + ret = EINVAL; + goto done; + } + + ret = EOK; + +done: + return ret; +} diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h new file mode 100644 index 0000000..31e671e --- /dev/null +++ b/src/providers/ipa/ipa_common.h 
@@ -0,0 +1,304 @@ +/* + SSSD + + IPA Common utility code + + Copyright (C) Simo Sorce 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _IPA_COMMON_H_ +#define _IPA_COMMON_H_ + +#include "util/util.h" +#include "confdb/confdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/krb5/krb5_common.h" +#include "providers/ad/ad_common.h" +#include "providers/ad/ad_srv.h" + +struct ipa_service { + struct sdap_service *sdap; + struct krb5_service *krb5_service; +}; + +struct ipa_init_ctx; + +enum ipa_basic_opt { + IPA_DOMAIN = 0, + IPA_SERVER, + IPA_BACKUP_SERVER, + IPA_HOSTNAME, + IPA_HBAC_SEARCH_BASE, + IPA_HOST_SEARCH_BASE, /* only used if ldap_host_search_base is not set */ + IPA_SELINUX_SEARCH_BASE, + IPA_SUBDOMAINS_SEARCH_BASE, + IPA_MASTER_DOMAIN_SEARCH_BASE, + IPA_KRB5_REALM, + IPA_HBAC_REFRESH, + IPA_SELINUX_REFRESH, + IPA_HBAC_SUPPORT_SRCHOST, + IPA_AUTOMOUNT_LOCATION, + IPA_RANGES_SEARCH_BASE, + IPA_ENABLE_DNS_SITES, + IPA_SERVER_MODE, + IPA_VIEWS_SEARCH_BASE, + IPA_KRB5_CONFD_PATH, + IPA_DESKPROFILE_SEARCH_BASE, + IPA_DESKPROFILE_REFRESH, + IPA_DESKPROFILE_REQUEST_INTERVAL, + + IPA_OPTS_BASIC /* opts counter */ +}; + +enum ipa_netgroup_attrs { + IPA_OC_NETGROUP = 0, + IPA_AT_NETGROUP_NAME, + IPA_AT_NETGROUP_MEMBER, + IPA_AT_NETGROUP_MEMBER_OF, + IPA_AT_NETGROUP_MEMBER_USER, + IPA_AT_NETGROUP_MEMBER_HOST, + IPA_AT_NETGROUP_EXTERNAL_HOST, + IPA_AT_NETGROUP_DOMAIN, + 
IPA_AT_NETGROUP_UUID, + + IPA_OPTS_NETGROUP /* attrs counter */ +}; + +enum ipa_hostgroup_attrs { + IPA_OC_HOSTGROUP = 0, + IPA_AT_HOSTGROUP_NAME, + IPA_AT_HOSTGROUP_MEMBER_OF, + IPA_AT_HOSTGROUP_UUID, + + IPA_OPTS_HOSTGROUP /* attrs counter */ +}; + +enum ipa_selinux_usermap_attrs { + IPA_OC_SELINUX_USERMAP = 0, + IPA_AT_SELINUX_USERMAP_NAME, + IPA_AT_SELINUX_USERMAP_MEMBER_USER, + IPA_AT_SELINUX_USERMAP_MEMBER_HOST, + IPA_AT_SELINUX_USERMAP_SEE_ALSO, + IPA_AT_SELINUX_USERMAP_SELINUX_USER, + IPA_AT_SELINUX_USERMAP_ENABLED, + IPA_AT_SELINUX_USERMAP_USERCAT, + IPA_AT_SELINUX_USERMAP_HOSTCAT, + IPA_AT_SELINUX_USERMAP_UUID, + + IPA_OPTS_SELINUX_USERMAP /* attrs counter */ +}; + +enum ipa_view_attrs { + IPA_OC_VIEW = 0, + IPA_AT_VIEW_NAME, + + IPA_OPTS_VIEW +}; + +enum ipa_override_attrs { + IPA_OC_OVERRIDE = 0, + IPA_AT_OVERRIDE_ANCHOR_UUID, + IPA_OC_OVERRIDE_USER, + IPA_OC_OVERRIDE_GROUP, + IPA_AT_OVERRIDE_USER_NAME, + IPA_AT_OVERRIDE_UID_NUMBER, + IPA_AT_OVERRIDE_USER_GID_NUMBER, + IPA_AT_OVERRIDE_GECOS, + IPA_AT_OVERRIDE_HOMEDIR, + IPA_AT_OVERRIDE_SHELL, + IPA_AT_OVERRIDE_GROUP_NAME, + IPA_AT_OVERRIDE_GROUP_GID_NUMBER, + IPA_AT_OVERRIDE_USER_SSH_PUBLIC_KEY, + IPA_AT_OVERRIDE_USER_CERT, + + IPA_OPTS_OVERRIDE +}; + +enum ipa_sudorule_attrs { + IPA_OC_SUDORULE = 0, + IPA_AT_SUDORULE_NAME, + IPA_AT_SUDORULE_UUID, + IPA_AT_SUDORULE_ENABLED, + IPA_AT_SUDORULE_OPTION, + IPA_AT_SUDORULE_RUNASUSER, + IPA_AT_SUDORULE_RUNASGROUP, + IPA_AT_SUDORULE_ALLOWCMD, + IPA_AT_SUDORULE_DENYCMD, + IPA_AT_SUDORULE_HOST, + IPA_AT_SUDORULE_USER, + IPA_AT_SUDORULE_NOTAFTER, + IPA_AT_SUDORULE_NOTBEFORE, + IPA_AT_SUDORULE_SUDOORDER, + IPA_AT_SUDORULE_CMDCATEGORY, + IPA_AT_SUDORULE_HOSTCATEGORY, + IPA_AT_SUDORULE_USERCATEGORY, + IPA_AT_SUDORULE_RUNASUSERCATEGORY, + IPA_AT_SUDORULE_RUNASGROUPCATEGORY, + IPA_AT_SUDORULE_RUNASEXTUSER, + IPA_AT_SUDORULE_RUNASEXTGROUP, + IPA_AT_SUDORULE_RUNASEXTUSERGROUP, + IPA_AT_SUDORULE_EXTUSER, + IPA_AT_SUDORULE_ENTRYUSN, + + IPA_OPTS_SUDORULE +}; + +enum 
ipa_sudocmdgroup_attrs { + IPA_OC_SUDOCMDGROUP = 0, + IPA_AT_SUDOCMDGROUP_UUID, + IPA_AT_SUDOCMDGROUP_NAME, + IPA_AT_SUDOCMDGROUP_MEMBER, + IPA_AT_SUDOCMDGROUP_ENTRYUSN, + + IPA_OPTS_SUDOCMDGROUP +}; + +enum ipa_sudocmd_attrs { + IPA_OC_SUDOCMD = 0, + IPA_AT_SUDOCMD_UUID, + IPA_AT_SUDOCMD_CMD, + IPA_AT_SUDOCMD_MEMBEROF, + + IPA_OPTS_SUDOCMD +}; + +enum ipa_cli_ad_subdom_attrs { + IPA_CLI_AD_SERVER, + IPA_CLI_AD_SITE, + + IPA_OPTS_CLI_AD_SUBDOM +}; + +struct ipa_auth_ctx { + struct krb5_ctx *krb5_auth_ctx; + struct sdap_id_ctx *sdap_id_ctx; + struct sdap_auth_ctx *sdap_auth_ctx; + struct dp_option *ipa_options; +}; + +/* In server mode, each subdomain corresponds to an AD context */ + +struct ipa_id_ctx { + struct sdap_id_ctx *sdap_id_ctx; + struct ipa_options *ipa_options; + + char *view_name; + /* Only used with server mode */ + struct ipa_server_mode_ctx *server_mode; +}; + +struct ipa_options { + struct dp_option *basic; + + struct sdap_attr_map *hostgroup_map; + struct sdap_attr_map *selinuxuser_map; + struct sdap_attr_map *view_map; + struct sdap_attr_map *override_map; + + struct sdap_search_base **hbac_search_bases; + struct sdap_search_base **selinux_search_bases; + struct sdap_search_base **subdomains_search_bases; + struct sdap_search_base **master_domain_search_bases; + struct sdap_search_base **ranges_search_bases; + struct sdap_search_base **views_search_bases; + struct sdap_search_base **deskprofile_search_bases; + struct ipa_service *service; + + /* id provider */ + struct sdap_options *id; + struct ipa_id_ctx *id_ctx; + struct be_resolv_ctx *be_res; + struct be_nsupdate_ctx *dyndns_ctx; + + /* auth and chpass provider */ + struct dp_option *auth; + struct ipa_auth_ctx *auth_ctx; +}; + +#define IPA_RANGE_LOCAL "ipa-local" +#define IPA_RANGE_AD_TRUST "ipa-ad-trust" +#define IPA_RANGE_AD_TRUST_POSIX "ipa-ad-trust-posix" + +/* options parsers */ +int ipa_get_options(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct 
sss_domain_info *dom, + struct ipa_options **_opts); + +int ipa_get_id_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct data_provider *dp, + struct sdap_options **_opts); + +int ipa_get_auth_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct dp_option **_opts); + +int ipa_get_autofs_options(struct ipa_options *ipa_opts, + struct confdb_ctx *cdb, + const char *conf_path, + struct sdap_options **_opts); + +errno_t ipa_get_dyndns_options(struct be_ctx *be_ctx, + struct ipa_options *ctx); + +errno_t ipa_hostid_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct dp_method *dp_methods); + +errno_t ipa_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct dp_method *dp_methods); + +int ipa_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, + const char *primary_servers, + const char *backup_servers, + struct ipa_options *options, + struct ipa_service **_service); + +int ipa_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct dp_method *dp_methods); + +errno_t get_idmap_data_from_range(struct range_info *r, char *domain_name, + char **_name, char **_sid, uint32_t *_rid, + struct sss_idmap_range *_range, + bool *_external_mapping); + +errno_t ipa_idmap_get_ranges_from_sysdb(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str, + bool allow_collisions); + +errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx, + struct sdap_id_ctx *id_ctx, + struct sdap_idmap_ctx **_idmap_ctx); + + +struct krb5_ctx *ipa_init_get_krb5_auth_ctx(void *data); + +errno_t ipa_get_host_attrs(struct dp_option *ipa_options, + size_t host_count, + struct sysdb_attrs **hosts, + struct sysdb_attrs **_ipa_host); + +#endif /* _IPA_COMMON_H_ */ diff --git a/src/providers/ipa/ipa_config.c b/src/providers/ipa/ipa_config.c new file mode 100644 index 0000000..0d564f5 
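Review bot: The prototypes for `ipa_get_auth_options` and `ipa_service_init` near the end of this header say nothing about call order, yet ipa_common.c in this same patch has `ipa_get_auth_options` assign `ipa_opts->service->krb5_service->write_kdcinfo` without checking `ipa_opts->service`. A caller that parses auth options before `service` points at an initialised `struct ipa_service` would dereference NULL, so the contract belongs above the prototype, e.g. `/* ipa_opts->service and its krb5_service must already be initialised; both are dereferenced unconditionally */`. The same comment could record that `ipa_service_init` creates the krb5 service with kdcinfo writing enabled and that `KRB5_USE_KDCINFO` is only applied once the auth options are read, so the resolve callback may write kdcinfo files in between.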
--- /dev/null
+++ b/src/providers/ipa/ipa_config.c
@@ -0,0 +1,157 @@
+/*
+ SSSD
+
+ IPA Backend Module -- configuration retrieval
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ipa/ipa_config.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_async.h"
+
+struct ipa_get_config_state {
+ char *base;
+ const char **attrs;
+
+ struct sysdb_attrs *config;
+};
+
+static void ipa_get_config_done(struct tevent_req *subreq);
+
+struct tevent_req *
+ipa_get_config_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ const char *domain,
+ const char **attrs)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct ipa_get_config_state *state;
+ errno_t ret;
+ char *ldap_basedn;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_get_config_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (attrs == NULL) {
+ state->attrs = talloc_zero_array(state, const char *, 4);
+ if (state->attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->attrs[0] = IPA_CONFIG_MIGRATION_ENABLED;
+ state->attrs[1] = IPA_CONFIG_SELINUX_DEFAULT_USER_CTX;
+ state->attrs[2] = IPA_CONFIG_SELINUX_MAP_ORDER;
+ state->attrs[3] = NULL;
+ } else {
+ state->attrs = attrs;
+ }
+
+ ret = domain_to_basedn(state, domain, &ldap_basedn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
+ goto done;
+ }
+
+ state->base = talloc_asprintf(state, IPA_CONFIG_SEARCH_BASE_TEMPLATE,
+ ldap_basedn);
+ if (state->base == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ subreq = sdap_get_generic_send(state, ev, opts,
+ sh, state->base,
+ LDAP_SCOPE_SUBTREE, IPA_CONFIG_FILTER,
+ state->attrs, NULL, 0,
+ dp_opt_get_int(opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ipa_get_config_done, req);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void ipa_get_config_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_get_config_state *state = tevent_req_data(req,
+ struct ipa_get_config_state);
+ size_t reply_count;
+ struct sysdb_attrs **reply = NULL;
+ errno_t ret;
+
+ ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret) {
+ goto done;
+ }
+
+ if (reply_count != 1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected number of results, expected 1, "
+ "got %zu.\n", reply_count);
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->config = reply[0];
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+}
+
+errno_t ipa_get_config_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **config)
+{
+ struct ipa_get_config_state *state = tevent_req_data(req,
+ struct ipa_get_config_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *config = talloc_steal(mem_ctx, state->config);
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_config.h b/src/providers/ipa/ipa_config.h
new file mode 100644
index 0000000..60f2d5d
--- /dev/null
+++ b/src/providers/ipa/ipa_config.h
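Review bot: In `ipa_get_config_send` the `else` branch stores the caller's pointer as is, `state->attrs = attrs;`, so the request state borrows an array it does not own, whereas the default list is allocated on `state`. The request finishes later in `ipa_get_config_done`, and whether `sdap_get_generic_send` copies the list is not visible in this hunk, so a caller passing a stack or short-lived array could leave the request reading released memory. Either state the requirement above the function, e.g. `/* attrs, if non-NULL, is borrowed and must stay valid until the request completes */`, or duplicate the list onto `state`. `domain` also reaches `domain_to_basedn` unchecked; if that helper does not accept NULL, reject it up front with `EINVAL`.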
@@ -0,0 +1,53 @@
+/*
+ SSSD
+
+ IPA Backend Module -- configuration retrieval header
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_CONFIG_H_
+#define IPA_CONFIG_H_
+
+#include
+#include
+
+#include "providers/ldap/ldap_common.h"
+#include "db/sysdb.h"
+
+#define IPA_CONFIG_SELINUX_DEFAULT_USER_CTX "ipaSELinuxUserMapDefault"
+#define IPA_CONFIG_SELINUX_MAP_ORDER "ipaSELinuxUserMapOrder"
+#define IPA_CONFIG_MIGRATION_ENABLED "ipaMigrationEnabled"
+#define IPA_CONFIG_SEARCH_BASE_TEMPLATE "cn=etc,%s"
+#define IPA_CONFIG_FILTER "(&(cn=ipaConfig)(objectClass=ipaGuiConfig))"
+
+#define IPA_OC_CONFIG "ipaConfig"
+
+struct tevent_req * ipa_get_config_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ const char *domain,
+ const char **attrs);
+
+errno_t ipa_get_config_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **config);
+
+#endif /* IPA_CONFIG_H_ */
diff --git a/src/providers/ipa/ipa_deskprofile_config.c b/src/providers/ipa/ipa_deskprofile_config.c
new file mode 100644
index 0000000..8c66dda
--- /dev/null
+++ b/src/providers/ipa/ipa_deskprofile_config.c
@@ -0,0 +1,156 @@
+/*
+ SSSD
+
+ Authors:
+ Fabiano Fidêncio
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ipa/ipa_deskprofile_private.h"
+#include "providers/ipa/ipa_deskprofile_config.h"
+#include "providers/ldap/sdap_async.h"
+
+struct ipa_deskprofile_config_state {
+ struct sysdb_attrs *config;
+};
+
+static void
+ipa_deskprofile_get_config_done(struct tevent_req *subreq);
+
+struct tevent_req *
+ipa_deskprofile_get_config_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ struct dp_option *ipa_opts)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq;
+ struct ipa_deskprofile_rule_state *state;
+ char *rule_filter;
+ const char *attrs[] = { IPA_DESKPROFILE_PRIORITY, NULL };
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_deskprofile_config_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed.\n");
+ return NULL;
+ }
+
+ rule_filter = talloc_asprintf(state, "(objectclass=%s)",
+ IPA_DESKPROFILE_CONFIG);
+ if (rule_filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ subreq = sdap_get_generic_send(state, ev, opts, sh,
+ dp_opt_get_string(ipa_opts,
+ IPA_DESKPROFILE_SEARCH_BASE),
+ LDAP_SCOPE_BASE, rule_filter,
+ attrs, NULL, 0,
+ dp_opt_get_int(opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n");
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, ipa_deskprofile_get_config_done, req);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static void
+ipa_deskprofile_get_config_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct ipa_deskprofile_config_state *state;
+ size_t reply_count;
+ struct sysdb_attrs **reply = NULL;
+ errno_t ret;
+
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_deskprofile_config_state);
+
+ ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not retrieve Desktop Profile config\n");
+ goto done;
+ }
+
+ if (reply_count == 0) {
+ /*
+ * When connecting to an old server that doesn't support Desktop
+ * Profile, the reply_count will be zero.
+ * In order to not throw a unnecessary error and fail let's just
+ * return ENOENT and print a debug message about it.
+ */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Server doesn't support Desktop Profile.\n");
+ ret = ENOENT;
+ goto done;
+ } else if (reply_count != 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unexpected number of results, expected 1, got %zu.\n",
+ reply_count);
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->config = reply[0];
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t
+ipa_deskprofile_get_config_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **config)
+{
+ struct ipa_deskprofile_config_state *state;
+
+ state = tevent_req_data(req, struct ipa_deskprofile_config_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *config = talloc_steal(mem_ctx, state->config);
+
+ return EOK;
+}
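Review bot: `ipa_deskprofile_get_config_send` declares `struct ipa_deskprofile_rule_state *state;` but creates the request with `struct ipa_deskprofile_config_state`. The mismatch goes unnoticed presumably because `state` is only ever used as a talloc context in this function; the declaration should read `struct ipa_deskprofile_config_state *state;`. In the same function `attrs` is a stack array handed to `sdap_get_generic_send` while the request outlives this frame, so unless that call copies the list (not visible in this hunk) it should be allocated on `state`, as `ipa_get_config_send` does for its default list. `ipa_deskprofile_get_config_done` also omits the `talloc_zfree(subreq);` that `ipa_get_config_done` performs right after its recv call, leaving the sub-request allocated until the parent request is freed.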
diff --git a/src/providers/ipa/ipa_deskprofile_config.h b/src/providers/ipa/ipa_deskprofile_config.h new file mode 100644 index 0000000..c4a05b2 --- /dev/null +++ b/src/providers/ipa/ipa_deskprofile_config.h @@ -0,0 +1,45 @@ +/* + SSSD + + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef IPA_DESKPROFILE_CONFIG_H_ +#define IPA_DESKPROFILE_CONFIG_H_ + +#include +#include + +#include "providers/ldap/ldap_common.h" +#include "db/sysdb.h" + +/* From ipa_deskprofile_config.c */ +struct tevent_req * +ipa_deskprofile_get_config_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + struct dp_option *ipa_opts); + +errno_t +ipa_deskprofile_get_config_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct sysdb_attrs **config); + +#endif /* IPA_DESKPROFILE_CONFIG_H_ */ diff --git a/src/providers/ipa/ipa_deskprofile_private.h b/src/providers/ipa/ipa_deskprofile_private.h new file mode 100644 index 0000000..1db154b --- /dev/null +++ b/src/providers/ipa/ipa_deskprofile_private.h 
@@ -0,0 +1,50 @@
+/*
+ SSSD
+
+ Authors:
+ Fabiano Fidêncio
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_DESKPROFILE_PRIVATE_H_
+#define IPA_DESKPROFILE_PRIVATE_H_
+
+#define IPA_DESKPROFILE_CONFIG "ipaDeskProfileConfig"
+#define IPA_DESKPROFILE_RULE "ipaDeskProfileRule"
+#define IPA_DESKPROFILE_PRIORITY "ipaDeskProfilePriority"
+#define IPA_DESKPROFILE_DATA "ipaDeskData"
+
+#define DESKPROFILE_HOSTS_SUBDIR "deskprofile_hosts"
+#define DESKPROFILE_HOSTGROUPS_SUBDIR "deskprofile_hostgroups"
+
+#define IPA_SESSION_RULE_TYPE "sessionRuleType"
+
+#define IPA_DESKPROFILE_BASE_TMPL "cn=desktop-profile,%s"
+
+#define SYSDB_DESKPROFILE_BASE_TMPL "cn=desktop-profile,"SYSDB_TMPL_CUSTOM_BASE
+
+#define DESKPROFILE_RULES_SUBDIR "deskprofile_rules"
+
+#define DESKPROFILE_CONFIG_SUBDIR "deskprofile_config"
+
+struct deskprofile_rule {
+ const char *name;
+ int priority;
+ const char *data;
+};
+
+#endif /* IPA_DESKPROFILE_PRIVATE_H_ */
diff --git a/src/providers/ipa/ipa_deskprofile_rules.c b/src/providers/ipa/ipa_deskprofile_rules.c
new file mode 100644
index 0000000..6599435
--- /dev/null
+++ b/src/providers/ipa/ipa_deskprofile_rules.c
@@ -0,0 +1,367 @@ +/* + SSSD + + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ipa/ipa_rules_common.h" +#include "providers/ipa/ipa_deskprofile_private.h" +#include "providers/ipa/ipa_deskprofile_rules.h" +#include "providers/ipa/ipa_deskprofile_rules_util.h" + +struct ipa_deskprofile_rule_state { + struct tevent_context *ev; + struct sdap_handle *sh; + struct sdap_options *opts; + + int search_base_iter; + struct sdap_search_base **search_bases; + + const char **attrs; + char *rules_filter; + char *cur_filter; + + size_t rule_count; + struct sysdb_attrs **rules; +}; + +static errno_t +ipa_deskprofile_rule_info_next(struct tevent_req *req, + struct ipa_deskprofile_rule_state *state); +static void +ipa_deskprofile_rule_info_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_deskprofile_rule_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sysdb_attrs *ipa_host, + struct sss_domain_info *domain, + const char *username) +{ + struct tevent_req *req = NULL; + struct ipa_deskprofile_rule_state *state; + char *user; + char *group; + char *host_dn_clean; + char *group_clean; + char *host_group_clean; + 
char *rule_filter; + const char *host_dn; + const char **memberof_list; + char **groups_list; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ipa_deskprofile_rule_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + if (ipa_host == NULL) { + ret = EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n"); + goto immediate; + } + + ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n"); + goto immediate; + } + + ret = sss_filter_sanitize(state, host_dn, &host_dn_clean); + if (ret != EOK) { + goto immediate; + } + + state->ev = ev; + state->sh = sh; + state->opts = opts; + state->search_bases = search_bases; + state->search_base_iter = 0; + state->attrs = deskprofile_get_attrs_to_get_cached_rules(state); + if (state->attrs == NULL) { + ret = ENOMEM; + DEBUG(SSSDBG_CRIT_FAILURE, + "deskprofile_get_attrs_get_cached_rules() failed\n"); + goto immediate; + } + + rule_filter = talloc_asprintf(state, + "(&(objectclass=%s)" + "(%s=%s)" + "(|(%s=%s)(%s=%s)(%s=%s)", + IPA_DESKPROFILE_RULE, + IPA_ENABLED_FLAG, IPA_TRUE_VALUE, + IPA_HOST_CATEGORY, "all", + IPA_USER_CATEGORY, "all", + IPA_MEMBER_HOST, host_dn_clean); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + + /* Add all parent groups of ipa_hostname to the filter */ + ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF, + state, &memberof_list); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n"); + } else if (ret == ENOENT) { + /* This host is not a member of any hostgroups */ + memberof_list = talloc_array(state, const char *, 1); + if (memberof_list == NULL) { + ret = ENOMEM; + goto immediate; + } + memberof_list[0] = NULL; + } + + for (size_t i = 0; memberof_list[i] != NULL; i++) { + ret = sss_filter_sanitize(state, + memberof_list[i], + &host_group_clean); + if (ret != EOK) { 
+ DEBUG(SSSDBG_CRIT_FAILURE, + "sss_filter_sanitize() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + + rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)", + IPA_MEMBER_HOST, + host_group_clean); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + } + + /* Add the username to the filter */ + ret = sss_parse_internal_fqname(state, username, &user, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_parse_internal_fqname() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + + rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)", + IPA_MEMBER_USER, user); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + + /* Add all parent groups of `username` to the filter */ + ret = get_sysdb_grouplist(state, domain->sysdb, domain, username, + &groups_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "get_sysdb_grouplist() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + + for (size_t i = 0; groups_list[i] != NULL; i++) { + ret = sss_filter_sanitize(state, groups_list[i], &group_clean); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_filter_sanitize() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + + ret = sss_parse_internal_fqname(state, group_clean, &group, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_parse_internal_fqname() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + + rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)", + IPA_MEMBER_USER, group); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + } + + rule_filter = talloc_asprintf_append(rule_filter, "))"); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + state->rules_filter = talloc_steal(state, rule_filter); + + ret = ipa_deskprofile_rule_info_next(req, state); + if (ret != EAGAIN) { + if (ret == EOK) { + /* ipa_deskprofile_rule_info_next should always have a search base + * 
when called for the first time. + * + * For the subsequent iterations, not finding any more search bases + * is fine though (thus the function returns EOK). + * + * As, here, it's the first case happening, let's return EINVAL. + */ + DEBUG(SSSDBG_CRIT_FAILURE, "No search base found\n"); + ret = EINVAL; + } + goto immediate; + } + + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t +ipa_deskprofile_rule_info_next(struct tevent_req *req, + struct ipa_deskprofile_rule_state *state) +{ + struct tevent_req *subreq; + struct sdap_search_base *base; + + base = state->search_bases[state->search_base_iter]; + if (base == NULL) { + return EOK; + } + + talloc_zfree(state->cur_filter); + state->cur_filter = sdap_combine_filters(state, state->rules_filter, + base->filter); + if (state->cur_filter == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Sending request for next search base: [%s][%d][%s]\n", + base->basedn, base->scope, state->cur_filter); + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + base->basedn, base->scope, + state->cur_filter, state->attrs, + NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_ENUM_SEARCH_TIMEOUT), + true); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n"); + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_deskprofile_rule_info_done, req); + + return EAGAIN; +} + +static void +ipa_deskprofile_rule_info_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req; + struct ipa_deskprofile_rule_state *state; + size_t rule_count; + size_t total_count; + struct sysdb_attrs **rules; + struct sysdb_attrs **target; + int i; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_deskprofile_rule_state); + + ret = sdap_get_generic_recv(subreq, state, + &rule_count, + &rules); 
+ if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not retrieve Desktop Profile rules\n"); + goto fail; + } + + if (rule_count > 0) { + total_count = rule_count + state->rule_count; + state->rules = talloc_realloc(state, state->rules, + struct sysdb_attrs *, + total_count); + if (state->rules == NULL) { + ret = ENOMEM; + goto fail; + } + + i = 0; + while (state->rule_count < total_count) { + target = &state->rules[state->rule_count]; + *target = talloc_steal(state->rules, rules[i]); + + state->rule_count++; + i++; + } + } + + state->search_base_iter++; + ret = ipa_deskprofile_rule_info_next(req, state); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + goto fail; + } else if (ret == EOK && state->rule_count == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "No rules apply to this host\n"); + tevent_req_error(req, ENOENT); + return; + } + + /* We went through all search bases and we have some results */ + tevent_req_done(req); + + return; + +fail: + tevent_req_error(req, ret); +} + +errno_t +ipa_deskprofile_rule_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_rule_count, + struct sysdb_attrs ***_rules) +{ + struct ipa_deskprofile_rule_state *state; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + state = tevent_req_data(req, struct ipa_deskprofile_rule_state); + + *_rule_count = state->rule_count; + *_rules = talloc_steal(mem_ctx, state->rules); + + return EOK; +} diff --git a/src/providers/ipa/ipa_deskprofile_rules.h b/src/providers/ipa/ipa_deskprofile_rules.h new file mode 100644 index 0000000..313e526 --- /dev/null +++ b/src/providers/ipa/ipa_deskprofile_rules.h 
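Review bot: In ipa_deskprofile_rule_info_send the short user name returned by sss_parse_internal_fqname() is appended to the LDAP filter as `(%s=%s)` under IPA_MEMBER_USER without passing through sss_filter_sanitize(), whereas the host DN, the host groups and the user's groups are all escaped first. A name containing filter metacharacters would then change the search expression instead of being matched literally, so it should be escaped the same way before the append, as in the excerpt below. Separately, when sysdb_attrs_get_string_array() fails with anything other than ENOENT the code only logs "Could not identify." and falls through to the loop over `memberof_list`, which was never assigned on that path; that branch should end in `goto immediate;`.

```c
    char *user_clean;
    /* … unchanged: request setup, host and hostgroup filter parts … */

    /* Add the username to the filter */
    ret = sss_parse_internal_fqname(state, username, &user, NULL);
    /* … unchanged: error handling for sss_parse_internal_fqname() … */

    /* Escape the short name like every other value placed in the filter */
    ret = sss_filter_sanitize(state, user, &user_clean);
    if (ret != EOK) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "sss_filter_sanitize() failed [%d]: %s\n",
              ret, sss_strerror(ret));
        goto immediate;
    }

    rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)",
                                         IPA_MEMBER_USER, user_clean);
```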
@@ -0,0 +1,43 @@
+/*
+ SSSD
+
+ Authors:
+ Fabiano Fidêncio
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_DESKPROFILE_RULES_H_
+#define IPA_DESKPROFILE_RULES_H_
+
+/* From ipa_deskprofile_rules.c */
+struct tevent_req *
+ipa_deskprofile_rule_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ struct sdap_search_base **search_bases,
+ struct sysdb_attrs *ipa_host,
+ struct sss_domain_info *domain,
+ const char *username);
+
+errno_t
+ipa_deskprofile_rule_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *rule_count,
+ struct sysdb_attrs ***rules);
+
+#endif /* IPA_DESKPROFILE_RULES_H_ */
diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.c b/src/providers/ipa/ipa_deskprofile_rules_util.c
new file mode 100644
index 0000000..991c605
--- /dev/null
+++ b/src/providers/ipa/ipa_deskprofile_rules_util.c
@@ -0,0 +1,1149 @@ +/* + SSSD + + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ipa/ipa_deskprofile_rules_util.h" +#include "providers/ipa/ipa_deskprofile_private.h" +#include "providers/ipa/ipa_rules_common.h" +#include +#include + +#define DESKPROFILE_GLOBAL_POLICY_MIN_VALUE 1 +#define DESKPROFILE_GLOBAL_POLICY_MAX_VALUE 24 + +enum deskprofile_name { + RULES_DIR = 0, + DOMAIN, + USERNAME, + PRIORITY, + USER, + GROUP, + HOST, + HOSTGROUP, + RULE_NAME, + EXTENSION, + DESKPROFILE_NAME_SENTINEL +}; + +/* + * The rule's filename has to follow a global policy, used by FleetCommander + * client that shows how the profile should be applied. 
+ * + * This global policy is represented by an integer from 1 to 24 (inclusive) and + * has the following meaning: + * 1 = user, group, host, hostgroup + * 2 = user, group, hostgroup, host + * 3 = user, host, group, hostgroup + * 4 = user, host, hostgroup, group + * 5 = user, hostgroup, group, host + * 6 = user, hostgroup, host, group + * 7 = group, user, host, hostgroup + * 8 = group, user, hostgroup, host + * 9 = group, host, user, hostgroup + * 10 = group, host, hostgroup, user + * 11 = group, hostgroup, user, host + * 12 = group, hostgroup, host, user + * 13 = host, user, group, hostgroup + * 14 = host, user, hostgroup, group + * 15 = host, group, user, hostgroup + * 16 = host, group, hostgroup, user + * 17 = host, hostgroup, user, group + * 18 = host, hostgroup, group, user + * 19 = hostgroup, user, group, host + * 20 = hostgroup, user, host, group + * 21 = hostgroup, group, user, host + * 22 = hostgroup, group, host, user + * 23 = hostgroup, host, user, group + * 24 = hostgroup, host, group, user + * + * Having the table above in mind and considering the following example: + * - rule name: testrule + * - policy: 22 + * - priority: 420 + * - client's machine matches: host and group + * + * So, the filename will be: "000420_000000_000420_000420_000000_testrule.json" + * + * The function below not only helps us to create this filename in the correct + * format, but also create the whole path for this rule's file. 
+ * + * An example of the full path would be: + * "/var/lib/sss/deskprofile/ipa.example/user_foobar/000420_000000_000420_000420_000000_testrule.json" + * | RULES DIR | DOMAIN | USERNAME | | |GROUP | HOST | USER | | + * PRIORITY RULE NAME + * HOSTGROUP EXTENSION + * + * In case a element has to be added/remove, please, remember to update: + * - deskprofile_name enum; + * - permuts's matrix; + * - vals array; + */ +errno_t +ipa_deskprofile_get_filename_path(TALLOC_CTX *mem_ctx, + uint16_t config_priority, + const char *rules_dir, + const char *domain, + const char *username, + const char *priority, + const char *user_priority, + const char *group_priority, + const char *host_priority, + const char *hostgroup_priority, + const char *rule_name, + const char *extension, + char **_filename_path) +{ + TALLOC_CTX *tmp_ctx; + static const uint8_t permuts[][DESKPROFILE_NAME_SENTINEL] = { + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, USER, GROUP, HOST, HOSTGROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, USER, GROUP, HOSTGROUP, HOST, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, USER, HOST, GROUP, HOSTGROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, USER, HOST, HOSTGROUP, GROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, USER, HOSTGROUP, GROUP, HOST, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, USER, HOSTGROUP, HOST, GROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, GROUP, USER, HOST, HOSTGROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, GROUP, USER, HOSTGROUP, HOST, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, GROUP, HOST, USER, HOSTGROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, GROUP, HOST, HOSTGROUP, USER, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, GROUP, HOSTGROUP, USER, HOST, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, GROUP, HOSTGROUP, 
HOST, USER, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOST, USER, GROUP, HOSTGROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOST, USER, HOSTGROUP, GROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOST, GROUP, USER, HOSTGROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOST, GROUP, HOSTGROUP, USER, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOST, HOSTGROUP, USER, GROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOST, HOSTGROUP, GROUP, USER, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOSTGROUP, USER, GROUP, HOST, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOSTGROUP, USER, HOST, GROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOSTGROUP, GROUP, USER, HOST, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOSTGROUP, GROUP, HOST, USER, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOSTGROUP, HOST, USER, GROUP, RULE_NAME, EXTENSION}, + {RULES_DIR, DOMAIN, USERNAME, PRIORITY, HOSTGROUP, HOST, GROUP, USER, RULE_NAME, EXTENSION}, + }; + const char *vals[] = { + rules_dir, + domain, + username, + priority, + user_priority, + group_priority, + host_priority, + hostgroup_priority, + rule_name, + extension, + NULL, + }; + const uint8_t *perms; + char *result; + errno_t ret; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + if (config_priority < DESKPROFILE_GLOBAL_POLICY_MIN_VALUE || + config_priority > DESKPROFILE_GLOBAL_POLICY_MAX_VALUE) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The configuration priority has an invalid value: %d!\n", + config_priority); + ret = EINVAL; + goto done; + } + + perms = permuts[config_priority - 1]; + + result = talloc_strdup(tmp_ctx, ""); + if (result == NULL) { + ret = ENOMEM; + goto done; + } + + for (int i = 0; i < DESKPROFILE_NAME_SENTINEL; i++) { + switch(perms[i]) { + case 
RULES_DIR: + case DOMAIN: + case USERNAME: + result = talloc_asprintf_append(result, "%s/", vals[perms[i]]); + break; + case PRIORITY: + case USER: + case GROUP: + case HOST: + case HOSTGROUP: + result = talloc_asprintf_append(result, "%s_", vals[perms[i]]); + break; + case RULE_NAME: + result = talloc_asprintf_append(result, "%s", vals[perms[i]]); + break; + case EXTENSION: + result = talloc_asprintf_append(result, ".%s", vals[perms[i]]); + break; + default: + DEBUG(SSSDBG_MINOR_FAILURE, + "This situation should never happen\n"); + ret = EINVAL; + goto done; + } + + if (result == NULL) { + ret = ENOMEM; + goto done; + } + } + + *_filename_path = talloc_steal(mem_ctx, result); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +ipa_deskprofile_rules_create_user_dir( + const char *username, /* fully-qualified */ + uid_t uid, + gid_t gid) +{ + TALLOC_CTX *tmp_ctx; + char *shortname; + char *domain; + char *domain_dir; + errno_t ret; + mode_t old_umask; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sss_parse_internal_fqname(tmp_ctx, username, &shortname, &domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_parse_internal_fqname() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + old_umask = umask(0026); + ret = sss_create_dir(IPA_DESKPROFILE_RULES_USER_DIR, domain, 0751, + getuid(), getgid()); + umask(old_umask); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to create the directory \"%s/%s\" that would be used to " + "store the Desktop Profile rules users' directory [%d]: %s\n", + IPA_DESKPROFILE_RULES_USER_DIR, domain, + ret, sss_strerror(ret)); + goto done; + } + + domain_dir = talloc_asprintf(tmp_ctx, IPA_DESKPROFILE_RULES_USER_DIR"/%s", + domain); + if (domain_dir == NULL) { + ret = ENOMEM; + goto done; + } + + /* In order to read, create and traverse the directory, we need to have its + * permissions set as 'rwx------' (700). 
*/ + old_umask = umask(0077); + ret = sss_create_dir(domain_dir, shortname, 0700, uid, gid); + umask(old_umask); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to create the directory \"%s/%s/%s\" that would be used " + "to store the Desktop Profile rules for the user \"%s\" [%d]: " + "%s\n", + IPA_DESKPROFILE_RULES_USER_DIR, domain, shortname, username, + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_deskprofile_get_normalized_rule_name(TALLOC_CTX *mem_ctx, + const char *name, + char **_rule_name) +{ + char buffer[PATH_MAX]; + size_t buffer_len; + size_t name_len; + + name_len = strlen(name); + buffer_len = 0; + for (size_t i = 0; i < name_len; i++) { + char character; + bool replace; + + character = name[i]; + replace = false; + + if (isalnum(character) == 0) { + char next_character; + + next_character = name[i+1]; + if (i + 1 >= name_len || isalnum(next_character) == 0) { + continue; + } + + replace = true; + } + + buffer[buffer_len] = replace ? 
'_' : character; + buffer_len++; + } + buffer[buffer_len] = '\0'; + + *_rule_name = talloc_strdup(mem_ctx, buffer); + if (*_rule_name == NULL) { + return ENOMEM; + } + + return EOK; +} + +static errno_t +ipa_deskprofile_rule_check_memberuser( + TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sysdb_attrs *rule, + const char *rule_name, + const char *rule_prio, + const char *base_dn, + const char *username, /* fully-qualified */ + char **_user_prio, + char **_group_prio) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message_element *el; + struct ldb_result *res; + size_t num_groups; + char **groups = NULL; + const char *fqgroupname = NULL; + char *groupname = NULL; + char *shortname; + char *domainname; + char *data; + char *memberuser; + char *membergroup; + char *user_prio; + char *group_prio; + bool user = false; + bool group = false; + errno_t ret; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sss_parse_internal_fqname(tmp_ctx, username, + &shortname, &domainname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_parse_internal_fqname() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_initgroups(tmp_ctx, domain, username, &res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_initgroups() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (res->count == 0) { + /* This really should NOT happen at this point */ + DEBUG(SSSDBG_MINOR_FAILURE, + "User [%s] not found in cache\n", username); + ret = ENOENT; + goto done; + } + + groups = talloc_array(tmp_ctx, char *, res->count); + if (groups == NULL) { + ret = ENOMEM; + goto done; + } + + num_groups = 0; + /* Start counting from 1 to exclude the user entry */ + for (size_t i = 1; i < res->count; i++) { + fqgroupname = ldb_msg_find_attr_as_string(res->msgs[i], + SYSDB_NAME, + NULL); + if (fqgroupname == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Skipping malformed entry [%s]\n", + 
ldb_dn_get_linearized(res->msgs[i]->dn)); + continue; + } + + ret = sss_parse_internal_fqname(tmp_ctx, fqgroupname, + &groupname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Malformed name %s, skipping!\n", fqgroupname); + continue; + } + + groups[num_groups] = groupname; + num_groups++; + } + groups[num_groups] = NULL; + + ret = sysdb_attrs_get_el(rule, IPA_MEMBER_USER, &el); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule memberUser for rule " + "\"%s\" [%d]: %s\n", + rule_name, ret, sss_strerror(ret)); + + goto done; + } + + memberuser = talloc_asprintf(tmp_ctx, "uid=%s,cn=users,cn=accounts,%s", + shortname, base_dn); + if (memberuser == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate memberuser\n"); + ret = ENOMEM; + goto done; + } + + for (size_t i = 0; i < el->num_values; i++) { + if (user && group) { + break; + } + + data = (char *)el->values[i].data; + + if (!user && data != NULL && strcmp(memberuser, data) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Desktop Profile rule \"%s\" matches with the user \"%s\" " + "for the \"%s\" domain!\n", + rule_name, shortname, domainname); + user = true; + continue; + } + + if (!group && data != NULL) { + for (size_t j = 0; !group && groups[j] != NULL; j++) { + membergroup = talloc_asprintf(tmp_ctx, + "cn=%s,cn=groups,cn=accounts,%s", + groups[j], base_dn); + if (membergroup == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate membergroup\n"); + ret = ENOMEM; + goto done; + } + + if (strcmp(membergroup, data) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Desktop Profile rule \"%s\" matches with (at least) " + "the group \"%s\" for the \"%s\" domain!\n", + rule_name, groups[j], domainname); + group = true; + } + } + } + } + + user_prio = user ? 
talloc_strdup(tmp_ctx, rule_prio) : + talloc_asprintf(tmp_ctx, "%06d", 0); + if (user_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the user priority\n"); + ret = ENOMEM; + goto done; + } + + group_prio = group ? talloc_strdup(tmp_ctx, rule_prio) : + talloc_asprintf(tmp_ctx, "%06d", 0); + if (group_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the group priority\n"); + ret = ENOMEM; + goto done; + } + + *_user_prio = talloc_steal(mem_ctx, user_prio); + *_group_prio = talloc_steal(mem_ctx, group_prio); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_deskprofile_rule_check_memberhost(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sysdb_attrs *rule, + const char *rule_name, + const char *rule_prio, + const char *base_dn, + const char *hostname, + char **_host_prio, + char **_hostgroup_prio) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *host_dn; + struct ldb_message_element *el_orig_memberof = NULL; + struct ldb_message_element *el = NULL; + struct ldb_message **msgs; + size_t count; + size_t num_memberhostgroup; + char **memberhostgroups = NULL; + char *data; + char *memberhost; + char *memberhostgroup; + char *name; + char *host_prio; + char *hostgroup_prio; + const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL }; + bool host = false; + bool hostgroup = false; + errno_t ret; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + host_dn = sysdb_custom_dn(tmp_ctx, domain, hostname, + DESKPROFILE_HOSTS_SUBDIR); + if (host_dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_entry(tmp_ctx, domain->sysdb, host_dn, + LDB_SCOPE_BASE, NULL, + memberof_attrs, + &count, &msgs); + if (ret == ENOENT || count == 0) { + memberhostgroups = talloc_array(tmp_ctx, char *, 1); + memberhostgroups[0] = NULL; + } else if (ret != EOK) { + goto done; + } else if (count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "More than one result for a BASE 
search!\n"); + ret = EIO; + goto done; + } else { /* ret == EOK && count == 1 */ + el_orig_memberof = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF); + memberhostgroups = talloc_array(tmp_ctx, + char *, + el_orig_memberof->num_values); + } + + if (el_orig_memberof != NULL) { + num_memberhostgroup = 0; + for (size_t i = 0; i < el_orig_memberof->num_values; i++) { + data = (char *)el_orig_memberof->values[i].data; + + ret = ipa_common_get_hostgroupname(tmp_ctx, domain->sysdb, data, + &name); + + /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that + * wasn't a host group, thus we'll just ignore those. + */ + if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Skipping malformed entry [%s]\n", + data); + continue; + } else if (ret == EOK) { + memberhostgroups[num_memberhostgroup] = name; + num_memberhostgroup++; + } + } + memberhostgroups[num_memberhostgroup] = NULL; + } + + ret = sysdb_attrs_get_el(rule, IPA_MEMBER_HOST, &el); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule memberHost for rule " + "\"%s\" [%d]: %s\n", + rule_name, ret, sss_strerror(ret)); + + goto done; + } + + memberhost = talloc_asprintf(tmp_ctx, "fqdn=%s,cn=computers,cn=accounts,%s", + hostname, base_dn); + if (memberhost == NULL) { + ret = ENOMEM; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate memberhost\n"); + goto done; + } + + for (size_t i = 0; i < el->num_values; i++) { + if (host && hostgroup) { + break; + } + + data = (char *)el->values[i].data; + + if (!host && data != NULL && strcmp(memberhost, data) == 0) { + host = true; + DEBUG(SSSDBG_TRACE_FUNC, + "Desktop Profile rule \"%s\" matches with the host \"%s\" " + "for the \"%s\" domain!\n", + rule_name, hostname, domain->name); + continue; + } + + if (!hostgroup && data != NULL) { + for (size_t j = 0; !hostgroup && memberhostgroups[j] != NULL; j++) { + memberhostgroup = talloc_asprintf( + tmp_ctx, + "cn=%s,cn=hostgroups,cn=accounts,%s", + 
memberhostgroups[j], base_dn); + + if (memberhostgroup == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate memberhostgroup\n"); + ret = ENOMEM; + goto done; + } + + if (strcmp(memberhostgroup, data) == 0) { + hostgroup = true; + DEBUG(SSSDBG_TRACE_FUNC, + "Desktop Profile rule \"%s\" matches with (at least) " + "the hostgroup \"%s\" for the \"%s\" domain!\n", + rule_name, memberhostgroups[j], domain->name); + continue; + } + } + } + } + + host_prio = host ? talloc_strdup(tmp_ctx, rule_prio) : + talloc_asprintf(tmp_ctx, "%06d", 0); + if (host_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the host priority\n"); + ret = ENOMEM; + goto done; + } + + hostgroup_prio = hostgroup ? talloc_strdup(tmp_ctx, rule_prio) : + talloc_asprintf(tmp_ctx, "%06d", 0); + if (hostgroup_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate the hostgroup priority\n"); + ret = ENOMEM; + goto done; + } + + *_host_prio = talloc_steal(mem_ctx, host_prio); + *_hostgroup_prio = talloc_steal(mem_ctx, hostgroup_prio); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + + +errno_t +ipa_deskprofile_rules_save_rule_to_disk( + TALLOC_CTX *mem_ctx, + uint16_t priority, + struct sysdb_attrs *rule, + struct sss_domain_info *domain, + const char *hostname, + const char *username, /* fully-qualified */ + uid_t uid, + gid_t gid) +{ + TALLOC_CTX *tmp_ctx; + const char *rule_name; + const char *data; + const char *hostcat; + const char *usercat; + char *shortname; + char *domainname; + char *base_dn; + char *rule_prio; + char *user_prio; + char *group_prio; + char *host_prio; + char *hostgroup_prio; + char *normalized_rule_name = NULL; + char *filename_path = NULL; + const char *extension = "json"; + uint32_t prio; + int fd = -1; + gid_t orig_gid; + uid_t orig_uid; + errno_t ret; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + orig_gid = getegid(); + orig_uid = geteuid(); + + ret = sysdb_attrs_get_string(rule, IPA_CN, 
&rule_name); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule name [%d]: %s\n", + ret, sss_strerror(ret)); + + goto done; + } + + ret = sysdb_attrs_get_uint32_t(rule, IPA_DESKPROFILE_PRIORITY, &prio); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule priority for rule " + "\"%s\" [%d]: %s\n", + rule_name, ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_attrs_get_string(rule, IPA_HOST_CATEGORY, &hostcat); + if (ret == ENOENT) { + hostcat = NULL; + } else if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule host category for rule " + "\"%s\" [%d]: %s\n", + rule_name, ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_attrs_get_string(rule, IPA_USER_CATEGORY, &usercat); + if (ret == ENOENT) { + usercat = NULL; + } else if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule user category for rule " + "\"%s\" [%d]: %s\n", + rule_name, ret, sss_strerror(ret)); + goto done; + } + + rule_prio = talloc_asprintf(tmp_ctx, "%06d", prio); + if (rule_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate rule priority\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(rule, IPA_DESKPROFILE_DATA, &data); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to get the Desktop Profile Rule data for rule \"%s\" " + "[%d]: %s\n", + rule_name, ret, sss_strerror(ret)); + goto done; + } + + ret = sss_parse_internal_fqname(tmp_ctx, username, &shortname, &domainname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_parse_internal_fqname() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = domain_to_basedn(tmp_ctx, domainname, &base_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "domain_to_basedn() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (usercat != NULL && strcasecmp(usercat, "all") == 0) { + user_prio = talloc_strdup(tmp_ctx, 
rule_prio); + if (user_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate the user priority " + "when user category is \"all\"\n"); + ret = ENOMEM; + goto done; + } + + group_prio = talloc_strdup(tmp_ctx, rule_prio); + if (group_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate the group priority " + "when user category is \"all\"\n"); + ret = ENOMEM; + goto done; + } + } else { + ret = ipa_deskprofile_rule_check_memberuser(tmp_ctx, domain, rule, + rule_name, rule_prio, + base_dn, username, + &user_prio, &group_prio); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_deskprofile_rule_check_memberuser() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + if (hostcat != NULL && strcasecmp(hostcat, "all") == 0) { + host_prio = talloc_strdup(tmp_ctx, rule_prio); + if (host_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate the host priority " + "when host category is \"all\"\n"); + ret = ENOMEM; + goto done; + } + + hostgroup_prio = talloc_strdup(tmp_ctx, rule_prio); + if (hostgroup_prio == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate the hostgroup priority " + "when host category is \"all\"\n"); + ret = ENOMEM; + goto done; + } + } else { + ret = ipa_deskprofile_rule_check_memberhost(tmp_ctx, domain, rule, + rule_name, rule_prio, + base_dn, hostname, + &host_prio, &hostgroup_prio); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_deskprofile_rule_check_memberhost() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + ret = ipa_deskprofile_get_normalized_rule_name(mem_ctx, rule_name, + &normalized_rule_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_deskprofile_get_normalized_rule_name() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ipa_deskprofile_get_filename_path(tmp_ctx, + priority, + IPA_DESKPROFILE_RULES_USER_DIR, + domainname, + shortname, + rule_prio, + user_prio, + group_prio, + host_prio, + 
hostgroup_prio, + normalized_rule_name, + extension, + &filename_path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_deskprofile_get_filename_path() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = setegid(gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective group id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + gid, ret, sss_strerror(ret)); + goto done; + } + + ret = seteuid(uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective user id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + uid, ret, sss_strerror(ret)); + goto done; + } + + fd = open(filename_path, O_WRONLY | O_CREAT | O_TRUNC, 0400); + if (fd == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to create the Desktop Profile rule file \"%s\" " + "[%d]: %s\n", + filename_path, ret, sss_strerror(ret)); + goto done; + } + + ret = dprintf(fd, "%s", data); + if (ret < 0) { + ret = EIO; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to write the content of the Desktop Profile rule for " + "the \"%s\" file.\n", + filename_path); + goto done; + } + + ret = seteuid(orig_uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set the effect user id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + orig_uid, ret, sss_strerror(ret)); + goto done; + } + + ret = setegid(orig_gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set the effect group id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + orig_gid, ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (fd != -1) { + close(fd); + } + if (geteuid() != orig_uid) { + ret = seteuid(orig_uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective user id (%"PRIu32") of the " + "domain's process [%d]: %s\n", + orig_uid, ret, sss_strerror(ret)); + DEBUG(SSSDBG_CRIT_FAILURE, + "Sending SIGUSR2 to the process: 
%d\n", getpid()); + kill(getpid(), SIGUSR2); + } + } + if (getegid() != orig_gid) { + ret = setegid(orig_gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective group id (%"PRIu32") of the " + "domain's process. Let's have the process restartd!\n", + orig_gid); + DEBUG(SSSDBG_CRIT_FAILURE, + "Sending SIGUSR2 to the process: %d\n", getpid()); + kill(getpid(), SIGUSR2); + } + } + talloc_free(tmp_ctx); + return ret; +} + +errno_t +ipa_deskprofile_rules_remove_user_dir(const char *user_dir, + uid_t uid, + gid_t gid) +{ + gid_t orig_gid; + uid_t orig_uid; + errno_t ret; + + orig_gid = getegid(); + orig_uid = geteuid(); + + ret = setegid(gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective group id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + gid, ret, sss_strerror(ret)); + goto done; + } + + ret = seteuid(uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective user id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + uid, ret, sss_strerror(ret)); + goto done; + } + + ret = sss_remove_subtree(user_dir); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot remove \"%s\" directory [%d]: %s\n", + user_dir, ret, sss_strerror(ret)); + goto done; + } + + ret = seteuid(orig_uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set the effect user id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + orig_uid, ret, sss_strerror(ret)); + goto done; + } + + ret = setegid(orig_gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set the effect group id (%"PRIu32") of the domain's " + "process [%d]: %s\n", + orig_gid, ret, sss_strerror(ret)); + goto done; + } + + ret = sss_remove_tree(user_dir); + if (ret == ENOENT) { + ret = EOK; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot remove \"%s\" directory [%d]: %s\n", + user_dir, ret, 
sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (geteuid() != orig_uid) { + ret = seteuid(orig_uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "unable to set effective user id (%"PRIu32") of the " + "domain's process [%d]: %s\n", + orig_uid, ret, sss_strerror(ret)); + DEBUG(SSSDBG_CRIT_FAILURE, + "Sending SIGUSR2 to the process: %d\n", getpid()); + kill(getpid(), SIGUSR2); + } + } + if (getegid() != orig_gid) { + ret = setegid(orig_gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to set effective user id (%"PRIu32") of the " + "domain's process [%d]: %s\n", + orig_uid, ret, sss_strerror(ret)); + DEBUG(SSSDBG_CRIT_FAILURE, + "Sending SIGUSR2 to the process: %d\n", getpid()); + kill(getpid(), SIGUSR2); + } + } + return ret; +} + +errno_t +deskprofile_get_cached_priority(struct sss_domain_info *domain, + uint16_t *_priority) +{ + TALLOC_CTX *tmp_ctx; + const char *attrs[] = { IPA_DESKPROFILE_PRIORITY, NULL }; + struct ldb_message **resp; + size_t resp_count; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sysdb_search_custom_by_name(tmp_ctx, + domain, + IPA_DESKPROFILE_PRIORITY, + DESKPROFILE_CONFIG_SUBDIR, + attrs, &resp_count, &resp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_search_custom_by_name() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (resp_count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_search_custom_by_name() got more attributes than " + "expected. 
Expected (1), got (%zu)\n", resp_count); + ret = EINVAL; + goto done; + } + + *_priority = ldb_msg_find_attr_as_uint(resp[0], + IPA_DESKPROFILE_PRIORITY, + 0); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +const char ** +deskprofile_get_attrs_to_get_cached_rules(TALLOC_CTX *mem_ctx) +{ + const char **attrs = talloc_zero_array(mem_ctx, const char *, 11); + if (attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array() failed\n"); + goto done; + } + + attrs[0] = OBJECTCLASS; + attrs[1] = IPA_CN; + attrs[2] = IPA_UNIQUE_ID; + attrs[3] = IPA_ENABLED_FLAG; + attrs[4] = IPA_MEMBER_USER; + attrs[5] = IPA_USER_CATEGORY; + attrs[6] = IPA_MEMBER_HOST; + attrs[7] = IPA_HOST_CATEGORY; + attrs[8] = IPA_DESKPROFILE_PRIORITY; + attrs[9] = IPA_DESKPROFILE_DATA; + attrs[10] = NULL; + +done: + return attrs; +} diff --git a/src/providers/ipa/ipa_deskprofile_rules_util.h b/src/providers/ipa/ipa_deskprofile_rules_util.h new file mode 100644 index 0000000..063bbd2 --- /dev/null +++ b/src/providers/ipa/ipa_deskprofile_rules_util.h 
@@ -0,0 +1,74 @@
+/*
+ SSSD
+
+ Authors:
+ Fabiano Fidêncio
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_DESKPROFILE_RULES_UTIL_H_
+#define IPA_DESKPROFILE_RULES_UTIL_H_
+
+#include "db/sysdb.h"
+
+#ifndef IPA_DESKPROFILE_RULES_USER_DIR
+#define IPA_DESKPROFILE_RULES_USER_DIR SSS_STATEDIR"/deskprofile"
+#endif /* IPA_DESKPROFILE_RULES_USER_DIR */
+
+errno_t
+ipa_deskprofile_get_filename_path(TALLOC_CTX *mem_ctx,
+ uint16_t config_priority,
+ const char *rules_dir,
+ const char *domain,
+ const char *username,
+ const char *priority,
+ const char *user_priority,
+ const char *group_priority,
+ const char *host_priority,
+ const char *hostgroup_priority,
+ const char *rule_name,
+ const char *extension,
+ char **_filename_path);
+
+errno_t
+ipa_deskprofile_rules_create_user_dir(
+ const char *username, /* fully-qualified */
+ uid_t uid,
+ gid_t gid);
+errno_t
+ipa_deskprofile_rules_save_rule_to_disk(
+ TALLOC_CTX *mem_ctx,
+ uint16_t priority,
+ struct sysdb_attrs *rule,
+ struct sss_domain_info *domain,
+ const char *hostname,
+ const char *username, /* fully-qualified */
+ uid_t uid,
+ gid_t gid);
+errno_t
+ipa_deskprofile_rules_remove_user_dir(const char *user_dir,
+ uid_t uid,
+ gid_t gid);
+
+errno_t
+deskprofile_get_cached_priority(struct sss_domain_info *domain,
+ uint16_t *_priority);
+
+const char **
+deskprofile_get_attrs_to_get_cached_rules(TALLOC_CTX *mem_ctx);
+
+#endif /* IPA_DESKPROFILE_RULES_UTIL_H_ */
diff --git a/src/providers/ipa/ipa_dn.c b/src/providers/ipa/ipa_dn.c
new file mode 100644
index 0000000..c58e014
--- /dev/null
+++ b/src/providers/ipa/ipa_dn.c
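Review bot: The prototypes of `ipa_deskprofile_rules_save_rule_to_disk()` and `ipa_deskprofile_rules_remove_user_dir()` carry no comment on what `uid` and `gid` are for, although the implementations in ipa_deskprofile_rules_util.c switch the process's effective group and user id to those values with `setegid()`/`seteuid()` around the file-system work and send `SIGUSR2` to the process when the original ids cannot be restored. That is a process-wide side effect a caller has to know about, so I would add above each prototype something like `/* Runs the file-system work with the effective gid/uid set to gid/uid and restores the original ids before returning. */`. `ipa_deskprofile_rules_create_user_dir()` takes the same pair; its implementation is outside this view, so whether the same comment applies there needs checking.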
@@ -0,0 +1,145 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include "db/sysdb.h"
+#include "providers/ipa/ipa_dn.h"
+
+static bool check_dn(struct ldb_dn *dn,
+ const char *rdn_attr,
+ va_list in_ap)
+{
+ const struct ldb_val *ldbval;
+ const char *strval;
+ const char *ldbattr;
+ const char *attr;
+ const char *val;
+ va_list ap;
+ int num_comp;
+ int comp;
+
+ /* check RDN attribute */
+ ldbattr = ldb_dn_get_rdn_name(dn);
+ if (ldbattr == NULL || strcasecmp(ldbattr, rdn_attr) != 0) {
+ return false;
+ }
+
+ /* Check DN components. First we check if all attr=value pairs match input.
+ * Then we check that the next attribute is a domain component.
+ */
+
+ comp = 1;
+ num_comp = ldb_dn_get_comp_num(dn);
+
+ va_copy(ap, in_ap);
+ while ((attr = va_arg(ap, const char *)) != NULL) {
+ val = va_arg(ap, const char *);
+ if (val == NULL) {
+ goto vafail;
+ }
+
+ if (comp > num_comp) {
+ goto vafail;
+ }
+
+ ldbattr = ldb_dn_get_component_name(dn, comp);
+ if (ldbattr == NULL || strcasecmp(ldbattr, attr) != 0) {
+ goto vafail;
+ }
+
+ ldbval = ldb_dn_get_component_val(dn, comp);
+ if (ldbval == NULL) {
+ goto vafail;
+ }
+
+ strval = (const char *)ldbval->data;
+ if (strval == NULL || strncasecmp(strval, val, ldbval->length) != 0) {
+ goto vafail;
+ }
+
+ comp++;
+ }
+ va_end(ap);
+
+ ldbattr = ldb_dn_get_component_name(dn, comp);
+ if (ldbattr == NULL || strcmp(ldbattr, "dc") != 0) {
+ return false;
+ }
+
+ return true;
+
+vafail:
+ va_end(ap);
+ return false;
+}
+
+errno_t _ipa_get_rdn(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *obj_dn,
+ char **_rdn_val,
+ const char *rdn_attr,
+ ...)
+{
+ const struct ldb_val *val;
+ struct ldb_dn *dn;
+ errno_t ret;
+ bool bret;
+ va_list ap;
+ char *rdn;
+
+ dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), obj_dn);
+ if (dn == NULL) {
+ return ENOMEM;
+ }
+
+ va_start(ap, rdn_attr);
+ bret = check_dn(dn, rdn_attr, ap);
+ va_end(ap);
+ if (bret == false) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ if (_rdn_val == NULL) {
+ ret = EOK;
+ goto done;
+ }
+
+ val = ldb_dn_get_rdn_val(dn);
+ if (val == NULL || val->data == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ rdn = talloc_strndup(mem_ctx, (const char*)val->data, val->length);
+ if (rdn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_rdn_val = rdn;
+
+ ret = EOK;
+
+done:
+ talloc_free(dn);
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_dn.h b/src/providers/ipa/ipa_dn.h
new file mode 100644
index 0000000..f889c3e
--- /dev/null
+++ b/src/providers/ipa/ipa_dn.h
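Review bot: In `check_dn()` the value comparison `strncasecmp(strval, val, ldbval->length)` stops after `ldbval->length` bytes, so a DN component whose value is only a prefix of the expected `val` is accepted (a constructed example: a component value `acc` would match an expected `accounts`). Comparing the lengths as well closes that gap: `if (strval == NULL || strlen(val) != ldbval->length || strncasecmp(strval, val, ldbval->length) != 0) {`. The `comp > num_comp` guard also lets `comp == num_comp` through; that is presumably caught by `ldb_dn_get_component_name()` returning NULL for an out-of-range index, but `comp >= num_comp` would state the bound directly. Callers appear to use this check to decide which container a DN belongs to, so the match should be exact.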
@@ -0,0 +1,43 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_DN_H_
+#define IPA_DN_H_
+
+#include
+#include "db/sysdb.h"
+
+errno_t _ipa_get_rdn(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *obj_dn,
+ char **_rdn_val,
+ const char *rdn_attr,
+ ...);
+
+#define ipa_get_rdn(mem_ctx, sysdb, dn, _rdn_val, rdn_attr, ...) \
+ _ipa_get_rdn(mem_ctx, sysdb, dn, _rdn_val, rdn_attr, ##__VA_ARGS__, NULL)
+
+#define ipa_check_rdn(sysdb, dn, rdn_attr, ...) \
+ _ipa_get_rdn(NULL, sysdb, dn, NULL, rdn_attr, ##__VA_ARGS__, NULL)
+
+#define ipa_check_rdn_bool(sysdb, dn, rdn_attr, ...) \
+ ((bool)(ipa_check_rdn(sysdb, dn, rdn_attr, ##__VA_ARGS__) == EOK))
+
+#endif /* IPA_DN_H_ */
diff --git a/src/providers/ipa/ipa_dyndns.c b/src/providers/ipa/ipa_dyndns.c
new file mode 100644
index 0000000..dc91077
--- /dev/null
+++ b/src/providers/ipa/ipa_dyndns.c
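Review bot: The three macros and `_ipa_get_rdn()` are declared without any comment on the variadic contract, which the implementation in ipa_dn.c enforces strictly: arguments are read as `const char *` attribute/value pairs and an attribute without a value makes the check fail. I would document that above the prototype, e.g. `/* Variadic arguments are (attribute, value) pairs of const char *; the macros append the terminating NULL. */`. It is also worth noting there that `ipa_check_rdn_bool()` folds every non-EOK result, including `ENOMEM` from `ldb_dn_new()`, into `false`, so a caller cannot tell a non-matching DN from a failed check.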
@@ -0,0 +1,256 @@ +/* + SSSD + + ipa_dyndns.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" +#include "providers/ldap/sdap_dyndns.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_dyndns.h" +#include "providers/data_provider.h" +#include "providers/be_dyndns.h" + +void ipa_dyndns_update(void *pvt); + +errno_t ipa_dyndns_init(struct be_ctx *be_ctx, + struct ipa_options *ctx) +{ + errno_t ret; + + ctx->be_res = be_ctx->be_res; + if (ctx->be_res == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Resolver must be initialized in order " + "to use the IPA dynamic DNS updates\n"); + return EINVAL; + } + + ret = be_nsupdate_init_timer(ctx->dyndns_ctx, be_ctx->ev, + ipa_dyndns_timer, ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up periodic update\n"); + return ret; + } + + ret = be_add_online_cb(be_ctx, be_ctx, + ipa_dyndns_update, + ctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up online callback\n"); + return ret; + } + + return EOK; +} + +struct ipa_dyndns_timer_ctx { + struct sdap_id_op *sdap_op; + struct tevent_context *ev; + + struct ipa_options *ctx; +}; + +static void ipa_dyndns_timer_connected(struct tevent_req *req); + +void ipa_dyndns_timer(void *pvt) +{ + struct ipa_options *ctx = talloc_get_type(pvt, struct ipa_options); + struct sdap_id_ctx 
*sdap_ctx = ctx->id_ctx->sdap_id_ctx; + struct tevent_req *req; + + req = sdap_dyndns_timer_conn_send(ctx, sdap_ctx->be->ev, sdap_ctx, + ctx->dyndns_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); + /* Not much we can do. Just attempt to reschedule */ + be_nsupdate_timer_schedule(sdap_ctx->be->ev, ctx->dyndns_ctx); + return; + } + tevent_req_set_callback(req, ipa_dyndns_timer_connected, ctx); +} + +static void ipa_dyndns_timer_connected(struct tevent_req *req) +{ + errno_t ret; + struct ipa_options *ctx = tevent_req_callback_data(req, + struct ipa_options); + + ret = sdap_dyndns_timer_conn_recv(req); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to IPA: [%d](%s)\n", + ret, sss_strerror(ret)); + return; + } + + return ipa_dyndns_update(ctx); +} + +static struct tevent_req *ipa_dyndns_update_send(struct ipa_options *ctx); +static errno_t ipa_dyndns_update_recv(struct tevent_req *req); + +static void ipa_dyndns_nsupdate_done(struct tevent_req *subreq); + +void ipa_dyndns_update(void *pvt) +{ + struct ipa_options *ctx = talloc_get_type(pvt, struct ipa_options); + struct sdap_id_ctx *sdap_ctx = ctx->id_ctx->sdap_id_ctx; + + /* Schedule timer after provider went offline */ + be_nsupdate_timer_schedule(sdap_ctx->be->ev, ctx->dyndns_ctx); + + struct tevent_req *req = ipa_dyndns_update_send(ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not update DNS\n"); + return; + } + tevent_req_set_callback(req, ipa_dyndns_nsupdate_done, NULL); +} + +static void ipa_dyndns_nsupdate_done(struct tevent_req *req) +{ + int ret = ipa_dyndns_update_recv(req); + talloc_free(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Updating DNS entry failed [%d]: %s\n", + ret, sss_strerror(ret)); + return; + } + + DEBUG(SSSDBG_OP_FAILURE, "DNS update finished\n"); +} + +struct ipa_dyndns_update_state { + struct ipa_options *ipa_ctx; +}; + +static void ipa_dyndns_sdap_update_done(struct tevent_req *subreq); + 
+static struct tevent_req * +ipa_dyndns_update_send(struct ipa_options *ctx) +{ + int ret; + struct ipa_dyndns_update_state *state; + struct tevent_req *req, *subreq; + struct sdap_id_ctx *sdap_ctx = ctx->id_ctx->sdap_id_ctx; + + DEBUG(SSSDBG_TRACE_FUNC, "Performing update\n"); + + req = tevent_req_create(ctx, &state, struct ipa_dyndns_update_state); + if (req == NULL) { + return NULL; + } + state->ipa_ctx = ctx; + + /* The following three checks are here to prevent SEGFAULT + * from ticket #3076. */ + if (ctx->service == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "service structure not initialized\n"); + ret = EINVAL; + goto done; + } + + if (ctx->service->sdap == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap structure not initialized\n"); + ret = EINVAL; + goto done; + } + + if (ctx->service->sdap->uri == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "LDAP uri not set\n"); + ret = EINVAL; + goto done; + } + + if (ctx->dyndns_ctx->last_refresh + 60 > time(NULL) || + ctx->dyndns_ctx->timer_in_progress) { + DEBUG(SSSDBG_FUNC_DATA, "Last periodic update ran recently or timer " + "in progress, not scheduling another update\n"); + tevent_req_done(req); + tevent_req_post(req, sdap_ctx->be->ev); + return req; + } + state->ipa_ctx->dyndns_ctx->last_refresh = time(NULL); + + if (strncmp(ctx->service->sdap->uri, + "ldap://", 7) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected format of LDAP URI.\n"); + ret = EIO; + goto done; + } + + subreq = sdap_dyndns_update_send(state, sdap_ctx->be->ev, + sdap_ctx->be, + ctx->dyndns_ctx->opts, + sdap_ctx, + ctx->dyndns_ctx->auth_type, + dp_opt_get_string(ctx->dyndns_ctx->opts, + DP_OPT_DYNDNS_IFACE), + dp_opt_get_string(ctx->basic, + IPA_HOSTNAME), + dp_opt_get_string(ctx->basic, + IPA_KRB5_REALM), + dp_opt_get_int(ctx->dyndns_ctx->opts, + DP_OPT_DYNDNS_TTL), + true); + if (!subreq) { + ret = EIO; + DEBUG(SSSDBG_OP_FAILURE, + "sdap_id_op_connect_send failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + tevent_req_set_callback(subreq, 
ipa_dyndns_sdap_update_done, req); + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, sdap_ctx->be->ev); + } + return req; +} + +static void ipa_dyndns_sdap_update_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + errno_t ret; + + ret = sdap_dyndns_update_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Dynamic DNS update failed [%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t ipa_dyndns_update_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ipa/ipa_dyndns.h b/src/providers/ipa/ipa_dyndns.h new file mode 100644 index 0000000..38a68c0 --- /dev/null +++ b/src/providers/ipa/ipa_dyndns.h @@ -0,0 +1,38 @@ +/* + SSSD + + ipa_dyndns.h + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef IPA_DYNDNS_H_ +#define IPA_DYNDNS_H_ + +#include "util/util_errors.h" +#include "providers/ipa/ipa_common.h" +#include "providers/backend.h" + +void ipa_dyndns_update(void *pvt); +void ipa_dyndns_timer(void *pvt); + +errno_t ipa_dyndns_init(struct be_ctx *be_ctx, + struct ipa_options *ctx); + +#endif /* IPA_DYNDNS_H_ */ 
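Review bot: `ipa_dyndns_nsupdate_done()` reports success with `DEBUG(SSSDBG_OP_FAILURE, "DNS update finished\n");`, so every successful update is logged at failure severity; a trace level such as `DEBUG(SSSDBG_TRACE_FUNC, "DNS update finished\n");` keeps failure-level output meaningful for anyone filtering or alerting on it. In `ipa_dyndns_update_send()` the message printed when `sdap_dyndns_update_send()` returns NULL names `sdap_id_op_connect_send`, which is not the call that failed. The same function stamps `last_refresh` before the `ldap://` prefix check, so a request rejected by that check still suppresses the next attempt for 60 seconds; moving the assignment after the check looks safer, assuming no caller depends on the current order.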
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
new file mode 100644
index 0000000..31e53d2
--- /dev/null
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -0,0 +1,748 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ipa/ipa_hbac_private.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_rules_common.h" + +errno_t +replace_attribute_name(const char *old_name, + const char *new_name, const size_t count, + struct sysdb_attrs **list) +{ + int ret; + int i; + + for (i = 0; i < count; i++) { + ret = sysdb_attrs_replace_name(list[i], old_name, new_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_replace_name failed.\n"); + return ret; + } + } + + return EOK; +} + +static errno_t +create_empty_grouplist(struct hbac_request_element *el) +{ + el->groups = talloc_array(el, const char *, 1); + if (!el->groups) return ENOMEM; + + el->groups[0] = NULL; + return EOK; +} + +/******************************************** + * Functions for handling conversion to the * + * HBAC evaluator format * + ********************************************/ + +static errno_t +hbac_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct hbac_ctx *hbac_ctx, + size_t index, + struct hbac_rule **rule); + +static errno_t +hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx, + struct hbac_ctx *hbac_ctx, + struct hbac_eval_req **request); + +errno_t +hbac_ctx_to_rules(TALLOC_CTX *mem_ctx, + struct hbac_ctx *hbac_ctx, + struct hbac_rule ***rules, + struct hbac_eval_req **request) +{ + 
errno_t ret; + struct hbac_rule **new_rules; + struct hbac_eval_req *new_request = NULL; + size_t i; + TALLOC_CTX *tmp_ctx = NULL; + + if (!rules || !request) return EINVAL; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + /* First create an array of rules */ + new_rules = talloc_array(tmp_ctx, struct hbac_rule *, + hbac_ctx->rule_count + 1); + if (new_rules == NULL) { + ret = ENOMEM; + goto done; + } + + /* Create each rule one at a time */ + for (i = 0; i < hbac_ctx->rule_count ; i++) { + ret = hbac_attrs_to_rule(new_rules, hbac_ctx, i, &(new_rules[i])); + if (ret == EPERM) { + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct rules\n"); + goto done; + } + } + new_rules[i] = NULL; + + /* Create the eval request */ + ret = hbac_ctx_to_eval_request(tmp_ctx, hbac_ctx, &new_request); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct eval request\n"); + goto done; + } + + *rules = talloc_steal(mem_ctx, new_rules); + *request = talloc_steal(mem_ctx, new_request); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +hbac_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct hbac_ctx *hbac_ctx, + size_t idx, + struct hbac_rule **rule) +{ + errno_t ret; + struct hbac_rule *new_rule; + struct ldb_message_element *el; + const char *rule_type; + + new_rule = talloc_zero(mem_ctx, struct hbac_rule); + if (new_rule == NULL) return ENOMEM; + + ret = sysdb_attrs_get_el(hbac_ctx->rules[idx], + IPA_CN, &el); + if (ret != EOK || el->num_values == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "rule has no name, assuming '(none)'.\n"); + new_rule->name = talloc_strdup(new_rule, "(none)"); + } else { + new_rule->name = talloc_strndup(new_rule, + (const char*) el->values[0].data, + el->values[0].length); + } + + DEBUG(SSSDBG_TRACE_LIBS, "Processing rule [%s]\n", new_rule->name); + + ret = sysdb_attrs_get_bool(hbac_ctx->rules[idx], IPA_ENABLED_FLAG, + &new_rule->enabled); + if (ret != EOK) goto 
done; + + if (!new_rule->enabled) { + ret = EOK; + goto done; + } + + ret = sysdb_attrs_get_string(hbac_ctx->rules[idx], + IPA_ACCESS_RULE_TYPE, + &rule_type); + if (ret != EOK) goto done; + + if (strcasecmp(rule_type, IPA_HBAC_ALLOW) != 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "Rule [%s] is not an ALLOW rule\n", new_rule->name); + ret = EPERM; + goto done; + } + + /* Get the users */ + ret = hbac_user_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain, + new_rule->name, + hbac_ctx->rules[idx], + &new_rule->users); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse users for rule [%s]\n", + new_rule->name); + goto done; + } + + /* Get the services */ + ret = hbac_service_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain, + new_rule->name, + hbac_ctx->rules[idx], + &new_rule->services); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse services for rule [%s]\n", + new_rule->name); + goto done; + } + + /* Get the target hosts */ + ret = hbac_thost_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain, + new_rule->name, + hbac_ctx->rules[idx], + &new_rule->targethosts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not parse target hosts for rule [%s]\n", + new_rule->name); + goto done; + } + + /* Get the source hosts */ + + ret = hbac_shost_attrs_to_rule(new_rule, hbac_ctx->be_ctx->domain, + new_rule->name, + hbac_ctx->rules[idx], + dp_opt_get_bool(hbac_ctx->ipa_options, + IPA_HBAC_SUPPORT_SRCHOST), + &new_rule->srchosts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not parse source hosts for rule [%s]\n", + new_rule->name); + goto done; + } + + *rule = new_rule; + ret = EOK; + +done: + if (ret != EOK) talloc_free(new_rule); + return ret; +} + +errno_t +hbac_get_category(struct sysdb_attrs *attrs, + const char *category_attr, + uint32_t *_categories) +{ + errno_t ret; + size_t i; + uint32_t cats = HBAC_CATEGORY_NULL; + const char **categories; + + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + 
+ ret = sysdb_attrs_get_string_array(attrs, category_attr, + tmp_ctx, &categories); + if (ret != EOK && ret != ENOENT) goto done; + + if (ret != ENOENT) { + for (i = 0; categories[i]; i++) { + if (strcasecmp("all", categories[i]) == 0) { + DEBUG(SSSDBG_FUNC_DATA, "Category is set to 'all'.\n"); + cats |= HBAC_CATEGORY_ALL; + continue; + } + DEBUG(SSSDBG_TRACE_ALL, "Unsupported user category [%s].\n", + categories[i]); + } + } + + *_categories = cats; + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +hbac_eval_user_element(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *username, + struct hbac_request_element **user_element); + +static errno_t +hbac_eval_service_element(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *servicename, + struct hbac_request_element **svc_element); + +static errno_t +hbac_eval_host_element(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *hostname, + struct hbac_request_element **host_element); + +static errno_t +hbac_ctx_to_eval_request(TALLOC_CTX *mem_ctx, + struct hbac_ctx *hbac_ctx, + struct hbac_eval_req **request) +{ + errno_t ret; + struct pam_data *pd = hbac_ctx->pd; + TALLOC_CTX *tmp_ctx; + struct hbac_eval_req *eval_req; + struct sss_domain_info *domain = hbac_ctx->be_ctx->domain; + const char *rhost; + const char *thost; + struct sss_domain_info *user_dom; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + eval_req = talloc_zero(tmp_ctx, struct hbac_eval_req); + if (eval_req == NULL) { + ret = ENOMEM; + goto done; + } + + eval_req->request_time = time(NULL); + + /* Get user the user name and groups, + * take care of subdomain users as well */ + if (strcasecmp(pd->domain, domain->name) != 0) { + user_dom = find_domain_by_name(domain, pd->domain, true); + if (user_dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n"); + ret = ENOMEM; + goto done; + } + ret = hbac_eval_user_element(eval_req, 
user_dom, pd->user, + &eval_req->user); + } else { + ret = hbac_eval_user_element(eval_req, domain, pd->user, + &eval_req->user); + } + if (ret != EOK) goto done; + + /* Get the PAM service and service groups */ + ret = hbac_eval_service_element(eval_req, domain, pd->service, + &eval_req->service); + if (ret != EOK) goto done; + + /* Get the source host */ + if (pd->rhost == NULL || pd->rhost[0] == '\0') { + /* If we haven't been passed an rhost, + * the rhost is unknown. This will fail + * to match any rule requiring the + * source host. + */ + rhost = NULL; + } else { + rhost = pd->rhost; + } + + ret = hbac_eval_host_element(eval_req, domain, rhost, + &eval_req->srchost); + if (ret != EOK) goto done; + + /* The target host is always the current machine */ + thost = dp_opt_get_cstring(hbac_ctx->ipa_options, IPA_HOSTNAME); + if (thost == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Missing ipa_hostname, this should never happen.\n"); + ret = EINVAL; + goto done; + } + + ret = hbac_eval_host_element(eval_req, domain, thost, + &eval_req->targethost); + if (ret != EOK) goto done; + + *request = talloc_steal(mem_ctx, eval_req); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +hbac_eval_user_element(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *username, + struct hbac_request_element **user_element) +{ + errno_t ret; + unsigned int num_groups = 0; + TALLOC_CTX *tmp_ctx; + struct hbac_request_element *users; + char *shortname; + const char *fqgroupname = NULL; + struct sss_domain_info *ipa_domain; + struct ldb_dn *ipa_groups_basedn; + struct ldb_result *res; + int exp_comp; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + users = talloc_zero(tmp_ctx, struct hbac_request_element); + if (users == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sss_parse_internal_fqname(tmp_ctx, username, &shortname, NULL); + if (ret != EOK) { + ret = ERR_WRONG_NAME_FORMAT; + goto done; + } + users->name = 
talloc_steal(users, shortname); + + ipa_domain = get_domains_head(domain); + if (ipa_domain == NULL) { + ret = EINVAL; + goto done; + } + + ipa_groups_basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(domain->sysdb), + SYSDB_TMPL_GROUP_BASE, ipa_domain->name); + if (ipa_groups_basedn == NULL) { + ret = ENOMEM; + goto done; + } + + /* +1 because there will be a RDN preceding the base DN */ + exp_comp = ldb_dn_get_comp_num(ipa_groups_basedn) + 1; + + /* + * Get all the groups the user is a member of. + * This includes both POSIX and non-POSIX groups. + */ + ret = sysdb_initgroups(tmp_ctx, domain, username, &res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_asq_search failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + if (res->count == 0) { + /* This should not happen at this point */ + DEBUG(SSSDBG_MINOR_FAILURE, + "User [%s] not found in cache.\n", username); + ret = ENOENT; + goto done; + } else if (res->count == 1) { + /* The first item is the user entry */ + DEBUG(SSSDBG_TRACE_LIBS, "No groups for [%s]\n", users->name); + ret = create_empty_grouplist(users); + goto done; + } + DEBUG(SSSDBG_TRACE_LIBS, + "[%u] groups for [%s]\n", res->count - 1, username); + + /* This also includes the sentinel, b/c we'll skip the user entry below */ + users->groups = talloc_array(users, const char *, res->count); + if (users->groups == NULL) { + ret = ENOMEM; + goto done; + } + + /* Start counting from 1 to exclude the user entry */ + for (size_t i = 1; i < res->count; i++) { + /* Only groups from the IPA domain can be referenced from HBAC rules. To + * avoid evaluating groups which might even have the same name, but come + * from a trusted domain, we first copy the DN to a temporary one.. 
+ */ + if (ldb_dn_get_comp_num(res->msgs[i]->dn) != exp_comp + || ldb_dn_compare_base(ipa_groups_basedn, + res->msgs[i]->dn) != 0) { + DEBUG(SSSDBG_FUNC_DATA, + "Skipping non-IPA group %s\n", + ldb_dn_get_linearized(res->msgs[i]->dn)); + continue; + } + + fqgroupname = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_NAME, NULL); + if (fqgroupname == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Skipping malformed entry [%s]\n", + ldb_dn_get_linearized(res->msgs[i]->dn)); + continue; + } + + ret = sss_parse_internal_fqname(tmp_ctx, fqgroupname, + &shortname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Malformed name %s, skipping!\n", fqgroupname); + continue; + } + + users->groups[num_groups] = talloc_steal(users->groups, shortname); + DEBUG(SSSDBG_TRACE_LIBS, "Added group [%s] for user [%s]\n", + users->groups[num_groups], users->name); + num_groups++; + } + users->groups[num_groups] = NULL; + + if (num_groups < (res->count - 1)) { + /* Shrink the array memory */ + users->groups = talloc_realloc(users, users->groups, const char *, + num_groups+1); + if (users->groups == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = EOK; +done: + if (ret == EOK) { + *user_element = talloc_steal(mem_ctx, users); + } + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +hbac_eval_service_element(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *servicename, + struct hbac_request_element **svc_element) +{ + errno_t ret; + size_t i, j, count; + TALLOC_CTX *tmp_ctx; + struct hbac_request_element *svc; + struct ldb_message **msgs; + struct ldb_message_element *el; + struct ldb_dn *svc_dn; + const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL }; + char *name; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + svc = talloc_zero(tmp_ctx, struct hbac_request_element); + if (svc == NULL) { + ret = ENOMEM; + goto done; + } + + svc->name = servicename; + + svc_dn = sysdb_custom_dn(tmp_ctx, domain, svc->name, 
HBAC_SERVICES_SUBDIR); + if (svc_dn == NULL) { + ret = ENOMEM; + goto done; + } + + /* Look up the service to get its originalMemberOf entries */ + ret = sysdb_search_entry(tmp_ctx, domain->sysdb, svc_dn, + LDB_SCOPE_BASE, NULL, + memberof_attrs, + &count, &msgs); + if (ret == ENOENT || count == 0) { + /* We won't be able to identify any groups + * This rule will only match the name or + * a service category of ALL + */ + ret = create_empty_grouplist(svc); + goto done; + } else if (ret != EOK) { + goto done; + } else if (count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More than one result for a BASE search!\n"); + ret = EIO; + goto done; + } + + el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF); + if (!el) { + /* Service is not a member of any groups + * This rule will only match the name or + * a service category of ALL + */ + ret = create_empty_grouplist(svc); + goto done; + } + + + svc->groups = talloc_array(svc, const char *, el->num_values + 1); + if (svc->groups == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = j = 0; i < el->num_values; i++) { + ret = get_ipa_servicegroupname(tmp_ctx, domain->sysdb, + (const char *)el->values[i].data, + &name); + if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) { + DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n", + (const char *)el->values[i].data); + continue; + } + + /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a + * service group. 
We'll just ignore those (could be + * HBAC rules) + */ + + if (ret == EOK) { + svc->groups[j] = talloc_steal(svc->groups, name); + j++; + } + } + svc->groups[j] = NULL; + + ret = EOK; + +done: + if (ret == EOK) { + *svc_element = talloc_steal(mem_ctx, svc); + } + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +hbac_eval_host_element(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *hostname, + struct hbac_request_element **host_element) +{ + errno_t ret; + size_t i, j, count; + TALLOC_CTX *tmp_ctx; + struct hbac_request_element *host; + struct ldb_message **msgs; + struct ldb_message_element *el; + struct ldb_dn *host_dn; + const char *memberof_attrs[] = { SYSDB_ORIG_MEMBEROF, NULL }; + char *name; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + host = talloc_zero(tmp_ctx, struct hbac_request_element); + if (host == NULL) { + ret = ENOMEM; + goto done; + } + + host->name = hostname; + + if (host->name == NULL) { + /* We don't know the host (probably an rhost) + * So we can't determine it's groups either. 
+ */ + ret = create_empty_grouplist(host); + goto done; + } + + host_dn = sysdb_custom_dn(tmp_ctx, domain, host->name, HBAC_HOSTS_SUBDIR); + if (host_dn == NULL) { + ret = ENOMEM; + goto done; + } + + /* Look up the host to get its originalMemberOf entries */ + ret = sysdb_search_entry(tmp_ctx, domain->sysdb, host_dn, + LDB_SCOPE_BASE, NULL, + memberof_attrs, + &count, &msgs); + if (ret == ENOENT || count == 0) { + /* We won't be able to identify any groups + * This rule will only match the name or + * a host category of ALL + */ + ret = create_empty_grouplist(host); + goto done; + } else if (ret != EOK) { + goto done; + } else if (count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More than one result for a BASE search!\n"); + ret = EIO; + goto done; + } + + el = ldb_msg_find_element(msgs[0], SYSDB_ORIG_MEMBEROF); + if (!el) { + /* Host is not a member of any groups + * This rule will only match the name or + * a host category of ALL + */ + ret = create_empty_grouplist(host); + goto done; + } + + + host->groups = talloc_array(host, const char *, el->num_values + 1); + if (host->groups == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = j = 0; i < el->num_values; i++) { + ret = ipa_common_get_hostgroupname(tmp_ctx, domain->sysdb, + (const char *)el->values[i].data, + &name); + if (ret != EOK && ret != ERR_UNEXPECTED_ENTRY_TYPE) { + DEBUG(SSSDBG_MINOR_FAILURE, "Skipping malformed entry [%s]\n", + (const char *)el->values[i].data); + continue; + } + + /* ERR_UNEXPECTED_ENTRY_TYPE means we had a memberOf entry that wasn't a + * host group. 
We'll just ignore those (could be + * HBAC rules) + */ + + if (ret == EOK) { + host->groups[j] = talloc_steal(host->groups, name); + j++; + } + } + host->groups[j] = NULL; + + ret = EOK; + +done: + if (ret == EOK) { + *host_element = talloc_steal(mem_ctx, host); + } + talloc_free(tmp_ctx); + return ret; +} + +const char ** +hbac_get_attrs_to_get_cached_rules(TALLOC_CTX *mem_ctx) +{ + const char **attrs = talloc_zero_array(mem_ctx, const char *, 16); + if (attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array() failed\n"); + goto done; + } + + attrs[0] = OBJECTCLASS; + attrs[1] = IPA_CN; + attrs[2] = SYSDB_ORIG_DN; + attrs[3] = IPA_UNIQUE_ID; + attrs[4] = IPA_ENABLED_FLAG; + attrs[5] = IPA_ACCESS_RULE_TYPE; + attrs[6] = IPA_MEMBER_USER; + attrs[7] = IPA_USER_CATEGORY; + attrs[8] = IPA_MEMBER_SERVICE; + attrs[9] = IPA_SERVICE_CATEGORY; + attrs[10] = IPA_SOURCE_HOST; + attrs[11] = IPA_SOURCE_HOST_CATEGORY; + attrs[12] = IPA_EXTERNAL_HOST; + attrs[13] = IPA_MEMBER_HOST; + attrs[14] = IPA_HOST_CATEGORY; + attrs[15] = NULL; + +done: + return attrs; +} diff --git a/src/providers/ipa/ipa_hbac_hosts.c b/src/providers/ipa/ipa_hbac_hosts.c new file mode 100644 index 0000000..f85ce53 --- /dev/null +++ b/src/providers/ipa/ipa_hbac_hosts.c 
@@ -0,0 +1,335 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ipa/ipa_hbac_private.h" +#include "providers/ipa/ipa_rules_common.h" +#include "providers/ldap/sdap_async.h" + +/* + * Functions to convert sysdb_attrs to the hbac_rule format + */ +static errno_t hbac_host_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + const char *category_attr, + const char *member_attr, + size_t *host_count, + struct hbac_rule_element **hosts) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct hbac_rule_element *new_hosts; + const char *attrs[] = { SYSDB_FQDN, SYSDB_NAME, NULL }; + struct ldb_message_element *el; + size_t num_hosts = 0; + size_t num_hostgroups = 0; + size_t i; + char *member_dn; + char *filter; + size_t count; + struct ldb_message **msgs; + const char *name; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + new_hosts = talloc_zero(tmp_ctx, struct hbac_rule_element); + if (new_hosts == NULL) { + ret = ENOMEM; + goto done; + } + + /* First check for host category */ + ret = hbac_get_category(rule_attrs, category_attr, &new_hosts->category); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify host categories\n"); + goto done; + } + if 
(new_hosts->category & HBAC_CATEGORY_ALL) { + /* Short-cut to the exit */ + ret = EOK; + goto done; + } + + /* Get the list of DNs from the member_attr */ + ret = sysdb_attrs_get_el(rule_attrs, member_attr, &el); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n"); + goto done; + } + if (ret == ENOENT || el->num_values == 0) { + el->num_values = 0; + DEBUG(SSSDBG_CONF_SETTINGS, + "No host specified, rule will never apply.\n"); + } + + /* Assume maximum size; We'll trim it later */ + new_hosts->names = talloc_array(new_hosts, + const char *, + el->num_values +1); + if (new_hosts->names == NULL) { + ret = ENOMEM; + goto done; + } + + new_hosts->groups = talloc_array(new_hosts, + const char *, + el->num_values + 1); + if (new_hosts->groups == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < el->num_values; i++) { + ret = sss_filter_sanitize(tmp_ctx, + (const char *)el->values[i].data, + &member_dn); + if (ret != EOK) goto done; + + filter = talloc_asprintf(member_dn, "(%s=%s)", + SYSDB_ORIG_DN, member_dn); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + /* First check if this is a specific host */ + ret = sysdb_search_custom(tmp_ctx, domain, filter, + HBAC_HOSTS_SUBDIR, attrs, + &count, &msgs); + if (ret != EOK && ret != ENOENT) goto done; + if (ret == EOK && count == 0) { + ret = ENOENT; + } + + if (ret == EOK) { + if (count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Original DN matched multiple hosts. Skipping \n"); + talloc_zfree(member_dn); + continue; + } + + /* Original DN matched a single host. 
Get the hostname */ + name = ldb_msg_find_attr_as_string(msgs[0], + SYSDB_FQDN, + NULL); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "FQDN is missing!\n"); + ret = EFAULT; + goto done; + } + + new_hosts->names[num_hosts] = talloc_strdup(new_hosts->names, + name); + if (new_hosts->names[num_hosts] == NULL) { + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Added host [%s] to rule [%s]\n", + name, rule_name); + num_hosts++; + } else { /* ret == ENOENT */ + /* Check if this is a hostgroup */ + ret = sysdb_search_custom(tmp_ctx, domain, filter, + HBAC_HOSTGROUPS_SUBDIR, attrs, + &count, &msgs); + if (ret != EOK && ret != ENOENT) goto done; + if (ret == EOK && count == 0) { + ret = ENOENT; + } + + if (ret == EOK) { + if (count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Original DN matched multiple hostgroups. " + "Skipping\n"); + talloc_zfree(member_dn); + continue; + } + + /* Original DN matched a single group. Get the groupname */ + name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Hostgroup name is missing!\n"); + ret = EFAULT; + goto done; + } + + new_hosts->groups[num_hostgroups] = + talloc_strdup(new_hosts->groups, name); + if (new_hosts->groups[num_hostgroups] == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Added hostgroup [%s] to rule [%s]\n", + name, rule_name); + num_hostgroups++; + } else { /* ret == ENOENT */ + /* Neither a host nor a hostgroup? Skip it */ + DEBUG(SSSDBG_TRACE_LIBS, + "[%s] does not map to either a host or hostgroup. 
" + "Skipping\n", member_dn); + } + } + talloc_zfree(member_dn); + } + new_hosts->names[num_hosts] = NULL; + new_hosts->groups[num_hostgroups] = NULL; + + /* Shrink the arrays down to their real sizes */ + new_hosts->names = talloc_realloc(new_hosts, new_hosts->names, + const char *, num_hosts + 1); + if (new_hosts->names == NULL) { + ret = ENOMEM; + goto done; + } + + new_hosts->groups = talloc_realloc(new_hosts, new_hosts->groups, + const char *, num_hostgroups + 1); + if (new_hosts->groups == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + *hosts = talloc_steal(mem_ctx, new_hosts); + if (host_count) *host_count = num_hosts; + } + talloc_free(tmp_ctx); + return ret; +} + +errno_t +hbac_thost_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + struct hbac_rule_element **thosts) +{ + DEBUG(SSSDBG_TRACE_LIBS, + "Processing target hosts for rule [%s]\n", rule_name); + + return hbac_host_attrs_to_rule(mem_ctx, domain, + rule_name, rule_attrs, + IPA_HOST_CATEGORY, IPA_MEMBER_HOST, + NULL, thosts); +} + +errno_t +hbac_shost_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + bool support_srchost, + struct hbac_rule_element **source_hosts) +{ + errno_t ret; + size_t host_count; + TALLOC_CTX *tmp_ctx; + size_t idx; + struct ldb_message_element *el; + struct hbac_rule_element *shosts; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) return ENOMEM; + + DEBUG(SSSDBG_TRACE_FUNC, "Processing source hosts for rule [%s]\n", rule_name); + + if (!support_srchost) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Source hosts disabled, setting ALL\n"); + shosts = talloc_zero(tmp_ctx, struct hbac_rule_element); + if (shosts == NULL) { + ret = ENOMEM; + goto done; + } + + shosts->category = HBAC_CATEGORY_ALL; + ret = EOK; + goto done; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "WARNING: Using 
deprecated option " + "ipa_hbac_support_srchost.\n"); + sss_log(SSS_LOG_NOTICE, "WARNING: Using deprecated option " + "ipa_hbac_support_srchost.\n"); + } + + ret = hbac_host_attrs_to_rule(tmp_ctx, domain, + rule_name, rule_attrs, + IPA_SOURCE_HOST_CATEGORY, IPA_SOURCE_HOST, + &host_count, &shosts); + if (ret != EOK) { + goto done; + } + + if (shosts->category & HBAC_CATEGORY_ALL) { + /* All hosts (including external) are + * allowed. + */ + goto done; + } + + /* Include external (non-IPA-managed) source hosts */ + ret = sysdb_attrs_get_el(rule_attrs, IPA_EXTERNAL_HOST, &el); + if (ret != EOK && ret != ENOENT) goto done; + if (ret == EOK && el->num_values == 0) ret = ENOENT; + + if (ret != ENOENT) { + shosts->names = talloc_realloc(shosts, shosts->names, const char *, + host_count + el->num_values + 1); + if (shosts->names == NULL) { + ret = ENOMEM; + goto done; + } + + for (idx = host_count; idx < host_count + el->num_values; idx++) { + shosts->names[idx] = + talloc_strdup(shosts->names, + (const char *)el->values[idx - host_count].data); + if (shosts->names[idx] == NULL) { + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, + "Added external source host [%s] to rule [%s]\n", + shosts->names[idx], rule_name); + } + shosts->names[idx] = NULL; + } + + ret = EOK; + +done: + if (ret == EOK) { + *source_hosts = talloc_steal(mem_ctx, shosts); + } + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h new file mode 100644 index 0000000..8ca7d09 --- /dev/null +++ b/src/providers/ipa/ipa_hbac_private.h 
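Review bot: In hbac_host_attrs_to_rule the ENOENT branch after `sysdb_attrs_get_el(rule_attrs, member_attr, &el)` writes `el->num_values = 0`, and the two talloc_array calls and the member loop then read `el->num_values`, but `el` is declared without an initialiser and nothing in this hunk shows it being set when the call returns ENOENT. If sysdb_attrs_get_el can return ENOENT without filling `el` (its definition is outside this hunk), that is a write through an uninitialised pointer while parsing rule data. I would keep the count in a local, `size_t num_members = (ret == ENOENT) ? 0 : el->num_values;`, and use it for both array sizes and the loop bound. hbac_shost_attrs_to_rule in the same file already handles the IPA_EXTERNAL_HOST lookup this way, folding the empty case into ENOENT before it touches `el`.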
@@ -0,0 +1,132 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef IPA_HBAC_PRIVATE_H_ +#define IPA_HBAC_PRIVATE_H_ + +#include "providers/ipa/ipa_access.h" +#include "lib/ipa_hbac/ipa_hbac.h" + +#define IPA_HBAC_RULE "ipaHBACRule" + +#define IPA_HBAC_SERVICE "ipaHBACService" +#define IPA_HBAC_SERVICE_GROUP "ipaHBACServiceGroup" + +#define IPA_MEMBER "member" +#define HBAC_HOSTS_SUBDIR "hbac_hosts" +#define HBAC_HOSTGROUPS_SUBDIR "hbac_hostgroups" + +#define IPA_MEMBEROF "memberOf" +#define IPA_ACCESS_RULE_TYPE "accessRuleType" +#define IPA_HBAC_ALLOW "allow" +#define IPA_SERVICE_NAME "serviceName" +#define IPA_SOURCE_HOST "sourceHost" +#define IPA_SOURCE_HOST_CATEGORY "sourceHostCategory" +#define IPA_MEMBER_SERVICE "memberService" +#define IPA_SERVICE_CATEGORY "serviceCategory" + +#define IPA_HBAC_BASE_TMPL "cn=hbac,%s" +#define IPA_SERVICES_BASE_TMPL "cn=hbacservices,cn=accounts,%s" + +#define SYSDB_HBAC_BASE_TMPL "cn=hbac,"SYSDB_TMPL_CUSTOM_BASE + +#define HBAC_RULES_SUBDIR "hbac_rules" +#define HBAC_SERVICES_SUBDIR "hbac_services" +#define HBAC_SERVICEGROUPS_SUBDIR "hbac_servicegroups" + +/* From ipa_hbac_common.c */ +errno_t +replace_attribute_name(const char *old_name, + const char *new_name, const size_t count, + struct sysdb_attrs **list); + +errno_t hbac_ctx_to_rules(TALLOC_CTX *mem_ctx, + struct hbac_ctx *hbac_ctx, + 
struct hbac_rule ***rules, + struct hbac_eval_req **request); + +errno_t +hbac_get_category(struct sysdb_attrs *attrs, + const char *category_attr, + uint32_t *_categories); + +errno_t +hbac_thost_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + struct hbac_rule_element **thosts); + +errno_t +hbac_shost_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + bool support_srchost, + struct hbac_rule_element **source_hosts); + +const char ** +hbac_get_attrs_to_get_cached_rules(TALLOC_CTX *mem_ctx); + +/* From ipa_hbac_services.c */ +struct tevent_req * +ipa_hbac_service_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + struct sdap_search_base **search_bases); + +errno_t +ipa_hbac_service_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *service_count, + struct sysdb_attrs ***services, + size_t *servicegroup_count, + struct sysdb_attrs ***servicegroups); + +errno_t +hbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + struct hbac_rule_element **services); +errno_t +get_ipa_servicegroupname(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + const char *service_dn, + char **servicename); + +/* From ipa_hbac_users.c */ +errno_t +hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *rule_name, + struct sysdb_attrs *rule_attrs, + struct hbac_rule_element **users); + +errno_t +get_ipa_groupname(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + const char *group_dn, + const char **groupname); + +#endif /* IPA_HBAC_PRIVATE_H_ */ diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c new file mode 100644 index 0000000..0634a27 --- /dev/null +++ b/src/providers/ipa/ipa_hbac_rules.c 
@@ -0,0 +1,313 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/ipa/ipa_rules_common.h" +#include "providers/ipa/ipa_hbac_private.h" +#include "providers/ipa/ipa_hbac_rules.h" +#include "providers/ldap/sdap_async.h" + +struct ipa_hbac_rule_state { + struct tevent_context *ev; + struct sdap_handle *sh; + struct sdap_options *opts; + + int search_base_iter; + struct sdap_search_base **search_bases; + + const char **attrs; + char *rules_filter; + char *cur_filter; + + size_t rule_count; + struct sysdb_attrs **rules; +}; + +static errno_t +ipa_hbac_rule_info_next(struct tevent_req *req, + struct ipa_hbac_rule_state *state); +static void +ipa_hbac_rule_info_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sysdb_attrs *ipa_host) +{ + errno_t ret; + size_t i; + struct tevent_req *req = NULL; + struct ipa_hbac_rule_state *state; + const char *host_dn; + char *host_dn_clean; + char *host_group_clean; + char *rule_filter; + const char **memberof_list; + + req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_rule_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; 
+ } + + if (ipa_host == NULL) { + ret = EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, "Missing host\n"); + goto immediate; + } + + ret = sysdb_attrs_get_string(ipa_host, SYSDB_ORIG_DN, &host_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify IPA hostname\n"); + goto immediate; + } + + ret = sss_filter_sanitize(state, host_dn, &host_dn_clean); + if (ret != EOK) goto immediate; + + state->ev = ev; + state->sh = sh; + state->opts = opts; + state->search_bases = search_bases; + state->search_base_iter = 0; + state->attrs = talloc_zero_array(state, const char *, 15); + if (state->attrs == NULL) { + ret = ENOMEM; + goto immediate; + } + state->attrs[0] = OBJECTCLASS; + state->attrs[1] = IPA_CN; + state->attrs[2] = IPA_UNIQUE_ID; + state->attrs[3] = IPA_ENABLED_FLAG; + state->attrs[4] = IPA_ACCESS_RULE_TYPE; + state->attrs[5] = IPA_MEMBER_USER; + state->attrs[6] = IPA_USER_CATEGORY; + state->attrs[7] = IPA_MEMBER_SERVICE; + state->attrs[8] = IPA_SERVICE_CATEGORY; + state->attrs[9] = IPA_SOURCE_HOST; + state->attrs[10] = IPA_SOURCE_HOST_CATEGORY; + state->attrs[11] = IPA_EXTERNAL_HOST; + state->attrs[12] = IPA_MEMBER_HOST; + state->attrs[13] = IPA_HOST_CATEGORY; + state->attrs[14] = NULL; + + rule_filter = talloc_asprintf(state, + "(&(objectclass=%s)" + "(%s=%s)(%s=%s)" + "(|(%s=%s)(%s=%s)", + IPA_HBAC_RULE, + IPA_ENABLED_FLAG, IPA_TRUE_VALUE, + IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW, + IPA_HOST_CATEGORY, "all", + IPA_MEMBER_HOST, host_dn_clean); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + + /* Add all parent groups of ipa_hostname to the filter */ + ret = sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF, + state, &memberof_list); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify.\n"); + } else if (ret == ENOENT) { + /* This host is not a member of any hostgroups */ + memberof_list = talloc_array(state, const char *, 1); + if (memberof_list == NULL) { + ret = ENOMEM; + goto immediate; + } + 
memberof_list[0] = NULL; + } + + for (i = 0; memberof_list[i]; i++) { + ret = sss_filter_sanitize(state, + memberof_list[i], + &host_group_clean); + if (ret != EOK) goto immediate; + + rule_filter = talloc_asprintf_append(rule_filter, "(%s=%s)", + IPA_MEMBER_HOST, + host_group_clean); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + } + + rule_filter = talloc_asprintf_append(rule_filter, "))"); + if (rule_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + state->rules_filter = talloc_steal(state, rule_filter); + + ret = ipa_hbac_rule_info_next(req, state); + if (ret != EAGAIN) { + if (ret == EOK) { + /* ipa_hbac_rule_info_next should always have a search base when + * called for the first time. + * + * For the subsequent iterations, not finding any more search bases + * is fine though (thus the function returns EOK). + * + * As, here, it's the first case happening, let's return EINVAL. + */ + DEBUG(SSSDBG_CRIT_FAILURE, "No search base found\n"); + ret = EINVAL; + } + goto immediate; + } + + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t +ipa_hbac_rule_info_next(struct tevent_req *req, + struct ipa_hbac_rule_state *state) +{ + struct tevent_req *subreq; + struct sdap_search_base *base; + + base = state->search_bases[state->search_base_iter]; + if (base == NULL) { + return EOK; + } + + talloc_zfree(state->cur_filter); + state->cur_filter = sdap_combine_filters(state, state->rules_filter, + base->filter); + if (state->cur_filter == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: " + "[%s][%d][%s]\n", base->basedn, base->scope, + state->cur_filter); + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + base->basedn, base->scope, + state->cur_filter, state->attrs, + NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_ENUM_SEARCH_TIMEOUT), + 
true); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n"); + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_hbac_rule_info_done, req); + + return EAGAIN; +} + +static void +ipa_hbac_rule_info_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ipa_hbac_rule_state *state = + tevent_req_data(req, struct ipa_hbac_rule_state); + int i; + size_t rule_count; + size_t total_count; + struct sysdb_attrs **rules; + struct sysdb_attrs **target; + + ret = sdap_get_generic_recv(subreq, state, + &rule_count, + &rules); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not retrieve HBAC rules\n"); + goto fail; + } + + if (rule_count > 0) { + total_count = rule_count + state->rule_count; + state->rules = talloc_realloc(state, state->rules, + struct sysdb_attrs *, + total_count); + if (state->rules == NULL) { + ret = ENOMEM; + goto fail; + } + + i = 0; + while (state->rule_count < total_count) { + target = &state->rules[state->rule_count]; + *target = talloc_steal(state->rules, rules[i]); + + state->rule_count++; + i++; + } + } + + state->search_base_iter++; + ret = ipa_hbac_rule_info_next(req, state); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + goto fail; + } else if (ret == EOK && state->rule_count == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "No rules apply to this host\n"); + tevent_req_error(req, ENOENT); + return; + } + + /* We went through all search bases and we have some results */ + tevent_req_done(req); + + return; + +fail: + tevent_req_error(req, ret); +} + +errno_t +ipa_hbac_rule_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_rule_count, + struct sysdb_attrs ***_rules) +{ + struct ipa_hbac_rule_state *state = + tevent_req_data(req, struct ipa_hbac_rule_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_rule_count = state->rule_count; + *_rules = talloc_steal(mem_ctx, state->rules); + + return EOK; +} 
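Review bot: In ipa_hbac_rule_info_send, when `sysdb_attrs_get_string_array(ipa_host, SYSDB_ORIG_MEMBEROF, state, &memberof_list)` fails with anything other than ENOENT, the code only logs "Could not identify." and then falls into `for (i = 0; memberof_list[i]; i++)`, although `memberof_list` has not been assigned in this function on that path. Add `goto immediate;` after the DEBUG call so the request fails with that error instead of extending the HBAC rule filter from an indeterminate pointer. The message would also be easier to act on if it named what failed, for example `"Could not read host group memberships [%d]: %s\n"` with `ret, sss_strerror(ret)`.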
diff --git a/src/providers/ipa/ipa_hbac_rules.h b/src/providers/ipa/ipa_hbac_rules.h new file mode 100644 index 0000000..d8e5a14 --- /dev/null +++ b/src/providers/ipa/ipa_hbac_rules.h @@ -0,0 +1,41 @@ +/* + SSSD + + Authors: + Jan Zeleny + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef IPA_HBAC_RULES_H_ +#define IPA_HBAC_RULES_H_ + +/* From ipa_hbac_rules.c */ +struct tevent_req * +ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sysdb_attrs *ipa_host); + +errno_t +ipa_hbac_rule_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_rule_count, + struct sysdb_attrs ***_rules); + +#endif /* IPA_HBAC_RULES_H_ */ diff --git a/src/providers/ipa/ipa_hbac_services.c b/src/providers/ipa/ipa_hbac_services.c new file mode 100644 index 0000000..79088ff --- /dev/null +++ b/src/providers/ipa/ipa_hbac_services.c 
@@ -0,0 +1,686 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "providers/ipa/ipa_rules_common.h"
+#include "providers/ipa/ipa_hbac_private.h"
+#include "providers/ldap/sdap_async.h"
+
+struct ipa_hbac_service_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+ struct sdap_options *opts;
+ const char **attrs;
+
+ char *service_filter;
+ char *cur_filter;
+
+ struct sdap_search_base **search_bases;
+ int search_base_iter;
+
+ /* Return values */
+ size_t service_count;
+ struct sysdb_attrs **services;
+
+ size_t servicegroup_count;
+ struct sysdb_attrs **servicegroups;
+};
+
+static errno_t
+ipa_hbac_service_info_next(struct tevent_req *req,
+ struct ipa_hbac_service_state *state);
+static void
+ipa_hbac_service_info_done(struct tevent_req *subreq);
+static errno_t
+ipa_hbac_servicegroup_info_next(struct tevent_req *req,
+ struct ipa_hbac_service_state *state);
+static void
+ipa_hbac_servicegroup_info_done(struct tevent_req *subreq);
+
+struct tevent_req *
+ipa_hbac_service_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ struct sdap_search_base **search_bases)
+{
+ errno_t ret;
+ struct ipa_hbac_service_state *state;
+ struct tevent_req *req;
+ char *service_filter;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_hbac_service_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sh = sh;
+ state->opts = opts;
+
+ state->search_bases = search_bases;
+ state->search_base_iter = 0;
+
+ service_filter = talloc_asprintf(state, "(objectClass=%s)",
+ IPA_HBAC_SERVICE);
+ if (service_filter == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ state->service_filter = service_filter;
+ state->cur_filter = NULL;
+
+ state->attrs = talloc_array(state, const char *, 6);
+ if (state->attrs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to allocate service attribute list.\n");
+ ret = ENOMEM;
+ goto immediate;
+ }
+ state->attrs[0] = OBJECTCLASS;
+ state->attrs[1] = IPA_CN;
+ state->attrs[2] = IPA_UNIQUE_ID;
+ state->attrs[3] = IPA_MEMBER;
+ state->attrs[4] = IPA_MEMBEROF;
+ state->attrs[5] = NULL;
+
+ ret = ipa_hbac_service_info_next(req, state);
+ if (ret == EOK) {
+ ret = EINVAL;
+ }
+
+ if (ret != EAGAIN) {
+ goto immediate;
+ }
+
+ return req;
+
+immediate:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t ipa_hbac_service_info_next(struct tevent_req *req,
+ struct ipa_hbac_service_state *state)
+{
+ struct tevent_req *subreq;
+ struct sdap_search_base *base;
+
+ base = state->search_bases[state->search_base_iter];
+ if (base == NULL) {
+ return EOK;
+ }
+
+ talloc_zfree(state->cur_filter);
+ state->cur_filter = sdap_combine_filters(state, state->service_filter,
+ base->filter);
+ if (state->cur_filter == NULL) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
+ "[%s][%d][%s]\n", base->basedn, base->scope,
+ state->cur_filter);
+ subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
+ base->basedn, base->scope,
+ state->cur_filter,
+ state->attrs, NULL, 0,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting service info\n");
+ return EIO;
+ }
+ tevent_req_set_callback(subreq, ipa_hbac_service_info_done, req);
+
+ return EAGAIN;
+}
+
+static void
+ipa_hbac_service_info_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct ipa_hbac_service_state *state =
+ tevent_req_data(req, struct ipa_hbac_service_state);
+ char *servicegroup_filter;
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &state->service_count,
+ &state->services);
+ talloc_zfree(subreq);
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
+ }
+
+ if (ret == ENOENT || state->service_count == 0) {
+ /* If there are no services, we'll shortcut out
+ * This is still valid, as rules can apply to
+ * all services
+ *
+ * There's no reason to try to process groups
+ */
+
+ state->search_base_iter++;
+ ret = ipa_hbac_service_info_next(req, state);
+ if (ret == EAGAIN) {
+ return;
+ }
+
+ state->service_count = 0;
+ state->services = NULL;
+ goto done;
+ }
+
+ ret = replace_attribute_name(IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF,
+ state->service_count,
+ state->services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not replace attribute names\n");
+ goto done;
+ }
+
+ servicegroup_filter = talloc_asprintf(state, "(objectClass=%s)",
+ IPA_HBAC_SERVICE_GROUP);
+ if (servicegroup_filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(state->service_filter);
+ state->service_filter = servicegroup_filter;
+
+ state->search_base_iter = 0;
+ ret = ipa_hbac_servicegroup_info_next(req, state);
+ if (ret == EOK) {
+ ret = EINVAL;
+ }
+
+ if (ret != EAGAIN) {
+ goto done;
+ }
+
+ return;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t
+ipa_hbac_servicegroup_info_next(struct tevent_req *req,
+ struct ipa_hbac_service_state *state)
+{
+ struct tevent_req *subreq;
+ struct sdap_search_base *base;
+
+ base = state->search_bases[state->search_base_iter];
+ if (base == NULL) {
+ return EOK;
+ }
+
+ talloc_zfree(state->cur_filter);
+ state->cur_filter = sdap_combine_filters(state, state->service_filter,
+ base->filter);
+ if (state->cur_filter == NULL) {
+ return ENOMEM;
+ }
+
+ /* Look up service groups */
+ DEBUG(SSSDBG_TRACE_FUNC, "Sending request for next search base: "
+ "[%s][%d][%s]\n", base->basedn, base->scope,
+ state->cur_filter);
+ subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
+ base->basedn, base->scope,
+ state->cur_filter, state->attrs, NULL, 0,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting servicegroup info\n");
+ return EIO;
+ }
+ tevent_req_set_callback(subreq, ipa_hbac_servicegroup_info_done, req);
+
+ return EAGAIN;
+}
+
+static void
+ipa_hbac_servicegroup_info_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct ipa_hbac_service_state *state =
+ tevent_req_data(req, struct ipa_hbac_service_state);
+ size_t total_count;
+ size_t group_count;
+ struct sysdb_attrs **groups;
+ struct sysdb_attrs **target;
+ int i;
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &group_count,
+ &groups);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (group_count > 0) {
+ ret = replace_attribute_name(IPA_MEMBER, SYSDB_ORIG_MEMBER,
+ group_count,
+ groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not replace attribute names\n");
+ goto done;
+ }
+
+ ret = replace_attribute_name(IPA_MEMBEROF, SYSDB_ORIG_MEMBEROF,
+ state->servicegroup_count,
+ state->servicegroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not replace attribute names\n");
+ goto done;
+ }
+
+ total_count = state->servicegroup_count + group_count;
+ state->servicegroups = talloc_realloc(state, state->servicegroups,
+ struct sysdb_attrs *,
+ total_count);
+ if (state->servicegroups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ i = 0;
+ while (state->servicegroup_count < total_count) {
+ target = &state->servicegroups[state->servicegroup_count];
+ *target = talloc_steal(state->servicegroups, groups[i]);
+
+ state->servicegroup_count++;
+ i++;
+ }
+ }
+
+ state->search_base_iter++;
+ ret = ipa_hbac_servicegroup_info_next(req, state);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Error [%d][%s]\n", ret, strerror(ret));
+ tevent_req_error(req, ret);
+ }
+}
+
+errno_t
+ipa_hbac_service_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *service_count,
+ struct sysdb_attrs ***services,
+ size_t *servicegroup_count,
+ struct sysdb_attrs ***servicegroups)
+{
+ size_t c;
+ struct ipa_hbac_service_state *state =
+ tevent_req_data(req, struct ipa_hbac_service_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *service_count = state->service_count;
+ *services = talloc_steal(mem_ctx, state->services);
+ for (c = 0; c < state->service_count; c++) {
+ /* Guarantee the memory heirarchy of the list */
+ talloc_steal(state->services, state->services[c]);
+ }
+
+ *servicegroup_count = state->servicegroup_count;
+ *servicegroups = talloc_steal(mem_ctx, state->servicegroups);
+
+ return EOK;
+}
+
+errno_t
+hbac_service_attrs_to_rule(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *rule_name,
+ struct sysdb_attrs *rule_attrs,
+ struct hbac_rule_element **services)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ struct hbac_rule_element *new_services;
+ const char *attrs[] = { IPA_CN, NULL };
+ struct ldb_message_element *el;
+ size_t num_services = 0;
+ size_t num_servicegroups = 0;
+ size_t i;
+ char *member_dn;
+ char *filter;
+ size_t count;
+ struct ldb_message **msgs;
+ const char *name;
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Processing PAM services for rule [%s]\n", rule_name);
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) return ENOMEM;
+
+ new_services = talloc_zero(tmp_ctx, struct hbac_rule_element);
+ if (new_services == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* First check for service category */
+ ret = hbac_get_category(rule_attrs, IPA_SERVICE_CATEGORY,
+ &new_services->category);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify service categories\n");
+ goto done;
+ }
+ if (new_services->category & HBAC_CATEGORY_ALL) {
+ /* Short-cut to the exit */
+ ret = EOK;
+ goto done;
+ }
+
+ /* Get the list of DNs from the member attr */
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_SERVICE, &el);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n");
+ goto done;
+ }
+ if (ret == ENOENT || el->num_values == 0) {
+ el->num_values = 0;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No services specified, rule will never apply.\n");
+ }
+
+ /* Assume maximum size; We'll trim it later */
+ new_services->names = talloc_array(new_services,
+ const char *,
+ el->num_values +1);
+ if (new_services->names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ new_services->groups = talloc_array(new_services,
+ const char *,
+ el->num_values + 1);
+ if (new_services->groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < el->num_values; i++) {
+ ret = sss_filter_sanitize(tmp_ctx,
+ (const char *)el->values[i].data,
+ &member_dn);
+ if (ret != EOK) goto done;
+
+ filter = talloc_asprintf(member_dn, "(%s=%s)",
+ SYSDB_ORIG_DN, member_dn);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* First check if this is a specific service */
+ ret = sysdb_search_custom(tmp_ctx, domain, filter,
+ HBAC_SERVICES_SUBDIR, attrs,
+ &count, &msgs);
+ if (ret != EOK && ret != ENOENT) goto done;
+ if (ret == EOK && count == 0) {
+ ret = ENOENT;
+ }
+
+ if (ret == EOK) {
+ if (count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Original DN matched multiple services. "
+ "Skipping \n");
+ talloc_zfree(member_dn);
+ continue;
+ }
+
+ /* Original DN matched a single service. Get the service name */
+ name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ new_services->names[num_services] =
+ talloc_strdup(new_services->names, name);
+ if (new_services->names[num_services] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Added service [%s] to rule [%s]\n",
+ name, rule_name);
+ num_services++;
+ } else { /* ret == ENOENT */
+ /* Check if this is a service group */
+ ret = sysdb_search_custom(tmp_ctx, domain, filter,
+ HBAC_SERVICEGROUPS_SUBDIR, attrs,
+ &count, &msgs);
+ if (ret != EOK && ret != ENOENT) goto done;
+ if (ret == EOK && count == 0) {
+ ret = ENOENT;
+ }
+
+ if (ret == EOK) {
+ if (count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Original DN matched multiple service groups. "
+ "Skipping\n");
+ talloc_zfree(member_dn);
+ continue;
+ }
+
+ /* Original DN matched a single group. Get the groupname */
+ name = ldb_msg_find_attr_as_string(msgs[0], IPA_CN, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ new_services->groups[num_servicegroups] =
+ talloc_strdup(new_services->groups, name);
+ if (new_services->groups[num_servicegroups] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added service group [%s] to rule [%s]\n",
+ name, rule_name);
+ num_servicegroups++;
+ } else { /* ret == ENOENT */
+ /* Neither a service nor a service group? Skip it */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "[%s] does not map to either a service or "
+ "service group. Skipping\n", member_dn);
+ }
+ }
+ talloc_zfree(member_dn);
+ }
+ new_services->names[num_services] = NULL;
+ new_services->groups[num_servicegroups] = NULL;
+
+ /* Shrink the arrays down to their real sizes */
+ new_services->names = talloc_realloc(new_services, new_services->names,
+ const char *, num_services + 1);
+ if (new_services->names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ new_services->groups = talloc_realloc(new_services, new_services->groups,
+ const char *, num_servicegroups + 1);
+ if (new_services->groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *services = talloc_steal(mem_ctx, new_services);
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+get_ipa_servicegroupname(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *service_dn,
+ char **servicegroupname)
+{
+ errno_t ret;
+ struct ldb_dn *dn;
+ const char *rdn_name;
+ const char *svc_comp_name;
+ const char *hbac_comp_name;
+ const struct ldb_val *rdn_val;
+ const struct ldb_val *svc_comp_val;
+ const struct ldb_val *hbac_comp_val;
+
+ /* This is an IPA-specific hack. It may not
+ * work for non-IPA servers and will need to
+ * be changed if SSSD ever supports HBAC on
+ * a non-IPA server.
+ */
+ *servicegroupname = NULL;
+
+ dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), service_dn);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!ldb_dn_validate(dn)) {
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ if (ldb_dn_get_comp_num(dn) < 4) {
+ /* RDN, services, hbac, and at least one DC= */
+ /* If it's fewer, it's not a group DN */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* If the RDN name is 'cn' */
+ rdn_name = ldb_dn_get_rdn_name(dn);
+ if (rdn_name == NULL) {
+ /* Shouldn't happen if ldb_dn_validate()
+ * passed, but we'll be careful.
+ */
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ if (strcasecmp("cn", rdn_name) != 0) {
+ /* RDN has the wrong attribute name.
+ * It's not a service.
+ */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* and the second component is "cn=hbacservicegroups" */
+ svc_comp_name = ldb_dn_get_component_name(dn, 1);
+ if (strcasecmp("cn", svc_comp_name) != 0) {
+ /* The second component name is not "cn" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ svc_comp_val = ldb_dn_get_component_val(dn, 1);
+ if (strncasecmp("hbacservicegroups",
+ (const char *) svc_comp_val->data,
+ svc_comp_val->length) != 0) {
+ /* The second component value is not "hbacservicegroups" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* and the third component is "hbac" */
+ hbac_comp_name = ldb_dn_get_component_name(dn, 2);
+ if (strcasecmp("cn", hbac_comp_name) != 0) {
+ /* The third component name is not "cn" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ hbac_comp_val = ldb_dn_get_component_val(dn, 2);
+ if (strncasecmp("hbac",
+ (const char *) hbac_comp_val->data,
+ hbac_comp_val->length) != 0) {
+ /* The third component value is not "hbac" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* Then the value of the RDN is the group name */
+ rdn_val = ldb_dn_get_rdn_val(dn);
+ *servicegroupname = talloc_strndup(mem_ctx,
+ (const char *)rdn_val->data,
+ rdn_val->length);
+ if (*servicegroupname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(dn);
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_hbac_users.c b/src/providers/ipa/ipa_hbac_users.c
new file mode 100644
index 0000000..2801a31
--- /dev/null
+++ b/src/providers/ipa/ipa_hbac_users.c
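Review bot: The component checks in get_ipa_servicegroupname, `strncasecmp("hbacservicegroups", (const char *) svc_comp_val->data, svc_comp_val->length)` and the matching one for "hbac", compare only `length` bytes, so a component value that is a prefix of the expected word, or an empty value, compares equal and the DN is accepted as a service-group DN. Since this parser decides whether a DN names an HBAC service group, each test should require equal length first, e.g. `if (svc_comp_val->length != strlen("hbacservicegroups") || strncasecmp(...) != 0)`. get_ipa_groupname in ipa_hbac_users.c uses the same pattern for "groups" and "accounts". Separately, ipa_hbac_servicegroup_info_done renames IPA_MEMBEROF on `state->servicegroups` with `state->servicegroup_count` rather than on the newly received `groups`, so the entries just fetched appear to keep the old attribute name; that looks unintended and is worth confirming.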
@@ -0,0 +1,368 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "providers/ipa/ipa_rules_common.h"
+#include "providers/ipa/ipa_hbac_private.h"
+#include "providers/ldap/sdap_async.h"
+
+/* Returns EOK and populates groupname if
+ * the group_dn is actually a group.
+ * Returns ENOENT if group_dn does not point
+ * at a group.
+ * Returns EINVAL if there is a parsing error.
+ * Returns ENOMEM as appropriate
+ */
+errno_t
+get_ipa_groupname(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *group_dn,
+ const char **groupname)
+{
+ errno_t ret;
+ struct ldb_dn *dn;
+ const char *rdn_name;
+ const char *group_comp_name;
+ const char *account_comp_name;
+ const struct ldb_val *rdn_val;
+ const struct ldb_val *group_comp_val;
+ const struct ldb_val *account_comp_val;
+
+ /* This is an IPA-specific hack. It may not
+ * work for non-IPA servers and will need to
+ * be changed if SSSD ever supports HBAC on
+ * a non-IPA server.
+ */
+ *groupname = NULL;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Parsing %s\n", group_dn);
+
+ dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), group_dn);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!ldb_dn_validate(dn)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "DN %s does not validate\n", group_dn);
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ if (ldb_dn_get_comp_num(dn) < 4) {
+ /* RDN, groups, accounts, and at least one DC= */
+ /* If it's fewer, it's not a group DN */
+ DEBUG(SSSDBG_CRIT_FAILURE, "DN %s has too few components\n", group_dn);
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* If the RDN name is 'cn' */
+ rdn_name = ldb_dn_get_rdn_name(dn);
+ if (rdn_name == NULL) {
+ /* Shouldn't happen if ldb_dn_validate()
+ * passed, but we'll be careful.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "No RDN name in %s\n", group_dn);
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ if (strcasecmp("cn", rdn_name) != 0) {
+ /* RDN has the wrong attribute name.
+ * It's not a group.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected cn in RDN, got %s\n", rdn_name);
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* and the second component is "cn=groups" */
+ group_comp_name = ldb_dn_get_component_name(dn, 1);
+ if (strcasecmp("cn", group_comp_name) != 0) {
+ /* The second component name is not "cn" */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected cn in second component, got %s\n", group_comp_name);
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ group_comp_val = ldb_dn_get_component_val(dn, 1);
+ if (strncasecmp("groups",
+ (const char *) group_comp_val->data,
+ group_comp_val->length) != 0) {
+ /* The second component value is not "groups" */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected groups second component, got %s\n",
+ (const char *) group_comp_val->data);
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* and the third component is "accounts" */
+ account_comp_name = ldb_dn_get_component_name(dn, 2);
+ if (strcasecmp("cn", account_comp_name) != 0) {
+ /* The third component name is not "cn" */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected cn in second component, got %s\n", account_comp_name);
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ account_comp_val = ldb_dn_get_component_val(dn, 2);
+ if (strncasecmp("accounts",
+ (const char *) account_comp_val->data,
+ account_comp_val->length) != 0) {
+ /* The third component value is not "accounts" */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected cn accounts second component, got %s\n",
+ (const char *) account_comp_val->data);
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* Then the value of the RDN is the group name */
+ rdn_val = ldb_dn_get_rdn_val(dn);
+ *groupname = talloc_strndup(mem_ctx,
+ (const char *)rdn_val->data,
+ rdn_val->length);
+ if (*groupname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Parsed %s out of the DN\n", *groupname);
+
+ ret = EOK;
+
+done:
+ talloc_free(dn);
+ return ret;
+}
+
+errno_t
+hbac_user_attrs_to_rule(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *rule_name,
+ struct sysdb_attrs *rule_attrs,
+ struct hbac_rule_element **users)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct hbac_rule_element *new_users = NULL;
+ struct ldb_message_element *el = NULL;
+ struct ldb_message **msgs = NULL;
+ const char *member_dn;
+ const char *attrs[] = { SYSDB_NAME, NULL };
+ size_t num_users = 0;
+ size_t num_groups = 0;
+ const char *sysdb_name;
+ char *shortname;
+
+ size_t count;
+ size_t i;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) return ENOMEM;
+
+ new_users = talloc_zero(tmp_ctx, struct hbac_rule_element);
+ if (new_users == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing users for rule [%s]\n", rule_name);
+
+ ret = hbac_get_category(rule_attrs, IPA_USER_CATEGORY,
+ &new_users->category);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not identify user categories\n");
+ goto done;
+ }
+ if (new_users->category & HBAC_CATEGORY_ALL) {
+ /* Short-cut to the exit */
+ ret = EOK;
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_el(rule_attrs, IPA_MEMBER_USER, &el);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n");
+ goto done;
+ }
+ if (ret == ENOENT || el->num_values == 0) {
+ el->num_values = 0;
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No user specified, rule will never apply.\n");
+ }
+
+ new_users->names = talloc_array(new_users,
+ const char *,
+ el->num_values + 1);
+ if (new_users->names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ new_users->groups = talloc_array(new_users,
+ const char *,
+ el->num_values + 1);
+ if (new_users->groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < el->num_values; i++) {
+ member_dn = (const char *)el->values[i].data;
+
+ /* First check if this is a user */
+ ret = sysdb_search_users_by_orig_dn(tmp_ctx, domain, member_dn, attrs,
+ &count, &msgs);
+ if (ret != EOK && ret != ENOENT) goto done;
+ if (ret == EOK && count == 0) {
+ ret = ENOENT;
+ }
+
+ if (ret == EOK) {
+ if (count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Original DN matched multiple users. Skipping \n");
+ continue;
+ }
+
+ /* Original DN matched a single user. Get the username */
+ sysdb_name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
+ if (sysdb_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, sysdb_name,
+ &shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse %s, skipping\n", sysdb_name);
+ continue;
+ }
+
+ new_users->names[num_users] = talloc_strdup(new_users->names,
+ shortname);
+ if (new_users->names[num_users] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added user [%s] to rule [%s]\n", sysdb_name, rule_name);
+ num_users++;
+ } else {
+ /* Check if it is a group instead */
+ ret = sysdb_search_groups_by_orig_dn(tmp_ctx, domain, member_dn,
+ attrs, &count, &msgs);
+ if (ret != EOK && ret != ENOENT) goto done;
+ if (ret == EOK && count == 0) {
+ ret = ENOENT;
+ }
+
+ if (ret == EOK) {
+ if (count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Original DN matched multiple groups. "
+ "Skipping\n");
+ continue;
+ }
+
+ /* Original DN matched a single group. Get the groupname */
+ sysdb_name = ldb_msg_find_attr_as_string(msgs[0],
+ SYSDB_NAME, NULL);
+ if (sysdb_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Attribute is missing!\n");
+ ret = EFAULT;
+ goto done;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, sysdb_name,
+ &shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse %s, skipping\n", sysdb_name);
+ continue;
+ }
+
+ new_users->groups[num_groups] =
+ talloc_strdup(new_users->groups, shortname);
+ if (new_users->groups[num_groups] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added POSIX group [%s] to rule [%s]\n",
+ sysdb_name, rule_name);
+ num_groups++;
+ } else {
+ /* If the group still matches the group pattern,
+ * we can assume it is a non-POSIX group.
+ */
+ ret = get_ipa_groupname(new_users->groups, domain->sysdb,
+ member_dn,
+ &new_users->groups[num_groups]);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added non-POSIX group [%s] to rule [%s]\n",
+ new_users->groups[num_groups], rule_name);
+ num_groups++;
+ } else {
+ /* Not a group, so we don't care about it */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "[%s] does not map to either a user or group. "
+ "Skipping\n", member_dn);
+ }
+ }
+ }
+ }
+ new_users->names[num_users] = NULL;
+ new_users->groups[num_groups] = NULL;
+
+ /* Shrink the arrays down to their real sizes */
+ new_users->names = talloc_realloc(new_users, new_users->names,
+ const char *, num_users + 1);
+ if (new_users->names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ new_users->groups = talloc_realloc(new_users, new_users->groups,
+ const char *, num_groups + 1);
+ if (new_users->groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ if (ret == EOK) {
+ *users = talloc_steal(mem_ctx, new_users);
+ }
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_hostid.c b/src/providers/ipa/ipa_hostid.c
new file mode 100644
index 0000000..891536f
--- /dev/null
+++ b/src/providers/ipa/ipa_hostid.c
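Review bot: The failure messages in get_ipa_groupname print `group_comp_val->data` and `account_comp_val->data` with `%s`, while the comparisons just above them treat the same values as length-delimited; unless ldb guarantees NUL termination for component values, the log call should carry the length as well, e.g. `"... got %.*s\n", (int) group_comp_val->length, (const char *) group_comp_val->data`. The two messages for the third component still say "second component", which makes the log misleading when a DN is rejected. In hbac_user_attrs_to_rule, `el->num_values = 0` runs when sysdb_attrs_get_el returned ENOENT; if that call can leave `el` unset (it is initialised to NULL here), this dereferences a null pointer, so either add a guard or a comment stating that the callee always allocates the element. hbac_service_attrs_to_rule in ipa_hbac_services.c has the same sequence with `el` left uninitialised.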
@@ -0,0 +1,30 @@
+/*
+ Authors:
+ Hristo Venev
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_hostid.h"
+
+errno_t ipa_hostid_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ return sdap_hostid_init(mem_ctx, be_ctx, id_ctx->sdap_id_ctx, dp_methods);
+}
diff --git a/src/providers/ipa/ipa_hosts.c b/src/providers/ipa/ipa_hosts.c
new file mode 100644
index 0000000..288bfb8
--- /dev/null
+++ b/src/providers/ipa/ipa_hosts.c
@@ -0,0 +1,365 @@ +/* + SSSD + + Authors: + Jan Zeleny + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ipa/ipa_hosts.h" +#include "providers/ipa/ipa_common.h" + +struct ipa_host_state { + struct tevent_context *ev; + struct sdap_handle *sh; + struct sdap_options *opts; + const char **attrs; + struct sdap_attr_map *hostgroup_map; + + struct sdap_search_base **search_bases; + int search_base_iter; + + char *cur_filter; + char *host_filter; + + const char *hostname; + + /* Return values */ + size_t host_count; + struct sysdb_attrs **hosts; + + size_t hostgroup_count; + struct sysdb_attrs **hostgroups; +}; + +static void +ipa_host_info_done(struct tevent_req *subreq); +static void +ipa_hostgroup_info_done(struct tevent_req *subreq); +static errno_t +ipa_hostgroup_info_next(struct tevent_req *req, + struct ipa_host_state *state); + +/** + * hostname == NULL -> look up all hosts / host groups + * hostname != NULL -> look up only given host and groups + * it's member of + * hostgroup_map == NULL -> skip looking up hostgroups + */ +struct tevent_req * +ipa_host_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + const char *hostname, + struct sdap_attr_map *host_map, + struct sdap_attr_map *hostgroup_map, + struct sdap_search_base 
**search_bases) +{ + struct ipa_host_state *state; + struct tevent_req *req, *subreq; + + req = tevent_req_create(mem_ctx, &state, struct ipa_host_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->sh = sh; + state->opts = opts; + state->hostname = hostname; + state->search_bases = search_bases; + state->search_base_iter = 0; + state->cur_filter = NULL; + state->hostgroup_map = hostgroup_map; + + subreq = sdap_host_info_send(mem_ctx, ev, sh, opts, hostname, host_map, + search_bases); + if (subreq == NULL) { + talloc_zfree(req); + return NULL; + } + tevent_req_set_callback(subreq, ipa_host_info_done, req); + + return req; +} + +static void +ipa_host_info_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ipa_host_state *state = + tevent_req_data(req, struct ipa_host_state); + const char *host_dn; + struct sdap_attr_map_info *maps; + const int num_maps = 1; + + ret = sdap_host_info_recv(subreq, state, + &state->host_count, + &state->hosts); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + if (state->hostgroup_map) { + ret = build_attrs_from_map(state, state->hostgroup_map, + IPA_OPTS_HOSTGROUP, NULL, + &state->attrs, NULL); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* Look up host groups */ + if (state->hostname == NULL) { + talloc_zfree(state->host_filter); + state->host_filter = talloc_asprintf(state, "(objectClass=%s)", + state->hostgroup_map[IPA_OC_HOSTGROUP].name); + if (state->host_filter == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + state->search_base_iter = 0; + + ret = ipa_hostgroup_info_next(req, state); + if (ret == EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "No host search base configured?\n"); + tevent_req_error(req, EINVAL); + return; + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + return; + } + } else { + ret = sysdb_attrs_get_string(state->hosts[0], 
SYSDB_ORIG_DN, &host_dn); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + if (!sdap_has_deref_support(state->sh, state->opts)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Server does not support deref\n"); + tevent_req_error(req, EIO); + return; + } + + maps = talloc_array(state, struct sdap_attr_map_info, num_maps + 1); + if (maps == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + maps[0].map = state->hostgroup_map; + maps[0].num_attrs = IPA_OPTS_HOSTGROUP; + maps[1].map = NULL; + + subreq = sdap_deref_search_send(state, state->ev, state->opts, state->sh, + host_dn, + state->hostgroup_map[IPA_AT_HOSTGROUP_MEMBER_OF].name, + state->attrs, + num_maps, maps, + dp_opt_get_int(state->opts->basic, + SDAP_ENUM_SEARCH_TIMEOUT)); + if (subreq == NULL) { + talloc_free(maps); + DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting host info\n"); + tevent_req_error(req, EIO); + return; + } + tevent_req_set_callback(subreq, ipa_hostgroup_info_done, req); + } + } else { + /* Nothing else to do, just complete the req */ + tevent_req_done(req); + } +} + +static errno_t ipa_hostgroup_info_next(struct tevent_req *req, + struct ipa_host_state *state) +{ + struct sdap_search_base *base; + struct tevent_req *subreq; + + base = state->search_bases[state->search_base_iter]; + if (base == NULL) { + return EOK; + } + + talloc_zfree(state->cur_filter); + state->cur_filter = sdap_combine_filters(state, state->host_filter, + base->filter); + if (state->cur_filter == NULL) { + return ENOMEM; + } + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + base->basedn, base->scope, + state->cur_filter, state->attrs, + state->hostgroup_map, + IPA_OPTS_HOSTGROUP, + dp_opt_get_int(state->opts->basic, + SDAP_ENUM_SEARCH_TIMEOUT), + true); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting hostgroup info\n"); + talloc_zfree(state->cur_filter); + return EIO; + } + tevent_req_set_callback(subreq, ipa_hostgroup_info_done, req); + + return EAGAIN; +} + 
+static void +ipa_hostgroup_info_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ipa_host_state *state = + tevent_req_data(req, struct ipa_host_state); + + size_t hostgroups_total; + size_t hostgroup_count; + struct sysdb_attrs **hostgroups; + struct sdap_deref_attrs **deref_result; + const char *hostgroup_name; + const char *hostgroup_dn; + int i, j; + + if (state->hostname == NULL) { + ret = sdap_get_generic_recv(subreq, state, + &hostgroup_count, + &hostgroups); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_get_generic_recv failed: [%d]\n", ret); + tevent_req_error(req, ret); + return; + } + + /* Merge the two arrays */ + if (hostgroup_count > 0) { + hostgroups_total = hostgroup_count + state->hostgroup_count; + state->hostgroups = talloc_realloc(state, state->hostgroups, + struct sysdb_attrs *, + hostgroups_total); + if (state->hostgroups == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + i = 0; + while(state->hostgroup_count < hostgroups_total) { + state->hostgroups[state->hostgroup_count] = + talloc_steal(state->hostgroups, hostgroups[i]); + state->hostgroup_count++; + i++; + } + } + + /* Now look in the next base */ + state->search_base_iter++; + ret = ipa_hostgroup_info_next(req, state); + if (ret != EOK && ret != EAGAIN) { + tevent_req_error(req, ret); + } + + if (ret != EOK) { + /* Only continue if no error occurred + * and no req was created */ + return; + } + } else { + ret = sdap_deref_search_recv(subreq, state, + &state->hostgroup_count, + &deref_result); + talloc_zfree(subreq); + if (ret != EOK) goto done; + + if (state->hostgroup_count == 0) { + DEBUG(SSSDBG_FUNC_DATA, "No host groups were dereferenced\n"); + } else { + state->hostgroups = talloc_zero_array(state, struct sysdb_attrs *, + state->hostgroup_count); + if (state->hostgroups == NULL) { + ret = ENOMEM; + goto done; + } + + j = 0; + for (i = 0; i < 
state->hostgroup_count; i++) { + ret = sysdb_attrs_get_string(deref_result[i]->attrs, + SYSDB_ORIG_DN, &hostgroup_dn); + if (ret != EOK) goto done; + + if (!sss_ldap_dn_in_search_bases(state, hostgroup_dn, + state->search_bases, + NULL)) { + continue; + } + + ret = sysdb_attrs_get_string(deref_result[i]->attrs, + state->hostgroup_map[IPA_AT_HOSTGROUP_NAME].sys_name, + &hostgroup_name); + if (ret != EOK) goto done; + + DEBUG(SSSDBG_FUNC_DATA, "Dereferenced host group: %s\n", + hostgroup_name); + state->hostgroups[j] = talloc_steal(state->hostgroups, + deref_result[i]->attrs); + j++; + } + state->hostgroup_count = j; + } + } + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Error [%d][%s]\n", ret, strerror(ret)); + tevent_req_error(req, ret); + } +} + +errno_t ipa_host_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *host_count, + struct sysdb_attrs ***hosts, + size_t *hostgroup_count, + struct sysdb_attrs ***hostgroups) +{ + struct ipa_host_state *state = + tevent_req_data(req, struct ipa_host_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *host_count = state->host_count; + *hosts = talloc_steal(mem_ctx, state->hosts); + + if (hostgroup_count) *hostgroup_count = state->hostgroup_count; + if (hostgroups) *hostgroups = talloc_steal(mem_ctx, state->hostgroups); + + return EOK; +} diff --git a/src/providers/ipa/ipa_hosts.h b/src/providers/ipa/ipa_hosts.h new file mode 100644 index 0000000..a1ea7a2 --- /dev/null +++ b/src/providers/ipa/ipa_hosts.h 
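Review bot: In `ipa_host_info_send` the first subrequest is allocated on the caller's `mem_ctx` instead of on `state`, unlike every later subrequest in this file, so freeing `req` while the host search is still in flight does not free `subreq`, and `ipa_host_info_done` would then run with a dangling `req`. Parent it on the request state: `subreq = sdap_host_info_send(state, ev, sh, opts, hostname, host_map,`. Separately, `ipa_host_info_done` reads `state->hosts[0]` without looking at `state->host_count`; whether `sdap_host_info_recv` can succeed with zero hosts is not visible in this hunk, so a guard such as `if (state->host_count == 0) { tevent_req_error(req, ENOENT); return; }` before the `sysdb_attrs_get_string` call would make the index locally safe.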
@@ -0,0 +1,44 @@
+/*
+ SSSD
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_HOSTS_H_
+#define IPA_HOSTS_H_
+
+struct tevent_req *
+ipa_host_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ const char *hostname,
+ struct sdap_attr_map *host_map,
+ struct sdap_attr_map *hostgroup_map,
+ struct sdap_search_base **search_bases);
+
+errno_t
+ipa_host_info_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *host_count,
+ struct sysdb_attrs ***hosts,
+ size_t *hostgroup_count,
+ struct sysdb_attrs ***hostgroups);
+
+#endif /* IPA_HOSTS_H_ */
diff --git a/src/providers/ipa/ipa_id.c b/src/providers/ipa/ipa_id.c
new file mode 100644
index 0000000..e644af5
--- /dev/null
+++ b/src/providers/ipa/ipa_id.c
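Review bot: The declarations of `ipa_host_info_send` and `ipa_host_info_recv` carry no contract, and the only description (the NULL semantics of `hostname` and `hostgroup_map`) sits above the definition in ipa_hosts.c, where users of this header will not see it. I would move that comment to the prototype and add one for the receiver saying that `host_count` and `hosts` are written unconditionally, that `hostgroup_count` and `hostgroups` may be NULL, and that the returned arrays are re-parented onto `mem_ctx` with `talloc_steal`. The header also uses `TALLOC_CTX`, `errno_t` and `size_t` without including anything, so it compiles only when the including file has already pulled those in; whether that is the project's convention is not visible here.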
@@ -0,0 +1,1459 @@ +/* + SSSD + + IPA Identity Backend Module + + Authors: + Jan Zeleny + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ipa/ipa_id.h" + +static struct tevent_req * +ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + struct dp_id_data *ar); + +static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error); + +static bool is_object_overridable(struct dp_id_data *ar) +{ + bool ret = false; + + switch (ar->entry_type & BE_REQ_TYPE_MASK) { + case BE_REQ_USER: + case BE_REQ_GROUP: + case BE_REQ_INITGROUPS: + case BE_REQ_BY_SECID: + case BE_REQ_USER_AND_GROUP: + case BE_REQ_BY_UUID: + case BE_REQ_BY_CERT: + ret = true; + break; + default: + break; + } + + return ret; +} + +struct ipa_resolve_user_list_state { + struct tevent_context *ev; + struct ipa_id_ctx *ipa_ctx; + struct ldb_message_element *users; + const char *domain_name; + struct sss_domain_info *domain; + struct sss_domain_info *user_domain; + size_t user_idx; + + int dp_error; +}; + +static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req); +static void ipa_resolve_user_list_get_user_done(struct tevent_req *subreq); + +struct tevent_req * 
+ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + const char *domain_name, + struct ldb_message_element *users) +{ + int ret; + struct tevent_req *req; + struct ipa_resolve_user_list_state *state; + + req = tevent_req_create(memctx, &state, + struct ipa_resolve_user_list_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->ipa_ctx = ipa_ctx; + state->domain_name = domain_name; + state->domain = find_domain_by_name(state->ipa_ctx->sdap_id_ctx->be->domain, + state->domain_name, true); + state->users = users; + state->user_idx = 0; + state->dp_error = DP_ERR_FATAL; + + ret = ipa_resolve_user_list_get_user_step(req); + if (ret == EAGAIN) { + return req; + } else if (ret == EOK) { + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_resolve_user_list_get_user_step failed.\n"); + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ipa_resolve_user_list_get_user_step(struct tevent_req *req) +{ + int ret; + struct tevent_req *subreq; + struct dp_id_data *ar; + struct ipa_resolve_user_list_state *state = tevent_req_data(req, + struct ipa_resolve_user_list_state); + + if (state->user_idx >= state->users->num_values) { + return EOK; + } + + ret = get_dp_id_data_for_user_name(state, + (char *) state->users->values[state->user_idx].data, + state->domain_name, &ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_user_name failed.\n"); + return ret; + } + + DEBUG(SSSDBG_TRACE_ALL, "Trying to resolve user [%s].\n", ar->filter_value); + + state->user_domain = find_domain_by_object_name_ex( + state->ipa_ctx->sdap_id_ctx->be->domain, + ar->filter_value, true); + /* Use provided domain as fallback because no known domain was found in the + * user name. 
*/ + if (state->user_domain == NULL) { + state->user_domain = state->domain; + } + ar->domain = state->user_domain->name; + + if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) { + subreq = ipa_subdomain_account_send(state, state->ev, state->ipa_ctx, + ar); + } else { + subreq = ipa_id_get_account_info_send(state, state->ev, state->ipa_ctx, + ar); + } + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct_req_send failed.\n"); + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_resolve_user_list_get_user_done, req); + + return EAGAIN; +} + +static void ipa_resolve_user_list_get_user_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_resolve_user_list_state *state = tevent_req_data(req, + struct ipa_resolve_user_list_state); + int ret; + + if (state->user_domain != state->ipa_ctx->sdap_id_ctx->be->domain) { + ret = ipa_subdomain_account_recv(subreq, &state->dp_error); + } else { + ret = ipa_id_get_account_info_recv(subreq, &state->dp_error); + } + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct request failed: %d\n", ret); + goto done; + } + + state->user_idx++; + + ret = ipa_resolve_user_list_get_user_step(req); + if (ret == EAGAIN) { + return; + } + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_resolve_user_list_get_user_step failed.\n"); + } + +done: + if (ret == EOK) { + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + } else { + if (state->dp_error == DP_ERR_OK) { + state->dp_error = DP_ERR_FATAL; + } + tevent_req_error(req, ret); + } + return; +} + +int ipa_resolve_user_list_recv(struct tevent_req *req, int *dp_error) +{ + struct ipa_resolve_user_list_state *state = tevent_req_data(req, + struct ipa_resolve_user_list_state); + + if (dp_error) { + *dp_error = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct ipa_initgr_get_overrides_state { + struct 
tevent_context *ev; + struct ipa_id_ctx *ipa_ctx; + struct sss_domain_info *user_dom; + const char *realm; + + struct ldb_message **groups; + size_t group_count; + const char *groups_id_attr; + size_t group_idx; + struct dp_id_data *ar; + + int dp_error; +}; + +static int ipa_initgr_get_overrides_step(struct tevent_req *req); + +struct tevent_req * +ipa_initgr_get_overrides_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + struct sss_domain_info *user_dom, + size_t groups_count, + struct ldb_message **groups, + const char *groups_id_attr) +{ + int ret; + struct tevent_req *req; + struct ipa_initgr_get_overrides_state *state; + + req = tevent_req_create(memctx, &state, + struct ipa_initgr_get_overrides_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + state->ev = ev; + state->ipa_ctx = ipa_ctx; + state->user_dom = user_dom; + state->groups = groups; + state->group_count = groups_count; + state->group_idx = 0; + state->ar = NULL; + state->realm = dp_opt_get_string(state->ipa_ctx->ipa_options->basic, + IPA_KRB5_REALM); + if (state->realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); + ret = EINVAL; + goto done; + } + state->groups_id_attr = talloc_strdup(state, groups_id_attr); + if (state->groups_id_attr == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = ipa_initgr_get_overrides_step(req); +done: + if (ret == EOK) { + tevent_req_done(req); + tevent_req_post(req, ev); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq); + +static int ipa_initgr_get_overrides_step(struct tevent_req *req) +{ + int ret; + struct tevent_req *subreq; + const char *ipa_uuid; + struct ipa_initgr_get_overrides_state *state = tevent_req_data(req, + struct 
ipa_initgr_get_overrides_state); + + DEBUG(SSSDBG_TRACE_LIBS, + "Processing group %zu/%zu\n", state->group_idx, state->group_count); + + if (state->group_idx >= state->group_count) { + return EOK; + } + + ipa_uuid = ldb_msg_find_attr_as_string(state->groups[state->group_idx], + state->groups_id_attr, NULL); + if (ipa_uuid == NULL) { + /* This should never happen, the search filter used to get the list + * of groups includes "uuid=*" + */ + DEBUG(SSSDBG_OP_FAILURE, + "The group %s has no UUID attribute %s, error!\n", + ldb_dn_get_linearized(state->groups[state->group_idx]->dn), + state->groups_id_attr); + return EINVAL; + } + + talloc_free(state->ar); /* Avoid spiking memory with many groups */ + + if (strcmp(state->groups_id_attr, SYSDB_UUID) == 0) { + ret = get_dp_id_data_for_uuid(state, ipa_uuid, + state->user_dom->name, &state->ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); + return ret; + } + } else if (strcmp(state->groups_id_attr, SYSDB_SID_STR) == 0) { + ret = get_dp_id_data_for_sid(state, ipa_uuid, + state->user_dom->name, &state->ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); + return ret; + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported groups ID type [%s].\n", + state->groups_id_attr); + return EINVAL; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Fetching group %s\n", ipa_uuid); + + subreq = ipa_get_ad_override_send(state, state->ev, + state->ipa_ctx->sdap_id_ctx, + state->ipa_ctx->ipa_options, + state->realm, + state->ipa_ctx->view_name, + state->ar); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n"); + return ENOMEM; + } + tevent_req_set_callback(subreq, + ipa_initgr_get_overrides_override_done, req); + return EAGAIN; +} + +static void ipa_initgr_get_overrides_override_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_initgr_get_overrides_state *state = 
tevent_req_data(req, + struct ipa_initgr_get_overrides_state); + int ret; + struct sysdb_attrs *override_attrs = NULL; + + ret = ipa_get_ad_override_recv(subreq, &state->dp_error, state, + &override_attrs); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret); + tevent_req_error(req, ret); + return; + } + + if (is_default_view(state->ipa_ctx->view_name)) { + ret = sysdb_apply_default_override(state->user_dom, override_attrs, + state->groups[state->group_idx]->dn); + } else { + ret = sysdb_store_override(state->user_dom, + state->ipa_ctx->view_name, + SYSDB_MEMBER_GROUP, + override_attrs, + state->groups[state->group_idx]->dn); + } + talloc_free(override_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n"); + tevent_req_error(req, ret); + return; + } + + state->group_idx++; + + ret = ipa_initgr_get_overrides_step(req); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error) +{ + struct ipa_initgr_get_overrides_state *state = tevent_req_data(req, + struct ipa_initgr_get_overrides_state); + + if (dp_error) { + *dp_error = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +/* Given a user name, retrieve an array of group UUIDs of groups that have + * no overrideDN attribute but do have an UUID attribute. 
+ */ +static errno_t ipa_id_get_group_uuids(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + size_t *_msgs_count, + struct ldb_message ***_msgs) +{ + const char *filter; + TALLOC_CTX *tmp_ctx; + char **uuid_list = NULL; + errno_t ret; + struct ldb_dn *base_dn; + const char *attrs[] = { SYSDB_UUID, NULL }; + size_t msgs_count; + struct ldb_message **msgs; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + filter = talloc_asprintf(tmp_ctx, + "(&(%s=%s)(!(%s=*))(%s=*))", + SYSDB_OBJECTCATEGORY, + SYSDB_GROUP_CLASS, SYSDB_OVERRIDE_DN, + SYSDB_UUID); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + base_dn = sysdb_base_dn(sysdb, tmp_ctx); + if (base_dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_entry(tmp_ctx, sysdb, base_dn, + LDB_SCOPE_SUBTREE, filter, attrs, + &msgs_count, &msgs); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, + "No groups without %s in sysdb\n", SYSDB_OVERRIDE_DN); + ret = EOK; + goto done; + } else if (ret != EOK) { + goto done; + } + + uuid_list = talloc_zero_array(tmp_ctx, char *, msgs_count); + if (uuid_list == NULL) { + goto done; + } + + *_msgs_count = msgs_count; + *_msgs = talloc_steal(mem_ctx, msgs); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +struct ipa_id_get_account_info_state { + struct tevent_context *ev; + struct ipa_id_ctx *ipa_ctx; + struct sdap_id_ctx *ctx; + struct sdap_id_op *op; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + struct dp_id_data *ar; + struct dp_id_data *orig_ar; + const char *realm; + + struct sysdb_attrs *override_attrs; + struct ldb_message *obj_msg; + struct ldb_message_element *ghosts; + + struct ldb_message **user_groups; + size_t group_cnt; + size_t group_idx; + + struct ldb_result *res; + size_t res_index; + int dp_error; +}; + +static void ipa_id_get_account_info_connected(struct tevent_req *subreq); +static void ipa_id_get_account_info_got_override(struct tevent_req *subreq); +static errno_t 
ipa_id_get_account_info_get_original_step(struct tevent_req *req, + struct dp_id_data *ar); +static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq); +static void ipa_id_get_account_info_done(struct tevent_req *subreq); +static void ipa_id_get_user_list_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_id_get_account_info_send(TALLOC_CTX *memctx, struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + struct dp_id_data *ar) +{ + int ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct ipa_id_get_account_info_state *state; + + req = tevent_req_create(memctx, &state, + struct ipa_id_get_account_info_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->ipa_ctx = ipa_ctx; + state->ctx = ipa_ctx->sdap_id_ctx; + state->dp_error = DP_ERR_FATAL; + + state->op = sdap_id_op_create(state, state->ctx->conn->conn_cache); + if (state->op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n"); + ret = ENOMEM; + goto fail; + } + + state->domain = find_domain_by_name(state->ctx->be->domain, + ar->domain, true); + if (state->domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n"); + ret = ENOMEM; + goto fail; + } + state->sysdb = state->domain->sysdb; + state->ar = ar; + state->realm = dp_opt_get_string(state->ipa_ctx->ipa_options->basic, + IPA_KRB5_REALM); + if (state->realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); + ret = EINVAL; + goto fail; + } + + /* We can skip the override lookup and go directly to the original object + * if + * - the lookup is by SID + * - there is no view set of it is the default view + * - if the EXTRA_INPUT_MAYBE_WITH_VIEW flag is not set + */ + if (is_default_view(state->ipa_ctx->view_name) + || state->ar->filter_type == BE_FILTER_SECID + || state->ar->extra_value == NULL + || strcmp(state->ar->extra_value, + EXTRA_INPUT_MAYBE_WITH_VIEW) != 0 + || ! 
is_object_overridable(state->ar)) { + ret = ipa_id_get_account_info_get_original_step(req, ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_subdomain_account_get_original_step failed.\n"); + goto fail; + } + } else { + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n"); + goto fail; + } + tevent_req_set_callback(subreq, ipa_id_get_account_info_connected, req); + } + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ipa_id_get_account_info_connected(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect request failed.\n"); + goto fail; + } + + subreq = ipa_get_ad_override_send(state, state->ev, state->ctx, + state->ipa_ctx->ipa_options, state->realm, + state->ipa_ctx->view_name, state->ar); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_id_get_account_info_got_override, req); + + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static void ipa_id_get_account_info_got_override(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + int dp_error = DP_ERR_FATAL; + int ret; + const char *anchor = NULL; + char *anchor_domain; + char *ipa_uuid; + + ret = ipa_get_ad_override_recv(subreq, &dp_error, state, + &state->override_attrs); + 
talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret); + goto fail; + } + + if (state->override_attrs != NULL) { + ret = sysdb_attrs_get_string(state->override_attrs, + SYSDB_OVERRIDE_ANCHOR_UUID, + &anchor); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto fail; + } + + ret = split_ipa_anchor(state, anchor, &anchor_domain, &ipa_uuid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unsupported override anchor [%s].\n", anchor); + ret = EINVAL; + goto fail; + } + + if (strcmp(state->ar->domain, anchor_domain) == 0) { + + state->orig_ar = state->ar; + + ret = get_dp_id_data_for_uuid(state, ipa_uuid, + state->ar->domain, + &state->ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_uuid failed.\n"); + goto fail; + } + + if ((state->orig_ar->entry_type & BE_REQ_TYPE_MASK) + == BE_REQ_INITGROUPS) { + DEBUG(SSSDBG_TRACE_ALL, + "Switching back to BE_REQ_INITGROUPS.\n"); + state->ar->entry_type = BE_REQ_INITGROUPS; + state->ar->filter_type = BE_FILTER_UUID; + } + + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Anchor from a different domain [%s], expected [%s]. 
" \ + "This is currently not supported, continue lookup in " \ + "local IPA domain.\n", + anchor_domain, state->ar->domain); + } + } + + ret = ipa_id_get_account_info_get_original_step(req, state->ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_subdomain_account_get_original_step failed.\n"); + goto fail; + } + + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static errno_t ipa_id_get_account_info_get_original_step(struct tevent_req *req, + struct dp_id_data *ar) +{ + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + struct tevent_req *subreq; + + subreq = sdap_handle_acct_req_send(state, state->ctx->be, ar, + state->ipa_ctx->sdap_id_ctx, + state->ipa_ctx->sdap_id_ctx->opts->sdom, + state->ipa_ctx->sdap_id_ctx->conn, true); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct_req_send failed.\n"); + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_id_get_account_info_orig_done, req); + + return EOK; +} + +static int ipa_id_get_account_info_post_proc_step(struct tevent_req *req); +static void ipa_id_get_user_groups_done(struct tevent_req *subreq); + +static void ipa_id_get_account_info_orig_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + int dp_error = DP_ERR_FATAL; + int ret; + const char *attrs[] = { SYSDB_NAME, + SYSDB_UIDNUM, + SYSDB_SID_STR, + SYSDB_OBJECTCATEGORY, + SYSDB_UUID, + SYSDB_GHOST, + SYSDB_HOMEDIR, + NULL }; + + ret = sdap_handle_acct_req_recv(subreq, &dp_error, NULL, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_handle_acct request failed: %d\n", ret); + goto fail; + } + + if (! 
is_object_overridable(state->ar)) { + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + } + + /* Lookups by certificate can return muliple results and need special + * handling because get_object_from_cache() expects a unique match */ + state->res = NULL; + state->res_index = 0; + if (state->ar->filter_type == BE_FILTER_CERT) { + ret = sysdb_search_object_by_cert(state, state->domain, + state->ar->filter_value, attrs, + &(state->res)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to make request to our cache: [%d]: [%s]\n", + ret, sss_strerror(ret)); + goto fail; + } + if (state->res->count == 0) { + DEBUG(SSSDBG_OP_FAILURE, "Object not found in our cache.\n"); + ret = ENOENT; + goto fail; + } + + state->obj_msg = state->res->msgs[0]; + if (state->res->count == 1) { + /* Just process the unique result, no need to iterate */ + state->res = NULL; + } + } else { + ret = get_object_from_cache(state, state->domain, state->ar, + &state->obj_msg); + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n"); + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n"); + goto fail; + } + } + + ret = ipa_id_get_account_info_post_proc_step(req); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_id_get_account_info_post_proc_step failed.\n"); + goto fail; + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static int ipa_id_get_account_info_post_proc_step(struct tevent_req *req) +{ + int ret; + const char *uuid; + const char *class; + enum sysdb_member_type type; + struct tevent_req *subreq; + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + + class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCATEGORY, + NULL); 
+ if (class == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find an objectclass.\n"); + ret = EINVAL; + goto done; + } + + + if (!is_default_view(state->ipa_ctx->view_name)) { + + if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_GROUP + || ((state->ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_UUID + && strcmp(class, SYSDB_GROUP_CLASS) == 0)) { + /* check for ghost members because ghost members are not allowed + * if a view other than the default view is applied.*/ + state->ghosts = ldb_msg_find_element(state->obj_msg, SYSDB_GHOST); + } else if ((state->ar->entry_type & BE_REQ_TYPE_MASK) == \ + BE_REQ_INITGROUPS) { + /* Get UUID list of groups that have no overrideDN set. */ + ret = ipa_id_get_group_uuids(state, state->sysdb, + &state->group_cnt, + &state->user_groups); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get UUID list: %d\n", ret); + goto done; + } + } + } + + + if (state->override_attrs == NULL) { + uuid = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_UUID, NULL); + if (uuid == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find a UUID.\n"); + ret = EINVAL; + goto done; + } + + ret = get_dp_id_data_for_uuid(state, uuid, state->domain->name, + &state->ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); + goto done; + } + + subreq = ipa_get_ad_override_send(state, state->ev, + state->ipa_ctx->sdap_id_ctx, + state->ipa_ctx->ipa_options, + state->realm, + state->ipa_ctx->view_name, + state->ar); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ipa_id_get_account_info_done, req); + ret = EAGAIN; + goto done; + } else { + if (strcmp(class, SYSDB_USER_CLASS) == 0) { + type = SYSDB_MEMBER_USER; + } else { + type = SYSDB_MEMBER_GROUP; + } + + ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name, + type, + state->override_attrs, state->obj_msg->dn); + if (ret != EOK) { + 
DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n"); + goto done; + } + } + + if (state->ghosts != NULL) { + /* Resolve ghost members */ + subreq = ipa_resolve_user_list_send(state, state->ev, + state->ipa_ctx, + state->domain->name, + state->ghosts); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ipa_id_get_user_list_done, req); + ret = EAGAIN; + goto done; + } + + if (state->user_groups != NULL) { + subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx, + state->domain, state->group_cnt, + state->user_groups, + SYSDB_UUID); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ipa_id_get_user_groups_done, req); + ret = EAGAIN; + goto done; + } + + ret = EOK; + +done: + if (ret == EOK && state->res != NULL + && ++state->res_index < state->res->count) { + state->obj_msg = state->res->msgs[state->res_index]; + ret = ipa_id_get_account_info_post_proc_step(req); + } + + return ret; +} + +static void ipa_id_get_account_info_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + int dp_error = DP_ERR_FATAL; + int ret; + const char *class; + enum sysdb_member_type type; + + ret = ipa_get_ad_override_recv(subreq, &dp_error, state, + &state->override_attrs); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret); + goto fail; + } + + class = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_OBJECTCATEGORY, + NULL); + if (class == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find an objectclass.\n"); + ret = EINVAL; + goto fail; + } + + if (strcmp(class, SYSDB_USER_CLASS) == 0) { + type = SYSDB_MEMBER_USER; + 
} else { + type = SYSDB_MEMBER_GROUP; + } + + ret = sysdb_store_override(state->domain, state->ipa_ctx->view_name, + type, + state->override_attrs, state->obj_msg->dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n"); + goto fail; + } + + if (state->ghosts != NULL) { + /* Resolve ghost members */ + subreq = ipa_resolve_user_list_send(state, state->ev, + state->ipa_ctx, + state->domain->name, + state->ghosts); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n"); + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, ipa_id_get_user_list_done, req); + return; + } + + if (state->user_groups != NULL) { + subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx, + state->domain, state->group_cnt, + state->user_groups, + SYSDB_UUID); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n"); + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, ipa_id_get_user_groups_done, req); + return; + } + + if (state->res != NULL && ++state->res_index < state->res->count) { + state->obj_msg = state->res->msgs[state->res_index]; + ret = ipa_id_get_account_info_post_proc_step(req); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_id_get_account_info_post_proc_step failed.\n"); + goto fail; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static void ipa_id_get_user_list_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = ipa_resolve_user_list_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "IPA resolve user list %d\n", 
ret); + goto fail; + } + + if (state->res != NULL && ++state->res_index < state->res->count) { + state->obj_msg = state->res->msgs[state->res_index]; + ret = ipa_id_get_account_info_post_proc_step(req); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_id_get_account_info_post_proc_step failed.\n"); + goto fail; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static void ipa_id_get_user_groups_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = ipa_initgr_get_overrides_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "IPA resolve user groups %d\n", ret); + goto fail; + } + + if (state->res != NULL && ++state->res_index < state->res->count) { + state->obj_msg = state->res->msgs[state->res_index]; + ret = ipa_id_get_account_info_post_proc_step(req); + if (ret == EAGAIN) { + return; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_id_get_account_info_post_proc_step failed.\n"); + goto fail; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static int ipa_id_get_account_info_recv(struct tevent_req *req, int *dp_error) +{ + struct ipa_id_get_account_info_state *state = tevent_req_data(req, + struct ipa_id_get_account_info_state); + + if (dp_error) { + *dp_error = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +/* Request for netgroups + * - first start here and then go to ipa_netgroups.c + */ +struct ipa_id_get_netgroup_state { + struct tevent_context *ev; + struct ipa_id_ctx *ctx; + struct 
sdap_id_op *op; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + + const char *name; + int timeout; + + char *filter; + const char **attrs; + + size_t count; + struct sysdb_attrs **netgroups; + + int dp_error; +}; + +static void ipa_id_get_netgroup_connected(struct tevent_req *subreq); +static void ipa_id_get_netgroup_done(struct tevent_req *subreq); + +static struct tevent_req *ipa_id_get_netgroup_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + const char *name) +{ + struct tevent_req *req; + struct ipa_id_get_netgroup_state *state; + struct tevent_req *subreq; + struct sdap_id_ctx *ctx; + char *clean_name; + int ret; + + ctx = ipa_ctx->sdap_id_ctx; + + req = tevent_req_create(memctx, &state, struct ipa_id_get_netgroup_state); + if (!req) return NULL; + + state->ev = ev; + state->ctx = ipa_ctx; + state->dp_error = DP_ERR_FATAL; + + state->op = sdap_id_op_create(state, ctx->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto fail; + } + + state->sysdb = ctx->be->domain->sysdb; + state->domain = ctx->be->domain; + state->name = name; + state->timeout = dp_opt_get_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT); + + ret = sss_filter_sanitize(state, name, &clean_name); + if (ret != EOK) { + goto fail; + } + + state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", + ctx->opts->netgroup_map[IPA_AT_NETGROUP_NAME].name, + clean_name, + ctx->opts->netgroup_map[IPA_OC_NETGROUP].name); + if (!state->filter) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n"); + ret = ENOMEM; + goto fail; + } + talloc_zfree(clean_name); + + ret = build_attrs_from_map(state, ctx->opts->netgroup_map, + IPA_OPTS_NETGROUP, NULL, + &state->attrs, NULL); + if (ret != EOK) goto fail; + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + goto fail; + } + tevent_req_set_callback(subreq, ipa_id_get_netgroup_connected, req); + + return req; + 
+fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ipa_id_get_netgroup_connected(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ipa_id_get_netgroup_state *state = + tevent_req_data(req, struct ipa_id_get_netgroup_state); + int dp_error = DP_ERR_FATAL; + int ret; + struct sdap_id_ctx *sdap_ctx = state->ctx->sdap_id_ctx; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + subreq = ipa_get_netgroups_send(state, state->ev, state->sysdb, + state->domain, sdap_ctx->opts, + state->ctx->ipa_options, + sdap_id_op_handle(state->op), + state->attrs, state->filter, + state->timeout); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ipa_id_get_netgroup_done, req); + + return; +} + +static void ipa_id_get_netgroup_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct ipa_id_get_netgroup_state *state = + tevent_req_data(req, struct ipa_id_get_netgroup_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = ipa_get_netgroups_recv(subreq, state, + &state->count, &state->netgroups); + talloc_zfree(subreq); + ret = sdap_id_op_done(state->op, ret, &dp_error); + + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + tevent_req_error(req, ret); + return; + } + tevent_req_set_callback(subreq, ipa_id_get_netgroup_connected, req); + return; + } + + if (ret && ret != ENOENT) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + if (ret == EOK && state->count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Found more than one netgroup with the name [%s].\n", + state->name); + tevent_req_error(req, EINVAL); + return; + } + + if 
(ret == ENOENT) { + ret = sysdb_delete_netgroup(state->domain, state->name); + if (ret != EOK && ret != ENOENT) { + tevent_req_error(req, ret); + return; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; +} + +static int ipa_id_get_netgroup_recv(struct tevent_req *req, int *dp_error) +{ + struct ipa_id_get_netgroup_state *state = + tevent_req_data(req, struct ipa_id_get_netgroup_state); + + if (dp_error) { + *dp_error = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +enum ipa_account_info_type { + IPA_ACCOUNT_INFO_SUBDOMAIN, + IPA_ACCOUNT_INFO_NETGROUP, + IPA_ACCOUNT_INFO_OTHER +}; + +static enum ipa_account_info_type +ipa_decide_account_info_type(struct dp_id_data *data, struct be_ctx *be_ctx) +{ + if (strcasecmp(data->domain, be_ctx->domain->name) != 0) { + return IPA_ACCOUNT_INFO_SUBDOMAIN; + } else if ((data->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_NETGROUP) { + return IPA_ACCOUNT_INFO_NETGROUP; + } + + return IPA_ACCOUNT_INFO_OTHER; +} + +struct ipa_account_info_handler_state { + enum ipa_account_info_type type; + struct dp_reply_std reply; +}; + +static void ipa_account_info_handler_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_account_info_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_id_ctx *id_ctx, + struct dp_id_data *data, + struct dp_req_params *params) +{ + struct ipa_account_info_handler_state *state; + struct tevent_req *subreq = NULL; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_account_info_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->type = ipa_decide_account_info_type(data, params->be_ctx); + + if (sdap_is_enum_request(data)) { + DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n"); + ret = EOK; + goto immediately; + } + + switch (state->type) { + case IPA_ACCOUNT_INFO_SUBDOMAIN: + /* Subdomain lookups are handled differently on 
server and client. */ + subreq = ipa_subdomain_account_send(state, params->ev, id_ctx, data); + break; + case IPA_ACCOUNT_INFO_NETGROUP: + if (data->filter_type != BE_FILTER_NAME) { + ret = EINVAL; + goto immediately; + } + + subreq = ipa_id_get_netgroup_send(state, params->ev, id_ctx, + data->filter_value); + break; + case IPA_ACCOUNT_INFO_OTHER: + subreq = ipa_id_get_account_info_send(state, params->ev, id_ctx, data); + break; + } + + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_account_info_handler_done, req); + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ipa_account_info_handler_done(struct tevent_req *subreq) +{ + struct ipa_account_info_handler_state *state; + struct tevent_req *req; + int dp_error; + errno_t ret = ERR_INTERNAL; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_account_info_handler_state); + + switch (state->type) { + case IPA_ACCOUNT_INFO_SUBDOMAIN: + ret = ipa_subdomain_account_recv(subreq, &dp_error); + break; + case IPA_ACCOUNT_INFO_NETGROUP: + ret = ipa_id_get_netgroup_recv(subreq, &dp_error); + break; + case IPA_ACCOUNT_INFO_OTHER: + ret = ipa_id_get_account_info_recv(subreq, &dp_error); + break; + } + talloc_zfree(subreq); + + /* TODO For backward compatibility we always return EOK to DP now. */ + dp_reply_std_set(&state->reply, dp_error, ret, NULL); + tevent_req_done(req); +} + +errno_t ipa_account_info_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct ipa_account_info_handler_state *state = NULL; + + state = tevent_req_data(req, struct ipa_account_info_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} 
diff --git a/src/providers/ipa/ipa_id.h b/src/providers/ipa/ipa_id.h
new file mode 100644
index 0000000..4b25498
--- /dev/null
+++ b/src/providers/ipa/ipa_id.h
@@ -0,0 +1,146 @@
+/*
+ SSSD
+
+ IPA Identity Backend Module
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+
+#ifndef _IPA_ID_H_
+#define _IPA_ID_H_
+
+#include "providers/ldap/ldap_common.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ipa/ipa_subdomains.h"
+
+#define IPA_DEFAULT_VIEW_NAME "Default Trust View"
+
+struct tevent_req *
+ipa_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params);
+
+errno_t ipa_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ struct ipa_options *ipa_options,
+ struct sdap_handle *sh,
+ const char **attrs,
+ const char *filter,
+ int timeout);
+
+int ipa_get_netgroups_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sysdb_attrs ***reply);
+
+struct tevent_req *ipa_s2n_get_acct_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs *override_attrs,
+ struct sdap_handle *sh,
+ int entry_type,
+ struct req_input *req_input);
+int ipa_s2n_get_acct_info_recv(struct tevent_req *req);
+
+struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sysdb_attrs *override_attrs,
+ struct dp_id_data *ar);
+int ipa_get_subdom_acct_recv(struct tevent_req *req, int *dp_error_out);
+
+errno_t get_dp_id_data_for_sid(TALLOC_CTX *mem_ctx, const char *sid,
+ const char *domain_name,
+ struct dp_id_data **_ar);
+
+errno_t get_dp_id_data_for_uuid(TALLOC_CTX *mem_ctx, const char *uuid,
+ const char *domain_name,
+ struct dp_id_data **_ar);
+
+errno_t get_dp_id_data_for_user_name(TALLOC_CTX *mem_ctx,
+ const char *user_name,
+ const char *domain_name,
+ struct dp_id_data **_ar);
+
+struct tevent_req *ipa_get_ad_override_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *sdap_id_ctx,
+ struct ipa_options *ipa_options,
+ const char *ipa_realm,
+ const char *view_name,
+ struct dp_id_data *ar);
+
+errno_t ipa_get_ad_override_recv(struct tevent_req *req, int *dp_error_out,
+ TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs **override_attrs);
+
+struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct dp_id_data *ar);
+
+errno_t ipa_subdomain_account_recv(struct tevent_req *req, int *dp_error_out);
+
+errno_t split_ipa_anchor(TALLOC_CTX *mem_ctx, const char *anchor,
+ char **_anchor_domain, char **_ipa_uuid);
+
+errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ struct dp_id_data *ar,
+ struct ldb_message **_msg);
+
+struct tevent_req *
+ipa_initgr_get_overrides_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *user_dom,
+ size_t groups_count,
+ struct ldb_message **groups,
+ const char *groups_id_attr);
+int ipa_initgr_get_overrides_recv(struct tevent_req *req, int *dp_error);
+
+struct tevent_req *ipa_get_subdom_acct_process_pac_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *dom,
+ struct ldb_message *user_msg);
+
+errno_t ipa_get_subdom_acct_process_pac_recv(struct tevent_req *req);
+
+struct tevent_req *
+ipa_resolve_user_list_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ const char *domain_name,
+ struct ldb_message_element *users);
+int ipa_resolve_user_list_recv(struct tevent_req *req, int *dp_error);
+
+#endif
diff --git a/src/providers/ipa/ipa_idmap.c b/src/providers/ipa/ipa_idmap.c
new file mode 100644
index 0000000..4e68310
--- /dev/null
+++ b/src/providers/ipa/ipa_idmap.c
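Review bot: None of the prototypes in ipa_id.h documents talloc ownership or the meaning of the out-parameters, which matters most for the `_recv` functions that take a `TALLOC_CTX *mem_ctx` next to an output pointer (`ipa_get_netgroups_recv`, `ipa_get_ad_override_recv`, `ipa_account_info_handler_recv`). A short comment above each would let callers reason about lifetime without opening the implementation, for example `/* On EOK *override_attrs is allocated on mem_ctx and owned by the caller. */`; that wording is presumed and needs checking against implementations that are not part of this hunk. For `ipa_account_info_handler_recv` the ipa_id.c code added by this same patch copies `state->reply` into `*data` by value and never uses `mem_ctx`, which the declaration could state outright.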
@@ -0,0 +1,345 @@ +/* + SSSD + + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include "util/util.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ipa/ipa_common.h" +#include "util/util_sss_idmap.h" + +static errno_t ipa_idmap_check_posix_child(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str, + size_t range_count, + struct range_info **range_list) +{ + bool has_algorithmic_mapping; + enum idmap_error_code err; + struct sss_domain_info *dom; + struct sss_domain_info *forest_root; + size_t c; + struct sss_idmap_range range; + struct range_info *r; + char *range_id; + TALLOC_CTX *tmp_ctx; + bool found = false; + int ret; + + err = sss_idmap_domain_has_algorithmic_mapping(idmap_ctx->map, dom_sid_str, + &has_algorithmic_mapping); + if (err == IDMAP_SUCCESS) { + DEBUG(SSSDBG_TRACE_ALL, + "Idmap of domain [%s] already known, nothing to do.\n", + dom_sid_str); + return EOK; + } else { + err = sss_idmap_domain_by_name_has_algorithmic_mapping(idmap_ctx->map, + dom_name, + &has_algorithmic_mapping); + if (err == IDMAP_SUCCESS) { + DEBUG(SSSDBG_TRACE_ALL, + "Idmap of domain [%s] already known, nothing to do.\n", + dom_sid_str); + return EOK; + } + } + DEBUG(SSSDBG_TRACE_ALL, "Trying to add idmap for domain [%s].\n", + dom_sid_str); + + if (err != IDMAP_SID_UNKNOWN && err != IDMAP_NAME_UNKNOWN) { + 
DEBUG(SSSDBG_OP_FAILURE, + "sss_idmap_domain_has_algorithmic_mapping failed.\n"); + return EINVAL; + } + + dom = find_domain_by_sid(idmap_ctx->id_ctx->be->domain, dom_sid_str); + if (dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "find_domain_by_sid failed with SID [%s].\n", dom_sid_str); + return EINVAL; + } + + if (dom->forest == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No forest available for domain [%s].\n", + dom_sid_str); + return EINVAL; + } + + forest_root = find_domain_by_name(idmap_ctx->id_ctx->be->domain, + dom->forest, true); + if (forest_root == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "find_domain_by_name failed to find forest root [%s].\n", + dom->forest); + return ENOENT; + } + + if (forest_root->domain_id == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Forest root [%s] does not have a SID.\n", + dom->forest); + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + for (c = 0; c < range_count; c++) { + r = range_list[c]; + if (r->trusted_dom_sid != NULL + && strcmp(r->trusted_dom_sid, forest_root->domain_id) == 0) { + + if (r->range_type == NULL + || strcmp(r->range_type, IPA_RANGE_AD_TRUST_POSIX) != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Forest root does not have range type [%s].\n", + IPA_RANGE_AD_TRUST_POSIX); + ret = EINVAL; + goto done; + } + + range.min = r->base_id; + range.max = r->base_id + r->id_range_size -1; + range_id = talloc_asprintf(tmp_ctx, "%s-%s", dom_sid_str, r->name); + if (range_id == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + err = sss_idmap_add_domain_ex(idmap_ctx->map, dom_name, dom_sid_str, + &range, range_id, 0, true); + if (err != IDMAP_SUCCESS && err != IDMAP_COLLISION) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add range [%s] to ID map\n", range_id); + ret = EIO; + goto done; + } + + found = true; + } + } + + if (!found) { + DEBUG(SSSDBG_MINOR_FAILURE, "No idrange found for 
forest root [%s].\n", + forest_root->domain_id); + ret = ENOENT; + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +errno_t get_idmap_data_from_range(struct range_info *r, char *domain_name, + char **_name, char **_sid, uint32_t *_rid, + struct sss_idmap_range *_range, + bool *_external_mapping) +{ + if (r->range_type == NULL) { + /* Older IPA servers might not have the range_type attribute, but + * only support local ranges and trusts with algorithmic mapping. */ + + if (r->trusted_dom_sid == NULL && r->secondary_base_rid != 0) { + /* local IPA domain */ + *_rid = 0; + *_external_mapping = true; + *_name = domain_name; + *_sid = NULL; + } else if (r->trusted_dom_sid != NULL + && r->secondary_base_rid == 0) { + /* trusted domain */ + *_rid = r->base_rid; + *_external_mapping = false; + *_name = r->trusted_dom_sid; + *_sid = r->trusted_dom_sid; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot determine range type, " \ + "for id range [%s].\n", + r->name); + return EINVAL; + } + } else { + if (strcmp(r->range_type, IPA_RANGE_LOCAL) == 0) { + *_rid = 0; + *_external_mapping = true; + *_name = domain_name; + *_sid = NULL; + } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST_POSIX) == 0) { + *_rid = 0; + *_external_mapping = true; + *_name = r->trusted_dom_sid; + *_sid = r->trusted_dom_sid; + } else if (strcmp(r->range_type, IPA_RANGE_AD_TRUST) == 0) { + *_rid = r->base_rid; + *_external_mapping = false; + *_name = r->trusted_dom_sid; + *_sid = r->trusted_dom_sid; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Range type [%s] of id range " \ + "[%s] not supported.\n", \ + r->range_type, r->name); + return EINVAL; + } + } + + _range->min = r->base_id; + _range->max = r->base_id + r->id_range_size -1; + + return EOK; +} + +errno_t ipa_idmap_get_ranges_from_sysdb(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str, + bool allow_collisions) +{ + int ret; + size_t range_count; + struct range_info **range_list; + 
TALLOC_CTX *tmp_ctx; + size_t c; + enum idmap_error_code err; + struct sss_idmap_range range; + uint32_t rid; + bool external_mapping; + char *name; + char *sid; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + ret = sysdb_get_ranges(tmp_ctx, idmap_ctx->id_ctx->be->domain->sysdb, + &range_count, &range_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_ranges failed.\n"); + goto done; + } + + for (c = 0; c < range_count; c++) { + ret = get_idmap_data_from_range(range_list[c], + idmap_ctx->id_ctx->be->domain->name, + &name, &sid, &rid, &range, + &external_mapping); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_idmap_data_from_range failed for " \ + "id range [%s], skipping.\n", + range_list[c]->name); + continue; + } + + err = sss_idmap_add_domain_ex(idmap_ctx->map, name, sid, &range, + range_list[c]->name, rid, + external_mapping); + if (err != IDMAP_SUCCESS) { + if (!allow_collisions || err != IDMAP_COLLISION) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not add range [%s] to ID map\n", + range_list[c]->name); + ret = EIO; + goto done; + } + } + } + + if (dom_name != NULL || dom_sid_str != NULL) { + ret = ipa_idmap_check_posix_child(idmap_ctx, dom_name, dom_sid_str, + range_count, range_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_idmap_check_posix_child failed.\n"); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +errno_t ipa_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str) +{ + return ipa_idmap_get_ranges_from_sysdb(idmap_ctx, dom_name, dom_sid_str, + true); +} + +errno_t ipa_idmap_init(TALLOC_CTX *mem_ctx, + struct sdap_id_ctx *id_ctx, + struct sdap_idmap_ctx **_idmap_ctx) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + enum idmap_error_code err; + struct sdap_idmap_ctx *idmap_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + 
idmap_ctx = talloc_zero(tmp_ctx, struct sdap_idmap_ctx); + if (!idmap_ctx) { + ret = ENOMEM; + goto done; + } + idmap_ctx->id_ctx = id_ctx; + idmap_ctx->find_new_domain = ipa_idmap_find_new_domain; + + /* Initialize the map */ + err = sss_idmap_init(sss_idmap_talloc, idmap_ctx, + sss_idmap_talloc_free, + &idmap_ctx->map); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize the ID map: [%s]\n", + idmap_error_string(err)); + if (err == IDMAP_OUT_OF_MEMORY) { + ret = ENOMEM; + } else { + ret = EINVAL; + } + goto done; + } + + ret = ipa_idmap_get_ranges_from_sysdb(idmap_ctx, NULL, NULL, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_idmap_get_ranges_from_sysdb failed.\n"); + goto done; + } + + *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/providers/ipa/ipa_init.c b/src/providers/ipa/ipa_init.c new file mode 100644 index 0000000..6818e21 --- /dev/null +++ b/src/providers/ipa/ipa_init.c 
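Review bot: `range.max = r->base_id + r->id_range_size -1;` in `ipa_idmap_check_posix_child`, and the same expression assigned to `_range->max` in `get_idmap_data_from_range`, derive the upper bound from cached range data without validating it. An `id_range_size` of 0 gives a max below min, and a large base or size can wrap if these fields are 32-bit unsigned (their declaration is outside this hunk). Because the resulting range decides which UIDs and GIDs are attributed to a domain, a guard before the assignment such as `if (r->id_range_size == 0 || r->base_id > UINT32_MAX - (r->id_range_size - 1)) { return EINVAL; }` would reject a malformed range here instead of relying on `sss_idmap_add_domain_ex` to catch it. In `ipa_idmap_check_posix_child` the rejection has to be `ret = EINVAL; goto done;` so that `tmp_ctx` is still freed.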
@@ -0,0 +1,950 @@ +/* + SSSD + + IPA Provider Initialization functions + + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/child_common.h" +#include "providers/ipa/ipa_common.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_init_shared.h" +#include "providers/ipa/ipa_id.h" +#include "providers/ipa/ipa_auth.h" +#include "providers/ipa/ipa_access.h" +#include "providers/ipa/ipa_dyndns.h" +#include "providers/ipa/ipa_selinux.h" +#include "providers/ldap/sdap_access.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ipa/ipa_subdomains.h" +#include "providers/ipa/ipa_srv.h" +#include "providers/be_dyndns.h" +#include "providers/ipa/ipa_session.h" + +#define DNS_SRV_MISCONFIGURATION "SRV discovery is enabled on the IPA " \ + "server while using custom dns_discovery_domain. DNS discovery of " \ + "trusted AD domain will likely fail. 
It is recommended not to use " \ + "SRV discovery or the dns_discovery_domain option for the IPA " \ + "domain while running on the server itself\n" + +#define PREAUTH_INDICATOR_ERROR "Failed to create preauth indicator file, " \ + "special password prompting might not be available.\n" + +struct ipa_init_ctx { + struct ipa_options *options; + struct ipa_id_ctx *id_ctx; + struct ipa_auth_ctx *auth_ctx; +}; + + +struct krb5_ctx *ipa_init_get_krb5_auth_ctx(void *data) +{ + struct ipa_init_ctx *ipa_init_ctx; + + ipa_init_ctx = talloc_get_type(data, struct ipa_init_ctx); + if (ipa_init_ctx == NULL || ipa_init_ctx->auth_ctx == NULL) { + return NULL; + } + + return ipa_init_ctx->auth_ctx->krb5_auth_ctx; +} + +static bool srv_in_server_list(const char *servers) +{ + TALLOC_CTX *tmp_ctx; + char **list = NULL; + int ret = 0; + bool has_srv = false; + + if (servers == NULL) return true; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return false; + } + + /* split server parm into a list */ + ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n"); + goto done; + } + + for (int i = 0; list[i]; i++) { + has_srv = be_fo_is_srv_identifier(list[i]); + if (has_srv == true) { + break; + } + } + +done: + talloc_free(tmp_ctx); + return has_srv; +} + +static errno_t ipa_init_options(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_options **_ipa_options) +{ + struct ipa_options *ipa_options; + const char *ipa_servers; + const char *ipa_backup_servers; + errno_t ret; + + ret = ipa_get_options(mem_ctx, be_ctx->cdb, be_ctx->conf_path, + be_ctx->domain, &ipa_options); + if (ret != EOK) { + return ret; + } + + ipa_servers = dp_opt_get_string(ipa_options->basic, IPA_SERVER); + ipa_backup_servers = dp_opt_get_string(ipa_options->basic, IPA_BACKUP_SERVER); + + ret = ipa_service_init(ipa_options, be_ctx, ipa_servers, + ipa_backup_servers, ipa_options, + &ipa_options->service); + 
if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init IPA service [%d]: %s\n", + ret, sss_strerror(ret)); + talloc_free(ipa_options); + return ret; + } + + *_ipa_options = ipa_options; + return EOK; +} + +static errno_t ipa_init_id_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_options *ipa_options, + struct ipa_id_ctx **_ipa_id_ctx) +{ + struct ipa_id_ctx *ipa_id_ctx = NULL; + struct sdap_id_ctx *sdap_id_ctx = NULL; + errno_t ret; + + ipa_id_ctx = talloc_zero(mem_ctx, struct ipa_id_ctx); + if (ipa_id_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + sdap_id_ctx = sdap_id_ctx_new(mem_ctx, be_ctx, ipa_options->service->sdap); + if (sdap_id_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ipa_id_ctx->ipa_options = ipa_options; + ipa_id_ctx->sdap_id_ctx = sdap_id_ctx; + ipa_options->id_ctx = ipa_id_ctx; + + ret = ipa_get_id_options(ipa_options, + be_ctx->cdb, + be_ctx->conf_path, + be_ctx->provider, + &sdap_id_ctx->opts); + if (ret != EOK) { + goto done; + } + + *_ipa_id_ctx = ipa_id_ctx; + + ret = EOK; + +done: + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init id context [%d]: %s\n", + ret, sss_strerror(ret)); + + talloc_free(ipa_id_ctx); + talloc_free(sdap_id_ctx); + } + + return ret; +} + + +static errno_t ipa_init_dyndns(struct be_ctx *be_ctx, + struct ipa_options *ipa_options) +{ + bool enabled; + errno_t ret; + + ret = ipa_get_dyndns_options(be_ctx, ipa_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get dyndns options [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + enabled = dp_opt_get_bool(ipa_options->dyndns_ctx->opts, + DP_OPT_DYNDNS_UPDATE); + if (!enabled) { + DEBUG(SSSDBG_CONF_SETTINGS, "Dynamic DNS updates are off.\n"); + return EOK; + } + + /* Perform automatic DNS updates when the IP address changes. + * Register a callback for successful LDAP reconnections. + * This is the easiest way to identify that we have gone online. 
+ */
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Dynamic DNS updates are on. Checking for nsupdate...\n");
+
+ ret = be_nsupdate_check();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "nsupdate is not availabe, "
+ "dynamic DNS updates will not work\n");
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "nsupdate is available\n");
+
+ ret = ipa_dyndns_init(be_ctx, ipa_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failure setting up automatic DNS update\n");
+ /* We will continue without DNS updating */
+ }
+
+ return EOK;
+}
+
+static errno_t ipa_init_server_mode(struct be_ctx *be_ctx,
+ struct ipa_options *ipa_options,
+ struct ipa_id_ctx *ipa_id_ctx)
+{
+ const char *ipa_servers;
+ const char *dnsdomain;
+ const char *hostname;
+ bool sites_enabled;
+ errno_t ret;
+
+ ipa_id_ctx->view_name = talloc_strdup(ipa_id_ctx, SYSDB_DEFAULT_VIEW_NAME);
+ if (ipa_id_ctx->view_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup() failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_update_view_name(be_ctx->domain->sysdb, ipa_id_ctx->view_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add/update view name to sysdb.\n");
+ return ret;
+ }
+
+ hostname = dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME);
+ ipa_servers = dp_opt_get_string(ipa_options->basic, IPA_SERVER);
+ sites_enabled = dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES);
+ dnsdomain = dp_opt_get_string(be_ctx->be_res->opts, DP_RES_OPT_DNS_DOMAIN);
+
+ if (srv_in_server_list(ipa_servers) || sites_enabled) {
+ DEBUG(SSSDBG_IMPORTANT_INFO, "SSSD configuration uses either DNS "
+ "SRV resolution or IPA site discovery to locate IPA servers. "
+ "On IPA server itself, it is recommended that SSSD is "
+ "configured to only connect to the IPA server it's running at. ");
+
+ /* If SRV discovery is enabled on the server and
+ * dns_discovery_domain is set explicitly, then
+ * the current failover code would use the dns_discovery
+ * domain to try to find AD servers and fail.
+ */ + if (dnsdomain != NULL) { + sss_log(SSS_LOG_ERR, DNS_SRV_MISCONFIGURATION); + DEBUG(SSSDBG_CRIT_FAILURE, DNS_SRV_MISCONFIGURATION); + } + + ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, hostname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + return EOK; + } else { + /* In server mode we need to ignore the dns_discovery_domain if set + * and only discover servers based on AD domains. */ + ret = dp_opt_set_string(be_ctx->be_res->opts, DP_RES_OPT_DNS_DOMAIN, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not reset the " + "dns_discovery_domain, trusted AD domains discovery " + "might fail. Please remove dns_discovery_domain " + "from the config file and restart the SSSD\n"); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "The value of dns_discovery_domain " + "will be ignored in ipa_server_mode\n"); + } + } + + return EOK; +} + +static errno_t ipa_init_client_mode(struct be_ctx *be_ctx, + struct ipa_options *ipa_options, + struct ipa_id_ctx *ipa_id_ctx) +{ + struct ipa_srv_plugin_ctx *srv_ctx; + const char *ipa_domain; + const char *hostname; + bool sites_enabled; + errno_t ret; + + ret = sysdb_get_view_name(ipa_id_ctx, be_ctx->domain->sysdb, + &ipa_id_ctx->view_name); + if (ret == ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find view name in the cache. 
" + "Will do online lookup later.\n"); + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name() failed [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + hostname = dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME); + sites_enabled = dp_opt_get_bool(ipa_options->basic, IPA_ENABLE_DNS_SITES); + + if (sites_enabled) { + /* use IPA plugin */ + ipa_domain = dp_opt_get_string(ipa_options->basic, IPA_DOMAIN); + srv_ctx = ipa_srv_plugin_ctx_init(be_ctx, be_ctx->be_res->resolv, + hostname, ipa_domain); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; + } + + be_fo_set_srv_lookup_plugin(be_ctx, ipa_srv_plugin_send, + ipa_srv_plugin_recv, srv_ctx, "IPA"); + } else { + /* fall back to standard plugin on clients. */ + ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, hostname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin " + "[%d]: %s\n", ret, strerror(ret)); + return ret; + } + } + + return EOK; +} + +static errno_t ipa_init_ipa_auth_ctx(TALLOC_CTX *mem_ctx, + struct ipa_options *ipa_options, + struct ipa_id_ctx *ipa_id_ctx, + struct ipa_auth_ctx **_ipa_auth_ctx) +{ + struct ipa_auth_ctx *ipa_auth_ctx; + errno_t ret; + + ipa_auth_ctx = talloc_zero(mem_ctx, struct ipa_auth_ctx); + if (ipa_auth_ctx == NULL) { + return ENOMEM; + } + + ipa_auth_ctx->sdap_id_ctx = ipa_id_ctx->sdap_id_ctx; + + ret = dp_copy_options(ipa_auth_ctx, ipa_options->basic, + IPA_OPTS_BASIC, &ipa_auth_ctx->ipa_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_copy_options failed.\n"); + talloc_free(ipa_auth_ctx); + return ret; + } + + *_ipa_auth_ctx = ipa_auth_ctx; + + return EOK; +} + +static errno_t ipa_init_krb5_auth_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_options *ipa_options, + struct krb5_ctx **_krb5_auth_ctx) +{ + struct krb5_ctx *krb5_auth_ctx; + bool server_mode; + errno_t ret; + + krb5_auth_ctx = talloc_zero(mem_ctx, struct krb5_ctx); + if 
(krb5_auth_ctx == NULL) { + return ENOMEM; + } + + krb5_auth_ctx->service = ipa_options->service->krb5_service; + + server_mode = dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE); + krb5_auth_ctx->config_type = server_mode ? K5C_IPA_SERVER : K5C_IPA_CLIENT; + + ret = ipa_get_auth_options(ipa_options, be_ctx->cdb, be_ctx->conf_path, + &krb5_auth_ctx->opts); + if (ret != EOK) { + talloc_free(krb5_auth_ctx); + return ret; + } + + *_krb5_auth_ctx = krb5_auth_ctx; + return EOK; +} + +static errno_t ipa_init_sdap_auth_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_options *ipa_options, + struct sdap_auth_ctx **_sdap_auth_ctx) +{ + struct sdap_auth_ctx *sdap_auth_ctx; + + sdap_auth_ctx = talloc_zero(mem_ctx, struct sdap_auth_ctx); + if (sdap_auth_ctx == NULL) { + return ENOMEM; + } + + sdap_auth_ctx->be = be_ctx; + sdap_auth_ctx->service = ipa_options->service->sdap; + + if (ipa_options->id == NULL) { + talloc_free(sdap_auth_ctx); + return EINVAL; + } + + sdap_auth_ctx->opts = ipa_options->id; + + *_sdap_auth_ctx = sdap_auth_ctx; + + return EOK; +} + +static struct sdap_ext_member_ctx * +ipa_create_ext_members_ctx(TALLOC_CTX *mem_ctx, + struct ipa_id_ctx *id_ctx) +{ + struct sdap_ext_member_ctx *ext_ctx = NULL; + + ext_ctx = talloc_zero(mem_ctx, struct sdap_ext_member_ctx); + if (ext_ctx == NULL) { + return NULL; + } + + ext_ctx->pvt = id_ctx; + ext_ctx->ext_member_resolve_send = ipa_ext_group_member_send; + ext_ctx->ext_member_resolve_recv = ipa_ext_group_member_recv; + + return ext_ctx; +} + +static errno_t ipa_init_auth_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_options *ipa_options, + struct ipa_id_ctx *id_ctx, + struct ipa_auth_ctx **_auth_ctx) +{ + struct sdap_auth_ctx *sdap_auth_ctx; + struct ipa_auth_ctx *ipa_auth_ctx; + struct krb5_ctx *krb5_auth_ctx; + errno_t ret; + + ret = ipa_init_ipa_auth_ctx(mem_ctx, ipa_options, id_ctx, &ipa_auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init IPA auth 
context\n"); + return ret; + } + + ipa_options->auth_ctx = ipa_auth_ctx; + + ret = ipa_init_krb5_auth_ctx(ipa_auth_ctx, be_ctx, ipa_options, + &krb5_auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init KRB5 auth context\n"); + goto done; + } + ipa_options->auth_ctx->krb5_auth_ctx = krb5_auth_ctx; + + ret = ipa_init_sdap_auth_ctx(ipa_auth_ctx, be_ctx, ipa_options, + &sdap_auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init SDAP auth context\n"); + goto done; + } + ipa_options->auth_ctx->sdap_auth_ctx = sdap_auth_ctx; + + ret = setup_tls_config(sdap_auth_ctx->opts->basic); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "setup_tls_config failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Initialize features needed by the krb5_child */ + ret = krb5_child_init(krb5_auth_ctx, be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child " + "settings [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = create_preauth_indicator(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, PREAUTH_INDICATOR_ERROR); + sss_log(SSSDBG_CRIT_FAILURE, PREAUTH_INDICATOR_ERROR); + } + + *_auth_ctx = ipa_auth_ctx; + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(ipa_auth_ctx); + } + + return ret; +} + +static bool ipa_check_fqdn(const char *str) +{ + return strchr(str, '.'); +} + +static errno_t ipa_init_misc(struct be_ctx *be_ctx, + struct ipa_options *ipa_options, + struct ipa_id_ctx *ipa_id_ctx, + struct sdap_id_ctx *sdap_id_ctx) +{ + errno_t ret; + + if (!ipa_check_fqdn(dp_opt_get_string(ipa_options->basic, + IPA_HOSTNAME))) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_hostname is not Fully Qualified Domain Name.\n"); + } + + ret = ipa_init_dyndns(be_ctx, ipa_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init dyndns [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = setup_tls_config(sdap_id_ctx->opts->basic); + if (ret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = ipa_idmap_init(sdap_id_ctx, sdap_id_ctx, + &sdap_id_ctx->opts->idmap_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not initialize ID mapping. In case ID mapping properties " + "changed on the server, please remove the SSSD database\n"); + return ret; + } + + ret = ldap_id_setup_tasks(sdap_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + ret = sdap_setup_child(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + if (dp_opt_get_bool(ipa_options->basic, IPA_SERVER_MODE)) { + ret = ipa_init_server_mode(be_ctx, ipa_options, ipa_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init server mode " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + } else { + ret = ipa_init_client_mode(be_ctx, ipa_options, ipa_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init client mode " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + } + + ret = sdap_refresh_init(be_ctx->refresh_ctx, sdap_id_ctx); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh " + "will not work [%d]: %s\n", ret, sss_strerror(ret)); + } + + ipa_id_ctx->sdap_id_ctx->opts->ext_ctx = ipa_create_ext_members_ctx( + ipa_id_ctx->sdap_id_ctx->opts, ipa_id_ctx); + if (ipa_id_ctx->sdap_id_ctx->opts->ext_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set the extrernal group ctx\n"); + return ENOMEM; + } + + ret = sdap_init_certmap(sdap_id_ctx, sdap_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to initialized certificate mapping.\n"); + return ret; + } + + return EOK; +} + +errno_t sssm_ipa_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider 
*provider, + const char *module_name, + void **_module_data) +{ + struct ipa_init_ctx *init_ctx; + errno_t ret; + + init_ctx = talloc_zero(mem_ctx, struct ipa_init_ctx); + if (init_ctx == NULL) { + return ENOMEM; + } + + /* Always initialize options since it is needed everywhere. */ + ret = ipa_init_options(init_ctx, be_ctx, &init_ctx->options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init IPA options " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Always initialize id_ctx since it is needed everywhere. */ + ret = ipa_init_id_ctx(init_ctx, be_ctx, init_ctx->options, + &init_ctx->id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init IPA ID context " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Setup miscellaneous things. */ + ret = ipa_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx, + init_ctx->id_ctx->sdap_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init IPA module " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Initialize auth_ctx only if one of the target is enabled. 
*/ + if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) { + ret = ipa_init_auth_ctx(init_ctx, be_ctx, init_ctx->options, + init_ctx->id_ctx, &init_ctx->auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init IPA auth context " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + } + + *_module_data = init_ctx; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(init_ctx); + } + + return ret; +} + +errno_t sssm_ipa_id_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ipa_init_ctx *init_ctx; + struct ipa_id_ctx *id_ctx; + + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + id_ctx = init_ctx->id_ctx; + + dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER, + ipa_account_info_handler_send, ipa_account_info_handler_recv, id_ctx, + struct ipa_id_ctx, struct dp_id_data, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_CHECK_ONLINE, + sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx->sdap_id_ctx, + struct sdap_id_ctx, void, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER, + default_account_domain_send, default_account_domain_recv, NULL, + void, struct dp_get_acct_domain_data, struct dp_reply_std); + + return EOK; +} + +errno_t sssm_ipa_auth_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ipa_init_ctx *init_ctx; + struct ipa_auth_ctx *auth_ctx; + + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + auth_ctx = init_ctx->auth_ctx; + + dp_set_method(dp_methods, DPM_AUTH_HANDLER, + ipa_pam_auth_handler_send, ipa_pam_auth_handler_recv, auth_ctx, + struct ipa_auth_ctx, struct pam_data, struct pam_data *); + + return EOK; +} + +errno_t sssm_ipa_chpass_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + return sssm_ipa_auth_init(mem_ctx, be_ctx, module_data, 
dp_methods); +} + +errno_t sssm_ipa_access_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ipa_access_ctx *access_ctx; + struct ipa_init_ctx *init_ctx; + struct ipa_id_ctx *id_ctx; + errno_t ret; + + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + id_ctx = init_ctx->id_ctx; + + access_ctx = talloc_zero(mem_ctx, struct ipa_access_ctx); + if (access_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed.\n"); + return ENOMEM; + } + + access_ctx->sdap_ctx = id_ctx->sdap_id_ctx; + access_ctx->host_map = id_ctx->ipa_options->id->host_map; + access_ctx->hostgroup_map = id_ctx->ipa_options->hostgroup_map; + access_ctx->host_search_bases = id_ctx->ipa_options->id->sdom->host_search_bases; + access_ctx->hbac_search_bases = id_ctx->ipa_options->hbac_search_bases; + + ret = dp_copy_options(access_ctx, id_ctx->ipa_options->basic, + IPA_OPTS_BASIC, &access_ctx->ipa_options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_copy_options() failed.\n"); + goto done; + } + + /* Set up an sdap_access_ctx for checking expired/locked accounts. 
*/ + access_ctx->sdap_access_ctx = talloc_zero(access_ctx, struct sdap_access_ctx); + if (access_ctx->sdap_access_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + ret = ENOMEM; + goto done; + } + + access_ctx->sdap_access_ctx->id_ctx = access_ctx->sdap_ctx; + access_ctx->sdap_access_ctx->access_rule[0] = LDAP_ACCESS_EXPIRE; + access_ctx->sdap_access_ctx->access_rule[1] = LDAP_ACCESS_EMPTY; + + dp_set_method(dp_methods, DPM_ACCESS_HANDLER, + ipa_pam_access_handler_send, ipa_pam_access_handler_recv, access_ctx, + struct ipa_access_ctx, struct pam_data, struct pam_data *); + + dp_set_method(dp_methods, DPM_REFRESH_ACCESS_RULES, + ipa_refresh_access_rules_send, ipa_refresh_access_rules_recv, access_ctx, + struct ipa_access_ctx, void, void *); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(access_ctx); + } + + return ret; +} + +errno_t sssm_ipa_selinux_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#if defined HAVE_SELINUX + struct ipa_selinux_ctx *selinux_ctx; + struct ipa_init_ctx *init_ctx; + struct ipa_options *opts; + + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + opts = init_ctx->options; + + selinux_ctx = talloc_zero(mem_ctx, struct ipa_selinux_ctx); + if (selinux_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed.\n"); + return ENOMEM; + } + + selinux_ctx->id_ctx = init_ctx->id_ctx; + selinux_ctx->hbac_search_bases = opts->hbac_search_bases; + selinux_ctx->host_search_bases = opts->id->sdom->host_search_bases; + selinux_ctx->selinux_search_bases = opts->selinux_search_bases; + + dp_set_method(dp_methods, DPM_SELINUX_HANDLER, + ipa_selinux_handler_send, ipa_selinux_handler_recv, selinux_ctx, + struct ipa_selinux_ctx, struct pam_data, struct pam_data *); + + return EOK; +#else + DEBUG(SSSDBG_MINOR_FAILURE, "SELinux init handler called but SSSD is " + "built without SELinux support, ignoring\n"); + return EOK; +#endif +} + +errno_t 
sssm_ipa_hostid_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_SSH + struct ipa_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA host handler\n"); + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + + return ipa_hostid_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); + +#else + DEBUG(SSSDBG_MINOR_FAILURE, "HostID init handler called but SSSD is " + "built without SSH support, ignoring\n"); + return EOK; +#endif +} + +errno_t sssm_ipa_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_AUTOFS + struct ipa_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA autofs handler\n"); + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + + return ipa_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is " + "built without autofs support, ignoring\n"); + return EOK; +#endif +} + +errno_t sssm_ipa_subdomains_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ipa_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA subdomains handler\n"); + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + + return ipa_subdomains_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +} + +errno_t sssm_ipa_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_SUDO + struct ipa_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo handler\n"); + init_ctx = talloc_get_type(module_data, struct ipa_init_ctx); + + return ipa_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is " + "built without sudo support, ignoring\n"); + return EOK; 
+#endif
+}
+
+errno_t sssm_ipa_session_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ struct ipa_session_ctx *session_ctx;
+ struct ipa_init_ctx *init_ctx;
+ struct ipa_id_ctx *id_ctx;
+ errno_t ret;
+
+ init_ctx = talloc_get_type(module_data, struct ipa_init_ctx);
+ id_ctx = init_ctx->id_ctx;
+
+ session_ctx = talloc_zero(mem_ctx, struct ipa_session_ctx);
+ if (session_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed.\n");
+
+ return ENOMEM;
+ }
+
+ session_ctx->sdap_ctx = id_ctx->sdap_id_ctx;
+ session_ctx->host_map = id_ctx->ipa_options->id->host_map;
+ session_ctx->hostgroup_map = id_ctx->ipa_options->hostgroup_map;
+ session_ctx->host_search_bases = id_ctx->ipa_options->id->sdom->host_search_bases;
+ session_ctx->deskprofile_search_bases = id_ctx->ipa_options->deskprofile_search_bases;
+
+ ret = dp_copy_options(session_ctx, id_ctx->ipa_options->basic,
+ IPA_OPTS_BASIC, &session_ctx->ipa_options);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_copy_options() failed.\n");
+
+ goto done;
+ }
+
+ dp_set_method(dp_methods, DPM_SESSION_HANDLER,
+ ipa_pam_session_handler_send, ipa_pam_session_handler_recv, session_ctx,
+ struct ipa_session_ctx, struct pam_data, struct pam_data *);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(session_ctx);
+ }
+
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_netgroups.c b/src/providers/ipa/ipa_netgroups.c
new file mode 100644
index 0000000..05ebac7
--- /dev/null
+++ b/src/providers/ipa/ipa_netgroups.c
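Review bot: In ipa_init_auth_ctx (src/providers/ipa/ipa_init.c), the fallback after create_preauth_indicator() fails calls `sss_log(SSSDBG_CRIT_FAILURE, PREAUTH_INDICATOR_ERROR);`, passing a DEBUG level where the only other sss_log call in this file, in ipa_init_server_mode, passes `SSS_LOG_ERR`. The two constant families are not interchangeable, so the syslog entry probably goes out at an unintended priority, depending on how sss_log treats a value it does not recognise; that matters to anyone filtering or alerting on syslog severity. I would change the line to `sss_log(SSS_LOG_ERR, PREAUTH_INDICATOR_ERROR);` and leave the DEBUG call above it as it is.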
@@ -0,0 +1,1026 @@ +/* + SSSD + + Async IPA Helper routines for netgroups + + Authors: + Jan Zeleny + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ipa/ipa_id.h" +#include "db/sysdb.h" +#include + +#define ENTITY_NG 1 +#define ENTITY_USER 2 +#define ENTITY_HOST 4 + +struct ipa_get_netgroups_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct ipa_options *ipa_opts; + struct sdap_handle *sh; + struct sysdb_ctx *sysdb; + struct sss_domain_info *dom; + const char **attrs; + int timeout; + + char *filter; + const char *base_filter; + + size_t netgr_base_iter; + size_t host_base_iter; + size_t user_base_iter; + + /* Entities which have been already asked for + * and are scheduled for inspection */ + hash_table_t *new_netgroups; + hash_table_t *new_users; + hash_table_t *new_hosts; + + int current_entity; + int entities_found; + + struct sysdb_attrs **netgroups; + int netgroups_count; +}; + +static errno_t ipa_save_netgroup(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs *attrs) +{ + struct ldb_message_element *el; + struct sysdb_attrs *netgroup_attrs; + const char *name = NULL; + int ret; + size_t c; + + ret = sysdb_attrs_get_el(attrs, + opts->netgroup_map[IPA_AT_NETGROUP_NAME].sys_name, + &el); + if 
(ret) goto fail; + if (el->num_values == 0) { + ret = EINVAL; + goto fail; + } + name = (const char *)el->values[0].data; + DEBUG(SSSDBG_TRACE_INTERNAL, "Storing netgroup %s\n", name); + + netgroup_attrs = sysdb_new_attrs(mem_ctx); + if (!netgroup_attrs) { + ret = ENOMEM; + goto fail; + } + + ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); + if (ret) { + goto fail; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "Original DN is not available for [%s].\n", name); + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Adding original DN [%s] to attributes of [%s].\n", + el->values[0].data, name); + ret = sysdb_attrs_add_string(netgroup_attrs, SYSDB_ORIG_DN, + (const char *)el->values[0].data); + if (ret) { + goto fail; + } + } + + ret = sysdb_attrs_get_el(attrs, SYSDB_NETGROUP_TRIPLE, &el); + if (ret) { + goto fail; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_INTERNAL, "No netgroup triples for netgroup [%s].\n", name); + ret = sysdb_attrs_get_el(netgroup_attrs, SYSDB_NETGROUP_TRIPLE, &el); + if (ret != EOK) { + goto fail; + } + } else { + for(c = 0; c < el->num_values; c++) { + ret = sysdb_attrs_add_string_safe(netgroup_attrs, + SYSDB_NETGROUP_TRIPLE, + (const char*)el->values[c].data); + if (ret) { + goto fail; + } + } + } + + ret = sysdb_attrs_get_el(attrs, + opts->netgroup_map[IPA_AT_NETGROUP_MEMBER].sys_name, + &el); + if (ret != EOK) { + goto fail; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "No original members for netgroup [%s]\n", name); + + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Adding original members to netgroup [%s]\n", name); + for(c = 0; c < el->num_values; c++) { + ret = sysdb_attrs_add_string(netgroup_attrs, + opts->netgroup_map[IPA_AT_NETGROUP_MEMBER].sys_name, + (const char*)el->values[c].data); + if (ret) { + goto fail; + } + } + } + + + ret = sysdb_attrs_get_el(attrs, SYSDB_NETGROUP_MEMBER, &el); + if (ret != EOK) { + goto fail; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_LIBS, "No members for netgroup 
[%s]\n", name); + + } else { + DEBUG(SSSDBG_TRACE_LIBS, "Adding members to netgroup [%s]\n", name); + for(c = 0; c < el->num_values; c++) { + ret = sysdb_attrs_add_string(netgroup_attrs, SYSDB_NETGROUP_MEMBER, + (const char*)el->values[c].data); + if (ret) { + goto fail; + } + } + } + + DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name); + + ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, NULL, + dom->netgroup_timeout, 0); + if (ret) goto fail; + + return EOK; + +fail: + DEBUG(SSSDBG_OP_FAILURE, "Failed to save netgroup %s\n", name); + return ret; +} + +static errno_t ipa_netgr_next_base(struct tevent_req *req); +static void ipa_get_netgroups_process(struct tevent_req *subreq); +static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state); + +struct tevent_req *ipa_get_netgroups_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct ipa_options *ipa_options, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout) +{ + struct tevent_req *req; + struct ipa_get_netgroups_state *state; + int ret; + + req = tevent_req_create(memctx, &state, struct ipa_get_netgroups_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->ipa_opts = ipa_options; + state->sh = sh; + state->sysdb = sysdb; + state->attrs = attrs; + state->timeout = timeout; + state->base_filter = filter; + state->netgr_base_iter = 0; + state->dom = dom; + + if (!ipa_options->id->sdom->netgroup_search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Netgroup lookup request without a search base\n"); + ret = EINVAL; + goto done; + } + + ret = sss_hash_create(state, 32, &state->new_netgroups); + if (ret != EOK) goto done; + ret = sss_hash_create(state, 32, &state->new_users); + if (ret != EOK) goto done; + ret = sss_hash_create(state, 32, &state->new_hosts); + if (ret != EOK) goto done; + + + ret = ipa_netgr_next_base(req); + +done: + 
if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static errno_t ipa_netgr_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct ipa_get_netgroups_state *state; + struct sdap_search_base **netgr_bases; + + state = tevent_req_data(req, struct ipa_get_netgroups_state); + netgr_bases = state->ipa_opts->id->sdom->netgroup_search_bases; + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters( + state, + state->base_filter, + netgr_bases[state->netgr_base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for netgroups with base [%s]\n", + netgr_bases[state->netgr_base_iter]->basedn); + + subreq = sdap_get_generic_send( + state, state->ev, state->opts, state->sh, + netgr_bases[state->netgr_base_iter]->basedn, + netgr_bases[state->netgr_base_iter]->scope, + state->filter, state->attrs, + state->opts->netgroup_map, IPA_OPTS_NETGROUP, + state->timeout, + true); + if (!subreq) { + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_get_netgroups_process, req); + + return EOK; +} + +static int ipa_netgr_fetch_netgroups(struct ipa_get_netgroups_state *state, + struct tevent_req *req); +static int ipa_netgr_fetch_users(struct ipa_get_netgroups_state *state, + struct tevent_req *req); +static int ipa_netgr_fetch_hosts(struct ipa_get_netgroups_state *state, + struct tevent_req *req); +static void ipa_netgr_members_process(struct tevent_req *subreq); + +static void ipa_get_netgroups_process(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_netgroups_state *state = tevent_req_data(req, + struct ipa_get_netgroups_state); + int i, ret; + struct ldb_message_element *el; + struct sdap_search_base **netgr_bases; + struct sysdb_attrs **netgroups; + size_t netgroups_count; + const char *orig_dn; + char *dn; + char *filter; + bool fetch_members = false; + hash_key_t 
key; + hash_value_t value; + + netgr_bases = state->ipa_opts->id->sdom->netgroup_search_bases; + + ret = sdap_get_generic_recv(subreq, state, &netgroups_count, &netgroups); + talloc_zfree(subreq); + if (ret) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Search for netgroups, returned %zu results.\n", + netgroups_count); + + if (netgroups_count == 0) { + /* No netgroups found in this search */ + state->netgr_base_iter++; + if (netgr_bases[state->netgr_base_iter]) { + /* There are more search bases to try */ + ret = ipa_netgr_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ENOENT); + } + return; + } + + ret = ENOENT; + goto done; + } + + filter = talloc_strdup(state, "(|"); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < netgroups_count; i++) { + ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_NETGROUP_MEMBER, + &el); + if (ret != EOK) goto done; + if (el->num_values) state->entities_found |= ENTITY_NG; + + ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_USER, + &el); + if (ret != EOK) goto done; + if (el->num_values) state->entities_found |= ENTITY_USER; + + ret = sysdb_attrs_get_el(netgroups[i], SYSDB_ORIG_MEMBER_HOST, + &el); + if (ret != EOK) goto done; + if (el->num_values) state->entities_found |= ENTITY_HOST; + + ret = sysdb_attrs_get_string(netgroups[i], SYSDB_ORIG_DN, &orig_dn); + if (ret != EOK) { + goto done; + } + + key.type = HASH_KEY_STRING; + value.type = HASH_VALUE_PTR; + key.str = discard_const(orig_dn); + value.ptr = netgroups[i]; + ret = hash_enter(state->new_netgroups, &key, &value); + if (ret != HASH_SUCCESS) { + ret = ENOMEM; + goto done; + } + + if (state->entities_found == 0) { + continue; + } + + ret = sss_filter_sanitize(state, orig_dn, &dn); + if (ret != EOK) { + goto done; + } + /* Add this to the filter */ + filter = talloc_asprintf_append(filter, "(%s=%s)", + state->opts->netgroup_map[IPA_AT_NETGROUP_MEMBER_OF].name, + dn); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + 
fetch_members = true; + } + + if (!fetch_members) { + ret = ipa_netgr_process_all(state); + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + return; + } + + state->filter = talloc_asprintf_append(filter, ")"); + if (state->filter == NULL) { + ret = ENOMEM; + goto done; + } + + if (state->entities_found & ENTITY_NG) { + state->netgr_base_iter = 0; + ret = ipa_netgr_fetch_netgroups(state, req); + if (ret != EOK) goto done; + } else if (state->entities_found & ENTITY_USER) { + ret = ipa_netgr_fetch_users(state, req); + if (ret != EOK) goto done; + } else if (state->entities_found & ENTITY_HOST) { + ret = ipa_netgr_fetch_hosts(state, req); + if (ret != EOK) goto done; + } + + return; +done: + tevent_req_error(req, ret); + return; +} + +static int ipa_netgr_fetch_netgroups(struct ipa_get_netgroups_state *state, + struct tevent_req *req) +{ + char *filter; + const char *base_filter; + struct tevent_req *subreq; + struct sdap_search_base **bases; + + bases = state->ipa_opts->id->sdom->netgroup_search_bases; + if (bases[state->netgr_base_iter] == NULL) { + /* No more bases to try */ + return ENOENT; + } + base_filter = bases[state->netgr_base_iter]->filter; + + filter = talloc_asprintf(state, "(&%s%s(objectclass=%s))", + state->filter, + base_filter?base_filter:"", + state->opts->netgroup_map[SDAP_OC_NETGROUP].name); + if (filter == NULL) + return ENOMEM; + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + bases[state->netgr_base_iter]->basedn, + bases[state->netgr_base_iter]->scope, + filter, state->attrs, state->opts->netgroup_map, + IPA_OPTS_NETGROUP, state->timeout, true); + + state->current_entity = ENTITY_NG; + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_netgr_members_process, req); + + return EOK; +} + +static int ipa_netgr_fetch_users(struct ipa_get_netgroups_state *state, + struct tevent_req *req) +{ + const char *attrs[] = { 
state->opts->user_map[SDAP_AT_USER_NAME].name, + state->opts->user_map[SDAP_AT_USER_MEMBEROF].name, + "objectclass", NULL }; + char *filter; + const char *base_filter; + struct tevent_req *subreq; + struct sdap_search_base **bases; + + bases = state->ipa_opts->id->sdom->user_search_bases; + if (bases[state->user_base_iter] == NULL) { + return ENOENT; + } + base_filter = bases[state->user_base_iter]->filter; + + filter = talloc_asprintf(state, "(&%s%s(objectclass=%s))", + state->filter, + base_filter?base_filter:"", + state->opts->user_map[SDAP_OC_USER].name); + if (filter == NULL) + return ENOMEM; + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + dp_opt_get_string(state->opts->basic, + SDAP_USER_SEARCH_BASE), + LDAP_SCOPE_SUBTREE, + filter, attrs, state->opts->user_map, + state->opts->user_map_cnt, + state->timeout, true); + + state->current_entity = ENTITY_USER; + if (subreq == NULL) { + talloc_free(attrs); + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_netgr_members_process, req); + + return EOK; +} + +static int ipa_netgr_fetch_hosts(struct ipa_get_netgroups_state *state, + struct tevent_req *req) +{ + const char **attrs; + char *filter; + const char *base_filter; + struct tevent_req *subreq; + int ret; + struct sdap_search_base **bases; + + bases = state->ipa_opts->id->sdom->host_search_bases; + if (bases[state->host_base_iter] == NULL) { + return ENOENT; + } + base_filter = bases[state->host_base_iter]->filter; + + filter = talloc_asprintf(state, "(&%s%s(objectclass=%s))", + state->filter, + base_filter ? 
base_filter : "", + state->ipa_opts->id->host_map[SDAP_OC_HOST].name); + if (filter == NULL) + return ENOMEM; + + ret = build_attrs_from_map(state, state->ipa_opts->id->host_map, + SDAP_OPTS_HOST, NULL, &attrs, NULL); + if (ret != EOK) { + talloc_free(filter); + return ret; + } + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + bases[state->host_base_iter]->basedn, + bases[state->host_base_iter]->scope, + filter, attrs, state->ipa_opts->id->host_map, + SDAP_OPTS_HOST, state->timeout, true); + + state->current_entity = ENTITY_HOST; + if (subreq == NULL) { + talloc_free(filter); + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_netgr_members_process, req); + + return EOK; +} + +static void ipa_netgr_members_process(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_netgroups_state *state = tevent_req_data(req, + struct ipa_get_netgroups_state); + struct sysdb_attrs **entities; + size_t count; + int ret, i; + const char *orig_dn; + hash_table_t *table; + hash_key_t key; + hash_value_t value; + int (* next_call)(struct ipa_get_netgroups_state *, + struct tevent_req *); + bool next_batch_scheduled = false; + + ret = sdap_get_generic_recv(subreq, state, &count, &entities); + talloc_zfree(subreq); + if (ret) { + goto fail; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu members in current search base\n", + count); + + next_call = NULL; + /* While processing a batch of entities from one search base, + * schedule query for another search base if there is one + * + * If there is no other search base, another class of entities + * will be scheduled for lookup after processing of current + * batch. 
The order of lookup is: netgroups -> users -> hosts + */ + if (state->current_entity == ENTITY_NG) { + /* We just received a batch of netgroups */ + state->netgr_base_iter++; + ret = ipa_netgr_fetch_netgroups(state, req); + table = state->new_netgroups; + /* If there is a member netgroup, we always have to + * ask for both member users and hosts + * -> now schedule users + */ + next_call = ipa_netgr_fetch_users; + } else if (state->current_entity == ENTITY_USER) { + /* We just received a batch of users */ + state->user_base_iter++; + ret = ipa_netgr_fetch_users(state, req); + table = state->new_users; + if (state->entities_found & ENTITY_HOST || + state->entities_found & ENTITY_NG) { + next_call = ipa_netgr_fetch_hosts; + } + } else if (state->current_entity == ENTITY_HOST) { + /* We just received a batch of hosts */ + state->host_base_iter++; + ret = ipa_netgr_fetch_hosts(state, req); + table = state->new_hosts; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid entity type given for processing: %d\n", + state->current_entity); + ret = EINVAL; + goto fail; + } + + if (ret == EOK) { + /* Next search base has been scheduled for inspection, + * don't try to look for other type of entities + */ + next_batch_scheduled = true; + } else if (ret != ENOENT) { + goto fail; + } + + /* Process all member entites and store them in the designated hash table */ + key.type = HASH_KEY_STRING; + value.type = HASH_VALUE_PTR; + for (i = 0; i < count; i++) { + ret = sysdb_attrs_get_string(entities[i], SYSDB_ORIG_DN, &orig_dn); + if (ret != EOK) { + goto fail; + } + + key.str = talloc_strdup(table, orig_dn); + if (key.str == NULL) { + ret = ENOMEM; + goto fail; + } + + value.ptr = entities[i]; + ret = hash_enter(table, &key, &value); + if (ret != HASH_SUCCESS) { + goto fail; + } + } + + if (next_batch_scheduled) { + /* The next search base is already scheduled to be searched */ + return; + } + + if (next_call) { + /* There is another class of members that has to be retrieved + * - 
schedule the lookup + */ + ret = next_call(state, req); + if (ret != EOK) goto fail; + } else { + /* All members, that could have been fetched, were fetched */ + ret = ipa_netgr_process_all(state); + if (ret != EOK) goto fail; + + tevent_req_done(req); + } + + return; + +fail: + tevent_req_error(req, ret); + return; +} + +static bool extract_netgroups(hash_entry_t *entry, void *pvt) +{ + struct ipa_get_netgroups_state *state; + state = talloc_get_type(pvt, struct ipa_get_netgroups_state); + + state->netgroups[state->netgroups_count] = talloc_get_type(entry->value.ptr, + struct sysdb_attrs); + state->netgroups_count++; + + return true; +} + +struct extract_state { + const char *group; + const char *appropriateMemberOf; + + const char **entries; + int entries_count; +}; + +static bool extract_entities(hash_entry_t *entry, void *pvt) +{ + int ret; + struct extract_state *state; + struct sysdb_attrs *member; + struct ldb_message_element *el; + struct ldb_message_element *name_el; + + state = talloc_get_type(pvt, struct extract_state); + member = talloc_get_type(entry->value.ptr, struct sysdb_attrs); + + ret = sysdb_attrs_get_el(member, state->appropriateMemberOf, &el); + if (ret != EOK) { + return false; + } + + ret = sysdb_attrs_get_el(member, SYSDB_NAME, &name_el); + if (ret != EOK || name_el == NULL || name_el->num_values == 0) { + return false; + } + + for (int j = 0; j < el->num_values; j++) { + if (strcmp((char *)el->values[j].data, state->group) == 0) { + state->entries = talloc_realloc(state, state->entries, + const char *, + state->entries_count + 1); + if (state->entries == NULL) { + return false; + } + + state->entries[state->entries_count] = (char *)name_el->values[0].data; + state->entries_count++; + break; + } + } + + return true; +} + +static int extract_members(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *netgroup, + const char *member_type, + const char *appropriateMemberOf, + hash_table_t *lookup_table, + const char ***_ret_array, + int *_ret_count) +{ 
+ struct extract_state *state; + struct ldb_message_element *el; + struct sysdb_attrs *member; + hash_key_t key; + hash_value_t value; + const char **process = NULL; + const char **ret_array = NULL; + int process_count = 0; + int ret_count = 0; + int ret, i, pi; + + key.type = HASH_KEY_STRING; + value.type = HASH_VALUE_PTR; + + state = talloc_zero(mem_ctx, struct extract_state); + if (state == NULL) { + ret = ENOMEM; + goto done; + } + + state->appropriateMemberOf = appropriateMemberOf; + + ret = sysdb_attrs_get_el(netgroup, member_type, &el); + if (ret != EOK && ret != ENOENT) { + goto done; + } + + if (ret == EOK) { + for (i = 0; i < el->num_values; i++) { + key.str = (char *)el->values[i].data; + ret = hash_lookup(lookup_table, &key, &value); + if (ret != HASH_SUCCESS && ret != HASH_ERROR_KEY_NOT_FOUND) { + ret = ENOENT; + goto done; + } + + if (ret == HASH_ERROR_KEY_NOT_FOUND) { + process = talloc_realloc(mem_ctx, process, const char *, process_count + 1); + if (process == NULL) { + ret = ENOMEM; + goto done; + } + + process[process_count] = (char *)el->values[i].data; + process_count++; + } else { + ret_array = talloc_realloc(mem_ctx, ret_array, const char *, ret_count + 1); + if (ret_array == NULL) { + ret = ENOMEM; + goto done; + } + member = talloc_get_type(value.ptr, struct sysdb_attrs); + ret = sysdb_attrs_get_string(member, SYSDB_NAME, &ret_array[ret_count]); + if (ret != EOK) { + goto done; + } + ret_count++; + } + + for (pi = 0; pi < process_count; pi++) { + state->group = process[pi]; + hash_iterate(lookup_table, extract_entities, state); + if (state->entries_count > 0) { + ret_array = talloc_realloc(mem_ctx, ret_array, const char *, + ret_count + state->entries_count); + if (ret_array == NULL) { + ret = ENOMEM; + goto done; + } + memcpy(&ret_array[ret_count], state->entries, + state->entries_count*sizeof(const char *)); + ret_count += state->entries_count; + } + state->entries_count = 0; + talloc_zfree(state->entries); + } + } + } else { + ret_array 
= NULL; + } + + *_ret_array = ret_array; + *_ret_count = ret_count; + ret = EOK; + +done: + return ret; +} + +static int ipa_netgr_process_all(struct ipa_get_netgroups_state *state) +{ + int i, j, k, ret; + const char **members; + struct sysdb_attrs *member; + const char *member_name; + struct extract_state *extract_state; + struct ldb_message_element *external_hosts; + const char *dash[] = {"-"}; + const char **uids = NULL; + const char **hosts = NULL; + int uids_count = 0; + int hosts_count = 0; + hash_key_t key; + hash_value_t value; + const char *domain; + char *triple; + + state->netgroups = talloc_zero_array(state, struct sysdb_attrs *, + hash_count(state->new_netgroups)); + if (state->netgroups == NULL) { + return ENOMEM; + } + + extract_state = talloc_zero(state, struct extract_state); + if (extract_state == NULL) { + ret = ENOMEM; + goto done; + } + + key.type = HASH_KEY_STRING; + value.type = HASH_VALUE_PTR; + + hash_iterate(state->new_netgroups, extract_netgroups, state); + for (i = 0; i < state->netgroups_count; i++) { + /* load all its member netgroups, translate */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Extracting netgroup members of netgroup %d\n", i); + ret = sysdb_attrs_get_string_array(state->netgroups[i], + SYSDB_ORIG_NETGROUP_MEMBER, + state, &members); + if (ret != EOK && ret != ENOENT) { + goto done; + } + + j = 0; + if (ret == EOK) { + for (j = 0; members[j]; j++) { + key.str = discard_const(members[j]); + ret = hash_lookup(state->new_netgroups, &key, &value); + if (ret != HASH_SUCCESS) { + ret = ENOENT; + goto done; + } + + member = talloc_get_type(value.ptr, struct sysdb_attrs); + ret = sysdb_attrs_get_string(member, SYSDB_NAME, &member_name); + if (ret != EOK) { + goto done; + } + + ret = sysdb_attrs_add_string(state->netgroups[i], + SYSDB_NETGROUP_MEMBER, + member_name); + if (ret != EOK) { + goto done; + } + } + talloc_zfree(members); + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Extracted %d netgroup members\n", j); + + /* Load all UIDs */ + 
DEBUG(SSSDBG_TRACE_ALL, "Extracting user members of netgroup %d\n", i); + ret = extract_members(state, state->netgroups[i], + SYSDB_ORIG_MEMBER_USER, + state->ipa_opts->id->user_map[SDAP_AT_USER_MEMBEROF].sys_name, + state->new_users, + &uids, &uids_count); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Extracted %d user members\n", uids_count); + + DEBUG(SSSDBG_TRACE_ALL, "Extracting host members of netgroup %d\n", i); + ret = extract_members(state, state->netgroups[i], + SYSDB_ORIG_MEMBER_HOST, + state->ipa_opts->id->host_map[SDAP_AT_HOST_MEMBER_OF].sys_name, + state->new_hosts, + &hosts, &hosts_count); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Extracted %d host members\n", hosts_count); + + ret = sysdb_attrs_get_el(state->netgroups[i], + SYSDB_ORIG_NETGROUP_EXTERNAL_HOST, + &external_hosts); + if (ret != EOK) { + goto done; + } + + if (external_hosts->num_values > 0) { + hosts = talloc_realloc(state, hosts, const char *, + hosts_count + external_hosts->num_values); + if (hosts == NULL) { + ret = ENOMEM; + goto done; + } + + for (j = 0; j < external_hosts->num_values; j++) { + hosts[hosts_count] = talloc_strdup(hosts, (char *)external_hosts->values[j].data); + if (hosts[hosts_count] == NULL) { + ret = ENOMEM; + goto done; + } + hosts_count++; + } + } + + ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN, + &domain); + if (ret == ENOENT) { + domain = NULL; + } else if (ret != EOK) { + goto done; + } + + if (uids_count > 0 || hosts_count > 0) { + if (uids_count == 0) { + uids_count = 1; + uids = dash; + } + + if (hosts_count == 0) { + hosts_count = 1; + hosts = dash; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Putting together triples of " + "netgroup %d\n", i); + for (j = 0; j < uids_count; j++) { + for (k = 0; k < hosts_count; k++) { + triple = talloc_asprintf(state, "(%s,%s,%s)", + hosts[k], uids[j], + domain ? 
domain : ""); + if (triple == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(state->netgroups[i], + SYSDB_NETGROUP_TRIPLE, + triple); + if (ret != EOK) { + goto done; + } + } + } + } + + ret = ipa_save_netgroup(state, state->dom, + state->opts, state->netgroups[i]); + if (ret != EOK) { + goto done; + } + } + + ret = EOK; +done: + return ret; +} + +int ipa_get_netgroups_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sysdb_attrs ***reply) +{ + struct ipa_get_netgroups_state *state = tevent_req_data(req, + struct ipa_get_netgroups_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (reply_count) { + *reply_count = state->netgroups_count; + } + + if (reply) { + *reply = talloc_steal(mem_ctx, state->netgroups); + } + + return EOK; +} diff --git a/src/providers/ipa/ipa_opts.c b/src/providers/ipa/ipa_opts.c new file mode 100644 index 0000000..485ad4f --- /dev/null +++ b/src/providers/ipa/ipa_opts.c 
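Review bot: In ipa_netgr_fetch_users the `subreq == NULL` branch calls `talloc_free(attrs)`, but `attrs` is the automatic array `const char *attrs[] = { ... }` declared at the top of that function, not a talloc allocation, so the out-of-memory path passes a stack address to talloc. The call should be dropped, leaving `if (subreq == NULL) { return ENOMEM; }` as ipa_netgr_fetch_netgroups already has. The same function tests `bases[state->user_base_iter]` yet searches with `dp_opt_get_string(state->opts->basic, SDAP_USER_SEARCH_BASE)` and `LDAP_SCOPE_SUBTREE`, so each pass over the user search bases appears to repeat one query and ignore the configured scope. ipa_netgr_fetch_hosts passes `bases[state->host_base_iter]->basedn` and `->scope`, which suggests `bases[state->user_base_iter]->basedn` and `bases[state->user_base_iter]->scope` were intended here. Whether sdap_get_generic_send copies `attrs` is not visible in this hunk; if it keeps the pointer, the array should be allocated on `state` rather than on the stack.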
@@ -0,0 +1,397 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "src/providers/data_provider.h" +#include "db/sysdb.h" +#include "db/sysdb_sudo.h" +#include "db/sysdb_autofs.h" +#include "db/sysdb_services.h" +#include "db/sysdb_selinux.h" +#include "providers/ldap/ldap_common.h" + +struct dp_option ipa_basic_opts[] = { + { "ipa_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_hostname", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_hbac_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "ipa_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_selinux_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_subdomains_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_master_domain_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_selinux_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING }, + { "ipa_ranges_search_base", DP_OPT_STRING, 
NULL_STRING, NULL_STRING }, + { "ipa_enable_dns_sites", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ipa_server_mode", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ipa_views_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_confd_path", DP_OPT_STRING, { KRB5_MAPPING_DIR }, NULL_STRING }, + { "ipa_deskprofile_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ipa_deskprofile_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_deskprofile_request_interval", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, + DP_OPTION_TERMINATOR +}; + +struct dp_option ipa_dyndns_opts[] = { + { "dyndns_update", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "dyndns_refresh_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "dyndns_iface", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "dyndns_ttl", DP_OPT_NUMBER, { .number = 1200 }, NULL_NUMBER }, + { "dyndns_update_ptr", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "dyndns_force_tcp", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "dyndns_auth", DP_OPT_STRING, { "gss-tsig" }, NULL_STRING }, + { "dyndns_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + DP_OPTION_TERMINATOR +}; + +struct dp_option ipa_def_ldap_opts[] = { + { "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_default_authtok_type", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB }, + { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING }, + { "ldap_user_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_user_search_scope", 
DP_OPT_STRING, { "sub" }, NULL_STRING }, + { "ldap_user_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_user_extra_attrs", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_group_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_group_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING }, + { "ldap_group_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_service_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_full_refresh_interval", DP_OPT_NUMBER, { .number = 21600 }, NULL_NUMBER }, + { "ldap_sudo_smart_refresh_interval", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, /* 15 mins */ + { "ldap_sudo_use_host_filter", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_sudo_hostnames", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_ip", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_include_netgroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_sudo_include_regexp", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_autofs_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_autofs_map_master_name", DP_OPT_STRING, { "auto.master" }, NULL_STRING }, + { "ldap_schema", DP_OPT_STRING, { "ipa_v1" }, NULL_STRING }, + { "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, + { "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER }, + { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, + { "ldap_tls_cacert", DP_OPT_STRING, { "/etc/ipa/ca.crt" }, NULL_STRING }, + { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { 
"ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_sasl_mech", DP_OPT_STRING, { "GSSAPI" } , NULL_STRING }, + { "ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = 56 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ + { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_pwd_policy", DP_OPT_STRING, { "none" } , NULL_STRING }, + { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, + { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING }, + { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER }, + { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }, + { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_account_expire_policy", DP_OPT_STRING, { "ipa" }, NULL_STRING }, + { "ldap_access_order", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, 
NULL_STRING }, + { "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, + /* Do not include ldap_auth_disable_tls_never_use_in_production in the + * manpages or SSSDConfig API + */ + { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, + { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, + { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, + { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER }, + { "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, + { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE}, + { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER}, + DP_OPTION_TERMINATOR +}; + 
+struct sdap_attr_map ipa_attr_map[] = { + { "ldap_entry_usn", "entryUSN", SYSDB_USN, NULL }, + { "ldap_rootdse_last_usn", "lastUSN", SYSDB_HIGH_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_user_map[] = { + { "ldap_user_object_class", "posixAccount", SYSDB_USER_CLASS, NULL }, + { "ldap_user_name", "uid", SYSDB_NAME, NULL }, + { "ldap_user_pwd", "userPassword", SYSDB_PWD, NULL }, + { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL }, + { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL }, + { "ldap_user_home_directory", "homeDirectory", SYSDB_HOMEDIR, NULL }, + { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL }, + { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, + { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, + { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, + { "ldap_user_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, + { "ldap_user_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL }, + { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, + { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_user_shadow_last_change", "shadowLastChange", SYSDB_SHADOWPW_LASTCHANGE, NULL }, + { "ldap_user_shadow_min", "shadowMin", SYSDB_SHADOWPW_MIN, NULL }, + { "ldap_user_shadow_max", "shadowMax", SYSDB_SHADOWPW_MAX, NULL }, + { "ldap_user_shadow_warning", "shadowWarning", SYSDB_SHADOWPW_WARNING, NULL }, + { "ldap_user_shadow_inactive", "shadowInactive", SYSDB_SHADOWPW_INACTIVE, NULL }, + { "ldap_user_shadow_expire", "shadowExpire", SYSDB_SHADOWPW_EXPIRE, NULL }, + { "ldap_user_shadow_flag", "shadowFlag", SYSDB_SHADOWPW_FLAG, NULL }, + { "ldap_user_krb_last_pwd_change", "krbLastPwdChange", SYSDB_KRBPW_LASTCHANGE, NULL }, + { "ldap_user_krb_password_expiration", "krbPasswordExpiration", SYSDB_KRBPW_EXPIRATION, NULL }, + { "ldap_pwd_attribute", 
"pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL }, + { "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL }, + { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, + { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL}, + { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL }, + { "ldap_user_authorized_rhost", NULL, SYSDB_AUTHORIZED_RHOST, NULL }, + { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL }, + { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL }, + { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, + { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }, + { "ldap_user_auth_type", "ipaUserAuthType", SYSDB_AUTH_TYPE, NULL }, + { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, + { "ldap_user_email", "mail", SYSDB_USER_EMAIL, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_group_map[] = { + { "ldap_group_object_class", "ipaUserGroup", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_object_class_alt", "posixGroup", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_name", "cn", SYSDB_NAME, NULL }, + { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL }, + { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_group_member", "member", SYSDB_MEMBER, NULL }, + { "ldap_group_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, + { "ldap_group_objectsid", "ipaNTSecurityIdentifier", SYSDB_SID_STR, NULL }, + { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL }, + { "ldap_group_external_member", "ipaExternalMember", SYSDB_EXTERNAL_MEMBER, NULL }, + 
SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_netgroup_map[] = { + { "ipa_netgroup_object_class", "ipaNisNetgroup", SYSDB_NETGROUP_CLASS, NULL }, + { "ipa_netgroup_name", "cn", SYSDB_NAME, NULL }, + { "ipa_netgroup_member", "member", SYSDB_ORIG_NETGROUP_MEMBER, NULL }, + { "ipa_netgroup_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, + { "ipa_netgroup_member_user", "memberUser", SYSDB_ORIG_MEMBER_USER, NULL }, + { "ipa_netgroup_member_host", "memberHost", SYSDB_ORIG_MEMBER_HOST, NULL }, + { "ipa_netgroup_member_ext_host", "externalHost", SYSDB_ORIG_NETGROUP_EXTERNAL_HOST, NULL }, + { "ipa_netgroup_domain", "nisDomainName", SYSDB_NETGROUP_DOMAIN, NULL }, + { "ipa_netgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_host_map[] = { + { "ipa_host_object_class", "ipaHost", SYSDB_HOST_CLASS, NULL }, + { "ipa_host_name", "cn", SYSDB_NAME, NULL }, + { "ipa_host_fqdn", "fqdn", SYSDB_FQDN, NULL }, + { "ipa_host_serverhostname", "serverHostname", SYSDB_SERVERHOSTNAME, NULL }, + { "ipa_host_member_of", "memberOf", SYSDB_ORIG_MEMBEROF, NULL }, + { "ipa_host_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }, + { "ipa_host_uuid", "ipaUniqueID", SYSDB_UUID, NULL}, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_hostgroup_map[] = { + { "ipa_hostgroup_objectclass", "ipaHostgroup", SYSDB_HOSTGROUP_CLASS, NULL}, + { "ipa_hostgroup_name", "cn", SYSDB_NAME, NULL}, + { "ipa_hostgroup_memberof", "memberOf", SYSDB_ORIG_MEMBEROF, NULL}, + { "ipa_hostgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL}, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_selinux_user_map[] = { + { "ipa_selinux_usermap_object_class", "ipaselinuxusermap", SYSDB_SELINUX_USERMAP_CLASS, NULL}, + { "ipa_selinux_usermap_name", "cn", SYSDB_NAME, NULL}, + { "ipa_selinux_usermap_member_user", "memberUser", SYSDB_ORIG_MEMBER_USER, NULL}, + { "ipa_selinux_usermap_member_host", "memberHost", SYSDB_ORIG_MEMBER_HOST, NULL}, + { 
"ipa_selinux_usermap_see_also", "seeAlso", SYSDB_SELINUX_SEEALSO, NULL}, + { "ipa_selinux_usermap_selinux_user", "ipaSELinuxUser", SYSDB_SELINUX_USER, NULL}, + { "ipa_selinux_usermap_enabled", "ipaEnabledFlag", SYSDB_SELINUX_ENABLED, NULL}, + { "ipa_selinux_usermap_user_category", "userCategory", SYSDB_USER_CATEGORY, NULL}, + { "ipa_selinux_usermap_host_category", "hostCategory", SYSDB_HOST_CATEGORY, NULL}, + { "ipa_selinux_usermap_uuid", "ipaUniqueID", SYSDB_UUID, NULL}, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_view_map[] = { + { "ipa_view_class", "nsContainer", SYSDB_VIEW_CLASS, NULL}, + { "ipa_view_name", "cn", SYSDB_VIEW_NAME, NULL}, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_override_map[] = { + { "ipa_override_object_class", "ipaOverrideAnchor", SYSDB_OVERRIDE_CLASS, NULL}, + { "ipa_anchor_uuid", "ipaAnchorUUID", SYSDB_OVERRIDE_ANCHOR_UUID, NULL}, + { "ipa_user_override_object_class", "ipaUserOverride", SYSDB_OVERRIDE_USER_CLASS, NULL}, + { "ipa_group_override_object_class", "ipaGroupOverride", SYSDB_OVERRIDE_GROUP_CLASS, NULL}, + { "ldap_user_name", "uid", SYSDB_NAME, NULL }, + { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL }, + { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL }, + { "ldap_user_home_directory", "homeDirectory", SYSDB_HOMEDIR, NULL }, + { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL }, + { "ldap_group_name", "cn", SYSDB_NAME, NULL }, + { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_ssh_public_key", "ipaSshPubKey", SYSDB_SSH_PUBKEY, NULL }, + { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct dp_option ipa_def_krb5_opts[] = { + { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_ccachedir", 
DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING }, + { "krb5_ccname_template", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING }, + { "krb5_validate", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_use_fast", DP_OPT_STRING, { "try" }, NULL_STRING }, + { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_enterprise_principal", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_map_user", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + DP_OPTION_TERMINATOR +}; + +struct sdap_attr_map ipa_service_map[] = { + { "ldap_service_object_class", "ipService", SYSDB_SVC_CLASS, NULL }, + { "ldap_service_name", "cn", SYSDB_NAME, NULL }, + { "ldap_service_port", "ipServicePort", SYSDB_SVC_PORT, NULL }, + { "ldap_service_proto", "ipServiceProtocol", SYSDB_SVC_PROTO, NULL }, + { "ldap_service_entry_usn", NULL, SYSDB_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_autofs_mobject_map[] = { + { "ldap_autofs_map_object_class", "automountMap", SYSDB_AUTOFS_MAP_OC, NULL }, + { "ldap_autofs_map_name", "automountMapName", SYSDB_AUTOFS_MAP_NAME, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_autofs_entry_map[] = { + { "ldap_autofs_entry_object_class", "automount", SYSDB_AUTOFS_ENTRY_OC, NULL }, + { "ldap_autofs_entry_key", "automountKey", 
SYSDB_AUTOFS_ENTRY_KEY, NULL }, + { "ldap_autofs_entry_value", "automountInformation", SYSDB_AUTOFS_ENTRY_VALUE, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_sudorule_map[] = { + { "ipa_sudorule_object_class", "ipasudorule", SYSDB_IPA_SUDORULE_OC, NULL }, + { "ipa_sudorule_name", "cn", SYSDB_NAME, NULL }, + { "ipa_sudorule_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, + { "ipa_sudorule_enabled_flag", "ipaEnabledFlag", SYSDB_IPA_SUDORULE_ENABLED, NULL }, + { "ipa_sudorule_option", "ipaSudoOpt", SYSDB_IPA_SUDORULE_OPTION, NULL }, + { "ipa_sudorule_runasuser", "ipaSudoRunAs", SYSDB_IPA_SUDORULE_RUNASUSER, NULL }, + { "ipa_sudorule_runasgroup", "ipaSudoRunAsGroup", SYSDB_IPA_SUDORULE_RUNASGROUP, NULL }, + { "ipa_sudorule_allowcmd", "memberAllowCmd", SYSDB_IPA_SUDORULE_ALLOWCMD, NULL }, + { "ipa_sudorule_denycmd", "memberDenyCmd", SYSDB_IPA_SUDORULE_DENYCMD, NULL }, + { "ipa_sudorule_host", "memberHost", SYSDB_IPA_SUDORULE_HOST, NULL }, + { "ipa_sudorule_user", "memberUser", SYSDB_IPA_SUDORULE_USER, NULL }, + { "ipa_sudorule_notafter", "sudoNotAfter", SYSDB_IPA_SUDORULE_NOTAFTER, NULL }, + { "ipa_sudorule_notbefore", "sudoNotBefore", SYSDB_IPA_SUDORULE_NOTBEFORE, NULL }, + { "ipa_sudorule_sudoorder", "sudoOrder", SYSDB_IPA_SUDORULE_SUDOORDER, NULL }, + { "ipa_sudorule_cmdcategory", "cmdCategory", SYSDB_IPA_SUDORULE_CMDCATEGORY, NULL }, + { "ipa_sudorule_hostcategory", "hostCategory", SYSDB_IPA_SUDORULE_HOSTCATEGORY, NULL }, + { "ipa_sudorule_usercategory", "userCategory", SYSDB_IPA_SUDORULE_USERCATEGORY, NULL }, + { "ipa_sudorule_runasusercategory", "ipaSudoRunAsUserCategory", SYSDB_IPA_SUDORULE_RUNASUSERCATEGORY, NULL }, + { "ipa_sudorule_runasgroupcategory", "ipaSudoRunAsGroupCategory", SYSDB_IPA_SUDORULE_RUNASGROUPCATEGORY, NULL }, + { "ipa_sudorule_runasextuser", "ipaSudoRunAsExtUser", SYSDB_IPA_SUDORULE_RUNASEXTUSER, NULL }, + { "ipa_sudorule_runasextgroup", "ipaSudoRunAsExtGroup", SYSDB_IPA_SUDORULE_RUNASEXTGROUP, NULL }, + { 
"ipa_sudorule_runasextusergroup", "ipaSudoRunAsExtUserGroup", SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, NULL }, + { "ipa_sudorule_externaluser", "externalUser", SYSDB_IPA_SUDORULE_EXTUSER, NULL }, + { "ipa_sudorule_entry_usn", "entryUSN", SYSDB_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_sudocmdgroup_map[] = { + { "ipa_sudocmdgroup_object_class", "ipasudocmdgrp", SYSDB_IPA_SUDOCMDGROUP_OC, NULL }, + { "ipa_sudocmdgroup_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, + { "ipa_sudocmdgroup_name", "cn", SYSDB_NAME, NULL }, + { "ipa_sudocmdgroup_member", "member", SYSDB_MEMBER, NULL }, + { "ipa_sudocmdgroup_entry_usn", "entryUSN", SYSDB_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map ipa_sudocmd_map[] = { + { "ipa_sudocmd_object_class", "ipasudocmd", SYSDB_IPA_SUDOCMD_OC, NULL }, + { "ipa_sudocmd_uuid", "ipaUniqueID", SYSDB_UUID, NULL }, + { "ipa_sudocmd_sudoCmd", "sudoCmd", SYSDB_IPA_SUDOCMD_SUDOCMD, NULL }, + { "ipa_sudocmd_memberof", "memberOf", SYSDB_MEMBEROF, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct dp_option ipa_cli_ad_subdom_opts [] = { + { "ad_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ad_site", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + DP_OPTION_TERMINATOR +}; diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h new file mode 100644 index 0000000..378a992 --- /dev/null +++ b/src/providers/ipa/ipa_opts.h 
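Review bot: The `ldap_sasl_minssf` entry in `ipa_def_ldap_opts` defaults to `{ .number = 56 }`, which as a SASL security strength factor puts the floor for the negotiated security layer at single-DES strength. The same table defaults `ldap_sasl_mech` to `"GSSAPI"` and `ldap_id_use_start_tls` to `BOOL_FALSE`, so the SASL layer appears to be the transport protection for identity lookups by default, which makes this floor matter. Whether the servers this provider talks to always negotiate something stronger cannot be seen from this file. I would either raise the default or record the reasoning beside the entry, e.g. `/* minimum acceptable SASL SSF; 56 is DES-level, raise where the servers allow it */`.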
@@ -0,0 +1,69 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_OPTS_H_
+#define IPA_OPTS_H_
+
+#include "src/providers/data_provider.h"
+#include "providers/ldap/ldap_common.h"
+
+extern struct dp_option ipa_basic_opts[];
+
+extern struct dp_option ipa_dyndns_opts[];
+
+extern struct dp_option ipa_def_ldap_opts[];
+
+extern struct sdap_attr_map ipa_attr_map[];
+
+extern struct sdap_attr_map ipa_user_map[];
+
+extern struct sdap_attr_map ipa_group_map[];
+
+extern struct sdap_attr_map ipa_netgroup_map[];
+
+extern struct sdap_attr_map ipa_host_map[];
+
+extern struct sdap_attr_map ipa_hostgroup_map[];
+
+extern struct sdap_attr_map ipa_selinux_user_map[];
+
+extern struct sdap_attr_map ipa_view_map[];
+
+extern struct sdap_attr_map ipa_override_map[];
+
+extern struct dp_option ipa_def_krb5_opts[];
+
+extern struct sdap_attr_map ipa_service_map[];
+
+extern struct sdap_attr_map ipa_autofs_mobject_map[];
+
+extern struct sdap_attr_map ipa_autofs_entry_map[];
+
+extern struct sdap_attr_map ipa_sudorule_map[];
+
+extern struct sdap_attr_map ipa_sudocmdgroup_map[];
+
+extern struct sdap_attr_map ipa_sudocmd_map[];
+
+extern struct dp_option ipa_cli_ad_subdom_opts[];
+
+#endif /* IPA_OPTS_H_ */
diff --git a/src/providers/ipa/ipa_rules_common.c b/src/providers/ipa/ipa_rules_common.c
new file mode 100644
index 0000000..1182347
--- /dev/null
+++ b/src/providers/ipa/ipa_rules_common.c
@@ -0,0 +1,455 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ipa/ipa_rules_common.h" + +static errno_t +ipa_common_save_list(struct sss_domain_info *domain, + bool delete_subdir, + const char *subdir, + const char *naming_attribute, + size_t count, + struct sysdb_attrs **list) +{ + int ret; + size_t c; + struct ldb_dn *base_dn; + const char *object_name; + struct ldb_message_element *el; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + if (delete_subdir) { + base_dn = sysdb_custom_subtree_dn(tmp_ctx, domain, subdir); + if (base_dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_delete_recursive(domain->sysdb, base_dn, true); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_delete_recursive failed.\n"); + goto done; + } + } + + for (c = 0; c < count; c++) { + ret = sysdb_attrs_get_el(list[c], naming_attribute, &el); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_get_el failed.\n"); + goto done; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "[%s] not found.\n", naming_attribute); + ret = EINVAL; + goto done; + } + object_name = talloc_strndup(tmp_ctx, (const char *)el->values[0].data, + el->values[0].length); + if (object_name == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Object name: [%s].\n", object_name); + + ret = sysdb_store_custom(domain, object_name, subdir, list[c]); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_store_custom failed.\n"); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +ipa_common_entries_and_groups_sysdb_save(struct sss_domain_info *domain, + const char *primary_subdir, + const char *attr_name, + size_t primary_count, + struct sysdb_attrs **primary, + const char *group_subdir, + const char *groupattr_name, + size_t group_count, + struct sysdb_attrs **groups) +{ + errno_t ret, sret; + bool in_transaction = false; + + if ((primary_count == 0 || primary == NULL) + || (group_count > 0 && groups == NULL)) { + /* There always has to be at least one + * primary entry. + */ + return EINVAL; + } + + /* Save the entries and groups to the cache */ + ret = sysdb_transaction_start(domain->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + }; + in_transaction = true; + + /* First, save the specific entries */ + ret = ipa_common_save_list(domain, true, primary_subdir, + attr_name, primary_count, primary); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not save %s. [%d][%s]\n", + primary_subdir, ret, strerror(ret)); + goto done; + } + + /* Second, save the groups */ + if (group_count > 0) { + ret = ipa_common_save_list(domain, true, group_subdir, + groupattr_name, group_count, groups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not save %s. 
[%d][%s]\n",
+ group_subdir, ret, strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(domain->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(domain->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not cancel sysdb transaction\n");
+ }
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Error [%d][%s]\n", ret, strerror(ret));
+ }
+ return ret;
+}
+
+errno_t
+ipa_common_get_cached_rules(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *rule,
+ const char *subtree_name,
+ const char **attrs,
+ size_t *_rule_count,
+ struct sysdb_attrs ***_rules)
+{
+ errno_t ret;
+ struct ldb_message **msgs;
+ struct sysdb_attrs **rules;
+ size_t rule_count;
+ TALLOC_CTX *tmp_ctx;
+ char *filter;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ filter = talloc_asprintf(tmp_ctx, "(objectClass=%s)", rule);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_custom(tmp_ctx, domain, filter,
+ subtree_name, attrs,
+ &rule_count, &msgs);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up HBAC rules\n");
+ goto done;
+ }
+
+ if (ret == ENOENT) {
+ rule_count = 0;
+ }
+
+ ret = sysdb_msg2attrs(tmp_ctx, rule_count, msgs, &rules);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not convert ldb message to sysdb_attrs\n");
+ goto done;
+ }
+
+ if (_rules) {
+ *_rules = talloc_steal(mem_ctx, rules);
+ }
+
+ if (_rule_count) {
+ *_rule_count = rule_count;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+ipa_common_purge_rules(struct sss_domain_info *domain,
+ const char *subtree_name)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_dn *base_dn;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ base_dn = sysdb_custom_subtree_dn(tmp_ctx, domain, subtree_name);
+ if (base_dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_delete_recursive(domain->sysdb, base_dn, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_delete_recursive failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t ipa_common_save_rules(struct sss_domain_info *domain,
+ struct ipa_common_entries *hosts,
+ struct ipa_common_entries *services,
+ struct ipa_common_entries *rules,
+ time_t *last_update)
+{
+ bool in_transaction = false;
+ errno_t ret;
+ errno_t sret;
+
+ ret = sysdb_transaction_start(domain->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ /* Save the hosts */
+ if (hosts != NULL) {
+ ret = ipa_common_entries_and_groups_sysdb_save(domain,
+ hosts->entry_subdir,
+ SYSDB_FQDN,
+ hosts->entry_count,
+ hosts->entries,
+ hosts->group_subdir,
+ SYSDB_NAME,
+ hosts->group_count,
+ hosts->groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error saving hosts [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ /* Save the services */
+ if (services != NULL) {
+ ret = ipa_common_entries_and_groups_sysdb_save(domain,
+ services->entry_subdir,
+ IPA_CN,
+ services->entry_count,
+ services->entries,
+ services->group_subdir,
+ IPA_CN,
+ services->group_count,
+ services->groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error saving services [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ /* Save the rules */
+ if (rules != NULL) {
+ ret = ipa_common_entries_and_groups_sysdb_save(domain,
+ rules->entry_subdir,
+ IPA_UNIQUE_ID,
+ rules->entry_count,
+ rules->entries,
+ NULL, NULL, 0, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error saving rules [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(domain->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+ *last_update = time(NULL);
+
+ ret = EOK;
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(domain->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
+ }
+ }
+
+ return ret;
+}
+
+errno_t
+ipa_common_get_hostgroupname(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *host_dn,
+ char **_hostgroupname)
+{
+ errno_t ret;
+ struct ldb_dn *dn;
+ const char *rdn_name;
+ const char *hostgroup_comp_name;
+ const char *account_comp_name;
+ const struct ldb_val *rdn_val;
+ const struct ldb_val *hostgroup_comp_val;
+ const struct ldb_val *account_comp_val;
+
+ /* This is an IPA-specific hack. It may not
+ * work for non-IPA servers and will need to
+ * be changed if SSSD ever supports HBAC on
+ * a non-IPA server.
+ */
+ *_hostgroupname = NULL;
+
+ dn = ldb_dn_new(mem_ctx, sysdb_ctx_get_ldb(sysdb), host_dn);
+ if (dn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!ldb_dn_validate(dn)) {
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ if (ldb_dn_get_comp_num(dn) < 4) {
+ /* RDN, hostgroups, accounts, and at least one DC= */
+ /* If it's fewer, it's not a group DN */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* If the RDN name is 'cn' */
+ rdn_name = ldb_dn_get_rdn_name(dn);
+ if (rdn_name == NULL) {
+ /* Shouldn't happen if ldb_dn_validate()
+ * passed, but we'll be careful.
+ */
+ ret = ERR_MALFORMED_ENTRY;
+ goto done;
+ }
+
+ if (strcasecmp("cn", rdn_name) != 0) {
+ /* RDN has the wrong attribute name.
+ * It's not a host.
+ */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* and the second component is "cn=hostgroups" */
+ hostgroup_comp_name = ldb_dn_get_component_name(dn, 1);
+ if (strcasecmp("cn", hostgroup_comp_name) != 0) {
+ /* The second component name is not "cn" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ hostgroup_comp_val = ldb_dn_get_component_val(dn, 1);
+ if (strncasecmp("hostgroups",
+ (const char *) hostgroup_comp_val->data,
+ hostgroup_comp_val->length) != 0) {
+ /* The second component value is not "hostgroups" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* and the third component is "accounts" */
+ account_comp_name = ldb_dn_get_component_name(dn, 2);
+ if (strcasecmp("cn", account_comp_name) != 0) {
+ /* The third component name is not "cn" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ account_comp_val = ldb_dn_get_component_val(dn, 2);
+ if (strncasecmp("accounts",
+ (const char *) account_comp_val->data,
+ account_comp_val->length) != 0) {
+ /* The third component value is not "accounts" */
+ ret = ERR_UNEXPECTED_ENTRY_TYPE;
+ goto done;
+ }
+
+ /* Then the value of the RDN is the group name */
+ rdn_val = ldb_dn_get_rdn_val(dn);
+ *_hostgroupname = talloc_strndup(mem_ctx,
+ (const char *)rdn_val->data,
+ rdn_val->length);
+ if (*_hostgroupname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(dn);
+ return ret;
+}
diff --git a/src/providers/ipa/ipa_rules_common.h b/src/providers/ipa/ipa_rules_common.h
new file mode 100644
index 0000000..6cf57eb
--- /dev/null
+++ b/src/providers/ipa/ipa_rules_common.h
@@ -0,0 +1,89 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_RULES_COMMON_H_
+#define IPA_RULES_COMMON_H_
+
+#include "providers/backend.h"
+
+#define IPA_UNIQUE_ID "ipauniqueid"
+
+#define OBJECTCLASS "objectclass"
+#define IPA_MEMBER_USER "memberUser"
+#define IPA_USER_CATEGORY "userCategory"
+#define IPA_EXTERNAL_HOST "externalHost"
+#define IPA_ENABLED_FLAG "ipaenabledflag"
+#define IPA_MEMBER_HOST "memberHost"
+#define IPA_HOST_CATEGORY "hostCategory"
+#define IPA_CN "cn"
+#define IPA_TRUE_VALUE "TRUE"
+
+/* From ipa_rules_common.c */
+
+struct ipa_common_entries {
+ const char *entry_subdir;
+ size_t entry_count;
+ struct sysdb_attrs **entries;
+
+ const char *group_subdir;
+ size_t group_count;
+ struct sysdb_attrs **groups;
+};
+
+errno_t
+ipa_common_entries_and_groups_sysdb_save(struct sss_domain_info *domain,
+ const char *primary_subdir,
+ const char *attr_name,
+ size_t primary_count,
+ struct sysdb_attrs **primary,
+ const char *group_subdir,
+ const char *groupattr_name,
+ size_t group_count,
+ struct sysdb_attrs **groups);
+
+errno_t
+ipa_common_get_cached_rules(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *rule,
+ const char *subtree_name,
+ const char **attrs,
+ size_t *_rule_count,
+ struct sysdb_attrs ***_rules);
+
+errno_t
+ipa_common_purge_rules(struct sss_domain_info *domain,
+ const char *subtree_name);
+
+errno_t
+ipa_common_save_rules(struct sss_domain_info *domain,
+ struct ipa_common_entries *hosts,
+ struct ipa_common_entries *services,
+ struct ipa_common_entries *rules,
+ time_t *last_update);
+
+errno_t
+ipa_common_get_hostgroupname(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ const char *host_dn,
+ char **_hostgroupname);
+
+#endif /* IPA_RULES_COMMON_H_ */
diff --git a/src/providers/ipa/ipa_s2n_exop.c b/src/providers/ipa/ipa_s2n_exop.c
new file mode 100644
index 0000000..6f39746
--- /dev/null
+++ b/src/providers/ipa/ipa_s2n_exop.c
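Review bot: The five prototypes at the end of ipa_rules_common.h have no contract comments, and the implementations in ipa_rules_common.c treat their out-parameters differently. `ipa_common_get_cached_rules()` tolerates NULL for `_rule_count` and `_rules`, whereas `ipa_common_save_rules()` stores to `*last_update` and `ipa_common_get_hostgroupname()` stores to `*_hostgroupname` with no NULL check, so the header alone does not tell a caller which pointers are mandatory. I would add one-line comments above the declarations, for example `/* last_update must not be NULL; written only after the transaction commits */` and `/* _hostgroupname must not be NULL; on success the name is allocated on mem_ctx */`, plus a note that `_rules` is moved onto `mem_ctx` with talloc_steal.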
@@ -0,0 +1,2935 @@ +/* + SSSD + + IPA Helper routines - external users and groups with s2n plugin + + Copyright (C) Sumit Bose - 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/sss_nss.h" +#include "util/strtonum.h" +#include "util/crypto/sss_crypto.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/sdap_async_ad.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ipa/ipa_id.h" +#include "providers/ipa/ipa_subdomains.h" +#include "providers/ad/ad_pac.h" +#include "db/sysdb.h" + +enum input_types { + INP_SID = 1, + INP_NAME, + INP_POSIX_UID, + INP_POSIX_GID, + INP_CERT +}; + +enum request_types { + REQ_SIMPLE = 1, + REQ_FULL, + REQ_FULL_WITH_MEMBERS +}; + +enum response_types { + RESP_SID = 1, + RESP_NAME, + RESP_USER, + RESP_GROUP, + RESP_USER_GROUPLIST, + RESP_GROUP_MEMBERS, + RESP_NAME_LIST +}; + +/* ==Sid2Name Extended Operation============================================= */ +struct ipa_s2n_exop_state { + struct sdap_handle *sh; + + struct sdap_op *op; + + char *retoid; + struct berval *retdata; +}; + +static void ipa_s2n_exop_done(struct sdap_op *op, + struct sdap_msg *reply, + int error, void *pvt); + +static struct tevent_req *ipa_s2n_exop_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + bool is_v1, + int timeout, + struct berval *bv) +{ + struct 
tevent_req *req = NULL; + struct ipa_s2n_exop_state *state; + int ret; + int msgid; + + req = tevent_req_create(mem_ctx, &state, struct ipa_s2n_exop_state); + if (!req) return NULL; + + state->sh = sh; + state->retoid = NULL; + state->retdata = NULL; + + DEBUG(SSSDBG_TRACE_FUNC, "Executing extended operation\n"); + + ret = ldap_extended_operation(state->sh->ldap, + is_v1 ? EXOP_SID2NAME_V1_OID : EXOP_SID2NAME_OID, + bv, NULL, NULL, &msgid); + if (ret == -1 || msgid == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "ldap_extended_operation failed\n"); + ret = ERR_NETWORK_IO; + goto fail; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "ldap_extended_operation sent, msgid = %d\n", + msgid); + + ret = sdap_op_add(state, ev, state->sh, msgid, ipa_s2n_exop_done, req, + timeout, &state->op); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n"); + ret = ERR_INTERNAL; + goto fail; + } + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ipa_s2n_exop_done(struct sdap_op *op, + struct sdap_msg *reply, + int error, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct ipa_s2n_exop_state *state = tevent_req_data(req, + struct ipa_s2n_exop_state); + int ret; + char *errmsg = NULL; + char *retoid = NULL; + struct berval *retdata = NULL; + int result; + + if (error) { + tevent_req_error(req, error); + return; + } + + ret = ldap_parse_result(state->sh->ldap, reply->msg, + &result, NULL, &errmsg, NULL, + NULL, 0); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n", + state->op->msgid); + ret = ERR_NETWORK_IO; + goto done; + } + + DEBUG(result == LDAP_SUCCESS ? 
SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE, + "ldap_extended_operation result: %s(%d), %s.\n", + sss_ldap_err2string(result), result, errmsg); + + if (result != LDAP_SUCCESS) { + if (result == LDAP_NO_SUCH_OBJECT) { + ret = ENOENT; + } else { + DEBUG(SSSDBG_OP_FAILURE, "ldap_extended_operation failed, server " \ + "logs might contain more details.\n"); + ret = ERR_NETWORK_IO; + } + goto done; + } + + ret = ldap_parse_extended_result(state->sh->ldap, reply->msg, + &retoid, &retdata, 0); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_extendend_result failed (%d)\n", + ret); + ret = ERR_NETWORK_IO; + goto done; + } + if (retdata == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing exop result data.\n"); + ret = EINVAL; + goto done; + } + + state->retoid = talloc_strdup(state, retoid); + if (state->retoid == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + state->retdata = talloc(state, struct berval); + if (state->retdata == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto done; + } + state->retdata->bv_len = retdata->bv_len; + state->retdata->bv_val = talloc_memdup(state->retdata, retdata->bv_val, + retdata->bv_len); + if (state->retdata->bv_val == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + ldap_memfree(errmsg); + ldap_memfree(retoid); + ber_bvfree(retdata); + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +static int ipa_s2n_exop_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + char **retoid, struct berval **retdata) +{ + struct ipa_s2n_exop_state *state = tevent_req_data(req, + struct ipa_s2n_exop_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *retoid = talloc_steal(mem_ctx, state->retoid); + *retdata = talloc_steal(mem_ctx, state->retdata); + + return EOK; +} + +static errno_t talloc_ber_flatten(TALLOC_CTX *mem_ctx, BerElement *ber, + struct 
berval **_bv) +{ + int ret; + struct berval *bv = NULL; + struct berval *tbv = NULL; + + ret = ber_flatten(ber, &bv); + if (ret == -1) { + ret = EFAULT; + goto done; + } + + tbv = talloc_zero(mem_ctx, struct berval); + if (tbv == NULL) { + ret = ENOMEM; + goto done; + } + + tbv->bv_len = bv->bv_len; + tbv->bv_val = talloc_memdup(tbv, bv->bv_val, bv->bv_len); + if (tbv->bv_val == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + ber_bvfree(bv); + if (ret == EOK) { + *_bv = tbv; + } else { + talloc_free(tbv); + } + + return ret; +} + +/* The extended operation expect the following ASN.1 encoded request data: + * + * ExtdomRequestValue ::= SEQUENCE { + * inputType ENUMERATED { + * sid (1), + * name (2), + * posix uid (3), + * posix gid (3) + * }, + * requestType ENUMERATED { + * simple (1), + * full (2) + * full_with_members (3) + * }, + * data InputData + * } + * + * InputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData + * uid PosixUid, + * gid PosixGid + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUid ::= SEQUENCE { + * domain_name OCTET STRING, + * uid INTEGER + * } + * + * PosixGid ::= SEQUENCE { + * domain_name OCTET STRING, + * gid INTEGER + * } + * + */ + +static errno_t s2n_encode_request(TALLOC_CTX *mem_ctx, + const char *domain_name, + int entry_type, + enum request_types request_type, + struct req_input *req_input, + struct berval **_bv) +{ + BerElement *ber = NULL; + int ret; + + ber = ber_alloc_t( LBER_USE_DER ); + if (ber == NULL) { + return ENOMEM; + } + + switch (entry_type) { + case BE_REQ_USER: + case BE_REQ_USER_AND_GROUP: /* the extdom exop does not care if the + ID belongs to a user or a group */ + if (req_input->type == REQ_INP_NAME) { + ret = ber_printf(ber, "{ee{ss}}", INP_NAME, request_type, + domain_name, + req_input->inp.name); + } else if (req_input->type == REQ_INP_ID) { + ret = ber_printf(ber, "{ee{si}}", INP_POSIX_UID, 
request_type, + domain_name, + req_input->inp.id); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n", + req_input->type == REQ_INP_ID); + ret = EINVAL; + goto done; + } + break; + case BE_REQ_GROUP: + if (req_input->type == REQ_INP_NAME) { + ret = ber_printf(ber, "{ee{ss}}", INP_NAME, request_type, + domain_name, + req_input->inp.name); + } else if (req_input->type == REQ_INP_ID) { + ret = ber_printf(ber, "{ee{si}}", INP_POSIX_GID, request_type, + domain_name, + req_input->inp.id); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n", + req_input->type == REQ_INP_ID); + ret = EINVAL; + goto done; + } + break; + case BE_REQ_BY_SECID: + if (req_input->type == REQ_INP_SECID) { + ret = ber_printf(ber, "{ees}", INP_SID, request_type, + req_input->inp.secid); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n", + req_input->type == REQ_INP_ID); + ret = EINVAL; + goto done; + } + break; + case BE_REQ_BY_CERT: + if (req_input->type == REQ_INP_CERT) { + ret = ber_printf(ber, "{ees}", INP_CERT, request_type, + req_input->inp.cert); + } else { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n", + req_input->type); + ret = EINVAL; + goto done; + } + break; + default: + ret = EINVAL; + goto done; + } + if (ret == -1) { + ret = EFAULT; + goto done; + } + + ret = talloc_ber_flatten(mem_ctx, ber, _bv); + if (ret != EOK) { + goto done; + } + + ret = EOK; + +done: + ber_free(ber, 1); + + return ret; +} + +/* If the extendend operation is successful it returns the following ASN.1 + * encoded response: + * + * ExtdomResponseValue ::= SEQUENCE { + * responseType ENUMERATED { + * sid (1), + * name (2), + * posix_user (3), + * posix_group (4), + * posix_user_grouplist (5), + * posix_group_members (6) + * }, + * data OutputData + * } + * + * OutputData ::= CHOICE { + * sid OCTET STRING, + * name NameDomainData, + * user PosixUser, + * group PosixGroup, + * usergrouplist PosixUserGrouplist, + * groupmembers PosixGroupMembers + 
* + * } + * + * NameDomainData ::= SEQUENCE { + * domain_name OCTET STRING, + * object_name OCTET STRING + * } + * + * PosixUser ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER + * gid INTEGER + * } + * + * PosixGroup ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER + * } + * + * PosixUserGrouplist ::= SEQUENCE { + * domain_name OCTET STRING, + * user_name OCTET STRING, + * uid INTEGER, + * gid INTEGER, + * gecos OCTET STRING, + * home_directory OCTET STRING, + * shell OCTET STRING, + * grouplist GroupNameList + * } + * + * GroupNameList ::= SEQUENCE OF OCTET STRING + * + * PosixGroupMembers ::= SEQUENCE { + * domain_name OCTET STRING, + * group_name OCTET STRING, + * gid INTEGER, + * members GroupMemberList + * } + * + * GroupMemberList ::= SEQUENCE OF OCTET STRING + */ + +struct name_list { + char *domain_name; + char *name; +}; + +struct resp_attrs { + enum response_types response_type; + char *domain_name; + union { + struct passwd user; + struct group group; + char *sid_str; + char *name; + } a; + size_t ngroups; + char **groups; + struct sysdb_attrs *sysdb_attrs; + char **name_list; +}; + +static errno_t get_extra_attrs(BerElement *ber, struct resp_attrs *resp_attrs) +{ + ber_tag_t tag; + ber_len_t ber_len; + char *ber_cookie; + char *name; + struct berval **values; + struct ldb_val v; + int ret; + size_t c; + + if (resp_attrs->sysdb_attrs == NULL) { + resp_attrs->sysdb_attrs = sysdb_new_attrs(resp_attrs); + if (resp_attrs->sysdb_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + return ENOMEM; + } + } + + DEBUG(SSSDBG_TRACE_ALL, "Found new sequence.\n"); + for (tag = ber_first_element(ber, &ber_len, &ber_cookie); + tag != LBER_DEFAULT; + tag = ber_next_element(ber, &ber_len, ber_cookie)) { + + tag = ber_scanf(ber, "{a{V}}", &name, &values); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + return EINVAL; + } + 
DEBUG(SSSDBG_TRACE_ALL, "Extra attribute [%s].\n", name); + + for (c = 0; values[c] != NULL; c++) { + + if (strcmp(name, SYSDB_USER_CERT) == 0) { + if (values[c]->bv_val[values[c]->bv_len] != '\0') { + DEBUG(SSSDBG_OP_FAILURE, + "base64 encoded certificate not 0-terminated.\n"); + return EINVAL; + } + + v.data = sss_base64_decode(NULL, values[c]->bv_val, &v.length); + if (v.data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + return EINVAL; + } + } else { + v.data = (uint8_t *)values[c]->bv_val; + v.length = values[c]->bv_len; + } + + ret = sysdb_attrs_add_val(resp_attrs->sysdb_attrs, name, &v); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_val failed.\n"); + ldap_memfree(name); + ber_bvecfree(values); + return ret; + } + } + + ldap_memfree(name); + ber_bvecfree(values); + } + + return EOK; +} + +static errno_t add_v1_user_data(struct sss_domain_info *dom, + BerElement *ber, + struct resp_attrs *attrs) +{ + ber_tag_t tag; + ber_len_t ber_len; + int ret; + char *gecos = NULL; + char *homedir = NULL; + char *name = NULL; + char *domain = NULL; + char *shell = NULL; + char **list = NULL; + size_t c, gc; + struct sss_domain_info *parent_domain; + struct sss_domain_info *obj_domain; + + tag = ber_scanf(ber, "aaa", &gecos, &homedir, &shell); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + if (gecos == NULL || *gecos == '\0') { + attrs->a.user.pw_gecos = NULL; + } else { + attrs->a.user.pw_gecos = talloc_strdup(attrs, gecos); + if (attrs->a.user.pw_gecos == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (homedir == NULL || *homedir == '\0') { + attrs->a.user.pw_dir = NULL; + } else { + attrs->a.user.pw_dir = talloc_strdup(attrs, homedir); + if (attrs->a.user.pw_dir == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (shell == NULL || *shell == '\0') 
{ + attrs->a.user.pw_shell = NULL; + } else { + attrs->a.user.pw_shell = talloc_strdup(attrs, shell); + if (attrs->a.user.pw_shell == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + tag = ber_scanf(ber, "{v}", &list); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + for (attrs->ngroups = 0; list[attrs->ngroups] != NULL; + attrs->ngroups++); + + if (attrs->ngroups > 0) { + attrs->groups = talloc_zero_array(attrs, char *, attrs->ngroups + 1); + if (attrs->groups == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + parent_domain = get_domains_head(dom); + + for (c = 0, gc = 0; c < attrs->ngroups; c++) { + ret = sss_parse_name(attrs, dom->names, list[c], + &domain, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot parse member %s\n", list[c]); + continue; + } + + if (domain != NULL) { + obj_domain = find_domain_by_name(parent_domain, domain, true); + if (obj_domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n"); + return ENOMEM; + } + } else { + obj_domain = parent_domain; + } + + attrs->groups[gc] = sss_create_internal_fqname(attrs->groups, + name, obj_domain->name); + if (attrs->groups[gc] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + gc++; + } + } + + tag = ber_peek_tag(ber, &ber_len); + DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag); + if (tag == LBER_SEQUENCE) { + ret = get_extra_attrs(ber, attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_extra_attrs failed.\n"); + goto done; + } + } + + + ret = EOK; + +done: + ber_memfree(gecos); + ber_memfree(homedir); + ber_memfree(shell); + ber_memvfree((void **) list); + + return ret; +} + +static errno_t add_v1_group_data(BerElement *ber, + struct sss_domain_info *dom, + struct resp_attrs *attrs) +{ + ber_tag_t tag; + ber_len_t ber_len; + int 
ret; + char **list = NULL; + size_t c, mc; + char *name = NULL; + char *domain = NULL; + + tag = ber_scanf(ber, "{v}", &list); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + if (list != NULL) { + for (attrs->ngroups = 0; list[attrs->ngroups] != NULL; + attrs->ngroups++); + + if (attrs->ngroups > 0) { + attrs->a.group.gr_mem = talloc_zero_array(attrs, char *, + attrs->ngroups + 1); + if (attrs->a.group.gr_mem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + for (c = 0, mc=0; c < attrs->ngroups; c++) { + ret = sss_parse_name(attrs, dom->names, list[c], + &domain, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot parse member %s\n", list[c]); + continue; + } + + if (domain == NULL) { + domain = dom->name; + } + + attrs->a.group.gr_mem[mc] = + sss_create_internal_fqname(attrs->a.group.gr_mem, + name, domain); + if (attrs->a.group.gr_mem[mc] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + mc++; + } + } + } else { + attrs->a.group.gr_mem = talloc_zero_array(attrs, char *, 1); + if (attrs->a.group.gr_mem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + } + + tag = ber_peek_tag(ber, &ber_len); + DEBUG(SSSDBG_TRACE_ALL, "BER tag is [%d]\n", (int) tag); + if (tag == LBER_SEQUENCE) { + ret = get_extra_attrs(ber, attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_extra_attrs failed.\n"); + goto done; + } + } + + ret = EOK; + +done: + ber_memvfree((void **) list); + + return ret; +} + +static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom, + struct req_input *req_input, + struct resp_attrs *attrs, + struct resp_attrs *simple_attrs, + const char *view_name, + struct sysdb_attrs *override_attrs, + struct sysdb_attrs *mapped_attrs, + bool update_initgr_timeout); + +static errno_t s2n_response_to_attrs(TALLOC_CTX *mem_ctx, + 
struct sss_domain_info *dom, + char *retoid, + struct berval *retdata, + struct resp_attrs **resp_attrs) +{ + BerElement *ber = NULL; + ber_tag_t tag; + int ret; + enum response_types type; + char *domain_name = NULL; + char *name = NULL; + char *lc_name = NULL; + uid_t uid; + gid_t gid; + struct resp_attrs *attrs = NULL; + char *sid_str; + bool is_v1 = false; + char **name_list = NULL; + ber_len_t ber_len; + char *fq_name = NULL; + struct sss_domain_info *root_domain = NULL; + + if (retoid == NULL || retdata == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing OID or data.\n"); + return EINVAL; + } + + if (strcmp(retoid, EXOP_SID2NAME_V1_OID) == 0) { + is_v1 = true; + } else if (strcmp(retoid, EXOP_SID2NAME_OID) == 0) { + is_v1 = false; + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Result has wrong OID, expected [%s] or [%s], got [%s].\n", + EXOP_SID2NAME_OID, EXOP_SID2NAME_V1_OID, retoid); + return EINVAL; + } + + ber = ber_init(retdata); + if (ber == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ber_init failed.\n"); + return EINVAL; + } + + tag = ber_scanf(ber, "{e", &type); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + attrs = talloc_zero(mem_ctx, struct resp_attrs); + if (attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + + switch (type) { + case RESP_USER: + case RESP_USER_GROUPLIST: + tag = ber_scanf(ber, "{aaii", &domain_name, &name, &uid, &gid); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + /* Winbind is not consistent with the case of the returned user + * name. In general all names should be lower case but there are + * bug in some version of winbind which might lead to upper case + * letters in the name. To be on the safe side we explicitly + * lowercase the name. 
*/ + lc_name = sss_tc_utf8_str_tolower(attrs, name); + if (lc_name == NULL) { + ret = ENOMEM; + goto done; + } + + attrs->a.user.pw_name = sss_create_internal_fqname(attrs, + lc_name, + domain_name); + talloc_free(lc_name); + if (attrs->a.user.pw_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + attrs->a.user.pw_uid = uid; + attrs->a.user.pw_gid = gid; + + if (is_v1 && type == RESP_USER_GROUPLIST) { + ret = add_v1_user_data(dom, ber, attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_v1_user_data failed.\n"); + goto done; + } + } + + tag = ber_scanf(ber, "}}"); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + break; + case RESP_GROUP: + case RESP_GROUP_MEMBERS: + tag = ber_scanf(ber, "{aai", &domain_name, &name, &gid); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + /* Winbind is not consistent with the case of the returned user + * name. In general all names should be lower case but there are + * bug in some version of winbind which might lead to upper case + * letters in the name. To be on the safe side we explicitly + * lowercase the name. 
*/ + lc_name = sss_tc_utf8_str_tolower(attrs, name); + if (lc_name == NULL) { + ret = ENOMEM; + goto done; + } + + attrs->a.group.gr_name = sss_create_internal_fqname(attrs, + lc_name, + domain_name); + talloc_free(lc_name); + if (attrs->a.group.gr_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + attrs->a.group.gr_gid = gid; + + if (is_v1 && type == RESP_GROUP_MEMBERS) { + ret = add_v1_group_data(ber, dom, attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_v1_group_data failed.\n"); + goto done; + } + } + + tag = ber_scanf(ber, "}}"); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + break; + case RESP_SID: + tag = ber_scanf(ber, "a}", &sid_str); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + attrs->a.sid_str = talloc_strdup(attrs, sid_str); + if (attrs->a.sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + break; + case RESP_NAME: + tag = ber_scanf(ber, "{aa}", &domain_name, &name); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + attrs->a.name = sss_tc_utf8_str_tolower(attrs, name); + if (attrs->a.name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_tc_utf8_str_tolower failed.\n"); + ret = ENOMEM; + goto done; + } + break; + case RESP_NAME_LIST: + tag = ber_scanf(ber, "{"); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + root_domain = get_domains_head(dom); + + while (ber_peek_tag(ber, &ber_len) == LBER_SEQUENCE) { + tag = ber_scanf(ber, "{aa}", &domain_name, &name); + if (tag == LBER_ERROR) { + DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n"); + ret = EINVAL; + goto done; + } + + fq_name = sss_create_internal_fqname(attrs, name, domain_name); + if (fq_name == NULL) { + 
DEBUG(SSSDBG_OP_FAILURE,
+ "sss_create_internal_fqname failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "[%s][%s][%s].\n", domain_name, name,
+ fq_name);
+
+ if (strcasecmp(root_domain->name, domain_name) != 0) {
+ ret = add_string_to_list(attrs, fq_name, &name_list);
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "[%s] from root domain, skipping.\n", fq_name);
+ ret = EOK; /* Free resources and continue in the loop */
+ }
+ ber_memfree(domain_name);
+ ber_memfree(name);
+ talloc_free(fq_name);
+ domain_name = NULL;
+ name = NULL;
+ fq_name = NULL;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_to_name_list failed.\n");
+ goto done;
+ }
+ }
+
+ tag = ber_scanf(ber, "}}");
+ if (tag == LBER_ERROR) {
+ DEBUG(SSSDBG_OP_FAILURE, "ber_scanf failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ attrs->name_list = name_list;
+ break;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected response type [%d].\n",
+ type);
+ ret = EINVAL;
+ goto done;
+ }
+
+ attrs->response_type = type;
+ if (type != RESP_SID && type != RESP_NAME_LIST) {
+ attrs->domain_name = talloc_strdup(attrs, domain_name);
+ if (attrs->domain_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ ber_memfree(domain_name);
+ ber_memfree(name);
+ talloc_free(fq_name);
+ ber_free(ber, 1);
+
+ if (ret == EOK) {
+ *resp_attrs = attrs;
+ } else {
+ talloc_free(attrs);
+ }
+
+ return ret;
+}
+
+static const char *ipa_s2n_reqtype2str(enum request_types request_type)
+{
+ switch (request_type) {
+ case REQ_SIMPLE:
+ return "REQ_SIMPLE";
+ case REQ_FULL:
+ return "REQ_FULL";
+ case REQ_FULL_WITH_MEMBERS:
+ return "REQ_FULL_WITH_MEMBERS";
+ default:
+ break;
+ }
+
+ return "Unknown request type";
+}
+
+static const char *ipa_s2n_reqinp2str(TALLOC_CTX *mem_ctx,
+ struct req_input *req_input)
+{
+ const char *str = NULL;
+
+ switch (req_input->type) {
+ case REQ_INP_NAME:
+ str = talloc_strdup(mem_ctx, req_input->inp.name);
+ break;
+ case REQ_INP_SECID:
+ str = talloc_strdup(mem_ctx, req_input->inp.secid);
+ break;
+ case REQ_INP_CERT:
+ str = talloc_strdup(mem_ctx, req_input->inp.cert);
+ break;
+ case REQ_INP_ID:
+ str = talloc_asprintf(mem_ctx, "%u", req_input->inp.id);
+ break;
+ }
+
+ if (str == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n");
+ }
+
+ return str;
+}
+
+struct ipa_s2n_get_list_state {
+ struct tevent_context *ev;
+ struct ipa_id_ctx *ipa_ctx;
+ struct sss_domain_info *dom;
+ struct sdap_handle *sh;
+ struct req_input req_input;
+ char **list;
+ size_t list_idx;
+ int exop_timeout;
+ int entry_type;
+ enum request_types request_type;
+ struct resp_attrs *attrs;
+ struct sss_domain_info *obj_domain;
+ struct sysdb_attrs *override_attrs;
+ struct sysdb_attrs *mapped_attrs;
+};
+
+static errno_t ipa_s2n_get_list_step(struct tevent_req *req);
+static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq);
+static void ipa_s2n_get_list_next(struct tevent_req *subreq);
+static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req);
+
+static struct tevent_req *ipa_s2n_get_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *dom,
+ struct sdap_handle *sh,
+ int exop_timeout,
+ int entry_type,
+ enum request_types request_type,
+ enum req_input_type list_type,
+ char **list,
+ struct sysdb_attrs *mapped_attrs)
+{
+ int ret;
+ struct ipa_s2n_get_list_state *state;
+ struct tevent_req *req;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_s2n_get_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if ((entry_type == BE_REQ_BY_SECID && list_type != REQ_INP_SECID)
+ || (entry_type != BE_REQ_BY_SECID && list_type == REQ_INP_SECID)) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid parameter combination [%d][%d].\n",
+ request_type, list_type);
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->ev = ev;
+ state->ipa_ctx = ipa_ctx;
+ state->dom = dom;
+ state->sh = sh;
+ state->list = list;
+ state->list_idx = 0;
+ state->req_input.type = list_type;
+ state->req_input.inp.name = NULL;
+ state->exop_timeout = exop_timeout;
+ state->entry_type = entry_type;
+ state->request_type = request_type;
+ state->attrs = NULL;
+ state->override_attrs = NULL;
+ state->mapped_attrs = mapped_attrs;
+
+ ret = ipa_s2n_get_list_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_step failed.\n");
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static errno_t ipa_s2n_get_list_step(struct tevent_req *req)
+{
+ int ret;
+ struct ipa_s2n_get_list_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_list_state);
+ struct berval *bv_req;
+ struct tevent_req *subreq;
+ struct sss_domain_info *parent_domain;
+ char *short_name = NULL;
+ char *domain_name = NULL;
+ uint32_t id;
+ char *endptr;
+ bool need_v1 = false;
+
+ parent_domain = get_domains_head(state->dom);
+ switch (state->req_input.type) {
+ case REQ_INP_NAME:
+
+ ret = sss_parse_name(state, state->dom->names, state->list[state->list_idx],
+ &domain_name, &short_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
+ state->list[state->list_idx],
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (domain_name) {
+ state->obj_domain = find_domain_by_name(parent_domain,
+ domain_name, true);
+ if (state->obj_domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n");
+ return ENOMEM;
+ }
+ } else {
+ state->obj_domain = parent_domain;
+ }
+
+ state->req_input.inp.name = short_name;
+
+ break;
+ case REQ_INP_ID:
+ errno = 0;
+ id = strtouint32(state->list[state->list_idx], &endptr, 10);
+ if (errno != 0 || *endptr != '\0'
+ || (state->list[state->list_idx] == endptr)) {
+ DEBUG(SSSDBG_OP_FAILURE, "strtouint32 failed.\n");
+ return EINVAL;
+ }
+ state->req_input.inp.id = id;
+ state->obj_domain = state->dom;
+
+ break;
+ case REQ_INP_SECID:
+ state->req_input.inp.secid = state->list[state->list_idx];
+ state->obj_domain = find_domain_by_sid(parent_domain,
+ state->req_input.inp.secid);
+ if (state->obj_domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "find_domain_by_sid failed for SID [%s].\n",
+ state->req_input.inp.secid);
+ return EINVAL;
+ }
+
+ break;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected input type [%d].\n",
+ state->req_input.type);
+ return EINVAL;
+ }
+
+ ret = s2n_encode_request(state, state->obj_domain->name, state->entry_type,
+ state->request_type,
+ &state->req_input, &bv_req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n_encode_request failed.\n");
+ return ret;
+ }
+
+ if (state->request_type == REQ_FULL_WITH_MEMBERS) {
+ need_v1 = true;
+ }
+
+ if (state->req_input.type == REQ_INP_NAME
+ && state->req_input.inp.name != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Sending request_type: [%s] for object [%s].\n",
+ ipa_s2n_reqtype2str(state->request_type),
+ state->list[state->list_idx]);
+ }
+
+ subreq = ipa_s2n_exop_send(state, state->ev, state->sh, need_v1,
+ state->exop_timeout, bv_req);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_exop_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_list_next, req);
+
+ return EOK;
+}
+
+static void ipa_s2n_get_list_next(struct tevent_req *subreq)
+{
+ int ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_s2n_get_list_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_list_state);
+ char *retoid = NULL;
+ struct berval *retdata = NULL;
+ const char *sid_str;
+ struct dp_id_data *ar;
+
+ ret = ipa_s2n_exop_recv(subreq, state, &retoid, &retdata);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed.\n");
+ goto fail;
+ }
+
+ talloc_zfree(state->attrs);
+ ret = s2n_response_to_attrs(state, state->dom, retoid, retdata,
+ &state->attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n_response_to_attrs failed.\n");
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Received [%s] attributes from IPA server.\n",
+ state->attrs->a.name);
+
+ if (is_default_view(state->ipa_ctx->view_name)) {
+ ret = ipa_s2n_get_list_save_step(req);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_save_step failed.\n");
+ goto fail;
+ }
+
+ return;
+ }
+
+ ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR,
+ &sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Object [%s] has no SID, please check the "
+ "ipaNTSecurityIdentifier attribute on the server-side",
+ state->attrs->a.name);
+ goto fail;
+ }
+
+ ret = get_dp_id_data_for_sid(state, sid_str, state->obj_domain->name, &ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ goto fail;
+ }
+
+ subreq = ipa_get_ad_override_send(state, state->ev,
+ state->ipa_ctx->sdap_id_ctx,
+ state->ipa_ctx->ipa_options,
+ dp_opt_get_string(state->ipa_ctx->ipa_options->basic,
+ IPA_KRB5_REALM),
+ state->ipa_ctx->view_name,
+ ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_list_get_override_done, req);
+
+ return;
+
+fail:
+ tevent_req_error(req,ret);
+ return;
+}
+
+static void ipa_s2n_get_list_get_override_done(struct tevent_req *subreq)
+{
+ int ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_s2n_get_list_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_list_state);
+
+ ret = ipa_get_ad_override_recv(subreq, NULL, state, &state->override_attrs);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+ goto fail;
+ }
+
+ ret = ipa_s2n_get_list_save_step(req);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_save_step failed.\n");
+ goto fail;
+ }
+
+ return;
+
+fail:
+ tevent_req_error(req,ret);
+ return;
+}
+
+static errno_t ipa_s2n_get_list_save_step(struct tevent_req *req)
+{
+ int ret;
+ struct ipa_s2n_get_list_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_list_state);
+
+ ret = ipa_s2n_save_objects(state->dom, &state->req_input, state->attrs,
+ NULL, state->ipa_ctx->view_name,
+ state->override_attrs, state->mapped_attrs,
+ false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+ return ret;
+ }
+
+ state->list_idx++;
+ if (state->list[state->list_idx] == NULL) {
+ return EOK;
+ }
+
+ ret = ipa_s2n_get_list_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_step failed.\n");
+ return ret;
+ }
+
+ return EAGAIN;
+}
+
+static int ipa_s2n_get_list_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_s2n_get_user_state {
+ struct tevent_context *ev;
+ struct ipa_id_ctx *ipa_ctx;
+ struct sdap_options *opts;
+ struct sss_domain_info *dom;
+ struct sdap_handle *sh;
+ struct req_input *req_input;
+ int entry_type;
+ enum request_types request_type;
+ struct resp_attrs *attrs;
+ struct resp_attrs *simple_attrs;
+ struct sysdb_attrs *override_attrs;
+ struct sysdb_attrs *mapped_attrs;
+ int exop_timeout;
+};
+
+static void ipa_s2n_get_user_done(struct tevent_req *subreq);
+
+struct tevent_req *ipa_s2n_get_acct_info_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs *override_attrs,
+ struct sdap_handle *sh,
+ int entry_type,
+ struct req_input *req_input)
+{
+ struct ipa_s2n_get_user_state *state;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct berval *bv_req = NULL;
+ const char *input;
+ int ret = EFAULT;
+ bool is_v1 = false;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_s2n_get_user_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->ipa_ctx = ipa_ctx;
+ state->opts = opts;
+ state->dom = dom;
+ state->sh = sh;
+ state->req_input = req_input;
+ state->entry_type = entry_type;
+ state->attrs = NULL;
+ state->simple_attrs = NULL;
+ state->exop_timeout = dp_opt_get_int(opts->basic, SDAP_SEARCH_TIMEOUT);
+ state->override_attrs = override_attrs;
+
+ if (sdap_is_extension_supported(sh, EXOP_SID2NAME_V1_OID)) {
+ state->request_type = REQ_FULL_WITH_MEMBERS;
+ is_v1 = true;
+ } else if (sdap_is_extension_supported(sh, EXOP_SID2NAME_OID)) {
+ state->request_type = REQ_FULL;
+ is_v1 = false;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Extdom not supported on the server, "
+ "cannot resolve objects from trusted domains.\n");
+ ret = EIO;
+ goto fail;
+ }
+
+ if (entry_type == BE_REQ_BY_CERT) {
+ /* Only REQ_SIMPLE is supported for BE_REQ_BY_CERT */
+ state->request_type = REQ_SIMPLE;
+ }
+
+ ret = s2n_encode_request(state, dom->name, entry_type, state->request_type,
+ req_input, &bv_req);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ if (DEBUG_IS_SET(SSSDBG_TRACE_FUNC)) {
+ input = ipa_s2n_reqinp2str(state, req_input);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Sending request_type: [%s] for trust user [%s] to IPA server\n",
+ ipa_s2n_reqtype2str(state->request_type),
+ input);
+ talloc_zfree(input);
+ }
+
+ subreq = ipa_s2n_exop_send(state, state->ev, state->sh, is_v1,
+ state->exop_timeout, bv_req);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_exop_send failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_user_done, req);
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t process_members(struct sss_domain_info *domain,
+ bool is_default_view,
+ struct sysdb_attrs *group_attrs,
+ char **members,
+ TALLOC_CTX *mem_ctx, char ***_missing_members)
+{
+ int ret;
+ size_t c;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message *msg;
+ const char *dn_str;
+ struct sss_domain_info *obj_domain;
+ struct sss_domain_info *parent_domain;
+ char **missing_members = NULL;
+ size_t miss_count = 0;
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
+
+ if (members == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "No members\n");
+ if (_missing_members != NULL) {
+ *_missing_members = NULL;
+ }
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ if (_missing_members != NULL && mem_ctx != NULL) {
+ /* count members */
+ for (c = 0; members[c] != NULL; c++);
+ missing_members = talloc_zero_array(tmp_ctx, char *, c + 1);
+ if (missing_members == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array_zero failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ parent_domain = get_domains_head(domain);
+
+ for (c = 0; members[c] != NULL; c++) {
+ obj_domain = find_domain_by_object_name(parent_domain, members[c]);
+ if (obj_domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_user_by_name(tmp_ctx, obj_domain, members[c], attrs,
+ &msg);
+ if (ret == EOK || ret == ENOENT) {
+ if (ret == ENOENT
+ || (!is_default_view
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
+ NULL) == NULL)) {
+ /* only add ghost if the member is really missing */
+ if (group_attrs != NULL && ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "Adding ghost member [%s]\n",
+ members[c]);
+
+ /* There were cases where the server returned the same user
+ * multiple times */
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_GHOST,
+ members[c]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto done;
+ }
+ }
+
+ if (missing_members != NULL) {
+ missing_members[miss_count] = talloc_strdup(missing_members,
+ members[c]);
+ if (missing_members[miss_count] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ miss_count++;
+ }
+ } else {
+ if (group_attrs != NULL) {
+ dn_str = ldb_dn_get_linearized(msg->dn);
+ if (dn_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_get_linearized failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Adding member [%s][%s]\n",
+ members[c], dn_str);
+
+ ret = sysdb_attrs_add_string_safe(group_attrs, SYSDB_MEMBER,
+ dn_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string_safe failed.\n");
+ goto done;
+ }
+ }
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n");
+ goto done;
+ }
+ }
+
+ if (_missing_members != NULL) {
+ if (miss_count == 0) {
+ *_missing_members = NULL;
+ } else {
+ if (mem_ctx != NULL) {
+ *_missing_members = talloc_steal(mem_ctx, missing_members);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing memory context for missing members list.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static errno_t get_group_dn_list(TALLOC_CTX *mem_ctx,
+ bool is_default_view,
+ struct sss_domain_info *dom,
+ size_t ngroups, char **groups,
+ struct ldb_dn ***_dn_list,
+ char ***_missing_groups)
+{
+ int ret;
+ size_t c;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_dn **dn_list = NULL;
+ char **missing_groups = NULL;
+ struct ldb_message *msg = NULL;
+ size_t n_dns = 0;
+ size_t n_missing = 0;
+ struct sss_domain_info *obj_domain;
+ struct sss_domain_info *parent_domain;
+ const char *attrs[] = {SYSDB_NAME, SYSDB_OVERRIDE_DN, NULL};
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ dn_list = talloc_zero_array(tmp_ctx, struct ldb_dn *, ngroups + 1);
+ missing_groups = talloc_zero_array(tmp_ctx, char *, ngroups + 1);
+ if (dn_list == NULL || missing_groups == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array_zero failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ parent_domain = (dom->parent == NULL) ? dom : dom->parent;
+
+ for (c = 0; c < ngroups; c++) {
+ obj_domain = find_domain_by_object_name(parent_domain, groups[c]);
+ if (obj_domain == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_object_name failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_group_by_name(tmp_ctx, obj_domain, groups[c], attrs,
+ &msg);
+ if (ret == EOK || ret == ENOENT) {
+ if (ret == ENOENT
+ || (!is_default_view
+ && ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN,
+ NULL) == NULL)) {
+ missing_groups[n_missing] = talloc_strdup(missing_groups,
+ groups[c]);
+ if (missing_groups[n_missing] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ n_missing++;
+
+ } else {
+ dn_list[n_dns] = ldb_dn_copy(dn_list, msg->dn);
+ if (dn_list[n_dns] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ n_dns++;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_group_by_name failed.\n");
+ goto done;
+ }
+ }
+
+ if (n_missing != 0) {
+ *_missing_groups = talloc_steal(mem_ctx, missing_groups);
+ } else {
+ *_missing_groups = NULL;
+ }
+
+ if (n_dns != 0) {
+ *_dn_list = talloc_steal(mem_ctx, dn_list);
+ } else {
+ *dn_list = NULL;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static void ipa_s2n_get_list_done(struct tevent_req *subreq);
+static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq);
+static void ipa_s2n_get_user_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_s2n_get_user_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_user_state);
+ int ret;
+ char *retoid = NULL;
+ struct berval *retdata = NULL;
+ struct resp_attrs *attrs = NULL;
+ struct berval *bv_req = NULL;
+ char **missing_list = NULL;
+ struct ldb_dn **group_dn_list = NULL;
+ const char *sid_str;
+ struct dp_id_data *ar;
+
+ ret = ipa_s2n_exop_recv(subreq, state, &retoid, &retdata);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n exop request failed.\n");
+ if (state->req_input->type == REQ_INP_CERT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Maybe the server does not support lookups by "
+ "certificates.\n");
+ }
+ goto done;
+ }
+
+ switch (state->request_type) {
+ case REQ_FULL_WITH_MEMBERS:
+ case REQ_FULL:
+ ret = s2n_response_to_attrs(state, state->dom, retoid, retdata,
+ &attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n_response_to_attrs failed.\n");
+ goto done;
+ }
+
+ if (!(strcasecmp(state->dom->name, attrs->domain_name) == 0 ||
+ (state->dom->flat_name != NULL &&
+ strcasecmp(state->dom->flat_name, attrs->domain_name) == 0))) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected domain name returned, "
+ "expected [%s] or [%s], got [%s].\n",
+ state->dom->name,
+ state->dom->flat_name == NULL ? "" :
+ state->dom->flat_name,
+ attrs->domain_name);
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->attrs = attrs;
+
+ if (attrs->response_type == RESP_USER_GROUPLIST) {
+
+ if (DEBUG_IS_SET(SSSDBG_TRACE_FUNC)) {
+ size_t c;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Received [%zu] groups in group list "
+ "from IPA Server\n", attrs->ngroups);
+
+ for (c = 0; c < attrs->ngroups; c++) {
+ DEBUG(SSSDBG_TRACE_FUNC, "[%s].\n", attrs->groups[c]);
+ }
+ }
+
+
+ ret = get_group_dn_list(state,
+ is_default_view(state->ipa_ctx->view_name),
+ state->dom,
+ attrs->ngroups, attrs->groups,
+ &group_dn_list, &missing_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_group_dn_list failed.\n");
+ goto done;
+ }
+
+ if (missing_list != NULL) {
+ subreq = ipa_s2n_get_list_send(state, state->ev,
+ state->ipa_ctx, state->dom,
+ state->sh, state->exop_timeout,
+ BE_REQ_GROUP,
+ REQ_FULL_WITH_MEMBERS,
+ REQ_INP_NAME,
+ missing_list, NULL);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ipa_s2n_get_list_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_list_done,
+ req);
+
+ return;
+ }
+ break;
+ } else if (attrs->response_type == RESP_GROUP_MEMBERS) {
+ ret = process_members(state->dom,
+ is_default_view(state->ipa_ctx->view_name),
+ NULL, attrs->a.group.gr_mem, state,
+ &missing_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n");
+ goto done;
+ }
+
+ if (missing_list != NULL) {
+ subreq = ipa_s2n_get_list_send(state, state->ev,
+ state->ipa_ctx, state->dom,
+ state->sh, state->exop_timeout,
+ BE_REQ_USER,
+ REQ_FULL_WITH_MEMBERS,
+ REQ_INP_NAME,
+ missing_list, NULL);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ipa_s2n_get_list_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_list_done,
+ req);
+
+ return;
+ }
+ break;
+ }
+
+ if (state->req_input->type == REQ_INP_SECID) {
+ /* We already know the SID, we do not have to read it. */
+ break;
+ }
+
+ state->request_type = REQ_SIMPLE;
+
+ ret = s2n_encode_request(state, state->dom->name, state->entry_type,
+ state->request_type, state->req_input,
+ &bv_req);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ subreq = ipa_s2n_exop_send(state, state->ev, state->sh, false,
+ state->exop_timeout, bv_req);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_exop_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_user_done, req);
+
+ return;
+
+ case REQ_SIMPLE:
+ ret = s2n_response_to_attrs(state, state->dom, retoid, retdata,
+ &state->simple_attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n_response_to_attrs failed.\n");
+ goto done;
+ }
+
+ if (state->simple_attrs->response_type == RESP_NAME_LIST
+ && state->req_input->type == REQ_INP_CERT) {
+
+ if (state->simple_attrs->name_list == NULL) {
+ /* No results from sub-domains, nothing to do */
+ ret = EOK;
+ goto done;
+ }
+
+ state->mapped_attrs = sysdb_new_attrs(state);
+ if (state->mapped_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_base64_blob(state->mapped_attrs,
+ SYSDB_USER_MAPPED_CERT,
+ state->req_input->inp.cert);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+ goto done;
+ }
+
+ subreq = ipa_s2n_get_list_send(state, state->ev,
+ state->ipa_ctx, state->dom,
+ state->sh, state->exop_timeout,
+ BE_REQ_USER,
+ REQ_FULL_WITH_MEMBERS,
+ REQ_INP_NAME,
+ state->simple_attrs->name_list,
+ state->mapped_attrs);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ipa_s2n_get_list_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_list_done,
+ req);
+
+ return;
+ }
+
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected request type.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (state->attrs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing data of full request.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (state->simple_attrs != NULL
+ && state->simple_attrs->response_type == RESP_SID) {
+ sid_str = state->simple_attrs->a.sid_str;
+ ret = EOK;
+ } else if (state->attrs->sysdb_attrs != NULL) {
+ ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR,
+ &sid_str);
+ } else if (state->req_input->type == REQ_INP_SECID) {
+ sid_str = state->req_input->inp.secid;
+ ret = EOK;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "No SID available.\n");
+ ret = ENOENT;
+ }
+
+ if (ret == ENOENT || is_default_view(state->ipa_ctx->view_name)) {
+ ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+ state->simple_attrs, NULL, NULL, NULL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+ goto done;
+ }
+ } else if (ret == EOK) {
+ ret = get_dp_id_data_for_sid(state, sid_str, state->dom->name, &ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ goto done;
+ }
+
+ subreq = ipa_get_ad_override_send(state, state->ev,
+ state->ipa_ctx->sdap_id_ctx,
+ state->ipa_ctx->ipa_options,
+ dp_opt_get_string(state->ipa_ctx->ipa_options->basic,
+ IPA_KRB5_REALM),
+ state->ipa_ctx->view_name,
+ ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_user_get_override_done,
+ req);
+
+ return;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ goto done;
+ }
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ return;
+}
+
+static errno_t get_groups_dns(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ char **name_list, char ***_dn_list)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ int c;
+ struct sss_domain_info *root_domain;
+ char **dn_list;
+ struct ldb_message *msg;
+
+ if (name_list == NULL) {
+ *_dn_list = NULL;
+ return EOK;
+ }
+
+ /* To handle cross-domain memberships we have to check the domain for
+ * each group the member should be added or deleted. Since sub-domains
+ * use fully-qualified names by default any short name can only belong
+ * to the root/head domain. find_domain_by_object_name() will return
+ * the domain given in the first argument if the second argument is a
+ * a short name hence we always use root_domain as first argument. */
+ root_domain = get_domains_head(dom);
+ if (root_domain->fqnames) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Root domain uses fully-qualified names, " \
+ "objects might not be correctly added to groups with " \
+ "short names.\n");
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ for (c = 0; name_list[c] != NULL; c++);
+
+ dn_list = talloc_zero_array(tmp_ctx, char *, c + 1);
+ if (dn_list == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (c = 0; name_list[c] != NULL; c++) {
+ dom = find_domain_by_object_name(root_domain, name_list[c]);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot find domain for [%s].\n", name_list[c]);
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* If the group name is overridden in the default view we have to
+ * search for the name and cannot construct it because the extdom
+ * plugin will return the overridden name but the DN of the related
+ * group object in the cache will contain the original name. */
+
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name_list[c], NULL,
+ &msg);
+ if (ret == EOK) {
+ dn_list[c] = ldb_dn_alloc_linearized(dn_list, msg->dn);
+ } else {
+ /* best effort, try to construct the DN */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sysdb_search_group_by_name failed with [%d], "
+ "generating DN for [%s] in domain [%s].\n",
+ ret, name_list[c], dom->name);
+ dn_list[c] = sysdb_group_strdn(dn_list, dom->name, name_list[c]);
+ }
+ if (dn_list[c] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_alloc_linearized failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Added [%s][%s].\n", name_list[c], dn_list[c]);
+ }
+
+ *_dn_list = talloc_steal(mem_ctx, dn_list);
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static errno_t ipa_s2n_save_objects(struct sss_domain_info *dom,
+ struct req_input *req_input,
+ struct resp_attrs *attrs,
+ struct resp_attrs *simple_attrs,
+ const char *view_name,
+ struct sysdb_attrs *override_attrs,
+ struct sysdb_attrs *mapped_attrs,
+ bool update_initgr_timeout)
+{
+ int ret;
+ time_t now;
+ struct sss_nss_homedir_ctx homedir_ctx;
+ char *name = NULL;
+ char *realm;
+ char *short_name = NULL;
+ char *upn = NULL;
+ gid_t gid;
+ gid_t orig_gid = 0;
+ TALLOC_CTX *tmp_ctx;
+ const char *sid_str;
+ const char *tmp_str;
+ struct ldb_result *res;
+ enum sysdb_member_type type;
+ char **sysdb_grouplist;
+ char **add_groups_dns;
+ char **del_groups_dns;
+ char **groups_dns;
+ bool in_transaction = false;
+ int tret;
+ struct sysdb_attrs *gid_override_attrs = NULL;
+ struct ldb_message *msg;
+ struct ldb_message_element *el = NULL;
+
+ /* The list of elements that might be missing are:
+ * - SYSDB_ORIG_MEMBEROF
+ * - SYSDB_SSH_PUBKEY
+ * - SYSDB_USER_CERT
+ * Note that the list includes the trailing NULL at the end. */
+ size_t missing_count = 0;
+ const char *missing[] = {NULL, NULL, NULL, NULL};
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ now = time(NULL);
+
+ if (attrs->sysdb_attrs == NULL) {
+ attrs->sysdb_attrs = sysdb_new_attrs(attrs);
+ if (attrs->sysdb_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (attrs->sysdb_attrs != NULL) {
+ ret = sysdb_attrs_get_string(attrs->sysdb_attrs,
+ ORIGINALAD_PREFIX SYSDB_NAME, &tmp_str);
+ if (ret == EOK) {
+ name = talloc_strdup(tmp_ctx, tmp_str);
+ if (name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found original AD name [%s].\n", name);
+ } else if (ret == ENOENT) {
+ name = NULL;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_string(attrs->sysdb_attrs,
+ SYSDB_DEFAULT_OVERRIDE_NAME, &tmp_str);
+ if (ret == EOK) {
+ ret = sysdb_attrs_add_lc_name_alias_safe(attrs->sysdb_attrs,
+ tmp_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_lc_name_alias_safe failed.\n");
+ goto done;
+ }
+ } else if (ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_string(attrs->sysdb_attrs, SYSDB_UPN, &tmp_str);
+ if (ret == EOK) {
+ upn = talloc_strdup(tmp_ctx, tmp_str);
+ if (upn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found original AD upn [%s].\n", upn);
+ } else if (ret == ENOENT) {
+ upn = NULL;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ goto done;
+ }
+ }
+
+ if (strcmp(dom->name, attrs->domain_name) != 0) {
+ dom = find_domain_by_name(get_domains_head(dom),
+ attrs->domain_name, true);
+ if (dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot find domain: [%s]\n", attrs->domain_name);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ switch (attrs->response_type) {
+ case RESP_USER:
+ case RESP_USER_GROUPLIST:
+ type = SYSDB_MEMBER_USER;
+ if (dom->subdomain_homedir
+ && attrs->a.user.pw_dir == NULL) {
+ ZERO_STRUCT(homedir_ctx);
+ homedir_ctx.username = attrs->a.user.pw_name;
+ homedir_ctx.uid = attrs->a.user.pw_uid;
+ homedir_ctx.domain = dom->name;
+ homedir_ctx.flatname = dom->flat_name;
+ homedir_ctx.config_homedir_substr = dom->homedir_substr;
+
+ attrs->a.user.pw_dir = expand_homedir_template(attrs,
+ dom->subdomain_homedir,
+ dom->case_preserve,
+ &homedir_ctx);
+ if (attrs->a.user.pw_dir == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (name == NULL) {
+ name = attrs->a.user.pw_name;
+ }
+
+ ret = sysdb_attrs_add_lc_name_alias_safe(attrs->sysdb_attrs, name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_lc_name_alias_safe failed.\n");
+ goto done;
+ }
+
+ if (upn == NULL) {
+ /* We also have to store a fake UPN here, because otherwise the
+ * krb5 child later won't be able to properly construct one as
+ * the username is fully qualified but the child doesn't have
+ * access to the regex to deconstruct it */
+ /* FIXME: The real UPN is available from the PAC, we should get
+ * it from there. */
+ realm = get_uppercase_realm(tmp_ctx, dom->name);
+ if (!realm) {
+ DEBUG(SSSDBG_OP_FAILURE, "failed to get realm.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, attrs->a.user.pw_name,
+ &short_name, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse internal name %s\n",
+ attrs->a.user.pw_name);
+ goto done;
+ }
+
+ upn = talloc_asprintf(tmp_ctx, "%s@%s", short_name, realm);
+ if (!upn) {
+ DEBUG(SSSDBG_OP_FAILURE, "failed to format UPN.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* We might already have the SID or the UPN from other sources
+ * hence sysdb_attrs_add_string_safe is used to avoid double
+ * entries. */
+ ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, SYSDB_UPN,
+ upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto done;
+ }
+ }
+
+ if (req_input->type == REQ_INP_SECID) {
+ ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
+ SYSDB_SID_STR,
+ req_input->inp.secid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto done;
+ }
+ }
+
+ if (simple_attrs != NULL
+ && simple_attrs->response_type == RESP_SID) {
+ ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs,
+ SYSDB_SID_STR,
+ simple_attrs->a.sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto done;
+ }
+ }
+
+ if (attrs->response_type == RESP_USER_GROUPLIST
+ && update_initgr_timeout) {
+ /* Since RESP_USER_GROUPLIST contains all group memberships it
+ * is effectively an initgroups request hence
+ * SYSDB_INITGR_EXPIRE will be set.*/
+ ret = sysdb_attrs_add_time_t(attrs->sysdb_attrs,
+ SYSDB_INITGR_EXPIRE,
+ time(NULL) + dom->user_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_time_t failed.\n");
+ goto done;
+ }
+ }
+
+ gid = 0;
+ if (dom->mpg == false) {
+ gid = attrs->a.user.pw_gid;
+ } else {
+ /* The extdom plugin always returns the objects with the
+ * default view applied. Since the GID is handled specially
+ * for MPG domains we have add any overridden GID separately.
+ */
+ ret = sysdb_attrs_get_uint32_t(attrs->sysdb_attrs,
+ ORIGINALAD_PREFIX SYSDB_GIDNUM,
+ &orig_gid);
+ if (ret == EOK || ret == ENOENT) {
+ if ((orig_gid != 0 && orig_gid != attrs->a.user.pw_gid)
+ || attrs->a.user.pw_uid != attrs->a.user.pw_gid) {
+
+ gid_override_attrs = sysdb_new_attrs(tmp_ctx);
+ if (gid_override_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_uint32(gid_override_attrs,
+ SYSDB_GIDNUM,
+ attrs->a.user.pw_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_add_uint32 failed.\n");
+ goto done;
+ }
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_uint32_t failed.\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_attrs_get_el_ext(attrs->sysdb_attrs,
+ SYSDB_ORIG_MEMBEROF, false, &el);
+ if (ret == ENOENT) {
+ missing[missing_count++] = SYSDB_ORIG_MEMBEROF;
+ }
+
+ ret = sysdb_attrs_get_el_ext(attrs->sysdb_attrs,
+ SYSDB_SSH_PUBKEY, false, &el);
+ if (ret == ENOENT) {
+ missing[missing_count++] = SYSDB_SSH_PUBKEY;
+ }
+
+ ret = sysdb_attrs_get_el_ext(attrs->sysdb_attrs,
+ SYSDB_USER_CERT, false, &el);
+ if (ret == ENOENT) {
+ missing[missing_count++] = SYSDB_USER_CERT;
+ }
+
+ ret = sysdb_transaction_start(dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ ret = sysdb_store_user(dom, name, NULL,
+ attrs->a.user.pw_uid,
+ gid, attrs->a.user.pw_gecos,
+ attrs->a.user.pw_dir, attrs->a.user.pw_shell,
+ NULL, attrs->sysdb_attrs,
+ missing[0] == NULL ? NULL
+ : discard_const(missing),
+ dom->user_timeout, now);
+ if (ret == EEXIST && dom->mpg == true) {
+ /* This handles the case where getgrgid() was called for
+ * this user, so a group was created in the cache
+ */
+ ret = sysdb_search_group_by_name(tmp_ctx, dom, name, NULL, &msg);
+ if (ret != EOK) {
+ /* Fail even on ENOENT, the group must be around */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not delete MPG group [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_delete_group(dom, NULL, attrs->a.user.pw_uid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_delete_group failed for MPG group [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_store_user(dom, name, NULL,
+ attrs->a.user.pw_uid,
+ gid, attrs->a.user.pw_gecos,
+ attrs->a.user.pw_dir,
+ attrs->a.user.pw_shell,
+ NULL, attrs->sysdb_attrs, NULL,
+ dom->user_timeout, now);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_store_user failed for MPG user [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_store_user failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (mapped_attrs != NULL) {
+ ret = sysdb_set_user_attr(dom, name, mapped_attrs,
+ SYSDB_MOD_ADD);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_user_attr failed.\n");
+ goto done;
+ }
+ }
+
+ if (gid_override_attrs != NULL) {
+ ret = sysdb_set_user_attr(dom, name, gid_override_attrs,
+ SYSDB_MOD_REP);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_user_attr failed.\n");
+ goto done;
+ }
+ }
+
+ if (attrs->response_type == RESP_USER_GROUPLIST) {
+ ret = get_sysdb_grouplist_dn(tmp_ctx, dom->sysdb, dom, name,
+ &sysdb_grouplist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_sysdb_grouplist failed.\n");
+ goto done;
+ }
+
+ ret = get_groups_dns(tmp_ctx, dom, attrs->groups, &groups_dns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_groups_dns failed.\n");
+ goto done;
+ }
+
ret = diff_string_lists(tmp_ctx, groups_dns, + sysdb_grouplist, &add_groups_dns, + &del_groups_dns, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n", + name); + ret = sysdb_update_members_dn(dom, name, SYSDB_MEMBER_USER, + (const char *const *) add_groups_dns, + (const char *const *) del_groups_dns); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + ret = sysdb_transaction_commit(dom->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + break; + case RESP_GROUP: + case RESP_GROUP_MEMBERS: + type = SYSDB_MEMBER_GROUP; + + if (name == NULL) { + name = attrs->a.group.gr_name; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", name); + + ret = sysdb_attrs_add_lc_name_alias_safe(attrs->sysdb_attrs, name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_add_lc_name_alias_safe failed.\n"); + goto done; + } + + /* We might already have the SID from other sources hence + * sysdb_attrs_add_string_safe is used to avoid double entries. 
*/ + if (req_input->type == REQ_INP_SECID) { + ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, + SYSDB_SID_STR, + req_input->inp.secid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_add_string failed.\n"); + goto done; + } + } + + if (simple_attrs != NULL + && simple_attrs->response_type == RESP_SID) { + ret = sysdb_attrs_add_string_safe(attrs->sysdb_attrs, + SYSDB_SID_STR, + simple_attrs->a.sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_add_string failed.\n"); + goto done; + } + } + + ret = process_members(dom, is_default_view(view_name), + attrs->sysdb_attrs, attrs->a.group.gr_mem, + NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "process_members failed.\n"); + goto done; + } + + ret = sysdb_store_group(dom, name, attrs->a.group.gr_gid, + attrs->sysdb_attrs, dom->group_timeout, + now); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_group failed.\n"); + goto done; + } + break; + default: + DEBUG(SSSDBG_OP_FAILURE, "Unexpected response type [%d].\n", + attrs->response_type); + ret = EINVAL; + goto done; + } + + ret = sysdb_attrs_get_string(attrs->sysdb_attrs, SYSDB_SID_STR, &sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot find SID of object.\n"); + if (name != NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Object [%s] has no SID, please check the " + "ipaNTSecurityIdentifier attribute on the server-side.\n", + name); + } + goto done; + } + + ret = sysdb_search_object_by_sid(tmp_ctx, dom, sid_str, NULL, &res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot find object with override with SID [%s].\n", sid_str); + goto done; + } + + if (!is_default_view(view_name)) { + /* For the default view the data return by the extdom plugin already + * contains all needed data and it is not expected to have a separate + * override object. 
*/ + ret = sysdb_store_override(dom, view_name, type, override_attrs, + res->msgs[0]->dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_override failed.\n"); + goto done; + } + } + +done: + if (in_transaction) { + tret = sysdb_transaction_cancel(dom->sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + + return ret; +} + +static void ipa_s2n_get_list_done(struct tevent_req *subreq) +{ + int ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_s2n_get_user_state *state = tevent_req_data(req, + struct ipa_s2n_get_user_state); + const char *sid_str; + struct dp_id_data *ar; + + ret = ipa_s2n_get_list_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "s2n get_fqlist request failed.\n"); + tevent_req_error(req, ret); + return; + } + + if (state->attrs == NULL) { + /* If this is a request by certificate we are done */ + if (state->req_input->type == REQ_INP_CERT) { + tevent_req_done(req); + } else { + tevent_req_error(req, EINVAL); + } + return; + } + + ret = sysdb_attrs_get_string(state->attrs->sysdb_attrs, SYSDB_SID_STR, + &sid_str); + if (ret == ENOENT) { + ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs, + state->simple_attrs, NULL, NULL, NULL, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n"); + goto fail; + } + tevent_req_done(req); + return; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto fail; + } + + ret = get_dp_id_data_for_sid(state, sid_str, state->dom->name, &ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); + goto fail; + } + + if (state->override_attrs == NULL + && !is_default_view(state->ipa_ctx->view_name)) { + subreq = ipa_get_ad_override_send(state, state->ev, + state->ipa_ctx->sdap_id_ctx, + state->ipa_ctx->ipa_options, + 
dp_opt_get_string(state->ipa_ctx->ipa_options->basic,
+ IPA_KRB5_REALM),
+ state->ipa_ctx->view_name,
+ ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_s2n_get_user_get_override_done,
+ req);
+ } else {
+ ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+ state->simple_attrs,
+ state->ipa_ctx->view_name,
+ state->override_attrs, NULL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+ }
+
+ return;
+
+fail:
+ tevent_req_error(req, ret);
+ return;
+}
+
+static void ipa_s2n_get_user_get_override_done(struct tevent_req *subreq)
+{
+ int ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_s2n_get_user_state *state = tevent_req_data(req,
+ struct ipa_s2n_get_user_state);
+ struct sysdb_attrs *override_attrs = NULL;
+
+ ret = ipa_get_ad_override_recv(subreq, NULL, state, &override_attrs);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = ipa_s2n_save_objects(state->dom, state->req_input, state->attrs,
+ state->simple_attrs, state->ipa_ctx->view_name,
+ override_attrs, NULL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_save_objects failed.\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+ return;
+}
+
+int ipa_s2n_get_acct_info_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_get_subdom_acct_process_pac_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+ struct sss_domain_info *dom;
+ char *username;
+
+ size_t num_missing_sids;
+ char **missing_sids;
+ size_t num_cached_groups;
+ char **cached_groups;
+};
+
+static void
ipa_get_subdom_acct_process_pac_done(struct tevent_req *subreq);
+
+struct tevent_req *ipa_get_subdom_acct_process_pac_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *dom,
+ struct ldb_message *user_msg)
+{
+ int ret;
+ struct ipa_get_subdom_acct_process_pac_state *state;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ char *user_sid;
+ char *primary_group_sid;
+ size_t num_sids;
+ char **group_sids;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_get_subdom_acct_process_pac_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sh = sh;
+ state->dom = dom;
+
+ ret = ad_get_pac_data_from_user_entry(state, user_msg,
+ ipa_ctx->sdap_id_ctx->opts->idmap_ctx->map,
+ &state->username,
+ &user_sid, &primary_group_sid,
+ &num_sids, &group_sids);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ad_get_pac_data_from_user_entry failed.\n");
+ goto done;
+ }
+
+ ret = sdap_ad_tokengroups_get_posix_members(state, state->dom,
+ num_sids, group_sids,
+ &state->num_missing_sids,
+ &state->missing_sids,
+ &state->num_cached_groups,
+ &state->cached_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_ad_tokengroups_get_posix_members failed.\n");
+ goto done;
+ }
+
+
+ if (state->num_missing_sids == 0) {
+ ret = sdap_ad_tokengroups_update_members(state->username,
+ state->dom->sysdb,
+ state->dom,
+ state->cached_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n",
+ ret, strerror(ret));
+ }
+
+ goto done;
+ }
+
+
+ subreq = ipa_s2n_get_list_send(state, state->ev, ipa_ctx, state->dom,
+ state->sh,
+ dp_opt_get_int(ipa_ctx->sdap_id_ctx->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ BE_REQ_BY_SECID, REQ_FULL, REQ_INP_SECID,
+ state->missing_sids, NULL);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_s2n_get_list_send failed.\n");
+ ret =
ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_get_subdom_acct_process_pac_done, req);
+
+ return req;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ipa_get_subdom_acct_process_pac_done(struct tevent_req *subreq)
+{
+ int ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_get_subdom_acct_process_pac_state *state = tevent_req_data(req,
+ struct ipa_get_subdom_acct_process_pac_state);
+ char **cached_groups;
+ size_t num_cached_groups;
+
+ ret = ipa_s2n_get_list_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "s2n get_fqlist request failed.\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* from ad_pac.c */
+ ret = sdap_ad_tokengroups_get_posix_members(state, state->dom,
+ state->num_missing_sids,
+ state->missing_sids,
+ NULL, NULL,
+ &num_cached_groups,
+ &cached_groups);
+ if (ret != EOK){
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_ad_tokengroups_get_posix_members failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ state->cached_groups = concatenate_string_array(state,
+ state->cached_groups,
+ state->num_cached_groups,
+ cached_groups,
+ num_cached_groups);
+ if (state->cached_groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* update membership of existing groups */
+ ret = sdap_ad_tokengroups_update_members(state->username,
+ state->dom->sysdb,
+ state->dom,
+ state->cached_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+errno_t ipa_get_subdom_acct_process_pac_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
new file mode 100644
index 0000000..630f68a
--- /dev/null
+++ b/src/providers/ipa/ipa_selinux.c
@@ -0,0 +1,1698 @@
+/*
+ SSSD
+
+ IPA Backend Module -- selinux loading
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+#include
+
+#include "db/sysdb_selinux.h"
+#include "util/child_common.h"
+#include "util/sss_selinux.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ipa/ipa_config.h"
+#include "providers/ipa/ipa_selinux.h"
+#include "providers/ipa/ipa_hosts.h"
+#include "providers/ipa/ipa_hbac_rules.h"
+#include "providers/ipa/ipa_hbac_private.h"
+#include "providers/ipa/ipa_access.h"
+#include "providers/ipa/ipa_selinux_maps.h"
+#include "providers/ipa/ipa_subdomains.h"
+#include "providers/ipa/ipa_rules_common.h"
+
+#ifndef SELINUX_CHILD_DIR
+#ifndef SSSD_LIBEXEC_PATH
+#error "SSSD_LIBEXEC_PATH not defined"
+#endif /* SSSD_LIBEXEC_PATH */
+
+#define SELINUX_CHILD_DIR SSSD_LIBEXEC_PATH
+#endif /* SELINUX_CHILD_DIR */
+
+#define SELINUX_CHILD SELINUX_CHILD_DIR"/selinux_child"
+#define SELINUX_CHILD_LOG_FILE "selinux_child"
+
+#include
+
+/* fd used by the selinux_child process for logging */
+int selinux_child_debug_fd = -1;
+
+static struct tevent_req *
+ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sysdb_attrs *user,
+ struct sysdb_attrs *host,
+ struct ipa_selinux_ctx *selinux_ctx);
+static errno_t ipa_get_selinux_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx, +
size_t *count,
+ struct sysdb_attrs ***maps,
+ size_t *hbac_count,
+ struct sysdb_attrs ***hbac_rules,
+ char **default_user,
+ char **map_order);
+
+static void ipa_get_selinux_connect_done(struct tevent_req *subreq);
+static void ipa_get_selinux_hosts_done(struct tevent_req *subreq);
+static void ipa_get_config_step(struct tevent_req *req);
+static void ipa_get_selinux_config_done(struct tevent_req *subreq);
+static void ipa_get_selinux_maps_done(struct tevent_req *subreq);
+static void ipa_get_selinux_hbac_done(struct tevent_req *subreq);
+static errno_t ipa_selinux_process_maps(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs *user,
+ struct sysdb_attrs *host,
+ struct sysdb_attrs **selinux_maps,
+ size_t selinux_map_count,
+ struct sysdb_attrs **hbac_rules,
+ size_t hbac_rule_count,
+ struct sysdb_attrs ***usermaps);
+
+static errno_t
+ipa_save_user_maps(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ size_t map_count,
+ struct sysdb_attrs **maps)
+{
+ errno_t ret;
+ errno_t sret;
+ bool in_transaction = false;
+ int i;
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ for (i = 0; i < map_count; i++) {
+ ret = sysdb_store_selinux_usermap(domain, maps[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store user map %d.
" + "Ignoring.\n", i); + } else { + DEBUG(SSSDBG_TRACE_FUNC, "User map %d processed.\n", i); + } + } + + ret = sysdb_transaction_commit(sysdb); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction!\n"); + goto done; + } + in_transaction = false; + ret = EOK; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + return ret; +} + +struct map_order_ctx { + char *order; + char **order_array; + size_t order_count; +}; + +struct selinux_child_input { + const char *seuser; + const char *mls_range; + const char *username; +}; + +static errno_t +ipa_selinux_process_seealso_maps(struct sysdb_attrs *user, + struct sysdb_attrs *host, + struct sysdb_attrs **seealso_rules, + size_t seealso_rules_count, + struct sysdb_attrs **hbac_rules, + size_t hbac_rule_count, + uint32_t top_priority, + struct sysdb_attrs **usermaps, + size_t best_match_maps_cnt); +static errno_t +ipa_selinux_process_maps(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *user, + struct sysdb_attrs *host, + struct sysdb_attrs **selinux_maps, + size_t selinux_map_count, + struct sysdb_attrs **hbac_rules, + size_t hbac_rule_count, + struct sysdb_attrs ***_usermaps) +{ + TALLOC_CTX *tmp_ctx; + int i; + errno_t ret; + uint32_t priority = 0; + uint32_t top_priority = 0; + struct sysdb_attrs **seealso_rules; + size_t num_seealso_rules = 0; + const char *seealso_str; + struct sysdb_attrs **usermaps; + size_t best_match_maps_cnt = 0; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + seealso_rules = talloc_zero_array(tmp_ctx, struct sysdb_attrs *, + selinux_map_count + 1); + if (seealso_rules == NULL) { + ret = ENOMEM; + goto done; + } + + usermaps = talloc_zero_array(tmp_ctx, struct sysdb_attrs *, selinux_map_count + 1); + if (usermaps == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < selinux_map_count; i++) { + if (sss_selinux_match(selinux_maps[i], 
user, host, &priority)) { + if (priority < top_priority) { + /* This rule has lower priority than what we already have, + * skip it. */ + continue; + } else if (priority > top_priority) { + /* This rule has higher priority, drop what we already have */ + while (best_match_maps_cnt > 0) { + best_match_maps_cnt--; + usermaps[best_match_maps_cnt] = NULL; + } + top_priority = priority; + } + + usermaps[best_match_maps_cnt] = selinux_maps[i]; + best_match_maps_cnt++; + + continue; + } + + /* SELinux map did not matched -> check sealso attribute for + * possible HBAC match */ + ret = sysdb_attrs_get_string(selinux_maps[i], + SYSDB_SELINUX_SEEALSO, &seealso_str); + if (ret == ENOENT) { + continue; + } else if (ret != EOK) { + goto done; + } + + seealso_rules[num_seealso_rules] = selinux_maps[i]; + num_seealso_rules++; + } + + ret = ipa_selinux_process_seealso_maps(user, host, + seealso_rules, num_seealso_rules, + hbac_rules, hbac_rule_count, + top_priority, usermaps, best_match_maps_cnt); + if (ret != EOK) { + goto done; + } + + *_usermaps = talloc_steal(mem_ctx, usermaps); + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_selinux_process_seealso_maps(struct sysdb_attrs *user, + struct sysdb_attrs *host, + struct sysdb_attrs **seealso_rules, + size_t seealso_rules_count, + struct sysdb_attrs **hbac_rules, + size_t hbac_rule_count, + uint32_t top_priority, + struct sysdb_attrs **usermaps, + size_t best_match_maps_cnt) +{ + int i, j; + errno_t ret; + struct ldb_message_element *el; + struct sysdb_attrs *usermap; + const char *seealso_dn; + const char *hbac_dn; + uint32_t priority; + + for (i = 0; i < hbac_rule_count; i++) { + ret = sysdb_attrs_get_string(hbac_rules[i], SYSDB_ORIG_DN, &hbac_dn); + if (ret != EOK) { + return ret; + } + + /* We need to do this translation for further processing. We have to + * do it manually because no map was used to retrieve HBAC rules. 
+ */ + ret = sysdb_attrs_get_el(hbac_rules[i], IPA_MEMBER_HOST, &el); + if (ret != EOK) return ret; + el->name = SYSDB_ORIG_MEMBER_HOST; + + ret = sysdb_attrs_get_el(hbac_rules[i], IPA_MEMBER_USER, &el); + if (ret != EOK) return ret; + el->name = SYSDB_ORIG_MEMBER_USER; + + DEBUG(SSSDBG_TRACE_ALL, + "Matching HBAC rule %s with SELinux mappings\n", hbac_dn); + + if (!sss_selinux_match(hbac_rules[i], user, host, &priority)) { + DEBUG(SSSDBG_TRACE_ALL, "Rule did not match\n"); + continue; + } + + /* HBAC rule matched, find if it is in the "possible" list */ + for (j = 0; j < seealso_rules_count; j++) { + usermap = seealso_rules[j]; + if (usermap == NULL) { + continue; + } + + ret = sysdb_attrs_get_string(usermap, SYSDB_SELINUX_SEEALSO, &seealso_dn); + if (ret != EOK) { + return ret; + } + + if (strcasecmp(hbac_dn, seealso_dn) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "HBAC rule [%s] matched, copying its" + "attributes to SELinux user map [%s]\n", + hbac_dn, seealso_dn); + + /* Selinux maps priority evaluation removed --DELETE this comment before pushing*/ + if (priority < top_priority) { + /* This rule has lower priority than what we already have, + * skip it. 
*/ + continue; + } else if (priority > top_priority) { + /* This rule has higher priority, drop what we already have */ + while (best_match_maps_cnt > 0) { + best_match_maps_cnt--; + usermaps[best_match_maps_cnt] = NULL; + } + top_priority = priority; + } + + usermaps[best_match_maps_cnt] = usermap; + best_match_maps_cnt++; + + ret = sysdb_attrs_copy_values(hbac_rules[i], usermap, SYSDB_ORIG_MEMBER_USER); + if (ret != EOK) { + return ret; + } + + ret = sysdb_attrs_copy_values(hbac_rules[i], usermap, SYSDB_USER_CATEGORY); + if (ret != EOK) { + return ret; + } + + /* Speed up the next iteration */ + seealso_rules[j] = NULL; + } + } + } + + return EOK; +} + +static errno_t init_map_order_ctx(TALLOC_CTX *mem_ctx, const char *map_order, + struct map_order_ctx **_mo_ctx) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + int i; + int len; + struct map_order_ctx *mo_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + mo_ctx = talloc(tmp_ctx, struct map_order_ctx); + if (mo_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + /* The "order" string contains one or more SELinux user records + * separated by $. Now we need to create an array of string from + * this one string. First find out how many elements in the array + * will be. This way only one alloc will be necessary for the array + */ + mo_ctx->order_count = 1; + len = strlen(map_order); + for (i = 0; i < len; i++) { + if (map_order[i] == '$') mo_ctx->order_count++; + } + + mo_ctx->order_array = talloc_array(mo_ctx, char *, mo_ctx->order_count); + if (mo_ctx->order_array == NULL) { + ret = ENOMEM; + goto done; + } + + mo_ctx->order = talloc_strdup(mo_ctx, map_order); + if (mo_ctx->order == NULL) { + ret = ENOMEM; + goto done; + } + + /* Now fill the array with pointers to the original string. Also + * use binary zeros to make multiple string out of the one. 
+ */ + mo_ctx->order_array[0] = mo_ctx->order; + mo_ctx->order_count = 1; + for (i = 0; i < len; i++) { + if (mo_ctx->order[i] == '$') { + mo_ctx->order[i] = '\0'; + mo_ctx->order_array[mo_ctx->order_count] = &mo_ctx->order[i+1]; + mo_ctx->order_count++; + } + } + + *_mo_ctx = talloc_steal(mem_ctx, mo_ctx); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t selinux_child_setup(TALLOC_CTX *mem_ctx, + const char *orig_name, + struct sss_domain_info *dom, + const char *seuser_mls_string, + struct selinux_child_input **_sci); + +/* Choose best selinux user based on given order and write + * the user to selinux login file. */ +static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx, + struct sysdb_attrs **usermaps, + struct pam_data *pd, + struct sss_domain_info *user_domain, + struct map_order_ctx *mo_ctx, + const char *default_user, + struct selinux_child_input **_sci) +{ + TALLOC_CTX *tmp_ctx; + char *seuser_mls_str = NULL; + const char *tmp_str; + errno_t ret; + int i, j; + struct selinux_child_input *sci; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + /* If no maps match, we'll use the default SELinux user from the + * config */ + seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : ""); + if (seuser_mls_str == NULL) { + ret = ENOMEM; + goto done; + } + + /* Iterate through the order array and try to find SELinux users + * in fetched maps. The order array contains all SELinux users + * allowed in the domain in the same order they should appear + * in the SELinux config file. If any user from the order array + * is not in fetched user maps, it means it should not be allowed + * for the user who is just logging in. + * + * Right now we have empty content of the SELinux config file, + * we shall add only those SELinux users that are present both in + * the order array and user maps applicable to the user who is + * logging in. 
+ */ + for (i = 0; i < mo_ctx->order_count; i++) { + for (j = 0; usermaps[j] != NULL; j++) { + tmp_str = sss_selinux_map_get_seuser(usermaps[j]); + + if (tmp_str && !strcasecmp(tmp_str, mo_ctx->order_array[i])) { + /* If seuser_mls_str contained something, overwrite it. + * This record has higher priority. + */ + talloc_zfree(seuser_mls_str); + seuser_mls_str = talloc_strdup(tmp_ctx, tmp_str); + if (seuser_mls_str == NULL) { + ret = ENOMEM; + goto done; + } + break; + } + } + } + + ret = selinux_child_setup(tmp_ctx, pd->user, user_domain, seuser_mls_str, &sci); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set up child input buffer\n"); + goto done; + } + + *_sci = talloc_steal(mem_ctx, sci); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +selinux_child_setup(TALLOC_CTX *mem_ctx, + const char *orig_name, + struct sss_domain_info *dom, + const char *seuser_mls_string, + struct selinux_child_input **_sci) +{ + errno_t ret; + char *seuser; + const char *mls_range; + char *ptr; + char *username_final; + TALLOC_CTX *tmp_ctx; + struct selinux_child_input *sci; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* Split seuser and mls_range */ + seuser = talloc_strdup(tmp_ctx, seuser_mls_string); + if (seuser == NULL) { + ret = ENOMEM; + goto done; + } + + ptr = seuser; + while (*ptr != ':' && *ptr != '\0') { + ptr++; + } + if (*ptr == '\0') { + /* No mls_range specified */ + mls_range = ""; + } else { + *ptr = '\0'; /* split */ + mls_range = ptr + 1; + } + + /* pam_selinux needs the username in the same format getpwnam() would + * return it + */ + username_final = sss_output_name(tmp_ctx, orig_name, + dom->case_preserve, 0); + if (dom->fqnames) { + username_final = sss_tc_fqname(tmp_ctx, dom->names, dom, username_final); + if (username_final == NULL) { + ret = ENOMEM; + goto done; + } + } + + sci = talloc(tmp_ctx, struct selinux_child_input); + if (sci == NULL) { + ret = ENOMEM; + goto done; + } + + 
sci->seuser = talloc_strdup(sci, seuser); + sci->mls_range = talloc_strdup(sci, mls_range); + sci->username = talloc_strdup(sci, username_final); + if (sci->seuser == NULL || sci->mls_range == NULL + || sci->username == NULL) { + ret = ENOMEM; + goto done; + } + + *_sci = talloc_steal(mem_ctx, sci); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +struct selinux_child_state { + struct selinux_child_input *sci; + struct tevent_context *ev; + struct io_buffer *buf; + struct child_io_fds *io; +}; + +static errno_t selinux_child_init(void); +static errno_t selinux_child_create_buffer(struct selinux_child_state *state); +static errno_t selinux_fork_child(struct selinux_child_state *state); +static void selinux_child_step(struct tevent_req *subreq); +static void selinux_child_done(struct tevent_req *subreq); +static errno_t selinux_child_parse_response(uint8_t *buf, ssize_t len, + uint32_t *_child_result); + +static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct selinux_child_input *sci) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct selinux_child_state *state; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct selinux_child_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->sci = sci; + state->ev = ev; + state->io = talloc(state, struct child_io_fds); + state->buf = talloc(state, struct io_buffer); + if (state->io == NULL || state->buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto immediately; + } + + state->io->write_to_child_fd = -1; + state->io->read_from_child_fd = -1; + talloc_set_destructor((void *) state->io, child_io_destructor); + + ret = selinux_child_init(); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n"); + goto immediately; + } + + ret = selinux_child_create_buffer(state); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, 
"Failed to create the send buffer\n"); + ret = ENOMEM; + goto immediately; + } + + ret = selinux_fork_child(state); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to fork the child\n"); + goto immediately; + } + + subreq = write_pipe_send(state, ev, state->buf->data, state->buf->size, + state->io->write_to_child_fd); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + tevent_req_set_callback(subreq, selinux_child_step, req); + + ret = EOK; +immediately: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static errno_t selinux_child_init(void) +{ + return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd); +} + +static errno_t selinux_child_create_buffer(struct selinux_child_state *state) +{ + size_t rp; + size_t seuser_len; + size_t mls_range_len; + size_t username_len; + + seuser_len = strlen(state->sci->seuser); + mls_range_len = strlen(state->sci->mls_range); + username_len = strlen(state->sci->username); + + state->buf->size = 3 * sizeof(uint32_t); + state->buf->size += seuser_len + mls_range_len + username_len; + + DEBUG(SSSDBG_TRACE_ALL, "buffer size: %zu\n", state->buf->size); + + state->buf->data = talloc_size(state->buf, state->buf->size); + if (state->buf->data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + rp = 0; + + /* seuser */ + SAFEALIGN_SET_UINT32(&state->buf->data[rp], seuser_len, &rp); + safealign_memcpy(&state->buf->data[rp], state->sci->seuser, + seuser_len, &rp); + + /* mls_range */ + SAFEALIGN_SET_UINT32(&state->buf->data[rp], mls_range_len, &rp); + safealign_memcpy(&state->buf->data[rp], state->sci->mls_range, + mls_range_len, &rp); + + /* username */ + SAFEALIGN_SET_UINT32(&state->buf->data[rp], username_len, &rp); + safealign_memcpy(&state->buf->data[rp], state->sci->username, + username_len, &rp); + + return EOK; +} + +static errno_t selinux_fork_child(struct selinux_child_state *state) +{ + int 
pipefd_to_child[2]; + int pipefd_from_child[2]; + pid_t pid; + errno_t ret; + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", errno, sss_strerror(errno)); + return ret; + } + + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", errno, sss_strerror(errno)); + return ret; + } + + pid = fork(); + + if (pid == 0) { /* child */ + exec_child(state, pipefd_to_child, pipefd_from_child, + SELINUX_CHILD, selinux_child_debug_fd); + DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n", + ret, sss_strerror(ret)); + return ret; + } else if (pid > 0) { /* parent */ + state->io->read_from_child_fd = pipefd_from_child[0]; + close(pipefd_from_child[1]); + state->io->write_to_child_fd = pipefd_to_child[1]; + close(pipefd_to_child[0]); + sss_fd_nonblocking(state->io->read_from_child_fd); + sss_fd_nonblocking(state->io->write_to_child_fd); + + ret = child_handler_setup(state->ev, pid, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set up child signal handler\n"); + return ret; + } + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", errno, sss_strerror(errno)); + return ret; + } + + return EOK; +} + +static void selinux_child_step(struct tevent_req *subreq) +{ + struct tevent_req *req; + errno_t ret; + struct selinux_child_state *state; + + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct selinux_child_state); + + ret = write_pipe_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + close(state->io->write_to_child_fd); + state->io->write_to_child_fd = -1; + + subreq = read_pipe_send(state, state->ev, state->io->read_from_child_fd); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, 
selinux_child_done, req); +} + +static void selinux_child_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct selinux_child_state *state; + uint32_t child_result; + errno_t ret; + ssize_t len; + uint8_t *buf; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct selinux_child_state); + + ret = read_pipe_recv(subreq, state, &buf, &len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + close(state->io->read_from_child_fd); + state->io->read_from_child_fd = -1; + + ret = selinux_child_parse_response(buf, len, &child_result); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "selinux_child_parse_response failed: [%d][%s]\n", + ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } else if (child_result != 0){ + DEBUG(SSSDBG_CRIT_FAILURE, + "Error in selinux_child: [%d][%s]\n", + child_result, strerror(child_result)); + tevent_req_error(req, ERR_SELINUX_CONTEXT); + return; + } + + tevent_req_done(req); + return; +} + +static errno_t selinux_child_parse_response(uint8_t *buf, + ssize_t len, + uint32_t *_child_result) +{ + size_t p = 0; + uint32_t child_result; + + /* semanage retval */ + SAFEALIGN_COPY_UINT32_CHECK(&child_result, buf + p, len, &p); + + *_child_result = child_result; + return EOK; +} + +static errno_t selinux_child_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +/* A more generic request to gather all SELinux and HBAC rules. 
Updates + * cache if necessary + */ +struct ipa_get_selinux_state { + struct be_ctx *be_ctx; + struct ipa_selinux_ctx *selinux_ctx; + struct sdap_id_op *op; + + struct sysdb_attrs *host; + struct sysdb_attrs *user; + + struct sysdb_attrs *defaults; + struct sysdb_attrs **selinuxmaps; + size_t nmaps; + + struct sysdb_attrs **hbac_rules; + size_t hbac_rule_count; +}; + +static errno_t +ipa_get_selinux_maps_offline(struct tevent_req *req); + +static struct tevent_req * +ipa_get_selinux_send(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sysdb_attrs *user, + struct sysdb_attrs *host, + struct ipa_selinux_ctx *selinux_ctx) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct ipa_get_selinux_state *state; + bool offline; + int ret = EOK; + time_t now; + time_t refresh_interval; + struct ipa_options *ipa_options = selinux_ctx->id_ctx->ipa_options; + + DEBUG(SSSDBG_TRACE_FUNC, "Retrieving SELinux user mapping\n"); + req = tevent_req_create(mem_ctx, &state, struct ipa_get_selinux_state); + if (req == NULL) { + return NULL; + } + + state->be_ctx = be_ctx; + state->selinux_ctx = selinux_ctx; + state->user = user; + state->host = host; + + offline = be_is_offline(be_ctx); + DEBUG(SSSDBG_TRACE_INTERNAL, "Connection status is [%s].\n", + offline ? 
"offline" : "online"); + + if (!offline) { + refresh_interval = dp_opt_get_int(ipa_options->basic, + IPA_SELINUX_REFRESH); + now = time(NULL); + if (now < selinux_ctx->last_update + refresh_interval) { + /* SELinux maps were recently updated -> force offline */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "Performing cached SELinux processing\n"); + offline = true; + } + } + + if (!offline) { + state->op = sdap_id_op_create(state, + selinux_ctx->id_ctx->sdap_id_ctx->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto immediate; + } + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send failed: " + "%d(%s).\n", ret, strerror(ret)); + talloc_zfree(state->op); + goto immediate; + } + + tevent_req_set_callback(subreq, ipa_get_selinux_connect_done, req); + } else { + ret = ipa_get_selinux_maps_offline(req); + goto immediate; + } + + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, be_ctx->ev); + return req; +} + +static void ipa_get_selinux_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_selinux_state *state = tevent_req_data(req, + struct ipa_get_selinux_state); + int dp_error = DP_ERR_FATAL; + int ret; + struct ipa_id_ctx *id_ctx = state->selinux_ctx->id_ctx; + struct dp_module *access_mod; + struct dp_module *selinux_mod; + const char *hostname; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (dp_error == DP_ERR_OFFLINE) { + talloc_zfree(state->op); + ret = ipa_get_selinux_maps_offline(req); + if (ret == EOK) { + tevent_req_done(req); + return; + } + goto fail; + } + + if (ret != EOK) { + goto fail; + } + + access_mod = dp_target_module(state->be_ctx->provider, DPT_ACCESS); + selinux_mod = 
dp_target_module(state->be_ctx->provider, DPT_SELINUX); + if (access_mod == selinux_mod && state->host != NULL) { + /* If the access control module is the same as the selinux module + * and the access control had already discovered the host + */ + return ipa_get_config_step(req); + } + + hostname = dp_opt_get_string(state->selinux_ctx->id_ctx->ipa_options->basic, + IPA_HOSTNAME); + if (hostname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot determine the host name\n"); + goto fail; + } + + subreq = ipa_host_info_send(state, state->be_ctx->ev, + sdap_id_op_handle(state->op), + id_ctx->sdap_id_ctx->opts, + hostname, + id_ctx->ipa_options->id->host_map, + NULL, + state->selinux_ctx->host_search_bases); + if (subreq == NULL) { + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_get_selinux_hosts_done, req); + return; + +fail: + tevent_req_error(req, ret); +} + +static errno_t +ipa_get_selinux_maps_offline(struct tevent_req *req) +{ + errno_t ret; + size_t nmaps; + struct ldb_message **maps; + struct ldb_message *defaults; + const char *attrs[] = { SYSDB_NAME, + SYSDB_USER_CATEGORY, + SYSDB_HOST_CATEGORY, + SYSDB_ORIG_MEMBER_USER, + SYSDB_ORIG_MEMBER_HOST, + SYSDB_SELINUX_SEEALSO, + SYSDB_SELINUX_USER, + NULL }; + const char **attrs_get_cached_rules; + const char *default_user; + const char *order; + + struct ipa_get_selinux_state *state = tevent_req_data(req, + struct ipa_get_selinux_state); + + /* read the config entry */ + ret = sysdb_search_selinux_config(state, state->be_ctx->domain, + NULL, &defaults); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_selinux_config failed [%d]: %s\n", + ret, strerror(ret)); + return ret; + } + + default_user = ldb_msg_find_attr_as_string(defaults, + SYSDB_SELINUX_DEFAULT_USER, + NULL); + order = ldb_msg_find_attr_as_string(defaults, SYSDB_SELINUX_DEFAULT_ORDER, + NULL); + + state->defaults = sysdb_new_attrs(state); + if (state->defaults == NULL) { + return ENOMEM; + } + + if (default_user) { + ret 
= sysdb_attrs_add_string(state->defaults, + IPA_CONFIG_SELINUX_DEFAULT_USER_CTX, + default_user); + if (ret != EOK) { + return ret; + } + } + + ret = sysdb_attrs_add_string(state->defaults, + IPA_CONFIG_SELINUX_MAP_ORDER, order); + if (ret != EOK) { + return ret; + } + + /* read all the SELinux rules */ + ret = sysdb_get_selinux_usermaps(state, state->be_ctx->domain, + attrs, &nmaps, &maps); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_selinux_usermaps failed [%d]: %s\n", + ret, strerror(ret)); + return ret; + } + + ret = sysdb_msg2attrs(state, nmaps, maps, &state->selinuxmaps); + if (ret != EOK) { + return ret; + } + state->nmaps = nmaps; + + /* read all the HBAC rules */ + attrs_get_cached_rules = hbac_get_attrs_to_get_cached_rules(state); + if (attrs_get_cached_rules == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "hbac_get_attrs_to_get_cached_rules() failed\n"); + return ENOMEM; + } + + ret = ipa_common_get_cached_rules(state, state->be_ctx->domain, + IPA_HBAC_RULE, HBAC_RULES_SUBDIR, + attrs_get_cached_rules, + &state->hbac_rule_count, + &state->hbac_rules); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_common_get_cached_rules failed [%d]: %s\n", + ret, strerror(ret)); + return ret; + } + + return EOK; +} + +static void ipa_get_selinux_hosts_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_selinux_state *state = tevent_req_data(req, + struct ipa_get_selinux_state); + size_t host_count, hostgroup_count; + struct sysdb_attrs **hostgroups; + struct sysdb_attrs **host; + + ret = ipa_host_info_recv(subreq, state, &host_count, &host, + &hostgroup_count, &hostgroups); + talloc_free(subreq); + if (ret != EOK) { + goto done; + } + state->host = host[0]; + + return ipa_get_config_step(req); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } +} + +static void ipa_get_config_step(struct tevent_req *req) +{ + const char *domain; + struct tevent_req 
*subreq; + struct ipa_get_selinux_state *state = tevent_req_data(req, + struct ipa_get_selinux_state); + struct ipa_id_ctx *id_ctx = state->selinux_ctx->id_ctx; + + domain = dp_opt_get_string(state->selinux_ctx->id_ctx->ipa_options->basic, + IPA_KRB5_REALM); + subreq = ipa_get_config_send(state, state->be_ctx->ev, + sdap_id_op_handle(state->op), + id_ctx->sdap_id_ctx->opts, + domain, NULL); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + } + tevent_req_set_callback(subreq, ipa_get_selinux_config_done, req); +} + +static void ipa_get_selinux_config_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_selinux_state *state = tevent_req_data(req, + struct ipa_get_selinux_state); + struct sdap_id_ctx *id_ctx = state->selinux_ctx->id_ctx->sdap_id_ctx; + errno_t ret; + + ret = ipa_get_config_recv(subreq, state, &state->defaults); + talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not get IPA config\n"); + goto done; + } + + subreq = ipa_selinux_get_maps_send(state, state->be_ctx->ev, + state->be_ctx->domain->sysdb, + sdap_id_op_handle(state->op), + id_ctx->opts, + state->selinux_ctx->id_ctx->ipa_options, + state->selinux_ctx->selinux_search_bases); + if (!subreq) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ipa_get_selinux_maps_done, req); + return; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } +} + +static void ipa_get_selinux_maps_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ipa_get_selinux_state *state; + struct ipa_id_ctx *id_ctx; + struct dp_module *access_mod; + struct dp_module *selinux_mod; + const char **attrs_get_cached_rules; + const char *tmp_str; + bool check_hbac; + errno_t ret; + int i; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_get_selinux_state); + id_ctx = 
state->selinux_ctx->id_ctx; + + ret = ipa_selinux_get_maps_recv(subreq, state, + &state->nmaps, &state->selinuxmaps); + talloc_free(subreq); + if (ret != EOK) { + if (ret == ENOENT) { + /* This is returned if no SELinux mapping + * rules were found. In that case no error + * occurred, but we don't want any more processing.*/ + ret = EOK; + } + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Found %zu SELinux user maps\n", state->nmaps); + + check_hbac = false; + for (i = 0; i < state->nmaps; i++) { + ret = sysdb_attrs_get_string(state->selinuxmaps[i], + SYSDB_SELINUX_SEEALSO, &tmp_str); + if (ret == EOK) { + check_hbac = true; + break; + } + } + + if (check_hbac) { + access_mod = dp_target_module(state->be_ctx->provider, DPT_ACCESS); + selinux_mod = dp_target_module(state->be_ctx->provider, DPT_SELINUX); + if (access_mod == selinux_mod) { + attrs_get_cached_rules = hbac_get_attrs_to_get_cached_rules(state); + if (attrs_get_cached_rules == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ipa_common_get_cached_rules(state, state->be_ctx->domain, + IPA_HBAC_RULE, HBAC_RULES_SUBDIR, + attrs_get_cached_rules, + &state->hbac_rule_count, + &state->hbac_rules); + /* Terminates the request */ + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "SELinux maps referenced an HBAC rule. 
" + "Need to refresh HBAC rules\n"); + subreq = ipa_hbac_rule_info_send(state, state->be_ctx->ev, + sdap_id_op_handle(state->op), + id_ctx->sdap_id_ctx->opts, + state->selinux_ctx->hbac_search_bases, + state->host); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ipa_get_selinux_hbac_done, req); + return; + } + + ret = EOK; +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_selinux_state *state = tevent_req_data(req, + struct ipa_get_selinux_state); + errno_t ret; + + ret = ipa_hbac_rule_info_recv(subreq, state, &state->hbac_rule_count, + &state->hbac_rules); + DEBUG(SSSDBG_TRACE_INTERNAL, + "Received %zu HBAC rules\n", state->hbac_rule_count); + talloc_free(subreq); + + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } +} + +static errno_t +ipa_get_selinux_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *count, + struct sysdb_attrs ***maps, + size_t *hbac_count, + struct sysdb_attrs ***hbac_rules, + char **default_user, + char **map_order) +{ + struct ipa_get_selinux_state *state = + tevent_req_data(req, struct ipa_get_selinux_state); + const char *tmp_str; + errno_t ret; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + ret = sysdb_attrs_get_string(state->defaults, + IPA_CONFIG_SELINUX_DEFAULT_USER_CTX, + &tmp_str); + if (ret != EOK && ret != ENOENT) { + return ret; + } + + if (ret == EOK) { + *default_user = talloc_strdup(mem_ctx, tmp_str); + if (*default_user == NULL) { + return ENOMEM; + } + } + + ret = sysdb_attrs_get_string(state->defaults, IPA_CONFIG_SELINUX_MAP_ORDER, + &tmp_str); + if (ret != EOK) { + return ret; + } + + *map_order = talloc_strdup(mem_ctx, tmp_str); + if (*map_order == NULL) { + talloc_zfree(*default_user); + return ENOMEM; + } + + *count = 
state->nmaps; + *maps = talloc_steal(mem_ctx, state->selinuxmaps); + + *hbac_count = state->hbac_rule_count; + *hbac_rules = talloc_steal(mem_ctx, state->hbac_rules); + + return EOK; +} + +static errno_t +ipa_selinux_init_attrs(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *ipa_domain, + struct sss_domain_info *user_domain, + const char *username, + const char *hostname, + struct sysdb_attrs **_user, + struct sysdb_attrs **_host) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *host_dn; + const char *attrs[] = { SYSDB_ORIG_DN, + SYSDB_ORIG_MEMBEROF, + NULL }; + size_t count; + struct ldb_message **msgs; + struct sysdb_attrs **hosts; + struct sysdb_attrs *user = NULL; + struct sysdb_attrs *host = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sss_selinux_extract_user(tmp_ctx, user_domain, username, &user); + if (ret != EOK) { + goto done; + } + + host_dn = sysdb_custom_dn(tmp_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR); + if (host_dn == NULL) { + goto done; + } + + /* Look up the host to get its originalMemberOf entries */ + ret = sysdb_search_entry(tmp_ctx, sysdb, host_dn, LDB_SCOPE_BASE, NULL, + attrs, &count, &msgs); + if (ret == ENOENT || count == 0) { + host = NULL; + ret = EOK; + goto done; + } else if (ret != EOK) { + goto done; + } else if (count > 1) { + DEBUG(SSSDBG_OP_FAILURE, "More than one result for a BASE search!\n"); + goto done; + } + + ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &hosts); + talloc_free(msgs); + if (ret != EOK) { + goto done; + } + + host = hosts[0]; + + ret = EOK; + +done: + if (ret == EOK) { + *_user = talloc_steal(mem_ctx, user); + *_host = talloc_steal(mem_ctx, host); + } + + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t +ipa_selinux_store_config(struct sysdb_ctx *sysdb, + struct sss_domain_info *ipa_domain, + const char *default_user, + const char *map_order, + size_t map_count, + struct sysdb_attrs **maps) +{ + bool in_transaction 
= false; + errno_t sret; + errno_t ret; + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + ret = sysdb_delete_usermaps(ipa_domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot delete existing maps from sysdb\n"); + goto done; + } + + ret = sysdb_store_selinux_config(ipa_domain, default_user, map_order); + if (ret != EOK) { + goto done; + } + + if (map_count > 0) { + ret = ipa_save_user_maps(sysdb, ipa_domain, map_count, maps); + if (ret != EOK) { + goto done; + } + } + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); + } + } + + return ret; +} + +static errno_t +ipa_selinux_create_child_input(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *user, + struct sysdb_attrs *host, + struct sysdb_attrs **maps, + size_t map_count, + struct sysdb_attrs **hbac_rules, + size_t hbac_count, + const char *map_order, + struct pam_data *pd, + struct sss_domain_info *user_domain, + const char *default_user, + struct selinux_child_input **_sci) +{ + struct sysdb_attrs **best_match_maps = NULL; + struct map_order_ctx *map_order_ctx = NULL; + struct selinux_child_input *sci = NULL; + errno_t ret; + + /* Process the maps and return list of best matches + * (maps with highest priority). 
*/ + ret = ipa_selinux_process_maps(mem_ctx, user, host, maps, map_count, + hbac_rules, hbac_count, &best_match_maps); + if (ret != EOK) { + goto done; + } + + ret = init_map_order_ctx(mem_ctx, map_order, &map_order_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to create ordered SELinux users array.\n"); + goto done; + } + + ret = choose_best_seuser(mem_ctx, best_match_maps, pd, user_domain, + map_order_ctx, default_user, &sci); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to evaluate ordered SELinux users array.\n"); + goto done; + } + + *_sci = sci; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(best_match_maps); + talloc_free(map_order_ctx); + talloc_free(sci); + } + + return ret; +} + +struct ipa_selinux_handler_state { + struct be_ctx *be_ctx; + struct tevent_context *ev; + struct pam_data *pd; + + struct sss_domain_info *user_domain; + struct sss_domain_info *ipa_domain; + struct ipa_selinux_ctx *selinux_ctx; + + struct sysdb_attrs *user; + struct sysdb_attrs *host; +}; + +static void ipa_selinux_handler_get_done(struct tevent_req *subreq); +static void ipa_selinux_handler_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_selinux_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_selinux_ctx *selinux_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct ipa_selinux_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + const char *hostname; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_selinux_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->be_ctx = params->be_ctx; + state->ev = params->ev; + state->pd = pd; + state->user_domain = params->domain; + state->ipa_domain = params->be_ctx->domain; + state->selinux_ctx = selinux_ctx; + + pd->pam_status = PAM_SYSTEM_ERR; + + hostname = dp_opt_get_string(selinux_ctx->id_ctx->ipa_options->basic, + IPA_HOSTNAME); + if 
(hostname == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot determine this machine's host name\n"); + ret = EINVAL; + goto immediately; + } + + ret = ipa_selinux_init_attrs(state, state->user_domain->sysdb, + state->ipa_domain, state->user_domain, + pd->user, hostname, + &state->user, &state->host); + if (ret != EOK) { + goto immediately; + } + + subreq = ipa_get_selinux_send(state, params->be_ctx, state->user, + state->host, selinux_ctx); + if (subreq == NULL) { + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_selinux_handler_get_done, req); + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ipa_selinux_handler_get_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ipa_selinux_handler_state *state; + struct selinux_child_input *sci; + struct sysdb_attrs **hbac_rules = NULL; + struct sysdb_attrs **maps = NULL; + size_t map_count = 0; + size_t hbac_count = 0; + char *default_user = NULL; + char *map_order = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_selinux_handler_state); + + ret = ipa_get_selinux_recv(subreq, state, &map_count, &maps, + &hbac_count, &hbac_rules, + &default_user, &map_order); + talloc_free(subreq); + if (ret != EOK) { + goto done; + } + + ret = ipa_selinux_store_config(state->ipa_domain->sysdb, state->ipa_domain, + default_user, map_order, map_count, maps); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to store SELinux config [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ipa_selinux_create_child_input(state, state->user, state->host, + maps, map_count, hbac_rules, + hbac_count, map_order, state->pd, + state->user_domain, default_user, + &sci); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create child input [%d]: %s\n", + ret, sss_strerror(ret)); + 
goto done; + } + + /* Update the SELinux context in a privileged child as the back end is + * running unprivileged + */ + subreq = selinux_child_send(state, state->ev, sci); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ipa_selinux_handler_done, req); + return; + +done: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +static void ipa_selinux_handler_done(struct tevent_req *subreq) +{ + struct ipa_selinux_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_selinux_handler_state); + + ret = selinux_child_recv(subreq); + talloc_free(subreq); + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + if (!be_is_offline(state->be_ctx)) { + state->selinux_ctx->last_update = time(NULL); + } + + state->pd->pam_status = PAM_SUCCESS; + +done: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +ipa_selinux_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct ipa_selinux_handler_state *state = NULL; + + state = tevent_req_data(req, struct ipa_selinux_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/ipa/ipa_selinux.h b/src/providers/ipa/ipa_selinux.h new file mode 100644 index 0000000..dea8775 --- /dev/null +++ b/src/providers/ipa/ipa_selinux.h 
@@ -0,0 +1,50 @@
+/*
+ SSSD
+
+ IPA Backend Module -- selinux loading
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _IPA_SELINUX_H_
+#define _IPA_SELINUX_H_
+
+#include "providers/ldap/ldap_common.h"
+
+struct ipa_selinux_ctx {
+ struct ipa_id_ctx *id_ctx;
+ time_t last_update;
+
+ struct sdap_search_base **selinux_search_bases;
+ struct sdap_search_base **host_search_bases;
+ struct sdap_search_base **hbac_search_bases;
+};
+
+struct tevent_req *
+ipa_selinux_handler_send(TALLOC_CTX *mem_ctx,
+ struct ipa_selinux_ctx *selinux_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+ipa_selinux_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+#endif
diff --git a/src/providers/ipa/ipa_selinux_maps.c b/src/providers/ipa/ipa_selinux_maps.c
new file mode 100644
index 0000000..9abac4d
--- /dev/null
+++ b/src/providers/ipa/ipa_selinux_maps.c
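Review bot: The include guard `_IPA_SELINUX_H_` begins with an underscore followed by an upper-case letter, a form of identifier that C reserves for the implementation. `#ifndef IPA_SELINUX_H_` with `#define IPA_SELINUX_H_` avoids that and matches the guard used by ipa_selinux_maps.h, which this patch also adds. The header also uses `time_t`, `TALLOC_CTX`, `struct pam_data` and `struct dp_req_params` while including only providers/ldap/ldap_common.h, so it presumably relies on that header to supply them; a short comment next to the include, such as `/* provides talloc, tevent and the data-provider types used below */`, would make the dependency explicit.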
@@ -0,0 +1,222 @@
+/*
+ SSSD
+
+ IPA Backend Module -- SELinux user maps (maps retrieval)
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ipa/ipa_common.h"
+#include "providers/ipa/ipa_selinux_maps.h"
+
+struct ipa_selinux_get_maps_state {
+ struct tevent_context *ev;
+ struct sysdb_ctx *sysdb;
+ struct sdap_handle *sh;
+ struct sdap_options *opts;
+ struct ipa_options *ipa_opts;
+ const char **attrs;
+
+ struct sdap_search_base **search_bases;
+ int search_base_iter;
+
+ char *cur_filter;
+ char *maps_filter;
+
+ size_t map_count;
+ struct sysdb_attrs **maps;
+};
+
+static errno_t
+ipa_selinux_get_maps_next(struct tevent_req *req,
+ struct ipa_selinux_get_maps_state *state);
+static void
+ipa_selinux_get_maps_done(struct tevent_req *subreq);
+
+struct tevent_req *ipa_selinux_get_maps_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sysdb_ctx *sysdb,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ struct ipa_options *ipa_opts,
+ struct sdap_search_base **search_bases)
+{
+ struct tevent_req *req;
+ struct ipa_selinux_get_maps_state *state;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_selinux_get_maps_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sysdb = sysdb;
+ state->sh = sh;
+ state->opts = opts;
+ state->ipa_opts = ipa_opts;
+ state->search_bases = search_bases;
+ state->search_base_iter = 0;
+ state->map_count = 0;
+ state->maps = NULL;
+
+ ret = build_attrs_from_map(state, ipa_opts->selinuxuser_map,
+ IPA_OPTS_SELINUX_USERMAP, NULL,
+ &state->attrs, NULL);
+ if (ret != EOK) goto fail;
+
+ state->cur_filter = NULL;
+ state->maps_filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s=TRUE))",
+ ipa_opts->selinuxuser_map[IPA_OC_SELINUX_USERMAP].name,
+ ipa_opts->selinuxuser_map[IPA_AT_SELINUX_USERMAP_ENABLED].name);
+ if (state->maps_filter == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = ipa_selinux_get_maps_next(req, state);
+ if (ret == EOK) {
+ ret = EINVAL;
+ }
+
+ if (ret != EAGAIN) {
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+ipa_selinux_get_maps_next(struct tevent_req *req,
+ struct ipa_selinux_get_maps_state *state)
+{
+ struct sdap_search_base *base;
+ struct tevent_req *subreq;
+
+ base = state->search_bases[state->search_base_iter];
+ if (base == NULL) {
+ return EOK;
+ }
+
+ talloc_zfree(state->cur_filter);
+ state->cur_filter = sdap_combine_filters(state, state->maps_filter,
+ base->filter);
+ if (state->cur_filter == NULL) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Trying to fetch SELinux maps with following "
+ "parameters: [%d][%s][%s]\n", base->scope,
+ state->cur_filter, base->basedn);
+ subreq = sdap_get_generic_send(state, state->ev, state->opts,
+ state->sh, base->basedn,
+ base->scope, state->cur_filter,
+ state->attrs,
+ state->ipa_opts->selinuxuser_map,
+ IPA_OPTS_SELINUX_USERMAP,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ true);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, ipa_selinux_get_maps_done, req);
+ return EAGAIN;
+}
+
+static void ipa_selinux_get_maps_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_selinux_get_maps_state *state = tevent_req_data(req,
+ struct ipa_selinux_get_maps_state);
+ struct sysdb_attrs **results;
+ size_t total_count;
+ size_t count;
+ int i;
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &results);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (count > 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Found %zu user maps in current search base\n", count);
+
+ total_count = count + state->map_count;
+ state->maps = talloc_realloc(state, state->maps, struct sysdb_attrs *, total_count);
+ if (state->maps == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ i = 0;
+ while (state->map_count < total_count) {
+ state->maps[state->map_count] = talloc_steal(state->maps, results[i]);
+ state->map_count++;
+ i++;
+ }
+ }
+
+ state->search_base_iter++;
+ ret = ipa_selinux_get_maps_next(req, state);
+ if (ret == EAGAIN) {
+ return;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ if (state->map_count == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No SELinux user maps found!\n");
+ ret = ENOENT;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+}
+
+errno_t
+ipa_selinux_get_maps_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *count,
+ struct sysdb_attrs ***maps)
+{
+ struct ipa_selinux_get_maps_state *state =
+ tevent_req_data(req, struct ipa_selinux_get_maps_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *count = state->map_count;
+ *maps = talloc_steal(mem_ctx, state->maps);
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_selinux_maps.h b/src/providers/ipa/ipa_selinux_maps.h
new file mode 100644
index 0000000..d3abec1
--- /dev/null
+++ b/src/providers/ipa/ipa_selinux_maps.h
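Review bot: ipa_selinux_get_maps_done() never releases `subreq` after `sdap_get_generic_recv()`, so every search base leaves a finished sub-request behind, presumably parented to `state` and therefore kept until the whole request is freed. The ipa_selinux.c callbacks in this same patch free theirs right after the recv call. Adding `talloc_zfree(subreq);` directly after the recv, before the `if (ret != EOK)` check, keeps memory bounded when many search bases are configured. Separately, ipa_selinux_get_maps_next() reads `state->search_bases[state->search_base_iter]` without checking the array pointer, so the send function should either reject a NULL `search_bases` with `EINVAL` or carry the comment `/* search_bases must be a non-NULL, NULL-terminated array */`.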
@@ -0,0 +1,45 @@
+/*
+ SSSD
+
+ IPA Backend Module -- SELinux user maps (maps retrieval)
+
+ Authors:
+ Jan Zeleny
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IPA_SELINUX_MAPS_H_
+#define IPA_SELINUX_MAPS_H_
+
+#include "providers/ldap/sdap_async.h"
+
+struct tevent_req *
+ipa_selinux_get_maps_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sysdb_ctx *sysdb,
+ struct sdap_handle *sh,
+ struct sdap_options *opts,
+ struct ipa_options *ipa_opts,
+ struct sdap_search_base **search_bases);
+
+errno_t
+ipa_selinux_get_maps_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *count,
+ struct sysdb_attrs ***maps);
+
+#endif /* IPA_SELINUX_MAPS_H_ */
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
new file mode 100644
index 0000000..33c64e5
--- /dev/null
+++ b/src/providers/ipa/ipa_session.c
@@ -0,0 +1,866 @@ +/* + SSSD + + IPA Backend Module -- Session Management + + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include + +#include "util/child_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_config.h" +#include "providers/ipa/ipa_hosts.h" +#include "providers/ipa/ipa_subdomains.h" +#include "providers/ipa/ipa_session.h" +#include "providers/ipa/ipa_rules_common.h" +#include "providers/ipa/ipa_deskprofile_private.h" +#include "providers/ipa/ipa_deskprofile_config.h" +#include "providers/ipa/ipa_deskprofile_rules.h" +#include "providers/ipa/ipa_deskprofile_rules_util.h" + +/* Those here are used for sending a message to the deskprofile client + * informing that our side is done. 
*/ +#define SSS_FLEETCOMMANDERCLIENT_BUS "org.freedesktop.FleetCommanderClient" +#define SSS_FLEETCOMMANDERCLIENT_PATH "/org/freedesktop/FleetCommanderClient" +#define SSS_FLEETCOMMANDERCLIENT_IFACE "org.freedesktop.FleetCommanderClient" + +#define MINUTE_IN_SECONDS 60 + +struct ipa_fetch_deskprofile_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct sdap_id_ctx *sdap_ctx; + struct ipa_session_ctx *session_ctx; + struct sdap_id_op *sdap_op; + struct dp_option *ipa_options; + struct sdap_search_base **search_bases; + const char *username; + + /* Hosts */ + struct ipa_common_entries *hosts; + struct sysdb_attrs *ipa_host; + + /* Rules */ + struct ipa_common_entries *rules; + struct sysdb_attrs *config; + uint16_t priority; +}; + +static errno_t ipa_fetch_deskprofile_retry(struct tevent_req *req); +static void ipa_fetch_deskprofile_connect_done(struct tevent_req *subreq); +static errno_t ipa_fetch_deskprofile_hostinfo(struct tevent_req *req); +static void ipa_fetch_deskprofile_hostinfo_done(struct tevent_req *subreq); +static void ipa_fetch_deskprofile_config_done(struct tevent_req *subreq); +static void ipa_fetch_deskprofile_rules_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_fetch_deskprofile_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_session_ctx *session_ctx, + const char *username) +{ + struct ipa_fetch_deskprofile_state *state; + struct tevent_req *req; + time_t now; + time_t refresh_interval; + time_t request_interval; + time_t next_request; + bool offline; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_fetch_deskprofile_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->session_ctx = session_ctx; + state->sdap_ctx = session_ctx->sdap_ctx; + state->ipa_options = session_ctx->ipa_options; + state->search_bases = 
session_ctx->deskprofile_search_bases; + state->username = username; + state->hosts = talloc_zero(state, struct ipa_common_entries); + if (state->hosts == NULL) { + ret = ENOMEM; + goto immediately; + } + state->rules = talloc_zero(state, struct ipa_common_entries); + if (state->rules == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (state->search_bases == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Desktop Profile search base found.\n"); + ret = EINVAL; + goto immediately; + } + + state->sdap_op = sdap_id_op_create(state, + state->sdap_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n"); + ret = ENOMEM; + goto immediately; + } + + now = time(NULL); + + request_interval = dp_opt_get_int(state->ipa_options, + IPA_DESKPROFILE_REQUEST_INTERVAL); + /* This value is in minutes ... */ + request_interval *= MINUTE_IN_SECONDS; + + if (state->session_ctx->no_rules_found && + now < session_ctx->last_request + request_interval) { + next_request = (session_ctx->last_request + request_interval - now); + /* This value is in seconds ... */ + next_request /= 60; + DEBUG(SSSDBG_TRACE_FUNC, + "No rules were found in the last request.\n" + "Next request will happen in any login after %ld minutes\n", + next_request); + ret = ENOENT; + goto immediately; + } + + state->session_ctx->no_rules_found = false; + + offline = be_is_offline(be_ctx); + DEBUG(SSSDBG_TRACE_ALL, "Connection status is [%s].\n", + offline ? 
"offline" : "online"); + + refresh_interval = dp_opt_get_int(state->ipa_options, + IPA_DESKPROFILE_REFRESH); + + if (offline || now < session_ctx->last_update + refresh_interval) { + DEBUG(SSSDBG_TRACE_FUNC, + "Performing cached Desktop Profile evaluation\n"); + ret = EOK; + goto immediately; + } + + ret = ipa_fetch_deskprofile_retry(req); + if (ret != EAGAIN) { + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t +ipa_fetch_deskprofile_retry(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct ipa_fetch_deskprofile_state *state; + int ret; + + state = tevent_req_data(req, struct ipa_fetch_deskprofile_state); + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_id_op_connect_send() failed: %d (%s)\n", + ret, strerror(ret)); + + return ret; + } + + tevent_req_set_callback(subreq, ipa_fetch_deskprofile_connect_done, req); + + return EAGAIN; +} + +static void +ipa_fetch_deskprofile_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + ret = ipa_fetch_deskprofile_hostinfo(req); + if (ret == EAGAIN) { + return; + } + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +static errno_t +ipa_fetch_deskprofile_hostinfo(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct ipa_fetch_deskprofile_state *state; + const char *hostname; + + state = tevent_req_data(req, struct ipa_fetch_deskprofile_state); + hostname = dp_opt_get_string(state->ipa_options, IPA_HOSTNAME); + + subreq = ipa_host_info_send(state, + state->ev, + 
sdap_id_op_handle(state->sdap_op), + state->sdap_ctx->opts, + hostname, + state->session_ctx->host_map, + state->session_ctx->hostgroup_map, + state->session_ctx->host_search_bases); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_fetch_deskprofile_hostinfo_done, req); + + return EAGAIN; +} + +static void +ipa_fetch_deskprofile_hostinfo_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ipa_fetch_deskprofile_state *state; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_fetch_deskprofile_state); + + ret = ipa_host_info_recv(subreq, state, + &state->hosts->entry_count, + &state->hosts->entries, + &state->hosts->group_count, + &state->hosts->groups); + state->hosts->entry_subdir = DESKPROFILE_HOSTS_SUBDIR; + state->hosts->group_subdir = DESKPROFILE_HOSTGROUPS_SUBDIR; + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + ret = ipa_get_host_attrs(state->ipa_options, + state->hosts->entry_count, + state->hosts->entries, + &state->ipa_host); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not locate IPA host.\n"); + goto done; + } + + subreq = ipa_deskprofile_get_config_send(state, + state->ev, + sdap_id_op_handle(state->sdap_op), + state->sdap_ctx->opts, + state->ipa_options); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ipa_fetch_deskprofile_config_done, req); + return; + +done: + tevent_req_error(req, ret); +} + +static void +ipa_fetch_deskprofile_config_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ipa_fetch_deskprofile_state *state; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_fetch_deskprofile_state); + + ret = ipa_deskprofile_get_config_recv(subreq, state, &state->config); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + ret = 
sysdb_store_custom(state->be_ctx->domain, IPA_DESKPROFILE_PRIORITY, + DESKPROFILE_CONFIG_SUBDIR, state->config); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to save Desktop Profile policy\n"); + goto done; + } + + subreq = ipa_deskprofile_rule_info_send(state, + state->ev, + sdap_id_op_handle(state->sdap_op), + state->sdap_ctx->opts, + state->search_bases, + state->ipa_host, + state->be_ctx->domain, + state->username); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ipa_fetch_deskprofile_rules_done, req); + return; + +done: + tevent_req_error(req, ret); +} + +static void +ipa_fetch_deskprofile_rules_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ipa_fetch_deskprofile_state *state; + int dp_error; + errno_t ret; + bool found; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_fetch_deskprofile_state); + + ret = ipa_deskprofile_rule_info_recv(subreq, + state, + &state->rules->entry_count, + &state->rules->entries); + state->rules->entry_subdir = DESKPROFILE_RULES_SUBDIR; + talloc_zfree(subreq); + if (ret == ENOENT) { + /* Set ret to EOK so we can safely call sdap_id_op_done. 
*/ + ret = EOK; + found = false; + } else if (ret == EOK) { + found = true; + } else { + goto done; + } + + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = ipa_fetch_deskprofile_retry(req); + if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + return; + } else if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* For now, let's completely purge the previous stored + * rules before saving the new ones */ + ret = ipa_common_purge_rules(state->be_ctx->domain, + DESKPROFILE_RULES_SUBDIR); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to remove Desktop Profile rules\n"); + goto done; + } + + if (!found) { + ret = ENOENT; + goto done; + } + + ret = ipa_common_save_rules(state->be_ctx->domain, + state->hosts, NULL, state->rules, + &state->session_ctx->last_update); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to save Desktop Profile rules\n"); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t +ipa_fetch_deskprofile_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct ipa_pam_session_handler_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct ipa_session_ctx *session_ctx; + struct pam_data *pd; + + /* Those attributes are used for: + * - saving the deskprofile rules to the disk; + * - deleting the deskprofile rules from the disk; + * - contacting the deskprofile client that everything is ready; + */ + char *shortname; + char *domain; + char *user_dir; + uid_t uid; + gid_t gid; +}; + +static errno_t +ipa_pam_session_handler_get_deskprofile_user_info( + TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *username, + char **_shortname, + char **_domain, + char **_user_dir, + uid_t *uid, + gid_t *gid); +static void ipa_pam_session_handler_done(struct tevent_req *subreq); +static 
errno_t +ipa_pam_session_handler_save_deskprofile_rules( + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + const char *username, /* fully-qualified */ + const char *user_dir, + const char *hostname, + uid_t uid, + gid_t gid); +static errno_t +ipa_pam_session_handler_notify_deskprofile_client(uid_t uid, + const char *user_dir, + uint16_t prio); + + +struct tevent_req * +ipa_pam_session_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_session_ctx *session_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct ipa_pam_session_handler_state *state; + errno_t ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Retrieving Desktop Profile rules\n"); + req = tevent_req_create(mem_ctx, &state, + struct ipa_pam_session_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + state->ev = params->ev; + state->be_ctx = params->be_ctx; + state->session_ctx = session_ctx; + + /* Get all the user info that will be needed in order the delete the + * user's deskprofile directory from the disk, create the user's directory, + * save the fetched rules to the disk and notify the deskprofile client + * that this operation is done. */ + ret = ipa_pam_session_handler_get_deskprofile_user_info( + state, + state->be_ctx->domain, + pd->user, + &state->shortname, + &state->domain, + &state->user_dir, + &state->uid, + &state->gid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_deskprofile_get_user_info() failed [%d]: %s\n", + ret, sss_strerror(ret)); + state->pd->pam_status = PAM_SESSION_ERR; + goto done; + } + + /* As no proper merging mechanism has been implemented yet ... + * let's just remove the user directory stored in the disk as it's + * going to be created again in case there's any rule fetched. 
*/ + ret = ipa_deskprofile_rules_remove_user_dir(state->user_dir, + state->uid, + state->gid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_deskprofile_rules_remove_user_dir() failed.\n"); + state->pd->pam_status = PAM_SESSION_ERR; + goto done; + } + + subreq = ipa_fetch_deskprofile_send(state, state->ev, state->be_ctx, + state->session_ctx, pd->user); + if (subreq == NULL) { + state->pd->pam_status = PAM_SESSION_ERR; + goto done; + } + + tevent_req_set_callback(subreq, ipa_pam_session_handler_done, req); + return req; + +done: + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void +ipa_pam_session_handler_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct ipa_pam_session_handler_state *state; + const char *hostname; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_pam_session_handler_state); + + ret = ipa_fetch_deskprofile_recv(subreq); + talloc_free(subreq); + + if (ret == ENOENT) { + DEBUG(SSSDBG_IMPORTANT_INFO, "No Desktop Profile rules found\n"); + if (!state->session_ctx->no_rules_found) { + state->session_ctx->no_rules_found = true; + state->session_ctx->last_request = time(NULL); + } + state->pd->pam_status = PAM_SUCCESS; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to fetch Desktop Profile rules [%d]: %s\n", + ret, sss_strerror(ret)); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + state->session_ctx->last_request = time(NULL); + + hostname = dp_opt_get_string(state->session_ctx->ipa_options, IPA_HOSTNAME); + ret = ipa_pam_session_handler_save_deskprofile_rules(state->be_ctx, + state->be_ctx->domain, + state->pd->user, + state->user_dir, + hostname, + state->uid, + state->gid); + + state->pd->pam_status = (ret == EOK) ? PAM_SUCCESS : PAM_SESSION_ERR; + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +errno_t +ipa_pam_session_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct ipa_pam_session_handler_state *state = NULL; + + state = tevent_req_data(req, struct ipa_pam_session_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} + +static errno_t +ipa_pam_session_handler_get_deskprofile_user_info(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *username, + char **_shortname, + char **_domain, + char **_user_dir, + uid_t *_uid, + gid_t *_gid) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_result *res = NULL; + char *shortname; + char *domain_name; + char *user_dir; + uid_t uid; + gid_t gid; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sss_parse_internal_fqname(tmp_ctx, username, + &shortname, &domain_name); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Failed to parse \"%s\" [%d]: %s\n", + username, ret, sss_strerror(ret)); + goto done; + } + + user_dir = talloc_asprintf(tmp_ctx, IPA_DESKPROFILE_RULES_USER_DIR"/%s/%s", + domain_name, shortname); + if (user_dir == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed!\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_getpwnam(tmp_ctx, domain, username, &res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_getpwnam() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (res->count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_getpwnam() got more users than expected. " + "Expected [%d], got [%d]\n", 1, res->count); + ret = EINVAL; + goto done; + } + + uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0); + gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0); + if (uid == 0 || gid == 0) { + /* As IPA doesn't handle root users ou groups, we know for sure that's + * something wrong in case we get uid = 0 or gid = 0. 
+ */ + ret = EINVAL; + goto done; + } + + ret = EOK; + + *_shortname = talloc_steal(mem_ctx, shortname); + *_domain = talloc_steal(mem_ctx, domain_name); + *_user_dir = talloc_steal(mem_ctx, user_dir); + *_uid = uid; + *_gid = gid; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_pam_session_handler_save_deskprofile_rules( + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + const char *username, /* fully-qualified */ + const char *user_dir, + const char *hostname, + uid_t uid, + gid_t gid) +{ + TALLOC_CTX *tmp_ctx; + const char **attrs_get_cached_rules; + size_t rule_count; + struct sysdb_attrs **rules; + uint16_t priority; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* Get Desktop Profile priority from sysdb */ + ret = deskprofile_get_cached_priority(be_ctx->domain, &priority); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "deskprofile_get_cached_priority() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + + /* Get Desktop Profile rules from sysdb */ + attrs_get_cached_rules = deskprofile_get_attrs_to_get_cached_rules(tmp_ctx); + if (attrs_get_cached_rules == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "deskprofile_get_attrs_get_cached_rules() failed\n"); + ret = ENOMEM; + goto done; + } + ret = ipa_common_get_cached_rules(tmp_ctx, be_ctx->domain, + IPA_DESKPROFILE_RULE, + DESKPROFILE_RULES_SUBDIR, + attrs_get_cached_rules, + &rule_count, + &rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not retrieve Desktop Profile rules from the cache\n"); + goto done; + } + + /* Create the user directory where the rules are going to be stored */ + ret = ipa_deskprofile_rules_create_user_dir(username, uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create the user directory [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Save the rules to the disk */ + for (size_t i = 0; i < rule_count; i++) { + ret = 
ipa_deskprofile_rules_save_rule_to_disk(tmp_ctx, + priority, + rules[i], + domain, + hostname, + username, + uid, + gid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to save a Desktop Profile Rule to disk [%d]: %s\n", + ret, sss_strerror(ret)); + continue; + } + } + + /* Notify FleetCommander that our side is done */ + ret = ipa_pam_session_handler_notify_deskprofile_client(uid, + user_dir, + priority); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ipa_pam_session_handler_notify_deskprofile_client() " + "failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static DBusConnection * +ipa_deskprofile_client_connect(void) +{ + DBusConnection *conn; + DBusError error; + + dbus_error_init(&error); + conn = dbus_bus_get(DBUS_BUS_SYSTEM, &error); + if (dbus_error_is_set(&error)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to connect to the FleetCommanderClient bus [%s]: %s\n", + error.name, error.message); + conn = NULL; + goto done; + } + +done: + dbus_error_free(&error); + return conn; +} + +static errno_t +ipa_pam_session_handler_notify_deskprofile_client(uid_t uid, + const char *user_dir, + uint16_t prio) +{ + DBusConnection *conn = NULL; + DBusMessage *msg = NULL; + DBusError error; + errno_t ret; + bool dbus_ret; + + dbus_error_init(&error); + + conn = ipa_deskprofile_client_connect(); + if (conn == NULL) { + ret = EIO; + goto done; + } + + msg = sbus_create_message(NULL, + SSS_FLEETCOMMANDERCLIENT_BUS, + SSS_FLEETCOMMANDERCLIENT_PATH, + SSS_FLEETCOMMANDERCLIENT_IFACE, + "ProcessSSSDFiles", + DBUS_TYPE_UINT32, &uid, + DBUS_TYPE_STRING, &user_dir, + DBUS_TYPE_UINT16, &prio); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create D-Bus Message!\n"); + ret = ENOMEM; + goto done; + } + + dbus_ret = dbus_connection_send(conn, msg, NULL); + if (dbus_ret == FALSE) { + ret = EIO; + goto done; + } + + ret = EOK; + +done: + if (msg != NULL) { + dbus_message_unref(msg); + 
} + + if (conn != NULL) { + dbus_connection_unref(conn); + } + + return ret; +} diff --git a/src/providers/ipa/ipa_session.h b/src/providers/ipa/ipa_session.h new file mode 100644 index 0000000..0c4d54f --- /dev/null +++ b/src/providers/ipa/ipa_session.h @@ -0,0 +1,54 @@ +/* + SSSD + + IPA Backend Module -- Session Management + + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef IPA_SESSION_H_ +#define IPA_SESSION_H_ + +#include "providers/ldap/ldap_common.h" + +struct ipa_session_ctx { + struct sdap_id_ctx *sdap_ctx; + struct dp_option *ipa_options; + time_t last_update; + time_t last_request; + bool no_rules_found; + + struct sdap_attr_map *host_map; + struct sdap_attr_map *hostgroup_map; + struct sdap_search_base **deskprofile_search_bases; + struct sdap_search_base **host_search_bases; +}; + +struct tevent_req * +ipa_pam_session_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_session_ctx *session_ctx, + struct pam_data *pd, + struct dp_req_params *params); + +errno_t +ipa_pam_session_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data); + +#endif /* IPA_SESSION_H_ */ diff --git a/src/providers/ipa/ipa_srv.c b/src/providers/ipa/ipa_srv.c new file mode 100644 index 0000000..7477711 --- /dev/null +++ b/src/providers/ipa/ipa_srv.c 
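Review bot: In `ipa_pam_session_handler_get_deskprofile_user_info`, `domain_name` and `shortname` go straight from `sss_parse_internal_fqname()` into the `IPA_DESKPROFILE_RULES_USER_DIR"/%s/%s"` path, and `ipa_pam_session_handler_send` hands that path to `ipa_deskprofile_rules_remove_user_dir()` before anything is fetched. Nothing visible in this file rejects a component that contains `/` or equals `.` or `..`; the remove helper is defined elsewhere and may check, but the place where the path is built is the cheapest one to enforce it. I would add, right after the parse succeeds, a guard such as `if (strchr(shortname, '/') != NULL || strcmp(shortname, ".") == 0 || strcmp(shortname, "..") == 0) { ret = EINVAL; goto done; }` and the same test for `domain_name`. In the same function `uid` and `gid` are narrowed from `ldb_msg_find_attr_as_uint64()` into `uid_t`/`gid_t` before the zero check, so reading into a `uint64_t` and range-checking before the assignment would keep an oversized cached value from silently becoming a different id when it is passed on to the directory and rule-file helpers.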
@@ -0,0 +1,224 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "resolv/async_resolv.h" +#include "providers/fail_over_srv.h" +#include "providers/ipa/ipa_srv.h" + +#define IPA_DNS_LOCATION "_location" + +struct ipa_srv_plugin_ctx { + struct resolv_ctx *resolv_ctx; + const char *hostname; + const char *ipa_domain; +}; + +struct ipa_srv_plugin_ctx * +ipa_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx, + struct resolv_ctx *resolv_ctx, + const char *hostname, + const char *ipa_domain) +{ + struct ipa_srv_plugin_ctx *ctx = NULL; + + ctx = talloc_zero(mem_ctx, struct ipa_srv_plugin_ctx); + if (ctx == NULL) { + return NULL; + } + + ctx->resolv_ctx = resolv_ctx; + + ctx->hostname = talloc_strdup(ctx, hostname); + if (ctx->hostname == NULL) { + goto fail; + } + + ctx->ipa_domain = talloc_strdup(ctx, ipa_domain); + if (ctx->ipa_domain == NULL) { + goto fail; + } + + return ctx; + +fail: + talloc_free(ctx); + return NULL; +} + +struct ipa_srv_plugin_state { + char *dns_domain; + uint32_t ttl; + struct fo_server_info *primary_servers; + size_t num_primary_servers; + struct fo_server_info *backup_servers; + size_t num_backup_servers; +}; + +static void ipa_srv_plugin_done(struct tevent_req *subreq); + +/* If IPA server supports sites, we will use + * _locations.hostname.discovery_domain for primary 
servers and + * discovery_domain for backup servers. If the server does not support sites or + * client's SRV record is not found, we will use the latter for primary + * servers, setting backup servers to NULL */ +struct tevent_req *ipa_srv_plugin_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *service, + const char *protocol, + const char *discovery_domain, + void *pvt) +{ + struct ipa_srv_plugin_state *state = NULL; + struct ipa_srv_plugin_ctx *ctx = NULL; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + const char *primary_domain = NULL; + const char *backup_domain = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_srv_plugin_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + ctx = talloc_get_type(pvt, struct ipa_srv_plugin_ctx); + if (ctx == NULL) { + ret = EINVAL; + goto immediately; + } + + if (discovery_domain != NULL) { + backup_domain = talloc_strdup(state, discovery_domain); + } else { + backup_domain = talloc_strdup(state, ctx->ipa_domain); + } + if (backup_domain == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (strchr(ctx->hostname, '.') == NULL) { + /* not FQDN, append domain name */ + primary_domain = talloc_asprintf(state, IPA_DNS_LOCATION ".%s.%s", + ctx->hostname, backup_domain); + } else { + primary_domain = talloc_asprintf(state, IPA_DNS_LOCATION ".%s", + ctx->hostname); + } + if (primary_domain == NULL) { + ret = ENOMEM; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_FUNC, "About to discover primary and " + "backup servers\n"); + + subreq = fo_discover_servers_send(state, ev, ctx->resolv_ctx, service, + protocol, primary_domain, backup_domain); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_srv_plugin_done, req); + + return req; + +immediately: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + + return req; +} + +static void 
ipa_srv_plugin_done(struct tevent_req *subreq) +{ + struct ipa_srv_plugin_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_srv_plugin_state); + + ret = fo_discover_servers_recv(state, subreq, &state->dns_domain, + &state->ttl, + &state->primary_servers, + &state->num_primary_servers, + &state->backup_servers, + &state->num_backup_servers); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Got %zu primary and %zu backup servers\n", + state->num_primary_servers, state->num_backup_servers); + + tevent_req_done(req); +} + +errno_t ipa_srv_plugin_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain, + uint32_t *_ttl, + struct fo_server_info **_primary_servers, + size_t *_num_primary_servers, + struct fo_server_info **_backup_servers, + size_t *_num_backup_servers) +{ + struct ipa_srv_plugin_state *state = NULL; + state = tevent_req_data(req, struct ipa_srv_plugin_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_primary_servers) { + *_primary_servers = talloc_steal(mem_ctx, state->primary_servers); + } + + if (_num_primary_servers) { + *_num_primary_servers = state->num_primary_servers; + } + + if (_backup_servers) { + *_backup_servers = talloc_steal(mem_ctx, state->backup_servers); + } + + if (_num_backup_servers) { + *_num_backup_servers = state->num_backup_servers; + } + + if (_dns_domain) { + *_dns_domain = talloc_steal(mem_ctx, state->dns_domain); + } + + if (_ttl) { + *_ttl = state->ttl; + } + + return EOK; +} diff --git a/src/providers/ipa/ipa_srv.h b/src/providers/ipa/ipa_srv.h new file mode 100644 index 0000000..d089c9f --- /dev/null +++ b/src/providers/ipa/ipa_srv.h 
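Review bot: The comment above `ipa_srv_plugin_send` does not match the names the function builds: it says `_locations.hostname.discovery_domain`, while `IPA_DNS_LOCATION` is `"_location"` and the discovery domain is appended only when `ctx->hostname` contains no dot. For a fully-qualified hostname the primary lookup is `_location.<hostname>` regardless of `discovery_domain`, which matters to anyone working out which DNS zone decides the primary server list. The fallback the comment describes (using the discovery domain for primary servers when the site record is missing) is not in this file, so it presumably lives in `fo_discover_servers_send`; the comment should say so. I would reword it to `/* Primary servers are looked up under _location.<hostname> (the discovery domain is appended only when hostname is not an FQDN); backup servers under discovery_domain, or ctx->ipa_domain when that is NULL. Fallback handling is done by fo_discover_servers. */`.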
@@ -0,0 +1,48 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __IPA_SRV_H__
+#define __IPA_SRV_H__
+
+struct ipa_srv_plugin_ctx;
+
+struct ipa_srv_plugin_ctx *
+ipa_srv_plugin_ctx_init(TALLOC_CTX *mem_ctx,
+ struct resolv_ctx *resolv_ctx,
+ const char *hostname,
+ const char *ipa_domain);
+
+struct tevent_req *ipa_srv_plugin_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *service,
+ const char *protocol,
+ const char *discovery_domain,
+ void *pvt);
+
+errno_t ipa_srv_plugin_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain,
+ uint32_t *_ttl,
+ struct fo_server_info **_primary_servers,
+ size_t *_num_primary_servers,
+ struct fo_server_info **_backup_servers,
+ size_t *_num_backup_servers);
+
+#endif /* __IPA_SRV_H__ */
diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c
new file mode 100644
index 0000000..1b44355
--- /dev/null
+++ b/src/providers/ipa/ipa_subdomains.c
@@ -0,0 +1,3147 @@
+/*
+ SSSD
+
+ IPA Subdomains Module
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "providers/ldap/sdap_ops.h"
+#include "providers/ipa/ipa_subdomains.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ipa/ipa_id.h"
+#include "providers/ipa/ipa_opts.h"
+#include "providers/ipa/ipa_config.h"
+
+#include
+
+#define SUBDOMAINS_FILTER "objectclass=ipaNTTrustedDomain"
+#define MASTER_DOMAIN_FILTER "objectclass=ipaNTDomainAttrs"
+#define RANGE_FILTER "objectclass=ipaIDRange"
+
+#define IPA_CN "cn"
+#define IPA_FLATNAME "ipaNTFlatName"
+#define IPA_SID "ipaNTSecurityIdentifier"
+#define IPA_TRUSTED_DOMAIN_SID "ipaNTTrustedDomainSID"
+#define IPA_RANGE_TYPE "ipaRangeType"
+#define IPA_ADDITIONAL_SUFFIXES "ipaNTAdditionalSuffixes"
+
+#define IPA_BASE_ID "ipaBaseID"
+#define IPA_ID_RANGE_SIZE "ipaIDRangeSize"
+#define IPA_BASE_RID "ipaBaseRID"
+#define IPA_SECONDARY_BASE_RID "ipaSecondaryBaseRID"
+#define OBJECTCLASS "objectClass"
+
+#define IPA_ASSIGNED_ID_VIEW "ipaAssignedIDView"
+
+#define IPA_DOMAIN_RESOLUTION_ORDER "ipaDomainResolutionOrder"
+
+/* do not refresh more often than every 5 seconds for now */
+#define IPA_SUBDOMAIN_REFRESH_LIMIT 5
+
+#define IPA_SUBDOMAIN_DISABLED_PERIOD 3600
+
+#define IPA_OC_CERTMAP_CONFIG_OBJECT
"ipaCertMapConfigObject"
+#define IPA_CERTMAP_PROMPT_USERNAME "ipaCertMapPromptUserName"
+
+#define IPA_OC_CERTMAP_RULE "ipaCertMapRule"
+#define IPA_CERTMAP_MAPRULE "ipaCertMapMapRule"
+#define IPA_CERTMAP_MATCHRULE "ipaCertMapMatchRule"
+#define IPA_CERTMAP_PRIORITY "ipaCertMapPriority"
+#define IPA_ENABLED_FLAG "ipaEnabledFlag"
+#define IPA_TRUE_VALUE "TRUE"
+#define IPA_ASSOCIATED_DOMAIN "associatedDomain"
+
+#define OBJECTCLASS "objectClass"
+
+#define CERTMAP_FILTER "(|(&("OBJECTCLASS"="IPA_OC_CERTMAP_RULE")" \
+ "("IPA_ENABLED_FLAG"="IPA_TRUE_VALUE"))" \
+ "("OBJECTCLASS"="IPA_OC_CERTMAP_CONFIG_OBJECT"))"
+
+/* It doesn't make sense to resolve more servers than this from the SRV
+ * lookup because kinit would time out before we are able to cycle
+ * through the whole list
+ */
+#define MAX_SERVERS_FROM_SRV 5
+
+struct ipa_sd_k5_svc_list {
+ struct krb5_service *k5svc;
+
+ struct ipa_sd_k5_svc_list *next;
+ struct ipa_sd_k5_svc_list *prev;
+};
+
+struct ipa_subdomains_ctx {
+ struct be_ctx *be_ctx;
+ struct ipa_id_ctx *ipa_id_ctx;
+ struct sdap_id_ctx *sdap_id_ctx;
+ struct sdap_search_base **search_bases;
+ struct sdap_search_base **master_search_bases;
+ struct sdap_search_base **ranges_search_bases;
+ struct sdap_search_base **host_search_bases;
+
+ time_t last_refreshed;
+ bool view_read_at_init;
+ /* List of krb5_service structures for each subdomain
+ * in order to write the kdcinfo files.
For use on + * the client only + */ + struct ipa_sd_k5_svc_list *k5svc_list; +}; + +static errno_t +ipa_subdom_reinit(struct ipa_subdomains_ctx *ctx) +{ + errno_t ret; + bool canonicalize = false; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Re-initializing domain %s\n", ctx->be_ctx->domain->name); + + if (ctx->ipa_id_ctx->ipa_options->auth_ctx != NULL + && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx != NULL + && ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts != NULL + ) { + canonicalize = dp_opt_get_bool( + ctx->ipa_id_ctx->ipa_options->auth_ctx->krb5_auth_ctx->opts, + KRB5_CANONICALIZE); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "Auth provider data is not available, " + "most probably because the auth provider " + "is not 'ipa'. Kerberos configuration " + "snippet to set the 'canonicalize' option " + "will not be created.\n"); + } + + ret = sss_write_krb5_conf_snippet( + dp_opt_get_string(ctx->ipa_id_ctx->ipa_options->basic, + IPA_KRB5_CONFD_PATH), + canonicalize, false); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "sss_write_krb5_conf_snippet failed.\n"); + /* Just continue */ + } + + ret = sysdb_master_domain_update(ctx->be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_master_domain_update failed.\n"); + return ret; + } + + ret = sysdb_update_subdomains(ctx->be_ctx->domain, ctx->be_ctx->cdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed.\n"); + return ret; + } + + ret = sss_write_domain_mappings(ctx->be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "sss_krb5_write_mappings failed.\n"); + /* Just continue */ + } + + return EOK; +} + +static errno_t ipa_ranges_parse_results(TALLOC_CTX *mem_ctx, + char *domain_name, + size_t count, + struct sysdb_attrs **reply, + struct range_info ***_range_list) +{ + struct range_info **range_list = NULL; + struct range_info *r; + const char *value; + size_t c; + size_t d; + int ret; + enum idmap_error_code err; + char *name1; + char 
*name2; + char *sid1; + char *sid2; + uint32_t rid1; + uint32_t rid2; + struct sss_idmap_range range1; + struct sss_idmap_range range2; + bool mapping1; + bool mapping2; + + range_list = talloc_array(mem_ctx, struct range_info *, count + 1); + if (range_list == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + return ENOMEM; + } + + for (c = 0; c < count; c++) { + r = talloc_zero(range_list, struct range_info); + if (r == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + r->name = talloc_strdup(r, value); + if (r->name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_TRUSTED_DOMAIN_SID, &value); + if (ret == EOK) { + r->trusted_dom_sid = talloc_strdup(r, value); + if (r->trusted_dom_sid == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_uint32_t(reply[c], IPA_BASE_ID, + &r->base_id); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_uint32_t(reply[c], IPA_ID_RANGE_SIZE, + &r->id_range_size); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_uint32_t(reply[c], IPA_BASE_RID, + &r->base_rid); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_uint32_t(reply[c], IPA_SECONDARY_BASE_RID, + &r->secondary_base_rid); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string 
failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_RANGE_TYPE, &value); + if (ret == EOK) { + r->range_type = talloc_strdup(r, value); + if (r->range_type == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else if (ret == ENOENT) { + /* Older IPA servers might not have the range_type attribute, but + * only support local ranges and trusts with algorithmic mapping. */ + if (r->trusted_dom_sid == NULL) { + r->range_type = talloc_strdup(r, IPA_RANGE_LOCAL); + } else { + r->range_type = talloc_strdup(r, IPA_RANGE_AD_TRUST); + } + } else { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + if (r->range_type == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = get_idmap_data_from_range(r, domain_name, &name1, &sid1, &rid1, + &range1, &mapping1); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_idmap_data_from_range failed.\n"); + goto done; + } + for (d = 0; d < c; d++) { + ret = get_idmap_data_from_range(range_list[d], domain_name, &name2, + &sid2, &rid2, &range2, &mapping2); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "get_idmap_data_from_range failed.\n"); + goto done; + } + + err = sss_idmap_check_collision_ex(name1, sid1, &range1, rid1, + r->name, mapping1, + name2, sid2, &range2, rid2, + range_list[d]->name, mapping2); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Collision of ranges [%s] and [%s] detected.\n", + r->name, range_list[d]->name); + ret = EINVAL; + goto done; + } + } + + range_list[c] = r; + } + + range_list[c] = NULL; + + *_range_list = range_list; + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(range_list); + } + + return ret; +} + +struct priv_sss_debug { + int level; +}; + +static errno_t ipa_certmap_parse_results(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sdap_options *sdap_opts, + size_t count, + struct sysdb_attrs **reply, + 
struct certmap_info ***_certmap_list) +{ + struct certmap_info **certmap_list = NULL; + struct certmap_info *m; + const char *value; + const char **values; + size_t c; + size_t lc = 0; + int ret; + const char **ocs = NULL; + bool user_name_hint = false; + + certmap_list = talloc_zero_array(mem_ctx, struct certmap_info *, count + 1); + if (certmap_list == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + return ENOMEM; + } + + for (c = 0; c < count; c++) { + ret = sysdb_attrs_get_string_array(reply[c], SYSDB_OBJECTCLASS, mem_ctx, + &ocs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing objectclasses for config objects.\n"); + ret = EINVAL; + goto done; + } + + if (string_in_list(IPA_OC_CERTMAP_CONFIG_OBJECT, discard_const(ocs), + false)) { + ret = sysdb_attrs_get_bool(reply[c], IPA_CERTMAP_PROMPT_USERNAME, + &user_name_hint); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read user name hint option, skipping.\n"); + } + continue; + } + + m = talloc_zero(certmap_list, struct certmap_info); + if (m == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + m->name = talloc_strdup(m, value); + if (m->name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_CERTMAP_MATCHRULE, &value); + if (ret == EOK) { + m->match_rule = talloc_strdup(m, value); + if (m->match_rule == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_string(reply[c], IPA_CERTMAP_MAPRULE, &value); + if (ret == EOK) { + m->map_rule = talloc_strdup(m, value); + if (m->map_rule == NULL) { + 
DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } else if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_string_array(reply[c], IPA_ASSOCIATED_DOMAIN, m, + &values); + if (ret == EOK) { + m->domains = values; + } else if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_uint32_t(reply[c], IPA_CERTMAP_PRIORITY, + &m->priority); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } else if (ret == ENOENT) { + m->priority = SSS_CERTMAP_MIN_PRIO; + } + + certmap_list[lc++] = m; + } + + certmap_list[lc] = NULL; + + ret = sdap_setup_certmap(sdap_opts->sdap_certmap_ctx, certmap_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_setup_certmap failed.\n"); + goto done; + } + + ret = sysdb_update_certmap(domain->sysdb, certmap_list, user_name_hint); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_certmap failed"); + goto done; + } + + if (_certmap_list != NULL) { + *_certmap_list = certmap_list; + } else { + talloc_free(certmap_list); + } + + ret = EOK; + +done: + talloc_free(ocs); + if (ret != EOK) { + talloc_free(certmap_list); + } + + return ret; +} + +static errno_t ipa_subdom_enumerates(struct sss_domain_info *parent, + struct sysdb_attrs *attrs, + bool *_enumerates) +{ + errno_t ret; + const char *name; + + ret = sysdb_attrs_get_string(attrs, IPA_CN, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + return ret; + } + + *_enumerates = subdomain_enumerates(parent, name); + return EOK; +} + +static errno_t ipa_subdom_get_forest(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb_ctx, + struct sysdb_attrs *attrs, + char **_forest) +{ + int ret; + struct ldb_dn *dn = NULL; + const char *name; + const struct ldb_val *val; + char *forest = NULL; + + dn = 
ipa_subdom_ldb_dn(mem_ctx, ldb_ctx, attrs); + if (dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_subdom_ldb_dn failed.\n"); + ret = EIO; + goto done; + } + + if (ipa_subdom_is_member_dom(dn) == false) { + ret = sysdb_attrs_get_string(attrs, IPA_CN, &name); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + forest = talloc_strdup(mem_ctx, name); + if (forest == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "The forest name is %s\n", forest); + ret = EOK; + goto done; + } + + val = ldb_dn_get_component_val(dn, 1); + forest = talloc_strndup(mem_ctx, (const char *) val->data, val->length); + if (forest == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = EOK; +done: + talloc_free(dn); + + if (ret == EOK) { + *_forest = forest; + } + + return ret; +} + +static errno_t ipa_get_sd_trust_direction(struct sysdb_attrs *sd, + struct ipa_id_ctx *id_ctx, + struct ldb_context *ldb_ctx, + uint32_t *_direction) +{ + if (id_ctx->server_mode != NULL) { + return ipa_server_get_trust_direction(sd, ldb_ctx, _direction); + } else { + /* Clients do not have access to the trust objects's trust direction + * and don't generally care + */ + *_direction = 0; + return EOK; + } +} + +static errno_t ipa_subdom_store(struct sss_domain_info *parent, + struct ipa_id_ctx *id_ctx, + struct sdap_idmap_ctx *sdap_idmap_ctx, + struct sysdb_attrs *attrs) +{ + TALLOC_CTX *tmp_ctx; + const char *name; + char *realm; + const char *flat; + const char *id; + char *forest = NULL; + int ret; + bool mpg; + bool enumerate; + uint32_t direction; + struct ldb_message_element *alternative_domain_suffixes = NULL; + + tmp_ctx = talloc_new(parent); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sysdb_attrs_get_string(attrs, IPA_CN, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + 
goto done; + } + + realm = get_uppercase_realm(tmp_ctx, name); + if (!realm) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(attrs, IPA_FLATNAME, &flat); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_string(attrs, IPA_TRUSTED_DOMAIN_SID, &id); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_el_ext(attrs, IPA_ADDITIONAL_SUFFIXES, false, + &alternative_domain_suffixes); + if (ret != EOK && ret != ENOENT) { + goto done; + } + + mpg = sdap_idmap_domain_has_algorithmic_mapping(sdap_idmap_ctx, name, id); + + ret = ipa_subdom_get_forest(tmp_ctx, sysdb_ctx_get_ldb(parent->sysdb), + attrs, &forest); + if (ret != EOK) { + goto done; + } + + ret = ipa_subdom_enumerates(parent, attrs, &enumerate); + if (ret != EOK) { + goto done; + } + + ret = ipa_get_sd_trust_direction(attrs, id_ctx, + sysdb_ctx_get_ldb(parent->sysdb), + &direction); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_get_sd_trust_direction failed: %d\n", ret); + goto done; + } + + if (id_ctx->server_mode != NULL) { + DEBUG(SSSDBG_FUNC_DATA, + "Trust type of [%s]: %s\n", name, ipa_trust_dir2str(direction)); + } + + ret = sysdb_subdomain_store(parent->sysdb, name, realm, flat, + id, mpg, enumerate, forest, + direction, alternative_domain_suffixes); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_subdomain_store failed.\n"); + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static struct krb5_service * +ipa_subdom_get_k5_svc(struct ipa_subdomains_ctx *ctx, + struct sss_domain_info *dom, + bool use_kdcinfo) +{ + struct ipa_sd_k5_svc_list *k5svc_ent; + + /* get the service by realm */ + DLIST_FOR_EACH(k5svc_ent, ctx->k5svc_list) { + if (strcasecmp(dom->realm, k5svc_ent->k5svc->realm) == 0) { + break; + } + } + + if (k5svc_ent != NULL) { + /* Already exists */ + return k5svc_ent->k5svc; + } + + /* Create a new service 
*/ + k5svc_ent = talloc_zero(ctx, struct ipa_sd_k5_svc_list); + if (k5svc_ent == NULL) { + return NULL; + } + + k5svc_ent->k5svc = krb5_service_new(k5svc_ent, + ctx->be_ctx, + "IPA", + dom->realm, + use_kdcinfo); + if (k5svc_ent->k5svc == NULL) { + talloc_free(k5svc_ent); + return NULL; + } + DLIST_ADD(ctx->k5svc_list, k5svc_ent); + + return k5svc_ent->k5svc; +} + +static void ipa_subdom_remove_k5_svc(struct ipa_subdomains_ctx *ctx) +{ + /* Domain going away is such a rare operation that it makes + * more sense to just throw away the whole k5svc_list and let + * the write_kdcinfo request recreate them all again instead + * of coding up complex logic.. + */ + talloc_zfree(ctx->k5svc_list); +} + +static void ipa_subdom_remove_step(struct ipa_subdomains_ctx *ctx, + struct sss_domain_info *dom) +{ + if (dp_opt_get_bool(ctx->ipa_id_ctx->ipa_options->basic, + IPA_SERVER_MODE) == false) { + /* IPA clients keep track of krb5_service wrappers */ + return ipa_subdom_remove_k5_svc(ctx); + } else { + /* IPA servers keeps track of AD contexts */ + return ipa_ad_subdom_remove(ctx->be_ctx, ctx->ipa_id_ctx, dom); + } + +} + +static void ipa_subdom_store_step(struct sss_domain_info *parent, + struct ipa_id_ctx *id_ctx, + struct sdap_idmap_ctx *sdap_idmap_ctx, + struct sysdb_attrs *attrs) +{ + int ret; + + ret = ipa_subdom_store(parent, id_ctx, sdap_idmap_ctx, attrs); + if (ret == ERR_TRUST_NOT_SUPPORTED) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unsupported trust type, skipping\n"); + } else if (ret) { + /* Nothing we can do about the error. 
*/ + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to parse subdom data, " + "will try to use cached subdomain\n"); + } +} + +static errno_t ipa_subdomains_refresh(struct ipa_subdomains_ctx *ctx, + int count, struct sysdb_attrs **reply, + bool *changes) +{ + struct sss_domain_info *parent, *dom; + bool handled[count]; + const char *value; + int c, h; + int ret; + + parent = ctx->be_ctx->domain; + memset(handled, 0, sizeof(bool) * count); + h = 0; + + if (changes == NULL) { + return EINVAL; + } + *changes = false; + + /* check existing subdomains */ + for (dom = get_next_domain(parent, SSS_GND_DESCEND); + dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ + dom = get_next_domain(dom, 0)) { + for (c = 0; c < count; c++) { + if (handled[c]) { + continue; + } + ret = sysdb_attrs_get_string(reply[c], IPA_CN, &value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto done; + } + if (strcmp(value, dom->name) == 0) { + break; + } + } + + if (c >= count) { + /* ok this subdomain does not exist anymore, let's clean up */ + sss_domain_set_state(dom, DOM_DISABLED); + ret = sysdb_subdomain_delete(dom->sysdb, dom->name); + if (ret != EOK) { + goto done; + } + + ipa_subdom_remove_step(ctx, dom); + } else { + /* ok let's try to update it */ + ipa_subdom_store_step(parent, ctx->ipa_id_ctx, + ctx->sdap_id_ctx->opts->idmap_ctx, + reply[c]); + handled[c] = true; + h++; + } + } + + if (count == h) { + /* all domains were already accounted for and have been updated */ + ret = EOK; + goto done; + } + + /* if we get here it means we have changes to the subdomains list */ + *changes = true; + + for (c = 0; c < count; c++) { + if (handled[c]) { + continue; + } + + ipa_subdom_store_step(parent, ctx->ipa_id_ctx, + ctx->sdap_id_ctx->opts->idmap_ctx, + reply[c]); + } + + ret = EOK; +done: + if (ret != EOK) { + ctx->last_refreshed = 0; + } else { + ctx->last_refreshed = time(NULL); + } + + return ret; +} + +static void clean_view_name(struct 
sss_domain_info *domain) +{ + struct sss_domain_info *dom = domain; + + while (dom) { + dom->has_views = false; + talloc_free(discard_const(dom->view_name)); + dom->view_name = NULL; + dom = get_next_domain(dom, SSS_GND_DESCEND); + } +} + +static errno_t ipa_apply_view(struct sss_domain_info *domain, + struct ipa_id_ctx *ipa_id_ctx, + const char *view_name, + bool read_at_init, + struct confdb_ctx *confdb) +{ + const char *current = ipa_id_ctx->view_name; + struct sysdb_ctx *sysdb = domain->sysdb; + bool in_transaction = false; + errno_t sret; + errno_t ret; + + DEBUG(SSSDBG_TRACE_ALL, "read_at_init [%s] current view [%s]\n", + read_at_init ? "true" : "false", ipa_id_ctx->view_name); + + if (current != NULL && strcmp(current, view_name) != 0 && read_at_init) { + DEBUG(SSSDBG_CRIT_FAILURE, "View name changed, this is not supported " + "at runtime. Please restart SSSD to get the new view applied.\n"); + return EOK; + } + + if (current != NULL && strcmp(current, view_name) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "View name did not change.\n"); + return EOK; + } + + DEBUG(SSSDBG_TRACE_FUNC, "View name changed to [%s].\n", view_name); + + /* View name changed. If there was a non-default non-local view + * was used the tree in cache containing the override values is + * removed. In all cases sysdb_invalidate_overrides() is called to + * remove the override attribute from the cached user objects. + * + * Typically ctx->sd_ctx->id_ctx->view_name == NULL means that the + * cache was empty but there was a bug in with caused that the + * view name was not written to the cache at all. In this case the + * cache must be invalidated if the new view is not the + * default-view as well. 
*/ + + if (current != NULL || !is_default_view(view_name)) { + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to start transaction " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + in_transaction = true; + + if (!is_default_view(current) && !is_local_view(current)) { + /* Old view was not the default view, delete view tree */ + ret = sysdb_delete_view_tree(sysdb, current); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to delete old view tree " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + } + + ret = sysdb_invalidate_overrides(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, " Unable to invalidate overrides " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to commint transaction " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + in_transaction = false; + } + + ret = sysdb_update_view_name(sysdb, view_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot update view name " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + talloc_free(ipa_id_ctx->view_name); + ipa_id_ctx->view_name = talloc_strdup(ipa_id_ctx, view_name); + if (ipa_id_ctx->view_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot copy view name.\n"); + ret = ENOMEM; + goto done; + } + + if (!read_at_init) { + /* refresh view data of all domains at startup, since + * sysdb_master_domain_update and sysdb_update_subdomains might have + * been called earlier without the proper view name the name is + * cleaned here before the calls. This is acceptable because this is + * the initial setup (!read_at_init). 
*/ + clean_view_name(domain); + ret = sysdb_master_domain_update(domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_master_domain_update failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_update_subdomains(domain, confdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_subdomains failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); + } + } + + return ret; +} + +struct ipa_subdomains_ranges_state { + struct sss_domain_info *domain; +}; + +static void ipa_subdomains_ranges_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_subdomains_ranges_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ipa_subdomains_ctx *sd_ctx, + struct sdap_handle *sh) +{ + struct ipa_subdomains_ranges_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + const char *attrs[] = { OBJECTCLASS, IPA_CN, + IPA_BASE_ID, IPA_BASE_RID, IPA_SECONDARY_BASE_RID, + IPA_ID_RANGE_SIZE, IPA_TRUSTED_DOMAIN_SID, + IPA_RANGE_TYPE, NULL }; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_subdomains_ranges_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (sd_ctx->ranges_search_bases == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "No search base is set\n"); + ret = EOK; + goto immediately; + } + + state->domain = sd_ctx->be_ctx->domain; + + subreq = sdap_search_bases_send(state, ev, sd_ctx->sdap_id_ctx->opts, sh, + sd_ctx->ranges_search_bases, NULL, false, + 0, RANGE_FILTER, attrs); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_subdomains_ranges_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, 
ev); + + return req; +} + +static void ipa_subdomains_ranges_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_ranges_state *state; + struct tevent_req *req; + struct range_info **range_list; + struct sysdb_attrs **reply; + size_t reply_count; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_ranges_state); + + ret = sdap_search_bases_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get data from LDAP [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ipa_ranges_parse_results(state, state->domain->name, + reply_count, reply, &range_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to parse range resulg [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_update_ranges(state->domain->sysdb, range_list); + talloc_free(range_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to update ranges [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t ipa_subdomains_ranges_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +#define IPA_CERTMAP_SEARCH_BASE_TEMPLATE "cn=certmap,%s" + +struct ipa_subdomains_certmap_state { + struct sss_domain_info *domain; + struct sdap_options *sdap_opts; +}; + +static void ipa_subdomains_certmap_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_subdomains_certmap_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ipa_subdomains_ctx *sd_ctx, + struct sdap_handle *sh) +{ + struct ipa_subdomains_certmap_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + char *ldap_basedn; + char *search_base; + const char *attrs[] = { OBJECTCLASS, IPA_CN, + IPA_CERTMAP_MAPRULE, IPA_CERTMAP_MATCHRULE, + 
IPA_CERTMAP_PRIORITY, IPA_ASSOCIATED_DOMAIN, + IPA_CERTMAP_PROMPT_USERNAME, + NULL }; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_subdomains_certmap_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->domain = sd_ctx->be_ctx->domain; + state->sdap_opts = sd_ctx->sdap_id_ctx->opts; + + ret = domain_to_basedn(state, state->domain->name, &ldap_basedn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); + goto immediately; + } + + search_base = talloc_asprintf(state, IPA_CERTMAP_SEARCH_BASE_TEMPLATE, + ldap_basedn); + if (search_base == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto immediately; + } + + subreq = sdap_get_generic_send(state, ev, sd_ctx->sdap_id_ctx->opts, sh, + search_base, LDAP_SCOPE_SUBTREE, + CERTMAP_FILTER, + attrs, NULL, 0, 0, false); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_subdomains_certmap_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static void ipa_subdomains_certmap_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_certmap_state *state; + struct tevent_req *req; + struct sysdb_attrs **reply; + size_t reply_count; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_certmap_state); + + ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get data from LDAP [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ipa_certmap_parse_results(state, state->domain, + state->sdap_opts, + reply_count, reply, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to parse certmap results [%d]: %s\n", + ret, 
sss_strerror(ret)); + goto done; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t ipa_subdomains_certmap_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct ipa_subdomains_master_state { + struct sss_domain_info *domain; + struct ipa_options *ipa_options; +}; + +static void ipa_subdomains_master_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_subdomains_master_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ipa_subdomains_ctx *sd_ctx, + struct sdap_handle *sh) +{ + struct ipa_subdomains_master_state *state; + struct sss_domain_info *domain; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + const char *attrs[] = { IPA_CN, IPA_FLATNAME, IPA_SID, + IPA_ADDITIONAL_SUFFIXES, NULL }; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_subdomains_master_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (sd_ctx->master_search_bases == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "No search base is set\n"); + ret = EOK; + goto immediately; + } + + state->domain = domain = sd_ctx->be_ctx->domain; + state->ipa_options = sd_ctx->ipa_id_ctx->ipa_options; + + ret = sysdb_master_domain_update(domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to update master domain [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediately; + } + + if (domain->flat_name != NULL && domain->domain_id != NULL + && domain->realm != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Master record is up to date.\n"); + ret = EOK; + goto immediately; + } + + subreq = sdap_search_bases_return_first_send(state, ev, + sd_ctx->sdap_id_ctx->opts, sh, + sd_ctx->master_search_bases, NULL, false, + 0, MASTER_DOMAIN_FILTER, attrs); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_subdomains_master_done, req); + + return 
req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ipa_subdomains_master_done(struct tevent_req *subreq)
+{
+ struct ipa_subdomains_master_state *state;
+ struct tevent_req *req;
+ struct sysdb_attrs **reply;
+ size_t reply_count;
+ const char *flat = NULL;
+ const char *id = NULL;
+ const char *realm = NULL;
+ struct ldb_message_element *alternative_domain_suffixes = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_subdomains_master_state);
+
+ ret = sdap_search_bases_return_first_recv(subreq, state,
+ &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get data from LDAP [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (reply_count > 0) {
+ ret = sysdb_attrs_get_string(reply[0], IPA_FLATNAME, &flat);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_string(reply[0], IPA_SID, &id);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_el_ext(reply[0], IPA_ADDITIONAL_SUFFIXES, false,
+ &alternative_domain_suffixes);
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
+ }
+ } else {
+ /* All search paths are searched and no master domain record was
+ * found.
+ *
+ * A default IPA installation will not have a master domain record,
+ * this is only created by ipa-adtrust-install. Nevertheless we should
+ * continue to read other data like the idview on IPA clients.
*/
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Master domain record not found!\n");
+ }
+
+ realm = dp_opt_get_string(state->ipa_options->basic, IPA_KRB5_REALM);
+ if (realm == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sysdb_master_domain_add_info(state->domain, realm, flat, id, NULL,
+ alternative_domain_suffixes);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add master domain info "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ipa_subdomains_master_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_subdomains_slave_state {
+ struct ipa_subdomains_ctx *sd_ctx;
+ struct be_ctx *be_ctx;
+ struct ipa_id_ctx *ipa_id_ctx;
+};
+
+static void ipa_subdomains_slave_search_done(struct tevent_req *subreq);
+static void ipa_subdomains_slave_trusts_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_subdomains_slave_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_subdomains_ctx *sd_ctx,
+ struct sdap_handle *sh)
+{
+ struct ipa_subdomains_slave_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ errno_t ret;
+ const char *attrs[] = { IPA_CN, IPA_FLATNAME, IPA_TRUSTED_DOMAIN_SID,
+ IPA_TRUST_DIRECTION, IPA_ADDITIONAL_SUFFIXES,
+ NULL };
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_subdomains_slave_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ if (sd_ctx->search_bases == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No search base is set\n");
+ ret = EOK;
+ goto immediately;
+ }
+
+ state->sd_ctx = sd_ctx;
+ state->be_ctx = sd_ctx->be_ctx;
+ state->ipa_id_ctx = sd_ctx->ipa_id_ctx;
+
+ subreq = sdap_search_bases_send(state, ev, sd_ctx->sdap_id_ctx->opts, sh,
+ sd_ctx->search_bases, NULL,
false,
+ 0, SUBDOMAINS_FILTER, attrs);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ipa_subdomains_slave_search_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t ipa_enable_enterprise_principals(struct be_ctx *be_ctx)
+{
+ int ret;
+ struct sss_domain_info *d;
+ TALLOC_CTX *tmp_ctx;
+ char **vals = NULL;
+ struct dp_module *auth;
+ struct krb5_ctx *krb5_auth_ctx;
+
+ d = get_domains_head(be_ctx->domain);
+
+ while (d != NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "checking [%s].\n", d->name);
+ if (d->upn_suffixes != NULL) {
+ break;
+ }
+ d = get_next_domain(d, SSS_GND_DESCEND);
+ }
+
+ if (d == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No UPN suffixes found, "
+ "no need to enable enterprise principals.\n");
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_param(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name,
+ &vals);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "confdb_get_param failed.\n");
+ goto done;
+ }
+
+ if (vals[0]) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Parameter [%s] set in config file and will not be changed.\n",
+ ipa_def_krb5_opts[KRB5_USE_ENTERPRISE_PRINCIPAL].opt_name);
+ return EOK;
+ }
+
+ auth = dp_target_module(be_ctx->provider, DPT_AUTH);
+ if (auth == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ krb5_auth_ctx = ipa_init_get_krb5_auth_ctx(dp_get_module_data(auth));
+ if (krb5_auth_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to find auth proivder data.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = dp_opt_set_bool(krb5_auth_ctx->opts,
+ KRB5_USE_ENTERPRISE_PRINCIPAL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
"dp_opt_set_bool failed.\n");
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Enterprise principals enabled.\n");
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static void ipa_subdomains_slave_search_done(struct tevent_req *subreq)
+{
+ struct ipa_subdomains_slave_state *state;
+ struct tevent_req *req;
+ struct sysdb_attrs **reply;
+ size_t reply_count;
+ bool has_changes = false;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_subdomains_slave_state);
+
+ ret = sdap_search_bases_recv(subreq, state, &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get data from LDAP [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = ipa_subdomains_refresh(state->sd_ctx, reply_count, reply,
+ &has_changes);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to refresh subdomains.\n");
+ goto done;
+ }
+
+ ret = ipa_enable_enterprise_principals(state->sd_ctx->be_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_enable_enterprise_principals failed.
"
+ "Enterprise principals might not work as "
+ "expected.\n");
+ }
+
+ if (!has_changes) {
+ ret = EOK;
+ goto done;
+ }
+
+ ret = ipa_subdom_reinit(state->sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not reinitialize subdomains\n");
+ goto done;
+ }
+
+ if (state->sd_ctx->ipa_id_ctx->server_mode == NULL) {
+ ret = EOK;
+ goto done;
+ }
+
+ subreq = ipa_server_create_trusts_send(state, state->be_ctx->ev,
+ state->be_ctx, state->ipa_id_ctx,
+ state->be_ctx->domain);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, ipa_subdomains_slave_trusts_done, req);
+ return;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static void ipa_subdomains_slave_trusts_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ ret = ipa_server_create_trusts_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create trusts [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ipa_subdomains_slave_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_subdomains_view_name_state {
+ struct ipa_subdomains_ctx *sd_ctx;
+};
+
+static void ipa_subdomains_view_name_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_subdomains_view_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_subdomains_ctx *sd_ctx,
+ struct sdap_handle *sh)
+{
+ struct ipa_subdomains_view_name_state *state;
+ struct sdap_attr_map_info *maps;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ struct ipa_options *ipa_options;
+ const char *filter;
+ const char *attrs[] = {IPA_CN, OBJECTCLASS, NULL};
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_subdomains_view_name_state);
+ if (req ==
NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ if (sd_ctx->ipa_id_ctx->server_mode != NULL) {
+ /* Only get view on clients, on servers it is always 'default'. */
+ ret = EOK;
+ goto immediately;
+ }
+
+ state->sd_ctx = sd_ctx;
+
+ ipa_options = sd_ctx->ipa_id_ctx->ipa_options;
+
+ maps = talloc_zero_array(state, struct sdap_attr_map_info, 2);
+ if (maps == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero() failed\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+ maps[0].map = ipa_options->view_map;
+ maps->num_attrs = IPA_OPTS_VIEW;
+
+ filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))",
+ ipa_options->id->host_map[SDAP_OC_HOST].name,
+ ipa_options->id->host_map[SDAP_AT_HOST_FQDN].name,
+ dp_opt_get_string(ipa_options->basic, IPA_HOSTNAME));
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ /* We add SDAP_DEREF_FLG_SILENT because old IPA servers don't have
+ * the attribute we dereference, causing the deref call to fail.
*/
+ subreq = sdap_deref_bases_return_first_send(state, ev,
+ sd_ctx->sdap_id_ctx->opts, sh, sd_ctx->host_search_bases,
+ maps, filter, attrs, IPA_ASSIGNED_ID_VIEW,
+ SDAP_DEREF_FLG_SILENT, 0);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ipa_subdomains_view_name_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ipa_subdomains_view_name_done(struct tevent_req *subreq)
+{
+ struct ipa_subdomains_view_name_state *state;
+ struct tevent_req *req;
+ size_t reply_count;
+ struct sdap_deref_attrs **reply;
+ const char *view_name;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_subdomains_view_name_state);
+
+ ret = sdap_deref_bases_return_first_recv(subreq, state,
+ &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ /* Depending on the version 389ds return a different error code if the
+ * search for the view name failed because our dereference attribute
+ * ipaAssignedIDView is not known. Newer version return
+ * LDAP_UNAVAILABLE_CRITICAL_EXTENSION(12) which is translated to
+ * EOPNOTSUPP and older versions return LDAP_PROTOCOL_ERROR(2) which
+ * is returned as EIO. In both cases we have to assume that the server
+ * is not view aware and keep the view name unset.
*/
+ if (ret == EOPNOTSUPP || ret == EIO) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Unable to get view name, looks " \
+ "like server does not support views.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get view name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (reply_count == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No view found, using default.\n");
+ view_name = SYSDB_DEFAULT_VIEW_NAME;
+ } else if (reply_count == 1) {
+ ret = sysdb_attrs_get_string(reply[0]->attrs, SYSDB_VIEW_NAME,
+ &view_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n");
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "More than one object returned.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = ipa_apply_view(state->sd_ctx->be_ctx->domain,
+ state->sd_ctx->ipa_id_ctx, view_name,
+ state->sd_ctx->view_read_at_init,
+ state->sd_ctx->be_ctx->cdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set view [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ state->sd_ctx->view_read_at_init = true;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ipa_subdomains_view_name_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_subdomains_view_domain_resolution_order_state {
+ struct sss_domain_info *domain;
+ const char *view_name;
+};
+
+static void
+ipa_subdomains_view_domain_resolution_order_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_subdomains_view_domain_resolution_order_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_subdomains_ctx *sd_ctx,
+ struct sdap_handle *sh)
+{
+ struct ipa_subdomains_view_domain_resolution_order_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ const char *attrs[] = { IPA_DOMAIN_RESOLUTION_ORDER, NULL };
+ char *ldap_basedn;
+ char *base;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx,
&state,
+ struct ipa_subdomains_view_domain_resolution_order_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->domain = sd_ctx->be_ctx->domain;
+ state->view_name = sd_ctx->ipa_id_ctx->view_name;
+
+ ret = domain_to_basedn(state, sd_ctx->be_ctx->domain->name, &ldap_basedn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n");
+ goto immediately;
+ }
+
+ base = talloc_asprintf(state, "cn=%s,cn=views,cn=accounts,%s",
+ sd_ctx->ipa_id_ctx->view_name, ldap_basedn);
+ if (base == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_get_generic_send(
+ state, ev, sd_ctx->sdap_id_ctx->opts, sh,
+ base, LDAP_SCOPE_BASE, NULL, attrs, NULL, 0,
+ dp_opt_get_int(sd_ctx->sdap_id_ctx->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ipa_subdomains_view_domain_resolution_order_done,
+ req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void
+ipa_subdomains_view_domain_resolution_order_done(struct tevent_req *subreq)
+{
+ struct ipa_subdomains_view_domain_resolution_order_state *state;
+ struct tevent_req *req;
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+ const char *domain_resolution_order;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req,
+ struct ipa_subdomains_view_domain_resolution_order_state);
+
+ ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get view name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (reply_count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "More than one object returned.\n");
+ ret =
EINVAL;
+ goto done;
+ } else if (reply_count == 0) {
+ domain_resolution_order = NULL;
+ } else {
+ /* reply_count == 1 */
+ ret = sysdb_attrs_get_string(reply[0], IPA_DOMAIN_RESOLUTION_ORDER,
+ &domain_resolution_order);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get the view domains' resolution order "
+ "configuration value for view [%s] [%d]: %s\n",
+ state->view_name, ret, sss_strerror(ret));
+ goto done;
+ } else if (ret == ENOENT) {
+ domain_resolution_order = NULL;
+ }
+ }
+
+ ret = sysdb_update_view_domain_resolution_order(state->domain->sysdb,
+ domain_resolution_order);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_update_view_domain_resolution_order() [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t
+ipa_subdomains_view_domain_resolution_order_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_domain_resolution_order_state {
+ struct sss_domain_info *domain;
+};
+
+static void ipa_domain_resolution_order_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_domain_resolution_order_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_subdomains_ctx *sd_ctx,
+ struct sdap_handle *sh)
+{
+ struct ipa_domain_resolution_order_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ const char *attrs[] = {IPA_DOMAIN_RESOLUTION_ORDER, NULL};
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_domain_resolution_order_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->domain = sd_ctx->be_ctx->domain;
+
+ subreq = ipa_get_config_send(state, ev, sh, sd_ctx->sdap_id_ctx->opts,
+ state->domain->name, attrs);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+
tevent_req_set_callback(subreq, ipa_domain_resolution_order_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void ipa_domain_resolution_order_done(struct tevent_req *subreq)
+{
+ struct ipa_domain_resolution_order_state *state;
+ struct tevent_req *req;
+ struct sysdb_attrs *config = NULL;
+ const char *domain_resolution_order = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_domain_resolution_order_state);
+
+ ret = ipa_get_config_recv(subreq, state, &config);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get the domains' resolution order configuration "
+ "from the server [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (config != NULL) {
+ ret = sysdb_attrs_get_string(config, IPA_DOMAIN_RESOLUTION_ORDER,
+ &domain_resolution_order);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get the domains' resolution order configuration "
+ "value [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ } else if (ret == ENOENT) {
+ domain_resolution_order = NULL;
+ }
+ }
+
+ ret = sysdb_domain_update_domain_resolution_order(
+ state->domain->sysdb, state->domain->name,
+ domain_resolution_order);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_domain_update_resolution_order() [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t ipa_domain_resolution_order_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct kdcinfo_from_server_list_state {
+ struct resolv_hostport *hostport_list;
+ enum host_database db[2];
+
+ struct resolv_hostport_addr **rhp_addrs;
+ size_t rhp_len;
+};
+
+static void
kdcinfo_from_server_list_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+kdcinfo_from_server_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_resolv_ctx *be_res,
+ const char *servers)
+{
+ struct kdcinfo_from_server_list_state *state;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ errno_t ret;
+ int server_list_len;
+ char **server_list;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct kdcinfo_from_server_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db[0] = DB_DNS;
+ state->db[1] = DB_SENTINEL;
+
+ if (servers == NULL) {
+ ret = EOK;
+ goto immediately;
+ }
+
+ ret = split_on_separator(state, servers, ',', true, true,
+ &server_list,
+ &server_list_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to parse server list!\n");
+ goto immediately;
+ }
+
+ state->hostport_list = talloc_array(state,
+ struct resolv_hostport,
+ server_list_len);
+ if (state->hostport_list == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ for (int i = 0; i < server_list_len; i++) {
+ state->hostport_list[i].host = server_list[i];
+ state->hostport_list[i].port = 0;
+ }
+
+ subreq = resolv_hostport_list_send(state,
+ ev,
+ be_res->resolv,
+ state->hostport_list,
+ server_list_len,
+ 0,
+ be_res->family_order,
+ state->db);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ tevent_req_set_callback(subreq, kdcinfo_from_server_list_done, req);
+ return req;
+
+immediately:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kdcinfo_from_server_list_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct kdcinfo_from_server_list_state *state = tevent_req_data(req,
+ struct kdcinfo_from_server_list_state);
+
+ ret = resolv_hostport_list_recv(subreq,
+ state,
+ &state->rhp_len,
+ &state->rhp_addrs);
+
talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to resolve address list [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t kdcinfo_from_server_list_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct resolv_hostport_addr ***_rhp_addrs,
+ size_t *_rhp_len)
+{
+ struct kdcinfo_from_server_list_state *state = tevent_req_data(req,
+ struct kdcinfo_from_server_list_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_rhp_addrs != NULL) {
+ *_rhp_addrs = talloc_steal(mem_ctx, state->rhp_addrs);
+ }
+
+ if (_rhp_len != NULL) {
+ *_rhp_len = state->rhp_len;
+ }
+
+ return EOK;
+}
+
+struct kdcinfo_from_site_state {
+ struct tevent_context *ev;
+ struct be_resolv_ctx *be_res;
+
+ const char *discovery_domains[2];
+ struct resolv_hostport *hostport_list;
+ enum host_database db[2];
+
+ struct resolv_hostport_addr **rhp_addrs;
+ size_t rhp_len;
+};
+
+static void kdcinfo_from_site_srv_done(struct tevent_req *subreq);
+static void kdcinfo_from_site_server_list_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+kdcinfo_from_site_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_resolv_ctx *be_res,
+ const char *site,
+ const char *domain)
+{
+ struct kdcinfo_from_site_state *state;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct kdcinfo_from_site_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->be_res = be_res;
+ state->db[0] = DB_DNS;
+ state->db[1] = DB_SENTINEL;
+
+ state->discovery_domains[0] = ad_site_dns_discovery_domain(state,
+ site,
+ domain);
+ if (state->discovery_domains[0] == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ state->discovery_domains[1] = NULL;
+
+ subreq = fo_discover_srv_send(state,
+ state->ev,
+ state->be_res->resolv,
+ "kerberos", "tcp",
+ state->discovery_domains);
+ if (subreq == NULL) {
+ ret =
ENOMEM;
+ goto immediately;
+ }
+ tevent_req_set_callback(subreq, kdcinfo_from_site_srv_done, req);
+ return req;
+
+immediately:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kdcinfo_from_site_srv_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct kdcinfo_from_site_state *state = tevent_req_data(req,
+ struct kdcinfo_from_site_state);
+ struct fo_server_info *servers;
+ size_t num_servers;
+
+ ret = fo_discover_srv_recv(state, subreq,
+ NULL, NULL, /* not interested in TTL etc */
+ &servers, &num_servers);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not resolve the site [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->hostport_list = talloc_array(state,
+ struct resolv_hostport,
+ num_servers);
+ if (state->hostport_list == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ for (size_t i = 0; i < num_servers; i++) {
+ state->hostport_list[i].host = servers[i].host;
+ state->hostport_list[i].port = servers[i].port;
+ }
+
+ subreq = resolv_hostport_list_send(state,
+ state->ev,
+ state->be_res->resolv,
+ state->hostport_list,
+ num_servers,
+ MAX_SERVERS_FROM_SRV,
+ state->be_res->family_order,
+ state->db);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kdcinfo_from_site_server_list_done, req);
+}
+
+static void kdcinfo_from_site_server_list_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct kdcinfo_from_site_state *state = tevent_req_data(req,
+ struct kdcinfo_from_site_state);
+
+ ret = resolv_hostport_list_recv(subreq,
+ state,
+ &state->rhp_len,
+ &state->rhp_addrs);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+
"Failed to resolve address list [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+
+static errno_t kdcinfo_from_site_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct resolv_hostport_addr ***_rhp_addrs,
+ size_t *_rhp_len)
+{
+ struct kdcinfo_from_site_state *state = tevent_req_data(req,
+ struct kdcinfo_from_site_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_rhp_addrs != NULL) {
+ *_rhp_addrs = talloc_steal(mem_ctx, state->rhp_addrs);
+ }
+
+ if (_rhp_len != NULL) {
+ *_rhp_len = state->rhp_len;
+ }
+
+ return EOK;
+}
+
+/* Anything per-domain in this request goes here so that we
+ * can just free the whole struct without mixing data from
+ * different domains or the overhead of another request
+ */
+struct ipa_sd_per_dom_kdcinfo_ctx {
+ struct sss_domain_info *dom;
+
+ const char *servers;
+ const char *site;
+
+ const char *discovery_domains[2];
+ struct krb5_service *krb5_service;
+};
+
+struct ipa_subdomains_write_kdcinfo_state {
+ struct tevent_context *ev;
+ struct ipa_subdomains_ctx *ipa_sd_ctx;
+ struct be_ctx *be_ctx;
+
+ bool use_kdcinfo;
+ struct ipa_sd_per_dom_kdcinfo_ctx *pdctx;
+};
+
+static errno_t ipa_subdomains_write_kdcinfo_domain_step(struct sss_domain_info *start_dom,
+ struct tevent_req *req);
+static void ipa_subdomains_write_kdcinfo_domain_done(struct tevent_req *subreq);
+static errno_t ipa_subdomains_write_kdcinfo_write_step(struct sss_domain_info *dom,
+ struct krb5_service *krb5_service,
+ struct resolv_hostport_addr **rhp_addrs,
+ size_t rhp_len);
+
+static struct tevent_req *
+ipa_subdomains_write_kdcinfo_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_subdomains_ctx *ipa_sd_ctx,
+ struct be_ctx *be_ctx)
+{
+ struct ipa_subdomains_write_kdcinfo_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct ipa_subdomains_write_kdcinfo_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
state->ev = ev;
+ state->ipa_sd_ctx = ipa_sd_ctx;
+ state->be_ctx = be_ctx;
+
+ if (ipa_sd_ctx->ipa_id_ctx->server_mode != NULL) {
+ /* This request is valid for clients only */
+ ret = EOK;
+ goto immediately;
+ }
+
+ state->use_kdcinfo = dp_opt_get_bool(ipa_sd_ctx->ipa_id_ctx->ipa_options->auth,
+ KRB5_USE_KDCINFO);
+ if (state->use_kdcinfo == false) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "kdcinfo creation disabled\n");
+ ret = EOK;
+ goto immediately;
+ }
+
+ if (be_ctx->domain->subdomains == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "No subdomains, done\n");
+ ret = EOK;
+ goto immediately;
+ }
+
+ ret = ipa_subdomains_write_kdcinfo_domain_step(be_ctx->domain->subdomains,
+ req);
+ if (ret != EAGAIN) {
+ goto immediately;
+ }
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t ipa_subdomains_write_kdcinfo_domain_step(struct sss_domain_info *start_dom,
+ struct tevent_req *req)
+{
+ struct ipa_subdomains_write_kdcinfo_state *state = \
+ tevent_req_data(req,
+ struct ipa_subdomains_write_kdcinfo_state);
+ struct dp_option *ipa_ad_subdom_opts;
+ struct tevent_req *subreq = NULL;
+ char *subdom_conf_path;
+ errno_t ret;
+ const char *servers;
+ const char *site;
+
+ for (struct sss_domain_info *dom = start_dom;
+ dom != NULL;
+ dom = get_next_domain(dom, 0)) {
+
+ talloc_zfree(state->pdctx);
+
+ subdom_conf_path = subdomain_create_conf_path(state, dom);
+ if (subdom_conf_path == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "subdom_conf_path failed for %s\n", dom->name);
+ /* Not fatal */
+ continue;
+ }
+
+ ret = dp_get_options(state, state->be_ctx->cdb,
+ subdom_conf_path,
+ ipa_cli_ad_subdom_opts,
+ IPA_OPTS_CLI_AD_SUBDOM,
+ &ipa_ad_subdom_opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot get options for %s: [%d]: %s\n",
+ dom->name, ret, sss_strerror(ret));
+ /* Not fatal */
+ continue;
+ }
+
+ servers =
dp_opt_get_string(ipa_ad_subdom_opts, IPA_CLI_AD_SERVER);
+ site = dp_opt_get_string(ipa_ad_subdom_opts, IPA_CLI_AD_SITE);
+
+ if (servers == NULL && site == NULL) {
+ /* If neither is set, just go to the next domain */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "No site or server defined for %s, skipping\n",
+ dom->name);
+ continue;
+ }
+
+ /* We will resolve this domain, create a per-domain context */
+ state->pdctx = talloc_zero(state, struct ipa_sd_per_dom_kdcinfo_ctx);
+ if (state->pdctx == NULL) {
+ return ENOMEM;
+ }
+ state->pdctx->dom = dom;
+ state->pdctx->servers = servers;
+ state->pdctx->site = site;
+ state->pdctx->krb5_service = ipa_subdom_get_k5_svc(state->ipa_sd_ctx,
+ dom,
+ state->use_kdcinfo);
+ if (state->pdctx->krb5_service == NULL) {
+ continue;
+ }
+
+ if (state->pdctx->servers != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Resolving servers [%s] for domain %s\n",
+ state->pdctx->servers, dom->name);
+
+ subreq = kdcinfo_from_server_list_send(state,
+ state->ev,
+ state->be_ctx->be_res,
+ state->pdctx->servers);
+ } else if (state->pdctx->site != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Resolving site %s for domain %s\n",
+ state->pdctx->site, dom->name);
+
+ subreq = kdcinfo_from_site_send(state,
+ state->ev,
+ state->be_ctx->be_res,
+ state->pdctx->site,
+ state->pdctx->dom->name);
+ } else {
+ /* We should never get here */
+ return EINVAL;
+ }
+
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_subdomains_write_kdcinfo_domain_done, req);
+ return EAGAIN;
+ }
+
+ return EOK;
+}
+
+static void ipa_subdomains_write_kdcinfo_domain_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct ipa_subdomains_write_kdcinfo_state *state = \
+ tevent_req_data(req,
+ struct ipa_subdomains_write_kdcinfo_state);
+ struct sss_domain_info *next_domain;
+ struct resolv_hostport_addr **rhp_addrs;
+ size_t rhp_len;
+
+ if (state->pdctx->servers != NULL) {
+ ret = kdcinfo_from_server_list_recv(state->pdctx, subreq,
+ &rhp_addrs, &rhp_len);
+ } else if (state->pdctx->site != NULL) {
+ ret = kdcinfo_from_site_recv(state->pdctx, subreq,
+ &rhp_addrs, &rhp_len);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Neither site nor servers set\n");
+ ret = EINVAL;
+ }
+
+ if (ret == EOK) {
+ ret = ipa_subdomains_write_kdcinfo_write_step(state->pdctx->dom,
+ state->pdctx->krb5_service,
+ rhp_addrs, rhp_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not write kdcinfo file for %s\n", state->pdctx->dom->name);
+ /* Not fatal, loop to the next domain below */
+ }
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not get address list for %s\n", state->pdctx->dom->name);
+ /* Not fatal, loop to the next domain below */
+ }
+
+ next_domain = get_next_domain(state->pdctx->dom, 0);
+ ret = ipa_subdomains_write_kdcinfo_domain_step(next_domain, req);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ return;
+ } else if (ret != EAGAIN) {
+ /* the loop in ipa_subdomains_write_kdcinfo_domain_step already
+ * tries to be quite permissive, so any error is fatal
+ */
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Continue to the next domain */
+}
+
+static errno_t ipa_subdomains_write_kdcinfo_write_step(struct sss_domain_info *dom,
+ struct krb5_service *krb5_service,
+ struct resolv_hostport_addr **rhp_addrs,
+ size_t rhp_len)
+{
+ errno_t ret;
+ char *address = NULL;
+ char *safe_address = NULL;
+ char **safe_addr_list;
+ int addr_index = 0;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ safe_addr_list = talloc_zero_array(tmp_ctx, char *, rhp_len+1);
+ if (safe_addr_list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (size_t i = 0; i < rhp_len; i++) {
+ address = resolv_get_string_address(tmp_ctx, rhp_addrs[i]->reply);
+ if (address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_string_address failed.\n");
+ continue;
+ }
+
+ if (rhp_addrs[i]->origin.port !=
0) {
+ address = talloc_asprintf_append(address,
+ ":%d",
+ rhp_addrs[i]->origin.port);
+ }
+
+ safe_address = sss_escape_ip_address(tmp_ctx,
+ rhp_addrs[i]->reply->family,
+ address);
+ talloc_zfree(address);
+ if (safe_address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n");
+ continue;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Will write [%s] for %s\n",
+ safe_address, dom->name);
+
+ safe_addr_list[addr_index] = talloc_steal(safe_addr_list,
+ safe_address);
+ addr_index++;
+ }
+
+ ret = write_krb5info_file(krb5_service,
+ safe_addr_list,
+ SSS_KRB5KDC_FO_SRV);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "write_krb5info_file failed, authentication might fail.\n");
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t ipa_subdomains_write_kdcinfo_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct ipa_subdomains_refresh_state {
+ struct tevent_context *ev;
+ struct ipa_subdomains_ctx *sd_ctx;
+ struct sdap_id_op *sdap_op;
+};
+
+static errno_t ipa_subdomains_refresh_retry(struct tevent_req *req);
+static void ipa_subdomains_refresh_connect_done(struct tevent_req *subreq);
+static void ipa_subdomains_refresh_ranges_done(struct tevent_req *subreq);
+static void ipa_subdomains_refresh_certmap_done(struct tevent_req *subreq);
+static void ipa_subdomains_refresh_master_done(struct tevent_req *subreq);
+static void ipa_subdomains_refresh_slave_done(struct tevent_req *subreq);
+static void ipa_subdomains_refresh_view_name_done(struct tevent_req *subreq);
+static void ipa_subdomains_refresh_view_domain_resolution_order_done(
+ struct tevent_req *subreq);
+static void ipa_domain_refresh_resolution_order_done(struct tevent_req *subreq);
+static void ipa_domain_refresh_kdcinfo_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_subdomains_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_subdomains_ctx *sd_ctx)
+{
+
struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_subdomains_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->sd_ctx = sd_ctx; + + state->sdap_op = sdap_id_op_create(state, + sd_ctx->sdap_id_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n"); + ret = ENOMEM; + goto immediately; + } + + ret = ipa_subdomains_refresh_retry(req); + if (ret == EAGAIN) { + /* asynchronous processing */ + return req; + } + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t ipa_subdomains_refresh_retry(struct tevent_req *req) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *subreq; + int ret; + + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + tevent_req_set_callback(subreq, ipa_subdomains_refresh_connect_done, req); + + return EAGAIN; +} + +static void ipa_subdomains_refresh_connect_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to LDAP " + "[%d]: %s\n", ret, sss_strerror(ret)); + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, "No IPA server is available, " + "cannot get the subdomain list 
while offline\n"); + ret = ERR_OFFLINE; + } + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_ranges_send(state, state->ev, state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ipa_subdomains_refresh_ranges_done, req); + return; +} + +static void ipa_subdomains_refresh_ranges_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_subdomains_ranges_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get IPA ranges " + "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_certmap_send(state, state->ev, state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ipa_subdomains_refresh_certmap_done, req); + return; +} + +static void ipa_subdomains_refresh_certmap_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_subdomains_certmap_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read certificate mapping rules " + "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_master_send(state, state->ev, state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ipa_subdomains_refresh_master_done, req); + return; +} + +static 
void ipa_subdomains_refresh_master_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_subdomains_master_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get master domain " + "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_slave_send(state, state->ev, state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ipa_subdomains_refresh_slave_done, req); + return; +} + +static void ipa_subdomains_refresh_slave_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_subdomains_slave_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get subdomains " + "[%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_view_name_send(state, state->ev, state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ipa_subdomains_refresh_view_name_done, + req); + return; +} + +static void ipa_subdomains_refresh_view_name_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_subdomains_view_name_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { 
+ DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to get view name [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_view_domain_resolution_order_send( + state, + state->ev, + state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, + ipa_subdomains_refresh_view_domain_resolution_order_done, + req); +} + +static void +ipa_subdomains_refresh_view_domain_resolution_order_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_subdomains_view_domain_resolution_order_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to get view domain_resolution order [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_domain_resolution_order_send(state, state->ev, state->sd_ctx, + sdap_id_op_handle(state->sdap_op)); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, + ipa_domain_refresh_resolution_order_done, + req); +} + +static void +ipa_domain_refresh_resolution_order_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_refresh_state *state; + struct tevent_req *req; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_refresh_state); + + ret = ipa_domain_resolution_order_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to get the domains order resolution [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (dp_error == DP_ERR_OK && 
ret != EOK) { + /* retry */ + ret = ipa_subdomains_refresh_retry(req); + } else if (dp_error == DP_ERR_OFFLINE) { + ret = ERR_OFFLINE; + } + + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Unable to refresh subdomains [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = ipa_subdomains_write_kdcinfo_send(state, + state->ev, + state->sd_ctx, + state->sd_ctx->be_ctx); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ipa_domain_refresh_kdcinfo_done, req); +} + +static void +ipa_domain_refresh_kdcinfo_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + ret = ipa_subdomains_write_kdcinfo_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to write the kdc info files, authentication might " + "fail or time out [%d]: %s\n", + ret, sss_strerror(ret)); + /* Not fatal, let's hope DNS is set correctly */ + } + + tevent_req_done(req); +} + +static errno_t ipa_subdomains_refresh_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct ipa_subdomains_handler_state { + struct dp_reply_std reply; +}; + +static void ipa_subdomains_handler_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_subdomains_handler_send(TALLOC_CTX *mem_ctx, + struct ipa_subdomains_ctx *sd_ctx, + struct dp_subdomains_data *data, + struct dp_req_params *params) +{ + struct ipa_subdomains_handler_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_subdomains_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + + if (sd_ctx->last_refreshed > time(NULL) - IPA_SUBDOMAIN_REFRESH_LIMIT) { + DEBUG(SSSDBG_TRACE_FUNC, "Subdomains were recently refreshed, " + "nothing to 
do\n"); + ret = EOK; + goto immediately; + } + + subreq = ipa_subdomains_refresh_send(state, params->ev, sd_ctx); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_subdomains_handler_done, req); + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void ipa_subdomains_handler_done(struct tevent_req *subreq) +{ + struct ipa_subdomains_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_subdomains_handler_state); + + ret = ipa_subdomains_refresh_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh subdomains [%d]: %s\n", + ret, sss_strerror(ret)); + } + + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + tevent_req_done(req); +} + +static errno_t ipa_subdomains_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct ipa_subdomains_handler_state *state; + + state = tevent_req_data(req, struct ipa_subdomains_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} + +static struct tevent_req * +ipa_subdomains_ptask_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct ipa_subdomains_ctx *sd_ctx; + sd_ctx = talloc_get_type(pvt, struct ipa_subdomains_ctx); + + return ipa_subdomains_refresh_send(mem_ctx, ev, sd_ctx); +} + +static errno_t +ipa_subdomains_ptask_recv(struct tevent_req *req) +{ + return ipa_subdomains_refresh_recv(req); +} + +errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct ipa_id_ctx *ipa_id_ctx, + struct dp_method *dp_methods) +{ + struct ipa_subdomains_ctx *sd_ctx; + struct ipa_options *ipa_options; + time_t period; + errno_t ret; + /* Delay the first ptask that refreshes the trusted domains so that a race between + * the first responder-induced request and the ptask doesn't cause issues, see + * also upstream ticket #3601 + */ + const time_t ptask_first_delay = 600; + + ipa_options = ipa_id_ctx->ipa_options; + + sd_ctx = talloc_zero(mem_ctx, struct ipa_subdomains_ctx); + if (sd_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + sd_ctx->be_ctx = be_ctx; + sd_ctx->ipa_id_ctx = ipa_id_ctx; + sd_ctx->sdap_id_ctx = ipa_id_ctx->sdap_id_ctx; + sd_ctx->search_bases = ipa_options->subdomains_search_bases; + sd_ctx->master_search_bases = ipa_options->master_domain_search_bases; + sd_ctx->ranges_search_bases = ipa_options->ranges_search_bases; + sd_ctx->host_search_bases = ipa_options->id->sdom->host_search_bases; + + dp_set_method(dp_methods, 
DPM_DOMAINS_HANDLER,
+ ipa_subdomains_handler_send, ipa_subdomains_handler_recv, sd_ctx,
+ struct ipa_subdomains_ctx, struct dp_subdomains_data, struct dp_reply_std);
+
+ period = be_ctx->domain->subdomain_refresh_interval;
+ ret = be_ptask_create(sd_ctx, be_ctx, period, ptask_first_delay, 0, 0, period,
+ BE_PTASK_OFFLINE_DISABLE, 0,
+ ipa_subdomains_ptask_send, ipa_subdomains_ptask_recv, sd_ctx,
+ "Subdomains Refresh", NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup ptask "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ /* Ignore, responders will trigger refresh from time to time. */
+ }
+
+ ret = ipa_subdom_reinit(sd_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not reinitialize subdomains. "
+ "Users from trusted domains might not be resolved correctly\n");
+ /* Ignore this error and try to discover the subdomains later */
+ }
+
+ ret = ipa_ad_subdom_init(be_ctx, ipa_id_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ipa_ad_subdom_init() failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h
new file mode 100644
index 0000000..2f3b7b2
--- /dev/null
+++ b/src/providers/ipa/ipa_subdomains.h
@@ -0,0 +1,151 @@
+/*
+ SSSD
+
+ IPA Subdomains Module
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _IPA_SUBDOMAINS_H_
+#define _IPA_SUBDOMAINS_H_
+
+#include "providers/backend.h"
+#include "providers/ipa/ipa_common.h"
+#include "config.h"
+
+#ifndef IPA_TRUST_KEYTAB_DIR
+#define IPA_TRUST_KEYTAB_DIR SSS_STATEDIR"/keytabs"
+#endif /* IPA_TRUST_KEYTAB_DIR */
+
+/* ==Sid2Name Extended Operation============================================= */
+#define EXOP_SID2NAME_OID "2.16.840.1.113730.3.8.10.4"
+#define EXOP_SID2NAME_V1_OID "2.16.840.1.113730.3.8.10.4.1"
+
+errno_t ipa_subdomains_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *ipa_id_ctx,
+ struct dp_method *dp_methods);
+
+/* The following are used in server mode only */
+struct ipa_ad_server_ctx {
+ struct sss_domain_info *dom;
+ struct ad_id_ctx *ad_id_ctx;
+
+ struct ipa_ad_server_ctx *next, *prev;
+};
+
+/* Can be used to set up trusted subdomain, for example fetch
+ * keytab in server mode
+ */
+struct tevent_req *
+ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct sss_domain_info *subdom);
+errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req);
+
+/* To be used by ipa_subdomains.c only */
+struct tevent_req *
+ipa_server_create_trusts_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct sss_domain_info *parent);
+
+errno_t ipa_server_create_trusts_recv(struct tevent_req *req);
+
+void ipa_ad_subdom_remove(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct sss_domain_info *subdom);
+
+int ipa_ad_subdom_init(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx);
+
+errno_t ipa_server_get_trust_direction(struct sysdb_attrs *sd,
+ struct ldb_context *ldb_ctx,
+ uint32_t *_direction);
+
+const char *ipa_trust_dir2str(uint32_t direction);
+
+/* Utilities */
+#define IPA_TRUST_DIRECTION "ipaNTTrustDirection"
+
+struct ldb_dn *ipa_subdom_ldb_dn(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb_ctx,
+ struct sysdb_attrs *attrs);
+
+bool ipa_subdom_is_member_dom(struct ldb_dn *dn);
+
+/* struct for external group memberships, defined in
+ * ipa_subdomains_ext_groups.c */
+struct ipa_ext_groups;
+
+struct ipa_server_mode_ctx {
+ const char *realm;
+ const char *hostname;
+
+ struct ipa_ad_server_ctx *trusts;
+ struct ipa_ext_groups *ext_groups;
+
+ uid_t kt_owner_uid;
+ uid_t kt_owner_gid;
+};
+
+int ipa_ad_subdom_init(struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx);
+
+enum req_input_type {
+ REQ_INP_NAME,
+ REQ_INP_ID,
+ REQ_INP_SECID,
+ REQ_INP_CERT
+};
+
+struct req_input {
+ enum req_input_type type;
+ union {
+ const char *name;
+ uint32_t id;
+ const char *secid;
+ const char *cert;
+ } inp;
+};
+
+struct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dp_id_data *ar,
+ struct ipa_server_mode_ctx *server_mode,
+ struct sss_domain_info *user_dom,
+ struct sdap_id_ctx *sdap_id_ctx,
+ const char *domain);
+
+errno_t ipa_get_ad_memberships_recv(struct tevent_req *req, int *dp_error_out);
+
+struct tevent_req *ipa_ext_group_member_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *ext_member,
+ void *pvt);
+errno_t ipa_ext_group_member_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ enum sysdb_member_type *_member_type,
+ struct sss_domain_info **_dom,
+ struct sysdb_attrs **_member);
+
+#endif /* _IPA_SUBDOMAINS_H_ */
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
new file mode 100644
index 0000000..63ff7c7
--- /dev/null
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
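Review bot: In `struct ipa_server_mode_ctx` of ipa_subdomains.h, `kt_owner_gid` is declared as `uid_t` although its name says it holds a group id; it should read `gid_t kt_owner_gid;`. The two types usually have the same width, so nothing breaks at run time, but these fields presumably decide who owns the fetched trust keytab, and the wrong type keeps the compiler and static analysis from noticing a swapped uid/gid argument. The same header also declares `int ipa_ad_subdom_init(struct be_ctx *be_ctx, struct ipa_id_ctx *id_ctx);` twice, once before and once after that struct, and the second copy can be dropped.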
@@ -0,0 +1,1212 @@ +/* + SSSD + + IPA Identity Backend Module for sub-domains - evaluate external group + memberships + + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_ops.h" +#include "providers/ipa/ipa_id.h" +#include "providers/ad/ad_id.h" +#include "providers/ipa/ipa_subdomains.h" + +#define IPA_EXT_GROUPS_FILTER "objectClass=ipaexternalgroup" + +struct ipa_ext_groups { + time_t next_update; + hash_table_t *ext_groups; +}; + +static errno_t process_ext_groups(TALLOC_CTX *mem_ctx, size_t reply_count, + struct sysdb_attrs **reply, + hash_table_t **_ext_group_hash) +{ + int ret; + hash_table_t *ext_group_hash = NULL; + hash_key_t key; + hash_value_t value; + hash_table_t *m_hash = NULL; + hash_key_t m_key; + hash_value_t m_value; + size_t g; + size_t s; + size_t m; + TALLOC_CTX *tmp_ctx = NULL; + const char **ext_sids; + const char **mof; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sss_hash_create(mem_ctx, reply_count, &ext_group_hash); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); + goto done; + } + + key.type = HASH_KEY_STRING; + m_key.type = 
HASH_KEY_STRING; + m_value.type = HASH_VALUE_PTR; + m_value.ptr = NULL; + + for (g = 0; g < reply_count; g++) { + ret = sysdb_attrs_get_string_array(reply[g], "ipaExternalMember", + tmp_ctx, &ext_sids); + if (ret == ENOENT) { + /* no external members, try next external group. */ + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_string_array failed.\n"); + goto done; + } + + ret = sysdb_attrs_get_string_array(reply[g], "memberOf", + tmp_ctx, &mof); + if (ret == ENOENT) { + /* no IPA groups, try next external group. */ + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_get_string_array failed.\n"); + goto done; + } + + for (s = 0; ext_sids[s] != NULL; s++) { + /* hash_lookup does not modify key.str. */ + key.str = discard_const(ext_sids[s]); + ret = hash_lookup(ext_group_hash, &key, &value); + if (ret == HASH_SUCCESS) { + if (value.type != HASH_VALUE_PTR) { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected value type.\n"); + ret = EINVAL; + goto done; + } + + for (m = 0; mof[m] != NULL; m++) { + /* hash_enter does not modify m_key.str. */ + m_key.str = discard_const(mof[m]); + DEBUG(SSSDBG_TRACE_ALL, "Adding group [%s] to SID [%s].\n", + m_key.str, key.str); + ret = hash_enter(value.ptr, &m_key, &m_value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n"); + goto done; + } + } + } else if (ret == HASH_ERROR_KEY_NOT_FOUND) { + ret = sss_hash_create(ext_group_hash, 5, &m_hash); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); + goto done; + } + + value.type = HASH_VALUE_PTR; + value.ptr = m_hash; + + DEBUG(SSSDBG_TRACE_ALL, + "Adding SID [%s] to external group hash.\n", key.str); + ret = hash_enter(ext_group_hash, &key, &value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n"); + goto done; + } + + for (m = 0; mof[m] != NULL; m++) { + /* hash_enter does not modify m_key.str. 
*/ + m_key.str = discard_const(mof[m]); + DEBUG(SSSDBG_TRACE_ALL, "Adding group [%s] to SID [%s].\n", + m_key.str, key.str); + ret = hash_enter(m_hash, &m_key, &m_value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed.\n"); + goto done; + } + } + } else { + DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed.\n"); + goto done; + } + } + } + + ret = EOK; +done: + if (ret != EOK) { + talloc_free(ext_group_hash); + } else { + *_ext_group_hash = ext_group_hash; + } + + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t find_ipa_ext_memberships(TALLOC_CTX *mem_ctx, + const char *user_name, + struct sss_domain_info *user_dom, + hash_table_t *ext_group_hash, + struct ldb_dn **_user_dn, + char ***_groups) +{ + int ret; + TALLOC_CTX *tmp_ctx = NULL; + struct ldb_result *result; + char **groups = NULL; + size_t c; + const char *sid; + hash_key_t key; + hash_value_t value; + hash_entry_t *entry; + struct hash_iter_context_t *iter; + hash_table_t *group_hash; + size_t g_count; + struct ldb_dn *user_dn = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sysdb_initgroups(tmp_ctx, user_dom, user_name, &result); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_initgroups failed.\n"); + goto done; + } + + if (result->count == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "User [%s] not found in cache.\n", + user_name); + ret = EOK; + goto done; + } + + ret = sss_hash_create(tmp_ctx, 10, &group_hash); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); + goto done; + } + + key.type = HASH_KEY_STRING; + + /* The IPA external domains can have references to group and user SIDs. + * This means that we not only want to look up the group SIDs but the SID + * of the user (first element of result) as well. 
*/ + for (c = 0; c < result->count; c++) { + sid = ldb_msg_find_attr_as_string(result->msgs[c], SYSDB_SID_STR, + NULL); + if (sid == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Group [%s] does not have a SID.\n", + ldb_dn_get_linearized(result->msgs[c]->dn)); + continue; + } + + key.str = discard_const(sid); + ret = hash_lookup(ext_group_hash, &key, &value); + if (ret == HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_TRACE_ALL, "SID [%s] not found in ext group hash.\n", + sid); + } else if (ret == HASH_SUCCESS) { + iter = new_hash_iter_context(value.ptr); + if (iter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n"); + ret = EINVAL; + goto done; + } + + while ((entry = iter->next(iter)) != NULL) { + ret = hash_enter(group_hash, &entry->key, &entry->value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add group [%s].\n", + entry->key.str); + } + } + + talloc_free(iter); + } else { + DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed for SID [%s].\n", + sid); + } + } + + g_count = hash_count(group_hash); + if (g_count == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "No external groupmemberships found.\n"); + ret = EOK; + goto done; + } + + groups = talloc_zero_array(mem_ctx, char *, g_count + 1); + if (groups == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + iter = new_hash_iter_context(group_hash); + if (iter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n"); + ret = EINVAL; + goto done; + } + + c = 0; + while ((entry = iter->next(iter)) != NULL) { + groups[c] = talloc_strdup(groups, entry->key.str); + if (groups[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + } + + user_dn = ldb_dn_copy(mem_ctx, result->msgs[0]->dn); + if (user_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = EOK; +done: + *_user_dn = user_dn; + *_groups = groups; + + 
talloc_free(tmp_ctx); + + return ret; +} + +static errno_t add_ad_user_to_cached_groups(struct ldb_dn *user_dn, + struct sss_domain_info *user_dom, + struct sss_domain_info *group_dom, + char **groups, + bool *missing_groups) +{ + size_t c; + struct sysdb_attrs *user_attrs; + size_t msgs_count; + struct ldb_message **msgs; + TALLOC_CTX *tmp_ctx; + int ret; + + *missing_groups = false; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + for (c = 0; groups[c] != NULL; c++) { + if (groups[c][0] == '\0') { + continue; + } + + ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, groups[c], + NULL, &msgs_count, &msgs); + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_ALL, "Group [%s] not in the cache.\n", + groups[c]); + *missing_groups = true; + continue; + } else { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_entry failed.\n"); + goto done; + } + } + +/* TODO? Do we have to remove members as well? I think not because the AD + * query before removes all memberships. 
*/ + + ret = sysdb_mod_group_member(group_dom, user_dn, msgs[0]->dn, + LDB_FLAG_MOD_ADD); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_mod_group_member failed.\n"); + goto done; + } + + user_attrs = sysdb_new_attrs(tmp_ctx); + if (user_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, + groups[c]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n"); + goto done; + } + + ret = sysdb_set_entry_attr(user_dom->sysdb, user_dn, user_attrs, + LDB_FLAG_MOD_ADD); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); + goto done; + } + + /* mark group as already processed */ + groups[c][0] = '\0'; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + + return ret; +} + +static struct tevent_req *ipa_add_ad_memberships_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_id_ctx, + struct ldb_dn *user_dn, + struct sss_domain_info *user_dom, + char **groups, + struct sss_domain_info *group_dom); +static void ipa_add_ad_memberships_done(struct tevent_req *subreq); + +struct get_ad_membership_state { + struct tevent_context *ev; + struct ipa_server_mode_ctx *server_mode; + struct sdap_id_op *sdap_op; + struct sdap_id_ctx *sdap_id_ctx; + struct fo_server *srv; + char *user_name; + struct sss_domain_info *user_dom; + + int dp_error; + const char *domain; + size_t reply_count; + struct sysdb_attrs **reply; +}; + +static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq); +static void ipa_get_ext_groups_done(struct tevent_req *subreq); +static errno_t ipa_add_ext_groups_step(struct tevent_req *req); +static errno_t ipa_add_ad_memberships_recv(struct tevent_req *req, + int *dp_error_out); + +struct tevent_req *ipa_get_ad_memberships_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct dp_id_data *ar, + struct 
ipa_server_mode_ctx *server_mode, + struct sss_domain_info *user_dom, + struct sdap_id_ctx *sdap_id_ctx, + const char *domain) +{ + int ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct get_ad_membership_state *state; + + req = tevent_req_create(mem_ctx, &state, struct get_ad_membership_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->user_dom = user_dom; + state->sdap_id_ctx = sdap_id_ctx; + state->srv = NULL; + state->domain = domain; + state->dp_error = -1; + + if (((ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_INITGROUPS + && (ar->entry_type & BE_REQ_TYPE_MASK) != BE_REQ_USER) + || ar->filter_type != BE_FILTER_NAME) { + DEBUG(SSSDBG_OP_FAILURE, "Unsupported request type.\n"); + ret = EINVAL; + goto done; + } + + state->user_name = talloc_strdup(state, ar->filter_value); + if (state->user_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_Strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + state->sdap_op = sdap_id_op_create(state, + state->sdap_id_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto done; + } + + state->server_mode = server_mode; + if (server_mode->ext_groups == NULL) { + server_mode->ext_groups = talloc_zero(server_mode, + struct ipa_ext_groups); + if (server_mode->ext_groups == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (server_mode->ext_groups->next_update > time(NULL)) { + DEBUG(SSSDBG_TRACE_FUNC, "External group information still valid.\n"); + ret = ipa_add_ext_groups_step(req); + if (ret == EOK) { + goto done; + } else if (ret == EAGAIN) { + return req; + } else { + DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ext_groups_step failed.\n"); + goto done; + } + + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, 
"sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret)); + goto done; + } + + tevent_req_set_callback(subreq, ipa_get_ad_memberships_connect_done, req); + + return req; + +done: + if (ret != EOK) { + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + } else { + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + } + tevent_req_post(req, state->ev); + + return req; +} + +static void ipa_get_ad_memberships_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_ad_membership_state *state = tevent_req_data(req, + struct get_ad_membership_state); + int ret; + + ret = sdap_id_op_connect_recv(subreq, &state->dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (state->dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, + "No IPA server is available, going offline\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to IPA server: [%d](%s)\n", + ret, strerror(ret)); + } + + goto fail; + } + + subreq = sdap_search_bases_send(state, state->ev, state->sdap_id_ctx->opts, + sdap_id_op_handle(state->sdap_op), + state->sdap_id_ctx->opts->sdom->group_search_bases, + NULL, false, + dp_opt_get_int(state->sdap_id_ctx->opts->basic, + SDAP_ENUM_SEARCH_TIMEOUT), + IPA_EXT_GROUPS_FILTER, + NULL); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_get_ext_groups_done, req); + return; + +fail: + tevent_req_error(req, ret); + return; +} + +static void ipa_get_ext_groups_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_ad_membership_state *state = tevent_req_data(req, + struct get_ad_membership_state); + int ret; + hash_table_t *ext_group_hash; + + ret = sdap_search_bases_recv(subreq, + state, + &state->reply_count, + &state->reply); + talloc_zfree(subreq); + if (ret != 
EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ext_groups request failed.\n"); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "[%zu] external groups found.\n", + state->reply_count); + + ret = process_ext_groups(state, + state->reply_count, + state->reply, + &ext_group_hash); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "process_ext_groups failed.\n"); + goto fail; + } + + talloc_free(state->server_mode->ext_groups->ext_groups); + state->server_mode->ext_groups->ext_groups = talloc_steal( + state->server_mode->ext_groups, + ext_group_hash); + /* Do we have to make the update timeout configurable? */ + state->server_mode->ext_groups->next_update = time(NULL) + 10; + + ret = ipa_add_ext_groups_step(req); + if (ret == EOK) { + tevent_req_done(req); + return; + } else if (ret == EAGAIN) { + return; + } else { + DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ext_groups_step failed.\n"); + goto fail; + } + +fail: + tevent_req_error(req, ret); + return; +} + +static errno_t ipa_add_ext_groups_step(struct tevent_req *req) +{ + struct get_ad_membership_state *state = tevent_req_data(req, + struct get_ad_membership_state); + struct ldb_dn *user_dn; + int ret; + char **groups = NULL; + struct tevent_req *subreq; + + ret = find_ipa_ext_memberships(state, state->user_name, state->user_dom, + state->server_mode->ext_groups->ext_groups, + &user_dn, &groups); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "find_ipa_ext_memberships failed.\n"); + goto fail; + } + + if (groups == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No external groups memberships found.\n"); + state->dp_error = DP_ERR_OK; + return EOK; + } + + subreq = ipa_add_ad_memberships_send(state, state->ev, state->sdap_id_ctx, + user_dn, state->user_dom, groups, + state->sdap_id_ctx->be->domain); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ad_memberships_send failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_add_ad_memberships_done, req); + return EAGAIN; + +fail: + 
tevent_req_error(req, ret); + return ret; +} + +static void ipa_add_ad_memberships_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_ad_membership_state *state = tevent_req_data(req, + struct get_ad_membership_state); + int ret; + + ret = ipa_add_ad_memberships_recv(subreq, &state->dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_add_ad_memberships request failed.\n"); + tevent_req_error(req, ret); + return; + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; +} + +errno_t ipa_get_ad_memberships_recv(struct tevent_req *req, int *dp_error_out) +{ + struct get_ad_membership_state *state = tevent_req_data(req, + struct get_ad_membership_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (dp_error_out) { + *dp_error_out = state->dp_error; + } + + return EOK; +} + +struct add_ad_membership_state { + struct tevent_context *ev; + struct sdap_id_ctx *sdap_id_ctx; + struct sdap_id_op *sdap_op; + struct ldb_dn *user_dn; + struct sss_domain_info *user_dom; + struct sss_domain_info *group_dom; + char **groups; + int dp_error; + size_t iter; + struct sdap_domain *group_sdom; +}; + +static void ipa_add_ad_memberships_connect_done(struct tevent_req *subreq); +static void ipa_add_ad_memberships_get_next(struct tevent_req *req); +static void ipa_add_ad_memberships_get_group_done(struct tevent_req *subreq); +static struct tevent_req *ipa_add_ad_memberships_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_id_ctx, + struct ldb_dn *user_dn, + struct sss_domain_info *user_dom, + char **groups, + struct sss_domain_info *group_dom) +{ + int ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct add_ad_membership_state *state; + bool missing_groups = false; + + req = tevent_req_create(mem_ctx, &state, struct add_ad_membership_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create 
failed.\n"); + return NULL; + } + + state->ev = ev; + state->user_dom = user_dom; + state->sdap_id_ctx = sdap_id_ctx; + state->user_dn = user_dn; + state->group_dom = group_dom; + state->groups = groups; + state->dp_error = -1; + state->iter = 0; + state->group_sdom = sdap_domain_get(sdap_id_ctx->opts, group_dom); + if (state->group_sdom == NULL) { + ret = EIO; + goto done; + } + + ret = add_ad_user_to_cached_groups(user_dn, user_dom, group_dom, groups, + &missing_groups); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_ad_user_to_cached_groups failed.\n"); + goto done; + } + + if (!missing_groups) { + DEBUG(SSSDBG_TRACE_ALL, "All groups found in cache.\n"); + ret = EOK; + goto done; + } + + state->sdap_op = sdap_id_op_create(state, + state->sdap_id_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto done; + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret)); + goto done; + } + + tevent_req_set_callback(subreq, ipa_add_ad_memberships_connect_done, req); + + return req; + +done: + if (ret != EOK) { + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + } else { + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + } + tevent_req_post(req, state->ev); + + return req; +} + +static void ipa_add_ad_memberships_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct add_ad_membership_state *state = tevent_req_data(req, + struct add_ad_membership_state); + int ret; + + ret = sdap_id_op_connect_recv(subreq, &state->dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (state->dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, + "No IPA server is available, going offline\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to IPA server: 
[%d](%s)\n", + ret, strerror(ret)); + } + + tevent_req_error(req, ret); + return; + } + + state->iter = 0; + ipa_add_ad_memberships_get_next(req); +} + +static void ipa_add_ad_memberships_get_next(struct tevent_req *req) +{ + struct add_ad_membership_state *state = tevent_req_data(req, + struct add_ad_membership_state); + struct tevent_req *subreq; + struct ldb_dn *group_dn; + int ret; + const struct ldb_val *val; + bool missing_groups; + const char *fq_name; + char *tmp_str; + + while (state->groups[state->iter] != NULL + && state->groups[state->iter][0] == '\0') { + state->iter++; + } + + if (state->groups[state->iter] == NULL) { + ret = add_ad_user_to_cached_groups(state->user_dn, state->user_dom, + state->group_dom, state->groups, + &missing_groups); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "add_ad_user_to_cached_groups failed.\n"); + goto fail; + } + + if (missing_groups) { + DEBUG(SSSDBG_CRIT_FAILURE, "There are unresolved external group " + "memberships even after all groups " + "have been looked up on the LDAP " + "server.\n"); + } + tevent_req_done(req); + return; + } + + group_dn = ldb_dn_new(state, sysdb_ctx_get_ldb(state->group_dom->sysdb), + state->groups[state->iter]); + if (group_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); + ret = ENOMEM; + goto fail; + } + + val = ldb_dn_get_rdn_val(group_dn); + if (val == NULL || val->data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Invalid group DN [%s].\n", state->groups[state->iter]); + ret = EINVAL; + goto fail; + } + + fq_name = (const char *) val->data; + if (strchr(fq_name, '@') == NULL) { + tmp_str = sss_create_internal_fqname(state, fq_name, + state->group_dom->name); + /* keep using val->data if sss_create_internal_fqname() fails */ + if (tmp_str != NULL) { + fq_name = tmp_str; + } + } + +/* TODO: here is would be useful for have a filter type like BE_FILTER_DN to + * directly fetch the group with the corresponding DN. 
*/ + subreq = groups_get_send(state, state->ev, + state->sdap_id_ctx, state->group_sdom, + state->sdap_id_ctx->conn, + fq_name, + BE_FILTER_NAME, + false, false); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "groups_get_send failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_add_ad_memberships_get_group_done, req); + return; + +fail: + tevent_req_error(req, ret); +} + +static void ipa_add_ad_memberships_get_group_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct add_ad_membership_state *state = tevent_req_data(req, + struct add_ad_membership_state); + int ret; + + ret = groups_get_recv(subreq, &state->dp_error, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to read group [%s] from LDAP [%d](%s)\n", + state->groups[state->iter], ret, strerror(ret)); + + tevent_req_error(req, ret); + return; + } + + state->iter++; + ipa_add_ad_memberships_get_next(req); +} + +static errno_t ipa_add_ad_memberships_recv(struct tevent_req *req, + int *dp_error_out) +{ + struct add_ad_membership_state *state = tevent_req_data(req, + struct add_ad_membership_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (dp_error_out) { + *dp_error_out = state->dp_error; + } + + return EOK; +} + +static errno_t +search_user_or_group_by_sid_str(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *sid_str, + enum sysdb_member_type *_member_type, + struct ldb_message **_msg) +{ + errno_t ret; + struct ldb_message *msg = NULL; + const char *attrs[] = { SYSDB_NAME, + SYSDB_SID_STR, + SYSDB_ORIG_DN, + SYSDB_OBJECTCATEGORY, + SYSDB_CACHE_EXPIRE, + NULL }; + TALLOC_CTX *tmp_ctx = NULL; + char *sanitized_sid = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + /* In theory SID shouldn't contain any special LDAP characters, but let's + * be paranoid 
+ */ + ret = sss_filter_sanitize(tmp_ctx, sid_str, &sanitized_sid); + if (ret != EOK) { + goto done; + } + + ret = sysdb_search_user_by_sid_str(tmp_ctx, domain, + sid_str, attrs, &msg); + if (ret == EOK) { + *_member_type = SYSDB_MEMBER_USER; + } else if (ret == ENOENT) { + ret = sysdb_search_group_by_sid_str(tmp_ctx, domain, + sid_str, attrs, &msg); + if (ret == EOK) { + *_member_type = SYSDB_MEMBER_GROUP; + } + } + + switch (ret) { + case EOK: + DEBUG(SSSDBG_TRACE_FUNC, "Found %s in sysdb\n", sid_str); + *_msg = talloc_steal(mem_ctx, msg); + break; + case ENOENT: + DEBUG(SSSDBG_TRACE_FUNC, + "Could not find %s in sysdb", sid_str); + break; + default: + DEBUG(SSSDBG_OP_FAILURE, + "Error looking for %s in sysdb [%d]: %s\n", + sid_str, ret, sss_strerror(ret)); + break; + } + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_ext_group_member_check(TALLOC_CTX *mem_ctx, + struct sss_domain_info *member_dom, + const char *ext_member, + enum sysdb_member_type *_member_type, + struct sysdb_attrs **_member) +{ + TALLOC_CTX *tmp_ctx = NULL; + errno_t ret; + uint64_t expire; + time_t now = time(NULL); + struct ldb_message *msg; + struct sysdb_attrs **members; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = search_user_or_group_by_sid_str(tmp_ctx, member_dom, ext_member, + _member_type, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Error looking up sid %s: [%d]: %s\n", + ext_member, ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_msg2attrs(tmp_ctx, 1, &msg, &members); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not convert result to sysdb_attrs [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Return the member both expired and valid */ + *_member = talloc_steal(mem_ctx, members[0]); + + expire = ldb_msg_find_attr_as_uint64(msg, SYSDB_CACHE_EXPIRE, 0); + if (expire != 0 && expire <= now) { + DEBUG(SSSDBG_TRACE_FUNC, 
"%s is expired", ext_member); + ret = EAGAIN; + goto done; + } + +done: + talloc_free(tmp_ctx); + return ret; +} + +/* For the IPA external member resolution, we expect a SID as the input. + * The _recv() function output is the member and a type (user/group) + * since nothing else can be a group member. + */ +struct ipa_ext_member_state { + const char *ext_member; + struct sss_domain_info *dom; + + enum sysdb_member_type member_type; + struct sysdb_attrs *member; +}; + +static void ipa_ext_group_member_done(struct tevent_req *subreq); + +struct tevent_req *ipa_ext_group_member_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *ext_member, + void *pvt) +{ + struct ipa_id_ctx *ipa_ctx; + struct ipa_ext_member_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + struct dp_id_data *ar; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ipa_ext_member_state); + if (req == NULL) { + return NULL; + } + state->ext_member = ext_member; + + ipa_ctx = talloc_get_type(pvt, struct ipa_id_ctx); + if (ipa_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Wrong private context!\n"); + ret = EINVAL; + goto immediate; + } + + state->dom = find_domain_by_sid(ipa_ctx->sdap_id_ctx->be->domain, + ext_member); + if (state->dom == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot find domain of SID [%s]\n", ext_member); + ret = ENOENT; + goto immediate; + } + + ret = ipa_ext_group_member_check(state, state->dom, ext_member, + &state->member_type, &state->member); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "external member %s already cached\n", ext_member); + goto immediate; + } + + ret = get_dp_id_data_for_sid(state, ext_member, state->dom->name, &ar); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot create the account request for [%s]\n", ext_member); + goto immediate; + } + + subreq = dp_req_send(state, ipa_ctx->sdap_id_ctx->be->provider, NULL, + ar->domain, "External Member", + DPT_ID, DPM_ACCOUNT_HANDLER, 0, ar, NULL); 
+ if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, ipa_ext_group_member_done, req); + + return req; + +immediate: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, ev); + return req; +} + +static void ipa_ext_group_member_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_ext_member_state *state = tevent_req_data(req, + struct ipa_ext_member_state); + errno_t ret; + struct ldb_message *msg; + struct sysdb_attrs **members; + struct dp_reply_std *reply; + + + ret = dp_req_recv_ptr(state, subreq, struct dp_reply_std, &reply); + talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "dp_req_recv failed\n"); + tevent_req_error(req, ret); + return; + } else if (reply->dp_error != DP_ERR_OK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot refresh data from DP: %u,%u: %s\n", + reply->dp_error, reply->error, reply->message); + tevent_req_error(req, EIO); + return; + } + + ret = search_user_or_group_by_sid_str(state, + state->dom, + state->ext_member, + &state->member_type, + &msg); + if (ret != EOK) { + DEBUG(ret == ENOENT ? 
SSSDBG_TRACE_FUNC : SSSDBG_OP_FAILURE,
+ "Could not find %s in sysdb [%d]: %s\n",
+ state->ext_member, ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = sysdb_msg2attrs(state, 1, &msg, &members);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not convert result to sysdb_attrs [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->member = members[0];
+ tevent_req_done(req);
+}
+
+errno_t ipa_ext_group_member_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ enum sysdb_member_type *_member_type,
+ struct sss_domain_info **_dom,
+ struct sysdb_attrs **_member)
+{
+ struct ipa_ext_member_state *state = tevent_req_data(req,
+ struct ipa_ext_member_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_member_type != NULL) {
+ *_member_type = state->member_type;
+ }
+
+ if (_dom) {
+ *_dom = state->dom;
+ }
+
+ if (_member != NULL) {
+ *_member = talloc_steal(mem_ctx, state->member);
+ }
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_subdomains_id.c b/src/providers/ipa/ipa_subdomains_id.c
new file mode 100644
index 0000000..a16eed2
--- /dev/null
+++ b/src/providers/ipa/ipa_subdomains_id.c
@@ -0,0 +1,1754 @@
+/*
+ SSSD
+
+ IPA Identity Backend Module for sub-domains
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+#include "util/sss_nss.h"
+#include "util/strtonum.h"
+#include "db/sysdb.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_async_ad.h"
+#include "providers/ipa/ipa_id.h"
+#include "providers/ad/ad_id.h"
+#include "providers/ad/ad_pac.h"
+#include "providers/ipa/ipa_subdomains.h"
+
+static struct tevent_req *
+ipa_srv_ad_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sysdb_attrs *override_attrs,
+ struct dp_id_data *ar);
+static errno_t
+ipa_srv_ad_acct_recv(struct tevent_req *req, int *dp_error_out);
+
+struct ipa_subdomain_account_state {
+ struct tevent_context *ev;
+ struct ipa_id_ctx *ipa_ctx;
+ struct sdap_id_ctx *ctx;
+ struct sdap_id_op *op;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+ struct dp_id_data *ar;
+
+ bool ipa_server_mode;
+ bool server_retry;
+ int entry_type;
+ const char *filter;
+ int filter_type;
+ struct sysdb_attrs *override_attrs;
+ struct sysdb_attrs *mapped_attrs;
+ char *object_sid;
+
+ int dp_error;
+};
+
+static void ipa_subdomain_account_connected(struct tevent_req *subreq);
+static void ipa_subdomain_account_got_override(struct
tevent_req *subreq); +static void ipa_subdomain_account_done(struct tevent_req *subreq); +static errno_t ipa_subdomain_account_get_original_step(struct tevent_req *req, + struct dp_id_data *ar); + +struct tevent_req *ipa_subdomain_account_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + struct dp_id_data *ar) +{ + struct tevent_req *req; + struct ipa_subdomain_account_state *state; + struct tevent_req *subreq; + int ret; + + req = tevent_req_create(memctx, &state, struct ipa_subdomain_account_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->ipa_ctx = ipa_ctx; + state->ctx = ipa_ctx->sdap_id_ctx; + state->dp_error = DP_ERR_FATAL; + + state->op = sdap_id_op_create(state, state->ctx->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto fail; + } + + state->domain = find_domain_by_name(state->ctx->be->domain, + ar->domain, true); + if (state->domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n"); + ret = ENOMEM; + goto fail; + } + state->sysdb = state->domain->sysdb; + state->ar = ar; + state->ipa_server_mode = dp_opt_get_bool(state->ipa_ctx->ipa_options->basic, + IPA_SERVER_MODE); + state->override_attrs = NULL; + state->mapped_attrs = NULL; + + /* With views we cannot got directly to the look up the AD objects but + * have to check first if the request matches an override in the given + * view. But there are cases where this can be skipped and the AD object + * can be searched directly: + * - if no view is defined, i.e. the server does not supprt views yet + * - searches by SID: because we do not override the SID + * - if the responder does not send the EXTRA_INPUT_MAYBE_WITH_VIEW flags, + * because in this case the entry was found in the cache and the + * original value is used for the search (e.g. 
during cache updates) */ + if (state->ipa_ctx->view_name == NULL + || state->ar->filter_type == BE_FILTER_SECID + || (!state->ipa_server_mode + && state->ar->extra_value != NULL + && strcmp(state->ar->extra_value, + EXTRA_INPUT_MAYBE_WITH_VIEW) != 0 )) { + ret = ipa_subdomain_account_get_original_step(req, state->ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_subdomain_account_get_original_step failed.\n"); + goto fail; + } + + return req; + } + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + goto fail; + } + tevent_req_set_callback(subreq, ipa_subdomain_account_connected, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ipa_subdomain_account_connected(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_subdomain_account_state *state = tevent_req_data(req, + struct ipa_subdomain_account_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect request failed.\n"); + goto fail; + } + + subreq = ipa_get_ad_override_send(state, state->ev, state->ctx, + state->ipa_ctx->ipa_options, + dp_opt_get_string(state->ipa_ctx->ipa_options->basic, + IPA_KRB5_REALM), + state->ipa_ctx->view_name, state->ar); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override_send failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_subdomain_account_got_override, req); + + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +#define OVERRIDE_ANCHOR_SID_PREFIX ":SID:" +#define OVERRIDE_ANCHOR_SID_PREFIX_LEN (sizeof(OVERRIDE_ANCHOR_SID_PREFIX) -1 ) + +static void ipa_subdomain_account_got_override(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + 
struct tevent_req); + struct ipa_subdomain_account_state *state = tevent_req_data(req, + struct ipa_subdomain_account_state); + int dp_error = DP_ERR_FATAL; + int ret; + const char *anchor = NULL; + struct dp_id_data *ar; + + ret = ipa_get_ad_override_recv(subreq, &dp_error, state, + &state->override_attrs); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret); + goto fail; + } + + if (state->ar->filter_type == BE_FILTER_CERT + && is_default_view(state->ipa_ctx->view_name)) { + /* The override data was found with a lookup by certificate. for the + * default view the certificate will be added to + * SYSDB_USER_MAPPED_CERT so that cache lookups will find the same + * user. If no override data was found the mapping (if any) should be + * removed. For other view this is not needed because the override + * certificate is store in the cached override object in this case. */ + state->mapped_attrs = sysdb_new_attrs(state); + if (state->mapped_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_new_attrs failed, ignored.\n"); + } else { + ret = sysdb_attrs_add_base64_blob(state->mapped_attrs, + SYSDB_USER_MAPPED_CERT, + state->ar->filter_value); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_add_base64_blob failed, ignored.\n"); + talloc_free(state->mapped_attrs); + state->mapped_attrs = NULL; + } + } + } + + if (state->override_attrs != NULL) { + DEBUG(SSSDBG_TRACE_ALL, "Processing override.\n"); + + ret = sysdb_attrs_get_string(state->override_attrs, + SYSDB_OVERRIDE_ANCHOR_UUID, + &anchor); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed.\n"); + goto fail; + } + if (anchor != NULL && strncmp(OVERRIDE_ANCHOR_SID_PREFIX, anchor, + OVERRIDE_ANCHOR_SID_PREFIX_LEN) == 0) { + + ret = get_dp_id_data_for_sid(state, + anchor + OVERRIDE_ANCHOR_SID_PREFIX_LEN, + state->ar->domain, + &ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n"); + goto 
fail; + } + + if (state->mapped_attrs != NULL) { + /* save the SID so that SYSDB_USER_MAPPED_CERT can be added + * later to the object */ + state->object_sid = talloc_strdup(state, ar->filter_value); + if (state->object_sid == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "talloc_strdup failed, ignored.\n"); + talloc_free(state->mapped_attrs); + state->mapped_attrs = NULL; + } + } + + if (state->ipa_server_mode + && (state->ar->entry_type & BE_REQ_TYPE_MASK) + == BE_REQ_INITGROUPS) { + DEBUG(SSSDBG_TRACE_ALL, + "Switching back to BE_REQ_INITGROUPS.\n"); + ar->entry_type = BE_REQ_INITGROUPS; + ar->filter_type = BE_FILTER_SECID; + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unsupported override anchor type [%s].\n", anchor); + ret = EINVAL; + goto fail; + } + } else { + if (state->mapped_attrs != NULL) { + /* remove certifcate (if any) if no matching override was found */ + ret = sysdb_remove_mapped_data(state->domain, state->mapped_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_mapped_data failed, " + "some cached entries might contain " + "invalid mapping data.\n"); + } + talloc_free(state->mapped_attrs); + state->mapped_attrs = NULL; + } + ar = state->ar; + } + + ret = ipa_subdomain_account_get_original_step(req, ar); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_subdomain_account_get_original_step failed.\n"); + goto fail; + } + + return; + +fail: + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; +} + +static errno_t ipa_subdomain_account_get_original_step(struct tevent_req *req, + struct dp_id_data *ar) +{ + struct ipa_subdomain_account_state *state = tevent_req_data(req, + struct ipa_subdomain_account_state); + struct tevent_req *subreq; + + if (state->ipa_server_mode) { + subreq = ipa_srv_ad_acct_send(state, state->ev, state->ipa_ctx, + state->override_attrs, ar); + } else { + subreq = ipa_get_subdom_acct_send(state, state->ev, state->ipa_ctx, + state->override_attrs, ar); + } + + if (subreq == NULL) { + 
DEBUG(SSSDBG_OP_FAILURE, "ipa_get_*_acct_send failed.\n"); + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_subdomain_account_done, req); + + return EOK; +} + + +static void ipa_subdomain_account_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_subdomain_account_state *state = tevent_req_data(req, + struct ipa_subdomain_account_state); + int dp_error = DP_ERR_FATAL; + int ret; + struct ldb_result *res; + struct sss_domain_info *object_dom; + + if (state->ipa_server_mode) { + ret = ipa_srv_ad_acct_recv(subreq, &dp_error); + } else { + ret = ipa_get_subdom_acct_recv(subreq, &dp_error); + } + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_*_acct request failed: [%d]: %s.\n", + ret, sss_strerror(ret)); + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + if (state->mapped_attrs != NULL) { + object_dom = sss_get_domain_by_sid_ldap_fallback(state->domain, + state->object_sid); + ret = sysdb_search_object_by_sid(state, + object_dom != NULL ? 
object_dom + : state->domain, + state->object_sid, NULL, &res); + if (ret == EOK) { + ret = sysdb_set_entry_attr(state->domain->sysdb, res->msgs[0]->dn, + state->mapped_attrs, SYSDB_MOD_ADD); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_set_entry_attr failed, ignoring.\n"); + } + } else if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_ALL, "No cached object found, cannot add " + "mapped attribute, ignoring.\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_search_object_by_sid failed, cannot add mapped " + "attribute, ignoring.\n"); + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; +} + +errno_t ipa_subdomain_account_recv(struct tevent_req *req, int *dp_error_out) +{ + struct ipa_subdomain_account_state *state = tevent_req_data(req, + struct ipa_subdomain_account_state); + + if (dp_error_out) { + *dp_error_out = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct ipa_get_subdom_acct { + struct tevent_context *ev; + struct ipa_id_ctx *ipa_ctx; + struct sdap_id_ctx *ctx; + struct sdap_id_op *op; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + struct sysdb_attrs *override_attrs; + + int entry_type; + const char *filter; + int filter_type; + const char *extra_value; + bool use_pac; + struct ldb_message *user_msg; + + int dp_error; +}; + +static void ipa_get_subdom_acct_connected(struct tevent_req *subreq); +static void ipa_get_subdom_acct_done(struct tevent_req *subreq); + +struct tevent_req *ipa_get_subdom_acct_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct ipa_id_ctx *ipa_ctx, + struct sysdb_attrs *override_attrs, + struct dp_id_data *ar) +{ + struct tevent_req *req; + struct ipa_get_subdom_acct *state; + struct tevent_req *subreq; + int ret; + + req = tevent_req_create(memctx, &state, struct ipa_get_subdom_acct); + if (!req) return NULL; + + state->ev = ev; + state->ipa_ctx = ipa_ctx; + state->ctx = ipa_ctx->sdap_id_ctx; + state->dp_error = DP_ERR_FATAL; + 
state->override_attrs = override_attrs; + state->use_pac = false; + + state->op = sdap_id_op_create(state, state->ctx->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto fail; + } + + state->domain = find_domain_by_name(state->ctx->be->domain, + ar->domain, true); + if (state->domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n"); + ret = ENOMEM; + goto fail; + } + state->sysdb = state->domain->sysdb; + + state->entry_type = (ar->entry_type & BE_REQ_TYPE_MASK); + state->filter = ar->filter_value; + state->filter_type = ar->filter_type; + state->extra_value = ar->extra_value; + + switch (state->entry_type) { + case BE_REQ_USER: + case BE_REQ_GROUP: + case BE_REQ_BY_SECID: + case BE_REQ_BY_CERT: + case BE_REQ_USER_AND_GROUP: + ret = EOK; + break; + case BE_REQ_INITGROUPS: + ret = check_if_pac_is_available(state, state->domain, ar, + &state->user_msg); + if (ret == EOK) { + state->use_pac = true; + } + + ret = EOK; + break; + default: + ret = EINVAL; + DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain request type.\n"); + } + if (ret != EOK) goto fail; + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + goto fail; + } + tevent_req_set_callback(subreq, ipa_get_subdom_acct_connected, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ipa_get_subdom_acct_connected(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_subdom_acct *state = tevent_req_data(req, + struct ipa_get_subdom_acct); + int dp_error = DP_ERR_FATAL; + int ret; + char *endptr; + struct req_input *req_input; + char *shortname; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + if (state->entry_type == BE_REQ_INITGROUPS) { + 
/* With V1 of the extdom plugin a user lookup will resolve the full + * group membership of the user. */ + if (sdap_is_extension_supported(sdap_id_op_handle(state->op), + EXOP_SID2NAME_V1_OID)) { + state->entry_type = BE_REQ_USER; + } else { + if (state->use_pac && state->user_msg != NULL) { + /* This means the user entry is already in the cache and has + * the pac attached, we only have look up the missing groups + * and add the user to all groups. */ + + subreq = ipa_get_subdom_acct_process_pac_send(state, state->ev, + sdap_id_op_handle(state->op), + state->ipa_ctx, + state->domain, + state->user_msg); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa_get_subdom_acct_process_pac failed.\n"); + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ipa_get_subdom_acct_done, req); + + return; + } + + /* Fall through if there is no PAC */ + + DEBUG(SSSDBG_TRACE_FUNC, "Initgroups requests are not handled " \ + "by the IPA provider but are resolved " \ + "by the responder directly from the " \ + "cache.\n"); + tevent_req_error(req, ENOTSUP); + return; + } + } + + req_input = talloc(state, struct req_input); + if (req_input == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); + tevent_req_error(req, ENOMEM); + return; + } + + switch (state->filter_type) { + case BE_FILTER_NAME: + req_input->type = REQ_INP_NAME; + /* The extdom plugin expects the shortname and domain separately, + * but for UPN/email lookup we need to send the raw name */ + if (state->extra_value != NULL + && strcmp(state->extra_value, EXTRA_NAME_IS_UPN) == 0) { + req_input->inp.name = talloc_strdup(req_input, state->filter); + } else { + ret = sss_parse_internal_fqname(req_input, state->filter, + &shortname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse internal name [%s]: %d\n", + state->filter, ret); + tevent_req_error(req, ret); + return; + } + + req_input->inp.name = talloc_steal(req_input, shortname); + } + if (req_input->inp.name == 
NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ break;
+ case BE_FILTER_IDNUM:
+ req_input->type = REQ_INP_ID;
+ req_input->inp.id = strtouint32(state->filter, &endptr, 10);
+ if (errno || *endptr || (state->filter == endptr)) {
+ tevent_req_error(req, errno ? errno : EINVAL);
+ return;
+ }
+ break;
+ case BE_FILTER_SECID:
+ req_input->type = REQ_INP_SECID;
+ req_input->inp.secid = talloc_strdup(req_input, state->filter);
+ if (req_input->inp.secid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ break;
+ case BE_FILTER_CERT:
+ if (sdap_is_extension_supported(sdap_id_op_handle(state->op),
+ EXOP_SID2NAME_V1_OID)) {
+ req_input->type = REQ_INP_CERT;
+ req_input->inp.cert = talloc_strdup(req_input, state->filter);
+ if (req_input->inp.cert == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Lookup by certificate not supported by the server.\n");
+ state->dp_error = DP_ERR_OK;
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n");
+ state->dp_error = dp_error;
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ subreq = ipa_s2n_get_acct_info_send(state,
+ state->ev,
+ state->ipa_ctx,
+ state->ctx->opts,
+ state->domain,
+ state->override_attrs,
+ sdap_id_op_handle(state->op),
+ state->entry_type,
+ req_input);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, ipa_get_subdom_acct_done, req);
+
+ return;
+}
+
+static void ipa_get_subdom_acct_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_get_subdom_acct *state = tevent_req_data(req,
+ struct ipa_get_subdom_acct);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret =
ipa_s2n_get_acct_info_recv(subreq);
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (!subreq) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_set_callback(subreq, ipa_get_subdom_acct_connected, req);
+ return;
+ }
+
+ if (ret && ret != ENOENT) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* FIXME: do we need some special handling of ENOENT */
+
+ state->dp_error = DP_ERR_OK;
+ tevent_req_done(req);
+}
+
+int ipa_get_subdom_acct_recv(struct tevent_req *req, int *dp_error_out)
+{
+ struct ipa_get_subdom_acct *state = tevent_req_data(req,
+ struct ipa_get_subdom_acct);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* IPA lookup for server mode. Directly to AD. */
+struct ipa_get_ad_acct_state {
+ int dp_error;
+ struct tevent_context *ev;
+ struct ipa_id_ctx *ipa_ctx;
+ struct dp_id_data *ar;
+ struct sss_domain_info *obj_dom;
+ char *object_sid;
+ struct sysdb_attrs *override_attrs;
+ struct ldb_message *obj_msg;
+};
+
+static void ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq);
+static void ipa_get_ad_override_done(struct tevent_req *subreq);
+static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req);
+static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req);
+static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq);
+static void ipa_get_ad_acct_done(struct tevent_req *subreq);
+static struct ad_id_ctx *ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *dom);
+
+static struct tevent_req *
+ipa_get_ad_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sysdb_attrs *override_attrs,
+ struct dp_id_data *ar)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+
struct ipa_get_ad_acct_state *state;
+ struct sdap_domain *sdom;
+ struct sdap_id_conn_ctx **clist;
+ struct sdap_id_ctx *sdap_id_ctx;
+ struct ad_id_ctx *ad_id_ctx;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_get_ad_acct_state);
+ if (req == NULL) return NULL;
+
+ state->dp_error = -1;
+ state->ev = ev;
+ state->ipa_ctx = ipa_ctx;
+ state->ar = ar;
+ state->obj_msg = NULL;
+ state->override_attrs = override_attrs;
+
+ /* This can only be a subdomain request, verify subdomain */
+ state->obj_dom = find_domain_by_name(ipa_ctx->sdap_id_ctx->be->domain,
+ ar->domain, true);
+ if (state->obj_dom == NULL) {
+ ret = EINVAL;
+ goto fail;
+ }
+
+ /* Let's see if this subdomain has a ad_id_ctx */
+ ad_id_ctx = ipa_get_ad_id_ctx(ipa_ctx, state->obj_dom);
+ if (ad_id_ctx == NULL) {
+ ret = EINVAL;
+ goto fail;
+ }
+ sdap_id_ctx = ad_id_ctx->sdap_id_ctx;
+
+ /* We read users and groups from GC. From groups, we may switch to
+ * using LDAP connection in the group request itself, but in order
+ * to resolve Universal group memberships, we also need the GC
+ * connection
+ */
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_BY_SECID:
+ case BE_REQ_GROUP:
+ clist = ad_gc_conn_list(req, ad_id_ctx, state->obj_dom);
+ break;
+ default:
+ clist = ad_ldap_conn_list(req, ad_id_ctx, state->obj_dom);
+ break;
+ }
+
+ if (clist == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot generate AD connection list!\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ /* Now we already need ad_id_ctx in particular sdap_id_conn_ctx */
+ sdom = sdap_domain_get(sdap_id_ctx->opts, state->obj_dom);
+ if (sdom == NULL) {
+ ret = EIO;
+ goto fail;
+ }
+
+ subreq = ad_handle_acct_info_send(req, ar, sdap_id_ctx,
+ ad_id_ctx->ad_options, sdom, clist);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_get_ad_acct_ad_part_done, req);
+ return req;
+
+fail:
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ret);
+
tevent_req_post(req, ev);
+ return req;
+}
+
+static struct ad_id_ctx *
+ipa_get_ad_id_ctx(struct ipa_id_ctx *ipa_ctx,
+ struct sss_domain_info *dom)
+{
+ struct ipa_ad_server_ctx *iter;
+
+ DLIST_FOR_EACH(iter, ipa_ctx->server_mode->trusts) {
+ if (iter->dom == dom) break;
+ }
+
+ return (iter) ? iter->ad_id_ctx : NULL;
+}
+
+static errno_t
+get_subdomain_homedir_of_user(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ const char *fqname, uint32_t uid,
+ const char *original, const char **_homedir)
+{
+ errno_t ret;
+ const char *homedir;
+ TALLOC_CTX *tmp_ctx;
+ struct sss_nss_homedir_ctx homedir_ctx;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (strstr(dom->subdomain_homedir, "%o") != NULL && original == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Original home directory for user: %s is empty.\n", fqname);
+ ret = ERR_HOMEDIR_IS_NULL;
+ goto done;
+ }
+
+ ZERO_STRUCT(homedir_ctx);
+
+ homedir_ctx.uid = uid;
+ homedir_ctx.username = fqname;
+ homedir_ctx.domain = dom->name;
+ homedir_ctx.flatname = dom->flat_name;
+ homedir_ctx.config_homedir_substr = dom->homedir_substr;
+ homedir_ctx.original = original;
+
+ /* To be compatible with the old winbind based user lookups and IPA
+ * clients the user name in the home directory path will be lower-case.
*/
+ homedir = expand_homedir_template(tmp_ctx, dom->subdomain_homedir,
+ false, &homedir_ctx);
+ if (homedir == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "expand_homedir_template failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (_homedir == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+ *_homedir = talloc_steal(mem_ctx, homedir);
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+store_homedir_of_user(struct sss_domain_info *domain,
+ const char *fqname, const char *homedir)
+{
+ errno_t ret;
+ errno_t sret;
+ TALLOC_CTX *tmp_ctx;
+ bool in_transaction = false;
+ struct sysdb_attrs *attrs;
+ struct sysdb_ctx *sysdb = domain->sysdb;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_HOMEDIR, homedir);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Error setting homedir: [%s]\n",
+ strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+
+ in_transaction = true;
+
+ ret = sysdb_set_user_attr(domain, fqname, attrs, SYSDB_MOD_REP);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to update homedir information!\n");
+ goto done;
+ }
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot commit sysdb transaction [%d]: %s.\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ in_transaction = false;
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction.\n");
+ }
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+apply_subdomain_homedir(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
+ struct ldb_message *msg)
+{
+ errno_t ret;
+ uint32_t uid;
+ const char *fqname;
+ const char *original;
+ const char *homedir = NULL;
+ struct ldb_message_element *msg_el = NULL;
+ size_t c;
+
+ msg_el = ldb_msg_find_element(msg, SYSDB_OBJECTCATEGORY);
+ if (msg_el == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_find_element failed.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* The object is a user if SYSDB_OBJECTCATEGORY is SYSDB_USER_CLASS or in
+ * case of a MPG group lookup if SYSDB_OBJECTCATEGORY is SYSDB_GROUP_CLASS.
+ */
+ for (c = 0; c < msg_el->num_values; c++) {
+ if (strncmp(SYSDB_USER_CLASS, (const char *)msg_el->values[c].data,
+ msg_el->values[c].length) == 0
+ || (dom->mpg
+ && strncmp(SYSDB_GROUP_CLASS,
+ (const char *)msg_el->values[c].data,
+ msg_el->values[c].length) == 0)) {
+ break;
+ }
+ }
+ if (c == msg_el->num_values) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "User objectclass not found, object is not a user.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ fqname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (fqname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing user name.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
+ if (uid == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "UID for user [%s] is not known.\n",
+ fqname);
+ ret = ENOENT;
+ goto done;
+ }
+
+ original = ldb_msg_find_attr_as_string(msg, SYSDB_HOMEDIR, NULL);
+ if (original == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Missing homedir of %s.\n", fqname);
+ }
+
+ ret = get_subdomain_homedir_of_user(mem_ctx, dom, fqname, uid, original,
+ &homedir);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "get_subdomain_homedir_of_user failed: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ if (ret == ERR_HOMEDIR_IS_NULL) {
+ /* This is not fatal, fallback_homedir will be used.
*/
+ ret = EOK;
+ }
+ goto done;
+ }
+
+ ret = store_homedir_of_user(dom, fqname, homedir);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "store_homedir_of_user failed: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ return ret;
+}
+
+errno_t get_object_from_cache(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ struct dp_id_data *ar,
+ struct ldb_message **_msg)
+{
+ errno_t ret;
+ uint32_t id;
+ struct ldb_message *msg = NULL;
+ struct ldb_result *res = NULL;
+ const char *attrs[] = { SYSDB_NAME,
+ SYSDB_UIDNUM,
+ SYSDB_SID_STR,
+ SYSDB_OBJECTCATEGORY,
+ SYSDB_UUID,
+ SYSDB_GHOST,
+ SYSDB_HOMEDIR,
+ NULL };
+
+ if (ar->filter_type == BE_FILTER_SECID) {
+ ret = sysdb_search_object_by_sid(mem_ctx, dom, ar->filter_value, attrs,
+ &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to make request to our cache: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ *_msg = res->msgs[0];
+
+ ret = EOK;
+ goto done;
+ } else if (ar->filter_type == BE_FILTER_UUID) {
+ ret = sysdb_search_object_by_uuid(mem_ctx, dom, ar->filter_value, attrs,
+ &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to make request to our cache: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ *_msg = res->msgs[0];
+
+ ret = EOK;
+ goto done;
+ } else if (ar->filter_type == BE_FILTER_CERT) {
+ ret = sysdb_search_object_by_cert(mem_ctx, dom, ar->filter_value, attrs,
+ &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to make request to our cache: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ if (res->count != 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "More than one result found in our cache\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ *_msg = res->msgs[0];
+
+ ret = EOK;
+ goto done;
+ } else if (ar->filter_type == BE_FILTER_IDNUM) {
+ errno = 0;
+ id = strtouint32(ar->filter_value, NULL, 10);
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE, "strtouint32 failed.\n");
+ goto done;
+ }
+
+
switch (ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_GROUP:
+ ret = sysdb_getgrgid_attrs(mem_ctx, dom, id, attrs, &res);
+ if (ret == EOK) {
+ if (res->count == 0) {
+ ret = ENOENT;
+ } else {
+ msg = res->msgs[0];
+ }
+ }
+ break;
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_USER:
+ case BE_REQ_USER_AND_GROUP:
+ ret = sysdb_search_user_by_uid(mem_ctx, dom, id, attrs, &msg);
+ if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
+ == BE_REQ_USER_AND_GROUP) {
+ ret = sysdb_getgrgid_attrs(mem_ctx, dom, id, attrs, &res);
+ if (ret == EOK) {
+ if (res->count == 0) {
+ ret = ENOENT;
+ } else {
+ msg = res->msgs[0];
+ }
+ }
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected entry type [%d].\n",
+ (ar->entry_type & BE_REQ_TYPE_MASK));
+ ret = EINVAL;
+ goto done;
+ }
+ } else if (ar->filter_type == BE_FILTER_NAME) {
+ switch (ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_GROUP:
+ ret = sysdb_search_group_by_name(mem_ctx, dom, ar->filter_value,
+ attrs, &msg);
+ break;
+ case BE_REQ_INITGROUPS:
+ case BE_REQ_USER:
+ case BE_REQ_USER_AND_GROUP:
+ if (ar->extra_value
+ && strcmp(ar->extra_value, EXTRA_NAME_IS_UPN) == 0) {
+ ret = sysdb_search_user_by_upn(mem_ctx, dom, false, ar->filter_value,
+ attrs, &msg);
+ } else {
+ ret = sysdb_search_user_by_name(mem_ctx, dom, ar->filter_value,
+ attrs, &msg);
+ if (ret == ENOENT && (ar->entry_type & BE_REQ_TYPE_MASK)
+ == BE_REQ_USER_AND_GROUP) {
+ ret = sysdb_search_group_by_name(mem_ctx, dom,
+ ar->filter_value, attrs,
+ &msg);
+ }
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected entry type [%d].\n",
+ (ar->entry_type & BE_REQ_TYPE_MASK));
+ ret = EINVAL;
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected filter type.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to make request to our cache: [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ *_msg = msg;
+
+done:
+ return ret;
+}
+
+static void
+ipa_get_ad_acct_ad_part_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+ errno_t ret;
+ const char *sid;
+ struct dp_id_data *ar;
+
+ ret = ad_handle_acct_info_recv(subreq, &state->dp_error, NULL);
+ talloc_zfree(subreq);
+ if (ret == ERR_SUBDOM_INACTIVE) {
+ tevent_req_error(req, ret);
+ return;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "AD lookup failed: %d\n", ret);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = get_object_from_cache(state, state->obj_dom, state->ar,
+ &state->obj_msg);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Object not found, ending request\n");
+ tevent_req_done(req);
+ return;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+ goto fail;
+ }
+
+ ret = apply_subdomain_homedir(state, state->obj_dom,
+ state->obj_msg);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "apply_subdomain_homedir failed: [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ if (state->override_attrs == NULL) {
+ sid = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_SID_STR, NULL);
+ if (sid == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find a SID.\n");
+ ret = EINVAL;
+ goto fail;
+ }
+
+ state->object_sid = talloc_strdup(state, sid);
+ if (state->object_sid == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = get_dp_id_data_for_sid(state, state->object_sid,
+ state->obj_dom->name, &ar);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_dp_id_data_for_sid failed.\n");
+ goto fail;
+ }
+
+ subreq = ipa_get_ad_override_send(state, state->ev,
+ state->ipa_ctx->sdap_id_ctx,
+ state->ipa_ctx->ipa_options,
+ state->ipa_ctx->server_mode->realm,
+ state->ipa_ctx->view_name,
+ ar);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
"ipa_get_ad_override_send failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_get_ad_override_done, req);
+ } else {
+ ret = ipa_get_ad_apply_override_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ipa_get_ad_apply_override_step failed.\n");
+ goto fail;
+ }
+ }
+
+ return;
+
+fail:
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ret);
+ return;
+}
+
+
+static void
+ipa_get_ad_override_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+ errno_t ret;
+
+ ret = ipa_get_ad_override_recv(subreq, &state->dp_error, state,
+ &state->override_attrs);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "IPA override lookup failed: %d\n", ret);
+ tevent_req_error(req, ret);
+ return;
+
+ }
+
+ ret = ipa_get_ad_apply_override_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_apply_override_step failed.\n");
+ goto fail;
+ }
+
+ return;
+
+fail:
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ret);
+ return;
+}
+
+static void ipa_check_ghost_members_done(struct tevent_req *subreq);
+static errno_t ipa_check_ghost_members(struct tevent_req *req)
+{
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+ errno_t ret;
+ struct tevent_req *subreq;
+ struct ldb_message_element *ghosts = NULL;
+
+
+ if (state->obj_msg == NULL) {
+ ret = get_object_from_cache(state, state->obj_dom, state->ar,
+ &state->obj_msg);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Object not found, ending request\n");
+ return EOK;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+ return ret;
+ }
+ }
+
+ ghosts = ldb_msg_find_element(state->obj_msg, SYSDB_GHOST);
+
+ if (ghosts != NULL) {
+ /* Resolve ghost members */
+ subreq =
ipa_resolve_user_list_send(state, state->ev,
+ state->ipa_ctx,
+ state->obj_dom->name,
+ ghosts);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_check_ghost_members_done, req);
+ return EAGAIN;
+ }
+
+ return EOK;
+}
+
+static void ipa_check_ghost_members_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ int ret;
+
+ ret = ipa_resolve_user_list_recv(subreq, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_resolve_user_list request failed [%d]\n",
+ ret);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+ return;
+}
+
+static errno_t ipa_get_ad_apply_override_step(struct tevent_req *req)
+{
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+ errno_t ret;
+ struct tevent_req *subreq;
+ const char *obj_name;
+ int entry_type;
+ size_t groups_count = 0;
+ struct ldb_message **groups = NULL;
+ const char *attrs[] = SYSDB_INITGR_ATTRS;
+
+ if (state->override_attrs != NULL) {
+ /* We are in ipa-server-mode, so the view is the default view by
+ * definition. */
+ ret = sysdb_apply_default_override(state->obj_dom,
+ state->override_attrs,
+ state->obj_msg->dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_apply_default_override failed.\n");
+ return ret;
+ }
+ }
+
+ entry_type = (state->ar->entry_type & BE_REQ_TYPE_MASK);
+ if (entry_type != BE_REQ_INITGROUPS
+ && entry_type != BE_REQ_USER
+ && entry_type != BE_REQ_BY_SECID
+ && entry_type != BE_REQ_GROUP) {
+ tevent_req_done(req);
+ return EOK;
+ }
+
+ /* expand ghost members, if any, to get group members with overrides
+ * right.
*/
+ if (entry_type == BE_REQ_GROUP) {
+ ret = ipa_check_ghost_members(req);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ return EOK;
+ } else if (ret == EAGAIN) {
+ return EOK;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_check_ghost_members failed.\n");
+ return ret;
+ }
+ }
+
+ /* Replace ID with name in search filter */
+ if ((entry_type == BE_REQ_USER && state->ar->filter_type == BE_FILTER_IDNUM)
+ || (entry_type == BE_REQ_INITGROUPS
+ && state->ar->filter_type == BE_FILTER_SECID)
+ || entry_type == BE_REQ_BY_SECID) {
+ if (state->obj_msg == NULL) {
+ ret = get_object_from_cache(state, state->obj_dom, state->ar,
+ &state->obj_msg);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Object not found, ending request\n");
+ tevent_req_done(req);
+ return EOK;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_object_from_cache failed.\n");
+ return ret;
+ }
+ }
+
+ obj_name = ldb_msg_find_attr_as_string(state->obj_msg, SYSDB_NAME,
+ NULL);
+ if (obj_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cached object has no name.\n");
+ return EINVAL;
+ }
+
+ state->ar->filter_value = talloc_strdup(state->ar, obj_name);
+ if (state->ar->filter_value == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+ state->ar->filter_type = BE_FILTER_NAME;
+ state->ar->entry_type = BE_REQ_USER;
+ }
+
+ /* Lookup all groups the user is a member of which do not have ORIGINALAD
+ * attributes set, i.e. where overrides might not have been applied.
*/
+ ret = sysdb_asq_search(state, state->obj_dom, state->obj_msg->dn,
+ "(&("SYSDB_GC")("SYSDB_GIDNUM"=*)" \
+ "("SYSDB_POSIX"=TRUE)" \
+ "(!("ORIGINALAD_PREFIX SYSDB_GIDNUM"=*))" \
+ "(!("ORIGINALAD_PREFIX SYSDB_NAME"=*)))",
+ SYSDB_INITGR_ATTR,
+ attrs, &groups_count, &groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_groups_without_orig failed.\n");
+ return ret;
+ }
+
+ if (groups != NULL) {
+ subreq = ipa_initgr_get_overrides_send(state, state->ev, state->ipa_ctx,
+ state->obj_dom, groups_count,
+ groups, SYSDB_SID_STR);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_initgr_get_overrides_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_id_get_groups_overrides_done, req);
+ return EOK;
+ }
+
+ ret = ipa_get_ad_ipa_membership_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static void ipa_id_get_groups_overrides_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ errno_t ret;
+
+ ret = ipa_initgr_get_overrides_recv(subreq, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "IPA resolve user groups overrides failed [%d].\n", ret);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = ipa_get_ad_ipa_membership_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_ipa_membership_step failed.\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ return;
+}
+
+static errno_t ipa_get_ad_ipa_membership_step(struct tevent_req *req)
+{
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+ struct tevent_req *subreq;
+
+ /* For initgroups request we have to check IPA group memberships of AD
+ * users. This has to be done for other user-request as well to make sure
+ * IPA related attributes are not overwritten.
*/
+ subreq = ipa_get_ad_memberships_send(state, state->ev, state->ar,
+ state->ipa_ctx->server_mode,
+ state->obj_dom,
+ state->ipa_ctx->sdap_id_ctx,
+ state->ipa_ctx->server_mode->realm);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_memberships_send failed.\n");
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_get_ad_acct_done, req);
+
+ return EOK;
+}
+
+static void
+ipa_get_ad_acct_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+ errno_t ret;
+
+ ret = ipa_get_ad_memberships_recv(subreq, &state->dp_error);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "IPA external groups lookup failed: %d\n",
+ ret);
+ tevent_req_error(req, ret);
+ return;
+
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t
+ipa_get_ad_acct_recv(struct tevent_req *req, int *dp_error_out)
+{
+ struct ipa_get_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_get_ad_acct_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct ipa_srv_ad_acct_state {
+ struct tevent_context *ev;
+ struct ipa_id_ctx *ipa_ctx;
+ struct sysdb_attrs *override_attrs;
+ struct dp_id_data *ar;
+
+ struct sss_domain_info *obj_dom;
+ struct be_ctx *be_ctx;
+ bool retry;
+
+ int dp_error;
+};
+
+static int ipa_srv_ad_acct_lookup_step(struct tevent_req *req);
+static void ipa_srv_ad_acct_lookup_done(struct tevent_req *subreq);
+static void ipa_srv_ad_acct_retried(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_srv_ad_acct_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_id_ctx *ipa_ctx,
+ struct sysdb_attrs *override_attrs,
+ struct dp_id_data *ar)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct ipa_srv_ad_acct_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct
ipa_srv_ad_acct_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->ipa_ctx = ipa_ctx;
+ state->override_attrs = override_attrs;
+ state->ar = ar;
+ state->retry = true;
+ state->dp_error = DP_ERR_FATAL;
+ state->be_ctx = ipa_ctx->sdap_id_ctx->be;
+
+ state->obj_dom = find_domain_by_name(
+ state->ipa_ctx->sdap_id_ctx->be->domain,
+ state->ar->domain, true);
+ if (state->obj_dom == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Domain not found\n");
+ ret = ERR_DOMAIN_NOT_FOUND;
+ goto fail;
+ }
+
+ ret = ipa_srv_ad_acct_lookup_step(req);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static int ipa_srv_ad_acct_lookup_step(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct ipa_srv_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_srv_ad_acct_state);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Looking up AD account\n");
+ subreq = ipa_get_ad_acct_send(state, state->ev, state->ipa_ctx,
+ state->override_attrs,
+ state->ar);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ipa_srv_ad_acct_lookup_done, req);
+
+ return EOK;
+}
+
+static void ipa_srv_ad_acct_lookup_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ int dp_error = DP_ERR_FATAL;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_srv_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_srv_ad_acct_state);
+
+ ret = ipa_get_ad_acct_recv(subreq, &dp_error);
+ talloc_free(subreq);
+ if (ret == ERR_SUBDOM_INACTIVE && state->retry == true) {
+
+ state->retry = false;
+
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Subdomain lookup failed, will try to reset subdomain.\n");
+ subreq = ipa_server_trusted_dom_setup_send(state, state->ev,
+ state->be_ctx,
+ state->ipa_ctx,
+ state->obj_dom);
+ if (subreq == NULL) {
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, ipa_srv_ad_acct_retried, req);
+ return;
+ } else if (ret != EOK) {
+
be_mark_dom_offline(state->obj_dom, state->be_ctx);
+
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_*_acct request failed: [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ state->dp_error = DP_ERR_OK;
+ tevent_req_done(req);
+ return;
+
+fail:
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+}
+
+static void ipa_srv_ad_acct_retried(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ipa_srv_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_srv_ad_acct_state);
+
+ ret = ipa_server_trusted_dom_setup_recv(subreq);
+ talloc_free(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to re-set subdomain [%d]: %s\n", ret, sss_strerror(ret));
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ret);
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Subdomain re-set, will retry lookup\n");
+ be_fo_reset_svc(state->be_ctx, state->obj_dom->name);
+
+ ret = ipa_srv_ad_acct_lookup_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to look up AD acct [%d]: %s\n", ret, sss_strerror(ret));
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t
+ipa_srv_ad_acct_recv(struct tevent_req *req, int *dp_error_out)
+{
+ struct ipa_srv_ad_acct_state *state = tevent_req_data(req,
+ struct ipa_srv_ad_acct_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_subdomains_server.c b/src/providers/ipa/ipa_subdomains_server.c
new file mode 100644
index 0000000..e5ea4bd
--- /dev/null
+++ b/src/providers/ipa/ipa_subdomains_server.c
@@ -0,0 +1,1191 @@
+/*
+ SSSD
+
+ IPA Subdomains Module - server mode
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "providers/ipa/ipa_subdomains.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ipa/ipa_id.h"
+
+/* These constants are defined in MS-ADTS 6.1.6.7.1
+ * https://msdn.microsoft.com/en-us/library/cc223768.aspx
+ */
+#define LSA_TRUST_DIRECTION_INBOUND 0x00000001
+#define LSA_TRUST_DIRECTION_OUTBOUND 0x00000002
+#define LSA_TRUST_DIRECTION_MASK (LSA_TRUST_DIRECTION_INBOUND | LSA_TRUST_DIRECTION_OUTBOUND)
+
+static char *forest_keytab(TALLOC_CTX *mem_ctx, const char *forest)
+{
+ return talloc_asprintf(mem_ctx,
+ "%s/%s.keytab", IPA_TRUST_KEYTAB_DIR, forest);
+}
+
+static char *subdomain_trust_princ(TALLOC_CTX *mem_ctx,
+ const char *forest_realm,
+ struct sss_domain_info *sd)
+{
+ if (sd->parent->flat_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown flat name for parent %s\n", sd->parent->name);
+ return NULL;
+ }
+
+ return talloc_asprintf(mem_ctx, "%s$@%s",
+ sd->parent->flat_name, forest_realm);
+}
+
+static uint32_t default_direction(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb_ctx,
+ struct sysdb_attrs *attrs)
+{
+ struct ldb_dn *dn = NULL;
+ uint32_t direction;
+
+ dn = ipa_subdom_ldb_dn(mem_ctx, ldb_ctx, attrs);
+ if (dn ==
NULL) {
+ /* Shouldn't happen, but let's try system keytab in this case */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot determine subdomain DN, falling back to two-way trust\n");
+ return (LSA_TRUST_DIRECTION_INBOUND|LSA_TRUST_DIRECTION_OUTBOUND);
+ }
+
+ if (ipa_subdom_is_member_dom(dn) == true) {
+ /* It's expected member domains do not have the direction */
+ direction = 0;
+ } else {
+ /* Old server? Default to 2way trust */
+ direction = (LSA_TRUST_DIRECTION_INBOUND|LSA_TRUST_DIRECTION_OUTBOUND);
+ }
+
+ talloc_free(dn);
+ return direction;
+}
+
+errno_t ipa_server_get_trust_direction(struct sysdb_attrs *sd,
+ struct ldb_context *ldb_ctx,
+ uint32_t *_direction)
+{
+ uint32_t ipa_trust_direction = 0;
+ uint32_t direction;
+ int ret;
+
+ ret = sysdb_attrs_get_uint32_t(sd, IPA_TRUST_DIRECTION,
+ &ipa_trust_direction);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Raw %s value: %d\n", IPA_TRUST_DIRECTION, ipa_trust_direction);
+ if (ret == ENOENT) {
+ direction = default_direction(sd, ldb_ctx, sd);
+ } else if (ret == EOK) {
+ /* Just store the AD value in SYSDB, we will check it while we're
+ * trying to use the trust */
+ direction = ipa_trust_direction;
+ } else {
+ return ret;
+ }
+
+ *_direction = direction;
+ return EOK;
+}
+
+const char *ipa_trust_dir2str(uint32_t direction)
+{
+ if ((direction & LSA_TRUST_DIRECTION_OUTBOUND)
+ && (direction & LSA_TRUST_DIRECTION_INBOUND)) {
+ return "two-way trust";
+ } else if (direction & LSA_TRUST_DIRECTION_OUTBOUND) {
+ return "one-way outbound: local domain is trusted by remote domain";
+ } else if (direction & LSA_TRUST_DIRECTION_INBOUND) {
+ return "one-way inbound: local domain trusts the remote domain";
+ } else if (direction == 0) {
+ return "not set";
+ }
+
+ return "unknown";
+}
+
+#ifndef IPA_GETKEYTAB_TIMEOUT
+#define IPA_GETKEYTAB_TIMEOUT 5
+#endif /* IPA_GETKEYTAB_TIMEOUT */
+
+static struct ad_options *
+ipa_create_1way_trust_ctx(struct ipa_id_ctx *id_ctx,
+ struct be_ctx *be_ctx,
+ const char *subdom_conf_path,
+ const
char *forest, + const char *forest_realm, + struct sss_domain_info *subdom) +{ + char *keytab; + char *principal; + struct ad_options *ad_options; + + keytab = forest_keytab(id_ctx, forest); + principal = subdomain_trust_princ(id_ctx, forest_realm, subdom); + if (keytab == NULL || principal == NULL) { + return NULL; + } + + ad_options = ad_create_1way_trust_options(id_ctx, + be_ctx->cdb, + subdom_conf_path, + be_ctx->provider, + subdom, + id_ctx->server_mode->hostname, + keytab, + principal); + if (ad_options == NULL) { + talloc_free(keytab); + talloc_free(principal); + return NULL; + } + + return ad_options; +} + +static struct ad_options *ipa_ad_options_new(struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *subdom) +{ + struct ad_options *ad_options = NULL; + uint32_t direction; + const char *forest; + const char *forest_realm; + char *subdom_conf_path; + + /* Trusts are only established with forest roots */ + direction = subdom->forest_root->trust_direction; + forest_realm = subdom->forest_root->realm; + forest = subdom->forest_root->forest; + + subdom_conf_path = subdomain_create_conf_path(id_ctx, subdom); + if (subdom_conf_path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "subdom_conf_path failed\n"); + return NULL; + } + + /* In both inbound and outbound trust cases we should be + * using trusted domain object in a trusted domain space, + * thus we always should be initializing principals/keytabs + * as if we are running one-way trust */ + if (direction & LSA_TRUST_DIRECTION_MASK) { + ad_options = ipa_create_1way_trust_ctx(id_ctx, be_ctx, + subdom_conf_path, forest, + forest_realm, subdom); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported trust direction!\n"); + ad_options = NULL; + } + talloc_free(subdom_conf_path); + + if (ad_options == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); + return NULL; + } + return ad_options; +} + + +static errno_t +ipa_ad_ctx_new(struct be_ctx *be_ctx, + struct ipa_id_ctx 
*id_ctx, + struct sss_domain_info *subdom, + struct ad_id_ctx **_ad_id_ctx) +{ + struct ad_options *ad_options; + struct ad_id_ctx *ad_id_ctx; + const char *gc_service_name; + const char *service_name; + struct ad_srv_plugin_ctx *srv_ctx; + const char *ad_domain; + const char *ad_site_override; + const char *ad_servers; + const char *ad_backup_servers; + struct sdap_domain *sdom; + errno_t ret; + const char *extra_attrs; + bool use_kdcinfo = false; + + ad_domain = subdom->name; + DEBUG(SSSDBG_TRACE_LIBS, "Setting up AD subdomain %s\n", subdom->name); + + ad_options = ipa_ad_options_new(be_ctx, id_ctx, subdom); + if (ad_options == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD options\n"); + talloc_free(ad_options); + return ENOMEM; + } + + extra_attrs = dp_opt_get_string(id_ctx->sdap_id_ctx->opts->basic, + SDAP_USER_EXTRA_ATTRS); + if (extra_attrs != NULL) { + DEBUG(SSSDBG_TRACE_ALL, + "Setting extra attrs for subdomain [%s] to [%s].\n", ad_domain, + extra_attrs); + + ret = dp_opt_set_string(ad_options->id->basic, SDAP_USER_EXTRA_ATTRS, + extra_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "dp_opt_set_string failed.\n"); + talloc_free(ad_options); + return ret; + } + + ret = sdap_extend_map_with_list(ad_options->id, ad_options->id, + SDAP_USER_EXTRA_ATTRS, + ad_options->id->user_map, + SDAP_OPTS_USER, + &ad_options->id->user_map, + &ad_options->id->user_map_cnt); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_extend_map_with_list failed.\n"); + talloc_free(ad_options); + return ret; + } + } else { + DEBUG(SSSDBG_TRACE_ALL, "No extra attrs set.\n"); + } + + gc_service_name = talloc_asprintf(ad_options, "sd_gc_%s", subdom->forest); + if (gc_service_name == NULL) { + talloc_free(ad_options); + return ENOMEM; + } + + service_name = talloc_asprintf(ad_options, "sd_%s", subdom->name); + if (service_name == NULL) { + talloc_free(ad_options); + return ENOMEM; + } + + ad_servers = dp_opt_get_string(ad_options->basic, AD_SERVER); + ad_backup_servers 
= dp_opt_get_string(ad_options->basic, AD_BACKUP_SERVER); + + if (id_ctx->ipa_options != NULL && id_ctx->ipa_options->auth != NULL) { + use_kdcinfo = dp_opt_get_bool(id_ctx->ipa_options->auth, + KRB5_USE_KDCINFO); + } + + DEBUG(SSSDBG_TRACE_ALL, + "Init failover for [%s][%s] with use_kdcinfo [%s].\n", + subdom->name, subdom->realm, use_kdcinfo ? "true" : "false"); + + /* Set KRB5 realm to same as the one of IPA when IPA + * is able to attach PAC. For testing, use hardcoded. */ + /* Why? */ + ret = ad_failover_init(ad_options, be_ctx, ad_servers, ad_backup_servers, + subdom->realm, + service_name, gc_service_name, + subdom->name, use_kdcinfo, + &ad_options->service); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD failover\n"); + talloc_free(ad_options); + return ret; + } + + ad_id_ctx = ad_id_ctx_init(ad_options, be_ctx); + if (ad_id_ctx == NULL) { + talloc_free(ad_options); + return ENOMEM; + } + ad_id_ctx->sdap_id_ctx->opts = ad_options->id; + ad_options->id_ctx = ad_id_ctx; + + ad_site_override = dp_opt_get_string(ad_options->basic, AD_SITE); + + /* use AD plugin */ + srv_ctx = ad_srv_plugin_ctx_init(be_ctx, be_ctx, be_ctx->be_res, + default_host_dbs, + ad_id_ctx->ad_options->id, + id_ctx->server_mode->hostname, + ad_domain, + ad_site_override); + if (srv_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; + } + be_fo_set_srv_lookup_plugin(be_ctx, ad_srv_plugin_send, + ad_srv_plugin_recv, srv_ctx, "AD"); + + ret = sdap_domain_subdom_add(ad_id_ctx->sdap_id_ctx, + ad_id_ctx->sdap_id_ctx->opts->sdom, + subdom->parent); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize sdap domain\n"); + talloc_free(ad_options); + return ret; + } + + sdom = sdap_domain_get(ad_id_ctx->sdap_id_ctx->opts, subdom); + if (sdom == NULL) { + return EFAULT; + } + + ret = ad_set_search_bases(ad_options->id, sdom); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot initialize AD search bases\n"); + 
talloc_free(ad_options); + return ret; + } + + sdap_inherit_options(subdom->parent->sd_inherit, + id_ctx->sdap_id_ctx->opts, + ad_id_ctx->sdap_id_ctx->opts); + + ret = sdap_id_setup_tasks(be_ctx, + ad_id_ctx->sdap_id_ctx, + sdom, + ldap_enumeration_send, + ldap_enumeration_recv, + ad_id_ctx->sdap_id_ctx); + if (ret != EOK) { + talloc_free(ad_options); + return ret; + } + + sdom->pvt = ad_id_ctx; + + /* Set up the ID mapping object */ + ad_id_ctx->sdap_id_ctx->opts->idmap_ctx = + id_ctx->sdap_id_ctx->opts->idmap_ctx; + + /* Set up the certificate mapping context */ + ad_id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx = + id_ctx->sdap_id_ctx->opts->sdap_certmap_ctx; + + *_ad_id_ctx = ad_id_ctx; + return EOK; +} + +struct ipa_getkeytab_state { + int child_status; + struct sss_child_ctx_old *child_ctx; + struct tevent_timer *timeout_handler; +}; + +static void ipa_getkeytab_exec(const char *ccache, + const char *server, + const char *principal, + const char *keytab_path); +static void ipa_getkeytab_done(int child_status, + struct tevent_signal *sige, + void *pvt); +static void ipa_getkeytab_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt); + +static struct tevent_req *ipa_getkeytab_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *ccache, + const char *server, + const char *principal, + const char *keytab) + + +{ + errno_t ret; + struct tevent_req *req = NULL; + struct ipa_getkeytab_state *state; + pid_t child_pid; + struct timeval tv; + + req = tevent_req_create(mem_ctx, &state, struct ipa_getkeytab_state); + if (req == NULL) { + return NULL; + } + state->child_status = EFAULT; + + if (server == NULL || principal == NULL || keytab == NULL) { + ret = EINVAL; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Retrieving keytab for %s from %s into %s using ccache %s\n", + principal, server, keytab, ccache); + + child_pid = fork(); + if (child_pid == 0) { /* child */ + ipa_getkeytab_exec(ccache, server, principal, 
keytab); + } else if (child_pid > 0) { /* parent */ + /* Set up SIGCHLD handler */ + ret = child_handler_setup(ev, child_pid, ipa_getkeytab_done, req, + &state->child_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n", + ret, sss_strerror(ret)); + ret = ERR_IPA_GETKEYTAB_FAILED; + goto done; + } + + /* Set up timeout handler */ + tv = tevent_timeval_current_ofs(IPA_GETKEYTAB_TIMEOUT, 0); + state->timeout_handler = tevent_add_timer(ev, req, tv, + ipa_getkeytab_timeout, req); + if(state->timeout_handler == NULL) { + ret = ERR_IPA_GETKEYTAB_FAILED; + goto done; + } + + /* Now either wait for the timeout to fire or the child + * to finish + */ + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void ipa_getkeytab_exec(const char *ccache, + const char *server, + const char *principal, + const char *keytab_path) +{ + errno_t ret; + int debug_fd; + const char *gkt_env[2] = { NULL, NULL }; + + if (debug_level >= SSSDBG_TRACE_LIBS) { + debug_fd = get_fd_from_debug_file(); + ret = dup2(debug_fd, STDERR_FILENO); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "dup2 failed [%d][%s].\n", ret, sss_strerror(ret)); + /* stderr is not fatal */ + } + } + + gkt_env[0] = talloc_asprintf(NULL, "KRB5CCNAME=%s", ccache); + if (gkt_env[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to format KRB5CCNAME\n"); + exit(1); + } + + /* ipa-getkeytab cannot add keys to an empty file, let's unlink it and only + * use the filename */ + ret = unlink(keytab_path); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unlink the temporary ccname [%d][%s]\n", + ret, sss_strerror(ret)); + exit(1); + } + + errno = 0; + ret = execle(IPA_GETKEYTAB_PATH, IPA_GETKEYTAB_PATH, + "-r", "-s", server, "-p", 
principal, "-k", keytab_path, NULL, + gkt_env); + + DEBUG(SSSDBG_CRIT_FAILURE, + "execle returned %d, this shouldn't happen!\n", ret); + + /* The child should never end up here */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "execle failed [%d][%s].\n", ret, sss_strerror(ret)); + exit(1); +} + +static void ipa_getkeytab_done(int child_status, + struct tevent_signal *sige, + void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct ipa_getkeytab_state *state = + tevent_req_data(req, struct ipa_getkeytab_state); + + state->child_status = child_status; + + if (WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa-getkeytab failed with status [%d]\n", child_status); + tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED); + return; + } + + if (WIFSIGNALED(child_status)) { + DEBUG(SSSDBG_OP_FAILURE, + "ipa-getkeytab was terminated by signal [%d]\n", + WTERMSIG(child_status)); + tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED); + return; + } + + tevent_req_done(req); +} + +static void ipa_getkeytab_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = + talloc_get_type(pvt, struct tevent_req); + struct ipa_getkeytab_state *state = + tevent_req_data(req, struct ipa_getkeytab_state); + + DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for retrieving keytab from IPA server\n"); + child_handler_destroy(state->child_ctx); + state->child_ctx = NULL; + state->child_status = ETIMEDOUT; + tevent_req_error(req, ERR_IPA_GETKEYTAB_FAILED); +} + +static errno_t ipa_getkeytab_recv(struct tevent_req *req, int *child_status) +{ + struct ipa_getkeytab_state *state = + tevent_req_data(req, struct ipa_getkeytab_state); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "ipa-getkeytab status %d\n", state->child_status); + if (child_status) { + *child_status = state->child_status; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static errno_t 
ipa_check_keytab(const char *keytab, + uid_t kt_owner_uid, + gid_t kt_owner_gid) +{ + errno_t ret; + + ret = check_file(keytab, getuid(), getgid(), S_IFREG|0600, 0, NULL, false); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab); + goto done; + } else if (ret != EOK) { + if (kt_owner_uid) { + ret = check_file(keytab, kt_owner_uid, kt_owner_gid, + S_IFREG|0600, 0, NULL, false); + } + + if (ret != EOK) { + if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to check for %s\n", keytab); + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Keytab %s is not present\n", keytab); + } + } + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "keytab %s already exists\n", keytab); + ret = EOK; +done: + return ret; +} + +struct ipa_server_trusted_dom_setup_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct ipa_id_ctx *id_ctx; + struct sss_domain_info *subdom; + + uint32_t direction; + const char *forest; + const char *keytab; + char *new_keytab; + const char *principal; + const char *forest_realm; + const char *ccache; +}; + +static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req); +static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_server_trusted_dom_setup_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *subdom) +{ + struct tevent_req *req = NULL; + struct ipa_server_trusted_dom_setup_state *state = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_server_trusted_dom_setup_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->be_ctx = be_ctx; + state->id_ctx = id_ctx; + state->subdom = subdom; + + /* Trusts are only established with forest roots */ + if (subdom->forest_root == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Subdomain %s has no forest root?\n", subdom->name); + ret = ERR_TRUST_FOREST_UNKNOWN; + goto immediate; + } + + 
state->direction = subdom->forest_root->trust_direction; + state->forest = subdom->forest_root->forest; + state->forest_realm = subdom->forest_root->realm; + state->ccache = talloc_asprintf(state, "%s/ccache_%s", + DB_PATH, subdom->parent->realm); + if (state->ccache == NULL) { + ret = ENOMEM; + goto immediate; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Trust direction of subdom %s from forest %s is: %s\n", + subdom->name, state->forest, + ipa_trust_dir2str(state->direction)); + + /* For both inbound and outbound trusts use a special keytab + * as this allows us to reuse the same logic in FreeIPA for + * both Microsoft AD and Samba AD */ + if (state->direction & LSA_TRUST_DIRECTION_MASK) { + /* Need special keytab */ + ret = ipa_server_trusted_dom_setup_1way(req); + if (ret == EAGAIN) { + /* In progress.. */ + return req; + } else if (ret == EOK) { + /* Keytab available, shortcut */ + ret = EOK; + goto immediate; + } + } else { + /* Even unset is an error at this point */ + DEBUG(SSSDBG_OP_FAILURE, + "Subdomain %s has trust direction %d\n", + subdom->name, subdom->trust_direction); + ret = ERR_TRUST_NOT_SUPPORTED; + } + +immediate: + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not add trusted subdomain %s from forest %s\n", + subdom->name, state->forest); + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ipa_server_trusted_dom_setup_1way(struct tevent_req *req) +{ + errno_t ret; + struct tevent_req *subreq = NULL; + struct ipa_server_trusted_dom_setup_state *state = + tevent_req_data(req, struct ipa_server_trusted_dom_setup_state); + const char *hostname; + + state->keytab = forest_keytab(state, state->forest); + if (state->keytab == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n"); + return EIO; + } + + state->new_keytab = talloc_asprintf(state, "%sXXXXXX", state->keytab); + if (state->new_keytab == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up 
ipa_get_keytab\n"); + return ENOMEM; + } + + ret = sss_unique_filename(state, state->new_keytab); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create temporary keytab name\n"); + return ret; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Will re-fetch keytab for %s\n", state->subdom->name); + + hostname = dp_opt_get_string(state->id_ctx->ipa_options->basic, + IPA_HOSTNAME); + + state->principal = subdomain_trust_princ(state, + state->forest_realm, + state->subdom); + if (state->principal == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set up ipa_get_keytab\n"); + return EIO; + } + + subreq = ipa_getkeytab_send(state->be_ctx, state->be_ctx->ev, + state->ccache, + hostname, + state->principal, + state->new_keytab); + if (subreq == NULL) { + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_server_trust_1way_kt_done, req); + return EAGAIN; +} + +static void ipa_server_trust_1way_kt_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_server_trusted_dom_setup_state *state = + tevent_req_data(req, struct ipa_server_trusted_dom_setup_state); + + ret = ipa_getkeytab_recv(subreq, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + /* Do not fail here, but try to check and use the previous keytab, + * if any */ + DEBUG(SSSDBG_MINOR_FAILURE, "ipa_getkeytab_recv failed: %d\n", ret); + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Keytab successfully retrieved to %s\n", state->new_keytab); + } + + ret = ipa_check_keytab(state->new_keytab, + state->id_ctx->server_mode->kt_owner_uid, + state->id_ctx->server_mode->kt_owner_gid); + if (ret == EOK) { + ret = rename(state->new_keytab, state->keytab); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "rename failed [%d][%s].\n", ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Keytab renamed to %s\n", state->keytab); + } else if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + 
"Trying to recover and use the previous keytab, if available\n"); + ret = ipa_check_keytab(state->keytab, + state->id_ctx->server_mode->kt_owner_uid, + state->id_ctx->server_mode->kt_owner_gid); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "The previous keytab %s contains the expected principal\n", + state->keytab); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot use the old keytab: %d\n", ret); + /* Nothing we can do now */ + tevent_req_error(req, ret); + return; + } + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Keytab %s contains the expected principals\n", state->new_keytab); + + DEBUG(SSSDBG_TRACE_FUNC, + "Established trust context for %s\n", state->subdom->name); + tevent_req_done(req); +} + +errno_t ipa_server_trusted_dom_setup_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +struct ipa_server_create_trusts_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct ipa_id_ctx *id_ctx; + struct sss_domain_info *domiter; +}; + +static errno_t ipa_server_create_trusts_step(struct tevent_req *req); +static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req); +static void ipa_server_create_trusts_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_server_create_trusts_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *parent) +{ + struct tevent_req *req = NULL; + struct ipa_server_create_trusts_state *state = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_server_create_trusts_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->id_ctx = id_ctx; + state->domiter = parent; + + ret = ipa_server_create_trusts_step(req); + if (ret != EAGAIN) { + goto immediate; + } + + return req; + +immediate: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t 
ipa_server_create_trusts_step(struct tevent_req *req) +{ + struct tevent_req *subreq = NULL; + struct ipa_ad_server_ctx *trust_iter; + struct ipa_ad_server_ctx *trust_i; + struct ipa_server_create_trusts_state *state = NULL; + + state = tevent_req_data(req, struct ipa_server_create_trusts_state); + + for (state->domiter = get_next_domain(state->domiter, SSS_GND_DESCEND); + state->domiter && IS_SUBDOMAIN(state->domiter); + state->domiter = get_next_domain(state->domiter, 0)) { + + /* Check if we already have an ID context for this subdomain */ + DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) { + if (trust_iter->dom == state->domiter) { + break; + } + } + + /* Newly detected trust */ + if (trust_iter == NULL) { + subreq = ipa_server_trusted_dom_setup_send(state, + state->ev, + state->be_ctx, + state->id_ctx, + state->domiter); + if (subreq == NULL) { + return ENOMEM; + } + tevent_req_set_callback(subreq, ipa_server_create_trusts_done, req); + return EAGAIN; + } + } + + /* Refresh all sdap_dom lists in all ipa_ad_server_ctx contexts */ + DLIST_FOR_EACH(trust_iter, state->id_ctx->server_mode->trusts) { + struct sdap_domain *sdom_a; + + sdom_a = sdap_domain_get(trust_iter->ad_id_ctx->sdap_id_ctx->opts, + trust_iter->dom); + if (sdom_a == NULL) { + continue; + } + + DLIST_FOR_EACH(trust_i, state->id_ctx->server_mode->trusts) { + struct sdap_domain *sdom_b; + + if (strcmp(trust_iter->dom->name, trust_i->dom->name) == 0) { + continue; + } + + sdom_b = sdap_domain_get(trust_i->ad_id_ctx->sdap_id_ctx->opts, + sdom_a->dom); + if (sdom_b == NULL) { + continue; + } + + /* Replace basedn and search bases from sdom_b with values + * from sdom_a */ + sdap_domain_copy_search_bases(sdom_b, sdom_a); + } + } + + return EOK; +} + +static void ipa_server_create_trusts_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + + ret = ipa_server_trusted_dom_setup_recv(subreq); + 
talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + ret = ipa_server_create_trusts_ctx(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + ret = ipa_server_create_trusts_step(req); + if (ret == EOK) { + tevent_req_done(req); + return; + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + return; + } + + /* Will cycle back */ +} + +static errno_t ipa_server_create_trusts_ctx(struct tevent_req *req) +{ + struct ipa_ad_server_ctx *trust_ctx; + struct ad_id_ctx *ad_id_ctx; + errno_t ret; + struct ipa_server_create_trusts_state *state = NULL; + + state = tevent_req_data(req, struct ipa_server_create_trusts_state); + + ret = ipa_ad_ctx_new(state->be_ctx, state->id_ctx, state->domiter, &ad_id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot create ad_id_ctx for subdomain %s\n", state->domiter->name); + return ret; + } + + trust_ctx = talloc(state->id_ctx->server_mode, struct ipa_ad_server_ctx); + if (trust_ctx == NULL) { + return ENOMEM; + } + trust_ctx->dom = state->domiter; + trust_ctx->ad_id_ctx = ad_id_ctx; + + DLIST_ADD(state->id_ctx->server_mode->trusts, trust_ctx); + return EOK; +} + +errno_t ipa_server_create_trusts_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +void ipa_ad_subdom_remove(struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *subdom) +{ + struct ipa_ad_server_ctx *iter; + struct sdap_domain *sdom; + + if (dp_opt_get_bool(id_ctx->ipa_options->basic, + IPA_SERVER_MODE) == false) { + return; + } + + DLIST_FOR_EACH(iter, id_ctx->server_mode->trusts) { + if (iter->dom == subdom) break; + } + + if (iter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No IPA-AD context for subdomain %s\n", + subdom->name); + return; + } + + sdom = sdap_domain_get(iter->ad_id_ctx->sdap_id_ctx->opts, subdom); + if (sdom == NULL) return; + be_ptask_destroy(&sdom->enum_task); + be_ptask_destroy(&sdom->cleanup_task); + + 
sdap_domain_remove(iter->ad_id_ctx->sdap_id_ctx->opts, subdom); + DLIST_REMOVE(id_ctx->server_mode->trusts, iter); + + /* terminate all requests for this subdomain so we can free it */ + dp_terminate_domain_requests(be_ctx->provider, subdom->name); + talloc_zfree(sdom); +} + +struct ipa_ad_subdom_reinit_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct ipa_id_ctx *id_ctx; + struct sss_domain_info *parent; +}; + +static void create_trusts_at_startup_done(struct tevent_req *req) +{ + errno_t ret; + + ret = ipa_server_create_trusts_recv(req); + talloc_free(req); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "ipa_server_create_trusts_send request failed [%d]: %s\n", + ret, sss_strerror(ret)); + } +} + +static void create_trusts_at_startup(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + struct tevent_req *req; + struct ipa_ad_subdom_reinit_state *state; + + state = talloc_get_type(pvt, struct ipa_ad_subdom_reinit_state); + + req = ipa_server_create_trusts_send(state, state->ev, state->be_ctx, + state->id_ctx, state->parent); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_server_create_trusts_send failed.\n"); + talloc_free(state); + return; + } + + tevent_req_set_callback(req, create_trusts_at_startup_done, state); + return; +} + +static errno_t ipa_ad_subdom_reinit(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx, + struct sss_domain_info *parent) +{ + struct tevent_immediate *imm; + struct ipa_ad_subdom_reinit_state *state; + + state = talloc(mem_ctx, struct ipa_ad_subdom_reinit_state); + if (state == NULL) { + return ENOMEM; + } + state->ev = ev; + state->be_ctx = be_ctx; + state->id_ctx = id_ctx; + state->parent = parent; + + if (dp_opt_get_bool(id_ctx->ipa_options->basic, + IPA_SERVER_MODE) == false) { + return EOK; + } + + imm = tevent_create_immediate(mem_ctx); + if (imm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_create_immediate failed.\n"); + 
talloc_free(state); + return ENOMEM; + } + + tevent_schedule_immediate(imm, ev, create_trusts_at_startup, state); + return EOK; +} + +int ipa_ad_subdom_init(struct be_ctx *be_ctx, + struct ipa_id_ctx *id_ctx) +{ + char *realm; + char *hostname; + errno_t ret; + + if (dp_opt_get_bool(id_ctx->ipa_options->basic, + IPA_SERVER_MODE) == false) { + return EOK; + } + + /* The IPA code relies on the default FQDN format to unparse user + * names. Warn loudly if the full_name_format was customized on the + * IPA server + */ + if ((strcmp(be_ctx->domain->names->fq_fmt, + CONFDB_DEFAULT_FULL_NAME_FORMAT) != 0) + && (strcmp(be_ctx->domain->names->fq_fmt, + CONFDB_DEFAULT_FULL_NAME_FORMAT_INTERNAL) != 0)) { + DEBUG(SSSDBG_FATAL_FAILURE, "%s is set to a non-default value [%s] " \ + "lookups of subdomain users will likely fail!\n", + CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt); + sss_log(SSS_LOG_ERR, "%s is set to a non-default value [%s] " \ + "lookups of subdomain users will likely fail!\n", + CONFDB_FULL_NAME_FORMAT, be_ctx->domain->names->fq_fmt); + /* Attempt to continue */ + } + + realm = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No Kerberos realm for IPA?\n"); + return EINVAL; + } + + hostname = dp_opt_get_string(id_ctx->ipa_options->basic, IPA_HOSTNAME); + if (hostname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No host name for IPA?\n"); + return EINVAL; + } + + id_ctx->server_mode = talloc_zero(id_ctx, struct ipa_server_mode_ctx); + if (id_ctx->server_mode == NULL) { + return ENOMEM; + } + id_ctx->server_mode->realm = realm; + id_ctx->server_mode->hostname = hostname; + id_ctx->server_mode->trusts = NULL; + id_ctx->server_mode->ext_groups = NULL; + id_ctx->server_mode->kt_owner_uid = 0; + id_ctx->server_mode->kt_owner_gid = 0; + + if (getuid() == 0) { + /* We need to handle keytabs created by IPA oddjob script gracefully + * even if we're running as root and IPA creates them as the SSSD 
user + */ + ret = sss_user_by_name_or_uid(SSSD_USER, + &id_ctx->server_mode->kt_owner_uid, + &id_ctx->server_mode->kt_owner_gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get ID of %s\n", SSSD_USER); + } + } + + ret = ipa_ad_subdom_reinit(be_ctx, be_ctx->ev, + be_ctx, id_ctx, be_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_ad_subdom_refresh failed.\n"); + return ret; + } + + return EOK; +} diff --git a/src/providers/ipa/ipa_subdomains_utils.c b/src/providers/ipa/ipa_subdomains_utils.c new file mode 100644 index 0000000..27fc0a4 --- /dev/null +++ b/src/providers/ipa/ipa_subdomains_utils.c 
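Review bot: In `ipa_getkeytab_exec` the temporary keytab name is freed again by `unlink(keytab_path)` before ipa-getkeytab is executed, so nothing reserves that path between the unlink and the helper creating the file; the comment there implies `sss_unique_filename` had created it as an empty file. The later `ipa_check_keytab` call checks only owner and mode (`S_IFREG|0600`), so this step is safe only if the trust keytab directory is writable by the SSSD service identity alone, which the hunk does not show. I would state that assumption next to the unlink, e.g. `/* name is reused after unlink(): IPA_TRUST_KEYTAB_DIR must not be writable by any other user */`, and correct the failure message to `"Failed to unlink the temporary keytab [%d][%s]\n"`, since it currently says ccname. For the same reason the log lines in `ipa_server_trust_1way_kt_done` should not say the keytab "contains the expected principal": no principal is read there, and the final message prints `state->new_keytab` even after the rename or after falling back to the old file.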
@@ -0,0 +1,100 @@ +/* + SSSD + + IPA Subdomains Module - utilities + + Authors: + Sumit Bose + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ipa/ipa_subdomains.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_id.h" + +struct ldb_dn *ipa_subdom_ldb_dn(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb_ctx, + struct sysdb_attrs *attrs) +{ + int ret; + const char *orig_dn; + struct ldb_dn *dn = NULL; + + if (attrs == NULL || ldb_ctx == NULL) { + return NULL; + } + + ret = sysdb_attrs_get_string(attrs, SYSDB_ORIG_DN, &orig_dn); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_string failed: %d\n", ret); + return NULL; + } + + dn = ldb_dn_new(mem_ctx, ldb_ctx, orig_dn); + if (dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new failed.\n"); + return NULL; + } + + if (!ldb_dn_validate(dn)) { + DEBUG(SSSDBG_OP_FAILURE, "Original DN [%s] is not a valid DN.\n", + orig_dn); + talloc_free(dn); + return NULL; + } + + return dn; +} + +bool ipa_subdom_is_member_dom(struct ldb_dn *dn) +{ + const struct ldb_val *val; + + if (dn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Wrong input!\n"); + return false; + } + + if (ldb_dn_get_comp_num(dn) < 5) { + /* We are only interested in the member domain objects. In IPA the + * forest root object is stored as e.g. + * cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com. 
Member domains in the + * forest are children of the forest root object e.g. + * cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com. Since + * the forest name is not stored in the member objects we derive it + * from the RDN of the forest root object. */ + DEBUG(SSSDBG_TRACE_FUNC, + "DN too short, not a member domain\n"); + return false; + } + + val = ldb_dn_get_component_val(dn, 3); + if (strncasecmp("trusts", (const char *) val->data, val->length) != 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "4th component is not 'trust', not a member domain\n"); + return false; + } + + val = ldb_dn_get_component_val(dn, 2); + if (strncasecmp("ad", (const char *) val->data, val->length) != 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "3rd component is not 'ad', not a member domain\n"); + return false; + } + + return true; +} diff --git a/src/providers/ipa/ipa_sudo.c b/src/providers/ipa/ipa_sudo.c new file mode 100644 index 0000000..f2c9112 --- /dev/null +++ b/src/providers/ipa/ipa_sudo.c 
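Review bot: Both `strncasecmp` calls in `ipa_subdom_is_member_dom` bound the comparison by `val->length` only, so a component value that is empty or a shorter prefix of "trusts" or "ad" compares equal and the DN is accepted as a member domain. Compare the length as well, e.g. `if (val->length != strlen("trusts") || strncasecmp("trusts", (const char *) val->data, val->length) != 0) {`, and the same for "ad". The result of `ldb_dn_get_component_val` is dereferenced without a NULL check; the component-count guard above probably makes that unreachable, but `if (val == NULL) return false;` would make it explicit. The first debug message also says 'trust' where the code tests for "trusts".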
@@ -0,0 +1,322 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ipa/ipa_opts.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ldap/sdap_sudo.h"
+#include "providers/ipa/ipa_sudo.h"
+#include "db/sysdb_sudo.h"
+
+struct ipa_sudo_handler_state {
+ uint32_t type;
+ struct dp_reply_std reply;
+};
+
+static void ipa_sudo_handler_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+ipa_sudo_handler_send(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_ctx *sudo_ctx,
+ struct dp_sudo_data *data,
+ struct dp_req_params *params)
+{
+ struct ipa_sudo_handler_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_sudo_handler_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->type = data->type;
+
+ switch (data->type) {
+ case BE_REQ_SUDO_FULL:
+ DEBUG(SSSDBG_TRACE_FUNC, "Issuing a full refresh of sudo rules\n");
+ subreq = ipa_sudo_full_refresh_send(state, params->ev, sudo_ctx);
+ break;
+ case BE_REQ_SUDO_RULES:
+ DEBUG(SSSDBG_TRACE_FUNC, "Issuing a refresh of specific sudo rules\n");
+ subreq = ipa_sudo_rules_refresh_send(state, params->ev, sudo_ctx,
+ data->rules);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request type: %d\n", data->type);
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request: %d\n", data->type);
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, ipa_sudo_handler_done, req);
+
+ return req;
+
+immediately:
+ dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+
+ return req;
+}
+
+static void ipa_sudo_handler_done(struct tevent_req *subreq)
+{
+ struct ipa_sudo_handler_state *state;
+ struct tevent_req *req;
+ int dp_error;
+ bool deleted;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_sudo_handler_state);
+
+ switch (state->type) {
+ case BE_REQ_SUDO_FULL:
+ ret = ipa_sudo_full_refresh_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+ break;
+ case BE_REQ_SUDO_RULES:
+ ret = ipa_sudo_rules_refresh_recv(subreq, &dp_error, &deleted);
+ talloc_zfree(subreq);
+ if (ret == EOK && deleted == true) {
+ ret = ENOENT;
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request type: %d\n", state->type);
+ dp_error = DP_ERR_FATAL;
+ ret = ERR_INTERNAL;
+ break;
+ }
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ dp_reply_std_set(&state->reply, dp_error, ret, NULL);
+ tevent_req_done(req);
+}
+
+static errno_t
+ipa_sudo_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data)
+{
+ struct ipa_sudo_handler_state *state = NULL;
+
+ state = tevent_req_data(req, struct ipa_sudo_handler_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *data = state->reply;
+
+ return EOK;
+}
+
+enum sudo_schema {
+ SUDO_SCHEMA_IPA,
+ SUDO_SCHEMA_LDAP
+};
+
+static errno_t
+ipa_sudo_choose_schema(struct dp_option *ipa_opts,
+ struct dp_option *sdap_opts,
+ enum sudo_schema *_schema)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *ipa_search_base;
+ char *search_base;
+ char *basedn;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ ret = domain_to_basedn(tmp_ctx, dp_opt_get_string(ipa_opts,
+ IPA_KRB5_REALM), &basedn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain basedn\n");
+ goto done;
+ }
+
+ ipa_search_base = talloc_asprintf(tmp_ctx, "cn=sudo,%s", basedn);
+ if (ipa_search_base == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ search_base = dp_opt_get_string(sdap_opts, SDAP_SUDO_SEARCH_BASE);
+ if (search_base == NULL) {
+ ret = dp_opt_set_string(sdap_opts, SDAP_SUDO_SEARCH_BASE,
+ ipa_search_base);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
+ sdap_opts[SDAP_SUDO_SEARCH_BASE].opt_name, ipa_search_base);
+
+ search_base = ipa_search_base;
+ }
+
+ /* Use IPA schema only if search base is cn=sudo,$dc. */
+ if (strcmp(ipa_search_base, search_base) == 0) {
+ *_schema = SUDO_SCHEMA_IPA;
+ } else {
+ *_schema = SUDO_SCHEMA_LDAP;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int
+ipa_sudo_init_ipa_schema(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ struct ipa_sudo_ctx *sudo_ctx;
+ errno_t ret;
+
+ sudo_ctx = talloc_zero(be_ctx, struct ipa_sudo_ctx);
+ if (sudo_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ sudo_ctx->id_ctx = id_ctx->sdap_id_ctx;
+ sudo_ctx->ipa_opts = id_ctx->ipa_options;
+ sudo_ctx->sdap_opts = id_ctx->sdap_id_ctx->opts;
+
+ ret = sdap_get_map(sudo_ctx, be_ctx->cdb, be_ctx->conf_path,
+ ipa_sudorule_map, IPA_OPTS_SUDORULE,
+ &sudo_ctx->sudorule_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_get_map(sudo_ctx, be_ctx->cdb, be_ctx->conf_path,
+ ipa_sudocmdgroup_map, IPA_OPTS_SUDOCMDGROUP,
+ &sudo_ctx->sudocmdgroup_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_get_map(sudo_ctx, be_ctx->cdb, be_ctx->conf_path,
+ ipa_sudocmd_map, IPA_OPTS_SUDOCMD,
+ &sudo_ctx->sudocmd_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse attribute map "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = confdb_get_int(be_ctx->cdb, CONFDB_SUDO_CONF_ENTRY,
+ CONFDB_SUDO_THRESHOLD, CONFDB_DEFAULT_SUDO_THRESHOLD,
+ &sudo_ctx->sudocmd_threshold);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not parse sudo search base\n");
+ return ret;
+ }
+
+ ret = sdap_parse_search_base(sudo_ctx, sudo_ctx->sdap_opts->basic,
+ SDAP_SUDO_SEARCH_BASE,
+ &sudo_ctx->sudo_sb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not parse sudo search base\n");
+ return ret;
+ }
+
+ ret = ipa_sudo_ptask_setup(be_ctx, sudo_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup periodic tasks "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ dp_set_method(dp_methods, DPM_SUDO_HANDLER,
+ ipa_sudo_handler_send, ipa_sudo_handler_recv, sudo_ctx,
+ struct ipa_sudo_ctx, struct dp_sudo_data, struct dp_reply_std);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(sudo_ctx);
+ }
+
+ return ret;
+}
+
+int ipa_sudo_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct ipa_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ enum sudo_schema schema;
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing IPA sudo back end\n");
+
+ ret = ipa_sudo_choose_schema(id_ctx->ipa_options->basic,
+ id_ctx->ipa_options->id->basic,
+ &schema);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to choose sudo schema [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ switch (schema) {
+ case SUDO_SCHEMA_IPA:
+ DEBUG(SSSDBG_TRACE_FUNC, "Using IPA schema for sudo\n");
+ ret = ipa_sudo_init_ipa_schema(mem_ctx, be_ctx, id_ctx, dp_methods);
+ break;
+ case SUDO_SCHEMA_LDAP:
+ DEBUG(SSSDBG_TRACE_FUNC, "Using LDAP schema for sudo\n");
+ ret = sdap_sudo_init(mem_ctx, be_ctx, id_ctx->sdap_id_ctx, dp_methods);
+ break;
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize sudo provider"
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_sudo.h b/src/providers/ipa/ipa_sudo.h
new file mode 100644
index 0000000..5fc2b9a
--- /dev/null
+++ b/src/providers/ipa/ipa_sudo.h
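Review bot: In `ipa_sudo_init_ipa_schema` the failure branches after `confdb_get_int` and `sdap_parse_search_base` use `return ret;`, which bypasses the `done:` label where `sudo_ctx` is freed on error. Since `sudo_ctx` is allocated on `be_ctx`, a failed init leaves it attached to the back end. Both branches should use `goto done;` like the others. The `confdb_get_int` branch also logs "Could not parse sudo search base", copied from the following check; `DEBUG(SSSDBG_OP_FAILURE, "Could not read sudo threshold [%d]: %s\n", ret, sss_strerror(ret));` would make a bad threshold setting diagnosable. In `ipa_sudo_init` the final message concatenates `"Unable to initialize sudo provider"` and `"[%d]: %s\n"` without a separating space.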
@@ -0,0 +1,131 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _IPA_SUDO_H_
+#define _IPA_SUDO_H_
+
+#include "providers/ipa/ipa_common.h"
+
+struct ipa_sudo_ctx {
+ struct sdap_id_ctx *id_ctx;
+ struct ipa_options *ipa_opts;
+ struct sdap_options *sdap_opts;
+
+ /* sudo */
+ struct sdap_attr_map *sudocmdgroup_map;
+ struct sdap_attr_map *sudorule_map;
+ struct sdap_attr_map *sudocmd_map;
+ struct sdap_search_base **sudo_sb;
+ int sudocmd_threshold;
+};
+
+errno_t
+ipa_sudo_ptask_setup(struct be_ctx *be_ctx, struct ipa_sudo_ctx *sudo_ctx);
+
+struct tevent_req *
+ipa_sudo_full_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_sudo_ctx *sudo_ctx);
+
+int
+ipa_sudo_full_refresh_recv(struct tevent_req *req,
+ int *dp_error);
+
+int
+ipa_sudo_rules_refresh_recv(struct tevent_req *req,
+ int *dp_error,
+ bool *deleted);
+
+struct tevent_req *
+ipa_sudo_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_sudo_ctx *sudo_ctx,
+ const char *cmdgroups_filter,
+ const char *search_filter,
+ const char *delete_filter);
+
+struct tevent_req *
+ipa_sudo_rules_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_sudo_ctx *sudo_ctx,
+ char **rules);
+
+errno_t
+ipa_sudo_refresh_recv(struct tevent_req *req,
+ int *dp_error,
+ size_t *_num_rules);
+
+struct ipa_sudo_conv;
+
+struct ipa_sudo_conv *
+ipa_sudo_conv_init(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ struct sdap_attr_map *map_rule,
+ struct sdap_attr_map *map_cmdgroup,
+ struct sdap_attr_map *map_cmd,
+ struct sdap_attr_map *map_user,
+ struct sdap_attr_map *map_group,
+ struct sdap_attr_map *map_host,
+ struct sdap_attr_map *map_hostgroup);
+
+errno_t
+ipa_sudo_conv_rules(struct ipa_sudo_conv *conv,
+ struct sysdb_attrs **rules,
+ size_t num_rules);
+
+errno_t
+ipa_sudo_conv_cmdgroups(struct ipa_sudo_conv *conv,
+ struct sysdb_attrs **cmdgroups,
+ size_t num_cmdgroups);
+
+errno_t
+ipa_sudo_conv_cmds(struct ipa_sudo_conv *conv,
+ struct sysdb_attrs **cmds,
+ size_t num_cmds);
+
+bool
+ipa_sudo_conv_has_cmdgroups(struct ipa_sudo_conv *conv);
+
+bool
+ipa_sudo_conv_has_cmds(struct ipa_sudo_conv *conv);
+
+bool
+ipa_sudo_cmdgroups_exceed_threshold(struct ipa_sudo_conv *conv, int threshold);
+
+bool
+ipa_sudo_cmds_exceed_threshold(struct ipa_sudo_conv *conv, int threshold);
+
+char *
+ipa_sudo_conv_cmdgroup_filter(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ int cmd_threshold);
+
+char *
+ipa_sudo_conv_cmd_filter(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ int cmd_threshold);
+
+errno_t
+ipa_sudo_conv_result(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ struct sysdb_attrs ***_rules,
+ size_t *_num_rules);
+
+#endif /* _IPA_SUDO_H_ */
diff --git a/src/providers/ipa/ipa_sudo_async.c b/src/providers/ipa/ipa_sudo_async.c
new file mode 100644
index 0000000..9b36df5
--- /dev/null
+++ b/src/providers/ipa/ipa_sudo_async.c
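Review bot: The declaration of `ipa_sudo_refresh_send` states no contract for `cmdgroups_filter`, `search_filter` and `delete_filter`, although the visible part of ipa_sudo_async.c copies the first two verbatim into LDAP filters (for example `"(&(objectClass=%s)%s)"`). Callers therefore have to pass NULL or a complete, already-sanitized filter fragment, and the header should say so. I would add above the prototype: `/* Filter arguments are inserted verbatim into LDAP/sysdb filters: pass NULL or a well-formed fragment whose values went through sss_filter_sanitize(). */`. How `delete_filter` is consumed is not visible here, so that part of the comment should be confirmed against its user. As a style point, the include guard `_IPA_SUDO_H_` begins with an underscore followed by an upper-case letter, which C reserves for the implementation; `IPA_SUDO_H_` avoids that.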
@@ -0,0 +1,1137 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "providers/ldap/sdap_ops.h" +#include "providers/ldap/sdap_sudo_shared.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_hosts.h" +#include "providers/ipa/ipa_sudo.h" +#include "providers/ipa/ipa_dn.h" +#include "db/sysdb.h" +#include "db/sysdb_sudo.h" + +struct ipa_hostinfo { + size_t num_hosts; + size_t num_hostgroups; + struct sysdb_attrs **hosts; + struct sysdb_attrs **hostgroups; +}; + +static char * +ipa_sudo_filter_append_origdn(char *filter, + struct sysdb_attrs *attrs, + const char *attr_name) +{ + const char *origdn; + char *sanitizeddn; + errno_t ret; + + ret = sysdb_attrs_get_string(attrs, SYSDB_ORIG_DN, &origdn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get original DN " + "[%d]: %s\n", ret, sss_strerror(ret)); + return NULL; + } + + ret = sss_filter_sanitize(NULL, origdn, &sanitizeddn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to sanitize DN " + "[%d]: %s\n", ret, sss_strerror(ret)); + return NULL; + } + + filter = talloc_asprintf_append(filter, "(%s=%s)", attr_name, sanitizeddn); + talloc_free(sanitizeddn); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append() failed\n"); + } + + return filter; +} + +/** + * 
(|(hostCategory=ALL)(memberHost=$DN(fqdn))(memberHost=$DN(hostgroup))...) + */ +static char * +ipa_sudo_host_filter(TALLOC_CTX *mem_ctx, + struct ipa_hostinfo *host, + struct sdap_attr_map *map) +{ + TALLOC_CTX *tmp_ctx; + char *filter; + size_t i; + + /* If realloc fails we will free all data through tmp_ctx. */ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + filter = talloc_asprintf(tmp_ctx, "(!(%s=*))", + map[IPA_AT_SUDORULE_HOST].name); + if (filter == NULL) { + goto fail; + } + + /* Append hostCategory=ALL */ + filter = talloc_asprintf_append(filter, "(%s=ALL)", + map[IPA_AT_SUDORULE_HOSTCATEGORY].name); + if (filter == NULL) { + goto fail; + } + + /* Append client machine */ + for (i = 0; i < host->num_hosts; i++) { + filter = ipa_sudo_filter_append_origdn(filter, host->hosts[i], + map[IPA_AT_SUDORULE_HOST].name); + if (filter == NULL) { + goto fail; + } + } + + /* Append hostgroups */ + for (i = 0; i < host->num_hostgroups; i++) { + filter = ipa_sudo_filter_append_origdn(filter, host->hostgroups[i], + map[IPA_AT_SUDORULE_HOST].name); + if (filter == NULL) { + goto fail; + } + } + + /* OR filters */ + filter = talloc_asprintf(tmp_ctx, "(|%s)", filter); + if (filter == NULL) { + goto fail; + } + + talloc_steal(mem_ctx, filter); + talloc_free(tmp_ctx); + return filter; + +fail: + talloc_free(tmp_ctx); + return NULL; +} + +static errno_t +ipa_sudo_highest_usn(TALLOC_CTX *mem_ctx, + struct sysdb_attrs **attrs, + size_t num_attrs, + char **current_usn) +{ + errno_t ret; + char *usn; + + ret = sysdb_get_highest_usn(mem_ctx, attrs, num_attrs, &usn); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + if (sysdb_compare_usn(usn, *current_usn) > 0) { + talloc_free(*current_usn); + *current_usn = usn; + return EOK; + } + + talloc_free(usn); + return EOK; +} + +static errno_t +ipa_sudo_assoc_rules_filter(TALLOC_CTX *mem_ctx, + struct sysdb_attrs 
**cmdgroups, + size_t num_cmdgroups, + char **_filter) +{ + TALLOC_CTX *tmp_ctx; + const char *origdn; + char *sanitized; + char *filter; + errno_t ret; + size_t i; + + if (num_cmdgroups == 0) { + return ENOENT; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + filter = talloc_strdup(tmp_ctx, ""); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num_cmdgroups; i++) { + ret = sysdb_attrs_get_string(cmdgroups[i], SYSDB_ORIG_DN, &origdn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get original dn [%d]: %s\n", + ret, sss_strerror(ret)); + ret = ERR_INTERNAL; + goto done; + } + + ret = sss_filter_sanitize(tmp_ctx, origdn, &sanitized); + if (ret != EOK) { + goto done; + } + + filter = talloc_asprintf_append(filter, "(%s=%s)", + SYSDB_IPA_SUDORULE_ORIGCMD, sanitized); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + } + + filter = talloc_asprintf(tmp_ctx, "(&(objectClass=%s)(|%s)))", + SYSDB_SUDO_CACHE_OC, filter); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + *_filter = talloc_steal(mem_ctx, filter); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_sudo_assoc_rules(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sysdb_attrs **cmdgroups, + size_t num_cmdgroups, + struct sysdb_attrs ***_rules, + size_t *_num_rules) +{ + TALLOC_CTX *tmp_ctx; + const char *attrs[] = {SYSDB_NAME, NULL}; + struct sysdb_attrs **rules; + struct ldb_message **msgs; + size_t num_rules; + char *filter; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = ipa_sudo_assoc_rules_filter(tmp_ctx, cmdgroups, + num_cmdgroups, &filter); + if (ret != EOK) { + goto done; + } + + ret = sysdb_search_custom(tmp_ctx, domain, filter, + SUDORULE_SUBDIR, attrs, + &num_rules, &msgs); + if (ret == ENOENT) { + *_rules = NULL; + *_num_rules = 0; + ret = EOK; + goto done; + } else if (ret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up sudo rules [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_msg2attrs(tmp_ctx, num_rules, msgs, &rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not convert ldb message to " + "sysdb_attrs [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + *_rules = talloc_steal(mem_ctx, rules); + *_num_rules = num_rules; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +ipa_sudo_filter_rules_bycmdgroups(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sysdb_attrs **cmdgroups, + size_t num_cmdgroups, + struct sdap_attr_map *map_rule, + char **_filter) +{ + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs **rules; + size_t num_rules; + const char *name; + char *sanitized; + char *filter; + errno_t ret; + size_t i; + + if (num_cmdgroups == 0) { + *_filter = NULL; + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = ipa_sudo_assoc_rules(tmp_ctx, domain, cmdgroups, num_cmdgroups, + &rules, &num_rules); + if (ret != EOK) { + goto done; + } + + if (num_rules == 0) { + *_filter = NULL; + ret = EOK; + goto done; + } + + filter = talloc_strdup(tmp_ctx, ""); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num_rules; i++) { + ret = sysdb_attrs_get_string(rules[i], SYSDB_NAME, &name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get name [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sss_filter_sanitize(tmp_ctx, name, &sanitized); + if (ret != EOK) { + goto done; + } + + filter = talloc_asprintf_append(filter, "(%s=%s)", + map_rule[IPA_AT_SUDORULE_NAME].name, sanitized); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + } + + filter = talloc_asprintf(tmp_ctx, "(|%s)", filter); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + *_filter = talloc_steal(mem_ctx, filter); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +struct 
ipa_sudo_fetch_state { + struct tevent_context *ev; + struct sss_domain_info *domain; + struct ipa_sudo_ctx *sudo_ctx; + struct sdap_options *sdap_opts; + struct ipa_hostinfo *host; + struct sdap_handle *sh; + const char *search_filter; + const char *cmdgroups_filter; + + struct sdap_attr_map *map_cmdgroup; + struct sdap_attr_map *map_rule; + struct sdap_attr_map *map_cmd; + struct sdap_search_base **sudo_sb; + + struct ipa_sudo_conv *conv; + struct sysdb_attrs **rules; + size_t num_rules; + int cmd_threshold; + char *usn; +}; + +static errno_t ipa_sudo_fetch_addtl_cmdgroups(struct tevent_req *req); +static void ipa_sudo_fetch_addtl_cmdgroups_done(struct tevent_req *subreq); +static errno_t ipa_sudo_fetch_rules(struct tevent_req *req); +static void ipa_sudo_fetch_rules_done(struct tevent_req *subreq); +static errno_t ipa_sudo_fetch_cmdgroups(struct tevent_req *req); +static void ipa_sudo_fetch_cmdgroups_done(struct tevent_req *subreq); +static errno_t ipa_sudo_fetch_cmds(struct tevent_req *req); +static void ipa_sudo_fetch_cmds_done(struct tevent_req *subreq); +static void ipa_sudo_fetch_done(struct tevent_req *req); + +static struct tevent_req * +ipa_sudo_fetch_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sss_domain_info *domain, + struct ipa_sudo_ctx *sudo_ctx, + struct ipa_hostinfo *host, + struct sdap_attr_map *map_user, + struct sdap_attr_map *map_group, + struct sdap_attr_map *map_host, + struct sdap_attr_map *map_hostgroup, + struct sdap_handle *sh, + const char *cmdgroups_filter, + const char *search_filter) +{ + struct ipa_sudo_fetch_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_sudo_fetch_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->domain = domain; + state->sudo_ctx = sudo_ctx; + state->sdap_opts = sudo_ctx->sdap_opts; + state->host = host; + state->sh = sh; + 
state->search_filter = search_filter == NULL ? "" : search_filter; + state->cmdgroups_filter = cmdgroups_filter; + + state->map_cmdgroup = sudo_ctx->sudocmdgroup_map; + state->map_rule = sudo_ctx->sudorule_map; + state->map_cmd = sudo_ctx->sudocmd_map; + state->sudo_sb = sudo_ctx->sudo_sb; + state->cmd_threshold = sudo_ctx->sudocmd_threshold; + + state->conv = ipa_sudo_conv_init(state, domain, state->map_rule, + state->map_cmdgroup, state->map_cmd, + map_user, map_group, map_host, + map_hostgroup); + if (state->conv == NULL) { + ret = ENOMEM; + goto immediately; + } + + if (state->cmdgroups_filter != NULL) { + /* We need to fetch additional cmdgroups that may not be revealed + * during normal search. Such as when using entryUSN filter in smart + * refresh, some command groups may have change but none rule was + * modified but we need to fetch associated rules anyway. */ + ret = ipa_sudo_fetch_addtl_cmdgroups(req); + } else { + ret = ipa_sudo_fetch_rules(req); + } + if (ret != EAGAIN) { + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, state->ev); + + return req; +} + +static errno_t +ipa_sudo_fetch_addtl_cmdgroups(struct tevent_req *req) +{ + struct ipa_sudo_fetch_state *state; + struct tevent_req *subreq; + struct sdap_attr_map *map; + char *filter; + + DEBUG(SSSDBG_TRACE_FUNC, "About to fetch additional command groups\n"); + + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + map = state->map_cmdgroup; + + filter = talloc_asprintf(state, "(&(objectClass=%s)%s)", + map[IPA_OC_SUDOCMDGROUP].name, + state->cmdgroups_filter); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build filter\n"); + return ENOMEM; + } + + subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts, + state->sh, state->sudo_sb, map, true, 0, + filter, NULL); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, 
ipa_sudo_fetch_addtl_cmdgroups_done, req); + return EAGAIN; +} + +static void +ipa_sudo_fetch_addtl_cmdgroups_done(struct tevent_req *subreq) +{ + struct ipa_sudo_fetch_state *state = NULL; + struct tevent_req *req = NULL; + struct sysdb_attrs **attrs; + size_t num_attrs; + char *filter; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + ret = sdap_search_bases_recv(subreq, state, &num_attrs, &attrs); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu additional command groups\n", + num_attrs); + + ret = ipa_sudo_filter_rules_bycmdgroups(state, state->domain, attrs, + num_attrs, state->map_rule, + &filter); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to construct rules filter " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + state->search_filter = sdap_or_filters(state, state->search_filter, filter); + if (state->search_filter == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ipa_sudo_fetch_rules(req); + +done: + if (ret == EOK) { + ipa_sudo_fetch_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static errno_t +ipa_sudo_fetch_rules(struct tevent_req *req) +{ + struct ipa_sudo_fetch_state *state; + struct tevent_req *subreq; + struct sdap_attr_map *map; + char *host_filter; + char *filter; + + DEBUG(SSSDBG_TRACE_FUNC, "About to fetch sudo rules\n"); + + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + map = state->map_rule; + + host_filter = ipa_sudo_host_filter(state, state->host, map); + if (host_filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build host filter\n"); + return ENOMEM; + } + + filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=TRUE)%s%s)", + map[IPA_OC_SUDORULE].name, + map[IPA_AT_SUDORULE_ENABLED].name, + host_filter, state->search_filter); + talloc_zfree(host_filter); + if (filter == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build filter\n"); + return ENOMEM; + } + + subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts, + state->sh, state->sudo_sb, map, true, 0, + filter, NULL); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_sudo_fetch_rules_done, req); + return EAGAIN; +} + +static void +ipa_sudo_fetch_rules_done(struct tevent_req *subreq) +{ + struct ipa_sudo_fetch_state *state = NULL; + struct tevent_req *req = NULL; + struct sysdb_attrs **attrs; + size_t num_attrs; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + ret = sdap_search_bases_recv(subreq, state, &num_attrs, &attrs); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo rules\n", num_attrs); + + ret = ipa_sudo_conv_rules(state->conv, attrs, num_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed when converting rules " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = ipa_sudo_highest_usn(state, attrs, num_attrs, &state->usn); + if (ret != EOK) { + goto done; + } + + ret = ipa_sudo_fetch_cmdgroups(req); + +done: + if (ret == EOK) { + ipa_sudo_fetch_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static errno_t +ipa_sudo_fetch_cmdgroups(struct tevent_req *req) +{ + struct ipa_sudo_fetch_state *state; + struct tevent_req *subreq; + char *filter; + + DEBUG(SSSDBG_TRACE_FUNC, "About to fetch sudo command groups\n"); + + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + if (ipa_sudo_conv_has_cmdgroups(state->conv)) { + DEBUG(SSSDBG_TRACE_FUNC, "No command groups needs to be downloaded\n"); + return ipa_sudo_fetch_cmds(req); + } + + filter = ipa_sudo_conv_cmdgroup_filter(state, state->conv, + state->cmd_threshold); + + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build filter\n"); + 
return ENOMEM; + } + + subreq = sdap_search_bases_send(state, state->ev, state->sdap_opts, + state->sh, state->sudo_sb, + state->map_cmdgroup, true, 0, + filter, NULL); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_sudo_fetch_cmdgroups_done, req); + return EAGAIN; +} + +static void +ipa_sudo_fetch_cmdgroups_done(struct tevent_req *subreq) +{ + struct ipa_sudo_fetch_state *state = NULL; + struct tevent_req *req = NULL; + struct sysdb_attrs **attrs; + size_t num_attrs; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + ret = sdap_search_bases_recv(subreq, state, &num_attrs, &attrs); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo command groups\n", + num_attrs); + + ret = ipa_sudo_conv_cmdgroups(state->conv, attrs, num_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed when converting command groups " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = ipa_sudo_highest_usn(state, attrs, num_attrs, &state->usn); + if (ret != EOK) { + goto done; + } + + ret = ipa_sudo_fetch_cmds(req); + +done: + if (ret == EOK) { + ipa_sudo_fetch_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static errno_t +ipa_sudo_fetch_cmds(struct tevent_req *req) +{ + struct ipa_sudo_fetch_state *state; + struct tevent_req *subreq; + char *filter; + + DEBUG(SSSDBG_TRACE_FUNC, "About to fetch sudo commands\n"); + + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + if (ipa_sudo_conv_has_cmds(state->conv)) { + DEBUG(SSSDBG_TRACE_FUNC, "No commands needs to be downloaded\n"); + return EOK; + } + + filter = ipa_sudo_conv_cmd_filter(state, state->conv, state->cmd_threshold); + + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build filter\n"); + return ENOMEM; + } + + subreq = sdap_search_bases_send(state, 
state->ev, state->sdap_opts, + state->sh, state->sudo_sb, + state->map_cmd, true, 0, + filter, NULL); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ipa_sudo_fetch_cmds_done, req); + return EAGAIN; +} + +static void +ipa_sudo_fetch_cmds_done(struct tevent_req *subreq) +{ + struct ipa_sudo_fetch_state *state = NULL; + struct tevent_req *req = NULL; + struct sysdb_attrs **attrs; + size_t num_attrs; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + ret = sdap_search_bases_recv(subreq, state, &num_attrs, &attrs); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo commands\n", num_attrs); + + ret = ipa_sudo_conv_cmds(state->conv, attrs, num_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed when converting commands " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + +done: + if (ret == EOK) { + ipa_sudo_fetch_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static void +ipa_sudo_fetch_done(struct tevent_req *req) +{ + struct ipa_sudo_fetch_state *state = NULL; + errno_t ret; + + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + DEBUG(SSSDBG_TRACE_FUNC, "About to convert rules\n"); + + ret = ipa_sudo_conv_result(state, state->conv, + &state->rules, &state->num_rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert rules [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t +ipa_sudo_fetch_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sysdb_attrs ***_rules, + size_t *_num_rules, + char **_usn) +{ + struct ipa_sudo_fetch_state *state = NULL; + state = tevent_req_data(req, struct ipa_sudo_fetch_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); 
+
+ *_rules = talloc_steal(mem_ctx, state->rules);
+ *_num_rules = state->num_rules;
+ *_usn = talloc_steal(mem_ctx, state->usn);
+
+ return EOK;
+}
+
+
+struct ipa_sudo_refresh_state {
+ struct tevent_context *ev;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+ struct ipa_sudo_ctx *sudo_ctx;
+ struct ipa_options *ipa_opts;
+ struct sdap_options *sdap_opts;
+ const char *cmdgroups_filter;
+ const char *search_filter;
+ const char *delete_filter;
+
+ struct sdap_id_op *sdap_op;
+ struct sdap_handle *sh;
+ int dp_error;
+
+ struct sysdb_attrs **rules;
+ size_t num_rules;
+};
+
+static errno_t ipa_sudo_refresh_retry(struct tevent_req *req);
+static void ipa_sudo_refresh_connect_done(struct tevent_req *subreq);
+static void ipa_sudo_refresh_host_done(struct tevent_req *subreq);
+static void ipa_sudo_refresh_done(struct tevent_req *subreq);
+
+struct tevent_req *
+ipa_sudo_refresh_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ipa_sudo_ctx *sudo_ctx,
+ const char *cmdgroups_filter,
+ const char *search_filter,
+ const char *delete_filter)
+{
+ struct ipa_sudo_refresh_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ipa_sudo_refresh_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sysdb = sudo_ctx->id_ctx->be->domain->sysdb;
+ state->domain = sudo_ctx->id_ctx->be->domain;
+ state->sudo_ctx = sudo_ctx;
+ state->ipa_opts = sudo_ctx->ipa_opts;
+ state->sdap_opts = sudo_ctx->sdap_opts;
+ state->dp_error = DP_ERR_FATAL;
+
+ state->sdap_op = sdap_id_op_create(state,
+ sudo_ctx->id_ctx->conn->conn_cache);
+ if (!state->sdap_op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->cmdgroups_filter = talloc_strdup(state, cmdgroups_filter);
+ if (cmdgroups_filter != NULL && state->cmdgroups_filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->search_filter = talloc_strdup(state, search_filter);
+ if (search_filter != NULL && state->search_filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->delete_filter = talloc_strdup(state, delete_filter);
+ if (delete_filter != NULL && state->delete_filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ ret = ipa_sudo_refresh_retry(req);
+ if (ret == EAGAIN) {
+ /* asynchronous processing */
+ return req;
+ }
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, state->ev);
+
+ return req;
+}
+
+static errno_t
+ipa_sudo_refresh_retry(struct tevent_req *req)
+{
+ struct ipa_sudo_refresh_state *state;
+ struct tevent_req *subreq;
+ int ret;
+
+ state = tevent_req_data(req, struct ipa_sudo_refresh_state);
+
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed: "
+ "%d(%s)\n", ret, strerror(ret));
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, ipa_sudo_refresh_connect_done, req);
+
+ return EAGAIN;
+}
+
+static void
+ipa_sudo_refresh_connect_done(struct tevent_req *subreq)
+{
+ struct ipa_sudo_refresh_state *state;
+ const char *hostname;
+ struct tevent_req *req;
+ int dp_error;
+ int ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_sudo_refresh_state);
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "SUDO LDAP connection failed "
+ "[%d]: %s\n", ret, strerror(ret));
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->sh = sdap_id_op_handle(state->sdap_op);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n");
+ DEBUG(SSSDBG_TRACE_FUNC, "About to fetch host information\n");
+
+ /* Obtain host information. */
+ hostname = dp_opt_get_string(state->ipa_opts->basic, IPA_HOSTNAME);
+
+ subreq = ipa_host_info_send(state, state->ev,
+ state->sh, state->sdap_opts, hostname,
+ state->ipa_opts->id->host_map,
+ state->ipa_opts->hostgroup_map,
+ state->ipa_opts->id->sdom->host_search_bases);
+ if (subreq == NULL) {
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, ipa_sudo_refresh_host_done, req);
+}
+
+static void
+ipa_sudo_refresh_host_done(struct tevent_req *subreq)
+{
+ struct ipa_sudo_refresh_state *state;
+ struct ipa_hostinfo *host;
+ struct tevent_req *req;
+ int ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_sudo_refresh_state);
+
+ host = talloc_zero(state, struct ipa_hostinfo);
+ if (host == NULL) {
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ ret = ipa_host_info_recv(subreq, host, &host->num_hosts, &host->hosts,
+ &host->num_hostgroups, &host->hostgroups);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve host information "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = ipa_sudo_fetch_send(state, state->ev, state->domain,
+ state->sudo_ctx, host,
+ state->sdap_opts->user_map,
+ state->sdap_opts->group_map,
+ state->ipa_opts->id->host_map,
+ state->ipa_opts->hostgroup_map, state->sh,
+ state->cmdgroups_filter, state->search_filter);
+ if (subreq == NULL) {
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, ipa_sudo_refresh_done, req);
+}
+
+static void
+ipa_sudo_refresh_done(struct tevent_req *subreq)
+{
+ struct ipa_sudo_refresh_state *state;
+ struct tevent_req *req;
+ char *usn = NULL;
+ bool in_transaction = false;
+ errno_t sret;
+ int ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ipa_sudo_refresh_state);
+
+ ret = ipa_sudo_fetch_recv(state, subreq, &state->rules,
+ &state->num_rules, &usn);
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->sdap_op, ret, &state->dp_error);
+ if (state->dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = ipa_sudo_refresh_retry(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ } else if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ ret = sysdb_sudo_purge(state->domain, state->delete_filter,
+ state->rules, state->num_rules);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_sudo_store(state->domain, state->rules, state->num_rules);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+ if (usn != NULL) {
+ sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn);
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Sudo rules are successfully stored in cache\n");
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(state->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
+ }
+ }
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t
+ipa_sudo_refresh_recv(struct tevent_req *req,
+ int *dp_error,
+ size_t *_num_rules)
+{
+ struct ipa_sudo_refresh_state *state = NULL;
+ state = tevent_req_data(req, struct ipa_sudo_refresh_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *dp_error = state->dp_error;
+
+ if (_num_rules != NULL) {
+ *_num_rules = state->num_rules;
+ }
+
+ return EOK;
+}
diff --git a/src/providers/ipa/ipa_sudo_conversion.c b/src/providers/ipa/ipa_sudo_conversion.c
new file mode 100644
index 0000000..bfa66b2
--- /dev/null
+++ b/src/providers/ipa/ipa_sudo_conversion.c
@@ -0,0 +1,1338 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "providers/ldap/sdap.h"
+#include "providers/ipa/ipa_common.h"
+#include "providers/ipa/ipa_dn.h"
+#include "db/sysdb_sudo.h"
+#include "db/sysdb.h"
+#include "util/util.h"
+
+#define SUDO_DN_CMDGROUPS "sudocmdgroups"
+#define SUDO_DN_CMDS "sudocmds"
+#define SUDO_DN_CONTAINER "sudo"
+#define SUDO_DN_CN "cn"
+
+#define MATCHDN(cat) SUDO_DN_CN, (cat), SUDO_DN_CN, SUDO_DN_CONTAINER
+#define MATCHDN_CMDGROUPS MATCHDN(SUDO_DN_CMDGROUPS)
+#define MATCHDN_CMDS MATCHDN(SUDO_DN_CMDS)
+
+#define MATCHRDN_CMDGROUPS(map) (map)[IPA_AT_SUDOCMDGROUP_NAME].name, MATCHDN_CMDGROUPS
+#define MATCHRDN_CMDS(attr, map) (map)[attr].name, MATCHDN_CMDS
+
+#define MATCHRDN_USER(map) (map)[SDAP_AT_USER_NAME].name, "cn", "users", "cn", "accounts"
+#define MATCHRDN_GROUP(map) (map)[SDAP_AT_GROUP_NAME].name, "cn", "groups", "cn", "accounts"
+#define MATCHRDN_HOST(map) (map)[SDAP_AT_HOST_FQDN].name, "cn", "computers", "cn", "accounts"
+#define MATCHRDN_HOSTGROUP(map) (map)[IPA_AT_HOSTGROUP_NAME].name, "cn", "hostgroups", "cn", "accounts"
+
+struct ipa_sudo_conv {
+ struct sss_domain_info *dom;
+
+ struct sdap_attr_map *map_rule;
+ struct sdap_attr_map *map_cmdgroup;
+ struct sdap_attr_map *map_cmd;
+ struct sdap_attr_map *map_user;
+ struct sdap_attr_map *map_group;
+ struct sdap_attr_map *map_host;
+ struct sdap_attr_map *map_hostgroup;
+
+ hash_table_t *rules;
+ hash_table_t *cmdgroups;
+ hash_table_t *cmds;
+};
+
+struct ipa_sudo_dn_list {
+ struct ipa_sudo_dn_list *prev, *next;
+ const char *dn;
+};
+
+struct ipa_sudo_rulemember {
+ struct ipa_sudo_dn_list *cmdgroups;
+ struct ipa_sudo_dn_list *cmds;
+};
+
+struct ipa_sudo_rule {
+ struct sysdb_attrs *attrs;
+ struct ipa_sudo_rulemember allow;
+ struct ipa_sudo_rulemember deny;
+};
+
+struct ipa_sudo_cmdgroup {
+ struct ipa_sudo_dn_list *cmds;
+ const char **expanded;
+};
+
+static size_t
+ipa_sudo_dn_list_count(struct ipa_sudo_dn_list *list)
+{
+ struct ipa_sudo_dn_list *item;
+ size_t i;
+
+ for (i = 0, item = list; item != NULL; item = item->next, i++) {
+ /* no op */
+ }
+
+ return i;
+}
+
+static errno_t
+ipa_sudo_conv_store(hash_table_t *table,
+ const char *key,
+ void *value)
+{
+ hash_key_t hkey;
+ hash_value_t hvalue;
+ int hret;
+
+ if (table == NULL || key == NULL) {
+ return EINVAL;
+ }
+
+ hkey.type = HASH_KEY_STRING;
+ hkey.str = discard_const(key);
+
+ /* If value is NULL we don't want to override existing entry. */
+ if (value == NULL && hash_has_key(table, &hkey)) {
+ return EEXIST;
+ }
+
+ hvalue.type = HASH_VALUE_PTR;
+ hvalue.ptr = value;
+
+ hret = hash_enter(table, &hkey, &hvalue);
+ if (hret != HASH_SUCCESS) {
+ return EIO;
+ }
+
+ if (value != NULL) {
+ talloc_steal(table, value);
+ }
+
+ return EOK;
+}
+
+static void *
+ipa_sudo_conv_lookup(hash_table_t *table,
+ const char *key)
+{
+ hash_key_t hkey;
+ hash_value_t hvalue;
+ int hret;
+
+ hkey.type = HASH_KEY_STRING;
+ hkey.str = discard_const(key);
+
+ hret = hash_lookup(table, &hkey, &hvalue);
+ if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+ DEBUG(SSSDBG_OP_FAILURE, "Key not found %s\n", key);
+ return NULL;
+ } else if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup value [%d]\n", hret);
+ return NULL;
+ }
+
+ return hvalue.ptr;
+}
+
+static errno_t
+store_rulemember(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_dn_list **list,
+ hash_table_t *table,
+ const char *dn)
+{
+ struct ipa_sudo_dn_list *item;
+ errno_t ret;
+
+ item = talloc_zero(mem_ctx, struct ipa_sudo_dn_list);
+ if (item == NULL) {
+ return ENOMEM;
+ }
+
+ ret = ipa_sudo_conv_store(table, dn, NULL);
+ if (ret != EOK && ret != EEXIST) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to store DN %s [%d]: %s\n",
+ dn, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ item->dn = talloc_steal(item, dn);
+ DLIST_ADD(*list, item);
+
+done:
+ if (ret != EOK && ret != EEXIST) {
+ talloc_free(item);
+ }
+
+ return ret;
+}
+
+static bool is_ipacmdgroup(struct ipa_sudo_conv *conv, const char *dn)
+{
+ if (ipa_check_rdn_bool(conv->dom->sysdb, dn,
+ MATCHRDN_CMDGROUPS(conv->map_cmdgroup))) {
+ return true;
+ }
+
+ return false;
+}
+
+static bool is_ipacmd(struct ipa_sudo_conv *conv, const char *dn)
+{
+ if (ipa_check_rdn_bool(conv->dom->sysdb, dn,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_UUID, conv->map_cmd))) {
+ return true;
+ }
+
+ /* For older versions of FreeIPA than 3.1. */
+ if (ipa_check_rdn_bool(conv->dom->sysdb, dn,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_CMD, conv->map_cmd))) {
+ return true;
+ }
+
+ return false;
+}
+
+static errno_t
+process_rulemember(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ struct ipa_sudo_rulemember *rulemember,
+ struct sysdb_attrs *rule,
+ const char *attr)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **members;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_string_array(rule, attr, tmp_ctx, &members);
+ if (ret == ENOENT) {
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ for (i = 0; members[i] != NULL; i++) {
+ if (is_ipacmdgroup(conv, members[i])) {
+ ret = store_rulemember(mem_ctx, &rulemember->cmdgroups,
+ conv->cmdgroups, members[i]);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command group %s\n",
+ members[i]);
+ } else if (ret != EEXIST) {
+ goto done;
+ }
+ } else if (is_ipacmd(conv, members[i])) {
+ ret = store_rulemember(mem_ctx, &rulemember->cmds,
+ conv->cmds, members[i]);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command %s\n",
+ members[i]);
+ } else if (ret != EEXIST) {
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Invalid member DN %s, skipping...\n",
+ members[i]);
+ continue;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+process_allowcmd(struct ipa_sudo_conv *conv,
+ struct ipa_sudo_rule *rule)
+{
+ return process_rulemember(rule, conv, &rule->allow, rule->attrs,
+ SYSDB_IPA_SUDORULE_ALLOWCMD);
+}
+
+static errno_t
+process_denycmd(struct ipa_sudo_conv *conv,
+ struct ipa_sudo_rule *rule)
+{
+ return process_rulemember(rule, conv, &rule->deny, rule->attrs,
+ SYSDB_IPA_SUDORULE_DENYCMD);
+}
+
+static errno_t
+process_cmdgroupmember(struct ipa_sudo_conv *conv,
+ struct ipa_sudo_cmdgroup *cmdgroup,
+ struct sysdb_attrs *attrs)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ipa_sudo_dn_list *item;
+ const char **members;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_string_array(attrs, SYSDB_MEMBER, tmp_ctx, &members);
+ if (ret == ENOENT) {
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ for (i = 0; members[i] != NULL; i++) {
+ ret = ipa_sudo_conv_store(conv->cmds, members[i], NULL);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found sudo command %s\n",
+ members[i]);
+ } else if (ret != EEXIST) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to store DN [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ item = talloc_zero(tmp_ctx, struct ipa_sudo_dn_list);
+ if (item == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ item->dn = talloc_steal(item, members[i]);
+ DLIST_ADD(cmdgroup->cmds, item);
+ talloc_steal(cmdgroup, item);
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+struct ipa_sudo_conv *
+ipa_sudo_conv_init(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ struct sdap_attr_map *map_rule,
+ struct sdap_attr_map *map_cmdgroup,
+ struct sdap_attr_map *map_cmd,
+ struct sdap_attr_map *map_user,
+ struct sdap_attr_map *map_group,
+ struct sdap_attr_map *map_host,
+ struct sdap_attr_map *map_hostgroup)
+{
+ struct ipa_sudo_conv *conv;
+ errno_t ret;
+
+ conv = talloc_zero(mem_ctx, struct ipa_sudo_conv);
+ if (conv == NULL) {
+ return NULL;
+ }
+
+ conv->dom = dom;
+ conv->map_rule = map_rule;
+ conv->map_cmdgroup = map_cmdgroup;
+ conv->map_cmd = map_cmd;
+ conv->map_user = map_user;
+ conv->map_group = map_group;
+ conv->map_host = map_host;
+ conv->map_hostgroup = map_hostgroup;
+
+ ret = sss_hash_create(conv, 20, &conv->rules);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sss_hash_create(conv, 20, &conv->cmdgroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sss_hash_create(conv, 20, &conv->cmds);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ talloc_free(conv);
+ return NULL;
+ }
+
+ return conv;
+}
+
+errno_t
+ipa_sudo_conv_rules(struct ipa_sudo_conv *conv,
+ struct sysdb_attrs **rules,
+ size_t num_rules)
+{
+ struct ipa_sudo_rule *rule = NULL;
+ const char *key;
+ errno_t ret;
+ size_t i;
+
+ if (num_rules == 0) {
+ /* We're done here. */
+ return EOK;
+ }
+
+ for (i = 0; i < num_rules; i++) {
+ ret = sysdb_attrs_get_string(rules[i], SYSDB_NAME, &key);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get rule name, skipping "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ continue;
+ }
+
+ rule = talloc_zero(conv->rules, struct ipa_sudo_rule);
+ if (rule == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ rule->attrs = rules[i];
+
+ ret = process_allowcmd(conv, rule);
+ if (ret != EOK && ret != EEXIST) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberAllowCmd "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = process_denycmd(conv, rule);
+ if (ret != EOK && ret != EEXIST) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to process memberDenyCmd "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = ipa_sudo_conv_store(conv->rules, key, rule);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store rule into table "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ talloc_steal(rule, rule->attrs);
+ rule = NULL;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(rule);
+ }
+
+ return ret;
+}
+
+errno_t
+ipa_sudo_conv_cmdgroups(struct ipa_sudo_conv *conv,
+ struct sysdb_attrs **cmdgroups,
+ size_t num_cmdgroups)
+{
+ struct ipa_sudo_cmdgroup *cmdgroup = NULL;
+ const char *key;
+ errno_t ret;
+ size_t i;
+
+ if (num_cmdgroups == 0) {
+ /* We're done here. */
+ return EOK;
+ }
+
+ for (i = 0; i < num_cmdgroups; i++) {
+ ret = sysdb_attrs_get_string(cmdgroups[i], SYSDB_ORIG_DN, &key);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command group DN, "
+ "skipping [%d]: %s\n", ret, sss_strerror(ret));
+ continue;
+ }
+
+ cmdgroup = talloc_zero(conv->cmdgroups, struct ipa_sudo_cmdgroup);
+ if (cmdgroup == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = process_cmdgroupmember(conv, cmdgroup, cmdgroups[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to process member "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = ipa_sudo_conv_store(conv->cmdgroups, key, cmdgroup);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store command group into "
+ "table [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ cmdgroup = NULL;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(cmdgroup);
+ }
+
+ return ret;
+}
+
+errno_t
+ipa_sudo_conv_cmds(struct ipa_sudo_conv *conv,
+ struct sysdb_attrs **cmds,
+ size_t num_cmds)
+{
+ const char *key;
+ const char *cmd;
+ errno_t ret;
+ size_t i;
+
+ if (num_cmds == 0) {
+ /* We're done here. */
+ return EOK;
+ }
+
+ for (i = 0; i < num_cmds; i++) {
+ ret = sysdb_attrs_get_string(cmds[i], SYSDB_ORIG_DN, &key);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command DN, skipping "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ continue;
+ }
+
+ ret = sysdb_attrs_get_string(cmds[i], SYSDB_IPA_SUDOCMD_SUDOCMD, &cmd);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to get command, skipping "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ continue;
+ }
+
+ ret = ipa_sudo_conv_store(conv->cmds, key, discard_const(cmd));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store command into table "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+bool
+ipa_sudo_conv_has_cmdgroups(struct ipa_sudo_conv *conv)
+{
+ return hash_count(conv->cmdgroups) == 0;
+}
+
+bool
+ipa_sudo_conv_has_cmds(struct ipa_sudo_conv *conv)
+{
+ return hash_count(conv->cmds) == 0;
+}
+
+bool
+ipa_sudo_cmdgroups_exceed_threshold(struct ipa_sudo_conv *conv, int threshold)
+{
+ return (hash_count(conv->cmdgroups)) > threshold;
+}
+bool
+ipa_sudo_cmds_exceed_threshold(struct ipa_sudo_conv *conv, int threshold)
+{
+ return (hash_count(conv->cmds)) > threshold;
+}
+
+typedef errno_t (*ipa_sudo_conv_rdn_fn)(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ struct sysdb_ctx *sysdb,
+ const char *dn,
+ char **_rdn_val,
+ const char **_rdn_attr);
+
+static errno_t get_sudo_cmdgroup_rdn(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ struct sysdb_ctx *sysdb,
+ const char *dn,
+ char **_rdn_val,
+ const char **_rdn_attr)
+{
+ char *rdn_val;
+ errno_t ret;
+
+ ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
+ MATCHRDN_CMDGROUPS(map));
+ if (ret != EOK) {
+ return ret;
+ }
+
+ *_rdn_val = rdn_val;
+ *_rdn_attr = map[IPA_AT_SUDOCMDGROUP_NAME].name;
+
+ return EOK;
+}
+
+static errno_t get_sudo_cmd_rdn(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ struct sysdb_ctx *sysdb,
+ const char *dn,
+ char **_rdn_val,
+ const char **_rdn_attr)
+{
+ char *rdn_val;
+ errno_t ret;
+
+ ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_UUID, map));
+ if (ret == EOK) {
+ *_rdn_val = rdn_val;
+ *_rdn_attr = map[IPA_AT_SUDOCMD_UUID].name;
+
+ return EOK;
+ } else if (ret != ENOENT) {
+ return ret;
+ }
+
+ /* For older versions of FreeIPA than 3.1. */
+ ret = ipa_get_rdn(mem_ctx, sysdb, dn, &rdn_val,
+ MATCHRDN_CMDS(IPA_AT_SUDOCMD_CMD, map));
+ if (ret != EOK) {
+ return ret;
+ }
+
+ *_rdn_val = rdn_val;
+ *_rdn_attr = map[IPA_AT_SUDOCMD_CMD].name;
+
+ return EOK;
+}
+
+static char *
+build_filter(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ hash_table_t *table,
+ struct sdap_attr_map *map,
+ ipa_sudo_conv_rdn_fn rdn_fn)
+{
+ TALLOC_CTX *tmp_ctx;
+ hash_key_t *keys;
+ unsigned long int count;
+ unsigned long int i;
+ char *filter;
+ char *rdn_val;
+ const char *rdn_attr;
+ char *safe_rdn;
+ errno_t ret;
+ int hret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return NULL;
+ }
+
+ hret = hash_keys(table, &count, &keys);
+ if (hret != HASH_SUCCESS) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_steal(tmp_ctx, keys);
+
+ filter = talloc_strdup(tmp_ctx, "");
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < count; i++) {
+ ret = rdn_fn(tmp_ctx, map, sysdb, keys[i].str, &rdn_val, &rdn_attr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get member %s [%d]: %s\n",
+ keys[i].str, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(tmp_ctx, rdn_val, &safe_rdn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to sanitize DN "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ filter = talloc_asprintf_append(filter, "(%s=%s)", rdn_attr, safe_rdn);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ /* objectClass is always first */
+ filter = talloc_asprintf(filter, "(&(objectClass=%s)(|%s))",
+ map[0].name, filter);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_steal(mem_ctx, filter);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return filter;
+}
+
+char *
+ipa_sudo_conv_cmdgroup_filter(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ int cmd_threshold)
+{
+ if (ipa_sudo_cmdgroups_exceed_threshold(conv, cmd_threshold)) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Command threshold [%d] exceeded, retrieving all sudo command "
+ "groups\n", cmd_threshold);
+ return talloc_asprintf(mem_ctx, "(objectClass=%s)",
+ conv->map_cmdgroup->name);
+ } else {
+ return build_filter(mem_ctx, conv->dom->sysdb, conv->cmdgroups,
+ conv->map_cmdgroup, get_sudo_cmdgroup_rdn);
+ }
+}
+
+char *
+ipa_sudo_conv_cmd_filter(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ int cmd_threshold)
+{
+ if (ipa_sudo_cmdgroups_exceed_threshold(conv, cmd_threshold)) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Command threshold [%d] exceeded, retrieving all sudo commands\n",
+ cmd_threshold);
+ return talloc_asprintf(mem_ctx, "(objectClass=%s)",
+ conv->map_cmd->name);
+ } else {
+ return build_filter(mem_ctx, conv->dom->sysdb, conv->cmds,
+ conv->map_cmd, get_sudo_cmd_rdn);
+ }
+}
+
+struct ipa_sudo_conv_result_ctx {
+ struct ipa_sudo_conv *conv;
+ struct sysdb_attrs **rules;
+ size_t num_rules;
+ errno_t ret;
+};
+
+static const char *
+convert_host(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ char *rdn;
+ const char *group;
+ errno_t ret;
+
+ *skip_entry = false;
+
+ ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
+ MATCHRDN_HOST(conv->map_host));
+ if (ret == EOK) {
+ return rdn;
+ } else if (ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
+ value, ret, sss_strerror(ret));
+ return NULL;
+ }
+
+ ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
+ MATCHRDN_HOSTGROUP(conv->map_hostgroup));
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
+ *skip_entry = true;
+ return NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
+ value, ret, sss_strerror(ret));
+ return NULL;
+ }
+
+ group = talloc_asprintf(mem_ctx, "+%s", rdn);
+ talloc_free(rdn);
+
+ return group;
+}
+
+static const char *
+convert_user(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ char *rdn;
+ const char *group;
+ errno_t ret;
+
+ *skip_entry = false;
+
+ ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
+ MATCHRDN_USER(conv->map_user));
+ if (ret == EOK) {
+ return rdn;
+ } else if (ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
+ value, ret, sss_strerror(ret));
+ return NULL;
+ }
+
+ ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
+ MATCHRDN_GROUP(conv->map_group));
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
+ *skip_entry = true;
+ return NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
+ value, ret, sss_strerror(ret));
+ return NULL;
+ }
+
+ group = talloc_asprintf(mem_ctx, "%%%s", rdn);
+ talloc_free(rdn);
+
+ return group;
+}
+
+static const char *
+convert_user_fqdn(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ const char *shortname = NULL;
+ char *fqdn = NULL;
+
+ *skip_entry = false;
+
+ shortname = convert_user(mem_ctx, conv, value, skip_entry);
+ if (shortname == NULL) {
+ return NULL;
+ }
+
+ fqdn = sss_create_internal_fqname(mem_ctx, shortname, conv->dom->name);
+ talloc_free(discard_const(shortname));
+ return fqdn;
+}
+
+static const char *
+convert_ext_user(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ return sss_create_internal_fqname(mem_ctx, value, conv->dom->name);
+}
+
+static const char *
+convert_group(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ char *rdn;
+ errno_t ret;
+
+ *skip_entry = false;
+
+ ret = ipa_get_rdn(mem_ctx, conv->dom->sysdb, value, &rdn,
+ MATCHRDN_GROUP(conv->map_group));
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected DN %s: Skipping\n", value);
+ *skip_entry = true;
+ return NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ipa_get_rdn() failed on value %s [%d]: %s\n",
+ value, ret, sss_strerror(ret));
+ return NULL;
+ }
+
+ return rdn;
+}
+
+static const char *
+convert_runasextusergroup(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+ return talloc_asprintf(mem_ctx, "%%%s", value);
+}
+
+static const char *
+convert_cat(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry)
+{
+
+ *skip_entry = false;
+
+ if (strcmp(value, "all") == 0) {
+ return talloc_strdup(mem_ctx, "ALL");
+ }
+
+ return value;
+}
+
+static errno_t
+convert_attributes(struct ipa_sudo_conv *conv,
+ struct ipa_sudo_rule *rule,
+ struct sysdb_attrs *attrs)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **values;
+ const char *value;
+ errno_t ret;
+ int i, j;
+ bool skip_entry;
+ static struct {
+ const char *ipa;
+ const char *sudo;
+ const char *(*conv_fn)(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ const char *value,
+ bool *skip_entry);
+ } table[] = {{SYSDB_NAME, SYSDB_SUDO_CACHE_AT_CN , NULL},
+ {SYSDB_IPA_SUDORULE_HOST, SYSDB_SUDO_CACHE_AT_HOST , convert_host},
+ {SYSDB_IPA_SUDORULE_USER, SYSDB_SUDO_CACHE_AT_USER , convert_user_fqdn},
+ {SYSDB_IPA_SUDORULE_RUNASUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_user},
+ {SYSDB_IPA_SUDORULE_RUNASGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_group},
+ {SYSDB_IPA_SUDORULE_OPTION, SYSDB_SUDO_CACHE_AT_OPTION , NULL},
+ {SYSDB_IPA_SUDORULE_NOTAFTER, SYSDB_SUDO_CACHE_AT_NOTAFTER , NULL},
+ {SYSDB_IPA_SUDORULE_NOTBEFORE, SYSDB_SUDO_CACHE_AT_NOTBEFORE , NULL},
+ {SYSDB_IPA_SUDORULE_SUDOORDER, SYSDB_SUDO_CACHE_AT_ORDER , NULL},
+ {SYSDB_IPA_SUDORULE_CMDCATEGORY, SYSDB_SUDO_CACHE_AT_COMMAND , convert_cat},
+ {SYSDB_IPA_SUDORULE_HOSTCATEGORY, SYSDB_SUDO_CACHE_AT_HOST , convert_cat},
+ {SYSDB_IPA_SUDORULE_USERCATEGORY, SYSDB_SUDO_CACHE_AT_USER , convert_cat},
+ {SYSDB_IPA_SUDORULE_RUNASUSERCATEGORY, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_cat},
+ {SYSDB_IPA_SUDORULE_RUNASGROUPCATEGORY, SYSDB_SUDO_CACHE_AT_RUNASGROUP , convert_cat},
+ {SYSDB_IPA_SUDORULE_RUNASEXTUSER, SYSDB_SUDO_CACHE_AT_RUNASUSER , NULL},
+ {SYSDB_IPA_SUDORULE_RUNASEXTGROUP, SYSDB_SUDO_CACHE_AT_RUNASGROUP , NULL},
+ {SYSDB_IPA_SUDORULE_RUNASEXTUSERGROUP, SYSDB_SUDO_CACHE_AT_RUNASUSER , convert_runasextusergroup},
+ {SYSDB_IPA_SUDORULE_EXTUSER, SYSDB_SUDO_CACHE_AT_USER , convert_ext_user},
+ {SYSDB_IPA_SUDORULE_ALLOWCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
+ {SYSDB_IPA_SUDORULE_DENYCMD, SYSDB_IPA_SUDORULE_ORIGCMD , NULL},
+ {NULL, NULL, NULL}};
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ for (i = 0; table[i].ipa != NULL; i++) {
+ ret = sysdb_attrs_get_string_array(rule->attrs, table[i].ipa,
+ tmp_ctx, &values);
+ if (ret == ENOENT) {
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read attribute "
+ "%s [%d]: %s\n", table[i].ipa, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ for (j = 0; values[j] != NULL; j++) {
+ if (table[i].conv_fn != NULL) {
+ value = table[i].conv_fn(tmp_ctx, conv, values[j], &skip_entry);
+ if (value == NULL) {
+ if (skip_entry) {
+ continue;
+ } else {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ } else {
+ value = values[j];
+ }
+
+ ret = sysdb_attrs_add_string_safe(attrs, table[i].sudo, value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute "
+ "%s [%d]: %s\n", table[i].sudo, ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char **
+combine_cmdgroups(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ struct ipa_sudo_dn_list *list)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ipa_sudo_cmdgroup *cmdgroup;
+ struct ipa_sudo_dn_list *listitem;
+ const char **values = NULL;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return NULL;
+ }
+
+ values = talloc_zero_array(tmp_ctx, const char *, 1);
+ if (values == NULL) {
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+
+ DLIST_FOR_EACH(listitem, list) {
+ cmdgroup = ipa_sudo_conv_lookup(conv->cmdgroups, listitem->dn);
+ if (cmdgroup == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ipa_sudo_conv_lookup failed for DN:%s\n", listitem->dn);
+ continue;
+ }
+
+ ret = add_strings_lists(mem_ctx, values, cmdgroup->expanded,
+ false, discard_const(&values));
+ if (ret != EOK) {
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+ }
+
+ talloc_steal(mem_ctx, values);
+ talloc_free(tmp_ctx);
+
+ return values;
+}
+
+static const char **
+combine_cmds(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ struct ipa_sudo_dn_list *list)
+{
+ struct ipa_sudo_dn_list *listitem;
+ const char **values;
+ const char *command;
+ size_t count;
+ size_t i;
+
+ count = ipa_sudo_dn_list_count(list);
+
+ values = talloc_zero_array(mem_ctx, const char *, count + 1);
+ if (values == NULL) {
+ return NULL;
+ }
+
+ i = 0;
+ DLIST_FOR_EACH(listitem, list) {
+ command = ipa_sudo_conv_lookup(conv->cmds, listitem->dn);
+ if (command == NULL) {
+ continue;
+ }
+
+ values[i] = command;
+ i++;
+ }
+
+ return values;
+}
+
+static errno_t
+build_sudocommand(struct ipa_sudo_conv *conv,
+ struct ipa_sudo_rulemember *mlist,
+ struct sysdb_attrs *attrs,
+ char prefix)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **cmds[2];
+ const char *command;
+ errno_t ret;
+ int i, j;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ cmds[0] = combine_cmdgroups(tmp_ctx, conv, mlist->cmdgroups);
+ if (cmds[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ cmds[1] = combine_cmds(tmp_ctx, conv, mlist->cmds);
+ if (cmds[1] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < 2; i++) {
+ for (j = 0; cmds[i][j] != NULL; j++) {
+ if (prefix == '\0') {
+ command = cmds[i][j];
+ } else {
+ command = talloc_asprintf(tmp_ctx, "%c%s", prefix, cmds[i][j]);
+ if (command == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = sysdb_attrs_add_string_safe(attrs,
+ SYSDB_SUDO_CACHE_AT_COMMAND, command);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute "
+ "%s [%d]: %s\n", SYSDB_SUDO_CACHE_AT_COMMAND,
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+convert_sudocommand(struct ipa_sudo_conv *conv,
+ struct ipa_sudo_rule *rule,
+ struct sysdb_attrs *attrs)
+{
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = build_sudocommand(conv, &rule->allow, attrs, '\0');
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build allow commands "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = build_sudocommand(conv, &rule->deny, attrs, '!');
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build deny commands "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static bool
+rules_iterator(hash_entry_t *item,
+ void *user_data)
+{
+ struct ipa_sudo_conv_result_ctx *ctx = user_data;
+ struct ipa_sudo_rule *rule = item->value.ptr;
+ struct sysdb_attrs *attrs;
+
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: ctx is NULL\n");
+ return false;
+ }
+
+ if (rule == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: rule is NULL\n");
+ ctx->ret = ERR_INTERNAL;
+ return false;
+ }
+
+ attrs = sysdb_new_attrs(ctx->rules);
+ if (attrs == NULL) {
+ ctx->ret = ENOMEM;
+ return false;
+ }
+
+ ctx->ret = convert_attributes(ctx->conv, rule, attrs);
+ if (ctx->ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to convert attributes [%d]: %s\n",
+ ctx->ret, sss_strerror(ctx->ret));
+ talloc_free(attrs);
+ return false;
+ }
+
+ ctx->ret = convert_sudocommand(ctx->conv, rule, attrs);
+ if (ctx->ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to build sudoCommand [%d]: %s\n",
+ ctx->ret, sss_strerror(ctx->ret));
+ talloc_free(attrs);
+ return false;
+ }
+
+ ctx->rules[ctx->num_rules] = attrs;
+ ctx->num_rules++;
+
+ return true;
+}
+
+static bool
+cmdgroups_iterator(hash_entry_t *item,
+ void *user_data)
+{
+ struct ipa_sudo_conv_result_ctx *ctx = user_data;
+ struct ipa_sudo_cmdgroup *cmdgroup = item->value.ptr;
+ const char **values;
+
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: ctx is NULL\n");
+ return false;
+ }
+
+ if (cmdgroup == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: rule is NULL\n");
+ ctx->ret = ERR_INTERNAL;
+ return false;
+ }
+
+ values = combine_cmds(cmdgroup, ctx->conv, cmdgroup->cmds);
+ if (values == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand commands\n");
+ ctx->ret = ENOMEM;
+ return false;
+ }
+
+ cmdgroup->expanded = values;
+ ctx->ret = EOK;
+
+ return true;
+}
+
+errno_t
+ipa_sudo_conv_result(TALLOC_CTX *mem_ctx,
+ struct ipa_sudo_conv *conv,
+ struct sysdb_attrs ***_rules,
+ size_t *_num_rules)
+{
+ struct ipa_sudo_conv_result_ctx ctx;
+ struct sysdb_attrs **rules;
+ unsigned long num_rules;
+ int hret;
+
+ num_rules = hash_count(conv->rules);
+ if (num_rules == 0) {
+ *_rules = NULL;
+ *_num_rules = 0;
+ return EOK;
+ }
+
+ ctx.conv = conv;
+ ctx.rules = NULL;
+ ctx.num_rules = 0;
+
+ /* If there are no cmdgroups the iterator is not called and ctx.ret is
+ * uninitialized. Since it is ok that there are no cmdgroups initializing
+ * ctx.ret to EOK. */
+ ctx.ret = EOK;
+
+ /* Expand commands in command groups.
*/ + hret = hash_iterate(conv->cmdgroups, cmdgroups_iterator, &ctx); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to iterate over command groups " + "[%d]\n", hret); + return EIO; + } + + if (ctx.ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to expand command groups " + "[%d]: %s\n", ctx.ret, sss_strerror(ctx.ret)); + return ctx.ret; + } + + /* Convert rules. */ + rules = talloc_zero_array(mem_ctx, struct sysdb_attrs *, num_rules); + if (rules == NULL) { + return ENOMEM; + } + + ctx.rules = rules; + ctx.num_rules = 0; + + hret = hash_iterate(conv->rules, rules_iterator, &ctx); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to iterate over rules [%d]\n", hret); + return EIO; + } + + if (ctx.ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert rules [%d]: %s\n", + ctx.ret, sss_strerror(ctx.ret)); + talloc_free(rules); + return ctx.ret; + } + + *_rules = ctx.rules; + *_num_rules = ctx.num_rules; + + return EOK; +} diff --git a/src/providers/ipa/ipa_sudo_refresh.c b/src/providers/ipa/ipa_sudo_refresh.c new file mode 100644 index 0000000..7874223 --- /dev/null +++ b/src/providers/ipa/ipa_sudo_refresh.c 
@@ -0,0 +1,460 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "providers/be_ptask.h" +#include "providers/ipa/ipa_sudo.h" +#include "providers/ldap/sdap_sudo_shared.h" +#include "db/sysdb_sudo.h" + +struct ipa_sudo_full_refresh_state { + struct ipa_sudo_ctx *sudo_ctx; + struct sss_domain_info *domain; + int dp_error; +}; + +static void ipa_sudo_full_refresh_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_sudo_full_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ipa_sudo_ctx *sudo_ctx) +{ + struct ipa_sudo_full_refresh_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + char *delete_filter; + int ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_sudo_full_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->domain = sudo_ctx->id_ctx->be->domain; + state->sudo_ctx = sudo_ctx; + + /* Remove all rules from cache */ + delete_filter = talloc_asprintf(state, "(%s=%s)", SYSDB_OBJECTCLASS, + SYSDB_SUDO_CACHE_OC); + if (delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing a full refresh of sudo rules\n"); + + subreq = ipa_sudo_refresh_send(state, ev, sudo_ctx, + NULL, NULL, delete_filter); + if (subreq 
== NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_sudo_full_refresh_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static void +ipa_sudo_full_refresh_done(struct tevent_req *subreq) +{ + struct ipa_sudo_full_refresh_state *state; + struct tevent_req *req; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_full_refresh_state); + + ret = ipa_sudo_refresh_recv(subreq, &state->dp_error, NULL); + talloc_zfree(subreq); + if (ret != EOK || state->dp_error != DP_ERR_OK) { + goto done; + } + + ret = sysdb_sudo_set_last_full_refresh(state->domain, time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to save time of " + "a successful full refresh\n"); + } + + DEBUG(SSSDBG_TRACE_FUNC, "Successful full refresh of sudo rules\n"); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int +ipa_sudo_full_refresh_recv(struct tevent_req *req, + int *dp_error) +{ + struct ipa_sudo_full_refresh_state *state; + state = tevent_req_data(req, struct ipa_sudo_full_refresh_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + + return EOK; +} + +struct ipa_sudo_smart_refresh_state { + int dp_error; +}; + +static void ipa_sudo_smart_refresh_done(struct tevent_req *subreq); + +static struct tevent_req * +ipa_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ipa_sudo_ctx *sudo_ctx) +{ + struct sdap_server_opts *srv_opts = sudo_ctx->id_ctx->srv_opts; + struct ipa_sudo_smart_refresh_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + char *cmdgroups_filter; + char *search_filter; + const char *usn; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ipa_sudo_smart_refresh_state); + if (req == 
NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + /* Download all rules from LDAP that are newer than usn */ + if (srv_opts == NULL || srv_opts->max_sudo_value == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n"); + usn = "0"; + search_filter = NULL; + } else { + usn = srv_opts->max_sudo_value; + search_filter = talloc_asprintf(state, "(%s>=%s)", + sudo_ctx->sudorule_map[IPA_AT_SUDORULE_ENTRYUSN].name, usn); + if (search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + } + + cmdgroups_filter = talloc_asprintf(state, "(%s>=%s)", + sudo_ctx->sudocmdgroup_map[IPA_AT_SUDOCMDGROUP_ENTRYUSN].name, usn); + if (cmdgroups_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + /* Do not remove any rules that are already in the sysdb. */ + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing a smart refresh of sudo rules " + "(USN >= %s)\n", usn); + + subreq = ipa_sudo_refresh_send(state, ev, sudo_ctx, cmdgroups_filter, + search_filter, NULL); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_sudo_smart_refresh_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static void ipa_sudo_smart_refresh_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + struct ipa_sudo_smart_refresh_state *state = NULL; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_smart_refresh_state); + + ret = ipa_sudo_refresh_recv(subreq, &state->dp_error, NULL); + talloc_zfree(subreq); + if (ret != EOK || state->dp_error != DP_ERR_OK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Successful smart refresh of sudo rules\n"); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int ipa_sudo_smart_refresh_recv(struct 
tevent_req *req, + int *dp_error) +{ + struct ipa_sudo_smart_refresh_state *state = NULL; + state = tevent_req_data(req, struct ipa_sudo_smart_refresh_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + + return EOK; +} + +struct ipa_sudo_rules_refresh_state { + size_t num_rules; + int dp_error; + bool deleted; +}; + +static void ipa_sudo_rules_refresh_done(struct tevent_req *subreq); + +struct tevent_req * +ipa_sudo_rules_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct ipa_sudo_ctx *sudo_ctx, + char **rules) +{ + TALLOC_CTX *tmp_ctx; + struct ipa_sudo_rules_refresh_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + char *search_filter; + char *delete_filter; + char *safe_rule; + errno_t ret; + int i; + + req = tevent_req_create(mem_ctx, &state, struct ipa_sudo_rules_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + ret = ENOMEM; + goto immediately; + } + + if (rules == NULL || rules[0] == NULL) { + state->dp_error = DP_ERR_OK; + state->num_rules = 0; + state->deleted = false; + ret = EOK; + goto immediately; + } + + search_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */ + delete_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */ + + /* Download only selected rules from LDAP. */ + /* Remove all selected rules from cache. 
*/ + for (i = 0; rules[i] != NULL; i++) { + ret = sss_filter_sanitize(tmp_ctx, rules[i], &safe_rule); + if (ret != EOK) { + ret = ENOMEM; + goto immediately; + } + + search_filter = talloc_asprintf_append_buffer(search_filter, "(%s=%s)", + sudo_ctx->sudorule_map[IPA_AT_SUDORULE_NAME].name, + safe_rule); + if (search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + delete_filter = talloc_asprintf_append_buffer(delete_filter, "(%s=%s)", + SYSDB_NAME, safe_rule); + if (delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + } + + state->num_rules = i; + + search_filter = talloc_asprintf(tmp_ctx, "(|%s)", search_filter); + if (search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + delete_filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(|%s))", + SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC, + delete_filter); + if (delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + subreq = ipa_sudo_refresh_send(req, ev, sudo_ctx, NULL, search_filter, + delete_filter); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, ipa_sudo_rules_refresh_done, req); + + ret = EOK; + +immediately: + talloc_free(tmp_ctx); + + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void +ipa_sudo_rules_refresh_done(struct tevent_req *subreq) +{ + struct ipa_sudo_rules_refresh_state *state; + struct tevent_req *req = NULL; + size_t downloaded_rules_num; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ipa_sudo_rules_refresh_state); + + ret = ipa_sudo_refresh_recv(subreq, &state->dp_error, &downloaded_rules_num); + talloc_zfree(subreq); + if (ret != EOK || state->dp_error != DP_ERR_OK) { + goto done; + } + + state->deleted = downloaded_rules_num != state->num_rules ? 
true : false; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int +ipa_sudo_rules_refresh_recv(struct tevent_req *req, + int *dp_error, + bool *deleted) +{ + struct ipa_sudo_rules_refresh_state *state; + state = tevent_req_data(req, struct ipa_sudo_rules_refresh_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + *deleted = state->deleted; + + return EOK; +} + +static struct tevent_req * +ipa_sudo_ptask_full_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct ipa_sudo_ctx *sudo_ctx; + sudo_ctx = talloc_get_type(pvt, struct ipa_sudo_ctx); + + return ipa_sudo_full_refresh_send(mem_ctx, be_ctx->ev, sudo_ctx); +} + +static errno_t +ipa_sudo_ptask_full_refresh_recv(struct tevent_req *req) +{ + int dp_error; + + return ipa_sudo_full_refresh_recv(req, &dp_error); +} + +static struct tevent_req * +ipa_sudo_ptask_smart_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct ipa_sudo_ctx *sudo_ctx; + sudo_ctx = talloc_get_type(pvt, struct ipa_sudo_ctx); + + return ipa_sudo_smart_refresh_send(mem_ctx, be_ctx->ev, sudo_ctx); +} + +static errno_t +ipa_sudo_ptask_smart_refresh_recv(struct tevent_req *req) +{ + int dp_error; + + return ipa_sudo_smart_refresh_recv(req, &dp_error); +} + +errno_t +ipa_sudo_ptask_setup(struct be_ctx *be_ctx, struct ipa_sudo_ctx *sudo_ctx) +{ + return sdap_sudo_ptask_setup_generic(be_ctx, sudo_ctx->id_ctx->opts->basic, + ipa_sudo_ptask_full_refresh_send, + ipa_sudo_ptask_full_refresh_recv, + ipa_sudo_ptask_smart_refresh_send, + ipa_sudo_ptask_smart_refresh_recv, + sudo_ctx); +} diff --git a/src/providers/ipa/ipa_utils.c b/src/providers/ipa/ipa_utils.c new file mode 100644 index 0000000..86ba51c --- /dev/null +++ b/src/providers/ipa/ipa_utils.c 
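Review bot: In ipa_sudo_rules_refresh_send() (src/providers/ipa/ipa_sudo_refresh.c), the empty-input branch (`rules == NULL || rules[0] == NULL`) sets `ret = EOK` and jumps to `immediately:`, where only the `ret != EOK` case calls tevent_req_error() and tevent_req_post(), so the request is returned without being marked done or posted. A caller that installs a callback on it would apparently never be notified, unlike the `immediately:` blocks of the full and smart refresh senders in this file, which call tevent_req_done() when `ret == EOK`. The branch should complete the request itself, as in the fence below; the shared label cannot just call tevent_req_done(), because the normal success path also reaches it with `ret == EOK` after the subrequest has been started. Separately, the two `talloc_zero(tmp_ctx, char)` results are passed to talloc_asprintf_append_buffer() without a NULL check.

```c
    if (rules == NULL || rules[0] == NULL) {
        /* … unchanged: dp_error / num_rules / deleted defaults … */

        /* Nothing to download: finish the request here so that the
         * caller's callback still fires. */
        talloc_free(tmp_ctx);
        tevent_req_done(req);
        tevent_req_post(req, ev);
        return req;
    }
```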
@@ -0,0 +1,63 @@ +/* + SSSD + + IPA Module utility functions + + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" + +#define OVERRIDE_ANCHOR_IPA_PREFIX ":IPA:" +#define OVERRIDE_ANCHOR_IPA_PREFIX_LEN (sizeof(OVERRIDE_ANCHOR_IPA_PREFIX) -1 ) + +errno_t split_ipa_anchor(TALLOC_CTX *mem_ctx, const char *anchor, + char **_anchor_domain, char **_ipa_uuid) +{ + const char *sep; + + if (anchor == NULL) { + return EINVAL; + } + if (strncmp(OVERRIDE_ANCHOR_IPA_PREFIX, anchor, + OVERRIDE_ANCHOR_IPA_PREFIX_LEN) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "No IPA anchor [%s].\n", anchor); + return ENOMSG; + } + + sep = strchr(anchor + OVERRIDE_ANCHOR_IPA_PREFIX_LEN, ':'); + if (sep == NULL || sep[1] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Broken IPA anchor [%s].\n", anchor); + return EINVAL; + } + + *_anchor_domain = talloc_strndup(mem_ctx, + anchor + OVERRIDE_ANCHOR_IPA_PREFIX_LEN, + sep - anchor - OVERRIDE_ANCHOR_IPA_PREFIX_LEN); + *_ipa_uuid = talloc_strdup(mem_ctx, sep + 1); + + if (*_anchor_domain == NULL || *_ipa_uuid == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + talloc_free(*_anchor_domain); + talloc_free(*_ipa_uuid); + return ENOMEM; + } + + return EOK; +} diff --git a/src/providers/ipa/ipa_views.c b/src/providers/ipa/ipa_views.c new file mode 100644 index 0000000..2a918bd --- /dev/null +++ b/src/providers/ipa/ipa_views.c 
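Review bot: split_ipa_anchor() (src/providers/ipa/ipa_utils.c) rejects an anchor with an empty UUID (`sep[1] == '\0'`) but accepts one with an empty domain. For a constructed anchor such as `:IPA::<uuid>` the separator sits directly after the prefix, the length passed to talloc_strndup() is 0, and `*_anchor_domain` comes back as an empty string. If callers expect a usable domain name, the check should cover that case too, e.g. `if (sep == NULL || sep == anchor + OVERRIDE_ANCHOR_IPA_PREFIX_LEN || sep[1] == '\0') {`. On the ENOMEM path both out-parameters are freed but left pointing at released memory; `talloc_zfree(*_anchor_domain); talloc_zfree(*_ipa_uuid);` would leave them NULL for a caller that cleans up on error.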
@@ -0,0 +1,533 @@ +/* + SSSD + + IPA Identity Backend Module for views and overrides + + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/strtonum.h" +#include "util/cert.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ipa/ipa_id.h" + +static errno_t dp_id_data_to_override_filter(TALLOC_CTX *mem_ctx, + struct ipa_options *ipa_opts, + struct dp_id_data *ar, + char **override_filter) +{ + char *filter; + uint32_t id; + char *endptr; + char *cert_filter; + int ret; + char *shortname; + char *sanitized_name; + + switch (ar->filter_type) { + case BE_FILTER_NAME: + ret = sss_parse_internal_fqname(mem_ctx, ar->filter_value, + &shortname, NULL); + if (ret != EOK) { + return ret; + } + + ret = sss_filter_sanitize(mem_ctx, shortname, &sanitized_name); + talloc_free(shortname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n"); + return ret; + } + + switch ((ar->entry_type & BE_REQ_TYPE_MASK)) { + case BE_REQ_USER: + case BE_REQ_INITGROUPS: + filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))", + ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_USER_NAME].name, + sanitized_name); + break; + + case BE_REQ_GROUP: + filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%s))", + ipa_opts->override_map[IPA_OC_OVERRIDE_GROUP].name, + 
ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_NAME].name, + sanitized_name); + break; + + case BE_REQ_USER_AND_GROUP: + filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(|(%s=%s)(%s=%s)))", + ipa_opts->override_map[IPA_OC_OVERRIDE].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_USER_NAME].name, + ar->filter_value, + ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_NAME].name, + sanitized_name); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected entry type [%d] for name filter.\n", + ar->entry_type); + talloc_free(sanitized_name); + return EINVAL; + } + talloc_free(sanitized_name); + break; + + case BE_FILTER_IDNUM: + errno = 0; + id = strtouint32(ar->filter_value, &endptr, 10); + if (errno != 0|| *endptr != '\0' || (ar->filter_value == endptr)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid id value [%s].\n", + ar->filter_value); + return EINVAL; + } + switch ((ar->entry_type & BE_REQ_TYPE_MASK)) { + case BE_REQ_USER: + case BE_REQ_INITGROUPS: + filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=%"PRIu32"))", + ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_UID_NUMBER].name, + id); + break; + + case BE_REQ_GROUP: + filter = talloc_asprintf(mem_ctx, + "(&(objectClass=%s)(%s=%"PRIu32"))", + ipa_opts->override_map[IPA_OC_OVERRIDE_GROUP].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_GID_NUMBER].name, + id); + break; + + case BE_REQ_USER_AND_GROUP: + filter = talloc_asprintf(mem_ctx, + "(&(objectClass=%s)(|(%s=%"PRIu32")(%s=%"PRIu32")))", + ipa_opts->override_map[IPA_OC_OVERRIDE].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_UID_NUMBER].name, + id, + ipa_opts->override_map[IPA_AT_OVERRIDE_GROUP_GID_NUMBER].name, + id); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected entry type [%d] for id filter.\n", + ar->entry_type); + return EINVAL; + } + break; + + case BE_FILTER_SECID: + if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_SECID) { + filter = talloc_asprintf(mem_ctx, 
"(&(objectClass=%s)(%s=:SID:%s))", + ipa_opts->override_map[IPA_OC_OVERRIDE].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_ANCHOR_UUID].name, + ar->filter_value); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected entry type [%d] for SID filter.\n", + ar->entry_type); + return EINVAL; + } + break; + + case BE_FILTER_UUID: + if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_UUID) { + filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)(%s=:IPA:%s:%s))", + ipa_opts->override_map[IPA_OC_OVERRIDE].name, + ipa_opts->override_map[IPA_AT_OVERRIDE_ANCHOR_UUID].name, + dp_opt_get_string(ipa_opts->basic, IPA_DOMAIN), + ar->filter_value); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected entry type [%d] for UUID filter.\n", + ar->entry_type); + return EINVAL; + } + break; + + case BE_FILTER_CERT: + if ((ar->entry_type & BE_REQ_TYPE_MASK) == BE_REQ_BY_CERT) { + ret = sss_cert_derb64_to_ldap_filter(mem_ctx, ar->filter_value, + ipa_opts->override_map[IPA_AT_OVERRIDE_USER_CERT].name, + NULL, NULL, &cert_filter); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_cert_derb64_to_ldap_filter failed.\n"); + return ret; + } + filter = talloc_asprintf(mem_ctx, "(&(objectClass=%s)%s)", + ipa_opts->override_map[IPA_OC_OVERRIDE_USER].name, + cert_filter); + talloc_free(cert_filter); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected entry type [%d] for certificate filter.\n", + ar->entry_type); + return EINVAL; + } + break; + + default: + DEBUG(SSSDBG_OP_FAILURE, "Invalid sub-domain filter type.\n"); + return EINVAL; + } + + if (filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + *override_filter = filter; + + return EOK; +} + +static errno_t get_dp_id_data_for_xyz(TALLOC_CTX *mem_ctx, const char *val, + const char *domain_name, + int type, + struct dp_id_data **_ar) +{ + struct dp_id_data *ar; + + ar = talloc_zero(mem_ctx, struct dp_id_data); + if (ar == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + return 
ENOMEM; + } + + switch (type) { + case BE_REQ_BY_SECID: + ar->entry_type = BE_REQ_BY_SECID; + ar->filter_type = BE_FILTER_SECID; + break; + case BE_REQ_BY_UUID: + ar->entry_type = BE_REQ_BY_UUID; + ar->filter_type = BE_FILTER_UUID; + break; + case BE_REQ_USER: + ar->entry_type = BE_REQ_USER; + ar->filter_type = BE_FILTER_NAME; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported request type [%d].\n", type); + talloc_free(ar); + return EINVAL; + } + + ar->filter_value = talloc_strdup(ar, val); + ar->domain = talloc_strdup(ar, domain_name); + if (ar->filter_value == NULL || ar->domain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + talloc_free(ar); + return ENOMEM; + } + + + *_ar = ar; + + return EOK; +} + +errno_t get_dp_id_data_for_sid(TALLOC_CTX *mem_ctx, const char *sid, + const char *domain_name, + struct dp_id_data **_ar) +{ + return get_dp_id_data_for_xyz(mem_ctx, sid, domain_name, BE_REQ_BY_SECID, + _ar); +} + +errno_t get_dp_id_data_for_uuid(TALLOC_CTX *mem_ctx, const char *uuid, + const char *domain_name, + struct dp_id_data **_ar) +{ + return get_dp_id_data_for_xyz(mem_ctx, uuid, domain_name, BE_REQ_BY_UUID, + _ar); +} + +errno_t get_dp_id_data_for_user_name(TALLOC_CTX *mem_ctx, + const char *user_name, + const char *domain_name, + struct dp_id_data **_ar) +{ + return get_dp_id_data_for_xyz(mem_ctx, user_name, domain_name, BE_REQ_USER, + _ar); +} + +struct ipa_get_ad_override_state { + struct tevent_context *ev; + struct sdap_id_ctx *sdap_id_ctx; + struct ipa_options *ipa_options; + const char *ipa_realm; + const char *ipa_view_name; + struct dp_id_data *ar; + + struct sdap_id_op *sdap_op; + int dp_error; + struct sysdb_attrs *override_attrs; + char *filter; +}; + +static void ipa_get_ad_override_connect_done(struct tevent_req *subreq); +static errno_t ipa_get_ad_override_qualify_name( + struct ipa_get_ad_override_state *state); +static void ipa_get_ad_override_done(struct tevent_req *subreq); + +struct tevent_req 
*ipa_get_ad_override_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_id_ctx, + struct ipa_options *ipa_options, + const char *ipa_realm, + const char *view_name, + struct dp_id_data *ar) +{ + int ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct ipa_get_ad_override_state *state; + + req = tevent_req_create(mem_ctx, &state, struct ipa_get_ad_override_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->sdap_id_ctx = sdap_id_ctx; + state->ipa_options = ipa_options; + state->ipa_realm = ipa_realm; + state->ar = ar; + state->dp_error = -1; + state->override_attrs = NULL; + state->filter = NULL; + + if (view_name == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "View not defined, nothing to do.\n"); + ret = EOK; + goto done; + } + + if (is_default_view(view_name)) { + state->ipa_view_name = IPA_DEFAULT_VIEW_NAME; + } else { + state->ipa_view_name = view_name; + } + + state->sdap_op = sdap_id_op_create(state, + state->sdap_id_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto done; + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: %d(%s).\n", + ret, strerror(ret)); + goto done; + } + + tevent_req_set_callback(subreq, ipa_get_ad_override_connect_done, req); + + return req; + +done: + if (ret != EOK) { + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + } else { + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + } + tevent_req_post(req, state->ev); + + return req; +} + +static void ipa_get_ad_override_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_ad_override_state *state = tevent_req_data(req, + struct ipa_get_ad_override_state); + int ret; + char 
*basedn; + char *search_base; + struct ipa_options *ipa_opts = state->ipa_options; + + ret = sdap_id_op_connect_recv(subreq, &state->dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (state->dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, + "No IPA server is available, going offline\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to IPA server: [%d](%s)\n", + ret, strerror(ret)); + } + + goto fail; + } + + ret = domain_to_basedn(state, state->ipa_realm, &basedn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "domain_to_basedn failed.\n"); + goto fail; + } + + search_base = talloc_asprintf(state, "cn=%s,%s", state->ipa_view_name, + ipa_opts->views_search_bases[0]->basedn); + if (search_base == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto fail; + } + + ret = dp_id_data_to_override_filter(state, state->ipa_options, state->ar, + &state->filter); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "dp_id_data_to_override_filter failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Searching for overrides in view [%s] with filter [%s].\n", + state->ipa_view_name, state->filter); + + subreq = sdap_get_generic_send(state, state->ev, state->sdap_id_ctx->opts, + sdap_id_op_handle(state->sdap_op), search_base, + LDAP_SCOPE_SUBTREE, + state->filter, NULL, + state->ipa_options->override_map, + IPA_OPTS_OVERRIDE, + dp_opt_get_int(state->sdap_id_ctx->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_get_generic_send failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, ipa_get_ad_override_done, req); + return; + +fail: + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + return; +} + +static void ipa_get_ad_override_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ipa_get_ad_override_state *state = tevent_req_data(req, + struct 
ipa_get_ad_override_state); + int ret; + size_t reply_count = 0; + struct sysdb_attrs **reply = NULL; + + ret = sdap_get_generic_recv(subreq, state, &reply_count, &reply); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ipa_get_ad_override request failed.\n"); + goto fail; + } + + if (reply_count == 0) { + DEBUG(SSSDBG_TRACE_ALL, "No override found with filter [%s].\n", + state->filter); + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + } else if (reply_count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Found [%zu] overrides with filter [%s], expected only 1.\n", + reply_count, state->filter); + ret = EINVAL; + goto fail; + } + + DEBUG(SSSDBG_TRACE_ALL, "Found override for object with filter [%s].\n", + state->filter); + state->override_attrs = reply[0]; + + ret = ipa_get_ad_override_qualify_name(state); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot qualify object name\n"); + goto fail; + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; + +fail: + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + return; +} + +static errno_t ipa_get_ad_override_qualify_name( + struct ipa_get_ad_override_state *state) +{ + int ret; + struct ldb_message_element *name; + char *fqdn; + + ret = sysdb_attrs_get_el_ext(state->override_attrs, SYSDB_NAME, + false, &name); + if (ret == ENOENT) { + return EOK; /* Does not override name */ + } else if (ret != EOK && ret != ENOENT) { + return ret; + } + + fqdn = sss_create_internal_fqname(name->values, + (const char *) name->values[0].data, + state->ar->domain); + if (fqdn == NULL) { + return ENOMEM; + } + + name->values[0].data = (uint8_t *) fqdn; + name->values[0].length = strlen(fqdn); + return EOK; +} + +errno_t ipa_get_ad_override_recv(struct tevent_req *req, int *dp_error_out, + TALLOC_CTX *mem_ctx, + struct sysdb_attrs **override_attrs) +{ + struct ipa_get_ad_override_state *state = tevent_req_data(req, + struct ipa_get_ad_override_state); + + if (dp_error_out 
!= NULL) { + *dp_error_out = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (override_attrs != NULL) { + *override_attrs = talloc_steal(mem_ctx, state->override_attrs); + } + + return EOK; +} diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c new file mode 100644 index 0000000..d061417 --- /dev/null +++ b/src/providers/ipa/selinux_child.c 
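Review bot: In dp_id_data_to_override_filter() (src/providers/ipa/ipa_views.c), the BE_FILTER_NAME / BE_REQ_USER_AND_GROUP branch formats the raw `ar->filter_value` into the user-name clause of the LDAP filter, while the other name branches use `sanitized_name` from sss_filter_sanitize(). LDAP filter metacharacters in the request value therefore stay unescaped in that one clause, and the user attribute is presumably compared against the unparsed name rather than the short name; the argument should be `sanitized_name,` as in the group clause next to it. The BE_FILTER_SECID and BE_FILTER_UUID branches likewise interpolate `ar->filter_value` with no sanitizing or format check visible in this hunk, so running the value through sss_filter_sanitize() first would make those branches consistent with the name path.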
@@ -0,0 +1,411 @@ +/* + SSSD + + IPA back end -- set SELinux context in a child module + + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include +#include +#include +#include + +#include "util/util.h" +#include "util/child_common.h" +#include "providers/backend.h" + +struct input_buffer { + const char *seuser; + const char *mls_range; + const char *username; +}; + +static errno_t unpack_buffer(uint8_t *buf, + size_t size, + struct input_buffer *ibuf) +{ + size_t p = 0; + uint32_t len; + + /* seuser */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len); + if (len == 0) { + ibuf->seuser = ""; + DEBUG(SSSDBG_TRACE_INTERNAL, + "Empty SELinux user, will delete the mapping\n"); + } else { + if (len > size - p) return EINVAL; + ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len); + if (ibuf->seuser == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_INTERNAL, "seuser: %s\n", ibuf->seuser); + p += len; + } + + /* MLS range */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len); + if (len == 0) { + if (strcmp(ibuf->seuser, "") != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n"); + return EINVAL; + } + } else { + if (len > size - p) return EINVAL; + ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len); + if 
(ibuf->mls_range == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range: %s\n", ibuf->mls_range); + p += len; + } + + /* username */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len); + if (len == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n"); + return EINVAL; + } else { + if (len > size - p) return EINVAL; + ibuf->username = talloc_strndup(ibuf, (char *)(buf + p), len); + if (ibuf->username == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_INTERNAL, "username: %s\n", ibuf->username); + p += len; + } + + return EOK; +} + +static errno_t pack_buffer(struct response *r, int result) +{ + size_t p = 0; + + /* A buffer with the following structure must be created: + * uint32_t status of the request (required) + */ + r->size = sizeof(uint32_t); + + r->buf = talloc_array(r, uint8_t, r->size); + if(r->buf == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, "result [%d]\n", result); + + /* result */ + SAFEALIGN_SET_UINT32(&r->buf[p], result, &p); + + return EOK; +} + +static errno_t prepare_response(TALLOC_CTX *mem_ctx, + int result, + struct response **rsp) +{ + int ret; + struct response *r = NULL; + + r = talloc_zero(mem_ctx, struct response); + if (r == NULL) { + return ENOMEM; + } + + r->buf = NULL; + r->size = 0; + + ret = pack_buffer(r, result); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pack_buffer failed\n"); + return ret; + } + + *rsp = r; + DEBUG(SSSDBG_TRACE_ALL, "r->size: %zu\n", r->size); + return EOK; +} + +static int sc_set_seuser(const char *login_name, const char *seuser_name, + const char *mls) +{ + int ret; + mode_t old_mask; + + /* This is a workaround for + * https://bugzilla.redhat.com/show_bug.cgi?id=1186422 to make sure + * the directories are created with the expected permissions + */ + old_mask = umask(0); + if (strcmp(seuser_name, "") == 0) { + /* An empty SELinux user should cause SSSD to use the system + * default. 
We need to remove the SELinux user from the DB + * in that case + */ + ret = sss_del_seuser(login_name); + } else { + ret = sss_set_seuser(login_name, seuser_name, mls); + } + umask(old_mask); + return ret; +} + +static bool seuser_needs_update(const char *username, + const char *seuser, + const char *mls_range) +{ + bool needs_update = true; + char *db_seuser = NULL; + char *db_mls_range = NULL; + errno_t ret; + + ret = sss_get_seuser(username, &db_seuser, &db_mls_range); + DEBUG(SSSDBG_TRACE_INTERNAL, + "getseuserbyname: ret: %d seuser: %s mls: %s\n", + ret, db_seuser ? db_seuser : "unknown", + db_mls_range ? db_mls_range : "unknown"); + if (ret == EOK && db_seuser && db_mls_range && + strcmp(db_seuser, seuser) == 0 && + strcmp(db_mls_range, mls_range) == 0) { + needs_update = false; + } + /* OR */ + if (ret == ERR_SELINUX_NOT_MANAGED) { + needs_update = false; + } + + free(db_seuser); + free(db_mls_range); + return needs_update; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int debug_fd = -1; + errno_t ret; + TALLOC_CTX *main_ctx = NULL; + uint8_t *buf = NULL; + ssize_t len = 0; + struct input_buffer *ibuf = NULL; + struct response *resp = NULL; + struct passwd *passwd = NULL; + ssize_t written; + bool needs_update; + const char *username; + const char *opt_logger = NULL; + + struct poptOption long_options[] = { + POPT_AUTOHELP + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, + _("Debug level"), NULL}, + {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0, + _("Add debug timestamps"), NULL}, + {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0, + _("Show timestamps with microseconds"), NULL}, + {"debug-fd", 0, POPT_ARG_INT, &debug_fd, 0, + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, + SSSD_LOGGER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to 
invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + debug_prg_name = talloc_asprintf(NULL, "[sssd[selinux_child[%d]]]", getpid()); + if (debug_prg_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + goto fail; + } + + if (debug_fd != -1) { + ret = set_debug_file_from_fd(debug_fd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } + opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); + + DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n"); + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n", + geteuid(), getegid()); + + /* The functions semanage_genhomedircon and getseuserbyname use gepwnam_r + * and they might fail to return values if they are not in memory cache. + * [main] (0x0400): performing selinux operations + * [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 + * seuser: unconfined_u mls: s0-s0:c0.c15 + * [libsemanage] (0x0020): semanage_genhomedircon returned error code -1. + * [sss_set_seuser] (0x0020): Cannot commit SELinux transaction + * [main] (0x0020): Cannot set SELinux login context. + * [main] (0x0020): selinux_child failed! + */ + if (unsetenv("_SSS_LOOPS") != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unset _SSS_LOOPS, some libsemanage functions might " + "fail.\n"); + } + + /* libsemanage calls access(2) which works with real IDs, not effective. + * We need to switch also the real ID to 0. 
+ */ + if (getuid() != 0) { + ret = setuid(0); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setuid failed: %d, selinux_child might not work!\n", ret); + } + } + + if (getgid() != 0) { + ret = setgid(0); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setgid failed: %d, selinux_child might not work!\n", ret); + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n", + getuid(), getgid()); + + main_ctx = talloc_new(NULL); + if (main_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + talloc_free(discard_const(debug_prg_name)); + goto fail; + } + talloc_steal(main_ctx, debug_prg_name); + + buf = talloc_size(main_ctx, sizeof(uint8_t)*IN_BUF_SIZE); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + goto fail; + } + + ibuf = talloc_zero(main_ctx, struct input_buffer); + if (ibuf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "context initialized\n"); + + errno = 0; + len = sss_atomic_read_s(STDIN_FILENO, buf, IN_BUF_SIZE); + if (len == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + close(STDIN_FILENO); + + ret = unpack_buffer(buf, len, ibuf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "unpack_buffer failed.[%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n"); + + /* When using domain_resolution_order the username will always be + * fully-qualified, what has been causing some SELinux issues as mappings + * for user 'admin' are not applied for 'admin@ipa.example'. + * + * In order to work this around we can take advantage that selinux_child + * queries SSSD since commit 92addd7ba and call getpwnam() in order to get + * the username in the correct format. 
*/ + passwd = getpwnam(ibuf->username); + if (passwd == NULL) { + username = ibuf->username; + DEBUG(SSSDBG_MINOR_FAILURE, + "getpwnam() failed to get info for the user \"%s\". SELinux label " + "setting might fail as well!\n", + ibuf->username); + } else { + username = passwd->pw_name; + } + + needs_update = seuser_needs_update(username, ibuf->seuser, + ibuf->mls_range); + if (needs_update == true) { + ret = sc_set_seuser(username, ibuf->seuser, ibuf->mls_range); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n"); + goto fail; + } + } + + ret = prepare_response(main_ctx, ret, &resp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to prepare response buffer.\n"); + goto fail; + } + + errno = 0; + + written = sss_atomic_write_s(STDOUT_FILENO, resp->buf, resp->size); + if (written == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "write failed [%d][%s].\n", ret, + strerror(ret)); + goto fail; + } + + if (written != resp->size) { + DEBUG(SSSDBG_CRIT_FAILURE, "Expected to write %zu bytes, wrote %zu\n", + resp->size, written); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "selinux_child completed successfully\n"); + close(STDOUT_FILENO); + talloc_free(main_ctx); + return EXIT_SUCCESS; +fail: + DEBUG(SSSDBG_CRIT_FAILURE, "selinux_child failed!\n"); + close(STDOUT_FILENO); + talloc_free(main_ctx); + return EXIT_FAILURE; +} diff --git a/src/providers/krb5/krb5_access.c b/src/providers/krb5/krb5_access.c new file mode 100644 index 0000000..be9068c --- /dev/null +++ b/src/providers/krb5/krb5_access.c 
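Review bot: In `main`, `username = passwd->pw_name;` keeps a pointer into the static storage returned by getpwnam() across the later calls to `seuser_needs_update` and `sc_set_seuser`, and the comment above the `unsetenv("_SSS_LOOPS")` call says the libsemanage functions perform passwd lookups of their own. POSIX allows a later getpwnam(), getpwuid() or getpwent() call to overwrite that storage, so the login name this root-running helper passes to `sss_set_seuser` could change underneath it; whether libsemanage only uses the reentrant variants is not visible from this hunk. Copy the name onto the talloc context instead, `username = talloc_strdup(main_ctx, passwd->pw_name);`, followed by `if (username == NULL) goto fail;`. Separately, the `talloc_new` failure path frees `debug_prg_name` and then jumps to `fail:`, where `DEBUG` runs once more; if the logger reads `debug_prg_name` that is a use after free, so set the pointer to NULL after freeing it.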
@@ -0,0 +1,219 @@ +/* + SSSD + + Kerberos 5 Backend Module - access control + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_utils.h" + +struct krb5_access_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + + struct pam_data *pd; + struct krb5_ctx *krb5_ctx; + struct krb5child_req *kr; + + bool access_allowed; +}; + +static void krb5_access_done(struct tevent_req *subreq); +struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct pam_data *pd, + struct krb5_ctx *krb5_ctx) +{ + struct krb5_access_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + int ret; + const char **attrs; + struct ldb_result *res; + struct sss_domain_info *dom; + + req = tevent_req_create(mem_ctx, &state, struct krb5_access_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->pd = pd; + state->krb5_ctx = krb5_ctx; + state->access_allowed = false; + + ret = get_domain_or_subdomain(be_ctx, pd->domain, &dom); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n"); + goto done; + } + + ret = krb5_setup(state, pd, dom, krb5_ctx, 
&state->kr); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n"); + goto done; + } + + if (pd->cmd != SSS_PAM_ACCT_MGMT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected pam task.\n"); + ret = EINVAL; + goto done; + } + + attrs = talloc_array(state, const char *, 5); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + attrs[0] = SYSDB_UPN; + attrs[1] = SYSDB_UIDNUM; + attrs[2] = SYSDB_GIDNUM; + attrs[3] = SYSDB_CANONICAL_UPN; + attrs[4] = NULL; + + ret = sysdb_get_user_attr(state, be_ctx->domain, state->pd->user, attrs, + &res); + if (ret) { + DEBUG(SSSDBG_FUNC_DATA, + "sysdb search for upn of user [%s] failed.\n", pd->user); + goto done; + } + + switch (res->count) { + case 0: + DEBUG(SSSDBG_FUNC_DATA, + "No attributes for user [%s] found.\n", pd->user); + ret = ENOENT; + goto done; + break; + case 1: + ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx, be_ctx->domain, + state->kr->user, pd->domain, &state->kr->upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "find_or_guess_upn failed.\n"); + goto done; + } + + state->kr->uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, + 0); + if (state->kr->uid == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, + "UID for user [%s] not known.\n", pd->user); + ret = ENOENT; + goto done; + } + + state->kr->gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, + 0); + if (state->kr->gid == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, + "GID for user [%s] not known.\n", pd->user); + ret = ENOENT; + goto done; + } + + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "User search for [%s] returned > 1 results!\n", pd->user); + ret = EINVAL; + goto done; + break; + } + + subreq = handle_child_send(state, state->ev, state->kr); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "handle_child_send failed.\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, krb5_access_done, req); + return req; + +done: + if (ret == EOK) { + 
tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, state->ev); + return req; +} + +static void krb5_access_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct krb5_access_state *state = tevent_req_data(req, + struct krb5_access_state); + int ret; + uint8_t *buf = NULL; + ssize_t len = -1; + int32_t msg_status; + + ret = handle_child_recv(subreq, state, &buf, &len); + talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + if ((size_t) len != sizeof(int32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "message has the wrong size.\n"); + ret = EINVAL; + goto fail; + } + + SAFEALIGN_COPY_INT32(&msg_status, buf, NULL); + + if (msg_status == EOK) { + state->access_allowed = true; + } else { + state->access_allowed = false; + } + + tevent_req_done(req); + return; + +fail: + tevent_req_error(req, ret); + return; +} + +int krb5_access_recv(struct tevent_req *req, bool *access_allowed) +{ + struct krb5_access_state *state = tevent_req_data(req, + struct krb5_access_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *access_allowed = state->access_allowed; + + return EOK; +} diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c new file mode 100644 index 0000000..d40d2af --- /dev/null +++ b/src/providers/krb5/krb5_auth.c 
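Review bot: In `krb5_access_send` the cache lookup `sysdb_get_user_attr(state, be_ctx->domain, ...)` searches the back end's primary domain even though `dom` was resolved from `pd->domain` a few lines earlier and handed to `krb5_setup`. For a user from a subdomain, the UPN, UID and GID stored in `state->kr` for the child's access decision would then come from the wrong domain's cache, or the lookup would end in ENOENT. `krb5_auth_send` in krb5_auth.c of this same patch searches the resolved domain instead. Unless the primary domain is intended here, use `ret = sysdb_get_user_attr(state, dom, state->pd->user, attrs, &res);`, and if it is intended, say why in a comment. `krb5_access_recv` also writes through `access_allowed` without a NULL check, unlike `ipa_get_ad_override_recv` earlier in the patch, so either guard it or document that the argument is required.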
@@ -0,0 +1,1338 @@ +/* + SSSD + + Kerberos 5 Backend Module + + Authors: + Sumit Bose + + Copyright (C) 2009-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include +#include +#include +#include + +#include + +#include "util/util.h" +#include "util/find_uid.h" +#include "util/auth_utils.h" +#include "db/sysdb.h" +#include "util/sss_utf8.h" +#include "util/child_common.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_utils.h" +#include "providers/krb5/krb5_ccache.h" + +#define NON_POSIX_CCNAME_FMT "MEMORY:sssd_nonposix_dummy_%u" + +static int krb5_mod_ccname(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + const char *ccname, + int mod_op) +{ + TALLOC_CTX *tmpctx; + struct sysdb_attrs *attrs; + int ret; + errno_t sret; + bool in_transaction = false; + + if (name == NULL || ccname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing user or ccache name.\n"); + return EINVAL; + } + + if (mod_op != SYSDB_MOD_REP && mod_op != SYSDB_MOD_DEL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported operation [%d].\n", mod_op); + return EINVAL; + } + + DEBUG(SSSDBG_TRACE_ALL, "%s ccname [%s] for user [%s].\n", + mod_op == SYSDB_MOD_REP ? 
"Save" : "Delete", ccname, name); + + tmpctx = talloc_new(mem_ctx); + if (!tmpctx) { + return ENOMEM; + } + + attrs = sysdb_new_attrs(tmpctx); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_CCACHE_FILE, ccname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n"); + goto done; + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error %d starting transaction (%s)\n", ret, strerror(ret)); + goto done; + } + in_transaction = true; + + ret = sysdb_set_user_attr(domain, name, attrs, mod_op); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, strerror(ret)); + goto done; + } + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction!\n"); + goto done; + } + in_transaction = false; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + talloc_zfree(tmpctx); + return ret; +} + +static int krb5_save_ccname(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + const char *ccname) +{ + return krb5_mod_ccname(mem_ctx, sysdb, domain, name, ccname, + SYSDB_MOD_REP); +} + +static int krb5_delete_ccname(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + const char *ccname) +{ + return krb5_mod_ccname(mem_ctx, sysdb, domain, name, ccname, + SYSDB_MOD_DEL); +} + +static int krb5_cleanup(void *ptr) +{ + struct krb5child_req *kr = talloc_get_type(ptr, struct krb5child_req); + + if (kr == NULL) return EOK; + + memset(kr, 0, sizeof(struct krb5child_req)); + + return EOK; +} + +static errno_t +get_krb_primary(struct map_id_name_to_krb_primary *name_to_primary, + char *id_prov_name, bool cs, const char **_krb_primary) +{ + errno_t ret; + int i = 0; + + 
while(name_to_primary != NULL && + name_to_primary[i].id_name != NULL && + name_to_primary[i].krb_primary != NULL) { + + if (sss_string_equal(cs, name_to_primary[i].id_name, id_prov_name)) { + *_krb_primary = name_to_primary[i].krb_primary; + ret = EOK; + goto done; + } + i++; + } + + /* Handle also the case of name_to_primary being NULL */ + ret = ENOENT; + +done: + return ret; +} + +errno_t krb5_setup(TALLOC_CTX *mem_ctx, + struct pam_data *pd, + struct sss_domain_info *dom, + struct krb5_ctx *krb5_ctx, + struct krb5child_req **_krb5_req) +{ + struct krb5child_req *kr; + const char *mapped_name; + TALLOC_CTX *tmp_ctx; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + kr = talloc_zero(tmp_ctx, struct krb5child_req); + if (kr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto done; + } + kr->is_offline = false; + talloc_set_destructor((TALLOC_CTX *) kr, krb5_cleanup); + + kr->pd = pd; + kr->dom = dom; + kr->krb5_ctx = krb5_ctx; + + ret = get_krb_primary(krb5_ctx->name_to_primary, + pd->user, dom->case_sensitive, &mapped_name); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Setting mapped name to: %s\n", mapped_name); + kr->user = mapped_name; + + kr->kuserok_user = sss_output_name(kr, kr->user, + dom->case_sensitive, 0); + if (kr->kuserok_user == NULL) { + ret = ENOMEM; + goto done; + } + } else if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_ALL, "No mapping for: %s\n", pd->user); + kr->user = pd->user; + + kr->kuserok_user = sss_output_name(kr, kr->user, + dom->case_sensitive, 0); + if (kr->kuserok_user == NULL) { + ret = ENOMEM; + goto done; + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "get_krb_primary failed - %s:[%d]\n", + sss_strerror(ret), ret); + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_krb5_req = talloc_steal(mem_ctx, kr); + } + talloc_free(tmp_ctx); + return ret; +} + + +static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx, + struct sss_domain_info 
*domain, + struct confdb_ctx *cdb, + struct pam_data *pd, uid_t uid, + int *pam_status, int *dp_err) +{ + const char *password = NULL; + errno_t ret; + + ret = sss_authtok_get_password(pd->authtok, &password, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get password [%d] %s. Delayed authentication is only " + "available for password authentication (single factor).\n", + ret, strerror(ret)); + *pam_status = PAM_SYSTEM_ERR; + *dp_err = DP_ERR_OK; + return; + } + + ret = sysdb_cache_auth(domain, pd->user, + password, cdb, true, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Offline authentication failed\n"); + *pam_status = cached_login_pam_status(ret); + *dp_err = DP_ERR_OK; + return; + } + + ret = add_user_to_delayed_online_authentication(krb5_ctx, domain, pd, uid); + if (ret == ENOTSUP) { + /* This error is not fatal */ + DEBUG(SSSDBG_MINOR_FAILURE, "Delayed authentication not supported\n"); + } else if (ret != EOK) { + /* This error is not fatal */ + DEBUG(SSSDBG_CRIT_FAILURE, + "add_user_to_delayed_online_authentication failed.\n"); + } + *pam_status = PAM_AUTHINFO_UNAVAIL; + *dp_err = DP_ERR_OFFLINE; +} + +static errno_t krb5_auth_prepare_ccache_name(struct krb5child_req *kr, + struct ldb_message *user_msg, + struct be_ctx *be_ctx) +{ + const char *ccname_template; + + switch (kr->dom->type) { + case DOM_TYPE_POSIX: + ccname_template = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL); + + kr->ccname = expand_ccname_template(kr, kr, ccname_template, + kr->krb5_ctx->illegal_path_re, true, + be_ctx->domain->case_sensitive); + if (kr->ccname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "expand_ccname_template failed.\n"); + return ENOMEM; + } + + kr->old_ccname = ldb_msg_find_attr_as_string(user_msg, + SYSDB_CCACHE_FILE, NULL); + if (kr->old_ccname == NULL) { + DEBUG(SSSDBG_TRACE_LIBS, + "No ccache file for user [%s] found.\n", kr->pd->user); + } + break; + case DOM_TYPE_APPLICATION: + DEBUG(SSSDBG_TRACE_FUNC, + "Domain 
type application, will use in-memory ccache\n"); + /* We don't care about using cryptographic randomness, just + * a non-predictable ccname, so using rand() here is fine + */ + kr->ccname = talloc_asprintf(kr, + NON_POSIX_CCNAME_FMT, + rand() % UINT_MAX); + if (kr->ccname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported domain type\n"); + return EINVAL; + } + + return EOK; +} + +static void krb5_auth_store_creds(struct sss_domain_info *domain, + struct pam_data *pd) +{ + const char *password = NULL; + const char *fa2; + size_t password_len; + size_t fa2_len = 0; + int ret = EOK; + + switch(pd->cmd) { + case SSS_CMD_RENEW: + /* The authtok is set to the credential cache + * during renewal. We don't want to save this + * as the cached password. + */ + break; + case SSS_PAM_PREAUTH: + /* There are no credentials available during pre-authentication, + * nothing to do. */ + break; + case SSS_PAM_AUTHENTICATE: + case SSS_PAM_CHAUTHTOK_PRELIM: + if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_2FA) { + ret = sss_authtok_get_2fa(pd->authtok, &password, &password_len, + &fa2, &fa2_len); + if (ret == EOK && password_len < + domain->cache_credentials_min_ff_length) { + DEBUG(SSSDBG_FATAL_FAILURE, + "First factor is too short to be cache, " + "minimum length is [%u].\n", + domain->cache_credentials_min_ff_length); + ret = EINVAL; + } + } else if (sss_authtok_get_type(pd->authtok) == + SSS_AUTHTOK_TYPE_PASSWORD) { + ret = sss_authtok_get_password(pd->authtok, &password, NULL); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot cache authtok type [%d].\n", + sss_authtok_get_type(pd->authtok)); + ret = EINVAL; + } + break; + case SSS_PAM_CHAUTHTOK: + ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "unsupported PAM command [%d].\n", pd->cmd); + } + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + 
"Failed to get password [%d] %s\n", ret, strerror(ret)); + /* password caching failures are not fatal errors */ + return; + } + + if (password == NULL) { + if (pd->cmd != SSS_CMD_RENEW && pd->cmd != SSS_PAM_PREAUTH) { + DEBUG(SSSDBG_FATAL_FAILURE, + "password not available, offline auth may not work.\n"); + /* password caching failures are not fatal errors */ + } + return; + } + + ret = sysdb_cache_password_ex(domain, pd->user, password, + sss_authtok_get_type(pd->authtok), fa2_len); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to cache password, offline auth may not work." + " (%d)[%s]!?\n", ret, strerror(ret)); + /* password caching failures are not fatal errors */ + } +} + +static bool is_otp_enabled(struct ldb_message *user_msg) +{ + struct ldb_message_element *el; + size_t i; + + el = ldb_msg_find_element(user_msg, SYSDB_AUTH_TYPE); + if (el == NULL) { + return false; + } + + for (i = 0; i < el->num_values; i++) { + if (strcmp((const char * )el->values[i].data, "otp") == 0) { + return true; + } + } + + return false; +} + +/* krb5_auth request */ + +struct krb5_auth_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct pam_data *pd; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + struct krb5_ctx *krb5_ctx; + struct krb5child_req *kr; + + bool search_kpasswd; + + int pam_status; + int dp_err; +}; + +static void krb5_auth_resolve_done(struct tevent_req *subreq); +static void krb5_auth_done(struct tevent_req *subreq); + +struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct pam_data *pd, + struct krb5_ctx *krb5_ctx) +{ + const char **attrs; + struct krb5_auth_state *state; + struct ldb_result *res; + struct krb5child_req *kr = NULL; + const char *realm; + struct tevent_req *req; + struct tevent_req *subreq; + enum sss_authtok_type authtok_type; + int ret; + bool otp; + + req = tevent_req_create(mem_ctx, &state, struct krb5_auth_state); + if (req == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->pd = pd; + state->krb5_ctx = krb5_ctx; + state->kr = NULL; + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_FATAL; + + ret = get_domain_or_subdomain(be_ctx, pd->domain, &state->domain); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_domain_or_subdomain failed.\n"); + goto done; + } + + state->sysdb = state->domain->sysdb; + + authtok_type = sss_authtok_get_type(pd->authtok); + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + case SSS_PAM_CHAUTHTOK: + if (authtok_type != SSS_AUTHTOK_TYPE_PASSWORD + && authtok_type != SSS_AUTHTOK_TYPE_2FA + && authtok_type != SSS_AUTHTOK_TYPE_SC_PIN + && authtok_type != SSS_AUTHTOK_TYPE_SC_KEYPAD) { + /* handle empty password gracefully */ + if (authtok_type == SSS_AUTHTOK_TYPE_EMPTY) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Illegal zero-length authtok for user [%s]\n", + pd->user); + state->pam_status = PAM_AUTH_ERR; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Wrong authtok type for user [%s]. " \ + "Expected [%d], got [%d]\n", pd->user, + SSS_AUTHTOK_TYPE_PASSWORD, + authtok_type); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_FATAL; + ret = EINVAL; + goto done; + } + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + if (pd->priv == 1 && + authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Password reset by root is not supported.\n"); + state->pam_status = PAM_PERM_DENIED; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + break; + case SSS_CMD_RENEW: + if (authtok_type != SSS_AUTHTOK_TYPE_CCFILE) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Wrong authtok type for user [%s]. 
" \ + "Expected [%d], got [%d]\n", pd->user, + SSS_AUTHTOK_TYPE_CCFILE, + authtok_type); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_FATAL; + ret = EINVAL; + goto done; + } + break; + case SSS_PAM_PREAUTH: + break; + default: + DEBUG(SSSDBG_CONF_SETTINGS, "Unexpected pam task %d.\n", pd->cmd); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_FATAL; + ret = EINVAL; + goto done; + } + + if (be_is_offline(be_ctx) && + (pd->cmd == SSS_PAM_CHAUTHTOK || pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || + pd->cmd == SSS_CMD_RENEW)) { + DEBUG(SSSDBG_TRACE_ALL, + "Password changes and ticket renewal are not possible " + "while offline.\n"); + state->pam_status = PAM_AUTHINFO_UNAVAIL; + state->dp_err = DP_ERR_OFFLINE; + ret = EOK; + goto done; + } + + attrs = talloc_array(state, const char *, 8); + if (attrs == NULL) { + ret = ENOMEM; + goto done; + } + + attrs[0] = SYSDB_UPN; + attrs[1] = SYSDB_HOMEDIR; + attrs[2] = SYSDB_CCACHE_FILE; + attrs[3] = SYSDB_UIDNUM; + attrs[4] = SYSDB_GIDNUM; + attrs[5] = SYSDB_CANONICAL_UPN; + attrs[6] = SYSDB_AUTH_TYPE; + attrs[7] = NULL; + + ret = krb5_setup(state, pd, state->domain, krb5_ctx, + &state->kr); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_setup failed.\n"); + goto done; + } + kr = state->kr; + + ret = sysdb_get_user_attr_with_views(state, state->domain, state->pd->user, + attrs, &res); + if (ret) { + DEBUG(SSSDBG_FUNC_DATA, + "sysdb search for upn of user [%s] failed.\n", pd->user); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_OK; + goto done; + } + + realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing Kerberos realm.\n"); + ret = ENOENT; + goto done; + } + + switch (res->count) { + case 0: + DEBUG(SSSDBG_FUNC_DATA, + "No attributes for user [%s] found.\n", pd->user); + ret = ENOENT; + goto done; + break; + + case 1: + ret = find_or_guess_upn(state, res->msgs[0], krb5_ctx, be_ctx->domain, + kr->user, pd->domain, 
&kr->upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "find_or_guess_upn failed.\n"); + goto done; + } + + ret = compare_principal_realm(kr->upn, realm, + &kr->upn_from_different_realm); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "compare_principal_realm failed.\n"); + goto done; + } + + kr->homedir = sss_view_ldb_msg_find_attr_as_string(state->domain, + res->msgs[0], + SYSDB_HOMEDIR, + NULL); + if (kr->homedir == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Home directory for user [%s] not known.\n", pd->user); + } + + kr->uid = sss_view_ldb_msg_find_attr_as_uint64(state->domain, + res->msgs[0], + SYSDB_UIDNUM, 0); + if (kr->uid == 0 && state->domain->type == DOM_TYPE_POSIX) { + DEBUG(SSSDBG_CONF_SETTINGS, + "UID for user [%s] not known.\n", pd->user); + ret = ENOENT; + goto done; + } + + kr->gid = sss_view_ldb_msg_find_attr_as_uint64(state->domain, + res->msgs[0], + SYSDB_GIDNUM, 0); + if (kr->gid == 0 && state->domain->type == DOM_TYPE_POSIX) { + DEBUG(SSSDBG_CONF_SETTINGS, + "GID for user [%s] not known.\n", pd->user); + ret = ENOENT; + goto done; + } + + ret = krb5_auth_prepare_ccache_name(kr, res->msgs[0], state->be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot prepare ccache names!\n"); + goto done; + } + break; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "User search for (%s) returned > 1 results!\n", pd->user); + ret = EINVAL; + goto done; + break; + } + + otp = is_otp_enabled(res->msgs[0]); + if (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM && otp == true) { + /* To avoid consuming the OTP */ + DEBUG(SSSDBG_TRACE_FUNC, + "Skipping password checks for OTP-enabled user\n"); + state->pam_status = PAM_SUCCESS; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + + kr->srv = NULL; + kr->kpasswd_srv = NULL; + + state->search_kpasswd = false; + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->service->name, + state->kr->srv == NULL ? 
true : false); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed resolver request.\n"); + ret = EIO; + goto done; + } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); + + return req; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, state->ev); + return req; +} + +static void krb5_auth_resolve_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); + struct krb5child_req *kr = state->kr; + int ret; + + if (!state->search_kpasswd) { + ret = be_resolve_server_recv(subreq, kr, &kr->srv); + } else { + ret = be_resolve_server_recv(subreq, kr, &kr->kpasswd_srv); + } + talloc_zfree(subreq); + + if (state->search_kpasswd) { + if ((ret != EOK) && + (kr->pd->cmd == SSS_PAM_CHAUTHTOK || + kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { + /* all kpasswd servers have been tried and none was found good, + * but the kdc seems ok. Password changes are not possible but + * authentication is. We return an PAM error here, but do not + * mark the backend offline. 
*/ + state->pam_status = PAM_AUTHTOK_LOCK_BUSY; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + } else { + if (ret != EOK) { + /* all servers have been tried and none + * was found good, setting offline, + * but we still have to call the child to setup + * the ccache file if we are performing auth */ + be_mark_dom_offline(state->domain, state->be_ctx); + kr->is_offline = true; + + if (kr->pd->cmd == SSS_PAM_CHAUTHTOK || + kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(SSSDBG_TRACE_FUNC, + "No KDC suitable for password change is available\n"); + state->pam_status = PAM_AUTHTOK_LOCK_BUSY; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + } else { + if (kr->krb5_ctx->kpasswd_service != NULL) { + state->search_kpasswd = true; + subreq = be_resolve_server_send(state, + state->ev, state->be_ctx, + state->krb5_ctx->kpasswd_service->name, + kr->kpasswd_srv == NULL ? true : false); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Resolver request failed.\n"); + ret = EIO; + goto done; + } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); + return; + } + } + } + + if (!kr->is_offline) { + kr->is_offline = be_is_offline(state->be_ctx); + } + + if (!kr->is_offline + && sss_domain_get_state(state->domain) == DOM_INACTIVE) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Subdomain %s is inactive, will proceed offline\n", + state->domain->name); + kr->is_offline = true; + } + + if (kr->is_offline + && sss_krb5_realm_has_proxy(dp_opt_get_cstring(kr->krb5_ctx->opts, + KRB5_REALM))) { + DEBUG(SSSDBG_TRACE_FUNC, + "Resetting offline status, KDC proxy is in use\n"); + kr->is_offline = false; + } + + subreq = handle_child_send(state, state->ev, kr); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "handle_child_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, krb5_auth_done, req); + return; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +static void 
krb5_auth_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); + struct krb5child_req *kr = state->kr; + struct pam_data *pd = state->pd; + int ret; + uint8_t *buf = NULL; + ssize_t len = -1; + struct krb5_child_response *res; + struct fo_server *search_srv; + krb5_deltat renew_interval_delta; + char *renew_interval_str; + time_t renew_interval_time = 0; + bool use_enterprise_principal; + bool canonicalize; + + ret = handle_child_recv(subreq, pd, &buf, &len); + talloc_zfree(subreq); + if (ret == ETIMEDOUT) { + + DEBUG(SSSDBG_CRIT_FAILURE, "child timed out!\n"); + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + case SSS_CMD_RENEW: + state->search_kpasswd = false; + search_srv = kr->srv; + break; + case SSS_PAM_CHAUTHTOK: + case SSS_PAM_CHAUTHTOK_PRELIM: + if (state->kr->kpasswd_srv) { + state->search_kpasswd = true; + search_srv = kr->kpasswd_srv; + break; + } else { + state->search_kpasswd = false; + search_srv = kr->srv; + break; + } + case SSS_PAM_PREAUTH: + state->pam_status = PAM_CRED_UNAVAIL; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM task\n"); + ret = EINVAL; + goto done; + } + + be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, + search_srv, PORT_NOT_WORKING); + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->service->name, + search_srv == NULL ? 
true : false); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed resolved request.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); + return; + + } else if (ret != EOK) { + + DEBUG(SSSDBG_CRIT_FAILURE, + "child failed (%d [%s])\n", ret, strerror(ret)); + goto done; + } + + /* EOK */ + + ret = parse_krb5_child_response(state, buf, len, pd, + state->be_ctx->domain->pwd_expiration_warning, + &res); + if (ret) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "The krb5_child process returned an error. Please inspect the " + "krb5_child.log file or the journal for more information\n"); + DEBUG(SSSDBG_OP_FAILURE, "Could not parse child response [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + if (res->ccname) { + kr->ccname = talloc_strdup(kr, res->ccname); + if (!kr->ccname) { + ret = ENOMEM; + goto done; + } + } + + use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts, + KRB5_USE_ENTERPRISE_PRINCIPAL); + canonicalize = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_CANONICALIZE); + + /* Check if the cases of our upn are correct and update it if needed. + * Fail if the upn differs by more than just the case for non-enterprise + * principals. 
*/ + if (res->correct_upn != NULL && + strcmp(kr->upn, res->correct_upn) != 0) { + if (strcasecmp(kr->upn, res->correct_upn) == 0 || + canonicalize == true || + use_enterprise_principal == true) { + talloc_free(kr->upn); + kr->upn = talloc_strdup(kr, res->correct_upn); + if (kr->upn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = check_if_cached_upn_needs_update(state->sysdb, state->domain, + pd->user, res->correct_upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "check_if_cached_upn_needs_update failed.\n"); + goto done; + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "UPN used in the request [%s] and " \ + "returned UPN [%s] differ by more " \ + "than just the case.\n", + kr->upn, res->correct_upn); + ret = EINVAL; + goto done; + } + } + + /* If the child request failed, but did not return an offline error code, + * return with the status */ + switch (res->msg_status) { + case ERR_OK: + /* If the child request was successful and we run the first pass of the + * change password request just return success. */ + if (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { + state->pam_status = PAM_SUCCESS; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + break; + + case ERR_NETWORK_IO: + if (kr->kpasswd_srv != NULL && + (pd->cmd == SSS_PAM_CHAUTHTOK || + pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { + /* if using a dedicated kpasswd server for a chpass operation... */ + + be_fo_set_port_status(state->be_ctx, + state->krb5_ctx->kpasswd_service->name, + kr->kpasswd_srv, PORT_NOT_WORKING); + /* ..try to resolve next kpasswd server */ + state->search_kpasswd = true; + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->kpasswd_service->name, + state->kr->kpasswd_srv == NULL ? 
true : false); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Resolver request failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); + return; + } else if (kr->srv != NULL) { + /* failed to use the KDC... */ + be_fo_set_port_status(state->be_ctx, + state->krb5_ctx->service->name, + kr->srv, PORT_NOT_WORKING); + /* ..try to resolve next KDC */ + state->search_kpasswd = false; + subreq = be_resolve_server_send(state, state->ev, state->be_ctx, + state->krb5_ctx->service->name, + kr->srv == NULL ? true : false); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Resolver request failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, krb5_auth_resolve_done, req); + return; + } + break; + + case ERR_CREDS_EXPIRED_CCACHE: + ret = krb5_delete_ccname(state, state->sysdb, state->domain, + pd->user, kr->old_ccname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_delete_ccname failed.\n"); + } + /* FALLTHROUGH */ + SSS_ATTRIBUTE_FALLTHROUGH; + + case ERR_CREDS_EXPIRED: + /* If the password is expired we can safely remove the ccache from the + * cache and disk if it is not actively used anymore. This will allow + * to create a new random ccache if sshd with privilege separation is + * used. 
*/ + if (pd->cmd == SSS_PAM_AUTHENTICATE && !kr->active_ccache) { + if (kr->old_ccname != NULL) { + ret = krb5_delete_ccname(state, state->sysdb, state->domain, + pd->user, kr->old_ccname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_delete_ccname failed.\n"); + } + } + } + + state->pam_status = PAM_NEW_AUTHTOK_REQD; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_CREDS_INVALID: + state->pam_status = PAM_CRED_ERR; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_ACCOUNT_EXPIRED: + state->pam_status = PAM_ACCT_EXPIRED; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_ACCOUNT_LOCKED: + state->pam_status = PAM_PERM_DENIED; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_NO_CREDS: + state->pam_status = PAM_CRED_UNAVAIL; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_AUTH_FAILED: + state->pam_status = PAM_AUTH_ERR; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_CHPASS_FAILED: + state->pam_status = PAM_AUTHTOK_ERR; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + case ERR_NO_AUTH_METHOD_AVAILABLE: + state->pam_status = PAM_NO_MODULE_DATA; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + + default: + DEBUG(SSSDBG_IMPORTANT_INFO, + "The krb5_child process returned an error. 
Please inspect the " + "krb5_child.log file or the journal for more information\n"); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + + if (kr->kpasswd_srv != NULL && + (pd->cmd == SSS_PAM_CHAUTHTOK || + pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM)) { + /* found a dedicated kpasswd server for a chpass operation */ + be_fo_set_port_status(state->be_ctx, + state->krb5_ctx->service->name, + kr->kpasswd_srv, PORT_WORKING); + } else if (kr->srv != NULL) { + /* found a KDC */ + be_fo_set_port_status(state->be_ctx, state->krb5_ctx->service->name, + kr->srv, PORT_WORKING); + } + + /* Now only a successful authentication or password change is left. + * + * We expect that one of the messages in the received buffer contains + * the name of the credential cache file. */ + if (kr->ccname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing ccache name in child response.\n"); + ret = EINVAL; + goto done; + } + + ret = krb5_save_ccname(state, state->sysdb, state->domain, + pd->user, kr->ccname); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_save_ccname failed.\n"); + goto done; + } + renew_interval_str = dp_opt_get_string(kr->krb5_ctx->opts, + KRB5_RENEW_INTERVAL); + if (renew_interval_str != NULL) { + ret = krb5_string_to_deltat(renew_interval_str, &renew_interval_delta); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Reading krb5_renew_interval failed.\n"); + renew_interval_delta = 0; + } + renew_interval_time = renew_interval_delta; + } + if (res->msg_status == ERR_OK && renew_interval_time > 0 && + (pd->cmd == SSS_PAM_AUTHENTICATE || + pd->cmd == SSS_CMD_RENEW || + pd->cmd == SSS_PAM_CHAUTHTOK) && + (res->tgtt.renew_till > res->tgtt.endtime) && + (kr->ccname != NULL)) { + DEBUG(SSSDBG_TRACE_LIBS, + "Adding [%s] for automatic renewal.\n", kr->ccname); + ret = add_tgt_to_renew_table(kr->krb5_ctx, kr->ccname, &(res->tgtt), + pd, kr->upn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "add_tgt_to_renew_table failed, " + "automatic 
renewal not possible.\n"); + } + } + + if (kr->is_offline) { + if (dp_opt_get_bool(kr->krb5_ctx->opts, + KRB5_STORE_PASSWORD_IF_OFFLINE) + && sss_authtok_get_type(pd->authtok) + == SSS_AUTHTOK_TYPE_PASSWORD) { + krb5_auth_cache_creds(state->kr->krb5_ctx, + state->domain, + state->be_ctx->cdb, + state->pd, state->kr->uid, + &state->pam_status, &state->dp_err); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, + "Backend is marked offline, retry later!\n"); + state->pam_status = PAM_AUTHINFO_UNAVAIL; + state->dp_err = DP_ERR_OFFLINE; + } + ret = EOK; + goto done; + } + + if (state->be_ctx->domain->cache_credentials == TRUE + && (!res->otp + || (res->otp && sss_authtok_get_type(pd->authtok) == + SSS_AUTHTOK_TYPE_2FA))) { + krb5_auth_store_creds(state->domain, pd); + } + + /* The SSS_OTP message will prevent pam_sss from putting the entered + * password on the PAM stack for other modules to use. This is not needed + * when both factors were entered separately because here the first factor + * (long term password) can be passed to the other modules. 
*/ + if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE + && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_2FA) { + uint32_t otp_flag = 1; + ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t), + (const uint8_t *) &otp_flag); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pam_add_response failed: %d (%s).\n", + ret, sss_strerror(ret)); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_OK; + goto done; + } + } + + state->pam_status = PAM_SUCCESS; + state->dp_err = DP_ERR_OK; + ret = EOK; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + +} + +int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err) +{ + struct krb5_auth_state *state = tevent_req_data(req, struct krb5_auth_state); + *pam_status = state->pam_status; + *dp_err = state->dp_err; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct krb5_pam_handler_state { + struct pam_data *pd; +}; + +static void krb5_pam_handler_auth_done(struct tevent_req *subreq); +static void krb5_pam_handler_access_done(struct tevent_req *subreq); + +struct tevent_req * +krb5_pam_handler_send(TALLOC_CTX *mem_ctx, + struct krb5_ctx *krb5_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct krb5_pam_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct krb5_pam_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + case SSS_PAM_PREAUTH: + case SSS_CMD_RENEW: + case SSS_PAM_CHAUTHTOK_PRELIM: + case SSS_PAM_CHAUTHTOK: + subreq = krb5_auth_queue_send(state, params->ev, params->be_ctx, + pd, krb5_ctx); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n"); + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, 
krb5_pam_handler_auth_done, req); + break; + case SSS_PAM_ACCT_MGMT: + subreq = krb5_access_send(state, params->ev, params->be_ctx, + pd, krb5_ctx); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_access_send failed.\n"); + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, krb5_pam_handler_access_done, req); + break; + case SSS_PAM_SETCRED: + case SSS_PAM_OPEN_SESSION: + case SSS_PAM_CLOSE_SESSION: + pd->pam_status = PAM_SUCCESS; + goto immediately; + break; + default: + DEBUG(SSSDBG_CONF_SETTINGS, + "krb5 does not handles pam task %d.\n", pd->cmd); + pd->pam_status = PAM_MODULE_UNKNOWN; + goto immediately; + } + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void krb5_pam_handler_auth_done(struct tevent_req *subreq) +{ + struct krb5_pam_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct krb5_pam_handler_state); + + ret = krb5_auth_queue_recv(subreq, &state->pd->pam_status, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + } + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +static void krb5_pam_handler_access_done(struct tevent_req *subreq) +{ + struct krb5_pam_handler_state *state; + struct tevent_req *req; + bool access_allowed; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct krb5_pam_handler_state); + + ret = krb5_access_recv(subreq, &access_allowed); + talloc_zfree(subreq); + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + } + + + DEBUG(SSSDBG_TRACE_LIBS, "Access %s for user [%s].\n", + access_allowed ? 
"allowed" : "denied", state->pd->user); + state->pd->pam_status = access_allowed ? PAM_SUCCESS : PAM_PERM_DENIED; + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +krb5_pam_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct krb5_pam_handler_state *state = NULL; + + state = tevent_req_data(req, struct krb5_pam_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/krb5/krb5_auth.h b/src/providers/krb5/krb5_auth.h new file mode 100644 index 0000000..847fbf5 --- /dev/null +++ b/src/providers/krb5/krb5_auth.h 
@@ -0,0 +1,155 @@
+/*
+ SSSD
+
+ Kerberos Backend, private header file
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __KRB5_AUTH_H__
+#define __KRB5_AUTH_H__
+
+#include
+
+#include "util/sss_krb5.h"
+#include "providers/backend.h"
+#include "util/child_common.h"
+#include "providers/krb5/krb5_common.h"
+#include "providers/krb5/krb5_ccache.h"
+
+#define CCACHE_ENV_NAME "KRB5CCNAME"
+
+#define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"
+
+#define CHILD_OPT_FAST_CCACHE_UID "fast-ccache-uid"
+#define CHILD_OPT_FAST_CCACHE_GID "fast-ccache-gid"
+#define CHILD_OPT_REALM "realm"
+#define CHILD_OPT_LIFETIME "lifetime"
+#define CHILD_OPT_RENEWABLE_LIFETIME "renewable-lifetime"
+#define CHILD_OPT_USE_FAST "use-fast"
+#define CHILD_OPT_FAST_PRINCIPAL "fast-principal"
+#define CHILD_OPT_CANONICALIZE "canonicalize"
+#define CHILD_OPT_SSS_CREDS_PASSWORD "sss-creds-password"
+
+struct krb5child_req {
+ struct pam_data *pd;
+ struct krb5_ctx *krb5_ctx;
+ struct sss_domain_info *dom;
+
+ const char *ccname;
+ const char *old_ccname;
+ const char *homedir;
+ char *upn;
+ uid_t uid;
+ gid_t gid;
+ bool is_offline;
+ struct fo_server *srv;
+ struct fo_server *kpasswd_srv;
+ bool active_ccache;
+ bool valid_tgt;
+ bool upn_from_different_realm;
+ bool send_pac;
+
+ const char *user;
+ const char *kuserok_user;
+};
+
+errno_t krb5_setup(TALLOC_CTX *mem_ctx,
+ struct pam_data *pd,
+ struct sss_domain_info *dom,
+ struct krb5_ctx *krb5_ctx,
+ struct krb5child_req **_krb5_req);
+
+struct tevent_req *
+krb5_pam_handler_send(TALLOC_CTX *mem_ctx,
+ struct krb5_ctx *krb5_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+krb5_pam_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+/* Please use krb5_auth_send/recv *only* if you're certain there can't
+ * be concurrent logins happening. With some ccache back ends, the ccache
+ * files might clobber one another. Please use krb5_auth_queue_send()
+ * instead that queues the requests
+ */
+struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct pam_data *pd,
+ struct krb5_ctx *krb5_ctx);
+int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err);
+
+struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct krb5child_req *kr);
+int handle_child_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint8_t **buf, ssize_t *len);
+
+struct krb5_child_response {
+ int32_t msg_status;
+ struct tgt_times tgtt;
+ char *ccname;
+ char *correct_upn;
+ bool otp;
+};
+
+errno_t
+parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
+ struct pam_data *pd, int pwd_exp_warning,
+ struct krb5_child_response **_res);
+
+errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
+ struct sss_domain_info *domain,
+ struct pam_data *pd,
+ uid_t uid);
+errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
+ struct be_ctx *be_ctx,
+ struct tevent_context *ev);
+
+errno_t init_renew_tgt(struct krb5_ctx *krb5_ctx, struct be_ctx *be_ctx,
+ struct tevent_context *ev, time_t renew_intv);
+errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile,
+ struct tgt_times *tgtt, struct pam_data *pd,
+ const char *upn);
+
+/* krb5_access.c */
+struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct pam_data *pd,
+ struct krb5_ctx *krb5_ctx);
+int krb5_access_recv(struct tevent_req *req, bool *access_allowed);
+
+/* krb5_wait_queue.c */
+struct tevent_req *krb5_auth_queue_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct pam_data *pd,
+ struct krb5_ctx *krb5_ctx);
+
+int krb5_auth_queue_recv(struct tevent_req *req,
+ int *_pam_status,
+ int *_dp_err);
+
+#endif /* __KRB5_AUTH_H__ */
diff --git a/src/providers/krb5/krb5_ccache.c b/src/providers/krb5/krb5_ccache.c
new file mode 100644
index 0000000..2e28276
--- /dev/null
+++ b/src/providers/krb5/krb5_ccache.c
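Review bot: `ILLEGAL_PATH_PATTERN` in the new krb5_auth.h is undocumented, and its three alternatives (`//`, `/./`, `/../`) all require a trailing slash on the dot forms, so a path whose last component is `.` or `..` matches none of them. The code that compiles and applies the pattern is outside this hunk, so whether such a path can reach it has to be confirmed there. If it can, anchoring the dot alternatives, e.g. `"//|/\\.(/|$)|/\\.\\.(/|$)"`, would cover that form, depending on the regex flavour the caller uses. Either way I would add a comment above the macro such as `/* regex matched against expanded ccache paths; rejects empty, "." and ".." components */` so the intended coverage can be reviewed against the pattern.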
@@ -0,0 +1,789 @@ +/* + SSSD + + Kerberos 5 Backend Module -- ccache related utilities + + Authors: + Sumit Bose + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifdef HAVE_KRB5_KRB5_H +#include +#else +#include +#endif + +#include "providers/krb5/krb5_ccache.h" +#include "util/sss_krb5.h" +#include "util/util.h" + +struct string_list { + struct string_list *next; + struct string_list *prev; + char *s; +}; + +static errno_t find_ccdir_parent_data(TALLOC_CTX *mem_ctx, + const char *ccdirname, + struct stat *parent_stat, + struct string_list **missing_parents) +{ + int ret = EFAULT; + char *parent = NULL; + char *end; + struct string_list *li; + + ret = stat(ccdirname, parent_stat); + if (ret == EOK) { + if ( !S_ISDIR(parent_stat->st_mode) ) { + DEBUG(SSSDBG_MINOR_FAILURE, + "[%s] is not a directory.\n", ccdirname); + return EINVAL; + } + return EOK; + } else { + if (errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "stat for [%s] failed: [%d][%s].\n", ccdirname, ret, + strerror(ret)); + return ret; + } + } + + li = talloc_zero(mem_ctx, struct string_list); + if (li == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_zero failed.\n"); + return ENOMEM; + } + + li->s = talloc_strdup(li, ccdirname); + if (li->s == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_strdup failed.\n"); + return ENOMEM; + } + + DLIST_ADD(*missing_parents, li); + + parent = 
talloc_strdup(mem_ctx, ccdirname); + if (parent == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_strdup failed.\n"); + return ENOMEM; + } + + /* We'll remove all trailing slashes from the back so that + * we only pass /some/path to find_ccdir_parent_data, not + * /some/path */ + do { + end = strrchr(parent, '/'); + if (end == NULL || end == parent) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot find parent directory of [%s], / is not allowed.\n", + ccdirname); + ret = EINVAL; + goto done; + } + *end = '\0'; + } while (*(end+1) == '\0'); + + ret = find_ccdir_parent_data(mem_ctx, parent, parent_stat, missing_parents); + +done: + talloc_free(parent); + return ret; +} + +static errno_t check_parent_stat(struct stat *parent_stat, uid_t uid) +{ + if (parent_stat->st_uid != 0 && parent_stat->st_uid != uid) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Private directory can only be created below a directory " + "belonging to root or to [%"SPRIuid"].\n", uid); + return EINVAL; + } + + if (parent_stat->st_uid == uid) { + if (!(parent_stat->st_mode & S_IXUSR)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Parent directory does not have the search bit set for " + "the owner.\n"); + return EINVAL; + } + } else { + if (!(parent_stat->st_mode & S_IXOTH)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Parent directory does not have the search bit set for " + "others.\n"); + return EINVAL; + } + } + + return EOK; +} + +static errno_t create_ccache_dir(const char *ccdirname, uid_t uid, gid_t gid) +{ + int ret = EFAULT; + struct stat parent_stat; + struct string_list *missing_parents = NULL; + struct string_list *li = NULL; + mode_t old_umask; + mode_t new_dir_mode; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_new failed.\n"); + return ENOMEM; + } + + if (*ccdirname != '/') { + DEBUG(SSSDBG_MINOR_FAILURE, + "Only absolute paths are allowed, not [%s] .\n", ccdirname); + ret = EINVAL; + goto done; + } + + ret = find_ccdir_parent_data(tmp_ctx, 
ccdirname, &parent_stat, + &missing_parents); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "find_ccdir_parent_data failed.\n"); + goto done; + } + + ret = check_parent_stat(&parent_stat, uid); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Check the ownership and permissions of krb5_ccachedir: [%s].\n", + ccdirname); + goto done; + } + + DLIST_FOR_EACH(li, missing_parents) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Creating directory [%s].\n", li->s); + new_dir_mode = 0700; + + old_umask = umask(0000); + ret = mkdir(li->s, new_dir_mode); + umask(old_umask); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "mkdir [%s] failed: [%d][%s].\n", li->s, ret, + strerror(ret)); + goto done; + } + ret = chown(li->s, uid, gid); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "chown failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t sss_krb5_precreate_ccache(const char *ccname, uid_t uid, gid_t gid) +{ + TALLOC_CTX *tmp_ctx = NULL; + const char *filename; + char *ccdirname; + char *end; + errno_t ret; + + if (ccname[0] == '/') { + filename = ccname; + } else if (strncmp(ccname, "FILE:", 5) == 0) { + filename = ccname + 5; + } else if (strncmp(ccname, "DIR:", 4) == 0) { + filename = ccname + 4; + } else { + /* only FILE and DIR types need precreation so far, we ignore any + * other type */ + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + ccdirname = talloc_strdup(tmp_ctx, filename); + if (ccdirname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + /* We'll remove all trailing slashes from the back so that + * we only pass /some/path to find_ccdir_parent_data, not + * /some/path/ */ + do { + end = strrchr(ccdirname, '/'); + if (end == NULL || end == ccdirname) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot find parent directory of [%s], " + "/ is not allowed.\n", 
ccdirname); + ret = EINVAL; + goto done; + } + *end = '\0'; + } while (*(end+1) == '\0'); + + ret = create_ccache_dir(ccdirname, uid, gid); +done: + talloc_free(tmp_ctx); + return ret; +} + +struct sss_krb5_ccache { + struct sss_creds *creds; + krb5_context context; + krb5_ccache ccache; +}; + +static int sss_free_krb5_ccache(void *mem) +{ + struct sss_krb5_ccache *cc = talloc_get_type(mem, struct sss_krb5_ccache); + + if (cc->ccache) { + krb5_cc_close(cc->context, cc->ccache); + } + krb5_free_context(cc->context); + restore_creds(cc->creds); + return 0; +} + +static errno_t sss_open_ccache_as_user(TALLOC_CTX *mem_ctx, + const char *ccname, + uid_t uid, gid_t gid, + struct sss_krb5_ccache **ccache) +{ + struct sss_krb5_ccache *cc; + krb5_error_code kerr; + errno_t ret; + + cc = talloc_zero(mem_ctx, struct sss_krb5_ccache); + if (!cc) { + return ENOMEM; + } + talloc_set_destructor((TALLOC_CTX *)cc, sss_free_krb5_ccache); + + ret = switch_creds(cc, uid, gid, 0, NULL, &cc->creds); + if (ret) { + goto done; + } + + kerr = sss_krb5_init_context(&cc->context); + if (kerr) { + ret = EIO; + goto done; + } + + kerr = krb5_cc_resolve(cc->context, ccname, &cc->ccache); + if (kerr == KRB5_FCC_NOFILE || cc->ccache == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "ccache %s is missing or empty\n", ccname); + ret = ERR_NOT_FOUND; + goto done; + } else if (kerr != 0) { + KRB5_DEBUG(SSSDBG_OP_FAILURE, cc->context, kerr); + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n"); + ret = ERR_INTERNAL; + goto done; + } + + ret = EOK; + +done: + if (ret) { + talloc_free(cc); + } else { + *ccache = cc; + } + return ret; +} + +static errno_t sss_destroy_ccache(struct sss_krb5_ccache *cc) +{ + krb5_error_code kerr; + errno_t ret; + + kerr = krb5_cc_destroy(cc->context, cc->ccache); + if (kerr) { + KRB5_DEBUG(SSSDBG_OP_FAILURE, cc->context, kerr); + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_destroy failed.\n"); + ret = EIO; + } else { + ret = EOK; + } + + /* krb5_cc_destroy frees cc->ccache in all events 
*/
+ cc->ccache = NULL;
+
+ return ret;
+}
+
+errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid)
+{
+ struct sss_krb5_ccache *cc = NULL;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+
+ if (ccname == NULL) {
+ /* nothing to remove */
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_open_ccache_as_user(tmp_ctx, ccname, uid, gid, &cc);
+ if (ret) {
+ goto done;
+ }
+
+ ret = sss_destroy_ccache(cc);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/* This function is called only as a way to validate that we have the
+ * right cache */
+errno_t sss_krb5_check_ccache_princ(krb5_context kctx,
+ const char *ccname,
+ krb5_principal user_princ)
+{
+ krb5_ccache kcc = NULL;
+ krb5_principal ccprinc = NULL;
+ krb5_error_code kerr;
+ const char *cc_type;
+ errno_t ret;
+
+ kerr = krb5_cc_resolve(kctx, ccname, &kcc);
+ if (kerr) {
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ cc_type = krb5_cc_get_type(kctx, kcc);
+
+ kerr = krb5_cc_get_principal(kctx, kcc, &ccprinc);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_OP_FAILURE, kctx, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_get_principal failed.\n");
+ }
+
+ if (ccprinc) {
+ if (krb5_principal_compare(kctx, user_princ, ccprinc) == TRUE) {
+ /* found in the primary ccache */
+ ret = EOK;
+ goto done;
+ }
+ }
+
+#ifdef HAVE_KRB5_CC_COLLECTION
+
+ if (krb5_cc_support_switch(kctx, cc_type)) {
+
+ krb5_cc_close(kctx, kcc);
+ kcc = NULL;
+
+ kerr = krb5_cc_set_default_name(kctx, ccname);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_MINOR_FAILURE, kctx, kerr);
+ /* try to continue despite failure */
+ }
+
+ kerr = krb5_cc_cache_match(kctx, user_princ, &kcc);
+ if (kerr == 0) {
+ ret = EOK;
+ goto done;
+ }
+ KRB5_DEBUG(SSSDBG_TRACE_INTERNAL, kctx, kerr);
+ }
+
+#endif /* HAVE_KRB5_CC_COLLECTION */
+
+ ret = ERR_NOT_FOUND;
+
+done:
+ if (ccprinc) {
+ krb5_free_principal(kctx, ccprinc);
+ }
+ if (kcc) {
+
krb5_cc_close(kctx, kcc);
+ }
+ return ret;
+}
+
+static errno_t sss_low_level_path_check(const char *ccname)
+{
+ const char *filename;
+ struct stat buf;
+ int ret;
+
+ if (ccname[0] == '/') {
+ filename = ccname;
+ } else if (strncmp(ccname, "FILE:", 5) == 0) {
+ filename = ccname + 5;
+ } else if (strncmp(ccname, "DIR:", 4) == 0) {
+ filename = ccname + 4;
+ if (filename[0] == ':') filename += 1;
+ } else {
+ /* only FILE and DIR types need file checks so far, we ignore any
+ * other type */
+ return EOK;
+ }
+
+ ret = stat(filename, &buf);
+ if (ret == -1) return errno;
+ return EOK;
+}
+
+errno_t sss_krb5_cc_verify_ccache(const char *ccname, uid_t uid, gid_t gid,
+ const char *realm, const char *principal)
+{
+ struct sss_krb5_ccache *cc = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+ krb5_principal tgt_princ = NULL;
+ krb5_principal princ = NULL;
+ char *tgt_name;
+ krb5_creds mcred = { 0 };
+ krb5_creds cred = { 0 };
+ krb5_error_code kerr;
+ errno_t ret;
+
+ /* first of all verify if the old ccache file/dir exists as we may be
+ * trying to verify if an old ccache exists at all.
If no file/dir
+ * exists bail out immediately otherwise a following krb5_cc_resolve()
+ * call may actually create paths and files we do not want to have
+ * around */
+ ret = sss_low_level_path_check(ccname);
+ if (ret) {
+ return ret;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sss_open_ccache_as_user(tmp_ctx, ccname, uid, gid, &cc);
+ if (ret) {
+ goto done;
+ }
+
+ tgt_name = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", realm, realm);
+ if (!tgt_name) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ kerr = krb5_parse_name(cc->context, tgt_name, &tgt_princ);
+ if (kerr) {
+ KRB5_DEBUG(SSSDBG_CRIT_FAILURE, cc->context, kerr);
+ if (kerr == KRB5_PARSE_MALFORMED) ret = EINVAL;
+ else ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ kerr = krb5_parse_name(cc->context, principal, &princ);
+ if (kerr) {
+ KRB5_DEBUG(SSSDBG_CRIT_FAILURE, cc->context, kerr);
+ if (kerr == KRB5_PARSE_MALFORMED) ret = EINVAL;
+ else ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ mcred.client = princ;
+ mcred.server = tgt_princ;
+ mcred.times.endtime = time(NULL);
+
+ kerr = krb5_cc_retrieve_cred(cc->context, cc->ccache,
+ KRB5_TC_MATCH_TIMES, &mcred, &cred);
+ if (kerr) {
+ if (kerr == KRB5_CC_NOTFOUND || kerr == KRB5_FCC_NOFILE) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "TGT not found or expired.\n");
+ ret = EINVAL;
+ } else {
+ KRB5_DEBUG(SSSDBG_CRIT_FAILURE, cc->context, kerr);
+ ret = ERR_INTERNAL;
+ }
+ }
+ krb5_free_cred_contents(cc->context, &cred);
+
+done:
+ if (tgt_princ) krb5_free_principal(cc->context, tgt_princ);
+ if (princ) krb5_free_principal(cc->context, princ);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
+ struct tgt_times *tgtt)
+{
+ krb5_error_code kerr;
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+ krb5_principal client_princ = NULL;
+ krb5_principal server_princ
= NULL;
+ char *server_name;
+ krb5_creds mcred;
+ krb5_creds cred;
+ const char *realm_name;
+ int realm_length;
+
+ kerr = sss_krb5_init_context(&ctx);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_init_context failed.\n");
+ goto done;
+ }
+
+ kerr = krb5_parse_name(ctx, client_name, &client_princ);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_parse_name failed.\n");
+ goto done;
+ }
+
+ sss_krb5_princ_realm(ctx, client_princ, &realm_name, &realm_length);
+ if (realm_length == 0) {
+ kerr = KRB5KRB_ERR_GENERIC;
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
+ goto done;
+ }
+
+ server_name = talloc_asprintf(NULL, "krbtgt/%.*s@%.*s",
+ realm_length, realm_name,
+ realm_length, realm_name);
+ if (server_name == NULL) {
+ kerr = KRB5_CC_NOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ goto done;
+ }
+
+ kerr = krb5_parse_name(ctx, server_name, &server_princ);
+ talloc_free(server_name);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_parse_name failed.\n");
+ goto done;
+ }
+
+ kerr = krb5_cc_resolve(ctx, ccache_file, &cc);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");
+ goto done;
+ }
+
+ memset(&mcred, 0, sizeof(mcred));
+ memset(&cred, 0, sizeof(mcred));
+
+ mcred.server = server_princ;
+ mcred.client = client_princ;
+
+ kerr = krb5_cc_retrieve_cred(ctx, cc, 0, &mcred, &cred);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_retrieve_cred failed.\n");
+ goto done;
+ }
+
+ tgtt->authtime = cred.times.authtime;
+ tgtt->starttime = cred.times.starttime;
+ tgtt->endtime = cred.times.endtime;
+ tgtt->renew_till = cred.times.renew_till;
+
+ krb5_free_cred_contents(ctx, &cred);
+
+ kerr = krb5_cc_close(ctx, cc);
+ if (kerr != 0) {
+ KRB5_DEBUG(SSSDBG_OP_FAILURE, ctx, kerr);
+
DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_close failed.\n");
+ goto done;
+ }
+ cc = NULL;
+
+ kerr = 0;
+
+done:
+ if (cc != NULL) {
+ krb5_cc_close(ctx, cc);
+ }
+
+ if (client_princ != NULL) {
+ krb5_free_principal(ctx, client_princ);
+ }
+
+ if (server_princ != NULL) {
+ krb5_free_principal(ctx, server_princ);
+ }
+
+ if (ctx != NULL) {
+ krb5_free_context(ctx);
+ }
+
+ if (kerr != 0) {
+ return EIO;
+ }
+
+ return EOK;
+}
+
+errno_t safe_remove_old_ccache_file(const char *old_ccache,
+ const char *new_ccache,
+ uid_t uid, gid_t gid)
+{
+ if ((old_ccache == new_ccache)
+ || (old_ccache && new_ccache
+ && (strcmp(old_ccache, new_ccache) == 0))) {
+ DEBUG(SSSDBG_TRACE_FUNC, "New and old ccache file are the same, "
+ "none will be deleted.\n");
+ return EOK;
+ }
+
+ return sss_krb5_cc_destroy(old_ccache, uid, gid);
+}
+
+krb5_error_code copy_ccache_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
+ const char *ccache_file,
+ char **_mem_name)
+{
+ krb5_error_code kerr;
+ krb5_ccache ccache;
+ krb5_ccache mem_ccache = NULL;
+ char *ccache_name = NULL;
+ krb5_principal princ = NULL;
+ char *mem_name = NULL;
+ char *sep;
+
+ kerr = krb5_cc_resolve(kctx, ccache_file, &ccache);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving ccache [%s].\n",
+ ccache_file);
+ return kerr;
+ }
+
+ kerr = krb5_cc_get_full_name(kctx, ccache, &ccache_name);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read name for ccache [%s].\n",
+ ccache_file);
+ goto done;
+ }
+
+ sep = strchr(ccache_name, ':');
+ if (sep == NULL || sep[1] == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Ccache name [%s] does not have delimiter[:] .\n", ccache_name);
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ if (strncmp(ccache_name, "MEMORY:", sizeof("MEMORY:") -1) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Ccache [%s] is already memory ccache.\n",
+ ccache_name);
+ *_mem_name = talloc_strdup(mem_ctx, ccache_name);
+ if(*_mem_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+ kerr = 0;
+ goto done;
+ }
+ if (strncmp(ccache_name, "FILE:", sizeof("FILE:") -1) == 0) {
+ mem_name = talloc_asprintf(mem_ctx, "MEMORY:%s", sep + 1);
+ if (mem_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unexpected ccache type for ccache [%s], " \
+ "currently only FILE is supported.\n",
+ ccache_name);
+ kerr = KRB5KRB_ERR_GENERIC;
+ goto done;
+ }
+
+ kerr = krb5_cc_resolve(kctx, mem_name, &mem_ccache);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving ccache [%s].\n", mem_name);
+ goto done;
+ }
+
+ kerr = krb5_cc_get_principal(kctx, ccache, &princ);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "error reading principal from ccache [%s].\n", ccache_name);
+ goto done;
+ }
+
+ kerr = krb5_cc_initialize(kctx, mem_ccache, princ);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to initialize ccache [%s].\n", mem_name);
+ goto done;
+ }
+
+ kerr = krb5_cc_copy_creds(kctx, ccache, mem_ccache);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to copy ccache [%s] to [%s].\n", ccache_name, mem_name);
+ goto done;
+ }
+
+ *_mem_name = mem_name;
+ kerr = 0;
+
+done:
+ if (kerr != 0) {
+ talloc_free(mem_name);
+ }
+
+ free(ccache_name);
+ krb5_free_principal(kctx, princ);
+
+ if (krb5_cc_close(kctx, ccache) != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n");
+ }
+
+ if (krb5_cc_close(kctx, mem_ccache) != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_close failed.\n");
+ }
+
+ return kerr;
+}
diff --git a/src/providers/krb5/krb5_ccache.h b/src/providers/krb5/krb5_ccache.h
new file mode 100644
index 0000000..f3928e6
--- /dev/null
+++ b/src/providers/krb5/krb5_ccache.h
@@ -0,0 +1,73 @@
+/*
+ SSSD
+
+ Kerberos 5 Backend Module -- ccache related utilities
+
+ Authors:
+ Sumit Bose
+ Jakub Hrozek
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __KRB5_CCACHE_H__
+#define __KRB5_CCACHE_H__
+
+#include "util/util.h"
+
+struct tgt_times {
+ time_t authtime;
+ time_t starttime;
+ time_t endtime;
+ time_t renew_till;
+};
+
+errno_t sss_krb5_precreate_ccache(const char *ccname, uid_t uid, gid_t gid);
+
+errno_t sss_krb5_cc_destroy(const char *ccname, uid_t uid, gid_t gid);
+
+errno_t sss_krb5_check_ccache_princ(krb5_context kctx,
+ const char *ccname,
+ krb5_principal user_princ);
+
+errno_t sss_krb5_cc_verify_ccache(const char *ccname, uid_t uid, gid_t gid,
+ const char *realm, const char *principal);
+
+errno_t get_ccache_file_data(const char *ccache_file, const char *client_name,
+ struct tgt_times *tgtt);
+
+errno_t safe_remove_old_ccache_file(const char *old_ccache,
+ const char *new_ccache,
+ uid_t uid, gid_t gid);
+
+/**
+ * @brief Copy given ccache into a MEMORY ccache
+ *
+ * @param[in] mem_ctx Talloc memory context the new ccache name should be
+ * allocated on
+ * @param[in] kctx Kerberos context
+ * @param[in] ccache_file Name of existing ccache
+ * @param[out] _mem_name Name of the new MEMORY ccache
+ *
+ * In contrast to MEMORY keytabs MEMORY ccaches can and must be removed
+ * explicitly with krb5_cc_destroy() from the memory.
Just calling
+ * krb5_cc_close() will keep the MEMORY ccache in memory even if there are no
+ * open handles for the given MEMORY ccache.
+ */
+krb5_error_code copy_ccache_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx,
+ const char *ccache_file,
+ char **_mem_name);
+#endif /* __KRB5_CCACHE_H__ */
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
new file mode 100644
index 0000000..a578930
--- /dev/null
+++ b/src/providers/krb5/krb5_child.c
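Review bot: The prototypes in krb5_ccache.h that take `uid`/`gid` (`sss_krb5_cc_destroy`, `sss_krb5_cc_verify_ccache`, `safe_remove_old_ccache_file`) carry no comment, although the implementation in krb5_ccache.c opens the ccache through `sss_open_ccache_as_user()`, which calls `switch_creds()` and restores the previous credentials only from a talloc destructor when the temporary context is freed. A caller reading the header cannot tell that the process identity changes for the duration of the call, or which error codes to expect. I would add a short Doxygen block to each, for example `/** Destroy ccname while running as uid/gid; returns EOK when ccname is NULL. */`, and state on `sss_krb5_cc_verify_ccache` that `EINVAL` means the TGT was not found or has expired and `ERR_NOT_FOUND` that the ccache is missing or empty. The existing comment on `copy_ccache_into_memory` would also benefit from an `@return` line that repeats the caller's duty to remove the MEMORY ccache with `krb5_cc_destroy()`.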
@@ -0,0 +1,3404 @@
+/*
+ SSSD
+
+ Kerberos 5 Backend Module -- tgt_req and changepw child
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009-2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+#include "util/util.h"
+#include "util/sss_krb5.h"
+#include "util/user_info_msg.h"
+#include "util/child_common.h"
+#include "util/find_uid.h"
+#include "src/util/util_errors.h"
+#include "providers/backend.h"
+#include "providers/krb5/krb5_auth.h"
+#include "providers/krb5/krb5_utils.h"
+#include "sss_cli.h"
+
+#define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
+
+#define IS_SC_AUTHTOK(tok) ( \
+ sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+ || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
+typedef krb5_error_code
+(*k5_init_creds_password_fn_t)(krb5_context context, krb5_creds *creds,
+ krb5_principal client, const char *password,
+ krb5_prompter_fct prompter, void *data,
+ krb5_deltat start_time,
+ const char *in_tkt_service,
+ krb5_get_init_creds_opt *k5_gic_options);
+
+enum k5c_fast_opt {
+ K5C_FAST_NEVER,
+ K5C_FAST_TRY,
+ K5C_FAST_DEMAND,
+};
+
+struct cli_opts {
+ char *realm;
+ char *lifetime;
+ char *rtime;
+ char *use_fast_str;
+ char *fast_principal;
+ bool canonicalize;
+};
+
+struct krb5_req {
+ krb5_context ctx;
+ krb5_principal princ;
+ krb5_principal princ_orig;
+ char* name;
+ krb5_creds
*creds;
+ bool otp;
+ bool password_prompting;
+ bool pkinit_prompting;
+ char *otp_vendor;
+ char *otp_token_id;
+ char *otp_challenge;
+ krb5_get_init_creds_opt *options;
+ k5_init_creds_password_fn_t krb5_get_init_creds_password;
+
+ struct pam_data *pd;
+
+ char *realm;
+ char *ccname;
+ char *keytab;
+ bool validate;
+ bool posix_domain;
+ bool send_pac;
+ bool use_enterprise_princ;
+ char *fast_ccname;
+
+ const char *upn;
+ uid_t uid;
+ gid_t gid;
+
+ char *old_ccname;
+ bool old_cc_valid;
+ bool old_cc_active;
+ enum k5c_fast_opt fast_val;
+
+ uid_t fast_uid;
+ gid_t fast_gid;
+
+ struct cli_opts *cli_opts;
+};
+
+static krb5_context krb5_error_ctx;
+#define KRB5_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error)
+
+static errno_t k5c_become_user(uid_t uid, gid_t gid, bool is_posix)
+{
+ if (is_posix == false) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Will not drop privileges for a non-POSIX user\n");
+ return EOK;
+ }
+ return become_user(uid, gid);
+}
+
+static krb5_error_code set_lifetime_options(struct cli_opts *cli_opts,
+ krb5_get_init_creds_opt *options)
+{
+ krb5_error_code kerr;
+ krb5_deltat lifetime;
+
+ if (cli_opts->rtime == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "No specific renewable lifetime requested.\n");
+
+ /* Unset option flag to make sure defaults from krb5.conf are used. */
+ options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE);
+ } else {
+ kerr = krb5_string_to_deltat(cli_opts->rtime, &lifetime);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "krb5_string_to_deltat failed for [%s].\n", cli_opts->rtime);
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS, "Renewable lifetime is set to [%s]\n",
+ cli_opts->rtime);
+ krb5_get_init_creds_opt_set_renew_life(options, lifetime);
+ }
+
+ if (cli_opts->lifetime == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "No specific lifetime requested.\n");
+
+ /* Unset option flag to make sure defaults from krb5.conf are used.
*/
+ options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_TKT_LIFE);
+ } else {
+ kerr = krb5_string_to_deltat(cli_opts->lifetime, &lifetime);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "krb5_string_to_deltat failed for [%s].\n",
+ cli_opts->lifetime);
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS, "Lifetime is set to [%s]\n",
+ cli_opts->lifetime);
+ krb5_get_init_creds_opt_set_tkt_life(options, lifetime);
+ }
+
+ return 0;
+}
+
+static void set_canonicalize_option(struct cli_opts *cli_opts,
+ krb5_get_init_creds_opt *opts)
+{
+ int canonicalize = 0;
+
+ canonicalize = cli_opts->canonicalize ? 1 : 0;
+ DEBUG(SSSDBG_CONF_SETTINGS, "Canonicalization is set to [%s]\n",
+ cli_opts->canonicalize ? "true" : "false");
+ sss_krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize);
+}
+
+static void set_changepw_options(krb5_get_init_creds_opt *options)
+{
+ sss_krb5_get_init_creds_opt_set_canonicalize(options, 0);
+ krb5_get_init_creds_opt_set_forwardable(options, 0);
+ krb5_get_init_creds_opt_set_proxiable(options, 0);
+ krb5_get_init_creds_opt_set_renew_life(options, 0);
+ krb5_get_init_creds_opt_set_tkt_life(options, 5*60);
+}
+
+static void revert_changepw_options(struct cli_opts *cli_opts,
+ krb5_get_init_creds_opt *options)
+{
+ krb5_error_code kerr;
+
+ set_canonicalize_option(cli_opts, options);
+
+ /* Currently we do not set forwardable and proxiable explicitly, the flags
+ * must be removed so that libkrb5 can take the defaults from krb5.conf */
+ options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_FORWARDABLE);
+ options->flags &= ~(KRB5_GET_INIT_CREDS_OPT_PROXIABLE);
+
+ kerr = set_lifetime_options(cli_opts, options);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "set_lifetime_options failed.\n");
+ }
+}
+
+
+static errno_t sss_send_pac(krb5_authdata **pac_authdata)
+{
+ struct sss_cli_req_data sss_data;
+ int ret;
+ int errnop;
+
+ sss_data.len = pac_authdata[0]->length;
+ sss_data.data = pac_authdata[0]->contents;
+
+ ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data,
+ NULL, NULL, &errnop);
+ if (ret != NSS_STATUS_SUCCESS || errnop != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_pac_make_request failed [%d][%d].\n",
+ ret, errnop);
+ return EIO;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "PAC responder contacted. It might take a bit of time in case the "
+ "cache is not up to date.\n");
+
+ return EOK;
+}
+
+static void sss_krb5_expire_callback_func(krb5_context context, void *data,
+ krb5_timestamp password_expiration,
+ krb5_timestamp account_expiration,
+ krb5_boolean is_last_req)
+{
+ int ret;
+ uint32_t *blob;
+ long exp_time;
+ struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
+
+ if (password_expiration == 0) {
+ return;
+ }
+
+ exp_time = password_expiration - time(NULL);
+ if (exp_time < 0 || exp_time > UINT32_MAX) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Time to expire out of range.\n");
+ return;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "exp_time: [%ld]\n", exp_time);
+
+ blob = talloc_array(kr->pd, uint32_t, 2);
+ if (blob == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+ return;
+ }
+
+ blob[0] = SSS_PAM_USER_INFO_EXPIRE_WARN;
+ blob[1] = (uint32_t) exp_time;
+
+ ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t),
+ (uint8_t *) blob);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return;
+}
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER
+/*
+ * TODO: These features generally would requires a significant refactoring
+ * of SSSD and MIT krb5 doesn't support them anyway. They are listed here
+ * simply as a reminder of things that might become future feature potential.
+ *
+ * 1. tokeninfo selection
+ * 2. challenge
+ * 3. discreet token/PIN prompting
+ * 4. interactive OTP format correction
+ * 5.
nextOTP
+ *
+ */
+typedef int (*checker)(int c);
+
+static inline checker pick_checker(int format)
+{
+ switch (format) {
+ case KRB5_RESPONDER_OTP_FORMAT_DECIMAL:
+ return isdigit;
+ case KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:
+ return isxdigit;
+ case KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:
+ return isalnum;
+ }
+
+ return NULL;
+}
+
+static int token_pin_destructor(char *mem)
+{
+ safezero(mem, strlen(mem));
+ return 0;
+}
+
+static krb5_error_code tokeninfo_matches_2fa(TALLOC_CTX *mem_ctx,
+ const krb5_responder_otp_tokeninfo *ti,
+ const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len,
+ char **out_token, char **out_pin)
+{
+ char *token = NULL, *pin = NULL;
+ checker check = NULL;
+ int i;
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
+ return ENOTSUP;
+ }
+
+ if (ti->challenge != NULL) {
+ return ENOTSUP;
+ }
+
+ /* This is a non-sensical value. */
+ if (ti->length == 0) {
+ return EPROTO;
+ }
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
+ if (ti->length > 0 && ti->length != fa2_len) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Expected [%d] and given [%zu] token size "
+ "do not match.\n", ti->length, fa2_len);
+ return EMSGSIZE;
+ }
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
+
+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
+ if (pin == NULL) {
+ talloc_free(token);
+ return ENOMEM;
+ }
+ talloc_set_destructor(pin, token_pin_destructor);
+
+ token = talloc_strndup(mem_ctx, fa2, fa2_len);
+ if (token == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(token, token_pin_destructor);
+
+ check = pick_checker(ti->format);
+ }
+ } else {
+ token = talloc_asprintf(mem_ctx, "%s%s", fa1, fa2);
+ if (token == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(token, token_pin_destructor);
+
+ check = pick_checker(ti->format);
+ }
+ } else {
+ /* Assuming PIN only required */
+ pin = talloc_strndup(mem_ctx, fa1, fa1_len);
+ if (pin == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(pin, token_pin_destructor);
+ }
+
+ /* If check is set, we need to verify the contents of the token. */
+ for (i = 0; check != NULL && token[i] != '\0'; i++) {
+ if (!check(token[i])) {
+ talloc_free(token);
+ talloc_free(pin);
+ return EBADMSG;
+ }
+ }
+
+ *out_token = token;
+ *out_pin = pin;
+ return 0;
+}
+static krb5_error_code tokeninfo_matches_pwd(TALLOC_CTX *mem_ctx,
+ const krb5_responder_otp_tokeninfo *ti,
+ const char *pwd, size_t len,
+ char **out_token, char **out_pin)
+{
+ char *token = NULL, *pin = NULL;
+ checker check = NULL;
+ int i;
+
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_NEXTOTP) {
+ return ENOTSUP;
+ }
+
+ if (ti->challenge != NULL) {
+ return ENOTSUP;
+ }
+
+ /* This is a non-sensical value. */
+ if (ti->length == 0) {
+ return EPROTO;
+ }
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
+ /* ASSUMPTION: authtok has one of the following formats:
+ * 1. TokenValue
+ * 2. PIN+TokenValue
+ */
+ token = talloc_strndup(mem_ctx, pwd, len);
+ if (token == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(token, token_pin_destructor);
+
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN) {
+ /* If the server desires a separate PIN, we will split it.
+ * ASSUMPTION: Format of authtok is PIN+TokenValue. */
+ if (ti->flags & KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN) {
+ if (ti->length < 1) {
+ talloc_free(token);
+ return ENOTSUP;
+ }
+
+ if (ti->length >= len) {
+ talloc_free(token);
+ return EMSGSIZE;
+ }
+
+ /* Copy the PIN from the front of the value. */
+ pin = talloc_strndup(NULL, pwd, len - ti->length);
+ if (pin == NULL) {
+ talloc_free(token);
+ return ENOMEM;
+ }
+ talloc_set_destructor(pin, token_pin_destructor);
+
+ /* Remove the PIN from the front of the token value.
*/
+ memmove(token, token + len - ti->length, ti->length + 1);
+
+ check = pick_checker(ti->format);
+ } else {
+ if (ti->length > 0 && ti->length > len) {
+ talloc_free(token);
+ return EMSGSIZE;
+ }
+ }
+ } else {
+ if (ti->length > 0 && ti->length != len) {
+ talloc_free(token);
+ return EMSGSIZE;
+ }
+
+ check = pick_checker(ti->format);
+ }
+ } else {
+ pin = talloc_strndup(mem_ctx, pwd, len);
+ if (pin == NULL) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(pin, token_pin_destructor);
+ }
+
+ /* If check is set, we need to verify the contents of the token. */
+ for (i = 0; check != NULL && token[i] != '\0'; i++) {
+ if (!check(token[i])) {
+ talloc_free(token);
+ talloc_free(pin);
+ return EBADMSG;
+ }
+ }
+
+ *out_token = token;
+ *out_pin = pin;
+ return 0;
+}
+
+static krb5_error_code tokeninfo_matches(TALLOC_CTX *mem_ctx,
+ const krb5_responder_otp_tokeninfo *ti,
+ struct sss_auth_token *auth_tok,
+ char **out_token, char **out_pin)
+{
+ int ret;
+ const char *pwd;
+ size_t len;
+ const char *fa2;
+ size_t fa2_len;
+
+ switch (sss_authtok_get_type(auth_tok)) {
+ case SSS_AUTHTOK_TYPE_PASSWORD:
+ ret = sss_authtok_get_password(auth_tok, &pwd, &len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_password failed.\n");
+ return ret;
+ }
+
+ return tokeninfo_matches_pwd(mem_ctx, ti, pwd, len, out_token, out_pin);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ ret = sss_authtok_get_2fa(auth_tok, &pwd, &len, &fa2, &fa2_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_2fa failed.\n");
+ return ret;
+ }
+
+ return tokeninfo_matches_2fa(mem_ctx, ti, pwd, len, fa2, fa2_len,
+ out_token, out_pin);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type.\n");
+ }
+
+ return EINVAL;
+}
+
+static krb5_error_code answer_otp(krb5_context ctx,
+ struct krb5_req *kr,
+ krb5_responder_context rctx)
+{
+ krb5_responder_otp_challenge *chl;
+ char *token = NULL, *pin = NULL;
+ krb5_error_code ret;
+ size_t i;
+
+ ret =
krb5_responder_otp_get_challenge(ctx, rctx, &chl);
+ if (ret != EOK || chl == NULL) {
+ /* Either an error, or nothing to do. */
+ return ret;
+ }
+
+ if (chl->tokeninfo == NULL || chl->tokeninfo[0] == NULL) {
+ /* No tokeninfos? Absurd! */
+ ret = EINVAL;
+ goto done;
+ }
+
+ kr->otp = true;
+
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
+ for (i = 0; chl->tokeninfo[i] != NULL; i++) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Vendor [%s].\n",
+ i, chl->tokeninfo[i]->vendor);
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Token-ID [%s].\n",
+ i, chl->tokeninfo[i]->token_id);
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Challenge [%s].\n",
+ i, chl->tokeninfo[i]->challenge);
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Flags [%d].\n",
+ i, chl->tokeninfo[i]->flags);
+ }
+
+ if (chl->tokeninfo[0]->vendor != NULL) {
+ kr->otp_vendor = talloc_strdup(kr, chl->tokeninfo[0]->vendor);
+ }
+ if (chl->tokeninfo[0]->token_id != NULL) {
+ kr->otp_token_id = talloc_strdup(kr, chl->tokeninfo[0]->token_id);
+ }
+ if (chl->tokeninfo[0]->challenge != NULL) {
+ kr->otp_challenge = talloc_strdup(kr, chl->tokeninfo[0]->challenge);
+ }
+ /* Allocation errors are ignored on purpose */
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Exit answer_otp during pre-auth.\n");
+ return EAGAIN;
+ }
+
+ /* Find the first supported tokeninfo which matches our authtoken. */
+ for (i = 0; chl->tokeninfo[i] != NULL; i++) {
+ ret = tokeninfo_matches(kr, chl->tokeninfo[i], kr->pd->authtok,
+ &token, &pin);
+ if (ret == EOK) {
+ break;
+ }
+
+ switch (ret) {
+ case EBADMSG:
+ case EMSGSIZE:
+ case ENOTSUP:
+ case EPROTO:
+ break;
+ default:
+ goto done;
+ }
+ }
+ if (chl->tokeninfo[i] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No tokeninfos found which match our credentials.\n");
+ ret = EOK;
+ goto done;
+ }
+
+ if (chl->tokeninfo[i]->flags & KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN) {
+ /* Don't let SSSD cache the OTP authtoken since it is single-use.
*/
+ ret = pam_add_response(kr->pd, SSS_OTP, 0, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ goto done;
+ }
+ }
+
+ /* Respond with the appropriate answer. */
+ ret = krb5_responder_otp_set_answer(ctx, rctx, i, token, pin);
+done:
+ talloc_free(token);
+ talloc_free(pin);
+ krb5_responder_otp_challenge_free(ctx, rctx, chl);
+ return ret;
+}
+
+static bool pkinit_identity_matches(const char *identity,
+ const char *token_name,
+ const char *module_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *str;
+ bool res = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ return false;
+ }
+
+ str = talloc_asprintf(tmp_ctx, "module_name=%s", module_name);
+ if (str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ goto done;
+ }
+
+ if (strstr(identity, str) == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Identity [%s] does not contain [%s].\n",
+ identity, str);
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in identity [%s].\n", str, identity);
+
+ str = talloc_asprintf(tmp_ctx, "token=%s", token_name);
+ if (str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ goto done;
+ }
+
+ if (strstr(identity, str) == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "Identity [%s] does not contain [%s].\n",
+ identity, str);
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "Found [%s] in identity [%s].\n", str, identity);
+
+ res = true;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return res;
+}
+
+static krb5_error_code answer_pkinit(krb5_context ctx,
+ struct krb5_req *kr,
+ krb5_responder_context rctx)
+{
+ krb5_error_code kerr;
+ const char *pin = NULL;
+ const char *token_name = NULL;
+ const char *module_name = NULL;
+ krb5_responder_pkinit_challenge *chl = NULL;
+ size_t c;
+
+ kerr = krb5_responder_pkinit_get_challenge(ctx, rctx, &chl);
+ if (kerr != EOK || chl == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_responder_pkinit_get_challenge failed.\n");
+
return kerr;
+ }
+ if (chl->identities == NULL || chl->identities[0] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No identities for pkinit!\n");
+ kerr = EINVAL;
+ goto done;
+ }
+
+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
+ for (c = 0; chl->identities[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%zu] Identity [%s] flags [%"PRId32"].\n",
+ c, chl->identities[c]->identity,
+ chl->identities[c]->token_flags);
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Setting pkinit_prompting.\n");
+ kr->pkinit_prompting = true;
+
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && (sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
+ kerr = sss_authtok_get_sc(kr->pd->authtok, &pin, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ NULL, NULL);
+ if (kerr != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_authtok_get_sc failed.\n");
+ goto done;
+ }
+
+ for (c = 0; chl->identities[c] != NULL; c++) {
+ if (chl->identities[c]->identity != NULL
+ && pkinit_identity_matches(chl->identities[c]->identity,
+ token_name, module_name)) {
+ break;
+ }
+ }
+
+ if (chl->identities[c] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No matching identity for [%s][%s] found in pkinit challenge.\n",
+ token_name, module_name);
+ kerr = EINVAL;
+ goto done;
+ }
+
+ kerr = krb5_responder_pkinit_set_answer(ctx, rctx,
+ chl->identities[c]->identity,
+ pin);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_responder_set_answer failed.\n");
+ }
+
+ goto done;
+ }
+
+ kerr = EOK;
+
+done:
+ krb5_responder_pkinit_challenge_free(ctx, rctx, chl);
+
+ return kerr;
+}
+
+static krb5_error_code sss_krb5_responder(krb5_context ctx,
+ void *data,
+ krb5_responder_context rctx)
+{
+ struct krb5_req *kr = talloc_get_type(data, struct krb5_req);
+ const char * const *question_list;
+ size_t c;
+ const char *pwd;
+ int ret;
+ krb5_error_code kerr;
+
+ if (kr == NULL) {
+ return EINVAL;
+ }
+
+ question_list = krb5_responder_list_questions(ctx,
rctx); + + if (question_list != NULL) { + for (c = 0; question_list[c] != NULL; c++) { + DEBUG(SSSDBG_TRACE_ALL, "Got question [%s].\n", question_list[c]); + + if (strcmp(question_list[c], + KRB5_RESPONDER_QUESTION_PASSWORD) == 0) { + kr->password_prompting = true; + + if ((kr->pd->cmd == SSS_PAM_AUTHENTICATE + || kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM + || kr->pd->cmd == SSS_PAM_CHAUTHTOK) + && sss_authtok_get_type(kr->pd->authtok) + == SSS_AUTHTOK_TYPE_PASSWORD) { + ret = sss_authtok_get_password(kr->pd->authtok, &pwd, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_authtok_get_password failed.\n"); + return ret; + } + + kerr = krb5_responder_set_answer(ctx, rctx, + KRB5_RESPONDER_QUESTION_PASSWORD, + pwd); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "krb5_responder_set_answer failed.\n"); + } + + return kerr; + } + } else if (strcmp(question_list[c], + KRB5_RESPONDER_QUESTION_PKINIT) == 0) { + return answer_pkinit(ctx, kr, rctx); + } + } + } + + return answer_otp(ctx, kr, rctx); +} +#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER */ + +static char *password_or_responder(const char *password) +{ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER + /* If the new responder interface is available, we will handle even simple + * passwords in the responder. 
*/ + return NULL; +#else + return discard_const(password); +#endif +} + +static krb5_error_code sss_krb5_prompter(krb5_context context, void *data, + const char *name, const char *banner, + int num_prompts, krb5_prompt prompts[]) +{ + int ret; + size_t c; + struct krb5_req *kr = talloc_get_type(data, struct krb5_req); + + if (kr == NULL) { + return EINVAL; + } + + DEBUG(SSSDBG_TRACE_ALL, + "sss_krb5_prompter name [%s] banner [%s] num_prompts [%d] EINVAL.\n", + name, banner, num_prompts); + + if (num_prompts != 0) { + if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) { + for (c = 0; c < num_prompts; c++) { + DEBUG(SSSDBG_TRACE_ALL, "Prompt [%zu][%s].\n", c, + prompts[c].prompt); + } + } + + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot handle password prompts.\n"); + return KRB5_LIBOS_CANTREADPWD; + } + + if (banner == NULL || *banner == '\0') { + DEBUG(SSSDBG_FUNC_DATA, + "Prompter called with empty banner, nothing to do.\n"); + return EOK; + } + + DEBUG(SSSDBG_FUNC_DATA, "Prompter called with [%s].\n", banner); + + ret = pam_add_response(kr->pd, SSS_PAM_TEXT_MSG, strlen(banner)+1, + (const uint8_t *) banner); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + + return EOK; +} + + +static krb5_error_code create_empty_cred(krb5_context ctx, krb5_principal princ, + krb5_creds **_cred) +{ + krb5_error_code kerr; + krb5_creds *cred = NULL; + krb5_data *krb5_realm; + + cred = calloc(sizeof(krb5_creds), 1); + if (cred == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "calloc failed.\n"); + return ENOMEM; + } + + kerr = krb5_copy_principal(ctx, princ, &cred->client); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n"); + goto done; + } + + krb5_realm = krb5_princ_realm(ctx, princ); + + kerr = krb5_build_principal_ext(ctx, &cred->server, + krb5_realm->length, krb5_realm->data, + KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, + krb5_realm->length, krb5_realm->data, 0); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_build_principal_ext failed.\n"); + 
goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Created empty krb5_creds.\n"); + +done: + if (kerr != 0) { + krb5_free_cred_contents(ctx, cred); + free(cred); + } else { + *_cred = cred; + } + + return kerr; +} + + +static errno_t handle_randomized(char *in) +{ + size_t ccname_len; + char *ccname = NULL; + int ret; + + /* We only treat the FILE type case in a special way due to the history + * of storing FILE type ccache in /tmp and associated security issues */ + if (in[0] == '/') { + ccname = in; + } else if (strncmp(in, "FILE:", 5) == 0) { + ccname = in + 5; + } else { + return EOK; + } + + ccname_len = strlen(ccname); + if (ccname_len >= 6 && strcmp(ccname + (ccname_len - 6), "XXXXXX") == 0) { + /* NOTE: this call is only used to create a unique name, as later + * krb5_cc_initialize() will unlink and recreate the file. + * This is ok because this part of the code is called with + * privileges already dropped when handling user ccache, or the ccache + * is stored in a private directory. So we do not have huge issues if + * something races, we mostly care only about not accidentally use + * an existing name and thus failing in the process of saving the + * cache. Malicious races can only be avoided by libkrb5 itself. */ + ret = sss_unique_filename(NULL, ccname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "mkstemp(\"%s\") failed [%d]: %s!\n", + ccname, ret, strerror(ret)); + return ret; + } + } + + return EOK; +} + +/* NOTE: callers rely on 'name' being *changed* if it needs to be randomized, + * as they will then send the name back to the new name via the return call + * k5c_attach_ccname_msg(). Callers will send in a copy of the name if they + * do not care for changes. 
*/ +static krb5_error_code create_ccache(char *ccname, krb5_creds *creds) +{ + krb5_context kctx = NULL; + krb5_ccache kcc = NULL; + const char *type; + krb5_error_code kerr; +#ifdef HAVE_KRB5_CC_COLLECTION + krb5_ccache cckcc; + bool switch_to_cc = false; +#endif + + /* Set a restrictive umask, just in case we end up creating any file */ + umask(SSS_DFL_UMASK); + + /* we create a new context here as the main process one may have been + * opened as root and contain possibly references (even open handles?) + * to resources we do not have or do not want to have access to */ + kerr = krb5_init_context(&kctx); + if (kerr) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + return ERR_INTERNAL; + } + + kerr = handle_randomized(ccname); + if (kerr) { + DEBUG(SSSDBG_CRIT_FAILURE, "handle_randomized failed: %d\n", kerr); + goto done; + } + + kerr = krb5_cc_resolve(kctx, ccname, &kcc); + if (kerr) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + goto done; + } + + type = krb5_cc_get_type(kctx, kcc); + DEBUG(SSSDBG_TRACE_ALL, "Initializing ccache of type [%s]\n", type); + +#ifdef HAVE_KRB5_CC_COLLECTION + if (krb5_cc_support_switch(kctx, type)) { + DEBUG(SSSDBG_TRACE_ALL, "CC supports switch\n"); + kerr = krb5_cc_set_default_name(kctx, ccname); + if (kerr) { + DEBUG(SSSDBG_TRACE_ALL, "Cannot set default name!\n"); + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + goto done; + } + + kerr = krb5_cc_cache_match(kctx, creds->client, &cckcc); + if (kerr == KRB5_CC_NOTFOUND) { + DEBUG(SSSDBG_TRACE_ALL, "Match not found\n"); + kerr = krb5_cc_new_unique(kctx, type, NULL, &cckcc); + switch_to_cc = true; + } + if (kerr) { + DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_cache_match failed\n"); + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + goto done; + } + krb5_cc_close(kctx, kcc); + kcc = cckcc; + } +#endif + + kerr = krb5_cc_initialize(kctx, kcc, creds->client); + if (kerr) { + DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_initialize failed\n"); + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + goto done; + 
} + + kerr = krb5_cc_store_cred(kctx, kcc, creds); + if (kerr) { + DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_store_cred failed\n"); + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + goto done; + } + +#ifdef HAVE_KRB5_CC_COLLECTION + if (switch_to_cc) { + DEBUG(SSSDBG_TRACE_ALL, "switch_to_cc\n"); + kerr = krb5_cc_switch(kctx, kcc); + if (kerr) { + DEBUG(SSSDBG_TRACE_ALL, "krb5_cc_switch\n"); + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + goto done; + } + } +#endif + + DEBUG(SSSDBG_TRACE_ALL, "returning: %d\n", kerr); +done: + if (kcc) { + /* FIXME: should we krb5_cc_destroy in case of error? */ + krb5_cc_close(kctx, kcc); + } + return kerr; +} + +static errno_t pack_response_packet(TALLOC_CTX *mem_ctx, errno_t error, + struct response_data *resp_list, + uint8_t **_buf, size_t *_len) +{ + uint8_t *buf; + size_t size = 0; + size_t p = 0; + struct response_data *pdr; + + /* A buffer with the following structure must be created: + * int32_t status of the request (required) + * message (zero or more) + * + * A message consists of: + * int32_t type of the message + * int32_t length of the following data + * uint8_t[len] data + */ + + size = sizeof(int32_t); + + for (pdr = resp_list; pdr != NULL; pdr = pdr->next) { + size += 2*sizeof(int32_t) + pdr->len; + } + + buf = talloc_array(mem_ctx, uint8_t, size); + if (!buf) { + DEBUG(SSSDBG_CRIT_FAILURE, "Insufficient memory to create message.\n"); + return ENOMEM; + } + + SAFEALIGN_SET_INT32(&buf[p], error, &p); + + for (pdr = resp_list; pdr != NULL; pdr = pdr->next) { + SAFEALIGN_SET_INT32(&buf[p], pdr->type, &p); + SAFEALIGN_SET_INT32(&buf[p], pdr->len, &p); + safealign_memcpy(&buf[p], pdr->data, pdr->len, &p); + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "response packet size: [%zu]\n", p); + + *_buf = buf; + *_len = p; + return EOK; +} + +static errno_t k5c_attach_otp_info_msg(struct krb5_req *kr) +{ + uint8_t *msg = NULL; + size_t msg_len; + int ret; + size_t vendor_len = 0; + size_t token_id_len = 0; + size_t challenge_len = 0; + size_t 
idx = 0; + + msg_len = 3; + if (kr->otp_vendor != NULL) { + vendor_len = strlen(kr->otp_vendor); + msg_len += vendor_len; + } + + if (kr->otp_token_id != NULL) { + token_id_len = strlen(kr->otp_token_id); + msg_len += token_id_len; + } + + if (kr->otp_challenge != NULL) { + challenge_len = strlen(kr->otp_challenge); + msg_len += challenge_len; + } + + msg = talloc_zero_size(kr, msg_len); + if (msg == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + if (kr->otp_vendor != NULL) { + memcpy(msg, kr->otp_vendor, vendor_len); + } + idx += vendor_len +1; + + if (kr->otp_token_id != NULL) { + memcpy(msg + idx, kr->otp_token_id, token_id_len); + } + idx += token_id_len +1; + + if (kr->otp_challenge != NULL) { + memcpy(msg + idx, kr->otp_challenge, challenge_len); + } + + ret = pam_add_response(kr->pd, SSS_PAM_OTP_INFO, msg_len, msg); + talloc_zfree(msg); + + return ret; +} + +static errno_t k5c_attach_ccname_msg(struct krb5_req *kr) +{ + char *msg = NULL; + int ret; + + if (kr->ccname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error obtaining ccname.\n"); + return ERR_INTERNAL; + } + + msg = talloc_asprintf(kr, "%s=%s",CCACHE_ENV_NAME, kr->ccname); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + ret = pam_add_response(kr->pd, SSS_PAM_ENV_ITEM, + strlen(msg) + 1, (uint8_t *)msg); + talloc_zfree(msg); + + return ret; +} + +static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error) +{ + ssize_t written; + uint8_t *buf; + size_t len; + int ret; + + DEBUG(SSSDBG_FUNC_DATA, "Received error code %d\n", error); + + ret = pack_response_packet(kr, error, kr->pd->resp_list, &buf, &len); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n"); + return ret; + } + + errno = 0; + written = sss_atomic_write_s(fd, buf, len); + if (written == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "write failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } 
+
+ if (written != len) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Write error, wrote [%zu] bytes, expected [%zu]\n",
+ written, len);
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Response sent.\n");
+
+ return EOK;
+}
+
+static errno_t get_pkinit_identity(TALLOC_CTX *mem_ctx,
+ struct sss_auth_token *authtok,
+ char **_identity)
+{
+ int ret;
+ char *identity;
+ const char *token_name;
+ const char *module_name;
+ const char *key_id;
+
+ ret = sss_authtok_get_sc(authtok, NULL, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ &key_id, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Got [%s][%s].\n", token_name, module_name);
+
+ if (module_name == NULL || *module_name == '\0') {
+ module_name = "p11-kit-proxy.so";
+ }
+
+ identity = talloc_asprintf(mem_ctx, "PKCS11:module_name=%s", module_name);
+ if (identity == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+
+ if (token_name != NULL && *token_name != '\0') {
+ identity = talloc_asprintf_append(identity, ":token=%s",
+ token_name);
+ if (identity == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf_append failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ if (key_id != NULL && *key_id != '\0') {
+ identity = talloc_asprintf_append(identity, ":certid=%s", key_id);
+ if (identity == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf_append failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ *_identity = identity;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using pkinit identity [%s].\n", identity);
+
+ return EOK;
+}
+
+static errno_t add_ticket_times_and_upn_to_response(struct krb5_req *kr)
+{
+ int ret;
+ int64_t t[4];
+ krb5_error_code kerr;
+ char *upn = NULL;
+ unsigned int upn_len = 0;
+
+ t[0] = (int64_t) kr->creds->times.authtime;
+ t[1] = (int64_t) kr->creds->times.starttime;
+ t[2] = (int64_t) kr->creds->times.endtime;
+ t[3] = (int64_t) kr->creds->times.renew_till;
+
+ ret = pam_add_response(kr->pd, SSS_KRB5_INFO_TGT_LIFETIME,
+ 4*sizeof(int64_t), (uint8_t *) t);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
+ goto done;
+ }
+
+ kerr = krb5_unparse_name_ext(kr->ctx, kr->creds->client, &upn, &upn_len);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "krb5_unparse_name failed.\n");
+ goto done;
+ }
+
+ ret = pam_add_response(kr->pd, SSS_KRB5_INFO_UPN, upn_len,
+ (uint8_t *) upn);
+ krb5_free_unparsed_name(kr->ctx, upn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
+ goto done;
+ }
+
+done:
+ return ret;
+}
+
+static krb5_error_code validate_tgt(struct krb5_req *kr)
+{
+ krb5_error_code kerr;
+ krb5_error_code kt_err;
+ char *principal = NULL;
+ krb5_keytab keytab;
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry entry;
+ krb5_verify_init_creds_opt opt;
+ krb5_principal validation_princ = NULL;
+ bool realm_entry_found = false;
+ krb5_ccache validation_ccache = NULL;
+ krb5_authdata **pac_authdata = NULL;
+
+ memset(&keytab, 0, sizeof(keytab));
+ kerr = krb5_kt_resolve(kr->ctx, kr->keytab, &keytab);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s], " \
+ "not verifying TGT.\n", kr->keytab);
+ return kerr;
+ }
+
+ memset(&cursor, 0, sizeof(cursor));
+ kerr = krb5_kt_start_seq_get(kr->ctx, keytab, &cursor);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \
+ "not verifying TGT.\n", kr->keytab);
+ return kerr;
+ }
+
+ /* We look for the first entry from our realm or take the last one */
+ memset(&entry, 0, sizeof(entry));
+ while ((kt_err = krb5_kt_next_entry(kr->ctx, keytab, &entry, &cursor)) == 0) {
+ if (validation_princ != NULL) {
+ krb5_free_principal(kr->ctx, validation_princ);
+ validation_princ = NULL;
+ }
+ kerr = krb5_copy_principal(kr->ctx, entry.principal,
+ &validation_princ);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n");
+ goto done;
+ }
+
+ kerr = sss_krb5_free_keytab_entry_contents(kr->ctx, &entry);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to free keytab entry.\n");
+ }
+ memset(&entry, 0, sizeof(entry));
+
+ if (krb5_realm_compare(kr->ctx, validation_princ, kr->creds->client)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Found keytab entry with the realm of the credential.\n");
+ realm_entry_found = true;
+ break;
+ }
+ }
+
+ if (!realm_entry_found) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Keytab entry with the realm of the credential not found "
+ "in keytab. Using the last entry.\n");
+ }
+
+ /* Close the keytab here. Even though we're using cursors, the file
+ * handle is stored in the krb5_keytab structure, and it gets
+ * overwritten when the verify_init_creds() call below creates its own
+ * cursor, creating a leak. */
+ kerr = krb5_kt_end_seq_get(kr->ctx, keytab, &cursor);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed, " \
+ "not verifying TGT.\n");
+ goto done;
+ }
+
+ /* check if we got any errors from krb5_kt_next_entry */
+ if (kt_err != 0 && kt_err != KRB5_KT_END) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab [%s], " \
+ "not verifying TGT.\n", kr->keytab);
+ goto done;
+ }
+
+ /* Get the principal to which the key belongs, for logging purposes. */
+ principal = NULL;
+ kerr = krb5_unparse_name(kr->ctx, validation_princ, &principal);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "internal error parsing principal name, "
+ "not verifying TGT.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+
+ krb5_verify_init_creds_opt_init(&opt);
+ kerr = krb5_verify_init_creds(kr->ctx, kr->creds, validation_princ, keytab,
+ &validation_ccache, &opt);
+
+ if (kerr == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "TGT verified using key for [%s].\n",
+ principal);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE ,"TGT failed verification using key " \
+ "for [%s].\n", principal);
+ goto done;
+ }
+
+ /* Try to find and send the PAC to the PAC responder.
+ * Failures are not critical. */
+ if (kr->send_pac) {
+ kerr = sss_extract_pac(kr->ctx, validation_ccache, validation_princ,
+ kr->creds->client, keytab, &pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_extract_and_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name);
+ kerr = 0;
+ goto done;
+ }
+
+ kerr = sss_send_pac(pac_authdata);
+ krb5_free_authdata(kr->ctx, pac_authdata);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_send_pac failed, group " \
+ "membership for user with principal [%s] " \
+ "might not be correct.\n", kr->name);
+ kerr = 0;
+ }
+ }
+
+done:
+ if (validation_ccache != NULL) {
+ krb5_cc_destroy(kr->ctx, validation_ccache);
+ }
+
+ if (krb5_kt_close(kr->ctx, keytab) != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed\n");
+ }
+ if (validation_princ != NULL) {
+ krb5_free_principal(kr->ctx, validation_princ);
+ }
+ if (principal != NULL) {
+ sss_krb5_free_unparsed_name(kr->ctx, principal);
+ }
+
+ return kerr;
+
+}
+
+static krb5_error_code get_and_save_tgt_with_keytab(krb5_context ctx,
+ struct cli_opts *cli_opts,
+ krb5_principal princ,
+ krb5_keytab keytab,
+ char *ccname)
+{
+ krb5_error_code kerr = 0;
+ krb5_creds creds;
+ krb5_get_init_creds_opt options;
+
+ memset(&creds, 0, sizeof(creds));
+ memset(&options, 0, sizeof(options));
+
+ krb5_get_init_creds_opt_set_address_list(&options, NULL);
+ krb5_get_init_creds_opt_set_forwardable(&options, 0);
+ krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ set_canonicalize_option(cli_opts, &options);
+
+ kerr = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab, 0, NULL,
+ &options);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ /* Use the updated principal in the creds in case canonicalized */
+ kerr = create_ccache(ccname, &creds);
+ if (kerr != 0) {
+ goto done;
+ }
+ kerr = 0;
+
+done:
+ krb5_free_cred_contents(ctx, &creds);
+
+ return kerr;
+
+}
+
+/* [MS-KILE]: Kerberos Protocol Extensions
+ * https://msdn.microsoft.com/en-us/library/cc233855.aspx
+ * http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-KILE%5D.pdf
+ * 2.2.1 KERB-EXT-ERROR
+ */
+bool have_ms_kile_ext_error(unsigned char *data, unsigned int length,
+ uint32_t *_ntstatus)
+{
+ /* [MS-KILE] 2.2.2 KERB-ERROR-DATA
+ * Kerberos V5 messages are defined using Abstract Syntax Notation One
+ * (ASN.1)
+ * KERB-ERROR-DATA ::= SEQUENCE {
+ * data-type [1] INTEGER,
+ * data-value [2] OCTET STRING OPTIONAL
+ * }
+ * We are interested in data-type 3 KERB_ERR_TYPE_EXTENDED
+ */
+ uint8_t kile_asn1_begining[] = {
+ 0x30, 0x15, /* 0x30 is SEQUENCE, 0x15 length */
+ 0xA1, 0x03, /* 0xA1 is 1st element of sequence, 0x03 length */
+ 0x02, 0x01, 0x03, /* 0x02 is INTEGER, 0x01 length, 0x03 value */
+ 0xA2, 0x0E, /* 0xA2 is 2nd element of sequence, 0x0E length */
+ 0x04, 0x0C, /* 0x04 is OCTET STRING, 0x0C length (12 bytes) */
+ };
+ const size_t offset = sizeof(kile_asn1_begining);
+ uint32_t value;
+
+ if (length != 23 || data == NULL) {
+ return false;
+ }
+
+ if (memcmp(data, kile_asn1_begining, offset) != 0) {
+ return false;
+ }
+
+ /* [MS-KILE] 2.2.1 KERB-EXT-ERROR
+ * typedef struct KERB_EXT_ERROR {
+ * unsigned long status;
+ * unsigned long reserved;
+ * unsigned long flags;
+ * } KERB_EXT_ERROR;
+ * Status: An NTSTATUS value. See [MS-ERREF] section 2.3.
+ */
+ value = data[offset + 3] << 24
+ | data[offset + 2] << 16
+ | data[offset + 1] << 8
+ | data[offset + 0];
+
+ *_ntstatus = value;
+ return true;
+}
+
+/* Following NTSTATUS values are from:
+ * [MS-ERREF]: Windows Error Codes -> Section 2.3.1
+ * https://msdn.microsoft.com/en-us/library/cc231196.aspx
+ * http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-ERREF%5D.pdf
+ */
+#define NT_STATUS_ACCOUNT_EXPIRED 0xC0000193
+#define NT_STATUS_ACCOUNT_DISABLED 0xC0000072
+
+void check_ms_kile_ext_krb5err(krb5_context context,
+ krb5_init_creds_context init_cred_ctx,
+ krb5_error_code *_kerr)
+{
+ krb5_error_code err;
+ krb5_error *error = NULL;
+ uint32_t ntstatus;
+
+ err = krb5_init_creds_get_error(context, init_cred_ctx, &error);
+ if (err != 0 || error == NULL) {
+ KRB5_CHILD_DEBUG(SSSDBG_TRACE_FUNC, err);
+ return;
+ }
+
+ if (have_ms_kile_ext_error((unsigned char *)error->e_data.data, error->e_data.length,
+ &ntstatus)) {
+ switch (ntstatus) {
+ case NT_STATUS_ACCOUNT_EXPIRED:
+ *_kerr = KRB5KDC_ERR_NAME_EXP;
+ break;
+ case NT_STATUS_ACCOUNT_DISABLED:
+ *_kerr = KRB5KDC_ERR_CLIENT_REVOKED;
+ break;
+ }
+ }
+}
+
+krb5_error_code
+sss_krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
+ krb5_principal client, const char *password,
+ krb5_prompter_fct prompter, void *data,
+ krb5_deltat start_time,
+ const char *in_tkt_service,
+ krb5_get_init_creds_opt *k5_gic_options)
+{
+ krb5_error_code kerr;
+ krb5_init_creds_context init_cred_ctx = NULL;
+
+ kerr = krb5_init_creds_init(context, client, prompter, data,
+ start_time, k5_gic_options,
+ &init_cred_ctx);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+ if (password != NULL) {
+ kerr = krb5_init_creds_set_password(context, init_cred_ctx, password);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+ }
+
+ if (in_tkt_service != NULL) {
+ kerr = krb5_init_creds_set_service(context, init_cred_ctx,
+ in_tkt_service);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+ }
+
+ kerr = krb5_init_creds_get(context, init_cred_ctx);
+ if (kerr == KRB5KDC_ERR_CLIENT_REVOKED) {
+ check_ms_kile_ext_krb5err(context, init_cred_ctx, &kerr);
+ }
+
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+ kerr = krb5_init_creds_get_creds(context, init_cred_ctx, creds);
+
+done:
+ krb5_init_creds_free(context, init_cred_ctx);
+ return kerr;
+}
+
+static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
+ const char *password)
+{
+ const char *realm_name;
+ int realm_length;
+ krb5_error_code kerr;
+ char *cc_name;
+ int ret;
+ char *identity = NULL;
+
+ kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx, kr->options,
+ sss_krb5_expire_callback_func,
+ kr);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set expire callback, continue without.\n");
+ }
+
+ sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length);
+ if (realm_length == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+ if (sss_authtok_get_type(kr->pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found Smartcard credentials, trying pkinit.\n");
+
+ ret = get_pkinit_identity(kr, kr->pd->authtok, &identity);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_pkinit_identity failed.\n");
+ return ret;
+ }
+
+ kerr = krb5_get_init_creds_opt_set_pa(kr->ctx, kr->options,
+ "X509_user_identity", identity);
+ talloc_free(identity);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "krb5_get_init_creds_opt_set_pa failed.\n");
+ return kerr;
+ }
+
+ /* TODO: Maybe X509_anchors should be added here as well */
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Attempting kinit for realm [%s]\n",realm_name);
+ kerr = kr->krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
+ password_or_responder(password),
+ sss_krb5_prompter, kr, 0, NULL,
+ kr->options);
+ if (kr->pd->cmd == SSS_PAM_PREAUTH && kerr != KRB5KDC_ERR_KEY_EXP) {
+ /* Any errors except KRB5KDC_ERR_KEY_EXP are ignored during pre-auth,
+ * only data is collected to be send back to the client.
+ * KRB5KDC_ERR_KEY_EXP must be handled separately to figure out the
+ * possible authentication methods to update the password. */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "krb5_get_init_creds_password returned [%d] during pre-auth.\n",
+ kerr);
+ return 0;
+ } else {
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+
+ /* Special case for IPA password migration */
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && kerr == KRB5_PREAUTH_FAILED
+ && kr->pkinit_prompting == false
+ && kr->password_prompting == false
+ && kr->otp == false
+ && sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_PASSWORD) {
+ return ERR_CREDS_INVALID;
+ }
+
+ /* If during authentication either the MIT Kerberos pkinit
+ * pre-auth module is missing or no Smartcard is inserted and only
+ * pkinit is available KRB5_PREAUTH_FAILED is returned.
+ * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
+ * frontend that local authentication might be tried.
+ * Same is true if Smartcard credentials are given but only other
+ * authentication methods are available. */
+ if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
+ && kerr == KRB5_PREAUTH_FAILED
+ && kr->pkinit_prompting == false
+ && (( kr->password_prompting == false
+ && kr->otp == false)
+ || ((kr->otp == true
+ || kr->password_prompting == true)
+ && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
+ return ERR_NO_AUTH_METHOD_AVAILABLE;
+ }
+ return kerr;
+ }
+ }
+
+ if (kr->validate) {
+ kerr = validate_tgt(kr);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
+ }
+
+ /* In a non-POSIX environment, we only care about the return code from
+ * krb5_child, so let's not even attempt to create the ccache
+ */
+ if (kr->posix_domain == false) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Finished authentication in a non-POSIX domain\n");
+ goto done;
+ }
+
+ /* If kr->ccname is cache collection (DIR:/...), we want to work
+ * directly with file ccache (DIR::/...), but cache collection
+ * should be returned back to back end.
+ */
+ cc_name = sss_get_ccache_name_for_principal(kr->pd, kr->ctx,
+ kr->creds->client,
+ kr->ccname);
+ if (cc_name == NULL) {
+ cc_name = kr->ccname;
+ }
+
+ /* Use the updated principal in the creds in case canonicalized */
+ kerr = create_ccache(cc_name, kr->creds);
+ if (kerr != 0) {
+ goto done;
+ }
+
+ /* Successful authentication! Check if ccache contains the
+ * right principal...
+ */ + kerr = sss_krb5_check_ccache_princ(kr->ctx, kr->ccname, kr->creds->client); + if (kerr) { + DEBUG(SSSDBG_CRIT_FAILURE, + "No ccache for %s in %s?\n", kr->upn, kr->ccname); + goto done; + } + + kerr = safe_remove_old_ccache_file(kr->old_ccname, kr->ccname, + kr->uid, kr->gid); + if (kerr != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to remove old ccache file [%s], " + "please remove it manually.\n", kr->old_ccname); + } + + kerr = add_ticket_times_and_upn_to_response(kr); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "add_ticket_times_and_upn_to_response failed.\n"); + } + + kerr = 0; + +done: + krb5_free_cred_contents(kr->ctx, kr->creds); + + return kerr; + +} + +static errno_t map_krb5_error(krb5_error_code kerr) +{ + /* just pass SSSD's internal error codes */ + if (kerr > 0 && IS_SSSD_ERROR(kerr)) { + DEBUG(SSSDBG_CRIT_FAILURE, "[%d][%s].\n", kerr, sss_strerror(kerr)); + return kerr; + } + + if (kerr != 0) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + } + + switch (kerr) { + case 0: + return ERR_OK; + + case KRB5_LIBOS_CANTREADPWD: + return ERR_NO_CREDS; + + case KRB5_KDCREP_SKEW: + case KRB5KRB_AP_ERR_SKEW: + case KRB5KRB_AP_ERR_TKT_EXPIRED: + case KRB5KRB_AP_ERR_TKT_NYV: + case KRB5_KDC_UNREACH: + case KRB5_REALM_CANT_RESOLVE: + case KRB5_REALM_UNKNOWN: + return ERR_NETWORK_IO; + + case KRB5KDC_ERR_CLIENT_REVOKED: + return ERR_ACCOUNT_LOCKED; + + case KRB5KDC_ERR_NAME_EXP: + return ERR_ACCOUNT_EXPIRED; + + case KRB5KDC_ERR_KEY_EXP: + return ERR_CREDS_EXPIRED; + + case KRB5KRB_AP_ERR_BAD_INTEGRITY: + return ERR_AUTH_FAILED; + + /* ERR_CREDS_INVALID is used to indicate to the IPA provider that trying + * password migration would make sense. All Kerberos error codes which can + * be seen while migrating LDAP users to IPA should be added here. 
*/ + case KRB5_PROG_ETYPE_NOSUPP: + case KRB5_PREAUTH_FAILED: + case KRB5KDC_ERR_PREAUTH_FAILED: + return ERR_CREDS_INVALID; + + /* Please do not remove KRB5KRB_ERR_GENERIC here, it is a _generic_ error + * code and we cannot make any assumptions about the reason for the error. + * As a consequence we cannot return a different error code than a generic + * one which unfortunately might result in a unspecific system error + * message to the user. + * + * If there are cases where libkrb5 calls return KRB5KRB_ERR_GENERIC where + * SSSD should behave differently this has to be detected by different + * means, e.g. by evaluation error messages, and then the error code + * should be changed to a more suitable KRB5* error code or immediately to + * an SSSD ERR_* error code to avoid the default handling here. */ + case KRB5KRB_ERR_GENERIC: + default: + return ERR_INTERNAL; + } +} + +static errno_t changepw_child(struct krb5_req *kr, bool prelim) +{ + int ret; + krb5_error_code kerr = 0; + const char *password = NULL; + const char *newpassword = NULL; + int result_code = -1; + krb5_data result_code_string; + krb5_data result_string; + char *user_error_message = NULL; + size_t user_resp_len; + uint8_t *user_resp; + krb5_prompter_fct prompter = NULL; + const char *realm_name; + int realm_length; + size_t msg_len; + uint8_t *msg; + uint32_t user_info_type; + + DEBUG(SSSDBG_TRACE_LIBS, "Password change operation\n"); + + if (sss_authtok_get_type(kr->pd->authtok) == SSS_AUTHTOK_TYPE_PASSWORD) { + ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to fetch current password [%d] %s.\n", + ret, strerror(ret)); + return ERR_NO_CREDS; + } + } + + if (!prelim) { + /* We do not need a password expiration warning here. 
*/ + prompter = sss_krb5_prompter; + } + + set_changepw_options(kr->options); + sss_krb5_princ_realm(kr->ctx, kr->princ, &realm_name, &realm_length); + if (realm_length == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n"); + return ERR_INTERNAL; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Attempting kinit for realm [%s]\n",realm_name); + kerr = kr->krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, + password_or_responder(password), + prompter, kr, 0, + SSSD_KRB5_CHANGEPW_PRINCIPAL, + kr->options); + DEBUG(SSSDBG_TRACE_INTERNAL, + "chpass is%s using OTP\n", kr->otp ? "" : " not"); + if (kerr != 0) { + ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.", + &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pack_user_info_chpass_error failed.\n"); + } else { + ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, msg_len, + msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pam_add_response failed.\n"); + } + } + return kerr; + } + + sss_authtok_set_empty(kr->pd->authtok); + + if (prelim) { + DEBUG(SSSDBG_TRACE_LIBS, + "Initial authentication for change password operation " + "successful.\n"); + krb5_free_cred_contents(kr->ctx, kr->creds); + return EOK; + } + + ret = sss_authtok_get_password(kr->pd->newauthtok, &newpassword, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to fetch new password [%d] %s.\n", + ret, strerror(ret)); + return ERR_NO_CREDS; + } + + memset(&result_code_string, 0, sizeof(krb5_data)); + memset(&result_string, 0, sizeof(krb5_data)); + kerr = krb5_change_password(kr->ctx, kr->creds, + discard_const(newpassword), &result_code, + &result_code_string, &result_string); + + if (kerr == KRB5_KDC_UNREACH) { + return ERR_NETWORK_IO; + } + + if (kerr != 0 || result_code != 0) { + if (kerr != 0) { + KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); + } + + if (result_code_string.length > 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "krb5_change_password failed [%d][%.*s].\n", result_code, + 
result_code_string.length, result_code_string.data);
+ user_error_message = talloc_strndup(kr->pd, result_code_string.data,
+ result_code_string.length);
+ if (user_error_message == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
+ }
+ }
+
+ if (result_string.length > 0 && result_string.data[0] != '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "krb5_change_password failed [%d][%.*s].\n", result_code,
+ result_string.length, result_string.data);
+ talloc_free(user_error_message);
+ user_error_message = talloc_strndup(kr->pd, result_string.data,
+ result_string.length);
+ if (user_error_message == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
+ }
+ } else if (result_code == KRB5_KPASSWD_SOFTERROR) {
+ user_error_message = talloc_strdup(kr->pd, "Please make sure the "
+ "password meets the complexity constraints.");
+ if (user_error_message == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n");
+ }
+ }
+
+ if (user_error_message != NULL) {
+ ret = pack_user_info_chpass_error(kr->pd, user_error_message,
+ &user_resp_len, &user_resp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pack_user_info_chpass_error failed.\n");
+ } else {
+ ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, user_resp_len,
+ user_resp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pack_response_packet failed.\n");
+ }
+ }
+ }
+
+ return ERR_CHPASS_FAILED;
+ }
+
+ krb5_free_cred_contents(kr->ctx, kr->creds);
+
+ if (kr->otp == true) {
+ user_info_type = SSS_PAM_USER_INFO_OTP_CHPASS;
+ ret = pam_add_response(kr->pd, SSS_PAM_USER_INFO, sizeof(uint32_t),
+ (const uint8_t *) &user_info_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ /* Not fatal */
+ }
+
+ sss_authtok_set_empty(kr->pd->newauthtok);
+ return map_krb5_error(kerr);
+ }
+
+ /* We changed some of the GIC options for the password change, now we have
+ * to change them back to get a fresh TGT.
*/
+ revert_changepw_options(kr->cli_opts, kr->options);
+
+ ret = sss_authtok_set_password(kr->pd->authtok, newpassword, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set password for fresh TGT.\n");
+ return ret;
+ }
+
+ kerr = get_and_save_tgt(kr, newpassword);
+
+ sss_authtok_set_empty(kr->pd->authtok);
+ sss_authtok_set_empty(kr->pd->newauthtok);
+
+ if (kerr == 0) {
+ kerr = k5c_attach_ccname_msg(kr);
+ }
+ return map_krb5_error(kerr);
+}
+
+static errno_t pam_add_prompting(struct krb5_req *kr)
+{
+ int ret;
+
+ /* add OTP tokeninfo message if available */
+ if (kr->otp) {
+ ret = k5c_attach_otp_info_msg(kr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "k5c_attach_otp_info_msg failed.\n");
+ return ret;
+ }
+ }
+
+ if (kr->password_prompting) {
+ ret = pam_add_response(kr->pd, SSS_PASSWORD_PROMPTING, 0, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ return ret;
+ }
+ }
+
+ if (kr->pkinit_prompting) {
+ ret = pam_add_response(kr->pd, SSS_CERT_AUTH_PROMPTING, 0,
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
+static errno_t tgt_req_child(struct krb5_req *kr)
+{
+ const char *password = NULL;
+ krb5_error_code kerr;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Attempting to get a TGT\n");
+
+ /* No password is needed for pre-auth or if we have 2FA or SC */
+ if (kr->pd->cmd != SSS_PAM_PREAUTH
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_2FA
+ && sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN
+ && sss_authtok_get_type(kr->pd->authtok)
+ != SSS_AUTHTOK_TYPE_SC_KEYPAD) {
+ ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
+ switch (ret) {
+ case EOK:
+ break;
+
+ case EACCES:
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid authtok type\n");
+ return ERR_INVALID_CRED_TYPE;
+ break;
+
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "No credentials available\n");
+ return ERR_NO_CREDS;
+
break;
+ }
+ }
+
+ kerr = get_and_save_tgt(kr, password);
+
+ if (kerr != KRB5KDC_ERR_KEY_EXP) {
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
+ ret = pam_add_prompting(kr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_prompting failed.\n");
+ goto done;
+ }
+ } else {
+ if (kerr == 0) {
+ kerr = k5c_attach_ccname_msg(kr);
+ }
+ }
+ ret = map_krb5_error(kerr);
+ goto done;
+ }
+
+ /* If the password is expired, the KDC will always return
+ KRB5KDC_ERR_KEY_EXP regardless if the supplied password is correct or
+ not. In general the password can still be used to get a changepw ticket.
+ So we validate the password by trying to get a changepw ticket. */
+ DEBUG(SSSDBG_TRACE_LIBS, "Password was expired\n");
+ kerr = sss_krb5_get_init_creds_opt_set_expire_callback(kr->ctx,
+ kr->options,
+ NULL, NULL);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to unset expire callback, continue ...\n");
+ }
+
+ set_changepw_options(kr->options);
+ kerr = kr->krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ_orig,
+ password_or_responder(password),
+ sss_krb5_prompter, kr, 0,
+ SSSD_KRB5_CHANGEPW_PRINCIPAL,
+ kr->options);
+
+ krb5_free_cred_contents(kr->ctx, kr->creds);
+
+ if (kr->pd->cmd == SSS_PAM_PREAUTH) {
+ /* Any errors are ignored during pre-auth, only data is collected to
+ * be send back to the client. Even if the password is expired we
+ * should now know which authentication methods are available to
+ * update the password. */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "krb5_get_init_creds_password returned [%d] during pre-auth, "
+ "ignored.\n", kerr);
+ ret = pam_add_prompting(kr);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_prompting failed.\n");
+ goto done;
+ }
+ goto done;
+ }
+
+ if (kerr == 0) {
+ ret = ERR_CREDS_EXPIRED;
+
+ /* If the password is expired, we can safely remove the ccache from the
+ * cache and disk if it is not actively used anymore.
This will allow
+ * to create a new random ccache if sshd with privilege separation is
+ * used. */
+ if (kr->old_cc_active == false && kr->old_ccname) {
+ ret = safe_remove_old_ccache_file(kr->old_ccname, NULL,
+ kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to remove old ccache file [%s], "
+ "please remove it manually.\n", kr->old_ccname);
+ }
+ ret = ERR_CREDS_EXPIRED_CCACHE;
+ }
+ } else {
+ ret = map_krb5_error(kerr);
+ }
+
+done:
+ sss_authtok_set_empty(kr->pd->authtok);
+ return ret;
+}
+
+static errno_t kuserok_child(struct krb5_req *kr)
+{
+ krb5_boolean access_allowed;
+ krb5_error_code kerr;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Verifying if principal can log in as user\n");
+
+ /* krb5_kuserok tries to verify that kr->pd->user is a locally known
+ * account, so we have to unset _SSS_LOOPS to make getpwnam() work. */
+ if (unsetenv("_SSS_LOOPS") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS, "
+ "krb5_kuserok will most certainly fail.\n");
+ }
+
+ kerr = krb5_set_default_realm(kr->ctx, kr->realm);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_set_default_realm failed, "
+ "krb5_kuserok may fail.\n");
+ }
+
+ access_allowed = krb5_kuserok(kr->ctx, kr->princ, kr->pd->user);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Access was %s\n", access_allowed ?
"allowed" : "denied");
+
+ if (access_allowed) {
+ return EOK;
+ }
+
+ return ERR_AUTH_DENIED;
+}
+
+static errno_t renew_tgt_child(struct krb5_req *kr)
+{
+ const char *ccname;
+ krb5_ccache ccache = NULL;
+ krb5_error_code kerr;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Renewing a ticket\n");
+
+ ret = sss_authtok_get_ccfile(kr->pd->authtok, &ccname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unsupported authtok type for TGT renewal [%d].\n",
+ sss_authtok_get_type(kr->pd->authtok));
+ return ERR_INVALID_CRED_TYPE;
+ }
+
+ kerr = krb5_cc_resolve(kr->ctx, ccname, &ccache);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+ kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL);
+ if (kerr != 0) {
+ goto done;
+ }
+
+ if (kr->validate) {
+ kerr = validate_tgt(kr);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+ } else {
+ DEBUG(SSSDBG_CONF_SETTINGS, "TGT validation is disabled.\n");
+ }
+
+ kerr = krb5_cc_initialize(kr->ctx, ccache, kr->princ);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+ kerr = krb5_cc_store_cred(kr->ctx, ccache, kr->creds);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ goto done;
+ }
+
+ kerr = add_ticket_times_and_upn_to_response(kr);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "add_ticket_times_and_upn_to_response failed.\n");
+ }
+
+ kerr = k5c_attach_ccname_msg(kr);
+
+done:
+ krb5_free_cred_contents(kr->ctx, kr->creds);
+
+ if (ccache != NULL) {
+ krb5_cc_close(kr->ctx, ccache);
+ }
+
+ if (kerr == KRB5KRB_AP_ERR_TKT_EXPIRED) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Attempted to renew an expired TGT, changing the error code "
+ "to expired creds internally\n");
+ /* map_krb5_error() won't touch the SSSD-internal code */
+ kerr = ERR_CREDS_EXPIRED;
+ }
+
+ return map_krb5_error(kerr);
+}
+
+static errno_t create_empty_ccache(struct krb5_req *kr)
+{
+ krb5_creds *creds = NULL;
+ krb5_error_code kerr;
+
+ if (kr->old_cc_valid == false) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Creating empty ccache\n");
+ kerr = create_empty_cred(kr->ctx, kr->princ, &creds);
+ if (kerr == 0) {
+ kerr = create_ccache(kr->ccname, creds);
+ }
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS, "Existing ccache still valid, reusing\n");
+ kerr = 0;
+ }
+
+ if (kerr == 0) {
+ kerr = k5c_attach_ccname_msg(kr);
+ }
+
+ krb5_free_creds(kr->ctx, creds);
+
+ return map_krb5_error(kerr);
+}
+
+static errno_t unpack_authtok(struct sss_auth_token *tok,
+ uint8_t *buf, size_t size, size_t *p)
+{
+ uint32_t auth_token_type;
+ uint32_t auth_token_length;
+ errno_t ret = EOK;
+
+ SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, buf + *p, size, p);
+ SAFEALIGN_COPY_UINT32_CHECK(&auth_token_length, buf + *p, size, p);
+ if ((*p + auth_token_length) > size) {
+ return EINVAL;
+ }
+ switch (auth_token_type) {
+ case SSS_AUTHTOK_TYPE_EMPTY:
+ sss_authtok_set_empty(tok);
+ break;
+ case SSS_AUTHTOK_TYPE_PASSWORD:
+ ret = sss_authtok_set_password(tok, (char *)(buf + *p), 0);
+ break;
+ case SSS_AUTHTOK_TYPE_CCFILE:
+ ret = sss_authtok_set_ccfile(tok, (char *)(buf + *p), 0);
+ break;
+ case SSS_AUTHTOK_TYPE_2FA:
+ case SSS_AUTHTOK_TYPE_SC_PIN:
+ case SSS_AUTHTOK_TYPE_SC_KEYPAD:
+ ret = sss_authtok_set(tok, auth_token_type, (buf + *p),
+ auth_token_length);
+ break;
+ default:
+ return EINVAL;
+ }
+
+ if (ret == EOK) {
+ *p += auth_token_length;
+ }
+ return ret;
+}
+
+static errno_t unpack_buffer(uint8_t *buf, size_t size,
+ struct krb5_req *kr, uint32_t *offline)
+{
+ size_t p = 0;
+ uint32_t len;
+ uint32_t validate;
+ uint32_t posix_domain;
+ uint32_t send_pac;
+ uint32_t use_enterprise_princ;
+ struct pam_data *pd;
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "total buffer size: [%zu]\n", size);
+
+ if (!offline || !kr) return EINVAL;
+
+ pd = create_pam_data(kr);
+ if (pd == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+ return ENOMEM;
+ }
+ kr->pd = pd;
+
+
SAFEALIGN_COPY_UINT32_CHECK(&pd->cmd, buf + p, size, &p);
+ SAFEALIGN_COPY_UINT32_CHECK(&kr->uid, buf + p, size, &p);
+ SAFEALIGN_COPY_UINT32_CHECK(&kr->gid, buf + p, size, &p);
+ SAFEALIGN_COPY_UINT32_CHECK(&validate, buf + p, size, &p);
+ kr->validate = (validate == 0) ? false : true;
+ SAFEALIGN_COPY_UINT32_CHECK(&posix_domain, buf + p, size, &p);
+ kr->posix_domain = (posix_domain == 0) ? false : true;
+ SAFEALIGN_COPY_UINT32_CHECK(offline, buf + p, size, &p);
+ SAFEALIGN_COPY_UINT32_CHECK(&send_pac, buf + p, size, &p);
+ kr->send_pac = (send_pac == 0) ? false : true;
+ SAFEALIGN_COPY_UINT32_CHECK(&use_enterprise_princ, buf + p, size, &p);
+ kr->use_enterprise_princ = (use_enterprise_princ == 0) ? false : true;
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ if (len > size - p) return EINVAL;
+ kr->upn = talloc_strndup(pd, (char *)(buf + p), len);
+ if (kr->upn == NULL) return ENOMEM;
+ p += len;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "cmd [%d] uid [%llu] gid [%llu] validate [%s] "
+ "enterprise principal [%s] offline [%s] UPN [%s]\n",
+ pd->cmd, (unsigned long long) kr->uid,
+ (unsigned long long) kr->gid, kr->validate ? "true" : "false",
+ kr->use_enterprise_princ ? "true" : "false",
+ *offline ? "true" : "false", kr->upn ?
kr->upn : "none");
+
+ if (pd->cmd == SSS_PAM_AUTHENTICATE ||
+ pd->cmd == SSS_PAM_PREAUTH ||
+ pd->cmd == SSS_CMD_RENEW ||
+ pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || pd->cmd == SSS_PAM_CHAUTHTOK) {
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ if (len > size - p) return EINVAL;
+ kr->ccname = talloc_strndup(pd, (char *)(buf + p), len);
+ if (kr->ccname == NULL) return ENOMEM;
+ p += len;
+
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ if (len > size - p) return EINVAL;
+
+ if (len > 0) {
+ kr->old_ccname = talloc_strndup(pd, (char *)(buf + p), len);
+ if (kr->old_ccname == NULL) return ENOMEM;
+ p += len;
+ } else {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "No old ccache\n");
+ }
+
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ if (len > size - p) return EINVAL;
+ kr->keytab = talloc_strndup(pd, (char *)(buf + p), len);
+ if (kr->keytab == NULL) return ENOMEM;
+ p += len;
+
+ ret = unpack_authtok(pd->authtok, buf, size, &p);
+ if (ret) {
+ return ret;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "ccname: [%s] old_ccname: [%s] keytab: [%s]\n",
+ kr->ccname,
+ kr->old_ccname ?
kr->old_ccname : "not set",
+ kr->keytab);
+ } else {
+ kr->ccname = NULL;
+ kr->old_ccname = NULL;
+ kr->keytab = NULL;
+ sss_authtok_set_empty(pd->authtok);
+ }
+
+ if (pd->cmd == SSS_PAM_CHAUTHTOK) {
+ ret = unpack_authtok(pd->newauthtok, buf, size, &p);
+ if (ret) {
+ return ret;
+ }
+ } else {
+ sss_authtok_set_empty(pd->newauthtok);
+ }
+
+ if (pd->cmd == SSS_PAM_ACCT_MGMT) {
+ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+ if (len > size - p) return EINVAL;
+ pd->user = talloc_strndup(pd, (char *)(buf + p), len);
+ if (pd->user == NULL) return ENOMEM;
+ p += len;
+ DEBUG(SSSDBG_CONF_SETTINGS, "user: [%s]\n", pd->user);
+ } else {
+ pd->user = NULL;
+ }
+
+ return EOK;
+}
+
+static int krb5_cleanup(struct krb5_req *kr)
+{
+ if (kr == NULL) return EOK;
+
+ if (kr->options != NULL) {
+ sss_krb5_get_init_creds_opt_free(kr->ctx, kr->options);
+ }
+
+ if (kr->creds != NULL) {
+ krb5_free_cred_contents(kr->ctx, kr->creds);
+ krb5_free_creds(kr->ctx, kr->creds);
+ }
+ if (kr->name != NULL)
+ sss_krb5_free_unparsed_name(kr->ctx, kr->name);
+ if (kr->princ != NULL)
+ krb5_free_principal(kr->ctx, kr->princ);
+ if (kr->princ_orig != NULL)
+ krb5_free_principal(kr->ctx, kr->princ_orig);
+ if (kr->ctx != NULL)
+ krb5_free_context(kr->ctx);
+
+ memset(kr, 0, sizeof(struct krb5_req));
+
+ return EOK;
+}
+
+static krb5_error_code get_tgt_times(krb5_context ctx, const char *ccname,
+ krb5_principal server_principal,
+ krb5_principal client_principal,
+ sss_krb5_ticket_times *tgtt)
+{
+ krb5_error_code krberr;
+ krb5_ccache ccache = NULL;
+ krb5_creds mcred;
+ krb5_creds cred;
+
+ krberr = krb5_cc_resolve(ctx, ccname, &ccache);
+ if (krberr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_resolve failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, krberr);
+ goto done;
+ }
+
+ memset(&mcred, 0, sizeof(mcred));
+ memset(&cred, 0, sizeof(mcred));
+
+ mcred.server = server_principal;
+ mcred.client = client_principal;
+
+ krberr = krb5_cc_retrieve_cred(ctx, ccache, 0,
&mcred, &cred);
+ if (krberr == KRB5_FCC_NOFILE) {
+ DEBUG(SSSDBG_TRACE_LIBS, "FAST ccache must be recreated\n");
+ } else if (krberr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_cc_retrieve_cred failed\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, krberr);
+ krberr = 0;
+ goto done;
+ }
+
+ tgtt->authtime = cred.times.authtime;
+ tgtt->starttime = cred.times.starttime;
+ tgtt->endtime = cred.times.endtime;
+ tgtt->renew_till = cred.times.renew_till;
+
+ krb5_free_cred_contents(ctx, &cred);
+
+ krberr = 0;
+
+done:
+ if (ccache != NULL) {
+ krb5_cc_close(ctx, ccache);
+ }
+
+ return krberr;
+}
+
+static krb5_error_code check_fast_ccache(TALLOC_CTX *mem_ctx,
+ krb5_context ctx,
+ uid_t fast_uid,
+ gid_t fast_gid,
+ bool posix_domain,
+ struct cli_opts *cli_opts,
+ const char *primary,
+ const char *realm,
+ const char *keytab_name,
+ char **fast_ccname)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ krb5_error_code kerr;
+ char *ccname;
+ char *server_name;
+ sss_krb5_ticket_times tgtt;
+ krb5_keytab keytab = NULL;
+ krb5_principal client_princ = NULL;
+ krb5_principal server_princ = NULL;
+ pid_t fchild_pid;
+ int status;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ ccname = talloc_asprintf(tmp_ctx, "FILE:%s/fast_ccache_%s", DB_PATH, realm);
+ if (ccname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ kerr = ENOMEM;
+ goto done;
+ }
+
+ if (keytab_name != NULL) {
+ kerr = krb5_kt_resolve(ctx, keytab_name, &keytab);
+ } else {
+ kerr = krb5_kt_default(ctx, &keytab);
+ }
+ if (kerr) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to read keytab file [%s]: %s\n",
+ KEYTAB_CLEAN_NAME,
+ sss_krb5_get_error_message(ctx, kerr));
+ goto done;
+ }
+
+ kerr = find_principal_in_keytab(ctx, keytab, primary, realm, &client_princ);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "find_principal_in_keytab failed for principal %s@%s.\n",
+ primary, realm);
+ goto done;
+ }
+
+
server_name = talloc_asprintf(tmp_ctx, "krbtgt/%s@%s", realm, realm);
+ if (server_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ kerr = ENOMEM;
+ goto done;
+ }
+
+ kerr = krb5_parse_name(ctx, server_name, &server_princ);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_parse_name failed.\n");
+ goto done;
+ }
+
+ memset(&tgtt, 0, sizeof(tgtt));
+ kerr = get_tgt_times(ctx, ccname, server_princ, client_princ, &tgtt);
+ if (kerr == 0) {
+ if (tgtt.endtime > time(NULL)) {
+ DEBUG(SSSDBG_FUNC_DATA, "FAST TGT is still valid.\n");
+ goto done;
+ }
+ }
+
+ /* Need to recreate the FAST ccache */
+ fchild_pid = fork();
+ switch (fchild_pid) {
+ case -1:
+ DEBUG(SSSDBG_CRIT_FAILURE, "fork failed\n");
+ kerr = EIO;
+ goto done;
+ case 0:
+ /* Child */
+ debug_prg_name = talloc_asprintf(NULL, "[sssd[krb5_child[%d]]]", getpid());
+ if (debug_prg_name == NULL) {
+ debug_prg_name = "[sssd[krb5_child]]";
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ /* Try to carry on */
+ }
+
+ kerr = k5c_become_user(fast_uid, fast_gid, posix_domain);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed: %d\n", kerr);
+ exit(1);
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
+ kerr = get_and_save_tgt_with_keytab(ctx, cli_opts, client_princ,
+ keytab, ccname);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "get_and_save_tgt_with_keytab failed: %d\n", kerr);
+ exit(2);
+ }
+ exit(0);
+ default:
+ /* Parent */
+ do {
+ errno = 0;
+ kerr = waitpid(fchild_pid, &status, 0);
+ } while (kerr == -1 && errno == EINTR);
+
+ if (kerr > 0) {
+ if (WIFEXITED(status)) {
+ kerr = WEXITSTATUS(status);
+ /* Don't blindly fail if the child fails, but check
+ * the ccache again */
+ if (kerr != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Creating FAST ccache failed, krb5_child will "
+ "likely fail!\n");
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "krb5_child subprocess %d terminated
unexpectedly\n",
+ fchild_pid);
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to wait for child %d\n", fchild_pid);
+ /* Let the code re-check the TGT times and fail if we
+ * can't find the updated principal */
+ }
+ }
+
+ /* Check the ccache times again. Should be updated ... */
+ memset(&tgtt, 0, sizeof(tgtt));
+ kerr = get_tgt_times(ctx, ccname, server_princ, client_princ, &tgtt);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_tgt_times() failed\n");
+ goto done;
+ }
+
+ if (tgtt.endtime < time(NULL)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "FAST TGT was renewed but is already expired, please check that "
+ "time is synchronized with server.\n");
+ kerr = ERR_CREDS_EXPIRED;
+ goto done;
+ }
+ DEBUG(SSSDBG_FUNC_DATA, "FAST TGT was successfully recreated!\n");
+
+done:
+ if (client_princ != NULL) {
+ krb5_free_principal(ctx, client_princ);
+ }
+ if (server_princ != NULL) {
+ krb5_free_principal(ctx, server_princ);
+ }
+
+ if (kerr == 0) {
+ *fast_ccname = talloc_steal(mem_ctx, ccname);
+ }
+ talloc_free(tmp_ctx);
+
+ if (keytab != NULL) {
+ krb5_kt_close(ctx, keytab);
+ }
+
+ return kerr;
+}
+
+static errno_t k5c_recv_data(struct krb5_req *kr, int fd, uint32_t *offline)
+{
+ uint8_t buf[IN_BUF_SIZE];
+ ssize_t len;
+ errno_t ret;
+
+ errno = 0;
+ len = sss_atomic_read_s(fd, buf, IN_BUF_SIZE);
+ if (len == -1) {
+ ret = errno;
+ ret = (ret == 0) ?
EINVAL: ret;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "read failed [%d][%s].\n", ret, strerror(ret));
+ return ret;
+ }
+
+ ret = unpack_buffer(buf, len, kr, offline);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "unpack_buffer failed.\n");
+ }
+
+ return ret;
+}
+
+static int k5c_setup_fast(struct krb5_req *kr, bool demand)
+{
+ krb5_principal fast_princ_struct;
+ krb5_data *realm_data;
+ char *fast_principal_realm;
+ char *fast_principal;
+ krb5_error_code kerr;
+ char *tmp_str = NULL;
+ char *new_ccname;
+
+ if (kr->cli_opts->fast_principal) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Fast principal is set to [%s]\n",
+ kr->cli_opts->fast_principal);
+ kerr = krb5_parse_name(kr->ctx, kr->cli_opts->fast_principal,
+ &fast_princ_struct);
+ if (kerr) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_parse_name failed.\n");
+ return kerr;
+ }
+ kerr = sss_krb5_unparse_name_flags(kr->ctx, fast_princ_struct,
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &tmp_str);
+ if (kerr) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_unparse_name_flags failed.\n");
+ return kerr;
+ }
+ fast_principal = talloc_strdup(kr, tmp_str);
+ if (!fast_principal) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
+ return KRB5KRB_ERR_GENERIC;
+ }
+ free(tmp_str);
+ realm_data = krb5_princ_realm(kr->ctx, fast_princ_struct);
+ fast_principal_realm = talloc_asprintf(kr, "%.*s", realm_data->length,
+ realm_data->data);
+ if (!fast_principal_realm) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+ } else {
+ fast_principal_realm = kr->realm;
+ fast_principal = NULL;
+ }
+
+ kerr = check_fast_ccache(kr, kr->ctx, kr->fast_uid, kr->fast_gid,
+ kr->posix_domain, kr->cli_opts,
+ fast_principal, fast_principal_realm,
+ kr->keytab, &kr->fast_ccname);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_fast_ccache failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ kerr = copy_ccache_into_memory(kr, kr->ctx, kr->fast_ccname, &new_ccname);
+ if (kerr != 0) {
+
DEBUG(SSSDBG_CRIT_FAILURE, "copy_ccache_into_memory failed.\n");
+ return kerr;
+ }
+
+ talloc_free(kr->fast_ccname);
+ kr->fast_ccname = new_ccname;
+
+ kerr = sss_krb5_get_init_creds_opt_set_fast_ccache_name(kr->ctx,
+ kr->options,
+ kr->fast_ccname);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_krb5_get_init_creds_opt_set_fast_ccache_name "
+ "failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ if (demand) {
+ kerr = sss_krb5_get_init_creds_opt_set_fast_flags(kr->ctx,
+ kr->options,
+ SSS_KRB5_FAST_REQUIRED);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_krb5_get_init_creds_opt_set_fast_flags "
+ "failed.\n");
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+ }
+
+ return EOK;
+}
+
+static errno_t check_use_fast(const char *use_fast_str,
+ enum k5c_fast_opt *_fast_val)
+{
+ enum k5c_fast_opt fast_val;
+
+ if (use_fast_str == NULL || strcasecmp(use_fast_str, "never") == 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Not using FAST.\n");
+ fast_val = K5C_FAST_NEVER;
+ } else if (strcasecmp(use_fast_str, "try") == 0) {
+ fast_val = K5C_FAST_TRY;
+ } else if (strcasecmp(use_fast_str, "demand") == 0) {
+ fast_val = K5C_FAST_DEMAND;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported value [%s] for krb5_use_fast.\n",
+ use_fast_str);
+ return EINVAL;
+ }
+
+ *_fast_val = fast_val;
+ return EOK;
+}
+
+static errno_t old_ccache_valid(struct krb5_req *kr, bool *_valid)
+{
+ errno_t ret;
+ bool valid;
+
+ valid = false;
+
+ ret = sss_krb5_cc_verify_ccache(kr->old_ccname,
+ kr->uid, kr->gid,
+ kr->realm, kr->upn);
+ switch (ret) {
+ case ERR_NOT_FOUND:
+ case ENOENT:
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Saved ccache %s doesn't exist, ignoring\n", kr->old_ccname);
+ break;
+ case EINVAL:
+ /* cache found but no TGT or expired */
+ case EOK:
+ valid = true;
+ break;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot check if saved ccache %s is valid\n",
+ kr->old_ccname);
+ return ret;
+ }
+
+ *_valid = valid;
+ return EOK;
+}
+
+static int k5c_check_old_ccache(struct krb5_req *kr)
+{
+ errno_t ret;
+
+ if (kr->old_ccname) {
+ ret = old_ccache_valid(kr, &kr->old_cc_valid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "old_ccache_valid failed.\n");
+ return ret;
+ }
+
+ ret = check_if_uid_is_active(kr->uid, &kr->old_cc_active);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "check_if_uid_is_active failed.\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Ccache_file is [%s] and is %s active and TGT is %s valid.\n",
+ kr->old_ccname ? kr->old_ccname : "not set",
+ kr->old_cc_active ? "" : "not",
+ kr->old_cc_valid ? "" : "not");
+ }
+
+ return EOK;
+}
+
+static int k5c_precreate_ccache(struct krb5_req *kr, uint32_t offline)
+{
+ errno_t ret;
+
+ /* The ccache file should be (re)created if one of the following conditions
+ * is true:
+ * - it doesn't exist (kr->old_ccname == NULL)
+ * - the backend is online and the current ccache file is not used, i.e
+ * the related user is currently not logged in and it is not a renewal
+ * request
+ * (offline && !kr->old_cc_active && kr->pd->cmd != SSS_CMD_RENEW)
+ * - the backend is offline and the current cache file not used and
+ * it does not contain a valid TGT
+ * (offline && !kr->old_cc_active && !kr->valid_tgt)
+ */
+ if (kr->old_ccname == NULL ||
+ (offline && !kr->old_cc_active && !kr->old_cc_valid) ||
+ (!offline && !kr->old_cc_active && kr->pd->cmd != SSS_CMD_RENEW)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Recreating ccache\n");
+
+ ret = sss_krb5_precreate_ccache(kr->ccname, kr->uid, kr->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "ccache creation failed.\n");
+ return ret;
+ }
+ } else {
+ /* We can reuse the old ccache */
+ kr->ccname = kr->old_ccname;
+ }
+
+ return EOK;
+}
+
+static int k5c_ccache_setup(struct krb5_req *kr, uint32_t offline)
+{
+ errno_t ret;
+
+ if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) {
+ return EOK;
+ }
+
+ ret = k5c_check_old_ccache(kr);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot check old ccache
[%s]: [%d][%s]. " \
+ "Assuming old cache is invalid " \
+ "and not used.\n",
+ kr->old_ccname, ret, sss_strerror(ret));
+ }
+
+ /* Pre-creating the ccache must be done as root, otherwise we can't mkdir
+ * some of the DIR: cache components. One example is /run/user/$UID because
+ * logind doesn't create the directory until the session phase, whereas
+ * we need the directory during the auth phase already
+ */
+ ret = k5c_precreate_ccache(kr, offline);
+ if (ret != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot precreate ccache\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int k5c_setup(struct krb5_req *kr, uint32_t offline)
+{
+ krb5_error_code kerr;
+ int parse_flags;
+
+ if (offline || (kr->fast_val == K5C_FAST_NEVER && kr->validate == false)) {
+ /* If krb5_child was started as setuid, but we don't need to
+ * perform either validation or FAST, just drop privileges to
+ * the user who is logging in. The same applies to the offline case.
+ */
+ kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n");
+ return kerr;
+ }
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
+ /* Set the global error context */
+ krb5_error_ctx = kr->ctx;
+
+ if (debug_level & SSSDBG_TRACE_ALL) {
+ kerr = sss_child_set_krb5_tracing(kr->ctx);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr);
+ return EIO;
+ }
+ }
+
+ /* Enterprise principals require that a default realm is available. To
+ * make SSSD more robust in the case that the default realm option is
+ * missing in krb5.conf or to allow SSSD to work with multiple unconnected
+ * realms (e.g. AD domains without trust between them) the default realm
+ * will be set explicitly.
*/
+ if (kr->use_enterprise_princ) {
+ kerr = krb5_set_default_realm(kr->ctx, kr->realm);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_set_default_realm failed.\n");
+ }
+ }
+
+ parse_flags = kr->use_enterprise_princ ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
+ kerr = sss_krb5_parse_name_flags(kr->ctx, kr->upn, parse_flags, &kr->princ);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ kerr = krb5_parse_name(kr->ctx, kr->upn, &kr->princ_orig);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ kerr = krb5_unparse_name(kr->ctx, kr->princ, &kr->name);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ kr->creds = calloc(1, sizeof(krb5_creds));
+ if (kr->creds == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+ return ENOMEM;
+ }
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_RESPONDER
+ kerr = krb5_get_init_creds_opt_set_responder(kr->ctx, kr->options,
+ sss_krb5_responder, kr);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+#endif
+
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT
+ /* A prompter is used to catch messages about when a password will
+ * expire. The library shall not use the prompter to ask for a new password
+ * but shall return KRB5KDC_ERR_KEY_EXP. */
+ krb5_get_init_creds_opt_set_change_password_prompt(kr->options, 0);
+#endif
+
+ kerr = set_lifetime_options(kr->cli_opts, kr->options);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "set_lifetime_options failed.\n");
+ return kerr;
+ }
+
+ if (!offline) {
+ set_canonicalize_option(kr->cli_opts, kr->options);
+ }
+
+/* TODO: set options, e.g.
+ * krb5_get_init_creds_opt_set_forwardable
+ * krb5_get_init_creds_opt_set_proxiable
+ * krb5_get_init_creds_opt_set_etype_list
+ * krb5_get_init_creds_opt_set_address_list
+ * krb5_get_init_creds_opt_set_preauth_list
+ * krb5_get_init_creds_opt_set_salt
+ * krb5_get_init_creds_opt_set_change_password_prompt
+ * krb5_get_init_creds_opt_set_pa
+ */
+
+ return kerr;
+}
+
+static krb5_error_code privileged_krb5_setup(struct krb5_req *kr,
+ uint32_t offline)
+{
+ krb5_error_code kerr;
+ int ret;
+ char *mem_keytab;
+
+ kr->realm = kr->cli_opts->realm;
+ if (kr->realm == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Realm not available.\n");
+ }
+
+ kerr = krb5_init_context(&kr->ctx);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ kerr = sss_krb5_get_init_creds_opt_alloc(kr->ctx, &kr->options);
+ if (kerr != 0) {
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ return kerr;
+ }
+
+ ret = check_use_fast(kr->cli_opts->use_fast_str, &kr->fast_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_use_fast failed.\n");
+ return ret;
+ }
+
+ /* For ccache types FILE: and DIR: we might need to create some directory
+ * components as root. Cache files are not needed during preauth.
*/
+ if (kr->pd->cmd != SSS_PAM_PREAUTH) {
+ ret = k5c_ccache_setup(kr, offline);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "k5c_ccache_setup failed.\n");
+ return ret;
+ }
+ }
+
+ if (!(offline ||
+ (kr->fast_val == K5C_FAST_NEVER && kr->validate == false))) {
+ kerr = copy_keytab_into_memory(kr, kr->ctx, kr->keytab, &mem_keytab,
+ NULL);
+ if (kerr != 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "copy_keytab_into_memory failed.\n");
+ return kerr;
+ }
+
+ talloc_free(kr->keytab);
+ kr->keytab = mem_keytab;
+
+ if (kr->fast_val != K5C_FAST_NEVER) {
+ kerr = k5c_setup_fast(kr, kr->fast_val == K5C_FAST_DEMAND);
+ if (kerr != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set up FAST\n");
+ return kerr;
+ }
+ }
+ }
+
+ if (kr->send_pac) {
+ ret = sss_pac_check_and_open();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cannot open the PAC responder socket\n");
+ /* Not fatal */
+ }
+ }
+
+ return 0;
+}
+
+static void try_open_krb5_conf(void)
+{
+ int fd;
+ int ret;
+
+ fd = open("/etc/krb5.conf", O_RDONLY);
+ if (fd != -1) {
+ close(fd);
+ } else {
+ ret = errno;
+ if (ret == EACCES || ret == EPERM) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "User with uid:%"SPRIuid" gid:%"SPRIgid" cannot read "
+ "/etc/krb5.conf.
It might cause problems\n", + geteuid(), getegid()); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot open /etc/krb5.conf [%d]: %s\n", + ret, strerror(ret)); + } + } +} + +int main(int argc, const char *argv[]) +{ + struct krb5_req *kr = NULL; + uint32_t offline; + int opt; + poptContext pc; + int debug_fd = -1; + const char *opt_logger = NULL; + errno_t ret; + krb5_error_code kerr; + uid_t fast_uid; + gid_t fast_gid; + struct cli_opts cli_opts = { 0 }; + int sss_creds_password = 0; + + struct poptOption long_options[] = { + POPT_AUTOHELP + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, + _("Debug level"), NULL}, + {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0, + _("Add debug timestamps"), NULL}, + {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0, + _("Show timestamps with microseconds"), NULL}, + {"debug-fd", 0, POPT_ARG_INT, &debug_fd, 0, + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, + &debug_to_stderr, 0, + _("Send the debug output to stderr directly."), NULL }, + SSSD_LOGGER_OPTS + {CHILD_OPT_FAST_CCACHE_UID, 0, POPT_ARG_INT, &fast_uid, 0, + _("The user to create FAST ccache as"), NULL}, + {CHILD_OPT_FAST_CCACHE_GID, 0, POPT_ARG_INT, &fast_gid, 0, + _("The group to create FAST ccache as"), NULL}, + {CHILD_OPT_REALM, 0, POPT_ARG_STRING, &cli_opts.realm, 0, + _("Kerberos realm to use"), NULL}, + {CHILD_OPT_LIFETIME, 0, POPT_ARG_STRING, &cli_opts.lifetime, 0, + _("Requested lifetime of the ticket"), NULL}, + {CHILD_OPT_RENEWABLE_LIFETIME, 0, POPT_ARG_STRING, &cli_opts.rtime, 0, + _("Requested renewable lifetime of the ticket"), NULL}, + {CHILD_OPT_USE_FAST, 0, POPT_ARG_STRING, &cli_opts.use_fast_str, 0, + _("FAST options ('never', 'try', 'demand')"), NULL}, + {CHILD_OPT_FAST_PRINCIPAL, 0, POPT_ARG_STRING, + &cli_opts.fast_principal, 0, + _("Specifies the server principal to use for FAST"), NULL}, + {CHILD_OPT_CANONICALIZE, 0, POPT_ARG_NONE, NULL, 'C', + 
_("Requests canonicalization of the principal name"), NULL}, + {CHILD_OPT_SSS_CREDS_PASSWORD, 0, POPT_ARG_NONE, &sss_creds_password, + 0, _("Use custom version of krb5_get_init_creds_password"), NULL}, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + cli_opts.canonicalize = false; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + case 'C': + cli_opts.canonicalize = true; + break; + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + debug_prg_name = talloc_asprintf(NULL, "[sssd[krb5_child[%d]]]", getpid()); + if (!debug_prg_name) { + debug_prg_name = "[sssd[krb5_child]]"; + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + if (debug_fd != -1) { + ret = set_debug_file_from_fd(debug_fd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } + opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); + + DEBUG(SSSDBG_TRACE_FUNC, "krb5_child started.\n"); + + kr = talloc_zero(NULL, struct krb5_req); + if (kr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto done; + } + talloc_steal(kr, debug_prg_name); + + kr->fast_uid = fast_uid; + kr->fast_gid = fast_gid; + kr->cli_opts = &cli_opts; + if (sss_creds_password != 0) { + kr->krb5_get_init_creds_password = sss_krb5_get_init_creds_password; + } else { + kr->krb5_get_init_creds_password = krb5_get_init_creds_password; + } + + ret = k5c_recv_data(kr, STDIN_FILENO, &offline); + if (ret != EOK) { + goto done; + } + + close(STDIN_FILENO); + + kerr = privileged_krb5_setup(kr, offline); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "privileged_krb5_setup failed.\n"); + ret = 
EFAULT; + goto done; + } + + /* pkinit needs access to pcscd */ + if ((sss_authtok_get_type(kr->pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN + && sss_authtok_get_type(kr->pd->authtok) + != SSS_AUTHTOK_TYPE_SC_KEYPAD)) { + kerr = k5c_become_user(kr->uid, kr->gid, kr->posix_domain); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n"); + ret = EFAULT; + goto done; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid()); + try_open_krb5_conf(); + + ret = k5c_setup(kr, offline); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child_setup failed.\n"); + goto done; + } + + switch(kr->pd->cmd) { + case SSS_PAM_AUTHENTICATE: + /* If we are offline, we need to create an empty ccache file */ + if (offline) { + DEBUG(SSSDBG_TRACE_FUNC, "Will perform offline auth\n"); + ret = create_empty_ccache(kr); + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Will perform online auth\n"); + ret = tgt_req_child(kr); + } + break; + case SSS_PAM_CHAUTHTOK: + DEBUG(SSSDBG_TRACE_FUNC, "Will perform password change\n"); + ret = changepw_child(kr, false); + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + DEBUG(SSSDBG_TRACE_FUNC, "Will perform password change checks\n"); + ret = changepw_child(kr, true); + break; + case SSS_PAM_ACCT_MGMT: + DEBUG(SSSDBG_TRACE_FUNC, "Will perform account management\n"); + ret = kuserok_child(kr); + break; + case SSS_CMD_RENEW: + if (offline) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot renew TGT while offline\n"); + ret = KRB5_KDC_UNREACH; + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Will perform ticket renewal\n"); + ret = renew_tgt_child(kr); + break; + case SSS_PAM_PREAUTH: + DEBUG(SSSDBG_TRACE_FUNC, "Will perform pre-auth\n"); + ret = tgt_req_child(kr); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "PAM command [%d] not supported.\n", kr->pd->cmd); + ret = EINVAL; + goto done; + } + + ret = k5c_send_data(kr, STDOUT_FILENO, ret); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to send reply\n"); 
+ }
+
+done:
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "krb5_child completed successfully\n");
+ ret = 0;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "krb5_child failed!\n");
+ ret = -1;
+ }
+ krb5_cleanup(kr);
+ talloc_free(kr);
+ exit(ret);
+}
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
new file mode 100644
index 0000000..352ff98
--- /dev/null
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -0,0 +1,785 @@
+/*
+ SSSD
+
+ Kerberos 5 Backend Module - Manage krb5_child
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+#include "util/child_common.h"
+#include "providers/krb5/krb5_common.h"
+#include "providers/krb5/krb5_auth.h"
+#include "src/providers/krb5/krb5_utils.h"
+
+#ifndef KRB5_CHILD_DIR
+#ifndef SSSD_LIBEXEC_PATH
+#error "SSSD_LIBEXEC_PATH not defined"
+#endif /* SSSD_LIBEXEC_PATH */
+
+#define KRB5_CHILD_DIR SSSD_LIBEXEC_PATH
+#endif /* KRB5_CHILD_DIR */
+
+#define KRB5_CHILD KRB5_CHILD_DIR"/krb5_child"
+
+#define TIME_T_MAX LONG_MAX
+#define int64_to_time_t(val) ((time_t)((val) < TIME_T_MAX ? 
val : TIME_T_MAX)) + +struct handle_child_state { + struct tevent_context *ev; + struct krb5child_req *kr; + uint8_t *buf; + ssize_t len; + + struct tevent_timer *timeout_handler; + pid_t child_pid; + + struct child_io_fds *io; +}; + +static errno_t pack_authtok(struct io_buffer *buf, size_t *rp, + struct sss_auth_token *tok) +{ + uint32_t auth_token_type; + uint32_t auth_token_length = 0; + const char *data; + size_t len; + errno_t ret = EOK; + + auth_token_type = sss_authtok_get_type(tok); + + switch (auth_token_type) { + case SSS_AUTHTOK_TYPE_EMPTY: + auth_token_length = 0; + data = ""; + break; + case SSS_AUTHTOK_TYPE_PASSWORD: + ret = sss_authtok_get_password(tok, &data, &len); + auth_token_length = len + 1; + break; + case SSS_AUTHTOK_TYPE_CCFILE: + ret = sss_authtok_get_ccfile(tok, &data, &len); + auth_token_length = len + 1; + break; + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + data = (char *) sss_authtok_get_data(tok); + auth_token_length = sss_authtok_get_size(tok); + break; + default: + ret = EINVAL; + } + + if (ret == EOK) { + SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_type, rp); + SAFEALIGN_COPY_UINT32(&buf->data[*rp], &auth_token_length, rp); + if (data != NULL) { + safealign_memcpy(&buf->data[*rp], data, auth_token_length, rp); + } + } + + return ret; +} + +static errno_t create_send_buffer(struct krb5child_req *kr, + struct io_buffer **io_buf) +{ + struct io_buffer *buf; + size_t rp; + const char *keytab; + uint32_t validate; + uint32_t send_pac; + uint32_t use_enterprise_principal; + uint32_t posix_domain; + size_t username_len = 0; + errno_t ret; + + keytab = dp_opt_get_cstring(kr->krb5_ctx->opts, KRB5_KEYTAB); + if (keytab == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing keytab option.\n"); + return EINVAL; + } + + validate = dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) ? 
1 : 0; + + /* Always send PAC except for local IPA users and IPA server mode */ + switch (kr->krb5_ctx->config_type) { + case K5C_IPA_CLIENT: + send_pac = kr->upn_from_different_realm ? 1 : 0; + break; + case K5C_IPA_SERVER: + send_pac = 0; + break; + default: + send_pac = 1; + break; + } + + switch (kr->dom->type) { + case DOM_TYPE_POSIX: + posix_domain = 1; + break; + case DOM_TYPE_APPLICATION: + posix_domain = 0; + break; + default: + return EINVAL; + } + + if (kr->pd->cmd == SSS_CMD_RENEW || kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM + || kr->pd->cmd == SSS_PAM_CHAUTHTOK || kr->is_offline) { + use_enterprise_principal = false; + } else { + use_enterprise_principal = dp_opt_get_bool(kr->krb5_ctx->opts, + KRB5_USE_ENTERPRISE_PRINCIPAL) ? 1 : 0; + } + + buf = talloc(kr, struct io_buffer); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + return ENOMEM; + } + + buf->size = 9*sizeof(uint32_t) + strlen(kr->upn); + + if (kr->pd->cmd == SSS_PAM_AUTHENTICATE || + kr->pd->cmd == SSS_PAM_PREAUTH || + kr->pd->cmd == SSS_CMD_RENEW || + kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || + kr->pd->cmd == SSS_PAM_CHAUTHTOK) { + buf->size += 4*sizeof(uint32_t) + strlen(kr->ccname) + strlen(keytab) + + sss_authtok_get_size(kr->pd->authtok); + + buf->size += sizeof(uint32_t); + if (kr->old_ccname) { + buf->size += strlen(kr->old_ccname); + } + } + + if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { + buf->size += 2*sizeof(uint32_t) + + sss_authtok_get_size(kr->pd->newauthtok); + } + + if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { + username_len = strlen(kr->kuserok_user); + buf->size += sizeof(uint32_t) + username_len; + } + + buf->data = talloc_size(kr, buf->size); + if (buf->data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + talloc_free(buf); + return ENOMEM; + } + + rp = 0; + SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->pd->cmd, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->uid, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->gid, &rp); + 
SAFEALIGN_COPY_UINT32(&buf->data[rp], &validate, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &posix_domain, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &kr->is_offline, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &send_pac, &rp); + SAFEALIGN_COPY_UINT32(&buf->data[rp], &use_enterprise_principal, &rp); + + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->upn), &rp); + safealign_memcpy(&buf->data[rp], kr->upn, strlen(kr->upn), &rp); + + if (kr->pd->cmd == SSS_PAM_AUTHENTICATE || + kr->pd->cmd == SSS_PAM_PREAUTH || + kr->pd->cmd == SSS_CMD_RENEW || + kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM || + kr->pd->cmd == SSS_PAM_CHAUTHTOK) { + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->ccname), &rp); + safealign_memcpy(&buf->data[rp], kr->ccname, strlen(kr->ccname), &rp); + + if (kr->old_ccname) { + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(kr->old_ccname), &rp); + safealign_memcpy(&buf->data[rp], kr->old_ccname, + strlen(kr->old_ccname), &rp); + } else { + SAFEALIGN_SET_UINT32(&buf->data[rp], 0, &rp); + } + + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab), &rp); + safealign_memcpy(&buf->data[rp], keytab, strlen(keytab), &rp); + + ret = pack_authtok(buf, &rp, kr->pd->authtok); + if (ret) { + return ret; + } + } + + if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { + ret = pack_authtok(buf, &rp, kr->pd->newauthtok); + if (ret) { + return ret; + } + } + + if (kr->pd->cmd == SSS_PAM_ACCT_MGMT) { + SAFEALIGN_SET_UINT32(&buf->data[rp], username_len, &rp); + safealign_memcpy(&buf->data[rp], kr->kuserok_user, username_len, &rp); + } + + *io_buf = buf; + + return EOK; +} + + +static void krb5_child_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct handle_child_state *state = tevent_req_data(req, + struct handle_child_state); + int ret; + + if (state->timeout_handler == NULL) { + return; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, + "Timeout for child [%d] reached. 
In case KDC is distant or network " + "is slow you may consider increasing value of krb5_auth_timeout.\n", + state->child_pid); + + ret = kill(state->child_pid, SIGKILL); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "kill failed [%d][%s].\n", errno, strerror(errno)); + } + + tevent_req_error(req, ETIMEDOUT); +} + +static errno_t activate_child_timeout_handler(struct tevent_req *req, + struct tevent_context *ev, + const uint32_t timeout_seconds) +{ + struct timeval tv; + struct handle_child_state *state = tevent_req_data(req, + struct handle_child_state); + + tv = tevent_timeval_current(); + tv = tevent_timeval_add(&tv, timeout_seconds, 0); + state->timeout_handler = tevent_add_timer(ev, state, tv, + krb5_child_timeout, req); + if (state->timeout_handler == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + return ENOMEM; + } + + return EOK; +} + +errno_t set_extra_args(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, + const char ***krb5_child_extra_args) +{ + const char **extra_args; + size_t c = 0; + int ret; + + if (krb5_ctx == NULL || krb5_child_extra_args == NULL) { + return EINVAL; + } + + extra_args = talloc_zero_array(mem_ctx, const char *, 10); + if (extra_args == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); + return ENOMEM; + } + + extra_args[c] = talloc_asprintf(extra_args, + "--"CHILD_OPT_FAST_CCACHE_UID"=%"SPRIuid, + getuid()); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + + extra_args[c] = talloc_asprintf(extra_args, + "--"CHILD_OPT_FAST_CCACHE_GID"=%"SPRIgid, + getgid()); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + + if (krb5_ctx->realm != NULL) { + extra_args[c] = talloc_asprintf(extra_args, "--"CHILD_OPT_REALM"=%s", + krb5_ctx->realm); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; 
+ goto done; + } + c++; + } + + if (krb5_ctx->lifetime_str != NULL) { + extra_args[c] = talloc_asprintf(extra_args, "--"CHILD_OPT_LIFETIME"=%s", + krb5_ctx->lifetime_str); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + } + + if (krb5_ctx->rlife_str != NULL) { + extra_args[c] = talloc_asprintf(extra_args, + "--"CHILD_OPT_RENEWABLE_LIFETIME"=%s", + krb5_ctx->rlife_str); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + } + + if (krb5_ctx->use_fast_str != NULL) { + extra_args[c] = talloc_asprintf(extra_args, "--"CHILD_OPT_USE_FAST"=%s", + krb5_ctx->use_fast_str); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + + if (krb5_ctx->fast_principal != NULL) { + extra_args[c] = talloc_asprintf(extra_args, + "--"CHILD_OPT_FAST_PRINCIPAL"=%s", + krb5_ctx->fast_principal); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + } + } + + if (krb5_ctx->canonicalize) { + extra_args[c] = talloc_strdup(extra_args, + "--" CHILD_OPT_CANONICALIZE); + if (extra_args[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + c++; + } + + if (krb5_ctx->sss_creds_password) { + extra_args[c] = talloc_strdup(extra_args, + "--" CHILD_OPT_SSS_CREDS_PASSWORD); + if (extra_args[c] == NULL) { + ret = ENOMEM; + goto done; + } + c++; + } + + extra_args[c] = NULL; + + *krb5_child_extra_args = extra_args; + + ret = EOK; + +done: + + if (ret != EOK) { + talloc_free(extra_args); + } + + return ret; +} + +static errno_t fork_child(struct tevent_req *req) +{ + int pipefd_to_child[2] = PIPE_INIT; + int pipefd_from_child[2] = PIPE_INIT; + pid_t pid; + errno_t ret; + const char **krb5_child_extra_args; + struct handle_child_state *state = 
tevent_req_data(req, + struct handle_child_state); + + ret = set_extra_args(state, state->kr->krb5_ctx, &krb5_child_extra_args); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "set_extra_args failed.\n"); + goto fail; + } + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", errno, strerror(errno)); + goto fail; + } + + pid = fork(); + + if (pid == 0) { /* child */ + exec_child_ex(state, + pipefd_to_child, pipefd_from_child, + KRB5_CHILD, state->kr->krb5_ctx->child_debug_fd, + krb5_child_extra_args, false, + STDIN_FILENO, STDOUT_FILENO); + + /* We should never get here */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec KRB5 child\n"); + } else if (pid > 0) { /* parent */ + state->child_pid = pid; + state->io->read_from_child_fd = pipefd_from_child[0]; + PIPE_FD_CLOSE(pipefd_from_child[1]); + state->io->write_to_child_fd = pipefd_to_child[1]; + PIPE_FD_CLOSE(pipefd_to_child[0]); + sss_fd_nonblocking(state->io->read_from_child_fd); + sss_fd_nonblocking(state->io->write_to_child_fd); + + ret = child_handler_setup(state->ev, pid, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set up child signal handler\n"); + goto fail; + } + + ret = activate_child_timeout_handler(req, state->ev, + dp_opt_get_int(state->kr->krb5_ctx->opts, KRB5_AUTH_TIMEOUT)); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "activate_child_timeout_handler failed.\n"); + } + + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", errno, strerror(ret)); + goto fail; + } + + return EOK; + +fail: + PIPE_CLOSE(pipefd_from_child); + PIPE_CLOSE(pipefd_to_child); + return ret; +} + +static void handle_child_step(struct tevent_req *subreq); +static void handle_child_done(struct tevent_req *subreq); 
+ +struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct krb5child_req *kr) +{ + struct tevent_req *req, *subreq; + struct handle_child_state *state; + int ret; + struct io_buffer *buf = NULL; + + req = tevent_req_create(mem_ctx, &state, struct handle_child_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->kr = kr; + state->buf = NULL; + state->len = 0; + state->child_pid = -1; + state->timeout_handler = NULL; + + state->io = talloc(state, struct child_io_fds); + if (state->io == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto fail; + } + state->io->write_to_child_fd = -1; + state->io->read_from_child_fd = -1; + talloc_set_destructor((void *) state->io, child_io_destructor); + + ret = create_send_buffer(kr, &buf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "create_send_buffer failed.\n"); + goto fail; + } + + ret = fork_child(req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "fork_child failed.\n"); + goto fail; + } + + subreq = write_pipe_send(state, ev, buf->data, buf->size, + state->io->write_to_child_fd); + if (!subreq) { + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, handle_child_step, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void handle_child_step(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct handle_child_state *state = tevent_req_data(req, + struct handle_child_state); + int ret; + + ret = write_pipe_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + PIPE_FD_CLOSE(state->io->write_to_child_fd); + + subreq = read_pipe_send(state, state->ev, state->io->read_from_child_fd); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, handle_child_done, req); +} + +static void 
handle_child_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct handle_child_state *state = tevent_req_data(req, + struct handle_child_state); + int ret; + + talloc_zfree(state->timeout_handler); + + ret = read_pipe_recv(subreq, state, &state->buf, &state->len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + PIPE_FD_CLOSE(state->io->read_from_child_fd); + + tevent_req_done(req); + return; +} + +int handle_child_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + uint8_t **buf, ssize_t *len) +{ + struct handle_child_state *state = tevent_req_data(req, + struct handle_child_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *buf = talloc_move(mem_ctx, &state->buf); + *len = state->len; + + return EOK; +} + +errno_t +parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, + struct pam_data *pd, int pwd_exp_warning, + struct krb5_child_response **_res) +{ + ssize_t pref_len; + size_t p; + errno_t ret; + bool skip; + char *ccname = NULL; + size_t ccname_len = 0; + int32_t msg_status; + int32_t msg_type; + int32_t msg_len; + int64_t time_data; + struct tgt_times tgtt; + uint32_t expiration; + uint32_t msg_subtype; + struct krb5_child_response *res; + const char *upn = NULL; + size_t upn_len = 0; + bool otp = false; + + if ((size_t) len < sizeof(int32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "message too short.\n"); + return EINVAL; + } + + memset(&tgtt, 0, sizeof(struct tgt_times)); + + if (pwd_exp_warning < 0) { + pwd_exp_warning = KERBEROS_PWEXPIRE_WARNING_TIME; + } + + /* A buffer with the following structure is expected. 
+ * int32_t status of the request (required) + * message (zero or more) + * + * A message consists of: + * int32_t type of the message + * int32_t length of the following data + * uint8_t[len] data + */ + + p=0; + SAFEALIGN_COPY_INT32(&msg_status, buf+p, &p); + + while (p < len) { + skip = false; + SAFEALIGN_COPY_INT32(&msg_type, buf+p, &p); + SAFEALIGN_COPY_INT32(&msg_len, buf+p, &p); + + DEBUG(SSSDBG_TRACE_LIBS, "child response [%d][%d][%d].\n", + msg_status, msg_type, msg_len); + + if (msg_len > len - p) { + DEBUG(SSSDBG_CRIT_FAILURE, "message format error [%d] > [%zu].\n", + msg_len, len - p); + return EINVAL; + } + + /* We need to save the name of the credential cache file. To find it + * we check if the data part of a message starts with + * CCACHE_ENV_NAME"=". pref_len also counts the trailing '=' because + * sizeof() counts the trailing '\0' of a string. */ + pref_len = sizeof(CCACHE_ENV_NAME); + if ((msg_type == SSS_PAM_ENV_ITEM) && + (msg_len > pref_len) && + (strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0)) { + ccname = (char *) &buf[p+pref_len]; + ccname_len = msg_len-pref_len; + } + + if (msg_type == SSS_KRB5_INFO_TGT_LIFETIME && + msg_len == 4*sizeof(int64_t)) { + SAFEALIGN_COPY_INT64(&time_data, buf+p, NULL); + tgtt.authtime = int64_to_time_t(time_data); + SAFEALIGN_COPY_INT64(&time_data, buf+p+sizeof(int64_t), NULL); + tgtt.starttime = int64_to_time_t(time_data); + SAFEALIGN_COPY_INT64(&time_data, buf+p+2*sizeof(int64_t), NULL); + tgtt.endtime = int64_to_time_t(time_data); + SAFEALIGN_COPY_INT64(&time_data, buf+p+3*sizeof(int64_t), NULL); + tgtt.renew_till = int64_to_time_t(time_data); + DEBUG(SSSDBG_TRACE_LIBS, "TGT times are [%ld][%ld][%ld][%ld].\n", + tgtt.authtime, tgtt.starttime, tgtt.endtime, tgtt.renew_till); + } + + if (msg_type == SSS_KRB5_INFO_UPN) { + upn = (char *) buf + p; + upn_len = msg_len; + } + + if (msg_type == SSS_PAM_USER_INFO) { + SAFEALIGN_COPY_UINT32(&msg_subtype, buf + p, NULL); + if (msg_subtype == 
SSS_PAM_USER_INFO_EXPIRE_WARN) { + SAFEALIGN_COPY_UINT32(&expiration, + buf + p + sizeof(uint32_t), NULL); + if (pwd_exp_warning > 0 && + difftime(pwd_exp_warning, expiration) < 0.0) { + skip = true; + } + } + } + + if (msg_type == SSS_OTP) { + otp = true; + skip = true; + } + + if (!skip) { + ret = pam_add_response(pd, msg_type, msg_len, &buf[p]); + if (ret != EOK) { + /* This is not a fatal error */ + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + + p += msg_len; + + if ((p < len) && (p + 2*sizeof(int32_t) > len)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The remainder of the message is too short.\n"); + return EINVAL; + } + } + + res = talloc_zero(mem_ctx, struct krb5_child_response); + if (!res) return ENOMEM; + + res->otp = otp; + res->msg_status = msg_status; + memcpy(&res->tgtt, &tgtt, sizeof(tgtt)); + + if (ccname) { + res->ccname = talloc_strndup(res, ccname, ccname_len); + if (res->ccname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n"); + talloc_free(res); + return ENOMEM; + } + } + + if (upn != NULL) { + res->correct_upn = talloc_strndup(res, upn, upn_len); + if (res->correct_upn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n"); + talloc_free(res); + return ENOMEM; + } + } + + *_res = res; + return EOK; +} diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c new file mode 100644 index 0000000..2b003e1 --- /dev/null +++ b/src/providers/krb5/krb5_common.c 
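Review bot: In parse_krb5_child_response the type/length header of the first message is read without checking that eight bytes remain: the entry check only guarantees `sizeof(int32_t)` bytes for the status, and the "remainder of the message is too short" test runs only after a message has been consumed, so a reply of 5 to 11 bytes lets the two `SAFEALIGN_COPY_INT32` calls read past `buf`. The `SSS_PAM_USER_INFO` branch has the same gap: it reads `msg_subtype` and then `expiration` from `buf + p` without comparing `msg_len` against 4 and 8 bytes. Moving the header check to the top of the loop and guarding both reads on `msg_len` closes this; the sketch below also makes the negative-`msg_len` case explicit, which at present is rejected only through the implicit conversion to an unsigned type in `msg_len > len - p`. The buffer is what handle_child_done reads from the krb5_child pipe, so this parser is the place where its framing has to be validated.

```c
    while (p < len) {
        skip = false;
        /* Every message needs a complete type/length header. */
        if ((size_t) len - p < 2 * sizeof(int32_t)) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "The remainder of the message is too short.\n");
            return EINVAL;
        }
        SAFEALIGN_COPY_INT32(&msg_type, buf+p, &p);
        SAFEALIGN_COPY_INT32(&msg_len, buf+p, &p);
        /* … unchanged: debug output … */
        if (msg_len < 0 || (size_t) msg_len > (size_t) len - p) {
            /* … unchanged: "message format error" and return EINVAL … */
        }
        /* … unchanged: ccname, TGT lifetime and UPN handling … */
        if (msg_type == SSS_PAM_USER_INFO
                && (size_t) msg_len >= sizeof(uint32_t)) {
            SAFEALIGN_COPY_UINT32(&msg_subtype, buf + p, NULL);
            if (msg_subtype == SSS_PAM_USER_INFO_EXPIRE_WARN
                    && (size_t) msg_len >= 2 * sizeof(uint32_t)) {
                /* … unchanged: expiration read and skip decision … */
            }
        }
```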
@@ -0,0 +1,1151 @@ +/* + SSSD + + Kerberos Provider Common Functions + + Authors: + Sumit Bose + + Copyright (C) 2008-2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include +#include +#include +#include +#include +#include + +#include "providers/backend.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_opts.h" +#include "providers/krb5/krb5_utils.h" + +#ifdef HAVE_KRB5_CC_COLLECTION +/* krb5 profile functions */ +#include +#endif + +static errno_t check_lifetime(TALLOC_CTX *mem_ctx, struct dp_option *opts, + const int opt_id, char **lifetime_str) +{ + int ret; + char *str = NULL; + krb5_deltat lifetime; + + str = dp_opt_get_string(opts, opt_id); + if (str == NULL || *str == '\0') { + DEBUG(SSSDBG_FUNC_DATA, "No lifetime configured.\n"); + *lifetime_str = NULL; + return EOK; + } + + if (isdigit(str[strlen(str)-1])) { + str = talloc_asprintf(mem_ctx, "%ss", str); + if (str == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(opts, opt_id, str); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); + goto done; + } + } else { + str = talloc_strdup(mem_ctx, str); + if (str == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + ret = krb5_string_to_deltat(str, &lifetime); + if (ret != 0) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value [%s] for a lifetime.\n", str); + ret = EINVAL; + goto done; + } + + *lifetime_str = str; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(str); + } + + return ret; +} + +#ifdef HAVE_KRB5_CC_COLLECTION +/* source default_ccache_name from krb5.conf */ +static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx, + char **ccname) +{ + krb5_context ctx; + profile_t p; + char *value = NULL; + long ret; + + *ccname = NULL; + + ret = sss_krb5_init_context(&ctx); + if (ret) return ret; + + ret = krb5_get_profile(ctx, &p); + if (ret) goto done; + + ret = profile_get_string(p, "libdefaults", "default_ccache_name", + NULL, NULL, &value); + profile_release(p); + if (ret) goto done; + + if (!value) { + ret = ERR_NOT_FOUND; + goto done; + } + + *ccname = talloc_strdup(mem_ctx, value); + if (*ccname == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + krb5_free_context(ctx); + free(value); + return ret; +} +#else +static errno_t sss_get_system_ccname_template(TALLOC_CTX *mem_ctx, + char **ccname) +{ + DEBUG(SSSDBG_CONF_SETTINGS, + "Your kerberos library does not support the default_ccache_name " + "option or the profile library. 
Please use krb5_ccname_template " + "in sssd.conf if you want to change the default\n"); + *ccname = NULL; + return ERR_NOT_FOUND; +} +#endif + +static void sss_check_cc_template(const char *cc_template) +{ + size_t template_len; + + template_len = strlen(cc_template); + if (template_len >= 6 && + strcmp(cc_template + (template_len - 6), "XXXXXX") != 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "ccache file name template [%s] doesn't " + "contain randomizing characters (XXXXXX), file might not " + "be rewritable\n", cc_template); + } +} + +errno_t sss_krb5_check_options(struct dp_option *opts, + struct sss_domain_info *dom, + struct krb5_ctx *krb5_ctx) +{ + TALLOC_CTX *tmp_ctx = NULL; + int ret; + const char *realm; + const char *dummy; + char *ccname; + + if (opts == NULL || dom == NULL || krb5_ctx == NULL) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + realm = dp_opt_get_cstring(opts, KRB5_REALM); + if (realm == NULL) { + ret = dp_opt_set_string(opts, KRB5_REALM, dom->name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); + goto done; + } + realm = dom->name; + } + + krb5_ctx->realm = talloc_strdup(krb5_ctx, realm); + if (krb5_ctx->realm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to set realm, krb5_child might not work as expected.\n"); + } + + ret = check_lifetime(krb5_ctx, opts, KRB5_RENEWABLE_LIFETIME, + &krb5_ctx->rlife_str); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to check value of krb5_renewable_lifetime. [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + ret = check_lifetime(krb5_ctx, opts, KRB5_LIFETIME, + &krb5_ctx->lifetime_str); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to check value of krb5_lifetime. 
[%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + krb5_ctx->use_fast_str = dp_opt_get_cstring(opts, KRB5_USE_FAST); + if (krb5_ctx->use_fast_str != NULL) { + ret = check_fast(krb5_ctx->use_fast_str, &krb5_ctx->use_fast); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "check_fast failed.\n"); + goto done; + } + + if (krb5_ctx->use_fast) { + krb5_ctx->fast_principal = dp_opt_get_cstring(opts, + KRB5_FAST_PRINCIPAL); + } + } + + /* In contrast to MIT KDCs AD does not automatically canonicalize the + * enterprise principal in an AS request but requires the canonicalize + * flags to be set. To be on the safe side we always enable + * canonicalization if enterprise principals are used. */ + krb5_ctx->canonicalize = false; + if (dp_opt_get_bool(opts, KRB5_CANONICALIZE) + || dp_opt_get_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL)) { + krb5_ctx->canonicalize = true; + } + + dummy = dp_opt_get_cstring(opts, KRB5_KDC); + if (dummy == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "No KDC explicitly configured, using defaults.\n"); + } + + dummy = dp_opt_get_cstring(opts, KRB5_KPASSWD); + if (dummy == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "No kpasswd server explicitly configured, " + "using the KDC or defaults.\n"); + } + + ccname = dp_opt_get_string(opts, KRB5_CCNAME_TMPL); + if (ccname != NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "The credential ccache name template has been explicitly set " + "in sssd.conf, it is recommended to set default_ccache_name " + "in krb5.conf instead so that a system default is used\n"); + ccname = talloc_strdup(tmp_ctx, ccname); + if (!ccname) { + ret = ENOMEM; + goto done; + } + } else { + ret = sss_get_system_ccname_template(tmp_ctx, &ccname); + if (ret && ret != ERR_NOT_FOUND) { + goto done; + } + if (ret == ERR_NOT_FOUND) { + /* Use fallback default */ + ccname = talloc_strdup(tmp_ctx, DEFAULT_CCNAME_TEMPLATE); + if (!ccname) { + ret = ENOMEM; + goto done; + } + } + + /* set back in opts */ + ret = dp_opt_set_string(opts, KRB5_CCNAME_TMPL, 
ccname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); + goto done; + } + } + + if ((ccname[0] == '/') || (strncmp(ccname, "FILE:", 5) == 0)) { + DEBUG(SSSDBG_CONF_SETTINGS, "ccache is of type FILE\n"); + /* warn if the file type (which is usally created in a sticky bit + * laden directory) does not have randomizing chracters */ + sss_check_cc_template(ccname); + + if (ccname[0] == '/') { + /* /path/to/cc prepend FILE: */ + DEBUG(SSSDBG_CONF_SETTINGS, "The ccname template was " + "missing an explicit type, but is an absolute " + "path specifier. Assuming FILE:\n"); + + ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname); + if (!ccname) { + ret = ENOMEM; + goto done; + } + + ret = dp_opt_set_string(opts, KRB5_CCNAME_TMPL, ccname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); + goto done; + } + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t krb5_try_kdcip(struct confdb_ctx *cdb, const char *conf_path, + struct dp_option *opts, int opt_id) +{ + char *krb5_servers = NULL; + errno_t ret; + + krb5_servers = dp_opt_get_string(opts, opt_id); + if (krb5_servers == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No KDC found in configuration, trying legacy option\n"); + ret = confdb_get_string(cdb, NULL, conf_path, + "krb5_kdcip", NULL, &krb5_servers); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string failed.\n"); + return ret; + } + + if (krb5_servers != NULL) + { + ret = dp_opt_set_string(opts, opt_id, krb5_servers); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); + talloc_free(krb5_servers); + return ret; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Set krb5 server [%s] based on legacy krb5_kdcip option\n", + krb5_servers); + DEBUG(SSSDBG_FATAL_FAILURE, + "Your configuration uses the deprecated option " + "'krb5_kdcip' to specify the KDC. 
Please change the " + "configuration to use the 'krb5_server' option " + "instead.\n"); + talloc_free(krb5_servers); + } + } + + return EOK; +} + +errno_t sss_krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, + const char *conf_path, struct dp_option **_opts) +{ + int ret; + struct dp_option *opts; + + ret = dp_get_options(memctx, cdb, conf_path, default_krb5_opts, + KRB5_OPTS, &opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_get_options failed.\n"); + goto done; + } + + /* If there is no KDC, try the deprecated krb5_kdcip option, too */ + /* FIXME - this can be removed in a future version */ + ret = krb5_try_kdcip(cdb, conf_path, opts, KRB5_KDC); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_try_kdcip failed.\n"); + goto done; + } + + *_opts = opts; + ret = EOK; + +done: + if (ret != EOK) { + talloc_zfree(opts); + } + + return ret; +} + +static int remove_info_files_destructor(void *p) +{ + int ret; + struct remove_info_files_ctx *ctx = talloc_get_type(p, + struct remove_info_files_ctx); + + ret = remove_krb5_info_files(ctx, ctx->realm); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "remove_krb5_info_files failed.\n"); + } + ctx->krb5_service->removal_callback_available = false; + + return 0; +} + +static errno_t +krb5_add_krb5info_offline_callback(struct krb5_service *krb5_service) +{ + int ret; + struct remove_info_files_ctx *ctx = NULL; + + if (krb5_service == NULL || krb5_service->name == NULL + || krb5_service->realm == NULL + || krb5_service->be_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing KDC service name or realm!\n"); + return EINVAL; + } + + if (krb5_service->removal_callback_available) { + DEBUG(SSSDBG_TRACE_ALL, + "Removal callback already available for service [%s].\n", + krb5_service->name); + return EOK; + } + + ctx = talloc_zero(krb5_service->be_ctx, struct remove_info_files_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zfree failed.\n"); + return ENOMEM; + } + + ctx->realm = 
talloc_strdup(ctx, krb5_service->realm); + if (ctx->realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n"); + ret = ENOMEM; + goto done; + } + + ctx->be_ctx = krb5_service->be_ctx; + ctx->krb5_service = krb5_service; + ctx->kdc_service_name = talloc_strdup(ctx, krb5_service->name); + if (ctx->kdc_service_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n"); + ret = ENOMEM; + goto done; + } + + ret = be_add_offline_cb(ctx, krb5_service->be_ctx, + remove_krb5_info_files_callback, ctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_offline_cb failed.\n"); + goto done; + } + + talloc_set_destructor((TALLOC_CTX *) ctx, remove_info_files_destructor); + krb5_service->removal_callback_available = true; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_zfree(ctx); + } + + return ret; +} + +static errno_t write_krb5info_file_contents(struct krb5_service *krb5_service, + const char *contents, + const char *service) +{ + int ret; + int fd = -1; + char *tmp_name = NULL; + char *krb5info_name = NULL; + TALLOC_CTX *tmp_ctx = NULL; + const char *name_tmpl = NULL; + size_t server_len; + ssize_t written; + + if (krb5_service == NULL || krb5_service->realm == NULL + || *krb5_service->realm == '\0' + || contents == NULL || *contents == '\0' + || service == NULL || *service == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "Missing or empty realm, server or service.\n"); + return EINVAL; + } + + if (sss_krb5_realm_has_proxy(krb5_service->realm)) { + DEBUG(SSSDBG_CONF_SETTINGS, + "KDC Proxy available for realm [%s], no kdcinfo file created.\n", + krb5_service->realm); + return EOK; + } + + if (strcmp(service, SSS_KRB5KDC_FO_SRV) == 0) { + name_tmpl = KDCINFO_TMPL; + } else if (strcmp(service, SSS_KRB5KPASSWD_FO_SRV) == 0) { + name_tmpl = KPASSWDINFO_TMPL; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported service [%s].\n", service); + return EINVAL; + } + + server_len = strlen(contents); + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == 
NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + tmp_name = talloc_asprintf(tmp_ctx, PUBCONF_PATH"/.krb5info_dummy_XXXXXX"); + if (tmp_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + krb5info_name = talloc_asprintf(tmp_ctx, name_tmpl, krb5_service->realm); + if (krb5info_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + fd = sss_unique_file(tmp_ctx, tmp_name, &ret); + if (fd == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_unique_file failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + errno = 0; + written = sss_atomic_write_s(fd, discard_const(contents), server_len); + if (written == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "write failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + if (written != server_len) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Write error, wrote [%zd] bytes, expected [%zu]\n", + written, server_len); + ret = EIO; + goto done; + } + + ret = fchmod(fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fchmod failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + ret = close(fd); + fd = -1; + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "close failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + ret = rename(tmp_name, krb5info_name); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "rename failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + ret = krb5_add_krb5info_offline_callback(krb5_service); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add offline callback, krb5info " + "file might not be removed properly.\n"); + } + + ret = EOK; +done: + if (fd != -1) { + close(fd); + } + + talloc_free(tmp_ctx); + return ret; +} + +errno_t write_krb5info_file(struct krb5_service *krb5_service, + char **server_list, + const char *service) +{ + int i; + 
errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + char *contents = NULL; + + if (krb5_service == NULL || server_list == NULL || service == NULL) { + return EINVAL; + } + + if (server_list[0] == NULL) { + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + contents = talloc_strdup(tmp_ctx, ""); + if (contents == NULL) { + ret = ENOMEM; + goto done; + } + + i = 0; + do { + contents = talloc_asprintf_append(contents, "%s\n", server_list[i]); + if (contents == NULL) { + ret = ENOMEM; + goto done; + } + i++; + } while (server_list[i] != NULL); + + ret = write_krb5info_file_contents(krb5_service, contents, service); +done: + talloc_free(tmp_ctx); + return ret; +} + +static void krb5_resolve_callback(void *private_data, struct fo_server *server) +{ + struct krb5_service *krb5_service; + struct resolv_hostent *srvaddr; + char *address; + char *safe_addr_list[2] = { NULL, NULL }; + int ret; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed\n"); + return; + } + + krb5_service = talloc_get_type(private_data, struct krb5_service); + if (!krb5_service) { + DEBUG(SSSDBG_CRIT_FAILURE, "FATAL: Bad private_data\n"); + talloc_free(tmp_ctx); + return; + } + + srvaddr = fo_get_server_hostent(server); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, + "FATAL: No hostent available for server (%s)\n", + fo_get_server_str_name(server)); + talloc_free(tmp_ctx); + return; + } + + address = resolv_get_string_address(tmp_ctx, srvaddr); + if (address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_string_address failed.\n"); + talloc_free(tmp_ctx); + return; + } + + safe_addr_list[0] = sss_escape_ip_address(tmp_ctx, + srvaddr->family, + address); + if (safe_addr_list[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_escape_ip_address failed.\n"); + talloc_free(tmp_ctx); + return; + } + + if (krb5_service->write_kdcinfo) { + safe_addr_list[0] = 
talloc_asprintf_append(safe_addr_list[0], ":%d", + fo_get_server_port(server)); + if (safe_addr_list[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); + talloc_free(tmp_ctx); + return; + } + + ret = write_krb5info_file(krb5_service, + safe_addr_list, + krb5_service->name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "write_krb5info_file failed, authentication might fail.\n"); + } + } + + talloc_free(tmp_ctx); + return; +} + +static errno_t _krb5_servers_init(struct be_ctx *ctx, + struct krb5_service *service, + const char *service_name, + const char *servers, + bool primary) +{ + TALLOC_CTX *tmp_ctx; + char **list = NULL; + errno_t ret = 0; + int i; + char *port_str; + long port; + char *server_spec; + char *endptr; + struct servent *servent; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ret = split_on_separator(tmp_ctx, servers, ',', true, true, &list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n"); + goto done; + } + + for (i = 0; list[i]; i++) { + talloc_steal(service, list[i]); + server_spec = talloc_strdup(service, list[i]); + if (!server_spec) { + ret = ENOMEM; + goto done; + } + + if (be_fo_is_srv_identifier(server_spec)) { + if (!primary) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add server [%s] to failover service: " + "SRV resolution only allowed for primary servers!\n", + list[i]); + continue; + } + + ret = be_fo_add_srv_server(ctx, service_name, service_name, NULL, + BE_FO_PROTO_UDP, true, NULL); + if (ret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Added service lookup\n"); + continue; + } + + /* Do not try to get port number if last character is ']' */ + if (server_spec[strlen(server_spec) - 1] != ']') { + port_str = strrchr(server_spec, ':'); + } else { + port_str = NULL; + } + + if (port_str == NULL) { + port = 0; + } else { + *port_str = '\0'; + ++port_str; + if 
(isdigit(*port_str)) { + errno = 0; + port = strtol(port_str, &endptr, 10); + if (errno != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "strtol failed on [%s]: [%d][%s].\n", port_str, + ret, strerror(ret)); + goto done; + } + if (*endptr != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Found additional characters [%s] in port number " + "[%s].\n", endptr, port_str); + ret = EINVAL; + goto done; + } + + if (port < 1 || port > 65535) { + DEBUG(SSSDBG_CRIT_FAILURE, "Illegal port number [%ld].\n", port); + ret = EINVAL; + goto done; + } + } else if (isalpha(*port_str)) { + servent = getservbyname(port_str, NULL); + if (servent == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "getservbyname cannot find service [%s].\n", + port_str); + ret = EINVAL; + goto done; + } + + port = servent->s_port; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported port specifier in [%s].\n", list[i]); + ret = EINVAL; + goto done; + } + } + + /* It could be ipv6 address in square brackets. Remove + * the brackets if needed. */ + ret = remove_ipv6_brackets(server_spec); + if (ret != EOK) { + goto done; + } + + ret = be_fo_add_server(ctx, service_name, server_spec, (int) port, + list[i], primary); + if (ret && ret != EEXIST) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Added Server %s\n", list[i]); + } + +done: + talloc_free(tmp_ctx); + return ret; +} + +static inline errno_t +krb5_primary_servers_init(struct be_ctx *ctx, struct krb5_service *service, + const char *service_name, const char *servers) +{ + return _krb5_servers_init(ctx, service, service_name, servers, true); +} + +static inline errno_t +krb5_backup_servers_init(struct be_ctx *ctx, struct krb5_service *service, + const char *service_name, const char *servers) +{ + return _krb5_servers_init(ctx, service, service_name, servers, false); +} + +static int krb5_user_data_cmp(void *ud1, void *ud2) +{ + return strcasecmp((char*) ud1, (char*) ud2); +} + +struct krb5_service 
*krb5_service_new(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + const char *service_name, + const char *realm, + bool use_kdcinfo) +{ + struct krb5_service *service; + + service = talloc_zero(mem_ctx, struct krb5_service); + if (service == NULL) { + return NULL; + } + + service->name = talloc_strdup(service, service_name); + if (service->name == NULL) { + talloc_free(service); + return NULL; + } + + service->realm = talloc_strdup(service, realm); + if (service->realm == NULL) { + talloc_free(service); + return NULL; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "write_kdcinfo for realm %s set to %s\n", + realm, + use_kdcinfo ? "true" : "false"); + service->write_kdcinfo = use_kdcinfo; + service->be_ctx = be_ctx; + return service; +} + +int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, + const char *service_name, + const char *primary_servers, + const char *backup_servers, + const char *realm, + bool use_kdcinfo, + struct krb5_service **_service) +{ + TALLOC_CTX *tmp_ctx; + struct krb5_service *service; + int ret; + + tmp_ctx = talloc_new(memctx); + if (!tmp_ctx) { + return ENOMEM; + } + + service = krb5_service_new(tmp_ctx, ctx, service_name, realm, use_kdcinfo); + if (!service) { + ret = ENOMEM; + goto done; + } + + ret = be_fo_add_service(ctx, service_name, krb5_user_data_cmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n"); + goto done; + } + + if (!primary_servers) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No primary servers defined, using service discovery\n"); + primary_servers = BE_SRV_IDENTIFIER; + } + + ret = krb5_primary_servers_init(ctx, service, service_name, primary_servers); + if (ret != EOK) { + goto done; + } + + if (backup_servers) { + ret = krb5_backup_servers_init(ctx, service, service_name, + backup_servers); + if (ret != EOK) { + goto done; + } + } + + ret = be_fo_service_add_callback(memctx, ctx, service_name, + krb5_resolve_callback, service); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to 
add failover callback!\n"); + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_service = talloc_steal(memctx, service); + } + talloc_zfree(tmp_ctx); + return ret; +} + + +errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm) +{ + int ret; + errno_t err; + char *file; + + file = talloc_asprintf(mem_ctx, KDCINFO_TMPL, realm); + if(file == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + errno = 0; + ret = unlink(file); + if (ret == -1) { + err = errno; + DEBUG(SSSDBG_FUNC_DATA, "Could not remove [%s], [%d][%s]\n", file, + err, strerror(err)); + } + + file = talloc_asprintf(mem_ctx, KPASSWDINFO_TMPL, realm); + if(file == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + errno = 0; + ret = unlink(file); + if (ret == -1) { + err = errno; + DEBUG(SSSDBG_FUNC_DATA, "Could not remove [%s], [%d][%s]\n", file, + err, strerror(err)); + } + + return EOK; +} + +void remove_krb5_info_files_callback(void *pvt) +{ + int ret; + struct remove_info_files_ctx *ctx = talloc_get_type(pvt, + struct remove_info_files_ctx); + + ret = be_fo_run_callbacks_at_next_request(ctx->be_ctx, + ctx->kdc_service_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "be_fo_run_callbacks_at_next_request failed, " + "krb5 info files will not be removed, because " + "it is unclear if they will be recreated properly.\n"); + return; + } + if (ctx->kpasswd_service_name != NULL) { + ret = be_fo_run_callbacks_at_next_request(ctx->be_ctx, + ctx->kpasswd_service_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "be_fo_run_callbacks_at_next_request failed, " + "krb5 info files will not be removed, because " + "it is unclear if they will be recreated properly.\n"); + return; + } + } + + /* Freeing the remove_info_files_ctx will remove the related krb5info + * file. 
Additionally the callback from the list of callbacks is removed, + * it will be added again when a new krb5info file is created. */ + talloc_free(ctx); +} + +void krb5_finalize(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + orderly_shutdown(0); +} + +errno_t krb5_install_sigterm_handler(struct tevent_context *ev, + struct krb5_ctx *krb5_ctx) +{ + const char *krb5_realm; + char *sig_realm; + struct tevent_signal *sige; + + BlockSignals(false, SIGTERM); + + krb5_realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM); + if (krb5_realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing krb5_realm option!\n"); + return EINVAL; + } + + sig_realm = talloc_strdup(krb5_ctx, krb5_realm); + if (sig_realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n"); + return ENOMEM; + } + + sige = tevent_add_signal(ev, krb5_ctx, SIGTERM, SA_SIGINFO, krb5_finalize, + sig_realm); + if (sige == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); + talloc_free(sig_realm); + return ENOMEM; + } + talloc_steal(sige, sig_realm); + + return EOK; +} + +errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, + struct sss_domain_info *dom, const char *username, + const char *user_dom, char **_upn) +{ + const char *realm = NULL; + char *uc_dom = NULL; + char *upn; + char *name; + TALLOC_CTX *tmp_ctx = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + if (user_dom != NULL && dom->name != NULL && + strcasecmp(dom->name, user_dom) != 0) { + uc_dom = get_uppercase_realm(tmp_ctx, user_dom); + if (uc_dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + realm = dp_opt_get_cstring(krb5_ctx->opts, KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing Kerberos realm.\n"); + ret = ENOMEM; + 
goto done; + } + } + + /* The internal username is qualified, but we are only interested in + * the name part + */ + ret = sss_parse_internal_fqname(tmp_ctx, username, &name, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not parse [%s] into name and " + "domain components, login might fail\n", username); + upn = talloc_strdup(tmp_ctx, username); + } else { + /* NOTE: this is a hack, works only in some environments */ + upn = talloc_asprintf(tmp_ctx, "%s@%s", + name, realm != NULL ? realm : uc_dom); + } + + if (upn == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "Using simple UPN [%s].\n", upn); + *_upn = talloc_steal(mem_ctx, upn); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t compare_principal_realm(const char *upn, const char *realm, + bool *different_realm) +{ + char *at_sign; + + if (upn == NULL || realm == NULL || different_realm == NULL || + *upn == '\0' || *realm == '\0') { + return EINVAL; + } + + at_sign = strchr(upn, '@'); + + if (at_sign == NULL) { + return EINVAL; + } + + if (strcmp(realm, at_sign + 1) == 0) { + *different_realm = false; + } else { + *different_realm = true; + } + + return EOK; +} diff --git a/src/providers/krb5/krb5_common.h b/src/providers/krb5/krb5_common.h new file mode 100644 index 0000000..bf36a55 --- /dev/null +++ b/src/providers/krb5/krb5_common.h 
@@ -0,0 +1,236 @@ +/* + SSSD + + Kerberos Backend, common header file + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __KRB5_COMMON_H__ +#define __KRB5_COMMON_H__ + +#include "config.h" +#include + +#include "providers/backend.h" +#include "util/util.h" +#include "util/sss_krb5.h" + +#define KDCINFO_TMPL PUBCONF_PATH"/kdcinfo.%s" +#define KPASSWDINFO_TMPL PUBCONF_PATH"/kpasswdinfo.%s" + +#define SSS_KRB5KDC_FO_SRV "KERBEROS" +#define SSS_KRB5KPASSWD_FO_SRV "KPASSWD" + +enum krb5_opts { + KRB5_KDC = 0, + KRB5_BACKUP_KDC, + KRB5_REALM, + KRB5_CCACHEDIR, + KRB5_CCNAME_TMPL, + KRB5_AUTH_TIMEOUT, + KRB5_KEYTAB, + KRB5_VALIDATE, + KRB5_KPASSWD, + KRB5_BACKUP_KPASSWD, + KRB5_STORE_PASSWORD_IF_OFFLINE, + KRB5_RENEWABLE_LIFETIME, + KRB5_LIFETIME, + KRB5_RENEW_INTERVAL, + KRB5_USE_FAST, + KRB5_FAST_PRINCIPAL, + KRB5_CANONICALIZE, + KRB5_USE_ENTERPRISE_PRINCIPAL, + KRB5_USE_KDCINFO, + KRB5_MAP_USER, + + KRB5_OPTS +}; + +typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type; + +struct krb5_service { + struct be_ctx *be_ctx; + char *name; + char *realm; + bool write_kdcinfo; + bool removal_callback_available; +}; + +struct fo_service; +struct deferred_auth_ctx; +struct renew_tgt_ctx; + +enum krb5_config_type { + K5C_GENERIC, + K5C_IPA_CLIENT, + K5C_IPA_SERVER +}; + +struct map_id_name_to_krb_primary { + const char *id_name; + const char* krb_primary; 
+}; + +struct krb5_ctx { + /* opts taken from kinit */ + /* in seconds */ + krb5_deltat starttime; + krb5_deltat lifetime; + char *lifetime_str; + krb5_deltat rlife; + char *rlife_str; + + int forwardable; + int proxiable; + int addresses; + + int not_forwardable; + int not_proxiable; + int no_addresses; + + int verbose; + + char* principal_name; + char* service_name; + char* keytab_name; + char* k5_cache_name; + char* k4_cache_name; + + action_type action; + + struct dp_option *opts; + struct krb5_service *service; + struct krb5_service *kpasswd_service; + int child_debug_fd; + + pcre *illegal_path_re; + + struct deferred_auth_ctx *deferred_auth_ctx; + struct renew_tgt_ctx *renew_tgt_ctx; + bool use_fast; + bool sss_creds_password; + + hash_table_t *wait_queue_hash; + + enum krb5_config_type config_type; + + struct map_id_name_to_krb_primary *name_to_primary; + + char *realm; + + const char *use_fast_str; + const char *fast_principal; + + bool canonicalize; +}; + +struct remove_info_files_ctx { + char *realm; + struct be_ctx *be_ctx; + const char *kdc_service_name; + const char *kpasswd_service_name; + struct krb5_service *krb5_service; +}; + +errno_t sss_krb5_check_options(struct dp_option *opts, + struct sss_domain_info *dom, + struct krb5_ctx *krb5_ctx); + +errno_t krb5_try_kdcip(struct confdb_ctx *cdb, const char *conf_path, + struct dp_option *opts, int opt_id); + +errno_t sss_krb5_get_options(TALLOC_CTX *memctx, struct confdb_ctx *cdb, + const char *conf_path, struct dp_option **_opts); + +errno_t write_krb5info_file(struct krb5_service *krb5_service, + char **server_list, + const char *service); + +struct krb5_service *krb5_service_new(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + const char *service_name, + const char *realm, + bool use_kdcinfo); + +int krb5_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, + const char *service_name, + const char *primary_servers, + const char *backup_servers, + const char *realm, + bool use_kdcinfo, + struct 
krb5_service **_service); + +void remove_krb5_info_files_callback(void *pvt); + +void krb5_finalize(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data); + +errno_t krb5_install_sigterm_handler(struct tevent_context *ev, + struct krb5_ctx *krb5_ctx); + +errno_t remove_krb5_info_files(TALLOC_CTX *mem_ctx, const char *realm); + +errno_t krb5_get_simple_upn(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, + struct sss_domain_info *dom, const char *username, + const char *user_dom, char **_upn); + +errno_t compare_principal_realm(const char *upn, const char *realm, + bool *different_realm); + +/* from krb5_keytab.c */ + +/** + * @brief Copy given keytab into a MEMORY keytab + * + * @param[in] mem_ctx Talloc memory context the new keytab name should be + * allocated on + * @param[in] kctx Kerberos context + * @param[in] inp_keytab_file Existing keytab, if set to NULL the default + * keytab will be used + * @param[out] _mem_name Name of the new MEMORY keytab + * @param[out] _mem_keytab Krb5 keytab handle for the new MEMORY keytab, NULL + * may be passed here if the caller has no use for the + * handle + * + * The memory for the MEMORY keytab is handled by libkrb5 internally and + * a reference counter is used. If the reference counter of the specific + * MEMORY keytab reaches 0, i.e. no open ones are left, the memory is free. + * This means we cannot call krb5_kt_close() for the new MEMORY keytab in + * copy_keytab_into_memory() because this would destroy it immediately. Hence + * we have to return the handle so that the caller can safely remove the + * MEMORY keytab if the is not needed anymore. Since libkrb5 frees the + * internal memory when the library is unloaded short running processes can + * safely pass NULL as the 5th argument because on exit all memory is freed. 
+ * Long running processes which need more control over the memory consumption + * should close the handle for free the memory at runtime. + */ +krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, + const char *inp_keytab_file, + char **_mem_name, + krb5_keytab *_mem_keytab); + +errno_t set_extra_args(TALLOC_CTX *mem_ctx, struct krb5_ctx *krb5_ctx, + const char ***krb5_child_extra_args); +#endif /* __KRB5_COMMON_H__ */ diff --git a/src/providers/krb5/krb5_delayed_online_authentication.c b/src/providers/krb5/krb5_delayed_online_authentication.c new file mode 100644 index 0000000..1cb7ead --- /dev/null +++ b/src/providers/krb5/krb5_delayed_online_authentication.c 
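Review bot: `KDCINFO_TMPL` and `KPASSWDINFO_TMPL` near the top of this header take the realm as a bare `%s`, and nothing documents that the value becomes a file name under `PUBCONF_PATH`. In the krb5_common.c part of this patch, `write_krb5info_file_contents()` formats `krb5_service->realm` into the `rename()` target and `remove_krb5_info_files()` formats `realm` into the `unlink()` targets; the only realm check visible there is the NULL/empty test in the former. The realm appears to come from configuration (`krb5_realm`, falling back to the domain name), so this is probably a hardening gap rather than an exposed input, but a realm containing a path separator would make these paths resolve to something other than a single file in that directory. I would add a comment above the two macros, `/* %s is the realm and is used verbatim as a file name suffix: callers must reject realms containing '/' */`, and enforce that once where the realm is stored, for example in `krb5_service_new()`.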
@@ -0,0 +1,388 @@ +/* + SSSD + + Kerberos 5 Backend Module -- Request a TGT when the system gets online + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#ifdef USE_KEYRING +#include +#include +#endif +#include + +#include "providers/krb5/krb5_auth.h" +#include "util/util.h" +#include "util/find_uid.h" + +#define INITIAL_USER_TABLE_SIZE 10 + +struct deferred_auth_ctx { + hash_table_t *user_table; + struct be_ctx *be_ctx; + struct tevent_context *ev; + struct krb5_ctx *krb5_ctx; +}; + +struct auth_data { + struct be_ctx *be_ctx; + struct krb5_ctx *krb5_ctx; + struct pam_data *pd; +}; + +static void *hash_talloc(const size_t size, void *pvt) +{ + return talloc_size(pvt, size); +} + +static void hash_talloc_free(void *ptr, void *pvt) +{ + talloc_free(ptr); +} + +static void authenticate_user_done(struct tevent_req *req); +static void authenticate_user(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *private_data) +{ + struct auth_data *auth_data = talloc_get_type(private_data, + struct auth_data); + struct pam_data *pd = auth_data->pd; + struct tevent_req *req; + + DEBUG_PAM_DATA(SSSDBG_TRACE_ALL, pd); + +#ifdef USE_KEYRING + char *password; + long keysize; + long keyrevoke; + errno_t ret; + + keysize = keyctl_read_alloc(pd->key_serial, (void **)&password); + if (keysize == -1) { + ret = errno; + 
DEBUG(SSSDBG_CRIT_FAILURE, + "keyctl_read failed [%d][%s].\n", ret, strerror(ret)); + return; + } + + ret = sss_authtok_set_password(pd->authtok, password, keysize); + safezero(password, keysize); + free(password); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "failed to set password in auth token [%d][%s].\n", + ret, strerror(ret)); + return; + } + + keyrevoke = keyctl_revoke(pd->key_serial); + if (keyrevoke == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "keyctl_revoke failed [%d][%s].\n", ret, strerror(ret)); + } +#endif + + req = krb5_auth_queue_send(auth_data, ev, auth_data->be_ctx, + auth_data->pd, auth_data->krb5_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n"); + talloc_free(auth_data); + return; + } + + tevent_req_set_callback(req, authenticate_user_done, auth_data); +} + +static void authenticate_user_done(struct tevent_req *req) +{ + struct auth_data *auth_data = tevent_req_callback_data(req, + struct auth_data); + int ret; + int pam_status = PAM_SYSTEM_ERR; + int dp_err = DP_ERR_OK; + + ret = krb5_auth_queue_recv(req, &pam_status, &dp_err); + talloc_free(req); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth request failed.\n"); + } else { + if (pam_status == PAM_SUCCESS) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Successfully authenticated user [%s].\n", + auth_data->pd->user); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to authenticate user [%s].\n", + auth_data->pd->user); + } + } + + talloc_free(auth_data); +} + +static errno_t authenticate_stored_users( + struct deferred_auth_ctx *deferred_auth_ctx) +{ + int ret; + hash_table_t *uid_table; + struct hash_iter_context_t *iter; + hash_entry_t *entry; + hash_key_t key; + hash_value_t value; + struct pam_data *pd; + struct auth_data *auth_data; + struct tevent_timer *te; + + ret = get_uid_table(deferred_auth_ctx, &uid_table); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "get_uid_table failed.\n"); + return ret; + } + + iter = 
new_hash_iter_context(deferred_auth_ctx->user_table); + if (iter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "new_hash_iter_context failed.\n"); + return EINVAL; + } + + while ((entry = iter->next(iter)) != NULL) { + key.type = HASH_KEY_ULONG; + key.ul = entry->key.ul; + pd = talloc_get_type(entry->value.ptr, struct pam_data); + + ret = hash_lookup(uid_table, &key, &value); + + if (ret == HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is still logged in, " + "trying online authentication.\n", pd->user); + + auth_data = talloc_zero(deferred_auth_ctx->be_ctx, + struct auth_data); + if (auth_data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + } else { + auth_data->pd = talloc_steal(auth_data, pd); + auth_data->krb5_ctx = deferred_auth_ctx->krb5_ctx; + auth_data->be_ctx = deferred_auth_ctx->be_ctx; + + te = tevent_add_timer(deferred_auth_ctx->ev, + auth_data, tevent_timeval_current(), + authenticate_user, auth_data); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + } + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "User [%s] is not logged in anymore, " + "discarding online authentication.\n", pd->user); + talloc_free(pd); + } + + ret = hash_delete(deferred_auth_ctx->user_table, + &entry->key); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_delete failed [%s].\n", + hash_error_string(ret)); + } + } + + talloc_free(iter); + + return EOK; +} + +static void delayed_online_authentication_callback(void *private_data) +{ + struct deferred_auth_ctx *deferred_auth_ctx = + talloc_get_type(private_data, struct deferred_auth_ctx); + int ret; + + if (deferred_auth_ctx->user_table == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Delayed online authentication activated, " + "but user table does not exists.\n"); + return; + } + + DEBUG(SSSDBG_FUNC_DATA, + "Backend is online, starting delayed online authentication.\n"); + ret = authenticate_stored_users(deferred_auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"authenticate_stored_users failed.\n"); + } + + return; +} + +errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx, + struct sss_domain_info *domain, + struct pam_data *pd, + uid_t uid) +{ + int ret; + hash_key_t key; + hash_value_t value; + struct pam_data *new_pd; + + if (domain->type != DOM_TYPE_POSIX) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Domain type does not support delayed authentication\n"); + return ENOTSUP; + } + + if (krb5_ctx->deferred_auth_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Missing context for delayed online authentication.\n"); + return EINVAL; + } + + if (krb5_ctx->deferred_auth_ctx->user_table == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "user_table not available.\n"); + return EINVAL; + } + + if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid authtok for user [%s].\n", pd->user); + return EINVAL; + } + + ret = copy_pam_data(krb5_ctx->deferred_auth_ctx, pd, &new_pd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "copy_pam_data failed\n"); + return ENOMEM; + } + + +#ifdef USE_KEYRING + const char *password; + size_t len; + + ret = sss_authtok_get_password(new_pd->authtok, &password, &len); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to get password [%d][%s].\n", ret, strerror(ret)); + sss_authtok_set_empty(new_pd->authtok); + talloc_free(new_pd); + return ret; + } + + new_pd->key_serial = add_key("user", new_pd->user, password, len, + KEY_SPEC_SESSION_KEYRING); + if (new_pd->key_serial == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "add_key failed [%d][%s].\n", ret, strerror(ret)); + sss_authtok_set_empty(new_pd->authtok); + talloc_free(new_pd); + return ret; + } + DEBUG(SSSDBG_TRACE_ALL, + "Saved authtok of user [%s] with serial [%"SPRIkey_ser"].\n", + new_pd->user, new_pd->key_serial); + sss_authtok_set_empty(new_pd->authtok); +#endif + + key.type = HASH_KEY_ULONG; + key.ul = uid; + value.type = HASH_VALUE_PTR; + value.ptr = new_pd; + + ret = 
hash_enter(krb5_ctx->deferred_auth_ctx->user_table, + &key, &value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add user [%s] to table [%s], " + "delayed online authentication not possible.\n", + pd->user, hash_error_string(ret)); + talloc_free(new_pd); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_ALL, "Added user [%s] successfully to " + "delayed online authentication.\n", pd->user); + + return EOK; +} + +errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx, + struct be_ctx *be_ctx, + struct tevent_context *ev) +{ + int ret; + hash_table_t *tmp_table; + + ret = get_uid_table(krb5_ctx, &tmp_table); + if (ret != EOK) { + if (ret == ENOSYS) { + DEBUG(SSSDBG_FATAL_FAILURE, "Delayed online auth was requested " + "on an unsupported system.\n"); + } else { + DEBUG(SSSDBG_FATAL_FAILURE, "Delayed online auth was requested " + "but initialisation failed.\n"); + } + return ret; + } + ret = hash_destroy(tmp_table); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "hash_destroy failed [%s].\n", hash_error_string(ret)); + return EFAULT; + } + + krb5_ctx->deferred_auth_ctx = talloc_zero(krb5_ctx, + struct deferred_auth_ctx); + if (krb5_ctx->deferred_auth_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + ret = hash_create_ex(INITIAL_USER_TABLE_SIZE, + &krb5_ctx->deferred_auth_ctx->user_table, + 0, 0, 0, 0, hash_talloc, hash_talloc_free, + krb5_ctx->deferred_auth_ctx, + NULL, NULL); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "hash_create_ex failed [%s]\n", hash_error_string(ret)); + ret = ENOMEM; + goto fail; + } + + krb5_ctx->deferred_auth_ctx->be_ctx = be_ctx; + krb5_ctx->deferred_auth_ctx->krb5_ctx = krb5_ctx; + krb5_ctx->deferred_auth_ctx->ev = ev; + + ret = be_add_online_cb(krb5_ctx, be_ctx, + delayed_online_authentication_callback, + krb5_ctx->deferred_auth_ctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_online_cb failed.\n"); + goto fail; + } + 
+ /* TODO: add destructor */ + + return EOK; +fail: + talloc_zfree(krb5_ctx->deferred_auth_ctx); + return ret; +} diff --git a/src/providers/krb5/krb5_init.c b/src/providers/krb5/krb5_init.c new file mode 100644 index 0000000..66ae68f --- /dev/null +++ b/src/providers/krb5/krb5_init.c 
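Review bot: In `authenticate_user`, the two early returns inside the `USE_KEYRING` block (after `keyctl_read_alloc` fails and after `sss_authtok_set_password` fails) leave `auth_data` allocated, whereas the later `krb5_auth_queue_send` failure path does free it. `auth_data` is allocated on `be_ctx` and owns the stolen `pam_data`, so it appears to stay around for the life of the backend. The second return also happens before `keyctl_revoke`, so the saved password remains in the session keyring after the attempt has been abandoned. I would add `keyctl_revoke(pd->key_serial);` and `talloc_free(auth_data);` before each of those `return;` statements. The "not logged in anymore" branch of `authenticate_stored_users` frees `pd` without revoking its key and may need the same treatment.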
@@ -0,0 +1,234 @@ +/* + SSSD + + Kerberos 5 Backend Module + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include "util/child_common.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_init_shared.h" +#include "providers/data_provider.h" + +static errno_t krb5_init_kpasswd(struct krb5_ctx *ctx, + struct be_ctx *be_ctx) +{ + const char *realm; + const char *primary_servers; + const char *backup_servers; + const char *kdc_servers; + bool use_kdcinfo; + errno_t ret; + + realm = dp_opt_get_string(ctx->opts, KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_realm option!\n"); + return EINVAL; + } + + kdc_servers = dp_opt_get_string(ctx->opts, KRB5_KDC); + primary_servers = dp_opt_get_string(ctx->opts, KRB5_KPASSWD); + backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KPASSWD); + use_kdcinfo = dp_opt_get_bool(ctx->opts, KRB5_USE_KDCINFO); + + if (primary_servers == NULL && backup_servers != NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, "kpasswd server wasn't specified but " + "backup_servers kpasswd given. 
Using it as primary_servers\n"); + primary_servers = backup_servers; + backup_servers = NULL; + } + + if (primary_servers == NULL && kdc_servers != NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_kpasswd option and KDC set " + "explicitly, will use KDC for pasword change operations!\n"); + ctx->kpasswd_service = NULL; + } else { + ret = krb5_service_init(ctx, be_ctx, SSS_KRB5KPASSWD_FO_SRV, + primary_servers, backup_servers, realm, + use_kdcinfo, &ctx->kpasswd_service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to init KRB5KPASSWD failover service!\n"); + return ret; + } + } + + return EOK; +} + +static errno_t krb5_init_kdc(struct krb5_ctx *ctx, struct be_ctx *be_ctx) +{ + const char *primary_servers; + const char *backup_servers; + const char *realm; + bool use_kdcinfo; + errno_t ret; + + realm = dp_opt_get_string(ctx->opts, KRB5_REALM); + if (realm == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Missing krb5_realm option!\n"); + return EINVAL; + } + + primary_servers = dp_opt_get_string(ctx->opts, KRB5_KDC); + backup_servers = dp_opt_get_string(ctx->opts, KRB5_BACKUP_KDC); + + use_kdcinfo = dp_opt_get_bool(ctx->opts, KRB5_USE_KDCINFO); + + ret = krb5_service_init(ctx, be_ctx, SSS_KRB5KDC_FO_SRV, + primary_servers, backup_servers, realm, + use_kdcinfo, &ctx->service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init KRB5 failover service!\n"); + return ret; + } + + return EOK; +} + +int krb5_ctx_re_destructor(struct krb5_ctx *ctx) +{ + if (ctx->illegal_path_re != NULL) { + pcre_free(ctx->illegal_path_re); + ctx->illegal_path_re = NULL; + } + + return 0; +} + +errno_t sssm_krb5_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + const char *module_name, + void **_module_data) +{ + struct krb5_ctx *ctx; + const char *errstr; + int errval; + int errpos; + errno_t ret; + + ctx = talloc_zero(mem_ctx, struct krb5_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + 
return ENOMEM; + } + + /* Only needed to generate random ccache names for non-POSIX domains */ + srand(time(NULL) * getpid()); + + ret = sss_krb5_get_options(ctx, be_ctx->cdb, be_ctx->conf_path, &ctx->opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get krb5 options [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ctx->action = INIT_PW; + ctx->config_type = K5C_GENERIC; + + ret = krb5_init_kdc(ctx, be_ctx); + if (ret != EOK) { + goto done; + } + + ret = krb5_init_kpasswd(ctx, be_ctx); + if (ret != EOK) { + goto done; + } + + ret = krb5_child_init(ctx, be_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize krb5_child settings " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ctx->illegal_path_re = pcre_compile2(ILLEGAL_PATH_PATTERN, 0, + &errval, &errstr, &errpos, NULL); + if (ctx->illegal_path_re == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid Regular Expression pattern " + "at position %d. (Error: %d [%s])\n", errpos, errval, errstr); + ret = EFAULT; + goto done; + } + talloc_set_destructor(ctx, krb5_ctx_re_destructor); + + ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + *_module_data = ctx; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(ctx); + } + + return ret; +} + +errno_t sssm_krb5_auth_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct krb5_ctx *ctx; + + ctx = talloc_get_type(module_data, struct krb5_ctx); + dp_set_method(dp_methods, DPM_AUTH_HANDLER, + krb5_pam_handler_send, krb5_pam_handler_recv, ctx, + struct krb5_ctx, struct pam_data, struct pam_data *); + + return EOK; +} + +errno_t sssm_krb5_chpass_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + return sssm_krb5_auth_init(mem_ctx, be_ctx, 
module_data, dp_methods); +} + +errno_t sssm_krb5_access_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct krb5_ctx *ctx; + + ctx = talloc_get_type(module_data, struct krb5_ctx); + dp_set_method(dp_methods, DPM_ACCESS_HANDLER, + krb5_pam_handler_send, krb5_pam_handler_recv, ctx, + struct krb5_ctx, struct pam_data, struct pam_data *); + + return EOK; +} diff --git a/src/providers/krb5/krb5_init_shared.c b/src/providers/krb5/krb5_init_shared.c new file mode 100644 index 0000000..368d6f7 --- /dev/null +++ b/src/providers/krb5/krb5_init_shared.c 
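Review bot: `srand(time(NULL) * getpid())` in `sssm_krb5_init` seeds the C library generator from two values a local user can estimate, and the comment above it says the output is used to name ccaches for non-POSIX domains. The code that builds and creates those caches is outside this hunk, so it cannot be checked here whether creation is exclusive; if it is not, a guessable name in a shared directory is a pre-creation risk. At minimum I would extend the comment to state the constraint: `/* rand() is predictable; ccache creation must not depend on the name being secret */`.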
@@ -0,0 +1,103 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_utils.h" +#include "providers/krb5/krb5_init_shared.h" + +errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, + struct be_ctx *bectx) +{ + errno_t ret; + time_t renew_intv = 0; + krb5_deltat renew_interval_delta; + char *renew_interval_str; + + if (dp_opt_get_bool(krb5_auth_ctx->opts, KRB5_STORE_PASSWORD_IF_OFFLINE)) { + ret = init_delayed_online_authentication(krb5_auth_ctx, bectx, + bectx->ev); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "init_delayed_online_authentication failed.\n"); + goto done; + } + } + renew_interval_str = dp_opt_get_string(krb5_auth_ctx->opts, + KRB5_RENEW_INTERVAL); + if (renew_interval_str != NULL) { + ret = krb5_string_to_deltat(renew_interval_str, &renew_interval_delta); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Reading krb5_renew_interval failed.\n"); + renew_interval_delta = 0; + } + renew_intv = renew_interval_delta; + } + + if (renew_intv > 0) { + ret = init_renew_tgt(krb5_auth_ctx, bectx, bectx->ev, renew_intv); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "init_renew_tgt failed.\n"); + goto done; + } + } + + ret = sss_krb5_check_options(krb5_auth_ctx->opts, bectx->domain, + krb5_auth_ctx); + if 
(ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_check_options failed.\n"); + goto done; + } + + ret = krb5_install_sigterm_handler(bectx->ev, krb5_auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_install_sigterm_handler failed.\n"); + goto done; + } + + krb5_auth_ctx->child_debug_fd = -1; /* -1 means not initialized */ + ret = child_debug_init(KRB5_CHILD_LOG_FILE, + &krb5_auth_ctx->child_debug_fd); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not set krb5_child debugging!\n"); + goto done; + } + + ret = parse_krb5_map_user(krb5_auth_ctx, + dp_opt_get_cstring(krb5_auth_ctx->opts, + KRB5_MAP_USER), + bectx->domain->name, + &krb5_auth_ctx->name_to_primary); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "parse_krb5_map_user failed: %s:[%d]\n", + sss_strerror(ret), ret); + goto done; + } + + ret = EOK; + +done: + return ret; +} diff --git a/src/providers/krb5/krb5_init_shared.h b/src/providers/krb5/krb5_init_shared.h new file mode 100644 index 0000000..883b84f --- /dev/null +++ b/src/providers/krb5/krb5_init_shared.h @@ -0,0 +1,29 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef KRB5_INIT_SHARED_H_ +#define KRB5_INIT_SHARED_H_ + +errno_t krb5_child_init(struct krb5_ctx *krb5_auth_ctx, + struct be_ctx *bectx); + +#endif /* KRB5_INIT_SHARED_H_ */ 
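Review bot: When `krb5_string_to_deltat` rejects the configured `krb5_renew_interval` in `krb5_child_init`, the value is replaced by 0 and the only trace is an `SSSDBG_MINOR_FAILURE` message that does not show the offending string, so automatic TGT renewal is switched off almost silently. Either return the error to the caller, or keep the fallback and log it where an administrator will see it: `DEBUG(SSSDBG_CRIT_FAILURE, "Invalid krb5_renew_interval [%s], automatic renewal disabled.\n", renew_interval_str);`.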
diff --git a/src/providers/krb5/krb5_keytab.c b/src/providers/krb5/krb5_keytab.c new file mode 100644 index 0000000..e70408b --- /dev/null +++ b/src/providers/krb5/krb5_keytab.c 
@@ -0,0 +1,228 @@ +/* + SSSD + + Kerberos 5 Backend Module -- keytab related utilities + + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/sss_krb5.h" +#include "providers/krb5/krb5_common.h" + +static krb5_error_code do_keytab_copy(krb5_context kctx, krb5_keytab s_keytab, + krb5_keytab d_keytab) +{ + krb5_error_code kerr; + krb5_error_code kt_err; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + + memset(&cursor, 0, sizeof(cursor)); + kerr = krb5_kt_start_seq_get(kctx, s_keytab, &cursor); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab.\n"); + return kerr; + } + + memset(&entry, 0, sizeof(entry)); + while ((kt_err = krb5_kt_next_entry(kctx, s_keytab, &entry, + &cursor)) == 0) { + kerr = krb5_kt_add_entry(kctx, d_keytab, &entry); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_add_entry failed.\n"); + kt_err = krb5_kt_end_seq_get(kctx, s_keytab, &cursor); + if (kt_err != 0) { + DEBUG(SSSDBG_TRACE_ALL, + "krb5_kt_end_seq_get failed with [%d], ignored.\n", + kt_err); + } + return kerr; + } + + kerr = sss_krb5_free_keytab_entry_contents(kctx, &entry); + if (kerr != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to free keytab entry.\n"); + kt_err = krb5_kt_end_seq_get(kctx, s_keytab, &cursor); + if (kt_err != 0) { + DEBUG(SSSDBG_TRACE_ALL, + "krb5_kt_end_seq_get failed with [%d], ignored.\n", + 
kt_err); + } + return kerr; + } + memset(&entry, 0, sizeof(entry)); + } + + kerr = krb5_kt_end_seq_get(kctx, s_keytab, &cursor); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed.\n"); + return kerr; + } + + /* check if we got any errors from krb5_kt_next_entry */ + if (kt_err != 0 && kt_err != KRB5_KT_END) { + DEBUG(SSSDBG_CRIT_FAILURE, "error reading keytab.\n"); + return kt_err; + } + + return 0; +} + +krb5_error_code copy_keytab_into_memory(TALLOC_CTX *mem_ctx, krb5_context kctx, + const char *inp_keytab_file, + char **_mem_name, + krb5_keytab *_mem_keytab) +{ + krb5_error_code kerr; + krb5_keytab keytab = NULL; + krb5_keytab mem_keytab = NULL; + krb5_keytab tmp_mem_keytab = NULL; + char keytab_name[MAX_KEYTAB_NAME_LEN]; + char *sep; + char *mem_name = NULL; + char *tmp_mem_name = NULL; + const char *keytab_file; + char default_keytab_name[MAX_KEYTAB_NAME_LEN]; + + keytab_file = inp_keytab_file; + if (keytab_file == NULL) { + kerr = krb5_kt_default_name(kctx, default_keytab_name, + sizeof(default_keytab_name)); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_default_name failed.\n"); + return kerr; + } + + keytab_file = default_keytab_name; + } + + kerr = krb5_kt_resolve(kctx, keytab_file, &keytab); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n", + keytab_file); + return kerr; + } + + kerr = sss_krb5_kt_have_content(kctx, keytab); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "keytab [%s] has not entries.\n", + keytab_file); + goto done; + } + + kerr = krb5_kt_get_name(kctx, keytab, keytab_name, sizeof(keytab_name)); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to read name for keytab [%s].\n", + keytab_file); + goto done; + } + + sep = strchr(keytab_name, ':'); + if (sep == NULL || sep[1] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "Keytab name [%s] does not have delimiter[:] .\n", keytab_name); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + + if (strncmp(keytab_name, "MEMORY:", 
sizeof("MEMORY:") -1) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Keytab [%s] is already memory keytab.\n", + keytab_name); + *_mem_name = talloc_strdup(mem_ctx, keytab_name); + if(*_mem_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + kerr = 0; + goto done; + } + + mem_name = talloc_asprintf(mem_ctx, "MEMORY:%s", sep + 1); + if (mem_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + + tmp_mem_name = talloc_asprintf(mem_ctx, "MEMORY:%s.tmp", sep + 1); + if (tmp_mem_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + kerr = KRB5KRB_ERR_GENERIC; + goto done; + } + + kerr = krb5_kt_resolve(kctx, mem_name, &mem_keytab); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n", + mem_name); + goto done; + } + + kerr = krb5_kt_resolve(kctx, tmp_mem_name, &tmp_mem_keytab); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "error resolving keytab [%s].\n", + tmp_mem_name); + goto done; + } + + kerr = do_keytab_copy(kctx, keytab, tmp_mem_keytab); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy keytab [%s] into [%s].\n", + keytab_file, tmp_mem_name); + goto done; + } + + /* krb5_kt_add_entry() adds new entries into MEMORY keytabs at the + * beginning and not at the end as for FILE keytabs. Since we want to keep + * the processing order we have to copy the MEMORY keytab again to retain + * the order from the FILE keytab. 
*/ + + kerr = do_keytab_copy(kctx, tmp_mem_keytab, mem_keytab); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to copy keytab [%s] into [%s].\n", + tmp_mem_name, mem_name); + goto done; + } + + *_mem_name = mem_name; + if (_mem_keytab != NULL) { + *_mem_keytab = mem_keytab; + } + + kerr = 0; +done: + + talloc_free(tmp_mem_name); + + if (kerr != 0) { + talloc_free(mem_name); + } + + if (tmp_mem_keytab != NULL && krb5_kt_close(kctx, tmp_mem_keytab) != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed.\n"); + } + + if (keytab != NULL && krb5_kt_close(kctx, keytab) != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "krb5_kt_close failed.\n"); + } + + return kerr; +} diff --git a/src/providers/krb5/krb5_opts.c b/src/providers/krb5/krb5_opts.c new file mode 100644 index 0000000..6bec527 --- /dev/null +++ b/src/providers/krb5/krb5_opts.c 
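Review bot: In `do_keytab_copy`, the `krb5_kt_add_entry` failure path ends the sequence and returns without calling `sss_krb5_free_keytab_entry_contents`, so the entry just read, including its key, is leaked; add `sss_krb5_free_keytab_entry_contents(kctx, &entry);` before that `return kerr;`. Separately, the "already memory keytab" branch of `copy_keytab_into_memory` returns 0 without assigning `*_mem_keytab`, so a caller that passed a non-NULL pointer gets back whatever the variable held before. Setting `*_mem_keytab = NULL;` at the top of the function when `_mem_keytab != NULL` would make that case detectable. On failures after `mem_keytab` is resolved the handle is never closed, which may leave a partly filled MEMORY keytab behind.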
@@ -0,0 +1,47 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "src/providers/data_provider.h" + +struct dp_option default_krb5_opts[] = { + { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_ccachedir", DP_OPT_STRING, { DEFAULT_CCACHE_DIR }, NULL_STRING }, + { "krb5_ccname_template", DP_OPT_STRING, NULL_STRING, NULL_STRING}, + { "krb5_auth_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "krb5_keytab", DP_OPT_STRING, { "/etc/krb5.keytab" }, NULL_STRING }, + { "krb5_validate", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_backup_kpasswd", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_store_password_if_offline", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_renewable_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_lifetime", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_renew_interval", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_use_fast", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_fast_principal", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_enterprise_principal", DP_OPT_BOOL, 
BOOL_FALSE, BOOL_FALSE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_map_user", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + DP_OPTION_TERMINATOR +}; diff --git a/src/providers/krb5/krb5_opts.h b/src/providers/krb5/krb5_opts.h new file mode 100644 index 0000000..798008d --- /dev/null +++ b/src/providers/krb5/krb5_opts.h @@ -0,0 +1,30 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef KRB5_OPTS_H_ +#define KRB5_OPTS_H_ + +#include "src/providers/data_provider.h" + +extern struct dp_option default_krb5_opts[]; + +#endif /* KRB5_OPTS_H_ */ diff --git a/src/providers/krb5/krb5_renew_tgt.c b/src/providers/krb5/krb5_renew_tgt.c new file mode 100644 index 0000000..549c08c --- /dev/null +++ b/src/providers/krb5/krb5_renew_tgt.c 
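Review bot: The `krb5_validate` entry in `default_krb5_opts` defaults to `BOOL_FALSE`, and nothing in the table says what that default gives up. As far as I know this option controls whether the obtained TGT is verified against the keytab named by `krb5_keytab`, so with the default a reply from a spoofed KDC would go undetected; this should be confirmed against the option's documentation. I would add a comment above the entry, for example `/* off by default: the TGT is not verified against krb5_keytab unless enabled */`.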
@@ -0,0 +1,633 @@ +/* + SSSD + + Kerberos 5 Backend Module -- Renew a TGT automatically + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include + +#include "util/util.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_utils.h" +#include "providers/krb5/krb5_ccache.h" + +#define INITIAL_TGT_TABLE_SIZE 10 + +struct renew_tgt_ctx { + hash_table_t *tgt_table; + struct be_ctx *be_ctx; + struct tevent_context *ev; + struct krb5_ctx *krb5_ctx; + time_t timer_interval; + struct tevent_timer *te; +}; + +struct renew_data { + const char *ccfile; + time_t start_time; + time_t lifetime; + time_t start_renew_at; + struct pam_data *pd; +}; + +struct auth_data { + struct be_ctx *be_ctx; + struct krb5_ctx *krb5_ctx; + struct pam_data *pd; + struct renew_data *renew_data; + hash_table_t *table; + hash_key_t key; +}; + + +static void renew_tgt_done(struct tevent_req *req); +static void renew_tgt(struct tevent_context *ev, struct tevent_timer *te, + struct timeval current_time, void *private_data) +{ + struct auth_data *auth_data = talloc_get_type(private_data, + struct auth_data); + struct tevent_req *req; + + req = krb5_auth_queue_send(auth_data, ev, auth_data->be_ctx, auth_data->pd, + auth_data->krb5_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n"); +/* Give back the pam data 
to the renewal item to be able to retry at the next + * time the renewals re run. */ + auth_data->renew_data->pd = talloc_steal(auth_data->renew_data, + auth_data->pd); + talloc_free(auth_data); + return; + } + + tevent_req_set_callback(req, renew_tgt_done, auth_data); +} + +static void renew_tgt_done(struct tevent_req *req) +{ + struct auth_data *auth_data = tevent_req_callback_data(req, + struct auth_data); + int ret; + int pam_status = PAM_SYSTEM_ERR; + int dp_err; + hash_value_t value; + + ret = krb5_auth_queue_recv(req, &pam_status, &dp_err); + talloc_free(req); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth request failed.\n"); + if (auth_data->renew_data != NULL) { + DEBUG(SSSDBG_FUNC_DATA, "Giving back pam data.\n"); + auth_data->renew_data->pd = talloc_steal(auth_data->renew_data, + auth_data->pd); + } + } else { + switch (pam_status) { + case PAM_SUCCESS: + DEBUG(SSSDBG_CONF_SETTINGS, + "Successfully renewed TGT for user [%s].\n", + auth_data->pd->user); +/* In general a successful renewal will update the renewal item and free the + * old data. But if the TGT has reached the end of his renewable lifetime it + * will not be put into the list of renewable tickets again. In this case the + * renewal item is not updated and the value from the hash and the one we have + * stored are the same. Since the TGT cannot be renewed anymore we want to + * remove it from the list of renewable tickets. 
*/ + ret = hash_lookup(auth_data->table, &auth_data->key, &value); + if (ret == HASH_SUCCESS) { + if (value.type == HASH_VALUE_PTR && + auth_data->renew_data == talloc_get_type(value.ptr, + struct renew_data)) { + DEBUG(SSSDBG_FUNC_DATA, + "New TGT was not added for renewal, " + "removing list entry for user [%s].\n", + auth_data->pd->user); + ret = hash_delete(auth_data->table, &auth_data->key); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_delete failed.\n"); + } + } + } + break; + case PAM_AUTHINFO_UNAVAIL: + case PAM_AUTHTOK_LOCK_BUSY: + DEBUG(SSSDBG_CONF_SETTINGS, + "Cannot renewed TGT for user [%s] while offline, " + "will retry later.\n", + auth_data->pd->user); + if (auth_data->renew_data != NULL) { + DEBUG(SSSDBG_FUNC_DATA, "Giving back pam data.\n"); + auth_data->renew_data->pd = talloc_steal(auth_data->renew_data, + auth_data->pd); + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to renew TGT for user [%s].\n", + auth_data->pd->user); + ret = hash_delete(auth_data->table, &auth_data->key); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_delete failed.\n"); + } + } + } + + talloc_zfree(auth_data); +} + +static errno_t renew_all_tgts(struct renew_tgt_ctx *renew_tgt_ctx) +{ + int ret; + hash_entry_t *entries; + unsigned long count; + size_t c; + time_t now; + struct auth_data *auth_data; + struct renew_data *renew_data; + struct tevent_timer *te = NULL; + + ret = hash_entries(renew_tgt_ctx->tgt_table, &count, &entries); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_entries failed.\n"); + return ENOMEM; + } + + now = time(NULL); + + for (c = 0; c < count; c++) { + renew_data = talloc_get_type(entries[c].value.ptr, struct renew_data); + DEBUG(SSSDBG_TRACE_ALL, + "Checking [%s] for renewal at [%.24s].\n", renew_data->ccfile, + ctime(&renew_data->start_renew_at)); + /* If renew_data->pd == NULL a renewal request for this data is + * currently running so we skip it. 
*/ + if (renew_data->start_renew_at < now && renew_data->pd != NULL) { + auth_data = talloc_zero(renew_tgt_ctx, struct auth_data); + if (auth_data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + } else { +/* We need to steal the pam_data here, because a successful renewal of the + * ticket might add a new renewal item to the list with the same key (upn). + * This would delete renew_data and all its children. But we cannot be sure + * that adding the new renewal item is the last operation of the renewal + * process with access the pam_data. To be on the safe side we steal the + * pam_data and make it a child of auth_data which is only freed after the + * renewal process is finished. In the case of an error during renewal we + * might want to steal the pam_data back to renew_data before freeing + * auth_data to allow a new renewal attempt. */ + auth_data->pd = talloc_move(auth_data, &renew_data->pd); + auth_data->krb5_ctx = renew_tgt_ctx->krb5_ctx; + auth_data->be_ctx = renew_tgt_ctx->be_ctx; + auth_data->table = renew_tgt_ctx->tgt_table; + auth_data->renew_data = renew_data; + auth_data->key.type = entries[c].key.type; + auth_data->key.str = talloc_strdup(auth_data, + entries[c].key.str); + if (auth_data->key.str == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + } else { + te = tevent_add_timer(renew_tgt_ctx->ev, + auth_data, tevent_timeval_current(), + renew_tgt, auth_data); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "tevent_add_timer failed.\n"); + } + } + } + + if (auth_data == NULL || te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to renew TGT in [%s].\n", renew_data->ccfile); + ret = hash_delete(renew_tgt_ctx->tgt_table, &entries[c].key); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_delete failed.\n"); + } + } + } + } + + talloc_free(entries); + + return EOK; +} + +static void renew_handler(struct renew_tgt_ctx *renew_tgt_ctx); + +static void renew_tgt_offline_callback(void *private_data) 
+{ + struct renew_tgt_ctx *renew_tgt_ctx = talloc_get_type(private_data, + struct renew_tgt_ctx); + + talloc_zfree(renew_tgt_ctx->te); +} + +static void renew_tgt_online_callback(void *private_data) +{ + struct renew_tgt_ctx *renew_tgt_ctx = talloc_get_type(private_data, + struct renew_tgt_ctx); + + renew_handler(renew_tgt_ctx); +} + +static void renew_tgt_timer_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, void *data) +{ + struct renew_tgt_ctx *renew_tgt_ctx = talloc_get_type(data, + struct renew_tgt_ctx); + + /* forget the timer event, it will be freed by the tevent timer loop */ + renew_tgt_ctx->te = NULL; + + renew_handler(renew_tgt_ctx); +} + +static void renew_handler(struct renew_tgt_ctx *renew_tgt_ctx) +{ + struct timeval next; + int ret; + + if (be_is_offline(renew_tgt_ctx->be_ctx)) { + DEBUG(SSSDBG_CONF_SETTINGS, "Offline, disable renew timer.\n"); + return; + } + + ret = renew_all_tgts(renew_tgt_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "renew_all_tgts failed. 
" + "Disabling automatic TGT renewal\n"); + sss_log(SSS_LOG_ERR, "Disabling automatic TGT renewal."); + talloc_zfree(renew_tgt_ctx); + return; + } + + if (renew_tgt_ctx->te != NULL) { + DEBUG(SSSDBG_TRACE_LIBS, + "There is an active renewal timer, doing nothing.\n"); + return; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Adding new renew timer.\n"); + + next = tevent_timeval_current_ofs(renew_tgt_ctx->timer_interval, + 0); + renew_tgt_ctx->te = tevent_add_timer(renew_tgt_ctx->ev, renew_tgt_ctx, + next, renew_tgt_timer_handler, + renew_tgt_ctx); + if (renew_tgt_ctx->te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + sss_log(SSS_LOG_ERR, "Disabling automatic TGT renewal."); + talloc_zfree(renew_tgt_ctx); + } + + return; +} + +static void renew_del_cb(hash_entry_t *entry, hash_destroy_enum type, void *pvt) +{ + struct renew_data *renew_data; + + if (entry->value.type == HASH_VALUE_PTR) { + renew_data = talloc_get_type(entry->value.ptr, struct renew_data); + talloc_zfree(renew_data); + return; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected value type [%d].\n", entry->value.type); +} + +static errno_t check_ccache_file(struct renew_tgt_ctx *renew_tgt_ctx, + const char *ccache_file, const char *upn, + const char *user_name) +{ + int ret; + struct stat stat_buf; + struct tgt_times tgtt; + struct pam_data pd; + time_t now; + const char *filename; + + if (ccache_file == NULL || upn == NULL || user_name == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Missing one of the needed attributes: [%s][%s][%s].\n", + ccache_file == NULL ? "cache file missing" : ccache_file, + upn == NULL ? "principal missing" : upn, + user_name == NULL ? 
"user name missing" : user_name); + return EINVAL; + } + + if (strncmp(ccache_file, "FILE:", 5) == 0) { + filename = ccache_file + 5; + } else { + filename = ccache_file; + } + + ret = stat(filename, &stat_buf); + if (ret != EOK) { + if (ret == ENOENT) { + return EOK; + } + return ret; + } + + DEBUG(SSSDBG_TRACE_ALL, "Found ccache file [%s].\n", ccache_file); + + memset(&tgtt, 0, sizeof(tgtt)); + ret = get_ccache_file_data(ccache_file, upn, &tgtt); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "get_ccache_file_data failed.\n"); + return ret; + } + + memset(&pd, 0, sizeof(pd)); + pd.cmd = SSS_CMD_RENEW; + pd.user = discard_const_p(char, user_name); + now = time(NULL); + if (tgtt.renew_till > tgtt.endtime && tgtt.renew_till > now && + tgtt.endtime > now) { + DEBUG(SSSDBG_TRACE_LIBS, + "Adding [%s] for automatic renewal.\n", ccache_file); + ret = add_tgt_to_renew_table(renew_tgt_ctx->krb5_ctx, ccache_file, + &tgtt, &pd, upn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "add_tgt_to_renew_table failed, " + "automatic renewal not possible.\n"); + } + } else { + DEBUG(SSSDBG_TRACE_ALL, + "TGT in [%s] for [%s] is too old.\n", ccache_file, upn); + } + + return EOK; +} + +static errno_t check_ccache_files(struct renew_tgt_ctx *renew_tgt_ctx) +{ + TALLOC_CTX *tmp_ctx; + int ret; + const char *ccache_filter = "(&("SYSDB_CCACHE_FILE"=*)("SYSDB_UC"))"; + const char *ccache_attrs[] = { SYSDB_CCACHE_FILE, SYSDB_UPN, SYSDB_NAME, + SYSDB_CANONICAL_UPN, NULL }; + size_t msgs_count = 0; + struct ldb_message **msgs = NULL; + size_t c; + const char *ccache_file; + char *upn; + const char *user_name; + struct ldb_dn *base_dn; + char *user_dom; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + base_dn = sysdb_base_dn(renew_tgt_ctx->be_ctx->domain->sysdb, tmp_ctx); + if (base_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_base_dn failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = 
sysdb_search_entry(tmp_ctx, renew_tgt_ctx->be_ctx->domain->sysdb, base_dn, + LDB_SCOPE_SUBTREE, ccache_filter, ccache_attrs, + &msgs_count, &msgs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry failed.\n"); + goto done; + } + + if (msgs_count == 0) { + DEBUG(SSSDBG_TRACE_ALL, + "No entries with ccache file found in cache.\n"); + ret = EOK; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, + "Found [%zu] entries with ccache file in cache.\n", msgs_count); + + for (c = 0; c < msgs_count; c++) { + user_name = ldb_msg_find_attr_as_string(msgs[c], SYSDB_NAME, NULL); + if (user_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "No user name found, this is a severe error, " + "but we ignore it here.\n"); + continue; + } + + ret = sss_parse_internal_fqname(tmp_ctx, user_name, NULL, &user_dom); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot parse internal fqname [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = find_or_guess_upn(tmp_ctx, msgs[c], renew_tgt_ctx->krb5_ctx, + renew_tgt_ctx->be_ctx->domain, + user_name, user_dom, &upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "find_or_guess_upn failed.\n"); + goto done; + } + + ccache_file = ldb_msg_find_attr_as_string(msgs[c], SYSDB_CCACHE_FILE, + NULL); + + ret = check_ccache_file(renew_tgt_ctx, ccache_file, upn, user_name); + if (ret != EOK) { + DEBUG(SSSDBG_FUNC_DATA, + "Failed to check ccache file [%s].\n", ccache_file); + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +errno_t init_renew_tgt(struct krb5_ctx *krb5_ctx, struct be_ctx *be_ctx, + struct tevent_context *ev, time_t renew_intv) +{ + int ret; + struct timeval next; + + krb5_ctx->renew_tgt_ctx = talloc_zero(krb5_ctx, struct renew_tgt_ctx); + if (krb5_ctx->renew_tgt_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + ret = sss_hash_create_ex(krb5_ctx->renew_tgt_ctx, INITIAL_TGT_TABLE_SIZE, + &krb5_ctx->renew_tgt_ctx->tgt_table, 0, 0, 0, 0, + 
renew_del_cb, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_hash_create failed.\n"); + goto fail; + } + + krb5_ctx->renew_tgt_ctx->be_ctx = be_ctx; + krb5_ctx->renew_tgt_ctx->krb5_ctx = krb5_ctx; + krb5_ctx->renew_tgt_ctx->ev = ev; + krb5_ctx->renew_tgt_ctx->timer_interval = renew_intv; + + ret = check_ccache_files(krb5_ctx->renew_tgt_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read ccache files, continuing ...\n"); + } + + next = tevent_timeval_current_ofs(krb5_ctx->renew_tgt_ctx->timer_interval, + 0); + krb5_ctx->renew_tgt_ctx->te = tevent_add_timer(ev, krb5_ctx->renew_tgt_ctx, + next, renew_tgt_timer_handler, + krb5_ctx->renew_tgt_ctx); + if (krb5_ctx->renew_tgt_ctx->te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + ret = ENOMEM; + goto fail; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Adding offline callback to remove renewal timer.\n"); + ret = be_add_offline_cb(krb5_ctx->renew_tgt_ctx, be_ctx, + renew_tgt_offline_callback, krb5_ctx->renew_tgt_ctx, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add offline callback.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Adding renewal task to online callbacks.\n"); + ret = be_add_online_cb(krb5_ctx->renew_tgt_ctx, be_ctx, + renew_tgt_online_callback, krb5_ctx->renew_tgt_ctx, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add renewal task to online callbacks.\n"); + goto fail; + } + + return EOK; + +fail: + talloc_zfree(krb5_ctx->renew_tgt_ctx); + return ret; +} + +errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile, + struct tgt_times *tgtt, struct pam_data *pd, + const char *upn) +{ + int ret; + hash_key_t key; + hash_value_t value; + struct renew_data *renew_data = NULL; + + if (krb5_ctx->renew_tgt_ctx == NULL) { + DEBUG(SSSDBG_TRACE_LIBS ,"Renew context not initialized, " + "automatic renewal not available.\n"); + return EOK; + } + + if (pd->cmd != SSS_PAM_AUTHENTICATE && pd->cmd != 
SSS_CMD_RENEW && + pd->cmd != SSS_PAM_CHAUTHTOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected pam task [%d].\n", pd->cmd); + return EINVAL; + } + + if (upn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing user principal name.\n"); + return EINVAL; + } + + /* hash_enter copies the content of the hash string, so it is safe to use + * discard_const_p here. */ + key.type = HASH_KEY_STRING; + key.str = discard_const_p(char, upn); + + renew_data = talloc_zero(krb5_ctx->renew_tgt_ctx, struct renew_data); + if (renew_data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + + if (ccfile[0] == '/') { + renew_data->ccfile = talloc_asprintf(renew_data, "FILE:%s", ccfile); + if (renew_data->ccfile == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + } else { + renew_data->ccfile = talloc_strdup(renew_data, ccfile); + } + + renew_data->start_time = tgtt->starttime; + renew_data->lifetime = tgtt->endtime; + renew_data->start_renew_at = (time_t) (tgtt->starttime + + 0.5 *(tgtt->endtime - tgtt->starttime)); + + ret = copy_pam_data(renew_data, pd, &renew_data->pd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "copy_pam_data failed.\n"); + goto done; + } + + sss_authtok_set_empty(renew_data->pd->newauthtok); + + ret = sss_authtok_set_ccfile(renew_data->pd->authtok, renew_data->ccfile, 0); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to store ccfile in auth token.\n"); + goto done; + } + + renew_data->pd->cmd = SSS_CMD_RENEW; + + value.type = HASH_VALUE_PTR; + value.ptr = renew_data; + + ret = hash_enter(krb5_ctx->renew_tgt_ctx->tgt_table, &key, &value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_enter failed.\n"); + ret = EFAULT; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Added [%s] for renewal at [%.24s].\n", renew_data->ccfile, + ctime(&renew_data->start_renew_at)); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(renew_data); + } + return 
ret; +} diff --git a/src/providers/krb5/krb5_utils.c b/src/providers/krb5/krb5_utils.c new file mode 100644 index 0000000..1389596 --- /dev/null +++ b/src/providers/krb5/krb5_utils.c 
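Review bot: Both failure paths in `renew_handler` call `talloc_zfree(renew_tgt_ctx)` on the function's own parameter, which frees the context but leaves `krb5_ctx->renew_tgt_ctx` (set in `init_renew_tgt`) pointing at it, assuming `talloc_zfree` only clears the expression it is given. `add_tgt_to_renew_table` tests nothing but that field for NULL before allocating under it and calling `hash_enter` on its `tgt_table`, so a later call after renewal has been disabled would work on freed memory. Clearing the owner's pointer keeps that NULL check meaningful: `struct krb5_ctx *kc = renew_tgt_ctx->krb5_ctx;` followed by `talloc_zfree(kc->renew_tgt_ctx);` in both places. Separately, `check_ccache_file` compares the return value of `stat()` with `ENOENT`, but `stat()` returns -1 and reports the reason in `errno`, so a missing ccache file comes back as an error instead of `EOK`; `ret = errno; if (ret == ENOENT) return EOK;` inside the failure branch fixes that.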
@@ -0,0 +1,605 @@ +/* + SSSD + + Kerberos 5 Backend Module -- Utilities + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include +#include + +#include "providers/krb5/krb5_utils.h" +#include "providers/krb5/krb5_ccache.h" +#include "providers/krb5/krb5_auth.h" +#include "src/util/find_uid.h" +#include "util/util.h" + +errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg, + struct krb5_ctx *krb5_ctx, + struct sss_domain_info *dom, const char *user, + const char *user_dom, char **_upn) +{ + const char *upn = NULL; + int ret; + + if (krb5_ctx == NULL || dom == NULL || user == NULL || _upn == NULL) { + return EINVAL; + } + + if (msg != NULL) { + upn = ldb_msg_find_attr_as_string(msg, SYSDB_CANONICAL_UPN, NULL); + if (upn != NULL) { + ret = EOK; + goto done; + } + + upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL); + if (upn != NULL) { + ret = EOK; + goto done; + } + } + + ret = krb5_get_simple_upn(mem_ctx, krb5_ctx, dom, user, + user_dom, _upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_get_simple_upn failed.\n"); + return ret; + } + +done: + if (ret == EOK && upn != NULL) { + *_upn = talloc_strdup(mem_ctx, upn); + if (*_upn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + return ENOMEM; + } + } + + return ret; +} + +errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb, + struct 
sss_domain_info *domain, + const char *user, + const char *upn) +{ + TALLOC_CTX *tmp_ctx; + int ret; + int sret; + const char *attrs[] = {SYSDB_UPN, SYSDB_CANONICAL_UPN, NULL}; + struct sysdb_attrs *new_attrs; + struct ldb_result *res; + bool in_transaction = false; + const char *cached_upn; + const char *cached_canonical_upn; + + if (sysdb == NULL || user == NULL || upn == NULL) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + ret = sysdb_get_user_attr(tmp_ctx, domain, user, attrs, &res); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_user_attr failed.\n"); + goto done; + } + + if (res->count != 1) { + DEBUG(SSSDBG_OP_FAILURE, "[%d] user objects for name [%s] found, " \ + "expected 1.\n", res->count, user); + ret = EINVAL; + goto done; + } + + cached_upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); + + if (cached_upn != NULL && strcmp(cached_upn, upn) == 0) { + DEBUG(SSSDBG_TRACE_ALL, "Cached UPN and new one match, " + "nothing to do.\n"); + ret = EOK; + goto done; + } + + cached_canonical_upn = ldb_msg_find_attr_as_string(res->msgs[0], + SYSDB_CANONICAL_UPN, + NULL); + + if (cached_canonical_upn != NULL + && strcmp(cached_canonical_upn, upn) == 0) { + DEBUG(SSSDBG_TRACE_ALL, "Cached canonical UPN and new one match, " + "nothing to do.\n"); + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Replacing canonical UPN [%s] with [%s] " \ + "for user [%s].\n", + cached_canonical_upn == NULL ? 
+ "empty" : cached_canonical_upn, + upn, user); + + new_attrs = sysdb_new_attrs(tmp_ctx); + if (new_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(new_attrs, SYSDB_CANONICAL_UPN, upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n"); + goto done; + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Error %d starting transaction (%s)\n", ret, strerror(ret)); + goto done; + } + in_transaction = true; + + ret = sysdb_set_entry_attr(sysdb, res->msgs[0]->dn, new_attrs, + cached_canonical_upn == NULL ? SYSDB_MOD_ADD : + SYSDB_MOD_REP); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed [%d][%s].\n", + ret, strerror(ret)); + goto done; + } + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to commit transaction!\n"); + goto done; + } + in_transaction = false; + + ret = EOK; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + + return ret; +} + +#define S_EXP_UID "{uid}" +#define L_EXP_UID (sizeof(S_EXP_UID) - 1) +#define S_EXP_USERID "{USERID}" +#define L_EXP_USERID (sizeof(S_EXP_USERID) - 1) +#define S_EXP_EUID "{euid}" +#define L_EXP_EUID (sizeof(S_EXP_EUID) - 1) +#define S_EXP_USERNAME "{username}" +#define L_EXP_USERNAME (sizeof(S_EXP_USERNAME) - 1) + +static errno_t +check_ccache_re(const char *filename, pcre *illegal_re) +{ + errno_t ret; + + ret = pcre_exec(illegal_re, NULL, filename, strlen(filename), + 0, 0, NULL, 0); + if (ret == 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Illegal pattern in ccache directory name [%s].\n", filename); + return EINVAL; + } else if (ret == PCRE_ERROR_NOMATCH) { + DEBUG(SSSDBG_TRACE_LIBS, + "Ccache directory name [%s] does not contain " + "illegal patterns.\n", 
filename); + return EOK; + } + + DEBUG(SSSDBG_CRIT_FAILURE, "pcre_exec failed [%d].\n", ret); + return EFAULT; +} + +char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, + const char *template, pcre *illegal_re, + bool file_mode, bool case_sensitive) +{ + char *copy; + char *p; + char *n; + char *result = NULL; + char *dummy; + char *name; + char *res = NULL; + const char *cache_dir_tmpl; + TALLOC_CTX *tmp_ctx = NULL; + char action; + bool rerun; + int ret; + + if (template == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n"); + return NULL; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return NULL; + + copy = talloc_strdup(tmp_ctx, template); + if (copy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + goto done; + } + + result = talloc_strdup(tmp_ctx, ""); + if (result == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + goto done; + } + + p = copy; + while ( (n = strchr(p, '%')) != NULL) { + *n = '\0'; + n++; + if ( *n == '\0' ) { + DEBUG(SSSDBG_CRIT_FAILURE, + "format error, single %% at the end of the template.\n"); + goto done; + } + + rerun = true; + action = *n; + while (rerun) { + rerun = false; + switch (action) { + case 'u': + if (kr->pd->user == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand user name template " + "because user name is empty.\n"); + goto done; + } + + name = sss_output_name(tmp_ctx, kr->pd->user, case_sensitive, 0); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_get_cased_name failed\n"); + goto done; + } + + result = talloc_asprintf_append(result, "%s%s", p, + name); + break; + case 'U': + if (kr->uid <= 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand uid template " + "because uid is invalid.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%"SPRIuid, p, + kr->uid); + break; + case 'p': + if (kr->upn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand user principal name template " + "because upn is empty.\n"); + goto 
done; + } + result = talloc_asprintf_append(result, "%s%s", p, kr->upn); + break; + case '%': + result = talloc_asprintf_append(result, "%s%%", p); + break; + case 'r': + dummy = dp_opt_get_string(kr->krb5_ctx->opts, KRB5_REALM); + if (dummy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing kerberos realm.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, dummy); + break; + case 'h': + if (kr->homedir == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand home directory template " + "because the path is not available.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, kr->homedir); + break; + case 'd': + if (file_mode) { + cache_dir_tmpl = dp_opt_get_string(kr->krb5_ctx->opts, + KRB5_CCACHEDIR); + if (cache_dir_tmpl == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Missing credential cache directory.\n"); + goto done; + } + + dummy = expand_ccname_template(tmp_ctx, kr, cache_dir_tmpl, + illegal_re, false, case_sensitive); + if (dummy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expanding credential cache directory " + "template failed.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, dummy); + talloc_zfree(dummy); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "'%%d' is not allowed in this template.\n"); + goto done; + } + break; + case 'P': + if (!file_mode) { + DEBUG(SSSDBG_CRIT_FAILURE, + "'%%P' is not allowed in this template.\n"); + goto done; + } + if (kr->pd->cli_pid == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand PID template " + "because PID is not available.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%d", p, + kr->pd->cli_pid); + break; + + /* Additional syntax from krb5.conf default_ccache_name */ + case '{': + if (strncmp(n , S_EXP_UID, L_EXP_UID) == 0) { + action = 'U'; + n += L_EXP_UID - 1; + rerun = true; + continue; + } else if (strncmp(n , S_EXP_USERID, L_EXP_USERID) == 0) { + action = 'U'; + n += L_EXP_USERID - 1; + rerun = true; + continue; + } else if 
(strncmp(n , S_EXP_EUID, L_EXP_EUID) == 0) { + /* SSSD does not distinguish between uid and euid, + * so we treat both the same way */ + action = 'U'; + n += L_EXP_EUID - 1; + rerun = true; + continue; + } else if (strncmp(n , S_EXP_USERNAME, L_EXP_USERNAME) == 0) { + action = 'u'; + n += L_EXP_USERNAME - 1; + rerun = true; + continue; + } else { + /* ignore any expansion variable we do not understand and + * let libkrb5 hndle it or fail */ + name = n; + n = strchr(name, '}'); + if (!n) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid substitution sequence in cache " + "template. Missing closing '}' in [%s].\n", + template); + goto done; + } + result = talloc_asprintf_append(result, "%s%%%.*s", p, + (int)(n - name + 1), name); + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "format error, unknown template [%%%c].\n", *n); + goto done; + } + } + + if (result == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); + goto done; + } + + p = n + 1; + } + + result = talloc_asprintf_append(result, "%s", p); + if (result == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); + goto done; + } + + if (illegal_re != NULL) { + ret = check_ccache_re(result, illegal_re); + if (ret != EOK) { + goto done; + } + } + + res = talloc_move(mem_ctx, &result); +done: + talloc_zfree(tmp_ctx); + return res; +} + +errno_t get_domain_or_subdomain(struct be_ctx *be_ctx, + char *domain_name, + struct sss_domain_info **dom) +{ + + if (domain_name != NULL && + strcasecmp(domain_name, be_ctx->domain->name) != 0) { + *dom = find_domain_by_name(be_ctx->domain, domain_name, true); + if (*dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "find_domain_by_name failed.\n"); + return ENOMEM; + } + } else { + *dom = be_ctx->domain; + } + + return EOK; +} + +static errno_t split_tuple(TALLOC_CTX *mem_ctx, const char *tuple, + const char **_first, const char **_second) +{ + errno_t ret; + char **list; + int n; + + ret = split_on_separator(mem_ctx, tuple, ':', true, true, 
&list, &n); + + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "split_on_separator failed - %s:[%d]\n", + sss_strerror(ret), ret); + goto done; + } else if (n != 2) { + DEBUG(SSSDBG_MINOR_FAILURE, + "split_on_separator failed - Expected format is: " + "'username:primary' but got: '%s'.\n", tuple); + ret = EINVAL; + goto done; + } + + *_first = list[0]; + *_second = list[1]; + +done: + return ret; +} + +static errno_t +fill_name_to_primary_map(TALLOC_CTX *mem_ctx, char **map, + struct map_id_name_to_krb_primary *name_to_primary, + size_t size) +{ + int i; + errno_t ret; + + for (i = 0; i < size; i++) { + ret = split_tuple(mem_ctx, map[i], + &name_to_primary[i].id_name, + &name_to_primary[i].krb_primary); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "split_tuple failed - %s:[%d]\n", sss_strerror(ret), ret); + goto done; + } + } + + ret = EOK; + +done: + return ret; +} + +errno_t +parse_krb5_map_user(TALLOC_CTX *mem_ctx, + const char *krb5_map_user, + const char *dom_name, + struct map_id_name_to_krb_primary **_name_to_primary) +{ + int size; + char **map; + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct map_id_name_to_krb_primary *name_to_primary; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + if (krb5_map_user == NULL || strlen(krb5_map_user) == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "krb5_map_user is empty!\n"); + size = 0; + } else { + ret = split_on_separator(tmp_ctx, krb5_map_user, ',', true, true, + &map, &size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to parse krb5_map_user!\n"); + goto done; + } + } + + name_to_primary = talloc_zero_array(tmp_ctx, + struct map_id_name_to_krb_primary, + size + 1); + if (name_to_primary == NULL) { + ret = ENOMEM; + goto done; + } + /* sentinel */ + name_to_primary[size].id_name = NULL; + name_to_primary[size].krb_primary = NULL; + + if (size > 0) { + ret = fill_name_to_primary_map(name_to_primary, map, name_to_primary, + size); + if (ret != EOK) { + 
DEBUG(SSSDBG_MINOR_FAILURE, + "fill_name_to_primary_map failed: %s:[%d]\n", + sss_strerror(ret), ret); + goto done; + } + } + + /* conversion names to fully-qualified names */ + for (int i = 0; i < size; i++) { + name_to_primary[i].id_name = sss_create_internal_fqname( + name_to_primary, + name_to_primary[i].id_name, + dom_name); + if (name_to_primary[i].id_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n"); + ret = ENOMEM; + goto done; + } + + name_to_primary[i].krb_primary = sss_create_internal_fqname( + name_to_primary, + name_to_primary[i].krb_primary, + dom_name); + if (name_to_primary[i].krb_primary == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed\n"); + ret = ENOMEM; + goto done; + } + } + ret = EOK; + +done: + if (ret == EOK) { + *_name_to_primary = talloc_steal(mem_ctx, name_to_primary); + } + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/providers/krb5/krb5_utils.h b/src/providers/krb5/krb5_utils.h new file mode 100644 index 0000000..3051a99 --- /dev/null +++ b/src/providers/krb5/krb5_utils.h 
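Review bot: `expand_ccname_template` has no contract comment, and the part of its contract that matters for safety is that the pattern check is optional: `%u`, `%p` and `%h` splice `kr->pd->user`, `kr->upn` and `kr->homedir` into the result, and `check_ccache_re` runs on it only when `illegal_re != NULL`. Since the result names a credential cache location, I would state this above the function, for example `/* Values substituted for %u, %p and %h come from the request and are checked only when illegal_re is non-NULL; callers that build a filesystem path must pass it. */`. A smaller point in the same file: `get_domain_or_subdomain` returns `ENOMEM` when `find_domain_by_name` finds nothing, which reads as an allocation failure in logs; `ENOENT` would describe a failed lookup, though callers outside this hunk may depend on the current value.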
@@ -0,0 +1,59 @@ +/* + SSSD + + Kerberos Backend, header file for utilities + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __KRB5_UTILS_H__ +#define __KRB5_UTILS_H__ + +#include +#include "config.h" + +#include "providers/krb5/krb5_auth.h" +#include "providers/data_provider.h" + +errno_t find_or_guess_upn(TALLOC_CTX *mem_ctx, struct ldb_message *msg, + struct krb5_ctx *krb5_ctx, + struct sss_domain_info *dom, const char *user, + const char *user_dom, char **_upn); + +errno_t check_if_cached_upn_needs_update(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *user, + const char *upn); + +char *expand_ccname_template(TALLOC_CTX *mem_ctx, struct krb5child_req *kr, + const char *template, pcre *illegal_re, + bool file_mode, bool case_sensitive); + +errno_t get_domain_or_subdomain(struct be_ctx *be_ctx, + char *domain_name, + struct sss_domain_info **dom); + +errno_t +parse_krb5_map_user(TALLOC_CTX *mem_ctx, + const char *krb5_map_user, + const char *dom_name, + struct map_id_name_to_krb_primary **_name_to_primary); + +#endif /* __KRB5_UTILS_H__ */ diff --git a/src/providers/krb5/krb5_wait_queue.c b/src/providers/krb5/krb5_wait_queue.c new file mode 100644 index 0000000..b4d3f90 --- /dev/null +++ b/src/providers/krb5/krb5_wait_queue.c 
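Review bot: The prototype of `parse_krb5_map_user` at the end of krb5_utils.h says nothing about its output contract, which callers need in order to walk the result safely. The definition in krb5_utils.c allocates `size + 1` zeroed entries, leaves the last one with NULL `id_name` and `krb_primary` as a sentinel, and moves the array to `mem_ctx` only when it returns EOK. I would add above the prototype: `/* On EOK, *_name_to_primary is owned by mem_ctx and ends with an entry whose id_name and krb_primary are NULL; it is not set on error. */`.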
@@ -0,0 +1,375 @@ +/* + SSSD + + Kerberos 5 Backend Module - Serialize the request of a user + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include + +#include "src/providers/krb5/krb5_auth.h" + +#define INIT_HASH_SIZE 5 + +struct queue_entry { + struct queue_entry *prev; + struct queue_entry *next; + + struct be_ctx *be_ctx; + struct be_req *be_req; + struct tevent_req *parent_req; + struct pam_data *pd; + struct krb5_ctx *krb5_ctx; +}; + +static void wait_queue_auth_done(struct tevent_req *req); + +static void krb5_auth_queue_finish(struct tevent_req *req, errno_t ret, + int pam_status, int dp_err); + +static void wait_queue_auth(struct tevent_context *ev, struct tevent_timer *te, + struct timeval current_time, void *private_data) +{ + struct queue_entry *qe = talloc_get_type(private_data, struct queue_entry); + struct tevent_req *req; + + req = krb5_auth_send(qe->parent_req, qe->be_ctx->ev, + qe->be_ctx, qe->pd, qe->krb5_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n"); + } else { + tevent_req_set_callback(req, wait_queue_auth_done, + qe->parent_req); + } + + talloc_zfree(qe); +} + +static void wait_queue_auth_done(struct tevent_req *req) +{ + struct tevent_req *parent_req = \ + tevent_req_callback_data(req, struct tevent_req); + int pam_status; + int dp_err; + errno_t ret; + + ret = 
krb5_auth_recv(req, &pam_status, &dp_err); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv failed: %d\n", ret); + } + + krb5_auth_queue_finish(parent_req, ret, pam_status, dp_err); +} + +static void wait_queue_del_cb(hash_entry_t *entry, hash_destroy_enum type, + void *pvt) +{ + struct queue_entry *head; + + if (entry->value.type == HASH_VALUE_PTR) { + head = talloc_get_type(entry->value.ptr, struct queue_entry); + talloc_zfree(head); + return; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected value type [%d].\n", entry->value.type); +} + +static errno_t add_to_wait_queue(struct be_ctx *be_ctx, + struct tevent_req *parent_req, + struct pam_data *pd, + struct krb5_ctx *krb5_ctx) +{ + int ret; + hash_key_t key; + hash_value_t value; + struct queue_entry *head; + struct queue_entry *queue_entry; + + if (krb5_ctx->wait_queue_hash == NULL) { + ret = sss_hash_create_ex(krb5_ctx, INIT_HASH_SIZE, + &krb5_ctx->wait_queue_hash, 0, 0, 0, 0, + wait_queue_del_cb, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_hash_create failed\n"); + return ret; + } + } + + key.type = HASH_KEY_STRING; + key.str = pd->user; + + ret = hash_lookup(krb5_ctx->wait_queue_hash, &key, &value); + switch (ret) { + case HASH_SUCCESS: + if (value.type != HASH_VALUE_PTR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected hash value type.\n"); + return EINVAL; + } + + head = talloc_get_type(value.ptr, struct queue_entry); + + queue_entry = talloc_zero(head, struct queue_entry); + if (queue_entry == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + queue_entry->be_ctx = be_ctx; + queue_entry->parent_req = parent_req; + queue_entry->pd = pd; + queue_entry->krb5_ctx = krb5_ctx; + + DLIST_ADD_END(head, queue_entry, struct queue_entry *); + + break; + case HASH_ERROR_KEY_NOT_FOUND: + value.type = HASH_VALUE_PTR; + head = talloc_zero(krb5_ctx->wait_queue_hash, struct queue_entry); + if (head == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"talloc_zero failed.\n"); + return ENOMEM; + } + value.ptr = head; + + ret = hash_enter(krb5_ctx->wait_queue_hash, &key, &value); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_enter failed.\n"); + talloc_free(head); + return EIO; + } + + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "hash_lookup failed.\n"); + return EIO; + } + + if (head->next == NULL) { + return ENOENT; + } else { + return EOK; + } +} + +static void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username) +{ + int ret; + hash_key_t key; + hash_value_t value; + struct queue_entry *head; + struct queue_entry *queue_entry; + struct tevent_timer *te; + + if (krb5_ctx->wait_queue_hash == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No wait queue available.\n"); + return; + } + + key.type = HASH_KEY_STRING; + key.str = username; + + ret = hash_lookup(krb5_ctx->wait_queue_hash, &key, &value); + + switch (ret) { + case HASH_SUCCESS: + if (value.type != HASH_VALUE_PTR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected hash value type.\n"); + return; + } + + head = talloc_get_type(value.ptr, struct queue_entry); + + if (head->next == NULL) { + DEBUG(SSSDBG_TRACE_LIBS, + "Wait queue for user [%s] is empty.\n", username); + } else { + queue_entry = head->next; + + DLIST_REMOVE(head, queue_entry); + + te = tevent_add_timer(queue_entry->be_ctx->ev, krb5_ctx, + tevent_timeval_current(), wait_queue_auth, + queue_entry); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + } else { + return; + } + } + + ret = hash_delete(krb5_ctx->wait_queue_hash, &key); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to remove wait queue for user [%s].\n", + username); + } + + break; + case HASH_ERROR_KEY_NOT_FOUND: + DEBUG(SSSDBG_CRIT_FAILURE, + "No wait queue for user [%s] found.\n", username); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "hash_lookup failed.\n"); + } + + return; +} + +struct krb5_auth_queue_state { + struct krb5_ctx *krb5_ctx; + struct pam_data *pd; 
+ + int pam_status; + int dp_err; +}; + +static void krb5_auth_queue_done(struct tevent_req *subreq); + +struct tevent_req *krb5_auth_queue_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct pam_data *pd, + struct krb5_ctx *krb5_ctx) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct krb5_auth_queue_state *state; + + req = tevent_req_create(mem_ctx, &state, struct krb5_auth_queue_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + state->krb5_ctx = krb5_ctx; + state->pd = pd; + + ret = add_to_wait_queue(be_ctx, req, pd, krb5_ctx); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "Request [%p] successfully added to wait queue " + "of user [%s].\n", req, pd->user); + ret = EOK; + goto immediate; + } else if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_LIBS, "Wait queue of user [%s] is empty, " + "running request [%p] immediately.\n", pd->user, req); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add request to wait queue of user [%s], " + "running request [%p] immediately.\n", pd->user, req); + } + + subreq = krb5_auth_send(req, ev, be_ctx, pd, krb5_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_auth_send failed.\n"); + ret = ENOMEM; + goto immediate; + } + + tevent_req_set_callback(subreq, krb5_auth_queue_done, req); + + ret = EOK; + +immediate: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void krb5_auth_queue_done(struct tevent_req *subreq) +{ + struct tevent_req *req = \ + tevent_req_callback_data(subreq, struct tevent_req); + struct krb5_auth_queue_state *state = \ + tevent_req_data(req, struct krb5_auth_queue_state); + errno_t ret; + + ret = krb5_auth_recv(subreq, &state->pam_status, &state->dp_err); + talloc_zfree(subreq); + + check_wait_queue(state->krb5_ctx, state->pd->user); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv failed with: 
%d\n", ret); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_LIBS, "krb5_auth_queue request [%p] done.\n", req); + tevent_req_done(req); +} + +/* This is a violation of the tevent_req style. Ideally, the wait queue would + * be rewritten to the tevent_req style in the future, expose per-request recv + * and not hide the request underneath. But this function allows us to expose + * a tevent_req API for users of this module + */ +static void krb5_auth_queue_finish(struct tevent_req *req, + errno_t ret, + int pam_status, + int dp_err) +{ + struct krb5_auth_queue_state *state = \ + tevent_req_data(req, struct krb5_auth_queue_state); + + check_wait_queue(state->krb5_ctx, state->pd->user); + + state->pam_status = pam_status; + state->dp_err = dp_err; + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + DEBUG(SSSDBG_TRACE_LIBS, "krb5_auth_queue request [%p] done.\n", req); + tevent_req_done(req); + } +} + +int krb5_auth_queue_recv(struct tevent_req *req, + int *_pam_status, + int *_dp_err) +{ + struct krb5_auth_queue_state *state = \ + tevent_req_data(req, struct krb5_auth_queue_state); + + /* Returning values even on failure is not typical, but IPA password migration + * relies on receiving PAM_CRED_ERR even if the request fails.. + */ + if (_pam_status) { + *_pam_status = state->pam_status; + } + + if (_dp_err) { + *_dp_err = state->dp_err; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ldap/ldap_access.c b/src/providers/ldap/ldap_access.c new file mode 100644 index 0000000..4ec4702 --- /dev/null +++ b/src/providers/ldap/ldap_access.c 
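Review bot: In `krb5_auth_queue_send` the result of `krb5_auth_send` is stored in `subreq`, but the check that follows tests `req`, which was already verified non-NULL right after `tevent_req_create`. If `krb5_auth_send` returns NULL, execution falls through to `tevent_req_set_callback(subreq, krb5_auth_queue_done, req)` with a NULL request, which would presumably crash the backend in the authentication path. The check should read `if (subreq == NULL) {`. Separately, neither this error path nor the `req == NULL` branch in `wait_queue_auth` calls `check_wait_queue` or finishes the parent request. The per-user queue head created by `add_to_wait_queue` therefore appears to stay in the hash, and later requests for that user would be queued behind it without ever being run; worth confirming.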
@@ -0,0 +1,128 @@ +/* + SSSD + + ldap_access.c + + Authors: + Simo Sorce + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "src/util/util.h" +#include "src/providers/data_provider.h" +#include "src/providers/backend.h" +#include "src/providers/ldap/sdap_access.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_pam_access_handler_state { + struct pam_data *pd; +}; + +static void sdap_pam_access_handler_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_pam_access_handler_send(TALLOC_CTX *mem_ctx, + struct sdap_access_ctx *access_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct sdap_pam_access_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_pam_access_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + + subreq = sdap_access_send(state, params->ev, params->be_ctx, + params->domain, access_ctx, + access_ctx->id_ctx->conn, pd); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_pam_access_handler_done, req); + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void sdap_pam_access_handler_done(struct tevent_req *subreq) +{ + struct sdap_pam_access_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_pam_access_handler_state); + + ret = sdap_access_recv(subreq); + talloc_free(subreq); + switch (ret) { + case EOK: + case ERR_PASSWORD_EXPIRED_WARN: + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_ACCOUNT_EXPIRED: + state->pd->pam_status = PAM_ACCT_EXPIRED; + break; + case ERR_ACCESS_DENIED: + case ERR_PASSWORD_EXPIRED: + case ERR_PASSWORD_EXPIRED_REJECT: + state->pd->pam_status = PAM_PERM_DENIED; + break; + case ERR_PASSWORD_EXPIRED_RENEW: + state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Error retrieving access check result.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + } + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +sdap_pam_access_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct sdap_pam_access_handler_state *state = NULL; + + state = tevent_req_data(req, struct sdap_pam_access_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c new file mode 100644 index 0000000..d40bc94 --- /dev/null +++ b/src/providers/ldap/ldap_auth.c 
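Review bot: `sdap_pam_access_handler_done` and the `immediately` path in `sdap_pam_access_handler_send` always finish the request with `tevent_req_done`, so `sdap_pam_access_handler_recv` returns EOK even when access was denied or the check itself failed. The verdict exists only in `pd->pam_status`, and a caller that treats EOK as "allowed" would fail open; the two TODO comments give the compatibility reason but not this consequence. I would document it on the recv function: `/* EOK means the check completed, not that access was granted; the decision is in (*_data)->pam_status. */`. The callers are outside this hunk, so whether any of them relies on the return code alone cannot be checked here.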
@@ -0,0 +1,1344 @@ +/* + SSSD + + LDAP Backend Module + + Authors: + Sumit Bose + + Copyright (C) 2008 Red Hat + Copyright (C) 2010, rhafer@suse.de, Novell Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifdef WITH_MOZLDAP +#define LDAP_OPT_SUCCESS LDAP_SUCCESS +#define LDAP_TAG_EXOP_MODIFY_PASSWD_ID ((ber_tag_t) 0x80U) +#define LDAP_TAG_EXOP_MODIFY_PASSWD_OLD ((ber_tag_t) 0x81U) +#define LDAP_TAG_EXOP_MODIFY_PASSWD_NEW ((ber_tag_t) 0x82U) +#endif + +#include "config.h" + +#include +#include +#include +#include + +#include +#include + +#include "util/util.h" +#include "util/user_info_msg.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_auth.h" +#include "providers/ldap/sdap_access.h" + + +#define LDAP_PWEXPIRE_WARNING_TIME 0 + +static errno_t add_expired_warning(struct pam_data *pd, long exp_time) +{ + int ret; + uint32_t *data; + + if (exp_time < 0 || exp_time > UINT32_MAX) { + DEBUG(SSSDBG_CRIT_FAILURE, "Time to expire out of range.\n"); + return EINVAL; + } + + data = talloc_array(pd, uint32_t, 2); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + data[0] = SSS_PAM_USER_INFO_EXPIRE_WARN; + data[1] = (uint32_t) exp_time; + + ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2 * sizeof(uint32_t), + (uint8_t *) data); + if 
(ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + + return EOK; +} + +static errno_t check_pwexpire_kerberos(const char *expire_date, time_t now, + struct pam_data *pd, + int pwd_exp_warning) +{ + time_t expire_time; + int expiration_warning; + int ret = ERR_INTERNAL; + + ret = sss_utc_to_time_t(expire_date, "%Y%m%d%H%M%SZ", + &expire_time); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "sss_utc_to_time_t failed with %d:%s.\n", + ret, sss_strerror(ret)); + return ret; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] " + "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0], + tzname[1], timezone, daylight, now, expire_time); + + if (difftime(now, expire_time) > 0.0) { + DEBUG(SSSDBG_CONF_SETTINGS, "Kerberos password expired.\n"); + ret = ERR_PASSWORD_EXPIRED; + } else { + if (pwd_exp_warning >= 0) { + expiration_warning = pwd_exp_warning; + } else { + expiration_warning = KERBEROS_PWEXPIRE_WARNING_TIME; + } + if (pd != NULL && + (difftime(now + expiration_warning, expire_time) > 0.0 || + expiration_warning == 0)) { + ret = add_expired_warning(pd, (long) difftime(expire_time, now)); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n"); + } + } + ret = EOK; + } + + return ret; +} + +static errno_t check_pwexpire_shadow(struct spwd *spwd, time_t now, + struct pam_data *pd) +{ + long today; + long password_age; + long exp; + int ret; + + if (spwd->sp_lstchg <= 0) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Last change day is not set, new password needed.\n"); + return ERR_PASSWORD_EXPIRED; + } + + today = (long) (now / (60 * 60 *24)); + password_age = today - spwd->sp_lstchg; + if (password_age < 0) { + DEBUG(SSSDBG_OP_FAILURE, + "The last password change time is in the future!.\n"); + return EOK; + } + + if ((spwd->sp_expire != -1 && today > spwd->sp_expire) || + (spwd->sp_max != -1 && spwd->sp_inact != -1 && + password_age > spwd->sp_max + spwd->sp_inact)) + { + 
DEBUG(SSSDBG_CONF_SETTINGS, "Account expired.\n"); + return ERR_ACCOUNT_EXPIRED; + } + + if (spwd->sp_max != -1 && password_age > spwd->sp_max) { + DEBUG(SSSDBG_CONF_SETTINGS, "Password expired.\n"); + return ERR_PASSWORD_EXPIRED; + } + + if (pd != NULL && spwd->sp_max != -1 && spwd->sp_warn != -1 && + password_age > spwd->sp_max - spwd->sp_warn ) { + + /* add_expired_warning() expects time in seconds */ + exp = (spwd->sp_max - password_age) * (60 * 60 * 24); + if (exp == 0) { + /* Seconds until next midnight */ + exp = ((today + 1) * (60 * 60 * 24)) - now; + } + + ret = add_expired_warning(pd, exp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "add_expired_warning failed.\n"); + } + } + + return EOK; +} + +static errno_t check_pwexpire_ldap(struct pam_data *pd, + struct sdap_ppolicy_data *ppolicy, + int pwd_exp_warning) +{ + int ret = EOK; + + if (ppolicy->grace >= 0 || ppolicy->expire > 0) { + uint32_t *data; + uint32_t *ptr; + + if (pwd_exp_warning < 0) { + pwd_exp_warning = 0; + } + + data = talloc_size(pd, 2* sizeof(uint32_t)); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + ptr = data; + if (ppolicy->grace >= 0) { + *ptr = SSS_PAM_USER_INFO_GRACE_LOGIN; + ptr++; + *ptr = ppolicy->grace; + } else if (ppolicy->expire > 0) { + if (pwd_exp_warning != 0 && ppolicy->expire > pwd_exp_warning) { + /* do not warn */ + goto done; + } + + /* send warning */ + *ptr = SSS_PAM_USER_INFO_EXPIRE_WARN; + ptr++; + *ptr = ppolicy->expire; + } + + ret = pam_add_response(pd, SSS_PAM_USER_INFO, 2* sizeof(uint32_t), + (uint8_t*)data); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + +done: + return ret; +} + +errno_t check_pwexpire_policy(enum pwexpire pw_expire_type, + void *pw_expire_data, + struct pam_data *pd, + int pwd_expiration_warning) +{ + errno_t ret; + + switch (pw_expire_type) { + case PWEXPIRE_SHADOW: + ret = check_pwexpire_shadow(pw_expire_data, time(NULL), pd); + break; 
+ case PWEXPIRE_KERBEROS: + ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), pd, + pwd_expiration_warning); + break; + case PWEXPIRE_LDAP_PASSWORD_POLICY: + ret = check_pwexpire_ldap(pd, pw_expire_data, + pwd_expiration_warning); + break; + case PWEXPIRE_NONE: + ret = EOK; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n"); + ret = EINVAL; + } + + return ret; +} + +static errno_t +find_password_expiration_attributes(TALLOC_CTX *mem_ctx, + const struct ldb_message *msg, + struct dp_option *opts, + enum pwexpire *type, void **data) +{ + const char *mark; + const char *val; + struct spwd *spwd; + const char *pwd_policy; + int ret; + + *type = PWEXPIRE_NONE; + *data = NULL; + + pwd_policy = dp_opt_get_string(opts, SDAP_PWD_POLICY); + if (pwd_policy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing password policy.\n"); + return EINVAL; + } + + if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) == 0) { + DEBUG(SSSDBG_TRACE_ALL, "No password policy requested.\n"); + return EOK; + } else if (strcasecmp(pwd_policy, PWD_POL_OPT_MIT) == 0) { + mark = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_LASTCHANGE, NULL); + if (mark != NULL) { + DEBUG(SSSDBG_TRACE_ALL, + "Found Kerberos password expiration attributes.\n"); + val = ldb_msg_find_attr_as_string(msg, SYSDB_KRBPW_EXPIRATION, + NULL); + if (val != NULL) { + *data = talloc_strdup(mem_ctx, val); + if (*data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + return ENOMEM; + } + *type = PWEXPIRE_KERBEROS; + + return EOK; + } + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "No Kerberos password expiration attributes found, " + "but MIT Kerberos password policy was requested. 
" + "Access will be denied.\n"); + return EACCES; + } + } else if (strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) == 0) { + mark = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL); + if (mark != NULL) { + DEBUG(SSSDBG_TRACE_ALL, + "Found shadow password expiration attributes.\n"); + spwd = talloc_zero(mem_ctx, struct spwd); + if (spwd == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + return ENOMEM; + } + + val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_LASTCHANGE, NULL); + ret = string_to_shadowpw_days(val, &spwd->sp_lstchg); + if (ret != EOK) goto shadow_fail; + + val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MIN, NULL); + ret = string_to_shadowpw_days(val, &spwd->sp_min); + if (ret != EOK) goto shadow_fail; + + val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_MAX, NULL); + ret = string_to_shadowpw_days(val, &spwd->sp_max); + if (ret != EOK) goto shadow_fail; + + val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_WARNING, NULL); + ret = string_to_shadowpw_days(val, &spwd->sp_warn); + if (ret != EOK) goto shadow_fail; + + val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_INACTIVE, NULL); + ret = string_to_shadowpw_days(val, &spwd->sp_inact); + if (ret != EOK) goto shadow_fail; + + val = ldb_msg_find_attr_as_string(msg, SYSDB_SHADOWPW_EXPIRE, NULL); + ret = string_to_shadowpw_days(val, &spwd->sp_expire); + if (ret != EOK) goto shadow_fail; + + *data = spwd; + *type = PWEXPIRE_SHADOW; + + return EOK; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "No shadow password attributes found, " + "but shadow password policy was requested. 
" + "Access will be denied.\n"); + return EACCES; + } + } + + DEBUG(SSSDBG_TRACE_ALL, "No password expiration attributes found.\n"); + return EOK; + +shadow_fail: + talloc_free(spwd); + return ret; +} + +/* ==Get-User-DN========================================================== */ +struct get_user_dn_state { + char *username; + + char *orig_dn; +}; + +static void get_user_dn_done(struct tevent_req *subreq); + +static struct tevent_req *get_user_dn_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *domain, + struct sdap_handle *sh, + struct sdap_options *opts, + const char *username) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct get_user_dn_state *state; + char *clean_name; + char *filter; + const char **attrs; + errno_t ret; + + req = tevent_req_create(memctx, &state, struct get_user_dn_state); + if (!req) return NULL; + + ret = sss_parse_internal_fqname(state, username, + &state->username, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", username); + goto done; + } + + ret = sss_filter_sanitize(state, state->username, &clean_name); + if (ret != EOK) { + goto done; + } + + filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", + opts->user_map[SDAP_AT_USER_NAME].name, + clean_name, + opts->user_map[SDAP_OC_USER].name); + talloc_zfree(clean_name); + if (filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build the base filter\n"); + ret = ENOMEM; + goto done; + } + + /* We're mostly interested in the DN anyway */ + attrs = talloc_array(state, const char *, 3); + if (attrs == NULL) { + ret = ENOMEM; + goto done; + } + attrs[0] = "objectclass"; + attrs[1] = opts->user_map[SDAP_AT_USER_NAME].name; + attrs[2] = NULL; + + subreq = sdap_search_user_send(state, ev, domain, opts, + opts->sdom->user_search_bases, + sh, attrs, filter, + dp_opt_get_int(opts->basic, + SDAP_SEARCH_TIMEOUT), + SDAP_LOOKUP_SINGLE); + if (!subreq) { + ret = ENOMEM; + goto done; + } + 
tevent_req_set_callback(subreq, get_user_dn_done, req); + return req; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static void get_user_dn_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct get_user_dn_state *state = tevent_req_data(req, + struct get_user_dn_state); + struct ldb_message_element *el; + struct sysdb_attrs **users; + size_t count; + + ret = sdap_search_user_recv(state, subreq, NULL, &users, &count); + talloc_zfree(subreq); + if (ret && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to retrieve users\n"); + tevent_req_error(req, ret); + return; + } + + if (count == 0) { + DEBUG(SSSDBG_OP_FAILURE, "No such user\n"); + tevent_req_error(req, ENOMEM); + return; + } else if (count > 1) { + DEBUG(SSSDBG_OP_FAILURE, "Multiple users matched\n"); + tevent_req_error(req, EIO); + return; + } + + /* exactly one user. 
Get the originalDN */ + ret = sysdb_attrs_get_el_ext(users[0], SYSDB_ORIG_DN, false, &el); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "originalDN is not available for [%s].\n", state->username); + tevent_req_error(req, ret); + return; + } + + state->orig_dn = talloc_strdup(state, (const char *) el->values[0].data); + if (state->orig_dn == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Found originalDN [%s] for [%s]\n", + state->orig_dn, state->username); + tevent_req_done(req); +} + +static int get_user_dn_recv(TALLOC_CTX *mem_ctx, struct tevent_req *req, + char **orig_dn) +{ + struct get_user_dn_state *state = tevent_req_data(req, + struct get_user_dn_state); + + if (orig_dn) { + *orig_dn = talloc_move(mem_ctx, &state->orig_dn); + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +int get_user_dn(TALLOC_CTX *memctx, + struct sss_domain_info *domain, + struct sdap_options *opts, + const char *username, + char **user_dn, + enum pwexpire *user_pw_expire_type, + void **user_pw_expire_data) +{ + TALLOC_CTX *tmpctx; + enum pwexpire pw_expire_type; + void *pw_expire_data; + struct ldb_result *res; + const char **attrs; + const char *dn; + int ret; + + tmpctx = talloc_new(memctx); + if (!tmpctx) { + return ENOMEM; + } + + attrs = talloc_array(tmpctx, const char *, 11); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + attrs[0] = SYSDB_ORIG_DN; + attrs[1] = SYSDB_SHADOWPW_LASTCHANGE; + attrs[2] = SYSDB_SHADOWPW_MIN; + attrs[3] = SYSDB_SHADOWPW_MAX; + attrs[4] = SYSDB_SHADOWPW_WARNING; + attrs[5] = SYSDB_SHADOWPW_INACTIVE; + attrs[6] = SYSDB_SHADOWPW_EXPIRE; + attrs[7] = SYSDB_KRBPW_LASTCHANGE; + attrs[8] = SYSDB_KRBPW_EXPIRATION; + attrs[9] = SYSDB_PWD_ATTRIBUTE; + attrs[10] = NULL; + + ret = sysdb_get_user_attr(tmpctx, domain, username, attrs, &res); + if (ret) { + goto done; + } + + switch (res->count) { + case 0: + /* No such user entry? 
Look it up */ + ret = EAGAIN; + break; + + case 1: + dn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_ORIG_DN, NULL); + if (dn == NULL) { + /* The user entry has no original DN. This is the case when the ID + * provider is not LDAP-based (proxy perhaps) */ + ret = EAGAIN; + break; + } + + dn = talloc_strdup(tmpctx, dn); + if (!dn) { + ret = ENOMEM; + break; + } + + ret = find_password_expiration_attributes(tmpctx, + res->msgs[0], + opts->basic, + &pw_expire_type, + &pw_expire_data); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "find_password_expiration_attributes failed.\n"); + } + break; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "User search by name (%s) returned > 1 results!\n", + username); + ret = EFAULT; + break; + } + +done: + if (ret == EOK) { + *user_dn = talloc_strdup(memctx, dn); + if (!*user_dn) { + ret = ENOMEM; + } + /* pw_expire_data may be NULL */ + *user_pw_expire_data = talloc_steal(memctx, pw_expire_data); + *user_pw_expire_type = pw_expire_type; + } + + talloc_zfree(tmpctx); + return ret; +} + +/* ==Authenticate-User==================================================== */ + +struct auth_state { + struct tevent_context *ev; + struct sdap_auth_ctx *ctx; + const char *username; + struct sss_auth_token *authtok; + struct sdap_service *sdap_service; + + struct sdap_handle *sh; + + char *dn; + enum pwexpire pw_expire_type; + void *pw_expire_data; +}; + +static struct tevent_req *auth_connect_send(struct tevent_req *req); +static void auth_get_dn_done(struct tevent_req *subreq); +static void auth_do_bind(struct tevent_req *req); +static void auth_connect_done(struct tevent_req *subreq); +static void auth_bind_user_done(struct tevent_req *subreq); + +static struct tevent_req *auth_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_auth_ctx *ctx, + const char *username, + struct sss_auth_token *authtok, + bool try_chpass_service) +{ + struct tevent_req *req; + struct auth_state *state; + + req = tevent_req_create(memctx, 
&state, struct auth_state); + if (!req) return NULL; + + /* The token must be a password token */ + if (sss_authtok_get_type(authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + if (sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_PIN + || sss_authtok_get_type(authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { + /* Tell frontend that we do not support Smartcard authentication */ + tevent_req_error(req, ERR_SC_AUTH_NOT_SUPPORTED); + } else { + tevent_req_error(req, ERR_AUTH_FAILED); + } + return tevent_req_post(req, ev); + } + + state->ev = ev; + state->ctx = ctx; + state->username = username; + state->authtok = authtok; + if (try_chpass_service && ctx->chpass_service != NULL && + ctx->chpass_service->name != NULL) { + state->sdap_service = ctx->chpass_service; + } else { + state->sdap_service = ctx->service; + } + + if (!auth_connect_send(req)) goto fail; + + return req; + +fail: + talloc_zfree(req); + return NULL; +} + +static struct tevent_req *auth_connect_send(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct auth_state *state = tevent_req_data(req, + struct auth_state); + bool use_tls; + + /* Check for undocumented debugging feature to disable TLS + * for authentication. This should never be used in production + * for obvious reasons. + */ + use_tls = !dp_opt_get_bool(state->ctx->opts->basic, SDAP_DISABLE_AUTH_TLS); + if (!use_tls) { + sss_log(SSS_LOG_ALERT, "LDAP authentication being performed over " + "insecure connection. This should be done " + "for debugging purposes only."); + } + + subreq = sdap_cli_connect_send(state, state->ev, state->ctx->opts, + state->ctx->be, + state->sdap_service, false, + use_tls ? 
CON_TLS_ON : CON_TLS_OFF, false); + + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return NULL; + } + + tevent_req_set_callback(subreq, auth_connect_done, req); + + return subreq; +} + +static void auth_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct auth_state *state = tevent_req_data(req, + struct auth_state); + int ret; + + ret = sdap_cli_connect_recv(subreq, state, NULL, &state->sh, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + /* As sdap_cli_connect_recv() returns EIO in case all the servers are + * down and we have to go offline, let's treat it accordingly here and + * allow the PAM responder to switch to offline authentication. + * + * Unfortunately, there's not much pattern within our code and the way + * to indicate we're going down in this part of the code is returning + * an ETIMEDOUT. + */ + if (ret == EIO) { + tevent_req_error(req, ETIMEDOUT); + } else { + if (auth_connect_send(req) == NULL) { + tevent_req_error(req, ENOMEM); + } + } + return; + } + + ret = get_user_dn(state, state->ctx->be->domain, + state->ctx->opts, state->username, &state->dn, + &state->pw_expire_type, &state->pw_expire_data); + if (ret == EOK) { + /* All required user data was pre-cached during an identity lookup. + * We can proceed with the bind */ + auth_do_bind(req); + return; + } else if (ret == EAGAIN) { + /* The cached user entry was missing the bind DN. 
Need to look + * it up based on user name in order to perform the bind */ + subreq = get_user_dn_send(req, state->ev, state->ctx->be->domain, + state->sh, state->ctx->opts, state->username); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, auth_get_dn_done, req); + return; + } + + tevent_req_error(req, ret); + return; +} + +static void auth_get_dn_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct auth_state *state = tevent_req_data(req, struct auth_state); + errno_t ret; + + ret = get_user_dn_recv(state, subreq, &state->dn); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ERR_ACCOUNT_UNKNOWN); + return; + } + + /* The DN was found with an LDAP lookup + * We can proceed with the bind */ + return auth_do_bind(req); +} + +static void auth_do_bind(struct tevent_req *req) +{ + struct auth_state *state = tevent_req_data(req, struct auth_state); + struct tevent_req *subreq; + + subreq = sdap_auth_send(state, state->ev, state->sh, + NULL, NULL, state->dn, + state->authtok, + dp_opt_get_int(state->ctx->opts->basic, + SDAP_OPT_TIMEOUT)); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, auth_bind_user_done, req); +} + +static void auth_bind_user_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct auth_state *state = tevent_req_data(req, + struct auth_state); + int ret; + struct sdap_ppolicy_data *ppolicy = NULL; + + ret = sdap_auth_recv(subreq, state, &ppolicy); + talloc_zfree(subreq); + if (ppolicy != NULL) { + DEBUG(SSSDBG_TRACE_ALL,"Found ppolicy data, " + "assuming LDAP password policies are active.\n"); + state->pw_expire_type = PWEXPIRE_LDAP_PASSWORD_POLICY; + state->pw_expire_data = ppolicy; + } + switch (ret) { + case EOK: + break; + case ETIMEDOUT: + case ERR_NETWORK_IO: + if 
(auth_connect_send(req) == NULL) { + tevent_req_error(req, ENOMEM); + } + return; + default: + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t auth_recv(struct tevent_req *req, TALLOC_CTX *memctx, + struct sdap_handle **sh, char **dn, + enum pwexpire *pw_expire_type, void **pw_expire_data) +{ + struct auth_state *state = tevent_req_data(req, struct auth_state); + + if (sh != NULL) { + *sh = talloc_steal(memctx, state->sh); + if (*sh == NULL) return ENOMEM; + } + + if (dn != NULL) { + *dn = talloc_steal(memctx, state->dn); + if (*dn == NULL) return ENOMEM; + } + + if (pw_expire_data != NULL) { + *pw_expire_data = talloc_steal(memctx, state->pw_expire_data); + } + + *pw_expire_type = state->pw_expire_type; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct sdap_pam_auth_handler_state { + struct pam_data *pd; + struct be_ctx *be_ctx; +}; + +static void sdap_pam_auth_handler_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx, + struct sdap_auth_ctx *auth_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct sdap_pam_auth_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_pam_auth_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + state->be_ctx = params->be_ctx; + pd->pam_status = PAM_SYSTEM_ERR; + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + subreq = auth_send(state, params->ev, auth_ctx, + pd->user, pd->authtok, false); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_pam_auth_handler_done, req); + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + subreq = auth_send(state, params->ev, auth_ctx, + pd->user, pd->authtok, true); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto 
immediately; + } + + tevent_req_set_callback(subreq, sdap_pam_auth_handler_done, req); + break; + case SSS_PAM_CHAUTHTOK: + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + + case SSS_PAM_ACCT_MGMT: + case SSS_PAM_SETCRED: + case SSS_PAM_OPEN_SESSION: + case SSS_PAM_CLOSE_SESSION: + pd->pam_status = PAM_SUCCESS; + goto immediately; + default: + pd->pam_status = PAM_MODULE_UNKNOWN; + goto immediately; + } + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void sdap_pam_auth_handler_done(struct tevent_req *subreq) +{ + struct sdap_pam_auth_handler_state *state; + struct tevent_req *req; + enum pwexpire pw_expire_type; + void *pw_expire_data; + const char *password; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_pam_auth_handler_state); + + ret = auth_recv(subreq, state, NULL, NULL, + &pw_expire_type, &pw_expire_data); + talloc_free(subreq); + + if (ret == EOK) { + ret = check_pwexpire_policy(pw_expire_type, pw_expire_data, state->pd, + state->be_ctx->domain->pwd_expiration_warning); + if (ret == EINVAL) { + /* Unknown password expiration type. 
*/ + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + } + + switch (ret) { + case EOK: + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_AUTH_DENIED: + state->pd->pam_status = PAM_PERM_DENIED; + break; + case ERR_AUTH_FAILED: + state->pd->pam_status = PAM_AUTH_ERR; + break; + case ETIMEDOUT: + case ERR_NETWORK_IO: + state->pd->pam_status = PAM_AUTHINFO_UNAVAIL; + be_mark_offline(state->be_ctx); + break; + case ERR_ACCOUNT_EXPIRED: + state->pd->pam_status = PAM_ACCT_EXPIRED; + break; + case ERR_PASSWORD_EXPIRED: + state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; + break; + case ERR_ACCOUNT_LOCKED: + state->pd->account_locked = true; + state->pd->pam_status = PAM_PERM_DENIED; + break; + case ERR_SC_AUTH_NOT_SUPPORTED: + state->pd->pam_status = PAM_BAD_ITEM; + break; + default: + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + } + + if (ret == EOK && state->be_ctx->domain->cache_credentials) { + ret = sss_authtok_get_password(state->pd->authtok, &password, NULL); + if (ret == EOK) { + ret = sysdb_cache_password(state->be_ctx->domain, state->pd->user, + password); + } + + /* password caching failures are not fatal errors */ + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to cache password for %s\n", + state->pd->user); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "Password successfully cached for %s\n", + state->pd->user); + } + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +errno_t +sdap_pam_auth_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct sdap_pam_auth_handler_state *state = NULL; + + state = tevent_req_data(req, struct sdap_pam_auth_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} + +struct sdap_pam_chpass_handler_state { + struct be_ctx *be_ctx; + struct tevent_context *ev; + struct sdap_auth_ctx *auth_ctx; + struct pam_data *pd; + struct sdap_handle *sh; + char *dn; +}; + +static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq); +static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq); +static void sdap_pam_chpass_handler_last_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx, + struct sdap_auth_ctx *auth_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_pam_chpass_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + state->be_ctx = params->be_ctx; + state->auth_ctx = auth_ctx; + state->ev = params->ev; + + if (be_is_offline(state->be_ctx)) { + pd->pam_status = PAM_AUTHINFO_UNAVAIL; + goto immediately; + } + + if ((pd->priv == 1) && (pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) && + (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD)) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Password reset by root is not supported.\n"); + pd->pam_status = PAM_PERM_DENIED; + goto immediately; + } + + DEBUG(SSSDBG_OP_FAILURE, + "starting password change request for user [%s].\n", pd->user); + + pd->pam_status = PAM_SYSTEM_ERR; + + if (pd->cmd != SSS_PAM_CHAUTHTOK && pd->cmd != SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(SSSDBG_OP_FAILURE, + "chpass target 
was called by wrong pam command.\n"); + goto immediately; + } + + subreq = auth_send(state, params->ev, auth_ctx, + pd->user, pd->authtok, true); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_pam_chpass_handler_auth_done, req); + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void sdap_pam_chpass_handler_auth_done(struct tevent_req *subreq) +{ + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; + enum pwexpire pw_expire_type; + void *pw_expire_data; + size_t msg_len; + uint8_t *msg; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = auth_recv(subreq, state, &state->sh, &state->dn, + &pw_expire_type, &pw_expire_data); + talloc_free(subreq); + + if ((ret == EOK || ret == ERR_PASSWORD_EXPIRED) && + state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) { + DEBUG(SSSDBG_TRACE_ALL, "Initial authentication for change " + "password operation successful.\n"); + state->pd->pam_status = PAM_SUCCESS; + goto done; + } + + if (ret == EOK) { + switch (pw_expire_type) { + case PWEXPIRE_SHADOW: + ret = check_pwexpire_shadow(pw_expire_data, time(NULL), NULL); + break; + case PWEXPIRE_KERBEROS: + ret = check_pwexpire_kerberos(pw_expire_data, time(NULL), NULL, + state->be_ctx->domain->pwd_expiration_warning); + + if (ret == ERR_PASSWORD_EXPIRED) { + DEBUG(SSSDBG_CRIT_FAILURE, "LDAP provider cannot change " + "kerberos passwords.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + break; + case PWEXPIRE_LDAP_PASSWORD_POLICY: + case PWEXPIRE_NONE: + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown password expiration type.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + } + + switch (ret) { + case EOK: + case 
ERR_PASSWORD_EXPIRED: + DEBUG(SSSDBG_TRACE_LIBS, + "user [%s] successfully authenticated.\n", state->dn); + if (pw_expire_type == PWEXPIRE_SHADOW) { + /* TODO: implement async ldap modify request */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Changing shadow password attributes not implemented.\n"); + state->pd->pam_status = PAM_MODULE_UNKNOWN; + goto done; + } else { + const char *password; + const char *new_password; + int timeout; + + ret = sss_authtok_get_password(state->pd->authtok, + &password, NULL); + if (ret) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + ret = sss_authtok_get_password(state->pd->newauthtok, + &new_password, NULL); + if (ret) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + timeout = dp_opt_get_int(state->auth_ctx->opts->basic, + SDAP_OPT_TIMEOUT); + + subreq = sdap_exop_modify_passwd_send(state, state->ev, + state->sh, state->dn, + password, new_password, + timeout); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to change password for " + "%s\n", state->pd->user); + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + tevent_req_set_callback(subreq, + sdap_pam_chpass_handler_chpass_done, + req); + return; + } + break; + case ERR_AUTH_DENIED: + case ERR_AUTH_FAILED: + state->pd->pam_status = PAM_AUTH_ERR; + ret = pack_user_info_chpass_error(state->pd, "Old password not " + "accepted.", &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pack_user_info_chpass_error failed.\n"); + } else { + ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, + msg_len, msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + break; + case ETIMEDOUT: + case ERR_NETWORK_IO: + state->pd->pam_status = PAM_AUTHINFO_UNAVAIL; + be_mark_offline(state->be_ctx); + break; + default: + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +static void sdap_pam_chpass_handler_chpass_done(struct tevent_req *subreq) +{ + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; + char *user_error_message = NULL; + char *lastchanged_name; + size_t msg_len; + uint8_t *msg; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = sdap_exop_modify_passwd_recv(subreq, state, &user_error_message); + talloc_free(subreq); + + switch (ret) { + case EOK: + state->pd->pam_status = PAM_SUCCESS; + break; + case ERR_CHPASS_DENIED: + state->pd->pam_status = PAM_NEW_AUTHTOK_REQD; + break; + case ERR_NETWORK_IO: + state->pd->pam_status = PAM_AUTHTOK_ERR; + break; + default: + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + } + + if (state->pd->pam_status != PAM_SUCCESS && user_error_message != NULL) { + ret = pack_user_info_chpass_error(state->pd, user_error_message, + &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pack_user_info_chpass_error failed.\n"); + } else { + ret = pam_add_response(state->pd, SSS_PAM_USER_INFO, msg_len, msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + } + + if (state->pd->pam_status == PAM_SUCCESS && + dp_opt_get_bool(state->auth_ctx->opts->basic, + SDAP_CHPASS_UPDATE_LAST_CHANGE)) { + lastchanged_name = state->auth_ctx->opts->user_map[SDAP_AT_SP_LSTCHG].name; + + subreq = sdap_modify_shadow_lastchange_send(state, state->ev, + state->sh, state->dn, + lastchanged_name); + if (subreq == NULL) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + tevent_req_set_callback(subreq, sdap_pam_chpass_handler_last_done, req); + return; + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + tevent_req_done(req); +} + +static void sdap_pam_chpass_handler_last_done(struct tevent_req *subreq) +{ + struct sdap_pam_chpass_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + ret = sdap_modify_shadow_lastchange_recv(subreq); + talloc_free(subreq); + + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + state->pd->pam_status = PAM_SUCCESS; + +done: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +sdap_pam_chpass_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct sdap_pam_chpass_handler_state *state = NULL; + + state = tevent_req_data(req, struct sdap_pam_chpass_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/ldap/ldap_auth.h b/src/providers/ldap/ldap_auth.h new file mode 100644 index 0000000..5fbddd7 --- /dev/null +++ b/src/providers/ldap/ldap_auth.h 
@@ -0,0 +1,46 @@ +/* + SSSD + + Copyright (C) Pavel Reichl 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _LDAP_AUTH_H_ +#define _LDAP_AUTH_H_ + +#include "config.h" + +enum pwexpire { + PWEXPIRE_NONE = 0, + PWEXPIRE_LDAP_PASSWORD_POLICY, + PWEXPIRE_KERBEROS, + PWEXPIRE_SHADOW +}; + +int get_user_dn(TALLOC_CTX *memctx, + struct sss_domain_info *domain, + struct sdap_options *opts, + const char *username, + char **user_dn, + enum pwexpire *user_pw_expire_type, + void **user_pw_expire_data); + +errno_t check_pwexpire_policy(enum pwexpire pw_expire_type, + void *pw_expire_data, + struct pam_data *pd, + errno_t checkb); + + +#endif /* _LDAP_AUTH_H_ */ diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c new file mode 100644 index 0000000..8c11d78 --- /dev/null +++ b/src/providers/ldap/ldap_child.c 
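Review bot: The fourth parameter of `check_pwexpire_policy` is declared as `errno_t checkb`, yet the caller visible in ldap_auth.c, `sdap_pam_auth_handler_done`, passes `state->be_ctx->domain->pwd_expiration_warning` there, so the value is a warning setting rather than an error code. Declaring it for what it carries, e.g. `int pwd_expiration_warning` (the field's type is not visible in this part of the patch, so confirm it first), would keep a later caller from handing a return code to the expiry check by mistake. The header also uses `TALLOC_CTX`, `errno_t` and `struct pam_data` while including only `config.h`, so it builds only when the including file has already pulled those declarations in. A short comment on `get_user_dn` would help too: per the implementation it returns `EAGAIN` when the cached entry has no original DN and the caller has to look the DN up over LDAP, and on `EOK` both `*user_dn` and `*user_pw_expire_data` are owned by `memctx`.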
@@ -0,0 +1,756 @@ +/* + SSSD + + LDAP Backend Module -- prime ccache with TGT in a child process + + Authors: + Jakub Hrozek + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_krb5.h" +#include "util/child_common.h" +#include "providers/backend.h" +#include "providers/krb5/krb5_common.h" + +char *global_ccname_file_dummy = NULL; + +static void sig_term_handler(int sig) +{ + if (global_ccname_file_dummy != NULL) { + /* Cast to void to avoid a complaint by Coverity */ + (void) unlink(global_ccname_file_dummy); + } + + _exit(CHILD_TIMEOUT_EXIT_CODE); +} + +static krb5_context krb5_error_ctx; +#define LDAP_CHILD_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error) + +struct input_buffer { + const char *realm_str; + const char *princ_str; + char *keytab_name; + krb5_deltat lifetime; + krb5_context context; + uid_t uid; + gid_t gid; +}; + +static errno_t unpack_buffer(uint8_t *buf, size_t size, + struct input_buffer *ibuf) +{ + size_t p = 0; + uint32_t len; + + DEBUG(SSSDBG_TRACE_LIBS, "total buffer size: %zu\n", size); + + /* realm_str size and length */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + + DEBUG(SSSDBG_TRACE_LIBS, "realm_str size: %d\n", len); + if (len) { + if (len > size - p) return EINVAL; + ibuf->realm_str = talloc_strndup(ibuf, (char *)(buf + p), len); + 
DEBUG(SSSDBG_TRACE_LIBS, "got realm_str: %s\n", ibuf->realm_str); + if (ibuf->realm_str == NULL) return ENOMEM; + p += len; + } + + /* princ_str size and length */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + + DEBUG(SSSDBG_TRACE_LIBS, "princ_str size: %d\n", len); + if (len) { + if (len > size - p) return EINVAL; + ibuf->princ_str = talloc_strndup(ibuf, (char *)(buf + p), len); + DEBUG(SSSDBG_TRACE_LIBS, "got princ_str: %s\n", ibuf->princ_str); + if (ibuf->princ_str == NULL) return ENOMEM; + p += len; + } + + /* keytab_name size and length */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + + DEBUG(SSSDBG_TRACE_LIBS, "keytab_name size: %d\n", len); + if (len) { + if (len > size - p) return EINVAL; + ibuf->keytab_name = talloc_strndup(ibuf, (char *)(buf + p), len); + DEBUG(SSSDBG_TRACE_LIBS, "got keytab_name: %s\n", ibuf->keytab_name); + if (ibuf->keytab_name == NULL) return ENOMEM; + p += len; + } + + /* ticket lifetime */ + SAFEALIGN_COPY_UINT32_CHECK(&ibuf->lifetime, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_LIBS, "lifetime: %u\n", ibuf->lifetime); + + /* UID and GID to run as */ + SAFEALIGN_COPY_UINT32_CHECK(&ibuf->uid, buf + p, size, &p); + SAFEALIGN_COPY_UINT32_CHECK(&ibuf->gid, buf + p, size, &p); + DEBUG(SSSDBG_FUNC_DATA, + "Will run as [%"SPRIuid"][%"SPRIgid"].\n", ibuf->uid, ibuf->gid); + + return EOK; +} + +static int pack_buffer(struct response *r, int result, krb5_error_code krberr, + const char *msg, time_t expire_time) +{ + int len; + size_t p = 0; + + len = strlen(msg); + r->size = 2 * sizeof(uint32_t) + sizeof(krb5_error_code) + + len + sizeof(time_t); + + DEBUG(SSSDBG_TRACE_INTERNAL, "response size: %zu\n",r->size); + + r->buf = talloc_array(r, uint8_t, r->size); + if(!r->buf) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "result [%d] krberr [%d] msgsize [%d] msg [%s]\n", + result, krberr, len, msg); + + /* result */ + SAFEALIGN_SET_UINT32(&r->buf[p], result, &p); + + /* krb5 error code */ + 
safealign_memcpy(&r->buf[p], &krberr, sizeof(krberr), &p); + + /* message size */ + SAFEALIGN_SET_UINT32(&r->buf[p], len, &p); + + /* message itself */ + safealign_memcpy(&r->buf[p], msg, len, &p); + + /* ticket expiration time */ + safealign_memcpy(&r->buf[p], &expire_time, sizeof(expire_time), &p); + + return EOK; +} + +static errno_t +set_child_debugging(krb5_context ctx) +{ + krb5_error_code kerr; + + /* Set the global error context */ + krb5_error_ctx = ctx; + + if (debug_level & SSSDBG_TRACE_ALL) { + kerr = sss_child_set_krb5_tracing(ctx); + if (kerr) { + LDAP_CHILD_DEBUG(SSSDBG_MINOR_FAILURE, kerr); + return EIO; + } + } + + return EOK; +} + +static int lc_verify_keytab_ex(const char *principal, + const char *keytab_name, + krb5_context context, + krb5_keytab keytab) +{ + bool found; + char *kt_principal; + krb5_error_code krberr; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + + krberr = krb5_kt_start_seq_get(context, keytab, &cursor); + if (krberr) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot read keytab [%s].\n", KEYTAB_CLEAN_NAME); + + sss_log(SSS_LOG_ERR, "Error reading keytab file [%s]: [%d][%s]. " + "Unable to create GSSAPI-encrypted LDAP " + "connection.", + KEYTAB_CLEAN_NAME, krberr, + sss_krb5_get_error_message(context, krberr)); + + return EIO; + } + + found = false; + while ((krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0) { + krberr = krb5_unparse_name(context, entry.principal, &kt_principal); + if (krberr) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not parse keytab entry\n"); + sss_log(SSS_LOG_ERR, "Could not parse keytab entry\n"); + return EIO; + } + + if (strcmp(principal, kt_principal) == 0) { + found = true; + } + free(kt_principal); + krberr = sss_krb5_free_keytab_entry_contents(context, &entry); + if (krberr) { + /* This should never happen. 
The API docs for this function + * specify only success for this function + */ + DEBUG(SSSDBG_CRIT_FAILURE,"Could not free keytab entry contents\n"); + /* This is non-fatal, so we'll continue here */ + } + + if (found) { + break; + } + } + + krberr = krb5_kt_end_seq_get(context, keytab, &cursor); + if (krberr) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not close keytab.\n"); + sss_log(SSS_LOG_ERR, "Could not close keytab file [%s].", + KEYTAB_CLEAN_NAME); + return EIO; + } + + if (!found) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Principal [%s] not found in keytab [%s]\n", + principal, + KEYTAB_CLEAN_NAME); + sss_log(SSS_LOG_ERR, "Error processing keytab file [%s]: " + "Principal [%s] was not found. " + "Unable to create GSSAPI-encrypted LDAP connection.", + KEYTAB_CLEAN_NAME, principal); + + return EFAULT; + } + + return EOK; +} + +static krb5_error_code ldap_child_get_tgt_sync(TALLOC_CTX *memctx, + krb5_context context, + const char *realm_str, + const char *princ_str, + const char *keytab_name, + const krb5_deltat lifetime, + const char **ccname_out, + time_t *expire_time_out, + char **_krb5_msg) +{ + char *ccname; + char *ccname_dummy; + char *realm_name = NULL; + char *full_princ = NULL; + char *default_realm = NULL; + char *tmp_str = NULL; + krb5_keytab keytab = NULL; + krb5_ccache ccache = NULL; + krb5_principal kprinc; + krb5_creds my_creds; + krb5_get_init_creds_opt options; + krb5_error_code krberr; + krb5_timestamp kdc_time_offset; + int canonicalize = 0; + int kdc_time_offset_usec; + int ret; + TALLOC_CTX *tmp_ctx; + char *ccname_file_dummy = NULL; + char *ccname_file; + + tmp_ctx = talloc_new(memctx); + if (tmp_ctx == NULL) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; + } + + krberr = set_child_debugging(context); + if (krberr != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot set krb5_child debugging\n"); + } + + if (!realm_str) { + krberr = krb5_get_default_realm(context, &default_realm); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm 
name: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + + realm_name = talloc_strdup(tmp_ctx, default_realm); + krb5_free_default_realm(context, default_realm); + if (!realm_name) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; + } + } else { + realm_name = talloc_strdup(tmp_ctx, realm_str); + if (!realm_name) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "got realm_name: [%s]\n", realm_name); + + if (princ_str) { + if (!strchr(princ_str, '@')) { + full_princ = talloc_asprintf(tmp_ctx, "%s@%s", + princ_str, realm_name); + } else { + full_princ = talloc_strdup(tmp_ctx, princ_str); + } + } else { + char hostname[HOST_NAME_MAX + 1]; + + ret = gethostname(hostname, HOST_NAME_MAX); + if (ret == -1) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; + } + hostname[HOST_NAME_MAX] = '\0'; + + DEBUG(SSSDBG_TRACE_LIBS, "got hostname: [%s]\n", hostname); + + ret = select_principal_from_keytab(tmp_ctx, hostname, realm_name, + keytab_name, &full_princ, NULL, NULL); + if (ret) { + krberr = KRB5_KT_IOERR; + goto done; + } + } + if (!full_princ) { + krberr = KRB5KRB_ERR_GENERIC; + goto done; + } + DEBUG(SSSDBG_CONF_SETTINGS, "Principal name is: [%s]\n", full_princ); + + krberr = krb5_parse_name(context, full_princ, &kprinc); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to build principal: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + + if (keytab_name) { + krberr = krb5_kt_resolve(context, keytab_name, &keytab); + } else { + krberr = krb5_kt_default(context, &keytab); + } + DEBUG(SSSDBG_CONF_SETTINGS, "Using keytab [%s]\n", KEYTAB_CLEAN_NAME); + if (krberr) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to read keytab file [%s]: %s\n", + KEYTAB_CLEAN_NAME, + sss_krb5_get_error_message(context, krberr)); + goto done; + } + + /* Verify the keytab */ + ret = lc_verify_keytab_ex(full_princ, keytab_name, context, keytab); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to verify principal is 
present in the keytab\n"); + krberr = KRB5_KT_IOERR; + goto done; + } + + memset(&my_creds, 0, sizeof(my_creds)); + memset(&options, 0, sizeof(options)); + + krb5_get_init_creds_opt_set_address_list(&options, NULL); + krb5_get_init_creds_opt_set_forwardable(&options, 0); + krb5_get_init_creds_opt_set_proxiable(&options, 0); + krb5_get_init_creds_opt_set_tkt_life(&options, lifetime); + + tmp_str = getenv("KRB5_CANONICALIZE"); + if (tmp_str != NULL && strcasecmp(tmp_str, "true") == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "Will canonicalize principals\n"); + canonicalize = 1; + } + sss_krb5_get_init_creds_opt_set_canonicalize(&options, canonicalize); + + ccname_file = talloc_asprintf(tmp_ctx, "%s/ccache_%s", + DB_PATH, realm_name); + if (ccname_file == NULL) { + krberr = ENOMEM; + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_asprintf failed: %s:[%d].\n", + strerror(krberr), krberr); + goto done; + } + + ccname_file_dummy = talloc_asprintf(tmp_ctx, "%s/ccache_%s_XXXXXX", + DB_PATH, realm_name); + if (ccname_file_dummy == NULL) { + krberr = ENOMEM; + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_asprintf failed: %s:[%d].\n", + strerror(krberr), krberr); + goto done; + } + global_ccname_file_dummy = ccname_file_dummy; + + ret = sss_unique_filename(tmp_ctx, ccname_file_dummy); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_unique_filename failed: %s:[%d].\n", + strerror(ret), ret); + krberr = KRB5KRB_ERR_GENERIC; + goto done; + } + + krberr = krb5_get_init_creds_keytab(context, &my_creds, kprinc, + keytab, 0, NULL, &options); + krb5_kt_close(context, keytab); + keytab = NULL; + if (krberr) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to init credentials: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "credentials initialized\n"); + + ccname_dummy = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file_dummy); + ccname = talloc_asprintf(tmp_ctx, "FILE:%s", ccname_file); + if (ccname_dummy == NULL || ccname == NULL) { + krberr = ENOMEM; + 
goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "keytab ccname: [%s]\n", ccname_dummy); + + krberr = krb5_cc_resolve(context, ccname_dummy, &ccache); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to set cache name: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + + /* Use updated principal if changed due to canonicalization. */ + krberr = krb5_cc_initialize(context, ccache, my_creds.client); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to init ccache: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + + krberr = krb5_cc_store_cred(context, ccache, &my_creds); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to store creds: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "credentials stored\n"); + +#ifdef HAVE_KRB5_GET_TIME_OFFSETS + krberr = krb5_get_time_offsets(context, &kdc_time_offset, + &kdc_time_offset_usec); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get KDC time offset: %s\n", + sss_krb5_get_error_message(context, krberr)); + kdc_time_offset = 0; + } else { + if (kdc_time_offset_usec > 0) { + kdc_time_offset++; + } + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Got KDC time offset\n"); +#else + /* If we don't have this function, just assume no offset */ + kdc_time_offset = 0; +#endif + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Renaming [%s] to [%s]\n", ccname_file_dummy, ccname_file); + ret = rename(ccname_file_dummy, ccname_file); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "rename failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + global_ccname_file_dummy = NULL; + + krberr = 0; + *ccname_out = talloc_steal(memctx, ccname); + *expire_time_out = my_creds.times.endtime - kdc_time_offset; + +done: + if (krberr != 0) { + const char *krb5_msg; + + sss_log(SSS_LOG_ERR, + "Failed to initialize credentials using keytab [%s]: %s. 
" + "Unable to create GSSAPI-encrypted LDAP connection.", + KEYTAB_CLEAN_NAME, + sss_krb5_get_error_message(context, krberr)); + krb5_msg = sss_krb5_get_error_message(context, krberr); + *_krb5_msg = talloc_strdup(memctx, krb5_msg); + sss_krb5_free_error_message(context, krb5_msg); + } + if (keytab) krb5_kt_close(context, keytab); + if (context) krb5_free_context(context); + talloc_free(tmp_ctx); + return krberr; +} + +static int prepare_response(TALLOC_CTX *mem_ctx, + const char *ccname, + time_t expire_time, + krb5_error_code kerr, + char *krb5_msg, + struct response **rsp) +{ + int ret; + struct response *r = NULL; + + r = talloc_zero(mem_ctx, struct response); + if (!r) return ENOMEM; + + r->buf = NULL; + r->size = 0; + + DEBUG(SSSDBG_TRACE_FUNC, "Building response for result [%d]\n", kerr); + + if (kerr == 0) { + ret = pack_buffer(r, EOK, kerr, ccname, expire_time); + } else { + if (krb5_msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Empty krb5 error message for non-zero kerr: %"PRIi32"\n", + kerr); + return ENOMEM; + } + ret = pack_buffer(r, EFAULT, kerr, krb5_msg, 0); + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pack_buffer failed\n"); + return ret; + } + + *rsp = r; + return EOK; +} + +static krb5_error_code privileged_krb5_setup(struct input_buffer *ibuf) +{ + krb5_error_code kerr; + char *keytab_name; + + kerr = sss_krb5_init_context(&ibuf->context); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to init kerberos context\n"); + return kerr; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Kerberos context initialized\n"); + + kerr = copy_keytab_into_memory(ibuf, ibuf->context, ibuf->keytab_name, + &keytab_name, NULL); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "copy_keytab_into_memory failed.\n"); + return kerr; + } + talloc_free(ibuf->keytab_name); + ibuf->keytab_name = keytab_name; + + return 0; +} + +int main(int argc, const char *argv[]) +{ + int ret; + int kerr; + int opt; + int debug_fd = -1; + const char *opt_logger = NULL; + poptContext 
pc; + TALLOC_CTX *main_ctx = NULL; + uint8_t *buf = NULL; + ssize_t len = 0; + const char *ccname = NULL; + char *krb5_msg = NULL; + time_t expire_time = 0; + struct input_buffer *ibuf = NULL; + struct response *resp = NULL; + ssize_t written; + + struct poptOption long_options[] = { + POPT_AUTOHELP + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, + _("Debug level"), NULL}, + {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0, + _("Add debug timestamps"), NULL}, + {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0, + _("Show timestamps with microseconds"), NULL}, + {"debug-fd", 0, POPT_ARG_INT, &debug_fd, 0, + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \ + _("Send the debug output to stderr directly."), NULL }, \ + SSSD_LOGGER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + _exit(-1); + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + debug_prg_name = talloc_asprintf(NULL, "[sssd[ldap_child[%d]]]", getpid()); + if (!debug_prg_name) { + debug_prg_name = "[sssd[ldap_child]]"; + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + goto fail; + } + + if (debug_fd != -1) { + ret = set_debug_file_from_fd(debug_fd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n"); + } + opt_logger = sss_logger_str[FILES_LOGGER]; + } + + sss_set_logger(opt_logger); + + BlockSignals(false, SIGTERM); + CatchSignal(SIGTERM, sig_term_handler); + + DEBUG(SSSDBG_TRACE_FUNC, "ldap_child started.\n"); + + main_ctx = talloc_new(NULL); + if (main_ctx == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + talloc_free(discard_const(debug_prg_name)); + goto fail; + } + talloc_steal(main_ctx, debug_prg_name); + + buf = talloc_size(main_ctx, sizeof(uint8_t)*IN_BUF_SIZE); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + goto fail; + } + + ibuf = talloc_zero(main_ctx, struct input_buffer); + if (ibuf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "context initialized\n"); + + errno = 0; + len = sss_atomic_read_s(STDIN_FILENO, buf, IN_BUF_SIZE); + if (len == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + close(STDIN_FILENO); + + ret = unpack_buffer(buf, len, ibuf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "unpack_buffer failed.[%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + kerr = privileged_krb5_setup(ibuf); + if (kerr != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Privileged Krb5 setup failed.\n"); + goto fail; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Kerberos context initialized\n"); + + kerr = become_user(ibuf->uid, ibuf->gid); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "become_user failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid()); + + DEBUG(SSSDBG_TRACE_INTERNAL, "getting TGT sync\n"); + kerr = ldap_child_get_tgt_sync(main_ctx, ibuf->context, + ibuf->realm_str, ibuf->princ_str, + ibuf->keytab_name, ibuf->lifetime, + &ccname, &expire_time, &krb5_msg); + if (kerr != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child_get_tgt_sync failed.\n"); + /* Do not return, must report failure */ + } + + ret = prepare_response(main_ctx, ccname, expire_time, kerr, krb5_msg, + &resp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "prepare_response failed. 
[%d][%s].\n", + ret, strerror(ret)); + goto fail; + } + + errno = 0; + written = sss_atomic_write_s(STDOUT_FILENO, resp->buf, resp->size); + if (written == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "write failed [%d][%s].\n", ret, + strerror(ret)); + goto fail; + } + + if (written != resp->size) { + DEBUG(SSSDBG_CRIT_FAILURE, "Expected to write %zu bytes, wrote %zu\n", + resp->size, written); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "ldap_child completed successfully\n"); + close(STDOUT_FILENO); + talloc_free(main_ctx); + _exit(0); + +fail: + DEBUG(SSSDBG_CRIT_FAILURE, "ldap_child failed!\n"); + close(STDOUT_FILENO); + talloc_free(main_ctx); + _exit(-1); +} diff --git a/src/providers/ldap/ldap_common.c b/src/providers/ldap/ldap_common.c new file mode 100644 index 0000000..9cd8ec0 --- /dev/null +++ b/src/providers/ldap/ldap_common.c 
@@ -0,0 +1,886 @@ +/* + SSSD + + LDAP Provider Common Functions + + Authors: + Simo Sorce + + Copyright (C) 2008-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "providers/ldap/ldap_common.h" +#include "providers/fail_over.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/krb5/krb5_common.h" +#include "db/sysdb_sudo.h" +#include "db/sysdb_services.h" +#include "db/sysdb_autofs.h" + +#include "util/sss_krb5.h" +#include "util/crypto/sss_crypto.h" + +#include "providers/ldap/sdap_idmap.h" + +/* a fd the child process would log into */ +int ldap_child_debug_fd = -1; + +int ldap_id_setup_tasks(struct sdap_id_ctx *ctx) +{ + return sdap_id_setup_tasks(ctx->be, ctx, ctx->opts->sdom, + ldap_enumeration_send, + ldap_enumeration_recv, + ctx); +} + +int sdap_id_setup_tasks(struct be_ctx *be_ctx, + struct sdap_id_ctx *ctx, + struct sdap_domain *sdom, + be_ptask_send_t send_fn, + be_ptask_recv_t recv_fn, + void *pvt) +{ + int ret; + + /* set up enumeration task */ + if (sdom->dom->enumerate) { + DEBUG(SSSDBG_TRACE_FUNC, "Setting up enumeration for %s\n", + sdom->dom->name); + ret = ldap_setup_enumeration(be_ctx, ctx->opts, sdom, + send_fn, recv_fn, pvt); + } else { + /* the enumeration task, runs the cleanup process by itself, + * but if enumeration is not running we need to schedule it */ + DEBUG(SSSDBG_TRACE_FUNC, "Setting up cleanup task for %s\n", + sdom->dom->name); 
+ ret = ldap_setup_cleanup(ctx, sdom); + } + + return ret; +} + +static void sdap_uri_callback(void *private_data, struct fo_server *server) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sdap_service *service; + struct resolv_hostent *srvaddr; + struct sockaddr_storage *sockaddr; + const char *tmp; + const char *srv_name; + char *new_uri; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed\n"); + return; + } + + service = talloc_get_type(private_data, struct sdap_service); + if (!service) { + talloc_free(tmp_ctx); + return; + } + + tmp = (const char *)fo_get_server_user_data(server); + + srvaddr = fo_get_server_hostent(server); + if (!srvaddr) { + DEBUG(SSSDBG_CRIT_FAILURE, + "FATAL: No hostent available for server (%s)\n", + fo_get_server_str_name(server)); + talloc_free(tmp_ctx); + return; + } + + sockaddr = resolv_get_sockaddr_address(tmp_ctx, srvaddr, + fo_get_server_port(server)); + if (sockaddr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "resolv_get_sockaddr_address failed.\n"); + talloc_free(tmp_ctx); + return; + } + + if (fo_is_srv_lookup(server)) { + if (!tmp) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown service, using ldap\n"); + tmp = SSS_LDAP_SRV_NAME; + } + + srv_name = fo_get_server_name(server); + if (srv_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not get server host name\n"); + talloc_free(tmp_ctx); + return; + } + + new_uri = talloc_asprintf(service, "%s://%s:%d", + tmp, srv_name, + fo_get_server_port(server)); + } else { + new_uri = talloc_strdup(service, tmp); + } + + if (!new_uri) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to copy URI ...\n"); + talloc_free(tmp_ctx); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Constructed uri '%s'\n", new_uri); + + /* free old one and replace with new one */ + talloc_zfree(service->uri); + service->uri = new_uri; + talloc_zfree(service->sockaddr); + service->sockaddr = talloc_steal(service, sockaddr); + talloc_free(tmp_ctx); +} + +static void sdap_finalize(struct 
tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + orderly_shutdown(0); +} + +errno_t sdap_install_sigterm_handler(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *realm) +{ + char *sig_realm; + struct tevent_signal *sige; + + BlockSignals(false, SIGTERM); + + sig_realm = talloc_strdup(mem_ctx, realm); + if (sig_realm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed!\n"); + return ENOMEM; + } + + sige = tevent_add_signal(ev, mem_ctx, SIGTERM, SA_SIGINFO, sdap_finalize, + sig_realm); + if (sige == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); + talloc_free(sig_realm); + return ENOMEM; + } + talloc_steal(sige, sig_realm); + + return EOK; +} + +errno_t +sdap_set_sasl_options(struct sdap_options *id_opts, + char *default_primary, + char *default_realm, + const char *keytab_path) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + char *sasl_primary; + char *desired_primary; + char *primary_realm; + char *sasl_realm; + char *desired_realm; + bool primary_requested = true; + bool realm_requested = true; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + /* Configuration of SASL auth ID and realm */ + desired_primary = dp_opt_get_string(id_opts->basic, SDAP_SASL_AUTHID); + if (!desired_primary) { + primary_requested = false; + desired_primary = default_primary; + } + + if ((primary_realm = strchr(desired_primary, '@'))) { + *primary_realm = '\0'; + desired_realm = primary_realm+1; + DEBUG(SSSDBG_TRACE_INTERNAL, + "authid contains realm [%s]\n", desired_realm); + } else { + desired_realm = dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM); + if (!desired_realm) { + realm_requested = false; + desired_realm = default_realm; + } + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Will look for %s@%s in %s\n", + desired_primary, desired_realm, + keytab_path ? 
keytab_path : "default keytab"); + + ret = select_principal_from_keytab(tmp_ctx, + desired_primary, desired_realm, + keytab_path, + NULL, &sasl_primary, &sasl_realm); + if (ret != EOK) { + goto done; + } + + if (primary_requested && strcmp(desired_primary, sasl_primary) != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Configured SASL auth ID not found in keytab. " + "Requested %s, found %s\n", desired_primary, sasl_primary); + } + + if (realm_requested && strcmp(desired_realm, sasl_realm) != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Configured SASL realm not found in keytab. " + "Requested %s, found %s\n", desired_realm, sasl_realm); + } + + ret = dp_opt_set_string(id_opts->basic, + SDAP_SASL_AUTHID, sasl_primary); + if (ret != EOK) { + goto done; + } + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + id_opts->basic[SDAP_SASL_AUTHID].opt_name, + dp_opt_get_string(id_opts->basic, SDAP_SASL_AUTHID)); + + ret = dp_opt_set_string(id_opts->basic, + SDAP_SASL_REALM, sasl_realm); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Option %s set to %s\n", + id_opts->basic[SDAP_SASL_REALM].opt_name, + dp_opt_get_string(id_opts->basic, SDAP_SASL_REALM)); + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static const char * +sdap_gssapi_get_default_realm(TALLOC_CTX *mem_ctx) +{ + char *krb5_realm = NULL; + const char *realm = NULL; + krb5_error_code krberr; + krb5_context context = NULL; + + krberr = sss_krb5_init_context(&context); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to init kerberos context\n"); + goto done; + } + + krberr = krb5_get_default_realm(context, &krb5_realm); + if (krberr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get default realm name: %s\n", + sss_krb5_get_error_message(context, krberr)); + goto done; + } + + realm = talloc_strdup(mem_ctx, krb5_realm); + krb5_free_default_realm(context, krb5_realm); + if (!realm) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Will use 
default realm %s\n", realm); +done: + if (context) krb5_free_context(context); + return realm; +} + +const char *sdap_gssapi_realm(struct dp_option *opts) +{ + const char *realm; + + realm = dp_opt_get_cstring(opts, SDAP_SASL_REALM); + if (!realm) { + realm = dp_opt_get_cstring(opts, SDAP_KRB5_REALM); + } + + return realm; +} + +int sdap_gssapi_init(TALLOC_CTX *mem_ctx, + struct dp_option *opts, + struct be_ctx *bectx, + struct sdap_service *sdap_service, + struct krb5_service **krb5_service) +{ + int ret; + const char *krb5_servers; + const char *krb5_backup_servers; + const char *krb5_realm; + const char *krb5_opt_realm; + struct krb5_service *service = NULL; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) return ENOMEM; + + krb5_servers = dp_opt_get_string(opts, SDAP_KRB5_KDC); + krb5_backup_servers = dp_opt_get_string(opts, SDAP_KRB5_BACKUP_KDC); + + krb5_opt_realm = sdap_gssapi_realm(opts); + if (krb5_opt_realm == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing krb5_realm option, will use libkrb default\n"); + krb5_realm = sdap_gssapi_get_default_realm(tmp_ctx); + if (krb5_realm == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot determine the Kerberos realm, aborting\n"); + ret = EIO; + goto done; + } + } else { + krb5_realm = talloc_strdup(tmp_ctx, krb5_opt_realm); + if (krb5_realm == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = krb5_service_init(mem_ctx, bectx, + SSS_KRB5KDC_FO_SRV, krb5_servers, + krb5_backup_servers, krb5_realm, + dp_opt_get_bool(opts, + SDAP_KRB5_USE_KDCINFO), + &service); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to init KRB5 failover service!\n"); + goto done; + } + + ret = sdap_install_sigterm_handler(mem_ctx, bectx->ev, krb5_realm); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to install sigterm handler\n"); + goto done; + } + + sdap_service->kinit_service_name = talloc_strdup(sdap_service, + service->name); + if (sdap_service->kinit_service_name == NULL) { + ret = 
ENOMEM; + goto done; + } + + ret = EOK; + *krb5_service = service; +done: + talloc_free(tmp_ctx); + if (ret != EOK) talloc_free(service); + return ret; +} + +static errno_t _sdap_urls_init(struct be_ctx *ctx, + struct sdap_service *service, + const char *service_name, + const char *dns_service_name, + const char *urls, + bool primary) +{ + TALLOC_CTX *tmp_ctx; + char *srv_user_data; + char **list = NULL; + LDAPURLDesc *lud; + errno_t ret = 0; + int i; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + + /* split server parm into a list */ + ret = split_on_separator(tmp_ctx, urls, ',', true, true, &list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to parse server list!\n"); + goto done; + } + + /* now for each URI add a new server to the failover service */ + for (i = 0; list[i]; i++) { + if (be_fo_is_srv_identifier(list[i])) { + if (!primary) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add server [%s] to failover service: " + "SRV resolution only allowed for primary servers!\n", + list[i]); + continue; + } + + if (!dns_service_name) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Missing DNS service name for service [%s].\n", + service_name); + ret = EINVAL; + goto done; + } + srv_user_data = talloc_strdup(service, dns_service_name); + if (!srv_user_data) { + ret = ENOMEM; + goto done; + } + + ret = be_fo_add_srv_server(ctx, service_name, + dns_service_name, NULL, + BE_FO_PROTO_TCP, false, srv_user_data); + if (ret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to add server\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Added service lookup\n"); + continue; + } + + ret = ldap_url_parse(list[i], &lud); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to parse ldap URI (%s)!\n", list[i]); + ret = EINVAL; + goto done; + } + + if (lud->lud_host == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "The LDAP URI (%s) did not contain a host name\n", + list[i]); + ldap_free_urldesc(lud); + continue; + } + + DEBUG(SSSDBG_TRACE_FUNC, 
"Added URI %s\n", list[i]); + + talloc_steal(service, list[i]); + + /* It could be ipv6 address in square brackets. Remove + * the brackets if needed. */ + ret = remove_ipv6_brackets(lud->lud_host); + if (ret != EOK) { + goto done; + } + + ret = be_fo_add_server(ctx, service->name, lud->lud_host, + lud->lud_port, list[i], primary); + ldap_free_urldesc(lud); + if (ret) { + goto done; + } + } + +done: + talloc_free(tmp_ctx); + return ret; +} + + +static inline errno_t +sdap_primary_urls_init(struct be_ctx *ctx, struct sdap_service *service, + const char *service_name, const char *dns_service_name, + const char *urls) +{ + return _sdap_urls_init(ctx, service, service_name, + dns_service_name, urls, true); +} + +static inline errno_t +sdap_backup_urls_init(struct be_ctx *ctx, struct sdap_service *service, + const char *service_name, const char *dns_service_name, + const char *urls) +{ + return _sdap_urls_init(ctx, service, service_name, + dns_service_name, urls, false); +} + +static int ldap_user_data_cmp(void *ud1, void *ud2) +{ + return strcasecmp((char*) ud1, (char*) ud2); +} + +int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx, + const char *service_name, const char *dns_service_name, + const char *urls, const char *backup_urls, + struct sdap_service **_service) +{ + TALLOC_CTX *tmp_ctx; + struct sdap_service *service; + int ret; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + service = talloc_zero(tmp_ctx, struct sdap_service); + if (!service) { + ret = ENOMEM; + goto done; + } + + ret = be_fo_add_service(ctx, service_name, ldap_user_data_cmp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create failover service!\n"); + goto done; + } + + service->name = talloc_strdup(service, service_name); + if (!service->name) { + ret = ENOMEM; + goto done; + } + + if (!urls) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No primary servers defined, using service discovery\n"); + urls = BE_SRV_IDENTIFIER; + } + + ret = 
sdap_primary_urls_init(ctx, service, service_name, dns_service_name, + urls); + if (ret != EOK) { + goto done; + } + + if (backup_urls) { + ret = sdap_backup_urls_init(ctx, service, service_name, + dns_service_name, backup_urls); + if (ret != EOK) { + goto done; + } + } + + ret = be_fo_service_add_callback(memctx, ctx, service->name, + sdap_uri_callback, service); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add failover callback!\n"); + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_service = talloc_steal(memctx, service); + } + talloc_zfree(tmp_ctx); + return ret; +} + +errno_t string_to_shadowpw_days(const char *s, long *d) +{ + long l; + char *endptr; + + if (s == NULL || *s == '\0') { + *d = -1; + return EOK; + } + + errno = 0; + l = strtol(s, &endptr, 10); + if (errno != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "strtol failed [%d][%s].\n", errno, strerror(errno)); + return errno; + } + + if (*endptr != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Input string [%s] is invalid.\n", s); + return EINVAL; + } + + if (l < -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Input string contains not allowed negative value [%ld].\n", + l); + return EINVAL; + } + + *d = l; + + return EOK; +} + +errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx, + struct sdap_attr_map *map, + size_t map_size, + const char *ldap_name, + char **sysdb_name) +{ + size_t i; + + for (i = 0; i < map_size; i++) { + /* Skip map entries with no name (may depend on + * schema selected) + */ + if (!map[i].name) continue; + + /* Check if it is a mapped attribute */ + if(strcasecmp(ldap_name, map[i].name) == 0) break; + } + + if (i < map_size) { + /* We found a mapped name, return that */ + *sysdb_name = talloc_strdup(mem_ctx, map[i].sys_name); + } else { + /* Not mapped, use the same name */ + *sysdb_name = talloc_strdup(mem_ctx, ldap_name); + } + + if (!*sysdb_name) { + return ENOMEM; + } + + return EOK; +} + +errno_t list_missing_attrs(TALLOC_CTX *mem_ctx, + struct sdap_attr_map *map, + size_t 
map_size, + struct sysdb_attrs *recvd_attrs, + char ***missing_attrs) +{ + errno_t ret; + size_t attr_count = 0; + size_t i, j, k; + char **missing = NULL; + const char **expected_attrs; + char *sysdb_name; + TALLOC_CTX *tmp_ctx; + + if (!recvd_attrs || !missing_attrs) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ret = build_attrs_from_map(tmp_ctx, map, map_size, NULL, + &expected_attrs, &attr_count); + if (ret != EOK) { + goto done; + } + + /* Allocate the maximum possible values for missing_attrs, to + * be on the safe side + */ + missing = talloc_array(tmp_ctx, char *, attr_count + 2); + if (!missing) { + ret = ENOMEM; + goto done; + } + + k = 0; + /* Check for each expected attribute */ + for (i = 0; i < attr_count; i++) { + ret = get_sysdb_attr_name(tmp_ctx, map, map_size, + expected_attrs[i], + &sysdb_name); + if (ret != EOK) { + goto done; + } + + /* objectClass is a special-case and we need to + * check for it explicitly. + */ + if (strcasecmp(sysdb_name, "objectClass") == 0) { + talloc_free(sysdb_name); + continue; + } + + /* GECOS is another special case. Its value can come + * either from the 'gecos' attribute or the 'cn' + * attribute. It's best if we just never remove it. + */ + if (strcasecmp(sysdb_name, SYSDB_GECOS) == 0) { + talloc_free(sysdb_name); + continue; + } + + for (j = 0; j < recvd_attrs->num; j++) { + /* Check whether this expected attribute appeared in the + * received attributes and had a non-zero number of + * values. + */ + if ((strcasecmp(recvd_attrs->a[j].name, sysdb_name) == 0) && + (recvd_attrs->a[j].num_values > 0)) { + break; + } + } + + if (j < recvd_attrs->num) { + /* Attribute was found, therefore not missing */ + talloc_free(sysdb_name); + } else { + /* Attribute could not be found. 
Add to the missing list */ + missing[k] = talloc_steal(missing, sysdb_name); + k++; + + /* Remove originalMemberOf as well if MemberOf is missing */ + if (strcmp(sysdb_name, SYSDB_MEMBEROF) == 0) { + missing[k] = talloc_strdup(missing, SYSDB_ORIG_MEMBEROF); + k++; + } + } + } + + if (k == 0) { + *missing_attrs = NULL; + } else { + /* Terminate the list */ + missing[k] = NULL; + *missing_attrs = talloc_steal(mem_ctx, missing); + } + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +bool sdap_is_secure_uri(const char *uri) +{ + /* LDAPS URI's are secure channels */ + if (strncasecmp(uri, LDAP_SSL_URI, strlen(LDAP_SSL_URI)) == 0) { + return true; + } + return false; +} + +char *sdap_get_access_filter(TALLOC_CTX *mem_ctx, + const char *base_filter) +{ + char *filter = NULL; + + if (base_filter == NULL) return NULL; + + if (base_filter[0] == '(') { + /* This filter is wrapped in parentheses. + * Pass it as-is to the openldap libraries. + */ + filter = talloc_strdup(mem_ctx, base_filter); + } else { + filter = talloc_asprintf(mem_ctx, "(%s)", base_filter); + } + + return filter; +} + +errno_t +sdap_attrs_get_sid_str(TALLOC_CTX *mem_ctx, + struct sdap_idmap_ctx *idmap_ctx, + struct sysdb_attrs *sysdb_attrs, + const char *sid_attr, + char **_sid_str) +{ + errno_t ret; + enum idmap_error_code err; + struct ldb_message_element *el; + char *sid_str; + + ret = sysdb_attrs_get_el(sysdb_attrs, sid_attr, &el); + if (ret != EOK || el->num_values != 1) { + DEBUG(SSSDBG_TRACE_LIBS, + "No [%s] attribute. 
[%d][%s]\n", + sid_attr, el->num_values, strerror(ret)); + return ENOENT; + } + + if (el->values[0].length > 2 && + el->values[0].data[0] == 'S' && + el->values[0].data[1] == '-') { + sid_str = talloc_strndup(mem_ctx, (char *) el->values[0].data, + el->values[0].length); + if (sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + return ENOMEM; + } + } else { + err = sss_idmap_bin_sid_to_sid(idmap_ctx->map, + el->values[0].data, + el->values[0].length, + &sid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not convert SID: [%s]\n", + idmap_error_string(err)); + return EIO; + } + } + + *_sid_str = talloc_steal(mem_ctx, sid_str); + + return EOK; +} + +struct sdap_id_conn_ctx * +sdap_id_ctx_conn_add(struct sdap_id_ctx *id_ctx, + struct sdap_service *sdap_service) +{ + struct sdap_id_conn_ctx *conn; + errno_t ret; + + conn = talloc_zero(id_ctx, struct sdap_id_conn_ctx); + if (conn == NULL) { + return NULL; + } + conn->service = talloc_steal(conn, sdap_service); + conn->id_ctx = id_ctx; + + /* Create a connection cache */ + ret = sdap_id_conn_cache_create(conn, conn, &conn->conn_cache); + if (ret != EOK) { + talloc_free(conn); + return NULL; + } + DLIST_ADD_END(id_ctx->conn, conn, struct sdap_id_conn_ctx *); + + return conn; +} + +struct sdap_id_ctx * +sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx, + struct sdap_service *sdap_service) +{ + struct sdap_id_ctx *sdap_ctx; + + sdap_ctx = talloc_zero(mem_ctx, struct sdap_id_ctx); + if (sdap_ctx == NULL) { + return NULL; + } + sdap_ctx->be = bectx; + + /* There should be at least one connection context */ + sdap_ctx->conn = sdap_id_ctx_conn_add(sdap_ctx, sdap_service); + if (sdap_ctx->conn == NULL) { + talloc_free(sdap_ctx); + return NULL; + } + + return sdap_ctx; +} diff --git a/src/providers/ldap/ldap_common.h b/src/providers/ldap/ldap_common.h new file mode 100644 index 0000000..6c08d78 --- /dev/null +++ b/src/providers/ldap/ldap_common.h 
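Review bot: In `sdap_attrs_get_sid_str`, `el` is declared without an initializer, yet the failure branch logs `el->num_values` even when `sysdb_attrs_get_el` itself returned an error. The callee is not visible in this hunk, but if it leaves `el` unset on failure, the error path reads through an indeterminate pointer. Test `ret != EOK` on its own before touching `el`, and initialise `el` to NULL at its declaration, as sketched below. Separately, `_sdap_urls_init` in this file does `goto done` when `remove_ipv6_brackets` fails without first calling `ldap_free_urldesc(lud)`, which leaks the parsed URL descriptor on that path.

```c
    struct ldb_message_element *el = NULL;
    /* … unchanged: remaining declarations … */

    ret = sysdb_attrs_get_el(sysdb_attrs, sid_attr, &el);
    if (ret != EOK) {
        /* el may not have been set by the callee; log only the error. */
        DEBUG(SSSDBG_TRACE_LIBS,
              "No [%s] attribute. [%d][%s]\n",
              sid_attr, ret, strerror(ret));
        return ENOENT;
    }
    if (el == NULL || el->num_values != 1) {
        DEBUG(SSSDBG_TRACE_LIBS,
              "Expected exactly one [%s] value, got [%u]\n",
              sid_attr, el == NULL ? 0 : el->num_values);
        return ENOENT;
    }
    /* … unchanged: string / binary SID conversion … */
```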
@@ -0,0 +1,373 @@
+/*
+ SSSD
+
+ LDAP Common utility code
+
+ Copyright (C) Simo Sorce 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _LDAP_COMMON_H_
+#define _LDAP_COMMON_H_
+
+#include "providers/backend.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_id_op.h"
+#include "providers/fail_over.h"
+#include "providers/krb5/krb5_common.h"
+#include "lib/idmap/sss_idmap.h"
+
+#define PWD_POL_OPT_NONE "none"
+#define PWD_POL_OPT_SHADOW "shadow"
+#define PWD_POL_OPT_MIT "mit_kerberos"
+
+#define SSS_LDAP_SRV_NAME "ldap"
+
+#define LDAP_STANDARD_URI "ldap://"
+#define LDAP_SSL_URI "ldaps://"
+#define LDAP_LDAPI_URI "ldapi://"
+
+/* Only the asterisk is allowed in wildcard requests */
+#define LDAP_ALLOWED_WILDCARDS "*"
+
+/* a fd the child process would log into */
+extern int ldap_child_debug_fd;
+
+struct sdap_id_ctx;
+
+struct sdap_id_conn_ctx {
+ struct sdap_id_ctx *id_ctx;
+
+ struct sdap_service *service;
+ /* LDAP connection cache */
+ struct sdap_id_conn_cache *conn_cache;
+ /* dlinklist pointers */
+ struct sdap_id_conn_ctx *prev, *next;
+ /* do not go offline, try another connection */
+ bool ignore_mark_offline;
+ /* do not fall back to user lookups for mpg domains on this connection */
+ bool no_mpg_user_fallback;
+};
+
+struct sdap_id_ctx {
+ struct be_ctx *be;
+ struct sdap_options *opts;
+
+ /* If using GSSAPI */
+ struct krb5_service *krb5_service;
+ /* connection to a 
server */
+ struct sdap_id_conn_ctx *conn;
+
+ struct sdap_server_opts *srv_opts;
+};
+
+struct sdap_auth_ctx {
+ struct be_ctx *be;
+ struct sdap_options *opts;
+ struct sdap_service *service;
+ struct sdap_service *chpass_service;
+};
+
+struct tevent_req *
+sdap_online_check_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ void *data,
+ struct dp_req_params *params);
+
+errno_t sdap_online_check_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+struct tevent_req* sdap_reinit_cleanup_send(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sdap_id_ctx *id_ctx);
+
+errno_t sdap_reinit_cleanup_recv(struct tevent_req *req);
+
+/* id */
+struct tevent_req *
+sdap_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params);
+
+errno_t sdap_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+/* Set up enumeration and/or cleanup */
+int ldap_id_setup_tasks(struct sdap_id_ctx *ctx);
+int sdap_id_setup_tasks(struct be_ctx *be_ctx,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ be_ptask_send_t send_fn,
+ be_ptask_recv_t recv_fn,
+ void *pvt);
+
+/* Allow shortcutting an enumeration request */
+bool sdap_is_enum_request(struct dp_id_data *ar);
+
+struct tevent_req *
+sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct dp_id_data *ar,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ bool noexist_delete);
+errno_t
+sdap_handle_acct_req_recv(struct tevent_req *req,
+ int *_dp_error, const char **_err,
+ int *sdap_ret);
+
+struct tevent_req *
+sdap_pam_auth_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_auth_ctx *auth_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+sdap_pam_auth_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+struct 
tevent_req *
+sdap_pam_chpass_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_auth_ctx *auth_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+sdap_pam_chpass_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+/* autofs */
+struct tevent_req *
+sdap_autofs_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_autofs_data *data,
+ struct dp_req_params *params);
+
+errno_t
+sdap_autofs_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+int sdap_service_init(TALLOC_CTX *memctx, struct be_ctx *ctx,
+ const char *service_name, const char *dns_service_name,
+ const char *urls, const char *backup_urls,
+ struct sdap_service **_service);
+
+const char *sdap_gssapi_realm(struct dp_option *opts);
+
+int sdap_gssapi_init(TALLOC_CTX *mem_ctx,
+ struct dp_option *opts,
+ struct be_ctx *bectx,
+ struct sdap_service *sdap_service,
+ struct krb5_service **krb5_service);
+
+errno_t sdap_install_offline_callback(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ const char *realm,
+ const char *service_name);
+
+errno_t sdap_install_sigterm_handler(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *realm);
+
+void sdap_remove_kdcinfo_files_callback(void *pvt);
+
+/* options parser */
+int ldap_get_options(TALLOC_CTX *memctx,
+ struct sss_domain_info *dom,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct data_provider *dp,
+ struct sdap_options **_opts);
+
+int ldap_get_sudo_options(struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options *opts,
+ bool *use_host_filter,
+ bool *include_regexp,
+ bool *include_netgroups);
+
+int ldap_get_autofs_options(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options *opts);
+
+/* Calling ldap_setup_enumeration will set up a periodic task
+ * that would periodically call send_fn/recv_fn request. 
The
+ * send_fn's pvt parameter will be a pointer to ldap_enum_ctx
+ * structure that contains the request data
+ */
+struct ldap_enum_ctx {
+ struct sdap_domain *sdom;
+ void *pvt;
+};
+
+errno_t ldap_setup_enumeration(struct be_ctx *be_ctx,
+ struct sdap_options *opts,
+ struct sdap_domain *sdom,
+ be_ptask_send_t send_fn,
+ be_ptask_recv_t recv_fn,
+ void *pvt);
+struct tevent_req *
+ldap_enumeration_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt);
+errno_t ldap_enumeration_recv(struct tevent_req *req);
+
+errno_t ldap_setup_cleanup(struct sdap_id_ctx *id_ctx,
+ struct sdap_domain *sdom);
+
+errno_t ldap_id_cleanup(struct sdap_options *opts,
+ struct sdap_domain *sdom);
+
+struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *name,
+ int filter_type,
+ bool noexist_delete,
+ bool no_members);
+int groups_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret);
+
+struct tevent_req *ldap_netgroup_get_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *name,
+ bool noexist_delete);
+int ldap_netgroup_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret);
+
+struct tevent_req *
+services_get_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *name,
+ const char *protocol,
+ int filter_type,
+ bool noexist_delete);
+
+errno_t
+services_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret);
+
+/* setup child logging */
+int sdap_setup_child(void);
+
+
+errno_t string_to_shadowpw_days(const char *s, long *d);
+
+errno_t get_sysdb_attr_name(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ size_t map_size,
+ const char 
*ldap_name,
+ char **sysdb_name);
+
+errno_t list_missing_attrs(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map *map,
+ size_t map_size,
+ struct sysdb_attrs *recvd_attrs,
+ char ***missing_attrs);
+
+bool sdap_is_secure_uri(const char *uri);
+
+char *sdap_or_filters(TALLOC_CTX *mem_ctx,
+ const char *base_filter,
+ const char *extra_filter);
+
+char *sdap_combine_filters(TALLOC_CTX *mem_ctx,
+ const char *base_filter,
+ const char *extra_filter);
+
+char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ const char *princ,
+ struct dp_option *sdap_basic_opts);
+
+char *sdap_get_access_filter(TALLOC_CTX *mem_ctx,
+ const char *base_filter);
+
+errno_t msgs2attrs_array(TALLOC_CTX *mem_ctx, size_t count,
+ struct ldb_message **msgs,
+ struct sysdb_attrs ***attrs);
+
+errno_t sdap_domain_add(struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sdap_domain **_sdom);
+errno_t
+sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx,
+ struct sdap_domain *sdom_list,
+ struct sss_domain_info *parent);
+
+void
+sdap_domain_remove(struct sdap_options *opts,
+ struct sss_domain_info *dom);
+
+struct sdap_domain *sdap_domain_get(struct sdap_options *opts,
+ struct sss_domain_info *dom);
+
+struct sdap_domain *sdap_domain_get_by_dn(struct sdap_options *opts,
+ const char *dn);
+
+errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx,
+ struct dp_option *opts, int class,
+ struct sdap_search_base ***_search_bases);
+errno_t common_parse_search_base(TALLOC_CTX *mem_ctx,
+ const char *unparsed_base,
+ const char *class_name,
+ const char *old_filter,
+ struct sdap_search_base ***_search_bases);
+
+errno_t
+sdap_attrs_get_sid_str(TALLOC_CTX *mem_ctx,
+ struct sdap_idmap_ctx *idmap_ctx,
+ struct sysdb_attrs *sysdb_attrs,
+ const char *sid_attr,
+ char **_sid_str);
+
+errno_t
+sdap_set_sasl_options(struct sdap_options *id_opts,
+ char *default_primary,
+ char *default_realm,
+ const char *keytab_path);
+
+struct sdap_id_conn_ctx *
+sdap_id_ctx_conn_add(struct sdap_id_ctx *id_ctx,
+ struct sdap_service *sdap_service);
+
+struct sdap_id_ctx *
+sdap_id_ctx_new(TALLOC_CTX *mem_ctx, struct be_ctx *bectx,
+ struct sdap_service *sdap_service);
+
+errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx,
+ struct sdap_id_ctx *id_ctx);
+
+errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx);
+
+errno_t sdap_setup_certmap(struct sdap_certmap_ctx *sdap_certmap_ctx,
+ struct certmap_info **certmap_list);
+struct sss_certmap_ctx *sdap_get_sss_certmap(struct sdap_certmap_ctx *ctx);
+#endif /* _LDAP_COMMON_H_ */
diff --git a/src/providers/ldap/ldap_id.c b/src/providers/ldap/ldap_id.c
new file mode 100644
index 0000000..9e82899
--- /dev/null
+++ b/src/providers/ldap/ldap_id.c
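Review bot: The declaration `bool sdap_is_secure_uri(const char *uri);` in ldap_common.h carries no comment saying what "secure" means, even though this header defines three schemes (`LDAP_STANDARD_URI`, `LDAP_SSL_URI`, `LDAP_LDAPI_URI`). The definition added to ldap_common.c earlier in this patch does a case-insensitive prefix match against `LDAP_SSL_URI` only and passes `uri` straight to `strncasecmp`, so `ldap://` and `ldapi://` both return false and a NULL argument is not handled. Callers presumably use the result to decide how a connection may be used, so I would state the contract at the prototype: `/* true only for ldaps:// URIs; ldap:// and ldapi:// return false; uri must not be NULL */`. Whether a StartTLS upgrade on an `ldap://` connection is accounted for elsewhere cannot be told from this header, which holds declarations only.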
@@ -0,0 +1,1898 @@
+/*
+ SSSD
+
+ LDAP Identity Backend Module
+
+ Authors:
+ Simo Sorce
+
+ Copyright (C) 2008 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/probes.h"
+#include "util/strtonum.h"
+#include "util/cert.h"
+#include "db/sysdb.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "providers/ldap/sdap_users.h"
+#include "providers/ad/ad_common.h"
+
+/* =Users-Related-Functions-(by-name,by-uid)============================== */
+
+struct users_get_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *ctx;
+ struct sdap_domain *sdom;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *op;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+ char *shortname;
+
+ const char *filter_value;
+ int filter_type;
+ bool name_is_upn;
+
+ char *filter;
+ const char **attrs;
+ bool use_id_mapping;
+ bool non_posix;
+
+ int dp_error;
+ int sdap_ret;
+ bool noexist_delete;
+ struct sysdb_attrs *extra_attrs;
+};
+
+static int users_get_retry(struct tevent_req *req);
+static void users_get_connect_done(struct tevent_req *subreq);
+static void users_get_search(struct tevent_req *req);
+static void users_get_done(struct tevent_req *subreq);
+
+struct tevent_req *users_get_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx 
*ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *filter_value,
+ int filter_type,
+ const char *extra_value,
+ bool noexist_delete)
+{
+ struct tevent_req *req;
+ struct users_get_state *state;
+ const char *attr_name = NULL;
+ char *clean_value = NULL;
+ char *endptr;
+ int ret;
+ uid_t uid;
+ enum idmap_error_code err;
+ char *sid;
+ char *user_filter = NULL;
+ char *ep_filter;
+
+ req = tevent_req_create(memctx, &state, struct users_get_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->ctx = ctx;
+ state->sdom = sdom;
+ state->conn = conn;
+ state->dp_error = DP_ERR_FATAL;
+ state->noexist_delete = noexist_delete;
+ state->extra_attrs = NULL;
+
+ state->op = sdap_id_op_create(state, state->conn->conn_cache);
+ if (!state->op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ state->domain = sdom->dom;
+ state->sysdb = sdom->dom->sysdb;
+ state->filter_value = filter_value;
+ state->filter_type = filter_type;
+
+ if (state->domain->type == DOM_TYPE_APPLICATION) {
+ state->non_posix = true;
+ }
+
+ state->use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ ctx->opts->idmap_ctx,
+ sdom->dom->name,
+ sdom->dom->domain_id);
+ switch (filter_type) {
+ case BE_FILTER_WILDCARD:
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ ret = sss_filter_sanitize_ex(state, filter_value, &clean_value,
+ LDAP_ALLOWED_WILDCARDS);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
+ case BE_FILTER_NAME:
+ if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ep_filter = get_enterprise_principal_string_filter(state,
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value, ctx->opts->basic);
+ /* TODO: Do we have to check the attribute names more carefully? 
*/
+ user_filter = talloc_asprintf(state, "(|(%s=%s)(%s=%s)%s)",
+ ctx->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_value,
+ ctx->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ clean_value,
+ ep_filter == NULL ? "" : ep_filter);
+ talloc_zfree(clean_value);
+ if (user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+
+ ret = sss_parse_internal_fqname(state, filter_value,
+ &state->shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", filter_value);
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(state, state->shortname, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+ break;
+ case BE_FILTER_IDNUM:
+ if (state->use_id_mapping) {
+ /* If we're ID-mapping, we need to use the objectSID
+ * in the search filter.
+ */
+ uid = strtouint32(filter_value, &endptr, 10);
+ if (errno != EOK) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Convert the UID to its objectSID */
+ err = sss_idmap_unix_to_sid(ctx->opts->idmap_ctx->map,
+ uid, &sid);
+ if (err == IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "[%s] did not match any configured ID mapping domain\n",
+ filter_value);
+
+ ret = sysdb_delete_user(state->domain, NULL, uid);
+ if (ret == ENOENT) {
+ /* Ignore errors to remove users that were not cached previously */
+ ret = EOK;
+ }
+
+ goto done;
+ } else if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Mapping ID [%s] to SID failed: [%s]\n",
+ filter_value, idmap_error_string(err));
+ ret = EIO;
+ goto done;
+ }
+
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+ ret = sss_filter_sanitize(state, sid, &clean_value);
+ sss_idmap_free_sid(ctx->opts->idmap_ctx->map, sid);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_UID].name;
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+ break;
+ case BE_FILTER_SECID:
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
+ case BE_FILTER_UUID:
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_UUID].name;
+ if (attr_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "UUID search not configured for this backend.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
+ case BE_FILTER_CERT:
+ attr_name = ctx->opts->user_map[SDAP_AT_USER_CERT].name;
+ if (attr_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Certificate search not configured for this backend.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_cert_derb64_to_ldap_filter(state, filter_value, attr_name,
+ sdap_get_sss_certmap(ctx->opts->sdap_certmap_ctx),
+ state->domain, &user_filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_cert_derb64_to_ldap_filter failed.\n");
+
+ /* Typically sss_cert_derb64_to_ldap_filter() will fail if there
+ * is no mapping rule matching the current certificate. But this
+ * just means that no matching user can be found so we can finish
+ * the request with this result. Even if
+ * sss_cert_derb64_to_ldap_filter() would fail for other reason
+ * there is no need to return an error which might cause the
+ * domain go offline. 
*/
+
+ if (noexist_delete) {
+ ret = sysdb_remove_cert(state->domain, filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Ignoring error while removing user certificate "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ }
+ }
+
+ ret = EOK;
+ state->sdap_ret = ENOENT;
+ state->dp_error = DP_ERR_OK;
+ goto done;
+ }
+
+ state->extra_attrs = sysdb_new_attrs(state);
+ if (state->extra_attrs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_base64_blob(state->extra_attrs,
+ SYSDB_USER_MAPPED_CERT, filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_base64_blob failed.\n");
+ goto done;
+ }
+
+ break;
+ default:
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (attr_name == NULL && user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (user_filter == NULL) {
+ user_filter = talloc_asprintf(state, "(%s=%s)", attr_name, clean_value);
+ talloc_free(clean_value);
+ if (user_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (state->non_posix) {
+ state->filter = talloc_asprintf(state,
+ "(&%s(objectclass=%s)(%s=*))",
+ user_filter,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name);
+ } else if (state->use_id_mapping || filter_type == BE_FILTER_SECID) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to users with a UID value. But there must be a SID to map
+ * from. 
+ */
+ state->filter = talloc_asprintf(state,
+ "(&%s(objectclass=%s)(%s=*)(%s=*))",
+ user_filter,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping or looking up POSIX users,
+ * make sure there is a non-NULL UID */
+ state->filter = talloc_asprintf(state,
+ "(&%s(objectclass=%s)(%s=*)(&(%s=*)(!(%s=0))))",
+ user_filter,
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name,
+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ }
+
+ talloc_zfree(user_filter);
+ if (!state->filter) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build the base filter\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = build_attrs_from_map(state, ctx->opts->user_map,
+ ctx->opts->user_map_cnt,
+ NULL, &state->attrs, NULL);
+ if (ret != EOK) goto done;
+
+ ret = users_get_retry(req);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+ return tevent_req_post(req, ev);
+}
+
+static int users_get_retry(struct tevent_req *req)
+{
+ struct users_get_state *state = tevent_req_data(req,
+ struct users_get_state);
+ struct tevent_req *subreq;
+ int ret = EOK;
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (!subreq) {
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, users_get_connect_done, req);
+ return EOK;
+}
+
+static void users_get_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct users_get_state *state = tevent_req_data(req,
+ struct users_get_state);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ users_get_search(req);
+}
+
+static void users_get_search(struct tevent_req *req)
+{
+ struct users_get_state *state = tevent_req_data(req,
+ struct users_get_state);
+ struct tevent_req *subreq;
+ enum sdap_entry_lookup_type lookup_type;
+
+ if (state->filter_type == BE_FILTER_WILDCARD) {
+ lookup_type = SDAP_LOOKUP_WILDCARD;
+ } else {
+ lookup_type = SDAP_LOOKUP_SINGLE;
+ }
+
+ subreq = sdap_get_users_send(state, state->ev,
+ state->domain, state->sysdb,
+ state->ctx->opts,
+ state->sdom->user_search_bases,
+ sdap_id_op_handle(state->op),
+ state->attrs, state->filter,
+ dp_opt_get_int(state->ctx->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ lookup_type, state->extra_attrs);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, users_get_done, req);
+}
+
+static void users_get_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct users_get_state *state = tevent_req_data(req,
+ struct users_get_state);
+ char *endptr;
+ uid_t uid;
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+ const char *del_name;
+ struct ldb_message *msg;
+
+ ret = sdap_get_users_recv(subreq, NULL, NULL);
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = users_get_retry(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ return;
+ }
+
+ if ((ret == ENOENT) &&
+ (state->ctx->opts->schema_type == SDAP_SCHEMA_RFC2307) &&
+ (dp_opt_get_bool(state->ctx->opts->basic,
+ SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS) == true)) {
+ struct sysdb_attrs **usr_attrs;
+ bool fallback;
+
+ switch (state->filter_type) {
+ case BE_FILTER_NAME:
+ uid = -1;
+ fallback = true;
+ break;
+ case BE_FILTER_IDNUM:
+ uid = (uid_t) strtouint32(state->filter_value, &endptr, 10);
+ if (errno || *endptr || (state->filter_value == endptr)) {
+ tevent_req_error(req, errno ? 
errno : EINVAL);
+ return;
+ }
+ fallback = true;
+ break;
+ default:
+ fallback = false;
+ break;
+ }
+
+ if (fallback) {
+ ret = sdap_fallback_local_user(state, state->shortname, uid, &usr_attrs);
+ if (ret == EOK) {
+ ret = sdap_save_user(state, state->ctx->opts, state->domain,
+ usr_attrs[0], NULL, NULL, 0);
+ }
+ }
+ }
+ state->sdap_ret = ret;
+
+ if (ret && ret != ENOENT) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (ret == ENOENT && state->noexist_delete == true) {
+ switch (state->filter_type) {
+ case BE_FILTER_ENUM:
+ tevent_req_error(req, ret);
+ return;
+ case BE_FILTER_NAME:
+ if (state->name_is_upn == true) {
+ ret = sysdb_search_user_by_upn(state, state->domain, false,
+ state->filter_value,
+ NULL, &msg);
+ if (ret != EOK) {
+ break;
+ }
+ del_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ } else {
+ del_name = state->filter_value;
+ }
+
+ if (del_name == NULL) {
+ break;
+ }
+
+ ret = sysdb_delete_user(state->domain, state->filter_value, 0);
+ if (ret != EOK && ret != ENOENT) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ break;
+
+ case BE_FILTER_IDNUM:
+ uid = (uid_t) strtouint32(state->filter_value, &endptr, 10);
+ if (errno || *endptr || (state->filter_value == endptr)) {
+ tevent_req_error(req, errno ? errno : EINVAL);
+ return;
+ }
+
+ ret = sysdb_delete_user(state->domain, NULL, uid);
+ if (ret != EOK && ret != ENOENT) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ break;
+
+ case BE_FILTER_SECID:
+ case BE_FILTER_UUID:
+ /* Since it is not clear if the SID/UUID belongs to a user or a
+ * group we have nothing to do here. */
+ break;
+
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all users are up-to-date, especially in a large
+ * environment. 
Do not delete any records, let the responder fetch
+ * the entries they are requested in
+ */
+ break;
+
+ case BE_FILTER_CERT:
+ ret = sysdb_remove_cert(state->domain, state->filter_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove user certificate"
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+ break;
+
+ default:
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+ }
+
+ state->dp_error = DP_ERR_OK;
+ /* FIXME - return sdap error so that we know the user was not found */
+ tevent_req_done(req);
+}
+
+int users_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret)
+{
+ struct users_get_state *state = tevent_req_data(req,
+ struct users_get_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ if (sdap_ret) {
+ *sdap_ret = state->sdap_ret;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* =Groups-Related-Functions-(by-name,by-uid)============================= */
+
+struct groups_get_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *ctx;
+ struct sdap_domain *sdom;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *op;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+
+ const char *filter_value;
+ int filter_type;
+
+ char *filter;
+ const char **attrs;
+ bool use_id_mapping;
+ bool non_posix;
+
+ int dp_error;
+ int sdap_ret;
+ bool noexist_delete;
+ bool no_members;
+};
+
+static int groups_get_retry(struct tevent_req *req);
+static void groups_get_connect_done(struct tevent_req *subreq);
+static void groups_get_mpg_done(struct tevent_req *subreq);
+static errno_t groups_get_handle_no_group(struct tevent_req *req);
+static void groups_get_search(struct tevent_req *req);
+static void groups_get_done(struct tevent_req *subreq);
+
+struct tevent_req *groups_get_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *filter_value,
+ 
int filter_type, + bool noexist_delete, + bool no_members) +{ + struct tevent_req *req; + struct groups_get_state *state; + const char *attr_name = NULL; + char *shortname = NULL; + char *clean_value; + char *endptr; + int ret; + gid_t gid; + enum idmap_error_code err; + char *sid; + const char *member_filter[2]; + char *oc_list; + + req = tevent_req_create(memctx, &state, struct groups_get_state); + if (!req) return NULL; + + state->ev = ev; + state->ctx = ctx; + state->sdom = sdom; + state->conn = conn; + state->dp_error = DP_ERR_FATAL; + state->noexist_delete = noexist_delete; + state->no_members = no_members; + + state->op = sdap_id_op_create(state, state->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto done; + } + + state->domain = sdom->dom; + state->sysdb = sdom->dom->sysdb; + state->filter_value = filter_value; + state->filter_type = filter_type; + + if (state->domain->type == DOM_TYPE_APPLICATION) { + state->non_posix = true; + } + + state->use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping( + ctx->opts->idmap_ctx, + sdom->dom->name, + sdom->dom->domain_id); + + switch(filter_type) { + case BE_FILTER_WILDCARD: + attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name; + ret = sss_filter_sanitize_ex(state, filter_value, &clean_value, + LDAP_ALLOWED_WILDCARDS); + if (ret != EOK) { + goto done; + } + break; + case BE_FILTER_NAME: + attr_name = ctx->opts->group_map[SDAP_AT_GROUP_NAME].name; + + ret = sss_parse_internal_fqname(state, filter_value, + &shortname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", filter_value); + goto done; + } + + ret = sss_filter_sanitize(state, shortname, &clean_value); + if (ret != EOK) { + goto done; + } + break; + case BE_FILTER_IDNUM: + if (state->use_id_mapping) { + /* If we're ID-mapping, we need to use the objectSID + * in the search filter. 
+ */
+ gid = strtouint32(filter_value, &endptr, 10);
+ if (errno != EOK) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Convert the GID to its objectSID */
+ err = sss_idmap_unix_to_sid(ctx->opts->idmap_ctx->map,
+ gid, &sid);
+ if (err == IDMAP_NO_DOMAIN) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "[%s] did not match any configured ID mapping domain\n",
+ filter_value);
+
+ ret = sysdb_delete_group(state->domain, NULL, gid);
+ if (ret == ENOENT) {
+ /* Ignore errors to remove users that were not cached previously */
+ ret = EOK;
+ }
+
+ goto done;
+ } else if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Mapping ID [%s] to SID failed: [%s]\n",
+ filter_value, idmap_error_string(err));
+ ret = EIO;
+ goto done;
+ }
+
+ attr_name = ctx->opts->group_map[SDAP_AT_GROUP_OBJECTSID].name;
+ ret = sss_filter_sanitize(state, sid, &clean_value);
+ sss_idmap_free_sid(ctx->opts->idmap_ctx->map, sid);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ } else {
+ attr_name = ctx->opts->group_map[SDAP_AT_GROUP_GID].name;
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+ break;
+ case BE_FILTER_SECID:
+ attr_name = ctx->opts->group_map[SDAP_AT_GROUP_OBJECTSID].name;
+
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
+ case BE_FILTER_UUID:
+ attr_name = ctx->opts->group_map[SDAP_AT_GROUP_UUID].name;
+ if (attr_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "UUID search not configured for this backend.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(state, filter_value, &clean_value);
+ if (ret != EOK) {
+ goto done;
+ }
+ break;
+ default:
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (attr_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ oc_list = sdap_make_oc_list(state, ctx->opts->group_map);
+ if (oc_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (state->non_posix
+ || state->use_id_mapping
+ || filter_type == BE_FILTER_SECID) {
+ /* When mapping IDs or looking for SIDs, or when in a non-POSIX domain,
+ * we don't want to limit ourselves to groups with a GID value
+ */
+
+ state->filter = talloc_asprintf(state,
+ "(&(%s=%s)(%s)(%s=*))",
+ attr_name, clean_value, oc_list,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name);
+ } else {
+ state->filter = talloc_asprintf(state,
+ "(&(%s=%s)(%s)(%s=*)(&(%s=*)(!(%s=0))))",
+ attr_name, clean_value, oc_list,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ }
+
+ talloc_zfree(clean_value);
+ if (!state->filter) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ member_filter[0] = (const char *)ctx->opts->group_map[SDAP_AT_GROUP_MEMBER].name;
+ member_filter[1] = NULL;
+
+ ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
+ (state->domain->ignore_group_members
+ || state->no_members) ?
+ (const char **)member_filter : NULL,
+ &state->attrs, NULL);
+
+ if (ret != EOK) goto done;
+
+ ret = groups_get_retry(req);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+ return tevent_req_post(req, ev);
+}
+
+static int groups_get_retry(struct tevent_req *req)
+{
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+ struct tevent_req *subreq;
+ int ret = EOK;
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (!subreq) {
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, groups_get_connect_done, req);
+ return EOK;
+}
+
+static void groups_get_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ groups_get_search(req);
+}
+
+static void groups_get_search(struct tevent_req *req)
+{
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+ struct tevent_req *subreq;
+ enum sdap_entry_lookup_type lookup_type;
+
+ if (state->filter_type == BE_FILTER_WILDCARD) {
+ lookup_type = SDAP_LOOKUP_WILDCARD;
+ } else {
+ lookup_type = SDAP_LOOKUP_SINGLE;
+ }
+
+ subreq = sdap_get_groups_send(state, state->ev,
+ state->sdom,
+ state->ctx->opts,
+ sdap_id_op_handle(state->op),
+ state->attrs, state->filter,
+ dp_opt_get_int(state->ctx->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ lookup_type,
+ state->no_members);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, groups_get_done, req);
+}
+
+static void groups_get_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_get_groups_recv(subreq, NULL, NULL);
+ talloc_zfree(subreq);
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = groups_get_retry(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ return;
+ }
+ state->sdap_ret = ret;
+
+ if (ret && ret != ENOENT) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (ret == ENOENT
+ && state->domain->mpg == true
+ && !state->conn->no_mpg_user_fallback) {
+ /* The requested filter did not find a group. Before giving up, we must
+ * also check if the GID can be resolved through a primary group of a
+ * user
+ */
+ subreq = users_get_send(state,
+ state->ev,
+ state->ctx,
+ state->sdom,
+ state->conn,
+ state->filter_value,
+ state->filter_type,
+ NULL,
+ state->noexist_delete);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, groups_get_mpg_done, req);
+ return;
+ } else if (ret == ENOENT && state->noexist_delete == true) {
+ ret = groups_get_handle_no_group(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+
+ state->dp_error = DP_ERR_OK;
+ tevent_req_done(req);
+}
+
+static void groups_get_mpg_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->sdap_ret == ENOENT && state->noexist_delete == true) {
+ ret = groups_get_handle_no_group(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not delete group [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+
+ /* GID resolved to a user private group, done */
+ tevent_req_done(req);
+ return;
+}
+
+static errno_t groups_get_handle_no_group(struct tevent_req *req)
+{
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+ errno_t ret;
+ char *endptr;
+ gid_t gid;
+
+ switch (state->filter_type) {
+ case BE_FILTER_ENUM:
+ ret = ENOENT;
+ break;
+ case BE_FILTER_NAME:
+ ret = sysdb_delete_group(state->domain, state->filter_value, 0);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete group %s [%d]: %s\n",
+ state->filter_value, ret, sss_strerror(ret));
+ return ret;
+ }
+ ret = EOK;
+ break;
+ case BE_FILTER_IDNUM:
+ gid = (gid_t) strtouint32(state->filter_value, &endptr, 10);
+ if (errno || *endptr || (state->filter_value == endptr)) {
+ ret = errno ? errno : EINVAL;
+ break;
+ }
+
+ ret = sysdb_delete_group(state->domain, NULL, gid);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete group %"SPRIgid" [%d]: %s\n",
+ gid, ret, sss_strerror(ret));
+ return ret;
+ }
+ ret = EOK;
+ break;
+ case BE_FILTER_SECID:
+ case BE_FILTER_UUID:
+ /* Since it is not clear if the SID/UUID belongs to a user or a
+ * group we have nothing to do here. */
+ ret = EOK;
+ break;
+ case BE_FILTER_WILDCARD:
+ /* We can't know if all groups are up-to-date, especially in
+ * a large environment. Do not delete any records, let the
+ * responder fetch the entries they are requested in.
+ */
+ ret = EOK;
+ break;
+ default:
+ ret = EINVAL;
+ break;
+ }
+
+ return ret;
+}
+
+int groups_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret)
+{
+ struct groups_get_state *state = tevent_req_data(req,
+ struct groups_get_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ if (sdap_ret) {
+ *sdap_ret = state->sdap_ret;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+
+/* =Get-Groups-for-User================================================== */
+
+struct groups_by_user_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *ctx;
+ struct sdap_domain *sdom;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *op;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+
+ const char *filter_value;
+ int filter_type;
+ const char *extra_value;
+ const char **attrs;
+ bool non_posix;
+
+ int dp_error;
+ int sdap_ret;
+ bool noexist_delete;
+};
+
+static int groups_by_user_retry(struct tevent_req *req);
+static void groups_by_user_connect_done(struct tevent_req *subreq);
+static void groups_by_user_done(struct tevent_req *subreq);
+
+static struct tevent_req *groups_by_user_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *filter_value,
+ int filter_type,
+ const char *extra_value,
+ bool noexist_delete)
+{
+ struct tevent_req *req;
+ struct groups_by_user_state *state;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct groups_by_user_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->ctx = ctx;
+ state->dp_error = DP_ERR_FATAL;
+ state->conn = conn;
+ state->sdom = sdom;
+ state->noexist_delete = noexist_delete;
+
+ state->op = sdap_id_op_create(state, state->conn->conn_cache);
+ if (!state->op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ state->filter_value = filter_value;
+ state->filter_type = filter_type;
+ state->extra_value = extra_value;
+ state->domain = sdom->dom;
+ state->sysdb = sdom->dom->sysdb;
+
+ if (state->domain->type == DOM_TYPE_APPLICATION) {
+ state->non_posix = true;
+ }
+
+ ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
+ NULL, &state->attrs, NULL);
+ if (ret != EOK) goto fail;
+
+ ret = groups_by_user_retry(req);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static int groups_by_user_retry(struct tevent_req *req)
+{
+ struct groups_by_user_state *state = tevent_req_data(req,
+ struct groups_by_user_state);
+ struct tevent_req *subreq;
+ int ret = EOK;
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (!subreq) {
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, groups_by_user_connect_done, req);
+ return EOK;
+}
+
+static void groups_by_user_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct groups_by_user_state *state = tevent_req_data(req,
+ struct groups_by_user_state);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_get_initgr_send(state,
+ state->ev,
+ state->sdom,
+ sdap_id_op_handle(state->op),
+ state->ctx,
+ state->conn,
+ state->filter_value,
+ state->filter_type,
+ state->extra_value,
+ state->attrs);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, groups_by_user_done, req);
+}
+
+static void groups_by_user_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct groups_by_user_state *state = tevent_req_data(req,
+ struct groups_by_user_state);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_get_initgr_recv(subreq);
+ talloc_zfree(subreq);
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = groups_by_user_retry(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ return;
+ }
+ state->sdap_ret = ret;
+
+ switch (state->sdap_ret) {
+ case ENOENT:
+ if (state->noexist_delete == true) {
+ const char *cname;
+
+ /* state->filter_value is still the name used for the original
+ * req. The cached object might have a different name, e.g. a
+ * fully-qualified name. */
+ ret = sysdb_get_real_name(state,
+ state->domain,
+ state->filter_value,
+ &cname);
+ if (ret != EOK) {
+ cname = state->filter_value;
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Failed to canonicalize name, using [%s] [%d]: %s.\n",
+ cname, ret, sss_strerror(ret));
+ }
+
+ ret = sysdb_delete_user(state->domain, cname, 0);
+ if (ret != EOK && ret != ENOENT) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+ break;
+ case EOK:
+ break;
+ default:
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->dp_error = DP_ERR_OK;
+ tevent_req_done(req);
+}
+
+int groups_by_user_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret)
+{
+ struct groups_by_user_state *state = tevent_req_data(req,
+ struct groups_by_user_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ if (sdap_ret) {
+ *sdap_ret = state->sdap_ret;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* =Get-Account-Info-Call================================================= */
+
+/* FIXME: embed this function in sssd_be and only call out
+ * specific functions from modules? */
+
+static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *filter_value,
+ int filter_type,
+ bool noexist_delete);
+
+errno_t sdap_get_user_and_group_recv(struct tevent_req *req,
+ int *dp_error_out, int *sdap_ret);
+
+bool sdap_is_enum_request(struct dp_id_data *ar)
+{
+ switch (ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER:
+ case BE_REQ_GROUP:
+ case BE_REQ_SERVICES:
+ if (ar->filter_type == BE_FILTER_ENUM) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/* A generic LDAP account info handler */
+struct sdap_handle_acct_req_state {
+ struct dp_id_data *ar;
+ const char *err;
+ int dp_error;
+ int sdap_ret;
+};
+
+static void sdap_handle_acct_req_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_handle_acct_req_send(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct dp_id_data *ar,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ bool noexist_delete)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct sdap_handle_acct_req_state *state;
+ errno_t ret;
+
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_handle_acct_req_state);
+ if (!req) {
+ return NULL;
+ }
+ state->ar = ar;
+
+ if (ar == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ PROBE(SDAP_ACCT_REQ_SEND,
+ state->ar->entry_type & BE_REQ_TYPE_MASK,
+ state->ar->filter_type, state->ar->filter_value,
+ PROBE_SAFE_STR(state->ar->extra_value));
+
+ switch (ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER: /* user */
+ subreq = users_get_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ ar->extra_value,
+ noexist_delete);
+ break;
+
+ case BE_REQ_GROUP: /* group */
+ subreq = groups_get_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ noexist_delete, false);
+ break;
+
+ case BE_REQ_INITGROUPS: /* init groups for user */
+ if (ar->filter_type != BE_FILTER_NAME
+ && ar->filter_type != BE_FILTER_SECID
+ && ar->filter_type != BE_FILTER_UUID) {
+ ret = EINVAL;
+ state->err = "Invalid filter type";
+ goto done;
+ }
+
+ subreq = groups_by_user_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ ar->extra_value,
+ noexist_delete);
+ break;
+
+ case BE_REQ_NETGROUP:
+ if (ar->filter_type != BE_FILTER_NAME) {
+ ret = EINVAL;
+ state->err = "Invalid filter type";
+ goto done;
+ }
+
+ subreq = ldap_netgroup_get_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ noexist_delete);
+ break;
+
+ case BE_REQ_SERVICES:
+ if (ar->filter_type == BE_FILTER_SECID
+ || ar->filter_type == BE_FILTER_UUID) {
+ ret = EINVAL;
+ state->err = "Invalid filter type";
+ goto done;
+ }
+
+ subreq = services_get_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->extra_value,
+ ar->filter_type,
+ noexist_delete);
+ break;
+
+ case BE_REQ_BY_SECID:
+ if (ar->filter_type != BE_FILTER_SECID) {
+ ret = EINVAL;
+ state->err = "Invalid filter type";
+ goto done;
+ }
+
+ subreq = get_user_and_group_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ noexist_delete);
+ break;
+
+ case BE_REQ_BY_UUID:
+ if (ar->filter_type != BE_FILTER_UUID) {
+ ret = EINVAL;
+ state->err = "Invalid filter type";
+ goto done;
+ }
+
+ subreq = get_user_and_group_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ noexist_delete);
+ break;
+
+ case BE_REQ_USER_AND_GROUP:
+ if (!(ar->filter_type == BE_FILTER_NAME ||
+ ar->filter_type == BE_FILTER_IDNUM)) {
+ ret = EINVAL;
+ state->err = "Invalid filter type";
+ goto done;
+ }
+
+ subreq = get_user_and_group_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ noexist_delete);
+ break;
+
+ case BE_REQ_BY_CERT:
+ subreq = users_get_send(state, be_ctx->ev, id_ctx,
+ sdom, conn,
+ ar->filter_value,
+ ar->filter_type,
+ ar->extra_value,
+ noexist_delete);
+ break;
+
+ default: /*fail*/
+ ret = EINVAL;
+ state->err = "Invalid request type";
+ goto done;
+ }
+
+ if (!subreq) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_handle_acct_req_done, req);
+ return req;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ tevent_req_post(req, be_ctx->ev);
+ return req;
+}
+
+static void
+sdap_handle_acct_req_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_handle_acct_req_state *state;
+ errno_t ret;
+ const char *err = "Invalid request type";
+
+ state = tevent_req_data(req, struct sdap_handle_acct_req_state);
+
+ switch (state->ar->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER: /* user */
+ err = "User lookup failed";
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ break;
+ case BE_REQ_GROUP: /* group */
+ err = "Group lookup failed";
+ ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ break;
+ case BE_REQ_INITGROUPS: /* init groups for user */
+ err = "Init group lookup failed";
+ ret = groups_by_user_recv(subreq, &state->dp_error, &state->sdap_ret);
+ break;
+ case BE_REQ_NETGROUP:
+ err = "Netgroup lookup failed";
+ ret = ldap_netgroup_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ break;
+ case BE_REQ_SERVICES:
+ err = "Service lookup failed";
+ ret = services_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ break;
+ case BE_REQ_BY_SECID:
+ /* Fall through */
+ case BE_REQ_BY_UUID:
+ /* Fall through */
+ case BE_REQ_USER_AND_GROUP:
+ err = "Lookup by SID failed";
+ ret = sdap_get_user_and_group_recv(subreq, &state->dp_error,
+ &state->sdap_ret);
+ break;
+ case BE_REQ_BY_CERT:
+ err = "User lookup by certificate failed";
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ break;
+ default: /* fail */
+ ret = EINVAL;
+ break;
+ }
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ state->err = err;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->err = "Success";
+ tevent_req_done(req);
+}
+
+errno_t
+sdap_handle_acct_req_recv(struct tevent_req *req,
+ int *_dp_error, const char **_err,
+ int *sdap_ret)
+{
+ struct sdap_handle_acct_req_state *state;
+
+ state = tevent_req_data(req, struct sdap_handle_acct_req_state);
+
+ PROBE(SDAP_ACCT_REQ_RECV,
+ state->ar->entry_type & BE_REQ_TYPE_MASK,
+ state->ar->filter_type, state->ar->filter_value,
+ PROBE_SAFE_STR(state->ar->extra_value));
+
+ if (_dp_error) {
+ *_dp_error = state->dp_error;
+ }
+
+ if (_err) {
+ *_err = state->err;
+ }
+
+ if (sdap_ret) {
+ *sdap_ret = state->sdap_ret;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct get_user_and_group_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_domain *sdom;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *op;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+
+ const char *filter_val;
+ int filter_type;
+
+ char *filter;
+ const char **attrs;
+
+ int dp_error;
+ int sdap_ret;
+ bool noexist_delete;
+};
+
+static void get_user_and_group_users_done(struct tevent_req *subreq);
+static void get_user_and_group_groups_done(struct tevent_req *subreq);
+
+static struct tevent_req *get_user_and_group_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn,
+ const char *filter_val,
+ int filter_type,
+ bool noexist_delete)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct get_user_and_group_state *state;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct get_user_and_group_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->id_ctx = id_ctx;
+ state->sdom = sdom;
+ state->conn = conn;
+ state->dp_error = DP_ERR_FATAL;
+ state->noexist_delete = noexist_delete;
+
+ state->op = sdap_id_op_create(state, state->conn->conn_cache);
+ if (!state->op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ state->domain = sdom->dom;
+ state->sysdb = sdom->dom->sysdb;
+ state->filter_val = filter_val;
+ state->filter_type = filter_type;
+
+ subreq = groups_get_send(req, state->ev, state->id_ctx,
+ state->sdom, state->conn,
+ state->filter_val, state->filter_type,
+ state->noexist_delete, false);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "groups_get_send failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ tevent_req_set_callback(subreq, get_user_and_group_groups_done, req);
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void get_user_and_group_groups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct get_user_and_group_state *state = tevent_req_data(req,
+ struct get_user_and_group_state);
+ int ret;
+ struct ad_id_ctx *ad_id_ctx;
+ struct sdap_id_conn_ctx *user_conn;
+
+ ret = groups_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) { /* Fatal error while looking up group */
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->sdap_ret == EOK) { /* Matching group found */
+ tevent_req_done(req);
+ return;
+ } else if (state->sdap_ret != ENOENT) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ /* Now the search finished fine but did not find an entry.
+ * Retry with users. */
+
+ user_conn = state->conn;
+ /* Prefer LDAP over GC for users */
+ if (state->id_ctx->opts->schema_type == SDAP_SCHEMA_AD
+ && state->sdom->pvt != NULL) {
+ ad_id_ctx = talloc_get_type(state->sdom->pvt, struct ad_id_ctx);
+ if (ad_id_ctx != NULL && ad_id_ctx->ldap_ctx != NULL
+ && state->conn == ad_id_ctx->gc_ctx) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Switching to LDAP connection for user lookup.\n");
+ user_conn = ad_id_ctx->ldap_ctx;
+ }
+ }
+
+ subreq = users_get_send(req, state->ev, state->id_ctx,
+ state->sdom, user_conn,
+ state->filter_val, state->filter_type, NULL,
+ state->noexist_delete);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "users_get_send failed.\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, get_user_and_group_users_done, req);
+}
+
+static void get_user_and_group_users_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct get_user_and_group_state *state = tevent_req_data(req,
+ struct get_user_and_group_state);
+ int ret;
+
+ ret = users_get_recv(subreq, &state->dp_error, &state->sdap_ret);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ if (state->sdap_ret == ENOENT) {
+ if (state->noexist_delete == true) {
+ /* The search ran to completion, but nothing was found.
+ * Delete the existing entry, if any. */
+ ret = sysdb_delete_by_sid(state->sysdb, state->domain,
+ state->filter_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not delete entry by SID!\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+ } else if (state->sdap_ret != EOK) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ /* Both ret and sdap->ret are EOK. Matching user found */
+ tevent_req_done(req);
+ return;
+}
+
+errno_t sdap_get_user_and_group_recv(struct tevent_req *req,
+ int *dp_error_out, int *sdap_ret)
+{
+ struct get_user_and_group_state *state = tevent_req_data(req,
+ struct get_user_and_group_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ if (sdap_ret) {
+ *sdap_ret = state->sdap_ret;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct sdap_account_info_handler_state {
+ struct dp_reply_std reply;
+};
+
+static void sdap_account_info_handler_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params)
+{
+ struct sdap_account_info_handler_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_account_info_handler_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ if (sdap_is_enum_request(data)) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Skipping enumeration on demand\n");
+ ret = EOK;
+ goto immediately;
+ }
+
+ subreq = sdap_handle_acct_req_send(state, params->be_ctx, data, id_ctx,
+ id_ctx->opts->sdom, id_ctx->conn, true);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_account_info_handler_done, req);
+
+ return req;
+
+immediately:
+ dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+
+ return req;
+}
+
+static void sdap_account_info_handler_done(struct tevent_req *subreq)
+{
+ struct sdap_account_info_handler_state *state;
+ struct tevent_req *req;
+ const char *error_msg;
+ int dp_error;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_account_info_handler_state);
+
+ ret = sdap_handle_acct_req_recv(subreq, &dp_error, &error_msg, NULL);
+ talloc_zfree(subreq);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ dp_reply_std_set(&state->reply, dp_error, ret, error_msg);
+ tevent_req_done(req);
+}
+
+errno_t sdap_account_info_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data)
+{
+ struct sdap_account_info_handler_state *state = NULL;
+
+ state = tevent_req_data(req, struct sdap_account_info_handler_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *data = state->reply;
+
+ return EOK;
+}
diff --git a/src/providers/ldap/ldap_id_cleanup.c b/src/providers/ldap/ldap_id_cleanup.c
new file mode 100644
index 0000000..8c0f0c1
--- /dev/null
+++ b/src/providers/ldap/ldap_id_cleanup.c
@@ -0,0 +1,498 @@ +/* + SSSD + + LDAP Identity Cleanup Functions + + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "util/find_uid.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" + +/* ==Cleanup-Task========================================================= */ +struct ldap_id_cleanup_ctx { + struct sdap_id_ctx *ctx; + struct sdap_domain *sdom; +}; + +static errno_t ldap_cleanup_task(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct ldap_id_cleanup_ctx *cleanup_ctx = NULL; + + cleanup_ctx = talloc_get_type(pvt, struct ldap_id_cleanup_ctx); + return ldap_id_cleanup(cleanup_ctx->ctx->opts, cleanup_ctx->sdom); +} + +errno_t ldap_setup_cleanup(struct sdap_id_ctx *id_ctx, + struct sdap_domain *sdom) +{ + errno_t ret; + time_t first_delay; + time_t period; + struct ldap_id_cleanup_ctx *cleanup_ctx = NULL; + char *name = NULL; + + period = dp_opt_get_int(id_ctx->opts->basic, SDAP_PURGE_CACHE_TIMEOUT); + if (period == 0) { + /* Cleanup has been explicitly disabled, so we won't + * create any cleanup tasks. */ + ret = EOK; + goto done; + } + + /* Run the first one in a couple of seconds so that we have time to + * finish initializations first. 
*/ + first_delay = 10; + + cleanup_ctx = talloc_zero(sdom, struct ldap_id_cleanup_ctx); + if (cleanup_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cleanup_ctx->ctx = id_ctx; + cleanup_ctx->sdom = sdom; + + name = talloc_asprintf(cleanup_ctx, "Cleanup of %s", sdom->dom->name); + if (name == NULL) { + return ENOMEM; + } + + ret = be_ptask_create_sync(sdom, id_ctx->be, period, first_delay, + 5 /* enabled delay */, 0 /* random offset */, + period /* timeout */, BE_PTASK_OFFLINE_SKIP, 0, + ldap_cleanup_task, cleanup_ctx, name, + &sdom->cleanup_task); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize cleanup periodic " + "task for %s\n", sdom->dom->name); + goto done; + } + + talloc_steal(sdom->cleanup_task, cleanup_ctx); + ret = EOK; + +done: + talloc_free(name); + if (ret != EOK) { + talloc_free(cleanup_ctx); + } + + return ret; +} + +static int cleanup_users(struct sdap_options *opts, + struct sss_domain_info *dom); +static int cleanup_groups(TALLOC_CTX *memctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain); + +errno_t ldap_id_cleanup(struct sdap_options *opts, + struct sdap_domain *sdom) +{ + int ret, tret; + bool in_transaction = false; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sysdb_transaction_start(sdom->dom->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + ret = cleanup_users(opts, sdom->dom); + if (ret && ret != ENOENT) { + goto done; + } + + ret = cleanup_groups(tmp_ctx, sdom->dom->sysdb, sdom->dom); + if (ret) { + goto done; + } + + ret = sysdb_transaction_commit(sdom->dom->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + sdom->last_purge = tevent_timeval_current(); + ret = EOK; +done: + if (in_transaction) { + tret = sysdb_transaction_cancel(sdom->dom->sysdb); + if (tret 
!= EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n"); + } + } + talloc_free(tmp_ctx); + return ret; +} + + +/* ==User-Cleanup-Process================================================= */ + +static int cleanup_users_logged_in(hash_table_t *table, + const struct ldb_message *msg); + +static errno_t expire_memberof_target_groups(struct sss_domain_info *dom, + struct ldb_message *user); + +static int cleanup_users(struct sdap_options *opts, + struct sss_domain_info *dom) +{ + TALLOC_CTX *tmpctx; + const char *attrs[] = { SYSDB_NAME, SYSDB_UIDNUM, SYSDB_MEMBEROF, NULL }; + time_t now = time(NULL); + char *subfilter = NULL; + int account_cache_expiration; + hash_table_t *uid_table; + struct ldb_message **msgs; + size_t count; + const char *name; + int ret; + int i; + + tmpctx = talloc_new(NULL); + if (!tmpctx) { + return ENOMEM; + } + + account_cache_expiration = dp_opt_get_int(opts->basic, SDAP_ACCOUNT_CACHE_EXPIRATION); + DEBUG(SSSDBG_TRACE_ALL, "Cache expiration is set to %d days\n", + account_cache_expiration); + + if (account_cache_expiration > 0) { + subfilter = talloc_asprintf(tmpctx, + "(&(!(%s=0))(%s<=%ld)(|(!(%s=*))(%s<=%ld)))", + SYSDB_CACHE_EXPIRE, + SYSDB_CACHE_EXPIRE, + (long) now, + SYSDB_LAST_LOGIN, + SYSDB_LAST_LOGIN, + (long) (now - (account_cache_expiration * 86400))); + } else { + subfilter = talloc_asprintf(tmpctx, + "(&(!(%s=0))(%s<=%ld)(!(%s=*)))", + SYSDB_CACHE_EXPIRE, + SYSDB_CACHE_EXPIRE, + (long) now, + SYSDB_LAST_LOGIN); + } + if (!subfilter) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_users_by_timestamp(tmpctx, dom, subfilter, attrs, + &count, &msgs); + if (ret == ENOENT) { + count = 0; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_users failed: %d\n", ret); + goto done; + } + DEBUG(SSSDBG_FUNC_DATA, "Found %zu expired user entries!\n", count); + + if (count == 0) { + ret = EOK; + goto done; + } + + ret = get_uid_table(tmpctx, 
&uid_table); + /* get_uid_table returns ENOSYS on non-Linux platforms. We proceed with + * the cleanup in that case + */ + if (ret != EOK && ret != ENOSYS) { + DEBUG(SSSDBG_CRIT_FAILURE, "get_uid_table failed: %d\n", ret); + goto done; + } + + for (i = 0; i < count; i++) { + name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); + if (!name) { + DEBUG(SSSDBG_OP_FAILURE, "Entry %s has no Name Attribute ?!?\n", + ldb_dn_get_linearized(msgs[i]->dn)); + ret = EFAULT; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Processing user %s\n", name); + + if (uid_table) { + ret = cleanup_users_logged_in(uid_table, msgs[i]); + if (ret == EOK) { + /* If the user is logged in, proceed to the next one */ + DEBUG(SSSDBG_FUNC_DATA, + "User %s is still logged in or a dummy entry, " + "keeping data\n", name); + continue; + } else if (ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot check if user is logged in: %d\n", ret); + goto done; + } + } + + /* If not logged in or cannot check the table, delete him */ + DEBUG(SSSDBG_TRACE_ALL, "About to delete user %s\n", name); + ret = sysdb_delete_user(dom, name, 0); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_delete_user failed: %d\n", ret); + goto done; + } + + /* Mark all groups of which user was a member as expired in cache, + * so that its ghost/member attributes are refreshed on next + * request. 
*/ + ret = expire_memberof_target_groups(dom, msgs[i]); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "expire_memberof_target_groups failed: [%d]:%s\n", + ret, sss_strerror(ret)); + goto done; + } + } + +done: + talloc_zfree(tmpctx); + return ret; +} + +static errno_t expire_memberof_target_groups(struct sss_domain_info *dom, + struct ldb_message *user) +{ + struct ldb_message_element *memberof_el = NULL; + errno_t ret; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + memberof_el = ldb_msg_find_element(user, SYSDB_MEMBEROF); + if (memberof_el == NULL) { + /* User has no cached groups. Nothing to be marked as expired. */ + ret = EOK; + goto done; + } + + for (unsigned int i = 0; i < memberof_el->num_values; i++) { + ret = sysdb_mark_entry_as_expired_ldb_val(dom, + &memberof_el->values[i]); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_mark_entry_as_expired_ldb_val failed: [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int cleanup_users_logged_in(hash_table_t *table, + const struct ldb_message *msg) +{ + uid_t uid; + hash_key_t key; + hash_value_t value; + int ret; + + uid = ldb_msg_find_attr_as_uint64(msg, + SYSDB_UIDNUM, 0); + if (!uid) { + DEBUG(SSSDBG_OP_FAILURE, "Entry %s has no UID Attribute!\n", + ldb_dn_get_linearized(msg->dn)); + return ENOENT; + } + + key.type = HASH_KEY_ULONG; + key.ul = (unsigned long) uid; + + ret = hash_lookup(table, &key, &value); + if (ret == HASH_SUCCESS) { + return EOK; + } else if (ret == HASH_ERROR_KEY_NOT_FOUND) { + return ENOENT; + } + + DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed: %d\n", ret); + return EIO; +} + +/* ==Group-Cleanup-Process================================================ */ + +static int cleanup_groups(TALLOC_CTX *memctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmpctx; + const char 
*attrs[] = { SYSDB_NAME, SYSDB_GIDNUM, NULL }; + time_t now = time(NULL); + char *subfilter; + const char *dn; + gid_t gid; + struct ldb_message **msgs; + size_t count; + struct ldb_message **u_msgs; + size_t u_count; + int ret; + int i; + const char *posix; + struct ldb_dn *base_dn; + + tmpctx = talloc_new(memctx); + if (!tmpctx) { + return ENOMEM; + } + + subfilter = talloc_asprintf(tmpctx, "(&(!(%s=0))(%s<=%ld))", + SYSDB_CACHE_EXPIRE, + SYSDB_CACHE_EXPIRE, (long)now); + if (!subfilter) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_groups_by_timestamp(tmpctx, domain, subfilter, attrs, + &count, &msgs); + if (ret == ENOENT) { + count = 0; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_groups failed: %d\n", ret); + goto done; + } + + DEBUG(SSSDBG_FUNC_DATA, "Found %zu expired group entries!\n", count); + + if (count == 0) { + ret = EOK; + goto done; + } + + for (i = 0; i < count; i++) { + char *sanitized_dn; + + dn = ldb_dn_get_linearized(msgs[i]->dn); + if (!dn) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot linearize DN!\n"); + ret = EFAULT; + goto done; + } + + /* sanitize dn */ + ret = sss_filter_sanitize(tmpctx, dn, &sanitized_dn); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "sss_filter_sanitize failed: %s:[%d]\n", + sss_strerror(ret), ret); + goto done; + } + + posix = ldb_msg_find_attr_as_string(msgs[i], SYSDB_POSIX, NULL); + if (!posix || strcmp(posix, "TRUE") == 0) { + /* Search for users that are members of this group, or + * that have this group as their primary GID. + * Include subdomain users as well. 
+ */ + gid = (gid_t) ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0); + subfilter = talloc_asprintf(tmpctx, "(&(%s=%s)(|(%s=%s)(%s=%lu)))", + SYSDB_OBJECTCATEGORY, SYSDB_USER_CLASS, + SYSDB_MEMBEROF, sanitized_dn, + SYSDB_GIDNUM, (long unsigned) gid); + } else { + subfilter = talloc_asprintf(tmpctx, "(%s=%s)", SYSDB_MEMBEROF, + sanitized_dn); + } + talloc_zfree(sanitized_dn); + + if (!subfilter) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n"); + ret = ENOMEM; + goto done; + } + + base_dn = sysdb_base_dn(sysdb, tmpctx); + if (base_dn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build base dn\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Searching with: %s\n", subfilter); + + ret = sysdb_search_entry(tmpctx, sysdb, base_dn, + LDB_SCOPE_SUBTREE, subfilter, NULL, + &u_count, &u_msgs); + if (ret == ENOENT) { + const char *name; + + name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); + if (!name) { + DEBUG(SSSDBG_OP_FAILURE, "Entry %s has no Name Attribute ?!?\n", + ldb_dn_get_linearized(msgs[i]->dn)); + ret = EFAULT; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "About to delete group %s\n", name); + ret = sysdb_delete_group(domain, name, 0); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Group delete returned %d (%s)\n", + ret, strerror(ret)); + goto done; + } + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to search sysdb using %s: [%d] %s\n", + subfilter, ret, sss_strerror(ret)); + goto done; + } + talloc_zfree(u_msgs); + } + +done: + talloc_zfree(tmpctx); + return ret; +} diff --git a/src/providers/ldap/ldap_id_enum.c b/src/providers/ldap/ldap_id_enum.c new file mode 100644 index 0000000..8832eb5 --- /dev/null +++ b/src/providers/ldap/ldap_id_enum.c 
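Review bot: In cleanup_users(), `hash_table_t *uid_table;` has no initializer, yet the loop tests `if (uid_table)` after a get_uid_table() call that is allowed to return ENOSYS. Unless get_uid_table() writes its output on that path (not visible in this hunk), the test reads an indeterminate pointer, and the logged-in check that keeps an active user's cached entry from being deleted becomes unpredictable. Declaring it as `hash_table_t *uid_table = NULL;` makes the ENOSYS path skip the check deterministically, as the comment above the call intends. `u_msgs` in cleanup_groups() looks similar: it reaches `talloc_zfree(u_msgs)` after an ENOENT result and would be safer as `struct ldb_message **u_msgs = NULL;`, in case sysdb_search_entry() leaves it unset. Separately, ldap_setup_cleanup() uses `return ENOMEM;` when talloc_asprintf() fails, which bypasses the `done:` label that frees cleanup_ctx; `ret = ENOMEM; goto done;` would match the other error paths.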
@@ -0,0 +1,197 @@ +/* + SSSD + + LDAP Identity Enumeration + + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async_enum.h" + +#define LDAP_ENUM_PURGE_TIMEOUT 10800 + +errno_t ldap_setup_enumeration(struct be_ctx *be_ctx, + struct sdap_options *opts, + struct sdap_domain *sdom, + be_ptask_send_t send_fn, + be_ptask_recv_t recv_fn, + void *pvt) +{ + errno_t ret; + time_t first_delay; + time_t period; + time_t cleanup; + bool has_enumerated; + struct ldap_enum_ctx *ectx; + + ret = sysdb_has_enumerated(sdom->dom, &has_enumerated); + if (ret == ENOENT) { + /* default value */ + has_enumerated = false; + } else if (ret != EOK) { + return ret; + } + + if (has_enumerated) { + /* At least one enumeration has previously run, + * so clients will get cached data. We will delay + * starting to enumerate by 10s so we don't slow + * down the startup process if this is happening + * during system boot. + */ + first_delay = 10; + } else { + /* This is our first startup. Schedule the + * enumeration to start immediately once we + * enter the mainloop. 
+ */ + first_delay = 0; + } + + cleanup = dp_opt_get_int(opts->basic, SDAP_PURGE_CACHE_TIMEOUT); + if (cleanup == 0) { + /* We need to cleanup the cache once in a while when enumerating, otherwise + * enumeration would only download deltas since the previous lastUSN and would + * not detect removed entries + */ + ret = dp_opt_set_int(opts->basic, SDAP_PURGE_CACHE_TIMEOUT, + LDAP_ENUM_PURGE_TIMEOUT); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot set cleanup timeout, enumeration wouldn't " + "detect removed entries!\n"); + return ret; + } + } + + period = dp_opt_get_int(opts->basic, SDAP_ENUM_REFRESH_TIMEOUT); + + ectx = talloc(sdom, struct ldap_enum_ctx); + if (ectx == NULL) { + return ENOMEM; + } + ectx->sdom = sdom; + ectx->pvt = pvt; + + ret = be_ptask_create(sdom, be_ctx, + period, /* period */ + first_delay, /* first_delay */ + 5, /* enabled delay */ + 0, /* random offset */ + period, /* timeout */ + BE_PTASK_OFFLINE_SKIP, + 0, /* max_backoff */ + send_fn, recv_fn, + ectx, "enumeration", &sdom->enum_task); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Unable to initialize enumeration periodic task\n"); + talloc_free(ectx); + return ret; + } + + talloc_steal(sdom->enum_task, ectx); + return EOK; +} + +struct ldap_enumeration_state { + struct ldap_enum_ctx *ectx; + struct sdap_id_ctx *id_ctx; + struct sss_domain_info *dom; +}; + +static void ldap_enumeration_done(struct tevent_req *subreq); + +struct tevent_req * +ldap_enumeration_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct ldap_enumeration_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + struct ldap_enum_ctx *ectx; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct ldap_enumeration_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + ectx = talloc_get_type(pvt, struct ldap_enum_ctx); + if (ectx == NULL) { 
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot retrieve ldap_enum_ctx!\n"); + ret = EFAULT; + goto fail; + } + state->ectx = ectx; + state->dom = ectx->sdom->dom; + state->id_ctx = talloc_get_type_abort(ectx->pvt, struct sdap_id_ctx); + + subreq = sdap_dom_enum_send(state, ev, state->id_ctx, ectx->sdom, + state->id_ctx->conn); + if (subreq == NULL) { + /* The ptask API will reschedule the enumeration on its own on + * failure */ + DEBUG(SSSDBG_OP_FAILURE, + "Failed to schedule enumeration, retrying later!\n"); + ret = EIO; + goto fail; + } + + tevent_req_set_callback(subreq, ldap_enumeration_done, req); + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void +ldap_enumeration_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + + ret = sdap_dom_enum_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t +ldap_enumeration_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ldap/ldap_id_netgroup.c b/src/providers/ldap/ldap_id_netgroup.c new file mode 100644 index 0000000..1fb01cf --- /dev/null +++ b/src/providers/ldap/ldap_id_netgroup.c 
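Review bot: In ldap_setup_enumeration(), a configured purge timeout of 0 is replaced with LDAP_ENUM_PURGE_TIMEOUT and nothing is logged on the success path, so an administrator who disabled cleanup gets periodic cache purging with no trace of why. A line such as `DEBUG(SSSDBG_CONF_SETTINGS, "Cleanup was disabled but enumeration needs it, using purge timeout %d\n", LDAP_ENUM_PURGE_TIMEOUT);` after the successful dp_opt_set_int() would make the override visible in the logs. The `#define LDAP_ENUM_PURGE_TIMEOUT 10800` line would also benefit from a comment stating its unit; it reads like seconds (three hours), but the hunk does not say.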
@@ -0,0 +1,247 @@ +/* + SSSD + + LDAP Identity Backend Module - Netgroup support + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" + + +struct ldap_netgroup_get_state { + struct tevent_context *ev; + struct sdap_id_ctx *ctx; + struct sdap_domain *sdom; + struct sdap_id_op *op; + struct sdap_id_conn_ctx *conn; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + + const char *name; + int timeout; + + char *filter; + const char **attrs; + + size_t count; + struct sysdb_attrs **netgroups; + + int dp_error; + int sdap_ret; + bool noexist_delete; +}; + +static int ldap_netgroup_get_retry(struct tevent_req *req); +static void ldap_netgroup_get_connect_done(struct tevent_req *subreq); +static void ldap_netgroup_get_done(struct tevent_req *subreq); + +struct tevent_req *ldap_netgroup_get_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_id_ctx *ctx, + struct sdap_domain *sdom, + struct sdap_id_conn_ctx *conn, + const char *name, + bool noexist_delete) +{ + struct tevent_req *req; + struct ldap_netgroup_get_state *state; + char *clean_name; + int ret; + + req = tevent_req_create(memctx, &state, struct ldap_netgroup_get_state); + if (!req) return NULL; + + state->ev = ev; + state->ctx = ctx; + state->sdom 
= sdom; + state->conn = conn; + state->dp_error = DP_ERR_FATAL; + state->noexist_delete = noexist_delete; + + state->op = sdap_id_op_create(state, state->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto fail; + } + + state->domain = sdom->dom; + state->sysdb = sdom->dom->sysdb; + state->name = name; + state->timeout = dp_opt_get_int(ctx->opts->basic, SDAP_SEARCH_TIMEOUT); + + ret = sss_filter_sanitize(state, name, &clean_name); + if (ret != EOK) { + goto fail; + } + + state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", + ctx->opts->netgroup_map[SDAP_AT_NETGROUP_NAME].name, + clean_name, + ctx->opts->netgroup_map[SDAP_OC_NETGROUP].name); + if (!state->filter) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to build filter\n"); + ret = ENOMEM; + goto fail; + } + talloc_zfree(clean_name); + + ret = build_attrs_from_map(state, ctx->opts->netgroup_map, SDAP_OPTS_NETGROUP, + NULL, &state->attrs, NULL); + if (ret != EOK) goto fail; + + ret = ldap_netgroup_get_retry(req); + if (ret != EOK) { + goto fail; + } + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static int ldap_netgroup_get_retry(struct tevent_req *req) +{ + struct ldap_netgroup_get_state *state = tevent_req_data(req, + struct ldap_netgroup_get_state); + struct tevent_req *subreq; + int ret = EOK; + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + return ret; + } + + tevent_req_set_callback(subreq, ldap_netgroup_get_connect_done, req); + return EOK; +} + +static void ldap_netgroup_get_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ldap_netgroup_get_state *state = tevent_req_data(req, + struct ldap_netgroup_get_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + 
state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + subreq = sdap_get_netgroups_send(state, state->ev, + state->domain, state->sysdb, + state->ctx->opts, + state->sdom->netgroup_search_bases, + sdap_id_op_handle(state->op), + state->attrs, state->filter, + state->timeout); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ldap_netgroup_get_done, req); + + return; +} + +static void ldap_netgroup_get_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ldap_netgroup_get_state *state = tevent_req_data(req, + struct ldap_netgroup_get_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = sdap_get_netgroups_recv(subreq, state, NULL, &state->count, + &state->netgroups); + talloc_zfree(subreq); + ret = sdap_id_op_done(state->op, ret, &dp_error); + + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = ldap_netgroup_get_retry(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + return; + } + state->sdap_ret = ret; + + if (ret && ret != ENOENT) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + if (ret == EOK && state->count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Found more than one netgroup with the name [%s].\n", + state->name); + tevent_req_error(req, EINVAL); + return; + } + + if (ret == ENOENT && state->noexist_delete == true) { + ret = sysdb_delete_netgroup(state->domain, state->name); + if (ret != EOK && ret != ENOENT) { + tevent_req_error(req, ret); + return; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); + return; +} + +int ldap_netgroup_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret) +{ + struct ldap_netgroup_get_state *state = tevent_req_data(req, + struct ldap_netgroup_get_state); + + if (dp_error_out) { + *dp_error_out = state->dp_error; + } + + if (sdap_ret) { + *sdap_ret = state->sdap_ret; + } + + 
TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ldap/ldap_id_services.c b/src/providers/ldap/ldap_id_services.c new file mode 100644 index 0000000..638cb61 --- /dev/null +++ b/src/providers/ldap/ldap_id_services.c 
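Review bot: ldap_netgroup_get_send() keeps the caller's pointer with `state->name = name;`, and the request reads it later from a callback: ldap_netgroup_get_done() uses it in the duplicate-name DEBUG and in `sysdb_delete_netgroup(state->domain, state->name)`. If the caller frees or reuses that string before the request completes, the cache deletion acts on stale memory. Copying it onto the request with `state->name = talloc_strdup(state, name);` followed by `if (state->name == NULL) { ret = ENOMEM; goto fail; }` ties its lifetime to the state. If callers are known to keep the string alive, a comment on the parameter saying so would be enough. services_get_send() in ldap_id_services.c has the same pattern for `state->name` and `state->protocol`.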
@@ -0,0 +1,307 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include + +#include "util/util.h" +#include "util/strtonum.h" +#include "db/sysdb.h" +#include "db/sysdb_services.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" + +struct sdap_services_get_state { + struct tevent_context *ev; + struct sdap_id_ctx *id_ctx; + struct sdap_domain *sdom; + struct sdap_id_op *op; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + struct sdap_id_conn_ctx *conn; + + const char *name; + const char *protocol; + + char *filter; + const char **attrs; + + int filter_type; + + int dp_error; + int sdap_ret; + bool noexist_delete; +}; + +static errno_t +services_get_retry(struct tevent_req *req); +static void +services_get_connect_done(struct tevent_req *subreq); +static void +services_get_done(struct tevent_req *subreq); + +struct tevent_req * +services_get_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *id_ctx, + struct sdap_domain *sdom, + struct sdap_id_conn_ctx *conn, + const char *name, + const char *protocol, + int filter_type, + bool noexist_delete) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_services_get_state *state; + const char *attr_name; + char *clean_name; + char *clean_protocol = NULL; + + req = tevent_req_create(mem_ctx, &state, struct 
sdap_services_get_state); + if (!req) return NULL; + + state->ev = ev; + state->id_ctx = id_ctx; + state->sdom = sdom; + state->conn = conn; + state->dp_error = DP_ERR_FATAL; + state->domain = sdom->dom; + state->sysdb = sdom->dom->sysdb; + state->name = name; + state->protocol = protocol; + state->filter_type = filter_type; + state->noexist_delete = noexist_delete; + + state->op = sdap_id_op_create(state, state->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_MINOR_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto error; + } + + switch(filter_type) { + case BE_FILTER_NAME: + attr_name = id_ctx->opts->service_map[SDAP_AT_SERVICE_NAME].name; + break; + case BE_FILTER_IDNUM: + attr_name = id_ctx->opts->service_map[SDAP_AT_SERVICE_PORT].name; + break; + default: + ret = EINVAL; + goto error; + } + + ret = sss_filter_sanitize(state, name, &clean_name); + if (ret != EOK) goto error; + + if (protocol != NULL) { + ret = sss_filter_sanitize(state, protocol, &clean_protocol); + if (ret != EOK) goto error; + } + + if (clean_protocol) { + state->filter = talloc_asprintf( + state, "(&(%s=%s)(%s=%s)(objectclass=%s))", + attr_name, clean_name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_PROTOCOL].name, + clean_protocol, + id_ctx->opts->service_map[SDAP_OC_SERVICE].name); + } else { + state->filter = + talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))", + attr_name, clean_name, + id_ctx->opts->service_map[SDAP_OC_SERVICE].name); + } + talloc_zfree(clean_name); + talloc_zfree(clean_protocol); + if (!state->filter) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to build the base filter\n"); + ret = ENOMEM; + goto error; + } + DEBUG(SSSDBG_TRACE_LIBS, + "Preparing to search for services with filter [%s]\n", + state->filter); + + ret = build_attrs_from_map(state, id_ctx->opts->service_map, + SDAP_OPTS_SERVICES, NULL, + &state->attrs, NULL); + if (ret != EOK) goto error; + + ret = services_get_retry(req); + if (ret != EOK) goto error; + + return req; + +error: + 
tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static errno_t +services_get_retry(struct tevent_req *req) +{ + errno_t ret; + struct sdap_services_get_state *state = + tevent_req_data(req, struct sdap_services_get_state); + struct tevent_req *subreq; + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + return ret; + } + + tevent_req_set_callback(subreq, services_get_connect_done, req); + return EOK; +} + +static void +services_get_connect_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_services_get_state *state = + tevent_req_data(req, struct sdap_services_get_state); + int dp_error = DP_ERR_FATAL; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + subreq = sdap_get_services_send(state, state->ev, + state->domain, state->sysdb, + state->id_ctx->opts, + state->sdom->service_search_bases, + sdap_id_op_handle(state->op), + state->attrs, state->filter, + dp_opt_get_int(state->id_ctx->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, services_get_done, req); +} + +static void +services_get_done(struct tevent_req *subreq) +{ + errno_t ret; + uint16_t port; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_services_get_state *state = + tevent_req_data(req, struct sdap_services_get_state); + int dp_error = DP_ERR_FATAL; + + ret = sdap_get_services_recv(NULL, subreq, NULL); + talloc_zfree(subreq); + + /* Check whether we need to try again with another + * failover server. 
+ */ + ret = sdap_id_op_done(state->op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = services_get_retry(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* Return to the mainloop to retry */ + return; + } + state->sdap_ret = ret; + + /* An error occurred. */ + if (ret && ret != ENOENT) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + if (ret == ENOENT && state->noexist_delete == true) { + /* Ensure that this entry is removed from the sysdb */ + switch(state->filter_type) { + case BE_FILTER_NAME: + ret = sysdb_svc_delete(state->domain, state->name, + 0, state->protocol); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + break; + + case BE_FILTER_IDNUM: + port = strtouint16(state->name, NULL, 10); + if (errno) { + tevent_req_error(req, errno); + return; + } + + ret = sysdb_svc_delete(state->domain, NULL, port, + state->protocol); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + break; + + default: + tevent_req_error(req, EINVAL); + return; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); +} + +errno_t +services_get_recv(struct tevent_req *req, int *dp_error_out, int *sdap_ret) +{ + struct sdap_services_get_state *state = + tevent_req_data(req, struct sdap_services_get_state); + + if (dp_error_out) { + *dp_error_out = state->dp_error; + } + + if (sdap_ret) { + *sdap_ret = state->sdap_ret; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ldap/ldap_init.c b/src/providers/ldap/ldap_init.c new file mode 100644 index 0000000..44b3e9a --- /dev/null +++ b/src/providers/ldap/ldap_init.c 
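Review bot: In the BE_FILTER_IDNUM branch of services_get_done(), `strtouint16(state->name, NULL, 10)` is called with a NULL end pointer, so an empty or partly numeric name cannot be told apart from a valid port. The `sysdb_svc_delete()` that follows would then remove the cache entry for port 0 or for the numeric prefix. errno is also tested without being cleared in this function; whether strtouint16() resets it is not visible here. I would pass an end pointer (with `char *endptr;` added to the locals), reject unconsumed input, and report EINVAL when errno is unset, because an error value of 0 does not fail a tevent request.

```c
    case BE_FILTER_IDNUM:
        errno = 0;
        port = strtouint16(state->name, &endptr, 10);
        if (errno != 0 || endptr == state->name || *endptr != '\0') {
            tevent_req_error(req, errno != 0 ? errno : EINVAL);
            return;
        }
        /* … unchanged: sysdb_svc_delete() by port and its error check … */
```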
@@ -0,0 +1,685 @@ +/* + SSSD + + LDAP Provider Initialization functions + + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/child_common.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/sdap_access.h" +#include "providers/ldap/sdap_hostid.h" +#include "providers/ldap/sdap_sudo.h" +#include "providers/ldap/sdap_autofs.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/fail_over_srv.h" +#include "providers/be_refresh.h" + +struct ldap_init_ctx { + struct sdap_options *options; + struct sdap_id_ctx *id_ctx; + struct sdap_auth_ctx *auth_ctx; +}; + +/* Please use this only for short lists */ +errno_t check_order_list_for_duplicates(char **list, + bool case_sensitive) +{ + size_t c; + size_t d; + int cmp; + + for (c = 0; list[c] != NULL; c++) { + for (d = c + 1; list[d] != NULL; d++) { + if (case_sensitive) { + cmp = strcmp(list[c], list[d]); + } else { + cmp = strcasecmp(list[c], list[d]); + } + if (cmp == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Duplicate string [%s] found.\n", list[c]); + return EINVAL; + } + } + } + + return EOK; +} + +static errno_t ldap_init_auth_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_id_ctx *id_ctx, + struct sdap_options *options, + struct sdap_auth_ctx **_auth_ctx) +{ + struct sdap_auth_ctx *auth_ctx; + + auth_ctx = 
talloc(mem_ctx, struct sdap_auth_ctx); + if (auth_ctx == NULL) { + return ENOMEM; + } + + auth_ctx->be = be_ctx; + auth_ctx->opts = options; + auth_ctx->service = id_ctx->conn->service; + auth_ctx->chpass_service = NULL; + + *_auth_ctx = auth_ctx; + + return EOK; +} + +static errno_t init_chpass_service(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_options *opts, + struct sdap_service **_chpass_service) +{ + errno_t ret; + const char *urls; + const char *backup_urls; + const char *dns_service_name; + struct sdap_service *chpass_service; + + dns_service_name = dp_opt_get_string(opts->basic, + SDAP_CHPASS_DNS_SERVICE_NAME); + if (dns_service_name != NULL) { + DEBUG(SSSDBG_TRACE_LIBS, + "Service name for chpass discovery set to %s\n", + dns_service_name); + } + + urls = dp_opt_get_string(opts->basic, SDAP_CHPASS_URI); + backup_urls = dp_opt_get_string(opts->basic, SDAP_CHPASS_BACKUP_URI); + + if (urls != NULL || backup_urls != NULL || dns_service_name != NULL) { + ret = sdap_service_init(mem_ctx, + be_ctx, + "LDAP_CHPASS", + dns_service_name, + urls, + backup_urls, + &chpass_service); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to initialize failover service!\n"); + return ret; + } + } else { + DEBUG(SSSDBG_TRACE_ALL, + "ldap_chpass_uri and ldap_chpass_dns_service_name not set, " + "using ldap_uri.\n"); + chpass_service = NULL; + } + + *_chpass_service = chpass_service; + return EOK; +} + +static errno_t get_access_order_list(TALLOC_CTX *mem_ctx, + const char *order, + char ***_order_list) +{ + errno_t ret; + char **order_list; + int order_list_len; + + ret = split_on_separator(mem_ctx, order, ',', true, true, + &order_list, &order_list_len); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "split_on_separator failed.\n"); + goto done; + } + + ret = check_order_list_for_duplicates(order_list, false); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "check_order_list_for_duplicates failed.\n"); + goto done; + } + + if (order_list_len > 
LDAP_ACCESS_LAST) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Currently only [%d] different access rules are supported.\n", + LDAP_ACCESS_LAST); + ret = EINVAL; + goto done; + } + + *_order_list = order_list; + +done: + if (ret != EOK) { + talloc_free(order_list); + } + + return ret; +} + +static errno_t check_expire_policy(struct sdap_options *opts) +{ + const char *expire_policy; + bool matched_policy = false; + const char *policies[] = {LDAP_ACCOUNT_EXPIRE_SHADOW, + LDAP_ACCOUNT_EXPIRE_AD, + LDAP_ACCOUNT_EXPIRE_NDS, + LDAP_ACCOUNT_EXPIRE_RHDS, + LDAP_ACCOUNT_EXPIRE_IPA, + LDAP_ACCOUNT_EXPIRE_389DS, + NULL}; + + expire_policy = dp_opt_get_cstring(opts->basic, + SDAP_ACCOUNT_EXPIRE_POLICY); + if (expire_policy == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Warning: LDAP access rule 'expire' is set, " + "but no ldap_account_expire_policy configured. " + "All domain users will be denied access.\n"); + return EOK; + } + + for (unsigned i = 0; policies[i] != NULL; i++) { + if (strcasecmp(expire_policy, policies[i]) == 0) { + matched_policy = true; + break; + } + } + + if (matched_policy == false) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unsupported LDAP account expire policy [%s].\n", + expire_policy); + return EINVAL; + } + + return EOK; +} + +static errno_t get_access_filter(TALLOC_CTX *mem_ctx, + struct sdap_options *opts, + const char **_filter) +{ + const char *filter; + + filter = dp_opt_get_cstring(opts->basic, SDAP_ACCESS_FILTER); + if (filter == NULL) { + /* It's okay if this is NULL. In that case we will simply act + * like the 'deny' provider. + */ + DEBUG(SSSDBG_FATAL_FAILURE, + "Warning: LDAP access rule 'filter' is set, " + "but no ldap_access_filter configured. 
" + "All domain users will be denied access.\n"); + return EOK; + } + + filter = sdap_get_access_filter(mem_ctx, filter); + if (filter == NULL) { + return ENOMEM; + } + + *_filter = filter; + + return EOK; +} + +static errno_t set_access_rules(TALLOC_CTX *mem_ctx, + struct sdap_access_ctx *access_ctx, + struct sdap_options *opts) +{ + errno_t ret; + char **order_list = NULL; + const char *order; + size_t c; + + /* To make sure that in case of failure it's safe to be freed */ + access_ctx->filter = NULL; + + order = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic, + SDAP_ACCESS_ORDER); + if (order == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_access_order not given, using 'filter'.\n"); + order = "filter"; + } + + ret = get_access_order_list(mem_ctx, order, &order_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "get_access_order_list failed: [%d][%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + for (c = 0; order_list[c] != NULL; c++) { + + if (strcasecmp(order_list[c], LDAP_ACCESS_FILTER_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_FILTER; + if (get_access_filter(mem_ctx, opts, &access_ctx->filter) != EOK) { + goto done; + } + + } else if (strcasecmp(order_list[c], LDAP_ACCESS_EXPIRE_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE; + if (check_expire_policy(opts) != EOK) { + goto done; + } + + } else if (strcasecmp(order_list[c], LDAP_ACCESS_SERVICE_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_SERVICE; + } else if (strcasecmp(order_list[c], LDAP_ACCESS_HOST_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_HOST; + } else if (strcasecmp(order_list[c], LDAP_ACCESS_RHOST_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_RHOST; + } else if (strcasecmp(order_list[c], LDAP_ACCESS_LOCK_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_LOCKOUT; + } else if (strcasecmp(order_list[c], + LDAP_ACCESS_EXPIRE_POLICY_REJECT_NAME) == 0) { + access_ctx->access_rule[c] = 
LDAP_ACCESS_EXPIRE_POLICY_REJECT; + } else if (strcasecmp(order_list[c], + LDAP_ACCESS_EXPIRE_POLICY_WARN_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE_POLICY_WARN; + } else if (strcasecmp(order_list[c], + LDAP_ACCESS_EXPIRE_POLICY_RENEW_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_EXPIRE_POLICY_RENEW; + } else if (strcasecmp(order_list[c], LDAP_ACCESS_PPOLICY_NAME) == 0) { + access_ctx->access_rule[c] = LDAP_ACCESS_PPOLICY; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected access rule name [%s].\n", order_list[c]); + ret = EINVAL; + goto done; + } + } + access_ctx->access_rule[c] = LDAP_ACCESS_EMPTY; + if (c == 0) { + DEBUG(SSSDBG_FATAL_FAILURE, "Warning: access_provider=ldap set, " + "but ldap_access_order is empty. " + "All domain users will be denied access.\n"); + } + +done: + talloc_free(order_list); + if (ret != EOK) { + talloc_zfree(access_ctx->filter); + } + return ret; +} + +static errno_t get_sdap_service(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_options *opts, + struct sdap_service **_sdap_service) +{ + errno_t ret; + const char *urls; + const char *backup_urls; + const char *dns_service_name; + struct sdap_service *sdap_service; + + urls = dp_opt_get_string(opts->basic, SDAP_URI); + backup_urls = dp_opt_get_string(opts->basic, SDAP_BACKUP_URI); + dns_service_name = dp_opt_get_string(opts->basic, SDAP_DNS_SERVICE_NAME); + if (dns_service_name != NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Service name for discovery set to %s\n", dns_service_name); + } + + ret = sdap_service_init(mem_ctx, be_ctx, "LDAP", + dns_service_name, + urls, + backup_urls, + &sdap_service); + if (ret != EOK) { + return ret; + } + + *_sdap_service = sdap_service; + return EOK; +} + +static bool should_call_gssapi_init(struct sdap_options *opts) +{ + const char *sasl_mech; + + sasl_mech = dp_opt_get_string(opts->basic, SDAP_SASL_MECH); + if (sasl_mech == NULL) { + return false; + } + + if (strcasecmp(sasl_mech, "GSSAPI") != 0) { + 
return false; + } + + if (dp_opt_get_bool(opts->basic, SDAP_KRB5_KINIT) == false) { + return false; + } + + return true; +} + +static errno_t ldap_init_misc(struct be_ctx *be_ctx, + struct sdap_options *options, + struct sdap_id_ctx *id_ctx) +{ + errno_t ret; + + if (should_call_gssapi_init(options)) { + ret = sdap_gssapi_init(id_ctx, options->basic, be_ctx, + id_ctx->conn->service, &id_ctx->krb5_service); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_gssapi_init failed [%d][%s].\n", + ret, sss_strerror(ret)); + return ret; + } + } + + ret = setup_tls_config(options->basic); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get TLS options [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + /* Setup the ID mapping object */ + ret = sdap_idmap_init(id_ctx, id_ctx, &options->idmap_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not initialize ID mapping. In case ID mapping properties " + "changed on the server, please remove the SSSD database\n"); + return ret; + } + + ret = ldap_id_setup_tasks(id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup background tasks " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + ret = sdap_setup_child(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup sdap child [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + /* Setup SRV lookup plugin */ + ret = be_fo_set_dns_srv_lookup_plugin(be_ctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set SRV lookup plugin " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + /* Setup periodical refresh of expired records */ + ret = sdap_refresh_init(be_ctx->refresh_ctx, id_ctx); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh will not work " + "[%d]: %s\n", ret, sss_strerror(ret)); + } + + return EOK; +} + +errno_t sssm_ldap_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct data_provider *provider, + const 
char *module_name, + void **_module_data) +{ + struct sdap_service *sdap_service; + struct ldap_init_ctx *init_ctx; + errno_t ret; + + init_ctx = talloc_zero(mem_ctx, struct ldap_init_ctx); + if (init_ctx == NULL) { + return ENOMEM; + } + + /* Always initialize options since it is needed everywhere. */ + ret = ldap_get_options(init_ctx, be_ctx->domain, be_ctx->cdb, + be_ctx->conf_path, be_ctx->provider, + &init_ctx->options); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP options " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Always initialize id_ctx since it is needed everywhere. */ + ret = get_sdap_service(init_ctx, be_ctx, init_ctx->options, &sdap_service); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to initialize failover service " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + init_ctx->id_ctx = sdap_id_ctx_new(init_ctx, be_ctx, sdap_service); + if (init_ctx->id_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize LDAP ID context\n"); + ret = ENOMEM; + goto done; + } + + init_ctx->id_ctx->opts = init_ctx->options; + + /* Setup miscellaneous things. */ + ret = ldap_init_misc(be_ctx, init_ctx->options, init_ctx->id_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to init LDAP module " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Initialize auth_ctx only if one of the target is enabled. 
*/ + if (dp_target_enabled(provider, module_name, DPT_AUTH, DPT_CHPASS)) { + ret = ldap_init_auth_ctx(init_ctx, be_ctx, init_ctx->id_ctx, + init_ctx->options, &init_ctx->auth_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + } + + *_module_data = init_ctx; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(init_ctx); + } + + return ret; +} + +errno_t sssm_ldap_id_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ldap_init_ctx *init_ctx; + struct sdap_id_ctx *id_ctx; + + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + id_ctx = init_ctx->id_ctx; + + dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER, + sdap_account_info_handler_send, sdap_account_info_handler_recv, id_ctx, + struct sdap_id_ctx, struct dp_id_data, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_CHECK_ONLINE, + sdap_online_check_handler_send, sdap_online_check_handler_recv, id_ctx, + struct sdap_id_ctx, void, struct dp_reply_std); + + dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER, + default_account_domain_send, default_account_domain_recv, NULL, + void, struct dp_get_acct_domain_data, struct dp_reply_std); + + return EOK; +} + +errno_t sssm_ldap_auth_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ldap_init_ctx *init_ctx; + struct sdap_auth_ctx *auth_ctx; + + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + auth_ctx = init_ctx->auth_ctx; + + dp_set_method(dp_methods, DPM_AUTH_HANDLER, + sdap_pam_auth_handler_send, sdap_pam_auth_handler_recv, auth_ctx, + struct sdap_auth_ctx, struct pam_data, struct pam_data *); + + return EOK; +} + +errno_t sssm_ldap_chpass_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ldap_init_ctx *init_ctx; + struct sdap_auth_ctx 
*auth_ctx; + errno_t ret; + + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + auth_ctx = init_ctx->auth_ctx; + + ret = init_chpass_service(auth_ctx, be_ctx, init_ctx->options, + &auth_ctx->chpass_service); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize chpass service " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + dp_set_method(dp_methods, DPM_AUTH_HANDLER, + sdap_pam_chpass_handler_send, sdap_pam_chpass_handler_recv, auth_ctx, + struct sdap_auth_ctx, struct pam_data, struct pam_data *); + + return EOK; +} + +errno_t sssm_ldap_access_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct ldap_init_ctx *init_ctx; + struct sdap_access_ctx *access_ctx; + errno_t ret; + + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + + access_ctx = talloc_zero(mem_ctx, struct sdap_access_ctx); + if(access_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + access_ctx->id_ctx = init_ctx->id_ctx; + + ret = set_access_rules(access_ctx, access_ctx, access_ctx->id_ctx->opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_access_rules failed: [%d][%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + dp_set_method(dp_methods, DPM_ACCESS_HANDLER, + sdap_pam_access_handler_send, sdap_pam_access_handler_recv, access_ctx, + struct sdap_access_ctx, struct pam_data, struct pam_data *); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(access_ctx); + } + + return ret; +} + +errno_t sssm_ldap_hostid_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_SSH + struct ldap_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP host handler\n"); + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + + return sdap_hostid_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); + +#else + DEBUG(SSSDBG_MINOR_FAILURE, "HostID init handler called but SSSD is " + 
"built without SSH support, ignoring\n"); + return EOK; +#endif +} + +errno_t sssm_ldap_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_AUTOFS + struct ldap_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP autofs handler\n"); + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + + return sdap_autofs_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Autofs init handler called but SSSD is " + "built without autofs support, ignoring\n"); + return EOK; +#endif +} + +errno_t sssm_ldap_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ +#ifdef BUILD_SUDO + struct ldap_init_ctx *init_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing LDAP sudo handler\n"); + init_ctx = talloc_get_type(module_data, struct ldap_init_ctx); + + return sdap_sudo_init(mem_ctx, be_ctx, init_ctx->id_ctx, dp_methods); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "Sudo init handler called but SSSD is " + "built without sudo support, ignoring\n"); + return EOK; +#endif +} diff --git a/src/providers/ldap/ldap_options.c b/src/providers/ldap/ldap_options.c new file mode 100644 index 0000000..0b79715 --- /dev/null +++ b/src/providers/ldap/ldap_options.c 
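Review bot: In `set_access_rules`, the two `goto done` exits taken when `get_access_filter()` or `check_expire_policy()` fails never assign `ret`, which still holds EOK from `get_access_order_list()`, so the function reports success and `sssm_ldap_access_init` goes on to register the access handler. An unsupported `ldap_account_expire_policy` value (the EINVAL path in `check_expire_policy`) is thereby accepted, the rule array is left partly filled, and the `LDAP_ACCESS_EMPTY` terminator written after the loop is skipped; how the remaining zero-initialised slots are then evaluated depends on the enum in sdap_access.h, which is not shown here. Capture the result before branching, `ret = check_expire_policy(opts); if (ret != EOK) { goto done; }`, and do the same for `get_access_filter`. In the same file, `get_access_order_list` frees an uninitialised `order_list` at `done:` if `split_on_separator` fails without writing its out-parameter; declaring it as `char **order_list = NULL;` makes that path safe.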
@@ -0,0 +1,845 @@
+/*
+ Authors:
+ Simo Sorce
+
+ Copyright (C) 2008-2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/ldap_opts.h"
+#include "providers/ldap/sdap_async_private.h"
+#include "util/crypto/sss_crypto.h"
+
+int ldap_get_options(TALLOC_CTX *memctx,
+ struct sss_domain_info *dom,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct data_provider *dp,
+ struct sdap_options **_opts)
+{
+ struct sdap_attr_map *default_attr_map;
+ struct sdap_attr_map *default_user_map;
+ struct sdap_attr_map *default_group_map;
+ struct sdap_attr_map *default_netgroup_map;
+ struct sdap_attr_map *default_host_map;
+ struct sdap_attr_map *default_service_map;
+ struct sdap_options *opts;
+ char *schema;
+ const char *search_base;
+ const char *pwd_policy;
+ int ret;
+ int account_cache_expiration;
+ int offline_credentials_expiration;
+ const char *ldap_deref;
+ int ldap_deref_val;
+ int o;
+ const char *authtok_type;
+ struct dp_opt_blob authtok_blob;
+ char *cleartext;
+ const int search_base_options[] = { SDAP_USER_SEARCH_BASE,
+ SDAP_GROUP_SEARCH_BASE,
+ SDAP_NETGROUP_SEARCH_BASE,
+ SDAP_HOST_SEARCH_BASE,
+ SDAP_SERVICE_SEARCH_BASE,
+ -1 };
+
+ opts = talloc_zero(memctx, struct sdap_options);
+ if (!opts) return ENOMEM;
+ opts->dp = dp;
+
+ ret = sdap_domain_add(opts, dom, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = dp_get_options(opts, cdb, conf_path,
+ default_basic_opts,
+ SDAP_OPTS_BASIC,
+ &opts->basic);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Handle search bases */
+ search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
+ if (search_base != NULL) {
+ /* set user/group/netgroup search bases if they are not */
+ for (o = 0; search_base_options[o] != -1; o++) {
+ if (NULL == dp_opt_get_string(opts->basic, search_base_options[o])) {
+ ret = dp_opt_set_string(opts->basic, search_base_options[o],
+ search_base);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Option %s set to %s\n",
+ opts->basic[search_base_options[o]].opt_name,
+ dp_opt_get_string(opts->basic,
+ search_base_options[o]));
+ }
+ }
+ } else {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Search base not set, trying to discover it later when "
+ "connecting to the LDAP server.\n");
+ }
+
+ /* Default search */
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_SEARCH_BASE,
+ &opts->sdom->search_bases);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ /* User search */
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_USER_SEARCH_BASE,
+ &opts->sdom->user_search_bases);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ /* Group search base */
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_GROUP_SEARCH_BASE,
+ &opts->sdom->group_search_bases);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ /* Netgroup search */
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_NETGROUP_SEARCH_BASE,
+ &opts->sdom->netgroup_search_bases);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ /* Netgroup search */
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_HOST_SEARCH_BASE,
+ &opts->sdom->host_search_bases);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ /* Service search */
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_SERVICE_SEARCH_BASE,
+ &opts->sdom->service_search_bases);
+ if (ret != EOK && ret != ENOENT) goto done;
+
+ pwd_policy = dp_opt_get_string(opts->basic, SDAP_PWD_POLICY);
+ if (pwd_policy == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing password policy, this may not happen.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ if (strcasecmp(pwd_policy, PWD_POL_OPT_NONE) != 0 &&
+ strcasecmp(pwd_policy, PWD_POL_OPT_SHADOW) != 0 &&
+ strcasecmp(pwd_policy, PWD_POL_OPT_MIT) != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported password policy [%s].\n", pwd_policy);
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* account_cache_expiration must be >= than offline_credentials_expiration */
+ ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_CRED_TIMEOUT, 0,
+ &offline_credentials_expiration);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get value of %s from confdb \n",
+ CONFDB_PAM_CRED_TIMEOUT);
+ goto done;
+ }
+
+ account_cache_expiration = dp_opt_get_int(opts->basic,
+ SDAP_ACCOUNT_CACHE_EXPIRATION);
+
+ /* account cache_expiration must not be smaller than
+ * offline_credentials_expiration to prevent deleting entries that
+ * still contain credentials valid for offline login.
+ *
+ * offline_credentials_expiration == 0 is a special case that says
+ * that the cached credentials are valid forever. Therefore, the cached
+ * entries must not be purged from cache.
+ */
+ if (!offline_credentials_expiration && account_cache_expiration) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Conflicting values for options %s (unlimited) "
+ "and %s (%d)\n",
+ opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
+ CONFDB_PAM_CRED_TIMEOUT,
+ offline_credentials_expiration);
+ ret = EINVAL;
+ goto done;
+ }
+ if (offline_credentials_expiration && account_cache_expiration &&
+ offline_credentials_expiration > account_cache_expiration) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Value of %s (now %d) must be larger "
+ "than value of %s (now %d)\n",
+ opts->basic[SDAP_ACCOUNT_CACHE_EXPIRATION].opt_name,
+ account_cache_expiration,
+ CONFDB_PAM_CRED_TIMEOUT,
+ offline_credentials_expiration);
+ ret = EINVAL;
+ goto done;
+ }
+
+ ldap_deref = dp_opt_get_string(opts->basic, SDAP_DEREF);
+ if (ldap_deref != NULL) {
+ ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to verify ldap_deref option.\n");
+ goto done;
+ }
+ }
+
+#ifndef HAVE_LDAP_CONNCB
+ bool ldap_referrals;
+
+ ldap_referrals = dp_opt_get_bool(opts->basic, SDAP_REFERRALS);
+ if (ldap_referrals) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "LDAP referrals are not supported, because the LDAP library "
+ "is too old, see sssd-ldap(5) for details.\n");
+ ret = dp_opt_set_bool(opts->basic, SDAP_REFERRALS, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
+ goto done;
+ }
+ }
+#endif
+
+ /* schema type */
+ schema = dp_opt_get_string(opts->basic, SDAP_SCHEMA);
+ if (strcasecmp(schema, "rfc2307") == 0) {
+ opts->schema_type = SDAP_SCHEMA_RFC2307;
+ default_attr_map = generic_attr_map;
+ default_user_map = rfc2307_user_map;
+ default_group_map = rfc2307_group_map;
+ default_netgroup_map = netgroup_map;
+ default_host_map = host_map;
+ default_service_map = service_map;
+ } else
+ if (strcasecmp(schema, "rfc2307bis") == 0) {
+ opts->schema_type = SDAP_SCHEMA_RFC2307BIS;
+ default_attr_map = generic_attr_map;
+ default_user_map = rfc2307bis_user_map;
+ default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
+ default_host_map = host_map;
+ default_service_map = service_map;
+ } else
+ if (strcasecmp(schema, "IPA") == 0) {
+ opts->schema_type = SDAP_SCHEMA_IPA_V1;
+ default_attr_map = gen_ipa_attr_map;
+ default_user_map = rfc2307bis_user_map;
+ default_group_map = rfc2307bis_group_map;
+ default_netgroup_map = netgroup_map;
+ default_host_map = host_map;
+ default_service_map = service_map;
+ } else
+ if (strcasecmp(schema, "AD") == 0) {
+ opts->schema_type = SDAP_SCHEMA_AD;
+ default_attr_map = gen_ad_attr_map;
+ default_user_map = gen_ad2008r2_user_map;
+ default_group_map = gen_ad2008r2_group_map;
+ default_netgroup_map = netgroup_map;
+ default_host_map = host_map;
+ default_service_map = service_map;
+ } else {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unrecognized schema type: %s\n", schema);
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_attr_map,
+ SDAP_AT_GENERAL,
+ &opts->gen_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_user_map,
+ SDAP_OPTS_USER,
+ &opts->user_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_extend_map_with_list(opts, opts, SDAP_USER_EXTRA_ATTRS,
+ opts->user_map, SDAP_OPTS_USER,
+ &opts->user_map, &opts->user_map_cnt);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_group_map,
+ SDAP_OPTS_GROUP,
+ &opts->group_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_netgroup_map,
+ SDAP_OPTS_NETGROUP,
+ &opts->netgroup_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_host_map,
+ SDAP_OPTS_HOST,
+ &opts->host_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_service_map,
+ SDAP_OPTS_SERVICES,
+ &opts->service_map);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* If there is no KDC, try the deprecated krb5_kdcip option, too */
+ /* FIXME - this can be removed in a future version */
+ ret = krb5_try_kdcip(cdb, conf_path, opts->basic, SDAP_KRB5_KDC);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_try_kdcip failed.\n");
+ goto done;
+ }
+
+ authtok_type = dp_opt_get_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE);
+ if (authtok_type != NULL &&
+ strcasecmp(authtok_type,"obfuscated_password") == 0) {
+ DEBUG(SSSDBG_TRACE_ALL, "Found obfuscated password, "
+ "trying to convert to cleartext.\n");
+
+ authtok_blob = dp_opt_get_blob(opts->basic, SDAP_DEFAULT_AUTHTOK);
+ if (authtok_blob.data == NULL || authtok_blob.length == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing obfuscated password string.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_password_decrypt(memctx, (char *) authtok_blob.data,
+ &cleartext);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot convert the obfuscated "
+ "password back to cleartext\n");
+ goto done;
+ }
+
+ authtok_blob.data = (uint8_t *) cleartext;
+ authtok_blob.length = strlen(cleartext);
+ ret = dp_opt_set_blob(opts->basic, SDAP_DEFAULT_AUTHTOK, authtok_blob);
+ talloc_free(cleartext);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
+ goto done;
+ }
+
+ ret = dp_opt_set_string(opts->basic, SDAP_DEFAULT_AUTHTOK_TYPE,
+ "password");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n");
+ goto done;
+ }
+ }
+
+ ret = EOK;
+ *_opts = opts;
+
+done:
+ if (ret != EOK) {
+ talloc_zfree(opts);
+ }
+ return ret;
+}
+
+int ldap_get_sudo_options(struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options *opts,
+ bool *use_host_filter,
+ bool *include_regexp,
+ bool *include_netgroups)
+{
+ const char *search_base;
+ int ret;
+
+ /* search base */
+ search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
+ if (search_base != NULL) {
+ /* set sudo search bases if they are not */
+ if (dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE) == NULL) {
+ ret = dp_opt_set_string(opts->basic, SDAP_SUDO_SEARCH_BASE,
+ search_base);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set SUDO search base"
+ "to default value\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "Option %s set to %s\n",
+ opts->basic[SDAP_SUDO_SEARCH_BASE].opt_name,
+ dp_opt_get_string(opts->basic, SDAP_SUDO_SEARCH_BASE));
+ }
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Search base not set, trying to discover it later "
+ "connecting to the LDAP server.\n");
+ }
+
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_SUDO_SEARCH_BASE,
+ &opts->sdom->sudo_search_bases);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not parse SUDO search base\n");
+ return ret;
+ }
+
+ /* attrs map */
+ ret = sdap_get_map(opts, cdb, conf_path,
+ native_sudorule_map,
+ SDAP_OPTS_SUDO,
+ &opts->sudorule_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not get SUDO attribute map\n");
+ return ret;
+ }
+
+ /* host filter */
+ *use_host_filter = dp_opt_get_bool(opts->basic, SDAP_SUDO_USE_HOST_FILTER);
+ *include_netgroups = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_NETGROUPS);
+ *include_regexp = dp_opt_get_bool(opts->basic, SDAP_SUDO_INCLUDE_REGEXP);
+
+ return EOK;
+}
+
+static bool has_defaults(struct confdb_ctx *cdb,
+ const char *conf_path,
+ const char *attrs[])
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ char *val;
+ bool found_default = false;
+ tmp_ctx = talloc_new(NULL);
+
+ if (tmp_ctx == NULL) {
+ return false;
+ }
+
+ for (size_t i = 0; attrs[i] != NULL; i++) {
+ ret = confdb_get_string(cdb, tmp_ctx, conf_path,
+ attrs[i], NULL, &val);
+ if (ret != EOK) {
+ continue;
+ }
+
+ if (val == NULL) {
+ found_default = true;
+ break;
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return found_default;
+}
+
+/* Return true if rfc2307 schema is used and all autofs options use
+ * defaults. Should be removed in future, see
+ * https://fedorahosted.org/sssd/ticket/2858
+ */
+static bool ldap_rfc2307_autofs_defaults(struct confdb_ctx *cdb,
+ const char *conf_path)
+{
+ char **services = NULL;
+ errno_t ret;
+ bool has_autofs_defaults = false;
+
+ const char *attrs[] = {
+ rfc2307_autofs_entry_map[SDAP_OC_AUTOFS_ENTRY].opt_name,
+ /* SDAP_AT_AUTOFS_ENTRY_KEY missing on purpose, its value was
+ * the same between the wrong and correct schema
+ */
+ rfc2307_autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_VALUE].opt_name,
+ rfc2307_autofs_mobject_map[SDAP_OC_AUTOFS_MAP].opt_name,
+ rfc2307_autofs_mobject_map[SDAP_AT_AUTOFS_MAP_NAME].opt_name,
+ NULL,
+ };
+
+ ret = confdb_get_string_as_list(cdb, cdb,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_ACTIVE_SERVICES, &services);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to read from confdb [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (string_in_list("autofs", services, true) == false) {
+ goto done;
+ }
+
+ has_autofs_defaults = has_defaults(cdb, conf_path, attrs);
+done:
+ talloc_free(services);
+
+ return has_autofs_defaults;
+}
+
+int ldap_get_autofs_options(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_options *opts)
+{
+ const char *search_base;
+ struct sdap_attr_map *default_entry_map;
+ struct sdap_attr_map *default_mobject_map;
+ int ret;
+
+ /* search base */
+ search_base = dp_opt_get_string(opts->basic, SDAP_SEARCH_BASE);
+ if (search_base != NULL) {
+ /* set autofs search bases if they are not */
+ if (dp_opt_get_string(opts->basic, SDAP_AUTOFS_SEARCH_BASE) == NULL) {
+ ret = dp_opt_set_string(opts->basic, SDAP_AUTOFS_SEARCH_BASE,
+ search_base);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set autofs search base"
+ "to default value\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "Option %s set to %s\n",
+ opts->basic[SDAP_AUTOFS_SEARCH_BASE].opt_name,
+ dp_opt_get_string(opts->basic, SDAP_AUTOFS_SEARCH_BASE));
+ }
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Search base not set, trying to discover it later "
+ "connecting to the LDAP server.\n");
+ }
+
+ if (opts->schema_type == SDAP_SCHEMA_RFC2307 &&
+ ldap_rfc2307_autofs_defaults(cdb, conf_path) == true) {
+ DEBUG(SSSDBG_IMPORTANT_INFO,
+ "Your configuration uses the autofs provider "
+ "with schema set to rfc2307 and default attribute mappings. "
+ "The default map has changed in this release, please make "
+ "sure the configuration matches the server attributes.\n");
+ sss_log(SSS_LOG_NOTICE,
+ _("Your configuration uses the autofs provider "
+ "with schema set to rfc2307 and default attribute mappings. "
+ "The default map has changed in this release, please make "
+ "sure the configuration matches the server attributes.\n"));
+ }
+
+ ret = sdap_parse_search_base(opts, opts->basic,
+ SDAP_AUTOFS_SEARCH_BASE,
+ &opts->sdom->autofs_search_bases);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not parse autofs search base\n");
+ return ret;
+ }
+
+ /* attribute maps */
+ switch (opts->schema_type) {
+ case SDAP_SCHEMA_RFC2307:
+ default_mobject_map = rfc2307_autofs_mobject_map;
+ default_entry_map = rfc2307_autofs_entry_map;
+ break;
+ case SDAP_SCHEMA_RFC2307BIS:
+ case SDAP_SCHEMA_IPA_V1:
+ case SDAP_SCHEMA_AD:
+ default_mobject_map = rfc2307bis_autofs_mobject_map;
+ default_entry_map = rfc2307bis_autofs_entry_map;
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown LDAP schema!\n");
+ return EINVAL;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_mobject_map,
+ SDAP_OPTS_AUTOFS_MAP,
+ &opts->autofs_mobject_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not get autofs map object attribute map\n");
+ return ret;
+ }
+
+ ret = sdap_get_map(opts, cdb, conf_path,
+ default_entry_map,
+ SDAP_OPTS_AUTOFS_ENTRY,
+ &opts->autofs_entry_map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not get autofs entry object attribute map\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx,
+ struct dp_option *opts, int class,
+ struct sdap_search_base ***_search_bases)
+{
+ const char *class_name;
+ char *unparsed_base;
+ const char *old_filter = NULL;
+
+ switch (class) {
+ case SDAP_SEARCH_BASE:
+ class_name = "DEFAULT";
+ break;
+ case SDAP_USER_SEARCH_BASE:
+ class_name = "USER";
+ old_filter = dp_opt_get_string(opts, SDAP_USER_SEARCH_FILTER);
+ break;
+ case SDAP_GROUP_SEARCH_BASE:
+ class_name = "GROUP";
+ old_filter = dp_opt_get_string(opts, SDAP_GROUP_SEARCH_FILTER);
+ break;
+ case SDAP_NETGROUP_SEARCH_BASE:
+ class_name = "NETGROUP";
+ break;
+ case SDAP_HOST_SEARCH_BASE:
+ class_name = "HOST";
+ break;
+ case SDAP_SUDO_SEARCH_BASE:
+ class_name = "SUDO";
+ break;
+ case SDAP_SERVICE_SEARCH_BASE:
+ class_name = "SERVICE";
+ break;
+ case SDAP_AUTOFS_SEARCH_BASE:
+ class_name = "AUTOFS";
+ break;
+ default:
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Unknown search base type: [%d]\n", class);
+ class_name = "UNKNOWN";
+ /* Non-fatal */
+ break;
+ }
+
+ unparsed_base = dp_opt_get_string(opts, class);
+ if (!unparsed_base || unparsed_base[0] == '\0') return ENOENT;
+
+ return common_parse_search_base(mem_ctx, unparsed_base,
+ class_name, old_filter,
+ _search_bases);
+}
+
+errno_t common_parse_search_base(TALLOC_CTX *mem_ctx,
+ const char *unparsed_base,
+ const char *class_name,
+ const char *old_filter,
+ struct sdap_search_base ***_search_bases)
+{
+ errno_t ret;
+ struct sdap_search_base **search_bases;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_context *ldb;
+ struct ldb_dn *ldn;
+ struct ldb_parse_tree *tree;
+ char **split_bases;
+ char *filter;
+ int count;
+ int i, c;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Create a throwaway LDB context for validating the DN */
+ ldb = ldb_init(tmp_ctx, NULL);
+ if (!ldb) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = split_on_separator(tmp_ctx, unparsed_base, '?', false, false,
+ &split_bases, &count);
+ if (ret !=
EOK) goto done; + + /* The split must be either exactly one value or a multiple of + * three in order to be valid. + * One value: just a base, backwards-compatible with pre-1.7.0 versions + * Multiple: search_base?scope?filter[?search_base?scope?filter]* + */ + if (count > 1 && (count % 3)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unparseable search base: [%s][%d]\n", unparsed_base, count); + ret = EINVAL; + goto done; + } + + if (count == 1) { + search_bases = talloc_array(tmp_ctx, struct sdap_search_base *, 2); + if (!search_bases) { + ret = ENOMEM; + goto done; + } + + if (old_filter != NULL) { + /* Using a deprecated ldap_{user,group}_search_filter */ + DEBUG(SSSDBG_IMPORTANT_INFO, "WARNING: Using a deprecated filter " + "option for %s. Please see the documentation on LDAP search " + "bases to see how the obsolete option can be migrated\n", + class_name); + sss_log(SSS_LOG_NOTICE, "WARNING: Using a deprecated filter option" + "for %s. Please see the documentation on LDAP search bases " + "to see how the obsolete option can be migrated\n", + class_name); + } + + ret = sdap_create_search_base(search_bases, unparsed_base, + LDAP_SCOPE_SUBTREE, old_filter, + &search_bases[0]); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot create new sdap search base\n"); + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Search base added: [%s][%s][%s][%s]\n", + class_name, + search_bases[0]->basedn, + "SUBTREE", + search_bases[0]->filter ? 
search_bases[0]->filter : ""); + + search_bases[1] = NULL; + } else { + search_bases = talloc_array(tmp_ctx, struct sdap_search_base *, + (count / 3) + 1); + if (!search_bases) { + ret = ENOMEM; + goto done; + } + + i = 0; + for (c = 0; c < count; c += 3) { + search_bases[i] = talloc_zero(search_bases, + struct sdap_search_base); + if (!search_bases[i]) { + ret = ENOMEM; + goto done; + } + + if (split_bases[c][0] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "Zero-length search base: [%s]\n", unparsed_base); + ret = EINVAL; + goto done; + } + + /* Validate the basedn */ + ldn = ldb_dn_new(tmp_ctx, ldb, split_bases[c]); + if (!ldn) { + ret = ENOMEM; + goto done; + } + + if (!ldb_dn_validate(ldn)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid base DN [%s]\n", + split_bases[c]); + ret = EINVAL; + goto done; + } + talloc_zfree(ldn); + + /* Set the search base DN */ + search_bases[i]->basedn = talloc_strdup(search_bases[i], + split_bases[c]); + if (!search_bases[i]->basedn) { + ret = ENOMEM; + goto done; + } + + /* Set the search scope for this base DN */ + if ((split_bases[c+1][0] == '\0') + || strcasecmp(split_bases[c+1], "sub") == 0 + || strcasecmp(split_bases[c+1], "subtree") == 0) { + /* If unspecified, default to subtree */ + search_bases[i]->scope = LDAP_SCOPE_SUBTREE; + } else if (strcasecmp(split_bases[c+1], "one") == 0 + || strcasecmp(split_bases[c+1], "onelevel") == 0) { + search_bases[i]->scope = LDAP_SCOPE_ONELEVEL; + } else if (strcasecmp(split_bases[c+1], "base") == 0) { + search_bases[i]->scope = LDAP_SCOPE_BASE; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unknown search scope: [%s]\n", split_bases[c+1]); + ret = EINVAL; + goto done; + } + + /* Get a specialized filter if provided */ + if (split_bases[c+2][0] == '\0') { + search_bases[i]->filter = NULL; + } else { + if (split_bases[c+2][0] != '(') { + /* Filters need to be enclosed in parentheses + * to be validated properly by ldb_parse_tree() + */ + filter = talloc_asprintf(tmp_ctx, "(%s)", + split_bases[c+2]); 
+ } else { + filter = talloc_strdup(tmp_ctx, split_bases[c+2]); + } + if (!filter) { + ret = ENOMEM; + goto done; + } + + tree = ldb_parse_tree(tmp_ctx, filter); + if(!tree) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid search filter: [%s]\n", filter); + ret = EINVAL; + goto done; + } + talloc_zfree(tree); + + search_bases[i]->filter = talloc_steal(search_bases[i], + filter); + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Search base added: [%s][%s][%s][%s]\n", + class_name, + search_bases[i]->basedn, + split_bases[c+1][0] ? split_bases[c+1] : "SUBTREE", + search_bases[i]->filter ? search_bases[i]->filter : ""); + + i++; + } + search_bases[i] = NULL; + } + + *_search_bases = talloc_steal(mem_ctx, search_bases); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/providers/ldap/ldap_opts.c b/src/providers/ldap/ldap_opts.c new file mode 100644 index 0000000..8b82e92 --- /dev/null +++ b/src/providers/ldap/ldap_opts.c 
@@ -0,0 +1,393 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "src/providers/data_provider.h" +#include "db/sysdb.h" +#include "db/sysdb_sudo.h" +#include "db/sysdb_autofs.h" +#include "db/sysdb_services.h" +#include "providers/ldap/ldap_common.h" + +struct dp_option default_basic_opts[] = { + { "ldap_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_default_bind_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_default_authtok_type", DP_OPT_STRING, { "password" }, NULL_STRING}, + { "ldap_default_authtok", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB }, + { "ldap_search_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "ldap_network_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "ldap_opt_timeout", DP_OPT_NUMBER, { .number = 6 }, NULL_NUMBER }, + { "ldap_tls_reqcert", DP_OPT_STRING, { "hard" }, NULL_STRING }, + { "ldap_user_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_user_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING }, + { "ldap_user_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_user_extra_attrs", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_group_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + 
{ "ldap_group_search_scope", DP_OPT_STRING, { "sub" }, NULL_STRING }, + { "ldap_group_search_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_host_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_service_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_full_refresh_interval", DP_OPT_NUMBER, { .number = 21600 }, NULL_NUMBER }, /* 360 mins */ + { "ldap_sudo_smart_refresh_interval", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, /* 15 mins */ + { "ldap_sudo_use_host_filter", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_sudo_hostnames", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_ip", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sudo_include_netgroups", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_sudo_include_regexp", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_autofs_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_autofs_map_master_name", DP_OPT_STRING, { "auto.master" }, NULL_STRING }, + { "ldap_schema", DP_OPT_STRING, { "rfc2307" }, NULL_STRING }, + { "ldap_offline_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, + { "ldap_force_upper_case_realm", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_enumeration_refresh_timeout", DP_OPT_NUMBER, { .number = 300 }, NULL_NUMBER }, + { "ldap_purge_cache_timeout", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, + { "ldap_tls_cacert", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_cacertdir", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_cert", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_key", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_tls_cipher_suite", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_id_use_start_tls", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_id_mapping", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_sasl_mech", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { 
"ldap_sasl_authid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_sasl_minssf", DP_OPT_NUMBER, { .number = -1 }, NULL_NUMBER }, + { "ldap_krb5_keytab", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_krb5_init_creds", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + /* use the same parm name as the krb5 module so we set it only once */ + { "krb5_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_backup_server", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "krb5_canonicalize", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "krb5_use_kdcinfo", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "ldap_pwd_policy", DP_OPT_STRING, { "none" }, NULL_STRING }, + { "ldap_referrals", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "account_cache_expiration", DP_OPT_NUMBER, { .number = 0 }, NULL_NUMBER }, + { "ldap_dns_service_name", DP_OPT_STRING, { SSS_LDAP_SRV_NAME }, NULL_STRING }, + { "ldap_krb5_ticket_lifetime", DP_OPT_NUMBER, { .number = (24 * 60 * 60) }, NULL_NUMBER }, + { "ldap_access_filter", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_netgroup_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_group_nesting_level", DP_OPT_NUMBER, { .number = 2 }, NULL_NUMBER }, + { "ldap_deref", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_account_expire_policy", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_access_order", DP_OPT_STRING, { "filter" }, NULL_STRING }, + { "ldap_chpass_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_backup_uri", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_dns_service_name", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_chpass_update_last_change", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_enumeration_search_timeout", DP_OPT_NUMBER, { .number = 60 }, NULL_NUMBER }, + /* Do not include ldap_auth_disable_tls_never_use_in_production in the + * manpages 
or SSSDConfig API + */ + { "ldap_auth_disable_tls_never_use_in_production", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_page_size", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER }, + { "ldap_deref_threshold", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_sasl_canonicalize", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_connection_expire_timeout", DP_OPT_NUMBER, { .number = 900 }, NULL_NUMBER }, + { "ldap_disable_paging", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_idmap_range_min", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, + { "ldap_idmap_range_max", DP_OPT_NUMBER, { .number = 2000200000LL }, NULL_NUMBER }, + { "ldap_idmap_range_size", DP_OPT_NUMBER, { .number = 200000 }, NULL_NUMBER }, + { "ldap_idmap_autorid_compat", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_idmap_default_domain", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_idmap_default_domain_sid", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "ldap_idmap_helper_table_size", DP_OPT_NUMBER, { .number = 10 }, NULL_NUMBER }, + { "ldap_groups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_initgroups_use_matching_rule_in_chain", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_use_tokengroups", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE}, + { "ldap_rfc2307_fallback_to_local_users", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_disable_range_retrieval", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + { "ldap_min_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_max_id", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER}, + { "ldap_pwdlockout_dn", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "wildcard_limit", DP_OPT_NUMBER, { .number = 1000 }, NULL_NUMBER}, + DP_OPTION_TERMINATOR +}; + +struct sdap_attr_map generic_attr_map[] = { + { "ldap_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_rootdse_last_usn", NULL, SYSDB_HIGH_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map gen_ipa_attr_map[] = { + { "ldap_entry_usn", SDAP_IPA_USN, 
SYSDB_USN, NULL }, + { "ldap_rootdse_last_usn", SDAP_IPA_LAST_USN, SYSDB_HIGH_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map gen_ad_attr_map[] = { + { "ldap_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL }, + { "ldap_rootdse_last_usn", SDAP_AD_LAST_USN, SYSDB_HIGH_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307_user_map[] = { + { "ldap_user_object_class", "posixAccount", SYSDB_USER_CLASS, NULL }, + { "ldap_user_name", "uid", SYSDB_NAME, NULL }, + { "ldap_user_pwd", "userPassword", SYSDB_PWD, NULL }, + { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL }, + { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL }, + { "ldap_user_home_directory", "homeDirectory", SYSDB_HOMEDIR, NULL }, + { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL }, + { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, + { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, + { "ldap_user_member_of", NULL, SYSDB_MEMBEROF, NULL }, + { "ldap_user_uuid", NULL, SYSDB_UUID, NULL }, + { "ldap_user_objectsid", NULL, SYSDB_SID, NULL }, + { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, + { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_user_shadow_last_change", "shadowLastChange", SYSDB_SHADOWPW_LASTCHANGE, NULL }, + { "ldap_user_shadow_min", "shadowMin", SYSDB_SHADOWPW_MIN, NULL }, + { "ldap_user_shadow_max", "shadowMax", SYSDB_SHADOWPW_MAX, NULL }, + { "ldap_user_shadow_warning", "shadowWarning", SYSDB_SHADOWPW_WARNING, NULL }, + { "ldap_user_shadow_inactive", "shadowInactive", SYSDB_SHADOWPW_INACTIVE, NULL }, + { "ldap_user_shadow_expire", "shadowExpire", SYSDB_SHADOWPW_EXPIRE, NULL }, + { "ldap_user_shadow_flag", "shadowFlag", SYSDB_SHADOWPW_FLAG, NULL }, + { "ldap_user_krb_last_pwd_change", "krbLastPwdChange", SYSDB_KRBPW_LASTCHANGE, NULL }, + { 
"ldap_user_krb_password_expiration", "krbPasswordExpiration", SYSDB_KRBPW_EXPIRATION, NULL }, + { "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL }, + { "ldap_user_authorized_service", "authorizedService", SYSDB_AUTHORIZED_SERVICE, NULL }, + { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, + { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL}, + { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL }, + { "ldap_user_authorized_rhost", "rhost", SYSDB_AUTHORIZED_RHOST, NULL }, + { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL }, + { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL }, + { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, + { "ldap_user_ssh_public_key", "sshPublicKey", SYSDB_SSH_PUBKEY, NULL }, + { "ldap_user_auth_type", NULL, SYSDB_AUTH_TYPE, NULL }, + { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, + { "ldap_user_email", "mail", SYSDB_USER_EMAIL, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307_group_map[] = { + { "ldap_group_object_class", "posixGroup", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_name", "cn", SYSDB_NAME, NULL }, + { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL }, + { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_group_member", "memberuid", SYSDB_MEMBER, NULL }, + { "ldap_group_uuid", NULL, SYSDB_UUID, NULL }, + { "ldap_group_objectsid", NULL, SYSDB_SID, NULL }, + { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL }, + { 
"ldap_group_external_member", NULL, SYSDB_EXTERNAL_MEMBER, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307bis_user_map[] = { + { "ldap_user_object_class", "posixAccount", SYSDB_USER_CLASS, NULL }, + { "ldap_user_name", "uid", SYSDB_NAME, NULL }, + { "ldap_user_pwd", "userPassword", SYSDB_PWD, NULL }, + { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL }, + { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL }, + { "ldap_user_home_directory", "homeDirectory", SYSDB_HOMEDIR, NULL }, + { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL }, + { "ldap_user_principal", "krbPrincipalName", SYSDB_UPN, NULL }, + { "ldap_user_fullname", "cn", SYSDB_FULLNAME, NULL }, + { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, + { "ldap_user_uuid", NULL, SYSDB_UUID, NULL }, + { "ldap_user_objectsid", NULL, SYSDB_SID, NULL }, + { "ldap_user_primary_group", NULL, SYSDB_PRIMARY_GROUP, NULL }, + { "ldap_user_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_user_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_user_shadow_last_change", "shadowLastChange", SYSDB_SHADOWPW_LASTCHANGE, NULL }, + { "ldap_user_shadow_min", "shadowMin", SYSDB_SHADOWPW_MIN, NULL }, + { "ldap_user_shadow_max", "shadowMax", SYSDB_SHADOWPW_MAX, NULL }, + { "ldap_user_shadow_warning", "shadowWarning", SYSDB_SHADOWPW_WARNING, NULL }, + { "ldap_user_shadow_inactive", "shadowInactive", SYSDB_SHADOWPW_INACTIVE, NULL }, + { "ldap_user_shadow_expire", "shadowExpire", SYSDB_SHADOWPW_EXPIRE, NULL }, + { "ldap_user_shadow_flag", "shadowFlag", SYSDB_SHADOWPW_FLAG, NULL }, + { "ldap_user_krb_last_pwd_change", "krbLastPwdChange", SYSDB_KRBPW_LASTCHANGE, NULL }, + { "ldap_user_krb_password_expiration", "krbPasswordExpiration", SYSDB_KRBPW_EXPIRATION, NULL }, + { "ldap_pwd_attribute", "pwdAttribute", SYSDB_PWD_ATTRIBUTE, NULL }, + { "ldap_user_authorized_service", "authorizedService", 
SYSDB_AUTHORIZED_SERVICE, NULL }, + { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, + { "ldap_ns_account_lock", "nsAccountLock", SYSDB_NS_ACCOUNT_LOCK, NULL}, + { "ldap_user_authorized_host", "host", SYSDB_AUTHORIZED_HOST, NULL }, + { "ldap_user_authorized_rhost", "rhost", SYSDB_AUTHORIZED_RHOST, NULL }, + { "ldap_user_nds_login_disabled", "loginDisabled", SYSDB_NDS_LOGIN_DISABLED, NULL }, + { "ldap_user_nds_login_expiration_time", "loginExpirationTime", SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL }, + { "ldap_user_nds_login_allowed_time_map", "loginAllowedTimeMap", SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, + { "ldap_user_ssh_public_key", "sshPublicKey", SYSDB_SSH_PUBKEY, NULL }, + { "ldap_user_auth_type", NULL, SYSDB_AUTH_TYPE, NULL }, + { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, + { "ldap_user_email", "mail", SYSDB_USER_EMAIL, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307bis_group_map[] = { + { "ldap_group_object_class", "posixGroup", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_name", "cn", SYSDB_NAME, NULL }, + { "ldap_group_pwd", "userPassword", SYSDB_PWD, NULL }, + { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_group_member", "member", SYSDB_MEMBER, NULL }, + { "ldap_group_uuid", NULL, SYSDB_UUID, NULL }, + { "ldap_group_objectsid", NULL, SYSDB_SID, NULL }, + { "ldap_group_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_group_entry_usn", NULL, SYSDB_USN, NULL }, + { "ldap_group_type", NULL, SYSDB_GROUP_TYPE, NULL }, + { "ldap_group_external_member", NULL, SYSDB_EXTERNAL_MEMBER, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map gen_ad2008r2_user_map[] = { + { "ldap_user_object_class", "user", SYSDB_USER_CLASS, NULL }, + { "ldap_user_name", 
"sAMAccountName", SYSDB_NAME, NULL }, + { "ldap_user_pwd", "unixUserPassword", SYSDB_PWD, NULL }, + { "ldap_user_uid_number", "uidNumber", SYSDB_UIDNUM, NULL }, + { "ldap_user_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_user_gecos", "gecos", SYSDB_GECOS, NULL }, + { "ldap_user_home_directory", "unixHomeDirectory", SYSDB_HOMEDIR, NULL }, + { "ldap_user_shell", "loginShell", SYSDB_SHELL, NULL }, + { "ldap_user_principal", "userPrincipalName", SYSDB_UPN, NULL }, + { "ldap_user_fullname", "name", SYSDB_FULLNAME, NULL }, + { "ldap_user_member_of", "memberOf", SYSDB_MEMBEROF, NULL }, + { "ldap_user_uuid", "objectGUID", SYSDB_UUID, NULL }, + { "ldap_user_objectsid", "objectSID", SYSDB_SID, NULL }, + { "ldap_user_primary_group", "primaryGroupID", SYSDB_PRIMARY_GROUP, NULL }, + { "ldap_user_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_user_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL }, + { "ldap_user_shadow_last_change", NULL, SYSDB_SHADOWPW_LASTCHANGE, NULL }, + { "ldap_user_shadow_min", NULL, SYSDB_SHADOWPW_MIN, NULL }, + { "ldap_user_shadow_max", NULL, SYSDB_SHADOWPW_MAX, NULL }, + { "ldap_user_shadow_warning", NULL, SYSDB_SHADOWPW_WARNING, NULL }, + { "ldap_user_shadow_inactive", NULL, SYSDB_SHADOWPW_INACTIVE, NULL }, + { "ldap_user_shadow_expire", NULL, SYSDB_SHADOWPW_EXPIRE, NULL }, + { "ldap_user_shadow_flag", NULL, SYSDB_SHADOWPW_FLAG, NULL }, + { "ldap_user_krb_last_pwd_change", NULL, SYSDB_KRBPW_LASTCHANGE, NULL }, + { "ldap_user_krb_password_expiration", NULL, SYSDB_KRBPW_EXPIRATION, NULL }, + { "ldap_pwd_attribute", NULL, SYSDB_PWD_ATTRIBUTE, NULL }, + { "ldap_user_authorized_service", NULL, SYSDB_AUTHORIZED_SERVICE, NULL }, + { "ldap_user_ad_account_expires", "accountExpires", SYSDB_AD_ACCOUNT_EXPIRES, NULL}, + { "ldap_user_ad_user_account_control", "userAccountControl", SYSDB_AD_USER_ACCOUNT_CONTROL, NULL}, + { "ldap_ns_account_lock", NULL, SYSDB_NS_ACCOUNT_LOCK, NULL}, + { "ldap_user_authorized_host", NULL, 
SYSDB_AUTHORIZED_HOST, NULL }, + { "ldap_user_authorized_rhost", NULL, SYSDB_AUTHORIZED_RHOST, NULL }, + { "ldap_user_nds_login_disabled", NULL, SYSDB_NDS_LOGIN_DISABLED, NULL }, + { "ldap_user_nds_login_expiration_time", NULL, SYSDB_NDS_LOGIN_EXPIRATION_TIME, NULL }, + { "ldap_user_nds_login_allowed_time_map", NULL, SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP, NULL }, + { "ldap_user_ssh_public_key", NULL, SYSDB_SSH_PUBKEY, NULL }, + { "ldap_user_auth_type", NULL, SYSDB_AUTH_TYPE, NULL }, + { "ldap_user_certificate", "userCertificate;binary", SYSDB_USER_CERT, NULL }, + { "ldap_user_email", "mail", SYSDB_USER_EMAIL, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map gen_ad2008r2_group_map[] = { + { "ldap_group_object_class", "group", SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_object_class_alt", NULL, SYSDB_GROUP_CLASS, NULL }, + { "ldap_group_name", "name", SYSDB_NAME, NULL }, + { "ldap_group_pwd", NULL, SYSDB_PWD, NULL }, + { "ldap_group_gid_number", "gidNumber", SYSDB_GIDNUM, NULL }, + { "ldap_group_member", "member", SYSDB_MEMBER, NULL }, + { "ldap_group_uuid", "objectGUID", SYSDB_UUID, NULL }, + { "ldap_group_objectsid", "objectSID", SYSDB_SID, NULL }, + { "ldap_group_modify_timestamp", "whenChanged", SYSDB_ORIG_MODSTAMP, NULL }, + { "ldap_group_entry_usn", SDAP_AD_USN, SYSDB_USN, NULL }, + { "ldap_group_type", "groupType", SYSDB_GROUP_TYPE, NULL }, + { "ldap_group_external_member", NULL, SYSDB_EXTERNAL_MEMBER, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map netgroup_map[] = { + { "ldap_netgroup_object_class", "nisNetgroup", SYSDB_NETGROUP_CLASS, NULL }, + { "ldap_netgroup_name", "cn", SYSDB_NAME, NULL }, + { "ldap_netgroup_member", "memberNisNetgroup", SYSDB_ORIG_NETGROUP_MEMBER, NULL }, + { "ldap_netgroup_triple", "nisNetgroupTriple", SYSDB_NETGROUP_TRIPLE, NULL }, + { "ldap_netgroup_modify_timestamp", "modifyTimestamp", SYSDB_ORIG_MODSTAMP, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map host_map[] = { + { 
"ldap_host_object_class", "ipHost", SYSDB_HOST_CLASS, NULL }, + { "ldap_host_name", "cn", SYSDB_NAME, NULL }, + { "ldap_host_fqdn", "fqdn", SYSDB_FQDN, NULL }, + { "ldap_host_serverhostname", "serverHostname", SYSDB_SERVERHOSTNAME, NULL }, + { "ldap_host_member_of", NULL, SYSDB_ORIG_MEMBEROF, NULL }, + { "ldap_host_ssh_public_key", "sshPublicKey", SYSDB_SSH_PUBKEY, NULL }, + { "ldap_host_uuid", NULL, SYSDB_UUID, NULL}, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map native_sudorule_map[] = { + { "ldap_sudorule_object_class", "sudoRole", SYSDB_SUDO_CACHE_OC, NULL }, + { "ldap_sudorule_name", "cn", SYSDB_SUDO_CACHE_AT_CN, NULL }, + { "ldap_sudorule_command", "sudoCommand", SYSDB_SUDO_CACHE_AT_COMMAND, NULL }, + { "ldap_sudorule_host", "sudoHost", SYSDB_SUDO_CACHE_AT_HOST, NULL }, + { "ldap_sudorule_user", "sudoUser", SYSDB_SUDO_CACHE_AT_USER, NULL }, + { "ldap_sudorule_option", "sudoOption", SYSDB_SUDO_CACHE_AT_OPTION, NULL }, + { "ldap_sudorule_runas", "sudoRunAs", SYSDB_SUDO_CACHE_AT_RUNAS, NULL }, + { "ldap_sudorule_runasuser", "sudoRunAsUser", SYSDB_SUDO_CACHE_AT_RUNASUSER, NULL }, + { "ldap_sudorule_runasgroup", "sudoRunAsGroup", SYSDB_SUDO_CACHE_AT_RUNASGROUP, NULL }, + { "ldap_sudorule_notbefore", "sudoNotBefore", SYSDB_SUDO_CACHE_AT_NOTBEFORE, NULL }, + { "ldap_sudorule_notafter", "sudoNotAfter", SYSDB_SUDO_CACHE_AT_NOTAFTER, NULL }, + { "ldap_sudorule_order", "sudoOrder", SYSDB_SUDO_CACHE_AT_ORDER, NULL }, + { "ldap_sudorule_entry_usn", NULL, SYSDB_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map service_map[] = { + { "ldap_service_object_class", "ipService", SYSDB_SVC_CLASS, NULL }, + { "ldap_service_name", "cn", SYSDB_NAME, NULL }, + { "ldap_service_port", "ipServicePort", SYSDB_SVC_PORT, NULL }, + { "ldap_service_proto", "ipServiceProtocol", SYSDB_SVC_PROTO, NULL }, + { "ldap_service_entry_usn", NULL, SYSDB_USN, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307_autofs_mobject_map[] = { + { 
"ldap_autofs_map_object_class", "nisMap", SYSDB_AUTOFS_MAP_OC, NULL }, + { "ldap_autofs_map_name", "nisMapName", SYSDB_AUTOFS_MAP_NAME, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307_autofs_entry_map[] = { + { "ldap_autofs_entry_object_class", "nisObject", SYSDB_AUTOFS_ENTRY_OC, NULL }, + { "ldap_autofs_entry_key", "cn", SYSDB_AUTOFS_ENTRY_KEY, NULL }, + { "ldap_autofs_entry_value", "nisMapEntry", SYSDB_AUTOFS_ENTRY_VALUE, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307bis_autofs_mobject_map[] = { + { "ldap_autofs_map_object_class", "automountMap", SYSDB_AUTOFS_MAP_OC, NULL }, + { "ldap_autofs_map_name", "automountMapName", SYSDB_AUTOFS_MAP_NAME, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; + +struct sdap_attr_map rfc2307bis_autofs_entry_map[] = { + { "ldap_autofs_entry_object_class", "automount", SYSDB_AUTOFS_ENTRY_OC, NULL }, + { "ldap_autofs_entry_key", "automountKey", SYSDB_AUTOFS_ENTRY_KEY, NULL }, + { "ldap_autofs_entry_value", "automountInformation", SYSDB_AUTOFS_ENTRY_VALUE, NULL }, + SDAP_ATTR_MAP_TERMINATOR +}; diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h new file mode 100644 index 0000000..3c9a7fc --- /dev/null +++ b/src/providers/ldap/ldap_opts.h 
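Review bot: In `default_basic_opts` (src/providers/ldap/ldap_opts.c) the transport-security defaults carry no comment on their effect: `ldap_id_use_start_tls` is `BOOL_FALSE`, `ldap_sasl_minssf` is `-1`, and `ldap_auth_disable_tls_never_use_in_production` is a live option whose only comment concerns the manpages. Anyone auditing a deployment has to read other files to learn what each default means, so I would add a one-line comment above each, for example `/* off by default: StartTLS is not requested for identity lookups unless the admin enables it */` above `ldap_id_use_start_tls` and `/* -1: no minimum SSF imposed here; confirm against the code that reads this option */` above `ldap_sasl_minssf`. Both wordings are inferred from the option names and values, since the code that consumes these options is not part of this hunk.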
@@ -0,0 +1,65 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef LDAP_OPTS_H_
+#define LDAP_OPTS_H_
+
+#include "src/providers/data_provider.h"
+#include "providers/ldap/ldap_common.h"
+
+extern struct dp_option default_basic_opts[];
+
+extern struct sdap_attr_map generic_attr_map[];
+
+extern struct sdap_attr_map gen_ipa_attr_map[];
+
+extern struct sdap_attr_map gen_ad_attr_map[];
+
+extern struct sdap_attr_map rfc2307_user_map[];
+
+extern struct sdap_attr_map rfc2307_group_map[];
+
+extern struct sdap_attr_map rfc2307bis_user_map[];
+
+extern struct sdap_attr_map rfc2307bis_group_map[];
+
+extern struct sdap_attr_map gen_ad2008r2_user_map[];
+
+extern struct sdap_attr_map gen_ad2008r2_group_map[];
+
+extern struct sdap_attr_map netgroup_map[];
+
+extern struct sdap_attr_map host_map[];
+
+extern struct sdap_attr_map native_sudorule_map[];
+
+extern struct sdap_attr_map service_map[];
+
+extern struct sdap_attr_map rfc2307_autofs_mobject_map[];
+
+extern struct sdap_attr_map rfc2307_autofs_entry_map[];
+
+extern struct sdap_attr_map rfc2307bis_autofs_mobject_map[];
+
+extern struct sdap_attr_map rfc2307bis_autofs_entry_map[];
+
+#endif /* LDAP_OPTS_H_ */
diff --git a/src/providers/ldap/sdap.c b/src/providers/ldap/sdap.c
new file mode 100644
index 0000000..5c9d0a4
--- /dev/null
+++ b/src/providers/ldap/sdap.c
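Review bot: The new header src/providers/ldap/ldap_opts.h exports eighteen tables without stating the contract its callers rely on. Entries are addressed by position through enum constants (the same commit reads `rfc2307_autofs_entry_map[SDAP_OC_AUTOFS_ENTRY].opt_name`), and every table defined in ldap_opts.c ends with a terminator entry. A comment above the first declaration would record this, for example `/* Default option and attribute-map tables; entry order must match the corresponding enum, and each table ends with a terminator entry. */`. The enum definitions are outside this hunk, so the comment should name their header once that is confirmed.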
@@ -0,0 +1,1782 @@ +/* + SSSD + + LDAP Helper routines + + Copyright (C) Simo Sorce + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "confdb/confdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_range.h" + +/* =Retrieve-Options====================================================== */ + +errno_t sdap_copy_map_entry(const struct sdap_attr_map *src_map, + struct sdap_attr_map *dst_map, + int entry_index) +{ + if (src_map[entry_index].name != NULL) { + dst_map[entry_index].name = talloc_strdup(dst_map, + src_map[entry_index].name); + if (dst_map[entry_index].name == NULL) { + return ENOMEM; + } + } else { + dst_map->name = NULL; + } + + return EOK; +} + +int sdap_copy_map(TALLOC_CTX *memctx, + struct sdap_attr_map *src_map, + int num_entries, + struct sdap_attr_map **_map) +{ + struct sdap_attr_map *map; + int i; + + map = talloc_array(memctx, struct sdap_attr_map, num_entries + 1); + if (!map) { + return ENOMEM; + } + + for (i = 0; i < num_entries; i++) { + map[i].opt_name = talloc_strdup(map, src_map[i].opt_name); + map[i].sys_name = talloc_strdup(map, src_map[i].sys_name); + if (map[i].opt_name == NULL || map[i].sys_name == NULL) { + return ENOMEM; + } + + if (src_map[i].def_name != NULL) { + map[i].def_name = talloc_strdup(map, src_map[i].def_name); + map[i].name = talloc_strdup(map, 
src_map[i].def_name); + if (map[i].def_name == NULL || map[i].name == NULL) { + return ENOMEM; + } + } else { + map[i].def_name = NULL; + map[i].name = NULL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n", + map[i].opt_name, map[i].name ? "" : " no", + map[i].name ? map[i].name : ""); + } + + /* Include the sentinel */ + memset(&map[num_entries], 0, sizeof(struct sdap_attr_map)); + + *_map = map; + return EOK; +} + +static errno_t split_extra_attr(TALLOC_CTX *mem_ctx, + char *conf_attr, + char **_sysdb_attr, + char **_ldap_attr) +{ + char *ldap_attr; + char *sysdb_attr; + char *sep; + + ldap_attr = conf_attr; + + sep = strchr(conf_attr, ':'); + if (sep == NULL) { + sysdb_attr = talloc_strdup(mem_ctx, conf_attr); + ldap_attr = talloc_strdup(mem_ctx, conf_attr); + } else { + if (sep == conf_attr || *(sep + 1) == '\0') { + return ERR_INVALID_EXTRA_ATTR; + } + + sysdb_attr = talloc_strndup(mem_ctx, ldap_attr, + sep - ldap_attr); + ldap_attr = talloc_strdup(mem_ctx, sep+1); + } + + if (sysdb_attr == NULL || ldap_attr == NULL) { + return ENOMEM; + } + + *_sysdb_attr = sysdb_attr; + *_ldap_attr = ldap_attr; + return EOK; +} + +enum duplicate_t { + NOT_FOUND = 0, + ALREADY_IN_MAP, /* nothing to add */ + CONFLICT_WITH_MAP /* attempt to redefine attribute */ +}; + +static enum duplicate_t check_duplicate(struct sdap_attr_map *map, + int num_entries, + const char *sysdb_attr, + const char *ldap_attr) +{ + int i; + + for (i = 0; i < num_entries; i++) { + if (strcmp(map[i].sys_name, sysdb_attr) == 0) { + if (map[i].name != NULL && strcmp(map[i].name, ldap_attr) == 0) { + return ALREADY_IN_MAP; + } else { + return CONFLICT_WITH_MAP; + } + } + } + + return NOT_FOUND; +} + +int sdap_extend_map(TALLOC_CTX *memctx, + struct sdap_attr_map *src_map, + size_t num_entries, + char **extra_attrs, + struct sdap_attr_map **_map, + size_t *_new_size) +{ + struct sdap_attr_map *map; + size_t nextra = 0; + size_t i; + char *ldap_attr; + char *sysdb_attr; + errno_t ret; + + *_map 
= src_map; + if (extra_attrs == NULL) { + DEBUG(SSSDBG_FUNC_DATA, "No extra attributes\n"); + *_new_size = num_entries; + return EOK; + } + + for (nextra = 0; extra_attrs[nextra]; nextra++) ; + DEBUG(SSSDBG_FUNC_DATA, "%zu extra attributes\n", nextra); + + map = talloc_realloc(memctx, src_map, struct sdap_attr_map, + num_entries + nextra + 1); + if (map == NULL) { + return ENOMEM; + } + *_map = map; + + for (i = 0; *extra_attrs != NULL; extra_attrs++) { + ret = split_extra_attr(map, *extra_attrs, &sysdb_attr, &ldap_attr); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot split %s\n", *extra_attrs); + continue; + } + + ret = check_duplicate(map, num_entries, sysdb_attr, ldap_attr); + if (ret == ALREADY_IN_MAP) { + DEBUG(SSSDBG_TRACE_FUNC, + "Attribute %s (%s in LDAP) is already in map.\n", + sysdb_attr, ldap_attr); + continue; + } else if (ret == CONFLICT_WITH_MAP) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Attribute %s (%s in LDAP) is already used by SSSD, please " + "choose a different cache name\n", sysdb_attr, ldap_attr); + return ERR_DUP_EXTRA_ATTR; + } + + map[num_entries+i].name = ldap_attr; + map[num_entries+i].sys_name = sysdb_attr; + map[num_entries+i].opt_name = talloc_strdup(map, + map[num_entries+i].name); + map[num_entries+i].def_name = talloc_strdup(map, + map[num_entries+i].name); + if (map[num_entries+i].opt_name == NULL || + map[num_entries+i].sys_name == NULL || + map[num_entries+i].name == NULL || + map[num_entries+i].def_name == NULL) { + return ENOMEM; + } + DEBUG(SSSDBG_TRACE_FUNC, "Extending map with %s\n", *extra_attrs); + + /* index must be incremented only for appended entry. 
*/ + i++; + } + + nextra = i; + + /* Sentinel */ + memset(&map[num_entries+nextra], 0, sizeof(struct sdap_attr_map)); + + *_new_size = num_entries + nextra; + return EOK; +} + +int sdap_extend_map_with_list(TALLOC_CTX *mem_ctx, + struct sdap_options *opts, + int extra_attr_index, + struct sdap_attr_map *src_map, + size_t num_entries, + struct sdap_attr_map **_map, + size_t *_new_size) +{ + const char *extra_attrs; + char **extra_attrs_list; + errno_t ret; + + extra_attrs = dp_opt_get_string(opts->basic, extra_attr_index); + if (extra_attrs == NULL) { + *_map = src_map; + *_new_size = num_entries; + return EOK; + } + + /* split server parm into a list */ + ret = split_on_separator(mem_ctx, extra_attrs, ',', true, true, + &extra_attrs_list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to parse server list!\n"); + return ret; + } + + + ret = sdap_extend_map(mem_ctx, src_map, + num_entries, extra_attrs_list, + _map, _new_size); + talloc_free(extra_attrs_list); + if (ret != EOK) { + return ret; + } + + return EOK; +} + +static void sdap_inherit_basic_options(char **inherit_opt_list, + struct dp_option *parent_opts, + struct dp_option *subdom_opts) +{ + int inherit_options[] = { + SDAP_PURGE_CACHE_TIMEOUT, + SDAP_AD_USE_TOKENGROUPS, + SDAP_KRB5_KEYTAB, + SDAP_OPTS_BASIC /* sentinel */ + }; + int i; + + for (i = 0; inherit_options[i] != SDAP_OPTS_BASIC; i++) { + dp_option_inherit(inherit_opt_list, + inherit_options[i], + parent_opts, + subdom_opts); + } +} + +static void sdap_inherit_user_options(char **inherit_opt_list, + struct sdap_attr_map *parent_user_map, + struct sdap_attr_map *child_user_map) +{ + int inherit_options[] = { + SDAP_AT_USER_PRINC, + SDAP_OPTS_USER /* sentinel */ + }; + int i; + int opt_index; + bool inherit_option; + + for (i = 0; inherit_options[i] != SDAP_OPTS_USER; i++) { + opt_index = inherit_options[i]; + + inherit_option = string_in_list(parent_user_map[opt_index].opt_name, + inherit_opt_list, + false); + if (inherit_option == 
false) { + continue; + } + + sdap_copy_map_entry(parent_user_map, child_user_map, opt_index); + } +} + +void sdap_inherit_options(char **inherit_opt_list, + struct sdap_options *parent_sdap_opts, + struct sdap_options *child_sdap_opts) +{ + sdap_inherit_basic_options(inherit_opt_list, + parent_sdap_opts->basic, + child_sdap_opts->basic); + + sdap_inherit_user_options(inherit_opt_list, + parent_sdap_opts->user_map, + child_sdap_opts->user_map); +} + +int sdap_get_map(TALLOC_CTX *memctx, + struct confdb_ctx *cdb, + const char *conf_path, + struct sdap_attr_map *def_map, + int num_entries, + struct sdap_attr_map **_map) +{ + struct sdap_attr_map *map; + char *name; + int i, ret; + + map = talloc_zero_array(memctx, struct sdap_attr_map, num_entries + 1); + if (!map) { + return ENOMEM; + } + + for (i = 0; i < num_entries; i++) { + + map[i].opt_name = def_map[i].opt_name; + map[i].def_name = def_map[i].def_name; + map[i].sys_name = def_map[i].sys_name; + + ret = confdb_get_string(cdb, map, conf_path, + map[i].opt_name, + map[i].def_name, + &name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for %s\n", map[i].opt_name); + talloc_zfree(map); + return EINVAL; + } + + if (name) { + ret = sss_filter_sanitize(map, name, &map[i].name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not sanitize attribute [%s]\n", name); + talloc_zfree(map); + return EINVAL; + } + talloc_zfree(name); + } else { + map[i].name = NULL; + } + + if (map[i].def_name && !map[i].name) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve value for %s\n", map[i].opt_name); + talloc_zfree(map); + return EINVAL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Option %s has%s value %s\n", + map[i].opt_name, map[i].name ? "" : " no", + map[i].name ? 
map[i].name : ""); + } + + *_map = map; + return EOK; +} + +/* =Parse-msg============================================================= */ + +static bool objectclass_matched(struct sdap_attr_map *map, + const char *objcl, int len); +int sdap_parse_entry(TALLOC_CTX *memctx, + struct sdap_handle *sh, struct sdap_msg *sm, + struct sdap_attr_map *map, int attrs_num, + struct sysdb_attrs **_attrs, + bool disable_range_retrieval) +{ + struct sysdb_attrs *attrs; + BerElement *ber = NULL; + struct berval **vals; + struct ldb_val v; + char *str; + int lerrno; + int i, ret, ai; + int base_attr_idx = 0; + const char *name; + bool store; + bool base64; + char *base_attr; + uint32_t range_offset; + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + lerrno = 0; + ret = ldap_set_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, "ldap_set_option failed [%s], ignored.\n", + sss_ldap_err2string(ret)); + } + + attrs = sysdb_new_attrs(tmp_ctx); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + str = ldap_get_dn(sh->ldap, sm->msg); + if (!str) { + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + DEBUG(SSSDBG_CRIT_FAILURE, "ldap_get_dn failed: %d(%s)\n", + lerrno, sss_ldap_err2string(lerrno)); + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "OriginalDN: [%s].\n", str); + ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, str); + ldap_memfree(str); + if (ret) goto done; + + if (map) { + vals = ldap_get_values_len(sh->ldap, sm->msg, "objectClass"); + if (!vals) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unknown entry type, no objectClasses found!\n"); + ret = EINVAL; + goto done; + } + + for (i = 0; vals[i]; i++) { + if (objectclass_matched(map, vals[i]->bv_val, vals[i]->bv_len)) { + /* ok it's an entry of the right type */ + break; + } + } + if (!vals[i]) { + DEBUG(SSSDBG_CRIT_FAILURE, "objectClass not matching: %s\n", + map[0].name); + ldap_value_free_len(vals); + ret = EINVAL; + goto 
done; + } + ldap_value_free_len(vals); + } + + str = ldap_first_attribute(sh->ldap, sm->msg, &ber); + if (!str) { + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + DEBUG(lerrno == LDAP_SUCCESS + ? SSSDBG_TRACE_LIBS + : SSSDBG_MINOR_FAILURE, + "Entry has no attributes [%d(%s)]!?\n", + lerrno, sss_ldap_err2string(lerrno)); + if (map) { + ret = EINVAL; + goto done; + } + } + while (str) { + base64 = false; + + ret = sdap_parse_range(tmp_ctx, str, &base_attr, &range_offset, + disable_range_retrieval); + switch(ret) { + case EAGAIN: + /* This attribute contained range values and needs more to + * be retrieved + */ + /* TODO: return the set of attributes that need additional retrieval + * For now, we'll continue below and treat it as regular values. + */ + /* FALLTHROUGH */ + case ECANCELED: + /* FALLTHROUGH */ + case EOK: + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not determine if attribute [%s] was ranged\n", str); + goto done; + } + + if (map) { + for (i = 1; i < attrs_num; i++) { + /* check if this attr is valid with the chosen schema */ + if (!map[i].name) continue; + /* check if it is an attr we are interested in */ + if (strcasecmp(base_attr, map[i].name) == 0) break; + } + /* interesting attr */ + if (i < attrs_num) { + store = true; + name = map[i].sys_name; + base_attr_idx = i; + if (strcmp(name, SYSDB_SSH_PUBKEY) == 0) { + base64 = true; + } + } else { + store = false; + name = NULL; + } + } else { + name = base_attr; + store = true; + } + + if (ret == ECANCELED) { + ret = EOK; + store = false; + } + + if (store) { + vals = ldap_get_values_len(sh->ldap, sm->msg, str); + if (!vals) { + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + if (lerrno != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n", + lerrno, sss_ldap_err2string(lerrno)); + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Attribute [%s] has no values, skipping.\n", str); + + } else { + if (!vals[0]) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "Missing value after ldap_get_values() ??\n"); + ldap_value_free_len(vals); + ret = EINVAL; + goto done; + } + for (i = 0; vals[i]; i++) { + if (vals[i]->bv_len == 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "Value of attribute [%s] is empty. " + "Skipping this value.\n", str); + continue; + } + if (base64) { + v.data = (uint8_t *) sss_base64_encode(attrs, + (uint8_t *) vals[i]->bv_val, vals[i]->bv_len); + if (!v.data) { + ldap_value_free_len(vals); + ret = ENOMEM; + goto done; + } + v.length = strlen((const char *)v.data); + } else { + v.data = (uint8_t *)vals[i]->bv_val; + v.length = vals[i]->bv_len; + } + + if (map) { + /* The same LDAP attr might be used for more sysdb + * attrs in case there is a map. Find all that match + * and copy the value + */ + for (ai = base_attr_idx; ai < attrs_num; ai++) { + /* check if this attr is valid with the chosen + * schema */ + if (!map[ai].name) continue; + + /* check if it is an attr we are interested in */ + if (strcasecmp(base_attr, map[ai].name) == 0) { + ret = sysdb_attrs_add_val(attrs, + map[ai].sys_name, + &v); + if (ret) { + ldap_value_free_len(vals); + goto done; + } + } + } + } else { + /* No map, just store the attribute */ + ret = sysdb_attrs_add_val(attrs, name, &v); + if (ret) { + ldap_value_free_len(vals); + goto done; + } + } + } + ldap_value_free_len(vals); + } + } + + ldap_memfree(str); + str = ldap_next_attribute(sh->ldap, sm->msg, ber); + } + ber_free(ber, 0); + ber = NULL; + + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &lerrno); + if (lerrno) { + DEBUG(SSSDBG_CRIT_FAILURE, "LDAP Library error: %d(%s)\n", + lerrno, sss_ldap_err2string(lerrno)); + ret = EIO; + goto done; + } + + *_attrs = talloc_steal(memctx, attrs); + ret = EOK; + +done: + if (ber) ber_free(ber, 0); + talloc_free(tmp_ctx); + return ret; +} + +static bool objectclass_matched(struct sdap_attr_map *map, + const char *objcl, int len) +{ + if (len == 0) { + len = strlen(objcl) + 1; + } + + if 
(strncasecmp(map[SDAP_OC_GROUP].name, objcl, len) == 0) { + return true; + } + + if (map[SDAP_OC_GROUP_ALT].name != NULL + && strncasecmp(map[SDAP_OC_GROUP_ALT].name, objcl, len) == 0) { + return true; + } + + return false; +} + +/* Parses an LDAPDerefRes into sdap_deref_attrs structure */ +errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx, + struct sdap_attr_map_info *minfo, + size_t num_maps, + LDAPDerefRes *dref, + struct sdap_deref_attrs ***_deref_res) +{ + TALLOC_CTX *tmp_ctx; + LDAPDerefVal *dval; + const char *orig_dn; + const char **ocs; + struct sdap_attr_map *map; + int num_attrs; + int ret, i, a, mi; + const char *name; + size_t len; + struct sdap_deref_attrs **res; + + if (!dref || !minfo) return EINVAL; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + res = talloc_array(tmp_ctx, struct sdap_deref_attrs *, num_maps); + if (!res) { + ret = ENOMEM; + goto done; + } + + for (i=0; i < num_maps; i++) { + res[i] = talloc_zero(res, struct sdap_deref_attrs); + if (!res[i]) { + ret = ENOMEM; + goto done; + } + + res[i]->map = minfo[i].map; + } + + if (!dref->derefVal.bv_val) { + DEBUG(SSSDBG_OP_FAILURE, "Entry has no DN?\n"); + ret = EINVAL; + goto done; + } + + orig_dn = dref->derefVal.bv_val; + DEBUG(SSSDBG_TRACE_LIBS, + "Dereferenced DN: %s\n", orig_dn); + + if (!dref->attrVals) { + DEBUG(SSSDBG_FUNC_DATA, + "Dereferenced entry [%s] has no attributes, skipping\n", + orig_dn); + *_deref_res = NULL; + ret = EOK; + goto done; + } + + ocs = NULL; + for (dval = dref->attrVals; dval != NULL; dval = dval->next) { + if (strcasecmp("objectClass", dval->type) == 0) { + if (dval->vals == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No value for objectClass, skipping\n"); + continue; + } + + for(len=0; dval->vals[len].bv_val; len++); + + ocs = talloc_array(tmp_ctx, const char *, len+1); + if (!ocs) { + ret = ENOMEM; + goto done; + } + + for (i=0; ivals[i].bv_val); + ocs[i] = talloc_strdup(ocs, dval->vals[i].bv_val); + if (!ocs[i]) { + ret = ENOMEM; + goto done; 
+ } + } + ocs[i] = NULL; + break; + } + } + if (!ocs) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unknown entry type, no objectClasses found!\n"); + ret = EINVAL; + goto done; + } + + for (mi = 0; mi < num_maps; mi++) { + map = NULL; + + for (i=0; ocs[i]; i++) { + /* the objectclass is always the first name in the map */ + if (objectclass_matched(minfo[mi].map, ocs[i], 0)) { + DEBUG(SSSDBG_TRACE_ALL, + "Found map for objectclass '%s'\n", ocs[i]); + map = minfo[mi].map; + num_attrs = minfo[mi].num_attrs; + break; + } + } + if (!map) continue; + + res[mi]->attrs = sysdb_new_attrs(res[mi]); + if (!res[mi]->attrs) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(res[mi]->attrs, SYSDB_ORIG_DN, + orig_dn); + if (ret) { + goto done; + } + + for (dval = dref->attrVals; dval != NULL; dval = dval->next) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Dereferenced attribute: %s\n", dval->type); + + for (a = 1; a < num_attrs; a++) { + /* check if this attr is valid with the chosen schema */ + if (!map[a].name) continue; + /* check if it is an attr we are interested in */ + if (strcasecmp(dval->type, map[a].name) == 0) break; + } + + /* interesting attr */ + if (a < num_attrs) { + name = map[a].sys_name; + } else { + continue; + } + + if (dval->vals == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No value for attribute %s, skipping\n", name); + continue; + } + + for (i=0; dval->vals[i].bv_val; i++) { + DEBUG(SSSDBG_TRACE_ALL, "Dereferenced attribute value: %s\n", + dval->vals[i].bv_val); + ret = sysdb_attrs_add_mem(res[mi]->attrs, name, + dval->vals[i].bv_val, + dval->vals[i].bv_len); + if (ret) goto done; + } + } + } + + + *_deref_res = talloc_steal(mem_ctx, res); + ret = EOK; +done: + talloc_zfree(tmp_ctx); + return ret; +} + +errno_t setup_tls_config(struct dp_option *basic_opts) +{ + int ret; + int ldap_opt_x_tls_require_cert; + const char *tls_opt; + tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_REQCERT); + if (tls_opt) { + if (strcasecmp(tls_opt, "never") == 0) { + 
ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_NEVER; + } + else if (strcasecmp(tls_opt, "allow") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_ALLOW; + } + else if (strcasecmp(tls_opt, "try") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_TRY; + } + else if (strcasecmp(tls_opt, "demand") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; + } + else if (strcasecmp(tls_opt, "hard") == 0) { + ldap_opt_x_tls_require_cert = LDAP_OPT_X_TLS_HARD; + } + else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown value for tls_reqcert.\n"); + return EINVAL; + } + /* LDAP_OPT_X_TLS_REQUIRE_CERT has to be set as a global option, + * because the SSL/TLS context is initialized from this value. */ + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, + &ldap_opt_x_tls_require_cert); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); + return EIO; + } + } + + tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CACERT); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); + return EIO; + } + } + + tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CACERTDIR); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); + return EIO; + } + } + + tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CERT); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); + return EIO; + } + } + + tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_KEY); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); + return EIO; + } + } + + tls_opt = dp_opt_get_string(basic_opts, SDAP_TLS_CIPHER_SUITE); + if (tls_opt) { + ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CIPHER_SUITE, tls_opt); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_set_option failed: %s\n", sss_ldap_err2string(ret)); + return EIO; + } + } + + return EOK; +} + + +bool sdap_check_sup_list(struct sup_list *l, const char *val) +{ + int i; + + if (!val) { + return false; + } + + for (i = 0; i < l->num_vals; i++) { + if (strcasecmp(val, (char *)l->vals[i])) { + continue; + } + return true; + } + + return false; +} + +static int sdap_init_sup_list(TALLOC_CTX *memctx, + struct sup_list *list, + int num, struct ldb_val *vals) +{ + int i; + + list->vals = talloc_array(memctx, char *, num); + if (!list->vals) { + return ENOMEM; + } + + for (i = 0; i < num; i++) { + list->vals[i] = talloc_strndup(list->vals, + (char *)vals[i].data, vals[i].length); + if (!list->vals[i]) { + return ENOMEM; + } + } + + list->num_vals = num; + + return EOK; +} + +int sdap_set_rootdse_supported_lists(struct sysdb_attrs *rootdse, + struct sdap_handle *sh) +{ + struct ldb_message_element *el = NULL; + int ret; + int i; + + for (i = 0; i < rootdse->num; i++) { + el = &rootdse->a[i]; + if (strcasecmp(el->name, "supportedControl") == 0) { + + ret = sdap_init_sup_list(sh, &sh->supported_controls, + el->num_values, el->values); + if (ret) { + return ret; + } + } else if (strcasecmp(el->name, "supportedExtension") == 0) { + + ret = sdap_init_sup_list(sh, &sh->supported_extensions, + el->num_values, el->values); + if (ret) { + return ret; + } + } else if (strcasecmp(el->name, "supportedSASLMechanisms") == 0) { + + ret = sdap_init_sup_list(sh, &sh->supported_saslmechs, + el->num_values, el->values); + if (ret) { + return ret; + } + } + } + + return EOK; + +} + +static char *get_single_value_as_string(TALLOC_CTX *mem_ctx, + struct 
ldb_message_element *el) +{ + char *str = NULL; + + if (el->num_values == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "Missing value.\n"); + } else if (el->num_values == 1) { + str = talloc_strndup(mem_ctx, (char *) el->values[0].data, + el->values[0].length); + if (str == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strndup failed.\n"); + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "More than one value found.\n"); + } + + return str; +} + +static char *get_naming_context(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *rootdse) +{ + struct ldb_message_element *nc = NULL; + struct ldb_message_element *dnc = NULL; + int i; + char *naming_context = NULL; + + for (i = 0; i < rootdse->num; i++) { + if (strcasecmp(rootdse->a[i].name, + SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS) == 0) { + nc = &rootdse->a[i]; + } else if (strcasecmp(rootdse->a[i].name, + SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT) == 0) { + dnc = &rootdse->a[i]; + } + } + + if (dnc == NULL && nc == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "No attributes [%s] or [%s] found in rootDSE.\n", + SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS, + SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT); + } else { + if (dnc != NULL) { + DEBUG(SSSDBG_FUNC_DATA, + "Using value from [%s] as naming context.\n", + SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT); + naming_context = get_single_value_as_string(mem_ctx, dnc); + } + + if (naming_context == NULL && nc != NULL) { + DEBUG(SSSDBG_FUNC_DATA, + "Using value from [%s] as naming context.\n", + SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS); + naming_context = get_single_value_as_string(mem_ctx, nc); + } + } + + /* Some directory servers such as Novell eDirectory will return + * a zero-length namingContexts value in some situations. In this + * case, we should return it as NULL so things fail gracefully. 
+ */ + if (naming_context && naming_context[0] == '\0') { + talloc_zfree(naming_context); + } + + return naming_context; +} + +errno_t +sdap_create_search_base(TALLOC_CTX *mem_ctx, + const char *unparsed_base, + int scope, + const char *filter, + struct sdap_search_base **_base) +{ + struct sdap_search_base *base; + TALLOC_CTX *tmp_ctx; + errno_t ret; + struct ldb_dn *ldn; + struct ldb_context *ldb; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + /* Create a throwaway LDB context for validating the DN */ + ldb = ldb_init(tmp_ctx, NULL); + if (!ldb) { + ret = ENOMEM; + goto done; + } + + base = talloc_zero(tmp_ctx, struct sdap_search_base); + if (base == NULL) { + ret = ENOMEM; + goto done; + } + + base->basedn = talloc_strdup(base, unparsed_base); + if (base->basedn == NULL) { + ret = ENOMEM; + goto done; + } + + /* Validate the basedn */ + ldn = ldb_dn_new(tmp_ctx, ldb, unparsed_base); + if (!ldn) { + ret = ENOMEM; + goto done; + } + + if (!ldb_dn_validate(ldn)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid base DN [%s]\n", unparsed_base); + ret = EINVAL; + goto done; + } + + base->scope = scope; + base->filter = filter; + + *_base = talloc_steal(mem_ctx, base); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sdap_set_search_base(struct sdap_options *opts, + struct sdap_domain *sdom, + enum sdap_basic_opt class, + char *naming_context) +{ + errno_t ret; + struct sdap_search_base ***bases; + + switch(class) { + case SDAP_SEARCH_BASE: + bases = &sdom->search_bases; + break; + case SDAP_USER_SEARCH_BASE: + bases = &sdom->user_search_bases; + break; + case SDAP_GROUP_SEARCH_BASE: + bases = &sdom->group_search_bases; + break; + case SDAP_NETGROUP_SEARCH_BASE: + bases = &sdom->netgroup_search_bases; + break; + case SDAP_HOST_SEARCH_BASE: + bases = &sdom->host_search_bases; + break; + case SDAP_SUDO_SEARCH_BASE: + bases = &sdom->sudo_search_bases; + break; + case SDAP_SERVICE_SEARCH_BASE: + bases = 
&sdom->service_search_bases; + break; + case SDAP_AUTOFS_SEARCH_BASE: + bases = &sdom->autofs_search_bases; + break; + default: + return EINVAL; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Setting option [%s] to [%s].\n", + opts->basic[class].opt_name, naming_context); + + ret = dp_opt_set_string(opts->basic, class, naming_context); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "dp_opt_set_string failed.\n"); + goto done; + } + + ret = sdap_parse_search_base(opts, opts->basic, class, bases); + if (ret != EOK) goto done; + + ret = EOK; +done: + return ret; +} + +errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse, + struct sdap_options *opts, + struct sdap_domain *sdom) +{ + int ret; + char *naming_context = NULL; + + if (!sdom->search_bases + || !sdom->user_search_bases + || !sdom->group_search_bases + || !sdom->netgroup_search_bases + || !sdom->host_search_bases + || !sdom->sudo_search_bases + || !sdom->autofs_search_bases) { + naming_context = get_naming_context(opts->basic, rootdse); + if (naming_context == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "get_naming_context failed.\n"); + + /* This has to be non-fatal, since some servers offer + * multiple namingContexts entries. We will just + * add NULL checks for the search bases in the lookups. 
+ */ + ret = EOK; + goto done; + } + } + + /* Default */ + if (!sdom->search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* Users */ + if (!sdom->user_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_USER_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* Groups */ + if (!sdom->group_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_GROUP_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* Netgroups */ + if (!sdom->netgroup_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_NETGROUP_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* Hosts */ + if (!sdom->host_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_HOST_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* Sudo */ + if (!sdom->sudo_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_SUDO_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* Services */ + if (!sdom->service_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_SERVICE_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + /* autofs */ + if (!sdom->autofs_search_bases) { + ret = sdap_set_search_base(opts, sdom, + SDAP_AUTOFS_SEARCH_BASE, + naming_context); + if (ret != EOK) goto done; + } + + ret = EOK; + +done: + talloc_free(naming_context); + return ret; +} + +int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx, + const char *server, + struct sysdb_attrs *rootdse, + struct sdap_options *opts, + struct sdap_server_opts **srv_opts) +{ + struct sdap_server_opts *so; + struct { + const char *last_name; + const char *entry_name; + } usn_attrs[] = { { SDAP_IPA_LAST_USN, SDAP_IPA_USN }, + { SDAP_AD_LAST_USN, SDAP_AD_USN }, + { NULL, NULL } }; + const char *last_usn_name; + const char *last_usn_value; + const char *entry_usn_name; + const char *schema_nc = NULL; + char 
*endptr = NULL; + int ret; + int i; + uint32_t dc_level; + + so = talloc_zero(memctx, struct sdap_server_opts); + if (!so) { + return ENOMEM; + } + so->server_id = talloc_strdup(so, server); + if (!so->server_id) { + talloc_zfree(so); + return ENOMEM; + } + + last_usn_name = opts->gen_map[SDAP_AT_LAST_USN].name; + entry_usn_name = opts->gen_map[SDAP_AT_ENTRY_USN].name; + if (rootdse) { + if (last_usn_name) { + ret = sysdb_attrs_get_string(rootdse, + last_usn_name, &last_usn_value); + if (ret != EOK) { + switch (ret) { + case ENOENT: + DEBUG(SSSDBG_CRIT_FAILURE, + "%s configured but not found in rootdse!\n", + opts->gen_map[SDAP_AT_LAST_USN].opt_name); + break; + case ERANGE: + DEBUG(SSSDBG_CRIT_FAILURE, + "Multiple values of %s found in rootdse!\n", + opts->gen_map[SDAP_AT_LAST_USN].opt_name); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Unknown error (%d) checking rootdse!\n", ret); + } + } else { + if (!entry_usn_name) { + DEBUG(SSSDBG_CRIT_FAILURE, + "%s found in rootdse but %s is not set!\n", + last_usn_name, + opts->gen_map[SDAP_AT_ENTRY_USN].opt_name); + } else { + so->supports_usn = true; + so->last_usn = strtoul(last_usn_value, &endptr, 10); + if (endptr != NULL && (*endptr != '\0' || endptr == last_usn_value)) { + DEBUG(SSSDBG_MINOR_FAILURE, + "USN is not valid (value: %s)\n", last_usn_value); + so->last_usn = 0; + } else { + DEBUG(SSSDBG_TRACE_ALL, + "USN value: %s (int: %lu)\n", last_usn_value, so->last_usn); + } + } + } + } else { + /* no usn option configure, let's try to autodetect. 
*/ + for (i = 0; usn_attrs[i].last_name; i++) { + ret = sysdb_attrs_get_string(rootdse, + usn_attrs[i].last_name, + &last_usn_value); + if (ret == EOK) { + /* Fixate discovered configuration */ + opts->gen_map[SDAP_AT_LAST_USN].name = + talloc_strdup(opts->gen_map, usn_attrs[i].last_name); + opts->gen_map[SDAP_AT_ENTRY_USN].name = + talloc_strdup(opts->gen_map, usn_attrs[i].entry_name); + so->supports_usn = true; + so->last_usn = strtoul(last_usn_value, &endptr, 10); + if (endptr != NULL && (*endptr != '\0' || endptr == last_usn_value)) { + DEBUG(SSSDBG_MINOR_FAILURE, + "USN is not valid (value: %s)\n", last_usn_value); + so->last_usn = 0; + } else { + DEBUG(SSSDBG_TRACE_ALL, + "USN value: %s (int: %lu)\n", last_usn_value, so->last_usn); + } + last_usn_name = usn_attrs[i].last_name; + break; + } + } + } + + /* Detect Active Directory version if available */ + ret = sysdb_attrs_get_uint32_t(rootdse, + SDAP_ROOTDSE_ATTR_AD_VERSION, + &dc_level); + if (ret == EOK) { + /* Validate that the DC level matches an expected value */ + switch(dc_level) { + case DS_BEHAVIOR_WIN2000: + case DS_BEHAVIOR_WIN2003: + case DS_BEHAVIOR_WIN2008: + case DS_BEHAVIOR_WIN2008R2: + case DS_BEHAVIOR_WIN2012: + case DS_BEHAVIOR_WIN2012R2: + case DS_BEHAVIOR_WIN2016: + opts->dc_functional_level = dc_level; + DEBUG(SSSDBG_CONF_SETTINGS, + "Setting AD compatibility level to [%d]\n", + opts->dc_functional_level); + break; + default: + DEBUG(SSSDBG_MINOR_FAILURE, + "Received invalid value [%d] for AD compatibility level. " + "Using the lowest-common compatibility level\n", + dc_level); + opts->dc_functional_level = DS_BEHAVIOR_WIN2003; + } + } else if (ret != ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Error detecting Active Directory compatibility level " + "(%s). 
Continuing without AD performance enhancements\n",
+ strerror(ret));
+ }
+
+ ret = sysdb_attrs_get_string(rootdse,
+ SDAP_ROOTDSE_ATTR_AD_SCHEMA_NC,
+ &schema_nc);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Will look for schema at [%s]\n", schema_nc);
+ opts->schema_basedn = talloc_strdup(opts, schema_nc);
+ }
+ }
+
+ if (!last_usn_name) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "No known USN scheme is supported by this server!\n");
+ if (!entry_usn_name) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Will use modification timestamp as usn!\n");
+ opts->gen_map[SDAP_AT_ENTRY_USN].name =
+ talloc_strdup(opts->gen_map, "modifyTimestamp");
+ }
+ }
+
+ if (!opts->user_map[SDAP_AT_USER_USN].name) {
+ opts->user_map[SDAP_AT_USER_USN].name =
+ talloc_strdup(opts->user_map,
+ opts->gen_map[SDAP_AT_ENTRY_USN].name);
+ }
+ if (!opts->group_map[SDAP_AT_GROUP_USN].name) {
+ opts->group_map[SDAP_AT_GROUP_USN].name =
+ talloc_strdup(opts->group_map,
+ opts->gen_map[SDAP_AT_ENTRY_USN].name);
+ }
+ if (!opts->service_map[SDAP_AT_SERVICE_USN].name) {
+ opts->service_map[SDAP_AT_SERVICE_USN].name =
+ talloc_strdup(opts->service_map,
+ opts->gen_map[SDAP_AT_ENTRY_USN].name);
+ }
+ if (opts->sudorule_map &&
+ !opts->sudorule_map[SDAP_AT_SUDO_USN].name) {
+ opts->sudorule_map[SDAP_AT_SUDO_USN].name =
+ talloc_strdup(opts->sudorule_map,
+ opts->gen_map[SDAP_AT_ENTRY_USN].name);
+ }
+
+ *srv_opts = so;
+ return EOK;
+}
+
+void sdap_steal_server_opts(struct sdap_id_ctx *id_ctx,
+ struct sdap_server_opts **srv_opts)
+{
+ if (!id_ctx || !srv_opts || !*srv_opts) {
+ return;
+ }
+
+ if (!id_ctx->srv_opts) {
+ id_ctx->srv_opts = talloc_move(id_ctx, srv_opts);
+ return;
+ }
+
+ /* discard if same as previous so we do not reset max usn values
+ * unnecessarily */
+ if (strcmp(id_ctx->srv_opts->server_id, (*srv_opts)->server_id) == 0) {
+ talloc_zfree(*srv_opts);
+ return;
+ }
+
+ talloc_zfree(id_ctx->srv_opts);
+ id_ctx->srv_opts = talloc_move(id_ctx, srv_opts);
+}
+
+static bool attr_is_filtered(const char
*attr, const char **filter) +{ + int i; + + if (filter) { + i = 0; + while (filter[i]) { + if (filter[i] == attr || + strcasecmp(filter[i], attr) == 0) { + return true; + } + i++; + } + } + + return false; +} + +int build_attrs_from_map(TALLOC_CTX *memctx, + struct sdap_attr_map *map, + size_t size, + const char **filter, + const char ***_attrs, + size_t *attr_count) +{ + errno_t ret; + const char **attrs; + int i, j; + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + /* Assume that all entries in the map have values */ + attrs = talloc_zero_array(tmp_ctx, const char *, size + 1); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + /* first attribute is "objectclass" not the specifc one */ + attrs[0] = talloc_strdup(memctx, "objectClass"); + if (!attrs[0]) return ENOMEM; + + /* add the others */ + for (i = j = 1; i < size; i++) { + if (map[i].name && !attr_is_filtered(map[i].name, filter)) { + attrs[j] = map[i].name; + j++; + } + } + attrs[j] = NULL; + + /* Trim down the used memory if some attributes were NULL */ + attrs = talloc_realloc(tmp_ctx, attrs, const char *, j + 1); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + *_attrs = talloc_steal(memctx, attrs); + if (attr_count) *attr_count = j; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int sdap_control_create(struct sdap_handle *sh, const char *oid, int iscritical, + struct berval *value, int dupval, LDAPControl **ctrlp) +{ + int ret; + + if (sdap_is_control_supported(sh, oid)) { + ret = sss_ldap_control_create(oid, iscritical, value, dupval, ctrlp); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_ldap_control_create failed [%d][%s].\n", + ret, sss_ldap_err2string(ret)); + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Server does not support the requested control [%s].\n", oid); + ret = LDAP_NOT_SUPPORTED; + } + + return ret; +} + +int sdap_replace_id(struct sysdb_attrs *entry, const char *attr, id_t val) +{ + char *str; + errno_t ret; + 
struct ldb_message_element *el;
+
+ ret = sysdb_attrs_get_el_ext(entry, attr, false, &el);
+ if (ret == ENOENT) {
+ return sysdb_attrs_add_uint32(entry, attr, val);
+ } else if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot get attribute [%s]\n", attr);
+ return ret;
+ }
+
+ if (el->num_values != 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Expected 1 value for %s, got %d\n", attr, el->num_values);
+ return EINVAL;
+ }
+
+ str = talloc_asprintf(entry, "%llu", (unsigned long long) val);
+ if (!str) {
+ return ENOMEM;
+ }
+
+ el->values[0].data = (uint8_t *) str;
+ el->values[0].length = strlen(str);
+
+ return EOK;
+}
+
+static errno_t
+sdap_get_primary_name(TALLOC_CTX *memctx,
+ const char *attr_name,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_primary_name)
+{
+ errno_t ret;
+ const char *orig_name = NULL;
+
+ ret = sysdb_attrs_primary_name(dom->sysdb, attrs, attr_name, &orig_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "The object has no name attribute\n");
+ return EINVAL;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing object %s\n", orig_name);
+
+ *_primary_name = talloc_strdup(memctx, orig_name);
+ return EOK;
+}
+
+static errno_t
+sdap_get_primary_fqdn(TALLOC_CTX *mem_ctx,
+ const char *attr_name,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_primary_fqdn)
+{
+ errno_t ret;
+ const char *shortname = NULL;
+ const char *primary_fqdn = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sdap_get_primary_name(tmp_ctx, attr_name, attrs, dom, &shortname);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ primary_fqdn = sss_create_internal_fqname(tmp_ctx, shortname, dom->name);
+ if (primary_fqdn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+ *_primary_fqdn = talloc_steal(mem_ctx, primary_fqdn);
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sdap_get_user_primary_name(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct
sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_user_name)
+{
+ return sdap_get_primary_fqdn(memctx,
+ opts->user_map[SDAP_AT_USER_NAME].name,
+ attrs, dom, _user_name);
+}
+
+errno_t sdap_get_group_primary_name(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_group_name)
+{
+ return sdap_get_primary_fqdn(memctx,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ attrs, dom, _group_name);
+}
+
+errno_t sdap_get_netgroup_primary_name(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_netgroup_name)
+{
+ return sdap_get_primary_name(memctx,
+ opts->netgroup_map[SDAP_AT_NETGROUP_NAME].name,
+ attrs, dom, _netgroup_name);
+}
+
+char *sdap_make_oc_list(TALLOC_CTX *mem_ctx, struct sdap_attr_map *map)
+{
+ if (map[SDAP_OC_GROUP_ALT].name == NULL) {
+ return talloc_asprintf(mem_ctx, "objectClass=%s",
+ map[SDAP_OC_GROUP].name);
+ } else {
+ return talloc_asprintf(mem_ctx,
+ "|(objectClass=%s)(objectClass=%s)",
+ map[SDAP_OC_GROUP].name,
+ map[SDAP_OC_GROUP_ALT].name);
+ }
+}
+
+struct sss_domain_info *sdap_get_object_domain(struct sdap_options *opts,
+ struct sysdb_attrs *obj,
+ struct sss_domain_info *dom)
+{
+ errno_t ret;
+ const char *original_dn = NULL;
+ struct sdap_domain *sdmatch = NULL;
+
+ ret = sysdb_attrs_get_string(obj, SYSDB_ORIG_DN, &original_dn);
+ if (ret) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The group has no original DN, assuming our domain\n");
+ return dom;
+ }
+
+ sdmatch = sdap_domain_get_by_dn(opts, original_dn);
+ if (sdmatch == NULL) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The original DN of the group cannot "
+ "be related to any search base\n");
+ return dom;
+ }
+
+ return sdmatch->dom;
+}
+
+bool sdap_object_in_domain(struct sdap_options *opts,
+ struct sysdb_attrs *obj,
+ struct sss_domain_info *dom)
+{
+ struct sss_domain_info *obj_dom;
+
+ obj_dom = sdap_get_object_domain(opts, obj, dom);
+ if
(obj_dom == NULL) { + return false; + } + + return (obj_dom == dom); +} + +size_t sdap_steal_objects_in_dom(struct sdap_options *opts, + struct sysdb_attrs **dom_objects, + size_t offset, + struct sss_domain_info *dom, + struct sysdb_attrs **all_objects, + size_t count, + bool filter) +{ + size_t copied = 0; + + /* Own objects from all_objects by dom_objects in case they belong + * to domain dom. + * + * Don't copy objects from other domains in case + * the search was for parent domain but a child domain would match, + * too, such as: + * dc=example,dc=com + * dc=child,dc=example,dc=com + * while searching for an object from dc=example. + */ + for (size_t i = 0; i < count; i++) { + if (filter && + sdap_object_in_domain(opts, all_objects[i], dom) == false) { + continue; + } + + dom_objects[offset + copied] = + talloc_steal(dom_objects, all_objects[i]); + copied++; + } + + return copied; +} + +void sdap_domain_copy_search_bases(struct sdap_domain *to, + struct sdap_domain *from) +{ + to->search_bases = from->search_bases; + to->user_search_bases = from->user_search_bases; + to->group_search_bases = from->group_search_bases; + to->netgroup_search_bases = from->netgroup_search_bases; + to->sudo_search_bases = from->sudo_search_bases; + to->service_search_bases = from->service_search_bases; + to->autofs_search_bases = from->autofs_search_bases; +} diff --git a/src/providers/ldap/sdap.h b/src/providers/ldap/sdap.h new file mode 100644 index 0000000..31c25c3 --- /dev/null +++ b/src/providers/ldap/sdap.h 
@@ -0,0 +1,676 @@
+/*
+ SSSD
+
+ LDAP Helper routines
+
+ Copyright (C) Simo Sorce
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SDAP_H_
+#define _SDAP_H_
+
+#include "providers/backend.h"
+#include
+#include "util/sss_ldap.h"
+#include "lib/certmap/sss_certmap.h"
+
+struct sdap_msg {
+ struct sdap_msg *next;
+ LDAPMessage *msg;
+};
+
+struct sdap_op;
+
+typedef void (sdap_op_callback_t)(struct sdap_op *op,
+ struct sdap_msg *, int, void *);
+
+struct sdap_handle;
+
+struct sdap_op {
+ struct sdap_op *prev, *next;
+ struct sdap_handle *sh;
+
+ int msgid;
+ bool done;
+
+ sdap_op_callback_t *callback;
+ void *data;
+
+ struct tevent_context *ev;
+ struct sdap_msg *list;
+ struct sdap_msg *last;
+};
+
+struct fd_event_item {
+ struct fd_event_item *prev;
+ struct fd_event_item *next;
+
+ int fd;
+ struct tevent_fd *fde;
+};
+
+struct ldap_cb_data {
+ struct sdap_handle *sh;
+ struct tevent_context *ev;
+ struct fd_event_item *fd_list;
+};
+
+struct sup_list {
+ int num_vals;
+ char **vals;
+};
+
+struct sdap_handle {
+ LDAP *ldap;
+ bool connected;
+ /* Authentication ticket expiration time (if any) */
+ time_t expire_time;
+ ber_int_t page_size;
+ bool disable_deref;
+
+ struct sdap_fd_events *sdap_fd_events;
+
+ struct sup_list supported_saslmechs;
+ struct sup_list supported_controls;
+ struct sup_list supported_extensions;
+
+ struct sdap_op *ops;
+
+ /* during release we need to lock access to the
handler
+ * from the destructor to avoid recursion */
+ bool destructor_lock;
+ /* mark when it is safe to finally release the handler memory */
+ bool release_memory;
+};
+
+struct sdap_service {
+ char *name;
+ char *uri;
+ char *kinit_service_name;
+ struct sockaddr_storage *sockaddr;
+};
+
+struct sdap_ppolicy_data {
+ int grace;
+ int expire;
+};
+
+#define SYSDB_SHADOWPW_LASTCHANGE "shadowLastChange"
+#define SYSDB_SHADOWPW_MIN "shadowMin"
+#define SYSDB_SHADOWPW_MAX "shadowMax"
+#define SYSDB_SHADOWPW_WARNING "shadowWarning"
+#define SYSDB_SHADOWPW_INACTIVE "shadowInactive"
+#define SYSDB_SHADOWPW_EXPIRE "shadowExpire"
+#define SYSDB_SHADOWPW_FLAG "shadowFlag"
+
+#define SYSDB_NS_ACCOUNT_LOCK "nsAccountLock"
+
+#define SYSDB_KRBPW_LASTCHANGE "krbLastPwdChange"
+#define SYSDB_KRBPW_EXPIRATION "krbPasswordExpiration"
+
+#define SYSDB_PWD_ATTRIBUTE "pwdAttribute"
+
+#define SYSDB_NDS_LOGIN_DISABLED "ndsLoginDisabled"
+#define SYSDB_NDS_LOGIN_EXPIRATION_TIME "ndsLoginExpirationTime"
+#define SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP "ndsLoginAllowedTimeMap"
+
+#define SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS "namingContexts"
+#define SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT "defaultNamingContext"
+#define SDAP_ROOTDSE_ATTR_AD_VERSION "domainControllerFunctionality"
+#define SDAP_ROOTDSE_ATTR_AD_SCHEMA_NC "schemaNamingContext"
+
+#define SDAP_IPA_USN "entryUSN"
+#define SDAP_IPA_LAST_USN "lastUSN"
+#define SDAP_AD_USN "uSNChanged"
+#define SDAP_AD_LAST_USN "highestCommittedUSN"
+
+#define SDAP_AD_GROUP_TYPE_BUILTIN 0x00000001
+#define SDAP_AD_GROUP_TYPE_GLOBAL 0x00000002
+#define SDAP_AD_GROUP_TYPE_DOMAIN_LOCAL 0x00000004
+#define SDAP_AD_GROUP_TYPE_UNIVERSAL 0x00000008
+#define SDAP_AD_GROUP_TYPE_APP_BASIC 0x00000010
+#define SDAP_AD_GROUP_TYPE_APP_QUERY 0x00000020
+#define SDAP_AD_GROUP_TYPE_SECURITY 0x80000000
+
+enum sdap_basic_opt {
+ SDAP_URI = 0,
+ SDAP_BACKUP_URI,
+ SDAP_SEARCH_BASE,
+ SDAP_DEFAULT_BIND_DN,
+ SDAP_DEFAULT_AUTHTOK_TYPE,
+ SDAP_DEFAULT_AUTHTOK, +
SDAP_SEARCH_TIMEOUT,
+ SDAP_NETWORK_TIMEOUT,
+ SDAP_OPT_TIMEOUT,
+ SDAP_TLS_REQCERT,
+ SDAP_USER_SEARCH_BASE,
+ SDAP_USER_SEARCH_SCOPE,
+ SDAP_USER_SEARCH_FILTER,
+ SDAP_USER_EXTRA_ATTRS,
+ SDAP_GROUP_SEARCH_BASE,
+ SDAP_GROUP_SEARCH_SCOPE,
+ SDAP_GROUP_SEARCH_FILTER,
+ SDAP_HOST_SEARCH_BASE,
+ SDAP_SERVICE_SEARCH_BASE,
+ SDAP_SUDO_SEARCH_BASE,
+ SDAP_SUDO_FULL_REFRESH_INTERVAL,
+ SDAP_SUDO_SMART_REFRESH_INTERVAL,
+ SDAP_SUDO_USE_HOST_FILTER,
+ SDAP_SUDO_HOSTNAMES,
+ SDAP_SUDO_IP,
+ SDAP_SUDO_INCLUDE_NETGROUPS,
+ SDAP_SUDO_INCLUDE_REGEXP,
+ SDAP_AUTOFS_SEARCH_BASE,
+ SDAP_AUTOFS_MAP_MASTER_NAME,
+ SDAP_SCHEMA,
+ SDAP_OFFLINE_TIMEOUT,
+ SDAP_FORCE_UPPER_CASE_REALM,
+ SDAP_ENUM_REFRESH_TIMEOUT,
+ SDAP_PURGE_CACHE_TIMEOUT,
+ SDAP_TLS_CACERT,
+ SDAP_TLS_CACERTDIR,
+ SDAP_TLS_CERT,
+ SDAP_TLS_KEY,
+ SDAP_TLS_CIPHER_SUITE,
+ SDAP_ID_TLS,
+ SDAP_ID_MAPPING,
+ SDAP_SASL_MECH,
+ SDAP_SASL_AUTHID,
+ SDAP_SASL_REALM,
+ SDAP_SASL_MINSSF,
+ SDAP_KRB5_KEYTAB,
+ SDAP_KRB5_KINIT,
+ SDAP_KRB5_KDC,
+ SDAP_KRB5_BACKUP_KDC,
+ SDAP_KRB5_REALM,
+ SDAP_KRB5_CANONICALIZE,
+ SDAP_KRB5_USE_KDCINFO,
+ SDAP_PWD_POLICY,
+ SDAP_REFERRALS,
+ SDAP_ACCOUNT_CACHE_EXPIRATION,
+ SDAP_DNS_SERVICE_NAME,
+ SDAP_KRB5_TICKET_LIFETIME,
+ SDAP_ACCESS_FILTER,
+ SDAP_NETGROUP_SEARCH_BASE,
+ SDAP_NESTING_LEVEL,
+ SDAP_DEREF,
+ SDAP_ACCOUNT_EXPIRE_POLICY,
+ SDAP_ACCESS_ORDER,
+ SDAP_CHPASS_URI,
+ SDAP_CHPASS_BACKUP_URI,
+ SDAP_CHPASS_DNS_SERVICE_NAME,
+ SDAP_CHPASS_UPDATE_LAST_CHANGE,
+ SDAP_ENUM_SEARCH_TIMEOUT,
+ SDAP_DISABLE_AUTH_TLS,
+ SDAP_PAGE_SIZE,
+ SDAP_DEREF_THRESHOLD,
+ SDAP_SASL_CANONICALIZE,
+ SDAP_EXPIRE_TIMEOUT,
+ SDAP_DISABLE_PAGING,
+ SDAP_IDMAP_LOWER,
+ SDAP_IDMAP_UPPER,
+ SDAP_IDMAP_RANGESIZE,
+ SDAP_IDMAP_AUTORID_COMPAT,
+ SDAP_IDMAP_DEFAULT_DOMAIN,
+ SDAP_IDMAP_DEFAULT_DOMAIN_SID,
+ SDAP_IDMAP_EXTRA_SLICE_INIT,
+ SDAP_AD_MATCHING_RULE_GROUPS,
+ SDAP_AD_MATCHING_RULE_INITGROUPS,
+ SDAP_AD_USE_TOKENGROUPS,
+ SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS,
+ SDAP_DISABLE_RANGE_RETRIEVAL,
+ SDAP_MIN_ID, +
SDAP_MAX_ID,
+ SDAP_PWDLOCKOUT_DN,
+ SDAP_WILDCARD_LIMIT,
+
+ SDAP_OPTS_BASIC /* opts counter */
+};
+
+enum sdap_gen_attrs {
+ SDAP_AT_ENTRY_USN = 0,
+ SDAP_AT_LAST_USN,
+
+ SDAP_AT_GENERAL /* attrs counter */
+};
+
+/* the objectclass must be the first attribute.
+ * Functions depend on this */
+enum sdap_user_attrs {
+ SDAP_OC_USER = 0,
+ SDAP_AT_USER_NAME,
+ SDAP_AT_USER_PWD,
+ SDAP_AT_USER_UID,
+ SDAP_AT_USER_GID,
+ SDAP_AT_USER_GECOS,
+ SDAP_AT_USER_HOME,
+ SDAP_AT_USER_SHELL,
+ SDAP_AT_USER_PRINC,
+ SDAP_AT_USER_FULLNAME,
+ SDAP_AT_USER_MEMBEROF,
+ SDAP_AT_USER_UUID,
+ SDAP_AT_USER_OBJECTSID,
+ SDAP_AT_USER_PRIMARY_GROUP,
+ SDAP_AT_USER_MODSTAMP,
+ SDAP_AT_USER_USN,
+ SDAP_AT_SP_LSTCHG,
+ SDAP_AT_SP_MIN,
+ SDAP_AT_SP_MAX,
+ SDAP_AT_SP_WARN,
+ SDAP_AT_SP_INACT,
+ SDAP_AT_SP_EXPIRE,
+ SDAP_AT_SP_FLAG,
+ SDAP_AT_KP_LASTCHANGE,
+ SDAP_AT_KP_EXPIRATION,
+ SDAP_AT_PWD_ATTRIBUTE,
+ SDAP_AT_AUTH_SVC,
+ SDAP_AT_AD_ACCOUNT_EXPIRES,
+ SDAP_AT_AD_USER_ACCOUNT_CONTROL,
+ SDAP_AT_NS_ACCOUNT_LOCK,
+ SDAP_AT_AUTHORIZED_HOST,
+ SDAP_AT_AUTHORIZED_RHOST,
+ SDAP_AT_NDS_LOGIN_DISABLED,
+ SDAP_AT_NDS_LOGIN_EXPIRATION_TIME,
+ SDAP_AT_NDS_LOGIN_ALLOWED_TIME_MAP,
+ SDAP_AT_USER_SSH_PUBLIC_KEY,
+ SDAP_AT_USER_AUTH_TYPE,
+ SDAP_AT_USER_CERT,
+ SDAP_AT_USER_EMAIL,
+
+ SDAP_OPTS_USER /* attrs counter */
+};
+
+#define SDAP_FIRST_EXTRA_USER_AT SDAP_AT_SP_LSTCHG
+
+/* the objectclass must be the first attribute.
+ * Functions depend on this */
+enum sdap_group_attrs {
+ SDAP_OC_GROUP = 0,
+ SDAP_OC_GROUP_ALT,
+ SDAP_AT_GROUP_NAME,
+ SDAP_AT_GROUP_PWD,
+ SDAP_AT_GROUP_GID,
+ SDAP_AT_GROUP_MEMBER,
+ SDAP_AT_GROUP_UUID,
+ SDAP_AT_GROUP_OBJECTSID,
+ SDAP_AT_GROUP_MODSTAMP,
+ SDAP_AT_GROUP_USN,
+ SDAP_AT_GROUP_TYPE,
+ SDAP_AT_GROUP_EXT_MEMBER,
+
+ SDAP_OPTS_GROUP /* attrs counter */
+};
+
+enum sdap_netgroup_attrs {
+ SDAP_OC_NETGROUP = 0,
+ SDAP_AT_NETGROUP_NAME,
+ SDAP_AT_NETGROUP_MEMBER,
+ SDAP_AT_NETGROUP_TRIPLE,
+ SDAP_AT_NETGROUP_MODSTAMP,
+
+ SDAP_OPTS_NETGROUP /* attrs counter */
+};
+
+enum sdap_sudorule_attrs {
+ SDAP_OC_SUDORULE = 0,
+ SDAP_AT_SUDO_NAME,
+ SDAP_AT_SUDO_COMMAND,
+ SDAP_AT_SUDO_HOST,
+ SDAP_AT_SUDO_USER,
+ SDAP_AT_SUDO_OPTION,
+ SDAP_AT_SUDO_RUNAS,
+ SDAP_AT_SUDO_RUNASUSER,
+ SDAP_AT_SUDO_RUNASGROUP,
+ SDAP_AT_SUDO_NOTBEFORE,
+ SDAP_AT_SUDO_NOTAFTER,
+ SDAP_AT_SUDO_ORDER,
+ SDAP_AT_SUDO_USN,
+
+ SDAP_OPTS_SUDO /* attrs counter */
+};
+
+enum sdap_host_attrs {
+ SDAP_OC_HOST = 0,
+ SDAP_AT_HOST_NAME,
+ SDAP_AT_HOST_FQDN,
+ SDAP_AT_HOST_SERVERHOSTNAME,
+ SDAP_AT_HOST_MEMBER_OF,
+ SDAP_AT_HOST_SSH_PUBLIC_KEY,
+ SDAP_AT_HOST_UUID,
+
+ SDAP_OPTS_HOST /* attrs counter */
+};
+
+enum sdap_service_attrs {
+ SDAP_OC_SERVICE = 0,
+ SDAP_AT_SERVICE_NAME,
+ SDAP_AT_SERVICE_PORT,
+ SDAP_AT_SERVICE_PROTOCOL,
+ SDAP_AT_SERVICE_USN,
+ SDAP_OPTS_SERVICES /* attrs counter */
+};
+
+enum sdap_autofs_map_attrs {
+ SDAP_OC_AUTOFS_MAP,
+ SDAP_AT_AUTOFS_MAP_NAME,
+
+ SDAP_OPTS_AUTOFS_MAP /* attrs counter */
+};
+
+enum sdap_autofs_entry_attrs {
+ SDAP_OC_AUTOFS_ENTRY,
+ SDAP_AT_AUTOFS_ENTRY_KEY,
+ SDAP_AT_AUTOFS_ENTRY_VALUE,
+
+ SDAP_OPTS_AUTOFS_ENTRY /* attrs counter */
+};
+
+struct sdap_attr_map {
+ const char *opt_name;
+ const char *def_name;
+ const char *sys_name;
+ char *name;
+};
+#define SDAP_ATTR_MAP_TERMINATOR { NULL, NULL, NULL, NULL }
+
+struct sdap_search_base {
+ const char *basedn;
+ int scope;
+ const char *filter;
+};
+
+errno_t
+sdap_create_search_base(TALLOC_CTX *mem_ctx,
+ const char *unparsed_base,
+ int scope,
+ const char *filter,
+ struct sdap_search_base **_base);
+
+/* Values from
+ * http://msdn.microsoft.com/en-us/library/cc223272%28v=prot.13%29.aspx
+ */
+enum dc_functional_level {
+ DS_BEHAVIOR_WIN2000 = 0,
+ DS_BEHAVIOR_WIN2003 = 2,
+ DS_BEHAVIOR_WIN2008 = 3,
+ DS_BEHAVIOR_WIN2008R2 = 4,
+ DS_BEHAVIOR_WIN2012 = 5,
+ DS_BEHAVIOR_WIN2012R2 = 6,
+ DS_BEHAVIOR_WIN2016 = 7,
+};
+
+struct sdap_domain {
+ struct sss_domain_info *dom;
+
+ char *basedn;
+
+ struct sdap_search_base **search_bases;
+ struct sdap_search_base **user_search_bases;
+ struct sdap_search_base **group_search_bases;
+ struct sdap_search_base **netgroup_search_bases;
+ struct sdap_search_base **host_search_bases;
+ struct sdap_search_base **sudo_search_bases;
+ struct sdap_search_base **service_search_bases;
+ struct sdap_search_base **autofs_search_bases;
+
+ struct sdap_domain *next, *prev;
+ /* Need to modify the list from a talloc destructor */
+ struct sdap_domain **head;
+
+ /* Enumeration and cleanup periodic task */
+ struct be_ptask *enum_task;
+ struct be_ptask *cleanup_task;
+
+ /* enumeration loop timer */
+ struct timeval last_enum;
+ /* cleanup loop timer */
+ struct timeval last_purge;
+
+ void *pvt;
+};
+
+typedef struct tevent_req *
+(*ext_member_send_fn_t)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *ext_member,
+ void *pvt);
+typedef errno_t
+(*ext_member_recv_fn_t)(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ enum sysdb_member_type *member_type,
+ struct sss_domain_info **_dom,
+ struct sysdb_attrs **_member);
+
+struct sdap_ext_member_ctx {
+ /* Typically ID context of the external ID provider */
+ void *pvt;
+
+ ext_member_send_fn_t ext_member_resolve_send;
+ ext_member_recv_fn_t ext_member_resolve_recv;
+};
+
+struct sdap_certmap_ctx;
+
+struct sdap_options {
+ struct dp_option *basic;
+ struct data_provider *dp;
+ struct sdap_attr_map *gen_map;
+ struct
sdap_attr_map *user_map;
+ size_t user_map_cnt;
+ struct sdap_attr_map *group_map;
+ struct sdap_attr_map *netgroup_map;
+ struct sdap_attr_map *host_map;
+ struct sdap_attr_map *service_map;
+
+ /* ID-mapping support */
+ struct sdap_idmap_ctx *idmap_ctx;
+
+ /* Resolving external members */
+ struct sdap_ext_member_ctx *ext_ctx;
+
+ /* FIXME - should this go to a special struct to avoid mixing with name-service-switch maps? */
+ struct sdap_attr_map *sudorule_map;
+ struct sdap_attr_map *autofs_mobject_map;
+ struct sdap_attr_map *autofs_entry_map;
+
+ /* supported schema types */
+ enum schema_type {
+ SDAP_SCHEMA_RFC2307 = 1, /* memberUid = uid */
+ SDAP_SCHEMA_RFC2307BIS = 2, /* member = dn */
+ SDAP_SCHEMA_IPA_V1 = 3, /* member/memberof */
+ SDAP_SCHEMA_AD = 4 /* AD's member/memberof */
+ } schema_type;
+
+ /* The search bases for the domain or its subdomain */
+ struct sdap_domain *sdom;
+
+ /* The options below are normally only used with AD */
+ bool support_matching_rule;
+ enum dc_functional_level dc_functional_level;
+ const char *schema_basedn;
+
+ /* Certificate mapping support */
+ struct sdap_certmap_ctx *sdap_certmap_ctx;
+};
+
+struct sdap_server_opts {
+ char *server_id;
+ bool supports_usn;
+ unsigned long last_usn;
+ char *max_user_value;
+ char *max_group_value;
+ char *max_service_value;
+ char *max_sudo_value;
+};
+
+struct sdap_id_ctx;
+
+struct sdap_attr_map_info {
+ struct sdap_attr_map *map;
+ int num_attrs;
+};
+
+struct sdap_deref_attrs {
+ struct sdap_attr_map *map;
+ struct sysdb_attrs *attrs;
+};
+
+errno_t sdap_copy_map_entry(const struct sdap_attr_map *src_map,
+ struct sdap_attr_map *dst_map,
+ int entry_index);
+
+int sdap_copy_map(TALLOC_CTX *memctx,
+ struct sdap_attr_map *src_map,
+ int num_entries,
+ struct sdap_attr_map **_map);
+
+/**
+ * @brief Add attributes to a map
+ *
+ * sdap_extend_map() will call talloc_realloc() on the second argument so the
+ * original storage location might change.
The return value _map will always
+ * contain the current memory location which can be used with talloc_free()
+ * even if there is an error.
+ *
+ * @param[in] memctx Talloc memory context
+ * @param[in] src_map Original map, should not be accessed anymore
+ * @param[in] num_entries Number of entries in the original map
+ * @param[in] extra_attrs NULL-terminated array of extra attribute pairs
+ * sysdb_attr:ldap_attr
+ * @param[out] _map New map
+ * @param[out] _new_size Number of entries in the new map
+ *
+ * @return
+ * - EOK success
+ * - ENOMEM memory allocation failed
+ * - ERR_DUP_EXTRA_ATTR sysdb attribute is already used
+ */
+int sdap_extend_map(TALLOC_CTX *memctx,
+ struct sdap_attr_map *src_map,
+ size_t num_entries,
+ char **extra_attrs,
+ struct sdap_attr_map **_map,
+ size_t *_new_size);
+
+int sdap_extend_map_with_list(TALLOC_CTX *mem_ctx,
+ struct sdap_options *opts,
+ int extra_attr_index,
+ struct sdap_attr_map *src_map,
+ size_t num_entries,
+ struct sdap_attr_map **_map,
+ size_t *_new_size);
+
+void sdap_inherit_options(char **inherit_opt_list,
+ struct sdap_options *parent_sdap_opts,
+ struct sdap_options *child_sdap_opts);
+
+int sdap_get_map(TALLOC_CTX *memctx,
+ struct confdb_ctx *cdb,
+ const char *conf_path,
+ struct sdap_attr_map *def_map,
+ int num_entries,
+ struct sdap_attr_map **_map);
+
+int sdap_parse_entry(TALLOC_CTX *memctx,
+ struct sdap_handle *sh, struct sdap_msg *sm,
+ struct sdap_attr_map *map, int attrs_num,
+ struct sysdb_attrs **_attrs,
+ bool disable_range_retrieval);
+
+errno_t sdap_parse_deref(TALLOC_CTX *mem_ctx,
+ struct sdap_attr_map_info *minfo,
+ size_t num_maps,
+ LDAPDerefRes *dref,
+ struct sdap_deref_attrs ***_deref_res);
+
+errno_t setup_tls_config(struct dp_option *basic_opts);
+
+int sdap_set_rootdse_supported_lists(struct sysdb_attrs *rootdse,
+ struct sdap_handle *sh);
+bool sdap_check_sup_list(struct sup_list *l, const char *val);
+
+#define sdap_is_sasl_mech_supported(sh, sasl_mech) \ +
sdap_check_sup_list(&((sh)->supported_saslmechs), sasl_mech)
+
+#define sdap_is_control_supported(sh, ctrl_oid) \
+ sdap_check_sup_list(&((sh)->supported_controls), ctrl_oid)
+
+#define sdap_is_extension_supported(sh, ext_oid) \
+ sdap_check_sup_list(&((sh)->supported_extensions), ext_oid)
+
+int build_attrs_from_map(TALLOC_CTX *memctx,
+ struct sdap_attr_map *map,
+ size_t size,
+ const char **filter,
+ const char ***_attrs,
+ size_t *attr_count);
+
+int sdap_control_create(struct sdap_handle *sh, const char *oid, int iscritical,
+ struct berval *value, int dupval, LDAPControl **ctrlp);
+
+int sdap_replace_id(struct sysdb_attrs *entry, const char *attr, id_t val);
+
+errno_t sdap_get_group_primary_name(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_group_name);
+
+errno_t sdap_get_user_primary_name(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_user_name);
+
+errno_t sdap_get_netgroup_primary_name(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct sysdb_attrs *attrs,
+ struct sss_domain_info *dom,
+ const char **_netgroup_name);
+
+errno_t sdap_set_config_options_with_rootdse(struct sysdb_attrs *rootdse,
+ struct sdap_options *opts,
+ struct sdap_domain *sdom);
+int sdap_get_server_opts_from_rootdse(TALLOC_CTX *memctx,
+ const char *server,
+ struct sysdb_attrs *rootdse,
+ struct sdap_options *opts,
+ struct sdap_server_opts **srv_opts);
+void sdap_steal_server_opts(struct sdap_id_ctx *id_ctx,
+ struct sdap_server_opts **srv_opts);
+
+char *sdap_make_oc_list(TALLOC_CTX *mem_ctx, struct sdap_attr_map *map);
+
+size_t sdap_steal_objects_in_dom(struct sdap_options *opts,
+ struct sysdb_attrs **dom_objects,
+ size_t offset,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs **all_objects,
+ size_t count,
+ bool filter);
+
+struct sss_domain_info *sdap_get_object_domain(struct sdap_options *opts,
+ struct
sysdb_attrs *obj,
+ struct sss_domain_info *dom);
+
+bool sdap_object_in_domain(struct sdap_options *opts,
+ struct sysdb_attrs *obj,
+ struct sss_domain_info *dom);
+
+void sdap_domain_copy_search_bases(struct sdap_domain *to,
+ struct sdap_domain *from);
+
+#endif /* _SDAP_H_ */
diff --git a/src/providers/ldap/sdap_access.c b/src/providers/ldap/sdap_access.c
new file mode 100644
index 0000000..1ee4dcd
--- /dev/null
+++ b/src/providers/ldap/sdap_access.c
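Review bot: The prototype of `sdap_steal_objects_in_dom()` near the end of this header says nothing about how large `dom_objects` must be, while the implementation added to sdap.c in this same patch stores to `dom_objects[offset + copied]` for up to `count` entries with no bounds check. A caller that sizes the destination from anything smaller than `offset + count` would write past the end of the array, so the capacity contract belongs next to the declaration. I would add above it: `/* dom_objects must hold at least offset + count entries; each accepted object is re-parented to dom_objects. Returns the number of entries stored from dom_objects[offset] on. */`. Only `sdap_extend_map()` has a Doxygen block in this header, so the same treatment for the other prototypes that hand out or take over talloc memory would be a sensible follow-up.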
@@ -0,0 +1,2045 @@
+/*
+ SSSD
+
+ sdap_access.c
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/strtonum.h"
+#include "db/sysdb.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_access.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/data_provider.h"
+#include "providers/backend.h"
+#include "providers/ldap/ldap_auth.h"
+
+#define PERMANENTLY_LOCKED_ACCOUNT "000001010000Z"
+#define MALFORMED_FILTER "Malformed access control filter [%s]\n"
+
+enum sdap_pwpolicy_mode {
+ PWP_LOCKOUT_ONLY,
+ PWP_LOCKOUT_EXPIRE,
+ PWP_SENTINEL,
+};
+
+static errno_t perform_pwexpire_policy(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ struct pam_data *pd,
+ struct sdap_options *opts);
+
+static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
+ const char *username,
+ const char *attr_name,
+ bool value);
+
+static errno_t sdap_get_basedn_user_entry(struct ldb_message *user_entry,
+ const char *username,
+ const char **_basedn);
+
+static struct tevent_req *
+sdap_access_ppolicy_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx
*conn,
+ const char *username,
+ struct ldb_message *user_entry,
+ enum sdap_pwpolicy_mode pwpol_mod);
+
+static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
+ const char *username,
+ struct ldb_message *user_entry);
+
+static errno_t sdap_access_filter_recv(struct tevent_req *req);
+
+static errno_t sdap_access_ppolicy_recv(struct tevent_req *req);
+
+static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
+ struct pam_data *pd,
+ struct ldb_message *user_entry);
+
+static errno_t sdap_access_service(struct pam_data *pd,
+ struct ldb_message *user_entry);
+
+static errno_t sdap_access_host(struct ldb_message *user_entry);
+
+errno_t sdap_access_rhost(struct ldb_message *user_entry, char *rhost);
+
+enum sdap_access_control_type {
+ SDAP_ACCESS_CONTROL_FILTER,
+ SDAP_ACCESS_CONTROL_PPOLICY_LOCK,
+};
+
+struct sdap_access_req_ctx {
+ struct pam_data *pd;
+ struct tevent_context *ev;
+ struct sdap_access_ctx *access_ctx;
+ struct sdap_id_conn_ctx *conn;
+ struct be_ctx *be_ctx;
+ struct sss_domain_info *domain;
+ struct ldb_message *user_entry;
+ size_t current_rule;
+ enum sdap_access_control_type ac_type;
+};
+
+static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
+ struct tevent_req *req);
+static void sdap_access_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_access_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
+ struct pam_data *pd)
+{
+ errno_t ret;
+ struct sdap_access_req_ctx *state;
+ struct tevent_req *req;
+ struct ldb_result *res;
+ const char *attrs[] = { "*", NULL };
+
+ req = tevent_req_create(mem_ctx, &state, struct sdap_access_req_ctx);
+ if (req == NULL) {
+
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+
+ state->be_ctx = be_ctx;
+ state->domain = domain;
+ state->pd = pd;
+ state->ev = ev;
+ state->access_ctx = access_ctx;
+ state->conn = conn;
+ state->current_rule = 0;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access check for user [%s]\n", pd->user);
+
+ if (access_ctx->access_rule[0] == LDAP_ACCESS_EMPTY) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "No access rules defined, access denied.\n");
+ ret = ERR_ACCESS_DENIED;
+ goto done;
+ }
+
+ /* Get original user DN, domain already points to the right (sub)domain */
+ ret = sysdb_get_user_attr(state, domain, pd->user, attrs, &res);
+ if (ret != EOK) {
+ if (ret == ENOENT) {
+ /* If we can't find the user, return access denied */
+ ret = ERR_ACCESS_DENIED;
+ goto done;
+ }
+ goto done;
+ }
+ else {
+ if (res->count == 0) {
+ /* If we can't find the user, return access denied */
+ ret = ERR_ACCESS_DENIED;
+ goto done;
+ }
+
+ if (res->count != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid response from sysdb_get_user_attr\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ state->user_entry = res->msgs[0];
+
+ ret = sdap_access_check_next_rule(state, req);
+ if (ret == EAGAIN) {
+ return req;
+ }
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t sdap_access_check_next_rule(struct sdap_access_req_ctx *state,
+ struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ int ret = EOK;
+
+ while (ret == EOK) {
+ switch (state->access_ctx->access_rule[state->current_rule]) {
+ case LDAP_ACCESS_EMPTY:
+ /* we are done with no errors */
+ return EOK;
+
+ /* This option is deprecated by LDAP_ACCESS_PPOLICY */
+ case LDAP_ACCESS_LOCKOUT:
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "WARNING: %s option is deprecated and might be removed in "
+ "a future release.
Please migrate to %s option instead.\n",
+ LDAP_ACCESS_LOCK_NAME, LDAP_ACCESS_PPOLICY_NAME);
+
+ subreq = sdap_access_ppolicy_send(state, state->ev, state->be_ctx,
+ state->domain,
+ state->access_ctx,
+ state->conn,
+ state->pd->user,
+ state->user_entry,
+ PWP_LOCKOUT_ONLY);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_access_ppolicy_send failed.\n");
+ return ENOMEM;
+ }
+
+ state->ac_type = SDAP_ACCESS_CONTROL_PPOLICY_LOCK;
+
+ tevent_req_set_callback(subreq, sdap_access_done, req);
+ return EAGAIN;
+
+ case LDAP_ACCESS_PPOLICY:
+ subreq = sdap_access_ppolicy_send(state, state->ev, state->be_ctx,
+ state->domain,
+ state->access_ctx,
+ state->conn,
+ state->pd->user,
+ state->user_entry,
+ PWP_LOCKOUT_EXPIRE);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_access_ppolicy_send failed.\n");
+ return ENOMEM;
+ }
+
+ state->ac_type = SDAP_ACCESS_CONTROL_PPOLICY_LOCK;
+
+ tevent_req_set_callback(subreq, sdap_access_done, req);
+ return EAGAIN;
+
+ case LDAP_ACCESS_FILTER:
+ subreq = sdap_access_filter_send(state, state->ev, state->be_ctx,
+ state->domain,
+ state->access_ctx,
+ state->conn,
+ state->pd->user,
+ state->user_entry);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_filter_send failed.\n");
+ return ENOMEM;
+ }
+
+ state->ac_type = SDAP_ACCESS_CONTROL_FILTER;
+
+ tevent_req_set_callback(subreq, sdap_access_done, req);
+ return EAGAIN;
+
+ case LDAP_ACCESS_EXPIRE:
+ ret = sdap_account_expired(state->access_ctx,
+ state->pd, state->user_entry);
+ break;
+
+ case LDAP_ACCESS_EXPIRE_POLICY_REJECT:
+ ret = perform_pwexpire_policy(state, state->domain, state->pd,
+ state->access_ctx->id_ctx->opts);
+ if (ret == ERR_PASSWORD_EXPIRED) {
+ ret = ERR_PASSWORD_EXPIRED_REJECT;
+ }
+ break;
+
+ case LDAP_ACCESS_EXPIRE_POLICY_WARN:
+ ret = perform_pwexpire_policy(state, state->domain, state->pd,
+ state->access_ctx->id_ctx->opts);
+ if (ret == ERR_PASSWORD_EXPIRED) {
+ ret = ERR_PASSWORD_EXPIRED_WARN;
+ }
+ break;
+
+
case LDAP_ACCESS_EXPIRE_POLICY_RENEW:
+ ret = perform_pwexpire_policy(state, state->domain, state->pd,
+ state->access_ctx->id_ctx->opts);
+ if (ret == ERR_PASSWORD_EXPIRED) {
+ ret = ERR_PASSWORD_EXPIRED_RENEW;
+ }
+ break;
+
+ case LDAP_ACCESS_SERVICE:
+ ret = sdap_access_service( state->pd, state->user_entry);
+ break;
+
+ case LDAP_ACCESS_HOST:
+ ret = sdap_access_host(state->user_entry);
+ break;
+
+ case LDAP_ACCESS_RHOST:
+ ret = sdap_access_rhost(state->user_entry, state->pd->rhost);
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected access rule type. Access denied.\n");
+ ret = ERR_ACCESS_DENIED;
+ }
+
+ state->current_rule++;
+ }
+
+ return ret;
+}
+
+static void sdap_access_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct sdap_access_req_ctx *state;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_access_req_ctx);
+
+ /* process subrequest */
+ switch(state->ac_type) {
+ case SDAP_ACCESS_CONTROL_FILTER:
+ ret = sdap_access_filter_recv(subreq);
+ break;
+ case SDAP_ACCESS_CONTROL_PPOLICY_LOCK:
+ ret = sdap_access_ppolicy_recv(subreq);
+ break;
+ default:
+ ret = EINVAL;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unknown access control type: %d.\n",
+ state->ac_type);
+ break;
+ }
+
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ if (ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Access was denied.\n");
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error retrieving access check result.\n");
+ }
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->current_rule++;
+
+ ret = sdap_access_check_next_rule(state, req);
+ switch (ret) {
+ case EAGAIN:
+ return;
+ case EOK:
+ tevent_req_done(req);
+ return;
+ default:
+ tevent_req_error(req, ret);
+ return;
+ }
+}
+
+errno_t sdap_access_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+#define SHADOW_EXPIRE_MSG "Account expired according to shadow attributes"
+
+static errno_t
sdap_account_expired_shadow(struct pam_data *pd,
+ struct ldb_message *user_entry)
+{
+ int ret;
+ const char *val;
+ long sp_expire;
+ long today;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access shadow check for user [%s]\n", pd->user);
+
+ val = ldb_msg_find_attr_as_string(user_entry, SYSDB_SHADOWPW_EXPIRE, NULL);
+ if (val == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Shadow expire attribute not found. "
+ "Access will be granted.\n");
+ return EOK;
+ }
+ ret = string_to_shadowpw_days(val, &sp_expire);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to retrieve shadow expire date.\n");
+ return ret;
+ }
+
+ today = (long) (time(NULL) / (60 * 60 * 24));
+ if (sp_expire > 0 && today > sp_expire) {
+
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(SHADOW_EXPIRE_MSG),
+ (const uint8_t *) SHADOW_EXPIRE_MSG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCOUNT_EXPIRED;
+ }
+
+ return EOK;
+}
+
+#define UAC_ACCOUNTDISABLE 0x00000002
+#define AD_NEVER_EXP 0x7fffffffffffffffLL
+#define AD_TO_UNIX_TIME_CONST 11644473600LL
+#define AD_DISABLE_MESSAGE "The user account is disabled on the AD server"
+#define AD_EXPIRED_MESSAGE "The user account is expired on the AD server"
+
+static bool ad_account_expired(uint64_t expiration_time)
+{
+ time_t now;
+ int err;
+ uint64_t nt_now;
+
+ if (expiration_time == 0 || expiration_time == AD_NEVER_EXP) {
+ return false;
+ }
+
+ now = time(NULL);
+ if (now == ((time_t) -1)) {
+ err = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "time failed [%d][%s].\n", err, strerror(err));
+ return true;
+ }
+
+ /* NT timestamps start at 1601-01-01 and use a 100ns base */
+ nt_now = (now + AD_TO_UNIX_TIME_CONST) * 1000 * 1000 * 10;
+
+ if (nt_now > expiration_time) {
+ return true;
+ }
+
+ return false;
+}
+
+static errno_t sdap_account_expired_ad(struct pam_data *pd,
+ struct ldb_message *user_entry)
+{
+ uint32_t uac;
+ uint64_t expiration_time;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing AD access check for user [%s]\n", pd->user);
+
+ uac = ldb_msg_find_attr_as_uint(user_entry, SYSDB_AD_USER_ACCOUNT_CONTROL,
+ 0);
+ DEBUG(SSSDBG_TRACE_ALL, "User account control for user [%s] is [%X].\n",
+ pd->user, uac);
+
+ expiration_time = ldb_msg_find_attr_as_uint64(user_entry,
+ SYSDB_AD_ACCOUNT_EXPIRES, 0);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Expiration time for user [%s] is [%"PRIu64"].\n",
+ pd->user, expiration_time);
+
+ if (uac & UAC_ACCOUNTDISABLE) {
+
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(AD_DISABLE_MESSAGE),
+ (const uint8_t *) AD_DISABLE_MESSAGE);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCESS_DENIED;
+
+ } else if (ad_account_expired(expiration_time)) {
+
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(AD_EXPIRED_MESSAGE),
+ (const uint8_t *) AD_EXPIRED_MESSAGE);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCOUNT_EXPIRED;
+ }
+
+ return EOK;
+}
+
+#define RHDS_LOCK_MSG "The user account is locked on the server"
+
+static errno_t sdap_account_expired_rhds(struct pam_data *pd,
+ struct ldb_message *user_entry)
+{
+ bool locked;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing RHDS access check for user [%s]\n", pd->user);
+
+ locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NS_ACCOUNT_LOCK, false);
+ DEBUG(SSSDBG_TRACE_ALL, "Account for user [%s] is%s locked.\n", pd->user,
+ locked ?
"" : " not" );
+
+ if (locked) {
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(RHDS_LOCK_MSG),
+ (const uint8_t *) RHDS_LOCK_MSG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCESS_DENIED;
+ }
+
+ return EOK;
+}
+
+#define NDS_DISABLE_MSG "The user account is disabled on the server"
+#define NDS_EXPIRED_MSG "The user account is expired"
+#define NDS_TIME_MAP_MSG "The user account is not allowed at this time"
+
+bool nds_check_expired(const char *exp_time_str)
+{
+ time_t expire_time;
+ time_t now;
+ errno_t ret;
+
+ if (exp_time_str == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "ndsLoginExpirationTime is not set, access granted.\n");
+ return false;
+ }
+
+ ret = sss_utc_to_time_t(exp_time_str, "%Y%m%d%H%M%SZ",
+ &expire_time);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_utc_to_time_t failed with %d:%s.\n",
+ ret, sss_strerror(ret));
+ return true;
+ }
+
+ now = time(NULL);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Time info: tzname[0] [%s] tzname[1] [%s] timezone [%ld] "
+ "daylight [%d] now [%ld] expire_time [%ld].\n", tzname[0],
+ tzname[1], timezone, daylight, now, expire_time);
+
+ if (difftime(now, expire_time) > 0.0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "NDS account expired.\n");
+ return true;
+ }
+
+ return false;
+}
+
+/* There is no real documentation of the byte string value of
+ * loginAllowedTimeMap, but some good example code in
+ * http://http://developer.novell.com/documentation/samplecode/extjndi_sample/CheckBind.java.html
+ */
+static bool nds_check_time_map(const struct ldb_val *time_map)
+{
+ time_t now;
+ struct tm *tm_now;
+ size_t map_index;
+ div_t q;
+ uint8_t mask = 0;
+
+ if (time_map == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "loginAllowedTimeMap is missing, access granted.\n");
+ return false;
+ }
+
+ if (time_map->length != 42) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Allowed time map has the wrong size, "
+ "got [%zu], expected 42.\n", time_map->length);
+ return true;
+ }
+
+ now =
time(NULL);
+ tm_now = gmtime(&now);
+
+ map_index = tm_now->tm_wday * 48 + tm_now->tm_hour * 2 +
+ (tm_now->tm_min < 30 ? 0 : 1);
+
+ if (map_index > 335) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected index value [%zu] for time map.\n", map_index);
+ return true;
+ }
+
+ q = div(map_index, 8);
+
+ if (q.quot > 41 || q.quot < 0 || q.rem > 7 || q.rem < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected result of div(), [%zu][%d][%d].\n",
+ map_index, q.quot, q.rem);
+ return true;
+ }
+
+ if (q.rem > 0) {
+ mask = 1 << q.rem;
+ }
+
+ if (time_map->data[q.quot] & mask) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access allowed by time map.\n");
+ return false;
+ }
+
+ return true;
+}
+
+static errno_t sdap_account_expired_nds(struct pam_data *pd,
+ struct ldb_message *user_entry)
+{
+ bool locked = true;
+ int ret;
+ const char *exp_time_str;
+ const struct ldb_val *time_map;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing NDS access check for user [%s]\n", pd->user);
+
+ locked = ldb_msg_find_attr_as_bool(user_entry, SYSDB_NDS_LOGIN_DISABLED,
+ false);
+ DEBUG(SSSDBG_TRACE_ALL, "Account for user [%s] is%s disabled.\n", pd->user,
+ locked ? "" : " not");
+
+ if (locked) {
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(NDS_DISABLE_MSG),
+ (const uint8_t *) NDS_DISABLE_MSG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCESS_DENIED;
+
+ } else {
+ exp_time_str = ldb_msg_find_attr_as_string(user_entry,
+ SYSDB_NDS_LOGIN_EXPIRATION_TIME,
+ NULL);
+ locked = nds_check_expired(exp_time_str);
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Account for user [%s] is%s expired.\n", pd->user,
+ locked ?
"" : " not");
+
+ if (locked) {
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(NDS_EXPIRED_MSG),
+ (const uint8_t *) NDS_EXPIRED_MSG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCESS_DENIED;
+
+ } else {
+ time_map = ldb_msg_find_ldb_val(user_entry,
+ SYSDB_NDS_LOGIN_ALLOWED_TIME_MAP);
+
+ locked = nds_check_time_map(time_map);
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Account for user [%s] is%s locked at this time.\n",
+ pd->user, locked ? "" : " not");
+
+ if (locked) {
+ ret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(NDS_TIME_MAP_MSG),
+ (const uint8_t *) NDS_TIME_MAP_MSG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCESS_DENIED;
+ }
+ }
+ }
+
+ return EOK;
+}
+
+static errno_t sdap_account_expired(struct sdap_access_ctx *access_ctx,
+ struct pam_data *pd,
+ struct ldb_message *user_entry)
+{
+ const char *expire;
+ int ret;
+
+ expire = dp_opt_get_cstring(access_ctx->id_ctx->opts->basic,
+ SDAP_ACCOUNT_EXPIRE_POLICY);
+ if (expire == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing account expire policy.
Access denied\n");
+ return ERR_ACCESS_DENIED;
+ } else {
+ if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_SHADOW) == 0) {
+ ret = sdap_account_expired_shadow(pd, user_entry);
+ if (ret == ERR_ACCOUNT_EXPIRED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_shadow: %s.\n", sss_strerror(ret));
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_shadow failed.\n");
+ }
+ } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_AD) == 0) {
+ ret = sdap_account_expired_ad(pd, user_entry);
+ if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_ad: %s.\n", sss_strerror(ret));
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_account_expired_ad failed.\n");
+ }
+ } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_RHDS) == 0 ||
+ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0 ||
+ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_389DS) == 0) {
+ ret = sdap_account_expired_rhds(pd, user_entry);
+ if (ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_rhds: %s.\n", sss_strerror(ret));
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_rhds failed.\n");
+ }
+
+ if (ret == EOK &&
+ strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_IPA) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "IPA access control succeeded, checking AD "
+ "access control\n");
+ ret = sdap_account_expired_ad(pd, user_entry);
+ if (ret == ERR_ACCOUNT_EXPIRED || ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_ad: %s.\n", sss_strerror(ret));
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_ad failed.\n");
+ }
+ }
+ } else if (strcasecmp(expire, LDAP_ACCOUNT_EXPIRE_NDS) == 0) {
+ ret = sdap_account_expired_nds(pd, user_entry);
+ if (ret == ERR_ACCESS_DENIED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sdap_account_expired_nds: %s.\n", sss_strerror(ret));
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_account_expired_nds
failed.\n");
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported LDAP account expire policy [%s]. "
+ "Access denied.\n", expire);
+ ret = ERR_ACCESS_DENIED;
+ }
+ }
+
+ return ret;
+}
+
+static errno_t perform_pwexpire_policy(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ struct pam_data *pd,
+ struct sdap_options *opts)
+{
+ enum pwexpire pw_expire_type;
+ void *pw_expire_data;
+ errno_t ret;
+ char *dn;
+
+ ret = get_user_dn(mem_ctx, domain, opts, pd->user, &dn, &pw_expire_type,
+ &pw_expire_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "get_user_dn returned %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = check_pwexpire_policy(pw_expire_type, pw_expire_data, pd,
+ domain->pwd_expiration_warning);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "check_pwexpire_policy returned %d:[%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ return ret;
+}
+
+struct sdap_access_filter_req_ctx {
+ const char *username;
+ const char *filter;
+ struct tevent_context *ev;
+ struct sdap_access_ctx *access_ctx;
+ struct sdap_options *opts;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_id_op *sdap_op;
+ struct sysdb_handle *handle;
+ struct sss_domain_info *domain;
+ /* cached result of access control checks */
+ bool cached_access;
+ const char *basedn;
+};
+
+static errno_t sdap_access_decide_offline(bool cached_ac);
+static int sdap_access_filter_retry(struct tevent_req *req);
+static void sdap_access_ppolicy_connect_done(struct tevent_req *subreq);
+static errno_t sdap_access_ppolicy_get_lockout_step(struct tevent_req *req);
+static void sdap_access_filter_connect_done(struct tevent_req *subreq);
+static void sdap_access_filter_done(struct tevent_req *req);
+static struct tevent_req *sdap_access_filter_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
+ const char *username,
+
struct ldb_message *user_entry)
+{
+ struct sdap_access_filter_req_ctx *state;
+ struct tevent_req *req;
+ char *clean_username;
+ errno_t ret = ERR_INTERNAL;
+ char *name;
+
+ req = tevent_req_create(mem_ctx, &state, struct sdap_access_filter_req_ctx);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (access_ctx->filter == NULL || *access_ctx->filter == '\0') {
+ /* If no filter is set, default to restrictive */
+ DEBUG(SSSDBG_TRACE_FUNC, "No filter set. Access is denied.\n");
+ ret = ERR_ACCESS_DENIED;
+ goto done;
+ }
+
+ state->filter = NULL;
+ state->username = username;
+ state->opts = access_ctx->id_ctx->opts;
+ state->conn = conn;
+ state->ev = ev;
+ state->access_ctx = access_ctx;
+ state->domain = domain;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Performing access filter check for user [%s]\n", username);
+
+ state->cached_access = ldb_msg_find_attr_as_bool(user_entry,
+ SYSDB_LDAP_ACCESS_FILTER,
+ false);
+
+ /* Ok, we have one result, check if we are online or offline */
+ if (be_is_offline(be_ctx)) {
+ /* Ok, we're offline.
Return from the cache */
+ ret = sdap_access_decide_offline(state->cached_access);
+ goto done;
+ }
+
+ ret = sdap_get_basedn_user_entry(user_entry, state->username,
+ &state->basedn);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Construct the filter */
+ ret = sss_parse_internal_fqname(state, username, &name, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not parse [%s] into name and "
+ "domain components, access might fail\n", username);
+ name = discard_const(username);
+ }
+
+ ret = sss_filter_sanitize(state, name, &clean_username);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ state->filter = talloc_asprintf(
+ state,
+ "(&(%s=%s)(objectclass=%s)%s)",
+ state->opts->user_map[SDAP_AT_USER_NAME].name,
+ clean_username,
+ state->opts->user_map[SDAP_OC_USER].name,
+ state->access_ctx->filter);
+ if (state->filter == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not construct access filter\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ talloc_zfree(clean_username);
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Checking filter against LDAP\n");
+
+ state->sdap_op = sdap_id_op_create(state,
+ state->conn->conn_cache);
+ if (!state->sdap_op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sdap_access_filter_retry(req);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ return req;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+/* Helper function,
+ * cached_ac => access granted
+ * !cached_ac => access denied
+ */
+static errno_t sdap_access_decide_offline(bool cached_ac)
+{
+ if (cached_ac) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Access granted by cached credentials\n");
+ return EOK;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "Access denied by cached credentials\n");
+ return ERR_ACCESS_DENIED;
+ }
+}
+
+static int sdap_access_filter_retry(struct tevent_req *req)
+{
+ struct sdap_access_filter_req_ctx *state =
+ tevent_req_data(req, struct
sdap_access_filter_req_ctx);
+ struct tevent_req *subreq;
+ int ret;
+
+ subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret);
+ if (!subreq) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_id_op_connect_send failed: %d (%s)\n", ret, strerror(ret));
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, sdap_access_filter_connect_done, req);
+ return EOK;
+}
+
+static void sdap_access_filter_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_access_filter_req_ctx *state =
+ tevent_req_data(req, struct sdap_access_filter_req_ctx);
+ int ret, dp_error;
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ if (dp_error == DP_ERR_OFFLINE) {
+ ret = sdap_access_decide_offline(state->cached_access);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ return;
+ }
+ }
+
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Connection to LDAP succeeded
+ * Send filter request
+ */
+ subreq = sdap_get_generic_send(state,
+ state->ev,
+ state->opts,
+ sdap_id_op_handle(state->sdap_op),
+ state->basedn,
+ LDAP_SCOPE_BASE,
+ state->filter, NULL,
+ NULL, 0,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not start LDAP communication\n");
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, sdap_access_filter_done, req);
+}
+
+static void sdap_access_filter_done(struct tevent_req *subreq)
+{
+ int ret, tret, dp_error;
+ size_t num_results;
+ bool found = false;
+ struct sysdb_attrs **results;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_access_filter_req_ctx *state =
+ tevent_req_data(req, struct sdap_access_filter_req_ctx);
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &num_results, &results);
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
+ if (ret != EOK) {
+
if (dp_error == DP_ERR_OK) {
+ /* retry */
+ tret = sdap_access_filter_retry(req);
+ if (tret == EOK) {
+ return;
+ }
+ } else if (dp_error == DP_ERR_OFFLINE) {
+ ret = sdap_access_decide_offline(state->cached_access);
+ } else if (ret == ERR_INVALID_FILTER) {
+ sss_log(SSS_LOG_ERR, MALFORMED_FILTER, state->filter);
+ DEBUG(SSSDBG_CRIT_FAILURE, MALFORMED_FILTER, state->filter);
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_get_generic_send() returned error [%d][%s]\n",
+ ret, sss_strerror(ret));
+ }
+
+ goto done;
+ }
+
+ /* Check the number of responses we got
+ * If it's exactly 1, we passed the check
+ * If it's < 1, we failed the check
+ * Anything else is an error
+ */
+ if (num_results < 1) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "User [%s] was not found with the specified filter. "
+ "Denying access.\n", state->username);
+ found = false;
+ }
+ else if (results == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+ else if (num_results > 1) {
+ /* It should not be possible to get more than one reply
+ * here, since we're doing a base-scoped search
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+ else { /* Ok, we got a single reply */
+ found = true;
+ }
+
+ if (found) {
+ /* Save "allow" to the cache for future offline access checks. */
+ DEBUG(SSSDBG_TRACE_FUNC, "Access granted by online lookup\n");
+ ret = EOK;
+ }
+ else {
+ /* Save "disallow" to the cache for future offline
+ * access checks.
+ */
+ DEBUG(SSSDBG_TRACE_FUNC, "Access denied by online lookup\n");
+ ret = ERR_ACCESS_DENIED;
+ }
+
+ tret = sdap_save_user_cache_bool(state->domain, state->username,
+ SYSDB_LDAP_ACCESS_FILTER, found);
+ if (tret != EOK) {
+ /* Failing to save to the cache is non-fatal.
+ * Just return the result.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user access attribute\n");
+ goto done;
+ }
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ }
+ else {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t sdap_access_filter_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+#define AUTHR_SRV_MISSING_MSG "Authorized service attribute missing, " \
+ "access denied"
+#define AUTHR_SRV_DENY_MSG "Access denied by authorized service attribute"
+#define AUTHR_SRV_NO_MATCH_MSG "Authorized service attribute has " \
+ "no matching rule, access denied"
+
+static errno_t sdap_access_service(struct pam_data *pd,
+ struct ldb_message *user_entry)
+{
+ errno_t ret, tret;
+ struct ldb_message_element *el;
+ unsigned int i;
+ char *service;
+
+ el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_SERVICE);
+ if (!el || el->num_values == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing authorized services. Access denied\n");
+
+ tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(AUTHR_SRV_MISSING_MSG),
+ (const uint8_t *) AUTHR_SRV_MISSING_MSG);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ return ERR_ACCESS_DENIED;
+ }
+
+ ret = ENOENT;
+
+ for (i = 0; i < el->num_values; i++) {
+ service = (char *)el->values[i].data;
+ if (service[0] == '!' &&
+ strcasecmp(pd->service, service+1) == 0) {
+ /* This service is explicitly denied */
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", service);
+
+ tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(AUTHR_SRV_DENY_MSG),
+ (const uint8_t *) AUTHR_SRV_DENY_MSG);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ /* A denial trumps all.
Break here */
+ return ERR_ACCESS_DENIED;
+
+ } else if (strcasecmp(pd->service, service) == 0) {
+ /* This service is explicitly allowed */
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", service);
+ /* We still need to loop through to make sure
+ * that it's not also explicitly denied
+ */
+ ret = EOK;
+ } else if (strcmp("*", service) == 0) {
+ /* This user has access to all services */
+ DEBUG(SSSDBG_CONF_SETTINGS, "Access granted to all services\n");
+ /* We still need to loop through to make sure
+ * that it's not also explicitly denied
+ */
+ ret = EOK;
+ }
+ }
+
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "No matching service rule found\n");
+
+ tret = pam_add_response(pd, SSS_PAM_SYSTEM_INFO,
+ sizeof(AUTHR_SRV_NO_MATCH_MSG),
+ (const uint8_t *) AUTHR_SRV_NO_MATCH_MSG);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n");
+ }
+
+ ret = ERR_ACCESS_DENIED;
+ }
+
+ return ret;
+}
+
+static errno_t sdap_save_user_cache_bool(struct sss_domain_info *domain,
+ const char *username,
+ const char *attr_name,
+ bool value)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(NULL);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_bool(attrs, attr_name, value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up attrs\n");
+ goto done;
+ }
+
+ ret = sysdb_set_user_attr(domain, username, attrs, SYSDB_MOD_REP);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user access attribute\n");
+ goto done;
+ }
+
+done:
+ talloc_free(attrs);
+ return ret;
+}
+
+static errno_t sdap_access_host(struct ldb_message *user_entry)
+{
+ errno_t ret;
+ struct ldb_message_element *el;
+ unsigned int i;
+ char *host;
+ char hostname[HOST_NAME_MAX + 1];
+
+ el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_HOST);
+ if (!el || el->num_values == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing hosts.
Access denied\n"); + return ERR_ACCESS_DENIED; + } + + if (gethostname(hostname, HOST_NAME_MAX) == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to get system hostname. Access denied\n"); + return ERR_ACCESS_DENIED; + } + hostname[HOST_NAME_MAX] = '\0'; + + /* FIXME: PADL's pam_ldap also calls gethostbyname() on the hostname + * in some attempt to get aliases and/or FQDN for the machine. + * Not sure this is a good idea, but we might want to add it in + * order to be compatible... + */ + + ret = ENOENT; + + for (i = 0; i < el->num_values; i++) { + host = (char *)el->values[i].data; + if (host[0] == '!' && + strcasecmp(hostname, host+1) == 0) { + /* This host is explicitly denied */ + DEBUG(SSSDBG_CONF_SETTINGS, "Access denied by [%s]\n", host); + /* A denial trumps all. Break here */ + return ERR_ACCESS_DENIED; + + } else if (strcasecmp(hostname, host) == 0) { + /* This host is explicitly allowed */ + DEBUG(SSSDBG_CONF_SETTINGS, "Access granted for [%s]\n", host); + /* We still need to loop through to make sure + * that it's not also explicitly denied + */ + ret = EOK; + } else if (strcmp("*", host) == 0) { + /* This user has access to all hosts */ + DEBUG(SSSDBG_CONF_SETTINGS, "Access granted to all hosts\n"); + /* We still need to loop through to make sure + * that it's not also explicitly denied + */ + ret = EOK; + } + } + + if (ret == ENOENT) { + DEBUG(SSSDBG_CONF_SETTINGS, "No matching host rule found\n"); + ret = ERR_ACCESS_DENIED; + } + + return ret; +} + +errno_t sdap_access_rhost(struct ldb_message *user_entry, char *pam_rhost) +{ + errno_t ret; + struct ldb_message_element *el; + char *be_rhost_rule; + unsigned int i; + + /* If user_entry is NULL do not perform any checks */ + if (user_entry == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "user_entry is NULL, that is not possible, " + "so we just reject access\n"); + return ERR_ACCESS_DENIED; + } + + /* If pam_rhost is NULL do not perform any checks */ + if (pam_rhost == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + 
"pam_rhost is NULL, no rhost check is possible\n"); + return EOK; + } + + /* When the access is local we get empty string as pam_rhost + in which case we should not evaluate rhost access rules */ + /* FIXME: I think ideally should have LDAP to define what to do in + * this case */ + if (pam_rhost[0] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "pam_rhost is empty, possible local access, " + "no rhost check possible\n"); + return EOK; + } + + /* If rhost validation is enabled and entry has no relevant attribute - + * deny access */ + el = ldb_msg_find_element(user_entry, SYSDB_AUTHORIZED_RHOST); + if (!el || el->num_values == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "Missing rhost entries. Access denied\n"); + return ERR_ACCESS_DENIED; + } + + ret = ENOENT; + + for (i = 0; i < el->num_values; i++) { + be_rhost_rule = (char *)el->values[i].data; + if (be_rhost_rule[0] == '!' + && strcasecmp(pam_rhost, be_rhost_rule+1) == 0) { + /* This rhost is explicitly denied */ + DEBUG(SSSDBG_CONF_SETTINGS, + "Access from [%s] denied by [%s]\n", + pam_rhost, be_rhost_rule); + /* A denial trumps all. 
Break here */ + return ERR_ACCESS_DENIED; + } else if (strcasecmp(pam_rhost, be_rhost_rule) == 0) { + /* This rhost is explicitly allowed */ + DEBUG(SSSDBG_CONF_SETTINGS, + "Access from [%s] granted by [%s]\n", + pam_rhost, be_rhost_rule); + /* We still need to loop through to make sure + * that it's not also explicitly denied + */ + ret = EOK; + } else if (strcmp("*", be_rhost_rule) == 0) { + /* This user has access from anywhere */ + DEBUG(SSSDBG_CONF_SETTINGS, + "Access from [%s] granted by [*]\n", pam_rhost); + /* We still need to loop through to make sure + * that it's not also explicitly denied + */ + ret = EOK; + } + } + + if (ret == ENOENT) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No matching rhost rules found\n"); + ret = ERR_ACCESS_DENIED; + } + + return ret; +} + +static void sdap_access_ppolicy_get_lockout_done(struct tevent_req *subreq); +static int sdap_access_ppolicy_retry(struct tevent_req *req); +static errno_t sdap_access_ppolicy_step(struct tevent_req *req); +static void sdap_access_ppolicy_step_done(struct tevent_req *subreq); + +struct sdap_access_ppolicy_req_ctx { + const char *username; + const char *filter; + struct tevent_context *ev; + struct sdap_access_ctx *access_ctx; + struct sdap_options *opts; + struct sdap_id_conn_ctx *conn; + struct sdap_id_op *sdap_op; + struct sysdb_handle *handle; + struct sss_domain_info *domain; + /* cached results of access control checks */ + bool cached_access; + const char *basedn; + /* default DNs to ppolicy */ + const char **ppolicy_dns; + unsigned int ppolicy_dns_index; + enum sdap_pwpolicy_mode pwpol_mode; +}; + +static struct tevent_req * +sdap_access_ppolicy_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + struct sdap_access_ctx *access_ctx, + struct sdap_id_conn_ctx *conn, + const char *username, + struct ldb_message *user_entry, + enum sdap_pwpolicy_mode pwpol_mode) +{ + struct sdap_access_ppolicy_req_ctx *state; + struct tevent_req *req; 
+ errno_t ret; + + req = tevent_req_create(mem_ctx, + &state, struct sdap_access_ppolicy_req_ctx); + if (req == NULL) { + return NULL; + } + + state->filter = NULL; + state->username = username; + state->opts = access_ctx->id_ctx->opts; + state->conn = conn; + state->ev = ev; + state->access_ctx = access_ctx; + state->domain = domain; + state->ppolicy_dns_index = 0; + state->pwpol_mode = pwpol_mode; + + DEBUG(SSSDBG_TRACE_FUNC, + "Performing access ppolicy check for user [%s]\n", username); + + state->cached_access = ldb_msg_find_attr_as_bool( + user_entry, SYSDB_LDAP_ACCESS_CACHED_LOCKOUT, false); + + /* Ok, we have one result, check if we are online or offline */ + if (be_is_offline(be_ctx)) { + /* Ok, we're offline. Return from the cache */ + ret = sdap_access_decide_offline(state->cached_access); + goto done; + } + + ret = sdap_get_basedn_user_entry(user_entry, state->username, + &state->basedn); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Checking ppolicy against LDAP\n"); + + state->sdap_op = sdap_id_op_create(state, + state->conn->conn_cache); + if (!state->sdap_op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto done; + } + + ret = sdap_access_ppolicy_retry(req); + if (ret != EOK) { + goto done; + } + + return req; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static int sdap_access_ppolicy_retry(struct tevent_req *req) +{ + struct sdap_access_ppolicy_req_ctx *state; + struct tevent_req *subreq; + int ret; + + state = tevent_req_data(req, struct sdap_access_ppolicy_req_ctx); + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (!subreq) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_id_op_connect_send failed: %d (%s)\n", + ret, sss_strerror(ret)); + return ret; + } + + tevent_req_set_callback(subreq, sdap_access_ppolicy_connect_done, req); + return EOK; +} + +static const char** 
+get_default_ppolicy_dns(TALLOC_CTX *mem_ctx, struct sdap_domain *sdom) +{ + const char **ppolicy_dns; + int count = 0; + int i; + + while(sdom->search_bases[count] != NULL) { + count++; + } + + /* +1 to have space for final NULL */ + ppolicy_dns = talloc_array(mem_ctx, const char*, count + 1); + + for(i = 0; i < count; i++) { + ppolicy_dns[i] = talloc_asprintf(mem_ctx, "cn=ppolicy,ou=policies,%s", + sdom->search_bases[i]->basedn); + } + + ppolicy_dns[count] = NULL; + return ppolicy_dns; +} + +static void sdap_access_ppolicy_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_access_ppolicy_req_ctx *state; + int ret, dp_error; + const char *ppolicy_dn; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_access_ppolicy_req_ctx); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + if (dp_error == DP_ERR_OFFLINE) { + ret = sdap_access_decide_offline(state->cached_access); + if (ret == EOK) { + tevent_req_done(req); + return; + } + } + + tevent_req_error(req, ret); + return; + } + + ppolicy_dn = dp_opt_get_string(state->opts->basic, + SDAP_PWDLOCKOUT_DN); + + /* option was configured */ + if (ppolicy_dn != NULL) { + state->ppolicy_dns = talloc_array(state, const char*, 2); + if (state->ppolicy_dns == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate ppolicy_dns.\n"); + tevent_req_error(req, ERR_INTERNAL); + return; + } + + state->ppolicy_dns[0] = ppolicy_dn; + state->ppolicy_dns[1] = NULL; + + } else { + /* try to determine default value */ + DEBUG(SSSDBG_CONF_SETTINGS, + "ldap_pwdlockout_dn was not defined in configuration file.\n"); + + state->ppolicy_dns = get_default_ppolicy_dns(state, state->opts->sdom); + if (state->ppolicy_dns == NULL) { + tevent_req_error(req, ERR_INTERNAL); + return; + } + } + + /* Connection to LDAP succeeded + * Send 'pwdLockout' request + */ + ret = sdap_access_ppolicy_get_lockout_step(req); + if (ret 
!= EOK && ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_access_ppolicy_get_lockout_step failed: [%d][%s]\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ERR_INTERNAL); + return; + } + + if (ret == EOK) { + tevent_req_done(req); + } +} + +static errno_t +sdap_access_ppolicy_get_lockout_step(struct tevent_req *req) +{ + const char *attrs[] = { SYSDB_LDAP_ACCESS_LOCKOUT, NULL }; + struct sdap_access_ppolicy_req_ctx *state; + struct tevent_req *subreq; + errno_t ret; + + state = tevent_req_data(req, struct sdap_access_ppolicy_req_ctx); + + /* no more DNs to try */ + if (state->ppolicy_dns[state->ppolicy_dns_index] == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "No more DNs to try.\n"); + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Trying to find out if ppolicy is enabled using the DN: %s\n", + state->ppolicy_dns[state->ppolicy_dns_index]); + + subreq = sdap_get_generic_send(state, + state->ev, + state->opts, + sdap_id_op_handle(state->sdap_op), + state->ppolicy_dns[state->ppolicy_dns_index], + LDAP_SCOPE_BASE, + NULL, attrs, + NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not start LDAP communication\n"); + ret = EIO; + goto done; + } + + /* try next basedn */ + state->ppolicy_dns_index++; + tevent_req_set_callback(subreq, sdap_access_ppolicy_get_lockout_done, req); + + ret = EAGAIN; + +done: + return ret; +} + +static void sdap_access_ppolicy_get_lockout_done(struct tevent_req *subreq) +{ + int ret, tret, dp_error; + size_t num_results; + bool pwdLockout = false; + struct sysdb_attrs **results; + struct tevent_req *req; + struct sdap_access_ppolicy_req_ctx *state; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_access_ppolicy_req_ctx); + + ret = sdap_get_generic_recv(subreq, state, &num_results, &results); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot retrieve 
ppolicy\n"); + ret = ERR_NETWORK_IO; + goto done; + } + + /* Check the number of responses we got + * If it's exactly 1, we passed the check + * If it's < 1, we failed the check + * Anything else is an error + */ + /* Didn't find ppolicy attribute */ + if (num_results < 1) { + /* Try using next $search_base */ + ret = sdap_access_ppolicy_get_lockout_step(req); + if (ret == EOK) { + /* No more search bases to try */ + DEBUG(SSSDBG_CONF_SETTINGS, + "[%s] was not found. Granting access.\n", + SYSDB_LDAP_ACCESS_LOCKOUT); + } else { + if (ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_access_ppolicy_get_lockout_step failed: " + "[%d][%s]\n", + ret, sss_strerror(ret)); + } + goto done; + } + } else if (results == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n"); + ret = ERR_INTERNAL; + goto done; + } else if (num_results > 1) { + /* It should not be possible to get more than one reply + * here, since we're doing a base-scoped search + */ + DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n"); + ret = ERR_INTERNAL; + goto done; + } else { /* Ok, we got a single reply */ + ret = sysdb_attrs_get_bool(results[0], SYSDB_LDAP_ACCESS_LOCKOUT, + &pwdLockout); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Error reading %s: [%s]\n", SYSDB_LDAP_ACCESS_LOCKOUT, + sss_strerror(ret)); + ret = ERR_INTERNAL; + goto done; + } + } + + if (pwdLockout) { + DEBUG(SSSDBG_TRACE_FUNC, + "Password policy is enabled on LDAP server.\n"); + + /* ppolicy is enabled => find out if account is locked */ + ret = sdap_access_ppolicy_step(req); + if (ret != EOK && ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_access_ppolicy_step failed: [%d][%s].\n", + ret, sss_strerror(ret)); + } + goto done; + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Password policy is disabled on LDAP server " + "- storing 'access granted' in sysdb.\n"); + tret = sdap_save_user_cache_bool(state->domain, state->username, + SYSDB_LDAP_ACCESS_CACHED_LOCKOUT, + true); + if (tret != 
EOK) { + /* Failing to save to the cache is non-fatal. + * Just return the result. + */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to set user locked attribute\n"); + goto done; + } + + ret = EOK; + goto done; + } + +done: + if (ret != EAGAIN) { + /* release connection */ + tret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_get_generic_send() returned error [%d][%s]\n", + ret, sss_strerror(ret)); + } + + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + } +} + +errno_t sdap_access_ppolicy_step(struct tevent_req *req) +{ + errno_t ret; + struct tevent_req *subreq; + struct sdap_access_ppolicy_req_ctx *state; + const char *attrs[] = { SYSDB_LDAP_ACCESS_LOCKED_TIME, + SYSDB_LDAP_ACESS_LOCKOUT_DURATION, + NULL }; + + state = tevent_req_data(req, struct sdap_access_ppolicy_req_ctx); + + subreq = sdap_get_generic_send(state, + state->ev, + state->opts, + sdap_id_op_handle(state->sdap_op), + state->basedn, + LDAP_SCOPE_BASE, + NULL, attrs, + NULL, 0, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_access_ppolicy_send failed.\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sdap_access_ppolicy_step_done, req); + ret = EAGAIN; + +done: + return ret; +} + +static errno_t +is_account_locked(const char *pwdAccountLockedTime, + const char *pwdAccountLockedDurationTime, + enum sdap_pwpolicy_mode pwpol_mode, + const char *username, + bool *_locked) +{ + errno_t ret; + time_t lock_time; + time_t duration; + time_t now; + bool locked; + + /* Default action is to consider account to be locked. 
*/ + locked = true; + + /* account is permanently locked */ + if (strcasecmp(pwdAccountLockedTime, + PERMANENTLY_LOCKED_ACCOUNT) == 0) { + ret = EOK; + goto done; + } + + switch(pwpol_mode) { + case PWP_LOCKOUT_ONLY: + /* We do *not* care about exact value of account locked time, we + * only *do* care if the value is equal to + * PERMANENTLY_LOCKED_ACCOUNT, which means that account is locked + * permanently. + */ + DEBUG(SSSDBG_TRACE_FUNC, + "Account of: %s is being blocked by password policy, " + "but value: [%s] value is ignored by SSSD.\n", + username, pwdAccountLockedTime); + locked = false; + break; + case PWP_LOCKOUT_EXPIRE: + /* Account may be locked out from natural reasons (too many attempts, + * expired password). In this case, pwdAccountLockedTime is also set, + * to the time of lock out. + */ + ret = sss_utc_to_time_t(pwdAccountLockedTime, "%Y%m%d%H%M%SZ", + &lock_time); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "sss_utc_to_time_t failed with %d:%s.\n", + ret, sss_strerror(ret)); + goto done; + } + + now = time(NULL); + + /* Account was NOT locked in past. 
*/ + if (difftime(lock_time, now) > 0.0) { + locked = false; + } else if (pwdAccountLockedDurationTime != NULL) { + errno = 0; + duration = strtouint32(pwdAccountLockedDurationTime, NULL, 0); + if (errno) { + ret = errno; + goto done; + } + /* Lockout has expired */ + if (duration != 0 && difftime(now, lock_time) > duration) { + locked = false; + } + } + break; + case PWP_SENTINEL: + default: + DEBUG(SSSDBG_MINOR_FAILURE, + "Unexpected value of password policy mode: %d.\n", pwpol_mode); + ret = EINVAL; + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_locked = locked; + } + + return ret; +} + +static void sdap_access_ppolicy_step_done(struct tevent_req *subreq) +{ + int ret, tret, dp_error; + size_t num_results; + bool locked = false; + const char *pwdAccountLockedTime; + const char *pwdAccountLockedDurationTime; + struct sysdb_attrs **results; + struct tevent_req *req; + struct sdap_access_ppolicy_req_ctx *state; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_access_ppolicy_req_ctx); + + ret = sdap_get_generic_recv(subreq, state, &num_results, &results); + talloc_zfree(subreq); + + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (ret != EOK) { + if (dp_error == DP_ERR_OK) { + /* retry */ + tret = sdap_access_ppolicy_retry(req); + if (tret == EOK) { + return; + } + } else if (dp_error == DP_ERR_OFFLINE) { + ret = sdap_access_decide_offline(state->cached_access); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_get_generic_send() returned error [%d][%s]\n", + ret, sss_strerror(ret)); + } + + goto done; + } + + /* Check the number of responses we got + * If it's exactly 1, we passed the check + * If it's < 1, we failed the check + * Anything else is an error + */ + if (num_results < 1) { + DEBUG(SSSDBG_CONF_SETTINGS, + "User [%s] was not found with the specified filter. 
" + "Denying access.\n", state->username); + } else if (results == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "num_results > 0, but results is NULL\n"); + ret = ERR_INTERNAL; + goto done; + } else if (num_results > 1) { + /* It should not be possible to get more than one reply + * here, since we're doing a base-scoped search + */ + DEBUG(SSSDBG_CRIT_FAILURE, "Received multiple replies\n"); + ret = ERR_INTERNAL; + goto done; + } else { /* Ok, we got a single reply */ + ret = sysdb_attrs_get_string(results[0], SYSDB_LDAP_ACESS_LOCKOUT_DURATION, + &pwdAccountLockedDurationTime); + if (ret != EOK) { + /* This attribute might not be set even if account is locked */ + pwdAccountLockedDurationTime = NULL; + } + + ret = sysdb_attrs_get_string(results[0], SYSDB_LDAP_ACCESS_LOCKED_TIME, + &pwdAccountLockedTime); + if (ret == EOK) { + + ret = is_account_locked(pwdAccountLockedTime, + pwdAccountLockedDurationTime, + state->pwpol_mode, + state->username, + &locked); + if (ret != EOK) { + if (ret == ERR_TIMESPEC_NOT_SUPPORTED) { + DEBUG(SSSDBG_MINOR_FAILURE, + "timezone specifier in ppolicy is not supported\n"); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "is_account_locked failed: %d:[%s].\n", + ret, sss_strerror(ret)); + } + + DEBUG(SSSDBG_MINOR_FAILURE, + "Account will be considered to be locked.\n"); + locked = true; + } + } else { + /* Attribute SYSDB_LDAP_ACCESS_LOCKED_TIME in not be present unless + * user's account is blocked by password policy. + */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "Attribute %s failed to be obtained - [%d][%s].\n", + SYSDB_LDAP_ACCESS_LOCKED_TIME, ret, strerror(ret)); + } + } + + if (locked) { + DEBUG(SSSDBG_TRACE_FUNC, + "Access denied by online lookup - account is locked.\n"); + ret = ERR_ACCESS_DENIED; + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Access granted by online lookup - account is not locked.\n"); + ret = EOK; + } + + /* Save '!locked' to the cache for future offline access checks. 
+ * Locked == true => access denied, + * Locked == false => access granted + */ + tret = sdap_save_user_cache_bool(state->domain, state->username, + SYSDB_LDAP_ACCESS_CACHED_LOCKOUT, + !locked); + + if (tret != EOK) { + /* Failing to save to the cache is non-fatal. + * Just return the result. + */ + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set user locked attribute\n"); + goto done; + } + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +static errno_t sdap_access_ppolicy_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static errno_t sdap_get_basedn_user_entry(struct ldb_message *user_entry, + const char *username, + const char **_basedn) +{ + const char *basedn; + errno_t ret; + + basedn = ldb_msg_find_attr_as_string(user_entry, SYSDB_ORIG_DN, NULL); + if (basedn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE,"Could not find originalDN for user [%s]\n", + username); + ret = EINVAL; + goto done; + } + + *_basedn = basedn; + ret = EOK; + +done: + return ret; +} diff --git a/src/providers/ldap/sdap_access.h b/src/providers/ldap/sdap_access.h new file mode 100644 index 0000000..86969d4 --- /dev/null +++ b/src/providers/ldap/sdap_access.h 
@@ -0,0 +1,101 @@
+/*
+ SSSD
+
+ sdap_access.h
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SDAP_ACCESS_H_
+#define SDAP_ACCESS_H_
+
+#include "providers/backend.h"
+#include "providers/ldap/ldap_common.h"
+
+/* Attributes in sysdb, used for caching last values of lockout or filter
+ * access control checks.
+ */
+#define SYSDB_LDAP_ACCESS_FILTER "ldap_access_filter_allow"
+#define SYSDB_LDAP_ACCESS_CACHED_LOCKOUT "ldap_access_lockout_allow"
+/* names of ppolicy attributes */
+#define SYSDB_LDAP_ACCESS_LOCKED_TIME "pwdAccountLockedTime"
+#define SYSDB_LDAP_ACESS_LOCKOUT_DURATION "pwdLockoutDuration"
+#define SYSDB_LDAP_ACCESS_LOCKOUT "pwdLockout"
+
+#define LDAP_ACCESS_FILTER_NAME "filter"
+#define LDAP_ACCESS_EXPIRE_NAME "expire"
+#define LDAP_ACCESS_EXPIRE_POLICY_REJECT_NAME "pwd_expire_policy_reject"
+#define LDAP_ACCESS_EXPIRE_POLICY_WARN_NAME "pwd_expire_policy_warn"
+#define LDAP_ACCESS_EXPIRE_POLICY_RENEW_NAME "pwd_expire_policy_renew"
+#define LDAP_ACCESS_SERVICE_NAME "authorized_service"
+#define LDAP_ACCESS_HOST_NAME "host"
+#define LDAP_ACCESS_RHOST_NAME "rhost"
+#define LDAP_ACCESS_LOCK_NAME "lockout"
+#define LDAP_ACCESS_PPOLICY_NAME "ppolicy"
+
+#define LDAP_ACCOUNT_EXPIRE_SHADOW "shadow"
+#define LDAP_ACCOUNT_EXPIRE_AD "ad"
+#define LDAP_ACCOUNT_EXPIRE_RHDS "rhds"
+#define LDAP_ACCOUNT_EXPIRE_IPA "ipa"
+#define
LDAP_ACCOUNT_EXPIRE_389DS "389ds"
+#define LDAP_ACCOUNT_EXPIRE_NDS "nds"
+
+enum ldap_access_rule {
+ LDAP_ACCESS_EMPTY = -1,
+ LDAP_ACCESS_FILTER = 0,
+ LDAP_ACCESS_EXPIRE,
+ LDAP_ACCESS_SERVICE,
+ LDAP_ACCESS_HOST,
+ LDAP_ACCESS_RHOST,
+ LDAP_ACCESS_LOCKOUT,
+ LDAP_ACCESS_EXPIRE_POLICY_REJECT,
+ LDAP_ACCESS_EXPIRE_POLICY_WARN,
+ LDAP_ACCESS_EXPIRE_POLICY_RENEW,
+ LDAP_ACCESS_PPOLICY,
+ LDAP_ACCESS_LAST
+};
+
+struct sdap_access_ctx {
+ struct sdap_id_ctx *id_ctx;
+ const char *filter;
+ int access_rule[LDAP_ACCESS_LAST + 1];
+};
+
+struct tevent_req *
+sdap_pam_access_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_access_ctx *access_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+sdap_pam_access_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+struct tevent_req *
+sdap_access_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ struct sdap_access_ctx *access_ctx,
+ struct sdap_id_conn_ctx *conn,
+ struct pam_data *pd);
+errno_t sdap_access_recv(struct tevent_req *req);
+
+#endif /* SDAP_ACCESS_H_ */
diff --git a/src/providers/ldap/sdap_ad_groups.c b/src/providers/ldap/sdap_ad_groups.c
new file mode 100644
index 0000000..0e36328
--- /dev/null
+++ b/src/providers/ldap/sdap_ad_groups.c
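Review bot: The cache attribute defines near the top of sdap_access.h do not state their polarity, and `SYSDB_LDAP_ACCESS_CACHED_LOCKOUT` reads as "locked" while its value is `ldap_access_lockout_allow`. In sdap_access.c the ppolicy path stores `!locked` under it and the offline path passes the cached value to `sdap_access_decide_offline()`, so the stored boolean means "access was allowed". I would add `/* true = access was granted at the last online lockout check; this value decides access while the backend is offline */` above that define. Separately, `SYSDB_LDAP_ACESS_LOCKOUT_DURATION` is misspelled relative to its `SYSDB_LDAP_ACCESS_*` siblings; renaming it to `SYSDB_LDAP_ACCESS_LOCKOUT_DURATION` also means updating its uses in sdap_access.c.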
@@ -0,0 +1,68 @@
+/*
+ SSSD
+
+ AD groups helper routines
+
+ Authors:
+ Lukas Slebodnik
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "db/sysdb.h"
+#include "providers/ldap/sdap.h"
+#include "providers/ldap/sdap_async_private.h"
+
+/* ==Group-Parsing Routines=============================================== */
+
+errno_t sdap_check_ad_group_type(struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ struct sysdb_attrs *group_attrs,
+ const char *group_name,
+ bool *_need_filter)
+{
+ int32_t ad_group_type;
+ errno_t ret = EOK;
+ *_need_filter = false;
+
+ if (opts->schema_type == SDAP_SCHEMA_AD) {
+ ret = sysdb_attrs_get_int32_t(group_attrs, SYSDB_GROUP_TYPE,
+ &ad_group_type);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed.\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "AD group [%s] has type flags %#x.\n",
+ group_name, ad_group_type);
+
+ /* Only security groups from AD are considered for POSIX groups.
+ * Additionally only global and universal group are taken to account
+ * for trusted domains. */
+ if (!(ad_group_type & SDAP_AD_GROUP_TYPE_SECURITY)
+ || (IS_SUBDOMAIN(dom)
+ && (!((ad_group_type & SDAP_AD_GROUP_TYPE_GLOBAL)
+ || (ad_group_type & SDAP_AD_GROUP_TYPE_UNIVERSAL))))) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Filtering AD group [%s].\n", group_name);
+
+ *_need_filter = true;
+ }
+ }
+
+ return ret;
+}
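Review bot: `sdap_check_ad_group_type()` has no contract comment, and on the `sysdb_attrs_get_int32_t` failure path it returns with `*_need_filter` already set to false, so a caller that does not check the return value would keep a group whose type was never read. I would document this above the function, e.g. `/* On error *_need_filter is left false and must not be used; callers have to check the return value. */`, or assign the flag only once the type has been read. The callers are not visible here, so whether any of them ignores the return value needs confirming. Also, `ad_group_type` is an `int32_t` printed with `%#x`, which expects an `unsigned int`; writing `(unsigned int) ad_group_type` in the DEBUG call makes the conversion explicit.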
diff --git a/src/providers/ldap/sdap_async.c b/src/providers/ldap/sdap_async.c
new file mode 100644
index 0000000..8fc832a
--- /dev/null
+++ b/src/providers/ldap/sdap_async.c
@@ -0,0 +1,2817 @@ +/* + SSSD + + Async LDAP Helper routines + + Copyright (C) Simo Sorce - 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include +#include "util/util.h" +#include "util/strtonum.h" +#include "util/probes.h" +#include "providers/ldap/sdap_async_private.h" + +#define REPLY_REALLOC_INCREMENT 10 + +/* ==LDAP-Memory-Handling================================================= */ + +static int lmsg_destructor(void *mem) +{ + ldap_msgfree((LDAPMessage *)mem); + return 0; +} + +static int sdap_msg_attach(TALLOC_CTX *memctx, LDAPMessage *msg) +{ + void *h; + + if (!msg) return EINVAL; + + h = sss_mem_attach(memctx, msg, lmsg_destructor); + if (!h) return ENOMEM; + + return EOK; +} + +/* ==sdap-handle-utility-functions======================================== */ + +static inline void sdap_handle_release(struct sdap_handle *sh); +static int sdap_handle_destructor(void *mem); + +struct sdap_handle *sdap_handle_create(TALLOC_CTX *memctx) +{ + struct sdap_handle *sh; + + sh = talloc_zero(memctx, struct sdap_handle); + if (!sh) return NULL; + + talloc_set_destructor((TALLOC_CTX *)sh, sdap_handle_destructor); + + return sh; +} + +static int sdap_handle_destructor(void *mem) +{ + struct sdap_handle *sh = talloc_get_type(mem, struct sdap_handle); + + /* if the structure is currently locked, then mark it to be released + * and prevent talloc from freeing the memory */ + if (sh->destructor_lock) { + 
sh->release_memory = true; + return -1; + } + + sdap_handle_release(sh); + return 0; +} + +static void sdap_handle_release(struct sdap_handle *sh) +{ + struct sdap_op *op; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Trace: sh[%p], connected[%d], ops[%p], ldap[%p], " + "destructor_lock[%d], release_memory[%d]\n", + sh, (int)sh->connected, sh->ops, sh->ldap, + (int)sh->destructor_lock, (int)sh->release_memory); + + if (sh->destructor_lock) return; + sh->destructor_lock = true; + + /* make sure nobody tries to reuse this connection from now on */ + sh->connected = false; + + remove_ldap_connection_callbacks(sh); + + while (sh->ops) { + op = sh->ops; + op->callback(op, NULL, EIO, op->data); + /* calling the callback may result in freeing the op */ + /* check if it is still the same or avoid freeing */ + if (op == sh->ops) talloc_free(op); + } + + if (sh->ldap) { + ldap_unbind_ext(sh->ldap, NULL, NULL); + sh->ldap = NULL; + } + + /* ok, we have done the job, unlock now */ + sh->destructor_lock = false; + + /* finally if a destructor was ever called, free sh before + * exiting */ + if (sh->release_memory) { + /* neutralize the destructor as we already handled + * all was needed to be released */ + talloc_set_destructor((TALLOC_CTX *)sh, NULL); + talloc_free(sh); + } +} + +/* ==Parse-Results-And-Handle-Disconnections============================== */ +static void sdap_process_message(struct tevent_context *ev, + struct sdap_handle *sh, LDAPMessage *msg); +static void sdap_process_result(struct tevent_context *ev, void *pvt); +static void sdap_process_next_reply(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt); + +void sdap_ldap_result(struct tevent_context *ev, struct tevent_fd *fde, + uint16_t flags, void *pvt) +{ + sdap_process_result(ev, pvt); +} + +static void sdap_ldap_next_result(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + sdap_process_result(ev, pvt); +} + +static void 
sdap_process_result(struct tevent_context *ev, void *pvt) +{ + struct sdap_handle *sh = talloc_get_type(pvt, struct sdap_handle); + struct timeval no_timeout = {0, 0}; + struct tevent_timer *te; + LDAPMessage *msg; + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Trace: sh[%p], connected[%d], ops[%p], ldap[%p]\n", + sh, (int)sh->connected, sh->ops, sh->ldap); + + if (!sh->connected || !sh->ldap) { + DEBUG(SSSDBG_OP_FAILURE, "ERROR: LDAP connection is not connected!\n"); + sdap_handle_release(sh); + return; + } + + ret = ldap_result(sh->ldap, LDAP_RES_ANY, 0, &no_timeout, &msg); + if (ret == 0) { + /* this almost always means we have reached the end of + * the list of received messages */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Trace: end of ldap_result list\n"); + return; + } + + if (ret == -1) { + ldap_get_option(sh->ldap, LDAP_OPT_RESULT_CODE, &ret); + DEBUG(SSSDBG_OP_FAILURE, + "ldap_result error: [%s]\n", ldap_err2string(ret)); + sdap_handle_release(sh); + return; + } + + /* We don't know if this will be the last result. + * + * important: we must do this before actually processing the message + * because the message processing might even free the sdap_handler + * so it must be the last operation. 
+ * FIXME: use tevent_immediate/tevent_queues, when available */ + memset(&no_timeout, 0, sizeof(struct timeval)); + + te = tevent_add_timer(ev, sh, no_timeout, sdap_ldap_next_result, sh); + if (!te) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add critical timer to fetch next result!\n"); + } + + /* now process this message */ + sdap_process_message(ev, sh, msg); +} + +static const char *sdap_ldap_result_str(int msgtype) +{ + switch (msgtype) { + case LDAP_RES_BIND: + return "LDAP_RES_BIND"; + + case LDAP_RES_SEARCH_ENTRY: + return "LDAP_RES_SEARCH_ENTRY"; + + case LDAP_RES_SEARCH_REFERENCE: + return "LDAP_RES_SEARCH_REFERENCE"; + + case LDAP_RES_SEARCH_RESULT: + return "LDAP_RES_SEARCH_RESULT"; + + case LDAP_RES_MODIFY: + return "LDAP_RES_MODIFY"; + + case LDAP_RES_ADD: + return "LDAP_RES_ADD"; + + case LDAP_RES_DELETE: + return "LDAP_RES_DELETE"; + + case LDAP_RES_MODDN: + /* These are the same result + case LDAP_RES_MODRDN: + case LDAP_RES_RENAME: + */ + return "LDAP_RES_RENAME"; + + case LDAP_RES_COMPARE: + return "LDAP_RES_COMPARE"; + + case LDAP_RES_EXTENDED: + return "LDAP_RES_EXTENDED"; + + case LDAP_RES_INTERMEDIATE: + return "LDAP_RES_INTERMEDIATE"; + + case LDAP_RES_ANY: + return "LDAP_RES_ANY"; + + case LDAP_RES_UNSOLICITED: + return "LDAP_RES_UNSOLICITED"; + + default: + /* Unmatched, fall through */ + break; + } + + /* Unknown result type */ + return "Unknown result type!"; +} + +/* process a message calling the right operation callback. 
+ * msg is completely taken care of (including freeing it)
+ * NOTE: this function may even end up freeing the sdap_handle
+ * so sdap_handle must not be used after this function is called
+ */
+static void sdap_process_message(struct tevent_context *ev,
+ struct sdap_handle *sh, LDAPMessage *msg)
+{
+ struct sdap_msg *reply;
+ struct sdap_op *op;
+ int msgid;
+ int msgtype;
+ int ret;
+
+ msgid = ldap_msgid(msg);
+ if (msgid == -1) {
+ DEBUG(SSSDBG_OP_FAILURE, "can't fire callback, message id invalid!\n");
+ ldap_msgfree(msg);
+ return;
+ }
+
+ msgtype = ldap_msgtype(msg);
+
+ for (op = sh->ops; op; op = op->next) {
+ if (op->msgid == msgid) break;
+ }
+
+ if (op == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unmatched msgid, discarding message (type: %0x)\n",
+ msgtype);
+ ldap_msgfree(msg);
+ return;
+ }
+
+ /* shouldn't happen */
+ if (op->done) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Operation [%p] already handled (type: %0x)\n", op, msgtype);
+ ldap_msgfree(msg);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Message type: [%s]\n", sdap_ldap_result_str(msgtype));
+
+ switch (msgtype) {
+ case LDAP_RES_SEARCH_ENTRY:
+ case LDAP_RES_SEARCH_REFERENCE:
+ /* go and process entry */
+ break;
+
+ case LDAP_RES_BIND:
+ case LDAP_RES_SEARCH_RESULT:
+ case LDAP_RES_MODIFY:
+ case LDAP_RES_ADD:
+ case LDAP_RES_DELETE:
+ case LDAP_RES_MODDN:
+ case LDAP_RES_COMPARE:
+ case LDAP_RES_EXTENDED:
+ case LDAP_RES_INTERMEDIATE:
+ /* no more results expected with this msgid */
+ op->done = true;
+ break;
+
+ default:
+ /* unknown msg type?? */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Couldn't figure out the msg type! [%0x]\n", msgtype);
+ ldap_msgfree(msg);
+ return;
+ }
+
+ reply = talloc_zero(op, struct sdap_msg);
+ if (!reply) {
+ ldap_msgfree(msg);
+ ret = ENOMEM;
+ } else {
+ reply->msg = msg;
+ ret = sdap_msg_attach(reply, msg);
+ if (ret != EOK) {
+ ldap_msgfree(msg);
+ talloc_zfree(reply);
+ }
+ }
+
+ if (op->list) {
+ /* list exist, queue it */
+
+ op->last->next = reply;
+ op->last = reply;
+
+ } else {
+ /* create list, then call callback */
+ op->list = op->last = reply;
+
+ /* must be the last operation as it may end up freeing all memory
+ * including all ops handlers */
+ op->callback(op, reply, ret, op->data);
+ }
+}
+
+static void sdap_unlock_next_reply(struct sdap_op *op)
+{
+ struct timeval tv;
+ struct tevent_timer *te;
+ struct sdap_msg *next_reply;
+
+ if (op->list) {
+ next_reply = op->list->next;
+ /* get rid of the previous reply, it has been processed already */
+ talloc_zfree(op->list);
+ op->list = next_reply;
+ }
+
+ /* if there are still replies to parse, queue a new operation */
+ if (op->list) {
+ /* use a very small timeout, so that fd operations have a chance to be
+ * served while processing a long reply */
+ tv = tevent_timeval_current();
+
+ /* wait 5 microsecond */
+ tv.tv_usec += 5;
+ tv.tv_sec += tv.tv_usec / 1000000;
+ tv.tv_usec = tv.tv_usec % 1000000;
+
+ te = tevent_add_timer(op->ev, op, tv,
+ sdap_process_next_reply, op);
+ if (!te) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add critical timer for next reply!\n");
+ op->callback(op, NULL, EFAULT, op->data);
+ }
+ }
+}
+
+static void sdap_process_next_reply(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval tv, void *pvt)
+{
+ struct sdap_op *op = talloc_get_type(pvt, struct sdap_op);
+
+ op->callback(op, op->list, EOK, op->data);
+}
+
+/* ==LDAP-Operations-Helpers============================================== */
+
+static int sdap_op_destructor(void *mem)
+{
+ struct sdap_op *op = (struct sdap_op *)mem;
+
+ DLIST_REMOVE(op->sh->ops, op);
+
+ if (op->done) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Operation %d finished\n", op->msgid);
+ return 0;
+ }
+
+ /* we don't check the result here, if a message was really abandoned,
+ * hopefully the server will get an abandon.
+ * If the operation was already fully completed, this is going to be
+ * just a noop */
+ DEBUG(SSSDBG_TRACE_LIBS, "Abandoning operation %d\n", op->msgid);
+ ldap_abandon_ext(op->sh->ldap, op->msgid, NULL, NULL);
+
+ return 0;
+}
+
+static void sdap_op_timeout(struct tevent_req *req)
+{
+ struct sdap_op *op = tevent_req_callback_data(req, struct sdap_op);
+
+ /* should never happen, but just in case */
+ if (op->done) {
+ DEBUG(SSSDBG_OP_FAILURE, "Timeout happened after op was finished !?\n");
+ return;
+ }
+
+ /* signal the caller that we have a timeout */
+ DEBUG(SSSDBG_TRACE_LIBS, "Issuing timeout for %d\n", op->msgid);
+ op->callback(op, NULL, ETIMEDOUT, op->data);
+}
+
+int sdap_op_add(TALLOC_CTX *memctx, struct tevent_context *ev,
+ struct sdap_handle *sh, int msgid,
+ sdap_op_callback_t *callback, void *data,
+ int timeout, struct sdap_op **_op)
+{
+ struct sdap_op *op;
+
+ op = talloc_zero(memctx, struct sdap_op);
+ if (!op) return ENOMEM;
+
+ op->sh = sh;
+ op->msgid = msgid;
+ op->callback = callback;
+ op->data = data;
+ op->ev = ev;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "New operation %d timeout %d\n", op->msgid, timeout);
+
+ /* check if we need to set a timeout */
+ if (timeout) {
+ struct tevent_req *req;
+ struct timeval tv;
+
+ tv = tevent_timeval_current();
+ tv = tevent_timeval_add(&tv, timeout, 0);
+
+ /* allocate on op, so when it get freed the timeout is removed */
+ req = tevent_wakeup_send(op, ev, tv);
+ if (!req) {
+ talloc_zfree(op);
+ return ENOMEM;
+ }
+ tevent_req_set_callback(req, sdap_op_timeout, op);
+ }
+
+ DLIST_ADD(sh->ops, op);
+
+ talloc_set_destructor((TALLOC_CTX *)op, sdap_op_destructor);
+
+ *_op = op;
+ return EOK;
+}
+
+/* ==Modify-Password====================================================== */
+
+struct sdap_exop_modify_passwd_state {
+ struct sdap_handle *sh;
+
+ struct sdap_op *op;
+
+ char *user_error_message;
+};
+
+static void sdap_exop_modify_passwd_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt);
+
+struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ char *user_dn,
+ const char *password,
+ const char *new_password,
+ int timeout)
+{
+ struct tevent_req *req = NULL;
+ struct sdap_exop_modify_passwd_state *state;
+ int ret;
+ BerElement *ber = NULL;
+ struct berval *bv = NULL;
+ int msgid;
+ LDAPControl **request_controls = NULL;
+ LDAPControl *ctrls[2] = { NULL, NULL };
+
+ req = tevent_req_create(memctx, &state,
+ struct sdap_exop_modify_passwd_state);
+ if (!req) return NULL;
+
+ state->sh = sh;
+ state->user_error_message = NULL;
+
+ ber = ber_alloc_t( LBER_USE_DER );
+ if (ber == NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS, "ber_alloc_t failed.\n");
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ ret = ber_printf( ber, "{tststs}", LDAP_TAG_EXOP_MODIFY_PASSWD_ID,
+ user_dn,
+ LDAP_TAG_EXOP_MODIFY_PASSWD_OLD, password,
+ LDAP_TAG_EXOP_MODIFY_PASSWD_NEW, new_password);
+ if (ret == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_printf failed.\n");
+ ber_free(ber, 1);
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ ret = ber_flatten(ber, &bv);
+ ber_free(ber, 1);
+ if (ret == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_flatten failed.\n");
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ ret = sdap_control_create(state->sh, LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed to create "
+ "Password Policy control.\n");
+ ret = ERR_INTERNAL;
+ goto fail;
+ }
+ request_controls = ctrls;
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing extended operation\n");
+
+ ret = ldap_extended_operation(state->sh->ldap, LDAP_EXOP_MODIFY_PASSWD,
+ bv, request_controls, NULL, &msgid);
+ ber_bvfree(bv);
+ if (ctrls[0]) ldap_control_free(ctrls[0]);
+ if (ret == -1 || msgid == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_extended_operation failed\n");
+ ret = ERR_NETWORK_IO;
+ goto fail;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "ldap_extended_operation sent, msgid = %d\n", msgid);
+
+ ret = sdap_op_add(state, ev, state->sh, msgid,
+ sdap_exop_modify_passwd_done, req, timeout, &state->op);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
+ ret = ERR_INTERNAL;
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void sdap_exop_modify_passwd_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct sdap_exop_modify_passwd_state *state = tevent_req_data(req,
+ struct sdap_exop_modify_passwd_state);
+ char *errmsg = NULL;
+ int ret;
+ LDAPControl **response_controls = NULL;
+ int c;
+ ber_int_t pp_grace;
+ ber_int_t pp_expire;
+ LDAPPasswordPolicyError pp_error;
+ int result;
+
+ if (error) {
+ tevent_req_error(req, error);
+ return;
+ }
+
+ ret = ldap_parse_result(state->sh->ldap, reply->msg,
+ &result, NULL, &errmsg, NULL,
+ &response_controls, 0);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ if (response_controls == NULL) {
+ DEBUG(SSSDBG_FUNC_DATA, "Server returned no controls.\n");
+ } else {
+ for (c = 0; response_controls[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "Server returned control [%s].\n",
+ response_controls[c]->ldctl_oid);
+ if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) {
+ ret = ldap_parse_passwordpolicy_control(state->sh->ldap,
+ response_controls[c],
+ &pp_expire, &pp_grace,
+ &pp_error);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_parse_passwordpolicy_control failed.\n");
+ ret = ERR_NETWORK_IO;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password Policy Response: expire [%d] grace [%d] "
+ "error [%s].\n", pp_expire, pp_grace,
+ ldap_passwordpolicy_err2txt(pp_error));
+ }
+ }
+ }
+
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_extended_operation result: %s(%d), %s\n",
+ sss_ldap_err2string(result), result, errmsg);
+
+ switch (result) {
+ case LDAP_SUCCESS:
+ ret = EOK;
+ break;
+ case LDAP_CONSTRAINT_VIOLATION:
+ if (errmsg && strlen(errmsg) != 0) {
+ state->user_error_message = talloc_strdup(state, errmsg);
+ } else {
+ state->user_error_message = talloc_strdup(state,
+ "Please make sure the password meets the "
+ "complexity constraints.");
+ }
+
+ if (state->user_error_message == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ERR_CHPASS_DENIED;
+ break;
+ default:
+ if (errmsg) {
+ state->user_error_message = talloc_strdup(state, errmsg);
+ if (state->user_error_message == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ ret = ERR_NETWORK_IO;
+ break;
+ }
+
+done:
+ ldap_controls_free(response_controls);
+ ldap_memfree(errmsg);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+}
+
+errno_t sdap_exop_modify_passwd_recv(struct tevent_req *req,
+ TALLOC_CTX * mem_ctx,
+ char **user_error_message)
+{
+ struct sdap_exop_modify_passwd_state *state = tevent_req_data(req,
+ struct sdap_exop_modify_passwd_state);
+
+ *user_error_message = talloc_steal(mem_ctx, state->user_error_message);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==Update-passwordLastChanged-attribute====================== */
+struct update_last_changed_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+ struct sdap_op *op;
+
+ const char *dn;
+ LDAPMod **mods;
+};
+
+static void sdap_modify_shadow_lastchange_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt);
+
+struct tevent_req *
+sdap_modify_shadow_lastchange_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ const char *dn,
+ char *lastchanged_name)
+{
+ struct tevent_req *req;
+ struct update_last_changed_state *state;
+ char **values;
+ errno_t ret;
+ int msgid;
+
+ req = tevent_req_create(mem_ctx, &state, struct update_last_changed_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sh = sh;
+ state->dn = dn;
+ state->mods = talloc_zero_array(state, LDAPMod *, 2);
+ if (state->mods == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->mods[0] = talloc_zero(state->mods, LDAPMod);
+ state->mods[1] = talloc_zero(state->mods, LDAPMod);
+ if (!state->mods[0] || !state->mods[1]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ values = talloc_zero_array(state->mods[0], char *, 2);
+ if (values == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ /* The attribute contains number of days since the epoch */
+ values[0] = talloc_asprintf(values, "%ld", (long)time(NULL)/86400);
+ if (values[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->mods[0]->mod_op = LDAP_MOD_REPLACE;
+ state->mods[0]->mod_type = lastchanged_name;
+ state->mods[0]->mod_vals.modv_strvals = values;
+ state->mods[1] = NULL;
+
+ ret = ldap_modify_ext(state->sh->ldap, state->dn, state->mods,
+ NULL, NULL, &msgid);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to send operation!\n");
+ goto done;
+ }
+
+ ret = sdap_op_add(state, state->ev, state->sh, msgid,
+ sdap_modify_shadow_lastchange_done, req, 5, &state->op);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static void sdap_modify_shadow_lastchange_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct update_last_changed_state *state;
+ state = tevent_req_data(req, struct update_last_changed_state);
+ char *errmsg;
+ int result;
+ errno_t ret = EOK;
+ int lret;
+
+ if (error) {
+ tevent_req_error(req, error);
+ return;
+ }
+
+ lret = ldap_parse_result(state->sh->ldap, reply->msg,
+ &result, NULL, &errmsg, NULL,
+ NULL, 0);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed (%d)\n",
+ state->op->msgid);
+ ret = EIO;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Updating lastPwdChange result: %s(%d), %s\n",
+ sss_ldap_err2string(result),
+ result, errmsg);
+
+done:
+ ldap_memfree(errmsg);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+}
+
+errno_t sdap_modify_shadow_lastchange_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+
+/* ==Fetch-RootDSE============================================= */
+
+struct sdap_get_rootdse_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+
+ struct sysdb_attrs *rootdse;
+};
+
+static void sdap_get_rootdse_done(struct tevent_req *subreq);
+static void sdap_get_matching_rule_done(struct tevent_req *subreq);
+
+struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh)
+{
+ struct tevent_req *req, *subreq;
+ struct sdap_get_rootdse_state *state;
+ const char *attrs[] = {
+ "*",
+ "altServer",
+ SDAP_ROOTDSE_ATTR_NAMING_CONTEXTS,
+ "supportedControl",
+ "supportedExtension",
+ "supportedFeatures",
+ "supportedLDAPVersion",
+ "supportedSASLMechanisms",
+ SDAP_ROOTDSE_ATTR_AD_VERSION,
+ SDAP_ROOTDSE_ATTR_DEFAULT_NAMING_CONTEXT,
+ SDAP_IPA_LAST_USN, SDAP_AD_LAST_USN,
+ NULL
+ };
+
+ DEBUG(SSSDBG_TRACE_ALL, "Getting rootdse\n");
+
+ req = tevent_req_create(memctx, &state, struct sdap_get_rootdse_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sh = sh;
+ state->rootdse = NULL;
+
+ subreq = sdap_get_generic_send(state, ev, opts, sh,
+ "", LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, NULL, 0,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (!subreq) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, sdap_get_rootdse_done, req);
+
+ return req;
+}
+
+/* This is not a real attribute, it's just there to avoid
+ * actually pulling real data down, to save bandwidth
+ */
+#define SDAP_MATCHING_RULE_TEST_ATTR "sssmatchingruletest"
+
+static void sdap_get_rootdse_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_get_rootdse_state *state = tevent_req_data(req,
+ struct sdap_get_rootdse_state);
+ struct sysdb_attrs **results;
+ size_t num_results;
+ int ret;
+ const char *filter;
+ const char *attrs[] = { SDAP_MATCHING_RULE_TEST_ATTR, NULL };
+
+ ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (num_results == 0 || !results) {
+ DEBUG(SSSDBG_OP_FAILURE, "RootDSE could not be retrieved. "
+ "Please check that anonymous access to RootDSE is allowed\n"
+ );
+ tevent_req_error(req, ENOENT);
+ return;
+ }
+
+ if (num_results > 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Multiple replies when searching for RootDSE??\n");
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ state->rootdse = talloc_steal(state, results[0]);
+ talloc_zfree(results);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Got rootdse\n");
+
+ /* Auto-detect the LDAP matching rule if requested */
+ if ((!dp_opt_get_bool(state->opts->basic,
+ SDAP_AD_MATCHING_RULE_INITGROUPS))
+ && !dp_opt_get_bool(state->opts->basic,
+ SDAP_AD_MATCHING_RULE_GROUPS)) {
+ /* This feature is disabled for both groups
+ * and initgroups. Skip the auto-detection
+ * lookup.
+ */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Skipping auto-detection of match rule\n");
+ tevent_req_done(req);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Auto-detecting support for match rule\n");
+
+ /* Create a filter using the matching rule. It need not point
+ * at any valid data. We're only going to be looking for the
+ * error code.
+ */
+ filter = "("SDAP_MATCHING_RULE_TEST_ATTR":"
+ SDAP_MATCHING_RULE_IN_CHAIN":=)";
+
+ /* Perform a trivial query with the matching rule in play.
+ * If it returns success, we know it is available. If it
+ * returns EIO, we know it isn't.
+ */
+ subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh,
+ "", LDAP_SCOPE_BASE, filter, attrs, NULL,
+ 0, dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_get_matching_rule_done, req);
+}
+
+static void sdap_get_matching_rule_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_get_rootdse_state *state = tevent_req_data(req,
+ struct sdap_get_rootdse_state);
+ size_t num_results;
+ struct sysdb_attrs **results;
+
+ ret = sdap_get_generic_recv(subreq, state, &num_results, &results);
+ talloc_zfree(subreq);
+ if (ret == EOK) {
+ /* The search succeeded */
+ state->opts->support_matching_rule = true;
+ } else if (ret == EIO) {
+ /* The search failed. Disable support for
+ * matching rule lookups.
+ */
+ state->opts->support_matching_rule = false;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Unexpected error while testing for matching rule support\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "LDAP server %s the matching rule extension\n",
+ state->opts->support_matching_rule
+ ? "supports"
+ : "does not support");
+
+ tevent_req_done(req);
+}
+
+int sdap_get_rootdse_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+ struct sysdb_attrs **rootdse)
+{
+ struct sdap_get_rootdse_state *state = tevent_req_data(req,
+ struct sdap_get_rootdse_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *rootdse = talloc_steal(memctx, state->rootdse);
+
+ return EOK;
+}
+
+/* ==Helpers for parsing replies============================== */
+struct sdap_reply {
+ size_t reply_max;
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+};
+
+static errno_t add_to_reply(TALLOC_CTX *mem_ctx,
+ struct sdap_reply *sreply,
+ struct sysdb_attrs *msg)
+{
+ if (sreply->reply == NULL || sreply->reply_max == sreply->reply_count) {
+ sreply->reply_max += REPLY_REALLOC_INCREMENT;
+ sreply->reply = talloc_realloc(mem_ctx, sreply->reply,
+ struct sysdb_attrs *,
+ sreply->reply_max);
+ if (sreply->reply == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ sreply->reply[sreply->reply_count++] = talloc_steal(sreply->reply, msg);
+
+ return EOK;
+}
+
+struct sdap_deref_reply {
+ size_t reply_max;
+ size_t reply_count;
+ struct sdap_deref_attrs **reply;
+};
+
+static errno_t add_to_deref_reply(TALLOC_CTX *mem_ctx,
+ int num_maps,
+ struct sdap_deref_reply *dreply,
+ struct sdap_deref_attrs **res)
+{
+ int i;
+
+ if (res == NULL) {
+ /* Nothing to add, probably ACIs prevented us from dereferencing
+ * the attribute */
+ return EOK;
+ }
+
+ for (i=0; i < num_maps; i++) {
+ if (res[i]->attrs == NULL) continue; /* Nothing in this map */
+
+ if (dreply->reply == NULL ||
+ dreply->reply_max == dreply->reply_count) {
+ dreply->reply_max += REPLY_REALLOC_INCREMENT;
+ dreply->reply = talloc_realloc(mem_ctx, dreply->reply,
+ struct sdap_deref_attrs *,
+ dreply->reply_max);
+ if (dreply->reply == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ dreply->reply[dreply->reply_count++] =
+ talloc_steal(dreply->reply, res[i]);
+ }
+
+ return EOK;
+}
+
+static void sdap_print_server(struct sdap_handle *sh)
+{
+ int ret;
+ int fd;
+ struct sockaddr_storage ss;
+ socklen_t ss_len = sizeof(ss);
+ struct sockaddr *s_addr = (struct sockaddr *)&ss;
+ char ip[NI_MAXHOST];
+ int port;
+
+ if (!DEBUG_IS_SET(SSSDBG_TRACE_INTERNAL)) {
+ return;
+ }
+
+ ret = get_fd_from_ldap(sh->ldap, &fd);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "cannot get sdap fd\n");
+ return;
+ }
+
+ ret = getpeername(fd, s_addr, &ss_len);
+ if (ret == -1) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "getsockname failed\n");
+ return;
+ }
+
+ ret = getnameinfo(s_addr, ss_len,
+ ip, sizeof(ip), NULL, 0, NI_NUMERICHOST);
+ if (ret != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "getnameinfo failed\n");
+ return;
+ }
+
+ switch (s_addr->sa_family) {
+ case AF_INET:
+ port = ntohs(((struct sockaddr_in *)s_addr)->sin_port);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Searching %s:%d\n", ip, port);
+ break;
+ case AF_INET6:
+ port = ntohs(((struct sockaddr_in6 *)s_addr)->sin6_port);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Searching %s:%d\n", ip, port);
+ break;
+ default:
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Searching %s\n", ip);
+ }
+}
+
+/* ==Generic Search exposing all options======================= */
+typedef errno_t (*sdap_parse_cb)(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt);
+
+struct sdap_get_generic_ext_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+ const char *search_base;
+ int scope;
+ const char *filter;
+ const char **attrs;
+ int timeout;
+ int sizelimit;
+
+ struct sdap_op *op;
+
+ struct berval cookie;
+
+ LDAPControl **serverctrls;
+ int nserverctrls;
+ LDAPControl **clientctrls;
+
+ size_t ref_count;
+ char **refs;
+
+ sdap_parse_cb parse_cb;
+ void *cb_data;
+
+ unsigned int flags;
+};
+
+static errno_t sdap_get_generic_ext_step(struct tevent_req *req);
+
+static void sdap_get_generic_op_finished(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt);
+
+enum {
+ /* Be silent about exceeded size limit */
+ SDAP_SRCH_FLG_SIZELIMIT_SILENT = 1 << 0,
+
+ /* Allow paging */
+ SDAP_SRCH_FLG_PAGING = 1 << 1,
+
+ /* Only attribute descriptions are requested */
+ SDAP_SRCH_FLG_ATTRS_ONLY = 1 << 2,
+};
+
+static struct tevent_req *
+sdap_get_generic_ext_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ const char *search_base,
+ int scope,
+ const char *filter,
+ const char **attrs,
+ LDAPControl **serverctrls,
+ LDAPControl **clientctrls,
+ int sizelimit,
+ int timeout,
+ sdap_parse_cb parse_cb,
+ void *cb_data,
+ unsigned int flags)
+{
+ errno_t ret;
+ struct sdap_get_generic_ext_state *state;
+ struct tevent_req *req;
+ int i;
+ LDAPControl *control;
+
+ req = tevent_req_create(memctx, &state, struct sdap_get_generic_ext_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sh = sh;
+ state->search_base = search_base;
+ state->scope = scope;
+ state->filter = filter;
+ state->attrs = attrs;
+ state->op = NULL;
+ state->sizelimit = sizelimit;
+ state->timeout = timeout;
+ state->cookie.bv_len = 0;
+ state->cookie.bv_val = NULL;
+ state->parse_cb = parse_cb;
+ state->cb_data = cb_data;
+ state->clientctrls = clientctrls;
+ state->flags = flags;
+
+ if (state->sh == NULL || state->sh->ldap == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Trying LDAP search while not connected.\n");
+ tevent_req_error(req, EIO);
+ tevent_req_post(req, ev);
+ return req;
+ }
+
+ sdap_print_server(sh);
+
+ /* Be extra careful and never allow paging for BASE searches,
+ * even if requested.
+ */
+ if (scope == LDAP_SCOPE_BASE && (flags & SDAP_SRCH_FLG_PAGING)) {
+ /* Disable paging */
+ state->flags &= ~SDAP_SRCH_FLG_PAGING;
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "WARNING: Disabling paging because scope is set to base.\n");
+ }
+
+ /* Also check for deref/asq requests and force
+ * paging on for those requests
+ */
+ /* X-DEREF */
+ control = ldap_control_find(LDAP_CONTROL_X_DEREF,
+ serverctrls,
+ NULL);
+ if (control) {
+ state->flags |= SDAP_SRCH_FLG_PAGING;
+ }
+
+ /* ASQ */
+ control = ldap_control_find(LDAP_SERVER_ASQ_OID,
+ serverctrls,
+ NULL);
+ if (control) {
+ state->flags |= SDAP_SRCH_FLG_PAGING;
+ }
+
+ for (state->nserverctrls=0;
+ serverctrls && serverctrls[state->nserverctrls];
+ state->nserverctrls++) ;
+
+ /* One extra space for NULL, one for page control */
+ state->serverctrls = talloc_array(state, LDAPControl *,
+ state->nserverctrls+2);
+ if (!state->serverctrls) {
+ tevent_req_error(req, ENOMEM);
+ tevent_req_post(req, ev);
+ return req;
+ }
+
+ for (i=0; i < state->nserverctrls; i++) {
+ state->serverctrls[i] = serverctrls[i];
+ }
+ state->serverctrls[i] = NULL;
+
+ PROBE(SDAP_GET_GENERIC_EXT_SEND, state->search_base,
+ state->scope, state->filter);
+
+ ret = sdap_get_generic_ext_step(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+ }
+
+ return req;
+}
+
+static errno_t sdap_get_generic_ext_step(struct tevent_req *req)
+{
+ struct sdap_get_generic_ext_state *state =
+ tevent_req_data(req, struct sdap_get_generic_ext_state);
+ char *errmsg;
+ int lret;
+ int optret;
+ errno_t ret;
+ int msgid;
+ bool disable_paging;
+
+ LDAPControl *page_control = NULL;
+
+ /* Make sure to free any previous operations so
+ * if we are handling a large number of pages we
+ * don't waste memory.
+ */
+ talloc_zfree(state->op);
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "calling ldap_search_ext with [%s][%s].\n",
+ state->filter ? state->filter : "no filter",
+ state->search_base);
+ if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
+ int i;
+
+ if (state->attrs) {
+ for (i = 0; state->attrs[i]; i++) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Requesting attrs: [%s]\n", state->attrs[i]);
+ }
+ }
+ }
+
+ disable_paging = dp_opt_get_bool(state->opts->basic, SDAP_DISABLE_PAGING);
+
+ if (!disable_paging
+ && (state->flags & SDAP_SRCH_FLG_PAGING)
+ && sdap_is_control_supported(state->sh,
+ LDAP_CONTROL_PAGEDRESULTS)) {
+ lret = ldap_create_page_control(state->sh->ldap,
+ state->sh->page_size,
+ state->cookie.bv_val ?
+ &state->cookie :
+ NULL,
+ false,
+ &page_control);
+ if (lret != LDAP_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+ state->serverctrls[state->nserverctrls] = page_control;
+ state->serverctrls[state->nserverctrls+1] = NULL;
+ }
+
+ lret = ldap_search_ext(state->sh->ldap, state->search_base,
+ state->scope, state->filter,
+ discard_const(state->attrs),
+ (state->flags & SDAP_SRCH_FLG_ATTRS_ONLY),
+ state->serverctrls,
+ state->clientctrls, NULL, state->sizelimit, &msgid);
+ ldap_control_free(page_control);
+ state->serverctrls[state->nserverctrls] = NULL;
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldap_search_ext failed: %s\n", sss_ldap_err2string(lret));
+ if (lret == LDAP_SERVER_DOWN) {
+ ret = ETIMEDOUT;
+ optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
+ &errmsg);
+ if (optret == LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Connection error: %s\n", errmsg);
+ sss_log(SSS_LOG_ERR, "LDAP connection error: %s", errmsg);
+ }
+ else {
+ sss_log(SSS_LOG_ERR, "LDAP connection error, %s",
+ sss_ldap_err2string(lret));
+ }
+ } else if (lret == LDAP_FILTER_ERROR) {
+ ret = ERR_INVALID_FILTER;
+ } else {
+ ret = EIO;
+ }
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "ldap_search_ext called, msgid = %d\n", msgid);
+
+ ret = sdap_op_add(state, state->ev, state->sh, msgid,
+ sdap_get_generic_op_finished, req,
+ state->timeout,
+ &state->op);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
+ goto done;
+ }
+
+done:
+ return ret;
+}
+
+static errno_t
+sdap_get_generic_ext_add_references(struct sdap_get_generic_ext_state *state,
+ char **refs)
+{
+ int i;
+
+ if (refs == NULL) {
+ /* Rare, but it's possible that we might get a reference result with
+ * no references attached.
+ */
+ return EOK;
+ }
+
+ for (i = 0; refs[i]; i++) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Additional References: %s\n", refs[i]);
+ }
+
+ /* Extend the size of the ref array */
+ state->refs = talloc_realloc(state, state->refs, char *,
+ state->ref_count + i);
+ if (state->refs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "talloc_realloc failed extending ref_array.\n");
+ return ENOMEM;
+ }
+
+ /* Copy in all the references */
+ for (i = 0; refs[i]; i++) {
+ state->refs[state->ref_count + i] =
+ talloc_strdup(state->refs, refs[i]);
+
+ if (state->refs[state->ref_count + i] == NULL) {
+ return ENOMEM;
+ }
+ }
+
+ state->ref_count += i;
+
+ return EOK;
+}
+
+static void sdap_get_generic_op_finished(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct sdap_get_generic_ext_state *state = tevent_req_data(req,
+ struct sdap_get_generic_ext_state);
+ char *errmsg = NULL;
+ char **refs = NULL;
+ int result;
+ int ret;
+ int lret;
+ ber_int_t total_count;
+ struct berval cookie;
+ LDAPControl **returned_controls = NULL;
+ LDAPControl *page_control;
+
+ if (error) {
+ tevent_req_error(req, error);
+ return;
+ }
+
+ switch (ldap_msgtype(reply->msg)) {
+ case LDAP_RES_SEARCH_REFERENCE:
+ ret = ldap_parse_reference(state->sh->ldap, reply->msg,
+ &refs, NULL, 0);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_reference failed (%d)\n", state->op->msgid);
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ ret = sdap_get_generic_ext_add_references(state, refs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_ext_add_references failed: %s(%d)\n",
+ sss_strerror(ret), ret);
+ ldap_memvfree((void **)refs);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Remove the original strings */
+ ldap_memvfree((void **)refs);
+
+ /* unlock the operation so that we can proceed with the next result */
+ sdap_unlock_next_reply(state->op);
+ break;
+
+ case LDAP_RES_SEARCH_ENTRY:
+ ret = state->parse_cb(state->sh, reply, state->cb_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "reply parsing callback failed.\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ sdap_unlock_next_reply(state->op);
+ break;
+
+ case LDAP_RES_SEARCH_RESULT:
+ ret = ldap_parse_result(state->sh->ldap, reply->msg,
+ &result, NULL, &errmsg, &refs,
+ &returned_controls, 0);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Search result: %s(%d), %s\n",
+ sss_ldap_err2string(result), result,
+ errmsg ? errmsg : "no errmsg set");
+
+ if (result == LDAP_SIZELIMIT_EXCEEDED
+ || result == LDAP_ADMINLIMIT_EXCEEDED) {
+ /* Try to return what we've got */
+
+ if ( ! (state->flags & SDAP_SRCH_FLG_SIZELIMIT_SILENT)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "LDAP sizelimit was exceeded, "
+ "returning incomplete data\n");
+ }
+ } else if (result == LDAP_INAPPROPRIATE_MATCHING) {
+ /* This error should only occur when we're testing for
+ * specialized functionality like the LDAP matching rule
+ * filter for Active Directory. Warn at a higher log
+ * level and return EIO.
+ */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "LDAP_INAPPROPRIATE_MATCHING: %s\n",
+ errmsg ? errmsg : "no errmsg set");
+ ldap_memfree(errmsg);
+ tevent_req_error(req, EIO);
+ return;
+ } else if (result == LDAP_UNAVAILABLE_CRITICAL_EXTENSION) {
+ ldap_memfree(errmsg);
+ tevent_req_error(req, ENOTSUP);
+ return;
+ } else if (result == LDAP_REFERRAL) {
+ ret = sdap_get_generic_ext_add_references(state, refs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_ext_add_references failed: %s(%d)\n",
+ sss_strerror(ret), ret);
+ tevent_req_error(req, ret);
+ }
+ /* For referrals, we need to fall through as if it was LDAP_SUCCESS */
+ } else if (result != LDAP_SUCCESS && result != LDAP_NO_SUCH_OBJECT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unexpected result from ldap: %s(%d), %s\n",
+ sss_ldap_err2string(result), result,
+ errmsg ? errmsg : "no errmsg set");
+ ldap_memfree(errmsg);
+ tevent_req_error(req, EIO);
+ return;
+ }
+ ldap_memfree(errmsg);
+
+ /* Determine if there are more pages to retrieve */
+ page_control = ldap_control_find(LDAP_CONTROL_PAGEDRESULTS,
+ returned_controls, NULL );
+ if (!page_control) {
+ /* No paging support. We are done */
+ tevent_req_done(req);
+ return;
+ }
+
+ lret = ldap_parse_pageresponse_control(state->sh->ldap, page_control,
+ &total_count, &cookie);
+ ldap_controls_free(returned_controls);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not determine page control\n");
+ tevent_req_error(req, EIO);
+ return;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Total count [%d]\n", total_count);
+
+ if (cookie.bv_val != NULL && cookie.bv_len > 0) {
+ /* Cookie contains data, which means there are more requests
+ * to be processed.
+ */
+ talloc_zfree(state->cookie.bv_val);
+ state->cookie.bv_len = cookie.bv_len;
+ state->cookie.bv_val = talloc_memdup(state,
+ cookie.bv_val,
+ cookie.bv_len);
+ if (!state->cookie.bv_val) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ ber_memfree(cookie.bv_val);
+
+ ret = sdap_get_generic_ext_step(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ return;
+ }
+ /* The cookie must be freed even if len == 0 */
+ ber_memfree(cookie.bv_val);
+
+ /* This was the last page. We're done */
+
+ tevent_req_done(req);
+ return;
+
+ default:
+ /* what is going on here !? */
+ tevent_req_error(req, EIO);
+ return;
+ }
+}
+
+static int
+sdap_get_generic_ext_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *ref_count,
+ char ***refs)
+{
+ struct sdap_get_generic_ext_state *state =
+ tevent_req_data(req, struct sdap_get_generic_ext_state);
+
+ PROBE(SDAP_GET_GENERIC_EXT_RECV, state->search_base,
+ state->scope, state->filter);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (ref_count) {
+ *ref_count = state->ref_count;
+ }
+
+ if (refs) {
+ *refs = talloc_steal(mem_ctx, state->refs);
+ }
+
+ return EOK;
+}
+
+/* This search handler can be used by most calls */
+static void generic_ext_search_handler(struct tevent_req *subreq,
+ struct sdap_options *opts)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ int ret;
+ size_t ref_count, i;
+ char **refs;
+
+ ret = sdap_get_generic_ext_recv(subreq, req, &ref_count, &refs);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_ext_recv failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (ref_count > 0) {
+ /* We will ignore referrals in the generic handler */
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Request included referrals which were ignored.\n");
+ if (debug_level & SSSDBG_TRACE_ALL) {
+ for(i = 0; i < ref_count; i++) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ " Ref: %s\n", refs[i]);
+ }
+ }
+ }
+
+ talloc_free(refs);
+ tevent_req_done(req);
+}
+
+/* ==Generic Search exposing all options======================= */
+struct sdap_get_and_parse_generic_state {
+ struct sdap_attr_map *map;
+ int map_num_attrs;
+
+ struct sdap_reply sreply;
+ struct sdap_options *opts;
+};
+
+static void sdap_get_and_parse_generic_done(struct tevent_req *subreq);
+static errno_t sdap_get_and_parse_generic_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt);
+
+struct tevent_req *sdap_get_and_parse_generic_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ const char *search_base,
+ int scope,
+ const char *filter,
+ const char **attrs,
+ struct sdap_attr_map *map,
+ int map_num_attrs,
+ int attrsonly,
+ LDAPControl **serverctrls,
+ LDAPControl **clientctrls,
+ int sizelimit,
+ int timeout,
+ bool allow_paging)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_get_and_parse_generic_state *state = NULL;
+ unsigned int flags = 0;
+
+ req = tevent_req_create(memctx, &state,
+ struct sdap_get_and_parse_generic_state);
+ if (!req) return NULL;
+
+ state->map = map;
+ state->map_num_attrs = map_num_attrs;
+ state->opts = opts;
+
+ if (allow_paging) {
+ flags |= SDAP_SRCH_FLG_PAGING;
+ }
+
+ if (attrsonly) {
+ flags |= SDAP_SRCH_FLG_ATTRS_ONLY;
+ }
+
+ subreq = sdap_get_generic_ext_send(state, ev, opts, sh, search_base,
+ scope, filter, attrs, serverctrls,
+ clientctrls, sizelimit, timeout,
+ sdap_get_and_parse_generic_parse_entry,
+ state, flags);
+ if (!subreq) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, sdap_get_and_parse_generic_done, req);
+
+ return req;
+}
+
+static errno_t sdap_get_and_parse_generic_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ struct sdap_get_and_parse_generic_state *state =
+ talloc_get_type(pvt, struct sdap_get_and_parse_generic_state);
+
+ bool disable_range_rtrvl = dp_opt_get_bool(state->opts->basic,
+ SDAP_DISABLE_RANGE_RETRIEVAL);
+
+ ret = sdap_parse_entry(state, sh, msg,
+ state->map, state->map_num_attrs,
+ &attrs, disable_range_rtrvl);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
+ return ret;
+ }
+
+ ret = add_to_reply(state, &state->sreply, attrs);
+ if (ret != EOK) {
+ talloc_free(attrs);
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_to_reply failed.\n");
+ return ret;
+ }
+
+ /* add_to_reply steals attrs, no need to free them here */
+ return EOK;
+}
+
+static void sdap_get_and_parse_generic_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_get_and_parse_generic_state *state =
+ tevent_req_data(req, struct sdap_get_and_parse_generic_state);
+
+ return generic_ext_search_handler(subreq, state->opts);
+}
+
+int sdap_get_and_parse_generic_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sysdb_attrs ***reply)
+{
+ struct sdap_get_and_parse_generic_state *state = tevent_req_data(req,
+ struct sdap_get_and_parse_generic_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *reply_count = state->sreply.reply_count;
+ *reply = talloc_steal(mem_ctx, state->sreply.reply);
+
+ return EOK;
+}
+
+
+/* ==Simple generic search============================================== */
+struct sdap_get_generic_state {
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+};
+
+static void sdap_get_generic_done(struct tevent_req *subreq);
+
+struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ const char *search_base,
+ int scope,
+ const char *filter,
+ const char **attrs,
+ struct sdap_attr_map *map,
+ int map_num_attrs,
+ int timeout,
+ bool allow_paging)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_get_generic_state *state = NULL;
+
+ req = tevent_req_create(memctx, &state, struct sdap_get_generic_state);
+ if (!req) return NULL;
+
+ subreq = sdap_get_and_parse_generic_send(memctx, ev, opts, sh, search_base,
+ scope, filter, attrs,
+ map, map_num_attrs,
+ false, NULL, NULL, 0, timeout,
+ allow_paging);
+ if (subreq == NULL) {
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, sdap_get_generic_done, req);
+
+ return req;
+}
+
+static void sdap_get_generic_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_get_generic_state *state =
+ tevent_req_data(req, struct sdap_get_generic_state);
+ errno_t ret;
+
+ ret = sdap_get_and_parse_generic_recv(subreq, state,
+ &state->reply_count, &state->reply);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_done(req);
+}
+
+int sdap_get_generic_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sysdb_attrs ***reply)
+{
+ struct sdap_get_generic_state *state =
+ tevent_req_data(req, struct sdap_get_generic_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *reply_count = state->reply_count;
+ *reply = talloc_steal(mem_ctx, state->reply);
+
+ return EOK;
+}
+
+/* ==OpenLDAP deref search============================================== */
+static int sdap_x_deref_create_control(struct sdap_handle *sh,
+ const char *deref_attr,
+ const char **attrs,
+ LDAPControl **ctrl);
+
+static void sdap_x_deref_search_done(struct tevent_req *subreq);
+static int sdap_x_deref_search_ctrls_destructor(void *ptr);
+
+static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt);
+struct sdap_x_deref_search_state {
+ struct sdap_handle *sh;
+ struct sdap_op *op;
+ struct sdap_attr_map_info *maps;
+ LDAPControl **ctrls;
+ struct sdap_options *opts;
+
+ struct sdap_deref_reply dreply;
+ int num_maps;
+};
+
+static struct tevent_req *
+sdap_x_deref_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+ struct sdap_options *opts, struct sdap_handle *sh,
+ const char *base_dn, const char *filter,
+ const char *deref_attr, const char **attrs,
+ struct sdap_attr_map_info *maps, int num_maps,
+ int timeout)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_x_deref_search_state *state;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct sdap_x_deref_search_state);
+ if (!req) return NULL;
+
+ state->sh = sh;
+ state->maps = maps;
+ state->op = NULL;
+ state->opts = opts;
+ state->num_maps = num_maps;
+ state->ctrls = talloc_zero_array(state, LDAPControl *, 2);
+ if (state->ctrls == NULL) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ talloc_set_destructor((TALLOC_CTX *) state->ctrls,
+ sdap_x_deref_search_ctrls_destructor);
+
+ ret = sdap_x_deref_create_control(sh, deref_attr,
+ attrs, &state->ctrls[0]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create OpenLDAP deref control\n");
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Dereferencing entry [%s] using OpenLDAP deref\n", base_dn);
+ subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
+ filter == NULL ? LDAP_SCOPE_BASE
+ : LDAP_SCOPE_SUBTREE,
+ filter, attrs,
+ state->ctrls, NULL, 0, timeout,
+ sdap_x_deref_parse_entry,
+ state, SDAP_SRCH_FLG_PAGING);
+ if (!subreq) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, sdap_x_deref_search_done, req);
+
+ return req;
+}
+
+static int sdap_x_deref_create_control(struct sdap_handle *sh,
+ const char *deref_attr,
+ const char **attrs,
+ LDAPControl **ctrl)
+{
+ struct berval derefval;
+ int ret;
+ struct LDAPDerefSpec ds[2];
+
+ ds[0].derefAttr = discard_const(deref_attr);
+ ds[0].attributes = discard_const(attrs);
+
+ ds[1].derefAttr = NULL; /* sentinel */
+
+ ret = ldap_create_deref_control_value(sh->ldap, ds, &derefval);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed: %s\n",
+ ldap_err2string(ret));
+ return ret;
+ }
+
+ ret = sdap_control_create(sh, LDAP_CONTROL_X_DEREF,
+ 1, &derefval, 1, ctrl);
+ ldap_memfree(derefval.bv_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t sdap_x_deref_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt)
+{
+ errno_t ret;
+ LDAPControl **ctrls = NULL;
+ LDAPControl *derefctrl = NULL;
+ LDAPDerefRes *deref_res = NULL;
+ LDAPDerefRes *dref;
+ struct sdap_deref_attrs **res;
+ TALLOC_CTX *tmp_ctx;
+
+ struct sdap_x_deref_search_state *state = talloc_get_type(pvt,
+ struct sdap_x_deref_search_state);
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = ldap_get_entry_controls(state->sh->ldap, msg->msg,
+ &ctrls);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldap_parse_result failed\n");
+ goto done;
+ }
+
+ if (!ctrls) {
+ /* When we attempt to request attributes that are not present in
+ * the dereferenced links, some serves might not send the dereference
+ * control back at all. Be permissive and treat the search as if
+ * it didn't find anything.
+ */
+ DEBUG(SSSDBG_MINOR_FAILURE, "No controls found for entry\n");
+ ret = EOK;
+ goto done;
+ }
+
+ res = NULL;
+
+ derefctrl = ldap_control_find(LDAP_CONTROL_X_DEREF, ctrls, NULL);
+ if (!derefctrl) {
+ DEBUG(SSSDBG_FUNC_DATA, "No deref controls found\n");
+ ret = EOK;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Got deref control\n");
+
+ ret = ldap_parse_derefresponse_control(state->sh->ldap,
+ derefctrl,
+ &deref_res);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_derefresponse_control failed: %s\n",
+ ldap_err2string(ret));
+ goto done;
+ }
+
+ for (dref = deref_res; dref; dref=dref->next) {
+ ret = sdap_parse_deref(tmp_ctx, state->maps, state->num_maps,
+ dref, &res);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_parse_deref failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = add_to_deref_reply(state, state->num_maps,
+ &state->dreply, res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_to_deref_reply failed.\n");
+ goto done;
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "All deref results from a single control parsed\n");
+ ldap_derefresponse_free(deref_res);
+ deref_res = NULL;
+
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ ldap_controls_free(ctrls);
+ ldap_derefresponse_free(deref_res);
+ return ret;
+}
+
+static void sdap_x_deref_search_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_x_deref_search_state *state =
+ tevent_req_data(req, struct sdap_x_deref_search_state);
+
+ return generic_ext_search_handler(subreq, state->opts);
+}
+
+static int sdap_x_deref_search_ctrls_destructor(void *ptr)
+{
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
+
+ if (ctrls && ctrls[0]) {
+ ldap_control_free(ctrls[0]);
+ }
+
+ return 0;
+}
+
+static int
+sdap_x_deref_search_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sdap_deref_attrs ***reply)
+{
+ struct sdap_x_deref_search_state *state = tevent_req_data(req,
+ struct sdap_x_deref_search_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *reply_count = state->dreply.reply_count;
+ *reply = talloc_steal(mem_ctx, state->dreply.reply);
+
+ return EOK;
+}
+
+/* ==Security Descriptor (ACL) search=================================== */
+struct sdap_sd_search_state {
+ LDAPControl **ctrls;
+ struct sdap_options *opts;
+ size_t reply_count;
+ struct sysdb_attrs **reply;
+ struct sdap_reply sreply;
+
+ /* Referrals returned by the search */
+ size_t ref_count;
+ char **refs;
+};
+
+static int sdap_sd_search_create_control(struct sdap_handle *sh,
+ int val,
+ LDAPControl **ctrl);
+static int sdap_sd_search_ctrls_destructor(void *ptr);
+static errno_t sdap_sd_search_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt);
+static void sdap_sd_search_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_sd_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+ struct sdap_options *opts, struct sdap_handle *sh,
+ const char *base_dn, int sd_flags,
+ const char **attrs, int timeout)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_sd_search_state *state;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct sdap_sd_search_state);
+ if (!req) return NULL;
+
+ state->ctrls = talloc_zero_array(state, LDAPControl *, 2);
+ state->opts = opts;
+ if (state->ctrls == NULL) {
+ ret = EIO;
+ goto fail;
+ }
+ talloc_set_destructor((TALLOC_CTX *) state->ctrls,
+ sdap_sd_search_ctrls_destructor);
+
+ ret = sdap_sd_search_create_control(sh, sd_flags, &state->ctrls[0]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create SD control\n");
+ ret = EIO;
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Searching entry [%s] using SD\n", base_dn);
+ subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
+ LDAP_SCOPE_BASE, "(objectclass=*)", attrs,
+ state->ctrls, NULL, 0, timeout,
+ sdap_sd_search_parse_entry,
+ state, SDAP_SRCH_FLG_PAGING);
+ if (!subreq) {
+ ret = EIO;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, sdap_sd_search_done, req);
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static int sdap_sd_search_create_control(struct sdap_handle *sh,
+ int val,
+ LDAPControl **ctrl)
+{
+ struct berval *sdval;
+ int ret;
+ BerElement *ber = NULL;
+ ber = ber_alloc_t(LBER_USE_DER);
+ if (ber == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ber_alloc_t failed.\n");
+ return ENOMEM;
+ }
+
+ ret = ber_printf(ber, "{i}", val);
+ if (ret == -1) {
+ DEBUG(SSSDBG_OP_FAILURE, "ber_printf failed.\n");
+ ber_free(ber, 1);
+ return EIO;
+ }
+
+ ret = ber_flatten(ber, &sdval);
+ ber_free(ber, 1);
+ if (ret == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_flatten failed.\n");
+ return EIO;
+ }
+
+ ret = sdap_control_create(sh, LDAP_SERVER_SD_OID, 1, sdval, 1, ctrl);
+ ber_bvfree(sdval);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t sdap_sd_search_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ struct sdap_sd_search_state *state =
+ talloc_get_type(pvt, struct sdap_sd_search_state);
+
+ bool disable_range_rtrvl = dp_opt_get_bool(state->opts->basic,
+ SDAP_DISABLE_RANGE_RETRIEVAL);
+
+ ret = sdap_parse_entry(state, sh, msg,
+ NULL, 0,
+ &attrs, disable_range_rtrvl);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
+ return ret;
+ }
+
+ ret = add_to_reply(state, &state->sreply, attrs);
+ if (ret != EOK) {
+ talloc_free(attrs);
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_to_reply failed.\n");
+ return ret;
+ }
+
+ /* add_to_reply steals attrs, no need to free them here */
+ return EOK;
+}
+
+static void sdap_sd_search_done(struct tevent_req *subreq)
+{
+ int ret;
+
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_sd_search_state *state =
+ tevent_req_data(req, struct sdap_sd_search_state);
+
+ ret = sdap_get_generic_ext_recv(subreq, state,
+ &state->ref_count,
+ &state->refs);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_generic_ext_recv failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static int sdap_sd_search_ctrls_destructor(void *ptr)
+{
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
+ if (ctrls && ctrls[0]) {
+ ldap_control_free(ctrls[0]);
+ }
+
+ return 0;
+}
+
+int sdap_sd_search_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *_reply_count,
+ struct sysdb_attrs ***_reply,
+ size_t *_ref_count,
+ char ***_refs)
+{
+ struct sdap_sd_search_state *state = tevent_req_data(req,
+ struct sdap_sd_search_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_reply_count = state->sreply.reply_count;
+ *_reply = talloc_steal(mem_ctx, state->sreply.reply);
+
+ if(_ref_count) {
+ *_ref_count = state->ref_count;
+ }
+
+ if (_refs) {
+ *_refs = talloc_steal(mem_ctx, state->refs);
+ }
+
+ return EOK;
+}
+
+/* ==Attribute scoped search============================================ */
+struct sdap_asq_search_state {
+ struct sdap_attr_map_info *maps;
+ int num_maps;
+ LDAPControl **ctrls;
+ struct sdap_options *opts;
+
+ struct sdap_deref_reply dreply;
+};
+
+static int sdap_asq_search_create_control(struct sdap_handle *sh,
+ const char *attr,
+ LDAPControl **ctrl);
+static int sdap_asq_search_ctrls_destructor(void *ptr);
+static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt);
+static void sdap_asq_search_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_asq_search_send(TALLOC_CTX *memctx, struct tevent_context *ev,
+ struct sdap_options *opts, struct sdap_handle *sh,
+ const char *base_dn, const char *deref_attr,
+ const char **attrs, struct sdap_attr_map_info *maps,
+ int num_maps, int timeout)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_asq_search_state *state;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct sdap_asq_search_state);
+ if (!req) return NULL;
+
+ state->maps = maps;
+ state->num_maps = num_maps;
+ state->ctrls = talloc_zero_array(state, LDAPControl *, 2);
+ state->opts = opts;
+ if (state->ctrls == NULL) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ talloc_set_destructor((TALLOC_CTX *) state->ctrls,
+ sdap_asq_search_ctrls_destructor);
+
+ ret = sdap_asq_search_create_control(sh, deref_attr, &state->ctrls[0]);
+ if (ret != EOK) {
+ talloc_zfree(req);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create ASQ control\n");
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Dereferencing entry [%s] using ASQ\n", base_dn);
+ subreq = sdap_get_generic_ext_send(state, ev, opts, sh, base_dn,
+ LDAP_SCOPE_BASE, NULL, attrs,
+ state->ctrls, NULL, 0, timeout,
+ sdap_asq_search_parse_entry,
+ state, SDAP_SRCH_FLG_PAGING);
+ if (!subreq) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, sdap_asq_search_done, req);
+
+ return req;
+}
+
+
+static int sdap_asq_search_create_control(struct sdap_handle *sh,
+ const char *attr,
+ LDAPControl **ctrl)
+{
+ struct berval *asqval;
+ int ret;
+ BerElement *ber = NULL;
+
+ ber = ber_alloc_t(LBER_USE_DER);
+ if (ber == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ber_alloc_t failed.\n");
+ return ENOMEM;
+ }
+
+ ret = ber_printf(ber, "{s}", attr);
+ if (ret == -1) {
+ DEBUG(SSSDBG_OP_FAILURE, "ber_printf failed.\n");
+ ber_free(ber, 1);
+ return EIO;
+ }
+
+ ret = ber_flatten(ber, &asqval);
+ ber_free(ber, 1);
+ if (ret == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ber_flatten failed.\n");
+ return EIO;
+ }
+
+ ret = sdap_control_create(sh, LDAP_SERVER_ASQ_OID, 1, asqval, 1, ctrl);
+ ber_bvfree(asqval);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_control_create failed\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t sdap_asq_search_parse_entry(struct sdap_handle *sh,
+ struct sdap_msg *msg,
+ void *pvt)
+{
+ errno_t ret;
+ struct sdap_asq_search_state *state =
+ talloc_get_type(pvt, struct sdap_asq_search_state);
+ struct berval **vals;
+ int i, mi;
+ struct sdap_attr_map *map;
+ int num_attrs;
+ struct sdap_deref_attrs **res;
+ char *tmp;
+ char *dn;
+ TALLOC_CTX *tmp_ctx;
+ bool disable_range_rtrvl;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ res = talloc_array(tmp_ctx, struct sdap_deref_attrs *,
+ state->num_maps);
+ if (!res) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (mi =0; mi < state->num_maps; mi++) {
+ res[mi] = talloc_zero(res, struct sdap_deref_attrs);
+ if (!res[mi]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ res[mi]->map = state->maps[mi].map;
+ res[mi]->attrs = NULL;
+ }
+
+
+ tmp = ldap_get_dn(sh->ldap, msg->msg);
+ if (!tmp) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ dn = talloc_strdup(tmp_ctx, tmp);
+ ldap_memfree(tmp);
+ if (!dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Find all suitable maps in the list */
+ vals = ldap_get_values_len(sh->ldap, msg->msg, "objectClass");
+ if (!vals) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unknown entry type, no objectClass found for DN [%s]!\n", dn);
+ ret = EINVAL;
+ goto done;
+ }
+ for (mi =0; mi < state->num_maps; mi++) {
+ map = NULL;
+ for (i = 0; vals[i]; i++) {
+ /* the objectclass is always the first name in the map */
+ if (strncasecmp(state->maps[mi].map[0].name,
+ vals[i]->bv_val, vals[i]->bv_len) == 0) {
+ /* it's an entry of the right type */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Matched objectclass [%s] on DN [%s], will use associated map\n",
+ state->maps[mi].map[0].name, dn);
+ map = state->maps[mi].map;
+ num_attrs = state->maps[mi].num_attrs;
+ break;
+ }
+ }
+ if (!map) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "DN [%s] did not match the objectClass [%s]\n",
+ dn, state->maps[mi].map[0].name);
+ continue;
+ }
+
+ disable_range_rtrvl = dp_opt_get_bool(state->opts->basic,
+ SDAP_DISABLE_RANGE_RETRIEVAL);
+
+ ret = sdap_parse_entry(res[mi], sh, msg,
+ map, num_attrs,
+ &res[mi]->attrs, disable_range_rtrvl);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_parse_entry failed [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+ }
+ ldap_value_free_len(vals);
+
+ ret = add_to_deref_reply(state, state->num_maps,
+ &state->dreply, res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "add_to_deref_reply failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static void sdap_asq_search_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_asq_search_state *state =
+ tevent_req_data(req, struct sdap_asq_search_state);
+
+ return generic_ext_search_handler(subreq, state->opts);
+}
+
+static int sdap_asq_search_ctrls_destructor(void *ptr)
+{
+ LDAPControl **ctrls = talloc_get_type(ptr, LDAPControl *);
+
+ if (ctrls && ctrls[0]) {
+ ldap_control_free(ctrls[0]);
+ }
+
+ return 0;
+}
+
+int sdap_asq_search_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sdap_deref_attrs ***reply)
+{
+ struct sdap_asq_search_state *state = tevent_req_data(req,
+ struct sdap_asq_search_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *reply_count = state->dreply.reply_count;
+ *reply = talloc_steal(mem_ctx, state->dreply.reply);
+
+ return EOK;
+}
+
+/* ==Generic Deref Search============================================ */
+enum sdap_deref_type {
+ SDAP_DEREF_OPENLDAP,
+ SDAP_DEREF_ASQ
+};
+
+struct sdap_deref_search_state {
+ struct sdap_handle *sh;
+ const char *base_dn;
+ const char *deref_attr;
+
+ size_t reply_count;
+ struct sdap_deref_attrs **reply;
+ enum sdap_deref_type deref_type;
+ unsigned flags;
+};
+
+static void sdap_deref_search_done(struct tevent_req *subreq);
+static void sdap_deref_search_with_filter_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_deref_search_with_filter_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ const char *search_base,
+ const char *filter,
+ const char *deref_attr,
+ const char **attrs,
+ int num_maps,
+ struct sdap_attr_map_info *maps,
+ int timeout,
+ unsigned flags)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_deref_search_state *state;
+
+ req = tevent_req_create(memctx, &state, struct sdap_deref_search_state);
+ if (!req) return NULL;
+
+ state->sh = sh;
+ state->reply_count = 0;
+ state->reply = NULL;
+ state->flags = flags;
+
+ if (sdap_is_control_supported(sh, LDAP_CONTROL_X_DEREF)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports OpenLDAP deref\n");
+ state->deref_type = SDAP_DEREF_OPENLDAP;
+
+ subreq = sdap_x_deref_search_send(state, ev, opts, sh, search_base,
+ filter, deref_attr, attrs, maps,
+ num_maps, timeout);
+ if (!subreq) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot start OpenLDAP deref search\n");
+ goto fail;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Server does not support any known deref method!\n");
+ goto fail;
+ }
+
+ tevent_req_set_callback(subreq, sdap_deref_search_with_filter_done, req);
+ return req;
+
+fail:
+ talloc_zfree(req);
+ return NULL;
+}
+
+static void sdap_deref_search_with_filter_done(struct tevent_req *subreq)
+{
+ sdap_deref_search_done(subreq);
+}
+
+int sdap_deref_search_with_filter_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sdap_deref_attrs ***reply)
+{
+ return sdap_deref_search_recv(req, mem_ctx, reply_count, reply);
+}
+
+struct tevent_req *
+sdap_deref_search_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ const char *base_dn,
+ const char *deref_attr,
+ const char **attrs,
+ int num_maps,
+ struct sdap_attr_map_info *maps,
+ int timeout)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_deref_search_state *state;
+
+ req = tevent_req_create(memctx, &state, struct sdap_deref_search_state);
+ if (!req) return NULL;
+
+ state->sh = sh;
+ state->reply_count = 0;
+ state->reply = NULL;
+ state->base_dn = base_dn;
+ state->deref_attr = deref_attr;
+
+ PROBE(SDAP_DEREF_SEARCH_SEND, state->base_dn, state->deref_attr);
+
+ if (sdap_is_control_supported(sh, LDAP_SERVER_ASQ_OID)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports ASQ\n");
+ state->deref_type = SDAP_DEREF_ASQ;
+
+ subreq = sdap_asq_search_send(state, ev, opts, sh, base_dn,
+ deref_attr, attrs, maps, num_maps,
+ timeout);
+ if (!subreq) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot start ASQ search\n");
+ goto fail;
+ }
+ } else if (sdap_is_control_supported(sh, LDAP_CONTROL_X_DEREF)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Server supports OpenLDAP deref\n");
+ state->deref_type = SDAP_DEREF_OPENLDAP;
+
+ subreq = sdap_x_deref_search_send(state, ev, opts, sh, base_dn, NULL,
+ deref_attr, attrs, maps, num_maps,
+ timeout);
+ if (!subreq) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot start OpenLDAP deref search\n");
+ goto fail;
+ }
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Server does not support any known deref method!\n");
+ goto fail;
+ }
+
+ tevent_req_set_callback(subreq, sdap_deref_search_done, req);
+ return req;
+
+fail:
+ talloc_zfree(req);
+ return NULL;
+}
+
+static void sdap_deref_search_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_deref_search_state *state = tevent_req_data(req,
+ struct sdap_deref_search_state);
+ int ret;
+
+ switch (state->deref_type) {
+ case SDAP_DEREF_OPENLDAP:
+ ret = sdap_x_deref_search_recv(subreq, state,
+ &state->reply_count, &state->reply);
+ break;
+ case SDAP_DEREF_ASQ:
+ ret = sdap_asq_search_recv(subreq, state,
+ &state->reply_count, &state->reply);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown deref method\n");
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "dereference processing failed [%d]: %s\n", ret, strerror(ret));
+ if (ret == ENOTSUP) {
+ state->sh->disable_deref = true;
+ }
+
+ if (!(state->flags & SDAP_DEREF_FLG_SILENT)) {
+ if (ret == ENOTSUP) {
+ sss_log(SSS_LOG_WARNING,
+ "LDAP server claims to support deref, but deref search "
+ "failed. Disabling deref for further requests. You can "
+ "permanently disable deref by setting "
+ "ldap_deref_threshold to 0 in domain configuration.");
+ } else {
+ sss_log(SSS_LOG_WARNING,
+ "dereference processing failed : %s", strerror(ret));
+ }
+ }
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int sdap_deref_search_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *reply_count,
+ struct sdap_deref_attrs ***reply)
+{
+ struct sdap_deref_search_state *state = tevent_req_data(req,
+ struct sdap_deref_search_state);
+
+ PROBE(SDAP_DEREF_SEARCH_RECV, state->base_dn, state->deref_attr);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *reply_count = state->reply_count;
+ *reply = talloc_steal(mem_ctx, state->reply);
+
+ return EOK;
+}
+
+bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts)
+{
+ const char *deref_oids[][2] = { { LDAP_SERVER_ASQ_OID, "ASQ" },
+ { LDAP_CONTROL_X_DEREF, "OpenLDAP" },
+ { NULL, NULL }
+ };
+ int i;
+ int deref_threshold;
+
+ if (sh->disable_deref) {
+ return false;
+ }
+
+ deref_threshold = dp_opt_get_int(opts->basic, SDAP_DEREF_THRESHOLD);
+ if (deref_threshold == 0) {
+ return false;
+ }
+
+ for (i=0; deref_oids[i][0]; i++) {
+ if (sdap_is_control_supported(sh, deref_oids[i][0])) {
+ DEBUG(SSSDBG_TRACE_FUNC, "The server supports deref method %s\n",
+ deref_oids[i][1]);
+ return true;
+ }
+ }
+
+ return false;
+}
diff --git a/src/providers/ldap/sdap_async.h b/src/providers/ldap/sdap_async.h
new file mode 100644
index 0000000..6d09aca
--- /dev/null
+++ b/src/providers/ldap/sdap_async.h
@@ -0,0 +1,413 @@ +/* + SSSD + + Async LDAP Helper routines + + Copyright (C) Simo Sorce + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_ASYNC_H_ +#define _SDAP_ASYNC_H_ + +#include +#include +#include +#include +#include "providers/backend.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_id_op.h" +#include "providers/fail_over.h" + +#define AD_TOKENGROUPS_ATTR "tokenGroups" + +struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + const char *uri, + struct sockaddr_storage *sockaddr, + bool use_start_tls); +int sdap_connect_recv(struct tevent_req *req, + TALLOC_CTX *memctx, + struct sdap_handle **sh); + +struct tevent_req *sdap_connect_host_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct resolv_ctx *resolv_ctx, + enum restrict_family family_order, + enum host_database *host_db, + const char *protocol, + const char *host, + int port, + bool use_start_tls); + +errno_t sdap_connect_host_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sdap_handle **_sh); + +/* Search users in LDAP, return them as attrs */ +enum sdap_entry_lookup_type { + SDAP_LOOKUP_SINGLE, /* Direct single-user/group lookup */ + SDAP_LOOKUP_WILDCARD, /* Multiple entries with a limit */ + SDAP_LOOKUP_ENUMERATE, /* Fetch all entries from the server */ +}; + +struct tevent_req 
*sdap_search_user_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + enum sdap_entry_lookup_type lookup_type); +int sdap_search_user_recv(TALLOC_CTX *memctx, struct tevent_req *req, + char **higher_usn, struct sysdb_attrs ***users, + size_t *count); + +/* Search users in LDAP using the request above, save them to cache */ +struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + enum sdap_entry_lookup_type lookup_type, + struct sysdb_attrs *mapped_attrs); +int sdap_get_users_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, char **timestamp); + +struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_domain *sdom, + struct sdap_options *opts, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + enum sdap_entry_lookup_type lookup_type, + bool no_members); +int sdap_get_groups_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, char **timestamp); + +struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout); +int sdap_get_netgroups_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, char **timestamp, + size_t *reply_count, + struct sysdb_attrs ***reply); + +struct tevent_req * +sdap_host_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + const char 
*hostname, + struct sdap_attr_map *host_map, + struct sdap_search_base **search_bases); + +errno_t +sdap_host_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *host_count, + struct sysdb_attrs ***hosts); + +struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_handle *sh, + const char *sasl_mech, + const char *sasl_user, + const char *user_dn, + struct sss_auth_token *authtok, + int simple_bind_timeout); + +errno_t sdap_auth_recv(struct tevent_req *req, + TALLOC_CTX *memctx, + struct sdap_ppolicy_data **ppolicy); + +struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_domain *sdom, + struct sdap_handle *sh, + struct sdap_id_ctx *id_ctx, + struct sdap_id_conn_ctx *conn, + const char *name, + int filter_type, + const char *extra_value, + const char **grp_attrs); +int sdap_get_initgr_recv(struct tevent_req *req); + +struct tevent_req *sdap_exop_modify_passwd_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_handle *sh, + char *user_dn, + const char *password, + const char *new_password, + int timeout); +errno_t sdap_exop_modify_passwd_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + char **user_error_msg); + +struct tevent_req * +sdap_modify_shadow_lastchange_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + const char *dn, + char *lastchanged_name); + +errno_t sdap_modify_shadow_lastchange_recv(struct tevent_req *req); + +enum connect_tls { + CON_TLS_DFL, + CON_TLS_ON, + CON_TLS_OFF +}; + +struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct be_ctx *be, + struct sdap_service *service, + bool skip_rootdse, + enum connect_tls force_tls, + bool skip_auth); +int sdap_cli_connect_recv(struct tevent_req *req, + TALLOC_CTX *memctx, + bool *can_retry, + struct sdap_handle **gsh, + struct sdap_server_opts **srv_opts); + +/* Exposes all 
options of generic send while allowing to parse by map */ +struct tevent_req *sdap_get_and_parse_generic_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *search_base, + int scope, + const char *filter, + const char **attrs, + struct sdap_attr_map *map, + int map_num_attrs, + int attrsonly, + LDAPControl **serverctrls, + LDAPControl **clientctrls, + int sizelimit, + int timeout, + bool allow_paging); +int sdap_get_and_parse_generic_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sysdb_attrs ***reply); + +struct tevent_req *sdap_get_generic_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *search_base, + int scope, + const char *filter, + const char **attrs, + struct sdap_attr_map *map, + int map_num_attrs, + int timeout, + bool allow_paging); +int sdap_get_generic_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, size_t *reply_count, + struct sysdb_attrs ***reply_list); + +bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts); + +enum sdap_deref_flags { + SDAP_DEREF_FLG_SILENT = 1 << 0, /* Do not warn if dereference fails */ +}; + +struct tevent_req * +sdap_deref_search_with_filter_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *search_base, + const char *filter, + const char *deref_attr, + const char **attrs, + int num_maps, + struct sdap_attr_map_info *maps, + int timeout, + unsigned flags); +int sdap_deref_search_with_filter_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sdap_deref_attrs ***reply); + +struct tevent_req * +sdap_deref_search_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *base_dn, + const char *deref_attr, + const char **attrs, + int num_maps, + struct 
sdap_attr_map_info *maps, + int timeout); +int sdap_deref_search_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sdap_deref_attrs ***reply); + + +struct tevent_req * +sdap_sd_search_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *base_dn, + int sd_flags, + const char **attrs, + int timeout); +int sdap_sd_search_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sysdb_attrs ***_reply, + size_t *_ref_count, + char ***_refs); + +errno_t +sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs, + const char *attr_name, + const char *attr_desc, + bool multivalued, + const char *name, + struct sysdb_attrs *attrs); + +#define sdap_attrs_add_string(ldap_attrs, attr_name, attr_desc, name, attrs) \ + sdap_attrs_add_ldap_attr(ldap_attrs, attr_name, attr_desc, \ + false, name, attrs) + +#define sdap_attrs_add_list(ldap_attrs, attr_name, attr_desc, name, attrs) \ + sdap_attrs_add_ldap_attr(ldap_attrs, attr_name, attr_desc, \ + true, name, attrs) + +errno_t +sdap_save_all_names(const char *name, + struct sysdb_attrs *ldap_attrs, + struct sss_domain_info *dom, + enum sysdb_member_type entry_type, + struct sysdb_attrs *attrs); + +struct tevent_req * +sdap_get_services_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + bool enumeration); +errno_t +sdap_get_services_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **usn_value); + +struct tevent_req * +enum_services_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_id_ctx *id_ctx, + struct sdap_id_op *op, + bool purge); + +errno_t +enum_services_recv(struct tevent_req *req); + +/* OID documented in + * 
http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx + */ +#define SDAP_MATCHING_RULE_IN_CHAIN "1.2.840.113556.1.4.1941" + +struct tevent_req * +sdap_get_ad_match_rule_members_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sysdb_attrs *group, + int timeout); + +errno_t +sdap_get_ad_match_rule_members_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *num_users, + struct sysdb_attrs ***users); + +struct tevent_req * +sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_handle *sh, + const char *name, + const char *orig_dn, + int timeout); + +errno_t +sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req); + + +struct tevent_req * +sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *id_ctx, + struct sdap_id_conn_ctx *conn, + struct sdap_options *opts, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_handle *sh, + const char *name, + const char *orig_dn, + int timeout, + bool use_id_mapping); + +errno_t +sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req); + +errno_t +sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp, + struct sss_domain_info *domain, + const char *name, + gid_t gid, + const char *original_dn, + const char *sid_str, + const char *uuid, + bool posix, + time_t now); + +#endif /* _SDAP_ASYNC_H_ */ diff --git a/src/providers/ldap/sdap_async_ad.h b/src/providers/ldap/sdap_async_ad.h new file mode 100644 index 0000000..a5f47a1 --- /dev/null +++ b/src/providers/ldap/sdap_async_ad.h 
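Review bot: `enum connect_tls` and the `force_tls` argument of `sdap_cli_connect_send()` decide whether a connection is protected by StartTLS, yet neither carries a comment, so a caller cannot tell from this header what `CON_TLS_DFL` falls back to or when `CON_TLS_OFF` is acceptable. I would document each enumerator, for example `CON_TLS_DFL, /* follow the configured StartTLS setting */`, `CON_TLS_ON, /* always request StartTLS */` and `CON_TLS_OFF /* never request StartTLS; the caller must protect the channel another way */`. Those meanings are inferred from the names and should be confirmed against the implementation, which is not part of this hunk. The `use_start_tls` flag on `sdap_connect_send()` and `sdap_connect_host_send()` deserves the same one-line explanation.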
@@ -0,0 +1,59 @@
+/*
+ SSSD - header files for AD specific enhancement in the common LDAP/SDAP
+ code
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SDAP_ASYNC_AD_H_
+#define SDAP_ASYNC_AD_H_
+
+errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ struct sdap_options *opts,
+ struct sss_domain_info *user_dom,
+ struct sdap_idmap_ctx *idmap_ctx,
+ size_t num_sids,
+ char **sids);
+
+errno_t
+sdap_ad_tokengroups_get_posix_members(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *user_domain,
+ size_t num_sids,
+ char **sids,
+ size_t *_num_missing,
+ char ***_missing,
+ size_t *_num_valid,
+ char ***_valid_groups);
+
+errno_t
+sdap_ad_tokengroups_update_members(const char *username,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ char **ldap_groups);
+struct tevent_req *
+sdap_ad_resolve_sids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
+ struct sdap_options *opts,
+ struct sss_domain_info *domain,
+ char **sids);
+
+errno_t sdap_ad_resolve_sids_recv(struct tevent_req *req);
+#endif /* SDAP_ASYNC_AD_H_ */
diff --git a/src/providers/ldap/sdap_async_autofs.c b/src/providers/ldap/sdap_async_autofs.c
new file mode 100644
index 0000000..8d1742a
--- /dev/null
+++ b/src/providers/ldap/sdap_async_autofs.c
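Review bot: The new header `sdap_async_ad.h` has no `#include` lines although its prototypes use `errno_t`, `size_t`, `TALLOC_CTX`, `struct tevent_req` and several `struct sdap_*` types, so it only compiles when the including file happens to pull those declarations in first. Adding `#include "providers/ldap/sdap_async.h"` right after the guard would make it self-contained, provided that header really declares everything used here; `struct sdap_idmap_ctx` in particular should be checked, since its declaration is not visible on this page. The output parameters of `sdap_ad_tokengroups_get_posix_members()` would also benefit from a short comment stating which talloc context owns `_missing` and `_valid_groups` and whether `sids` must hold exactly `num_sids` entries.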
@@ -0,0 +1,958 @@ +/* + SSSD + + Async LDAP Helper routines for autofs + + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/sdap_async_private.h" +#include "db/sysdb_autofs.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_autofs.h" + +enum autofs_map_op { + AUTOFS_MAP_OP_ADD, + AUTOFS_MAP_OP_DEL +}; + +/* ====== Utility functions ====== */ +static const char * +get_autofs_map_name(struct sysdb_attrs *map, struct sdap_options *opts) +{ + errno_t ret; + struct ldb_message_element *el; + + ret = sysdb_attrs_get_el(map, + opts->autofs_mobject_map[SDAP_AT_AUTOFS_MAP_NAME].sys_name, + &el); + if (ret) return NULL; + if (el->num_values == 0) return NULL; + + return (const char *)el->values[0].data; +} + +static const char * +get_autofs_entry_attr(struct sysdb_attrs *entry, struct sdap_options *opts, + enum sdap_autofs_entry_attrs attr) +{ + errno_t ret; + struct ldb_message_element *el; + + ret = sysdb_attrs_get_el(entry, + opts->autofs_entry_map[attr].sys_name, + &el); + if (ret) return NULL; + if (el->num_values != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected one entry got %d\n", el->num_values); + return NULL; + } + + return (const char *)el->values[0].data; +} + +static const char * +get_autofs_entry_key(struct sysdb_attrs *entry, struct sdap_options *opts) +{ + 
return get_autofs_entry_attr(entry, opts, SDAP_AT_AUTOFS_ENTRY_KEY); +} + +static const char * +get_autofs_entry_value(struct sysdb_attrs *entry, struct sdap_options *opts) +{ + return get_autofs_entry_attr(entry, opts, SDAP_AT_AUTOFS_ENTRY_VALUE); +} + +static errno_t +add_autofs_entry(struct sss_domain_info *domain, + const char *map, + struct sdap_options *opts, + struct sysdb_attrs *entry) +{ + const char *key; + const char *value; + + key = get_autofs_entry_key(entry, opts); + if (!key) { + DEBUG(SSSDBG_OP_FAILURE, "Could not get autofs entry key\n"); + return EINVAL; + } + + value = get_autofs_entry_value(entry, opts); + if (!value) { + DEBUG(SSSDBG_OP_FAILURE, "Could not get autofs entry value\n"); + return EINVAL; + } + + return sysdb_save_autofsentry(domain, map, key, value, NULL); +} + +static errno_t +save_autofs_entries(struct sss_domain_info *domain, + struct sdap_options *opts, + const char *map, + char **add_dn_list, + hash_table_t *entry_hash) +{ + hash_key_t key; + hash_value_t value; + size_t i; + int hret; + errno_t ret; + struct sysdb_attrs *entry; + + if (!add_dn_list) { + return EOK; + } + + for (i=0; add_dn_list[i]; i++) { + key.type = HASH_KEY_STRING; + key.str = (char *) add_dn_list[i]; + + hret = hash_lookup(entry_hash, &key, &value); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot retrieve entry [%s] from hash\n", add_dn_list[i]); + continue; + } + + entry = talloc_get_type(value.ptr, struct sysdb_attrs); + if (!entry) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot retrieve entry [%s] from ptr\n", add_dn_list[i]); + continue; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Saving autofs entry [%s]\n", add_dn_list[i]); + ret = add_autofs_entry(domain, map, opts, entry); + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot save entry [%s] to cache\n", add_dn_list[i]); + continue; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Saved entry [%s]\n", add_dn_list[i]); + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "All entries saved\n"); + return EOK; +} + 
+static errno_t +del_autofs_entries(struct sss_domain_info *dom, + char **del_dn_list) +{ + size_t i; + errno_t ret; + + for (i=0; del_dn_list[i]; i++) { + DEBUG(SSSDBG_TRACE_FUNC, + "Removing autofs entry [%s]\n", del_dn_list[i]); + + ret = sysdb_del_autofsentry(dom, del_dn_list[i]); + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot delete entry %s\n", del_dn_list[i]); + continue; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "All entries removed\n"); + return EOK; +} + +static errno_t +save_autofs_map(struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs *map) +{ + const char *mapname; + errno_t ret; + time_t now; + + mapname = get_autofs_map_name(map, opts); + if (!mapname) return EINVAL; + + now = time(NULL); + + ret = sysdb_save_autofsmap(dom, mapname, mapname, + NULL, dom->autofsmap_timeout, now); + if (ret != EOK) { + return ret; + } + + return EOK; +} + +struct automntmaps_process_members_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sss_domain_info *dom; + int timeout; + + const char *orig_dn; + char *base_filter; + char *filter; + const char **attrs; + size_t base_iter; + struct sdap_search_base **search_bases; + + struct sysdb_attrs *map; + + struct sysdb_attrs **entries; + size_t entries_count; +}; + +static void +automntmaps_process_members_done(struct tevent_req *subreq); +static errno_t +automntmaps_process_members_next_base(struct tevent_req *req); + +static struct tevent_req * +automntmaps_process_members_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sss_domain_info *dom, + struct sdap_search_base **search_bases, + int timeout, + struct sysdb_attrs *map) +{ + errno_t ret; + struct tevent_req *req; + struct automntmaps_process_members_state *state; + + req = tevent_req_create(mem_ctx, &state, + struct automntmaps_process_members_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = 
opts; + state->dom = dom; + state->sh = sh; + state->timeout = timeout; + state->base_iter = 0; + state->map = map; + state->search_bases = search_bases; + + state->base_filter = talloc_asprintf(state, "(&(%s=*)(objectclass=%s))", + opts->autofs_entry_map[SDAP_AT_AUTOFS_ENTRY_KEY].name, + opts->autofs_entry_map[SDAP_OC_AUTOFS_ENTRY].name); + if (!state->base_filter) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build filter\n"); + ret = ENOMEM; + goto immediate; + } + + ret = build_attrs_from_map(state, opts->autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, NULL, + &state->attrs, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build attributes from map\n"); + ret = ENOMEM; + goto immediate; + } + + + ret = sysdb_attrs_get_string(state->map, SYSDB_ORIG_DN, &state->orig_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get originalDN\n"); + goto immediate; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Examining autofs map [%s]\n", state->orig_dn); + + ret = automntmaps_process_members_next_base(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "search failed [%d]: %s\n", ret, strerror(ret)); + goto immediate; + } + + return req; + +immediate: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t +automntmaps_process_members_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct automntmaps_process_members_state *state = + tevent_req_data(req, struct automntmaps_process_members_state); + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for automount map entries with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + state->orig_dn, + 
state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, + state->timeout, true); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot start search for entries\n"); + return EIO; + } + tevent_req_set_callback(subreq, automntmaps_process_members_done, req); + + return EOK; +} + +static void +automntmaps_process_members_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct automntmaps_process_members_state *state = + tevent_req_data(req, struct automntmaps_process_members_state); + errno_t ret; + struct sysdb_attrs **entries; + size_t entries_count, i; + + ret = sdap_get_generic_recv(subreq, state, + &entries_count, &entries); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + if (entries_count > 0) { + state->entries = talloc_realloc(state, state->entries, + struct sysdb_attrs *, + state->entries_count + entries_count + 1); + if (state->entries == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + for (i=0; i < entries_count; i++) { + state->entries[state->entries_count + i] = + talloc_steal(state->entries, entries[i]); + } + + state->entries_count += entries_count; + state->entries[state->entries_count] = NULL; + } + + state->base_iter++; + if (state->search_bases[state->base_iter]) { + ret = automntmaps_process_members_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "No more search bases to try\n"); + + DEBUG(SSSDBG_TRACE_FUNC, + "Search for autofs entries, returned %zu results.\n", + state->entries_count); + + tevent_req_done(req); + return; +} + +static errno_t +automntmaps_process_members_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *entries_count, + struct sysdb_attrs ***entries) +{ + struct automntmaps_process_members_state *state; + state = tevent_req_data(req, struct 
automntmaps_process_members_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (entries_count) { + *entries_count = state->entries_count; + } + + if (entries) { + *entries = talloc_steal(mem_ctx, state->entries); + } + + return EOK; +} + +struct sdap_get_automntmap_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sss_domain_info *dom; + const char **attrs; + const char *base_filter; + char *filter; + int timeout; + + char *higher_timestamp; + + struct sysdb_attrs **map; + size_t count; + + struct sysdb_attrs **entries; + size_t entries_count; + + size_t base_iter; + struct sdap_search_base **search_bases; +}; + +static errno_t +sdap_get_automntmap_next_base(struct tevent_req *req); +static void +sdap_get_automntmap_process(struct tevent_req *subreq); + +static struct tevent_req * +sdap_get_automntmap_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_get_automntmap_state *state; + + req = tevent_req_create(memctx, &state, struct sdap_get_automntmap_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->dom = dom; + state->sh = sh; + state->attrs = attrs; + state->higher_timestamp = NULL; + state->map = NULL; + state->count = 0; + state->timeout = timeout; + state->base_filter = filter; + state->base_iter = 0; + state->search_bases = search_bases; + + ret = sdap_get_automntmap_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, state->ev); + } + return req; +} + +static errno_t +sdap_get_automntmap_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_get_automntmap_state *state; + + state = tevent_req_data(req, struct sdap_get_automntmap_state); + + talloc_zfree(state->filter); + 
state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for automount maps with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + subreq = sdap_get_generic_send( + state, state->ev, state->opts, state->sh, + state->search_bases[state->base_iter]->basedn, + state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->autofs_mobject_map, SDAP_OPTS_AUTOFS_MAP, + state->timeout, + false); + if (!subreq) { + return EIO; + } + tevent_req_set_callback(subreq, sdap_get_automntmap_process, req); + + return EOK; +} + +static void +sdap_get_automntmap_done(struct tevent_req *subreq); + +static void +sdap_get_automntmap_process(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_automntmap_state *state = tevent_req_data(req, + struct sdap_get_automntmap_state); + errno_t ret; + + ret = sdap_get_generic_recv(subreq, state, + &state->count, &state->map); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Search for autofs maps, returned %zu results.\n", state->count); + + if (state->count == 0) { + /* No maps found in this search */ + state->base_iter++; + if (state->search_bases[state->base_iter]) { + /* There are more search bases to try */ + ret = sdap_get_automntmap_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ENOENT); + } + return; + } + + tevent_req_error(req, ENOENT); + return; + } else if (state->count > 1) { + DEBUG(SSSDBG_OP_FAILURE, + "The search yielded more than one autofs map\n"); + tevent_req_error(req, EIO); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Processing autofs maps\n"); + subreq = automntmaps_process_members_send(state, state->ev, state->opts, + state->sh, state->dom, + state->search_bases, + state->timeout, 
+ state->map[0]); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, sdap_get_automntmap_done, req); + + return; +} + +static void +sdap_get_automntmap_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_automntmap_state *state = tevent_req_data(req, + struct sdap_get_automntmap_state); + errno_t ret; + + ret = automntmaps_process_members_recv(subreq, state, &state->entries_count, + &state->entries); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "automount map members received\n"); + tevent_req_done(req); + return; +} + +static errno_t +sdap_get_automntmap_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct sysdb_attrs **map, + size_t *entries_count, + struct sysdb_attrs ***entries) +{ + struct sdap_get_automntmap_state *state = tevent_req_data(req, + struct sdap_get_automntmap_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (map) { + *map = talloc_steal(mem_ctx, state->map[0]); + } + + if (entries_count) { + *entries_count = state->entries_count; + } + + if (entries) { + *entries = talloc_steal(mem_ctx, state->entries); + } + + return EOK; +} + +struct sdap_autofs_setautomntent_state { + char *filter; + const char **attrs; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sysdb_ctx *sysdb; + struct sdap_id_op *sdap_op; + struct sss_domain_info *dom; + + const char *mapname; + struct sysdb_attrs *map; + struct sysdb_attrs **entries; + size_t entries_count; + + int dp_error; +}; + +static void +sdap_autofs_setautomntent_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_autofs_setautomntent_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_handle *sh, + struct sdap_id_op *op, + struct sdap_options *opts, + const char *mapname) +{ + struct tevent_req *req; + 
struct tevent_req *subreq;
+ struct sdap_autofs_setautomntent_state *state;
+ char *clean_mapname;
+ errno_t ret;
+
+ req = tevent_req_create(memctx, &state,
+ struct sdap_autofs_setautomntent_state);
+ if (!req) return NULL;
+
+ if (!mapname) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No map name given\n");
+ ret = EINVAL;
+ goto fail;
+ }
+
+ state->sh = sh;
+ state->sysdb = sysdb;
+ state->opts = opts;
+ state->sdap_op = op;
+ state->dom = dom;
+ state->mapname = mapname;
+
+ ret = sss_filter_sanitize(state, mapname, &clean_mapname);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ state->filter = talloc_asprintf(state, "(&(%s=%s)(objectclass=%s))",
+ state->opts->autofs_mobject_map[SDAP_AT_AUTOFS_MAP_NAME].name,
+ clean_mapname,
+ state->opts->autofs_mobject_map[SDAP_OC_AUTOFS_MAP].name);
+ if (!state->filter) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ talloc_free(clean_mapname);
+
+ ret = build_attrs_from_map(state, state->opts->autofs_mobject_map,
+ SDAP_OPTS_AUTOFS_MAP, NULL,
+ &state->attrs, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build attributes from map\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ subreq = sdap_get_automntmap_send(state, ev, dom,
+ state->opts,
+ state->opts->sdom->autofs_search_bases,
+ state->sh,
+ state->attrs, state->filter,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT));
+ if (!subreq) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, sdap_autofs_setautomntent_done, req);
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+sdap_autofs_setautomntent_save(struct tevent_req *req);
+
+static void
+sdap_autofs_setautomntent_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_autofs_setautomntent_state *state = tevent_req_data(req,
+ struct
sdap_autofs_setautomntent_state);
+
+ ret = sdap_get_automntmap_recv(subreq, state, &state->map,
+ &state->entries_count, &state->entries);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not find automount map\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_automntmap_recv failed [%d]: %s\n",
+ ret, strerror(ret));
+ }
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = sdap_autofs_setautomntent_save(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not save automount map\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->dp_error = DP_ERR_OK;
+ tevent_req_done(req);
+ return;
+}
+
+static errno_t
+sdap_autofs_setautomntent_save(struct tevent_req *req)
+{
+ struct sdap_autofs_setautomntent_state *state = tevent_req_data(req,
+ struct sdap_autofs_setautomntent_state);
+ errno_t ret, tret;
+ bool in_transaction = false;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message **entries = NULL;
+ size_t count;
+ const char *key;
+ const char *val;
+ char **sysdb_entrylist;
+ char **ldap_entrylist;
+ char **add_entries;
+ char **del_entries;
+ size_t i, j;
+
+ hash_table_t *entry_hash;
+ hash_key_t hkey;
+ hash_value_t value;
+ int hret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Got %zu map entries from LDAP\n", state->entries_count);
+ if (state->entries_count == 0) {
+ /* No entries for this map in LDAP.
+ * We need to ensure that there are no entries
+ * in the sysdb either.
+ */
+ ldap_entrylist = NULL;
+ } else {
+ ldap_entrylist = talloc_array(tmp_ctx, char *,
+ state->entries_count+1);
+ if (!ldap_entrylist) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_hash_create(state, 32, &entry_hash);
+ if (ret) {
+ goto done;
+ }
+
+ /* Get a list of the map members by DN */
+ for (i=0, j=0; i < state->entries_count; i++) {
+ key = get_autofs_entry_key(state->entries[i], state->opts);
+ val = get_autofs_entry_value(state->entries[i], state->opts);
+ if (!key || !val) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Malformed entry, skipping\n");
+ continue;
+ }
+
+ ldap_entrylist[j] = sysdb_autofsentry_strdn(ldap_entrylist,
+ state->dom,
+ state->mapname,
+ key, val);
+ if (!ldap_entrylist[j]) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ hkey.type = HASH_KEY_STRING;
+ hkey.str = ldap_entrylist[j];
+ value.type = HASH_VALUE_PTR;
+ value.ptr = state->entries[i];
+
+ hret = hash_enter(entry_hash, &hkey, &value);
+ if (hret != HASH_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ j++;
+ }
+ /* terminate array with NULL after the last retrieved entry */
+ ldap_entrylist[j] = NULL;
+ }
+
+ ret = sysdb_autofs_entries_by_map(tmp_ctx, state->dom, state->mapname,
+ &count, &entries);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "cache lookup for the map failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Got %zu map entries from sysdb\n", count);
+ if (count == 0) {
+ /* No map members for this map in sysdb currently */
+ sysdb_entrylist = NULL;
+ } else {
+ sysdb_entrylist = talloc_array(state, char *, count+1);
+ if (!sysdb_entrylist) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Get a list of the map members by DN */
+ for (i=0; i < count; i++) {
+ sysdb_entrylist[i] = talloc_strdup(sysdb_entrylist,
+ ldb_dn_get_linearized(entries[i]->dn));
+ if (!sysdb_entrylist[i]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ sysdb_entrylist[count] = NULL;
+ }
+
+ /* Find the differences between the sysdb and LDAP lists
+ * Entries in
the sysdb only must be removed.
+ */
+ ret = diff_string_lists(tmp_ctx, ldap_entrylist, sysdb_entrylist,
+ &add_entries, &del_entries, NULL);
+ if (ret != EOK) goto done;
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot start sysdb transaction [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ in_transaction = true;
+
+ /* Save the map itself */
+ ret = save_autofs_map(state->dom, state->opts, state->map);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot save autofs map entry [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* Create entries that don't exist yet */
+ if (add_entries && add_entries[0]) {
+ ret = save_autofs_entries(state->dom, state->opts,
+ state->mapname, add_entries,
+ entry_hash);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot save autofs entries [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ }
+
+ /* Delete entries that don't exist anymore */
+ if (del_entries && del_entries[0]) {
+ ret = del_autofs_entries(state->dom, del_entries);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete autofs entries [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ }
+
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot commit sysdb transaction [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ in_transaction = false;
+
+ ret = EOK;
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot cancel sysdb transaction [%d]: %s\n",
+ ret, strerror(ret));
+ }
+ }
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+errno_t
+sdap_autofs_setautomntent_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
new file mode 100644
index 0000000..8aacd67
--- /dev/null
+++ b/src/providers/ldap/sdap_async_connection.c 
@@ -0,0 +1,2290 @@
+/*
+ SSSD
+
+ Async LDAP Helper routines
+
+ Copyright (C) Simo Sorce - 2009
+ Copyright (C) 2010, rhafer@suse.de, Novell Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include "util/util.h"
+#include "util/sss_krb5.h"
+#include "util/sss_ldap.h"
+#include "util/strtonum.h"
+#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_common.h"
+
+/* ==Connect-to-LDAP-Server=============================================== */
+
+struct sdap_rebind_proc_params {
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+ bool use_start_tls;
+};
+
+static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
+ ber_int_t msgid, void *params);
+
+struct sdap_connect_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+ const char *uri;
+ bool use_start_tls;
+
+ struct sdap_op *op;
+
+ struct sdap_msg *reply;
+ int result;
+};
+
+static void sdap_sys_connect_done(struct tevent_req *subreq);
+static void sdap_connect_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt);
+
+struct tevent_req *sdap_connect_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ const char *uri,
+ struct sockaddr_storage *sockaddr,
+ bool use_start_tls)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct sdap_connect_state *state;
+ int ret;
+ int
timeout;
+
+ req = tevent_req_create(memctx, &state, struct sdap_connect_state);
+ if (!req) return NULL;
+
+ if (uri == NULL || sockaddr == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid uri or sockaddr\n");
+ ret = EINVAL;
+ goto fail;
+ }
+
+ state->reply = talloc(state, struct sdap_msg);
+ if (!state->reply) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->opts = opts;
+ state->use_start_tls = use_start_tls;
+
+ state->uri = talloc_asprintf(state, "%s", uri);
+ if (!state->uri) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ state->sh = sdap_handle_create(state);
+ if (!state->sh) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ state->sh->page_size = dp_opt_get_int(state->opts->basic,
+ SDAP_PAGE_SIZE);
+
+ timeout = dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT);
+
+ subreq = sss_ldap_init_send(state, ev, state->uri, sockaddr,
+ sizeof(struct sockaddr_storage),
+ timeout);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_init_send failed.\n");
+ goto fail;
+ }
+
+ tevent_req_set_callback(subreq, sdap_sys_connect_done, req);
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void sdap_sys_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_connect_state *state = tevent_req_data(req,
+ struct sdap_connect_state);
+ struct timeval tv;
+ int ver;
+ int lret;
+ int optret;
+ int ret = EOK;
+ int msgid;
+ char *errmsg = NULL;
+ bool ldap_referrals;
+ const char *ldap_deref;
+ int ldap_deref_val;
+ struct sdap_rebind_proc_params *rebind_proc_params;
+ int sd;
+ bool sasl_nocanon;
+ const char *sasl_mech;
+ int sasl_minssf;
+ ber_len_t ber_sasl_minssf;
+
+ ret = sss_ldap_init_recv(subreq, &state->sh->ldap, &sd);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_async_connect_call request failed: [%d]: %s.\n",
+ ret, sss_strerror(ret));
+
tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = setup_ldap_connection_callbacks(state->sh, state->ev);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "setup_ldap_connection_callbacks failed: [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ /* If sss_ldap_init_recv() does not return a valid file descriptor we have
+ * to assume that the connection callback will be called by internally by
+ * the OpenLDAP client library. */
+ if (sd != -1) {
+ ret = sdap_call_conn_cb(state->uri, sd, state->sh);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_call_conn_cb failed.\n");
+ goto fail;
+ }
+ }
+
+ /* Force ldap version to 3 */
+ ver = LDAP_VERSION3;
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_PROTOCOL_VERSION, &ver);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set ldap version to 3\n");
+ goto fail;
+ }
+
+ /* TODO: maybe this can be remove when we go async, currently we need it
+ * to handle EINTR during poll(). */
+ ret = ldap_set_option(state->sh->ldap, LDAP_OPT_RESTART, LDAP_OPT_ON);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set restart option.\n");
+ }
+
+ /* Set Network Timeout */
+ tv.tv_sec = dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT);
+ tv.tv_usec = 0;
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_NETWORK_TIMEOUT, &tv);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set network timeout to %d\n",
+ dp_opt_get_int(state->opts->basic, SDAP_NETWORK_TIMEOUT));
+ goto fail;
+ }
+
+ /* Set Default Timeout */
+ tv.tv_sec = dp_opt_get_int(state->opts->basic, SDAP_OPT_TIMEOUT);
+ tv.tv_usec = 0;
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_TIMEOUT, &tv);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set default timeout to %d\n",
+ dp_opt_get_int(state->opts->basic, SDAP_OPT_TIMEOUT));
+ goto fail;
+ }
+
+ /* Set Referral chasing */
+ ldap_referrals = dp_opt_get_bool(state->opts->basic,
SDAP_REFERRALS);
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_REFERRALS,
+ (ldap_referrals ? LDAP_OPT_ON : LDAP_OPT_OFF));
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set referral chasing to %s\n",
+ (ldap_referrals ? "LDAP_OPT_ON" : "LDAP_OPT_OFF"));
+ goto fail;
+ }
+
+ if (ldap_referrals) {
+ rebind_proc_params = talloc_zero(state->sh,
+ struct sdap_rebind_proc_params);
+ if (rebind_proc_params == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ rebind_proc_params->opts = state->opts;
+ rebind_proc_params->sh = state->sh;
+ rebind_proc_params->use_start_tls = state->use_start_tls;
+
+ lret = ldap_set_rebind_proc(state->sh->ldap, sdap_rebind_proc,
+ rebind_proc_params);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_set_rebind_proc failed.\n");
+ goto fail;
+ }
+ }
+
+ /* Set alias dereferencing */
+ ldap_deref = dp_opt_get_string(state->opts->basic, SDAP_DEREF);
+ if (ldap_deref != NULL) {
+ ret = deref_string_to_val(ldap_deref, &ldap_deref_val);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "deref_string_to_val failed.\n");
+ goto fail;
+ }
+
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_DEREF, &ldap_deref_val);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to set deref option to %d\n", ldap_deref_val);
+ goto fail;
+ }
+
+ }
+
+ /* Set host name canonicalization for LDAP SASL bind */
+ sasl_nocanon = !dp_opt_get_bool(state->opts->basic, SDAP_SASL_CANONICALIZE);
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_NOCANON,
+ sasl_nocanon ? LDAP_OPT_ON : LDAP_OPT_OFF);
+ if (lret != LDAP_OPT_SUCCESS) {
+ /* Do not fail, just warn into both debug logs and syslog */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set LDAP SASL nocanon option to %s. If your system "
+ "is configured to use SASL, LDAP operations might fail.\n",
+ sasl_nocanon ?
"true" : "false");
+ sss_log(SSS_LOG_INFO,
+ "Failed to set LDAP SASL nocanon option to %s. If your system "
+ "is configured to use SASL, LDAP operations might fail.\n",
+ sasl_nocanon ? "true" : "false");
+ }
+
+ sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
+ if (sasl_mech != NULL) {
+ sasl_minssf = dp_opt_get_int(state->opts->basic, SDAP_SASL_MINSSF);
+ if (sasl_minssf >= 0) {
+ ber_sasl_minssf = (ber_len_t)sasl_minssf;
+ lret = ldap_set_option(state->sh->ldap, LDAP_OPT_X_SASL_SSF_MIN,
+ &ber_sasl_minssf);
+ if (lret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set LDAP MIN SSF option "
+ "to %d\n", sasl_minssf);
+ goto fail;
+ }
+ }
+ }
+
+ /* if we do not use start_tls the connection is not really connected yet
+ * just fake an async procedure and leave connection to the bind call */
+ if (!state->use_start_tls) {
+ tevent_req_done(req);
+ return;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing START TLS\n");
+
+ lret = ldap_start_tls(state->sh->ldap, NULL, NULL, &msgid);
+ if (lret != LDAP_SUCCESS) {
+ optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
+ &errmsg);
+ if (optret == LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_start_tls failed: [%s] [%s]\n",
+ sss_ldap_err2string(lret),
+ errmsg);
+ sss_log(SSS_LOG_ERR, "Could not start TLS. %s", errmsg);
+ }
+ else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_start_tls failed: [%s]\n",
+ sss_ldap_err2string(lret));
+ sss_log(SSS_LOG_ERR, "Could not start TLS.
"
+ "Check for certificate issues.");
+ }
+ goto fail;
+ }
+
+ ret = sdap_set_connected(state->sh, state->ev);
+ if (ret) goto fail;
+
+ ret = sdap_op_add(state, state->ev, state->sh, msgid,
+ sdap_connect_done, req,
+ dp_opt_get_int(state->opts->basic, SDAP_OPT_TIMEOUT),
+ &state->op);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
+ goto fail;
+ }
+
+ return;
+
+fail:
+ if (ret) {
+ tevent_req_error(req, ret);
+ } else {
+ if (lret == LDAP_SERVER_DOWN) {
+ tevent_req_error(req, ETIMEDOUT);
+ } else {
+ tevent_req_error(req, EIO);
+ }
+ }
+ return;
+}
+
+static void sdap_connect_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct sdap_connect_state *state = tevent_req_data(req,
+ struct sdap_connect_state);
+ char *errmsg = NULL;
+ char *tlserr;
+ int ret;
+ int optret;
+
+ if (error) {
+ tevent_req_error(req, error);
+ return;
+ }
+
+ state->reply = talloc_steal(state, reply);
+
+ ret = ldap_parse_result(state->sh->ldap, state->reply->msg,
+ &state->result, NULL, &errmsg, NULL, NULL, 0);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ DEBUG(SSSDBG_MINOR_FAILURE, "START TLS result: %s(%d), %s\n",
+ sss_ldap_err2string(state->result), state->result, errmsg);
+ ldap_memfree(errmsg);
+
+ if (ldap_tls_inplace(state->sh->ldap)) {
+ DEBUG(SSSDBG_TRACE_ALL, "SSL/TLS handler already in place.\n");
+ tevent_req_done(req);
+ return;
+ }
+
+/* FIXME: take care that ldap_install_tls might block */
+ ret = ldap_install_tls(state->sh->ldap);
+ if (ret != LDAP_SUCCESS) {
+
+ optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap,
+ &tlserr);
+ if (optret == LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s] [%s]\n",
+ sss_ldap_err2string(ret),
+ tlserr);
+ sss_log(SSS_LOG_ERR, "Could not start TLS encryption.
%s", tlserr);
+ }
+ else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s]\n",
+ sss_ldap_err2string(ret));
+ sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
+ "Check for certificate issues.");
+ }
+
+ state->result = ret;
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int sdap_connect_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+ struct sdap_handle **sh)
+{
+ struct sdap_connect_state *state = tevent_req_data(req,
+ struct sdap_connect_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *sh = talloc_steal(memctx, state->sh);
+ if (!*sh) {
+ return ENOMEM;
+ }
+ return EOK;
+}
+
+struct sdap_connect_host_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ char *uri;
+ char *protocol;
+ char *host;
+ int port;
+ bool use_start_tls;
+
+ struct sdap_handle *sh;
+};
+
+static void sdap_connect_host_resolv_done(struct tevent_req *subreq);
+static void sdap_connect_host_done(struct tevent_req *subreq);
+
+struct tevent_req *sdap_connect_host_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct resolv_ctx *resolv_ctx,
+ enum restrict_family family_order,
+ enum host_database *host_db,
+ const char *protocol,
+ const char *host,
+ int port,
+ bool use_start_tls)
+{
+ struct sdap_connect_host_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_connect_host_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->opts = opts;
+ state->port = port;
+ state->use_start_tls = use_start_tls;
+
+ state->protocol = talloc_strdup(state, protocol);
+ if (state->protocol == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->host = talloc_strdup(state, host);
+ if (state->host == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ state->uri = talloc_asprintf(state, "%s://%s:%d",
protocol, host, port);
+ if (state->uri == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Resolving host %s\n", host);
+
+ subreq = resolv_gethostbyname_send(state, state->ev, resolv_ctx,
+ host, family_order, host_db);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_connect_host_resolv_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_connect_host_resolv_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = NULL;
+ struct sdap_connect_host_state *state = NULL;
+ struct resolv_hostent *hostent = NULL;
+ struct sockaddr_storage *sockaddr = NULL;
+ int status;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_connect_host_state);
+
+ ret = resolv_gethostbyname_recv(subreq, state, &status, NULL, &hostent);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to resolve host %s: %s\n",
+ state->host, resolv_strerror(status));
+ goto done;
+ }
+
+ sockaddr = resolv_get_sockaddr_address(state, hostent, state->port);
+ if (sockaddr == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "resolv_get_sockaddr_address() failed\n");
+ ret = EIO;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Connecting to %s\n", state->uri);
+
+ subreq = sdap_connect_send(state, state->ev, state->opts,
+ state->uri, sockaddr, state->use_start_tls);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_connect_host_done, req);
+
+ ret = EAGAIN;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static void sdap_connect_host_done(struct tevent_req *subreq)
+{
+ struct sdap_connect_host_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t
ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_connect_host_state);
+
+ ret = sdap_connect_recv(subreq, state, &state->sh);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* if TLS was used, the sdap handle is already marked as connected */
+ if (!state->use_start_tls) {
+ /* we need to mark handle as connected to allow anonymous bind */
+ ret = sdap_set_connected(state->sh, state->ev);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_set_connected() failed\n");
+ goto done;
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Successful connection to %s\n", state->uri);
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t sdap_connect_host_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sdap_handle **_sh)
+{
+ struct sdap_connect_host_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_connect_host_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_sh = talloc_steal(mem_ctx, state->sh);
+
+ return EOK;
+}
+
+
+/* ==Simple-Bind========================================================== */
+
+struct simple_bind_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+ const char *user_dn;
+ struct berval *pw;
+
+ struct sdap_op *op;
+
+ struct sdap_msg *reply;
+ struct sdap_ppolicy_data *ppolicy;
+};
+
+static void simple_bind_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt);
+
+static struct tevent_req *simple_bind_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ int timeout,
+ const char *user_dn,
+ struct berval *pw)
+{
+ struct tevent_req *req;
+ struct simple_bind_state *state;
+ int ret = EOK;
+ int msgid;
+ int ldap_err;
+ LDAPControl **request_controls = NULL;
+ LDAPControl *ctrls[2] = { NULL, NULL };
+
+ req = tevent_req_create(memctx, &state, struct simple_bind_state);
+ if (!req) return NULL;
+
+ state->reply = talloc(state, struct
sdap_msg);
+ if (!state->reply) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->sh = sh;
+ state->user_dn = user_dn;
+ state->pw = pw;
+
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldap_control_create failed to create "
+ "Password Policy control.\n");
+ goto fail;
+ }
+ request_controls = ctrls;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Executing simple bind as: %s\n", state->user_dn);
+
+ ret = ldap_sasl_bind(state->sh->ldap, state->user_dn, LDAP_SASL_SIMPLE,
+ pw, request_controls, NULL, &msgid);
+ if (ctrls[0]) ldap_control_free(ctrls[0]);
+ if (ret == -1 || msgid == -1) {
+ ret = ldap_get_option(state->sh->ldap,
+ LDAP_OPT_RESULT_CODE, &ldap_err);
+ if (ret != LDAP_OPT_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_bind failed (couldn't get ldap error)\n");
+ ret = LDAP_LOCAL_ERROR;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ldap_bind failed (%d)[%s]\n",
+ ldap_err, sss_ldap_err2string(ldap_err));
+ ret = ldap_err;
+ }
+ goto fail;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "ldap simple bind sent, msgid = %d\n", msgid);
+
+ if (!sh->connected) {
+ ret = sdap_set_connected(sh, ev);
+ if (ret) goto fail;
+ }
+
+ ret = sdap_op_add(state, ev, sh, msgid,
+ simple_bind_done, req, timeout, &state->op);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set up operation!\n");
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ if (ret == LDAP_SERVER_DOWN) {
+ tevent_req_error(req, ETIMEDOUT);
+ } else {
+ tevent_req_error(req, ERR_NETWORK_IO);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void simple_bind_done(struct sdap_op *op,
+ struct sdap_msg *reply,
+ int error, void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ struct simple_bind_state *state = tevent_req_data(req,
+ struct simple_bind_state);
+ char *errmsg = NULL;
+ char *nval;
+ errno_t ret = ERR_INTERNAL;
+ int lret;
+
LDAPControl **response_controls;
+ int c;
+ ber_int_t pp_grace;
+ ber_int_t pp_expire;
+ LDAPPasswordPolicyError pp_error;
+ int result = LDAP_OTHER;
+ bool on_grace_login_limit = false;
+
+ if (error) {
+ tevent_req_error(req, error);
+ return;
+ }
+
+ state->reply = talloc_steal(state, reply);
+
+ lret = ldap_parse_result(state->sh->ldap, state->reply->msg,
+ &result, NULL, &errmsg, NULL,
+ &response_controls, 0);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldap_parse_result failed (%d)\n", state->op->msgid);
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ if (result == LDAP_SUCCESS) {
+ ret = EOK;
+ } else if (result == LDAP_INVALID_CREDENTIALS
+ && errmsg != NULL && strstr(errmsg, "data 775,") != NULL) {
+ /* Value 775 is described in
+ * https://msdn.microsoft.com/en-us/library/windows/desktop/ms681386%28v=vs.85%29.aspx
+ * for more details please see commit message. */
+ ret = ERR_ACCOUNT_LOCKED;
+ } else {
+ ret = ERR_AUTH_FAILED;
+ }
+
+ if (response_controls == NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Server returned no controls.\n");
+ state->ppolicy = NULL;
+ } else {
+ for (c = 0; response_controls[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Server returned control [%s].\n",
+ response_controls[c]->ldctl_oid);
+
+ if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PASSWORDPOLICYRESPONSE) == 0) {
+ lret = ldap_parse_passwordpolicy_control(state->sh->ldap,
+ response_controls[c],
+ &pp_expire, &pp_grace,
+ &pp_error);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldap_parse_passwordpolicy_control failed.\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password Policy Response: expire [%d] grace [%d] "
+ "error [%s].\n", pp_expire, pp_grace,
+ ldap_passwordpolicy_err2txt(pp_error));
+ if (!state->ppolicy)
+ state->ppolicy = talloc_zero(state,
+ struct sdap_ppolicy_data);
+ if (state->ppolicy == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->ppolicy->grace = pp_grace;
+
state->ppolicy->expire = pp_expire;
+ if (result == LDAP_SUCCESS) {
+ /* We have to set the on_grace_login_limit as when going
+ * through the response controls 389-ds may return both
+ * an warning and an error (and the order is not ensured)
+ * for the GraceLimit:
+ * - [1.3.6.1.4.1.42.2.27.8.5.1] for the GraceLimit itself
+ * - [2.16.840.1.113730.3.4.4] for the PasswordExpired
+ *
+ * So, in order to avoid bulldozing the GraceLimit, let's
+ * set it to true when pp_grace >= 0 and, in the end of
+ * this function, just return EOK when LDAP returns the
+ * PasswordExpired error but the GraceLimit is still valid.
+ */
+ on_grace_login_limit = false;
+ if (pp_error == PP_changeAfterReset) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password was reset. "
+ "User must set a new password.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ } else if (pp_grace >= 0) {
+ on_grace_login_limit = true;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password expired. "
+ "[%d] grace logins remaining.\n",
+ pp_grace);
+ } else if (pp_expire > 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password will expire in [%d] seconds.\n",
+ pp_expire);
+ }
+ } else if (result == LDAP_INVALID_CREDENTIALS &&
+ pp_error == PP_passwordExpired) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password expired user must set a new password.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ }
+ } else if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PWEXPIRED) == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password expired user must set a new password.\n");
+ ret = ERR_PASSWORD_EXPIRED;
+ } else if (strcmp(response_controls[c]->ldctl_oid,
+ LDAP_CONTROL_PWEXPIRING) == 0) {
+ /* ignore controls with suspiciously long values */
+ if (response_controls[c]->ldctl_value.bv_len > 32) {
+ continue;
+ }
+
+ if (!state->ppolicy) {
+ state->ppolicy = talloc(state, struct sdap_ppolicy_data);
+ }
+
+ if (state->ppolicy == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ /* ensure that bv_val is a null-terminated string */
+ nval = talloc_strndup(NULL,
+
response_controls[c]->ldctl_value.bv_val,
+ response_controls[c]->ldctl_value.bv_len);
+ if (nval == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->ppolicy->expire = strtouint32(nval, NULL, 10);
+ lret = errno;
+ talloc_zfree(nval);
+ if (lret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Couldn't convert control response "
+ "to an integer [%s].\n", strerror(lret));
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Password will expire in [%d] seconds.\n",
+ state->ppolicy->expire);
+ }
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Bind result: %s(%d), %s\n",
+ sss_ldap_err2string(result), result,
+ errmsg ? errmsg : "no errmsg set");
+
+ if (result != LDAP_SUCCESS && ret == EOK) {
+ ret = ERR_AUTH_FAILED;
+ }
+
+ if (ret == ERR_PASSWORD_EXPIRED && on_grace_login_limit) {
+ ret = EOK;
+ }
+
+done:
+ ldap_controls_free(response_controls);
+ ldap_memfree(errmsg);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t simple_bind_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+ struct sdap_ppolicy_data **ppolicy)
+{
+ struct simple_bind_state *state = tevent_req_data(req,
+ struct simple_bind_state);
+
+ if (ppolicy != NULL) {
+ *ppolicy = talloc_steal(memctx, state->ppolicy);
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==SASL-Bind============================================================ */
+
+struct sasl_bind_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+
+ const char *sasl_mech;
+ const char *sasl_user;
+ struct berval *sasl_cred;
+};
+
+static int sdap_sasl_interact(LDAP *ld, unsigned flags,
+ void *defaults, void *interact);
+
+static struct tevent_req *sasl_bind_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ const char *sasl_mech,
+ const char *sasl_user,
+ struct berval *sasl_cred)
+{
+ struct tevent_req *req;
+ struct sasl_bind_state *state;
+ int ret = EOK;
+ int optret;
+ char *diag_msg = NULL;
+
+ req =
tevent_req_create(memctx, &state, struct sasl_bind_state); + if (!req) return NULL; + + state->ev = ev; + state->sh = sh; + state->sasl_mech = sasl_mech; + state->sasl_user = sasl_user; + state->sasl_cred = sasl_cred; + + DEBUG(SSSDBG_CONF_SETTINGS, "Executing sasl bind mech: %s, user: %s\n", + sasl_mech, sasl_user); + + /* FIXME: Warning, this is a sync call! + * No async variant exist in openldap libraries yet */ + + if (state->sh == NULL || state->sh->ldap == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Trying LDAP search while not connected.\n"); + ret = ERR_NETWORK_IO; + goto fail; + } + + ret = ldap_sasl_interactive_bind_s(state->sh->ldap, NULL, + sasl_mech, NULL, NULL, + LDAP_SASL_QUIET, + (*sdap_sasl_interact), state); + if (ret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_sasl_bind failed (%d)[%s]\n", + ret, sss_ldap_err2string(ret)); + + optret = sss_ldap_get_diagnostic_msg(state, state->sh->ldap, + &diag_msg); + if (optret == EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Extended failure message: [%s]\n", diag_msg); + } + talloc_zfree(diag_msg); + + goto fail; + } + + if (!sh->connected) { + ret = sdap_set_connected(sh, ev); + if (ret) goto fail; + } + + /* This is a hack, relies on the fact that tevent_req_done() will always + * set the state but will not complain if no callback has been set. 
+ * tevent_req_post() will only set the immediate event and then just call
+ * the async callback set by the caller right after we return using the
+ * state value set previously by tevent_req_done() */
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ return req;
+
+fail:
+ if (ret == LDAP_SERVER_DOWN || ret == LDAP_TIMEOUT) {
+ tevent_req_error(req, ETIMEDOUT);
+ } else {
+ tevent_req_error(req, ERR_AUTH_FAILED);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static int sdap_sasl_interact(LDAP *ld, unsigned flags,
+ void *defaults, void *interact)
+{
+ struct sasl_bind_state *state = talloc_get_type(defaults,
+ struct sasl_bind_state);
+ sasl_interact_t *in = (sasl_interact_t *)interact;
+
+ if (!ld) return LDAP_PARAM_ERROR;
+
+ while (in->id != SASL_CB_LIST_END) {
+
+ switch (in->id) {
+ case SASL_CB_GETREALM:
+ case SASL_CB_USER:
+ case SASL_CB_PASS:
+ if (in->defresult) {
+ in->result = in->defresult;
+ } else {
+ in->result = "";
+ }
+ in->len = strlen(in->result);
+ break;
+ case SASL_CB_AUTHNAME:
+ if (state->sasl_user) {
+ in->result = state->sasl_user;
+ } else if (in->defresult) {
+ in->result = in->defresult;
+ } else {
+ in->result = "";
+ }
+ in->len = strlen(in->result);
+ break;
+ case SASL_CB_NOECHOPROMPT:
+ case SASL_CB_ECHOPROMPT:
+ goto fail;
+ }
+
+ in++;
+ }
+
+ return LDAP_SUCCESS;
+
+fail:
+ return LDAP_UNAVAILABLE;
+}
+
+static errno_t sasl_bind_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==Perform-Kinit-given-keytab-and-principal============================= */
+
+struct sdap_kinit_state {
+ const char *keytab;
+ const char *principal;
+ const char *realm;
+ int timeout;
+ int lifetime;
+
+ const char *krb_service_name;
+ struct tevent_context *ev;
+ struct be_ctx *be;
+
+ struct fo_server *kdc_srv;
+ time_t expire_time;
+};
+
+static void sdap_kinit_done(struct tevent_req *subreq);
+static struct tevent_req *sdap_kinit_next_kdc(struct tevent_req *req);
+static void sdap_kinit_kdc_resolved(struct tevent_req *subreq);
+
+static
+struct tevent_req *sdap_kinit_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct be_ctx *be,
+ struct sdap_handle *sh,
+ const char *krb_service_name,
+ int timeout,
+ const char *keytab,
+ const char *principal,
+ const char *realm,
+ bool canonicalize,
+ int lifetime)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct sdap_kinit_state *state;
+ int ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Attempting kinit (%s, %s, %s, %d)\n",
+ keytab ? keytab : "default",
+ principal, realm, lifetime);
+
+ if (lifetime < 0 || lifetime > INT32_MAX) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Ticket lifetime out of range.\n");
+ return NULL;
+ }
+
+ req = tevent_req_create(memctx, &state, struct sdap_kinit_state);
+ if (!req) return NULL;
+
+ state->keytab = keytab;
+ state->principal = principal;
+ state->realm = realm;
+ state->ev = ev;
+ state->be = be;
+ state->timeout = timeout;
+ state->lifetime = lifetime;
+ state->krb_service_name = krb_service_name;
+
+ if (canonicalize) {
+ ret = setenv("KRB5_CANONICALIZE", "true", 1);
+ } else {
+ ret = setenv("KRB5_CANONICALIZE", "false", 1);
+ }
+ if (ret == -1) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to set KRB5_CANONICALIZE to %s\n",
+ ((canonicalize)?"true":"false"));
+ talloc_free(req);
+ return NULL;
+ }
+
+ subreq = sdap_kinit_next_kdc(req);
+ if (!subreq) {
+ talloc_free(req);
+ return NULL;
+ }
+
+ return req;
+}
+
+static struct tevent_req *sdap_kinit_next_kdc(struct tevent_req *req)
+{
+ struct tevent_req *next_req;
+ struct sdap_kinit_state *state = tevent_req_data(req,
+ struct sdap_kinit_state);
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Resolving next KDC for service %s\n", state->krb_service_name);
+
+ next_req = be_resolve_server_send(state, state->ev,
+ state->be,
+ state->krb_service_name,
+ state->kdc_srv == NULL ? true : false);
+ if (next_req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "be_resolve_server_send failed.\n");
+ return NULL;
+ }
+ tevent_req_set_callback(next_req, sdap_kinit_kdc_resolved, req);
+
+ return next_req;
+}
+
+static void sdap_kinit_kdc_resolved(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_kinit_state *state = tevent_req_data(req,
+ struct sdap_kinit_state);
+ struct tevent_req *tgtreq;
+ int ret;
+
+ ret = be_resolve_server_recv(subreq, state, &state->kdc_srv);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ /* all servers have been tried and none
+ * was found good, go offline */
+ tevent_req_error(req, ERR_NETWORK_IO);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "KDC resolved, attempting to get TGT...\n");
+
+ tgtreq = sdap_get_tgt_send(state, state->ev, state->realm,
+ state->principal, state->keytab,
+ state->lifetime, state->timeout);
+ if (!tgtreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(tgtreq, sdap_kinit_done, req);
+}
+
+static void sdap_kinit_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_kinit_state *state = tevent_req_data(req,
+ struct sdap_kinit_state);
+
+ int ret;
+ int result;
+ char *ccname = NULL;
+ time_t expire_time = 0;
+ krb5_error_code kerr;
+ struct tevent_req *nextreq;
+
+ ret = sdap_get_tgt_recv(subreq, state, &result,
+ &kerr, &ccname, &expire_time);
+ talloc_zfree(subreq);
+ if (ret == ETIMEDOUT) {
+ /* The child didn't even respond. Perhaps the KDC is too busy,
+ * retry with another KDC */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Communication with KDC timed out, trying the next one\n");
+ be_fo_set_port_status(state->be, state->krb_service_name,
+ state->kdc_srv, PORT_NOT_WORKING);
+ nextreq = sdap_kinit_next_kdc(req);
+ if (!nextreq) {
+ tevent_req_error(req, ENOMEM);
+ }
+ return;
+ } else if (ret != EOK) {
+ /* A severe error while executing the child. Abort the operation. */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "child failed (%d [%s])\n", ret, strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (result == EOK) {
+ ret = setenv("KRB5CCNAME", ccname, 1);
+ if (ret == -1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to set env. variable KRB5CCNAME!\n");
+ tevent_req_error(req, ERR_AUTH_FAILED);
+ return;
+ }
+
+ state->expire_time = expire_time;
+ tevent_req_done(req);
+ return;
+ } else {
+ if (kerr == KRB5_KDC_UNREACH) {
+ be_fo_set_port_status(state->be, state->krb_service_name,
+ state->kdc_srv, PORT_NOT_WORKING);
+ nextreq = sdap_kinit_next_kdc(req);
+ if (!nextreq) {
+ tevent_req_error(req, ENOMEM);
+ }
+ return;
+ }
+
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Could not get TGT: %d [%s]\n", result, sss_strerror(result));
+ tevent_req_error(req, ERR_AUTH_FAILED);
+}
+
+static errno_t sdap_kinit_recv(struct tevent_req *req,
+ time_t *expire_time)
+{
+ struct sdap_kinit_state *state = tevent_req_data(req,
+ struct sdap_kinit_state);
+ enum tevent_req_state tstate;
+ uint64_t err_uint64 = ERR_INTERNAL;
+ errno_t err;
+
+ if (tevent_req_is_error(req, &tstate, &err_uint64)) {
+ if (tstate != TEVENT_REQ_IN_PROGRESS) {
+ err = (errno_t)err_uint64;
+ if (err == EOK) {
+ return ERR_INTERNAL;
+ }
+ return err;
+ }
+ }
+
+ *expire_time = state->expire_time;
+ return EOK;
+}
+
+
+/* ==Authenticaticate-User-by-DN========================================== */
+
+struct sdap_auth_state {
+ struct sdap_ppolicy_data *ppolicy;
+ bool is_sasl;
+};
+
+static void sdap_auth_done(struct tevent_req *subreq);
+
+/* TODO: handle sasl_cred */
+struct tevent_req *sdap_auth_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_handle *sh,
+ const char *sasl_mech,
+ const char *sasl_user,
+ const char *user_dn,
+ struct sss_auth_token *authtok,
+ int simple_bind_timeout)
+{
+ struct tevent_req *req, *subreq;
+ struct sdap_auth_state *state;
+
+ req = tevent_req_create(memctx, &state, struct sdap_auth_state);
+ if (!req) return NULL;
+
+ if (sasl_mech) {
+ state->is_sasl = true;
+ subreq = sasl_bind_send(state, ev, sh, sasl_mech, sasl_user, NULL);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return tevent_req_post(req, ev);
+ }
+ } else {
+ const char *password = NULL;
+ struct berval pw;
+ size_t pwlen;
+ errno_t ret;
+
+ ret = sss_authtok_get_password(authtok, &password, &pwlen);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot parse authtok.\n");
+ tevent_req_error(req, ret);
+ return tevent_req_post(req, ev);
+ }
+ /* Treat a zero-length password as a failure */
+ if (*password == '\0') {
+ tevent_req_error(req, ENOENT);
+ return tevent_req_post(req, ev);
+ }
+ pw.bv_val = discard_const(password);
+ pw.bv_len = pwlen;
+
+ state->is_sasl = false;
+ subreq = simple_bind_send(state, ev, sh, simple_bind_timeout, user_dn, &pw);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return tevent_req_post(req, ev);
+ }
+ }
+
+ tevent_req_set_callback(subreq, sdap_auth_done, req);
+ return req;
+}
+
+static int sdap_auth_get_authtok(const char *authtok_type,
+ struct dp_opt_blob authtok,
+ struct berval *pw)
+{
+ if (!authtok_type) return EOK;
+ if (!pw) return EINVAL;
+
+ if (strcasecmp(authtok_type,"password") == 0) {
+ pw->bv_len = authtok.length;
+ pw->bv_val = (char *) authtok.data;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Authentication token type [%s] is not supported\n",
+ authtok_type);
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
+static void sdap_auth_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_auth_state *state = tevent_req_data(req,
+ struct sdap_auth_state);
+ int ret;
+
+ if (state->is_sasl) {
+ ret = sasl_bind_recv(subreq);
+ state->ppolicy = NULL;
+ } else {
+ ret = simple_bind_recv(subreq, state, &state->ppolicy);
+ }
+
+ if (tevent_req_error(req, ret)) {
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t sdap_auth_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+ struct sdap_ppolicy_data **ppolicy)
+{
+ struct sdap_auth_state *state = tevent_req_data(req,
+ struct sdap_auth_state);
+
+ if (ppolicy != NULL) {
+ *ppolicy = talloc_steal(memctx, state->ppolicy);
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==Client connect============================================ */
+
+struct sdap_cli_connect_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_service *service;
+ struct be_ctx *be;
+
+ bool use_rootdse;
+ struct sysdb_attrs *rootdse;
+
+ struct sdap_handle *sh;
+
+ struct fo_server *srv;
+
+ struct sdap_server_opts *srv_opts;
+
+ enum connect_tls force_tls;
+ bool do_auth;
+ bool use_tls;
+};
+
+static int sdap_cli_resolve_next(struct tevent_req *req);
+static void sdap_cli_resolve_done(struct tevent_req *subreq);
+static void sdap_cli_connect_done(struct tevent_req *subreq);
+static void sdap_cli_rootdse_step(struct tevent_req *req);
+static void sdap_cli_rootdse_done(struct tevent_req *subreq);
+static errno_t sdap_cli_use_rootdse(struct sdap_cli_connect_state *state);
+static void sdap_cli_kinit_step(struct tevent_req *req);
+static void sdap_cli_kinit_done(struct tevent_req *subreq);
+static void sdap_cli_auth_step(struct tevent_req *req);
+static void sdap_cli_auth_done(struct tevent_req *subreq);
+static errno_t sdap_cli_auth_reconnect(struct tevent_req *subreq);
+static void sdap_cli_auth_reconnect_done(struct tevent_req *subreq);
+static void sdap_cli_rootdse_auth_done(struct tevent_req *subreq);
+
+static errno_t
+decide_tls_usage(enum connect_tls force_tls, struct dp_option *basic,
+ const char *uri, bool *_use_tls)
+{
+ bool use_tls = true;
+
+ switch (force_tls) {
+ case CON_TLS_DFL:
+ use_tls = dp_opt_get_bool(basic, SDAP_ID_TLS);
+ break;
+ case CON_TLS_ON:
+ use_tls = true;
+ break;
+ case CON_TLS_OFF:
+ use_tls = false;
+ break;
+ default:
+ return EINVAL;
+ break;
+ }
+
+ if (use_tls && sdap_is_secure_uri(uri)) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "[%s] is a secure channel. No need to run START_TLS\n", uri);
+ use_tls = false;
+ }
+
+ *_use_tls = use_tls;
+ return EOK;
+}
+
+struct tevent_req *sdap_cli_connect_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct be_ctx *be,
+ struct sdap_service *service,
+ bool skip_rootdse,
+ enum connect_tls force_tls,
+ bool skip_auth)
+{
+ struct sdap_cli_connect_state *state;
+ struct tevent_req *req;
+ int ret;
+
+ req = tevent_req_create(memctx, &state, struct sdap_cli_connect_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = opts;
+ state->service = service;
+ state->be = be;
+ state->srv = NULL;
+ state->srv_opts = NULL;
+ state->use_rootdse = !skip_rootdse;
+ state->force_tls = force_tls;
+ state->do_auth = !skip_auth;
+
+ ret = sdap_cli_resolve_next(req);
+ if (ret) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static int sdap_cli_resolve_next(struct tevent_req *req)
+{
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ struct tevent_req *subreq;
+
+ /* Before stepping to next server destroy any connection from previous attempt */
+ talloc_zfree(state->sh);
+
+ /* NOTE: this call may cause service->uri to be refreshed
+ * with a new valid server. Do not use service->uri before */
+ subreq = be_resolve_server_send(state, state->ev,
+ state->be, state->service->name,
+ state->srv == NULL ? true : false);
+ if (!subreq) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, sdap_cli_resolve_done, req);
+ return EOK;
+}
+
+static void sdap_cli_resolve_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ int ret;
+
+ ret = be_resolve_server_recv(subreq, state, &state->srv);
+ talloc_zfree(subreq);
+ if (ret) {
+ state->srv = NULL;
+ /* all servers have been tried and none
+ * was found good, go offline */
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ ret = decide_tls_usage(state->force_tls, state->opts->basic,
+ state->service->uri, &state->use_tls);
+
+ if (ret != EOK) {
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ subreq = sdap_connect_send(state, state->ev, state->opts,
+ state->service->uri,
+ state->service->sockaddr,
+ state->use_tls);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_cli_connect_done, req);
+}
+
+static void sdap_cli_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ const char *sasl_mech;
+ int ret;
+
+ talloc_zfree(state->sh);
+ ret = sdap_connect_recv(subreq, state, &state->sh);
+ talloc_zfree(subreq);
+ if (ret) {
+ /* retry another server */
+ be_fo_set_port_status(state->be, state->service->name,
+ state->srv, PORT_NOT_WORKING);
+ ret = sdap_cli_resolve_next(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ if (state->use_rootdse) {
+ /* fetch the rootDSE this time */
+ sdap_cli_rootdse_step(req);
+ return;
+ }
+
+ sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
+
+ if (state->do_auth && sasl_mech && state->use_rootdse) {
+ /* check if server claims to support GSSAPI */
+ if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
+ tevent_req_error(req, ENOTSUP);
+ return;
+ }
+ }
+
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
+ sdap_cli_kinit_step(req);
+ return;
+ }
+ }
+
+ sdap_cli_auth_step(req);
+}
+
+static void sdap_cli_rootdse_step(struct tevent_req *req)
+{
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ struct tevent_req *subreq;
+ int ret;
+
+ subreq = sdap_get_rootdse_send(state, state->ev, state->opts, state->sh);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_cli_rootdse_done, req);
+
+ if (!state->sh->connected) {
+ /* this rootdse search is performed before we actually do a bind,
+ * so we need to set up the callbacks or we will never get notified
+ * of a reply */
+
+ ret = sdap_set_connected(state->sh, state->ev);
+ if (ret) {
+ tevent_req_error(req, ret);
+ }
+ }
+}
+
+static void sdap_cli_rootdse_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ const char *sasl_mech;
+ int ret;
+
+ ret = sdap_get_rootdse_recv(subreq, state, &state->rootdse);
+ talloc_zfree(subreq);
+ if (ret) {
+ if (ret == ETIMEDOUT) { /* retry another server */
+ be_fo_set_port_status(state->be, state->service->name,
+ state->srv, PORT_NOT_WORKING);
+ ret = sdap_cli_resolve_next(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* RootDSE was not available on
+ * the server.
+ * Continue, and just assume that the
+ * features requested by the config
+ * work properly.
+ */
+ state->rootdse = NULL;
+ }
+
+
+ ret = sdap_cli_use_rootdse(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_cli_use_rootdse failed\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ sasl_mech = dp_opt_get_string(state->opts->basic, SDAP_SASL_MECH);
+
+ if (state->do_auth && sasl_mech && state->rootdse) {
+ /* check if server claims to support GSSAPI */
+ if (!sdap_is_sasl_mech_supported(state->sh, sasl_mech)) {
+ tevent_req_error(req, ENOTSUP);
+ return;
+ }
+ }
+
+ if (state->do_auth && sasl_mech && (strcasecmp(sasl_mech, "GSSAPI") == 0)) {
+ if (dp_opt_get_bool(state->opts->basic, SDAP_KRB5_KINIT)) {
+ sdap_cli_kinit_step(req);
+ return;
+ }
+ }
+
+ sdap_cli_auth_step(req);
+}
+
+static errno_t sdap_cli_use_rootdse(struct sdap_cli_connect_state *state)
+{
+ errno_t ret;
+
+ if (state->rootdse) {
+ /* save rootdse data about supported features */
+ ret = sdap_set_rootdse_supported_lists(state->rootdse, state->sh);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_set_rootdse_supported_lists failed\n");
+ return ret;
+ }
+
+ ret = sdap_set_config_options_with_rootdse(state->rootdse, state->opts,
+ state->opts->sdom);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_set_config_options_with_rootdse failed.\n");
+ return ret;
+ }
+
+ }
+
+ ret = sdap_get_server_opts_from_rootdse(state,
+ state->service->uri,
+ state->rootdse,
+ state->opts, &state->srv_opts);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_get_server_opts_from_rootdse failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static void sdap_cli_kinit_step(struct tevent_req *req)
+{
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ struct tevent_req *subreq;
+
+ subreq = sdap_kinit_send(state, state->ev,
+ state->be,
+ state->sh,
+ state->service->kinit_service_name,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_OPT_TIMEOUT),
+ dp_opt_get_string(state->opts->basic,
+ SDAP_KRB5_KEYTAB),
+ dp_opt_get_string(state->opts->basic,
+ SDAP_SASL_AUTHID),
+ sdap_gssapi_realm(state->opts->basic),
+ dp_opt_get_bool(state->opts->basic,
+ SDAP_KRB5_CANONICALIZE),
+ dp_opt_get_int(state->opts->basic,
+ SDAP_KRB5_TICKET_LIFETIME));
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_cli_kinit_done, req);
+}
+
+static void sdap_cli_kinit_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ time_t expire_time = 0;
+ errno_t ret;
+
+ ret = sdap_kinit_recv(subreq, &expire_time);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ /* We're not able to authenticate to the LDAP server.
+ * There's not much we can do except for going offline */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Cannot get a TGT: ret [%d](%s)\n", ret, sss_strerror(ret));
+ tevent_req_error(req, EACCES);
+ return;
+ }
+ state->sh->expire_time = expire_time;
+
+ sdap_cli_auth_step(req);
+}
+
+static void sdap_cli_auth_step(struct tevent_req *req)
+{
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ struct tevent_req *subreq;
+ time_t now;
+ int expire_timeout;
+ const char *sasl_mech = dp_opt_get_string(state->opts->basic,
+ SDAP_SASL_MECH);
+ const char *user_dn = dp_opt_get_string(state->opts->basic,
+ SDAP_DEFAULT_BIND_DN);
+ const char *authtok_type;
+ struct dp_opt_blob authtok_blob;
+ struct sss_auth_token *authtok;
+ errno_t ret;
+
+ /* It's possible that connection was terminated by server (e.g. #2435),
+ to overcome this try to connect again. */
+ if (state->sh == NULL || !state->sh->connected) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No connection available. "
+ "Trying to reconnect.\n");
+ ret = sdap_cli_auth_reconnect(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_cli_auth_reconnect failed: %d:[%s]\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* Set the LDAP expiration time
+ * If SASL has already set it, use the sooner of the two
+ */
+ now = time(NULL);
+ expire_timeout = dp_opt_get_int(state->opts->basic, SDAP_EXPIRE_TIMEOUT);
+ DEBUG(SSSDBG_CONF_SETTINGS, "expire timeout is %d\n", expire_timeout);
+ if (!state->sh->expire_time
+ || (state->sh->expire_time > (now + expire_timeout))) {
+ state->sh->expire_time = now + expire_timeout;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "the connection will expire at %ld\n", state->sh->expire_time);
+ }
+
+ if (!state->do_auth ||
+ (sasl_mech == NULL && user_dn == NULL)) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "No authentication requested or SASL auth forced off\n");
+ tevent_req_done(req);
+ return;
+ }
+
+ authtok_type = dp_opt_get_string(state->opts->basic,
+ SDAP_DEFAULT_AUTHTOK_TYPE);
+ authtok = sss_authtok_new(state);
+ if(authtok == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ if (authtok_type != NULL) {
+ if (strcasecmp(authtok_type, "password") != 0) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Invalid authtoken type\n");
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ authtok_blob = dp_opt_get_blob(state->opts->basic,
+ SDAP_DEFAULT_AUTHTOK);
+ if (authtok_blob.data) {
+ ret = sss_authtok_set_password(authtok,
+ (const char *)authtok_blob.data,
+ authtok_blob.length);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+ }
+
+ subreq = sdap_auth_send(state, state->ev,
+ state->sh, sasl_mech,
+ dp_opt_get_string(state->opts->basic,
+ SDAP_SASL_AUTHID),
+ user_dn, authtok,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_OPT_TIMEOUT));
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_cli_auth_done, req);
+}
+
+static errno_t sdap_cli_auth_reconnect(struct tevent_req *req)
+{
+ struct sdap_cli_connect_state *state;
+ struct tevent_req *subreq;
+ errno_t ret;
+
+ state = tevent_req_data(req, struct sdap_cli_connect_state);
+
+ ret = decide_tls_usage(state->force_tls, state->opts->basic,
+ state->service->uri, &state->use_tls);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ subreq = sdap_connect_send(state, state->ev, state->opts,
+ state->service->uri,
+ state->service->sockaddr,
+ state->use_tls);
+
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_cli_auth_reconnect_done, req);
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+static void sdap_cli_auth_reconnect_done(struct tevent_req *subreq)
+{
+ struct sdap_cli_connect_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_cli_connect_state);
+
+ talloc_zfree(state->sh);
+
+ ret = sdap_connect_recv(subreq, state, &state->sh);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* if TLS was used, the sdap handle is already marked as connected */
+ if (!state->use_tls) {
+ /* we need to mark handle as connected to allow anonymous bind */
+ ret = sdap_set_connected(state->sh, state->ev);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_set_connected() failed.\n");
+ goto done;
+ }
+ }
+
+ /* End request if reconnecting failed to avoid endless loop */
+ if (state->sh == NULL || !state->sh->connected) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to reconnect.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ sdap_cli_auth_step(req);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+}
+
+static void sdap_cli_auth_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ int ret;
+
+ ret = sdap_auth_recv(subreq, NULL, NULL);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->use_rootdse && !state->rootdse) {
+ /* We weren't able to read rootDSE during unauthenticated bind.
+ * Let's try again now that we are authenticated */
+ subreq = sdap_get_rootdse_send(state, state->ev,
+ state->opts, state->sh);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_cli_rootdse_auth_done, req);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static void sdap_cli_rootdse_auth_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+
+ ret = sdap_get_rootdse_recv(subreq, state, &state->rootdse);
+ talloc_zfree(subreq);
+ if (ret) {
+ if (ret == ETIMEDOUT) {
+ /* The server we authenticated against went down. Retry another
+ * one */
+ be_fo_set_port_status(state->be, state->service->name,
+ state->srv, PORT_NOT_WORKING);
+ ret = sdap_cli_resolve_next(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* RootDSE was not available on
+ * the server.
+ * Continue, and just assume that the
+ * features requested by the config
+ * work properly.
+ */
+ state->use_rootdse = false;
+ state->rootdse = NULL;
+ tevent_req_done(req);
+ return;
+ }
+
+ /* We were able to get rootDSE after authentication */
+ ret = sdap_cli_use_rootdse(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_cli_use_rootdse failed\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int sdap_cli_connect_recv(struct tevent_req *req,
+ TALLOC_CTX *memctx,
+ bool *can_retry,
+ struct sdap_handle **gsh,
+ struct sdap_server_opts **srv_opts)
+{
+ struct sdap_cli_connect_state *state = tevent_req_data(req,
+ struct sdap_cli_connect_state);
+ enum tevent_req_state tstate;
+ uint64_t err_uint64;
+ int err;
+
+ if (can_retry) {
+ *can_retry = true;
+ }
+ if (tevent_req_is_error(req, &tstate, &err_uint64)) {
+ /* mark the server as bad if connection failed */
+ if (state->srv) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to establish connection "
+ "[%"PRIu64"]: %s\n", err_uint64, sss_strerror(err_uint64));
+
+ be_fo_set_port_status(state->be, state->service->name,
+ state->srv, PORT_NOT_WORKING);
+ } else {
+ if (can_retry) {
+ *can_retry = false;
+ }
+ }
+
+ if (tstate == TEVENT_REQ_USER_ERROR) {
+ err = (int)err_uint64;
+ if (err == EOK) {
+ return EINVAL;
+ }
+ return err;
+ }
+ return EIO;
+ } else if (state->srv) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Connection established.\n");
+
+ be_fo_set_port_status(state->be, state->service->name,
+ state->srv, PORT_WORKING);
+ }
+
+ if (gsh) {
+ if (*gsh) {
+ talloc_zfree(*gsh);
+ }
+ *gsh = talloc_steal(memctx, state->sh);
+ if (!*gsh) {
+ return ENOMEM;
+ }
+ } else {
+ talloc_zfree(state->sh);
+ }
+
+ if (srv_opts) {
+ *srv_opts = talloc_steal(memctx, state->srv_opts);
+ }
+
+ return EOK;
+}
+
+static int synchronous_tls_setup(LDAP *ldap)
+{
+ int lret;
+ int optret;
+ int ldaperr;
+ int msgid;
+ char *errmsg = NULL;
+ char *diag_msg;
+ LDAPMessage *result = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Executing START TLS\n");
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return LDAP_NO_MEMORY;
+
+ lret = ldap_start_tls(ldap, NULL, NULL, &msgid);
+ if (lret != LDAP_SUCCESS) {
+ optret = sss_ldap_get_diagnostic_msg(tmp_ctx, ldap, &diag_msg);
+ if (optret == LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_start_tls failed: [%s] [%s]\n",
+ sss_ldap_err2string(lret), diag_msg);
+ sss_log(SSS_LOG_ERR, "Could not start TLS. %s", diag_msg);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "ldap_start_tls failed: [%s]\n", sss_ldap_err2string(lret));
+ sss_log(SSS_LOG_ERR, "Could not start TLS. "
+ "Check for certificate issues.");
+ }
+ goto done;
+ }
+
+ lret = ldap_result(ldap, msgid, 1, NULL, &result);
+ if (lret != LDAP_RES_EXTENDED) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unexpected ldap_result, expected [%lu] got [%d].\n",
+ LDAP_RES_EXTENDED, lret);
+ lret = LDAP_PARAM_ERROR;
+ goto done;
+ }
+
+ lret = ldap_parse_result(ldap, result, &ldaperr, NULL, &errmsg, NULL, NULL,
+ 0);
+ if (lret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "ldap_parse_result failed (%d) [%d][%s]\n", msgid, lret,
+ sss_ldap_err2string(lret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_MINOR_FAILURE, "START TLS result: %s(%d), %s\n",
+ sss_ldap_err2string(ldaperr), ldaperr, errmsg);
+
+ if (ldap_tls_inplace(ldap)) {
+ DEBUG(SSSDBG_TRACE_ALL, "SSL/TLS handler already in place.\n");
+ lret = LDAP_SUCCESS;
+ goto done;
+ }
+
+ lret = ldap_install_tls(ldap);
+ if (lret != LDAP_SUCCESS) {
+
+ optret = sss_ldap_get_diagnostic_msg(tmp_ctx, ldap, &diag_msg);
+ if (optret == LDAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s] [%s]\n",
+ sss_ldap_err2string(lret), diag_msg);
+ sss_log(SSS_LOG_ERR, "Could not start TLS encryption. %s", diag_msg);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "ldap_install_tls failed: [%s]\n",
+ sss_ldap_err2string(lret));
+ sss_log(SSS_LOG_ERR, "Could not start TLS encryption. "
+ "Check for certificate issues.");
+ }
+
+ goto done;
+ }
+
+ lret = LDAP_SUCCESS;
+done:
+ if (result) ldap_msgfree(result);
+ if (errmsg) ldap_memfree(errmsg);
+ talloc_zfree(tmp_ctx);
+ return lret;
+}
+
+static int sdap_rebind_proc(LDAP *ldap, LDAP_CONST char *url, ber_tag_t request,
+ ber_int_t msgid, void *params)
+{
+ struct sdap_rebind_proc_params *p = talloc_get_type(params,
+ struct sdap_rebind_proc_params);
+ const char *sasl_mech;
+ const char *user_dn;
+ struct berval password = {0, NULL};
+ LDAPControl **request_controls = NULL;
+ LDAPControl *ctrls[2] = { NULL, NULL };
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct sasl_bind_state *sasl_bind_state;
+ int ret;
+
+ if (ldap == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Trying LDAP rebind while not connected.\n");
+ return ERR_NETWORK_IO;
+ }
+
+ if (p->use_start_tls) {
+ ret = synchronous_tls_setup(ldap);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "synchronous_tls_setup failed.\n");
+ return ret;
+ }
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ return LDAP_NO_MEMORY;
+ }
+
+ sasl_mech = dp_opt_get_string(p->opts->basic, SDAP_SASL_MECH);
+
+ if (sasl_mech == NULL) {
+ ret = sss_ldap_control_create(LDAP_CONTROL_PASSWORDPOLICYREQUEST,
+ 0, NULL, 0, &ctrls[0]);
+ if (ret != LDAP_SUCCESS && ret != LDAP_NOT_SUPPORTED) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_ldap_control_create failed to create "
+ "Password Policy control.\n");
+ goto done;
+ }
+ request_controls = ctrls;
+
+ user_dn = dp_opt_get_string(p->opts->basic, SDAP_DEFAULT_BIND_DN);
+ if (user_dn != NULL) {
+ ret = sdap_auth_get_authtok(dp_opt_get_string(p->opts->basic,
+ SDAP_DEFAULT_AUTHTOK_TYPE),
+ dp_opt_get_blob(p->opts->basic,
+ SDAP_DEFAULT_AUTHTOK),
+ &password);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_auth_get_authtok failed.\n");
+ ret = LDAP_LOCAL_ERROR;
+ goto done;
+ }
+ }
+
+ ret = ldap_sasl_bind_s(ldap, user_dn, LDAP_SASL_SIMPLE, &password,
+ request_controls, NULL, NULL);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_sasl_bind_s failed (%d)[%s]\n", ret,
+ sss_ldap_err2string(ret));
+ }
+ } else {
+ sasl_bind_state = talloc_zero(tmp_ctx, struct sasl_bind_state);
+ if (sasl_bind_state == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+ ret = LDAP_NO_MEMORY;
+ goto done;
+ }
+ sasl_bind_state->sasl_user = dp_opt_get_string(p->opts->basic,
+ SDAP_SASL_AUTHID);
+ ret = ldap_sasl_interactive_bind_s(ldap, NULL,
+ sasl_mech, NULL, NULL,
+ LDAP_SASL_QUIET,
+ (*sdap_sasl_interact),
+ sasl_bind_state);
+ if (ret != LDAP_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ldap_sasl_interactive_bind_s failed (%d)[%s]\n", ret,
+ sss_ldap_err2string(ret));
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "%s bind to [%s].\n",
+ (ret == LDAP_SUCCESS ? "Successfully" : "Failed to"), url);
+
+done:
+ if (ctrls[0]) ldap_control_free(ctrls[0]);
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/providers/ldap/sdap_async_enum.c b/src/providers/ldap/sdap_async_enum.c
new file mode 100644
index 0000000..899d59d
--- /dev/null
+++ b/src/providers/ldap/sdap_async_enum.c
@@ -0,0 +1,771 @@
+/*
+ SSSD
+
+ LDAP Enumeration Module
+
+ Authors:
+ Simo Sorce
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_async_enum.h"
+#include "providers/ldap/sdap_idmap.h"
+
+static struct tevent_req *enum_users_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_op *op,
+ bool purge);
+static errno_t enum_users_recv(struct tevent_req *req);
+
+static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_op *op,
+ bool purge);
+static errno_t enum_groups_recv(struct tevent_req *req);
+
+/* ==Enumeration-Request-with-connections=================================== */
+struct sdap_dom_enum_ex_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *ctx;
+ struct sdap_domain *sdom;
+
+ struct sdap_id_conn_ctx *user_conn;
+ struct sdap_id_conn_ctx *group_conn;
+ struct sdap_id_conn_ctx *svc_conn;
+ struct sdap_id_op *user_op;
+ struct sdap_id_op *group_op;
+ struct sdap_id_op *svc_op;
+
+ bool purge;
+};
+
+static errno_t sdap_dom_enum_ex_retry(struct tevent_req *req,
+ struct sdap_id_op *op,
+ tevent_req_fn tcb);
+static bool sdap_dom_enum_ex_connected(struct tevent_req *subreq);
+static void sdap_dom_enum_ex_get_users(struct tevent_req *subreq);
+static void sdap_dom_enum_ex_users_done(struct tevent_req *subreq);
+static void sdap_dom_enum_ex_get_groups(struct tevent_req *subreq);
+static void sdap_dom_enum_ex_groups_done(struct tevent_req *subreq);
+static void sdap_dom_enum_ex_get_svcs(struct tevent_req *subreq);
+static void sdap_dom_enum_ex_svcs_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_dom_enum_ex_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *user_conn,
+ struct sdap_id_conn_ctx *group_conn,
+ struct sdap_id_conn_ctx *svc_conn)
+{
+ struct tevent_req *req;
+ struct sdap_dom_enum_ex_state *state;
+ int t;
+ errno_t ret;
+
+ req = tevent_req_create(memctx, &state, struct sdap_dom_enum_ex_state);
+ if (req == NULL) return NULL;
+
+ state->ev = ev;
+ state->ctx = ctx;
+ state->sdom = sdom;
+ state->user_conn = user_conn;
+ state->group_conn = group_conn;
+ state->svc_conn = svc_conn;
+ sdom->last_enum = tevent_timeval_current();
+
+ t = dp_opt_get_int(ctx->opts->basic, SDAP_PURGE_CACHE_TIMEOUT);
+ if ((sdom->last_purge.tv_sec + t) < sdom->last_enum.tv_sec) {
+ state->purge = true;
+ }
+
+ state->user_op = sdap_id_op_create(state, user_conn->conn_cache);
+ if (state->user_op == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_create failed for users\n");
+ ret = EIO;
+ goto fail;
+ }
+
+ ret = sdap_dom_enum_ex_retry(req, state->user_op,
+ sdap_dom_enum_ex_get_users);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_dom_enum_ex_retry failed\n");
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t sdap_dom_enum_ex_retry(struct tevent_req *req,
+ struct sdap_id_op *op,
+ tevent_req_fn tcb)
+{
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct
sdap_dom_enum_ex_state);
+ struct tevent_req *subreq;
+ errno_t ret;
+
+ subreq = sdap_id_op_connect_send(op, state, &ret);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_id_op_connect_send failed: %d\n", ret);
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, tcb, req);
+ return EOK;
+}
+
+static bool sdap_dom_enum_ex_connected(struct tevent_req *subreq)
+{
+ errno_t ret;
+ int dp_error;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ if (dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Backend is marked offline, retry later!\n");
+ tevent_req_done(req);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Domain enumeration failed to connect to " \
+ "LDAP server: (%d)[%s]\n", ret, strerror(ret));
+ tevent_req_error(req, ret);
+ }
+ return false;
+ }
+
+ return true;
+}
+
+static void sdap_dom_enum_ex_get_users(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct sdap_dom_enum_ex_state);
+
+ if (sdap_dom_enum_ex_connected(subreq) == false) {
+ return;
+ }
+
+ subreq = enum_users_send(state, state->ev,
+ state->ctx, state->sdom,
+ state->user_op, state->purge);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_dom_enum_ex_users_done, req);
+}
+
+static void sdap_dom_enum_ex_users_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct sdap_dom_enum_ex_state);
+ errno_t ret;
+ int dp_error;
+
+ ret = enum_users_recv(subreq);
+ talloc_zfree(subreq);
+ ret = sdap_id_op_done(state->user_op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = sdap_dom_enum_ex_retry(req,
state->user_op,
+ sdap_dom_enum_ex_get_users);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ return;
+ } else if (dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Backend is offline, retrying later\n");
+ tevent_req_done(req);
+ return;
+ } else if (ret != EOK && ret != ENOENT) {
+ /* Non-recoverable error */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "User enumeration failed: %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->group_op = sdap_id_op_create(state, state->group_conn->conn_cache);
+ if (state->group_op == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_create failed for groups\n");
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ ret = sdap_dom_enum_ex_retry(req, state->group_op,
+ sdap_dom_enum_ex_get_groups);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Continues to sdap_dom_enum_ex_get_groups */
+}
+
+static void sdap_dom_enum_ex_get_groups(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct sdap_dom_enum_ex_state);
+
+ if (sdap_dom_enum_ex_connected(subreq) == false) {
+ return;
+ }
+
+ subreq = enum_groups_send(state, state->ev, state->ctx,
+ state->sdom,
+ state->group_op, state->purge);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_dom_enum_ex_groups_done, req);
+}
+
+static void sdap_dom_enum_ex_groups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct sdap_dom_enum_ex_state);
+ int ret;
+ int dp_error;
+
+ ret = enum_groups_recv(subreq);
+ talloc_zfree(subreq);
+ ret = sdap_id_op_done(state->group_op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = sdap_dom_enum_ex_retry(req, state->group_op,
sdap_dom_enum_ex_get_groups);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ return;
+ } else if (dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Backend is offline, retrying later\n");
+ tevent_req_done(req);
+ return;
+ } else if (ret != EOK && ret != ENOENT) {
+ /* Non-recoverable error */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Group enumeration failed: %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+
+ state->svc_op = sdap_id_op_create(state, state->svc_conn->conn_cache);
+ if (state->svc_op == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_create failed for svcs\n");
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ ret = sdap_dom_enum_ex_retry(req, state->svc_op,
+ sdap_dom_enum_ex_get_svcs);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+}
+
+static void sdap_dom_enum_ex_get_svcs(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct sdap_dom_enum_ex_state);
+
+ if (sdap_dom_enum_ex_connected(subreq) == false) {
+ return;
+ }
+
+ subreq = enum_services_send(state, state->ev, state->ctx,
+ state->svc_op, state->purge);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_dom_enum_ex_svcs_done, req);
+}
+
+static void sdap_dom_enum_ex_svcs_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_dom_enum_ex_state *state = tevent_req_data(req,
+ struct sdap_dom_enum_ex_state);
+ int ret;
+ int dp_error;
+
+ ret = enum_services_recv(subreq);
+ talloc_zfree(subreq);
+ ret = sdap_id_op_done(state->svc_op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = sdap_dom_enum_ex_retry(req, state->user_op,
+ sdap_dom_enum_ex_get_svcs);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ return;
+ } else if
(dp_error == DP_ERR_OFFLINE) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Backend is offline, retrying later\n");
+ tevent_req_done(req);
+ return;
+ } else if (ret != EOK && ret != ENOENT) {
+ /* Non-recoverable error */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Service enumeration failed: %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Ok, we've completed an enumeration. Save this to the
+ * sysdb so we can postpone starting up the enumeration
+ * process on the next SSSD service restart (to avoid
+ * slowing down system boot-up
+ */
+ ret = sysdb_set_enumerated(state->sdom->dom, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not mark domain as having enumerated.\n");
+ /* This error is non-fatal, so continue */
+ }
+
+ if (state->purge) {
+ ret = ldap_id_cleanup(state->ctx->opts, state->sdom);
+ if (ret != EOK) {
+ /* Not fatal, worst case we'll have stale entries that would be
+ * removed on a subsequent online lookup
+ */
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cleanup failed: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t sdap_dom_enum_ex_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==Enumeration-Request==================================================== */
+struct tevent_req *
+sdap_dom_enum_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn)
+{
+ return sdap_dom_enum_ex_send(memctx, ev, ctx, sdom, conn, conn, conn);
+}
+
+errno_t sdap_dom_enum_recv(struct tevent_req *req)
+{
+ return sdap_dom_enum_ex_recv(req);
+}
+
+/* ==User-Enumeration===================================================== */
+struct enum_users_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *ctx;
+ struct sdap_domain *sdom;
+ struct sdap_id_op *op;
+
+ char *filter;
+ const char **attrs;
+};
+
+static void enum_users_done(struct tevent_req *subreq);
+
+static struct tevent_req
*enum_users_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_op *op,
+ bool purge)
+{
+ struct tevent_req *req, *subreq;
+ struct enum_users_state *state;
+ int ret;
+ bool use_mapping;
+
+ req = tevent_req_create(memctx, &state, struct enum_users_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->sdom = sdom;
+ state->ctx = ctx;
+ state->op = op;
+
+ use_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ ctx->opts->idmap_ctx,
+ sdom->dom->name,
+ sdom->dom->domain_id);
+
+ /* We always want to filter on objectclass and an available name */
+ state->filter = talloc_asprintf(state,
+ "(&(objectclass=%s)(%s=*)",
+ ctx->opts->user_map[SDAP_OC_USER].name,
+ ctx->opts->user_map[SDAP_AT_USER_NAME].name);
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ if (use_mapping) {
+ /* If we're ID-mapping, check for the objectSID as well */
+ state->filter = talloc_asprintf_append_buffer(
+ state->filter, "(%s=*)",
+ ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* We're not ID-mapping, so make sure to only get entries
+ * that have UID and GID
+ */
+ state->filter = talloc_asprintf_append_buffer(
+ state->filter, "(%s=*)(%s=*)",
+ ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ ctx->opts->user_map[SDAP_AT_USER_GID].name);
+ }
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ if (ctx->srv_opts && ctx->srv_opts->max_user_value && !purge) {
+ /* If we have lastUSN available and we're not doing a full
+ * refresh, limit to changes with a higher entryUSN value.
+ */
+ state->filter = talloc_asprintf_append_buffer(
+ state->filter,
+ "(%s>=%s)(!(%s=%s))",
+ ctx->opts->user_map[SDAP_AT_USER_USN].name,
+ ctx->srv_opts->max_user_value,
+ ctx->opts->user_map[SDAP_AT_USER_USN].name,
+ ctx->srv_opts->max_user_value);
+
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ }
+
+ /* Terminate the search filter */
+ state->filter = talloc_asprintf_append_buffer(state->filter, ")");
+ if (!state->filter) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = build_attrs_from_map(state, ctx->opts->user_map,
+ ctx->opts->user_map_cnt,
+ NULL, &state->attrs, NULL);
+ if (ret != EOK) goto fail;
+
+ /* TODO: restrict the enumerations to using a single
+ * search base at a time.
+ */
+
+ subreq = sdap_get_users_send(state, state->ev,
+ state->sdom->dom,
+ state->sdom->dom->sysdb,
+ state->ctx->opts,
+ state->sdom->user_search_bases,
+ sdap_id_op_handle(state->op),
+ state->attrs, state->filter,
+ dp_opt_get_int(state->ctx->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ SDAP_LOOKUP_ENUMERATE, NULL);
+ if (!subreq) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, enum_users_done, req);
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void enum_users_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct enum_users_state *state = tevent_req_data(req,
+ struct enum_users_state);
+ char *usn_value;
+ char *endptr = NULL;
+ unsigned usn_number;
+ int ret;
+
+ ret = sdap_get_users_recv(subreq, state, &usn_value);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (usn_value) {
+ talloc_zfree(state->ctx->srv_opts->max_user_value);
+ state->ctx->srv_opts->max_user_value =
+ talloc_steal(state->ctx, usn_value);
+
+ usn_number = strtoul(usn_value,
&endptr, 10);
+ if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value))
+ && (usn_number > state->ctx->srv_opts->last_usn)) {
+ state->ctx->srv_opts->last_usn = usn_number;
+ }
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Users higher USN value: [%s]\n",
+ state->ctx->srv_opts->max_user_value);
+
+ tevent_req_done(req);
+}
+
+static errno_t enum_users_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* =Group-Enumeration===================================================== */
+struct enum_groups_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *ctx;
+ struct sdap_domain *sdom;
+ struct sdap_id_op *op;
+
+ char *filter;
+ const char **attrs;
+};
+
+static void enum_groups_done(struct tevent_req *subreq);
+
+static struct tevent_req *enum_groups_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_op *op,
+ bool purge)
+{
+ struct tevent_req *req, *subreq;
+ struct enum_groups_state *state;
+ int ret;
+ bool use_mapping;
+ bool non_posix = false;
+ char *oc_list;
+
+ req = tevent_req_create(memctx, &state, struct enum_groups_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->sdom = sdom;
+ state->ctx = ctx;
+ state->op = op;
+
+ if (sdom->dom->type == DOM_TYPE_APPLICATION) {
+ non_posix = true;
+ }
+
+ use_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ ctx->opts->idmap_ctx,
+ sdom->dom->name,
+ sdom->dom->domain_id);
+
+ /* We always want to filter on objectclass and an available name */
+ oc_list = sdap_make_oc_list(state, ctx->opts->group_map);
+ if (oc_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ state->filter = talloc_asprintf(state, "(&(%s)(%s=*)", oc_list,
+ ctx->opts->group_map[SDAP_AT_GROUP_NAME].name);
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ if (!non_posix
&& use_mapping) {
+ /* If we're ID-mapping, check for the objectSID as well */
+ state->filter = talloc_asprintf_append_buffer(
+ state->filter, "(%s=*)",
+ ctx->opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
+ } else {
+ /* We're not ID-mapping, so make sure to only get entries
+ * that have a non-zero GID.
+ */
+ state->filter = talloc_asprintf_append_buffer(
+ state->filter, "(&(%s=*)(!(%s=0)))",
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name,
+ ctx->opts->group_map[SDAP_AT_GROUP_GID].name);
+ }
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ if (ctx->srv_opts && ctx->srv_opts->max_group_value && !purge) {
+ state->filter = talloc_asprintf_append_buffer(
+ state->filter,
+ "(%s>=%s)(!(%s=%s))",
+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+ ctx->srv_opts->max_group_value,
+ ctx->opts->group_map[SDAP_AT_GROUP_USN].name,
+ ctx->srv_opts->max_group_value);
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ }
+
+ /* Terminate the search filter */
+ state->filter = talloc_asprintf_append_buffer(state->filter, ")");
+ if (!state->filter) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to build base filter\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = build_attrs_from_map(state, ctx->opts->group_map, SDAP_OPTS_GROUP,
+ NULL, &state->attrs, NULL);
+ if (ret != EOK) goto fail;
+
+ /* TODO: restrict the enumerations to using a single
+ * search base at a time.
+ */
+
+ subreq = sdap_get_groups_send(state, state->ev,
+ state->sdom,
+ state->ctx->opts,
+ sdap_id_op_handle(state->op),
+ state->attrs, state->filter,
+ dp_opt_get_int(state->ctx->opts->basic,
+ SDAP_ENUM_SEARCH_TIMEOUT),
+ SDAP_LOOKUP_ENUMERATE, false);
+ if (!subreq) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, enum_groups_done, req);
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void enum_groups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct enum_groups_state *state = tevent_req_data(req,
+ struct enum_groups_state);
+ char *usn_value;
+ char *endptr = NULL;
+ unsigned usn_number;
+ int ret;
+
+ ret = sdap_get_groups_recv(subreq, state, &usn_value);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (usn_value) {
+ talloc_zfree(state->ctx->srv_opts->max_group_value);
+ state->ctx->srv_opts->max_group_value =
+ talloc_steal(state->ctx, usn_value);
+ usn_number = strtoul(usn_value, &endptr, 10);
+ if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value))
+ && (usn_number > state->ctx->srv_opts->last_usn)) {
+ state->ctx->srv_opts->last_usn = usn_number;
+ }
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Groups higher USN value: [%s]\n",
+ state->ctx->srv_opts->max_group_value);
+
+ tevent_req_done(req);
+}
+
+static errno_t enum_groups_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
diff --git a/src/providers/ldap/sdap_async_enum.h b/src/providers/ldap/sdap_async_enum.h
new file mode 100644
index 0000000..2da38f9
--- /dev/null
+++ b/src/providers/ldap/sdap_async_enum.h
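Review bot: In `sdap_dom_enum_ex_svcs_done` the retry branch calls `sdap_dom_enum_ex_retry(req, state->user_op, sdap_dom_enum_ex_get_svcs)`, reconnecting the user operation although the enumeration that failed ran on `state->svc_op`; the users and groups callbacks each retry their own op, so this looks like a copy-paste slip and should read `ret = sdap_dom_enum_ex_retry(req, state->svc_op, sdap_dom_enum_ex_get_svcs);`. It matters most when `sdap_dom_enum_ex_send` is given distinct user and service connections. Separately, `enum_users_done` and `enum_groups_done` dereference `state->ctx->srv_opts` without the NULL check the `_send` functions apply, and assign `strtoul()` to an `unsigned`, which would truncate a USN above `UINT_MAX` where `long` is 64-bit. The server-returned USN string is also formatted unescaped into the next search filter via `"(%s>=%s)(!(%s=%s))"`; if the directory server is not fully trusted, passing it through `sss_filter_sanitize` (as sdap_async_groups.c does for DNs) before reuse would be a cheap hardening step.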
@@ -0,0 +1,49 @@
+/*
+ SSSD
+
+ LDAP Enumeration Module
+
+ Authors:
+ Simo Sorce
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SDAP_ASYNC_ENUM_H_
+#define _SDAP_ASYNC_ENUM_H_
+
+struct tevent_req *
+sdap_dom_enum_ex_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *user_conn,
+ struct sdap_id_conn_ctx *group_conn,
+ struct sdap_id_conn_ctx *svc_conn);
+
+errno_t sdap_dom_enum_ex_recv(struct tevent_req *req);
+
+struct tevent_req *
+sdap_dom_enum_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *ctx,
+ struct sdap_domain *sdom,
+ struct sdap_id_conn_ctx *conn);
+
+errno_t sdap_dom_enum_recv(struct tevent_req *req);
+
+#endif /* _SDAP_ASYNC_ENUM_H_ */
diff --git a/src/providers/ldap/sdap_async_groups.c b/src/providers/ldap/sdap_async_groups.c
new file mode 100644
index 0000000..77acded
--- /dev/null
+++ b/src/providers/ldap/sdap_async_groups.c
@@ -0,0 +1,2649 @@
+/*
+ SSSD
+
+ Async LDAP Helper routines - retrieving groups
+
+ Copyright (C) Simo Sorce - 2009
+ Copyright (C) 2010, Ralf Haferkamp , Novell Inc.
+ Copyright (C) Jan Zeleny - 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/probes.h"
+#include "db/sysdb.h"
+#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "providers/ad/ad_common.h"
+
+/* ==Group-Parsing Routines=============================================== */
+
+static int sdap_find_entry_by_origDN(TALLOC_CTX *memctx,
+ struct sysdb_ctx *ctx,
+ struct sss_domain_info *domain,
+ const char *orig_dn,
+ char **_localdn,
+ bool *_is_group)
+{
+ TALLOC_CTX *tmpctx;
+ const char *attrs[] = {SYSDB_OBJECTCLASS, SYSDB_OBJECTCATEGORY, NULL};
+ struct ldb_dn *base_dn;
+ char *filter;
+ struct ldb_message **msgs;
+ size_t num_msgs;
+ int ret;
+ char *sanitized_dn;
+ const char *objectclass;
+
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ ret = sss_filter_sanitize(tmpctx, orig_dn, &sanitized_dn);
+ if (ret != EOK) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ filter = talloc_asprintf(tmpctx, "%s=%s", SYSDB_ORIG_DN, sanitized_dn);
+ if (!filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ base_dn = sysdb_domain_dn(tmpctx, domain);
+ if (!base_dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
"Searching cache for [%s].\n", sanitized_dn);
+ ret = sysdb_search_entry(tmpctx, ctx,
+ base_dn, LDB_SCOPE_SUBTREE, filter, attrs,
+ &num_msgs, &msgs);
+ if (ret) {
+ goto done;
+ }
+ if (num_msgs != 1) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ *_localdn = talloc_strdup(memctx, ldb_dn_get_linearized(msgs[0]->dn));
+ if (!*_localdn) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ if (_is_group != NULL) {
+ objectclass = ldb_msg_find_attr_as_string(msgs[0], SYSDB_OBJECTCATEGORY,
+ NULL);
+ if (objectclass == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "An entry without a %s?\n",
+ SYSDB_OBJECTCATEGORY);
+ ret = EINVAL;
+ goto done;
+ }
+
+ *_is_group = strcmp(SYSDB_GROUP_CLASS, objectclass) == 0;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_zfree(tmpctx);
+ return ret;
+}
+
+static errno_t
+sdap_get_members_with_primary_gid(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ gid_t gid, char ***_localdn, size_t *_ndn)
+{
+ static const char *search_attrs[] = { SYSDB_NAME, NULL };
+ char *filter;
+ struct ldb_message **msgs;
+ size_t count;
+ size_t i;
+ errno_t ret;
+ char **localdn;
+
+ /* Don't search if the group is non-POSIX */
+ if (!gid) return EOK;
+
+ filter = talloc_asprintf(mem_ctx, "(%s=%llu)", SYSDB_GIDNUM,
+ (unsigned long long) gid);
+ if (!filter) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_users(mem_ctx, domain, filter,
+ search_attrs, &count, &msgs);
+ talloc_free(filter);
+ if (ret == ENOENT) {
+ *_localdn = NULL;
+ *_ndn = 0;
+ return EOK;
+ } else if (ret != EOK) {
+ return ret;
+ }
+
+ localdn = talloc_array(mem_ctx, char *, count);
+ if (!localdn) {
+ talloc_free(msgs);
+ return ENOMEM;
+ }
+
+ for (i=0; i < count; i++) {
+ localdn[i] = talloc_strdup(localdn,
+ ldb_dn_get_linearized(msgs[i]->dn));
+ if (!localdn[i]) {
+ talloc_free(localdn);
+ talloc_free(msgs);
+ return ENOMEM;
+ }
+ }
+
+ talloc_free(msgs);
+ *_localdn = localdn;
+ *_ndn = count;
+ return EOK;
+}
+
+static errno_t
+sdap_dn_by_primary_gid(TALLOC_CTX *mem_ctx, struct sysdb_attrs *ldap_attrs,
+ struct
sss_domain_info *domain,
+ struct sdap_options *opts,
+ char ***_dn_list, size_t *_count)
+{
+ gid_t gid;
+ errno_t ret;
+
+ ret = sysdb_attrs_get_uint32_t(ldap_attrs,
+ opts->group_map[SDAP_AT_GROUP_GID].sys_name,
+ &gid);
+ if (ret == ENOENT) {
+ /* Non-POSIX AD group. Skip. */
+ *_dn_list = NULL;
+ *_count = 0;
+ return EOK;
+ } else if (ret && ret != ENOENT) {
+ return ret;
+ }
+
+ ret = sdap_get_members_with_primary_gid(mem_ctx, domain, gid,
+ _dn_list, _count);
+ if (ret) return ret;
+
+ return EOK;
+}
+
+static bool has_member(struct ldb_message_element *member_el,
+ char *member)
+{
+ struct ldb_val val;
+
+ val.data = (uint8_t *) member;
+ val.length = strlen(member);
+
+ /* This is bad complexity, but this loop should only be invoked in
+ * the very rare scenario of AD POSIX group that is primary group of
+ * some users but has user member attributes at the same time
+ */
+ if (ldb_msg_find_val(member_el, &val) != NULL) {
+ return true;
+ }
+
+ return false;
+}
+
+static void link_pgroup_members(struct sysdb_attrs *group_attrs,
+ struct ldb_message_element *member_el,
+ char **userdns,
+ size_t nuserdns)
+{
+ int i, j;
+
+ j = 0;
+ for (i=0; i < nuserdns; i++) {
+ if (has_member(member_el, userdns[i])) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Member %s already included, skipping\n", userdns[i]);
+ continue;
+ }
+
+ member_el->values[member_el->num_values + j].data = (uint8_t *) \
+ talloc_steal(group_attrs, userdns[i]);
+ member_el->values[member_el->num_values + j].length = \
+ strlen(userdns[i]);
+ j++;
+ }
+ member_el->num_values += j;
+}
+
+static int sdap_fill_memberships(struct sdap_options *opts,
+ struct sysdb_attrs *group_attrs,
+ struct sysdb_ctx *ctx,
+ struct sss_domain_info *domain,
+ hash_table_t *ghosts,
+ struct ldb_val *values,
+ int num_values,
+ char **userdns,
+ size_t nuserdns)
+{
+ struct ldb_message_element *el;
+ int i, j;
+ int ret;
+ errno_t hret;
+ hash_key_t key;
+ hash_value_t value;
+ struct sdap_domain *sdom;
+ struct sysdb_ctx
*member_sysdb;
+ struct sss_domain_info *member_dom;
+
+ ret = sysdb_attrs_get_el(group_attrs, SYSDB_MEMBER, &el);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sysdb_attrs_get_el failed\n");
+ goto done;
+ }
+
+ /* Just allocate both big enough to contain all members for now */
+ el->values = talloc_realloc(group_attrs, el->values, struct ldb_val,
+ el->num_values + num_values + nuserdns);
+ if (!el->values) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "No memory to allocate group attrs\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ j = el->num_values;
+ for (i = 0; i < num_values; i++) {
+ if (ghosts == NULL) {
+ hret = HASH_ERROR_KEY_NOT_FOUND;
+ } else {
+ key.type = HASH_KEY_STRING;
+ key.str = (char *)values[i].data;
+ hret = hash_lookup(ghosts, &key, &value);
+ }
+
+ if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+ sdom = sdap_domain_get_by_dn(opts, (char *)values[i].data);
+ if (sdom == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Member [%s] is it out of domain "
+ "scope?\n", (char *)values[i].data);
+ member_sysdb = ctx;
+ member_dom = domain;
+ } else {
+ member_sysdb = sdom->dom->sysdb;
+ member_dom = sdom->dom;
+ }
+
+ /* sync search entry with this as origDN */
+ ret = sdap_find_entry_by_origDN(el->values, member_sysdb,
+ member_dom, (char *)values[i].data,
+ (char **)&el->values[j].data,
+ NULL);
+ if (ret == ENOENT) {
+ /* member may be outside of the configured search bases
+ * or out of scope of nesting limit */
+ DEBUG(SSSDBG_MINOR_FAILURE, "Member [%s] was not found in "
+ "cache.
Is it out of scope?\n", (char *)values[i].data);
+ continue;
+ }
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "'sdap_find_entry_by_origDN' failed for member [%s].\n",
+ (char *)values[i].data);
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, " member #%d (%s): [%s]\n",
+ i, (char *)values[i].data,
+ (char *)el->values[j].data);
+
+ el->values[j].length = strlen((char *)el->values[j].data);
+ j++;
+ } else if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "hash_lookup failed: [%d]: %s\n", hret, strerror(hret));
+ ret = EFAULT;
+ goto done;
+ }
+
+ /* If the member is in ghost table, it has
+ * already been processed - just skip it */
+ }
+ el->num_values = j;
+
+ link_pgroup_members(group_attrs, el, userdns, nuserdns);
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+/* ==Save-Group-Entry===================================================== */
+
+ /* FIXME: support non legacy */
+ /* FIXME: support storing additional attributes */
+
+static errno_t
+sdap_store_group_with_gid(struct sss_domain_info *domain,
+ const char *name,
+ gid_t gid,
+ struct sysdb_attrs *group_attrs,
+ uint64_t cache_timeout,
+ bool posix_group,
+ time_t now)
+{
+ errno_t ret;
+
+ /* make sure that non-POSIX (empty or explicit gid=0) groups have the
+ * gidNumber set to zero even if updating existing group */
+ if (!posix_group) {
+ ret = sysdb_attrs_add_uint32(group_attrs, SYSDB_GIDNUM, 0);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not set explicit GID 0 for %s\n", name);
+ return ret;
+ }
+ }
+
+ ret = sysdb_store_group(domain, name, gid, group_attrs,
+ cache_timeout, now);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not store group %s\n", name);
+ return ret;
+ }
+
+ return ret;
+}
+
+static errno_t
+sdap_process_ghost_members(struct sysdb_attrs *attrs,
+ struct sdap_options *opts,
+ hash_table_t *ghosts,
+ bool populate_members,
+ bool store_original_member,
+ struct sysdb_attrs *sysdb_attrs)
+{
+ errno_t ret;
+ struct ldb_message_element *gh;
+ struct ldb_message_element
*memberel;
+ struct ldb_message_element *sysdb_memberel;
+ struct ldb_message_element *ghostel;
+ size_t cnt;
+ int i;
+ int hret;
+ hash_key_t key;
+ hash_value_t value;
+
+ ret = sysdb_attrs_get_el(attrs, SYSDB_GHOST, &gh);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error reading ghost attributes: [%s]\n",
+ strerror(ret));
+ return ret;
+ }
+
+ ret = sysdb_attrs_get_el_ext(attrs,
+ opts->group_map[SDAP_AT_GROUP_MEMBER].sys_name,
+ false, &memberel);
+ if (ret == ENOENT) {
+ /* Create a dummy element with no values in order for the loop to just
+ * fall through and make sure the attrs array is not reallocated.
+ */
+ memberel = talloc(attrs, struct ldb_message_element);
+ if (memberel == NULL) {
+ return ENOMEM;
+ }
+ memberel->num_values = 0;
+ memberel->values = NULL;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error reading members: [%s]\n", strerror(ret));
+ return ret;
+ }
+
+ if (store_original_member) {
+ DEBUG(SSSDBG_TRACE_FUNC, "The group has %d members\n", memberel->num_values);
+ for (i = 0; i < memberel->num_values; i++) {
+ ret = sysdb_attrs_add_string(sysdb_attrs, SYSDB_ORIG_MEMBER,
+ (const char *) memberel->values[i].data);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add member [%s]\n",
+ (const char *) memberel->values[i].data);
+ return ret;
+ }
+ }
+ }
+
+ if (populate_members) {
+ ret = sysdb_attrs_get_el(sysdb_attrs, SYSDB_MEMBER, &sysdb_memberel);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error reading group members from group_attrs: [%s]\n",
+ strerror(ret));
+ return ret;
+ }
+ sysdb_memberel->values = memberel->values;
+ sysdb_memberel->num_values = memberel->num_values;
+ }
+
+ ret = sysdb_attrs_get_el(sysdb_attrs, SYSDB_GHOST, &ghostel);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error getting ghost element: [%s]\n", strerror(ret));
+ return ret;
+ }
+ ghostel->values = gh->values;
+ ghostel->num_values = gh->num_values;
+
+ cnt = ghostel->num_values + memberel->num_values;
+
DEBUG(SSSDBG_TRACE_FUNC, "Group has %zu members\n", cnt);
+
+ /* Now process RFC2307bis ghost hash table */
+ if (ghosts && cnt > 0) {
+ ghostel->values = talloc_realloc(sysdb_attrs, ghostel->values,
+ struct ldb_val, cnt);
+ if (ghostel->values == NULL) {
+ return ENOMEM;
+ }
+
+ for (i = 0; i < memberel->num_values; i++) {
+ key.type = HASH_KEY_STRING;
+ key.str = (char *) memberel->values[i].data;
+ hret = hash_lookup(ghosts, &key, &value);
+ if (hret == HASH_ERROR_KEY_NOT_FOUND) {
+ continue;
+ } else if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error checking hash table: [%s]\n",
+ hash_error_string(hret));
+ return EFAULT;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Adding ghost member for group [%s]\n", (char *) value.ptr);
+ ghostel->values[ghostel->num_values].data = \
+ (uint8_t *) talloc_strdup(ghostel->values, value.ptr);
+ if (ghostel->values[ghostel->num_values].data == NULL) {
+ return ENOMEM;
+ }
+ ghostel->values[ghostel->num_values].length = strlen(value.ptr);
+ ghostel->num_values++;
+ }
+ }
+
+ return EOK;
+}
+
+static int sdap_save_group(TALLOC_CTX *memctx,
+ struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs *attrs,
+ bool populate_members,
+ bool store_original_member,
+ hash_table_t *ghosts,
+ char **_usn_value,
+ time_t now)
+{
+ struct ldb_message_element *el;
+ struct sysdb_attrs *group_attrs;
+ const char *group_name = NULL;
+ gid_t gid;
+ errno_t ret;
+ char *usn_value = NULL;
+ TALLOC_CTX *tmpctx = NULL;
+ bool posix_group;
+ bool use_id_mapping;
+ bool need_filter;
+ char *sid_str;
+ struct sss_domain_info *subdomain;
+
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ group_attrs = sysdb_new_attrs(tmpctx);
+ if (group_attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Always store SID string if available */
+ ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs,
+ opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
+ &sid_str);
+ if (ret == EOK) {
+ ret
= sysdb_attrs_add_string(group_attrs, SYSDB_SID_STR, sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not add SID string: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL, "objectSID: not available for group [%s].\n",
+ group_name);
+ sid_str = NULL;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not identify objectSID: [%s]\n",
+ sss_strerror(ret));
+ sid_str = NULL;
+ }
+
+ /* Always store UUID if available */
+ ret = sysdb_handle_original_uuid(
+ opts->group_map[SDAP_AT_GROUP_UUID].def_name,
+ attrs,
+ opts->group_map[SDAP_AT_GROUP_UUID].sys_name,
+ group_attrs, SYSDB_UUID);
+ if (ret != EOK) {
+ DEBUG((ret == ENOENT) ? SSSDBG_TRACE_ALL : SSSDBG_MINOR_FAILURE,
+ "Failed to retrieve UUID [%d][%s].\n", ret, sss_strerror(ret));
+ }
+
+ /* If this object has a SID available, we will determine the correct
+ * domain by its SID. */
+ if (sid_str != NULL) {
+ subdomain = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),
+ sid_str);
+ if (subdomain) {
+ dom = subdomain;
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC, "SID %s does not belong to any known "
+ "domain\n", sid_str);
+ }
+ }
+
+ ret = sdap_get_group_primary_name(tmpctx, opts, attrs, dom, &group_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get group name\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", group_name);
+
+ posix_group = true;
+ ret = sdap_check_ad_group_type(dom, opts, attrs, group_name,
+ &need_filter);
+ if (ret != EOK) {
+ goto done;
+ }
+ if (need_filter) {
+ posix_group = false;
+ gid = 0;
+
+ ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Error: Failed to mark group as non-POSIX!\n");
+ goto done;
+ }
+ }
+
+ if (posix_group) {
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx,
+ dom->name,
+ sid_str);
+ if (use_id_mapping) {
+ posix_group = true;
+
+ if (sid_str == NULL) {
+
DEBUG(SSSDBG_MINOR_FAILURE, "SID not available, cannot map a " \
+ "unix ID to group [%s].\n", group_name);
+ ret = ENOENT;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Mapping group [%s] objectSID [%s] to unix ID\n",
+ group_name, sid_str);
+
+ /* Convert the SID into a UNIX group ID */
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &gid);
+ if (ret == ENOTSUP) {
+ /* ENOTSUP is returned if built-in SID was provided
+ * => do not store the group, but return EOK */
+ DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n");
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not convert SID string: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+
+ /* Store the GID in the ldap_attrs so it doesn't get
+ * treated as a missing attribute from LDAP and removed.
+ */
+ ret = sdap_replace_id(attrs, SYSDB_GIDNUM, gid);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped GID\n");
+ goto done;
+ }
+ } else {
+ ret = sysdb_attrs_get_bool(attrs, SYSDB_POSIX, &posix_group);
+ if (ret == ENOENT) {
+ posix_group = true;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error reading posix attribute: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "This is%s a posix group\n", (posix_group)?"":" not");
+ ret = sysdb_attrs_add_bool(group_attrs, SYSDB_POSIX, posix_group);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error setting posix attribute: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_uint32_t(attrs,
+ opts->group_map[SDAP_AT_GROUP_GID].sys_name,
+ &gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "no gid provided for [%s] in domain [%s].\n",
+ group_name, dom->name);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+ }
+
+ /* check that the gid is valid for this domain */
+ if (posix_group) {
+ if (OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Group [%s] filtered out!
(id out of range)\n", group_name);
+ ret = EINVAL;
+ goto done;
+ }
+ /* Group ID OK */
+ }
+
+ ret = sdap_attrs_add_string(attrs, SYSDB_ORIG_DN, "original DN",
+ group_name, group_attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error setting original DN: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_attrs_add_string(attrs,
+ opts->group_map[SDAP_AT_GROUP_MODSTAMP].sys_name,
+ "original mod-Timestamp",
+ group_name, group_attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error setting mod timestamp: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_el(attrs,
+ opts->group_map[SDAP_AT_GROUP_USN].sys_name, &el);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error looking up group USN: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ if (el->num_values == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Original USN value is not available for [%s].\n", group_name);
+ } else {
+ ret = sysdb_attrs_add_string(group_attrs,
+ opts->group_map[SDAP_AT_GROUP_USN].sys_name,
+ (const char*)el->values[0].data);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error setting group USN: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data);
+ if (!usn_value) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = sdap_process_ghost_members(attrs, opts, ghosts,
+ populate_members, store_original_member,
+ group_attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to save ghost members\n");
+ goto done;
+ }
+
+ ret = sdap_save_all_names(group_name, attrs, dom,
+ SYSDB_MEMBER_GROUP, group_attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save group names\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Storing info for group %s\n", group_name);
+
+ ret = sdap_store_group_with_gid(dom, group_name, gid, group_attrs,
+ dom->group_timeout,
+ posix_group, now);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not store group with GID: [%s]\n",
+
sss_strerror(ret));
+ goto done;
+ }
+
+ if (_usn_value) {
+ *_usn_value = talloc_steal(memctx, usn_value);
+ }
+
+ talloc_steal(memctx, group_attrs);
+ ret = EOK;
+
+done:
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to save group [%s]: [%s]\n",
+ group_name ? group_name : "Unknown",
+ sss_strerror(ret));
+ }
+ talloc_free(tmpctx);
+ return ret;
+}
+
+static errno_t
+are_sids_from_same_dom(const char *sid1, const char *sid2, bool *_result)
+{
+ size_t len_prefix_sid1;
+ size_t len_prefix_sid2;
+ char *rid1, *rid2;
+ bool result;
+
+ rid1 = strrchr(sid1, '-');
+ if (rid1 == NULL) {
+ return EINVAL;
+ }
+
+ rid2 = strrchr(sid2, '-');
+ if (rid2 == NULL) {
+ return EINVAL;
+ }
+
+ len_prefix_sid1 = rid1 - sid1;
+ len_prefix_sid2 = rid2 - sid2;
+
+ result = (len_prefix_sid1 == len_prefix_sid2) &&
+ (strncmp(sid1, sid2, len_prefix_sid1) == 0);
+
+ *_result = result;
+
+ return EOK;
+}
+
+static errno_t
+retain_extern_members(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ const char *group_name,
+ const char *group_sid,
+ char ***_userdns,
+ size_t *_nuserdns)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **sids, **dns;
+ bool same_domain;
+ errno_t ret;
+ size_t i, n;
+ size_t nuserdns = 0;
+ const char **userdns = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_get_sids_of_members(tmp_ctx, dom, group_name, &sids, &dns, &n);
+ if (ret != EOK) {
+ if (ret != ENOENT) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "get_sids_of_members failed: %d [%s]\n",
+ ret, sss_strerror(ret));
+ }
+ goto done;
+ }
+
+ for (i=0; i < n; i++) {
+ ret = are_sids_from_same_dom(group_sid, sids[i], &same_domain);
+ if (ret == EOK && !same_domain) {
+ DEBUG(SSSDBG_TRACE_ALL, "extern member: %s\n", dns[i]);
+ nuserdns++;
+ userdns = talloc_realloc(tmp_ctx, userdns, const char*, nuserdns);
+ if (userdns == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ userdns[nuserdns-1] = talloc_steal(userdns, dns[i]);
+ }
+ }
+ *_nuserdns = nuserdns;
+ *_userdns =
discard_const(talloc_steal(mem_ctx, userdns));
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/* ==Save-Group-Members=================================================== */
+
+ /* FIXME: support non-legacy */
+ /* FIXME: support storing additional attributes */
+
+static int sdap_save_grpmem(TALLOC_CTX *memctx,
+ struct sysdb_ctx *ctx,
+ struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs *attrs,
+ hash_table_t *ghosts,
+ time_t now)
+{
+ struct ldb_message_element *el;
+ struct sysdb_attrs *group_attrs = NULL;
+ const char *group_sid;
+ const char *group_name;
+ char **userdns = NULL;
+ size_t nuserdns = 0;
+ struct sss_domain_info *group_dom = NULL;
+ int ret;
+ const char *remove_attrs[] = {SYSDB_MEMBER, SYSDB_ORIG_MEMBER, SYSDB_GHOST,
+ NULL};
+ const char *check_dom;
+ const char *check_name;
+
+ if (dom->ignore_group_members) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Group members are ignored, nothing to do. If you see this " \
+ "message it might indicate an error in the group processing " \
+ "logic.\n");
+ return EOK;
+ }
+
+ ret = sysdb_attrs_get_string(attrs, SYSDB_SID_STR, &group_sid);
+ if (ret != EOK) {
+ /* Try harder.
*/
+ ret = sdap_attrs_get_sid_str(memctx, opts->idmap_ctx, attrs,
+ opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name,
+ discard_const(&group_sid));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Failed to get group sid\n");
+ group_sid = NULL;
+ }
+ }
+
+ if (group_sid != NULL) {
+ group_dom = sss_get_domain_by_sid_ldap_fallback(get_domains_head(dom),
+ group_sid);
+ if (group_dom == NULL) {
+ ret = well_known_sid_to_name(group_sid, &check_dom, &check_name);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Skipping group with SID [%s][%s\\%s] which is "
+ "currently not handled by SSSD.\n",
+ group_sid, check_dom, check_name);
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "SID [%s] does not belong to any known "
+ "domain, using [%s].\n", group_sid,
+ dom->name);
+ }
+ }
+
+ if (group_dom == NULL) {
+ group_dom = dom;
+ }
+
+ ret = sdap_get_group_primary_name(memctx, opts, attrs, group_dom,
+ &group_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get group name\n");
+ goto fail;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing group %s\n", group_name);
+
+ /* With AD we also want to merge in parent groups of primary GID as they
+ * are reported with tokenGroups, too
+ */
+ if (opts->schema_type == SDAP_SCHEMA_AD) {
+ ret = sdap_dn_by_primary_gid(memctx, attrs, group_dom, opts,
+ &userdns, &nuserdns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_dn_by_primary_gid failed: [%d][%s].\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+ }
+
+ /* This is a temporal solution until the IPA provider is able to
+ * resolve external group membership.
+ * https://fedorahosted.org/sssd/ticket/2522
+ */
+ if (opts->schema_type == SDAP_SCHEMA_IPA_V1) {
+ if (group_sid != NULL) {
+ ret = retain_extern_members(memctx, group_dom, group_name,
+ group_sid, &userdns, &nuserdns);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "retain_extern_members failed: %d:[%s].\n",
+ ret, sss_strerror(ret));
+ }
+ }
+ }
+
+ ret = sysdb_attrs_get_el(attrs,
+ opts->group_map[SDAP_AT_GROUP_MEMBER].sys_name, &el);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sysdb_attrs_get_el failed: [%d][%s].\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ if (el->num_values == 0 && nuserdns == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No members for group [%s]\n", group_name);
+
+ ret = sysdb_remove_attrs(group_dom, group_name, SYSDB_MEMBER_GROUP,
+ discard_const(remove_attrs));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_attrs failed.\n");
+ goto fail;
+ }
+ } else {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Adding member users to group [%s]\n", group_name);
+
+ group_attrs = sysdb_new_attrs(memctx);
+ if (!group_attrs) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sysdb_new_attrs failed\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = sdap_fill_memberships(opts, group_attrs, ctx, group_dom, ghosts,
+ el->values, el->num_values,
+ userdns, nuserdns);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sdap_fill_memberships failed with [%d]: %s\n", ret,
+ strerror(ret));
+ goto fail;
+ }
+ }
+
+ ret = sysdb_store_group(group_dom, group_name, 0, group_attrs,
+ group_dom->group_timeout, now);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sysdb_store_group failed: [%d][%s].\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ return EOK;
+
+fail:
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to save members of group %s\n", group_name);
+ return ret;
+}
+
+
+/* ==Generic-Function-to-save-multiple-groups============================= */
+
+static int sdap_save_groups(TALLOC_CTX *memctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ struct
sysdb_attrs **groups,
+ int num_groups,
+ bool populate_members,
+ hash_table_t *ghosts,
+ bool save_orig_member,
+ char **_usn_value)
+{
+ TALLOC_CTX *tmpctx;
+ char *higher_usn = NULL;
+ char *usn_value;
+ bool twopass;
+ bool has_nesting = false;
+ int ret;
+ errno_t sret;
+ int i;
+ struct sysdb_attrs **saved_groups = NULL;
+ int nsaved_groups = 0;
+ time_t now;
+ bool in_transaction = false;
+
+ switch (opts->schema_type) {
+ case SDAP_SCHEMA_RFC2307:
+ twopass = false;
+ break;
+
+ case SDAP_SCHEMA_RFC2307BIS:
+ case SDAP_SCHEMA_IPA_V1:
+ case SDAP_SCHEMA_AD:
+ twopass = true;
+ has_nesting = true;
+ break;
+
+ default:
+ return EINVAL;
+ }
+
+ tmpctx = talloc_new(memctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ if (twopass && !populate_members) {
+ saved_groups = talloc_array(tmpctx, struct sysdb_attrs *,
+ num_groups);
+ if (!saved_groups) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ now = time(NULL);
+ for (i = 0; i < num_groups; i++) {
+ usn_value = NULL;
+
+ /* if 2 pass savemembers = false */
+ ret = sdap_save_group(tmpctx, opts, dom, groups[i],
+ populate_members,
+ has_nesting && save_orig_member,
+ ghosts, &usn_value, now);
+
+ /* Do not fail completely on errors.
+ * Just report the failure to save and go on */
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to store group %d.
Ignoring.\n", i);
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL, "Group %d processed!\n", i);
+ if (twopass && !populate_members) {
+ saved_groups[nsaved_groups] = groups[i];
+ nsaved_groups++;
+ }
+ }
+
+ if (usn_value) {
+ if (higher_usn) {
+ if ((strlen(usn_value) > strlen(higher_usn)) ||
+ (strcmp(usn_value, higher_usn) > 0)) {
+ talloc_zfree(higher_usn);
+ higher_usn = usn_value;
+ } else {
+ talloc_zfree(usn_value);
+ }
+ } else {
+ higher_usn = usn_value;
+ }
+ }
+ }
+
+ if (twopass && !populate_members) {
+
+ for (i = 0; i < nsaved_groups; i++) {
+
+ ret = sdap_save_grpmem(tmpctx, sysdb, opts, dom, saved_groups[i],
+ ghosts, now);
+ /* Do not fail completely on errors.
+ * Just report the failure to save and go on */
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to store group %d members.\n", i);
+ } else {
+ DEBUG(SSSDBG_TRACE_ALL, "Group %d members processed!\n", i);
+ }
+ }
+ }
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction!\n");
+ goto done;
+ }
+ in_transaction = false;
+
+ if (_usn_value) {
+ *_usn_value = talloc_steal(memctx, higher_usn);
+ }
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ talloc_zfree(tmpctx);
+ return ret;
+}
+
+
+/* ==Process-Groups======================================================= */
+
+struct sdap_process_group_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+ struct sss_domain_info *dom;
+ struct sysdb_ctx *sysdb;
+
+ struct sysdb_attrs *group;
+ struct ldb_message_element* sysdb_dns;
+ struct ldb_message_element* ghost_dns;
+ char **queued_members;
+ int queue_len;
+ const char **attrs;
+ const char *filter;
+ size_t queue_idx;
+ size_t count;
+ size_t check_count;
+
+ bool enumeration;
+};
+
+#define GROUPMEMBER_REQ_PARALLEL 50
+static void sdap_process_group_members(struct tevent_req *subreq);
+
+static int sdap_process_group_members_2307bis(struct tevent_req *req,
+ struct sdap_process_group_state *state,
+ struct ldb_message_element *memberel);
+static int sdap_process_group_members_2307(struct sdap_process_group_state *state,
+ struct ldb_message_element *memberel,
+ struct ldb_message_element *ghostel);
+
+static errno_t sdap_process_group_create_dns(TALLOC_CTX *mem_ctx,
+ size_t num_values,
+ struct ldb_message_element **_dns)
+{
+ struct ldb_message_element *dns;
+
+ dns = talloc(mem_ctx, struct ldb_message_element);
+ if (dns == NULL) {
+ return ENOMEM;
+ }
+
+ dns->num_values = 0;
+ dns->values = talloc_array(dns, struct ldb_val,
+ num_values);
+ if (dns->values == NULL) {
+ talloc_zfree(dns);
+ return ENOMEM;
+ }
+
+ *_dns = dns;
+
+ return EOK;
+}
+
+static struct tevent_req *
+sdap_process_group_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sss_domain_info *dom,
+ struct sysdb_ctx *sysdb,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ struct sysdb_attrs *group,
+ bool enumeration)
+{
+ struct ldb_message_element *el;
+ struct ldb_message_element *ghostel;
+ struct sdap_process_group_state *grp_state;
+ struct tevent_req *req = NULL;
+ const char **attrs;
+ char* filter;
+ int ret;
+
+ req = tevent_req_create(memctx, &grp_state,
+ struct sdap_process_group_state);
+ if (!req) return NULL;
+
+ ret = build_attrs_from_map(grp_state, opts->user_map, opts->user_map_cnt,
+ NULL, &attrs, NULL);
+ if (ret) {
+ goto done;
+ }
+
+ /* FIXME: we ignore nested rfc2307bis groups for now */
+ filter = talloc_asprintf(grp_state, "(objectclass=%s)",
+ opts->user_map[SDAP_OC_USER].name);
+ if (!filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ grp_state->ev = ev;
+ grp_state->opts = opts;
+ grp_state->dom = dom;
+ grp_state->sh = sh;
+ grp_state->sysdb = sysdb;
+ grp_state->group = group;
+ grp_state->check_count = 0;
+ grp_state->queue_idx = 0;
+ grp_state->queued_members = NULL;
+ grp_state->queue_len = 0;
+ grp_state->filter =
filter;
+ grp_state->attrs = attrs;
+ grp_state->enumeration = enumeration;
+
+ ret = sysdb_attrs_get_el(group,
+ opts->group_map[SDAP_AT_GROUP_MEMBER].sys_name,
+ &el);
+ if (ret) {
+ goto done;
+ }
+
+ /* Group without members */
+ if (el->num_values == 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "No Members. Done!\n");
+ ret = EOK;
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_el(group,
+ SYSDB_GHOST,
+ &ghostel);
+ if (ret) {
+ goto done;
+ }
+
+ if (ghostel->num_values == 0) {
+ /* Element was probably newly created, look for "member" again */
+ ret = sysdb_attrs_get_el(group,
+ opts->group_map[SDAP_AT_GROUP_MEMBER].sys_name,
+ &el);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+
+ ret = sdap_process_group_create_dns(grp_state, el->num_values,
+ &grp_state->sysdb_dns);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_process_group_create_dns(grp_state, el->num_values,
+ &grp_state->ghost_dns);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ switch (opts->schema_type) {
+ case SDAP_SCHEMA_RFC2307:
+ ret = sdap_process_group_members_2307(grp_state, el, ghostel);
+ break;
+
+ case SDAP_SCHEMA_IPA_V1:
+ case SDAP_SCHEMA_AD:
+ case SDAP_SCHEMA_RFC2307BIS:
+ /* Note that this code branch will be used only if
+ * ldap_nesting_level = 0 is set in config file
+ */
+ ret = sdap_process_group_members_2307bis(req, grp_state, el);
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown schema type %d\n", opts->schema_type);
+ ret = EINVAL;
+ break;
+ }
+
+done:
+ /* We managed to process all the entries */
+ /* EBUSY means we need to wait for entries in LDAP */
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS, "All group members processed\n");
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ }
+
+ if (ret != EOK && ret != EBUSY) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static int
+sdap_process_missing_member_2307bis(struct tevent_req *req,
+ char *user_dn,
+ unsigned num_users)
+{
+ struct sdap_process_group_state *grp_state =
+
tevent_req_data(req, struct sdap_process_group_state);
+ struct tevent_req *subreq;
+
+ /*
+ * Issue at most GROUPMEMBER_REQ_PARALLEL LDAP searches at once.
+ * The rest is sent while the results are being processed.
+ * We limit the number as of request here, as the Server might
+ * enforce limits on the number of pending operations per
+ * connection.
+ */
+ if (grp_state->check_count > GROUPMEMBER_REQ_PARALLEL) {
+ DEBUG(SSSDBG_TRACE_LIBS, " queueing search for: %s\n", user_dn);
+ if (!grp_state->queued_members) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Allocating queue for %zu members\n",
+ num_users - grp_state->check_count);
+
+ grp_state->queued_members = talloc_array(grp_state, char *,
+ num_users - grp_state->check_count + 1);
+ if (!grp_state->queued_members) {
+ return ENOMEM;
+ }
+ }
+ grp_state->queued_members[grp_state->queue_len] = user_dn;
+ grp_state->queue_len++;
+ } else {
+ subreq = sdap_get_generic_send(grp_state,
+ grp_state->ev,
+ grp_state->opts,
+ grp_state->sh,
+ user_dn,
+ LDAP_SCOPE_BASE,
+ grp_state->filter,
+ grp_state->attrs,
+ grp_state->opts->user_map,
+ grp_state->opts->user_map_cnt,
+ dp_opt_get_int(grp_state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (!subreq) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, sdap_process_group_members, req);
+ }
+
+ grp_state->check_count++;
+ return EOK;
+}
+
+static int
+sdap_process_group_members_2307bis(struct tevent_req *req,
+ struct sdap_process_group_state *state,
+ struct ldb_message_element *memberel)
+{
+ char *member_dn;
+ char *strdn;
+ int ret;
+ int i;
+ int nesting_level;
+ bool is_group;
+
+ nesting_level = dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL);
+
+ for (i=0; i < memberel->num_values; i++) {
+ member_dn = (char *)memberel->values[i].data;
+
+ ret = sdap_find_entry_by_origDN(state->sysdb_dns->values,
+ state->sysdb,
+ state->dom,
+ member_dn,
+ &strdn,
+ &is_group);
+
+ if (ret == EOK) {
+ if (nesting_level == 0 && is_group) {
+ /* Ignore group members
which are groups themselves. */
+ continue;
+ }
+
+ /*
+ * User already cached in sysdb. Remember the sysdb DN for later
+ * use by sdap_save_groups()
+ */
+ DEBUG(SSSDBG_TRACE_LIBS, "sysdbdn: %s\n", strdn);
+ state->sysdb_dns->values[state->sysdb_dns->num_values].data =
+ (uint8_t*) strdn;
+ state->sysdb_dns->values[state->sysdb_dns->num_values].length =
+ strlen(strdn);
+ state->sysdb_dns->num_values++;
+ } else if (ret == ENOENT) {
+ if (!state->enumeration) {
+ /* The user is not in sysdb, need to add it
+ * We don't need to do this if we're in an enumeration,
+ * because all real members should all be populated
+ * already by the first pass of the enumeration.
+ * Also, we don't want to be holding the sysdb
+ * transaction while we're performing LDAP lookups.
+ */
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Searching LDAP for missing user entry\n");
+ ret = sdap_process_missing_member_2307bis(req,
+ member_dn,
+ memberel->num_values);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error processing missing member #%d (%s):\n",
+ i, member_dn);
+ return ret;
+ }
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error checking cache for member #%d (%s):\n",
+ i, (char *)memberel->values[i].data);
+ return ret;
+ }
+ }
+
+ if (state->queue_len > 0) {
+ state->queued_members[state->queue_len]=NULL;
+ }
+
+ if (state->check_count == 0) {
+ /*
+ * All group members are already cached in sysdb, we are done
+ * with this group. To avoid redundant sysdb lookups, populate the
+ * "member" attribute of the group entry with the sysdb DNs of
+ * the members.
+ */
+ ret = EOK;
+ memberel->values = talloc_steal(state->group, state->sysdb_dns->values);
+ memberel->num_values = state->sysdb_dns->num_values;
+ } else {
+ state->count = state->check_count;
+ ret = EBUSY;
+ }
+
+ return ret;
+}
+
+static int
+sdap_add_group_member_2307(struct ldb_message_element *sysdb_dns,
+ const char *username)
+{
+ sysdb_dns->values[sysdb_dns->num_values].data =
+ (uint8_t *) talloc_strdup(sysdb_dns->values, username);
+ if (sysdb_dns->values[sysdb_dns->num_values].data == NULL) {
+ return ENOMEM;
+ }
+ sysdb_dns->values[sysdb_dns->num_values].length =
+ strlen(username);
+ sysdb_dns->num_values++;
+
+ return EOK;
+}
+
+static int
+sdap_process_missing_member_2307(struct sdap_process_group_state *state,
+ char *member_name)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ const char *filter;
+ const char *username;
+ const char *user_dn;
+ char *sanitized_name;
+ size_t count;
+ struct ldb_message **msgs = NULL;
+ static const char *attrs[] = { SYSDB_NAME, NULL };
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = sss_filter_sanitize(tmp_ctx, member_name, &sanitized_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to sanitize the given name:'%s'.\n", member_name);
+ goto done;
+ }
+
+ /* Check for the alias in the sysdb */
+ filter = talloc_asprintf(tmp_ctx, "(%s=%s)", SYSDB_NAME_ALIAS,
+ sanitized_name);
+ if (!filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_users(tmp_ctx, state->dom, filter,
+ attrs, &count, &msgs);
+ if (ret == EOK && count > 0) {
+ /* Entry exists but the group references it with an alias.
*/
+
+ if (count != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More than one entry with this alias?\n");
+ ret = EIO;
+ goto done;
+ }
+
+ /* fill username with primary name */
+ username = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
+ if (username == NULL) {
+ ret = EINVAL;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Inconsistent sysdb: user "
+ "without primary name?\n");
+ goto done;
+ }
+ user_dn = sysdb_user_strdn(tmp_ctx, state->dom->name, username);
+ if (user_dn == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sdap_add_group_member_2307(state->sysdb_dns, user_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add group member %s\n", username);
+ }
+ } else if (ret == ENOENT) {
+ /* The entry really does not exist, add a ghost */
+ DEBUG(SSSDBG_TRACE_FUNC, "Adding a ghost entry\n");
+ ret = sdap_add_group_member_2307(state->ghost_dns, member_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add group member %s\n", member_name);
+ }
+ } else {
+ ret = EIO;
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int
+sdap_process_group_members_2307(struct sdap_process_group_state *state,
+ struct ldb_message_element *memberel,
+ struct ldb_message_element *ghostel)
+{
+ struct ldb_message *msg;
+ char *member_attr_val;
+ char *member_name;
+ char *userdn;
+ int ret;
+ int i;
+
+ for (i=0; i < memberel->num_values; i++) {
+ member_attr_val = (char *)memberel->values[i].data;
+
+ /* We need to skip over zero-length usernames */
+ if (member_attr_val[0] == '\0') continue;
+
+ /* RFC2307 stores members as plain usernames in the member attribute.
+ * Internally, we use FQDNs in the cache.
+ */
+ member_name = sss_create_internal_fqname(state, member_attr_val,
+ state->dom->name);
+ if (member_name == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_user_by_name(state, state->dom, member_name,
+ NULL, &msg);
+ if (ret == EOK) {
+ /*
+ * User already cached in sysdb.
Remember the sysdb DN for later
+ * use by sdap_save_groups()
+ */
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Member already cached in sysdb: %s\n", member_name);
+
+ userdn = sysdb_user_strdn(state->sysdb_dns, state->dom->name, member_name);
+ if (userdn == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sdap_add_group_member_2307(state->sysdb_dns, userdn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not add member %s into sysdb\n", member_name);
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ /* The user is not in sysdb, need to add it */
+ DEBUG(SSSDBG_TRACE_LIBS, "member #%d (%s): not found in sysdb\n",
+ i, member_name);
+
+ ret = sdap_process_missing_member_2307(state, member_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error processing missing member #%d (%s):\n",
+ i, member_name);
+ goto done;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Error checking cache for member #%d (%s):\n",
+ i, (char *) memberel->values[i].data);
+ goto done;
+ }
+ }
+
+ ret = EOK;
+ talloc_free(memberel->values);
+ memberel->values = talloc_steal(state->group, state->sysdb_dns->values);
+ memberel->num_values = state->sysdb_dns->num_values;
+ talloc_free(ghostel->values);
+ ghostel->values = talloc_steal(state->group, state->ghost_dns->values);
+ ghostel->num_values = state->ghost_dns->num_values;
+
+done:
+ return ret;
+}
+
+static void sdap_process_group_members(struct tevent_req *subreq)
+{
+ struct sysdb_attrs **usr_attrs;
+ size_t count;
+ int ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_process_group_state *state =
+ tevent_req_data(req, struct sdap_process_group_state);
+ struct ldb_message_element *el;
+ char *name_string;
+
+ state->check_count--;
+ DEBUG(SSSDBG_TRACE_ALL, "Members remaining: %zu\n", state->check_count);
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &usr_attrs);
+ talloc_zfree(subreq);
+ if (ret) {
+ goto next;
+ }
+ if (count != 1) {
+ ret = EINVAL;
+ DEBUG(SSSDBG_TRACE_LIBS,
+
"Expected one user entry and got %zu\n", count);
+ goto next;
+ }
+ ret = sysdb_attrs_get_el(usr_attrs[0],
+ state->opts->user_map[SDAP_AT_USER_NAME].sys_name, &el);
+ if (el->num_values == 0) {
+ ret = EINVAL;
+ }
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get the member's name\n");
+ goto next;
+ }
+
+ name_string = sss_create_internal_fqname(state,
+ (const char *) el[0].values[0].data,
+ state->dom->name);
+ if (name_string == NULL) {
+ ret = ENOMEM;
+ goto next;
+ }
+
+ state->ghost_dns->values[state->ghost_dns->num_values].data =
+ talloc_steal(state->ghost_dns->values, (uint8_t *) name_string);
+ state->ghost_dns->values[state->ghost_dns->num_values].length =
+ strlen(name_string);
+ state->ghost_dns->num_values++;
+
+next:
+ if (ret) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Error reading group member[%d]: %s. Skipping\n",
+ ret, strerror(ret));
+ state->count--;
+ }
+ /* Are there more searches for uncached users to submit? */
+ if (state->queued_members && state->queued_members[state->queue_idx]) {
+ subreq = sdap_get_generic_send(state,
+ state->ev, state->opts, state->sh,
+ state->queued_members[state->queue_idx],
+ LDAP_SCOPE_BASE,
+ state->filter,
+ state->attrs,
+ state->opts->user_map,
+ state->opts->user_map_cnt,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq,
+ sdap_process_group_members, req);
+ state->queue_idx++;
+ }
+
+ if (state->check_count == 0) {
+ /*
+ * To avoid redundant sysdb lookups, populate the "member" attribute
+ * of the group entry with the sysdb DNs of the members.
+ */ + ret = sysdb_attrs_get_el(state->group, + state->opts->group_map[SDAP_AT_GROUP_MEMBER].sys_name, + &el); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to get the group member attribute [%d]: %s\n", + ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } + el->values = talloc_steal(state->group, state->sysdb_dns->values); + el->num_values = state->sysdb_dns->num_values; + + ret = sysdb_attrs_get_el(state->group, SYSDB_GHOST, &el); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + el->values = talloc_steal(state->group, state->ghost_dns->values); + el->num_values = state->ghost_dns->num_values; + DEBUG(SSSDBG_TRACE_ALL, "Processed Group - Done\n"); + tevent_req_done(req); + } +} + +static int sdap_process_group_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + + +/* ==Search-Groups-with-filter============================================ */ + +struct sdap_get_groups_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sss_domain_info *dom; + struct sdap_domain *sdom; + struct sysdb_ctx *sysdb; + const char **attrs; + const char *base_filter; + char *filter; + int timeout; + enum sdap_entry_lookup_type lookup_type; + bool no_members; + + char *higher_usn; + struct sysdb_attrs **groups; + size_t count; + size_t check_count; + hash_table_t *missing_external; + + hash_table_t *user_hash; + hash_table_t *group_hash; + + size_t base_iter; + struct sdap_search_base **search_bases; + + struct sdap_handle *ldap_sh; + struct sdap_id_op *op; +}; + +static errno_t sdap_get_groups_next_base(struct tevent_req *req); +static void sdap_get_groups_ldap_connect_done(struct tevent_req *subreq); +static void sdap_get_groups_process(struct tevent_req *subreq); +static void sdap_get_groups_done(struct tevent_req *subreq); + +struct tevent_req *sdap_get_groups_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_domain *sdom, + struct 
sdap_options *opts, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + enum sdap_entry_lookup_type lookup_type, + bool no_members) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct sdap_get_groups_state *state; + struct ad_id_ctx *subdom_id_ctx; + + req = tevent_req_create(memctx, &state, struct sdap_get_groups_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->sdom = sdom; + state->dom = sdom->dom; + state->sh = sh; + state->sysdb = sdom->dom->sysdb; + state->attrs = attrs; + state->higher_usn = NULL; + state->groups = NULL; + state->count = 0; + state->timeout = timeout; + state->lookup_type = lookup_type; + state->no_members = no_members; + state->base_filter = filter; + state->base_iter = 0; + state->search_bases = sdom->group_search_bases; + + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Group lookup request without a search base\n"); + ret = EINVAL; + goto done; + } + + /* With AD by default the Global Catalog is used for lookup. But the GC + * group object might not have full group membership data. To make sure we + * connect to an LDAP server of the group's domain. 
*/ + if (state->opts->schema_type == SDAP_SCHEMA_AD && sdom->pvt != NULL) { + subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx); + state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto done; + } + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, + sdap_get_groups_ldap_connect_done, + req); + return req; + } + + ret = sdap_get_groups_next_base(req); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void sdap_get_groups_ldap_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_get_groups_state *state; + int ret; + int dp_error; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_get_groups_state); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + state->ldap_sh = sdap_id_op_handle(state->op); + + ret = sdap_get_groups_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + } + + return; +} + +static errno_t sdap_get_groups_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_get_groups_state *state; + bool need_paging = false; + int sizelimit = 0; + + state = tevent_req_data(req, struct sdap_get_groups_state); + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for groups with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + switch (state->lookup_type) { + case SDAP_LOOKUP_SINGLE: + break; + /* Only requests that can return multiple entries should 
require + * the paging control + */ + case SDAP_LOOKUP_WILDCARD: + sizelimit = dp_opt_get_int(state->opts->basic, SDAP_WILDCARD_LIMIT); + need_paging = true; + break; + case SDAP_LOOKUP_ENUMERATE: + need_paging = true; + break; + } + + subreq = sdap_get_and_parse_generic_send( + state, state->ev, state->opts, + state->ldap_sh != NULL ? state->ldap_sh : state->sh, + state->search_bases[state->base_iter]->basedn, + state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->group_map, SDAP_OPTS_GROUP, + 0, NULL, NULL, sizelimit, state->timeout, + need_paging); + if (!subreq) { + return ENOMEM; + } + tevent_req_set_callback(subreq, sdap_get_groups_process, req); + + return EOK; +} + +static void sdap_nested_done(struct tevent_req *req); +static void sdap_search_group_copy_batch(struct sdap_get_groups_state *state, + struct sysdb_attrs **groups, + size_t count); +static void sdap_ad_match_rule_members_process(struct tevent_req *subreq); + +static void sdap_get_groups_process(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_get_groups_state *state = + tevent_req_data(req, struct sdap_get_groups_state); + int ret; + int i; + bool next_base = false; + size_t count; + struct sysdb_attrs **groups; + char **sysdb_groupnamelist; + + ret = sdap_get_and_parse_generic_recv(subreq, state, + &count, &groups); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Search for groups, returned %zu results.\n", count); + + if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \ + state->lookup_type == SDAP_LOOKUP_ENUMERATE || \ + count == 0) { + /* No users found in this search or looking up multiple entries */ + next_base = true; + } + + /* Add this batch of groups to the list */ + if (count > 0) { + state->groups = + talloc_realloc(state, + state->groups, + struct sysdb_attrs *, + state->count + count + 1); + if 
(!state->groups) { + tevent_req_error(req, ENOMEM); + return; + } + + sdap_search_group_copy_batch(state, groups, count); + } + + if (next_base) { + state->base_iter++; + if (state->search_bases[state->base_iter]) { + /* There are more search bases to try */ + ret = sdap_get_groups_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + } + return; + } + } + + /* No more search bases + * Return ENOENT if no groups were found + */ + if (state->count == 0) { + tevent_req_error(req, ENOENT); + return; + } + + if (state->no_members) { + ret = sysdb_attrs_primary_fqdn_list(state->dom, state, + state->groups, state->count, + state->opts->group_map[SDAP_AT_GROUP_NAME].name, + &sysdb_groupnamelist); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sysdb_attrs_primary_name_list failed.\n"); + tevent_req_error(req, ret); + return; + } + + ret = sdap_add_incomplete_groups(state->sysdb, state->dom, state->opts, + sysdb_groupnamelist, state->groups, + state->count); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "Writing only group data without members was successful.\n"); + tevent_req_done(req); + } else { + DEBUG(SSSDBG_OP_FAILURE, "sdap_add_incomplete_groups failed.\n"); + tevent_req_error(req, ret); + } + return; + } + + /* Check whether we need to do nested searches + * for RFC2307bis/FreeIPA/ActiveDirectory + * We don't need to do this for enumeration, + * because all groups will be picked up anyway. 
+ * + * We can also skip this if we're using the + * LDAP_MATCHING_RULE_IN_CHAIN available in + * AD 2008 and later + */ + if (state->lookup_type == SDAP_LOOKUP_SINGLE) { + if ((state->opts->schema_type != SDAP_SCHEMA_RFC2307) + && (dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0) + && !dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_GROUPS)) { + subreq = sdap_nested_group_send(state, state->ev, state->sdom, + state->opts, state->sh, + state->groups[0]); + if (!subreq) { + tevent_req_error(req, EIO); + return; + } + + tevent_req_set_callback(subreq, sdap_nested_done, req); + return; + } + } + + /* We have all of the groups. Save them to the sysdb */ + state->check_count = state->count; + + /* If we're using LDAP_MATCHING_RULE_IN_CHAIN, start a subreq to + * retrieve the members so we can save them in a single step. + */ + if (state->lookup_type == SDAP_LOOKUP_SINGLE + && (state->opts->schema_type != SDAP_SCHEMA_RFC2307) + && state->opts->support_matching_rule + && dp_opt_get_bool(state->opts->basic, SDAP_AD_MATCHING_RULE_GROUPS)) { + subreq = sdap_get_ad_match_rule_members_send( + state, state->ev, state->opts, state->sh, + state->groups[0], state->timeout); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, + sdap_ad_match_rule_members_process, + req); + return; + } + + ret = sysdb_transaction_start(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to start transaction\n"); + tevent_req_error(req, ret); + return; + } + + if ((state->lookup_type == SDAP_LOOKUP_ENUMERATE + || state->lookup_type == SDAP_LOOKUP_WILDCARD) + && state->opts->schema_type != SDAP_SCHEMA_RFC2307 + && dp_opt_get_int(state->opts->basic, SDAP_NESTING_LEVEL) != 0) { + DEBUG(SSSDBG_TRACE_ALL, "Saving groups without members first " + "to allow unrolling of nested groups.\n"); + ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts, + state->groups, state->count, false, + NULL, true, NULL); + 
if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to store groups.\n"); + tevent_req_error(req, ret); + return; + } + } + + for (i = 0; i < state->count; i++) { + subreq = sdap_process_group_send(state, state->ev, state->dom, + state->sysdb, state->opts, + state->sh, state->groups[i], + state->lookup_type == SDAP_LOOKUP_ENUMERATE); + + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, sdap_get_groups_done, req); + } +} + +static void sdap_search_group_copy_batch(struct sdap_get_groups_state *state, + struct sysdb_attrs **groups, + size_t count) +{ + size_t copied; + bool filter; + + /* Always copy all objects for wildcard lookups. */ + filter = state->lookup_type == SDAP_LOOKUP_SINGLE ? true : false; + + copied = sdap_steal_objects_in_dom(state->opts, + state->groups, + state->count, + state->dom, + groups, count, filter); + + state->count += copied; + state->groups[state->count] = NULL; +} + +static void sdap_get_groups_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_get_groups_state *state = + tevent_req_data(req, struct sdap_get_groups_state); + + int ret; + errno_t sysret; + + ret = sdap_process_group_recv(subreq); + talloc_zfree(subreq); + if (ret) { + sysret = sysdb_transaction_cancel(state->sysdb); + if (sysret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not cancel sysdb transaction\n"); + } + tevent_req_error(req, ret); + return; + } + + state->check_count--; + DEBUG(SSSDBG_TRACE_ALL, "Groups remaining: %zu\n", state->check_count); + + + if (state->check_count == 0) { + DEBUG(SSSDBG_TRACE_ALL, "All groups processed\n"); + + /* If ignore_group_members is set for the domain, don't update + * group memberships in the cache. + * + * If enumeration is on, don't overwrite orig_members as they've been + * saved earlier. 
+ */ + ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts, + state->groups, state->count, + !state->dom->ignore_group_members, NULL, + state->lookup_type == SDAP_LOOKUP_SINGLE, + &state->higher_usn); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to store groups.\n"); + tevent_req_error(req, ret); + return; + } + DEBUG(SSSDBG_TRACE_ALL, "Saving %zu Groups - Done\n", state->count); + sysret = sysdb_transaction_commit(state->sysdb); + if (sysret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Couldn't commit transaction\n"); + tevent_req_error(req, sysret); + } else { + tevent_req_done(req); + } + } +} + +static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + struct sysdb_attrs **users, + int num_users, + hash_table_t **_ghosts); + +static void sdap_ad_match_rule_members_process(struct tevent_req *subreq) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_get_groups_state *state = tevent_req_data(req, + struct sdap_get_groups_state); + struct sysdb_attrs **users; + struct sysdb_attrs *group = state->groups[0]; + struct ldb_message_element *member_el; + struct ldb_message_element *orig_dn_el; + size_t count = 0; + size_t i; + hash_table_t *ghosts; + + ret = sdap_get_ad_match_rule_members_recv(subreq, state, + &count, &users); + talloc_zfree(subreq); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not retrieve members using AD match rule. [%s]\n", + strerror(ret)); + + goto done; + } + + /* Save the group and users to the cache */ + + /* Truncate the member attribute of the group. + * It will be repopulated below, and it may currently + * be incomplete anyway, thanks to the range extension. 
+ */ + + ret = sysdb_attrs_get_el(group, SYSDB_MEMBER, &member_el); + if (ret != EOK) { + goto done; + } + + member_el->num_values = 0; + talloc_zfree(member_el->values); + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + /* Figure out which users are already cached in the sysdb and + * which ones need to be added as ghost users. + */ + ret = sdap_nested_group_populate_users(tmp_ctx, state->sysdb, state->dom, + state->opts, users, count, + &ghosts); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not determine which users are ghosts: [%s]\n", + strerror(ret)); + goto done; + } + + /* Add any entries that aren't in the ghost hash table to the + * member element of the group. This will get converted to a + * native sysdb representation later in sdap_save_groups(). + */ + + /* Add all of the users as members + */ + member_el->values = talloc_zero_array(tmp_ctx, struct ldb_val, count); + if (!member_el->values) { + ret = ENOMEM; + goto done; + } + + /* Copy the origDN values of the users into the member element */ + for (i = 0; i < count; i++) { + ret = sysdb_attrs_get_el(users[i], SYSDB_ORIG_DN, + &orig_dn_el); + if (ret != EOK) { + /* This should never happen. Every entry should have + * an originalDN. + */ + DEBUG(SSSDBG_MINOR_FAILURE, + "BUG: Missing originalDN for user?\n"); + goto done; + } + + /* These values will have the same lifespan, so instead + * of copying them, just point at the data. 
+ */ + member_el->values[i].data = orig_dn_el->values[0].data; + member_el->values[i].length = orig_dn_el->values[0].length; + } + member_el->num_values = count; + + /* Now save the group, users and ghosts to the cache */ + ret = sdap_save_groups(tmp_ctx, state->sysdb, state->dom, + state->opts, state->groups, 1, + false, ghosts, true, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not save group to the cache: [%s]\n", + strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +int sdap_get_groups_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, char **usn_value) +{ + struct sdap_get_groups_state *state = tevent_req_data(req, + struct sdap_get_groups_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (usn_value) { + *usn_value = talloc_steal(mem_ctx, state->higher_usn); + } + + return EOK; +} + +static void sdap_nested_ext_done(struct tevent_req *subreq); + +static void sdap_nested_done(struct tevent_req *subreq) +{ + errno_t ret, tret; + unsigned long user_count; + unsigned long group_count; + bool in_transaction = false; + struct sysdb_attrs **users = NULL; + struct sysdb_attrs **groups = NULL; + hash_table_t *ghosts; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_groups_state *state = tevent_req_data(req, + struct sdap_get_groups_state); + + ret = sdap_nested_group_recv(state, subreq, &user_count, &users, + &group_count, &groups, + &state->missing_external); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Nested group processing failed: [%d][%s]\n", + ret, strerror(ret)); + goto fail; + } + + /* Save all of the users first so that they are in + * place for the groups to add them. 
+ */ + ret = sysdb_transaction_start(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto fail; + } + in_transaction = true; + + PROBE(SDAP_NESTED_GROUP_POPULATE_PRE); + ret = sdap_nested_group_populate_users(state, state->sysdb, + state->dom, state->opts, + users, user_count, &ghosts); + PROBE(SDAP_NESTED_GROUP_POPULATE_POST); + if (ret != EOK) { + goto fail; + } + + PROBE(SDAP_NESTED_GROUP_SAVE_PRE); + ret = sdap_save_groups(state, state->sysdb, state->dom, state->opts, + groups, group_count, false, ghosts, true, + &state->higher_usn); + PROBE(SDAP_NESTED_GROUP_SAVE_POST); + if (ret != EOK) { + goto fail; + } + + ret = sysdb_transaction_commit(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto fail; + } + in_transaction = false; + + if (hash_count(state->missing_external) == 0) { + /* No external members. Processing complete */ + DEBUG(SSSDBG_TRACE_INTERNAL, "No external members, done"); + tevent_req_done(req); + return; + } + + /* At the moment, we need to save the direct groups & members in one + * transaction and then query the others in a separate requests + */ + subreq = sdap_nested_group_lookup_external_send(state, state->ev, + state->dom, + state->opts->ext_ctx, + state->missing_external); + if (subreq == NULL) { + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, sdap_nested_ext_done, req); + return; + +fail: + if (in_transaction) { + tret = sysdb_transaction_cancel(state->sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + tevent_req_error(req, ret); +} + +static void sdap_nested_ext_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_groups_state *state = tevent_req_data(req, + struct sdap_get_groups_state); + + ret = sdap_nested_group_lookup_external_recv(state, subreq); + 
talloc_free(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot resolve external members [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); + return; +} + +static errno_t sdap_nested_group_populate_users(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + struct sysdb_attrs **users, + int num_users, + hash_table_t **_ghosts) +{ + int i; + errno_t ret, sret; + struct ldb_message_element *el; + const char *username; + const char *original_dn; + struct sss_domain_info *user_dom; + struct sdap_domain *sdap_dom; + + TALLOC_CTX *tmp_ctx; + struct ldb_message **msgs; + const char *sysdb_name; + struct sysdb_attrs *attrs; + static const char *search_attrs[] = { SYSDB_NAME, NULL }; + hash_table_t *ghosts; + hash_key_t key; + hash_value_t value; + size_t count; + bool in_transaction = false; + + if (_ghosts == NULL) { + return EINVAL; + } + + if (num_users == 0) { + /* Nothing to do if there are no users */ + *_ghosts = NULL; + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + ret = sss_hash_create(tmp_ctx, num_users, &ghosts); + if (ret != HASH_SUCCESS) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_transaction_start(sysdb); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction!\n"); + goto done; + } + in_transaction = true; + + for (i = 0; i < num_users; i++) { + ret = sysdb_attrs_get_el(users[i], SYSDB_ORIG_DN, &el); + if (el->num_values == 0) { + ret = EINVAL; + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "User entry %d has no originalDN attribute\n", i); + goto done; + } + original_dn = (const char *) el->values[0].data; + + sdap_dom = sdap_domain_get_by_dn(opts, original_dn); + user_dom = sdap_dom == NULL ? 
domain : sdap_dom->dom; + + ret = sdap_get_user_primary_name(tmp_ctx, opts, users[i], + user_dom, &username); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "User entry %d has no name attribute. Skipping\n", i); + continue; + } + + /* Check for the specified origDN in the sysdb */ + PROBE(SDAP_NESTED_GROUP_POPULATE_SEARCH_USERS_PRE); + ret = sysdb_search_users_by_orig_dn(tmp_ctx, user_dom, original_dn, + search_attrs, &count, &msgs); + PROBE(SDAP_NESTED_GROUP_POPULATE_SEARCH_USERS_POST); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error checking cache for user entry\n"); + goto done; + } else if (ret == EOK) { + /* The entry is cached but expired. Update the username + * if needed. */ + if (count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "More than one entry with this origDN? Skipping\n"); + continue; + } + + sysdb_name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL); + if (strcmp(sysdb_name, username) == 0) { + /* Username is correct, continue */ + continue; + } + + attrs = sysdb_new_attrs(tmp_ctx); + if (!attrs) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, username); + if (ret) goto done; + ret = sysdb_set_entry_attr(user_dom->sysdb, msgs[0]->dn, attrs, + SYSDB_MOD_REP); + if (ret != EOK) goto done; + } else { + key.type = HASH_KEY_STRING; + key.str = talloc_steal(ghosts, discard_const(original_dn)); + value.type = HASH_VALUE_PTR; + /* Already qualified from sdap_get_user_primary_name() */ + value.ptr = talloc_steal(ghosts, discard_const(username)); + ret = hash_enter(ghosts, &key, &value); + if (ret != HASH_SUCCESS) { + talloc_free(key.str); + talloc_free(value.ptr); + ret = ENOMEM; + goto done; + } + } + } + + ret = sysdb_transaction_commit(sysdb); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction!\n"); + goto done; + } + in_transaction = false; + + ret = EOK; +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
+ }
+ }
+
+ if (ret != EOK) {
+ *_ghosts = NULL;
+ } else {
+ *_ghosts = talloc_steal(mem_ctx, ghosts);
+ }
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
diff --git a/src/providers/ldap/sdap_async_groups_ad.c b/src/providers/ldap/sdap_async_groups_ad.c
new file mode 100644
index 0000000..3f842b2
--- /dev/null
+++ b/src/providers/ldap/sdap_async_groups_ad.c
@@ -0,0 +1,249 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/ldap_common.h"
+
+struct sdap_ad_match_rule_state {
+ struct tevent_context *ev;
+ struct sdap_handle *sh;
+ const char **attrs;
+
+ struct sdap_options *opts;
+ const char *base_filter;
+ char *filter;
+ int timeout;
+
+ size_t base_iter;
+ struct sdap_search_base **search_bases;
+
+ size_t count;
+ struct sysdb_attrs **users;
+};
+
+static errno_t
+sdap_get_ad_match_rule_members_next_base(struct tevent_req *req);
+static void
+sdap_get_ad_match_rule_members_step(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_get_ad_match_rule_members_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ struct sysdb_attrs *group,
+ int timeout)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct sdap_ad_match_rule_state *state;
+ const char *group_dn;
+ char *sanitized_group_dn;
+
+ req = tevent_req_create(mem_ctx, &state, struct sdap_ad_match_rule_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sh = sh;
+ state->timeout = timeout;
+ state->count = 0;
+ state->base_iter = 0;
+ state->search_bases = opts->sdom->user_search_bases;
+
+ /* Request all of the user attributes that we know about. */
+ ret = build_attrs_from_map(state, opts->user_map, opts->user_map_cnt,
+ NULL, &state->attrs, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not build attribute map: [%s]\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ /* Get the DN of the group */
+ ret = sysdb_attrs_get_string(group, SYSDB_ORIG_DN, &group_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not retrieve originalDN for group: %s\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ /* Sanitize it in case we have special characters in DN */
+ ret = sss_filter_sanitize(state, group_dn, &sanitized_group_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not sanitize group DN: %s\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ /* Craft a special filter according to
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
+ */
+ state->base_filter =
+ talloc_asprintf(state,
+ "(&(%s:%s:=%s)(objectClass=%s))",
+ state->opts->user_map[SDAP_AT_USER_MEMBEROF].name,
+ SDAP_MATCHING_RULE_IN_CHAIN,
+ sanitized_group_dn,
+ state->opts->user_map[SDAP_OC_USER].name);
+ talloc_zfree(sanitized_group_dn);
+ if (!state->base_filter) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ /* Start the loop through the search bases to get all of the users */
+ ret = sdap_get_ad_match_rule_members_next_base(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_get_ad_match_rule_members_next_base failed: [%s]\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+sdap_get_ad_match_rule_members_next_base(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct sdap_ad_match_rule_state *state;
+
+ state = tevent_req_data(req, struct sdap_ad_match_rule_state);
+
+ talloc_zfree(state->filter);
+ state->filter = sdap_combine_filters(state, state->base_filter,
+ state->search_bases[state->base_iter]->filter);
+ if (!state->filter) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Searching for users with base [%s]\n",
+ state->search_bases[state->base_iter]->basedn);
+
+ subreq = sdap_get_generic_send(
+ state, state->ev, state->opts, state->sh,
+ state->search_bases[state->base_iter]->basedn,
+ state->search_bases[state->base_iter]->scope,
+ state->filter, state->attrs,
+ state->opts->user_map, state->opts->user_map_cnt,
+ state->timeout, true);
+ if (!subreq) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, sdap_get_ad_match_rule_members_step, req);
+
+ return EOK;
+}
+
+static void
+sdap_get_ad_match_rule_members_step(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_ad_match_rule_state *state =
+ tevent_req_data(req, struct sdap_ad_match_rule_state);
+ size_t count, i;
+ struct sysdb_attrs **users;
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &users);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "LDAP search failed: [%s]\n", sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Search for users returned %zu results\n", count);
+
+ /* Add this batch of users to the list */
+ if (count > 0) {
+ state->users = talloc_realloc(state, state->users,
+ struct sysdb_attrs *,
+ state->count + count + 1);
+ if (!state->users) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ /* Copy the new users into the list */
+ for (i = 0; i < count; i++) {
+ state->users[state->count + i] =
+ talloc_steal(state->users, users[i]);
+ }
+
+ state->count += count;
+ state->users[state->count] = NULL;
+ }
+
+ /* Continue checking other search bases */
+ state->base_iter++;
+ if (state->search_bases[state->base_iter]) {
+ /* There are more search bases to try */
+ ret = sdap_get_ad_match_rule_members_next_base(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* No more search bases. We're done here. */
+ if (state->count == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "No users matched in any search base\n");
+ tevent_req_error(req, ENOENT);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t
+sdap_get_ad_match_rule_members_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *num_users,
+ struct sysdb_attrs ***users)
+{
+ struct sdap_ad_match_rule_state *state =
+ tevent_req_data(req, struct sdap_ad_match_rule_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *num_users = state->count;
+ *users = talloc_steal(mem_ctx, state->users);
+ return EOK;
+}
diff --git a/src/providers/ldap/sdap_async_hosts.c b/src/providers/ldap/sdap_async_hosts.c
new file mode 100644
index 0000000..0633a3f
--- /dev/null
+++ b/src/providers/ldap/sdap_async_hosts.c
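Review bot: In sdap_async_groups_ad.c, sdap_get_ad_match_rule_members_next_base() dereferences `state->search_bases[state->base_iter]->filter` with no check that the array exists or that its first entry is non-NULL. The pointer is copied straight from `opts->sdom->user_search_bases` in sdap_get_ad_match_rule_members_send(). sdap_get_groups_send() in sdap_async_groups.c refuses to start without a search base (`if (!state->search_bases)` returning EINVAL), and this request should fail the same way rather than risk a NULL dereference in the provider process. Right after the assignment, add `if (state->search_bases == NULL || state->search_bases[0] == NULL) { ret = EINVAL; goto immediate; }`. Whether the option-loading code always fills user_search_bases is not visible in this patch, so treat the guard as defensive.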
@@ -0,0 +1,209 @@ +/* + SSSD + + Authors: + Jan Zeleny + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_host_state { + struct tevent_context *ev; + struct sdap_handle *sh; + struct sdap_options *opts; + const char **attrs; + struct sdap_attr_map *host_map; + + struct sdap_search_base **search_bases; + int search_base_iter; + + char *cur_filter; + char *host_filter; + + const char *hostname; + + /* Return values */ + size_t host_count; + struct sysdb_attrs **hosts; +}; + +static void +sdap_host_info_done(struct tevent_req *subreq); + +static errno_t +sdap_host_info_next(struct tevent_req *req, + struct sdap_host_state *state); + +/** + * hostname == NULL -> look up all hosts / host groups + * hostname != NULL -> look up only given host and groups + * it's member of + */ +struct tevent_req * +sdap_host_info_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_handle *sh, + struct sdap_options *opts, + const char *hostname, + struct sdap_attr_map *host_map, + struct sdap_search_base **search_bases) +{ + errno_t ret; + struct sdap_host_state *state; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, struct sdap_host_state); + if (req == NULL) { + return NULL; + } + + state->ev = ev; + state->sh = sh; + state->opts = opts; + 
state->hostname = hostname; + state->search_bases = search_bases; + state->search_base_iter = 0; + state->cur_filter = NULL; + state->host_map = host_map; + + ret = build_attrs_from_map(state, host_map, SDAP_OPTS_HOST, + NULL, &state->attrs, NULL); + if (ret != EOK) { + goto immediate; + } + + if (hostname == NULL) { + state->host_filter = talloc_asprintf(state, "(objectClass=%s)", + host_map[SDAP_OC_HOST].name); + } else { + state->host_filter = talloc_asprintf(state, "(&(objectClass=%s)(%s=%s))", + host_map[SDAP_OC_HOST].name, + host_map[SDAP_AT_HOST_FQDN].name, + hostname); + } + if (state->host_filter == NULL) { + ret = ENOMEM; + goto immediate; + } + + ret = sdap_host_info_next(req, state); + if (ret == EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "No host search base configured?\n"); + ret = EINVAL; + } + + if (ret != EAGAIN) { + goto immediate; + } + + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t sdap_host_info_next(struct tevent_req *req, + struct sdap_host_state *state) +{ + struct sdap_search_base *base; + struct tevent_req *subreq; + + base = state->search_bases[state->search_base_iter]; + if (base == NULL) { + return EOK; + } + + talloc_zfree(state->cur_filter); + state->cur_filter = sdap_combine_filters(state, state->host_filter, + base->filter); + if (state->cur_filter == NULL) { + return ENOMEM; + } + + subreq = sdap_get_generic_send(state, state->ev, state->opts, + state->sh, base->basedn, + base->scope, state->cur_filter, + state->attrs, state->host_map, + SDAP_OPTS_HOST, + dp_opt_get_int(state->opts->basic, + SDAP_ENUM_SEARCH_TIMEOUT), + true); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error requesting host info\n"); + talloc_zfree(state->cur_filter); + return EIO; + } + tevent_req_set_callback(subreq, sdap_host_info_done, req); + + return EAGAIN; +} + +static void +sdap_host_info_done(struct tevent_req *subreq) 
+{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_host_state *state = tevent_req_data(req, struct sdap_host_state); + + ret = sdap_get_generic_recv(subreq, state, + &state->host_count, + &state->hosts); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + if (state->host_count == 0) { + state->search_base_iter++; + ret = sdap_host_info_next(req, state); + if (ret == EOK) { + /* No more search bases to try */ + tevent_req_error(req, ENOENT); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + return; + } + + /* Nothing else to do, just complete the req */ + tevent_req_done(req); +} + +errno_t sdap_host_info_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *host_count, + struct sysdb_attrs ***hosts) +{ + struct sdap_host_state *state = tevent_req_data(req, struct sdap_host_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *host_count = state->host_count; + *hosts = talloc_steal(mem_ctx, state->hosts); + + return EOK; +} diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c new file mode 100644 index 0000000..cbe8a4c --- /dev/null +++ b/src/providers/ldap/sdap_async_initgroups.c 
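Review bot: In sdap_host_info_send (src/providers/ldap/sdap_async_hosts.c), `hostname` is formatted straight into the LDAP filter `(&(objectClass=%s)(%s=%s))` without escaping, so a name containing `*`, `(`, `)` or `\` changes what the filter matches instead of being compared literally. Whether every caller already passes an escaped name cannot be seen from this file; sdap_initgr_rfc2307_send in sdap_async_initgroups.c, added by the same import, runs its input through sss_filter_sanitize before building its filter, and doing the same here keeps the function safe on its own. The change in the non-NULL branch would be `ret = sss_filter_sanitize(state, hostname, &clean_host);` followed by `if (ret != EOK) goto immediate;`, with `clean_host` passed to talloc_asprintf in place of `hostname`. Separately, sdap_host_info_next indexes `state->search_bases` without checking the array pointer for NULL, a case sdap_initgr_rfc2307_send rejects with EINVAL for its own search bases.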
@@ -0,0 +1,3594 @@ +/* + SSSD + + Async LDAP Helper routines - initgroups operation + + Copyright (C) Simo Sorce - 2009 + Copyright (C) 2010, Ralf Haferkamp , Novell Inc. + Copyright (C) Jan Zeleny - 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ldap/sdap_users.h" + +/* ==Save-fake-group-list=====================================*/ +errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + char **sysdb_groupnames, + struct sysdb_attrs **ldap_groups, + int ldap_groups_count) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message *msg; + int i, mi, ai; + const char *groupname; + const char *original_dn; + const char *uuid = NULL; + char **missing; + gid_t gid; + int ret; + errno_t sret; + bool in_transaction = false; + bool posix; + time_t now; + char *sid_str = NULL; + bool use_id_mapping; + bool need_filter; + + /* There are no groups in LDAP but we should add user to groups?? 
*/ + if (ldap_groups_count == 0) return EOK; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + missing = talloc_array(tmp_ctx, char *, ldap_groups_count+1); + if (!missing) { + ret = ENOMEM; + goto done; + } + mi = 0; + + for (i=0; sysdb_groupnames[i]; i++) { + ret = sysdb_search_group_by_name(tmp_ctx, domain, sysdb_groupnames[i], NULL, + &msg); + if (ret == EOK) { + continue; + } else if (ret == ENOENT) { + missing[mi] = talloc_strdup(missing, sysdb_groupnames[i]); + DEBUG(SSSDBG_TRACE_LIBS, "Group #%d [%s][%s] is not cached, " \ + "need to add a fake entry\n", + i, sysdb_groupnames[i], missing[mi]); + mi++; + continue; + } else if (ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "search for group failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + } + missing[mi] = NULL; + + /* All groups are cached, nothing to do */ + if (mi == 0) { + ret = EOK; + goto done; + } + + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, + domain->name, + domain->domain_id); + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot start sysdb transaction [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + in_transaction = true; + + + now = time(NULL); + for (i=0; missing[i]; i++) { + /* The group is not in sysdb, need to add a fake entry */ + for (ai=0; ai < ldap_groups_count; ai++) { + ret = sdap_get_group_primary_name(tmp_ctx, opts, ldap_groups[ai], + domain, &groupname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The group has no name attribute\n"); + goto done; + } + + if (strcmp(groupname, missing[i]) == 0) { + posix = true; + + ret = sdap_attrs_get_sid_str( + tmp_ctx, opts->idmap_ctx, ldap_groups[ai], + opts->group_map[SDAP_AT_GROUP_OBJECTSID].sys_name, + &sid_str); + if (ret != EOK && ret != ENOENT) goto done; + + if (use_id_mapping) { + if (sid_str == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No SID for group [%s] " \ + "while id-mapping.\n", + groupname); + ret = EINVAL; + 
goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Mapping group [%s] objectSID to unix ID\n", groupname); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Group [%s] has objectSID [%s]\n", + groupname, sid_str); + + /* Convert the SID into a UNIX group ID */ + ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, + &gid); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Group [%s] has mapped gid [%lu]\n", + groupname, (unsigned long)gid); + } else { + posix = false; + gid = 0; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Group [%s] cannot be mapped. " + "Treating as a non-POSIX group\n", + groupname); + } + + } else { + ret = sysdb_attrs_get_uint32_t(ldap_groups[ai], + SYSDB_GIDNUM, + &gid); + if (ret == ENOENT || (ret == EOK && gid == 0)) { + DEBUG(SSSDBG_TRACE_LIBS, "The group %s gid was %s\n", + groupname, ret == ENOENT ? "missing" : "zero"); + DEBUG(SSSDBG_TRACE_FUNC, + "Marking group %s as non-POSIX and setting GID=0!\n", + groupname); + gid = 0; + posix = false; + } else if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The GID attribute is malformed\n"); + goto done; + } + } + + ret = sysdb_attrs_get_string(ldap_groups[ai], + SYSDB_ORIG_DN, + &original_dn); + if (ret) { + DEBUG(SSSDBG_FUNC_DATA, + "The group has no original DN\n"); + original_dn = NULL; + } + + ret = sysdb_handle_original_uuid( + opts->group_map[SDAP_AT_GROUP_UUID].def_name, + ldap_groups[ai], + opts->group_map[SDAP_AT_GROUP_UUID].sys_name, + ldap_groups[ai], "uniqueIDstr"); + if (ret != EOK) { + DEBUG((ret == ENOENT) ? 
SSSDBG_TRACE_ALL : SSSDBG_MINOR_FAILURE, + "Failed to retrieve UUID [%d][%s].\n", + ret, sss_strerror(ret)); + } + + ret = sysdb_attrs_get_string(ldap_groups[ai], + "uniqueIDstr", + &uuid); + if (ret) { + DEBUG(SSSDBG_FUNC_DATA, + "The group has no UUID\n"); + uuid = NULL; + } + + ret = sdap_check_ad_group_type(domain, opts, ldap_groups[ai], + groupname, &need_filter); + if (ret != EOK) { + goto done; + } + + if (need_filter) { + posix = false; + gid = 0; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Adding fake group %s to sysdb\n", groupname); + ret = sysdb_add_incomplete_group(domain, groupname, gid, + original_dn, sid_str, + uuid, posix, now); + if (ret == ERR_GID_DUPLICATED) { + /* In case o group id-collision, do: + * - Delete the group from sysdb + * - Add the new incomplete group + * - Notify the NSS responder that the entry has also to be + * removed from the memory cache + */ + ret = sdap_handle_id_collision_for_incomplete_groups( + opts->dp, domain, groupname, gid, + original_dn, sid_str, uuid, posix, + now); + } + + if (ret != EOK) { + goto done; + } + break; + } + } + + if (ai == ldap_groups_count) { + DEBUG(SSSDBG_OP_FAILURE, + "Group %s not present in LDAP\n", missing[i]); + ret = EINVAL; + goto done; + } + } + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_transaction_commit failed.\n"); + goto done; + } + in_transaction = false; + ret = EOK; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + talloc_free(tmp_ctx); + return ret; +} + +int sdap_initgr_common_store(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + const char *name, + enum sysdb_member_type type, + char **sysdb_grouplist, + struct sysdb_attrs **ldap_groups, + int ldap_groups_count) +{ + TALLOC_CTX *tmp_ctx; + char **ldap_grouplist = NULL; + char **ldap_fqdnlist = NULL; + char 
**add_groups; + char **del_groups; + int ret, tret; + bool in_transaction = false; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + if (ldap_groups_count == 0) { + /* No groups for this user in LDAP. + * We need to ensure that there are no groups + * in the sysdb either. + */ + ldap_grouplist = NULL; + } else { + ret = sysdb_attrs_primary_name_list( + domain, tmp_ctx, + ldap_groups, ldap_groups_count, + opts->group_map[SDAP_AT_GROUP_NAME].name, + &ldap_grouplist); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_attrs_primary_name_list failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + } + + /* Find the differences between the sysdb and LDAP lists + * Groups in the sysdb only must be removed. + */ + if (ldap_grouplist != NULL) { + ldap_fqdnlist = sss_create_internal_fqname_list( + tmp_ctx, + (const char * const *) ldap_grouplist, + domain->name); + if (ldap_fqdnlist == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = diff_string_lists(tmp_ctx, ldap_fqdnlist, sysdb_grouplist, + &add_groups, &del_groups, NULL); + if (ret != EOK) goto done; + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + /* Add fake entries for any groups the user should be added as + * member of but that are not cached in sysdb + */ + if (add_groups && add_groups[0]) { + ret = sdap_add_incomplete_groups(sysdb, domain, opts, + add_groups, ldap_groups, + ldap_groups_count); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Adding incomplete users failed\n"); + goto done; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n", name); + ret = sysdb_update_members(domain, name, type, + (const char *const *) add_groups, + (const char *const *) del_groups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Membership update failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + ret = sysdb_transaction_commit(sysdb); 
+ if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; +done: + if (in_transaction) { + tret = sysdb_transaction_cancel(sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + talloc_zfree(tmp_ctx); + return ret; +} + +/* ==Initgr-call-(groups-a-user-is-member-of)-RFC2307===================== */ + +struct sdap_initgr_rfc2307_state { + struct tevent_context *ev; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + struct sdap_options *opts; + struct sdap_handle *sh; + const char **attrs; + const char *name; + char *base_filter; + const char *orig_dn; + char *filter; + int timeout; + + struct sdap_op *op; + + struct sysdb_attrs **ldap_groups; + size_t ldap_groups_count; + + size_t base_iter; + struct sdap_search_base **search_bases; +}; + +static errno_t sdap_initgr_rfc2307_next_base(struct tevent_req *req); +static void sdap_initgr_rfc2307_process(struct tevent_req *subreq); +struct tevent_req *sdap_initgr_rfc2307_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_handle *sh, + const char *name) +{ + struct tevent_req *req; + struct sdap_initgr_rfc2307_state *state; + const char **attr_filter; + char *clean_name; + char *shortname; + errno_t ret; + char *oc_list; + + req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->sysdb = sysdb; + state->domain = domain; + state->sh = sh; + state->op = NULL; + state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); + state->ldap_groups = NULL; + state->ldap_groups_count = 0; + state->base_iter = 0; + state->search_bases = opts->sdom->group_search_bases; + + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Initgroups lookup request without a group search 
base\n"); + ret = EINVAL; + goto done; + } + + state->name = talloc_strdup(state, name); + if (!state->name) { + talloc_zfree(req); + return NULL; + } + + attr_filter = talloc_array(state, const char *, 2); + if (!attr_filter) { + talloc_free(req); + return NULL; + } + + attr_filter[0] = opts->group_map[SDAP_AT_GROUP_MEMBER].name; + attr_filter[1] = NULL; + + ret = build_attrs_from_map(state, opts->group_map, SDAP_OPTS_GROUP, + attr_filter, &state->attrs, NULL); + if (ret != EOK) { + talloc_free(req); + return NULL; + } + + ret = sss_parse_internal_fqname(state, name, + &shortname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", name); + goto done; + } + + ret = sss_filter_sanitize(state, shortname, &clean_name); + if (ret != EOK) { + talloc_free(req); + return NULL; + } + + oc_list = sdap_make_oc_list(state, opts->group_map); + if (oc_list == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n"); + ret = ENOMEM; + goto done; + } + + state->base_filter = talloc_asprintf(state, + "(&(%s=%s)(%s)(%s=*)", + opts->group_map[SDAP_AT_GROUP_MEMBER].name, + clean_name, oc_list, + opts->group_map[SDAP_AT_GROUP_NAME].name); + if (!state->base_filter) { + talloc_zfree(req); + return NULL; + } + talloc_zfree(clean_name); + + switch (domain->type) { + case DOM_TYPE_APPLICATION: + state->base_filter = talloc_asprintf_append(state->base_filter, ")"); + break; + case DOM_TYPE_POSIX: + state->base_filter = talloc_asprintf_append(state->base_filter, + "(&(%s=*)(!(%s=0))))", + opts->group_map[SDAP_AT_GROUP_GID].name, + opts->group_map[SDAP_AT_GROUP_GID].name); + break; + } + if (!state->base_filter) { + ret = ENOMEM; + goto done; + } + + ret = sdap_initgr_rfc2307_next_base(req); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static errno_t sdap_initgr_rfc2307_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_initgr_rfc2307_state *state; + + 
state = tevent_req_data(req, struct sdap_initgr_rfc2307_state); + + talloc_zfree(state->filter); + + state->filter = sdap_combine_filters( state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for groups with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + subreq = sdap_get_generic_send( + state, state->ev, state->opts, state->sh, + state->search_bases[state->base_iter]->basedn, + state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->group_map, SDAP_OPTS_GROUP, + state->timeout, + true); + if (!subreq) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, sdap_initgr_rfc2307_process, req); + + return EOK; +} + +static void sdap_initgr_rfc2307_process(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_initgr_rfc2307_state *state; + struct sysdb_attrs **ldap_groups; + char **sysdb_grouplist = NULL; + size_t count; + int ret; + int i; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_initgr_rfc2307_state); + + ret = sdap_get_generic_recv(subreq, state, &count, &ldap_groups); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + /* Add this batch of groups to the list */ + if (count > 0) { + state->ldap_groups = + talloc_realloc(state, + state->ldap_groups, + struct sysdb_attrs *, + state->ldap_groups_count + count + 1); + if (!state->ldap_groups) { + tevent_req_error(req, ENOMEM); + return; + } + + /* Copy the new groups into the list. + */ + for (i = 0; i < count; i++) { + state->ldap_groups[state->ldap_groups_count + i] = + talloc_steal(state->ldap_groups, ldap_groups[i]); + } + + state->ldap_groups_count += count; + + state->ldap_groups[state->ldap_groups_count] = NULL; + } + + state->base_iter++; + + /* Check for additional search bases, and iterate + * through again. 
+ */ + if (state->search_bases[state->base_iter] != NULL) { + ret = sdap_initgr_rfc2307_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + } + return; + } + + /* Search for all groups for which this user is a member */ + ret = get_sysdb_grouplist(state, state->sysdb, state->domain, + state->name, &sysdb_grouplist); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* There are no nested groups here so we can just update the + * memberships */ + ret = sdap_initgr_common_store(state->sysdb, + state->domain, + state->opts, + state->name, + SYSDB_MEMBER_USER, + sysdb_grouplist, + state->ldap_groups, + state->ldap_groups_count); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static int sdap_initgr_rfc2307_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +/* ==Common code for pure RFC2307bis and IPA/AD========================= */ +errno_t +sdap_nested_groups_store(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + struct sysdb_attrs **groups, + unsigned long count) +{ + errno_t ret, tret; + TALLOC_CTX *tmp_ctx; + char **groupnamelist = NULL; + bool in_transaction = false; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + if (count > 0) { + ret = sysdb_attrs_primary_fqdn_list(domain, tmp_ctx, + groups, count, + opts->group_map[SDAP_AT_GROUP_NAME].name, + &groupnamelist); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "sysdb_attrs_primary_name_list failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + ret = sdap_add_incomplete_groups(sysdb, domain, opts, groupnamelist, + groups, count); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Could not add incomplete groups [%d]: %s\n", + ret, strerror(ret)); + goto done; + 
} + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; +done: + if (in_transaction) { + tret = sysdb_transaction_cancel(sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + return ret; +} + +struct membership_diff { + struct membership_diff *prev; + struct membership_diff *next; + + const char *name; + char **add; + char **del; +}; + +static errno_t +build_membership_diff(TALLOC_CTX *mem_ctx, const char *name, + char **ldap_parent_names, char **sysdb_parent_names, + struct membership_diff **_mdiff) +{ + TALLOC_CTX *tmp_ctx; + struct membership_diff *mdiff; + errno_t ret; + char **add_groups; + char **del_groups; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + mdiff = talloc_zero(tmp_ctx, struct membership_diff); + if (!mdiff) { + ret = ENOMEM; + goto done; + } + mdiff->name = talloc_strdup(mdiff, name); + if (!mdiff->name) { + ret = ENOMEM; + goto done; + } + + /* Find the differences between the sysdb and ldap lists + * Groups in ldap only must be added to the sysdb; + * groups in the sysdb only must be removed. 
+ */ + ret = diff_string_lists(tmp_ctx, + ldap_parent_names, sysdb_parent_names, + &add_groups, &del_groups, NULL); + if (ret != EOK) { + goto done; + } + mdiff->add = talloc_steal(mdiff, add_groups); + mdiff->del = talloc_steal(mdiff, del_groups); + + ret = EOK; + *_mdiff = talloc_steal(mem_ctx, mdiff); +done: + talloc_free(tmp_ctx); + return ret; +} + +/* ==Initgr-call-(groups-a-user-is-member-of)-nested-groups=============== */ + +struct sdap_initgr_nested_state { + struct tevent_context *ev; + struct sysdb_ctx *sysdb; + struct sdap_options *opts; + struct sss_domain_info *dom; + struct sdap_handle *sh; + + struct sysdb_attrs *user; + const char *username; + const char *orig_dn; + + const char **grp_attrs; + + struct ldb_message_element *memberof; + char *filter; + char **group_dns; + int cur; + + struct sdap_op *op; + + struct sysdb_attrs **groups; + int groups_cur; +}; + +static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req); +static errno_t sdap_initgr_nested_noderef_search(struct tevent_req *req); +static void sdap_initgr_nested_search(struct tevent_req *subreq); +static void sdap_initgr_nested_store(struct tevent_req *req); +static struct tevent_req *sdap_initgr_nested_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_handle *sh, + struct sysdb_attrs *user, + const char **grp_attrs) +{ + struct tevent_req *req; + struct sdap_initgr_nested_state *state; + errno_t ret; + int deref_threshold; + + req = tevent_req_create(memctx, &state, struct sdap_initgr_nested_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->sysdb = sysdb; + state->dom = dom; + state->sh = sh; + state->grp_attrs = grp_attrs; + state->user = user; + state->op = NULL; + + ret = sdap_get_user_primary_name(memctx, opts, user, dom, &state->username); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "User entry had no username\n"); + goto 
immediate; + } + + ret = sysdb_attrs_get_el(state->user, SYSDB_MEMBEROF, &state->memberof); + if (ret || !state->memberof || state->memberof->num_values == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "User entry lacks original memberof ?\n"); + /* We can't find any groups for this user, so we'll + * have to assume there aren't any. Just return + * success here. + */ + ret = EOK; + goto immediate; + } + + state->groups = talloc_zero_array(state, struct sysdb_attrs *, + state->memberof->num_values + 1); + if (!state->groups) { + ret = ENOMEM; + goto immediate; + } + state->groups_cur = 0; + + deref_threshold = dp_opt_get_int(state->opts->basic, + SDAP_DEREF_THRESHOLD); + if (sdap_has_deref_support(state->sh, state->opts) && + deref_threshold < state->memberof->num_values) { + ret = sysdb_attrs_get_string(user, SYSDB_ORIG_DN, + &state->orig_dn); + if (ret != EOK) goto immediate; + + ret = sdap_initgr_nested_deref_search(req); + if (ret != EAGAIN) goto immediate; + } else { + ret = sdap_initgr_nested_noderef_search(req); + if (ret != EAGAIN) goto immediate; + } + + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t sdap_initgr_nested_noderef_search(struct tevent_req *req) +{ + int i; + struct tevent_req *subreq; + struct sdap_initgr_nested_state *state; + char *oc_list; + + state = tevent_req_data(req, struct sdap_initgr_nested_state); + + state->group_dns = talloc_array(state, char *, + state->memberof->num_values + 1); + if (!state->group_dns) { + return ENOMEM; + } + for (i = 0; i < state->memberof->num_values; i++) { + state->group_dns[i] = talloc_strdup(state->group_dns, + (char *)state->memberof->values[i].data); + if (!state->group_dns[i]) { + return ENOMEM; + } + } + state->group_dns[i] = NULL; /* terminate */ + state->cur = 0; + + oc_list = sdap_make_oc_list(state, state->opts->group_map); + if (oc_list == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"Failed to create objectClass list.\n"); + return ENOMEM; + } + + state->filter = talloc_asprintf(state, "(&(%s)(%s=*))", oc_list, + state->opts->group_map[SDAP_AT_GROUP_NAME].name); + if (!state->filter) { + return ENOMEM; + } + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + state->group_dns[state->cur], + LDAP_SCOPE_BASE, + state->filter, state->grp_attrs, + state->opts->group_map, SDAP_OPTS_GROUP, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (!subreq) { + return ENOMEM; + } + tevent_req_set_callback(subreq, sdap_initgr_nested_search, req); + + return EAGAIN; +} + +static void sdap_initgr_nested_deref_done(struct tevent_req *subreq); + +static errno_t sdap_initgr_nested_deref_search(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_attr_map_info *maps; + const int num_maps = 1; + const char **sdap_attrs; + errno_t ret; + int timeout; + struct sdap_initgr_nested_state *state; + + state = tevent_req_data(req, struct sdap_initgr_nested_state); + + maps = talloc_array(state, struct sdap_attr_map_info, num_maps+1); + if (!maps) return ENOMEM; + + maps[0].map = state->opts->group_map; + maps[0].num_attrs = SDAP_OPTS_GROUP; + maps[1].map = NULL; + + ret = build_attrs_from_map(state, state->opts->group_map, SDAP_OPTS_GROUP, + NULL, &sdap_attrs, NULL); + if (ret != EOK) goto fail; + + timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT); + + subreq = sdap_deref_search_send(state, state->ev, state->opts, + state->sh, state->orig_dn, + state->opts->user_map[SDAP_AT_USER_MEMBEROF].name, + sdap_attrs, num_maps, maps, timeout); + if (!subreq) { + ret = EIO; + goto fail; + } + talloc_steal(subreq, sdap_attrs); + talloc_steal(subreq, maps); + + tevent_req_set_callback(subreq, sdap_initgr_nested_deref_done, req); + return EAGAIN; + +fail: + talloc_free(sdap_attrs); + talloc_free(maps); + return ret; +} + +static void sdap_initgr_nested_deref_done(struct tevent_req *subreq) +{ + errno_t 
ret; + struct tevent_req *req; + struct sdap_initgr_nested_state *state; + size_t num_results; + size_t i; + struct sdap_deref_attrs **deref_result; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_initgr_nested_state); + + ret = sdap_deref_search_recv(subreq, state, + &num_results, + &deref_result); + talloc_zfree(subreq); + if (ret == ENOTSUP) { + ret = sdap_initgr_nested_noderef_search(req); + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + } + return; + } else if (ret != EOK && ret != ENOENT) { + tevent_req_error(req, ret); + return; + } else if (ret == ENOENT || deref_result == NULL) { + /* Nothing could be dereferenced. Done. */ + tevent_req_done(req); + return; + } + + for (i=0; i < num_results; i++) { + state->groups[i] = talloc_steal(state->groups, + deref_result[i]->attrs); + } + + state->groups_cur = num_results; + sdap_initgr_nested_store(req); +} + +static void sdap_initgr_nested_search(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_initgr_nested_state *state; + struct sysdb_attrs **groups; + size_t count; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_initgr_nested_state); + + ret = sdap_get_generic_recv(subreq, state, &count, &groups); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + if (count == 1) { + state->groups[state->groups_cur] = talloc_steal(state->groups, + groups[0]); + state->groups_cur++; + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Search for group %s, returned %zu results. Skipping\n", + state->group_dns[state->cur], count); + } + + state->cur++; + /* note that state->memberof->num_values is the count of original + * memberOf which might not be only groups, but permissions, etc. 
+ * Use state->groups_cur for group index cap */
+ if (state->cur < state->memberof->num_values) {
+ subreq = sdap_get_generic_send(state, state->ev,
+ state->opts, state->sh,
+ state->group_dns[state->cur],
+ LDAP_SCOPE_BASE,
+ state->filter, state->grp_attrs,
+ state->opts->group_map,
+ SDAP_OPTS_GROUP,
+ dp_opt_get_int(state->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_initgr_nested_search, req);
+ } else {
+ sdap_initgr_nested_store(req);
+ }
+}
+
+static errno_t
+sdap_initgr_store_groups(struct sdap_initgr_nested_state *state);
+static errno_t
+sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state);
+static errno_t
+sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state);
+
+static void sdap_initgr_nested_store(struct tevent_req *req)
+{
+ errno_t ret;
+ struct sdap_initgr_nested_state *state;
+ bool in_transaction = false;
+ errno_t tret;
+
+ state = tevent_req_data(req, struct sdap_initgr_nested_state);
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* save the groups if they are not already */
+ ret = sdap_initgr_store_groups(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ /* save the group memberships */
+ ret = sdap_initgr_store_group_memberships(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save group memberships [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ /* save the user memberships */
+ ret = sdap_initgr_store_user_memberships(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save user memberships [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto fail;
+ }
+ in_transaction = false;
+
+ tevent_req_done(req);
+ return;
+
+fail:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ tevent_req_error(req, ret);
+ return;
+}
+
+static errno_t
+sdap_initgr_store_groups(struct sdap_initgr_nested_state *state)
+{
+ return sdap_nested_groups_store(state->sysdb, state->dom,
+ state->opts, state->groups,
+ state->groups_cur);
+}
+
+static errno_t
+sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs *group,
+ struct sysdb_attrs **all_groups,
+ int groups_count,
+ struct membership_diff **mdiff);
+
+static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs *attrs,
+ struct sysdb_attrs **groups,
+ int ngroups,
+ struct sysdb_attrs ***_direct_parents,
+ int *_ndirect);
+
+static errno_t
+sdap_initgr_store_group_memberships(struct sdap_initgr_nested_state *state)
+{
+ errno_t ret;
+ int i, tret;
+ TALLOC_CTX *tmp_ctx;
+ struct membership_diff *miter = NULL;
+ struct membership_diff *memberships = NULL;
+ bool in_transaction = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ /* Compute the diffs first in order to keep the transaction as small
+ * as possible
+ */
+ for (i=0; i < state->groups_cur; i++) {
+ ret = sdap_initgr_nested_get_membership_diff(tmp_ctx, state->sysdb,
+ state->opts, state->dom,
+ state->groups[i],
+ state->groups,
+ state->groups_cur,
+ &miter);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not compute memberships for group %d [%d]: %s\n",
+ i, ret, strerror(ret));
+ goto done;
+ }
+
+ DLIST_ADD(memberships, miter);
+ }
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ DLIST_FOR_EACH(miter, memberships) {
+ ret = sysdb_update_members(state->dom, miter->name,
+ SYSDB_MEMBER_GROUP,
+ (const char *const *) miter->add,
+ (const char *const *) miter->del);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to update memberships\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+ ret = EOK;
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+sdap_initgr_store_user_memberships(struct sdap_initgr_nested_state *state)
+{
+ errno_t ret;
+ int tret;
+ const char *orig_dn;
+
+ char **sysdb_parent_name_list = NULL;
+ char **ldap_parent_name_list = NULL;
+ char **ldap_fqdnlist = NULL;
+
+ int nparents;
+ struct sysdb_attrs **ldap_parentlist;
+ struct ldb_message_element *el;
+ int i, mi;
+ char **add_groups;
+ char **del_groups;
+ TALLOC_CTX *tmp_ctx;
+ bool in_transaction = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Get direct LDAP parents */
+ ret = sysdb_attrs_get_string(state->user, SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "The user has no original DN\n");
+ goto done;
+ }
+
+ ldap_parentlist = talloc_zero_array(tmp_ctx, struct sysdb_attrs *,
+ state->groups_cur + 1);
+ if (!ldap_parentlist) {
+ ret = ENOMEM;
+ goto done;
+ }
+ nparents = 0;
+
+ for (i=0; i < state->groups_cur ; i++) {
+ ret = sysdb_attrs_get_el(state->groups[i], SYSDB_MEMBER, &el);
+ if (ret) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "A group with no members during initgroups?\n");
+ goto done;
+ }
+
+ for (mi = 0; mi < el->num_values; mi++) {
+ if (strcasecmp((const char *) el->values[mi].data,
+ orig_dn) != 0) {
+ continue;
+ }
+
+ ldap_parentlist[nparents] = state->groups[i];
+ nparents++;
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The user %s is a direct member of %d LDAP groups\n",
+ state->username, nparents);
+
+ if (nparents == 0) {
+ ldap_parent_name_list = NULL;
+ } else {
+ ret = sysdb_attrs_primary_name_list(state->dom, tmp_ctx,
+ ldap_parentlist,
+ nparents,
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name,
+ &ldap_parent_name_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_primary_name_list failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ }
+
+ if (ldap_parent_name_list) {
+ ldap_fqdnlist = sss_create_internal_fqname_list(
+ tmp_ctx,
+ (const char * const *) ldap_parent_name_list,
+ state->dom->name);
+ if (ldap_fqdnlist == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = sysdb_get_direct_parents(tmp_ctx, state->dom, state->dom,
+ SYSDB_MEMBER_USER,
+ state->username, &sysdb_parent_name_list);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not get direct sysdb parents for %s: %d [%s]\n",
+ state->username, ret, strerror(ret));
+ goto done;
+ }
+
+ ret = diff_string_lists(tmp_ctx,
+ ldap_fqdnlist, sysdb_parent_name_list,
+ &add_groups, &del_groups, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Updating memberships for %s\n", state->username);
+ ret = sysdb_update_members(state->dom, state->username, SYSDB_MEMBER_USER,
+ (const char *const *) add_groups,
+ (const char *const *) del_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not update sysdb memberships for %s: %d [%s]\n",
+ state->username, ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = false;
+
+ ret = EOK;
+done:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+sdap_initgr_nested_get_membership_diff(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sdap_options *opts,
+ struct sss_domain_info *dom,
+ struct sysdb_attrs *group,
+ struct sysdb_attrs **all_groups,
+ int groups_count,
+ struct membership_diff **_mdiff)
+{
+ errno_t ret;
+ struct membership_diff *mdiff;
+ const char *group_name;
+
+ struct sysdb_attrs **ldap_parentlist;
+ int parents_count;
+
+ char **ldap_parent_names_list = NULL;
+ char **sysdb_parents_names_list = NULL;
+
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Get direct sysdb parents */
+ ret = sdap_get_group_primary_name(tmp_ctx, opts, group, dom, &group_name);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_get_direct_parents(tmp_ctx, dom, dom, SYSDB_MEMBER_GROUP,
+ group_name, &sysdb_parents_names_list);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not get direct sysdb parents for %s: %d [%s]\n",
+ group_name, ret, strerror(ret));
+ goto done;
+ }
+
+ /* For each group, filter only parents from full set */
+ ret = sdap_initgr_nested_get_direct_parents(tmp_ctx,
+ group,
+ all_groups,
+ groups_count,
+ &ldap_parentlist,
+ &parents_count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get parent groups for %s [%d]: %s\n",
+ group_name, ret, strerror(ret));
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The group %s is a direct member of %d LDAP groups\n",
+ group_name, parents_count);
+
+ if (parents_count > 0) {
+ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx,
+ ldap_parentlist,
+ parents_count,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ &ldap_parent_names_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_primary_name_list failed [%d]: %s\n",
+ ret,
+ strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = build_membership_diff(tmp_ctx, group_name, ldap_parent_names_list,
+ sysdb_parents_names_list, &mdiff);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not build membership diff for %s [%d]: %s\n",
+ group_name, ret, strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+ *_mdiff = talloc_steal(mem_ctx, mdiff);
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int sdap_initgr_nested_get_direct_parents(TALLOC_CTX *mem_ctx,
+ struct sysdb_attrs *attrs,
+ struct sysdb_attrs **groups,
+ int ngroups,
+ struct sysdb_attrs ***_direct_parents,
+ int *_ndirect)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message_element *member;
+ int i, mi;
+ int ret;
+ const char *orig_dn;
+
+ int ndirect;
+ struct sysdb_attrs **direct_groups;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ direct_groups = talloc_zero_array(tmp_ctx, struct sysdb_attrs *,
+ ngroups + 1);
+ if (!direct_groups) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ndirect = 0;
+
+ ret = sysdb_attrs_get_string(attrs, SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Missing originalDN\n");
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Looking up direct parents for group [%s]\n", orig_dn);
+
+ /* FIXME - Filter only parents from full set to avoid searching
+ * through all members of huge groups. That requires asking for memberOf
+ * with the group LDAP search
+ */
+
+ /* Filter only direct parents from the list of all groups */
+ for (i=0; i < ngroups; i++) {
+ ret = sysdb_attrs_get_el(groups[i], SYSDB_MEMBER, &member);
+ if (ret) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "A group with no members during initgroups?\n");
+ continue;
+ }
+
+ for (mi = 0; mi < member->num_values; mi++) {
+ if (strcasecmp((const char *) member->values[mi].data, orig_dn) != 0) {
+ continue;
+ }
+
+ direct_groups[ndirect] = groups[i];
+ ndirect++;
+ }
+ }
+ direct_groups[ndirect] = NULL;
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "The group [%s] has %d direct parents\n", orig_dn, ndirect);
+
+ *_direct_parents = talloc_steal(mem_ctx, direct_groups);
+ *_ndirect = ndirect;
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static int sdap_initgr_nested_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==Initgr-call-(groups-a-user-is-member-of)-RFC2307-BIS================= */
+struct sdap_initgr_rfc2307bis_state {
+ struct tevent_context *ev;
+ struct sysdb_ctx *sysdb;
+ struct sdap_options *opts;
+ struct sss_domain_info *dom;
+ struct sdap_handle *sh;
+ const char *name;
+ char *base_filter;
+ char *filter;
+ const char **attrs;
+ const char *orig_dn;
+
+ int timeout;
+
+ size_t base_iter;
+ struct sdap_search_base **search_bases;
+
+ struct sdap_op *op;
+
+ hash_table_t *group_hash;
+ size_t num_direct_parents;
+ struct sysdb_attrs **direct_groups;
+};
+
+struct sdap_nested_group {
+ struct sysdb_attrs *group;
+ struct sysdb_attrs **ldap_parents;
+ size_t parents_count;
+};
+
+static errno_t sdap_initgr_rfc2307bis_next_base(struct tevent_req *req);
+static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq);
+static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq);
+errno_t save_rfc2307bis_user_memberships(
+ struct sdap_initgr_rfc2307bis_state *state);
+
+static struct tevent_req *sdap_initgr_rfc2307bis_send(
+ TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_domain *sdom,
+ struct sdap_handle *sh,
+ const char *name,
+ const char *orig_dn)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct sdap_initgr_rfc2307bis_state *state;
+ const char **attr_filter;
+ char *clean_orig_dn;
+ bool use_id_mapping;
+ char *oc_list;
+
+ req = tevent_req_create(memctx, &state, struct sdap_initgr_rfc2307bis_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sysdb = sdom->dom->sysdb;
+ state->dom = sdom->dom;
+ state->sh = sh;
+ state->op = NULL;
+ state->name = name;
+ state->direct_groups = NULL;
+ state->num_direct_parents = 0;
+ state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+ state->base_iter = 0;
+ state->search_bases = sdom->group_search_bases;
+ state->orig_dn = orig_dn;
+
+ if (!state->search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Initgroups lookup request without a group search base\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sss_hash_create(state, 32, &state->group_hash);
+ if (ret != EOK) {
+ talloc_free(req);
+ return NULL;
+ }
+
+ attr_filter = talloc_array(state, const char *, 2);
+ if (!attr_filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ attr_filter[0] = opts->group_map[SDAP_AT_GROUP_MEMBER].name;
+ attr_filter[1] = NULL;
+
+ ret = build_attrs_from_map(state, opts->group_map, SDAP_OPTS_GROUP,
+ attr_filter, &state->attrs, NULL);
+ if (ret != EOK) goto done;
+
+ ret = sss_filter_sanitize(state, orig_dn, &clean_orig_dn);
+ if (ret != EOK) goto done;
+
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ opts->idmap_ctx,
+ sdom->dom->name,
+ sdom->dom->domain_id);
+
+ oc_list = sdap_make_oc_list(state, opts->group_map);
+ if (oc_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ state->base_filter =
+ talloc_asprintf(state,
+ "(&(%s=%s)(%s)(%s=*)",
+ opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_orig_dn, oc_list,
+ opts->group_map[SDAP_AT_GROUP_NAME].name);
+ if (!state->base_filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (use_id_mapping) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to groups with a GID value. But there must be a SID to map
+ * from.
+ */
+ state->base_filter = talloc_asprintf_append(state->base_filter,
+ "(%s=*))",
+ opts->group_map[SDAP_AT_GROUP_OBJECTSID].name);
+ } else {
+ state->base_filter = talloc_asprintf_append(state->base_filter, ")");
+ }
+ if (!state->base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+
+ talloc_zfree(clean_orig_dn);
+
+ ret = sdap_initgr_rfc2307bis_next_base(req);
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+ return req;
+}
+
+static errno_t sdap_initgr_rfc2307bis_next_base(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct sdap_initgr_rfc2307bis_state *state;
+
+ state = tevent_req_data(req, struct sdap_initgr_rfc2307bis_state);
+
+ talloc_zfree(state->filter);
+ state->filter = sdap_combine_filters(state, state->base_filter,
+ state->search_bases[state->base_iter]->filter);
+ if (!state->filter) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Searching for parent groups for user [%s] with base [%s]\n",
+ state->orig_dn, state->search_bases[state->base_iter]->basedn);
+
+ subreq = sdap_get_generic_send(
+ state, state->ev, state->opts, state->sh,
+ state->search_bases[state->base_iter]->basedn,
+ state->search_bases[state->base_iter]->scope,
+ state->filter, state->attrs,
+ state->opts->group_map, SDAP_OPTS_GROUP,
+ state->timeout,
+ true);
+ if (!subreq) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, sdap_initgr_rfc2307bis_process, req);
+
+ return EOK;
+}
+
+static void sdap_initgr_rfc2307bis_process(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct sdap_initgr_rfc2307bis_state *state;
+ struct sysdb_attrs **ldap_groups;
+ size_t count;
+ size_t i;
+ int ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_initgr_rfc2307bis_state);
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &count,
+ &ldap_groups);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Found %zu parent groups for user [%s]\n", count, state->name);
+
+ /* Add this batch of groups to the list */
+ if (count > 0) {
+ state->direct_groups =
+ talloc_realloc(state,
+ state->direct_groups,
+ struct sysdb_attrs *,
+ state->num_direct_parents + count + 1);
+ if (!state->direct_groups) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ /* Copy the new groups into the list.
+ */
+ for (i = 0; i < count; i++) {
+ state->direct_groups[state->num_direct_parents + i] =
+ talloc_steal(state->direct_groups, ldap_groups[i]);
+ }
+
+ state->num_direct_parents += count;
+
+ state->direct_groups[state->num_direct_parents] = NULL;
+ }
+
+ state->base_iter++;
+
+ /* Check for additional search bases, and iterate
+ * through again.
+ */
+ if (state->search_bases[state->base_iter] != NULL) {
+ ret = sdap_initgr_rfc2307bis_next_base(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ if (state->num_direct_parents == 0) {
+ /* Start a transaction to look up the groups in the sysdb
+ * and update them with LDAP data
+ */
+ ret = save_rfc2307bis_user_memberships(state);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+ return;
+ }
+
+ subreq = rfc2307bis_nested_groups_send(state, state->ev, state->opts,
+ state->sysdb, state->dom,
+ state->sh,
+ state->search_bases,
+ state->direct_groups,
+ state->num_direct_parents,
+ state->group_hash, 0);
+ if (!subreq) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_initgr_rfc2307bis_done, req);
+}
+
+static errno_t
+save_rfc2307bis_groups(struct sdap_initgr_rfc2307bis_state *state);
+static errno_t
+save_rfc2307bis_group_memberships(struct sdap_initgr_rfc2307bis_state *state);
+
+static void sdap_initgr_rfc2307bis_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_initgr_rfc2307bis_state *state =
+ tevent_req_data(req, struct sdap_initgr_rfc2307bis_state);
+ bool in_transaction = false;
+ errno_t tret;
+
+ ret = rfc2307bis_nested_groups_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* save the groups if they are not cached */
+ ret = save_rfc2307bis_groups(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save groups memberships [%d]\n", ret);
+ goto fail;
+ }
+
+ /* save the group membership */
+ ret = save_rfc2307bis_group_memberships(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save group memberships [%d]\n", ret);
+ goto fail;
+ }
+
+ /* save the user memberships */
+ ret = save_rfc2307bis_user_memberships(state);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not save user memberships [%d]\n", ret);
+ goto fail;
+ }
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto fail;
+ }
+ in_transaction = false;
+
+ tevent_req_done(req);
+ return;
+
+fail:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ tevent_req_error(req, ret);
+ return;
+}
+
+static int sdap_initgr_rfc2307bis_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct rfc2307bis_group_memberships_state {
+ struct sysdb_ctx *sysdb;
+ struct sdap_options *opts;
+ struct sss_domain_info *dom;
+
+ hash_table_t *group_hash;
+
+ struct membership_diff *memberships;
+
+ int ret;
+};
+
+static errno_t
+save_rfc2307bis_groups(struct sdap_initgr_rfc2307bis_state *state)
+{
+ struct sysdb_attrs **groups = NULL;
+ unsigned long count;
+ hash_value_t *values;
+ int hret, i;
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ struct sdap_nested_group *gr;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ hret = hash_values(state->group_hash, &count, &values);
+ if (hret != HASH_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ groups = talloc_array(tmp_ctx, struct sysdb_attrs *, count);
+ if (!groups) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < count; i++) {
+ gr = talloc_get_type(values[i].ptr,
+ struct sdap_nested_group);
+ groups[i] = gr->group;
+ }
+ talloc_zfree(values);
+
+ ret = sdap_nested_groups_store(state->sysdb, state->dom, state->opts,
+ groups, count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static bool rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data);
+
+static errno_t
+save_rfc2307bis_group_memberships(struct sdap_initgr_rfc2307bis_state *state)
+{
+ errno_t ret, tret;
+ int hret;
+ TALLOC_CTX *tmp_ctx;
+ struct rfc2307bis_group_memberships_state *membership_state;
+ struct membership_diff *iter;
+ struct membership_diff *iter_start;
+ struct membership_diff *iter_tmp;
+ bool in_transaction = false;
+ int num_added;
+ int i;
+ int grp_count;
+ char **add = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ membership_state = talloc_zero(tmp_ctx,
+ struct rfc2307bis_group_memberships_state);
+ if (!membership_state) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ membership_state->sysdb = state->sysdb;
+ membership_state->dom = state->dom;
+ membership_state->opts = state->opts;
+ membership_state->group_hash = state->group_hash;
+
+ hret = hash_iterate(state->group_hash,
+ rfc2307bis_group_memberships_build,
+ membership_state);
+ if (hret != HASH_SUCCESS) {
+ ret = membership_state->ret;
+ goto done;
+ }
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ iter_start = membership_state->memberships;
+
+ DLIST_FOR_EACH(iter, membership_state->memberships) {
+ /* Create a copy of iter->add array but do not include groups outside
+ * nesting limit. This array must be NULL terminated.
+ */ + for (grp_count = 0; iter->add[grp_count]; grp_count++); + add = talloc_zero_array(tmp_ctx, char *, grp_count + 1); + if (add == NULL) { + ret = ENOMEM; + goto done; + } + + num_added = 0; + for (i = 0; i < grp_count; i++) { + DLIST_FOR_EACH(iter_tmp, iter_start) { + if (!strcmp(iter_tmp->name,iter->add[i])) { + add[num_added] = iter->add[i]; + num_added++; + break; + } + } + } + + if (num_added == 0) { + add = NULL; + } else { + add[num_added] = NULL; + } + ret = sysdb_update_members(state->dom, iter->name, + SYSDB_MEMBER_GROUP, + (const char *const *) add, + (const char *const *) iter->del); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to update memberships\n"); + goto done; + } + } + + ret = sysdb_transaction_commit(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; +done: + if (in_transaction) { + tret = sysdb_transaction_cancel(state->sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + talloc_free(tmp_ctx); + return ret; +} + +static bool +rfc2307bis_group_memberships_build(hash_entry_t *item, void *user_data) +{ + struct rfc2307bis_group_memberships_state *mstate = talloc_get_type( + user_data, struct rfc2307bis_group_memberships_state); + struct sdap_nested_group *group; + char *group_name; + TALLOC_CTX *tmp_ctx; + errno_t ret; + char **sysdb_parents_names_list; + char **ldap_parents_names_list = NULL; + + struct membership_diff *mdiff; + + group_name = (char *) item->key.str; + group = (struct sdap_nested_group *) item->value.ptr; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_get_direct_parents(tmp_ctx, mstate->dom, mstate->dom, + SYSDB_MEMBER_GROUP, + group_name, &sysdb_parents_names_list); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not get direct sysdb parents for %s: %d [%s]\n", + group_name, ret, strerror(ret)); + goto 
done; + } + + if (group->parents_count > 0) { + ret = sysdb_attrs_primary_fqdn_list(mstate->dom, tmp_ctx, + group->ldap_parents, group->parents_count, + mstate->opts->group_map[SDAP_AT_GROUP_NAME].name, + &ldap_parents_names_list); + if (ret != EOK) { + goto done; + } + } + + ret = build_membership_diff(tmp_ctx, group_name, ldap_parents_names_list, + sysdb_parents_names_list, &mdiff); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not build membership diff for %s [%d]: %s\n", + group_name, ret, strerror(ret)); + goto done; + } + + talloc_steal(mstate, mdiff); + DLIST_ADD(mstate->memberships, mdiff); + ret = EOK; +done: + talloc_free(tmp_ctx); + mstate->ret = ret; + return ret == EOK ? true : false; +} + +errno_t save_rfc2307bis_user_memberships( + struct sdap_initgr_rfc2307bis_state *state) +{ + errno_t ret, tret; + char **ldap_grouplist; + char **sysdb_parent_name_list; + char **add_groups; + char **del_groups; + bool in_transaction = false; + + TALLOC_CTX *tmp_ctx = talloc_new(NULL); + if(!tmp_ctx) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Save parent groups to sysdb\n"); + ret = sysdb_transaction_start(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto error; + } + in_transaction = true; + + ret = sysdb_get_direct_parents(tmp_ctx, state->dom, state->dom, + SYSDB_MEMBER_USER, + state->name, &sysdb_parent_name_list); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not get direct sysdb parents for %s: %d [%s]\n", + state->name, ret, strerror(ret)); + goto error; + } + + if (state->num_direct_parents == 0) { + ldap_grouplist = NULL; + } + else { + ret = sysdb_attrs_primary_fqdn_list( + state->dom, tmp_ctx, + state->direct_groups, state->num_direct_parents, + state->opts->group_map[SDAP_AT_GROUP_NAME].name, + &ldap_grouplist); + if (ret != EOK) { + goto error; + } + } + + /* Find the differences between the sysdb and ldap lists + * Groups in ldap only must be added to the sysdb; + * 
groups in the sysdb only must be removed. + */ + ret = diff_string_lists(tmp_ctx, + ldap_grouplist, sysdb_parent_name_list, + &add_groups, &del_groups, NULL); + if (ret != EOK) { + goto error; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Updating memberships for %s\n", state->name); + ret = sysdb_update_members(state->dom, state->name, SYSDB_MEMBER_USER, + (const char *const *)add_groups, + (const char *const *)del_groups); + if (ret != EOK) { + goto error; + } + + ret = sysdb_transaction_commit(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto error; + } + in_transaction = false; + + talloc_free(tmp_ctx); + return EOK; + +error: + if (in_transaction) { + tret = sysdb_transaction_cancel(state->sysdb); + if (tret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + talloc_free(tmp_ctx); + return ret; +} + +struct sdap_rfc2307bis_nested_ctx { + struct tevent_context *ev; + struct sdap_options *opts; + struct sysdb_ctx *sysdb; + struct sss_domain_info *dom; + struct sdap_handle *sh; + int timeout; + const char *base_filter; + char *filter; + const char *orig_dn; + const char **attrs; + struct sysdb_attrs **groups; + size_t num_groups; + + size_t nesting_level; + + size_t group_iter; + struct sdap_nested_group **processed_groups; + + hash_table_t *group_hash; + const char *primary_name; + + struct sysdb_handle *handle; + + size_t base_iter; + struct sdap_search_base **search_bases; +}; + +static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req); +struct tevent_req *rfc2307bis_nested_groups_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct sdap_options *opts, struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, struct sdap_handle *sh, + struct sdap_search_base **search_bases, + struct sysdb_attrs **groups, size_t num_groups, + hash_table_t *group_hash, size_t nesting) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_rfc2307bis_nested_ctx *state; + + 
DEBUG(SSSDBG_TRACE_INTERNAL, + "About to process %zu groups in nesting level %zu\n", + num_groups, nesting); + + req = tevent_req_create(mem_ctx, &state, + struct sdap_rfc2307bis_nested_ctx); + if (!req) return NULL; + + if ((num_groups == 0) || + (nesting > dp_opt_get_int(opts->basic, SDAP_NESTING_LEVEL))) { + /* No parent groups to process or too deep*/ + ret = EOK; + goto done; + } + + state->ev = ev; + state->opts = opts; + state->sysdb = sysdb; + state->dom = dom; + state->sh = sh; + state->groups = groups; + state->num_groups = num_groups; + state->group_iter = 0; + state->nesting_level = nesting; + state->group_hash = group_hash; + state->filter = NULL; + state->timeout = dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT); + state->base_iter = 0; + state->search_bases = search_bases; + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Initgroups nested lookup request " + "without a group search base\n"); + ret = EINVAL; + goto done; + } + + state->processed_groups = talloc_array(state, + struct sdap_nested_group *, + state->num_groups); + if (state->processed_groups == NULL) { + ret = ENOMEM; + goto done; + } + + while (state->group_iter < state->num_groups) { + ret = rfc2307bis_nested_groups_step(req); + if (ret == EOK) { + /* This group had already been looked up. 
Continue to + * another group in the same level + */ + state->group_iter++; + continue; + } else { + goto done; + } + } + + ret = EOK; + +done: + if (ret == EOK) { + /* All parent groups were already processed */ + tevent_req_done(req); + tevent_req_post(req, ev); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + /* EAGAIN means a lookup is in progress */ + return req; +} + +static errno_t rfc2307bis_nested_groups_next_base(struct tevent_req *req); +static void rfc2307bis_nested_groups_process(struct tevent_req *subreq); +static errno_t rfc2307bis_nested_groups_step(struct tevent_req *req) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + const char **attr_filter; + char *clean_orig_dn; + hash_key_t key; + hash_value_t value; + struct sdap_rfc2307bis_nested_ctx *state = + tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx); + char *oc_list; + const char *class; + + tmp_ctx = talloc_new(state); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_string(state->groups[state->group_iter], + SYSDB_OBJECTCATEGORY, &class); + if (ret == EOK) { + /* If there is a objectClass attribute the object is coming from the + * cache and the name attribute of the object already has the primary + * name. + * If the objectClass attribute is missing the object is coming from + * LDAP and we have to find the primary name first. 
*/ + ret = sysdb_attrs_get_string(state->groups[state->group_iter], + SYSDB_NAME, &state->primary_name); + } else { + ret = sdap_get_group_primary_name(state, state->opts, + state->groups[state->group_iter], + state->dom, &state->primary_name); + } + if (ret != EOK) { + goto done; + } + + key.type = HASH_KEY_STRING; + key.str = talloc_strdup(state, state->primary_name); + if (!key.str) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Processing group [%s]\n", state->primary_name); + + ret = hash_lookup(state->group_hash, &key, &value); + if (ret == HASH_SUCCESS) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Group [%s] was already processed, " + "taking a shortcut\n", state->primary_name); + state->processed_groups[state->group_iter] = + talloc_get_type(value.ptr, struct sdap_nested_group); + talloc_free(key.str); + ret = EOK; + goto done; + } + + /* Need to try to find parent groups for this group. */ + state->processed_groups[state->group_iter] = + talloc_zero(state->processed_groups, struct sdap_nested_group); + if (!state->processed_groups[state->group_iter]) { + ret = ENOMEM; + goto done; + } + + /* this steal doesn't change much now, but will be helpful later on + * if we steal the whole processed_group on the hash table */ + state->processed_groups[state->group_iter]->group = + talloc_steal(state->processed_groups[state->group_iter], + state->groups[state->group_iter]); + + /* Get any parent groups for this group */ + ret = sysdb_attrs_get_string(state->groups[state->group_iter], + SYSDB_ORIG_DN, + &state->orig_dn); + if (ret != EOK) { + goto done; + } + + attr_filter = talloc_array(state, const char *, 2); + if (!attr_filter) { + ret = ENOMEM; + goto done; + } + + attr_filter[0] = state->opts->group_map[SDAP_AT_GROUP_MEMBER].name; + attr_filter[1] = NULL; + + ret = build_attrs_from_map(state, state->opts->group_map, SDAP_OPTS_GROUP, + attr_filter, &state->attrs, NULL); + if (ret != EOK) { + goto done; + } + + ret = sss_filter_sanitize(tmp_ctx, 
state->orig_dn, &clean_orig_dn);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ oc_list = sdap_make_oc_list(state, state->opts->group_map);
+ if (oc_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ state->base_filter = talloc_asprintf(
+ state, "(&(%s=%s)(%s)(%s=*))",
+ state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ clean_orig_dn, oc_list,
+ state->opts->group_map[SDAP_AT_GROUP_NAME].name);
+ if (!state->base_filter) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = rfc2307bis_nested_groups_next_base(req);
+ if (ret != EOK) goto done;
+
+ /* Still processing parent groups */
+ ret = EAGAIN;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t rfc2307bis_nested_groups_next_base(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct sdap_rfc2307bis_nested_ctx *state;
+
+ state = tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx);
+
+ talloc_zfree(state->filter);
+ state->filter = sdap_combine_filters(state, state->base_filter,
+ state->search_bases[state->base_iter]->filter);
+ if (!state->filter) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Searching for parent groups of group [%s] with base [%s]\n",
+ state->orig_dn,
+ state->search_bases[state->base_iter]->basedn);
+
+ subreq = sdap_get_generic_send(
+ state, state->ev, state->opts, state->sh,
+ state->search_bases[state->base_iter]->basedn,
+ state->search_bases[state->base_iter]->scope,
+ state->filter, state->attrs,
+ state->opts->group_map, SDAP_OPTS_GROUP,
+ state->timeout,
+ true);
+ if (!subreq) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq,
+ rfc2307bis_nested_groups_process,
+ req);
+
+ return EOK;
+}
+
+static void
+rfc2307bis_nested_groups_iterate(struct tevent_req *req,
+ struct sdap_rfc2307bis_nested_ctx *state)
+{
+ errno_t ret;
+
+ state->group_iter++;
+ while (state->group_iter < state->num_groups) {
+ ret = rfc2307bis_nested_groups_step(req);
+ if (ret == EAGAIN) {
+ /* Looking up 
parent groups.. */
+ return;
+ } else if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* EOK means this group has already been processed
+ * in another nesting level */
+ state->group_iter++;
+ }
+
+ if (state->group_iter == state->num_groups) {
+ /* All groups processed. Done. */
+ tevent_req_done(req);
+ }
+}
+
+static void rfc2307bis_nested_groups_done(struct tevent_req *subreq);
+static void rfc2307bis_nested_groups_process(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_rfc2307bis_nested_ctx *state =
+ tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx);
+ size_t count;
+ size_t i;
+ struct sysdb_attrs **ldap_groups;
+ struct sdap_nested_group *ngr;
+ hash_value_t value;
+ hash_key_t key;
+ int hret;
+
+ ret = sdap_get_generic_recv(subreq, state,
+ &count,
+ &ldap_groups);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Found %zu parent groups of [%s]\n", count, state->orig_dn);
+ ngr = state->processed_groups[state->group_iter];
+
+ /* Add this batch of groups to the list */
+ if (count > 0) {
+ ngr->ldap_parents =
+ talloc_realloc(ngr,
+ ngr->ldap_parents,
+ struct sysdb_attrs *,
+ ngr->parents_count + count + 1);
+ if (!ngr->ldap_parents) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ /* Copy the new groups into the list.
+ * They're allocated on 'state' so we need to move them
+ * onto ldap_parents so that the data won't disappear when
+ * we finish this nesting level. 
+ */
+ for (i = 0; i < count; i++) {
+ ngr->ldap_parents[ngr->parents_count + i] =
+ talloc_steal(ngr->ldap_parents, ldap_groups[i]);
+ }
+
+ ngr->parents_count += count;
+
+ ngr->ldap_parents[ngr->parents_count] = NULL;
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Total of %zu direct parents after this iteration\n",
+ ngr->parents_count);
+ }
+
+ state->base_iter++;
+
+ /* Check for additional search bases, and iterate
+ * through again.
+ */
+ if (state->search_bases[state->base_iter] != NULL) {
+ ret = rfc2307bis_nested_groups_next_base(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* Reset the base iterator for future lookups */
+ state->base_iter = 0;
+
+ /* Save the group into the hash table */
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(state, state->primary_name);
+ if (!key.str) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ /* Steal the nested group entry on the group_hash context so it can
+ * outlive this request */
+ talloc_steal(state->group_hash, ngr);
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = ngr;
+
+ hret = hash_enter(state->group_hash, &key, &value);
+ if (hret != HASH_SUCCESS) {
+ talloc_free(key.str);
+ tevent_req_error(req, EIO);
+ return;
+ }
+ talloc_free(key.str);
+
+ if (ngr->parents_count == 0) {
+ /* No parent groups for this group in LDAP
+ * Move on to the next group
+ */
+ rfc2307bis_nested_groups_iterate(req, state);
+ return;
+ }
+
+ /* Otherwise, recurse into the groups */
+ subreq = rfc2307bis_nested_groups_send(
+ state, state->ev, state->opts, state->sysdb,
+ state->dom, state->sh,
+ state->search_bases,
+ ngr->ldap_parents,
+ ngr->parents_count,
+ state->group_hash,
+ state->nesting_level+1);
+ if (!subreq) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+ tevent_req_set_callback(subreq, rfc2307bis_nested_groups_done, req);
+}
+
+errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+static void 
rfc2307bis_nested_groups_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_rfc2307bis_nested_ctx *state =
+ tevent_req_data(req, struct sdap_rfc2307bis_nested_ctx);
+
+ ret = rfc2307bis_nested_groups_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "rfc2307bis_nested failed [%d][%s]\n",
+ ret, strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ rfc2307bis_nested_groups_iterate(req, state);
+}
+
+/* ==Initgr-call-(groups-a-user-is-member-of)============================= */
+
+struct sdap_get_initgr_state {
+ struct tevent_context *ev;
+ struct sysdb_ctx *sysdb;
+ struct sdap_options *opts;
+ struct sss_domain_info *dom;
+ struct sdap_domain *sdom;
+ struct sdap_handle *sh;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_id_conn_ctx *conn;
+ const char *filter_value;
+ const char **grp_attrs;
+ const char **user_attrs;
+ char *user_base_filter;
+ char *shortname;
+ char *filter;
+ int timeout;
+ bool non_posix;
+
+ struct sysdb_attrs *orig_user;
+
+ size_t user_base_iter;
+ struct sdap_search_base **user_search_bases;
+
+ bool use_id_mapping;
+};
+
+static errno_t sdap_get_initgr_next_base(struct tevent_req *req);
+static void sdap_get_initgr_user(struct tevent_req *subreq);
+static void sdap_get_initgr_done(struct tevent_req *subreq);
+
+struct tevent_req *sdap_get_initgr_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_domain *sdom,
+ struct sdap_handle *sh,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
+ const char *filter_value,
+ int filter_type,
+ const char *extra_value,
+ const char **grp_attrs)
+{
+ struct tevent_req *req;
+ struct sdap_get_initgr_state *state;
+ int ret;
+ char *clean_name;
+ bool use_id_mapping;
+ const char *search_attr = NULL;
+ char *ep_filter;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Retrieving info for initgroups call\n");
+
+ req = tevent_req_create(memctx, &state, struct 
sdap_get_initgr_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = id_ctx->opts;
+ state->dom = sdom->dom;
+ state->sysdb = sdom->dom->sysdb;
+ state->sdom = sdom;
+ state->sh = sh;
+ state->id_ctx = id_ctx;
+ state->conn = conn;
+ state->filter_value = filter_value;
+ state->grp_attrs = grp_attrs;
+ state->orig_user = NULL;
+ state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
+ state->user_base_iter = 0;
+ state->user_search_bases = sdom->user_search_bases;
+ if (!state->user_search_bases) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Initgroups lookup request without a user search base\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (state->dom->type == DOM_TYPE_APPLICATION) {
+ state->non_posix = true;
+ }
+
+ use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ id_ctx->opts->idmap_ctx,
+ sdom->dom->name,
+ sdom->dom->domain_id);
+
+ switch (filter_type) {
+ case BE_FILTER_SECID:
+ search_attr = state->opts->user_map[SDAP_AT_USER_OBJECTSID].name;
+
+ ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
+ if (ret != EOK) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ break;
+ case BE_FILTER_UUID:
+ search_attr = state->opts->user_map[SDAP_AT_USER_UUID].name;
+
+ ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
+ if (ret != EOK) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ break;
+ case BE_FILTER_NAME:
+ if (extra_value && strcmp(extra_value, EXTRA_NAME_IS_UPN) == 0) {
+
+ ret = sss_filter_sanitize(state, state->filter_value, &clean_name);
+ if (ret != EOK) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ ep_filter = get_enterprise_principal_string_filter(state,
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name, state->opts->basic);
+ state->user_base_filter =
+ talloc_asprintf(state,
+ "(&(|(%s=%s)(%s=%s)%s)(objectclass=%s)",
+ state->opts->user_map[SDAP_AT_USER_PRINC].name,
+ clean_name,
+ state->opts->user_map[SDAP_AT_USER_EMAIL].name,
+ clean_name,
+ ep_filter == NULL ? 
"" : ep_filter,
+ state->opts->user_map[SDAP_OC_USER].name);
+ if (state->user_base_filter == NULL) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ } else {
+ search_attr = state->opts->user_map[SDAP_AT_USER_NAME].name;
+
+ ret = sss_parse_internal_fqname(state, filter_value,
+ &state->shortname, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot parse %s\n", filter_value);
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(state, state->shortname, &clean_name);
+ if (ret != EOK) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported filter type [%d].\n",
+ filter_type);
+ return NULL;
+ }
+
+ if (search_attr == NULL && state->user_base_filter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing search attribute name or filter.\n");
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ if (state->user_base_filter == NULL) {
+ state->user_base_filter =
+ talloc_asprintf(state, "(&(%s=%s)(objectclass=%s)",
+ search_attr, clean_name,
+ state->opts->user_map[SDAP_OC_USER].name);
+ if (!state->user_base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ }
+
+ if (state->non_posix) {
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ ")");
+ } else if (use_id_mapping) {
+ /* When mapping IDs or looking for SIDs, we don't want to limit
+ * ourselves to users with a UID value. But there must be a SID to map
+ * from. 
+ */
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ "(%s=*))",
+ id_ctx->opts->user_map[SDAP_AT_USER_OBJECTSID].name);
+ } else {
+ /* When not ID-mapping or looking up app users, make sure there
+ * is a non-NULL UID */
+ state->user_base_filter = talloc_asprintf_append(state->user_base_filter,
+ "(&(%s=*)(!(%s=0))))",
+ id_ctx->opts->user_map[SDAP_AT_USER_UID].name,
+ id_ctx->opts->user_map[SDAP_AT_USER_UID].name);
+ }
+ if (!state->user_base_filter) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ ret = build_attrs_from_map(state,
+ state->opts->user_map,
+ state->opts->user_map_cnt,
+ NULL, &state->user_attrs, NULL);
+ if (ret) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ state->use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(
+ state->opts->idmap_ctx,
+ state->dom->name,
+ state->dom->domain_id);
+
+ ret = sdap_get_initgr_next_base(req);
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static errno_t sdap_get_initgr_next_base(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct sdap_get_initgr_state *state;
+
+ state = tevent_req_data(req, struct sdap_get_initgr_state);
+
+ talloc_zfree(state->filter);
+ state->filter = sdap_combine_filters(state, state->user_base_filter,
+ state->user_search_bases[state->user_base_iter]->filter);
+ if (!state->filter) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Searching for users with base [%s]\n",
+ state->user_search_bases[state->user_base_iter]->basedn);
+
+ subreq = sdap_get_generic_send(
+ state, state->ev, state->opts, state->sh,
+ state->user_search_bases[state->user_base_iter]->basedn,
+ state->user_search_bases[state->user_base_iter]->scope,
+ state->filter, state->user_attrs,
+ state->opts->user_map, state->opts->user_map_cnt,
+ state->timeout,
+ false);
+ if (!subreq) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, sdap_get_initgr_user, req);
+ return EOK;
+}
+
+static int 
sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
+ struct sysdb_attrs **users,
+ size_t count)
+{
+ int ret = EINVAL;
+
+ for (size_t i = 0; i < count; i++) {
+ if (sdap_object_in_domain(state->opts, users[i], state->dom) == false) {
+ continue;
+ }
+
+ state->orig_user = talloc_steal(state, users[i]);
+ ret = EOK;
+ break;
+ }
+
+ return ret;
+}
+
+static void sdap_get_initgr_user(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_get_initgr_state *state = tevent_req_data(req,
+ struct sdap_get_initgr_state);
+ struct sysdb_attrs **usr_attrs;
+ size_t count;
+ int ret;
+ errno_t sret;
+ const char *orig_dn;
+ const char *cname;
+ bool in_transaction = false;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Receiving info for the user\n");
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &usr_attrs);
+ talloc_zfree(subreq);
+ if (ret) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (count == 0) {
+ /* No users found in this search */
+ state->user_base_iter++;
+ if (state->user_search_bases[state->user_base_iter]) {
+ /* There are more search bases to try */
+ ret = sdap_get_initgr_next_base(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* fallback to fetch a local user if required */
+ if ((state->opts->schema_type == SDAP_SCHEMA_RFC2307) &&
+ (dp_opt_get_bool(state->opts->basic,
+ SDAP_RFC2307_FALLBACK_TO_LOCAL_USERS) == true)) {
+ ret = sdap_fallback_local_user(state, state->shortname, -1, &usr_attrs);
+ if (ret == EOK) {
+ state->orig_user = usr_attrs[0];
+ }
+ } else {
+ ret = ENOENT;
+ }
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ } else if (count == 1) {
+ state->orig_user = usr_attrs[0];
+ } else if (count != 1) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The search returned %zu entries, need to match the correct one\n",
+ count);
+
+ /* When matching against a search base, it's sufficient to pick only
+ * the first search base 
because all bases in a single domain would
+ * have the same DC= components
+ */
+ ret = sdap_search_initgr_user_in_batch(state, usr_attrs, count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_search_initgr_user_in_batch failed [%d]: %s :"
+ "SSSD can't select a user that matches domain %s\n",
+ ret, sss_strerror(ret), state->dom->name);
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+
+ ret = sysdb_transaction_start(state->sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto fail;
+ }
+ in_transaction = true;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Storing the user\n");
+
+ ret = sdap_save_user(state, state->opts, state->dom, state->orig_user,
+ NULL, NULL, 0);
+ if (ret) {
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Commit change\n");
+
+ ret = sysdb_transaction_commit(state->sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto fail;
+ }
+ in_transaction = false;
+
+ ret = sysdb_get_real_name(state, state->dom, state->filter_value, &cname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot canonicalize username\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Process user's groups\n");
+
+ switch (state->opts->schema_type) {
+ case SDAP_SCHEMA_RFC2307:
+ subreq = sdap_initgr_rfc2307_send(state, state->ev, state->opts,
+ state->sysdb, state->dom, state->sh,
+ cname);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_get_initgr_done, req);
+ break;
+
+ case SDAP_SCHEMA_RFC2307BIS:
+ case SDAP_SCHEMA_AD:
+ ret = sysdb_attrs_get_string(state->orig_user,
+ SYSDB_ORIG_DN,
+ &orig_dn);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2003
+ && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) {
+ /* Take advantage of AD's tokenGroups mechanism to look up all
+ * parent groups in a single request. 
+ */
+ subreq = sdap_ad_tokengroups_initgroups_send(state, state->ev,
+ state->id_ctx,
+ state->conn,
+ state->opts,
+ state->sysdb,
+ state->dom,
+ state->sh,
+ cname, orig_dn,
+ state->timeout,
+ state->use_id_mapping);
+ } else if (state->opts->support_matching_rule
+ && dp_opt_get_bool(state->opts->basic,
+ SDAP_AD_MATCHING_RULE_INITGROUPS)) {
+ /* Take advantage of AD's extensibleMatch filter to look up
+ * all parent groups in a single request.
+ */
+ subreq = sdap_get_ad_match_rule_initgroups_send(state, state->ev,
+ state->opts,
+ state->sysdb,
+ state->dom,
+ state->sh,
+ cname, orig_dn,
+ state->timeout);
+ } else {
+ subreq = sdap_initgr_rfc2307bis_send(
+ state, state->ev, state->opts,
+ state->sdom, state->sh,
+ cname, orig_dn);
+ }
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ talloc_steal(subreq, orig_dn);
+ tevent_req_set_callback(subreq, sdap_get_initgr_done, req);
+ break;
+
+ case SDAP_SCHEMA_IPA_V1:
+ subreq = sdap_initgr_nested_send(state, state->ev, state->opts,
+ state->sysdb, state->dom, state->sh,
+ state->orig_user, state->grp_attrs);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sdap_get_initgr_done, req);
+ return;
+
+ default:
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ return;
+fail:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(state->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ tevent_req_error(req, ret);
+}
+
+static void sdap_ad_check_domain_local_groups_done(struct tevent_req *subreq);
+
+errno_t sdap_ad_check_domain_local_groups(struct tevent_req *req)
+{
+ struct sdap_get_initgr_state *state = tevent_req_data(req,
+ struct sdap_get_initgr_state);
+ int ret;
+ struct sdap_domain *local_sdom;
+ const char *orig_name;
+ const char *sysdb_name;
+ struct ldb_result *res;
+ struct tevent_req *subreq;
+ struct sysdb_attrs **groups;
+
+ /* We only need to check for domain local groups in 
the AD case and if the
+ * user is not from our domain, i.e. if the user comes from a sub-domain.
+ */
+ if (state->opts->schema_type != SDAP_SCHEMA_AD
+ || !IS_SUBDOMAIN(state->dom)
+ || !dp_target_enabled(state->id_ctx->be->provider, "ad", DPT_ID)) {
+ return EOK;
+ }
+
+ local_sdom = sdap_domain_get(state->id_ctx->opts, state->dom->parent);
+ if (local_sdom == NULL || local_sdom->pvt == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+ state->dom->parent->name);
+ return EINVAL;
+ }
+
+ ret = sysdb_attrs_get_string(state->orig_user, SYSDB_NAME, &orig_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing name in user object.\n");
+ return ret;
+ }
+
+ sysdb_name = sss_create_internal_fqname(state, orig_name, state->dom->name);
+ if (sysdb_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_create_internal_fqname failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_initgroups(state, state->dom, sysdb_name, &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_initgroups failed for user [%s].\n",
+ sysdb_name);
+ return ret;
+ }
+
+ if (res->count == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_initgroups returned no results for user [%s].\n",
+ sysdb_name);
+ return EINVAL;
+ }
+
+ /* The user object, the first entry in the res->msgs, is included as well
+ * to cover the case where the remote user is directly added to
+ * a domain local group. 
*/
+ ret = sysdb_msg2attrs(state, res->count, res->msgs, &groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_msg2attrs failed.\n");
+ return ret;
+ }
+
+ subreq = sdap_ad_get_domain_local_groups_send(state, state->ev, local_sdom,
+ state->opts, state->sysdb, state->dom->parent,
+ groups, res->count);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_ad_get_domain_local_groups_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_check_domain_local_groups_done,
+ req);
+
+ return EAGAIN;
+}
+
+static void sdap_ad_check_domain_local_groups_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ int ret;
+
+ ret = sdap_ad_get_domain_local_groups_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+
+ return;
+}
+
+static void sdap_get_initgr_pgid(struct tevent_req *req);
+static void sdap_get_initgr_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_get_initgr_state *state = tevent_req_data(req,
+ struct sdap_get_initgr_state);
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ gid_t primary_gid;
+ char *gid;
+ char *sid_str;
+ char *dom_sid_str;
+ char *group_sid_str;
+ struct sdap_options *opts = state->opts;
+ struct ldb_message *msg;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Initgroups done\n");
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ switch (state->opts->schema_type) {
+ case SDAP_SCHEMA_RFC2307:
+ ret = sdap_initgr_rfc2307_recv(subreq);
+ break;
+
+ case SDAP_SCHEMA_RFC2307BIS:
+ case SDAP_SCHEMA_AD:
+ if (state->opts->dc_functional_level >= DS_BEHAVIOR_WIN2003
+ && dp_opt_get_bool(state->opts->basic, SDAP_AD_USE_TOKENGROUPS)) {
+
+ ret = sdap_ad_tokengroups_initgroups_recv(subreq);
+ }
+ else if (state->opts->support_matching_rule
+ && 
dp_opt_get_bool(state->opts->basic,
+ SDAP_AD_MATCHING_RULE_INITGROUPS)) {
+ ret = sdap_get_ad_match_rule_initgroups_recv(subreq);
+ } else {
+ ret = sdap_initgr_rfc2307bis_recv(subreq);
+ }
+ break;
+
+ case SDAP_SCHEMA_IPA_V1:
+ ret = sdap_initgr_nested_recv(subreq);
+ break;
+
+ default:
+
+ ret = EINVAL;
+ break;
+ }
+
+ talloc_zfree(subreq);
+ if (ret) {
+ DEBUG(SSSDBG_TRACE_ALL, "Error in initgroups: [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* We also need to update the user's primary group, since
+ * the user may not be an explicit member of that group
+ */
+
+ if (state->use_id_mapping) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Mapping primary group to unix ID\n");
+
+ /* The primary group ID is just the RID part of the objectSID
+ * of the group. Generate the GID by adding this to the domain
+ * SID value.
+ */
+
+ /* Get the user SID so we can extract the domain SID
+ * from it.
+ */
+ ret = sdap_attrs_get_sid_str(
+ tmp_ctx, opts->idmap_ctx, state->orig_user,
+ opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name,
+ &sid_str);
+ if (ret != EOK) goto done;
+
+ /* Get the domain SID from the user SID */
+ ret = sdap_idmap_get_dom_sid_from_object(tmp_ctx, sid_str,
+ &dom_sid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not parse domain SID from [%s]\n", sid_str);
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_uint32_t(
+ state->orig_user,
+ opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name,
+ &primary_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "no primary group ID provided\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Add the RID to the end */
+ group_sid_str = talloc_asprintf(tmp_ctx, "%s-%lu",
+ dom_sid_str,
+ (unsigned long)primary_gid);
+ if (!group_sid_str) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Convert the SID into a UNIX group ID */
+ ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str,
+ &primary_gid);
+ if (ret != EOK) goto done;
+ } else {
+ ret = sysdb_attrs_get_uint32_t(state->orig_user, SYSDB_GIDNUM, 
+ &primary_gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Could not find user's primary GID\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_search_group_by_gid(tmp_ctx, state->dom, primary_gid, NULL,
+ &msg);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Primary group already cached, nothing to do.\n");
+ } else {
+ gid = talloc_asprintf(state, "%lu", (unsigned long)primary_gid);
+ if (gid == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ subreq = groups_get_send(req, state->ev, state->id_ctx,
+ state->id_ctx->opts->sdom, state->conn,
+ gid, BE_FILTER_IDNUM, false,
+ false);
+ if (!subreq) {
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, sdap_get_initgr_pgid, req);
+
+ talloc_free(tmp_ctx);
+ return;
+ }
+
+ ret = sdap_ad_check_domain_local_groups(req);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Checking for domain local group memberships.\n");
+ talloc_free(tmp_ctx);
+ return;
+ } else if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No need to check for domain local group memberships.\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_ad_check_domain_local_groups failed, "
+ "memberships to domain local groups might be missing.\n");
+ /* do not let the request fail completely because we already have at
+ * least "some" groups */
+ ret = EOK;
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ return;
+}
+
+static void sdap_get_initgr_pgid(struct tevent_req *subreq)
+{
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ errno_t ret;
+
+ ret = groups_get_recv(subreq, NULL, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = sdap_ad_check_domain_local_groups(req);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Checking for domain local group memberships.\n");
+ return;
+ } else if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "No need to check for domain local group 
memberships.\n");
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_ad_check_domain_local_groups failed, "
+ "memberships to domain local groups might be missing.\n");
+ /* do not let the request fail completely because we already have at
+ * least "some" groups */
+ }
+
+ tevent_req_done(req);
+ return;
+}
+
+int sdap_get_initgr_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+static errno_t get_sysdb_grouplist_ex(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *name,
+ char ***grouplist,
+ bool get_dn)
+{
+ errno_t ret;
+ const char *attrs[2];
+ struct ldb_message *msg;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message_element *groups;
+ char **sysdb_grouplist = NULL;
+ unsigned int i;
+
+ attrs[0] = SYSDB_MEMBEROF;
+ attrs[1] = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = sysdb_search_user_by_name(tmp_ctx, domain, name,
+ attrs, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error searching user [%s] by name: [%s]\n",
+ name, strerror(ret));
+ goto done;
+ }
+
+ groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
+ if (!groups || groups->num_values == 0) {
+ /* No groups for this user in sysdb currently */
+ sysdb_grouplist = NULL;
+ } else {
+ sysdb_grouplist = talloc_array(tmp_ctx, char *, groups->num_values+1);
+ if (!sysdb_grouplist) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (get_dn) {
+ /* Get distinguish name */
+ for (i=0; i < groups->num_values; i++) {
+ sysdb_grouplist[i] = talloc_strdup(sysdb_grouplist,
+ (const char *)groups->values[i].data);
+ if (sysdb_grouplist[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ } else {
+ /* Get a list of the groups by groupname only */
+ for (i=0; i < groups->num_values; i++) {
+ ret = sysdb_group_dn_name(sysdb,
+ sysdb_grouplist,
+ (const char *)groups->values[i].data,
+ &sysdb_grouplist[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not determine group name from [%s]: 
[%s]\n",
+ (const char *)groups->values[i].data, strerror(ret));
+ goto done;
+ }
+ }
+ }
+
+ sysdb_grouplist[groups->num_values] = NULL;
+ }
+
+ *grouplist = talloc_steal(mem_ctx, sysdb_grouplist);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t get_sysdb_grouplist(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *name,
+ char ***grouplist)
+{
+ return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain,
+ name, grouplist, false);
+}
+
+errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ const char *name,
+ char ***grouplist)
+{
+ return get_sysdb_grouplist_ex(mem_ctx, sysdb, domain,
+ name, grouplist, true);
+}
+
+errno_t
+sdap_handle_id_collision_for_incomplete_groups(struct data_provider *dp,
+ struct sss_domain_info *domain,
+ const char *name,
+ gid_t gid,
+ const char *original_dn,
+ const char *sid_str,
+ const char *uuid,
+ bool posix,
+ time_t now)
+{
+ errno_t ret;
+
+ ret = sysdb_delete_group(domain, NULL, gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Due to an id collision, the new group with gid [\"%"PRIu32"\"] "
+ "will not be added as the old group (with the same gid) could "
+ "not be removed from the sysdb!",
+ gid);
+ return ret;
+ }
+
+ ret = sysdb_add_incomplete_group(domain, name, gid, original_dn, sid_str,
+ uuid, posix, now);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ dp_sbus_invalidate_group_memcache(dp, gid);
+
+ return EOK;
+}
diff --git a/src/providers/ldap/sdap_async_initgroups_ad.c b/src/providers/ldap/sdap_async_initgroups_ad.c
new file mode 100644
index 0000000..22209ea
--- /dev/null
+++ b/src/providers/ldap/sdap_async_initgroups_ad.c
@@ -0,0 +1,2000 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_async_ad.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/sdap_idmap.h"
+#include "providers/ad/ad_common.h"
+#include "lib/idmap/sss_idmap.h"
+
+struct sdap_ad_match_rule_initgr_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+ struct sdap_handle *sh;
+ const char *name;
+ const char *orig_dn;
+ const char **attrs;
+ int timeout;
+ const char *base_filter;
+ char *filter;
+
+ size_t count;
+ struct sysdb_attrs **groups;
+
+ size_t base_iter;
+ struct sdap_search_base **search_bases;
+};
+
+static errno_t
+sdap_get_ad_match_rule_initgroups_next_base(struct tevent_req *req);
+
+static void
+sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_get_ad_match_rule_initgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sdap_handle *sh,
+ const char *name,
+ const char *orig_dn,
+ int timeout)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct sdap_ad_match_rule_initgr_state *state;
+ const 
char **filter_members;
+ char *sanitized_user_dn;
+ char *oc_list;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_ad_match_rule_initgr_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sysdb = sysdb;
+ state->domain = domain;
+ state->sh = sh;
+ state->name = name;
+ state->orig_dn = orig_dn;
+ state->base_iter = 0;
+ state->search_bases = opts->sdom->group_search_bases;
+
+ /* Request all of the group attributes that we know
+ * about, except for 'member' because that wastes a
+ * lot of bandwidth here and we only really
+ * care about a single member (the one we already
+ * have).
+ */
+ filter_members = talloc_array(state, const char *, 2);
+ if (!filter_members) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ filter_members[0] = opts->group_map[SDAP_AT_GROUP_MEMBER].name;
+ filter_members[1] = NULL;
+
+ ret = build_attrs_from_map(state, opts->group_map,
+ SDAP_OPTS_GROUP,
+ filter_members,
+ &state->attrs, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not build attribute map: [%s]\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ /* Sanitize the user DN in case we have special characters in DN */
+ ret = sss_filter_sanitize(state, state->orig_dn, &sanitized_user_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not sanitize user DN: %s\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ /* Craft a special filter according to
+ * http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
+ */
+ oc_list = sdap_make_oc_list(state, state->opts->group_map);
+ if (oc_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ state->base_filter =
+ talloc_asprintf(state,
+ "(&(%s:%s:=%s)(%s))",
+ state->opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ SDAP_MATCHING_RULE_IN_CHAIN,
+ sanitized_user_dn, oc_list);
+ talloc_zfree(sanitized_user_dn);
+ if (!state->base_filter) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ /* Start the loop through the search bases to get all of the
+ * groups to which this user belongs.
+ */
+ ret = sdap_get_ad_match_rule_initgroups_next_base(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sdap_get_ad_match_rule_members_next_base failed: [%s]\n",
+ strerror(ret));
+ goto immediate;
+ }
+
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+sdap_get_ad_match_rule_initgroups_next_base(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct sdap_ad_match_rule_initgr_state *state;
+
+ state = tevent_req_data(req, struct sdap_ad_match_rule_initgr_state);
+
+ talloc_zfree(state->filter);
+ state->filter = sdap_combine_filters(state, state->base_filter,
+ state->search_bases[state->base_iter]->filter);
+ if (!state->filter) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Searching for groups with base [%s]\n",
+ state->search_bases[state->base_iter]->basedn);
+
+ subreq = sdap_get_generic_send(
+ state, state->ev, state->opts, state->sh,
+ state->search_bases[state->base_iter]->basedn,
+ state->search_bases[state->base_iter]->scope,
+ state->filter, state->attrs,
+ state->opts->group_map, SDAP_OPTS_GROUP,
+ state->timeout, true);
+ if (!subreq) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq,
+ sdap_get_ad_match_rule_initgroups_step,
+ req);
+
+ return EOK;
+}
+
+static void
+sdap_get_ad_match_rule_initgroups_step(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req =
+ tevent_req_callback_data(subreq, struct tevent_req);
+ struct sdap_ad_match_rule_initgr_state *state =
+ tevent_req_data(req, struct sdap_ad_match_rule_initgr_state);
+ size_t count, i;
+ struct sysdb_attrs **groups;
+ char **sysdb_grouplist;
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &groups);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "LDAP search failed: [%s]\n", sss_strerror(ret));
+ goto error;
+ }
+
+
DEBUG(SSSDBG_TRACE_LIBS,
+ "Search for users returned %zu results\n", count);
+
+ /* Add this batch of groups to the list */
+ if (count > 0) {
+ state->groups = talloc_realloc(state, state->groups,
+ struct sysdb_attrs *,
+ state->count + count + 1);
+ if (!state->groups) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ /* Copy the new groups into the list */
+ for (i = 0; i < count; i++) {
+ state->groups[state->count + i] =
+ talloc_steal(state->groups, groups[i]);
+ }
+
+ state->count += count;
+ state->groups[state->count] = NULL;
+ }
+
+ /* Continue checking other search bases */
+ state->base_iter++;
+ if (state->search_bases[state->base_iter]) {
+ /* There are more search bases to try */
+ ret = sdap_get_ad_match_rule_initgroups_next_base(req);
+ if (ret != EOK) {
+ goto error;
+ }
+ return;
+ }
+
+ /* No more search bases. Save the groups. */
+
+ if (state->count == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User is not a member of any group in the search bases\n");
+ }
+
+ /* Get the current sysdb group list for this user
+ * so we can update it.
+ */
+ ret = get_sysdb_grouplist(state, state->sysdb, state->domain,
+ state->name, &sysdb_grouplist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not get the list of groups for [%s] in the sysdb: "
+ "[%s]\n",
+ state->name, strerror(ret));
+ goto error;
+ }
+
+ /* The extensibleMatch search rule eliminates the need for
+ * nested group searches, so we can just update the
+ * memberships now.
+ */
+ ret = sdap_initgr_common_store(state->sysdb,
+ state->domain,
+ state->opts,
+ state->name,
+ SYSDB_MEMBER_USER,
+ sysdb_grouplist,
+ state->groups,
+ state->count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not store groups for user [%s]: [%s]\n",
+ state->name, strerror(ret));
+ goto error;
+ }
+
+ tevent_req_done(req);
+ return;
+
+error:
+ tevent_req_error(req, ret);
+}
+
+errno_t
+sdap_get_ad_match_rule_initgroups_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct sdap_get_ad_tokengroups_state {
+ struct tevent_context *ev;
+ struct sss_idmap_ctx *idmap_ctx;
+ const char *username;
+
+ char **sids;
+ size_t num_sids;
+};
+
+static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_get_ad_tokengroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ const char *name,
+ const char *orig_dn,
+ int timeout)
+{
+ struct sdap_get_ad_tokengroups_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ const char *attrs[] = {AD_TOKENGROUPS_ATTR, NULL};
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_get_ad_tokengroups_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->idmap_ctx = opts->idmap_ctx->map;
+ state->ev = ev;
+ state->username = talloc_strdup(state, name);
+ if (state->username == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_get_generic_send(state, state->ev, opts, sh, orig_dn,
+ LDAP_SCOPE_BASE, NULL, attrs,
+ NULL, 0, timeout, false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_get_ad_tokengroups_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_get_ad_tokengroups_done(struct tevent_req *subreq)
+{
+ struct sdap_get_ad_tokengroups_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sysdb_attrs **users = NULL;
+ struct ldb_message_element *el = NULL;
+ enum idmap_error_code err;
+ char *sid_str = NULL;
+ size_t num_users;
+ size_t i;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_get_ad_tokengroups_state);
+
+ ret = sdap_get_generic_recv(subreq, state, &num_users, &users);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "LDAP search failed: [%s]\n", sss_strerror(ret));
+ goto done;
+ }
+
+ if (num_users != 1) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "More than one result on a base search!\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* get the list of sids from tokengroups */
+ ret = sysdb_attrs_get_el_ext(users[0], AD_TOKENGROUPS_ATTR, false, &el);
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_LIBS, "No tokenGroups entries for [%s]\n",
+ state->username);
+
+ state->sids = NULL;
+ state->num_sids = 0;
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not read tokenGroups attribute: "
+ "[%s]\n", strerror(ret));
+ goto done;
+ }
+
+ state->num_sids = 0;
+ state->sids = talloc_zero_array(state, char*, el->num_values);
+ if (state->sids == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* convert binary sid to string */
+ for (i = 0; i < el->num_values; i++) {
+ err = sss_idmap_bin_sid_to_sid(state->idmap_ctx, el->values[i].data,
+ el->values[i].length, &sid_str);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not convert binary SID to string: [%s].
Skipping\n",
+ idmap_error_string(err));
+ continue;
+ }
+
+ state->sids[i] = talloc_move(state->sids, &sid_str);
+ state->num_sids++;
+ }
+
+ /* shrink array to final number of elements */
+ state->sids = talloc_realloc(state, state->sids, char*, state->num_sids);
+ if (state->sids == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t sdap_get_ad_tokengroups_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ size_t *_num_sids,
+ char ***_sids)
+{
+ struct sdap_get_ad_tokengroups_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_get_ad_tokengroups_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_num_sids != NULL) {
+ *_num_sids = state->num_sids;
+ }
+
+ if (_sids != NULL) {
+ *_sids = talloc_steal(mem_ctx, state->sids);
+ }
+
+ return EOK;
+}
+
+errno_t
+sdap_ad_tokengroups_update_members(const char *username,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ char **ldap_groups)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char **sysdb_groups = NULL;
+ char **add_groups = NULL;
+ char **del_groups = NULL;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ /* Get the current sysdb group list for this user so we can update it. */
+ ret = get_sysdb_grouplist_dn(tmp_ctx, sysdb, domain,
+ username, &sysdb_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not get the list of groups for "
+ "[%s] in the sysdb: [%s]\n", username, strerror(ret));
+ goto done;
+ }
+
+ /* Find the differences between the sysdb and LDAP lists.
+ * Groups in the sysdb only must be removed.
*/
+ ret = diff_string_lists(tmp_ctx, ldap_groups, sysdb_groups,
+ &add_groups, &del_groups, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Updating memberships for [%s]\n", username);
+
+ ret = sysdb_update_members_dn(domain, username, SYSDB_MEMBER_USER,
+ (const char *const *) add_groups,
+ (const char *const *) del_groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+struct sdap_ad_resolve_sids_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_options *opts;
+ struct sss_domain_info *domain;
+ char **sids;
+
+ const char *current_sid;
+ int index;
+};
+
+static errno_t sdap_ad_resolve_sids_step(struct tevent_req *req);
+static void sdap_ad_resolve_sids_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_ad_resolve_sids_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
+ struct sdap_options *opts,
+ struct sss_domain_info *domain,
+ char **sids)
+{
+ struct sdap_ad_resolve_sids_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_ad_resolve_sids_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->id_ctx = id_ctx;
+ state->conn = conn;
+ state->opts = opts;
+ state->domain = get_domains_head(domain);
+ state->sids = sids;
+ state->index = 0;
+
+ if (state->sids == NULL || state->sids[0] == NULL) {
+ ret = EOK;
+ goto immediately;
+ }
+
+ ret = sdap_ad_resolve_sids_step(req);
+ if (ret != EAGAIN) {
+ goto immediately;
+ }
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t
sdap_ad_resolve_sids_step(struct tevent_req *req)
+{
+ struct sdap_ad_resolve_sids_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_domain *sdap_domain = NULL;
+ struct sss_domain_info *domain = NULL;
+
+ state = tevent_req_data(req, struct sdap_ad_resolve_sids_state);
+
+ do {
+ state->current_sid = state->sids[state->index];
+ if (state->current_sid == NULL) {
+ return EOK;
+ }
+ state->index++;
+
+ domain = sss_get_domain_by_sid_ldap_fallback(state->domain,
+ state->current_sid);
+
+ if (domain == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "SID %s does not belong to any known "
+ "domain\n", state->current_sid);
+ }
+ } while (domain == NULL);
+
+ sdap_domain = sdap_domain_get(state->opts, domain);
+ if (sdap_domain == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "SDAP domain does not exist?\n");
+ return ERR_INTERNAL;
+ }
+
+ subreq = groups_get_send(state, state->ev, state->id_ctx, sdap_domain,
+ state->conn, state->current_sid,
+ BE_FILTER_SECID, false, true);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_resolve_sids_done, req);
+
+ return EAGAIN;
+}
+
+static void sdap_ad_resolve_sids_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_resolve_sids_state *state = NULL;
+ struct tevent_req *req = NULL;
+ int dp_error;
+ int sdap_error;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_ad_resolve_sids_state);
+
+ ret = groups_get_recv(subreq, &dp_error, &sdap_error);
+ talloc_zfree(subreq);
+
+ if (ret == EOK && sdap_error == ENOENT && dp_error == DP_ERR_OK) {
+ /* Group was not found, we will ignore the error and continue with
+ * next group. This may happen for example if the group is built-in,
+ * but a custom search base is provided.
*/
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to resolve SID %s - will try next sid.\n",
+ state->current_sid);
+ } else if (ret != EOK || sdap_error != EOK || dp_error != DP_ERR_OK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to resolve SID %s [dp_error: %d, "
+ "sdap_error: %d, ret: %d]: %s\n", state->current_sid, dp_error,
+ sdap_error, ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_ad_resolve_sids_step(req);
+ if (ret == EAGAIN) {
+ /* continue with next SID */
+ return;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t sdap_ad_resolve_sids_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+
+struct sdap_ad_tokengroups_initgr_mapping_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+ struct sdap_idmap_ctx *idmap_ctx;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+ const char *orig_dn;
+ int timeout;
+ const char *username;
+
+ struct sdap_id_op *op;
+};
+
+static void
+sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq);
+static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq);
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ const char *orig_dn,
+ int timeout,
+ const char *username,
+ struct sdap_handle *sh,
+ struct tevent_req *req,
+ tevent_req_fn callback);
+
+static struct tevent_req *
+sdap_ad_tokengroups_initgr_mapping_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sdap_handle *sh,
+ const char *name,
+ const char *orig_dn,
+ int timeout)
+{
+ struct sdap_ad_tokengroups_initgr_mapping_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_domain *sdom;
+ struct ad_id_ctx *subdom_id_ctx;
+ errno_t ret;
+
+ req =
tevent_req_create(mem_ctx, &state,
+ struct sdap_ad_tokengroups_initgr_mapping_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sh = sh;
+ state->idmap_ctx = opts->idmap_ctx;
+ state->sysdb = sysdb;
+ state->domain = domain;
+ state->timeout = timeout;
+ state->orig_dn = orig_dn;
+ state->username = talloc_strdup(state, name);
+ if (state->username == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ sdom = sdap_domain_get(opts, domain);
+ if (sdom == NULL || sdom->pvt == NULL) {
+ ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+ state->username, sh, req,
+ sdap_ad_tokengroups_initgr_mapping_done);
+ if (ret == EOK) {
+ return req;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+ domain->name);
+ goto immediately;
+ }
+ }
+
+ subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
+ state->op = sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
+ if (!state->op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq,
+ sdap_ad_tokengroups_initgr_mapping_connect_done,
+ req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void
+sdap_ad_tokengroups_initgr_mapping_connect_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgr_mapping_state *state = NULL;
+ struct tevent_req *req = NULL;
+ int ret;
+ int dp_error = DP_ERR_FATAL;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req,
+ struct sdap_ad_tokengroups_initgr_mapping_state);
+
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_get_ad_tokengroups_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->op),
+ state->username,
+ state->orig_dn, state->timeout);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgr_mapping_done,
+ req);
+
+ return;
+}
+
+errno_t sdap_ad_save_group_membership_with_idmapping(const char *username,
+ struct sdap_options *opts,
+ struct sss_domain_info *user_dom,
+ struct sdap_idmap_ctx *idmap_ctx,
+ size_t num_sids,
+ char **sids)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ struct ldb_message *msg = NULL;
+ const char *attrs[] = {SYSDB_NAME, NULL};
+ const char *name = NULL;
+ const char *sid = NULL;
+ size_t i;
+ time_t now;
+ gid_t gid;
+ char **groups = NULL;
+ size_t num_groups;
+ errno_t ret;
+ errno_t sret;
+ bool in_transaction = false;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ num_groups = 0;
+ groups = talloc_zero_array(tmp_ctx, char*, num_sids + 1);
+ if (groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ now = time(NULL);
+ ret = sysdb_transaction_start(user_dom->sysdb);
+ if (ret != EOK) {
+ goto done;
+ }
+ in_transaction = true;
+
+ for (i = 0; i < num_sids; i++) {
+ sid = sids[i];
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing membership SID [%s]\n", sid);
+
+ ret = sdap_idmap_sid_to_unix(idmap_ctx, sid, &gid);
+ if (ret == ENOTSUP) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n");
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not convert SID to GID: [%s].
"
+ "Skipping\n", strerror(ret));
+ continue;
+ }
+
+ domain = sss_get_domain_by_sid_ldap_fallback(user_dom, sid);
+ if (domain == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
+ continue;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "SID [%s] maps to GID [%"SPRIgid"]\n",
+ sid, gid);
+
+ /* Check whether this GID already exists in the sysdb */
+ ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, attrs, &msg);
+ if (ret == EOK) {
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not retrieve group name from sysdb\n");
+ ret = EINVAL;
+ goto done;
+ }
+ } else if (ret == ENOENT) {
+ /* This is a new group. For now, we will store it under the name
+ * of its SID. When a direct lookup of the group or its GID occurs,
+ * it will replace this temporary entry. */
+ name = sss_create_internal_fqname(tmp_ctx, sid, domain->name);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_add_incomplete_group(domain, name, gid,
+ NULL, sid, NULL, false, now);
+ if (ret == ERR_GID_DUPLICATED) {
+ /* In case o group id-collision, do:
+ * - Delete the group from sysdb
+ * - Add the new incomplete group
+ * - Notify the NSS responder that the entry has also to be
+ * removed from the memory cache
+ */
+ ret = sdap_handle_id_collision_for_incomplete_groups(
+ idmap_ctx->id_ctx->be->provider,
+ domain, name, gid, NULL, sid, NULL,
+ false, now);
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not create incomplete "
+ "group: [%s]\n", strerror(ret));
+ goto done;
+ }
+ } else {
+ /* Unexpected error */
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not look up group in sysdb: "
+ "[%s]\n", strerror(ret));
+ goto done;
+ }
+
+ groups[num_groups] = sysdb_group_strdn(tmp_ctx, domain->name, name);
+ if (groups[num_groups] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ num_groups++;
+ }
+
+ groups[num_groups] = NULL;
+
+ ret = sdap_ad_tokengroups_update_members(username,
user_dom->sysdb, user_dom,
+ groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_transaction_commit(user_dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not commit transaction! [%s]\n",
+ strerror(ret));
+ goto done;
+ }
+ in_transaction = false;
+
+done:
+ talloc_free(tmp_ctx);
+
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(user_dom->sysdb);
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not cancel transaction! [%s]\n",
+ strerror(sret));
+ }
+
+ return ret;
+}
+
+static void sdap_ad_tokengroups_initgr_mapping_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgr_mapping_state *state = NULL;
+ struct tevent_req *req = NULL;
+ char **sids = NULL;
+ size_t num_sids = 0;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_ad_tokengroups_initgr_mapping_state);
+
+ ret = sdap_get_ad_tokengroups_recv(state, subreq, &num_sids, &sids);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to acquire tokengroups [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_ad_save_group_membership_with_idmapping(state->username,
+ state->opts,
+ state->domain,
+ state->idmap_ctx,
+ num_sids,
+ sids);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_ad_save_group_membership_with_idmapping failed.\n");
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static int sdap_ad_tokengroups_initgr_mapping_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct sdap_ad_tokengroups_initgr_posix_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_id_conn_ctx *conn;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+ struct sysdb_ctx *sysdb;
+ struct sss_domain_info *domain;
+ const char *orig_dn;
+ int timeout;
+ const char *username;
+
+ struct sdap_id_op *op;
+ char **missing_sids;
+ size_t num_missing_sids;
+ char **cached_groups;
+ size_t num_cached_groups;
+};
+
+static void
+sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq);
+
+static void
+sdap_ad_tokengroups_initgr_posix_sids_connect_done(struct tevent_req *subreq);
+static void
+sdap_ad_tokengroups_initgr_posix_sids_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_ad_tokengroups_initgr_posix_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
+ struct sdap_options *opts,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sdap_handle *sh,
+ const char *name,
+ const char *orig_dn,
+ int timeout)
+{
+ struct sdap_ad_tokengroups_initgr_posix_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_domain *sdom;
+ struct ad_id_ctx *subdom_id_ctx;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_ad_tokengroups_initgr_posix_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->id_ctx = id_ctx;
+ state->conn = conn;
+ state->opts = opts;
+ state->sh = sh;
+ state->sysdb = sysdb;
+ state->domain = domain;
+ state->orig_dn = orig_dn;
+ state->timeout = timeout;
+ state->username = talloc_strdup(state, name);
+ if (state->username == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ sdom = sdap_domain_get(opts, domain);
+ if (sdom == NULL || sdom->pvt == NULL) {
+ ret = handle_missing_pvt(mem_ctx, ev, opts, orig_dn, timeout,
+ state->username, sh, req,
+ sdap_ad_tokengroups_initgr_posix_tg_done);
+ if (ret == EOK) {
+ return req;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No ID ctx available for [%s].\n",
+ domain->name);
+ goto immediately;
+ }
+ }
+ subdom_id_ctx = talloc_get_type(sdom->pvt, struct ad_id_ctx);
+ state->op =
sdap_id_op_create(state, subdom_id_ctx->ldap_ctx->conn_cache);
+ if (!state->op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq,
+ sdap_ad_tokengroups_initgr_posix_sids_connect_done,
+ req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void
+sdap_ad_tokengroups_initgr_posix_sids_connect_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgr_posix_state *state = NULL;
+ struct tevent_req *req = NULL;
+ int ret;
+ int dp_error = DP_ERR_FATAL;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req,
+ struct sdap_ad_tokengroups_initgr_posix_state);
+
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_get_ad_tokengroups_send(state, state->ev, state->opts,
+ sdap_id_op_handle(state->op),
+ state->username, state->orig_dn,
+ state->timeout);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgr_posix_tg_done,
+ req);
+
+ return;
+}
+
+errno_t
+sdap_ad_tokengroups_get_posix_members(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *user_domain,
+ size_t num_sids,
+ char **sids,
+ size_t *_num_missing,
+ char ***_missing,
+ size_t *_num_valid,
+ char ***_valid_groups)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ struct ldb_message *msg = NULL;
+ const char *attrs[] = {SYSDB_NAME, NULL};
+ const char *name = NULL;
+ char *sid = NULL;
+ char **valid_groups = NULL;
+ size_t num_valid_groups;
+ char **missing_sids = NULL;
+ size_t num_missing_sids;
+ size_t i;
+ errno_t
ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ num_valid_groups = 0;
+ valid_groups = talloc_zero_array(tmp_ctx, char*, num_sids + 1);
+ if (valid_groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ num_missing_sids = 0;
+ missing_sids = talloc_zero_array(tmp_ctx, char*, num_sids + 1);
+ if (missing_sids == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* For each SID check if it is already present in the cache. If yes, we
+ * will get name of the group and update the membership. Otherwise we need
+ * to remember the SID and download missing groups one by one. */
+ for (i = 0; i < num_sids; i++) {
+ sid = sids[i];
+ DEBUG(SSSDBG_TRACE_LIBS, "Processing membership SID [%s]\n", sid);
+
+ domain = sss_get_domain_by_sid_ldap_fallback(user_domain, sid);
+ if (domain == NULL) {
+ const char *check_dom;
+ const char *check_name;
+
+ ret = well_known_sid_to_name(sid, &check_dom, &check_name);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Skipping SID [%s][%s\\%s] which is "
+ "currently not handled by SSSD.\n",
+ sid, check_dom, check_name);
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Domain not found for SID %s\n", sid);
+ }
+ continue;
+ }
+
+ ret = sysdb_search_group_by_sid_str(tmp_ctx, domain, sid, attrs, &msg);
+ if (ret == EOK) {
+ /* we will update membership of this group */
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not retrieve group name from sysdb\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ valid_groups[num_valid_groups] = sysdb_group_strdn(valid_groups,
+ domain->name,
+ name);
+ if (valid_groups[num_valid_groups] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ num_valid_groups++;
+ } else if (ret == ENOENT) {
+ if (_missing != NULL) {
+ /* we need to download this group */
+ missing_sids[num_missing_sids] = talloc_steal(missing_sids,
+ sid);
+ num_missing_sids++;
+
+
DEBUG(SSSDBG_TRACE_FUNC, "Missing SID %s will be downloaded\n",
+ sid);
+ }
+
+ /* else: We have downloaded missing groups but some of them may
+ * remained missing because they are outside of search base. We
+ * will just ignore them and continue with the next group. */
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not look up SID %s in sysdb: "
+ "[%s]\n", sid, strerror(ret));
+ goto done;
+ }
+ }
+
+ valid_groups[num_valid_groups] = NULL;
+ missing_sids[num_missing_sids] = NULL;
+
+ /* return list of missing groups */
+ if (_missing != NULL) {
+ *_missing = talloc_steal(mem_ctx, missing_sids);
+ *_num_missing = num_missing_sids;
+ }
+
+ /* return list of missing groups */
+ if (_valid_groups != NULL) {
+ *_valid_groups = talloc_steal(mem_ctx, valid_groups);
+ *_num_valid = num_valid_groups;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static void
+sdap_ad_tokengroups_initgr_posix_tg_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgr_posix_state *state = NULL;
+ struct tevent_req *req = NULL;
+ char **sids = NULL;
+ size_t num_sids = 0;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_ad_tokengroups_initgr_posix_state);
+
+ ret = sdap_get_ad_tokengroups_recv(state, subreq, &num_sids, &sids);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to acquire tokengroups [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_ad_tokengroups_get_posix_members(state, state->domain,
+ num_sids, sids,
+ &state->num_missing_sids,
+ &state->missing_sids,
+ &state->num_cached_groups,
+ &state->cached_groups);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* download missing SIDs */
+ subreq = sdap_ad_resolve_sids_send(state, state->ev, state->id_ctx,
+ state->conn,
+ state->opts, state->domain,
+ state->missing_sids);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq,
sdap_ad_tokengroups_initgr_posix_sids_done, + req); + + return; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static void +sdap_ad_tokengroups_initgr_posix_sids_done(struct tevent_req *subreq) +{ + struct sdap_ad_tokengroups_initgr_posix_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + char **cached_groups; + size_t num_cached_groups; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_ad_tokengroups_initgr_posix_state); + + ret = sdap_ad_resolve_sids_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to resolve missing SIDs " + "[%d]: %s\n", ret, strerror(ret)); + goto done; + } + + ret = sdap_ad_tokengroups_get_posix_members(state, state->domain, + state->num_missing_sids, + state->missing_sids, + NULL, NULL, + &num_cached_groups, + &cached_groups); + if (ret != EOK){ + DEBUG(SSSDBG_MINOR_FAILURE, + "sdap_ad_tokengroups_get_posix_members failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + state->cached_groups = concatenate_string_array(state, + state->cached_groups, + state->num_cached_groups, + cached_groups, + num_cached_groups); + if (state->cached_groups == NULL) { + ret = ENOMEM; + goto done; + } + + /* update membership of existing groups */ + ret = sdap_ad_tokengroups_update_members(state->username, + state->sysdb, state->domain, + state->cached_groups); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Membership update failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t sdap_ad_tokengroups_initgr_posix_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct sdap_ad_get_domain_local_groups_state { + struct tevent_context *ev; + struct sdap_id_conn_ctx *conn; + struct sdap_options *opts; + struct 
sdap_id_op *op; + struct sysdb_ctx *sysdb; + struct sss_domain_info *dom; + int dp_error; + + struct sdap_search_base **search_bases; + struct sysdb_attrs **groups; + size_t num_groups; + hash_table_t *group_hash; +}; + +static void +sdap_ad_get_domain_local_groups_connect_done(struct tevent_req *subreq); +static void sdap_ad_get_domain_local_groups_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_ad_get_domain_local_groups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_domain *local_sdom, + struct sdap_options *opts, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sysdb_attrs **groups, + size_t num_groups) +{ + struct sdap_ad_get_domain_local_groups_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + struct ad_id_ctx *ad_id_ctx; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_ad_get_domain_local_groups_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + ad_id_ctx = talloc_get_type(local_sdom->pvt, struct ad_id_ctx); + state->conn = ad_id_ctx->ldap_ctx; + state->opts = opts; + state->sysdb = sysdb; + state->dom = dom; + state->search_bases = state->conn->id_ctx->opts->sdom->group_search_bases; + state->groups = groups; + state->num_groups = num_groups; + + ret = sss_hash_create(state, 32, &state->group_hash); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); + goto fail; + } + + state->op = sdap_id_op_create(state, state->conn->conn_cache); + if (state->op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto fail; + } + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed.\n"); + goto fail; + } + + tevent_req_set_callback(subreq, + sdap_ad_get_domain_local_groups_connect_done, req); + + return req; + +fail: + tevent_req_error(req, ret); 
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void
+sdap_ad_get_domain_local_groups_connect_done(struct tevent_req *subreq)
+{
+
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_ad_get_domain_local_groups_state *state = tevent_req_data(req,
+ struct sdap_ad_get_domain_local_groups_state);
+ int dp_error = DP_ERR_FATAL;
+ int ret;
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+ subreq = rfc2307bis_nested_groups_send(state, state->ev, state->opts,
+ state->sysdb, state->dom,
+ sdap_id_op_handle(state->op),
+ state->search_bases,
+ state->groups, state->num_groups,
+ state->group_hash, 0);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "rfc2307bis_nested_groups_send failed.\n");
+ state->dp_error = DP_ERR_FATAL;
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ tevent_req_set_callback(subreq,
+ sdap_ad_get_domain_local_groups_done, req);
+
+ return;
+}
+
+struct sdap_nested_group {
+ struct sysdb_attrs *group;
+ struct sysdb_attrs **ldap_parents;
+ size_t parents_count;
+};
+
+static errno_t
+sdap_ad_get_domain_local_groups_parse_parents(TALLOC_CTX *mem_ctx,
+ struct sdap_nested_group *gr,
+ struct sss_domain_info *dom,
+ struct sysdb_ctx *sysdb,
+ struct sdap_options *opts,
+ const char **_sysdb_name,
+ enum sysdb_member_type *_type,
+ char ***_add_list,
+ char ***_del_list)
+{
+ int ret;
+ size_t c;
+ char **groupnamelist = NULL;
+ struct sysdb_attrs *groups[1];
+ enum sysdb_member_type type;
+ const char *sysdb_name;
+ const char *group_name;
+ const char *class;
+ struct sss_domain_info *obj_dom;
+ char *local_groups_base_dn;
+ char **cached_local_parents = NULL;
+ char **add_list = NULL;
+ char **del_list = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ local_groups_base_dn = talloc_asprintf(tmp_ctx, SYSDB_TMPL_GROUP_BASE,
+ dom->name);
+ if (local_groups_base_dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (gr->parents_count != 0) {
+ /* Store the parents if needed */
+ ret = sdap_nested_groups_store(sysdb, dom, opts,
+ gr->ldap_parents, gr->parents_count);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sysdb_attrs_primary_fqdn_list(dom, tmp_ctx,
+ gr->ldap_parents, gr->parents_count,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ &groupnamelist);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_primary_fqdn_list failed.\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_attrs_get_string(gr->group, SYSDB_NAME, &sysdb_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_attrs_get_string failed to get SYSDB_NAME, "
+ "skipping.\n");
+ goto done;
+ }
+
+ ret = sysdb_attrs_get_string(gr->group, SYSDB_OBJECTCATEGORY, &class);
+ if (ret != EOK) {
+ /* If objectcategory is missing, gr->group is a nested parent found during
+ * the nested group lookup. It might not already be stored in the cache.
+ */
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "sysdb_attrs_get_string failed to get %s for [%s], assuming "
+ "group.\n", SYSDB_OBJECTCATEGORY, sysdb_name);
+
+ /* make sure group exists in cache */
+ groups[0]= gr->group;
+ ret = sdap_nested_groups_store(sysdb, dom, opts, groups, 1);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not save groups [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* Since the object is coming from LDAP it cannot have the internal
+ * fully-qualified name, so we can expand it unconditionally. */
+ group_name = NULL;
+ ret = sysdb_attrs_primary_name(dom->sysdb, gr->group,
+ opts->group_map[SDAP_AT_GROUP_NAME].name,
+ &group_name);
+ if (ret != EOK || group_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not determine primary name\n");
+ group_name = sysdb_name;
+ }
+
+ group_name = sss_create_internal_fqname(tmp_ctx, group_name,
+ dom->name);
+ if (group_name != NULL) {
+ sysdb_name = group_name;
+ }
+
+ type = SYSDB_MEMBER_GROUP;
+ } else {
+ if (class != NULL && strcmp(class, SYSDB_USER_CLASS) == 0) {
+ type = SYSDB_MEMBER_USER;
+ } else {
+ type = SYSDB_MEMBER_GROUP;
+ }
+ }
+
+ /* We need to get the cached list of groups form the local domain the
+ * object is a member of to compare them with the current list just
+ * retrieved (groupnamelist). Even if this list is empty we have to
+ * proceed because the membership might have been removed recently on the
+ * server. */
+
+ obj_dom = find_domain_by_object_name(get_domains_head(dom),
+ sysdb_name);
+ if (obj_dom == NULL) {
+ obj_dom = dom;
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot find domain for [%s], "
+ "trying with local domain [%s].\n",
+ sysdb_name, obj_dom->name);
+ }
+
+ ret = sysdb_get_direct_parents(tmp_ctx, obj_dom, dom, type, sysdb_name,
+ &cached_local_parents);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,"sysdb_get_direct_parents failed.\n");
+ goto done;
+ }
+
+ if (cached_local_parents != NULL && cached_local_parents[0] == NULL) {
+ talloc_zfree(cached_local_parents);
+ }
+
+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
+ if (cached_local_parents != NULL) {
+ for (c = 0; cached_local_parents[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%s] cached_local_parents [%s].\n",
+ sysdb_name, cached_local_parents[c]);
+ }
+ }
+
+ if (groupnamelist != NULL) {
+ for (c = 0; groupnamelist[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%s] groupnamelist [%s].\n",
+ sysdb_name, groupnamelist[c]);
+ }
+ }
+ }
+
+ ret = diff_string_lists(tmp_ctx, cached_local_parents, groupnamelist,
+ &del_list, &add_list, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "diff_string_lists failed.\n");
+ goto done;
+ }
+
+ if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) {
+ if (add_list != NULL) {
+ for (c = 0; add_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "add: [%s] will be member of [%s].\n",
+ sysdb_name, add_list[c]);
+ }
+ }
+ if (del_list != NULL) {
+ for (c = 0; del_list[c] != NULL; c++) {
+ DEBUG(SSSDBG_TRACE_ALL, "del: [%s] was member of [%s].\n",
+ sysdb_name, del_list[c]);
+ }
+ }
+ }
+
+ *_type = type;
+ *_sysdb_name = talloc_steal(mem_ctx, sysdb_name);
+ *_add_list = talloc_steal(mem_ctx, groupnamelist);
+ *_del_list = talloc_steal(mem_ctx, del_list);
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static void sdap_ad_get_domain_local_groups_done(struct tevent_req *subreq)
+{
+
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sdap_ad_get_domain_local_groups_state *state = tevent_req_data(req,
+ struct sdap_ad_get_domain_local_groups_state);
+ int ret;
+ int hret;
+ unsigned long count;
+ hash_value_t *values = NULL;
+ struct sdap_nested_group *gr;
+ size_t c;
+ const char *sysdb_name = NULL;
+ enum sysdb_member_type type;
+ char **add_list = NULL;
+ char **del_list = NULL;
+
+ ret = rfc2307bis_nested_groups_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret == ENOENT) {
+ /* In case of ENOENT we can just proceed without making
+ * sdap_get_initgr_user() fail because there's no nested
+ * groups for this user/group. */
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ hret = hash_values(state->group_hash, &count, &values);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "hash_values failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ for (c = 0; c < count; c++) {
+ gr = talloc_get_type(values[c].ptr,
+ struct sdap_nested_group);
+
+ /* The values from the hash are either user or group objects returned
+ * by sysdb_initgroups() which where used to start the request or
+ * nested parents found during the request. The nested parents contain
+ * the processed LDAP data and can be identified by a missing
+ * objectclass attribute. */
+ ret = sdap_ad_get_domain_local_groups_parse_parents(state, gr,
+ state->dom,
+ state->sysdb,
+ state->opts,
+ &sysdb_name,
+ &type,
+ &add_list,
+ &del_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sdap_ad_get_domain_local_groups_parse_parents failed.\n");
+ continue;
+ }
+
+ if ((add_list == NULL && del_list == NULL)
+ || (add_list == NULL && del_list != NULL && del_list[0] == NULL)
+ || (add_list != NULL && add_list[0] == NULL && del_list == NULL)
+ || (add_list != NULL && add_list[0] == NULL
+ && del_list != NULL && del_list[0] == NULL) ) {
+ continue;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Updating domain local memberships for %s\n",
+ sysdb_name);
+ ret = sysdb_update_members(state->dom, sysdb_name, type,
+ (const char *const *) add_list,
+ (const char *const *) del_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_update_members failed.\n");
+ goto done;
+ }
+ }
+
+ ret = EOK;
+done:
+ talloc_zfree(values);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+errno_t sdap_ad_get_domain_local_groups_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct sdap_ad_tokengroups_initgroups_state {
+ bool use_id_mapping;
+ struct sss_domain_info *domain;
+};
+
+static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_ad_tokengroups_initgroups_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_id_conn_ctx *conn,
+ struct sdap_options *opts,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sdap_handle *sh,
+ const char *name,
+ const char *orig_dn,
+ int timeout,
+ bool use_id_mapping)
+{
+ struct sdap_ad_tokengroups_initgroups_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_ad_tokengroups_initgroups_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->use_id_mapping = use_id_mapping;
+ state->domain = domain;
+
+ /* We can compute the gidNumber attribute from SIDs obtained from
+ * the tokenGroups lookup in case ID mapping is used for a user from the
+ * parent domain. For trusted domains, we need to know the group type
+ * to be able to filter out domain-local groups. Additionally, as a
+ * temporary workaround until https://fedorahosted.org/sssd/ticket/2656
+ * is fixed, we also fetch the group object if group members are ignored
+ * to avoid having to transfer and retain members when the fake
+ * tokengroups object without name is replaced by the full group object
+ */
+ if (state->use_id_mapping
+ && !IS_SUBDOMAIN(state->domain)
+ && state->domain->ignore_group_members == false) {
+ subreq = sdap_ad_tokengroups_initgr_mapping_send(state, ev, opts,
+ sysdb, domain, sh,
+ name, orig_dn,
+ timeout);
+ } else {
+ subreq = sdap_ad_tokengroups_initgr_posix_send(state, ev, id_ctx, conn,
+ opts, sysdb, domain, sh,
+ name, orig_dn,
+ timeout);
+ }
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_ad_tokengroups_initgroups_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_ad_tokengroups_initgroups_done(struct tevent_req *subreq)
+{
+ struct sdap_ad_tokengroups_initgroups_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_ad_tokengroups_initgroups_state);
+
+ if (state->use_id_mapping
+ && !IS_SUBDOMAIN(state->domain)
+ && state->domain->ignore_group_members == false) {
+ ret = sdap_ad_tokengroups_initgr_mapping_recv(subreq);
+ } else {
+ ret = sdap_ad_tokengroups_initgr_posix_recv(subreq);
+ }
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t sdap_ad_tokengroups_initgroups_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+static errno_t handle_missing_pvt(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ const char *orig_dn,
+ int timeout,
+ const char *username,
+ struct sdap_handle *sh,
+ struct tevent_req *req,
+ tevent_req_fn callback)
+{
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ if (sh != NULL) {
+ /* plain LDAP provider already has a sdap_handle */
+ subreq = sdap_get_ad_tokengroups_send(mem_ctx, ev, opts, sh, username,
+ orig_dn, timeout);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ tevent_req_error(req, ret);
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, callback, req);
+ ret = EOK;
+ goto done;
+
+ } else {
+ ret = EINVAL;
+ goto done;
+ }
+
+done:
+ return ret;
+}
diff --git a/src/providers/ldap/sdap_async_nested_groups.c b/src/providers/ldap/sdap_async_nested_groups.c
new file mode 100644
index 0000000..055de29
--- /dev/null
+++ b/src/providers/ldap/sdap_async_nested_groups.c
@@ -0,0 +1,2887 @@ +/* + SSSD + + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/probes.h" +#include "db/sysdb.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ipa/ipa_dn.h" + +#define sdap_nested_group_sysdb_search_users(domain, dn) \ + sdap_nested_group_sysdb_search((domain), (dn), true) + +#define sdap_nested_group_sysdb_search_groups(domain, dn) \ + sdap_nested_group_sysdb_search((domain), (dn), false) + +enum sdap_nested_group_dn_type { + SDAP_NESTED_GROUP_DN_USER, + SDAP_NESTED_GROUP_DN_GROUP, + SDAP_NESTED_GROUP_DN_UNKNOWN +}; + +struct sdap_nested_group_member { + enum sdap_nested_group_dn_type type; + const char *dn; + const char *user_filter; + const char *group_filter; +}; + +#ifndef EXTERNAL_MEMBERS_CHUNK +#define EXTERNAL_MEMBERS_CHUNK 16 +#endif /* EXTERNAL_MEMBERS_CHUNK */ + +struct sdap_external_missing_member { + const char **parent_group_dns; + size_t parent_dn_idx; +}; + +struct sdap_nested_group_ctx { + struct sss_domain_info *domain; + struct sdap_options *opts; + struct sdap_search_base **user_search_bases; + struct sdap_search_base **group_search_bases; + struct sdap_handle 
*sh; + hash_table_t *users; + hash_table_t *groups; + hash_table_t *missing_external; + bool try_deref; + int deref_threshold; + int max_nesting_level; +}; + +static struct tevent_req * +sdap_nested_group_process_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_nested_group_ctx *group_ctx, + int nesting_level, + struct sysdb_attrs *group); + +static errno_t sdap_nested_group_process_recv(struct tevent_req *req); + +static struct tevent_req * +sdap_nested_group_single_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_nested_group_ctx *group_ctx, + struct sdap_nested_group_member *members, + int num_members, + int num_groups_max, + int nesting_level); + +static errno_t sdap_nested_group_single_recv(struct tevent_req *req); + +static struct tevent_req * +sdap_nested_group_lookup_user_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_nested_group_ctx *group_ctx, + struct sdap_nested_group_member *member); + +static errno_t sdap_nested_group_lookup_user_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sysdb_attrs **_user); + +static struct tevent_req * +sdap_nested_group_lookup_group_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_nested_group_ctx *group_ctx, + struct sdap_nested_group_member *member); + +static errno_t sdap_nested_group_lookup_group_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sysdb_attrs **_group); + +static struct tevent_req * +sdap_nested_group_lookup_unknown_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_nested_group_ctx *group_ctx, + struct sdap_nested_group_member *member); + +static errno_t +sdap_nested_group_lookup_unknown_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sysdb_attrs **_entry, + enum sdap_nested_group_dn_type *_type); + +static struct tevent_req * +sdap_nested_group_deref_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_nested_group_ctx *group_ctx, + struct 
ldb_message_element *members, + const char *group_dn, + int nesting_level); + +static errno_t sdap_nested_group_deref_recv(struct tevent_req *req); + +static errno_t +sdap_nested_group_extract_hash_table(TALLOC_CTX *mem_ctx, + hash_table_t *table, + unsigned long *_num_entries, + struct sysdb_attrs ***_entries) +{ + struct sysdb_attrs **entries = NULL; + struct sysdb_attrs *entry = NULL; + hash_value_t *values; + unsigned long num_entries; + unsigned int i; + bool hret; + errno_t ret; + + hret = hash_values(table, &num_entries, &values); + if (hret != HASH_SUCCESS) { + ret = EIO; + goto done; + } + + if (num_entries > 0) { + entries = talloc_array(mem_ctx, struct sysdb_attrs *, num_entries); + if (entries == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num_entries; i++) { + entry = talloc_get_type(values[i].ptr, struct sysdb_attrs); + entries[i] = talloc_steal(entries, entry); + } + } + + if (_num_entries != NULL) { + *_num_entries = num_entries; + } + + if (_entries != NULL) { + *_entries = entries; + } + + ret = EOK; + +done: + talloc_free(values); + + if (ret != EOK) { + talloc_free(entries); + } + + return ret; +} + +static errno_t sdap_nested_group_hash_insert(hash_table_t *table, + const char *entry_key, + void *entry_value, + bool overwrite, + const char *table_name) +{ + hash_key_t key; + hash_value_t value; + int hret; + + DEBUG(SSSDBG_TRACE_ALL, "Inserting [%s] into hash table [%s]\n", + entry_key, table_name); + + key.type = HASH_KEY_STRING; + key.str = talloc_strdup(NULL, entry_key); + if (key.str == NULL) { + return ENOMEM; + } + + if (overwrite == false && hash_has_key(table, &key)) { + talloc_free(key.str); + return EEXIST; + } + + value.type = HASH_VALUE_PTR; + value.ptr = entry_value; + + hret = hash_enter(table, &key, &value); + if (hret != HASH_SUCCESS) { + talloc_free(key.str); + return EIO; + } + + talloc_steal(table, key.str); + talloc_steal(table, value.ptr); + + return EOK; +} + +static errno_t 
sdap_nested_group_hash_entry(hash_table_t *table, + struct sysdb_attrs *entry, + const char *table_name) +{ + const char *name = NULL; + errno_t ret; + + ret = sysdb_attrs_get_string(entry, SYSDB_ORIG_DN, &name); + if (ret != EOK) { + return ret; + } + + return sdap_nested_group_hash_insert(table, name, entry, false, table_name); +} + +static errno_t +sdap_nested_group_hash_user(struct sdap_nested_group_ctx *group_ctx, + struct sysdb_attrs *user) +{ + return sdap_nested_group_hash_entry(group_ctx->users, user, "users"); +} + +static errno_t +sdap_nested_group_hash_group(struct sdap_nested_group_ctx *group_ctx, + struct sysdb_attrs *group) +{ + struct sdap_attr_map *map = group_ctx->opts->group_map; + gid_t gid; + errno_t ret; + bool posix_group = true; + bool use_id_mapping; + bool can_find_gid; + bool need_filter; + + ret = sdap_check_ad_group_type(group_ctx->domain, group_ctx->opts, + group, "", &need_filter); + if (ret != EOK) { + return ret; + } + + if (need_filter) { + posix_group = false; + gid = 0; + } + + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping( + group_ctx->opts->idmap_ctx, + group_ctx->domain->name, + group_ctx->domain->domain_id); + + can_find_gid = posix_group && !use_id_mapping; + if (can_find_gid) { + ret = sysdb_attrs_get_uint32_t(group, map[SDAP_AT_GROUP_GID].sys_name, + &gid); + } + if (!can_find_gid || ret == ENOENT || (ret == EOK && gid == 0)) { + DEBUG(SSSDBG_TRACE_ALL, + "The group's gid was %s\n", ret == ENOENT ? 
"missing" : "zero"); + DEBUG(SSSDBG_TRACE_INTERNAL, + "Marking group as non-POSIX and setting GID=0!\n"); + + if (ret == ENOENT || !posix_group) { + ret = sysdb_attrs_add_uint32(group, + map[SDAP_AT_GROUP_GID].sys_name, 0); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add a GID to non-POSIX group!\n"); + return ret; + } + } + + ret = sysdb_attrs_add_bool(group, SYSDB_POSIX, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Error: Failed to mark group as non-POSIX!\n"); + return ret; + } + } else if (ret != EOK) { + return ret; + } + + return sdap_nested_group_hash_entry(group_ctx->groups, group, "groups"); +} + +static errno_t sdap_nested_group_external_add(hash_table_t *table, + const char *ext_member, + const char *parent_group_dn) +{ + hash_key_t key; + hash_value_t value; + int hret; + int ret; + struct sdap_external_missing_member *ext_mem; + + key.type = HASH_KEY_STRING; + key.str = discard_const(ext_member); + + DEBUG(SSSDBG_TRACE_ALL, + "Inserting external member [%s] into external members hash table\n", + ext_member); + + hret = hash_lookup(table, &key, &value); + switch (hret) { + case HASH_ERROR_KEY_NOT_FOUND: + ext_mem = talloc_zero(table, struct sdap_external_missing_member); + if (ext_mem == NULL) { + return ENOMEM; + } + ext_mem->parent_group_dns = talloc_zero_array(ext_mem, + const char *, + EXTERNAL_MEMBERS_CHUNK); + if (ext_mem->parent_group_dns == NULL) { + talloc_free(ext_mem); + return ENOMEM; + } + + ret = sdap_nested_group_hash_insert(table, ext_member, ext_mem, + true, "missing external users"); + if (ret != EOK) { + return ret; + } + break; + + case HASH_SUCCESS: + ext_mem = talloc_get_type(value.ptr, + struct sdap_external_missing_member); + if (ext_mem->parent_dn_idx == \ + talloc_array_length(ext_mem->parent_group_dns)) { + ext_mem->parent_group_dns = talloc_realloc(ext_mem, + ext_mem->parent_group_dns, + const char *, + ext_mem->parent_dn_idx + \ + EXTERNAL_MEMBERS_CHUNK); + if (ext_mem->parent_group_dns == 
NULL) { + talloc_free(ext_mem); + return ENOMEM; + } + } + break; + default: + return EIO; + } + + ext_mem->parent_group_dns[ext_mem->parent_dn_idx] = \ + talloc_strdup(ext_mem->parent_group_dns, + parent_group_dn); + if (ext_mem->parent_group_dns[ext_mem->parent_dn_idx] == NULL) { + return ENOMEM; + } + ext_mem->parent_dn_idx++; + + return EOK; +} + +static errno_t sdap_nested_group_sysdb_search(struct sss_domain_info *domain, + const char *dn, + bool user) +{ + static const char *attrs[] = {SYSDB_CACHE_EXPIRE, + SYSDB_UIDNUM, + NULL}; + struct ldb_message **msgs = NULL; + size_t count; + time_t now = time(NULL); + uint64_t expire; + uid_t uid; + errno_t ret; + + if (user) { + ret = sysdb_search_users_by_orig_dn(NULL, domain, dn, attrs, + &count, &msgs); + } else { + ret = sysdb_search_groups_by_orig_dn(NULL, domain, dn, attrs, + &count, &msgs); + } + if (ret != EOK) { + goto done; + } + + if (count != 1) { + DEBUG(SSSDBG_OP_FAILURE, "More than one entry found?\n"); + ret = EFAULT; + goto done; + } + + /* we found an object with this origDN in the sysdb, + * check if it is valid */ + if (user) { + uid = ldb_msg_find_attr_as_uint64(msgs[0], SYSDB_UIDNUM, 0); + if (uid == 0) { + DEBUG(SSSDBG_OP_FAILURE, "User with no UID?\n"); + ret = EINVAL; + goto done; + } + } + + expire = ldb_msg_find_attr_as_uint64(msgs[0], SYSDB_CACHE_EXPIRE, 0); + if (expire != 0 && expire <= now) { + /* needs refresh */ + ret = EAGAIN; + goto done; + } + + /* valid object */ + ret = EOK; + +done: + talloc_zfree(msgs); + return ret; +} + +static errno_t +sdap_nested_group_check_cache(struct sdap_options *opts, + struct sss_domain_info *domain, + const char *member_dn, + enum sdap_nested_group_dn_type *_type) +{ + struct sdap_domain *sdap_domain = NULL; + struct sss_domain_info *member_domain = NULL; + errno_t ret; + + /* determine correct domain of this member */ + sdap_domain = sdap_domain_get_by_dn(opts, member_dn); + member_domain = sdap_domain == NULL ? 
domain : sdap_domain->dom; + + /* search in users */ + PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_USERS_PRE); + ret = sdap_nested_group_sysdb_search_users(member_domain, member_dn); + PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_USERS_POST); + if (ret == EOK || ret == EAGAIN) { + /* user found */ + *_type = SDAP_NESTED_GROUP_DN_USER; + goto done; + } else if (ret != ENOENT) { + /* error */ + goto done; + } + + /* search in groups */ + PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_GROUPS_PRE); + ret = sdap_nested_group_sysdb_search_groups(member_domain, member_dn); + PROBE(SDAP_NESTED_GROUP_SYSDB_SEARCH_GROUPS_POST); + if (ret == EOK || ret == EAGAIN) { + /* group found */ + *_type = SDAP_NESTED_GROUP_DN_GROUP; + goto done; + } else if (ret != ENOENT) { + /* error */ + goto done; + } + + /* not found in the sysdb */ + ret = ENOENT; + +done: + return ret; +} + +static bool +sdap_nested_member_is_ent(struct sdap_nested_group_ctx *group_ctx, + const char *dn, char **filter, bool is_user) +{ + struct sdap_domain *sditer = NULL; + bool ret = false; + struct sdap_search_base **search_bases; + + DLIST_FOR_EACH(sditer, group_ctx->opts->sdom) { + search_bases = is_user ? 
sditer->user_search_bases : \ + sditer->group_search_bases; + + ret = sss_ldap_dn_in_search_bases(group_ctx, dn, search_bases, + filter); + if (ret == true) { + break; + } + } + + return ret; +} + +static inline bool +sdap_nested_member_is_user(struct sdap_nested_group_ctx *group_ctx, + const char *dn, char **filter) +{ + return sdap_nested_member_is_ent(group_ctx, dn, filter, true); +} + +static inline bool +sdap_nested_member_is_group(struct sdap_nested_group_ctx *group_ctx, + const char *dn, char **filter) +{ + return sdap_nested_member_is_ent(group_ctx, dn, filter, false); +} + +static errno_t +sdap_nested_group_split_members(TALLOC_CTX *mem_ctx, + struct sdap_nested_group_ctx *group_ctx, + int threshold, + int nesting_level, + struct ldb_message_element *members, + struct sdap_nested_group_member **_missing, + int *_num_missing, + int *_num_groups) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sdap_nested_group_member *missing = NULL; + enum sdap_nested_group_dn_type type; + char *dn = NULL; + char *user_filter = NULL; + char *group_filter = NULL; + int num_missing = 0; + int num_groups = 0; + hash_key_t key; + bool bret; + bool is_user; + bool is_group; + errno_t ret; + int i; + + if (members == NULL) { + *_missing = NULL; + *_num_missing = 0; + *_num_groups = 0; + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + missing = talloc_zero_array(tmp_ctx, struct sdap_nested_group_member, + members->num_values); + if (missing == NULL) { + ret = ENOMEM; + goto done; + } + + /* create list of missing members + * skip dn if: + * - is present in user or group hash table + * - is present in sysdb and not expired + * - it is a group and we have reached the maximal nesting level + * - it is not under user nor group search bases + * + * if dn is in sysdb but expired + * - we know what object type it is + * + * if dn is not in hash table or sysdb + * - try to determine type of 
object by search base that match dn + */ + for (i = 0; i < members->num_values; i++) { + dn = (char*)members->values[i].data; + type = SDAP_NESTED_GROUP_DN_UNKNOWN; + + /* check hash tables */ + key.type = HASH_KEY_STRING; + key.str = dn; + + bret = hash_has_key(group_ctx->users, &key); + if (bret) { + continue; + } + + bret = hash_has_key(group_ctx->groups, &key); + if (bret) { + continue; + } + + /* check sysdb */ + PROBE(SDAP_NESTED_GROUP_CHECK_CACHE_PRE); + ret = sdap_nested_group_check_cache(group_ctx->opts, group_ctx->domain, + dn, &type); + PROBE(SDAP_NESTED_GROUP_CHECK_CACHE_POST); + if (ret == EOK) { + /* found and valid */ + DEBUG(SSSDBG_TRACE_ALL, "[%s] found in cache, skipping\n", dn); + continue; + } else if (ret != EAGAIN && ret != ENOENT) { + /* error */ + goto done; + } + + /* try to determine type by dn */ + if (type == SDAP_NESTED_GROUP_DN_UNKNOWN) { + /* user */ + is_user = sdap_nested_member_is_user(group_ctx, dn, + &user_filter); + + is_group = sdap_nested_member_is_group(group_ctx, dn, + &group_filter); + + if (is_user && is_group) { + /* search bases overlap */ + DEBUG(SSSDBG_TRACE_ALL, "[%s] is unknown object\n", dn); + type = SDAP_NESTED_GROUP_DN_UNKNOWN; + } else if (is_user) { + DEBUG(SSSDBG_TRACE_ALL, "[%s] is a user\n", dn); + type = SDAP_NESTED_GROUP_DN_USER; + } else if (is_group) { + DEBUG(SSSDBG_TRACE_ALL, "[%s] is a group\n", dn); + type = SDAP_NESTED_GROUP_DN_GROUP; + } else { + /* dn is outside search bases */ + DEBUG(SSSDBG_TRACE_ALL, "[%s] is out of scope of configured " + "search bases, skipping\n", dn); + continue; + } + } + + /* check nesting level */ + if (type == SDAP_NESTED_GROUP_DN_GROUP) { + if (nesting_level >= group_ctx->max_nesting_level) { + DEBUG(SSSDBG_TRACE_ALL, "[%s] is outside nesting limit " + "(level %d), skipping\n", dn, nesting_level); + talloc_zfree(user_filter); + talloc_zfree(group_filter); + continue; + } + } + + missing[num_missing].dn = talloc_strdup(missing, dn); + if (missing[num_missing].dn == 
NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ missing[num_missing].type = type;
+ missing[num_missing].user_filter = talloc_steal(missing, user_filter);
+ missing[num_missing].group_filter = talloc_steal(missing, group_filter);
+
+ num_missing++;
+ if (threshold > 0 && num_missing > threshold) {
+ if (_num_missing) {
+ *_num_missing = num_missing;
+ }
+
+ ret = ERR_DEREF_THRESHOLD;
+ goto done;
+ }
+
+ if (type != SDAP_NESTED_GROUP_DN_USER) {
+ num_groups++;
+ }
+ }
+
+ missing = talloc_realloc(mem_ctx, missing,
+ struct sdap_nested_group_member, num_missing);
+ /* talloc_realloc behaves as talloc_free if 3rd parameter (count) is 0,
+ * so it's OK to return NULL then
+ */
+ if (missing == NULL && num_missing > 0) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (_missing) {
+ *_missing = talloc_steal(mem_ctx, missing);
+ }
+
+ if (_num_missing) {
+ *_num_missing = num_missing;
+ }
+
+ if (_num_groups) {
+ *_num_groups = num_groups;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static errno_t
+sdap_nested_group_add_ext_members(struct sdap_nested_group_ctx *group_ctx,
+ struct sysdb_attrs *group,
+ struct ldb_message_element *ext_members)
+{
+ errno_t ret;
+ const char *ext_member_attr;
+ const char *orig_dn;
+
+ if (ext_members == NULL) {
+ return EOK;
+ }
+
+ ret = sysdb_attrs_get_string(group, SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "A group with no originalDN!?!\n");
+ return ret;
+ }
+
+ for (size_t i = 0; i < ext_members->num_values; i++) {
+ ext_member_attr = (const char *) ext_members->values[i].data;
+
+ ret = sdap_nested_group_external_add(group_ctx->missing_external,
+ ext_member_attr,
+ orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot add %s into external members [%d]: %s\n",
+ ext_member_attr, ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
+static struct ldb_message_element *
+sdap_nested_group_ext_members(struct sdap_options *opts,
+ struct sysdb_attrs
*group)
+{
+ errno_t ret;
+ struct ldb_message_element *ext_members = NULL;
+
+ if (opts->ext_ctx == NULL) {
+ return NULL;
+ }
+
+ ret = sysdb_attrs_get_el_ext(group,
+ opts->group_map[SDAP_AT_GROUP_EXT_MEMBER].sys_name,
+ false, &ext_members);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve external member list "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ }
+
+ return ext_members;
+}
+
+
+struct sdap_nested_group_state {
+ struct sdap_nested_group_ctx *group_ctx;
+};
+
+static void sdap_nested_group_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_nested_group_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_domain *sdom,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ struct sysdb_attrs *group)
+{
+ struct sdap_nested_group_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+ int i;
+
+ PROBE(SDAP_NESTED_GROUP_SEND);
+
+ req = tevent_req_create(mem_ctx, &state, struct sdap_nested_group_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ /* create main nested group context */
+ state->group_ctx = talloc_zero(state, struct sdap_nested_group_ctx);
+ if (state->group_ctx == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state->group_ctx, 32, &state->group_ctx->users);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
+ ret, strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state->group_ctx, 32, &state->group_ctx->groups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
+ ret, strerror(ret));
+ goto immediately;
+ }
+
+ ret = sss_hash_create(state->group_ctx, 32,
+ &state->group_ctx->missing_external);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n",
+ ret, strerror(ret));
+ goto immediately;
+ }
+
+ state->group_ctx->try_deref = true;
+ state->group_ctx->deref_threshold = dp_opt_get_int(opts->basic,
+ SDAP_DEREF_THRESHOLD);
+ state->group_ctx->max_nesting_level = dp_opt_get_int(opts->basic,
+ SDAP_NESTING_LEVEL);
+ state->group_ctx->domain = sdom->dom;
+ state->group_ctx->opts = opts;
+ state->group_ctx->user_search_bases = sdom->user_search_bases;
+ state->group_ctx->group_search_bases = sdom->group_search_bases;
+ state->group_ctx->sh = sh;
+ state->group_ctx->try_deref = sdap_has_deref_support(sh, opts);
+
+ /* disable deref if threshold <= 0 */
+ if (state->group_ctx->deref_threshold <= 0) {
+ state->group_ctx->try_deref = false;
+ }
+
+ /* if any search base contains filter, disable dereference. */
+ if (state->group_ctx->try_deref) {
+ for (i = 0; opts->sdom->user_search_bases[i] != NULL; i++) {
+ if (opts->sdom->user_search_bases[i]->filter != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "User search base contains filter, "
+ "dereference will be disabled\n");
+ state->group_ctx->try_deref = false;
+ break;
+ }
+ }
+ }
+
+ if (state->group_ctx->try_deref) {
+ for (i = 0; opts->sdom->group_search_bases[i] != NULL; i++) {
+ if (opts->sdom->group_search_bases[i]->filter != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Group search base contains filter, "
+ "dereference will be disabled\n");
+ state->group_ctx->try_deref = false;
+ break;
+ }
+ }
+ }
+
+ /* insert initial group into hash table */
+ ret = sdap_nested_group_hash_group(state->group_ctx, group);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to insert group into hash table "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto immediately;
+ }
+
+ /* resolve group */
+ subreq = sdap_nested_group_process_send(state, ev, state->group_ctx,
+ 0, group);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_nested_group_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ ret = sdap_nested_group_process_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t sdap_nested_group_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ unsigned long *_num_users,
+ struct sysdb_attrs ***_users,
+ unsigned long *_num_groups,
+ struct sysdb_attrs ***_groups,
+ hash_table_t **_missing_external)
+{
+ struct sdap_nested_group_state *state = NULL;
+ struct sysdb_attrs **users = NULL;
+ struct sysdb_attrs **groups = NULL;
+ unsigned long num_users;
+ unsigned long num_groups;
+ errno_t ret;
+
+ state = tevent_req_data(req, struct sdap_nested_group_state);
+
+ PROBE(SDAP_NESTED_GROUP_RECV);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ ret = sdap_nested_group_extract_hash_table(state, state->group_ctx->users,
+ &num_users, &users);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "%lu users found in the hash table\n",
+ num_users);
+
+ ret = sdap_nested_group_extract_hash_table(state, state->group_ctx->groups,
+ &num_groups, &groups);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "%lu groups found in the hash table\n",
+ num_groups);
+
+ if (_num_users != NULL) {
+ *_num_users = num_users;
+ }
+
+ if (_users != NULL) {
+ *_users = talloc_steal(mem_ctx, users);
+ }
+
+ if (_num_groups!= NULL) {
+ *_num_groups = num_groups;
+ }
+
+ if (_groups != NULL) {
+ *_groups = talloc_steal(mem_ctx, groups);
+ }
+
+ if (_missing_external) {
+ *_missing_external = talloc_steal(mem_ctx,
+ state->group_ctx->missing_external);
+ }
+
+ return EOK;
+}
+
+struct sdap_nested_group_process_state {
+ struct tevent_context *ev;
+ struct sdap_nested_group_ctx *group_ctx;
+ struct sdap_nested_group_member *missing;
+ int
num_missing_total;
+ int num_missing_groups;
+ struct ldb_message_element *ext_members;
+ struct ldb_message_element *members;
+ int nesting_level;
+ char *group_dn;
+ bool deref;
+ bool deref_shortcut;
+};
+
+static void sdap_nested_group_process_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_process_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ int nesting_level,
+ struct sysdb_attrs *group)
+{
+ struct sdap_nested_group_process_state *state = NULL;
+ struct sdap_attr_map *group_map = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ const char *orig_dn = NULL;
+ errno_t ret;
+ int split_threshold;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_process_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->group_ctx = group_ctx;
+ state->nesting_level = nesting_level;
+ group_map = state->group_ctx->opts->group_map;
+
+ /* get original dn */
+ ret = sysdb_attrs_get_string(group, SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve original dn "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto immediately;
+ }
+
+ state->group_dn = talloc_strdup(state, orig_dn);
+ if (state->group_dn == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "About to process group [%s]\n", orig_dn);
+ PROBE(SDAP_NESTED_GROUP_PROCESS_SEND, state->group_dn);
+
+ /* get member list, both direct and external */
+ state->ext_members = sdap_nested_group_ext_members(state->group_ctx->opts,
+ group);
+
+ ret = sysdb_attrs_get_el_ext(group, group_map[SDAP_AT_GROUP_MEMBER].sys_name,
+ false, &state->members);
+ if (ret == ENOENT && state->ext_members == NULL) {
+ ret = EOK; /* no members, direct or external */
+ goto immediately;
+ } else if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve member list "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto immediately;
+ }
+
+ split_threshold = state->group_ctx->try_deref ? \
+ state->group_ctx->deref_threshold : \
+ -1;
+
+ /* get members that need to be refreshed */
+ PROBE(SDAP_NESTED_GROUP_PROCESS_SPLIT_PRE);
+ ret = sdap_nested_group_split_members(state, state->group_ctx,
+ split_threshold,
+ state->nesting_level,
+ state->members,
+ &state->missing,
+ &state->num_missing_total,
+ &state->num_missing_groups);
+ PROBE(SDAP_NESTED_GROUP_PROCESS_SPLIT_POST);
+ if (ret == ERR_DEREF_THRESHOLD) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "More members were missing than the deref threshold\n");
+ state->deref_shortcut = true;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to split member list "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ ret = sdap_nested_group_add_ext_members(state->group_ctx,
+ group,
+ state->ext_members);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to split external member list "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ if (state->num_missing_total == 0
+ && hash_count(state->group_ctx->missing_external) == 0) {
+ ret = EOK; /* we're done */
+ goto immediately;
+ }
+
+ /* If there are only indirect members of the group, it's still safe to
+ * proceed and let the direct lookup code just fall through.
+ */
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Looking up %d/%d members of group [%s]\n",
+ state->num_missing_total,
+ state->members ?
state->members->num_values : 0,
+ orig_dn);
+
+ /* process members */
+ if (group_ctx->try_deref
+ && state->num_missing_total > group_ctx->deref_threshold) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Dereferencing members of group [%s]\n",
+ orig_dn);
+ state->deref = true;
+ subreq = sdap_nested_group_deref_send(state, ev, group_ctx,
+ state->members, orig_dn,
+ state->nesting_level);
+ } else {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Members of group [%s] will be "
+ "processed individually\n", orig_dn);
+ state->deref = false;
+ subreq = sdap_nested_group_single_send(state, ev, group_ctx,
+ state->missing,
+ state->num_missing_total,
+ state->num_missing_groups,
+ state->nesting_level);
+ }
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_process_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_nested_group_process_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_process_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_process_state);
+
+ if (state->deref) {
+ ret = sdap_nested_group_deref_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret == ENOTSUP) {
+ /* dereference is not supported, try again without dereference */
+ state->group_ctx->try_deref = false;
+ state->deref = false;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Members of group [%s] will be "
+ "processed individually\n", state->group_dn);
+
+ if (state->deref_shortcut == true) {
+ /* If we previously short-cut dereference, we need to split the
+ * members again to get full list of missing member types
+ */
+ PROBE(SDAP_NESTED_GROUP_PROCESS_SPLIT_PRE);
+ ret = sdap_nested_group_split_members(state, state->group_ctx,
+ -1,
+ state->nesting_level,
+ state->members,
+ &state->missing,
+ &state->num_missing_total,
+ &state->num_missing_groups);
+ PROBE(SDAP_NESTED_GROUP_PROCESS_SPLIT_POST);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to split member list "
+ "[%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ subreq = sdap_nested_group_single_send(state,
+ state->ev,
+ state->group_ctx,
+ state->missing,
+ state->num_missing_total,
+ state->num_missing_groups,
+ state->nesting_level);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_process_done,
+ req);
+
+ ret = EAGAIN;
+ }
+ } else {
+ ret = sdap_nested_group_single_recv(subreq);
+ talloc_zfree(subreq);
+ }
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t sdap_nested_group_process_recv(struct tevent_req *req)
+{
+#ifdef HAVE_SYSTEMTAP
+ struct sdap_nested_group_process_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_nested_group_process_state);
+
+ PROBE(SDAP_NESTED_GROUP_PROCESS_RECV, state->group_dn);
+#endif
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct sdap_nested_group_recurse_state {
+ struct tevent_context *ev;
+ struct sdap_nested_group_ctx *group_ctx;
+ struct sysdb_attrs **groups;
+ int num_groups;
+ int index;
+ int nesting_level;
+};
+
+static errno_t sdap_nested_group_recurse_step(struct tevent_req *req);
+static void sdap_nested_group_recurse_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_recurse_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ struct sysdb_attrs **nested_groups,
+ int num_groups,
+ int nesting_level)
+{
+ struct sdap_nested_group_recurse_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_recurse_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->group_ctx = group_ctx;
+ state->groups = nested_groups;
+ state->num_groups = num_groups;
+ state->index = 0;
+ state->nesting_level = nesting_level;
+
+ /* process each group individually */
+ ret = sdap_nested_group_recurse_step(req);
+ if (ret != EAGAIN) {
+ goto immediately;
+ }
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t sdap_nested_group_recurse_step(struct tevent_req *req)
+{
+ struct sdap_nested_group_recurse_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+
+ state = tevent_req_data(req, struct sdap_nested_group_recurse_state);
+
+ if (state->index >= state->num_groups) {
+ /* we're done */
+ return EOK;
+ }
+
+ subreq = sdap_nested_group_process_send(state, state->ev, state->group_ctx,
+ state->nesting_level,
+ state->groups[state->index]);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_recurse_done, req);
+
+ state->index++;
+
+ return EAGAIN;
+}
+
+static void sdap_nested_group_recurse_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ ret = sdap_nested_group_process_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sdap_nested_group_recurse_step(req);
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static errno_t sdap_nested_group_recurse_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct sdap_nested_group_single_state {
+ struct tevent_context *ev;
+ struct sdap_nested_group_ctx *group_ctx;
+ struct sdap_nested_group_member *members;
+ int nesting_level;
+
+ struct sdap_nested_group_member *current_member;
+ int
num_members;
+ int member_index;
+
+ struct sysdb_attrs **nested_groups;
+ int num_groups;
+};
+
+static errno_t sdap_nested_group_single_step(struct tevent_req *req);
+static void sdap_nested_group_single_step_done(struct tevent_req *subreq);
+static void sdap_nested_group_single_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_single_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ struct sdap_nested_group_member *members,
+ int num_members,
+ int num_groups_max,
+ int nesting_level)
+{
+ struct sdap_nested_group_single_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_single_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->group_ctx = group_ctx;
+ state->members = members;
+ state->nesting_level = nesting_level;
+ state->current_member = NULL;
+ state->num_members = num_members;
+ state->member_index = 0;
+ state->nested_groups = talloc_zero_array(state, struct sysdb_attrs *,
+ num_groups_max);
+ if (state->nested_groups == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ state->num_groups = 0; /* we will count exact number of the groups */
+
+ /* process each member individually */
+ ret = sdap_nested_group_single_step(req);
+ if (ret != EAGAIN) {
+ goto immediately;
+ }
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t sdap_nested_group_single_step(struct tevent_req *req)
+{
+ struct sdap_nested_group_single_state *state = NULL;
+ struct tevent_req *subreq = NULL;
+
+ state = tevent_req_data(req, struct sdap_nested_group_single_state);
+
+ if (state->member_index >= state->num_members) {
+ /* we're done */
+ return EOK;
+ }
+
+ state->current_member =
&state->members[state->member_index];
+ state->member_index++;
+
+ switch (state->current_member->type) {
+ case SDAP_NESTED_GROUP_DN_USER:
+ subreq = sdap_nested_group_lookup_user_send(state, state->ev,
+ state->group_ctx,
+ state->current_member);
+ break;
+ case SDAP_NESTED_GROUP_DN_GROUP:
+ subreq = sdap_nested_group_lookup_group_send(state, state->ev,
+ state->group_ctx,
+ state->current_member);
+ break;
+ case SDAP_NESTED_GROUP_DN_UNKNOWN:
+ subreq = sdap_nested_group_lookup_unknown_send(state, state->ev,
+ state->group_ctx,
+ state->current_member);
+ break;
+ }
+
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_single_step_done, req);
+
+ return EAGAIN;
+}
+
+static errno_t
+sdap_nested_group_single_step_process(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_single_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sysdb_attrs *entry = NULL;
+ enum sdap_nested_group_dn_type type = SDAP_NESTED_GROUP_DN_UNKNOWN;
+ const char *orig_dn = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_single_state);
+
+ /* set correct type if possible */
+ if (state->current_member->type == SDAP_NESTED_GROUP_DN_UNKNOWN) {
+ ret = sdap_nested_group_lookup_unknown_recv(state, subreq,
+ &entry, &type);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (entry != NULL) {
+ state->current_member->type = type;
+ }
+ }
+
+ switch (state->current_member->type) {
+ case SDAP_NESTED_GROUP_DN_USER:
+ if (entry == NULL) {
+ /* type was not unknown, receive data */
+ ret = sdap_nested_group_lookup_user_recv(state, subreq, &entry);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (entry == NULL) {
+ /* user not found, continue */
+ break;
+ }
+ }
+
+ /* save user in hash table */
+ ret = sdap_nested_group_hash_user(state->group_ctx, entry);
+ if (ret == EEXIST) {
+ /* the user is already present, skip it */
+ talloc_zfree(entry);
+ ret =
EOK;
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to save user in hash table "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+ break;
+ case SDAP_NESTED_GROUP_DN_GROUP:
+ if (entry == NULL) {
+ /* type was not unknown, receive data */
+ ret = sdap_nested_group_lookup_group_recv(state, subreq, &entry);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (entry == NULL) {
+ /* group not found, continue */
+ break;
+ }
+ } else {
+ /* the type was unknown so we had to pull the group,
+ * but we don't want to process it if we have reached
+ * the nesting level */
+ if (state->nesting_level >= state->group_ctx->max_nesting_level) {
+ ret = sysdb_attrs_get_string(entry, SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The entry has no originalDN\n");
+ orig_dn = "invalid";
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "[%s] is outside nesting limit "
+ "(level %d), skipping\n", orig_dn, state->nesting_level);
+ break;
+ }
+ }
+
+ /* save group in hash table */
+ ret = sdap_nested_group_hash_group(state->group_ctx, entry);
+ if (ret == EEXIST) {
+ /* the group is already present, skip it */
+ talloc_zfree(entry);
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to save group in hash table "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ /* remember the group for later processing */
+ state->nested_groups[state->num_groups] = entry;
+ state->num_groups++;
+
+ break;
+ case SDAP_NESTED_GROUP_DN_UNKNOWN:
+ /* not found in users nor nested_groups, continue */
+ break;
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+static void sdap_nested_group_single_step_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_single_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_single_state);
+
+ /* process direct members */
+ ret =
sdap_nested_group_single_step_process(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error processing direct membership "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = sdap_nested_group_single_step(req);
+ if (ret == EOK) {
+ /* we have processed all direct members,
+ * now recurse and process nested groups */
+ subreq = sdap_nested_group_recurse_send(state, state->ev,
+ state->group_ctx,
+ state->nested_groups,
+ state->num_groups,
+ state->nesting_level + 1);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_single_done, req);
+ } else if (ret != EAGAIN) {
+ /* error */
+ goto done;
+ }
+
+ /* we're not done yet */
+ ret = EAGAIN;
+
+done:
+ if (ret == EOK) {
+ /* tevent_req_error() cannot cope with EOK */
+ DEBUG(SSSDBG_CRIT_FAILURE, "We should not get here with EOK\n");
+ tevent_req_error(req, EINVAL);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static void sdap_nested_group_single_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ /* all nested groups are completed */
+ ret = sdap_nested_group_recurse_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error processing nested groups "
+ "[%d]: %s.\n", ret, strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+
+ return;
+}
+
+static errno_t sdap_nested_group_single_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+static errno_t sdap_nested_group_get_ipa_user(TALLOC_CTX *mem_ctx,
+ const char *user_dn,
+ struct sysdb_ctx *sysdb,
+ struct sysdb_attrs **_user)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sysdb_attrs *user;
+ char *name;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = ipa_get_rdn(tmp_ctx, sysdb,
user_dn, &name, "uid",
+ "cn", "users", "cn", "accounts");
+ if (ret != EOK) {
+ goto done;
+ }
+
+ user = sysdb_new_attrs(tmp_ctx);
+ if (user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user, SYSDB_NAME, name);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user, SYSDB_ORIG_DN, user_dn);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_string(user, SYSDB_OBJECTCATEGORY, SYSDB_USER_CLASS);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ *_user = talloc_steal(mem_ctx, user);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+struct sdap_nested_group_lookup_user_state {
+ struct sysdb_attrs *user;
+};
+
+static void sdap_nested_group_lookup_user_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_lookup_user_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ struct sdap_nested_group_member *member)
+{
+ struct sdap_nested_group_lookup_user_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ const char **attrs = NULL;
+ const char *base_filter = NULL;
+ const char *filter = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_lookup_user_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ PROBE(SDAP_NESTED_GROUP_LOOKUP_USER_SEND);
+
+ if (group_ctx->opts->schema_type == SDAP_SCHEMA_IPA_V1) {
+ /* if the schema is IPA, then just shortcut and guess the name */
+ ret = sdap_nested_group_get_ipa_user(state, member->dn,
+ group_ctx->domain->sysdb,
+ &state->user);
+ if (ret == EOK) {
+ goto immediately;
+ }
+
+ DEBUG(SSSDBG_MINOR_FAILURE, "Couldn't parse out user information "
+ "based on DN %s, falling back to an LDAP lookup\n", member->dn);
+ }
+
+ /* only pull down username and originalDN */
+ attrs = talloc_array(state, const char *, 3);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto
immediately;
+ }
+
+ attrs[0] = "objectClass";
+ attrs[1] = group_ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ attrs[2] = NULL;
+
+ /* create filter */
+ base_filter = talloc_asprintf(state, "(objectclass=%s)",
+ group_ctx->opts->user_map[SDAP_OC_USER].name);
+ if (base_filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ /* use search base filter if needed */
+ filter = sdap_combine_filters(state, base_filter, member->user_filter);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ /* search */
+ subreq = sdap_get_generic_send(state, ev, group_ctx->opts, group_ctx->sh,
+ member->dn, LDAP_SCOPE_BASE, filter, attrs,
+ group_ctx->opts->user_map,
+ group_ctx->opts->user_map_cnt,
+ dp_opt_get_int(group_ctx->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_lookup_user_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_nested_group_lookup_user_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_lookup_user_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sysdb_attrs **user = NULL;
+ size_t count = 0;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_user_state);
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &user);
+ talloc_zfree(subreq);
+ if (ret == ENOENT) {
+ count = 0;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ if (count == 1) {
+ state->user = user[0];
+ } else if (count == 0) {
+ /* group not found */
+ state->user = NULL;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "BASE search returned more than one records\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t sdap_nested_group_lookup_user_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sysdb_attrs **_user)
+{
+ struct sdap_nested_group_lookup_user_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_user_state);
+
+ PROBE(SDAP_NESTED_GROUP_LOOKUP_USER_RECV);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_user != NULL) {
+ *_user = talloc_steal(mem_ctx, state->user);
+ }
+
+ return EOK;
+}
+
+struct sdap_nested_group_lookup_group_state {
+ struct sysdb_attrs *group;
+};
+
+static void sdap_nested_group_lookup_group_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_lookup_group_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ struct sdap_nested_group_member *member)
+{
+ struct sdap_nested_group_lookup_group_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_attr_map *map = group_ctx->opts->group_map;
+ const char **attrs = NULL;
+ const char *base_filter = NULL;
+ const char *filter = NULL;
+ char *oc_list;
+ errno_t ret;
+
+ PROBE(SDAP_NESTED_GROUP_LOOKUP_GROUP_SEND);
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_lookup_group_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ ret = build_attrs_from_map(state, group_ctx->opts->group_map,
+ SDAP_OPTS_GROUP, NULL, &attrs, NULL);
+ if (ret != EOK) {
+ goto immediately;
+ }
+
+ /* create filter */
+ oc_list = sdap_make_oc_list(state, map);
+ if (oc_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create objectClass list.\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ base_filter = talloc_asprintf(attrs, "(&(%s)(%s=*))", oc_list,
+ map[SDAP_AT_GROUP_NAME].name);
+ if (base_filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ /* use search base filter if needed */
+ filter = sdap_combine_filters(state,
base_filter, member->group_filter);
+ if (filter == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ /* search */
+ subreq = sdap_get_generic_send(state, ev, group_ctx->opts, group_ctx->sh,
+ member->dn, LDAP_SCOPE_BASE, filter, attrs,
+ map, SDAP_OPTS_GROUP,
+ dp_opt_get_int(group_ctx->opts->basic,
+ SDAP_SEARCH_TIMEOUT),
+ false);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_lookup_group_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void sdap_nested_group_lookup_group_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_lookup_group_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sysdb_attrs **group = NULL;
+ size_t count = 0;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_group_state);
+
+ ret = sdap_get_generic_recv(subreq, state, &count, &group);
+ talloc_zfree(subreq);
+ if (ret == ENOENT) {
+ count = 0;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ if (count == 1) {
+ state->group = group[0];
+ } else if (count == 0) {
+ /* group not found */
+ state->group = NULL;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "BASE search returned more than one records\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t sdap_nested_group_lookup_group_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sysdb_attrs **_group)
+{
+ struct sdap_nested_group_lookup_group_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_group_state);
+
+ PROBE(SDAP_NESTED_GROUP_LOOKUP_GROUP_RECV);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_group != NULL) {
+ *_group = talloc_steal(mem_ctx, state->group);
+ }
+
+ return EOK;
+}
+
+struct sdap_nested_group_lookup_unknown_state {
+ struct tevent_context *ev;
+ struct sdap_nested_group_ctx *group_ctx;
+ struct sdap_nested_group_member *member;
+ enum sdap_nested_group_dn_type type;
+ struct sysdb_attrs *entry;
+};
+
+static void
+sdap_nested_group_lookup_unknown_user_done(struct tevent_req *subreq);
+
+static void
+sdap_nested_group_lookup_unknown_group_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_lookup_unknown_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ struct sdap_nested_group_member *member)
+{
+ struct sdap_nested_group_lookup_unknown_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_lookup_unknown_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ PROBE(SDAP_NESTED_GROUP_LOOKUP_UNKNOWN_SEND);
+
+ state->ev = ev;
+ state->group_ctx = group_ctx;
+ state->member = member;
+
+ /* try users first */
+ subreq = sdap_nested_group_lookup_user_send(state,
+ state->ev,
+ state->group_ctx,
+ state->member);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_lookup_unknown_user_done,
+ req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static void
+sdap_nested_group_lookup_unknown_user_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_lookup_unknown_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sysdb_attrs *entry = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_unknown_state);
+
+ ret = sdap_nested_group_lookup_user_recv(state, subreq, &entry);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (entry != NULL) {
+ /* found in users */
+ state->entry = entry;
+ state->type = SDAP_NESTED_GROUP_DN_USER;
+ ret = EOK;
+ goto done;
+ }
+
+ /* not found in users, try group */
+ subreq = sdap_nested_group_lookup_group_send(state,
+ state->ev,
+ state->group_ctx,
+ state->member);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_lookup_unknown_group_done,
+ req);
+
+ ret = EAGAIN;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static void
+sdap_nested_group_lookup_unknown_group_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_lookup_unknown_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sysdb_attrs *entry = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_unknown_state);
+
+ ret = sdap_nested_group_lookup_group_recv(state, subreq, &entry);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (entry == NULL) {
+ /* not found, end request */
+ state->entry = NULL;
+ state->type = SDAP_NESTED_GROUP_DN_UNKNOWN;
+ } else {
+ /* found in groups */
+ state->entry = entry;
+ state->type = SDAP_NESTED_GROUP_DN_GROUP;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t
+sdap_nested_group_lookup_unknown_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sysdb_attrs **_entry,
+ enum sdap_nested_group_dn_type *_type)
+{
+ struct sdap_nested_group_lookup_unknown_state *state = NULL;
+ state = tevent_req_data(req, struct sdap_nested_group_lookup_unknown_state);
+
+ PROBE(SDAP_NESTED_GROUP_LOOKUP_UNKNOWN_RECV);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_entry != NULL) {
+ *_entry = talloc_steal(mem_ctx, state->entry);
+ }
+
+ if (_type != NULL) {
+ *_type = state->type;
+ }
+
+
+ return EOK;
+}
+
+struct sdap_nested_group_deref_state {
+ struct tevent_context *ev;
+ struct sdap_nested_group_ctx *group_ctx;
+ struct ldb_message_element *members;
+ int nesting_level;
+
+ struct sysdb_attrs **nested_groups;
+ int num_groups;
+};
+
+static void sdap_nested_group_deref_direct_done(struct tevent_req *subreq);
+static void sdap_nested_group_deref_done(struct tevent_req *subreq);
+
+static struct tevent_req *
+sdap_nested_group_deref_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_nested_group_ctx *group_ctx,
+ struct ldb_message_element *members,
+ const char *group_dn,
+ int nesting_level)
+{
+ struct sdap_nested_group_deref_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sdap_attr_map_info *maps = NULL;
+ static const int num_maps = 2;
+ struct sdap_options *opts = group_ctx->opts;
+ const char **attrs = NULL;
+ size_t num_attrs = 0;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_deref_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ PROBE(SDAP_NESTED_GROUP_DEREF_SEND);
+
+ state->ev = ev;
+ state->group_ctx = group_ctx;
+ state->members = members;
+ state->nesting_level = nesting_level;
+ state->num_groups = 0; /* we will count exact number of the groups */
+
+ maps = talloc_array(state, struct sdap_attr_map_info, num_maps);
+ if (maps == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ maps[0].map = opts->user_map;
+ maps[0].num_attrs = opts->user_map_cnt;
+ maps[1].map = opts->group_map;
+ maps[1].num_attrs = SDAP_OPTS_GROUP;
+
+ /* pull down the whole group map,
+ * but only pull down username and originalDN for users */
+ ret = build_attrs_from_map(state, opts->group_map, SDAP_OPTS_GROUP,
+ NULL, &attrs, &num_attrs);
+ if (ret != EOK) {
+ goto immediately;
+ }
+
+ attrs = talloc_realloc(state, attrs, const char *, num_attrs + 2);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ attrs[num_attrs] = group_ctx->opts->user_map[SDAP_AT_USER_NAME].name;
+ attrs[num_attrs + 1] = NULL;
+
+ /* send request */
+ subreq = sdap_deref_search_send(state, ev, opts, group_ctx->sh, group_dn,
+ opts->group_map[SDAP_AT_GROUP_MEMBER].name,
+ attrs, num_maps, maps,
+ dp_opt_get_int(opts->basic,
+ SDAP_SEARCH_TIMEOUT));
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_deref_direct_done, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+
+ return req;
+}
+
+static errno_t
+sdap_nested_group_deref_direct_process(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_deref_state *state = NULL;
+ struct tevent_req *req = NULL;
+ struct sdap_options *opts = NULL;
+ struct sdap_deref_attrs **entries = NULL;
+ struct ldb_message_element *members = NULL;
+ const char *orig_dn = NULL;
+ const char *member_dn = NULL;
+ size_t num_entries = 0;
+ size_t i, j;
+ bool member_found;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_deref_state);
+
+ opts = state->group_ctx->opts;
+ members = state->members;
+
+ ret = sdap_deref_search_recv(subreq, state, &num_entries, &entries);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Received %zu dereference results, "
+ "about to process them\n", num_entries);
+
+ /*
+ * We don't have any knowledge about possible number of groups when
+ * dereferencing. We expect that every member is a group and we will
+ * allocate enough space to hold it. We will shrink the memory later.
+ */
+ state->nested_groups = talloc_zero_array(state, struct sysdb_attrs *,
+ num_entries);
+ if (state->nested_groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ PROBE(SDAP_NESTED_GROUP_DEREF_PROCESS_PRE);
+ for (i = 0; i < num_entries; i++) {
+ ret = sysdb_attrs_get_string(entries[i]->attrs,
+ SYSDB_ORIG_DN, &orig_dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "The entry has no originalDN\n");
+ goto done;
+ }
+
+ /* Ensure that all members returned from the deref request are included
+ * in the member processing. Sometimes we will get more results back
+ * from deref/asq than we got from the initial lookup, as is the case
+ * with Active Directory and its range retrieval mechanism.
+ */
+ member_found = false;
+ for (j = 0; j < members->num_values; j++) {
+ /* FIXME: This is inefficient for very large sets of groups */
+ member_dn = (const char *)members->values[j].data;
+ if (strcasecmp(orig_dn, member_dn) == 0) {
+ member_found = true;
+ break;
+ }
+ }
+
+ if (!member_found) {
+ /* Append newly found member to member list.
+ * Changes in state->members will propagate into sysdb_attrs of
+ * the group.
*/
+ state->members->values = talloc_realloc(members, members->values,
+ struct ldb_val,
+ members->num_values + 1);
+ if (members->values == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ members->values[members->num_values].data =
+ (uint8_t *)talloc_strdup(members->values, orig_dn);
+ if (members->values[members->num_values].data == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ members->values[members->num_values].length = strlen(orig_dn);
+ members->num_values++;
+ }
+
+ if (entries[i]->map == opts->user_map) {
+ /* we found a user */
+
+ /* skip the user if it is not amongst configured search bases */
+ if (!sdap_nested_member_is_user(state->group_ctx, orig_dn, NULL)) {
+ continue;
+ }
+
+ /* save user in hash table */
+ ret = sdap_nested_group_hash_user(state->group_ctx,
+ entries[i]->attrs);
+ if (ret != EOK && ret != EEXIST) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to save user in hash table "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ } else if (entries[i]->map == opts->group_map) {
+ /* we found a group */
+
+ /* skip the group if we have reached the nesting limit */
+ if (state->nesting_level >= state->group_ctx->max_nesting_level) {
+ DEBUG(SSSDBG_TRACE_ALL, "[%s] is outside nesting limit "
+ "(level %d), skipping\n", orig_dn, state->nesting_level);
+ continue;
+ }
+
+ /* skip the group if it is not amongst configured search bases */
+ if (!sdap_nested_member_is_group(state->group_ctx, orig_dn, NULL)) {
+ continue;
+ }
+
+ /* save group in hash table */
+ ret = sdap_nested_group_hash_group(state->group_ctx,
+ entries[i]->attrs);
+ if (ret == EEXIST) {
+ continue;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to save group in hash table "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ /* remember the group for later processing */
+ state->nested_groups[state->num_groups] = entries[i]->attrs;
+ state->num_groups++;
+
+ } else {
+ /* this should never happen, but if it does, do not loop forever */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Entry does not match any known map, skipping\n");
+ continue;
+ }
+ }
+ PROBE(SDAP_NESTED_GROUP_DEREF_PROCESS_POST);
+
+ /* adjust size of nested groups array */
+ if (state->num_groups > 0) {
+ state->nested_groups = talloc_realloc(state, state->nested_groups,
+ struct sysdb_attrs *,
+ state->num_groups);
+ if (state->nested_groups == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ talloc_zfree(state->nested_groups);
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+static void sdap_nested_group_deref_direct_done(struct tevent_req *subreq)
+{
+ struct sdap_nested_group_deref_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_nested_group_deref_state);
+
+ /* process direct members */
+ ret = sdap_nested_group_deref_direct_process(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Error processing direct membership "
+ "[%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ /* we have processed all direct members,
+ * now recurse and process nested groups */
+ subreq = sdap_nested_group_recurse_send(state, state->ev,
+ state->group_ctx,
+ state->nested_groups,
+ state->num_groups,
+ state->nesting_level + 1);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(subreq, sdap_nested_group_deref_done, req);
+
+ ret = EAGAIN;
+
+done:
+ if (ret == EOK) {
+ /* tevent_req_error() cannot cope with EOK */
+ DEBUG(SSSDBG_CRIT_FAILURE, "We should not get here with EOK\n");
+ tevent_req_error(req, EINVAL);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+
+}
+
+static void sdap_nested_group_deref_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ /* process nested groups */
+ ret = sdap_nested_group_recurse_recv(subreq);
+ talloc_zfree(subreq);
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ return;
+}
+
+static errno_t sdap_nested_group_deref_recv(struct tevent_req *req)
+{
+ PROBE(SDAP_NESTED_GROUP_DEREF_RECV);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct sdap_ext_member {
+ struct sdap_external_missing_member *missing_mem;
+ const char *ext_member_attr;
+
+ enum sysdb_member_type member_type;
+ struct sss_domain_info *dom;
+ struct sysdb_attrs *attrs;
+};
+
+struct sdap_nested_group_lookup_external_state {
+ struct tevent_context *ev;
+ struct sdap_ext_member_ctx *ext_ctx;
+ struct sss_domain_info *group_dom;
+ hash_table_t *missing_external;
+
+ hash_entry_t *entries;
+ unsigned long n_entries;
+ unsigned long eniter;
+
+ struct sdap_ext_member *ext_members;
+
+ ext_member_send_fn_t ext_member_resolve_send;
+ ext_member_recv_fn_t ext_member_resolve_recv;
+};
+
+static errno_t
+sdap_nested_group_lookup_external_step(struct tevent_req *req);
+static void
+sdap_nested_group_lookup_external_done(struct tevent_req *subreq);
+static errno_t
+sdap_nested_group_lookup_external_link(struct tevent_req *req);
+static errno_t
+sdap_nested_group_lookup_external_link_member(
+ struct sdap_nested_group_lookup_external_state *state,
+ struct sdap_ext_member *member);
+static errno_t
+sdap_nested_group_memberof_dn_by_original_dn(
+ TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *group_dom,
+ const char *original_dn,
+ const char ***_parents);
+
+struct tevent_req *
+sdap_nested_group_lookup_external_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sss_domain_info *group_dom,
+ struct sdap_ext_member_ctx *ext_ctx,
+ hash_table_t *missing_external)
+{
+ struct sdap_nested_group_lookup_external_state *state = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct sdap_nested_group_lookup_external_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->group_dom = group_dom;
+ state->ext_ctx = ext_ctx;
+ state->missing_external = missing_external;
+
+ if (state->ext_ctx->ext_member_resolve_send == NULL
+ || state->ext_ctx->ext_member_resolve_recv == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Wrong private context\n");
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ ret = hash_entries(state->missing_external,
+ &state->n_entries, &state->entries);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "hash_entries returned %d\n", ret);
+ ret = EIO;
+ goto immediately;
+ }
+ state->eniter = 0;
+
+ state->ext_members = talloc_zero_array(state,
+ struct sdap_ext_member,
+ state->n_entries);
+ if (state->ext_members == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ ret = sdap_nested_group_lookup_external_step(req);
+ if (ret != EAGAIN) {
+ goto immediately;
+ }
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+sdap_nested_group_lookup_external_step(struct tevent_req *req)
+{
+ struct tevent_req *subreq = NULL;
+ struct sdap_nested_group_lookup_external_state *state = NULL;
+ state = tevent_req_data(req,
+ struct sdap_nested_group_lookup_external_state);
+
+ subreq = state->ext_ctx->ext_member_resolve_send(state,
+ state->ev,
+ state->entries[state->eniter].key.str,
+ state->ext_ctx->pvt);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Refreshing member %lu/%lu\n",
+ state->eniter, state->n_entries);
+ tevent_req_set_callback(subreq,
+ sdap_nested_group_lookup_external_done,
+ req);
+
+ return EAGAIN;
+}
+
+static void
+sdap_nested_group_lookup_external_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = NULL;
+ struct sdap_nested_group_lookup_external_state *state = NULL;
+ enum sysdb_member_type member_type;
+ struct sysdb_attrs *member;
+ struct sss_domain_info *member_dom;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req,
+ struct sdap_nested_group_lookup_external_state);
+
+ ret = state->ext_ctx->ext_member_resolve_recv(state, subreq,
+ &member_type,
+ &member_dom,
+ &member);
+ talloc_free(subreq);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Refreshed member %lu\n", state->eniter);
+ state->ext_members[state->eniter].missing_mem = \
+ state->entries[state->eniter].value.ptr;
+ state->ext_members[state->eniter].dom = member_dom;
+
+ state->ext_members[state->eniter].ext_member_attr = \
+ talloc_steal(state->ext_members,
+ state->entries[state->eniter].key.str);
+ state->ext_members[state->eniter].member_type = member_type;
+ state->ext_members[state->eniter].attrs = \
+ talloc_steal(state->ext_members, member);
+ }
+
+ state->eniter++;
+ if (state->eniter >= state->n_entries) {
+ DEBUG(SSSDBG_TRACE_FUNC, "All external members processed\n");
+ ret = sdap_nested_group_lookup_external_link(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_done(req);
+ return;
+ }
+
+ ret = sdap_nested_group_lookup_external_step(req);
+ if (ret != EOK && ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ return;
+}
+
+static errno_t
+sdap_nested_group_lookup_external_link(struct tevent_req *req)
+{
+ errno_t ret, tret;
+ bool in_transaction = false;
+ struct sdap_nested_group_lookup_external_state *state = NULL;
+ state = tevent_req_data(req,
+ struct sdap_nested_group_lookup_external_state);
+
+ ret = sysdb_transaction_start(state->group_dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto fail;
+ }
+ in_transaction = true;
+
+
+ for (size_t i = 0; i < state->eniter; i++) {
+ if (state->ext_members[i].attrs == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "The member %s could not be resolved\n",
+ state->ext_members[i].ext_member_attr);
+ continue;
+ }
+
+ ret = sdap_nested_group_lookup_external_link_member(state,
+ &state->ext_members[i]);
+ if (ret != EOK) {
+ goto fail;
+ }
+ }
+
+ ret = sysdb_transaction_commit(state->group_dom->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto fail;
+ }
+ in_transaction = false;
+
+ return EOK;
+
+fail:
+ if (in_transaction) {
+ tret = sysdb_transaction_cancel(state->group_dom->sysdb);
+ if (tret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ return EFAULT;
+}
+
+static errno_t
+sdap_nested_group_lookup_external_link_member(
+ struct sdap_nested_group_lookup_external_state *state,
+ struct sdap_ext_member *member)
+{
+ const char *name;
+ int ret;
+ const char **parents = NULL;
+ size_t i;
+ TALLOC_CTX *tmp_ctx;
+ const char *orig_dn;
+
+ tmp_ctx = talloc_new(state);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_string(member->attrs, SYSDB_NAME, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No name for a user\n");
+ goto done;
+ }
+
+ /* This only works because the groups were saved in a previous
+ * transaction */
+ for (i=0; i < member->missing_mem->parent_dn_idx; i++) {
+ orig_dn = member->missing_mem->parent_group_dns[i];
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Linking external members %s from domain %s to parents of %s\n",
+ name, member->dom->name, orig_dn);
+ ret = sdap_nested_group_memberof_dn_by_original_dn(tmp_ctx,
+ state->group_dom,
+ orig_dn,
+ &parents);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot find parents of %s\n", orig_dn);
+ continue;
+ }
+
+ /* We don't have to remove the members here, since all members attributes
+ * are always written anew
+ */
+ ret = sysdb_update_members_dn(member->dom, name, member->member_type,
+ parents, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot link %s@%s to its parents\n",
+ name, member->dom->name);
+ goto done;
+ }
+
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+sdap_nested_group_memberof_dn_by_original_dn(
+ TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *group_dom,
+ const char *original_dn,
+ const char ***_parents)
+{
+ errno_t ret;
+ const char *attrs[] = { SYSDB_NAME,
+ SYSDB_MEMBEROF,
+ NULL };
+ struct ldb_message **msgs = NULL;
+ size_t count;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message_element *memberof;
+ const char **parents;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_groups_by_orig_dn(tmp_ctx, group_dom, original_dn,
+ attrs, &count, &msgs);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (count != 1) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "More than one entry found by originalDN?\n");
+ goto done;
+ }
+
+ memberof = ldb_msg_find_element(msgs[0], SYSDB_MEMBEROF);
+ if (memberof == NULL || memberof->num_values == 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The external group is not a member of any groups\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ parents = talloc_zero_array(tmp_ctx,
+ const char *,
+ memberof->num_values + 1);
+ if (parents == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (size_t i = 0; i < memberof->num_values; i++) {
+ parents[i] = talloc_strdup(parents,
+ (const char *) memberof->values[i].data);
+ if (parents[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ *_parents = talloc_steal(mem_ctx, parents);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+sdap_nested_group_lookup_external_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
diff --git a/src/providers/ldap/sdap_async_netgroups.c b/src/providers/ldap/sdap_async_netgroups.c
new file mode 100644
index 0000000..f4a1d16
--- /dev/null
+++ b/src/providers/ldap/sdap_async_netgroups.c
@@ -0,0 +1,778 @@
+/*
+ SSSD
+
+ Async LDAP Helper routines for netgroups
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "providers/ldap/sdap_async_private.h"
+#include "providers/ldap/ldap_common.h"
+
+bool is_dn(const char *str)
+{
+ int ret;
+ LDAPDN dn;
+
+ ret = ldap_str2dn(str, &dn, LDAP_DN_FORMAT_LDAPV3);
+ ldap_dnfree(dn);
+
+ return (ret == LDAP_SUCCESS ? true : false);
+}
+
+static errno_t sdap_save_netgroup(TALLOC_CTX *memctx,
+ struct sss_domain_info *dom,
+ struct sdap_options *opts,
+ struct sysdb_attrs *attrs,
+ char **_timestamp,
+ time_t now)
+{
+ struct ldb_message_element *el;
+ struct sysdb_attrs *netgroup_attrs;
+ const char *name = NULL;
+ int ret;
+ char *timestamp = NULL;
+ char **missing = NULL;
+
+ ret = sdap_get_netgroup_primary_name(memctx, opts, attrs, dom, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get netgroup name\n");
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Processing netgroup %s\n", name);
+
+ netgroup_attrs = sysdb_new_attrs(memctx);
+ if (!netgroup_attrs) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = sdap_attrs_add_string(attrs, SYSDB_ORIG_DN,
+ "original DN",
+ name, netgroup_attrs);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ ret = sysdb_attrs_get_el(attrs,
+ opts->netgroup_map[SDAP_AT_NETGROUP_MODSTAMP].sys_name,
+ &el);
+ if (ret) {
+ goto fail;
+ }
+ if (el->num_values == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Original mod-Timestamp is not available for [%s].\n",
+ name);
+ } else {
+ ret = sysdb_attrs_add_string(netgroup_attrs,
+ opts->netgroup_map[SDAP_AT_NETGROUP_MODSTAMP].sys_name,
+ (const char*)el->values[0].data);
+ if (ret) {
+ goto fail;
+ }
+ timestamp = talloc_strdup(memctx, (const char*)el->values[0].data);
+ if (!timestamp) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ }
+
+ ret = sdap_attrs_add_list(attrs,
+ opts->netgroup_map[SDAP_AT_NETGROUP_TRIPLE].sys_name,
+ "netgroup triple",
+ name, netgroup_attrs);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ ret = sdap_attrs_add_list(attrs,
+ opts->netgroup_map[SDAP_AT_NETGROUP_MEMBER].sys_name,
+ "original members",
+ name, netgroup_attrs);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ ret = sdap_attrs_add_list(attrs, SYSDB_NETGROUP_MEMBER,
+ "members", name, netgroup_attrs);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Storing info for netgroup %s\n", name);
+
+ ret = sdap_save_all_names(name, attrs, dom, SYSDB_MEMBER_NETGROUP,
+ netgroup_attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save netgroup names\n");
+ goto fail;
+ }
+
+ /* Make sure that any attributes we requested from LDAP that we
+ * did not receive are also removed from the sysdb
+ */
+ ret = list_missing_attrs(attrs, opts->netgroup_map, SDAP_OPTS_NETGROUP,
+ attrs, &missing);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to list missing attributes\n");
+ goto fail;
+ }
+
+ /* We store memberNisNetgroup from LDAP as originalMemberNisNetgroup in
+ * sysdb. It may contain simple name or DN. That's the reason why we always
+ * translate/generate simple name and store it in SYSDB_NETGROUP_MEMBER
+ * (memberNisNetgroup) in sysdb which is internally used for searching
+ * netgropus.
+ * We need to ensure if originalMemberNisNetgroup is missing,
+ * memberNisNetgroup is missing too.
+ */
+ if (string_in_list(SYSDB_ORIG_NETGROUP_MEMBER, missing, false)) {
+ ret = add_string_to_list(attrs, SYSDB_NETGROUP_MEMBER, &missing);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to add string into list\n");
+ goto fail;
+ }
+ }
+
+ ret = sysdb_add_netgroup(dom, name, NULL, netgroup_attrs, missing,
+ dom->netgroup_timeout, now);
+ if (ret) goto fail;
+
+ if (_timestamp) {
+ *_timestamp = timestamp;
+ }
+
+ return EOK;
+
+fail:
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to save netgroup %s\n", name);
+ return ret;
+}
+
+errno_t update_dn_list(struct dn_item *dn_list, const size_t count,
+ struct ldb_message **res, bool *all_resolved)
+{
+ struct dn_item *dn_item;
+ size_t c;
+ const char *dn;
+ const char *cn;
+ bool not_resolved = false;
+
+ *all_resolved = false;
+
+ DLIST_FOR_EACH(dn_item, dn_list) {
+ if (dn_item->cn != NULL) {
+ continue;
+ }
+
+ for(c = 0; c < count; c++) {
+ dn = ldb_msg_find_attr_as_string(res[c], SYSDB_ORIG_DN, NULL);
+ if (dn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing original DN.\n");
+ return EINVAL;
+ }
+ if (strcmp(dn, dn_item->dn) == 0) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found matching entry for [%s].\n", dn_item->dn);
+ cn = ldb_msg_find_attr_as_string(res[c], SYSDB_NAME, NULL);
+ if (cn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing name.\n");
+ return EINVAL;
+ }
+ dn_item->cn = talloc_strdup(dn_item, cn);
+ break;
+ }
+ }
+
+ if (dn_item->cn == NULL) {
+ not_resolved = true;
+ }
+ }
+
+ *all_resolved = !not_resolved;
+
+ return EOK;
+}
+
+struct netgr_translate_members_state {
+ struct tevent_context *ev;
+ struct sdap_options *opts;
+ struct sdap_handle *sh;
+
+ struct sysdb_attrs **netgroups;
+ size_t count;
+ struct dn_item *dn_list;
+ struct dn_item *dn_item;
+ struct dn_item *dn_idx;
+};
+
+static errno_t netgr_translate_members_ldap_step(struct tevent_req *req);
+static void netgr_translate_members_ldap_done(struct tevent_req *subreq);
+
+struct tevent_req *netgr_translate_members_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_options *opts,
+ struct sdap_handle *sh,
+ struct sss_domain_info *dom,
+ struct sysdb_ctx *sysdb,
+ const size_t count,
+ struct sysdb_attrs **netgroups)
+{
+ struct tevent_req *req;
+ struct netgr_translate_members_state *state;
+ size_t c;
+ size_t mc;
+ const char **member_list;
+ size_t sysdb_count;
+ int ret;
+ struct ldb_message **sysdb_res;
+ struct dn_item *dn_item;
+ char *dn_filter;
+ char *sysdb_filter;
+ struct ldb_dn *netgr_basedn;
+ bool all_resolved;
+ const char *cn_attr[] = { SYSDB_NAME, SYSDB_ORIG_DN, NULL };
+
+ req = tevent_req_create(memctx, &state,
+ struct netgr_translate_members_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->opts = opts;
+ state->sh = sh;
+ state->netgroups = netgroups;
+ state->count = count;
+ state->dn_list = NULL;
+ state->dn_item = NULL;
+ state->dn_idx = NULL;
+
+ for (c = 0; c < count; c++) {
+ ret = sysdb_attrs_get_string_array(netgroups[c],
+ SYSDB_ORIG_NETGROUP_MEMBER, state,
+ &member_list);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Missing netgroup members.\n");
+ continue;
+ }
+
+ for (mc = 0; member_list[mc] != NULL; mc++) {
+ if (is_dn(member_list[mc])) {
+ dn_item = talloc_zero(state, struct dn_item);
+ if (dn_item == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Adding [%s] to DN list.\n", member_list[mc]);
+ dn_item->netgroup = netgroups[c];
+ dn_item->dn = member_list[mc];
+ DLIST_ADD(state->dn_list, dn_item);
+ } else {
+ ret = sysdb_attrs_add_string(netgroups[c], SYSDB_NETGROUP_MEMBER,
+ member_list[mc]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto fail;
+ }
+ }
+ }
+ }
+
+ if (state->dn_list == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, "No DNs found among netgroup members.\n");
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ return req;
+ }
+
+ dn_filter = talloc_strdup(state, "(|");
+ if (dn_filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ DLIST_FOR_EACH(dn_item, state->dn_list) {
+ dn_filter = talloc_asprintf_append(dn_filter, "(%s=%s)",
+ SYSDB_ORIG_DN, dn_item->dn);
+ if (dn_filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ }
+
+ dn_filter = talloc_asprintf_append(dn_filter, ")");
+ if (dn_filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ sysdb_filter = talloc_asprintf(state, "(&(%s)%s)", SYSDB_NC, dn_filter);
+ if (sysdb_filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ netgr_basedn = sysdb_netgroup_base_dn(state, dom);
+ if (netgr_basedn == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = sysdb_search_entry(state, sysdb, netgr_basedn, LDB_SCOPE_BASE,
+ sysdb_filter, cn_attr, &sysdb_count, &sysdb_res);
+ talloc_zfree(netgr_basedn);
+ talloc_zfree(sysdb_filter);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry failed.\n");
+ goto fail;
+ }
+
+ if (ret == EOK) {
+ ret = update_dn_list(state->dn_list, sysdb_count, sysdb_res,
+ &all_resolved);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "update_dn_list failed.\n");
+ goto fail;
+ }
+
+ if (all_resolved) {
+ DLIST_FOR_EACH(dn_item, state->dn_list) {
+ ret = sysdb_attrs_add_string(dn_item->netgroup,
+ SYSDB_NETGROUP_MEMBER,
+ dn_item->cn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ goto fail;
+ }
+ }
+
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ return req;
+ }
+ }
+
+ state->dn_idx = state->dn_list;
+ ret = netgr_translate_members_ldap_step(req);
+ if (ret != EOK && ret != EAGAIN) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "netgr_translate_members_ldap_step failed.\n");
+ goto fail;
+ }
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ }
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+/* netgr_translate_members_ldap_step() returns
+ * EOK: if everthing is translated, the caller can call tevent_req_done
+ * EAGAIN: if there are still members waiting to be translated, the caller
+ * should return to the mainloop
+ * Exyz: every other return code indicates an error and tevent_req_error
+ * should be called
+ */
+static errno_t netgr_translate_members_ldap_step(struct tevent_req *req)
+{
+ struct netgr_translate_members_state *state = tevent_req_data(req,
+ struct netgr_translate_members_state);
+ const char **cn_attr;
+ char *filter = NULL;
+ struct tevent_req *subreq;
+ int ret;
+
+ DLIST_FOR_EACH(state->dn_item, state->dn_idx) {
+ if (state->dn_item->cn == NULL) {
+ break;
+ }
+ }
+ if (state->dn_item == NULL) {
+ DLIST_FOR_EACH(state->dn_item, state->dn_list) {
+ ret = sysdb_attrs_add_string(state->dn_item->netgroup,
+ SYSDB_NETGROUP_MEMBER,
+ state->dn_item->cn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_attrs_add_string failed.\n");
+ tevent_req_error(req, ret); + return ret; + } + } + + return EOK; + } + + if (!sss_ldap_dn_in_search_bases(state, state->dn_item->dn, + state->opts->sdom->netgroup_search_bases, + &filter)) { + /* not in search base, skip it */ + state->dn_idx = state->dn_item->next; + DLIST_REMOVE(state->dn_list, state->dn_item); + return netgr_translate_members_ldap_step(req); + } + + cn_attr = talloc_array(state, const char *, 3); + if (cn_attr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); + return ENOMEM; + } + cn_attr[0] = state->opts->netgroup_map[SDAP_AT_NETGROUP_NAME].name; + cn_attr[1] = "objectclass"; + cn_attr[2] = NULL; + + DEBUG(SSSDBG_TRACE_ALL, "LDAP base search for [%s].\n", state->dn_item->dn); + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + state->dn_item->dn, LDAP_SCOPE_BASE, filter, + cn_attr, state->opts->netgroup_map, + SDAP_OPTS_NETGROUP, + dp_opt_get_int(state->opts->basic, + SDAP_SEARCH_TIMEOUT), + false); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic_send failed.\n"); + return ENOMEM; + } + talloc_steal(subreq, cn_attr); + + tevent_req_set_callback(subreq, netgr_translate_members_ldap_done, req); + return EAGAIN; +} + +static void netgr_translate_members_ldap_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct netgr_translate_members_state *state = tevent_req_data(req, + struct netgr_translate_members_state); + int ret; + size_t count; + struct sysdb_attrs **netgroups; + const char *str; + + ret = sdap_get_generic_recv(subreq, state, &count, &netgroups); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_get_generic request failed.\n"); + goto fail; + } + + switch (count) { + case 0: + DEBUG(SSSDBG_FATAL_FAILURE, + "sdap_get_generic_recv found no entry for [%s].\n", + state->dn_item->dn); + break; + case 1: + ret = sysdb_attrs_get_string(netgroups[0], SYSDB_NAME, &str); + if (ret != EOK) 
{ + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n"); + break; + } + state->dn_item->cn = talloc_strdup(state->dn_item, str); + if (state->dn_item->cn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected number of results [%zu] for base search.\n", + count); + } + + if (state->dn_item->cn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to resolve netgroup name for DN [%s], using DN.\n", + state->dn_item->dn); + state->dn_item->cn = talloc_strdup(state->dn_item, state->dn_item->dn); + } + + state->dn_idx = state->dn_item->next; + ret = netgr_translate_members_ldap_step(req); + if (ret != EOK && ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, + "netgr_translate_members_ldap_step failed.\n"); + goto fail; + } + + if (ret == EOK) { + tevent_req_done(req); + } + return; + +fail: + tevent_req_error(req, ret); + return; +} + +static errno_t netgroup_translate_ldap_members_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *count, + struct sysdb_attrs ***netgroups) +{ + struct netgr_translate_members_state *state = tevent_req_data(req, + struct netgr_translate_members_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *count = state->count; + *netgroups = talloc_steal(mem_ctx, state->netgroups); + + return EOK; +} + +/* ==Search-Netgroups-with-filter============================================ */ + +struct sdap_get_netgroups_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sss_domain_info *dom; + struct sysdb_ctx *sysdb; + const char **attrs; + const char *base_filter; + char *filter; + int timeout; + + char *higher_timestamp; + struct sysdb_attrs **netgroups; + size_t count; + + size_t base_iter; + struct sdap_search_base **search_bases; +}; + +static errno_t sdap_get_netgroups_next_base(struct tevent_req *req); +static void sdap_get_netgroups_process(struct tevent_req *subreq); +static void 
netgr_translate_members_done(struct tevent_req *subreq); + +struct tevent_req *sdap_get_netgroups_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_get_netgroups_state *state; + + req = tevent_req_create(memctx, &state, struct sdap_get_netgroups_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->dom = dom; + state->sh = sh; + state->sysdb = sysdb; + state->attrs = attrs; + state->higher_timestamp = NULL; + state->netgroups = NULL; + state->count = 0; + state->timeout = timeout; + state->base_filter = filter; + state->base_iter = 0; + state->search_bases = search_bases; + + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Netgroup lookup request without a netgroup search base\n"); + ret = EINVAL; + goto done; + } + + + ret = sdap_get_netgroups_next_base(req); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, state->ev); + } + return req; +} + +static errno_t sdap_get_netgroups_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_get_netgroups_state *state; + + state = tevent_req_data(req, struct sdap_get_netgroups_state); + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for netgroups with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + subreq = sdap_get_generic_send( + state, state->ev, state->opts, state->sh, + state->search_bases[state->base_iter]->basedn, + state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->netgroup_map, SDAP_OPTS_NETGROUP, + 
state->timeout, + false); + if (!subreq) { + return ENOMEM; + } + tevent_req_set_callback(subreq, sdap_get_netgroups_process, req); + + return EOK; +} + +static void sdap_get_netgroups_process(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_netgroups_state *state = tevent_req_data(req, + struct sdap_get_netgroups_state); + int ret; + + ret = sdap_get_generic_recv(subreq, state, + &state->count, &state->netgroups); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Search for netgroups, returned %zu results.\n", state->count); + + if (state->count == 0) { + /* No netgroups found in this search */ + state->base_iter++; + if (state->search_bases[state->base_iter]) { + /* There are more search bases to try */ + ret = sdap_get_netgroups_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ENOENT); + } + return; + } + + tevent_req_error(req, ENOENT); + return; + } + + subreq = netgr_translate_members_send(state, state->ev, state->opts, + state->sh, state->dom, state->sysdb, + state->count, state->netgroups); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, netgr_translate_members_done, req); + + return; + +} + +static void netgr_translate_members_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_netgroups_state *state = tevent_req_data(req, + struct sdap_get_netgroups_state); + int ret; + size_t c; + time_t now; + + ret = netgroup_translate_ldap_members_recv(subreq, state, &state->count, + &state->netgroups); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + now = time(NULL); + for (c = 0; c < state->count; c++) { + ret = sdap_save_netgroup(state, + state->dom, + state->opts, + state->netgroups[c], + &state->higher_timestamp, + now); + if (ret) { + 
DEBUG(SSSDBG_OP_FAILURE, "Failed to store netgroups.\n"); + tevent_req_error(req, ret); + return; + } + } + + DEBUG(SSSDBG_TRACE_ALL, "Saving %zu Netgroups - Done\n", state->count); + + tevent_req_done(req); +} + +int sdap_get_netgroups_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, char **timestamp, + size_t *reply_count, + struct sysdb_attrs ***reply) +{ + struct sdap_get_netgroups_state *state = tevent_req_data(req, + struct sdap_get_netgroups_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (timestamp) { + *timestamp = talloc_steal(mem_ctx, state->higher_timestamp); + } + + if (reply_count) { + *reply_count = state->count; + } + + if (reply) { + *reply = talloc_steal(mem_ctx, state->netgroups); + } + + return EOK; +} diff --git a/src/providers/ldap/sdap_async_private.h b/src/providers/ldap/sdap_async_private.h new file mode 100644 index 0000000..7250744 --- /dev/null +++ b/src/providers/ldap/sdap_async_private.h 
@@ -0,0 +1,187 @@ +/* + SSSD + + Async LDAP Helper routines + + Copyright (C) Simo Sorce + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_ASYNC_PRIVATE_H_ +#define _SDAP_ASYNC_PRIVATE_H_ + +#include "config.h" +#include "util/sss_krb5.h" +#include "providers/ldap/sdap_async.h" + +struct dn_item { + const char *dn; + /* Parent netgroup containing this record */ + struct sysdb_attrs *netgroup; + char *cn; + struct dn_item *next; + struct dn_item *prev; +}; + +bool is_dn(const char *str); +errno_t update_dn_list(struct dn_item *dn_list, + const size_t count, + struct ldb_message **res, + bool *all_resolved); + +struct sdap_handle *sdap_handle_create(TALLOC_CTX *memctx); + +void sdap_ldap_result(struct tevent_context *ev, struct tevent_fd *fde, + uint16_t flags, void *pvt); + +int setup_ldap_connection_callbacks(struct sdap_handle *sh, + struct tevent_context *ev); +int remove_ldap_connection_callbacks(struct sdap_handle *sh); + +int get_fd_from_ldap(LDAP *ldap, int *fd); + +errno_t sdap_set_connected(struct sdap_handle *sh, struct tevent_context *ev); + +errno_t sdap_call_conn_cb(const char *uri,int fd, struct sdap_handle *sh); + +int sdap_op_add(TALLOC_CTX *memctx, struct tevent_context *ev, + struct sdap_handle *sh, int msgid, + sdap_op_callback_t *callback, void *data, + int timeout, struct sdap_op **_op); + +struct tevent_req *sdap_get_rootdse_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + 
struct sdap_options *opts, + struct sdap_handle *sh); +int sdap_get_rootdse_recv(struct tevent_req *req, + TALLOC_CTX *memctx, + struct sysdb_attrs **rootdse); + +errno_t deref_string_to_val(const char *str, int *val); + +/* from sdap_child_helpers.c */ + +struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *realm_str, + const char *princ_str, + const char *keytab_name, + int32_t lifetime, + int timeout); + +int sdap_get_tgt_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + int *result, + krb5_error_code *kerr, + char **ccname, + time_t *expire_time_out); + +int sdap_save_users(TALLOC_CTX *memctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs **users, + int num_users, + struct sysdb_attrs *mapped_attrs, + char **_usn_value); + +int sdap_initgr_common_store(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + const char *name, + enum sysdb_member_type type, + char **sysdb_grouplist, + struct sysdb_attrs **ldap_groups, + int ldap_groups_count); + +errno_t get_sysdb_grouplist(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + char ***grouplist); + +errno_t get_sysdb_grouplist_dn(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + const char *name, + char ***grouplist); + +/* from sdap_async_nested_groups.c */ +struct tevent_req *sdap_nested_group_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_domain *sdom, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sysdb_attrs *group); + +errno_t sdap_nested_group_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + unsigned long *_num_users, + struct sysdb_attrs ***_users, + unsigned long *_num_groups, + struct sysdb_attrs ***_groups, + hash_table_t **missing_external); + +struct tevent_req * +sdap_nested_group_lookup_external_send(TALLOC_CTX *mem_ctx, + 
struct tevent_context *ev, + struct sss_domain_info *group_dom, + struct sdap_ext_member_ctx *ext_ctx, + hash_table_t *missing_external); +errno_t +sdap_nested_group_lookup_external_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req); + +/* from sdap_async_initgroups.c */ +errno_t sdap_add_incomplete_groups(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + char **sysdb_groupnames, + struct sysdb_attrs **ldap_groups, + int ldap_groups_count); + +/* from sdap_ad_groups.c */ +errno_t sdap_check_ad_group_type(struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs *group_attrs, + const char *group_name, + bool *_need_filter); + +struct tevent_req *rfc2307bis_nested_groups_send( + TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct sdap_options *opts, struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, struct sdap_handle *sh, + struct sdap_search_base **search_bases, + struct sysdb_attrs **groups, size_t num_groups, + hash_table_t *group_hash, size_t nesting); +errno_t rfc2307bis_nested_groups_recv(struct tevent_req *req); + +errno_t sdap_nested_groups_store(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct sdap_options *opts, + struct sysdb_attrs **groups, + unsigned long count); + +struct tevent_req * +sdap_ad_get_domain_local_groups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_domain *local_sdom, + struct sdap_options *opts, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sysdb_attrs **groups, + size_t num_groups); +errno_t sdap_ad_get_domain_local_groups_recv(struct tevent_req *req); +#endif /* _SDAP_ASYNC_PRIVATE_H_ */ diff --git a/src/providers/ldap/sdap_async_services.c b/src/providers/ldap/sdap_async_services.c new file mode 100644 index 0000000..eebe239 --- /dev/null +++ b/src/providers/ldap/sdap_async_services.c 
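Review bot: `struct dn_item` documents only its `netgroup` field, but the netgroup translation code earlier in this patch depends on an unwritten rule for `cn`: netgr_translate_members_ldap_step treats `cn == NULL` as "not yet translated", and netgr_translate_members_ldap_done allocates the resolved name on the item itself with `talloc_strdup(state->dn_item, ...)`. I would state that in the header, above the field: `/* Resolved netgroup name, allocated on this item; NULL until the DN has been translated */`. A short comment on `update_dn_list` saying when `*all_resolved` is set would help for the same reason; its definition is outside this hunk, so the exact wording needs checking against the implementation.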
@@ -0,0 +1,646 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "db/sysdb_services.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_get_services_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sss_domain_info *dom; + struct sysdb_ctx *sysdb; + const char **attrs; + const char *base_filter; + char *filter; + int timeout; + bool enumeration; + + char *higher_usn; + struct sysdb_attrs **services; + size_t count; + + size_t base_iter; + struct sdap_search_base **search_bases; +}; + +static errno_t +sdap_get_services_next_base(struct tevent_req *req); +static void +sdap_get_services_process(struct tevent_req *subreq); +static errno_t +sdap_save_services(TALLOC_CTX *memctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs **services, + size_t num_services, + char **_usn_value); +static errno_t +sdap_save_service(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sss_domain_info *dom, + struct sysdb_attrs *attrs, + char **_usn_value, + time_t now); + +struct tevent_req * +sdap_get_services_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct 
sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + bool enumeration) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_get_services_state *state; + + req = tevent_req_create(memctx, &state, struct sdap_get_services_state); + if (!req) return NULL; + + state->ev = ev; + state->opts = opts; + state->dom = dom; + state->sh = sh; + state->sysdb = sysdb; + state->attrs = attrs; + state->higher_usn = NULL; + state->services = NULL; + state->count = 0; + state->timeout = timeout; + state->base_filter = filter; + state->base_iter = 0; + state->search_bases = search_bases; + state->enumeration = enumeration; + + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Services lookup request without a search base\n"); + ret = EINVAL; + goto done; + } + + ret = sdap_get_services_next_base(req); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, state->ev); + } + + return req; +} + +static errno_t +sdap_get_services_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_get_services_state *state; + + state = tevent_req_data(req, struct sdap_get_services_state); + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (!state->filter) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for services with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + subreq = sdap_get_generic_send( + state, state->ev, state->opts, state->sh, + state->search_bases[state->base_iter]->basedn, + state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->service_map, SDAP_OPTS_SERVICES, + state->timeout, + state->enumeration); /* If we're enumerating, we need paging */ + if (!subreq) { + return ENOMEM; + } + tevent_req_set_callback(subreq, 
sdap_get_services_process, req); + + return EOK; +} + +static void +sdap_get_services_process(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct sdap_get_services_state *state = + tevent_req_data(req, struct sdap_get_services_state); + int ret; + size_t count, i; + struct sysdb_attrs **services; + bool next_base = false; + + ret = sdap_get_generic_recv(subreq, state, + &count, &services); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Search for services, returned %zu results.\n", + count); + + if (state->enumeration || count == 0) { + /* No services found in this search or enumerating */ + next_base = true; + } + + /* Add this batch of sevices to the list */ + if (count > 0) { + state->services = + talloc_realloc(state, + state->services, + struct sysdb_attrs *, + state->count + count + 1); + if (!state->services) { + tevent_req_error(req, ENOMEM); + return; + } + + /* Copy the new services into the list + */ + for (i = 0; i < count; i++) { + state->services[state->count + i] = + talloc_steal(state->services, services[i]); + } + + state->count += count; + state->services[state->count] = NULL; + } + + if (next_base) { + state->base_iter++; + if (state->search_bases[state->base_iter]) { + /* There are more search bases to try */ + ret = sdap_get_services_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + } + return; + } + } + + /* No more search bases + * Return ENOENT if no services were found + */ + if (state->count == 0) { + tevent_req_error(req, ENOENT); + return; + } + + ret = sdap_save_services(state, state->sysdb, + state->dom, state->opts, + state->services, state->count, + &state->higher_usn); + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store services.\n"); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Saving %zu services - Done\n", state->count); + + 
tevent_req_done(req); +} + +static errno_t +sdap_save_services(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs **services, + size_t num_services, + char **_usn_value) +{ + errno_t ret, sret; + time_t now; + size_t i; + bool in_transaction = false; + char *higher_usn = NULL; + char *usn_value; + TALLOC_CTX *tmp_ctx; + + if (num_services == 0) { + /* Nothing to do */ + return ENOENT; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + + in_transaction = true; + + now = time(NULL); + for (i = 0; i < num_services; i++) { + usn_value = NULL; + + ret = sdap_save_service(tmp_ctx, sysdb, opts, dom, + services[i], + &usn_value, now); + + /* Do not fail completely on errors. + * Just report the failure to save and go on */ + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store service %zu. 
Ignoring.\n", i); + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Service [%zu/%zu] processed!\n", i, num_services); + } + + if (usn_value) { + if (higher_usn) { + if ((strlen(usn_value) > strlen(higher_usn)) || + (strcmp(usn_value, higher_usn) > 0)) { + talloc_zfree(higher_usn); + higher_usn = usn_value; + } else { + talloc_zfree(usn_value); + } + } else { + higher_usn = usn_value; + } + } + } + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to commit transaction!\n"); + goto done; + } + in_transaction = false; + + if (_usn_value) { + *_usn_value = talloc_steal(mem_ctx, higher_usn); + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to cancel transaction!\n"); + } + } + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +sdap_save_service(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sss_domain_info *dom, + struct sysdb_attrs *attrs, + char **_usn_value, + time_t now) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + struct sysdb_attrs *svc_attrs; + struct ldb_message_element *el; + char *usn_value = NULL; + const char *name = NULL; + const char **aliases; + const char **protocols; + const char **cased_protocols; + const char **store_protocols; + char **missing; + uint16_t port; + uint64_t cache_timeout; + + DEBUG(SSSDBG_TRACE_ALL, "Saving service\n"); + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + svc_attrs = sysdb_new_attrs(tmp_ctx); + if (!svc_attrs) { + ret = ENOMEM; + goto done; + } + + /* Identify the primary name of this services */ + ret = sysdb_attrs_primary_name( + sysdb, attrs, + opts->service_map[SDAP_AT_SERVICE_NAME].name, + &name); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not determine the primary name of the service\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Primary name: [%s]\n", name); + + + /* 
Handle any available aliases */ + ret = sysdb_attrs_get_aliases(tmp_ctx, attrs, name, + !dom->case_sensitive, + &aliases); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to identify service aliases\n"); + goto done; + } + + /* Get the port number */ + ret = sysdb_attrs_get_uint16_t(attrs, SYSDB_SVC_PORT, &port); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to identify service port: [%s]\n", + strerror(ret)); + goto done; + } + + /* Get the protocols this service offers on that port */ + ret = sysdb_attrs_get_string_array(attrs, SYSDB_SVC_PROTO, + tmp_ctx, &protocols); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to identify service protocols: [%s]\n", + strerror(ret)); + goto done; + } + + if (dom->case_sensitive == false) { + /* Don't perform the extra mallocs if not necessary */ + ret = sss_get_cased_name_list(tmp_ctx, protocols, + dom->case_sensitive, &cased_protocols); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to get case_sensitive protocols names: [%s]\n", + strerror(ret)); + goto done; + } + } + + store_protocols = dom->case_sensitive ? 
protocols : cased_protocols; + + /* Get the USN value, if available */ + ret = sysdb_attrs_get_el(attrs, + opts->service_map[SDAP_AT_SERVICE_USN].sys_name, &el); + if (ret && ret != ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to retrieve USN value: [%s]\n", + strerror(ret)); + goto done; + } + if (ret == ENOENT || el->num_values == 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "Original USN value is not available for [%s].\n", + name); + } else { + ret = sysdb_attrs_add_string(svc_attrs, + opts->service_map[SDAP_AT_SERVICE_USN].sys_name, + (const char*)el->values[0].data); + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to add USN value: [%s]\n", + strerror(ret)); + goto done; + } + usn_value = talloc_strdup(tmp_ctx, (const char*)el->values[0].data); + if (!usn_value) { + ret = ENOMEM; + goto done; + } + } + + /* Make sure to remove any extra attributes from the sysdb + * that have been removed from LDAP + */ + ret = list_missing_attrs(svc_attrs, opts->service_map, SDAP_OPTS_SERVICES, + attrs, &missing); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to identify removed attributes: [%s]\n", + strerror(ret)); + goto done; + } + + cache_timeout = dom->service_timeout; + + ret = sysdb_store_service(dom, name, port, aliases, store_protocols, + svc_attrs, missing, cache_timeout, now); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store service in the sysdb: [%s]\n", + strerror(ret)); + goto done; + } + + *_usn_value = talloc_steal(mem_ctx, usn_value); + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +sdap_get_services_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **usn_value) +{ + struct sdap_get_services_state *state = + tevent_req_data(req, struct sdap_get_services_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (usn_value) { + *usn_value = talloc_steal(mem_ctx, state->higher_usn); + } + + return EOK; +} + + +/* Enumeration routines */ + +struct enum_services_state { + struct tevent_context *ev; + struct 
sdap_id_ctx *id_ctx; + struct sdap_id_op *op; + struct sss_domain_info *domain; + struct sysdb_ctx *sysdb; + + char *filter; + const char **attrs; +}; + +static void +enum_services_op_done(struct tevent_req *subreq); + +struct tevent_req * +enum_services_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sdap_id_ctx *id_ctx, + struct sdap_id_op *op, + bool purge) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct enum_services_state *state; + + req = tevent_req_create(memctx, &state, struct enum_services_state); + if (!req) return NULL; + + state->ev = ev; + state->id_ctx = id_ctx; + state->domain = id_ctx->be->domain; + state->sysdb = id_ctx->be->domain->sysdb; + state->op = op; + + if (id_ctx->srv_opts && id_ctx->srv_opts->max_service_value && !purge) { + state->filter = talloc_asprintf( + state, + "(&(objectclass=%s)(%s=*)(%s=*)(%s=*)(%s>=%s)(!(%s=%s)))", + id_ctx->opts->service_map[SDAP_OC_SERVICE].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_NAME].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_PORT].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_PROTOCOL].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_USN].name, + id_ctx->srv_opts->max_service_value, + id_ctx->opts->service_map[SDAP_AT_SERVICE_USN].name, + id_ctx->srv_opts->max_service_value); + } else { + state->filter = talloc_asprintf( + state, + "(&(objectclass=%s)(%s=*)(%s=*)(%s=*))", + id_ctx->opts->service_map[SDAP_OC_SERVICE].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_NAME].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_PORT].name, + id_ctx->opts->service_map[SDAP_AT_SERVICE_PROTOCOL].name); + } + if (!state->filter) { + DEBUG(SSSDBG_MINOR_FAILURE, "Failed to build base filter\n"); + ret = ENOMEM; + goto fail; + } + + ret = build_attrs_from_map(state, id_ctx->opts->service_map, + SDAP_OPTS_SERVICES, NULL, + &state->attrs, NULL); + if (ret != EOK) goto fail; + + subreq = sdap_get_services_send(state, state->ev, + state->domain, 
state->sysdb, + state->id_ctx->opts, + state->id_ctx->opts->sdom->service_search_bases, + sdap_id_op_handle(state->op), + state->attrs, state->filter, + dp_opt_get_int(state->id_ctx->opts->basic, + SDAP_SEARCH_TIMEOUT), + true); + if (!subreq) { + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, enum_services_op_done, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void +enum_services_op_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct enum_services_state *state = + tevent_req_data(req, struct enum_services_state); + char *usn_value; + char *endptr = NULL; + unsigned usn_number; + int ret; + + ret = sdap_get_services_recv(state, subreq, &usn_value); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + if (usn_value) { + talloc_zfree(state->id_ctx->srv_opts->max_service_value); + state->id_ctx->srv_opts->max_service_value = + talloc_steal(state->id_ctx, usn_value); + + usn_number = strtoul(usn_value, &endptr, 10); + if ((endptr == NULL || (*endptr == '\0' && endptr != usn_value)) + && (usn_number > state->id_ctx->srv_opts->last_usn)) { + state->id_ctx->srv_opts->last_usn = usn_number; + } + } + + DEBUG(SSSDBG_FUNC_DATA, "Services higher USN value: [%s]\n", + state->id_ctx->srv_opts->max_service_value); + + tevent_req_done(req); +} + +errno_t +enum_services_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ldap/sdap_async_sudo.c b/src/providers/ldap/sdap_async_sudo.c new file mode 100644 index 0000000..5ccfad6 --- /dev/null +++ b/src/providers/ldap/sdap_async_sudo.c 
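Review bot: In sdap_save_services the test that keeps the highest USN, `(strlen(usn_value) > strlen(higher_usn)) || (strcmp(usn_value, higher_usn) > 0)`, lets a shorter value replace a longer one whenever it sorts later as a string, so "9" would displace "10". If USNs are decimal strings, as the strtoul call in enum_services_op_done suggests, strcmp should only break ties between equal lengths: `size_t nl = strlen(usn_value), hl = strlen(higher_usn);` followed by `if (nl > hl || (nl == hl && strcmp(usn_value, higher_usn) > 0)) {`. The winner becomes max_service_value, which enum_services_send formats unescaped into the `(%s>=%s)` clause of the next enumeration filter, so a wrong or unexpected value from the directory changes which entries are fetched; validating it as a number before storing it would cover both. enum_services_op_done also dereferences `srv_opts` without the NULL test that enum_services_send applies to it.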
@@ -0,0 +1,693 @@ +/* + SSSD + + Async LDAP Helper routines for sudo + + Authors: + Pavel Březina + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "providers/backend.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_ops.h" +#include "providers/ldap/sdap_sudo.h" +#include "providers/ldap/sdap_sudo_shared.h" +#include "db/sysdb_sudo.h" + +struct sdap_sudo_load_sudoers_state { + struct sysdb_attrs **rules; + size_t num_rules; +}; + +static void sdap_sudo_load_sudoers_done(struct tevent_req *subreq); + +static struct tevent_req * +sdap_sudo_load_sudoers_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *ldap_filter) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct sdap_sudo_load_sudoers_state *state; + struct sdap_search_base **sb; + int ret; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_sudo_load_sudoers_state); + if (!req) { + return NULL; + } + + state->rules = NULL; + state->num_rules = 0; + + sb = opts->sdom->sudo_search_bases; + if (sb == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "SUDOERS lookup request without a search base\n"); + ret = EINVAL; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_FUNC, "About to fetch sudo rules\n"); + + subreq = sdap_search_bases_send(state, ev, opts, sh, 
sb, + opts->sudorule_map, true, 0, + ldap_filter, NULL); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_sudo_load_sudoers_done, req); + + ret = EOK; + +immediately: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void sdap_sudo_load_sudoers_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_sudo_load_sudoers_state *state; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_load_sudoers_state); + + ret = sdap_search_bases_recv(subreq, state, &state->num_rules, + &state->rules); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "Received %zu sudo rules\n", + state->num_rules); + + tevent_req_done(req); + + return; +} + +static int sdap_sudo_load_sudoers_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *num_rules, + struct sysdb_attrs ***rules) +{ + struct sdap_sudo_load_sudoers_state *state; + + state = tevent_req_data(req, struct sdap_sudo_load_sudoers_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *num_rules = state->num_rules; + *rules = talloc_steal(mem_ctx, state->rules); + + return EOK; +} + +static char *sdap_sudo_build_host_filter(TALLOC_CTX *mem_ctx, + struct sdap_attr_map *map, + char **hostnames, + char **ip_addr, + bool netgroups, + bool regexp) +{ + TALLOC_CTX *tmp_ctx = NULL; + char *filter = NULL; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return NULL; + } + + filter = talloc_strdup(tmp_ctx, "(|"); + if (filter == NULL) { + goto done; + } + + /* sudoHost is not specified and it is a cn=defaults rule */ + filter = talloc_asprintf_append_buffer(filter, "(&(!(%s=*))(%s=defaults))", + map[SDAP_AT_SUDO_HOST].name, + map[SDAP_AT_SUDO_NAME].name); + if (filter == NULL) { + goto 
done; + } + + /* ALL */ + filter = talloc_asprintf_append_buffer(filter, "(%s=ALL)", + map[SDAP_AT_SUDO_HOST].name); + if (filter == NULL) { + goto done; + } + + /* hostnames */ + if (hostnames != NULL) { + for (i = 0; hostnames[i] != NULL; i++) { + filter = talloc_asprintf_append_buffer(filter, "(%s=%s)", + map[SDAP_AT_SUDO_HOST].name, + hostnames[i]); + if (filter == NULL) { + goto done; + } + } + } + + /* ip addresses and networks */ + if (ip_addr != NULL) { + for (i = 0; ip_addr[i] != NULL; i++) { + filter = talloc_asprintf_append_buffer(filter, "(%s=%s)", + map[SDAP_AT_SUDO_HOST].name, + ip_addr[i]); + if (filter == NULL) { + goto done; + } + } + } + + /* sudoHost contains netgroup - will be filtered more by sudo */ + if (netgroups) { + filter = talloc_asprintf_append_buffer(filter, SDAP_SUDO_FILTER_NETGROUP, + map[SDAP_AT_SUDO_HOST].name, + "*"); + if (filter == NULL) { + goto done; + } + } + + /* sudoHost contains regexp - will be filtered more by sudo */ + /* from sudo match.c : + * #define has_meta(s) (strpbrk(s, "\\?*[]") != NULL) + */ + if (regexp) { + filter = talloc_asprintf_append_buffer(filter, + "(|(%s=*\\\\*)(%s=*?*)(%s=*\\2A*)" + "(%s=*[*]*))", + map[SDAP_AT_SUDO_HOST].name, + map[SDAP_AT_SUDO_HOST].name, + map[SDAP_AT_SUDO_HOST].name, + map[SDAP_AT_SUDO_HOST].name); + if (filter == NULL) { + goto done; + } + } + + filter = talloc_strdup_append_buffer(filter, ")"); + if (filter == NULL) { + goto done; + } + + talloc_steal(mem_ctx, filter); + +done: + talloc_free(tmp_ctx); + + return filter; +} + +static char *sdap_sudo_get_filter(TALLOC_CTX *mem_ctx, + struct sdap_attr_map *map, + struct sdap_sudo_ctx *sudo_ctx, + const char *rule_filter) +{ + TALLOC_CTX *tmp_ctx = NULL; + char *host_filter = NULL; + char *filter = NULL; + + if (!sudo_ctx->use_host_filter) { + return talloc_strdup(mem_ctx, rule_filter); + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return NULL; + } + + 
host_filter = sdap_sudo_build_host_filter(tmp_ctx, map, + sudo_ctx->hostnames, + sudo_ctx->ip_addr, + sudo_ctx->include_netgroups, + sudo_ctx->include_regexp); + if (host_filter == NULL) { + goto done; + } + + filter = sdap_combine_filters(tmp_ctx, rule_filter, host_filter); + if (filter == NULL) { + goto done; + } + + talloc_steal(mem_ctx, filter); + +done: + talloc_free(tmp_ctx); + return filter; +} + +struct sdap_sudo_refresh_state { + struct sdap_sudo_ctx *sudo_ctx; + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_id_op *sdap_op; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + + const char *search_filter; + const char *delete_filter; + + int dp_error; + size_t num_rules; +}; + +static errno_t sdap_sudo_refresh_retry(struct tevent_req *req); +static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq); +static void sdap_sudo_refresh_hostinfo_done(struct tevent_req *subreq); +static errno_t sdap_sudo_refresh_sudoers(struct tevent_req *req); +static void sdap_sudo_refresh_done(struct tevent_req *subreq); + +struct tevent_req *sdap_sudo_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx, + const char *search_filter, + const char *delete_filter) +{ + struct tevent_req *req; + struct sdap_sudo_refresh_state *state; + struct sdap_id_ctx *id_ctx = sudo_ctx->id_ctx; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_refresh_state); + if (!req) { + return NULL; + } + + /* if we don't have a search filter, this request is meaningless */ + if (search_filter == NULL) { + ret = EINVAL; + goto immediately; + } + + state->sudo_ctx = sudo_ctx; + state->ev = id_ctx->be->ev; + state->opts = id_ctx->opts; + state->domain = id_ctx->be->domain; + state->sysdb = id_ctx->be->domain->sysdb; + state->dp_error = DP_ERR_FATAL; + + state->sdap_op = sdap_id_op_create(state, id_ctx->conn->conn_cache); + if (!state->sdap_op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create() failed\n"); + ret = ENOMEM; + goto 
immediately; + } + + state->search_filter = talloc_strdup(state, search_filter); + if (state->search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + state->delete_filter = talloc_strdup(state, delete_filter); + if (delete_filter != NULL && state->delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + ret = sdap_sudo_refresh_retry(req); + if (ret == EAGAIN) { + /* asynchronous processing */ + return req; + } + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, id_ctx->be->ev); + + return req; +} + +static errno_t sdap_sudo_refresh_retry(struct tevent_req *req) +{ + struct sdap_sudo_refresh_state *state; + struct tevent_req *subreq; + int ret; + + state = tevent_req_data(req, struct sdap_sudo_refresh_state); + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_id_op_connect_send() failed: " + "%d(%s)\n", ret, strerror(ret)); + return ret; + } + + tevent_req_set_callback(subreq, sdap_sudo_refresh_connect_done, req); + + return EAGAIN; +} + +static void sdap_sudo_refresh_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_sudo_refresh_state *state; + int dp_error; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_refresh_state); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "SUDO LDAP connection failed " + "[%d]: %s\n", ret, strerror(ret)); + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "SUDO LDAP connection successful\n"); + + /* Renew host information if needed. 
*/ + if (state->sudo_ctx->run_hostinfo) { + subreq = sdap_sudo_get_hostinfo_send(state, state->opts, + state->sudo_ctx->id_ctx->be); + if (subreq == NULL) { + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, sdap_sudo_refresh_hostinfo_done, req); + state->sudo_ctx->run_hostinfo = false; + return; + } + + ret = sdap_sudo_refresh_sudoers(req); + if (ret != EAGAIN) { + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + } +} + +static void sdap_sudo_refresh_hostinfo_done(struct tevent_req *subreq) +{ + struct sdap_sudo_ctx *sudo_ctx; + struct sdap_sudo_refresh_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_refresh_state); + + sudo_ctx = state->sudo_ctx; + + ret = sdap_sudo_get_hostinfo_recv(sudo_ctx, subreq, &sudo_ctx->hostnames, + &sudo_ctx->ip_addr); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve host information, " + "host filter will be disabled [%d]: %s\n", + ret, sss_strerror(ret)); + sudo_ctx->use_host_filter = false; + } else { + sudo_ctx->use_host_filter = true; + } + + ret = sdap_sudo_refresh_sudoers(req); + if (ret != EAGAIN) { + state->dp_error = DP_ERR_FATAL; + tevent_req_error(req, ret); + } +} + +static errno_t sdap_sudo_refresh_sudoers(struct tevent_req *req) +{ + struct sdap_sudo_refresh_state *state; + struct tevent_req *subreq; + char *filter; + + state = tevent_req_data(req, struct sdap_sudo_refresh_state); + + /* We are connected. Host information may have changed during transition + * from offline to online state. At this point we can combine search + * and host filter. 
*/ + filter = sdap_sudo_get_filter(state, state->opts->sudorule_map, + state->sudo_ctx, state->search_filter); + if (filter == NULL) { + return ENOMEM; + } + + subreq = sdap_sudo_load_sudoers_send(state, state->ev, + state->opts, + sdap_id_op_handle(state->sdap_op), + filter); + if (subreq == NULL) { + talloc_free(filter); + return ENOMEM; + } + + tevent_req_set_callback(subreq, sdap_sudo_refresh_done, req); + + return EAGAIN; +} + +static errno_t sdap_sudo_qualify_names(struct sss_domain_info *dom, + struct sysdb_attrs **rules, + size_t rules_count) +{ + errno_t ret; + bool qualify; + struct ldb_message_element *el; + char *domain; + char *name; + const char *orig_name; + struct ldb_message_element unique_el; + + for (size_t i = 0; i < rules_count; i++) { + ret = sysdb_attrs_get_el_ext(rules[i], SYSDB_SUDO_CACHE_AT_USER, + false, &el); + if (ret != EOK) { + continue; + } + + unique_el.values = talloc_zero_array(rules, struct ldb_val, el->num_values); + if (unique_el.values == NULL) { + return ENOMEM; + } + unique_el.num_values = 0; + + for (size_t ii = 0; ii < el->num_values; ii++) { + orig_name = (const char *) el->values[ii].data; + + qualify = is_user_or_group_name(orig_name); + if (qualify) { + struct ldb_val fqval; + struct ldb_val *dup; + + ret = sss_parse_name(rules, dom->names, orig_name, + &domain, &name); + if (ret != EOK) { + continue; + } + + if (domain == NULL) { + domain = talloc_strdup(rules, dom->name); + if (domain == NULL) { + talloc_zfree(name); + return ENOMEM; + } + } + + fqval.data = (uint8_t * ) sss_create_internal_fqname(rules, + name, + domain); + talloc_zfree(domain); + talloc_zfree(name); + if (fqval.data == NULL) { + return ENOMEM; + } + fqval.length = strlen((const char *) fqval.data); + + /* Prevent saving duplicates in case the sudo rule contains + * e.g. 
foo and foo@domain + */ + dup = ldb_msg_find_val(&unique_el, &fqval); + if (dup != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Discarding duplicate value %s\n", (const char *) fqval.data); + talloc_free(fqval.data); + continue; + } + unique_el.values[unique_el.num_values].data = talloc_steal(unique_el.values, fqval.data); + unique_el.values[unique_el.num_values].length = fqval.length; + unique_el.num_values++; + } else { + unique_el.values[unique_el.num_values] = ldb_val_dup(unique_el.values, + &el->values[ii]); + unique_el.num_values++; + } + } + + talloc_zfree(el->values); + el->values = unique_el.values; + el->num_values = unique_el.num_values; + } + + return EOK; +} + +static void sdap_sudo_refresh_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_sudo_refresh_state *state; + struct sysdb_attrs **rules = NULL; + size_t rules_count = 0; + char *usn = NULL; + int dp_error; + int ret; + errno_t sret; + bool in_transaction = false; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_refresh_state); + + ret = sdap_sudo_load_sudoers_recv(subreq, state, &rules_count, &rules); + talloc_zfree(subreq); + + ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = sdap_sudo_refresh_retry(req); + if (ret != EOK) { + tevent_req_error(req, ret); + } + return; + } else if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Received %zu rules\n", rules_count); + + /* Save users and groups fully qualified */ + ret = sdap_sudo_qualify_names(state->domain, rules, rules_count); + if (ret != EOK) { + goto done; + } + + /* start transaction */ + ret = sysdb_transaction_start(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + /* purge cache */ + ret = sysdb_sudo_purge(state->domain, state->delete_filter, + rules, 
rules_count); + if (ret != EOK) { + goto done; + } + + /* store rules */ + ret = sysdb_sudo_store(state->domain, rules, rules_count); + if (ret != EOK) { + goto done; + } + + /* commit transaction */ + ret = sysdb_transaction_commit(state->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + DEBUG(SSSDBG_TRACE_FUNC, "Sudoers is successfully stored in cache\n"); + + /* remember new usn */ + ret = sysdb_get_highest_usn(state, rules, rules_count, &usn); + if (ret == EOK) { + sdap_sudo_set_usn(state->sudo_ctx->id_ctx->srv_opts, usn); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to get highest USN [%d]: %s\n", + ret, sss_strerror(ret)); + } + + ret = EOK; + state->num_rules = rules_count; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(state->sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); + } + } + + state->dp_error = dp_error; + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +int sdap_sudo_refresh_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + int *dp_error, + size_t *num_rules) +{ + struct sdap_sudo_refresh_state *state; + + state = tevent_req_data(req, struct sdap_sudo_refresh_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + + if (num_rules != NULL) { + *num_rules = state->num_rules; + } + + return EOK; +} diff --git a/src/providers/ldap/sdap_async_sudo_hostinfo.c b/src/providers/ldap/sdap_async_sudo_hostinfo.c new file mode 100644 index 0000000..42f95df --- /dev/null +++ b/src/providers/ldap/sdap_async_sudo_hostinfo.c 
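Review bot: In `sdap_sudo_refresh_done` the retry branch reports a successfully scheduled retry as a failure. `sdap_sudo_refresh_retry()` returns `EAGAIN` once the connect subrequest is queued, but the branch tests `if (ret != EOK)` and so calls `tevent_req_error(req, EAGAIN)`. The other call sites in this file compare against `EAGAIN`, and this one should too: `if (ret != EAGAIN) { tevent_req_error(req, ret); }`. Separately, `sdap_sudo_build_host_filter` formats `hostnames[i]` and `ip_addr[i]` directly into `(%s=%s)`, and those strings come from configuration, interface detection or the resolver, so a value containing `*`, `(`, `)` or `\` would alter the search filter instead of being matched literally. Passing each value through the project's `sss_filter_sanitize()` before appending it would keep the host filter an exact match.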
@@ -0,0 +1,516 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_id_op.h" +#include "providers/ldap/sdap_sudo.h" +#include "resolv/async_resolv.h" + +static int sdap_sudo_get_ip_addresses(TALLOC_CTX *mem_ctx, char ***_ip_addr); + +struct sdap_sudo_get_hostinfo_state { + char **hostnames; + char **ip_addr; +}; + +struct sdap_sudo_get_hostnames_state { + struct tevent_context *ev; + struct resolv_ctx *resolv_ctx; + enum host_database *host_db; + enum restrict_family family_order; + char **hostnames; +}; + +static void sdap_sudo_get_hostinfo_done(struct tevent_req *req); + +static struct tevent_req *sdap_sudo_get_hostnames_send(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx); + +static void sdap_sudo_get_hostnames_done(struct tevent_req *subreq); + +static int sdap_sudo_get_hostnames_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char ***hostnames); + + +struct tevent_req * sdap_sudo_get_hostinfo_send(TALLOC_CTX *mem_ctx, + struct sdap_options *opts, + struct be_ctx *be_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct sdap_sudo_get_hostinfo_state *state = NULL; + char *conf_hostnames = NULL; + char *conf_ip_addr = NULL; + int 
ret = EOK; + + /* create request */ + req = tevent_req_create(mem_ctx, &state, + struct sdap_sudo_get_hostinfo_state); + if (req == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->hostnames = NULL; + state->ip_addr = NULL; + + /* load info from configuration */ + conf_hostnames = dp_opt_get_string(opts->basic, SDAP_SUDO_HOSTNAMES); + conf_ip_addr = dp_opt_get_string(opts->basic, SDAP_SUDO_IP); + + if (conf_hostnames != NULL) { + ret = split_on_separator(state, conf_hostnames, ' ', true, true, + &state->hostnames, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to parse hostnames [%d]: %s\n", ret, strerror(ret)); + goto done; + } else { + DEBUG(SSSDBG_CONF_SETTINGS, + "Hostnames set to: %s\n", conf_hostnames); + } + } + + if (conf_ip_addr != NULL) { + ret = split_on_separator(state, conf_ip_addr, ' ', true, true, + &state->ip_addr, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to parse IP addresses [%d]: %s\n", + ret, strerror(ret)); + goto done; + } else { + DEBUG(SSSDBG_CONF_SETTINGS, "IP addresses set to: %s\n", + conf_ip_addr); + } + } + + /* if IP addresses are not specified, configure it automatically */ + if (state->ip_addr == NULL) { + ret = sdap_sudo_get_ip_addresses(state, &state->ip_addr); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to detect IP addresses [%d]: %s\n", + ret, strerror(ret)); + } + } + + /* if hostnames are not specified, configure it automatically */ + if (state->hostnames == NULL) { + subreq = sdap_sudo_get_hostnames_send(state, be_ctx); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sdap_sudo_get_hostinfo_done, req); + ret = EAGAIN; + } + +done: + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, be_ctx->ev); + } + + return req; +} + +static void sdap_sudo_get_hostinfo_done(struct tevent_req *subreq) +{ + 
struct tevent_req *req = NULL; + struct sdap_sudo_get_hostinfo_state *state = NULL; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_get_hostinfo_state); + + ret = sdap_sudo_get_hostnames_recv(state, subreq, &state->hostnames); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve hostnames [%d]: %s\n", + ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int sdap_sudo_get_hostinfo_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char ***hostnames, char ***ip_addr) +{ + struct sdap_sudo_get_hostinfo_state *state = NULL; + state = tevent_req_data(req, struct sdap_sudo_get_hostinfo_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *hostnames = talloc_steal(mem_ctx, state->hostnames); + *ip_addr = talloc_steal(mem_ctx, state->ip_addr); + + return EOK; +} + +static int sdap_sudo_get_ip_addresses(TALLOC_CTX *mem_ctx, + char ***_ip_addr_list) +{ + TALLOC_CTX *tmp_ctx = NULL; + char **ip_addr_list = NULL; + struct ifaddrs *ifaces = NULL; + struct ifaddrs *iface = NULL; + struct sockaddr_in ip4_addr; + struct sockaddr_in ip4_network; + struct sockaddr_in6 ip6_addr; + struct sockaddr_in6 ip6_network; + char ip_addr[INET6_ADDRSTRLEN + 1]; + char network_addr[INET6_ADDRSTRLEN + 1]; + in_addr_t ip4_netmask = 0; + uint32_t ip6_netmask = 0; + unsigned int netmask = 0; + void *sinx_addr = NULL; + void *sinx_network = NULL; + int addr_count = 0; + int ret; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + errno = 0; + ret = getifaddrs(&ifaces); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Could not read interfaces [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + for (iface = ifaces; iface != NULL; iface = iface->ifa_next) { + /* Some interfaces don't have an ifa_addr */ + if (!iface->ifa_addr) 
continue; + + netmask = 0; + switch (iface->ifa_addr->sa_family) { + case AF_INET: + memcpy(&ip4_addr, iface->ifa_addr, sizeof(struct sockaddr_in)); + memcpy(&ip4_network, iface->ifa_netmask, sizeof(struct sockaddr_in)); + + if (!check_ipv4_addr(&ip4_addr.sin_addr, + SSS_NO_LOOPBACK|SSS_NO_MULTICAST + |SSS_NO_BROADCAST)) { + continue; + } + + /* get network mask length */ + ip4_netmask = ntohl(ip4_network.sin_addr.s_addr); + while (ip4_netmask) { + netmask++; + ip4_netmask <<= 1; + } + + /* get network address */ + ip4_network.sin_addr.s_addr = ip4_addr.sin_addr.s_addr + & ip4_network.sin_addr.s_addr; + + sinx_addr = &ip4_addr.sin_addr; + sinx_network = &ip4_network.sin_addr; + break; + case AF_INET6: + memcpy(&ip6_addr, iface->ifa_addr, sizeof(struct sockaddr_in6)); + memcpy(&ip6_network, iface->ifa_netmask, sizeof(struct sockaddr_in6)); + + if (!check_ipv6_addr(&ip6_addr.sin6_addr, + SSS_NO_LOOPBACK|SSS_NO_MULTICAST)) { + continue; + } + + /* get network mask length */ + for (i = 0; i < 4; i++) { + ip6_netmask = ntohl(((uint32_t*)(&ip6_network.sin6_addr))[i]); + while (ip6_netmask) { + netmask++; + ip6_netmask <<= 1; + } + } + + /* get network address */ + for (i = 0; i < 4; i++) { + ((uint32_t*)(&ip6_network.sin6_addr))[i] = + ((uint32_t*)(&ip6_addr.sin6_addr))[i] + & ((uint32_t*)(&ip6_network.sin6_addr))[i]; + } + + sinx_addr = &ip6_addr.sin6_addr; + sinx_network = &ip6_network.sin6_addr; + break; + default: + /* skip other families */ + continue; + } + + /* ip address */ + errno = 0; + if (inet_ntop(iface->ifa_addr->sa_family, sinx_addr, + ip_addr, INET6_ADDRSTRLEN) == NULL) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, "inet_ntop() failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + /* network */ + errno = 0; + if (inet_ntop(iface->ifa_addr->sa_family, sinx_network, + network_addr, INET6_ADDRSTRLEN) == NULL) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, "inet_ntop() failed [%d]: %s\n", + ret, strerror(ret)); + goto done; + } + + addr_count += 2; 
+ ip_addr_list = talloc_realloc(tmp_ctx, ip_addr_list, char*, + addr_count + 1); + if (ip_addr_list == NULL) { + ret = ENOMEM; + goto done; + } + + ip_addr_list[addr_count - 2] = talloc_strdup(ip_addr_list, ip_addr); + if (ip_addr_list[addr_count - 2] == NULL) { + ret = ENOMEM; + goto done; + } + + ip_addr_list[addr_count - 1] = talloc_asprintf(ip_addr_list, "%s/%d", + network_addr, netmask); + if (ip_addr_list[addr_count - 1] == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Found IP address: %s in network %s/%d\n", + ip_addr, network_addr, netmask); + } + + if (ip_addr_list) { + ip_addr_list[addr_count] = NULL; + } + *_ip_addr_list = talloc_steal(mem_ctx, ip_addr_list); + +done: + freeifaddrs(ifaces); + talloc_free(tmp_ctx); + + return ret; +} + +/* + * SUDO allows only one hostname that is returned from gethostname() + * (and set to "localhost" if the returned value is empty) + * and then - if allowed - resolves its fqdn using gethostbyname() or + * getaddrinfo() if available. 
+ */ +static struct tevent_req *sdap_sudo_get_hostnames_send(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct sdap_sudo_get_hostnames_state *state = NULL; + char *dot = NULL; + char hostname[HOST_NAME_MAX + 1]; + int ret; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_sudo_get_hostnames_state); + if (req == NULL) { + return NULL; + } + + state->ev = be_ctx->ev; + state->hostnames = NULL; + + /* hostname, fqdn and NULL */ + state->hostnames = talloc_zero_array(state, char*, 3); + if (state->hostnames == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + /* get hostname */ + + errno = 0; + ret = gethostname(hostname, HOST_NAME_MAX); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve machine hostname " + "[%d]: %s\n", ret, strerror(ret)); + goto done; + } + hostname[HOST_NAME_MAX] = '\0'; + + state->hostnames[0] = talloc_strdup(state->hostnames, hostname); + if (state->hostnames[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + ret = ENOMEM; + goto done; + } + + dot = strchr(hostname, '.'); + if (dot != NULL) { + /* already a fqdn, determine hostname and finish */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Found fqdn: %s\n", hostname); + + *dot = '\0'; + DEBUG(SSSDBG_TRACE_INTERNAL, "Found hostname: %s\n", hostname); + + state->hostnames[1] = talloc_strdup(state->hostnames, hostname); + if (state->hostnames[1] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + ret = ENOMEM; + goto done; + } + + ret = EOK; + goto done; + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, "Found hostname: %s\n", hostname); + } + + state->resolv_ctx = be_ctx->be_res->resolv; + state->host_db = default_host_dbs; + + /* get fqdn */ + subreq = resolv_gethostbyname_send(state, state->ev, state->resolv_ctx, + hostname, be_ctx->be_res->family_order, + state->host_db); + if (subreq == NULL) { + 
ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sdap_sudo_get_hostnames_done, req); + + ret = EAGAIN; + +done: + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, be_ctx->ev); + } + + return req; +} + +static void sdap_sudo_get_hostnames_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + struct sdap_sudo_get_hostnames_state *state = NULL; + struct resolv_hostent *rhostent = NULL; + int resolv_status; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_get_hostnames_state); + + ret = resolv_gethostbyname_recv(subreq, state, &resolv_status, NULL, + &rhostent); + talloc_zfree(subreq); + if (ret == ENOENT) { + /* Empty result, just quit */ + DEBUG(SSSDBG_TRACE_INTERNAL, "No hostent found\n"); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not resolve fqdn for this machine, error [%d]: %s, " + "resolver returned: [%d]: %s\n", ret, strerror(ret), + resolv_status, resolv_strerror(resolv_status)); + tevent_req_error(req, ret); + return; + } + + /* EOK */ + + DEBUG(SSSDBG_TRACE_INTERNAL, "Found fqdn: %s\n", rhostent->name); + + if (state->hostnames == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "state->hostnames is NULL\n"); + ret = EINVAL; + goto done; + } + + state->hostnames[1] = talloc_strdup(state->hostnames, rhostent->name); + if (state->hostnames[1] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} + +static int sdap_sudo_get_hostnames_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char ***hostnames) +{ + struct sdap_sudo_get_hostnames_state *state = NULL; + + state = tevent_req_data(req, struct sdap_sudo_get_hostnames_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *hostnames = 
talloc_steal(mem_ctx, state->hostnames); + + return EOK; +} diff --git a/src/providers/ldap/sdap_async_users.c b/src/providers/ldap/sdap_async_users.c new file mode 100644 index 0000000..5ffba77 --- /dev/null +++ b/src/providers/ldap/sdap_async_users.c 
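Review bot: `sdap_sudo_get_ip_addresses` skips interfaces whose `ifa_addr` is NULL but then copies from `iface->ifa_netmask` unconditionally in both the `AF_INET` and `AF_INET6` cases. getifaddrs() does not guarantee a netmask for every entry, so the guard should be `if (!iface->ifa_addr || !iface->ifa_netmask) continue;`. In `sdap_sudo_get_hostnames_done` the `ENOENT` branch is commented "Empty result, just quit" yet jumps to `done` with `ret` still `ENOENT`, which fails the request. The caller in sdap_async_sudo.c then sets `use_host_filter = false`, so a failed FQDN lookup makes the refresh fetch sudo rules for every host and discards the already detected short hostname and IP list. If the short hostname alone is meant to be sufficient, set `ret = EOK;` before that `goto done;`.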
@@ -0,0 +1,1208 @@ +/* + SSSD + + Async LDAP Helper routines - retrieving users + + Copyright (C) Simo Sorce - 2009 + Copyright (C) 2010, Ralf Haferkamp , Novell Inc. + Copyright (C) Jan Zeleny - 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "util/probes.h" +#include "db/sysdb.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ldap/sdap_users.h" + +#define REALM_SEPARATOR '@' + +static void make_realm_upper_case(const char *upn) +{ + char *c; + + c = strchr(upn, REALM_SEPARATOR); + if (c == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No realm delimiter found in upn [%s].\n", upn); + return; + } + + while(*(++c) != '\0') { + c[0] = toupper(*c); + } + + return; +} + +/* ==Save-User-Entry====================================================== */ + +static errno_t +sdap_get_idmap_primary_gid(struct sdap_options *opts, + struct sysdb_attrs *attrs, + char *sid_str, + char *dom_sid_str, + gid_t *_gid) +{ + errno_t ret; + TALLOC_CTX *tmpctx = NULL; + gid_t gid, primary_gid; + char *group_sid_str; + + tmpctx = talloc_new(NULL); + if (!tmpctx) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_uint32_t(attrs, + opts->user_map[SDAP_AT_USER_PRIMARY_GROUP].sys_name, + &primary_gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "no primary group ID provided\n"); + ret = 
EINVAL; + goto done; + } + + /* The primary group ID is just the RID part of the objectSID + * of the group. Generate the GID by adding this to the domain + * SID value. + */ + + /* First, get the domain SID if we didn't do so above */ + if (!dom_sid_str) { + ret = sdap_idmap_get_dom_sid_from_object(tmpctx, sid_str, + &dom_sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not parse domain SID from [%s]\n", sid_str); + goto done; + } + } + + /* Add the RID to the end */ + group_sid_str = talloc_asprintf(tmpctx, "%s-%lu", dom_sid_str, + (unsigned long) primary_gid); + if (!group_sid_str) { + ret = ENOMEM; + goto done; + } + + /* Convert the SID into a UNIX group ID */ + ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, group_sid_str, &gid); + if (ret != EOK) goto done; + + ret = EOK; + *_gid = gid; +done: + talloc_free(tmpctx); + return ret; +} + +static errno_t sdap_set_non_posix_flag(struct sysdb_attrs *attrs, + const char *pkey) +{ + errno_t ret; + + ret = sysdb_attrs_add_uint32(attrs, pkey, 0); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add a zero ID to a non-POSIX object!\n"); + return ret; + } + + ret = sysdb_attrs_add_bool(attrs, SYSDB_POSIX, false); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Error: Failed to mark objects as non-POSIX!\n"); + return ret; + } + + return EOK; +} + +static int sdap_user_set_mpg(struct sysdb_attrs *user_attrs, + gid_t *_gid) +{ + errno_t ret; + + if (_gid == NULL) { + return EINVAL; + } + + if (*_gid == 0) { + /* The original entry had no GID number. 
This is OK, we just won't add + * the SYSDB_PRIMARY_GROUP_GIDNUM attribute + */ + return EOK; + } + + ret = sysdb_attrs_add_uint32(user_attrs, + SYSDB_PRIMARY_GROUP_GIDNUM, + (uint32_t) *_gid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_uint32 failed.\n"); + return ret; + } + + /* We won't really store gidNumber=0, but the zero value tells + * the sysdb layer that no GID is set, which sysdb requires for + * MPG-enabled domains + */ + *_gid = 0; + return EOK; +} + +/* FIXME: support storing additional attributes */ +int sdap_save_user(TALLOC_CTX *memctx, + struct sdap_options *opts, + struct sss_domain_info *dom, + struct sysdb_attrs *attrs, + struct sysdb_attrs *mapped_attrs, + char **_usn_value, + time_t now) +{ + struct ldb_message_element *el; + int ret; + const char *user_name = NULL; + const char *fullname = NULL; + const char *pwd; + const char *gecos; + const char *homedir; + const char *shell; + const char *orig_dn = NULL; + uid_t uid = 0; + gid_t gid = 0; + struct sysdb_attrs *user_attrs; + char *upn = NULL; + size_t i; + int cache_timeout; + char *usn_value = NULL; + char **missing = NULL; + TALLOC_CTX *tmpctx = NULL; + bool use_id_mapping; + char *sid_str; + char *dom_sid_str = NULL; + struct sss_domain_info *subdomain; + size_t c; + char *p1; + char *p2; + bool is_posix = true; + + DEBUG(SSSDBG_TRACE_FUNC, "Save user\n"); + + tmpctx = talloc_new(NULL); + if (!tmpctx) { + ret = ENOMEM; + goto done; + } + + user_attrs = sysdb_new_attrs(tmpctx); + if (user_attrs == NULL) { + ret = ENOMEM; + goto done; + } + + /* Always store SID string if available */ + ret = sdap_attrs_get_sid_str(tmpctx, opts->idmap_ctx, attrs, + opts->user_map[SDAP_AT_USER_OBJECTSID].sys_name, + &sid_str); + if (ret == EOK) { + ret = sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR, sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not add SID string: [%s]\n", + sss_strerror(ret)); + goto done; + } + } else if (ret == ENOENT) { + 
DEBUG(SSSDBG_TRACE_ALL, "objectSID: not available for user\n"); + sid_str = NULL; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not identify objectSID: [%s]\n", + sss_strerror(ret)); + sid_str = NULL; + } + + /* Always store UUID if available */ + ret = sysdb_handle_original_uuid(opts->user_map[SDAP_AT_USER_UUID].def_name, + attrs, + opts->user_map[SDAP_AT_USER_UUID].sys_name, + user_attrs, SYSDB_UUID); + if (ret != EOK) { + DEBUG((ret == ENOENT) ? SSSDBG_TRACE_ALL : SSSDBG_MINOR_FAILURE, + "Failed to retrieve UUID [%d][%s].\n", ret, sss_strerror(ret)); + } + + /* If this object has a SID available, we will determine the correct + * domain by its SID. */ + if (sid_str != NULL) { + subdomain = find_domain_by_sid(get_domains_head(dom), sid_str); + if (subdomain) { + dom = subdomain; + } else { + DEBUG(SSSDBG_TRACE_FUNC, "SID %s does not belong to any known " + "domain\n", sid_str); + } + } + + ret = sdap_get_user_primary_name(memctx, opts, attrs, dom, &user_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get user name\n"); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, "Processing user %s\n", user_name); + + if (opts->schema_type == SDAP_SCHEMA_AD) { + ret = sysdb_attrs_get_string(attrs, + opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &fullname); + if (ret == EOK) { + ret = sysdb_attrs_add_string(user_attrs, SYSDB_FULLNAME, fullname); + if (ret != EOK) { + goto done; + } + } else if (ret != ENOENT) { + goto done; + } + } + + ret = sysdb_attrs_get_el(attrs, + opts->user_map[SDAP_AT_USER_PWD].sys_name, &el); + if (ret) goto done; + if (el->num_values == 0) pwd = NULL; + else pwd = (const char *)el->values[0].data; + + ret = sysdb_attrs_get_el(attrs, + opts->user_map[SDAP_AT_USER_GECOS].sys_name, &el); + if (ret) goto done; + if (el->num_values == 0) gecos = NULL; + else gecos = (const char *)el->values[0].data; + + if (!gecos) { + /* Fall back to the user's full name */ + ret = sysdb_attrs_get_el( + attrs, + 
opts->user_map[SDAP_AT_USER_FULLNAME].sys_name, &el); + if (ret) goto done; + if (el->num_values > 0) gecos = (const char *)el->values[0].data; + } + + ret = sysdb_attrs_get_el(attrs, + opts->user_map[SDAP_AT_USER_HOME].sys_name, &el); + if (ret) goto done; + if (el->num_values == 0) homedir = NULL; + else homedir = (const char *)el->values[0].data; + + ret = sysdb_attrs_get_el(attrs, + opts->user_map[SDAP_AT_USER_SHELL].sys_name, &el); + if (ret) goto done; + if (el->num_values == 0) shell = NULL; + else shell = (const char *)el->values[0].data; + + use_id_mapping = sdap_idmap_domain_has_algorithmic_mapping(opts->idmap_ctx, + dom->name, + sid_str); + + /* Retrieve or map the UID as appropriate */ + if (use_id_mapping) { + + if (sid_str == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "SID not available, cannot map a " \ + "unix ID to user [%s].\n", user_name); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Mapping user [%s] objectSID [%s] to unix ID\n", user_name, sid_str); + + /* Convert the SID into a UNIX user ID */ + ret = sdap_idmap_sid_to_unix(opts->idmap_ctx, sid_str, &uid); + if (ret == ENOTSUP) { + DEBUG(SSSDBG_TRACE_FUNC, "Skipping built-in object.\n"); + ret = EOK; + goto done; + } else if (ret != EOK) { + goto done; + } + + /* Store the UID in the ldap_attrs so it doesn't get + * treated as a missing attribute from LDAP and removed. 
+ */ + ret = sdap_replace_id(attrs, SYSDB_UIDNUM, uid); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n"); + goto done; + } + } else { + ret = sysdb_attrs_get_uint32_t(attrs, + opts->user_map[SDAP_AT_USER_UID].sys_name, + &uid); + if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Marking object as non-POSIX and setting ID=0!\n"); + ret = sdap_set_non_posix_flag(user_attrs, + opts->user_map[SDAP_AT_USER_UID].sys_name); + if (ret != EOK) { + goto done; + } + is_posix = false; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot retrieve UID for [%s] in domain [%s].\n", + user_name, dom->name); + ret = ERR_NO_POSIX; + goto done; + } + } + + /* check that the uid is valid for this domain if the user is a POSIX one */ + if (is_posix == true && OUT_OF_ID_RANGE(uid, dom->id_min, dom->id_max)) { + DEBUG(SSSDBG_OP_FAILURE, + "User [%s] filtered out! (uid out of range)\n", + user_name); + ret = EINVAL; + goto done; + } + + if (use_id_mapping) { + ret = sdap_get_idmap_primary_gid(opts, attrs, sid_str, dom_sid_str, + &gid); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot get the GID for [%s] in domain [%s].\n", + user_name, dom->name); + goto done; + } + + if (IS_SUBDOMAIN(dom) || dom->mpg == true) { + /* For subdomain users, only create the private group as + * the subdomain is an MPG domain. + * But we have to save the GID of the original primary group + * because otherwise this information might be lost because + * typically (UNIX and AD) the user is not listed in his primary + * group as a member. + */ + ret = sdap_user_set_mpg(user_attrs, &gid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_user_set_mpg failed [%d]: %s\n", ret, + sss_strerror(ret)); + goto done; + } + } + + /* Store the GID in the ldap_attrs so it doesn't get + * treated as a missing attribute from LDAP and removed. 
+ */ + ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); + if (ret != EOK) goto done; + } else if (dom->mpg) { + /* Likewise, if a domain is set to contain 'magic private groups', do + * not process the real GID, but save it in the cache as originalGID + * (if available) + */ + ret = sysdb_attrs_get_uint32_t(attrs, + opts->user_map[SDAP_AT_USER_GID].sys_name, + &gid); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_LIBS, + "Missing GID, won't save the %s attribute\n", + SYSDB_PRIMARY_GROUP_GIDNUM); + + /* Store the UID as GID (since we're in a MPG domain so that it doesn't + * get treated as a missing attribute and removed + */ + ret = sdap_replace_id(attrs, SYSDB_GIDNUM, uid); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot set the id-mapped UID\n"); + goto done; + } + gid = 0; + } else if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot retrieve GID, won't save the %s attribute\n", + SYSDB_PRIMARY_GROUP_GIDNUM); + gid = 0; + } + + ret = sdap_user_set_mpg(user_attrs, &gid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_user_set_mpg failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + } else { + ret = sysdb_attrs_get_uint32_t(attrs, + opts->user_map[SDAP_AT_USER_GID].sys_name, + &gid); + if (ret == ENOENT && dom->type == DOM_TYPE_APPLICATION) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Marking object as non-POSIX and setting ID=0!\n"); + ret = sdap_set_non_posix_flag(attrs, + opts->user_map[SDAP_AT_USER_GID].sys_name); + if (ret != EOK) { + goto done; + } + is_posix = false; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot retrieve GID for [%s] in domain [%s].\n", + user_name, dom->name); + ret = ERR_NO_POSIX; + goto done; + } + } + + /* check that the gid is valid for this domain */ + if (is_posix == true && IS_SUBDOMAIN(dom) == false + && dom->mpg == false + && OUT_OF_ID_RANGE(gid, dom->id_min, dom->id_max)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "User [%s] filtered out! 
(primary gid out of range)\n", + user_name); + ret = EINVAL; + goto done; + } + + ret = sysdb_attrs_get_el(attrs, SYSDB_ORIG_DN, &el); + if (ret) { + goto done; + } + if (!el || el->num_values == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "originalDN is not available for [%s].\n", user_name); + } else { + orig_dn = (const char *) el->values[0].data; + DEBUG(SSSDBG_TRACE_INTERNAL, "Adding originalDN [%s] to attributes " + "of [%s].\n", orig_dn, user_name); + + ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_DN, orig_dn); + if (ret) { + goto done; + } + } + + ret = sysdb_attrs_get_el(attrs, SYSDB_MEMBEROF, &el); + if (ret) { + goto done; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Original memberOf is not available for [%s].\n", user_name); + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Adding original memberOf attributes to [%s].\n", user_name); + for (i = 0; i < el->num_values; i++) { + ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, + (const char *) el->values[i].data); + if (ret) { + goto done; + } + } + } + + ret = sdap_attrs_add_string(attrs, + opts->user_map[SDAP_AT_USER_MODSTAMP].sys_name, + "original mod-Timestamp", + user_name, user_attrs); + if (ret != EOK) { + goto done; + } + + ret = sysdb_attrs_get_el(attrs, + opts->user_map[SDAP_AT_USER_USN].sys_name, &el); + if (ret) { + goto done; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Original USN value is not available for [%s].\n", user_name); + } else { + ret = sysdb_attrs_add_string(user_attrs, + opts->user_map[SDAP_AT_USER_USN].sys_name, + (const char*)el->values[0].data); + if (ret) { + goto done; + } + usn_value = talloc_strdup(tmpctx, (const char*)el->values[0].data); + if (!usn_value) { + ret = ENOMEM; + goto done; + } + } + + ret = sysdb_attrs_get_el(attrs, + opts->user_map[SDAP_AT_USER_PRINC].sys_name, &el); + if (ret) { + goto done; + } + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "User principal is not available for [%s].\n", user_name); + } 
else { + for (c = 0; c < el->num_values; c++) { + upn = talloc_strdup(tmpctx, (const char*) el->values[c].data); + if (!upn) { + ret = ENOMEM; + goto done; + } + + /* Check for IPA Kerberos enterprise principal strings + * 'user\@my.realm@IPA.REALM' and use 'user@my.realm' */ + if ( (p1 = strchr(upn,'\\')) != NULL + && *(p1 + 1) == '@' + && (p2 = strchr(p1 + 2, '@')) != NULL) { + *p1 = '\0'; + *p2 = '\0'; + upn = talloc_asprintf(tmpctx, "%s%s", upn, p1 + 1); + if (upn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (dp_opt_get_bool(opts->basic, SDAP_FORCE_UPPER_CASE_REALM)) { + make_realm_upper_case(upn); + } + DEBUG(SSSDBG_TRACE_FUNC, + "Adding user principal [%s] to attributes of [%s].\n", + upn, user_name); + ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, upn); + if (ret) { + goto done; + } + } + } + + for (i = SDAP_FIRST_EXTRA_USER_AT; i < opts->user_map_cnt; i++) { + ret = sdap_attrs_add_list(attrs, opts->user_map[i].sys_name, + NULL, user_name, user_attrs); + if (ret) { + goto done; + } + } + + cache_timeout = dom->user_timeout; + + ret = sdap_save_all_names(user_name, attrs, dom, + SYSDB_MEMBER_USER, user_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to save user names\n"); + goto done; + } + + /* Make sure that any attributes we requested from LDAP that we + * did not receive are also removed from the sysdb + */ + ret = list_missing_attrs(user_attrs, opts->user_map, opts->user_map_cnt, + attrs, &missing); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Storing info for user %s\n", user_name); + + ret = sysdb_store_user(dom, user_name, pwd, uid, gid, + gecos, homedir, shell, orig_dn, + user_attrs, missing, cache_timeout, now); + if (ret) goto done; + + if (mapped_attrs != NULL) { + ret = sysdb_set_user_attr(dom, user_name, mapped_attrs, SYSDB_MOD_ADD); + if (ret) return ret; + } + + if (_usn_value) { + *_usn_value = talloc_steal(memctx, usn_value); + } 
+ + talloc_steal(memctx, user_attrs); + ret = EOK; + +done: + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to save user [%s]\n", + user_name ? user_name : "Unknown"); + } + talloc_free(tmpctx); + return ret; +} + + +/* ==Generic-Function-to-save-multiple-users============================= */ + +int sdap_save_users(TALLOC_CTX *memctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sysdb_attrs **users, + int num_users, + struct sysdb_attrs *mapped_attrs, + char **_usn_value) +{ + TALLOC_CTX *tmpctx; + char *higher_usn = NULL; + char *usn_value; + int ret; + errno_t sret; + int i; + time_t now; + bool in_transaction = false; + + if (num_users == 0) { + /* Nothing to do if there are no users */ + return EOK; + } + + tmpctx = talloc_new(memctx); + if (!tmpctx) { + return ENOMEM; + } + + ret = sysdb_transaction_start(sysdb); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + if (mapped_attrs != NULL) { + ret = sysdb_remove_mapped_data(dom, mapped_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_remove_mapped_data failed, " + "some cached entries might contain invalid mapping data.\n"); + } + } + + now = time(NULL); + for (i = 0; i < num_users; i++) { + usn_value = NULL; + + ret = sdap_save_user(tmpctx, opts, dom, users[i], mapped_attrs, + &usn_value, now); + + /* Do not fail completely on errors. + * Just report the failure to save and go on */ + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %d. 
Ignoring.\n", i); + } else { + DEBUG(SSSDBG_TRACE_ALL, "User %d processed!\n", i); + } + + if (usn_value) { + if (higher_usn) { + if ((strlen(usn_value) > strlen(higher_usn)) || + (strcmp(usn_value, higher_usn) > 0)) { + talloc_zfree(higher_usn); + higher_usn = usn_value; + } else { + talloc_zfree(usn_value); + } + } else { + higher_usn = usn_value; + } + } + } + + ret = sysdb_transaction_commit(sysdb); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction!\n"); + goto done; + } + in_transaction = false; + + if (_usn_value) { + *_usn_value = talloc_steal(memctx, higher_usn); + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + talloc_zfree(tmpctx); + return ret; +} + + +/* ==Search-Users-with-filter============================================= */ + +struct sdap_search_user_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + struct sss_domain_info *dom; + + const char **attrs; + const char *base_filter; + const char *filter; + int timeout; + enum sdap_entry_lookup_type lookup_type; + + char *higher_usn; + struct sysdb_attrs **users; + size_t count; + + size_t base_iter; + struct sdap_search_base **search_bases; +}; + +static errno_t sdap_search_user_next_base(struct tevent_req *req); +static void sdap_search_user_copy_batch(struct sdap_search_user_state *state, + struct sysdb_attrs **users, + size_t count); +static void sdap_search_user_process(struct tevent_req *subreq); + +struct tevent_req *sdap_search_user_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + enum sdap_entry_lookup_type lookup_type) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_search_user_state *state; + + req = 
tevent_req_create(memctx, &state, struct sdap_search_user_state); + if (req == NULL) return NULL; + + state->ev = ev; + state->opts = opts; + state->dom = dom; + state->sh = sh; + state->attrs = attrs; + state->higher_usn = NULL; + state->users = NULL; + state->count = 0; + state->timeout = timeout; + state->base_filter = filter; + state->base_iter = 0; + state->search_bases = search_bases; + state->lookup_type = lookup_type; + + if (!state->search_bases) { + DEBUG(SSSDBG_CRIT_FAILURE, + "User lookup request without a search base\n"); + ret = EINVAL; + goto done; + } + + ret = sdap_search_user_next_base(req); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, state->ev); + } + + return req; +} + +static errno_t sdap_search_user_next_base(struct tevent_req *req) +{ + struct tevent_req *subreq; + struct sdap_search_user_state *state; + bool need_paging = false; + int sizelimit = 0; + + state = tevent_req_data(req, struct sdap_search_user_state); + + talloc_zfree(state->filter); + state->filter = sdap_combine_filters(state, state->base_filter, + state->search_bases[state->base_iter]->filter); + if (state->filter == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Searching for users with base [%s]\n", + state->search_bases[state->base_iter]->basedn); + + switch (state->lookup_type) { + case SDAP_LOOKUP_SINGLE: + break; + /* Only requests that can return multiple entries should require + * the paging control + */ + case SDAP_LOOKUP_WILDCARD: + sizelimit = dp_opt_get_int(state->opts->basic, SDAP_WILDCARD_LIMIT); + need_paging = true; + break; + case SDAP_LOOKUP_ENUMERATE: + need_paging = true; + break; + } + + subreq = sdap_get_and_parse_generic_send( + state, state->ev, state->opts, state->sh, + state->search_bases[state->base_iter]->basedn, + state->search_bases[state->base_iter]->scope, + state->filter, state->attrs, + state->opts->user_map, state->opts->user_map_cnt, + 0, NULL, NULL, sizelimit, state->timeout, + 
need_paging); + if (subreq == NULL) { + return ENOMEM; + } + tevent_req_set_callback(subreq, sdap_search_user_process, req); + + return EOK; +} + +static void sdap_search_user_process(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_search_user_state *state = tevent_req_data(req, + struct sdap_search_user_state); + int ret; + size_t count; + struct sysdb_attrs **users; + bool next_base = false; + + ret = sdap_get_and_parse_generic_recv(subreq, state, + &count, &users); + talloc_zfree(subreq); + if (ret) { + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Search for users, returned %zu results.\n", count); + + if (state->lookup_type == SDAP_LOOKUP_WILDCARD || \ + state->lookup_type == SDAP_LOOKUP_ENUMERATE || \ + count == 0) { + /* No users found in this search or looking up multiple entries */ + next_base = true; + } + + /* Add this batch of users to the list */ + if (count > 0) { + state->users = + talloc_realloc(state, + state->users, + struct sysdb_attrs *, + state->count + count + 1); + if (!state->users) { + tevent_req_error(req, ENOMEM); + return; + } + + sdap_search_user_copy_batch(state, users, count); + } + + if (next_base) { + state->base_iter++; + if (state->search_bases[state->base_iter]) { + /* There are more search bases to try */ + ret = sdap_search_user_next_base(req); + if (ret != EOK) { + tevent_req_error(req, ret); + } + return; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Retrieved total %zu users\n", state->count); + + /* No more search bases + * Return ENOENT if no users were found + */ + if (state->count == 0) { + tevent_req_error(req, ENOENT); + return; + } + + tevent_req_done(req); +} + +static void sdap_search_user_copy_batch(struct sdap_search_user_state *state, + struct sysdb_attrs **users, + size_t count) +{ + size_t copied; + bool filter; + + /* Always copy all objects for wildcard lookups. 
*/ + filter = state->lookup_type == SDAP_LOOKUP_SINGLE ? true : false; + + copied = sdap_steal_objects_in_dom(state->opts, + state->users, + state->count, + state->dom, + users, count, filter); + + state->count += copied; + state->users[state->count] = NULL; +} + +int sdap_search_user_recv(TALLOC_CTX *memctx, struct tevent_req *req, + char **higher_usn, struct sysdb_attrs ***users, + size_t *count) +{ + struct sdap_search_user_state *state = tevent_req_data(req, + struct sdap_search_user_state); + + if (higher_usn) { + *higher_usn = talloc_steal(memctx, state->higher_usn); + } + + if (users) { + *users = talloc_steal(memctx, state->users); + } + + if (count) { + *count = state->count; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +/* ==Search-And-Save-Users-with-filter============================================= */ +struct sdap_get_users_state { + struct sysdb_ctx *sysdb; + struct sdap_options *opts; + struct sss_domain_info *dom; + const char *filter; + + char *higher_usn; + struct sysdb_attrs **users; + struct sysdb_attrs *mapped_attrs; + size_t count; +}; + +static void sdap_get_users_done(struct tevent_req *subreq); + +struct tevent_req *sdap_get_users_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_options *opts, + struct sdap_search_base **search_bases, + struct sdap_handle *sh, + const char **attrs, + const char *filter, + int timeout, + enum sdap_entry_lookup_type lookup_type, + struct sysdb_attrs *mapped_attrs) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct sdap_get_users_state *state; + + req = tevent_req_create(memctx, &state, struct sdap_get_users_state); + if (!req) return NULL; + + state->sysdb = sysdb; + state->opts = opts; + state->dom = dom; + + state->filter = filter; + PROBE(SDAP_SEARCH_USER_SEND, state->filter); + + if (mapped_attrs == NULL) { + state->mapped_attrs = NULL; + } else { + state->mapped_attrs = 
sysdb_new_attrs(state); + if (state->mapped_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_copy(mapped_attrs, state->mapped_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_copy failed.\n"); + goto done; + } + } + + subreq = sdap_search_user_send(state, ev, dom, opts, search_bases, + sh, attrs, filter, timeout, lookup_type); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, sdap_get_users_done, req); + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void sdap_get_users_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_users_state *state = tevent_req_data(req, + struct sdap_get_users_state); + int ret; + + ret = sdap_search_user_recv(state, subreq, &state->higher_usn, + &state->users, &state->count); + if (ret) { + if (ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to retrieve users [%d][%s].\n", + ret, sss_strerror(ret)); + } + tevent_req_error(req, ret); + return; + } + + PROBE(SDAP_SEARCH_USER_SAVE_BEGIN, state->filter); + + ret = sdap_save_users(state, state->sysdb, + state->dom, state->opts, + state->users, state->count, + state->mapped_attrs, + &state->higher_usn); + PROBE(SDAP_SEARCH_USER_SAVE_END, state->filter); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to store users [%d][%s].\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_ALL, "Saving %zu Users - Done\n", state->count); + + tevent_req_done(req); +} + +int sdap_get_users_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, char **usn_value) +{ + struct sdap_get_users_state *state = tevent_req_data(req, + struct sdap_get_users_state); + + PROBE(SDAP_SEARCH_USER_RECV, state->filter); + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (usn_value) { + 
*usn_value = talloc_steal(mem_ctx, state->higher_usn); + } + + return EOK; +} + +/* ==Fetch-Fallback-local-user============================================ */ + +errno_t sdap_fallback_local_user(TALLOC_CTX *memctx, + const char *name, uid_t uid, + struct sysdb_attrs ***reply) +{ + struct sysdb_attrs **ua; + struct sysdb_attrs *user; + struct passwd *pwd; + int ret; + + if (name) { + pwd = getpwnam(name); + } else { + pwd = getpwuid(uid); + } + + if (!pwd) { + return errno ? errno : ENOENT; + } + + ua = talloc_array(memctx, struct sysdb_attrs *, 2); + if (!ua) { + ret = ENOMEM; + goto done; + } + ua[1] = NULL; + + user = sysdb_new_attrs(ua); + if (!user) { + ret = ENOMEM; + goto done; + } + ua[0] = user; + + ret = sysdb_attrs_add_string(user, SYSDB_NAME, pwd->pw_name); + if (ret != EOK) { + goto done; + } + + if (pwd->pw_passwd) { + ret = sysdb_attrs_add_string(user, SYSDB_PWD, pwd->pw_passwd); + if (ret != EOK) { + goto done; + } + } + + ret = sysdb_attrs_add_long(user, SYSDB_UIDNUM, (long)pwd->pw_uid); + if (ret != EOK) { + goto done; + } + + ret = sysdb_attrs_add_long(user, SYSDB_GIDNUM, (long)pwd->pw_gid); + if (ret != EOK) { + goto done; + } + + if (pwd->pw_gecos) { + ret = sysdb_attrs_add_string(user, SYSDB_GECOS, pwd->pw_gecos); + if (ret != EOK) { + goto done; + } + } + + if (pwd->pw_dir) { + ret = sysdb_attrs_add_string(user, SYSDB_HOMEDIR, pwd->pw_dir); + if (ret != EOK) { + goto done; + } + } + + if (pwd->pw_shell) { + ret = sysdb_attrs_add_string(user, SYSDB_SHELL, pwd->pw_shell); + if (ret != EOK) { + goto done; + } + } + +done: + if (ret != EOK) { + talloc_free(ua); + } else { + *reply = ua; + } + + return ret; +} diff --git a/src/providers/ldap/sdap_autofs.c b/src/providers/ldap/sdap_autofs.c new file mode 100644 index 0000000..c02c04d --- /dev/null +++ b/src/providers/ldap/sdap_autofs.c 
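Review bot: In sdap_save_user, the `if (ret) return ret;` after sysdb_set_user_attr() returns without passing through the `done:` label, so `tmpctx` is leaked on that path and the "Failed to save user" message is skipped. `tmpctx` was created with `talloc_new(NULL)` and has no parent to free it, so the line should read `if (ret) goto done;` like the other failure paths in the function. Because sdap_save_users logs a per-user failure and carries on, one such context is left behind in the long-running provider for each user that fails at this step. Separately, the highest-USN selection in sdap_save_users uses `(strlen(usn_value) > strlen(higher_usn)) || (strcmp(usn_value, higher_usn) > 0)`, which lets a shorter value replace a longer one (constructed example: "99" arriving after "100"). If the values are decimal strings, as the length comparison suggests, the second operand should be `(strlen(usn_value) == strlen(higher_usn) && strcmp(usn_value, higher_usn) > 0)`.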
@@ -0,0 +1,321 @@ +/* + SSSD + + LDAP handler for autofs + + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_autofs.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_async.h" +#include "providers/backend.h" +#include "providers/data_provider.h" +#include "db/sysdb_autofs.h" +#include "util/util.h" + +struct autofs_get_map_state { + struct tevent_context *ev; + struct sdap_id_ctx *ctx; + struct sdap_id_op *op; + const char *map_name; + + int dp_error; +}; + +static errno_t +sdap_autofs_get_map_retry(struct tevent_req *req); +static void +sdap_autofs_get_map_connect_done(struct tevent_req *subreq); +static void +sdap_autofs_get_map_done(struct tevent_req *req); + +static struct tevent_req * +sdap_autofs_get_map_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *ctx, + const char *map_name) +{ + struct tevent_req *req; + struct autofs_get_map_state *state; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct autofs_get_map_state); + if (!req) return NULL; + + state->ev = ev; + state->ctx = ctx; + state->dp_error = DP_ERR_FATAL; + state->map_name = map_name; + + state->op = sdap_id_op_create(state, state->ctx->conn->conn_cache); + if (!state->op) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = 
ENOMEM; + goto fail; + } + + ret = sdap_autofs_get_map_retry(req); + if (ret != EOK) { + goto fail; + } + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static errno_t +sdap_autofs_get_map_retry(struct tevent_req *req) +{ + struct autofs_get_map_state *state = + tevent_req_data(req, struct autofs_get_map_state); + struct tevent_req *subreq; + int ret = EOK; + + subreq = sdap_id_op_connect_send(state->op, state, &ret); + if (!subreq) { + return ret; + } + + tevent_req_set_callback(subreq, sdap_autofs_get_map_connect_done, req); + return EOK; +} + +static void +sdap_autofs_get_map_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct autofs_get_map_state *state = + tevent_req_data(req, struct autofs_get_map_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + + if (ret != EOK) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + subreq = sdap_autofs_setautomntent_send(state, state->ev, + state->ctx->be->domain, + state->ctx->be->domain->sysdb, + sdap_id_op_handle(state->op), + state->op, + state->ctx->opts, + state->map_name); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_autofs_setautomntent_send failed\n"); + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, sdap_autofs_get_map_done, req); + +} + +static void +sdap_autofs_get_map_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct autofs_get_map_state *state = + tevent_req_data(req, struct autofs_get_map_state); + int dp_error = DP_ERR_FATAL; + int ret; + + ret = sdap_autofs_setautomntent_recv(subreq); + talloc_zfree(subreq); + + ret = sdap_id_op_done(state->op, ret, &dp_error); + if (dp_error == DP_ERR_OK && ret != EOK) { + /* retry */ + ret = 
sdap_autofs_get_map_retry(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + return; + } + + if (ret && ret != ENOENT) { + state->dp_error = dp_error; + tevent_req_error(req, ret); + return; + } + + if (ret == ENOENT) { + ret = sysdb_delete_autofsmap(state->ctx->be->domain, state->map_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot delete autofs map %s [%d]: %s\n", + state->map_name, ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } + } + + state->dp_error = DP_ERR_OK; + tevent_req_done(req); +} + +static errno_t +sdap_autofs_get_map_recv(struct tevent_req *req, int *dp_error_out) +{ + struct autofs_get_map_state *state = + tevent_req_data(req, struct autofs_get_map_state); + + if (dp_error_out) { + *dp_error_out = state->dp_error; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct sdap_autofs_handler_state { + struct dp_reply_std reply; +}; + +static void sdap_autofs_handler_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_autofs_handler_send(TALLOC_CTX *mem_ctx, + struct sdap_id_ctx *id_ctx, + struct dp_autofs_data *data, + struct dp_req_params *params) +{ + struct sdap_autofs_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + const char *master_map; + + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_autofs_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + DEBUG(SSSDBG_FUNC_DATA, "Requested refresh for: %s\n", data->mapname); + + master_map = dp_opt_get_string(id_ctx->opts->basic, + SDAP_AUTOFS_MAP_MASTER_NAME); + if (strcmp(master_map, data->mapname) == 0) { + DEBUG(SSSDBG_FUNC_DATA, "Refresh of automount master map triggered: " + "%s\n", data->mapname); + + ret = sysdb_invalidate_autofs_maps(id_ctx->be->domain); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not invalidate autofs maps, " + "backend might return stale entries\n"); + 
} + } + + subreq = sdap_autofs_get_map_send(mem_ctx, params->ev, + id_ctx, data->mapname); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request for %s.\n", + data->mapname); + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_autofs_handler_done, req); + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void sdap_autofs_handler_done(struct tevent_req *subreq) +{ + struct sdap_autofs_handler_state *state; + struct tevent_req *req; + int dp_error; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_autofs_handler_state); + + ret = sdap_autofs_get_map_recv(subreq, &dp_error); + talloc_zfree(subreq); + + /* TODO For backward compatibility we always return EOK to DP now. */ + dp_reply_std_set(&state->reply, dp_error, ret, NULL); + tevent_req_done(req); +} + +errno_t +sdap_autofs_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct sdap_autofs_handler_state *state = NULL; + + state = tevent_req_data(req, struct sdap_autofs_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} + +errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_id_ctx *id_ctx, + struct dp_method *dp_methods) +{ + errno_t ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing autofs LDAP back end\n"); + + ret = ldap_get_autofs_options(id_ctx, be_ctx->cdb, be_ctx->conf_path, + id_ctx->opts); + if (ret != EOK) { + return ret; + } + + dp_set_method(dp_methods, DPM_AUTOFS_HANDLER, + sdap_autofs_handler_send, sdap_autofs_handler_recv, id_ctx, + struct sdap_id_ctx, struct dp_autofs_data, struct dp_reply_std); + + return EOK; +} 
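Review bot: In sdap_autofs_handler_send the subrequest is created on `mem_ctx` rather than on `state`, so it is not a talloc child of the request it reports to. If the caller frees `req` before the map lookup finishes (the caller is not visible here, so this needs confirming), the subrequest keeps running and sdap_autofs_handler_done later picks up the freed `req` through tevent_req_callback_data. Parenting it to the request state ties the two lifetimes together: `subreq = sdap_autofs_get_map_send(state, params->ev, id_ctx, data->mapname);`. The explicit `talloc_zfree(subreq)` in sdap_autofs_handler_done stays valid with that change.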
diff --git a/src/providers/ldap/sdap_autofs.h b/src/providers/ldap/sdap_autofs.h new file mode 100644 index 0000000..593d8c9 --- /dev/null +++ b/src/providers/ldap/sdap_autofs.h @@ -0,0 +1,47 @@ +/* + SSSD + + LDAP handler for autofs + + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_AUTOFS_H_ +#define _SDAP_AUTOFS_H_ + +errno_t sdap_autofs_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_id_ctx *id_ctx, + struct dp_method *dp_methods); + +struct tevent_req * +sdap_autofs_setautomntent_send(TALLOC_CTX *memctx, + struct tevent_context *ev, + struct sss_domain_info *dom, + struct sysdb_ctx *sysdb, + struct sdap_handle *sh, + struct sdap_id_op *op, + struct sdap_options *opts, + const char *mapname); + +errno_t +sdap_autofs_setautomntent_recv(struct tevent_req *req); + +#endif /* _SDAP_AUTOFS_H_ */ + diff --git a/src/providers/ldap/sdap_certmap.c b/src/providers/ldap/sdap_certmap.c new file mode 100644 index 0000000..fcf88a9 --- /dev/null +++ b/src/providers/ldap/sdap_certmap.c 
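Review bot: sdap_autofs.h is not self-contained: its prototypes use `errno_t`, `TALLOC_CTX` and several struct types (`struct be_ctx`, `struct sdap_id_ctx`, `struct dp_method`, `struct sdap_handle` and others) but the header includes nothing and forward-declares nothing. It therefore only compiles when the includer has already pulled in the right headers, as sdap_autofs.c does by including `providers/ldap/ldap_common.h` before it. Including the needed header here, or forward-declaring the structs, removes that include-order dependency. The guard name `_SDAP_AUTOFS_H_` also begins with an underscore followed by an uppercase letter, which is a reserved identifier in C; `SDAP_AUTOFS_H` avoids that.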
@@ -0,0 +1,152 @@ + +/* + SSSD + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "lib/certmap/sss_certmap.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_certmap_ctx { + struct sss_certmap_ctx *certmap_ctx; +}; + +struct priv_sss_debug { + int level; +}; + +static void ext_debug(void *private, const char *file, long line, + const char *function, const char *format, ...) +{ + va_list ap; + struct priv_sss_debug *data = private; + int level = SSSDBG_OP_FAILURE; + + if (data != NULL) { + level = data->level; + } + + if (DEBUG_IS_SET(level)) { + va_start(ap, format); + sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED, + format, ap); + va_end(ap); + } +} + +struct sss_certmap_ctx *sdap_get_sss_certmap(struct sdap_certmap_ctx *ctx) +{ + return ctx == NULL ? 
NULL : ctx->certmap_ctx; +} + +errno_t sdap_setup_certmap(struct sdap_certmap_ctx *sdap_certmap_ctx, + struct certmap_info **certmap_list) +{ + int ret; + struct sss_certmap_ctx *sss_certmap_ctx = NULL; + size_t c; + + if (sdap_certmap_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing sdap_certmap_ctx.\n"); + return EINVAL; + } + + if (certmap_list == NULL || *certmap_list == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No certmap data, nothing to do.\n"); + ret = EOK; + goto done; + } + + ret = sss_certmap_init(sdap_certmap_ctx, ext_debug, NULL, &sss_certmap_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n"); + goto done; + } + + for (c = 0; certmap_list[c] != NULL; c++) { + DEBUG(SSSDBG_TRACE_ALL, "Trying to add rule [%s][%d][%s][%s].\n", + certmap_list[c]->name, + certmap_list[c]->priority, + certmap_list[c]->match_rule, + certmap_list[c]->map_rule); + + ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority, + certmap_list[c]->match_rule, + certmap_list[c]->map_rule, + certmap_list[c]->domains); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_certmap_add_rule failed for rule [%s] " + "with error [%d][%s], skipping. 
" + "Please check for typos and if rule syntax is supported.\n", + certmap_list[c]->name, ret, sss_strerror(ret)); + continue; + } + } + + ret = EOK; + +done: + if (ret == EOK) { + sss_certmap_free_ctx(sdap_certmap_ctx->certmap_ctx); + sdap_certmap_ctx->certmap_ctx = sss_certmap_ctx; + } else { + sss_certmap_free_ctx(sss_certmap_ctx); + } + + return ret; +} + +errno_t sdap_init_certmap(TALLOC_CTX *mem_ctx, struct sdap_id_ctx *id_ctx) +{ + int ret; + bool hint; + struct certmap_info **certmap_list = NULL; + + if (id_ctx->opts->sdap_certmap_ctx == NULL) { + id_ctx->opts->sdap_certmap_ctx = talloc_zero(mem_ctx, + struct sdap_certmap_ctx); + if (id_ctx->opts->sdap_certmap_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + } + + ret = sysdb_get_certmap(mem_ctx, id_ctx->be->domain->sysdb, + &certmap_list, &hint); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n"); + goto done; + } + + ret = sdap_setup_certmap(id_ctx->opts->sdap_certmap_ctx, certmap_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_setup_certmap failed.\n"); + goto done; + } + + ret = EOK; + +done: + talloc_free(certmap_list); + + return ret; +} diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c new file mode 100644 index 0000000..a03d28c --- /dev/null +++ b/src/providers/ldap/sdap_child_helpers.c 
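Review bot: In sdap_setup_certmap a rule that sss_certmap_add_rule rejects is logged and skipped, yet the function still returns EOK and swaps the new context in for the old one, even when every rule was rejected. For certificate mapping this means a typo in one rule silently changes which certificates map to which users, and sdap_init_certmap cannot tell a fully loaded rule set from a partial or empty one; what an empty context matches is decided inside sss_certmap and is not visible here. I would at least document the behaviour above the loop, e.g. `/* Rules that fail to parse are skipped; the remaining set still replaces the previous context. */`, and consider counting the rules that were added so the previous context is kept when none could be.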
@@ -0,0 +1,522 @@ +/* + SSSD + + LDAP Backend Module -- child helpers + + Authors: + Jakub Hrozek + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_krb5.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async_private.h" +#include "util/child_common.h" + +#ifndef SSSD_LIBEXEC_PATH +#error "SSSD_LIBEXEC_PATH not defined" +#else +#define LDAP_CHILD SSSD_LIBEXEC_PATH"/ldap_child" +#endif + +#ifndef LDAP_CHILD_USER +#define LDAP_CHILD_USER "nobody" +#endif + +struct sdap_child { + /* child info */ + pid_t pid; + struct child_io_fds *io; +}; + +static void sdap_close_fd(int *fd) +{ + int ret; + + if (*fd == -1) { + DEBUG(SSSDBG_TRACE_FUNC, "fd already closed\n"); + return; + } + + ret = close(*fd); + if (ret) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "Closing fd %d, return error %d (%s)\n", + *fd, ret, strerror(ret)); + } + + *fd = -1; +} + +static void child_callback(int child_status, + struct tevent_signal *sige, + void *pvt) +{ + if (WEXITSTATUS(child_status) == CHILD_TIMEOUT_EXIT_CODE) { + DEBUG(SSSDBG_CRIT_FAILURE, + "LDAP child was terminated due to timeout\n"); + + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + tevent_req_error(req, ETIMEDOUT); + } +} + +static errno_t sdap_fork_child(struct tevent_context *ev, + struct sdap_child 
*child, struct tevent_req *req) +{ + int pipefd_to_child[2] = PIPE_INIT; + int pipefd_from_child[2] = PIPE_INIT; + pid_t pid; + errno_t ret; + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + pid = fork(); + + if (pid == 0) { /* child */ + exec_child(child, + pipefd_to_child, pipefd_from_child, + LDAP_CHILD, ldap_child_debug_fd); + + /* We should never get here */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec LDAP child\n"); + } else if (pid > 0) { /* parent */ + child->pid = pid; + child->io->read_from_child_fd = pipefd_from_child[0]; + PIPE_FD_CLOSE(pipefd_from_child[1]); + child->io->write_to_child_fd = pipefd_to_child[1]; + PIPE_FD_CLOSE(pipefd_to_child[0]); + sss_fd_nonblocking(child->io->read_from_child_fd); + sss_fd_nonblocking(child->io->write_to_child_fd); + + ret = child_handler_setup(ev, pid, child_callback, req, NULL); + if (ret != EOK) { + goto fail; + } + + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + return EOK; + +fail: + PIPE_CLOSE(pipefd_from_child); + PIPE_CLOSE(pipefd_to_child); + return ret; +} + +static errno_t create_tgt_req_send_buffer(TALLOC_CTX *mem_ctx, + const char *realm_str, + const char *princ_str, + const char *keytab_name, + int32_t lifetime, + struct io_buffer **io_buf) +{ + struct io_buffer *buf; + size_t rp; + + buf = talloc(mem_ctx, struct io_buffer); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + return ENOMEM; + } + + buf->size = 6 * sizeof(uint32_t); + if (realm_str) { + buf->size += strlen(realm_str); + } + if (princ_str) { + buf->size += strlen(princ_str); + } + if (keytab_name) { + buf->size += strlen(keytab_name); + } + + 
DEBUG(SSSDBG_TRACE_FUNC, "buffer size: %zu\n", buf->size); + + buf->data = talloc_size(buf, buf->size); + if (buf->data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + talloc_free(buf); + return ENOMEM; + } + + rp = 0; + + /* realm */ + if (realm_str) { + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(realm_str), &rp); + safealign_memcpy(&buf->data[rp], realm_str, strlen(realm_str), &rp); + } else { + SAFEALIGN_SET_UINT32(&buf->data[rp], 0, &rp); + } + + /* principal */ + if (princ_str) { + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(princ_str), &rp); + safealign_memcpy(&buf->data[rp], princ_str, strlen(princ_str), &rp); + } else { + SAFEALIGN_SET_UINT32(&buf->data[rp], 0, &rp); + } + + /* keytab */ + if (keytab_name) { + SAFEALIGN_SET_UINT32(&buf->data[rp], strlen(keytab_name), &rp); + safealign_memcpy(&buf->data[rp], keytab_name, strlen(keytab_name), &rp); + } else { + SAFEALIGN_SET_UINT32(&buf->data[rp], 0, &rp); + } + + /* lifetime */ + SAFEALIGN_SET_UINT32(&buf->data[rp], lifetime, &rp); + + /* UID and GID to drop privileges to, if needed. 
The ldap_child process runs as + * setuid if the back end runs unprivileged as it needs to access the keytab + */ + SAFEALIGN_SET_UINT32(&buf->data[rp], geteuid(), &rp); + SAFEALIGN_SET_UINT32(&buf->data[rp], getegid(), &rp); + + *io_buf = buf; + return EOK; +} + +static int parse_child_response(TALLOC_CTX *mem_ctx, + uint8_t *buf, ssize_t size, + int *result, krb5_error_code *kerr, + char **ccache, time_t *expire_time_out) +{ + size_t p = 0; + uint32_t len; + uint32_t res; + char *ccn; + time_t expire_time; + krb5_error_code krberr; + + /* operation result code */ + SAFEALIGN_COPY_UINT32_CHECK(&res, buf + p, size, &p); + + /* krb5 error code */ + safealign_memcpy(&krberr, buf+p, sizeof(krberr), &p); + + /* ccache name size */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + + if (len > size - p) return EINVAL; + + ccn = talloc_size(mem_ctx, sizeof(char) * (len + 1)); + if (ccn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + safealign_memcpy(ccn, buf+p, sizeof(char) * len, &p); + ccn[len] = '\0'; + + if (p + sizeof(time_t) > size) { + talloc_free(ccn); + return EINVAL; + } + safealign_memcpy(&expire_time, buf+p, sizeof(time_t), &p); + + *result = res; + *ccache = ccn; + *expire_time_out = expire_time; + *kerr = krberr; + return EOK; +} + +/* ==The-public-async-interface============================================*/ + +struct sdap_get_tgt_state { + struct tevent_context *ev; + struct sdap_child *child; + ssize_t len; + uint8_t *buf; + + struct tevent_timer *kill_te; +}; + +static errno_t set_tgt_child_timeout(struct tevent_req *req, + struct tevent_context *ev, + int timeout); +static void sdap_get_tgt_step(struct tevent_req *subreq); +static void sdap_get_tgt_done(struct tevent_req *subreq); + +struct tevent_req *sdap_get_tgt_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *realm_str, + const char *princ_str, + const char *keytab_name, + int32_t lifetime, + int timeout) +{ + struct tevent_req 
*req, *subreq; + struct sdap_get_tgt_state *state; + struct io_buffer *buf; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_get_tgt_state); + if (!req) { + return NULL; + } + + state->ev = ev; + + state->child = talloc_zero(state, struct sdap_child); + if (!state->child) { + ret = ENOMEM; + goto fail; + } + + state->child->io = talloc(state, struct child_io_fds); + if (state->child->io == NULL) { + ret = ENOMEM; + goto fail; + } + state->child->io->read_from_child_fd = -1; + state->child->io->write_to_child_fd = -1; + talloc_set_destructor((TALLOC_CTX *) state->child->io, child_io_destructor); + + /* prepare the data to pass to child */ + ret = create_tgt_req_send_buffer(state, + realm_str, princ_str, keytab_name, lifetime, + &buf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "create_tgt_req_send_buffer failed.\n"); + goto fail; + } + + ret = sdap_fork_child(state->ev, state->child, req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_fork_child failed.\n"); + goto fail; + } + + ret = set_tgt_child_timeout(req, ev, timeout); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "activate_child_timeout_handler failed.\n"); + goto fail; + } + + subreq = write_pipe_send(state, ev, buf->data, buf->size, + state->child->io->write_to_child_fd); + if (!subreq) { + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, sdap_get_tgt_step, req); + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void sdap_get_tgt_step(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_tgt_state *state = tevent_req_data(req, + struct sdap_get_tgt_state); + int ret; + + ret = write_pipe_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + sdap_close_fd(&state->child->io->write_to_child_fd); + + subreq = read_pipe_send(state, state->ev, + 
state->child->io->read_from_child_fd); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, sdap_get_tgt_done, req); +} + +static void sdap_get_tgt_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_get_tgt_state *state = tevent_req_data(req, + struct sdap_get_tgt_state); + int ret; + + ret = read_pipe_recv(subreq, state, &state->buf, &state->len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + sdap_close_fd(&state->child->io->read_from_child_fd); + + if (state->kill_te == NULL) { + tevent_req_done(req); + return; + } + + /* wait for child callback to terminate the request */ +} + +int sdap_get_tgt_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + int *result, + krb5_error_code *kerr, + char **ccname, + time_t *expire_time_out) +{ + struct sdap_get_tgt_state *state = tevent_req_data(req, + struct sdap_get_tgt_state); + char *ccn; + time_t expire_time; + int res; + int ret; + krb5_error_code krberr; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + ret = parse_child_response(mem_ctx, state->buf, state->len, + &res, &krberr, &ccn, &expire_time); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse child response: [%d][%s]\n", ret, strerror(ret)); + return ret; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Child responded: %d [%s], expired on [%ld]\n", res, ccn, (long)expire_time); + *result = res; + *kerr = krberr; + *ccname = ccn; + *expire_time_out = expire_time; + return EOK; +} + +static void get_tgt_sigkill_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct sdap_get_tgt_state *state = tevent_req_data(req, + struct sdap_get_tgt_state); + int ret; + + DEBUG(SSSDBG_TRACE_ALL, + "timeout for sending SIGKILL to TGT child [%d] reached.\n", + state->child->pid); + + ret = 
kill(state->child->pid, SIGKILL); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "kill failed [%d][%s].\n", errno, strerror(errno)); + } + + tevent_req_error(req, ETIMEDOUT); +} + +static void get_tgt_timeout_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct sdap_get_tgt_state *state = tevent_req_data(req, + struct sdap_get_tgt_state); + int ret; + + DEBUG(SSSDBG_TRACE_ALL, + "timeout for sending SIGTERM to TGT child [%d] reached.\n", + state->child->pid); + + ret = kill(state->child->pid, SIGTERM); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Sending SIGTERM failed [%d][%s].\n", ret, strerror(ret)); + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Setting %d seconds timeout for sending SIGKILL to TGT child\n", + SIGTERM_TO_SIGKILL_TIME); + + tv = tevent_timeval_current_ofs(SIGTERM_TO_SIGKILL_TIME, 0); + + state->kill_te = tevent_add_timer(ev, req, tv, get_tgt_sigkill_handler, req); + if (state->kill_te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + tevent_req_error(req, ECANCELED); + } +} + +static errno_t set_tgt_child_timeout(struct tevent_req *req, + struct tevent_context *ev, + int timeout) +{ + struct tevent_timer *te; + struct timeval tv; + + DEBUG(SSSDBG_TRACE_FUNC, + "Setting %d seconds timeout for TGT child\n", timeout); + + tv = tevent_timeval_current_ofs(timeout, 0); + + te = tevent_add_timer(ev, req, tv, get_tgt_timeout_handler, req); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + return ENOMEM; + } + + return EOK; +} + + + +/* Setup child logging */ +int sdap_setup_child(void) +{ + return child_debug_init(LDAP_CHILD_LOG_FILE, &ldap_child_debug_fd); +} diff --git a/src/providers/ldap/sdap_domain.c b/src/providers/ldap/sdap_domain.c new file mode 100644 index 0000000..d384b2e --- /dev/null +++ b/src/providers/ldap/sdap_domain.c 
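Review bot: parse_child_response copies the krb5 error code with `safealign_memcpy(&krberr, buf+p, sizeof(krberr), &p);` without first checking that `sizeof(krberr)` bytes remain in the buffer. The fields before and after it go through SAFEALIGN_COPY_UINT32_CHECK (which, going by its name and the `size` argument, bounds-checks) and the trailing time_t has an explicit guard, so this is the one unguarded read; a short response from ldap_child would be read past `size` before the next length check runs. Adding `if (p + sizeof(krberr) > size) return EINVAL;` ahead of the copy closes it, in the same form as the time_t guard further down. Separately, `size` is an `ssize_t` compared against `size_t` values, so a negative length would pass these comparisons after conversion; whether read_pipe_recv can deliver one is not visible here, but an explicit `if (size < 0) return EINVAL;` at the top would settle it.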
@@ -0,0 +1,202 @@ +/* + Authors: + Simo Sorce + + Copyright (C) 2008-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ldap/ldap_common.h" + +int +sdap_domain_destructor(void *mem) +{ + struct sdap_domain *dom = + talloc_get_type(mem, struct sdap_domain); + DLIST_REMOVE(*(dom->head), dom); + return 0; +} + +struct sdap_domain * +sdap_domain_get(struct sdap_options *opts, + struct sss_domain_info *dom) +{ + struct sdap_domain *sditer = NULL; + + DLIST_FOR_EACH(sditer, opts->sdom) { + if (sditer->dom == dom) { + break; + } + } + + return sditer; +} + +struct sdap_domain * +sdap_domain_get_by_dn(struct sdap_options *opts, + const char *dn) +{ + struct sdap_domain *sditer = NULL; + struct sdap_domain *sdmatch = NULL; + TALLOC_CTX *tmp_ctx = NULL; + int match_len; + int best_match_len = 0; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + DLIST_FOR_EACH(sditer, opts->sdom) { + if (sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, sditer->search_bases, + NULL, &match_len) + || sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, + sditer->user_search_bases, NULL, &match_len) + || sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, + sditer->group_search_bases, NULL, &match_len) + || sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, + sditer->netgroup_search_bases, NULL, &match_len) + || sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, + sditer->sudo_search_bases, NULL, &match_len) + || 
sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, + sditer->service_search_bases, NULL, &match_len) + || sss_ldap_dn_in_search_bases_len(tmp_ctx, dn, + sditer->autofs_search_bases, NULL, &match_len)) { + if (best_match_len < match_len) { + /*this is a longer match*/ + best_match_len = match_len; + sdmatch = sditer; + } + } + } + talloc_free(tmp_ctx); + return sdmatch; +} + +errno_t +sdap_domain_add(struct sdap_options *opts, + struct sss_domain_info *dom, + struct sdap_domain **_sdom) +{ + struct sdap_domain *sdom; + errno_t ret; + + sdom = talloc_zero(opts, struct sdap_domain); + if (sdom == NULL) { + return ENOMEM; + } + sdom->dom = dom; + sdom->head = &opts->sdom; + + /* Convert the domain name into search base */ + ret = domain_to_basedn(sdom, sdom->dom->name, &sdom->basedn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot convert domain name [%s] to base DN [%d]: %s\n", + dom->name, ret, strerror(ret)); + goto done; + } + + talloc_set_destructor((TALLOC_CTX *)sdom, sdap_domain_destructor); + DLIST_ADD_END(opts->sdom, sdom, struct sdap_domain *); + + if (_sdom) *_sdom = sdom; + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(sdom); + } + + return ret; +} + +errno_t +sdap_domain_subdom_add(struct sdap_id_ctx *sdap_id_ctx, + struct sdap_domain *sdom_list, + struct sss_domain_info *parent) +{ + struct sss_domain_info *dom; + struct sdap_domain *sdom, *sditer; + errno_t ret; + + for (dom = get_next_domain(parent, SSS_GND_DESCEND); + dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */ + dom = get_next_domain(dom, 0)) { + + DLIST_FOR_EACH(sditer, sdom_list) { + if (sditer->dom == dom) { + break; + } + } + + if (sditer == NULL) { + /* New sdap domain */ + DEBUG(SSSDBG_TRACE_FUNC, "subdomain %s is a new one, will " + "create a new sdap domain object\n", dom->name); + + ret = sdap_domain_add(sdap_id_ctx->opts, dom, &sdom); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot add new sdap domain for domain %s [%d]: %s\n", + parent->name, ret, 
strerror(ret)); + return ret; + } + } else if (sditer->search_bases != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "subdomain %s has already initialized search bases\n", + dom->name); + continue; + } else { + sdom = sditer; + } + + /* Update search bases */ + talloc_zfree(sdom->search_bases); + sdom->search_bases = talloc_array(sdom, struct sdap_search_base *, 2); + if (sdom->search_bases == NULL) { + return ENOMEM; + } + sdom->search_bases[1] = NULL; + + ret = sdap_create_search_base(sdom, sdom->basedn, LDAP_SCOPE_SUBTREE, + NULL, &sdom->search_bases[0]); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot create new sdap search base\n"); + return ret; + } + + sdom->user_search_bases = sdom->search_bases; + sdom->group_search_bases = sdom->search_bases; + sdom->netgroup_search_bases = sdom->search_bases; + sdom->sudo_search_bases = sdom->search_bases; + sdom->service_search_bases = sdom->search_bases; + sdom->autofs_search_bases = sdom->search_bases; + } + + return EOK; +} + +void +sdap_domain_remove(struct sdap_options *opts, + struct sss_domain_info *dom) +{ + struct sdap_domain *sdom; + + sdom = sdap_domain_get(opts, dom); + if (sdom == NULL) return; + + DLIST_REMOVE(*(sdom->head), sdom); +} diff --git a/src/providers/ldap/sdap_dyndns.c b/src/providers/ldap/sdap_dyndns.c new file mode 100644 index 0000000..20d97ca --- /dev/null +++ b/src/providers/ldap/sdap_dyndns.c 
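Review bot: In sdap_domain_subdom_add, when sdap_create_search_base fails the function returns with `sdom->search_bases` still pointing at the fresh two-slot array, whose slot 0 came from talloc_array and was never assigned unless the callee writes it on failure (not visible here). On the next call the `sditer->search_bases != NULL` branch treats that domain as already initialized and skips it, so later readers of the search bases would walk an array with an indeterminate first element. Releasing the array on the error path avoids that: `talloc_zfree(sdom->search_bases);` before `return ret;`. The failure message for sdap_domain_add in the same loop also prints `parent->name` where `dom->name` is the domain that actually failed.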
@@ -0,0 +1,922 @@ +/* + SSSD + + sdap_dyndns.c: LDAP specific dynamic DNS update + + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "resolv/async_resolv.h" +#include "providers/backend.h" +#include "providers/be_dyndns.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/sdap_dyndns.h" +#include "providers/ldap/sdap_id_op.h" +#include "providers/ldap/ldap_common.h" + +static struct tevent_req * +sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_ctx, + const char *iface); +static errno_t +sdap_dyndns_get_addrs_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct sss_iface_addr **_addresses); + +struct sdap_dyndns_update_state { + struct tevent_context *ev; + struct be_resolv_ctx *be_res; + struct dp_option *opts; + + const char *hostname; + const char *realm; + const char *servername; + int ttl; + + struct sss_iface_addr *addresses; + struct sss_iface_addr *dns_addrlist; + uint8_t remove_af; + + bool update_ptr; + bool check_diff; + enum be_nsupdate_auth auth_type; + bool fallback_mode; + char *update_msg; + struct sss_iface_addr *ptr_addr_iter; + bool del_phase; +}; + +static void sdap_dyndns_update_addrs_done(struct tevent_req *subreq); +static void sdap_dyndns_dns_addrs_done(struct tevent_req *subreq); +static errno_t 
sdap_dyndns_addrs_diff(struct sdap_dyndns_update_state *state, + bool *_do_update); +static errno_t sdap_dyndns_update_step(struct tevent_req *req); +static errno_t sdap_dyndns_update_ptr_step(struct tevent_req *req); +static void sdap_dyndns_update_done(struct tevent_req *subreq); +static void sdap_dyndns_update_ptr_done(struct tevent_req *subreq); +static errno_t +sdap_dyndns_next_ptr_record(struct sdap_dyndns_update_state *state, + struct tevent_req *req); +static struct sss_iface_addr* +sdap_get_address_to_delete(struct sss_iface_addr *address_it, + uint8_t remove_af); + +static bool should_retry(int nsupdate_ret, int child_status) +{ + if ((WIFEXITED(child_status) && WEXITSTATUS(child_status) != 0) + || nsupdate_ret == ERR_DYNDNS_TIMEOUT) { + return true; + } + + return false; +} + +struct tevent_req * +sdap_dyndns_update_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct dp_option *opts, + struct sdap_id_ctx *sdap_ctx, + enum be_nsupdate_auth auth_type, + const char *ifname, + const char *hostname, + const char *realm, + const int ttl, + bool check_diff) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct sdap_dyndns_update_state *state; + const char *conf_servername; + + req = tevent_req_create(mem_ctx, &state, struct sdap_dyndns_update_state); + if (req == NULL) { + return NULL; + } + state->check_diff = check_diff; + state->update_ptr = dp_opt_get_bool(opts, DP_OPT_DYNDNS_UPDATE_PTR); + state->hostname = hostname; + state->realm = realm; + state->servername = NULL; + state->fallback_mode = false; + state->ttl = ttl; + state->be_res = be_ctx->be_res; + state->ev = ev; + state->opts = opts; + state->auth_type = auth_type; + state->ptr_addr_iter = NULL; + state->del_phase = true; + + /* fallback servername is overriden by user option */ + conf_servername = dp_opt_get_string(opts, DP_OPT_DYNDNS_SERVER); + if (conf_servername != NULL) { + state->servername = conf_servername; + } + + if (ifname) 
{ + /* Unless one family is restricted, just replace all + * address families during the update + */ + switch (state->be_res->family_order) { + case IPV4_ONLY: + state->remove_af |= DYNDNS_REMOVE_A; + break; + case IPV6_ONLY: + state->remove_af |= DYNDNS_REMOVE_AAAA; + break; + case IPV4_FIRST: + case IPV6_FIRST: + state->remove_af |= (DYNDNS_REMOVE_A | + DYNDNS_REMOVE_AAAA); + break; + } + } else { + /* If the interface isn't specified, we ONLY want to have the address + * that's connected to the LDAP server stored, so we need to check + * (and later remove) both address families. + */ + state->remove_af = (DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA); + } + + subreq = sdap_dyndns_get_addrs_send(state, state->ev, sdap_ctx, ifname); + if (!subreq) { + ret = EIO; + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + tevent_req_set_callback(subreq, sdap_dyndns_update_addrs_done, req); + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void +sdap_dyndns_update_addrs_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req; + struct sdap_dyndns_update_state *state; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_dyndns_update_state); + + ret = sdap_dyndns_get_addrs_recv(subreq, state, &state->addresses); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Can't get addresses for DNS update\n"); + tevent_req_error(req, ret); + return; + } + + if (state->check_diff || state->update_ptr) { + /* Check if we need the update at all. 
In case we are updating the PTR + * records as well, we need to know the old addresses to be able to + * reliably delete the PTR records */ + subreq = nsupdate_get_addrs_send(state, state->ev, + state->be_res, state->hostname); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Can't initiate address check\n"); + tevent_req_error(req, ret); + return; + } + tevent_req_set_callback(subreq, sdap_dyndns_dns_addrs_done, req); + return; + } + + /* Perform update */ + ret = sdap_dyndns_update_step(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + /* Execution will resume in sdap_dyndns_update_done */ +} + +static void +sdap_dyndns_dns_addrs_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_dyndns_update_state *state; + errno_t ret; + bool do_update; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_dyndns_update_state); + + ret = nsupdate_get_addrs_recv(subreq, state, &state->dns_addrlist, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not receive list of current addresses [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (state->check_diff) { + ret = sdap_dyndns_addrs_diff(state, &do_update); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not check the diff between DNS " + "and current addresses [%d]: %s\n", ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (do_update == false) { + DEBUG(SSSDBG_TRACE_FUNC, + "No DNS update needed, addresses did not change\n"); + tevent_req_done(req); + return; + } + DEBUG(SSSDBG_TRACE_FUNC, + "Detected IP addresses change, will perform an update\n"); + } + + /* Either we needed the addresses for updating PTR records only or + * the addresses have changed (or both) */ + ret = sdap_dyndns_update_step(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not start the update [%d]: %s\n", + ret, sss_strerror(ret)); + 
tevent_req_error(req, ret); + } + return; +} + +static errno_t +sdap_dyndns_addrs_diff(struct sdap_dyndns_update_state *state, bool *_do_update) +{ + errno_t ret; + int i; + char **str_dnslist = NULL, **str_local_list = NULL; + char **dns_only = NULL, **local_only = NULL; + bool do_update = false; + + ret = sss_iface_addr_list_as_str_list(state, + state->dns_addrlist, &str_dnslist); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Converting DNS IP addresses to strings failed: [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = sss_iface_addr_list_as_str_list(state, + state->addresses, &str_local_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Converting local IP addresses to strings failed: [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + /* Compare the lists */ + ret = diff_string_lists(state, str_dnslist, str_local_list, + &dns_only, &local_only, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "diff_string_lists failed: [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + if (dns_only) { + for (i=0; dns_only[i]; i++) { + DEBUG(SSSDBG_TRACE_LIBS, + "Address in DNS only: %s\n", dns_only[i]); + do_update = true; + } + } + + if (local_only) { + for (i=0; local_only[i]; i++) { + DEBUG(SSSDBG_TRACE_LIBS, + "Address on localhost only: %s\n", local_only[i]); + do_update = true; + } + } + + *_do_update = do_update; + return EOK; +} + +static errno_t +sdap_dyndns_update_step(struct tevent_req *req) +{ + errno_t ret; + struct sdap_dyndns_update_state *state; + const char *servername; + const char *realm; + struct tevent_req *subreq; + + state = tevent_req_data(req, struct sdap_dyndns_update_state); + + servername = NULL; + realm = NULL; + if (state->fallback_mode) { + servername = state->servername; + realm = state->realm; + } + + ret = be_nsupdate_create_fwd_msg(state, realm, servername, + state->hostname, + state->ttl, state->remove_af, + state->addresses, + &state->update_msg); + if (ret != EOK) { + 
DEBUG(SSSDBG_OP_FAILURE, "Can't get addresses for DNS update\n"); + return ret; + } + + /* Fork a child process to perform the DNS update */ + subreq = be_nsupdate_send(state, state->ev, state->auth_type, + state->update_msg, + dp_opt_get_bool(state->opts, + DP_OPT_DYNDNS_FORCE_TCP)); + if (subreq == NULL) { + return EIO; + } + + tevent_req_set_callback(subreq, sdap_dyndns_update_done, req); + return EOK; +} + +static void +sdap_dyndns_update_done(struct tevent_req *subreq) +{ + errno_t ret; + int child_status; + struct tevent_req *req; + struct sdap_dyndns_update_state *state; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_dyndns_update_state); + + ret = be_nsupdate_recv(subreq, &child_status); + talloc_zfree(subreq); + if (ret != EOK) { + /* If the update didn't succeed, we can retry using the server name */ + if (state->fallback_mode == false + && should_retry(ret, child_status)) { + state->fallback_mode = true; + DEBUG(SSSDBG_MINOR_FAILURE, + "nsupdate failed, retrying.\n"); + ret = sdap_dyndns_update_step(req); + if (ret == EOK) { + return; + } + } + } + + if (state->update_ptr == false) { + DEBUG(SSSDBG_TRACE_FUNC, "No PTR update requested, done\n"); + tevent_req_done(req); + return; + } + + talloc_free(state->update_msg); + + /* init iterator for addresses to be deleted */ + state->ptr_addr_iter = sdap_get_address_to_delete(state->dns_addrlist, + state->remove_af); + if (state->ptr_addr_iter == NULL) { + /* init iterator for addresses to be added */ + state->del_phase = false; + state->ptr_addr_iter = state->addresses; + } + + ret = sdap_dyndns_update_ptr_step(req); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + /* Execution will resume in sdap_dyndns_update_ptr_done */ +} + + +static bool remove_addr(int address_family, uint8_t remove_af) +{ + bool ret = false; + + switch(address_family) { + case AF_INET: + if (remove_af & DYNDNS_REMOVE_A) { + ret = true; + } + break; + case 
AF_INET6: + if (remove_af & DYNDNS_REMOVE_AAAA) { + ret = true; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown address family\n"); + ret = false; + } + + return ret; +} + +static struct sss_iface_addr* +sdap_get_address_to_delete(struct sss_iface_addr *address_it, + uint8_t remove_af) +{ + struct sockaddr_storage* address; + + while (address_it != NULL) { + address = sss_iface_addr_get_address(address_it); + + /* skip addresses that are not to be deleted */ + if (remove_addr(address->ss_family, remove_af)) { + break; + } + + address_it = sss_iface_addr_get_next(address_it); + } + + return address_it; +} + +static errno_t +sdap_dyndns_update_ptr_step(struct tevent_req *req) +{ + errno_t ret; + struct sdap_dyndns_update_state *state; + const char *servername; + const char *realm; + struct tevent_req *subreq; + struct sockaddr_storage *address; + + state = tevent_req_data(req, struct sdap_dyndns_update_state); + + servername = NULL; + realm = NULL; + if (state->fallback_mode == true) { + servername = state->servername; + realm = state->realm; + } + + address = sss_iface_addr_get_address(state->ptr_addr_iter); + if (address == NULL) { + return EIO; + } + + ret = be_nsupdate_create_ptr_msg(state, realm, servername, state->hostname, + state->ttl, address, state->del_phase, + &state->update_msg); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Can't get addresses for DNS update\n"); + return ret; + } + + /* Fork a child process to perform the DNS update */ + subreq = be_nsupdate_send(state, state->ev, state->auth_type, + state->update_msg, + dp_opt_get_bool(state->opts, + DP_OPT_DYNDNS_FORCE_TCP)); + if (subreq == NULL) { + return EIO; + } + + tevent_req_set_callback(subreq, sdap_dyndns_update_ptr_done, req); + return EOK; +} + +static void +sdap_dyndns_update_ptr_done(struct tevent_req *subreq) +{ + errno_t ret; + int child_status; + struct tevent_req *req; + struct sdap_dyndns_update_state *state; + + req = tevent_req_callback_data(subreq, struct 
tevent_req); + state = tevent_req_data(req, struct sdap_dyndns_update_state); + + ret = be_nsupdate_recv(subreq, &child_status); + talloc_zfree(subreq); + if (ret != EOK) { + /* If the update didn't succeed, we can retry using the server name */ + if (state->fallback_mode == false + && should_retry(ret, child_status)) { + state->fallback_mode = true; + DEBUG(SSSDBG_MINOR_FAILURE, "nsupdate failed, retrying\n"); + ret = sdap_dyndns_update_ptr_step(req); + if (ret == EOK) { + return; + } + } + + ret = sdap_dyndns_next_ptr_record(state, req); + if (ret == EAGAIN) { + return; + } + + tevent_req_error(req, ret); + return; + } + + ret = sdap_dyndns_next_ptr_record(state, req); + if (ret == EAGAIN) { + return; + } + + tevent_req_done(req); +} + +static errno_t +sdap_dyndns_next_ptr_record(struct sdap_dyndns_update_state *state, + struct tevent_req *req) +{ + errno_t ret; + + if (state->del_phase) { + /* iterate to next address to delete */ + state->ptr_addr_iter = sdap_get_address_to_delete( + sss_iface_addr_get_next(state->ptr_addr_iter), state->remove_af); + if (state->ptr_addr_iter == NULL) { + /* init iterator for addresses to be added */ + state->del_phase = false; + state->ptr_addr_iter = state->addresses; + } + } else { + /* iterate to next address to add */ + state->ptr_addr_iter = sss_iface_addr_get_next(state->ptr_addr_iter); + } + + if (state->ptr_addr_iter != NULL) { + + state->fallback_mode = false; + ret = sdap_dyndns_update_ptr_step(req); + if (ret == EOK) { + return EAGAIN; + } + } + + return EOK; +} + +errno_t +sdap_dyndns_update_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +/* A request to get addresses to update with */ +struct sdap_dyndns_get_addrs_state { + struct sdap_id_op* sdap_op; + struct sss_iface_addr *addresses; +}; + +static void sdap_dyndns_get_addrs_done(struct tevent_req *subreq); +static errno_t sdap_dyndns_add_ldap_conn(struct sdap_dyndns_get_addrs_state *state, + struct sdap_handle *sh); + 
+static errno_t get_ifaces_addrs(TALLOC_CTX *mem_ctx, + const char *iface, + struct sss_iface_addr **_result) +{ + struct sss_iface_addr *result_addrs = NULL; + struct sss_iface_addr *intf_addrs; + TALLOC_CTX *tmp_ctx; + char **list_of_intfs; + int num_of_intfs; + errno_t ret; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = split_on_separator(tmp_ctx, iface, ',', true, true, &list_of_intfs, + &num_of_intfs); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Parsing names of interfaces failed - %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + for (i = 0; i < num_of_intfs; i++) { + ret = sss_iface_addr_list_get(tmp_ctx, list_of_intfs[i], &intf_addrs); + if (ret == EOK) { + if (result_addrs != NULL) { + /* If there is already an existing list, head of this existing + * list will be considered as parent talloc context for the + * new list. + */ + talloc_steal(result_addrs, intf_addrs); + } + sss_iface_addr_concatenate(&result_addrs, intf_addrs); + } else if (ret == ENOENT) { + /* non-critical failure */ + DEBUG(SSSDBG_TRACE_FUNC, + "Cannot get interface %s or there are no addresses " + "bind to it.\n", list_of_intfs[i]); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get list of addresses from interface %s - %d:[%s]\n", + list_of_intfs[i], ret, sss_strerror(ret)); + goto done; + } + } + + ret = EOK; + *_result = talloc_steal(mem_ctx, result_addrs); + +done: + talloc_free(tmp_ctx); + return ret; +} + +static struct tevent_req * +sdap_dyndns_get_addrs_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_ctx, + const char *iface) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct sdap_dyndns_get_addrs_state *state; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_dyndns_get_addrs_state); + if (req == NULL) { + return NULL; + } + + if (iface) { + ret = get_ifaces_addrs(state, iface, &state->addresses); + if (ret != EOK || 
state->addresses == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "get_ifaces_addrs() failed: %d:[%s]\n", + ret, sss_strerror(ret)); + } + /* We're done. Just fake an async request completion */ + goto done; + } + + /* Detect DYNDNS address from LDAP connection */ + state->sdap_op = sdap_id_op_create(state, sdap_ctx->conn->conn_cache); + if (!state->sdap_op) { + ret = ENOMEM; + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + goto done; + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (!subreq) { + ret = EIO; + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: [%d](%s)\n", + ret, sss_strerror(ret)); + goto done; + } + tevent_req_set_callback(subreq, sdap_dyndns_get_addrs_done, req); + + ret = EAGAIN; +done: + if (ret == EOK) { + tevent_req_done(req); + tevent_req_post(req, ev); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + /* EAGAIN - resolution in progress */ + return req; +} + +static void +sdap_dyndns_get_addrs_done(struct tevent_req *subreq) +{ + errno_t ret; + int dp_error; + struct tevent_req *req; + struct sdap_dyndns_get_addrs_state *state; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_dyndns_get_addrs_state); + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, "No LDAP server is available, " + "dynamic DNS update is skipped in offline mode.\n"); + ret = ERR_DYNDNS_OFFLINE; + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to LDAP server: [%d](%s)\n", + ret, sss_strerror(ret)); + } + tevent_req_error(req, ret); + return; + } + + ret = sdap_dyndns_add_ldap_conn(state, sdap_id_op_handle(state->sdap_op)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Can't get addresses from LDAP connection\n"); + tevent_req_error(req, ret); + return; + } + + /* Got the address! Done! 
*/ + tevent_req_done(req); +} + +static errno_t +sdap_dyndns_add_ldap_conn(struct sdap_dyndns_get_addrs_state *state, + struct sdap_handle *sh) +{ + int ret; + int fd; + struct sockaddr_storage ss; + socklen_t ss_len = sizeof(ss); + + if (sh == NULL) { + return EINVAL; + } + + /* Get the file descriptor for the primary LDAP connection */ + ret = get_fd_from_ldap(sh->ldap, &fd); + if (ret != EOK) { + return ret; + } + + errno = 0; + ret = getsockname(fd, (struct sockaddr *) &ss, &ss_len); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get socket name\n"); + return ret; + } + + if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Connection to LDAP is neither IPv4 nor IPv6\n"); + return EIO; + } + + ret = sss_get_dualstack_addresses(state, (struct sockaddr *) &ss, + &state->addresses); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "sss_get_dualstack_addresses failed: %d:[%s]\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +static errno_t +sdap_dyndns_get_addrs_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct sss_iface_addr **_addresses) +{ + struct sdap_dyndns_get_addrs_state *state; + + state = tevent_req_data(req, struct sdap_dyndns_get_addrs_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_addresses = talloc_steal(mem_ctx, state->addresses); + return EOK; +} + +struct sdap_dyndns_timer_state { + struct tevent_context *ev; + struct sdap_id_ctx *sdap_ctx; + struct be_nsupdate_ctx *dyndns_ctx; + + struct sdap_id_op *sdap_op; +}; + +static void sdap_dyndns_timer_conn_done(struct tevent_req *req); + +struct tevent_req * +sdap_dyndns_timer_conn_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_id_ctx *sdap_ctx, + struct be_nsupdate_ctx *dyndns_ctx) +{ + struct sdap_dyndns_timer_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_dyndns_timer_state); + if (req 
== NULL) { + return NULL; + } + state->ev = ev; + state->sdap_ctx = sdap_ctx; + state->dyndns_ctx = dyndns_ctx; + + /* In order to prevent the connection triggering an + * online callback which would in turn trigger a concurrent DNS + * update + */ + state->dyndns_ctx->timer_in_progress = true; + + /* Make sure to have a valid LDAP connection */ + state->sdap_op = sdap_id_op_create(state, state->sdap_ctx->conn->conn_cache); + if (state->sdap_op == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n"); + ret = ENOMEM; + goto fail; + } + + subreq = sdap_id_op_connect_send(state->sdap_op, state, &ret); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_connect_send failed: [%d](%s)\n", + ret, sss_strerror(ret)); + ret = ENOMEM; + goto fail; + } + tevent_req_set_callback(subreq, sdap_dyndns_timer_conn_done, req); + return req; + +fail: + dyndns_ctx->timer_in_progress = false; + be_nsupdate_timer_schedule(ev, dyndns_ctx); + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void +sdap_dyndns_timer_conn_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct sdap_dyndns_timer_state *state = tevent_req_data(req, + struct sdap_dyndns_timer_state); + errno_t ret; + int dp_error; + + state->dyndns_ctx->timer_in_progress = false; + + ret = sdap_id_op_connect_recv(subreq, &dp_error); + talloc_zfree(subreq); + if (ret != EOK) { + if (dp_error == DP_ERR_OFFLINE) { + DEBUG(SSSDBG_MINOR_FAILURE, "No server is available, " + "dynamic DNS update is skipped in offline mode.\n"); + /* Another timer will be scheduled when provider goes online */ + tevent_req_error(req, ERR_DYNDNS_OFFLINE); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to connect to LDAP server: [%d](%s)\n", + ret, sss_strerror(ret)); + + /* Just schedule another dyndns retry */ + be_nsupdate_timer_schedule(state->ev, state->dyndns_ctx); + tevent_req_error(req, ERR_NETWORK_IO); + } + return; + } 
+ + /* All OK, schedule another refresh and let the user call its + * provider-specific update + */ + be_nsupdate_timer_schedule(state->ev, state->dyndns_ctx); + tevent_req_done(req); +} + +errno_t +sdap_dyndns_timer_conn_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} diff --git a/src/providers/ldap/sdap_dyndns.h b/src/providers/ldap/sdap_dyndns.h new file mode 100644 index 0000000..b31c373 --- /dev/null +++ b/src/providers/ldap/sdap_dyndns.h 
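Review bot: In sdap_dyndns_update_addrs_done, the `subreq == NULL` branch after nsupdate_get_addrs_send() calls `tevent_req_error(req, ret)` while `ret` is still EOK from the successful sdap_dyndns_get_addrs_recv() just above. tevent_req_error() ignores a zero error code and does not finish the request, so the caller's callback would never run and the update would stall with no failure reported. Set a real code first, for example `ret = ENOMEM;` before `tevent_req_error(req, ret);`. Separately, sdap_dyndns_update_done falls through to `tevent_req_done(req)` when the forward nsupdate failed, no retry applies and no PTR update is requested, so a rejected DNS update is reported as success. If that is deliberate best effort it deserves a comment saying so; otherwise add `tevent_req_error(req, ret); return;` after the retry block.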
@@ -0,0 +1,61 @@
+/*
+ SSSD
+
+ sdap_dyndns.h: LDAP specific dynamic DNS update
+
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SDAP_DYNDNS_H_
+#define SDAP_DYNDNS_H_
+
+#include "util/util.h"
+#include "providers/backend.h"
+#include "providers/be_dyndns.h"
+#include "providers/ldap/ldap_common.h"
+
+struct tevent_req *
+sdap_dyndns_update_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct dp_option *opts,
+ struct sdap_id_ctx *sdap_ctx,
+ enum be_nsupdate_auth auth_type,
+ const char *ifname,
+ const char *hostname,
+ const char *realm,
+ const int ttl,
+ bool check_diff);
+
+errno_t sdap_dyndns_update_recv(struct tevent_req *req);
+
+/* Connects to the LDAP server in order to read the address from the
+ * socket and be able to perform dynamic DNS updates. Reschedules the
+ * task automatically on errors and sets/resets the timer_in_progress
+ * guard in be_nsupdate_ctx.
+ */
+struct tevent_req *
+sdap_dyndns_timer_conn_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *sdap_ctx,
+ struct be_nsupdate_ctx *dyndns_ctx);
+
+errno_t sdap_dyndns_timer_conn_recv(struct tevent_req *req);
+
+#endif /* SDAP_DYNDNS_H_ */
diff --git a/src/providers/ldap/sdap_fd_events.c b/src/providers/ldap/sdap_fd_events.c
new file mode 100644
index 0000000..eeb4c95
--- /dev/null
+++ b/src/providers/ldap/sdap_fd_events.c 
@@ -0,0 +1,323 @@ +/* + SSSD + + Helper routines for file descriptor events + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/ldap/sdap_async_private.h" + +struct sdap_fd_events { +#ifdef HAVE_LDAP_CONNCB + struct ldap_conncb *conncb; +#else + struct tevent_fd *fde; +#endif +}; + +int get_fd_from_ldap(LDAP *ldap, int *fd) +{ + int ret; + + ret = ldap_get_option(ldap, LDAP_OPT_DESC, fd); + if (ret != LDAP_OPT_SUCCESS || *fd < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get fd from ldap!!\n"); + *fd = -1; + return EIO; + } + + return EOK; +} + +int remove_ldap_connection_callbacks(struct sdap_handle *sh) +{ + /* sdap_fd_events might be NULL here if the back end was marked offline + * before a connection was established. 
+ */ + if (sh->sdap_fd_events) { +#ifdef HAVE_LDAP_CONNCB + talloc_zfree(sh->sdap_fd_events->conncb); +#else + talloc_zfree(sh->sdap_fd_events->fde); +#endif + } + return EOK; +} + +#ifdef HAVE_LDAP_CONNCB + +static int remove_connection_callback(TALLOC_CTX *mem_ctx) +{ + int lret; + struct ldap_conncb *conncb = talloc_get_type(mem_ctx, struct ldap_conncb); + + struct ldap_cb_data *cb_data = talloc_get_type(conncb->lc_arg, + struct ldap_cb_data); + + lret = ldap_get_option(cb_data->sh->ldap, LDAP_OPT_CONNECT_CB, conncb); + if (lret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove connection callback.\n"); + } else { + DEBUG(SSSDBG_TRACE_ALL, "Successfully removed connection callback.\n"); + } + return EOK; +} + +static int sdap_ldap_connect_callback_add(LDAP *ld, Sockbuf *sb, + LDAPURLDesc *srv, + struct sockaddr *addr, + struct ldap_conncb *ctx) +{ + int ret; + ber_socket_t ber_fd; + struct fd_event_item *fd_event_item; + struct ldap_cb_data *cb_data = talloc_get_type(ctx->lc_arg, + struct ldap_cb_data); + + if (cb_data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_ldap_connect_callback_add called without " + "callback data.\n"); + return EINVAL; + } + + ret = ber_sockbuf_ctrl(sb, LBER_SB_OPT_GET_FD, &ber_fd); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_ctrl failed.\n"); + return EINVAL; + } + + if (DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) { + char *uri = ldap_url_desc2str(srv); + DEBUG(SSSDBG_TRACE_LIBS, "New LDAP connection to [%s] with fd [%d].\n", + uri, ber_fd); + free(uri); + } + + fd_event_item = talloc_zero(cb_data, struct fd_event_item); + if (fd_event_item == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + return ENOMEM; + } + + fd_event_item->fde = tevent_add_fd(cb_data->ev, fd_event_item, ber_fd, + TEVENT_FD_READ, sdap_ldap_result, + cb_data->sh); + if (fd_event_item->fde == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd failed.\n"); + talloc_free(fd_event_item); + return ENOMEM; + } + fd_event_item->fd 
= ber_fd; + + DLIST_ADD(cb_data->fd_list, fd_event_item); + + return LDAP_SUCCESS; +} + +static void sdap_ldap_connect_callback_del(LDAP *ld, Sockbuf *sb, + struct ldap_conncb *ctx) +{ + int ret; + ber_socket_t ber_fd; + struct fd_event_item *fd_event_item; + struct ldap_cb_data *cb_data = talloc_get_type(ctx->lc_arg, + struct ldap_cb_data); + + if (sb == NULL || cb_data == NULL) { + return; + } + + ret = ber_sockbuf_ctrl(sb, LBER_SB_OPT_GET_FD, &ber_fd); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_ctrl failed.\n"); + return; + } + DEBUG(SSSDBG_TRACE_ALL, "Closing LDAP connection with fd [%d].\n", ber_fd); + + DLIST_FOR_EACH(fd_event_item, cb_data->fd_list) { + if (fd_event_item->fd == ber_fd) { + break; + } + } + if (fd_event_item == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No event for fd [%d] found.\n", ber_fd); + return; + } + + DLIST_REMOVE(cb_data->fd_list, fd_event_item); + talloc_zfree(fd_event_item); + + return; +} + +#else + +static int sdap_install_ldap_callbacks(struct sdap_handle *sh, + struct tevent_context *ev) +{ + int fd; + int ret; + + if (sh->sdap_fd_events) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_install_ldap_callbacks is called with already " + "initialized sdap_fd_events.\n"); + return EINVAL; + } + + sh->sdap_fd_events = talloc_zero(sh, struct sdap_fd_events); + if (!sh->sdap_fd_events) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + ret = get_fd_from_ldap(sh->ldap, &fd); + if (ret) return ret; + + sh->sdap_fd_events->fde = tevent_add_fd(ev, sh->sdap_fd_events, fd, + TEVENT_FD_READ, sdap_ldap_result, + sh); + if (!sh->sdap_fd_events->fde) { + talloc_zfree(sh->sdap_fd_events); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Trace: sh[%p], connected[%d], ops[%p], fde[%p], ldap[%p]\n", + sh, (int)sh->connected, sh->ops, sh->sdap_fd_events->fde, + sh->ldap); + + return EOK; +} + +#endif + + +errno_t setup_ldap_connection_callbacks(struct sdap_handle *sh, + struct tevent_context *ev) +{ 
+#ifdef HAVE_LDAP_CONNCB + int ret; + struct ldap_cb_data *cb_data; + + sh->sdap_fd_events = talloc_zero(sh, struct sdap_fd_events); + if (sh->sdap_fd_events == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto fail; + } + + sh->sdap_fd_events->conncb = talloc_zero(sh->sdap_fd_events, + struct ldap_conncb); + if (sh->sdap_fd_events->conncb == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto fail; + } + + cb_data = talloc_zero(sh->sdap_fd_events->conncb, struct ldap_cb_data); + if (cb_data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto fail; + } + cb_data->sh = sh; + cb_data->ev = ev; + + sh->sdap_fd_events->conncb->lc_add = sdap_ldap_connect_callback_add; + sh->sdap_fd_events->conncb->lc_del = sdap_ldap_connect_callback_del; + sh->sdap_fd_events->conncb->lc_arg = cb_data; + + ret = ldap_set_option(sh->ldap, LDAP_OPT_CONNECT_CB, + sh->sdap_fd_events->conncb); + if (ret != LDAP_OPT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set connection callback\n"); + ret = EFAULT; + goto fail; + } + + talloc_set_destructor((TALLOC_CTX *) sh->sdap_fd_events->conncb, + remove_connection_callback); + + return EOK; + +fail: + talloc_zfree(sh->sdap_fd_events); + return ret; +#else + DEBUG(SSSDBG_TRACE_ALL, "LDAP connection callbacks are not supported.\n"); + return EOK; +#endif +} + +errno_t sdap_set_connected(struct sdap_handle *sh, struct tevent_context *ev) +{ + int ret = EOK; + + sh->connected = true; + +#ifndef HAVE_LDAP_CONNCB + ret = sdap_install_ldap_callbacks(sh, ev); +#endif + + return ret; +} + +errno_t sdap_call_conn_cb(const char *uri,int fd, struct sdap_handle *sh) +{ +#ifdef HAVE_LDAP_CONNCB + int ret; + Sockbuf *sb; + LDAPURLDesc *lud; + + sb = ber_sockbuf_alloc(); + if (sb == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_alloc failed.\n"); + return ENOMEM; + } + + ret = ber_sockbuf_ctrl(sb, LBER_SB_OPT_SET_FD, &fd); + if (ret != 1) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "ber_sockbuf_ctrl failed.\n"); + return EFAULT; + } + + ret = ldap_url_parse(uri, &lud); + if (ret != 0) { + ber_sockbuf_free(sb); + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_url_parse failed to validate [%s] on fd [%d].\n", + uri, fd); + return EFAULT; + } + + ret = sdap_ldap_connect_callback_add(NULL, sb, lud, NULL, + sh->sdap_fd_events->conncb); + + ldap_free_urldesc(lud); + ber_sockbuf_free(sb); + return ret; +#else + DEBUG(SSSDBG_TRACE_ALL, "LDAP connection callbacks are not supported.\n"); + return EOK; +#endif +} diff --git a/src/providers/ldap/sdap_hostid.c b/src/providers/ldap/sdap_hostid.c new file mode 100644 index 0000000..d90a838 --- /dev/null +++ b/src/providers/ldap/sdap_hostid.c 
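Review bot: sdap_call_conn_cb leaks the Sockbuf on its first error path: when `ber_sockbuf_ctrl(sb, LBER_SB_OPT_SET_FD, &fd)` fails, it returns EFAULT without the `ber_sockbuf_free(sb)` that the ldap_url_parse() failure path just below does call. Add `ber_sockbuf_free(sb);` before that `return EFAULT;`. The same function also dereferences `sh->sdap_fd_events->conncb` without a check, although the comment in remove_ldap_connection_callbacks says sdap_fd_events can be NULL when the back end went offline before a connection was established. A guard such as `if (sh->sdap_fd_events == NULL) return EINVAL;` at the top of the HAVE_LDAP_CONNCB branch, before anything is allocated, would make that case explicit, provided no caller depends on the current behaviour.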
@@ -0,0 +1,324 @@
+/*
+ Authors:
+ Jan Cholasta
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/crypto/sss_crypto.h"
+#include "db/sysdb_ssh.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap_async.h"
+#include "providers/ldap/sdap_hostid.h"
+
+struct hosts_get_state {
+ struct tevent_context *ev;
+ struct sdap_id_ctx *id_ctx;
+ struct sdap_id_op *op;
+ struct sss_domain_info *domain;
+ const char *name;
+ const char *alias;
+
+ size_t count;
+ struct sysdb_attrs **hosts;
+ int dp_error;
+};
+
+static errno_t
+hosts_get_retry(struct tevent_req *req);
+static void
+hosts_get_connect_done(struct tevent_req *subreq);
+static void
+hosts_get_done(struct tevent_req *subreq);
+
+struct tevent_req *
+hosts_get_send(TALLOC_CTX *memctx,
+ struct tevent_context *ev,
+ struct sdap_id_ctx *id_ctx,
+ const char *name,
+ const char *alias)
+{
+ struct tevent_req *req;
+ struct hosts_get_state *state;
+ errno_t ret;
+
+ req = tevent_req_create(memctx, &state, struct hosts_get_state);
+ if (!req) return NULL;
+
+ state->ev = ev;
+ state->id_ctx = id_ctx;
+ state->dp_error = DP_ERR_FATAL;
+
+ state->op = sdap_id_op_create(state, id_ctx->conn->conn_cache);
+ if (!state->op) {
+ DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ state->domain = id_ctx->be->domain;
+ state->name = name;
+ state->alias = alias;
+
+ ret = hosts_get_retry(req);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+hosts_get_retry(struct tevent_req *req)
+{
+ struct hosts_get_state *state = tevent_req_data(req,
+ struct hosts_get_state);
+ struct tevent_req *subreq;
+ errno_t ret = EOK;
+
+ subreq = sdap_id_op_connect_send(state->op, state, &ret);
+ if (!subreq) {
+ return ret;
+ }
+
+ tevent_req_set_callback(subreq, hosts_get_connect_done, req);
+ return EOK;
+}
+
+static void
+hosts_get_connect_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct hosts_get_state *state = tevent_req_data(req,
+ struct hosts_get_state);
+ int dp_error = DP_ERR_FATAL;
+ errno_t ret;
+
+ ret = sdap_id_op_connect_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ if (ret != EOK) {
+ state->dp_error = dp_error;
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = sdap_host_info_send(state, state->ev,
+ sdap_id_op_handle(state->op),
+ state->id_ctx->opts, state->name,
+ state->id_ctx->opts->host_map,
+ state->id_ctx->opts->sdom->host_search_bases);
+ if (!subreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, hosts_get_done, req);
+}
+
+static void
+hosts_get_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct hosts_get_state *state = tevent_req_data(req,
+ struct hosts_get_state);
+ int dp_error = DP_ERR_FATAL;
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ time_t now = time(NULL);
+
+ ret = sdap_host_info_recv(subreq, state,
+ &state->count, &state->hosts);
+ talloc_zfree(subreq);
+
+ ret = sdap_id_op_done(state->op, ret, &dp_error);
+ if (dp_error == DP_ERR_OK && ret != EOK) {
+ /* retry */
+ ret = hosts_get_retry(req);
+ if (ret != EOK) {
+ goto done;
+ }
+ return;
+ }
+
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
+ }
+
+ if (state->count == 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "No host with name [%s] found.\n", state->name);
+
+ ret = sysdb_delete_ssh_host(state->domain, state->name);
+ if (ret != EOK && ret != ENOENT) {
+ goto done;
+ }
+
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (state->count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Found more than one host with name [%s].\n", state->name);
+ ret = EINVAL;
+ goto done;
+ }
+
+ attrs = sysdb_new_attrs(state);
+ if (!attrs) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* we are interested only in the host keys */
+ ret = sysdb_attrs_copy_values(state->hosts[0], attrs, SYSDB_SSH_PUBKEY);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_store_ssh_host(state->domain, state->name, state->alias,
+ state->domain->ssh_host_timeout, now, attrs);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ dp_error = DP_ERR_OK;
+
+done:
+ state->dp_error = dp_error;
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+}
+
+static errno_t
+hosts_get_recv(struct tevent_req *req,
+ int *dp_error_out)
+{
+ struct hosts_get_state *state = tevent_req_data(req,
+ struct hosts_get_state);
+
+ if (dp_error_out) {
+ *dp_error_out = state->dp_error;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+struct sdap_hostid_handler_state {
+ struct dp_reply_std reply;
+};
+
+static void sdap_hostid_handler_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sdap_hostid_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_hostid_data *data,
+ struct dp_req_params *params)
+{
+ struct sdap_hostid_handler_state *state;
+ struct tevent_req *subreq;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct sdap_hostid_handler_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ subreq = hosts_get_send(state, params->ev, id_ctx,
+ data->name, data->alias);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request\n");
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ tevent_req_set_callback(subreq, sdap_hostid_handler_done, req);
+
+ return req;
+
+immediately:
+ dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ tevent_req_done(req);
+ tevent_req_post(req, params->ev);
+
+ return req;
+}
+
+static void sdap_hostid_handler_done(struct tevent_req *subreq)
+{
+ struct sdap_hostid_handler_state *state;
+ struct tevent_req *req;
+ int dp_error;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct sdap_hostid_handler_state);
+
+ ret = hosts_get_recv(subreq, &dp_error);
+ talloc_zfree(subreq);
+
+ /* TODO For backward compatibility we always return EOK to DP now. */
+ dp_reply_std_set(&state->reply, dp_error, ret, NULL);
+ tevent_req_done(req);
+}
+
+errno_t
+sdap_hostid_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data)
+{
+ struct sdap_hostid_handler_state *state = NULL;
+
+ state = tevent_req_data(req, struct sdap_hostid_handler_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *data = state->reply;
+
+ return EOK;
+}
+
+errno_t sdap_hostid_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_method *dp_methods)
+{
+ (void)be_ctx;
+
+ dp_set_method(dp_methods, DPM_HOSTID_HANDLER,
+ sdap_hostid_handler_send, sdap_hostid_handler_recv, id_ctx,
+ struct sdap_id_ctx, struct dp_hostid_data, struct dp_reply_std);
+
+ return EOK;
+}
diff --git a/src/providers/ldap/sdap_hostid.h b/src/providers/ldap/sdap_hostid.h
new file mode 100644
index 0000000..6234f9f
--- /dev/null
+++ b/src/providers/ldap/sdap_hostid.h
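Review bot: In `hosts_get_done` the `done:` label copies `dp_error` into the request state unchanged, so failures that occur after a successful search are reported as `DP_ERR_OK` together with a non-EOK `ret`. This covers an EOK search with `count == 0`, more than one host for the name, and `sysdb_new_attrs`, `sysdb_attrs_copy_values` or `sysdb_store_ssh_host` failing, because `sdap_id_op_done` has already set `dp_error` to `DP_ERR_OK` when the LDAP operation returned EOK. For an SSH host-key lookup, the ambiguous-match and store-failure cases should not look like a clean provider result; how the data provider weighs the two values is not visible in this file. I would downgrade at the label with `if (ret != EOK && dp_error == DP_ERR_OK) dp_error = DP_ERR_FATAL;` and drop the redundant `dp_error = DP_ERR_OK;` just before it.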
@@ -0,0 +1,40 @@
+/*
+ Authors:
+ Jan Cholasta
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SDAP_HOSTID_H_
+#define _SDAP_HOSTID_H_
+
+errno_t sdap_hostid_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_method *dp_methods);
+
+struct tevent_req *
+sdap_hostid_handler_send(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct dp_hostid_data *data,
+ struct dp_req_params *params);
+
+errno_t
+sdap_hostid_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct dp_reply_std *data);
+
+#endif /* _SDAP_HOSTID_H_ */
diff --git a/src/providers/ldap/sdap_id_op.c b/src/providers/ldap/sdap_id_op.c
new file mode 100644
index 0000000..e7ff546
--- /dev/null
+++ b/src/providers/ldap/sdap_id_op.c
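Review bot: This header is not self-contained: its prototypes name `TALLOC_CTX`, `errno_t`, `struct be_ctx`, `struct dp_method` and several other struct tags, yet it includes nothing and forward-declares nothing. It therefore only compiles when included after the headers that define those names, as sdap_hostid.c in this patch does by listing it last. A struct tag first seen inside a parameter list has prototype scope, so a changed include order would produce warnings and incompatible-pointer errors at the call sites. I would add forward declarations such as `struct be_ctx;` and `struct sdap_id_ctx;` after the guard, the way sdap_id_op.h in this patch does, and include the headers that provide `TALLOC_CTX` and `errno_t`.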
@@ -0,0 +1,892 @@ +/* + SSSD + + LDAP ID backend operation retry logic and connection cache + + Authors: + Eugene Indenbom + + Copyright (C) 2008-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_id_op.h" + +/* LDAP async connection cache */ +struct sdap_id_conn_cache { + struct sdap_id_conn_ctx *id_conn; + + /* list of all open connections */ + struct sdap_id_conn_data *connections; + /* cached (current) connection */ + struct sdap_id_conn_data *cached_connection; +}; + +/* LDAP async operation tracker: + * - keeps track of connection usage + * - keeps track of operation retries */ +struct sdap_id_op { + /* ID backend context */ + struct sdap_id_conn_cache *conn_cache; + /* double linked list pointers */ + struct sdap_id_op *prev, *next; + /* current connection */ + struct sdap_id_conn_data *conn_data; + /* number of reconnects for this operation */ + int reconnect_retry_count; + /* connection request + * It is required as we need to know which requests to notify + * when shared connection request to sdap_handle completes. 
+ * This member is cleared when sdap_id_op_connect_state + * associated with request is destroyed */ + struct tevent_req *connect_req; +}; + +/* LDAP connection cache connection attempt/established connection data */ +struct sdap_id_conn_data { + /* LDAP connection cache */ + struct sdap_id_conn_cache *conn_cache; + /* double linked list pointers */ + struct sdap_id_conn_data *prev, *next; + /* sdap handle */ + struct sdap_handle *sh; + /* connection request */ + struct tevent_req *connect_req; + /* timer for connection expiration */ + struct tevent_timer *expire_timer; + /* number of running connection notifies */ + int notify_lock; + /* list of operations using connect */ + struct sdap_id_op *ops; + /* A flag which is signalizing that this + * connection will be disconnected and should + * not be used any more */ + bool disconnecting; +}; + +static void sdap_id_conn_cache_be_offline_cb(void *pvt); +static void sdap_id_conn_cache_fo_reconnect_cb(void *pvt); + +static void sdap_id_release_conn_data(struct sdap_id_conn_data *conn_data); +static int sdap_id_conn_data_destroy(struct sdap_id_conn_data *conn_data); +static bool sdap_is_connection_expired(struct sdap_id_conn_data *conn_data, int timeout); +static bool sdap_can_reuse_connection(struct sdap_id_conn_data *conn_data); +static void sdap_id_conn_data_expire_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt); +static int sdap_id_conn_data_set_expire_timer(struct sdap_id_conn_data *conn_data); + +static void sdap_id_op_hook_conn_data(struct sdap_id_op *op, struct sdap_id_conn_data *conn_data); +static int sdap_id_op_destroy(void *pvt); +static bool sdap_id_op_can_reconnect(struct sdap_id_op *op); + +static void sdap_id_op_connect_req_complete(struct sdap_id_op *op, int dp_error, int ret); +static int sdap_id_op_connect_state_destroy(void *pvt); +static int sdap_id_op_connect_step(struct tevent_req *req); +static void sdap_id_op_connect_done(struct tevent_req 
*subreq); + +/* Create a connection cache */ +int sdap_id_conn_cache_create(TALLOC_CTX *memctx, + struct sdap_id_conn_ctx *id_conn, + struct sdap_id_conn_cache** conn_cache_out) +{ + int ret; + struct sdap_id_conn_cache *conn_cache = talloc_zero(memctx, struct sdap_id_conn_cache); + if (!conn_cache) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_zero(struct sdap_id_conn_cache) failed.\n"); + ret = ENOMEM; + goto fail; + } + + conn_cache->id_conn = id_conn; + + ret = be_add_offline_cb(conn_cache, id_conn->id_ctx->be, + sdap_id_conn_cache_be_offline_cb, conn_cache, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_offline_cb failed.\n"); + goto fail; + } + + ret = be_add_reconnect_cb(conn_cache, id_conn->id_ctx->be, + sdap_id_conn_cache_fo_reconnect_cb, conn_cache, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "be_add_reconnect_cb failed.\n"); + goto fail; + } + + *conn_cache_out = conn_cache; + return EOK; + +fail: + talloc_zfree(conn_cache); + return ret; +} + +/* Callback on BE going offline */ +static void sdap_id_conn_cache_be_offline_cb(void *pvt) +{ + struct sdap_id_conn_cache *conn_cache = talloc_get_type(pvt, struct sdap_id_conn_cache); + struct sdap_id_conn_data *cached_connection = conn_cache->cached_connection; + + /* Release any cached connection on going offline */ + if (cached_connection != NULL) { + conn_cache->cached_connection = NULL; + sdap_id_release_conn_data(cached_connection); + } +} + +/* Callback for attempt to reconnect to primary server */ +static void sdap_id_conn_cache_fo_reconnect_cb(void *pvt) +{ + struct sdap_id_conn_cache *conn_cache = talloc_get_type(pvt, struct sdap_id_conn_cache); + struct sdap_id_conn_data *cached_connection = conn_cache->cached_connection; + + /* Release any cached connection on going offline */ + if (cached_connection != NULL) { + cached_connection->disconnecting = true; + } +} + +/* Release sdap_id_conn_data and destroy it if no longer needed */ +static void 
sdap_id_release_conn_data(struct sdap_id_conn_data *conn_data) +{ + struct sdap_id_conn_cache *conn_cache; + if (!conn_data || conn_data->ops || conn_data->notify_lock) { + /* connection is in use */ + return; + } + + conn_cache = conn_data->conn_cache; + if (conn_data == conn_cache->cached_connection) { + return; + } + + DEBUG(SSSDBG_TRACE_ALL, "releasing unused connection\n"); + + DLIST_REMOVE(conn_cache->connections, conn_data); + talloc_zfree(conn_data); +} + +/* Destructor for struct sdap_id_conn_data */ +static int sdap_id_conn_data_destroy(struct sdap_id_conn_data *conn_data) +{ + struct sdap_id_op *op; + + /* we clean out list of ops to make sure that order of destruction does not matter */ + while ((op = conn_data->ops) != NULL) { + op->conn_data = NULL; + DLIST_REMOVE(conn_data->ops, op); + } + + return 0; +} + +/* Check whether connection will expire after timeout seconds */ +static bool sdap_is_connection_expired(struct sdap_id_conn_data *conn_data, int timeout) +{ + time_t expire_time; + if (!conn_data || !conn_data->sh || !conn_data->sh->connected) { + return true; + } + + expire_time = conn_data->sh->expire_time; + if ((expire_time != 0) && (expire_time < time( NULL ) + timeout) ) { + return true; + } + + return false; +} + +/* Check whether connection can be reused for next LDAP ID operation */ +static bool sdap_can_reuse_connection(struct sdap_id_conn_data *conn_data) +{ + int timeout; + + if (!conn_data || !conn_data->sh || + !conn_data->sh->connected || conn_data->disconnecting) { + return false; + } + + timeout = dp_opt_get_int(conn_data->conn_cache->id_conn->id_ctx->opts->basic, + SDAP_OPT_TIMEOUT); + return !sdap_is_connection_expired(conn_data, timeout); +} + +/* Set expiration timer for connection if needed */ +static int sdap_id_conn_data_set_expire_timer(struct sdap_id_conn_data *conn_data) +{ + int timeout; + struct timeval tv; + + memset(&tv, 0, sizeof(tv)); + + tv.tv_sec = conn_data->sh->expire_time; + if (tv.tv_sec <= 0) { + return 
EOK; + } + + timeout = dp_opt_get_int(conn_data->conn_cache->id_conn->id_ctx->opts->basic, + SDAP_OPT_TIMEOUT); + if (timeout > 0) { + tv.tv_sec -= timeout; + } + + if (tv.tv_sec <= time(NULL)) { + return EOK; + } + + talloc_zfree(conn_data->expire_timer); + + conn_data->expire_timer = + tevent_add_timer(conn_data->conn_cache->id_conn->id_ctx->be->ev, + conn_data, tv, + sdap_id_conn_data_expire_handler, + conn_data); + if (!conn_data->expire_timer) { + return ENOMEM; + } + + return EOK; +} + +/* Handler for connection expiration timer */ +static void sdap_id_conn_data_expire_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct sdap_id_conn_data *conn_data = talloc_get_type(pvt, + struct sdap_id_conn_data); + struct sdap_id_conn_cache *conn_cache = conn_data->conn_cache; + + DEBUG(SSSDBG_MINOR_FAILURE, + "connection is about to expire, releasing it\n"); + + if (conn_cache->cached_connection == conn_data) { + conn_cache->cached_connection = NULL; + + sdap_id_release_conn_data(conn_data); + } +} + +/* Create an operation object */ +struct sdap_id_op *sdap_id_op_create(TALLOC_CTX *memctx, struct sdap_id_conn_cache *conn_cache) +{ + struct sdap_id_op *op = talloc_zero(memctx, struct sdap_id_op); + if (!op) { + return NULL; + } + + op->conn_cache = conn_cache; + + talloc_set_destructor((void*)op, sdap_id_op_destroy); + return op; +} + +/* Attach/detach connection to sdap_id_op */ +static void sdap_id_op_hook_conn_data(struct sdap_id_op *op, struct sdap_id_conn_data *conn_data) +{ + if (!op) { + DEBUG(SSSDBG_FATAL_FAILURE, "NULL op passed!!!\n"); + return; + } + + struct sdap_id_conn_data *current = op->conn_data; + if (conn_data == current) { + return; + } + + if (current) { + DLIST_REMOVE(current->ops, op); + } + + op->conn_data = conn_data; + + if (conn_data) { + DLIST_ADD_END(conn_data->ops, op, struct sdap_id_op*); + } + + if (current) { + sdap_id_release_conn_data(current); + } +} + +/* Destructor for 
sdap_id_op */ +static int sdap_id_op_destroy(void *pvt) +{ + struct sdap_id_op *op = talloc_get_type(pvt, struct sdap_id_op); + + if (op->conn_data) { + DEBUG(SSSDBG_TRACE_ALL, "releasing operation connection\n"); + sdap_id_op_hook_conn_data(op, NULL); + } + + return 0; +} + +/* Check whether retry with reconnect can be performed for the operation */ +static bool sdap_id_op_can_reconnect(struct sdap_id_op *op) +{ + /* we allow 2 retries for failover server configured: + * - one for connection broken during request execution + * - one for the following (probably failed) reconnect attempt */ + int max_retries; + int count; + + count = be_fo_get_server_count(op->conn_cache->id_conn->id_ctx->be, + op->conn_cache->id_conn->service->name); + max_retries = 2 * count -1; + if (max_retries < 1) { + max_retries = 1; + } + + return op->reconnect_retry_count < max_retries; +} + +/* state of connect request */ +struct sdap_id_op_connect_state { + struct sdap_id_conn_ctx *id_conn; + struct tevent_context *ev; + struct sdap_id_op *op; + int dp_error; + int result; +}; + +/* Destructor for operation connection request */ +static int sdap_id_op_connect_state_destroy(void *pvt) +{ + struct sdap_id_op_connect_state *state = talloc_get_type(pvt, + struct sdap_id_op_connect_state); + if (state->op != NULL) { + /* clear destroyed connection request */ + state->op->connect_req = NULL; + } + + return 0; +} + +/* Begin to connect to LDAP server */ +struct tevent_req *sdap_id_op_connect_send(struct sdap_id_op *op, + TALLOC_CTX *memctx, + int *ret_out) +{ + struct tevent_req *req = NULL; + struct sdap_id_op_connect_state *state; + int ret = EOK; + + if (!memctx) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: no memory context passed.\n"); + ret = EINVAL; + goto done; + } + + if (op->connect_req) { + /* Connection already in progress, invalid operation */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Bug: connection request is already running or completed and leaked.\n"); + ret = EINVAL; + goto done; + } + + req = 
tevent_req_create(memctx, &state, struct sdap_id_op_connect_state); + if (!req) { + ret = ENOMEM; + goto done; + } + + talloc_set_destructor((void*)state, sdap_id_op_connect_state_destroy); + + state->id_conn = op->conn_cache->id_conn; + state->ev = state->id_conn->id_ctx->be->ev; + state->op = op; + op->connect_req = req; + + if (op->conn_data) { + /* If the operation is already connected, + * reuse existing connection regardless of its status */ + DEBUG(SSSDBG_TRACE_ALL, "reusing operation connection\n"); + ret = EOK; + goto done; + } + + ret = sdap_id_op_connect_step(req); + if (ret != EOK) { + goto done; + } + +done: + if (ret != EOK) { + talloc_zfree(req); + } else if (op->conn_data && !op->conn_data->connect_req) { + /* Connection is already established */ + tevent_req_done(req); + tevent_req_post(req, state->ev); + } + + if (ret_out) { + *ret_out = ret; + } + + return req; +} + +/* Begin a connection retry to LDAP server */ +static int sdap_id_op_connect_step(struct tevent_req *req) +{ + struct sdap_id_op_connect_state *state = + tevent_req_data(req, struct sdap_id_op_connect_state); + struct sdap_id_op *op = state->op; + struct sdap_id_conn_cache *conn_cache = op->conn_cache; + + int ret = EOK; + struct sdap_id_conn_data *conn_data; + struct tevent_req *subreq = NULL; + + /* Try to reuse context cached connection */ + conn_data = conn_cache->cached_connection; + if (conn_data) { + if (conn_data->connect_req) { + DEBUG(SSSDBG_TRACE_ALL, "waiting for connection to complete\n"); + sdap_id_op_hook_conn_data(op, conn_data); + goto done; + } + + if (sdap_can_reuse_connection(conn_data)) { + DEBUG(SSSDBG_TRACE_ALL, "reusing cached connection\n"); + sdap_id_op_hook_conn_data(op, conn_data); + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "releasing expired cached connection\n"); + conn_cache->cached_connection = NULL; + sdap_id_release_conn_data(conn_data); + } + + DEBUG(SSSDBG_TRACE_ALL, "beginning to connect\n"); + + conn_data = talloc_zero(conn_cache, struct 
sdap_id_conn_data); + if (!conn_data) { + ret = ENOMEM; + goto done; + } + + talloc_set_destructor(conn_data, sdap_id_conn_data_destroy); + + conn_data->conn_cache = conn_cache; + subreq = sdap_cli_connect_send(conn_data, state->ev, + state->id_conn->id_ctx->opts, + state->id_conn->id_ctx->be, + state->id_conn->service, false, + CON_TLS_DFL, false); + + if (!subreq) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sdap_id_op_connect_done, conn_data); + conn_data->connect_req = subreq; + + DLIST_ADD(conn_cache->connections, conn_data); + conn_cache->cached_connection = conn_data; + + sdap_id_op_hook_conn_data(op, conn_data); + +done: + if (ret != EOK && conn_data) { + sdap_id_release_conn_data(conn_data); + } + + if (ret != EOK) { + talloc_zfree(subreq); + } + + return ret; +} + +static void sdap_id_op_connect_reinit_done(struct tevent_req *req); + +/* Subrequest callback for connection completion */ +static void sdap_id_op_connect_done(struct tevent_req *subreq) +{ + struct sdap_id_conn_data *conn_data = + tevent_req_callback_data(subreq, struct sdap_id_conn_data); + struct sdap_id_conn_cache *conn_cache = conn_data->conn_cache; + struct sdap_server_opts *srv_opts = NULL; + struct sdap_server_opts *current_srv_opts = NULL; + bool can_retry = false; + bool is_offline = false; + struct tevent_req *reinit_req = NULL; + bool reinit = false; + int ret; + + ret = sdap_cli_connect_recv(subreq, conn_data, &can_retry, + &conn_data->sh, &srv_opts); + conn_data->connect_req = NULL; + talloc_zfree(subreq); + + conn_data->notify_lock++; + + if (ret == ENOTSUP) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Authentication mechanism not Supported by server\n"); + } + + if (ret == EOK && (!conn_data->sh || !conn_data->sh->connected)) { + DEBUG(SSSDBG_FATAL_FAILURE, + "sdap_cli_connect_recv returned bogus connection\n"); + ret = EFAULT; + } + + if (ret != EOK && !can_retry) { + if (conn_cache->id_conn->ignore_mark_offline) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to connect 
to server, but ignore mark offline " + "is enabled.\n"); + } else { + /* be is going offline as there is no more servers to try */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to connect, going offline (%d [%s])\n", + ret, strerror(ret)); + is_offline = true; + be_mark_offline(conn_cache->id_conn->id_ctx->be); + } + } + + if (ret == EOK) { + current_srv_opts = conn_cache->id_conn->id_ctx->srv_opts; + if (current_srv_opts) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Old USN: %lu, New USN: %lu\n", current_srv_opts->last_usn, srv_opts->last_usn); + + if (strcmp(srv_opts->server_id, current_srv_opts->server_id) == 0 && + srv_opts->supports_usn && + current_srv_opts->last_usn > srv_opts->last_usn) { + DEBUG(SSSDBG_FUNC_DATA, "Server was probably re-initialized\n"); + + current_srv_opts->max_user_value = 0; + current_srv_opts->max_group_value = 0; + current_srv_opts->max_service_value = 0; + current_srv_opts->max_sudo_value = 0; + current_srv_opts->last_usn = srv_opts->last_usn; + + reinit = true; + } + } + ret = sdap_id_conn_data_set_expire_timer(conn_data); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "sdap_id_conn_data_set_expire_timer() failed [%d]: %s", + ret, sss_strerror(ret)); + /* Avoid causing the whole backend to be marked as offline because + * this operation failed. 
*/ + ret = EOK; + } + sdap_steal_server_opts(conn_cache->id_conn->id_ctx, &srv_opts); + } + + if (can_retry) { + switch (ret) { + case EOK: + case ENOTSUP: + case EACCES: + case EIO: + case EFAULT: + case ETIMEDOUT: + case ERR_AUTH_FAILED: + break; + + default: + /* do not attempt to retry on errors like ENOMEM */ + DEBUG(SSSDBG_TRACE_FUNC, + "Marking the backend \"%s\" offline [%d]: %s\n", + conn_cache->id_conn->id_ctx->be->domain->name, + ret, sss_strerror(ret)); + can_retry = false; + is_offline = true; + be_mark_offline(conn_cache->id_conn->id_ctx->be); + break; + } + } + + int notify_count = 0; + + /* Notify about connection */ + for(;;) { + struct sdap_id_op *op; + + if (ret == EOK && !conn_data->sh->connected) { + DEBUG(SSSDBG_TRACE_ALL, + "connection was broken after %d notifies\n", notify_count); + } + + DLIST_FOR_EACH(op, conn_data->ops) { + if (op->connect_req) { + break; + } + } + + if (!op) { + break; + } + + /* another operation to notify */ + notify_count++; + + if (ret != EOK || !conn_data->sh->connected) { + /* failed to connect or connection got broken during notify */ + bool retry = false; + + /* drop connection from cache now */ + if (conn_cache->cached_connection == conn_data) { + conn_cache->cached_connection = NULL; + } + + if (can_retry) { + /* determining whether retry is possible */ + if (be_is_offline(conn_cache->id_conn->id_ctx->be)) { + /* be is offline, no retry possible */ + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_ALL, + "skipping automatic retry on op #%d as be is offline\n", notify_count); + ret = EIO; + } + + can_retry = false; + is_offline = true; + } else { + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_ALL, + "attempting automatic retry on op #%d\n", notify_count); + retry = true; + } else if (sdap_id_op_can_reconnect(op)) { + DEBUG(SSSDBG_TRACE_ALL, + "attempting failover retry on op #%d\n", notify_count); + op->reconnect_retry_count++; + retry = true; + } + } + } + + if (retry && op->connect_req) { + int retry_ret = 
sdap_id_op_connect_step(op->connect_req); + if (retry_ret != EOK) { + can_retry = false; + sdap_id_op_connect_req_complete(op, DP_ERR_FATAL, retry_ret); + } + + continue; + } + } + + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_ALL, + "notify connected to op #%d\n", notify_count); + sdap_id_op_connect_req_complete(op, DP_ERR_OK, ret); + } else if (is_offline) { + DEBUG(SSSDBG_TRACE_ALL, "notify offline to op #%d\n", notify_count); + sdap_id_op_connect_req_complete(op, DP_ERR_OFFLINE, EAGAIN); + } else { + DEBUG(SSSDBG_TRACE_ALL, + "notify error to op #%d: %d [%s]\n", notify_count, ret, strerror(ret)); + sdap_id_op_connect_req_complete(op, DP_ERR_FATAL, ret); + } + } + + /* all operations notified */ + if (conn_data->notify_lock > 0) { + conn_data->notify_lock--; + } + + if ((ret == EOK) && + conn_data->sh->connected && + !be_is_offline(conn_cache->id_conn->id_ctx->be)) { + DEBUG(SSSDBG_TRACE_ALL, + "caching successful connection after %d notifies\n", notify_count); + conn_cache->cached_connection = conn_data; + + /* Run any post-connection routines */ + be_run_unconditional_online_cb(conn_cache->id_conn->id_ctx->be); + be_run_online_cb(conn_cache->id_conn->id_ctx->be); + + } else { + if (conn_cache->cached_connection == conn_data) { + conn_cache->cached_connection = NULL; + } + + sdap_id_release_conn_data(conn_data); + } + + if (reinit) { + DEBUG(SSSDBG_TRACE_FUNC, "Server reinitialization detected. 
" + "Cleaning cache.\n"); + reinit_req = sdap_reinit_cleanup_send(conn_cache->id_conn->id_ctx->be, + conn_cache->id_conn->id_ctx->be, + conn_cache->id_conn->id_ctx); + if (reinit_req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to perform reinitialization " + "clean up.\n"); + return; + } + + tevent_req_set_callback(reinit_req, sdap_id_op_connect_reinit_done, + NULL); + } +} + +static void sdap_id_op_connect_reinit_done(struct tevent_req *req) +{ + errno_t ret; + + ret = sdap_reinit_cleanup_recv(req); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to perform reinitialization " + "clean up [%d]: %s\n", ret, strerror(ret)); + /* not fatal */ + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Reinitialization clean up completed\n"); +} + +/* Mark operation connection request as complete */ +static void sdap_id_op_connect_req_complete(struct sdap_id_op *op, int dp_error, int ret) +{ + struct tevent_req *req = op->connect_req; + struct sdap_id_op_connect_state *state; + + if (!req) { + return; + } + + op->connect_req = NULL; + + state = tevent_req_data(req, struct sdap_id_op_connect_state); + state->dp_error = dp_error; + state->result = ret; + + if (ret == EOK) { + tevent_req_done(req); + } else { + sdap_id_op_hook_conn_data(op, NULL); + tevent_req_error(req, ret); + } +} + +/* Get the result of an asynchronous connect operation on sdap_id_op + * + * In dp_error data provider error code is returned: + * DP_ERR_OK - connection established + * DP_ERR_OFFLINE - backend is offline, operation result is set EAGAIN + * DP_ERR_FATAL - operation failed + */ +int sdap_id_op_connect_recv(struct tevent_req *req, int *dp_error) +{ + struct sdap_id_op_connect_state *state = tevent_req_data(req, + struct sdap_id_op_connect_state); + + *dp_error = state->dp_error; + return state->result; +} + +/* Report completion of LDAP operation and release associated connection. + * Returns operation result (possible updated) passed in ret parameter. 
+ * + * In dp_error data provider error code is returned: + * DP_ERR_OK (operation result = EOK) - operation completed + * DP_ERR_OK (operation result != EOK) - operation can be retried + * DP_ERR_OFFLINE - backend is offline, operation result is set EAGAIN + * DP_ERR_FATAL - operation failed */ +int sdap_id_op_done(struct sdap_id_op *op, int retval, int *dp_err_out) +{ + bool communication_error; + struct sdap_id_conn_data *current_conn = op->conn_data; + switch (retval) { + case EIO: + case ETIMEDOUT: + /* this currently the only possible communication error after connection is established */ + communication_error = true; + break; + + default: + communication_error = false; + break; + } + + if (communication_error && current_conn != 0 + && current_conn == op->conn_cache->cached_connection) { + /* do not reuse failed connection */ + op->conn_cache->cached_connection = NULL; + + DEBUG(SSSDBG_FUNC_DATA, + "communication error on cached connection, moving to next server\n"); + be_fo_try_next_server(op->conn_cache->id_conn->id_ctx->be, + op->conn_cache->id_conn->service->name); + } + + int dp_err; + if (retval == EOK) { + dp_err = DP_ERR_OK; + } else if (be_is_offline(op->conn_cache->id_conn->id_ctx->be)) { + /* if backend is already offline, just report offline, do not duplicate errors */ + dp_err = DP_ERR_OFFLINE; + retval = EAGAIN; + DEBUG(SSSDBG_TRACE_ALL, "falling back to offline data...\n"); + } else if (communication_error) { + /* communication error, can try to reconnect */ + + if (!sdap_id_op_can_reconnect(op)) { + dp_err = DP_ERR_FATAL; + DEBUG(SSSDBG_TRACE_ALL, + "too many communication failures, giving up...\n"); + } else { + dp_err = DP_ERR_OK; + retval = EAGAIN; + } + } else { + dp_err = DP_ERR_FATAL; + } + + if (dp_err == DP_ERR_OK && retval != EOK) { + /* reconnect retry */ + op->reconnect_retry_count++; + DEBUG(SSSDBG_TRACE_ALL, + "advising for connection retry #%i\n", op->reconnect_retry_count); + } else { + /* end of request */ + 
op->reconnect_retry_count = 0; + } + + if (current_conn) { + DEBUG(SSSDBG_TRACE_ALL, "releasing operation connection\n"); + sdap_id_op_hook_conn_data(op, NULL); + } + + *dp_err_out = dp_err; + return retval; +} + +/* Get SDAP handle associated with operation by sdap_id_op_connect */ +struct sdap_handle *sdap_id_op_handle(struct sdap_id_op *op) +{ + return op && op->conn_data ? op->conn_data->sh : NULL; +} diff --git a/src/providers/ldap/sdap_id_op.h b/src/providers/ldap/sdap_id_op.h new file mode 100644 index 0000000..f7f230a --- /dev/null +++ b/src/providers/ldap/sdap_id_op.h 
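Review bot: `sdap_id_op_connect_done` checks `conn_data->sh` after a successful `sdap_cli_connect_recv` (the "returned bogus connection" branch) but dereferences `srv_opts` without the same care. With `ret == EOK` and an existing `current_srv_opts`, the `DEBUG` call reads `srv_opts->last_usn` and `strcmp` reads `srv_opts->server_id`. `srv_opts` starts as NULL in this function, and whether the receive call always fills it and `server_id` on success is not visible in this file, so a NULL there would crash the backend on reconnect rather than fail the connection. I would guard the block with `if (current_srv_opts != NULL && srv_opts != NULL) {` and compare `server_id` only when both strings are non-NULL. Separately, the `sdap_id_conn_data_set_expire_timer() failed [%d]: %s` message lacks the trailing `\n` that the other DEBUG calls carry.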
@@ -0,0 +1,76 @@
+/*
+ SSSD
+
+ LDAP ID backend operation retry logic and connection cache
+
+ Authors:
+ Eugene Indenbom
+
+ Copyright (C) 2008-2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SDAP_ID_OP_H_
+#define _SDAP_ID_OP_H_
+
+struct sdap_id_ctx;
+struct sdap_id_conn_ctx;
+
+/* LDAP async connection cache */
+struct sdap_id_conn_cache;
+
+/* LDAP async operation tracker:
+ * - keeps track of connection usage
+ * - keeps track of operation retries */
+struct sdap_id_op;
+
+/* Create a connection cache */
+int sdap_id_conn_cache_create(TALLOC_CTX *memctx,
+ struct sdap_id_conn_ctx *id_conn,
+ struct sdap_id_conn_cache** conn_cache_out);
+
+/* Create an operation object */
+struct sdap_id_op *sdap_id_op_create(TALLOC_CTX *memctx, struct sdap_id_conn_cache *cache);
+
+/* Begin to connect to LDAP server. */
+struct tevent_req *sdap_id_op_connect_send(struct sdap_id_op *op,
+ TALLOC_CTX *memctx,
+ int *ret_out);
+
+/* Get the result of an asynchronous connect operation on sdap_id_op
+ *
+ * In dp_error data provider error code is returned:
+ * DP_ERR_OK - connection established
+ * DP_ERR_OFFLINE - backend is offline, operation result is set EAGAIN
+ * DP_ERR_FATAL - operation failed
+ */
+int sdap_id_op_connect_recv(struct tevent_req *req, int *dp_error);
+
+/* Report completion of LDAP operation and release associated connection.
+ * Returns operation result (possible updated) passed in ret parameter.
+ *
+ * In dp_error data provider error code is returned:
+ * DP_ERR_OK (operation result = EOK) - operation completed
+ * DP_ERR_OK (operation result != EOK) - operation can be retried
+ * DP_ERR_OFFLINE - backend is offline, operation result is set EAGAIN
+ * DP_ERR_FATAL - operation failed */
+int sdap_id_op_done(struct sdap_id_op*, int ret, int *dp_error);
+
+/* Get SDAP handle associated with operation by sdap_id_op_connect */
+struct sdap_handle *sdap_id_op_handle(struct sdap_id_op *op);
+/* Get root DSE entry of connected LDAP server */
+const struct sysdb_attrs *sdap_id_op_rootDSE(struct sdap_id_op *op);
+
+#endif /* _SDAP_ID_OP_H_ */
diff --git a/src/providers/ldap/sdap_idmap.c b/src/providers/ldap/sdap_idmap.c
new file mode 100644
index 0000000..f5ac511
--- /dev/null
+++ b/src/providers/ldap/sdap_idmap.c
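Review bot: The comment on `sdap_id_op_handle()` does not say when the returned handle stops being valid or when the function returns NULL. The implementation added in sdap_id_op.c returns `op->conn_data->sh`, or NULL when `op` or its connection data is missing, and `sdap_id_op_done()` calls `sdap_id_op_hook_conn_data(op, NULL)` to release the connection, so a caller that keeps the pointer across `sdap_id_op_done()` presumably holds a handle the operation no longer references. I would extend the comment to `/* Get SDAP handle associated with operation by sdap_id_op_connect; NULL if op is NULL or has no connection. Do not use the handle after sdap_id_op_done(). */`.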
@@ -0,0 +1,619 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "shared/murmurhash3.h" +#include "util/util.h" +#include "util/dlinklist.h" +#include "providers/ldap/sdap_idmap.h" +#include "util/util_sss_idmap.h" + +static errno_t +sdap_idmap_get_configured_external_range(struct sdap_idmap_ctx *idmap_ctx, + struct sss_idmap_range *range) +{ + int int_id; + struct sdap_id_ctx *id_ctx; + uint32_t min; + uint32_t max; + + if (idmap_ctx == NULL) { + return EINVAL; + } + + id_ctx = idmap_ctx->id_ctx; + + int_id = dp_opt_get_int(id_ctx->opts->basic, SDAP_MIN_ID); + if (int_id < 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "ldap_min_id must be greater than 0.\n"); + return EINVAL; + } + min = int_id; + + int_id = dp_opt_get_int(id_ctx->opts->basic, SDAP_MAX_ID); + if (int_id < 0) { + DEBUG(SSSDBG_CONF_SETTINGS, "ldap_max_id must be greater than 0.\n"); + return EINVAL; + } + max = int_id; + + if ((min == 0 && max != 0) || (min != 0 && max == 0)) { + DEBUG(SSSDBG_CONF_SETTINGS, "Both ldap_min_id and ldap_max_id " \ + "either must be 0 (not set) " \ + "or positive integers.\n"); + return EINVAL; + } + + if (min == 0 && max == 0) { + /* ldap_min_id and ldap_max_id not set, using min_id and max_id */ + min = id_ctx->be->domain->id_min; + max = id_ctx->be->domain->id_max; + if (max == 0) { + max = UINT32_MAX; + } + } + + range->min = min; + 
range->max =max; + + return EOK; +} + +static errno_t +sdap_idmap_add_configured_external_range(struct sdap_idmap_ctx *idmap_ctx) +{ + int ret; + struct sss_idmap_range range; + struct sdap_id_ctx *id_ctx; + enum idmap_error_code err; + + ret = sdap_idmap_get_configured_external_range(idmap_ctx, &range); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_idmap_get_configured_external_range failed.\n"); + return ret; + } + + id_ctx = idmap_ctx->id_ctx; + + err = sss_idmap_add_auto_domain_ex(idmap_ctx->map, + id_ctx->be->domain->name, + id_ctx->be->domain->domain_id, &range, + NULL, 0, true, NULL, NULL); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add domain [%s] to the map: [%d]\n", + id_ctx->be->domain->name, err); + return EIO; + } + + return EOK; +} + +errno_t sdap_idmap_find_new_domain(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid_str) +{ + int ret; + + ret = sdap_idmap_add_domain(idmap_ctx, + dom_name, dom_sid_str, + -1); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add new domain [%s]\n", dom_name); + return ret; + } + + return EOK; +} + +errno_t +sdap_idmap_init(TALLOC_CTX *mem_ctx, + struct sdap_id_ctx *id_ctx, + struct sdap_idmap_ctx **_idmap_ctx) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + enum idmap_error_code err; + size_t i; + struct ldb_result *res; + const char *dom_name; + const char *sid_str; + id_t slice_num; + id_t idmap_lower; + id_t idmap_upper; + id_t rangesize; + bool autorid_mode; + int extra_slice_init; + struct sdap_idmap_ctx *idmap_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + idmap_ctx = talloc_zero(tmp_ctx, struct sdap_idmap_ctx); + if (!idmap_ctx) { + ret = ENOMEM; + goto done; + } + idmap_ctx->id_ctx = id_ctx; + idmap_ctx->find_new_domain = sdap_idmap_find_new_domain; + + idmap_lower = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic, + SDAP_IDMAP_LOWER); + idmap_upper = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic, + 
SDAP_IDMAP_UPPER); + rangesize = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic, + SDAP_IDMAP_RANGESIZE); + autorid_mode = dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, + SDAP_IDMAP_AUTORID_COMPAT); + extra_slice_init = dp_opt_get_int(idmap_ctx->id_ctx->opts->basic, + SDAP_IDMAP_EXTRA_SLICE_INIT); + + /* Validate that the values make sense */ + if (rangesize <= 0 + || idmap_upper <= idmap_lower + || (idmap_upper-idmap_lower) < rangesize) + { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid settings for range selection: " + "[%"SPRIid"][%"SPRIid"][%"SPRIid"]\n", + idmap_lower, idmap_upper, rangesize); + ret = EINVAL; + goto done; + } + + if (((idmap_upper - idmap_lower) % rangesize) != 0) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Range size does not divide evenly. Uppermost range will " + "not be used\n"); + } + + /* Initialize the map */ + err = sss_idmap_init(sss_idmap_talloc, idmap_ctx, + sss_idmap_talloc_free, + &idmap_ctx->map); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize the ID map: [%s]\n", + idmap_error_string(err)); + if (err == IDMAP_OUT_OF_MEMORY) { + ret = ENOMEM; + } else { + ret = EINVAL; + } + goto done; + } + + err = sss_idmap_ctx_set_autorid(idmap_ctx->map, autorid_mode); + err |= sss_idmap_ctx_set_lower(idmap_ctx->map, idmap_lower); + err |= sss_idmap_ctx_set_upper(idmap_ctx->map, idmap_upper); + err |= sss_idmap_ctx_set_rangesize(idmap_ctx->map, rangesize); + err |= sss_idmap_ctx_set_extra_slice_init(idmap_ctx->map, extra_slice_init); + if (err != IDMAP_SUCCESS) { + /* This should never happen */ + DEBUG(SSSDBG_CRIT_FAILURE, "sss_idmap_ctx corrupted\n"); + ret = EIO; + goto done; + } + + + /* Setup range for externally managed IDs, i.e. IDs are read from the + * ldap_user_uid_number and ldap_group_gid_number attributes. 
*/ + if (!dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_ID_MAPPING)) { + ret = sdap_idmap_add_configured_external_range(idmap_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_idmap_add_configured_external_range failed.\n"); + goto done; + } + } + + /* Read in any existing mappings from the cache */ + ret = sysdb_idmap_get_mappings(tmp_ctx, id_ctx->be->domain, &res); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not read ID mappings from the cache: [%s]\n", + strerror(ret)); + goto done; + } + + if (ret == EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Initializing [%d] domains for ID-mapping\n", res->count); + + for (i = 0; i < res->count; i++) { + dom_name = ldb_msg_find_attr_as_string(res->msgs[i], + SYSDB_NAME, + NULL); + if (!dom_name) { + /* This should never happen */ + ret = EINVAL; + goto done; + } + + sid_str = ldb_msg_find_attr_as_string(res->msgs[i], + SYSDB_IDMAP_SID_ATTR, + NULL); + if (!sid_str) { + /* This should never happen */ + ret = EINVAL; + goto done; + } + + slice_num = ldb_msg_find_attr_as_int(res->msgs[i], + SYSDB_IDMAP_SLICE_ATTR, + -1); + if (slice_num == -1) { + /* This should never happen */ + ret = EINVAL; + goto done; + } + + ret = sdap_idmap_add_domain(idmap_ctx, dom_name, + sid_str, slice_num); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add domain [%s][%s][%"SPRIid"] " + "to ID map: [%s]\n", + dom_name, sid_str, slice_num, strerror(ret)); + goto done; + } + } + } else { + /* This is the first time we're setting up id-mapping + * Store the default domain as slice 0 + */ + dom_name = dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN); + if (!dom_name) { + /* If it's not explicitly specified, use the SSSD domain name */ + dom_name = idmap_ctx->id_ctx->be->domain->name; + ret = dp_opt_set_string(idmap_ctx->id_ctx->opts->basic, + SDAP_IDMAP_DEFAULT_DOMAIN, + dom_name); + if (ret != EOK) goto done; + } + + sid_str = 
dp_opt_get_string(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_DEFAULT_DOMAIN_SID); + if (sid_str) { + struct sss_domain_info *domain = idmap_ctx->id_ctx->be->domain; + domain->domain_id = talloc_strdup(domain, sid_str); + if (domain->domain_id == NULL) { + ret = ENOMEM; + goto done; + } + + /* Set the default domain as slice 0 */ + ret = sdap_idmap_add_domain(idmap_ctx, dom_name, + sid_str, 0); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add domain [%s][%s][%u] to ID map: [%s]\n", + dom_name, sid_str, 0, strerror(ret)); + goto done; + } + } else { + if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_IDMAP_AUTORID_COMPAT)) { + /* In autorid compatibility mode, we MUST have a slice 0 */ + DEBUG(SSSDBG_CRIT_FAILURE, + "WARNING: Autorid compatibility mode selected, " + "but %s is not set. UID/GID values may differ " + "between clients.\n", + idmap_ctx->id_ctx->opts->basic[SDAP_IDMAP_DEFAULT_DOMAIN_SID].opt_name); + } + /* Otherwise, we'll just fall back to hash values as they are seen */ + } + } + + *_idmap_ctx = talloc_steal(mem_ctx, idmap_ctx); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +sdap_idmap_add_domain(struct sdap_idmap_ctx *idmap_ctx, + const char *dom_name, + const char *dom_sid, + id_t slice) +{ + errno_t ret; + struct sss_idmap_range range; + enum idmap_error_code err; + id_t idmap_upper; + bool external_mapping = true; + + ret = sss_idmap_ctx_get_upper(idmap_ctx->map, &idmap_upper); + if (ret != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to get upper bound of available ID range.\n"); + ret = EIO; + goto done; + } + + if (dp_opt_get_bool(idmap_ctx->id_ctx->opts->basic, SDAP_ID_MAPPING)) { + external_mapping = false; + ret = sss_idmap_calculate_range(idmap_ctx->map, dom_sid, &slice, &range); + if (ret != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to calculate range for domain [%s]: [%d]\n", dom_name, + ret); + ret = EIO; + goto done; + } + DEBUG(SSSDBG_TRACE_LIBS, + "Adding 
domain [%s] as slice [%"SPRIid"]\n", dom_sid, slice); + + if (range.max > idmap_upper) { + /* This should never happen */ + DEBUG(SSSDBG_CRIT_FAILURE, + "BUG: Range maximum exceeds the global maximum: " + "%u > %"SPRIid"\n", range.max, idmap_upper); + ret = EINVAL; + goto done; + } + } else { + ret = sdap_idmap_get_configured_external_range(idmap_ctx, &range); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sdap_idmap_get_configured_external_range failed.\n"); + return ret; + } + } + + /* Add this domain to the map */ + err = sss_idmap_add_auto_domain_ex(idmap_ctx->map, dom_name, dom_sid, + &range, NULL, 0, external_mapping, + NULL, NULL); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add domain [%s] to the map: [%d]\n", + dom_name, err); + ret = EIO; + goto done; + } + + /* If algorithmic mapping is used add this domain to the SYSDB cache so it + * will survive reboot */ + if (!external_mapping) { + ret = sysdb_idmap_store_mapping(idmap_ctx->id_ctx->be->domain, + dom_name, dom_sid, + slice); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_idmap_store_mapping failed.\n"); + goto done; + } + } + +done: + return ret; +} + +errno_t +sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx, + const char *object_sid, + char **dom_sid_str) +{ + const char *p; + long long a; + size_t c; + char *endptr; + + if (object_sid == NULL + || strncmp(object_sid, DOM_SID_PREFIX, DOM_SID_PREFIX_LEN) != 0) { + return EINVAL; + } + + p = object_sid + DOM_SID_PREFIX_LEN; + c = 0; + + do { + errno = 0; + a = strtoull(p, &endptr, 10); + if (errno != 0 || a > UINT32_MAX) { + return EINVAL; + } + + if (*endptr == '-') { + p = endptr + 1; + } else { + return EINVAL; + } + c++; + } while(c < 3); + + /* If we made it here, we are now one character past + * the last hyphen in the object-sid. + * Copy the dom-sid substring. 
+ */ + *dom_sid_str = talloc_strndup(mem_ctx, object_sid, + (endptr-object_sid)); + if (!*dom_sid_str) return ENOMEM; + + return EOK; +} + +errno_t +sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx, + const char *sid_str, + id_t *id) +{ + errno_t ret; + enum idmap_error_code err; + char *dom_sid_str = NULL; + + /* Convert the SID into a UNIX ID */ + err = sss_idmap_sid_to_unix(idmap_ctx->map, + sid_str, + (uint32_t *)id); + switch (err) { + case IDMAP_SUCCESS: + break; + case IDMAP_NO_DOMAIN: + /* This is the first time we've seen this domain + * Create a new domain for it. We'll use the dom-sid + * as the domain name for now, since we don't have + * any way to get the real name. + */ + ret = sdap_idmap_get_dom_sid_from_object(NULL, sid_str, + &dom_sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not parse domain SID from [%s]\n", sid_str); + goto done; + } + + ret = idmap_ctx->find_new_domain(idmap_ctx, dom_sid_str, dom_sid_str); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add new domain for sid [%s]\n", sid_str); + goto done; + } + + /* Now try converting to a UNIX ID again */ + err = sss_idmap_sid_to_unix(idmap_ctx->map, + sid_str, + (uint32_t *)id); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not convert objectSID [%s] to a UNIX ID\n", + sid_str); + ret = EIO; + goto done; + } + break; + case IDMAP_BUILTIN_SID: + DEBUG(SSSDBG_TRACE_FUNC, + "Object SID [%s] is a built-in one.\n", sid_str); + /* ENOTSUP indicates built-in SID */ + ret = ENOTSUP; + goto done; + break; + case IDMAP_NO_RANGE: + DEBUG(SSSDBG_IMPORTANT_INFO, + "Object SID [%s] has a RID that is larger than the " + "ldap_idmap_range_size. 
See the \"ID MAPPING\" section of " + "sssd-ad(5) for an explanation of how to resolve this issue.\n", + sid_str); + /* Fall through intentionally */ + SSS_ATTRIBUTE_FALLTHROUGH; + default: + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not convert objectSID [%s] to a UNIX ID\n", + sid_str); + ret = EIO; + goto done; + } + + ret = EOK; + +done: + talloc_free(dom_sid_str); + return ret; +} + +bool sdap_idmap_domain_has_algorithmic_mapping(struct sdap_idmap_ctx *ctx, + const char *dom_name, + const char *dom_sid) +{ + enum idmap_error_code err; + bool has_algorithmic_mapping; + char *new_dom_sid; + int ret; + TALLOC_CTX *tmp_ctx = NULL; + + if (dp_opt_get_bool(ctx->id_ctx->opts->basic, SDAP_ID_MAPPING) + && dp_target_enabled(ctx->id_ctx->be->provider, "ldap", DPT_ID)) { + return true; + } + + err = sss_idmap_domain_has_algorithmic_mapping(ctx->map, dom_sid, + &has_algorithmic_mapping); + switch (err){ + case IDMAP_SUCCESS: + return has_algorithmic_mapping; + case IDMAP_SID_INVALID: /* FALLTHROUGH */ + case IDMAP_SID_UNKNOWN: /* FALLTHROUGH */ + case IDMAP_NO_DOMAIN: /* FALLTHROUGH */ + /* continue with idmap_domain_by_name */ + break; + default: + return false; + } + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(ctx->map, + dom_name, + &has_algorithmic_mapping); + if (err == IDMAP_SUCCESS) { + return has_algorithmic_mapping; + } else if (err != IDMAP_NAME_UNKNOWN && err != IDMAP_NO_DOMAIN) { + return false; + } + + /* If there is no SID, e.g. IPA without enabled trust support, we cannot + * have algorithmic mapping */ + if (dom_sid == NULL) { + return false; + } + + /* This is the first time we've seen this domain + * Create a new domain for it. We'll use the dom-sid + * as the domain name for now, since we don't have + * any way to get the real name. 
+ */ + + if (is_domain_sid(dom_sid)) { + new_dom_sid = discard_const(dom_sid); + } else { + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return false; + } + + ret = sdap_idmap_get_dom_sid_from_object(tmp_ctx, dom_sid, + &new_dom_sid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not parse domain SID from [%s]\n", dom_sid); + talloc_free(tmp_ctx); + return false; + } + } + + ret = ctx->find_new_domain(ctx, dom_name, new_dom_sid); + talloc_free(tmp_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add new domain for sid [%s]\n", dom_sid); + return false; + } + + err = sss_idmap_domain_has_algorithmic_mapping(ctx->map, dom_sid, + &has_algorithmic_mapping); + if (err == IDMAP_SUCCESS) { + return has_algorithmic_mapping; + } + + return false; +} diff --git a/src/providers/ldap/sdap_idmap.h b/src/providers/ldap/sdap_idmap.h new file mode 100644 index 0000000..07499dc --- /dev/null +++ b/src/providers/ldap/sdap_idmap.h 
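Review bot: The subauthority loop in `sdap_idmap_get_dom_sid_from_object()` accepts components that are not plain 32-bit decimal numbers. `strtoull()` skips leading whitespace, accepts a sign and reports no error when it converts no digits, so an empty component followed by `-` is counted as a valid subauthority; and because the result is stored in `long long a`, an in-range unsigned value above LLONG_MAX becomes negative on common ABIs and slips past `a > UINT32_MAX`. The string comes from the `sid_str` handed to `sdap_idmap_sid_to_unix()`, and the parsed prefix is then registered as a new domain through `find_new_domain`, so malformed input ends up as a map entry rather than an `EINVAL`. I would declare `unsigned long long a;` and tighten the check to `if (errno != 0 || *p < '0' || *p > '9' || a > UINT32_MAX) {`, which rejects empty, signed and whitespace-prefixed components before `p` is advanced.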
@@ -0,0 +1,63 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SDAP_IDMAP_H_
+#define SDAP_IDMAP_H_
+
+#include "src/providers/ldap/sdap.h"
+#include "src/providers/ldap/ldap_common.h"
+
+typedef errno_t (find_new_domain_fn_t)(struct sdap_idmap_ctx *idmap_ctx,
+ const char *dom_name,
+ const char *dom_sid_str);
+struct sdap_idmap_ctx {
+ struct sss_idmap_ctx *map;
+
+ struct sdap_id_ctx *id_ctx;
+ find_new_domain_fn_t *find_new_domain;
+};
+
+errno_t sdap_idmap_init(TALLOC_CTX *mem_ctx,
+ struct sdap_id_ctx *id_ctx,
+ struct sdap_idmap_ctx **_idmap_ctx);
+
+errno_t
+sdap_idmap_add_domain(struct sdap_idmap_ctx *idmap_ctx,
+ const char *dom_name,
+ const char *dom_sid,
+ id_t slice);
+
+errno_t
+sdap_idmap_get_dom_sid_from_object(TALLOC_CTX *mem_ctx,
+ const char *object_sid,
+ char **dom_sid_str);
+
+errno_t
+sdap_idmap_sid_to_unix(struct sdap_idmap_ctx *idmap_ctx,
+ const char *sid_str,
+ id_t *id);
+
+bool sdap_idmap_domain_has_algorithmic_mapping(struct sdap_idmap_ctx *ctx,
+ const char *name,
+ const char *dom_sid);
+
+#endif /* SDAP_IDMAP_H_ */
diff --git a/src/providers/ldap/sdap_online_check.c b/src/providers/ldap/sdap_online_check.c
new file mode 100644
index 0000000..f721a5f
--- /dev/null
+++ b/src/providers/ldap/sdap_online_check.c
@@ -0,0 +1,249 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include "util/util.h" +#include "providers/backend.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_online_check_state { + struct sdap_id_ctx *id_ctx; + struct be_ctx *be_ctx; +}; + +static void sdap_online_check_connect_done(struct tevent_req *subreq); +static void sdap_online_check_reinit_done(struct tevent_req *subreq); + +static struct tevent_req *sdap_online_check_send(TALLOC_CTX *mem_ctx, + struct sdap_id_ctx *id_ctx) +{ + struct sdap_online_check_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + struct be_ctx *be_ctx; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_online_check_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->id_ctx = id_ctx; + state->be_ctx = be_ctx = id_ctx->be; + + subreq = sdap_cli_connect_send(state, be_ctx->ev, id_ctx->opts, be_ctx, + id_ctx->conn->service, false, + CON_TLS_DFL, false); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_online_check_connect_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, 
be_ctx->ev); + + return req; +} + +static void sdap_online_check_connect_done(struct tevent_req *subreq) +{ + struct sdap_online_check_state *state; + struct sdap_server_opts *srv_opts; + struct sdap_id_ctx *id_ctx; + struct tevent_req *req; + bool can_retry; + bool reinit = false; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_online_check_state); + + id_ctx = state->id_ctx; + + ret = sdap_cli_connect_recv(subreq, state, &can_retry, NULL, &srv_opts); + talloc_zfree(subreq); + if (ret != EOK) { + if (can_retry == false) { + ret = ERR_OFFLINE; + } + + goto done; + } else { + if (id_ctx->srv_opts == NULL) { + srv_opts->max_user_value = 0; + srv_opts->max_group_value = 0; + srv_opts->max_service_value = 0; + srv_opts->max_sudo_value = 0; + } else if (strcmp(srv_opts->server_id, id_ctx->srv_opts->server_id) == 0 + && srv_opts->supports_usn + && id_ctx->srv_opts->last_usn > srv_opts->last_usn) { + id_ctx->srv_opts->max_user_value = 0; + id_ctx->srv_opts->max_group_value = 0; + id_ctx->srv_opts->max_service_value = 0; + id_ctx->srv_opts->max_sudo_value = 0; + id_ctx->srv_opts->last_usn = srv_opts->last_usn; + + reinit = true; + } + + sdap_steal_server_opts(id_ctx, &srv_opts); + } + + if (reinit) { + DEBUG(SSSDBG_TRACE_FUNC, "Server reinitialization detected. 
" + "Cleaning cache.\n"); + subreq = sdap_reinit_cleanup_send(state, state->be_ctx, id_ctx); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to perform reinitialization " + "clean up.\n"); + /* not fatal */ + goto done; + } + + tevent_req_set_callback(subreq, sdap_online_check_reinit_done, req); + return; + } + + ret = EOK; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static void sdap_online_check_reinit_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + ret = sdap_reinit_cleanup_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to perform reinitialization " + "clean up [%d]: %s\n", ret, strerror(ret)); + /* not fatal */ + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Reinitialization clean up completed\n"); + } + + tevent_req_done(req); +} + +static errno_t sdap_online_check_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct sdap_online_check_handler_state { + struct dp_reply_std reply; +}; + +static void sdap_online_check_handler_done(struct tevent_req *subreq); + +struct tevent_req * +sdap_online_check_handler_send(TALLOC_CTX *mem_ctx, + struct sdap_id_ctx *id_ctx, + void *data, + struct dp_req_params *params) +{ + struct sdap_online_check_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_online_check_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + subreq = sdap_online_check_send(state, id_ctx); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_online_check_handler_done, req); + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward 
compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void sdap_online_check_handler_done(struct tevent_req *subreq) +{ + struct sdap_online_check_handler_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_online_check_handler_state); + + ret = sdap_online_check_recv(subreq); + talloc_zfree(subreq); + + /* TODO For backward compatibility we always return EOK to DP now. */ + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + tevent_req_done(req); +} + +errno_t sdap_online_check_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct sdap_online_check_handler_state *state = NULL; + + state = tevent_req_data(req, struct sdap_online_check_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} diff --git a/src/providers/ldap/sdap_ops.c b/src/providers/ldap/sdap_ops.c new file mode 100644 index 0000000..a908574 --- /dev/null +++ b/src/providers/ldap/sdap_ops.c 
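Review bot: The `else if` branch in `sdap_online_check_connect_done()` that sets `reinit = true` carries no comment, although it is the condition that triggers a cache cleanup. As written it fires when the server id is unchanged, the server supports USN and the cached `last_usn` is higher than the one just reported; a comment such as `/* Same server, but its highest USN went backwards: treat it as reinitialized and reset the cached USN watermarks */` would make that intent reviewable. It is also worth stating next to the `/* not fatal */` after `sdap_reinit_cleanup_send()` that the request then completes with EOK even though no cleanup ran, since `ret` is still EOK from the connect step at that point.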
@@ -0,0 +1,547 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_search_bases_ex_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + const char *filter; + const char **attrs; + struct sdap_attr_map *map; + int map_num_attrs; + int timeout; + bool allow_paging; + bool return_first_reply; + + size_t base_iter; + struct sdap_search_base *cur_base; + struct sdap_search_base **bases; + + size_t reply_count; + struct sysdb_attrs **reply; +}; + +static errno_t sdap_search_bases_ex_next_base(struct tevent_req *req); +static void sdap_search_bases_ex_done(struct tevent_req *subreq); + +static struct tevent_req * +sdap_search_bases_ex_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map *map, + bool allow_paging, + bool return_first_reply, + int timeout, + const char *filter, + const char **attrs) +{ + struct tevent_req *req; + struct sdap_search_bases_ex_state *state; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_search_bases_ex_state); + if (req == NULL) { + return NULL; + } + + if (bases == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "No search base specified!\n"); + ret = ERR_INTERNAL; + goto immediately; + } + + state->ev = ev; + state->opts = opts; + state->sh = sh; + state->bases = bases; + state->map = map; + state->filter = filter; + state->attrs = attrs; + state->allow_paging = allow_paging; + state->return_first_reply = return_first_reply; + + state->timeout = timeout == 0 + ? dp_opt_get_int(opts->basic, SDAP_SEARCH_TIMEOUT) + : timeout; + + if (state->map != NULL) { + for (state->map_num_attrs = 0; + state->map[state->map_num_attrs].opt_name != NULL; + state->map_num_attrs++) { + /* no op */; + } + } else { + state->map_num_attrs = 0; + } + + if (state->attrs == NULL && state->map != NULL) { + ret = build_attrs_from_map(state, state->map, state->map_num_attrs, + NULL, &state->attrs, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to build attrs from map " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto immediately; + } + } + + state->base_iter = 0; + ret = sdap_search_bases_ex_next_base(req); + if (ret == EAGAIN) { + /* asynchronous processing */ + return req; + } + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t sdap_search_bases_ex_next_base(struct tevent_req *req) +{ + struct sdap_search_bases_ex_state *state; + struct tevent_req *subreq; + char *filter; + + state = tevent_req_data(req, struct sdap_search_bases_ex_state); + state->cur_base = state->bases[state->base_iter]; + if (state->cur_base == NULL) { + return EOK; + } + + /* Combine lookup and search base filters. 
*/ + filter = sdap_combine_filters(state, state->filter, + state->cur_base->filter); + if (filter == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing LDAP lookup with base [%s]\n", + state->cur_base->basedn); + + subreq = sdap_get_generic_send(state, state->ev, state->opts, state->sh, + state->cur_base->basedn, + state->cur_base->scope, filter, + state->attrs, state->map, + state->map_num_attrs, state->timeout, + state->allow_paging); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, sdap_search_bases_ex_done, req); + + state->base_iter++; + return EAGAIN; +} + +static void sdap_search_bases_ex_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_search_bases_ex_state *state; + struct sysdb_attrs **attrs; + size_t count; + size_t i; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_search_bases_ex_state); + + DEBUG(SSSDBG_TRACE_FUNC, "Receiving data from base [%s]\n", + state->cur_base->basedn); + + ret = sdap_get_generic_recv(subreq, state, &count, &attrs); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* Add rules to result. */ + if (count > 0) { + if (state->return_first_reply == false) { + /* Merge with previous reply. */ + state->reply = talloc_realloc(state, state->reply, + struct sysdb_attrs *, + state->reply_count + count); + if (state->reply == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + for (i = 0; i < count; i++) { + state->reply[state->reply_count + i] = talloc_steal(state->reply, + attrs[i]); + } + + state->reply_count += count; + } else { + /* Return the first successful search result. */ + state->reply_count = count; + state->reply = attrs; + tevent_req_done(req); + return; + } + } + + /* Try next search base. 
*/ + ret = sdap_search_bases_ex_next_base(req); + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static int sdap_search_bases_ex_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sysdb_attrs ***reply) +{ + struct sdap_search_bases_ex_state *state = + tevent_req_data(req, struct sdap_search_bases_ex_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *reply_count = state->reply_count; + *reply = talloc_steal(mem_ctx, state->reply); + + return EOK; +} + +struct tevent_req * +sdap_search_bases_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map *map, + bool allow_paging, + int timeout, + const char *filter, + const char **attrs) +{ + return sdap_search_bases_ex_send(mem_ctx, ev, opts, sh, bases, map, + allow_paging, false, timeout, + filter, attrs); +} + +int sdap_search_bases_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sysdb_attrs ***_reply) +{ + return sdap_search_bases_ex_recv(req, mem_ctx, _reply_count, _reply); +} + +struct tevent_req * +sdap_search_bases_return_first_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map *map, + bool allow_paging, + int timeout, + const char *filter, + const char **attrs) +{ + return sdap_search_bases_ex_send(mem_ctx, ev, opts, sh, bases, map, + allow_paging, true, timeout, + filter, attrs); +} + +int sdap_search_bases_return_first_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sysdb_attrs ***_reply) +{ + return sdap_search_bases_ex_recv(req, mem_ctx, _reply_count, _reply); +} + +struct sdap_deref_bases_ex_state { + struct tevent_context *ev; + struct sdap_options *opts; + struct sdap_handle *sh; + const char *filter; + 
const char **attrs; + const char *deref_attr; + struct sdap_attr_map_info *maps; + size_t num_maps; + unsigned int flags; + bool return_first_reply; + int timeout; + + size_t base_iter; + struct sdap_search_base *cur_base; + struct sdap_search_base **bases; + + size_t reply_count; + struct sdap_deref_attrs **reply; +}; + +static errno_t sdap_deref_bases_ex_next_base(struct tevent_req *req); +static void sdap_deref_bases_ex_done(struct tevent_req *subreq); + +static struct tevent_req * +sdap_deref_bases_ex_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map_info *maps, + const char *filter, + const char **attrs, + const char *deref_attr, + unsigned int flags, + bool return_first_reply, + int timeout) +{ + struct tevent_req *req; + struct sdap_deref_bases_ex_state *state; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_deref_bases_ex_state); + if (req == NULL) { + return NULL; + } + + if (bases == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No search base specified!\n"); + ret = ERR_INTERNAL; + goto immediately; + } + + if (maps == NULL || attrs == NULL || deref_attr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No attributes or map specified!\n"); + ret = ERR_INTERNAL; + goto immediately; + } + + state->ev = ev; + state->opts = opts; + state->sh = sh; + state->bases = bases; + state->maps = maps; + state->filter = filter; + state->attrs = attrs; + state->deref_attr = deref_attr; + state->return_first_reply = return_first_reply; + state->flags = flags; + + state->timeout = timeout == 0 + ? 
dp_opt_get_int(opts->basic, SDAP_SEARCH_TIMEOUT) + : timeout; + + for (state->num_maps = 0; maps[state->num_maps].map != NULL; + state->num_maps++) { + /* no op */; + } + + state->base_iter = 0; + ret = sdap_deref_bases_ex_next_base(req); + if (ret == EAGAIN) { + /* asynchronous processing */ + return req; + } + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t sdap_deref_bases_ex_next_base(struct tevent_req *req) +{ + struct sdap_deref_bases_ex_state *state; + struct tevent_req *subreq; + + state = tevent_req_data(req, struct sdap_deref_bases_ex_state); + state->cur_base = state->bases[state->base_iter]; + if (state->cur_base == NULL) { + return EOK; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing LDAP deref lookup with base [%s]\n", + state->cur_base->basedn); + + subreq = sdap_deref_search_with_filter_send(state, state->ev, state->opts, + state->sh, state->cur_base->basedn, state->filter, + state->deref_attr, state->attrs, state->num_maps, state->maps, + state->timeout, state->flags); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, sdap_deref_bases_ex_done, req); + + state->base_iter++; + return EAGAIN; +} + +static void sdap_deref_bases_ex_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct sdap_deref_bases_ex_state *state; + struct sdap_deref_attrs **attrs; + size_t count; + size_t i; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_deref_bases_ex_state); + + DEBUG(SSSDBG_TRACE_FUNC, "Receiving data from base [%s]\n", + state->cur_base->basedn); + + ret = sdap_deref_search_with_filter_recv(subreq, state, &count, &attrs); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + /* Add rules to result. */ + if (count > 0) { + if (state->return_first_reply == false) { + /* Merge with previous reply. 
*/ + state->reply = talloc_realloc(state, state->reply, + struct sdap_deref_attrs *, + state->reply_count + count); + if (state->reply == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + for (i = 0; i < count; i++) { + state->reply[state->reply_count + i] = talloc_steal(state->reply, + attrs[i]); + } + + state->reply_count += count; + } else { + /* Return the first successful search result. */ + state->reply_count = count; + state->reply = attrs; + tevent_req_done(req); + return; + } + } + + /* Try next search base. */ + ret = sdap_deref_bases_ex_next_base(req); + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +static int sdap_deref_bases_ex_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sdap_deref_attrs ***reply) +{ + struct sdap_deref_bases_ex_state *state = + tevent_req_data(req, struct sdap_deref_bases_ex_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *reply_count = state->reply_count; + *reply = talloc_steal(mem_ctx, state->reply); + + return EOK; +} + +struct tevent_req * +sdap_deref_bases_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map_info *maps, + const char *filter, + const char **attrs, + const char *deref_attr, + unsigned int flags, + int timeout) +{ + return sdap_deref_bases_ex_send(mem_ctx, ev, opts, sh, bases, maps, + filter, attrs, deref_attr, flags, + false, timeout); +} + +int sdap_deref_bases_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sdap_deref_attrs ***_reply) +{ + return sdap_deref_bases_ex_recv(req, mem_ctx, _reply_count, _reply); +} + +struct tevent_req * +sdap_deref_bases_return_first_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map_info 
*maps, + const char *filter, + const char **attrs, + const char *deref_attr, + unsigned int flags, + int timeout) +{ + return sdap_deref_bases_ex_send(mem_ctx, ev, opts, sh, bases, maps, + filter, attrs, deref_attr, flags, + true, timeout); +} + +int sdap_deref_bases_return_first_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sdap_deref_attrs ***_reply) +{ + return sdap_deref_bases_ex_recv(req, mem_ctx, _reply_count, _reply); +} diff --git a/src/providers/ldap/sdap_ops.h b/src/providers/ldap/sdap_ops.h new file mode 100644 index 0000000..cc9de00 --- /dev/null +++ b/src/providers/ldap/sdap_ops.h 
@@ -0,0 +1,97 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_OPS_H_ +#define _SDAP_OPS_H_ + +#include +#include +#include "providers/ldap/ldap_common.h" + +struct tevent_req *sdap_search_bases_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map *map, + bool allow_paging, + int timeout, + const char *filter, + const char **attrs); + +int sdap_search_bases_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sysdb_attrs ***reply); + +struct tevent_req * +sdap_search_bases_return_first_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map *map, + bool allow_paging, + int timeout, + const char *filter, + const char **attrs); + +int sdap_search_bases_return_first_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sysdb_attrs ***_reply); + +struct tevent_req * +sdap_deref_bases_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map_info *maps, + const char *filter, + const char **attrs, + const char *deref_attr, + unsigned int flags, + int 
timeout); + +int sdap_deref_bases_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sdap_deref_attrs ***_reply); + +struct tevent_req * +sdap_deref_bases_return_first_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + struct sdap_search_base **bases, + struct sdap_attr_map_info *maps, + const char *filter, + const char **attrs, + const char *deref_attr, + unsigned int flags, + int timeout); + +int sdap_deref_bases_return_first_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_reply_count, + struct sdap_deref_attrs ***_reply); + +#endif /* _SDAP_OPS_H_ */ diff --git a/src/providers/ldap/sdap_range.c b/src/providers/ldap/sdap_range.c new file mode 100644 index 0000000..d88def6 --- /dev/null +++ b/src/providers/ldap/sdap_range.c 
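Review bot: None of the prototypes in this new header carries a contract comment, so a caller cannot tell the plain and `_return_first` variants apart without reading sdap_ops.c. From the deref implementation earlier in the patch, `bases` is walked until a NULL entry, a `timeout` of 0 falls back to `SDAP_SEARCH_TIMEOUT`, and the reply array is moved onto `mem_ctx` with `talloc_steal`. The search variants presumably behave the same, though their send function is not fully visible here. I would put a short comment above each pair, e.g. `/* Query each base of the NULL-terminated array in turn and merge the replies; the _return_first variant stops at the first base that yields results. */`, and state on the `_recv` functions that the caller owns the reply through `mem_ctx`. `sdap_search_bases_recv` also names its out-parameters `reply_count`/`reply` while the other three use `_reply_count`/`_reply`.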
@@ -0,0 +1,142 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/ldap/sdap_range.h" +#include "util/util.h" +#include "util/strtonum.h" + +#define SDAP_RANGE_STRING "range=" + +errno_t sdap_parse_range(TALLOC_CTX *mem_ctx, + const char *attr_desc, + char **base_attr, + uint32_t *range_offset, + bool disable_range_retrieval) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + char *endptr; + char *end_range; + char *base; + size_t rangestringlen = sizeof(SDAP_RANGE_STRING) - 1; + + *range_offset = 0; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + /* The base_attr is the portion before the semicolon (if it exists) */ + endptr = strchr(attr_desc, ';'); + if (endptr == NULL) { + /* Not a ranged attribute. Just copy the attribute desc */ + *base_attr = talloc_strdup(mem_ctx, attr_desc); + if (!*base_attr) { + ret = ENOMEM; + } else { + ret = EOK; + } + DEBUG(SSSDBG_TRACE_INTERNAL, + "No sub-attributes for [%s]\n", attr_desc); + goto done; + } + + /* This is a complex attribute. 
First get the base attribute name */ + base = talloc_strndup(tmp_ctx, attr_desc, + endptr - attr_desc); + if (!base) { + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_LIBS, + "Base attribute of [%s] is [%s]\n", + attr_desc, base); + + /* Next, determine if this is a ranged attribute */ + if (strncmp(endptr+1, SDAP_RANGE_STRING, rangestringlen) != 0) { + /* This is some other sub-attribute. We'll just return the whole + * thing in case it's dealt with elsewhere. + */ + *base_attr = talloc_strdup(mem_ctx, attr_desc); + if (!*base_attr) { + ret = ENOMEM; + } else { + ret = EOK; + } + DEBUG(SSSDBG_TRACE_LIBS, + "[%s] contains sub-attribute other than a range, returning whole\n", + attr_desc); + goto done; + } else if (disable_range_retrieval) { + /* This is range sub-attribute, but we want to ignore it. + */ + *base_attr = talloc_strdup(mem_ctx, attr_desc); + if (!*base_attr) { + ret = ENOMEM; + } else { + ret = ECANCELED; + } + goto done; + } + + /* Get the end of the range */ + end_range = strchr(endptr + rangestringlen +1, '-'); + if (!end_range) { + ret = EINVAL; + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot find hyphen in [%s]\n", + endptr + rangestringlen +1); + goto done; + } + end_range++; /* advance past the hyphen */ + + if (*end_range == '*') { + /* this was the last iteration of range retrievals */ + *base_attr = talloc_steal(mem_ctx, base); + *range_offset = 0; + DEBUG(SSSDBG_TRACE_LIBS, + "[%s] contained the last set of values for this attribute\n", + attr_desc); + ret = EOK; + goto done; + } + + *range_offset = strtouint32(end_range, &endptr, 10); + if (*endptr != '\0') { + *range_offset = 0; + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "[%s] did not parse as an unsigned integer: [%s]\n", + end_range, strerror(ret)); + goto done; + } + (*range_offset)++; + + *base_attr = talloc_steal(mem_ctx, base); + DEBUG(SSSDBG_TRACE_LIBS, + "Parsed range values: [%s][%d]\n", + base, *range_offset); + + ret = EAGAIN; +done: + talloc_free(tmp_ctx); + return ret; +} 
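Review bot: The `strtouint32()` result in `sdap_parse_range()` is validated only by `*endptr != '\0'`, and the error branch then takes `ret = errno`, which can be 0 when the leading digits parsed cleanly. A server-supplied description with trailing characters after the number (constructed example: `member;range=0-10x`) can therefore return EOK without `*base_attr` ever being assigned. An empty number after the hyphen passes the check as offset 0, and an out-of-range value is not rejected before `(*range_offset)++`. I would clear `errno = 0;` before the call, test `if (errno != 0 || endptr == end_range || *endptr != '\0')`, and set `ret = (errno != 0) ? errno : EINVAL;` in that branch. The final `DEBUG` also prints the `uint32_t` offset with `%d`, where `PRIu32` would match the type.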
diff --git a/src/providers/ldap/sdap_range.h b/src/providers/ldap/sdap_range.h
new file mode 100644
index 0000000..f11b3be
--- /dev/null
+++ b/src/providers/ldap/sdap_range.h
@@ -0,0 +1,34 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SDAP_RANGE_H_
+#define SDAP_RANGE_H_
+
+#include "src/util/util.h"
+
+errno_t sdap_parse_range(TALLOC_CTX *mem_ctx,
+ const char *attr_desc,
+ char **base_attr,
+ uint32_t *range_offset,
+ bool disable_range_retrieval);
+
+#endif /* SDAP_RANGE_H_ */
diff --git a/src/providers/ldap/sdap_refresh.c b/src/providers/ldap/sdap_refresh.c
new file mode 100644
index 0000000..6d6c43e
--- /dev/null
+++ b/src/providers/ldap/sdap_refresh.c
@@ -0,0 +1,291 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "providers/ldap/sdap.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_refresh_state { + struct tevent_context *ev; + struct be_ctx *be_ctx; + struct dp_id_data *account_req; + struct sdap_id_ctx *id_ctx; + struct sdap_domain *sdom; + const char *type; + char **names; + size_t index; +}; + +static errno_t sdap_refresh_step(struct tevent_req *req); +static void sdap_refresh_done(struct tevent_req *subreq); + +static struct tevent_req *sdap_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + int entry_type, + char **names, + void *pvt) +{ + struct sdap_refresh_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct sdap_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (names == NULL) { + ret = EOK; + goto immediately; + } + + state->ev = ev; + state->be_ctx = be_ctx; + state->id_ctx = talloc_get_type(pvt, struct sdap_id_ctx); + state->names = names; + state->index = 0; + + state->sdom = sdap_domain_get(state->id_ctx->opts, domain); + if (state->sdom == NULL) { + ret = ERR_DOMAIN_NOT_FOUND; + goto immediately; + } + + switch (entry_type) { 
+ case BE_REQ_USER: + state->type = "user"; + break; + case BE_REQ_GROUP: + state->type = "group"; + break; + case BE_REQ_NETGROUP: + state->type = "netgroup"; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid entry type [%d]!\n", entry_type); + } + + state->account_req = talloc_zero(state, struct dp_id_data); + if (state->account_req == NULL) { + ret = ENOMEM; + goto immediately; + } + + state->account_req->entry_type = entry_type; + state->account_req->filter_type = BE_FILTER_NAME; + state->account_req->extra_value = NULL; + state->account_req->domain = domain->name; + /* filter will be filled later */ + + ret = sdap_refresh_step(req); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Nothing to refresh\n"); + goto immediately; + } else if (ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, "sdap_refresh_step() failed " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t sdap_refresh_step(struct tevent_req *req) +{ + struct sdap_refresh_state *state = NULL; + struct tevent_req *subreq = NULL; + errno_t ret; + + state = tevent_req_data(req, struct sdap_refresh_state); + + if (state->names == NULL) { + ret = EOK; + goto done; + } + + state->account_req->filter_value = state->names[state->index]; + if (state->account_req->filter_value == NULL) { + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing refresh of %s %s\n", + state->type, state->account_req->filter_value); + + subreq = sdap_handle_acct_req_send(state, state->be_ctx, + state->account_req, state->id_ctx, + state->sdom, state->id_ctx->conn, true); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sdap_refresh_done, req); + + state->index++; + ret = EAGAIN; + +done: + return ret; +} + +static void sdap_refresh_done(struct tevent_req *subreq) +{ + struct 
sdap_refresh_state *state = NULL; + struct tevent_req *req = NULL; + const char *err_msg = NULL; + errno_t dp_error; + int sdap_ret; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_refresh_state); + + ret = sdap_handle_acct_req_recv(subreq, &dp_error, &err_msg, &sdap_ret); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to refresh %s [dp_error: %d, " + "sdap_ret: %d, errno: %d]: %s\n", state->type, + dp_error, sdap_ret, ret, err_msg); + goto done; + } + + ret = sdap_refresh_step(req); + if (ret == EAGAIN) { + return; + } + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t sdap_refresh_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static struct tevent_req * +sdap_refresh_users_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + char **names, + void *pvt) +{ + return sdap_refresh_send(mem_ctx, ev, be_ctx, domain, + BE_REQ_USER, names, pvt); +} + +static errno_t sdap_refresh_users_recv(struct tevent_req *req) +{ + return sdap_refresh_recv(req); +} + +static struct tevent_req * +sdap_refresh_groups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + char **names, + void *pvt) +{ + return sdap_refresh_send(mem_ctx, ev, be_ctx, domain, + BE_REQ_GROUP, names, pvt); +} + +static errno_t sdap_refresh_groups_recv(struct tevent_req *req) +{ + return sdap_refresh_recv(req); +} + +static struct tevent_req * +sdap_refresh_netgroups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct sss_domain_info *domain, + char **names, + void *pvt) +{ + return sdap_refresh_send(mem_ctx, ev, be_ctx, domain, + BE_REQ_NETGROUP, names, pvt); +} + +static errno_t sdap_refresh_netgroups_recv(struct tevent_req *req) +{ + 
return sdap_refresh_recv(req); +} + +errno_t sdap_refresh_init(struct be_refresh_ctx *refresh_ctx, + struct sdap_id_ctx *id_ctx) +{ + errno_t ret; + + ret = be_refresh_add_cb(refresh_ctx, BE_REFRESH_TYPE_USERS, + sdap_refresh_users_send, + sdap_refresh_users_recv, + id_ctx); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of users " + "will not work [%d]: %s\n", ret, strerror(ret)); + } + + ret = be_refresh_add_cb(refresh_ctx, BE_REFRESH_TYPE_GROUPS, + sdap_refresh_groups_send, + sdap_refresh_groups_recv, + id_ctx); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of groups " + "will not work [%d]: %s\n", ret, strerror(ret)); + } + + ret = be_refresh_add_cb(refresh_ctx, BE_REFRESH_TYPE_NETGROUPS, + sdap_refresh_netgroups_send, + sdap_refresh_netgroups_recv, + id_ctx); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Periodical refresh of netgroups " + "will not work [%d]: %s\n", ret, strerror(ret)); + } + + return ret; +} diff --git a/src/providers/ldap/sdap_reinit.c b/src/providers/ldap/sdap_reinit.c new file mode 100644 index 0000000..d5c8967 --- /dev/null +++ b/src/providers/ldap/sdap_reinit.c 
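Review bot: The `default:` branch of `switch (entry_type)` in `sdap_refresh_send()` only logs "Invalid entry type" and then continues on the normal path, so the account request is still built and `state->type` is never assigned before `sdap_refresh_step()` prints it with `%s`. The three wrappers in this file pass fixed `BE_REQ_*` constants, so the branch looks unreachable today, but it should fail closed: add `ret = ERR_INTERNAL;` and `goto immediately;` after the `DEBUG` call. Separately, `sdap_refresh_init()` returns only the result of the netgroups registration, so a failure registering users or groups is dropped and an `EEXIST` that the code otherwise tolerates is handed back to the caller.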
@@ -0,0 +1,335 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/util.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap_async_enum.h" +#include "db/sysdb.h" +#include "db/sysdb_services.h" + +struct sdap_reinit_cleanup_state { + struct sss_domain_info *domain; + struct sysdb_ctx *sysdb; +}; + +static errno_t sdap_reinit_clear_usn(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain); +static void sdap_reinit_cleanup_done(struct tevent_req *subreq); +static errno_t sdap_reinit_delete_records(struct sss_domain_info *domain); + +struct tevent_req* sdap_reinit_cleanup_send(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_id_ctx *id_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct sdap_reinit_cleanup_state *state; + int ret; + + /* + * 1. remove entryUSN attribute from all entries + * 2. run enumeration + * 3. remove records that doesn't have entryUSN attribute updated + * + * We don't need to do this for sudo rules, they will be refreshed + * automatically during next smart/full refresh, or when an expired rule + * is deleted. 
+ */ + + req = tevent_req_create(mem_ctx, &state, struct sdap_reinit_cleanup_state); + if (req == NULL) { + return NULL; + } + + state->sysdb = be_ctx->domain->sysdb; + state->domain = be_ctx->domain; + + if (!be_ctx->domain->enumerate) { + /* enumeration is disabled, this whole process is meaningless */ + ret = EOK; + goto immediately; + } + + ret = sdap_reinit_clear_usn(state->sysdb, state->domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to clear USN attributes [%d]: %s\n", + ret, strerror(ret)); + goto immediately; + } + + subreq = sdap_dom_enum_send(id_ctx, be_ctx->ev, id_ctx, + id_ctx->opts->sdom, id_ctx->conn); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to issue enumeration request\n"); + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_reinit_cleanup_done, req); + + return req; + +immediately: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, be_ctx->ev); + + return req; +} + +static void sdap_delete_msgs_usn(struct sysdb_ctx *sysdb, + struct ldb_message **msgs, + size_t msgs_num) +{ + struct ldb_message_element el = { 0, SYSDB_USN, 0, NULL }; + struct sysdb_attrs usn_el = { 1, &el }; + errno_t ret; + int i; + + for (i = 0; i < msgs_num; i++) { + ret = sysdb_set_entry_attr(sysdb, msgs[i]->dn, &usn_el, SYSDB_MOD_DEL); + if (ret) { + DEBUG(SSSDBG_TRACE_FUNC, "Failed to clean USN on entry: [%s]\n", + ldb_dn_get_linearized(msgs[i]->dn)); + } + } +} + +static errno_t sdap_reinit_clear_usn(struct sysdb_ctx *sysdb, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx = NULL; + bool in_transaction = false; + struct ldb_message **msgs = NULL; + size_t msgs_num = 0; + const char *attrs[] = { "dn", NULL }; + int sret; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + goto done; 
+ } + in_transaction = true; + + /* reset users' usn */ + ret = sysdb_search_users(tmp_ctx, domain, + "", attrs, &msgs_num, &msgs); + if (ret != EOK) { + goto done; + } + sdap_delete_msgs_usn(sysdb, msgs, msgs_num); + talloc_zfree(msgs); + msgs_num = 0; + + /* reset groups' usn */ + ret = sysdb_search_groups(tmp_ctx, domain, "", attrs, &msgs_num, &msgs); + if (ret != EOK) { + goto done; + } + sdap_delete_msgs_usn(sysdb, msgs, msgs_num); + talloc_zfree(msgs); + msgs_num = 0; + + /* reset services' usn */ + ret = sysdb_search_services(tmp_ctx, domain, "", attrs, &msgs_num, &msgs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot search services [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + sdap_delete_msgs_usn(sysdb, msgs, msgs_num); + talloc_zfree(msgs); + msgs_num = 0; + + ret = sysdb_transaction_commit(sysdb); + if (ret == EOK) { + in_transaction = false; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not commit transaction\n"); + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + + return ret; +} + +static void sdap_reinit_cleanup_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + struct sdap_reinit_cleanup_state *state = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_reinit_cleanup_state); + + ret = sdap_dom_enum_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Domain enumeration failed [%d]: %s\n", + ret, strerror(ret)); + goto fail; + } + + /* Ok, we've completed an enumeration. 
Save this to the + * sysdb so we can postpone starting up the enumeration + * process on the next SSSD service restart (to avoid + * slowing down system boot-up + */ + ret = sysdb_set_enumerated(state->domain, true); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not mark domain as having " + "enumerated.\n"); + /* This error is non-fatal, so continue */ + } + + ret = sdap_reinit_delete_records(state->domain); + if (ret != EOK) { + goto fail; + } + + tevent_req_done(req); + return; + +fail: + tevent_req_error(req, ret); +} + +static void sdap_delete_msgs_dn(struct sysdb_ctx *sysdb, + struct ldb_message **msgs, + size_t msgs_num) +{ + errno_t ret; + int i; + + for (i = 0; i < msgs_num; i++) { + ret = sysdb_delete_entry(sysdb, msgs[i]->dn, true); + if (ret) { + DEBUG(SSSDBG_TRACE_FUNC, "Failed to delete entry: [%s]\n", + ldb_dn_get_linearized(msgs[i]->dn)); + } + } +} + +static errno_t sdap_reinit_delete_records(struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx = NULL; + bool in_transaction = false; + struct ldb_message **msgs = NULL; + size_t msgs_num = 0; + const char *attrs[] = { "dn", NULL }; + int sret; + errno_t ret; + struct sysdb_ctx *sysdb = domain->sysdb; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + goto done; + } + in_transaction = true; + + /* purge untouched users */ + ret = sysdb_search_users(tmp_ctx, domain, "(!("SYSDB_USN"=*))", + attrs, &msgs_num, &msgs); + if (ret != EOK) { + goto done; + } + sdap_delete_msgs_dn(sysdb, msgs, msgs_num); + talloc_zfree(msgs); + msgs_num = 0; + + /* purge untouched groups */ + ret = sysdb_search_groups(tmp_ctx, domain, "(!("SYSDB_USN"=*))", + attrs, &msgs_num, &msgs); + if (ret != EOK) { + goto done; + } + sdap_delete_msgs_dn(sysdb, msgs, msgs_num); + talloc_zfree(msgs); + msgs_num = 0; + + /* purge untouched services */ + ret = 
sysdb_search_services(tmp_ctx, domain, "(!("SYSDB_USN"=*))", + attrs, &msgs_num, &msgs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot search services [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + sdap_delete_msgs_dn(sysdb, msgs, msgs_num); + talloc_zfree(msgs); + msgs_num = 0; + + ret = sysdb_transaction_commit(sysdb); + if (ret == EOK) { + in_transaction = false; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not commit transaction\n"); + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + + return ret; +} + +errno_t sdap_reinit_cleanup_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} diff --git a/src/providers/ldap/sdap_sudo.c b/src/providers/ldap/sdap_sudo.c new file mode 100644 index 0000000..bf73f7b --- /dev/null +++ b/src/providers/ldap/sdap_sudo.c 
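Review bot: `sdap_delete_msgs_dn()` reports a failed `sysdb_delete_entry()` only at `SSSDBG_TRACE_FUNC` and without the error code, after which `sdap_reinit_delete_records()` commits and returns success. That purge is what removes cached users, groups and services that did not receive a fresh USN during the enumeration, so a failure leaves stale identity entries in the cache with nothing logged unless function tracing is enabled. I would log at `SSSDBG_OP_FAILURE` and include `ret`, e.g. `DEBUG(SSSDBG_OP_FAILURE, "Failed to delete entry [%s] [%d]: %s\n", ldb_dn_get_linearized(msgs[i]->dn), ret, strerror(ret));`. The same applies to `sdap_delete_msgs_usn()`. Both helpers also compare `int i` against the `size_t msgs_num`; declaring the index as `size_t i;` removes the sign mismatch.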
@@ -0,0 +1,220 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "providers/backend.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_async.h" +#include "providers/ldap/sdap_sudo.h" +#include "db/sysdb_sudo.h" + +struct sdap_sudo_handler_state { + uint32_t type; + struct dp_reply_std reply; +}; + +static void sdap_sudo_handler_done(struct tevent_req *subreq); + +static struct tevent_req * +sdap_sudo_handler_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx, + struct dp_sudo_data *data, + struct dp_req_params *params) +{ + struct sdap_sudo_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->type = data->type; + + switch (data->type) { + case BE_REQ_SUDO_FULL: + DEBUG(SSSDBG_TRACE_FUNC, "Issuing a full refresh of sudo rules\n"); + subreq = sdap_sudo_full_refresh_send(state, sudo_ctx); + break; + case BE_REQ_SUDO_RULES: + DEBUG(SSSDBG_TRACE_FUNC, "Issuing a refresh of specific sudo rules\n"); + subreq = sdap_sudo_rules_refresh_send(state, sudo_ctx, data->rules); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid 
request type: %d\n", data->type); + ret = EINVAL; + goto immediately; + } + + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send request: %d\n", data->type); + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_sudo_handler_done, req); + + return req; + +immediately: + dp_reply_std_set(&state->reply, DP_ERR_DECIDE, ret, NULL); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void sdap_sudo_handler_done(struct tevent_req *subreq) +{ + struct sdap_sudo_handler_state *state; + struct tevent_req *req; + int dp_error; + bool deleted; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_handler_state); + + switch (state->type) { + case BE_REQ_SUDO_FULL: + ret = sdap_sudo_full_refresh_recv(subreq, &dp_error); + talloc_zfree(subreq); + break; + case BE_REQ_SUDO_RULES: + ret = sdap_sudo_rules_refresh_recv(subreq, &dp_error, &deleted); + talloc_zfree(subreq); + if (ret == EOK && deleted == true) { + ret = ENOENT; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request type: %d\n", state->type); + dp_error = DP_ERR_FATAL; + ret = ERR_INTERNAL; + break; + } + + /* TODO For backward compatibility we always return EOK to DP now. 
*/ + dp_reply_std_set(&state->reply, dp_error, ret, NULL); + tevent_req_done(req); +} + +static errno_t +sdap_sudo_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct sdap_sudo_handler_state *state = NULL; + + state = tevent_req_data(req, struct sdap_sudo_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} + +static void sdap_sudo_online_cb(void *pvt) +{ + struct sdap_sudo_ctx *sudo_ctx; + + sudo_ctx = talloc_get_type(pvt, struct sdap_sudo_ctx); + if (sudo_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "BUG: sudo_ctx is NULL\n"); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "We are back online. SUDO host information will " + "be renewed on next refresh.\n"); + sudo_ctx->run_hostinfo = true; +} + +errno_t sdap_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_id_ctx *id_ctx, + struct dp_method *dp_methods) +{ + struct sdap_sudo_ctx *sudo_ctx; + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Initializing sudo LDAP back end\n"); + + sudo_ctx = talloc_zero(mem_ctx, struct sdap_sudo_ctx); + if (sudo_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc() failed\n"); + return ENOMEM; + } + + sudo_ctx->id_ctx = id_ctx; + + ret = ldap_get_sudo_options(be_ctx->cdb, be_ctx->conf_path, id_ctx->opts, + &sudo_ctx->use_host_filter, + &sudo_ctx->include_regexp, + &sudo_ctx->include_netgroups); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get SUDO options [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (sudo_ctx->use_host_filter) { + ret = be_add_online_cb(sudo_ctx, be_ctx, sdap_sudo_online_cb, + sudo_ctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to install online callback " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* Obtain hostinfo with the first refresh. 
*/ + sudo_ctx->run_hostinfo = true; + } + + ret = sdap_sudo_ptask_setup(be_ctx, sudo_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to setup periodical refresh of " + "sudo rules [%d]: %s\n", ret, sss_strerror(ret)); + /* periodical updates will not work, but specific-rule update + * is no affected by this, therefore we don't have to fail here */ + } + + dp_set_method(dp_methods, DPM_SUDO_HANDLER, + sdap_sudo_handler_send, sdap_sudo_handler_recv, sudo_ctx, + struct sdap_sudo_ctx, struct dp_sudo_data, struct dp_reply_std); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(sudo_ctx); + } + + return ret; +} diff --git a/src/providers/ldap/sdap_sudo.h b/src/providers/ldap/sdap_sudo.h new file mode 100644 index 0000000..0e732ab --- /dev/null +++ b/src/providers/ldap/sdap_sudo.h 
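Review bot: `dp_error` in sdap_sudo_handler_done() is declared without an initial value and can reach `dp_reply_std_set(&state->reply, dp_error, ret, NULL)` unset. Both sdap_sudo_full_refresh_recv() and sdap_sudo_rules_refresh_recv(), added in sdap_sudo_refresh.c by this patch, run `TEVENT_REQ_RETURN_ON_ERROR(req)` before `*dp_error = state->dp_error`. Assuming the macro returns on a failed request, as its name says, a failed refresh leaves the variable indeterminate and the reply handed to the data provider carries an arbitrary error class. Declaring it as `int dp_error = DP_ERR_FATAL;` gives the failure path a defined value. `bool deleted = false;` would do the same for the rules case, although that variable is only read when `ret == EOK`.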
@@ -0,0 +1,102 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_SUDO_H_ +#define _SDAP_SUDO_H_ + +#include "providers/backend.h" +#include "providers/ldap/ldap_common.h" + +struct sdap_sudo_ctx { + struct sdap_id_ctx *id_ctx; + + char **hostnames; + char **ip_addr; + bool include_netgroups; + bool include_regexp; + bool use_host_filter; + + bool full_refresh_done; + + bool run_hostinfo; +}; + +/* Common functions from ldap_sudo.c */ + +errno_t sdap_sudo_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_id_ctx *id_ctx, + struct dp_method *dp_methods); + +/* sdap async interface */ +struct tevent_req *sdap_sudo_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx, + const char *ldap_filter, + const char *sysdb_filter); + +int sdap_sudo_refresh_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + int *dp_error, + size_t *num_rules); + +struct tevent_req *sdap_sudo_full_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx); + +int sdap_sudo_full_refresh_recv(struct tevent_req *req, + int *dp_error); + +struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx); + +int sdap_sudo_smart_refresh_recv(struct tevent_req *req, + int *dp_error); + +struct tevent_req *sdap_sudo_rules_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx, + char 
**rules); + +int sdap_sudo_rules_refresh_recv(struct tevent_req *req, + int *dp_error, + bool *deleted); + +errno_t +sdap_sudo_ptask_setup(struct be_ctx *be_ctx, struct sdap_sudo_ctx *sudo_ctx); + +/* host info */ +struct tevent_req * sdap_sudo_get_hostinfo_send(TALLOC_CTX *mem_ctx, + struct sdap_options *opts, + struct be_ctx *be_ctx); + +int sdap_sudo_get_hostinfo_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char ***hostnames, char ***ip_addr); + +/* (&(objectClass=sudoRole)(|(cn=defaults)(sudoUser=ALL)%s)) */ +#define SDAP_SUDO_FILTER_USER "(&(objectClass=%s)(|(%s=%s)(%s=ALL)%s))" +#define SDAP_SUDO_FILTER_CLASS "(objectClass=%s)" +#define SDAP_SUDO_FILTER_DEFAULTS "(&(objectClass=%s)(%s=%s))" +#define SDAP_SUDO_DEFAULTS "defaults" + +#define SDAP_SUDO_FILTER_USERNAME "(%s=%s)" +#define SDAP_SUDO_FILTER_UID "(%s=#%u)" +#define SDAP_SUDO_FILTER_GROUP "(%s=%%%s)" +#define SDAP_SUDO_FILTER_NETGROUP "(%s=+%s)" + +#endif /* _SDAP_SUDO_H_ */ diff --git a/src/providers/ldap/sdap_sudo_refresh.c b/src/providers/ldap/sdap_sudo_refresh.c new file mode 100644 index 0000000..c54c3fa --- /dev/null +++ b/src/providers/ldap/sdap_sudo_refresh.c 
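Review bot: The filter templates at the end of this header (`SDAP_SUDO_FILTER_USERNAME`, `SDAP_SUDO_FILTER_GROUP`, `SDAP_SUDO_FILTER_NETGROUP`) take a string value in their last `%s`, but nothing states who is responsible for escaping it. The rule-name path in sdap_sudo_rules_refresh_send() passes its input through sss_filter_sanitize() before formatting. The users of these macros are not visible in this part of the patch, so the same expectation is worth recording next to them: `/* String values formatted into these templates must already be escaped with sss_filter_sanitize(). */`. The comment `Common functions from ldap_sudo.c` above sdap_sudo_init() also names a file that does not match sdap_sudo.c, where this patch defines the function.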
@@ -0,0 +1,469 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "providers/be_ptask.h" +#include "providers/ldap/sdap_sudo.h" +#include "providers/ldap/sdap_sudo_shared.h" +#include "db/sysdb_sudo.h" + +struct sdap_sudo_full_refresh_state { + struct sdap_sudo_ctx *sudo_ctx; + struct sdap_id_ctx *id_ctx; + struct sysdb_ctx *sysdb; + struct sss_domain_info *domain; + int dp_error; +}; + +static void sdap_sudo_full_refresh_done(struct tevent_req *subreq); + +struct tevent_req *sdap_sudo_full_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct sdap_id_ctx *id_ctx = sudo_ctx->id_ctx; + struct sdap_sudo_full_refresh_state *state = NULL; + char *search_filter = NULL; + char *delete_filter = NULL; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_full_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->sudo_ctx = sudo_ctx; + state->id_ctx = id_ctx; + state->sysdb = id_ctx->be->domain->sysdb; + state->domain = id_ctx->be->domain; + + /* Download all rules from LDAP */ + search_filter = talloc_asprintf(state, SDAP_SUDO_FILTER_CLASS, + id_ctx->opts->sudorule_map[SDAP_OC_SUDORULE].name); + if 
(search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + /* Remove all rules from cache */ + delete_filter = talloc_asprintf(state, "(%s=%s)", + SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC); + if (delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing a full refresh of sudo rules\n"); + + subreq = sdap_sudo_refresh_send(state, sudo_ctx, search_filter, + delete_filter); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_sudo_full_refresh_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, id_ctx->be->ev); + + return req; +} + +static void sdap_sudo_full_refresh_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + struct sdap_sudo_full_refresh_state *state = NULL; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_full_refresh_state); + + ret = sdap_sudo_refresh_recv(state, subreq, &state->dp_error, NULL); + talloc_zfree(subreq); + if (ret != EOK || state->dp_error != DP_ERR_OK) { + goto done; + } + + /* save the time in the sysdb */ + ret = sysdb_sudo_set_last_full_refresh(state->domain, time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to save time of " + "a successful full refresh\n"); + /* this is only a minor error that does not affect the functionality, + * therefore there is no need to report it with tevent_req_error() + * which would cause problems in the consumers */ + } + + DEBUG(SSSDBG_TRACE_FUNC, "Successful full refresh of sudo rules\n"); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int sdap_sudo_full_refresh_recv(struct tevent_req *req, + int *dp_error) +{ + struct sdap_sudo_full_refresh_state *state = NULL; + state = tevent_req_data(req, struct sdap_sudo_full_refresh_state); + 
+ TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + + return EOK; +} + +struct sdap_sudo_smart_refresh_state { + struct sdap_id_ctx *id_ctx; + struct sysdb_ctx *sysdb; + int dp_error; +}; + +static void sdap_sudo_smart_refresh_done(struct tevent_req *subreq); + +struct tevent_req *sdap_sudo_smart_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct sdap_id_ctx *id_ctx = sudo_ctx->id_ctx; + struct sdap_attr_map *map = id_ctx->opts->sudorule_map; + struct sdap_server_opts *srv_opts = id_ctx->srv_opts; + struct sdap_sudo_smart_refresh_state *state = NULL; + char *search_filter = NULL; + const char *usn; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct sdap_sudo_smart_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->id_ctx = id_ctx; + state->sysdb = id_ctx->be->domain->sysdb; + + /* Download all rules from LDAP that are newer than usn */ + if (srv_opts == NULL || srv_opts->max_sudo_value == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "USN value is unknown, assuming zero.\n"); + usn = "0"; + search_filter = talloc_asprintf(state, "(objectclass=%s)", + map[SDAP_OC_SUDORULE].name); + } else { + usn = srv_opts->max_sudo_value; + search_filter = talloc_asprintf(state, "(&(objectclass=%s)(%s>=%s))", + map[SDAP_OC_SUDORULE].name, + map[SDAP_AT_SUDO_USN].name, usn); + } + if (search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + /* Do not remove any rules that are already in the sysdb + * sysdb_filter = NULL; */ + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing a smart refresh of sudo rules " + "(USN >= %s)\n", usn); + + subreq = sdap_sudo_refresh_send(state, sudo_ctx, search_filter, NULL); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_sudo_smart_refresh_done, req); + + return req; + +immediately: + if (ret == EOK) { + 
tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, id_ctx->be->ev); + + return req; +} + +static void sdap_sudo_smart_refresh_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + struct sdap_sudo_smart_refresh_state *state = NULL; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_smart_refresh_state); + + ret = sdap_sudo_refresh_recv(state, subreq, &state->dp_error, NULL); + talloc_zfree(subreq); + if (ret != EOK || state->dp_error != DP_ERR_OK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Successful smart refresh of sudo rules\n"); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int sdap_sudo_smart_refresh_recv(struct tevent_req *req, + int *dp_error) +{ + struct sdap_sudo_smart_refresh_state *state = NULL; + state = tevent_req_data(req, struct sdap_sudo_smart_refresh_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + + return EOK; +} + +struct sdap_sudo_rules_refresh_state { + struct sdap_id_ctx *id_ctx; + size_t num_rules; + int dp_error; + bool deleted; +}; + +static void sdap_sudo_rules_refresh_done(struct tevent_req *subreq); + +struct tevent_req *sdap_sudo_rules_refresh_send(TALLOC_CTX *mem_ctx, + struct sdap_sudo_ctx *sudo_ctx, + char **rules) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct sdap_sudo_rules_refresh_state *state = NULL; + struct sdap_id_ctx *id_ctx = sudo_ctx->id_ctx; + struct sdap_options *opts = id_ctx->opts; + TALLOC_CTX *tmp_ctx = NULL; + char *search_filter = NULL; + char *delete_filter = NULL; + char *safe_rule = NULL; + int ret; + int i; + + if (rules == NULL) { + return NULL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return NULL; + } + + req = tevent_req_create(mem_ctx, &state, struct 
sdap_sudo_rules_refresh_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + search_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */ + delete_filter = talloc_zero(tmp_ctx, char); /* assign to tmp_ctx */ + + /* Download only selected rules from LDAP */ + /* Remove all selected rules from cache */ + for (i = 0; rules[i] != NULL; i++) { + ret = sss_filter_sanitize(tmp_ctx, rules[i], &safe_rule); + if (ret != EOK) { + ret = ENOMEM; + goto immediately; + } + + search_filter = talloc_asprintf_append_buffer(search_filter, "(%s=%s)", + opts->sudorule_map[SDAP_AT_SUDO_NAME].name, + safe_rule); + if (search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + delete_filter = talloc_asprintf_append_buffer(delete_filter, "(%s=%s)", + SYSDB_SUDO_CACHE_AT_CN, + safe_rule); + if (delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + } + + state->id_ctx = sudo_ctx->id_ctx; + state->num_rules = i; + + search_filter = talloc_asprintf(tmp_ctx, "(&"SDAP_SUDO_FILTER_CLASS"(|%s))", + opts->sudorule_map[SDAP_OC_SUDORULE].name, + search_filter); + if (search_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + delete_filter = talloc_asprintf(tmp_ctx, "(&(%s=%s)(|%s))", + SYSDB_OBJECTCLASS, SYSDB_SUDO_CACHE_OC, + delete_filter); + if (delete_filter == NULL) { + ret = ENOMEM; + goto immediately; + } + + subreq = sdap_sudo_refresh_send(req, sudo_ctx, search_filter, + delete_filter); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sdap_sudo_rules_refresh_done, req); + + ret = EOK; +immediately: + talloc_free(tmp_ctx); + + if (ret != EOK) { + tevent_req_error(req, ret); + tevent_req_post(req, id_ctx->be->ev); + } + + return req; +} + +static void sdap_sudo_rules_refresh_done(struct tevent_req *subreq) +{ + struct tevent_req *req = NULL; + struct sdap_sudo_rules_refresh_state *state = NULL; + size_t downloaded_rules_num; + int ret; + + req = 
tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sdap_sudo_rules_refresh_state); + + ret = sdap_sudo_refresh_recv(state, subreq, &state->dp_error, + &downloaded_rules_num); + talloc_zfree(subreq); + if (ret != EOK || state->dp_error != DP_ERR_OK) { + goto done; + } + + state->deleted = downloaded_rules_num != state->num_rules ? true : false; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +int sdap_sudo_rules_refresh_recv(struct tevent_req *req, + int *dp_error, + bool *deleted) +{ + struct sdap_sudo_rules_refresh_state *state = NULL; + state = tevent_req_data(req, struct sdap_sudo_rules_refresh_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *dp_error = state->dp_error; + *deleted = state->deleted; + + return EOK; +} + +static struct tevent_req * +sdap_sudo_ptask_full_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct sdap_sudo_ctx *sudo_ctx; + sudo_ctx = talloc_get_type(pvt, struct sdap_sudo_ctx); + + return sdap_sudo_full_refresh_send(mem_ctx, sudo_ctx); +} + +static errno_t +sdap_sudo_ptask_full_refresh_recv(struct tevent_req *req) +{ + int dp_error; + + return sdap_sudo_full_refresh_recv(req, &dp_error); +} + +static struct tevent_req * +sdap_sudo_ptask_smart_refresh_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct be_ptask *be_ptask, + void *pvt) +{ + struct sdap_sudo_ctx *sudo_ctx; + sudo_ctx = talloc_get_type(pvt, struct sdap_sudo_ctx); + + return sdap_sudo_smart_refresh_send(mem_ctx, sudo_ctx); +} + +static errno_t +sdap_sudo_ptask_smart_refresh_recv(struct tevent_req *req) +{ + int dp_error; + + return sdap_sudo_smart_refresh_recv(req, &dp_error); +} + +errno_t +sdap_sudo_ptask_setup(struct be_ctx *be_ctx, struct sdap_sudo_ctx *sudo_ctx) +{ + return sdap_sudo_ptask_setup_generic(be_ctx, sudo_ctx->id_ctx->opts->basic, + 
sdap_sudo_ptask_full_refresh_send, + sdap_sudo_ptask_full_refresh_recv, + sdap_sudo_ptask_smart_refresh_send, + sdap_sudo_ptask_smart_refresh_recv, + sudo_ctx); +} diff --git a/src/providers/ldap/sdap_sudo_shared.c b/src/providers/ldap/sdap_sudo_shared.c new file mode 100644 index 0000000..66b7887 --- /dev/null +++ b/src/providers/ldap/sdap_sudo_shared.c 
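Review bot: sdap_sudo_rules_refresh_send() leaks `tmp_ctx` when `tevent_req_create()` fails, because the context is created with `talloc_new(NULL)` just above and the `req == NULL` branch returns without releasing it. Adding `talloc_free(tmp_ctx);` before that `return NULL;` closes the leak. The two `talloc_zero(tmp_ctx, char)` results are also passed on without a NULL check. Separately, `search_filter` and `delete_filter` are allocated on `tmp_ctx`, which is freed right after `sdap_sudo_refresh_send()` returns, so that function has to copy both strings. Its body is not part of this file, so a comment such as `/* sdap_sudo_refresh_send() copies the filters, tmp_ctx can go */` above `talloc_free(tmp_ctx)` would record the assumption.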
@@ -0,0 +1,202 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "providers/be_ptask.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_sudo_shared.h" +#include "db/sysdb_sudo.h" + +errno_t +sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx, + struct dp_option *opts, + be_ptask_send_t full_send_fn, + be_ptask_recv_t full_recv_fn, + be_ptask_send_t smart_send_fn, + be_ptask_recv_t smart_recv_fn, + void *pvt) +{ + time_t smart; + time_t full; + time_t delay; + time_t last_refresh; + errno_t ret; + + smart = dp_opt_get_int(opts, SDAP_SUDO_SMART_REFRESH_INTERVAL); + full = dp_opt_get_int(opts, SDAP_SUDO_FULL_REFRESH_INTERVAL); + + if (smart == 0 && full == 0) { + /* We don't allow both types to be disabled. At least smart refresh + * needs to be enabled. In this case smart refresh will catch up new + * and modified rules and deleted rules are caught when expired. */ + smart = opts[SDAP_SUDO_SMART_REFRESH_INTERVAL].def_val.number; + + DEBUG(SSSDBG_CONF_SETTINGS, "At least smart refresh needs to be " + "enabled. Setting smart refresh interval to default value " + "(%ld) seconds.\n", smart); + } else if (full > 0 && full <= smart) { + /* In this case it does not make any sense to run smart refresh. 
*/ + smart = 0; + + DEBUG(SSSDBG_CONF_SETTINGS, "Smart refresh interval has to be lower " + "than full refresh interval. Periodical smart refresh will be " + "disabled.\n"); + } + + ret = sysdb_sudo_get_last_full_refresh(be_ctx->domain, &last_refresh); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to obtain time of last full " + "refresh. Assuming none was performed so far.\n"); + last_refresh = 0; + } + + if (last_refresh == 0) { + /* If this is the first startup, we need to kick off an refresh + * immediately, to close a window where clients requesting sudo + * information won't get an immediate reply with no entries */ + delay = 0; + } else { + /* At least one update has previously run, so clients will get cached + * data. We will delay the refresh so we don't slow down the startup + * process if this is happening during system boot. */ + delay = 10; + } + + /* Full refresh. + * + * Disable when offline and run immediately when SSSD goes back online. + * Since we have periodical online check we don't have to run this task + * when offline. */ + if (full > 0) { + ret = be_ptask_create(be_ctx, be_ctx, full, delay, 0, 0, full, + BE_PTASK_OFFLINE_DISABLE, 0, + full_send_fn, full_recv_fn, pvt, + "SUDO Full Refresh", NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup full refresh ptask " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + } + + /* Smart refresh. + * + * Disable when offline and reschedule normally when SSSD goes back online. + * Since we have periodical online check we don't have to run this task + * when offline. 
*/ + if (smart > 0) { + ret = be_ptask_create(be_ctx, be_ctx, smart, delay + smart, smart, 0, + smart, BE_PTASK_OFFLINE_DISABLE, 0, + smart_send_fn, smart_recv_fn, pvt, + "SUDO Smart Refresh", NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup smart refresh ptask " + "[%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + } + + return EOK; +} + +static char * +sdap_sudo_new_usn(TALLOC_CTX *mem_ctx, + unsigned long usn, + const char *leftover) +{ + const char *str = leftover == NULL ? "" : leftover; + char *newusn; + + /* We increment USN number so that we can later use simplify filter + * (just usn >= last+1 instead of usn >= last && usn != last). + */ + usn++; + + /* Convert back to string appending non-converted values since it + * is an indicator that modifyTimestamp is used instead of entryUSN. + * modifyTimestamp contains also timezone specification, usually Z. + * We can't really handle any errors here so we just use what we got. */ + newusn = talloc_asprintf(mem_ctx, "%lu%s", usn, str); + if (newusn == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change USN value (OOM)!\n"); + return NULL; + } + + return newusn; +} + +void +sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, + const char *usn) +{ + unsigned long usn_number; + char *newusn; + char *endptr = NULL; + errno_t ret; + + if (srv_opts == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Bug: srv_opts is NULL\n"); + return; + } + + if (usn == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, "Bug: usn is NULL\n"); + return; + } + + errno = 0; + usn_number = strtoul(usn, &endptr, 10); + if (errno != 0) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to convert USN %s [%d]: %s\n", + usn, ret, sss_strerror(ret)); + return; + } + + if (usn_number == 0) { + /* Zero means that there were no rules on the server, so we have + * nothing to store. 
*/ + DEBUG(SSSDBG_TRACE_FUNC, "SUDO USN value is empty.\n"); + return; + } + + newusn = sdap_sudo_new_usn(srv_opts, usn_number, endptr); + if (newusn == NULL) { + return; + } + + if (sysdb_compare_usn(newusn, srv_opts->max_sudo_value) > 0) { + talloc_zfree(srv_opts->max_sudo_value); + srv_opts->max_sudo_value = newusn; + } else { + talloc_zfree(newusn); + } + + if (usn_number > srv_opts->last_usn) { + srv_opts->last_usn = usn_number; + } + + DEBUG(SSSDBG_FUNC_DATA, "SUDO higher USN value: [%s]\n", + srv_opts->max_sudo_value); +} diff --git a/src/providers/ldap/sdap_sudo_shared.h b/src/providers/ldap/sdap_sudo_shared.h new file mode 100644 index 0000000..dd49a67 --- /dev/null +++ b/src/providers/ldap/sdap_sudo_shared.h @@ -0,0 +1,40 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_SUDO_SHARED_H_ +#define _SDAP_SUDO_SHARED_H_ + +#include "providers/backend.h" +#include "providers/be_ptask.h" + +errno_t +sdap_sudo_ptask_setup_generic(struct be_ctx *be_ctx, + struct dp_option *opts, + be_ptask_send_t full_send_fn, + be_ptask_recv_t full_recv_fn, + be_ptask_send_t smart_send_fn, + be_ptask_recv_t smart_recv_fn, + void *pvt); + +void +sdap_sudo_set_usn(struct sdap_server_opts *srv_opts, + const char *usn); + +#endif /* _SDAP_SUDO_SHARED_H_ */ 
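Review bot: sdap_sudo_set_usn() keeps whatever follows the digits of the incoming USN string (`endptr`), and sdap_sudo_new_usn() appends it verbatim via `"%lu%s"` to the value stored in `srv_opts->max_sudo_value`. sdap_sudo_smart_refresh_send() in sdap_sudo_refresh.c later formats that value into `(&(objectclass=%s)(%s>=%s))` without escaping. Per the comment, the string is an entryUSN or modifyTimestamp, so presumably it comes from the directory; a suffix containing filter metacharacters would then change the shape of the next search filter. Escaping the suffix before it is stored would keep legitimate values such as a trailing `Z` unchanged, for example `ret = sss_filter_sanitize(srv_opts, endptr, &safe_leftover);`, then passing `safe_leftover` to sdap_sudo_new_usn() and freeing it afterwards. Alternatively the value can be escaped where the filter is built.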
diff --git a/src/providers/ldap/sdap_users.h b/src/providers/ldap/sdap_users.h new file mode 100644 index 0000000..a6d088a --- /dev/null +++ b/src/providers/ldap/sdap_users.h @@ -0,0 +1,41 @@ +/* + SSSD + + Async LDAP Helper routines + + Copyright (C) Simo Sorce + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SDAP_USERS_H_ +#define _SDAP_USERS_H_ + +#include "config.h" + +/* shared non-async user functions */ + +errno_t sdap_fallback_local_user(TALLOC_CTX *memctx, + const char *name, uid_t uid, + struct sysdb_attrs ***reply); + +int sdap_save_user(TALLOC_CTX *memctx, + struct sdap_options *opts, + struct sss_domain_info *dom, + struct sysdb_attrs *attrs, + struct sysdb_attrs *mapped_attrs, + char **_usn_value, + time_t now); + +#endif /* _SDAP_USERS_H_ */ diff --git a/src/providers/ldap/sdap_utils.c b/src/providers/ldap/sdap_utils.c new file mode 100644 index 0000000..6d54310 --- /dev/null +++ b/src/providers/ldap/sdap_utils.c 
@@ -0,0 +1,235 @@ +/* + Authors: + Simo Sorce + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" +#include "providers/ldap/sdap_async.h" + +errno_t +sdap_attrs_add_ldap_attr(struct sysdb_attrs *ldap_attrs, + const char *attr_name, + const char *attr_desc, + bool multivalued, + const char *name, + struct sysdb_attrs *attrs) +{ + errno_t ret; + struct ldb_message_element *el; + const char *objname = name ?: "object"; + const char *desc = attr_desc ?: attr_name; + unsigned int num_values, i; + char *printable; + + ret = sysdb_attrs_get_el(ldap_attrs, attr_name, &el); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not get %s from the " + "list of the LDAP attributes [%d]: %s\n", + attr_name, ret, strerror(ret)); + return ret; + } + + if (el->num_values == 0) { + DEBUG(SSSDBG_TRACE_INTERNAL, "%s is not available " + "for [%s].\n", desc, objname); + } else { + num_values = multivalued ? 
el->num_values : 1; + for (i = 0; i < num_values; i++) { + printable = ldb_binary_encode(ldap_attrs, el->values[i]); + if (printable == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "ldb_binary_encode failed..\n"); + continue; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Adding %s [%s] to attributes " + "of [%s].\n", desc, printable, objname); + + talloc_zfree(printable); + + ret = sysdb_attrs_add_mem(attrs, attr_name, el->values[i].data, + el->values[i].length); + if (ret) { + return ret; + } + } + } + + return EOK; +} + +errno_t +sdap_save_all_names(const char *name, + struct sysdb_attrs *ldap_attrs, + struct sss_domain_info *dom, + enum sysdb_member_type entry_type, + struct sysdb_attrs *attrs) +{ + const char **aliases = NULL; + const char *sysdb_alias; + errno_t ret; + TALLOC_CTX *tmp_ctx; + int i; + bool lowercase = !dom->case_sensitive; + bool store_as_fqdn; + + switch (entry_type) { + case SYSDB_MEMBER_USER: + case SYSDB_MEMBER_GROUP: + store_as_fqdn = true; + break; + default: + store_as_fqdn = false; + break; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_get_aliases(tmp_ctx, ldap_attrs, name, + lowercase, &aliases); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get the alias list\n"); + goto done; + } + + for (i = 0; aliases[i]; i++) { + if (store_as_fqdn) { + sysdb_alias = sss_create_internal_fqname(tmp_ctx, aliases[i], + dom->name); + } else { + sysdb_alias = aliases[i]; + } + + if (sysdb_alias == NULL) { + ret = ENOMEM; + goto done; + } + + if (lowercase) { + ret = sysdb_attrs_add_lc_name_alias(attrs, sysdb_alias); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add lower-cased version " + "of alias [%s] into the " + "attribute list\n", aliases[i]); + goto done; + } + } else { + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME_ALIAS, sysdb_alias); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add alias [%s] into the " + "attribute list\n", aliases[i]); + goto done; + } + } + + } + + ret 
= EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t deref_string_to_val(const char *str, int *val) +{ + if (strcasecmp(str, "never") == 0) { + *val = LDAP_DEREF_NEVER; + } else if (strcasecmp(str, "searching") == 0) { + *val = LDAP_DEREF_SEARCHING; + } else if (strcasecmp(str, "finding") == 0) { + *val = LDAP_DEREF_FINDING; + } else if (strcasecmp(str, "always") == 0) { + *val = LDAP_DEREF_ALWAYS; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Illegal deref option [%s].\n", str); + return EINVAL; + } + + return EOK; +} + +static char * +sdap_combine_filters_ex(TALLOC_CTX *mem_ctx, + char operator, + const char *base_filter, + const char *extra_filter) +{ + char *filter = NULL; + + if (extra_filter == NULL || extra_filter[0] == '\0') { + return talloc_strdup(mem_ctx, base_filter); + } else if (base_filter == NULL || base_filter[0] == '\0') { + return talloc_strdup(mem_ctx, extra_filter); + } + + if (extra_filter[0] == '(') { + filter = talloc_asprintf(mem_ctx, "(%c%s%s)", + operator, base_filter, extra_filter); + } else { + filter = talloc_asprintf(mem_ctx, "(%c%s(%s))", + operator, base_filter, extra_filter); + } + + return filter; /* NULL or not */ +} + +char *sdap_or_filters(TALLOC_CTX *mem_ctx, + const char *base_filter, + const char *extra_filter) +{ + return sdap_combine_filters_ex(mem_ctx, '|', base_filter, extra_filter); +} + +char *sdap_combine_filters(TALLOC_CTX *mem_ctx, + const char *base_filter, + const char *extra_filter) +{ + return sdap_combine_filters_ex(mem_ctx, '&', base_filter, extra_filter); +} + +char *get_enterprise_principal_string_filter(TALLOC_CTX *mem_ctx, + const char *attr_name, + const char *princ, + struct dp_option *sdap_basic_opts) +{ + const char *realm; + char *p; + + if (attr_name == NULL || princ == NULL || sdap_basic_opts == NULL) { + return NULL; + } + + realm = dp_opt_get_cstring(sdap_basic_opts, SDAP_KRB5_REALM); + if (realm == NULL) { + return NULL; + } + + p = strchr(princ, '@'); + if (p == NULL) { + return NULL; + 
} + + return talloc_asprintf(mem_ctx, "(%s=%.*s\\\\@%s@%s)", attr_name, + (int) (p - princ), + princ, + p + 1, realm); +} diff --git a/src/providers/proxy/proxy.h b/src/providers/proxy/proxy.h new file mode 100644 index 0000000..3b0475d --- /dev/null +++ b/src/providers/proxy/proxy.h 
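Review bot: `get_enterprise_principal_string_filter()` formats `princ` straight into the LDAP filter via `talloc_asprintf(mem_ctx, "(%s=%.*s\\\\@%s@%s)", ...)` and does no escaping of its own, so any `*`, `(`, `)` or `\` in the principal would change the structure of the resulting filter. Whether callers sanitize the value first is not visible in this hunk; if they do, that contract should be written on the function, e.g. `/* princ must already be escaped for use in an LDAP filter (RFC 4515); this function does not sanitize it. */`. The same caveat applies to `sdap_combine_filters_ex()`, which concatenates `base_filter` and `extra_filter` exactly as given and only checks whether `extra_filter` starts with `(`.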
@@ -0,0 +1,193 @@ +/* + SSSD + + Proxy provider, private header file + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __PROXY_H__ +#define __PROXY_H__ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "util/util.h" +#include "providers/backend.h" +#include "db/sysdb.h" +#include "sss_client/nss_compat.h" +#include + +#define PROXY_CHILD_PATH "/org/freedesktop/sssd/proxychild" + +struct proxy_nss_ops { + enum nss_status (*getpwnam_r)(const char *name, struct passwd *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*getpwuid_r)(uid_t uid, struct passwd *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*setpwent)(void); + enum nss_status (*getpwent_r)(struct passwd *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*endpwent)(void); + + enum nss_status (*getgrnam_r)(const char *name, struct group *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*getgrgid_r)(gid_t gid, struct group *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*setgrent)(void); + enum nss_status (*getgrent_r)(struct group *result, + char *buffer, size_t buflen, int *errnop); + enum nss_status (*endgrent)(void); + enum nss_status (*initgroups_dyn)(const char *user, gid_t group, + long int *start, long int *size, + 
gid_t **groups, long int limit, + int *errnop); + enum nss_status (*setnetgrent)(const char *netgroup, + struct __netgrent *result); + enum nss_status (*getnetgrent_r)(struct __netgrent *result, char *buffer, + size_t buflen, int *errnop); + enum nss_status (*endnetgrent)(struct __netgrent *result); + + /* Services */ + enum nss_status (*getservbyname_r)(const char *name, + const char *protocol, + struct servent *result, + char *buffer, size_t buflen, + int *errnop); + enum nss_status (*getservbyport_r)(int port, const char *protocol, + struct servent *result, + char *buffer, size_t buflen, + int *errnop); + enum nss_status (*setservent)(void); + enum nss_status (*getservent_r)(struct servent *result, + char *buffer, size_t buflen, + int *errnop); + enum nss_status (*endservent)(void); +}; + +struct authtok_conv { + struct sss_auth_token *authtok; + struct sss_auth_token *newauthtok; + + bool sent_old; +}; + +struct proxy_id_ctx { + struct be_ctx *be; + bool fast_alias; + struct proxy_nss_ops ops; + void *handle; +}; + +struct proxy_auth_ctx { + struct be_ctx *be; + char *pam_target; + + uint32_t max_children; + uint32_t running; + uint32_t next_id; + hash_table_t *request_table; + struct sbus_connection *sbus_srv; + int timeout_ms; +}; + +struct proxy_child_ctx { + struct proxy_auth_ctx *auth_ctx; + struct be_req *be_req; + struct pam_data *pd; + + uint32_t id; + pid_t pid; + bool running; + + struct sbus_connection *conn; + struct tevent_timer *timer; + + struct tevent_req *init_req; +}; + +struct pc_init_ctx { + char *command; + pid_t pid; + struct tevent_timer *timeout; + struct tevent_signal *sige; + struct proxy_child_ctx *child_ctx; + struct sbus_connection *conn; +}; + +//int proxy_client_init(struct sbus_connection *conn, void *data); + +#define PROXY_CHILD_PIPE "private/proxy_child" +#define DEFAULT_BUFSIZE 4096 +#define MAX_BUF_SIZE 1024*1024 /* max 1MiB */ + +/* From proxy_id.c */ +struct tevent_req * +proxy_account_info_handler_send(TALLOC_CTX 
*mem_ctx, + struct proxy_id_ctx *id_ctx, + struct dp_id_data *data, + struct dp_req_params *params); + +errno_t proxy_account_info_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data); + +/* From proxy_auth.c */ +struct tevent_req * +proxy_pam_handler_send(TALLOC_CTX *mem_ctx, + struct proxy_auth_ctx *proxy_auth_ctx, + struct pam_data *pd, + struct dp_req_params *params); + +errno_t +proxy_pam_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data); + +/* From proxy_netgroup.c */ +errno_t get_netgroup(struct proxy_id_ctx *ctx, + struct sss_domain_info *dom, + const char *name); + +errno_t get_serv_byname(struct proxy_id_ctx *ctx, + struct sss_domain_info *dom, + const char *name, + const char *protocol); + +errno_t +get_serv_byport(struct proxy_id_ctx *ctx, + struct sss_domain_info *dom, + const char *be_filter, + const char *protocol); + +errno_t enum_services(struct proxy_id_ctx *ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *dom); + +int proxy_client_init(struct sbus_connection *conn, void *data); + +#endif /* __PROXY_H__ */ diff --git a/src/providers/proxy/proxy_auth.c b/src/providers/proxy/proxy_auth.c new file mode 100644 index 0000000..665a29c --- /dev/null +++ b/src/providers/proxy/proxy_auth.c 
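Review bot: `MAX_BUF_SIZE` expands to the bare expression `1024*1024`, so a use such as `len % MAX_BUF_SIZE` would parse as `(len % 1024) * 1024` and silently produce the wrong bound. The macro presumably caps the buffers handed to the proxied NSS calls, so it should be parenthesized: `#define MAX_BUF_SIZE (1024*1024) /* max 1MiB */`. The commented-out `//int proxy_client_init(...)` line just above it duplicates the live declaration at the end of the header and can be dropped.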
@@ -0,0 +1,860 @@ +/* + SSSD + + proxy_auth.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "providers/proxy/proxy.h" +#include "providers/proxy/proxy_iface_generated.h" + +struct pc_init_ctx; + +static int proxy_child_destructor(TALLOC_CTX *ctx) +{ + struct proxy_child_ctx *child_ctx = + talloc_get_type(ctx, struct proxy_child_ctx); + hash_key_t key; + int hret; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Removing proxy child id [%d]\n", child_ctx->id); + key.type = HASH_KEY_ULONG; + key.ul = child_ctx->id; + hret = hash_delete(child_ctx->auth_ctx->request_table, &key); + if (!(hret == HASH_SUCCESS || + hret == HASH_ERROR_KEY_NOT_FOUND)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Hash error [%d][%s]\n", hret, hash_error_string(hret)); + /* Nothing we can do about this, so just continue */ + } + return 0; +} + +static struct tevent_req *proxy_child_init_send(TALLOC_CTX *mem_ctx, + struct proxy_child_ctx *child_ctx, + struct proxy_auth_ctx *auth_ctx); +static void proxy_child_init_done(struct tevent_req *subreq); +static struct tevent_req *proxy_child_send(TALLOC_CTX *mem_ctx, + struct proxy_auth_ctx *auth_ctx, + struct pam_data *pd) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct proxy_child_ctx *state; + int hret; + hash_key_t key; + hash_value_t value; + uint32_t first; + + req = tevent_req_create(mem_ctx, &state, struct 
proxy_child_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not send PAM request to child\n"); + return NULL; + } + + state->auth_ctx = auth_ctx; + state->pd = pd; + + /* Find an available key */ + key.type = HASH_KEY_ULONG; + key.ul = auth_ctx->next_id; + + first = auth_ctx->next_id; + while (auth_ctx->next_id == 0 || + hash_has_key(auth_ctx->request_table, &key)) { + /* Handle overflow, zero is a reserved value + * Also handle the unlikely case where the next ID + * is still awaiting being run + */ + auth_ctx->next_id++; + key.ul = auth_ctx->next_id; + + if (auth_ctx->next_id == first) { + /* We've looped through all possible integers! */ + DEBUG(SSSDBG_FATAL_FAILURE, "Serious error: queue is too long!\n"); + talloc_zfree(req); + return NULL; + } + } + + state->id = auth_ctx->next_id; + auth_ctx->next_id++; + + value.type = HASH_VALUE_PTR; + value.ptr = req; + DEBUG(SSSDBG_TRACE_INTERNAL, "Queueing request [%lu]\n", key.ul); + hret = hash_enter(auth_ctx->request_table, + &key, &value); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not add request to the queue\n"); + talloc_zfree(req); + return NULL; + } + + talloc_set_destructor((TALLOC_CTX *) state, + proxy_child_destructor); + + if (auth_ctx->running < auth_ctx->max_children) { + /* There's an available slot; start a child + * to handle the request + */ + + auth_ctx->running++; + subreq = proxy_child_init_send(auth_ctx, state, auth_ctx); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not fork child process\n"); + auth_ctx->running--; + talloc_zfree(req); + return NULL; + } + tevent_req_set_callback(subreq, proxy_child_init_done, req); + + state->running = true; + } + else { + /* If there was no available slot, it will be queued + * until a slot is available + */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "All available child slots are full, queuing request\n"); + } + return req; +} + +static int pc_init_destructor (TALLOC_CTX *ctx) +{ + struct pc_init_ctx *init_ctx = + 
talloc_get_type(ctx, struct pc_init_ctx); + + /* If the init request has died, forcibly kill the child */ + kill(init_ctx->pid, SIGKILL); + return 0; +} + +static void pc_init_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt); +static void pc_init_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr); +static struct tevent_req *proxy_child_init_send(TALLOC_CTX *mem_ctx, + struct proxy_child_ctx *child_ctx, + struct proxy_auth_ctx *auth_ctx) +{ + struct tevent_req *req; + struct pc_init_ctx *state; + char **proxy_child_args; + struct timeval tv; + errno_t ret; + pid_t pid; + + req = tevent_req_create(mem_ctx, &state, struct pc_init_ctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not create tevent_req\n"); + return NULL; + } + + state->child_ctx = child_ctx; + + state->command = talloc_asprintf(req, + "%s/proxy_child -d %#.4x --debug-timestamps=%d " + "--debug-microseconds=%d --logger=%s --domain %s --id %d", + SSSD_LIBEXEC_PATH, debug_level, debug_timestamps, + debug_microseconds, sss_logger_str[sss_logger], + auth_ctx->be->domain->name, + child_ctx->id); + if (state->command == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return NULL; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Starting proxy child with args [%s]\n", state->command); + + pid = fork(); + if (pid < 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d][%s].\n", ret, strerror(ret)); + talloc_zfree(req); + return NULL; + } + + if (pid == 0) { /* child */ + proxy_child_args = parse_args(state->command); + execvp(proxy_child_args[0], proxy_child_args); + + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not start proxy child [%s]: [%d][%s].\n", + state->command, ret, strerror(ret)); + + _exit(1); + } + + else { /* parent */ + state->pid = pid; + /* Make sure to kill the child process if we abort */ + talloc_set_destructor((TALLOC_CTX *)state, 
pc_init_destructor); + + state->sige = tevent_add_signal(auth_ctx->be->ev, req, + SIGCHLD, 0, + pc_init_sig_handler, req); + if (state->sige == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); + talloc_zfree(req); + return NULL; + } + + /* Save the init request to the child context. + * This is technically a layering violation, + * but it's the only sane way to be able to + * identify which client is which when it + * connects to the backend in + * client_registration() + */ + child_ctx->init_req = req; + + /* Wait six seconds for the child to connect + * This is because the connection handler will add + * its own five-second timeout, and we don't want to + * be faster here. + */ + tv = tevent_timeval_current_ofs(6, 0); + state->timeout = tevent_add_timer(auth_ctx->be->ev, req, + tv, pc_init_timeout, req); + + /* processing will continue once the connection is received + * in proxy_client_init() + */ + return req; + } +} + +static void pc_init_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt) +{ + int ret; + int child_status; + struct tevent_req *req; + struct pc_init_ctx *init_ctx; + + if (count <= 0) { + DEBUG(SSSDBG_FATAL_FAILURE, + "SIGCHLD handler called with invalid child count\n"); + return; + } + + req = talloc_get_type(pvt, struct tevent_req); + init_ctx = tevent_req_data(req, struct pc_init_ctx); + + DEBUG(SSSDBG_TRACE_LIBS, "Waiting for child [%d].\n", init_ctx->pid); + + errno = 0; + ret = waitpid(init_ctx->pid, &child_status, WNOHANG); + + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "waitpid failed [%d][%s].\n", ret, strerror(ret)); + } else if (ret == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "waitpid did not find a child with changed status.\n"); + } else { + if (WIFEXITED(child_status)) { + DEBUG(SSSDBG_CONF_SETTINGS, + "child [%d] exited with status [%d].\n", ret, + WEXITSTATUS(child_status)); + tevent_req_error(req, EIO); + } else if 
(WIFSIGNALED(child_status)) { + DEBUG(SSSDBG_CONF_SETTINGS, + "child [%d] was terminate by signal [%d].\n", ret, + WTERMSIG(child_status)); + tevent_req_error(req, EIO); + } else { + if (WIFSTOPPED(child_status)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child [%d] was stopped by signal [%d].\n", ret, + WSTOPSIG(child_status)); + } + if (WIFCONTINUED(child_status) == true) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child [%d] was resumed by delivery of SIGCONT.\n", + ret); + } + DEBUG(SSSDBG_CRIT_FAILURE, + "Child is still running, no new child is started.\n"); + return; + } + } +} + +static void pc_init_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) +{ + struct tevent_req *req; + + DEBUG(SSSDBG_OP_FAILURE, "Client timed out before Identification!\n"); + req = talloc_get_type(ptr, struct tevent_req); + tevent_req_error(req, ETIMEDOUT); +} + +static errno_t proxy_child_init_recv(struct tevent_req *req, + pid_t *pid, + struct sbus_connection **conn) +{ + struct pc_init_ctx *state; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + state = tevent_req_data(req, struct pc_init_ctx); + + /* Unset the destructor since we initialized successfully. + * We don't want to kill the child now that it's properly + * set up. 
+ */ + talloc_set_destructor((TALLOC_CTX *)state, NULL); + + *pid = state->pid; + *conn = state->conn; + + return EOK; +} + +struct proxy_child_sig_ctx { + struct proxy_auth_ctx *auth_ctx; + pid_t pid; +}; +static void proxy_child_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt); +static struct tevent_req *proxy_pam_conv_send(TALLOC_CTX *mem_ctx, + struct proxy_auth_ctx *auth_ctx, + struct sbus_connection *conn, + struct pam_data *pd, + pid_t pid); +static void proxy_pam_conv_done(struct tevent_req *subreq); +static void proxy_child_init_done(struct tevent_req *subreq) { + int ret; + struct tevent_signal *sige; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct proxy_child_ctx *child_ctx = + tevent_req_data(req, struct proxy_child_ctx); + struct proxy_child_sig_ctx *sig_ctx; + + ret = proxy_child_init_recv(subreq, &child_ctx->pid, &child_ctx->conn); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Proxy child init failed [%d]\n", ret); + tevent_req_error(req, ret); + return; + } + + /* An initialized child is available, awaiting the PAM command */ + subreq = proxy_pam_conv_send(req, child_ctx->auth_ctx, + child_ctx->conn, child_ctx->pd, + child_ctx->pid); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE,"Could not start PAM conversation\n"); + tevent_req_error(req, EIO); + return; + } + tevent_req_set_callback(subreq, proxy_pam_conv_done, req); + + /* Add a signal handler for the child under the auth_ctx, + * that way if the child exits after completion of the + * request, it will still be handled. 
+ */ + sig_ctx = talloc_zero(child_ctx->auth_ctx, struct proxy_child_sig_ctx); + if(sig_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); + tevent_req_error(req, ENOMEM); + return; + } + sig_ctx->auth_ctx = child_ctx->auth_ctx; + sig_ctx->pid = child_ctx->pid; + + sige = tevent_add_signal(child_ctx->auth_ctx->be->ev, + child_ctx->auth_ctx, + SIGCHLD, 0, + proxy_child_sig_handler, + sig_ctx); + if (sige == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_signal failed.\n"); + tevent_req_error(req, ENOMEM); + return; + } + + /* Steal the signal context onto the signal event + * so that when the signal is freed, the context + * will go with it. + */ + talloc_steal(sige, sig_ctx); +} + +static void remove_sige(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt); +static void run_proxy_child_queue(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt); +static void proxy_child_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt) +{ + int ret; + int child_status; + struct proxy_child_sig_ctx *sig_ctx; + struct tevent_immediate *imm; + struct tevent_immediate *imm2; + + if (count <= 0) { + DEBUG(SSSDBG_FATAL_FAILURE, + "SIGCHLD handler called with invalid child count\n"); + return; + } + + sig_ctx = talloc_get_type(pvt, struct proxy_child_sig_ctx); + DEBUG(SSSDBG_TRACE_LIBS, "Waiting for child [%d].\n", sig_ctx->pid); + + errno = 0; + ret = waitpid(sig_ctx->pid, &child_status, WNOHANG); + + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "waitpid failed [%d][%s].\n", ret, strerror(ret)); + } else if (ret == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "waitpid did not found a child with changed status.\n"); + } else { + if (WIFEXITED(child_status)) { + DEBUG(SSSDBG_CONF_SETTINGS, + "child [%d] exited with status [%d].\n", ret, + WEXITSTATUS(child_status)); + } else if (WIFSIGNALED(child_status) == true) { + DEBUG(SSSDBG_CONF_SETTINGS, + 
"child [%d] was terminated by signal [%d].\n", ret, + WTERMSIG(child_status)); + } else { + if (WIFSTOPPED(child_status)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child [%d] was stopped by signal [%d].\n", ret, + WSTOPSIG(child_status)); + } + if (WIFCONTINUED(child_status) == true) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child [%d] was resumed by delivery of SIGCONT.\n", + ret); + } + DEBUG(SSSDBG_CRIT_FAILURE, + "Child is still running, no new child is started.\n"); + return; + } + + imm = tevent_create_immediate(ev); + if (imm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_create_immediate failed.\n"); + return; + } + + tevent_schedule_immediate(imm, ev, run_proxy_child_queue, + sig_ctx->auth_ctx); + + /* schedule another immediate timer to delete the sigchld handler */ + imm2 = tevent_create_immediate(ev); + if (imm2 == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_create_immediate failed.\n"); + return; + } + + tevent_schedule_immediate(imm2, ev, remove_sige, sige); + } + + return; +} + +static void remove_sige(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + talloc_free(pvt); +} + +struct proxy_conv_ctx { + struct proxy_auth_ctx *auth_ctx; + struct sbus_connection *conn; + struct pam_data *pd; + pid_t pid; +}; +static void proxy_pam_conv_reply(DBusPendingCall *pending, void *ptr); +static struct tevent_req *proxy_pam_conv_send(TALLOC_CTX *mem_ctx, + struct proxy_auth_ctx *auth_ctx, + struct sbus_connection *conn, + struct pam_data *pd, + pid_t pid) +{ + errno_t ret; + bool dp_ret; + DBusMessage *msg; + struct tevent_req *req; + struct proxy_conv_ctx *state; + + req = tevent_req_create(mem_ctx, &state, struct proxy_conv_ctx); + if (req == NULL) { + return NULL; + } + + state->auth_ctx = auth_ctx; + state->conn = conn; + state->pd = pd; + state->pid = pid; + + msg = dbus_message_new_method_call(NULL, + PROXY_CHILD_PATH, + IFACE_PROXY_AUTH, + IFACE_PROXY_AUTH_PAM); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "dbus_message_new_method_call 
failed.\n"); + talloc_zfree(req); + return NULL; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Sending request with the following data:\n"); + DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); + + dp_ret = dp_pack_pam_request(msg, pd); + if (!dp_ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + dbus_message_unref(msg); + talloc_zfree(req); + return NULL; + } + + ret = sbus_conn_send(state->conn, msg, state->auth_ctx->timeout_ms, + proxy_pam_conv_reply, req, NULL); + if (ret != EOK) { + dbus_message_unref(msg); + talloc_zfree(req); + return NULL; + } + + dbus_message_unref(msg); + return req; +} + +static void proxy_pam_conv_reply(DBusPendingCall *pending, void *ptr) +{ + struct tevent_req *req; + struct proxy_conv_ctx *state; + DBusError dbus_error; + DBusMessage *reply; + int type; + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Handling pam conversation reply\n"); + + req = talloc_get_type(ptr, struct tevent_req); + state = tevent_req_data(req, struct proxy_conv_ctx); + + dbus_error_init(&dbus_error); + + reply = dbus_pending_call_steal_reply(pending); + dbus_pending_call_unref(pending); + if (reply == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Severe error. 
A reply callback was called but no reply was" + "received and no timeout occurred\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + tevent_req_error(req, EIO); + } + + type = dbus_message_get_type(reply); + switch (type) { + case DBUS_MESSAGE_TYPE_METHOD_RETURN: + ret = dp_unpack_pam_response(reply, state->pd, &dbus_error); + if (!ret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse reply.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + dbus_message_unref(reply); + tevent_req_error(req, EIO); + return; + } + DEBUG(SSSDBG_CONF_SETTINGS, "received: [%d][%s]\n", + state->pd->pam_status, + state->pd->domain); + break; + case DBUS_MESSAGE_TYPE_ERROR: + DEBUG(SSSDBG_FATAL_FAILURE, "Reply error [%s].\n", + dbus_message_get_error_name(reply)); + state->pd->pam_status = PAM_SYSTEM_ERR; + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Default... what now?.\n"); + state->pd->pam_status = PAM_SYSTEM_ERR; + } + dbus_message_unref(reply); + + /* Kill the child */ + kill(state->pid, SIGKILL); + + /* Conversation is finished */ + tevent_req_done(req); +} + +static errno_t proxy_pam_conv_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static void proxy_pam_conv_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + ret = proxy_pam_conv_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Proxy PAM conversation failed [%d]\n", ret); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static int proxy_child_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct pam_data **pd) +{ + struct proxy_child_ctx *ctx; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + ctx = tevent_req_data(req, struct proxy_child_ctx); + *pd = talloc_steal(mem_ctx, ctx->pd); + + return EOK; +} + +static void run_proxy_child_queue(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + struct proxy_auth_ctx 
*auth_ctx; + struct hash_iter_context_t *iter; + struct hash_entry_t *entry; + struct tevent_req *req; + struct tevent_req *subreq; + struct proxy_child_ctx *state; + + auth_ctx = talloc_get_type(pvt, struct proxy_auth_ctx); + + /* Launch next queued request */ + iter = new_hash_iter_context(auth_ctx->request_table); + while ((entry = iter->next(iter)) != NULL) { + req = talloc_get_type(entry->value.ptr, struct tevent_req); + state = tevent_req_data(req, struct proxy_child_ctx); + if (!state->running) { + break; + } + } + free(iter); + + if (!entry) { + /* Nothing pending on the queue */ + return; + } + + if (auth_ctx->running < auth_ctx->max_children) { + /* There's an available slot; start a child + * to handle the request + */ + auth_ctx->running++; + subreq = proxy_child_init_send(auth_ctx, state, auth_ctx); + if (!subreq) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not fork child process\n"); + auth_ctx->running--; + talloc_zfree(req); + return; + } + tevent_req_set_callback(subreq, proxy_child_init_done, req); + + state->running = true; + } +} + +struct proxy_pam_handler_state { + struct pam_data *pd; + struct proxy_auth_ctx *auth_ctx; + struct be_ctx *be_ctx; +}; + +static void proxy_pam_handler_done(struct tevent_req *subreq); + +struct tevent_req * +proxy_pam_handler_send(TALLOC_CTX *mem_ctx, + struct proxy_auth_ctx *proxy_auth_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct proxy_pam_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, struct proxy_pam_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + state->auth_ctx = proxy_auth_ctx; + state->be_ctx = params->be_ctx; + + /* Tell frontend that we do not support Smartcard authentication */ + if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN + || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { + 
pd->pam_status = PAM_BAD_ITEM; + goto immediately; + } + + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + case SSS_PAM_CHAUTHTOK: + case SSS_PAM_CHAUTHTOK_PRELIM: + case SSS_PAM_ACCT_MGMT: + /* Queue the request and spawn a child if there is an available slot. */ + subreq = proxy_child_send(state, proxy_auth_ctx, state->pd); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + tevent_req_set_callback(subreq, proxy_pam_handler_done, req); + break; + case SSS_PAM_SETCRED: + case SSS_PAM_OPEN_SESSION: + case SSS_PAM_CLOSE_SESSION: + pd->pam_status = PAM_SUCCESS; + goto immediately; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported PAM task.\n"); + pd->pam_status = PAM_MODULE_UNKNOWN; + goto immediately; + } + + return req; + +immediately: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void proxy_pam_handler_done(struct tevent_req *subreq) +{ + struct proxy_pam_handler_state *state; + struct tevent_immediate *imm; + struct tevent_req *req; + const char *password; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct proxy_pam_handler_state); + + ret = proxy_child_recv(subreq, state, &state->pd); + talloc_zfree(subreq); + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + /* Start the next auth in the queue, if any */ + state->auth_ctx->running--; + imm = tevent_create_immediate(state->be_ctx->ev); + if (imm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_create_immediate failed.\n"); + /* We'll still finish the current request, but we're + * likely to have problems if there are queued events + * if we've gotten into this state. + * Hopefully this is impossible, since freeing req + * above should guarantee that we have enough memory + * to create this immediate event. 
+ */ + } else { + tevent_schedule_immediate(imm, state->be_ctx->ev, + run_proxy_child_queue, + state->auth_ctx); + } + + /* Check if we need to save the cached credentials */ + if ((state->pd->cmd == SSS_PAM_AUTHENTICATE || state->pd->cmd == SSS_PAM_CHAUTHTOK) + && (state->pd->pam_status == PAM_SUCCESS) && state->be_ctx->domain->cache_credentials) { + + ret = sss_authtok_get_password(state->pd->authtok, &password, NULL); + if (ret) { + /* password caching failures are not fatal errors */ + DEBUG(SSSDBG_OP_FAILURE, "Failed to cache password\n"); + goto done; + } + + ret = sysdb_cache_password(state->be_ctx->domain, state->pd->user, password); + + /* password caching failures are not fatal errors */ + /* so we just log it any return */ + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to cache password (%d)[%s]!?\n", + ret, sss_strerror(ret)); + } + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +proxy_pam_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct proxy_pam_handler_state *state = NULL; + + state = tevent_req_data(req, struct proxy_pam_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} diff --git a/src/providers/proxy/proxy_child.c b/src/providers/proxy/proxy_child.c new file mode 100644 index 0000000..f5f2e8d --- /dev/null +++ b/src/providers/proxy/proxy_child.c 
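Review bot: In `proxy_pam_conv_reply()` the `reply == NULL` branch calls `tevent_req_error(req, EIO)` but does not return, so execution continues into `dbus_message_get_type(reply)` and `dbus_message_unref(reply)` with a NULL message and then reaches `tevent_req_done(req)` on a request that has already been failed. Add `return;` after `tevent_req_error(req, EIO);` in that branch, as the `dp_unpack_pam_response` failure path a few lines later already does. Separately, `proxy_pam_handler_done()` jumps to `done` on a failed `proxy_child_recv()` before reaching `state->auth_ctx->running--`, so each failed or timed-out child appears to keep one of the `max_children` slots occupied; the decrement and the `run_proxy_child_queue` scheduling look like they belong ahead of the error check.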
@@ -0,0 +1,621 @@ +/* + SSSD + + Pam Proxy Child + + Authors: + + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "providers/proxy/proxy.h" +#include "providers/proxy/proxy_iface_generated.h" + +#include "providers/backend.h" + +struct pc_ctx { + struct tevent_context *ev; + struct confdb_ctx *cdb; + struct sss_domain_info *domain; + const char *identity; + const char *conf_path; + struct sbus_connection *mon_conn; + struct sbus_connection *conn; + const char *pam_target; + uint32_t id; +}; + +static int proxy_internal_conv(int num_msg, const struct pam_message **msgm, + struct pam_response **response, + void *appdata_ptr) { + int i; + struct pam_response *reply; + struct authtok_conv *auth_data; + const char *password; + size_t pwlen; + errno_t ret; + + auth_data = talloc_get_type(appdata_ptr, struct authtok_conv); + + if (num_msg <= 0) return PAM_CONV_ERR; + + reply = (struct pam_response *) calloc(num_msg, + sizeof(struct pam_response)); + if (reply == NULL) return PAM_CONV_ERR; + + for (i=0; i < num_msg; i++) { + switch( msgm[i]->msg_style ) { + case PAM_PROMPT_ECHO_OFF: + DEBUG(SSSDBG_CONF_SETTINGS, + "Conversation message: 
[%s]\n", msgm[i]->msg); + reply[i].resp_retcode = 0; + + ret = sss_authtok_get_password(auth_data->authtok, + &password, &pwlen); + if (ret) goto failed; + reply[i].resp = calloc(pwlen + 1, sizeof(char)); + if (reply[i].resp == NULL) goto failed; + memcpy(reply[i].resp, password, pwlen + 1); + + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Conversation style %d not supported.\n", + msgm[i]->msg_style); + goto failed; + } + } + + *response = reply; + reply = NULL; + + return PAM_SUCCESS; + +failed: + free(reply); + return PAM_CONV_ERR; +} + +static int proxy_chauthtok_conv(int num_msg, const struct pam_message **msgm, + struct pam_response **response, + void *appdata_ptr) { + int i; + struct pam_response *reply; + struct authtok_conv *auth_data; + const char *password; + size_t pwlen; + errno_t ret; + + auth_data = talloc_get_type(appdata_ptr, struct authtok_conv); + + if (num_msg <= 0) return PAM_CONV_ERR; + + reply = (struct pam_response *) calloc(num_msg, + sizeof(struct pam_response)); + if (reply == NULL) return PAM_CONV_ERR; + + for (i=0; i < num_msg; i++) { + switch( msgm[i]->msg_style ) { + case PAM_PROMPT_ECHO_OFF: + DEBUG(SSSDBG_CONF_SETTINGS, + "Conversation message: [%s]\n", msgm[i]->msg); + + reply[i].resp_retcode = 0; + if (!auth_data->sent_old) { + /* The first prompt will be asking for the old authtok */ + ret = sss_authtok_get_password(auth_data->authtok, + &password, &pwlen); + if (ret) goto failed; + reply[i].resp = calloc(pwlen + 1, sizeof(char)); + if (reply[i].resp == NULL) goto failed; + memcpy(reply[i].resp, password, pwlen + 1); + auth_data->sent_old = true; + } + else { + /* Subsequent prompts are looking for the new authtok */ + ret = sss_authtok_get_password(auth_data->newauthtok, + &password, &pwlen); + if (ret) goto failed; + reply[i].resp = calloc(pwlen + 1, sizeof(char)); + if (reply[i].resp == NULL) goto failed; + memcpy(reply[i].resp, password, pwlen + 1); + auth_data->sent_old = true; + } + + break; + default: + 
DEBUG(SSSDBG_CRIT_FAILURE, + "Conversation style %d not supported.\n", + msgm[i]->msg_style); + goto failed; + } + } + + *response = reply; + reply = NULL; + + return PAM_SUCCESS; + +failed: + free(reply); + return PAM_CONV_ERR; +} + +static errno_t call_pam_stack(const char *pam_target, struct pam_data *pd) +{ + int ret; + int pam_status; + pam_handle_t *pamh=NULL; + struct authtok_conv *auth_data; + struct pam_conv conv; + char *shortname; + + if (pd->cmd == SSS_PAM_CHAUTHTOK) { + conv.conv=proxy_chauthtok_conv; + } + else { + conv.conv=proxy_internal_conv; + } + auth_data = talloc_zero(pd, struct authtok_conv); + if (auth_data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + auth_data->authtok = sss_authtok_new(auth_data); + if (auth_data->authtok == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_authtok_new failed.\n"); + ret = ENOMEM; + goto fail; + } + auth_data->newauthtok = sss_authtok_new(auth_data); + if (auth_data->newauthtok == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_authtok_new failed.\n"); + ret = ENOMEM; + goto fail; + } + + conv.appdata_ptr=auth_data; + + ret = sss_parse_internal_fqname(auth_data, pd->user, &shortname, NULL); + if (ret != EOK) { + goto fail; + } + + ret = pam_start(pam_target, shortname, &conv, &pamh); + if (ret == PAM_SUCCESS) { + DEBUG(SSSDBG_TRACE_LIBS, + "Pam transaction started with service name [%s].\n", + pam_target); + ret = pam_set_item(pamh, PAM_TTY, pd->tty); + if (ret != PAM_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Setting PAM_TTY failed: %s.\n", + pam_strerror(pamh, ret)); + } + ret = pam_set_item(pamh, PAM_RUSER, pd->ruser); + if (ret != PAM_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Setting PAM_RUSER failed: %s.\n", + pam_strerror(pamh, ret)); + } + ret = pam_set_item(pamh, PAM_RHOST, pd->rhost); + if (ret != PAM_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Setting PAM_RHOST failed: %s.\n", + pam_strerror(pamh, ret)); + } + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + 
sss_authtok_copy(pd->authtok, auth_data->authtok); + pam_status = pam_authenticate(pamh, 0); + break; + case SSS_PAM_SETCRED: + pam_status=pam_setcred(pamh, 0); + break; + case SSS_PAM_ACCT_MGMT: + pam_status=pam_acct_mgmt(pamh, 0); + break; + case SSS_PAM_OPEN_SESSION: + pam_status=pam_open_session(pamh, 0); + break; + case SSS_PAM_CLOSE_SESSION: + pam_status=pam_close_session(pamh, 0); + break; + case SSS_PAM_CHAUTHTOK: + sss_authtok_copy(pd->authtok, auth_data->authtok); + if (pd->priv != 1) { + pam_status = pam_authenticate(pamh, 0); + auth_data->sent_old = false; + if (pam_status != PAM_SUCCESS) break; + } + sss_authtok_copy(pd->newauthtok, auth_data->newauthtok); + pam_status = pam_chauthtok(pamh, 0); + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + if (pd->priv != 1) { + sss_authtok_copy(pd->authtok, auth_data->authtok); + pam_status = pam_authenticate(pamh, 0); + } else { + pam_status = PAM_SUCCESS; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "unknown PAM call\n"); + pam_status=PAM_ABORT; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Pam result: [%d][%s]\n", pam_status, + pam_strerror(pamh, pam_status)); + + ret = pam_end(pamh, pam_status); + if (ret != PAM_SUCCESS) { + pamh=NULL; + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot terminate pam transaction.\n"); + } + + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize pam transaction.\n"); + pam_status = PAM_SYSTEM_ERR; + } + + pd->pam_status = pam_status; + + return EOK; +fail: + talloc_free(auth_data); + return ret; +} + +static int pc_pam_handler(struct sbus_request *dbus_req, void *user_data) +{ + DBusError dbus_error; + DBusMessage *reply; + struct pc_ctx *pc_ctx; + errno_t ret; + struct pam_data *pd = NULL; + + pc_ctx = talloc_get_type(user_data, struct pc_ctx); + if (!pc_ctx) { + ret = EINVAL; + goto done; + } + + reply = dbus_message_new_method_return(dbus_req->message); + if (!reply) { + DEBUG(SSSDBG_CRIT_FAILURE, "dbus_message_new_method_return failed, " + "cannot send reply.\n"); + ret = ENOMEM; + goto 
done; + } + + dbus_error_init(&dbus_error); + + ret = dp_unpack_pam_request(dbus_req->message, pc_ctx, &pd, &dbus_error); + if (!ret) { + DEBUG(SSSDBG_CRIT_FAILURE,"Failed, to parse message!\n"); + ret = EIO; + goto done; + } + + pd->pam_status = PAM_SYSTEM_ERR; + pd->domain = talloc_strdup(pd, pc_ctx->domain->name); + if (pd->domain == NULL) { + talloc_free(pd); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Got request with the following data\n"); + DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); + + ret = call_pam_stack(pc_ctx->pam_target, pd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "call_pam_stack failed.\n"); + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Sending result [%d][%s]\n", + pd->pam_status, pd->domain); + + ret = dp_pack_pam_response(reply, pd); + if (!ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to generate dbus reply\n"); + talloc_free(pd); + dbus_message_unref(reply); + ret = EIO; + goto done; + } + + ret = sbus_request_finish(dbus_req, reply); + dbus_message_unref(reply); + talloc_free(pd); + + /* We'll return the message and let the + * parent process kill us. + */ + return ret; + +done: + exit(ret); +} + +static void proxy_child_id_callback(DBusPendingCall *pending, void *ptr) +{ + DBusMessage *reply; + errno_t ret; + + reply = dbus_pending_call_steal_reply(pending); + if (reply == NULL) { + /* reply should never be null. This function shouldn't be called + * until reply is valid or timeout has occurred. If reply is NULL + * here, something is seriously wrong and we should bail out. + */ + DEBUG(SSSDBG_FATAL_FAILURE, "Severe error. 
A reply callback was " + "called but no reply was received and no timeout occurred\n"); + goto done; + } + + ret = sbus_parse_reply(reply); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get ID ack [%d]: %s\n", + ret, sss_strerror(ret)); + } + + DEBUG(SSSDBG_TRACE_FUNC, "Got id ack from proxy child\n"); + +done: + dbus_pending_call_unref(pending); + dbus_message_unref(reply); +} + +static errno_t proxy_child_send_id(struct sbus_connection *conn, uint32_t id) +{ + DBusMessage *msg; + errno_t ret; + + msg = sbus_create_message(NULL, NULL, PROXY_CHILD_PATH, IFACE_PROXY_CLIENT, + IFACE_PROXY_CLIENT_REGISTER, + DBUS_TYPE_UINT32, &id); + if (msg == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?!\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Sending ID to Proxy Backend: (%"PRIu32")\n", id); + + ret = sbus_conn_send(conn, msg, 30000, proxy_child_id_callback, NULL, NULL); + + dbus_message_unref(msg); + + return ret; +} + +static int proxy_cli_init(struct pc_ctx *ctx) +{ + char *sbus_address; + int ret; + + static struct iface_proxy_auth iface_proxy_auth = { + { &iface_proxy_auth_meta, 0 }, + + .PAM = pc_pam_handler, + }; + + sbus_address = talloc_asprintf(ctx, "unix:path=%s/%s_%s", + PIPE_PATH, PROXY_CHILD_PIPE, + ctx->domain->name); + if (sbus_address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + ret = sbus_client_init(ctx, ctx->ev, sbus_address, NULL, &ctx->conn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sbus_client_init failed.\n"); + return ret; + } + + ret = sbus_conn_register_iface(ctx->conn, &iface_proxy_auth.vtable, + PROXY_CHILD_PATH, ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to export proxy.\n"); + return ret; + } + + ret = proxy_child_send_id(ctx->conn, ctx->id); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "dp_common_send_id failed.\n"); + return ret; + } + + return EOK; +} + +int proxy_child_process_init(TALLOC_CTX *mem_ctx, const char *domain, + 
struct tevent_context *ev, struct confdb_ctx *cdb, + const char *pam_target, uint32_t id) +{ + struct pc_ctx *ctx; + int ret; + + ctx = talloc_zero(mem_ctx, struct pc_ctx); + if (!ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing pc_ctx\n"); + return ENOMEM; + } + ctx->ev = ev; + ctx->cdb = cdb; + ctx->pam_target = talloc_steal(ctx, pam_target); + ctx->id = id; + ctx->conf_path = talloc_asprintf(ctx, CONFDB_DOMAIN_PATH_TMPL, domain); + if (!ctx->conf_path) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!?\n"); + return ENOMEM; + } + + ret = confdb_get_domain(cdb, domain, &ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fatal error retrieving domain configuration\n"); + return ret; + } + + ret = proxy_cli_init(ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error setting up server bus\n"); + return ret; + } + + return EOK; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + char *domain = NULL; + char *srv_name = NULL; + char *conf_entry = NULL; + struct main_context *main_ctx; + int ret; + long id; + char *pam_target = NULL; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + {"domain", 0, POPT_ARG_STRING, &domain, 0, + _("Domain of the information provider (mandatory)"), NULL }, + {"id", 0, POPT_ARG_LONG, &id, 0, + _("Child identifier (mandatory)"), NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + if (domain == NULL) { + fprintf(stderr, "\nMissing option, " + "--domain is a mandatory option.\n\n"); + poptPrintUsage(pc, stderr, 0); + return 1; + } + + if (id == 0) { + fprintf(stderr, "\nMissing option, " + "--id is a mandatory option.\n\n"); + poptPrintUsage(pc, stderr, 0); + return 1; + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = talloc_asprintf(NULL, "proxy_child_%s", domain); + if (!debug_log_file) return 2; + + sss_set_logger(opt_logger); + + srv_name = talloc_asprintf(NULL, "sssd[proxy_child[%s]]", domain); + if (!srv_name) return 2; + + conf_entry = talloc_asprintf(NULL, CONFDB_DOMAIN_PATH_TMPL, domain); + if (!conf_entry) return 2; + + ret = server_setup(srv_name, 0, 0, 0, conf_entry, &main_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up mainloop [%d]\n", ret); + return 2; + } + + ret = unsetenv("_SSS_LOOPS"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS, " + "pam modules might not work as expected.\n"); + } + + ret = confdb_get_string(main_ctx->confdb_ctx, main_ctx, conf_entry, + CONFDB_PROXY_PAM_TARGET, NULL, &pam_target); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + return 4; + } + if (pam_target == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing option proxy_pam_target.\n"); + return 4; + } + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, + "Could not set up to exit when parent process does\n"); + } + + ret = proxy_child_process_init(main_ctx, 
domain, main_ctx->event_ctx, + main_ctx->confdb_ctx, pam_target, + (uint32_t)id); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not initialize proxy child [%d].\n", ret); + return 3; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Proxy child for domain [%s] started!\n", domain); + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} diff --git a/src/providers/proxy/proxy_client.c b/src/providers/proxy/proxy_client.c new file mode 100644 index 0000000..74957ca --- /dev/null +++ b/src/providers/proxy/proxy_client.c 
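Review bot: The `failed:` label in `proxy_internal_conv` and `proxy_chauthtok_conv` frees only the `reply` array, so any `reply[i].resp` password copy made for an earlier message is leaked and left unwiped on the heap when a later message has an unsupported style or an allocation fails. The failure path should walk all `num_msg` slots, wipe each non-NULL `resp` with a call the compiler cannot drop, and free it before freeing `reply`; `calloc` already leaves the unused slots NULL. The sketch below uses `explicit_bzero`, which may need a portability guard in this tree. Separately, `main` tests `if (id == 0)` although `id` is only assigned when `--id` is passed, so it should be declared as `long id = 0;`.

```c
failed:
    /* Release the password copies already made for earlier messages. */
    for (i = 0; i < num_msg; i++) {
        if (reply[i].resp != NULL) {
            explicit_bzero(reply[i].resp, strlen(reply[i].resp));
            free(reply[i].resp);
        }
    }
    free(reply);
    /* … unchanged: return PAM_CONV_ERR … */
```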
@@ -0,0 +1,178 @@ +/* + SSSD + + proxy_init.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "providers/proxy/proxy_iface_generated.h" +#include "providers/proxy/proxy.h" + +struct proxy_client { + struct proxy_auth_ctx *proxy_auth_ctx; + struct sbus_connection *conn; + struct tevent_timer *timeout; + bool initialized; +}; + +static int proxy_client_register(struct sbus_request *sbus_req, + void *data, + uint32_t cli_id) +{ + struct sbus_connection *conn; + struct proxy_client *proxy_cli; + int hret; + hash_key_t key; + hash_value_t value; + struct tevent_req *req; + struct proxy_child_ctx *child_ctx; + struct pc_init_ctx *init_ctx; + + conn = sbus_req->conn; + proxy_cli = talloc_get_type(data, struct proxy_client); + if (proxy_cli == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Connection holds no valid init data\n"); + return EINVAL; + } + + /* First thing, cancel the timeout */ + DEBUG(SSSDBG_CONF_SETTINGS, + "Cancel proxy client ID timeout [%p]\n", proxy_cli->timeout); + talloc_zfree(proxy_cli->timeout); + + DEBUG(SSSDBG_FUNC_DATA, "Proxy client [%"PRIu32"] connected\n", cli_id); + + /* Check the hash table */ + key.type = HASH_KEY_ULONG; + key.ul = cli_id; + if (!hash_has_key(proxy_cli->proxy_auth_ctx->request_table, &key)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unknown child ID. 
Killing the connection\n"); + sbus_disconnect(proxy_cli->conn); + return EIO; + } + + iface_proxy_client_Register_finish(sbus_req); + + hret = hash_lookup(proxy_cli->proxy_auth_ctx->request_table, &key, &value); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Hash error [%d]: %s\n", hret, hash_error_string(hret)); + sbus_disconnect(conn); + return EIO; + } + + /* Signal that the child is up and ready to receive the request */ + req = talloc_get_type(value.ptr, struct tevent_req); + child_ctx = tevent_req_data(req, struct proxy_child_ctx); + + if (!child_ctx->running) { + /* This should hopefully be impossible, but protect + * against it anyway. If we're not marked running, then + * the init_req will be NULL below and things will + * break. + */ + DEBUG(SSSDBG_CRIT_FAILURE, "Client connection from a request " + "that's not marked as running\n"); + return EIO; + } + + init_ctx = tevent_req_data(child_ctx->init_req, struct pc_init_ctx); + init_ctx->conn = conn; + tevent_req_done(child_ctx->init_req); + child_ctx->init_req = NULL; + + return EOK; +} + +static void proxy_client_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + struct proxy_client *proxy_cli; + + DEBUG(SSSDBG_OP_FAILURE, + "Client timed out before Identification [%p]!\n", te); + + proxy_cli = talloc_get_type(ptr, struct proxy_client); + + sbus_disconnect(proxy_cli->conn); + talloc_zfree(proxy_cli); + + /* If we time out here, we will also time out to + * pc_init_timeout(), so we'll finish the request + * there. + */ +} + +int proxy_client_init(struct sbus_connection *conn, void *data) +{ + struct proxy_auth_ctx *auth_ctx; + struct proxy_client *proxy_cli; + struct timeval tv; + errno_t ret; + + static struct iface_proxy_client iface_proxy_client = { + { &iface_proxy_client_meta, 0 }, + + .Register = proxy_client_register, + }; + + auth_ctx = talloc_get_type(data, struct proxy_auth_ctx); + + /* When connection is lost we also free the client. 
*/ + proxy_cli = talloc_zero(conn, struct proxy_client); + if (proxy_cli == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory, killing connection.\n"); + talloc_free(conn); + return ENOMEM; + } + + proxy_cli->proxy_auth_ctx = auth_ctx; + proxy_cli->conn = conn; + proxy_cli->initialized = false; + + /* Setup timeout in case client fails to register himself in time. */ + tv = tevent_timeval_current_ofs(5, 0); + proxy_cli->timeout = tevent_add_timer(auth_ctx->be->ev, proxy_cli, tv, + proxy_client_timeout, proxy_cli); + if (proxy_cli->timeout == NULL) { + /* Connection is closed in the caller. */ + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory, killing connection\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_CONF_SETTINGS, + "Set-up proxy client ID timeout [%p]\n", proxy_cli->timeout); + + /* Setup D-Bus interfaces and methods. */ + ret = sbus_conn_register_iface(conn, &iface_proxy_client.vtable, + PROXY_CHILD_PATH, proxy_cli); + if (ret != EOK) { + /* Connection is closed in the caller. */ + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register D-Bus interface, " + "killing connection [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + return ret; +} diff --git a/src/providers/proxy/proxy_id.c b/src/providers/proxy/proxy_id.c new file mode 100644 index 0000000..e82e603 --- /dev/null +++ b/src/providers/proxy/proxy_id.c 
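Review bot: The guard in `proxy_client_register` tests only `child_ctx->running`, yet the next statement dereferences `child_ctx->init_req`, which this same function sets to NULL once the first registration completes. If a Register call for the same ID arrives again while the request is still marked running (where `running` is cleared is outside this hunk), `tevent_req_data()` would be handed a NULL request. Checking the pointer itself closes that gap: `if (!child_ctx->running || child_ctx->init_req == NULL) {`. The `req` obtained from `talloc_get_type(value.ptr, struct tevent_req)` is likewise used without a NULL check, so either a check or a comment stating why the table entry is always a `tevent_req` would help.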
@@ -0,0 +1,1786 @@ +/* + SSSD + + proxy_id.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "config.h" + +#include "util/sss_format.h" +#include "util/strtonum.h" +#include "providers/proxy/proxy.h" + +/* =Getpwnam-wrapper======================================================*/ + +static int save_user(struct sss_domain_info *domain, + struct passwd *pwd, const char *real_name, + const char *alias); + +static int +handle_getpw_result(enum nss_status status, struct passwd *pwd, + struct sss_domain_info *dom, bool *del_user); + +static int +delete_user(struct sss_domain_info *domain, + const char *name, uid_t uid); + +static int get_pw_name(struct proxy_id_ctx *ctx, + struct sss_domain_info *dom, + const char *i_name) +{ + TALLOC_CTX *tmpctx; + struct passwd *pwd; + enum nss_status status; + char *buffer; + size_t buflen; + int ret; + uid_t uid; + bool del_user; + struct ldb_result *cached_pwd = NULL; + const char *real_name = NULL; + char *shortname_or_alias; + + DEBUG(SSSDBG_TRACE_FUNC, "Searching user by name (%s)\n", i_name); + + tmpctx = talloc_new(NULL); + if (!tmpctx) { + return ENOMEM; + } + + ret = sss_parse_internal_fqname(tmpctx, i_name, &shortname_or_alias, NULL); + if (ret != EOK) { + goto done; + } + + pwd = talloc_zero(tmpctx, struct passwd); + if (!pwd) { + ret = ENOMEM; + goto done; + } + + buflen = DEFAULT_BUFSIZE; 
+ buffer = talloc_size(tmpctx, buflen); + if (!buffer) { + ret = ENOMEM; + goto done; + } + + /* FIXME: should we move this call outside the transaction to keep the + * transaction as short as possible? */ + status = ctx->ops.getpwnam_r(shortname_or_alias, pwd, buffer, buflen, &ret); + ret = handle_getpw_result(status, pwd, dom, &del_user); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "getpwnam failed [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + if (del_user) { + ret = delete_user(dom, i_name, 0); + goto done; + } + + uid = pwd->pw_uid; + + /* Canonicalize the username in case it was actually an alias */ + + if (ctx->fast_alias == true) { + ret = sysdb_getpwuid(tmpctx, dom, uid, &cached_pwd); + if (ret != EOK) { + /* Non-fatal, attempt to canonicalize online */ + DEBUG(SSSDBG_TRACE_FUNC, "Request to cache failed [%d]: %s\n", + ret, strerror(ret)); + } + + if (ret == EOK && cached_pwd->count == 1) { + real_name = ldb_msg_find_attr_as_string(cached_pwd->msgs[0], + SYSDB_NAME, NULL); + if (!real_name) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cached user has no name?\n"); + } + } + } + + if (real_name == NULL) { + memset(buffer, 0, buflen); + + status = ctx->ops.getpwuid_r(uid, pwd, buffer, buflen, &ret); + ret = handle_getpw_result(status, pwd, dom, &del_user); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "getpwuid failed [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + real_name = sss_create_internal_fqname(tmpctx, pwd->pw_name, dom->name); + if (real_name == NULL) { + ret = ENOMEM; + goto done; + } + } + + if (del_user) { + ret = delete_user(dom, i_name, uid); + goto done; + } + + /* Both lookups went fine, we can save the user now */ + ret = save_user(dom, pwd, real_name, i_name); + +done: + talloc_zfree(tmpctx); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "proxy -> getpwnam_r failed for '%s' <%d>: %s\n", + i_name, ret, strerror(ret)); + } + return ret; +} + +static int +handle_getpw_result(enum nss_status status, struct passwd *pwd, + struct sss_domain_info *dom, 
bool *del_user) +{ + int ret = EOK; + + if (!del_user) { + return EINVAL; + } + *del_user = false; + + switch (status) { + case NSS_STATUS_NOTFOUND: + + DEBUG(SSSDBG_MINOR_FAILURE, "User not found.\n"); + *del_user = true; + break; + + case NSS_STATUS_SUCCESS: + + DEBUG(SSSDBG_TRACE_FUNC, "User found: (%s, %"SPRIuid", %"SPRIgid")\n", + pwd->pw_name, pwd->pw_uid, pwd->pw_gid); + + /* uid=0 or gid=0 are invalid values */ + /* also check that the id is in the valid range for this domain */ + if (OUT_OF_ID_RANGE(pwd->pw_uid, dom->id_min, dom->id_max) || + OUT_OF_ID_RANGE(pwd->pw_gid, dom->id_min, dom->id_max)) { + + DEBUG(SSSDBG_MINOR_FAILURE, + "User filtered out! (id out of range)\n"); + *del_user = true; + break; + } + break; + + case NSS_STATUS_UNAVAIL: + DEBUG(SSSDBG_MINOR_FAILURE, + "Remote back end is not available. Entering offline mode\n"); + ret = ENXIO; + break; + + default: + DEBUG(SSSDBG_OP_FAILURE, "Unknown return code %d\n", status); + ret = EIO; + break; + } + + return ret; +} + +static int +delete_user(struct sss_domain_info *domain, + const char *name, uid_t uid) +{ + int ret = EOK; + + DEBUG(SSSDBG_TRACE_FUNC, + "User %s does not exist (or is invalid) on remote server," + " deleting!\n", name); + ret = sysdb_delete_user(domain, name, uid); + if (ret == ENOENT) { + ret = EOK; + } + + return ret; +} + +static int +prepare_attrs_for_saving_ops(TALLOC_CTX *mem_ctx, + bool case_sensitive, + const char *real_name, /* already_qualified */ + const char *alias, /* already qualified */ + struct sysdb_attrs **attrs) +{ + const char *lc_name = NULL; + const char *cased_alias = NULL; + errno_t ret; + + if (!case_sensitive || alias != NULL) { + if (*attrs == NULL) { + *attrs = sysdb_new_attrs(mem_ctx); + if (*attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n"); + ret = ENOMEM; + goto done; + } + } + } + + if (!case_sensitive) { + lc_name = sss_tc_utf8_str_tolower(*attrs, real_name); + if (lc_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot 
convert name to lowercase.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, lc_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); + ret = ENOMEM; + goto done; + } + + } + + if (alias != NULL) { + cased_alias = sss_get_cased_name(*attrs, alias, case_sensitive); + if (cased_alias == NULL) { + ret = ENOMEM; + goto done; + } + + /* Add the alias only if it differs from lowercased pw_name */ + if (lc_name == NULL || strcmp(cased_alias, lc_name) != 0) { + ret = sysdb_attrs_add_string(*attrs, SYSDB_NAME_ALIAS, + cased_alias); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n"); + goto done; + } + } + } + + ret = EOK; +done: + return ret; +} + +static int save_user(struct sss_domain_info *domain, + struct passwd *pwd, + const char *real_name, /* already qualified */ + const char *alias) /* already qualified */ +{ + const char *shell; + const char *gecos; + struct sysdb_attrs *attrs = NULL; + errno_t ret; + + if (pwd->pw_shell && pwd->pw_shell[0] != '\0') { + shell = pwd->pw_shell; + } else { + shell = NULL; + } + + if (pwd->pw_gecos && pwd->pw_gecos[0] != '\0') { + gecos = pwd->pw_gecos; + } else { + gecos = NULL; + } + + ret = prepare_attrs_for_saving_ops(NULL, domain->case_sensitive, + real_name, alias, &attrs); + if (ret != EOK) { + goto done; + } + + ret = sysdb_store_user(domain, + real_name, + pwd->pw_passwd, + pwd->pw_uid, + pwd->pw_gid, + gecos, + pwd->pw_dir, + shell, + NULL, + attrs, + NULL, + domain->user_timeout, + 0); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add user to cache\n"); + goto done; + } + +done: + talloc_zfree(attrs); + return ret; +} + +/* =Getpwuid-wrapper======================================================*/ + +static int get_pw_uid(struct proxy_id_ctx *ctx, + struct sss_domain_info *dom, + uid_t uid) +{ + TALLOC_CTX *tmpctx; + struct passwd *pwd; + enum nss_status status; + char *buffer; + size_t buflen; + bool del_user = false; 
+ int ret;
+ char *name;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Searching user by uid (%"SPRIuid")\n", uid);
+
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ pwd = talloc_zero(tmpctx, struct passwd);
+ if (!pwd) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = talloc_size(tmpctx, buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = ctx->ops.getpwuid_r(uid, pwd, buffer, buflen, &ret);
+ ret = handle_getpw_result(status, pwd, dom, &del_user);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getpwuid failed [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ if (del_user) {
+ ret = delete_user(dom, NULL, uid);
+ goto done;
+ }
+
+ name = sss_create_internal_fqname(tmpctx, pwd->pw_name, dom->name);
+ if (name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "failed to qualify name '%s'\n",
+ pwd->pw_name);
+ goto done;
+ }
+ ret = save_user(dom, pwd, name, NULL);
+
+done:
+ talloc_zfree(tmpctx);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "proxy -> getpwuid_r failed for '%"SPRIuid"' <%d>: %s\n",
+ uid, ret, strerror(ret));
+ }
+ return ret;
+}
+
+/* =Getpwent-wrapper======================================================*/
+
+static int enum_users(TALLOC_CTX *mem_ctx,
+ struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom)
+{
+ TALLOC_CTX *tmpctx;
+ bool in_transaction = false;
+ struct passwd *pwd;
+ enum nss_status status;
+ size_t buflen;
+ char *buffer;
+ char *newbuf;
+ int ret;
+ errno_t sret;
+ bool again;
+ char *name;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Enumerating users\n");
+
+ tmpctx = talloc_new(mem_ctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ pwd = talloc_zero(tmpctx, struct passwd);
+ if (!pwd) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = talloc_size(tmpctx, buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ status = ctx->ops.setpwent();
+ if (status != NSS_STATUS_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ do {
+ again = false;
+
+ /* always zero out the pwd structure */
+ memset(pwd, 0, sizeof(struct passwd));
+
+ /* get entry */
+ status = ctx->ops.getpwent_r(pwd, buffer, buflen, &ret);
+
+ switch (status) {
+ case NSS_STATUS_TRYAGAIN:
+ /* buffer too small? */
+ if (buflen < MAX_BUF_SIZE) {
+ buflen *= 2;
+ }
+ if (buflen > MAX_BUF_SIZE) {
+ buflen = MAX_BUF_SIZE;
+ }
+ newbuf = talloc_realloc_size(tmpctx, buffer, buflen);
+ if (!newbuf) {
+ ret = ENOMEM;
+ goto done;
+ }
+ buffer = newbuf;
+ again = true;
+ break;
+
+ case NSS_STATUS_NOTFOUND:
+
+ /* we are done here */
+ DEBUG(SSSDBG_TRACE_LIBS, "Enumeration completed.\n");
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+ break;
+
+ case NSS_STATUS_SUCCESS:
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "User found (%s, %"SPRIuid", %"SPRIgid")\n",
+ pwd->pw_name, pwd->pw_uid, pwd->pw_gid);
+
+ /* uid=0 or gid=0 are invalid values */
+ /* also check that the id is in the valid range for this domain
+ */
+ if (OUT_OF_ID_RANGE(pwd->pw_uid, dom->id_min, dom->id_max) ||
+ OUT_OF_ID_RANGE(pwd->pw_gid, dom->id_min, dom->id_max)) {
+
+ DEBUG(SSSDBG_OP_FAILURE, "User [%s] filtered out! (id out"
+ " of range)\n", pwd->pw_name);
+
+ again = true;
+ break;
+ }
+
+ name = sss_create_internal_fqname(tmpctx, pwd->pw_name, dom->name);
+ if (name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "failed to create internal name '%s'\n",
+ pwd->pw_name);
+ goto done;
+ }
+ ret = save_user(dom, pwd, name, NULL);
+ if (ret) {
+ /* Do not fail completely on errors.
+ * Just report the failure to save and go on */
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store user %s."
+ " Ignoring.\n", pwd->pw_name);
+ }
+ again = true;
+ break;
+
+ case NSS_STATUS_UNAVAIL:
+ /* "remote" backend unavailable. Enter offline mode */
+ ret = ENXIO;
+ break;
+
+ default:
+ ret = EIO;
+ DEBUG(SSSDBG_OP_FAILURE, "proxy -> getpwent_r failed (%d)[%s]"
+ "\n", ret, strerror(ret));
+ break;
+ }
+ } while (again);
+
+done:
+ talloc_zfree(tmpctx);
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ ctx->ops.endpwent();
+ return ret;
+}
+
+/* =Save-group-utilities=================================================*/
+#define DEBUG_GR_MEM(level, grp) \
+ do { \
+ if (DEBUG_IS_SET(level)) { \
+ if (!grp->gr_mem || !grp->gr_mem[0]) { \
+ DEBUG(level, "Group %s has no members!\n", \
+ grp->gr_name); \
+ } else { \
+ int i = 0; \
+ while (grp->gr_mem[i]) { \
+ /* count */ \
+ i++; \
+ } \
+ DEBUG(level, "Group %s has %d members!\n", \
+ grp->gr_name, i); \
+ } \
+ } \
+ } while(0)
+
+
+static errno_t remove_duplicate_group_members(TALLOC_CTX *mem_ctx,
+ struct group *orig_grp,
+ struct group **_grp)
+{
+ TALLOC_CTX *tmp_ctx;
+ hash_table_t *member_tbl = NULL;
+ struct hash_iter_context_t *iter;
+ hash_entry_t *entry;
+ hash_key_t key;
+ hash_value_t value;
+ struct group *grp;
+ size_t orig_member_count= 0;
+ size_t member_count= 0;
+ size_t i;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
+ return ENOMEM;
+ }
+
+ if (orig_grp->gr_mem == NULL) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ for (i=0; orig_grp->gr_mem[i] != NULL; i++) {
+ orig_member_count++;
+ }
+
+ if (orig_member_count == 0) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ ret = sss_hash_create(tmp_ctx, orig_member_count, &member_tbl);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to create hash table.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i=0; orig_grp->gr_mem[i] != NULL; i++) {
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);
+ if (key.str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = talloc_strdup(member_tbl, orig_grp->gr_mem[i]);
+ if (key.str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = hash_enter(member_tbl, &key, &value);
+ if (ret != HASH_SUCCESS) {
+ talloc_free(key.str);
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ member_count = hash_count(member_tbl);
+ if (member_count == 0) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ grp = talloc(mem_ctx, struct group);
+ if (grp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ grp->gr_mem = talloc_zero_array(grp, char *, member_count + 1);
+ if (grp->gr_mem == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ iter = new_hash_iter_context(member_tbl);
+ if (iter == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "new_hash_iter_context failed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ i = 0;
+ while ((entry = iter->next(iter)) != NULL) {
+ grp->gr_mem[i] = talloc_strdup(grp, entry->key.str);
+ if (grp->gr_mem[i] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ i++;
+ }
+ grp->gr_mem[i] = NULL;
+
+ grp->gr_gid = orig_grp->gr_gid;
+
+ grp->gr_name = talloc_strdup(grp, orig_grp->gr_name);
+ if (grp->gr_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ grp->gr_passwd = talloc_strdup(grp, orig_grp->gr_passwd);
+ if (grp->gr_passwd == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_grp = talloc_steal(mem_ctx, grp);
+ ret = EOK;
+
+done:
+ talloc_zfree(tmp_ctx);
+
+ if (ret == ENOENT) {
+ *_grp = talloc_steal(mem_ctx, orig_grp);
+ ret = EOK;
+ }
+
+ return ret;
+}
+
+static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sysdb_attrs *group_attrs,
+ const char *const*fq_gr_mem,
+ time_t now);
+static int save_group(struct sysdb_ctx *sysdb, struct sss_domain_info *dom,
+ struct group *grp,
+ const char *real_name, /* already qualified */
+ const char *alias) /* already qualified */
+{
+ errno_t ret, sret;
+ struct group *ngroup = NULL;
+ struct sysdb_attrs *attrs = NULL;
+ TALLOC_CTX *tmp_ctx;
+ time_t now = time(NULL);
+ bool in_transaction = false;
+ char **fq_gr_mem;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = remove_duplicate_group_members(tmp_ctx, grp, &ngroup);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to remove duplicate group members\n");
+ goto done;
+ }
+
+ DEBUG_GR_MEM(SSSDBG_TRACE_LIBS, ngroup);
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ if (ngroup->gr_mem && ngroup->gr_mem[0]) {
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (!attrs) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Allocation error?!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ fq_gr_mem = sss_create_internal_fqname_list(
+ tmp_ctx,
+ (const char *const*) ngroup->gr_mem,
+ dom->name);
+ if (fq_gr_mem == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_users_from_str_list(
+ attrs, SYSDB_MEMBER, dom->name,
+ (const char *const *) fq_gr_mem);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add group members\n");
+ goto done;
+ }
+
+ /* Create ghost users */
+ ret = proxy_process_missing_users(sysdb, dom, attrs,
+ (const char *const*) fq_gr_mem, now);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add missing members\n");
+ goto done;
+ }
+ }
+
+ ret = prepare_attrs_for_saving_ops(tmp_ctx, dom->case_sensitive,
+ real_name, alias, &attrs);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_store_group(dom,
+ real_name,
+ ngroup->gr_gid,
+ attrs,
+ dom->group_timeout,
+ now);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add group to cache\n");
+ goto done;
+ }
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not commit transaction: [%s]\n",
+ strerror(ret));
+ goto done;
+ }
+ in_transaction = false;
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n");
+ }
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t proxy_process_missing_users(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
+ struct sysdb_attrs *group_attrs,
+ const char *const*fq_gr_mem,
+ time_t now)
+{
+ errno_t ret;
+ size_t i;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct ldb_message *msg;
+
+ if (!sysdb || !fq_gr_mem) return EINVAL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ for (i = 0; fq_gr_mem[i]; i++) {
+ ret = sysdb_search_user_by_name(tmp_ctx, domain, fq_gr_mem[i],
+ NULL, &msg);
+ if (ret == EOK) {
+ /* Member already exists in the cache */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Member [%s] already cached\n", fq_gr_mem[i]);
+ /* clean up */
+ talloc_zfree(msg);
+ continue;
+ } else if (ret == ENOENT) {
+ /* No entry for this user. Create a ghost user */
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Member [%s] not cached, creating ghost user entry\n",
+ fq_gr_mem[i]);
+
+ ret = sysdb_attrs_add_string(group_attrs, SYSDB_GHOST, fq_gr_mem[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot store ghost user entry: [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ } else {
+ /* Unexpected error */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Error searching cache for user [%s]: [%s]\n",
+ fq_gr_mem[i], strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/* =Getgrnam-wrapper======================================================*/
+static char *
+grow_group_buffer(TALLOC_CTX *mem_ctx,
+ char **buffer, size_t *buflen)
+{
+ char *newbuf;
+
+ if (*buflen == 0) {
+ *buflen = DEFAULT_BUFSIZE;
+ }
+ if (*buflen < MAX_BUF_SIZE) {
+ *buflen *= 2;
+ }
+ if (*buflen > MAX_BUF_SIZE) {
+ *buflen = MAX_BUF_SIZE;
+ }
+
+ newbuf = talloc_realloc_size(mem_ctx, *buffer, *buflen);
+ if (!newbuf) {
+ return NULL;
+ }
+ *buffer = newbuf;
+
+ return *buffer;
+}
+
+static errno_t
+handle_getgr_result(enum nss_status status, struct group *grp,
+ struct sss_domain_info *dom,
+ bool *delete_group)
+{
+ switch (status) {
+ case NSS_STATUS_TRYAGAIN:
+ DEBUG(SSSDBG_MINOR_FAILURE, "Buffer too small\n");
+ return EAGAIN;
+
+ case NSS_STATUS_NOTFOUND:
+ DEBUG(SSSDBG_MINOR_FAILURE, "Group not found.\n");
+ *delete_group = true;
+ break;
+
+ case NSS_STATUS_SUCCESS:
+ DEBUG(SSSDBG_FUNC_DATA, "Group found: (%s, %"SPRIgid")\n",
+ grp->gr_name, grp->gr_gid);
+
+ /* gid=0 is an invalid value */
+ /* also check that the id is in the valid range for this domain */
+ if (OUT_OF_ID_RANGE(grp->gr_gid, dom->id_min, dom->id_max)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Group filtered out! (id out of range)\n");
+ *delete_group = true;
+ break;
+ }
+ break;
+
+ case NSS_STATUS_UNAVAIL:
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Remote back end is not available. Entering offline mode\n");
+ return ENXIO;
+
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "Unknown return code %d\n", status);
+ return EIO;
+ }
+
+ return EOK;
+}
+
+static int get_gr_name(struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ const char *i_name)
+{
+ TALLOC_CTX *tmpctx;
+ struct group *grp;
+ enum nss_status status;
+ char *buffer = 0;
+ size_t buflen = 0;
+ bool delete_group = false;
+ int ret;
+ gid_t gid;
+ struct ldb_result *cached_grp = NULL;
+ const char *real_name = NULL;
+ char *shortname_or_alias;
+
+ DEBUG(SSSDBG_FUNC_DATA, "Searching group by name (%s)\n", i_name);
+
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ ret = sss_parse_internal_fqname(tmpctx, i_name, &shortname_or_alias, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ grp = talloc(tmpctx, struct group);
+ if (!grp) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "proxy -> getgrnam_r failed for '%s': [%d] %s\n",
+ i_name, ret, strerror(ret));
+ goto done;
+ }
+
+ do {
+ /* always zero out the grp structure */
+ memset(grp, 0, sizeof(struct group));
+ buffer = grow_group_buffer(tmpctx, &buffer, &buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = ctx->ops.getgrnam_r(shortname_or_alias, grp, buffer,
+ buflen, &ret);
+ ret = handle_getgr_result(status, grp, dom, &delete_group);
+ } while (ret == EAGAIN);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getgrnam failed [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ if (delete_group) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Group %s does not exist (or is invalid) on remote server,"
+ " deleting!\n", i_name);
+
+ ret = sysdb_delete_group(dom, i_name, 0);
+ if (ret == ENOENT) {
+ ret = EOK;
+ }
+ goto done;
+ }
+
+ gid = grp->gr_gid;
+
+ /* Canonicalize the group name in case it was actually an alias */
+ if (ctx->fast_alias == true) {
+ ret = sysdb_getgrgid(tmpctx, dom, gid, &cached_grp);
+ if (ret != EOK) {
+ /* Non-fatal, attempt to canonicalize online */
+ DEBUG(SSSDBG_TRACE_FUNC, "Request to cache failed [%d]: %s\n",
+ ret, strerror(ret));
+ }
+
+ if (ret == EOK && cached_grp->count == 1) {
+ real_name = ldb_msg_find_attr_as_string(cached_grp->msgs[0],
+ SYSDB_NAME, NULL);
+ if (!real_name) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cached group has no name?\n");
+ }
+ }
+ }
+
+ if (real_name == NULL) {
+ talloc_zfree(buffer);
+ buflen = 0;
+
+ do {
+ memset(grp, 0, sizeof(struct group));
+ buffer = grow_group_buffer(tmpctx, &buffer, &buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = ctx->ops.getgrgid_r(gid, grp, buffer, buflen, &ret);
+
+ ret = handle_getgr_result(status, grp, dom, &delete_group);
+ } while (ret == EAGAIN);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getgrgid failed [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ real_name = sss_create_internal_fqname(tmpctx, grp->gr_name, dom->name);
+ if (real_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create fqdn '%s'\n",
+ grp->gr_name);
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (delete_group) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Group %s does not exist (or is invalid) on remote server,"
+ " deleting!\n", i_name);
+
+ ret = sysdb_delete_group(dom, i_name, gid);
+ if (ret == ENOENT) {
+ ret = EOK;
+ }
+ goto done;
+ }
+
+ ret = save_group(sysdb, dom, grp, real_name, i_name);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot save group [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+done:
+ talloc_zfree(tmpctx);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "proxy -> getgrnam_r failed for '%s' <%d>: %s\n",
+ i_name, ret, strerror(ret));
+ }
+ return ret;
+}
+
+/* =Getgrgid-wrapper======================================================*/
+static int get_gr_gid(TALLOC_CTX *mem_ctx,
+ struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ gid_t gid,
+ time_t now)
+{
+ TALLOC_CTX *tmpctx;
+ struct group *grp;
+ enum nss_status status;
+ char *buffer = NULL;
+ size_t buflen = 0;
+ bool delete_group = false;
+ int ret;
+ char *name;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Searching group by gid (%"SPRIgid")\n", gid);
+
+ tmpctx = talloc_new(mem_ctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ grp = talloc(tmpctx, struct group);
+ if (!grp) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ do {
+ /* always zero out the grp structure */
+ memset(grp, 0, sizeof(struct group));
+ buffer = grow_group_buffer(tmpctx, &buffer, &buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = ctx->ops.getgrgid_r(gid, grp, buffer, buflen, &ret);
+
+ ret = handle_getgr_result(status, grp, dom, &delete_group);
+ } while (ret == EAGAIN);
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getgrgid failed [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ if (delete_group) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Group %"SPRIgid" does not exist (or is invalid) on remote "
+ "server, deleting!\n", gid);
+
+ ret = sysdb_delete_group(dom, NULL, gid);
+ if (ret == ENOENT) {
+ ret = EOK;
+ }
+ goto done;
+ }
+
+ name = sss_create_internal_fqname(tmpctx, grp->gr_name, dom->name);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = save_group(sysdb, dom, grp, name, NULL);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot save user [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+done:
+ talloc_zfree(tmpctx);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "proxy -> getgrgid_r failed for '%"SPRIgid"' <%d>: %s\n",
+ gid, ret, strerror(ret));
+ }
+ return ret;
+}
+
+/* =Getgrent-wrapper======================================================*/
+
+static int enum_groups(TALLOC_CTX *mem_ctx,
+ struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom)
+{
+ TALLOC_CTX *tmpctx;
+ bool in_transaction = false;
+ struct group *grp;
+ enum nss_status status;
+ size_t buflen;
+ char *buffer;
+ char *newbuf;
+ int ret;
+ errno_t sret;
+ bool again;
+ char *name;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Enumerating groups\n");
+
+ tmpctx = talloc_new(mem_ctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ grp = talloc(tmpctx, struct group);
+ if (!grp) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = talloc_size(tmpctx, buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ status = ctx->ops.setgrent();
+ if (status != NSS_STATUS_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ do {
+ again = false;
+
+ /* always zero out the grp structure */
+ memset(grp, 0, sizeof(struct group));
+
+ /* get entry */
+ status = ctx->ops.getgrent_r(grp, buffer, buflen, &ret);
+
+ switch (status) {
+ case NSS_STATUS_TRYAGAIN:
+ /* buffer too small? */
+ if (buflen < MAX_BUF_SIZE) {
+ buflen *= 2;
+ }
+ if (buflen > MAX_BUF_SIZE) {
+ buflen = MAX_BUF_SIZE;
+ }
+ newbuf = talloc_realloc_size(tmpctx, buffer, buflen);
+ if (!newbuf) {
+ ret = ENOMEM;
+ goto done;
+ }
+ buffer = newbuf;
+ again = true;
+ break;
+
+ case NSS_STATUS_NOTFOUND:
+
+ /* we are done here */
+ DEBUG(SSSDBG_TRACE_LIBS, "Enumeration completed.\n");
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+ break;
+
+ case NSS_STATUS_SUCCESS:
+
+ DEBUG(SSSDBG_OP_FAILURE, "Group found (%s, %"SPRIgid")\n",
+ grp->gr_name, grp->gr_gid);
+
+ /* gid=0 is an invalid value */
+ /* also check that the id is in the valid range for this domain
+ */
+ if (OUT_OF_ID_RANGE(grp->gr_gid, dom->id_min, dom->id_max)) {
+
+ DEBUG(SSSDBG_OP_FAILURE, "Group [%s] filtered out! (id"
+ "out of range)\n", grp->gr_name);
+
+ again = true;
+ break;
+ }
+
+ name = sss_create_internal_fqname(tmpctx, grp->gr_name,
+ dom->name);
+ if (name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to create internal fqname "
+ "Ignoring\n");
+ ret = ENOMEM;
+ }
+ ret = save_group(sysdb, dom, grp, name, NULL);
+ if (ret) {
+ /* Do not fail completely on errors.
+ * Just report the failure to save and go on */
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to store group."
+ "Ignoring\n");
+ }
+ again = true;
+ break;
+
+ case NSS_STATUS_UNAVAIL:
+ /* "remote" backend unavailable. Enter offline mode */
+ ret = ENXIO;
+ break;
+
+ default:
+ ret = EIO;
+ DEBUG(SSSDBG_OP_FAILURE, "proxy -> getgrent_r failed (%d)[%s]"
+ "\n", ret, strerror(ret));
+ break;
+ }
+ } while (again);
+
+done:
+ talloc_zfree(tmpctx);
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ ctx->ops.endgrent();
+ return ret;
+}
+
+
+/* =Initgroups-wrapper====================================================*/
+
+static int get_initgr_groups_process(TALLOC_CTX *memctx,
+ struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ struct passwd *pwd);
+
+static int get_initgr(TALLOC_CTX *mem_ctx,
+ struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ const char *i_name)
+{
+ TALLOC_CTX *tmpctx;
+ bool in_transaction = false;
+ struct passwd *pwd;
+ enum nss_status status;
+ char *buffer;
+ size_t buflen;
+ int ret;
+ errno_t sret;
+ bool del_user;
+ uid_t uid;
+ struct ldb_result *cached_pwd = NULL;
+ const char *real_name = NULL;
+ char *shortname_or_alias;
+
+ tmpctx = talloc_new(mem_ctx);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ ret = sss_parse_internal_fqname(tmpctx, i_name, &shortname_or_alias, NULL);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ pwd = talloc_zero(tmpctx, struct passwd);
+ if (!pwd) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = talloc_size(tmpctx, buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* FIXME: should we move this call outside the transaction to keep the
+ * transaction as short as possible? */
+ status = ctx->ops.getpwnam_r(shortname_or_alias, pwd,
+ buffer, buflen, &ret);
+ ret = handle_getpw_result(status, pwd, dom, &del_user);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getpwnam failed [%d]: %s\n", ret, strerror(ret));
+ goto fail;
+ }
+
+ if (del_user) {
+ ret = delete_user(dom, i_name, 0);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not delete user\n");
+ goto fail;
+ }
+ goto done;
+ }
+
+ uid = pwd->pw_uid;
+ memset(buffer, 0, buflen);
+
+ /* Canonicalize the username in case it was actually an alias */
+ if (ctx->fast_alias == true) {
+ ret = sysdb_getpwuid(tmpctx, dom, uid, &cached_pwd);
+ if (ret != EOK) {
+ /* Non-fatal, attempt to canonicalize online */
+ DEBUG(SSSDBG_TRACE_FUNC, "Request to cache failed [%d]: %s\n",
+ ret, strerror(ret));
+ }
+
+ if (ret == EOK && cached_pwd->count == 1) {
+ real_name = ldb_msg_find_attr_as_string(cached_pwd->msgs[0],
+ SYSDB_NAME, NULL);
+ if (!real_name) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Cached user has no name?\n");
+ }
+ }
+ }
+
+ if (real_name == NULL) {
+ memset(buffer, 0, buflen);
+
+ status = ctx->ops.getpwuid_r(uid, pwd, buffer, buflen, &ret);
+ ret = handle_getpw_result(status, pwd, dom, &del_user);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getpwuid failed [%d]: %s\n", ret, strerror(ret));
+ goto done;
+ }
+
+ real_name = sss_create_internal_fqname(tmpctx, pwd->pw_name, dom->name);
+ if (real_name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (del_user) {
+ ret = delete_user(dom, i_name, uid);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not delete user\n");
+ goto fail;
+ }
+ goto done;
+ }
+
+ ret = save_user(dom, pwd, real_name, i_name);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not save user\n");
+ goto fail;
+ }
+
+ ret = get_initgr_groups_process(tmpctx, ctx, sysdb, dom, pwd);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not process initgroups\n");
+ goto fail;
+ }
+
+done:
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to commit transaction\n");
+ goto fail;
+ }
+ in_transaction = false;
+
+fail:
+ talloc_zfree(tmpctx);
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ return ret;
+}
+
+static int get_initgr_groups_process(TALLOC_CTX *memctx,
+ struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
+ struct passwd *pwd)
+{
+ enum nss_status status;
+ long int limit;
+ long int size;
+ long int num;
+ long int num_gids;
+ gid_t *gids;
+ int ret;
+ int i;
+ time_t now;
+
+ num_gids = 0;
+ limit = 4096;
+ num = 4096;
+ size = num*sizeof(gid_t);
+ gids = talloc_size(memctx, size);
+ if (!gids) {
+ return ENOMEM;
+ }
+
+ /* nss modules may skip the primary group when we pass it in so always add
+ * it in advance */
+ gids[0] = pwd->pw_gid;
+ num_gids++;
+
+ /* FIXME: should we move this call outside the transaction to keep the
+ * transaction as short as possible? */
+ do {
+ status = ctx->ops.initgroups_dyn(pwd->pw_name, pwd->pw_gid, &num_gids,
+ &num, &gids, limit, &ret);
+
+ if (status == NSS_STATUS_TRYAGAIN) {
+ /* buffer too small? */
+ if (size < MAX_BUF_SIZE) {
+ num *= 2;
+ size = num*sizeof(gid_t);
+ }
+ if (size > MAX_BUF_SIZE) {
+ size = MAX_BUF_SIZE;
+ num = size/sizeof(gid_t);
+ }
+ limit = num;
+ gids = talloc_realloc_size(memctx, gids, size);
+ if (!gids) {
+ return ENOMEM;
+ }
+ }
+ } while(status == NSS_STATUS_TRYAGAIN);
+
+ switch (status) {
+ case NSS_STATUS_NOTFOUND:
+ DEBUG(SSSDBG_FUNC_DATA, "The initgroups call returned 'NOTFOUND'. "
+ "Assume the user is only member of its "
+ "primary group (%"SPRIgid")\n", pwd->pw_gid);
+ /* fall through */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ case NSS_STATUS_SUCCESS:
+ DEBUG(SSSDBG_CONF_SETTINGS, "User [%s] appears to be member of %lu "
+ "groups\n", pwd->pw_name, num_gids);
+
+ now = time(NULL);
+ for (i = 0; i < num_gids; i++) {
+ ret = get_gr_gid(memctx, ctx, sysdb, dom, gids[i], now);
+ if (ret) {
+ return ret;
+ }
+ }
+ ret = EOK;
+
+ break;
+
+ default:
+ DEBUG(SSSDBG_OP_FAILURE, "proxy -> initgroups_dyn failed (%d)[%s]\n",
+ ret, strerror(ret));
+ ret = EIO;
+ break;
+ }
+
+ return ret;
+}
+
+/* =Proxy_Id-Functions====================================================*/
+
+static struct dp_reply_std
+proxy_account_info(TALLOC_CTX *mem_ctx,
+ struct proxy_id_ctx *ctx,
+ struct dp_id_data *data,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain)
+{
+ struct dp_reply_std reply;
+ struct sysdb_ctx *sysdb;
+ uid_t uid;
+ gid_t gid;
+ errno_t ret;
+ char *endptr;
+
+ sysdb = domain->sysdb;
+
+ /* Proxy provider does not support security ID lookups. */
+ if (data->filter_type == BE_FILTER_SECID) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ENOSYS,
+ "Security lookups are not supported");
+ return reply;
+ }
+
+ switch (data->entry_type & BE_REQ_TYPE_MASK) {
+ case BE_REQ_USER: /* user */
+ switch (data->filter_type) {
+ case BE_FILTER_ENUM:
+ ret = enum_users(mem_ctx, ctx, sysdb, domain);
+ break;
+
+ case BE_FILTER_NAME:
+ ret = get_pw_name(ctx, domain, data->filter_value);
+ break;
+
+ case BE_FILTER_IDNUM:
+ uid = (uid_t) strtouint32(data->filter_value, &endptr, 10);
+ if (errno || *endptr || (data->filter_value == endptr)) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid attr type");
+ return reply;
+ }
+ ret = get_pw_uid(ctx, domain, uid);
+ break;
+ default:
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid filter type");
+ return reply;
+ }
+ break;
+
+ case BE_REQ_GROUP: /* group */
+ switch (data->filter_type) {
+ case BE_FILTER_ENUM:
+ ret = enum_groups(mem_ctx, ctx, sysdb, domain);
+ break;
+ case BE_FILTER_NAME:
+ ret = get_gr_name(ctx, sysdb, domain, data->filter_value);
+ break;
+ case BE_FILTER_IDNUM:
+ gid = (gid_t) strtouint32(data->filter_value, &endptr, 10);
+ if (errno || *endptr || (data->filter_value == endptr)) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid attr type");
+ return reply;
+ }
+ ret = get_gr_gid(mem_ctx, ctx, sysdb, domain, gid, 0);
+ break;
+ default:
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid filter type");
+ return reply;
+ }
+ break;
+
+ case BE_REQ_INITGROUPS: /* init groups for user */
+ if (data->filter_type != BE_FILTER_NAME) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid filter type");
+ return reply;
+ }
+ if (ctx->ops.initgroups_dyn == NULL) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ENODEV,
+ "Initgroups call not supported");
+ return reply;
+ }
+ ret = get_initgr(mem_ctx, ctx, sysdb, domain, data->filter_value);
+ break;
+
+ case BE_REQ_NETGROUP:
+ if (data->filter_type != BE_FILTER_NAME) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid filter type");
+ return reply;
+ }
+ if (ctx->ops.setnetgrent == NULL || ctx->ops.getnetgrent_r == NULL ||
+ ctx->ops.endnetgrent == NULL) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ENODEV,
+ "Netgroups are not supported");
+ return reply;
+ }
+
+ ret = get_netgroup(ctx, domain, data->filter_value);
+ break;
+
+ case BE_REQ_SERVICES:
+ switch (data->filter_type) {
+ case BE_FILTER_NAME:
+ if (ctx->ops.getservbyname_r == NULL) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ENODEV,
+ "Services are not supported");
+ return reply;
+ }
+ ret = get_serv_byname(ctx, domain,
+ data->filter_value,
+ data->extra_value);
+ break;
+ case BE_FILTER_IDNUM:
+ if (ctx->ops.getservbyport_r == NULL) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ENODEV,
+ "Services are not supported");
+ return reply;
+ }
+ ret = get_serv_byport(ctx, domain,
+ data->filter_value,
+ data->extra_value);
+ break;
+ case BE_FILTER_ENUM:
+ if (!ctx->ops.setservent
+ || !ctx->ops.getservent_r
+ || !ctx->ops.endservent) {
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ENODEV,
+ "Services are not supported");
+ return reply;
+ }
+ ret = enum_services(ctx, sysdb, domain);
+ break;
+ default:
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid filter type");
+ return reply;
+ }
+ break;
+
+ default: /*fail*/
+ dp_reply_std_set(&reply, DP_ERR_FATAL, EINVAL,
+ "Invalid filter type");
+ return reply;
+ }
+
+ if (ret) {
+ if (ret == ENXIO) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "proxy returned UNAVAIL error, going offline!\n");
+ be_mark_offline(be_ctx);
+ }
+
+ dp_reply_std_set(&reply, DP_ERR_FATAL, ret, NULL);
+ return reply;
+ }
+
+ dp_reply_std_set(&reply, DP_ERR_OK, EOK, NULL);
+ return reply;
+}
+
+struct proxy_account_info_handler_state {
+ struct dp_reply_std reply;
+};
+
+struct tevent_req *
+proxy_account_info_handler_send(TALLOC_CTX *mem_ctx,
+ struct proxy_id_ctx *id_ctx,
+ struct dp_id_data *data,
+ struct dp_req_params *params)
+{
+ struct
proxy_account_info_handler_state *state; + struct tevent_req *req; + + req = tevent_req_create(mem_ctx, &state, + struct proxy_account_info_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->reply = proxy_account_info(state, id_ctx, data, params->be_ctx, + params->be_ctx->domain); + + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +errno_t proxy_account_info_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct dp_reply_std *data) +{ + struct proxy_account_info_handler_state *state = NULL; + + state = tevent_req_data(req, struct proxy_account_info_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *data = state->reply; + + return EOK; +} diff --git a/src/providers/proxy/proxy_iface.xml b/src/providers/proxy/proxy_iface.xml new file mode 100644 index 0000000..39b0b03 --- /dev/null +++ b/src/providers/proxy/proxy_iface.xml @@ -0,0 +1,17 @@ + + + + + + + + + + + + + + + + diff --git a/src/providers/proxy/proxy_iface_generated.c b/src/providers/proxy/proxy_iface_generated.c new file mode 100644 index 0000000..9fb5b2c --- /dev/null +++ b/src/providers/proxy/proxy_iface_generated.c 
@@ -0,0 +1,83 @@ +/* The following definitions are auto-generated from proxy_iface.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "proxy_iface_generated.h" + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr); + +/* arguments for org.freedesktop.sssd.ProxyChild.Client.Register */ +const struct sbus_arg_meta iface_proxy_client_Register__in[] = { + { "ID", "u" }, + { NULL, } +}; + +int iface_proxy_client_Register_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.ProxyChild.Client */ +const struct sbus_method_meta iface_proxy_client__methods[] = { + { + "Register", /* name */ + iface_proxy_client_Register__in, + NULL, /* no out_args */ + offsetof(struct iface_proxy_client, Register), + invoke_u_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.ProxyChild.Client */ +const struct sbus_interface_meta iface_proxy_client_meta = { + "org.freedesktop.sssd.ProxyChild.Client", /* name */ + iface_proxy_client__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* methods for org.freedesktop.sssd.ProxyChild.Auth */ +const struct sbus_method_meta iface_proxy_auth__methods[] = { + { + "PAM", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_proxy_auth, PAM), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.ProxyChild.Auth */ +const struct sbus_interface_meta iface_proxy_auth_meta = { + "org.freedesktop.sssd.ProxyChild.Auth", /* name */ + iface_proxy_auth__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* invokes a handler with a 'u' 
DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} diff --git a/src/providers/proxy/proxy_iface_generated.h b/src/providers/proxy/proxy_iface_generated.h new file mode 100644 index 0000000..6471eaf --- /dev/null +++ b/src/providers/proxy/proxy_iface_generated.h 
@@ -0,0 +1,72 @@ +/* The following declarations are auto-generated from proxy_iface.xml */ + +#ifndef __PROXY_IFACE_XML__ +#define __PROXY_IFACE_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for org.freedesktop.sssd.ProxyChild.Client */ +#define IFACE_PROXY_CLIENT "org.freedesktop.sssd.ProxyChild.Client" +#define IFACE_PROXY_CLIENT_REGISTER "Register" + +/* constants for org.freedesktop.sssd.ProxyChild.Auth */ +#define IFACE_PROXY_AUTH "org.freedesktop.sssd.ProxyChild.Auth" +#define IFACE_PROXY_AUTH_PAM "PAM" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. + * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. 
+ */ + +/* vtable for org.freedesktop.sssd.ProxyChild.Client */ +struct iface_proxy_client { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*Register)(struct sbus_request *req, void *data, uint32_t arg_ID); +}; + +/* finish function for Register */ +int iface_proxy_client_Register_finish(struct sbus_request *req); + +/* vtable for org.freedesktop.sssd.ProxyChild.Auth */ +struct iface_proxy_auth { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + sbus_msg_handler_fn PAM; +}; + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. + */ + +/* interface info for org.freedesktop.sssd.ProxyChild.Client */ +extern const struct sbus_interface_meta iface_proxy_client_meta; + +/* interface info for org.freedesktop.sssd.ProxyChild.Auth */ +extern const struct sbus_interface_meta iface_proxy_auth_meta; + +#endif /* __PROXY_IFACE_XML__ */ diff --git a/src/providers/proxy/proxy_init.c b/src/providers/proxy/proxy_init.c new file mode 100644 index 0000000..7d997cb --- /dev/null +++ b/src/providers/proxy/proxy_init.c 
@@ -0,0 +1,406 @@
+/*
+ SSSD
+
+ proxy_init.c
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include "util/sss_format.h"
+#include "providers/proxy/proxy.h"
+
+#define NSS_FN_NAME "_nss_%s_%s"
+
+#define OPT_MAX_CHILDREN_DEFAULT 10
+
+#define ERROR_INITGR "The '%s' library does not provides the " \
+ "_nss_XXX_initgroups_dyn function!\n" \
+ "initgroups will be slow as it will require " \
+ "full groups enumeration!\n"
+#define ERROR_NETGR "The '%s' library does not support netgroups.\n"
+#define ERROR_SERV "The '%s' library does not support services.\n"
+
+static void *proxy_dlsym(void *handle,
+ const char *name,
+ const char *libname)
+{
+ char *funcname;
+ void *funcptr;
+
+ funcname = talloc_asprintf(NULL, NSS_FN_NAME, libname, name);
+ if (funcname == NULL) {
+ return NULL;
+ }
+
+ funcptr = dlsym(handle, funcname);
+ talloc_free(funcname);
+
+ return funcptr;
+}
+
+static errno_t proxy_id_conf(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ char **_libname,
+ char **_libpath,
+ bool *_fast_alias)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *libname;
+ char *libpath;
+ bool fast_alias;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(be_ctx->cdb, tmp_ctx, be_ctx->conf_path,
+ CONFDB_PROXY_LIBNAME, NULL, &libname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ } else if (libname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No library name given\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ ret = confdb_get_bool(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_FAST_ALIAS, false, &fast_alias);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ libpath = talloc_asprintf(tmp_ctx, "libnss_%s.so.2", libname);
+ if (libpath == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_libname = talloc_steal(mem_ctx, libname);
+ *_libpath = talloc_steal(mem_ctx, libpath);
+ *_fast_alias = fast_alias;
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static errno_t proxy_id_load_symbols(struct proxy_nss_ops *ops,
+ const char *libname,
+ void *handle)
+{
+ int i;
+ struct {void **dest;
+ const char *name;
+ const char *custom_error;
+ bool is_fatal;
+ } symbols[] = {
+ {(void**)&ops->getpwnam_r, "getpwnam_r", NULL, true},
+ {(void**)&ops->getpwuid_r, "getpwuid_r", NULL, true},
+ {(void**)&ops->setpwent, "setpwent", NULL, true},
+ {(void**)&ops->getpwent_r, "getpwent_r", NULL, true},
+ {(void**)&ops->endpwent, "endpwent", NULL, true},
+ {(void**)&ops->getgrnam_r, "getgrnam_r", NULL, true},
+ {(void**)&ops->getgrgid_r, "getgrgid_r", NULL, true},
+ {(void**)&ops->setgrent, "setgrent", NULL, true},
+ {(void**)&ops->getgrent_r, "getgrent_r", NULL, true},
+ {(void**)&ops->endgrent, "endgrent", NULL, true},
+ {(void**)&ops->initgroups_dyn, "initgroups_dyn", ERROR_INITGR, false},
+ {(void**)&ops->setnetgrent, "setnetgrent", ERROR_NETGR, false},
+ {(void**)&ops->getnetgrent_r, "getnetgrent_r", ERROR_NETGR, false},
+ {(void**)&ops->endnetgrent, "endnetgrent", ERROR_NETGR, false},
+ {(void**)&ops->getservbyname_r, "getservbyname_r", ERROR_SERV, false},
+ {(void**)&ops->getservbyport_r, "getservbyport_r", ERROR_SERV, false},
+ {(void**)&ops->setservent, "setservent", ERROR_SERV, false},
+ {(void**)&ops->getservent_r, "getservent_r", ERROR_SERV, false},
+ {(void**)&ops->endservent, "endservent", ERROR_SERV, false},
+ {NULL, NULL, NULL, false}
+ };
+
+ for (i = 0; symbols[i].dest != NULL; i++) {
+ *symbols[i].dest = proxy_dlsym(handle, symbols[i].name, libname);
+ if (*symbols[i].dest == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to load _nss_%s_%s, "
+ "error: %s.\n", libname, symbols[i].name, dlerror());
+
+ if (symbols[i].custom_error != NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, symbols[i].custom_error, libname);
+ }
+
+ if (symbols[i].is_fatal) {
+ return ELIBBAD;
+ }
+ }
+ }
+
+ return EOK;
+}
+
+static errno_t proxy_setup_sbus(TALLOC_CTX *mem_ctx,
+ struct proxy_auth_ctx *ctx,
+ struct be_ctx *be_ctx)
+{
+ char *sbus_address;
+ errno_t ret;
+
+ sbus_address = talloc_asprintf(mem_ctx, "unix:path=%s/%s_%s", PIPE_PATH,
+ PROXY_CHILD_PIPE, be_ctx->domain->name);
+ if (sbus_address == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sbus_new_server(mem_ctx, be_ctx->ev, sbus_address, 0, be_ctx->gid,
+ false, &ctx->sbus_srv, proxy_client_init, ctx, NULL);
+ talloc_free(sbus_address);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not set up sbus server.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t proxy_auth_conf(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ char **_pam_target)
+{
+ char *pam_target;
+ errno_t ret;
+
+ ret = confdb_get_string(be_ctx->cdb, mem_ctx, be_ctx->conf_path,
+ CONFDB_PROXY_PAM_TARGET, NULL, &pam_target);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read confdb [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (pam_target == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing option %s.\n",
+ CONFDB_PROXY_PAM_TARGET);
+ return EINVAL;
+ }
+
+ *_pam_target = pam_target;
+
+ return EOK;
+}
+
+static errno_t proxy_init_auth_ctx(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct proxy_auth_ctx **_auth_ctx)
+{
+ struct proxy_auth_ctx *auth_ctx;
+ errno_t ret;
+ int hret;
+ int max_children;
+
+ auth_ctx = talloc_zero(mem_ctx, struct proxy_auth_ctx);
+ if (auth_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ auth_ctx->be = be_ctx;
+ auth_ctx->timeout_ms = SSS_CLI_SOCKET_TIMEOUT / 4;
+ auth_ctx->next_id = 1;
+
+ ret = proxy_auth_conf(auth_ctx, be_ctx, &auth_ctx->pam_target);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = proxy_setup_sbus(auth_ctx, auth_ctx, be_ctx);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Set up request hash table */
+ ret = confdb_get_int(be_ctx->cdb, be_ctx->conf_path,
+ CONFDB_PROXY_MAX_CHILDREN,
+ OPT_MAX_CHILDREN_DEFAULT,
+ &max_children);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to read confdb [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (max_children < 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Option " CONFDB_PROXY_MAX_CHILDREN " must be higher then 0\n");
+ ret = EINVAL;
+ goto done;
+ }
+ auth_ctx->max_children = max_children;
+
+ hret = hash_create(auth_ctx->max_children * 2, &auth_ctx->request_table,
+ NULL, NULL);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not initialize request table\n");
+ ret = EIO;
+ goto done;
+ }
+
+ *_auth_ctx = auth_ctx;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(auth_ctx);
+ }
+
+ return ret;
+}
+
+errno_t sssm_proxy_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ struct data_provider *provider,
+ const char *module_name,
+ void **_module_data)
+{
+ struct proxy_auth_ctx *auth_ctx;
+ errno_t ret;
+
+ if (!dp_target_enabled(provider, module_name,
+ DPT_ACCESS, DPT_AUTH, DPT_CHPASS)) {
+ return EOK;
+ }
+
+ /* Initialize auth_ctx since one of the access, auth or chpass is set. */
+
+ ret = proxy_init_auth_ctx(mem_ctx, be_ctx, &auth_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create auth context [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ *_module_data = auth_ctx;
+
+ return EOK;
+}
+
+errno_t sssm_proxy_id_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ struct proxy_id_ctx *ctx;
+ char *libname;
+ char *libpath;
+ errno_t ret;
+
+ ctx = talloc_zero(mem_ctx, struct proxy_id_ctx);
+ if (ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ctx->be = be_ctx;
+
+ ret = proxy_id_conf(ctx, be_ctx, &libname, &libpath, &ctx->fast_alias);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ctx->handle = dlopen(libpath, RTLD_NOW);
+ if (ctx->handle == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load %s module, "
+ "error: %s\n", libpath, dlerror());
+ ret = ELIBACC;
+ goto done;
+ }
+
+ ret = proxy_id_load_symbols(&ctx->ops, libname, ctx->handle);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to load NSS symbols [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ dp_set_method(dp_methods, DPM_ACCOUNT_HANDLER,
+ proxy_account_info_handler_send, proxy_account_info_handler_recv, ctx,
+ struct proxy_id_ctx, struct dp_id_data, struct dp_reply_std);
+
+ dp_set_method(dp_methods, DPM_ACCT_DOMAIN_HANDLER,
+ default_account_domain_send, default_account_domain_recv, NULL,
+ void, struct dp_get_acct_domain_data, struct dp_reply_std);
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(ctx);
+ }
+
+ return ret;
+}
+
+errno_t sssm_proxy_auth_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ struct proxy_auth_ctx *auth_ctx;
+
+ auth_ctx = talloc_get_type(module_data, struct proxy_auth_ctx);
+
+ dp_set_method(dp_methods, DPM_AUTH_HANDLER,
+ proxy_pam_handler_send, proxy_pam_handler_recv, auth_ctx,
+ struct proxy_auth_ctx, struct pam_data, struct pam_data *);
+
+ return EOK;
+}
+
+errno_t sssm_proxy_chpass_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ return sssm_proxy_auth_init(mem_ctx, be_ctx, module_data, dp_methods);
+}
+
+errno_t sssm_proxy_access_init(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx,
+ void *module_data,
+ struct dp_method *dp_methods)
+{
+ struct proxy_auth_ctx *auth_ctx;
+
+ auth_ctx = talloc_get_type(module_data, struct proxy_auth_ctx);
+
+ dp_set_method(dp_methods, DPM_ACCESS_HANDLER,
+ proxy_pam_handler_send, proxy_pam_handler_recv, auth_ctx,
+ struct proxy_auth_ctx, struct pam_data, struct pam_data *);
+
+ return EOK;
+}
diff --git a/src/providers/proxy/proxy_netgroup.c b/src/providers/proxy/proxy_netgroup.c
new file mode 100644
index 0000000..566af74
--- /dev/null
+++ b/src/providers/proxy/proxy_netgroup.c
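Review bot: `proxy_id_conf()` formats the configured library name straight into `libnss_%s.so.2`, and `sssm_proxy_id_init()` hands the result to `dlopen()` with no check on its contents. A value containing `/` makes `dlopen()` treat the string as a pathname instead of searching the system library directories, so the name is worth rejecting before the `talloc_asprintf()` call: `if (strchr(libname, '/') != NULL) { ret = EINVAL; goto done; }`. Separately, when `proxy_id_load_symbols()` fails, the `done:` path of `sssm_proxy_id_init()` frees `ctx` without closing the handle, so the module stays mapped; add `if (ctx->handle != NULL) dlclose(ctx->handle);` before `talloc_free(ctx);`.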
@@ -0,0 +1,206 @@
+/*
+ SSSD
+
+ Proxy netgroup handler
+
+ Authors:
+
+ Sumit Bose
+
+ Copyright (C) 2010 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/proxy/proxy.h"
+#include "util/util.h"
+
+#define BUFLEN 1024
+
+#define get_triple_el(s) ((s) ? (s) : "")
+
+static errno_t make_netgroup_attr(struct __netgrent netgrent,
+ struct sysdb_attrs *attrs)
+{
+ int ret;
+ char *dummy;
+
+ if (netgrent.type == group_val) {
+ ret =sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_MEMBER,
+ netgrent.val.group);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
+ return ret;
+ }
+ } else if (netgrent.type == triple_val) {
+ dummy = talloc_asprintf(attrs, "(%s,%s,%s)",
+ get_triple_el(netgrent.val.triple.host),
+ get_triple_el(netgrent.val.triple.user),
+ get_triple_el(netgrent.val.triple.domain));
+ if (dummy == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NETGROUP_TRIPLE, dummy);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_attrs_add_string failed.\n");
+ return ret;
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown netgrent entry type [%d].\n", netgrent.type);
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
+static errno_t save_netgroup(struct sss_domain_info *domain,
+ const char *name,
+ struct sysdb_attrs *attrs,
+ bool lowercase,
+ uint64_t cache_timeout)
+{
+ errno_t ret;
+
+ if (lowercase) {
+ ret = sysdb_attrs_add_lc_name_alias(attrs, name);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not add name alias\n");
+ return ret;
+ }
+ }
+
+ ret = sysdb_add_netgroup(domain, name, NULL, attrs, NULL,
+ cache_timeout, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_add_netgroup failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t handle_error(enum nss_status status,
+ struct sss_domain_info *domain, const char *name)
+{
+ errno_t ret;
+
+ switch (status) {
+ case NSS_STATUS_SUCCESS:
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Netgroup lookup succeeded\n");
+ ret = EOK;
+ break;
+
+ case NSS_STATUS_NOTFOUND:
+ DEBUG(SSSDBG_MINOR_FAILURE, "The netgroup was not found\n");
+ ret = sysdb_delete_netgroup(domain, name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot delete netgroup: %d\n", ret);
+ ret = EIO;
+ }
+ break;
+
+ case NSS_STATUS_UNAVAIL:
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "The proxy target did not respond, going offline\n");
+ ret = ENXIO;
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected error looking up netgroup\n");
+ ret = EIO;
+ break;
+ }
+
+ return ret;
+}
+
+errno_t get_netgroup(struct proxy_id_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ struct __netgrent result;
+ enum nss_status status;
+ char buffer[BUFLEN];
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct sysdb_attrs *attrs;
+
+ memset(&result, 0, sizeof(result));
+ status = ctx->ops.setnetgrent(name, &result);
+ if (status != NSS_STATUS_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "setnetgrent failed for netgroup [%s].\n", name);
+ ret = handle_error(status, dom, name);
+ goto done;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_new_attrs failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ do {
+ status = ctx->ops.getnetgrent_r(&result, buffer, BUFLEN, &ret);
+ if (status != NSS_STATUS_SUCCESS &&
+ status != NSS_STATUS_RETURN &&
+ status != NSS_STATUS_NOTFOUND) {
+ ret = handle_error(status, dom, name);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "getnetgrent_r failed for netgroup [%s]: [%d][%s].\n",
+ name, ret, strerror(ret));
+ goto done;
+ }
+
+ if (status == NSS_STATUS_SUCCESS) {
+ ret = make_netgroup_attr(result, attrs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "make_netgroup_attr failed.\n");
+ goto done;
+ }
+ }
+ } while (status != NSS_STATUS_RETURN && status != NSS_STATUS_NOTFOUND);
+
+ status = ctx->ops.endnetgrent(&result);
+ if (status != NSS_STATUS_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "endnetgrent failed.\n");
+ ret = handle_error(status, dom, name);
+ goto done;
+ }
+
+ ret = save_netgroup(dom, name, attrs,
+ !dom->case_sensitive,
+ dom->netgroup_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "save_netgroup failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/providers/proxy/proxy_services.c b/src/providers/proxy/proxy_services.c
new file mode 100644
index 0000000..2f7bbeb
--- /dev/null
+++ b/src/providers/proxy/proxy_services.c
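Review bot: `get_netgroup()` calls `endnetgrent` only on the success path: every `goto done` taken after `setnetgrent` succeeded (a failed `talloc_new` or `sysdb_new_attrs`, a `getnetgrent_r` error, a failing `make_netgroup_attr`) skips it, so whatever state the NSS module attached to `result` is never released. Track whether the enumeration is open and close it in the `done:` block, as sketched below. In the same loop, `ret = handle_error(...)` runs before the `DEBUG` call, so the logged `[%d][%s]` is the mapped return code and not the errno that `getnetgrent_r` reported.

```c
    bool netgr_open = false;   /* new local in get_netgroup() */

    /* … unchanged: setnetgrent call and its failure check … */
    netgr_open = true;

    /* … unchanged: allocations and the getnetgrent_r loop … */
    netgr_open = false;
    status = ctx->ops.endnetgrent(&result);
    /* … unchanged: endnetgrent status check and save_netgroup … */

done:
    if (netgr_open) {
        /* error path: release the enumeration state, ret is kept */
        ctx->ops.endnetgrent(&result);
    }
    talloc_free(tmp_ctx);
```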
@@ -0,0 +1,373 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "providers/proxy/proxy.h"
+#include "util/util.h"
+#include "util/strtonum.h"
+#include "db/sysdb_services.h"
+
+#define BUFLEN 1024
+
+errno_t
+proxy_save_service(struct sss_domain_info *domain,
+ struct servent *svc,
+ bool lowercase,
+ uint64_t cache_timeout)
+{
+ errno_t ret;
+ char *cased_name;
+ const char **protocols;
+ const char **cased_aliases;
+ TALLOC_CTX *tmp_ctx;
+ char *lc_alias = NULL;
+ time_t now = time(NULL);
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ cased_name = sss_get_cased_name(tmp_ctx, svc->s_name,
+ domain->case_preserve);
+ if (!cased_name) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ protocols = talloc_array(tmp_ctx, const char *, 2);
+ if (!protocols) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ protocols[0] = sss_get_cased_name(protocols, svc->s_proto,
+ !lowercase);
+ if (!protocols[0]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ protocols[1] = NULL;
+
+ /* Count the aliases */
+ ret = sss_get_cased_name_list(tmp_ctx,
+ (const char * const *) svc->s_aliases,
+ !lowercase, &cased_aliases);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (domain->case_preserve) {
+ /* Add lowercased alias to allow case-insensitive lookup */
+ lc_alias = sss_tc_utf8_str_tolower(tmp_ctx, svc->s_name);
+ if (lc_alias == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = add_string_to_list(tmp_ctx, lc_alias,
+ discard_const_p(char **, &cased_aliases));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to add lowercased name alias.\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_store_service(domain,
+ cased_name,
+ ntohs(svc->s_port),
+ cased_aliases,
+ protocols,
+ NULL, NULL,
+ cache_timeout,
+ now);
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+get_serv_byname(struct proxy_id_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name,
+ const char *protocol)
+{
+ errno_t ret;
+ enum nss_status status;
+ struct servent *result;
+ TALLOC_CTX *tmp_ctx;
+ char buffer[BUFLEN];
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ result = talloc_zero(tmp_ctx, struct servent);
+ if (!result) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ status = ctx->ops.getservbyname_r(name, protocol, result,
+ buffer, BUFLEN, &ret);
+ if (status != NSS_STATUS_SUCCESS && status != NSS_STATUS_NOTFOUND) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "getservbyname_r failed for service [%s].\n", name);
+ goto done;
+ }
+
+ if (status == NSS_STATUS_NOTFOUND) {
+ /* Make sure we remove it from the cache */
+ ret = sysdb_svc_delete(dom, name, 0, protocol);
+ } else {
+
+ /* Results found. Save them into the cache */
+ ret = proxy_save_service(dom, result,
+ !dom->case_sensitive,
+ dom->service_timeout);
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+get_serv_byport(struct proxy_id_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *be_filter,
+ const char *protocol)
+{
+ errno_t ret;
+ enum nss_status status;
+ struct servent *result;
+ TALLOC_CTX *tmp_ctx;
+ uint16_t port;
+ char buffer[BUFLEN];
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ result = talloc_zero(tmp_ctx, struct servent);
+ if (!result) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ errno = 0;
+ port = htons(strtouint16(be_filter, NULL, 0));
+ if (errno) {
+ ret = errno;
+ goto done;
+ }
+
+ status = ctx->ops.getservbyport_r(port, protocol, result,
+ buffer, BUFLEN, &ret);
+ if (status != NSS_STATUS_SUCCESS && status != NSS_STATUS_NOTFOUND) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "getservbyport_r failed for service [%s].\n", be_filter);
+ goto done;
+ }
+
+ if (status == NSS_STATUS_NOTFOUND) {
+ /* Make sure we remove it from the cache */
+ ret = sysdb_svc_delete(dom, NULL, port, protocol);
+ } else {
+ /* Results found. Save them into the cache */
+ ret = proxy_save_service(dom, result,
+ !dom->case_sensitive,
+ dom->service_timeout);
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t
+enum_services(struct proxy_id_ctx *ctx,
+ struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom)
+{
+ TALLOC_CTX *tmpctx;
+ bool in_transaction = false;
+ struct servent *svc;
+ enum nss_status status;
+ size_t buflen;
+ char *buffer;
+ char *newbuf;
+ errno_t ret, sret;
+ time_t now = time(NULL);
+ const char **protocols;
+ const char **cased_aliases;
+ bool again;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Enumerating services\n");
+
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+ svc = talloc(tmpctx, struct servent);
+ if (!svc) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = talloc_size(tmpctx, buflen);
+ if (!buffer) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ protocols = talloc_zero_array(tmpctx, const char *, 2);
+ if (protocols == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_transaction_start(sysdb);
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ status = ctx->ops.setservent();
+ if (status != NSS_STATUS_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ do {
+ again = false;
+
+ /* always zero out the svc structure */
+ memset(svc, 0, sizeof(struct servent));
+
+ /* get entry */
+ status = ctx->ops.getservent_r(svc, buffer, buflen, &ret);
+
+ switch (status) {
+ case NSS_STATUS_TRYAGAIN:
+ /* buffer too small? */
+ if (buflen < MAX_BUF_SIZE) {
+ buflen *= 2;
+ }
+ if (buflen > MAX_BUF_SIZE) {
+ buflen = MAX_BUF_SIZE;
+ }
+ newbuf = talloc_realloc_size(tmpctx, buffer, buflen);
+ if (!newbuf) {
+ ret = ENOMEM;
+ goto done;
+ }
+ buffer = newbuf;
+ again = true;
+ break;
+
+ case NSS_STATUS_NOTFOUND:
+
+ /* we are done here */
+ DEBUG(SSSDBG_TRACE_FUNC, "Enumeration completed.\n");
+
+ ret = sysdb_transaction_commit(sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+
+ in_transaction = false;
+ break;
+
+ case NSS_STATUS_SUCCESS:
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Service found (%s, %d/%s)\n",
+ svc->s_name, svc->s_port, svc->s_proto);
+
+ protocols[0] = sss_get_cased_name(protocols, svc->s_proto,
+ dom->case_sensitive);
+ if (!protocols[0]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ protocols[1] = NULL;
+
+ ret = sss_get_cased_name_list(tmpctx,
+ (const char * const *) svc->s_aliases,
+ dom->case_sensitive, &cased_aliases);
+ if (ret != EOK) {
+ /* Do not fail completely on errors.
+ * Just report the failure to save and go on */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to store service [%s]. Ignoring.\n",
+ strerror(ret));
+ again = true;
+ break;
+ }
+
+ ret = sysdb_store_service(dom,
+ svc->s_name,
+ svc->s_port,
+ cased_aliases,
+ protocols,
+ NULL, NULL,
+ dom->service_timeout,
+ now);
+ if (ret) {
+ /* Do not fail completely on errors.
+ * Just report the failure to save and go on */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to store service [%s]. Ignoring.\n",
+ strerror(ret));
+ }
+ again = true;
+ break;
+
+ case NSS_STATUS_UNAVAIL:
+ /* "remote" backend unavailable. Enter offline mode */
+ ret = ENXIO;
+ break;
+
+ default:
+ ret = EIO;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "proxy -> getservent_r failed (%d)[%s]\n",
+ ret, strerror(ret));
+ break;
+ }
+ } while (again);
+
+done:
+ talloc_zfree(tmpctx);
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not cancel transaction! [%s]\n",
+ strerror(sret));
+ }
+ }
+ ctx->ops.endservent();
+ return ret;
+}
diff --git a/src/providers/simple/simple_access.c b/src/providers/simple/simple_access.c
new file mode 100644
index 0000000..1868569
--- /dev/null
+++ b/src/providers/simple/simple_access.c
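Review bot: Port byte order is handled inconsistently in this file: `proxy_save_service()` stores `ntohs(svc->s_port)`, but `enum_services()` passes `svc->s_port` unconverted to `sysdb_store_service()`, and `get_serv_byport()` hands the `htons()`-converted `port` to `sysdb_svc_delete()`. If the cache keeps ports in host order, as the save path suggests, enumeration caches a byte-swapped port on little-endian hosts and the not-found branch never removes the stale entry; use `ntohs(svc->s_port)` in `enum_services()` and `ntohs(port)` in the `sysdb_svc_delete()` call. Separately, the `NSS_STATUS_TRYAGAIN` case sets `again = true` even when `buflen` is already `MAX_BUF_SIZE`, so a module that keeps returning TRYAGAIN never leaves the loop; once the cap is reached, set `ret = ERANGE;` and `break` without setting `again`.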
@@ -0,0 +1,332 @@ +/* + SSSD + + Simple access control + + Copyright (C) Sumit Bose 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "providers/simple/simple_access.h" +#include "providers/simple/simple_access_pvt.h" +#include "util/sss_utf8.h" +#include "providers/backend.h" +#include "db/sysdb.h" + +#define CONFDB_SIMPLE_ALLOW_USERS "simple_allow_users" +#define CONFDB_SIMPLE_DENY_USERS "simple_deny_users" + +#define CONFDB_SIMPLE_ALLOW_GROUPS "simple_allow_groups" +#define CONFDB_SIMPLE_DENY_GROUPS "simple_deny_groups" + +#define TIMEOUT_OF_REFRESH_FILTER_LISTS 5 + +static errno_t simple_access_parse_names(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + char **list, + char ***_out) +{ + TALLOC_CTX *tmp_ctx = NULL; + char **out = NULL; + size_t size; + size_t i; + errno_t ret; + char *domname = NULL; + char *shortname = NULL; + struct sss_domain_info *domain; + + if (list == NULL) { + *_out = NULL; + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + ret = ENOMEM; + goto done; + } + + for (size = 0; list[size] != NULL; size++) { + /* count size */ + } + + out = talloc_zero_array(tmp_ctx, char*, size + 1); + if (out == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + /* Since this is access provider, we should fail on any error so we don't + * allow 
unauthorized access. */ + for (i = 0; i < size; i++) { + ret = sss_parse_name(tmp_ctx, be_ctx->domain->names, list[i], + &domname, &shortname); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_parse_name failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (domname != NULL) { + domain = find_domain_by_name(be_ctx->domain, domname, true); + if (domain == NULL) { + ret = ERR_DOMAIN_NOT_FOUND; + goto done; + } + } else { + domain = be_ctx->domain; + } + + out[i] = sss_create_internal_fqname(out, shortname, domain->name); + if (out[i] == NULL) { + ret = EIO; + goto done; + } + } + + *_out = talloc_steal(mem_ctx, out); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int simple_access_obtain_filter_lists(struct simple_ctx *ctx) +{ + struct be_ctx *bectx = ctx->be_ctx; + int ret; + int i; + struct { + const char *name; + const char *option; + char **orig_list; + char ***ctx_list; + } lists[] = {{"Allow users", CONFDB_SIMPLE_ALLOW_USERS, NULL, NULL}, + {"Deny users", CONFDB_SIMPLE_DENY_USERS, NULL, NULL}, + {"Allow groups", CONFDB_SIMPLE_ALLOW_GROUPS, NULL, NULL}, + {"Deny groups", CONFDB_SIMPLE_DENY_GROUPS, NULL, NULL}, + {NULL, NULL, NULL, NULL}}; + + lists[0].ctx_list = &ctx->allow_users; + lists[1].ctx_list = &ctx->deny_users; + lists[2].ctx_list = &ctx->allow_groups; + lists[3].ctx_list = &ctx->deny_groups; + + ret = sysdb_master_domain_update(bectx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_FUNC_DATA, "Update of master domain failed [%d]: %s.\n", + ret, sss_strerror(ret)); + goto failed; + } + + for (i = 0; lists[i].name != NULL; i++) { + ret = confdb_get_string_as_list(bectx->cdb, ctx, bectx->conf_path, + lists[i].option, &lists[i].orig_list); + if (ret == ENOENT) { + DEBUG(SSSDBG_FUNC_DATA, "%s list is empty.\n", lists[i].name); + *lists[i].ctx_list = NULL; + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string_as_list failed.\n"); + goto failed; + } + + ret = simple_access_parse_names(ctx, 
bectx, lists[i].orig_list, + lists[i].ctx_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse %s list [%d]: %s\n", + lists[i].name, ret, sss_strerror(ret)); + goto failed; + } + } + + if (!ctx->allow_users && + !ctx->allow_groups && + !ctx->deny_users && + !ctx->deny_groups) { + DEBUG(SSSDBG_OP_FAILURE, + "No rules supplied for simple access provider. " + "Access will be granted for all users.\n"); + } + return EOK; + +failed: + return ret; +} + +struct simple_access_handler_state { + struct pam_data *pd; +}; + +static void simple_access_handler_done(struct tevent_req *subreq); + +struct tevent_req * +simple_access_handler_send(TALLOC_CTX *mem_ctx, + struct simple_ctx *simple_ctx, + struct pam_data *pd, + struct dp_req_params *params) +{ + struct simple_access_handler_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + time_t now; + + req = tevent_req_create(mem_ctx, &state, + struct simple_access_handler_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->pd = pd; + + pd->pam_status = PAM_SYSTEM_ERR; + if (pd->cmd != SSS_PAM_ACCT_MGMT) { + DEBUG(SSSDBG_CONF_SETTINGS, + "simple access does not handle pam task %d.\n", pd->cmd); + pd->pam_status = PAM_MODULE_UNKNOWN; + goto immediately; + } + + now = time(NULL); + if ((now - simple_ctx->last_refresh_of_filter_lists) + > TIMEOUT_OF_REFRESH_FILTER_LISTS) { + + ret = simple_access_obtain_filter_lists(simple_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to refresh filter lists, denying all access\n"); + pd->pam_status = PAM_PERM_DENIED; + goto immediately; + } + simple_ctx->last_refresh_of_filter_lists = now; + } + + subreq = simple_access_check_send(state, params->ev, simple_ctx, pd->user); + if (subreq == NULL) { + pd->pam_status = PAM_SYSTEM_ERR; + goto immediately; + } + + tevent_req_set_callback(subreq, simple_access_handler_done, req); + + return req; + +immediately: + /* 
TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); + tevent_req_post(req, params->ev); + + return req; +} + +static void simple_access_handler_done(struct tevent_req *subreq) +{ + struct simple_access_handler_state *state; + struct tevent_req *req; + bool access_granted; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct simple_access_handler_state); + + ret = simple_access_check_recv(subreq, &access_granted); + talloc_free(subreq); + if (ret != EOK) { + state->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + if (access_granted) { + state->pd->pam_status = PAM_SUCCESS; + } else { + state->pd->pam_status = PAM_PERM_DENIED; + } + +done: + /* TODO For backward compatibility we always return EOK to DP now. */ + tevent_req_done(req); +} + +errno_t +simple_access_handler_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct pam_data **_data) +{ + struct simple_access_handler_state *state = NULL; + + state = tevent_req_data(req, struct simple_access_handler_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_data = talloc_steal(mem_ctx, state->pd); + + return EOK; +} + +errno_t sssm_simple_access_init(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + void *module_data, + struct dp_method *dp_methods) +{ + struct simple_ctx *ctx; + int ret; + int i; + char *simple_list_values = NULL; + const char *simple_access_lists[] = {CONFDB_SIMPLE_ALLOW_USERS, + CONFDB_SIMPLE_DENY_USERS, + CONFDB_SIMPLE_ALLOW_GROUPS, + CONFDB_SIMPLE_DENY_GROUPS, + NULL}; + + ctx = talloc_zero(mem_ctx, struct simple_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed.\n"); + return ENOMEM; + } + + for (i = 0; simple_access_lists[i] != NULL; i++) { + ret = confdb_get_string(be_ctx->cdb, mem_ctx, be_ctx->conf_path, + simple_access_lists[i], NULL, + &simple_list_values); + + if (simple_list_values == NULL) { + continue; + } else if (ret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "confdb_get_string failed.\n"); + return ret; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "%s values: [%s]\n", + simple_access_lists[i], + simple_list_values); + } + + ctx->domain = be_ctx->domain; + ctx->be_ctx = be_ctx; + ctx->last_refresh_of_filter_lists = 0; + + dp_set_method(dp_methods, DPM_ACCESS_HANDLER, + simple_access_handler_send, simple_access_handler_recv, ctx, + struct simple_ctx, struct pam_data, struct pam_data *); + + return EOK; +} diff --git a/src/providers/simple/simple_access.h b/src/providers/simple/simple_access.h new file mode 100644 index 0000000..a618b2e --- /dev/null +++ b/src/providers/simple/simple_access.h @@ -0,0 +1,47 @@ +/* + SSSD + + Simple access control + + Copyright (C) Sumit Bose 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SIMPLE_ACCESS_H__ +#define __SIMPLE_ACCESS_H__ + +#include "util/util.h" + +struct simple_ctx { + struct sss_domain_info *domain; + struct be_ctx *be_ctx; + + char **allow_users; + char **deny_users; + char **allow_groups; + char **deny_groups; + + time_t last_refresh_of_filter_lists; +}; + +struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct simple_ctx *ctx, + const char *username); + +errno_t simple_access_check_recv(struct tevent_req *req, + bool *access_granted); + +#endif /* __SIMPLE_ACCESS_H__ */ 
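Review bot: In simple_access.c, `simple_access_obtain_filter_lists()` overwrites `ctx->allow_users`, `deny_users`, `allow_groups` and `deny_groups` on every refresh without releasing the previous arrays, and the raw `orig_list` it reads with `ctx` as the allocation context is never freed either. `simple_access_handler_send()` calls it whenever more than `TIMEOUT_OF_REFRESH_FILTER_LISTS` seconds have passed since the last refresh, so the long-lived `simple_ctx` presumably keeps growing for as long as access requests arrive. I would parse each list into a local pointer, free the raw strings, and swap the new list in only after the parse succeeded. That way a failed refresh also never leaves a rule list half replaced while an earlier check is still waiting on group resolution. The `ENOENT` branch should release the old list the same way instead of only assigning NULL.

```c
    for (i = 0; lists[i].name != NULL; i++) {
        char **parsed = NULL;

        /* … unchanged: confdb_get_string_as_list() call … */
        if (ret == ENOENT) {
            /* … unchanged: "list is empty" message … */
            talloc_zfree(*lists[i].ctx_list);
            continue;
        } else if (ret != EOK) {
            /* … unchanged: log and goto failed … */
        }

        ret = simple_access_parse_names(ctx, bectx, lists[i].orig_list,
                                        &parsed);
        /* The raw configuration strings are no longer needed. */
        talloc_zfree(lists[i].orig_list);
        if (ret != EOK) {
            /* … unchanged: log and goto failed … */
        }

        /* Replace the old list only once the new one is complete. */
        talloc_zfree(*lists[i].ctx_list);
        *lists[i].ctx_list = parsed;
    }
```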
diff --git a/src/providers/simple/simple_access_check.c b/src/providers/simple/simple_access_check.c new file mode 100644 index 0000000..c0ba62b --- /dev/null +++ b/src/providers/simple/simple_access_check.c 
@@ -0,0 +1,847 @@ +/* + SSSD + + Simple access control + + Copyright (C) Sumit Bose 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "providers/backend.h" +#include "providers/simple/simple_access.h" +#include "util/sss_utf8.h" +#include "db/sysdb.h" + +#define NON_EXIST_USR_ALLOW "The user %s does not exist. Possible typo in simple_allow_users.\n" +#define NON_EXIST_USR_DENY "The user %s does not exist. Possible typo in simple_deny_users.\n" +#define NON_EXIST_GRP_ALLOW "The group %s does not exist. Possible typo in simple_allow_groups.\n" +#define NON_EXIST_GRP_DENY "The group %s does not exist. 
Possible typo in simple_deny_groups.\n" + +static bool +is_posix(const struct ldb_message *group) +{ + const char *val; + + val = ldb_msg_find_attr_as_string(group, SYSDB_POSIX, NULL); + if (!val || /* Groups are posix by default */ + strcasecmp(val, "TRUE") == 0) { + return true; + } + + return false; +} + +/* Returns EOK if the result is definitive, EAGAIN if only partial result + */ +static errno_t +simple_check_users(struct simple_ctx *ctx, const char *username, + bool *access_granted) +{ + struct sss_domain_info *domain = NULL; + int i; + + /* First, check whether the user is in the allowed users list */ + if (ctx->allow_users != NULL) { + for(i = 0; ctx->allow_users[i] != NULL; i++) { + DEBUG(SSSDBG_TRACE_ALL, + "Checking against allow list username [%s].\n", + ctx->allow_users[i]); + domain = find_domain_by_object_name(ctx->domain, + ctx->allow_users[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_ALLOW, + ctx->allow_users[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_USR_ALLOW, + ctx->allow_users[i]); + continue; + } + + if (sss_string_equal(domain->case_sensitive, username, + ctx->allow_users[i])) { + DEBUG(SSSDBG_TRACE_LIBS, + "User [%s] found in allow list, access granted.\n", + username); + + /* Do not return immediately on explicit allow + * We need to make sure none of the user's groups + * are denied. But there's no need to check username + * matches any more. + */ + *access_granted = true; + break; + } + } + } else if (!ctx->allow_groups) { + /* If neither allow rule is in place, we'll assume allowed + * unless a deny rule disables us below. 
+ */ + DEBUG(SSSDBG_TRACE_LIBS, + "No allow rule, assuming allow unless explicitly denied\n"); + *access_granted = true; + } + + /* Next check whether this user has been specifically denied */ + if (ctx->deny_users != NULL) { + for(i = 0; ctx->deny_users[i] != NULL; i++) { + DEBUG(SSSDBG_TRACE_ALL, + "Checking against deny list username [%s].\n", + ctx->deny_users[i]); + domain = find_domain_by_object_name(ctx->domain, + ctx->deny_users[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_USR_DENY, + ctx->deny_users[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_USR_DENY, + ctx->deny_users[i]); + return EINVAL; + } + + if (sss_string_equal(domain->case_sensitive, username, + ctx->deny_users[i])) { + DEBUG(SSSDBG_TRACE_LIBS, + "User [%s] found in deny list, access denied.\n", + ctx->deny_users[i]); + + /* Return immediately on explicit denial */ + *access_granted = false; + return EOK; + } + } + } + + return EAGAIN; +} + +static errno_t +simple_check_groups(struct simple_ctx *ctx, const char **group_names, + bool *access_granted) +{ + struct sss_domain_info *domain = NULL; + bool matched; + int i, j; + + /* Now process allow and deny group rules + * If access was already granted above, we'll skip + * this redundant rule check + */ + if (ctx->allow_groups && !*access_granted) { + matched = false; + for (i = 0; ctx->allow_groups[i]; i++) { + DEBUG(SSSDBG_TRACE_ALL, + "Checking against allow list group name [%s].\n", + ctx->allow_groups[i]); + domain = find_domain_by_object_name(ctx->domain, + ctx->allow_groups[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_ALLOW, + ctx->allow_groups[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_ALLOW, + ctx->allow_groups[i]); + + continue; + } + + for(j = 0; group_names[j]; j++) { + if (sss_string_equal(domain->case_sensitive, + group_names[j], ctx->allow_groups[i])) { + matched = true; + break; + } + } + + /* If any group has matched, we can skip out on the + * processing early + */ + if (matched) { + 
DEBUG(SSSDBG_TRACE_LIBS, + "Group [%s] found in allow list, access granted.\n", + group_names[j]); + *access_granted = true; + break; + } + } + } + + /* Finally, process the deny group rules */ + if (ctx->deny_groups) { + matched = false; + for (i = 0; ctx->deny_groups[i]; i++) { + DEBUG(SSSDBG_TRACE_ALL, + "Checking against deny list group name [%s].\n", + ctx->deny_groups[i]); + domain = find_domain_by_object_name(ctx->domain, + ctx->deny_groups[i]); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, NON_EXIST_GRP_DENY, + ctx->deny_groups[i]); + sss_log(SSS_LOG_CRIT, NON_EXIST_GRP_DENY, + ctx->deny_groups[i]); + + return EINVAL; + } + + for(j = 0; group_names[j]; j++) { + if (sss_string_equal(domain->case_sensitive, + group_names[j], ctx->deny_groups[i])) { + matched = true; + break; + } + } + + /* If any group has matched, we can skip out on the + * processing early + */ + if (matched) { + DEBUG(SSSDBG_TRACE_LIBS, + "Group [%s] found in deny list, access denied.\n", + group_names[j]); + *access_granted = false; + break; + } + } + } + + return EOK; +} + +struct simple_resolve_group_state { + struct sss_domain_info *domain; + gid_t gid; + struct simple_ctx *ctx; + + const char *name; +}; + +static errno_t +simple_resolve_group_check(struct simple_resolve_group_state *state); +static void simple_resolve_group_done(struct tevent_req *subreq); + +static struct tevent_req * +simple_resolve_group_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct simple_ctx *ctx, + struct sss_domain_info *domain, + gid_t gid) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct simple_resolve_group_state *state; + struct dp_id_data *ar; + + req = tevent_req_create(mem_ctx, &state, + struct simple_resolve_group_state); + if (!req) return NULL; + + state->domain = domain; + state->gid = gid; + state->ctx = ctx; + + /* First check if the group was updated already. 
If it was (maybe its + * parent was updated first), then just shortcut */ + ret = simple_resolve_group_check(state); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_LIBS, "Group already updated\n"); + ret = EOK; + goto done; + } else if (ret != EAGAIN) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot check if group was already updated [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + /* EAGAIN - still needs update */ + + ar = talloc(state, struct dp_id_data); + if (!ar) { + ret = ENOMEM; + goto done; + } + + ar->entry_type = BE_REQ_GROUP; + ar->filter_type = BE_FILTER_IDNUM; + ar->filter_value = talloc_asprintf(ar, "%llu", (unsigned long long) gid); + ar->domain = talloc_strdup(ar, state->domain->name); + if (!ar->domain || !ar->filter_value) { + ret = ENOMEM; + goto done; + } + + subreq = dp_req_send(state, ctx->be_ctx->provider, NULL, ar->domain, + "Simple Resolve Group", DPT_ID, DPM_ACCOUNT_HANDLER, + 0, ar, NULL); + if (!subreq) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, simple_resolve_group_done, req); + + return req; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t +simple_resolve_group_check(struct simple_resolve_group_state *state) +{ + errno_t ret; + struct ldb_message *group; + const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX, + SYSDB_GIDNUM, NULL }; + + /* Check the cache by GID again and fetch the name */ + ret = sysdb_search_group_by_gid(state, state->domain, state->gid, + group_attrs, &group); + if (ret == ENOENT) { + /* The group is missing, we will try to update it. 
*/ + return EAGAIN; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not look up group by gid [%"SPRIgid"]: [%d][%s]\n", + state->gid, ret, sss_strerror(ret)); + return ret; + } + + state->name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); + if (!state->name) { + DEBUG(SSSDBG_OP_FAILURE, "No group name\n"); + return ERR_ACCOUNT_UNKNOWN; + } + + if (is_posix(group) == false) { + DEBUG(SSSDBG_TRACE_LIBS, + "The group is still non-POSIX\n"); + return EAGAIN; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Got POSIX group\n"); + return EOK; +} + +static void simple_resolve_group_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct simple_resolve_group_state *state; + struct dp_reply_std *reply; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct simple_resolve_group_state); + + ret = dp_req_recv_ptr(state, subreq, struct dp_reply_std, &reply); + talloc_zfree(subreq); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "dp_req_recv failed\n"); + tevent_req_error(req, ret); + return; + } + + if (reply->dp_error != DP_ERR_OK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot refresh data from DP: %u,%u: %s\n", + reply->dp_error, reply->error, reply->message); + tevent_req_error(req, EIO); + return; + } + + /* Check the cache by GID again and fetch the name */ + ret = simple_resolve_group_check(state); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Refresh failed\n"); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t +simple_resolve_group_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + const char **name) +{ + struct simple_resolve_group_state *state; + + state = tevent_req_data(req, struct simple_resolve_group_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *name = talloc_strdup(mem_ctx, state->name); + return EOK; +} + +struct simple_group { + struct sss_domain_info *domain; + gid_t gid; +}; + +struct simple_check_groups_state { + struct tevent_context 
*ev; + struct simple_ctx *ctx; + struct sss_domain_info *domain; + + struct simple_group *lookup_groups; + size_t num_groups; + size_t giter; + + const char **group_names; + size_t num_names; + + bool failed_to_resolve_groups; +}; + +static void simple_check_get_groups_next(struct tevent_req *subreq); + +static errno_t +simple_check_get_groups_primary(struct simple_check_groups_state *state, + gid_t gid); +static errno_t +simple_check_process_group(struct simple_check_groups_state *state, + struct ldb_message *group); + +static struct tevent_req * +simple_check_get_groups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct simple_ctx *ctx, + const char *username) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct simple_check_groups_state *state; + const char *attrs[] = { SYSDB_NAME, SYSDB_POSIX, SYSDB_GIDNUM, + SYSDB_SID_STR, NULL }; + size_t group_count; + struct ldb_message *user; + struct ldb_message **groups; + int i; + gid_t gid; + + req = tevent_req_create(mem_ctx, &state, + struct simple_check_groups_state); + if (!req) return NULL; + + state->ev = ev; + state->ctx = ctx; + state->failed_to_resolve_groups = false; + + DEBUG(SSSDBG_TRACE_LIBS, "Looking up groups for user %s\n", username); + + /* get domain from username */ + state->domain = find_domain_by_object_name(ctx->domain, username); + if (state->domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid user %s!\n", username); + ret = EINVAL; + goto done; + } + + ret = sysdb_search_user_by_name(state, state->domain, username, attrs, + &user); + if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, "No such user %s\n", username); + ret = ERR_ACCOUNT_UNKNOWN; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not look up username [%s]: [%d][%s]\n", + username, ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_asq_search(state, state->domain, + user->dn, NULL, SYSDB_MEMBEROF, + attrs, &group_count, &groups); + if (ret != EOK) { + goto 
done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "User %s is a member of %zu supplemental groups\n", + username, group_count); + + /* One extra space for terminator, one extra space for private group */ + state->group_names = talloc_zero_array(state, const char *, group_count + 2); + state->lookup_groups = talloc_zero_array(state, struct simple_group, + group_count + 2); + if (!state->group_names || !state->lookup_groups) { + ret = ENOMEM; + goto done; + } + + for (i=0; i < group_count; i++) { + /* Some providers (like the AD provider) might perform initgroups + * without resolving the group names. In order for the simple access + * provider to work correctly, we need to resolve the groups before + * performing the access check. In AD provider, the situation is + * even more tricky b/c the groups HAVE name, but their name + * attribute is set to SID and they are set as non-POSIX + */ + ret = simple_check_process_group(state, groups[i]); + if (ret != EOK) { + goto done; + } + } + + gid = ldb_msg_find_attr_as_uint64(user, SYSDB_GIDNUM, 0); + if (!gid) { + DEBUG(SSSDBG_MINOR_FAILURE, "User %s has no gid?\n", username); + ret = EINVAL; + goto done; + } + + ret = simple_check_get_groups_primary(state, gid); + if (ret != EOK) { + goto done; + } + + if (state->num_groups == 0) { + /* If all groups could have been resolved by name, we are + * done + */ + DEBUG(SSSDBG_TRACE_FUNC, "All groups had name attribute\n"); + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Need to resolve %zu groups\n", + state->num_groups); + state->giter = 0; + subreq = simple_resolve_group_send(req, state->ev, state->ctx, + state->lookup_groups[state->giter].domain, + state->lookup_groups[state->giter].gid); + if (!subreq) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, simple_check_get_groups_next, req); + + return req; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static 
void simple_check_get_groups_next(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct simple_check_groups_state *state = + tevent_req_data(req, struct simple_check_groups_state); + errno_t ret; + + ret = simple_resolve_group_recv(subreq, state->group_names, + &state->group_names[state->num_names]); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not resolve name of group with GID %"SPRIgid"\n", + state->lookup_groups[state->giter].gid); + state->failed_to_resolve_groups = true; + } else { + state->num_names++; + } + state->giter++; + + if (state->giter < state->num_groups) { + subreq = simple_resolve_group_send(req, state->ev, state->ctx, + state->lookup_groups[state->giter].domain, + state->lookup_groups[state->giter].gid); + if (!subreq) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, simple_check_get_groups_next, req); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "All groups resolved. Done.\n"); + tevent_req_done(req); +} + +static errno_t +simple_check_process_group(struct simple_check_groups_state *state, + struct ldb_message *group) +{ + const char *name; + const char *group_sid; + struct sss_domain_info *domain; + gid_t gid; + bool posix; + + posix = is_posix(group); + name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); + gid = ldb_msg_find_attr_as_uint64(group, SYSDB_GIDNUM, 0); + + /* With the current sysdb layout, every group has a name */ + if (name == NULL) { + return EINVAL; + } + + if (gid == 0) { + if (posix == true) { + DEBUG(SSSDBG_CRIT_FAILURE, "POSIX group without GID\n"); + return EINVAL; + } + + /* Non-POSIX group with a name. 
Still can be used for access + * control as the name should point to the real name, no SID + */ + state->group_names[state->num_names] = talloc_strdup(state->group_names, + name); + if (!state->group_names[state->num_names]) { + return ENOMEM; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name); + state->num_names++; + return EOK; + } + + /* Here are only groups with a name and gid. POSIX group can already + * be used, non-POSIX groups can be resolved */ + if (posix) { + state->group_names[state->num_names] = talloc_strdup(state->group_names, + name); + if (!state->group_names[state->num_names]) { + return ENOMEM; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Adding group %s\n", name); + state->num_names++; + return EOK; + } + + /* Try to get group SID and assign it a domain */ + group_sid = ldb_msg_find_attr_as_string(group, SYSDB_SID_STR, NULL); + if (group_sid == NULL) { + /* We will look it up in main domain. */ + domain = state->ctx->domain; + } else { + domain = find_domain_by_sid(state->ctx->domain, group_sid); + if (domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "There is no domain information for " + "SID %s\n", group_sid); + return ENOENT; + } + } + + /* It is a non-POSIX group with a GID. 
Needs resolving */ + state->lookup_groups[state->num_groups].domain = domain; + state->lookup_groups[state->num_groups].gid = gid; + DEBUG(SSSDBG_TRACE_INTERNAL, "Adding GID %"SPRIgid"\n", gid); + state->num_groups++; + return EOK; +} + +static errno_t +simple_check_get_groups_primary(struct simple_check_groups_state *state, + gid_t gid) +{ + errno_t ret; + const char *group_attrs[] = { SYSDB_NAME, SYSDB_POSIX, + SYSDB_GIDNUM, SYSDB_SID_STR, NULL }; + struct ldb_message *msg; + + ret = sysdb_search_group_by_gid(state, state->domain, gid, group_attrs, + &msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not look up primary group [%"SPRIgid"]: [%d][%s]\n", + gid, ret, sss_strerror(ret)); + /* We have to treat this as non-fatal, because the primary + * group may be local to the machine and not available in + * our ID provider. + */ + } else { + ret = simple_check_process_group(state, msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot process primary group\n"); + return ret; + } + } + + return EOK; +} + +static errno_t +simple_check_get_groups_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + const char ***_group_names) +{ + struct simple_check_groups_state *state; + + state = tevent_req_data(req, struct simple_check_groups_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_group_names = talloc_steal(mem_ctx, state->group_names); + if (state->failed_to_resolve_groups) { + return ERR_SIMPLE_GROUPS_MISSING; + } + return EOK; +} + +struct simple_access_check_state { + bool access_granted; + struct simple_ctx *ctx; + const char *username; + + const char **group_names; +}; + +static void simple_access_check_done(struct tevent_req *subreq); + +struct tevent_req *simple_access_check_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct simple_ctx *ctx, + const char *username) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct simple_access_check_state *state; + + req = tevent_req_create(mem_ctx, &state, + 
struct simple_access_check_state); + if (!req) return NULL; + + state->access_granted = false; + state->ctx = ctx; + state->username = talloc_strdup(state, username); + if (!state->username) { + ret = ENOMEM; + goto immediate; + } + + DEBUG(SSSDBG_FUNC_DATA, "Simple access check for %s\n", username); + + ret = simple_check_users(ctx, username, &state->access_granted); + if (ret == EOK) { + goto immediate; + } else if (ret != EAGAIN) { + ret = ERR_INTERNAL; + goto immediate; + } + + /* EAGAIN -- check groups */ + + if (!ctx->allow_groups && !ctx->deny_groups) { + /* There are no group restrictions, so just return + * here with whatever we've decided. + */ + DEBUG(SSSDBG_TRACE_LIBS, "No group restrictions, end request\n"); + ret = EOK; + goto immediate; + } + + /* The group names might not be available. Fire a request to + * gather them. In most cases, the request will just shortcut + */ + subreq = simple_check_get_groups_send(state, ev, ctx, username); + if (!subreq) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, simple_access_check_done, req); + + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + + +static void simple_access_check_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct simple_access_check_state *state = + tevent_req_data(req, struct simple_access_check_state); + errno_t ret; + + /* We know the names now. Run the check. 
*/ + ret = simple_check_get_groups_recv(subreq, state, &state->group_names); + + talloc_zfree(subreq); + if (ret == ENOENT) { + /* If the user wasn't found, just shortcut */ + state->access_granted = false; + tevent_req_done(req); + return; + } else if (ret == ERR_SIMPLE_GROUPS_MISSING) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not collect groups of user %s\n", state->username); + if (state->ctx->deny_groups == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "But no deny groups were defined so we can continue.\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Some deny groups were defined, we can't continue\n"); + tevent_req_error(req, ret); + return; + } + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not collect groups of user %s\n", state->username); + tevent_req_error(req, ret); + return; + } + + ret = simple_check_groups(state->ctx, state->group_names, + &state->access_granted); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not check group access [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ERR_INTERNAL); + return; + } + + /* Now just return whatever we decided */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Group check done\n"); + tevent_req_done(req); +} + +errno_t simple_access_check_recv(struct tevent_req *req, bool *access_granted) +{ + struct simple_access_check_state *state = + tevent_req_data(req, struct simple_access_check_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + DEBUG(SSSDBG_TRACE_LIBS, + "Access %sgranted\n", state->access_granted ? "" : "not "); + if (access_granted) { + *access_granted = state->access_granted; + } + + return EOK; +} diff --git a/src/providers/simple/simple_access_pvt.h b/src/providers/simple/simple_access_pvt.h new file mode 100644 index 0000000..c133e1c --- /dev/null +++ b/src/providers/simple/simple_access_pvt.h 
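Review bot: `simple_resolve_group_recv()` in simple_access_check.c returns EOK without checking the result of `talloc_strdup()`, so on allocation failure `simple_check_get_groups_next()` stores NULL in `state->group_names[state->num_names]` and still increments `num_names`. `simple_check_groups()` walks that array until the first NULL, which means every group resolved after the failed copy is ignored, including one that matches `simple_deny_groups`. A deny rule should not be skippable by an out-of-memory condition; add `if (*name == NULL) return ENOMEM;` before the `return EOK;`. The caller already records a non-EOK result as `failed_to_resolve_groups`, and `simple_access_check_done()` then refuses to continue when deny groups are configured.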
@@ -0,0 +1,43 @@
+/*
+ SSSD
+
+ Simple access control
+
+ Copyright (C) Sumit Bose 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __SIMPLE_ACCESS_PVT_H__
+#define __SIMPLE_ACCESS_PVT_H__
+
+#include "providers/data_provider/dp.h"
+
+/* We only 'export' the functions in a private header file to be able to call
+ * them from unit tests
+ */
+struct tevent_req *
+simple_access_handler_send(TALLOC_CTX *mem_ctx,
+ struct simple_ctx *simple_ctx,
+ struct pam_data *pd,
+ struct dp_req_params *params);
+
+errno_t
+simple_access_handler_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct pam_data **_data);
+
+int simple_access_obtain_filter_lists(struct simple_ctx *ctx);
+
+#endif /* __SIMPLE_ACCESS_PVT_H__ */
diff --git a/src/providers/sssd_be.exports b/src/providers/sssd_be.exports
new file mode 100644
index 0000000..9afa106
--- /dev/null
+++ b/src/providers/sssd_be.exports
@@ -0,0 +1,4 @@
+{
+ global:
+ *;
+};
diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
new file mode 100644
index 0000000..d78452c
--- /dev/null
+++ b/src/python/pyhbac.c
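Review bot: The include guard in simple_access_pvt.h, `__SIMPLE_ACCESS_PVT_H__`, contains a double underscore, which C reserves for the implementation; `#ifndef SIMPLE_ACCESS_PVT_H` with the matching `#define` avoids that. The prototypes also take `struct simple_ctx *` and `struct pam_data *`, while the only include is `providers/data_provider/dp.h`. If that header does not declare both types (not visible here), the file only compiles cleanly when included after the header that does, so a forward declaration such as `struct simple_ctx;` above the prototypes would make it self-contained. The three prototypes carry no comment on who owns `*_data` after `simple_access_handler_recv` returns; a one-line note that it is allocated on `mem_ctx`, if that is the case, would help the unit tests this header is meant for.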
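Review bot: The version script in sssd_be.exports is `global: *;` with no `local:` section, so it does not narrow the export surface at all. Every non-static symbol of the back end, including internal access-control helpers, stays bindable by whatever is loaded into the process. If the wildcard is deliberate (presumably so that dynamically loaded provider modules can resolve helpers from the back end; not visible in this hunk), the file should say so in a `/* ... */` comment at the top. Otherwise list the symbols that modules actually need under `global:` and close the block with `local: *;`.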
@@ -0,0 +1,1998 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "util/sss_python.h" +#include "lib/ipa_hbac/ipa_hbac.h" + +#define PYTHON_MODULE_NAME "pyhbac" + +#ifndef PYHBAC_ENCODING +#define PYHBAC_ENCODING "UTF-8" +#endif + +#define PYHBAC_ENCODING_ERRORS "strict" + +#define CHECK_ATTRIBUTE_DELETE(attr, attrname) do { \ + if (attr == NULL) { \ + PyErr_Format(PyExc_TypeError, \ + "Cannot delete the %s attribute", \ + attrname); \ + return -1; \ + } \ +} while(0) + +static PyObject *PyExc_HbacError; + +/* ==================== Utility functions ========================*/ +static char * +py_strdup(const char *string) +{ + char *copy; + + copy = PyMem_New(char, strlen(string)+1); + if (copy == NULL) { + PyErr_NoMemory(); + return NULL; + } + + return strcpy(copy, string); +} + +static char * +py_strcat_realloc(char *first, const char *second) +{ + char *new_first; + new_first = PyMem_Realloc(first, strlen(first) + strlen(second) + 1); + if (new_first == NULL) { + PyErr_NoMemory(); + return NULL; + } + + return strcat(new_first, second); +} + +static PyObject * +get_utf8_string(PyObject *obj, const char *attrname) +{ + const char *a = attrname ? 
attrname : "attribute"; + PyObject *obj_utf8 = NULL; + + if (PyBytes_Check(obj)) { + obj_utf8 = obj; + Py_INCREF(obj_utf8); /* Make sure we can DECREF later */ + } else if (PyUnicode_Check(obj)) { + if ((obj_utf8 = PyUnicode_AsUTF8String(obj)) == NULL) { + return NULL; + } + } else { + PyErr_Format(PyExc_TypeError, "%s must be a string", a); + return NULL; + } + + return obj_utf8; +} + +static void +free_string_list(const char **list) +{ + int i; + + if (!list) return; + + for (i=0; list[i]; i++) { + PyMem_Free(discard_const_p(char, list[i])); + } + PyMem_Free(list); +} + +static const char ** +sequence_as_string_list(PyObject *seq, const char *paramname) +{ + const char *p = paramname ? paramname : "attribute values"; + const char **ret; + PyObject *utf_item; + int i; + Py_ssize_t len; + PyObject *item; + + if (!PySequence_Check(seq)) { + PyErr_Format(PyExc_TypeError, + "The object must be a sequence\n"); + return NULL; + } + + len = PySequence_Size(seq); + if (len == -1) return NULL; + + ret = PyMem_New(const char *, (len+1)); + if (!ret) { + PyErr_NoMemory(); + return NULL; + } + + for (i = 0; i < len; i++) { + item = PySequence_GetItem(seq, i); + if (item == NULL) { + break; + } + + utf_item = get_utf8_string(item, p); + if (utf_item == NULL) { + Py_DECREF(item); + return NULL; + } + + ret[i] = py_strdup(PyBytes_AsString(utf_item)); + Py_DECREF(utf_item); + if (!ret[i]) { + Py_DECREF(item); + return NULL; + } + Py_DECREF(item); + } + + ret[i] = NULL; + return ret; +} + +static bool +verify_sequence(PyObject *seq, const char *attrname) +{ + const char *a = attrname ? 
attrname : "attribute"; + + if (!PySequence_Check(seq)) { + PyErr_Format(PyExc_TypeError, "%s must be a sequence", a); + return false; + } + + return true; +} + +static int +pyobject_to_category(PyObject *o) +{ + long c; + + c = PYNUMBER_ASLONG(o); + if (c == -1 && PyErr_Occurred()) { + PyErr_Format(PyExc_TypeError, + "Invalid type for category element - must be an int\n"); + return -1; + } + + switch (c) { + case HBAC_CATEGORY_NULL: + case HBAC_CATEGORY_ALL: + return c; + } + + PyErr_Format(PyExc_ValueError, "Invalid value %ld for category\n", c); + return -1; +} + +static int +native_category(PyObject *pycat, uint32_t *_category) +{ + PyObject *iterator; + PyObject *item; + uint32_t cat; + int ret; + + iterator = PyObject_GetIter(pycat); + if (iterator == NULL) { + PyErr_Format(PyExc_RuntimeError, "Cannot iterate category\n"); + return -1; + } + + cat = 0; + while ((item = PyIter_Next(iterator))) { + ret = pyobject_to_category(item); + Py_DECREF(item); + if (ret == -1) { + Py_DECREF(iterator); + return -1; + } + + cat |= ret; + } + + Py_DECREF(iterator); + + *_category = cat; + return 0; +} + +static char * +str_concat_sequence(PyObject *seq, const char *delim) +{ + Py_ssize_t size; + Py_ssize_t i; + PyObject *item; + char *s = NULL; + const char *part; + + size = PySequence_Size(seq); + + if (size == 0) { + s = py_strdup(""); + if (s == NULL) { + return NULL; + } + return s; + } + + for (i=0; i < size; i++) { + item = PySequence_GetItem(seq, i); + if (item == NULL) goto fail; + +#ifdef IS_PY3K + part = PyUnicode_AsUTF8(item); +#else + part = PyString_AsString(item); +#endif + + if (s) { + s = py_strcat_realloc(s, delim); + if (s == NULL) goto fail; + s = py_strcat_realloc(s, part); + if (s == NULL) goto fail; + } else { + s = py_strdup(part); + if (s == NULL) goto fail; + } + Py_DECREF(item); + } + + return s; + +fail: + Py_XDECREF(item); + PyMem_Free(s); + return NULL; +} + +/* ================= HBAC Exception handling =====================*/ +static void 
+set_hbac_exception(PyObject *exc, struct hbac_info *error) +{ + PyObject *obj; + + obj = Py_BuildValue(sss_py_const_p(char, "(i,s)"), error->code, + error->rule_name ? error->rule_name : "no rule"); + + PyErr_SetObject(exc, obj); + Py_XDECREF(obj); +} + +/* ==================== HBAC Rule Element ========================*/ +typedef struct { + PyObject_HEAD + + PyObject *category; + PyObject *names; + PyObject *groups; +} HbacRuleElement; + +static PyObject * +HbacRuleElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds) +{ + HbacRuleElement *self; + + self = (HbacRuleElement *) type->tp_alloc(type, 0); + if (self == NULL) { + PyErr_NoMemory(); + return NULL; + } + + self->category = PySet_New(NULL); + self->names = PyList_New(0); + self->groups = PyList_New(0); + if (!self->names || !self->groups || !self->category) { + Py_DECREF(self); + PyErr_NoMemory(); + return NULL; + } + + return (PyObject *) self; +} + +static int +HbacRuleElement_clear(HbacRuleElement *self) +{ + Py_CLEAR(self->names); + Py_CLEAR(self->groups); + Py_CLEAR(self->category); + return 0; +} + +static void +HbacRuleElement_dealloc(HbacRuleElement *self) +{ + HbacRuleElement_clear(self); + Py_TYPE(self)->tp_free((PyObject*) self); +} + +static int +HbacRuleElement_traverse(HbacRuleElement *self, visitproc visit, void *arg) +{ + Py_VISIT(self->groups); + Py_VISIT(self->names); + Py_VISIT(self->category); + return 0; +} + +static int +hbac_rule_element_set_names(HbacRuleElement *self, PyObject *names, + void *closure); +static int +hbac_rule_element_set_groups(HbacRuleElement *self, PyObject *groups, + void *closure); +static int +hbac_rule_element_set_category(HbacRuleElement *self, PyObject *category, + void *closure); + +static int +HbacRuleElement_init(HbacRuleElement *self, PyObject *args, PyObject *kwargs) +{ + const char * const kwlist[] = { "names", "groups", "category", NULL }; + PyObject *names = NULL; + PyObject *groups = NULL; + PyObject *category = NULL; + PyObject *tmp = 
NULL; + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, + sss_py_const_p(char, "|OOO"), + discard_const_p(char *, kwlist), + &names, &groups, &category)) { + return -1; + } + + if (names) { + if (hbac_rule_element_set_names(self, names, NULL) != 0) { + return -1; + } + } + + if (groups) { + if (hbac_rule_element_set_groups(self, groups, NULL) != 0) { + return -1; + } + } + + if (category) { + if (hbac_rule_element_set_category(self, category, NULL) != 0) { + return -1; + } + } else { + tmp = PYNUMBER_FROMLONG(HBAC_CATEGORY_NULL); + if (!tmp) { + return -1; + } + + if (PySet_Add(self->category, tmp) != 0) { + Py_DECREF(tmp); + return -1; + } + } + + return 0; +} + +static int +hbac_rule_element_set_names(HbacRuleElement *self, + PyObject *names, + void *closure) +{ + CHECK_ATTRIBUTE_DELETE(names, "names"); + + if (!verify_sequence(names, "names")) { + return -1; + } + + SAFE_SET(self->names, names); + return 0; +} + +static PyObject * +hbac_rule_element_get_names(HbacRuleElement *self, void *closure) +{ + Py_INCREF(self->names); + return self->names; +} + +static int +hbac_rule_element_set_groups(HbacRuleElement *self, + PyObject *groups, + void *closure) +{ + CHECK_ATTRIBUTE_DELETE(groups, "groups"); + + if (!verify_sequence(groups, "groups")) { + return -1; + } + + SAFE_SET(self->groups, groups); + return 0; +} + +static PyObject * +hbac_rule_element_get_groups(HbacRuleElement *self, void *closure) +{ + Py_INCREF(self->groups); + return self->groups; +} + +static int +hbac_rule_element_set_category(HbacRuleElement *self, + PyObject *category, + void *closure) +{ + PyObject *iterator; + PyObject *item; + int ret; + + CHECK_ATTRIBUTE_DELETE(category, "category"); + + if (!PySet_Check(category)) { + PyErr_Format(PyExc_TypeError, "The category must be a set type\n"); + return -1; + } + + /* Check the values, too */ + iterator = PyObject_GetIter(category); + if (iterator == NULL) { + PyErr_Format(PyExc_RuntimeError, "Cannot iterate a set?\n"); + return -1; + } + + 
while ((item = PyIter_Next(iterator))) { + ret = pyobject_to_category(item); + Py_DECREF(item); + if (ret == -1) { + Py_DECREF(iterator); + return -1; + } + } + + SAFE_SET(self->category, category); + Py_DECREF(iterator); + return 0; +} + +static PyObject * +hbac_rule_element_get_category(HbacRuleElement *self, void *closure) +{ + Py_INCREF(self->category); + return self->category; +} + +static PyObject * +HbacRuleElement_repr(HbacRuleElement *self) +{ + char *strnames = NULL; + char *strgroups = NULL; + uint32_t category; + int ret; + PyObject *o, *format, *args; + + format = PyUnicode_FromString(""); + if (format == NULL) { + return NULL; + } + + strnames = str_concat_sequence(self->names, + discard_const_p(char, ",")); + strgroups = str_concat_sequence(self->groups, + discard_const_p(char, ",")); + ret = native_category(self->category, &category); + if (strnames == NULL || strgroups == NULL || ret == -1) { + PyMem_Free(strnames); + PyMem_Free(strgroups); + Py_DECREF(format); + return NULL; + } + + args = Py_BuildValue(sss_py_const_p(char, "Kss"), + (unsigned long long ) category, + strnames, strgroups); + if (args == NULL) { + PyMem_Free(strnames); + PyMem_Free(strgroups); + Py_DECREF(format); + return NULL; + } + + o = PyUnicode_Format(format, args); + PyMem_Free(strnames); + PyMem_Free(strgroups); + Py_DECREF(format); + Py_DECREF(args); + return o; +} + +PyDoc_STRVAR(HbacRuleElement_names__doc__, +"(sequence of strings) A list of object names this element applies to"); +PyDoc_STRVAR(HbacRuleElement_groups__doc__, +"(sequence of strings) A list of group names this element applies to"); +PyDoc_STRVAR(HbacRuleElement_category__doc__, +"(set) A set of categories this rule falls into"); + +static PyGetSetDef py_hbac_rule_element_getset[] = { + { discard_const_p(char, "names"), + (getter) hbac_rule_element_get_names, + (setter) hbac_rule_element_set_names, + HbacRuleElement_names__doc__, + NULL }, + + { discard_const_p(char, "groups"), + (getter) 
hbac_rule_element_get_groups, + (setter) hbac_rule_element_set_groups, + HbacRuleElement_groups__doc__, + NULL }, + + { discard_const_p(char, "category"), + (getter) hbac_rule_element_get_category, + (setter) hbac_rule_element_set_category, + HbacRuleElement_category__doc__, + NULL }, + + { NULL, 0, 0, 0, NULL } /* Sentinel */ +}; + +PyDoc_STRVAR(HbacRuleElement__doc__, +"IPA HBAC Rule Element\n\n" +"HbacRuleElement() -> new empty rule element\n" +"HbacRuleElement([names], [groups], [category]) -> optionally, provide\n" +"names and/or groups and/or category\n"); + +static PyTypeObject pyhbac_hbacrule_element_type = { + PyVarObject_HEAD_INIT(NULL, 0) + .tp_name = sss_py_const_p(char, "pyhbac.HbacRuleElement"), + .tp_basicsize = sizeof(HbacRuleElement), + .tp_new = HbacRuleElement_new, + .tp_dealloc = (destructor) HbacRuleElement_dealloc, + .tp_traverse = (traverseproc) HbacRuleElement_traverse, + .tp_clear = (inquiry) HbacRuleElement_clear, + .tp_init = (initproc) HbacRuleElement_init, + .tp_repr = (reprfunc) HbacRuleElement_repr, + .tp_getset = py_hbac_rule_element_getset, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC, + .tp_doc = HbacRuleElement__doc__ +}; + +static void +free_hbac_rule_element(struct hbac_rule_element *el) +{ + if (!el) return; + + free_string_list(el->names); + free_string_list(el->groups); + PyMem_Free(el); +} + +struct hbac_rule_element * +HbacRuleElement_to_native(HbacRuleElement *pyel) +{ + struct hbac_rule_element *el = NULL; + int ret; + + /* check the type, None would wreak havoc here because for some reason + * it would pass the sequence check */ + if (!PyObject_IsInstance((PyObject *) pyel, + (PyObject *) &pyhbac_hbacrule_element_type)) { + PyErr_Format(PyExc_TypeError, + "The element must be of type HbacRuleElement\n"); + goto fail; + } + + el = PyMem_Malloc(sizeof(struct hbac_rule_element)); + if (!el) { + PyErr_NoMemory(); + goto fail; + } + + ret = native_category(pyel->category, &el->category); + 
el->names = sequence_as_string_list(pyel->names, "names"); + el->groups = sequence_as_string_list(pyel->groups, "groups"); + if (!el->names || !el->groups || ret == -1) { + goto fail; + } + + return el; + +fail: + free_hbac_rule_element(el); + return NULL; +} + +/* ==================== HBAC Rule ========================*/ +typedef struct { + PyObject_HEAD + + PyObject *name; + bool enabled; + + HbacRuleElement *users; + HbacRuleElement *services; + HbacRuleElement *targethosts; + HbacRuleElement *srchosts; +} HbacRuleObject; + +static void +free_hbac_rule(struct hbac_rule *rule); +static struct hbac_rule * +HbacRule_to_native(HbacRuleObject *pyrule); + +static PyObject * +HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds) +{ + HbacRuleObject *self; + + self = (HbacRuleObject *) type->tp_alloc(type, 0); + if (self == NULL) { + PyErr_NoMemory(); + return NULL; + } + + self->name = PyUnicode_FromString(""); + if (self->name == NULL) { + Py_DECREF(self); + PyErr_NoMemory(); + return NULL; + } + + self->enabled = false; + + self->services = (HbacRuleElement *) HbacRuleElement_new( + &pyhbac_hbacrule_element_type, + NULL, NULL); + self->users = (HbacRuleElement *) HbacRuleElement_new( + &pyhbac_hbacrule_element_type, + NULL, NULL); + self->targethosts = (HbacRuleElement *) HbacRuleElement_new( + &pyhbac_hbacrule_element_type, + NULL, NULL); + self->srchosts = (HbacRuleElement *) HbacRuleElement_new( + &pyhbac_hbacrule_element_type, + NULL, NULL); + if (self->services == NULL || self->users == NULL || + self->targethosts == NULL || self->srchosts == NULL) { + Py_XDECREF(self->services); + Py_XDECREF(self->users); + Py_XDECREF(self->targethosts); + Py_XDECREF(self->srchosts); + Py_DECREF(self->name); + Py_DECREF(self); + PyErr_NoMemory(); + return NULL; + } + + return (PyObject *) self; +} + +static int +HbacRule_clear(HbacRuleObject *self) +{ + Py_CLEAR(self->name); + Py_CLEAR(self->services); + Py_CLEAR(self->users); + Py_CLEAR(self->targethosts); + 
Py_CLEAR(self->srchosts); + return 0; +} + +static void +HbacRule_dealloc(HbacRuleObject *self) +{ + HbacRule_clear(self); + Py_TYPE(self)->tp_free((PyObject*) self); +} + +static int +HbacRule_traverse(HbacRuleObject *self, visitproc visit, void *arg) +{ + Py_VISIT((PyObject *) self->name); + Py_VISIT((PyObject *) self->services); + Py_VISIT((PyObject *) self->users); + Py_VISIT((PyObject *) self->targethosts); + Py_VISIT((PyObject *) self->srchosts); + return 0; +} + +static int +hbac_rule_set_enabled(HbacRuleObject *self, PyObject *enabled, void *closure); +static int +hbac_rule_set_name(HbacRuleObject *self, PyObject *name, void *closure); + +static int +HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs) +{ + const char * const kwlist[] = { "name", "enabled", NULL }; + PyObject *name = NULL; + PyObject *empty_tuple = NULL; + PyObject *enabled=NULL; + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, + sss_py_const_p(char, "O|O"), + discard_const_p(char *, kwlist), + &name, &enabled)) { + return -1; + } + + if (enabled) { + if (hbac_rule_set_enabled(self, enabled, NULL) == -1) { + return -1; + } + } + + if (hbac_rule_set_name(self, name, NULL) == -1) { + return -1; + } + + empty_tuple = PyTuple_New(0); + if (!empty_tuple) { + return -1; + } + + if (HbacRuleElement_init(self->users, empty_tuple, NULL) == -1 || + HbacRuleElement_init(self->services, empty_tuple, NULL) == -1 || + HbacRuleElement_init(self->targethosts, empty_tuple, NULL) == -1 || + HbacRuleElement_init(self->srchosts, empty_tuple, NULL) == -1) { + Py_DECREF(empty_tuple); + return -1; + } + + Py_DECREF(empty_tuple); + return 0; +} + +static int +hbac_rule_set_enabled(HbacRuleObject *self, PyObject *enabled, void *closure) +{ + CHECK_ATTRIBUTE_DELETE(enabled, "enabled"); + + if (PyBytes_Check(enabled) || PyUnicode_Check(enabled)) { + PyObject *utf8_str; + char *str; + + utf8_str = get_utf8_string(enabled, "enabled"); + if (!utf8_str) return -1; + str = PyBytes_AsString(utf8_str); + 
if (!str) { + Py_DECREF(utf8_str); + return -1; + } + + if (strcasecmp(str, "true") == 0) { + self->enabled = true; + } else if (strcasecmp(str, "false") == 0) { + self->enabled = false; + } else { + PyErr_Format(PyExc_ValueError, + "enabled only accepts 'true' of 'false' " + "string literals"); + Py_DECREF(utf8_str); + return -1; + } + + Py_DECREF(utf8_str); + return 0; + } else if (PyBool_Check(enabled) == true) { + self->enabled = (enabled == Py_True); + return 0; + } else if (PYNUMBER_CHECK(enabled)) { + switch(PYNUMBER_ASLONG(enabled)) { + case 0: + self->enabled = false; + break; + case 1: + self->enabled = true; + break; + default: + PyErr_Format(PyExc_ValueError, + "enabled only accepts '0' of '1' " + "integer constants"); + return -1; + } + return 0; + } + + PyErr_Format(PyExc_TypeError, "enabled must be a boolean, an integer " + "1 or 0 or a string constant true/false"); + return -1; + +} + +static PyObject * +hbac_rule_get_enabled(HbacRuleObject *self, void *closure) +{ + if (self->enabled) { + Py_RETURN_TRUE; + } + + Py_RETURN_FALSE; +} + +static int +hbac_rule_set_name(HbacRuleObject *self, PyObject *name, void *closure) +{ + CHECK_ATTRIBUTE_DELETE(name, "name"); + + if (!PyBytes_Check(name) && !PyUnicode_Check(name)) { + PyErr_Format(PyExc_TypeError, "name must be a string or Unicode"); + return -1; + } + + SAFE_SET(self->name, name); + return 0; +} + +static PyObject * +hbac_rule_get_name(HbacRuleObject *self, void *closure) +{ + if (PyUnicode_Check(self->name)) { + Py_INCREF(self->name); + return self->name; + } else if (PyBytes_Check(self->name)) { + return PyUnicode_FromEncodedObject(self->name, + PYHBAC_ENCODING, PYHBAC_ENCODING_ERRORS); + } + + /* setter does typechecking but let us be paranoid */ + PyErr_Format(PyExc_TypeError, "name must be a string or Unicode"); + return NULL; +} + +static PyObject * +HbacRule_repr(HbacRuleObject *self) +{ + PyObject *users_repr; + PyObject *services_repr; + PyObject *targethosts_repr; + PyObject 
*srchosts_repr; + PyObject *o, *format, *args; + + format = PyUnicode_FromString(""); + if (format == NULL) { + return NULL; + } + + users_repr = HbacRuleElement_repr(self->users); + services_repr = HbacRuleElement_repr(self->services); + targethosts_repr = HbacRuleElement_repr(self->targethosts); + srchosts_repr = HbacRuleElement_repr(self->srchosts); + if (users_repr == NULL || services_repr == NULL || + targethosts_repr == NULL || srchosts_repr == NULL) { + Py_XDECREF(users_repr); + Py_XDECREF(services_repr); + Py_XDECREF(targethosts_repr); + Py_XDECREF(srchosts_repr); + Py_DECREF(format); + return NULL; + } + + args = Py_BuildValue(sss_py_const_p(char, "OiOOOO"), + self->name, self->enabled, + users_repr, services_repr, + targethosts_repr, srchosts_repr); + if (args == NULL) { + Py_DECREF(users_repr); + Py_DECREF(services_repr); + Py_DECREF(targethosts_repr); + Py_DECREF(srchosts_repr); + Py_DECREF(format); + return NULL; + } + + o = PyUnicode_Format(format, args); + Py_DECREF(users_repr); + Py_DECREF(services_repr); + Py_DECREF(targethosts_repr); + Py_DECREF(srchosts_repr); + Py_DECREF(format); + Py_DECREF(args); + return o; +} + +static PyObject * +py_hbac_rule_validate(HbacRuleObject *self, PyObject *args) +{ + struct hbac_rule *rule; + bool is_valid; + uint32_t missing; + uint32_t attr; + PyObject *ret = NULL; + PyObject *py_is_valid = NULL; + PyObject *py_missing = NULL; + PyObject *py_attr = NULL; + + rule = HbacRule_to_native(self); + if (!rule) { + /* Make sure there is at least a generic exception */ + if (!PyErr_Occurred()) { + PyErr_Format(PyExc_IOError, + "Could not convert HbacRule to native type\n"); + } + goto fail; + } + + is_valid = hbac_rule_is_complete(rule, &missing); + free_hbac_rule(rule); + + ret = PyTuple_New(2); + if (!ret) { + PyErr_NoMemory(); + goto fail; + } + + py_is_valid = PyBool_FromLong(is_valid); + py_missing = PySet_New(NULL); + if (!py_missing || !py_is_valid) { + PyErr_NoMemory(); + goto fail; + } + + for (attr = 
HBAC_RULE_ELEMENT_USERS; + attr <= HBAC_RULE_ELEMENT_SOURCEHOSTS; + attr <<= 1) { + if (!(missing & attr)) continue; + + py_attr = PYNUMBER_FROMLONG(attr); + if (!py_attr) { + PyErr_NoMemory(); + goto fail; + } + + if (PySet_Add(py_missing, py_attr) != 0) { + /* If the set-add succeeded, it would steal the reference */ + Py_DECREF(py_attr); + goto fail; + } + } + + PyTuple_SET_ITEM(ret, 0, py_is_valid); + PyTuple_SET_ITEM(ret, 1, py_missing); + return ret; + +fail: + Py_XDECREF(ret); + Py_XDECREF(py_missing); + Py_XDECREF(py_is_valid); + return NULL; +} + +PyDoc_STRVAR(py_hbac_rule_validate__doc__, +"validate() -> (valid, missing)\n\n" +"Validate an HBAC rule\n" +"Returns a tuple of (bool, set). The boolean value describes whether\n" +"the rule is valid. If it is False, then the set lists all the missing " +"rule elements as HBAC_RULE_ELEMENT_* constants\n"); + +static PyMethodDef py_hbac_rule_methods[] = { + { sss_py_const_p(char, "validate"), + (PyCFunction) py_hbac_rule_validate, + METH_VARARGS, py_hbac_rule_validate__doc__, + }, + { NULL, NULL, 0, NULL } /* Sentinel */ +}; + +PyDoc_STRVAR(HbacRuleObject_users__doc__, +"(HbacRuleElement) Users and user groups for which this rule applies"); +PyDoc_STRVAR(HbacRuleObject_services__doc__, +"(HbacRuleElement) Services and service groups for which this rule applies"); +PyDoc_STRVAR(HbacRuleObject_targethosts__doc__, +"(HbacRuleElement) Target hosts for which this rule applies"); +PyDoc_STRVAR(HbacRuleObject_srchosts__doc__, +"(HbacRuleElement) Source hosts for which this rule applies"); + +static PyMemberDef py_hbac_rule_members[] = { + { discard_const_p(char, "users"), T_OBJECT_EX, + offsetof(HbacRuleObject, users), 0, + HbacRuleObject_users__doc__ }, + + { discard_const_p(char, "services"), T_OBJECT_EX, + offsetof(HbacRuleObject, services), 0, + HbacRuleObject_services__doc__ }, + + { discard_const_p(char, "targethosts"), T_OBJECT_EX, + offsetof(HbacRuleObject, targethosts), 0, + HbacRuleObject_targethosts__doc__}, 
+ + { discard_const_p(char, "srchosts"), T_OBJECT_EX, + offsetof(HbacRuleObject, srchosts), 0, + HbacRuleObject_srchosts__doc__}, + + { NULL, 0, 0, 0, NULL } /* Sentinel */ +}; + +PyDoc_STRVAR(HbacRuleObject_enabled__doc__, +"(bool) Is the rule enabled"); +PyDoc_STRVAR(HbacRuleObject_name__doc__, +"(string) The name of the rule"); + +static PyGetSetDef py_hbac_rule_getset[] = { + { discard_const_p(char, "enabled"), + (getter) hbac_rule_get_enabled, + (setter) hbac_rule_set_enabled, + HbacRuleObject_enabled__doc__, + NULL }, + + { discard_const_p(char, "name"), + (getter) hbac_rule_get_name, + (setter) hbac_rule_set_name, + HbacRuleObject_name__doc__, + NULL }, + + {NULL, 0, 0, 0, NULL} /* Sentinel */ +}; + +PyDoc_STRVAR(HbacRuleObject__doc__, +"IPA HBAC Rule\n\n" +"HbacRule(name, [enabled]) -> instantiate an empty rule, optionally\n" +"specify whether it is enabled. Rules are created disabled by default and\n" +"contain empty HbacRuleElement instances in services, users, targethosts\n" +"and srchosts attributes.\n"); + +static PyTypeObject pyhbac_hbacrule_type = { + PyVarObject_HEAD_INIT(NULL, 0) + .tp_name = sss_py_const_p(char, "pyhbac.HbacRule"), + .tp_basicsize = sizeof(HbacRuleObject), + .tp_new = HbacRule_new, + .tp_dealloc = (destructor) HbacRule_dealloc, + .tp_traverse = (traverseproc) HbacRule_traverse, + .tp_clear = (inquiry) HbacRule_clear, + .tp_init = (initproc) HbacRule_init, + .tp_repr = (reprfunc) HbacRule_repr, + .tp_members = py_hbac_rule_members, + .tp_methods = py_hbac_rule_methods, + .tp_getset = py_hbac_rule_getset, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC, + .tp_doc = HbacRuleObject__doc__ +}; + +static void +free_hbac_rule(struct hbac_rule *rule) +{ + if (!rule) return; + + free_hbac_rule_element(rule->services); + free_hbac_rule_element(rule->users); + free_hbac_rule_element(rule->targethosts); + free_hbac_rule_element(rule->srchosts); + + PyMem_Free(discard_const_p(char, rule->name)); + PyMem_Free(rule); 
+} + +static struct hbac_rule * +HbacRule_to_native(HbacRuleObject *pyrule) +{ + struct hbac_rule *rule = NULL; + PyObject *utf_name; + + rule = PyMem_Malloc(sizeof(struct hbac_rule)); + if (!rule) { + PyErr_NoMemory(); + goto fail; + } + + if (!PyObject_IsInstance((PyObject *) pyrule, + (PyObject *) &pyhbac_hbacrule_type)) { + PyErr_Format(PyExc_TypeError, + "The rule must be of type HbacRule\n"); + goto fail; + } + + utf_name = get_utf8_string(pyrule->name, "name"); + if (utf_name == NULL) { + return NULL; + } + + rule->name = py_strdup(PyBytes_AsString(utf_name)); + Py_DECREF(utf_name); + if (rule->name == NULL) { + goto fail; + } + + rule->services = HbacRuleElement_to_native(pyrule->services); + rule->users = HbacRuleElement_to_native(pyrule->users); + rule->targethosts = HbacRuleElement_to_native(pyrule->targethosts); + rule->srchosts = HbacRuleElement_to_native(pyrule->srchosts); + if (!rule->services || !rule->users || + !rule->targethosts || !rule->srchosts) { + goto fail; + } + + rule->enabled = pyrule->enabled; + return rule; + +fail: + free_hbac_rule(rule); + return NULL; +} + +/* ==================== HBAC Request Element ========================*/ +typedef struct { + PyObject_HEAD + + PyObject *name; + PyObject *groups; +} HbacRequestElement; + +static PyObject * +HbacRequestElement_new(PyTypeObject *type, PyObject *args, PyObject *kwds) +{ + HbacRequestElement *self; + + self = (HbacRequestElement *) type->tp_alloc(type, 0); + if (self == NULL) { + PyErr_NoMemory(); + return NULL; + } + + self->name = PyUnicode_FromString(""); + if (self->name == NULL) { + PyErr_NoMemory(); + Py_DECREF(self); + return NULL; + } + + self->groups = PyList_New(0); + if (self->groups == NULL) { + Py_DECREF(self->name); + Py_DECREF(self); + PyErr_NoMemory(); + return NULL; + } + + return (PyObject *) self; +} + +static int +HbacRequestElement_clear(HbacRequestElement *self) +{ + Py_CLEAR(self->name); + Py_CLEAR(self->groups); + return 0; +} + +static void 
+HbacRequestElement_dealloc(HbacRequestElement *self) +{ + HbacRequestElement_clear(self); + Py_TYPE(self)->tp_free((PyObject*) self); +} + +static int +HbacRequestElement_traverse(HbacRequestElement *self, + visitproc visit, void *arg) +{ + Py_VISIT(self->name); + Py_VISIT(self->groups); + return 0; +} + +static int +hbac_request_element_set_groups(HbacRequestElement *self, + PyObject *groups, + void *closure); +static int +hbac_request_element_set_name(HbacRequestElement *self, + PyObject *name, + void *closure); + +static int +HbacRequestElement_init(HbacRequestElement *self, + PyObject *args, + PyObject *kwargs) +{ + const char * const kwlist[] = { "name", "groups", NULL }; + PyObject *name = NULL; + PyObject *groups = NULL; + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, + sss_py_const_p(char, "|OO"), + discard_const_p(char *, kwlist), + &name, &groups)) { + return -1; + } + + if (name) { + if (hbac_request_element_set_name(self, name, NULL) != 0) { + return -1; + } + } + + if (groups) { + if (hbac_request_element_set_groups(self, groups, NULL) != 0) { + return -1; + } + } + + return 0; +} + +static int +hbac_request_element_set_name(HbacRequestElement *self, + PyObject *name, + void *closure) +{ + CHECK_ATTRIBUTE_DELETE(name, "name"); + + if (!PyBytes_Check(name) && !PyUnicode_Check(name)) { + PyErr_Format(PyExc_TypeError, "name must be a string or Unicode"); + return -1; + } + + SAFE_SET(self->name, name); + return 0; +} + +static PyObject * +hbac_request_element_get_name(HbacRequestElement *self, void *closure) +{ + if (PyUnicode_Check(self->name)) { + Py_INCREF(self->name); + return self->name; + } else if (PyBytes_Check(self->name)) { + return PyUnicode_FromEncodedObject(self->name, + PYHBAC_ENCODING, PYHBAC_ENCODING_ERRORS); + } + + /* setter does typechecking but let us be paranoid */ + PyErr_Format(PyExc_TypeError, "name must be a string or Unicode"); + return NULL; +} + +static int +hbac_request_element_set_groups(HbacRequestElement *self, + 
PyObject *groups,
+ void *closure)
+{
+ CHECK_ATTRIBUTE_DELETE(groups, "groups");
+
+ if (!verify_sequence(groups, "groups")) {
+ return -1;
+ }
+
+ SAFE_SET(self->groups, groups);
+ return 0;
+}
+
+static PyObject *
+hbac_request_element_get_groups(HbacRequestElement *self, void *closure)
+{
+ Py_INCREF(self->groups);
+ return self->groups;
+}
+
+static PyObject *
+HbacRequestElement_repr(HbacRequestElement *self)
+{
+ char *strgroups;
+ PyObject *o, *format, *args;
+
+ format = PyUnicode_FromString("");
+ if (format == NULL) {
+ return NULL;
+ }
+
+ strgroups = str_concat_sequence(self->groups, discard_const_p(char, ","));
+ if (strgroups == NULL) {
+ Py_DECREF(format);
+ return NULL;
+ }
+
+ args = Py_BuildValue(sss_py_const_p(char, "Os"), self->name, strgroups);
+ if (args == NULL) {
+ PyMem_Free(strgroups);
+ Py_DECREF(format);
+ return NULL;
+ }
+
+ o = PyUnicode_Format(format, args);
+ PyMem_Free(strgroups);
+ Py_DECREF(format);
+ Py_DECREF(args);
+ return o;
+}
+
+PyDoc_STRVAR(HbacRequestElement_name__doc__,
+"(string) An object name this element applies to");
+PyDoc_STRVAR(HbacRequestElement_groups__doc__,
+"(list of strings) A list of group names this element applies to");
+
+static PyGetSetDef py_hbac_request_element_getset[] = {
+ { discard_const_p(char, "name"),
+ (getter) hbac_request_element_get_name,
+ (setter) hbac_request_element_set_name,
+ HbacRequestElement_name__doc__,
+ NULL },
+
+ { discard_const_p(char, "groups"),
+ (getter) hbac_request_element_get_groups,
+ (setter) hbac_request_element_set_groups,
+ HbacRequestElement_groups__doc__,
+ NULL },
+
+ { NULL, 0, 0, 0, NULL } /* Sentinel */
+};
+
+PyDoc_STRVAR(HbacRequestElement__doc__,
+"IPA HBAC Request Element\n\n"
+"HbacRequestElement() -> new empty request element\n"
+"HbacRequestElement([name], [groups]) -> optionally, provide name and/or "
+"groups\n");
+
+static PyTypeObject pyhbac_hbacrequest_element_type = {
+ PyVarObject_HEAD_INIT(NULL, 0)
+ .tp_name = sss_py_const_p(char,
"pyhbac.HbacRequestElement"),
+ .tp_basicsize = sizeof(HbacRequestElement),
+ .tp_new = HbacRequestElement_new,
+ .tp_dealloc = (destructor) HbacRequestElement_dealloc,
+ .tp_traverse = (traverseproc) HbacRequestElement_traverse,
+ .tp_clear = (inquiry) HbacRequestElement_clear,
+ .tp_init = (initproc) HbacRequestElement_init,
+ .tp_repr = (reprfunc) HbacRequestElement_repr,
+ .tp_getset = py_hbac_request_element_getset,
+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE | Py_TPFLAGS_HAVE_GC,
+ .tp_doc = HbacRequestElement__doc__
+};
+
+static void
+free_hbac_request_element(struct hbac_request_element *el)
+{
+ if (!el) return;
+
+ PyMem_Free(discard_const_p(char, el->name));
+ free_string_list(el->groups);
+ PyMem_Free(el);
+}
+
+static struct hbac_request_element *
+HbacRequestElement_to_native(HbacRequestElement *pyel)
+{
+ struct hbac_request_element *el = NULL;
+ PyObject *utf_name;
+
+ if (!PyObject_IsInstance((PyObject *) pyel,
+ (PyObject *) &pyhbac_hbacrequest_element_type)) {
+ PyErr_Format(PyExc_TypeError,
+ "The element must be of type HbacRequestElement\n");
+ goto fail;
+ }
+
+ el = PyMem_Malloc(sizeof(struct hbac_request_element));
+ if (!el) {
+ PyErr_NoMemory();
+ goto fail;
+ }
+
+ utf_name = get_utf8_string(pyel->name, "name");
+ if (utf_name == NULL) {
+ return NULL;
+ }
+
+ el->name = py_strdup(PyBytes_AsString(utf_name));
+ Py_DECREF(utf_name);
+ if (!el->name) {
+ goto fail;
+ }
+
+ el->groups = sequence_as_string_list(pyel->groups, "groups");
+ if (!el->groups) {
+ goto fail;
+ }
+
+ return el;
+
+fail:
+ free_hbac_request_element(el);
+ return NULL;
+}
+
+/* ==================== HBAC Request ========================*/
+typedef struct {
+ PyObject_HEAD
+
+ HbacRequestElement *service;
+ HbacRequestElement *user;
+ HbacRequestElement *targethost;
+ HbacRequestElement *srchost;
+
+ PyObject *rule_name;
+} HbacRequest;
+
+static PyObject *
+HbacRequest_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+{
+ HbacRequest *self;
+
+ self
= (HbacRequest *) type->tp_alloc(type, 0);
+ if (self == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ self->service = (HbacRequestElement *) HbacRequestElement_new(
+ &pyhbac_hbacrequest_element_type,
+ NULL, NULL);
+ self->user = (HbacRequestElement *) HbacRequestElement_new(
+ &pyhbac_hbacrequest_element_type,
+ NULL, NULL);
+ self->targethost = (HbacRequestElement *) HbacRequestElement_new(
+ &pyhbac_hbacrequest_element_type,
+ NULL, NULL);
+ self->srchost = (HbacRequestElement *) HbacRequestElement_new(
+ &pyhbac_hbacrequest_element_type,
+ NULL, NULL);
+ if (self->service == NULL || self->user == NULL ||
+ self->targethost == NULL || self->srchost == NULL) {
+ Py_XDECREF(self->service);
+ Py_XDECREF(self->user);
+ Py_XDECREF(self->targethost);
+ Py_XDECREF(self->srchost);
+ Py_DECREF(self);
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ return (PyObject *) self;
+}
+
+static int
+HbacRequest_clear(HbacRequest *self)
+{
+ Py_CLEAR(self->service);
+ Py_CLEAR(self->user);
+ Py_CLEAR(self->targethost);
+ Py_CLEAR(self->srchost);
+ Py_CLEAR(self->rule_name);
+ return 0;
+}
+
+static void
+HbacRequest_dealloc(HbacRequest *self)
+{
+ HbacRequest_clear(self);
+ Py_TYPE(self)->tp_free((PyObject*) self);
+}
+
+static int
+HbacRequest_traverse(HbacRequest *self, visitproc visit, void *arg)
+{
+ Py_VISIT((PyObject *) self->service);
+ Py_VISIT((PyObject *) self->user);
+ Py_VISIT((PyObject *) self->targethost);
+ Py_VISIT((PyObject *) self->srchost);
+ return 0;
+}
+
+static int
+HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
+{
+ PyObject *empty_tuple = NULL;
+
+ empty_tuple = PyTuple_New(0);
+ if (!empty_tuple) {
+ PyErr_NoMemory();
+ return -1;
+ }
+
+ self->rule_name = NULL;
+
+ if (HbacRequestElement_init(self->user, empty_tuple, NULL) == -1 ||
+ HbacRequestElement_init(self->service, empty_tuple, NULL) == -1 ||
+ HbacRequestElement_init(self->targethost, empty_tuple, NULL) == -1 ||
+ HbacRequestElement_init(self->srchost, empty_tuple, NULL)
== -1) {
+ Py_DECREF(empty_tuple);
+ return -1;
+ }
+
+ Py_DECREF(empty_tuple);
+ return 0;
+}
+
+PyDoc_STRVAR(py_hbac_evaluate__doc__,
+"evaluate(rules) -> int\n\n"
+"Evaluate a set of HBAC rules.\n"
+"rules is a sequence of HbacRule objects. The returned value describes\n"
+"the result of evaluation and will have one of HBAC_EVAL_* values.\n"
+"Use hbac_result_string() to get textual representation of the result\n"
+"On error, HbacError exception is raised.\n"
+"If HBAC_EVAL_ALLOW is returned, the class attribute rule_name would\n"
+"contain the name of the rule that matched. Otherwise, the attribute\n"
+"contains None\n");
+
+static struct hbac_eval_req *
+HbacRequest_to_native(HbacRequest *pyreq);
+
+static void
+free_hbac_rule_list(struct hbac_rule **rules)
+{
+ int i;
+
+ if (!rules) return;
+
+ for(i=0; rules[i]; i++) {
+ free_hbac_rule(rules[i]);
+ }
+ PyMem_Free(rules);
+}
+
+static void
+free_hbac_eval_req(struct hbac_eval_req *req);
+
+static PyObject *
+py_hbac_evaluate(HbacRequest *self, PyObject *args)
+{
+ PyObject *py_rules_list = NULL;
+ PyObject *py_rule = NULL;
+ Py_ssize_t num_rules;
+ struct hbac_rule **rules = NULL;
+ struct hbac_eval_req *hbac_req = NULL;
+ enum hbac_eval_result eres;
+ struct hbac_info *info = NULL;
+ PyObject *ret = NULL;
+ long i;
+
+ if (!PyArg_ParseTuple(args, sss_py_const_p(char, "O"), &py_rules_list)) {
+ goto fail;
+ }
+
+ if (!PySequence_Check(py_rules_list)) {
+ PyErr_Format(PyExc_TypeError,
+ "The parameter rules must be a sequence\n");
+ goto fail;
+ }
+
+ num_rules = PySequence_Size(py_rules_list);
+ rules = PyMem_New(struct hbac_rule *, num_rules+1);
+ if (!rules) {
+ PyErr_NoMemory();
+ goto fail;
+ }
+
+ for (i=0; i < num_rules; i++) {
+ py_rule = PySequence_GetItem(py_rules_list, i);
+
+ if (!PyObject_IsInstance(py_rule,
+ (PyObject *) &pyhbac_hbacrule_type)) {
+ PyErr_Format(PyExc_TypeError,
+ "A rule must be of type HbacRule\n");
+ goto fail;
+ }
+
+ rules[i] = HbacRule_to_native((HbacRuleObject *)
py_rule);
+ if (!rules[i]) {
+ /* Make sure there is at least a generic exception */
+ if (!PyErr_Occurred()) {
+ PyErr_Format(PyExc_IOError,
+ "Could not convert HbacRule to native type\n");
+ }
+ goto fail;
+ }
+ }
+ rules[num_rules] = NULL;
+
+ hbac_req = HbacRequest_to_native(self);
+ if (!hbac_req) {
+ if (!PyErr_Occurred()) {
+ PyErr_Format(PyExc_IOError,
+ "Could not convert HbacRequest to native type\n");
+ }
+ goto fail;
+ }
+
+ Py_XDECREF(self->rule_name);
+ self->rule_name = NULL;
+
+ eres = hbac_evaluate(rules, hbac_req, &info);
+ switch (eres) {
+ case HBAC_EVAL_ALLOW:
+ self->rule_name = PyUnicode_FromString(info->rule_name);
+ if (!self->rule_name) {
+ PyErr_NoMemory();
+ goto fail;
+ }
+ /* FALLTHROUGH */
+ SSS_ATTRIBUTE_FALLTHROUGH;
+ case HBAC_EVAL_DENY:
+ ret = PYNUMBER_FROMLONG(eres);
+ break;
+ case HBAC_EVAL_ERROR:
+ set_hbac_exception(PyExc_HbacError, info);
+ goto fail;
+ case HBAC_EVAL_OOM:
+ PyErr_NoMemory();
+ goto fail;
+ }
+
+ free_hbac_eval_req(hbac_req);
+ free_hbac_rule_list(rules);
+ hbac_free_info(info);
+ return ret;
+
+fail:
+ hbac_free_info(info);
+ free_hbac_eval_req(hbac_req);
+ free_hbac_rule_list(rules);
+ return NULL;
+}
+
+static PyObject *
+hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
+{
+ if (self->rule_name == NULL) {
+ Py_INCREF(Py_None);
+ return Py_None;
+ } else if (PyUnicode_Check(self->rule_name)) {
+ Py_INCREF(self->rule_name);
+ return self->rule_name;
+ }
+
+ PyErr_Format(PyExc_TypeError, "rule_name is not Unicode");
+ return NULL;
+}
+
+static PyObject *
+HbacRequest_repr(HbacRequest *self)
+{
+ PyObject *user_repr;
+ PyObject *service_repr;
+ PyObject *targethost_repr;
+ PyObject *srchost_repr;
+ PyObject *o, *format, *args;
+
+ format = PyUnicode_FromString("");
+ if (format == NULL) {
+ return NULL;
+ }
+
+ user_repr = HbacRequestElement_repr(self->user);
+ service_repr = HbacRequestElement_repr(self->service);
+ targethost_repr = HbacRequestElement_repr(self->targethost);
+
srchost_repr = HbacRequestElement_repr(self->srchost);
+ if (user_repr == NULL || service_repr == NULL ||
+ targethost_repr == NULL || srchost_repr == NULL) {
+ Py_XDECREF(user_repr);
+ Py_XDECREF(service_repr);
+ Py_XDECREF(targethost_repr);
+ Py_XDECREF(srchost_repr);
+ Py_DECREF(format);
+ return NULL;
+ }
+
+ args = Py_BuildValue(sss_py_const_p(char, "OOOO"),
+ user_repr, service_repr,
+ targethost_repr, srchost_repr);
+ if (args == NULL) {
+ Py_DECREF(user_repr);
+ Py_DECREF(service_repr);
+ Py_DECREF(targethost_repr);
+ Py_DECREF(srchost_repr);
+ Py_DECREF(format);
+ return NULL;
+ }
+
+ o = PyUnicode_Format(format, args);
+ Py_DECREF(user_repr);
+ Py_DECREF(service_repr);
+ Py_DECREF(targethost_repr);
+ Py_DECREF(srchost_repr);
+ Py_DECREF(format);
+ Py_DECREF(args);
+ return o;
+}
+
+static PyMethodDef py_hbac_request_methods[] = {
+ { sss_py_const_p(char, "evaluate"),
+ (PyCFunction) py_hbac_evaluate,
+ METH_VARARGS, py_hbac_evaluate__doc__
+ },
+ { NULL, NULL, 0, NULL } /* Sentinel */
+};
+
+PyDoc_STRVAR(HbacRequest_service__doc__,
+"(HbacRequestElement) This is a list of service DNs to check, it must\n"
+"consist of the actual service requested, as well as all parent groups\n"
+"containing that service");
+PyDoc_STRVAR(HbacRequest_user__doc__,
+"(HbacRequestElement) This is a list of user DNs to check, it must consist\n"
+"of the actual user requested, as well as all parent groups containing\n"
+"that user.");
+PyDoc_STRVAR(HbacRequest_targethost__doc__,
+"(HbacRequestElement) This is a list of target hosts to check, it must\n"
+"consist of the actual target host requested, as well as all parent groups\n"
+"containing that target host.");
+PyDoc_STRVAR(HbacRequest_srchost__doc__,
+"(HbacRequestElement) This is a list of source hosts to check, it must\n"
+"consist of the actual source host requested, as well as all parent groups\n"
+"containing that source host.");
+
+static PyMemberDef py_hbac_request_members[] = {
+ { discard_const_p(char, "service"),
T_OBJECT_EX,
+ offsetof(HbacRequest, service), 0,
+ HbacRequest_service__doc__ },
+
+ { discard_const_p(char, "user"), T_OBJECT_EX,
+ offsetof(HbacRequest, user), 0,
+ HbacRequest_user__doc__ },
+
+ { discard_const_p(char, "targethost"), T_OBJECT_EX,
+ offsetof(HbacRequest, targethost), 0,
+ HbacRequest_targethost__doc__ },
+
+ { discard_const_p(char, "srchost"), T_OBJECT_EX,
+ offsetof(HbacRequest, srchost), 0,
+ HbacRequest_srchost__doc__ },
+
+ { NULL, 0, 0, 0, NULL } /* Sentinel */
+};
+
+PyDoc_STRVAR(HbacRequest_rule_name__doc__,
+"(string) If result of evaluation was to allow access, this member contains\n"
+"the name of the rule that allowed it. Otherwise, this attribute contains \n"
+"None. This attribute is read-only.\n");
+
+static PyGetSetDef py_hbac_request_getset[] = {
+ { discard_const_p(char, "rule_name"),
+ (getter) hbac_request_element_get_rule_name,
+ NULL, /* read only */
+ HbacRequest_rule_name__doc__,
+ NULL },
+
+ { NULL, 0, 0, 0, NULL } /* Sentinel */
+};
+
+PyDoc_STRVAR(HbacRequest__doc__,
+"IPA HBAC Request\n\n"
+"HbacRequest() -> new empty HBAC request");
+
+static PyTypeObject pyhbac_hbacrequest_type = {
+ PyVarObject_HEAD_INIT(NULL, 0)
+ .tp_name = sss_py_const_p(char, "pyhbac.HbacRequest"),
+ .tp_basicsize = sizeof(HbacRequest),
+ .tp_new = HbacRequest_new,
+ .tp_dealloc = (destructor) HbacRequest_dealloc,
+ .tp_traverse = (traverseproc) HbacRequest_traverse,
+ .tp_clear = (inquiry) HbacRequest_clear,
+ .tp_init = (initproc) HbacRequest_init,
+ .tp_repr = (reprfunc) HbacRequest_repr,
+ .tp_methods = py_hbac_request_methods,
+ .tp_members = py_hbac_request_members,
+ .tp_getset = py_hbac_request_getset,
+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
+ .tp_doc = HbacRequest__doc__
+};
+
+static void
+free_hbac_eval_req(struct hbac_eval_req *req)
+{
+ if (!req) return;
+
+ free_hbac_request_element(req->service);
+ free_hbac_request_element(req->user);
+ free_hbac_request_element(req->targethost);
+
free_hbac_request_element(req->srchost);
+
+ PyMem_Free(req);
+}
+
+static struct hbac_eval_req *
+HbacRequest_to_native(HbacRequest *pyreq)
+{
+ struct hbac_eval_req *req = NULL;
+
+ req = PyMem_Malloc(sizeof(struct hbac_eval_req));
+ if (!req) {
+ PyErr_NoMemory();
+ goto fail;
+ }
+
+ if (!PyObject_IsInstance((PyObject *) pyreq,
+ (PyObject *) &pyhbac_hbacrequest_type)) {
+ PyErr_Format(PyExc_TypeError,
+ "The request must be of type HbacRequest\n");
+ goto fail;
+ }
+
+ req->service = HbacRequestElement_to_native(pyreq->service);
+ req->user = HbacRequestElement_to_native(pyreq->user);
+ req->targethost = HbacRequestElement_to_native(pyreq->targethost);
+ req->srchost = HbacRequestElement_to_native(pyreq->srchost);
+ if (!req->service || !req->user ||
+ !req->targethost || !req->srchost) {
+ goto fail;
+ }
+ return req;
+
+fail:
+ free_hbac_eval_req(req);
+ return NULL;
+}
+
+/* =================== the pyhbac module initialization =====================*/
+PyDoc_STRVAR(py_hbac_result_string__doc__,
+"hbac_result_string(code) -> string\n"
+"Returns a string representation of the HBAC result code");
+
+static PyObject *
+py_hbac_result_string(PyObject *module, PyObject *args)
+{
+ enum hbac_eval_result result;
+ const char *str;
+
+ if (!PyArg_ParseTuple(args, sss_py_const_p(char, "i"), &result)) {
+ return NULL;
+ }
+
+ str = hbac_result_string(result);
+ if (str == NULL) {
+ /* None needs to be referenced, too */
+ Py_INCREF(Py_None);
+ return Py_None;
+ }
+
+ return PyUnicode_FromString(str);
+}
+
+PyDoc_STRVAR(py_hbac_error_string__doc__,
+"hbac_error_string(code) -> string\n"
+"Returns a string representation of the HBAC error code");
+
+static PyObject *
+py_hbac_error_string(PyObject *module, PyObject *args)
+{
+ enum hbac_error_code code;
+ const char *str;
+
+ if (!PyArg_ParseTuple(args, sss_py_const_p(char, "i"), &code)) {
+ return NULL;
+ }
+
+ str = hbac_error_string(code);
+ if (str == NULL) {
+ /* None needs to be referenced, too */
+
Py_INCREF(Py_None);
+ return Py_None;
+ }
+
+ return PyUnicode_FromString(str);
+}
+
+static PyMethodDef pyhbac_module_methods[] = {
+ { sss_py_const_p(char, "hbac_result_string"),
+ (PyCFunction) py_hbac_result_string,
+ METH_VARARGS,
+ py_hbac_result_string__doc__,
+ },
+
+ { sss_py_const_p(char, "hbac_error_string"),
+ (PyCFunction) py_hbac_error_string,
+ METH_VARARGS,
+ py_hbac_error_string__doc__,
+ },
+
+ {NULL, NULL, 0, NULL} /* Sentinel */
+};
+
+PyDoc_STRVAR(HbacError__doc__,
+"An HBAC processing exception\n\n"
+"This exception is raised when there is an internal error during the\n"
+"HBAC processing, such as an Out-Of-Memory situation or unparseable\n"
+"rule. HbacError.args argument is a tuple that contains error code and\n"
+"the name of the rule that was being processed. Use hbac_error_string()\n"
+"to get the text representation of the HBAC error");
+
+#ifdef IS_PY3K
+static struct PyModuleDef pyhbacdef = {
+ PyModuleDef_HEAD_INIT,
+ PYTHON_MODULE_NAME,
+ NULL,
+ -1,
+ pyhbac_module_methods,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
+
+PyMODINIT_FUNC
+PyInit_pyhbac(void)
+#else
+PyMODINIT_FUNC
+initpyhbac(void)
+#endif
+{
+ PyObject *m;
+ int ret;
+
+#ifdef IS_PY3K
+ m = PyModule_Create(&pyhbacdef);
+#else
+ m = Py_InitModule(sss_py_const_p(char, PYTHON_MODULE_NAME),
+ pyhbac_module_methods);
+#endif
+ if (m == NULL) MODINITERROR;
+
+ /* The HBAC module exception */
+ PyExc_HbacError = sss_exception_with_doc(
+ discard_const_p(char, "hbac.HbacError"),
+ HbacError__doc__,
+ PyExc_EnvironmentError, NULL);
+ Py_INCREF(PyExc_HbacError);
+ ret = PyModule_AddObject(m, sss_py_const_p(char, "HbacError"), PyExc_HbacError);
+ if (ret == -1) MODINITERROR;
+
+ /* HBAC rule categories */
+ ret = PyModule_AddIntMacro(m, HBAC_CATEGORY_NULL);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_CATEGORY_ALL);
+ if (ret == -1) MODINITERROR;
+
+ /* HBAC rule elements */
+ ret = PyModule_AddIntMacro(m, HBAC_RULE_ELEMENT_USERS);
+ if (ret == -1) MODINITERROR;
+
ret = PyModule_AddIntMacro(m, HBAC_RULE_ELEMENT_SERVICES);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_RULE_ELEMENT_TARGETHOSTS);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_RULE_ELEMENT_SOURCEHOSTS);
+ if (ret == -1) MODINITERROR;
+
+ /* enum hbac_eval_result */
+ ret = PyModule_AddIntMacro(m, HBAC_EVAL_ALLOW);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_EVAL_DENY);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_EVAL_ERROR);
+ if (ret == -1) MODINITERROR;
+
+ /* enum hbac_error_code */
+ ret = PyModule_AddIntMacro(m, HBAC_ERROR_UNKNOWN);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_SUCCESS);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_ERROR_NOT_IMPLEMENTED);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_ERROR_OUT_OF_MEMORY);
+ if (ret == -1) MODINITERROR;
+ ret = PyModule_AddIntMacro(m, HBAC_ERROR_UNPARSEABLE_RULE);
+ if (ret == -1) MODINITERROR;
+
+ TYPE_READY(m, pyhbac_hbacrule_type, "HbacRule");
+ TYPE_READY(m, pyhbac_hbacrule_element_type, "HbacRuleElement");
+ TYPE_READY(m, pyhbac_hbacrequest_element_type, "HbacRequestElement");
+ TYPE_READY(m, pyhbac_hbacrequest_type, "HbacRequest");
+
+#ifdef IS_PY3K
+ return m;
+#endif
+}
diff --git a/src/python/pysss.c b/src/python/pysss.c
new file mode 100644
index 0000000..cdabe9c
--- /dev/null
+++ b/src/python/pysss.c
@@ -0,0 +1,1173 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/sss_python.h"
+#include "db/sysdb.h"
+#include "tools/tools_util.h"
+#include "tools/sss_sync_ops.h"
+#include "util/crypto/sss_crypto.h"
+
+/*
+ * function taken from samba sources tree as of Aug 20 2009,
+ * file source4/lib/ldb/pyldb.c
+ */
+static char **PyList_AsStringList(TALLOC_CTX *mem_ctx, PyObject *list,
+ const char *paramname)
+{
+ char **ret;
+ int i;
+
+ ret = talloc_array(mem_ctx, char *, PyList_Size(list)+1);
+ for (i = 0; i < PyList_Size(list); i++) {
+ const char *itemstr;
+ Py_ssize_t itemlen;
+ PyObject *item = PyList_GetItem(list, i);
+#ifdef IS_PY3K
+ if (!PyUnicode_Check(item)) {
+#else
+ if (!PyString_Check(item)) {
+#endif
+ PyErr_Format(PyExc_TypeError, "%s should be strings", paramname);
+ return NULL;
+ }
+#ifdef IS_PY3K
+ itemstr = PyUnicode_AsUTF8AndSize(item, &itemlen);
+#else
+ itemstr = PyString_AsString(item);
+ itemlen = strlen(itemstr);
+#endif
+ ret[i] = talloc_strndup(ret, itemstr, itemlen);
+ }
+
+ ret[i] = NULL;
+ return ret;
+}
+
+/* ======================= sysdb python wrappers ==========================*/
+
+/*
+ * The sss.password object
+ */
+typedef struct {
+ PyObject_HEAD
+
+ TALLOC_CTX *mem_ctx;
+ struct tevent_context *ev;
+
struct sysdb_ctx *sysdb;
+ struct confdb_ctx *confdb;
+
+ struct sss_domain_info *local;
+
+ int lock;
+ int unlock;
+} PySssLocalObject;
+
+/*
+ * Error reporting
+ */
+static void PyErr_SetSssErrorWithMessage(int ret, const char *message)
+{
+ PyObject *exc = Py_BuildValue(discard_const_p(char, "(is)"),
+ ret, message);
+
+ PyErr_SetObject(PyExc_IOError, exc);
+ Py_XDECREF(exc);
+}
+
+static void PyErr_SetSssError(int ret)
+{
+ PyErr_SetSssErrorWithMessage(ret, strerror(ret));
+}
+
+/*
+ * Common init of all methods
+ */
+static struct tools_ctx *init_ctx(PySssLocalObject *self)
+{
+ struct ops_ctx *octx = NULL;
+ struct tools_ctx *tctx = NULL;
+
+ tctx = talloc_zero(self->mem_ctx, struct tools_ctx);
+ if (tctx == NULL) {
+ return NULL;
+ }
+
+ tctx->confdb = self->confdb;
+ tctx->sysdb = self->sysdb;
+ tctx->local = self->local;
+ /* tctx->nctx is NULL here, which is OK since we don't parse domains
+ * in the python bindings (yet?) */
+
+ octx = talloc_zero(tctx, struct ops_ctx);
+ if (octx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+ octx->domain = self->local;
+
+ tctx->octx = octx;
+ return tctx;
+}
+
+/*
+ * Add a user
+ */
+PyDoc_STRVAR(py_sss_useradd__doc__,
+ "Add a user named ``username``.\n\n"
+ ":param username: name of the user\n\n"
+ ":param kwargs: Keyword arguments that customize the operation\n\n"
+ "* useradd can be customized further with keyword arguments:\n"
+ " * ``uid``: The UID of the user\n"
+ " * ``gid``: The GID of the user\n"
+ " * ``gecos``: The comment string\n"
+ " * ``homedir``: Home directory\n"
+ " * ``shell``: Login shell\n"
+ " * ``skel``: Specify an alternative skeleton directory\n"
+ " * ``create_home``: (bool) Force creation of home directory on or off\n"
+ " * ``groups``: List of groups the user is member of\n");
+
+
+static PyObject *py_sss_useradd(PySssLocalObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ struct tools_ctx *tctx = NULL;
+ unsigned long uid = 0;
+ unsigned long gid = 0;
+ const char *gecos =
NULL;
+ const char *home = NULL;
+ const char *shell = NULL;
+ const char *skel = NULL;
+ char *username = NULL;
+ int ret;
+ const char * const kwlist[] = { "username", "uid", "gid", "gecos",
+ "homedir", "shell", "skel",
+ "create_home", "groups", NULL };
+ PyObject *py_groups = Py_None;
+ PyObject *py_create_home = Py_None;
+ int create_home = 0;
+ bool in_transaction = false;
+
+ /* parse arguments */
+ if (!PyArg_ParseTupleAndKeywords(args, kwds,
+ discard_const_p(char, "s|kkssssO!O!"),
+ discard_const_p(char *, kwlist),
+ &username,
+ &uid,
+ &gid,
+ &gecos,
+ &home,
+ &shell,
+ &skel,
+ &PyBool_Type,
+ &py_create_home,
+ &PyList_Type,
+ &py_groups)) {
+ goto fail;
+ }
+
+ tctx = init_ctx(self);
+ if (!tctx) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ if (py_groups != Py_None) {
+ tctx->octx->addgroups = PyList_AsStringList(tctx, py_groups, "groups");
+ if (!tctx->octx->addgroups) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+ }
+
+ /* user-wise the parameter is only bool - do or don't,
+ * however we must have a third state - undecided, pick default */
+ if (py_create_home == Py_True) {
+ create_home = DO_CREATE_HOME;
+ } else if (py_create_home == Py_False) {
+ create_home = DO_NOT_CREATE_HOME;
+ }
+
+ tctx->octx->name = username;
+ tctx->octx->uid = uid;
+
+ /* fill in defaults */
+ ret = useradd_defaults(tctx,
+ self->confdb,
+ tctx->octx, gecos,
+ home, shell,
+ create_home,
+ skel);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+
+ /* Add the user within a transaction */
+ tctx->error = sysdb_transaction_start(tctx->sysdb);
+ if (tctx->error != EOK) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* useradd */
+ tctx->error = useradd(tctx, tctx->octx);
+ if (tctx->error) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+
+ tctx->error = sysdb_transaction_commit(tctx->sysdb);
+ if (tctx->error) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+ in_transaction = false;
+
+ /* Create user's home
directory and/or mail spool */
+ if (tctx->octx->create_homedir) {
+ /* We need to know the UID and GID of the user, if
+ * sysdb did assign it automatically, do a lookup */
+ if (tctx->octx->uid == 0 || tctx->octx->gid == 0) {
+ ret = sysdb_getpwnam_sync(tctx,
+ tctx->octx->name,
+ tctx->octx);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+ }
+
+ ret = create_homedir(tctx->octx->skeldir,
+ tctx->octx->home,
+ tctx->octx->uid,
+ tctx->octx->gid,
+ tctx->octx->umask);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+
+ /* failure here should not be fatal */
+ create_mail_spool(tctx,
+ tctx->octx->name,
+ tctx->octx->maildir,
+ tctx->octx->uid,
+ tctx->octx->gid);
+ }
+
+ talloc_zfree(tctx);
+ Py_RETURN_NONE;
+
+fail:
+ if (in_transaction) {
+ /* We do not handle return value of sysdb_transaction_cancel()
+ * because we don't want to overwrite previous error code.
+ */
+ sysdb_transaction_cancel(tctx->sysdb);
+ }
+ talloc_zfree(tctx);
+ return NULL;
+}
+
+/*
+ * Delete a user
+ */
+PyDoc_STRVAR(py_sss_userdel__doc__,
+ "Remove the user named ``username``.\n\n"
+ ":param username: Name of user being removed\n"
+ ":param kwargs: Keyword arguments that customize the operation\n\n"
+ "* userdel can be customized further with keyword arguments:\n"
+ " * ``force``: (bool) Force removal of files not owned by the user\n"
+ " * ``remove``: (bool) Toggle removing home directory and mail spool\n");
+
+static PyObject *py_sss_userdel(PySssLocalObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ struct tools_ctx *tctx = NULL;
+ char *username = NULL;
+ int ret;
+ PyObject *py_remove = Py_None;
+ int remove_home = 0;
+ PyObject *py_force = Py_None;
+ const char * const kwlist[] = { "username", "remove", "force", NULL };
+
+ if(!PyArg_ParseTupleAndKeywords(args, kwds,
+ discard_const_p(char, "s|O!O!"),
+ discard_const_p(char *, kwlist),
+ &username,
+ &PyBool_Type,
+ &py_remove,
+ &PyBool_Type,
+ &py_force)) {
+ goto fail;
+ }
+
+ tctx =
init_ctx(self);
+ if (!tctx) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ tctx->octx->name = username;
+
+ if (py_remove == Py_True) {
+ remove_home = DO_REMOVE_HOME;
+ } else if (py_remove == Py_False) {
+ remove_home = DO_NOT_REMOVE_HOME;
+ }
+
+ /*
+ * Fills in defaults for ops_ctx user did not specify.
+ */
+ ret = userdel_defaults(tctx,
+ tctx->confdb,
+ tctx->octx,
+ remove_home);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+
+ ret = run_userdel_cmd(tctx);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+
+ if (tctx->octx->remove_homedir) {
+ ret = sysdb_getpwnam_sync(tctx,
+ tctx->octx->name,
+ tctx->octx);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+ }
+
+ /* Delete the user */
+ ret = userdel(tctx, self->sysdb, tctx->octx);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+
+ if (tctx->octx->remove_homedir) {
+ ret = remove_homedir(tctx,
+ tctx->octx->home,
+ tctx->octx->maildir,
+ tctx->octx->name,
+ tctx->octx->uid,
+ (py_force == Py_True));
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+ }
+
+ talloc_zfree(tctx);
+ Py_RETURN_NONE;
+
+fail:
+ talloc_zfree(tctx);
+ return NULL;
+}
+
+/*
+ * Modify a user
+ */
+PyDoc_STRVAR(py_sss_usermod__doc__,
+ "Modify a user.\n\n"
+ ":param username: Name of user being modified\n\n"
+ ":param kwargs: Keyword arguments that customize the operation\n\n"
+ "* usermod can be customized further with keyword arguments:\n"
+ " * ``uid``: The UID of the user\n"
+ " * ``gid``: The GID of the user\n"
+ " * ``gecos``: The comment string\n"
+ " * ``homedir``: Home directory\n"
+ " * ``shell``: Login shell\n"
+ " * ``addgroups``: List of groups to add the user to\n"
+ " * ``rmgroups``: List of groups to remove the user from\n"
+ " * ``lock``: Lock or unlock the account\n");
+
+static PyObject *py_sss_usermod(PySssLocalObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ struct tools_ctx *tctx = NULL;
+ PyObject *py_addgroups = Py_None;
+
PyObject *py_rmgroups = Py_None;
+ unsigned long uid = 0;
+ unsigned long gid = 0;
+ char *gecos = NULL;
+ char *home = NULL;
+ char *shell = NULL;
+ char *username = NULL;
+ unsigned long lock = 0;
+ const char * const kwlist[] = { "username", "uid", "gid", "lock",
+ "gecos", "homedir", "shell",
+ "addgroups", "rmgroups", NULL };
+ bool in_transaction = false;
+
+ /* parse arguments */
+ if (!PyArg_ParseTupleAndKeywords(args, kwds,
+ discard_const_p(char, "s|kkksssO!O!"),
+ discard_const_p(char *, kwlist),
+ &username,
+ &uid,
+ &gid,
+ &lock,
+ &gecos,
+ &home,
+ &shell,
+ &PyList_Type,
+ &py_addgroups,
+ &PyList_Type,
+ &py_rmgroups)) {
+ goto fail;
+ }
+
+ tctx = init_ctx(self);
+ if (!tctx) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ if (lock && lock != DO_LOCK && lock != DO_UNLOCK) {
+ PyErr_SetString(PyExc_ValueError,
+ "Unknown value for lock parameter");
+ goto fail;
+ }
+
+ if (py_addgroups != Py_None) {
+ tctx->octx->addgroups = PyList_AsStringList(tctx,
+ py_addgroups,
+ "addgroups");
+ if (!tctx->octx->addgroups) {
+ return NULL;
+ }
+ }
+
+ if (py_rmgroups != Py_None) {
+ tctx->octx->rmgroups = PyList_AsStringList(tctx,
+ py_rmgroups,
+ "rmgroups");
+ if (!tctx->octx->rmgroups) {
+ return NULL;
+ }
+ }
+
+ tctx->octx->name = username;
+ tctx->octx->uid = uid;
+ tctx->octx->gid = gid;
+ tctx->octx->gecos = gecos;
+ tctx->octx->home = home;
+ tctx->octx->shell = shell;
+ tctx->octx->lock = lock;
+
+ /* Modify the user within a transaction */
+ tctx->error = sysdb_transaction_start(tctx->sysdb);
+ if (tctx->error != EOK) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* usermod */
+ tctx->error = usermod(tctx, tctx->octx);
+ if (tctx->error) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+
+ tctx->error = sysdb_transaction_commit(tctx->sysdb);
+ if (tctx->error) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+ in_transaction = false;
+
+ talloc_zfree(tctx);
+ Py_RETURN_NONE;
+
+fail:
+ if (in_transaction) {
+ /* We do not handle return value of sysdb_transaction_cancel()
+ * because we don't want to overwrite previous error code.
+ */
+ sysdb_transaction_cancel(tctx->sysdb);
+ }
+ talloc_zfree(tctx);
+ return NULL;
+}
+
+/*
+ * Add a group
+ */
+PyDoc_STRVAR(py_sss_groupadd__doc__,
+ "Add a group.\n\n"
+ ":param groupname: Name of group being added\n\n"
+ ":param kwargs: Keyword arguments ro customize the operation\n\n"
+ "* groupmod can be customized further with keyword arguments:\n"
+ " * ``gid``: The GID of the group\n");
+
+static PyObject *py_sss_groupadd(PySssLocalObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ struct tools_ctx *tctx = NULL;
+ char *groupname;
+ unsigned long gid = 0;
+ const char * const kwlist[] = { "groupname", "gid", NULL };
+ bool in_transaction = false;
+
+ /* parse arguments */
+ if (!PyArg_ParseTupleAndKeywords(args, kwds,
+ discard_const_p(char, "s|k"),
+ discard_const_p(char *, kwlist),
+ &groupname,
+ &gid)) {
+ goto fail;
+ }
+
+ tctx = init_ctx(self);
+ if (!tctx) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ tctx->octx->name = groupname;
+ tctx->octx->gid = gid;
+
+ /* Add the group within a transaction */
+ tctx->error = sysdb_transaction_start(tctx->sysdb);
+ if (tctx->error != EOK) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+ in_transaction = true;
+
+ /* groupadd */
+ tctx->error = groupadd(tctx->octx);
+ if (tctx->error) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+
+ tctx->error = sysdb_transaction_commit(tctx->sysdb);
+ if (tctx->error) {
+ PyErr_SetSssError(tctx->error);
+ goto fail;
+ }
+ in_transaction = false;
+
+ talloc_zfree(tctx);
+ Py_RETURN_NONE;
+
+fail:
+ if (in_transaction) {
+ /* We do not handle return value of sysdb_transaction_cancel()
+ * because we don't want to overwrite previous error code.
+ */
+ sysdb_transaction_cancel(tctx->sysdb);
+ }
+ talloc_zfree(tctx);
+ return NULL;
+}
+
+/*
+ * Delete a group
+ */
+PyDoc_STRVAR(py_sss_groupdel__doc__,
+ "Remove a group.\n\n"
+ ":param groupname: Name of group being removed\n");
+
+static PyObject *py_sss_groupdel(PySssLocalObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ struct tools_ctx *tctx = NULL;
+ char *groupname = NULL;
+ int ret;
+
+ if(!PyArg_ParseTuple(args, discard_const_p(char, "s"), &groupname)) {
+ goto fail;
+ }
+
+ tctx = init_ctx(self);
+ if (!tctx) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ tctx->octx->name = groupname;
+
+ /* Remove the group */
+ ret = groupdel(tctx, self->sysdb, tctx->octx);
+ if (ret != EOK) {
+ PyErr_SetSssError(ret);
+ goto fail;
+ }
+
+ talloc_zfree(tctx);
+ Py_RETURN_NONE;
+
+fail:
+ talloc_zfree(tctx);
+ return NULL;
+}
+
+/*
+ * Modify a group
+ */
+PyDoc_STRVAR(py_sss_groupmod__doc__,
+"Modify a group.\n\n"
+":param groupname: Name of group being modified\n\n"
+":param kwargs: Keyword arguments ro customize the operation\n\n"
+"* groupmod can be customized further with keyword arguments:\n"
+" * ``gid``: The GID of the group\n\n"
+" * ``addgroups``: Groups to add the group to\n\n"
+" * ``rmgroups``: Groups to remove the group from\n\n");
+
+static PyObject *py_sss_groupmod(PySssLocalObject *self,
+ PyObject *args,
+ PyObject *kwds)
+{
+ struct tools_ctx *tctx = NULL;
+ PyObject *py_addgroups = Py_None;
+ PyObject *py_rmgroups = Py_None;
+ unsigned long gid = 0;
+ char *groupname = NULL;
+ const char * const kwlist[] = { "groupname", "gid", "addgroups",
+ "rmgroups", NULL };
+ bool in_transaction = false;
+
+ /* parse arguments */
+ if (!PyArg_ParseTupleAndKeywords(args, kwds,
+ discard_const_p(char, "s|kO!O!"),
+ discard_const_p(char *, kwlist),
+ &groupname,
+ &gid,
+ &PyList_Type,
+ &py_addgroups,
+ &PyList_Type,
+ &py_rmgroups)) {
+ goto fail;
+ }
+
+ tctx = init_ctx(self);
+ if (!tctx) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ if (py_addgroups !=
Py_None) { + tctx->octx->addgroups = PyList_AsStringList(tctx, + py_addgroups, + "addgroups"); + if (!tctx->octx->addgroups) { + return NULL; + } + } + + if (py_rmgroups != Py_None) { + tctx->octx->rmgroups = PyList_AsStringList(tctx, + py_rmgroups, + "rmgroups"); + if (!tctx->octx->rmgroups) { + return NULL; + } + } + + tctx->octx->name = groupname; + tctx->octx->gid = gid; + + /* Modify the group within a transaction */ + tctx->error = sysdb_transaction_start(tctx->sysdb); + if (tctx->error != EOK) { + PyErr_SetSssError(tctx->error); + goto fail; + } + in_transaction = true; + + /* groupmod */ + tctx->error = groupmod(tctx, tctx->octx); + if (tctx->error) { + PyErr_SetSssError(tctx->error); + goto fail; + } + + tctx->error = sysdb_transaction_commit(tctx->sysdb); + if (tctx->error) { + PyErr_SetSssError(tctx->error); + goto fail; + } + in_transaction = false; + + talloc_zfree(tctx); + Py_RETURN_NONE; + +fail: + if (in_transaction) { + /* We do not handle return value of sysdb_transaction_cancel() + * because we don't want to overwrite previous error code. 
+ */ + sysdb_transaction_cancel(tctx->sysdb); + } + talloc_zfree(tctx); + return NULL; +} + +/* + * Get list of groups user belongs to + */ +PyDoc_STRVAR(py_sss_getgrouplist__doc__, + "Get list of groups user belongs to.\n\n" + "NOTE: The interface uses the system NSS calls and is not limited to " + "users served by the SSSD!\n" + ":param username: name of user to get list for\n"); + +static PyObject *py_sss_getgrouplist(PyObject *self, PyObject *args) +{ + char *username = NULL; + gid_t *groups = NULL; + struct passwd *pw; + struct group *gr; + int ngroups; + int ret; + Py_ssize_t i, idx; + PyObject *groups_tuple; + + if(!PyArg_ParseTuple(args, discard_const_p(char, "s"), &username)) { + goto fail; + } + + pw = getpwnam(username); + if (pw == NULL) { + goto fail; + } + + ngroups = 32; + groups = malloc(sizeof(gid_t) * ngroups); + if (groups == NULL) { + goto fail; + } + + do { + ret = getgrouplist(username, pw->pw_gid, groups, &ngroups); + if (ret < ngroups) { + gid_t *tmp_groups = realloc(groups, ngroups * sizeof(gid_t)); + if (tmp_groups == NULL) { + goto fail; + } + groups = tmp_groups; + } + } while (ret != ngroups); + + groups_tuple = PyTuple_New((Py_ssize_t) ngroups); + if (groups_tuple == NULL) { + goto fail; + } + + /* Populate a tuple with names of groups + * In unlikely case of group not being able to resolve, skip it + * We also need to resize resulting tuple to avoid empty elements there */ + idx = 0; + for (i = 0; i < ngroups; i++) { + gr = getgrgid(groups[i]); + if (gr) { + PyTuple_SetItem(groups_tuple, idx, +#ifdef IS_PY3K + PyUnicode_FromString(gr->gr_name) +#else + PyString_FromString(gr->gr_name) +#endif + ); + idx++; + } + } + free(groups); + groups = NULL; + + if (i != idx) { + _PyTuple_Resize(&groups_tuple, idx); + } + + return groups_tuple; + +fail: + free(groups); + return NULL; +} + +/*** python plumbing begins here ***/ + +/* + * The sss.local destructor + */ +static void PySssLocalObject_dealloc(PySssLocalObject *self) +{ + 
talloc_free(self->mem_ctx); + Py_TYPE(self)->tp_free((PyObject *)self); +} + +/* + * The sss.local constructor + */ +static PyObject *PySssLocalObject_new(PyTypeObject *type, + PyObject *args, + PyObject *kwds) +{ + TALLOC_CTX *mem_ctx; + PySssLocalObject *self; + char *confdb_path; + int ret; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + self = (PySssLocalObject *) type->tp_alloc(type, 0); + if (self == NULL) { + talloc_free(mem_ctx); + PyErr_NoMemory(); + return NULL; + } + self->mem_ctx = mem_ctx; + + confdb_path = talloc_asprintf(self->mem_ctx, "%s/%s", DB_PATH, CONFDB_FILE); + if (confdb_path == NULL) { + PyErr_NoMemory(); + goto fail; + } + + /* Connect to the conf db */ + ret = confdb_init(self->mem_ctx, &self->confdb, confdb_path); + if (ret != EOK) { + PyErr_SetSssErrorWithMessage(ret, + "Could not initialize connection to the confdb\n"); + goto fail; + } + + ret = sssd_domain_init(self->mem_ctx, self->confdb, "local", + DB_PATH, &self->local); + if (ret != EOK) { + PyErr_SetSssErrorWithMessage(ret, + "Could not initialize connection to the sysdb\n"); + goto fail; + } + self->sysdb = self->local->sysdb; + + self->lock = DO_LOCK; + self->unlock = DO_UNLOCK; + + return (PyObject *) self; + +fail: + Py_DECREF(self); + return NULL; +} + +/* + * sss.local object methods + */ +static PyMethodDef sss_local_methods[] = { + { sss_py_const_p(char, "useradd"), (PyCFunction)(void *) py_sss_useradd, + METH_KEYWORDS, py_sss_useradd__doc__ + }, + { sss_py_const_p(char, "userdel"), (PyCFunction)(void *) py_sss_userdel, + METH_KEYWORDS, py_sss_userdel__doc__ + }, + { sss_py_const_p(char, "usermod"), (PyCFunction)(void *) py_sss_usermod, + METH_KEYWORDS, py_sss_usermod__doc__ + }, + { sss_py_const_p(char, "groupadd"), (PyCFunction)(void *) py_sss_groupadd, + METH_KEYWORDS, py_sss_groupadd__doc__ + }, + { sss_py_const_p(char, "groupdel"), (PyCFunction)(void *) py_sss_groupdel, + METH_KEYWORDS, py_sss_groupdel__doc__ + }, 
+ { sss_py_const_p(char, "groupmod"), (PyCFunction)(void *) py_sss_groupmod, + METH_KEYWORDS, py_sss_groupmod__doc__ + }, + {NULL, NULL, 0, NULL} /* Sentinel */ +}; + +static PyMemberDef sss_local_members[] = { + { discard_const_p(char, "lock"), T_INT, + offsetof(PySssLocalObject, lock), READONLY, NULL}, + { discard_const_p(char, "unlock"), T_INT, + offsetof(PySssLocalObject, unlock), READONLY, NULL}, + {NULL, 0, 0, 0, NULL} /* Sentinel */ +}; + +/* + * sss.local object properties + */ +static PyTypeObject pysss_local_type = { + PyVarObject_HEAD_INIT(NULL, 0) + .tp_name = sss_py_const_p(char, "sss.local"), + .tp_basicsize = sizeof(PySssLocalObject), + .tp_new = PySssLocalObject_new, + .tp_dealloc = (destructor) PySssLocalObject_dealloc, + .tp_methods = sss_local_methods, + .tp_members = sss_local_members, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, + .tp_doc = sss_py_const_p(char, "SSS DB manipulation"), +}; + +/* ==================== obfuscation python wrappers ========================*/ + +/* + * The sss.local object + */ +typedef struct { + PyObject_HEAD + + int aes_256; +} PySssPasswordObject; + +PyDoc_STRVAR(py_sss_encrypt__doc__, +"Obfuscate a password\n\n" +":param password: The password to obfuscate\n\n" +":param method: The obfuscation method\n\n"); + +static PyObject *py_sss_encrypt(PySssPasswordObject *self, + PyObject *args) +{ + char *password = NULL; + int plen; /* may contain NULL bytes */ + char *obfpwd = NULL; + TALLOC_CTX *tctx = NULL; + int ret; + int mode; + PyObject *retval = NULL; + + /* parse arguments */ + if (!PyArg_ParseTuple(args, discard_const_p(char, "s#i"), + &password, &plen, &mode)) { + return NULL; + } + + tctx = talloc_new(NULL); + if (!tctx) { + PyErr_NoMemory(); + return NULL; + } + + ret = sss_password_encrypt(tctx, password, plen+1, + mode, &obfpwd); + if (ret != EOK) { + PyErr_SetSssError(ret); + goto fail; + } + + retval = Py_BuildValue(sss_py_const_p(char, "s"), obfpwd); + if (retval == NULL) { + goto fail; + } + 
+fail: + talloc_zfree(tctx); + return retval; +} + +#if 0 +PyDoc_STRVAR(py_sss_decrypt__doc__, +"Deobfuscate a password\n\n" +":param obfpwd: The password to convert back to clear text\n\n"); + +static PyObject *py_sss_decrypt(PySssPasswordObject *self, + PyObject *args, + PyObject *kwds) +{ + char *password = NULL; + char *obfpwd = NULL; + TALLOC_CTX *tctx = NULL; + int ret; + PyObject *retval = NULL; + + /* parse arguments */ + if (!PyArg_ParseTuple(args, discard_const_p(char, "s"), + &obfpwd)) { + return NULL; + } + + tctx = talloc_new(NULL); + if (!tctx) { + PyErr_NoMemory(); + return NULL; + } + + ret = sss_password_decrypt(tctx, obfpwd, &password); + if (ret != EOK) { + PyErr_SetSssError(ret); + goto fail; + } + + retval = Py_BuildValue("s", password); + if (retval == NULL) { + goto fail; + } + +fail: + talloc_zfree(tctx); + return retval; +} +#endif + +/* + * The sss.password destructor + */ +static void PySssPasswordObject_dealloc(PySssPasswordObject *self) +{ + Py_TYPE(self)->tp_free((PyObject*) self); +} + +/* + * The sss.password constructor + */ +static PyObject *PySssPasswordObject_new(PyTypeObject *type, + PyObject *args, + PyObject *kwds) +{ + PySssPasswordObject *self; + + self = (PySssPasswordObject *) type->tp_alloc(type, 0); + if (self == NULL) { + PyErr_NoMemory(); + return NULL; + } + + self->aes_256 = AES_256; + + return (PyObject *) self; +} + +/* + * sss.password object methods + */ +static PyMethodDef sss_password_methods[] = { + { sss_py_const_p(char, "encrypt"), (PyCFunction) py_sss_encrypt, + METH_VARARGS | METH_STATIC, py_sss_encrypt__doc__ + }, +#if 0 + { "decrypt", (PyCFunction) py_sss_decrypt, + METH_VARARGS | METH_STATIC, py_sss_decrypt__doc__ + }, +#endif + {NULL, NULL, 0, NULL} /* Sentinel */ +}; + +/* + * sss.password object members + */ +static PyMemberDef sss_password_members[] = { + { discard_const_p(char, "AES_256"), T_INT, + offsetof(PySssPasswordObject, aes_256), READONLY, NULL}, + {NULL, 0, 0, 0, NULL} /* Sentinel */ +}; + 
+/* + * sss.password object properties + */ +static PyTypeObject pysss_password_type = { + PyVarObject_HEAD_INIT(NULL, 0) + .tp_name = sss_py_const_p(char, "sss.password"), + .tp_basicsize = sizeof(PySssPasswordObject), + .tp_new = PySssPasswordObject_new, + .tp_dealloc = (destructor) PySssPasswordObject_dealloc, + .tp_methods = sss_password_methods, + .tp_members = sss_password_members, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, + .tp_doc = sss_py_const_p(char, "SSS password obfuscation"), +}; + +/* ==================== the sss module initialization =======================*/ + +/* + * Module methods + */ +static PyMethodDef module_methods[] = { + {"getgrouplist", py_sss_getgrouplist, METH_VARARGS, py_sss_getgrouplist__doc__}, + {NULL, NULL, 0, NULL} /* Sentinel */ +}; + +/* + * Module initialization + */ +#ifdef IS_PY3K +static struct PyModuleDef pysssdef = { + PyModuleDef_HEAD_INIT, + "pysss", + NULL, + -1, + module_methods, + NULL, + NULL, + NULL, + NULL +}; + +PyMODINIT_FUNC +PyInit_pysss(void) +#else +PyMODINIT_FUNC +initpysss(void) +#endif +{ + PyObject *m; + + if (PyType_Ready(&pysss_local_type) < 0) + MODINITERROR; + if (PyType_Ready(&pysss_password_type) < 0) + MODINITERROR; + +#ifdef IS_PY3K + m = PyModule_Create(&pysssdef); +#else + m = Py_InitModule(discard_const_p(char, "pysss"), module_methods); +#endif + if (m == NULL) + MODINITERROR; + + Py_INCREF(&pysss_local_type); + PyModule_AddObject(m, discard_const_p(char, "local"), (PyObject *)&pysss_local_type); + Py_INCREF(&pysss_password_type); + PyModule_AddObject(m, discard_const_p(char, "password"), (PyObject *)&pysss_password_type); + +#ifdef IS_PY3K + return m; +#endif +} + diff --git a/src/python/pysss_murmur.c b/src/python/pysss_murmur.c new file mode 100644 index 0000000..bcb2b81 --- /dev/null +++ b/src/python/pysss_murmur.c 
@@ -0,0 +1,98 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+
+#include "util/sss_python.h"
+#include "shared/murmurhash3.h"
+
+PyDoc_STRVAR(murmurhash3_doc,
+"murmurhash3(key, key_len, seed) -> 32bit integer hash\n\
+\n\
+Calculate the murmur hash version 3 of the first key_len bytes from key\n\
+using the given seed."
+);
+
+static PyObject * py_murmurhash3(PyObject *module, PyObject *args)
+{
+ const char *key;
+ long key_len;
+ long long seed;
+ uint32_t hash;
+ int input_len;
+
+ if (!PyArg_ParseTuple(args, sss_py_const_p(char, "z#lL"),
+ &key, &input_len, &key_len, &seed)) {
+ PyErr_Format(PyExc_ValueError, "Invalid argument\n");
+ return NULL;
+ }
+
+ if (seed > UINT32_MAX || key_len > INT_MAX || key_len < 0 ||
+ key_len > input_len) {
+ PyErr_Format(PyExc_ValueError, "Invalid value\n");
+ return NULL;
+ }
+
+ hash = murmurhash3(key, key_len, seed);
+
+ return PyLong_FromUnsignedLong((unsigned long) hash);
+}
+
+static PyMethodDef methods[] = {
+ { sss_py_const_p(char, "murmurhash3"), (PyCFunction) py_murmurhash3,
+ METH_VARARGS, murmurhash3_doc },
+ { NULL,NULL, 0, NULL }
+};
+
+#ifdef IS_PY3K
+static struct PyModuleDef pysss_murmurdef = {
+ PyModuleDef_HEAD_INIT,
+ "pysss_murmur",
+ NULL,
+ -1,
+ methods,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+};
+
+PyMODINIT_FUNC
+PyInit_pysss_murmur(void)
+#else
+PyMODINIT_FUNC
+initpysss_murmur(void)
+#endif
+{
+ PyObject *m;
+#ifdef IS_PY3K
+ m = PyModule_Create(&pysss_murmurdef);
+#else
+ m = Py_InitModule3(sss_py_const_p(char, "pysss_murmur"),
+ methods, sss_py_const_p(char, "murmur hash functions"));
+#endif
+ if (m == NULL)
+ MODINITERROR;
+#ifdef IS_PY3K
+ return m;
+#endif
+}
diff --git a/src/python/pysss_nss_idmap.c b/src/python/pysss_nss_idmap.c
new file mode 100644
index 0000000..2bbec7d
--- /dev/null
+++ b/src/python/pysss_nss_idmap.c
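Review bot: The range check in py_murmurhash3() rejects `seed > UINT32_MAX` but not a negative seed, so a negative `long long` is silently converted when handed to murmurhash3() (presumably a uint32_t parameter; its prototype is not in this hunk) and the caller receives a hash for a seed it did not ask for. Extend the condition to `if (seed < 0 || seed > UINT32_MAX || key_len > INT_MAX || key_len < 0 ||`. The `z#` format also accepts None, which leaves `key` NULL with `input_len` 0; that is safe only as long as murmurhash3() never reads `key` for a zero length, which deserves a comment such as `/* key may be NULL only when key_len == 0 */`. Separately, the PyErr_Format() after a failed PyArg_ParseTuple() replaces the more specific exception the parser has already set.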
@@ -0,0 +1,599 @@ +/* + Authors: + Sumit Bose + Alexander Bokovoy + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#include "util/sss_python.h" +#include "sss_client/idmap/sss_nss_idmap.h" + +#define SSS_NAME_KEY "name" +#define SSS_SID_KEY "sid" +#define SSS_ID_KEY "id" +#define SSS_TYPE_KEY "type" + +enum lookup_type { + SIDBYNAME, + SIDBYID, + SIDBYUID, + SIDBYGID, + NAMEBYSID, + IDBYSID, + NAMEBYCERT, + LISTBYCERT +}; + +static int add_dict_to_list(PyObject *py_list, PyObject *res_type, + PyObject *res, PyObject *id_type) +{ + int ret; + PyObject *py_dict; + + py_dict = PyDict_New(); + if (py_dict == NULL) { + return ENOMEM; + } + + ret = PyDict_SetItem(py_dict, res_type, res); + if (ret != 0) { + Py_XDECREF(py_dict); + return ret; + } + + ret = PyDict_SetItem(py_dict, PyUnicode_FromString(SSS_TYPE_KEY), id_type); + if (ret != 0) { + Py_XDECREF(py_dict); + return ret; + } + + ret = PyList_Append(py_list, py_dict); + + return ret; +} +static int add_dict(PyObject *py_result, PyObject *key, PyObject *res_type, + PyObject *res, PyObject *id_type) +{ + int ret; + PyObject *py_dict; + + py_dict = PyDict_New(); + if (py_dict == NULL) { + return ENOMEM; + } + + ret = PyDict_SetItem(py_dict, res_type, res); + if (ret != 0) { + Py_XDECREF(py_dict); + return ret; + } + + ret = PyDict_SetItem(py_dict, PyUnicode_FromString(SSS_TYPE_KEY), id_type); + if (ret 
!= 0) { + Py_XDECREF(py_dict); + return ret; + } + + ret = PyDict_SetItem(py_result, key, py_dict); + + return ret; +} + +static char *py_string_or_unicode_as_string(PyObject *inp) +{ + PyObject *py_str = NULL; + + if (PyUnicode_Check(inp)) { + py_str = PyUnicode_AsUTF8String(inp); + } else if (PyBytes_Check(inp)) { + py_str = inp; + } else { + PyErr_Format(PyExc_TypeError, "input must be unicode or a string"); + return NULL; + } + + return PyBytes_AS_STRING(py_str); +} + +static int do_getsidbyname(PyObject *py_result, PyObject *py_name) +{ + int ret; + const char *name; + char *sid = NULL; + enum sss_id_type id_type; + + name = py_string_or_unicode_as_string(py_name); + if (name == NULL) { + return EINVAL; + } + + ret = sss_nss_getsidbyname(name, &sid, &id_type); + if (ret == 0) { + ret = add_dict(py_result, py_name, PyUnicode_FromString(SSS_SID_KEY), + PyUnicode_FromString(sid), PYNUMBER_FROMLONG(id_type)); + } + free(sid); + + return ret; +} + +static int do_getnamebysid(PyObject *py_result, PyObject *py_sid) +{ + int ret; + const char *sid; + char *name = NULL; + enum sss_id_type id_type; + + sid = py_string_or_unicode_as_string(py_sid); + if (sid == NULL) { + return EINVAL; + } + + ret = sss_nss_getnamebysid(sid, &name, &id_type); + if (ret == 0) { + ret = add_dict(py_result, py_sid, PyUnicode_FromString(SSS_NAME_KEY), + PyUnicode_FromString(name), PYNUMBER_FROMLONG(id_type)); + } + free(name); + + return ret; +} + +static int do_getsidbyid(enum lookup_type type, PyObject *py_result, + PyObject *py_id) +{ + long id; + const char *id_str; + char *endptr; + char *sid = NULL; + int ret; + enum sss_id_type id_type; + +#ifndef IS_PY3K + if (PyInt_Check(py_id)) { + id = PyInt_AS_LONG(py_id); + } else +#endif + if (PyLong_Check(py_id)) { + id = PyLong_AsLong(py_id); + } else { + id_str = py_string_or_unicode_as_string(py_id); + if (id_str == NULL) { + return EINVAL; + } + errno = 0; + id = strtol(id_str, &endptr, 10); + if (errno != 0 || *endptr != '\0') { + return 
EINVAL; + } + } + + if (id < 0 || id > UINT32_MAX) { + return EINVAL; + } + + switch (type) { + case SIDBYID: + ret = sss_nss_getsidbyid((uint32_t) id, &sid, &id_type); + break; + case SIDBYUID: + ret = sss_nss_getsidbyuid((uint32_t) id, &sid, &id_type); + break; + case SIDBYGID: + ret = sss_nss_getsidbygid((uint32_t) id, &sid, &id_type); + break; + default: + return EINVAL; + } + if (ret == 0) { + ret = add_dict(py_result, py_id, PyUnicode_FromString(SSS_SID_KEY), + PyUnicode_FromString(sid), PYNUMBER_FROMLONG(id_type)); + } + free(sid); + + return ret; +} + +static int do_getnamebycert(PyObject *py_result, PyObject *py_cert) +{ + int ret; + const char *cert; + char *name = NULL; + enum sss_id_type id_type; + + cert = py_string_or_unicode_as_string(py_cert); + if (cert == NULL) { + return EINVAL; + } + + ret = sss_nss_getnamebycert(cert, &name, &id_type); + if (ret == 0) { + ret = add_dict(py_result, py_cert, PyUnicode_FromString(SSS_NAME_KEY), + PyUnicode_FromString(name), PYNUMBER_FROMLONG(id_type)); + } + free(name); + + return ret; +} + +static int do_getlistbycert(PyObject *py_result, PyObject *py_cert) +{ + int ret; + const char *cert; + char **names = NULL; + enum sss_id_type *id_types = NULL; + size_t c; + + cert = py_string_or_unicode_as_string(py_cert); + if (cert == NULL) { + return EINVAL; + } + + ret = sss_nss_getlistbycert(cert, &names, &id_types); + if (ret == 0) { + + PyObject *py_list; + + py_list = PyList_New(0); + if (py_list == NULL) { + return ENOMEM; + } + + for (c = 0; names[c] != NULL; c++) { + ret = add_dict_to_list(py_list, + PyUnicode_FromString(SSS_NAME_KEY), + PyUnicode_FromString(names[c]), + PYNUMBER_FROMLONG(id_types[c])); + if (ret != 0) { + goto done; + } + } + ret = PyDict_SetItem(py_result, py_cert, py_list); + if (ret != 0) { + goto done; + } + } + +done: + free(id_types); + if (names != NULL) { + for (c = 0; names[c] != NULL; c++) { + free(names[c]); + } + free(names); + } + + return ret; +} + + +static int 
do_getidbysid(PyObject *py_result, PyObject *py_sid) +{ + const char *sid; + uint32_t id; + enum sss_id_type id_type; + int ret; + + sid = py_string_or_unicode_as_string(py_sid); + if (sid == NULL) { + return EINVAL; + } + + ret = sss_nss_getidbysid(sid, &id, &id_type); + if (ret == 0) { + ret = add_dict(py_result, py_sid, PyUnicode_FromString(SSS_ID_KEY), + PYNUMBER_FROMLONG(id), PYNUMBER_FROMLONG(id_type)); + } + + return ret; +} + +static int do_lookup(enum lookup_type type, PyObject *py_result, + PyObject *py_inp) +{ + switch(type) { + case SIDBYNAME: + return do_getsidbyname(py_result, py_inp); + break; + case NAMEBYSID: + return do_getnamebysid(py_result, py_inp); + break; + case SIDBYID: + case SIDBYUID: + case SIDBYGID: + return do_getsidbyid(type, py_result, py_inp); + break; + case IDBYSID: + return do_getidbysid(py_result, py_inp); + break; + case NAMEBYCERT: + return do_getnamebycert(py_result, py_inp); + break; + case LISTBYCERT: + return do_getlistbycert(py_result, py_inp); + break; + default: + return ENOSYS; + } + + return ENOSYS; +} + +static PyObject *check_args(enum lookup_type type, PyObject *args) +{ + PyObject *obj, *py_value; + int ret; + Py_ssize_t len, i; + PyObject *py_result; + + if (!PyArg_ParseTuple(args, sss_py_const_p(char, "O"), &obj)) { + PyErr_Format(PyExc_ValueError, "Unable to retrieve argument\n"); + return NULL; + } + + if (!(PyList_Check(obj) || PyTuple_Check(obj) || + PyBytes_Check(obj) || PyUnicode_Check(obj) || + ((type == SIDBYID + || type == SIDBYUID + || type == SIDBYGID) && (PYNUMBER_CHECK(obj))))) { + PyErr_Format(PyExc_ValueError, + "Only string, long or list or tuples of them " \ + "are accepted\n"); + return NULL; + } + + py_result = PyDict_New(); + Py_XINCREF(py_result); + if (py_result == NULL) { + PyErr_Format(PyExc_MemoryError, + "Unable to allocate resulting dictionary\n"); + return NULL; + } + + if (PyList_Check(obj) || PyTuple_Check(obj)) { + len = PySequence_Size(obj); + for(i=0; i < len; i++) { + py_value = 
PySequence_GetItem(obj, i); + if ((py_value != NULL) && + (PyBytes_Check(py_value) || PyUnicode_Check(py_value) || + ((type == SIDBYID + || type == SIDBYUID + || type == SIDBYGID) && PYNUMBER_CHECK(py_value)))) { + ret = do_lookup(type, py_result, py_value); + if (ret != 0) { + /* Skip this name */ + continue; + } + } + } + } else { + ret = do_lookup(type, py_result, obj); + switch (ret) { + case 0: + case ENOENT: /* nothing found, return empty dict */ + break; + case EINVAL: + PyErr_Format(PyExc_ValueError, "Unable to retrieve result\n"); + Py_XDECREF(py_result); + return NULL; + break; + default: + PyErr_Format(PyExc_IOError, "Operation not supported\n"); + Py_XDECREF(py_result); + return NULL; + } + } + + Py_XDECREF(py_result); + return py_result; + +} + +PyDoc_STRVAR(getsidbyname_doc, +"getsidbyname(name or list/tuple of names) -> dict(name => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given name.\n\ +The result dictionary contain the SID and the type of the object which can be\n\ +accessed with the key constants SID_KEY and TYPE_KEY, respectively.\n\ +\n\ +The return type can be one of the following constants:\n\ +- ID_NOT_SPECIFIED\n\ +- ID_USER\n\ +- ID_GROUP\n\ +- ID_BOTH" +); + +static PyObject * py_getsidbyname(PyObject *module, PyObject *args) +{ + return check_args(SIDBYNAME, args); +} + +PyDoc_STRVAR(getsidbyid_doc, +"getsidbyid(id or list/tuple of id) -> dict(id => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given POSIX ID.\n\ +The result dictionary contain the SID and the type of the object which can be\n\ +accessed with the key constants SID_KEY and TYPE_KEY, respectively." 
+); + +static PyObject * py_getsidbyid(PyObject *module, PyObject *args) +{ + return check_args(SIDBYID, args); +} + +PyDoc_STRVAR(getsidbyuid_doc, +"getsidbyuid(uid or list/tuple of uid) -> dict(uid => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given POSIX UID.\n\ +The result dictionary contain the SID and the type of the object which can be\n\ +accessed with the key constants SID_KEY and TYPE_KEY, respectively. Since \n\ +given ID is assumed to be a user ID is is not expected that group objects are\n\ +returned." +); + +static PyObject * py_getsidbyuid(PyObject *module, PyObject *args) +{ + return check_args(SIDBYUID, args); +} + +PyDoc_STRVAR(getsidbygid_doc, +"getsidbygid(gid or list/tuple of gid) -> dict(gid => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given POSIX GID.\n\ +The result dictionary contain the SID and the type of the object which can be\n\ +accessed with the key constants SID_KEY and TYPE_KEY, respectively. Since \n\ +given ID is assumed to be a group ID is is not expected that user objects are\n\ +returned." +); + +static PyObject * py_getsidbygid(PyObject *module, PyObject *args) +{ + return check_args(SIDBYGID, args); +} + +PyDoc_STRVAR(getnamebysid_doc, +"getnamebysid(sid or list/tuple of sid) -> dict(sid => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given SID.\n\ +The result dictionary contain the name and the type of the object which can be\n\ +accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\ +\n\ +NOTE: getnamebysid currently works only with id_provider set as \"ad\" or \"ipa\"" +); + +static PyObject * py_getnamebysid(PyObject *module, PyObject *args) +{ + return check_args(NAMEBYSID, args); +} + +PyDoc_STRVAR(getidbysid_doc, +"getidbysid(sid) -> POSIX ID\n\ +\n\ +Returns the POSIX ID of the object with the given SID." 
+"getidbysid(sid or list/tuple of sid) -> dict(sid => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given SID.\n\ +The result dictionary contain the POSIX ID and the type of the object which\n\ +can be accessed with the key constants ID_KEY and TYPE_KEY, respectively." +); + +static PyObject * py_getidbysid(PyObject *module, PyObject *args) +{ + return check_args(IDBYSID, args); +} + +PyDoc_STRVAR(getnamebycert_doc, +"getnamebycert(certificate or list/tuple of certificates) -> dict(certificate => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given certificates.\n\ +The result dictionary contain the name and the type of the object which can be\n\ +accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\ +\n\ +NOTE: getnamebycert currently works only with id_provider set as \"ad\" or \"ipa\"" +); + +static PyObject * py_getnamebycert(PyObject *module, PyObject *args) +{ + return check_args(NAMEBYCERT, args); +} + +PyDoc_STRVAR(getlistbycert_doc, +"getnamebycert(certificate or list/tuple of certificates) -> dict(certificate => dict(results))\n\ +\n\ +Returns a dictionary with a dictionary of results for each given certificates.\n\ +The result dictionary contain the name and the type of the object which can be\n\ +accessed with the key constants NAME_KEY and TYPE_KEY, respectively.\n\ +\n\ +NOTE: getlistbycert currently works only with id_provider set as \"ad\" or \"ipa\"" +); + +static PyObject * py_getlistbycert(PyObject *module, PyObject *args) +{ + return check_args(LISTBYCERT, args); +} + +static PyMethodDef methods[] = { + { sss_py_const_p(char, "getsidbyname"), (PyCFunction) py_getsidbyname, + METH_VARARGS, getsidbyname_doc }, + { sss_py_const_p(char, "getsidbyid"), (PyCFunction) py_getsidbyid, + METH_VARARGS, getsidbyid_doc }, + { sss_py_const_p(char, "getsidbyuid"), (PyCFunction) py_getsidbyuid, + METH_VARARGS, getsidbyuid_doc }, + { sss_py_const_p(char, "getsidbygid"), 
(PyCFunction) py_getsidbygid, + METH_VARARGS, getsidbygid_doc }, + { sss_py_const_p(char, "getnamebysid"), (PyCFunction) py_getnamebysid, + METH_VARARGS, getnamebysid_doc }, + { sss_py_const_p(char, "getidbysid"), (PyCFunction) py_getidbysid, + METH_VARARGS, getidbysid_doc }, + { sss_py_const_p(char, "getnamebycert"), (PyCFunction) py_getnamebycert, + METH_VARARGS, getnamebycert_doc }, + { sss_py_const_p(char, "getlistbycert"), (PyCFunction) py_getlistbycert, + METH_VARARGS, getlistbycert_doc }, + { NULL,NULL, 0, NULL } +}; + +#ifdef IS_PY3K +static struct PyModuleDef pysss_nss_idmap_def = { + PyModuleDef_HEAD_INIT, + "pysss_nss_idmap", + NULL, + -1, + methods, + NULL, + NULL, + NULL, + NULL +}; + +PyMODINIT_FUNC +PyInit_pysss_nss_idmap(void) +#else +PyMODINIT_FUNC +initpysss_nss_idmap(void) +#endif +{ + PyObject *module; + +#ifdef IS_PY3K + module = PyModule_Create(&pysss_nss_idmap_def); +#else + module = Py_InitModule3(sss_py_const_p(char, "pysss_nss_idmap"), + methods, + sss_py_const_p(char, "SSSD ID-mapping functions")); +#endif + if (module == NULL) + MODINITERROR; + + PyModule_AddIntConstant(module, "ID_NOT_SPECIFIED", + SSS_ID_TYPE_NOT_SPECIFIED); + PyModule_AddIntConstant(module, "ID_USER", SSS_ID_TYPE_UID); + PyModule_AddIntConstant(module, "ID_GROUP", SSS_ID_TYPE_GID); + PyModule_AddIntConstant(module, "ID_BOTH", SSS_ID_TYPE_BOTH); + + PyModule_AddStringConstant(module, "SID_KEY", SSS_SID_KEY); + PyModule_AddStringConstant(module, "NAME_KEY", SSS_NAME_KEY); + PyModule_AddStringConstant(module, "ID_KEY", SSS_ID_KEY); + PyModule_AddStringConstant(module, "TYPE_KEY", SSS_TYPE_KEY); + +#ifdef IS_PY3K + return module; +#endif +} diff --git a/src/resolv/async_resolv.c b/src/resolv/async_resolv.c new file mode 100644 index 0000000..bb27011 --- /dev/null +++ b/src/resolv/async_resolv.c 
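Review bot: py_string_or_unicode_as_string() hands the result of PyUnicode_AsUTF8String() to PyBytes_AS_STRING() without a NULL check, and that macro does no checking of its own, so a caller-supplied string that cannot be encoded (for example one containing a lone surrogate) becomes a NULL dereference inside the interpreter instead of a Python exception. Add `if (py_str == NULL) { return NULL; }` before the return. The temporary bytes object on the unicode path is never released, and add_dict()/add_dict_to_list() likewise never drop the references they create with PyUnicode_FromString()/PYNUMBER_FROMLONG or the new dict after inserting it, so every lookup leaks objects in a long-running process; PyDict_SetItem() and PyList_Append() do not steal references, so each of those needs a matching Py_DECREF. In check_args() the items returned by PySequence_GetItem() are also never released, and on the list path a failed lookup is skipped with any pending exception still set.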
@@ -0,0 +1,2511 @@
+/*
+ SSSD
+
+ Async resolver
+
+ Authors:
+ Martin Nagy
+ Jakub Hrozek
+
+ Copyright (C) Red Hat, Inc 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "config.h"
+#include "resolv/async_resolv.h"
+#include "util/dlinklist.h"
+#include "util/util.h"
+
+#define DNS__16BIT(p) (((p)[0] << 8) | (p)[1])
+
+/*
+ * Macro DNS__32BIT reads a network long (32 bit) given in network
+ * byte order, and returns its value as an unsigned int. Copied
+ * from c-ares source code.
+ */
+#define DNS__32BIT(p) ((unsigned int) \
+ (((unsigned int)((unsigned char)(p)[0]) << 24U) | \
+ ((unsigned int)((unsigned char)(p)[1]) << 16U) | \
+ ((unsigned int)((unsigned char)(p)[2]) << 8U) | \
+ ((unsigned int)((unsigned char)(p)[3]))))
+
+#define DNS_HEADER_ANCOUNT(h) DNS__16BIT((h) + 6)
+#define DNS_RR_LEN(r) DNS__16BIT((r) + 8)
+#define DNS_RR_TTL(r) DNS__32BIT((r) + 4)
+
+#define RESOLV_TIMEOUTMS 2000
+
+enum host_database default_host_dbs[] = { DB_FILES, DB_DNS, DB_SENTINEL };
+
+struct fd_watch {
+ struct fd_watch *prev;
+ struct fd_watch *next;
+
+ int fd;
+ struct resolv_ctx *ctx;
+ struct tevent_fd *fde;
+};
+
+struct resolv_ctx {
+ struct tevent_context *ev_ctx;
+ ares_channel channel;
+
+ /* List of file descriptors that are watched by tevent.
*/
+ struct fd_watch *fds;
+
+ /* Time in milliseconds before canceling a DNS request */
+ int timeout;
+
+ /* The timeout watcher periodically calls ares_process_fd() to check
+ * if our pending requests didn't timeout. */
+ int pending_requests;
+ struct tevent_timer *timeout_watcher;
+};
+
+struct request_watch {
+ struct tevent_req *req;
+ struct resolv_request *rr;
+};
+
+struct resolv_request {
+ struct resolv_ctx *ctx;
+ struct request_watch *rwatch;
+ struct tevent_timer *request_timeout;
+};
+
+static int
+return_code(int ares_code)
+{
+ switch (ares_code) {
+ case ARES_SUCCESS:
+ return EOK;
+ case ARES_ENOMEM:
+ return ENOMEM;
+ case ARES_EFILE:
+ default:
+ return EIO;
+ }
+}
+
+const char *
+resolv_strerror(int ares_code)
+{
+ return ares_strerror(ares_code);
+}
+
+static int
+fd_watch_destructor(struct fd_watch *f)
+{
+ DLIST_REMOVE(f->ctx->fds, f);
+ f->fd = -1;
+
+ return 0;
+}
+
+static void
+fd_input_available(struct tevent_context *ev, struct tevent_fd *fde,
+ uint16_t flags, void *data)
+{
+ struct fd_watch *watch = talloc_get_type(data, struct fd_watch);
+
+ if (watch->ctx->channel == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid ares channel - this is likely a bug\n");
+ return;
+ }
+
+ ares_process_fd(watch->ctx->channel,
+ flags & TEVENT_FD_READ ? watch->fd : ARES_SOCKET_BAD,
+ flags & TEVENT_FD_WRITE ? watch->fd : ARES_SOCKET_BAD);
+}
+
+static void
+check_fd_timeouts(struct tevent_context *ev, struct tevent_timer *te,
+ struct timeval current_time, void *private_data);
+
+static void
+add_timeout_timer(struct tevent_context *ev, struct resolv_ctx *ctx)
+{
+ struct timeval tv = { 0, 0 };
+ struct timeval *tvp;
+
+ if (ctx->timeout_watcher) {
+ return;
+ }
+
+ tvp = ares_timeout(ctx->channel, NULL, &tv);
+
+ if (tvp == NULL) {
+ tvp = &tv;
+ }
+
+ /* Enforce a minimum of 1 second.
*/
+ if (tvp->tv_sec < 1) {
+ tv = tevent_timeval_current_ofs(1, 0);
+ } else {
+ tv = tevent_timeval_current_ofs(tvp->tv_sec, tvp->tv_usec);
+ }
+
+ ctx->timeout_watcher = tevent_add_timer(ev, ctx, tv, check_fd_timeouts,
+ ctx);
+ if (ctx->timeout_watcher == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n");
+ }
+}
+
+static void
+check_fd_timeouts(struct tevent_context *ev, struct tevent_timer *te,
+ struct timeval current_time, void *private_data)
+{
+ struct resolv_ctx *ctx = talloc_get_type(private_data, struct resolv_ctx);
+
+ DEBUG(SSSDBG_TRACE_ALL, "Checking for DNS timeouts\n");
+
+ /* NULLify the timeout_watcher so we don't
+ * free it in the _done() function if it
+ * gets called. Now that we're already in
+ * the handler, tevent will take care of
+ * freeing it when it returns.
+ */
+ ctx->timeout_watcher = NULL;
+
+ ares_process_fd(ctx->channel, ARES_SOCKET_BAD, ARES_SOCKET_BAD);
+
+ if (ctx->pending_requests > 0) {
+ add_timeout_timer(ev, ctx);
+ }
+}
+
+static void
+resolv_request_timeout(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval tv, void *pvt)
+{
+ struct resolv_request *rreq;
+
+ DEBUG(SSSDBG_MINOR_FAILURE, "The resolve request timed out\n");
+
+ rreq = talloc_get_type(pvt, struct resolv_request);
+ if (rreq->rwatch == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "The request already completed\n");
+ return;
+ }
+
+ tevent_req_error(rreq->rwatch->req, ETIMEDOUT);
+ rreq->rwatch = NULL;
+}
+
+static int
+request_watch_destructor(struct request_watch *rwatch)
+{
+ DEBUG(SSSDBG_TRACE_FUNC, "Deleting request watch\n");
+ if (rwatch->rr) rwatch->rr->rwatch = NULL;
+ return 0;
+}
+
+static struct resolv_request *
+schedule_request_timeout(struct tevent_context *ev, struct resolv_ctx *ctx,
+ struct tevent_req *req)
+{
+ struct resolv_request *rreq;
+ struct timeval tv;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Scheduling a timeout of %d seconds\n",
+ ctx->timeout);
+ tv = tevent_timeval_current_ofs(ctx->timeout, 0);
+
+ /* Intentionally
allocating on ctx, because the request might go away
+ * before c-ares returns */
+ rreq = talloc(ctx, struct resolv_request);
+ if (!rreq) {
+ talloc_zfree(req);
+ return NULL;
+ }
+ rreq->ctx = ctx;
+ rreq->request_timeout = tevent_add_timer(ev, rreq, tv,
+ resolv_request_timeout,
+ rreq);
+ if (rreq->request_timeout == NULL) {
+ talloc_free(rreq);
+ return NULL;
+ }
+
+ /* The watch will go away when the request finishes */
+ rreq->rwatch = talloc(req, struct request_watch);
+ if (!rreq->rwatch) {
+ talloc_zfree(req);
+ return NULL;
+ }
+
+ rreq->rwatch->req = req;
+ rreq->rwatch->rr = rreq;
+ talloc_set_destructor(rreq->rwatch, request_watch_destructor);
+
+ return rreq;
+}
+
+static struct resolv_request *
+schedule_timeout_watcher(struct tevent_context *ev, struct resolv_ctx *ctx,
+ struct tevent_req *req)
+{
+ struct resolv_request *rreq;
+
+ rreq = schedule_request_timeout(ev, ctx, req);
+ if (!rreq) return NULL;
+
+ ctx->pending_requests++;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Scheduling DNS timeout watcher\n");
+ add_timeout_timer(ev, ctx);
+ return rreq;
+}
+
+static void
+unschedule_timeout_watcher(struct resolv_ctx *ctx, struct resolv_request *rreq)
+{
+ /* Unlink the watch if the request is still active */
+ if (rreq->rwatch) {
+ rreq->rwatch->rr = NULL;
+ }
+ talloc_free(rreq); /* Cancels the tevent timeout as well */
+
+ if (ctx->pending_requests <= 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Pending DNS requests mismatch\n");
+ return;
+ }
+
+ ctx->pending_requests--;
+ if (ctx->pending_requests == 0) {
+ DEBUG(SSSDBG_TRACE_ALL, "Unscheduling DNS timeout watcher\n");
+ talloc_zfree(ctx->timeout_watcher);
+ }
+}
+
+static void fd_event_add(struct resolv_ctx *ctx, int s, int flags);
+static void fd_event_close(struct resolv_ctx *ctx, int s);
+
+/*
+ * When ares is ready to read or write to a file descriptor, it will
+ * call this callback. If both read and write are 0, it means that ares
+ * will soon close the socket.
We are mainly using this function to register
+ * new file descriptors with tevent.
+ */
+static void
+fd_event(void *data, int s, int fd_read, int fd_write)
+{
+ struct resolv_ctx *ctx = talloc_get_type(data, struct resolv_ctx);
+ struct fd_watch *watch;
+ int flags;
+
+ /* The socket is about to get closed. */
+ if (fd_read == 0 && fd_write == 0) {
+ fd_event_close(ctx, s);
+ return;
+ }
+
+ flags = fd_read ? TEVENT_FD_READ : 0;
+ flags |= fd_write ? TEVENT_FD_WRITE : 0;
+
+ /* Are we already watching this file descriptor? */
+ watch = ctx->fds;
+ while (watch) {
+ if (watch->fd == s) {
+ tevent_fd_set_flags(watch->fde, flags);
+ return;
+ }
+ watch = watch->next;
+ }
+
+ fd_event_add(ctx, s, flags);
+}
+
+static void
+fd_event_add(struct resolv_ctx *ctx, int s, int flags)
+{
+ struct fd_watch *watch;
+
+ /* The file descriptor is new, register it with tevent. */
+ watch = talloc(ctx, struct fd_watch);
+ if (watch == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Out of memory allocating fd_watch structure\n");
+ return;
+ }
+ talloc_set_destructor(watch, fd_watch_destructor);
+
+ watch->fd = s;
+ watch->ctx = ctx;
+
+ watch->fde = tevent_add_fd(ctx->ev_ctx, watch, s, flags,
+ fd_input_available, watch);
+ if (watch->fde == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd() failed\n");
+ talloc_free(watch);
+ return;
+ }
+ DLIST_ADD(ctx->fds, watch);
+}
+
+static void
+fd_event_close(struct resolv_ctx *ctx, int s)
+{
+ struct fd_watch *watch;
+
+ /* Remove the socket from list */
+ watch = ctx->fds;
+ while (watch) {
+ if (watch->fd == s) {
+ talloc_free(watch);
+ return;
+ }
+ watch = watch->next;
+ }
+}
+
+static int
+resolv_ctx_destructor(struct resolv_ctx *ctx)
+{
+ ares_channel channel;
+
+ if (ctx->channel == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Ares channel already destroyed?\n");
+ return -1;
+ }
+
+ /* Set ctx->channel to NULL first, so that callbacks that get
+ * ARES_EDESTRUCTION won't retry.
*/
+ channel = ctx->channel;
+ ctx->channel = NULL;
+ ares_destroy(channel);
+
+ return 0;
+}
+
+static int
+recreate_ares_channel(struct resolv_ctx *ctx)
+{
+ int ret;
+ ares_channel new_channel;
+ ares_channel old_channel;
+ struct ares_options options;
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Initializing new c-ares channel\n");
+ /* FIXME: the options would contain
+ * the nameservers to contact, the domains
+ * to search... => get from confdb
+ */
+ options.sock_state_cb = fd_event;
+ options.sock_state_cb_data = ctx;
+ options.timeout = RESOLV_TIMEOUTMS;
+ /* Only affects ares_gethostbyname */
+ options.lookups = discard_const("f");
+ options.tries = 1;
+ ret = ares_init_options(&new_channel, &options,
+ ARES_OPT_SOCK_STATE_CB |
+ ARES_OPT_TIMEOUTMS |
+ ARES_OPT_LOOKUPS |
+ ARES_OPT_TRIES);
+ if (ret != ARES_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize ares channel: %s\n",
+ resolv_strerror(ret));
+ return return_code(ret);
+ }
+
+ old_channel = ctx->channel;
+ ctx->channel = new_channel;
+ if (old_channel != NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "Destroying the old c-ares channel\n");
+ ares_destroy(old_channel);
+ }
+
+ return EOK;
+}
+
+int
+resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
+ int timeout, struct resolv_ctx **ctxp)
+{
+ int ret;
+ struct resolv_ctx *ctx;
+
+ if (timeout < 1) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The timeout is too short, DNS operations are going to fail. "
+ "This is a bug outside unit tests\n");
+ }
+
+ ctx = talloc_zero(mem_ctx, struct resolv_ctx);
+ if (ctx == NULL)
+ return ENOMEM;
+
+ ctx->ev_ctx = ev_ctx;
+ ctx->timeout = timeout;
+
+ ret = recreate_ares_channel(ctx);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ talloc_set_destructor(ctx, resolv_ctx_destructor);
+
+ *ctxp = ctx;
+ return EOK;
+
+done:
+ talloc_free(ctx);
+ return ret;
+}
+
+void
+resolv_reread_configuration(struct resolv_ctx *ctx)
+{
+ recreate_ares_channel(ctx);
+}
+
+static errno_t
+resolv_copy_in_addr(TALLOC_CTX *mem_ctx, struct resolv_addr *ret,
+ struct ares_addrttl *attl)
+{
+ ret->ipaddr = talloc_array(mem_ctx, uint8_t, sizeof(struct in_addr));
+ if (!ret->ipaddr) return ENOMEM;
+
+ memcpy(ret->ipaddr, &attl->ipaddr, sizeof(struct in_addr));
+ ret->ttl = attl->ttl;
+
+ return EOK;
+}
+
+static errno_t
+resolv_copy_in6_addr(TALLOC_CTX *mem_ctx, struct resolv_addr *ret,
+ struct ares_addr6ttl *a6ttl)
+{
+ ret->ipaddr = talloc_array(mem_ctx, uint8_t, sizeof(struct in6_addr));
+ if (!ret->ipaddr) return ENOMEM;
+
+ memcpy(ret->ipaddr, &a6ttl->ip6addr, sizeof(struct in6_addr));
+ ret->ttl = a6ttl->ttl;
+
+ return EOK;
+}
+
+static struct resolv_hostent *
+resolv_copy_hostent_common(TALLOC_CTX *mem_ctx, struct hostent *src)
+{
+ struct resolv_hostent *ret;
+ int len;
+ int i;
+
+ ret = talloc_zero(mem_ctx, struct resolv_hostent);
+ if (ret == NULL) {
+ return NULL;
+ }
+
+ if (src->h_name != NULL) {
+ ret->name = talloc_strdup(ret, src->h_name);
+ if (ret->name == NULL) {
+ goto fail;
+ }
+ }
+ if (src->h_aliases != NULL) {
+ for (len = 0; src->h_aliases[len] != NULL; len++);
+
+ ret->aliases = talloc_array(ret, char *, len + 1);
+ if (ret->aliases == NULL) {
+ goto fail;
+ }
+
+ for (i = 0; i < len; i++) {
+ ret->aliases[i] = talloc_strdup(ret->aliases, src->h_aliases[i]);
+ if (ret->aliases[i] == NULL) {
+ goto fail;
+ }
+ }
+ ret->aliases[len] = NULL;
+ }
+
+ ret->family = src->h_addrtype;
+ return ret;
+
+fail:
+ talloc_free(ret);
+ return
NULL;
+}
+
+struct resolv_hostent *
+resolv_copy_hostent(TALLOC_CTX *mem_ctx, struct hostent *src)
+{
+ struct resolv_hostent *ret;
+ int len;
+ int i;
+
+ ret = resolv_copy_hostent_common(mem_ctx, src);
+ if (ret == NULL) {
+ return NULL;
+ }
+
+ if (src->h_addr_list != NULL) {
+ for (len = 0; src->h_addr_list[len] != NULL; len++);
+
+ ret->addr_list = talloc_array(ret, struct resolv_addr *, len + 1);
+ if (ret->addr_list == NULL) {
+ goto fail;
+ }
+
+ for (i = 0; i < len; i++) {
+ ret->addr_list[i] = talloc_zero(ret->addr_list,
+ struct resolv_addr);
+ if (ret->addr_list[i] == NULL) {
+ goto fail;
+ }
+
+ ret->addr_list[i]->ipaddr = talloc_memdup(ret->addr_list[i],
+ src->h_addr_list[i],
+ src->h_length);
+ if (ret->addr_list[i]->ipaddr == NULL) {
+ goto fail;
+ }
+ ret->addr_list[i]->ttl = RESOLV_DEFAULT_TTL;
+ }
+ ret->addr_list[len] = NULL;
+ }
+ return ret;
+
+fail:
+ talloc_free(ret);
+ return NULL;
+}
+
+struct resolv_hostent *
+resolv_copy_hostent_ares(TALLOC_CTX *mem_ctx, struct hostent *src,
+ int family, void *ares_ttl_data,
+ int num_ares_ttl_data)
+{
+ struct resolv_hostent *ret;
+ errno_t cret;
+ int i;
+
+ ret = resolv_copy_hostent_common(mem_ctx, src);
+ if (ret == NULL) {
+ return NULL;
+ }
+
+ if (num_ares_ttl_data > 0) {
+ ret->addr_list = talloc_array(ret, struct resolv_addr *,
+ num_ares_ttl_data + 1);
+ if (ret->addr_list == NULL) {
+ goto fail;
+ }
+
+ for (i = 0; i < num_ares_ttl_data; i++) {
+ ret->addr_list[i] = talloc_zero(ret->addr_list,
+ struct resolv_addr);
+ if (ret->addr_list[i] == NULL) {
+ goto fail;
+ }
+
+ switch (family) {
+ case AF_INET:
+ cret = resolv_copy_in_addr(ret->addr_list, ret->addr_list[i],
+ &((struct ares_addrttl *) ares_ttl_data)[i]);
+ break;
+ case AF_INET6:
+ cret = resolv_copy_in6_addr(ret->addr_list, ret->addr_list[i],
+ &((struct ares_addr6ttl *) ares_ttl_data)[i]);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown address family %d\n", family);
+ goto fail;
+ }
+
+ if (cret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not copy address\n");
+ goto fail;
+ }
+ }
+ ret->addr_list[num_ares_ttl_data] = NULL;
+ }
+
+ ret->family = family;
+ return ret;
+
+fail:
+ talloc_free(ret);
+ return NULL;
+}
+
+/* =================== Resolve host name in files =========================*/
+struct gethostbyname_files_state {
+ struct resolv_ctx *resolv_ctx;
+
+ /* Part of the query. */
+ const char *name;
+ int family;
+
+ /* query result */
+ struct resolv_hostent *rhostent;
+
+ /* returned by ares. */
+ int status;
+};
+
+/* Fake up an async interface even though files would
+ * always be blocking */
+static struct tevent_req *
+resolv_gethostbyname_files_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *ctx,
+ const char *name,
+ int family)
+{
+ struct tevent_req *req;
+ struct gethostbyname_files_state *state;
+ struct hostent *hostent = NULL;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct gethostbyname_files_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->resolv_ctx = ctx;
+ state->name = name;
+ state->rhostent = NULL;
+ state->family = family;
+
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Trying to resolve %s record of '%s' in files\n",
+ state->family == AF_INET ? "A" : "AAAA", state->name);
+
+ state->status = ares_gethostbyname_file(state->resolv_ctx->channel,
+ state->name, state->family,
+ &hostent);
+
+ if (state->status == ARES_SUCCESS) {
+ state->rhostent = resolv_copy_hostent(state, hostent);
+ if (state->rhostent == NULL) {
+ tevent_req_error(req, ENOMEM);
+ goto done;
+ }
+ } else if (state->status == ARES_ENOTFOUND ||
+ state->status == ARES_ENODATA) {
+ /* Just say we didn't find anything and let the caller decide
+ * about retrying */
+ tevent_req_error(req, ENOENT);
+ goto done;
+ } else {
+ tevent_req_error(req, return_code(state->status));
+ goto done;
+ }
+
+ tevent_req_done(req);
+done:
+ if (hostent) ares_free_hostent(hostent);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t
+resolv_gethostbyname_files_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ int *status, struct resolv_hostent **rhostent)
+{
+ struct gethostbyname_files_state *state = tevent_req_data(req,
+ struct gethostbyname_files_state);
+
+ /* Fill in even in case of error as status contains the
+ * c-ares return code */
+ if (status) {
+ *status = state->status;
+ }
+ if (rhostent) {
+ *rhostent = talloc_steal(mem_ctx, state->rhostent);
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+/* ==================== Resolve host name in DNS =========================*/
+struct gethostbyname_dns_state {
+ struct resolv_ctx *resolv_ctx;
+ struct tevent_context *ev;
+
+ /* Part of the query. */
+ const char *name;
+ int family;
+
+ /* query result */
+ struct resolv_hostent *rhostent;
+
+ /* These are returned by ares.
*/
+ int status;
+ int timeouts;
+ int retrying;
+};
+
+static void
+resolv_gethostbyname_dns_wakeup(struct tevent_req *subreq);
+static void
+resolv_gethostbyname_dns_query(struct tevent_req *req,
+ struct gethostbyname_dns_state *state);
+static void
+resolv_gethostbyname_dns_query_done(void *arg, int status, int timeouts,
+ unsigned char *abuf, int alen);
+static int
+resolv_gethostbyname_dns_parse(struct gethostbyname_dns_state *state,
+ int status, unsigned char *abuf, int alen);
+
+static struct tevent_req *
+resolv_gethostbyname_dns_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct resolv_ctx *ctx, const char *name,
+ int family)
+{
+ struct tevent_req *req, *subreq;
+ struct gethostbyname_dns_state *state;
+ struct timeval tv = { 0, 0 };
+
+ if (ctx->channel == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid ares channel - this is likely a bug\n");
+ return NULL;
+ }
+
+ req = tevent_req_create(mem_ctx, &state, struct gethostbyname_dns_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->resolv_ctx = ctx;
+ state->ev = ev;
+ state->name = name;
+ state->rhostent = NULL;
+ state->status = 0;
+ state->timeouts = 0;
+ state->retrying = 0;
+ state->family = family;
+
+ /* We need to have a wrapper around ares async calls, because
+ * they can in some cases call it's callback immediately.
+ * This would not let our caller to set a callback for req.
*/
+ subreq = tevent_wakeup_send(req, ev, tv);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to add critical timer to run next operation!\n");
+ talloc_zfree(req);
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, resolv_gethostbyname_dns_wakeup, req);
+
+ return req;
+}
+
+static void
+resolv_gethostbyname_dns_wakeup(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct gethostbyname_dns_state *state = tevent_req_data(req,
+ struct gethostbyname_dns_state);
+
+ if (!tevent_wakeup_recv(subreq)) {
+ tevent_req_error(req, EIO);
+ return;
+ }
+ talloc_zfree(subreq);
+
+ if (state->resolv_ctx->channel == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid ares channel - this is likely a bug\n");
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ resolv_gethostbyname_dns_query(req, state);
+}
+
+static void
+resolv_gethostbyname_dns_query(struct tevent_req *req,
+ struct gethostbyname_dns_state *state)
+{
+ struct resolv_request *rreq;
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "Trying to resolve %s record of '%s' in DNS\n",
+ state->family == AF_INET ? "A" : "AAAA", state->name);
+
+ rreq = schedule_timeout_watcher(state->ev, state->resolv_ctx, req);
+ if (!rreq) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ ares_search(state->resolv_ctx->channel,
+ state->name, ns_c_in,
+ (state->family == AF_INET) ? ns_t_a : ns_t_aaaa,
+ resolv_gethostbyname_dns_query_done, rreq);
+}
+
+static void
+resolv_gethostbyname_dns_query_done(void *arg, int status, int timeouts,
+ unsigned char *abuf, int alen)
+{
+ errno_t ret;
+ struct gethostbyname_dns_state *state;
+ struct resolv_request *rreq = talloc_get_type(arg, struct resolv_request);
+ struct tevent_req *req;
+
+
+ if (rreq->rwatch == NULL) {
+ /* The tevent request was cancelled while the ares call was still in
+ * progress so nobody cares about the result now. Quit.
*/
+ unschedule_timeout_watcher(rreq->ctx, rreq);
+ return;
+ }
+
+ req = rreq->rwatch->req;
+ unschedule_timeout_watcher(rreq->ctx, rreq);
+
+ state = tevent_req_data(req, struct gethostbyname_dns_state);
+
+ state->status = status;
+ state->timeouts = timeouts;
+
+ /* If resolv.conf changed during processing of a request we might
+ * destroy the old channel before the request has a chance to finish.
+ * We must resend the request in this case */
+ if (state->retrying == 0 && status == ARES_EDESTRUCTION
+ && state->resolv_ctx->channel != NULL) {
+ state->retrying = 1;
+ resolv_gethostbyname_dns_query(req, state);
+ return;
+ }
+
+ if (status == ARES_ENOTFOUND || status == ARES_ENODATA) {
+ /* Just say we didn't find anything and let the caller decide
+ * about retrying */
+ tevent_req_error(req, ENOENT);
+ return;
+ }
+
+ if (status != ARES_SUCCESS) {
+ /* Any other error indicates a server error,
+ * so don't bother trying again
+ */
+ tevent_req_error(req, return_code(status));
+ return;
+ }
+
+ ret = resolv_gethostbyname_dns_parse(state, status, abuf, alen);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static int
+resolv_gethostbyname_dns_parse(struct gethostbyname_dns_state *state,
+ int status, unsigned char *abuf, int alen)
+{
+ struct hostent *hostent;
+ int naddrttls;
+ errno_t ret;
+ void *addr = NULL;
+
+ naddrttls = DNS_HEADER_ANCOUNT(abuf);
+
+ switch (state->family) {
+ case AF_INET:
+ DEBUG(SSSDBG_TRACE_LIBS, "Parsing an A reply\n");
+
+ addr = talloc_array(state, struct ares_addrttl, naddrttls);
+ if (!addr) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ status = ares_parse_a_reply(abuf, alen, &hostent,
+ (struct ares_addrttl *) addr,
+ &naddrttls);
+ break;
+ case AF_INET6:
+ DEBUG(SSSDBG_TRACE_LIBS, "Parsing an AAAA reply\n");
+
+ addr = talloc_array(state, struct ares_addr6ttl, naddrttls);
+ if (!addr) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ status = ares_parse_aaaa_reply(abuf, alen, &hostent,
+ (struct
ares_addr6ttl *) addr,
+ &naddrttls);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown family %d\n", state->family);
+ ret = EAFNOSUPPORT;
+ goto fail;
+ }
+
+ if (hostent != NULL) {
+ state->rhostent = resolv_copy_hostent_ares(state, hostent,
+ state->family,
+ addr, naddrttls);
+ ares_free_hostent(hostent);
+ if (state->rhostent == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ /* The address list is NULL. This is probably a bug in
+ * c-ares, but we need to handle it gracefully.
+ */
+ if (state->rhostent->addr_list == NULL) {
+ talloc_zfree(state->rhostent);
+ return ENOENT;
+ }
+ }
+
+ talloc_free(addr);
+ return return_code(status);
+
+fail:
+ talloc_free(addr);
+ return ret;
+}
+
+static int
+resolv_gethostbyname_dns_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ int *status, int *timeouts,
+ struct resolv_hostent **rhostent)
+{
+ struct gethostbyname_dns_state *state = tevent_req_data(req,
+ struct gethostbyname_dns_state);
+
+ /* Fill in even in case of error as status contains the
+ * c-ares return code */
+ if (status) {
+ *status = state->status;
+ }
+ if (timeouts) {
+ *timeouts = state->timeouts;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (rhostent) {
+ *rhostent = talloc_steal(mem_ctx, state->rhostent);
+ }
+
+ return EOK;
+}
+
+/*******************************************************************
+ * Get host by name. *
+ *******************************************************************/
+
+struct gethostbyname_state {
+ struct resolv_ctx *resolv_ctx;
+ struct tevent_context *ev;
+
+ /* Part of the query. */
+ const char *name;
+ int family;
+
+ /* In which order to use IPv4, or v6 */
+ enum restrict_family family_order;
+
+ /* Known hosts databases and index to the current one */
+ enum host_database *db;
+ int dbi;
+
+ /* These are returned by ares. The hostent struct will be freed
+ * when the user callback returns.
*/
+ struct resolv_hostent *rhostent;
+ int status;
+ int timeouts;
+ int retrying;
+};
+
+static errno_t
+resolv_gethostbyname_address(TALLOC_CTX *mem_ctx, const char *address,
+ struct resolv_hostent **_rhostent);
+static inline int
+resolv_gethostbyname_family_init(enum restrict_family family_order);
+static errno_t
+resolv_gethostbyname_step(struct tevent_req *req);
+
+struct tevent_req *
+resolv_gethostbyname_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
+ struct resolv_ctx *ctx, const char *name,
+ enum restrict_family family_order,
+ enum host_database *db)
+{
+ struct tevent_req *req;
+ struct gethostbyname_state *state;
+ errno_t ret;
+
+ if (ctx->channel == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Invalid ares channel - this is likely a bug\n");
+ return NULL;
+ }
+
+ req = tevent_req_create(mem_ctx, &state, struct gethostbyname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ state->resolv_ctx = ctx;
+ state->ev = ev;
+ state->name = talloc_strdup(state, name);
+ if (state->name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+ goto fail;
+ }
+
+ state->rhostent = NULL;
+ state->status = 0;
+ state->timeouts = 0;
+ state->retrying = 0;
+ state->family_order = family_order;
+ state->family = resolv_gethostbyname_family_init(state->family_order);
+ state->db = db;
+ state->dbi = 0;
+
+ /* Do not attempt to resolve IP addresses */
+ if (resolv_is_address(state->name)) {
+ ret = resolv_gethostbyname_address(state, state->name,
+ &state->rhostent);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot create a fake hostent structure\n");
+ goto fail;
+ }
+
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ return req;
+ }
+
+ ret = resolv_gethostbyname_step(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot start the resolving\n");
+ goto fail;
+ }
+
+ return req;
+
+fail:
+ talloc_zfree(req);
+ return NULL;
+}
+
+bool
+resolv_is_address(const char *name)
+{
+ struct addrinfo hints;
+ struct addrinfo *res =
NULL;
+ int ret;
+
+ memset((void *) &hints, 0, sizeof(struct addrinfo));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_flags = AI_NUMERICHOST; /* No network lookups */
+
+ ret = getaddrinfo(name, NULL, &hints, &res);
+ if (ret != 0) {
+ if (ret == -2) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "[%s] does not look like an IP address\n", name);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "getaddrinfo failed [%d]: %s\n",
+ ret, gai_strerror(ret));
+ }
+ } else { /* ret == 0 */
+ freeaddrinfo(res);
+ }
+
+ return ret == 0;
+}
+
+static errno_t
+resolv_gethostbyname_address(TALLOC_CTX *mem_ctx, const char *address,
+ struct resolv_hostent **_rhostent)
+{
+ struct resolv_hostent *rhostent;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ int family;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ rhostent = talloc_zero(tmp_ctx, struct resolv_hostent);
+ if (!rhostent) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ rhostent->name = talloc_strdup(rhostent, address);
+ rhostent->addr_list = talloc_array(rhostent, struct resolv_addr *, 2);
+
+ if (!rhostent->name ||
+ !rhostent->addr_list) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ rhostent->addr_list[0] = talloc_zero(rhostent->addr_list,
+ struct resolv_addr);
+ if (!rhostent->addr_list[0]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ rhostent->addr_list[0]->ipaddr = talloc_array(rhostent->addr_list[0],
+ uint8_t,
+ sizeof(struct in6_addr));
+ if (!rhostent->addr_list[0]->ipaddr) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ family = AF_INET;
+ ret = inet_pton(family, address,
+ rhostent->addr_list[0]->ipaddr);
+ if (ret != 1) {
+ family = AF_INET6;
+ ret = inet_pton(family, address,
+ rhostent->addr_list[0]->ipaddr);
+ if (ret != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not parse address as neither v4 nor v6\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ rhostent->addr_list[0]->ttl = RESOLV_DEFAULT_TTL;
+ rhostent->addr_list[1] = NULL;
+ rhostent->family = family;
+ rhostent->aliases = NULL;
+
+ *_rhostent = talloc_move(mem_ctx, &rhostent);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static inline int
+resolv_gethostbyname_family_init(enum restrict_family family_order)
+{
+ switch(family_order) {
+ case IPV4_ONLY:
+ case IPV4_FIRST:
+ return AF_INET;
+ case IPV6_ONLY:
+ case IPV6_FIRST:
+ return AF_INET6;
+ }
+
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unknown address family order %d\n", family_order);
+ return -1;
+}
+
+static int
+resolv_gethostbyname_next(struct gethostbyname_state *state)
+{
+ if (state->family_order == IPV4_FIRST &&
+ state->family == AF_INET) {
+ state->family = AF_INET6;
+ return EOK;
+ } else if (state->family_order == IPV6_FIRST &&
+ state->family == AF_INET6) {
+ state->family = AF_INET;
+ return EOK;
+ } else {
+ /* No more address families for this DB, check if
+ * there is another DB to try */
+ DEBUG(SSSDBG_FUNC_DATA, "No more address families to retry\n");
+ state->dbi++;
+ if (state->db[state->dbi] != DB_SENTINEL) {
+ state->family = resolv_gethostbyname_family_init(
+ state->family_order);
+ return EOK;
+ }
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "No more hosts databases to retry\n");
+ return ENOENT;
+}
+
+static void
+resolv_gethostbyname_done(struct tevent_req *subreq);
+
+static errno_t
+resolv_gethostbyname_step(struct tevent_req *req)
+{
+ struct gethostbyname_state *state = tevent_req_data(req,
+ struct gethostbyname_state);
+ struct tevent_req *subreq;
+
+ switch(state->db[state->dbi]) {
+ case DB_FILES:
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Querying files\n");
+ subreq = resolv_gethostbyname_files_send(state, state->ev,
+ state->resolv_ctx,
+ state->name,
+ state->family);
+ break;
+ case DB_DNS:
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Querying DNS\n");
+ subreq = resolv_gethostbyname_dns_send(state, state->ev,
+ state->resolv_ctx,
+ state->name,
+ state->family);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid hosts database\n");
+ return EINVAL;
+ }
+
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, resolv_gethostbyname_done, req);
+ return
EOK;
+}
+
+static void
+resolv_gethostbyname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct gethostbyname_state *state = tevent_req_data(req,
+ struct gethostbyname_state);
+ errno_t ret;
+
+ switch(state->db[state->dbi]) {
+ case DB_FILES:
+ ret = resolv_gethostbyname_files_recv(subreq, state,
+ &state->status,
+ &state->rhostent);
+ /* files is synchronous, there can be no timeouts */
+ state->timeouts = 0;
+ break;
+ case DB_DNS:
+ ret = resolv_gethostbyname_dns_recv(subreq, state,
+ &state->status, &state->timeouts,
+ &state->rhostent);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid hosts database\n");
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ talloc_zfree(subreq);
+
+ if (ret == ENOENT) {
+ ret = resolv_gethostbyname_next(state);
+ if (ret == EOK) {
+ ret = resolv_gethostbyname_step(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ }
+ return;
+ }
+
+ /* No more databases and/or address families */
+ tevent_req_error(req, ENOENT);
+ return;
+ } else if (ret == ETIMEDOUT) {
+ /* In case we killed the request before c-ares answered */
+ state->status = ARES_ETIMEOUT;
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "querying hosts database failed [%d]: %s\n",
+ ret, strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+int
+resolv_gethostbyname_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ int *status, int *timeouts,
+ struct resolv_hostent **rhostent)
+{
+ struct gethostbyname_state *state = tevent_req_data(req, struct gethostbyname_state);
+
+ /* Fill in even in case of error as status contains the
+ * c-ares return code */
+ if (status) {
+ *status = state->status;
+ }
+ if (timeouts) {
+ *timeouts = state->timeouts;
+ }
+ if (rhostent) {
+ *rhostent = talloc_steal(mem_ctx, state->rhostent);
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+char *
+resolv_get_string_address_index(TALLOC_CTX
*mem_ctx, + struct resolv_hostent *hostent, + unsigned int addrindex) +{ + char *address; + + if (!hostent) return NULL; + + address = talloc_zero_size(mem_ctx, 128); + if (address == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return NULL; + } + + errno = 0; + if (inet_ntop(hostent->family, hostent->addr_list[addrindex]->ipaddr, + address, 128) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "inet_ntop failed [%d][%s].\n", errno, strerror(errno)); + talloc_free(address); + return NULL; + } + + return address; +} + +char * +resolv_get_string_ptr_address(TALLOC_CTX *mem_ctx, + int family, uint8_t *address) +{ + char *straddr; + + if (family == AF_INET6) { + int i; + char hexbyte[3]; + + straddr = talloc_strdup(mem_ctx, "\0"); + if (!straddr) { + return NULL; + } + + for (i = 15; i >= 0; i--) { + snprintf(hexbyte, 3, "%02x", address[i]); + straddr = talloc_asprintf_append(straddr, "%c.%c.", + hexbyte[1], hexbyte[0]); + } + straddr = talloc_asprintf_append(straddr, "ip6.arpa."); + } else if (family == AF_INET) { + straddr = talloc_asprintf(mem_ctx, + "%u.%u.%u.%u.in-addr.arpa.", + (address[3]), + (address[2]), + (address[1]), + (address[0])); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown address family\n"); + return NULL; + } + + return straddr; +} + +struct sockaddr_storage * +resolv_get_sockaddr_address_index(TALLOC_CTX *mem_ctx, + struct resolv_hostent *hostent, + int port, int addrindex) +{ + struct sockaddr_storage *sockaddr; + + if (!hostent) return NULL; + + sockaddr = talloc_zero(mem_ctx, struct sockaddr_storage); + if (sockaddr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + return NULL; + } + + switch(hostent->family) { + case AF_INET: + sockaddr->ss_family = AF_INET; + memcpy(&((struct sockaddr_in *) sockaddr)->sin_addr, + hostent->addr_list[addrindex]->ipaddr, + sizeof(struct in_addr)); + ((struct sockaddr_in *) sockaddr)->sin_port = (in_port_t) htons(port); + + break; + case AF_INET6: + sockaddr->ss_family = AF_INET6; 
+ memcpy(&((struct sockaddr_in6 *) sockaddr)->sin6_addr, + hostent->addr_list[addrindex]->ipaddr, + sizeof(struct in6_addr)); + ((struct sockaddr_in6 *) sockaddr)->sin6_port = (in_port_t) htons(port); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Unknown address family %d\n", hostent->family); + return NULL; + } + + return sockaddr; +} + +/* + * A simple helper function that will take an array of struct ares_srv_reply that + * was allocated by malloc() in c-ares and copies it using talloc. The old one + * is freed and the talloc one is put into 'reply_list' instead. + */ +static int +rewrite_talloc_srv_reply(TALLOC_CTX *mem_ctx, struct ares_srv_reply **reply_list) +{ + struct ares_srv_reply *ptr = NULL; + struct ares_srv_reply *new_list = NULL; + struct ares_srv_reply *old_list = *reply_list; + + /* Nothing to do, but not an error */ + if (!old_list) { + return EOK; + } + + /* Copy the linked list */ + while (old_list) { + /* Special case for the first node */ + if (!new_list) { + new_list = talloc_zero(mem_ctx, struct ares_srv_reply); + if (new_list == NULL) { + ares_free_data(*reply_list); + return ENOMEM; + } + ptr = new_list; + } else { + ptr->next = talloc_zero(new_list, struct ares_srv_reply); + if (ptr->next == NULL) { + ares_free_data(*reply_list); + talloc_free(new_list); + return ENOMEM; + } + ptr = ptr->next; + } + + ptr->weight = old_list->weight; + ptr->priority = old_list->priority; + ptr->port = old_list->port; + ptr->host = talloc_strdup(ptr, old_list->host); + if (ptr->host == NULL) { + ares_free_data(*reply_list); + talloc_free(new_list); + return ENOMEM; + } + + old_list = old_list->next; + } + + /* Free the old one (uses malloc). */ + ares_free_data(*reply_list); + + /* And now put our own new_list in place. 
*/ + *reply_list = new_list; + + return EOK; +} + +/******************************************************************* + * Get SRV record * + *******************************************************************/ + +struct getsrv_state { + struct tevent_context *ev; + struct resolv_ctx *resolv_ctx; + /* the SRV query - for example _ldap._tcp.example.com */ + const char *query; + + /* parsed data returned by ares */ + struct ares_srv_reply *reply_list; + uint32_t ttl; + int status; + int timeouts; + int retrying; +}; + +static void +ares_getsrv_wakeup(struct tevent_req *subreq); +static void +resolv_getsrv_query(struct tevent_req *req, + struct getsrv_state *state); + +struct tevent_req * +resolv_getsrv_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct resolv_ctx *ctx, const char *query) +{ + struct tevent_req *req, *subreq; + struct getsrv_state *state; + struct timeval tv = { 0, 0 }; + + DEBUG(SSSDBG_CONF_SETTINGS, + "Trying to resolve SRV record of '%s'\n", query); + + if (ctx->channel == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid ares channel - this is likely a bug\n"); + return NULL; + } + + req = tevent_req_create(mem_ctx, &state, struct getsrv_state); + if (req == NULL) + return NULL; + + state->resolv_ctx = ctx; + state->query = query; + state->reply_list = NULL; + state->ttl = 0; + state->status = 0; + state->timeouts = 0; + state->retrying = 0; + state->ev = ev; + + subreq = tevent_wakeup_send(req, ev, tv); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add critical timer to run next operation!\n"); + talloc_zfree(req); + return NULL; + } + tevent_req_set_callback(subreq, ares_getsrv_wakeup, req); + + return req; +} + +/* + * Implemented based on http://tools.ietf.org/html/rfc2181#section-5 + * + * Especially: + * 5.2. TTLs of RRs in an RRSet + * Consequently the use of differing TTLs in an RRSet is hereby + * deprecated, the TTLs of all RRs in an RRSet must be the same. + * ... 
+ * Should an authoritative source send such a malformed RRSet, the + * client should treat the RRs for all purposes as if all TTLs in the + * RRSet had been set to the value of the lowest TTL in the RRSet. + * + * On success, returns true and sets the TTL in the _ttl parameter. On + * failure, returns false and _ttl is undefined. + */ +static bool +resolv_get_ttl(const unsigned char *abuf, const int alen, uint32_t *_ttl) +{ + const unsigned char *aptr; + int ret; + char *name = NULL; + long len; + uint32_t ttl = 0; + uint32_t rr_ttl; + unsigned int rr_len; + unsigned int ancount; + unsigned int i; + + /* Read the number of RRs and then skip past the header */ + if (alen < NS_HFIXEDSZ) { + return false; + } + + ancount = DNS_HEADER_ANCOUNT(abuf); + if (ancount == 0) { + return false; + } + + aptr = abuf + NS_HFIXEDSZ; + + /* We only care about len from the question data, + * so that we can move past hostname */ + ret = ares_expand_name(aptr, abuf, alen, &name, &len); + ares_free_string(name); + if (ret != ARES_SUCCESS) { + return false; + } + + /* Skip past the question */ + aptr += len + NS_QFIXEDSZ; + if (aptr > abuf + alen) { + return false; + } + + /* Examine each RR in turn and read the lowest TTL */ + for (i = 0; i < ancount; i++) { + /* Decode the RR up to the data field. 
*/ + ret = ares_expand_name(aptr, abuf, alen, &name, &len); + ares_free_string(name); + if (ret != ARES_SUCCESS) { + return false; + } + + aptr += len; + if (aptr + NS_RRFIXEDSZ > abuf + alen) { + return false; + } + + rr_len = DNS_RR_LEN(aptr); + rr_ttl = DNS_RR_TTL(aptr); + if (aptr + rr_len > abuf + alen) { + return false; + } + aptr += NS_RRFIXEDSZ + rr_len; + + if (ttl > 0) { + ttl = MIN(ttl, rr_ttl); + } else { + ttl = rr_ttl; /* special-case for first TTL */ + } + } + + *_ttl = ttl; + return true; +} + +static void +resolv_getsrv_done(void *arg, int status, int timeouts, unsigned char *abuf, int alen) +{ + struct resolv_request *rreq = talloc_get_type(arg, struct resolv_request); + struct tevent_req *req; + struct getsrv_state *state; + int ret; + bool ok; + struct ares_srv_reply *reply_list; + + if (rreq->rwatch == NULL) { + /* The tevent request was cancelled while the ares call was still in + * progress so nobody cares about the result now. Quit. */ + unschedule_timeout_watcher(rreq->ctx, rreq); + return; + } + + req = rreq->rwatch->req; + unschedule_timeout_watcher(rreq->ctx, rreq); + state = tevent_req_data(req, struct getsrv_state); + + if (state->retrying == 0 && status == ARES_EDESTRUCTION + && state->resolv_ctx->channel != NULL) { + state->retrying = 1; + resolv_getsrv_query(req, state); + return; + } + + state->status = status; + state->timeouts = timeouts; + + if (status != ARES_SUCCESS) { + ret = return_code(status); + goto fail; + } + + ret = ares_parse_srv_reply(abuf, alen, &reply_list); + if (ret != ARES_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, + "SRV record parsing failed: %d: %s\n", ret, ares_strerror(ret)); + ret = return_code(ret); + goto fail; + } + ret = rewrite_talloc_srv_reply(req, &reply_list); + if (ret != EOK) { + goto fail; + } + state->reply_list = reply_list; + ok = resolv_get_ttl(abuf, alen, &state->ttl); + if (ok == false) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not read TTL, using the default..\n"); + state->ttl = 
RESOLV_DEFAULT_SRV_TTL; + } + DEBUG(SSSDBG_TRACE_LIBS, "Using TTL [%"PRIu32"]\n", state->ttl); + + tevent_req_done(req); + return; + +fail: + state->reply_list = NULL; + tevent_req_error(req, ret); +} + +int +resolv_getsrv_recv(TALLOC_CTX *mem_ctx, struct tevent_req *req, int *status, + int *timeouts, struct ares_srv_reply **reply_list, + uint32_t *ttl) +{ + struct getsrv_state *state = tevent_req_data(req, struct getsrv_state); + + if (status) + *status = state->status; + if (timeouts) + *timeouts = state->timeouts; + if (reply_list) + *reply_list = talloc_steal(mem_ctx, state->reply_list); + if (ttl) { + *ttl = state->ttl; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static void +ares_getsrv_wakeup(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct getsrv_state *state = tevent_req_data(req, + struct getsrv_state); + + if (!tevent_wakeup_recv(subreq)) { + return; + } + talloc_zfree(subreq); + + if (state->resolv_ctx->channel == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid ares channel - this is likely a bug\n"); + tevent_req_error(req, EIO); + return; + } + + return resolv_getsrv_query(req, state); +} + +static void +resolv_getsrv_query(struct tevent_req *req, + struct getsrv_state *state) +{ + struct resolv_request *rreq; + + rreq = schedule_timeout_watcher(state->ev, state->resolv_ctx, req); + if (!rreq) { + tevent_req_error(req, ENOMEM); + return; + } + + ares_query(state->resolv_ctx->channel, state->query, + ns_c_in, ns_t_srv, resolv_getsrv_done, rreq); +} + +/* TXT parsing is not used anywhere in the code yet, so we disable it + * for now + */ +#ifdef BUILD_TXT + +/* + * A simple helper function that will take an array of struct txt_reply that + * was allocated by malloc() in c-ares and copies it using talloc. The old one + * is freed and the talloc one is put into 'reply_list' instead. 
+ */ +static int +rewrite_talloc_txt_reply(TALLOC_CTX *mem_ctx, struct ares_txt_reply **reply_list) +{ + struct ares_txt_reply *ptr = NULL; + struct ares_txt_reply *new_list = NULL; + struct ares_txt_reply *old_list = *reply_list; + + /* Nothing to do, but not an error */ + if (!old_list) { + return EOK; + } + + /* Copy the linked list */ + while (old_list) { + + /* Special case for the first node */ + if (!new_list) { + new_list = talloc_zero(mem_ctx, struct ares_txt_reply); + if (new_list == NULL) { + ares_free_data(*reply_list); + talloc_free(new_list); + return ENOMEM; + } + ptr = new_list; + } else { + ptr->next = talloc_zero(new_list, struct ares_txt_reply); + if (ptr->next == NULL) { + ares_free_data(*reply_list); + talloc_free(new_list); + return ENOMEM; + } + ptr = ptr->next; + } + + ptr->length = old_list->length; + ptr->txt = talloc_memdup(ptr, old_list->txt, + old_list->length); + if (ptr->txt == NULL) { + ares_free_data(*reply_list); + talloc_free(new_list); + return ENOMEM; + } + + old_list = old_list->next; + } + + ares_free_data(*reply_list); + + /* And now put our own new_list in place. 
*/ + *reply_list = new_list; + + return EOK; +} + +/******************************************************************* + * Get TXT record * + *******************************************************************/ + +struct gettxt_state { + struct tevent_context *ev; + struct resolv_ctx *resolv_ctx; + /* the TXT query */ + const char *query; + + /* parsed data returned by ares */ + struct ares_txt_reply *reply_list; + int status; + int timeouts; + int retrying; +}; + +static void +ares_gettxt_wakeup(struct tevent_req *subreq); +static void +resolv_gettxt_query(struct tevent_req *req, + struct gettxt_state *state); + +struct tevent_req * +resolv_gettxt_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct resolv_ctx *ctx, const char *query) +{ + struct tevent_req *req, *subreq; + struct gettxt_state *state; + struct timeval tv = { 0, 0 }; + + DEBUG(SSSDBG_CONF_SETTINGS, + "Trying to resolve TXT record of '%s'\n", query); + + if (ctx->channel == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid ares channel - this is likely a bug\n"); + return NULL; + } + + req = tevent_req_create(mem_ctx, &state, struct gettxt_state); + if (req == NULL) + return NULL; + + state->resolv_ctx = ctx; + state->query = query; + state->reply_list = NULL; + state->status = 0; + state->timeouts = 0; + state->retrying = 0; + state->ev = ev; + + subreq = tevent_wakeup_send(req, ev, tv); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add critical timer to run next operation!\n"); + talloc_zfree(req); + return NULL; + } + tevent_req_set_callback(subreq, ares_gettxt_wakeup, req); + + return req; +} + +static void +resolv_gettxt_done(void *arg, int status, int timeouts, unsigned char *abuf, int alen) +{ + struct resolv_request *rreq = talloc_get_type(arg, struct resolv_request); + struct tevent_req *req; + struct gettxt_state *state; + int ret; + struct ares_txt_reply *reply_list; + + if (rreq->rwatch == NULL) { + /* The tevent request was cancelled while the ares call was 
still in + * progress so nobody cares about the result now. Quit. */ + unschedule_timeout_watcher(rreq->ctx, rreq); + return; + } + + req = rreq->rwatch->req; + unschedule_timeout_watcher(rreq->ctx, rreq); + state = tevent_req_data(req, struct gettxt_state); + + if (state->retrying == 0 && status == ARES_EDESTRUCTION + && state->resolv_ctx->channel != NULL) { + state->retrying = 1; + ares_query(state->resolv_ctx->channel, state->query, + ns_c_in, ns_t_txt, resolv_gettxt_done, req); + return; + } + + state->status = status; + state->timeouts = timeouts; + + if (status != ARES_SUCCESS) { + ret = return_code(status); + goto fail; + } + + ret = ares_parse_txt_reply(abuf, alen, &reply_list); + if (status != ARES_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, + "TXT record parsing failed: %d: %s\n", ret, ares_strerror(ret)); + ret = return_code(ret); + goto fail; + } + ret = rewrite_talloc_txt_reply(req, &reply_list); + if (ret != EOK) { + goto fail; + } + state->reply_list = reply_list; + + tevent_req_done(req); + return; + +fail: + state->reply_list = NULL; + tevent_req_error(req, ret); +} + +int +resolv_gettxt_recv(TALLOC_CTX *mem_ctx, struct tevent_req *req, int *status, + int *timeouts, struct ares_txt_reply **reply_list) +{ + struct gettxt_state *state = tevent_req_data(req, struct gettxt_state); + + if (status) + *status = state->status; + if (timeouts) + *timeouts = state->timeouts; + if (reply_list) + *reply_list = talloc_steal(mem_ctx, state->reply_list); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static void +ares_gettxt_wakeup(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct gettxt_state *state = tevent_req_data(req, + struct gettxt_state); + + if (!tevent_wakeup_recv(subreq)) { + return; + } + talloc_zfree(subreq); + + if (state->resolv_ctx->channel == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid ares channel - this is likely a bug\n"); + tevent_req_error(req, EIO); + return; + 
} + + return resolv_gettxt_query(req, state); +} + +static void +resolv_gettxt_query(struct tevent_req *req, + struct gettxt_state *state) +{ + struct resolv_request *rreq; + + rreq = schedule_timeout_watcher(state->ev, state->resolv_ctx, req); + if (!rreq) { + tevent_req_error(req, ENOMEM); + return; + } + + ares_query(state->resolv_ctx->channel, state->query, + ns_c_in, ns_t_txt, resolv_gettxt_done, rreq); +} + +#endif + +static struct ares_srv_reply *split_reply_list(struct ares_srv_reply *list) +{ + struct ares_srv_reply *single_step, *double_step, *prev; + + if (!list) { + return NULL; + } + + prev = list; + single_step = list->next; + double_step = single_step->next; + + while (double_step && double_step->next) { + prev = single_step; + single_step = single_step->next; + double_step = double_step->next->next; + } + + prev->next = NULL; + return single_step; +} + +static struct ares_srv_reply *merge_reply_list(struct ares_srv_reply *left, + struct ares_srv_reply *right) +{ + struct ares_srv_reply *l, *r; + struct ares_srv_reply *res, *res_start; + + if (!left) + return right; + if (!right) + return left; + + if (left->priority < right->priority) { + res_start = left; + l = left->next; + r = right; + } else { + res_start = right; + l = left; + r = right->next; + } + + res = res_start; + + while(l && r) { + if (l->priority < r->priority) { + res->next = l; + res = l; + l = l->next; + } else { + res->next = r; + res = r; + r = r->next; + } + } + + res->next = l ? l : r; + + return res_start; +} + +/** + * sort linked list of struct ares_srv_reply by priority using merge sort. + * + * Merge sort is ideal for sorting linked lists as there is no problem + * with absence of random access into the list. 
The complexity is O(n log n) + * + * For reference, see Robert Sedgewick's "Algorithms in C", Addison-Wesley, + * ISBN 0-201-51425 + */ +static struct ares_srv_reply *reply_priority_sort(struct ares_srv_reply *list) +{ + struct ares_srv_reply *half; + + if (!list || !list->next) + return list; + + half = split_reply_list(list); + list = merge_reply_list(reply_priority_sort(list), + reply_priority_sort(half)); + + return list; +} + +static int reply_weight_rearrange(int len, + struct ares_srv_reply **start, + struct ares_srv_reply **end) +{ + int i; + int total, selected; + int *totals; + struct ares_srv_reply *r, *prev, *tmp; + struct ares_srv_reply *new_start = NULL; + struct ares_srv_reply *new_end = NULL; + int ret; + + if (len <= 1) { + return EOK; + } + + totals = talloc_array(NULL, int, len); + if (!totals) { + return ENOMEM; + } + + srand(time(NULL) * getpid()); + + /* promote all servers with weight==0 to the top */ + r = *(start); + prev = NULL; + while (r != NULL) { + if (r->weight == 0 && r != *start) { + /* remove from the old list */ + prev->next = r->next; + + /* add to the head of the new list */ + tmp = r; + r = r->next; + + tmp->next = *start; + *start = tmp; + } else { + prev = r; + r = r->next; + } + } + *end = prev ? prev : *start; + + while (*start != NULL) { + /* Compute the sum of the weights of those RRs, and with each RR + * associate the running sum in the selected order. + */ + total = 0; + memset(totals, -1, sizeof(int) * len); + for (i = 0, r = *start; r != NULL; r=r->next, ++i) { + totals[i] = r->weight + total; + total = totals[i]; + } + + /* choose a uniform random number between 0 and the sum computed + * (inclusive), and select the RR whose running sum value is the + * first in the selected order which is greater than or equal to + * the random number selected. 
+ */ + selected = (int)((total + 1) * (rand()/(RAND_MAX + 1.0))); + for (i = 0, r = *start, prev = NULL; r != NULL; r=r->next, ++i) { + if (totals[i] >= selected) + break; + + prev = r; + } + + if (r == NULL || totals[i] == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: did not select any server!\n"); + ret = EIO; + goto done; + } + + /* remove r from the old list */ + if (prev) { + prev->next = r->next; + } else { + *start = r->next; + } + + /* add r to the end of the new list */ + if (!new_start) { + new_start = r; + new_end = r; + } else { + new_end->next = r; + new_end = r; + } + } + + if (new_end == NULL) { + ret = EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, + "Bug: no new server has been selected!\n"); + goto done; + } + new_end->next = NULL; + + /* return the rearranged list */ + *start = new_start; + *end = new_end; + ret = EOK; + +done: + talloc_free(totals); + return ret; +} + +int +resolv_sort_srv_reply(struct ares_srv_reply **reply) +{ + int ret; + struct ares_srv_reply *pri_start, *pri_end, *next, *prev_end; + int len; + + /* RFC 2782 says: If there is precisely one SRV RR, and its Target is "." + * (the root domain), abort. 
+ */ + if (*reply && !(*reply)->next && strcmp((*reply)->host, ".") == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "DNS returned only the root domain, aborting\n"); + return EIO; + } + + /* sort the list by priority */ + *reply = reply_priority_sort(*reply); + + pri_start = *reply; + prev_end = NULL; + + while (pri_start) { + pri_end = pri_start; + + /* Find nodes with the same priority */ + len = 1; + while (pri_end->next && pri_end->priority == pri_end->next->priority) { + pri_end = pri_end->next; + len++; + } + + /* rearrange each priority level according to the weight field */ + next = pri_end->next; + pri_end->next = NULL; + ret = reply_weight_rearrange(len, &pri_start, &pri_end); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error rearranging priority level [%d]: %s\n", + ret, strerror(ret)); + return ret; + } + + /* Hook the level back into the list */ + if (prev_end) { + prev_end->next = pri_start; + } else { + *reply = pri_start; + } + pri_end->next = next; + + /* Move on to the next level */ + prev_end = pri_end; + pri_start = next; + } + + return EOK; +} + +struct resolv_hostport_list_state { + struct tevent_context *ev; + struct resolv_ctx *ctx; + struct resolv_hostport *hostport_list; + size_t list_size; + size_t limit; + enum restrict_family family_order; + enum host_database *db; + + size_t hpindex; + + struct resolv_hostport_addr **rhp_addrs; + size_t addrindex; +}; + +static errno_t resolv_hostport_list_step(struct tevent_req *req); +static void resolv_hostport_list_resolv_hostname_done(struct tevent_req *subreq); + +struct tevent_req *resolv_hostport_list_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resolv_ctx *ctx, + struct resolv_hostport *hostport_list, + size_t list_size, + size_t limit, + enum restrict_family family_order, + enum host_database *db) +{ + struct resolv_hostport_list_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct resolv_hostport_list_state); + if (req == 
NULL) { + return NULL; + } + state->ev = ev; + state->ctx = ctx; + state->hostport_list = hostport_list; + state->family_order = family_order; + state->db = db; + state->list_size = list_size; + state->limit = limit; + + state->rhp_addrs = talloc_array(state, + struct resolv_hostport_addr *, + state->list_size); + if (state->rhp_addrs == NULL) { + ret = ENOMEM; + goto immediately; + } + + ret = resolv_hostport_list_step(req); + if (ret != EAGAIN) { + goto immediately; + } + + return req; + +immediately: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t resolv_hostport_list_step(struct tevent_req *req) +{ + struct tevent_req *subreq = NULL; + struct resolv_hostport_list_state *state = tevent_req_data(req, + struct resolv_hostport_list_state); + + if (state->hpindex >= state->list_size) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Done\n"); + return EOK; + } + + subreq = resolv_gethostbyname_send(state, + state->ev, + state->ctx, + state->hostport_list[state->hpindex].host, + state->family_order, + state->db); + if (subreq == NULL) { + return ENOMEM; + } + tevent_req_set_callback(subreq, + resolv_hostport_list_resolv_hostname_done, req); + return EAGAIN; +} + +static struct resolv_hostport_addr* +resolv_hostport_addr_new(TALLOC_CTX *mem_ctx, + const char *host, + int port, + struct resolv_hostent *reply) +{ + struct resolv_hostport_addr *rhp_addr; + + rhp_addr = talloc_zero(mem_ctx, struct resolv_hostport_addr); + if (rhp_addr == NULL) { + return NULL; + } + + rhp_addr->origin.host = talloc_strdup(rhp_addr, host); + if (rhp_addr->origin.host == NULL) { + return NULL; + } + + rhp_addr->origin.port = port; + rhp_addr->reply = talloc_steal(rhp_addr, reply); + return rhp_addr; +} + +static void resolv_hostport_list_resolv_hostname_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = + tevent_req_callback_data(subreq, struct tevent_req); + struct 
resolv_hostport_list_state *state = tevent_req_data(req, + struct resolv_hostport_list_state); + struct resolv_hostent *rhostent; + int resolv_status; + + ret = resolv_gethostbyname_recv(subreq, state, &resolv_status, NULL, + &rhostent); + talloc_zfree(subreq); + + if (ret != EOK) { + /* Don't abort the request, just go to the next one */ + DEBUG(SSSDBG_OP_FAILURE, + "Could not resolve address for this machine, error [%d]: %s, " + "resolver returned: [%d]: %s\n", ret, sss_strerror(ret), + resolv_status, resolv_strerror(resolv_status)); + } else { + state->rhp_addrs[state->addrindex] = \ + resolv_hostport_addr_new(state->rhp_addrs, + state->hostport_list[state->hpindex].host, + state->hostport_list[state->hpindex].port, + rhostent); + state->addrindex++; + + if (state->limit > 0 && state->addrindex >= state->limit) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Reached the limit or addresses to resolve\n"); + tevent_req_done(req); + return; + } + } + + state->hpindex++; + + ret = resolv_hostport_list_step(req); + if (ret == EOK) { + tevent_req_done(req); + return; + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + return; + } + /* Next iteration .. */ +} + +int resolv_hostport_list_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *_rhp_len, + struct resolv_hostport_addr ***_rhp_addrs) +{ + struct resolv_hostport_list_state *state = tevent_req_data(req, + struct resolv_hostport_list_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_rhp_len) { + *_rhp_len = state->addrindex; + } + + if (_rhp_addrs) { + *_rhp_addrs = talloc_steal(mem_ctx, state->rhp_addrs); + } + + return EOK; +} diff --git a/src/resolv/async_resolv.h b/src/resolv/async_resolv.h new file mode 100644 index 0000000..90ed037 --- /dev/null +++ b/src/resolv/async_resolv.h 
@@ -0,0 +1,224 @@
+/*
+ SSSD
+
+ Async resolver header
+
+ Authors:
+ Martin Nagy
+ Jakub Hrozek
+
+ Copyright (C) Red Hat, Inc 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __ASYNC_RESOLV_H__
+#define __ASYNC_RESOLV_H__
+
+#include
+#include
+
+#include "config.h"
+#include "confdb/confdb.h"
+
+#ifndef RESOLV_DEFAULT_TTL
+#define RESOLV_DEFAULT_TTL 7200
+#endif /* RESOLV_DEFAULT_TTL */
+
+#ifndef RESOLV_DEFAULT_SRV_TTL
+#define RESOLV_DEFAULT_SRV_TTL 14400
+#endif /* RESOLV_DEFAULT_SRV_TTL */
+
+#include "util/util.h"
+
+/*
+ * An opaque structure which holds context for a module using the async
+ * resolver. Is should be used as a "local-global" variable - in sssd,
+ * every backend should have its own.
+
+ * Do NOT free the context until there are any pending resolv_ calls
+ */
+struct resolv_ctx;
+
+int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx,
+ int timeout, struct resolv_ctx **ctxp);
+
+void resolv_reread_configuration(struct resolv_ctx *ctx);
+
+const char *resolv_strerror(int ares_code);
+
+struct resolv_hostent *
+resolv_copy_hostent(TALLOC_CTX *mem_ctx, struct hostent *src);
+
+struct resolv_hostent *
+resolv_copy_hostent_ares(TALLOC_CTX *mem_ctx, struct hostent *src,
+ int family, void *ares_ttl_data,
+ int num_ares_ttl_data);
+
+/** Get host by name **/
+enum host_database {
+ DB_FILES,
+ DB_DNS,
+
+ DB_SENTINEL
+};
+
+enum restrict_family {
+ IPV4_ONLY,
+ IPV4_FIRST,
+ IPV6_ONLY,
+ IPV6_FIRST
+};
+
+/* If resolv_hostent->family is AF_INET, then ipaddr points to
+ * struct in_addr, else if family is AF_INET6, ipaddr points to
+ * struct in6_addr
+ */
+struct resolv_addr {
+ uint8_t *ipaddr;
+ int ttl;
+};
+
+struct resolv_hostent {
+ char *name; /* official name of host */
+ char **aliases; /* alias list */
+ int family; /* host address type */
+
+ struct resolv_addr **addr_list; /* list of addresses */
+};
+
+/* The default database order */
+extern enum host_database default_host_dbs[];
+
+struct tevent_req *resolv_gethostbyname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *ctx,
+ const char *name,
+ enum restrict_family family_order,
+ enum host_database *db);
+
+int resolv_gethostbyname_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ int *status, int *timeouts,
+ struct resolv_hostent **rhostent);
+
+struct resolv_hostport {
+ const char *host;
+ int port;
+};
+
+struct resolv_hostport_addr {
+ struct resolv_hostport origin;
+ struct resolv_hostent *reply;
+};
+
+/* Resolves a list of resolv_hostport tuples into a list of
+ * resolv_hostport_addr. Any unresolvable addresses are skipped.
+ *
+ * Optionally takes a limit argument and stops after the request
+ * had resolved addresses up to the limit.
+ */
+struct tevent_req *resolv_hostport_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *ctx,
+ struct resolv_hostport *hostport_list,
+ size_t list_size,
+ size_t limit,
+ enum restrict_family family_order,
+ enum host_database *db);
+
+int resolv_hostport_list_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ size_t *_rhp_len,
+ struct resolv_hostport_addr ***_rhp_addrs);
+
+char *
+resolv_get_string_address_index(TALLOC_CTX *mem_ctx,
+ struct resolv_hostent *hostent,
+ unsigned int addrindex);
+
+char *
+resolv_get_string_ptr_address(TALLOC_CTX *mem_ctx,
+ int family, uint8_t *address);
+
+#define resolv_get_string_address(mem_ctx, hostent) \
+ resolv_get_string_address_index(mem_ctx, hostent, 0)
+
+struct sockaddr_storage *
+resolv_get_sockaddr_address_index(TALLOC_CTX *mem_ctx,
+ struct resolv_hostent *hostent,
+ int port, int addrindex);
+
+#define resolv_get_sockaddr_address(mem_ctx, rhostent, port) \
+ resolv_get_sockaddr_address_index(mem_ctx, rhostent, port, 0)
+
+/** Get SRV record **/
+struct tevent_req *resolv_getsrv_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *ctx,
+ const char *query);
+
+int resolv_getsrv_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ int *status,
+ int *timeouts,
+ struct ares_srv_reply **reply_list,
+ uint32_t *ttl);
+
+/* This is an implementation of section "Usage rules" of RFC 2782 */
+int
+resolv_sort_srv_reply(struct ares_srv_reply **reply);
+
+/** Get TXT record **/
+struct tevent_req *resolv_gettxt_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *ctx,
+ const char *query);
+
+int resolv_gettxt_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ int *status,
+ int *timeouts,
+ struct ares_txt_reply **reply_list);
+
+/** Utils **/
+
+struct tevent_req *
+resolv_get_domain_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv_ctx,
+ const char *hostname,
+ enum host_database *host_dbs,
+ enum restrict_family family_order);
+
+errno_t resolv_get_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_dns_domain);
+
+struct tevent_req *
+resolv_discover_srv_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resolv_ctx *resolv_ctx,
+ const char *service,
+ const char *protocol,
+ const char **discovery_domains);
+
+errno_t resolv_discover_srv_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct ares_srv_reply **_reply_list,
+ uint32_t *_ttl,
+ char **_dns_domain);
+
+bool
+resolv_is_address(const char *name);
+#endif /* __ASYNC_RESOLV_H__ */
diff --git a/src/resolv/async_resolv_utils.c b/src/resolv/async_resolv_utils.c
new file mode 100644
index 0000000..8d077d0
--- /dev/null
+++ b/src/resolv/async_resolv_utils.c
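Review bot: The two index accessors declared in async_resolv.h disagree on the index type and state no bound: `resolv_get_string_address_index()` takes `unsigned int addrindex` while `resolv_get_sockaddr_address_index()` takes `int addrindex`, and the definitions in async_resolv.c in this same patch read `hostent->addr_list[addrindex]->ipaddr` with no range check. Because the length of `addr_list` depends on the resolver's answer, a negative or too-large index becomes an out-of-bounds read, or a NULL dereference if the list is NULL-terminated as it presumably is. I would declare both with `unsigned int addrindex` and put the contract above them, e.g. `/* addrindex must be below the number of entries in hostent->addr_list; these functions do not check it */`. Separately, `resolv_gettxt_send()` and `resolv_gettxt_recv()` are declared unconditionally although async_resolv.c defines them only under `#ifdef BUILD_TXT`, so the declarations should sit inside the same guard.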
@@ -0,0 +1,343 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "resolv/async_resolv.h" + +struct resolv_get_domain_state { + char *fqdn; + char *hostname; +}; + +static void resolv_get_domain_done(struct tevent_req *subreq); + +struct tevent_req * +resolv_get_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resolv_ctx *resolv_ctx, + const char *hostname, + enum host_database *host_dbs, + enum restrict_family family_order) +{ + struct resolv_get_domain_state *state = NULL; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + char system_hostname[HOST_NAME_MAX + 1]; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct resolv_get_domain_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (hostname == NULL) { + /* use system hostname */ + ret = gethostname(system_hostname, HOST_NAME_MAX); + if (ret) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "gethostname() failed: [%d]: %s\n", + ret, strerror(ret)); + goto immediately; + } + system_hostname[HOST_NAME_MAX] = '\0'; + hostname = system_hostname; + } + + state->fqdn = NULL; + state->hostname = talloc_strdup(state, hostname); + if (state->hostname == NULL) { + ret = ENOMEM; + goto immediately; + } + + 
DEBUG(SSSDBG_TRACE_LIBS, "Host name is: %s\n", state->hostname); + + subreq = resolv_gethostbyname_send(state, ev, resolv_ctx, state->hostname, + family_order, host_dbs); + if (subreq == NULL) { + talloc_zfree(req); + return NULL; + } + + tevent_req_set_callback(subreq, resolv_get_domain_done, req); + + return req; + +immediately: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + + return req; +} + +static void resolv_get_domain_done(struct tevent_req *subreq) +{ + struct resolv_get_domain_state *state = NULL; + struct tevent_req *req = NULL; + struct resolv_hostent *rhostent; + int resolv_status; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct resolv_get_domain_state); + + ret = resolv_gethostbyname_recv(subreq, req, &resolv_status, + NULL, &rhostent); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not get fully qualified name for host name %s " + "error [%d]: %s, resolver returned: [%d]: %s\n", + state->hostname, ret, strerror(ret), resolv_status, + resolv_strerror(resolv_status)); + state->fqdn = state->hostname; + } else { + DEBUG(SSSDBG_TRACE_LIBS, "The FQDN is: %s\n", rhostent->name); + state->fqdn = talloc_steal(state, rhostent->name); + talloc_zfree(rhostent); + } + + tevent_req_done(req); +} + +errno_t resolv_get_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain) +{ + struct resolv_get_domain_state *state = NULL; + char *dns_domain = NULL; + char *domptr = NULL; + + state = tevent_req_data(req, struct resolv_get_domain_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + domptr = strchr(state->fqdn, '.'); + if (domptr == NULL || (*(domptr+1) == '\0')) { + /* If the FQDN did not contain a dot or the dot was the last character + * (broken DNS server perhaps) */ + dns_domain = state->fqdn; + } else { + dns_domain = domptr + 1; + } + + *_dns_domain = talloc_strdup(mem_ctx, dns_domain); + if (*_dns_domain == NULL) { + return 
ENOMEM; + } + + return EOK; +} + +struct resolv_discover_srv_state { + struct tevent_context *ev; + struct resolv_ctx *resolv_ctx; + const char *service; + const char *protocol; + const char **discovery_domains; + int domain_index; + + struct ares_srv_reply *reply_list; + uint32_t ttl; +}; + +static errno_t resolv_discover_srv_next_domain(struct tevent_req *req); +static void resolv_discover_srv_done(struct tevent_req *subreq); + +struct tevent_req *resolv_discover_srv_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resolv_ctx *resolv_ctx, + const char *service, + const char *protocol, + const char **discovery_domains) +{ + struct resolv_discover_srv_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct resolv_discover_srv_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + if (resolv_ctx == NULL || service == NULL || protocol == NULL + || discovery_domains == NULL) { + ret = EINVAL; + goto immediately; + } + + state->ev = ev; + state->resolv_ctx = resolv_ctx; + state->discovery_domains = discovery_domains; + state->service = service; + state->protocol = protocol; + state->domain_index = 0; + + ret = resolv_discover_srv_next_domain(req); + if (ret != EAGAIN) { + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t resolv_discover_srv_next_domain(struct tevent_req *req) +{ + struct resolv_discover_srv_state *state = NULL; + struct tevent_req *subreq = NULL; + const char *domain = NULL; + char *query = NULL; + errno_t ret; + + state = tevent_req_data(req, struct resolv_discover_srv_state); + + domain = state->discovery_domains[state->domain_index]; + if (domain == NULL) { + ret = EOK; + goto done; + } + + query = talloc_asprintf(state, "_%s._%s.%s", state->service, + 
state->protocol, domain); + if (query == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "SRV resolution of service '%s'. Will use DNS " + "discovery domain '%s'\n", state->service, domain); + + subreq = resolv_getsrv_send(state, state->ev, + state->resolv_ctx, query); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, resolv_discover_srv_done, req); + + state->domain_index++; + ret = EAGAIN; + +done: + if (ret != EAGAIN) { + talloc_free(query); + } + + return ret; +} + +static void resolv_discover_srv_done(struct tevent_req *subreq) +{ + struct resolv_discover_srv_state *state = NULL; + struct tevent_req *req = NULL; + int status; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct resolv_discover_srv_state); + + ret = resolv_getsrv_recv(state, subreq, &status, NULL, + &state->reply_list, &state->ttl); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "SRV query failed [%d]: %s\n", + status, resolv_strerror(status)); + + if (status == ARES_ENOTFOUND) { + /* continue with next discovery domain */ + ret = resolv_discover_srv_next_domain(req); + if (ret == EOK) { + /* there are no more domains to try */ + ret = ENOENT; + } + + goto done; + } + + /* critical error when fetching SRV record */ + ret = EIO; + goto done; + } + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + + return; +} + +errno_t resolv_discover_srv_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ares_srv_reply **_reply_list, + uint32_t *_ttl, + char **_dns_domain) +{ + struct resolv_discover_srv_state *state = NULL; + char *domain = NULL; + + state = tevent_req_data(req, struct resolv_discover_srv_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_dns_domain != NULL) { + /* domain_index now points to selected domain + 1 */ + domain = talloc_strdup(mem_ctx, + 
state->discovery_domains[state->domain_index - 1]); + if (domain == NULL) { + return ENOMEM; + } + + *_dns_domain = domain; + } + + if (_reply_list != NULL) { + *_reply_list = talloc_steal(mem_ctx, state->reply_list); + } + + if (_ttl != NULL) { + *_ttl = state->ttl; + } + + return EOK; +} diff --git a/src/responder/autofs/autofs_private.h b/src/responder/autofs/autofs_private.h new file mode 100644 index 0000000..6a39b17 --- /dev/null +++ b/src/responder/autofs/autofs_private.h 
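Review bot: In resolv_discover_srv_recv() the expression `state->discovery_domains[state->domain_index - 1]` reads one element before the array when the request finished without sending any query. resolv_discover_srv_send() completes the request successfully when resolv_discover_srv_next_domain() returns EOK, which it does for a list whose first entry is NULL, so domain_index is still 0 and no reply list was ever stored. resolv_discover_srv_done() already turns that EOK into ENOENT, and the send path should do the same, for example `if (ret == EOK) { ret = ENOENT; }` before `goto immediately;`. Whether any caller passes an empty discovery list is not visible in this hunk.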
@@ -0,0 +1,107 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _AUTOFSSRV_PRIVATE_H_ +#define _AUTOFSSRV_PRIVATE_H_ + +#include "responder/common/responder_sbus.h" + +#define SSS_AUTOFS_PROTO_VERSION 0x001 + +struct autofs_ctx { + struct resp_ctx *rctx; + + int neg_timeout; + + hash_table_t *maps; +}; + +struct autofs_state_ctx { + char *automntmap_name; +}; + +struct autofs_cmd_ctx { + struct cli_ctx *cctx; + char *mapname; + char *key; + uint32_t cursor; + uint32_t max_entries; + bool check_next; +}; + +struct autofs_dom_ctx { + struct autofs_cmd_ctx *cmd_ctx; + struct sss_domain_info *domain; + bool check_provider; + + /* cache results */ + struct ldb_message *map; + + size_t entry_count; + struct ldb_message **entries; + + struct autofs_map_ctx *map_ctx; +}; + +struct autofs_map_ctx { + /* state of the map entry */ + bool ready; + bool found; + + /* requests */ + struct setent_req_list *reqs; + + hash_table_t *map_table; + char *mapname; + + /* map entry */ + struct ldb_message *map; + size_t entry_count; + struct ldb_message **entries; +}; + +struct sss_cmd_table *get_autofs_cmds(void); +int autofs_connection_setup(struct cli_ctx *cctx); + +void autofs_map_hash_delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, void *pvt); + +errno_t autofs_orphan_maps(struct autofs_ctx *actx); + +enum sss_dp_autofs_type { + SSS_DP_AUTOFS +}; + 
+struct tevent_req * +sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + enum sss_dp_autofs_type type, + const char *name); + +errno_t +sss_dp_get_autofs_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg); + +#endif /* _AUTOFSSRV_PRIVATE_H_ */ diff --git a/src/responder/autofs/autofssrv.c b/src/responder/autofs/autofssrv.c new file mode 100644 index 0000000..7d236f4 --- /dev/null +++ b/src/responder/autofs/autofssrv.c 
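Review bot: The `map_table` member of `struct autofs_map_ctx` carries a lifetime invariant that the header does not document. In autofssrv_cmd.c the talloc destructor autofs_map_hash_remove() deletes the map's key through `map_table`, and autofs_map_hash_delete_cb() sets it to NULL so that the destructor skips the delete once the table has already dropped the entry. A comment on the field would keep later changes from breaking that pairing, for example `/* table this map is registered in; set to NULL by autofs_map_hash_delete_cb() so the destructor does not delete the key twice */`. The `ready` and `found` flags would benefit from a line each as well, since setautomntent_send() treats `ready && !found` as a negative-cache hit.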
@@ -0,0 +1,252 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + Autofs responder: the responder server + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "monitor/monitor_interfaces.h" +#include "responder/common/responder.h" +#include "providers/data_provider.h" +#include "responder/autofs/autofs_private.h" + +static int autofs_clean_hash_table(struct sbus_request *dbus_req, void *data); + +struct mon_cli_iface monitor_autofs_methods = { + { &mon_cli_iface_meta, 0 }, + .resInit = monitor_common_res_init, + .goOffline = NULL, + .resetOffline = NULL, + .rotateLogs = responder_logrotate, + .clearMemcache = NULL, + .clearEnumCache = autofs_clean_hash_table, + .sysbusReconnect = NULL, +}; + +static errno_t +autofs_get_config(struct autofs_ctx *actx, + struct confdb_ctx *cdb) +{ + errno_t ret; + + ret = confdb_get_int(cdb, CONFDB_AUTOFS_CONF_ENTRY, + CONFDB_AUTOFS_MAP_NEG_TIMEOUT, 15, + &actx->neg_timeout); + return ret; +} + +static void +autofs_dp_reconnect_init(struct sbus_connection *conn, + int status, void *pvt) +{ + struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn); + int ret; + + /* Did we reconnect successfully? 
*/ + if (status == SBUS_RECONNECT_SUCCESS) { + DEBUG(SSSDBG_TRACE_FUNC, "Reconnected to the Data Provider.\n"); + + /* Identify ourselves to the data provider */ + ret = rdp_register_client(be_conn, "autofs"); + /* all fine */ + if (ret == EOK) { + handle_requests_after_reconnect(be_conn->rctx); + return; + } + } + + /* Failed to reconnect */ + DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n", + be_conn->domain->name); +} + +static int autofs_clean_hash_table(struct sbus_request *dbus_req, void *data) +{ + struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); + struct autofs_ctx *actx = + talloc_get_type(rctx->pvt_ctx, struct autofs_ctx); + errno_t ret; + + ret = autofs_orphan_maps(actx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not invalidate maps\n"); + return ret; + } + + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} + +static int +autofs_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb) +{ + struct resp_ctx *rctx; + struct sss_cmd_table *autofs_cmds; + struct autofs_ctx *autofs_ctx; + struct be_conn *iter; + int ret; + int hret; + int max_retries; + + autofs_cmds = get_autofs_cmds(); + ret = sss_process_init(mem_ctx, ev, cdb, + autofs_cmds, + SSS_AUTOFS_SOCKET_NAME, -1, NULL, -1, + CONFDB_AUTOFS_CONF_ENTRY, + SSS_AUTOFS_SBUS_SERVICE_NAME, + SSS_AUTOFS_SBUS_SERVICE_VERSION, + &monitor_autofs_methods, + "autofs", + NULL, + autofs_connection_setup, + &rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n"); + return ret; + } + + autofs_ctx = talloc_zero(rctx, struct autofs_ctx); + if (!autofs_ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing autofs_ctx\n"); + ret = ENOMEM; + goto fail; + } + + ret = autofs_get_config(autofs_ctx, cdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot read autofs configuration\n"); + goto fail; + } + + autofs_ctx->rctx = rctx; + autofs_ctx->rctx->pvt_ctx = autofs_ctx; + + /* 
Enable automatic reconnection to the Data Provider */ + ret = confdb_get_int(autofs_ctx->rctx->cdb, + CONFDB_AUTOFS_CONF_ENTRY, + CONFDB_SERVICE_RECON_RETRIES, + 3, &max_retries); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up automatic reconnection\n"); + goto fail; + } + + for (iter = autofs_ctx->rctx->be_conns; iter; iter = iter->next) { + sbus_reconnect_init(iter->conn, max_retries, + autofs_dp_reconnect_init, iter); + } + + /* Create the lookup table for setautomntent results */ + hret = sss_hash_create_ex(autofs_ctx, 10, &autofs_ctx->maps, 0, 0, 0, 0, + autofs_map_hash_delete_cb, NULL); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to initialize automount maps hash table\n"); + ret = EIO; + goto fail; + } + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "autofs Initialization complete\n"); + return EOK; + +fail: + talloc_free(rctx); + return ret; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + umask(DFL_RSP_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. 
*/ + debug_log_file = "sssd_autofs"; + + sss_set_logger(opt_logger); + + ret = server_setup("sssd[autofs]", 0, uid, gid, + CONFDB_AUTOFS_CONF_ENTRY, &main_ctx); + if (ret != EOK) { + return 2; + } + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, "Could not set up to exit " + "when parent process does\n"); + } + + ret = autofs_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx); + if (ret != EOK) { + return 3; + } + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c new file mode 100644 index 0000000..9ea2ab7 --- /dev/null +++ b/src/responder/autofs/autofssrv_cmd.c 
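Review bot: `uid` and `gid` in main() are declared without an initializer and are later passed by value to server_setup(). SSSD_SERVER_OPTS is defined outside this hunk; if it only registers the two variables as popt targets, they hold indeterminate values whenever the options are absent from the command line, and that value would feed whatever identity decision server_setup() makes. Initializing them at the declaration, `uid_t uid = 0;` and `gid_t gid = 0;`, makes the default explicit.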
@@ -0,0 +1,1527 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + Autofs responder: commands + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/common/responder_packet.h" +#include "responder/autofs/autofs_private.h" +#include "db/sysdb.h" +#include "db/sysdb_autofs.h" +#include "confdb/confdb.h" + +static int autofs_cmd_send_error(struct autofs_cmd_ctx *cmdctx, int err) +{ + return sss_cmd_send_error(cmdctx->cctx, err); +} + +static int +autofs_cmd_send_empty(struct autofs_cmd_ctx *cmdctx) +{ + return sss_cmd_send_empty(cmdctx->cctx); +} + +static int +autofs_cmd_done(struct autofs_cmd_ctx *cmdctx, int ret) +{ + switch (ret) { + case EOK: + /* all fine, just return here */ + break; + + case ENOENT: + ret = autofs_cmd_send_empty(cmdctx); + if (ret) { + return EFAULT; + } + sss_cmd_done(cmdctx->cctx, cmdctx); + break; + + case EAGAIN: + /* async processing, just return here */ + break; + + case EFAULT: + /* very bad error */ + return EFAULT; + + default: + ret = autofs_cmd_send_error(cmdctx, ret); + if (ret) { + return EFAULT; + } + sss_cmd_done(cmdctx->cctx, cmdctx); + break; + } + + return EOK; +} + +static errno_t +autofs_setent_add_ref(TALLOC_CTX *memctx, + struct autofs_map_ctx *map_ctx, + struct tevent_req *req) +{ + return setent_add_ref(memctx, &map_ctx->reqs, req); +} + +static void 
+autofs_setent_notify(struct autofs_map_ctx *map_ctx, errno_t ret) +{ + setent_notify(&map_ctx->reqs, ret); +} + +errno_t +autofs_orphan_maps(struct autofs_ctx *actx) +{ + int hret; + unsigned long mcount; + unsigned long i; + hash_key_t *maps; + + if (!actx || !actx->maps) { + return EINVAL; + } + + hret = hash_keys(actx->maps, &mcount, &maps); + if (hret != HASH_SUCCESS) { + return EIO; + } + + for (i = 0; i < mcount; i++) { + hret = hash_delete(actx->maps, &maps[i]); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not delete key from hash\n"); + continue; + } + } + + return EOK; +} + +static errno_t +get_autofs_map(struct autofs_ctx *actx, + char *mapname, + struct autofs_map_ctx **map) +{ + hash_key_t key; + hash_value_t value; + int hret; + + key.type = HASH_KEY_STRING; + key.str = mapname; + + hret = hash_lookup(actx->maps, &key, &value); + if (hret == HASH_SUCCESS) { + *map = talloc_get_type(value.ptr, struct autofs_map_ctx); + return EOK; + } else if (hret == HASH_ERROR_KEY_NOT_FOUND) { + return ENOENT; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected error reading from autofs map hash [%d][%s]\n", + hret, hash_error_string(hret)); + return EIO; +} + +static int autofs_map_hash_remove (TALLOC_CTX *ctx); + +void +autofs_map_hash_delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, void *pvt) +{ + struct autofs_map_ctx *map; + + if (deltype != HASH_ENTRY_DESTROY) { + return; + } + + map = talloc_get_type(item->value.ptr, struct autofs_map_ctx); + if (!map) { + DEBUG(SSSDBG_OP_FAILURE, "Invalid autofs map\n"); + return; + } + + /* So that the destructor wouldn't attempt to remove the map from hash + * table */ + map->map_table = NULL; +} + +static errno_t +set_autofs_map(struct autofs_ctx *actx, + struct autofs_map_ctx *map) +{ + hash_key_t key; + hash_value_t value; + int hret; + + if (map->mapname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing autofs map name.\n"); + return EINVAL; + } + + /* Add this entry to the hash table */ + 
key.type = HASH_KEY_STRING; + key.str = map->mapname; + value.type = HASH_VALUE_PTR; + value.ptr = map; + hret = hash_enter(actx->maps, &key, &value); + if (hret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to add hash table entry for [%s]\n", key.str); + DEBUG(SSSDBG_MINOR_FAILURE, + "Hash error [%d][%s]\n", hret, hash_error_string(hret)); + return EIO; + } + talloc_steal(actx->maps, map); + talloc_set_destructor((TALLOC_CTX *) map, autofs_map_hash_remove); + + return EOK; +} + +static int +autofs_map_hash_remove(TALLOC_CTX *ctx) +{ + int hret; + hash_key_t key; + struct autofs_map_ctx *map = + talloc_get_type(ctx, struct autofs_map_ctx); + + if (map->map_table == NULL) { + DEBUG(SSSDBG_TRACE_LIBS, "autofs map [%s] was already removed\n", + map->mapname); + return 0; + } + + key.type = HASH_KEY_STRING; + key.str = map->mapname; + + /* Remove the autofs map result object from the lookup table */ + hret = hash_delete(map->map_table, &key); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not remove key from table! 
[%d][%s]\n", + hret, hash_error_string(hret)); + return -1; + } + return 0; +} + +static struct tevent_req * +setautomntent_send(TALLOC_CTX *mem_ctx, + const char *rawname, + struct autofs_cmd_ctx *cmdctx); +static errno_t setautomntent_recv(struct tevent_req *req); +static void sss_autofs_cmd_setautomntent_done(struct tevent_req *req); + +/* FIXME - file a ticket to have per-responder private + * data instead of growing the cli_ctx structure */ +static int +sss_autofs_cmd_setautomntent(struct cli_ctx *client) +{ + struct autofs_cmd_ctx *cmdctx; + struct cli_protocol *pctx; + uint8_t *body; + size_t blen; + errno_t ret = EOK; + const char *rawname; + struct tevent_req *req; + + DEBUG(SSSDBG_TRACE_INTERNAL, "sss_autofs_cmd_setautomntent\n"); + + cmdctx = talloc_zero(client, struct autofs_cmd_ctx); + if (!cmdctx) { + return ENOMEM; + } + cmdctx->cctx = client; + + pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* if not terminated fail */ + if (body[blen -1] != '\0') { + ret = EINVAL; + goto done; + } + + /* If the body isn't valid UTF-8, fail */ + if (!sss_utf8_check(body, blen -1)) { + ret = EINVAL; + goto done; + } + + rawname = (const char *)body; + DEBUG(SSSDBG_TRACE_FUNC, + "Got request for automount map named %s\n", rawname); + + req = setautomntent_send(cmdctx, rawname, cmdctx); + if (!req) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Fatal error calling setautomntent_send\n"); + ret = EIO; + goto done; + } + tevent_req_set_callback(req, sss_autofs_cmd_setautomntent_done, cmdctx); + + ret = EOK; +done: + return autofs_cmd_done(cmdctx, ret); +} + +static void sss_autofs_cmd_setautomntent_done(struct tevent_req *req) +{ + struct autofs_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct autofs_cmd_ctx); + struct cli_protocol *pctx; + errno_t ret; + errno_t reqret; + uint8_t *body; + size_t blen; + + DEBUG(SSSDBG_TRACE_INTERNAL, "setautomntent done\n"); + + reqret = 
setautomntent_recv(req); + talloc_zfree(req); + if (reqret != EOK && reqret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_recv failed\n"); + autofs_cmd_done(cmdctx, reqret); + return; + } + + pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol); + + /* Either we succeeded or no domains were eligible */ + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret == EOK) { + if (reqret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "setautomntent did not find requested map\n"); + /* Notify the caller that this entry wasn't found */ + ret = sss_cmd_empty_packet(pctx->creq->out); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "sss_cmd_empty_packet() failed: %s [%d]\n", + sss_strerror(ret), ret); + } + } else { + DEBUG(SSSDBG_TRACE_FUNC, "setautomntent found data\n"); + ret = sss_packet_grow(pctx->creq->out, 2*sizeof(uint32_t)); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't grow the packet\n"); + talloc_free(cmdctx); + return; + } + + sss_packet_get_body(pctx->creq->out, &body, &blen); + + /* Got some results */ + SAFEALIGN_SETMEM_UINT32(body, 1, NULL); + + /* Reserved padding */ + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); + } + + sss_cmd_done(cmdctx->cctx, NULL); + return; + } + + DEBUG(SSSDBG_CRIT_FAILURE, "Error creating packet\n"); + return; +} + +struct setautomntent_state { + struct autofs_cmd_ctx *cmdctx; + struct autofs_dom_ctx *dctx; + + char *mapname; + struct autofs_map_ctx *map; +}; + +struct setautomntent_lookup_ctx { + struct autofs_ctx *actx; + struct autofs_dom_ctx *dctx; + struct resp_ctx *rctx; + struct cli_ctx *cctx; + + bool returned_to_mainloop; + + char *mapname; + struct autofs_map_ctx *map; +}; + +static errno_t +lookup_automntmap_step(struct setautomntent_lookup_ctx *lookup_ctx); + +static void +autofs_map_result_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct 
autofs_map_ctx *map = + talloc_get_type(pvt, struct autofs_map_ctx); + + /* Free the autofs map result context + * The destructor for the autofs map will remove itself + * from the hash table + */ + talloc_free(map); +} + +static void +set_autofs_map_lifetime(uint32_t lifetime, + struct setautomntent_lookup_ctx *lookup_ctx, + struct autofs_map_ctx *map) +{ + struct timeval tv; + struct tevent_timer *te; + + tv = tevent_timeval_current_ofs(lifetime, 0); + te = tevent_add_timer(lookup_ctx->rctx->ev, + map, tv, + autofs_map_result_timeout, + map); + if (!te) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set up life timer for autofs maps. " + "Entries may become stale.\n"); + } +} + +static errno_t +setautomntent_get_autofs_map(struct autofs_ctx *actx, + char *mapname, + struct autofs_map_ctx **map); + +static struct tevent_req * +setautomntent_send(TALLOC_CTX *mem_ctx, + const char *rawname, + struct autofs_cmd_ctx *cmdctx) +{ + char *domname; + errno_t ret; + struct tevent_req *req; + struct setautomntent_state *state; + struct cli_ctx *client = cmdctx->cctx; + struct autofs_dom_ctx *dctx; + struct autofs_ctx *actx; + struct autofs_state_ctx *state_ctx; + struct setautomntent_lookup_ctx *lookup_ctx; + + actx = talloc_get_type(client->rctx->pvt_ctx, struct autofs_ctx); + state_ctx = talloc_get_type(client->state_ctx, struct autofs_state_ctx); + + req = tevent_req_create(mem_ctx, &state, struct setautomntent_state); + if (!req) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not create tevent request for setautomntent\n"); + return NULL; + } + state->cmdctx = cmdctx; + + dctx = talloc_zero(state, struct autofs_dom_ctx); + if (!dctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory\n"); + ret = ENOMEM; + goto fail; + } + dctx->cmd_ctx = state->cmdctx; + state->dctx = dctx; + + ret = sss_parse_name_for_domains(state, client->rctx->domains, + NULL, rawname, + &domname, &state->mapname); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid name received [%s]\n", rawname); + 
goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Requesting info for automount map [%s] from [%s]\n", + state->mapname, domname?domname:""); + + if (domname) { + dctx->domain = responder_get_domain(client->rctx, domname); + if (!dctx->domain) { + ret = EINVAL; + goto fail; + } + + state_ctx->automntmap_name = talloc_strdup(client, rawname); + if (!state_ctx->automntmap_name) { + ret = ENOMEM; + goto fail; + } + } else { + /* this is a multidomain search */ + dctx->domain = client->rctx->domains; + cmdctx->check_next = true; + + state_ctx->automntmap_name = talloc_strdup(client, state->mapname); + if (!state_ctx->automntmap_name) { + ret = ENOMEM; + goto fail; + } + } + + dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); + /* Is the result context already available? + * Check for existing lookups for this map + */ + ret = setautomntent_get_autofs_map(actx, state->mapname, &state->map); + if (ret == EOK) { + /* Another process already requested this map + * Check whether it's ready for processing. 
+ */ + if (state->map->ready) { + if (state->map->found) { + DEBUG(SSSDBG_TRACE_LIBS, + "Map %s is ready to be processed\n", state->mapname); + tevent_req_done(req); + tevent_req_post(req, actx->rctx->ev); + return req; + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Map %s was marked as nonexistent\n", state->mapname); + tevent_req_error(req, ENOENT); + tevent_req_post(req, actx->rctx->ev); + return req; + } + } + + /* Result object is still being constructed + * Register for notification when it's ready + */ + DEBUG(SSSDBG_TRACE_LIBS, + "Map %s is being looked up, registering for notification\n", + state->mapname); + ret = autofs_setent_add_ref(state, state->map, req); + if (ret != EOK) { + goto fail; + } + /* Will return control below */ + } else if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_LIBS, + "Map %s needs to be looked up\n", state->mapname); + + state->map = talloc_zero(actx, struct autofs_map_ctx); + if (!state->map) { + ret = ENOMEM; + goto fail; + } + dctx->map_ctx = state->map; + + state->map->mapname = talloc_strdup(state->map, state->mapname); + if (!state->map->mapname) { + talloc_free(state->map); + ret = ENOMEM; + goto fail; + } + state->map->map_table = actx->maps; + + ret = autofs_setent_add_ref(state, state->map, req); + if (ret != EOK) { + talloc_free(state->map); + goto fail; + } + + ret = set_autofs_map(actx, state->map); + if (ret != EOK) { + talloc_free(state->map); + goto fail; + } + + /* Perform lookup */ + lookup_ctx = talloc_zero(state->map, struct setautomntent_lookup_ctx); + if (!lookup_ctx) { + talloc_free(state->map); + ret = ENOMEM; + goto fail; + } + + /* Steal the dom_ctx onto the lookup_ctx so it doesn't go out of scope if + * this request is canceled while other requests are in-progress. 
+ */ + lookup_ctx->dctx = talloc_steal(lookup_ctx, state->dctx); + lookup_ctx->actx = actx; + lookup_ctx->map = state->map; + lookup_ctx->rctx = client->rctx; + lookup_ctx->mapname = + talloc_strdup(lookup_ctx, state->mapname); + if (!lookup_ctx->mapname) { + talloc_free(state->map); + ret = ENOMEM; + goto fail; + } + + ret = lookup_automntmap_step(lookup_ctx); + if (ret == EAGAIN) { + DEBUG(SSSDBG_TRACE_INTERNAL, "lookup_automntmap_step " + "is refreshing the cache, re-entering the mainloop\n"); + return req; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not get data from cache\n"); + talloc_free(state->map); + ret = ENOMEM; + goto fail; + } + + tevent_req_done(req); + tevent_req_post(req, cmdctx->cctx->ev); + return req; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected error from get_autofs_map [%d]: %s\n", + ret, strerror(ret)); + goto fail; + } + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, actx->rctx->ev); + return req; +} + +static errno_t +setautomntent_get_autofs_map(struct autofs_ctx *actx, + char *mapname, + struct autofs_map_ctx **map) +{ + errno_t ret; + + if (strcmp(mapname, "auto.master") == 0) { + /* Iterate over the hash and remove all maps */ + ret = autofs_orphan_maps(actx); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not remove existing maps from hash\n"); + } + return ENOENT; + } + + return get_autofs_map(actx, mapname, map); +} + +static errno_t +lookup_automntmap_update_cache(struct setautomntent_lookup_ctx *lookup_ctx); + +static errno_t +lookup_automntmap_step(struct setautomntent_lookup_ctx *lookup_ctx) +{ + errno_t ret; + struct sss_domain_info *dom = lookup_ctx->dctx->domain; + struct autofs_dom_ctx *dctx = lookup_ctx->dctx; + struct sysdb_ctx *sysdb; + struct autofs_map_ctx *map; + + /* Check each domain for this map name */ + while (dom) { + if (dom != dctx->domain) { + /* make sure we reset the check_provider flag when we check + * a new domain */ + dctx->check_provider 
= + NEED_CHECK_PROVIDER(dom->provider); + } + + /* make sure to update the dctx if we changed domain */ + dctx->domain = dom; + + DEBUG(SSSDBG_TRACE_FUNC, "Requesting info for [%s@%s]\n", + lookup_ctx->mapname, dom->name); + sysdb = dom->sysdb; + if (sysdb == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Fatal: Sysdb CTX not found for this domain!\n"); + return EIO; + } + + /* Look into the cache */ + talloc_free(dctx->map); + ret = sysdb_get_map_byname(dctx, dom, lookup_ctx->mapname, + &dctx->map); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "Could not check cache\n"); + return ret; + } else if (ret == ENOENT) { + DEBUG(SSSDBG_MINOR_FAILURE, + "No automount map [%s] in cache for domain [%s]\n", + lookup_ctx->mapname, dom->name); + if (!dctx->check_provider) { + if (dctx->cmd_ctx->check_next) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Moving on to next domain\n"); + dom = get_next_domain(dom, 0); + continue; + } + else break; + } + } + + ret = get_autofs_map(lookup_ctx->actx, lookup_ctx->mapname, &map); + if (ret != EOK) { + /* Something really bad happened! */ + DEBUG(SSSDBG_CRIT_FAILURE, "Autofs map entry was lost!\n"); + return ret; + } + + if (dctx->map == NULL && !dctx->check_provider) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Autofs map not found, setting negative cache\n"); + map->ready = true; + map->found = false; + set_autofs_map_lifetime(lookup_ctx->actx->neg_timeout, lookup_ctx, map); + return ENOENT; + } + + if (dctx->check_provider) { + ret = lookup_automntmap_update_cache(lookup_ctx); + if (ret == EAGAIN) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Looking up automount maps from the DP\n"); + return EAGAIN; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Error looking up automount maps [%d]: %s\n", + ret, strerror(ret)); + return ret; + } + } + + /* OK, the map is in cache and valid. 
+ * Let's get all members and return it + */ + ret = sysdb_autofs_entries_by_map(map, dom, map->mapname, + &map->entry_count, + &map->entries); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + "Error looking automount map entries [%d]: %s\n", + ret, strerror(ret)); + map->ready = true; + map->found = false; + set_autofs_map_lifetime(lookup_ctx->actx->neg_timeout, lookup_ctx, map); + return EIO; + } + + map->map = talloc_steal(map, dctx->map); + + DEBUG(SSSDBG_TRACE_FUNC, + "setautomntent done for map %s\n", lookup_ctx->mapname); + map->ready = true; + map->found = true; + set_autofs_map_lifetime(dom->autofsmap_timeout, lookup_ctx, map); + return EOK; + } + + map = talloc_zero(lookup_ctx->actx, struct autofs_map_ctx); + if (!map) { + return ENOMEM; + } + + map->ready = true; + map->found = false; + map->map_table = lookup_ctx->actx->maps; + + map->mapname = talloc_strdup(map, lookup_ctx->mapname); + if (!map->mapname) { + talloc_free(map); + return ENOMEM; + } + + ret = set_autofs_map(lookup_ctx->actx, map); + if (ret != EOK) { + talloc_free(map); + return ENOMEM; + } + + set_autofs_map_lifetime(lookup_ctx->actx->neg_timeout, lookup_ctx, map); + + /* If we've gotten here, then no domain contained this map */ + return ENOENT; +} + +static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min, + const char *err_msg, void *ptr); +static void autofs_dp_send_map_req_done(struct tevent_req *req); + +static errno_t +lookup_automntmap_update_cache(struct setautomntent_lookup_ctx *lookup_ctx) +{ + errno_t ret; + uint64_t cache_expire = 0; + struct autofs_dom_ctx *dctx = lookup_ctx->dctx; + struct tevent_req *req = NULL; + struct dp_callback_ctx *cb_ctx = NULL; + + if (dctx->map != NULL) { + if (strcmp(lookup_ctx->mapname, "auto.master") != 0) { + cache_expire = ldb_msg_find_attr_as_uint64(dctx->map, + SYSDB_CACHE_EXPIRE, 0); + } + + /* if we have any reply let's check cache validity */ + ret = sss_cmd_check_cache(dctx->map, 0, 
cache_expire); + if (ret == EOK) { + DEBUG(SSSDBG_TRACE_FUNC, "Cached entry is valid, returning..\n"); + return EOK; + } else if (ret != EAGAIN && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error checking cache: %d\n", ret); + goto error; + } + } + + /* dont loop forever :-) */ + dctx->check_provider = false; + + /* keep around current data in case backend is offline */ + /* FIXME - do this by default */ +#if 0 + if (dctx->res->count) { + dctx->res = talloc_steal(dctx, dctx->res); + } +#endif + + req = sss_dp_get_autofs_send(lookup_ctx->cctx, lookup_ctx->rctx, + lookup_ctx->dctx->domain, true, + SSS_DP_AUTOFS, lookup_ctx->mapname); + if (!req) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Out of memory sending data provider request\n"); + ret = ENOMEM; + goto error; + } + + cb_ctx = talloc_zero(lookup_ctx->dctx, struct dp_callback_ctx); + if(!cb_ctx) { + talloc_zfree(req); + ret = ENOMEM; + goto error; + } + cb_ctx->callback = lookup_automntmap_cache_updated; + cb_ctx->ptr = lookup_ctx; + cb_ctx->cctx = lookup_ctx->dctx->cmd_ctx->cctx; + cb_ctx->mem_ctx = lookup_ctx->dctx; + + tevent_req_set_callback(req, autofs_dp_send_map_req_done, cb_ctx); + + return EAGAIN; + +error: + ret = autofs_cmd_send_error(lookup_ctx->dctx->cmd_ctx, ret); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Fatal error, killing connection!\n"); + talloc_free(lookup_ctx->cctx); + return ret; + } + autofs_cmd_done(lookup_ctx->dctx->cmd_ctx, ret); + return EOK; +} + +static void autofs_dp_send_map_req_done(struct tevent_req *req) +{ + struct dp_callback_ctx *cb_ctx = + tevent_req_callback_data(req, struct dp_callback_ctx); + struct setautomntent_lookup_ctx *lookup_ctx = + talloc_get_type(cb_ctx->ptr, struct setautomntent_lookup_ctx); + + errno_t ret; + dbus_uint16_t err_maj; + dbus_uint32_t err_min; + char *err_msg; + + ret = sss_dp_get_autofs_recv(cb_ctx->mem_ctx, req, + &err_maj, &err_min, + &err_msg); + talloc_free(req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Fatal error, killing 
connection!\n"); + talloc_free(lookup_ctx->cctx); + return; + } + + cb_ctx->callback(err_maj, err_min, err_msg, cb_ctx->ptr); +} + +static void lookup_automntmap_cache_updated(uint16_t err_maj, uint32_t err_min, + const char *err_msg, void *ptr) +{ + struct setautomntent_lookup_ctx *lookup_ctx = + talloc_get_type(ptr, struct setautomntent_lookup_ctx); + struct autofs_dom_ctx *dctx = lookup_ctx->dctx; + errno_t ret; + + if (err_maj) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to get information from Data Provider\n" + "Error: %u, %u, %s\n" + "Will try to return what we have in cache\n", + (unsigned int)err_maj, (unsigned int)err_min, err_msg); + + /* Try to fall back to cache */ + ret = lookup_automntmap_step(lookup_ctx); + if (ret == EOK) { + /* We have cached results to return */ + autofs_setent_notify(lookup_ctx->map, ret); + return; + } + + /* Otherwise try the next domain */ + if (dctx->cmd_ctx->check_next + && (dctx->domain = get_next_domain(dctx->domain, 0))) { + dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider); + } + } + + ret = lookup_automntmap_step(lookup_ctx); + if (ret != EOK) { + if (ret == EAGAIN) { + return; + } + } + + /* We have results to return */ + autofs_setent_notify(lookup_ctx->map, ret); +} + +static errno_t +setautomntent_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +static errno_t +getautomntent_process(struct autofs_cmd_ctx *cmdctx, + struct autofs_map_ctx *map, + uint32_t cursor, uint32_t max_entries); +static void +getautomntent_implicit_done(struct tevent_req *req); +static errno_t +fill_autofs_entry(struct ldb_message *entry, struct sss_packet *packet, size_t *rp); + + +static int +sss_autofs_cmd_getautomntent(struct cli_ctx *client) +{ + struct autofs_cmd_ctx *cmdctx; + struct autofs_map_ctx *map; + struct autofs_ctx *actx; + struct cli_protocol *pctx; + uint8_t *body; + size_t blen; + errno_t ret; + uint32_t namelen; + size_t c = 0; + struct tevent_req *req; + + 
DEBUG(SSSDBG_TRACE_INTERNAL, "sss_autofs_cmd_getautomntent\n"); + + cmdctx = talloc_zero(client, struct autofs_cmd_ctx); + if (!cmdctx) { + return ENOMEM; + } + cmdctx->cctx = client; + + actx = talloc_get_type(client->rctx->pvt_ctx, struct autofs_ctx); + if (!actx) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing autofs context\n"); + return EIO; + } + + pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol); + + /* get autofs map name and index to query */ + sss_packet_get_body(pctx->creq->in, &body, &blen); + + SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c); + + if (namelen == 0 || namelen > blen - c) { + ret = EINVAL; + goto done; + } + + cmdctx->mapname = (char *) body+c; + + /* if not null-terminated fail */ + if (cmdctx->mapname[namelen] != '\0') { + ret = EINVAL; + goto done; + } + + /* If the name isn't valid UTF-8, fail */ + if (!sss_utf8_check((const uint8_t *) cmdctx->mapname, namelen -1)) { + ret = EINVAL; + goto done; + } + + SAFEALIGN_COPY_UINT32_CHECK(&cmdctx->cursor, body+c+namelen+1, blen, &c); + SAFEALIGN_COPY_UINT32_CHECK(&cmdctx->max_entries, body+c+namelen+1, blen, &c); + + DEBUG(SSSDBG_TRACE_FUNC, + "Requested data of map %s cursor %d max entries %d\n", + cmdctx->mapname, cmdctx->cursor, cmdctx->max_entries); + + ret = get_autofs_map(actx, cmdctx->mapname, &map); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n"); + req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n"); + ret = EIO; + goto done; + } + + tevent_req_set_callback(req, getautomntent_implicit_done, cmdctx); + ret = EOK; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "An unexpected error occurred: [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + if (map->ready == false) { + DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n"); + req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx); + if (req == 
NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n"); + ret = EIO; + goto done; + } + + tevent_req_set_callback(req, getautomntent_implicit_done, cmdctx); + ret = EOK; + goto done; + } else if (map->found == false) { + DEBUG(SSSDBG_TRACE_FUNC, "negative cache hit\n"); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "returning entries for [%s]\n", map->mapname); + + ret = getautomntent_process(cmdctx, map, cmdctx->cursor, cmdctx->max_entries); + +done: + return autofs_cmd_done(cmdctx, ret); +} + +static void +getautomntent_implicit_done(struct tevent_req *req) +{ + errno_t ret; + struct autofs_map_ctx *map; + struct autofs_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct autofs_cmd_ctx); + struct autofs_ctx *actx = + talloc_get_type(cmdctx->cctx->rctx->pvt_ctx, struct autofs_ctx); + + ret = setautomntent_recv(req); + talloc_zfree(req); + if (ret != EOK) { + if (ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_recv failed\n"); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "No such map\n"); + } + goto done; + } + + ret = get_autofs_map(actx, cmdctx->mapname, &map); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot get map after setautomntent succeeded?\n"); + goto done; + } + + if (map->ready == false) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Map not ready after setautomntent succeeded\n"); + goto done; + } + + ret = getautomntent_process(cmdctx, map, + cmdctx->cursor, cmdctx->max_entries); +done: + autofs_cmd_done(cmdctx, ret); + return; +} + +static errno_t +getautomntent_process(struct autofs_cmd_ctx *cmdctx, + struct autofs_map_ctx *map, + uint32_t cursor, uint32_t max_entries) +{ + struct cli_protocol *pctx; + errno_t ret; + struct ldb_message *entry; + size_t rp; + uint32_t i, stop, left, nentries; + uint8_t *body; + size_t blen; + + pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol); + + /* create response packet */ + ret = sss_packet_new(pctx->creq, 0, + 
sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + return ret; + } + + if (!map->map || !map->entries || !map->entries[0] || + cursor >= map->entry_count) { + DEBUG(SSSDBG_MINOR_FAILURE, "No entries found\n"); + ret = sss_cmd_empty_packet(pctx->creq->out); + if (ret != EOK) { + return autofs_cmd_done(cmdctx, ret); + } + goto done; + } + + /* allocate memory for number of entries in the packet */ + ret = sss_packet_grow(pctx->creq->out, sizeof(uint32_t)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot grow packet\n"); + goto done; + } + + rp = sizeof(uint32_t); /* We'll write the number of entries here */ + + left = map->entry_count - cursor; + stop = max_entries < left ? max_entries : left; + + nentries = 0; + for (i=0; i < stop; i++) { + entry = map->entries[cursor]; + cursor++; + + ret = fill_autofs_entry(entry, pctx->creq->out, &rp); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot fill entry %d/%d, skipping\n", i, stop); + continue; + } + nentries++; + } + + /* packet grows in fill_autofs_entry, body pointer may change, + * thus we have to obtain it here */ + sss_packet_get_body(pctx->creq->out, &body, &blen); + + rp = 0; + SAFEALIGN_SET_UINT32(&body[rp], nentries, &rp); + + ret = EOK; +done: + sss_packet_set_error(pctx->creq->out, ret); + sss_cmd_done(cmdctx->cctx, cmdctx); + + return EOK; +} + +static errno_t +fill_autofs_entry(struct ldb_message *entry, struct sss_packet *packet, size_t *rp) +{ + errno_t ret; + const char *key; + size_t keylen; + const char *value; + size_t valuelen; + uint8_t *body; + size_t blen; + size_t len; + + key = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_KEY, NULL); + value = ldb_msg_find_attr_as_string(entry, SYSDB_AUTOFS_ENTRY_VALUE, NULL); + if (!key || !value) { + DEBUG(SSSDBG_MINOR_FAILURE, "Incomplete entry\n"); + return EINVAL; + } + + keylen = 1 + strlen(key); + valuelen = 1 + strlen(value); + len = sizeof(uint32_t) + sizeof(uint32_t) + keylen + sizeof(uint32_t) + 
valuelen; + + ret = sss_packet_grow(packet, len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot grow packet\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &blen); + + SAFEALIGN_SET_UINT32(&body[*rp], len, rp); + SAFEALIGN_SET_UINT32(&body[*rp], keylen, rp); + + if (keylen == 1) { + body[*rp] = '\0'; + } else { + memcpy(&body[*rp], key, keylen); + } + *rp += keylen; + + SAFEALIGN_SET_UINT32(&body[*rp], valuelen, rp); + if (valuelen == 1) { + body[*rp] = '\0'; + } else { + memcpy(&body[*rp], value, valuelen); + } + *rp += valuelen; + + return EOK; +} + +static errno_t +getautomntbyname_process(struct autofs_cmd_ctx *cmdctx, + struct autofs_map_ctx *map, + const char *key); +static void +getautomntbyname_implicit_done(struct tevent_req *req); + +static int +sss_autofs_cmd_getautomntbyname(struct cli_ctx *client) +{ + errno_t ret; + struct autofs_cmd_ctx *cmdctx; + struct autofs_map_ctx *map; + struct autofs_ctx *actx; + struct cli_protocol *pctx; + uint8_t *body; + size_t blen; + uint32_t namelen; + uint32_t keylen; + size_t c = 0; + struct tevent_req *req; + + DEBUG(SSSDBG_TRACE_INTERNAL, "sss_autofs_cmd_getautomntbyname\n"); + + cmdctx = talloc_zero(client, struct autofs_cmd_ctx); + if (!cmdctx) { + return ENOMEM; + } + cmdctx->cctx = client; + + actx = talloc_get_type(client->rctx->pvt_ctx, struct autofs_ctx); + if (!actx) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing autofs context\n"); + return EIO; + } + + pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol); + + /* get autofs map name and index to query */ + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* FIXME - split out a function to get string from \0 */ + SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c); + + if (namelen == 0 || namelen > blen - c) { + ret = EINVAL; + goto done; + } + + cmdctx->mapname = (char *) body+c; + + /* if not null-terminated fail */ + if (cmdctx->mapname[namelen] != '\0') { + ret = EINVAL; + goto done; + } + + /* If the name 
isn't valid UTF-8, fail */ + if (!sss_utf8_check((const uint8_t *) cmdctx->mapname, namelen -1)) { + ret = EINVAL; + goto done; + } + + c += namelen + 1; + + /* FIXME - split out a function to get string from \0 */ + SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c); + + if (keylen == 0 || keylen > blen - c) { + ret = EINVAL; + goto done; + } + + cmdctx->key = (char *) body+c; + + /* if not null-terminated fail */ + if (cmdctx->key[keylen] != '\0') { + ret = EINVAL; + goto done; + } + + /* If the key isn't valid UTF-8, fail */ + if (!sss_utf8_check((const uint8_t *) cmdctx->key, keylen -1)) { + ret = EINVAL; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Requested data of map %s key %s\n", cmdctx->mapname, cmdctx->key); + + ret = get_autofs_map(actx, cmdctx->mapname, &map); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n"); + req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n"); + ret = EIO; + goto done; + } + + tevent_req_set_callback(req, getautomntbyname_implicit_done, cmdctx); + ret = EOK; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "An unexpected error occurred: [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + if (map->ready == false) { + DEBUG(SSSDBG_TRACE_FUNC, "Performing implicit setautomntent\n"); + req = setautomntent_send(cmdctx, cmdctx->mapname, cmdctx); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_send failed\n"); + ret = EIO; + goto done; + } + + tevent_req_set_callback(req, getautomntbyname_implicit_done, cmdctx); + ret = EOK; + goto done; + } else if (map->found == false) { + DEBUG(SSSDBG_TRACE_FUNC, "negative cache hit\n"); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Looking up value for [%s] in [%s]\n", cmdctx->key, map->mapname); + + ret = getautomntbyname_process(cmdctx, map, cmdctx->key); + +done: + return autofs_cmd_done(cmdctx, ret); 
+} + +static void +getautomntbyname_implicit_done(struct tevent_req *req) +{ + errno_t ret; + struct autofs_map_ctx *map; + struct autofs_cmd_ctx *cmdctx = + tevent_req_callback_data(req, struct autofs_cmd_ctx); + struct autofs_ctx *actx = + talloc_get_type(cmdctx->cctx->rctx->pvt_ctx, struct autofs_ctx); + + ret = setautomntent_recv(req); + talloc_zfree(req); + if (ret != EOK) { + if (ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "setautomntent_recv failed\n"); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "No such map\n"); + } + goto done; + } + + ret = get_autofs_map(actx, cmdctx->mapname, &map); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot get map after setautomntent succeeded?\n"); + goto done; + } + + if (map->ready == false) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Map not ready after setautomntent succeeded\n"); + goto done; + } + + ret = getautomntbyname_process(cmdctx, map, cmdctx->key); +done: + autofs_cmd_done(cmdctx, ret); + return; +} + +static errno_t +getautomntbyname_process(struct autofs_cmd_ctx *cmdctx, + struct autofs_map_ctx *map, + const char *key) +{ + struct cli_protocol *pctx; + errno_t ret; + size_t i; + const char *k; + const char *value; + size_t valuelen; + size_t len; + uint8_t *body; + size_t blen, rp; + + pctx = talloc_get_type(cmdctx->cctx->protocol_ctx, struct cli_protocol); + + /* create response packet */ + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + return ret; + } + + if (!map->map || !map->entries || !map->entries[0]) { + DEBUG(SSSDBG_MINOR_FAILURE, "No entries found\n"); + ret = sss_cmd_empty_packet(pctx->creq->out); + if (ret != EOK) { + return autofs_cmd_done(cmdctx, ret); + } + goto done; + } + + for (i=0; i < map->entry_count; i++) { + k = ldb_msg_find_attr_as_string(map->entries[i], + SYSDB_AUTOFS_ENTRY_KEY, NULL); + if (!k) { + DEBUG(SSSDBG_MINOR_FAILURE, "Skipping incomplete entry\n"); + continue; + } + + if (strcmp(k, key) == 0) { + 
DEBUG(SSSDBG_TRACE_INTERNAL, "Found key [%s]\n", key); + break; + } + } + + if (i >= map->entry_count) { + DEBUG(SSSDBG_MINOR_FAILURE, "No key named [%s] found\n", key); + ret = sss_cmd_empty_packet(pctx->creq->out); + if (ret != EOK) { + return autofs_cmd_done(cmdctx, ret); + } + goto done; + } + + value = ldb_msg_find_attr_as_string(map->entries[i], + SYSDB_AUTOFS_ENTRY_VALUE, NULL); + + valuelen = 1 + strlen(value); + len = sizeof(uint32_t) + sizeof(uint32_t) + valuelen; + + ret = sss_packet_grow(pctx->creq->out, len); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(pctx->creq->out, &body, &blen); + + rp = 0; + SAFEALIGN_SET_UINT32(&body[rp], len, &rp); + + SAFEALIGN_SET_UINT32(&body[rp], valuelen, &rp); + if (valuelen == 1) { + body[rp] = '\0'; + } else { + memcpy(&body[rp], value, valuelen); + } + rp += valuelen; + + ret = EOK; +done: + sss_packet_set_error(pctx->creq->out, ret); + sss_cmd_done(cmdctx->cctx, cmdctx); + + return EOK; +} + +static int +sss_autofs_cmd_endautomntent(struct cli_ctx *client) +{ + struct cli_protocol *pctx; + errno_t ret; + + DEBUG(SSSDBG_TRACE_FUNC, "endautomntent called\n"); + + pctx = talloc_get_type(client->protocol_ctx, struct cli_protocol); + + /* create response packet */ + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + + if (ret != EOK) { + return ret; + } + + sss_cmd_done(client, NULL); + return EOK; +} + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version autofs_cli_protocol_version[] = { + { SSS_AUTOFS_PROTO_VERSION, NULL, NULL } + }; + + return autofs_cli_protocol_version; +} + +struct sss_cmd_table *get_autofs_cmds(void) +{ + static struct sss_cmd_table autofs_cmds[] = { + { SSS_GET_VERSION, sss_cmd_get_version }, + { SSS_AUTOFS_SETAUTOMNTENT, sss_autofs_cmd_setautomntent }, + { SSS_AUTOFS_GETAUTOMNTENT, sss_autofs_cmd_getautomntent }, + { SSS_AUTOFS_GETAUTOMNTBYNAME, sss_autofs_cmd_getautomntbyname }, + { 
SSS_AUTOFS_ENDAUTOMNTENT, sss_autofs_cmd_endautomntent },
+ { SSS_CLI_NULL, NULL}
+ };
+
+ return autofs_cmds;
+}
+
+int autofs_connection_setup(struct cli_ctx *cctx)
+{
+ int ret;
+
+ ret = sss_connection_setup(cctx);
+ if (ret != EOK) return ret;
+
+ cctx->state_ctx = talloc_zero(cctx, struct autofs_state_ctx);
+ if (!cctx->state_ctx) {
+ return ENOMEM;
+ }
+
+ return EOK;
+}
diff --git a/src/responder/autofs/autofssrv_dp.c b/src/responder/autofs/autofssrv_dp.c
new file mode 100644
index 0000000..bb8c2a4
--- /dev/null
+++ b/src/responder/autofs/autofssrv_dp.c
@@ -0,0 +1,150 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include "sbus/sssd_dbus.h"
+
+#include "util/util.h"
+#include "sbus/sbus_client.h"
+#include "providers/data_provider/dp_responder_iface.h"
+#include "responder/common/responder.h"
+#include "responder/autofs/autofs_private.h"
+
+struct sss_dp_get_autofs_info {
+ struct sss_domain_info *dom;
+
+ bool fast_reply;
+ enum sss_dp_autofs_type type;
+ const char *name;
+};
+
+static DBusMessage *
+sss_dp_get_autofs_msg(void *pvt);
+
+struct tevent_req *
+sss_dp_get_autofs_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ bool fast_reply,
+ enum sss_dp_autofs_type type,
+ const char *name)
+{
+ struct tevent_req *req;
+ struct sss_dp_req_state *state;
+ struct sss_dp_get_autofs_info *info;
+ errno_t ret;
+ char *key;
+
+ req = tevent_req_create(mem_ctx, &state, struct sss_dp_req_state);
+ if (!req) {
+ return NULL;
+ }
+
+ if (!dom) {
+ ret = EINVAL;
+ goto error;
+ }
+
+ info = talloc_zero(state, struct sss_dp_get_autofs_info);
+ if (info == NULL) {
+ ret = ENOMEM;
+ goto error;
+ }
+ info->fast_reply = fast_reply;
+ info->type = type;
+ info->name = name;
+ info->dom = dom;
+
+ key = talloc_asprintf(state, "%d:%s@%s", type, name, dom->name);
+ if (!key) {
+ ret = ENOMEM;
+ goto error;
+ }
+
+ ret = sss_dp_issue_request(state,
rctx, key, dom, sss_dp_get_autofs_msg,
+ info, req);
+ talloc_free(key);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not issue DP request [%d]: %s\n",
+ ret, strerror(ret));
+ goto error;
+ }
+
+ return req;
+
+error:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, rctx->ev);
+ return req;
+}
+
+static DBusMessage *
+sss_dp_get_autofs_msg(void *pvt)
+{
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ struct sss_dp_get_autofs_info *info;
+ uint32_t dp_flags = 0;
+
+ info = talloc_get_type(pvt, struct sss_dp_get_autofs_info);
+
+ if (info->fast_reply) {
+ dp_flags |= DP_FAST_REPLY;
+ }
+
+ msg = dbus_message_new_method_call(NULL,
+ DP_PATH,
+ IFACE_DP,
+ IFACE_DP_AUTOFSHANDLER);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return NULL;
+ }
+
+ /* create the message */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Creating autofs request for [%s][%u][%s]\n",
+ info->dom->name, dp_flags, info->name);
+
+ dbret = dbus_message_append_args(msg,
+ DBUS_TYPE_UINT32, &dp_flags,
+ DBUS_TYPE_STRING, &info->name,
+ DBUS_TYPE_INVALID);
+ if (!dbret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n");
+ dbus_message_unref(msg);
+ return NULL;
+ }
+
+ return msg;
+}
+
+errno_t
+sss_dp_get_autofs_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ dbus_uint16_t *dp_err,
+ dbus_uint32_t *dp_ret,
+ char **err_msg)
+{
+ return sss_dp_req_recv(mem_ctx, req, dp_err, dp_ret, err_msg);
+}
diff --git a/src/responder/common/cache_req/cache_req.c b/src/responder/common/cache_req/cache_req.c
new file mode 100644
index 0000000..28b5633
--- /dev/null
+++ b/src/responder/common/cache_req/cache_req.c
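Review bot: `sss_dp_get_autofs_send()` in autofssrv_dp.c rejects a NULL `dom` but not a NULL `name`, and `sss_dp_get_autofs_msg()` later passes `&info->name` to `dbus_message_append_args()` as a `DBUS_TYPE_STRING`, where libdbus expects a non-NULL, valid UTF-8 string. The guard would be safer as `if (!dom || !name) {`, so a bad argument fails the request with EINVAL before the key is formatted and the message is built. `info->name = name` also keeps the caller's pointer rather than a copy; whether the string outlives the request depends on callers and on when `sss_dp_issue_request()` invokes the message constructor, neither of which is visible in this hunk, so the ownership expectation deserves a comment on the struct field. In `sss_dp_get_autofs_msg()` the result of `talloc_get_type()` is dereferenced at `info->fast_reply` without a check; adding `if (info == NULL) return NULL;` first would turn a type mismatch into a failed request instead of a crash in the responder.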
@@ -0,0 +1,1559 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "responder/common/responder.h"
+#include "responder/common/cache_req/cache_req_private.h"
+#include "responder/common/cache_req/cache_req_private.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static const struct cache_req_plugin *
+cache_req_get_plugin(enum cache_req_type type)
+{
+ static const struct cache_req_plugin *plugins[CACHE_REQ_SENTINEL] = {
+ &cache_req_user_by_name,
+ &cache_req_user_by_upn,
+ &cache_req_user_by_id,
+ &cache_req_user_by_cert,
+ &cache_req_user_by_filter,
+
+ &cache_req_group_by_name,
+ &cache_req_group_by_id,
+ &cache_req_group_by_filter,
+
+ &cache_req_initgroups_by_name,
+ &cache_req_initgroups_by_upn,
+
+ &cache_req_object_by_sid,
+ &cache_req_object_by_name,
+ &cache_req_object_by_id,
+
+ &cache_req_enum_users,
+ &cache_req_enum_groups,
+ &cache_req_enum_svc,
+
+ &cache_req_svc_by_name,
+ &cache_req_svc_by_port,
+
+ &cache_req_netgroup_by_name,
+
+ &cache_req_host_by_name,
+ };
+
+ if (type >= CACHE_REQ_SENTINEL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Bug: invalid plugin type!");
+ return NULL;
+ }
+
+ return plugins[type];
+}
+
+static errno_t cache_req_set_plugin(struct cache_req *cr,
+ enum cache_req_type type)
+{
+ const struct cache_req_plugin *plugin;
+
+ plugin
= cache_req_get_plugin(type);
+ if (plugin == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Bug: unset plugin!");
+ return EINVAL;
+ }
+
+ cr->reqname = plugin->name;
+ cr->plugin = plugin;
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr, "Setting \"%s\" plugin\n",
+ plugin->name);
+
+ return EOK;
+}
+
+static const char *
+cache_req_dom_type_as_str(struct cache_req *cr)
+{
+ if (cr == NULL) {
+ return "BUG: Invalid cache_req pointer\n";
+ }
+ switch (cr->req_dom_type) {
+ case CACHE_REQ_POSIX_DOM:
+ return "POSIX-only";
+ case CACHE_REQ_APPLICATION_DOM:
+ return "Application-only";
+ case CACHE_REQ_ANY_DOM:
+ return "Any";
+ }
+
+ return "Unknown";
+}
+
+static struct cache_req *
+cache_req_create(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct cache_req_data *data,
+ struct sss_nc_ctx *ncache,
+ int midpoint,
+ enum cache_req_dom_type req_dom_type)
+{
+ struct cache_req *cr;
+ errno_t ret;
+
+ cr = talloc_zero(mem_ctx, struct cache_req);
+ if (cr == NULL) {
+ return NULL;
+ }
+
+ cr->rctx = rctx;
+ cr->data = data;
+ cr->ncache = ncache;
+ cr->midpoint = midpoint;
+ cr->req_dom_type = req_dom_type;
+ cr->req_start = time(NULL);
+
+ /* It is perfectly fine to just overflow here.
*/
+ cr->reqid = rctx->cache_req_num++;
+
+ ret = cache_req_set_plugin(cr, data->type);
+ if (ret != EOK) {
+ talloc_free(cr);
+ return NULL;
+ }
+
+ cr->cache_first = rctx->cache_first;
+ cr->bypass_cache = cr->plugin->bypass_cache || cr->data->bypass_cache;
+ cr->bypass_dp = cr->data->bypass_dp;
+ if (cr->bypass_cache && cr->bypass_dp) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+ "Cannot bypass cache and dp at the same time!");
+ talloc_free(cr);
+ return NULL;
+ }
+
+ return cr;
+}
+
+static errno_t
+cache_req_set_name(struct cache_req *cr, const char *name)
+{
+ const char *dup_name;
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Setting name [%s]\n", name);
+
+ dup_name = talloc_strdup(cr->data, name);
+ if (dup_name == NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, "Unable to set name!\n");
+ return ENOMEM;
+ }
+
+ talloc_zfree(cr->data->name.name);
+ cr->data->name.name = dup_name;
+
+ return EOK;
+}
+
+static bool
+cache_req_validate_domain_enumeration(struct cache_req *cr,
+ struct sss_domain_info *domain)
+{
+ if (!cr->plugin->require_enumeration) {
+ return true;
+ }
+
+ if (domain->enumerate == false) {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Domain %s does not support "
+ "enumeration, skipping...\n", domain->name);
+ if (cr->rctx->enumeration_warn_logged == false) {
+ sss_log(SSS_LOG_NOTICE, "Enumeration requested but not enabled\n");
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+ "Enumeration requested but not enabled\n");
+ cr->rctx->enumeration_warn_logged = true;
+ }
+ return false;
+ }
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Domain %s supports enumeration\n",
+ domain->name);
+
+ return true;
+}
+
+static bool
+cache_req_validate_domain_type(struct cache_req *cr,
+ struct sss_domain_info *domain)
+{
+ bool valid = false;
+
+ switch (cr->req_dom_type) {
+ case CACHE_REQ_POSIX_DOM:
+ valid = domain->type == DOM_TYPE_POSIX ? true : false;
+ break;
+ case CACHE_REQ_APPLICATION_DOM:
+ valid = domain->type == DOM_TYPE_APPLICATION ?
true : false;
+ break;
+ case CACHE_REQ_ANY_DOM:
+ valid = true;
+ break;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Request type %s for domain %s type %s is %svalid\n",
+ cache_req_dom_type_as_str(cr),
+ domain->name,
+ sss_domain_type_str(domain),
+ valid ? "" : "not ");
+ return valid;
+}
+
+static bool
+cache_req_validate_domain(struct cache_req *cr,
+ struct sss_domain_info *domain)
+{
+ bool ok;
+
+ ok = cache_req_validate_domain_enumeration(cr, domain);
+ if (ok == false) {
+ return false;
+ }
+
+ ok = cache_req_validate_domain_type(cr, domain);
+ if (ok == false) {
+ return false;
+ }
+
+ return true;
+}
+
+static errno_t
+cache_req_is_well_known_object(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_result **_result)
+{
+ errno_t ret;
+
+ if (cr->plugin->is_well_known_fn == NULL) {
+ return ENOENT;
+ }
+
+ ret = cr->plugin->is_well_known_fn(mem_ctx, cr, cr->data, _result);
+ if (ret == EOK) {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Object is well known!\n");
+ (*_result)->well_known_object = true;
+ } else if (ret != ENOENT) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+ "Unable to prepare data [%d]: %s\n",
+ ret, sss_strerror(ret));
+ }
+
+ return ret;
+}
+
+static errno_t
+cache_req_prepare_domain_data(struct cache_req *cr,
+ struct sss_domain_info *domain)
+{
+ errno_t ret;
+
+ if (cr->plugin->prepare_domain_data_fn == NULL) {
+ return EOK;
+ }
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+ "Preparing input data for domain [%s] rules\n",
+ domain->name);
+
+ ret = cr->plugin->prepare_domain_data_fn(cr, cr->data, domain);
+ if (ret != EOK) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+ "Unable to prepare data [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
+cache_req_create_debug_name(struct cache_req *cr,
+ struct sss_domain_info *domain)
+{
+ if (cr->plugin->create_debug_name_fn == NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+ "Bug: no create debug name function specified!\n");
+ return
ERR_INTERNAL;
+ }
+
+ talloc_zfree(cr->debugobj);
+
+ cr->debugobj = cr->plugin->create_debug_name_fn(cr, cr->data, domain);
+ if (cr->debugobj == NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+ "Unable to create debug name!\n");
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+static errno_t
+cache_req_set_domain(struct cache_req *cr,
+ struct sss_domain_info *domain)
+{
+ errno_t ret;
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Using domain [%s]\n", domain->name);
+
+ ret = cache_req_prepare_domain_data(cr, domain);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = cache_req_create_debug_name(cr, domain);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ cr->domain = domain;
+
+ return EOK;
+}
+
+static void cache_req_global_ncache_add(struct cache_req *cr)
+{
+ errno_t ret;
+
+ if (cr->plugin->global_ncache_add_fn == NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr,
+ "This request type does not support "
+ "global negative cache\n");
+ return;
+ }
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Adding [%s] to global "
+ "negative cache\n", cr->debugobj);
+
+ ret = cr->plugin->global_ncache_add_fn(cr->ncache, cr->data);
+ if (ret != EOK) {
+ CACHE_REQ_DEBUG(SSSDBG_MINOR_FAILURE, cr,
+ "Cannot set negative cache for [%s] [%d]: %s\n",
+ cr->debugobj, ret, sss_strerror(ret));
+ /* not fatal */
+ }
+
+ return;
+}
+
+static bool cache_req_check_acct_domain_lookup_type(struct cache_req *cr,
+ struct sss_domain_info *dom)
+{
+ struct sss_domain_info *head;
+ int nret;
+
+ head = get_domains_head(dom);
+ if (head == NULL) {
+ return false;
+ }
+
+ nret = sss_ncache_check_domain_locate_type(cr->rctx->ncache,
+ head,
+ cr->plugin->name);
+ if (nret == ENOENT) {
+ return true;
+ }
+ return false;
+}
+
+static errno_t cache_req_set_acct_domain_lookup_type(struct cache_req *cr,
+ struct sss_domain_info *dom)
+{
+ struct sss_domain_info *head;
+
+ head = get_domains_head(dom);
+ if (head == NULL) {
+ return EINVAL;
+ }
+
+ return sss_ncache_set_domain_locate_type(cr->rctx->ncache,
+
head,
+ cr->plugin->name);
+}
+
+static void cache_req_domain_set_locate_flag(struct cache_req_domain *domains,
+ struct cache_req *cr)
+{
+ struct cache_req_domain *crd_iter;
+
+ DLIST_FOR_EACH(crd_iter, domains) {
+ if (cache_req_check_acct_domain_lookup_type(cr, crd_iter->domain)) {
+ crd_iter->locate_domain = true;
+ }
+ }
+}
+
+static bool
+cache_req_assume_upn(struct cache_req *cr)
+{
+ errno_t ret;
+
+ if (cr->plugin->allow_switch_to_upn == false
+ || cr->data->name.input == NULL
+ || strchr(cr->data->name.input, '@') == NULL) {
+ return false;
+ }
+
+ ret = cache_req_set_plugin(cr, cr->plugin->upn_equivalent);
+ if (ret != EOK) {
+ return false;
+ }
+
+ ret = cache_req_set_name(cr, cr->data->name.input);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_set_name() failed\n");
+ return false;
+ }
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Assuming UPN [%s]\n",
+ cr->data->name.input);
+
+ return true;
+}
+
+struct cache_req_locate_dom_state {
+ /* input data */
+ struct tevent_context *ev;
+ struct cache_req *cr;
+ struct cache_req_domain *req_domains;
+
+ /* Return values in case the first cache lookup succeeds */
+ struct ldb_result *result;
+ bool dp_success;
+};
+
+static void cache_req_locate_dom_cache_done(struct tevent_req *subreq);
+static void cache_req_locate_dom_done(struct tevent_req *subreq);
+static void cache_req_locate_dom_mark_neg_all(
+ struct cache_req_locate_dom_state *state);
+static void cache_req_locate_dom_mark_neg_domains(
+ struct cache_req_locate_dom_state *state,
+ const char *found_domain_name);
+
+static struct tevent_req *cache_req_locate_dom_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cache_req *cr,
+ struct cache_req_domain *req_domains)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct cache_req_locate_dom_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct cache_req_locate_dom_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
"tevent_req_create() failed\n");
+ return NULL;
+ }
+ state->ev = ev;
+ state->cr = cr;
+ state->req_domains = req_domains;
+
+ /* It is wasteful to run the domain locator request if the results are
+ * present in the cache, because the domain locator always contacts
+ * the DP. Therefore, first run a cache-only search and only if the
+ * requested data is not available, run the locator
+ *
+ * FIXME - this could be optimized further if we are running the
+ * second iteration with cache_first, then we don't need to search
+ * again
+ */
+ subreq = cache_req_search_send(state,
+ state->ev,
+ state->cr,
+ false, /* Don't bypass cache */
+ true); /* Do bypass DP */
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ tevent_req_set_callback(subreq, cache_req_locate_dom_cache_done, req);
+
+ return req;
+
+immediately:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void cache_req_locate_dom_cache_done(struct tevent_req *subreq)
+{
+ struct cache_req_locate_dom_state *state = NULL;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_locate_dom_state);
+
+ ret = cache_req_search_recv(state, subreq, &state->result, &state->dp_success);
+ talloc_zfree(subreq);
+
+ switch (ret) {
+ case EOK:
+ /* Just finish the request and let the caller handle the result */
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Result found in the cache\n");
+ tevent_req_done(req);
+ return;
+ case ERR_ID_OUTSIDE_RANGE:
+ case ENOENT:
+ /* Not cached and locator was requested, run the locator
+ * DP request plugin
+ */
+ subreq = cache_req_locate_domain_send(state,
+ state->ev,
+ state->cr);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, cache_req_locate_dom_done, req);
+ return;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE,
+ "cache_req_search_recv returned [%d]: %s\n", ret, sss_strerror(ret));
+ break;
+ }
+
+
tevent_req_error(req, ret);
+ return;
+}
+
+static void cache_req_locate_dom_done(struct tevent_req *subreq)
+{
+ struct cache_req_locate_dom_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+ char *found_domain_name;
+ int nret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_locate_dom_state);
+
+ ret = cache_req_locate_domain_recv(state, subreq, &found_domain_name);
+ talloc_zfree(subreq);
+ switch (ret) {
+ case ERR_GET_ACCT_DOM_NOT_SUPPORTED:
+ nret = cache_req_set_acct_domain_lookup_type(state->cr,
+ state->cr->domain);
+ if (nret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to disable domain locating functionality for %s\n",
+ state->cr->plugin->name);
+ }
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Disabled domain locating functionality for %s\n",
+ state->cr->plugin->name);
+ break;
+ case ERR_NOT_FOUND:
+ cache_req_locate_dom_mark_neg_all(state);
+ break;
+ case EOK:
+ cache_req_locate_dom_mark_neg_domains(state, found_domain_name);
+ break;
+ default:
+ /* We explicitly ignore errors here */
+ break;
+ }
+
+ tevent_req_done(req);
+ return;
+}
+
+static void cache_req_locate_dom_mark_neg_all(
+ struct cache_req_locate_dom_state *state)
+{
+ struct cache_req_domain *iter;
+
+ DLIST_FOR_EACH(iter, state->req_domains) {
+ if (get_domains_head(state->cr->domain) != get_domains_head(iter->domain)) {
+ /* Only add to negative cache for domains from the same "main"
+ * domain" */
+ continue;
+ }
+ cache_req_search_ncache_add_to_domain(state->cr, iter->domain);
+ }
+}
+
+static void cache_req_locate_dom_mark_neg_domains(
+ struct cache_req_locate_dom_state *state,
+ const char *found_domain_name)
+{
+ struct sss_domain_info *found_domain;
+ struct cache_req_domain *iter;
+
+ found_domain = find_domain_by_name(get_domains_head(state->cr->domain),
+ found_domain_name,
+ true);
+ if (found_domain == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot find domain %s\n", found_domain_name);
+ return;
+ }
+
+
/* Set negcache in all subdomains of the one being examined
+ * except the found one */
+ DLIST_FOR_EACH(iter, state->req_domains) {
+ if (strcasecmp(found_domain_name,
+ iter->domain->name) == 0) {
+ continue;
+ }
+
+ if (get_domains_head(found_domain) != get_domains_head(iter->domain)) {
+ /* Don't set negative cache for domains outside the main
+ * domain/subdomain tree b/c the locator request is not
+ * authoritative for them
+ */
+ continue;
+ }
+ cache_req_search_ncache_add_to_domain(state->cr, iter->domain);
+ }
+}
+
+static errno_t cache_req_locate_dom_cache_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct ldb_result **_result,
+ bool *_dp_success)
+{
+ struct cache_req_locate_dom_state *state;
+
+ state = tevent_req_data(req, struct cache_req_locate_dom_state);
+
+ if (_dp_success != NULL) {
+ *_dp_success = state->dp_success;
+ }
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_result != NULL) {
+ *_result = talloc_steal(mem_ctx, state->result);
+ }
+
+ return EOK;
+}
+
+struct cache_req_search_domains_state {
+ /* input data */
+ struct tevent_context *ev;
+ struct cache_req *cr;
+
+ /* work data */
+ struct cache_req_domain *cr_domain;
+ struct cache_req_domain *req_domains;
+ struct sss_domain_info *selected_domain;
+ struct cache_req_result **results;
+ size_t num_results;
+ bool check_next;
+ bool dp_success;
+ bool bypass_cache;
+ bool bypass_dp;
+};
+
+static errno_t cache_req_search_domains_next(struct tevent_req *req);
+static errno_t cache_req_handle_result(struct tevent_req *req,
+ struct ldb_result *result);
+
+static void cache_req_search_domains_locate_done(struct tevent_req *subreq);
+
+static void cache_req_search_domains_done(struct tevent_req *subreq);
+
+struct tevent_req *
+cache_req_search_domains_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cache_req *cr,
+ struct cache_req_domain *cr_domain,
+ bool check_next,
+ bool first_iteration,
+ bool bypass_cache,
+ bool bypass_dp)
+{
+ struct tevent_req *req;
+
struct cache_req_search_domains_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct cache_req_search_domains_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->cr = cr;
+
+ state->cr_domain = cr_domain;
+ state->req_domains = cr_domain;
+ state->check_next = check_next;
+ state->dp_success = true;
+ state->bypass_cache = bypass_cache;
+ state->bypass_dp = bypass_dp;
+
+ if (cr->plugin->dp_get_domain_send_fn != NULL
+ && ((state->check_next && cr_domain->next != NULL)
+ || (state->bypass_cache && !first_iteration))) {
+ /* If the request is not qualified with a domain name AND
+ * there are multiple domains to search OR if this is the second
+ * pass during the "check-cache-first" schema, it makes sense
+ * to try to run the domain-locator plugin
+ */
+ cache_req_domain_set_locate_flag(cr_domain, cr);
+ }
+
+ ret = cache_req_search_domains_next(req);
+ if (ret == EAGAIN) {
+ return req;
+ }
+
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t cache_req_search_domains_next(struct tevent_req *req)
+{
+ struct cache_req_search_domains_state *state;
+ struct tevent_req *subreq;
+ struct cache_req *cr;
+ struct sss_domain_info *domain;
+ uint32_t next_domain_flag;
+ bool is_domain_valid;
+ bool allow_no_fqn;
+ errno_t ret;
+
+ state = tevent_req_data(req, struct cache_req_search_domains_state);
+ cr = state->cr;
+
+ next_domain_flag = cr->plugin->get_next_domain_flags;
+ allow_no_fqn = cr->plugin->allow_missing_fqn;
+
+ while (state->cr_domain != NULL) {
+ domain = state->cr_domain->domain;
+ /* As the cr_domain list is a flatten version of the domains
+ * list, we have to ensure to only go through the subdomains in
+ * case it's specified in the plugin to do so.
+ */
+ if (next_domain_flag == 0 && IS_SUBDOMAIN(domain)) {
+ state->cr_domain = state->cr_domain->next;
+ continue;
+ }
+
+ /* Check if this domain is valid for this request. */
+ is_domain_valid = cache_req_validate_domain(cr, domain);
+ if (!is_domain_valid) {
+ state->cr_domain = state->cr_domain->next;
+ continue;
+ }
+
+ /* If not specified otherwise, we skip domains that require fully
+ * qualified names on domain less search. We do not descend into
+ * subdomains here since those are implicitly qualified.
+ */
+ if (state->check_next && !allow_no_fqn && state->cr_domain->fqnames) {
+ state->cr_domain = state->cr_domain->next;
+ continue;
+ }
+
+ state->selected_domain = domain;
+
+ if (domain == NULL) {
+ break;
+ }
+
+ ret = cache_req_set_domain(cr, domain);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (state->cr_domain->locate_domain) {
+ subreq = cache_req_locate_dom_send(state,
+ state->ev,
+ cr,
+ state->req_domains);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, cache_req_search_domains_locate_done, req);
+ return EAGAIN;
+ }
+
+ subreq = cache_req_search_send(state, state->ev, cr,
+ state->bypass_cache, state->bypass_dp);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, cache_req_search_domains_done, req);
+
+ /* we will continue with the following domain the next time */
+ if (state->check_next) {
+ state->cr_domain = state->cr_domain->next;
+ }
+
+ return EAGAIN;
+ }
+
+ /* If we've got some result from previous searches we want to return
+ * EOK here so the whole cache request is successfully finished. */
+ if (state->num_results > 0) {
+ return EOK;
+ }
+
+ /* We have searched all available domains and no result was found.
+ *
+ * If the plug-in uses a negative cache which is shared among all domains
+ * (e.g. unique identifiers such as user or group id or sid), we add it
+ * here and return object not found error.
+ *
+ * However, we can only set the negative cache if all data provider
+ * requests succeeded because only then we can be sure that it does
+ * not exist-
+ */
+ if (state->dp_success) {
+ cache_req_global_ncache_add(cr);
+ }
+
+ return ENOENT;
+}
+
+static void cache_req_search_domains_locate_done(struct tevent_req *subreq)
+{
+ struct cache_req_search_domains_state *state;
+ struct ldb_result *result = NULL;
+ struct tevent_req *req;
+ bool dp_success;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_search_domains_state);
+
+ ret = cache_req_locate_dom_cache_recv(state, subreq, &result, &dp_success);
+ talloc_zfree(subreq);
+
+ /* Remember if any DP request fails, but here it shouldn't matter
+ * as the only DP request that should realistically happen is midpoint
+ * refresh */
+ state->dp_success = !dp_success ? false : state->dp_success;
+
+ /* Don't locate the domain again */
+ state->cr_domain->locate_domain = false;
+
+ switch (ret) {
+ case EOK:
+ if (result != NULL) {
+ /* Handle result as normally */
+ ret = cache_req_handle_result(req, result);
+ if (ret != EAGAIN) {
+ goto done;
+ }
+ }
+ break;
+ default:
+ /* Some serious error has happened. Finish. */
+ goto done;
+ }
+
+ /* This is a domain less search, continue with the next domain. */
+ ret = cache_req_search_domains_next(req);
+
+done:
+ switch (ret) {
+ case EOK:
+ tevent_req_done(req);
+ break;
+ case EAGAIN:
+ break;
+ default:
+ tevent_req_error(req, ret);
+ break;
+ }
+ return;
+}
+
+static errno_t cache_req_handle_result(struct tevent_req *req,
+ struct ldb_result *result)
+{
+ struct cache_req_search_domains_state *state;
+ errno_t ret;
+
+ state = tevent_req_data(req, struct cache_req_search_domains_state);
+
+ /* We got some data from this search. Save it.
*/
+ ret = cache_req_create_and_add_result(state,
+ state->cr,
+ state->selected_domain,
+ result,
+ state->cr->data->name.lookup,
+ &state->results,
+ &state->num_results);
+ if (ret != EOK) {
+ /* We were unable to save data. */
+ return ret;
+ }
+
+ if (!state->check_next || !state->cr->plugin->search_all_domains) {
+ /* We are not interested in more results. */
+ return EOK;
+ }
+
+ return EAGAIN;
+}
+
+static void cache_req_search_domains_done(struct tevent_req *subreq)
+{
+ struct cache_req_search_domains_state *state;
+ struct ldb_result *result;
+ struct tevent_req *req;
+ bool dp_success;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_search_domains_state);
+
+ ret = cache_req_search_recv(state, subreq, &result, &dp_success);
+ talloc_zfree(subreq);
+
+ /* Remember if any DP request fails. */
+ state->dp_success = !dp_success ? false : state->dp_success;
+
+ switch (ret) {
+ case EOK:
+ ret = cache_req_handle_result(req, result);
+ if (ret != EAGAIN) {
+ goto done;
+ }
+ break;
+ case ERR_ID_OUTSIDE_RANGE:
+ case ENOENT:
+ if (state->check_next == false) {
+ /* Not found. */
+ ret = ENOENT;
+ goto done;
+ }
+
+ /* Continue with next domain. */
+ break;
+ default:
+ /* Some serious error has happened. Finish. */
+ goto done;
+ }
+
+ /* This is a domain less search, continue with the next domain. */
+ ret = cache_req_search_domains_next(req);
+
+done:
+ if (ret == ENOENT && state->results != NULL) {
+ /* We have at least one result.
*/
+ ret = EOK;
+ }
+
+ switch (ret) {
+ case EOK:
+ tevent_req_done(req);
+ break;
+ case EAGAIN:
+ break;
+ default:
+ tevent_req_error(req, ret);
+ break;
+ }
+
+ return;
+}
+
+static errno_t
+cache_req_search_domains_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req_result ***_results,
+ size_t *_num_results)
+{
+ struct cache_req_search_domains_state *state;
+
+ state = tevent_req_data(req, struct cache_req_search_domains_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_results != NULL) {
+ *_results = talloc_steal(mem_ctx, state->results);
+ }
+ if (_num_results != NULL) {
+ *_num_results = state->num_results;
+ }
+
+ return EOK;
+}
+
+/**
+ * Return true if we should issue another search.
+ */
+static bool cache_req_search_schema(struct cache_req *cr,
+ const char *input_domain,
+ bool first_iteration,
+ bool *_bypass_cache,
+ bool *_bypass_dp)
+{
+ bool bypass_cache;
+ bool bypass_dp;
+
+ if (cr->bypass_cache) {
+ /* The caller wants to contact Data Provider first
+ * or it is inferred by cache_req plug-in. */
+ bypass_cache = true;
+ bypass_dp = false;
+
+ if (!first_iteration) {
+ return false;
+ }
+ } else if (cr->bypass_dp) {
+ /* The caller wants to lookup only in the cache */
+ bypass_cache = false;
+ bypass_dp = true;
+
+ if (!first_iteration) {
+ return false;
+ }
+ } else if (input_domain != NULL) {
+ /* We will search only one domain. */
+ bypass_cache = false;
+ bypass_dp = false;
+
+ if (!first_iteration) {
+ return false;
+ }
+ } else if (!cr->cache_first) {
+ /* We will search cache and on cache-miss
+ * contact domain provider sequentially. */
+ bypass_cache = false;
+ bypass_dp = false;
+
+ if (!first_iteration) {
+ return false;
+ }
+ } else {
+ /* We will first search the cache in all domains. If we don't get
+ * any match we will then contact Data Provider starting with the
+ * first domain again. */
+ bypass_cache = first_iteration ? false : true;
+ bypass_dp = first_iteration ?
true : false;
+ }
+
+ *_bypass_cache = bypass_cache;
+ *_bypass_dp = bypass_dp;
+
+ return true;
+}
+
+struct cache_req_state {
+ /* input data */
+ struct tevent_context *ev;
+ struct cache_req *cr;
+ const char *domain_name;
+
+ /* work data */
+ struct cache_req_domain *cr_domains;
+ struct cache_req_result **results;
+ size_t num_results;
+ bool first_iteration;
+};
+
+static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req *cr,
+ const char *domain);
+
+static errno_t cache_req_update_domains(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req *cr,
+ const char *domain);
+
+static void cache_req_domains_updated(struct tevent_req *subreq);
+
+static void cache_req_input_parsed(struct tevent_req *subreq);
+
+static errno_t cache_req_select_domains(struct tevent_req *req,
+ const char *domain_name);
+
+static errno_t
+cache_req_search_domains(struct tevent_req *req,
+ struct cache_req_domain *oredered_domain,
+ bool check_next,
+ bool bypass_cache,
+ bool bypass_dp);
+
+static void cache_req_process_result(struct tevent_req *subreq);
+
+static void cache_req_done(struct tevent_req *subreq);
+
+struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int midpoint,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ struct cache_req_data *data)
+{
+ struct cache_req_state *state;
+ struct cache_req_result *result;
+ struct cache_req *cr;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct cache_req_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+
+ state->ev = ev;
+ state->cr = cr = cache_req_create(state, rctx, data,
+ ncache, midpoint, req_dom_type);
+ if (state->cr == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ state->first_iteration = true;
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "New request '%s'\n",
cr->reqname);
+
+ ret = cache_req_is_well_known_object(state, cr, &result);
+ if (ret == EOK) {
+ ret = cache_req_add_result(state, result, &state->results,
+ &state->num_results);
+ goto done;
+ } else if (ret != ENOENT) {
+ goto done;
+ }
+
+ state->domain_name = domain;
+ ret = cache_req_process_input(state, req, cr, domain);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = cache_req_select_domains(req, state->domain_name);
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ }
+
+ return req;
+}
+
+static errno_t cache_req_process_input(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req *cr,
+ const char *domain)
+{
+ struct tevent_req *subreq;
+ const char *default_domain;
+ errno_t ret;
+
+ if (cr->data->name.input == NULL) {
+ /* Call cache_req_update_domains() in order to get a up to date list
+ * of domains and subdomains, if needed. Otherwise just return EOK as
+ * the input was not a name, thus there's no need to process it
+ * further. */
+ return cache_req_update_domains(mem_ctx, req, cr, domain);
+ }
+
+ if (cr->plugin->parse_name == false || domain != NULL) {
+ /* Call cache_req_update_domains() in order to get a up to date list
+ * of domains and subdomains, if needed. Otherwise, just use the input
+ * name as it is. */
+ ret = cache_req_update_domains(mem_ctx, req, cr, domain);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return cache_req_set_name(cr, cr->data->name.input);
+ }
+
+ default_domain = NULL;
+ if (!cr->plugin->ignore_default_domain) {
+ default_domain = cr->rctx->default_domain;
+ }
+
+ /* Parse name since it may contain a domain name.
*/
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr,
+ "Parsing input name [%s]\n", cr->data->name.input);
+
+ subreq = sss_parse_inp_send(mem_ctx, cr->rctx, default_domain,
+ cr->data->name.input);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, cache_req_input_parsed, req);
+
+ return EAGAIN;
+}
+
+static errno_t cache_req_update_domains(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req *cr,
+ const char *domain)
+{
+ struct tevent_req *subreq;
+
+ if (cr->rctx->get_domains_last_call.tv_sec != 0) {
+ return EOK;
+ }
+
+ subreq = sss_dp_get_domains_send(mem_ctx, cr->rctx, false, domain);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, cache_req_domains_updated, req);
+ return EAGAIN;
+}
+
+static void cache_req_domains_updated(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct cache_req_state *state;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_state);
+
+ ret = sss_dp_get_domains_recv(subreq);
+ talloc_free(subreq);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (state->cr->data->name.input == NULL) {
+ /* Input was not name, there is no need to process it further. */
+ goto immediately;
+ }
+
+ if (state->cr->plugin->parse_name == false || state->domain_name != NULL) {
+ /* We do not want to parse the name.
*/
+ ret = cache_req_set_name(state->cr, state->cr->data->name.input);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+immediately:
+ ret = cache_req_select_domains(req, state->domain_name);
+
+done:
+ if (ret != EOK && ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ return;
+ }
+}
+
+static void cache_req_input_parsed(struct tevent_req *subreq)
+{
+ struct tevent_req *req;
+ struct cache_req_state *state;
+ char *name;
+ char *domain;
+ bool maybe_upn;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_state);
+
+ ret = sss_parse_inp_recv(subreq, state, &name, &domain);
+ switch (ret) {
+ case EOK:
+ ret = cache_req_set_name(state->cr, name);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ break;
+ case ERR_DOMAIN_NOT_FOUND:
+ maybe_upn = cache_req_assume_upn(state->cr);
+ if (!maybe_upn) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ domain = NULL;
+ break;
+ default:
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->domain_name = domain;
+ ret = cache_req_select_domains(req, domain);
+ if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ return;
+ }
+}
+
+static errno_t cache_req_select_domains(struct tevent_req *req,
+ const char *domain_name)
+{
+ struct cache_req_state *state = NULL;
+ struct cache_req_domain *cr_domain;
+ bool check_next;
+ bool bypass_cache;
+ bool bypass_dp;
+ bool search;
+ errno_t ret;
+
+ state = tevent_req_data(req, struct cache_req_state);
+
+ search = cache_req_search_schema(state->cr, domain_name,
+ state->first_iteration,
+ &bypass_cache, &bypass_dp);
+ if (!search) {
+ /* We're done here.
*/
+ return EOK;
+ }
+
+ ret = cache_req_domain_copy_cr_domains(state,
+ state->cr->rctx->cr_domains,
+ &state->cr_domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_copy_cr_domains() failed\n");
+ return EINVAL;
+ }
+
+ if (domain_name != NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+ "Performing a single domain search\n");
+
+ cr_domain = cache_req_domain_get_domain_by_name(
+ state->cr_domains, domain_name);
+ if (cr_domain == NULL) {
+ return ERR_DOMAIN_NOT_FOUND;
+ }
+ check_next = false;
+ } else {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+ "Performing a multi-domain search\n");
+
+ cr_domain = state->cr_domains;
+ check_next = true;
+ }
+
+ return cache_req_search_domains(req, cr_domain, check_next,
+ bypass_cache, bypass_dp);
+}
+
+static errno_t
+cache_req_search_domains(struct tevent_req *req,
+ struct cache_req_domain *cr_domain,
+ bool check_next,
+ bool bypass_cache,
+ bool bypass_dp)
+{
+ struct tevent_req *subreq;
+ struct cache_req_state *state = NULL;
+
+ state = tevent_req_data(req, struct cache_req_state);
+
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+ "Search will %s the cache and %s the data provider\n",
+ bypass_cache ? "bypass" : "check",
+ bypass_dp ?
"bypass" : "check");
+
+ subreq = cache_req_search_domains_send(state, state->ev, state->cr,
+ cr_domain, check_next,
+ state->first_iteration,
+ bypass_cache, bypass_dp);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, cache_req_process_result, req);
+ return EAGAIN;
+}
+
+static void cache_req_process_result(struct tevent_req *subreq)
+{
+ struct cache_req_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_state);
+
+ ret = cache_req_search_domains_recv(state, subreq,
+ &state->results, &state->num_results);
+ talloc_zfree(subreq);
+
+ if (ret == ENOENT && state->first_iteration) {
+ /* Try again different search schema. */
+ state->first_iteration = false;
+ ret = cache_req_select_domains(req, state->domain_name);
+ if (ret == EOK) {
+ /* We're done searching and we have found nothing. */
+ ret = ENOENT;
+
+ if (state->domain_name != NULL) {
+ /* Lookup domain was specified as input. Since we haven't
+ * found anything yet we may want to try UPN search with
+ * some plug-ins. */
+
+ if (cache_req_assume_upn(state->cr)) {
+ /* Try UPN now.
*/
+ state->first_iteration = true;
+ ret = cache_req_select_domains(req, NULL);
+ }
+ }
+ }
+ }
+
+ /* Overlay each result with session recording flag */
+ if (ret == EOK) {
+ subreq = cache_req_sr_overlay_send(state, state->ev, state->cr,
+ state->results,
+ state->num_results);
+ if (subreq == NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr,
+ "Failed creating a session recording "
+ "overlay request\n");
+ ret = ENOMEM;
+ } else {
+ tevent_req_set_callback(subreq, cache_req_done, req);
+ ret = EAGAIN;
+ }
+ }
+
+ switch (ret) {
+ case EAGAIN:
+ break;
+ case ENOENT:
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr, "Finished: Not found\n");
+ tevent_req_error(req, ret);
+ break;
+ default:
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+ "Finished: Error %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ break;
+ }
+
+ return;
+}
+
+static void cache_req_done(struct tevent_req *subreq)
+{
+ struct cache_req_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct cache_req_state);
+ ret = cache_req_sr_overlay_recv(subreq);
+ talloc_zfree(subreq);
+
+ switch (ret) {
+ case EOK:
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr, "Finished: Success\n");
+ tevent_req_done(req);
+ break;
+ default:
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr,
+ "Finished: Error %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ break;
+ }
+}
+
+errno_t cache_req_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req_result ***_results)
+{
+ struct cache_req_state *state;
+
+ state = tevent_req_data(req, struct cache_req_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_results != NULL) {
+ *_results = talloc_steal(mem_ctx, state->results);
+ }
+
+ return EOK;
+}
+
+errno_t cache_req_single_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req_result **_result)
+{
+ struct cache_req_state *state;
+
+
state = tevent_req_data(req, struct cache_req_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_result != NULL) {
+ *_result = talloc_steal(mem_ctx, state->results[0]);
+ }
+
+ return EOK;
+}
+
+struct tevent_req *
+cache_req_steal_data_and_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ struct cache_req_data *data)
+{
+ struct tevent_req *req;
+
+ req = cache_req_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ req_dom_type, domain, data);
+ if (req == NULL) {
+ talloc_zfree(data);
+ return NULL;
+ }
+
+ talloc_steal(req, data);
+
+ return req;
+}
diff --git a/src/responder/common/cache_req/cache_req.h b/src/responder/common/cache_req/cache_req.h
new file mode 100644
index 0000000..2c88853
--- /dev/null
+++ b/src/responder/common/cache_req/cache_req.h
@@ -0,0 +1,428 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _CACHE_REQ_H_ +#define _CACHE_REQ_H_ + +#include "util/util.h" +#include "confdb/confdb.h" +#include "responder/common/negcache.h" + +enum cache_req_type { + CACHE_REQ_USER_BY_NAME, + CACHE_REQ_USER_BY_UPN, + CACHE_REQ_USER_BY_ID, + CACHE_REQ_USER_BY_CERT, + CACHE_REQ_USER_BY_FILTER, + + CACHE_REQ_GROUP_BY_NAME, + CACHE_REQ_GROUP_BY_ID, + CACHE_REQ_GROUP_BY_FILTER, + + CACHE_REQ_INITGROUPS, + CACHE_REQ_INITGROUPS_BY_UPN, + + CACHE_REQ_OBJECT_BY_SID, + CACHE_REQ_OBJECT_BY_NAME, + CACHE_REQ_OBJECT_BY_ID, + + CACHE_REQ_ENUM_USERS, + CACHE_REQ_ENUM_GROUPS, + CACHE_REQ_ENUM_SVC, + + CACHE_REQ_SVC_BY_NAME, + CACHE_REQ_SVC_BY_PORT, + + CACHE_REQ_NETGROUP_BY_NAME, + + CACHE_REQ_HOST_BY_NAME, + + CACHE_REQ_SENTINEL +}; + +/* Whether to limit the request type to a certain domain type + * (POSIX/non-POSIX) + */ +enum cache_req_dom_type { + /* Only look up data in POSIX domains */ + CACHE_REQ_POSIX_DOM, + /* Only look up data in application domains */ + CACHE_REQ_APPLICATION_DOM, + /* Look up data in any domain type */ + CACHE_REQ_ANY_DOM +}; + +/* Input data. 
*/ + +struct cache_req_data; + +struct cache_req_data * +cache_req_data_name(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name); + +struct cache_req_data * +cache_req_data_name_attrs(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name, + const char **attrs); + +struct cache_req_data * +cache_req_data_id(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + uint32_t id); + +struct cache_req_data * +cache_req_data_id_attrs(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + uint32_t id, + const char **attrs); + +struct cache_req_data * +cache_req_data_cert(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *cert); + +struct cache_req_data * +cache_req_data_sid(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *sid, + const char **attrs); + +struct cache_req_data * +cache_req_data_enum(TALLOC_CTX *mem_ctx, + enum cache_req_type type); + +struct cache_req_data * +cache_req_data_svc(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name, + const char *protocol, + uint16_t port); + +struct cache_req_data * +cache_req_data_host(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name, + const char *alias, + const char **attrs); +void +cache_req_data_set_bypass_cache(struct cache_req_data *data, + bool bypass_cache); + +void +cache_req_data_set_bypass_dp(struct cache_req_data *data, + bool bypass_dp); +/* Output data. */ + +struct cache_req_result { + /** + * SSSD domain where the result was obtained. + */ + struct sss_domain_info *domain; + + /** + * Result from ldb lookup. + */ + struct ldb_result *ldb_result; + + /** + * Shortcuts into ldb_result. This shortens the code a little since + * callers usually don't don't need to work with ldb_result directly. + */ + unsigned int count; + struct ldb_message **msgs; + + /** + * If name was used as a lookup parameter, @lookup_name contains name + * normalized to @domain rules. 
+ */ + const char *lookup_name; + + /** + * If true the result contain attributes of a well known object. + * Since this result is manually created it may not contain all + * requested attributes, depending on the plug-in. + */ + bool well_known_object; + + /* If this is a well known object, it may not be part of any particular + * SSSD domain, but still may be associated with a well known domain + * name such as "BUILTIN", or "LOCAL AUTHORITY". + */ + const char *well_known_domain; +}; + +/** + * Shallow copy of cache request result, limiting the result to a maximum + * numbers of records. + */ +struct cache_req_result * +cache_req_copy_limited_result(TALLOC_CTX *mem_ctx, + struct cache_req_result *result, + uint32_t start, + uint32_t limit); + +/* Generic request. */ + +struct tevent_req *cache_req_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int midpoint, + enum cache_req_dom_type req_dom_type, + const char *domain, + struct cache_req_data *data); + +errno_t cache_req_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct cache_req_result ***_results); + +errno_t cache_req_single_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct cache_req_result **_result); + +/* Plug-ins. 
*/ + +struct tevent_req * +cache_req_user_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *name); + +#define cache_req_user_by_name_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *name, + const char **attrs); + +#define cache_req_user_by_name_attrs_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_user_by_id_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + uid_t uid); + +#define cache_req_user_by_id_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result); + +struct tevent_req * +cache_req_user_by_cert_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *pem_cert); + +#define cache_req_user_by_cert_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_group_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *name); + +#define cache_req_group_by_name_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_group_by_id_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct 
resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + gid_t gid); + +#define cache_req_group_by_id_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_initgr_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *name); + +#define cache_req_initgr_by_name_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_user_by_filter_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *filter); + +#define cache_req_user_by_filter_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_group_by_filter_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *filter); + +#define cache_req_group_by_filter_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_object_by_sid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *sid, + const char **attrs); + +#define cache_req_object_by_sid_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_object_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *name, + const char **attrs); + +#define cache_req_object_by_name_recv(mem_ctx, req, _result) \ + 
cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_object_by_id_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + uint32_t id, + const char **attrs); + +#define cache_req_object_by_id_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_enum_users_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain); + +#define cache_req_enum_users_recv(mem_ctx, req, _result) \ + cache_req_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_enum_groups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain); + +#define cache_req_enum_groups_recv(mem_ctx, req, _result) \ + cache_req_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_svc_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *name, + const char *protocol); + +#define cache_req_svc_by_name_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_svc_by_port_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + uint16_t port, + const char *protocol); + +#define cache_req_svc_by_port_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_netgroup_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *name); + 
+#define cache_req_netgroup_by_name_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +struct tevent_req * +cache_req_host_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *name, + const char *alias, + const char **attrs); + +#define cache_req_host_by_name_recv(mem_ctx, req, _result) \ + cache_req_single_domain_recv(mem_ctx, req, _result) + +#endif /* _CACHE_REQ_H_ */ diff --git a/src/responder/common/cache_req/cache_req_data.c b/src/responder/common/cache_req/cache_req_data.c new file mode 100644 index 0000000..ed37827 --- /dev/null +++ b/src/responder/common/cache_req/cache_req_data.c 
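Review bot: The `cache_req_user_by_id_recv` macro expands with a trailing semicolon, unlike every other `*_recv` wrapper in this header. A call written as `ret = cache_req_user_by_id_recv(...);` then produces an extra empty statement, which breaks an unbraced `if`/`else` and makes the macro unusable inside an expression or a `return`. Drop the semicolon so the definition ends with `cache_req_single_domain_recv(mem_ctx, req, _result)` like its siblings.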
@@ -0,0 +1,379 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "responder/common/cache_req/cache_req_private.h" + +static const char ** +cache_req_data_create_attrs(TALLOC_CTX *mem_ctx, + const char **requested) +{ + static const char *defattrs[] = { SYSDB_DEFAULT_ATTRS, SYSDB_NAME, + OVERRIDE_PREFIX SYSDB_NAME, + SYSDB_DEFAULT_OVERRIDE_NAME }; + static size_t defnum = sizeof(defattrs) / sizeof(defattrs[0]); + const char **attrs; + size_t reqnum; + size_t total; + size_t i; + + for (reqnum = 0; requested[reqnum] != NULL; reqnum++); + + total = defnum + reqnum; + + /* We always want to get default attributes. 
*/ + attrs = talloc_zero_array(mem_ctx, const char *, total + 1); + if (attrs == NULL) { + return NULL; + } + + i = 0; + + for (i = 0; i < reqnum; i++) { + attrs[i] = talloc_strdup(attrs, requested[i]); + if (attrs[i] == NULL) { + talloc_free(attrs); + return NULL; + } + } + + for (; i < total; i++) { + attrs[i] = talloc_strdup(attrs, defattrs[i - reqnum]); + if (attrs[i] == NULL) { + talloc_free(attrs); + return NULL; + } + } + + return attrs; +} + +static struct cache_req_data * +cache_req_data_create(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + struct cache_req_data *input) +{ + struct cache_req_data *data; + errno_t ret; + + data = talloc_zero(mem_ctx, struct cache_req_data); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n"); + return NULL; + } + + data->type = type; + data->svc.name = &data->name; + + switch (type) { + case CACHE_REQ_USER_BY_NAME: + case CACHE_REQ_USER_BY_UPN: + case CACHE_REQ_GROUP_BY_NAME: + case CACHE_REQ_USER_BY_FILTER: + case CACHE_REQ_GROUP_BY_FILTER: + case CACHE_REQ_INITGROUPS: + case CACHE_REQ_INITGROUPS_BY_UPN: + case CACHE_REQ_NETGROUP_BY_NAME: + case CACHE_REQ_OBJECT_BY_NAME: + if (input->name.input == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n"); + ret = ERR_INTERNAL; + goto done; + } + + data->name.input = talloc_strdup(data, input->name.input); + if (data->name.input == NULL) { + ret = ENOMEM; + goto done; + } + break; + case CACHE_REQ_USER_BY_CERT: + if (input->cert == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: certificate cannot be NULL!\n"); + ret = ERR_INTERNAL; + goto done; + } + + data->cert = talloc_strdup(data, input->cert); + if (data->cert == NULL) { + ret = ENOMEM; + goto done; + } + break; + case CACHE_REQ_USER_BY_ID: + case CACHE_REQ_GROUP_BY_ID: + case CACHE_REQ_OBJECT_BY_ID: + data->id = input->id; + break; + case CACHE_REQ_OBJECT_BY_SID: + if (input->sid == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: SID cannot be NULL!\n"); + ret = ERR_INTERNAL; + goto done; 
+ } + + data->sid = talloc_strdup(data, input->sid); + if (data->sid == NULL) { + ret = ENOMEM; + goto done; + } + break; + case CACHE_REQ_ENUM_USERS: + case CACHE_REQ_ENUM_GROUPS: + case CACHE_REQ_ENUM_SVC: + break; + case CACHE_REQ_SVC_BY_NAME: + if (input->svc.name->input == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n"); + ret = ERR_INTERNAL; + goto done; + } + + data->svc.name->input = talloc_strdup(data, input->svc.name->input); + if (data->svc.name->input == NULL) { + ret = ENOMEM; + goto done; + } + + if (input->svc.protocol.name == NULL) { + break; + } + + data->svc.protocol.name = talloc_strdup(data, input->svc.protocol.name); + if (data->svc.protocol.name == NULL) { + ret = ENOMEM; + goto done; + } + + break; + case CACHE_REQ_SVC_BY_PORT: + if (input->svc.port == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: port cannot be 0!\n"); + ret = ERR_INTERNAL; + goto done; + } + + data->svc.port = input->svc.port; + + if (input->svc.protocol.name == NULL) { + break; + } + + data->svc.protocol.name = talloc_strdup(data, input->svc.protocol.name); + if (data->svc.protocol.name == NULL) { + ret = ENOMEM; + goto done; + } + + break; + case CACHE_REQ_HOST_BY_NAME: + if (input->name.input == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL!\n"); + ret = ERR_INTERNAL; + goto done; + } + + data->name.input = talloc_strdup(data, input->name.input); + if (data->name.input == NULL) { + ret = ENOMEM; + goto done; + } + + if (input->alias == NULL) { + break; + } + + data->alias = talloc_strdup(data, input->alias); + if (data->alias == NULL) { + ret = ENOMEM; + goto done; + } + break; + case CACHE_REQ_SENTINEL: + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid cache request type!\n"); + ret = ERR_INTERNAL; + goto done; + } + + if (input->attrs != NULL) { + data->attrs = cache_req_data_create_attrs(data, input->attrs); + if (data->attrs == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_zfree(data); + 
DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create cache_req data " + "[%d]: %s\n", ret, sss_strerror(ret)); + return NULL; + } + + return data; +} + +struct cache_req_data * +cache_req_data_name(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name) +{ + struct cache_req_data input = {0}; + + input.name.input = name; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_name_attrs(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name, + const char **attrs) +{ + struct cache_req_data input = { 0 }; + + input.name.input = name; + input.attrs = attrs; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_id(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + uint32_t id) +{ + struct cache_req_data input = {0}; + + input.id = id; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_id_attrs(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + uint32_t id, + const char **attrs) +{ + struct cache_req_data input = { 0 }; + + input.id = id; + input.attrs = attrs; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_cert(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *cert) +{ + struct cache_req_data input = {0}; + + input.cert = cert; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_sid(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *sid, + const char **attrs) +{ + struct cache_req_data input = {0}; + + input.sid = sid; + input.attrs = attrs; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_enum(TALLOC_CTX *mem_ctx, + enum cache_req_type type) +{ + struct cache_req_data input = { 0 }; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_svc(TALLOC_CTX *mem_ctx, + enum 
cache_req_type type, + const char *name, + const char *protocol, + uint16_t port) +{ + struct cache_req_data input = { 0 }; + + input.name.input = name; + input.svc.name = &input.name; + input.svc.protocol.name = protocol; + input.svc.port = port; + + return cache_req_data_create(mem_ctx, type, &input); +} + +struct cache_req_data * +cache_req_data_host(TALLOC_CTX *mem_ctx, + enum cache_req_type type, + const char *name, + const char *alias, + const char **attrs) +{ + struct cache_req_data input = {0}; + + input.name.input = name; + input.alias = alias; + input.attrs = attrs; + + return cache_req_data_create(mem_ctx, type, &input); +} + +void +cache_req_data_set_bypass_cache(struct cache_req_data *data, + bool bypass_cache) +{ + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n"); + return; + } + + data->bypass_cache = bypass_cache; +} + +void +cache_req_data_set_bypass_dp(struct cache_req_data *data, + bool bypass_dp) +{ + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "cache_req_data should never be NULL\n"); + return; + } + + data->bypass_dp = bypass_dp; +} diff --git a/src/responder/common/cache_req/cache_req_domain.c b/src/responder/common/cache_req/cache_req_domain.c new file mode 100644 index 0000000..d1621cb --- /dev/null +++ b/src/responder/common/cache_req/cache_req_domain.c 
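Review bot: In `cache_req_data_create`, the `CACHE_REQ_SVC_BY_NAME` case reads `input->svc.name->input` without first checking `input->svc.name`, and only `cache_req_data_svc` sets that pointer; every other constructor passes a zero-initialised `input`. Because each constructor accepts an arbitrary `type`, a mismatched call such as `cache_req_data_name()` with `CACHE_REQ_SVC_BY_NAME` would dereference NULL in the responder instead of reaching the "Bug: name cannot be NULL!" path. Guard it with `if (input->svc.name == NULL || input->svc.name->input == NULL) {`. The switch also has no `default:`, so an out-of-range `type` falls through and returns a data object with no lookup key set; a `default:` that logs and sets `ret = ERR_INTERNAL` would make that failure explicit.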
@@ -0,0 +1,299 @@ +/* + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/common/cache_req/cache_req_domain.h" + +struct cache_req_domain * +cache_req_domain_get_domain_by_name(struct cache_req_domain *domains, + const char *name) +{ + struct cache_req_domain *dom; + struct cache_req_domain *ret = NULL; + + DLIST_FOR_EACH(dom, domains) { + if (sss_domain_get_state(dom->domain) == DOM_DISABLED) { + continue; + } + + if (strcasecmp(dom->domain->name, name) == 0 || + (dom->domain->flat_name != NULL && + strcasecmp(dom->domain->flat_name, name) == 0)) { + ret = dom; + break; + } + } + + if (ret == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown domains [%s].\n", name); + } + + return ret; +} + +errno_t +cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx, + struct cache_req_domain *src, + struct cache_req_domain **_dest) +{ + struct cache_req_domain *cr_domains = NULL; + struct cache_req_domain *cr_domain; + struct cache_req_domain *iter; + errno_t ret; + + if (src == NULL) { + return EINVAL; + } + + DLIST_FOR_EACH(iter, src) { + cr_domain = talloc_zero(mem_ctx, struct cache_req_domain); + if (cr_domain == NULL) { + ret = ENOMEM; + goto done; + } + + cr_domain->domain = iter->domain; + cr_domain->fqnames = iter->fqnames; + + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); + } + + *_dest = cr_domains; + ret = EOK; + +done: + if 
(ret != EOK) { + cache_req_domain_list_zfree(&cr_domains); + } + + return ret; +} + +void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains) +{ + struct cache_req_domain *p, *q, *r; + + DLIST_FOR_EACH_SAFE(p, q, *cr_domains) { + r = p; + DLIST_REMOVE(*cr_domains, p); + talloc_zfree(r); + } + + *cr_domains = NULL; +} + +static bool +cache_req_domain_use_fqnames(struct sss_domain_info *domain, + bool enforce_non_fqnames) +{ + struct sss_domain_info *head; + + head = get_domains_head(domain); + + /* + * In order to decide whether fully_qualified_names must be used on the + * lookups we have to take into consideration: + * - use_fully_qualified_name value of the head of the domains; + * (head->fqnames) + * - the presence of a domains' resolution order list; + * (non_fqnames_enforced) + * + * The relationship between those two can be described by: + * - head->fqnames: + * - true: in this case doesn't matter whether it's enforced or not, + * fully-qualified-names will _always_ be used + * - false: in this case (which is also the default case), the usage + * depends on it being enforced; + * + * - enforce_non_fqnames: + * - true: in this case, the usage of fully-qualified-names is not + * needed; + * - false: in this case, the usage of fully-qualified-names will be + * done accordingly to what's set for the domain itself. + */ + if (head->fqnames) { + return true; + } else if (enforce_non_fqnames) { + return false; + } else { + return domain->fqnames; + } +} + +static struct cache_req_domain * +cache_req_domain_new_list_from_string_list(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + char **resolution_order) +{ + struct cache_req_domain *cr_domains = NULL; + struct cache_req_domain *cr_domain; + struct sss_domain_info *dom; + char *name; + int flag = SSS_GND_ALL_DOMAINS; + int i; + bool enforce_non_fqnames = false; + bool files_provider = false; + errno_t ret; + + /* Firstly, in case a domains' resolution order is passed ... 
iterate over + * the list adding its domains to the flatten cache req domains' list */ + if (resolution_order != NULL) { + enforce_non_fqnames = true; + for (i = 0; resolution_order[i] != NULL; i++) { + name = resolution_order[i]; + for (dom = domains; dom; dom = get_next_domain(dom, flag)) { + if (strcasecmp(name, dom->name) != 0) { + continue; + } + + cr_domain = talloc_zero(mem_ctx, struct cache_req_domain); + if (cr_domain == NULL) { + ret = ENOMEM; + goto done; + } + cr_domain->domain = dom; + cr_domain->fqnames = + cache_req_domain_use_fqnames(dom, enforce_non_fqnames); + + /* when using the domain resolution order, using shortnames as + * input is allowed by default. However, we really want to use + * the fully qualified name as output in order to avoid + * conflicts whith users who have the very same name. */ + sss_domain_info_set_output_fqnames(cr_domain->domain, true); + + DLIST_ADD_END(cr_domains, cr_domain, + struct cache_req_domain *); + break; + } + } + } + + /* Then iterate through all the other domains (and subdomains) and add them + * to the flatten cache req domains' list */ + for (dom = domains; dom; dom = get_next_domain(dom, flag)) { + if (string_in_list(dom->name, resolution_order, false)) { + continue; + } + + files_provider = is_files_provider(dom); + + cr_domain = talloc_zero(mem_ctx, struct cache_req_domain); + if (cr_domain == NULL) { + ret = ENOMEM; + goto done; + } + cr_domain->domain = dom; + cr_domain->fqnames = + cache_req_domain_use_fqnames(dom, enforce_non_fqnames); + + /* when using the domain resolution order, using shortnames as input + * is allowed by default. However, we really want to use the fully + * qualified name as output in order to avoid conflicts whith users + * who have the very same name. 
+ * + * NOTE: we do *not* want to use fully qualified names for the + * files provider.*/ + if (resolution_order != NULL) { + if (!files_provider) { + sss_domain_info_set_output_fqnames(cr_domain->domain, true); + } + } + + /* The implicit files provider should always be searched firstly, + * doesn't matter whether the domain_resolution_order set! + * + * By doing this we avoid querying other domains for local users. + */ + if (files_provider) { + DLIST_ADD(cr_domains, cr_domain); + continue; + } + + DLIST_ADD_END(cr_domains, cr_domain, struct cache_req_domain *); + } + + ret = EOK; + +done: + if (ret != EOK) { + cache_req_domain_list_zfree(&cr_domains); + } + + return cr_domains; +} + +errno_t +cache_req_domain_new_list_from_domain_resolution_order( + TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + const char *domain_resolution_order, + struct cache_req_domain **_cr_domains) +{ + TALLOC_CTX *tmp_ctx; + struct cache_req_domain *cr_domains; + char **list = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + if (domain_resolution_order != NULL) { + if (strcmp(domain_resolution_order, ":") != 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Domain resolution order list (split by ':'): \"%s\"\n", + domain_resolution_order); + + ret = split_on_separator(tmp_ctx, domain_resolution_order, ':', + true, true, &list, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "split_on_separator() failed [%d]: [%s].\n", + ret, sss_strerror(ret)); + goto done; + } + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Domain resolution order list: ':' " + "(do not use any specific order)\n"); + } + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Domain resolution order list: not set\n"); + } + + cr_domains = cache_req_domain_new_list_from_string_list(mem_ctx, domains, + list); + if (cr_domains == NULL) { + ret = ENOMEM; + DEBUG(SSSDBG_OP_FAILURE, + "cache_req_domain_new_list_from_domain_resolution_order() " + "failed [%d]: [%s].\n", + ret, 
sss_strerror(ret)); + goto done; + } + + *_cr_domains = cr_domains; + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/responder/common/cache_req/cache_req_domain.h b/src/responder/common/cache_req/cache_req_domain.h new file mode 100644 index 0000000..5769b6a --- /dev/null +++ b/src/responder/common/cache_req/cache_req_domain.h 
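Review bot: In `cache_req_domain_new_list_from_string_list`, the first loop (domains named in `resolution_order`) calls `sss_domain_info_set_output_fqnames(cr_domain->domain, true)` unconditionally and appends with `DLIST_ADD_END`, while the comments in the second loop say the files provider must not get output fqnames and must always be searched first. A files-provider domain that is listed in the resolution order therefore appears to miss both guarantees, so local users could be looked up in other domains before the files domain; it is worth confirming whether that is intended. If it is not, apply the same check in the first loop, e.g. `if (!is_files_provider(dom)) { sss_domain_info_set_output_fqnames(cr_domain->domain, true); }`, and use `DLIST_ADD` for the files-provider case. Separately, the failure message in `cache_req_domain_new_list_from_domain_resolution_order` names the caller rather than `cache_req_domain_new_list_from_string_list()`, and a NULL list is reported as ENOMEM even when `domains` is simply empty.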
@@ -0,0 +1,62 @@ +/* + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _CACHE_REQ_DOMAIN_H_ +#define _CACHE_REQ_DOMAIN_H_ + +#include "responder/common/responder.h" + +struct cache_req_domain { + struct sss_domain_info *domain; + bool fqnames; + bool locate_domain; + + struct cache_req_domain *prev; + struct cache_req_domain *next; +}; + +struct cache_req_domain * +cache_req_domain_get_domain_by_name(struct cache_req_domain *domains, + const char *name); + +/* + * This function may have a side effect of setting the output_fqnames' domain + * property when it's called. + * + * It happens as the output_fqnames' domain property must only be set depending + * on whether a domain resolution order is set or not, and the saner place to + * set it to all domains is when flattening those (thus, in this function). + */ +errno_t +cache_req_domain_new_list_from_domain_resolution_order( + TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + const char *domain_resolution_order, + struct cache_req_domain **_cr_domains); + +errno_t +cache_req_domain_copy_cr_domains(TALLOC_CTX *mem_ctx, + struct cache_req_domain *src, + struct cache_req_domain **_dest); + +void cache_req_domain_list_zfree(struct cache_req_domain **cr_domains); + + +#endif /* _CACHE_REQ_DOMAIN_H_ */ 
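Review bot: `cache_req_domain_copy_cr_domains` and `cache_req_domain_list_zfree` are declared without a contract comment, unlike the resolution-order constructor above them. Going by the implementation in cache_req_domain.c, the copy is shallow: new list nodes are allocated on `mem_ctx`, the `domain` pointer is shared with `src`, `locate_domain` is not carried over, and a NULL `src` returns EINVAL. I would add `/* Shallow copy: new nodes on mem_ctx share src's sss_domain_info; locate_domain is not copied. */` above the copy prototype and `/* Frees every node and sets *cr_domains to NULL. */` above the zfree one.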
diff --git a/src/responder/common/cache_req/cache_req_plugin.h b/src/responder/common/cache_req/cache_req_plugin.h new file mode 100644 index 0000000..d547c9b --- /dev/null +++ b/src/responder/common/cache_req/cache_req_plugin.h 
@@ -0,0 +1,318 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _CACHE_REQ_PLUGIN_H_ +#define _CACHE_REQ_PLUGIN_H_ + +#include "responder/common/cache_req/cache_req_private.h" + +enum cache_object_status { + CACHE_OBJECT_VALID, + CACHE_OBJECT_EXPIRED, + CACHE_OBJECT_MISSING, + CACHE_OBJECT_MIDPOINT +}; + +/** + * Create cache request result manually, if the searched object is well known + * and thus can not be found in the cache. + * + * + * @return EOK If it is a well known object and a result was created. + * @return ENOENT If it is not a well known object. + * @return Other errno code in case of an error. + */ +typedef errno_t +(*cache_req_is_well_known_result_fn)(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct cache_req_result **_result); + +/** + * Prepare domain data. Some plug-ins may require to alter lookup data + * per specific domain rules, such as case sensitivity, fully qualified + * format etc. + * + * @return EOK If everything went fine. + * @return Other errno code in case of an error. + */ +typedef errno_t +(*cache_req_prepare_domain_data_fn)(struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain); + +/** + * Create an object debug name that is used in debug messages to identify + * this object. + * + * @return Debug name or NULL in case of an error. 
+ **/ +typedef const char * +(*cache_req_create_debug_name_fn)(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain); + +/** + * Check if an object is stored in negative cache. + * + * @return EOK If the object is not found. + * @return EEXIST If the object is found in negative cache. + * @return Other errno code in case of an error. + */ +typedef errno_t +(*cache_req_ncache_check_fn)(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data); + +/** + * Add an object into negative cache. + * + * @return EOK If everything went fine. + * @return Other errno code in case of an error. + */ +typedef errno_t +(*cache_req_ncache_add_fn)(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data); + +/** + * Filter the result through the negative cache. + * + * This is useful for plugins which don't use name as an input + * token but can be affected by filter_users and filter_groups + * options. + */ +typedef errno_t +(*cache_req_ncache_filter_fn)(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + const char *name); + +/** + * Add an object into global negative cache. + * + * @return EOK If everything went fine. + * @return Other errno code in case of an error. + */ +typedef errno_t +(*cache_req_global_ncache_add_fn)(struct sss_nc_ctx *ncache, + struct cache_req_data *data); + +/** + * Lookup object in sysdb. + * + * @return EOK If the object is found. + * @return ENOENT If the object is not found. + * @return Other errno code in case of an error. + */ +typedef errno_t +(*cache_req_lookup_fn)(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result); + +/** + * Send Data Provider request. + * + * @return Tevent request on success. + * @return NULL on error. 
+ */ +typedef struct tevent_req * +(*cache_req_dp_send_fn)(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result); + +/** + * Process result of Data Provider request. + * + * Do not free subreq! It will be freed in the caller. + * + * @return True if data provider request succeeded. + * @return False if there was an error. + */ +typedef bool +(*cache_req_dp_recv_fn)(struct tevent_req *subreq, + struct cache_req *cr); + +/** + * Check whether the results of the domain locator can still + * be considered valid or whether it is time to call the request + * again. + * + * @param resp_ctx The responder context. + * @param domain The domain to check. This should be the domain-head, + * because the locator works across a domain and its + * subdomains. + * @param data The cache request data that contains primarily the key + * to look for. + * + * @return True if the locator plugin should be ran again. + * @return False if the lookup should just proceed with the + * data that is already in the negative cache. + */ +typedef bool +(*cache_req_dp_get_domain_check_fn)(struct resp_ctx *rctx, + struct sss_domain_info *domain, + struct cache_req_data *data); +/** + * Send Data Provider request to locate the domain + * of an entry + * + * @param resp_ctx The responder context. + * @param domain The domain to check. This should be the domain-head, + * because the locator works across a domain and its + * subdomains. + * @param data The cache request data that contains primarily the key + * to look for. + * + * + * @return Tevent request on success. + * @return NULL on error. + */ +typedef struct tevent_req * +(*cache_req_dp_get_domain_send_fn)(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + struct cache_req_data *data); + +/** + * Process result of Data Provider find-domain request. + * + * Do not free subreq! It will be freed in the caller. 
+ * + * @param mem_ctx The memory context that owns the _found_domain + * result parameter. + * @param subreq The request to finish. + * @param cr The cache_req being processed. + * @param _found_domain The domain the request account belongs to. This + * parameter can be NULL even on success, in that + * case the account was not found and no lookups are + * needed, all domains can be skipped in this case. + * + * @return EOK if the request did not encounter any error. In this + * case, the _found_domain parameter can be considered authoritative, + * regarless of its value + * @return errno on error. _found_domain should be NULL in this case. + */ +typedef errno_t +(*cache_req_dp_get_domain_recv_fn)(TALLOC_CTX *mem_ctx, + struct tevent_req *subreq, + struct cache_req *cr, + char **_found_domain); + +struct cache_req_plugin { + /** + * Plugin name. + */ + const char *name; + + /** + * Expiration timestamp attribute name. + */ + const char *attr_expiration; + + /** + * Flags that are passed to get_next_domain(). + */ + uint32_t get_next_domain_flags; + + /** + * True if input name should be parsed for domain. + */ + bool parse_name; + + /** + * True if default domain suffix should be ignored when parsing name. + */ + bool ignore_default_domain; + + /** + * True if we always contact data provider. + */ + bool bypass_cache; + + /** + * True if only one result is expected. + */ + bool only_one_result; + + /** + * If true, cache request will iterate over all domains on domain-less + * search and merge acquired results. + */ + bool search_all_domains; + + /** + * True if only domains with enumeration enabled are searched. + */ + bool require_enumeration; + + /** + * Allow missing domain part even if domain requires fully qualified name + * on domain less searches. + */ + bool allow_missing_fqn; + + /** + * True if this plugin can be swapped for equivalent search with UPN. 
+ */ + bool allow_switch_to_upn; + enum cache_req_type upn_equivalent; + + /* Operations */ + cache_req_is_well_known_result_fn is_well_known_fn; + cache_req_prepare_domain_data_fn prepare_domain_data_fn; + cache_req_create_debug_name_fn create_debug_name_fn; + cache_req_global_ncache_add_fn global_ncache_add_fn; + cache_req_ncache_check_fn ncache_check_fn; + cache_req_ncache_add_fn ncache_add_fn; + cache_req_ncache_filter_fn ncache_filter_fn; + cache_req_lookup_fn lookup_fn; + cache_req_dp_send_fn dp_send_fn; + cache_req_dp_recv_fn dp_recv_fn; + cache_req_dp_get_domain_check_fn dp_get_domain_check_fn; + cache_req_dp_get_domain_send_fn dp_get_domain_send_fn; + cache_req_dp_get_domain_recv_fn dp_get_domain_recv_fn; +}; + +extern const struct cache_req_plugin cache_req_user_by_name; +extern const struct cache_req_plugin cache_req_user_by_upn; +extern const struct cache_req_plugin cache_req_user_by_id; +extern const struct cache_req_plugin cache_req_group_by_name; +extern const struct cache_req_plugin cache_req_group_by_id; +extern const struct cache_req_plugin cache_req_initgroups_by_name; +extern const struct cache_req_plugin cache_req_initgroups_by_upn; +extern const struct cache_req_plugin cache_req_user_by_cert; +extern const struct cache_req_plugin cache_req_user_by_filter; +extern const struct cache_req_plugin cache_req_group_by_filter; +extern const struct cache_req_plugin cache_req_object_by_sid; +extern const struct cache_req_plugin cache_req_object_by_name; +extern const struct cache_req_plugin cache_req_object_by_id; +extern const struct cache_req_plugin cache_req_enum_users; +extern const struct cache_req_plugin cache_req_enum_groups; +extern const struct cache_req_plugin cache_req_enum_svc; +extern const struct cache_req_plugin cache_req_svc_by_name; +extern const struct cache_req_plugin cache_req_svc_by_port; +extern const struct cache_req_plugin cache_req_netgroup_by_name; +extern const struct cache_req_plugin cache_req_host_by_name; + +#endif /* 
_CACHE_REQ_PLUGIN_H_ */ diff --git a/src/responder/common/cache_req/cache_req_private.h b/src/responder/common/cache_req/cache_req_private.h new file mode 100644 index 0000000..a88c838 --- /dev/null +++ b/src/responder/common/cache_req/cache_req_private.h 
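Review bot: The doc comment on `cache_req_ncache_filter_fn` in cache_req_plugin.h has no `@return` lines, although `cache_req_search_ncache_filter()` in cache_req_search.c (same commit) treats `EEXIST` as "filter this entry out" and both `EOK` and `ENOENT` as "keep it". Since this callback is what enforces `filter_users` and `filter_groups` for plugins that do not take a name as input, I would spell the contract out as on `cache_req_ncache_check_fn`: `@return EEXIST If the name is in the negative cache.`, `@return EOK If the name is not filtered.`, `@return Other errno code in case of an error.`. The comments on `cache_req_dp_get_domain_check_fn` and `cache_req_dp_get_domain_send_fn` document `@param resp_ctx` while the parameter is named `rctx`, and the send variant leaves `mem_ctx` undocumented. `regarless` in the `cache_req_dp_get_domain_recv_fn` comment should read `regardless`.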
@@ -0,0 +1,198 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _CACHE_REQ_PRIVATE_H_ +#define _CACHE_REQ_PRIVATE_H_ + +#include + +#include "responder/common/responder.h" +#include "responder/common/cache_req/cache_req.h" + +#define CACHE_REQ_DEBUG(level, cr, fmt, ...) \ + DEBUG(level, "CR #%u: " fmt, (cr)->reqid, ##__VA_ARGS__) + +struct cache_req { + /* Provided input. */ + struct cache_req_data *data; + + const struct cache_req_plugin *plugin; + struct resp_ctx *rctx; + struct sss_nc_ctx *ncache; + int midpoint; + + /* Domain related informations. */ + struct sss_domain_info *domain; + bool cache_first; + bool bypass_cache; + bool bypass_dp; + /* Only contact domains with this type */ + enum cache_req_dom_type req_dom_type; + + /* Debug information */ + uint32_t reqid; + const char *reqname; + const char *debugobj; + + /* Time when the request started. Useful for by-filter lookups */ + time_t req_start; +}; + +/** + * Structure to hold the input strings that + * should be parsed into name and domain parts. + */ +struct cache_req_parsed_name { + const char *input; /* Original input. */ + const char *name; /* Parsed name or UPN. */ + const char *lookup; /* Converted per domain rules. */ +}; + +/** + * Structure to hold the input strings that cannot contain domain + * part but are transferred per each domain's case sensitivity. 
+ */ +struct cache_req_cased_name { + const char *name; /* Parsed name or UPN. */ + const char *lookup; /* Converted per domain rules. */ +}; + +/* Input data. */ +struct cache_req_data { + enum cache_req_type type; + struct cache_req_parsed_name name; + uint32_t id; + const char *cert; + const char *sid; + const char *alias; + const char **attrs; + + struct { + struct cache_req_parsed_name *name; + struct cache_req_cased_name protocol; + uint16_t port; + } svc; + + bool bypass_cache; + bool bypass_dp; +}; + +struct tevent_req * +cache_req_search_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cache_req *cr, + bool bypass_cache, + bool bypass_dp); + +errno_t cache_req_search_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ldb_result **_result, + bool *_dp_success); + +struct tevent_req *cache_req_locate_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cache_req *cr); +errno_t cache_req_locate_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_found_domain); + +struct tevent_req * +cache_req_steal_data_and_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + enum cache_req_dom_type req_dom_type, + const char *domain, + struct cache_req_data *data); + +void cache_req_search_ncache_add_to_domain(struct cache_req *cr, + struct sss_domain_info *domain); + +errno_t +cache_req_add_result(TALLOC_CTX *mem_ctx, + struct cache_req_result *new_result, + struct cache_req_result ***_results, + size_t *_num_results); + +struct cache_req_result * +cache_req_create_result(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_result *ldb_result, + const char *lookup_name, + const char *well_known_domain); + +errno_t +cache_req_create_and_add_result(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct sss_domain_info *domain, + struct ldb_result *ldb_result, + const char *name, + struct cache_req_result ***_results, 
+ size_t *_num_results); + +struct ldb_result * +cache_req_create_ldb_result_from_msg_list(TALLOC_CTX *mem_ctx, + struct ldb_message **ldb_msgs, + size_t ldb_msg_count); + +struct ldb_result * +cache_req_create_ldb_result_from_msg(TALLOC_CTX *mem_ctx, + struct ldb_message *ldb_msg); + +struct cache_req_result * +cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_message *ldb_msg, + const char *lookup_name, + const char *well_known_domain); + +struct tevent_req * +cache_req_sr_overlay_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cache_req *cr, + struct cache_req_result **results, + size_t num_results); + +errno_t +cache_req_sr_overlay_recv(struct tevent_req *req); + +/* Plug-in common. */ + +struct cache_req_result * +cache_req_well_known_sid_result(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + const char *domname, + const char *sid, + const char *name); + +bool +cache_req_common_dp_recv(struct tevent_req *subreq, + struct cache_req *cr); + +errno_t +cache_req_common_get_acct_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *subreq, + struct cache_req *cr, + char **_domain); + +errno_t cache_req_idminmax_check(struct cache_req_data *data, + struct sss_domain_info *domain); +#endif /* _CACHE_REQ_PRIVATE_H_ */ diff --git a/src/responder/common/cache_req/cache_req_result.c b/src/responder/common/cache_req/cache_req_result.c new file mode 100644 index 0000000..c1a3732 --- /dev/null +++ b/src/responder/common/cache_req/cache_req_result.c 
@@ -0,0 +1,274 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "responder/common/cache_req/cache_req_private.h" + +errno_t +cache_req_add_result(TALLOC_CTX *mem_ctx, + struct cache_req_result *new_result, + struct cache_req_result ***_results, + size_t *_num_results) +{ + struct cache_req_result **results = *_results; + size_t idx; + size_t count; + + /* Make space for new results. */ + idx = *_num_results; + count = *_num_results + 1; + + results = talloc_realloc(mem_ctx, results, struct cache_req_result *, + count + 1); + if (results == NULL) { + return ENOMEM; + } + + results[idx] = talloc_steal(results, new_result); + results[idx + 1] = NULL; + + *_results = results; + *_num_results = count; + + return EOK; +} + +struct cache_req_result * +cache_req_create_result(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_result *ldb_result, + const char *lookup_name, + const char *well_known_domain) +{ + struct cache_req_result *result; + + result = talloc_zero(mem_ctx, struct cache_req_result); + if (result == NULL) { + return NULL; + } + + result->domain = domain; + result->ldb_result = talloc_steal(result, ldb_result); + result->count = ldb_result != NULL ? ldb_result->count : 0; + result->msgs = ldb_result != NULL ? 
ldb_result->msgs : NULL; + + if (lookup_name != NULL) { + result->lookup_name = talloc_strdup(result, lookup_name); + if (result->lookup_name == NULL) { + talloc_free(result); + return NULL; + } + } + + if (well_known_domain != NULL) { + result->well_known_domain = talloc_strdup(result, well_known_domain); + if (result->well_known_domain == NULL) { + talloc_free(result); + return NULL; + } + } + + return result; +} + +errno_t +cache_req_create_and_add_result(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct sss_domain_info *domain, + struct ldb_result *ldb_result, + const char *name, + struct cache_req_result ***_results, + size_t *_num_results) +{ + struct cache_req_result *item; + errno_t ret; + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Found %u entries in domain %s\n", + ldb_result->count, domain->name); + + item = cache_req_create_result(mem_ctx, domain, ldb_result, name, NULL); + if (item == NULL) { + return ENOMEM; + } + + ret = cache_req_add_result(mem_ctx, item, _results, _num_results); + if (ret != EOK) { + talloc_free(item); + } + + return ret; +} + +struct ldb_result * +cache_req_create_ldb_result_from_msg_list(TALLOC_CTX *mem_ctx, + struct ldb_message **ldb_msgs, + size_t ldb_msg_count) +{ + struct ldb_result *ldb_result; + + if (ldb_msgs == NULL || ldb_msgs[0] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n"); + return NULL; + } + + ldb_result = talloc_zero(NULL, struct ldb_result); + if (ldb_result == NULL) { + return NULL; + } + + ldb_result->extended = NULL; + ldb_result->controls = NULL; + ldb_result->refs = NULL; + ldb_result->count = ldb_msg_count; + ldb_result->msgs = talloc_zero_array(ldb_result, struct ldb_message *, + ldb_msg_count + 1); + if (ldb_result->msgs == NULL) { + talloc_free(ldb_result); + return NULL; + } + + for (size_t i = 0; i < ldb_msg_count; i++) { + ldb_result->msgs[i] = talloc_steal(ldb_result->msgs, ldb_msgs[i]); + } + + return ldb_result; +} + +struct ldb_result * 
+cache_req_create_ldb_result_from_msg(TALLOC_CTX *mem_ctx, + struct ldb_message *ldb_msg) +{ + struct ldb_result *ldb_result; + + if (ldb_msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n"); + return NULL; + } + + ldb_result = talloc_zero(NULL, struct ldb_result); + if (ldb_result == NULL) { + return NULL; + } + + ldb_result->extended = NULL; + ldb_result->controls = NULL; + ldb_result->refs = NULL; + ldb_result->count = 1; + ldb_result->msgs = talloc_zero_array(ldb_result, struct ldb_message *, 2); + if (ldb_result->msgs == NULL) { + talloc_free(ldb_result); + return NULL; + } + + ldb_result->msgs[0] = talloc_steal(ldb_result->msgs, ldb_msg); + + return ldb_result; +} + +struct cache_req_result * +cache_req_create_result_from_msg(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_message *ldb_msg, + const char *lookup_name, + const char *well_known_domain) +{ + struct cache_req_result *result; + struct ldb_result *ldb_result; + + if (ldb_msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No message set!\n"); + return NULL; + } + + ldb_result = cache_req_create_ldb_result_from_msg(mem_ctx, ldb_msg); + if (ldb_result == NULL) { + return NULL; + } + + result = cache_req_create_result(mem_ctx, domain, ldb_result, + lookup_name, well_known_domain); + if (result == NULL) { + talloc_free(ldb_result); + return NULL; + } + + return result; +} + +struct cache_req_result * +cache_req_copy_limited_result(TALLOC_CTX *mem_ctx, + struct cache_req_result *result, + uint32_t start, + uint32_t limit) +{ + struct cache_req_result *out = NULL; + struct ldb_result *ldb_result; + unsigned int left; + errno_t ret; + + if (start >= result->count) { + ret = ERANGE; + goto done; + } + + out = talloc_zero(mem_ctx, struct cache_req_result); + if (out == NULL) { + ret = ENOMEM; + goto done; + } + + ldb_result = talloc_zero(out, struct ldb_result); + if (ldb_result == NULL) { + ret = ENOMEM; + goto done; + } + + left = result->count - start; + + ldb_result->extended = 
result->ldb_result->extended; + ldb_result->controls = result->ldb_result->controls; + ldb_result->refs = result->ldb_result->refs; + ldb_result->msgs = &(result->ldb_result->msgs[start]); + ldb_result->count = left < limit ? left : limit; + + out->domain = result->domain; + out->ldb_result = ldb_result; + out->lookup_name = result->lookup_name; + out->count = ldb_result->count; + out->msgs = ldb_result->msgs; + + ret = EOK; + +done: + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create cache request result " + "[%d]: %s\n", ret, sss_strerror(ret)); + + talloc_free(out); + return NULL; + } + + return out; +} diff --git a/src/responder/common/cache_req/cache_req_search.c b/src/responder/common/cache_req/cache_req_search.c new file mode 100644 index 0000000..7423feb --- /dev/null +++ b/src/responder/common/cache_req/cache_req_search.c 
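Review bot: In `cache_req_create_result()` the `talloc_steal(result, ldb_result)` runs before the two `talloc_strdup()` calls, so when either strdup fails `talloc_free(result)` also frees the caller's `ldb_result`. `cache_req_create_result_from_msg()` then calls `talloc_free(ldb_result)` on the NULL return, which frees the same chunk a second time on that out-of-memory path. Taking ownership last avoids this, because every NULL return then leaves `ldb_result` with the caller: move `result->ldb_result = talloc_steal(result, ldb_result);` to just before `return result;`. Separately, `cache_req_create_ldb_result_from_msg_list()` and `cache_req_create_ldb_result_from_msg()` accept `mem_ctx` but allocate with `talloc_zero(NULL, struct ldb_result)`, so the result has no parent until a caller steals it. Either allocate on `mem_ctx` or add a comment saying the parameter is unused and the caller must reparent the result.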
@@ -0,0 +1,585 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "responder/common/cache_req/cache_req_private.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static errno_t cache_req_search_ncache(struct cache_req *cr) +{ + errno_t ret; + + if (cr->plugin->ncache_check_fn == NULL) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr, + "This request type does not support negative cache\n"); + return EOK; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Checking negative cache for [%s]\n", + cr->debugobj); + + ret = cr->plugin->ncache_check_fn(cr->ncache, cr->domain, cr->data); + if (ret == EEXIST) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "[%s] does not exist (negative cache)\n", + cr->debugobj); + return ENOENT; + } else if (ret != EOK && ret != ENOENT) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Unable to check negative cache [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "[%s] is not present in negative cache\n", + cr->debugobj); + + return EOK; +} + +void cache_req_search_ncache_add_to_domain(struct cache_req *cr, + struct sss_domain_info *domain) +{ + errno_t ret; + + if (cr->plugin->ncache_add_fn == NULL) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_INTERNAL, cr, + "This request type does not support negative cache\n"); 
+ return; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Adding [%s] to negative cache\n", + cr->debugobj); + + ret = cr->plugin->ncache_add_fn(cr->ncache, domain, cr->data); + if (ret != EOK) { + CACHE_REQ_DEBUG(SSSDBG_MINOR_FAILURE, cr, + "Cannot set negative cache for [%s] [%d]: %s\n", + cr->debugobj, ret, sss_strerror(ret)); + /* not fatal */ + } + + return; +} + +static void cache_req_search_ncache_add(struct cache_req *cr) +{ + return cache_req_search_ncache_add_to_domain(cr, cr->domain); +} + +static errno_t cache_req_search_ncache_filter(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct ldb_result **_result) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_result *filtered_result; + struct ldb_message **msgs; + size_t msg_count; + const char *name; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + if (cr->plugin->ncache_filter_fn == NULL) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "This request type does not support filtering " + "result by negative cache\n"); + + ret = EOK; + goto done; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Filtering out results by negative cache\n"); + + msgs = talloc_zero_array(tmp_ctx, struct ldb_message *, (*_result)->count); + msg_count = 0; + + for (size_t i = 0; i < (*_result)->count; i++) { + name = sss_get_name_from_msg(cr->domain, (*_result)->msgs[i]); + if (name == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "sss_get_name_from_msg() returned NULL, which should never " + "happen in this scenario!\n"); + ret = ERR_INTERNAL; + goto done; + } + + ret = cr->plugin->ncache_filter_fn(cr->ncache, cr->domain, name); + if (ret == EEXIST) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "[%s] filtered out! 
(negative cache)\n", + name); + continue; + } else if (ret != EOK && ret != ENOENT) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Unable to check negative cache [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + msgs[msg_count] = talloc_steal(msgs, (*_result)->msgs[i]); + msg_count++; + } + + if (msg_count == 0) { + ret = ENOENT; + goto done; + } + + filtered_result = cache_req_create_ldb_result_from_msg_list(tmp_ctx, msgs, + msg_count); + if (filtered_result == NULL) { + ret = ENOMEM; + goto done; + } + + talloc_zfree(*_result); + *_result = talloc_steal(mem_ctx, filtered_result); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t cache_req_search_cache(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct ldb_result **_result) +{ + struct ldb_result *result = NULL; + errno_t ret; + + if (cr->plugin->lookup_fn == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Bug: No cache lookup function specified\n"); + return ERR_INTERNAL; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Looking up [%s] in cache\n", + cr->debugobj); + + ret = cr->plugin->lookup_fn(mem_ctx, cr, cr->data, cr->domain, &result); + if (ret == EOK && (result == NULL || result->count == 0)) { + ret = ENOENT; + } + + switch (ret) { + case EOK: + if (cr->plugin->only_one_result && result->count > 1) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Multiple objects were found when " + "only one was expected!\n"); + ret = ERR_INTERNAL; + goto done; + } + + *_result = result; + break; + case ERR_ID_OUTSIDE_RANGE: + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "ID [%s] was filtered out\n", + cr->debugobj); + break; + case ENOENT: + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Object [%s] was not found in cache\n", + cr->debugobj); + break; + default: + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Unable to lookup [%s] in cache [%d]: %s\n", + cr->debugobj, ret, sss_strerror(ret)); + break; + } + +done: + if (ret != EOK) { + talloc_free(result); + } + + return ret; +} 
+ +static enum cache_object_status +cache_req_expiration_status(struct cache_req *cr, + struct ldb_result *result) +{ + time_t expire; + errno_t ret; + + if (result == NULL || result->count == 0 || cr->plugin->bypass_cache) { + return CACHE_OBJECT_MISSING; + } + + expire = ldb_msg_find_attr_as_uint64(result->msgs[0], + cr->plugin->attr_expiration, 0); + + ret = sss_cmd_check_cache(result->msgs[0], cr->midpoint, expire); + if (ret == EOK) { + return CACHE_OBJECT_VALID; + } else if (ret == EAGAIN) { + return CACHE_OBJECT_MIDPOINT; + } + + return CACHE_OBJECT_EXPIRED; +} + +struct cache_req_search_state { + /* input data */ + struct tevent_context *ev; + struct resp_ctx *rctx; + struct cache_req *cr; + + /* output data */ + struct ldb_result *result; + bool dp_success; +}; + +static errno_t cache_req_search_dp(struct tevent_req *req, + enum cache_object_status status); +static void cache_req_search_oob_done(struct tevent_req *subreq); +static void cache_req_search_done(struct tevent_req *subreq); + +struct tevent_req * +cache_req_search_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cache_req *cr, + bool bypass_cache, + bool bypass_dp) +{ + struct cache_req_search_state *state; + enum cache_object_status status; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct cache_req_search_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, "Looking up %s\n", cr->debugobj); + + state->ev = ev; + state->cr = cr; + + ret = cache_req_search_ncache(cr); + if (ret != EOK) { + goto done; + } + + /* If bypass_cache is enabled we always contact data provider before + * searching the cache. Thus we set expiration status to missing, + * which will trigger data provider request later. 
+ * + * If disabled, we want to search the cache here to see if the + * object is already cached and valid or if data provider needs + * to be contacted. + */ + state->result = NULL; + status = CACHE_OBJECT_MISSING; + if (!bypass_cache) { + ret = cache_req_search_cache(state, cr, &state->result); + if (ret != EOK && ret != ENOENT) { + goto done; + } + + status = cache_req_expiration_status(cr, state->result); + if (status == CACHE_OBJECT_VALID) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Returning [%s] from cache\n", cr->debugobj); + ret = EOK; + goto done; + } + + /* If bypass_dp is true but we found the object in this domain, + * we will contact the data provider anyway to refresh it so + * we can return it without searching the rest of the domains. + */ + if (status != CACHE_OBJECT_MISSING) { + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Object found, but needs to be refreshed.\n"); + bypass_dp = false; + } else { + ret = ENOENT; + } + } + + if (!bypass_dp) { + ret = cache_req_search_dp(req, status); + } + + if (ret != EAGAIN) { + goto done; + } + + return req; + +done: + if (ret == EOK) { + ret = cache_req_search_ncache_filter(state, cr, &state->result); + } + + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static errno_t cache_req_search_dp(struct tevent_req *req, + enum cache_object_status status) +{ + struct cache_req_search_state *state; + struct tevent_req *subreq; + errno_t ret; + + state = tevent_req_data(req, struct cache_req_search_state); + + switch (status) { + case CACHE_OBJECT_MIDPOINT: + /* Out of band update. The calling function will return the cached + * entry immediately. We need to use rctx so the request is not + * removed when state is freed. 
*/ + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr, + "Performing midpoint cache update of [%s]\n", + state->cr->debugobj); + + subreq = state->cr->plugin->dp_send_fn(state->rctx, state->cr, + state->cr->data, + state->cr->domain, + state->result); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory sending out-of-band " + "data provider request\n"); + /* This is non-fatal, so we'll continue here */ + } else { + tevent_req_set_callback(subreq, cache_req_search_oob_done, req); + } + + ret = EOK; + break; + case CACHE_OBJECT_EXPIRED: + case CACHE_OBJECT_MISSING: + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr, + "Looking up [%s] in data provider\n", + state->cr->debugobj); + + subreq = state->cr->plugin->dp_send_fn(state->cr, state->cr, + state->cr->data, + state->cr->domain, + state->result); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Out of memory sending data provider request\n"); + ret = ENOMEM; + break; + } + + tevent_req_set_callback(subreq, cache_req_search_done, req); + ret = EAGAIN; + break; + default: + /* error */ + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Unexpected status [%d]\n", status); + ret = ERR_INTERNAL; + break; + } + + return ret; +} + +static void cache_req_search_oob_done(struct tevent_req *subreq) +{ + DEBUG(SSSDBG_TRACE_INTERNAL, "Out of band request finished\n"); + talloc_zfree(subreq); + + return; +} + +static void cache_req_search_done(struct tevent_req *subreq) +{ + struct cache_req_search_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct cache_req_search_state); + + state->dp_success = state->cr->plugin->dp_recv_fn(subreq, state->cr); + talloc_zfree(subreq); + + /* Get result from cache again. 
*/ + ret = cache_req_search_cache(state, state->cr, &state->result); + if (ret != EOK) { + if (ret == ENOENT) { + /* Only store entry in negative cache if DP request succeeded + * because only then we know that the entry does not exist. */ + if (state->dp_success) { + cache_req_search_ncache_add(state->cr); + } + } + goto done; + } + + /* ret == EOK */ + ret = cache_req_search_ncache_filter(state, state->cr, &state->result); + if (ret != EOK) { + goto done; + } + + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, state->cr, + "Returning updated object [%s]\n", state->cr->debugobj); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); + return; +} + +errno_t cache_req_search_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ldb_result **_result, + bool *_dp_success) +{ + struct cache_req_search_state *state = NULL; + state = tevent_req_data(req, struct cache_req_search_state); + + *_dp_success = state->dp_success; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_result = talloc_steal(mem_ctx, state->result); + + return EOK; +} + +struct cache_req_locate_domain_state { + struct cache_req *cr; + + char *found_domain; +}; + +static void cache_req_locate_domain_done(struct tevent_req *subreq); + +struct tevent_req *cache_req_locate_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cache_req *cr) +{ + struct cache_req_locate_domain_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + errno_t ret; + bool should_run; + + req = tevent_req_create(mem_ctx, &state, struct cache_req_locate_domain_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + state->cr = cr; + + should_run = cr->plugin->dp_get_domain_check_fn(cr->rctx, + get_domains_head(cr->domain), + cr->data); + if (should_run == false) { + /* The request was tried too recently, don't issue a new one + * as its results are still valid + */ + ret = ERR_GET_ACCT_DOM_CACHED; + goto 
immediate; + } + + subreq = cr->plugin->dp_get_domain_send_fn(state, + cr->rctx, + get_domains_head(cr->domain), + cr->data); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, cache_req_locate_domain_done, req); + return req; + +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static void cache_req_locate_domain_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct cache_req_locate_domain_state *state; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct cache_req_locate_domain_state); + + ret = state->cr->plugin->dp_get_domain_recv_fn(state, + subreq, + state->cr, + &state->found_domain); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t cache_req_locate_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_found_domain) +{ + struct cache_req_locate_domain_state *state = NULL; + + state = tevent_req_data(req, struct cache_req_locate_domain_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_found_domain = talloc_steal(mem_ctx, state->found_domain); + return EOK; +} diff --git a/src/responder/common/cache_req/cache_req_sr_overlay.c b/src/responder/common/cache_req/cache_req_sr_overlay.c new file mode 100644 index 0000000..6193f7b --- /dev/null +++ b/src/responder/common/cache_req/cache_req_sr_overlay.c 
@@ -0,0 +1,328 @@ +/* + Authors: + Nikolai Kondrashov + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/common/cache_req/cache_req_private.h" + +struct cache_req_sr_overlay_state { + /* Input data */ + struct tevent_context *ev; + struct cache_req *cr; + struct cache_req_result **results; + size_t num_results; + /* Work data */ + size_t res_idx; + size_t msg_idx; +}; + +static errno_t cache_req_sr_overlay_match_users( + struct cache_req_sr_overlay_state *state); + +static errno_t cache_req_sr_overlay_match_users( + struct cache_req_sr_overlay_state *state); + +static struct tevent_req *cache_req_sr_overlay_match_all_step_send( + struct cache_req_sr_overlay_state *state); + +static void cache_req_sr_overlay_match_all_step_done( + struct tevent_req *subreq); + +struct tevent_req *cache_req_sr_overlay_send( + TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cache_req *cr, + struct cache_req_result **results, + size_t num_results) +{ + errno_t ret = EOK; + struct tevent_req *req; + struct tevent_req *subreq; + struct cache_req_sr_overlay_state *state; + struct resp_ctx *rctx = cr->rctx; + + req = tevent_req_create(mem_ctx, &state, + struct cache_req_sr_overlay_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->cr = cr; + state->results = results; + state->num_results = 
num_results; + + /* If session recording is selective */ + if (rctx->sr_conf.scope == SESSION_RECORDING_SCOPE_SOME) { + /* If it's a request for a user/users */ + switch (cr->data->type) { + case CACHE_REQ_USER_BY_NAME: + case CACHE_REQ_USER_BY_UPN: + case CACHE_REQ_USER_BY_ID: + case CACHE_REQ_ENUM_USERS: + /* If we have group names to match against */ + if (rctx->sr_conf.groups != NULL && + rctx->sr_conf.groups[0] != NULL) { + /* Pull and match group and user names for each user entry */ + subreq = cache_req_sr_overlay_match_all_step_send(state); + if (subreq == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Failed allocating a session recording " + "user overlay request\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback( + subreq, cache_req_sr_overlay_match_all_step_done, req); + ret = EAGAIN; + } else { + /* Only match user names for each user entry */ + ret = cache_req_sr_overlay_match_users(state); + } + break; + default: + break; + } + } + +done: + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + } + + return req; +} + +static errno_t cache_req_sr_overlay_match_users( + struct cache_req_sr_overlay_state *state) +{ + struct cache_req *cr; + struct resp_ctx *rctx; + errno_t ret; + int lret; + TALLOC_CTX *tmp_ctx = NULL; + struct cache_req_result *result; + struct ldb_message *msg; + const char *name; + char *output_name; + char **conf_user; + bool enabled; + char *enabled_str; + + cr = state->cr; + rctx = cr->rctx; + + /* Create per-message talloc context */ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Failed creating temporary talloc context\n"); + ret = ENOMEM; + goto done; + } + + /* For each result */ + for (state->res_idx = 0; + state->res_idx < state->num_results; + state->res_idx++) { + result = state->results[state->res_idx]; + + /* For each message */ + for (state->msg_idx = 0; + 
state->msg_idx < result->count; + state->msg_idx++) { + msg = result->msgs[state->msg_idx]; + + /* Format output username */ + name = sss_get_name_from_msg(result->domain, msg); + ret = sss_output_fqname(tmp_ctx, result->domain, name, + rctx->override_space, + &output_name); + if (ret != EOK) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Failed formatting output username from %s: %s\n", + name, sss_strerror(ret)); + goto done; + } + + /* For each user name in session recording config */ + enabled = false; + conf_user = rctx->sr_conf.users; + if (conf_user != NULL) { + for (; *conf_user != NULL; conf_user++) { + /* If it matches the requested user name */ + if (strcmp(*conf_user, output_name) == 0) { + enabled = true; + break; + } + } + } + + /* Set sessionRecording attribute to enabled value */ + ldb_msg_remove_attr(msg, SYSDB_SESSION_RECORDING); + enabled_str = talloc_strdup(tmp_ctx, enabled ? "TRUE" : "FALSE"); + if (enabled_str == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Failed to allocate a %s attribute value\n", + SYSDB_SESSION_RECORDING); + ret = ENOMEM; + goto done; + } + lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_str); + if (lret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(lret); + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr, + "Failed adding %s attribute: %s\n", + SYSDB_SESSION_RECORDING, sss_strerror(ret)); + goto done; + } + talloc_steal(msg, enabled_str); + + /* Free per-message allocations */ + talloc_free_children(tmp_ctx); + } + } + + ret = EOK; + +done: + talloc_zfree(tmp_ctx); + return ret; +} + +static struct tevent_req *cache_req_sr_overlay_match_all_step_send( + struct cache_req_sr_overlay_state *state) +{ + struct cache_req *cr = state->cr; + struct cache_req_result *result = + state->results[state->res_idx]; + const char *name; + + name = ldb_msg_find_attr_as_string(result->msgs[state->msg_idx], + SYSDB_NAME, NULL); + return cache_req_initgr_by_name_send(state, state->ev, cr->rctx, cr->ncache, + cr->midpoint, 
CACHE_REQ_ANY_DOM, + NULL, name); +} + +static void cache_req_sr_overlay_match_all_step_done( + struct tevent_req *subreq) +{ + int lret; + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + struct tevent_req *req; + struct cache_req_sr_overlay_state *state; + struct cache_req_result *result; + struct ldb_message *msg; + const char *enabled; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct cache_req_sr_overlay_state); + msg = state->results[state->res_idx]-> + msgs[state->msg_idx]; + + /* Create temporary allocation context */ + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Failed creating temporary talloc context\n"); + ret = ENOMEM; + goto done; + } + + /* Get initgroups result */ + ret = cache_req_initgr_by_name_recv(tmp_ctx, subreq, &result); + talloc_zfree(subreq); + if (ret != EOK) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Failed retrieving initgr request results: %s\n", + sss_strerror(ret)); + goto done; + } + + /* Overwrite sessionRecording attribute */ + ldb_msg_remove_attr(msg, SYSDB_SESSION_RECORDING); + enabled = ldb_msg_find_attr_as_string(result->msgs[0], + SYSDB_SESSION_RECORDING, NULL); + if (enabled != NULL) { + char *enabled_copy; + enabled_copy = talloc_strdup(tmp_ctx, enabled); + if (enabled_copy == NULL) { + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Failed to allocate a copy of %s attribute\n", + SYSDB_SESSION_RECORDING); + ret = ENOMEM; + goto done; + } + lret = ldb_msg_add_string(msg, SYSDB_SESSION_RECORDING, enabled_copy); + if (lret != LDB_SUCCESS) { + ret = sysdb_error_to_errno(lret); + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Failed adding %s attribute: %s\n", + SYSDB_SESSION_RECORDING, sss_strerror(ret)); + goto done; + } + talloc_steal(msg, enabled_copy); + } + + /* Move onto next entry, if any */ + state->msg_idx++; + if (state->msg_idx >= + state->results[state->res_idx]->count) { + 
state->res_idx++; + if (state->res_idx >= state->num_results) { + ret = EOK; + goto done; + } + state->msg_idx = 0; + } + + /* Schedule next entry overlay */ + subreq = cache_req_sr_overlay_match_all_step_send(state); + if (subreq == NULL) { + ret = ENOMEM; + CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, state->cr, + "Failed allocating a session recording " + "user overlay request\n"); + goto done; + } + tevent_req_set_callback(subreq, + cache_req_sr_overlay_match_all_step_done, req); + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } + talloc_free(tmp_ctx); +} + +errno_t cache_req_sr_overlay_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} diff --git a/src/responder/common/cache_req/plugins/cache_req_common.c b/src/responder/common/cache_req/plugins/cache_req_common.c new file mode 100644 index 0000000..d19ca89 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_common.c 
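Review bot: cache_req_sr_overlay_match_all_step_send() reads `state->results[state->res_idx]` and `result->msgs[state->msg_idx]` with no bounds check. cache_req_sr_overlay_send() enters it at index 0/0 without looking at `num_results` or `count`, and the step_done callback resets `msg_idx = 0` for the next result without checking that it holds any message. The callers are not visible in this file, so if an empty result set or a zero-message result can reach this code, it is an out-of-bounds read in the path that decides whether a user's session is recorded. A small seek helper used at both call sites would finish with EOK when nothing is left, matching what the cache_req_sr_overlay_match_users() loops already do. The step function also passes `name` on even when ldb_msg_find_attr_as_string() returned its NULL default, and step_done reads `result->msgs[0]` of the initgroups reply unchecked.

```c
/* Position res_idx/msg_idx on the next existing message; false when none is left. */
static bool cache_req_sr_overlay_seek_msg(
                            struct cache_req_sr_overlay_state *state)
{
    while (state->res_idx < state->num_results) {
        if (state->msg_idx < state->results[state->res_idx]->count) {
            return true;
        }
        state->res_idx++;
        state->msg_idx = 0;
    }
    return false;
}

/* … unchanged: cache_req_sr_overlay_send() up to the group-name check … */
                if (!cache_req_sr_overlay_seek_msg(state)) {
                    /* Nothing to overlay, same outcome as the match_users path */
                    ret = EOK;
                    goto done;
                }
                subreq = cache_req_sr_overlay_match_all_step_send(state);
/* … unchanged: rest of send, step_send, step_done up to the attribute overwrite … */
    /* Move onto next entry, if any */
    state->msg_idx++;
    if (!cache_req_sr_overlay_seek_msg(state)) {
        ret = EOK;
        goto done;
    }
/* … unchanged: scheduling of the next step … */
```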
@@ -0,0 +1,177 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +errno_t cache_req_idminmax_check(struct cache_req_data *data, + struct sss_domain_info *domain) +{ + if (((domain->id_min != 0) && (data->id < domain->id_min)) || + ((domain->id_max != 0) && (data->id > domain->id_max))) { + DEBUG(SSSDBG_FUNC_DATA, "id exceeds min/max boundaries\n"); + return ERR_ID_OUTSIDE_RANGE; + } + return EOK; +} + +static struct ldb_message * +cache_req_well_known_sid_msg(TALLOC_CTX *mem_ctx, + const char *sid, + const char *name) +{ + struct ldb_message *msg; + const char *dup_sid; + const char *dup_name; + int ldberr; + + msg = ldb_msg_new(NULL); + if (msg == NULL) { + return NULL; + } + + dup_sid = talloc_strdup(msg, sid); + if (dup_sid == NULL) { + ldberr = LDB_ERR_OTHER; + goto done; + } + + dup_name = talloc_strdup(msg, name); + if (name == NULL) { + ldberr = LDB_ERR_OTHER; + goto done; + } + + ldberr = ldb_msg_add_string(msg, SYSDB_OBJECTCATEGORY, SYSDB_GROUP_CLASS); + if (ldberr != LDB_SUCCESS) { + goto done; + } + + ldberr = ldb_msg_add_string(msg, SYSDB_NAME, dup_name); + if (ldberr != LDB_SUCCESS) { + goto done; + } + + ldberr = ldb_msg_add_string(msg, SYSDB_SID_STR, dup_sid); + if (ldberr 
!= LDB_SUCCESS) { + goto done; + } + +done: + if (ldberr != LDB_SUCCESS) { + talloc_free(msg); + return NULL; + } + + return msg; +} + +struct cache_req_result * +cache_req_well_known_sid_result(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + const char *domname, + const char *sid, + const char *name) +{ + struct cache_req_result *result; + struct sss_domain_info *domain; + struct ldb_message *msg; + + msg = cache_req_well_known_sid_msg(NULL, sid, name); + if (msg == NULL) { + return NULL; + } + + if (domname != NULL) { + domain = find_domain_by_name(cr->rctx->domains, domname, true); + } else { + domain = NULL; + } + + result = cache_req_create_result_from_msg(mem_ctx, domain, msg, + name, domname); + if (result == NULL) { + talloc_free(msg); + } + + return result; +} + +bool +cache_req_common_dp_recv(struct tevent_req *subreq, + struct cache_req *cr) +{ + char *err_msg; + dbus_uint16_t err_maj; + dbus_uint32_t err_min; + errno_t ret; + bool bret; + + ret = sss_dp_req_recv(NULL, subreq, &err_maj, &err_min, &err_msg); + if (ret != EOK) { + CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, + "Could not get account info [%d]: %s\n", + ret, sss_strerror(ret)); + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Due to an error we will return cached data\n"); + + bret = false; + goto done; + } + + if (err_maj) { + CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, + "Data Provider Error: %u, %u, %s\n", + (unsigned int)err_maj, (unsigned int)err_min, err_msg); + CACHE_REQ_DEBUG(SSSDBG_TRACE_FUNC, cr, + "Due to an error we will return cached data\n"); + + bret = false; + goto done; + } + + bret = true; + +done: + talloc_free(err_msg); + return bret; +} + +errno_t +cache_req_common_get_acct_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *subreq, + struct cache_req *cr, + char **_domain) +{ + errno_t ret; + + ret = sss_dp_get_account_domain_recv(mem_ctx, subreq, _domain); + if (ret != EOK) { + CACHE_REQ_DEBUG(SSSDBG_MINOR_FAILURE, cr, + "Could not get account domain [%d]: %s\n", + ret, 
sss_strerror(ret)); + } + return ret; +} diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_groups.c b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c new file mode 100644 index 0000000..d302994 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_enum_groups.c 
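Review bot: In cache_req_well_known_sid_msg() the check after `dup_name = talloc_strdup(msg, name);` tests `name` instead of `dup_name`, so a failed allocation goes unnoticed and a NULL value reaches `ldb_msg_add_string(msg, SYSDB_NAME, dup_name)`; it should read `if (dup_name == NULL) {`. The same function ignores its `mem_ctx` argument (`ldb_msg_new(NULL)`), so the message hangs off the NULL context until a caller reparents or frees it. In cache_req_common_dp_recv(), `err_msg` is declared without an initialiser and is handed to `talloc_free()` on the early `goto done`; whether sss_dp_req_recv() always writes it on failure is not visible here, so `char *err_msg = NULL;` is the safe declaration.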
@@ -0,0 +1,114 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static const char * +cache_req_enum_groups_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_strdup(mem_ctx, "Groups enumeration"); +} + +static errno_t +cache_req_enum_groups_lookup(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + return sysdb_enumgrent_with_views(mem_ctx, domain, _result); +} + +static struct tevent_req * +cache_req_enum_groups_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_GROUP, NULL, 0, NULL); +} + +static errno_t +cache_req_enum_groups_ncache_filter(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + const char *name) +{ + return sss_ncache_check_group(ncache, domain, name); +} + +const struct cache_req_plugin cache_req_enum_groups = { + .name = "Enumerate groups", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = false, + 
.ignore_default_domain = false, + .bypass_cache = true, + .only_one_result = false, + .search_all_domains = true, + .require_enumeration = true, + .allow_missing_fqn = true, + .allow_switch_to_upn = false, + .upn_equivalent = CACHE_REQ_SENTINEL, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = NULL, + .create_debug_name_fn = cache_req_enum_groups_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = NULL, + .ncache_add_fn = NULL, + .ncache_filter_fn = cache_req_enum_groups_ncache_filter, + .lookup_fn = cache_req_enum_groups_lookup, + .dp_send_fn = cache_req_enum_groups_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; + +struct tevent_req * +cache_req_enum_groups_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain) +{ + struct cache_req_data *data; + + data = cache_req_data_enum(mem_ctx, CACHE_REQ_ENUM_GROUPS); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, + data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_svc.c b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c new file mode 100644 index 0000000..282dc1c --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_enum_svc.c 
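Review bot: The `cache_req_enum_groups` plugin table sets `.bypass_cache = true` without a comment on what that implies, and the same applies to the tables in cache_req_enum_svc.c and cache_req_enum_users.c. If this flag is what cache_req_search_send() receives as `bypass_cache`, the search code earlier in this patch leaves the status at CACHE_OBJECT_MISSING and issues a data provider request for every enumeration call, which matters for backend load. A comment on the field would record that intent, for example `/* Enumeration always asks the data provider first; the cache is read only after the reply */`. The positional `true, ..., NULL, 0, NULL` arguments to sss_dp_get_account_send() in the three `*_dp_send` functions would also read better with a short comment naming each one.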
@@ -0,0 +1,106 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "db/sysdb_services.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static const char * +cache_req_enum_svc_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_strdup(mem_ctx, "Services enumeration"); +} + +static errno_t +cache_req_enum_svc_lookup(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + return sysdb_enumservent(mem_ctx, domain, _result); +} + +static struct tevent_req * +cache_req_enum_svc_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_SERVICES, NULL, 0, NULL); +} + +const struct cache_req_plugin cache_req_enum_svc = { + .name = "Enumerate services", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = false, + .ignore_default_domain = false, + .bypass_cache = true, + .only_one_result = false, + .search_all_domains = true, + .require_enumeration = true, + .allow_missing_fqn = true, + .allow_switch_to_upn = 
false, + .upn_equivalent = CACHE_REQ_SENTINEL, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = NULL, + .create_debug_name_fn = cache_req_enum_svc_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = NULL, + .ncache_add_fn = NULL, + .ncache_filter_fn = NULL, + .lookup_fn = cache_req_enum_svc_lookup, + .dp_send_fn = cache_req_enum_svc_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; + +struct tevent_req * +cache_req_enum_svc_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain) +{ + struct cache_req_data *data; + + data = cache_req_data_enum(mem_ctx, CACHE_REQ_ENUM_SVC); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_enum_users.c b/src/responder/common/cache_req/plugins/cache_req_enum_users.c new file mode 100644 index 0000000..f83ff30 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_enum_users.c 
@@ -0,0 +1,114 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static const char * +cache_req_enum_users_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_strdup(mem_ctx, "Users enumeration"); +} + +static errno_t +cache_req_enum_users_lookup(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + return sysdb_enumpwent_with_views(mem_ctx, domain, _result); +} + +static struct tevent_req * +cache_req_enum_users_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_USER, NULL, 0, NULL); +} + +static errno_t +cache_req_enum_users_ncache_filter(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + const char *name) +{ + return sss_ncache_check_user(ncache, domain, name); +} + +const struct cache_req_plugin cache_req_enum_users = { + .name = "Enumerate users", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = false, + .ignore_default_domain = 
false, + .bypass_cache = true, + .only_one_result = false, + .search_all_domains = true, + .require_enumeration = true, + .allow_missing_fqn = true, + .allow_switch_to_upn = false, + .upn_equivalent = CACHE_REQ_SENTINEL, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = NULL, + .create_debug_name_fn = cache_req_enum_users_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = NULL, + .ncache_add_fn = NULL, + .ncache_filter_fn = cache_req_enum_users_ncache_filter, + .lookup_fn = cache_req_enum_users_lookup, + .dp_send_fn = cache_req_enum_users_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; + +struct tevent_req * +cache_req_enum_users_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain) +{ + struct cache_req_data *data; + + data = cache_req_data_enum(mem_ctx, CACHE_REQ_ENUM_USERS); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, + data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c new file mode 100644 index 0000000..009f0f8 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_group_by_filter.c 
@@ -0,0 +1,162 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static errno_t +cache_req_group_by_filter_prepare_domain_data(struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx; + const char *name; + errno_t ret; + + if (cr->data->name.name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n"); + return ERR_INTERNAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + name = sss_get_cased_name(tmp_ctx, cr->data->name.name, + domain->case_sensitive); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + name = sss_reverse_replace_space(tmp_ctx, name, cr->rctx->override_space); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + talloc_zfree(data->name.lookup); + data->name.lookup = talloc_steal(data, name); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static const char * +cache_req_group_by_filter_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_strdup(mem_ctx, data->name.lookup); +} + +static errno_t +cache_req_group_by_filter_lookup(TALLOC_CTX *mem_ctx, + struct 
cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + char *recent_filter; + errno_t ret; + + recent_filter = talloc_asprintf(mem_ctx, "(%s>=%lu)", SYSDB_LAST_UPDATE, + cr->req_start); + if (recent_filter == NULL) { + return ENOMEM; + } + + ret = sysdb_enumgrent_filter_with_views(mem_ctx, domain, data->name.lookup, + recent_filter, _result); + talloc_free(recent_filter); + + return ret; +} + +static struct tevent_req * +cache_req_group_by_filter_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_WILDCARD_GROUP, + cr->data->name.lookup, cr->data->id, NULL); +} + +const struct cache_req_plugin cache_req_group_by_filter = { + .name = "Group by filter", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = true, + .ignore_default_domain = false, + .bypass_cache = true, + .only_one_result = false, + .search_all_domains = false, + .require_enumeration = false, + .allow_missing_fqn = false, + .allow_switch_to_upn = false, + .upn_equivalent = CACHE_REQ_SENTINEL, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = cache_req_group_by_filter_prepare_domain_data, + .create_debug_name_fn = cache_req_group_by_filter_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = NULL, + .ncache_add_fn = NULL, + .ncache_filter_fn = NULL, + .lookup_fn = cache_req_group_by_filter_lookup, + .dp_send_fn = cache_req_group_by_filter_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; + +struct tevent_req * +cache_req_group_by_filter_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *filter) 
+{ + struct cache_req_data *data; + + data = cache_req_data_name(mem_ctx, CACHE_REQ_GROUP_BY_FILTER, filter); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, NULL, + 0, + req_dom_type, domain, + data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_id.c b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c new file mode 100644 index 0000000..e0c6b65 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_group_by_id.c 
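Review bot: cache_req_group_by_filter_lookup() and cache_req_group_by_filter_dp_send() forward the caller-supplied `filter` as `name.lookup` into sysdb_enumgrent_filter_with_views() and the SSS_DP_WILDCARD_GROUP request after only case folding and space replacement, and nothing in this file escapes search-filter metacharacters. Whether the callees sanitise the string is not visible here; if they do, record that above the lookup call, e.g. `/* name.lookup is a client-supplied wildcard pattern; escaping is done by the sysdb call */`, and if they do not, the escaping belongs in prepare_domain_data. Separately, `"(%s>=%lu)"` is given `cr->req_start`, whose type is declared outside this hunk; if it is a time_t, cast it as `(unsigned long) cr->req_start` so the format and argument agree on every platform. The dp_send callback reads `cr->data->name.lookup` while lookup reads `data->name.lookup`; using the `data` parameter in both keeps them consistent.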
@@ -0,0 +1,244 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static const char *
+cache_req_group_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_asprintf(mem_ctx, "GID:%"PRIu32"@%s", data->id, domain->name);
+}
+
+static errno_t
+cache_req_group_by_id_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ errno_t ret;
+
+ if (domain != NULL) {
+ ret = sss_ncache_check_gid(ncache, domain, data->id);
+ if (ret == EEXIST) {
+ return ret;
+ }
+ }
+
+ return sss_ncache_check_gid(ncache, NULL, data->id);
+}
+
+static errno_t
+cache_req_group_by_id_ncache_filter(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ const char *name)
+{
+ return sss_ncache_check_group(ncache, domain, name);
+}
+
+static errno_t
+cache_req_group_by_id_global_ncache_add(struct sss_nc_ctx *ncache,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_gid(ncache, false, NULL, data->id);
+}
+
+static errno_t
+cache_req_group_by_id_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return
sss_ncache_set_gid(ncache, false, domain, data->id);
+}
+
+static errno_t
+cache_req_group_by_id_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ errno_t ret;
+
+ ret = cache_req_idminmax_check(data, domain);
+ if (ret != EOK) {
+ return ret;
+ }
+ return sysdb_getgrgid_with_views(mem_ctx, domain, data->id, _result);
+}
+
+static errno_t
+cache_req_group_by_id_dpreq_params(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct ldb_result *result,
+ const char **_string,
+ uint32_t *_id,
+ const char **_flag)
+{
+ uint32_t id;
+
+ *_id = cr->data->id;
+ *_string = NULL;
+ *_flag = NULL;
+
+ if (!DOM_HAS_VIEWS(cr->domain)) {
+ return EOK;
+ }
+
+ /* We must search with views. */
+ if (result == NULL || result->count == 0) {
+ *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
+ return EOK;
+ }
+
+ /* If domain has views we will try to use original values instead of the
+ * overridden ones. This is a must for the LOCAL view since we can't look
+ * it up otherwise. But it is also a shortcut for non-local views where
+ * we will not fail over to the overridden value. */
+
+ id = ldb_msg_find_attr_as_uint64(result->msgs[0], SYSDB_GIDNUM, 0);
+ if (id == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: id cannot be 0\n");
+ *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
+ return EOK;
+ }
+
+ /* Now we have the original name and id. We don't have to search with
+ * views unless some error occurred.
*/
+ *_id = id;
+
+ return EOK;
+}
+
+static struct tevent_req *
+cache_req_group_by_id_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ const char *string;
+ const char *flag;
+ uint32_t id;
+ errno_t ret;
+
+ ret = cache_req_group_by_id_dpreq_params(mem_ctx, cr, result,
+ &string, &id, &flag);
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_GROUP, string, id, flag);
+}
+
+static bool
+cache_req_group_by_id_get_domain_check(struct resp_ctx *rctx,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ int nret;
+
+ nret = sss_ncache_check_locate_gid(rctx->ncache, domain, data->id);
+ if (nret == EEXIST) {
+ return false;
+ }
+
+ return true;
+}
+
+static struct tevent_req *
+cache_req_group_by_id_get_domain_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ int nret;
+
+ nret = sss_ncache_set_locate_gid(rctx->ncache, domain, data->id);
+ if (nret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache, this might result in performance degradation\n");
+ /* Not fatal */
+ }
+
+ return sss_dp_get_account_domain_send(mem_ctx,
+ rctx,
+ domain,
+ SSS_DP_GROUP,
+ data->id);
+}
+
+const struct cache_req_plugin cache_req_group_by_id = {
+ .name = "Group by ID",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = false,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = NULL,
+ .create_debug_name_fn = cache_req_group_by_id_create_debug_name,
+ .global_ncache_add_fn = cache_req_group_by_id_global_ncache_add,
+
.ncache_check_fn = cache_req_group_by_id_ncache_check,
+ .ncache_add_fn = cache_req_group_by_id_ncache_add,
+ .ncache_filter_fn = cache_req_group_by_id_ncache_filter,
+ .lookup_fn = cache_req_group_by_id_lookup,
+ .dp_send_fn = cache_req_group_by_id_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = cache_req_group_by_id_get_domain_check,
+ .dp_get_domain_send_fn = cache_req_group_by_id_get_domain_send,
+ .dp_get_domain_recv_fn = cache_req_common_get_acct_domain_recv,
+};
+
+struct tevent_req *
+cache_req_group_by_id_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ gid_t gid)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_id(mem_ctx, CACHE_REQ_GROUP_BY_ID, gid);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_group_by_name.c b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
new file mode 100644
index 0000000..3be0d5e
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_group_by_name.c
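Review bot: In `cache_req_group_by_id_dpreq_params` the 64-bit value returned by `ldb_msg_find_attr_as_uint64()` is assigned directly to `uint32_t id`, so a cached SYSDB_GIDNUM above UINT32_MAX is silently truncated before the `id == 0` check and a different GID would be sent to the data provider. Reading into a wider local and range-checking keeps the request on the identifier that was actually cached: `uint64_t gid = ldb_msg_find_attr_as_uint64(result->msgs[0], SYSDB_GIDNUM, 0);`, then `if (gid == 0 || gid > UINT32_MAX) {` and finally `*_id = (uint32_t)gid;`. The existing fallback branch (log and set `EXTRA_INPUT_MAYBE_WITH_VIEW`) also suits the out-of-range case, though the "id cannot be 0" message would then want rewording. The comment "Now we have the original name and id" should say only "id", since `*_string` stays NULL in this function.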
@@ -0,0 +1,227 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_group_by_name_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char *name;
+ errno_t ret;
+
+ if (cr->data->name.name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n");
+ return ERR_INTERNAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ name = sss_get_cased_name(tmp_ctx, cr->data->name.name,
+ domain->case_sensitive);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name = sss_reverse_replace_space(tmp_ctx, name, cr->rctx->override_space);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name = sss_create_internal_fqname(tmp_ctx, name, domain->name);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(data->name.lookup);
+ data->name.lookup = talloc_steal(data, name);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char *
+cache_req_group_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return
talloc_strdup(mem_ctx, data->name.lookup);
+}
+
+static errno_t
+cache_req_group_by_name_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_group(ncache, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_group_by_name_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_group(ncache, false, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_group_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_getgrnam_with_views(mem_ctx, domain, data->name.lookup,
+ _result);
+}
+
+static errno_t
+cache_req_group_by_name_dpreq_params(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct ldb_result *result,
+ const char **_string,
+ uint32_t *_id,
+ const char **_flag)
+{
+ const char *name;
+
+ *_id = 0;
+ *_string = cr->data->name.lookup;
+ *_flag = NULL;
+
+ if (!DOM_HAS_VIEWS(cr->domain)) {
+ return EOK;
+ }
+
+ /* We must search with views. */
+ if (result == NULL || result->count == 0) {
+ *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
+ return EOK;
+ }
+
+ /* If domain has views we will try to use original values instead of the
+ * overridden ones. This is a must for the LOCAL view since we can't look
+ * it up otherwise. But it is also a shortcut for non-local views where
+ * we will not fail over to the overridden value. */
+
+ name = ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL\n");
+ *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
+ return EOK;
+ }
+
+ /* Now we have the original name and id. We don't have to search with
+ * views unless some error occurred.
*/
+ *_string = talloc_steal(mem_ctx, name);
+
+ return EOK;
+}
+
+static struct tevent_req *
+cache_req_group_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ const char *string;
+ const char *flag;
+ uint32_t id;
+ errno_t ret;
+
+ ret = cache_req_group_by_name_dpreq_params(mem_ctx, cr, result,
+ &string, &id, &flag);
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_GROUP, string, id, flag);
+}
+
+const struct cache_req_plugin cache_req_group_by_name = {
+ .name = "Group by name",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = false,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = cache_req_group_by_name_prepare_domain_data,
+ .create_debug_name_fn = cache_req_group_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_group_by_name_ncache_check,
+ .ncache_add_fn = cache_req_group_by_name_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_group_by_name_lookup,
+ .dp_send_fn = cache_req_group_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_group_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *name)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name(mem_ctx, CACHE_REQ_GROUP_BY_NAME, name);
+ if (data ==
NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ req_dom_type, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_host_by_name.c b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
new file mode 100644
index 0000000..696d9e5
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_host_by_name.c
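Review bot: `cache_req_group_by_name_dpreq_params` ends with `*_string = talloc_steal(mem_ctx, name);`, where `name` was just read out of `result->msgs[0]`, a result the caller still holds. The steal re-parents that attribute buffer to `mem_ctx` while the message keeps pointing at it, so if `mem_ctx` is released before `result` (the lifetimes are not visible in this hunk) the cached entry is left with a dangling name. Copying avoids coupling the two lifetimes: `*_string = talloc_strdup(mem_ctx, name);` followed by `if (*_string == NULL) { return ENOMEM; }`. The preceding comment says "original name and id" although this function only recovers the name.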
@@ -0,0 +1,131 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb_ssh.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static const char *
+cache_req_host_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_strdup(mem_ctx, data->name.name);
+}
+
+static errno_t
+cache_req_host_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+#ifdef BUILD_SSH
+ struct ldb_result *result;
+ struct ldb_message *msg;
+ errno_t ret;
+
+ ret = sysdb_get_ssh_host(mem_ctx, domain, data->name.name,
+ data->attrs, &msg);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ result = cache_req_create_ldb_result_from_msg(mem_ctx, msg);
+ if (result == NULL) {
+ return ENOMEM;
+ }
+
+ *_result = result;
+
+ return EOK;
+#else
+ return ERR_INTERNAL;
+#endif /* BUILD_SSH */
+}
+
+struct tevent_req *
+cache_req_host_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_ssh_host_send(mem_ctx, cr->rctx, domain, false,
+ data->name.name, data->alias);
+}
+
+const struct
cache_req_plugin cache_req_host_by_name = {
+ .name = "Host by name",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = true,
+ .bypass_cache = true,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = 0,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = NULL,
+ .create_debug_name_fn = cache_req_host_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = NULL,
+ .ncache_add_fn = NULL,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_host_by_name_lookup,
+ .dp_send_fn = cache_req_host_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_host_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char *alias,
+ const char **attrs)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_host(mem_ctx, CACHE_REQ_HOST_BY_NAME, name,
+ alias, attrs);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
new file mode 100644
index 0000000..c5bea9d
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c
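Review bot: `cache_req_host_by_name_dp_send` is defined without `static`, unlike the `*_dp_send` callbacks in the neighbouring plugin files, so it exports a symbol that this file only uses through the `.dp_send_fn` pointer. Unless another translation unit calls it directly (not visible here), the definition should start with `static struct tevent_req *`. The `#else` branch of `cache_req_host_by_name_lookup` would also benefit from a comment such as `/* Built without SSH support: host lookups are unavailable. */`, so that the bare `ERR_INTERNAL` is not mistaken for a logic error.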
@@ -0,0 +1,242 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_initgroups_by_name_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char *name;
+ errno_t ret;
+
+ if (cr->data->name.name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n");
+ return ERR_INTERNAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ name = sss_get_cased_name(tmp_ctx, cr->data->name.name,
+ domain->case_sensitive);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name = sss_reverse_replace_space(tmp_ctx, name, cr->rctx->override_space);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name = sss_create_internal_fqname(tmp_ctx, name, domain->name);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(data->name.lookup);
+ data->name.lookup = talloc_steal(data, name);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char *
+cache_req_initgroups_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return
talloc_strdup(mem_ctx, data->name.lookup);
+}
+
+static errno_t
+cache_req_initgroups_by_name_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_user(ncache, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_initgroups_by_name_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_user(ncache, false, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_initgroups_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_initgroups_with_views(mem_ctx, domain, data->name.lookup,
+ _result);
+}
+
+static errno_t
+cache_req_initgroups_by_name_dpreq_params(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct ldb_result *result,
+ const char **_string,
+ uint32_t *_id,
+ const char **_flag)
+{
+ struct ldb_result *user;
+ const char *name;
+ errno_t ret;
+
+ *_id = 0;
+ *_string = cr->data->name.lookup;
+ *_flag = NULL;
+
+ if (!DOM_HAS_VIEWS(cr->domain)) {
+ return EOK;
+ }
+
+ /* We must search with views. */
+ if (result == NULL || result->count == 0) {
+ *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW;
+ return EOK;
+ }
+
+ /* If domain has views we will try to use original values instead of the
+ * overridden ones. This is a must for the LOCAL view since we can't look
+ * it up otherwise. But it is also a shortcut for non-local views where
+ * we will not fail over to the overridden value. */
+
+ ret = sysdb_getpwnam_with_views(NULL, cr->domain,
+ cr->data->name.lookup, &user);
+ if (ret != EOK || user == NULL || user->count != 1) {
+ /* Case where the user is not found has been already handled. If
+ * this is not OK, it is an error.
*/
+ CACHE_REQ_DEBUG(SSSDBG_CRIT_FAILURE, cr,
+ "Unable to match initgroups user [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ name = ldb_msg_find_attr_as_string(user->msgs[0], SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL\n");
+ talloc_free(user);
+ return ERR_INTERNAL;
+ }
+
+ /* Now we have the original name. We don't have to search with
+ * views unless some error occurred. */
+ *_string = talloc_steal(mem_ctx, name);
+
+ talloc_free(user);
+
+ return EOK;
+}
+
+static struct tevent_req *
+cache_req_initgroups_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ const char *string;
+ const char *flag;
+ uint32_t id;
+ errno_t ret;
+
+ ret = cache_req_initgroups_by_name_dpreq_params(mem_ctx, cr, result,
+ &string, &id, &flag);
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_INITGROUPS, string, id, flag);
+}
+
+const struct cache_req_plugin cache_req_initgroups_by_name = {
+ .name = "Initgroups by name",
+ .attr_expiration = SYSDB_INITGR_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = false,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = false,
+ .allow_switch_to_upn = true,
+ .upn_equivalent = CACHE_REQ_INITGROUPS_BY_UPN,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = cache_req_initgroups_by_name_prepare_domain_data,
+ .create_debug_name_fn = cache_req_initgroups_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_initgroups_by_name_ncache_check,
+ .ncache_add_fn = cache_req_initgroups_by_name_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_initgroups_by_name_lookup,
+ .dp_send_fn =
cache_req_initgroups_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_initgr_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *name)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name(mem_ctx, CACHE_REQ_INITGROUPS, name);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ req_dom_type, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
new file mode 100644
index 0000000..9bd00f3
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c
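Review bot: In `cache_req_initgroups_by_name_dpreq_params` the branch `if (ret != EOK || user == NULL || user->count != 1)` returns `ret` unchanged, so when the lookup succeeds but yields zero or several entries the function reports EOK and the caller sends the request as though the original name had been resolved. The same branch never frees `user`, which `sysdb_getpwnam_with_views()` allocated on a NULL talloc context, so each such call leaks the result. Declaring `struct ldb_result *user = NULL;` and ending the branch with `talloc_free(user);` and `return ret != EOK ? ret : ERR_INTERNAL;` makes the failure explicit and releases the result. A short temporary context freed on every exit path would be the tidier alternative to a NULL parent.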
@@ -0,0 +1,130 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_initgroups_by_upn_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ const char *name;
+
+ if (cr->data->name.name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed UPN is NULL?\n");
+ return ERR_INTERNAL;
+ }
+
+ /* When looking up UPNs we don't want to reverse-replace spaces,
+ * just search whatever the user passed in. strdup the name so we
+ * can safely steal it later.
+ */
+ name = talloc_strdup(data, cr->data->name.name);
+ if (name == NULL) {
+ return ENOMEM;
+ }
+
+ talloc_zfree(data->name.lookup);
+ data->name.lookup = talloc_steal(data, name);
+
+ return EOK;
+}
+
+static const char *
+cache_req_initgroups_by_upn_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_strdup(mem_ctx, data->name.lookup);
+}
+
+static errno_t
+cache_req_initgroups_by_upn_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_upn(ncache, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_initgroups_by_upn_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_upn(ncache, false, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_initgroups_by_upn_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_initgroups_by_upn(mem_ctx, domain, data->name.lookup,
+ _result);
+}
+
+static struct tevent_req *
+cache_req_initgroups_by_upn_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_INITGROUPS, cr->data->name.lookup,
+ 0, EXTRA_NAME_IS_UPN);
+}
+
+const struct cache_req_plugin cache_req_initgroups_by_upn = {
+ .name = "Initgroups by UPN",
+ .attr_expiration = SYSDB_INITGR_EXPIRE,
+ .parse_name = false,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = false,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+
.prepare_domain_data_fn = cache_req_initgroups_by_upn_prepare_domain_data,
+ .create_debug_name_fn = cache_req_initgroups_by_upn_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_initgroups_by_upn_ncache_check,
+ .ncache_add_fn = cache_req_initgroups_by_upn_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_initgroups_by_upn_lookup,
+ .dp_send_fn = cache_req_initgroups_by_upn_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
diff --git a/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
new file mode 100644
index 0000000..d370d34
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c
@@ -0,0 +1,160 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_netgroup_by_name_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char *name;
+ errno_t ret;
+
+ if (data->name.name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n");
+ return ERR_INTERNAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ name = sss_get_cased_name(tmp_ctx, cr->data->name.name,
+ domain->case_sensitive);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(data->name.lookup);
+ data->name.lookup = talloc_steal(data, name);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char *
+cache_req_netgroup_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_asprintf(mem_ctx, "%s@%s", data->name.lookup, domain->name);
+}
+
+static errno_t
+cache_req_netgroup_by_name_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_netgr(ncache,
domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_netgroup_by_name_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_netgr(ncache, false, domain, data->name.lookup);
+}
+
+static errno_t
+cache_req_netgroup_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_getnetgr(mem_ctx, domain, data->name.lookup, _result);
+}
+
+static struct tevent_req *
+cache_req_netgroup_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_NETGR, cr->data->name.lookup,
+ 0, NULL);
+}
+
+const struct cache_req_plugin cache_req_netgroup_by_name = {
+ .name = "Netgroup by name",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = true,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = cache_req_netgroup_by_name_prepare_domain_data,
+ .create_debug_name_fn = cache_req_netgroup_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_netgroup_by_name_ncache_check,
+ .ncache_add_fn = cache_req_netgroup_by_name_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_netgroup_by_name_lookup,
+ .dp_send_fn = cache_req_netgroup_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_netgroup_by_name_send(TALLOC_CTX *mem_ctx,
+ struct
tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name(mem_ctx, CACHE_REQ_NETGROUP_BY_NAME, name);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_id.c b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
new file mode 100644
index 0000000..634b683
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_id.c
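Review bot: `cache_req_netgroup_by_name_prepare_domain_data` guards `data->name.name` against NULL but then passes `cr->data->name.name` to `sss_get_cased_name()`, so the pointer that is checked is not the one that is used. The group and initgroups plugins in this commit test `cr->data->name.name` for the same purpose. If `data` and `cr->data` can ever differ (this hunk does not show whether they can), a NULL name would reach the casing helper unchecked. Making the guard `if (cr->data->name.name == NULL) {` keeps the check on the dereferenced value and matches the sibling plugins.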
@@ -0,0 +1,234 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static const char *
+cache_req_object_by_id_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_asprintf(mem_ctx, "ID:%"PRIu32"@%s", data->id, domain->name);
+}
+
+static errno_t
+cache_req_object_by_id_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ errno_t ret;
+
+ ret = sss_ncache_check_uid(ncache, domain, data->id);
+ if (ret == EEXIST) {
+ ret = sss_ncache_check_gid(ncache, domain, data->id);
+ }
+
+ return ret;
+}
+
+static errno_t
+cache_req_object_by_id_ncache_filter(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ const char *name)
+{
+ errno_t ret;
+
+ ret = sss_ncache_check_user(ncache, domain, name);
+ if (ret == EEXIST) {
+ ret = sss_ncache_check_group(ncache, domain, name);
+ }
+
+ return ret;
+}
+
+static errno_t
+cache_req_object_by_id_global_ncache_add(struct sss_nc_ctx *ncache,
+ struct cache_req_data *data)
+{
+ errno_t ret;
+
+ ret = sss_ncache_set_uid(ncache, false, NULL, data->id);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = sss_ncache_set_gid(ncache, false, NULL, data->id);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
+cache_req_object_by_id_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ errno_t ret;
+
+ ret = sss_ncache_set_uid(ncache, false, domain, data->id);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = sss_ncache_set_gid(ncache, false, domain, data->id);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
+cache_req_object_by_id_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ errno_t ret;
+
+ ret = cache_req_idminmax_check(data, domain);
+ if (ret != EOK) {
+ return ret;
+ }
+ return sysdb_search_object_by_id(mem_ctx, domain, data->id,
+ data->attrs, _result);
+}
+
+static struct tevent_req *
+cache_req_object_by_id_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_USER_AND_GROUP, NULL,
+ cr->data->id, NULL);
+}
+
+static bool
+cache_req_object_by_id_get_domain_check(struct resp_ctx *rctx,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ int nret;
+
+ nret = sss_ncache_check_locate_uid(rctx->ncache, domain, data->id);
+ if (nret == EEXIST) {
+ nret = sss_ncache_check_locate_gid(rctx->ncache, domain, data->id);
+ if (nret == EEXIST) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static struct tevent_req *
+cache_req_object_by_id_get_domain_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ int nret;
+
+ nret = sss_ncache_set_locate_uid(rctx->ncache, domain, data->id);
+ if (nret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache, this might result in "
+ "performance degradation\n");
+ /* Not fatal */
+ }
+
+ nret = sss_ncache_set_locate_gid(rctx->ncache, domain, data->id);
+ if (nret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set negative cache, this might result in "
+ "performance degradation\n");
+ /* Not fatal */
+ }
+
+ return sss_dp_get_account_domain_send(mem_ctx,
+ rctx,
+ domain,
+ SSS_DP_USER_AND_GROUP,
+ data->id);
+}
+
+const struct cache_req_plugin cache_req_object_by_id = {
+ .name = "Object by ID",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = false,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = NULL,
+ .create_debug_name_fn = cache_req_object_by_id_create_debug_name,
+ .global_ncache_add_fn = cache_req_object_by_id_global_ncache_add,
+ .ncache_check_fn = cache_req_object_by_id_ncache_check,
+ .ncache_add_fn = cache_req_object_by_id_ncache_add,
+ .ncache_filter_fn = cache_req_object_by_id_ncache_filter,
+ .lookup_fn = cache_req_object_by_id_lookup,
+ .dp_send_fn = cache_req_object_by_id_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = cache_req_object_by_id_get_domain_check,
+ .dp_get_domain_send_fn = cache_req_object_by_id_get_domain_send,
+ .dp_get_domain_recv_fn = cache_req_common_get_acct_domain_recv,
+};
+
+struct tevent_req *
+cache_req_object_by_id_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ uint32_t id,
+ const char **attrs)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_id_attrs(mem_ctx, CACHE_REQ_OBJECT_BY_ID, id, attrs);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_name.c b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
new file mode 100644
index 0000000..a740fbb
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_name.c
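Review bot: The two DEBUG calls in cache_req_object_by_id_get_domain_send (cache_req_object_by_id.c) print identical text for the UID and the GID failure and drop `nret`, so a log reader cannot tell which negative-cache write failed, for which ID, or why. Because both failures are deliberately non-fatal, that log line is the only trace that repeated domain-locator requests for this ID will not be suppressed. I would make the messages distinct and include the error, e.g. `"Cannot set locate negative cache for UID %"PRIu32" [%d]: %s\n", data->id, nret, sss_strerror(nret)` for the first call and the same with `GID` for the second.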
@@ -0,0 +1,238 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_object_by_name_well_known(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct cache_req_result **_result)
+{
+ struct cache_req_result *result;
+ const char *sid;
+ char *domname;
+ char *name;
+ errno_t ret;
+
+ ret = sss_parse_name(mem_ctx, cr->rctx->global_names,
+ data->name.input, &domname, &name);
+ if (ret != EOK) {
+ CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, "Unable to parse name "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (domname == NULL || name == NULL) {
+ CACHE_REQ_DEBUG(SSSDBG_OP_FAILURE, cr, "Unable to split [%s] in "
+ "name and odmain part. Skipping detection of "
+ "well-known name.\n", data->name.input);
+ return ENOENT;
+ }
+
+ ret = name_to_well_known_sid(domname, name, &sid);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ result = cache_req_well_known_sid_result(mem_ctx, cr, domname, sid, name);
+ talloc_free(domname);
+ talloc_free(name);
+ if (result == NULL) {
+ return ENOMEM;
+ }
+
+ *_result = result;
+
+ return EOK;
+}
+
+static errno_t
+cache_req_object_by_name_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char *name;
+ errno_t ret;
+
+ if (cr->data->name.name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n");
+ return ERR_INTERNAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ name = sss_get_cased_name(tmp_ctx, cr->data->name.name,
+ domain->case_sensitive);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name = sss_reverse_replace_space(tmp_ctx, name, cr->rctx->override_space);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ name = sss_create_internal_fqname(tmp_ctx, name, domain->name);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_zfree(data->name.lookup);
+ data->name.lookup = talloc_steal(data, name);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char *
+cache_req_object_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_strdup(mem_ctx, data->name.lookup);
+}
+
+static errno_t
+cache_req_object_by_name_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ errno_t ret;
+
+ ret = sss_ncache_check_user(ncache, domain, data->name.lookup);
+ if (ret == EEXIST) {
+ ret = sss_ncache_check_group(ncache, domain, data->name.lookup);
+ }
+
+ return ret;
+}
+
+static errno_t
+cache_req_object_by_name_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ errno_t ret;
+
+ ret = sss_ncache_set_user(ncache, false, domain, data->name.lookup);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = sss_ncache_set_group(ncache, false, domain, data->name.lookup);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+static errno_t
+cache_req_object_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_search_object_by_name(mem_ctx, domain, data->name.lookup,
+ data->attrs, _result);
+}
+
+static struct tevent_req *
+cache_req_object_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_USER_AND_GROUP,
+ cr->data->name.lookup, 0, NULL);
+}
+
+const struct cache_req_plugin cache_req_object_by_name = {
+ .name = "Object by name",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = false,
+ .allow_switch_to_upn = true,
+ .upn_equivalent = CACHE_REQ_USER_BY_UPN,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = cache_req_object_by_name_well_known,
+ .prepare_domain_data_fn = cache_req_object_by_name_prepare_domain_data,
+ .create_debug_name_fn = cache_req_object_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_object_by_name_ncache_check,
+ .ncache_add_fn = cache_req_object_by_name_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_object_by_name_lookup,
+ .dp_send_fn = cache_req_object_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_object_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char **attrs)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_name_attrs(mem_ctx, CACHE_REQ_OBJECT_BY_NAME,
+ name, attrs);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
new file mode 100644
index 0000000..1af638f
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_object_by_sid.c
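Review bot: cache_req_object_by_name_well_known (cache_req_object_by_name.c) returns early without releasing `domname` and `name` in two places: the `domname == NULL || name == NULL` branch, where one of the two may still be set, and the `name_to_well_known_sid` failure branch, which is presumably taken for every name that is not well-known. Both strings appear to be talloc allocations under the caller's `mem_ctx`, so they stay alive until that context is freed, and this hunk does not show when that happens. Adding `talloc_free(domname); talloc_free(name);` before those returns would match the success path; parsing into a temporary context freed at a single `done:` label, as cache_req_object_by_name_prepare_domain_data does in the same file, would also work. The debug string in the same function spells `odmain` for `domain`.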
@@ -0,0 +1,153 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_object_by_sid_well_known(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct cache_req_result **_result)
+{
+ struct cache_req_result *result;
+ const char *domname;
+ const char *name;
+ errno_t ret;
+
+ ret = well_known_sid_to_name(data->sid, &domname, &name);
+ if (ret != EOK) {
+ CACHE_REQ_DEBUG(SSSDBG_TRACE_ALL, cr,
+ "SID [%s] is not a Well-Known SID.\n", data->sid);
+ return ret;
+ }
+
+ result = cache_req_well_known_sid_result(mem_ctx, cr, domname,
+ data->sid, name);
+ if (result == NULL) {
+ return ENOMEM;
+ }
+
+ *_result = result;
+
+ return EOK;
+}
+
+static const char *
+cache_req_object_by_sid_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ return talloc_asprintf(mem_ctx, "SID:%s@%s", data->sid, domain->name);
+}
+
+static errno_t
+cache_req_object_by_sid_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_sid(ncache, data->sid);
+}
+
+static errno_t
+cache_req_object_by_sid_global_ncache_add(struct sss_nc_ctx *ncache,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_sid(ncache, false, data->sid);
+}
+
+static errno_t
+cache_req_object_by_sid_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_search_object_by_sid(mem_ctx, domain, data->sid, data->attrs,
+ _result);
+}
+
+static struct tevent_req *
+cache_req_object_by_sid_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_SECID, cr->data->sid, 0, NULL);
+}
+
+const struct cache_req_plugin cache_req_object_by_sid = {
+ .name = "Object by SID",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = false,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = true,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = cache_req_object_by_sid_well_known,
+ .prepare_domain_data_fn = NULL,
+ .create_debug_name_fn = cache_req_object_by_sid_create_debug_name,
+ .global_ncache_add_fn = cache_req_object_by_sid_global_ncache_add,
+ .ncache_check_fn = cache_req_object_by_sid_ncache_check,
+ .ncache_add_fn = NULL,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_object_by_sid_lookup,
+ .dp_send_fn = cache_req_object_by_sid_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_object_by_sid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *sid,
+ const char **attrs)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_sid(mem_ctx, CACHE_REQ_OBJECT_BY_SID, sid, attrs);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
new file mode 100644
index 0000000..5b17051
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_name.c
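Review bot: cache_req_object_by_sid_ncache_check (cache_req_object_by_sid.c) accepts `domain` but never uses it, and the plugin table sets `.global_ncache_add_fn` while leaving `.ncache_add_fn = NULL`. Together these suggest SID negative entries are kept globally rather than per domain, but nothing in the file says so. A one-line comment on the check function would stop the unused parameter from being read as an oversight, e.g. `/* SIDs are negatively cached globally; domain is intentionally unused. */`. The same pattern appears in cache_req_user_by_cert_ncache_check in cache_req_user_by_cert.c and deserves the same comment.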
@@ -0,0 +1,185 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "db/sysdb_services.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_svc_by_name_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char *name;
+ const char *protocol;
+ errno_t ret;
+
+ if (data->svc.name->name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n");
+ return ERR_INTERNAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ name = sss_get_cased_name(tmp_ctx, data->svc.name->name,
+ domain->case_sensitive);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (data->svc.protocol.name == NULL) {
+ protocol = NULL;
+ } else {
+ protocol = sss_get_cased_name(tmp_ctx, data->svc.protocol.name,
+ domain->case_sensitive);
+ if (protocol == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ talloc_zfree(data->svc.name->lookup);
+ talloc_zfree(data->svc.protocol.lookup);
+ data->svc.name->lookup = talloc_steal(data, name);
+ data->svc.protocol.lookup = talloc_steal(data, protocol);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char *
+cache_req_svc_by_name_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ const char *protocol = data->svc.protocol.lookup;
+ const char *name = data->svc.name->lookup;
+
+ protocol = protocol == NULL ? "" : protocol;
+
+ return talloc_asprintf(mem_ctx, "%s %s@%s", protocol, name, domain->name);
+}
+
+static errno_t
+cache_req_svc_by_name_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_service(ncache, domain, data->svc.name->lookup,
+ data->svc.protocol.lookup);
+}
+
+static errno_t
+cache_req_svc_by_name_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_service_name(ncache, false, domain,
+ data->svc.name->lookup,
+ data->svc.protocol.lookup);
+}
+
+static errno_t
+cache_req_svc_by_name_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_getservbyname(mem_ctx, domain, data->svc.name->lookup,
+ data->svc.protocol.lookup, _result);
+}
+
+static struct tevent_req *
+cache_req_svc_by_name_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_SERVICES, cr->data->svc.name->lookup,
+ 0, cr->data->svc.protocol.lookup);
+}
+
+const struct cache_req_plugin cache_req_svc_by_name = {
+ .name = "Service by name",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = true,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = false,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = false,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = cache_req_svc_by_name_prepare_domain_data,
+ .create_debug_name_fn = cache_req_svc_by_name_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_svc_by_name_ncache_check,
+ .ncache_add_fn = cache_req_svc_by_name_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_svc_by_name_lookup,
+ .dp_send_fn = cache_req_svc_by_name_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_svc_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ const char *name,
+ const char *protocol)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_svc(mem_ctx, CACHE_REQ_SVC_BY_NAME, name, protocol, 0);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
new file mode 100644
index 0000000..4c005df
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_svc_by_port.c
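Review bot: The guard at the top of cache_req_svc_by_name_prepare_domain_data (cache_req_svc_by_name.c) tests `data->svc.name->name`, so it dereferences `data->svc.name` before anything in this file has checked that pointer. cache_req_svc_by_name_send passes `name` straight into cache_req_data_svc, and how that helper handles a NULL name is not visible here (cache_req_svc_by_port_send in the next file calls it with `NULL`), so it cannot be confirmed from this hunk that `svc.name` is always allocated. Widening the check to `if (data->svc.name == NULL || data->svc.name->name == NULL) {` keeps the existing ERR_INTERNAL path and turns a possible NULL dereference in the responder process into a logged error.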
@@ -0,0 +1,159 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "db/sysdb_services.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static errno_t
+cache_req_svc_by_port_prepare_domain_data(struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ const char *protocol;
+
+ if (data->svc.protocol.name == NULL) {
+ return EOK;
+ }
+
+ protocol = sss_get_cased_name(NULL, data->svc.protocol.name,
+ domain->case_sensitive);
+ if (protocol == NULL) {
+ return ENOMEM;
+ }
+
+ talloc_zfree(data->svc.protocol.lookup);
+ data->svc.protocol.lookup = talloc_steal(data, protocol);
+
+ return EOK;
+}
+
+static const char *
+cache_req_svc_by_port_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ const char *protocol = data->svc.protocol.lookup;
+
+ protocol = protocol == NULL ? "" : protocol;
+
+ return talloc_asprintf(mem_ctx, "%s %u@%s", protocol,
+ data->svc.port, domain->name);
+}
+
+static errno_t
+cache_req_svc_by_port_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_service_port(ncache, domain, data->svc.port,
+ data->svc.protocol.lookup);
+}
+
+static errno_t
+cache_req_svc_by_port_ncache_add(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_service_port(ncache, false, domain,
+ data->svc.port,
+ data->svc.protocol.lookup);
+}
+
+static errno_t
+cache_req_svc_by_port_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_getservbyport(mem_ctx, domain, data->svc.port,
+ data->svc.protocol.lookup, _result);
+}
+
+static struct tevent_req *
+cache_req_svc_by_port_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_SERVICES, NULL, cr->data->svc.port,
+ cr->data->svc.protocol.lookup);
+}
+
+const struct cache_req_plugin cache_req_svc_by_port = {
+ .name = "Service by port",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = false,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = false,
+ .search_all_domains = false,
+ .require_enumeration = false,
+ .allow_missing_fqn = false,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = cache_req_svc_by_port_prepare_domain_data,
+ .create_debug_name_fn = cache_req_svc_by_port_create_debug_name,
+ .global_ncache_add_fn = NULL,
+ .ncache_check_fn = cache_req_svc_by_port_ncache_check,
+ .ncache_add_fn = cache_req_svc_by_port_ncache_add,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_svc_by_port_lookup,
+ .dp_send_fn = cache_req_svc_by_port_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_svc_by_port_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ const char *domain,
+ uint16_t port,
+ const char *protocol)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_svc(mem_ctx, CACHE_REQ_SVC_BY_PORT,
+ NULL, protocol, port);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ CACHE_REQ_POSIX_DOM, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
new file mode 100644
index 0000000..a2dc1fa
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_cert.c
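Review bot: cache_req_svc_by_port_prepare_domain_data (cache_req_svc_by_port.c) allocates the cased protocol on the NULL talloc context and only afterwards reparents it with `talloc_steal(data, protocol)`, whereas the sibling function in cache_req_svc_by_name.c goes through a `tmp_ctx` that is always freed. Nothing leaks as written, but a parentless allocation is easy to orphan if an early return is later added between the two calls. Allocating on the final owner removes that window: `protocol = sss_get_cased_name(data, data->svc.protocol.name, domain->case_sensitive);` followed by `data->svc.protocol.lookup = protocol;` after the existing `talloc_zfree`.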
@@ -0,0 +1,127 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "providers/data_provider.h"
+#include "responder/common/cache_req/cache_req_plugin.h"
+
+static const char *
+cache_req_user_by_cert_create_debug_name(TALLOC_CTX *mem_ctx,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain)
+{
+ /* Certificates might be quite long, thus we only use
+ * the last 10 characters for logging. */
+ return talloc_asprintf(mem_ctx, "CERT:%s@%s",
+ get_last_x_chars(data->cert, 10), domain->name);
+}
+
+static errno_t
+cache_req_user_by_cert_ncache_check(struct sss_nc_ctx *ncache,
+ struct sss_domain_info *domain,
+ struct cache_req_data *data)
+{
+ return sss_ncache_check_cert(ncache, data->cert);
+}
+
+static errno_t
+cache_req_user_by_cert_global_ncache_add(struct sss_nc_ctx *ncache,
+ struct cache_req_data *data)
+{
+ return sss_ncache_set_cert(ncache, false, data->cert);
+}
+
+static errno_t
+cache_req_user_by_cert_lookup(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result **_result)
+{
+ return sysdb_search_user_by_cert_with_views(mem_ctx, domain, data->cert,
+ _result);
+}
+
+static struct tevent_req *
+cache_req_user_by_cert_dp_send(TALLOC_CTX *mem_ctx,
+ struct cache_req *cr,
+ struct cache_req_data *data,
+ struct sss_domain_info *domain,
+ struct ldb_result *result)
+{
+ return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true,
+ SSS_DP_CERT, cr->data->cert, 0, NULL);
+}
+
+const struct cache_req_plugin cache_req_user_by_cert = {
+ .name = "User by certificate",
+ .attr_expiration = SYSDB_CACHE_EXPIRE,
+ .parse_name = false,
+ .ignore_default_domain = false,
+ .bypass_cache = false,
+ .only_one_result = false,
+ .search_all_domains = true,
+ .require_enumeration = false,
+ .allow_missing_fqn = true,
+ .allow_switch_to_upn = false,
+ .upn_equivalent = CACHE_REQ_SENTINEL,
+ .get_next_domain_flags = SSS_GND_DESCEND,
+
+ .is_well_known_fn = NULL,
+ .prepare_domain_data_fn = NULL,
+ .create_debug_name_fn = cache_req_user_by_cert_create_debug_name,
+ .global_ncache_add_fn = cache_req_user_by_cert_global_ncache_add,
+ .ncache_check_fn = cache_req_user_by_cert_ncache_check,
+ .ncache_add_fn = NULL,
+ .ncache_filter_fn = NULL,
+ .lookup_fn = cache_req_user_by_cert_lookup,
+ .dp_send_fn = cache_req_user_by_cert_dp_send,
+ .dp_recv_fn = cache_req_common_dp_recv,
+ .dp_get_domain_check_fn = NULL,
+ .dp_get_domain_send_fn = NULL,
+ .dp_get_domain_recv_fn = NULL,
+};
+
+struct tevent_req *
+cache_req_user_by_cert_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache,
+ int cache_refresh_percent,
+ enum cache_req_dom_type req_dom_type,
+ const char *domain,
+ const char *pem_cert)
+{
+ struct cache_req_data *data;
+
+ data = cache_req_data_cert(mem_ctx, CACHE_REQ_USER_BY_CERT, pem_cert);
+ if (data == NULL) {
+ return NULL;
+ }
+
+ return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache,
+ cache_refresh_percent,
+ req_dom_type, domain,
+ data);
+}
diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
new file mode 100644
index 0000000..42b6e81
--- /dev/null
+++ b/src/responder/common/cache_req/plugins/cache_req_user_by_filter.c
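Review bot: The plugin table in cache_req_user_by_cert.c sets `.search_all_domains = true` and `.only_one_result = false`, so a single certificate can come back mapped to several users across domains, and the file does not say what a caller should do with that. If this lookup feeds certificate-based login, as the name suggests, the contract belongs next to the table; I would add a comment above `cache_req_user_by_cert` such as `/* May return several users for one certificate; callers must handle the ambiguity explicitly. */`. Separately, the debug name keeps only the last 10 characters of `data->cert`, which the in-code comment explains, but two different certificates can share that tail, so the log string should not be treated as a unique identifier.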
@@ -0,0 +1,162 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static errno_t +cache_req_user_by_filter_prepare_domain_data(struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx; + const char *name; + errno_t ret; + + if (cr->data->name.name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n"); + return ERR_INTERNAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + name = sss_get_cased_name(tmp_ctx, cr->data->name.name, + domain->case_sensitive); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + name = sss_reverse_replace_space(tmp_ctx, name, cr->rctx->override_space); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + talloc_zfree(data->name.lookup); + data->name.lookup = talloc_steal(data, name); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static const char * +cache_req_user_by_filter_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_strdup(mem_ctx, data->name.lookup); +} + +static errno_t +cache_req_user_by_filter_lookup(TALLOC_CTX *mem_ctx, + struct cache_req 
*cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + char *recent_filter; + errno_t ret; + + recent_filter = talloc_asprintf(mem_ctx, "(%s>=%lu)", SYSDB_LAST_UPDATE, + cr->req_start); + if (recent_filter == NULL) { + return ENOMEM; + } + + ret = sysdb_enumpwent_filter_with_views(mem_ctx, domain, data->name.lookup, + recent_filter, _result); + talloc_free(recent_filter); + + return ret; +} + +static struct tevent_req * +cache_req_user_by_filter_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_WILDCARD_USER, cr->data->name.lookup, + cr->data->id, NULL); +} + +const struct cache_req_plugin cache_req_user_by_filter = { + .name = "User by filter", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = true, + .ignore_default_domain = false, + .bypass_cache = true, + .only_one_result = false, + .search_all_domains = false, + .require_enumeration = false, + .allow_missing_fqn = false, + .allow_switch_to_upn = false, + .upn_equivalent = CACHE_REQ_SENTINEL, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = cache_req_user_by_filter_prepare_domain_data, + .create_debug_name_fn = cache_req_user_by_filter_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = NULL, + .ncache_add_fn = NULL, + .ncache_filter_fn = NULL, + .lookup_fn = cache_req_user_by_filter_lookup, + .dp_send_fn = cache_req_user_by_filter_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; + +struct tevent_req * +cache_req_user_by_filter_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *filter) +{ + struct 
cache_req_data *data; + + data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_FILTER, filter); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, NULL, + 0, + req_dom_type, domain, + data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_id.c b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c new file mode 100644 index 0000000..07bce7c --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_user_by_id.c 
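Review bot: cache_req_user_by_filter_lookup passes `data->name.lookup` to sysdb_enumpwent_filter_with_views() as a search filter after only the case folding and space replacement done in cache_req_user_by_filter_prepare_domain_data, so any escaping of filter metacharacters has to happen inside the sysdb call, which this hunk does not show. The string comes from the `filter` argument of cache_req_user_by_filter_send and is presumably client-supplied, so a comment above the lookup would record that contract, e.g. `/* name.lookup is a caller-supplied wildcard; the sysdb call is responsible for sanitizing it before it becomes part of an LDB filter */`. Separately, `"(%s>=%lu)"` formats `cr->req_start` with `%lu`; if that field is a time_t, as the name suggests, `(unsigned long) cr->req_start` keeps the format and the argument in agreement on every platform.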
@@ -0,0 +1,244 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static const char * +cache_req_user_by_id_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_asprintf(mem_ctx, "UID:%"PRIu32"@%s", data->id, domain->name); +} + +static errno_t +cache_req_user_by_id_ncache_check(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + errno_t ret; + + if (domain != NULL) { + ret = sss_ncache_check_uid(ncache, domain, data->id); + if (ret == EEXIST) { + return ret; + } + } + + return sss_ncache_check_uid(ncache, NULL, data->id); +} + +static errno_t +cache_req_user_by_id_ncache_filter(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + const char *name) +{ + return sss_ncache_check_user(ncache, domain, name); +} + +static errno_t +cache_req_user_by_id_global_ncache_add(struct sss_nc_ctx *ncache, + struct cache_req_data *data) +{ + return sss_ncache_set_uid(ncache, false, NULL, data->id); +} + +static errno_t +cache_req_user_by_id_ncache_add(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + return sss_ncache_set_uid(ncache, 
false, domain, data->id); +} + +static errno_t +cache_req_user_by_id_lookup(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + errno_t ret; + ret = cache_req_idminmax_check(data, domain); + if (ret != EOK) { + return ret; + } + return sysdb_getpwuid_with_views(mem_ctx, domain, data->id, _result); +} + +static errno_t +cache_req_user_by_id_dpreq_params(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct ldb_result *result, + const char **_string, + uint32_t *_id, + const char **_flag) +{ + uint32_t id; + + *_id = cr->data->id; + *_string = NULL; + *_flag = NULL; + + if (!DOM_HAS_VIEWS(cr->domain)) { + return EOK; + } + + /* We must search with views. */ + if (result == NULL || result->count == 0) { + *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; + return EOK; + } + + /* If domain has views we will try to use original values instead of the + * overridden ones. This is a must for the LOCAL view since we can't look + * it up otherwise. But it is also a shortcut for non-local views where + * we will not fail over to the overridden value. */ + + id = ldb_msg_find_attr_as_uint64(result->msgs[0], SYSDB_UIDNUM, 0); + if (id == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: id cannot be 0\n"); + *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; + return EOK; + } + + /* Now we have the original name and id. We don't have to search with + * views unless some error occurred. 
*/ + *_id = id; + + return EOK; +} + +static struct tevent_req * +cache_req_user_by_id_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + const char *string; + const char *flag; + uint32_t id; + errno_t ret; + + ret = cache_req_user_by_id_dpreq_params(mem_ctx, cr, result, + &string, &id, &flag); + if (ret != EOK) { + return NULL; + } + + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_USER, string, id, flag); +} + +static bool +cache_req_user_by_id_get_domain_check(struct resp_ctx *rctx, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + int nret; + + nret = sss_ncache_check_locate_uid(rctx->ncache, domain, data->id); + if (nret == EEXIST) { + return false; + } + + return true; +} + +static struct tevent_req * +cache_req_user_by_id_get_domain_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + int nret; + + nret = sss_ncache_set_locate_uid(rctx->ncache, domain, data->id); + if (nret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot set negative cache, this might result in " + "performance degradation\n"); + /* Not fatal */ + } + + return sss_dp_get_account_domain_send(mem_ctx, + rctx, + domain, + SSS_DP_USER, + data->id); +} + +const struct cache_req_plugin cache_req_user_by_id = { + .name = "User by ID", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = false, + .ignore_default_domain = false, + .bypass_cache = false, + .only_one_result = true, + .search_all_domains = false, + .require_enumeration = false, + .allow_missing_fqn = true, + .allow_switch_to_upn = false, + .upn_equivalent = CACHE_REQ_SENTINEL, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = NULL, + .create_debug_name_fn = cache_req_user_by_id_create_debug_name, + .global_ncache_add_fn = cache_req_user_by_id_global_ncache_add, + 
.ncache_check_fn = cache_req_user_by_id_ncache_check, + .ncache_add_fn = cache_req_user_by_id_ncache_add, + .ncache_filter_fn = cache_req_user_by_id_ncache_filter, + .lookup_fn = cache_req_user_by_id_lookup, + .dp_send_fn = cache_req_user_by_id_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = cache_req_user_by_id_get_domain_check, + .dp_get_domain_send_fn = cache_req_user_by_id_get_domain_send, + .dp_get_domain_recv_fn = cache_req_common_get_acct_domain_recv, +}; + +struct tevent_req * +cache_req_user_by_id_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + uid_t uid) +{ + struct cache_req_data *data; + + data = cache_req_data_id(mem_ctx, CACHE_REQ_USER_BY_ID, uid); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, + data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_name.c b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c new file mode 100644 index 0000000..d24a222 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_user_by_name.c 
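Review bot: In cache_req_user_by_id_dpreq_params the result of ldb_msg_find_attr_as_uint64() is assigned to `uint32_t id`, so a cached SYSDB_UIDNUM above UINT32_MAX is silently truncated and only the value 0 is rejected. A truncated value would be sent to the data provider as a different UID from the one stored in the cache. Keeping the value 64 bits wide until it has been range-checked avoids that: declare `uint64_t id;`, test `if (id == 0 || id > UINT32_MAX) {` with the existing fallback body, and assign `*_id = (uint32_t) id;`. The "Bug: id cannot be 0" message would then cover both cases and could be worded accordingly.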
@@ -0,0 +1,256 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static errno_t +cache_req_user_by_name_prepare_domain_data(struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx; + const char *name; + errno_t ret; + + if (cr->data->name.name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed name is NULL?\n"); + return ERR_INTERNAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + name = sss_get_cased_name(tmp_ctx, cr->data->name.name, + domain->case_sensitive); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + name = sss_reverse_replace_space(tmp_ctx, name, cr->rctx->override_space); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + name = sss_create_internal_fqname(tmp_ctx, name, domain->name); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + talloc_zfree(data->name.lookup); + data->name.lookup = talloc_steal(data, name); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static const char * +cache_req_user_by_name_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return 
talloc_strdup(mem_ctx, data->name.lookup); +} + +static errno_t +cache_req_user_by_name_ncache_check(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + return sss_ncache_check_user(ncache, domain, data->name.lookup); +} + +static errno_t +cache_req_user_by_name_ncache_add(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + return sss_ncache_set_user(ncache, false, domain, data->name.lookup); +} + +static errno_t +cache_req_user_by_name_lookup(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + if (data->attrs == NULL) { + return sysdb_getpwnam_with_views(mem_ctx, domain, data->name.lookup, + _result); + } + + return sysdb_get_user_attr_with_views(mem_ctx, domain, data->name.lookup, + data->attrs, _result); +} + +static errno_t +cache_req_user_by_name_dpreq_params(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct ldb_result *result, + const char **_string, + uint32_t *_id, + const char **_flag) +{ + const char *name; + + *_id = 0; + *_string = cr->data->name.lookup; + *_flag = NULL; + + if (!DOM_HAS_VIEWS(cr->domain)) { + return EOK; + } + + /* We must search with views. */ + if (result == NULL || result->count == 0) { + *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; + return EOK; + } + + /* If domain has views we will try to use original values instead of the + * overridden ones. This is a must for the LOCAL view since we can't look + * it up otherwise. But it is also a shortcut for non-local views where + * we will not fail over to the overridden value. */ + + name = ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: name cannot be NULL\n"); + *_flag = EXTRA_INPUT_MAYBE_WITH_VIEW; + return EOK; + } + + /* Now we have the original name and id. We don't have to search with + * views unless some error occurred. 
*/ + *_string = talloc_steal(mem_ctx, name); + + return EOK; +} + +static struct tevent_req * +cache_req_user_by_name_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + const char *string; + const char *flag; + uint32_t id; + errno_t ret; + + ret = cache_req_user_by_name_dpreq_params(mem_ctx, cr, result, + &string, &id, &flag); + if (ret != EOK) { + return NULL; + } + + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_USER, string, id, flag); +} + +const struct cache_req_plugin cache_req_user_by_name = { + .name = "User by name", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = true, + .ignore_default_domain = false, + .bypass_cache = false, + .only_one_result = true, + .search_all_domains = false, + .require_enumeration = false, + .allow_missing_fqn = false, + .allow_switch_to_upn = true, + .upn_equivalent = CACHE_REQ_USER_BY_UPN, + .get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = cache_req_user_by_name_prepare_domain_data, + .create_debug_name_fn = cache_req_user_by_name_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = cache_req_user_by_name_ncache_check, + .ncache_add_fn = cache_req_user_by_name_ncache_add, + .ncache_filter_fn = NULL, + .lookup_fn = cache_req_user_by_name_lookup, + .dp_send_fn = cache_req_user_by_name_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; + +struct tevent_req * +cache_req_user_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + enum cache_req_dom_type req_dom_type, + const char *domain, + const char *name) +{ + struct cache_req_data *data; + + data = cache_req_data_name(mem_ctx, CACHE_REQ_USER_BY_NAME, name); + if (data == NULL) { + 
return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + req_dom_type, domain, + data); +} + +struct tevent_req * +cache_req_user_by_name_attrs_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + int cache_refresh_percent, + const char *domain, + const char *name, + const char **attrs) +{ + struct cache_req_data *data; + + data = cache_req_data_name_attrs(mem_ctx, CACHE_REQ_USER_BY_NAME, + name, attrs); + if (data == NULL) { + return NULL; + } + + return cache_req_steal_data_and_send(mem_ctx, ev, rctx, ncache, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, domain, + data); +} diff --git a/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c new file mode 100644 index 0000000..e08ab70 --- /dev/null +++ b/src/responder/common/cache_req/plugins/cache_req_user_by_upn.c 
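Review bot: cache_req_user_by_name_dpreq_params re-parents the string returned by ldb_msg_find_attr_as_string() with `talloc_steal(mem_ctx, name)`, although that pointer refers to attribute data that still belongs to `result->msgs[0]`. If `mem_ctx` is freed before `result` (the lifetimes are not visible in this hunk), the message keeps a dangling value, and the steal also assumes the value is a talloc chunk of its own. Copying is the safer form: `*_string = talloc_strdup(mem_ctx, name);` followed by `if (*_string == NULL) return ENOMEM;`, which cache_req_user_by_name_dp_send already handles by returning NULL.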
@@ -0,0 +1,135 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "providers/data_provider.h" +#include "responder/common/cache_req/cache_req_plugin.h" + +static errno_t +cache_req_user_by_upn_prepare_domain_data(struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + const char *name; + + if (cr->data->name.name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Bug: parsed UPN is NULL?\n"); + return ERR_INTERNAL; + } + + /* When looking up UPNs we don't want to reverse-replace spaces, + * just search whatever the user passed in. strdup the name so we + * can safely steal it later. 
+ */ + name = talloc_strdup(data, cr->data->name.name); + if (name == NULL) { + return ENOMEM; + } + + talloc_zfree(data->name.lookup); + data->name.lookup = talloc_steal(data, name); + + return EOK; +} + +static const char * +cache_req_user_by_upn_create_debug_name(TALLOC_CTX *mem_ctx, + struct cache_req_data *data, + struct sss_domain_info *domain) +{ + return talloc_strdup(mem_ctx, data->name.lookup); +} + +static errno_t +cache_req_user_by_upn_ncache_check(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + return sss_ncache_check_upn(ncache, domain, data->name.lookup); +} + +static errno_t +cache_req_user_by_upn_ncache_add(struct sss_nc_ctx *ncache, + struct sss_domain_info *domain, + struct cache_req_data *data) +{ + return sss_ncache_set_upn(ncache, false, domain, data->name.lookup); +} + +static errno_t +cache_req_user_by_upn_lookup(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result **_result) +{ + if (data->attrs == NULL) { + return sysdb_getpwupn(mem_ctx, domain, true, data->name.lookup, _result); + } + + return sysdb_search_user_by_upn_res(mem_ctx, domain, true, + data->name.lookup, data->attrs, + _result); +} + +static struct tevent_req * +cache_req_user_by_upn_dp_send(TALLOC_CTX *mem_ctx, + struct cache_req *cr, + struct cache_req_data *data, + struct sss_domain_info *domain, + struct ldb_result *result) +{ + return sss_dp_get_account_send(mem_ctx, cr->rctx, domain, true, + SSS_DP_USER, cr->data->name.lookup, + 0, EXTRA_NAME_IS_UPN); +} + +const struct cache_req_plugin cache_req_user_by_upn = { + .name = "User by UPN", + .attr_expiration = SYSDB_CACHE_EXPIRE, + .parse_name = false, + .ignore_default_domain = false, + .bypass_cache = false, + .only_one_result = true, + .search_all_domains = false, + .require_enumeration = false, + .allow_missing_fqn = true, + .allow_switch_to_upn = false, + .upn_equivalent = CACHE_REQ_SENTINEL, + 
.get_next_domain_flags = SSS_GND_DESCEND, + + .is_well_known_fn = NULL, + .prepare_domain_data_fn = cache_req_user_by_upn_prepare_domain_data, + .create_debug_name_fn = cache_req_user_by_upn_create_debug_name, + .global_ncache_add_fn = NULL, + .ncache_check_fn = cache_req_user_by_upn_ncache_check, + .ncache_add_fn = cache_req_user_by_upn_ncache_add, + .ncache_filter_fn = NULL, + .lookup_fn = cache_req_user_by_upn_lookup, + .dp_send_fn = cache_req_user_by_upn_dp_send, + .dp_recv_fn = cache_req_common_dp_recv, + .dp_get_domain_check_fn = NULL, + .dp_get_domain_send_fn = NULL, + .dp_get_domain_recv_fn = NULL, +}; diff --git a/src/responder/common/data_provider/rdp.h b/src/responder/common/data_provider/rdp.h new file mode 100644 index 0000000..f0aed17 --- /dev/null +++ b/src/responder/common/data_provider/rdp.h 
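Review bot: In cache_req_user_by_upn_prepare_domain_data the copy is already allocated on `data` by `talloc_strdup(data, cr->data->name.name)`, so the later `talloc_steal(data, name)` does not change ownership, and the comment "strdup the name so we can safely steal it later" describes a step that is not needed. A plain `data->name.lookup = name;` with the comment shortened to `/* UPNs are looked up verbatim: no case folding or space replacement. */` would state the intent directly. In cache_req_user_by_upn_lookup the bare `true` passed to sysdb_getpwupn() and sysdb_search_user_by_upn_res() would also benefit from a short comment naming the parameter it sets.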
@@ -0,0 +1,80 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _RDP_H_ +#define _RDP_H_ + +#include "responder/common/responder.h" +#include "providers/data_provider/dp_iface_generated.h" +#include "providers/data_provider/dp_iface.h" +#include "sbus/sssd_dbus.h" +#include "util/util.h" + +struct be_conn; +struct resp_ctx; + +struct tevent_req *_rdp_message_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + const char *path, + const char *iface, + const char *method, + int first_arg_type, + ...); + +#define rdp_message_send(mem_ctx, rctx, domain, path, iface, \ + method, ...) \ + _rdp_message_send(mem_ctx, rctx, domain, path, iface, method, \ + ##__VA_ARGS__, DBUS_TYPE_INVALID) + +/* D-Bus reply message is freed with tevent request. Since all output data + * point inside D-Bus reply do not call talloc_free(req) unless + * you are not accessing the data any longer. */ +errno_t _rdp_message_recv(struct tevent_req *req, + int first_arg_type, + ...); + +#define rdp_message_recv(req, ...) \ + _rdp_message_recv(req, ##__VA_ARGS__, DBUS_TYPE_INVALID) + +/** + * Send D-Bus message to Data Provider but instead of returning the reply + * to the caller it forwards the reply to the client request. No further + * processing is required by the caller. 
In case of a failure the client + * request is freed since there is nothing we can do. + */ +void _rdp_message_send_and_reply(struct sbus_request *sbus_req, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + const char *path, + const char *iface, + const char *method, + int first_arg_type, + ...); + +#define rdp_message_send_and_reply(sbus_req, rctx, domain, path, iface, \ + method, ...) \ + _rdp_message_send_and_reply(sbus_req, rctx, domain, path, iface, method, \ + ##__VA_ARGS__, DBUS_TYPE_INVALID) + +errno_t rdp_register_client(struct be_conn *be_conn, + const char *client_name); + +#endif /* _RDP_CALLS_H_ */ diff --git a/src/responder/common/data_provider/rdp_client.c b/src/responder/common/data_provider/rdp_client.c new file mode 100644 index 0000000..d0b8357 --- /dev/null +++ b/src/responder/common/data_provider/rdp_client.c 
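Review bot: `_rdp_message_send` and the `rdp_message_send` macro have no comment describing the variadic contract, although the trailing arguments are untyped D-Bus type/pointer pairs and the macro silently appends the `DBUS_TYPE_INVALID` terminator. The compiler cannot diagnose a mismatched pair, so the declaration should state that callers pass `int type, const void *value` pairs (as rdp_register_client does with `DBUS_TYPE_STRING, &client_name`) and must not add a terminator of their own. The lifetime warning above `_rdp_message_recv` is hard to parse and could read `/* Output values point into the D-Bus reply, which is freed with the tevent request: do not talloc_free(req) while they are still in use. */`. The closing `#endif /* _RDP_CALLS_H_ */` also does not match the guard `_RDP_H_`.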
@@ -0,0 +1,55 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/common/data_provider/rdp.h" +#include "util/util.h" + +static void rdp_register_client_done(struct tevent_req *req); + +errno_t rdp_register_client(struct be_conn *be_conn, + const char *client_name) +{ + struct tevent_req *req; + + req = rdp_message_send(be_conn, be_conn->rctx, be_conn->domain, + DP_PATH, IFACE_DP_CLIENT, IFACE_DP_CLIENT_REGISTER, + DBUS_TYPE_STRING, &client_name); + if (req == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(req, rdp_register_client_done, NULL); + + return EOK; +} + +static void rdp_register_client_done(struct tevent_req *req) +{ + errno_t ret; + + ret = rdp_message_recv(req); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register client with DP\n"); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Client is registered with DP\n"); +} diff --git a/src/responder/common/data_provider/rdp_message.c b/src/responder/common/data_provider/rdp_message.c new file mode 100644 index 0000000..22127ac --- /dev/null +++ b/src/responder/common/data_provider/rdp_message.c 
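Review bot: rdp_register_client returns EOK as soon as the request has been created, and rdp_register_client_done only logs when registration fails, so the caller never learns that the Data Provider rejected or never received the registration. If that is intended, the function should say so, e.g. `/* Fire and forget: EOK means the request was created; a failed registration is only logged. */`. Note also that `_rdp_message_send` returns a request even when sending fails (it posts the error on the request), so the `req == NULL` branch covers allocation failure only.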
@@ -0,0 +1,308 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "responder/common/data_provider/rdp.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_errors.h" +#include "util/util.h" + +static errno_t +rdp_message_send_internal(struct resp_ctx *rctx, + struct sss_domain_info *domain, + DBusPendingCallNotifyFunction notify_fn, + void *notify_fn_data, + const char *path, + const char *iface, + const char *method, + int first_arg_type, + va_list va) +{ + struct be_conn *be_conn; + DBusMessage *msg = NULL; + dbus_bool_t bret; + errno_t ret; + + ret = sss_dp_get_domain_conn(rctx, domain->conn_name, &be_conn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: The Data Provider connection for " + "%s is not available!\n", domain->name); + goto done; + } + + msg = dbus_message_new_method_call(NULL, path, iface, method); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create message\n"); + ret = ENOMEM; + goto done; + } + + bret = dbus_message_append_args_valist(msg, first_arg_type, va); + if (!bret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "DP Request: %s %s.%s\n", path, iface, method); + + ret = sbus_conn_send(be_conn->conn, msg, 3000, + notify_fn, notify_fn_data, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"Unable to contact Data Provider " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (msg != NULL) { + dbus_message_unref(msg); + } + + return ret; +} + +static errno_t rdp_process_pending_call(TALLOC_CTX *mem_ctx, + DBusPendingCall *pending, + DBusMessage **_reply) +{ + DBusMessage *reply; + dbus_bool_t bret; + DBusError error; + errno_t ret; + + *_reply = NULL; + + dbus_error_init(&error); + + reply = dbus_pending_call_steal_reply(pending); + if (reply == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Severe error. A reply callback was " + "called but no reply was received and no timeout occurred\n"); + ret = EFAULT; + goto done; + } + + ret = sbus_talloc_bound_message(mem_ctx, reply); + if (ret != EOK) { + return ret; + } + + switch (dbus_message_get_type(reply)) { + case DBUS_MESSAGE_TYPE_METHOD_RETURN: + DEBUG(SSSDBG_TRACE_FUNC, "DP Success\n"); + ret = EOK; + break; + + case DBUS_MESSAGE_TYPE_ERROR: + bret = dbus_set_error_from_message(&error, reply); + if (bret == false) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read error from message\n"); + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_CRIT_FAILURE, "DP Error [%s]: %s\n", + error.name, (error.message == NULL ? "(null)" : error.message)); + ret = sbus_error_to_errno(&error); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected type?\n"); + ret = ERR_INTERNAL; + goto done; + } + + *_reply = reply; + +done: + dbus_pending_call_unref(pending); + dbus_error_free(&error); + + return ret; +} + +struct rdp_message_state { + struct DBusMessage *reply; +}; + +static void rdp_message_done(DBusPendingCall *pending, void *ptr); + +struct tevent_req *_rdp_message_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + const char *path, + const char *iface, + const char *method, + int first_arg_type, + ...) 
+{ + struct rdp_message_state *state; + struct tevent_req *req; + errno_t ret; + va_list va; + + req = tevent_req_create(mem_ctx, &state, struct rdp_message_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + va_start(va, first_arg_type); + ret = rdp_message_send_internal(rctx, domain, rdp_message_done, req, + path, iface, method, first_arg_type, va); + va_end(va); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to contact Data Provider " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto immediately; + } + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, rctx->ev); + + return req; +} + +static void rdp_message_done(DBusPendingCall *pending, void *ptr) +{ + struct rdp_message_state *state; + struct tevent_req *req; + errno_t ret; + + req = talloc_get_type(ptr, struct tevent_req); + state = tevent_req_data(req, struct rdp_message_state); + + ret = rdp_process_pending_call(state, pending, &state->reply); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t _rdp_message_recv(struct tevent_req *req, + int first_arg_type, + ...) +{ + struct rdp_message_state *state; + errno_t ret; + va_list va; + + TEVENT_REQ_RETURN_ON_ERROR(req); + + state = tevent_req_data(req, struct rdp_message_state); + + va_start(va, first_arg_type); + ret = sbus_parse_message_valist(state->reply, false, first_arg_type, va); + va_end(va); + + return ret; +} + +static void rdp_message_send_and_reply_done(DBusPendingCall *pending, + void *ptr); + +void _rdp_message_send_and_reply(struct sbus_request *sbus_req, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + const char *path, + const char *iface, + const char *method, + int first_arg_type, + ...) 
+{ + errno_t ret; + va_list va; + + va_start(va, first_arg_type); + ret = rdp_message_send_internal(rctx, domain, + rdp_message_send_and_reply_done, sbus_req, + path, iface, method, first_arg_type, va); + va_end(va); + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to contact Data Provider " + "[%d]: %s\n", ret, sss_strerror(ret)); + talloc_free(sbus_req); + } +} + +static void rdp_message_send_and_reply_done(DBusPendingCall *pending, + void *ptr) +{ + struct sbus_request *sbus_req; + DBusMessage *reply; + dbus_uint32_t serial; + const char *sender; + dbus_bool_t dbret; + errno_t ret; + + sbus_req = talloc_get_type(ptr, struct sbus_request); + + ret = rdp_process_pending_call(sbus_req, pending, &reply); + if (ret != EOK) { + /* Something bad happened. Just kill the request. */ + ret = EIO; + goto done; + } + + /* Otherwise we have a valid reply and we do not care about returned + * value. We set destination and serial in reply to point to the original + * client request. */ + + sender = dbus_message_get_sender(sbus_req->message); + serial = dbus_message_get_serial(sbus_req->message); + + dbret = dbus_message_set_destination(reply, sender); + if (dbret == false) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set reply sender!\n"); + ret = EIO; + goto done; + } + + dbret = dbus_message_set_reply_serial(reply, serial); + if (dbret == false) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set reply serial!\n"); + ret = EIO; + goto done; + } + + sbus_request_finish(sbus_req, reply); + + ret = EOK; + +done: + if (ret != EOK) { + /* Something bad happend, just kill the request. */ + talloc_free(sbus_req); + } +} diff --git a/src/responder/common/iface/responder_domain.c b/src/responder/common/iface/responder_domain.c new file mode 100644 index 0000000..2e7f788 --- /dev/null +++ b/src/responder/common/iface/responder_domain.c 
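Review bot: In rdp_process_pending_call the failure branch after sbus_talloc_bound_message() uses `return ret;` and so skips the `done:` label, leaking the reference on `pending` that every other path drops with dbus_pending_call_unref(). The stolen `reply` is presumably not tied to `mem_ctx` when binding fails, so it would be leaked as well. Suggested replacement for that branch: `if (ret != EOK) { dbus_message_unref(reply); goto done; }`. The same function is reached from both rdp_message_done and rdp_message_send_and_reply_done, so the leak would affect both request paths.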
@@ -0,0 +1,73 @@
+/*
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder.h"
+#include "responder/common/iface/responder_iface.h"
+
+static void set_domain_state_by_name(struct resp_ctx *rctx,
+ const char *domain_name,
+ enum sss_domain_state state)
+{
+ struct sss_domain_info *dom;
+
+ if (domain_name == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "BUG: NULL domain name\n");
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Setting state of domain %s\n", domain_name);
+
+ for (dom = rctx->domains;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+
+ if (strcasecmp(dom->name, domain_name) == 0) {
+ break;
+ }
+ }
+
+ if (dom != NULL) {
+ sss_domain_set_state(dom, state);
+ }
+}
+
+int sss_resp_domain_active(struct sbus_request *req,
+ void *data,
+ const char *domain_name)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Enabling domain %s\n", domain_name);
+ set_domain_state_by_name(rctx, domain_name, DOM_ACTIVE);
+ return iface_responder_domain_SetActive_finish(req);
+}
+
+int sss_resp_domain_inconsistent(struct sbus_request *req,
+ void *data,
+ const char *domain_name)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Disabling domain %s\n", domain_name);
+ set_domain_state_by_name(rctx, domain_name, DOM_INCONSISTENT);
+ return iface_responder_domain_SetInconsistent_finish(req);
+}
diff --git a/src/responder/common/iface/responder_iface.c b/src/responder/common/iface/responder_iface.c
new file mode 100644
index 0000000..71e530b
--- /dev/null
+++ b/src/responder/common/iface/responder_iface.c
@@ -0,0 +1,43 @@
+/*
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "sbus/sssd_dbus.h"
+#include "responder/common/iface/responder_iface.h"
+#include "responder/common/responder.h"
+
+struct iface_responder_domain iface_responder_domain = {
+ { &iface_responder_domain_meta, 0 },
+ .SetActive = sss_resp_domain_active,
+ .SetInconsistent = sss_resp_domain_inconsistent,
+};
+
+struct iface_responder_ncache iface_responder_ncache = {
+ { &iface_responder_ncache_meta, 0 },
+ .ResetUsers = sss_resp_reset_ncache_users,
+ .ResetGroups = sss_resp_reset_ncache_groups,
+};
+
+static struct sbus_iface_map iface_map[] = {
+ { RESPONDER_PATH, &iface_responder_domain.vtable },
+ { RESPONDER_PATH, &iface_responder_ncache.vtable },
+ { NULL, NULL }
+};
+
+struct sbus_iface_map *responder_get_sbus_interface(void)
+{
+ return iface_map;
+}
diff --git a/src/responder/common/iface/responder_iface.h b/src/responder/common/iface/responder_iface.h
new file mode 100644
index 0000000..5166b62
--- /dev/null
+++ b/src/responder/common/iface/responder_iface.h
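Review bot: In responder_domain.c, `set_domain_state_by_name()` silently does nothing when no domain matches `domain_name`, yet `sss_resp_domain_active()` and `sss_resp_domain_inconsistent()` still send the success reply, so a caller cannot tell an applied state change from one that matched nothing. An `else` branch on the final `if (dom != NULL)` that logs it, for example `DEBUG(SSSDBG_MINOR_FAILURE, "Unknown domain %s\n", domain_name);`, would at least leave a trace. Both handlers also pass the result of `talloc_get_type(data, struct resp_ctx)` on unchecked, and it is then dereferenced as `rctx->domains`. Using `talloc_get_type_abort()` would make a wrong `handler_data` type fail loudly instead of dereferencing NULL; the same applies to the two handlers in responder_ncache.c.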
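Review bot: In responder_iface.c, the vtable objects `iface_responder_domain` and `iface_responder_ncache` are writable globals with external linkage, although the only use visible here is taking their `.vtable` addresses in `iface_map` in the same file. If no other translation unit references them (not visible from this hunk), `static struct iface_responder_domain iface_responder_domain = {` and the matching change for the ncache table would keep these function-pointer tables out of the global namespace. The initializers also mix a positional first member with designated members; `.vtable = { &iface_responder_domain_meta, 0 },` would read more consistently.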
@@ -0,0 +1,42 @@ +/* + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _RESPONDER_IFACE_H_ +#define _RESPONDER_IFACE_H_ + +#include "responder/common/iface/responder_iface_generated.h" + +#define RESPONDER_PATH "/org/freedesktop/sssd/responder" + +struct sbus_iface_map *responder_get_sbus_interface(void); + +/* org.freedesktop.sssd.Responder.Domain */ + +int sss_resp_domain_active(struct sbus_request *req, + void *data, + const char *domain_name); + +int sss_resp_domain_inconsistent(struct sbus_request *req, + void *data, + const char *domain_name); + +/* org.freedesktop.sssd.Responder.NegativeCache */ + +int sss_resp_reset_ncache_users(struct sbus_request *req, void *data); +int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data); + +#endif /* _RESPONDER_IFACE_H_ */ diff --git a/src/responder/common/iface/responder_iface.xml b/src/responder/common/iface/responder_iface.xml new file mode 100644 index 0000000..9f092e0 --- /dev/null +++ b/src/responder/common/iface/responder_iface.xml @@ -0,0 +1,19 @@ + + + + + + + + + + + + + + + + + + diff --git a/src/responder/common/iface/responder_iface_generated.c b/src/responder/common/iface/responder_iface_generated.c new file mode 100644 index 0000000..21cc14a --- /dev/null +++ b/src/responder/common/iface/responder_iface_generated.c 
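Review bot: The four handler prototypes in responder_iface.h have no contract documentation, and two things a caller must know are only discoverable from the implementations. `data` has to be the responder's `struct resp_ctx` (the handlers recover it with `talloc_get_type`), and each handler ends by calling the matching `_finish()` function, after which `req` is no longer valid. A short comment above each group would cover it, e.g. `/* data: struct resp_ctx *; the handler replies and finishes req */`. Separately, the include guard `_RESPONDER_IFACE_H_` begins with an underscore followed by an uppercase letter, which C reserves for the implementation; `RESPONDER_IFACE_H_` avoids that.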
@@ -0,0 +1,121 @@ +/* The following definitions are auto-generated from responder_iface.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "responder_iface_generated.h" + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr); + +/* arguments for org.freedesktop.sssd.Responder.Domain.SetActive */ +const struct sbus_arg_meta iface_responder_domain_SetActive__in[] = { + { "name", "s" }, + { NULL, } +}; + +int iface_responder_domain_SetActive_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.Responder.Domain.SetInconsistent */ +const struct sbus_arg_meta iface_responder_domain_SetInconsistent__in[] = { + { "name", "s" }, + { NULL, } +}; + +int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.Responder.Domain */ +const struct sbus_method_meta iface_responder_domain__methods[] = { + { + "SetActive", /* name */ + iface_responder_domain_SetActive__in, + NULL, /* no out_args */ + offsetof(struct iface_responder_domain, SetActive), + invoke_s_method, + }, + { + "SetInconsistent", /* name */ + iface_responder_domain_SetInconsistent__in, + NULL, /* no out_args */ + offsetof(struct iface_responder_domain, SetInconsistent), + invoke_s_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.Responder.Domain */ +const struct sbus_interface_meta iface_responder_domain_meta = { + "org.freedesktop.sssd.Responder.Domain", /* name */ + iface_responder_domain__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +int iface_responder_ncache_ResetUsers_finish(struct 
sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.Responder.NegativeCache */ +const struct sbus_method_meta iface_responder_ncache__methods[] = { + { + "ResetUsers", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_responder_ncache, ResetUsers), + NULL, /* no invoker */ + }, + { + "ResetGroups", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_responder_ncache, ResetGroups), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.Responder.NegativeCache */ +const struct sbus_interface_meta iface_responder_ncache_meta = { + "org.freedesktop.sssd.Responder.NegativeCache", /* name */ + iface_responder_ncache__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + int (*handler)(struct sbus_request *, void *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} diff --git a/src/responder/common/iface/responder_iface_generated.h b/src/responder/common/iface/responder_iface_generated.h new file mode 100644 index 0000000..d78a9c6 --- /dev/null +++ b/src/responder/common/iface/responder_iface_generated.h 
@@ -0,0 +1,85 @@ +/* The following declarations are auto-generated from responder_iface.xml */ + +#ifndef __RESPONDER_IFACE_XML__ +#define __RESPONDER_IFACE_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for org.freedesktop.sssd.Responder.Domain */ +#define IFACE_RESPONDER_DOMAIN "org.freedesktop.sssd.Responder.Domain" +#define IFACE_RESPONDER_DOMAIN_SETACTIVE "SetActive" +#define IFACE_RESPONDER_DOMAIN_SETINCONSISTENT "SetInconsistent" + +/* constants for org.freedesktop.sssd.Responder.NegativeCache */ +#define IFACE_RESPONDER_NCACHE "org.freedesktop.sssd.Responder.NegativeCache" +#define IFACE_RESPONDER_NCACHE_RESETUSERS "ResetUsers" +#define IFACE_RESPONDER_NCACHE_RESETGROUPS "ResetGroups" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. + * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. 
+ */ + +/* vtable for org.freedesktop.sssd.Responder.Domain */ +struct iface_responder_domain { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*SetActive)(struct sbus_request *req, void *data, const char *arg_name); + int (*SetInconsistent)(struct sbus_request *req, void *data, const char *arg_name); +}; + +/* finish function for SetActive */ +int iface_responder_domain_SetActive_finish(struct sbus_request *req); + +/* finish function for SetInconsistent */ +int iface_responder_domain_SetInconsistent_finish(struct sbus_request *req); + +/* vtable for org.freedesktop.sssd.Responder.NegativeCache */ +struct iface_responder_ncache { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*ResetUsers)(struct sbus_request *req, void *data); + int (*ResetGroups)(struct sbus_request *req, void *data); +}; + +/* finish function for ResetUsers */ +int iface_responder_ncache_ResetUsers_finish(struct sbus_request *req); + +/* finish function for ResetGroups */ +int iface_responder_ncache_ResetGroups_finish(struct sbus_request *req); + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. + */ + +/* interface info for org.freedesktop.sssd.Responder.Domain */ +extern const struct sbus_interface_meta iface_responder_domain_meta; + +/* interface info for org.freedesktop.sssd.Responder.NegativeCache */ +extern const struct sbus_interface_meta iface_responder_ncache_meta; + +#endif /* __RESPONDER_IFACE_XML__ */ diff --git a/src/responder/common/iface/responder_ncache.c b/src/responder/common/iface/responder_ncache.c new file mode 100644 index 0000000..c7aa0a3 --- /dev/null +++ b/src/responder/common/iface/responder_ncache.c 
@@ -0,0 +1,41 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder.h"
+#include "responder/common/negcache.h"
+#include "responder/common/iface/responder_iface.h"
+
+int sss_resp_reset_ncache_users(struct sbus_request *req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ sss_ncache_reset_users(rctx->ncache);
+ return iface_responder_ncache_ResetUsers_finish(req);
+}
+
+int sss_resp_reset_ncache_groups(struct sbus_request *req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ sss_ncache_reset_groups(rctx->ncache);
+ return iface_responder_ncache_ResetGroups_finish(req);
+}
diff --git a/src/responder/common/negcache.c b/src/responder/common/negcache.c
new file mode 100644
index 0000000..c5c4317
--- /dev/null
+++ b/src/responder/common/negcache.c
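Review bot: Both handlers in responder_ncache.c discard the return value of `sss_ncache_reset_users()` / `sss_ncache_reset_groups()` and always send the success reply, although the implementations in negcache.c return `EIO` when `tdb_traverse()` fails. A failed reset therefore leaves stale negative-cache entries in place while the caller believes they were cleared. At minimum capture and log the result: `errno_t ret = sss_ncache_reset_users(rctx->ncache);` followed by `if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to reset negative cache [%d]: %s\n", ret, sss_strerror(ret)); }`, and likewise for groups. Returning an error reply instead of the success reply would be better still, if the sbus API in use offers one.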
@@ -0,0 +1,1267 @@ +/* + SSSD + + NSS Responder + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "confdb/confdb.h" +#include "responder/common/negcache_files.h" +#include "responder/common/responder.h" +#include "responder/common/negcache.h" +#include +#include +#include "tdb.h" + +#define NC_ENTRY_PREFIX "NCE/" +#define NC_USER_PREFIX NC_ENTRY_PREFIX"USER" +#define NC_GROUP_PREFIX NC_ENTRY_PREFIX"GROUP" +#define NC_NETGROUP_PREFIX NC_ENTRY_PREFIX"NETGR" +#define NC_SERVICE_PREFIX NC_ENTRY_PREFIX"SERVICE" +#define NC_UID_PREFIX NC_ENTRY_PREFIX"UID" +#define NC_GID_PREFIX NC_ENTRY_PREFIX"GID" +#define NC_SID_PREFIX NC_ENTRY_PREFIX"SID" +#define NC_CERT_PREFIX NC_ENTRY_PREFIX"CERT" +#define NC_DOMAIN_ACCT_LOCATE_PREFIX NC_ENTRY_PREFIX"DOM_LOCATE" +#define NC_DOMAIN_ACCT_LOCATE_TYPE_PREFIX NC_ENTRY_PREFIX"DOM_LOCATE_TYPE" + +struct sss_nc_ctx { + struct tdb_context *tdb; + uint32_t timeout; + uint32_t local_timeout; +}; + +typedef int (*ncache_set_byname_fn_t)(struct sss_nc_ctx *, bool, + const char *, const char *); + +static int sss_ncache_set_ent(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name, + ncache_set_byname_fn_t setter); + +static int string_to_tdb_data(char *str, TDB_DATA *ret) +{ + if (!str || !ret) return EINVAL; + + ret->dptr = (uint8_t *)str; + ret->dsize = strlen(str)+1; + + return EOK; +} + +int 
sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout, + uint32_t local_timeout, struct sss_nc_ctx **_ctx) +{ + struct sss_nc_ctx *ctx; + + ctx = talloc_zero(memctx, struct sss_nc_ctx); + if (!ctx) return ENOMEM; + + errno = 0; + /* open a memory only tdb with default hash size */ + ctx->tdb = tdb_open("memcache", 0, TDB_INTERNAL, O_RDWR|O_CREAT, 0); + if (!ctx->tdb) return errno; + + ctx->timeout = timeout; + ctx->local_timeout = local_timeout; + + *_ctx = ctx; + return EOK; +}; + +uint32_t sss_ncache_get_timeout(struct sss_nc_ctx *ctx) +{ + return ctx->timeout; +} + +static int sss_ncache_check_str(struct sss_nc_ctx *ctx, char *str) +{ + TDB_DATA key; + TDB_DATA data; + unsigned long long int timestamp; + bool expired = false; + char *ep; + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Checking negative cache for [%s]\n", str); + + data.dptr = NULL; + + ret = string_to_tdb_data(str, &key); + if (ret != EOK) goto done; + + data = tdb_fetch(ctx->tdb, key); + + if (!data.dptr) { + ret = ENOENT; + goto done; + } + + errno = 0; + timestamp = strtoull((const char *)data.dptr, &ep, 10); + if (errno != 0 || *ep != '\0') { + /* Malformed entry, remove it and return no entry */ + expired = true; + goto done; + } + + if (timestamp == 0) { + /* a 0 timestamp means this is a permanent entry */ + ret = EEXIST; + goto done; + } + + if (timestamp >= time(NULL)) { + /* still valid */ + ret = EEXIST; + goto done; + } + + expired = true; + +done: + if (expired) { + /* expired, remove and return no entry */ + tdb_delete(ctx->tdb, key); + ret = ENOENT; + } + + free(data.dptr); + return ret; +} + +static int sss_ncache_set_str(struct sss_nc_ctx *ctx, char *str, + bool permanent, bool use_local_negative) +{ + TDB_DATA key; + TDB_DATA data; + char *timest; + unsigned long long int timell; + int ret; + + ret = string_to_tdb_data(str, &key); + if (ret != EOK) return ret; + + if (permanent) { + timest = talloc_strdup(ctx, "0"); + } else { + if (use_local_negative == true && ctx->local_timeout 
> ctx->timeout) { + timell = ctx->local_timeout; + } else { + /* EOK is tested in cwrap based unit test */ + if (ctx->timeout == 0) { + return EOK; + } + timell = ctx->timeout; + } + timell += (unsigned long long int)time(NULL); + timest = talloc_asprintf(ctx, "%llu", timell); + } + if (!timest) return ENOMEM; + + ret = string_to_tdb_data(timest, &data); + if (ret != EOK) goto done; + + DEBUG(SSSDBG_TRACE_FUNC, "Adding [%s] to negative cache%s\n", + str, permanent?" permanently":""); + + ret = tdb_store(ctx->tdb, key, data, TDB_REPLACE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Negative cache failed to set entry: [%s]\n", + tdb_errorstr(ctx->tdb)); + ret = EFAULT; + } + +done: + talloc_free(timest); + return ret; +} + +static int sss_ncache_check_user_int(struct sss_nc_ctx *ctx, const char *domain, + const char *name) +{ + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_USER_PREFIX, domain, name); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +static int sss_ncache_check_group_int(struct sss_nc_ctx *ctx, + const char *domain, const char *name) +{ + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_GROUP_PREFIX, domain, name); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +static int sss_ncache_check_netgr_int(struct sss_nc_ctx *ctx, + const char *domain, const char *name) +{ + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_NETGROUP_PREFIX, domain, name); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +static int sss_ncache_check_service_int(struct sss_nc_ctx *ctx, + const char *domain, + const char *name) +{ + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = 
talloc_asprintf(ctx, "%s/%s/%s", + NC_SERVICE_PREFIX, + domain, + name); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +typedef int (*ncache_check_byname_fn_t)(struct sss_nc_ctx *, const char *, + const char *); + +static int sss_cache_check_ent(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, const char *name, + ncache_check_byname_fn_t checker) +{ + char *lower; + errno_t ret; + + if (dom->case_sensitive == false) { + lower = sss_tc_utf8_str_tolower(ctx, name); + if (!lower) return ENOMEM; + ret = checker(ctx, dom->name, lower); + talloc_free(lower); + } else { + ret = checker(ctx, dom->name, name); + } + + return ret; +} + +int sss_ncache_check_user(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + const char *name) +{ + return sss_cache_check_ent(ctx, dom, name, sss_ncache_check_user_int); +} + +int sss_ncache_check_upn(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + const char *name) +{ + char *neg_cache_name = NULL; + errno_t ret; + + neg_cache_name = talloc_asprintf(ctx, "@%s", name); + if (neg_cache_name == NULL) { + return ENOMEM; + } + + ret = sss_cache_check_ent(ctx, dom, neg_cache_name, + sss_ncache_check_user_int); + talloc_free(neg_cache_name); + + return ret; +} + +int sss_ncache_check_group(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + const char *name) +{ + return sss_cache_check_ent(ctx, dom, name, sss_ncache_check_group_int); +} + +int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + const char *name) +{ + return sss_cache_check_ent(ctx, dom, name, sss_ncache_check_netgr_int); +} + +static int sss_ncache_set_service_int(struct sss_nc_ctx *ctx, bool permanent, + const char *domain, const char *name) +{ + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_SERVICE_PREFIX, domain, name); + if (!str) return ENOMEM; + + ret = sss_ncache_set_str(ctx, str, permanent, false); + + 
talloc_free(str); + return ret; +} + +int sss_ncache_set_service_name(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, + const char *name, const char *proto) +{ + int ret; + char *service_and_protocol = talloc_asprintf(ctx, "%s:%s", + name, + proto ? proto : ""); + if (!service_and_protocol) return ENOMEM; + + ret = sss_ncache_set_ent(ctx, permanent, dom, + service_and_protocol, + sss_ncache_set_service_int); + talloc_free(service_and_protocol); + return ret; +} + +int sss_ncache_check_service(struct sss_nc_ctx *ctx,struct sss_domain_info *dom, + const char *name, const char *proto) +{ + int ret; + char *service_and_protocol = talloc_asprintf(ctx, "%s:%s", + name, + proto ? proto : ""); + if (!service_and_protocol) return ENOMEM; + + ret = sss_cache_check_ent(ctx, dom, service_and_protocol, + sss_ncache_check_service_int); + talloc_free(service_and_protocol); + return ret; +} + +int sss_ncache_set_service_port(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, + uint16_t port, const char *proto) +{ + int ret; + char *service_and_protocol = talloc_asprintf(ctx, "%ul:%s", + port, + proto ? proto : ""); + if (!service_and_protocol) return ENOMEM; + + ret = sss_ncache_set_ent(ctx, permanent, dom, + service_and_protocol, + sss_ncache_set_service_int); + talloc_free(service_and_protocol); + return ret; +} + +int sss_ncache_check_service_port(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + uint16_t port, + const char *proto) +{ + int ret; + char *service_and_protocol = talloc_asprintf(ctx, "%ul:%s", + port, + proto ? 
proto : ""); + if (!service_and_protocol) return ENOMEM; + + ret = sss_cache_check_ent(ctx, dom, service_and_protocol, + sss_ncache_check_service_int); + talloc_free(service_and_protocol); + return ret; +} + + + +int sss_ncache_check_uid(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + uid_t uid) +{ + char *str; + int ret; + + if (dom != NULL) { + str = talloc_asprintf(ctx, "%s/%s/%"SPRIuid, NC_UID_PREFIX, dom->name, + uid); + } else { + str = talloc_asprintf(ctx, "%s/%"SPRIuid, NC_UID_PREFIX, uid); + } + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +int sss_ncache_check_gid(struct sss_nc_ctx *ctx, struct sss_domain_info *dom, + gid_t gid) +{ + char *str; + int ret; + + if (dom != NULL) { + str = talloc_asprintf(ctx, "%s/%s/%"SPRIgid, NC_GID_PREFIX, dom->name, + gid); + } else { + str = talloc_asprintf(ctx, "%s/%"SPRIgid, NC_GID_PREFIX, gid); + } + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +int sss_ncache_check_sid(struct sss_nc_ctx *ctx, const char *sid) +{ + char *str; + int ret; + + str = talloc_asprintf(ctx, "%s/%s", NC_SID_PREFIX, sid); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + +int sss_ncache_check_cert(struct sss_nc_ctx *ctx, const char *cert) +{ + char *str; + int ret; + + str = talloc_asprintf(ctx, "%s/%s", NC_CERT_PREFIX, cert); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + + talloc_free(str); + return ret; +} + + +static int sss_ncache_set_user_int(struct sss_nc_ctx *ctx, bool permanent, + const char *domain, const char *name) +{ + bool use_local_negative = false; + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_USER_PREFIX, domain, name); + if (!str) return ENOMEM; + + if (ctx->local_timeout > 0) { + use_local_negative = is_user_local_by_name(name); + } + ret = 
sss_ncache_set_str(ctx, str, permanent, use_local_negative); + + talloc_free(str); + return ret; +} + +static int sss_ncache_set_group_int(struct sss_nc_ctx *ctx, bool permanent, + const char *domain, const char *name) +{ + bool use_local_negative = false; + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_GROUP_PREFIX, domain, name); + if (!str) return ENOMEM; + + if (ctx->local_timeout > 0) { + use_local_negative = is_group_local_by_name(name); + } + ret = sss_ncache_set_str(ctx, str, permanent, use_local_negative); + + talloc_free(str); + return ret; +} + +static int sss_ncache_set_netgr_int(struct sss_nc_ctx *ctx, bool permanent, + const char *domain, const char *name) +{ + char *str; + int ret; + + if (!name || !*name) return EINVAL; + + str = talloc_asprintf(ctx, "%s/%s/%s", NC_NETGROUP_PREFIX, domain, name); + if (!str) return ENOMEM; + + ret = sss_ncache_set_str(ctx, str, permanent, false); + + talloc_free(str); + return ret; +} + +static int sss_ncache_set_ent(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name, + ncache_set_byname_fn_t setter) +{ + char *lower; + errno_t ret; + + if (dom->case_sensitive == false) { + lower = sss_tc_utf8_str_tolower(ctx, name); + if (!lower) return ENOMEM; + ret = setter(ctx, permanent, dom->name, lower); + talloc_free(lower); + } else { + ret = setter(ctx, permanent, dom->name, name); + } + + return ret; +} + + +int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name) +{ + return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_user_int); +} + +int sss_ncache_set_upn(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name) +{ + char *neg_cache_name = NULL; + errno_t ret; + + neg_cache_name = talloc_asprintf(ctx, "@%s", name); + if (neg_cache_name == NULL) { + return ENOMEM; + } + + ret = sss_ncache_set_ent(ctx, permanent, dom, 
neg_cache_name, + sss_ncache_set_user_int); + talloc_free(neg_cache_name); + + return ret; +} + +int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name) +{ + return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_group_int); +} + +int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name) +{ + return sss_ncache_set_ent(ctx, permanent, dom, name, sss_ncache_set_netgr_int); +} + +int sss_ncache_set_uid(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, uid_t uid) +{ + bool use_local_negative = false; + char *str; + int ret; + + if (dom != NULL) { + str = talloc_asprintf(ctx, "%s/%s/%"SPRIuid, NC_UID_PREFIX, dom->name, + uid); + } else { + str = talloc_asprintf(ctx, "%s/%"SPRIuid, NC_UID_PREFIX, uid); + } + if (!str) return ENOMEM; + + if (ctx->local_timeout > 0) { + use_local_negative = is_user_local_by_uid(uid); + } + ret = sss_ncache_set_str(ctx, str, permanent, use_local_negative); + + talloc_free(str); + return ret; +} + +int sss_ncache_set_gid(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, gid_t gid) +{ + bool use_local_negative = false; + char *str; + int ret; + + if (dom != NULL) { + str = talloc_asprintf(ctx, "%s/%s/%"SPRIgid, NC_GID_PREFIX, dom->name, + gid); + } else { + str = talloc_asprintf(ctx, "%s/%"SPRIgid, NC_GID_PREFIX, gid); + } + if (!str) return ENOMEM; + + if (ctx->local_timeout > 0) { + use_local_negative = is_group_local_by_gid(gid); + } + ret = sss_ncache_set_str(ctx, str, permanent, use_local_negative); + + talloc_free(str); + return ret; +} + +int sss_ncache_set_sid(struct sss_nc_ctx *ctx, bool permanent, const char *sid) +{ + char *str; + int ret; + + str = talloc_asprintf(ctx, "%s/%s", NC_SID_PREFIX, sid); + if (!str) return ENOMEM; + + ret = sss_ncache_set_str(ctx, str, permanent, false); + + talloc_free(str); + return ret; +} + +int sss_ncache_set_cert(struct sss_nc_ctx 
*ctx, bool permanent, + const char *cert) +{ + char *str; + int ret; + + str = talloc_asprintf(ctx, "%s/%s", NC_CERT_PREFIX, cert); + if (!str) return ENOMEM; + + ret = sss_ncache_set_str(ctx, str, permanent, false); + + talloc_free(str); + return ret; +} + +static char *domain_lookup_type_str(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + const char *lookup_type) +{ + return talloc_asprintf(mem_ctx, + "%s/%s/%s", + NC_DOMAIN_ACCT_LOCATE_TYPE_PREFIX, + dom->name, + lookup_type); +} + +int sss_ncache_set_domain_locate_type(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + const char *lookup_type) +{ + char *str; + int ret; + + str = domain_lookup_type_str(ctx, dom, lookup_type); + if (!str) return ENOMEM; + + /* Permanent cache is always used here, because the lookup + * type's (getgrgid, getpwuid, ..) support locating an entry's domain + * doesn't change + */ + ret = sss_ncache_set_str(ctx, str, true, false); + talloc_free(str); + return ret; +} + +int sss_ncache_check_domain_locate_type(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + const char *lookup_type) +{ + char *str; + int ret; + + str = domain_lookup_type_str(ctx, dom, lookup_type); + if (!str) return ENOMEM; + + ret = sss_ncache_check_str(ctx, str); + talloc_free(str); + return ret; +} + +static char *locate_gid_str(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + gid_t gid) +{ + return talloc_asprintf(mem_ctx, + "%s/%s/%s/%"SPRIgid, + NC_DOMAIN_ACCT_LOCATE_PREFIX, + NC_GID_PREFIX, + dom->name, + gid); +} + +int sss_ncache_set_locate_gid(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + gid_t gid) +{ + char *str; + int ret; + + if (dom == NULL) { + return EINVAL; + } + + str = locate_gid_str(ctx, dom, gid); + if (str == NULL) { + return ENOMEM; + } + + ret = sss_ncache_set_str(ctx, str, false, false); + talloc_free(str); + return ret; +} + +int sss_ncache_check_locate_gid(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + gid_t gid) +{ + char *str; + int ret; + + 
if (dom == NULL) { + return EINVAL; + } + + str = locate_gid_str(ctx, dom, gid); + if (str == NULL) { + return ENOMEM; + } + + ret = sss_ncache_check_str(ctx, str); + talloc_free(str); + return ret; +} + +static char *locate_uid_str(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + uid_t uid) +{ + return talloc_asprintf(ctx, + "%s/%s/%s/%"SPRIuid, + NC_DOMAIN_ACCT_LOCATE_PREFIX, + NC_UID_PREFIX, + dom->name, + uid); +} + +int sss_ncache_set_locate_uid(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + uid_t uid) +{ + char *str; + int ret; + + if (dom == NULL) { + return EINVAL; + } + + str = locate_uid_str(ctx, dom, uid); + if (str == NULL) { + return ENOMEM; + } + + ret = sss_ncache_set_str(ctx, str, false, false); + talloc_free(str); + return ret; +} + +int sss_ncache_check_locate_uid(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + uid_t uid) +{ + char *str; + int ret; + + if (dom == NULL) { + return EINVAL; + } + + str = locate_uid_str(ctx, dom, uid); + if (str == NULL) { + return ENOMEM; + } + + ret = sss_ncache_check_str(ctx, str); + talloc_free(str); + return ret; +} + +static int delete_permanent(struct tdb_context *tdb, + TDB_DATA key, TDB_DATA data, void *state) +{ + unsigned long long int timestamp; + bool remove_key = false; + char *ep; + + if (strncmp((char *)key.dptr, + NC_ENTRY_PREFIX, sizeof(NC_ENTRY_PREFIX) - 1) != 0) { + /* not interested in this key */ + return 0; + } + + errno = 0; + timestamp = strtoull((const char *)data.dptr, &ep, 10); + if (errno != 0 || *ep != '\0') { + /* Malformed entry, remove it */ + remove_key = true; + goto done; + } + + if (timestamp == 0) { + /* a 0 timestamp means this is a permanent entry */ + remove_key = true; + } + +done: + if (remove_key) { + return tdb_delete(tdb, key); + } + + return 0; +} + +int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx) +{ + int ret; + + ret = tdb_traverse(ctx->tdb, delete_permanent, NULL); + if (ret < 0) + return EIO; + + return EOK; +} + +static int 
delete_prefix(struct tdb_context *tdb, + TDB_DATA key, TDB_DATA data, void *state) +{ + const char *prefix = (const char *) state; + + if (strncmp((char *)key.dptr, prefix, strlen(prefix) - 1) != 0) { + /* not interested in this key */ + return 0; + } + + return tdb_delete(tdb, key); +} + +static int sss_ncache_reset_pfx(struct sss_nc_ctx *ctx, + const char **prefixes) +{ + int ret; + + if (prefixes == NULL) { + return EOK; + } + + for (int i = 0; prefixes[i] != NULL; i++) { + ret = tdb_traverse(ctx->tdb, + delete_prefix, + discard_const(prefixes[i])); + if (ret < 0) { + return EIO; + } + } + + return EOK; +} + +int sss_ncache_reset_users(struct sss_nc_ctx *ctx) +{ + const char *prefixes[] = { + NC_USER_PREFIX, + NC_UID_PREFIX, + NULL, + }; + + return sss_ncache_reset_pfx(ctx, prefixes); +} + +int sss_ncache_reset_groups(struct sss_nc_ctx *ctx) +{ + const char *prefixes[] = { + NC_GROUP_PREFIX, + NC_GID_PREFIX, + NULL, + }; + + return sss_ncache_reset_pfx(ctx, prefixes); +} + +errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache, + struct confdb_ctx *cdb, + struct resp_ctx *rctx) +{ + errno_t ret; + char **filter_list = NULL; + char **default_list = NULL; + char *name = NULL; + struct sss_domain_info *dom = NULL; + struct sss_domain_info *domain_list = rctx->domains; + char *domainname = NULL; + char *conf_path = NULL; + TALLOC_CTX *tmpctx = talloc_new(NULL); + int i; + char *fqname = NULL; + + if (tmpctx == NULL) { + return ENOMEM; + } + + /* Populate domain-specific negative cache user entries */ + for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { + conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, + dom->name); + if (!conf_path) { + ret = ENOMEM; + goto done; + } + + talloc_zfree(filter_list); + ret = confdb_get_string_as_list(cdb, tmpctx, conf_path, + CONFDB_NSS_FILTER_USERS, + &filter_list); + if (ret == ENOENT) continue; + if (ret != EOK) goto done; + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = 
sss_parse_name_for_domains(tmpctx, domain_list, + rctx->default_domain, + filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, + "cannot add [%s] to negcache because the required or " + "default domain are not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterUsers list: [%s] (%d)\n", + filter_list[i], ret); + continue; + } + + if (domainname && strcmp(domainname, dom->name)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Mismatch between domain name (%s) and name " + "set in FQN (%s), skipping user %s\n", + dom->name, domainname, name); + continue; + } + + fqname = sss_create_internal_fqname(tmpctx, name, dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_user(ncache, true, dom, fqname); + talloc_zfree(fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent user filter for [%s]" + " (%d [%s])\n", filter_list[i], + ret, strerror(ret)); + continue; + } + } + } + + /* Populate non domain-specific negative cache user entries */ + ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_FILTER_USERS, &filter_list); + if (ret != EOK && ret != ENOENT) { + goto done; + } + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, + rctx->default_domain, filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot add [%s] to negcache because the required or " + "default domain are not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterUsers list: [%s] (%d)\n", + filter_list[i], ret); + continue; + } + if (domainname) { + dom = responder_get_domain(rctx, domainname); + if (!dom) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid domain name [%s]\n", domainname); + continue; + } + + fqname = sss_create_internal_fqname(tmpctx, name, dom->name); + if (fqname == NULL) 
{ + continue; + } + + ret = sss_ncache_set_user(ncache, true, dom, fqname); + talloc_zfree(fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent user filter for [%s]" + " (%d [%s])\n", filter_list[i], + ret, strerror(ret)); + continue; + } + } else { + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + fqname = sss_create_internal_fqname(tmpctx, name, dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_user(ncache, true, dom, fqname); + talloc_zfree(fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent user filter for" + " [%s:%s] (%d [%s])\n", + dom->name, filter_list[i], + ret, strerror(ret)); + continue; + } + } + } + } + + /* Populate domain-specific negative cache group entries */ + for (dom = domain_list; dom; dom = get_next_domain(dom, 0)) { + conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, dom->name); + if (!conf_path) { + ret = ENOMEM; + goto done; + } + + talloc_zfree(filter_list); + ret = confdb_get_string_as_list(cdb, tmpctx, conf_path, + CONFDB_NSS_FILTER_GROUPS, &filter_list); + if (ret == ENOENT) continue; + if (ret != EOK) goto done; + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name(tmpctx, dom->names, filter_list[i], + &domainname, &name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterGroups list: [%s] (%d)\n", + filter_list[i], ret); + continue; + } + + if (domainname && strcmp(domainname, dom->name)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Mismatch between domain name (%s) and name " + "set in FQN (%s), skipping group %s\n", + dom->name, domainname, name); + continue; + } + + fqname = sss_create_internal_fqname(tmpctx, name, dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_group(ncache, true, dom, fqname); + talloc_zfree(fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent group filter for 
[%s]" + " (%d [%s])\n", filter_list[i], + ret, strerror(ret)); + continue; + } + } + } + + /* Populate non domain-specific negative cache group entries */ + ret = confdb_get_string_as_list(cdb, tmpctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_FILTER_GROUPS, &filter_list); + if (ret != EOK && ret != ENOENT) { + goto done; + } + + for (i = 0; (filter_list && filter_list[i]); i++) { + ret = sss_parse_name_for_domains(tmpctx, domain_list, + rctx->default_domain, filter_list[i], + &domainname, &name); + if (ret == EAGAIN) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot add [%s] to negcache because the required or " + "default domain are not known yet\n", filter_list[i]); + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in filterGroups list: [%s] (%d)\n", + filter_list[i], ret); + continue; + } + if (domainname) { + dom = responder_get_domain(rctx, domainname); + if (!dom) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid domain name [%s]\n", domainname); + continue; + } + + fqname = sss_create_internal_fqname(tmpctx, name, dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_group(ncache, true, dom, fqname); + talloc_zfree(fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent group filter for" + " [%s] (%d [%s])\n", filter_list[i], + ret, strerror(ret)); + continue; + } + } else { + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + fqname = sss_create_internal_fqname(tmpctx, name, dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_group(ncache, true, dom, fqname); + talloc_zfree(fqname); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to store permanent group filter for" + " [%s:%s] (%d [%s])\n", + dom->name, filter_list[i], + ret, strerror(ret)); + continue; + } + } + } + } + + /* SSSD doesn't handle "root", thus it'll be added to the negative cache + * nonetheless what's already added there. 
*/ + default_list = talloc_array(tmpctx, char *, 2); + if (default_list == NULL) { + ret= ENOMEM; + goto done; + } + default_list[0] = talloc_strdup(tmpctx, "root"); + if (default_list[0] == NULL) { + ret = ENOMEM; + goto done; + } + default_list[1] = NULL; + + /* Populate negative cache users and groups entries for the + * "default_list" */ + for (i = 0; (default_list != NULL && default_list[i] != NULL); i++) { + for (dom = domain_list; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) { + fqname = sss_create_internal_fqname(tmpctx, + default_list[i], + dom->name); + if (fqname == NULL) { + continue; + } + + ret = sss_ncache_set_user(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent user filter for" + " [%s:%s] (%d [%s])\n", + dom->name, default_list[i], + ret, strerror(ret)); + continue; + } + + ret = sss_ncache_set_group(ncache, true, dom, fqname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent group filter for" + " [%s:%s] (%d [%s])\n", + dom->name, default_list[i], + ret, strerror(ret)); + continue; + } + } + } + + /* Also add "root" uid and gid to the negative cache */ + ret = sss_ncache_set_uid(ncache, true, NULL, 0); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent uid filter for root (0) " + "(%d [%s])\n", + ret, strerror(ret)); + } + + ret = sss_ncache_set_gid(ncache, true, NULL, 0); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store permanent gid filter for root (0) " + "(%d [%s])\n", + ret, strerror(ret)); + } + + ret = EOK; + +done: + talloc_free(tmpctx); + return ret; +} + +/* Reset permanent negcache after checking the domains */ +errno_t sss_ncache_reset_repopulate_permanent(struct resp_ctx *rctx, + struct sss_nc_ctx *ncache) +{ + int ret; + + ret = sss_ncache_reset_permanent(ncache); + if (ret == EOK) { + ret = sss_ncache_prepopulate(ncache, rctx->cdb, rctx); + } + + return ret; +} 
diff --git a/src/responder/common/negcache.h b/src/responder/common/negcache.h
new file mode 100644
index 0000000..a804122
--- /dev/null
+++ b/src/responder/common/negcache.h
@@ -0,0 +1,165 @@
+/*
+ SSSD
+
+ NSS Responder
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _NSS_NEG_CACHE_H_
+#define _NSS_NEG_CACHE_H_
+
+struct sss_nc_ctx;
+
+/* init the in memory negative cache */
+int sss_ncache_init(TALLOC_CTX *memctx, uint32_t timeout,
+ uint32_t local_timeout, struct sss_nc_ctx **_ctx);
+
+uint32_t sss_ncache_get_timeout(struct sss_nc_ctx *ctx);
+
+/* check if the user is expired according to the passed in time to live */
+int sss_ncache_check_user(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ const char *name);
+int sss_ncache_check_upn(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ const char *name);
+int sss_ncache_check_group(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ const char *name);
+int sss_ncache_check_netgr(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ const char *name);
+int sss_ncache_check_uid(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ uid_t uid);
+int sss_ncache_check_gid(struct sss_nc_ctx *ctx, struct sss_domain_info *dom,
+ gid_t gid);
+int sss_ncache_check_sid(struct sss_nc_ctx *ctx, const char *sid);
+int sss_ncache_check_cert(struct sss_nc_ctx *ctx, const char *cert);
+
+int sss_ncache_check_service(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name,
+ const char *proto);
+int sss_ncache_check_service_port(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ uint16_t port,
+ const char *proto);
+
+/* add a new neg-cache entry setting the timestamp to "now" unless
+ * "permanent" is set to true, in which case the timestamps is set to 0
+ * and the negative cache never expires (used to permanently filter out
+ * users and groups) */
+int sss_ncache_set_user(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name);
+int sss_ncache_set_upn(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name);
+int sss_ncache_set_group(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name);
+int sss_ncache_set_netgr(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name);
+int sss_ncache_set_uid(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, uid_t uid);
+int sss_ncache_set_gid(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, gid_t gid);
+int sss_ncache_set_sid(struct sss_nc_ctx *ctx, bool permanent, const char *sid);
+int sss_ncache_set_cert(struct sss_nc_ctx *ctx, bool permanent,
+ const char *cert);
+int sss_ncache_set_service_name(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom,
+ const char *name, const char *proto);
+int sss_ncache_set_service_port(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom,
+ uint16_t port, const char *proto);
+/*
+ * Mark the lookup_type as not supporting the negative cache. This
+ * would be used by the corresponding checker to avoid needless
+ * subsequent calls to the locator for configurations that do not
+ * support the locator plugin.
+ *
+ * @param ctx The negative cache.
+ * @param dom The top-level domain. It is expected that the caller
+ * would use the top-level domain head here, because
+ * this negative cache is "per-request-type" which is the
+ * same for all subdomains of a domain.
+ * @param lookup_type Lookup type, e.g. getpwuid, getgrnam.
+ *
+ * @return EOK on success, errno on failure.
+ */
+int sss_ncache_set_domain_locate_type(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *lookup_type);
+/*
+ * Check if the lookup_type supports the domain locator request.
+ *
+ * @param ctx The negative cache.
+ * @param dom The top-level domain. It is expected that the caller
+ * would use the top-level domain head here, because
+ * this negative cache is "per-request-type" which is the
+ * same for all subdomains of a domain.
+ * @param lookup_type Lookup type, e.g. getpwuid, getgrnam.
+ *
+ * @return ENOENT if the request supports the locator (or we
+ * haven't checked yet), EEXIST if the request does
+ * not support the domain locator request.
+ */
+int sss_ncache_check_domain_locate_type(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *key);
+
+/*
+ * Call these two functions to mark a GID as checked until the negative
+ * cache expires. This function is used to avoid a situation where
+ * GID would be found in a subsequent domain, so any request that
+ * searches for this GID again (even if it was cached) would first
+ * run the locator again.
+ *
+ * While this negative cache entry is valid, it is expected that
+ * the negatively cached entries in the domain's GID negative
+ * cache (if any) are valid.
+ *
+ * The sss_ncache_set_locate_gid() is called by the locator request
+ * when it finishes, the sss_ncache_check_locate_gid() is called
+ * by the caller of the locator request to find if the locator
+ * should be called at all.
+ */
+int sss_ncache_set_locate_gid(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ gid_t gid);
+int sss_ncache_check_locate_gid(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ gid_t gid);
+int sss_ncache_check_locate_uid(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ uid_t uid);
+int sss_ncache_set_locate_uid(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ uid_t uid);
+
+int sss_ncache_reset_permanent(struct sss_nc_ctx *ctx);
+int sss_ncache_reset_users(struct sss_nc_ctx *ctx);
+int sss_ncache_reset_groups(struct sss_nc_ctx *ctx);
+
+struct resp_ctx;
+
+/* Set up the negative cache with values from filter_users and
+ * filter_groups in the sssd.conf
+ */
+errno_t sss_ncache_prepopulate(struct sss_nc_ctx *ncache,
+ struct confdb_ctx *cdb,
+ struct resp_ctx *rctx);
+
+/* Flush the negcache and then repopulate */
+errno_t sss_ncache_reset_repopulate_permanent(struct resp_ctx *rctx,
+ struct sss_nc_ctx *ncache);
+
+#endif /* _NSS_NEG_CACHE_H_ */
diff --git a/src/responder/common/negcache_files.c b/src/responder/common/negcache_files.c
new file mode 100644
index 0000000..4256186
--- /dev/null
+++ b/src/responder/common/negcache_files.c
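Review bot: The prototype of `sss_ncache_check_domain_locate_type()` names its last parameter `key`, while the comment directly above it documents `@param lookup_type` and the sibling setter uses `lookup_type`; the declaration should end with `const char *lookup_type);` so the doc block and the prototype agree. The setter's comment also opens with "Mark the lookup_type as not supporting the negative cache", which, judging by the checker's description, appears to mean the domain locator rather than the negative cache. The `sss_ncache_set_locate_uid()` / `sss_ncache_check_locate_uid()` pair is declared without any comment; a short `/* UID counterparts of the locate_gid functions above */` would cover it.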
@@ -0,0 +1,112 @@
+/*
+ SSSD
+
+ NSS Responder
+
+ Copyright (C) Petr Čech 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include "util/util.h"
+#include "responder/common/negcache_files.h"
+
+#define BUFFER_SIZE 16384
+
+bool is_user_local_by_name(const char *name)
+{
+ struct passwd pwd = { 0 };
+ struct passwd *pwd_result;
+ char buffer[BUFFER_SIZE];
+ bool is_local = false;
+ int ret;
+ char *shortname = NULL;
+
+ ret = sss_parse_internal_fqname(NULL, name, &shortname, NULL);
+ if (ret != EOK) {
+ return false;
+ }
+
+ ret = getpwnam_r(shortname, &pwd, buffer, BUFFER_SIZE, &pwd_result);
+ talloc_free(shortname);
+ if (ret == EOK && pwd_result != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "User %s is a local user\n", name);
+ is_local = true;
+ }
+
+ return is_local;
+}
+
+bool is_user_local_by_uid(uid_t uid)
+{
+ struct passwd pwd = { 0 };
+ struct passwd *pwd_result;
+ char buffer[BUFFER_SIZE];
+ bool is_local = false;
+ int ret;
+
+ ret = getpwuid_r(uid, &pwd, buffer, BUFFER_SIZE, &pwd_result);
+ if (ret == EOK && pwd_result != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "User with UID %"SPRIuid" is a local user\n", uid);
+ is_local = true;
+ }
+
+ return is_local;
+}
+
+bool is_group_local_by_name(const char *name)
+{
+ struct group grp = { 0 };
+ struct group *grp_result;
+ char buffer[BUFFER_SIZE];
+ bool is_local = false;
+ int ret;
+ char *shortname = NULL;
+
+ ret = sss_parse_internal_fqname(NULL, name, &shortname, NULL);
+ if (ret != EOK) {
+ return false;
+ }
+
+ ret = getgrnam_r(shortname, &grp, buffer, BUFFER_SIZE, &grp_result);
+ talloc_free(shortname);
+ if (ret == EOK && grp_result != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Group %s is a local group\n", name);
+ is_local = true;
+ }
+
+ return is_local;
+}
+
+bool is_group_local_by_gid(uid_t gid)
+{
+ struct group grp = { 0 };
+ struct group *grp_result;
+ char buffer[BUFFER_SIZE];
+ bool is_local = false;
+ int ret;
+
+ ret = getgrgid_r(gid, &grp, buffer, BUFFER_SIZE, &grp_result);
+ if (ret == EOK && grp_result != NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Group with GID %"SPRIgid" is a local group\n", gid);
+ is_local = true;
+ }
+
+ return is_local;
+}
diff --git a/src/responder/common/negcache_files.h b/src/responder/common/negcache_files.h
new file mode 100644
index 0000000..01d9f08
--- /dev/null
+++ b/src/responder/common/negcache_files.h
@@ -0,0 +1,31 @@
+/*
+ SSSD
+
+ NSS Responder
+
+ Copyright (C) Petr Čech 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _NEGCACHE_FILES_H_
+#define _NEGCACHE_FILES_H_
+
+bool is_user_local_by_name(const char *name);
+bool is_user_local_by_uid(uid_t uid);
+
+bool is_group_local_by_name(const char *name);
+bool is_group_local_by_gid(gid_t gid);
+
+#endif /* _NEGCACHE_FILES_H_ */
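Review bot: `is_group_local_by_gid()` is defined here as taking `uid_t gid`, while the prototype added in negcache_files.h declares `gid_t gid`; the definition should read `bool is_group_local_by_gid(gid_t gid)`. Separately, all four helpers treat any non-zero return from the `get*_r()` call as "not local", so an `ERANGE` from an entry that does not fit the fixed 16384-byte buffer (plausible for a group with many members) silently yields `false`. In negcache.c that result is passed on as `use_local_negative`, so such an entry would presumably get the regular timeout rather than the local one. At minimum the case should be logged, e.g. `if (ret == ERANGE) DEBUG(SSSDBG_MINOR_FAILURE, "Buffer too small for GID %"SPRIgid"\n", gid);`.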
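Review bot: This header uses `bool`, `uid_t` and `gid_t` but includes nothing, so it compiles only when the includer has already pulled in those definitions (negcache_files.c includes "util/util.h" before it). Adding `#include <stdbool.h>` and `#include <sys/types.h>` after the include guard would make it self-contained. The four prototypes also carry no comment; a short one stating that "local" means the name or ID resolves through the `getpw*_r()` / `getgr*_r()` calls would tell callers what the result is based on.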
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h new file mode 100644 index 0000000..987a5d1 --- /dev/null +++ b/src/responder/common/responder.h 
@@ -0,0 +1,492 @@ +/* + SSSD + + SSS Client Responder, header file + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSS_RESPONDER_H__ +#define __SSS_RESPONDER_H__ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "data_provider/rdp.h" +#include "sbus/sssd_dbus.h" +#include "responder/common/negcache.h" +#include "sss_client/sss_cli.h" +#include "responder/common/cache_req/cache_req_domain.h" +#include "util/session_recording.h" + +extern hash_table_t *dp_requests; + +/* we want default permissions on created files to be very strict, + * so set our umask to 0177 */ +#define DFL_RSP_UMASK SSS_DFL_UMASK + +/* Public sockets must be readable and writable by anybody on the system. + * So we set umask to 0111. 
*/ +#define SCKT_RSP_UMASK 0111 + +/* Neither the local provider nor the files provider have a back + * end in the traditional sense and can always just consult + * the responder's cache + */ +#define NEED_CHECK_PROVIDER(provider) \ + (provider != NULL && \ + (strcmp(provider, "local") != 0 && \ + strcmp(provider, "files") != 0)) + +#define NEED_CHECK_AUTH_PROVIDER(provider) \ + (provider != NULL && \ + strcmp(provider, "local") != 0) + +/* needed until nsssrv.h is updated */ +struct cli_request { + + /* original request from the wire */ + struct sss_packet *in; + + /* reply data */ + struct sss_packet *out; +}; + +struct cli_protocol_version { + uint32_t version; + const char *date; + const char *description; +}; + +struct cli_protocol { + struct cli_request *creq; + struct cli_protocol_version *cli_protocol_version; +}; + +struct resp_ctx; + +struct be_conn { + struct be_conn *next; + struct be_conn *prev; + + struct resp_ctx *rctx; + + const char *cli_name; + struct sss_domain_info *domain; + + char *sbus_address; + struct sbus_connection *conn; +}; + +struct resp_ctx { + struct tevent_context *ev; + struct tevent_fd *lfde; + int lfd; + struct tevent_fd *priv_lfde; + int priv_lfd; + struct confdb_ctx *cdb; + const char *sock_name; + const char *priv_sock_name; + + struct sss_nc_ctx *ncache; + struct sss_names_ctx *global_names; + + struct sbus_connection *mon_conn; + struct be_conn *be_conns; + + struct sss_domain_info *domains; + int domains_timeout; + int client_idle_timeout; + + struct cache_req_domain *cr_domains; + const char *domain_resolution_order; + + time_t last_request_time; + int idle_timeout; + struct tevent_timer *idle; + + struct sss_cmd_table *sss_cmds; + const char *sss_pipe_name; + const char *confdb_service_path; + + hash_table_t *dp_request_table; + + struct timeval get_domains_last_call; + + size_t allowed_uids_count; + uid_t *allowed_uids; + + char *default_domain; + char override_space; + + char **allowed_shells; + char *override_shell; + 
char **vetoed_shells; + char **etc_shells; + char *shell_fallback; + char *default_shell; + + struct session_recording_conf sr_conf; + + uint32_t cache_req_num; + + void *pvt_ctx; + + bool shutting_down; + bool socket_activated; + bool dbus_activated; + bool cache_first; + bool enumeration_warn_logged; +}; + +struct cli_creds; + +struct cli_ctx { + struct tevent_context *ev; + struct resp_ctx *rctx; + int cfd; + struct tevent_fd *cfde; + tevent_fd_handler_t cfd_handler; + struct sockaddr_un addr; + int priv; + + struct cli_creds *creds; + + void *protocol_ctx; + void *state_ctx; + + struct tevent_timer *idle; + time_t last_request_time; +}; + +struct sss_cmd_table { + enum sss_cli_command cmd; + int (*fn)(struct cli_ctx *cctx); +}; + +/* from generated code */ +struct mon_cli_iface; + +/* + * responder_common.c + * + */ + +typedef int (*connection_setup_t)(struct cli_ctx *cctx); + +int sss_connection_setup(struct cli_ctx *cctx); + +void sss_client_fd_handler(void *ptr, + void (*recv_fn) (struct cli_ctx *cctx), + void (*send_fn) (struct cli_ctx *cctx), + uint16_t flags); + +int sss_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb, + struct sss_cmd_table sss_cmds[], + const char *sss_pipe_name, + int pipe_fd, + const char *sss_priv_pipe_name, + int priv_pipe_fd, + const char *confdb_service_path, + const char *svc_name, + uint16_t svc_version, + struct mon_cli_iface *monitor_intf, + const char *cli_name, + struct sbus_iface_map *sbus_iface, + connection_setup_t conn_setup, + struct resp_ctx **responder_ctx); + +int sss_dp_get_domain_conn(struct resp_ctx *rctx, const char *domain, + struct be_conn **_conn); +struct sss_domain_info * +responder_get_domain(struct resp_ctx *rctx, const char *domain); + +errno_t responder_get_domain_by_id(struct resp_ctx *rctx, const char *id, + struct sss_domain_info **_ret_dom); + +int create_pipe_fd(const char *sock_name, int *_fd, mode_t umaskval); +int activate_unix_sockets(struct resp_ctx 
*rctx, + connection_setup_t conn_setup); + +/* responder_cmd.c */ +int sss_cmd_empty_packet(struct sss_packet *packet); +int sss_cmd_send_empty(struct cli_ctx *cctx); +int sss_cmd_send_error(struct cli_ctx *cctx, int err); +void sss_cmd_done(struct cli_ctx *cctx, void *freectx); +int sss_cmd_get_version(struct cli_ctx *cctx); +int sss_cmd_execute(struct cli_ctx *cctx, + enum sss_cli_command cmd, + struct sss_cmd_table *sss_cmds); +struct cli_protocol_version *register_cli_protocol_version(void); + +struct setent_req_list; + +/* A facility for notifying setent requests */ +struct tevent_req *setent_get_req(struct setent_req_list *sl); +errno_t setent_add_ref(TALLOC_CTX *memctx, + struct setent_req_list **list, + struct tevent_req *req); +void setent_notify(struct setent_req_list **list, errno_t err); +void setent_notify_done(struct setent_req_list **list); + +errno_t +sss_cmd_check_cache(struct ldb_message *msg, + int cache_refresh_percent, + uint64_t cache_expire); + +typedef void (*sss_dp_callback_t)(uint16_t err_maj, uint32_t err_min, + const char *err_msg, void *ptr); + +struct dp_callback_ctx { + sss_dp_callback_t callback; + void *ptr; + + void *mem_ctx; + struct cli_ctx *cctx; +}; + +void handle_requests_after_reconnect(struct resp_ctx *rctx); + +int responder_logrotate(struct sbus_request *dbus_req, void *data); + +/* Each responder-specific request must create a constructor + * function that creates a DBus Message that would be sent to + * the back end + */ +typedef DBusMessage * (dbus_msg_constructor)(void *); + +/* + * This function is indended for consumption by responders to create + * responder-specific requests such as sss_dp_get_account_send for + * downloading account data. + * + * Issues a new back end request based on strkey if not already running + * or registers a callback that is called when an existing request finishes. 
+ */ +errno_t +sss_dp_issue_request(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx, + const char *strkey, struct sss_domain_info *dom, + dbus_msg_constructor msg_create, void *pvt, + struct tevent_req *nreq); + +/* Every provider specific request uses this structure as the tevent_req + * "state" structure. + */ +struct sss_dp_req_state { + dbus_uint16_t dp_err; + dbus_uint32_t dp_ret; + char *err_msg; +}; + +/* The _recv functions of provider specific requests usually need to + * only call sss_dp_req_recv() to get return codes from back end + */ +errno_t +sss_dp_req_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *sidereq, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg); + +/* Send a request to the data provider + * Once this function is called, the communication + * with the data provider will always run to + * completion. Freeing the returned tevent_req will + * cancel the notification of completion, but not + * the data provider action. + */ + +enum sss_dp_acct_type { + SSS_DP_USER = 1, + SSS_DP_GROUP, + SSS_DP_INITGROUPS, + SSS_DP_NETGR, + SSS_DP_SERVICES, + SSS_DP_SECID, + SSS_DP_USER_AND_GROUP, + SSS_DP_CERT, + SSS_DP_WILDCARD_USER, + SSS_DP_WILDCARD_GROUP, +}; + +struct tevent_req * +sss_dp_get_account_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + enum sss_dp_acct_type type, + const char *opt_name, + uint32_t opt_id, + const char *extra); +errno_t +sss_dp_get_account_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *err_maj, + dbus_uint32_t *err_min, + char **err_msg); + +struct tevent_req * +sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + const char *name, + const char *alias); + +errno_t +sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg); + +bool sss_utf8_check(const uint8_t *s, size_t n); + +void 
responder_set_fd_limit(rlim_t fd_limit); + +errno_t reset_client_idle_timer(struct cli_ctx *cctx); + +errno_t responder_setup_idle_timeout_config(struct resp_ctx *rctx); + +#define GET_DOMAINS_DEFAULT_TIMEOUT 60 + +struct tevent_req *sss_dp_get_domains_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + bool force, + const char *hint); + +errno_t sss_dp_get_domains_recv(struct tevent_req *req); + +/* + * Call a getAccountDomain request + * + * Only requests by ID are supported. + * + * @param mem_ctx Parent memory context + * @param rctx Responder context + * @param domain The SSSD domain we're querying. The response can + * be either NULL or come from any of domain's subdomains + * or domain itself + * @param type Either SSS_DP_USER or SSS_DP_GROUP, other types + * are not supported at the moment + * @param opt_id The ID number we're trying to locate + * + * @return A tevent request or NULL if allocating the request fails. + */ +struct tevent_req *sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + enum sss_dp_acct_type type, + uint32_t opt_id); + +/* Receive a getAccountDomain request result + * + * @param mem_ctx The memory context that will own the contents of _domain + * @param req The request that had finished + * @para _domain Either NULL (the request did not match any domain) or + * a string that corresponds to either the input domain + * or any of its subdomains + * + * @return EOK on success, errno otherwise + */ +errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_domain); + +errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_nc_ctx *optional_ncache); + +errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, + bool allow_sss_loop, + size_t *_uid_count, uid_t **_uids); + +uid_t client_euid(struct cli_creds *creds); +errno_t check_allowed_uids(uid_t uid, size_t 
allowed_uids_count, + uid_t *allowed_uids); + +struct tevent_req * +sss_parse_inp_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + const char *default_domain, + const char *rawinp); + +errno_t sss_parse_inp_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + char **_name, char **_domname); + +const char **parse_attr_list_ex(TALLOC_CTX *mem_ctx, const char *conf_str, + const char **defaults); + +char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool name_is_upn, + const char *orig_name); + +errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx); + +const char * +sss_resp_get_shell_override(struct ldb_message *msg, + struct resp_ctx *rctx, + struct sss_domain_info *domain); + +/** + * Helper functions to format output names + */ + +/* Format orig_name into a sized_string in output format as prescribed + * by the name_dom domain + */ +int sized_output_name(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + const char *orig_name, + struct sss_domain_info *name_dom, + struct sized_string **_name); + +/* Format orig_name into a sized_string in output format as prescribed + * by the domain read from the fully qualified name. + */ +int sized_domain_name(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + const char *member_name, + struct sized_string **_name); + +/* Given a ldb_result structure that contains a result of sysdb_initgroups + * where some groups might be just 'stubs' that don't have a name, but only + * a SID and a GID, resolve those incomplete groups into full group objects + */ +struct tevent_req *resp_resolve_group_names_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + struct ldb_result *initgr_res); + +int resp_resolve_group_names_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ldb_result **_initgr_named_res); + +#endif /* __SSS_RESPONDER_H__ */ 
diff --git a/src/responder/common/responder_cmd.c b/src/responder/common/responder_cmd.c
new file mode 100644
index 0000000..bd05ca2
--- /dev/null
+++ b/src/responder/common/responder_cmd.c
@@ -0,0 +1,302 @@ +/* + SSSD + + SSS Client Responder, command parser + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include "db/sysdb.h" +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/common/responder_packet.h" + + +int sss_cmd_send_error(struct cli_ctx *cctx, int err) +{ + struct cli_protocol *pctx; + int ret; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + if (!pctx) return EINVAL; + + /* create response packet */ + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create new packet: %d\n", ret); + return ret; + } + + sss_packet_set_error(pctx->creq->out, err); + return EOK; +} + +int sss_cmd_empty_packet(struct sss_packet *packet) +{ + uint8_t *body; + size_t blen; + int ret; + + ret = sss_packet_grow(packet, 2*sizeof(uint32_t)); + if (ret != EOK) return ret; + + sss_packet_get_body(packet, &body, &blen); + + /* num results */ + SAFEALIGN_SETMEM_UINT32(body, 0, NULL); + + /* reserved */ + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); + + return EOK; +} + +int sss_cmd_send_empty(struct cli_ctx *cctx) +{ + struct cli_protocol *pctx; + int ret; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + if (!pctx) return EINVAL; + + /* create response packet */ + ret = 
sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + return ret; + } + + ret = sss_cmd_empty_packet(pctx->creq->out); + if (ret != EOK) { + return ret; + } + + sss_packet_set_error(pctx->creq->out, EOK); + return EOK; +} + +void sss_cmd_done(struct cli_ctx *cctx, void *freectx) +{ + /* now that the packet is in place, unlock queue + * making the event writable */ + TEVENT_FD_WRITEABLE(cctx->cfde); + + /* free all request related data through the talloc hierarchy */ + talloc_free(freectx); +} + +int sss_cmd_get_version(struct cli_ctx *cctx) +{ + struct cli_protocol *pctx; + uint8_t *req_body; + size_t req_blen; + uint8_t *body; + size_t blen; + int ret; + uint32_t client_version; + uint32_t protocol_version; + int i; + static struct cli_protocol_version *cli_protocol_version = NULL; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + if (!pctx) return EINVAL; + + pctx->cli_protocol_version = NULL; + + if (cli_protocol_version == NULL) { + cli_protocol_version = register_cli_protocol_version(); + } + + if (cli_protocol_version != NULL) { + pctx->cli_protocol_version = &cli_protocol_version[0]; + + sss_packet_get_body(pctx->creq->in, &req_body, &req_blen); + if (req_blen == sizeof(uint32_t)) { + memcpy(&client_version, req_body, sizeof(uint32_t)); + DEBUG(SSSDBG_FUNC_DATA, + "Received client version [%d].\n", client_version); + + i=0; + while(cli_protocol_version[i].version>0) { + if (cli_protocol_version[i].version == client_version) { + pctx->cli_protocol_version = &cli_protocol_version[i]; + break; + } + i++; + } + } + } + + /* create response packet */ + ret = sss_packet_new(pctx->creq, sizeof(uint32_t), + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + return ret; + } + sss_packet_get_body(pctx->creq->out, &body, &blen); + + protocol_version = (pctx->cli_protocol_version != NULL) + ? 
pctx->cli_protocol_version->version : 0; + + SAFEALIGN_COPY_UINT32(body, &protocol_version, NULL); + DEBUG(SSSDBG_FUNC_DATA, "Offered version [%d].\n", protocol_version); + + sss_cmd_done(cctx, NULL); + return EOK; +} + +int sss_cmd_execute(struct cli_ctx *cctx, + enum sss_cli_command cmd, + struct sss_cmd_table *sss_cmds) +{ + int i; + + for (i = 0; sss_cmds[i].cmd != SSS_CLI_NULL; i++) { + if (cmd == sss_cmds[i].cmd) { + return sss_cmds[i].fn(cctx); + } + } + + return EINVAL; +} +struct setent_req_list { + struct setent_req_list *prev; + struct setent_req_list *next; + /* Need to modify the list from a talloc destructor */ + struct setent_req_list **head; + + struct tevent_req *req; +}; + +struct tevent_req * +setent_get_req(struct setent_req_list *sl) +{ + return sl->req; +} + +int setent_remove_ref(TALLOC_CTX *ctx) +{ + struct setent_req_list *entry = + talloc_get_type(ctx, struct setent_req_list); + DLIST_REMOVE(*(entry->head), entry); + return 0; +} + +errno_t setent_add_ref(TALLOC_CTX *memctx, + struct setent_req_list **list, + struct tevent_req *req) +{ + struct setent_req_list *entry; + + entry = talloc_zero(memctx, struct setent_req_list); + if (!entry) { + return ENOMEM; + } + + entry->req = req; + DLIST_ADD_END(*list, entry, struct setent_req_list *); + entry->head = list; + + talloc_set_destructor((TALLOC_CTX *)entry, setent_remove_ref); + return EOK; +} + +void setent_notify(struct setent_req_list **list, errno_t err) +{ + struct setent_req_list *reql; + + /* Notify the waiting clients */ + while ((reql = *list) != NULL) { + /* Each tevent_req_done() call will free + * the request, removing it from the list. + */ + if (err == EOK) { + tevent_req_done(reql->req); + } else { + tevent_req_error(reql->req, err); + } + + if (reql == *list) { + /* The consumer failed to free the + * request. Log a bug and continue. + */ + DEBUG(SSSDBG_FATAL_FAILURE, + "BUG: a callback did not free its request. 
" + "May leak memory\n"); + /* Skip to the next since a memory leak is non-fatal */ + *list = (*list)->next; + } + } +} + +void setent_notify_done(struct setent_req_list **list) +{ + return setent_notify(list, EOK); +} + +/* + * Return values: + * EOK - cache hit + * EAGAIN - cache hit, but schedule off band update + * ENOENT - cache miss + */ +errno_t +sss_cmd_check_cache(struct ldb_message *msg, + int cache_refresh_percent, + uint64_t cache_expire) +{ + uint64_t lastUpdate; + uint64_t midpoint_refresh = 0; + time_t now; + + now = time(NULL); + lastUpdate = ldb_msg_find_attr_as_uint64(msg, SYSDB_LAST_UPDATE, 0); + midpoint_refresh = 0; + + if(cache_refresh_percent) { + midpoint_refresh = lastUpdate + + (cache_expire - lastUpdate)*cache_refresh_percent/100.0; + if (midpoint_refresh - lastUpdate < 10) { + /* If the percentage results in an expiration + * less than ten seconds after the lastUpdate time, + * that's too often we will simply set it to 10s + */ + midpoint_refresh = lastUpdate+10; + } + } + + if (cache_expire > now) { + /* cache still valid */ + + if (midpoint_refresh && midpoint_refresh < now) { + /* We're past the cache refresh timeout + * We'll return the value from the cache, but we'll also + * queue the cache entry for update out-of-band. + */ + return EAGAIN; + } else { + /* Cache is still valid. */ + return EOK; + } + } + + /* Cache needs to be updated */ + return ENOENT; +} diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c new file mode 100644 index 0000000..fb2a31b --- /dev/null +++ b/src/responder/common/responder_common.c 
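Review bot: In `sss_cmd_check_cache` the refresh midpoint is computed before the expiry test, from `(cache_expire - lastUpdate)*cache_refresh_percent/100.0`. That is unsigned 64-bit arithmetic, so it wraps when `cache_expire` is below `lastUpdate` or when `cache_refresh_percent` is negative, and the result then round-trips through `double`. A wrapped midpoint is only discarded because the later `cache_expire > now` test normally rejects such entries; nothing in the function states that dependency, and it presumably does not hold if the clock steps backwards. I would guard the computation with `if (cache_refresh_percent > 0 && cache_expire > lastUpdate) {` and use integer division, `midpoint_refresh = lastUpdate + (cache_expire - lastUpdate) * cache_refresh_percent / 100;`. The header comment should also say that `cache_expire` and `SYSDB_LAST_UPDATE` are compared with `time(NULL)` as absolute seconds.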
@@ -0,0 +1,1892 @@ +/* + SSSD + + Common Responder methods + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/strtonum.h" +#include "db/sysdb.h" +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "responder/common/responder.h" +#include "responder/common/iface/responder_iface.h" +#include "responder/common/responder_packet.h" +#include "providers/data_provider.h" +#include "monitor/monitor_interfaces.h" +#include "sbus/sbus_client.h" +#include "util/util_creds.h" + +#ifdef HAVE_SYSTEMD +#include +#endif + +#define SHELL_REALLOC_INCREMENT 5 +#define SHELL_REALLOC_MAX 50 + +static errno_t set_close_on_exec(int fd) +{ + int v; + int ferr; + errno_t error; + + /* Get the current flags for this file descriptor */ + v = fcntl(fd, F_GETFD, 0); + + errno = 0; + /* Set the close-on-exec flags on this fd */ + ferr = fcntl(fd, F_SETFD, v | FD_CLOEXEC); + if (ferr < 0) { + error = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "Unable to set fd close-on-exec: [%d][%s]\n", + error, strerror(error)); + return error; + } + return EOK; +} + +static void client_close_fn(struct tevent_context *ev, + struct tevent_fd *fde, int fd, + void *ptr) +{ + errno_t ret; + struct cli_ctx *ctx = talloc_get_type(ptr, struct cli_ctx); 
+ + if ((ctx->cfd > 0) && close(ctx->cfd) < 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to close fd [%d]: [%s]\n", + ctx->cfd, strerror(ret)); + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Terminated client [%p][%d]\n", + ctx, ctx->cfd); + + ctx->cfd = -1; +} + +static errno_t get_client_cred(struct cli_ctx *cctx) +{ + SEC_CTX secctx; + int ret; + + cctx->creds = talloc_zero(cctx, struct cli_creds); + if (!cctx->creds) return ENOMEM; + +#ifdef HAVE_UCRED + socklen_t client_cred_len = sizeof(struct ucred); + + cctx->creds->ucred.uid = -1; + cctx->creds->ucred.gid = -1; + cctx->creds->ucred.pid = -1; + + ret = getsockopt(cctx->cfd, SOL_SOCKET, SO_PEERCRED, &cctx->creds->ucred, + &client_cred_len); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "getsock failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + if (client_cred_len != sizeof(struct ucred)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "getsockopt returned unexpected message size.\n"); + return ENOMSG; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Client creds: euid[%d] egid[%d] pid[%d].\n", + cctx->creds->ucred.uid, cctx->creds->ucred.gid, + cctx->creds->ucred.pid); +#endif + + ret = SELINUX_getpeercon(cctx->cfd, &secctx); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "The following failure is expected to happen in case SELinux is disabled:\n" + "SELINUX_getpeercon failed [%d][%s].\n" + "Please, consider enabling SELinux in your system.\n", ret, strerror(ret)); + /* This is not fatal, as SELinux may simply be disabled */ + ret = EOK; + } else { + cctx->creds->selinux_ctx = SELINUX_context_new(secctx); + SELINUX_freecon(secctx); + } + + return ret; +} + +uid_t client_euid(struct cli_creds *creds) +{ + if (!creds) return -1; + return cli_creds_get_uid(creds); +} + +errno_t check_allowed_uids(uid_t uid, size_t allowed_uids_count, + uid_t *allowed_uids) +{ + size_t c; + + if (allowed_uids == NULL) { + return EINVAL; + } + + for (c = 0; c < allowed_uids_count; c++) { + if (uid == 
allowed_uids[c]) { + return EOK; + } + } + + return EACCES; +} + +errno_t csv_string_to_uid_array(TALLOC_CTX *mem_ctx, const char *csv_string, + bool allow_sss_loop, + size_t *_uid_count, uid_t **_uids) +{ + int ret; + size_t c; + char **list = NULL; + int list_size; + uid_t *uids = NULL; + char *endptr; + + ret = split_on_separator(mem_ctx, csv_string, ',', true, false, + &list, &list_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "split_on_separator failed [%d][%s].\n", + ret, strerror(ret)); + goto done; + } + + uids = talloc_array(mem_ctx, uint32_t, list_size); + if (uids == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + if (allow_sss_loop) { + ret = unsetenv("_SSS_LOOPS"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to unset _SSS_LOOPS, getpwnam " + "might not find sssd users.\n"); + } + } + + for (c = 0; c < list_size; c++) { + errno = 0; + if (*list[c] == '\0') { + DEBUG(SSSDBG_OP_FAILURE, "Empty list item.\n"); + ret = EINVAL; + goto done; + } + + uids[c] = strtouint32(list[c], &endptr, 10); + if (errno != 0 || *endptr != '\0') { + ret = errno; + if (ret == ERANGE) { + DEBUG(SSSDBG_OP_FAILURE, "List item [%s] is out of range.\n", + list[c]); + goto done; + } + + ret = sss_user_by_name_or_uid(list[c], &uids[c], NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "List item [%s] is neither a valid " + "UID nor a user name which could be " + "resolved by getpwnam().\n", list[c]); + sss_log(SSS_LOG_WARNING, "List item [%s] is neither a valid " + "UID nor a user name which could be " + "resolved by getpwnam().\n", list[c]); + goto done; + } + } + } + + *_uid_count = list_size; + *_uids = uids; + + ret = EOK; + +done: + if(setenv("_SSS_LOOPS", "NO", 0) != 0) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to set _SSS_LOOPS.\n"); + } + talloc_free(list); + if (ret != EOK) { + talloc_free(uids); + } + + return ret; +} + +static void client_send(struct cli_ctx *cctx) +{ + struct cli_protocol *pctx; + int 
ret; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + + ret = sss_packet_send(pctx->creq->out, cctx->cfd); + if (ret == EAGAIN) { + /* not all data was sent, loop again */ + return; + } + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to send data, aborting client!\n"); + talloc_free(cctx); + return; + } + + /* ok all sent */ + TEVENT_FD_NOT_WRITEABLE(cctx->cfde); + TEVENT_FD_READABLE(cctx->cfde); + talloc_zfree(pctx->creq); + return; +} + +static int client_cmd_execute(struct cli_ctx *cctx, struct sss_cmd_table *sss_cmds) +{ + struct cli_protocol *pctx; + enum sss_cli_command cmd; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + cmd = sss_packet_get_cmd(pctx->creq->in); + return sss_cmd_execute(cctx, cmd, sss_cmds); +} + +static void client_recv(struct cli_ctx *cctx) +{ + struct cli_protocol *pctx; + int ret; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + + if (!pctx->creq) { + pctx->creq = talloc_zero(cctx, struct cli_request); + if (!pctx->creq) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to alloc request, aborting client!\n"); + talloc_free(cctx); + return; + } + } + + if (!pctx->creq->in) { + ret = sss_packet_new(pctx->creq, SSS_PACKET_MAX_RECV_SIZE, + 0, &pctx->creq->in); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to alloc request, aborting client!\n"); + talloc_free(cctx); + return; + } + } + + ret = sss_packet_recv(pctx->creq->in, cctx->cfd); + switch (ret) { + case EOK: + /* do not read anymore */ + TEVENT_FD_NOT_READABLE(cctx->cfde); + /* execute command */ + ret = client_cmd_execute(cctx, cctx->rctx->sss_cmds); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to execute request, aborting client!\n"); + talloc_free(cctx); + } + /* past this point cctx can be freed at any time by callbacks + * in case of error, do not use it */ + return; + + case EAGAIN: + /* need to read still some data, loop again */ + break; + + case EINVAL: + DEBUG(SSSDBG_TRACE_FUNC, 
+ "Invalid data from client, closing connection!\n"); + talloc_free(cctx); + break; + + case ENODATA: + DEBUG(SSSDBG_FUNC_DATA, "Client disconnected!\n"); + talloc_free(cctx); + break; + + default: + DEBUG(SSSDBG_TRACE_FUNC, "Failed to read request, aborting client!\n"); + talloc_free(cctx); + } + + return; +} + +static errno_t schedule_responder_idle_timer(struct resp_ctx *rctx); + +static void responder_idle_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *data) +{ + struct resp_ctx *rctx; + time_t now; + + rctx = talloc_get_type(data, struct resp_ctx); + + now = time(NULL); + if (rctx->last_request_time > now) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "Time shift detected, re-scheduling the responder timeout\n"); + goto end; + } + + if ((now - rctx->last_request_time) > rctx->idle_timeout) { + /* This responder is idle. Terminate it */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "Terminating idle responder [%p]\n", rctx); + + talloc_free(rctx); + + orderly_shutdown(0); + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Re-scheduling the idle timeout for the responder [%p]\n", rctx); + +end: + schedule_responder_idle_timer(rctx); +} + +static errno_t schedule_responder_idle_timer(struct resp_ctx *rctx) +{ + struct timeval tv; + + tv = tevent_timeval_current_ofs(rctx->idle_timeout / 2, 0); + + talloc_zfree(rctx->idle); + rctx->idle = tevent_add_timer(rctx->ev, + rctx, + tv, + responder_idle_handler, + rctx); + if (rctx->idle == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate time event: responder [%p] shutdown timeout\n", + rctx); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Re-scheduling the idle timeout for the responder [%p]\n", rctx); + + return EOK; +} + +static errno_t setup_responder_idle_timer(struct resp_ctx *rctx) +{ + errno_t ret; + + rctx->last_request_time = time(NULL); + + ret = schedule_responder_idle_timer(rctx); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Error scheduling the idle timeout for 
the responder [%p]: " + "%d [%s]\n", + rctx, ret, sss_strerror(ret)); + return ret; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Setting up the idle timeout for the responder [%p]\n", rctx); + + return EOK; +} + +static void client_fd_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *ptr) +{ + sss_client_fd_handler(ptr, client_recv, client_send, flags); +} + +static errno_t setup_client_idle_timer(struct cli_ctx *cctx); + +static int cli_ctx_destructor(struct cli_ctx *cctx) +{ + if (cctx->creds == NULL) { + return 0; + } + + if (cctx->creds->selinux_ctx == NULL) { + return 0; + } + + SELINUX_context_free(cctx->creds->selinux_ctx); + cctx->creds->selinux_ctx = NULL; + + return 0; +} + +struct accept_fd_ctx { + struct resp_ctx *rctx; + bool is_private; + connection_setup_t connection_setup; +}; + +/* + * Use this function only before the client context is established + */ +static void accept_and_terminate_cli(int fd) +{ + struct sockaddr_un addr; + int client_fd; + socklen_t len; + + /* accept and close to signal the client we have a problem */ + memset(&addr, 0, sizeof(addr)); + len = sizeof(addr); + client_fd = accept(fd, (struct sockaddr *)&addr, &len); + if (client_fd == -1) { + return; + } + close(client_fd); + return; +} + +static void accept_fd_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *ptr) +{ + /* accept and attach new event handler */ + struct accept_fd_ctx *accept_ctx = + talloc_get_type(ptr, struct accept_fd_ctx); + struct resp_ctx *rctx = accept_ctx->rctx; + struct cli_ctx *cctx; + socklen_t len; + struct stat stat_buf; + int ret; + int fd = accept_ctx->is_private ? rctx->priv_lfd : rctx->lfd; + + if (accept_ctx->is_private) { + ret = stat(rctx->priv_sock_name, &stat_buf); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "stat on privileged pipe failed: [%d][%s].\n", + errno, strerror(errno)); + accept_and_terminate_cli(fd); + return; + } + + if ( ! 
(stat_buf.st_uid == 0 && stat_buf.st_gid == 0 && + (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "privileged pipe has an illegal status.\n"); + accept_and_terminate_cli(fd); + return; + } + } + + cctx = talloc_zero(rctx, struct cli_ctx); + if (!cctx) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Out of memory trying to setup client context%s!\n", + accept_ctx->is_private ? " on privileged pipe": ""); + accept_and_terminate_cli(fd); + return; + } + + talloc_set_destructor(cctx, cli_ctx_destructor); + + len = sizeof(cctx->addr); + cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); + if (cctx->cfd == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Accept failed [%s]\n", strerror(errno)); + talloc_free(cctx); + return; + } + + cctx->priv = accept_ctx->is_private; + + ret = get_client_cred(cctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "get_client_cred failed, " + "client cred may not be available.\n"); + } + + if (rctx->allowed_uids_count != 0) { + if (client_euid(cctx->creds) == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "allowed_uids configured, " \ + "but platform does not support " \ + "reading peer credential from the " \ + "socket. Access denied.\n"); + close(cctx->cfd); + talloc_free(cctx); + return; + } + + ret = check_allowed_uids(client_euid(cctx->creds), rctx->allowed_uids_count, + rctx->allowed_uids); + if (ret != EOK) { + if (ret == EACCES) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Access denied for uid [%"SPRIuid"].\n", + client_euid(cctx->creds)); + } else { + DEBUG(SSSDBG_OP_FAILURE, "check_allowed_uids failed.\n"); + } + close(cctx->cfd); + talloc_free(cctx); + return; + } + } + + ret = accept_ctx->connection_setup(cctx); + if (ret != EOK) { + close(cctx->cfd); + talloc_free(cctx); + DEBUG(SSSDBG_OP_FAILURE, + "Failed to setup client handler%s\n", + accept_ctx->is_private ? 
" on privileged pipe" : ""); + return; + } + + cctx->cfde = tevent_add_fd(ev, cctx, cctx->cfd, + TEVENT_FD_READ, cctx->cfd_handler, + cctx); + if (!cctx->cfde) { + close(cctx->cfd); + talloc_free(cctx); + DEBUG(SSSDBG_OP_FAILURE, + "Failed to queue client handler%s\n", + accept_ctx->is_private ? " on privileged pipe" : ""); + return; + } + tevent_fd_set_close_fn(cctx->cfde, client_close_fn); + + cctx->ev = ev; + cctx->rctx = rctx; + + /* Record the new time and set up the idle timer */ + ret = reset_client_idle_timer(cctx); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not create idle timer for client. " + "This connection may not auto-terminate\n"); + /* Non-fatal, continue */ + } + + ret = setup_client_idle_timer(cctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not create idle timer for client. " + "This connection may not auto-terminate\n"); + /* Non-fatal, continue */ + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Client connected%s!\n", + accept_ctx->is_private ? " to privileged pipe" : ""); + + return; +} + +static void client_idle_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *data) +{ + time_t now = time(NULL); + struct cli_ctx *cctx = talloc_get_type(data, struct cli_ctx); + + if (cctx->last_request_time > now) { + DEBUG(SSSDBG_IMPORTANT_INFO, + "Time shift detected, re-scheduling the client timeout\n"); + goto done; + } + + if ((now - cctx->last_request_time) > cctx->rctx->client_idle_timeout) { + /* This connection is idle. 
Terminate it */
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Terminating idle client [%p][%d]\n",
+ cctx, cctx->cfd);
+
+ /* The cli_ctx destructor will handle the rest */
+ talloc_free(cctx);
+ return;
+ }
+
+done:
+ setup_client_idle_timer(cctx);
+}
+
+errno_t reset_client_idle_timer(struct cli_ctx *cctx)
+{
+ cctx->last_request_time = time(NULL);
+
+ return EOK;
+}
+
+static errno_t setup_client_idle_timer(struct cli_ctx *cctx)
+{
+ struct timeval tv =
+ tevent_timeval_current_ofs(cctx->rctx->client_idle_timeout/2, 0);
+
+ talloc_zfree(cctx->idle);
+
+ cctx->idle = tevent_add_timer(cctx->ev, cctx, tv, client_idle_handler, cctx);
+ if (!cctx->idle) return ENOMEM;
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Idle timer re-set for client [%p][%d]\n",
+ cctx, cctx->cfd);
+
+ return EOK;
+}
+
+static int sss_dp_init(struct resp_ctx *rctx,
+ struct sbus_iface_map *sbus_iface,
+ const char *cli_name,
+ struct sss_domain_info *domain)
+{
+ struct be_conn *be_conn;
+ int ret;
+ struct sbus_iface_map *resp_sbus_iface;
+
+ be_conn = talloc_zero(rctx, struct be_conn);
+ if (!be_conn) return ENOMEM;
+
+ be_conn->cli_name = cli_name;
+ be_conn->domain = domain;
+ be_conn->rctx = rctx;
+
+ /* Set up SBUS connection to the monitor */
+ ret = dp_get_sbus_address(be_conn, &be_conn->sbus_address, domain->name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not locate DP address.\n");
+ return ret;
+ }
+ ret = sbus_client_init(rctx, rctx->ev,
+ be_conn->sbus_address,
+ NULL,
+ &be_conn->conn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to connect to monitor services.\n");
+ return ret;
+ }
+
+ if (sbus_iface != NULL) {
+ ret = sbus_conn_register_iface_map(be_conn->conn, sbus_iface, rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to register D-Bus interface.\n");
+ return ret;
+ }
+ }
+
+ resp_sbus_iface = responder_get_sbus_interface();
+ if (resp_sbus_iface != NULL) {
+ ret = sbus_conn_register_iface_map(be_conn->conn,
+ resp_sbus_iface,
+ rctx);
+ if (ret !=
EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Cannot register generic responder iface at %s: %d\n",
+ resp_sbus_iface->path, ret);
+ return ret;
+ }
+ }
+
+ DLIST_ADD_END(rctx->be_conns, be_conn, struct be_conn *);
+
+ /* Identify ourselves to the DP */
+ ret = rdp_register_client(be_conn, cli_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to identify to the DP!\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+int create_pipe_fd(const char *sock_name, int *_fd, mode_t umaskval)
+{
+ struct sockaddr_un addr;
+ mode_t orig_umaskval;
+ errno_t ret;
+ int fd;
+
+ fd = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (fd == -1) {
+ return EIO;
+ }
+
+ orig_umaskval = umask(umaskval);
+
+ ret = sss_fd_nonblocking(fd);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = set_close_on_exec(fd);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sun_family = AF_UNIX;
+ strncpy(addr.sun_path, sock_name, sizeof(addr.sun_path) - 1);
+ addr.sun_path[sizeof(addr.sun_path) - 1] = '\0';
+
+ /* make sure we have no old sockets around */
+ ret = unlink(sock_name);
+ if (ret != 0 && errno != ENOENT) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot remove old socket (errno=%d [%s]), bind might fail!\n",
+ ret, sss_strerror(ret));
+ }
+
+ if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Unable to bind on socket '%s'\n", sock_name);
+ ret = EIO;
+ goto done;
+ }
+ if (listen(fd, 10) == -1) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Unable to listen on socket '%s'\n", sock_name);
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ /* restore previous umask value */
+ umask(orig_umaskval);
+ if (ret == EOK) {
+ *_fd = fd;
+ } else {
+ close(fd);
+ }
+ return ret;
+}
+
+/* create a unix socket and listen to it */
+static int set_unix_socket(struct resp_ctx *rctx,
+ connection_setup_t conn_setup)
+{
+ errno_t ret;
+ struct accept_fd_ctx *accept_ctx = NULL;
+
+/* for future use */
+#if 0
+ char *default_pipe;
+ int ret;
+
+ default_pipe = talloc_asprintf(rctx, "%s/%s", PIPE_PATH,
+ rctx->sss_pipe_name);
+ if (!default_pipe) {
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(rctx->cdb, rctx,
+ rctx->confdb_socket_path, "unixSocket",
+ default_pipe, &rctx->sock_name);
+ if (ret != EOK) {
+ talloc_free(default_pipe);
+ return ret;
+ }
+ talloc_free(default_pipe);
+
+ default_pipe = talloc_asprintf(rctx, "%s/private/%s", PIPE_PATH,
+ rctx->sss_pipe_name);
+ if (!default_pipe) {
+ return ENOMEM;
+ }
+
+ ret = confdb_get_string(rctx->cdb, rctx,
+ rctx->confdb_socket_path, "privUnixSocket",
+ default_pipe, &rctx->priv_sock_name);
+ if (ret != EOK) {
+ talloc_free(default_pipe);
+ return ret;
+ }
+ talloc_free(default_pipe);
+#endif
+
+ if (rctx->sock_name != NULL ) {
+ /* Set the umask so that permissions are set right on the socket.
+ * It must be readable and writable by anybody on the system. */
+ if (rctx->lfd == -1) {
+ ret = create_pipe_fd(rctx->sock_name, &rctx->lfd, SCKT_RSP_UMASK);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ accept_ctx = talloc_zero(rctx, struct accept_fd_ctx);
+ if(!accept_ctx) goto failed;
+ accept_ctx->rctx = rctx;
+ accept_ctx->is_private = false;
+ accept_ctx->connection_setup = conn_setup;
+
+ rctx->lfde = tevent_add_fd(rctx->ev, rctx, rctx->lfd,
+ TEVENT_FD_READ, accept_fd_handler,
+ accept_ctx);
+ if (!rctx->lfde) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to queue handler on pipe\n");
+ goto failed;
+ }
+ }
+
+ if (rctx->priv_sock_name != NULL ) {
+ /* create privileged pipe */
+ if (rctx->priv_lfd == -1) {
+ ret = create_pipe_fd(rctx->priv_sock_name, &rctx->priv_lfd,
+ DFL_RSP_UMASK);
+ if (ret != EOK) {
+ goto failed;
+ }
+ }
+
+ accept_ctx = talloc_zero(rctx, struct accept_fd_ctx);
+ if(!accept_ctx) goto failed;
+ accept_ctx->rctx = rctx;
+ accept_ctx->is_private = true;
+ accept_ctx->connection_setup = conn_setup;
+
+ rctx->priv_lfde = tevent_add_fd(rctx->ev, rctx, rctx->priv_lfd,
+ TEVENT_FD_READ, accept_fd_handler,
+ accept_ctx);
+ if
(!rctx->priv_lfde) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to queue handler on privileged pipe\n");
+ goto failed;
+ }
+ }
+
+ return EOK;
+
+failed:
+ if (rctx->lfd >= 0) close(rctx->lfd);
+ if (rctx->priv_lfd >= 0) close(rctx->priv_lfd);
+ return EIO;
+}
+
+int activate_unix_sockets(struct resp_ctx *rctx,
+ connection_setup_t conn_setup)
+{
+ int ret;
+
+#ifdef HAVE_SYSTEMD
+ if (rctx->lfd == -1 && rctx->priv_lfd == -1) {
+ int numfds = (rctx->sock_name ? 1 : 0) +
+ (rctx->priv_sock_name ? 1 : 0);
+ /* but if systemd support is available, check if the sockets
+ * have been opened for us, via socket activation */
+ ret = sd_listen_fds(1);
+ if (ret < 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Unexpected error probing for active sockets. "
+ "Will proceed with no sockets. [Error %d (%s)]\n",
+ -ret, sss_strerror(-ret));
+ } else if (ret > numfds) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Too many activated sockets have been found, "
+ "expected %d, found %d\n", numfds, ret);
+ ret = E2BIG;
+ goto done;
+ }
+
+ if (ret == numfds) {
+ rctx->lfd = SD_LISTEN_FDS_START;
+ ret = sd_is_socket_unix(rctx->lfd, SOCK_STREAM, 1, NULL, 0);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Activated socket is not a UNIX listening socket\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sss_fd_nonblocking(rctx->lfd);
+ if (ret != EOK) goto done;
+ if (numfds == 2) {
+ rctx->priv_lfd = SD_LISTEN_FDS_START + 1;
+ ret = sd_is_socket_unix(rctx->priv_lfd, SOCK_STREAM, 1, NULL, 0);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Activated priv socket is not a UNIX listening socket\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sss_fd_nonblocking(rctx->priv_lfd);
+ if (ret != EOK) goto done;
+ }
+ }
+ }
+#endif
+
+ ret = set_unix_socket(rctx, conn_setup);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Fatal error initializing sockets\n");
+ goto done;
+ }
+
+done:
+ return ret;
+}
+
+void sss_client_fd_handler(void *ptr,
+ void (*recv_fn) (struct cli_ctx *cctx),
+ void (*send_fn) (struct cli_ctx
*cctx),
+ uint16_t flags)
+{
+ errno_t ret;
+ struct cli_ctx *cctx = talloc_get_type(ptr, struct cli_ctx);
+
+ /* Always reset the responder idle timer on any activity */
+ cctx->rctx->last_request_time = time(NULL);
+
+ /* Always reset the client idle timer on any activity */
+ ret = reset_client_idle_timer(cctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not create idle timer for the client. "
+ "This connection may not auto-terminate.\n");
+ /* Non-fatal, continue */
+ }
+
+ if (flags & TEVENT_FD_READ) {
+ recv_fn(cctx);
+ return;
+ }
+
+ if (flags & TEVENT_FD_WRITE) {
+ send_fn(cctx);
+ return;
+ }
+}
+
+int sss_connection_setup(struct cli_ctx *cctx)
+{
+ cctx->protocol_ctx = talloc_zero(cctx, struct cli_protocol);
+ if (!cctx->protocol_ctx) {
+ return ENOMEM;
+ }
+
+ cctx->cfd_handler = client_fd_handler;
+
+ return EOK;
+}
+
+static int sss_responder_ctx_destructor(void *ptr)
+{
+ struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx);
+
+ /* mark that we are shutting down the responder, so it is propagated
+ * into underlying contexts that are freed right before rctx */
+ DEBUG(SSSDBG_TRACE_FUNC, "Responder is being shut down\n");
+ rctx->shutting_down = true;
+
+ return 0;
+}
+
+static errno_t responder_init_ncache(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ struct sss_nc_ctx **ncache)
+{
+ uint32_t neg_timeout;
+ uint32_t locals_timeout;
+ int tmp_value;
+ int ret;
+
+ /* neg_timeout */
+ ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ENTRY_NEG_TIMEOUT,
+ 15, &tmp_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Fatal failure of setup negative cache timeout.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ if (tmp_value < 0) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ neg_timeout = tmp_value;
+
+ /* local_timeout */
+ ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT,
+ CONFDB_RESPONDER_LOCAL_NEG_TIMEOUT_DEFAULT,
+ &tmp_value);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+
"Fatal failure of setup negative cache timeout.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ if (tmp_value < 0) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ locals_timeout = tmp_value;
+
+ /* negative cache init */
+ ret = sss_ncache_init(mem_ctx, neg_timeout, locals_timeout, ncache);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Fatal failure of initializing negative cache.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+static errno_t sss_get_etc_shells(TALLOC_CTX *mem_ctx, char ***_shells)
+{
+ int i = 0;
+ char *sh;
+ char **shells = NULL;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ int size;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ shells = talloc_array(tmp_ctx, char *, SHELL_REALLOC_INCREMENT);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ size = SHELL_REALLOC_INCREMENT;
+
+ setusershell();
+ while ((sh = getusershell())) {
+ shells[i] = talloc_strdup(shells, sh);
+ if (!shells[i]) {
+ endusershell();
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "Found shell %s in /etc/shells\n", shells[i]);
+ i++;
+
+ if (i == size) {
+ size += SHELL_REALLOC_INCREMENT;
+ if (size > SHELL_REALLOC_MAX) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Reached maximum number of shells [%d]. "
+ "Users may be denied access.
"
+ "Please check /etc/shells for sanity\n",
+ SHELL_REALLOC_MAX);
+ break;
+ }
+ shells = talloc_realloc(NULL, shells, char *,
+ size);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+ endusershell();
+
+ if (i + 1 < size) {
+ shells = talloc_realloc(NULL, shells, char *, i + 1);
+ if (!shells) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ shells[i] = NULL;
+
+ *_shells = talloc_move(mem_ctx, &shells);
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+int sss_process_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct confdb_ctx *cdb,
+ struct sss_cmd_table sss_cmds[],
+ const char *sss_pipe_name,
+ int pipe_fd,
+ const char *sss_priv_pipe_name,
+ int priv_pipe_fd,
+ const char *confdb_service_path,
+ const char *svc_name,
+ uint16_t svc_version,
+ struct mon_cli_iface *monitor_intf,
+ const char *cli_name,
+ struct sbus_iface_map *sbus_iface,
+ connection_setup_t conn_setup,
+ struct resp_ctx **responder_ctx)
+{
+ struct resp_ctx *rctx;
+ struct sss_domain_info *dom;
+ int ret;
+ char *tmp = NULL;
+
+ rctx = talloc_zero(mem_ctx, struct resp_ctx);
+ if (!rctx) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing resp_ctx\n");
+ return ENOMEM;
+ }
+ rctx->ev = ev;
+ rctx->cdb = cdb;
+ rctx->sss_cmds = sss_cmds;
+ rctx->sock_name = sss_pipe_name;
+ rctx->priv_sock_name = sss_priv_pipe_name;
+ rctx->lfd = pipe_fd;
+ rctx->priv_lfd = priv_pipe_fd;
+ rctx->confdb_service_path = confdb_service_path;
+ rctx->shutting_down = false;
+ rctx->socket_activated = is_socket_activated();
+ rctx->dbus_activated = is_dbus_activated();
+
+ talloc_set_destructor((TALLOC_CTX*)rctx, sss_responder_ctx_destructor);
+
+ ret = confdb_get_int(rctx->cdb, rctx->confdb_service_path,
+ CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
+ CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
+ &rctx->client_idle_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the client idle timeout [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ /* Ensure that the
client timeout is at least ten seconds */
+ if (rctx->client_idle_timeout < 10) {
+ rctx->client_idle_timeout = 10;
+ }
+
+ if (rctx->socket_activated || rctx->dbus_activated) {
+ ret = responder_setup_idle_timeout_config(rctx);
+ if (ret != EOK) {
+ goto fail;
+ }
+ }
+
+ ret = confdb_get_bool(rctx->cdb, rctx->confdb_service_path,
+ CONFDB_RESPONDER_CACHE_FIRST,
+ false, &rctx->cache_first);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get \"cache_first_option\".\n"
+ "Querying the caches first before querying the "
+ "Data Providers will not be enforced [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ }
+
+ ret = confdb_get_int(rctx->cdb, rctx->confdb_service_path,
+ CONFDB_RESPONDER_GET_DOMAINS_TIMEOUT,
+ GET_DOMAINS_DEFAULT_TIMEOUT, &rctx->domains_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the default domain timeout [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ if (rctx->domains_timeout < 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "timeout can't be set to negative value, setting default\n");
+ rctx->domains_timeout = GET_DOMAINS_DEFAULT_TIMEOUT;
+ }
+
+ ret = confdb_get_domains(rctx->cdb, &rctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error setting up domain map\n");
+ goto fail;
+ }
+
+ ret = confdb_get_string(rctx->cdb, rctx, CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DEFAULT_DOMAIN, NULL,
+ &rctx->default_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the default domain [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ ret = confdb_get_string(rctx->cdb, rctx, CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_OVERRIDE_SPACE, NULL,
+ &tmp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the space substitution character [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+
+ if (tmp != NULL) {
+ if (strlen(tmp) > 1) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Option %s is longer than 1 character "
+ "only the first character %c will be used\n",
+
CONFDB_MONITOR_OVERRIDE_SPACE, tmp[0]);
+ }
+
+ rctx->override_space = tmp[0];
+ }
+
+ ret = confdb_get_string(rctx->cdb, rctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DOMAIN_RESOLUTION_ORDER, NULL,
+ &tmp);
+ if (ret == EOK) {
+ rctx->domain_resolution_order = sss_replace_char(rctx, tmp, ',', ':');
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot get the \"domain_resolution_order\" option.\n"
+ "The set up lookup_order won't be followed [%d]: %s.\n",
+ ret, sss_strerror(ret));
+ }
+
+ /* Read shell settings */
+ ret = confdb_get_string(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_OVERRIDE_SHELL, NULL,
+ &rctx->override_shell);
+ if (ret != EOK && ret != ENOENT) goto fail;
+
+ ret = confdb_get_string_as_list(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_ALLOWED_SHELL,
+ &rctx->allowed_shells);
+ if (ret != EOK && ret != ENOENT) goto fail;
+
+ ret = confdb_get_string_as_list(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_VETOED_SHELL,
+ &rctx->vetoed_shells);
+ if (ret != EOK && ret != ENOENT) goto fail;
+
+ ret = sss_get_etc_shells(rctx, &rctx->etc_shells);
+ if (ret != EOK) goto fail;
+
+ ret = confdb_get_string(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_SHELL_FALLBACK,
+ CONFDB_DEFAULT_SHELL_FALLBACK,
+ &rctx->shell_fallback);
+ if (ret != EOK) goto fail;
+
+ ret = confdb_get_string(cdb, rctx, CONFDB_NSS_CONF_ENTRY,
+ CONFDB_NSS_DEFAULT_SHELL,
+ NULL,
+ &rctx->default_shell);
+ if (ret != EOK) goto fail;
+
+ /* Read session_recording section */
+ ret = session_recording_conf_load(rctx, rctx->cdb, &rctx->sr_conf);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed loading session recording configuration: %s\n",
+ strerror(ret));
+ goto fail;
+ }
+
+ ret = sss_monitor_init(rctx, rctx->ev, monitor_intf,
+ svc_name, svc_version, MT_SVC_SERVICE,
+ rctx, &rctx->last_request_time,
+ &rctx->mon_conn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error setting up message bus\n");
+ goto fail;
+ }
+
+ for (dom = rctx->domains; dom; dom =
get_next_domain(dom, 0)) {
+ ret = sss_names_init(rctx->cdb, rctx->cdb, dom->name, &dom->names);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error initializing regex data for domain: %s\n",
+ dom->name);
+ goto fail;
+ }
+
+ /* skip local domain, it doesn't have a backend */
+ if (strcasecmp(dom->provider, "local") == 0) {
+ continue;
+ }
+
+ ret = sss_dp_init(rctx, sbus_iface, cli_name, dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error setting up backend connector\n");
+ goto fail;
+ }
+ }
+
+ ret = sysdb_init(rctx, rctx->domains);
+ if (ret != EOK) {
+ SYSDB_VERSION_ERROR_DAEMON(ret);
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error initializing sysdb connection\n");
+ goto fail;
+ }
+
+ /* after all initializations we are ready to listen on our socket */
+ ret = activate_unix_sockets(rctx, conn_setup);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing socket\n");
+ goto fail;
+ }
+
+ /* Create DP request table */
+ ret = sss_hash_create(rctx, 30, &rctx->dp_request_table);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not create hash table for the request queue\n");
+ goto fail;
+ }
+
+ ret = responder_init_ncache(rctx, rctx->cdb, &rctx->ncache);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "fatal error initializing negcache\n");
+ goto fail;
+ }
+
+ ret = sss_ad_default_names_ctx(rctx, &rctx->global_names);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_ad_default_names_ctx failed.\n");
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Responder initialization complete (%s)\n",
+ rctx->socket_activated ? "socket-activated" :
+ rctx->dbus_activated ?
"dbus-activated" :
+ "explicitly configured");
+
+ *responder_ctx = rctx;
+ return EOK;
+
+fail:
+ talloc_free(rctx);
+ return ret;
+}
+
+int sss_dp_get_domain_conn(struct resp_ctx *rctx, const char *domain,
+ struct be_conn **_conn)
+{
+ struct be_conn *iter;
+
+ if (!rctx->be_conns) return ENOENT;
+
+ for (iter = rctx->be_conns; iter; iter = iter->next) {
+ if (strcasecmp(domain, iter->domain->name) == 0) break;
+ }
+
+ if (!iter) return ENOENT;
+
+ *_conn = iter;
+
+ return EOK;
+}
+
+struct sss_domain_info *
+responder_get_domain(struct resp_ctx *rctx, const char *name)
+{
+ struct sss_domain_info *dom;
+ struct sss_domain_info *ret_dom = NULL;
+
+ for (dom = rctx->domains; dom;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ if (sss_domain_get_state(dom) == DOM_DISABLED) {
+ continue;
+ }
+
+ if (strcasecmp(dom->name, name) == 0 ||
+ (dom->flat_name != NULL &&
+ strcasecmp(dom->flat_name, name) == 0)) {
+ ret_dom = dom;
+ break;
+ }
+ }
+
+ if (!ret_dom) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unknown domain [%s]\n", name);
+ }
+
+ return ret_dom;
+}
+
+errno_t responder_get_domain_by_id(struct resp_ctx *rctx, const char *id,
+ struct sss_domain_info **_ret_dom)
+{
+ struct sss_domain_info *dom;
+ struct sss_domain_info *ret_dom = NULL;
+ size_t id_len;
+ size_t dom_id_len;
+ int ret;
+
+ if (id == NULL || _ret_dom == NULL) {
+ return EINVAL;
+ }
+
+ id_len = strlen(id);
+
+ for (dom = rctx->domains; dom;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ if (sss_domain_get_state(dom) == DOM_DISABLED ||
+ dom->domain_id == NULL) {
+ continue;
+ }
+
+ dom_id_len = strlen(dom->domain_id);
+ if ((id_len >= dom_id_len) &&
+ strncasecmp(dom->domain_id, id, dom_id_len) == 0) {
+ if (IS_SUBDOMAIN(dom) &&
+ ((time(NULL) - dom->parent->subdomains_last_checked.tv_sec) >
+ rctx->domains_timeout)) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Domain entry with id [%s] " \
+ "is expired.\n", id);
+ ret = EAGAIN;
+ goto done;
+ }
+ ret_dom = dom;
+ break;
+ }
+ }
+
+ if (ret_dom == NULL) {
+
DEBUG(SSSDBG_OP_FAILURE, "Unknown domain id [%s], checking for "
+ "possible subdomains!\n", id);
+ ret = ENOENT;
+ } else {
+ *_ret_dom = ret_dom;
+ ret = EOK;
+ }
+
+done:
+ return ret;
+}
+
+int responder_logrotate(struct sbus_request *dbus_req, void *data)
+{
+ errno_t ret;
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+
+ ret = server_common_rotate_logs(rctx->cdb, rctx->confdb_service_path);
+ if (ret != EOK) return ret;
+
+ return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
+}
+
+void responder_set_fd_limit(rlim_t fd_limit)
+{
+ struct rlimit current_limit, new_limit;
+ int limret;
+
+ /* First, let's see if we have permission to just set
+ * the value as-is.
+ */
+ new_limit.rlim_cur = fd_limit;
+ new_limit.rlim_max = fd_limit;
+ limret = setrlimit(RLIMIT_NOFILE, &new_limit);
+ if (limret == 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Maximum file descriptors set to [%"SPRIrlim"]\n",
+ new_limit.rlim_cur);
+ return;
+ }
+
+ /* We couldn't set the soft and hard limits to this
+ * value. Let's see how high we CAN set it.
+ */
+
+ /* Determine the maximum hard limit */
+ limret = getrlimit(RLIMIT_NOFILE, ¤t_limit);
+ if (limret == 0) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Current fd limit: [%"SPRIrlim"]\n",
+ current_limit.rlim_cur);
+ /* Choose the lesser of the requested and the hard limit */
+ if (current_limit.rlim_max < fd_limit) {
+ new_limit.rlim_cur = current_limit.rlim_max;
+ } else {
+ new_limit.rlim_cur = fd_limit;
+ }
+ new_limit.rlim_max = current_limit.rlim_max;
+
+ limret = setrlimit(RLIMIT_NOFILE, &new_limit);
+ if (limret == 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Maximum file descriptors set to [%"SPRIrlim"]\n",
+ new_limit.rlim_cur);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not set new fd limits. Proceeding with "
+ "[%"SPRIrlim"]\n", current_limit.rlim_cur);
+ }
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not determine fd limits.
"
+ "Proceeding with system values\n");
+ }
+}
+
+errno_t responder_setup_idle_timeout_config(struct resp_ctx *rctx)
+{
+ errno_t ret;
+
+ ret = confdb_get_int(rctx->cdb, rctx->confdb_service_path,
+ CONFDB_RESPONDER_IDLE_TIMEOUT,
+ CONFDB_RESPONDER_IDLE_DEFAULT_TIMEOUT,
+ &rctx->idle_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the responder idle timeout [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ /* Idle timeout set to 0 means that no timeout will be set up to
+ * the responder */
+ if (rctx->idle_timeout == 0) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Responder idle timeout won't be set up as the "
+ "responder_idle_timeout is set to 0");
+ } else {
+ /* Ensure that the responder timeout is at least sixty seconds */
+ if (rctx->idle_timeout < 60) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "responder_idle_timeout is set to a value lower than "
+ "the minimum allowed (60s).\n"
+ "The minimum allowed value will be used.");
+
+ rctx->idle_timeout = 60;
+ }
+
+ ret = setup_responder_idle_timer(rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "An error occurred when setting up the responder's idle "
+ "timeout for the responder [%p]: %s [%d].\n"
+ "The responder won't be automatically shutdown after %d "
+ "seconds inactive.
\n",
+ rctx, sss_strerror(ret), ret,
+ rctx->idle_timeout);
+ }
+ }
+
+ ret = EOK;
+
+fail:
+ return ret;
+
+}
+
+/* ====== Helper functions for the domain resolution order ======= */
+static errno_t
+sss_resp_new_cr_domains_from_ipa_id_view(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domains,
+ struct sysdb_ctx *sysdb,
+ struct cache_req_domain **_cr_domains)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct cache_req_domain *cr_domains = NULL;
+ const char *domain_resolution_order = NULL;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_get_view_domain_resolution_order(tmp_ctx, sysdb,
+ &domain_resolution_order);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sysdb_get_view_cache_req_domain() failed [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (ret == ENOENT) {
+ goto done;
+ }
+
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ mem_ctx, domains, domain_resolution_order, &cr_domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_DEFAULT,
+ "cache_req_domain_new_list_from_domain_resolution_order() "
+ "failed [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ *_cr_domains = cr_domains;
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+sss_resp_new_cr_domains_from_ipa_config(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domains,
+ struct sysdb_ctx *sysdb,
+ const char *domain,
+ struct cache_req_domain **_cr_domains)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char *domain_resolution_order = NULL;
+ errno_t ret;
+
+ *_cr_domains = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_domain_get_domain_resolution_order(tmp_ctx, sysdb, domain,
+ &domain_resolution_order);
+
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sysdb_domain_get_cache_req_domain() failed [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (ret == ENOENT) {
+ goto done;
+ }
+
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ mem_ctx, domains, domain_resolution_order, _cr_domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_DEFAULT,
+ "cache_req_domain_new_list_from_domain_resolution_order() "
+ "failed [%d]: [%s].\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sss_resp_populate_cr_domains(struct resp_ctx *rctx)
+{
+ struct cache_req_domain *cr_domains = NULL;
+ struct sss_domain_info *dom;
+ errno_t ret;
+
+ if (rctx->domain_resolution_order != NULL) {
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains,
+ rctx->domain_resolution_order, &cr_domains);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using domain_resolution_order from sssd.conf\n");
+ goto done;
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to use domain_resolution_order set in the config file.\n"
+ "Trying to fallback to use ipaDomainOrderResolution setup by "
+ "IPA.\n");
+ }
+ }
+
+ for (dom = rctx->domains; dom != NULL; dom = dom->next) {
+ if (dom->provider != NULL && strcmp(dom->provider, "ipa") == 0) {
+ break;
+ }
+ }
+
+ if (dom == NULL) {
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains, NULL, &cr_domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to flatten the list of domains.\n");
+ }
+ goto done;
+ }
+
+ if (dom->has_views) {
+ ret = sss_resp_new_cr_domains_from_ipa_id_view(rctx, rctx->domains,
+ dom->sysdb,
+ &cr_domains);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using domain_resolution_order from IPA ID View\n");
+ goto done;
+ }
+
+ if (ret != ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to use ipaDomainResolutionOrder set for the "
+ "view \"%s\".\n"
+ "Trying to fallback to use ipaDomainOrderResolution "
+ "set in ipaConfig for the domain: %s.\n",
+ dom->view_name, dom->name);
+ }
+ }
+
+ ret = sss_resp_new_cr_domains_from_ipa_config(rctx, rctx->domains,
+
dom->sysdb, dom->name,
+ &cr_domains);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Using domain_resolution_order from IPA Config\n");
+ goto done;
+ }
+
+ if (ret != ENOENT) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to use ipaDomainResolutionOrder set in ipaConfig "
+ "for the domain: \"%s\".\n"
+ "No ipaDomainResolutionOrder will be followed.\n",
+ dom->name);
+ }
+
+ ret = cache_req_domain_new_list_from_domain_resolution_order(
+ rctx, rctx->domains, NULL, &cr_domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to flatten the list of domains.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ cache_req_domain_list_zfree(&rctx->cr_domains);
+ rctx->cr_domains = cr_domains;
+
+ return ret;
+}
+
+/**
+ * Helper functions to format output names
+ */
+int sized_output_name(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *orig_name,
+ struct sss_domain_info *name_dom,
+ struct sized_string **_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *name_str;
+ struct sized_string *name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ name = talloc_zero(tmp_ctx, struct sized_string);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_output_fqname(name, name_dom, orig_name,
+ rctx->override_space, &name_str);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ to_sized_string(name, name_str);
+ *_name = talloc_steal(mem_ctx, name);
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+int sized_domain_name(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *member_name,
+ struct sized_string **_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *domname;
+ struct sss_domain_info *member_dom;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, member_name, NULL, &domname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n");
+ goto done;
+ }
+
+ if (domname ==
NULL) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+
+ member_dom = find_domain_by_name(get_domains_head(rctx->domains),
+ domname, true);
+ if (member_dom == NULL) {
+ ret = ERR_DOMAIN_NOT_FOUND;
+ goto done;
+ }
+
+ ret = sized_output_name(mem_ctx, rctx, member_name,
+ member_dom, _name);
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/responder/common/responder_dp.c b/src/responder/common/responder_dp.c
new file mode 100644
index 0000000..208c415
--- /dev/null
+++ b/src/responder/common/responder_dp.c
@@ -0,0 +1,941 @@ +/* + Authors: + Simo Sorce + Stephen Gallagher + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include +#include +#include "util/util.h" +#include "responder/common/responder_packet.h" +#include "responder/common/responder.h" +#include "providers/data_provider.h" +#include "providers/data_provider/dp_responder_iface.h" +#include "sbus/sbus_client.h" + +struct sss_dp_req; + +struct sss_dp_callback { + struct sss_dp_callback *prev; + struct sss_dp_callback *next; + + struct tevent_req *req; + struct sss_dp_req *sdp_req; +}; + +struct sss_dp_req { + struct resp_ctx *rctx; + struct tevent_context *ev; + DBusPendingCall *pending_reply; + + hash_key_t *key; + + struct sss_dp_callback *cb_list; + + dbus_uint16_t dp_err; + dbus_uint32_t dp_ret; + char *err_msg; +}; + +static int sss_dp_callback_destructor(void *ptr) +{ + struct sss_dp_callback *cb = + talloc_get_type(ptr, struct sss_dp_callback); + + DLIST_REMOVE(cb->sdp_req->cb_list, cb); + + return EOK; +} + +static int sss_dp_req_destructor(void *ptr) +{ + struct sss_dp_callback *cb; + struct sss_dp_req *sdp_req = talloc_get_type(ptr, struct sss_dp_req); + struct sss_dp_req_state *state; + int hret; + + /* Cancel Dbus pending reply if still pending */ + if (sdp_req->pending_reply) { + dbus_pending_call_cancel(sdp_req->pending_reply); + sdp_req->pending_reply = NULL; + } + + /* Do not call callbacks if the responder 
is shutting down, because + * the top level responder context (pam_ctx, sudo_ctx, ...) may be + * already semi-freed and we may end up accessing freed memory. + */ + if (sdp_req->rctx->shutting_down) { + return 0; + } + + /* If there are callbacks that haven't been invoked, return + * an error now. + */ + while ((cb = sdp_req->cb_list) != NULL) { + state = tevent_req_data(cb->req, struct sss_dp_req_state); + state->dp_err = DP_ERR_FATAL; + state->dp_ret = EIO; + + /* tevent_req_done/error will free cb */ + tevent_req_error(cb->req, EIO); + + /* Freeing the cb removes it from the cb_list. + * Therefore, the cb_list should now be pointing + * at a new callback. If it's not, it means the + * callback handler didn't free cb and may leak + * memory. Be paranoid and protect against this + * situation. + */ + if (cb == sdp_req->cb_list) { + DEBUG(SSSDBG_FATAL_FAILURE, + "BUG: a callback did not free its request. " + "May leak memory\n"); + /* Skip to the next since a memory leak is non-fatal */ + sdp_req->cb_list = sdp_req->cb_list->next; + } + } + + /* Destroy the hash entry */ + DEBUG(SSSDBG_TRACE_FUNC, "Deleting request: [%s]\n", sdp_req->key->str); + hret = hash_delete(sdp_req->rctx->dp_request_table, sdp_req->key); + if (hret != HASH_SUCCESS) { + /* This should never happen */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "BUG: Could not clear [%d:%lu:%s] from request queue: [%s]\n", + sdp_req->key->type, sdp_req->key->ul, sdp_req->key->str, + hash_error_string(hret)); + return -1; + } + + return 0; +} + +static void sss_dp_req_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) +{ + /* ptr is a pointer to sidereq */ + /* Just free it to kill all waiting requests when the timeout fires */ + talloc_zfree(ptr); +} + +void handle_requests_after_reconnect(struct resp_ctx *rctx) +{ + int ret; + hash_value_t *values; + unsigned long count, i; + struct sss_dp_req *sdp_req; + + if (!rctx->dp_request_table) { + DEBUG(SSSDBG_TRACE_LIBS, "No requests 
to handle after reconnect\n"); + return; + } + + ret = hash_values(rctx->dp_request_table, &count, &values); + if (ret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "hash_values failed, " + "not all request might be handled after reconnect.\n"); + return; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Will handle %lu requests after reconnect\n", count); + for (i=0; idp_err = DP_ERR_OK; + cb_state->dp_ret = EOK; + cb_state->err_msg = talloc_strdup(cb_state, "Success"); + + tevent_req_done(cb_req); + tevent_req_post(cb_req, ev); +} + +errno_t +sss_dp_issue_request(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx, + const char *strkey, struct sss_domain_info *dom, + dbus_msg_constructor msg_create, void *pvt, + struct tevent_req *nreq) +{ + int hret; + hash_value_t value; + hash_key_t *key; + struct tevent_req *sidereq; + struct sss_dp_req *sdp_req; + struct sss_dp_callback *cb; + struct tevent_timer *te; + struct timeval tv; + DBusMessage *msg; + TALLOC_CTX *tmp_ctx = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + key = talloc(tmp_ctx, hash_key_t); + if (!key) { + ret = ENOMEM; + goto fail; + } + + key->type = HASH_KEY_STRING; + key->str = talloc_asprintf(key, "%p:%s", msg_create, strkey); + if (!key->str) { + ret = ENOMEM; + goto fail; + } + + if (strcasecmp(dom->provider, "local") == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "Issuing local provider request for [%s]\n", + key->str); + sss_dp_issue_local_request(rctx->ev, nreq); + return EOK; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Issuing request for [%s]\n", key->str); + + /* Check the hash for existing references to this request */ + hret = hash_lookup(rctx->dp_request_table, key, &value); + switch (hret) { + case HASH_SUCCESS: + /* Request already in progress */ + DEBUG(SSSDBG_TRACE_FUNC, + "Identical request in progress: [%s]\n", key->str); + break; + + case HASH_ERROR_KEY_NOT_FOUND: + /* No such request in progress + * Create a new request + */ + msg = msg_create(pvt); + if (!msg) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create D-Bus message\n"); + ret = EIO; + goto fail; + } + + value.type = HASH_VALUE_PTR; + sidereq = sss_dp_internal_get_send(rctx, key, dom, msg); + dbus_message_unref(msg); + if (!sidereq) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot send D-Bus message\n"); + ret = EIO; + goto fail; + } + tevent_req_set_callback(sidereq, sss_dp_req_done, NULL); + + /* add timeout handling so we do not hang forever should something + * go wrong in the provider. Use 2 sec less than the idle timeout to + * give it a chance to reply to the client before closing the + * connection. */ + tv = tevent_timeval_current_ofs(rctx->client_idle_timeout - 2, 0); + te = tevent_add_timer(rctx->ev, sidereq, tv, + sss_dp_req_timeout, sidereq); + if (!te) { + /* Nothing much we can do */ + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + ret = ENOMEM; + goto fail; + } + + /* We should now be able to find the sdp_req in the hash table */ + hret = hash_lookup(rctx->dp_request_table, key, &value); + if (hret != HASH_SUCCESS) { + /* Something must have gone wrong with creating the request */ + DEBUG(SSSDBG_CRIT_FAILURE, "The request has disappeared?\n"); + ret = EIO; + goto fail; + } + break; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not query request list (%s)\n", + hash_error_string(hret)); + ret = EIO; + goto fail; + } + + /* Register this request for results */ + sdp_req = talloc_get_type(value.ptr, struct sss_dp_req); + if (!sdp_req) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not retrieve DP request context\n"); + ret = EIO; + goto fail; + } + + cb = talloc_zero(mem_ctx, struct sss_dp_callback); + if (!cb) { + ret = ENOMEM; + goto fail; + } + + cb->req = nreq; + cb->sdp_req = sdp_req; + + /* Add it to the list of requests to call */ + DLIST_ADD_END(sdp_req->cb_list, cb, + struct sss_dp_callback *); + talloc_set_destructor((TALLOC_CTX *)cb, + sss_dp_callback_destructor); + + ret = EOK; +fail: + talloc_free(tmp_ctx); + return ret; +} + +static void 
+sss_dp_req_done(struct tevent_req *sidereq) +{ + /* Nothing to do here. The callbacks have already been invoked */ + talloc_zfree(sidereq); +} + +errno_t +sss_dp_req_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *sidereq, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + struct sss_dp_req_state *state = + tevent_req_data(sidereq, struct sss_dp_req_state); + + enum tevent_req_state TRROEstate; + uint64_t TRROEuint64; + errno_t TRROEerr; + + *dp_err = state->dp_err; + *dp_ret = state->dp_ret; + *err_msg = talloc_steal(mem_ctx, state->err_msg); + + if (tevent_req_is_error(sidereq, &TRROEstate, &TRROEuint64)) { + TRROEerr = (errno_t)TRROEuint64; + + if (TRROEstate == TEVENT_REQ_USER_ERROR) { + if (TRROEerr == 0) { + return ERR_INTERNAL; + } + *dp_err = DP_ERR_FATAL; + *dp_ret = TRROEerr; + } else { + return EIO; + } + } + + return EOK; +} + +/* Send a request to the data provider + * Once this function is called, the communication + * with the data provider will always run to + * completion. Freeing the returned tevent_req will + * cancel the notification of completion, but not + * the data provider action. 
+ */ +static DBusMessage *sss_dp_get_account_msg(void *pvt); + +static int sss_dp_account_files_params(struct sss_domain_info *dom, + enum sss_dp_acct_type type_in, + const char *opt_name_in, + enum sss_dp_acct_type *_type_out, + const char **_opt_name_out); + +struct sss_dp_account_info { + struct sss_domain_info *dom; + + bool fast_reply; + enum sss_dp_acct_type type; + const char *opt_name; + const char *extra; + uint32_t opt_id; +}; + +struct tevent_req * +sss_dp_get_account_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + enum sss_dp_acct_type type, + const char *opt_name, + uint32_t opt_id, + const char *extra) +{ + errno_t ret; + struct tevent_req *req; + struct sss_dp_account_info *info; + struct sss_dp_req_state *state; + char *key; + + req = tevent_req_create(mem_ctx, &state, struct sss_dp_req_state); + if (!req) { + return NULL; + } + + /* either, or, not both */ + if (opt_name && opt_id) { + ret = EINVAL; + goto error; + } + + if (!dom) { + ret = EINVAL; + goto error; + } + + if (NEED_CHECK_PROVIDER(dom->provider) == false) { + if (strcmp(dom->provider, "files") == 0) { + /* This is a special case. If the files provider is just being updated, + * we issue an enumeration request. 
We always use the same request type + * (user enumeration) to make sure concurrent requests are just chained + * in the Data Provider + */ + ret = sss_dp_account_files_params(dom, type, opt_name, + &type, &opt_name); + if (ret == EOK) { + goto error; + } else if (ret != EAGAIN) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to set files provider update: %d: %s\n", + ret, sss_strerror(ret)); + goto error; + } + /* EAGAIN, fall through to issuing the request */ + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, "Domain %s does not check DP\n", dom->name); + ret = EOK; + goto error; + } + } + + info = talloc_zero(state, struct sss_dp_account_info); + if (info == NULL) { + ret = ENOMEM; + goto error; + } + info->fast_reply = fast_reply; + info->type = type; + info->opt_name = opt_name; + info->opt_id = opt_id; + info->extra = extra; + info->dom = dom; + + if (opt_name) { + if (extra) { + key = talloc_asprintf(state, "%d:%s:%s@%s", + type, opt_name, extra, dom->name); + } else { + key = talloc_asprintf(state, "%d:%s@%s", + type, opt_name, dom->name); + } + } else if (opt_id) { + if (extra) { + key = talloc_asprintf(state, "%d:%d:%s@%s", + type, opt_id, extra, dom->name); + } else { + key = talloc_asprintf(state, "%d:%d@%s", type, opt_id, dom->name); + } + } else { + key = talloc_asprintf(state, "%d:*@%s", type, dom->name); + } + if (!key) { + ret = ENOMEM; + goto error; + } + + ret = sss_dp_issue_request(state, rctx, key, dom, sss_dp_get_account_msg, + info, req); + talloc_free(key); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not issue DP request [%d]: %s\n", + ret, strerror(ret)); + goto error; + } + + return req; + +error: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, rctx->ev); + return req; +} + +static int sss_dp_account_files_params(struct sss_domain_info *dom, + enum sss_dp_acct_type type_in, + const char *opt_name_in, + enum sss_dp_acct_type *_type_out, + const char **_opt_name_out) +{ + if 
(sss_domain_get_state(dom) != DOM_INCONSISTENT) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "The entries in the files domain are up-to-date\n"); + return EOK; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Domain files is not consistent, issuing update\n"); + + switch(type_in) { + case SSS_DP_USER: + case SSS_DP_GROUP: + *_type_out = type_in; + *_opt_name_out = NULL; + return EAGAIN; + case SSS_DP_INITGROUPS: + /* There is no initgroups enumeration so let's use a dummy + * name to let the DP chain the requests + */ + *_type_out = type_in; + *_opt_name_out = DP_REQ_OPT_FILES_INITGR; + return EAGAIN; + /* These are not handled by the files provider, just fall back */ + case SSS_DP_NETGR: + case SSS_DP_SERVICES: + case SSS_DP_SECID: + case SSS_DP_USER_AND_GROUP: + case SSS_DP_CERT: + case SSS_DP_WILDCARD_USER: + case SSS_DP_WILDCARD_GROUP: + return EOK; + } + + DEBUG(SSSDBG_CRIT_FAILURE, "Unhandled type %d\n", type_in); + return EINVAL; +} + +static DBusMessage * +sss_dp_get_account_msg(void *pvt) +{ + DBusMessage *msg; + dbus_bool_t dbret; + struct sss_dp_account_info *info; + uint32_t dp_flags; + uint32_t entry_type; + char *filter; + + info = talloc_get_type(pvt, struct sss_dp_account_info); + + switch (info->type) { + case SSS_DP_USER: + case SSS_DP_WILDCARD_USER: + entry_type = BE_REQ_USER; + break; + case SSS_DP_GROUP: + case SSS_DP_WILDCARD_GROUP: + entry_type = BE_REQ_GROUP; + break; + case SSS_DP_INITGROUPS: + entry_type = BE_REQ_INITGROUPS; + break; + case SSS_DP_NETGR: + entry_type = BE_REQ_NETGROUP; + break; + case SSS_DP_SERVICES: + entry_type = BE_REQ_SERVICES; + break; + case SSS_DP_SECID: + entry_type = BE_REQ_BY_SECID; + break; + case SSS_DP_USER_AND_GROUP: + entry_type = BE_REQ_USER_AND_GROUP; + break; + case SSS_DP_CERT: + entry_type = BE_REQ_BY_CERT; + break; + } + + dp_flags = info->fast_reply ? 
DP_FAST_REPLY : 0; + + if (info->opt_name) { + switch(info->type) { + case SSS_DP_SECID: + filter = talloc_asprintf(info, "%s=%s", DP_SEC_ID, + info->opt_name); + break; + case SSS_DP_CERT: + filter = talloc_asprintf(info, "%s=%s", DP_CERT, + info->opt_name); + break; + case SSS_DP_WILDCARD_USER: + case SSS_DP_WILDCARD_GROUP: + filter = talloc_asprintf(info, "%s=%s", DP_WILDCARD, + info->opt_name); + break; + default: + filter = talloc_asprintf(info, "name=%s", info->opt_name); + break; + } + } else if (info->opt_id) { + filter = talloc_asprintf(info, "idnumber=%u", info->opt_id); + } else { + filter = talloc_strdup(info, ENUM_INDICATOR); + } + if (!filter) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return NULL; + } + + msg = dbus_message_new_method_call(NULL, + DP_PATH, + IFACE_DP, + IFACE_DP_GETACCOUNTINFO); + if (msg == NULL) { + talloc_free(filter); + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return NULL; + } + + /* create the message */ + DEBUG(SSSDBG_TRACE_FUNC, + "Creating request for [%s][%#x][%s][%s:%s]\n", + info->dom->name, entry_type, be_req2str(entry_type), + filter, info->extra == NULL ? "-" : info->extra); + + if (info->extra == NULL) { + /* D-Bus can't deal with NULL. 
*/ + info->extra = ""; + } + + dbret = dbus_message_append_args(msg, + DBUS_TYPE_UINT32, &dp_flags, + DBUS_TYPE_UINT32, &entry_type, + DBUS_TYPE_STRING, &filter, + DBUS_TYPE_STRING, &info->dom->name, + DBUS_TYPE_STRING, &info->extra, + DBUS_TYPE_INVALID); + talloc_free(filter); + if (!dbret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + dbus_message_unref(msg); + return NULL; + } + + return msg; +} + +errno_t +sss_dp_get_account_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + return sss_dp_req_recv(mem_ctx, req, dp_err, dp_ret, err_msg); +} + +struct dp_internal_get_state { + struct resp_ctx *rctx; + struct sss_domain_info *dom; + + struct sss_dp_req *sdp_req; + DBusPendingCall *pending_reply; +}; + +static void sss_dp_internal_get_done(DBusPendingCall *pending, void *ptr); + +static struct tevent_req * +sss_dp_internal_get_send(struct resp_ctx *rctx, + hash_key_t *key, + struct sss_domain_info *dom, + DBusMessage *msg) +{ + errno_t ret; + int hret; + struct tevent_req *req; + struct dp_internal_get_state *state; + struct be_conn *be_conn; + hash_value_t value; + + /* Internal requests need to be allocated on the responder context + * so that they don't go away if a client disconnects. The worst- + * case scenario here is that the cache is updated without any + * client expecting a response. + */ + req = tevent_req_create(rctx, + &state, + struct dp_internal_get_state); + if (!req) return NULL; + + state->rctx = rctx; + state->dom = dom; + + state->sdp_req = talloc_zero(state, struct sss_dp_req); + if (!state->sdp_req) { + ret = ENOMEM; + goto error; + } + state->sdp_req->rctx = rctx; + state->sdp_req->ev = rctx->ev; + + /* Copy the key to use when calling the destructor + * It needs to be a copy because the original request + * might be freed if it no longer cares about the reply. 
+ */ + state->sdp_req->key = talloc_steal(state->sdp_req, key); + + /* double check dp_ctx has actually been initialized. + * in some pathological cases it may happen that nss starts up before + * dp connection code is actually able to establish a connection. + */ + ret = sss_dp_get_domain_conn(rctx, dom->conn_name, &be_conn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "BUG: The Data Provider connection for %s is not available!\n", + dom->name); + ret = EIO; + goto error; + } + + ret = sbus_conn_send(be_conn->conn, msg, + SSS_CLI_SOCKET_TIMEOUT / 2, + sss_dp_internal_get_done, + req, + &state->sdp_req->pending_reply); + if (ret != EOK) { + /* + * Critical Failure + * We can't communicate on this connection + */ + DEBUG(SSSDBG_CRIT_FAILURE, + "D-BUS send failed.\n"); + ret = EIO; + goto error; + } + + /* Add this sdp_req to the hash table */ + value.type = HASH_VALUE_PTR; + value.ptr = state->sdp_req; + + DEBUG(SSSDBG_TRACE_FUNC, "Entering request [%s]\n", key->str); + hret = hash_enter(rctx->dp_request_table, key, &value); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not store request query (%s)\n", + hash_error_string(hret)); + ret = EIO; + goto error; + } + talloc_set_destructor((TALLOC_CTX *)state->sdp_req, + sss_dp_req_destructor); + + return req; + +error: + tevent_req_error(req, ret); + tevent_req_post(req, rctx->ev); + return req; +} + +static void sss_dp_internal_get_done(DBusPendingCall *pending, void *ptr) +{ + int ret; + struct tevent_req *req; + struct sss_dp_req *sdp_req; + struct sss_dp_callback *cb; + struct dp_internal_get_state *state; + struct sss_dp_req_state *cb_state; + + req = talloc_get_type(ptr, struct tevent_req); + state = tevent_req_data(req, struct dp_internal_get_state); + sdp_req = state->sdp_req; + + /* prevent trying to cancel a reply that we already received */ + sdp_req->pending_reply = NULL; + + ret = sss_dp_get_reply(pending, + &sdp_req->dp_err, + &sdp_req->dp_ret, + &sdp_req->err_msg); + if (ret != 
EOK) { + if (ret == ETIME) { + sdp_req->dp_err = DP_ERR_TIMEOUT; + sdp_req->dp_ret = ret; + sdp_req->err_msg = talloc_strdup(sdp_req, "Request timed out"); + } + else { + sdp_req->dp_err = DP_ERR_FATAL; + sdp_req->dp_ret = ret; + sdp_req->err_msg = + talloc_strdup(sdp_req, + "Failed to get reply from Data Provider"); + } + } + + /* Check whether we need to issue any callbacks */ + while ((cb = sdp_req->cb_list) != NULL) { + cb_state = tevent_req_data(cb->req, struct sss_dp_req_state); + cb_state->dp_err = sdp_req->dp_err; + cb_state->dp_ret = sdp_req->dp_ret; + cb_state->err_msg = talloc_strdup(cb_state, sdp_req->err_msg); + /* Don't bother checking for NULL. If it fails due to ENOMEM, + * we can't really handle it anyway. + */ + + /* tevent_req_done/error will free cb */ + if (ret == EOK) { + tevent_req_done(cb->req); + } else { + tevent_req_error(cb->req, ret); + } + + /* Freeing the cb removes it from the cb_list. + * Therefore, the cb_list should now be pointing + * at a new callback. If it's not, it means the + * callback handler didn't free cb and may leak + * memory. Be paranoid and protect against this + * situation. + */ + if (cb == sdp_req->cb_list) { + DEBUG(SSSDBG_FATAL_FAILURE, + "BUG: a callback did not free its request. " + "May leak memory\n"); + /* Skip to the next since a memory leak is non-fatal */ + sdp_req->cb_list = sdp_req->cb_list->next; + } + } + + /* We're done with this request. Free the sdp_req + * This will clean up the hash table entry as well + */ + talloc_zfree(sdp_req); + + /* Free the sidereq to free the rest of the memory allocated with the + * internal dp request. */ + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } +} diff --git a/src/responder/common/responder_dp_ssh.c b/src/responder/common/responder_dp_ssh.c new file mode 100644 index 0000000..f780522 --- /dev/null +++ b/src/responder/common/responder_dp_ssh.c 
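Review bot: In `sss_dp_issue_request` the local-provider branch leaves with a bare `return EOK;`, so `tmp_ctx` (created with `talloc_new(NULL)`) and the `key` allocated under it are never freed. Every request routed to a `local` domain leaks them, which in a long-running responder means memory growth driven by client lookups. Leave through the common exit instead: `ret = EOK; goto fail;`. Separately, the first `switch (info->type)` in `sss_dp_get_account_msg` has no `default:`, so a value outside the listed cases would leave `entry_type` uninitialized when it is logged and appended to the message. A `default:` that logs and returns NULL would close that; the enum definition is not visible in this hunk, so this is a defensive suggestion.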
@@ -0,0 +1,159 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "sbus/sbus_client.h" +#include "sbus/sssd_dbus.h" +#include "providers/data_provider/dp_responder_iface.h" +#include "responder/common/responder.h" + +struct sss_dp_get_ssh_host_info { + struct sss_domain_info *dom; + + bool fast_reply; + const char *name; + const char *alias; +}; + +static DBusMessage * +sss_dp_get_ssh_host_msg(void *pvt); + +struct tevent_req * +sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + const char *name, + const char *alias) +{ + errno_t ret; + struct tevent_req *req; + struct sss_dp_get_ssh_host_info *info; + struct sss_dp_req_state *state; + char *key; + + req = tevent_req_create(mem_ctx, &state, struct sss_dp_req_state); + if (!req) { + return NULL; + } + + if (!dom) { + ret = EINVAL; + goto error; + } + + info = talloc_zero(state, struct sss_dp_get_ssh_host_info); + if (info == NULL) { + ret = ENOMEM; + goto error; + } + info->fast_reply = fast_reply; + info->name = name; + info->alias = alias; + info->dom = dom; + + if (alias) { + key = talloc_asprintf(state, "%s:%s@%s", name, alias, dom->name); + } else { + key = talloc_asprintf(state, "%s@%s", name, dom->name); + } + if (!key) { + ret = ENOMEM; + goto error; + } + + ret 
= sss_dp_issue_request(state, rctx, key, dom, sss_dp_get_ssh_host_msg, + info, req); + talloc_free(key); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not issue DP request [%d]: %s\n", + ret, strerror(ret)); + goto error; + } + + return req; + +error: + tevent_req_error(req, ret); + tevent_req_post(req, rctx->ev); + return req; +} + +static DBusMessage * +sss_dp_get_ssh_host_msg(void *pvt) +{ + DBusMessage *msg; + dbus_bool_t dbret; + struct sss_dp_get_ssh_host_info *info; + uint32_t dp_flags = 0; + + info = talloc_get_type(pvt, struct sss_dp_get_ssh_host_info); + + if (info->fast_reply) { + dp_flags |= DP_FAST_REPLY; + } + + msg = dbus_message_new_method_call(NULL, + DP_PATH, + IFACE_DP, + IFACE_DP_HOSTHANDLER); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return NULL; + } + + /* create the message */ + DEBUG(SSSDBG_TRACE_FUNC, + "Creating SSH host request for [%s][%u][%s][%s]\n", + info->dom->name, dp_flags, info->name, + info->alias == NULL ? "-" : info->alias); + + if (info->alias == NULL) { + info->alias = ""; + } + + dbret = dbus_message_append_args(msg, + DBUS_TYPE_UINT32, &dp_flags, + DBUS_TYPE_STRING, &info->name, + DBUS_TYPE_STRING, &info->alias, + DBUS_TYPE_INVALID); + if (!dbret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + dbus_message_unref(msg); + return NULL; + } + + return msg; +} + +errno_t +sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + return sss_dp_req_recv(mem_ctx, req, dp_err, dp_ret, err_msg); +} diff --git a/src/responder/common/responder_get_domains.c b/src/responder/common/responder_get_domains.c new file mode 100644 index 0000000..9154db6 --- /dev/null +++ b/src/responder/common/responder_get_domains.c 
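Review bot: `sss_dp_get_ssh_host_send` validates `dom` but not `name`, yet `name` is formatted with `%s` into the request key and later passed to `dbus_message_append_args` as a `DBUS_TYPE_STRING` in `sss_dp_get_ssh_host_msg`. That function substitutes `""` only for a NULL `alias`. If a caller can reach this with a NULL host name (callers are outside this hunk), the key formatting is undefined and the D-Bus append receives a NULL string. Rejecting it up front keeps the failure on the normal error path: `if (!dom || !name) { ret = EINVAL; goto error; }`.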
@@ -0,0 +1,799 @@ +/* + Authors: + Jan Zeleny + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "responder/common/responder.h" +#include "providers/data_provider.h" +#include "db/sysdb.h" + +/* ========== Get subdomains for a domain ================= */ +static DBusMessage *sss_dp_get_domains_msg(void *pvt); + +struct sss_dp_domains_info { + struct sss_domain_info *dom; + const char *hint; +}; + +static struct tevent_req * +get_subdomains_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx, + struct sss_domain_info *dom, + const char *hint) +{ + errno_t ret; + struct tevent_req *req; + struct sss_dp_req_state *state; + struct sss_dp_domains_info *info; + char *key; + + req = tevent_req_create(mem_ctx, &state, struct sss_dp_req_state); + if (req == NULL) { + return NULL; + } + + info = talloc_zero(state, struct sss_dp_domains_info); + if (!info) { + ret = ENOMEM; + goto fail; + } + info->hint = hint; + info->dom = dom; + + key = talloc_asprintf(state, "domains@%s", dom->name); + if (key == NULL) { + ret = ENOMEM; + goto fail; + } + + ret = sss_dp_issue_request(state, rctx, key, dom, + sss_dp_get_domains_msg, info, req); + talloc_free(key); + if (ret != EOK) { + ret = EIO; + goto fail; + } + + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, rctx->ev); + return req; +} + +static DBusMessage * +sss_dp_get_domains_msg(void *pvt) +{ + 
struct sss_dp_domains_info *info; + DBusMessage *msg = NULL; + dbus_bool_t dbret; + + info = talloc_get_type(pvt, struct sss_dp_domains_info); + + msg = dbus_message_new_method_call(NULL, + DP_PATH, + IFACE_DP, + IFACE_DP_GETDOMAINS); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return NULL; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Sending get domains request for [%s][%s]\n", + info->dom->name, info->hint); + + /* Send the hint argument to provider as well. This will + * be useful for some cases of transitional trust where + * the server might not know all trusted domains + */ + dbret = dbus_message_append_args(msg, + DBUS_TYPE_STRING, &info->hint, + DBUS_TYPE_INVALID); + if (!dbret) { + DEBUG(SSSDBG_OP_FAILURE ,"Failed to build message\n"); + dbus_message_unref(msg); + return NULL; + } + + return msg; +} + +static errno_t +get_next_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + return sss_dp_req_recv(mem_ctx, req, dp_err, dp_ret, err_msg); +} + +/* ====== Iterate over all domains, searching for their subdomains ======= */ +static errno_t process_subdomains(struct sss_domain_info *dom, + struct confdb_ctx *confdb); +static void set_time_of_last_request(struct resp_ctx *rctx); +static errno_t check_last_request(struct resp_ctx *rctx, const char *hint); + +struct sss_dp_get_domains_state { + struct resp_ctx *rctx; + struct sss_domain_info *dom; + const char *hint; +}; + +static void +sss_dp_get_domains_process(struct tevent_req *subreq); + +struct tevent_req *sss_dp_get_domains_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + bool force, + const char *hint) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct sss_dp_get_domains_state *state; + + req = tevent_req_create(mem_ctx, &state, struct sss_dp_get_domains_state); + if (req == NULL) { + return NULL; + } + + if (rctx->domains == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No 
domains configured.\n");
+ ret = EINVAL;
+ goto immediately;
+ }
+
+ if (!force) {
+ ret = check_last_request(rctx, hint);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Last call was too recent, nothing to do!\n");
+ goto immediately;
+ } else if (ret != EAGAIN) {
+ DEBUG(SSSDBG_TRACE_FUNC, "check_domain_request failed with [%d][%s]\n",
+ ret, strerror(ret));
+ goto immediately;
+ }
+ }
+
+ state->rctx = rctx;
+ if (hint != NULL) {
+ state->hint = hint;
+ } else {
+ state->hint = talloc_strdup(state, "");
+ if (state->hint == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ }
+
+ state->dom = rctx->domains;
+ while(state->dom != NULL && !NEED_CHECK_PROVIDER(state->dom->provider)) {
+ state->dom = get_next_domain(state->dom, 0);
+ }
+
+ if (state->dom == NULL) {
+ /* All domains were local */
+ ret = sss_resp_populate_cr_domains(state->rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_resp_populate_cr_domains() failed [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto immediately;
+ }
+ ret = EOK;
+ goto immediately;
+ }
+
+ subreq = get_subdomains_send(req, rctx, state->dom, state->hint);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ tevent_req_set_callback(subreq, sss_dp_get_domains_process, req);
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ set_time_of_last_request(rctx);
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, rctx->ev);
+
+ return req;
+}
+
+static void sss_resp_update_certmaps(struct resp_ctx *rctx)
+{
+ int ret;
+ struct certmap_info **certmaps;
+ bool user_name_hint;
+ struct sss_domain_info *dom;
+
+ for (dom = rctx->domains; dom != NULL; dom = dom->next) {
+ ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint);
+ if (ret == EOK) {
+ dom->user_name_hint = user_name_hint;
+ talloc_free(dom->certmaps);
+ dom->certmaps = certmaps;
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sysdb_get_certmap failed for domain [%s].\n", dom->name);
+ }
+ }
+}
+
+static void
+sss_dp_get_domains_process(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sss_dp_get_domains_state *state = tevent_req_data(req,
+ struct sss_dp_get_domains_state);
+ dbus_uint16_t dp_err;
+ dbus_uint32_t dp_ret;
+ char *err_msg;
+
+ ret = get_next_domain_recv(req, subreq, &dp_err, &dp_ret, &err_msg);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ ret = process_subdomains(state->dom, state->rctx->cdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "process_subdomains failed, "
+ "trying next domain.\n");
+ goto fail;
+ }
+
+ /* Advance to the next domain */
+ state->dom = get_next_domain(state->dom, 0);
+
+ /* Skip local domains */
+ while(state->dom != NULL && !NEED_CHECK_PROVIDER(state->dom->provider)) {
+ state->dom = get_next_domain(state->dom, 0);
+ }
+
+ if (state->dom == NULL) {
+ /* All domains were local */
+ set_time_of_last_request(state->rctx);
+ ret = sss_resp_populate_cr_domains(state->rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_resp_populate_cr_domains() failed [%d]: [%s]\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ sss_resp_update_certmaps(state->rctx);
+
+ tevent_req_done(req);
+ return;
+ }
+
+ subreq = get_subdomains_send(req, state->rctx, state->dom, state->hint);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto fail;
+ }
+ tevent_req_set_callback(subreq, sss_dp_get_domains_process, req);
+ return;
+
+fail:
+ tevent_req_error(req, ret);
+ return;
+}
+
+static errno_t
+process_subdomains(struct sss_domain_info *domain, struct confdb_ctx *confdb)
+{
+ int ret;
+
+ if (domain->realm == NULL ||
+ domain->flat_name == NULL ||
+ domain->domain_id == NULL) {
+ ret = sysdb_master_domain_update(domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FUNC_DATA, "sysdb_master_domain_get_info " \
+ "failed.\n");
+ goto done;
+ }
+ }
+
+ /* Retrieve all subdomains of this domain from sysdb
+ * and create their struct sss_domain_info representations
+ */
+ ret = sysdb_update_subdomains(domain, confdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FUNC_DATA, "sysdb_update_subdomains failed.\n");
+ goto done;
+ }
+
+ errno = 0;
+ ret = gettimeofday(&domain->subdomains_last_checked, NULL);
+ if (ret == -1) {
+ ret = errno;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to update sub-domains "
+ "of domain [%s].\n", domain->name);
+ }
+
+ return ret;
+}
+
+errno_t sss_dp_get_domains_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return EOK;
+}
+
+static void set_time_of_last_request(struct resp_ctx *rctx)
+{
+ int ret;
+
+ errno = 0;
+ ret = gettimeofday(&rctx->get_domains_last_call, NULL);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_TRACE_FUNC, "gettimeofday failed [%d][%s].\n",
+ ret, strerror(ret));
+ }
+}
+
+static errno_t check_last_request(struct resp_ctx *rctx, const char *hint)
+{
+ struct sss_domain_info *dom;
+ time_t now = time(NULL);
+ time_t diff;
+
+ diff = now - rctx->get_domains_last_call.tv_sec;
+ if (diff >= rctx->domains_timeout) {
+ /* Timeout, expired, fetch domains again */
+ return EAGAIN;
+ }
+
+ if (hint != NULL) {
+ for (dom = rctx->domains; dom;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ if (!IS_SUBDOMAIN(dom)) {
+ diff = now - dom->subdomains_last_checked.tv_sec;
+ /* not a subdomain */
+ continue;
+ }
+ if (strcasecmp(dom->name, hint) == 0) {
+ if (diff >= rctx->domains_timeout) {
+ /* Timeout, expired, fetch domains again */
+ return EAGAIN;
+ }
+ }
+ }
+ }
+
+ return EOK;
+}
+
+struct get_domains_state {
+ struct resp_ctx *rctx;
+ struct sss_nc_ctx *optional_ncache;
+};
+
+static void get_domains_at_startup_done(struct tevent_req *req)
+{
+ int ret;
+ struct get_domains_state *state;
+
+ state = tevent_req_callback_data(req, struct get_domains_state);
+
+ ret = sss_dp_get_domains_recv(req);
+ talloc_free(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_dp_get_domains request failed.\n");
+ }
+
+ if (state->optional_ncache != NULL) {
+ ret = sss_ncache_reset_repopulate_permanent(state->rctx,
+ state->optional_ncache);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_dp_get_domains request failed.\n");
+ }
+ }
+
+ if (!NEED_CHECK_PROVIDER(state->rctx->domains->provider)) {
+ ret = sysdb_master_domain_update(state->rctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sysdb_master_domain_update failed, "
+ "ignored.\n");
+ }
+ }
+
+ talloc_free(state);
+ return;
+}
+
+static void get_domains_at_startup(struct tevent_context *ev,
+ struct tevent_immediate *imm,
+ void *pvt)
+{
+ struct tevent_req *req;
+ struct get_domains_state *state;
+
+ state = talloc_get_type(pvt, struct get_domains_state);
+
+ req = sss_dp_get_domains_send(state, state->rctx, true, NULL);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_dp_get_domains_send failed.\n");
+ talloc_free(state);
+ return;
+ }
+
+ tevent_req_set_callback(req, get_domains_at_startup_done, state);
+ return;
+}
+
+errno_t schedule_get_domains_task(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_nc_ctx *optional_ncache)
+{
+ struct tevent_immediate *imm;
+ struct get_domains_state *state;
+
+ state = talloc(mem_ctx, struct get_domains_state);
+ if (state == NULL) {
+ return ENOMEM;
+ }
+ state->rctx = rctx;
+ state->optional_ncache = optional_ncache;
+
+ imm = tevent_create_immediate(mem_ctx);
+ if (imm == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "tevent_create_immediate failed.\n");
+ talloc_free(state);
+ return ENOMEM;
+ }
+
+ tevent_schedule_immediate(imm, ev, get_domains_at_startup, state);
+
+ return EOK;
+}
+
+struct sss_parse_inp_state {
+ struct resp_ctx *rctx;
+ const char *default_domain;
+ const char *rawinp;
+
+ char *name;
+ char *domname;
+ errno_t error;
+};
+
+static void sss_parse_inp_done(struct tevent_req *subreq);
+
+struct tevent_req *
+sss_parse_inp_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ const char *default_domain,
+ const char *rawinp)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct sss_parse_inp_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct sss_parse_inp_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ if (rawinp == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Empty input!\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ state->rctx = rctx;
+
+ state->rawinp = talloc_strdup(state, rawinp);
+ if (state->rawinp == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+
+ state->default_domain = talloc_strdup(state, default_domain);
+ if (default_domain != NULL && state->default_domain == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* If the subdomains haven't been checked yet, we need to always
+ * attach to the post-startup subdomain request and only then parse
+ * the input. Otherwise, we might not be able to parse input with a
+ * flat domain name specifier */
+ if (rctx->get_domains_last_call.tv_sec > 0) {
+ ret = sss_parse_name_for_domains(state, rctx->domains,
+ default_domain, rawinp,
+ &state->domname, &state->name);
+ if (ret == EOK) {
+ /* Was able to use cached domains */
+ goto done;
+ } else if (ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid name received [%s]\n", rawinp);
+ ret = ERR_INPUT_PARSE;
+ goto done;
+ }
+ }
+
+ /* EAGAIN - check the DP for subdomains */
+
+ DEBUG(SSSDBG_FUNC_DATA, "Requesting info for [%s] from [%s]\n",
+ state->name, state->domname ? state->domname : "");
+
+ /* We explicitly use force=false here. This request should decide itself
+ * if it's time to re-use the cached subdomain list or refresh. If the
+ * caller needs to specify the 'force' parameter, they should use the
+ * sss_dp_get_domains_send() request itself
+ */
+ subreq = sss_dp_get_domains_send(state, rctx, false, state->domname);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ tevent_req_set_callback(subreq, sss_parse_inp_done, req);
+ return req;
+
+done:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, rctx->ev);
+ return req;
+}
+
+static void sss_parse_inp_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sss_parse_inp_state *state = tevent_req_data(req,
+ struct sss_parse_inp_state);
+
+ ret = sss_dp_get_domains_recv(subreq);
+ talloc_free(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->error = ERR_OK;
+
+ ret = sss_parse_name_for_domains(state, state->rctx->domains,
+ state->default_domain,
+ state->rawinp,
+ &state->domname, &state->name);
+ if (ret == EAGAIN && state->domname != NULL && state->name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unknown domain in [%s]\n", state->rawinp);
+ state->error = ERR_DOMAIN_NOT_FOUND;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Invalid name received [%s]\n", state->rawinp);
+ state->error = ERR_INPUT_PARSE;
+ }
+
+ if (state->error != ERR_OK) {
+ tevent_req_error(req, state->error);
+ return;
+ }
+
+ /* Was able to parse the name now */
+ tevent_req_done(req);
+}
+
+errno_t sss_parse_inp_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ char **_name, char **_domname)
+{
+ struct sss_parse_inp_state *state = tevent_req_data(req,
+ struct sss_parse_inp_state);
+
+ if (state->error != ERR_DOMAIN_NOT_FOUND) {
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ }
+
+ if (_name) {
+ *_name = talloc_steal(mem_ctx, state->name);
+ }
+
+ if (_domname) {
+ *_domname = talloc_steal(mem_ctx, state->domname);
+ }
+
+ return state->error;
+}
+
+/* ========== Get domain of an account ================= */
+struct sss_dp_get_account_domain_info {
+ struct sss_domain_info *dom;
+ enum sss_dp_acct_type type;
+ uint32_t opt_id;
+};
+
+static DBusMessage *sss_dp_get_account_domain_msg(void *pvt);
+
+struct tevent_req *sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ enum sss_dp_acct_type type,
+ uint32_t opt_id)
+{
+ struct tevent_req *req;
+ struct sss_dp_get_account_domain_info *info;
+ struct sss_dp_req_state *state;
+ char *key;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct sss_dp_req_state);
+ if (!req) {
+ return NULL;
+ }
+
+ info = talloc_zero(state, struct sss_dp_get_account_domain_info);
+ if (info == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+ info->type = type;
+ info->opt_id = opt_id;
+ info->dom = dom;
+
+ key = talloc_asprintf(state, "%d: %"SPRIuid"@%s", type, opt_id, dom->name);
+ if (key == NULL) {
+ ret = ENOMEM;
+ goto immediately;
+ }
+
+ ret = sss_dp_issue_request(state, rctx, key, dom,
+ sss_dp_get_account_domain_msg,
+ info, req);
+ talloc_free(key);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not issue DP request [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto immediately;
+ }
+
+ return req;
+
+immediately:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, rctx->ev);
+ return req;
+}
+
+static DBusMessage *
+sss_dp_get_account_domain_msg(void *pvt)
+{
+ DBusMessage *msg;
+ dbus_bool_t dbret;
+ struct sss_dp_get_account_domain_info *info;
+ uint32_t entry_type;
+ char *filter;
+
+ info = talloc_get_type(pvt, struct sss_dp_get_account_domain_info);
+
+ switch (info->type) {
+ case SSS_DP_USER:
+ entry_type = BE_REQ_USER;
+ break;
+ case SSS_DP_GROUP:
+ entry_type = BE_REQ_GROUP;
+ break;
+ case SSS_DP_USER_AND_GROUP:
+ entry_type = BE_REQ_USER_AND_GROUP;
+ break;
+ default:
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unsupported lookup type %X for this request\n", info->type);
+ return NULL;
+ }
+
+ filter = talloc_asprintf(info, "idnumber=%u", info->opt_id);
+ if (!filter) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return NULL;
+ }
+
+ msg = dbus_message_new_method_call(NULL,
+ DP_PATH,
+ IFACE_DP,
+ IFACE_DP_GETACCOUNTDOMAIN);
+ if (msg == NULL) {
+ talloc_free(filter);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ return NULL;
+ }
+
+ /* create the message */
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Creating request for [%s][%#x][%s][%s:-]\n",
+ info->dom->name, entry_type, be_req2str(entry_type), filter);
+
+ dbret = dbus_message_append_args(msg,
+ DBUS_TYPE_UINT32, &entry_type,
+ DBUS_TYPE_STRING, &filter,
+ DBUS_TYPE_INVALID);
+ talloc_free(filter);
+ if (!dbret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n");
+ dbus_message_unref(msg);
+ return NULL;
+ }
+
+ return msg;
+}
+
+errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ char **_domain)
+{
+ errno_t ret;
+ dbus_uint16_t err_maj;
+ dbus_uint32_t err_min;
+ char *msg;
+
+ ret = sss_dp_req_recv(mem_ctx, req, &err_maj, &err_min, &msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not get account info [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (err_maj != DP_ERR_OK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Data Provider Error: %u, %u\n",
+ (unsigned int)err_maj, (unsigned int)err_min);
+ talloc_free(msg);
+ return err_min ? err_min : EIO;
+ }
+
+ *_domain = msg;
+ return EOK;
+}
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
new file mode 100644
index 0000000..cc4d669
--- /dev/null
+++ b/src/responder/common/responder_packet.c
@@ -0,0 +1,326 @@
+/*
+ SSSD
+
+ SSS Client Responder, command parser
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "responder/common/responder_packet.h"
+
+#define SSSSRV_PACKET_MEM_SIZE 512
+
+struct sss_packet {
+ size_t memsize;
+
+ /* Structure of the buffer:
+ * Bytes Content
+ * ---------------------------------
+ * 0-15 packet header
+ * 0-3 packet length (uint32_t)
+ * 4-7 command type (uint32_t)
+ * 8-11 status (uint32_t)
+ * 12-15 reserved
+ * 16+ packet body */
+ uint8_t *buffer;
+
+ /* io pointer */
+ size_t iop;
+};
+
+/* Offsets to data in sss_packet's buffer */
+#define SSS_PACKET_LEN_OFFSET 0
+#define SSS_PACKET_CMD_OFFSET sizeof(uint32_t)
+#define SSS_PACKET_ERR_OFFSET (2*(sizeof(uint32_t)))
+#define SSS_PACKET_BODY_OFFSET (4*(sizeof(uint32_t)))
+
+static void sss_packet_set_len(struct sss_packet *packet, uint32_t len);
+static void sss_packet_set_cmd(struct sss_packet *packet,
+ enum sss_cli_command cmd);
+static uint32_t sss_packet_get_len(struct sss_packet *packet);
+
+/*
+ * Allocate a new packet structure
+ *
+ * - if size is defined use it otherwise the default packet will be
+ * SSSSRV_PACKET_MEM_SIZE bytes.
+ */
+int sss_packet_new(TALLOC_CTX *mem_ctx, size_t size,
+ enum sss_cli_command cmd,
+ struct sss_packet **rpacket)
+{
+ struct sss_packet *packet;
+
+ packet = talloc(mem_ctx, struct sss_packet);
+ if (!packet) return ENOMEM;
+
+ if (size) {
+ int n = (size + SSS_NSS_HEADER_SIZE) / SSSSRV_PACKET_MEM_SIZE;
+ packet->memsize = (n + 1) * SSSSRV_PACKET_MEM_SIZE;
+ } else {
+ packet->memsize = SSSSRV_PACKET_MEM_SIZE;
+ }
+
+ packet->buffer = talloc_size(packet, packet->memsize);
+ if (!packet->buffer) {
+ talloc_free(packet);
+ return ENOMEM;
+ }
+ memset(packet->buffer, 0, SSS_NSS_HEADER_SIZE);
+
+ sss_packet_set_len(packet, size + SSS_NSS_HEADER_SIZE);
+ sss_packet_set_cmd(packet, cmd);
+
+ packet->iop = 0;
+
+ *rpacket = packet;
+
+ return EOK;
+}
+
+/* grows a packet size only in SSSSRV_PACKET_MEM_SIZE chunks */
+int sss_packet_grow(struct sss_packet *packet, size_t size)
+{
+ size_t totlen, len;
+ uint8_t *newmem;
+ uint32_t packet_len;
+
+ if (size == 0) {
+ return EOK;
+ }
+
+ totlen = packet->memsize;
+ packet_len = sss_packet_get_len(packet);
+
+ len = packet_len + size;
+
+ /* make sure we do not overflow */
+ if (totlen < len) {
+ int n = len / SSSSRV_PACKET_MEM_SIZE + 1;
+ totlen += n * SSSSRV_PACKET_MEM_SIZE;
+ if (totlen < len) {
+ return EINVAL;
+ }
+ }
+
+ if (totlen > packet->memsize) {
+ newmem = talloc_realloc_size(packet, packet->buffer, totlen);
+ if (!newmem) {
+ return ENOMEM;
+ }
+
+ packet->memsize = totlen;
+
+ /* re-set pointers if realloc had to move memory */
+ if (newmem != packet->buffer) {
+ packet->buffer = newmem;
+ }
+ }
+
+ packet_len += size;
+ sss_packet_set_len(packet, packet_len);
+
+
+ return 0;
+}
+
+/* reclaim backet previously resrved space in the packet
+ * usually done in functione recovering from not fatal erros */
+int sss_packet_shrink(struct sss_packet *packet, size_t size)
+{
+ size_t newlen;
+ size_t oldlen = sss_packet_get_len(packet);
+
+ if (size > oldlen) return EINVAL;
+
+ newlen = oldlen - size;
+ if (newlen < SSS_NSS_HEADER_SIZE) return EINVAL;
+
+ sss_packet_set_len(packet, newlen);
+ return 0;
+}
+
+int sss_packet_set_size(struct sss_packet *packet, size_t size)
+{
+ size_t newlen;
+
+ newlen = SSS_NSS_HEADER_SIZE + size;
+
+ /* make sure we do not overflow */
+ if (packet->memsize < newlen) return EINVAL;
+
+ sss_packet_set_len(packet, newlen);
+
+ return 0;
+}
+
+int sss_packet_recv(struct sss_packet *packet, int fd)
+{
+ size_t rb;
+ size_t len;
+ void *buf;
+ size_t new_len;
+ int ret;
+
+ buf = (uint8_t *)packet->buffer + packet->iop;
+ if (packet->iop > 4) len = sss_packet_get_len(packet) - packet->iop;
+ else len = packet->memsize - packet->iop;
+
+ /* check for wrapping */
+ if (len > packet->memsize) {
+ return EINVAL;
+ }
+
+ errno = 0;
+ rb = recv(fd, buf, len, 0);
+
+ if (rb == -1) {
+ if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) {
+ return EAGAIN;
+ } else {
+ return errno;
+ }
+ }
+
+ if (rb == 0) {
+ return ENODATA;
+ }
+
+ if (sss_packet_get_len(packet) > packet->memsize) {
+ /* Allow certificate based requests to use larger buffer but not
+ * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way
+ * sss_packet_grow() works the packet len must be set to '0' first and
+ * then grow to the expected size. */
+ if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT
+ || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
+ && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
+ && (new_len = sss_packet_get_len(packet))
+ < SSS_CERT_PACKET_MAX_RECV_SIZE) {
+ new_len = sss_packet_get_len(packet);
+ sss_packet_set_len(packet, 0);
+ ret = sss_packet_grow(packet, new_len);
+ if (ret != EOK) {
+ return ret;
+ }
+ } else {
+ return EINVAL;
+ }
+ }
+
+ packet->iop += rb;
+ if (packet->iop < 4) {
+ return EAGAIN;
+ }
+
+ if (packet->iop < sss_packet_get_len(packet)) {
+ return EAGAIN;
+ }
+
+ return EOK;
+}
+
+int sss_packet_send(struct sss_packet *packet, int fd)
+{
+ size_t rb;
+ size_t len;
+ void *buf;
+
+ if (!packet) {
+ /* No packet object to write to? */
+ return EINVAL;
+ }
+
+ buf = packet->buffer + packet->iop;
+ len = sss_packet_get_len(packet) - packet->iop;
+
+ errno = 0;
+ rb = send(fd, buf, len, 0);
+
+ if (rb == -1) {
+ if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) {
+ return EAGAIN;
+ } else {
+ return errno;
+ }
+ }
+
+ if (rb == 0) {
+ return EIO;
+ }
+
+ packet->iop += rb;
+
+ if (packet->iop < sss_packet_get_len(packet)) {
+ return EAGAIN;
+ }
+
+ return EOK;
+}
+
+enum sss_cli_command sss_packet_get_cmd(struct sss_packet *packet)
+{
+ uint32_t cmd;
+
+ SAFEALIGN_COPY_UINT32(&cmd, packet->buffer + SSS_PACKET_CMD_OFFSET, NULL);
+ return (enum sss_cli_command)cmd;
+}
+
+uint32_t sss_packet_get_status(struct sss_packet *packet)
+{
+ uint32_t status;
+
+ SAFEALIGN_COPY_UINT32(&status, packet->buffer + SSS_PACKET_ERR_OFFSET,
+ NULL);
+ return status;
+}
+
+void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen)
+{
+ *body = packet->buffer + SSS_PACKET_BODY_OFFSET;
+ *blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE;
+}
+
+void sss_packet_set_error(struct sss_packet *packet, int error)
+{
+ SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_ERR_OFFSET, error,
+ NULL);
+}
+
+static void sss_packet_set_len(struct sss_packet *packet, uint32_t len)
+{
+ SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_LEN_OFFSET, len, NULL);
+}
+
+static void sss_packet_set_cmd(struct sss_packet *packet,
+ enum sss_cli_command cmd)
+{
+ SAFEALIGN_SETMEM_UINT32(packet->buffer + SSS_PACKET_CMD_OFFSET, cmd, NULL);
+}
+
+static uint32_t sss_packet_get_len(struct sss_packet *packet)
+{
+ uint32_t len;
+
+ SAFEALIGN_COPY_UINT32(&len, packet->buffer + SSS_PACKET_LEN_OFFSET, NULL);
+ return len;
+}
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
new file mode 100644
index 0000000..afceb4a
--- /dev/null
+++ b/src/responder/common/responder_packet.h
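Review bot: sss_packet_recv() accepts any client-declared length that fits in the buffer, including one smaller than SSS_NSS_HEADER_SIZE, and returns EOK as soon as `iop` reaches it. sss_packet_get_body() then computes `*blen = sss_packet_get_len(packet) - SSS_NSS_HEADER_SIZE`, which wraps to a very large size_t for such a packet, whereas sss_packet_shrink() already refuses to go below the header size. After the `packet->iop < 4` check I would add `if (sss_packet_get_len(packet) < SSS_NSS_HEADER_SIZE) return EINVAL;`, unless a caller outside this hunk already rejects short lengths. Separately, `rb` stores the recv()/send() result in a size_t and is then compared with -1; declaring it `ssize_t rb;` states the intent.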
@@ -0,0 +1,45 @@
+/*
+ SSSD
+
+ SSS Client Responder, header file
+
+ Copyright (C) Simo Sorce 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __SSSSRV_PACKET_H__
+#define __SSSSRV_PACKET_H__
+
+#include "sss_client/sss_cli.h"
+
+#define SSS_PACKET_MAX_RECV_SIZE 1024
+#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
+
+struct sss_packet;
+
+int sss_packet_new(TALLOC_CTX *mem_ctx, size_t size,
+ enum sss_cli_command cmd,
+ struct sss_packet **rpacket);
+int sss_packet_grow(struct sss_packet *packet, size_t size);
+int sss_packet_shrink(struct sss_packet *packet, size_t size);
+int sss_packet_set_size(struct sss_packet *packet, size_t size);
+int sss_packet_recv(struct sss_packet *packet, int fd);
+int sss_packet_send(struct sss_packet *packet, int fd);
+enum sss_cli_command sss_packet_get_cmd(struct sss_packet *packet);
+uint32_t sss_packet_get_status(struct sss_packet *packet);
+void sss_packet_get_body(struct sss_packet *packet, uint8_t **body, size_t *blen);
+void sss_packet_set_error(struct sss_packet *packet, int error);
+
+#endif /* __SSSSRV_PACKET_H__ */
diff --git a/src/responder/common/responder_sbus.h b/src/responder/common/responder_sbus.h
new file mode 100644
index 0000000..ca1ce51
--- /dev/null
+++ b/src/responder/common/responder_sbus.h
@@ -0,0 +1,46 @@
+/*
+ SSSD
+
+ SSS Client Responder, common header file
+
+ Copyright (C) Red Hat, 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __SSS_RESPONDER_SBUS_H__
+#define __SSS_RESPONDER_SBUS_H__
+
+#define NSS_SBUS_SERVICE_NAME "nss"
+#define NSS_SBUS_SERVICE_VERSION 0x0001
+
+#define SSS_PAM_SBUS_SERVICE_NAME "pam"
+#define SSS_PAM_SBUS_SERVICE_VERSION 0x0001
+
+#define SSS_SUDO_SBUS_SERVICE_NAME "sudo"
+#define SSS_SUDO_SBUS_SERVICE_VERSION 0x0001
+
+#define SSS_AUTOFS_SBUS_SERVICE_NAME "autofs"
+#define SSS_AUTOFS_SBUS_SERVICE_VERSION 0x0001
+
+#define SSS_SSH_SBUS_SERVICE_NAME "ssh"
+#define SSS_SSH_SBUS_SERVICE_VERSION 0x0001
+
+#define SSS_IFP_SBUS_SERVICE_NAME "ifp"
+#define SSS_IFP_SBUS_SERVICE_VERSION 0x0001
+
+#define PAC_SBUS_SERVICE_NAME "pac"
+#define PAC_SBUS_SERVICE_VERSION 0x0001
+
+#endif /* __SSS_RESPONDER_SBUS_H__ */
diff --git a/src/responder/common/responder_utils.c b/src/responder/common/responder_utils.c
new file mode 100644
index 0000000..a63eab4
--- /dev/null
+++ b/src/responder/common/responder_utils.c
@@ -0,0 +1,488 @@
+
+/*
+ SSSD
+
+ Common Responder utility functions
+
+ Copyright (C) Sumit Bose 2014
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "responder/common/responder.h"
+#include "responder/common/cache_req/cache_req.h"
+#include "util/util.h"
+
+static inline bool
+attr_in_list(const char **list, size_t nlist, const char *str)
+{
+ size_t i;
+
+ for (i = 0; i < nlist; i++) {
+ if (strcasecmp(list[i], str) == 0) {
+ break;
+ }
+ }
+
+ return (i < nlist) ? true : false;
+}
+
+const char **parse_attr_list_ex(TALLOC_CTX *mem_ctx, const char *conf_str,
+ const char **defaults)
+{
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ const char **list = NULL;
+ const char **res = NULL;
+ int list_size;
+ char **conf_list = NULL;
+ int conf_list_size = 0;
+ const char **allow = NULL;
+ const char **deny = NULL;
+ int ai = 0, di = 0, li = 0;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return NULL;
+ }
+
+ if (conf_str) {
+ ret = split_on_separator(tmp_ctx, conf_str, ',', true, true,
+ &conf_list, &conf_list_size);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot parse attribute ACL list %s: %d\n", conf_str, ret);
+ goto done;
+ }
+
+ allow = talloc_zero_array(tmp_ctx, const char *, conf_list_size);
+ deny = talloc_zero_array(tmp_ctx, const char *, conf_list_size);
+ if (allow == NULL || deny == NULL) {
+ goto done;
+ }
+ }
+
+ for (i = 0; i < conf_list_size; i++) {
+ switch (conf_list[i][0]) {
+ case '+':
+ allow[ai] = conf_list[i] + 1;
+ ai++;
+ continue;
+ case '-':
+ deny[di] = conf_list[i] + 1;
+ di++;
+ continue;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "ACL values must start with "
+ "either '+' (allow) or '-' (deny), got '%s'\n",
+ conf_list[i]);
+ goto done;
+ }
+ }
+
+ /* Assume the output will have to hold defaults and all the configured,
+ * values, resize later
+ */
+ list_size = 0;
+ if (defaults != NULL) {
+ while (defaults[list_size]) {
+ list_size++;
+ }
+ }
+ list_size += conf_list_size;
+
+ list = talloc_zero_array(tmp_ctx, const char *, list_size + 1);
+ if (list == NULL) {
+ goto done;
+ }
+
+ /* Start by copying explicitly allowed attributes */
+ for (i = 0; i < ai; i++) {
+ /* if the attribute is explicitly denied, skip it */
+ if (attr_in_list(deny, di, allow[i])) {
+ continue;
+ }
+
+ list[li] = talloc_strdup(list, allow[i]);
+ if (list[li] == NULL) {
+ goto done;
+ }
+ li++;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added allowed attr %s to whitelist\n", allow[i]);
+ }
+
+ /* Add defaults */
+ if (defaults != NULL) {
+ for (i = 0; defaults[i]; i++) {
+ /* if the attribute is explicitly denied, skip it */
+ if (attr_in_list(deny, di, defaults[i])) {
+ continue;
+ }
+
+ list[li] = talloc_strdup(list, defaults[i]);
+ if (list[li] == NULL) {
+ goto done;
+ }
+ li++;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Added default attr %s to whitelist\n", defaults[i]);
+ }
+ }
+
+ res = talloc_steal(mem_ctx, list);
+done:
+ talloc_free(tmp_ctx);
+ return res;
+}
+
+char *sss_resp_create_fqname(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ bool name_is_upn,
+ const char *orig_name)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return NULL;
+ }
+
+ name = sss_get_cased_name(tmp_ctx, orig_name, dom->case_sensitive);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_get_cased_name failed\n");
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+
+ name = sss_reverse_replace_space(tmp_ctx, name, rctx->override_space);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_reverse_replace_space failed\n");
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+
+
+ if (name_is_upn == false) {
+ name = sss_create_internal_fqname(tmp_ctx, name, dom->name);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_create_internal_fqname failed\n");
+ talloc_free(tmp_ctx);
+ return NULL;
+ }
+ }
+
+ name = talloc_steal(mem_ctx, name);
+ talloc_free(tmp_ctx);
+ return name;
+}
+
+struct resp_resolve_group_names_state {
+ struct tevent_context *ev;
+ struct resp_ctx *rctx;
+ struct sss_domain_info *dom;
+ struct ldb_result *initgr_res;
+
+ bool needs_refresh;
+ unsigned int group_iter;
+
+ struct ldb_result *initgr_named_res;
+};
+
+static void resp_resolve_group_done(struct tevent_req *subreq);
+static errno_t resp_resolve_group_next(struct tevent_req *req);
+static errno_t resp_resolve_group_reread_names(struct resp_resolve_group_names_state *state);
+
+struct tevent_req *resp_resolve_group_names_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ struct ldb_result *initgr_res)
+{
+ struct resp_resolve_group_names_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct resp_resolve_group_names_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+ return NULL;
+ }
+ state->ev = ev;
+ state->rctx = rctx;
+ state->dom = dom;
+ state->initgr_res = initgr_res;
+
+ ret = resp_resolve_group_next(req);
+ if (ret == EOK) {
+ goto immediate;
+ } else if (ret != EAGAIN) {
+ goto immediate;
+ }
+
+ return req;
+
+immediate:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static bool
+resp_resolve_group_needs_refresh(struct resp_resolve_group_names_state *state)
+{
+ /* Refresh groups that have a non-zero GID,
+ * but are marked as non-POSIX
+ */
+ bool is_posix;
+ uint64_t gid;
+ struct ldb_message *group_msg;
+
+ group_msg = state->initgr_res->msgs[state->group_iter];
+
+ is_posix = ldb_msg_find_attr_as_bool(group_msg, SYSDB_POSIX, false);
+ gid = ldb_msg_find_attr_as_uint64(group_msg, SYSDB_GIDNUM, 0);
+
+ if (is_posix == false && gid != 0) {
+ return true;
+ }
+
+ return false;
+}
+
+static errno_t resp_resolve_group_next(struct tevent_req *req)
+{
+ struct cache_req_data *data;
+ uint64_t gid;
+ struct tevent_req *subreq;
+ struct resp_resolve_group_names_state *state;
+
+ state = tevent_req_data(req, struct resp_resolve_group_names_state);
+
+ while (state->group_iter < state->initgr_res->count
+ && !resp_resolve_group_needs_refresh(state)) {
+ state->group_iter++;
+ }
+
+ if (state->group_iter >= state->initgr_res->count) {
+ /* All groups were refreshed */
+ return EOK;
+ }
+
+ /* Fire a request */
+ gid = ldb_msg_find_attr_as_uint64(state->initgr_res->msgs[state->group_iter],
+ SYSDB_GIDNUM, 0);
+ if (gid == 0) {
+ return EINVAL;
+ }
+
+ data = cache_req_data_id_attrs(state, CACHE_REQ_GROUP_BY_ID, gid, NULL);
+ if (data == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n");
+ return ENOMEM;
+ }
+
+ subreq = cache_req_send(state,
+ state->ev,
+ state->rctx,
+ state->rctx->ncache,
+ 0,
+ CACHE_REQ_ANY_DOM,
+ NULL,
+ data);
+ if (subreq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send cache request!\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(subreq, resp_resolve_group_done, req);
+ return EAGAIN;
+}
+
+static void resp_resolve_group_done(struct tevent_req *subreq)
+{
+ struct resp_resolve_group_names_state *state;
+ struct tevent_req *req;
+ errno_t ret;
+
+ req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct resp_resolve_group_names_state);
+
+ ret = cache_req_single_domain_recv(state, subreq, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to refresh group\n");
+ /* Try to refresh the others on error */
+ }
+
+ state->group_iter++;
+ state->needs_refresh = true;
+
+ ret = resp_resolve_group_next(req);
+ if (ret == EOK) {
+ ret = resp_resolve_group_reread_names(state);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ DEBUG(SSSDBG_TRACE_FUNC, "All groups are refreshed, done\n");
+ tevent_req_done(req);
+ return;
+ } else if (ret != EAGAIN) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* Continue refreshing.. */
+}
+
+static errno_t
+resp_resolve_group_reread_names(struct resp_resolve_group_names_state *state)
+{
+ errno_t ret;
+ const char *username;
+
+ /* re-read reply in case any groups were renamed */
+ /* msgs[0] is the user entry */
+ username = sss_view_ldb_msg_find_attr_as_string(state->dom,
+ state->initgr_res->msgs[0],
+ SYSDB_NAME,
+ NULL);
+ if (username == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name?\n");
+ return EINVAL;
+ }
+
+ ret = sysdb_initgroups_with_views(state,
+ state->dom,
+ username,
+ &state->initgr_named_res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot re-read the group names\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+int resp_resolve_group_names_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct ldb_result **_initgr_named_res)
+{
+ struct resp_resolve_group_names_state *state = NULL;
+ state = tevent_req_data(req, struct resp_resolve_group_names_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ *_initgr_named_res = talloc_steal(mem_ctx, state->initgr_named_res);
+ return EOK;
+}
+
+const char *
+sss_resp_get_shell_override(struct ldb_message *msg,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain)
+{
+ const char *shell;
+ int i;
+
+ /* Here we skip the files provider as it should always return *only*
+ * what's in the files and nothing else. */
+ if (!is_files_provider(domain)) {
+ /* Check whether we are unconditionally overriding
+ * the server for the login shell. */
+ if (domain->override_shell) {
+ return domain->override_shell;
+ } else if (rctx->override_shell) {
+ return rctx->override_shell;
+ }
+ }
+
+ shell = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_SHELL,
+ NULL);
+ if (shell == NULL) {
+ /* Check whether there is a default shell specified */
+ if (domain->default_shell) {
+ return domain->default_shell;
+ } else if (rctx->default_shell) {
+ return rctx->default_shell;
+ }
+
+ return "";
+ }
+
+ if (rctx->allowed_shells == NULL && rctx->vetoed_shells == NULL) {
+ return shell;
+ }
+
+ if (rctx->vetoed_shells) {
+ for (i = 0; rctx->vetoed_shells[i]; i++) {
+ if (strcmp(rctx->vetoed_shells[i], shell) == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is vetoed. Using fallback.\n",
+ shell);
+ return rctx->shell_fallback;
+ }
+ }
+ }
+
+ if (rctx->etc_shells) {
+ for (i = 0; rctx->etc_shells[i]; i++) {
+ if (strcmp(shell, rctx->etc_shells[i]) == 0) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Shell %s found in /etc/shells\n", shell);
+ break;
+ }
+ }
+
+ if (rctx->etc_shells[i]) {
+ DEBUG(SSSDBG_TRACE_ALL, "Using original shell '%s'\n", shell);
+ return shell;
+ }
+ }
+
+ if (rctx->allowed_shells) {
+ if (strcmp(rctx->allowed_shells[0], "*") == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", shell);
+ return rctx->shell_fallback;
+ } else {
+ for (i = 0; rctx->allowed_shells[i]; i++) {
+ if (strcmp(rctx->allowed_shells[i], shell) == 0) {
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is allowed but does not exist. "
+ "Using fallback\n", shell);
+ return rctx->shell_fallback;
+ }
+ }
+ }
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA,
+ "The shell '%s' is not allowed and does not exist.\n", shell);
+
+ return NOLOGIN_SHELL;
+}
diff --git a/src/responder/ifp/ifp_cache.c b/src/responder/ifp/ifp_cache.c
new file mode 100644
index 0000000..f84cb14
--- /dev/null
+++ b/src/responder/ifp/ifp_cache.c
@@ -0,0 +1,344 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/ifp/ifp_cache.h" +#include "responder/ifp/ifp_users.h" +#include "responder/ifp/ifp_groups.h" +#include "responder/ifp/ifp_iface_generated.h" + +static struct ldb_dn * +ifp_cache_build_base_dn(TALLOC_CTX *mem_ctx, + enum ifp_cache_type type, + struct sss_domain_info *domain) +{ + struct ldb_dn *base_dn = NULL; + + switch (type) { + case IFP_CACHE_USER: + base_dn = sysdb_user_base_dn(mem_ctx, domain); + break; + case IFP_CACHE_GROUP: + base_dn = sysdb_group_base_dn(mem_ctx, domain); + break; + } + + return base_dn; +} + +static char * +ifp_cache_build_path(TALLOC_CTX *mem_ctx, + enum ifp_cache_type type, + struct sss_domain_info *domain, + struct ldb_message *msg) +{ + char *path = NULL; + + switch (type) { + case IFP_CACHE_USER: + path = ifp_users_build_path_from_msg(mem_ctx, domain, msg); + break; + case IFP_CACHE_GROUP: + path = ifp_groups_build_path_from_msg(mem_ctx, domain, msg); + break; + } + + return path; +} + +static const char * +ifp_cache_object_class(enum ifp_cache_type type) +{ + const char *class = NULL; + + switch (type) { + case IFP_CACHE_USER: + class = SYSDB_USER_CLASS; + break; + case IFP_CACHE_GROUP: + class = SYSDB_GROUP_CLASS; + break; + 
} + + return class; +} + +static errno_t +ifp_cache_get_cached_objects(TALLOC_CTX *mem_ctx, + enum ifp_cache_type type, + struct sss_domain_info *domain, + const char ***_paths, + int *_num_paths) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *base_dn; + struct ldb_result *result; + const char *class = ifp_cache_object_class(type); + const char **paths; + errno_t ret; + int ldb_ret; + int i; + const char *attrs[] = {SYSDB_OBJECTCATEGORY, SYSDB_UIDNUM, + SYSDB_GIDNUM, NULL}; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + base_dn = ifp_cache_build_base_dn(tmp_ctx, type, domain); + if (base_dn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create base dn\n"); + ret = ENOMEM; + goto done; + } + + ldb_ret = ldb_search(sysdb_ctx_get_ldb(domain->sysdb), tmp_ctx, &result, + base_dn, LDB_SCOPE_SUBTREE, attrs, + "(&(%s=%s)(%s=TRUE))", SYSDB_OBJECTCATEGORY, class, + SYSDB_IFP_CACHED); + if (ldb_ret != LDB_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search the cache\n"); + ret = sysdb_error_to_errno(ldb_ret); + goto done; + } + + paths = talloc_zero_array(tmp_ctx, const char *, result->count + 1); + if (paths == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < result->count; i++) { + paths[i] = ifp_cache_build_path(paths, type, domain, result->msgs[i]); + if (paths[i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + *_paths = talloc_steal(mem_ctx, paths); + *_num_paths = result->count; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t ifp_cache_list_domains(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + enum ifp_cache_type type, + const char ***_paths, + int *_num_paths) +{ + TALLOC_CTX *tmp_ctx; + struct sss_domain_info *domain; + const char **tmp_paths; + int num_tmp_paths; + const char **paths; + int num_paths; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + domain = domains; + num_paths = 0; + paths = NULL; + while (domain != NULL) 
{ + ret = ifp_cache_get_cached_objects(tmp_ctx, type, domain, + &tmp_paths, &num_tmp_paths); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build object list " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = add_strings_lists(tmp_ctx, paths, tmp_paths, true, + discard_const(&paths)); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build object list " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + num_paths += num_tmp_paths; + + domain = get_next_domain(domain, SSS_GND_DESCEND); + } + + if (_paths != NULL) { + *_paths = talloc_steal(mem_ctx, paths); + } + + if (_num_paths != NULL) { + *_num_paths = num_paths; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int ifp_cache_list(struct sbus_request *sbus_req, + void *data, + enum ifp_cache_type type) +{ + DBusError *error; + struct ifp_ctx *ifp_ctx; + const char **paths; + int num_paths; + errno_t ret; + + ifp_ctx = talloc_get_type(data, struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + ret = ifp_cache_list_domains(sbus_req, ifp_ctx->rctx->domains, type, + &paths, &num_paths); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, + "Unable to build object list [%d]: %s\n", + ret, sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + iface_ifp_cache_List_finish(sbus_req, paths, num_paths); + + return EOK; +} + +int ifp_cache_list_by_domain(struct sbus_request *sbus_req, + void *data, + const char *domainname, + enum ifp_cache_type type) +{ + DBusError *error; + struct sss_domain_info *domain; + struct ifp_ctx *ifp_ctx; + const char **paths; + int num_paths; + errno_t ret; + + ifp_ctx = talloc_get_type(data, struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + domain = find_domain_by_name(ifp_ctx->rctx->domains, domainname, true); + if (domain == 
NULL) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Unknown domain"); + return sbus_request_fail_and_finish(sbus_req, error); + } + + ret = ifp_cache_get_cached_objects(sbus_req, type, domain, + &paths, &num_paths); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Unable to build " + "object list [%d]: %s\n", ret, sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + iface_ifp_cache_ListByDomain_finish(sbus_req, paths, num_paths); + + return EOK; +} + +static errno_t ifp_cache_object_set(struct sss_domain_info *domain, + struct ldb_dn *dn, + bool value) +{ + struct sysdb_attrs *attrs; + errno_t ret; + + attrs = sysdb_new_attrs(NULL); + if (attrs == NULL) { + return ENOMEM; + } + + ret = sysdb_attrs_add_bool(attrs, SYSDB_IFP_CACHED, value); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_set_entry_attr(domain->sysdb, dn, attrs, SYSDB_MOD_REP); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to modify entry [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + talloc_free(attrs); + + return ret; +} + +int ifp_cache_object_store(struct sbus_request *sbus_req, + struct sss_domain_info *domain, + struct ldb_dn *dn) +{ + errno_t ret; + + ret = ifp_cache_object_set(domain, dn, true); + + if (ret == EOK) { + iface_ifp_cache_object_Store_finish(sbus_req, true); + } else { + iface_ifp_cache_object_Store_finish(sbus_req, false); + } + + return EOK; +} + +int ifp_cache_object_remove(struct sbus_request *sbus_req, + struct sss_domain_info *domain, + struct ldb_dn *dn) +{ + errno_t ret; + + ret = ifp_cache_object_set(domain, dn, false); + + if (ret == EOK) { + iface_ifp_cache_object_Remove_finish(sbus_req, true); + } else { + iface_ifp_cache_object_Remove_finish(sbus_req, false); + } + + return EOK; +} 
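Review bot: The D-Bus handlers in ifp_cache.c (`ifp_cache_list`, `ifp_cache_list_by_domain`, `ifp_cache_object_store`, `ifp_cache_object_remove`) discard the result of the generated `iface_ifp_cache_*_finish()` call and return `EOK` unconditionally, so a failure to send the reply is neither logged nor propagated. ifp_components.c in the same patch returns the finish result directly; doing the same here, e.g. `return iface_ifp_cache_List_finish(sbus_req, paths, num_paths);`, would keep the handlers consistent. In `ifp_cache_object_store` and `ifp_cache_object_remove` the errno from `ifp_cache_object_set` is also reduced to a bare `false` in the reply. Separately, `ifp_cache_get_cached_objects` compares `int i` against `result->count` and stores that count through `int *_num_paths`; if the count is unsigned, as it appears to be, an unsigned index or an explicit bound check would make the conversion deliberate.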
diff --git a/src/responder/ifp/ifp_cache.h b/src/responder/ifp/ifp_cache.h
new file mode 100644
index 0000000..eb16309
--- /dev/null
+++ b/src/responder/ifp/ifp_cache.h
@@ -0,0 +1,59 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IFP_CACHE_H_
+#define IFP_CACHE_H_
+
+#include "responder/common/responder.h"
+#include "responder/ifp/ifp_iface_generated.h"
+
+enum ifp_cache_type {
+ IFP_CACHE_USER,
+ IFP_CACHE_GROUP
+};
+
+errno_t ifp_cache_list_domains(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domains,
+ enum ifp_cache_type type,
+ const char ***_paths,
+ int *_num_paths);
+
+/* org.freedesktop-sssd-infopipe.Cache */
+
+int ifp_cache_list(struct sbus_request *sbus_req,
+ void *data,
+ enum ifp_cache_type type);
+
+int ifp_cache_list_by_domain(struct sbus_request *sbus_req,
+ void *data,
+ const char *domain,
+ enum ifp_cache_type type);
+
+/* org.freedesktop-sssd-infopipe.Cache.Object */
+
+int ifp_cache_object_store(struct sbus_request *sbus_req,
+ struct sss_domain_info *domain,
+ struct ldb_dn *dn);
+
+int ifp_cache_object_remove(struct sbus_request *sbus_req,
+ struct sss_domain_info *domain,
+ struct ldb_dn *dn);
+
+#endif /* IFP_CACHE_H_ */
diff --git a/src/responder/ifp/ifp_components.c b/src/responder/ifp/ifp_components.c
new file mode 100644
index 0000000..a4cc649
--- /dev/null
+++ b/src/responder/ifp/ifp_components.c
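Review bot: The prototypes in ifp_cache.h say nothing about who owns the returned array: `ifp_cache_list_domains` hands back `*_paths` and `*_num_paths`, and in ifp_cache.c the array is moved onto `mem_ctx` with `talloc_steal`. A short comment such as `/* On success *_paths is a talloc array owned by mem_ctx; _paths and _num_paths may each be NULL. */` would save callers from reading the implementation. The two section comments spell the interface as `org.freedesktop-sssd-infopipe.Cache`, with hyphens, whereas ifp_components.h in this patch writes `org.freedesktop.sssd.infopipe`; the dotted form is presumably the intended one. The third parameter of `ifp_cache_list_by_domain` is named `domain` here but `domainname` in the definition.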
@@ -0,0 +1,661 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "config.h" +#include "confdb/confdb.h" +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/ifp/ifp_components.h" + +#define PATH_MONITOR IFP_PATH_COMPONENTS "/monitor" +#define PATH_RESPONDERS IFP_PATH_COMPONENTS "/Responders" +#define PATH_BACKENDS IFP_PATH_COMPONENTS "/Backends" + +enum component_type { + COMPONENT_MONITOR, + COMPONENT_RESPONDER, + COMPONENT_BACKEND +}; + +static bool responder_exists(const char *name) +{ + const char * const *svc = get_known_services(); + int i; + + for (i = 0; svc[i] != NULL; i++) { + if (strcmp(svc[i], name) == 0) { + return true; + } + } + + return false; +} + +static bool backend_exists(struct confdb_ctx *confdb, const char *name) +{ + char **names = NULL; + errno_t ret; + int i; + + ret = confdb_list_all_domain_names(NULL, confdb, &names); + if (ret != EOK) { + return false; + } + + for (i = 0; names[i] != NULL; i++) { + if (strcmp(names[i], name) == 0) { + return true; + } + } + + return false; +} + +static errno_t check_and_get_component_from_path(TALLOC_CTX *mem_ctx, + struct confdb_ctx *confdb, + const char *path, + enum component_type *_type, + char **_name) +{ + enum component_type type; + char *name = NULL; + errno_t ret; + + if (confdb == NULL 
|| path == NULL) { + return EINVAL; + } + + if (strcmp(path, PATH_MONITOR) == 0) { + type = COMPONENT_MONITOR; + name = talloc_strdup(mem_ctx, "monitor"); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + } else { + name = sbus_opath_get_object_name(mem_ctx, path, PATH_RESPONDERS); + if (name != NULL) { + type = COMPONENT_RESPONDER; + } else { + name = sbus_opath_get_object_name(mem_ctx, path, PATH_BACKENDS); + if (name != NULL) { + type = COMPONENT_BACKEND; + } else { + ret = EINVAL; + goto done; + } + } + } + + if (strchr(name, '/') != NULL) { + ret = EINVAL; + goto done; + } + + switch (type) { + case COMPONENT_MONITOR: + /* noop */ + break; + case COMPONENT_RESPONDER: + if (!responder_exists(name)) { + ret = ENOENT; + goto done; + } + break; + case COMPONENT_BACKEND: + if (!backend_exists(confdb, name)) { + ret = ENOENT; + goto done; + } + break; + } + + if (_type != NULL) { + *_type = type; + } + + if (_name != NULL) { + *_name = name; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(name); + } + + return ret; +} + +static errno_t list_responders(TALLOC_CTX *mem_ctx, + const char ***_list, + int *_num) +{ + const char **list = NULL; + const char * const *svc = get_known_services(); + errno_t ret; + int num; + int i; + + for (num = 0; svc[num] != NULL; num++); + + list = talloc_array(mem_ctx, const char*, num); + if (list == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num; i++) { + list[i] = sbus_opath_compose(list, PATH_RESPONDERS, svc[i]); + if (list[i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + *_num = num; + *_list = list; + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(list); + } + + return ret; +} + +static errno_t list_backends(TALLOC_CTX *mem_ctx, + struct confdb_ctx *confdb, + const char ***_list, + int *_num) +{ + TALLOC_CTX *tmp_ctx = NULL; + const char **list = NULL; + char **names = NULL; + errno_t ret; + int num; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; 
+ } + + ret = confdb_list_all_domain_names(tmp_ctx, confdb, &names); + if (ret != EOK) { + goto done; + } + + for (num = 0; names[num] != NULL; num++); + + list = talloc_array(tmp_ctx, const char*, num); + if (list == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < num; i++) { + list[i] = sbus_opath_compose(list, PATH_BACKENDS, names[i]); + if (list[i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + *_num = num; + *_list = talloc_steal(mem_ctx, list); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int ifp_list_components(struct sbus_request *dbus_req, void *data) +{ + struct ifp_ctx *ctx = NULL; + DBusError *error = NULL; + const char **responders = NULL; + const char **backends = NULL; + const char **result = NULL; + int num_responders; + int num_backends; + int num; + int i; + errno_t ret; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + ret = EINVAL; + goto done; + } + + ret = list_responders(dbus_req, &responders, &num_responders); + if (ret != EOK) { + goto done; + } + + ret = list_backends(dbus_req, ctx->rctx->cdb, &backends, &num_backends); + if (ret != EOK) { + goto done; + } + + num = num_responders + num_backends + 1; + result = talloc_array(dbus_req, const char*, num); + if (result == NULL) { + ret = ENOMEM; + goto done; + } + + result[0] = PATH_MONITOR; + + for (i = 0; i < num_responders; i++) { + result[i + 1] = talloc_steal(result, responders[i]); + } + + for (i = 0; i < num_backends; i++) { + result[i + num_responders + 1] = talloc_steal(result, backends[i]); + } + + ret = EOK; + +done: + if (ret != EOK) { + error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED, + "%s", strerror(ret)); + return sbus_request_fail_and_finish(dbus_req, error); + } + + return iface_ifp_ListComponents_finish(dbus_req, result, num); +} + +int ifp_list_responders(struct sbus_request *dbus_req, void *data) +{ + DBusError *error = NULL; + const char **result = NULL; 
+ int num; + errno_t ret; + + ret = list_responders(dbus_req, &result, &num); + if (ret != EOK) { + error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED, + "%s", strerror(ret)); + return sbus_request_fail_and_finish(dbus_req, error); + } + + return iface_ifp_ListResponders_finish(dbus_req, result, num); +} + +int ifp_list_backends(struct sbus_request *dbus_req, void *data) +{ + struct ifp_ctx *ctx = NULL; + DBusError *error = NULL; + const char **result = NULL; + int num; + errno_t ret; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + ret = EINVAL; + goto done; + } + + ret = list_backends(dbus_req, ctx->rctx->cdb, &result, &num); + +done: + if (ret != EOK) { + error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED, + "%s", strerror(ret)); + return sbus_request_fail_and_finish(dbus_req, error); + } + + return iface_ifp_ListBackends_finish(dbus_req, result, num); +} + +int ifp_find_monitor(struct sbus_request *dbus_req, void *data) +{ + return iface_ifp_FindMonitor_finish(dbus_req, PATH_MONITOR); +} + +int ifp_find_responder_by_name(struct sbus_request *dbus_req, + void *data, + const char *arg_name) +{ + DBusError *error = NULL; + const char *result = NULL; + + if (responder_exists(arg_name)) { + result = sbus_opath_compose(dbus_req, PATH_RESPONDERS, arg_name); + if (result == NULL) { + return sbus_request_fail_and_finish(dbus_req, NULL); + } + } else { + error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED, + "Responder \"%s\" does not exist", arg_name); + return sbus_request_fail_and_finish(dbus_req, error); + } + + return iface_ifp_FindResponderByName_finish(dbus_req, result); +} + +int ifp_find_backend_by_name(struct sbus_request *dbus_req, + void *data, + const char *arg_name) +{ + struct ifp_ctx *ctx = NULL; + DBusError *error = NULL; + const char *result = NULL; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + 
error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED, + "%s\n", strerror(EINVAL)); + return sbus_request_fail_and_finish(dbus_req, error); + } + + if (backend_exists(ctx->rctx->cdb, arg_name)) { + result = sbus_opath_compose(dbus_req, PATH_BACKENDS, arg_name); + if (result == NULL) { + return sbus_request_fail_and_finish(dbus_req, NULL); + } + } else { + error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED, + "Backend \"%s\" does not exist", arg_name); + return sbus_request_fail_and_finish(dbus_req, error); + } + + return iface_ifp_FindBackendByName_finish(dbus_req, result); +} + +void ifp_component_get_name(struct sbus_request *dbus_req, + void *data, + const char **_out) +{ + struct ifp_ctx *ctx = NULL; + char *name = NULL; + errno_t ret; + + *_out = NULL; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + return; + } + + ret = check_and_get_component_from_path(dbus_req, ctx->rctx->cdb, + dbus_req->path, NULL, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown object [%d]: %s\n", + ret, strerror(ret)); + return; + } + + *_out = name; +} + +void ifp_component_get_debug_level(struct sbus_request *dbus_req, + void *data, + uint32_t *_out) +{ + struct ifp_ctx *ctx = NULL; + const char *confdb_path = NULL; + char *name = NULL; + enum component_type type; + int level; + errno_t ret; + + *_out = 0; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + return; + } + + ret = check_and_get_component_from_path(dbus_req, ctx->rctx->cdb, + dbus_req->path, &type, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown object [%d]: %s\n", + ret, strerror(ret)); + return; + } + + switch (type) { + case COMPONENT_MONITOR: + confdb_path = CONFDB_MONITOR_CONF_ENTRY; + break; + case COMPONENT_RESPONDER: + confdb_path = talloc_asprintf(dbus_req, CONFDB_SERVICE_PATH_TMPL, name); + break; + case COMPONENT_BACKEND: + 
confdb_path = talloc_asprintf(dbus_req, CONFDB_DOMAIN_PATH_TMPL, name); + break; + } + + if (confdb_path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); + return; + } + + ret = confdb_get_int(ctx->rctx->cdb, confdb_path, + CONFDB_SERVICE_DEBUG_LEVEL, SSSDBG_DEFAULT, &level); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve configuration option" + "[%d]: %s\n", ret, strerror(ret)); + return; + } + + *_out = level; +} + +void ifp_component_get_enabled(struct sbus_request *dbus_req, + void *data, + bool *_out) +{ + struct ifp_ctx *ctx = NULL; + const char *param = NULL; + char **values = NULL; + char *name = NULL; + enum component_type type; + errno_t ret; + int i; + + *_out = false; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + return; + } + + ret = check_and_get_component_from_path(dbus_req, ctx->rctx->cdb, + dbus_req->path, &type, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown object [%d]: %s\n", + ret, strerror(ret)); + return; + } + + switch (type) { + case COMPONENT_MONITOR: + *_out = true; + return; + case COMPONENT_RESPONDER: + param = CONFDB_MONITOR_ACTIVE_SERVICES; + break; + case COMPONENT_BACKEND: + param = CONFDB_MONITOR_ACTIVE_DOMAINS; + break; + } + + ret = confdb_get_string_as_list(ctx->rctx->cdb, dbus_req, + CONFDB_MONITOR_CONF_ENTRY, param, &values); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve configuration option" + "[%d]: %s\n", ret, strerror(ret)); + return; + } + + for (i = 0; values[i] != NULL; i++) { + if (strcmp(values[i], name) == 0) { + *_out = true; + return; + } + } +} + +void ifp_component_get_type(struct sbus_request *dbus_req, + void *data, + const char **_out) +{ + struct ifp_ctx *ctx = NULL; + enum component_type type; + errno_t ret; + + *_out = NULL; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + return; 
+ } + + ret = check_and_get_component_from_path(dbus_req, ctx->rctx->cdb, + dbus_req->path, &type, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown object [%d]: %s\n", + ret, strerror(ret)); + return; + } + + switch (type) { + case COMPONENT_MONITOR: + *_out = "monitor"; + break; + case COMPONENT_RESPONDER: + *_out = "responder"; + break; + case COMPONENT_BACKEND: + *_out = "backend"; + break; + } +} + +void ifp_backend_get_providers(struct sbus_request *dbus_req, + void *data, + const char ***_out, + int *_out_len) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct ifp_ctx *ctx = NULL; + const char *confdb_path = NULL; + char *name = NULL; + enum component_type type; + const char **out = NULL; + char *value = NULL; + static const char *providers[] = {CONFDB_DOMAIN_ID_PROVIDER, + CONFDB_DOMAIN_AUTH_PROVIDER, + CONFDB_DOMAIN_ACCESS_PROVIDER, + CONFDB_DOMAIN_CHPASS_PROVIDER, + CONFDB_DOMAIN_SUDO_PROVIDER, + CONFDB_DOMAIN_AUTOFS_PROVIDER, + CONFDB_DOMAIN_SELINUX_PROVIDER, + CONFDB_DOMAIN_HOSTID_PROVIDER, + CONFDB_DOMAIN_SUBDOMAINS_PROVIDER, + CONFDB_DOMAIN_SESSION_PROVIDER}; + int num_providers = sizeof(providers) / sizeof(providers[0]); + errno_t ret; + int i; + int j; + + *_out = NULL; + *_out_len = 0; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return; + } + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n"); + return; + } + + ret = check_and_get_component_from_path(tmp_ctx, ctx->rctx->cdb, + dbus_req->path, &type, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown object [%d]: %s\n", + ret, strerror(ret)); + return; + } + + if (type != COMPONENT_BACKEND) { + return; + } + + confdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name); + if (confdb_path == NULL) { + return; + } + + out = talloc_zero_array(tmp_ctx, const char*, num_providers); + if (out == NULL) { + return; + } + + j = 0; + for (i = 0; i < num_providers; i++) { + ret = 
confdb_get_string(ctx->rctx->cdb, tmp_ctx, confdb_path, + providers[i], NULL, &value); + if (ret != EOK) { + return; + } + + if (value == NULL) { + continue; + } + + out[j] = talloc_asprintf(out, "%s=%s", providers[i], value); + if (out[j] == NULL) { + return; + } + + j++; + } + + *_out = talloc_steal(dbus_req, out); + *_out_len = j; + + talloc_free(tmp_ctx); + return; +} diff --git a/src/responder/ifp/ifp_components.h b/src/responder/ifp/ifp_components.h new file mode 100644 index 0000000..354845d --- /dev/null +++ b/src/responder/ifp/ifp_components.h 
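Review bot: `backend_exists` has `confdb_list_all_domain_names` allocate `names` on the NULL talloc context and returns without freeing it on either path, so each call leaks the list. It is reached from `ifp_find_backend_by_name` and, through `check_and_get_component_from_path`, from every component property getter, which lets a D-Bus caller drive memory growth in the long-running responder. `ifp_backend_get_providers` has the same defect: `tmp_ctx` comes from `talloc_new(NULL)` and is freed only on the success path, while every early `return` (invalid context, unknown object, `type != COMPONENT_BACKEND`, allocation or confdb failure) leaves it allocated; sending those exits through a `done:` label that calls `talloc_free(tmp_ctx)` would fix it. This assumes `confdb_list_all_domain_names` parents the array and its strings on the context it is given, as the `list_backends` call with `tmp_ctx` suggests. A sketch for `backend_exists` follows.

```c
static bool backend_exists(struct confdb_ctx *confdb, const char *name)
{
    bool found = false;
    /* … unchanged: other declarations and the confdb_list_all_domain_names() call … */

    for (i = 0; names[i] != NULL; i++) {
        if (strcmp(names[i], name) == 0) {
            found = true;
            break;
        }
    }

    /* names was allocated on the NULL context, so it must be released here */
    talloc_free(names);
    return found;
}
```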
@@ -0,0 +1,70 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _IFP_COMPONENTS_H_
+#define _IFP_COMPONENTS_H_
+
+#include "responder/ifp/ifp_iface.h"
+#include "responder/ifp/ifp_private.h"
+
+/* org.freedesktop.sssd.infopipe */
+
+int ifp_list_components(struct sbus_request *dbus_req, void *data);
+
+int ifp_list_responders(struct sbus_request *dbus_req, void *data);
+
+int ifp_list_backends(struct sbus_request *dbus_req, void *data);
+
+int ifp_find_monitor(struct sbus_request *dbus_req, void *data);
+
+int ifp_find_responder_by_name(struct sbus_request *dbus_req,
+ void *data,
+ const char *arg_name);
+
+int ifp_find_backend_by_name(struct sbus_request *dbus_req,
+ void *data,
+ const char *arg_name);
+
+/* org.freedesktop.sssd.infopipe.Components */
+
+void ifp_component_get_name(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_component_get_debug_level(struct sbus_request *dbus_req,
+ void *data,
+ uint32_t *_out);
+
+void ifp_component_get_enabled(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out);
+
+void ifp_component_get_type(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+/* org.freedesktop.sssd.infopipe.Components.Backends */
+
+void ifp_backend_get_providers(struct sbus_request *dbus_req,
+ void *data,
+ const char ***_out,
+ int *_out_len);
+
+#endif /* 
_IFP_COMPONENTS_H_ */
diff --git a/src/responder/ifp/ifp_domains.c b/src/responder/ifp/ifp_domains.c
new file mode 100644
index 0000000..cd7e2fc
--- /dev/null
+++ b/src/responder/ifp/ifp_domains.c
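Review bot: The include guard `_IFP_COMPONENTS_H_` in ifp_components.h begins with an underscore followed by an uppercase letter, a form C reserves for the implementation. ifp_cache.h in the same patch uses `IFP_CACHE_H_`, so `#ifndef IFP_COMPONENTS_H_` and `#define IFP_COMPONENTS_H_` would be both conforming and consistent. The property getters return `void`, so the prototypes should also say that failure is reported only by leaving `*_out` at its reset value (`NULL`, `0` or `false`, as the definitions in ifp_components.c set it).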
@@ -0,0 +1,654 @@
+/*
+ Authors:
+ Jakub Hrozek
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "confdb/confdb.h"
+#include "responder/common/responder.h"
+#include "responder/ifp/ifp_domains.h"
+#include "responder/common/data_provider/rdp.h"
+#include "sbus/sssd_dbus_errors.h"
+#include "providers/data_provider/dp_responder_iface.h"
+
+#define RETURN_DOM_PROP_AS_STRING(dbus_req, pvt_data, out, property) do { \
+ struct sss_domain_info *__dom; \
+ \
+ *(out) = NULL; \
+ \
+ __dom = get_domain_info_from_req((dbus_req), (pvt_data)); \
+ if (__dom == NULL) { \
+ return; \
+ } \
+ \
+ *(out) = __dom->property; \
+} while (0)
+
+static void ifp_list_domains_process(struct tevent_req *req);
+
+int ifp_list_domains(struct sbus_request *dbus_req,
+ void *data)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct ifp_req *ireq;
+ struct tevent_req *req;
+ DBusError *error;
+ errno_t ret;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n");
+ error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED,
+ "Invalid ifp context!");
+ return sbus_request_fail_and_finish(dbus_req, error);
+ }
+
+ ret = ifp_req_create(dbus_req, ifp_ctx, &ireq);
+ if (ret != EOK) {
+ error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED,
+ "%s", sss_strerror(ret));
+ return sbus_request_fail_and_finish(dbus_req, error);
+ }
+
+ req = sss_dp_get_domains_send(ireq, ifp_ctx->rctx, false, NULL);
+ if (req == NULL) {
+ return sbus_request_finish(ireq->dbus_req, NULL);
+ }
+
+ tevent_req_set_callback(req, ifp_list_domains_process, ireq);
+
+ return EOK;
+}
+
+static void ifp_list_domains_process(struct tevent_req *req)
+{
+ struct sss_domain_info *dom;
+ struct ifp_req *ireq;
+ const char **paths;
+ char *p;
+ DBusError *error;
+ size_t num_domains;
+ size_t pi;
+ errno_t ret;
+
+ ireq = tevent_req_callback_data(req, struct ifp_req);
+
+ ret = sss_dp_get_domains_recv(req);
+ talloc_free(req);
+ if (ret != EOK) {
+ error = sbus_error_new(ireq->dbus_req, DBUS_ERROR_FAILED,
+ "Failed to refresh domain objects\n");
+ sbus_request_fail_and_finish(ireq->dbus_req, error);
+ return;
+ }
+
+ ret = sysdb_master_domain_update(ireq->ifp_ctx->rctx->domains);
+ if (ret != EOK) {
+ error = sbus_error_new(ireq->dbus_req, DBUS_ERROR_FAILED,
+ "Failed to refresh subdomain list\n");
+ sbus_request_fail_and_finish(ireq->dbus_req, error);
+ return;
+ }
+
+ num_domains = 0;
+ for (dom = ireq->ifp_ctx->rctx->domains;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ num_domains++;
+ }
+
+ paths = talloc_zero_array(ireq, const char *, num_domains);
+ if (paths == NULL) {
+ sbus_request_finish(ireq->dbus_req, NULL);
+ return;
+ }
+
+ pi = 0;
+ for (dom = ireq->ifp_ctx->rctx->domains;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ p = sbus_opath_compose(ireq, IFP_PATH_DOMAINS, dom->name);
+ if (p == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not create path for dom %s, skipping\n", dom->name);
+ continue;
+ }
+ paths[pi] = p;
+ pi++;
+ }
+
+ ret = iface_ifp_ListDomains_finish(ireq->dbus_req, paths, num_domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not finish request!\n");
+ }
+}
+
+struct ifp_get_domain_state {
+ const char *name;
+ struct ifp_req *ireq;
+};
+
+static void ifp_find_domain_by_name_process(struct tevent_req *req);
+
+int ifp_find_domain_by_name(struct sbus_request *dbus_req,
+ void *data,
+ const char *arg_name)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct ifp_req *ireq;
+ struct tevent_req *req;
+ struct ifp_get_domain_state *state;
+ DBusError *error;
+ errno_t ret;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED,
+ "Invalid ifp context!");
+ return sbus_request_fail_and_finish(dbus_req, error);
+ }
+
+ ret = ifp_req_create(dbus_req, ifp_ctx, &ireq);
+ if (ret != EOK) {
+ error = sbus_error_new(dbus_req, DBUS_ERROR_FAILED,
+ "%s", sss_strerror(ret));
+ return sbus_request_fail_and_finish(dbus_req, error);
+ }
+
+ state = talloc_zero(ireq, struct ifp_get_domain_state);
+ if (state == NULL) {
+ return sbus_request_finish(dbus_req, NULL);
+ }
+ state->name = arg_name;
+ state->ireq = ireq;
+
+ req = sss_dp_get_domains_send(ireq, ifp_ctx->rctx, false, NULL);
+ if (req == NULL) {
+ return sbus_request_finish(dbus_req, NULL);
+ }
+ tevent_req_set_callback(req, ifp_find_domain_by_name_process, state);
+ return EOK;
+}
+
+static void ifp_find_domain_by_name_process(struct tevent_req *req)
+{
+ errno_t ret;
+ struct ifp_req *ireq;
+ struct ifp_get_domain_state *state;
+ struct sss_domain_info *iter;
+ const char *path;
+ DBusError *error;
+
+ state = tevent_req_callback_data(req, struct ifp_get_domain_state);
+ ireq = state->ireq;
+
+ ret = sss_dp_get_domains_recv(req);
+ talloc_free(req);
+ if (ret != EOK) {
+ error = sbus_error_new(ireq->dbus_req, DBUS_ERROR_FAILED,
+ "Failed to refresh domain objects\n");
+ sbus_request_fail_and_finish(ireq->dbus_req, error);
+ return;
+ }
+
+ ret = sysdb_master_domain_update(ireq->ifp_ctx->rctx->domains);
+ if (ret != EOK) {
+ error = sbus_error_new(ireq->dbus_req, DBUS_ERROR_FAILED,
+ "Failed to refresh subdomain list\n");
+ sbus_request_fail_and_finish(ireq->dbus_req, error);
+ return;
+ }
+
+ /* Reply with the domain that was asked for */
+ for (iter = ireq->ifp_ctx->rctx->domains;
+ iter != NULL;
+ iter = get_next_domain(iter, SSS_GND_DESCEND)) {
+ if (strcasecmp(iter->name, state->name) == 0) {
+ break;
+ }
+ }
+
+ if (iter == NULL) {
+ error = sbus_error_new(ireq->dbus_req, DBUS_ERROR_FAILED,
+ "No such domain\n");
+ sbus_request_fail_and_finish(ireq->dbus_req, error);
+ return;
+ }
+
+ path = sbus_opath_compose(ireq, IFP_PATH_DOMAINS, iter->name);
+ if (path == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not create path for domain %s, skipping\n", iter->name);
+ sbus_request_finish(ireq->dbus_req, NULL);
+ return;
+ }
+
+ ret = iface_ifp_FindDomainByName_finish(ireq->dbus_req, path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not finish request!\n");
+ }
+}
+
+static struct sss_domain_info *
+get_domain_info_from_req(struct sbus_request *dbus_req, void *data)
+{
+ struct ifp_ctx *ctx = NULL;
+ struct sss_domain_info *domains = NULL;
+ struct sss_domain_info *iter = NULL;
+ char *name = NULL;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return NULL;
+ }
+
+ name = sbus_opath_get_object_name(dbus_req, dbus_req->path,
+ IFP_PATH_DOMAINS);
+ if (name == NULL) {
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Looking for domain %s\n", name);
+
+ domains = ctx->rctx->domains;
+ for (iter = domains; iter != NULL;
+ iter = get_next_domain(iter, SSS_GND_DESCEND)) {
+ if (strcasecmp(iter->name, name) == 0) {
+ break;
+ }
+ }
+
+ talloc_free(name);
+ return iter;
+}
+
+static void get_server_list(struct sbus_request *dbus_req,
+ void *data,
+ const char ***_out,
+ int *_out_len,
+ bool backup)
+{
+ static const char *srv[] = {"_srv_"};
+ struct sss_domain_info *dom = NULL;
+ struct ifp_ctx *ctx = NULL;
+ const char *conf_path = NULL;
+ const char *option = NULL;
+ const char **out = NULL;
+ char **servers = NULL;
+ int num_servers;
+ errno_t ret;
+ int i;
+
+ *_out = NULL;
+ *_out_len = 0;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ if (dom->parent != NULL) {
+ /* subdomains are not present in configuration */
+ ret = ENOENT;
+ goto done;
+ }
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid ifp context!\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ conf_path = talloc_asprintf(dbus_req, CONFDB_DOMAIN_PATH_TMPL, dom->name);
+ if (conf_path == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* TODO: replace hardcoded values with option names from the provider */
+ if (strcasecmp(dom->provider, "ldap") == 0) {
+ option = backup == false ? "ldap_uri" : "ldap_backup_uri";
+ } else if (strcasecmp(dom->provider, "ipa") == 0) {
+ option = backup == false ? "ipa_server" : "ipa_backup_server";
+ } else if (strcasecmp(dom->provider, "ad") == 0) {
+ option = backup == false ? "ad_server" : "ad_backup_server";
+ } else {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = confdb_get_string_as_list(ctx->rctx->cdb, dbus_req, conf_path,
+ option, &servers);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ for (num_servers = 0; servers[num_servers] != NULL; num_servers++);
+
+ if (num_servers == 0) {
+ ret = ENOENT;
+ goto done;
+ }
+
+ out = talloc_zero_array(dbus_req, const char*, num_servers);
+ if (out == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < num_servers; i++) {
+ out[i] = talloc_steal(out, servers[i]);
+ }
+
+ *_out = out;
+ *_out_len = num_servers;
+
+ ret = EOK;
+
+done:
+ if (ret == ENOENT) {
+ *_out = srv;
+ *_out_len = 1;
+ }
+
+ return;
+}
+
+void ifp_dom_get_name(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ RETURN_DOM_PROP_AS_STRING(dbus_req, data, _out, name);
+}
+
+void ifp_dom_get_provider(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ RETURN_DOM_PROP_AS_STRING(dbus_req, data, _out, provider);
+}
+
+void ifp_dom_get_primary_servers(struct sbus_request *dbus_req,
+ void *data,
+ const char ***_out,
+ int *_out_len)
+{
+ get_server_list(dbus_req, data, _out, _out_len, false);
+}
+
+void ifp_dom_get_backup_servers(struct sbus_request *dbus_req,
+ void *data,
+ const char ***_out,
+ int *_out_len)
+{
+ get_server_list(dbus_req, data, _out, _out_len, true);
+}
+
+void ifp_dom_get_min_id(struct sbus_request *dbus_req,
+ void *data,
+ uint32_t *_out)
+{
+ struct sss_domain_info *dom;
+
+ *_out = 1;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ *_out = dom->id_min;
+}
+
+void ifp_dom_get_max_id(struct sbus_request *dbus_req,
+ void *data,
+ uint32_t *_out)
+{
+ struct sss_domain_info *dom;
+
+ *_out = 0;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ *_out = dom->id_max;
+}
+
+void ifp_dom_get_realm(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ RETURN_DOM_PROP_AS_STRING(dbus_req, data, _out, realm);
+}
+
+void ifp_dom_get_forest(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ RETURN_DOM_PROP_AS_STRING(dbus_req, data, _out, forest);
+}
+
+void ifp_dom_get_login_format(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ RETURN_DOM_PROP_AS_STRING(dbus_req, data, _out, names->re_pattern);
+}
+
+void ifp_dom_get_fqdn_format(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ RETURN_DOM_PROP_AS_STRING(dbus_req, data, _out, names->fq_fmt);
+}
+
+void ifp_dom_get_enumerable(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out)
+{
+ struct sss_domain_info *dom;
+
+ *_out = false;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ *_out = dom->enumerate;
+}
+
+void ifp_dom_get_use_fqdn(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out)
+{
+ struct sss_domain_info *dom;
+
+ *_out = false;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ *_out = dom->fqnames;
+}
+
+void ifp_dom_get_subdomain(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out)
+{
+ struct sss_domain_info *dom;
+
+ *_out = false;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ *_out = dom->parent ? true : false;
+}
+
+void ifp_dom_get_parent_domain(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out)
+{
+ struct sss_domain_info *dom;
+
+ *_out = NULL;
+
+ dom = get_domain_info_from_req(dbus_req, data);
+ if (dom == NULL) {
+ return;
+ }
+
+ if (dom->parent == NULL) {
+ *_out = "/";
+ return;
+ }
+
+ *_out = sbus_opath_compose(dbus_req, IFP_PATH_DOMAINS,
+ dom->parent->name);
+}
+
+int ifp_domains_domain_is_online(struct sbus_request *sbus_req,
+ void *data)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *dom;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+
+ dom = get_domain_info_from_req(sbus_req, data);
+ if (dom == NULL) {
+ sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN,
+ "Unknown domain");
+ return EOK;
+ }
+
+ rdp_message_send_and_reply(sbus_req, ifp_ctx->rctx, dom, DP_PATH,
+ IFACE_DP_BACKEND, IFACE_DP_BACKEND_ISONLINE,
+ DBUS_TYPE_STRING, &dom->name);
+
+ return EOK;
+}
+
+int ifp_domains_domain_list_services(struct sbus_request *sbus_req,
+ void *data)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *dom;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+
+ dom = get_domain_info_from_req(sbus_req, data);
+ if (dom == NULL) {
+ sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN,
+ "Unknown domain");
+ return EOK;
+ }
+
+ rdp_message_send_and_reply(sbus_req, ifp_ctx->rctx, dom, DP_PATH,
+ IFACE_DP_FAILOVER,
+ IFACE_DP_FAILOVER_LISTSERVICES,
+ DBUS_TYPE_STRING, &dom->name);
+
+ return EOK;
+}
+
+int ifp_domains_domain_active_server(struct sbus_request *sbus_req,
+ void *data,
+ const char *service)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *dom;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+
+ dom = get_domain_info_from_req(sbus_req, data);
+ if (dom == NULL) {
+ sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN,
+ "Unknown domain");
+ return EOK;
+ }
+
+ rdp_message_send_and_reply(sbus_req, ifp_ctx->rctx, dom, DP_PATH,
+ IFACE_DP_FAILOVER,
+ IFACE_DP_FAILOVER_ACTIVESERVER,
+ DBUS_TYPE_STRING, &service);
+
+ return EOK;
+}
+
+int ifp_domains_domain_list_servers(struct sbus_request *sbus_req,
+ void *data,
+ const char *service)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *dom;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+
+ dom = get_domain_info_from_req(sbus_req, data);
+ if (dom == NULL) {
+ sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN,
+ "Unknown domain");
+ return EOK;
+ }
+
+ rdp_message_send_and_reply(sbus_req, ifp_ctx->rctx, dom, DP_PATH,
+ IFACE_DP_FAILOVER,
+ IFACE_DP_FAILOVER_LISTSERVERS,
+ DBUS_TYPE_STRING, &service);
+
+ return EOK;
+}
+
+int ifp_domains_domain_refresh_access_rules(struct sbus_request *sbus_req,
+ void *data)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *dom;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+
+ dom = get_domain_info_from_req(sbus_req, data);
+ if (dom == NULL) {
+ sbus_request_reply_error(sbus_req, SBUS_ERROR_UNKNOWN_DOMAIN,
+ "Unknown domain");
+ return EOK;
+ }
+
+ rdp_message_send_and_reply(sbus_req, ifp_ctx->rctx, dom, DP_PATH,
+ IFACE_DP_ACCESS_CONTROL,
+ IFACE_DP_ACCESS_CONTROL_REFRESHRULES);
+
+ return EOK;
+}
diff --git a/src/responder/ifp/ifp_domains.h b/src/responder/ifp/ifp_domains.h
new file mode 100644
index 0000000..d8cc9d3
--- /dev/null
+++ b/src/responder/ifp/ifp_domains.h
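Review bot: In `ifp_list_domains_process` the reply is sent with `num_domains` as the array length, but the fill loop skips a domain with `continue` when `sbus_opath_compose` fails, so only the first `pi` slots of the zero-initialised `paths` array are set and the remaining entries stay NULL. Those NULL object paths are then handed to `iface_ifp_ListDomains_finish`, which presumably marshals every entry into the D-Bus reply; pass the filled count instead, `ret = iface_ifp_ListDomains_finish(ireq->dbus_req, paths, pi);`. Separately, `ifp_find_domain_by_name` keeps the caller-supplied `arg_name` pointer in `state->name` and reads it later in the async callback without copying it. If that string's lifetime is not guaranteed by `dbus_req`, `state->name = talloc_strdup(state, arg_name);` with a NULL check would be safer; this needs confirming against the sbus argument ownership rules, which are not visible here.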
@@ -0,0 +1,114 @@
+/*
+ Authors:
+ Jakub Hrozek
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IFP_DOMAINS_H_
+#define IFP_DOMAINS_H_
+
+#include "responder/ifp/ifp_iface.h"
+#include "responder/ifp/ifp_private.h"
+
+/* org.freedesktop.sssd.infopipe */
+
+int ifp_list_domains(struct sbus_request *dbus_req,
+ void *data);
+
+int ifp_find_domain_by_name(struct sbus_request *dbus_req,
+ void *data,
+ const char *arg_name);
+
+/* org.freedesktop.sssd.infopipe.Domains */
+
+void ifp_dom_get_name(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_dom_get_provider(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_dom_get_primary_servers(struct sbus_request *dbus_req,
+ void *data,
+ const char ***_out,
+ int *_out_len);
+
+void ifp_dom_get_backup_servers(struct sbus_request *dbus_req,
+ void *data,
+ const char ***_out,
+ int *_out_len);
+
+void ifp_dom_get_min_id(struct sbus_request *dbus_req,
+ void *data,
+ uint32_t *_out);
+
+void ifp_dom_get_max_id(struct sbus_request *dbus_req,
+ void *data,
+ uint32_t *_out);
+
+void ifp_dom_get_realm(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_dom_get_forest(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_dom_get_login_format(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_dom_get_fqdn_format(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_dom_get_enumerable(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out);
+
+void ifp_dom_get_use_fqdn(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out);
+
+void ifp_dom_get_subdomain(struct sbus_request *dbus_req,
+ void *data,
+ bool *_out);
+
+void ifp_dom_get_parent_domain(struct sbus_request *dbus_req,
+ void *data,
+ const char **_out);
+
+int ifp_domains_domain_is_online(struct sbus_request *sbus_req,
+ void *data);
+
+int ifp_domains_domain_list_services(struct sbus_request *sbus_req,
+ void *data);
+
+int ifp_domains_domain_active_server(struct sbus_request *sbus_req,
+ void *data,
+ const char *service);
+
+int ifp_domains_domain_list_servers(struct sbus_request *sbus_req,
+ void *data,
+ const char *service);
+
+int ifp_domains_domain_refresh_access_rules(struct sbus_request *sbus_req,
+ void *data);
+
+#endif /* IFP_DOMAINS_H_ */
diff --git a/src/responder/ifp/ifp_groups.c b/src/responder/ifp/ifp_groups.c
new file mode 100644
index 0000000..b274b8f
--- /dev/null
+++ b/src/responder/ifp/ifp_groups.c
@@ -0,0 +1,1031 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "util/strtonum.h" +#include "sbus/sssd_dbus_errors.h" +#include "responder/common/responder.h" +#include "responder/common/cache_req/cache_req.h" +#include "responder/ifp/ifp_groups.h" +#include "responder/ifp/ifp_users.h" +#include "responder/ifp/ifp_cache.h" + +char * ifp_groups_build_path_from_msg(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg) +{ + const char *key = NULL; + + switch (domain->type) { + case DOM_TYPE_APPLICATION: + key = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + break; + case DOM_TYPE_POSIX: + key = ldb_msg_find_attr_as_string(msg, SYSDB_GIDNUM, NULL); + break; + } + + + if (key == NULL) { + return NULL; + } + + return sbus_opath_compose(mem_ctx, IFP_PATH_GROUPS, domain->name, key); +} + +static errno_t ifp_groups_decompose_path(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + const char *path, + struct sss_domain_info **_domain, + char **_key) +{ + char **parts = NULL; + struct sss_domain_info *domain; + errno_t ret; + + ret = sbus_opath_decompose_exact(NULL, path, IFP_PATH_GROUPS, 2, &parts); + if (ret != EOK) { + return ret; + } + + domain = find_domain_by_name(domains, parts[0], false); + if (domain == NULL) { + ret = 
ERR_DOMAIN_NOT_FOUND; + goto done; + } + + *_domain = domain; + *_key = talloc_steal(mem_ctx, parts[1]); + +done: + talloc_free(parts); + return ret; +} + +static int ifp_groups_list_copy(struct ifp_list_ctx *list_ctx, + struct ldb_result *result) +{ + size_t copy_count, i; + errno_t ret; + + ret = ifp_list_ctx_remaining_capacity(list_ctx, result->count, ©_count); + if (ret != EOK) { + goto done; + } + + for (i = 0; i < copy_count; i++) { + list_ctx->paths[list_ctx->path_count + i] = \ + ifp_groups_build_path_from_msg(list_ctx->paths, + list_ctx->dom, + result->msgs[i]); + if (list_ctx->paths[list_ctx->path_count + i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + list_ctx->path_count += copy_count; + ret = EOK; + +done: + return ret; +} + +static void ifp_groups_find_by_name_done(struct tevent_req *req); + +int ifp_groups_find_by_name(struct sbus_request *sbus_req, + void *data, + const char *name) +{ + struct ifp_ctx *ctx; + struct tevent_req *req; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + req = cache_req_group_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx, + ctx->rctx->ncache, 0, + CACHE_REQ_ANY_DOM, NULL, + name); + if (req == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(req, ifp_groups_find_by_name_done, sbus_req); + + return EOK; +} + +static void +ifp_groups_find_by_name_done(struct tevent_req *req) +{ + DBusError *error; + struct sbus_request *sbus_req; + struct cache_req_result *result; + char *object_path; + errno_t ret; + + sbus_req = tevent_req_callback_data(req, struct sbus_request); + + ret = cache_req_group_by_name_recv(sbus_req, req, &result); + talloc_zfree(req); + if (ret == ENOENT) { + error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND, + "Group not found"); + goto done; + } else if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "group [%d]: %s\n", ret, sss_strerror(ret)); 
+ goto done; + } + + object_path = ifp_groups_build_path_from_msg(sbus_req, result->domain, + result->msgs[0]); + if (object_path == NULL) { + error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to compose object path"); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + iface_ifp_groups_FindByName_finish(sbus_req, object_path); + return; +} + +static void ifp_groups_find_by_id_done(struct tevent_req *req); + +int ifp_groups_find_by_id(struct sbus_request *sbus_req, + void *data, + uint32_t id) +{ + struct ifp_ctx *ctx; + struct tevent_req *req; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + req = cache_req_group_by_id_send(sbus_req, ctx->rctx->ev, ctx->rctx, + ctx->rctx->ncache, 0, NULL, id); + if (req == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(req, ifp_groups_find_by_id_done, sbus_req); + + return EOK; +} + +static void +ifp_groups_find_by_id_done(struct tevent_req *req) +{ + DBusError *error; + struct sbus_request *sbus_req; + struct cache_req_result *result; + char *object_path; + errno_t ret; + + sbus_req = tevent_req_callback_data(req, struct sbus_request); + + ret = cache_req_group_by_id_recv(sbus_req, req, &result); + talloc_zfree(req); + if (ret == ENOENT) { + error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND, + "Group not found"); + goto done; + } else if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "group [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + object_path = ifp_groups_build_path_from_msg(sbus_req, result->domain, + result->msgs[0]); + if (object_path == NULL) { + error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to compose object path"); + goto done; + } + +done: + if (ret != EOK) { + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + 
iface_ifp_groups_FindByID_finish(sbus_req, object_path); + return; +} + +static int ifp_groups_list_by_name_step(struct ifp_list_ctx *list_ctx); +static void ifp_groups_list_by_name_done(struct tevent_req *req); +static void ifp_groups_list_by_name_reply(struct ifp_list_ctx *list_ctx); + +int ifp_groups_list_by_name(struct sbus_request *sbus_req, + void *data, + const char *filter, + uint32_t limit) +{ + struct ifp_ctx *ctx; + struct ifp_list_ctx *list_ctx; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + list_ctx = ifp_list_ctx_new(sbus_req, ctx, filter, limit); + if (list_ctx == NULL) { + return ENOMEM; + } + + return ifp_groups_list_by_name_step(list_ctx); +} + +static int ifp_groups_list_by_name_step(struct ifp_list_ctx *list_ctx) +{ + struct tevent_req *req; + + req = cache_req_group_by_filter_send(list_ctx, + list_ctx->ctx->rctx->ev, + list_ctx->ctx->rctx, + CACHE_REQ_ANY_DOM, + list_ctx->dom->name, + list_ctx->filter); + if (req == NULL) { + return ENOMEM; + } + tevent_req_set_callback(req, + ifp_groups_list_by_name_done, list_ctx); + + return EOK; +} + +static void ifp_groups_list_by_name_done(struct tevent_req *req) +{ + DBusError *error; + struct ifp_list_ctx *list_ctx; + struct sbus_request *sbus_req; + struct cache_req_result *result; + errno_t ret; + + list_ctx = tevent_req_callback_data(req, struct ifp_list_ctx); + sbus_req = list_ctx->sbus_req; + + ret = cache_req_group_by_name_recv(sbus_req, req, &result); + talloc_zfree(req); + if (ret != EOK && ret != ENOENT) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "groups by filter [%d]: %s\n", ret, sss_strerror(ret)); + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + if (ret == EOK) { + ret = ifp_groups_list_copy(list_ctx, result->ldb_result); + if (ret != EOK) { + error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); + 
sbus_request_fail_and_finish(sbus_req, error); + return; + } + } + + list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND); + if (list_ctx->dom == NULL) { + return ifp_groups_list_by_name_reply(list_ctx); + } + + ret = ifp_groups_list_by_name_step(list_ctx); + if (ret != EOK) { + error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to start next-domain search"); + sbus_request_fail_and_finish(sbus_req, error); + return; + } +} + +static void ifp_groups_list_by_name_reply(struct ifp_list_ctx *list_ctx) +{ + iface_ifp_groups_ListByDomainAndName_finish(list_ctx->sbus_req, + list_ctx->paths, + list_ctx->path_count); +} + +static void ifp_groups_list_by_domain_and_name_done(struct tevent_req *req); + +int ifp_groups_list_by_domain_and_name(struct sbus_request *sbus_req, + void *data, + const char *domain, + const char *filter, + uint32_t limit) +{ + struct tevent_req *req; + struct ifp_ctx *ctx; + struct ifp_list_ctx *list_ctx; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + list_ctx = ifp_list_ctx_new(sbus_req, ctx, filter, limit); + if (list_ctx == NULL) { + return ENOMEM; + } + + req = cache_req_group_by_filter_send(list_ctx, ctx->rctx->ev, ctx->rctx, + CACHE_REQ_ANY_DOM, + domain, filter); + if (req == NULL) { + return ENOMEM; + } + tevent_req_set_callback(req, + ifp_groups_list_by_domain_and_name_done, list_ctx); + + return EOK; +} + +static void ifp_groups_list_by_domain_and_name_done(struct tevent_req *req) +{ + DBusError *error; + struct ifp_list_ctx *list_ctx; + struct sbus_request *sbus_req; + struct cache_req_result *result; + errno_t ret; + + list_ctx = tevent_req_callback_data(req, struct ifp_list_ctx); + sbus_req = list_ctx->sbus_req; + + ret = cache_req_user_by_name_recv(sbus_req, req, &result); + talloc_zfree(req); + if (ret == ENOENT) { + error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND, + "User not found by filter"); + goto 
done; + } else if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "groups by filter [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + if (ret == EOK) { + ret = ifp_groups_list_copy(list_ctx, result->ldb_result); + if (ret != EOK) { + error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to copy domain result"); + goto done; + } + } + +done: + if (ret != EOK) { + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + iface_ifp_groups_ListByDomainAndName_finish(sbus_req, + list_ctx->paths, + list_ctx->path_count); + return; +} + +static errno_t +ifp_groups_get_from_cache(struct sbus_request *sbus_req, + struct sss_domain_info *domain, + const char *key, + struct ldb_message **_group) +{ + struct ldb_result *group_res; + errno_t ret; + gid_t gid; + + switch (domain->type) { + case DOM_TYPE_POSIX: + gid = strtouint32(key, NULL, 10); + ret = errno; + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid UID value\n"); + return ret; + } + + ret = sysdb_getgrgid_with_views(sbus_req, domain, gid, &group_res); + if (ret == EOK && group_res->count == 0) { + *_group = NULL; + return ENOENT; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup group %u@%s [%d]: %s\n", + gid, domain->name, ret, sss_strerror(ret)); + return ret; + } + break; + case DOM_TYPE_APPLICATION: + ret = sysdb_getgrnam_with_views(sbus_req, domain, key, &group_res); + if (ret == EOK && group_res->count == 0) { + *_group = NULL; + return ENOENT; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup group %s@%s [%d]: %s\n", + key, domain->name, ret, sss_strerror(ret)); + return ret; + } + break; + } + + if (group_res->count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More groups matched by the single key\n"); + return EIO; + } + + *_group = group_res->msgs[0]; + return EOK; +} + +static errno_t +ifp_groups_group_get(struct sbus_request *sbus_req, + void *data, + struct sss_domain_info **_domain, + 
struct ldb_message **_group) +{ + struct ifp_ctx *ctx; + struct sss_domain_info *domain; + char *key; + errno_t ret; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + ret = ifp_groups_decompose_path(sbus_req, + ctx->rctx->domains, sbus_req->path, + &domain, &key); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to decompose object path" + "[%s] [%d]: %s\n", sbus_req->path, ret, sss_strerror(ret)); + return ret; + } + + if (_group != NULL) { + ret = ifp_groups_get_from_cache(sbus_req, domain, key, _group); + } + + if (ret == EOK || ret == ENOENT) { + if (_domain != NULL) { + *_domain = domain; + } + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve group from cache\n"); + } + + return ret; +} + +struct resolv_ghosts_state { + struct tevent_context *ev; + struct sbus_request *sbus_req; + struct ifp_ctx *ctx; + void *data; + + struct sss_domain_info *domain; + const char **ghosts; + int index; +}; + +static void resolv_ghosts_group_done(struct tevent_req *subreq); +static errno_t resolv_ghosts_step(struct tevent_req *req); +static void resolv_ghosts_done(struct tevent_req *subreq); + +static struct tevent_req *resolv_ghosts_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sbus_request *sbus_req, + void *data) +{ + struct resolv_ghosts_state *state; + struct sss_domain_info *domain; + struct tevent_req *req; + struct tevent_req *subreq; + struct ldb_message *group; + struct ifp_ctx *ctx; + const char *name; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct resolv_ghosts_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + ret = ERR_INTERNAL; + goto immediately; + } + + state->ev = ev; + state->sbus_req = sbus_req; + state->ctx = 
ctx; + state->data = data; + + ret = ifp_groups_group_get(sbus_req, data, &domain, &group); + if (ret != EOK) { + goto immediately; + } + + name = ldb_msg_find_attr_as_string(group, SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Group name is empty!\n"); + ret = ERR_INTERNAL; + goto immediately; + } + + subreq = cache_req_group_by_name_send(state, ev, ctx->rctx, + ctx->rctx->ncache, 0, + CACHE_REQ_ANY_DOM, + domain->name, + name); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, resolv_ghosts_group_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static void resolv_ghosts_group_done(struct tevent_req *subreq) +{ + struct resolv_ghosts_state *state; + struct ldb_message_element *el; + struct ldb_message *group; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct resolv_ghosts_state); + + ret = ifp_groups_group_get(state->sbus_req, state->data, + &state->domain, &group); + if (ret != EOK) { + goto done; + } + + el = ldb_msg_find_element(group, SYSDB_GHOST); + if (el == NULL || el->num_values == 0) { + ret = EOK; + goto done; + } + + state->ghosts = sss_ldb_el_to_string_list(state, el); + if (state->ghosts == NULL) { + ret = ENOMEM; + goto done; + } + + state->index = 0; + ret = resolv_ghosts_step(req); + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } +} + +errno_t resolv_ghosts_step(struct tevent_req *req) +{ + struct resolv_ghosts_state *state; + struct tevent_req *subreq; + + state = tevent_req_data(req, struct resolv_ghosts_state); + + if (state->ghosts[state->index] == NULL) { + return EOK; + } + + subreq = cache_req_user_by_name_send(state, state->ev, state->ctx->rctx, + state->ctx->rctx->ncache, 0, + 
CACHE_REQ_ANY_DOM, + state->domain->name, + state->ghosts[state->index]); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, resolv_ghosts_done, req); + + state->index++; + + return EAGAIN; +} + +static void resolv_ghosts_done(struct tevent_req *subreq) +{ + struct resolv_ghosts_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct resolv_ghosts_state); + + ret = cache_req_user_by_name_recv(state, subreq, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + ret = resolv_ghosts_step(req); + +done: + if (ret == EOK) { + tevent_req_done(req); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + } +} + +static errno_t resolv_ghosts_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static void ifp_groups_group_update_member_list_done(struct tevent_req *req); + +int ifp_groups_group_update_member_list(struct sbus_request *sbus_req, + void *data) +{ + struct tevent_req *subreq; + struct ifp_ctx *ctx; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + subreq = resolv_ghosts_send(sbus_req, ctx->rctx->ev, sbus_req, data); + if (subreq == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(subreq, ifp_groups_group_update_member_list_done, + sbus_req); + + return EOK; +} + +static void ifp_groups_group_update_member_list_done(struct tevent_req *subreq) +{ + DBusError *error; + struct sbus_request *sbus_req; + errno_t ret; + + sbus_req = tevent_req_callback_data(subreq, struct sbus_request); + + ret = resolv_ghosts_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, + "Unable to resolve ghost members [%d]: %s\n", + ret, sss_strerror(ret)); + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + 
iface_ifp_groups_group_UpdateMemberList_finish(sbus_req); + return; +} + +void ifp_groups_group_get_name(struct sbus_request *sbus_req, + void *data, + const char **_out) +{ + struct ifp_ctx *ifp_ctx; + struct ldb_message *msg; + struct sss_domain_info *domain; + const char *in_name; + errno_t ret; + + *_out = NULL; + + ifp_ctx = talloc_get_type(data, struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return; + } + + ret = ifp_groups_group_get(sbus_req, data, &domain, &msg); + if (ret != EOK) { + *_out = NULL; + return; + } + + in_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, + SYSDB_NAME, NULL); + if (in_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "No name?\n"); + return; + } + + *_out = ifp_format_name_attr(sbus_req, ifp_ctx, in_name, domain); + return; +} + +void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req, + void *data, + uint32_t *_out) +{ + struct ldb_message *msg; + struct sss_domain_info *domain; + errno_t ret; + + ret = ifp_groups_group_get(sbus_req, data, &domain, &msg); + if (ret != EOK) { + *_out = 0; + return; + } + + *_out = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0); + + return; +} + +void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req, + void *data, + const char **_out) +{ + struct ldb_message *msg; + struct sss_domain_info *domain; + errno_t ret; + + ret = ifp_groups_group_get(sbus_req, data, &domain, &msg); + if (ret != EOK) { + *_out = 0; + return; + } + + *_out = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_UUID, 0); + + return; +} + +static errno_t +ifp_groups_group_get_members(TALLOC_CTX *mem_ctx, + struct sbus_request *sbus_req, + void *data, + const char ***_users, + int *_num_users, + const char ***_groups, + int *_num_groups) +{ + TALLOC_CTX *tmp_ctx; + struct sss_domain_info *domain; + struct ldb_message *group; + struct ldb_message **members; + size_t num_members; + const char *class; + const char **users; + const 
char **groups; + int num_users; + int num_groups; + int i; + errno_t ret; + const char *attrs[] = {SYSDB_OBJECTCATEGORY, SYSDB_UIDNUM, + SYSDB_GIDNUM, NULL}; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = ifp_groups_group_get(sbus_req, data, &domain, &group); + if (ret != EOK) { + goto done; + } + + ret = sysdb_asq_search(tmp_ctx, domain, group->dn, NULL, SYSDB_MEMBER, + attrs, &num_members, &members); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to perform ASQ search [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (num_members == 0) { + users = NULL; + groups = NULL; + num_users = 0; + num_groups = 0; + ret = EOK; + goto done; + } + + users = talloc_zero_array(tmp_ctx, const char *, num_members + 1); + if (users == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + groups = talloc_zero_array(tmp_ctx, const char *, num_members + 1); + if (groups == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + + num_users = 0; + num_groups = 0; + for (i = 0; i < num_members; i++) { + class = ldb_msg_find_attr_as_string(members[i], SYSDB_OBJECTCATEGORY, + NULL); + if (class == NULL) { + ret = ERR_INTERNAL; + goto done; + } + + if (strcmp(class, SYSDB_USER_CLASS) == 0) { + users[num_users] = ifp_users_build_path_from_msg(users, domain, + members[i]); + if (users[num_users] == NULL) { + ret = ENOMEM; + goto done; + } + + num_users++; + } else if (strcmp(class, SYSDB_GROUP_CLASS) == 0) { + groups[num_groups] = ifp_groups_build_path_from_msg(groups, + domain, members[i]); + if (groups[num_groups] == NULL) { + ret = ENOMEM; + goto done; + } + + num_groups++; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected object class %s\n", class); + ret = ERR_INTERNAL; + goto done; + } + } + + ret = EOK; + +done: + if (ret == EOK) { + if (_users != NULL) { + *_users = talloc_steal(mem_ctx, users); + } + + if 
(_num_users != NULL) { + *_num_users = num_users; + } + + if (_groups != NULL) { + *_groups = talloc_steal(mem_ctx, groups); + } + + if (_num_groups != NULL) { + *_num_groups = num_groups; + } + } + + talloc_free(tmp_ctx); + return ret; +} + +void ifp_groups_group_get_users(struct sbus_request *sbus_req, + void *data, + const char ***_out, + int *_size) +{ + errno_t ret; + + *_out = NULL; + *_size = 0; + + ret = ifp_groups_group_get_members(sbus_req, sbus_req, data, _out, _size, + NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to acquire groups members\n"); + } +} + +void ifp_groups_group_get_groups(struct sbus_request *sbus_req, + void *data, + const char ***_out, + int *_size) +{ + errno_t ret; + + *_out = NULL; + *_size = 0; + + ret = ifp_groups_group_get_members(sbus_req, sbus_req, data, NULL, NULL, + _out, _size); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to acquire groups members\n"); + } +} + +int ifp_cache_list_group(struct sbus_request *sbus_req, + void *data) +{ + return ifp_cache_list(sbus_req, data, IFP_CACHE_GROUP); +} + +int ifp_cache_list_by_domain_group(struct sbus_request *sbus_req, + void *data, + const char *domain) +{ + return ifp_cache_list_by_domain(sbus_req, data, domain, IFP_CACHE_GROUP); +} + +int ifp_cache_object_store_group(struct sbus_request *sbus_req, + void *data) +{ + DBusError *error; + struct sss_domain_info *domain; + struct ldb_message *group; + errno_t ret; + + ret = ifp_groups_group_get(sbus_req, data, &domain, &group); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "group [%d]: %s\n", ret, sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + /* The request is finished inside. 
*/ + return ifp_cache_object_store(sbus_req, domain, group->dn); +} + +int ifp_cache_object_remove_group(struct sbus_request *sbus_req, + void *data) +{ + DBusError *error; + struct sss_domain_info *domain; + struct ldb_message *group; + errno_t ret; + + ret = ifp_groups_group_get(sbus_req, data, &domain, &group); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "group [%d]: %s\n", ret, sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + /* The request is finished inside. */ + return ifp_cache_object_remove(sbus_req, domain, group->dn); +} diff --git a/src/responder/ifp/ifp_groups.h b/src/responder/ifp/ifp_groups.h new file mode 100644 index 0000000..1e0377f --- /dev/null +++ b/src/responder/ifp/ifp_groups.h 
@@ -0,0 +1,98 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IFP_GROUPS_H_
+#define IFP_GROUPS_H_
+
+#include "responder/ifp/ifp_iface.h"
+#include "responder/ifp/ifp_private.h"
+
+/* Utility functions */
+
+char * ifp_groups_build_path_from_msg(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ struct ldb_message *msg);
+
+/* org.freedesktop.sssd.infopipe.Groups */
+
+int ifp_groups_find_by_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *name);
+
+int ifp_groups_find_by_id(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t id);
+
+int ifp_groups_list_by_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *filter,
+ uint32_t limit);
+
+int ifp_groups_list_by_domain_and_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *domain,
+ const char *filter,
+ uint32_t limit);
+
+/* org.freedesktop.sssd.infopipe.Groups.Group */
+
+int ifp_groups_group_update_member_list(struct sbus_request *sbus_req,
+ void *data);
+
+void ifp_groups_group_get_name(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_groups_group_get_gid_number(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t *_out);
+
+void ifp_groups_group_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_groups_group_get_users(struct sbus_request *sbus_req,
+ void *data,
+ const char ***_out,
+ int *_size);
+
+void ifp_groups_group_get_groups(struct sbus_request *sbus_req,
+ void *data,
+ const char ***_out,
+ int *_size);
+
+/* org.freedesktop.sssd.infopipe.Cache */
+
+int ifp_cache_list_group(struct sbus_request *sbus_req,
+ void *data);
+
+int ifp_cache_list_by_domain_group(struct sbus_request *sbus_req,
+ void *data,
+ const char *domain);
+
+/* org.freedesktop.sssd.infopipe.Cache.Object */
+
+int ifp_cache_object_store_group(struct sbus_request *sbus_req,
+ void *data);
+
+int ifp_cache_object_remove_group(struct sbus_request *sbus_req,
+ void *data);
+
+#endif /* IFP_GROUPS_H_ */
diff --git a/src/responder/ifp/ifp_iface.c b/src/responder/ifp/ifp_iface.c
new file mode 100644
index 0000000..f995e28
--- /dev/null
+++ b/src/responder/ifp/ifp_iface.c
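Review bot: The declaration of `ifp_groups_group_get_gid_number` in ifp_groups.h returns void and carries no comment, so nothing tells a reader how a failed lookup is reported. The implementation added to ifp_groups.c in this same patch writes `*_out = 0` when `ifp_groups_group_get` fails, which anything consuming the property cannot tell apart from GID 0, conventionally the root group. I would document that on the prototype, e.g. `/* On lookup failure *_out is set to 0; do not treat 0 as a resolved GID. */`. The array getters `ifp_groups_group_get_users` and `ifp_groups_group_get_groups` deserve a similar line: they leave `*_out` NULL and `*_size` 0 on failure and otherwise hand back memory parented to `sbus_req`.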
@@ -0,0 +1,175 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "responder/ifp/ifp_iface_generated.h"
+#include "responder/ifp/ifp_domains.h"
+#include "responder/ifp/ifp_components.h"
+#include "responder/ifp/ifp_users.h"
+#include "responder/ifp/ifp_groups.h"
+
+struct iface_ifp iface_ifp = {
+ { &iface_ifp_meta, 0 },
+ .Ping = ifp_ping,
+
+ /* components */
+ .ListComponents = ifp_list_components,
+ .ListResponders = ifp_list_responders,
+ .ListBackends = ifp_list_backends,
+ .FindMonitor = ifp_find_monitor,
+ .FindResponderByName = ifp_find_responder_by_name,
+ .FindBackendByName = ifp_find_backend_by_name,
+
+ .GetUserAttr = ifp_user_get_attr,
+ .GetUserGroups = ifp_user_get_groups,
+ .ListDomains = ifp_list_domains,
+ .FindDomainByName = ifp_find_domain_by_name,
+};
+
+struct iface_ifp_components iface_ifp_components = {
+ { &iface_ifp_components_meta, 0 },
+ .get_name = ifp_component_get_name,
+ .get_debug_level = ifp_component_get_debug_level,
+ .get_enabled = ifp_component_get_enabled,
+ .get_type = ifp_component_get_type,
+ /* FIXME: This should be part of Components.Backends interface, onece
+ * SSSD supports multiple interfaces per object path. */
+ .get_providers = ifp_backend_get_providers
+};
+
+struct iface_ifp_domains iface_ifp_domains = {
+ { &iface_ifp_domains_meta, 0 },
+ .get_name = ifp_dom_get_name,
+ .get_provider = ifp_dom_get_provider,
+ .get_primary_servers = ifp_dom_get_primary_servers,
+ .get_backup_servers = ifp_dom_get_backup_servers,
+ .get_min_id = ifp_dom_get_min_id,
+ .get_max_id = ifp_dom_get_max_id,
+ .get_realm = ifp_dom_get_realm,
+ .get_forest = ifp_dom_get_forest,
+ .get_login_format = ifp_dom_get_login_format,
+ .get_fully_qualified_name_format = ifp_dom_get_fqdn_format,
+ .get_enumerable = ifp_dom_get_enumerable,
+ .get_use_fully_qualified_names = ifp_dom_get_use_fqdn,
+ .get_subdomain = ifp_dom_get_subdomain,
+ .get_parent_domain = ifp_dom_get_parent_domain
+};
+
+struct iface_ifp_domains_domain iface_ifp_domains_domain = {
+ { &iface_ifp_domains_domain_meta, 0 },
+ .IsOnline = ifp_domains_domain_is_online,
+ .ListServices = ifp_domains_domain_list_services,
+ .ActiveServer = ifp_domains_domain_active_server,
+ .ListServers = ifp_domains_domain_list_servers,
+ .RefreshAccessRules = ifp_domains_domain_refresh_access_rules
+};
+
+struct iface_ifp_users iface_ifp_users = {
+ { &iface_ifp_users_meta, 0 },
+ .FindByName = ifp_users_find_by_name,
+ .FindByID = ifp_users_find_by_id,
+ .FindByCertificate = ifp_users_find_by_cert,
+ .ListByCertificate = ifp_users_list_by_cert,
+ .FindByNameAndCertificate = ifp_users_find_by_name_and_cert,
+ .ListByName = ifp_users_list_by_name,
+ .ListByDomainAndName = ifp_users_list_by_domain_and_name
+};
+
+struct iface_ifp_users_user iface_ifp_users_user = {
+ { &iface_ifp_users_user_meta, 0 },
+ .UpdateGroupsList = ifp_users_user_update_groups_list,
+ .get_name = ifp_users_user_get_name,
+ .get_uidNumber = ifp_users_user_get_uid_number,
+ .get_gidNumber = ifp_users_user_get_gid_number,
+ .get_gecos = ifp_users_user_get_gecos,
+ .get_homeDirectory = ifp_users_user_get_home_directory,
+ .get_loginShell = ifp_users_user_get_login_shell,
+ .get_uniqueID = ifp_users_user_get_unique_id,
+ .get_groups = ifp_users_user_get_groups,
+ .get_domain = ifp_users_user_get_domain,
+ .get_domainname = ifp_users_user_get_domainname,
+ .get_extraAttributes = ifp_users_user_get_extra_attributes
+};
+
+struct iface_ifp_groups iface_ifp_groups = {
+ { &iface_ifp_groups_meta, 0 },
+ .FindByName = ifp_groups_find_by_name,
+ .FindByID = ifp_groups_find_by_id,
+ .ListByName = ifp_groups_list_by_name,
+ .ListByDomainAndName = ifp_groups_list_by_domain_and_name
+};
+
+struct iface_ifp_groups_group iface_ifp_groups_group = {
+ { &iface_ifp_groups_group_meta, 0 },
+ .UpdateMemberList = ifp_groups_group_update_member_list,
+ .get_name = ifp_groups_group_get_name,
+ .get_gidNumber = ifp_groups_group_get_gid_number,
+ .get_uniqueID = ifp_groups_group_get_unique_id,
+ .get_users = ifp_groups_group_get_users,
+ .get_groups = ifp_groups_group_get_groups
+};
+
+struct iface_ifp_cache iface_ifp_cache_user = {
+ { &iface_ifp_cache_meta, 0 },
+ .List = ifp_cache_list_user,
+ .ListByDomain = ifp_cache_list_by_domain_user
+};
+
+struct iface_ifp_cache_object iface_ifp_cache_object_user = {
+ { &iface_ifp_cache_object_meta, 0 },
+ .Store = ifp_cache_object_store_user,
+ .Remove = ifp_cache_object_remove_user
+};
+
+struct iface_ifp_cache iface_ifp_cache_group = {
+ { &iface_ifp_cache_meta, 0 },
+ .List = ifp_cache_list_group,
+ .ListByDomain = ifp_cache_list_by_domain_group
+};
+
+struct iface_ifp_cache_object iface_ifp_cache_object_group = {
+ { &iface_ifp_cache_object_meta, 0 },
+ .Store = ifp_cache_object_store_group,
+ .Remove = ifp_cache_object_remove_group
+};
+
+static struct sbus_iface_map iface_map[] = {
+ { IFP_PATH, &iface_ifp.vtable },
+ { IFP_PATH_DOMAINS, &iface_ifp_domains.vtable },
+ { IFP_PATH_DOMAINS_TREE, &iface_ifp_domains.vtable },
+ { IFP_PATH_DOMAINS_TREE, &iface_ifp_domains_domain.vtable },
+ { IFP_PATH_COMPONENTS_TREE, &iface_ifp_components.vtable },
+ { IFP_PATH_USERS, &iface_ifp_users.vtable },
+ { IFP_PATH_USERS, &iface_ifp_cache_user.vtable },
+ { IFP_PATH_USERS_TREE, &iface_ifp_users_user.vtable },
+ { IFP_PATH_USERS_TREE, &iface_ifp_cache_object_user.vtable },
+ { IFP_PATH_GROUPS, &iface_ifp_groups.vtable },
+ { IFP_PATH_GROUPS, &iface_ifp_cache_group.vtable },
+ { IFP_PATH_GROUPS_TREE, &iface_ifp_groups_group.vtable },
+ { IFP_PATH_GROUPS_TREE, &iface_ifp_cache_object_group.vtable },
+ { NULL, NULL },
+};
+
+errno_t ifp_register_sbus_interface(struct sbus_connection *conn, void *pvt)
+{
+ return sbus_conn_register_iface_map(conn, iface_map, pvt);
+}
diff --git a/src/responder/ifp/ifp_iface.h b/src/responder/ifp/ifp_iface.h
new file mode 100644
index 0000000..06b3795
--- /dev/null
+++ b/src/responder/ifp/ifp_iface.h
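Review bot: The handler tables in ifp_iface.c (`iface_ifp`, `iface_ifp_users`, `iface_ifp_cache_object_group` and the others) and `iface_map` are defined as writable data, although nothing in this hunk writes to them after initialisation, so the responder's D-Bus handler pointers stay in modifiable memory for the life of the process. If the sbus registration API accepts const-qualified tables (its prototype is not visible here, and the vtable declarations presumably live in the generated header), declaring them const, e.g. `static const struct sbus_iface_map iface_map[] = {`, would let them be placed in a read-only section. Separately, the map attaches the apparently state-changing `Store` and `Remove` methods to every object under `IFP_PATH_USERS_TREE` and `IFP_PATH_GROUPS_TREE`, and no caller check appears in this file. A short comment above `iface_map` naming where callers of those methods are authorised would help the next reviewer.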
@@ -0,0 +1,40 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _IFP_IFACE_H_ +#define _IFP_IFACE_H_ + +#include "responder/ifp/ifp_iface_generated.h" + +#define IFP_PATH "/org/freedesktop/sssd/infopipe" + +#define IFP_PATH_DOMAINS IFP_PATH "/Domains" +#define IFP_PATH_DOMAINS_TREE IFP_PATH_DOMAINS SBUS_SUBTREE_SUFFIX + +#define IFP_PATH_COMPONENTS IFP_PATH "/Components" +#define IFP_PATH_COMPONENTS_TREE IFP_PATH_COMPONENTS SBUS_SUBTREE_SUFFIX + +#define IFP_PATH_GROUPS IFP_PATH "/Groups" +#define IFP_PATH_GROUPS_TREE IFP_PATH_GROUPS SBUS_SUBTREE_SUFFIX + +#define IFP_PATH_USERS IFP_PATH "/Users" +#define IFP_PATH_USERS_TREE IFP_PATH_USERS SBUS_SUBTREE_SUFFIX + +#endif /* _IFP_IFACE_H_ */ diff --git a/src/responder/ifp/ifp_iface.xml b/src/responder/ifp/ifp_iface.xml new file mode 100644 index 0000000..1aa7eac --- /dev/null +++ b/src/responder/ifp/ifp_iface.xml @@ -0,0 +1,234 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
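Review bot: The include guard in ifp_iface.h, `#ifndef _IFP_IFACE_H_`, uses an identifier that begins with an underscore followed by an uppercase letter, which C reserves for the implementation. ifp_groups.h in the same patch already uses the unreserved form `IFP_GROUPS_H_`, so `#ifndef IFP_IFACE_H_` / `#define IFP_IFACE_H_`, with the matching `#endif /* IFP_IFACE_H_ */` comment, would be consistent with it. This is a style point only; the path macros themselves are unaffected.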
diff --git a/src/responder/ifp/ifp_iface_generated.c b/src/responder/ifp/ifp_iface_generated.c new file mode 100644 index 0000000..c2cdbf5 --- /dev/null +++ b/src/responder/ifp/ifp_iface_generated.c 
@@ -0,0 +1,1346 @@ +/* The following definitions are auto-generated from ifp_iface.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "ifp_iface_generated.h" + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'su' DBus signature */ +static int invoke_su_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'ss' DBus signature */ +static int invoke_ss_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'ssu' DBus signature */ +static int invoke_ssu_method(struct sbus_request *dbus_req, void *function_ptr); + +/* arguments for org.freedesktop.sssd.infopipe.Ping */ +const struct sbus_arg_meta iface_ifp_Ping__in[] = { + { "ping", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Ping */ +const struct sbus_arg_meta iface_ifp_Ping__out[] = { + { "pong", "s" }, + { NULL, } +}; + +int iface_ifp_Ping_finish(struct sbus_request *req, const char *arg_pong) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_STRING, &arg_pong, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.ListComponents */ +const struct sbus_arg_meta iface_ifp_ListComponents__out[] = { + { "components", "ao" }, + { NULL, } +}; + +int iface_ifp_ListComponents_finish(struct sbus_request *req, const char *arg_components[], int len_components) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_components, len_components, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.ListResponders */ +const struct sbus_arg_meta 
iface_ifp_ListResponders__out[] = { + { "responders", "ao" }, + { NULL, } +}; + +int iface_ifp_ListResponders_finish(struct sbus_request *req, const char *arg_responders[], int len_responders) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_responders, len_responders, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.ListBackends */ +const struct sbus_arg_meta iface_ifp_ListBackends__out[] = { + { "backends", "ao" }, + { NULL, } +}; + +int iface_ifp_ListBackends_finish(struct sbus_request *req, const char *arg_backends[], int len_backends) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_backends, len_backends, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.FindMonitor */ +const struct sbus_arg_meta iface_ifp_FindMonitor__out[] = { + { "monitor", "o" }, + { NULL, } +}; + +int iface_ifp_FindMonitor_finish(struct sbus_request *req, const char *arg_monitor) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_monitor, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.FindResponderByName */ +const struct sbus_arg_meta iface_ifp_FindResponderByName__in[] = { + { "name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.FindResponderByName */ +const struct sbus_arg_meta iface_ifp_FindResponderByName__out[] = { + { "responder", "o" }, + { NULL, } +}; + +int iface_ifp_FindResponderByName_finish(struct sbus_request *req, const char *arg_responder) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_responder, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.FindBackendByName */ +const struct sbus_arg_meta iface_ifp_FindBackendByName__in[] = { + { "name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.FindBackendByName */ +const struct sbus_arg_meta iface_ifp_FindBackendByName__out[] 
= { + { "backend", "o" }, + { NULL, } +}; + +int iface_ifp_FindBackendByName_finish(struct sbus_request *req, const char *arg_backend) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_backend, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.GetUserAttr */ +const struct sbus_arg_meta iface_ifp_GetUserAttr__in[] = { + { "user", "s" }, + { "attr", "as" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.GetUserAttr */ +const struct sbus_arg_meta iface_ifp_GetUserAttr__out[] = { + { "values", "a{sv}" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.GetUserGroups */ +const struct sbus_arg_meta iface_ifp_GetUserGroups__in[] = { + { "user", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.GetUserGroups */ +const struct sbus_arg_meta iface_ifp_GetUserGroups__out[] = { + { "values", "as" }, + { NULL, } +}; + +int iface_ifp_GetUserGroups_finish(struct sbus_request *req, const char *arg_values[], int len_values) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_values, len_values, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.FindDomainByName */ +const struct sbus_arg_meta iface_ifp_FindDomainByName__in[] = { + { "name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.FindDomainByName */ +const struct sbus_arg_meta iface_ifp_FindDomainByName__out[] = { + { "domain", "o" }, + { NULL, } +}; + +int iface_ifp_FindDomainByName_finish(struct sbus_request *req, const char *arg_domain) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_domain, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.ListDomains */ +const struct sbus_arg_meta iface_ifp_ListDomains__out[] = { + { "domain", "ao" }, + { NULL, } +}; + +int iface_ifp_ListDomains_finish(struct sbus_request *req, const char *arg_domain[], int len_domain) +{ + return 
sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_domain, len_domain, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe */ +const struct sbus_method_meta iface_ifp__methods[] = { + { + "Ping", /* name */ + iface_ifp_Ping__in, + iface_ifp_Ping__out, + offsetof(struct iface_ifp, Ping), + invoke_s_method, + }, + { + "ListComponents", /* name */ + NULL, /* no in_args */ + iface_ifp_ListComponents__out, + offsetof(struct iface_ifp, ListComponents), + NULL, /* no invoker */ + }, + { + "ListResponders", /* name */ + NULL, /* no in_args */ + iface_ifp_ListResponders__out, + offsetof(struct iface_ifp, ListResponders), + NULL, /* no invoker */ + }, + { + "ListBackends", /* name */ + NULL, /* no in_args */ + iface_ifp_ListBackends__out, + offsetof(struct iface_ifp, ListBackends), + NULL, /* no invoker */ + }, + { + "FindMonitor", /* name */ + NULL, /* no in_args */ + iface_ifp_FindMonitor__out, + offsetof(struct iface_ifp, FindMonitor), + NULL, /* no invoker */ + }, + { + "FindResponderByName", /* name */ + iface_ifp_FindResponderByName__in, + iface_ifp_FindResponderByName__out, + offsetof(struct iface_ifp, FindResponderByName), + invoke_s_method, + }, + { + "FindBackendByName", /* name */ + iface_ifp_FindBackendByName__in, + iface_ifp_FindBackendByName__out, + offsetof(struct iface_ifp, FindBackendByName), + invoke_s_method, + }, + { + "GetUserAttr", /* name */ + iface_ifp_GetUserAttr__in, + iface_ifp_GetUserAttr__out, + offsetof(struct iface_ifp, GetUserAttr), + NULL, /* no invoker */ + }, + { + "GetUserGroups", /* name */ + iface_ifp_GetUserGroups__in, + iface_ifp_GetUserGroups__out, + offsetof(struct iface_ifp, GetUserGroups), + invoke_s_method, + }, + { + "FindDomainByName", /* name */ + iface_ifp_FindDomainByName__in, + iface_ifp_FindDomainByName__out, + offsetof(struct iface_ifp, FindDomainByName), + invoke_s_method, + }, + { + "ListDomains", /* name */ + NULL, /* no in_args */ + iface_ifp_ListDomains__out, + 
offsetof(struct iface_ifp, ListDomains), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe */ +const struct sbus_interface_meta iface_ifp_meta = { + "org.freedesktop.sssd.infopipe", /* name */ + iface_ifp__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* property info for org.freedesktop.sssd.infopipe.Components */ +const struct sbus_property_meta iface_ifp_components__properties[] = { + { + "name", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_components, get_name), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "debug_level", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_components, get_debug_level), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "enabled", /* name */ + "b", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_components, get_enabled), + sbus_invoke_get_b, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "type", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_components, get_type), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "providers", /* name */ + "as", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_components, get_providers), + sbus_invoke_get_as, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Components */ +const struct sbus_interface_meta iface_ifp_components_meta = { + "org.freedesktop.sssd.infopipe.Components", /* name */ + NULL, /* no methods */ + NULL, /* no signals */ + iface_ifp_components__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* property info for org.freedesktop.sssd.infopipe.Domains */ +const struct sbus_property_meta iface_ifp_domains__properties[] = { + { + 
"name", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_name), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "provider", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_provider), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "primary_servers", /* name */ + "as", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_primary_servers), + sbus_invoke_get_as, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "backup_servers", /* name */ + "as", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_backup_servers), + sbus_invoke_get_as, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "min_id", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_min_id), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "max_id", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_max_id), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "realm", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_realm), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "forest", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_forest), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "login_format", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_login_format), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "fully_qualified_name_format", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_fully_qualified_name_format), + sbus_invoke_get_s, + 0, /* 
not writable */ + NULL, /* no invoker */ + }, + { + "enumerable", /* name */ + "b", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_enumerable), + sbus_invoke_get_b, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "use_fully_qualified_names", /* name */ + "b", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_use_fully_qualified_names), + sbus_invoke_get_b, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "subdomain", /* name */ + "b", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_subdomain), + sbus_invoke_get_b, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "parent_domain", /* name */ + "o", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_domains, get_parent_domain), + sbus_invoke_get_o, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Domains */ +const struct sbus_interface_meta iface_ifp_domains_meta = { + "org.freedesktop.sssd.infopipe.Domains", /* name */ + NULL, /* no methods */ + NULL, /* no signals */ + iface_ifp_domains__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.infopipe.Domains.Domain.IsOnline */ +const struct sbus_arg_meta iface_ifp_domains_domain_IsOnline__out[] = { + { "status", "b" }, + { NULL, } +}; + +int iface_ifp_domains_domain_IsOnline_finish(struct sbus_request *req, bool arg_status) +{ + dbus_bool_t cast_status = arg_status; + return sbus_request_return_and_finish(req, + DBUS_TYPE_BOOLEAN, &cast_status, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Domains.Domain.ListServices */ +const struct sbus_arg_meta iface_ifp_domains_domain_ListServices__out[] = { + { "services", "as" }, + { NULL, } +}; + +int iface_ifp_domains_domain_ListServices_finish(struct sbus_request *req, const char *arg_services[], int len_services) +{ + return 
sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_services, len_services, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Domains.Domain.ActiveServer */ +const struct sbus_arg_meta iface_ifp_domains_domain_ActiveServer__in[] = { + { "service", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Domains.Domain.ActiveServer */ +const struct sbus_arg_meta iface_ifp_domains_domain_ActiveServer__out[] = { + { "server", "s" }, + { NULL, } +}; + +int iface_ifp_domains_domain_ActiveServer_finish(struct sbus_request *req, const char *arg_server) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_STRING, &arg_server, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Domains.Domain.ListServers */ +const struct sbus_arg_meta iface_ifp_domains_domain_ListServers__in[] = { + { "service_name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Domains.Domain.ListServers */ +const struct sbus_arg_meta iface_ifp_domains_domain_ListServers__out[] = { + { "servers", "as" }, + { NULL, } +}; + +int iface_ifp_domains_domain_ListServers_finish(struct sbus_request *req, const char *arg_servers[], int len_servers) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_servers, len_servers, + DBUS_TYPE_INVALID); +} + +int iface_ifp_domains_domain_RefreshAccessRules_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Domains.Domain */ +const struct sbus_method_meta iface_ifp_domains_domain__methods[] = { + { + "IsOnline", /* name */ + NULL, /* no in_args */ + iface_ifp_domains_domain_IsOnline__out, + offsetof(struct iface_ifp_domains_domain, IsOnline), + NULL, /* no invoker */ + }, + { + "ListServices", /* name */ + NULL, /* no in_args */ + iface_ifp_domains_domain_ListServices__out, + offsetof(struct iface_ifp_domains_domain, 
ListServices), + NULL, /* no invoker */ + }, + { + "ActiveServer", /* name */ + iface_ifp_domains_domain_ActiveServer__in, + iface_ifp_domains_domain_ActiveServer__out, + offsetof(struct iface_ifp_domains_domain, ActiveServer), + invoke_s_method, + }, + { + "ListServers", /* name */ + iface_ifp_domains_domain_ListServers__in, + iface_ifp_domains_domain_ListServers__out, + offsetof(struct iface_ifp_domains_domain, ListServers), + invoke_s_method, + }, + { + "RefreshAccessRules", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_ifp_domains_domain, RefreshAccessRules), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Domains.Domain */ +const struct sbus_interface_meta iface_ifp_domains_domain_meta = { + "org.freedesktop.sssd.infopipe.Domains.Domain", /* name */ + iface_ifp_domains_domain__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.infopipe.Cache.List */ +const struct sbus_arg_meta iface_ifp_cache_List__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_cache_List_finish(struct sbus_request *req, const char *arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_result, len_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Cache.ListByDomain */ +const struct sbus_arg_meta iface_ifp_cache_ListByDomain__in[] = { + { "domain_name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Cache.ListByDomain */ +const struct sbus_arg_meta iface_ifp_cache_ListByDomain__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_cache_ListByDomain_finish(struct sbus_request *req, const char *arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_result, len_result, + 
DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Cache */ +const struct sbus_method_meta iface_ifp_cache__methods[] = { + { + "List", /* name */ + NULL, /* no in_args */ + iface_ifp_cache_List__out, + offsetof(struct iface_ifp_cache, List), + NULL, /* no invoker */ + }, + { + "ListByDomain", /* name */ + iface_ifp_cache_ListByDomain__in, + iface_ifp_cache_ListByDomain__out, + offsetof(struct iface_ifp_cache, ListByDomain), + invoke_s_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Cache */ +const struct sbus_interface_meta iface_ifp_cache_meta = { + "org.freedesktop.sssd.infopipe.Cache", /* name */ + iface_ifp_cache__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.infopipe.Cache.Object.Store */ +const struct sbus_arg_meta iface_ifp_cache_object_Store__out[] = { + { "result", "b" }, + { NULL, } +}; + +int iface_ifp_cache_object_Store_finish(struct sbus_request *req, bool arg_result) +{ + dbus_bool_t cast_result = arg_result; + return sbus_request_return_and_finish(req, + DBUS_TYPE_BOOLEAN, &cast_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Cache.Object.Remove */ +const struct sbus_arg_meta iface_ifp_cache_object_Remove__out[] = { + { "result", "b" }, + { NULL, } +}; + +int iface_ifp_cache_object_Remove_finish(struct sbus_request *req, bool arg_result) +{ + dbus_bool_t cast_result = arg_result; + return sbus_request_return_and_finish(req, + DBUS_TYPE_BOOLEAN, &cast_result, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Cache.Object */ +const struct sbus_method_meta iface_ifp_cache_object__methods[] = { + { + "Store", /* name */ + NULL, /* no in_args */ + iface_ifp_cache_object_Store__out, + offsetof(struct iface_ifp_cache_object, Store), + NULL, /* no invoker */ + }, + { + "Remove", /* name */ + NULL, /* no in_args */ + 
iface_ifp_cache_object_Remove__out, + offsetof(struct iface_ifp_cache_object, Remove), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Cache.Object */ +const struct sbus_interface_meta iface_ifp_cache_object_meta = { + "org.freedesktop.sssd.infopipe.Cache.Object", /* name */ + iface_ifp_cache_object__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByName */ +const struct sbus_arg_meta iface_ifp_users_FindByName__in[] = { + { "name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByName */ +const struct sbus_arg_meta iface_ifp_users_FindByName__out[] = { + { "result", "o" }, + { NULL, } +}; + +int iface_ifp_users_FindByName_finish(struct sbus_request *req, const char *arg_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByID */ +const struct sbus_arg_meta iface_ifp_users_FindByID__in[] = { + { "id", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByID */ +const struct sbus_arg_meta iface_ifp_users_FindByID__out[] = { + { "result", "o" }, + { NULL, } +}; + +int iface_ifp_users_FindByID_finish(struct sbus_request *req, const char *arg_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByCertificate */ +const struct sbus_arg_meta iface_ifp_users_FindByCertificate__in[] = { + { "pem_cert", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByCertificate */ +const struct sbus_arg_meta iface_ifp_users_FindByCertificate__out[] = { + { "result", "o" }, + { NULL, } +}; + +int iface_ifp_users_FindByCertificate_finish(struct sbus_request *req, const 
char *arg_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Users.ListByCertificate */ +const struct sbus_arg_meta iface_ifp_users_ListByCertificate__in[] = { + { "pem_cert", "s" }, + { "limit", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.ListByCertificate */ +const struct sbus_arg_meta iface_ifp_users_ListByCertificate__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_users_ListByCertificate_finish(struct sbus_request *req, const char *arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_result, len_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate */ +const struct sbus_arg_meta iface_ifp_users_FindByNameAndCertificate__in[] = { + { "name", "s" }, + { "pem_cert", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate */ +const struct sbus_arg_meta iface_ifp_users_FindByNameAndCertificate__out[] = { + { "result", "o" }, + { NULL, } +}; + +int iface_ifp_users_FindByNameAndCertificate_finish(struct sbus_request *req, const char *arg_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Users.ListByName */ +const struct sbus_arg_meta iface_ifp_users_ListByName__in[] = { + { "name_filter", "s" }, + { "limit", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.ListByName */ +const struct sbus_arg_meta iface_ifp_users_ListByName__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_users_ListByName_finish(struct sbus_request *req, const char *arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, 
&arg_result, len_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Users.ListByDomainAndName */ +const struct sbus_arg_meta iface_ifp_users_ListByDomainAndName__in[] = { + { "domain_name", "s" }, + { "name_filter", "s" }, + { "limit", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Users.ListByDomainAndName */ +const struct sbus_arg_meta iface_ifp_users_ListByDomainAndName__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_users_ListByDomainAndName_finish(struct sbus_request *req, const char *arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_result, len_result, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Users */ +const struct sbus_method_meta iface_ifp_users__methods[] = { + { + "FindByName", /* name */ + iface_ifp_users_FindByName__in, + iface_ifp_users_FindByName__out, + offsetof(struct iface_ifp_users, FindByName), + invoke_s_method, + }, + { + "FindByID", /* name */ + iface_ifp_users_FindByID__in, + iface_ifp_users_FindByID__out, + offsetof(struct iface_ifp_users, FindByID), + invoke_u_method, + }, + { + "FindByCertificate", /* name */ + iface_ifp_users_FindByCertificate__in, + iface_ifp_users_FindByCertificate__out, + offsetof(struct iface_ifp_users, FindByCertificate), + invoke_s_method, + }, + { + "ListByCertificate", /* name */ + iface_ifp_users_ListByCertificate__in, + iface_ifp_users_ListByCertificate__out, + offsetof(struct iface_ifp_users, ListByCertificate), + invoke_su_method, + }, + { + "FindByNameAndCertificate", /* name */ + iface_ifp_users_FindByNameAndCertificate__in, + iface_ifp_users_FindByNameAndCertificate__out, + offsetof(struct iface_ifp_users, FindByNameAndCertificate), + invoke_ss_method, + }, + { + "ListByName", /* name */ + iface_ifp_users_ListByName__in, + iface_ifp_users_ListByName__out, + offsetof(struct iface_ifp_users, ListByName), + invoke_su_method, + }, 
+ { + "ListByDomainAndName", /* name */ + iface_ifp_users_ListByDomainAndName__in, + iface_ifp_users_ListByDomainAndName__out, + offsetof(struct iface_ifp_users, ListByDomainAndName), + invoke_ssu_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Users */ +const struct sbus_interface_meta iface_ifp_users_meta = { + "org.freedesktop.sssd.infopipe.Users", /* name */ + iface_ifp_users__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +int iface_ifp_users_user_UpdateGroupsList_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Users.User */ +const struct sbus_method_meta iface_ifp_users_user__methods[] = { + { + "UpdateGroupsList", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_ifp_users_user, UpdateGroupsList), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* property info for org.freedesktop.sssd.infopipe.Users.User */ +const struct sbus_property_meta iface_ifp_users_user__properties[] = { + { + "name", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_name), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uidNumber", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_uidNumber), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "gidNumber", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_gidNumber), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "gecos", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_gecos), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "homeDirectory", /* name */ + "s", /* type */ + 
SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_homeDirectory), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "loginShell", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_loginShell), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uniqueID", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_uniqueID), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "groups", /* name */ + "ao", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_groups), + sbus_invoke_get_ao, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "domain", /* name */ + "o", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_domain), + sbus_invoke_get_o, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "domainname", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_domainname), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "extraAttributes", /* name */ + "a{sas}", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_users_user, get_extraAttributes), + sbus_invoke_get_aDOsasDE, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Users.User */ +const struct sbus_interface_meta iface_ifp_users_user_meta = { + "org.freedesktop.sssd.infopipe.Users.User", /* name */ + iface_ifp_users_user__methods, + NULL, /* no signals */ + iface_ifp_users_user__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for org.freedesktop.sssd.infopipe.Groups.FindByName */ +const struct sbus_arg_meta iface_ifp_groups_FindByName__in[] = { + { "name", "s" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Groups.FindByName */ 
+const struct sbus_arg_meta iface_ifp_groups_FindByName__out[] = { + { "result", "o" }, + { NULL, } +}; + +int iface_ifp_groups_FindByName_finish(struct sbus_request *req, const char *arg_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Groups.FindByID */ +const struct sbus_arg_meta iface_ifp_groups_FindByID__in[] = { + { "id", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Groups.FindByID */ +const struct sbus_arg_meta iface_ifp_groups_FindByID__out[] = { + { "result", "o" }, + { NULL, } +}; + +int iface_ifp_groups_FindByID_finish(struct sbus_request *req, const char *arg_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_OBJECT_PATH, &arg_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Groups.ListByName */ +const struct sbus_arg_meta iface_ifp_groups_ListByName__in[] = { + { "name_filter", "s" }, + { "limit", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Groups.ListByName */ +const struct sbus_arg_meta iface_ifp_groups_ListByName__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_groups_ListByName_finish(struct sbus_request *req, const char *arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_result, len_result, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName */ +const struct sbus_arg_meta iface_ifp_groups_ListByDomainAndName__in[] = { + { "domain_name", "s" }, + { "name_filter", "s" }, + { "limit", "u" }, + { NULL, } +}; + +/* arguments for org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName */ +const struct sbus_arg_meta iface_ifp_groups_ListByDomainAndName__out[] = { + { "result", "ao" }, + { NULL, } +}; + +int iface_ifp_groups_ListByDomainAndName_finish(struct sbus_request *req, const char 
*arg_result[], int len_result) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_result, len_result, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Groups */ +const struct sbus_method_meta iface_ifp_groups__methods[] = { + { + "FindByName", /* name */ + iface_ifp_groups_FindByName__in, + iface_ifp_groups_FindByName__out, + offsetof(struct iface_ifp_groups, FindByName), + invoke_s_method, + }, + { + "FindByID", /* name */ + iface_ifp_groups_FindByID__in, + iface_ifp_groups_FindByID__out, + offsetof(struct iface_ifp_groups, FindByID), + invoke_u_method, + }, + { + "ListByName", /* name */ + iface_ifp_groups_ListByName__in, + iface_ifp_groups_ListByName__out, + offsetof(struct iface_ifp_groups, ListByName), + invoke_su_method, + }, + { + "ListByDomainAndName", /* name */ + iface_ifp_groups_ListByDomainAndName__in, + iface_ifp_groups_ListByDomainAndName__out, + offsetof(struct iface_ifp_groups, ListByDomainAndName), + invoke_ssu_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Groups */ +const struct sbus_interface_meta iface_ifp_groups_meta = { + "org.freedesktop.sssd.infopipe.Groups", /* name */ + iface_ifp_groups__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +int iface_ifp_groups_group_UpdateMemberList_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.infopipe.Groups.Group */ +const struct sbus_method_meta iface_ifp_groups_group__methods[] = { + { + "UpdateMemberList", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_ifp_groups_group, UpdateMemberList), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* property info for org.freedesktop.sssd.infopipe.Groups.Group */ +const struct sbus_property_meta iface_ifp_groups_group__properties[] = { + { + "name", /* name */ + 
"s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_groups_group, get_name), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "gidNumber", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_groups_group, get_gidNumber), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uniqueID", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_groups_group, get_uniqueID), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "users", /* name */ + "ao", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_groups_group, get_users), + sbus_invoke_get_ao, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "groups", /* name */ + "ao", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct iface_ifp_groups_group, get_groups), + sbus_invoke_get_ao, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.infopipe.Groups.Group */ +const struct sbus_interface_meta iface_ifp_groups_group_meta = { + "org.freedesktop.sssd.infopipe.Groups.Group", /* name */ + iface_ifp_groups_group__methods, + NULL, /* no signals */ + iface_ifp_groups_group__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* invokes a handler with a 'ss' DBus signature */ +static int invoke_ss_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + const char * arg_1; + int (*handler)(struct sbus_request *, void *, const char *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_STRING, &arg_1, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1); +} + +/* invokes a handler with a 'ssu' DBus signature */ +static int invoke_ssu_method(struct sbus_request *dbus_req, void 
*function_ptr) +{ + const char * arg_0; + const char * arg_1; + uint32_t arg_2; + int (*handler)(struct sbus_request *, void *, const char *, const char *, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_STRING, &arg_1, + DBUS_TYPE_UINT32, &arg_2, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1, + arg_2); +} + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + int (*handler)(struct sbus_request *, void *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} + +/* invokes a handler with a 'su' DBus signature */ +static int invoke_su_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + uint32_t arg_1; + int (*handler)(struct sbus_request *, void *, const char *, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_UINT32, &arg_1, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1); +} 
diff --git a/src/responder/ifp/ifp_iface_generated.h b/src/responder/ifp/ifp_iface_generated.h new file mode 100644 index 0000000..f1e6c80 --- /dev/null +++ b/src/responder/ifp/ifp_iface_generated.h 
@@ -0,0 +1,385 @@ +/* The following declarations are auto-generated from ifp_iface.xml */ + +#ifndef __IFP_IFACE_XML__ +#define __IFP_IFACE_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for org.freedesktop.sssd.infopipe */ +#define IFACE_IFP "org.freedesktop.sssd.infopipe" +#define IFACE_IFP_PING "Ping" +#define IFACE_IFP_LISTCOMPONENTS "ListComponents" +#define IFACE_IFP_LISTRESPONDERS "ListResponders" +#define IFACE_IFP_LISTBACKENDS "ListBackends" +#define IFACE_IFP_FINDMONITOR "FindMonitor" +#define IFACE_IFP_FINDRESPONDERBYNAME "FindResponderByName" +#define IFACE_IFP_FINDBACKENDBYNAME "FindBackendByName" +#define IFACE_IFP_GETUSERATTR "GetUserAttr" +#define IFACE_IFP_GETUSERGROUPS "GetUserGroups" +#define IFACE_IFP_FINDDOMAINBYNAME "FindDomainByName" +#define IFACE_IFP_LISTDOMAINS "ListDomains" + +/* constants for org.freedesktop.sssd.infopipe.Components */ +#define IFACE_IFP_COMPONENTS "org.freedesktop.sssd.infopipe.Components" +#define IFACE_IFP_COMPONENTS_NAME "name" +#define IFACE_IFP_COMPONENTS_DEBUG_LEVEL "debug_level" +#define IFACE_IFP_COMPONENTS_ENABLED "enabled" +#define IFACE_IFP_COMPONENTS_TYPE "type" +#define IFACE_IFP_COMPONENTS_PROVIDERS "providers" + +/* constants for org.freedesktop.sssd.infopipe.Domains */ +#define IFACE_IFP_DOMAINS "org.freedesktop.sssd.infopipe.Domains" +#define IFACE_IFP_DOMAINS_NAME "name" +#define IFACE_IFP_DOMAINS_PROVIDER "provider" +#define IFACE_IFP_DOMAINS_PRIMARY_SERVERS "primary_servers" +#define IFACE_IFP_DOMAINS_BACKUP_SERVERS "backup_servers" +#define IFACE_IFP_DOMAINS_MIN_ID "min_id" +#define IFACE_IFP_DOMAINS_MAX_ID "max_id" +#define IFACE_IFP_DOMAINS_REALM "realm" +#define IFACE_IFP_DOMAINS_FOREST "forest" +#define IFACE_IFP_DOMAINS_LOGIN_FORMAT "login_format" +#define 
IFACE_IFP_DOMAINS_FULLY_QUALIFIED_NAME_FORMAT "fully_qualified_name_format" +#define IFACE_IFP_DOMAINS_ENUMERABLE "enumerable" +#define IFACE_IFP_DOMAINS_USE_FULLY_QUALIFIED_NAMES "use_fully_qualified_names" +#define IFACE_IFP_DOMAINS_SUBDOMAIN "subdomain" +#define IFACE_IFP_DOMAINS_PARENT_DOMAIN "parent_domain" + +/* constants for org.freedesktop.sssd.infopipe.Domains.Domain */ +#define IFACE_IFP_DOMAINS_DOMAIN "org.freedesktop.sssd.infopipe.Domains.Domain" +#define IFACE_IFP_DOMAINS_DOMAIN_ISONLINE "IsOnline" +#define IFACE_IFP_DOMAINS_DOMAIN_LISTSERVICES "ListServices" +#define IFACE_IFP_DOMAINS_DOMAIN_ACTIVESERVER "ActiveServer" +#define IFACE_IFP_DOMAINS_DOMAIN_LISTSERVERS "ListServers" +#define IFACE_IFP_DOMAINS_DOMAIN_REFRESHACCESSRULES "RefreshAccessRules" + +/* constants for org.freedesktop.sssd.infopipe.Cache */ +#define IFACE_IFP_CACHE "org.freedesktop.sssd.infopipe.Cache" +#define IFACE_IFP_CACHE_LIST "List" +#define IFACE_IFP_CACHE_LISTBYDOMAIN "ListByDomain" + +/* constants for org.freedesktop.sssd.infopipe.Cache.Object */ +#define IFACE_IFP_CACHE_OBJECT "org.freedesktop.sssd.infopipe.Cache.Object" +#define IFACE_IFP_CACHE_OBJECT_STORE "Store" +#define IFACE_IFP_CACHE_OBJECT_REMOVE "Remove" + +/* constants for org.freedesktop.sssd.infopipe.Users */ +#define IFACE_IFP_USERS "org.freedesktop.sssd.infopipe.Users" +#define IFACE_IFP_USERS_FINDBYNAME "FindByName" +#define IFACE_IFP_USERS_FINDBYID "FindByID" +#define IFACE_IFP_USERS_FINDBYCERTIFICATE "FindByCertificate" +#define IFACE_IFP_USERS_LISTBYCERTIFICATE "ListByCertificate" +#define IFACE_IFP_USERS_FINDBYNAMEANDCERTIFICATE "FindByNameAndCertificate" +#define IFACE_IFP_USERS_LISTBYNAME "ListByName" +#define IFACE_IFP_USERS_LISTBYDOMAINANDNAME "ListByDomainAndName" + +/* constants for org.freedesktop.sssd.infopipe.Users.User */ +#define IFACE_IFP_USERS_USER "org.freedesktop.sssd.infopipe.Users.User" +#define IFACE_IFP_USERS_USER_UPDATEGROUPSLIST "UpdateGroupsList" +#define IFACE_IFP_USERS_USER_NAME 
"name" +#define IFACE_IFP_USERS_USER_UIDNUMBER "uidNumber" +#define IFACE_IFP_USERS_USER_GIDNUMBER "gidNumber" +#define IFACE_IFP_USERS_USER_GECOS "gecos" +#define IFACE_IFP_USERS_USER_HOMEDIRECTORY "homeDirectory" +#define IFACE_IFP_USERS_USER_LOGINSHELL "loginShell" +#define IFACE_IFP_USERS_USER_UNIQUEID "uniqueID" +#define IFACE_IFP_USERS_USER_GROUPS "groups" +#define IFACE_IFP_USERS_USER_DOMAIN "domain" +#define IFACE_IFP_USERS_USER_DOMAINNAME "domainname" +#define IFACE_IFP_USERS_USER_EXTRAATTRIBUTES "extraAttributes" + +/* constants for org.freedesktop.sssd.infopipe.Groups */ +#define IFACE_IFP_GROUPS "org.freedesktop.sssd.infopipe.Groups" +#define IFACE_IFP_GROUPS_FINDBYNAME "FindByName" +#define IFACE_IFP_GROUPS_FINDBYID "FindByID" +#define IFACE_IFP_GROUPS_LISTBYNAME "ListByName" +#define IFACE_IFP_GROUPS_LISTBYDOMAINANDNAME "ListByDomainAndName" + +/* constants for org.freedesktop.sssd.infopipe.Groups.Group */ +#define IFACE_IFP_GROUPS_GROUP "org.freedesktop.sssd.infopipe.Groups.Group" +#define IFACE_IFP_GROUPS_GROUP_UPDATEMEMBERLIST "UpdateMemberList" +#define IFACE_IFP_GROUPS_GROUP_NAME "name" +#define IFACE_IFP_GROUPS_GROUP_GIDNUMBER "gidNumber" +#define IFACE_IFP_GROUPS_GROUP_UNIQUEID "uniqueID" +#define IFACE_IFP_GROUPS_GROUP_USERS "users" +#define IFACE_IFP_GROUPS_GROUP_GROUPS "groups" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. + * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). 
These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. + */ + +/* vtable for org.freedesktop.sssd.infopipe */ +struct iface_ifp { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*Ping)(struct sbus_request *req, void *data, const char *arg_ping); + int (*ListComponents)(struct sbus_request *req, void *data); + int (*ListResponders)(struct sbus_request *req, void *data); + int (*ListBackends)(struct sbus_request *req, void *data); + int (*FindMonitor)(struct sbus_request *req, void *data); + int (*FindResponderByName)(struct sbus_request *req, void *data, const char *arg_name); + int (*FindBackendByName)(struct sbus_request *req, void *data, const char *arg_name); + sbus_msg_handler_fn GetUserAttr; + int (*GetUserGroups)(struct sbus_request *req, void *data, const char *arg_user); + int (*FindDomainByName)(struct sbus_request *req, void *data, const char *arg_name); + int (*ListDomains)(struct sbus_request *req, void *data); +}; + +/* finish function for Ping */ +int iface_ifp_Ping_finish(struct sbus_request *req, const char *arg_pong); + +/* finish function for ListComponents */ +int iface_ifp_ListComponents_finish(struct sbus_request *req, const char *arg_components[], int len_components); + +/* finish function for ListResponders */ +int iface_ifp_ListResponders_finish(struct sbus_request *req, const char *arg_responders[], int len_responders); + +/* finish function for ListBackends */ +int iface_ifp_ListBackends_finish(struct sbus_request *req, const char *arg_backends[], int len_backends); + +/* finish function for FindMonitor */ +int iface_ifp_FindMonitor_finish(struct sbus_request *req, const char *arg_monitor); + +/* finish function for FindResponderByName */ +int iface_ifp_FindResponderByName_finish(struct sbus_request *req, const char *arg_responder); + +/* finish 
function for FindBackendByName */ +int iface_ifp_FindBackendByName_finish(struct sbus_request *req, const char *arg_backend); + +/* finish function for GetUserGroups */ +int iface_ifp_GetUserGroups_finish(struct sbus_request *req, const char *arg_values[], int len_values); + +/* finish function for FindDomainByName */ +int iface_ifp_FindDomainByName_finish(struct sbus_request *req, const char *arg_domain); + +/* finish function for ListDomains */ +int iface_ifp_ListDomains_finish(struct sbus_request *req, const char *arg_domain[], int len_domain); + +/* vtable for org.freedesktop.sssd.infopipe.Components */ +struct iface_ifp_components { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + void (*get_name)(struct sbus_request *, void *data, const char **); + void (*get_debug_level)(struct sbus_request *, void *data, uint32_t*); + void (*get_enabled)(struct sbus_request *, void *data, bool*); + void (*get_type)(struct sbus_request *, void *data, const char **); + void (*get_providers)(struct sbus_request *, void *data, const char ***, int *); +}; + +/* vtable for org.freedesktop.sssd.infopipe.Domains */ +struct iface_ifp_domains { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + void (*get_name)(struct sbus_request *, void *data, const char **); + void (*get_provider)(struct sbus_request *, void *data, const char **); + void (*get_primary_servers)(struct sbus_request *, void *data, const char ***, int *); + void (*get_backup_servers)(struct sbus_request *, void *data, const char ***, int *); + void (*get_min_id)(struct sbus_request *, void *data, uint32_t*); + void (*get_max_id)(struct sbus_request *, void *data, uint32_t*); + void (*get_realm)(struct sbus_request *, void *data, const char **); + void (*get_forest)(struct sbus_request *, void *data, const char **); + void (*get_login_format)(struct sbus_request *, void *data, const char **); + void (*get_fully_qualified_name_format)(struct sbus_request *, void *data, const char **); + void 
(*get_enumerable)(struct sbus_request *, void *data, bool*); + void (*get_use_fully_qualified_names)(struct sbus_request *, void *data, bool*); + void (*get_subdomain)(struct sbus_request *, void *data, bool*); + void (*get_parent_domain)(struct sbus_request *, void *data, const char **); +}; + +/* vtable for org.freedesktop.sssd.infopipe.Domains.Domain */ +struct iface_ifp_domains_domain { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*IsOnline)(struct sbus_request *req, void *data); + int (*ListServices)(struct sbus_request *req, void *data); + int (*ActiveServer)(struct sbus_request *req, void *data, const char *arg_service); + int (*ListServers)(struct sbus_request *req, void *data, const char *arg_service_name); + int (*RefreshAccessRules)(struct sbus_request *req, void *data); +}; + +/* finish function for IsOnline */ +int iface_ifp_domains_domain_IsOnline_finish(struct sbus_request *req, bool arg_status); + +/* finish function for ListServices */ +int iface_ifp_domains_domain_ListServices_finish(struct sbus_request *req, const char *arg_services[], int len_services); + +/* finish function for ActiveServer */ +int iface_ifp_domains_domain_ActiveServer_finish(struct sbus_request *req, const char *arg_server); + +/* finish function for ListServers */ +int iface_ifp_domains_domain_ListServers_finish(struct sbus_request *req, const char *arg_servers[], int len_servers); + +/* finish function for RefreshAccessRules */ +int iface_ifp_domains_domain_RefreshAccessRules_finish(struct sbus_request *req); + +/* vtable for org.freedesktop.sssd.infopipe.Cache */ +struct iface_ifp_cache { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*List)(struct sbus_request *req, void *data); + int (*ListByDomain)(struct sbus_request *req, void *data, const char *arg_domain_name); +}; + +/* finish function for List */ +int iface_ifp_cache_List_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* finish function for 
ListByDomain */ +int iface_ifp_cache_ListByDomain_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* vtable for org.freedesktop.sssd.infopipe.Cache.Object */ +struct iface_ifp_cache_object { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*Store)(struct sbus_request *req, void *data); + int (*Remove)(struct sbus_request *req, void *data); +}; + +/* finish function for Store */ +int iface_ifp_cache_object_Store_finish(struct sbus_request *req, bool arg_result); + +/* finish function for Remove */ +int iface_ifp_cache_object_Remove_finish(struct sbus_request *req, bool arg_result); + +/* vtable for org.freedesktop.sssd.infopipe.Users */ +struct iface_ifp_users { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*FindByName)(struct sbus_request *req, void *data, const char *arg_name); + int (*FindByID)(struct sbus_request *req, void *data, uint32_t arg_id); + int (*FindByCertificate)(struct sbus_request *req, void *data, const char *arg_pem_cert); + int (*ListByCertificate)(struct sbus_request *req, void *data, const char *arg_pem_cert, uint32_t arg_limit); + int (*FindByNameAndCertificate)(struct sbus_request *req, void *data, const char *arg_name, const char *arg_pem_cert); + int (*ListByName)(struct sbus_request *req, void *data, const char *arg_name_filter, uint32_t arg_limit); + int (*ListByDomainAndName)(struct sbus_request *req, void *data, const char *arg_domain_name, const char *arg_name_filter, uint32_t arg_limit); +}; + +/* finish function for FindByName */ +int iface_ifp_users_FindByName_finish(struct sbus_request *req, const char *arg_result); + +/* finish function for FindByID */ +int iface_ifp_users_FindByID_finish(struct sbus_request *req, const char *arg_result); + +/* finish function for FindByCertificate */ +int iface_ifp_users_FindByCertificate_finish(struct sbus_request *req, const char *arg_result); + +/* finish function for ListByCertificate */ +int 
iface_ifp_users_ListByCertificate_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* finish function for FindByNameAndCertificate */ +int iface_ifp_users_FindByNameAndCertificate_finish(struct sbus_request *req, const char *arg_result); + +/* finish function for ListByName */ +int iface_ifp_users_ListByName_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* finish function for ListByDomainAndName */ +int iface_ifp_users_ListByDomainAndName_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* vtable for org.freedesktop.sssd.infopipe.Users.User */ +struct iface_ifp_users_user { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*UpdateGroupsList)(struct sbus_request *req, void *data); + void (*get_name)(struct sbus_request *, void *data, const char **); + void (*get_uidNumber)(struct sbus_request *, void *data, uint32_t*); + void (*get_gidNumber)(struct sbus_request *, void *data, uint32_t*); + void (*get_gecos)(struct sbus_request *, void *data, const char **); + void (*get_homeDirectory)(struct sbus_request *, void *data, const char **); + void (*get_loginShell)(struct sbus_request *, void *data, const char **); + void (*get_uniqueID)(struct sbus_request *, void *data, const char **); + void (*get_groups)(struct sbus_request *, void *data, const char ***, int *); + void (*get_domain)(struct sbus_request *, void *data, const char **); + void (*get_domainname)(struct sbus_request *, void *data, const char **); + void (*get_extraAttributes)(struct sbus_request *, void *data, hash_table_t **); +}; + +/* finish function for UpdateGroupsList */ +int iface_ifp_users_user_UpdateGroupsList_finish(struct sbus_request *req); + +/* vtable for org.freedesktop.sssd.infopipe.Groups */ +struct iface_ifp_groups { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*FindByName)(struct sbus_request *req, void *data, const char *arg_name); + int (*FindByID)(struct 
sbus_request *req, void *data, uint32_t arg_id); + int (*ListByName)(struct sbus_request *req, void *data, const char *arg_name_filter, uint32_t arg_limit); + int (*ListByDomainAndName)(struct sbus_request *req, void *data, const char *arg_domain_name, const char *arg_name_filter, uint32_t arg_limit); +}; + +/* finish function for FindByName */ +int iface_ifp_groups_FindByName_finish(struct sbus_request *req, const char *arg_result); + +/* finish function for FindByID */ +int iface_ifp_groups_FindByID_finish(struct sbus_request *req, const char *arg_result); + +/* finish function for ListByName */ +int iface_ifp_groups_ListByName_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* finish function for ListByDomainAndName */ +int iface_ifp_groups_ListByDomainAndName_finish(struct sbus_request *req, const char *arg_result[], int len_result); + +/* vtable for org.freedesktop.sssd.infopipe.Groups.Group */ +struct iface_ifp_groups_group { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*UpdateMemberList)(struct sbus_request *req, void *data); + void (*get_name)(struct sbus_request *, void *data, const char **); + void (*get_gidNumber)(struct sbus_request *, void *data, uint32_t*); + void (*get_uniqueID)(struct sbus_request *, void *data, const char **); + void (*get_users)(struct sbus_request *, void *data, const char ***, int *); + void (*get_groups)(struct sbus_request *, void *data, const char ***, int *); +}; + +/* finish function for UpdateMemberList */ +int iface_ifp_groups_group_UpdateMemberList_finish(struct sbus_request *req); + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. 
+ */ + +/* interface info for org.freedesktop.sssd.infopipe */ +extern const struct sbus_interface_meta iface_ifp_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Components */ +extern const struct sbus_interface_meta iface_ifp_components_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Domains */ +extern const struct sbus_interface_meta iface_ifp_domains_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Domains.Domain */ +extern const struct sbus_interface_meta iface_ifp_domains_domain_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Cache */ +extern const struct sbus_interface_meta iface_ifp_cache_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Cache.Object */ +extern const struct sbus_interface_meta iface_ifp_cache_object_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Users */ +extern const struct sbus_interface_meta iface_ifp_users_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Users.User */ +extern const struct sbus_interface_meta iface_ifp_users_user_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Groups */ +extern const struct sbus_interface_meta iface_ifp_groups_meta; + +/* interface info for org.freedesktop.sssd.infopipe.Groups.Group */ +extern const struct sbus_interface_meta iface_ifp_groups_group_meta; + +#endif /* __IFP_IFACE_XML__ */ diff --git a/src/responder/ifp/ifp_iface_nodes.c b/src/responder/ifp/ifp_iface_nodes.c new file mode 100644 index 0000000..6342111 --- /dev/null +++ b/src/responder/ifp/ifp_iface_nodes.c 
@@ -0,0 +1,170 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "sbus/sssd_dbus.h" +#include "responder/ifp/ifp_iface_generated.h" +#include "responder/ifp/ifp_users.h" +#include "responder/ifp/ifp_groups.h" +#include "responder/ifp/ifp_cache.h" +#include "responder/ifp/ifp_domains.h" + +static const char ** +nodes_ifp(TALLOC_CTX *mem_ctx, const char *path, void *data) +{ + static const char *nodes[] = {"Users", "Groups", "Domains", NULL}; + + return nodes; +} + +static const char ** +nodes_cached_objects(TALLOC_CTX *mem_ctx, + void *data, + enum ifp_cache_type type, + const char *prefix) +{ + TALLOC_CTX *tmp_ctx; + struct ifp_ctx *ifp_ctx; + const char **paths; + const char **nodes; + const char *node; + int num_paths; + errno_t ret; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return NULL; + } + + ifp_ctx = talloc_get_type(data, struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + goto fail; + } + + ret = ifp_cache_list_domains(tmp_ctx, ifp_ctx->rctx->domains, + type, &paths, &num_paths); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain cache objects list " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto fail; + } + + nodes = talloc_zero_array(tmp_ctx, const char *, num_paths + 1); + if (nodes == NULL) 
{ + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + goto fail; + } + + for (i = 0; i < num_paths; i++) { + node = sbus_opath_strip_prefix(paths[i], prefix); + nodes[i] = talloc_strdup(nodes, node); + if (nodes[i] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + goto fail; + } + } + + talloc_steal(mem_ctx, nodes); + talloc_free(tmp_ctx); + + return nodes; + +fail: + talloc_free(tmp_ctx); + return NULL; +} + +static const char ** +nodes_users(TALLOC_CTX *mem_ctx, const char *path, void *data) +{ + return nodes_cached_objects(mem_ctx, data, IFP_CACHE_USER, + IFP_PATH_USERS "/"); +} + +static const char ** +nodes_groups(TALLOC_CTX *mem_ctx, const char *path, void *data) +{ + return nodes_cached_objects(mem_ctx, data, IFP_CACHE_GROUP, + IFP_PATH_GROUPS "/"); +} + +static const char ** +nodes_domains(TALLOC_CTX *mem_ctx, const char *path, void *data) +{ + struct ifp_ctx *ctx; + struct sss_domain_info *domain; + const char **nodes; + size_t count; + + ctx = talloc_get_type(data, struct ifp_ctx); + + count = 0; + domain = ctx->rctx->domains; + do { + count++; + } while ((domain = get_next_domain(domain, SSS_GND_ALL_DOMAINS)) != NULL); + + nodes = talloc_zero_array(mem_ctx, const char *, count + 1); + if (nodes == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + return NULL; + } + + count = 0; + domain = ctx->rctx->domains; + do { + nodes[count] = sbus_opath_escape_part(nodes, domain->name); + if (nodes == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sbus_opath_escape_part() failed\n"); + talloc_free(nodes); + return NULL; + } + + count++; + } while ((domain = get_next_domain(domain, SSS_GND_ALL_DOMAINS)) != NULL); + + + return nodes; +} + +struct nodes_map { + const char *path; + sbus_nodes_fn fn; +}; + +static struct nodes_map nodes_map[] = { + { IFP_PATH, nodes_ifp }, + { IFP_PATH_USERS, nodes_users }, + { IFP_PATH_GROUPS, nodes_groups }, + { IFP_PATH_DOMAINS, nodes_domains }, + { NULL, NULL} +}; + +void 
ifp_register_nodes(struct ifp_ctx *ctx, struct sbus_connection *conn)
+{
+ int i;
+
+ for (i = 0; nodes_map[i].path != NULL; i++) {
+ sbus_conn_register_nodes(conn, nodes_map[i].path,
+ nodes_map[i].fn, ctx);
+ }
+}
diff --git a/src/responder/ifp/ifp_private.h b/src/responder/ifp/ifp_private.h
new file mode 100644
index 0000000..b406e7f
--- /dev/null
+++ b/src/responder/ifp/ifp_private.h
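Review bot: In nodes_domains the failure check in the second loop tests the wrong pointer: after `nodes[count] = sbus_opath_escape_part(nodes, domain->name);` the code checks `if (nodes == NULL)`, which was already ruled out right after talloc_zero_array(), so a failed escape is never detected. Because the array is zero-filled and NULL-terminated, the NULL entry would then read as the end of the list and the remaining domains would be dropped without any log message; the check should be `if (nodes[count] == NULL) {`. The same function also dereferences the result of `talloc_get_type(data, struct ifp_ctx)` without the NULL check that nodes_cached_objects performs, and both do/while loops read `domain->name` or advance from `ctx->rctx->domains` before testing it, so `if (ctx == NULL || ctx->rctx->domains == NULL) { return NULL; }` ahead of the first loop would make the two listing functions consistent.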
@@ -0,0 +1,117 @@
+/*
+ Authors:
+ Jakub Hrozek
+ Stephen Gallagher
+
+ Copyright (C) 2013 Red Hat
+
+ InfoPipe responder: A private header
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _IFPSRV_PRIVATE_H_
+#define _IFPSRV_PRIVATE_H_
+
+#include "responder/common/responder.h"
+#include "responder/common/negcache.h"
+#include "providers/data_provider.h"
+#include "responder/ifp/ifp_iface.h"
+
+struct sysbus_ctx {
+ struct sbus_connection *conn;
+ char *introspect_xml;
+};
+
+struct ifp_ctx {
+ struct resp_ctx *rctx;
+ struct sss_names_ctx *snctx;
+
+ struct sysbus_ctx *sysbus;
+ const char **user_whitelist;
+ uint32_t wildcard_limit;
+};
+
+errno_t ifp_register_sbus_interface(struct sbus_connection *conn,
+ void *handler_data);
+
+void ifp_register_nodes(struct ifp_ctx *ctx, struct sbus_connection *conn);
+
+int ifp_ping(struct sbus_request *dbus_req, void *data, const char *ping);
+
+int ifp_user_get_attr(struct sbus_request *dbus_req, void *data);
+
+int ifp_user_get_groups(struct sbus_request *req,
+ void *data, const char *arg_user);
+
+/* == Utility functions == */
+struct ifp_req {
+ struct sbus_request *dbus_req;
+ struct ifp_ctx *ifp_ctx;
+};
+
+errno_t ifp_req_create(struct sbus_request *dbus_req,
+ struct ifp_ctx *ifp_ctx,
+ struct ifp_req **_ifp_req);
+
+/* Returns an appropriate DBus error for specific ifp_req_create failures */
+int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err);
+
+errno_t ifp_add_value_to_dict(DBusMessageIter *iter_dict,
+ const char *key,
+ const char *value);
+
+errno_t ifp_add_ldb_el_to_dict(DBusMessageIter *iter_dict,
+ struct ldb_message_element *el);
+const char **
+ifp_parse_user_attr_list(TALLOC_CTX *mem_ctx, const char *conf_str);
+
+const char **
+ifp_get_user_extra_attributes(TALLOC_CTX *mem_ctx, struct ifp_ctx *ifp_ctx);
+
+bool ifp_attr_allowed(const char *whitelist[], const char *attr);
+bool ifp_is_user_attr_allowed(struct ifp_ctx *ifp_ctx, const char *attr);
+
+/* Used for list calls */
+struct ifp_list_ctx {
+ struct sbus_request *sbus_req;
+ const char *filter;
+ uint32_t limit;
+
+ struct sss_domain_info *dom;
+ struct ifp_ctx *ctx;
+
+ const char **paths;
+ size_t paths_max;
+ size_t path_count;
+};
+
+struct ifp_list_ctx *ifp_list_ctx_new(struct sbus_request *sbus_req,
+ struct ifp_ctx *ctx,
+ const char *filter,
+ uint32_t limit);
+
+errno_t ifp_list_ctx_remaining_capacity(struct ifp_list_ctx *list_ctx,
+ size_t entries,
+ size_t *_capacity);
+
+errno_t ifp_ldb_el_output_name(struct resp_ctx *rctx,
+ struct ldb_message *msg,
+ const char *el_name,
+ struct sss_domain_info *dom);
+
+char *ifp_format_name_attr(TALLOC_CTX *mem_ctx, struct ifp_ctx *ifp_ctx,
+ const char *in_name, struct sss_domain_info *dom);
+
+#endif /* _IFPSRV_PRIVATE_H_ */
diff --git a/src/responder/ifp/ifp_users.c b/src/responder/ifp/ifp_users.c
new file mode 100644
index 0000000..f66587b
--- /dev/null
+++ b/src/responder/ifp/ifp_users.c
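Review bot: `struct ifp_ctx` declares `user_whitelist` and `wildcard_limit` with no comment on what an unset value means, and from their names these appear to be the fields that bound which attributes a bus client may read and how many entries a list call may return. This header does not let a reader tell whether a NULL `user_whitelist` makes `ifp_is_user_attr_allowed()` permit everything or nothing, or whether `wildcard_limit == 0` means unlimited; each field should carry a one-line comment that states it, for example `/* attributes clients may request; NULL means <state the behaviour> */`. `ifp_attr_allowed()` takes `const char *whitelist[]` without a length, so the expected terminator belongs in a comment on that prototype as well.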
@@ -0,0 +1,1559 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "util/strtonum.h" +#include "util/cert.h" +#include "sbus/sssd_dbus_errors.h" +#include "responder/common/responder.h" +#include "responder/common/cache_req/cache_req.h" +#include "responder/ifp/ifp_users.h" +#include "responder/ifp/ifp_groups.h" +#include "responder/ifp/ifp_cache.h" + +char * ifp_users_build_path_from_msg(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg) +{ + const char *key = NULL; + + switch (domain->type) { + case DOM_TYPE_APPLICATION: + key = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + break; + case DOM_TYPE_POSIX: + key = ldb_msg_find_attr_as_string(msg, SYSDB_UIDNUM, NULL); + break; + } + + + if (key == NULL) { + return NULL; + } + + return sbus_opath_compose(mem_ctx, IFP_PATH_USERS, domain->name, key); +} + +static errno_t ifp_users_decompose_path(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + const char *path, + struct sss_domain_info **_domain, + char **_key) +{ + char **parts = NULL; + struct sss_domain_info *domain; + errno_t ret; + + ret = sbus_opath_decompose_exact(NULL, path, IFP_PATH_USERS, 2, &parts); + if (ret != EOK) { + return ret; + } + + domain = find_domain_by_name(domains, parts[0], false); + if (domain == 
NULL) { + ret = ERR_DOMAIN_NOT_FOUND; + goto done; + } + + *_domain = domain; + *_key = talloc_steal(mem_ctx, parts[1]); + +done: + talloc_free(parts); + return ret; +} + +static void ifp_users_find_by_name_done(struct tevent_req *req); + +int ifp_users_find_by_name(struct sbus_request *sbus_req, + void *data, + const char *name) +{ + struct ifp_ctx *ctx; + struct tevent_req *req; + + ctx = talloc_get_type(data, struct ifp_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return ERR_INTERNAL; + } + + req = cache_req_user_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx, + ctx->rctx->ncache, 0, + CACHE_REQ_ANY_DOM, + NULL, name); + if (req == NULL) { + return ENOMEM; + } + + tevent_req_set_callback(req, ifp_users_find_by_name_done, sbus_req); + + return EOK; +} + +static void +ifp_users_find_by_name_done(struct tevent_req *req) +{ + DBusError *error; + struct sbus_request *sbus_req; + struct cache_req_result *result; + char *object_path; + errno_t ret; + + sbus_req = tevent_req_callback_data(req, struct sbus_request); + + ret = cache_req_user_by_name_recv(sbus_req, req, &result); + talloc_zfree(req); + if (ret == ENOENT) { + error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND, + "User not found"); + goto done; + } else if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "user [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + object_path = ifp_users_build_path_from_msg(sbus_req, result->domain, + result->msgs[0]); + if (object_path == NULL) { + error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL, + "Failed to compose object path"); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + iface_ifp_users_FindByName_finish(sbus_req, object_path); + return; +} + +static void ifp_users_find_by_id_done(struct tevent_req *req); + +int ifp_users_find_by_id(struct sbus_request *sbus_req, + void *data, + uint32_t id) +{ + 
struct ifp_ctx *ctx;
+ struct tevent_req *req;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ req = cache_req_user_by_id_send(sbus_req, ctx->rctx->ev, ctx->rctx,
+ ctx->rctx->ncache, 0, NULL, id);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, ifp_users_find_by_id_done, sbus_req);
+
+ return EOK;
+}
+
+static void
+ifp_users_find_by_id_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result;
+ char *object_path;
+ errno_t ret;
+
+ sbus_req = tevent_req_callback_data(req, struct sbus_request);
+
+ ret = cache_req_user_by_id_recv(sbus_req, req, &result);
+ talloc_zfree(req);
+ if (ret == ENOENT) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "User not found");
+ goto done;
+ } else if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
+ "user [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ object_path = ifp_users_build_path_from_msg(sbus_req, result->domain,
+ result->msgs[0]);
+ if (object_path == NULL) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to compose object path");
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ iface_ifp_users_FindByID_finish(sbus_req, object_path);
+ return;
+}
+
+static void ifp_users_find_by_cert_done(struct tevent_req *req);
+
+int ifp_users_find_by_cert(struct sbus_request *sbus_req, void *data,
+ const char *pem_cert)
+{
+ struct ifp_ctx *ctx;
+ struct tevent_req *req;
+ int ret;
+ char *derb64;
+ DBusError *error;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ ret = sss_cert_pem_to_derb64(sbus_req, pem_cert, &derb64);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_cert_pem_to_derb64 
failed.\n");
+
+ if (ret == ENOMEM) {
+ return ret;
+ }
+
+ error = sbus_error_new(sbus_req, DBUS_ERROR_INVALID_ARGS,
+ "Invalid certificate format");
+ sbus_request_fail_and_finish(sbus_req, error);
+ /* the connection is already terminated with an error message, hence
+ * we have to return EOK to not terminate the connection twice. */
+ return EOK;
+ }
+
+ req = cache_req_user_by_cert_send(sbus_req, ctx->rctx->ev, ctx->rctx,
+ ctx->rctx->ncache, 0,
+ CACHE_REQ_ANY_DOM, NULL,
+ derb64);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, ifp_users_find_by_cert_done, sbus_req);
+
+ return EOK;
+}
+
+#define SBUS_ERROR_MORE_THAN_ONE "org.freedesktop.sssd.Error.MoreThanOne"
+
+static void ifp_users_find_by_cert_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result;
+ char *object_path;
+ errno_t ret;
+
+ sbus_req = tevent_req_callback_data(req, struct sbus_request);
+
+ ret = cache_req_user_by_cert_recv(sbus_req, req, &result);
+ talloc_zfree(req);
+ if (ret == ENOENT) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "User not found");
+ goto done;
+ } else if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
+ "user [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (result->count > 1) {
+ ret = EINVAL;
+ error = sbus_error_new(sbus_req, SBUS_ERROR_MORE_THAN_ONE,
+ "More than one user found. 
"
+ "Use ListByCertificate to get all.");
+ goto done;
+ }
+
+ object_path = ifp_users_build_path_from_msg(sbus_req, result->domain,
+ result->msgs[0]);
+ if (object_path == NULL) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to compose object path");
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ iface_ifp_users_FindByCertificate_finish(sbus_req, object_path);
+ return;
+}
+
+static int ifp_users_list_by_cert_step(struct ifp_list_ctx *list_ctx);
+static void ifp_users_list_by_cert_done(struct tevent_req *req);
+static void ifp_users_list_by_name_reply(struct ifp_list_ctx *list_ctx);
+static int ifp_users_list_copy(struct ifp_list_ctx *list_ctx,
+ struct ldb_result *result);
+
+int ifp_users_list_by_cert(struct sbus_request *sbus_req, void *data,
+ const char *pem_cert, uint32_t limit)
+{
+ struct ifp_ctx *ctx;
+ struct ifp_list_ctx *list_ctx;
+ char *derb64;
+ int ret;
+ DBusError *error;
+
+ ret = sss_cert_pem_to_derb64(sbus_req, pem_cert, &derb64);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_cert_pem_to_derb64 failed.\n");
+
+ if (ret == ENOMEM) {
+ return ret;
+ }
+
+ error = sbus_error_new(sbus_req, DBUS_ERROR_INVALID_ARGS,
+ "Invalid certificate format");
+ sbus_request_fail_and_finish(sbus_req, error);
+ /* the connection is already terminated with an error message, hence
+ * we have to return EOK to not terminate the connection twice. 
*/
+ return EOK;
+ }
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ list_ctx = ifp_list_ctx_new(sbus_req, ctx, derb64, limit);
+ if (list_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ return ifp_users_list_by_cert_step(list_ctx);
+}
+
+static int ifp_users_list_by_cert_step(struct ifp_list_ctx *list_ctx)
+{
+ struct tevent_req *req;
+
+ req = cache_req_user_by_cert_send(list_ctx,
+ list_ctx->ctx->rctx->ev,
+ list_ctx->ctx->rctx,
+ list_ctx->ctx->rctx->ncache,
+ 0,
+ CACHE_REQ_ANY_DOM,
+ list_ctx->dom->name,
+ list_ctx->filter);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, ifp_users_list_by_cert_done, list_ctx);
+
+ return EOK;
+}
+
+static void ifp_users_list_by_cert_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct ifp_list_ctx *list_ctx;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result;
+ errno_t ret;
+
+ list_ctx = tevent_req_callback_data(req, struct ifp_list_ctx);
+ sbus_req = list_ctx->sbus_req;
+
+ ret = cache_req_user_by_cert_recv(sbus_req, req, &result);
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED,
+ "Failed to fetch user [%d]: %s\n",
+ ret, sss_strerror(ret));
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ if (ret == EOK) {
+ ret = ifp_users_list_copy(list_ctx, result->ldb_result);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to copy domain result");
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+ }
+
+ list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND);
+ if (list_ctx->dom == NULL) {
+ return ifp_users_list_by_name_reply(list_ctx);
+ }
+
+ ret = ifp_users_list_by_cert_step(list_ctx);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to start next-domain search");
+ sbus_request_fail_and_finish(sbus_req, 
error);
+ return;
+ }
+
+ return;
+}
+
+static int ifp_users_list_copy(struct ifp_list_ctx *list_ctx,
+ struct ldb_result *result)
+{
+ size_t copy_count, i;
+ errno_t ret;
+
+ ret = ifp_list_ctx_remaining_capacity(list_ctx, result->count, ©_count);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ for (i = 0; i < copy_count; i++) {
+ list_ctx->paths[list_ctx->path_count + i] = \
+ ifp_users_build_path_from_msg(list_ctx->paths,
+ list_ctx->dom,
+ result->msgs[i]);
+ if (list_ctx->paths[list_ctx->path_count + i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ list_ctx->path_count += copy_count;
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+struct name_and_cert_ctx {
+ const char *name;
+ char *derb64;
+ struct sbus_request *sbus_req;
+ char *user_opath;
+ struct ifp_list_ctx *list_ctx;
+};
+
+static void ifp_users_find_by_name_and_cert_name_done(struct tevent_req *req);
+static int ifp_users_find_by_name_and_cert_step(
+ struct name_and_cert_ctx *name_and_cert_ctx);
+static void ifp_users_find_by_name_and_cert_done(struct tevent_req *req);
+static void ifp_users_find_by_name_and_cert_reply(
+ struct name_and_cert_ctx *name_and_cert_ctx);
+
+int ifp_users_find_by_name_and_cert(struct sbus_request *sbus_req, void *data,
+ const char *name, const char *pem_cert)
+{
+ struct ifp_ctx *ctx;
+ struct tevent_req *req;
+ int ret;
+ struct name_and_cert_ctx *name_and_cert_ctx = NULL;
+ DBusError *error;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ if ((name == NULL || *name == '\0')
+ && (pem_cert == NULL || *pem_cert == '\0')) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_INVALID_ARGS,
+ "Missing input");
+ sbus_request_fail_and_finish(sbus_req, error);
+ /* the connection is already terminated with an error message, hence
+ * we have to return EOK to not terminate the connection twice. 
*/
+ return EOK;
+ }
+
+ name_and_cert_ctx = talloc_zero(sbus_req, struct name_and_cert_ctx);
+ if (name_and_cert_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n");
+ return ENOMEM;
+ }
+
+ name_and_cert_ctx->sbus_req = sbus_req;
+
+ if (name != NULL && *name != '\0') {
+ name_and_cert_ctx->name = talloc_strdup(name_and_cert_ctx, name);
+ if (name_and_cert_ctx->name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ return ENOMEM;
+ }
+ }
+
+ if (pem_cert != NULL && *pem_cert != '\0') {
+ ret = sss_cert_pem_to_derb64(name_and_cert_ctx, pem_cert,
+ &(name_and_cert_ctx->derb64));
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_cert_pem_to_derb64 failed.\n");
+
+ if (ret == ENOMEM) {
+ return ret;
+ }
+
+ error = sbus_error_new(sbus_req, DBUS_ERROR_INVALID_ARGS,
+ "Invalid certificate format");
+ sbus_request_fail_and_finish(sbus_req, error);
+ /* the connection is already terminated with an error message, hence
+ * we have to return EOK to not terminate the connection twice. */
+ return EOK;
+ }
+
+ /* FIXME: if unlimted searches with limit=0 will work please replace
+ * 100 with 0. 
*/
+ name_and_cert_ctx->list_ctx = ifp_list_ctx_new(sbus_req, ctx,
+ name_and_cert_ctx->derb64,
+ 100);
+ if (name_and_cert_ctx->list_ctx == NULL) {
+ return ENOMEM;
+ }
+ }
+
+ if (name_and_cert_ctx->name != NULL) {
+ req = cache_req_user_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx,
+ ctx->rctx->ncache, 0,
+ CACHE_REQ_ANY_DOM,
+ NULL,
+ name_and_cert_ctx->name);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, ifp_users_find_by_name_and_cert_name_done,
+ name_and_cert_ctx);
+ } else {
+ ret = ifp_users_find_by_name_and_cert_step(name_and_cert_ctx);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
+static void ifp_users_find_by_name_and_cert_name_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct name_and_cert_ctx *name_and_cert_ctx = NULL;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result;
+ errno_t ret;
+
+ name_and_cert_ctx = tevent_req_callback_data(req, struct name_and_cert_ctx);
+ sbus_req = name_and_cert_ctx->sbus_req;
+
+ ret = cache_req_user_by_name_recv(name_and_cert_ctx, req, &result);
+ talloc_zfree(req);
+ if (ret == ENOENT) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "User not found");
+ goto fail;
+ } else if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED,
+ "Failed to fetch user [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ name_and_cert_ctx->user_opath = ifp_users_build_path_from_msg(
+ name_and_cert_ctx,
+ result->domain,
+ result->msgs[0]);
+ if (name_and_cert_ctx->user_opath == NULL) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to compose object path");
+ goto fail;
+ }
+
+ if (name_and_cert_ctx->list_ctx != NULL) {
+ ret = ifp_users_find_by_name_and_cert_step(name_and_cert_ctx);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED,
+ "Failed to fetch certificate [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+ } else {
+ 
ifp_users_find_by_name_and_cert_reply(name_and_cert_ctx);
+ }
+
+ return;
+
+fail:
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+}
+
+static int ifp_users_find_by_name_and_cert_step(
+ struct name_and_cert_ctx *name_and_cert_ctx)
+{
+ struct tevent_req *req;
+ struct ifp_list_ctx *list_ctx = name_and_cert_ctx->list_ctx;
+
+ req = cache_req_user_by_cert_send(list_ctx,
+ list_ctx->ctx->rctx->ev,
+ list_ctx->ctx->rctx,
+ list_ctx->ctx->rctx->ncache,
+ 0,
+ CACHE_REQ_ANY_DOM,
+ list_ctx->dom->name,
+ list_ctx->filter);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, ifp_users_find_by_name_and_cert_done,
+ name_and_cert_ctx);
+
+ return EOK;
+}
+
+static void ifp_users_find_by_name_and_cert_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct name_and_cert_ctx *name_and_cert_ctx;
+ struct ifp_list_ctx *list_ctx;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result;
+ errno_t ret;
+
+ name_and_cert_ctx = tevent_req_callback_data(req, struct name_and_cert_ctx);
+ list_ctx = name_and_cert_ctx->list_ctx;
+ sbus_req = list_ctx->sbus_req;
+
+ ret = cache_req_user_by_cert_recv(name_and_cert_ctx, req, &result);
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED,
+ "Failed to fetch user [%d]: %s\n",
+ ret, sss_strerror(ret));
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ if (ret == EOK) {
+ ret = ifp_users_list_copy(list_ctx, result->ldb_result);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to copy domain result");
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+ }
+
+ list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND);
+ if (list_ctx->dom == NULL) {
+ return ifp_users_find_by_name_and_cert_reply(name_and_cert_ctx);
+ }
+
+ ret = ifp_users_find_by_name_and_cert_step(name_and_cert_ctx);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ 
"Failed to start next-domain search");
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+ return;
+}
+
+static void ifp_users_find_by_name_and_cert_reply(
+ struct name_and_cert_ctx *name_and_cert_ctx)
+{
+ struct sbus_request *sbus_req = name_and_cert_ctx->sbus_req;
+ struct ifp_list_ctx *list_ctx = name_and_cert_ctx->list_ctx;
+ DBusError *error;
+ size_t c;
+
+ /* If no name was given check if there is only one user mapped to the
+ * certificate and return its object path. Either no or more than one
+ * mapped users are errors in this case.
+ * The case where a given name could not be found is already handled in
+ * ifp_users_find_by_name_and_cert_name_done(). */
+ if (name_and_cert_ctx->user_opath == NULL) {
+ if (list_ctx == NULL || list_ctx->path_count == 0) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "User not found");
+ sbus_request_fail_and_finish(sbus_req, error);
+ } else if (list_ctx->path_count == 1) {
+ iface_ifp_users_FindByNameAndCertificate_finish(sbus_req,
+ list_ctx->paths[0]);
+ } else {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_MORE_THAN_ONE,
+ "More than one user found. "
+ "Use ListByCertificate to get all.");
+ sbus_request_fail_and_finish(sbus_req, error);
+ }
+ return;
+ }
+
+ /* If there was no certficate given just return the object path of the
+ * user found by name. If a certificate was given an no mapped user was
+ * found return an error. */
+ if (list_ctx == NULL || list_ctx->path_count == 0) {
+ if (name_and_cert_ctx->derb64 == NULL) {
+ iface_ifp_users_FindByNameAndCertificate_finish(sbus_req,
+ name_and_cert_ctx->user_opath);
+ } else {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "No user matching name and certificate "
+ "found");
+ sbus_request_fail_and_finish(sbus_req, error);
+ }
+ return;
+ }
+
+ /* Check if the user found by name is one of the users mapped to the
+ * certificate. 
*/
+ for (c = 0; c < list_ctx->path_count; c++) {
+ if (strcmp(name_and_cert_ctx->user_opath, list_ctx->paths[c]) == 0) {
+ iface_ifp_users_FindByNameAndCertificate_finish(sbus_req,
+ name_and_cert_ctx->user_opath);
+ return;
+ }
+ }
+
+ /* A user was found by name but the certificate is mapped to one or more
+ * different users. */
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "No user matching name and certificate found");
+ sbus_request_fail_and_finish(sbus_req, error);
+
+ /* name_and_cert_ctx is already freed because sbus_req (the parent) is
+ * already freed by the DBus finish calls */
+ return;
+}
+
+static int ifp_users_list_by_name_step(struct ifp_list_ctx *list_ctx);
+static void ifp_users_list_by_name_done(struct tevent_req *req);
+static void ifp_users_list_by_name_reply(struct ifp_list_ctx *list_ctx);
+
+int ifp_users_list_by_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *filter,
+ uint32_t limit)
+{
+ struct ifp_ctx *ctx;
+ struct ifp_list_ctx *list_ctx;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ list_ctx = ifp_list_ctx_new(sbus_req, ctx, filter, limit);
+ if (list_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ return ifp_users_list_by_name_step(list_ctx);
+}
+
+static int ifp_users_list_by_name_step(struct ifp_list_ctx *list_ctx)
+{
+ struct tevent_req *req;
+
+ req = cache_req_user_by_filter_send(list_ctx,
+ list_ctx->ctx->rctx->ev,
+ list_ctx->ctx->rctx,
+ CACHE_REQ_ANY_DOM,
+ list_ctx->dom->name,
+ list_ctx->filter);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(req,
+ ifp_users_list_by_name_done, list_ctx);
+
+ return EOK;
+}
+
+static void ifp_users_list_by_name_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct ifp_list_ctx *list_ctx;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result = NULL;
+ errno_t ret;
+
+ list_ctx = tevent_req_callback_data(req, struct 
ifp_list_ctx);
+ sbus_req = list_ctx->sbus_req;
+
+ ret = cache_req_user_by_name_recv(sbus_req, req, &result);
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
+ "users by filter [%d]: %s\n", ret, sss_strerror(ret));
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ if (ret == EOK) {
+ ret = ifp_users_list_copy(list_ctx, result->ldb_result);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to copy domain result");
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+ }
+
+ list_ctx->dom = get_next_domain(list_ctx->dom, SSS_GND_DESCEND);
+ if (list_ctx->dom == NULL) {
+ return ifp_users_list_by_name_reply(list_ctx);
+ }
+
+ ret = ifp_users_list_by_name_step(list_ctx);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to start next-domain search");
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+}
+
+static void ifp_users_list_by_name_reply(struct ifp_list_ctx *list_ctx)
+{
+ iface_ifp_users_ListByName_finish(list_ctx->sbus_req,
+ list_ctx->paths,
+ list_ctx->path_count);
+}
+
+static void ifp_users_list_by_domain_and_name_done(struct tevent_req *req);
+
+int ifp_users_list_by_domain_and_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *domain,
+ const char *filter,
+ uint32_t limit)
+{
+ struct tevent_req *req;
+ struct ifp_ctx *ctx;
+ struct ifp_list_ctx *list_ctx;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ list_ctx = ifp_list_ctx_new(sbus_req, ctx, filter, limit);
+ if (list_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ req = cache_req_user_by_filter_send(list_ctx, ctx->rctx->ev, ctx->rctx,
+ CACHE_REQ_ANY_DOM,
+ domain, filter);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(req,
+ ifp_users_list_by_domain_and_name_done, list_ctx); 
+
+ return EOK;
+}
+
+static void ifp_users_list_by_domain_and_name_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct ifp_list_ctx *list_ctx;
+ struct sbus_request *sbus_req;
+ struct cache_req_result *result;
+ errno_t ret;
+ size_t copy_count, i;
+
+ list_ctx = tevent_req_callback_data(req, struct ifp_list_ctx);
+ sbus_req = list_ctx->sbus_req;
+
+ ret = cache_req_user_by_name_recv(sbus_req, req, &result);
+ talloc_zfree(req);
+ if (ret == ENOENT) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "User not found by filter");
+ goto done;
+ } else if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
+ "users by filter [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = ifp_list_ctx_remaining_capacity(list_ctx, result->count, ©_count);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to get the list remaining capacity\n");
+ goto done;
+ }
+
+ for (i = 0; i < copy_count; i++) {
+ list_ctx->paths[i] = ifp_users_build_path_from_msg(list_ctx->paths,
+ list_ctx->dom,
+ result->msgs[i]);
+ if (list_ctx->paths[i] == NULL) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_INTERNAL,
+ "Failed to compose object path");
+ goto done;
+ }
+ }
+
+ list_ctx->path_count += copy_count;
+
+done:
+ if (ret != EOK) {
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ iface_ifp_users_ListByDomainAndName_finish(sbus_req,
+ list_ctx->paths,
+ list_ctx->path_count);
+ return;
+}
+
+static errno_t
+ifp_users_get_from_cache(struct sbus_request *sbus_req,
+ struct sss_domain_info *domain,
+ const char *key,
+ struct ldb_message **_user)
+{
+ struct ldb_result *user_res;
+ errno_t ret;
+ uid_t uid;
+
+ switch (domain->type) {
+ case DOM_TYPE_POSIX:
+ uid = strtouint32(key, NULL, 10);
+ ret = errno;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid UID value\n");
+ return ret;
+ }
+
+ ret = sysdb_getpwuid_with_views(sbus_req, domain, uid, &user_res);
+ if (ret == 
EOK && user_res->count == 0) {
+ *_user = NULL;
+ return ENOENT;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user %u@%s [%d]: %s\n",
+ uid, domain->name, ret, sss_strerror(ret));
+ return ret;
+ }
+ break;
+ case DOM_TYPE_APPLICATION:
+ ret = sysdb_getpwnam_with_views(sbus_req, domain, key, &user_res);
+ if (ret == EOK && user_res->count == 0) {
+ *_user = NULL;
+ return ENOENT;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user %s@%s [%d]: %s\n",
+ key, domain->name, ret, sss_strerror(ret));
+ return ret;
+ }
+ break;
+ }
+
+ if (user_res->count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "More users matched by the single key\n");
+ return EIO;
+ }
+
+ *_user = user_res->msgs[0];
+ return EOK;
+}
+
+static errno_t
+ifp_users_user_get(struct sbus_request *sbus_req,
+ struct ifp_ctx *ifp_ctx,
+ struct sss_domain_info **_domain,
+ struct ldb_message **_user)
+{
+ struct sss_domain_info *domain;
+ char *key;
+ errno_t ret;
+
+ ret = ifp_users_decompose_path(sbus_req,
+ ifp_ctx->rctx->domains, sbus_req->path,
+ &domain, &key);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to decompose object path"
+ "[%s] [%d]: %s\n", sbus_req->path, ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (_user != NULL) {
+ ret = ifp_users_get_from_cache(sbus_req, domain, key, _user);
+ }
+
+ if (ret == EOK || ret == ENOENT) {
+ if (_domain != NULL) {
+ *_domain = domain;
+ }
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve user from cache\n");
+ }
+
+ return ret;
+}
+
+static void ifp_users_get_as_string(struct sbus_request *sbus_req,
+ void *data,
+ const char *attr,
+ const char **_out)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct ldb_message *msg;
+ struct sss_domain_info *domain;
+ errno_t ret;
+
+ *_out = NULL;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return;
+ }
+
+ if (!ifp_is_user_attr_allowed(ifp_ctx, attr)) {
+ 
DEBUG(SSSDBG_TRACE_ALL, "Attribute %s is not allowed\n", attr);
+ return;
+ }
+
+ ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &msg);
+ if (ret != EOK) {
+ return;
+ }
+
+ *_out = sss_view_ldb_msg_find_attr_as_string(domain, msg, attr, NULL);
+
+ return;
+}
+
+static void ifp_users_get_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *attr,
+ const char **_out)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct ldb_message *msg;
+ struct sss_domain_info *domain;
+ const char *in_name;
+ errno_t ret;
+
+ *_out = NULL;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return;
+ }
+
+ if (!ifp_is_user_attr_allowed(ifp_ctx, attr)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Attribute %s is not allowed\n", attr);
+ return;
+ }
+
+ ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &msg);
+ if (ret != EOK) {
+ return;
+ }
+
+ in_name = sss_view_ldb_msg_find_attr_as_string(domain, msg, attr, NULL);
+ if (in_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "No name?\n");
+ return;
+ }
+
+ *_out = ifp_format_name_attr(sbus_req, ifp_ctx, in_name, domain);
+ return;
+}
+
+static void ifp_users_get_as_uint32(struct sbus_request *sbus_req,
+ void *data,
+ const char *attr,
+ uint32_t *_out)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct ldb_message *msg;
+ struct sss_domain_info *domain;
+ errno_t ret;
+
+ *_out = 0;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return;
+ }
+
+ if (!ifp_is_user_attr_allowed(ifp_ctx, attr)) {
+ DEBUG(SSSDBG_TRACE_ALL, "Attribute %s is not allowed\n", attr);
+ return;
+ }
+
+ ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &msg);
+ if (ret != EOK) {
+ return;
+ }
+
+ *_out = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, attr, 0);
+
+ return;
+}
+
+static void ifp_users_user_update_groups_list_done(struct tevent_req *req);
+
+int ifp_users_user_update_groups_list(struct sbus_request 
*sbus_req,
+ void *data)
+{
+ struct tevent_req *req;
+ struct ifp_ctx *ctx;
+ struct sss_domain_info *domain;
+ const char *username;
+ struct ldb_message *user;
+ errno_t ret;
+
+ ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return ERR_INTERNAL;
+ }
+
+ ret = ifp_users_user_get(sbus_req, data, &domain, &user);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ username = ldb_msg_find_attr_as_string(user, SYSDB_NAME, NULL);
+ if (username == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "User name is empty!\n");
+ return ERR_INTERNAL;
+ }
+
+ req = cache_req_initgr_by_name_send(sbus_req, ctx->rctx->ev, ctx->rctx,
+ ctx->rctx->ncache, 0,
+ CACHE_REQ_ANY_DOM, domain->name,
+ username);
+ if (req == NULL) {
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, ifp_users_user_update_groups_list_done,
+ sbus_req);
+
+ return EOK;
+}
+
+static void ifp_users_user_update_groups_list_done(struct tevent_req *req)
+{
+ DBusError *error;
+ struct sbus_request *sbus_req;
+ errno_t ret;
+
+ sbus_req = tevent_req_callback_data(req, struct sbus_request);
+
+ ret = cache_req_initgr_by_name_recv(sbus_req, req, NULL);
+ talloc_zfree(req);
+ if (ret == ENOENT) {
+ error = sbus_error_new(sbus_req, SBUS_ERROR_NOT_FOUND,
+ "User not found");
+ goto done;
+ } else if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
+ "user [%d]: %s\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ if (ret != EOK) {
+ sbus_request_fail_and_finish(sbus_req, error);
+ return;
+ }
+
+ iface_ifp_users_user_UpdateGroupsList_finish(sbus_req);
+ return;
+}
+
+void ifp_users_user_get_name(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_name(sbus_req, data, SYSDB_NAME, _out);
+}
+
+void ifp_users_user_get_uid_number(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t *_out)
+{
+ ifp_users_get_as_uint32(sbus_req, data, SYSDB_UIDNUM, _out);
+}
+
+void 
ifp_users_user_get_gid_number(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t *_out)
+{
+ ifp_users_get_as_uint32(sbus_req, data, SYSDB_GIDNUM, _out);
+}
+
+void ifp_users_user_get_gecos(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_as_string(sbus_req, data, SYSDB_GECOS, _out);
+}
+
+void ifp_users_user_get_home_directory(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_as_string(sbus_req, data, SYSDB_HOMEDIR, _out);
+}
+
+void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_as_string(sbus_req, data, SYSDB_SHELL, _out);
+}
+
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ ifp_users_get_as_string(sbus_req, data, SYSDB_UUID, _out);
+}
+
+void ifp_users_user_get_groups(struct sbus_request *sbus_req,
+ void *data,
+ const char ***_out,
+ int *_size)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *domain;
+ const char *username;
+ struct ldb_message *user;
+ struct ldb_result *res;
+ const char **out;
+ int num_groups;
+ gid_t gid;
+ errno_t ret;
+ int i;
+
+ *_out = NULL;
+ *_size = 0;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return;
+ }
+
+ if (!ifp_is_user_attr_allowed(ifp_ctx, "groups")) {
+ DEBUG(SSSDBG_TRACE_ALL, "Attribute %s is not allowed\n",
+ SYSDB_MEMBEROF);
+ return;
+ }
+
+ ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, &user);
+ if (ret != EOK) {
+ return;
+ }
+
+ username = ldb_msg_find_attr_as_string(user, SYSDB_NAME, NULL);
+ if (username == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "User name is empty!\n");
+ return;
+ }
+
+ /* Run initgroups. 
*/
+ ret = sysdb_initgroups_with_views(sbus_req, domain, username, &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get groups for %s@%s [%d]: %s\n",
+ username, domain->name, ret, sss_strerror(ret));
+ return;
+ }
+
+ if (res->count == 0) {
+ return;
+ }
+
+ out = talloc_zero_array(sbus_req, const char *, res->count);
+ if (out == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n");
+ return;
+ }
+
+ num_groups = 0;
+ for (i = 0; i < res->count; i++) {
+ gid = sss_view_ldb_msg_find_attr_as_uint64(domain, res->msgs[i],
+ SYSDB_GIDNUM, 0);
+ if (gid == 0 && domain->type == DOM_TYPE_POSIX) {
+ continue;
+ }
+
+ out[num_groups] = ifp_groups_build_path_from_msg(out,
+ domain,
+ res->msgs[i]);
+ if (out[num_groups] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "ifp_groups_build_path() failed\n");
+ return;
+ }
+
+ num_groups++;
+ }
+
+ *_out = out;
+ *_size = num_groups;
+}
+
+void ifp_users_user_get_domain(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ const char *domainname;
+
+ *_out = NULL;
+ ifp_users_user_get_domainname(sbus_req, data, &domainname);
+
+ if (domainname == NULL) {
+ return;
+ }
+
+ *_out = sbus_opath_compose(sbus_req, IFP_PATH_DOMAINS,
+ domainname);
+}
+
+void ifp_users_user_get_domainname(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out)
+{
+ struct ifp_ctx *ifp_ctx;
+ struct sss_domain_info *domain;
+ errno_t ret;
+
+ *_out = NULL;
+
+ ifp_ctx = talloc_get_type(data, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n");
+ return;
+ }
+
+ if (!ifp_is_user_attr_allowed(ifp_ctx, "domainname")) {
+ DEBUG(SSSDBG_TRACE_ALL, "Attribute domainname is not allowed\n");
+ return;
+ }
+
+ ret = ifp_users_user_get(sbus_req, ifp_ctx, &domain, NULL);
+ if (ret != EOK) {
+ return;
+ }
+
+ *_out = domain->name;
+}
+
+void ifp_users_user_get_extra_attributes(struct sbus_request *sbus_req,
+ void *data,
+ hash_table_t **_out)
+{
+ struct ifp_ctx *ifp_ctx;
+ 
struct sss_domain_info *domain; + struct ldb_message *base_user; + const char *name; + struct ldb_message **user; + struct ldb_message_element *el; + struct ldb_dn *basedn; + size_t count; + const char *filter; + const char **extra; + hash_table_t *table; + hash_key_t key; + hash_value_t value; + const char **values; + errno_t ret; + int hret; + int i; + + *_out = NULL; + + ifp_ctx = talloc_get_type(data, struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return; + } + + extra = ifp_get_user_extra_attributes(sbus_req, ifp_ctx); + if (extra == NULL || extra[0] == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No extra attributes to return\n"); + return; + } + + ret = ifp_users_user_get(sbus_req, data, &domain, &base_user); + if (ret != EOK) { + return; + } + + basedn = sysdb_user_base_dn(sbus_req, domain); + if (basedn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_user_base_dn() failed\n"); + return; + } + + name = ldb_msg_find_attr_as_string(base_user, SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name\n"); + return; + } + + filter = talloc_asprintf(sbus_req, "(&(%s=%s)(%s=%s))", + SYSDB_OBJECTCATEGORY, SYSDB_USER_CLASS, + SYSDB_NAME, name); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n"); + return; + } + + ret = sysdb_search_entry(sbus_req, domain->sysdb, basedn, + LDB_SCOPE_SUBTREE, filter, + extra, &count, &user); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lookup user [%d]: %s\n", + ret, sss_strerror(ret)); + return; + } + + if (count == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "User %s not found!\n", name); + return; + } else if (count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More than one entry found!\n"); + return; + } + + ret = sss_hash_create(sbus_req, 10, &table); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table!\n"); + return; + } + + /* Read each extra attribute. 
*/ + for (i = 0; extra[i] != NULL; i++) { + el = ldb_msg_find_element(user[0], extra[i]); + if (el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "Attribute %s not found, skipping...\n", + extra[i]); + continue; + } + + values = sss_ldb_el_to_string_list(table, el); + if (values == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_ldb_el_to_string_list() failed\n"); + return; + } + + key.type = HASH_KEY_STRING; + key.str = talloc_strdup(table, extra[i]); + if (key.str == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n"); + return; + } + + value.type = HASH_VALUE_PTR; + value.ptr = values; + + hret = hash_enter(table, &key, &value); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to insert entry " + "into hash table: %d\n", hret); + return; + } + } + + *_out = table; +} + +int ifp_cache_list_user(struct sbus_request *sbus_req, + void *data) +{ + return ifp_cache_list(sbus_req, data, IFP_CACHE_USER); +} + +int ifp_cache_list_by_domain_user(struct sbus_request *sbus_req, + void *data, + const char *domain) +{ + return ifp_cache_list_by_domain(sbus_req, data, domain, IFP_CACHE_USER); +} + +int ifp_cache_object_store_user(struct sbus_request *sbus_req, + void *data) +{ + DBusError *error; + struct sss_domain_info *domain; + struct ldb_message *user; + errno_t ret; + + ret = ifp_users_user_get(sbus_req, data, &domain, &user); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch " + "user [%d]: %s\n", ret, sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + /* The request is finished inside. 
*/
+ return ifp_cache_object_store(sbus_req, domain, user->dn);
+}
+
+int ifp_cache_object_remove_user(struct sbus_request *sbus_req,
+ void *data)
+{
+ DBusError *error;
+ struct sss_domain_info *domain;
+ struct ldb_message *user;
+ errno_t ret;
+
+ ret = ifp_users_user_get(sbus_req, data, &domain, &user);
+ if (ret != EOK) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to fetch "
+ "user [%d]: %s\n", ret, sss_strerror(ret));
+ return sbus_request_fail_and_finish(sbus_req, error);
+ }
+
+ /* The request is finished inside. */
+ return ifp_cache_object_remove(sbus_req, domain, user->dn);
+}
diff --git a/src/responder/ifp/ifp_users.h b/src/responder/ifp/ifp_users.h
new file mode 100644
index 0000000..715a8bc
--- /dev/null
+++ b/src/responder/ifp/ifp_users.h
@@ -0,0 +1,135 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef IFP_USERS_H_
+#define IFP_USERS_H_
+
+#include "responder/ifp/ifp_iface.h"
+#include "responder/ifp/ifp_private.h"
+
+/* Utility functions */
+
+char * ifp_users_build_path_from_msg(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ struct ldb_message *msg);
+
+/* org.freedesktop.sssd.infopipe.Users */
+
+int ifp_users_find_by_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *name);
+
+int ifp_users_find_by_id(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t id);
+
+int ifp_users_find_by_cert(struct sbus_request *sbus_req,
+ void *data,
+ const char *pem_cert);
+
+int ifp_users_list_by_cert(struct sbus_request *sbus_req,
+ void *data,
+ const char *pem_cert,
+ uint32_t limit);
+
+int ifp_users_find_by_name_and_cert(struct sbus_request *sbus_req,
+ void *data,
+ const char *name,
+ const char *pem_cert);
+
+int ifp_users_list_by_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *filter,
+ uint32_t limit);
+
+int ifp_users_list_by_domain_and_name(struct sbus_request *sbus_req,
+ void *data,
+ const char *domain,
+ const char *filter,
+ uint32_t limit);
+
+/* org.freedesktop.sssd.infopipe.Users.User */
+
+int ifp_users_user_update_groups_list(struct sbus_request *req,
+ void *data);
+
+void ifp_users_user_get_name(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_uid_number(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t *_out);
+
+void ifp_users_user_get_gid_number(struct sbus_request *sbus_req,
+ void *data,
+ uint32_t *_out);
+
+void ifp_users_user_get_gecos(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_home_directory(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_login_shell(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_unique_id(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_groups(struct sbus_request *sbus_req,
+ void *data,
+ const char ***_out,
+ int *_size);
+
+void ifp_users_user_get_domain(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_domainname(struct sbus_request *sbus_req,
+ void *data,
+ const char **_out);
+
+void ifp_users_user_get_extra_attributes(struct sbus_request *sbus_req,
+ void *data,
+ hash_table_t **_out);
+
+/* org.freedesktop.sssd.infopipe.Cache */
+
+int ifp_cache_list_user(struct sbus_request *sbus_req,
+ void *data);
+
+int ifp_cache_list_by_domain_user(struct sbus_request *sbus_req,
+ void *data,
+ const char *domain);
+
+/* org.freedesktop.sssd.infopipe.Cache.Object */
+
+int ifp_cache_object_store_user(struct sbus_request *sbus_req,
+ void *data);
+
+int ifp_cache_object_remove_user(struct sbus_request *sbus_req,
+ void *data);
+
+#endif /* IFP_USERS_H_ */
diff --git a/src/responder/ifp/ifpsrv.c b/src/responder/ifp/ifpsrv.c
new file mode 100644
index 0000000..d71475e
--- /dev/null
+++ b/src/responder/ifp/ifpsrv.c
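Review bot: ifp_users.h gives the property getters (`ifp_users_user_get_*`) a void return and no comment on how a failed lookup is reported. In the ifp_users.c bodies visible in this patch (`get_domain`, `get_domainname`, `get_extra_attributes`) the only signal is `*_out` left NULL, and that covers both an internal error and an attribute that `ifp_is_user_attr_allowed()` rejects. A comment above the group would make the contract explicit, for example `/* Getters set *_out to NULL when the value is unavailable or the attribute is not allowed. */`. The `uint32_t *_out` getters and `_size` in `ifp_users_user_get_groups` have no NULL equivalent, so their failure value deserves a line too; those bodies start outside the part of the patch shown here.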
@@ -0,0 +1,417 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ InfoPipe responder: the responder server
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/strtonum.h"
+#include "sbus/sssd_dbus.h"
+#include "monitor/monitor_interfaces.h"
+#include "confdb/confdb.h"
+#include "responder/ifp/ifp_private.h"
+#include "responder/ifp/ifp_domains.h"
+#include "responder/ifp/ifp_components.h"
+#include "responder/common/responder_sbus.h"
+
+#define DEFAULT_ALLOWED_UIDS "0"
+
+static int ifp_sysbus_reconnect(struct sbus_request *dbus_req, void *data);
+
+struct mon_cli_iface monitor_ifp_methods = {
+ { &mon_cli_iface_meta, 0 },
+ .resInit = monitor_common_res_init,
+ .goOffline = NULL,
+ .resetOffline = NULL,
+ .rotateLogs = responder_logrotate,
+ .sysbusReconnect = ifp_sysbus_reconnect,
+};
+
+struct sss_cmd_table *get_ifp_cmds(void)
+{
+ static struct sss_cmd_table ifp_cmds[] = {
+ { SSS_GET_VERSION, sss_cmd_get_version },
+ { SSS_CLI_NULL, NULL}
+ };
+
+ return ifp_cmds;
+}
+
+static void ifp_dp_reconnect_init(struct sbus_connection *conn,
+ int status, void *pvt)
+{
+ struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn);
+ int ret;
+
+ /* Did we reconnect successfully? */
+ if (status == SBUS_RECONNECT_SUCCESS) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Reconnected to the Data Provider.\n");
+
+ /* Identify ourselves to the data provider */
+ ret = rdp_register_client(be_conn, "InfoPipe");
+ /* all fine */
+ if (ret == EOK) {
+ handle_requests_after_reconnect(be_conn->rctx);
+ return;
+ }
+ }
+
+ /* Failed to reconnect */
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n",
+ be_conn->domain->name);
+}
+
+static errno_t
+sysbus_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *dbus_name,
+ void *pvt,
+ struct sysbus_ctx **sysbus)
+{
+ DBusError dbus_error;
+ DBusConnection *conn = NULL;
+ struct sysbus_ctx *system_bus = NULL;
+ errno_t ret;
+
+ system_bus = talloc_zero(mem_ctx, struct sysbus_ctx);
+ if (system_bus == NULL) {
+ return ENOMEM;
+ }
+
+ dbus_error_init(&dbus_error);
+
+ /* Connect to the well-known system bus */
+ conn = dbus_bus_get(DBUS_BUS_SYSTEM, &dbus_error);
+ if (conn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to connect to D-BUS system bus: [%s]\n",
+ dbus_error.message);
+ ret = ERR_NO_SYSBUS;
+ goto fail;
+ }
+ dbus_connection_set_exit_on_disconnect(conn, FALSE);
+
+ ret = dbus_bus_request_name(conn, dbus_name,
+ /* We want exclusive access */
+ DBUS_NAME_FLAG_DO_NOT_QUEUE,
+ &dbus_error);
+ if (ret != DBUS_REQUEST_NAME_REPLY_PRIMARY_OWNER) {
+ /* We were unable to register on the system bus */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to request name on the system bus: [%s]\n",
+ dbus_error.message);
+ ret = EIO;
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Listening on %s\n", dbus_name);
+
+ /* Integrate with tevent loop */
+ ret = sbus_init_connection(system_bus, ev, conn,
+ SBUS_CONN_TYPE_SYSBUS,
+ NULL, NULL, &system_bus->conn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not integrate D-BUS into mainloop.\n");
+ goto fail;
+ }
+
+ ret = ifp_register_sbus_interface(system_bus->conn, pvt);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not register interfaces\n");
+ goto fail;
+ }
+
+ ifp_register_nodes(pvt, system_bus->conn);
+
+ *sysbus = system_bus;
+ return EOK;
+
+fail:
+ if (dbus_error_is_set(&dbus_error)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "DBus error message: %s\n", dbus_error.message);
+ dbus_error_free(&dbus_error);
+ }
+
+ if (conn) dbus_connection_unref(conn);
+
+ talloc_free(system_bus);
+ return ret;
+}
+
+static int ifp_sysbus_reconnect(struct sbus_request *dbus_req, void *data)
+{
+ struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx);
+ struct ifp_ctx *ifp_ctx = (struct ifp_ctx*) rctx->pvt_ctx;
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Attempting to reconnect to the system bus\n");
+
+ if (ifp_ctx->sysbus) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Already connected to sysbus\n");
+ goto done;
+ }
+
+ /* Connect to the D-BUS system bus and set up methods */
+ ret = sysbus_init(ifp_ctx, ifp_ctx->rctx->ev,
+ IFACE_IFP,
+ ifp_ctx, &ifp_ctx->sysbus);
+ if (ret == ERR_NO_SYSBUS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The system bus is not available..\n");
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to connect to the system message bus\n");
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Reconnected to the system bus!\n");
+
+done:
+ return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID);
+}
+
+int ifp_process_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct confdb_ctx *cdb)
+{
+ struct resp_ctx *rctx;
+ struct sss_cmd_table *ifp_cmds;
+ struct ifp_ctx *ifp_ctx;
+ struct be_conn *iter;
+ int ret;
+ int max_retries;
+ char *uid_str;
+ char *attr_list_str;
+ char *wildcard_limit_str;
+
+ ifp_cmds = get_ifp_cmds();
+ ret = sss_process_init(mem_ctx, ev, cdb,
+ ifp_cmds,
+ NULL, -1, NULL, -1,
+ CONFDB_IFP_CONF_ENTRY,
+ SSS_IFP_SBUS_SERVICE_NAME,
+ SSS_IFP_SBUS_SERVICE_VERSION,
+ &monitor_ifp_methods,
+ "InfoPipe",
+ NULL,
+ sss_connection_setup,
+ &rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n");
+ return ret;
+ }
+
+ ifp_ctx = talloc_zero(rctx, struct ifp_ctx);
+ if (ifp_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing ifp_ctx\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ ifp_ctx->rctx = rctx;
+ ifp_ctx->rctx->pvt_ctx = ifp_ctx;
+
+ ret = sss_names_init_from_args(ifp_ctx,
+ "(?P[^@]+)@?(?P[^@]*$)",
+ "%1$s@%2$s", &ifp_ctx->snctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing regex data\n");
+ goto fail;
+ }
+
+ ret = confdb_get_string(ifp_ctx->rctx->cdb, ifp_ctx->rctx,
+ CONFDB_IFP_CONF_ENTRY, CONFDB_SERVICE_ALLOWED_UIDS,
+ DEFAULT_ALLOWED_UIDS, &uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get allowed UIDs.\n");
+ goto fail;
+ }
+
+ ret = csv_string_to_uid_array(ifp_ctx->rctx, uid_str, true,
+ &ifp_ctx->rctx->allowed_uids_count,
+ &ifp_ctx->rctx->allowed_uids);
+ talloc_free(uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
+ goto fail;
+ }
+
+ ret = confdb_get_string(ifp_ctx->rctx->cdb, ifp_ctx->rctx,
+ CONFDB_IFP_CONF_ENTRY, CONFDB_IFP_USER_ATTR_LIST,
+ NULL, &attr_list_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get user attribute list.\n");
+ goto fail;
+ }
+
+ ifp_ctx->user_whitelist = ifp_parse_user_attr_list(ifp_ctx, attr_list_str);
+ talloc_free(attr_list_str);
+ if (ifp_ctx->user_whitelist == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to parse the allowed attribute list\n");
+ goto fail;
+ }
+
+ /* Enable automatic reconnection to the Data Provider */
+ ret = confdb_get_int(ifp_ctx->rctx->cdb,
+ CONFDB_IFP_CONF_ENTRY,
+ CONFDB_SERVICE_RECON_RETRIES,
+ 3, &max_retries);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to set up automatic reconnection\n");
+ goto fail;
+ }
+
+ /* A bit convoluted way until we have a confdb_get_uint32 */
+ ret = confdb_get_string(ifp_ctx->rctx->cdb,
+ ifp_ctx->rctx,
+ CONFDB_IFP_CONF_ENTRY,
+ CONFDB_IFP_WILDCARD_LIMIT,
+ NULL, /* no limit by default */
+ &wildcard_limit_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to retrieve limit for a wildcard search\n");
+ goto fail;
+ }
+
+ if (wildcard_limit_str) {
+ ifp_ctx->wildcard_limit = strtouint32(wildcard_limit_str, NULL, 10);
+ ret = errno;
+ if (ret != EOK) {
+ goto fail;
+ }
+ }
+
+ for (iter = ifp_ctx->rctx->be_conns; iter; iter = iter->next) {
+ sbus_reconnect_init(iter->conn, max_retries,
+ ifp_dp_reconnect_init, iter);
+ }
+
+ /* Connect to the D-BUS system bus and set up methods */
+ ret = sysbus_init(ifp_ctx, ifp_ctx->rctx->ev,
+ IFACE_IFP,
+ ifp_ctx, &ifp_ctx->sysbus);
+ if (ret == ERR_NO_SYSBUS) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The system bus is not available..\n");
+ /* Explicitly ignore, the D-Bus daemon will start us */
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to connect to the system message bus\n");
+ talloc_free(ifp_ctx);
+ return EIO;
+ }
+
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "schedule_get_domains_tasks failed.\n");
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "InfoPipe Initialization complete\n");
+ return EOK;
+
+fail:
+ talloc_free(rctx);
+ return ret;
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ char *opt_logger = NULL;
+ struct main_context *main_ctx;
+ int ret;
+ uid_t uid;
+ gid_t gid;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
+ SSSD_SERVER_OPTS(uid, gid)
+ SSSD_RESPONDER_OPTS
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ umask(DFL_RSP_UMASK);
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ poptFreeContext(pc);
+
+ DEBUG_INIT(debug_level);
+
+ /* set up things like debug, signals, daemonization, etc. */
+ debug_log_file = "sssd_ifp";
+
+ sss_set_logger(opt_logger);
+
+ ret = server_setup("sssd[ifp]", 0, 0, 0,
+ CONFDB_IFP_CONF_ENTRY, &main_ctx);
+ if (ret != EOK) return 2;
+
+ ret = die_if_parent_died();
+ if (ret != EOK) {
+ /* This is not fatal, don't return */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not set up to exit when parent process does\n");
+ }
+
+ ret = ifp_process_init(main_ctx,
+ main_ctx->event_ctx,
+ main_ctx->confdb_ctx);
+ if (ret != EOK) return 3;
+
+ /* loop on main */
+ server_loop(main_ctx);
+ return 0;
+}
diff --git a/src/responder/ifp/ifpsrv_cmd.c b/src/responder/ifp/ifpsrv_cmd.c
new file mode 100644
index 0000000..38932b7
--- /dev/null
+++ b/src/responder/ifp/ifpsrv_cmd.c
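Review bot: In ifpsrv.c, `ifp_process_init()` jumps to `fail` when `ifp_parse_user_attr_list()` returns NULL without setting `ret`, which still holds EOK from the preceding `confdb_get_string()` call. The `fail` label frees `rctx` and returns `ret`, so `main()` sees success and enters `server_loop()` after the responder context has been freed and without an attribute allow-list. Set an error before the jump, e.g. `ret = ENOMEM;` ahead of `goto fail;` (or whichever code matches the parser's failure modes, which are not visible here). Separately, `strtouint32(wildcard_limit_str, NULL, 10)` passes no end pointer, so a non-numeric `wildcard_limit` value is presumably accepted as 0 rather than rejected; passing an `endptr` and checking it would catch that.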
@@ -0,0 +1,703 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + InfoPipe responder: the responder commands + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "db/sysdb.h" + +#include "responder/ifp/ifp_private.h" +#include "responder/common/cache_req/cache_req.h" + +struct ifp_attr_req { + const char *name; + const char **attrs; + int nattrs; + + struct ifp_req *ireq; +}; + +static struct tevent_req * +ifp_user_get_attr_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + enum sss_dp_acct_type search_type, + const char *inp, const char **attrs); +static errno_t ifp_user_get_attr_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ldb_result **_res, + struct sss_domain_info **_domain); + +static void ifp_user_get_attr_process(struct tevent_req *req); + +static errno_t +ifp_user_get_attr_handle_reply(struct sss_domain_info *domain, + struct ifp_req *ireq, + const char **attrs, + struct ldb_result *res); +static errno_t +ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req); + +int ifp_user_get_attr(struct sbus_request *dbus_req, void *data) +{ + errno_t ret; + struct ifp_req *ireq; + struct ifp_ctx *ifp_ctx; + struct ifp_attr_req *attr_req; + struct tevent_req *req; + + DEBUG(SSSDBG_IMPORTANT_INFO, "GetUserAttr is deprecated, please consider " + "switching to org.freedesktop.sssd.infopipe.Users.User interface\n"); + + ifp_ctx = talloc_get_type(data, 
struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); + } + + ret = ifp_req_create(dbus_req, ifp_ctx, &ireq); + if (ret != EOK) { + return ifp_req_create_handle_failure(dbus_req, ret); + } + + attr_req = talloc_zero(ireq, struct ifp_attr_req); + if (attr_req == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + attr_req->ireq = ireq; + + ret = ifp_user_get_attr_unpack_msg(attr_req); + if (ret != EOK) { + return ret; /* internal error */ + } + + DEBUG(SSSDBG_FUNC_DATA, + "Looking up attributes of user [%s] on behalf of %"PRIi64"\n", + attr_req->name, ireq->dbus_req->client); + + req = ifp_user_get_attr_send(ireq, ifp_ctx->rctx, + ifp_ctx->rctx->ncache, SSS_DP_USER, + attr_req->name, attr_req->attrs); + if (req == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + tevent_req_set_callback(req, ifp_user_get_attr_process, attr_req); + return EOK; +} + +static errno_t +ifp_user_get_attr_unpack_msg(struct ifp_attr_req *attr_req) +{ + bool parsed; + char **attrs; + int nattrs; + int i, ai; + const char **whitelist = attr_req->ireq->ifp_ctx->user_whitelist; + + parsed = sbus_request_parse_or_finish(attr_req->ireq->dbus_req, + DBUS_TYPE_STRING, &attr_req->name, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, + &attrs, &nattrs, + DBUS_TYPE_INVALID); + if (parsed == false) { + DEBUG(SSSDBG_OP_FAILURE, "Could not parse arguments\n"); + return ERR_SBUS_REQUEST_HANDLED; + } + + /* Copy the attributes to maintain memory hierarchy with talloc */ + attr_req->attrs = talloc_zero_array(attr_req, const char *, nattrs+1); + if (attr_req->attrs == NULL) { + return ENOMEM; + } + + ai = 0; + for (i = 0; i < nattrs; i++) { + if (ifp_attr_allowed(whitelist, attrs[i]) == false) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Attribute %s not present in the whitelist, skipping\n", + attrs[i]); + continue; + } + + attr_req->attrs[ai] = talloc_strdup(attr_req->attrs, attrs[i]); + if 
(attr_req->attrs[ai] == NULL) { + return ENOMEM; + } + ai++; + } + + return EOK; +} + +static void ifp_user_get_attr_process(struct tevent_req *req) +{ + struct ifp_attr_req *attr_req; + errno_t ret; + struct ldb_result *res = NULL; + struct sss_domain_info *dom = NULL; + + attr_req = tevent_req_callback_data(req, struct ifp_attr_req); + + ret = ifp_user_get_attr_recv(attr_req, req, &res, &dom); + talloc_zfree(req); + if (ret == ENOENT) { + sbus_request_fail_and_finish(attr_req->ireq->dbus_req, + sbus_error_new(attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "No such user\n")); + return; + } else if (ret != EOK) { + sbus_request_fail_and_finish(attr_req->ireq->dbus_req, + sbus_error_new(attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "Failed to read user attribute\n")); + return; + } + + ret = ifp_user_get_attr_handle_reply(dom, attr_req->ireq, + attr_req->attrs, res); + if (ret != EOK) { + sbus_request_fail_and_finish(attr_req->ireq->dbus_req, + sbus_error_new(attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "Failed to build a reply\n")); + return; + } +} + +static errno_t +ifp_user_get_attr_handle_reply(struct sss_domain_info *domain, + struct ifp_req *ireq, + const char **attrs, + struct ldb_result *res) +{ + errno_t ret; + dbus_bool_t dbret; + DBusMessage *reply; + DBusMessageIter iter; + DBusMessageIter iter_dict; + struct ldb_message_element *el; + int ai; + + /* Construct a reply */ + reply = dbus_message_new_method_return(ireq->dbus_req->message); + if (!reply) { + return sbus_request_finish(ireq->dbus_req, NULL); + } + + dbus_message_iter_init_append(reply, &iter); + + dbret = dbus_message_iter_open_container( + &iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &iter_dict); + if (!dbret) { + return sbus_request_finish(ireq->dbus_req, NULL); + } + + if (res->count > 0) { + ret = ifp_ldb_el_output_name(ireq->ifp_ctx->rctx, res->msgs[0], + 
SYSDB_NAME, domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert SYSDB_NAME to output format [%d]: %s\n", + ret, sss_strerror(ret)); + return sbus_request_finish(ireq->dbus_req, NULL); + } + + ret = ifp_ldb_el_output_name(ireq->ifp_ctx->rctx, res->msgs[0], + SYSDB_NAME_ALIAS, domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert SYSDB_NAME_ALIAS to output format [%d]: %s\n", + ret, sss_strerror(ret)); + return sbus_request_finish(ireq->dbus_req, NULL); + } + + for (ai = 0; attrs[ai]; ai++) { + if (strcmp(attrs[ai], "domainname") == 0) { + ret = ifp_add_value_to_dict(&iter_dict, "domainname", + domain->name); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot add attribute domainname to message\n"); + continue; + } + } + + el = sss_view_ldb_msg_find_element(domain, res->msgs[0], attrs[ai]); + if (el == NULL || el->num_values == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Attribute %s not present or has no values\n", + attrs[ai]); + continue; + } + + ret = ifp_add_ldb_el_to_dict(&iter_dict, el); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot add attribute %s to message\n", + attrs[ai]); + continue; + } + } + } + + dbret = dbus_message_iter_close_container(&iter, &iter_dict); + if (!dbret) { + return sbus_request_finish(ireq->dbus_req, NULL); + } + + return sbus_request_finish(ireq->dbus_req, reply); +} + +struct ifp_user_get_groups_state { + struct resp_ctx *rctx; + + struct ifp_attr_req *group_attr_req; + + struct ldb_result *res; + struct ldb_result *res_names; + struct sss_domain_info *dom; +}; + +static void ifp_user_get_groups_process(struct tevent_req *req); +static void ifp_user_get_groups_names_resolved(struct tevent_req *req); +static errno_t ifp_user_get_groups_reply(struct sss_domain_info *domain, + struct ifp_req *ireq, + struct ldb_result *res); + +int ifp_user_get_groups(struct sbus_request *dbus_req, + void *data, const char *arg_user) +{ + struct ifp_req *ireq; + struct ifp_ctx *ifp_ctx; + 
struct ifp_user_get_groups_state *state; + struct tevent_req *req; + errno_t ret; + + ifp_ctx = talloc_get_type(data, struct ifp_ctx); + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); + } + + ret = ifp_req_create(dbus_req, ifp_ctx, &ireq); + if (ret != EOK) { + return ifp_req_create_handle_failure(dbus_req, ret); + } + + state = talloc_zero(ireq, struct ifp_user_get_groups_state); + if (state == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + state->rctx = ifp_ctx->rctx; + + state->group_attr_req = talloc_zero(state, struct ifp_attr_req); + if (state->group_attr_req == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + state->group_attr_req->ireq = ireq; + state->group_attr_req->name = arg_user; + + state->group_attr_req->attrs = talloc_zero_array(state->group_attr_req, + const char *, 2); + if (state->group_attr_req->attrs == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + + state->group_attr_req->attrs[0] = talloc_strdup(state->group_attr_req->attrs, + SYSDB_MEMBEROF); + if (state->group_attr_req->attrs[0] == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + + DEBUG(SSSDBG_FUNC_DATA, + "Looking up groups of user [%s] on behalf of %"PRIi64"\n", + state->group_attr_req->name, + state->group_attr_req->ireq->dbus_req->client); + + req = ifp_user_get_attr_send(ireq, ifp_ctx->rctx, + ifp_ctx->rctx->ncache, SSS_DP_INITGROUPS, + state->group_attr_req->name, + state->group_attr_req->attrs); + if (req == NULL) { + return sbus_request_finish(dbus_req, NULL); + } + tevent_req_set_callback(req, + ifp_user_get_groups_process, + state); + return EOK; +} + +static void ifp_user_get_groups_process(struct tevent_req *req) +{ + struct ifp_user_get_groups_state *state; + struct ifp_attr_req *group_attr_req; + errno_t ret; + + state = tevent_req_callback_data(req, struct ifp_user_get_groups_state); + group_attr_req = state->group_attr_req; + + 
ret = ifp_user_get_attr_recv(group_attr_req, req, &state->res, &state->dom); + talloc_zfree(req); + if (ret == ENOENT) { + sbus_request_fail_and_finish(group_attr_req->ireq->dbus_req, + sbus_error_new(group_attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "No such user\n")); + return; + } else if (ret != EOK) { + sbus_request_fail_and_finish(group_attr_req->ireq->dbus_req, + sbus_error_new(group_attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "Failed to read attribute\n")); + return; + } + + req = resp_resolve_group_names_send(state, + state->rctx->ev, + state->rctx, + state->dom, + state->res); + if (req == NULL) { + sbus_request_finish(group_attr_req->ireq->dbus_req, NULL); + return; + } + tevent_req_set_callback(req, + ifp_user_get_groups_names_resolved, + state); +} + +static void ifp_user_get_groups_names_resolved(struct tevent_req *req) +{ + struct ifp_user_get_groups_state *state; + struct ifp_attr_req *group_attr_req; + errno_t ret; + + state = tevent_req_callback_data(req, struct ifp_user_get_groups_state); + group_attr_req = state->group_attr_req; + + ret = resp_resolve_group_names_recv(state, req, &state->res_names); + talloc_zfree(req); + if (ret != EOK) { + sbus_request_fail_and_finish(group_attr_req->ireq->dbus_req, + sbus_error_new(group_attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "Failed to resolve groupnames\n")); + return; + } + + if (state->res_names == NULL) { + state->res_names = state->res; + } + + ret = ifp_user_get_groups_reply(state->dom, + group_attr_req->ireq, + state->res_names); + if (ret != EOK) { + sbus_request_fail_and_finish(group_attr_req->ireq->dbus_req, + sbus_error_new( + group_attr_req->ireq->dbus_req, + DBUS_ERROR_FAILED, + "Failed to build a reply\n")); + return; + } +} + +static errno_t +ifp_user_get_groups_reply(struct sss_domain_info *domain, + struct ifp_req *ireq, + struct ldb_result *res) +{ + int i, gri, num; + const char *name; + const char **groupnames; + struct sized_string *group_name; + errno_t ret; + + /* 
one less, the first one is the user entry */ + num = res->count - 1; + groupnames = talloc_zero_array(ireq, const char *, num); + if (groupnames == NULL) { + return sbus_request_finish(ireq->dbus_req, NULL); + } + + gri = 0; + for (i = 0; i < num; i++) { + name = sss_view_ldb_msg_find_attr_as_string(domain, + res->msgs[i + 1], + SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Skipping a group with no name\n"); + continue; + } + + ret = sized_domain_name(ireq, ireq->ifp_ctx->rctx, name, &group_name); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to get sized name for %s [%d]: %s\n", + name, ret, sss_strerror(ret)); + continue; + } + + groupnames[gri] = talloc_strndup(groupnames, + group_name->str, group_name->len); + if (groupnames[gri] == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "talloc_strndup failed\n"); + continue; + } + gri++; + + DEBUG(SSSDBG_TRACE_FUNC, "Adding group %s\n", groupnames[i]); + } + + return iface_ifp_GetUserGroups_finish(ireq->dbus_req, groupnames, num); +} + +struct ifp_user_get_attr_state { + const char *inp; + const char **attrs; + struct ldb_result *res; + + enum sss_dp_acct_type search_type; + + char *inp_name; + char *domname; + + struct sss_domain_info *dom; + + struct resp_ctx *rctx; + struct sss_nc_ctx *ncache; +}; + +static void ifp_user_get_attr_lookup(struct tevent_req *subreq); +static void ifp_user_get_attr_done(struct tevent_req *subreq); + +static struct tevent_req * +ifp_user_get_attr_send(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx, + struct sss_nc_ctx *ncache, + enum sss_dp_acct_type search_type, + const char *inp, const char **attrs) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct ifp_user_get_attr_state *state; + + req = tevent_req_create(mem_ctx, &state, struct ifp_user_get_attr_state); + if (req == NULL) { + return NULL; + } + state->inp = inp; + state->attrs = attrs; + state->rctx = rctx; + state->ncache = ncache; + state->search_type = search_type; + + 
subreq = sss_parse_inp_send(req, rctx, rctx->default_domain, inp); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ifp_user_get_attr_lookup, req); + + ret = EOK; +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } + return req; +} + +static void +ifp_user_get_attr_lookup(struct tevent_req *subreq) +{ + struct ifp_user_get_attr_state *state = NULL; + struct tevent_req *req = NULL; + struct cache_req_data *data; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ifp_user_get_attr_state); + + ret = sss_parse_inp_recv(subreq, state, + &state->inp_name, &state->domname); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + switch (state->search_type) { + case SSS_DP_USER: + data = cache_req_data_name(state, CACHE_REQ_USER_BY_NAME, + state->inp_name); + break; + case SSS_DP_INITGROUPS: + data = cache_req_data_name(state, CACHE_REQ_INITGROUPS, + state->inp_name); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported search type [%d]!\n", + state->search_type); + tevent_req_error(req, ERR_INTERNAL); + return; + } + + if (data == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + /* IFP serves both POSIX and application domains. 
Requests that need + * to differentiate between the two must be qualified + */ + subreq = cache_req_send(state, state->rctx->ev, state->rctx, + state->ncache, 0, + CACHE_REQ_ANY_DOM, + state->domname, data); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + tevent_req_set_callback(subreq, ifp_user_get_attr_done, req); +} + +static void ifp_user_get_attr_done(struct tevent_req *subreq) +{ + struct ifp_user_get_attr_state *state = NULL; + struct tevent_req *req = NULL; + struct cache_req_result *result; + errno_t ret; + char *fqdn; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct ifp_user_get_attr_state); + + ret = cache_req_single_domain_recv(state, subreq, &result); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + state->res = talloc_steal(state, result->ldb_result); + state->dom = result->domain; + talloc_zfree(result); + + fqdn = sss_create_internal_fqname(state, state->inp_name, + state->dom->name); + if (fqdn == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + if (state->search_type == SSS_DP_USER) { + /* throw away the result and perform attr search */ + talloc_zfree(state->res); + + ret = sysdb_get_user_attr_with_views(state, state->dom, fqdn, + state->attrs, &state->res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_get_user_attr_with_views() " + "failed [%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } else if (state->res->count == 0) { + tevent_req_error(req, ENOENT); + return; + } else if (state->res->count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_get_user_attr_with_views() " + "returned more than one result!\n"); + tevent_req_error(req, ENOENT); + return; + } + } + + tevent_req_done(req); +} + +static errno_t +ifp_user_get_attr_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ldb_result **_res, + struct sss_domain_info **_domain) +{ + struct ifp_user_get_attr_state 
*state = tevent_req_data(req, + struct ifp_user_get_attr_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (state->res == NULL) { + /* Did the request end with success but with no data? */ + return ENOENT; + } + + if (_res) { + *_res = talloc_steal(mem_ctx, state->res); + } + + if (_domain) { + *_domain = state->dom; + } + + return EOK; +} + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version ssh_cli_protocol_version[] = { + {0, NULL, NULL} + }; + + return ssh_cli_protocol_version; +} + +int ifp_ping(struct sbus_request *dbus_req, void *data, const char *ping) +{ + struct ifp_ctx *ifp_ctx = talloc_get_type(data, struct ifp_ctx); + struct ifp_req *ifp_req; + errno_t ret; + + if (ifp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid pointer!\n"); + sbus_request_reply_error(dbus_req, SBUS_ERROR_INTERNAL, + "Invalid infopipe context!"); + return ERR_SBUS_REQUEST_HANDLED; + } + + ret = ifp_req_create(dbus_req, ifp_ctx, &ifp_req); + if (ret != EOK) { + return ifp_req_create_handle_failure(dbus_req, ret); + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Got request for [%s]\n", ping); + + if (strcasecmp(ping, "ping") != 0) { + sbus_request_reply_error(dbus_req, DBUS_ERROR_INVALID_ARGS, + "Ping() only accepts \"ping\" as a param\n"); + return ERR_SBUS_REQUEST_HANDLED; + } + + return iface_ifp_Ping_finish(dbus_req, "PONG"); +} diff --git a/src/responder/ifp/ifpsrv_util.c b/src/responder/ifp/ifpsrv_util.c new file mode 100644 index 0000000..da4ab06 --- /dev/null +++ b/src/responder/ifp/ifpsrv_util.c 
@@ -0,0 +1,522 @@ +/* + Authors: + Jakub Hrozek + Stephen Gallagher + + Copyright (C) 2013 Red Hat + + InfoPipe responder: Utility functions + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "db/sysdb.h" +#include "responder/ifp/ifp_private.h" + +#define IFP_USER_DEFAULT_ATTRS {SYSDB_NAME, SYSDB_UIDNUM, \ + SYSDB_GIDNUM, SYSDB_GECOS, \ + SYSDB_HOMEDIR, SYSDB_SHELL, \ + "groups", "domain", "domainname", \ + NULL} + +errno_t ifp_req_create(struct sbus_request *dbus_req, + struct ifp_ctx *ifp_ctx, + struct ifp_req **_ifp_req) +{ + struct ifp_req *ireq = NULL; + errno_t ret; + + if (ifp_ctx->sysbus == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Responder not connected to sysbus!\n"); + return EINVAL; + } + + ireq = talloc_zero(dbus_req, struct ifp_req); + if (ireq == NULL) { + return ENOMEM; + } + + ireq->ifp_ctx = ifp_ctx; + ireq->dbus_req = dbus_req; + + if (dbus_req->client == -1) { + /* We got a sysbus message but couldn't identify the + * caller? Bail out! 
*/ + DEBUG(SSSDBG_CRIT_FAILURE, + "BUG: Received a message without a known caller!\n"); + ret = EACCES; + goto done; + } + + ret = check_allowed_uids(dbus_req->client, + ifp_ctx->rctx->allowed_uids_count, + ifp_ctx->rctx->allowed_uids); + if (ret == EACCES) { + DEBUG(SSSDBG_MINOR_FAILURE, + "User %"PRIi64" not in ACL\n", dbus_req->client); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot check if user %"PRIi64" is present in ACL\n", + dbus_req->client); + goto done; + } + + *_ifp_req = ireq; + ret = EOK; +done: + if (ret != EOK) { + talloc_free(ireq); + } + return ret; +} + +int ifp_req_create_handle_failure(struct sbus_request *dbus_req, errno_t err) +{ + if (err == EACCES) { + return sbus_request_fail_and_finish(dbus_req, + sbus_error_new(dbus_req, + DBUS_ERROR_ACCESS_DENIED, + "User %"PRIi64" not in ACL\n", + dbus_req->client)); + } + + return sbus_request_fail_and_finish(dbus_req, + sbus_error_new(dbus_req, + DBUS_ERROR_FAILED, + "Cannot create IFP request\n")); +} + +errno_t ifp_add_value_to_dict(DBusMessageIter *iter_dict, + const char *key, + const char *value) +{ + DBusMessageIter iter_dict_entry; + DBusMessageIter iter_dict_val; + DBusMessageIter iter_array; + dbus_bool_t dbret; + + if (value == NULL || key == NULL) { + return EINVAL; + } + + dbret = dbus_message_iter_open_container(iter_dict, + DBUS_TYPE_DICT_ENTRY, NULL, + &iter_dict_entry); + if (!dbret) { + return ENOMEM; + } + + /* Start by appending the key */ + dbret = dbus_message_iter_append_basic(&iter_dict_entry, + DBUS_TYPE_STRING, &key); + if (!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_open_container(&iter_dict_entry, + DBUS_TYPE_VARIANT, + DBUS_TYPE_ARRAY_AS_STRING + DBUS_TYPE_STRING_AS_STRING, + &iter_dict_val); + if (!dbret) { + return ENOMEM; + } + + /* Open container for values */ + dbret = dbus_message_iter_open_container(&iter_dict_val, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING_AS_STRING, + &iter_array); + if (!dbret) { + return ENOMEM; + } + + 
dbret = dbus_message_iter_append_basic(&iter_array, + DBUS_TYPE_STRING, + &value); + if (!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_close_container(&iter_dict_val, + &iter_array); + if (!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_close_container(&iter_dict_entry, + &iter_dict_val); + if (!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_close_container(iter_dict, + &iter_dict_entry); + if (!dbret) { + return ENOMEM; + } + + return EOK; +} + +errno_t ifp_add_ldb_el_to_dict(DBusMessageIter *iter_dict, + struct ldb_message_element *el) +{ + DBusMessageIter iter_dict_entry; + DBusMessageIter iter_dict_val; + DBusMessageIter iter_array; + dbus_bool_t dbret; + unsigned int i; + + if (el == NULL) { + return EINVAL; + } + + dbret = dbus_message_iter_open_container(iter_dict, + DBUS_TYPE_DICT_ENTRY, NULL, + &iter_dict_entry); + if (!dbret) { + return ENOMEM; + } + + /* Start by appending the key */ + dbret = dbus_message_iter_append_basic(&iter_dict_entry, + DBUS_TYPE_STRING, &(el->name)); + if (!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_open_container(&iter_dict_entry, + DBUS_TYPE_VARIANT, + DBUS_TYPE_ARRAY_AS_STRING + DBUS_TYPE_STRING_AS_STRING, + &iter_dict_val); + if (!dbret) { + return ENOMEM; + } + + /* Open container for values */ + dbret = dbus_message_iter_open_container(&iter_dict_val, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING_AS_STRING, + &iter_array); + if (!dbret) { + return ENOMEM; + } + + /* Now add all the values */ + for (i = 0; i < el->num_values; i++) { + DEBUG(SSSDBG_TRACE_FUNC, "element [%s] has value [%s]\n", + el->name, (const char *) el->values[i].data); + + dbret = dbus_message_iter_append_basic(&iter_array, + DBUS_TYPE_STRING, + &(el->values[i].data)); + if (!dbret) { + return ENOMEM; + } + } + + dbret = dbus_message_iter_close_container(&iter_dict_val, + &iter_array); + if (!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_close_container(&iter_dict_entry, + &iter_dict_val); + if 
(!dbret) { + return ENOMEM; + } + + dbret = dbus_message_iter_close_container(iter_dict, + &iter_dict_entry); + if (!dbret) { + return ENOMEM; + } + + return EOK; +} + + +bool +ifp_attr_allowed(const char *whitelist[], const char *attr) +{ + size_t i; + + if (whitelist == NULL) { + return false; + } + + for (i = 0; whitelist[i]; i++) { + if (strcasecmp(whitelist[i], attr) == 0) { + break; + } + } + + return (whitelist[i]) ? true : false; +} + +const char ** +ifp_parse_user_attr_list(TALLOC_CTX *mem_ctx, const char *csv) +{ + static const char *defaults[] = IFP_USER_DEFAULT_ATTRS; + + return parse_attr_list_ex(mem_ctx, csv, defaults); +} + +const char ** +ifp_get_user_extra_attributes(TALLOC_CTX *mem_ctx, struct ifp_ctx *ifp_ctx) +{ + TALLOC_CTX *tmp_ctx = NULL; + const char *std[] = IFP_USER_DEFAULT_ATTRS; + const char **whitelist = ifp_ctx->user_whitelist; + const char **extra; + bool found; + int extra_num; + int i, j; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return NULL; + } + + for (i = 0; whitelist[i] != NULL; i++) { + /* Just count number of attributes in whitelist. 
*/ + } + + extra = talloc_zero_array(tmp_ctx, const char *, i + 1); + if (extra == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + goto fail; + } + + extra_num = 0; + for (i = 0; whitelist[i] != NULL; i++) { + found = false; + for (j = 0; std[j] != NULL; j++) { + if (strcmp(whitelist[i], std[j]) == 0) { + found = true; + break; + } + } + + if (!found) { + extra[extra_num] = talloc_strdup(extra, whitelist[i]); + if (extra[extra_num] == NULL) { + goto fail; + } + + extra_num++; + } + } + + extra = talloc_realloc(tmp_ctx, extra, const char *, extra_num + 1); + if (extra == NULL) { + goto fail; + } + + talloc_steal(mem_ctx, extra); + talloc_free(tmp_ctx); + return extra; + +fail: + talloc_free(tmp_ctx); + return NULL; +} + +bool +ifp_is_user_attr_allowed(struct ifp_ctx *ifp_ctx, const char *attr) +{ + return ifp_attr_allowed(ifp_ctx->user_whitelist, attr); +} + +static uint32_t ifp_list_limit(struct ifp_ctx *ctx, uint32_t limit) +{ + if (limit == 0) { + return ctx->wildcard_limit; + } else if (ctx->wildcard_limit) { + return MIN(ctx->wildcard_limit, limit); + } else { + return limit; + } +} + +struct ifp_list_ctx *ifp_list_ctx_new(struct sbus_request *sbus_req, + struct ifp_ctx *ctx, + const char *filter, + uint32_t limit) +{ + struct ifp_list_ctx *list_ctx; + + list_ctx = talloc_zero(sbus_req, struct ifp_list_ctx); + if (list_ctx == NULL) { + return NULL; + } + + list_ctx->sbus_req = sbus_req; + list_ctx->limit = ifp_list_limit(ctx, limit); + list_ctx->ctx = ctx; + list_ctx->dom = ctx->rctx->domains; + list_ctx->filter = filter; + list_ctx->paths_max = 1; + list_ctx->paths = talloc_zero_array(list_ctx, const char *, + list_ctx->paths_max); + if (list_ctx->paths == NULL) { + talloc_free(list_ctx); + return NULL; + } + + return list_ctx; +} + +errno_t ifp_list_ctx_remaining_capacity(struct ifp_list_ctx *list_ctx, + size_t entries, + size_t *_capacity) +{ + size_t capacity = list_ctx->limit - list_ctx->path_count; + errno_t ret; + size_t c; + + if 
(list_ctx->limit == 0) { + capacity = entries; + goto immediately; + } + + if (capacity < entries) { + DEBUG(SSSDBG_MINOR_FAILURE, + "IFP list request has limit of %"PRIu32" entries but back end " + "returned %zu entries\n", list_ctx->limit, + list_ctx->path_count + entries); + } else { + capacity = entries; + } + +immediately: + list_ctx->paths_max = list_ctx->path_count + capacity; + list_ctx->paths = talloc_realloc(list_ctx, list_ctx->paths, const char *, + list_ctx->paths_max); + if (list_ctx->paths == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero_array() failed\n"); + ret = ENOMEM; + goto done; + } + for (c = list_ctx->path_count; c < list_ctx->paths_max; c++) { + list_ctx->paths[c] = NULL; + } + + *_capacity = capacity; + ret = EOK; + +done: + return ret; +} + +errno_t ifp_ldb_el_output_name(struct resp_ctx *rctx, + struct ldb_message *msg, + const char *el_name, + struct sss_domain_info *dom) +{ + struct ldb_message_element *el; + char *in_name; + char *out_name; + errno_t ret; + char *name; + TALLOC_CTX *tmp_ctx; + + el = ldb_msg_find_element(msg, el_name); + if (el == NULL) { + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + for (size_t c = 0; c < el->num_values; c++) { + in_name = (char *) el->values[c].data; + ret = sss_parse_internal_fqname(tmp_ctx, in_name, &name, NULL); + if (ret != EOK) { + goto done; + } + + out_name = sss_output_name(tmp_ctx, in_name, dom->case_preserve, + rctx->override_space); + if (out_name == NULL) { + ret = EIO; + goto done; + } + + if (dom->fqnames) { + out_name = sss_tc_fqname(tmp_ctx, dom->names, dom, out_name); + if (out_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n"); + ret = ENOMEM; + goto done; + } + } + + talloc_free(el->values[c].data); + el->values[c].data = (uint8_t *) talloc_steal(el->values, out_name); + el->values[c].length = strlen(out_name); + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +char 
*ifp_format_name_attr(TALLOC_CTX *mem_ctx, struct ifp_ctx *ifp_ctx, + const char *in_name, struct sss_domain_info *dom) +{ + TALLOC_CTX *tmp_ctx; + char *out_name; + char *ret_name = NULL; + char *shortname; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + ret = sss_parse_internal_fqname(tmp_ctx, in_name, &shortname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unparseable name %s\n", in_name); + goto done; + } + + out_name = sss_output_name(tmp_ctx, in_name, dom->case_preserve, + ifp_ctx->rctx->override_space); + if (out_name == NULL) { + goto done; + } + + if (dom->fqnames) { + out_name = sss_tc_fqname(tmp_ctx, dom->names, dom, out_name); + if (out_name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n"); + goto done; + } + } + + ret_name = talloc_steal(mem_ctx, out_name); +done: + talloc_free(tmp_ctx); + return ret_name; +} diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.conf b/src/responder/ifp/org.freedesktop.sssd.infopipe.conf new file mode 100644 index 0000000..4437fb3 --- /dev/null +++ b/src/responder/ifp/org.freedesktop.sssd.infopipe.conf @@ -0,0 +1,47 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.service b/src/responder/ifp/org.freedesktop.sssd.infopipe.service new file mode 100644 index 0000000..986607e --- /dev/null +++ b/src/responder/ifp/org.freedesktop.sssd.infopipe.service @@ -0,0 +1,5 @@ +[D-BUS Service] +Name=org.freedesktop.sssd.infopipe +Exec=/usr/local/libexec/sssd/sss_signal +User=root + diff --git a/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in b/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in new file mode 100644 index 0000000..ee77f41 --- /dev/null +++ b/src/responder/ifp/org.freedesktop.sssd.infopipe.service.in @@ -0,0 +1,5 @@ +[D-BUS Service] +Name=org.freedesktop.sssd.infopipe +Exec=@ifp_exec_cmd@ +User=root +@ifp_systemdservice@ 
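Review bot: `ifp_add_value_to_dict` and `ifp_add_ldb_el_to_dict` return `ENOMEM` from any failed `dbus_message_iter_*` call while the dict-entry, variant and array containers they opened are still open, so the caller is left holding a half-built reply. The caller visible earlier in this patch, `ifp_user_get_attr_handle_reply`, only logs the failure and keeps appending to the same `iter_dict`, although libdbus documents a message as unusable once an append has failed. Each failure path should unwind the containers opened so far with `dbus_message_iter_abandon_container()`, and the caller should then drop the reply rather than send it. In `ifp_add_ldb_el_to_dict` the values are taken from `el->values[i].data` and appended as `DBUS_TYPE_STRING` with no check that they are NUL-terminated valid UTF-8; if cached attributes can hold binary data, that is presumably the likeliest way to reach this path. The fence shows the unwinding for the value loop only; earlier failure points would abandon just the containers already open.

```c
    /* … unchanged: open dict entry, append key, open variant and array … */
    for (i = 0; i < el->num_values; i++) {
        /* … unchanged: trace message … */
        dbret = dbus_message_iter_append_basic(&iter_array,
                                               DBUS_TYPE_STRING,
                                               &(el->values[i].data));
        if (!dbret) {
            goto abandon_array;
        }
    }
    /* … unchanged: close the three containers and return EOK … */

abandon_array:
    /* Innermost first; the message must not be sent after this. */
    dbus_message_iter_abandon_container(&iter_dict_val, &iter_array);
    dbus_message_iter_abandon_container(&iter_dict_entry, &iter_dict_val);
    dbus_message_iter_abandon_container(iter_dict, &iter_dict_entry);
    return ENOMEM;
```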
diff --git a/src/responder/kcm/kcm.c b/src/responder/kcm/kcm.c
new file mode 100644
index 0000000..a482234
--- /dev/null
+++ b/src/responder/kcm/kcm.c
@@ -0,0 +1,321 @@
+/*
+ SSSD
+
+ KCM Server - the mainloop and server setup
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+
+#include "responder/kcm/kcm.h"
+#include "responder/kcm/kcmsrv_ccache.h"
+#include "responder/kcm/kcmsrv_pvt.h"
+#include "responder/common/responder.h"
+#include "util/util.h"
+#include "util/sss_krb5.h"
+
+#define DEFAULT_KCM_FD_LIMIT 2048
+
+#ifndef SSS_KCM_SOCKET_NAME
+#define SSS_KCM_SOCKET_NAME DEFAULT_KCM_SOCKET_PATH
+#endif
+
+static int kcm_responder_ctx_destructor(void *ptr)
+{
+ struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx);
+
+ /* mark that we are shutting down the responder, so it is propagated
+ * into underlying contexts that are freed right before rctx */
+ DEBUG(SSSDBG_TRACE_FUNC, "Responder is being shut down\n");
+ rctx->shutting_down = true;
+
+ return 0;
+}
+
+static errno_t kcm_get_ccdb_be(struct kcm_ctx *kctx)
+{
+ errno_t ret;
+ char *str_db;
+
+ ret = confdb_get_string(kctx->rctx->cdb,
+ kctx->rctx,
+ kctx->rctx->confdb_service_path,
+ CONFDB_KCM_DB,
+ "secrets",
+ &str_db);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the KCM database type [%d]: %s\n",
+ ret, strerror(ret));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_CONF_SETTINGS, "KCM database type: %s\n", str_db);
+ if (strcasecmp(str_db, "memory") == 0) {
+ kctx->cc_be = CCDB_BE_MEMORY;
+ return EOK;
+ } else if 
(strcasecmp(str_db, "secrets") == 0) {
+ kctx->cc_be = CCDB_BE_SECRETS;
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected KCM database type %s\n", str_db);
+ return EOK;
+}
+
+static int kcm_get_config(struct kcm_ctx *kctx)
+{
+ int ret;
+ char *sock_name;
+
+ ret = confdb_get_int(kctx->rctx->cdb,
+ CONFDB_KCM_CONF_ENTRY,
+ CONFDB_SERVICE_FD_LIMIT,
+ DEFAULT_KCM_FD_LIMIT,
+ &kctx->fd_limit);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to get file descriptors limit\n");
+ goto done;
+ }
+
+ ret = confdb_get_int(kctx->rctx->cdb,
+ kctx->rctx->confdb_service_path,
+ CONFDB_RESPONDER_CLI_IDLE_TIMEOUT,
+ CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT,
+ &kctx->rctx->client_idle_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get the client idle timeout [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* Ensure that the client timeout is at least ten seconds */
+ if (kctx->rctx->client_idle_timeout < 10) {
+ kctx->rctx->client_idle_timeout = 10;
+ }
+
+ ret = confdb_get_string(kctx->rctx->cdb,
+ kctx->rctx,
+ kctx->rctx->confdb_service_path,
+ CONFDB_KCM_SOCKET,
+ SSS_KCM_SOCKET_NAME,
+ &sock_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get KCM socket path [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ kctx->rctx->sock_name = sock_name;
+
+ ret = kcm_get_ccdb_be(kctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get KCM ccache DB [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ if (kctx->cc_be == CCDB_BE_SECRETS) {
+ ret = responder_setup_idle_timeout_config(kctx->rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot set up idle responder timeout\n");
+ /* Not fatal */
+ }
+ }
+
+ kctx->qctx = kcm_ops_queue_create(kctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot create KCM request queue [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ ret = EOK;
+done:
+ return ret;
+}
+
+static int kcm_data_destructor(void *ptr)
+{
+ struct kcm_resp_ctx 
*kcm_data = talloc_get_type(ptr, struct kcm_resp_ctx);
+
+ if (kcm_data != NULL) {
+ krb5_free_context(kcm_data->k5c);
+ }
+ return 0;
+}
+
+static struct kcm_resp_ctx *kcm_data_setup(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ enum kcm_ccdb_be cc_be)
+{
+ struct kcm_resp_ctx *kcm_data;
+ krb5_error_code kret;
+
+ kcm_data = talloc_zero(mem_ctx, struct kcm_resp_ctx);
+ if (kcm_data == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing kcm data\n");
+ return NULL;
+ }
+
+ kcm_data->db = kcm_ccdb_init(kcm_data, ev, cc_be);
+ if (kcm_data->db == NULL) {
+ talloc_free(kcm_data);
+ return NULL;
+ }
+
+ kret = sss_krb5_init_context(&kcm_data->k5c);
+ if (kret != EOK) {
+ talloc_free(kcm_data);
+ return NULL;
+ }
+ talloc_set_destructor((TALLOC_CTX*)kcm_data, kcm_data_destructor);
+
+ return kcm_data;
+}
+
+static int kcm_process_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct confdb_ctx *cdb)
+{
+ struct resp_ctx *rctx;
+ struct kcm_ctx *kctx;
+ int ret;
+
+ rctx = talloc_zero(mem_ctx, struct resp_ctx);
+ if (rctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing resp_ctx\n");
+ return ENOMEM;
+ }
+ rctx->ev = ev;
+ rctx->cdb = cdb;
+ rctx->confdb_service_path = CONFDB_KCM_CONF_ENTRY;
+ rctx->shutting_down = false;
+ rctx->lfd = -1;
+ rctx->priv_lfd = -1;
+
+ talloc_set_destructor((TALLOC_CTX*)rctx, kcm_responder_ctx_destructor);
+
+ kctx = talloc_zero(rctx, struct kcm_ctx);
+ if (kctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing kcm_ctx\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ kctx->rctx = rctx;
+ kctx->rctx->pvt_ctx = kctx;
+
+ ret = kcm_get_config(kctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting KCM config\n");
+ goto fail;
+ }
+
+ kctx->kcm_data = kcm_data_setup(kctx, ev, kctx->cc_be);
+ if (kctx->kcm_data == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "fatal error initializing responder data\n");
+ ret = EIO;
+ goto fail;
+ }
+
+ /* Set up file descriptor limits */ 
+ responder_set_fd_limit(kctx->fd_limit);
+
+ ret = activate_unix_sockets(rctx, kcm_connection_setup);
+ if (ret != EOK) goto fail;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "KCM Initialization complete\n");
+
+ return EOK;
+
+fail:
+ talloc_free(rctx);
+ return ret;
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ char *opt_logger = NULL;
+ struct main_context *main_ctx;
+ int ret;
+ uid_t uid;
+ gid_t gid;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
+ SSSD_SERVER_OPTS(uid, gid)
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ umask(DFL_RSP_UMASK);
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ poptFreeContext(pc);
+
+ DEBUG_INIT(debug_level);
+
+ /* set up things like debug, signals, daemonization, etc. */
+ debug_log_file = "sssd_kcm";
+
+ sss_set_logger(opt_logger);
+
+ ret = server_setup("sssd[kcm]", 0, uid, gid, CONFDB_KCM_CONF_ENTRY,
+ &main_ctx);
+ if (ret != EOK) return 2;
+
+ ret = die_if_parent_died();
+ if (ret != EOK) {
+ /* This is not fatal, don't return */
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not set up to exit when parent process does\n");
+ }
+
+ ret = kcm_process_init(main_ctx,
+ main_ctx->event_ctx,
+ main_ctx->confdb_ctx);
+ if (ret != EOK) return 3;
+
+ /* loop on main */
+ server_loop(main_ctx);
+
+ return 0;
+}
diff --git a/src/responder/kcm/kcm.h b/src/responder/kcm/kcm.h
new file mode 100644
index 0000000..1ea7e9b
--- /dev/null
+++ b/src/responder/kcm/kcm.h
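Review bot: In `kcm_get_config` the result of `kcm_ops_queue_create(kctx)` is never tested, because the `if (ret != EOK)` that follows re-reads the `ret` left over from `kcm_get_ccdb_be()` or from the `responder_setup_idle_timeout_config()` call that the code itself marks "Not fatal". A NULL queue is therefore accepted, and a non-fatal idle-timeout failure is turned into a startup failure with a misleading message; the check should read `if (kctx->qctx == NULL) {` with `ret = ENOMEM;` set before `goto done;`. In the same hunk `kcm_get_ccdb_be` logs `SSSDBG_FATAL_FAILURE` for an unrecognised database type but then returns `EOK`, which leaves `kctx->cc_be` at the zero value from `talloc_zero`. Ending that path with `return EINVAL;` would make a mistyped setting fail closed instead of silently selecting whichever credential-cache backend has enum value 0.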
@@ -0,0 +1,97 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/* include/kcm.h - Kerberos cache manager protocol declarations */
+/*
+ * Copyright (C) 2014 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef KCM_H
+#define KCM_H
+
+#define KCM_PROTOCOL_VERSION_MAJOR 2
+#define KCM_PROTOCOL_VERSION_MINOR 0
+
+#define KCM_UUID_LEN 16
+
+/* This should ideally be in RUNSTATEDIR, but Heimdal uses a hardcoded
+ * /var/run, and we need to use the same default path. */
+#define DEFAULT_KCM_SOCKET_PATH "/var/run/.heim_org.h5l.kcm-socket"
+#define DEFAULT_KCM_MACH_SERVICE "org.h5l.kcm"
+
+/*
+ * All requests begin with:
+ * major version (1 bytes)
+ * minor version (1 bytes)
+ * opcode (16-bit big-endian)
+ *
+ * All replies begin with a 32-bit big-endian reply code.
+ *
+ * Parameters are appended to the request or reply with no delimiters. Flags
+ * and time offsets are stored as 32-bit big-endian integers. Names are
+ * marshalled as zero-terminated strings. Principals and credentials are
+ * marshalled in the v4 FILE ccache format. UUIDs are 16 bytes. UUID lists
+ * are not delimited, so nothing can come after them.
+ */
+
+/* Opcodes without comments are currently unused in the MIT client
+ * implementation. */
+typedef enum kcm_opcode {
+ KCM_OP_NOOP,
+ KCM_OP_GET_NAME,
+ KCM_OP_RESOLVE,
+ KCM_OP_GEN_NEW, /* 0x3 () -> (name) */
+ KCM_OP_INITIALIZE, /* 0x4 (name, princ) -> () */
+ KCM_OP_DESTROY, /* 0x4 (name) -> () */
+ KCM_OP_STORE, /* 0x6 (name, cred) -> () */
+ KCM_OP_RETRIEVE,
+ KCM_OP_GET_PRINCIPAL, /* 0x8 (name) -> (princ) */
+ KCM_OP_GET_CRED_UUID_LIST, /* 0x9 (name) -> (uuid, ...) */
+ KCM_OP_GET_CRED_BY_UUID, /* 0xa (name, uuid) -> (cred) */
+ KCM_OP_REMOVE_CRED, /* (name, flags, credtag) -> () */
+ KCM_OP_SET_FLAGS,
+ KCM_OP_CHOWN,
+ KCM_OP_CHMOD,
+ KCM_OP_GET_INITIAL_TICKET,
+ KCM_OP_GET_TICKET,
+ KCM_OP_MOVE_CACHE,
+ KCM_OP_GET_CACHE_UUID_LIST, /* 0x12 () -> (uuid, ...) */
+ KCM_OP_GET_CACHE_BY_UUID, /* 0x13 (uuid) -> (name) */
+ KCM_OP_GET_DEFAULT_CACHE, /* 0x14 () -> (name) */
+ KCM_OP_SET_DEFAULT_CACHE, /* 0x15 (name) -> () */
+ KCM_OP_GET_KDC_OFFSET, /* 0x16 (name) -> (offset) */
+ KCM_OP_SET_KDC_OFFSET, /* 0x17 (name, offset) -> () */
+ KCM_OP_ADD_NTLM_CRED,
+ KCM_OP_HAVE_NTLM_CRED,
+ KCM_OP_DEL_NTLM_CRED,
+ KCM_OP_DO_NTLM_AUTH,
+ KCM_OP_GET_NTLM_USER_LIST,
+
+ KCM_OP_SENTINEL, /* SSSD addition, not in the MIT header */
+} kcm_opcode;
+
+#endif /* KCM_H */
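Review bot: The comment on `KCM_OP_DESTROY` gives its opcode as `0x4`, the same number as `KCM_OP_INITIALIZE` one line above; counting enumerators from `KCM_OP_NOOP` = 0, DESTROY is 0x5, so the comment should read `/* 0x5 (name) -> () */`, and `KCM_OP_REMOVE_CRED` (0xb by the same count) has no number in its comment at all. Every value in this enum is a wire opcode fixed only by declaration order, so an enumerator added or dropped mid-list would silently renumber all later operations; writing `KCM_OP_NOOP = 0,` and adding a build-time check such as `_Static_assert(KCM_OP_SET_KDC_OFFSET == 0x17, "KCM opcode numbering changed");` after the typedef would catch that. `KCM_OP_SENTINEL` presumably bounds the valid opcode range for the request dispatcher (not visible in this hunk); a comment stating that opcodes read off the socket must be rejected when `>= KCM_OP_SENTINEL` would document that contract.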
diff --git a/src/responder/kcm/kcmsrv_ccache.c b/src/responder/kcm/kcmsrv_ccache.c
new file mode 100644
index 0000000..87a9bab
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ccache.c
@@ -0,0 +1,1432 @@
+/*
+ SSSD
+
+ KCM Server - the KCM ccache operations
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include "util/crypto/sss_crypto.h"
+#include "util/util.h"
+#include "util/sss_krb5.h"
+#include "responder/kcm/kcmsrv_ccache.h"
+#include "responder/kcm/kcmsrv_ccache_pvt.h"
+#include "responder/kcm/kcmsrv_ccache_be.h"
+
+static int kcm_cc_destructor(struct kcm_ccache *cc)
+{
+ if (cc == NULL) {
+ return 0;
+ }
+
+ krb5_free_principal(NULL, cc->client);
+ return 0;
+}
+
+errno_t kcm_cc_new(TALLOC_CTX *mem_ctx,
+ krb5_context k5c,
+ struct cli_creds *owner,
+ const char *name,
+ krb5_principal princ,
+ struct kcm_ccache **_cc)
+{
+ struct kcm_ccache *cc = NULL;
+ krb5_error_code kret;
+ errno_t ret;
+
+ cc = talloc_zero(mem_ctx, struct kcm_ccache);
+ if (cc == NULL) {
+ return ENOMEM;
+ }
+
+ ret = kcm_check_name(name, owner);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Name %s is malformed\n", name);
+ goto done;
+ }
+
+ cc->name = talloc_strdup(cc, name);
+ if (cc->name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ uuid_generate(cc->uuid);
+
+ kret = krb5_copy_principal(k5c, princ, &cc->client);
+ if (kret != 0) {
+ const char *err_msg = sss_krb5_get_error_message(k5c, kret);
+ DEBUG(SSSDBG_OP_FAILURE,
+ "krb5_copy_principal failed: [%d][%s]\n", kret, err_msg);
+ sss_krb5_free_error_message(k5c, err_msg);
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ cc->owner.uid = cli_creds_get_uid(owner);
+ cc->owner.gid = cli_creds_get_gid(owner);
+ cc->kdc_offset = INT32_MAX;
+
+ talloc_set_destructor(cc, kcm_cc_destructor);
+ *_cc = cc;
+ ret = EOK;
+done:
+ if (ret != EOK) {
+ talloc_free(cc);
+ }
+ return ret;
+}
+
+const char *kcm_cc_get_name(struct kcm_ccache *cc)
+{
+ return cc ? cc->name : NULL;
+}
+
+errno_t kcm_cc_get_uuid(struct kcm_ccache *cc, uuid_t _uuid)
+{
+ if (cc == NULL) {
+ return EINVAL;
+ }
+ uuid_copy(_uuid, cc->uuid);
+ return EOK;
+}
+
+krb5_principal kcm_cc_get_client_principal(struct kcm_ccache *cc)
+{
+ return cc ? cc->client : NULL;
+}
+
+bool kcm_cc_access(struct kcm_ccache *cc,
+ struct cli_creds *client)
+{
+ bool ok;
+ uid_t uid = cli_creds_get_uid(client);
+ gid_t gid = cli_creds_get_gid(client);
+
+ if (cc == NULL) {
+ return false;
+ }
+
+ if (uid == 0 && gid == 0) {
+ /* root can access any ccache */
+ return true;
+ }
+
+ ok = ((cc->owner.uid == uid) && (cc->owner.gid == gid));
+ if (!ok) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Client %"SPRIuid":%"SPRIgid" has no access to ccache %s\n",
+ cli_creds_get_uid(client),
+ cli_creds_get_gid(client),
+ cc->name);
+ }
+ return ok;
+}
+
+int32_t kcm_cc_get_offset(struct kcm_ccache *cc)
+{
+ return cc ? cc->kdc_offset : INT32_MAX;
+}
+
+errno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc,
+ struct sss_iobuf *cred_blob)
+{
+ struct kcm_cred *kcreds;
+ uuid_t uuid;
+ errno_t ret;
+
+ if (cc == NULL || cred_blob == NULL) {
+ return EINVAL;
+ }
+
+ uuid_generate(uuid);
+ kcreds = kcm_cred_new(cc, uuid, cred_blob);
+ if (kcreds == NULL) {
+ return ENOMEM;
+ }
+
+ ret = kcm_cc_store_creds(cc, kcreds);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+struct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc)
+{
+ if (cc == NULL) {
+ return NULL;
+ }
+
+ return cc->creds;
+}
+
+struct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd)
+{
+ if (crd == NULL) {
+ return NULL;
+ }
+
+ return crd->next;
+}
+
+struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx,
+ uuid_t uuid,
+ struct sss_iobuf *cred_blob)
+{
+ struct kcm_cred *kcreds;
+
+ kcreds = talloc_zero(mem_ctx, struct kcm_cred);
+ if (kcreds == NULL) {
+ return NULL;
+ }
+
+ uuid_copy(kcreds->uuid, uuid);
+ kcreds->cred_blob = talloc_steal(kcreds, cred_blob);
+ return kcreds;
+}
+
+/* Add a cred to ccache */
+errno_t kcm_cc_store_creds(struct kcm_ccache *cc,
+ struct kcm_cred *crd)
+{
+ DLIST_ADD(cc->creds, crd);
+ talloc_steal(cc, crd);
+ return EOK;
+}
+
+errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t _uuid)
+{
+ if (crd == NULL) {
+ return EINVAL;
+ }
+ uuid_copy(_uuid, crd->uuid);
+ return EOK;
+}
+
+struct sss_iobuf *kcm_cred_get_creds(struct kcm_cred *crd)
+{
+ return crd ? crd->cred_blob : NULL;
+}
+
+struct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ enum kcm_ccdb_be cc_be)
+{
+ errno_t ret;
+ struct kcm_ccdb *ccdb = NULL;
+
+ if (ev == NULL) {
+ return NULL;
+ }
+
+ ccdb = talloc_zero(mem_ctx, struct kcm_ccdb);
+ if (ccdb == NULL) {
+ return NULL;
+ }
+ ccdb->ev = ev;
+
+ switch (cc_be) {
+ case CCDB_BE_MEMORY:
+ DEBUG(SSSDBG_FUNC_DATA, "KCM back end: memory\n");
+ ccdb->ops = &ccdb_mem_ops;
+ break;
+ case CCDB_BE_SECRETS:
+ DEBUG(SSSDBG_FUNC_DATA, "KCM back end: sssd-secrets\n");
+ ccdb->ops = &ccdb_sec_ops;
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unknown ccache database\n");
+ break;
+ }
+
+ if (ccdb->ops == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Ccache database not initialized\n");
+ talloc_free(ccdb);
+ return NULL;
+ }
+
+ ret = ccdb->ops->init(ccdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize ccache database\n");
+ talloc_free(ccdb);
+ return NULL;
+ }
+
+ return ccdb;
+}
+
+struct kcm_ccdb_nextid_state {
+ char *next_cc;
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+};
+
+static void kcm_ccdb_nextid_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_nextid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_nextid_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_nextid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->client = client;
+
+ if (ev == NULL || db == NULL || client == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = state->db->ops->nextid_send(state, ev, state->db, client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_nextid_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_nextid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_nextid_state *state = tevent_req_data(req,
+ struct kcm_ccdb_nextid_state);
+ errno_t ret;
+ unsigned int nextid;
+
+ ret = state->db->ops->nextid_recv(subreq, &nextid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to generate next UID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->next_cc = talloc_asprintf(state, "%"SPRIuid":%u",
+ cli_creds_get_uid(state->client),
+ nextid);
+ if (state->next_cc == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed\n");
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "generated %s\n", state->next_cc);
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_nextid_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ char **_next_cc)
+{
+ struct kcm_ccdb_nextid_state *state = tevent_req_data(req,
+ struct kcm_ccdb_nextid_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_next_cc = talloc_steal(mem_ctx, state->next_cc);
+ return EOK;
+}
+
+struct kcm_ccdb_list_state {
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+
+ uuid_t *uuid_list;
+};
+
+static void kcm_ccdb_list_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_list_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->client = client;
+
+ if (ev == NULL || db == NULL || client == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = state->db->ops->list_send(state,
+ ev,
+ state->db,
+ client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_list_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_list_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_list_state *state = tevent_req_data(req,
+ struct kcm_ccdb_list_state);
+ errno_t ret;
+
+ ret = state->db->ops->list_recv(subreq, state, &state->uuid_list);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to list all ccaches [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_list_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uuid_t **_uuid_list)
+{
+ struct kcm_ccdb_list_state *state = tevent_req_data(req,
+ struct kcm_ccdb_list_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_uuid_list = talloc_steal(mem_ctx, state->uuid_list);
+ return EOK;
+}
+
+struct kcm_ccdb_get_default_state {
+ struct kcm_ccdb *db;
+ uuid_t uuid;
+};
+
+static void kcm_ccdb_get_default_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_get_default_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_get_default_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_get_default_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+
+ if (ev == NULL || db == NULL || client == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = db->ops->get_default_send(state, ev, db, client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_get_default_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_get_default_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_get_default_state *state = tevent_req_data(req,
+ struct kcm_ccdb_get_default_state);
+ errno_t ret;
+
+ ret = state->db->ops->get_default_recv(subreq, state->uuid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get the default ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_get_default_recv(struct tevent_req *req,
+ uuid_t *uuid)
+{
+ struct kcm_ccdb_get_default_state *state = tevent_req_data(req,
+ struct kcm_ccdb_get_default_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (uuid != NULL) {
+ /* The caller might supply a NULL dfl to just check if there is
+ * some default ccache
+ */
+ uuid_copy(*uuid, state->uuid);
+ }
+
+ return EOK;
+}
+
+struct kcm_ccdb_set_default_state {
+ struct tevent_context *ev;
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+ uuid_t uuid;
+};
+
+static void kcm_ccdb_set_default_uuid_resolved(struct tevent_req *subreq);
+static void kcm_ccdb_set_default_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_set_default_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_set_default_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_set_default_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->ev = ev;
+ state->client = client;
+ uuid_copy(state->uuid, uuid);
+
+ if (ev == NULL || db == NULL || client == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ if (uuid_is_null(uuid)) {
+ /* NULL UUID means to just reset the default to 'no default' */
+ subreq = state->db->ops->set_default_send(state,
+ state->ev,
+ state->db,
+ state->client,
+ state->uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_set_default_done, req);
+ } else {
+ /* Otherwise we need to check if the client can access the UUID
+ * about to be set as default
+ */
+ subreq = db->ops->getbyuuid_send(state, ev, db, client, uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_set_default_uuid_resolved, req);
+ }
+
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_set_default_uuid_resolved(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_set_default_state *state = tevent_req_data(req,
+ struct kcm_ccdb_set_default_state);
+ errno_t ret;
+ bool ok;
+ struct kcm_ccache *cc;
+
+ ret = state->db->ops->getbyuuid_recv(subreq, state, &cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get cache by UUID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (cc == NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS, "No cache found by UUID\n");
+ tevent_req_error(req, ERR_KCM_CC_END);
+ return;
+ }
+
+ ok = kcm_cc_access(cc, state->client);
+ if (!ok) {
+ tevent_req_error(req, EACCES);
+ return;
+ }
+
+ subreq = state->db->ops->set_default_send(state,
+ state->ev,
+ state->db,
+ state->client,
+ state->uuid);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_set_default_done, req);
+}
+
+static void kcm_ccdb_set_default_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_set_default_state *state = tevent_req_data(req,
+ struct kcm_ccdb_set_default_state);
+ errno_t ret;
+
+ ret = state->db->ops->set_default_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to set the default ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_set_default_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct kcm_ccdb_getbyname_state {
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+
+ struct kcm_ccache *cc;
+};
+
+static void kcm_ccdb_getbyname_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_getbyname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ const char *name)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_getbyname_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_getbyname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->client = client;
+
+ if (ev == NULL || db == NULL || client == NULL || name == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = db->ops->getbyname_send(state, ev, db, client, name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_getbyname_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_getbyname_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_getbyname_state *state = tevent_req_data(req,
+ struct kcm_ccdb_getbyname_state);
+ errno_t ret;
+ bool ok;
+
+ ret = state->db->ops->getbyname_recv(subreq, state, &state->cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get cache by name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->cc == NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS, "No cache found by name\n");
+ tevent_req_done(req);
+ return;
+ }
+
+ ok = kcm_cc_access(state->cc, state->client);
+ if (!ok) {
+ tevent_req_error(req, EACCES);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_getbyname_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc)
+{
+ struct kcm_ccdb_getbyname_state *state = tevent_req_data(req,
+ struct kcm_ccdb_getbyname_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_cc = talloc_steal(mem_ctx, state->cc);
+ return EOK;
+}
+
+struct kcm_ccdb_getbyuuid_state {
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+
+ struct kcm_ccache *cc;
+};
+
+static void kcm_ccdb_getbyuuid_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_getbyuuid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_getbyuuid_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_getbyuuid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->client = client;
+
+ if (ev == NULL || db == NULL || client == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = db->ops->getbyuuid_send(state, ev, db, client, uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_getbyuuid_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_getbyuuid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_getbyuuid_state *state = tevent_req_data(req,
+ struct kcm_ccdb_getbyuuid_state);
+ errno_t ret;
+ bool ok;
+
+ ret = state->db->ops->getbyuuid_recv(subreq, state, &state->cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get cache by UUID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->cc == NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS, "No cache found by UUID\n");
+ tevent_req_done(req);
+ return;
+ }
+
+ ok = kcm_cc_access(state->cc, state->client);
+ if (!ok) {
+ tevent_req_error(req, EACCES);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_getbyuuid_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc)
+{
+ struct kcm_ccdb_getbyuuid_state *state = tevent_req_data(req,
+ struct kcm_ccdb_getbyuuid_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_cc = talloc_steal(mem_ctx, state->cc);
+ return EOK;
+}
+
+struct kcm_ccdb_name_by_uuid_state {
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+
+ const char *name;
+};
+
+static void kcm_ccdb_name_by_uuid_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_name_by_uuid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_name_by_uuid_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx,
+ &state,
+ struct kcm_ccdb_name_by_uuid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->client = client;
+
+ if (ev == NULL || db == NULL || client == NULL || uuid_is_null(uuid)) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = db->ops->name_by_uuid_send(state, ev, db, client, uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_name_by_uuid_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_name_by_uuid_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_name_by_uuid_state *state = tevent_req_data(req,
+ struct kcm_ccdb_name_by_uuid_state);
+ errno_t ret;
+
+ ret = state->db->ops->name_by_uuid_recv(subreq, state, &state->name);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to resolve cache by UUID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_name_by_uuid_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ const char **_name)
+{
+ struct kcm_ccdb_name_by_uuid_state *state = tevent_req_data(req,
+ struct kcm_ccdb_name_by_uuid_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_name = talloc_steal(mem_ctx, state->name);
+ return EOK;
+}
+
+struct kcm_ccdb_uuid_by_name_state {
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+
+ uuid_t uuid;
+};
+
+static void kcm_ccdb_uuid_by_name_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_uuid_by_name_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ const char *name)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_uuid_by_name_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx,
+ &state,
+ struct kcm_ccdb_uuid_by_name_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->client = client;
+
+ if (ev == NULL || db == NULL || client == NULL || name == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = db->ops->uuid_by_name_send(state, ev, db, client, name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_uuid_by_name_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_uuid_by_name_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_uuid_by_name_state *state = tevent_req_data(req,
+ struct kcm_ccdb_uuid_by_name_state);
+ errno_t ret;
+
+ ret = state->db->ops->uuid_by_name_recv(subreq, state, state->uuid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to resolve cache by UUID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_uuid_by_name_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uuid_t _uuid)
+{
+ struct kcm_ccdb_uuid_by_name_state *state = tevent_req_data(req,
+ struct kcm_ccdb_uuid_by_name_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ uuid_copy(_uuid, state->uuid);
+ return EOK;
+}
+
+struct kcm_ccdb_create_cc_state {
+ struct kcm_ccdb *db;
+};
+
+static void kcm_ccdb_create_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_create_cc_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ struct kcm_ccache *cc)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_create_cc_state *state = NULL;
+ errno_t ret;
+ bool ok;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_create_cc_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+
+ if (ev == NULL || db == NULL || client == NULL || cc == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ ok = kcm_cc_access(cc, client);
+ if (!ok) {
+ ret = EACCES;
+ goto immediate;
+ }
+
+ subreq = state->db->ops->create_send(state,
+ ev,
+ state->db,
+ client,
+ cc);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_create_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_create_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_create_cc_state *state = tevent_req_data(req,
+ struct kcm_ccdb_create_cc_state);
+ errno_t ret;
+
+ ret = state->db->ops->create_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_create_cc_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+void kcm_mod_ctx_clear(struct kcm_mod_ctx *mod_ctx)
+{
+ if (mod_ctx == NULL) {
+ return;
+ }
+
+ mod_ctx->kdc_offset = INT32_MAX;
+}
+
+void kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx)
+{
+ if (cc == NULL || mod_ctx == NULL) {
+ return;
+ }
+
+ if (mod_ctx->kdc_offset != INT32_MAX) {
+ cc->kdc_offset = mod_ctx->kdc_offset;
+ }
+
+}
+
+struct kcm_ccdb_mod_cc_state {
+ struct kcm_ccdb *db;
+};
+
+static void kcm_ccdb_mod_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_mod_cc_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid,
+ struct kcm_mod_ctx *mod_cc)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_mod_cc_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_mod_cc_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+
+ if (ev == NULL || db == NULL || client == NULL || mod_cc == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = state->db->ops->mod_send(state,
+ ev,
+ state->db,
+ client,
+ uuid,
+ mod_cc);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_mod_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_mod_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_mod_cc_state *state = tevent_req_data(req,
+ struct kcm_ccdb_mod_cc_state);
+ errno_t ret;
+
+ ret = state->db->ops->mod_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_mod_cc_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct kcm_ccdb_store_cred_blob_state {
+ struct kcm_ccdb *db;
+};
+
+static void kcm_ccdb_store_cred_blob_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_store_cred_blob_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid,
+ struct sss_iobuf *cred_blob)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_store_cred_blob_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_store_cred_blob_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+
+ if (ev == NULL || db == NULL || client == NULL || cred_blob == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = state->db->ops->store_cred_send(state,
+ ev,
+ state->db,
+ client,
+ uuid,
+ cred_blob);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_store_cred_blob_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_store_cred_blob_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_store_cred_blob_state *state = tevent_req_data(req,
+ struct kcm_ccdb_store_cred_blob_state);
+ errno_t ret;
+
+ ret = state->db->ops->store_cred_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to create ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_store_cred_blob_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+struct kcm_ccdb_delete_cc_state {
+ struct tevent_context *ev;
+ struct kcm_ccdb *db;
+ struct cli_creds *client;
+ uuid_t uuid;
+};
+
+static void kcm_ccdb_delete_done(struct tevent_req *subreq);
+static void kcm_ccdb_delete_get_default_done(struct tevent_req *subreq);
+static void kcm_ccdb_delete_default_reset_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_ccdb_delete_cc_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_ccdb_delete_cc_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_ccdb_delete_cc_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->db = db;
+ state->ev = ev;
+ state->client = client;
+ uuid_copy(state->uuid, uuid);
+
+ if (ev == NULL || db == NULL || client == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = state->db->ops->delete_send(state,
+ state->ev,
+ state->db,
+ state->client,
+ state->uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_delete_done, req);
+
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_ccdb_delete_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_delete_cc_state *state = tevent_req_data(req,
+ struct kcm_ccdb_delete_cc_state);
+ errno_t ret;
+
+ ret = state->db->ops->delete_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to delete ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* The delete operation must also check if the deleted ccache was
+ * the default and reset the default if it was
+ */
+ subreq = state->db->ops->get_default_send(state,
+ state->ev,
+ state->db,
+ state->client);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_delete_get_default_done, req);
+}
+
+static void kcm_ccdb_delete_get_default_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_delete_cc_state *state = tevent_req_data(req,
+ struct kcm_ccdb_delete_cc_state);
+ errno_t ret;
+ uuid_t dfl_uuid;
+ uuid_t null_uuid;
+
+ ret = state->db->ops->get_default_recv(subreq, dfl_uuid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to get the default ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (uuid_compare(dfl_uuid, state->uuid) != 0) {
+ /* The ccache about to be deleted was not the default, quit */
+ tevent_req_done(req);
+ return;
+ }
+
+ /* If we deleted the default ccache, reset the default ccache to 'none' */
+ uuid_clear(null_uuid);
+
+ subreq = state->db->ops->set_default_send(state,
+ state->ev,
+ state->db,
+ state->client,
+ null_uuid);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_ccdb_delete_default_reset_done, req);
+}
+
+static void kcm_ccdb_delete_default_reset_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_ccdb_delete_cc_state *state = tevent_req_data(req,
+ struct kcm_ccdb_delete_cc_state);
+ errno_t ret;
+
+ ret = state->db->ops->set_default_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to NULL the default ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_ccdb_delete_cc_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+void
kcm_debug_uuid(uuid_t uuid)
+{
+ char dbgbuf[UUID_STR_SIZE];
+
+ if (!(debug_level & SSSDBG_TRACE_ALL) || uuid == NULL) {
+ return;
+ }
+
+ uuid_unparse(uuid, dbgbuf);
+ DEBUG(SSSDBG_TRACE_ALL, "UUID: %s\n", dbgbuf);
+}
+
+errno_t kcm_check_name(const char *name, struct cli_creds *client)
+{
+ char prefix[64];
+ size_t prefix_len;
+
+ prefix_len = snprintf(prefix, sizeof(prefix),
+ "%"SPRIuid, cli_creds_get_uid(client));
+
+ if (strncmp(name, prefix, prefix_len) != 0) {
+ return ERR_KCM_WRONG_CCNAME_FORMAT;
+ }
+ return EOK;
+}
diff --git a/src/responder/kcm/kcmsrv_ccache.h b/src/responder/kcm/kcmsrv_ccache.h
new file mode 100644
index 0000000..36c481c
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ccache.h
@@ -0,0 +1,351 @@ +/* + SSSD + + KCM Server - the KCM ccache operations + + Copyright (C) Red Hat, 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#ifndef _KCMSRV_CCACHE_H_ +#define _KCMSRV_CCACHE_H_ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "util/sss_iobuf.h" +#include "util/util_creds.h" +#include "responder/kcm/kcmsrv_pvt.h" + +#define UUID_BYTES 16 +#define UUID_STR_SIZE 37 + +/* + * Credentials are opaque to the KCM server + * + * Each ccache has a unique UUID. + */ +struct kcm_cred; + +/* + * An opaque ccache type and its operations + * + * Contains zero or some KCM credentials. One credential in the cache + * is marked as the default one. The client can set and get the default + * cache (e.g. with kswitch) but one cache is always the default -- we + * fall back to the one created first. + * + * Each cache has a name and a UUID. Heimdal allows the name to be changed, + * we don't (yet, because the MIT client doesn't allow that either) + * + * Each ccache also stores a client principal. + */ +struct kcm_ccache; + +/* + * Create a new KCM ccache owned by mem_ctx on the + * memory level. + * + * When created, the ccache contains no credendials + */ +errno_t kcm_cc_new(TALLOC_CTX *mem_ctx, + krb5_context k5c, + struct cli_creds *owner, + const char *name, + krb5_principal princ, + struct kcm_ccache **_cc); + +/* + * Returns true if a client can access a ccache. 
+ * + * Note that root can access any ccache */ +bool kcm_cc_access(struct kcm_ccache *cc, + struct cli_creds *client); + +/* + * Since the kcm_ccache structure is opaque, the kcmsrv_ccache + * layer contains a number of getsetters to read and write + * properties of the kcm_ccache structure + */ +const char *kcm_cc_get_name(struct kcm_ccache *cc); +errno_t kcm_cc_get_uuid(struct kcm_ccache *cc, uuid_t _uuid); +krb5_principal kcm_cc_get_client_principal(struct kcm_ccache *cc); +int32_t kcm_cc_get_offset(struct kcm_ccache *cc); + +/* Mainly useful for creating a cred structure from a persistent + * storage + */ +struct kcm_cred *kcm_cred_new(TALLOC_CTX *mem_ctx, + uuid_t uuid, + struct sss_iobuf *cred_blob); + +/* Add a cred to ccache */ +errno_t kcm_cc_store_creds(struct kcm_ccache *cc, + struct kcm_cred *crd); + +errno_t kcm_cred_get_uuid(struct kcm_cred *crd, uuid_t uuid); + +/* + * At the moment, the credentials are stored without unmarshalling + * them, just as the clients sends the credentials. + */ +struct sss_iobuf *kcm_cred_get_creds(struct kcm_cred *crd); +errno_t kcm_cc_store_cred_blob(struct kcm_ccache *cc, + struct sss_iobuf *cred_blob); + /* + * The KCM server can call kcm_cred_get_creds to fetch the first + * credential, then iterate over the credentials with + * kcm_cc_next_cred until it returns NULL + */ +struct kcm_cred *kcm_cc_get_cred(struct kcm_ccache *cc); +struct kcm_cred *kcm_cc_next_cred(struct kcm_cred *crd); + +/* An opaque database that contains all the ccaches */ +struct kcm_ccdb; + +/* + * Initialize a ccache database of type cc_be + */ +struct kcm_ccdb *kcm_ccdb_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + enum kcm_ccdb_be cc_be); + +/* + * In KCM, each ccache name is usually in the form of "UID: + * + * The is generated by the KCM ccache database. 
Use this function + * to retrieve the next number + */ +struct tevent_req *kcm_ccdb_nextid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client); +errno_t kcm_ccdb_nextid_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + char **_nextid); + +/* + * List all ccaches that belong to a given client + * + * The cc_list the recv function returns is NULL-terminated. + * + * NOTE: Contrary to how Heimdal behaves, root CAN NOT list all ccaches + * of all users. This is a deliberate decision to treat root as any other + * user, except it can access a ccache of another user by name, just not + * list them. + * + * If a client has no ccaches, the function returns OK, but an empty list + * containing just the NULL sentinel. + */ +struct tevent_req *kcm_ccdb_list_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client); +errno_t kcm_ccdb_list_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uuid_t **_uuid_list); + +/* + * Retrieve a ccache by name. + * + * If there is no such ccache, return EOK, but a NULL _cc pointer + */ +struct tevent_req *kcm_ccdb_getbyname_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + const char *name); +errno_t kcm_ccdb_getbyname_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct kcm_ccache **_cc); + +/* + * Retrieve a ccache by UUID + * + * If there is no such ccache, return EOK, but a NULL _cc pointer + */ +struct tevent_req *kcm_ccdb_getbyuuid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid); +errno_t kcm_ccdb_getbyuuid_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct kcm_ccache **_cc); + +/* + * Retrieve the default ccache. If there is no default cache, + * return EOK, but a NULL UUID. 
+ */ +struct tevent_req *kcm_ccdb_get_default_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client); +errno_t kcm_ccdb_get_default_recv(struct tevent_req *req, + uuid_t *uuid); + +/* + * Translating name to UUID is often considerably faster than doing a full + * CC retrieval, hence this function and the converse. If the UUID cannot + * be found in the database, return ERR_KCM_CC_END + */ +struct tevent_req *kcm_ccdb_name_by_uuid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid); +errno_t kcm_ccdb_name_by_uuid_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + const char **_name); + +/* + * Translating UUID to name is often considerably faster than doing a full + * CC retrieval, hence this function and the converse. If the UUID cannot + * be found in the database, return ERR_KCM_CC_END + */ +struct tevent_req *kcm_ccdb_uuid_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + const char *name); +errno_t kcm_ccdb_uuid_by_name_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uuid_t _uuid); + +/* + * Set the default ccache. Passing a NULL UUID is a legal operation + * that 'unsets' the default ccache. + */ +struct tevent_req *kcm_ccdb_set_default_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid); +errno_t kcm_ccdb_set_default_recv(struct tevent_req *req); + +/* + * Add a ccache to the database. 
+ */ +struct tevent_req *kcm_ccdb_create_cc_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + struct kcm_ccache *cc); +errno_t kcm_ccdb_create_cc_recv(struct tevent_req *req); + +/* + * Modify cache properties in a db + */ +struct kcm_mod_ctx { + int32_t kdc_offset; + /* More settable properties (like name, when we support renames + * will be added later + */ +}; + +void kcm_mod_ctx_clear(struct kcm_mod_ctx *mod_ctx); +void kcm_mod_cc(struct kcm_ccache *cc, struct kcm_mod_ctx *mod_ctx); + +struct tevent_req *kcm_ccdb_mod_cc_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid, + struct kcm_mod_ctx *mod_cc); +errno_t kcm_ccdb_mod_cc_recv(struct tevent_req *req); + +/* + * Store a credential in a cache + */ +struct tevent_req *kcm_ccdb_store_cred_blob_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid, + struct sss_iobuf *cred_blob); +errno_t kcm_ccdb_store_cred_blob_recv(struct tevent_req *req); + +/* + * Delete a ccache from the database + */ +struct tevent_req *kcm_ccdb_delete_cc_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid); +errno_t kcm_ccdb_delete_cc_recv(struct tevent_req *req); + +void kcm_debug_uuid(uuid_t uuid); + +/* + * The KCM clients are not allowed (except root) to create ccaches + * with arbitrary names. Instead, we assert that the ccache name + * begins with UID where UID is the stringified representation of + * the client's UID number + */ +errno_t kcm_check_name(const char *name, struct cli_creds *client); + +/* + * ccahe marshalling to and from JSON. This is used when the ccaches + * are stored in the secrets store + */ + +/* + * The secrets store is a key-value store at heart. 
We store the UUID
+ * and the name in the key to allow easy lookups be either key
+ */
+bool sec_key_match_name(const char *sec_key,
+ const char *name);
+
+bool sec_key_match_uuid(const char *sec_key,
+ uuid_t uuid);
+
+const char *sec_key_get_name(const char *sec_key);
+
+errno_t sec_key_get_uuid(const char *sec_key,
+ uuid_t uuid);
+
+/* Create a URL for the default client's ccache */
+const char *sec_dfl_url_create(TALLOC_CTX *mem_ctx,
+ struct cli_creds *client);
+
+/* Create a URL for the client's ccache container */
+const char *sec_container_url_create(TALLOC_CTX *mem_ctx,
+ struct cli_creds *client);
+
+const char *sec_cc_url_create(TALLOC_CTX *mem_ctx,
+ struct cli_creds *client,
+ const char *sec_key);
+
+/*
+ * sec_key is a concatenation of the ccache's UUID and name
+ * sec_value is the JSON dump of the ccache contents
+ */
+errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx,
+ const char *sec_key,
+ const char *sec_value,
+ struct cli_creds *client,
+ struct kcm_ccache **_cc);
+
+/* Convert a kcm_ccache to a key-value pair to be stored in secrets */
+errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx,
+ struct kcm_ccache *cc,
+ struct cli_creds *client,
+ const char **_url,
+ struct sss_iobuf **_payload);
+
+#endif /* _KCMSRV_CCACHE_H_ */
diff --git a/src/responder/kcm/kcmsrv_ccache_be.h b/src/responder/kcm/kcmsrv_ccache_be.h
new file mode 100644
index 0000000..a0796c2
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ccache_be.h
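Review bot: The comment above `kcm_check_name` promises only that a ccache name "begins with UID", and the implementation added in kcmsrv_ccache.c on this page compares just the first `prefix_len` bytes with `strncmp`, so a client whose UID is 100 also passes with a name that starts with `1000`. The contract should name the separator that ends the UID part; the `kcm_ccdb_nextid_send` comment suggests the form `UID:`, so I would reword the comment to `begins with "UID:", i.e. the client's UID number immediately followed by ':'` and have the check build its prefix with `"%"SPRIuid":"`. The same comment says root is exempt, but `kcm_check_name` has no such branch, so either the caller skips the check for root or the comment is stale; the header should say which.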
@@ -0,0 +1,205 @@
+/*
+ SSSD
+
+ KCM Server - the KCM ccache database interface
+
+ This file should only be included from the ccache.c module.
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _KCMSRV_CCACHE_BE_
+#define _KCMSRV_CCACHE_BE_
+
+#include "config.h"
+
+#include
+#include "responder/kcm/kcmsrv_ccache.h"
+
+typedef errno_t
+(*ccdb_init_fn)(struct kcm_ccdb *db);
+
+typedef struct tevent_req *
+(*ccdb_nextid_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client);
+typedef errno_t
+(*ccdb_nextid_recv_fn)(struct tevent_req *req,
+ unsigned int *_nextid);
+
+typedef struct tevent_req *
+(*ccdb_set_default_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid);
+typedef errno_t
+(*ccdb_set_default_recv_fn)(struct tevent_req *req);
+
+typedef struct tevent_req *
+(*ccdb_get_default_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client);
+typedef errno_t
+(*ccdb_get_default_recv_fn)(struct tevent_req *req,
+ uuid_t dfl);
+
+
+typedef struct tevent_req *
+(*ccdb_list_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client);
+typedef errno_t
+(*ccdb_list_recv_fn)(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uuid_t **_uuid_list);
+
+typedef
struct tevent_req *
+(*ccdb_getbyname_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ const char *name);
+typedef errno_t
+(*ccdb_getbyname_recv_fn)(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc);
+
+typedef struct tevent_req *
+(*ccdb_getbyuuid_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid);
+typedef errno_t
+(*ccdb_getbyuuid_recv_fn)(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc);
+
+typedef struct tevent_req *
+(*ccdb_name_by_uuid_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid);
+typedef errno_t
+(*ccdb_name_by_uuid_recv_fn)(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ const char **_name);
+
+typedef struct tevent_req *
+(*ccdb_uuid_by_name_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ const char *name);
+typedef errno_t
+(*ccdb_uuid_by_name_recv_fn)(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uuid_t _uuid);
+
+typedef struct tevent_req *
+(*ccdb_create_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ struct kcm_ccache *cc);
+typedef errno_t
+(*ccdb_create_recv_fn)(struct tevent_req *req);
+
+typedef struct tevent_req *
+(*ccdb_mod_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid,
+ struct kcm_mod_ctx *mod_cc);
+typedef errno_t
+(*ccdb_mod_recv_fn)(struct tevent_req *req);
+
+typedef struct tevent_req *
+(*kcm_ccdb_store_cred_blob_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid,
+ struct sss_iobuf *cred_blob);
+typedef errno_t
+(*kcm_ccdb_store_cred_blob_recv_fn)(struct tevent_req *req);
+
+typedef struct
tevent_req *
+(*ccdb_delete_send_fn)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid);
+typedef errno_t
+(*ccdb_delete_recv_fn)(struct tevent_req *req);
+
+/*
+ * Each ccache back end (for example memory or secrets) must implement
+ * all these functions. The functions are wrapped by the kcm_ccdb
+ * interface that performs additional sanity checks or contains shared
+ * logic such as access checks but in general doesn't assume anything
+ * about how the operations work.
+ */
+struct kcm_ccdb_ops {
+ ccdb_init_fn init;
+
+ ccdb_nextid_send_fn nextid_send;
+ ccdb_nextid_recv_fn nextid_recv;
+
+ ccdb_set_default_send_fn set_default_send;
+ ccdb_set_default_recv_fn set_default_recv;
+
+ ccdb_get_default_send_fn get_default_send;
+ ccdb_get_default_recv_fn get_default_recv;
+
+ ccdb_list_send_fn list_send;
+ ccdb_list_recv_fn list_recv;
+
+ ccdb_getbyname_send_fn getbyname_send;
+ ccdb_getbyname_recv_fn getbyname_recv;
+
+ ccdb_getbyuuid_send_fn getbyuuid_send;
+ ccdb_getbyuuid_recv_fn getbyuuid_recv;
+
+ ccdb_name_by_uuid_send_fn name_by_uuid_send;
+ ccdb_name_by_uuid_recv_fn name_by_uuid_recv;
+
+ ccdb_uuid_by_name_send_fn uuid_by_name_send;
+ ccdb_uuid_by_name_recv_fn uuid_by_name_recv;
+
+ ccdb_create_send_fn create_send;
+ ccdb_create_recv_fn create_recv;
+
+ ccdb_mod_send_fn mod_send;
+ ccdb_mod_recv_fn mod_recv;
+
+ kcm_ccdb_store_cred_blob_send_fn store_cred_send;
+ kcm_ccdb_store_cred_blob_recv_fn store_cred_recv;
+
+ ccdb_delete_send_fn delete_send;
+ ccdb_delete_recv_fn delete_recv;
+};
+
+extern const struct kcm_ccdb_ops ccdb_mem_ops;
+extern const struct kcm_ccdb_ops ccdb_sec_ops;
+
+#endif /* _KCMSRV_CCACHE_BE_ */
diff --git a/src/responder/kcm/kcmsrv_ccache_json.c b/src/responder/kcm/kcmsrv_ccache_json.c
new file mode 100644
index 0000000..f70b0fc
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ccache_json.c
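Review bot: The comment on `struct kcm_ccdb_ops` says the kcm_ccdb wrappers contain shared logic "such as access checks", but the wrappers visible on this page (`kcm_ccdb_mod_cc_send`, `kcm_ccdb_store_cred_blob_send`, `kcm_ccdb_delete_cc_send`) only NULL-check their arguments and hand `client` and the caller-supplied `uuid` straight to the back end. If authorization is meant to live in the back ends, the contract should say so, for example `/* Every op that takes a uuid or name must resolve it only among ccaches that kcm_cc_access() allows for client; the wrappers do not re-check ownership. */`. Wrappers outside this page's view may do more, so this should be confirmed before rewording. Separately, the `kcm_ccdb_store_cred_blob_*_fn` typedef names break the `ccdb_*_fn` pattern every other typedef in this header follows.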
@@ -0,0 +1,957 @@ +/* + SSSD + + KCM Server - ccache JSON (un)marshalling for storing ccaches in + sssd-secrets + + Copyright (C) Red Hat, 2017 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include + +#include "util/util.h" +#include "util/util_creds.h" +#include "util/crypto/sss_crypto.h" +#include "responder/kcm/kcmsrv_ccache_pvt.h" + +/* The base for storing secrets is: + * http://localhost/kcm/persistent/$uid + * + * Under $base, there are two containers: + * /ccache - stores the ccaches + * /ntlm - stores NTLM creds [Not implement yet] + * + * There is also a special entry that contains the UUID of the default + * cache for this UID: + * /default - stores the UUID of the default ccache for this UID + * + * Each ccache has a name and an UUID. On the secrets level, the 'secret' + * is a concatenation of the stringified UUID and the name separated + * by a plus-sign. + */ +#define KCM_SEC_URL "http://localhost/kcm/persistent" +#define KCM_SEC_BASE_FMT KCM_SEC_URL"/%"SPRIuid"/" +#define KCM_SEC_CCACHE_FMT KCM_SEC_BASE_FMT"ccache/" +#define KCM_SEC_DFL_FMT KCM_SEC_BASE_FMT"default" + + +/* + * We keep the JSON representation of the ccache versioned to allow + * us to modify the format in a future version + */ +#define KS_JSON_VERSION 1 + +/* + * The secrets store is a key-value store at heart. 
We store the UUID + * and the name in the key to allow easy lookups be either key + */ +#define SEC_KEY_SEPARATOR '-' + +/* Compat definition of json_array_foreach for older systems */ +#ifndef json_array_foreach +#define json_array_foreach(array, idx, value) \ + for(idx = 0; \ + idx < json_array_size(array) && (value = json_array_get(array, idx)); \ + idx++) +#endif + +const char *sec_container_url_create(TALLOC_CTX *mem_ctx, + struct cli_creds *client) +{ + return talloc_asprintf(mem_ctx, + KCM_SEC_CCACHE_FMT, + cli_creds_get_uid(client)); +} + +const char *sec_cc_url_create(TALLOC_CTX *mem_ctx, + struct cli_creds *client, + const char *sec_key) +{ + return talloc_asprintf(mem_ctx, + KCM_SEC_CCACHE_FMT"%s", + cli_creds_get_uid(client), + sec_key); +} + +const char *sec_dfl_url_create(TALLOC_CTX *mem_ctx, + struct cli_creds *client) +{ + return talloc_asprintf(mem_ctx, + KCM_SEC_DFL_FMT, + cli_creds_get_uid(client)); +} + +static const char *sec_key_create(TALLOC_CTX *mem_ctx, + const char *name, + uuid_t uuid) +{ + char uuid_str[UUID_STR_SIZE]; + + uuid_unparse(uuid, uuid_str); + return talloc_asprintf(mem_ctx, + "%s%c%s", uuid_str, SEC_KEY_SEPARATOR, name); +} + +static bool sec_key_valid(const char *sec_key) +{ + if (sec_key == NULL) { + return false; + } + + if (strlen(sec_key) < UUID_STR_SIZE + 1) { + /* One char for separator (at UUID_STR_SIZE, because strlen doesn't + * include the '\0', but UUID_STR_SIZE does) and at least one for + * the name */ + DEBUG(SSSDBG_CRIT_FAILURE, "Key %s is too short\n", sec_key); + return false; + } + + if (sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); + return false; + } + + return true; +} + +static errno_t sec_key_parse(TALLOC_CTX *mem_ctx, + const char *sec_key, + const char **_name, + uuid_t uuid) +{ + char uuid_str[UUID_STR_SIZE]; + + if (!sec_key_valid(sec_key)) { + return EINVAL; + } + + strncpy(uuid_str, sec_key, sizeof(uuid_str)-1); + if 
(sec_key[UUID_STR_SIZE - 1] != SEC_KEY_SEPARATOR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Key doesn't contain the separator\n"); + return EINVAL; + } + uuid_str[UUID_STR_SIZE-1] = '\0'; + + *_name = talloc_strdup(mem_ctx, sec_key + UUID_STR_SIZE); + if (*_name == NULL) { + return ENOMEM; + } + uuid_parse(uuid_str, uuid); + + return EOK; +} + +errno_t sec_key_get_uuid(const char *sec_key, + uuid_t uuid) +{ + char uuid_str[UUID_STR_SIZE]; + + if (!sec_key_valid(sec_key)) { + return EINVAL; + } + + strncpy(uuid_str, sec_key, UUID_STR_SIZE-1); + uuid_str[UUID_STR_SIZE-1] = '\0'; + uuid_parse(uuid_str, uuid); + return EOK; +} + +const char *sec_key_get_name(const char *sec_key) +{ + if (!sec_key_valid(sec_key)) { + return NULL; + } + + return sec_key + UUID_STR_SIZE; +} + +bool sec_key_match_name(const char *sec_key, + const char *name) +{ + if (!sec_key_valid(sec_key) || name == NULL) { + return false; + } + + return strcmp(sec_key + UUID_STR_SIZE, name) == 0; +} + +bool sec_key_match_uuid(const char *sec_key, + uuid_t uuid) +{ + errno_t ret; + uuid_t key_uuid; + + ret = sec_key_get_uuid(sec_key, key_uuid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot convert key to UUID\n"); + return false; + } + + return uuid_compare(key_uuid, uuid) == 0; +} + +/* + * Creates an array of principal elements that will be used later + * in the form of: + * "components": [ "elem1", "elem2", ...] 
+ */ +static json_t *princ_data_to_json(TALLOC_CTX *mem_ctx, + krb5_principal princ) +{ + json_t *jdata = NULL; + json_t *data_array = NULL; + int ret; + char *str_princ_data; + + data_array = json_array(); + if (data_array == NULL) { + return NULL; + } + + for (ssize_t i = 0; i < princ->length; i++) { + /* FIXME - it might be cleaner to use stringn here, but the libjansson + * version on RHEL-7 doesn't support that + */ + str_princ_data = talloc_zero_array(mem_ctx, + char, + princ->data[i].length + 1); + if (str_princ_data == NULL) { + return NULL; + } + memcpy(str_princ_data, princ->data[i].data, princ->data[i].length); + str_princ_data[princ->data[i].length] = '\0'; + + jdata = json_string(str_princ_data); + talloc_free(str_princ_data); + if (jdata == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert principal data to string\n"); + json_decref(data_array); + return NULL; + } + + ret = json_array_append_new(data_array, jdata); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot append principal data to array\n"); + json_decref(jdata); + json_decref(data_array); + return NULL; + } + /* data_array now owns the reference to jdata */ + } + + return data_array; +} + +/* Creates: + * { + * "type": "number", + * "realm": "string", + * "components": [ "elem1", "elem2", ...] 
+ * } + */ +static json_t *princ_to_json(TALLOC_CTX *mem_ctx, + krb5_principal princ) +{ + json_t *jprinc = NULL; + json_t *components = NULL; + json_error_t error; + char *str_realm_data; + + components = princ_data_to_json(mem_ctx, princ); + if (components == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert principal data to JSON\n"); + return NULL; + } + + /* FIXME - it might be cleaner to use the s% specifier here, but the libjansson + * version on RHEL-7 doesn't support that + */ + str_realm_data = talloc_zero_array(mem_ctx, + char, + princ->realm.length + 1); + if (str_realm_data == NULL) { + return NULL; + } + memcpy(str_realm_data, princ->realm.data, princ->realm.length); + str_realm_data[princ->realm.length] = '\0'; + + jprinc = json_pack_ex(&error, + JSON_STRICT, + "{s:i, s:s, s:o}", + "type", princ->type, + "realm", str_realm_data, + "components", components); + talloc_free(str_realm_data); + if (jprinc == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to pack JSON princ structure on line %d: %s\n", + error.line, error.text); + json_decref(components); + return NULL; + } + + return jprinc; +} + +/* Creates: + * { + * "uuid": , + * "payload": , + * }, + */ +static json_t *cred_to_json(struct kcm_cred *crd) +{ + char uuid_str[UUID_STR_SIZE]; + uint8_t *cred_blob_data; + size_t cred_blob_size; + json_t *jcred; + json_error_t error; + char *base64_cred_blob; + + uuid_unparse(crd->uuid, uuid_str); + cred_blob_data = sss_iobuf_get_data(crd->cred_blob); + cred_blob_size = sss_iobuf_get_size(crd->cred_blob); + + base64_cred_blob = sss_base64_encode(crd, cred_blob_data, cred_blob_size); + if (base64_cred_blob == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot base64 encode the certificate blob\n"); + return NULL; + } + + jcred = json_pack_ex(&error, + JSON_STRICT, + "{s:s, s:s}", + "uuid", uuid_str, + "payload", base64_cred_blob); + talloc_free(base64_cred_blob); + if (jcred == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to pack JSON cred structure on 
line %d: %s\n", + error.line, error.text); + return NULL; + } + return jcred; +} + +/* + * Creates: + * [ + * { + * "uuid": , + * "payload": , + * }, + * ... + * ] + */ +static json_t *creds_to_json_array(struct kcm_cred *creds) +{ + struct kcm_cred *crd; + json_t *array; + json_t *jcred; + + array = json_array(); + if (array == NULL) { + return NULL; + } + + DLIST_FOR_EACH(crd, creds) { + jcred = cred_to_json(crd); + if (jcred == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert credentials to JSON\n"); + json_decref(array); + return NULL; + } + + json_array_append_new(array, jcred); + /* array now owns jcred */ + jcred = NULL; + } + + return array; +} + +/* + * The ccache is formatted in JSON as: + * { + * version: number + * kdc_offset: number + * principal : { + * "type": "number", + * "realm": "string", + * "components": [ "elem1", "elem2", ...] + * } + * creds : [ + * { + * "uuid": , + * "payload": , + * }, + * { + * ... + * } + * ] + * } + * } + */ +static json_t *ccache_to_json(struct kcm_ccache *cc) +{ + json_t *princ = NULL; + json_t *creds = NULL; + json_t *jcc = NULL; + json_error_t error; + + princ = princ_to_json(cc, cc->client); + if (princ == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert princ to JSON\n"); + return NULL; + } + + creds = creds_to_json_array(cc->creds); + if (creds == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert creds to JSON array\n"); + json_decref(princ); + return NULL; + } + + jcc = json_pack_ex(&error, + JSON_STRICT, + "{s:i, s:i, s:o, s:o}", + "version", KS_JSON_VERSION, + "kdc_offset", cc->kdc_offset, + "principal", princ, + "creds", creds); + if (jcc == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to pack JSON ccache structure on line %d: %s\n", + error.line, error.text); + json_decref(creds); + json_decref(princ); + return NULL; + } + + return jcc; +} + +static errno_t ccache_to_sec_kv(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc, + const char **_sec_key, + const char **_sec_value) +{ + json_t *jcc = 
NULL; + char *jdump; + + jcc = ccache_to_json(cc); + if (jcc == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert ccache to JSON\n"); + return ERR_JSON_ENCODING; + } + + /* it would be more efficient to learn the size with json_dumpb and + * a NULL buffer, but that's only available since 2.10 + */ + jdump = json_dumps(jcc, JSON_INDENT(4) | JSON_ENSURE_ASCII); + if (jdump == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot dump JSON\n"); + return ERR_JSON_ENCODING; + } + + *_sec_key = sec_key_create(mem_ctx, cc->name, cc->uuid); + *_sec_value = talloc_strdup(mem_ctx, jdump); + free(jdump); + json_decref(jcc); + if (*_sec_key == NULL || *_sec_value == NULL) { + return ENOMEM; + } + + return EOK; +} + +errno_t kcm_ccache_to_sec_input(TALLOC_CTX *mem_ctx, + struct kcm_ccache *cc, + struct cli_creds *client, + const char **_url, + struct sss_iobuf **_payload) +{ + errno_t ret; + const char *key; + const char *value; + const char *url; + struct sss_iobuf *payload; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = ccache_to_sec_kv(mem_ctx, cc, &key, &value); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert cache %s to JSON [%d]: %s\n", + cc->name, ret, sss_strerror(ret)); + goto done; + } + + url = sec_cc_url_create(tmp_ctx, client, key); + if (url == NULL) { + ret = ENOMEM; + goto done; + } + + payload = sss_iobuf_init_readonly(tmp_ctx, + (const uint8_t *) value, + strlen(value)+1); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create payload buffer\n"); + goto done; + } + + ret = EOK; + *_url = talloc_steal(mem_ctx, url); + *_payload = talloc_steal(mem_ctx, payload); +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sec_value_to_json(const char *input, + json_t **_root) +{ + json_t *root = NULL; + json_error_t error; + int ok; + + root = json_loads(input, 0, &error); + if (root == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse JSON payload on line 
%d: %s\n", + error.line, error.text); + return ERR_JSON_DECODING; + } + + ok = json_is_object(root); + if (!ok) { + DEBUG(SSSDBG_CRIT_FAILURE, "Json data is not an object.\n"); + json_decref(root); + return ERR_JSON_DECODING; + } + + *_root = root; + return EOK; +} + +/* + * ccache unmarshalling from JSON + */ +static errno_t json_element_to_krb5_data(TALLOC_CTX *mem_ctx, + json_t *element, + krb5_data *data) +{ + const char *str_value; + size_t str_len; + + /* FIXME - it might be cleaner to use stringn here, but the libjansson + * version on RHEL-7 doesn't support that + */ + str_value = json_string_value(element); + if (str_value == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "JSON element not a string\n"); + return EINVAL; + } + str_len = strlen(str_value); + /* make sure that the unsigned int length component of krb5_data can store + * str_len. */ + if (str_len > UINT_MAX) { + DEBUG(SSSDBG_CRIT_FAILURE, "String too long"); + return EINVAL; + } + + data->data = talloc_strndup(mem_ctx, str_value, str_len); + if (data->data == NULL) { + return ENOMEM; + } + data->length = (unsigned int) str_len; + + return EOK; +} + +static errno_t json_array_to_krb5_data(TALLOC_CTX *mem_ctx, + json_t *array, + krb5_data **_data, + size_t *_len) +{ + errno_t ret; + int ok; + size_t len; + size_t idx; + json_t *element; + krb5_data *data; + + ok = json_is_array(array); + if (!ok) { + DEBUG(SSSDBG_CRIT_FAILURE, "Json object is not an array.\n"); + return ERR_JSON_DECODING; + } + + len = json_array_size(array); + if (len == 0) { + *_data = NULL; + *_len = 0; + return EOK; + } + + data = talloc_zero_array(mem_ctx, krb5_data, len); + if (data == NULL) { + return ENOMEM; + } + + json_array_foreach(array, idx, element) { + ret = json_element_to_krb5_data(data, element, &data[idx]); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert krb5 data element from JSON"); + talloc_free(data); + return ret; + } + } + + *_data = data; + *_len = len; + return EOK; +} + +static errno_t 
json_to_princ(TALLOC_CTX *mem_ctx, + json_t *js_princ, + krb5_principal *_princ) +{ + errno_t ret; + json_t *components = NULL; + int ok; + krb5_principal princ = NULL; + TALLOC_CTX *tmp_ctx = NULL; + char *realm_str; + size_t realm_size; + size_t comp_count; + json_error_t error; + + ok = json_is_object(js_princ); + if (!ok) { + DEBUG(SSSDBG_CRIT_FAILURE, "Json principal is not an object.\n"); + ret = ERR_JSON_DECODING; + goto done; + } + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + princ = talloc_zero(tmp_ctx, struct krb5_principal_data); + if (princ == NULL) { + return ENOMEM; + } + princ->magic = KV5M_PRINCIPAL; + + /* FIXME - it might be cleaner to use the s% specifier here, but the libjansson + * version on RHEL-7 doesn't support that + */ + ret = json_unpack_ex(js_princ, + &error, + JSON_STRICT, + "{s:i, s:s, s:o}", + "type", &princ->type, + "realm", &realm_str, + "components", &components); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unpack JSON princ structure on line %d: %s\n", + error.line, error.text); + ret = EINVAL; + goto done; + } + + realm_size = strlen(realm_str); + /* Since the realm should be put into a krb5_data which uses unsigned int + * to store the length we have to make sure that the realm is not too long + * since size_t might be bigger than unsigned int. */ + if (realm_size > UINT_MAX) { + DEBUG(SSSDBG_CRIT_FAILURE, "Realm name is too long.\n"); + ret = EINVAL; + goto done; + } + + princ->realm.data = talloc_strndup(mem_ctx, realm_str, realm_size); + if (princ->realm.data == NULL) { + return ENOMEM; + } + princ->realm.length = (unsigned int) realm_size; + princ->realm.magic = 0; + + /* json_array_to_krb5_data expects size_t* as last argument but the length + * component of krb5_principal_data is krb5_int32 so it cannot be used + * directly here because size_t and krb5_int32 might differ in size. 
+ * Additionally we have to check that the result will fit into the int32 + * range (although we would have other problems if the principal really + * has more then INT32_MAX components). */ + ret = json_array_to_krb5_data(princ, components, + &princ->data, + &comp_count); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert principal from JSON"); + ret = EINVAL; + goto done; + } + if (comp_count > INT32_MAX) { + DEBUG(SSSDBG_CRIT_FAILURE, "Too many principal components.\n"); + ret = EINVAL; + goto done; + } + princ->length = (krb5_int32) comp_count; + + *_princ = talloc_steal(mem_ctx, princ); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t json_elem_to_cred(TALLOC_CTX *mem_ctx, + json_t *element, + struct kcm_cred **_crd) +{ + errno_t ret; + char *uuid_str; + json_error_t error; + uuid_t uuid; + struct sss_iobuf *cred_blob; + const char *base64_cred_blob; + struct kcm_cred *crd; + uint8_t *outbuf; + size_t outbuf_size; + TALLOC_CTX *tmp_ctx = NULL; + + ret = json_unpack_ex(element, + &error, + JSON_STRICT, + "{s:s, s:s}", + "uuid", &uuid_str, + "payload", &base64_cred_blob); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unpack JSON cred structure on line %d: %s\n", + error.line, error.text); + return EINVAL; + } + + uuid_parse(uuid_str, uuid); + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + outbuf = sss_base64_decode(tmp_ctx, base64_cred_blob, &outbuf_size); + if (outbuf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot decode cred blob\n"); + ret = EIO; + goto done; + } + + cred_blob = sss_iobuf_init_readonly(tmp_ctx, outbuf, outbuf_size); + if (cred_blob == NULL) { + ret = ENOMEM; + goto done; + } + + crd = kcm_cred_new(tmp_ctx, uuid, cred_blob); + if (crd == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + *_crd = talloc_steal(mem_ctx, crd); +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t json_to_creds(struct kcm_ccache *cc, + 
json_t *jcreds) +{ + errno_t ret; + int ok; + size_t idx; + json_t *value; + struct kcm_cred *crd; + + ok = json_is_array(jcreds); + if (!ok) { + DEBUG(SSSDBG_CRIT_FAILURE, "Json creds object is not an array.\n"); + return ERR_JSON_DECODING; + } + + json_array_foreach(jcreds, idx, value) { + ret = json_elem_to_cred(cc, value, &crd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert JSON cred element [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = kcm_cc_store_creds(cc, crd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot store creds in ccache [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + } + + return EOK; +} + +static errno_t sec_json_value_to_ccache(struct kcm_ccache *cc, + json_t *root) +{ + errno_t ret; + json_t *princ = NULL; + json_t *creds = NULL; + json_error_t error; + int version; + + ret = json_unpack_ex(root, + &error, + JSON_STRICT, + "{s:i, s:i, s:o, s:o}", + "version", &version, + "kdc_offset", &cc->kdc_offset, + "principal", &princ, + "creds", &creds); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unpack JSON creds structure on line %d: %s\n", + error.line, error.text); + return EINVAL; + } + + if (version != KS_JSON_VERSION) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected version %d, received version %d\n", + KS_JSON_VERSION, version); + return EINVAL; + } + + ret = json_to_princ(cc, princ, &cc->client); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot store JSON to principal [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = json_to_creds(cc, creds); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot store JSON to creds [%d]: %s\n", + ret, sss_strerror(ret)); + return EOK; + } + + return EOK; +} + +/* + * sec_key is a concatenation of the ccache's UUID and name + * sec_value is the JSON dump of the ccache contents + */ +errno_t sec_kv_to_ccache(TALLOC_CTX *mem_ctx, + const char *sec_key, + const char *sec_value, + struct cli_creds *client, + 
struct kcm_ccache **_cc) +{ + errno_t ret; + json_t *root = NULL; + struct kcm_ccache *cc = NULL; + TALLOC_CTX *tmp_ctx = NULL; + + ret = sec_value_to_json(sec_value, &root); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot store secret to JSN [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cc = talloc_zero(tmp_ctx, struct kcm_ccache); + if (cc == NULL) { + ret = ENOMEM; + goto done; + } + + /* We rely on sssd-secrets only searching the user's subtree so we + * set the ownership to the client + */ + cc->owner.uid = cli_creds_get_uid(client); + cc->owner.gid = cli_creds_get_gid(client); + + ret = sec_key_parse(cc, sec_key, &cc->name, cc->uuid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannt parse secret key [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sec_json_value_to_ccache(cc, root); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannt parse secret value [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + *_cc = talloc_steal(mem_ctx, cc); +done: + talloc_free(tmp_ctx); + json_decref(root); + return ret; +} diff --git a/src/responder/kcm/kcmsrv_ccache_mem.c b/src/responder/kcm/kcmsrv_ccache_mem.c new file mode 100644 index 0000000..38bc205 --- /dev/null +++ b/src/responder/kcm/kcmsrv_ccache_mem.c 
@@ -0,0 +1,827 @@ +/* + SSSD + + KCM Server - ccache in-memory storage + + Copyright (C) Red Hat, 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "responder/kcm/kcmsrv_ccache_pvt.h" +#include "responder/kcm/kcmsrv_ccache_be.h" + +struct ccdb_mem; + +/* + * The KCM memory database is just a double-linked list of kcm_ccache structures + */ +struct ccache_mem_wrap { + struct kcm_ccache *cc; + bool is_default; + + struct ccache_mem_wrap *next; + struct ccache_mem_wrap *prev; + + struct ccdb_mem *mem_be; +}; + +struct ccdb_mem { + /* Both ccaches and the next-id are kept in memory */ + struct ccache_mem_wrap *head; + unsigned int nextid; +}; + +/* In order to provide a consistent interface, we need to let the caller + * of getbyXXX own the ccache, therefore the memory back end returns a shallow + * copy of the ccache + */ +static struct kcm_ccache *kcm_ccache_dup(TALLOC_CTX *mem_ctx, + struct kcm_ccache *in) +{ + struct kcm_ccache *out; + + out = talloc_zero(mem_ctx, struct kcm_ccache); + if (out == NULL) { + return NULL; + } + memcpy(out, in, sizeof(struct kcm_ccache)); + + return out; +} + +static struct ccache_mem_wrap *memdb_get_by_uuid(struct ccdb_mem *memdb, + struct cli_creds *client, + uuid_t uuid) +{ + uid_t uid; + struct ccache_mem_wrap *ccwrap = NULL; + struct ccache_mem_wrap *out = NULL; + + uid = cli_creds_get_uid(client); 
+ + DLIST_FOR_EACH(ccwrap, memdb->head) { + if (ccwrap->cc == NULL) { + /* since KCM stores ccaches, better not crash.. */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: ccwrap contains NULL cc\n"); + continue; + } + + if (ccwrap->cc->owner.uid == uid) { + if (uuid_compare(uuid, ccwrap->cc->uuid) == 0) { + out = ccwrap; + break; + } + } + } + + return out; +} + +static struct ccache_mem_wrap *memdb_get_by_name(struct ccdb_mem *memdb, + struct cli_creds *client, + const char *name) +{ + uid_t uid; + struct ccache_mem_wrap *ccwrap = NULL; + struct ccache_mem_wrap *out = NULL; + + uid = cli_creds_get_uid(client); + + DLIST_FOR_EACH(ccwrap, memdb->head) { + if (ccwrap->cc == NULL) { + /* since KCM stores ccaches, better not crash.. */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: ccwrap contains NULL cc\n"); + continue; + } + + if (ccwrap->cc->owner.uid == uid) { + if (strcmp(ccwrap->cc->name, name) == 0) { + out = ccwrap; + break; + } + } + } + + return out; +} + +/* Since with the in-memory database, the database operations are just + * fake-async wrappers around otherwise sync operations, we don't often + * need any state, so we use this empty structure instead + */ +struct ccdb_mem_dummy_state { +}; + +static int ccwrap_destructor(void *ptr) +{ + struct ccache_mem_wrap *ccwrap = talloc_get_type(ptr, struct ccache_mem_wrap); + + if (ccwrap == NULL) { + return 0; + } + + if (ccwrap->cc != NULL) { + if (ccwrap->cc->creds) { + safezero(sss_iobuf_get_data(ccwrap->cc->creds->cred_blob), + sss_iobuf_get_size(ccwrap->cc->creds->cred_blob)); + } + } + + + DLIST_REMOVE(ccwrap->mem_be->head, ccwrap); + + return 0; +} + +static errno_t ccdb_mem_init(struct kcm_ccdb *db) +{ + struct ccdb_mem *memdb = NULL; + + memdb = talloc_zero(db, struct ccdb_mem); + if (memdb == NULL) { + return ENOMEM; + } + db->db_handle = memdb; + + return EOK; +} + +struct ccdb_mem_nextid_state { + unsigned int nextid; +}; + +static struct tevent_req *ccdb_mem_nextid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + 
struct kcm_ccdb *db, + struct cli_creds *client) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_nextid_state *state = NULL; + struct ccdb_mem *memdb = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_nextid_state); + if (req == NULL) { + return NULL; + } + + memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + if (memdb == NULL) { + ret = EIO; + goto immediate; + } + + state->nextid = memdb->nextid++; + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_nextid_recv(struct tevent_req *req, + unsigned int *_nextid) +{ + struct ccdb_mem_nextid_state *state = tevent_req_data(req, + struct ccdb_mem_nextid_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + *_nextid = state->nextid; + return EOK; +} + +struct ccdb_mem_list_state { + uuid_t *uuid_list; +}; + +static struct tevent_req *ccdb_mem_list_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client) +{ + struct tevent_req *req = NULL; + struct ccache_mem_wrap *ccwrap = NULL; + struct ccdb_mem_list_state *state = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + size_t num_ccaches = 0; + size_t cc_index = 0; + errno_t ret; + uid_t uid; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_list_state); + if (req == NULL) { + return NULL; + } + + uid = cli_creds_get_uid(client); + + DLIST_FOR_EACH(ccwrap, memdb->head) { + if (ccwrap->cc->owner.uid == uid) { + num_ccaches++; + } + } + + state->uuid_list = talloc_zero_array(state, uuid_t, num_ccaches+1); + if (state->uuid_list == NULL) { + ret = ENOMEM; + goto immediate; + } + + cc_index = 0; + DLIST_FOR_EACH(ccwrap, memdb->head) { + if (ccwrap->cc->owner.uid == uid) { + uuid_copy(state->uuid_list[cc_index], ccwrap->cc->uuid); + cc_index++; + } + } + uuid_clear(state->uuid_list[num_ccaches]); + + ret = EOK; 
+immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_list_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uuid_t **_uuid_list) +{ + struct ccdb_mem_list_state *state = tevent_req_data(req, + struct ccdb_mem_list_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + *_uuid_list = talloc_steal(mem_ctx, state->uuid_list); + return EOK; +} + +static struct tevent_req *ccdb_mem_set_default_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_dummy_state *state = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + struct ccache_mem_wrap *ccwrap = NULL; + uid_t uid = cli_creds_get_uid(client); + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_dummy_state); + if (req == NULL) { + return NULL; + } + + /* Reset all ccache defaults first */ + DLIST_FOR_EACH(ccwrap, memdb->head) { + if (ccwrap->cc == NULL) { + /* since KCM stores ccaches, better not crash.. */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: ccwrap contains NULL cc\n"); + continue; + } + + if (ccwrap->cc->owner.uid == uid) { + ccwrap->is_default = false; + } + } + + /* Then set the default for the right ccache. 
This also allows to + * pass a null uuid to just reset the old ccache (for example after + * deleting the default + */ + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap != NULL) { + ccwrap->is_default = true; + } + + tevent_req_done(req); + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_set_default_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +struct ccdb_mem_get_default_state { + uuid_t dfl_uuid; +}; + +static struct tevent_req *ccdb_mem_get_default_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_get_default_state *state = NULL; + struct ccache_mem_wrap *ccwrap = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + uid_t uid = cli_creds_get_uid(client); + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_get_default_state); + if (req == NULL) { + return NULL; + } + + + /* Reset all ccache defaults first */ + DLIST_FOR_EACH(ccwrap, memdb->head) { + if (ccwrap->cc == NULL) { + /* since KCM stores ccaches, better not crash.. 
*/ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: ccwrap contains NULL cc\n"); + continue; + } + + if (ccwrap->cc->owner.uid == uid && ccwrap->is_default == true) { + break; + } + } + + if (ccwrap == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "No ccache marked as default, returning null ccache\n"); + uuid_clear(state->dfl_uuid); + } else { + uuid_copy(state->dfl_uuid, ccwrap->cc->uuid); + } + + tevent_req_done(req); + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_get_default_recv(struct tevent_req *req, + uuid_t dfl) +{ + struct ccdb_mem_get_default_state *state = tevent_req_data(req, + struct ccdb_mem_get_default_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + uuid_copy(dfl, state->dfl_uuid); + return EOK; +} + +struct ccdb_mem_getbyuuid_state { + struct kcm_ccache *cc; +}; + +static struct tevent_req *ccdb_mem_getbyuuid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_getbyuuid_state *state = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + struct ccache_mem_wrap *ccwrap = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_getbyuuid_state); + if (req == NULL) { + return NULL; + } + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap != NULL) { + state->cc = kcm_ccache_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; + } + } + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_getbyuuid_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct kcm_ccache **_cc) +{ + struct ccdb_mem_getbyuuid_state *state = tevent_req_data(req, + struct ccdb_mem_getbyuuid_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + *_cc = talloc_steal(mem_ctx, state->cc); + return EOK; +} + +struct 
ccdb_mem_getbyname_state { + struct kcm_ccache *cc; +}; + +static struct tevent_req *ccdb_mem_getbyname_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + const char *name) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_getbyname_state *state = NULL; + struct ccache_mem_wrap *ccwrap = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_getbyname_state); + if (req == NULL) { + return NULL; + } + + ccwrap = memdb_get_by_name(memdb, client, name); + if (ccwrap != NULL) { + state->cc = kcm_ccache_dup(state, ccwrap->cc); + if (state->cc == NULL) { + ret = ENOMEM; + goto immediate; + } + } + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_getbyname_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + struct kcm_ccache **_cc) +{ + struct ccdb_mem_getbyname_state *state = tevent_req_data(req, + struct ccdb_mem_getbyname_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + *_cc = talloc_steal(mem_ctx, state->cc); + return EOK; +} + +struct ccdb_mem_name_by_uuid_state { + const char *name; +}; + +struct tevent_req *ccdb_mem_name_by_uuid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_name_by_uuid_state *state = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + struct ccache_mem_wrap *ccwrap = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_name_by_uuid_state); + if (req == NULL) { + return NULL; + } + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap == NULL) { + ret = ERR_KCM_CC_END; + goto immediate; + } + + state->name = talloc_strdup(state, ccwrap->cc->name); + if 
(state->name == NULL) { + ret = ENOMEM; + goto immediate; + } + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +errno_t ccdb_mem_name_by_uuid_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + const char **_name) +{ + struct ccdb_mem_name_by_uuid_state *state = tevent_req_data(req, + struct ccdb_mem_name_by_uuid_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + *_name = talloc_steal(mem_ctx, state->name); + return EOK; +} + +struct ccdb_mem_uuid_by_name_state { + uuid_t uuid; +}; + +struct tevent_req *ccdb_mem_uuid_by_name_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + const char *name) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_uuid_by_name_state *state = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + struct ccache_mem_wrap *ccwrap = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_uuid_by_name_state); + if (req == NULL) { + return NULL; + } + + ccwrap = memdb_get_by_name(memdb, client, name); + if (ccwrap == NULL) { + ret = ERR_KCM_CC_END; + goto immediate; + } + + uuid_copy(state->uuid, ccwrap->cc->uuid); + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +errno_t ccdb_mem_uuid_by_name_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + uuid_t _uuid) +{ + struct ccdb_mem_uuid_by_name_state *state = tevent_req_data(req, + struct ccdb_mem_uuid_by_name_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + uuid_copy(_uuid, state->uuid); + return EOK; +} + +static struct tevent_req *ccdb_mem_create_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + struct kcm_ccache *cc) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_dummy_state *state = NULL; + struct 
ccache_mem_wrap *ccwrap; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_dummy_state); + if (req == NULL) { + return NULL; + } + + ccwrap = talloc_zero(memdb, struct ccache_mem_wrap); + if (ccwrap == NULL) { + ret = ENOMEM; + goto immediate; + } + ccwrap->cc = cc; + ccwrap->mem_be = memdb; + talloc_steal(ccwrap, cc); + + DLIST_ADD(memdb->head, ccwrap); + talloc_set_destructor((TALLOC_CTX *) ccwrap, ccwrap_destructor); + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_create_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +static struct tevent_req *ccdb_mem_mod_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid, + struct kcm_mod_ctx *mod_cc) +{ + errno_t ret; + struct tevent_req *req = NULL; + struct ccdb_mem_dummy_state *state = NULL; + struct ccache_mem_wrap *ccwrap = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_dummy_state); + if (req == NULL) { + return NULL; + } + + /* UUID is immutable, so search by that */ + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap == NULL) { + ret = ERR_KCM_CC_END; + goto immediate; + } + + kcm_mod_cc(ccwrap->cc, mod_cc); + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_mod_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +static struct tevent_req *ccdb_mem_store_cred_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid, + struct sss_iobuf 
*cred_blob) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_dummy_state *state = NULL; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + struct ccache_mem_wrap *ccwrap = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_dummy_state); + if (req == NULL) { + return NULL; + } + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap == NULL) { + ret = ERR_KCM_CC_END; + goto immediate; + } + + ret = kcm_cc_store_cred_blob(ccwrap->cc, cred_blob); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot store credentials to ccache [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + + ret = EOK; +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_store_cred_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +static struct tevent_req *ccdb_mem_delete_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid) +{ + struct tevent_req *req = NULL; + struct ccdb_mem_dummy_state *state = NULL; + struct ccache_mem_wrap *ccwrap; + struct ccdb_mem *memdb = talloc_get_type(db->db_handle, struct ccdb_mem); + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_mem_dummy_state); + if (req == NULL) { + return NULL; + } + + ccwrap = memdb_get_by_uuid(memdb, client, uuid); + if (ccwrap == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "BUG: Attempting to free unknown ccache\n"); + ret = ERR_KCM_CC_END; + goto immediate; + } + + ret = EOK; + /* Destructor takes care of everything */ + talloc_free(ccwrap); +immediate: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + return req; +} + +static errno_t ccdb_mem_delete_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +const struct 
kcm_ccdb_ops ccdb_mem_ops = {
+ .init = ccdb_mem_init,
+
+ .nextid_send = ccdb_mem_nextid_send,
+ .nextid_recv = ccdb_mem_nextid_recv,
+
+ .set_default_send = ccdb_mem_set_default_send,
+ .set_default_recv = ccdb_mem_set_default_recv,
+
+ .get_default_send = ccdb_mem_get_default_send,
+ .get_default_recv = ccdb_mem_get_default_recv,
+
+ .list_send = ccdb_mem_list_send,
+ .list_recv = ccdb_mem_list_recv,
+
+ .getbyname_send = ccdb_mem_getbyname_send,
+ .getbyname_recv = ccdb_mem_getbyname_recv,
+
+ .getbyuuid_send = ccdb_mem_getbyuuid_send,
+ .getbyuuid_recv = ccdb_mem_getbyuuid_recv,
+
+ .name_by_uuid_send = ccdb_mem_name_by_uuid_send,
+ .name_by_uuid_recv = ccdb_mem_name_by_uuid_recv,
+
+ .uuid_by_name_send = ccdb_mem_uuid_by_name_send,
+ .uuid_by_name_recv = ccdb_mem_uuid_by_name_recv,
+
+ .create_send = ccdb_mem_create_send,
+ .create_recv = ccdb_mem_create_recv,
+
+ .mod_send = ccdb_mem_mod_send,
+ .mod_recv = ccdb_mem_mod_recv,
+
+ .store_cred_send = ccdb_mem_store_cred_send,
+ .store_cred_recv = ccdb_mem_store_cred_recv,
+
+ .delete_send = ccdb_mem_delete_send,
+ .delete_recv = ccdb_mem_delete_recv,
+};
diff --git a/src/responder/kcm/kcmsrv_ccache_pvt.h b/src/responder/kcm/kcmsrv_ccache_pvt.h
new file mode 100644
index 0000000..0cc24c2
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ccache_pvt.h
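Review bot: ccwrap_destructor wipes only the first credential, because it calls safezero() on `ccwrap->cc->creds->cred_blob` while `creds` is the head of a list (struct kcm_cred carries `next`/`prev` links, and ccdb_mem_store_cred_send presumably adds further entries to it). The blobs of every later credential are therefore released without being zeroed when a ccache is deleted. Walking the list closes that gap: declare `struct kcm_cred *crd;` and replace the inner `if` with `DLIST_FOR_EACH(crd, ccwrap->cc->creds) { safezero(sss_iobuf_get_data(crd->cred_blob), sss_iobuf_get_size(crd->cred_blob)); }`. Separately, both loops in ccdb_mem_list_send read `ccwrap->cc->owner.uid` without the NULL guard that the other iterators in this file apply; adding `if (ccwrap->cc == NULL) continue;` there would make them consistent.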
@@ -0,0 +1,62 @@
+/*
+ SSSD
+
+ KCM Server - the KCM ccache operations - private structures
+
+ Should be accessed only from the ccache layer.
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+#ifndef _KCMSRV_CCACHE_PVT_H
+#define _KCMSRV_CCACHE_PVT_H
+
+#include "responder/kcm/kcmsrv_ccache.h"
+#include "responder/kcm/kcmsrv_ccache_be.h"
+
+struct kcm_ccache_owner {
+ uid_t uid;
+ gid_t gid;
+};
+
+struct kcm_cred {
+ struct sss_iobuf *cred_blob;
+ /* Randomly generated 16 bytes */
+ uuid_t uuid;
+
+ struct kcm_cred *next;
+ struct kcm_cred *prev;
+};
+
+struct kcm_ccdb {
+ enum kcm_ccdb_be cc_be_type;
+ struct tevent_context *ev;
+
+ void *db_handle;
+ const struct kcm_ccdb_ops *ops;
+};
+
+struct kcm_ccache {
+ const char *name;
+ struct kcm_ccache_owner owner;
+ uuid_t uuid;
+
+ krb5_principal client;
+ int32_t kdc_offset;
+
+ struct kcm_cred *creds;
+};
+
+#endif /* _KCMSRV_CCACHE_PVT_H */
diff --git a/src/responder/kcm/kcmsrv_ccache_secrets.c b/src/responder/kcm/kcmsrv_ccache_secrets.c
new file mode 100644
index 0000000..f2b4646
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ccache_secrets.c
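Review bot: `struct kcm_cred` does not say that `cred_blob` holds secret credential material, or that the struct is one element of a list whose every entry must be wiped before it is freed. The in-memory back end zeroes the blob in its destructor, so the sensitivity is real but undocumented here. I would add `/* Credential blob: secret material, wipe with safezero() before freeing */` above `cred_blob` and `/* Linked list of all credentials in the ccache */` above `next`. On `struct kcm_ccache`, a comment stating which pointers (`name`, `client`, `creds`) the structure owns would also help, since the memory back end hands out shallow copies that share them.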
@@ -0,0 +1,2172 @@
+/*
+ SSSD
+
+ KCM Server - ccache storage in sssd-secrets
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/crypto/sss_crypto.h"
+#include "util/tev_curl.h"
+#include "responder/kcm/kcmsrv_ccache_pvt.h"
+#include "responder/kcm/kcmsrv_ccache_be.h"
+
+#ifndef SSSD_SECRETS_SOCKET
+#define SSSD_SECRETS_SOCKET VARDIR"/run/secrets.socket"
+#endif /* SSSD_SECRETS_SOCKET */
+
+#ifndef SEC_TIMEOUT
+#define SEC_TIMEOUT 5
+#endif /* SEC_TIMEOUT */
+
+/* Just to keep the name of the ccache readable */
+#define MAX_CC_NUM 99999
+
+/* Compat definition of json_array_foreach for older systems */
+#ifndef json_array_foreach
+#define json_array_foreach(array, idx, value) \
+ for(idx = 0; \
+ idx < json_array_size(array) && (value = json_array_get(array, idx)); \
+ idx++)
+#endif
+
+static const char *find_by_name(const char **sec_key_list,
+ const char *name)
+{
+ const char *sec_name = NULL;
+
+ if (sec_key_list == NULL) {
+ return NULL;
+ }
+
+ for (int i = 0; sec_key_list[i]; i++) {
+ if (sec_key_match_name(sec_key_list[i], name)) {
+ sec_name = sec_key_list[i];
+ break;
+ }
+ }
+
+ return sec_name;
+}
+
+static const char *find_by_uuid(const char **sec_key_list,
+ uuid_t uuid)
+{
+ const char *sec_name = NULL;
+
+ if (sec_key_list == NULL) {
+ return NULL;
+ }
+
+ for (int i = 0;
sec_key_list[i]; i++) {
+ if (sec_key_match_uuid(sec_key_list[i], uuid)) {
+ sec_name = sec_key_list[i];
+ break;
+ }
+ }
+
+ return sec_name;
+}
+
+static const char *sec_headers[] = {
+ "Content-type: application/octet-stream",
+ NULL,
+};
+
+struct ccdb_sec {
+ struct tcurl_ctx *tctx;
+};
+
+static errno_t http2errno(int http_code)
+{
+ if (http_code != 200) {
+ DEBUG(SSSDBG_OP_FAILURE, "HTTP request returned %d\n", http_code);
+ }
+
+ switch (http_code) {
+ case 200:
+ return EOK;
+ case 404:
+ return ERR_NO_CREDS;
+ case 400:
+ return ERR_INPUT_PARSE;
+ case 403:
+ return EACCES;
+ case 409:
+ return EEXIST;
+ case 413:
+ return E2BIG;
+ case 507:
+ return ENOSPC;
+ }
+
+ return EIO;
+}
+
+/*
+ * Helper request to list all UUID+name pairs
+ */
+struct sec_list_state {
+ const char **sec_key_list;
+ size_t sec_key_list_len;
+};
+
+static void sec_list_done(struct tevent_req *subreq);
+static errno_t sec_list_parse(struct sss_iobuf *outbuf,
+ TALLOC_CTX *mem_ctx,
+ const char ***_list,
+ size_t *_list_len);
+
+static struct tevent_req *sec_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ccdb_sec *secdb,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sec_list_state *state = NULL;
+ errno_t ret;
+ const char *container_url;
+
+ req = tevent_req_create(mem_ctx, &state, struct sec_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Listing all ccaches in the secrets store\n");
+ container_url = sec_container_url_create(state, client);
+ if (container_url == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ subreq = tcurl_http_send(state, ev, secdb->tctx,
+ TCURL_HTTP_GET,
+ SSSD_SECRETS_SOCKET,
+ container_url,
+ sec_headers,
+ NULL,
+ SEC_TIMEOUT);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, sec_list_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+
return req;
+}
+
+static void sec_list_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct sec_list_state *state = tevent_req_data(req,
+ struct sec_list_state);
+ struct sss_iobuf *outbuf;
+ int http_code;
+
+ ret = tcurl_http_recv(state, subreq, &http_code, &outbuf);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "list HTTP request failed [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (http_code == 404) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Nothing to list\n");
+ /* If no ccaches are found, return an empty list */
+ state->sec_key_list = talloc_zero_array(state, const char *, 1);
+ if (state->sec_key_list == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ } else if (http_code == 200) {
+ ret = sec_list_parse(outbuf, state,
+ &state->sec_key_list,
+ &state->sec_key_list_len);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu items\n", state->sec_key_list_len);
+ } else {
+ tevent_req_error(req, http2errno(http_code));
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "list done\n");
+ tevent_req_done(req);
+}
+
+static errno_t sec_list_parse(struct sss_iobuf *outbuf,
+ TALLOC_CTX *mem_ctx,
+ const char ***_list,
+ size_t *_list_len)
+{
+ json_t *root;
+ uint8_t *sec_http_list;
+ size_t sec_http_list_len;
+ json_error_t error;
+ json_t *element;
+ errno_t ret;
+ int ok;
+ size_t idx;
+ const char **list = NULL;
+ size_t list_len;
+
+ sec_http_list = sss_iobuf_get_data(outbuf);
+ if (sec_http_list == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No data in output buffer?\n");
+ return EINVAL;
+ }
+ sec_http_list_len = sss_iobuf_get_len(outbuf);
+
+ root = json_loadb((const char *) sec_http_list,
+ sec_http_list_len, 0, &error);
+ if (root == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse JSON payload on line %d: %s\n",
+ error.line, error.text);
+ return
ERR_JSON_DECODING;
+ }
+
+ ok = json_is_array(root);
+ if (!ok) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "list reply is not an object.\n");
+ ret = ERR_JSON_DECODING;
+ goto done;
+ }
+
+ list_len = json_array_size(root);
+ list = talloc_zero_array(mem_ctx, const char *, list_len + 1);
+ if (list == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ json_array_foreach(root, idx, element) {
+ list[idx] = talloc_strdup(list, json_string_value(element));
+ if (list[idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+ *_list = list;
+ *_list_len = list_len;
+done:
+ if (ret != EOK) {
+ talloc_free(list);
+ }
+ json_decref(root);
+ return ret;
+}
+
+static errno_t sec_list_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ const char ***_sec_key_list,
+ size_t *_sec_key_list_len)
+
+{
+ struct sec_list_state *state = tevent_req_data(req,
+ struct sec_list_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_sec_key_list != NULL) {
+ *_sec_key_list = talloc_steal(mem_ctx, state->sec_key_list);
+ }
+ if (_sec_key_list_len != NULL) {
+ *_sec_key_list_len = state->sec_key_list_len;
+ }
+ return EOK;
+}
+
+/*
+ * Helper request to get a ccache by key
+ */
+struct sec_get_state {
+ const char *sec_key;
+ struct cli_creds *client;
+
+ struct kcm_ccache *cc;
+};
+
+static void sec_get_done(struct tevent_req *subreq);
+
+static struct tevent_req *sec_get_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ccdb_sec *secdb,
+ struct cli_creds *client,
+ const char *sec_key)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sec_get_state *state = NULL;
+ errno_t ret;
+ const char *cc_url;
+
+ req = tevent_req_create(mem_ctx, &state, struct sec_get_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->sec_key = sec_key;
+ state->client = client;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Retrieving ccache %s\n", sec_key);
+
+ cc_url = sec_cc_url_create(state, state->client, state->sec_key);
+ if (cc_url == NULL) {
+ ret = ENOMEM;
+ goto
immediate;
+ }
+
+ subreq = tcurl_http_send(state,
+ ev,
+ secdb->tctx,
+ TCURL_HTTP_GET,
+ SSSD_SECRETS_SOCKET,
+ cc_url,
+ sec_headers,
+ NULL,
+ SEC_TIMEOUT);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, sec_get_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void sec_get_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct sec_get_state *state = tevent_req_data(req,
+ struct sec_get_state);
+ struct sss_iobuf *outbuf;
+ const char *sec_value;
+ int http_code;
+
+ ret = tcurl_http_recv(state, subreq, &http_code, &outbuf);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "GET HTTP request failed [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (http_code != 200) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "GET operation returned HTTP error %d\n", http_code);
+ ret = http2errno(http_code);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ sec_value = (const char *) sss_iobuf_get_data(outbuf);
+ if (sec_value == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No data in output buffer\n");
+ tevent_req_error(req, EINVAL);
+ return;
+ }
+
+ ret = sec_kv_to_ccache(state,
+ state->sec_key,
+ sec_value,
+ state->client,
+ &state->cc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot convert JSON keyval to ccache blob [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "GET done\n");
+ tevent_req_done(req);
+}
+
+static errno_t sec_get_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc)
+{
+ struct sec_get_state *state = tevent_req_data(req, struct sec_get_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_cc = talloc_steal(mem_ctx, state->cc);
+ return EOK;
+}
+
+/*
+ * Helper request to get a ccache name or ID
+ */
+struct
sec_get_ccache_state {
+ struct tevent_context *ev;
+ struct ccdb_sec *secdb;
+ struct cli_creds *client;
+ const char *name;
+ uuid_t uuid;
+
+ const char *sec_key;
+
+ struct kcm_ccache *cc;
+};
+
+static void sec_get_ccache_list_done(struct tevent_req *subreq);
+static void sec_get_ccache_done(struct tevent_req *subreq);
+
+static struct tevent_req *sec_get_ccache_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ccdb_sec *secdb,
+ struct cli_creds *client,
+ const char *name,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sec_get_ccache_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct sec_get_ccache_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->secdb = secdb;
+ state->client = client;
+ state->name = name;
+ uuid_copy(state->uuid, uuid);
+
+ if ((name == NULL && uuid_is_null(uuid))
+ || (name != NULL && !uuid_is_null(uuid))) {
+ DEBUG(SSSDBG_OP_FAILURE, "Expected one of name, uuid to be set\n");
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ subreq = sec_list_send(state, ev, secdb, client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, sec_get_ccache_list_done, req);
+ return req;
+
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void sec_get_ccache_list_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct sec_get_ccache_state *state = tevent_req_data(req,
+ struct sec_get_ccache_state);
+ const char **sec_key_list;
+
+ ret = sec_list_recv(subreq, state, &sec_key_list, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot list keys [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->name != NULL) {
+ state->sec_key = find_by_name(sec_key_list, state->name);
+ } else {
+
state->sec_key = find_by_uuid(sec_key_list, state->uuid);
+ }
+
+ if (state->sec_key == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Cannot find item in the ccache list\n");
+ /* Don't error out, just return an empty list */
+ tevent_req_done(req);
+ return;
+ }
+
+ subreq = sec_get_send(state,
+ state->ev,
+ state->secdb,
+ state->client,
+ state->sec_key);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sec_get_ccache_done, req);
+}
+
+static void sec_get_ccache_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sec_get_ccache_state *state = tevent_req_data(req,
+ struct sec_get_ccache_state);
+
+ ret = sec_get_recv(subreq, state, &state->cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot resolve key to ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+static errno_t sec_get_ccache_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc)
+{
+ struct sec_get_ccache_state *state = tevent_req_data(req,
+ struct sec_get_ccache_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_cc = talloc_steal(mem_ctx, state->cc);
+ return EOK;
+}
+
+/*
+ * The actual sssd-secrets back end
+ */
+static errno_t ccdb_sec_init(struct kcm_ccdb *db)
+{
+ struct ccdb_sec *secdb = NULL;
+
+ secdb = talloc_zero(db, struct ccdb_sec);
+ if (secdb == NULL) {
+ return ENOMEM;
+ }
+
+ secdb->tctx = tcurl_init(secdb, db->ev);
+ if (secdb->tctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Cannot initialize tcurl\n");
+ talloc_zfree(secdb);
+ return ENOMEM;
+ }
+
+ /* We just need the random numbers to generate pseudo-random ccache names
+ * and avoid conflicts */
+ srand(time(NULL));
+
+ db->db_handle = secdb;
+ return EOK;
+}
+
+/*
+ * Helper request to get a ccache by key
+ */
+struct sec_patch_state {
+ struct tevent_context *ev;
+
struct ccdb_sec *secdb;
+ struct cli_creds *client;
+
+ const char *sec_key_url;
+ struct sss_iobuf *sec_value;
+};
+
+static void sec_patch_del_done(struct tevent_req *subreq);
+static void sec_patch_put_done(struct tevent_req *subreq);
+
+static struct tevent_req *sec_patch_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct ccdb_sec *secdb,
+ struct cli_creds *client,
+ const char *sec_key_url,
+ struct sss_iobuf *sec_value)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct sec_patch_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct sec_patch_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->secdb = secdb;
+ state->client = client;
+ state->sec_key_url = sec_key_url;
+ state->sec_value = sec_value;
+
+ subreq = tcurl_http_send(state, state->ev,
+ state->secdb->tctx,
+ TCURL_HTTP_DELETE,
+ SSSD_SECRETS_SOCKET,
+ state->sec_key_url,
+ sec_headers,
+ NULL,
+ SEC_TIMEOUT);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, sec_patch_del_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void sec_patch_del_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sec_patch_state *state = tevent_req_data(req,
+ struct sec_patch_state);
+ int http_code;
+
+ ret = tcurl_http_recv(state, subreq, &http_code, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete key [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (http_code == 404) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Key %s does not exist, moving on\n", state->sec_key_url);
+ } else if (http_code != 200) {
+ ret = http2errno(http_code);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Adding new payload\n");
+
+
subreq = tcurl_http_send(state,
+ state->ev,
+ state->secdb->tctx,
+ TCURL_HTTP_PUT,
+ SSSD_SECRETS_SOCKET,
+ state->sec_key_url,
+ sec_headers,
+ state->sec_value,
+ SEC_TIMEOUT);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, sec_patch_put_done, req);
+}
+
+static void sec_patch_put_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct sec_patch_state *state = tevent_req_data(req,
+ struct sec_patch_state);
+ int http_code;
+
+ ret = tcurl_http_recv(state, subreq, &http_code, NULL);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot put new value [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (http_code != 200) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n");
+ ret = http2errno(http_code);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "payload created\n");
+ tevent_req_done(req);
+}
+
+
+static errno_t sec_patch_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+/* The operations between the KCM and sssd-secrets */
+
+struct ccdb_sec_nextid_state {
+ struct tevent_context *ev;
+ struct ccdb_sec *secdb;
+ struct cli_creds *client;
+
+ unsigned int nextid;
+ char *nextid_name;
+
+ int maxtries;
+ int numtry;
+};
+
+static errno_t ccdb_sec_nextid_generate(struct tevent_req *req);
+static void ccdb_sec_nextid_list_done(struct tevent_req *subreq);
+
+/* Generate a unique ID */
+/* GET the name from secrets, if doesn't exist, OK, if exists, try again */
+static struct tevent_req *ccdb_sec_nextid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct ccdb_sec_nextid_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+ errno_t ret;
+
+ req =
tevent_req_create(mem_ctx, &state, struct ccdb_sec_nextid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->secdb = secdb;
+ state->client = client;
+
+ state->maxtries = 3;
+ state->numtry = 0;
+
+ ret = ccdb_sec_nextid_generate(req);
+ if (ret != EOK) {
+ goto immediate;
+ }
+
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t ccdb_sec_nextid_generate(struct tevent_req *req)
+{
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_nextid_state *state = tevent_req_data(req,
+ struct ccdb_sec_nextid_state);
+
+ if (state->numtry >= state->maxtries) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to find a random ccache in %d tries\n", state->numtry);
+ return EBUSY;
+ }
+
+ state->nextid = rand() % MAX_CC_NUM;
+ state->nextid_name = talloc_asprintf(state, "%"SPRIuid":%u",
+ cli_creds_get_uid(state->client),
+ state->nextid);
+ if (state->nextid_name == NULL) {
+ return ENOMEM;
+ }
+
+ subreq = sec_list_send(state, state->ev, state->secdb, state->client);
+ if (subreq == NULL) {
+ return ENOMEM;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_nextid_list_done, req);
+
+ state->numtry++;
+ return EOK;
+}
+
+static void ccdb_sec_nextid_list_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ccdb_sec_nextid_state *state = tevent_req_data(req,
+ struct ccdb_sec_nextid_state);
+ const char **sec_key_list;
+ size_t sec_key_list_len;
+ size_t i;
+
+ ret = sec_list_recv(subreq, state, &sec_key_list, &sec_key_list_len);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot list keys [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ for (i = 0; i < sec_key_list_len; i++) {
+ if (sec_key_match_name(sec_key_list[i], state->nextid_name) == true) {
+ break;
+ }
+ }
+
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to find a random key, trying
again..\n");
+ if (i < sec_key_list_len) {
+ /* Try again */
+ ret = ccdb_sec_nextid_generate(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Generated new ccache name %u\n", state->nextid);
+ tevent_req_done(req);
+}
+
+static errno_t ccdb_sec_nextid_recv(struct tevent_req *req,
+ unsigned int *_nextid)
+{
+ struct ccdb_sec_nextid_state *state = tevent_req_data(req,
+ struct ccdb_sec_nextid_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_nextid = state->nextid;
+ return EOK;
+}
+
+/* IN: HTTP PUT $base/default -d 'uuid' */
+/* We chose only UUID here to avoid issues later with renaming */
+struct ccdb_sec_set_default_state {
+};
+
+static void ccdb_sec_set_default_done(struct tevent_req *subreq);
+
+static struct tevent_req *ccdb_sec_set_default_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_set_default_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+ struct sss_iobuf *uuid_iobuf;
+ errno_t ret;
+ const char *url;
+ char uuid_str[UUID_STR_SIZE];
+
+ req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_set_default_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ uuid_unparse(uuid, uuid_str);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Setting the default ccache to %s\n", uuid_str);
+
+ url = sec_dfl_url_create(state, client);
+ if (url == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ uuid_iobuf = sss_iobuf_init_readonly(state,
+ (uint8_t *) uuid_str,
+ UUID_STR_SIZE);
+ if (uuid_iobuf == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ subreq = sec_patch_send(state, ev, secdb, client, url, uuid_iobuf);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_set_default_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req,
ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void ccdb_sec_set_default_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+
+ ret = sec_patch_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sec_patch request failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Set the default ccache\n");
+ tevent_req_done(req);
+}
+
+static errno_t ccdb_sec_set_default_recv(struct tevent_req *req)
+{
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ return EOK;
+}
+
+/* IN: HTTP GET $base/default */
+/* OUT: uuid */
+struct ccdb_sec_get_default_state {
+ uuid_t uuid;
+};
+
+static void ccdb_sec_get_default_done(struct tevent_req *subreq);
+
+static struct tevent_req *ccdb_sec_get_default_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_get_default_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+ const char *url;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_get_default_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Getting the default ccache\n");
+ url = sec_dfl_url_create(state, client);
+ if (url == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ subreq = tcurl_http_send(state, ev, secdb->tctx,
+ TCURL_HTTP_GET,
+ SSSD_SECRETS_SOCKET,
+ url,
+ sec_headers,
+ NULL,
+ SEC_TIMEOUT);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_get_default_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void ccdb_sec_get_default_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ int http_code;
+ struct tevent_req
*req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct ccdb_sec_get_default_state *state = tevent_req_data(req,
+ struct ccdb_sec_get_default_state);
+ struct sss_iobuf *outbuf;
+ size_t uuid_size;
+
+ ret = tcurl_http_recv(state, subreq, &http_code, &outbuf);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Communication with the secrets responder failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (http_code == 404) {
+ /* Return a NULL uuid */
+ uuid_clear(state->uuid);
+ tevent_req_done(req);
+ return;
+ } else if (http_code != 200) {
+ ret = http2errno(http_code);
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ uuid_size = sss_iobuf_get_len(outbuf);
+ if (uuid_size != UUID_STR_SIZE) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unexpected UUID size %zu\n", uuid_size);
+ tevent_req_error(req, EIO);
+ return;
+ }
+
+ uuid_parse((const char *) sss_iobuf_get_data(outbuf), state->uuid);
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Got the default ccache\n");
+ tevent_req_done(req);
+}
+
+static errno_t ccdb_sec_get_default_recv(struct tevent_req *req,
+ uuid_t uuid)
+{
+ struct ccdb_sec_get_default_state *state = tevent_req_data(req,
+ struct ccdb_sec_get_default_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ uuid_copy(uuid, state->uuid);
+ return EOK;
+}
+
+/* HTTP GET $base/ccache/ */
+/* OUT: a list of */
+struct ccdb_sec_list_state {
+ uuid_t *uuid_list;
+};
+
+static void ccdb_sec_list_done(struct tevent_req *subreq);
+
+static struct tevent_req *ccdb_sec_list_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_list_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_list_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+
DEBUG(SSSDBG_TRACE_INTERNAL, "Listing all ccaches\n");
+
+ subreq = sec_list_send(state, ev, secdb, client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_list_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void ccdb_sec_list_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ccdb_sec_list_state *state = tevent_req_data(req,
+ struct ccdb_sec_list_state);
+ const char **sec_key_list;
+ size_t sec_key_list_len;
+
+ ret = sec_list_recv(subreq, state, &sec_key_list, &sec_key_list_len);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Communication with the secrets responder failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Found %zu ccaches\n", sec_key_list_len);
+
+ state->uuid_list = talloc_array(state, uuid_t, sec_key_list_len + 1);
+ if (state->uuid_list == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ for (size_t i = 0; i < sec_key_list_len; i++) {
+ ret = sec_key_get_uuid(sec_key_list[i],
+ state->uuid_list[i]);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ }
+ /* Sentinel */
+ uuid_clear(state->uuid_list[sec_key_list_len]);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Listing all caches done\n");
+ tevent_req_done(req);
+}
+
+static errno_t ccdb_sec_list_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ uuid_t **_uuid_list)
+{
+ struct ccdb_sec_list_state *state = tevent_req_data(req,
+ struct ccdb_sec_list_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_uuid_list = talloc_steal(mem_ctx, state->uuid_list);
+ return EOK;
+}
+
+struct ccdb_sec_getbyuuid_state {
+ struct kcm_ccache *cc;
+};
+
+
+/* HTTP GET $base/ccache/ */
+/* OUT: a list of */
+/* for each item in list, compare with the uuid: portion */
+/* HTTP
GET $base/ccache/uuid:name */
+/* return result */
+static void ccdb_sec_getbyuuid_done(struct tevent_req *subreq);
+
+static struct tevent_req *ccdb_sec_getbyuuid_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ errno_t ret;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_getbyuuid_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+
+ req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_getbyuuid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Getting ccache by UUID\n");
+
+ subreq = sec_get_ccache_send(state, ev, secdb, client, NULL, uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_getbyuuid_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void ccdb_sec_getbyuuid_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ccdb_sec_getbyuuid_state *state = tevent_req_data(req,
+ struct ccdb_sec_getbyuuid_state);
+
+ ret = sec_get_ccache_recv(subreq, state, &state->cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot retrieve the ccache [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Got ccache by UUID\n");
+ tevent_req_done(req);
+}
+
+static errno_t ccdb_sec_getbyuuid_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc)
+{
+ struct ccdb_sec_getbyuuid_state *state = tevent_req_data(req,
+ struct ccdb_sec_getbyuuid_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_cc = talloc_steal(mem_ctx, state->cc);
+ return EOK;
+}
+
+/* HTTP GET $base/ccache/ */
+/* OUT: a list of */
+/* for each item in list, compare with the :name portion
*/
+/* HTTP GET $base/ccache/uuid:name */
+/* return result */
+struct ccdb_sec_getbyname_state {
+ struct kcm_ccache *cc;
+};
+
+static void ccdb_sec_getbyname_done(struct tevent_req *subreq);
+
+static struct tevent_req *ccdb_sec_getbyname_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ const char *name)
+{
+ errno_t ret;
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_getbyname_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+ uuid_t null_uuid;
+
+ req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_getbyname_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ uuid_clear(null_uuid);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Getting ccache by name\n");
+
+ subreq = sec_get_ccache_send(state, ev, secdb, client, name, null_uuid);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_getbyname_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void ccdb_sec_getbyname_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ccdb_sec_getbyname_state *state = tevent_req_data(req,
+ struct ccdb_sec_getbyname_state);
+
+ ret = sec_get_ccache_recv(subreq, state, &state->cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot retrieve the ccache [%d]: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Got ccache by UUID\n");
+ tevent_req_done(req);
+}
+
+static errno_t ccdb_sec_getbyname_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ccache **_cc)
+{
+ struct ccdb_sec_getbyname_state *state = tevent_req_data(req,
+ struct ccdb_sec_getbyname_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_cc = talloc_steal(mem_ctx,
state->cc);
+ return EOK;
+}
+
+struct ccdb_sec_name_by_uuid_state {
+ struct tevent_context *ev;
+ struct ccdb_sec *secdb;
+ struct cli_creds *client;
+
+ uuid_t uuid;
+
+ const char *name;
+};
+
+static void ccdb_sec_name_by_uuid_done(struct tevent_req *subreq);
+
+struct tevent_req *ccdb_sec_name_by_uuid_send(TALLOC_CTX *sec_ctx,
+ struct tevent_context *ev,
+ struct kcm_ccdb *db,
+ struct cli_creds *client,
+ uuid_t uuid)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct ccdb_sec_name_by_uuid_state *state = NULL;
+ struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec);
+ errno_t ret;
+
+ req = tevent_req_create(sec_ctx, &state, struct ccdb_sec_name_by_uuid_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->secdb = secdb;
+ state->client = client;
+ uuid_copy(state->uuid, uuid);
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Translating UUID to name\n");
+
+ subreq = sec_list_send(state, state->ev, state->secdb, state->client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, ccdb_sec_name_by_uuid_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void ccdb_sec_name_by_uuid_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct ccdb_sec_name_by_uuid_state *state = tevent_req_data(req,
+ struct ccdb_sec_name_by_uuid_state);
+ const char **sec_key_list;
+ const char *name;
+ size_t sec_key_list_len;
+ size_t i;
+
+ ret = sec_list_recv(subreq, state, &sec_key_list, &sec_key_list_len);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ for (i = 0; i < sec_key_list_len; i++) {
+ if (sec_key_match_uuid(sec_key_list[i], state->uuid) == true) {
+ /* Match, copy name */
+ name = sec_key_get_name(sec_key_list[i]);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+
"Malformed key, cannot get name\n"); + tevent_req_error(req, EINVAL); + return; + } + + state->name = talloc_strdup(state, name); + if (state->name == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Got ccache by UUID\n"); + tevent_req_done(req); + return; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "No such UUID\n"); + tevent_req_error(req, ERR_NO_CREDS); + return; +} + +errno_t ccdb_sec_name_by_uuid_recv(struct tevent_req *req, + TALLOC_CTX *sec_ctx, + const char **_name) +{ + struct ccdb_sec_name_by_uuid_state *state = tevent_req_data(req, + struct ccdb_sec_name_by_uuid_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + *_name = talloc_steal(sec_ctx, state->name); + return EOK; +} + +struct ccdb_sec_uuid_by_name_state { + struct tevent_context *ev; + struct ccdb_sec *secdb; + struct cli_creds *client; + + const char *name; + + uuid_t uuid; +}; + +static void ccdb_sec_uuid_by_name_done(struct tevent_req *subreq); + +struct tevent_req *ccdb_sec_uuid_by_name_send(TALLOC_CTX *sec_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + const char *name) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct ccdb_sec_uuid_by_name_state *state = NULL; + struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec); + errno_t ret; + + req = tevent_req_create(sec_ctx, &state, struct ccdb_sec_uuid_by_name_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->secdb = secdb; + state->client = client; + state->name = name; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Translating name to UUID\n"); + + subreq = sec_list_send(state, state->ev, state->secdb, state->client); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, ccdb_sec_uuid_by_name_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ccdb_sec_uuid_by_name_done(struct tevent_req *subreq) 
+{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ccdb_sec_uuid_by_name_state *state = tevent_req_data(req, + struct ccdb_sec_uuid_by_name_state); + const char **sec_key_list; + size_t sec_key_list_len; + size_t i; + + ret = sec_list_recv(subreq, state, &sec_key_list, &sec_key_list_len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + for (i = 0; i < sec_key_list_len; i++) { + if (sec_key_match_name(sec_key_list[i], state->name) == true) { + /* Match, copy UUID */ + ret = sec_key_get_uuid(sec_key_list[i], state->uuid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Malformed key, cannot get UUID\n"); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Got ccache by name\n"); + tevent_req_done(req); + return; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "No such name\n"); + tevent_req_error(req, ERR_NO_CREDS); + return; +} + +errno_t ccdb_sec_uuid_by_name_recv(struct tevent_req *req, + TALLOC_CTX *sec_ctx, + uuid_t _uuid) +{ + struct ccdb_sec_uuid_by_name_state *state = tevent_req_data(req, + struct ccdb_sec_uuid_by_name_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + uuid_copy(_uuid, state->uuid); + return EOK; +} + +/* HTTP POST $base to create the container */ +/* HTTP PUT $base to create the container. 
Since PUT errors out on duplicates, at least + * we fail consistently here and don't overwrite the ccache on concurrent requests + */ +struct ccdb_sec_create_state { + struct tevent_context *ev; + struct ccdb_sec *secdb; + + const char *key_url; + struct sss_iobuf *ccache_payload; +}; + +static void ccdb_sec_container_done(struct tevent_req *subreq); +static void ccdb_sec_ccache_done(struct tevent_req *subreq); + +static struct tevent_req *ccdb_sec_create_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + struct kcm_ccache *cc) +{ + struct tevent_req *subreq = NULL; + struct tevent_req *req = NULL; + struct ccdb_sec_create_state *state = NULL; + struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec); + errno_t ret; + const char *container_url; + + req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_create_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->secdb = secdb; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Creating ccache storage for %s\n", cc->name); + + /* Do the encoding asap so that if we fail, we don't even attempt any + * writes */ + ret = kcm_ccache_to_sec_input(state, cc, client, &state->key_url, &state->ccache_payload); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot convert cache %s to JSON [%d]: %s\n", + cc->name, ret, sss_strerror(ret)); + goto immediate; + } + + container_url = sec_container_url_create(state, client); + if (container_url == NULL) { + ret = ENOMEM; + goto immediate; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Creating the ccache container\n"); + subreq = tcurl_http_send(state, ev, secdb->tctx, + TCURL_HTTP_POST, + SSSD_SECRETS_SOCKET, + container_url, + sec_headers, + NULL, + SEC_TIMEOUT); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, ccdb_sec_container_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void 
ccdb_sec_container_done(struct tevent_req *subreq) +{ + errno_t ret; + int http_code; + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct ccdb_sec_create_state *state = tevent_req_data(req, + struct ccdb_sec_create_state); + + ret = tcurl_http_recv(state, subreq, &http_code, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Communication with the secrets responder failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + /* Conflict is not an error as multiple ccaches are under the same + * container */ + if (http_code == 409) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Container already exists, ignoring\n"); + } else if (http_code != 200) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to create the ccache container\n"); + ret = http2errno(http_code); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "ccache container created\n"); + DEBUG(SSSDBG_TRACE_INTERNAL, "creating empty ccache payload\n"); + + subreq = tcurl_http_send(state, + state->ev, + state->secdb->tctx, + TCURL_HTTP_PUT, + SSSD_SECRETS_SOCKET, + state->key_url, + sec_headers, + state->ccache_payload, + SEC_TIMEOUT); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ccdb_sec_ccache_done, req); +} + +static void ccdb_sec_ccache_done(struct tevent_req *subreq) +{ + errno_t ret; + int http_code; + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct ccdb_sec_create_state *state = tevent_req_data(req, + struct ccdb_sec_create_state); + + ret = tcurl_http_recv(state, subreq, &http_code, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Communication with the secrets responder failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (http_code != 200) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to add the payload\n"); + ret = http2errno(http_code); 
+ tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "payload created\n"); + tevent_req_done(req); +} + +static errno_t ccdb_sec_create_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +struct ccdb_sec_mod_cred_state { + struct tevent_context *ev; + struct kcm_ccdb *db; + struct cli_creds *client; + struct kcm_mod_ctx *mod_cc; + + struct ccdb_sec *secdb; +}; + +static void ccdb_sec_mod_cred_get_done(struct tevent_req *subreq); +static void ccdb_sec_mod_cred_patch_done(struct tevent_req *subreq); + +static struct tevent_req *ccdb_sec_mod_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid, + struct kcm_mod_ctx *mod_cc) +{ + errno_t ret; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct ccdb_sec_mod_cred_state *state = NULL; + struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec); + + req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_mod_cred_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->db =db; + state->client = client; + state->secdb = secdb; + state->mod_cc = mod_cc; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Modifying ccache\n"); + + subreq = sec_get_ccache_send(state, ev, secdb, client, NULL, uuid); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, *ccdb_sec_mod_cred_get_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ccdb_sec_mod_cred_get_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ccdb_sec_mod_cred_state *state = tevent_req_data(req, + struct ccdb_sec_mod_cred_state); + struct kcm_ccache *cc; + const char *url; + struct sss_iobuf *payload; + + ret = sec_get_ccache_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + 
DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve the ccache [%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (cc == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No such ccache\n"); + tevent_req_error(req, ERR_NO_CREDS); + return; + } + + kcm_mod_cc(cc, state->mod_cc); + + ret = kcm_ccache_to_sec_input(state, cc, state->client, &url, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to marshall modified ccache to payload [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = sec_patch_send(state, + state->ev, + state->secdb, + state->client, + url, + payload); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ccdb_sec_mod_cred_patch_done, req); +} + +static void ccdb_sec_mod_cred_patch_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + + ret = sec_patch_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sec_patch request failed [%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "ccache modified\n"); + tevent_req_done(req); +} + +static errno_t ccdb_sec_mod_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +struct ccdb_sec_store_cred_state { + struct tevent_context *ev; + struct kcm_ccdb *db; + struct cli_creds *client; + struct sss_iobuf *cred_blob; + + struct ccdb_sec *secdb; +}; + +static void ccdb_sec_store_cred_get_done(struct tevent_req *subreq); +static void ccdb_sec_store_cred_patch_done(struct tevent_req *subreq); + +/* HTTP DEL/PUT $base/ccache/uuid:name */ +static struct tevent_req *ccdb_sec_store_cred_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid, + struct sss_iobuf *cred_blob) +{ + errno_t ret; + struct tevent_req *req = 
NULL; + struct tevent_req *subreq = NULL; + struct ccdb_sec_store_cred_state *state = NULL; + struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec); + + req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_store_cred_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->db =db; + state->client = client; + state->cred_blob = cred_blob; + state->secdb = secdb; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Storing creds in ccache\n"); + + subreq = sec_get_ccache_send(state, ev, secdb, client, NULL, uuid); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, *ccdb_sec_store_cred_get_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ccdb_sec_store_cred_get_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ccdb_sec_store_cred_state *state = tevent_req_data(req, + struct ccdb_sec_store_cred_state); + struct kcm_ccache *cc; + const char *url; + struct sss_iobuf *payload; + + ret = sec_get_ccache_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + ret = kcm_cc_store_cred_blob(cc, state->cred_blob); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot store credentials to ccache [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + ret = kcm_ccache_to_sec_input(state, cc, state->client, &url, &payload); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to marshall modified ccache to payload [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = sec_patch_send(state, + state->ev, + state->secdb, + state->client, + url, + payload); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ccdb_sec_store_cred_patch_done, req); +} + +static 
void ccdb_sec_store_cred_patch_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + + ret = sec_patch_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sec_patch request failed [%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "ccache creds stored\n"); + tevent_req_done(req); +} + +static errno_t ccdb_sec_store_cred_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +/* HTTP DELETE $base/ccache/uuid:name */ +struct ccdb_sec_delete_state { + struct tevent_context *ev; + struct ccdb_sec *secdb; + struct cli_creds *client; + uuid_t uuid; + + size_t sec_key_list_len; +}; + +static void ccdb_sec_delete_list_done(struct tevent_req *subreq); +static void ccdb_sec_delete_cc_done(struct tevent_req *subreq); +static void ccdb_sec_delete_container_done(struct tevent_req *subreq); + +static struct tevent_req *ccdb_sec_delete_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_ccdb *db, + struct cli_creds *client, + uuid_t uuid) +{ + errno_t ret; + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct ccdb_sec_delete_state *state = NULL; + struct ccdb_sec *secdb = talloc_get_type(db->db_handle, struct ccdb_sec); + + req = tevent_req_create(mem_ctx, &state, struct ccdb_sec_delete_state); + if (req == NULL) { + return NULL; + } + state->ev = ev; + state->secdb = secdb; + state->client = client; + uuid_copy(state->uuid, uuid); + + DEBUG(SSSDBG_TRACE_INTERNAL, "Deleting ccache\n"); + + subreq = sec_list_send(state, ev, secdb, client); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, ccdb_sec_delete_list_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void ccdb_sec_delete_list_done(struct tevent_req *subreq) 
+{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ccdb_sec_delete_state *state = tevent_req_data(req, + struct ccdb_sec_delete_state); + const char **sec_key_list; + const char *sec_key; + const char *cc_url; + + ret = sec_list_recv(subreq, + state, + &sec_key_list, + &state->sec_key_list_len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + if (state->sec_key_list_len == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "No ccaches to delete\n"); + tevent_req_done(req); + return; + } + + sec_key = find_by_uuid(sec_key_list, state->uuid); + if (sec_key == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find ccache by UUID\n"); + tevent_req_done(req); + return; + } + + cc_url = sec_cc_url_create(state, state->client, sec_key); + if (cc_url == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + subreq = tcurl_http_send(state, state->ev, + state->secdb->tctx, + TCURL_HTTP_DELETE, + SSSD_SECRETS_SOCKET, + cc_url, + sec_headers, + NULL, + SEC_TIMEOUT); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ccdb_sec_delete_cc_done, req); +} + +static void ccdb_sec_delete_cc_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ccdb_sec_delete_state *state = tevent_req_data(req, + struct ccdb_sec_delete_state); + int http_code; + const char *container_url; + + ret = tcurl_http_recv(state, subreq, &http_code, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot delete ccache [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (http_code != 200) { + ret = http2errno(http_code); + tevent_req_error(req, ret); + return; + } + + if (state->sec_key_list_len != 1) { + DEBUG(SSSDBG_TRACE_INTERNAL, "There are other ccaches, done\n"); + tevent_req_done(req); + return; + } + + 
DEBUG(SSSDBG_TRACE_INTERNAL, "Removing ccache container\n"); + + container_url = sec_container_url_create(state, state->client); + if (container_url == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + subreq = tcurl_http_send(state, state->ev, + state->secdb->tctx, + TCURL_HTTP_DELETE, + SSSD_SECRETS_SOCKET, + container_url, + sec_headers, + NULL, + SEC_TIMEOUT); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, ccdb_sec_delete_container_done, req); +} + +static void ccdb_sec_delete_container_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ccdb_sec_delete_state *state = tevent_req_data(req, + struct ccdb_sec_delete_state); + int http_code; + + ret = tcurl_http_recv(state, subreq, &http_code, NULL); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot delete ccache container [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (http_code != 200) { + ret = http2errno(http_code); + tevent_req_error(req, ret); + return; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Removed ccache container\n"); + tevent_req_done(req); +} + +static errno_t ccdb_sec_delete_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +const struct kcm_ccdb_ops ccdb_sec_ops = { + .init = ccdb_sec_init, + + .nextid_send = ccdb_sec_nextid_send, + .nextid_recv = ccdb_sec_nextid_recv, + + .set_default_send = ccdb_sec_set_default_send, + .set_default_recv = ccdb_sec_set_default_recv, + + .get_default_send = ccdb_sec_get_default_send, + .get_default_recv = ccdb_sec_get_default_recv, + + .list_send = ccdb_sec_list_send, + .list_recv = ccdb_sec_list_recv, + + .getbyname_send = ccdb_sec_getbyname_send, + .getbyname_recv = ccdb_sec_getbyname_recv, + + .getbyuuid_send = ccdb_sec_getbyuuid_send, + .getbyuuid_recv = ccdb_sec_getbyuuid_recv, + + .name_by_uuid_send = 
ccdb_sec_name_by_uuid_send, + .name_by_uuid_recv = ccdb_sec_name_by_uuid_recv, + + .uuid_by_name_send = ccdb_sec_uuid_by_name_send, + .uuid_by_name_recv = ccdb_sec_uuid_by_name_recv, + + .create_send = ccdb_sec_create_send, + .create_recv = ccdb_sec_create_recv, + + .mod_send = ccdb_sec_mod_send, + .mod_recv = ccdb_sec_mod_recv, + + .store_cred_send = ccdb_sec_store_cred_send, + .store_cred_recv = ccdb_sec_store_cred_recv, + + .delete_send = ccdb_sec_delete_send, + .delete_recv = ccdb_sec_delete_recv, +}; diff --git a/src/responder/kcm/kcmsrv_cmd.c b/src/responder/kcm/kcmsrv_cmd.c new file mode 100644 index 0000000..421bf4b --- /dev/null +++ b/src/responder/kcm/kcmsrv_cmd.c 
@@ -0,0 +1,656 @@ +/* + SSSD + + KCM Server - the KCM server request and reply parsing and dispatching + + Copyright (C) Red Hat, 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "config.h" +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/kcm/kcmsrv_pvt.h" +#include "responder/kcm/kcm.h" +#include "responder/kcm/kcmsrv_ops.h" + +/* The first four bytes of a message is always the size */ +#define KCM_MSG_LEN_SIZE 4 + +/* The return code is 32bits */ +#define KCM_RETCODE_SIZE 4 + +/* The maximum length of a request or reply as defined by the RPC + * protocol. 
This is the same constant size as MIT KRB5 uses + */ +#define KCM_PACKET_MAX_SIZE 10*1024*1024 + +/* KCM operation, its raw input and raw output and result */ +struct kcm_op_io { + struct kcm_op *op; + struct kcm_data request; + struct sss_iobuf *reply; +}; + +/** + * KCM IO-vector operations + */ +struct kcm_iovec { + /* We don't use iovec b/c void pointers don't allow for + * pointer arithmetics and it's convenient to keep track + * of processed bytes + */ + uint8_t *kiov_base; + size_t kiov_len; + size_t nprocessed; +}; + +static errno_t kcm_iovec_op(int fd, struct kcm_iovec *kiov, bool do_read) +{ + ssize_t len; + struct iovec iov[1]; + + iov[0].iov_base = kiov->kiov_base + kiov->nprocessed; + iov[0].iov_len = kiov->kiov_len - kiov->nprocessed; + if (iov[0].iov_len == 0) { + /* This iovec is full (read) or depleted (write), proceed to the next one */ + return EOK; + } + + if (do_read) { + len = readv(fd, iov, 1); + } else { + len = writev(fd, iov, 1); + } + + if (len == -1) { + if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) { + return EAGAIN; + } else { + return errno; + } + } + + if (len == 0) { + /* Read event on fd that doesn't yield data? 
error */ + return ENODATA; + } + + /* Decrease the amount of available free space in the iovec */ + kiov->nprocessed += len; + return EOK; +} + +static errno_t kcm_read_iovec(int fd, struct kcm_iovec *kiov) +{ + return kcm_iovec_op(fd, kiov, true); +} + +static errno_t kcm_write_iovec(int fd, struct kcm_iovec *kiov) +{ + return kcm_iovec_op(fd, kiov, false); +} + +/** + * Parsing KCM input + * + * The request is received as two IO vectors: + * + * first iovec: + * length 32-bit big-endian integer + * + * second iovec: + * major protocol number 8-bit big-endian integer + * minor protocol number 8-bit big-endian integer + * opcode 16-bit big-endian integer + * message payload buffer + */ +struct kcm_reqbuf { + uint8_t lenbuf[KCM_MSG_LEN_SIZE]; + struct kcm_iovec v_len; + + /* Includes the major, minor versions etc */ + struct kcm_iovec v_msg; +}; + +static uint32_t kcm_input_get_payload_len(struct kcm_iovec *v) +{ + size_t lc = 0; + uint32_t len_be = 0; + + /* The first 4 bytes before the payload is message length */ + SAFEALIGN_COPY_UINT32_CHECK(&len_be, v->kiov_base, v->kiov_len, &lc); + + return be32toh(len_be); +} + +static errno_t kcm_input_parse(struct kcm_reqbuf *reqbuf, + struct kcm_op_io *op_io) +{ + size_t mc = 0; + uint16_t opcode_be = 0; + uint32_t msglen; + uint8_t proto_maj = 0; + uint8_t proto_min = 0; + + msglen = kcm_input_get_payload_len(&reqbuf->v_len); + DEBUG(SSSDBG_TRACE_LIBS, + "Received message with length %"PRIu32"\n", msglen); + + if (msglen == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Illegal zero-length message\n"); + return EBADMSG; + } + + if (msglen != reqbuf->v_msg.nprocessed) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Sender claims the message is %"PRIu32" bytes, " + "but received %zu\n", + msglen, reqbuf->v_msg.nprocessed); + return EBADMSG; + } + + /* First 16 bits are 8 bit major and 8bit minor protocol version */ + SAFEALIGN_COPY_UINT8_CHECK(&proto_maj, + reqbuf->v_msg.kiov_base + mc, + reqbuf->v_msg.kiov_len, + &mc); + 
SAFEALIGN_COPY_UINT8_CHECK(&proto_min, + reqbuf->v_msg.kiov_base + mc, + reqbuf->v_msg.kiov_len, + &mc); + + if (proto_maj != KCM_PROTOCOL_VERSION_MAJOR) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected major version %d, got %"PRIu16"\n", + KCM_PROTOCOL_VERSION_MAJOR, (uint16_t) proto_maj); + return ERR_KCM_MALFORMED_IN_PKT; + } + + if (proto_min != KCM_PROTOCOL_VERSION_MINOR) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected minor version %d, got %"PRIu16"\n", + KCM_PROTOCOL_VERSION_MINOR, (uint16_t) proto_maj); + return ERR_KCM_MALFORMED_IN_PKT; + } + + SAFEALIGN_COPY_UINT16_CHECK(&opcode_be, + reqbuf->v_msg.kiov_base + mc, + reqbuf->v_msg.kiov_len, + &mc); + + op_io->op = kcm_get_opt(be16toh(opcode_be)); + if (op_io->op == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Did not find a KCM operation handler for the requested opcode\n"); + return ERR_KCM_MALFORMED_IN_PKT; + } + + /* The operation only receives the payload, not the opcode or the protocol info */ + op_io->request.data = reqbuf->v_msg.kiov_base + mc; + op_io->request.length = reqbuf->v_msg.nprocessed - mc; + + return EOK; +} + +/** + * Constructing a reply for failure and success + * + * The reply consists of three IO vectors: + * 1) length iovec: + * length: 32-bit big-endian + * + * 2) return code iovec: + * retcode: 32-bit big-endian. Non-zero on failure in the KCM server, + * zero if the KCM operation ran (even if the operation itself + * failed) + * + * 3) reply iovec + * message: buffer, first 32-bits of the buffer is the return code of + * the KCM operation, the rest depends on the operation itself. + * The buffer's length is specified by the first integer in the + * reply (very intuitive, right?) + * + * The client always reads the length and return code iovectors. 
However, the + * client reads the reply iovec only if retcode is 0 in the return code iovector + * (see kcmio_unix_socket_read() in the MIT tree) + */ +struct kcm_repbuf { + uint8_t lenbuf[KCM_MSG_LEN_SIZE]; + struct kcm_iovec v_len; + + uint8_t rcbuf[KCM_RETCODE_SIZE]; + struct kcm_iovec v_rc; + + struct kcm_iovec v_msg; +}; + +static errno_t kcm_failbuf_construct(errno_t ret, + struct kcm_repbuf *repbuf) +{ + size_t c; + + c = 0; + SAFEALIGN_SETMEM_UINT32(repbuf->lenbuf, 0, &c); + c = 0; + SAFEALIGN_SETMEM_UINT32(repbuf->rcbuf, htobe32(ret), &c); + + DEBUG(SSSDBG_TRACE_LIBS, "Sent reply with error %d\n", ret); + return EOK; +} + +/* retcode is 0 if the operation at least ran, non-zero if there + * was some kind of internal KCM error, like input couldn't be parsed + */ +static errno_t kcm_output_construct(TALLOC_CTX *mem_ctx, + struct kcm_op_io *op_io, + struct kcm_repbuf *repbuf) +{ + uint8_t *rep; + size_t replen; + size_t c; + + replen = sss_iobuf_get_len(op_io->reply); + if (replen > KCM_PACKET_MAX_SIZE) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Reply exceeds the KCM protocol limit, aborting\n"); + return E2BIG; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "Sending a reply with %zu bytes of payload\n", replen); + c = 0; + SAFEALIGN_SETMEM_UINT32(repbuf->lenbuf, htobe32(replen), &c); + + c = 0; + SAFEALIGN_SETMEM_UINT32(repbuf->rcbuf, 0, &c); + + if (replen > 0) { + rep = talloc_zero_array(mem_ctx, uint8_t, replen); + if (rep == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate memory for the message\n"); + return ENOMEM; + } + + c = 0; + SAFEALIGN_MEMCPY_CHECK(rep, + sss_iobuf_get_data(op_io->reply), + replen, + replen, + &c); + + /* Set the buffer and its length to send to KCM client */ + repbuf->v_msg.kiov_base = rep; + repbuf->v_msg.kiov_len = replen; + } + + return EOK; +} + +/** + * Construct a reply buffer and send it to the KCM client + */ +static void kcm_reply_error(struct cli_ctx *cctx, + errno_t retcode, + struct kcm_repbuf *repbuf) +{ + errno_t ret; + 
krb5_error_code kerr; + + DEBUG(SSSDBG_OP_FAILURE, + "KCM operation returs failure [%d]: %s\n", + retcode, sss_strerror(retcode)); + kerr = sss2krb5_error(retcode); + + ret = kcm_failbuf_construct(kerr, repbuf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot construct the reply buffer, terminating client\n"); + talloc_free(cctx); + return; + } + + TEVENT_FD_WRITEABLE(cctx->cfde); +} + +/** + * Request-reply dispatcher + */ +struct kcm_req_ctx { + /* client context owns per-client buffers including this one */ + struct cli_ctx *cctx; + + /* raw IO buffers */ + struct kcm_reqbuf reqbuf; + struct kcm_repbuf repbuf; + + /* long-lived responder structures */ + struct kcm_ctx *kctx; + + struct kcm_op_io op_io; +}; + +static void kcm_send_reply(struct kcm_req_ctx *req_ctx) +{ + struct cli_ctx *cctx; + errno_t ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Sending a reply\n"); + + cctx = req_ctx->cctx; + + ret = kcm_output_construct(cctx, &req_ctx->op_io, &req_ctx->repbuf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot construct the reply buffer, terminating client\n"); + kcm_reply_error(cctx, ret, &req_ctx->repbuf); + return; + } + + TEVENT_FD_WRITEABLE(cctx->cfde); +} + +static void kcm_cmd_request_done(struct tevent_req *req); + +static errno_t kcm_cmd_dispatch(struct kcm_ctx *kctx, + struct kcm_req_ctx *req_ctx) +{ + struct tevent_req *req; + struct cli_ctx *cctx; + + cctx = req_ctx->cctx; + + req = kcm_cmd_send(req_ctx, + cctx->ev, + kctx->qctx, + req_ctx->kctx->kcm_data, + req_ctx->cctx->creds, + &req_ctx->op_io.request, + req_ctx->op_io.op); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to schedule KCM operation.\n"); + return ENOMEM; + } + + tevent_req_set_callback(req, kcm_cmd_request_done, req_ctx); + return EOK; +} + +static void kcm_cmd_request_done(struct tevent_req *req) +{ + struct kcm_req_ctx *req_ctx; + errno_t ret; + + req_ctx = tevent_req_callback_data(req, struct kcm_req_ctx); + + ret = kcm_cmd_recv(req_ctx, req, + 
&req_ctx->op_io.reply); + talloc_free(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "KCM operation failed [%d]: %s\n", ret, sss_strerror(ret)); + kcm_reply_error(req_ctx->cctx, ret, &req_ctx->repbuf); + return; + } + + kcm_send_reply(req_ctx); +} + +static errno_t kcm_recv_data(TALLOC_CTX *mem_ctx, + int fd, + struct kcm_reqbuf *reqbuf) +{ + uint8_t *msg; + uint32_t msglen; + errno_t ret; + + ret = kcm_read_iovec(fd, &reqbuf->v_len); + if (ret != EOK) { + /* Not all errors are fatal, hence we don't print DEBUG messages + * here, but in the caller + */ + return ret; + } + + msglen = kcm_input_get_payload_len(&reqbuf->v_len); + if (msglen > KCM_PACKET_MAX_SIZE) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Request exceeds the KCM protocol limit, aborting\n"); + return E2BIG; + } + + msg = talloc_zero_array(mem_ctx, uint8_t, msglen); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate memory for the message\n"); + return ENOMEM; + } + + /* Set the buffer and its expected len to receive the data */ + reqbuf->v_msg.kiov_base = msg; + reqbuf->v_msg.kiov_len = msglen; + + ret = kcm_read_iovec(fd, &reqbuf->v_msg); + if (ret != EOK) { + /* Not all errors are fatal, hence we don't print DEBUG messages + * here, but in the caller + */ + return ret; + } + + return EOK; +} + +/* Mind that kcm_new_req() does not take a mem_ctx argument on purpose as we + * really want the cctx to be the memory context here so that if the client + * disconnects, the request goes away. 
*/
+static struct kcm_req_ctx *kcm_new_req(struct cli_ctx *cctx,
+ struct kcm_ctx *kctx)
+{
+ struct kcm_req_ctx *req;
+
+ req = talloc_zero(cctx, struct kcm_req_ctx);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ req->reqbuf.v_len.kiov_base = req->reqbuf.lenbuf;
+ req->reqbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
+
+ req->repbuf.v_len.kiov_base = req->repbuf.lenbuf;
+ req->repbuf.v_len.kiov_len = KCM_MSG_LEN_SIZE;
+
+ req->repbuf.v_rc.kiov_base = req->repbuf.rcbuf;
+ req->repbuf.v_rc.kiov_len = KCM_RETCODE_SIZE;
+
+ req->cctx = cctx;
+ req->kctx = kctx;
+
+ return req;
+}
+
+static void kcm_recv(struct cli_ctx *cctx)
+{
+ struct kcm_req_ctx *req;
+ struct kcm_ctx *kctx;
+ int ret;
+
+ kctx = talloc_get_type(cctx->rctx->pvt_ctx, struct kcm_ctx);
+ req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
+ if (req == NULL) {
+ /* A new request comes in, setup data structures. */
+ req = kcm_new_req(cctx, kctx);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot set up client connection\n");
+ talloc_free(cctx);
+ return;
+ }
+
+ cctx->state_ctx = req;
+ }
+
+ ret = kcm_recv_data(req, cctx->cfd, &req->reqbuf);
+ switch (ret) {
+ case ENODATA:
+ DEBUG(SSSDBG_TRACE_ALL, "Client closed connection.\n");
+ talloc_free(cctx);
+ return;
+ case EAGAIN:
+ DEBUG(SSSDBG_TRACE_ALL, "Retry later\n");
+ return;
+ case EOK:
+ /* all fine */
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to receive data (%d, %s), aborting client\n",
+ ret, sss_strerror(ret));
+ talloc_free(cctx);
+ return;
+ }
+
+ ret = kcm_input_parse(&req->reqbuf, &req->op_io);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to parse data (%d, %s), aborting client\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ /* do not read anymore, client is done sending */
+ TEVENT_FD_NOT_READABLE(cctx->cfde);
+
+ ret = kcm_cmd_dispatch(kctx, req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to dispatch KCM operation [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto fail;
+ }
+
+ /* Dispatched request resumes in kcm_cmd_request_done */
+ return;
+
+fail:
+ /* Fail with reply */
+ kcm_reply_error(cctx, ret, &req->repbuf);
+}
+
+static int kcm_send_data(struct cli_ctx *cctx)
+{
+ struct kcm_req_ctx *req;
+ errno_t ret;
+
+ req = talloc_get_type(cctx->state_ctx, struct kcm_req_ctx);
+
+ ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_len);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to write the length iovec [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_rc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to write the retcode iovec [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = kcm_write_iovec(cctx->cfd, &req->repbuf.v_msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to write the msg iovec [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static void kcm_send(struct cli_ctx *cctx)
+{
+ errno_t ret;
+
+ ret = kcm_send_data(cctx);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_TRACE_ALL, "Sending data again..\n");
+ return;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to send data, aborting client!\n");
+ talloc_free(cctx);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "All data sent!\n");
+ TEVENT_FD_NOT_WRITEABLE(cctx->cfde);
+ TEVENT_FD_READABLE(cctx->cfde);
+ talloc_zfree(cctx->state_ctx);
+ return;
+}
+
+static void kcm_fd_handler(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags, void *ptr)
+{
+ sss_client_fd_handler(ptr, kcm_recv, kcm_send, flags);
+}
+
+int kcm_connection_setup(struct cli_ctx *cctx)
+{
+ cctx->cfd_handler = kcm_fd_handler;
+ return EOK;
+}
+
+krb5_error_code sss2krb5_error(errno_t err)
+{
+ switch (err) {
+ case EOK:
+ return 0;
+ case ENOMEM:
+ return KRB5_CC_NOMEM;
+ case EACCES:
+ return KRB5_FCC_PERM;
+ case ERR_KCM_OP_NOT_IMPLEMENTED:
+ return KRB5_CC_NOSUPP;
+ case ERR_WRONG_NAME_FORMAT:
+ return KRB5_CC_BADNAME;
+ case ERR_NO_MATCHING_CREDS:
+ return KRB5_FCC_NOFILE;
+ case ERR_NO_CREDS:
+ return KRB5_CC_NOTFOUND;
+ case ERR_KCM_CC_END:
+ return KRB5_CC_END;
+ case ERR_KCM_MALFORMED_IN_PKT:
+ case EINVAL:
+ case EIO:
+ return KRB5_CC_IO;
+ }
+
+ return KRB5_FCC_INTERNAL;
+}
+
+/* Dummy, not used here but required to link to other responder files */
+struct cli_protocol_version *register_cli_protocol_version(void)
+{
+ return NULL;
+}
diff --git a/src/responder/kcm/kcmsrv_op_queue.c b/src/responder/kcm/kcmsrv_op_queue.c
new file mode 100644
index 0000000..ee1aa47
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_op_queue.c
@@ -0,0 +1,326 @@
+/*
+ SSSD
+
+ KCM Server - the KCM operations wait queue
+
+ Copyright (C) Red Hat, 2017
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/util_creds.h"
+#include "responder/kcm/kcmsrv_pvt.h"
+
+#define QUEUE_HASH_SIZE 32
+
+struct kcm_ops_queue_entry {
+ struct tevent_req *req;
+
+ struct kcm_ops_queue *queue;
+
+ struct kcm_ops_queue_entry *next;
+ struct kcm_ops_queue_entry *prev;
+};
+
+struct kcm_ops_queue {
+ uid_t uid;
+ struct tevent_context *ev;
+ struct kcm_ops_queue_ctx *qctx;
+
+ struct kcm_ops_queue_entry *head;
+};
+
+struct kcm_ops_queue_ctx {
+ /* UID:kcm_ops_queue */
+ hash_table_t *wait_queue_hash;
+};
+
+/*
+ * Per-UID wait queue
+ *
+ * They key in the hash table is the UID of the peer. The value of each
+ * hash table entry is kcm_ops_queue structure which in turn contains a
+ * linked list of kcm_ops_queue_entry structures * which primarily hold the
+ * tevent request being queued.
+ */
+struct kcm_ops_queue_ctx *kcm_ops_queue_create(TALLOC_CTX *mem_ctx)
+{
+ errno_t ret;
+ struct kcm_ops_queue_ctx *queue_ctx;
+
+ queue_ctx = talloc_zero(mem_ctx, struct kcm_ops_queue_ctx);
+ if (queue_ctx == NULL) {
+ return NULL;
+ }
+
+ ret = sss_hash_create_ex(mem_ctx, QUEUE_HASH_SIZE,
+ &queue_ctx->wait_queue_hash, 0, 0, 0, 0,
+ NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_hash_create failed [%d]: %s\n", ret, sss_strerror(ret));
+ talloc_free(queue_ctx);
+ return NULL;
+ }
+
+ return queue_ctx;
+}
+
+void queue_removal_cb(struct tevent_context *ctx,
+ struct tevent_immediate *imm,
+ void *private_data)
+{
+ struct kcm_ops_queue *kq = talloc_get_type(private_data,
+ struct kcm_ops_queue);
+ int ret;
+ hash_key_t key;
+
+ talloc_free(imm);
+
+ if (kq->head != NULL) {
+ DEBUG(SSSDBG_TRACE_LIBS, "The queue is no longer empty\n");
+ return;
+ }
+
+ key.type = HASH_KEY_ULONG;
+ key.ul = kq->uid;
+
+ /* If this was the last entry, remove the key (the UID) from the
+ * hash table to signal the queue is empty
+ */
+ ret = hash_delete(kq->qctx->wait_queue_hash, &key);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to remove wait queue for user %"SPRIuid"\n",
+ kq->uid);
+ return;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Removed queue for %"SPRIuid" \n", kq->uid);
+ talloc_free(kq);
+}
+
+static int kcm_op_queue_entry_destructor(struct kcm_ops_queue_entry *entry)
+{
+ struct kcm_ops_queue_entry *next_entry;
+ struct tevent_immediate *imm;
+
+ if (entry == NULL) {
+ return 1;
+ }
+
+ /* Take the next entry from the queue */
+ next_entry = entry->next;
+
+ /* Remove the current entry from the queue */
+ DLIST_REMOVE(entry->queue->head, entry);
+
+ if (next_entry == NULL) {
+ /* If there was no other entry, schedule removal of the queue. Do it
+ * in another tevent tick to avoid issues with callbacks invoking
+ * the descructor while another request is touching the queue
+ */
+ imm = tevent_create_immediate(entry->queue);
+ if (imm == NULL) {
+ return 1;
+ }
+
+ tevent_schedule_immediate(imm, entry->queue->ev, queue_removal_cb, entry->queue);
+ return 0;
+ }
+
+ /* Otherwise, mark the current head as done to run the next request */
+ tevent_req_done(next_entry->req);
+ return 0;
+}
+
+static struct kcm_ops_queue *kcm_op_queue_get(struct kcm_ops_queue_ctx *qctx,
+ struct tevent_context *ev,
+ uid_t uid)
+{
+ errno_t ret;
+ hash_key_t key;
+ hash_value_t value;
+ struct kcm_ops_queue *kq;
+
+ key.type = HASH_KEY_ULONG;
+ key.ul = uid;
+
+ ret = hash_lookup(qctx->wait_queue_hash, &key, &value);
+ switch (ret) {
+ case HASH_SUCCESS:
+ if (value.type != HASH_VALUE_PTR) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected hash value type.\n");
+ return NULL;
+ }
+
+ kq = talloc_get_type(value.ptr, struct kcm_ops_queue);
+ if (kq == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid queue pointer\n");
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Found existing queue for this ID\n");
+ break;
+
+ case HASH_ERROR_KEY_NOT_FOUND:
+ /* No request for this UID yet. Enqueue this request in case
+ * another one comes in and return EOK to run the current request
+ * immediately
+ */
+ DEBUG(SSSDBG_TRACE_LIBS, "No existing queue for this ID\n");
+
+ kq = talloc_zero(qctx->wait_queue_hash, struct kcm_ops_queue);
+ if (kq == NULL) {
+ return NULL;
+ }
+ kq->uid = uid;
+ kq->qctx = qctx;
+ kq->ev = ev;
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = kq;
+
+ ret = hash_enter(qctx->wait_queue_hash, &key, &value);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "hash_enter failed.\n");
+ return NULL;
+ }
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "hash_lookup failed.\n");
+ return NULL;
+ }
+
+ return kq;
+}
+
+struct kcm_op_queue_state {
+ struct kcm_ops_queue_entry *entry;
+};
+
+static errno_t kcm_op_queue_add_req(struct kcm_ops_queue *kq,
+ struct tevent_req *req);
+
+/*
+ * Enqueue a request.
+ *
+ * If the request queue /for the given ID/ is empty, that is, if this
+ * request is the first one in the queue, run the request immediately.
+ *
+ * Otherwise just add it to the queue and wait until the previous request
+ * finishes and only at that point mark the current request as done, which
+ * will trigger calling the recv function and allow the request to continue.
+ */
+struct tevent_req *kcm_op_queue_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ops_queue_ctx *qctx,
+ struct cli_creds *client)
+{
+ errno_t ret;
+ struct tevent_req *req;
+ struct kcm_ops_queue *kq;
+ struct kcm_op_queue_state *state;
+ uid_t uid;
+
+ uid = cli_creds_get_uid(client);
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_op_queue_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Adding request by %"SPRIuid" to the wait queue\n", uid);
+
+ kq = kcm_op_queue_get(qctx, ev, uid);
+ if (kq == NULL) {
+ ret = EIO;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get queue [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ ret = kcm_op_queue_add_req(kq, req);
+ if (ret == EOK) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Queue was empty, running the request immediately\n");
+ goto immediate;
+ } else if (ret != EAGAIN) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot enqueue request [%d]: %s\n", ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Waiting our turn in the queue\n");
+ return req;
+
+immediate:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t kcm_op_queue_add_req(struct kcm_ops_queue *kq,
+ struct tevent_req *req)
+{
+ errno_t ret;
+ struct kcm_op_queue_state *state = tevent_req_data(req,
+ struct kcm_op_queue_state);
+
+ state->entry = talloc_zero(kq->qctx->wait_queue_hash, struct kcm_ops_queue_entry);
+ if (state->entry == NULL) {
+ return ENOMEM;
+ }
+ state->entry->req = req;
+ state->entry->queue = kq;
+ talloc_set_destructor(state->entry, kcm_op_queue_entry_destructor);
+
+ if (kq->head == NULL) {
+ /* First entry, will run callback at once */
+ ret = EOK;
+ } else {
+ /* Will wait for the previous callbacks to finish */
+ ret = EAGAIN;
+ }
+
+ DLIST_ADD_END(kq->head, state->entry, struct kcm_ops_queue_entry *);
+ return ret;
+}
+
+/*
+ * The queue recv function is called when this request is 'activated'. The queue
+ * entry should be allocated on the same memory context as the enqueued request
+ * to trigger freeing the kcm_ops_queue_entry structure destructor when the
+ * parent request is done and its tevent_req freed. This would in turn unblock
+ * the next request in the queue
+ */
+errno_t kcm_op_queue_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ops_queue_entry **_entry)
+{
+ struct kcm_op_queue_state *state = tevent_req_data(req,
+ struct kcm_op_queue_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_entry = talloc_steal(mem_ctx, state->entry);
+ return EOK;
+}
diff --git a/src/responder/kcm/kcmsrv_ops.c b/src/responder/kcm/kcmsrv_ops.c
new file mode 100644
index 0000000..1e229ad
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_ops.c
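Review bot: The queue entry in `kcm_op_queue_add_req` (kcmsrv_op_queue.c) is allocated on `kq->qctx->wait_queue_hash` rather than on the request state, so an entry that is still waiting stays linked with a stale `req` pointer if its `tevent_req` is freed before `kcm_op_queue_recv` steals the entry; whether a caller can free a queued request, for example on client disconnect, is decided outside this hunk, so that part is inferred. In that case the destructor of the preceding entry would call `tevent_req_done(next_entry->req)` on freed memory, in a daemon that serves credential caches for every local UID. The comment above `kcm_op_queue_recv` already asks for the entry to share the request's memory context, which `state->entry = talloc_zero(state, struct kcm_ops_queue_entry);` would give; the destructor would then need to wake the successor only when the removed entry was the head, e.g. by testing `entry->queue->head == entry` before `DLIST_REMOVE`, so that serialization per UID is kept. Separately, `kcm_op_queue_get` returns NULL without `talloc_free(kq)` when `hash_enter` fails, which leaves the new queue allocated on the hash table's context.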
@@ -0,0 +1,1987 @@
+/*
+ SSSD
+
+ KCM Server - the KCM server operations
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+
+#include "util/sss_iobuf.h"
+#include "util/sss_krb5.h"
+#include "util/util_creds.h"
+#include "responder/kcm/kcm.h"
+#include "responder/kcm/kcmsrv_pvt.h"
+#include "responder/kcm/kcmsrv_ops.h"
+#include "responder/kcm/kcmsrv_ccache.h"
+
+/* This limit comes from:
+ * https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c#L53
+ */
+#define KCM_REPLY_MAX 10*1024*1024
+
+struct kcm_op_ctx {
+ struct kcm_resp_ctx *kcm_data;
+ struct cli_creds *client;
+
+ struct sss_iobuf *input;
+ struct sss_iobuf *reply;
+};
+
+/* Each operation follows the same pattern and is implemented using
+ * functions with this prototype. The operation receives an op_ctx
+ * that serves as a state of the operation and can be used to keep
+ * track of any temporary data. The operation writes its output data
+ * into the op_ctx reply IO buffer and returns the op_ret status code
+ * separately.
+ *
+ * The operation always returns EOK unless an internal error occurs,
+ * the result of the operation is stored in the op_ret variable
+ */
+typedef struct tevent_req*
+(*kcm_srv_send_method)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_op_ctx *op_ctx);
+typedef errno_t
+(*kcm_srv_recv_method)(struct tevent_req *req,
+ uint32_t *_op_ret);
+
+struct kcm_op {
+ const char *name;
+ kcm_srv_send_method fn_send;
+ kcm_srv_recv_method fn_recv;
+};
+
+struct kcm_cmd_state {
+ struct kcm_op *op;
+ struct tevent_context *ev;
+
+ struct kcm_ops_queue_entry *queue_entry;
+ struct kcm_op_ctx *op_ctx;
+ struct sss_iobuf *reply;
+
+ uint32_t op_ret;
+};
+
+static void kcm_cmd_queue_done(struct tevent_req *subreq);
+static void kcm_cmd_done(struct tevent_req *subreq);
+
+struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ops_queue_ctx *qctx,
+ struct kcm_resp_ctx *kcm_data,
+ struct cli_creds *client,
+ struct kcm_data *input,
+ struct kcm_op *op)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_cmd_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_cmd_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->op = op;
+ state->ev = ev;
+
+ if (op == NULL) {
+ ret = EINVAL;
+ goto immediate;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "KCM operation %s\n", op->name);
+ DEBUG(SSSDBG_TRACE_LIBS, "%zu bytes on KCM input\n", input->length);
+
+ state->reply = sss_iobuf_init_empty(state,
+ KCM_REPLY_MAX,
+ KCM_REPLY_MAX);
+ if (state->reply == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ if (op->fn_send == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "KCM op %s has no handler\n", kcm_opt_name(op));
+ ret = ERR_KCM_OP_NOT_IMPLEMENTED;
+ goto immediate;
+ }
+
+ /* Allocating op_ctx on the heap makes it possible for operations to use
+ * op_ctx as their temporary context and avoid tmp_ctx altogether
+ */
+ state->op_ctx = talloc_zero(state, struct kcm_op_ctx);
+ if (state->op_ctx == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ state->op_ctx->kcm_data = kcm_data;
+ state->op_ctx->client = client;
+
+ state->op_ctx->input = sss_iobuf_init_readonly(state->op_ctx,
+ input->data,
+ input->length);
+ if (state->op_ctx->input == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ /*
+ * The internal operation returns the opcode and the buffer separately.
+ * The KCM server reply to the client also always contains zero if the
+ * operation ran to completion, both are uint32_t.
+ * FIXME:
+ * Alternatively, we could extend iobuf API so that we can just pass
+ * the reply's buffer+sizeof(2*uint32_t) and avoid the useless allocations
+ */
+ state->op_ctx->reply = sss_iobuf_init_empty(
+ state,
+ KCM_REPLY_MAX - 2*sizeof(uint32_t),
+ KCM_REPLY_MAX - 2*sizeof(uint32_t));
+ if (state->reply == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ subreq = kcm_op_queue_send(state, ev, qctx, client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_cmd_queue_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_cmd_queue_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct kcm_cmd_state *state = tevent_req_data(req, struct kcm_cmd_state);
+ errno_t ret;
+
+ /* When this request finishes, it frees the queue_entry which unblocks
+ * other requests by the same UID
+ */
+ ret = kcm_op_queue_recv(subreq, state, &state->queue_entry);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot acquire queue slot\n");
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = state->op->fn_send(state, state->ev, state->op_ctx);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_cmd_done, req);
+}
+
+static void kcm_cmd_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req);
+ struct kcm_cmd_state *state = tevent_req_data(req, struct kcm_cmd_state);
+ errno_t ret;
+ krb5_error_code kerr;
+
+ ret = state->op->fn_recv(subreq, &state->op_ret);
+ talloc_free(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "op receive function failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "KCM operation %s returned [%d]: %s\n",
+ kcm_opt_name(state->op), state->op_ret, sss_strerror(state->op_ret));
+
+ kerr = sss2krb5_error(state->op_ret);
+
+ /* The first four bytes of the reply is the operation status code */
+ ret = sss_iobuf_write_uint32(state->reply, htobe32(kerr));
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ ret = sss_iobuf_write_len(state->reply,
+ sss_iobuf_get_data(state->op_ctx->reply),
+ sss_iobuf_get_len(state->op_ctx->reply));
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tevent_req_done(req);
+}
+
+errno_t kcm_cmd_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sss_iobuf **_reply)
+{
+ struct kcm_cmd_state *state = NULL;
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ state = tevent_req_data(req, struct kcm_cmd_state);
+
+ *_reply = talloc_steal(mem_ctx, state->reply);
+ return EOK;
+}
+
+/* ======= KCM operations ======= */
+
+/* Operations that don't return any extra information except for the op_ret
+ * can use this macro in the _recv function to avoid code duplication
+ */
+#define KCM_OP_RET_FROM_TYPE(req, state_type, _op_ret_out) do { \
+ state_type *state = NULL; \
+ state = tevent_req_data(req, state_type); \
+ TEVENT_REQ_RETURN_ON_ERROR(req); \
+ *_op_ret_out = state->op_ret; \
+ return EOK; \
+} while(0);
+
+struct kcm_op_common_state {
+ uint32_t op_ret;
+ struct kcm_op_ctx *op_ctx;
+ struct tevent_context *ev;
+};
+
+static errno_t kcm_op_common_recv(struct tevent_req *req,
+ uint32_t *_op_ret)
+{
+ struct kcm_op_common_state *state = tevent_req_data(req,
+ struct kcm_op_common_state);
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *_op_ret = state->op_ret;
+ return EOK;
+}
+
+/* () -> (name) */
+static void kcm_op_gen_new_done(struct tevent_req *subreq);
+
+static struct tevent_req *kcm_op_gen_new_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_op_ctx *op_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_op_common_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->op_ctx = op_ctx;
+
+ subreq = kcm_ccdb_nextid_send(state, ev,
+ op_ctx->kcm_data->db,
+ op_ctx->client);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_op_gen_new_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_op_gen_new_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ char *newid;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_common_state *state = tevent_req_data(req,
+ struct kcm_op_common_state);
+
+ ret = kcm_ccdb_nextid_recv(subreq, state, &newid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot generate a new ID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Generated a new ID %s\n", newid);
+
+ ret = sss_iobuf_write_stringz(state->op_ctx->reply, newid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot write generated ID %d: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->op_ret = EOK;
+ tevent_req_done(req);
+}
+
+/* (princ) -> () */
+struct kcm_op_initialize_state {
+ uint32_t op_ret;
+ struct kcm_op_ctx *op_ctx;
+ struct tevent_context *ev;
+
+ struct kcm_ccache *new_cc;
+ const char *name;
+ krb5_principal princ;
+};
+
+static void kcm_op_initialize_got_byname(struct tevent_req *subreq);
+static void kcm_op_initialize_cc_create_done(struct tevent_req *subreq);
+static void kcm_op_initialize_cc_delete_done(struct tevent_req *subreq);
+static void kcm_op_initialize_create_step(struct tevent_req *req);
+static void kcm_op_initialize_got_default(struct tevent_req *subreq);
+static void kcm_op_initialize_set_default_done(struct tevent_req *subreq);
+
+static struct tevent_req *kcm_op_initialize_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_op_ctx *op_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_op_initialize_state *state = NULL;
+ errno_t ret;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_op_initialize_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->op_ctx = op_ctx;
+ state->ev = ev;
+
+ ret = sss_iobuf_read_stringz(op_ctx->input, &state->name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot read input name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto immediate;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Initializing ccache %s\n", state->name);
+
+ ret = kcm_check_name(state->name, op_ctx->client);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Name %s is malformed [%d]: %s\n",
+ state->name, ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ ret = sss_krb5_unmarshal_princ(op_ctx, op_ctx->input, &state->princ);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot unmarshal principal [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ subreq = kcm_ccdb_getbyname_send(state, ev,
+ op_ctx->kcm_data->db,
+ op_ctx->client,
+ state->name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_op_initialize_got_byname, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_op_initialize_got_byname(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_initialize_state *state = tevent_req_data(req,
+ struct kcm_op_initialize_state);
+ bool ok;
+ uuid_t uuid;
+
+ ret = kcm_ccdb_getbyname_recv(subreq, state, &state->new_cc);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get ccache by name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (state->new_cc != NULL) {
+ ok = kcm_cc_access(state->new_cc, state->op_ctx->client);
+ if (!ok) {
+ state->op_ret = EACCES;
+ tevent_req_done(req);
+ return;
+ }
+
+ ret = kcm_cc_get_uuid(state->new_cc, uuid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get new ccache UUID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return;
+ }
+
+ /* Nuke any previous cache and its contents during initialization */
+ subreq = kcm_ccdb_delete_cc_send(state,
+ state->ev,
+ state->op_ctx->kcm_data->db,
+ state->op_ctx->client,
+ uuid);
+ if (subreq == NULL) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_op_initialize_cc_delete_done, req);
+ return;
+ }
+
+ kcm_op_initialize_create_step(req);
+}
+
+static void kcm_op_initialize_cc_delete_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ errno_t ret;
+
+ ret = kcm_ccdb_delete_cc_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete ccache from the db %d: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ kcm_op_initialize_create_step(req);
+}
+
+static void kcm_op_initialize_create_step(struct tevent_req *req)
+{
+ struct tevent_req *subreq;
+ struct kcm_op_initialize_state *state = tevent_req_data(req,
+ struct kcm_op_initialize_state);
+ errno_t ret;
+
+ ret = kcm_cc_new(state->op_ctx,
+ state->op_ctx->kcm_data->k5c,
+ state->op_ctx->client,
+ state->name,
+ state->princ,
+ &state->new_cc);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot create new ccache %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = kcm_ccdb_create_cc_send(state,
+ state->ev,
+ state->op_ctx->kcm_data->db,
+ state->op_ctx->client,
+ state->new_cc);
+ if (subreq == NULL) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_op_initialize_cc_create_done, req);
+}
+
+static void kcm_op_initialize_cc_create_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_initialize_state *state = tevent_req_data(req,
+ struct kcm_op_initialize_state);
+ errno_t ret;
+
+ ret = kcm_ccdb_create_cc_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot add ccache to db %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ /* If there was no previous default ccache, set this one as default */
+ subreq = kcm_ccdb_get_default_send(state, state->ev,
+ state->op_ctx->kcm_data->db,
+ state->op_ctx->client);
+ if (subreq == NULL) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_op_initialize_got_default, req);
+}
+
+static void kcm_op_initialize_got_default(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_initialize_state *state = tevent_req_data(req,
+ struct kcm_op_initialize_state);
+ errno_t ret;
+ uuid_t dfl_uuid;
+ uuid_t old_dfl_uuid;
+
+ ret = kcm_ccdb_get_default_recv(subreq, &old_dfl_uuid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get default ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ if (uuid_is_null(old_dfl_uuid) == false) {
+ /* If there was a previous default ccache, switch to the initialized
+ * one by default
+ */
+ ret = kcm_cc_get_uuid(state->new_cc, dfl_uuid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get new ccache UUID [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return;
+ }
+
+ subreq = kcm_ccdb_set_default_send(state,
+ state->ev,
+ state->op_ctx->kcm_data->db,
+ state->op_ctx->client,
+ dfl_uuid);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_op_initialize_set_default_done, req);
+ return;
+ }
+
+ /* ENOENT, done */
+ state->op_ret = EOK;
+ tevent_req_done(req);
+}
+
+static void kcm_op_initialize_set_default_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_initialize_state *state = tevent_req_data(req,
+ struct kcm_op_initialize_state);
+ errno_t ret;
+
+ ret = kcm_ccdb_set_default_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot set default ccache %d: %s\n", ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->op_ret = EOK;
+ tevent_req_done(req);
+}
+
+static errno_t kcm_op_initialize_recv(struct tevent_req *req,
+ uint32_t *_op_ret)
+{
+ KCM_OP_RET_FROM_TYPE(req, struct kcm_op_initialize_state, _op_ret);
+}
+
+/* (name) -> () */
+static void kcm_op_destroy_getbyname_done(struct tevent_req *subreq);
+static void kcm_op_destroy_delete_done(struct tevent_req *subreq);
+
+static struct tevent_req *kcm_op_destroy_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_op_ctx *op_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_op_common_state *state = NULL;
+ errno_t ret;
+ const char *name;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->op_ctx = op_ctx;
+ state->ev = ev;
+
+ ret = sss_iobuf_read_stringz(op_ctx->input, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot unmarshall input name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Destroying credentials of %s\n", name);
+
+ subreq = kcm_ccdb_uuid_by_name_send(state, ev,
+ op_ctx->kcm_data->db,
+ op_ctx->client,
+ name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_op_destroy_getbyname_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_op_destroy_getbyname_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_common_state *state = tevent_req_data(req,
+ struct kcm_op_common_state);
+ uuid_t uuid;
+
+ ret = kcm_ccdb_uuid_by_name_recv(subreq, state, uuid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get matching ccache [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = kcm_ccdb_delete_cc_send(state,
+ state->ev,
+ state->op_ctx->kcm_data->db,
+ state->op_ctx->client,
+ uuid);
+ if (subreq == NULL) {
+ tevent_req_error(req, ret);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_op_destroy_delete_done, req);
+}
+
+static void kcm_op_destroy_delete_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_common_state *state = tevent_req_data(req,
+ struct kcm_op_common_state);
+
+ ret = kcm_ccdb_delete_cc_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot delete ccache from the db [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->op_ret = EOK;
+ tevent_req_done(req);
+}
+
+/* (name, cred) -> () */
+struct kcm_op_store_state {
+ uint32_t op_ret;
+ struct kcm_op_ctx *op_ctx;
+ struct tevent_context *ev;
+
+ struct sss_iobuf *cred_blob;
+};
+
+static void kcm_op_store_getbyname_done(struct tevent_req *subreq);
+static void kcm_op_store_done(struct tevent_req *subreq);
+
+static struct tevent_req *kcm_op_store_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_op_ctx *op_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_op_store_state *state = NULL;
+ errno_t ret;
+ const char *name;
+ size_t creds_len;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_op_store_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->op_ctx = op_ctx;
+ state->ev = ev;
+
+ ret = sss_iobuf_read_stringz(op_ctx->input, &name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot unmarshall input name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Storing credentials for %s\n", name);
+
+ creds_len = sss_iobuf_get_size(op_ctx->input) - strlen(name) -1;
+ if (creds_len > KCM_REPLY_MAX) {
+ /* Protects against underflows and in general adds sanity */
+ ret = E2BIG;
+ goto immediate;
+ }
+
+ state->cred_blob = sss_iobuf_init_empty(state,
+ creds_len,
+ creds_len);
+ if (state->cred_blob == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ ret = sss_iobuf_read(op_ctx->input,
+ creds_len,
+ sss_iobuf_get_data(state->cred_blob),
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot unmarshall input cred blob [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto immediate;
+ }
+
+ subreq = kcm_ccdb_uuid_by_name_send(state, ev,
+ op_ctx->kcm_data->db,
+ op_ctx->client,
+ name);
+ if (subreq == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+ tevent_req_set_callback(subreq, kcm_op_store_getbyname_done, req);
+ return req;
+
+immediate:
+ tevent_req_error(req, ret);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void kcm_op_store_getbyname_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_store_state *state = tevent_req_data(req,
+ struct kcm_op_store_state);
+ uuid_t uuid;
+
+ ret = kcm_ccdb_uuid_by_name_recv(subreq, state, uuid);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot get ccache by name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ subreq = kcm_ccdb_store_cred_blob_send(state, state->ev,
+ state->op_ctx->kcm_data->db,
+ state->op_ctx->client,
+ uuid,
+ state->cred_blob);
+ if (subreq == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+ tevent_req_set_callback(subreq, kcm_op_store_done, req);
+}
+
+static void kcm_op_store_done(struct tevent_req *subreq)
+{
+ errno_t ret;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct kcm_op_store_state *state = tevent_req_data(req,
+ struct kcm_op_store_state);
+
+ ret = kcm_ccdb_store_cred_blob_recv(subreq);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot store credentials [%d]: %s\n",
+ ret, sss_strerror(ret));
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ state->op_ret = EOK;
+ tevent_req_done(req);
+}
+
+static errno_t kcm_op_store_recv(struct tevent_req *req,
+ uint32_t *_op_ret)
+{
+ KCM_OP_RET_FROM_TYPE(req, struct kcm_op_store_state, _op_ret);
+}
+
+/* (name) -> (princ) */
+static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq);
+
+static struct tevent_req *kcm_op_get_principal_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_op_ctx *op_ctx)
+{
+ struct tevent_req *req = NULL;
+ struct tevent_req *subreq = NULL;
+ struct kcm_op_common_state *state = NULL;
+ errno_t ret;
+ const char *name;
+
+ req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->op_ctx = op_ctx;
+
+ ret = sss_iobuf_read_stringz(op_ctx->input, &name);
+ if (ret != EOK) {
+ goto immediate;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Requested principal %s\n", name);
+
+ subreq = kcm_ccdb_getbyname_send(state, ev,
+ op_ctx->kcm_data->db,
+ op_ctx->client,
+ name);
+ if (subreq ==
NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_principal_getbyname_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_principal_getbyname_done(struct tevent_req *subreq) +{ + errno_t ret; + struct kcm_ccache *cc; + krb5_principal princ; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get ccache by name [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (cc == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n"); + state->op_ret = ERR_NO_MATCHING_CREDS; + tevent_req_done(req); + return; + } + + /* Marshall the principal to the reply */ + princ = kcm_cc_get_client_principal(cc); + if (princ == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Credentials with no principal?\n"); + tevent_req_error(req, EIO); + return; + } + + ret = sss_krb5_marshal_princ(princ, state->op_ctx->reply); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot marshall principal [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + state->op_ret = EOK; + tevent_req_done(req); +} + +/* (name) -> (uuid, ...) 
*/ +static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_get_cred_uuid_list_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_common_state *state = NULL; + errno_t ret; + const char *name; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + goto immediate; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Returning UUID list for %s\n", name); + + subreq = kcm_ccdb_getbyname_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client, + name); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_cred_uuid_getbyname_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_cred_uuid_getbyname_done(struct tevent_req *subreq) +{ + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; + uuid_t uuid; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get ccache by name [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (cc == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); + state->op_ret = ERR_NO_CREDS; + tevent_req_done(req); + return; + } + + for (crd = kcm_cc_get_cred(cc); + crd != NULL; + crd = kcm_cc_next_cred(crd)) { + ret = kcm_cred_get_uuid(crd, uuid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Credential has no UUID, skipping\n"); + continue; + } + + kcm_debug_uuid(uuid); 
+ + ret = sss_iobuf_write_len(state->op_ctx->reply, + uuid, UUID_BYTES); + if (ret != EOK) { + char uuid_errbuf[UUID_STR_SIZE]; + uuid_parse(uuid_errbuf, uuid); + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot marshall UUID %s [%d]: %s\n", + uuid_errbuf, ret, sss_strerror(ret)); + continue; + } + } + state->op_ret = EOK; + tevent_req_done(req); +} + +/* (name, uuid) -> (cred) */ +static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_get_cred_by_uuid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_common_state *state = NULL; + errno_t ret; + const char *name; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + goto immediate; + } + DEBUG(SSSDBG_TRACE_LIBS, "Returning creds by UUID for %s\n", name); + + subreq = kcm_ccdb_getbyname_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client, + name); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_cred_by_uuid_getbyname_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_cred_by_uuid_getbyname_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + errno_t ret; + struct kcm_ccache *cc; + struct kcm_cred *crd; + uuid_t uuid_in; + uuid_t uuid; + struct sss_iobuf *cred_blob; + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get ccache by name [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, 
ret); + return; + } + + if (cc == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that name\n"); + state->op_ret = ERR_NO_MATCHING_CREDS; + tevent_req_done(req); + return; + } + + ret = sss_iobuf_read_len(state->op_ctx->input, + UUID_BYTES, uuid_in); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read input UUID [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + for (crd = kcm_cc_get_cred(cc); + crd != NULL; + crd = kcm_cc_next_cred(crd)) { + ret = kcm_cred_get_uuid(crd, uuid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot get UUID from creds, skipping\n"); + continue; + } + + if (uuid_compare(uuid, uuid_in) == 0) { + break; + } + kcm_debug_uuid(uuid); + } + + if (crd == NULL) { + state->op_ret = ERR_KCM_CC_END; + DEBUG(SSSDBG_MINOR_FAILURE, "No credentials by that UUID\n"); + tevent_req_done(req); + return; + } + + cred_blob = kcm_cred_get_creds(crd); + if (cred_blob == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Credentials lack the creds blob\n"); + state->op_ret = ERR_NO_CREDS; + tevent_req_done(req); + return; + } + + ret = sss_iobuf_write_len(state->op_ctx->reply, + sss_iobuf_get_data(cred_blob), + sss_iobuf_get_size(cred_blob)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write ccache blob [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + state->op_ret = EOK; + tevent_req_done(req); +} + +/* (name, flags, credtag) -> () */ +/* FIXME */ +static struct tevent_req * +kcm_op_remove_cred_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct kcm_op_common_state *state = NULL; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + + state->op_ret = ERR_KCM_OP_NOT_IMPLEMENTED; + tevent_req_post(req, ev); + tevent_req_done(req); + return req; +} + +/* () -> (uuid, ...) 
*/ +static void kcm_op_get_cache_uuid_list_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_get_cache_uuid_list_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_common_state *state = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + + DEBUG(SSSDBG_TRACE_LIBS, "Returning full UUID list\n"); + + subreq = kcm_ccdb_list_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_cache_uuid_list_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_cache_uuid_list_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + errno_t ret; + uuid_t *uuid_list; + + ret = kcm_ccdb_list_recv(subreq, state, &uuid_list); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot list the ccache DB [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (uuid_list == NULL || uuid_list[0] == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Nothing to list\n"); + state->op_ret = ERR_NO_MATCHING_CREDS; + tevent_req_done(req); + return; + } + + for (int i = 0; + uuid_is_null(uuid_list[i]) == false; + i++) { + kcm_debug_uuid(uuid_list[i]); + + ret = sss_iobuf_write_len(state->op_ctx->reply, + uuid_list[i], + UUID_BYTES); + if (ret != EOK) { + char uuid_errbuf[UUID_STR_SIZE]; + uuid_parse(uuid_errbuf, uuid_list[i]); + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot marshall UUID %s [%d]: %s\n", + uuid_errbuf, ret, sss_strerror(ret)); + tevent_req_done(req); + 
return; + } + } + + tevent_req_done(req); +} + +/* (uuid) -> (name) */ +static void kcm_op_get_cache_by_uuid_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_get_cache_by_uuid_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_common_state *state = NULL; + errno_t ret; + uuid_t uuid_in; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + + DEBUG(SSSDBG_TRACE_LIBS, "Retrieving cache by UUID\n"); + + ret = sss_iobuf_read_len(op_ctx->input, + UUID_BYTES, uuid_in); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read input UUID [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + kcm_debug_uuid(uuid_in); + + subreq = kcm_ccdb_getbyuuid_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client, + uuid_in); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_cache_by_uuid_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_cache_by_uuid_done(struct tevent_req *subreq) +{ + errno_t ret; + struct kcm_ccache *cc; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + const char *name; + + ret = kcm_ccdb_getbyuuid_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get ccahe by UUID [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (cc == NULL) { + state->op_ret = ERR_KCM_CC_END; + tevent_req_done(req); + return; + } + + name = kcm_cc_get_name(cc); + DEBUG(SSSDBG_TRACE_INTERNAL, "Found %s by UUID\n", name); + + ret = sss_iobuf_write_stringz(state->op_ctx->reply, + name); + if 
(ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write output name [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + state->op_ret = EOK; + tevent_req_done(req); +} + +/* () -> (name) */ +struct kcm_op_get_default_ccache_state { + uint32_t op_ret; + struct kcm_op_ctx *op_ctx; + struct tevent_context *ev; + + const char *name; +}; + +static void kcm_op_get_get_default_done(struct tevent_req *subreq); +static void kcm_op_get_default_ccache_byuuid_done(struct tevent_req *subreq); +static void kcm_op_get_default_ccache_list_done(struct tevent_req *subreq); +static errno_t +kcm_op_get_default_ccache_reply_step(struct kcm_op_get_default_ccache_state *state); + +static struct tevent_req * +kcm_op_get_default_ccache_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_get_default_ccache_state *state = NULL; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct kcm_op_get_default_ccache_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + state->ev = ev; + + DEBUG(SSSDBG_TRACE_LIBS, "Getting client's default ccache\n"); + + subreq = kcm_ccdb_get_default_send(state, ev, + state->op_ctx->kcm_data->db, + state->op_ctx->client); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_get_default_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_get_default_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct kcm_op_get_default_ccache_state *state = tevent_req_data(req, + struct kcm_op_get_default_ccache_state); + errno_t ret; + uuid_t dfl_uuid; + + ret = kcm_ccdb_get_default_recv(subreq, &dfl_uuid); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + 
"Cannot get default ccache [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (uuid_is_null(dfl_uuid) == true) { + /* No cache marked as default -- get an existing ccache for ID + * and treat the default as simply the first one + */ + subreq = kcm_ccdb_list_send(state, state->ev, + state->op_ctx->kcm_data->db, + state->op_ctx->client); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, kcm_op_get_default_ccache_list_done, req); + return; + } + + /* Existing default */ + subreq = kcm_ccdb_name_by_uuid_send(state, + state->ev, + state->op_ctx->kcm_data->db, + state->op_ctx->client, + dfl_uuid); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, kcm_op_get_default_ccache_byuuid_done, req); + return; +} + +static void kcm_op_get_default_ccache_byuuid_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct kcm_op_get_default_ccache_state *state = tevent_req_data(req, + struct kcm_op_get_default_ccache_state); + errno_t ret; + + ret = kcm_ccdb_name_by_uuid_recv(subreq, state, &state->name); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get ccahe by UUID [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + ret = kcm_op_get_default_ccache_reply_step(state); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static void kcm_op_get_default_ccache_list_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, struct tevent_req); + struct kcm_op_get_default_ccache_state *state = tevent_req_data(req, + struct kcm_op_get_default_ccache_state); + errno_t ret; + uuid_t *uuid_list; + + ret = kcm_ccdb_list_recv(subreq, state, &uuid_list); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot 
list ccaches [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (uuid_list == NULL || uuid_is_null(uuid_list[0])) { + /* No cache at all, just send back a reply */ + ret = kcm_op_get_default_ccache_reply_step(state); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); + return; + } + + /* Otherwise resolve the first cache and use it as a default */ + subreq = kcm_ccdb_name_by_uuid_send(state, + state->ev, + state->op_ctx->kcm_data->db, + state->op_ctx->client, + uuid_list[0]); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, kcm_op_get_default_ccache_byuuid_done, req); + return; +} + +static errno_t +kcm_op_get_default_ccache_reply_step(struct kcm_op_get_default_ccache_state *state) +{ + errno_t ret; + + if (state->name == NULL) { + state->name = talloc_asprintf(state, + "%"SPRIuid, + cli_creds_get_uid(state->op_ctx->client)); + if (state->name == NULL) { + return ENOMEM; + } + } + DEBUG(SSSDBG_TRACE_INTERNAL, "The default ccache is %s\n", state->name); + + ret = sss_iobuf_write_stringz(state->op_ctx->reply, state->name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write output name [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +static errno_t kcm_op_get_default_ccache_recv(struct tevent_req *req, + uint32_t *_op_ret) +{ + KCM_OP_RET_FROM_TYPE(req, struct kcm_op_get_default_ccache_state, _op_ret); +} + +/* (name) -> () */ +static void kcm_op_set_default_ccache_getbyname_done(struct tevent_req *subreq); +static void kcm_op_set_default_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_set_default_ccache_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_common_state *state = NULL; + errno_t ret; + const char *name; + + req = tevent_req_create(mem_ctx, 
&state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + state->ev = ev; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot read input name [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + DEBUG(SSSDBG_TRACE_LIBS, "Setting default ccache %s\n", name); + + subreq = kcm_ccdb_uuid_by_name_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client, + name); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_set_default_ccache_getbyname_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_set_default_ccache_getbyname_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + uuid_t dfl_uuid; + + ret = kcm_ccdb_uuid_by_name_recv(subreq, state, dfl_uuid); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get ccache by name [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + subreq = kcm_ccdb_set_default_send(state, + state->ev, + state->op_ctx->kcm_data->db, + state->op_ctx->client, + dfl_uuid); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, kcm_op_set_default_done, req); + return; +} + +static void kcm_op_set_default_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + + ret = kcm_ccdb_set_default_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot set default ccache %d: %s\n", ret, sss_strerror(ret)); + 
tevent_req_error(req, ret); + return; + } + + state->op_ret = EOK; + tevent_req_done(req); +} + +/* (name) -> (offset) */ +static void kcm_op_get_kdc_offset_getbyname_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_get_kdc_offset_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_common_state *state = NULL; + errno_t ret; + const char *name; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_common_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read input name [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + DEBUG(SSSDBG_TRACE_LIBS, "Requested offset for principal %s\n", name); + + subreq = kcm_ccdb_getbyname_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client, + name); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_get_kdc_offset_getbyname_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_get_kdc_offset_getbyname_done(struct tevent_req *subreq) +{ + errno_t ret; + struct kcm_ccache *cc; + int32_t offset; + int32_t offset_be; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_common_state *state = tevent_req_data(req, + struct kcm_op_common_state); + + ret = kcm_ccdb_getbyname_recv(subreq, state, &cc); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get matching ccache [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (cc == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No matching credentials\n"); + state->op_ret = ERR_NO_MATCHING_CREDS; + tevent_req_done(req); + return; + } + + offset = 
kcm_cc_get_offset(cc); + DEBUG(SSSDBG_TRACE_LIBS, "KDC offset: %"PRIu32"\n", offset); + + offset_be = htobe32(offset); + ret = sss_iobuf_write_int32(state->op_ctx->reply, offset_be); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot write KDC offset [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + state->op_ret = EOK; + tevent_req_done(req); +} + +/* (name, offset) -> () */ +/* () -> (name) */ +struct kcm_op_set_kdc_offset_state { + uint32_t op_ret; + struct kcm_op_ctx *op_ctx; + struct tevent_context *ev; +}; + +static void kcm_op_set_kdc_offset_getbyname_done(struct tevent_req *subreq); +static void kcm_op_set_kdc_offset_mod_done(struct tevent_req *subreq); + +static struct tevent_req * +kcm_op_set_kdc_offset_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct kcm_op_ctx *op_ctx) +{ + struct tevent_req *req = NULL; + struct tevent_req *subreq = NULL; + struct kcm_op_set_kdc_offset_state *state = NULL; + errno_t ret; + const char *name; + + req = tevent_req_create(mem_ctx, &state, struct kcm_op_set_kdc_offset_state); + if (req == NULL) { + return NULL; + } + state->op_ctx = op_ctx; + state->ev = ev; + + ret = sss_iobuf_read_stringz(op_ctx->input, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read input name [%d]: %s\n", + ret, sss_strerror(ret)); + goto immediate; + } + DEBUG(SSSDBG_TRACE_LIBS, "Setting offset for principal %s\n", name); + + subreq = kcm_ccdb_uuid_by_name_send(state, ev, + op_ctx->kcm_data->db, + op_ctx->client, + name); + if (subreq == NULL) { + ret = ENOMEM; + goto immediate; + } + tevent_req_set_callback(subreq, kcm_op_set_kdc_offset_getbyname_done, req); + return req; + +immediate: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void kcm_op_set_kdc_offset_getbyname_done(struct tevent_req *subreq) +{ + errno_t ret; + struct kcm_mod_ctx *mod_ctx; + int32_t offset_be; + uuid_t uuid; + struct tevent_req *req = 
tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_set_kdc_offset_state *state = tevent_req_data(req, + struct kcm_op_set_kdc_offset_state); + + ret = kcm_ccdb_uuid_by_name_recv(subreq, state, uuid); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get matching ccache [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + ret = sss_iobuf_read_int32(state->op_ctx->input, &offset_be); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read KDC offset [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + mod_ctx = talloc(state, struct kcm_mod_ctx); + if (mod_ctx == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + + kcm_mod_ctx_clear(mod_ctx); + mod_ctx->kdc_offset = be32toh(offset_be); + + subreq = kcm_ccdb_mod_cc_send(state, + state->ev, + state->op_ctx->kcm_data->db, + state->op_ctx->client, + uuid, + mod_ctx); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, kcm_op_set_kdc_offset_mod_done, req); +} + +static void kcm_op_set_kdc_offset_mod_done(struct tevent_req *subreq) +{ + errno_t ret; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct kcm_op_set_kdc_offset_state *state = tevent_req_data(req, + struct kcm_op_set_kdc_offset_state); + + ret = kcm_ccdb_mod_cc_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot modify ccache [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + state->op_ret = EOK; + tevent_req_done(req); +} + +static errno_t kcm_op_set_kdc_offset_recv(struct tevent_req *req, + uint32_t *_op_ret) +{ + KCM_OP_RET_FROM_TYPE(req, struct kcm_op_set_kdc_offset_state, _op_ret); +} + +static struct kcm_op kcm_optable[] = { + { "NOOP", NULL, NULL }, + { "GET_NAME", NULL, NULL }, + { "RESOLVE", NULL, NULL }, + { "GEN_NEW", kcm_op_gen_new_send, NULL }, + { 
"INITIALIZE", kcm_op_initialize_send, kcm_op_initialize_recv }, + { "DESTROY", kcm_op_destroy_send, NULL }, + { "STORE", kcm_op_store_send, kcm_op_store_recv }, + { "RETRIEVE", NULL, NULL }, + { "GET_PRINCIPAL", kcm_op_get_principal_send, NULL }, + { "GET_CRED_UUID_LIST", kcm_op_get_cred_uuid_list_send, NULL }, + { "GET_CRED_BY_UUID", kcm_op_get_cred_by_uuid_send, NULL }, + { "REMOVE_CRED", kcm_op_remove_cred_send, NULL }, + { "SET_FLAGS", NULL, NULL }, + { "CHOWN", NULL, NULL }, + { "CHMOD", NULL, NULL }, + { "GET_INITIAL_TICKET", NULL, NULL }, + { "GET_TICKET", NULL, NULL }, + { "MOVE_CACHE", NULL, NULL }, + { "GET_CACHE_UUID_LIST", kcm_op_get_cache_uuid_list_send, NULL }, + { "GET_CACHE_BY_UUID", kcm_op_get_cache_by_uuid_send, NULL }, + { "GET_DEFAULT_CACHE", kcm_op_get_default_ccache_send, kcm_op_get_default_ccache_recv }, + { "SET_DEFAULT_CACHE", kcm_op_set_default_ccache_send, NULL }, + { "GET_KDC_OFFSET", kcm_op_get_kdc_offset_send, NULL }, + { "SET_KDC_OFFSET", kcm_op_set_kdc_offset_send, kcm_op_set_kdc_offset_recv }, + { "ADD_NTLM_CRED", NULL, NULL }, + { "HAVE_NTLM_CRED", NULL, NULL }, + { "DEL_NTLM_CRED", NULL, NULL }, + { "DO_NTLM_AUTH", NULL, NULL }, + { "GET_NTLM_USER_LIST", NULL, NULL }, + + { NULL, NULL, NULL } +}; + +struct kcm_op *kcm_get_opt(uint16_t opcode) +{ + struct kcm_op *op; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "The client requested operation %"PRIu16"\n", opcode); + + if (opcode >= KCM_OP_SENTINEL) { + return NULL; + } + + op = &kcm_optable[opcode]; + if (op->fn_recv == NULL) { + op->fn_recv = kcm_op_common_recv; + } + return op; +} + +const char *kcm_opt_name(struct kcm_op *op) +{ + if (op == NULL || op->name == NULL) { + return "Unknown operation"; + } + + return op->name; +} diff --git a/src/responder/kcm/kcmsrv_ops.h b/src/responder/kcm/kcmsrv_ops.h new file mode 100644 index 0000000..67d9f86 --- /dev/null +++ b/src/responder/kcm/kcmsrv_ops.h 
@@ -0,0 +1,46 @@
+/*
+ SSSD
+
+ KCM Server - private header file
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __KCMSRV_OPS_H__
+#define __KCMSRV_OPS_H__
+
+#include "config.h"
+
+#include
+#include "util/sss_iobuf.h"
+#include "responder/kcm/kcmsrv_pvt.h"
+
+struct kcm_op;
+struct kcm_op *kcm_get_opt(uint16_t opcode);
+const char *kcm_opt_name(struct kcm_op *op);
+
+struct tevent_req *kcm_cmd_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ops_queue_ctx *qctx,
+ struct kcm_resp_ctx *kcm_data,
+ struct cli_creds *client,
+ struct kcm_data *input,
+ struct kcm_op *op);
+errno_t kcm_cmd_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sss_iobuf **_reply);
+
+#endif /* __KCMSRV_OPS_H__ */
diff --git a/src/responder/kcm/kcmsrv_pvt.h b/src/responder/kcm/kcmsrv_pvt.h
new file mode 100644
index 0000000..f081a6b
--- /dev/null
+++ b/src/responder/kcm/kcmsrv_pvt.h
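Review bot: The prototype `struct kcm_op *kcm_get_opt(uint16_t opcode);` in kcmsrv_ops.h states no contract, although the opcode comes from the client and a caller has two distinct outcomes to handle. In the kcmsrv_ops.c definition added by this same commit, an opcode at or above KCM_OP_SENTINEL yields NULL, while table rows such as "NOOP" and "RETRIEVE" are returned with a NULL send handler, so a caller that tests only the returned pointer would presumably dispatch through NULL (the caller is not visible here). I would add above the prototype: `/* Returns NULL when opcode is out of range; a non-NULL entry may still lack a send handler (operation not implemented), so check it before dispatching. */`. The banner text "KCM Server - private header file" is identical to the one in kcmsrv_pvt.h and looks copied; it should describe the operations interface instead.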
@@ -0,0 +1,101 @@
+/*
+ SSSD
+
+ KCM Server - private header file
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __KCMSRV_PVT_H__
+#define __KCMSRV_PVT_H__
+
+#include "config.h"
+
+#include
+#include
+#include "responder/common/responder.h"
+
+/*
+ * KCM IO structure
+ *
+ * In theory we cold use sss_iobuf there, but since iobuf was
+ * made opaque, this allows it to allocate the structures on
+ * the stack in one go.
+ * */
+struct kcm_data {
+ uint8_t *data;
+ size_t length;
+};
+
+/*
+ * To avoid leaking the sssd-specific responder data to other
+ * modules, the ccache databases and other KCM specific data
+ * are kept separately
+ */
+struct kcm_resp_ctx {
+ krb5_context k5c;
+ struct kcm_ccdb *db;
+};
+
+/* Supported ccache back ends */
+enum kcm_ccdb_be {
+ CCDB_BE_MEMORY,
+ CCDB_BE_SECRETS,
+};
+
+/*
+ * responder context that contains both the responder data,
+ * like the ccaches and the sssd-specific stuff like the
+ * generic responder ctx
+ */
+struct kcm_ctx {
+ struct resp_ctx *rctx;
+ int fd_limit;
+ char *socket_path;
+ enum kcm_ccdb_be cc_be;
+ struct kcm_ops_queue_ctx *qctx;
+
+ struct kcm_resp_ctx *kcm_data;
+};
+
+int kcm_connection_setup(struct cli_ctx *cctx);
+
+/*
+ * Internally in SSSD-KCM we use SSSD-internal error codes so that we
+ * can always the same sss_strerror() functions to format the errors
+ * nicely, but the client expects libkrb5 error codes.
+ */
+krb5_error_code sss2krb5_error(errno_t err);
+
+/* We enqueue all requests by the same UID to avoid concurrency issues
+ * especially when performing multiple round-trips to sssd-secrets. In
+ * future, we should relax the queue to allow multiple read-only operations
+ * if no write operations are in progress.
+ */
+struct kcm_ops_queue_entry;
+
+struct kcm_ops_queue_ctx *kcm_ops_queue_create(TALLOC_CTX *mem_ctx);
+
+struct tevent_req *kcm_op_queue_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ops_queue_ctx *qctx,
+ struct cli_creds *client);
+
+errno_t kcm_op_queue_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct kcm_ops_queue_entry **_entry);
+
+#endif /* __KCMSRV_PVT_H__ */
diff --git a/src/responder/nss/nss_cmd.c b/src/responder/nss/nss_cmd.c
new file mode 100644
index 0000000..9ee6ca8
--- /dev/null
+++ b/src/responder/nss/nss_cmd.c
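Review bot: The comment on `struct kcm_data` in kcmsrv_pvt.h explains why sss_iobuf is not used, but omits what a reader of a pointer-plus-length pair needs: who owns `data`, and that `length` is the only bound on it. kcm_cmd_send() in kcmsrv_ops.h takes a `struct kcm_data *input` next to the client credentials, so this appears to carry the client's request bytes; that should be confirmed against the caller, which is not in this hunk. Assuming the caller keeps ownership, I would extend the comment with `/* data is not NUL-terminated; length is the number of valid bytes and the only bound for reads. The buffer stays owned by the caller. */`. Two wording slips in the same file are worth fixing while there: "we cold use" should read "we could use", and "can always the same sss_strerror() functions" is missing the verb "use".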
@@ -0,0 +1,1285 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "util/sss_ptr_hash.h" +#include "db/sysdb.h" +#include "responder/nss/nss_private.h" +#include "responder/nss/nss_protocol.h" + +static struct nss_cmd_ctx * +nss_cmd_ctx_create(TALLOC_CTX *mem_ctx, + struct cli_ctx *cli_ctx, + enum cache_req_type type, + nss_protocol_fill_packet_fn fill_fn) +{ + struct nss_cmd_ctx *cmd_ctx; + + cmd_ctx = talloc_zero(mem_ctx, struct nss_cmd_ctx); + if (cmd_ctx == NULL) { + return NULL; + } + + cmd_ctx->cli_ctx = cli_ctx; + cmd_ctx->nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + cmd_ctx->state_ctx = talloc_get_type(cli_ctx->state_ctx, + struct nss_state_ctx); + cmd_ctx->type = type; + cmd_ctx->fill_fn = fill_fn; + + return cmd_ctx; +} + +static errno_t eval_flags(struct nss_cmd_ctx *cmd_ctx, + struct cache_req_data *data) +{ + if ((cmd_ctx->flags & SSS_NSS_EX_FLAG_NO_CACHE) != 0 + && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Flags SSS_NSS_EX_FLAG_NO_CACHE and " + "SSS_NSS_EX_FLAG_INVALIDATE_CACHE are " + "mutually exclusive.\n"); + return EINVAL; + } + + if ((cmd_ctx->flags & SSS_NSS_EX_FLAG_NO_CACHE) != 0) { + cache_req_data_set_bypass_cache(data, true); + } else if ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) != 0) { + 
cache_req_data_set_bypass_dp(data, true); + } + + return EOK; +} + +static void nss_getby_done(struct tevent_req *subreq); +static void nss_getlistby_done(struct tevent_req *subreq); + +static errno_t nss_getby_name(struct cli_ctx *cli_ctx, + bool ex_version, + enum cache_req_type type, + const char **attrs, + enum sss_mc_type memcache, + nss_protocol_fill_packet_fn fill_fn) +{ + struct cache_req_data *data; + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + const char *rawname; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cmd_ctx->flags = 0; + if (ex_version) { + ret = nss_protocol_parse_name_ex(cli_ctx, &rawname, &cmd_ctx->flags); + } else { + ret = nss_protocol_parse_name(cli_ctx, &rawname); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Input name: %s\n", rawname); + + data = cache_req_data_name_attrs(cmd_ctx, type, rawname, attrs); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n"); + ret = ENOMEM; + goto done; + } + + ret = eval_flags(cmd_ctx, data); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "eval_flags failed.\n"); + goto done; + } + + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, memcache, rawname, 0); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_getby_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static errno_t nss_getby_id(struct cli_ctx *cli_ctx, + bool ex_version, + enum cache_req_type type, + const char **attrs, + enum sss_mc_type memcache, + nss_protocol_fill_packet_fn fill_fn) +{ + struct cache_req_data *data; + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + 
uint32_t id; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + if (ex_version) { + ret = nss_protocol_parse_id_ex(cli_ctx, &id, &cmd_ctx->flags); + } else { + ret = nss_protocol_parse_id(cli_ctx, &id); + } + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Input ID: %u\n", id); + + data = cache_req_data_id_attrs(cmd_ctx, type, id, attrs); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n"); + ret = ENOMEM; + goto done; + } + + ret = eval_flags(cmd_ctx, data); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "eval_flags failed.\n"); + goto done; + } + + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, memcache, NULL, id); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_getby_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static errno_t nss_getby_svc(struct cli_ctx *cli_ctx, + enum cache_req_type type, + const char *protocol, + const char *name, + uint16_t port, + nss_protocol_fill_packet_fn fill_fn) +{ + struct cache_req_data *data; + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cmd_ctx->svc_protocol = protocol; + + data = cache_req_data_svc(cmd_ctx, type, name, protocol, port); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Input name: %s, protocol: %s, port: %u\n", + (name == NULL ? "" : name), + (protocol == NULL ? 
"" : protocol), + port); + + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, SSS_MC_NONE, NULL, 0); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return ENOMEM; + } + + tevent_req_set_callback(subreq, nss_getby_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static errno_t nss_getlistby_cert(struct cli_ctx *cli_ctx, + enum cache_req_type type) +{ + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + const char *cert; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, NULL); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cmd_ctx->sid_id_type = SSS_ID_TYPE_UID; + + ret = nss_protocol_parse_cert(cli_ctx, &cert); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Input cert: %s\n", get_last_x_chars(cert, 10)); + + subreq = cache_req_user_by_cert_send(cmd_ctx, cli_ctx->ev, cli_ctx->rctx, + cli_ctx->rctx->ncache, 0, + CACHE_REQ_ANY_DOM, NULL, + cert); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, nss_getlistby_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static void nss_getlistby_done(struct tevent_req *subreq) +{ + struct cache_req_result **results; + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; + struct cli_protocol *pctx; + + cmd_ctx = tevent_req_callback_data(subreq, struct nss_cmd_ctx); + + ret = cache_req_recv(cmd_ctx, subreq, &results); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert request failed.\n"); + goto done; + } + + pctx = talloc_get_type(cmd_ctx->cli_ctx->protocol_ctx, struct cli_protocol); + + ret = 
sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + goto done; + } + + ret = nss_protocol_fill_name_list_all_domains(cmd_ctx->nss_ctx, cmd_ctx, + pctx->creq->out, results); + if (ret != EOK) { + goto done; + } + + sss_packet_set_error(pctx->creq->out, EOK); + +done: + nss_protocol_done(cmd_ctx->cli_ctx, ret); + talloc_free(cmd_ctx); +} + +static errno_t nss_getby_cert(struct cli_ctx *cli_ctx, + enum cache_req_type type, + nss_protocol_fill_packet_fn fill_fn) +{ + struct cache_req_data *data; + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + const char *cert; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cmd_ctx->sid_id_type = SSS_ID_TYPE_UID; + + ret = nss_protocol_parse_cert(cli_ctx, &cert); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + data = cache_req_data_cert(cmd_ctx, type, cert); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Input cert: %s\n", get_last_x_chars(cert, 10)); + + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, SSS_MC_NONE, NULL, 0); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_getby_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static errno_t nss_getby_sid(struct cli_ctx *cli_ctx, + enum cache_req_type type, + nss_protocol_fill_packet_fn fill_fn) +{ + struct cache_req_data *data; + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + const char *sid; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + 
goto done; + } + + /* It will be detected when constructing output packet. */ + cmd_ctx->sid_id_type = SSS_ID_TYPE_NOT_SPECIFIED; + + ret = nss_protocol_parse_sid(cli_ctx, &sid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Input SID: %s\n", sid); + + data = cache_req_data_sid(cmd_ctx, type, sid, NULL); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n"); + ret = ENOMEM; + goto done; + } + + subreq = nss_get_object_send(cmd_ctx, cli_ctx->ev, cli_ctx, + data, SSS_MC_NONE, NULL, 0); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_getby_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static errno_t invalidate_cache(struct nss_cmd_ctx *cmd_ctx, + struct cache_req_result *result) +{ + int ret; + enum sss_mc_type memcache_type; + const char *name; + char *output_name = NULL; + bool is_user; + struct sysdb_attrs *attrs = NULL; + + switch (cmd_ctx->type) { + case CACHE_REQ_INITGROUPS: + case CACHE_REQ_INITGROUPS_BY_UPN: + memcache_type = SSS_MC_INITGROUPS; + is_user = true; + break; + case CACHE_REQ_USER_BY_NAME: + case CACHE_REQ_USER_BY_ID: + memcache_type = SSS_MC_PASSWD; + is_user = true; + break; + case CACHE_REQ_GROUP_BY_NAME: + case CACHE_REQ_GROUP_BY_ID: + memcache_type = SSS_MC_GROUP; + is_user = false; + break; + default: + /* nothing to do */ + return EOK; + } + + /* Find output name to invalidate memory cache entry*/ + name = sss_get_name_from_msg(result->domain, result->msgs[0]); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Found object has no name.\n"); + return EINVAL; + } + ret = sss_output_fqname(cmd_ctx, result->domain, name, + cmd_ctx->nss_ctx->rctx->override_space, + &output_name); + if (ret != EOK) { + 
DEBUG(SSSDBG_OP_FAILURE, "sss_output_fqname failed.\n"); + return ret; + } + + memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, NULL, + output_name, 0, memcache_type); + if (memcache_type == SSS_MC_INITGROUPS) { + /* Invalidate the passwd data as well */ + memcache_delete_entry(cmd_ctx->nss_ctx, cmd_ctx->nss_ctx->rctx, + result->domain, output_name, 0, SSS_MC_PASSWD); + } + talloc_free(output_name); + + /* Use sysdb name to invalidate disk cache entry */ + name = ldb_msg_find_attr_as_string(result->msgs[0], SYSDB_NAME, NULL); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Found object has no name.\n"); + return EINVAL; + } + + if (memcache_type == SSS_MC_INITGROUPS) { + attrs = sysdb_new_attrs(cmd_ctx); + if (attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + return ENOMEM; + } + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, 1); + if (ret != EOK) { + talloc_free(attrs); + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_time_t failed.\n"); + return ret; + } + + ret = sysdb_set_user_attr(result->domain, name, attrs, SYSDB_MOD_REP); + talloc_free(attrs); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_user_attr failed.\n"); + return ret; + } + } + + ret = sysdb_invalidate_cache_entry(result->domain, name, is_user); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_invalidate_cache_entry failed.\n"); + return ret; + } + + return EOK; +} + +static void nss_getby_done(struct tevent_req *subreq) +{ + struct cache_req_result *result; + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(subreq, struct nss_cmd_ctx); + + ret = nss_get_object_recv(cmd_ctx, subreq, &result, &cmd_ctx->rawname); + talloc_zfree(subreq); + if (ret != EOK) { + nss_protocol_done(cmd_ctx->cli_ctx, ret); + goto done; + } + + if ((cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) != 0) { + ret = invalidate_cache(cmd_ctx, result); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to invalidate cache 
for [%s].\n", + cmd_ctx->rawname); + nss_protocol_done(cmd_ctx->cli_ctx, ret); + goto done; + } + } + + nss_protocol_reply(cmd_ctx->cli_ctx, cmd_ctx->nss_ctx, cmd_ctx, + result, cmd_ctx->fill_fn); + +done: + talloc_free(cmd_ctx); +} + +static void nss_setent_done(struct tevent_req *subreq); + +static errno_t nss_setent(struct cli_ctx *cli_ctx, + enum cache_req_type type, + struct nss_enum_ctx *enum_ctx) +{ + struct tevent_req *subreq; + + subreq = nss_setent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, enum_ctx); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return ENOMEM; + } + + tevent_req_set_callback(subreq, nss_setent_done, cli_ctx); + + return EOK; +} + +static void nss_setent_done(struct tevent_req *subreq) +{ + struct cli_ctx *cli_ctx; + errno_t ret; + + cli_ctx = tevent_req_callback_data(subreq, struct cli_ctx); + + ret = nss_setent_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK && ret != ENOENT) { + nss_protocol_done(cli_ctx, ret); + return; + } + + /* Both EOK and ENOENT means that setent was successful. 
*/ + nss_protocol_done(cli_ctx, EOK); +} + +static void nss_getent_done(struct tevent_req *subreq); + +static errno_t nss_getent(struct cli_ctx *cli_ctx, + enum cache_req_type type, + struct nss_enum_index *idx, + nss_protocol_fill_packet_fn fill_fn, + struct nss_enum_ctx *enum_ctx) +{ + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = nss_protocol_parse_limit(cli_ctx, &cmd_ctx->enum_limit); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + cmd_ctx->enumeration = true; + cmd_ctx->enum_ctx = enum_ctx; + cmd_ctx->enum_index = idx; + + subreq = nss_setent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, enum_ctx); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create setent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_getent_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return ret; +} + +static struct cache_req_result * +nss_getent_get_result(struct nss_enum_ctx *enum_ctx, + struct nss_enum_index *idx) +{ + struct cache_req_result *result; + + if (enum_ctx->result == NULL) { + /* Nothing was found. */ + return NULL; + } + + result = enum_ctx->result[idx->domain]; + + if (result != NULL && idx->result >= result->count) { + /* Switch to next domain. 
*/ + idx->result = 0; + idx->domain++; + + result = enum_ctx->result[idx->domain]; + } + + return result; +} + +static void nss_getent_done(struct tevent_req *subreq) +{ + struct cache_req_result *limited; + struct cache_req_result *result; + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(subreq, struct nss_cmd_ctx); + + ret = nss_setent_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + result = nss_getent_get_result(cmd_ctx->enum_ctx, cmd_ctx->enum_index); + if (result == NULL) { + /* No more records to return. */ + ret = ENOENT; + goto done; + } + + /* Create copy of the result with limited number of records. */ + limited = cache_req_copy_limited_result(cmd_ctx, result, + cmd_ctx->enum_index->result, + cmd_ctx->enum_limit); + if (limited == NULL) { + ret = ERR_INTERNAL; + goto done; + } + + cmd_ctx->enum_index->result += result->count; + + /* Reply with limited result. */ + nss_protocol_reply(cmd_ctx->cli_ctx, cmd_ctx->nss_ctx, cmd_ctx, + result, cmd_ctx->fill_fn); + + ret = EOK; + +done: + if (ret != EOK) { + nss_protocol_done(cmd_ctx->cli_ctx, ret); + } + + talloc_free(cmd_ctx); +} + +static void nss_setnetgrent_done(struct tevent_req *subreq); + +static errno_t nss_setnetgrent(struct cli_ctx *cli_ctx, + enum cache_req_type type, + nss_protocol_fill_packet_fn fill_fn) +{ + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + const char *netgroup; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + nss_ctx = cmd_ctx->nss_ctx; + state_ctx = cmd_ctx->state_ctx; + + ret = nss_protocol_parse_name(cli_ctx, &netgroup); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + state_ctx->netgrent.domain = 0; + state_ctx->netgrent.result = 0; + + talloc_zfree(state_ctx->netgroup); + state_ctx->netgroup = 
talloc_strdup(state_ctx, netgroup); + if (state_ctx->netgroup == NULL) { + ret = ENOMEM; + goto done; + } + + subreq = nss_setnetgrent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, + nss_ctx->netgrent, state_ctx->netgroup); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_setnetgrent_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static void nss_setnetgrent_done(struct tevent_req *subreq) +{ + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(subreq, struct nss_cmd_ctx); + + ret = nss_setnetgrent_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + nss_protocol_done(cmd_ctx->cli_ctx, ret); + goto done; + } + + nss_protocol_reply(cmd_ctx->cli_ctx, cmd_ctx->nss_ctx, cmd_ctx, + NULL, cmd_ctx->fill_fn); + +done: + talloc_free(cmd_ctx); +} + +static void nss_getnetgrent_done(struct tevent_req *subreq); + +static errno_t nss_getnetgrent(struct cli_ctx *cli_ctx, + enum cache_req_type type, + nss_protocol_fill_packet_fn fill_fn) +{ + struct nss_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + errno_t ret; + + cmd_ctx = nss_cmd_ctx_create(cli_ctx, cli_ctx, type, fill_fn); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + if (cmd_ctx->state_ctx->netgroup == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "State does not contain netgroup name!\n"); + ret = EINVAL; + goto done; + } + + ret = nss_protocol_parse_limit(cli_ctx, &cmd_ctx->enum_limit); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + cmd_ctx->enumeration = true; + cmd_ctx->enum_ctx = NULL; /* We will determine it later. 
*/ + cmd_ctx->enum_index = &cmd_ctx->state_ctx->netgrent; + + subreq = nss_setnetgrent_send(cli_ctx, cli_ctx->ev, cli_ctx, type, + cmd_ctx->nss_ctx->netgrent, + cmd_ctx->state_ctx->netgroup); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return ENOMEM; + } + + tevent_req_set_callback(subreq, nss_getnetgrent_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return nss_protocol_done(cli_ctx, ret); + } + + return EOK; +} + +static void nss_getnetgrent_done(struct tevent_req *subreq) +{ + struct nss_enum_ctx *enum_ctx; + struct nss_cmd_ctx *cmd_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(subreq, struct nss_cmd_ctx); + + ret = nss_setent_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + enum_ctx = sss_ptr_hash_lookup(cmd_ctx->nss_ctx->netgrent, + cmd_ctx->state_ctx->netgroup, + struct nss_enum_ctx); + if (enum_ctx == NULL) { + ret = ENOENT; + goto done; + } + + cmd_ctx->enum_ctx = enum_ctx; + + /* Reply with result. 
*/ + nss_protocol_reply(cmd_ctx->cli_ctx, cmd_ctx->nss_ctx, cmd_ctx, + NULL, cmd_ctx->fill_fn); + + ret = EOK; + +done: + if (ret != EOK) { + nss_protocol_done(cmd_ctx->cli_ctx, ret); + } + + talloc_free(cmd_ctx); +} + +static errno_t nss_endent(struct cli_ctx *cli_ctx, + struct nss_enum_index *idx) +{ + DEBUG(SSSDBG_CONF_SETTINGS, "Resetting enumeration state\n"); + + idx->domain = 0; + idx->result = 0; + + nss_protocol_done(cli_ctx, EOK); + + return EOK; +} + +static errno_t nss_cmd_getpwnam(struct cli_ctx *cli_ctx) +{ + return nss_getby_name(cli_ctx, false, CACHE_REQ_USER_BY_NAME, NULL, + SSS_MC_PASSWD, nss_protocol_fill_pwent); +} + +static errno_t nss_cmd_getpwuid(struct cli_ctx *cli_ctx) +{ + return nss_getby_id(cli_ctx, false, CACHE_REQ_USER_BY_ID, NULL, + SSS_MC_PASSWD, nss_protocol_fill_pwent); +} + +static errno_t nss_cmd_getpwnam_ex(struct cli_ctx *cli_ctx) +{ + return nss_getby_name(cli_ctx, true, CACHE_REQ_USER_BY_NAME, NULL, + SSS_MC_PASSWD, nss_protocol_fill_pwent); +} + +static errno_t nss_cmd_getpwuid_ex(struct cli_ctx *cli_ctx) +{ + return nss_getby_id(cli_ctx, true, CACHE_REQ_USER_BY_ID, NULL, + SSS_MC_PASSWD, nss_protocol_fill_pwent); +} + +static errno_t nss_cmd_setpwent(struct cli_ctx *cli_ctx) +{ + struct nss_ctx *nss_ctx; + + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + + return nss_setent(cli_ctx, CACHE_REQ_ENUM_USERS, &nss_ctx->pwent); +} + +static errno_t nss_cmd_getpwent(struct cli_ctx *cli_ctx) +{ + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + + return nss_getent(cli_ctx, CACHE_REQ_ENUM_USERS, + &state_ctx->pwent, nss_protocol_fill_pwent, + &nss_ctx->pwent); +} + +static errno_t nss_cmd_endpwent(struct cli_ctx *cli_ctx) +{ + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + + return 
nss_endent(cli_ctx, &state_ctx->pwent); +} + +static errno_t nss_cmd_getgrnam(struct cli_ctx *cli_ctx) +{ + return nss_getby_name(cli_ctx, false, CACHE_REQ_GROUP_BY_NAME, NULL, + SSS_MC_GROUP, nss_protocol_fill_grent); +} + +static errno_t nss_cmd_getgrgid(struct cli_ctx *cli_ctx) +{ + return nss_getby_id(cli_ctx, false, CACHE_REQ_GROUP_BY_ID, NULL, + SSS_MC_GROUP, nss_protocol_fill_grent); +} + +static errno_t nss_cmd_getgrnam_ex(struct cli_ctx *cli_ctx) +{ + return nss_getby_name(cli_ctx, true, CACHE_REQ_GROUP_BY_NAME, NULL, + SSS_MC_GROUP, nss_protocol_fill_grent); +} + +static errno_t nss_cmd_getgrgid_ex(struct cli_ctx *cli_ctx) +{ + return nss_getby_id(cli_ctx, true, CACHE_REQ_GROUP_BY_ID, NULL, + SSS_MC_GROUP, nss_protocol_fill_grent); +} + + +static errno_t nss_cmd_setgrent(struct cli_ctx *cli_ctx) +{ + struct nss_ctx *nss_ctx; + + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + + return nss_setent(cli_ctx, CACHE_REQ_ENUM_GROUPS, &nss_ctx->grent); +} + +static errno_t nss_cmd_getgrent(struct cli_ctx *cli_ctx) +{ + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + + return nss_getent(cli_ctx, CACHE_REQ_ENUM_GROUPS, + &state_ctx->grent, nss_protocol_fill_grent, + &nss_ctx->grent); +} + +static errno_t nss_cmd_endgrent(struct cli_ctx *cli_ctx) +{ + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + + return nss_endent(cli_ctx, &state_ctx->grent); +} + +static errno_t nss_cmd_initgroups(struct cli_ctx *cli_ctx) +{ + return nss_getby_name(cli_ctx, false, CACHE_REQ_INITGROUPS, NULL, + SSS_MC_INITGROUPS, nss_protocol_fill_initgr); +} + +static errno_t nss_cmd_initgroups_ex(struct cli_ctx *cli_ctx) +{ + return nss_getby_name(cli_ctx, true, CACHE_REQ_INITGROUPS, NULL, + SSS_MC_INITGROUPS, nss_protocol_fill_initgr); +} + +static errno_t 
nss_cmd_setnetgrent(struct cli_ctx *cli_ctx) +{ + return nss_setnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, + nss_protocol_fill_setnetgrent); +} + +static errno_t nss_cmd_getnetgrent(struct cli_ctx *cli_ctx) +{ + return nss_getnetgrent(cli_ctx, CACHE_REQ_NETGROUP_BY_NAME, + nss_protocol_fill_netgrent); +} + +static errno_t nss_cmd_endnetgrent(struct cli_ctx *cli_ctx) +{ + struct nss_state_ctx *state_ctx; + + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + talloc_zfree(state_ctx->netgroup); + + return nss_endent(cli_ctx, &state_ctx->netgrent); +} + +static errno_t nss_cmd_getservbyname(struct cli_ctx *cli_ctx) +{ + const char *name; + const char *protocol; + errno_t ret; + + ret = nss_protocol_parse_svc_name(cli_ctx, &name, &protocol); + if (ret != EOK) { + return ret; + } + + return nss_getby_svc(cli_ctx, CACHE_REQ_SVC_BY_NAME, protocol, name, 0, + nss_protocol_fill_svcent); +} + +static errno_t nss_cmd_getservbyport(struct cli_ctx *cli_ctx) +{ + const char *protocol; + uint16_t port; + errno_t ret; + + ret = nss_protocol_parse_svc_port(cli_ctx, &port, &protocol); + if (ret != EOK) { + return ret; + } + + return nss_getby_svc(cli_ctx, CACHE_REQ_SVC_BY_PORT, protocol, NULL, port, + nss_protocol_fill_svcent); +} + +static errno_t nss_cmd_setservent(struct cli_ctx *cli_ctx) +{ + struct nss_ctx *nss_ctx; + + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + + return nss_setent(cli_ctx, CACHE_REQ_ENUM_SVC, &nss_ctx->svcent); +} + +static errno_t nss_cmd_getservent(struct cli_ctx *cli_ctx) +{ + struct nss_ctx *nss_ctx; + struct nss_state_ctx *state_ctx; + + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + + return nss_getent(cli_ctx, CACHE_REQ_ENUM_SVC, + &state_ctx->svcent, nss_protocol_fill_svcent, + &nss_ctx->svcent); +} + +static errno_t nss_cmd_endservent(struct cli_ctx *cli_ctx) +{ + struct nss_state_ctx *state_ctx; + + 
state_ctx = talloc_get_type(cli_ctx->state_ctx, struct nss_state_ctx); + + return nss_endent(cli_ctx, &state_ctx->grent); +} + +static errno_t nss_cmd_getsidbyname(struct cli_ctx *cli_ctx) +{ + const char *attrs[] = { SYSDB_SID_STR, NULL }; + + return nss_getby_name(cli_ctx, false, CACHE_REQ_OBJECT_BY_NAME, attrs, + SSS_MC_NONE, nss_protocol_fill_sid); +} + +static errno_t nss_cmd_getsidbyid(struct cli_ctx *cli_ctx) +{ + const char *attrs[] = { SYSDB_SID_STR, NULL }; + + return nss_getby_id(cli_ctx, false, CACHE_REQ_OBJECT_BY_ID, attrs, + SSS_MC_NONE, nss_protocol_fill_sid); +} + +static errno_t nss_cmd_getsidbyuid(struct cli_ctx *cli_ctx) +{ + const char *attrs[] = { SYSDB_SID_STR, NULL }; + + return nss_getby_id(cli_ctx, false, CACHE_REQ_USER_BY_ID, attrs, + SSS_MC_NONE, nss_protocol_fill_sid); +} + +static errno_t nss_cmd_getsidbygid(struct cli_ctx *cli_ctx) +{ + const char *attrs[] = { SYSDB_SID_STR, NULL }; + + return nss_getby_id(cli_ctx, false, CACHE_REQ_GROUP_BY_ID, attrs, + SSS_MC_NONE, nss_protocol_fill_sid); +} + +static errno_t nss_cmd_getnamebysid(struct cli_ctx *cli_ctx) +{ + return nss_getby_sid(cli_ctx, CACHE_REQ_OBJECT_BY_SID, + nss_protocol_fill_name); +} + +static errno_t nss_cmd_getidbysid(struct cli_ctx *cli_ctx) +{ + return nss_getby_sid(cli_ctx, CACHE_REQ_OBJECT_BY_SID, + nss_protocol_fill_id); +} + +static errno_t nss_cmd_getorigbyname(struct cli_ctx *cli_ctx) +{ + errno_t ret; + struct nss_ctx *nss_ctx; + const char **attrs; + static const char *defattrs[] = { SYSDB_NAME, SYSDB_OBJECTCATEGORY, + SYSDB_SID_STR, + ORIGINALAD_PREFIX SYSDB_NAME, + ORIGINALAD_PREFIX SYSDB_UIDNUM, + ORIGINALAD_PREFIX SYSDB_GIDNUM, + ORIGINALAD_PREFIX SYSDB_GECOS, + ORIGINALAD_PREFIX SYSDB_HOMEDIR, + ORIGINALAD_PREFIX SYSDB_SHELL, + SYSDB_UPN, + SYSDB_DEFAULT_OVERRIDE_NAME, + SYSDB_AD_ACCOUNT_EXPIRES, + SYSDB_AD_USER_ACCOUNT_CONTROL, + SYSDB_SSH_PUBKEY, + SYSDB_USER_CERT, + SYSDB_USER_EMAIL, + SYSDB_ORIG_DN, + SYSDB_ORIG_MEMBEROF, + SYSDB_DEFAULT_ATTRS, NULL }; + 
+ nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + + if (nss_ctx->extra_attributes != NULL) { + ret = add_strings_lists(cli_ctx, defattrs, nss_ctx->extra_attributes, + false, discard_const(&attrs)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to concatenate attributes [%d]: %s\n", + ret, sss_strerror(ret)); + return ENOMEM; + } + } else { + attrs = defattrs; + } + + return nss_getby_name(cli_ctx, false, CACHE_REQ_OBJECT_BY_NAME, attrs, + SSS_MC_NONE, nss_protocol_fill_orig); +} + +static errno_t nss_cmd_getnamebycert(struct cli_ctx *cli_ctx) +{ + return nss_getby_cert(cli_ctx, CACHE_REQ_USER_BY_CERT, + nss_protocol_fill_single_name); +} + +static errno_t nss_cmd_getlistbycert(struct cli_ctx *cli_ctx) +{ + return nss_getlistby_cert(cli_ctx, CACHE_REQ_USER_BY_CERT); +} + +struct sss_cmd_table *get_nss_cmds(void) +{ + static struct sss_cmd_table nss_cmds[] = { + { SSS_GET_VERSION, sss_cmd_get_version }, + { SSS_NSS_GETPWNAM, nss_cmd_getpwnam }, + { SSS_NSS_GETPWUID, nss_cmd_getpwuid }, + { SSS_NSS_SETPWENT, nss_cmd_setpwent }, + { SSS_NSS_GETPWENT, nss_cmd_getpwent }, + { SSS_NSS_ENDPWENT, nss_cmd_endpwent }, + { SSS_NSS_GETGRNAM, nss_cmd_getgrnam }, + { SSS_NSS_GETGRGID, nss_cmd_getgrgid }, + { SSS_NSS_SETGRENT, nss_cmd_setgrent }, + { SSS_NSS_GETGRENT, nss_cmd_getgrent }, + { SSS_NSS_ENDGRENT, nss_cmd_endgrent }, + { SSS_NSS_INITGR, nss_cmd_initgroups }, + { SSS_NSS_SETNETGRENT, nss_cmd_setnetgrent }, + { SSS_NSS_GETNETGRENT, nss_cmd_getnetgrent }, + { SSS_NSS_ENDNETGRENT, nss_cmd_endnetgrent }, + { SSS_NSS_GETSERVBYNAME, nss_cmd_getservbyname }, + { SSS_NSS_GETSERVBYPORT, nss_cmd_getservbyport }, + { SSS_NSS_SETSERVENT, nss_cmd_setservent }, + { SSS_NSS_GETSERVENT, nss_cmd_getservent }, + { SSS_NSS_ENDSERVENT, nss_cmd_endservent }, + { SSS_NSS_GETSIDBYNAME, nss_cmd_getsidbyname }, + { SSS_NSS_GETSIDBYID, nss_cmd_getsidbyid }, + { SSS_NSS_GETSIDBYUID, nss_cmd_getsidbyuid }, + { SSS_NSS_GETSIDBYGID, nss_cmd_getsidbygid }, + { 
SSS_NSS_GETNAMEBYSID, nss_cmd_getnamebysid }, + { SSS_NSS_GETIDBYSID, nss_cmd_getidbysid }, + { SSS_NSS_GETORIGBYNAME, nss_cmd_getorigbyname }, + { SSS_NSS_GETNAMEBYCERT, nss_cmd_getnamebycert }, + { SSS_NSS_GETLISTBYCERT, nss_cmd_getlistbycert }, + { SSS_NSS_GETPWNAM_EX, nss_cmd_getpwnam_ex }, + { SSS_NSS_GETPWUID_EX, nss_cmd_getpwuid_ex }, + { SSS_NSS_GETGRNAM_EX, nss_cmd_getgrnam_ex }, + { SSS_NSS_GETGRGID_EX, nss_cmd_getgrgid_ex }, + { SSS_NSS_INITGR_EX, nss_cmd_initgroups_ex }, + { SSS_CLI_NULL, NULL } + }; + + return nss_cmds; +} + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version nss_cli_protocol_version[] = { + { 1, "2008-09-05", "initial version, \\0 terminated strings" }, + { 0, NULL, NULL } + }; + + return nss_cli_protocol_version; +} + +int nss_connection_setup(struct cli_ctx *cli_ctx) +{ + int ret; + + ret = sss_connection_setup(cli_ctx); + if (ret != EOK) return ret; + + cli_ctx->state_ctx = talloc_zero(cli_ctx, struct nss_state_ctx); + if (cli_ctx->state_ctx == NULL) { + return ENOMEM; + } + + return EOK; +} diff --git a/src/responder/nss/nss_enum.c b/src/responder/nss/nss_enum.c new file mode 100644 index 0000000..a45b652 --- /dev/null +++ b/src/responder/nss/nss_enum.c 
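Review bot: `nss_cmd_endservent` resets `&state_ctx->grent` although `nss_cmd_getservent` iterates with `&state_ctx->svcent`, so ending a service enumeration rewinds the client's group cursor and leaves the service cursor untouched; the call should be `return nss_endent(cli_ctx, &state_ctx->svcent);`. In `nss_getby_svc` and `nss_getnetgrent` a NULL `subreq` does `return ENOMEM;` instead of `ret = ENOMEM; goto done;` as every sibling does, which leaves `cmd_ctx` parented on `cli_ctx` until the client disconnects and skips `nss_protocol_done`. In `nss_getent_done` the `limited` copy is built but never used: `result` is passed to `nss_protocol_reply` and `result->count` advances `enum_index->result`, so unless the fill callback applies `enum_limit` itself (not visible here) the client's limit is ignored; `limited` and `limited->count` look like the intended arguments. Separately, `nss_getby_done` calls `invalidate_cache` whenever the request carries `SSS_NSS_EX_FLAG_INVALIDATE_CACHE`, and nothing in this file checks the caller's credentials first; if the protocol layer does not restrict that flag, any local process that can reach the socket can expire cached entries and force backend lookups, so it is worth confirming where that check lives or adding one before the `invalidate_cache` call.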
@@ -0,0 +1,365 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "util/sss_ptr_hash.h" +#include "responder/nss/nss_private.h" + +typedef errno_t (*nss_setent_set_timeout_fn)(struct tevent_context *ev, + struct nss_ctx *nss_ctx, + struct nss_enum_ctx *enum_ctx); + +struct nss_setent_internal_state { + struct tevent_context *ev; + struct nss_ctx *nss_ctx; + struct nss_enum_ctx *enum_ctx; + nss_setent_set_timeout_fn timeout_handler; + enum cache_req_type type; +}; + +static void nss_setent_internal_done(struct tevent_req *subreq); + +/* Cache request data is stealed on internal state. 
*/ +static struct tevent_req * +nss_setent_internal_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_ctx *cli_ctx, + struct cache_req_data *data, + enum cache_req_type type, + struct nss_enum_ctx *enum_ctx, + nss_setent_set_timeout_fn timeout_handler) +{ + struct nss_setent_internal_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct nss_setent_internal_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return NULL; + } + + talloc_steal(state, data); + + state->ev = ev; + state->nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + state->enum_ctx = enum_ctx; + state->type = type; + state->timeout_handler = timeout_handler; + + if (state->enum_ctx->is_ready) { + /* Object is already constructed, just return here. */ + talloc_free(data); + ret = EOK; + goto done; + } + + if (state->enum_ctx->ongoing != NULL) { + /* Object is being constructed. Register ourselves for + * notification when it is finished. */ + ret = setent_add_ref(state, &state->enum_ctx->notify_list, req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to register setent reference [%d]: %s!\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EAGAIN; + goto done; + } + + /* Create new object. 
*/ + state->enum_ctx->is_ready = false; + subreq = cache_req_send(req, ev, cli_ctx->rctx, cli_ctx->rctx->ncache, + 0, CACHE_REQ_POSIX_DOM, NULL, data); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send cache request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_setent_internal_done, req); + state->enum_ctx->ongoing = subreq; + + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + tevent_req_post(req, ev); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void nss_setent_internal_done(struct tevent_req *subreq) +{ + struct cache_req_result **result; + struct nss_setent_internal_state *state; + struct setent_req_list **notify_list; + struct tevent_req *req; + errno_t ret; + errno_t tret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct nss_setent_internal_state); + + /* This is the ongoing request and it is finished. Remove it. */ + state->enum_ctx->ongoing = NULL; + + ret = cache_req_recv(state, subreq, &result); + talloc_zfree(subreq); + + switch (ret) { + case EOK: + talloc_zfree(state->enum_ctx->result); + state->enum_ctx->result = talloc_steal(state->nss_ctx, result); + + if (state->type == CACHE_REQ_NETGROUP_BY_NAME) { + /* We need to expand the netgroup into triples and members. */ + ret = sysdb_netgr_to_entries(state->enum_ctx, + result[0]->ldb_result, + &state->enum_ctx->netgroup, + &state->enum_ctx->netgroup_count); + if (ret != EOK) { + goto done; + } + } + break; + case ENOENT: + /* Reset the result but build it again next time setent is called. */ + talloc_zfree(state->enum_ctx->result); + talloc_zfree(state->enum_ctx->netgroup); + goto done; + default: + /* In case of an error, we do not touch the enumeration context. */ + goto done; + } + + /* Expire the result object after its timeout is reached. 
*/ + tret = state->timeout_handler(state->ev, state->nss_ctx, state->enum_ctx); + if (tret != EOK) { + ret = ENOMEM; + goto done; + } + + /* The object is ready now. */ + state->enum_ctx->is_ready = true; + + ret = EOK; + +done: + /* We want to finish the requests in correct order, this was the + * first request, notify_list contain the subsequent request. + * + * Because callback invoked from tevent_req_done will free state, + * we must remember notify_list explicitly to avoid segfault. + */ + notify_list = &state->enum_ctx->notify_list; + + if (ret == EOK) { + tevent_req_done(req); + setent_notify_done(notify_list); + } else { + tevent_req_error(req, ret); + setent_notify(notify_list, ret); + } +} + +static errno_t +nss_setent_internal_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +static void +nss_setent_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct nss_enum_ctx *enum_ctx = pvt; + + DEBUG(SSSDBG_TRACE_FUNC, "Enumeration result object has expired.\n"); + + /* Reset enumeration context. 
*/ + talloc_zfree(enum_ctx->result); + enum_ctx->is_ready = false; +} + +static errno_t +nss_setent_set_timeout(struct tevent_context *ev, + struct nss_ctx *nss_ctx, + struct nss_enum_ctx *enum_ctx) +{ + struct tevent_timer *te; + struct timeval tv; + + tv = tevent_timeval_current_ofs(nss_ctx->enum_cache_timeout, 0); + te = tevent_add_timer(ev, nss_ctx, tv, nss_setent_timeout, enum_ctx); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set up life timer for enumeration object.\n"); + return ENOMEM; + } + + return EOK; +} + +struct tevent_req * +nss_setent_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_ctx *cli_ctx, + enum cache_req_type type, + struct nss_enum_ctx *enum_ctx) +{ + struct cache_req_data *data; + + data = cache_req_data_enum(mem_ctx, type); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set cache request data!\n"); + return NULL; + } + + return nss_setent_internal_send(mem_ctx, ev, cli_ctx, data, type, enum_ctx, + nss_setent_set_timeout); +} + +errno_t nss_setent_recv(struct tevent_req *req) +{ + return nss_setent_internal_recv(req); +} + +static void +nss_setnetgrent_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct nss_enum_ctx *enum_ctx; + + DEBUG(SSSDBG_TRACE_FUNC, "Enumeration result object has expired.\n"); + + /* Free enumeration context. This will also remove it from the table. 
*/ + enum_ctx = talloc_get_type(pvt, struct nss_enum_ctx); + talloc_free(enum_ctx); +} + +static errno_t +nss_setnetgrent_set_timeout(struct tevent_context *ev, + struct nss_ctx *nss_ctx, + struct nss_enum_ctx *enum_ctx) +{ + struct tevent_timer *te; + struct timeval tv; + uint32_t timeout; + + if (nss_ctx->cache_refresh_percent) { + timeout = enum_ctx->result[0]->domain->netgroup_timeout * + (nss_ctx->cache_refresh_percent / 100.0); + } else { + timeout = enum_ctx->result[0]->domain->netgroup_timeout; + } + + /* In order to not trash the cache between setnetgrent()/getnetgrent() + * calls with too low timeout values, we only allow 10 seconds as + * the minimal timeout + */ + if (timeout < 10) timeout = 10; + + tv = tevent_timeval_current_ofs(timeout, 0); + te = tevent_add_timer(ev, enum_ctx, tv, nss_setnetgrent_timeout, enum_ctx); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set up life timer for enumeration object.\n"); + return ENOMEM; + } + + return EOK; +} + +static struct nss_enum_ctx * +nss_setnetgrent_set_enum_ctx(hash_table_t *table, + const char *netgroup) +{ + struct nss_enum_ctx *enum_ctx; + errno_t ret; + + enum_ctx = sss_ptr_hash_lookup(table, netgroup, struct nss_enum_ctx); + if (enum_ctx != NULL) { + return enum_ctx; + } + + enum_ctx = talloc_zero(table, struct nss_enum_ctx); + if (enum_ctx == NULL) { + return NULL; + } + + ret = sss_ptr_hash_add(table, netgroup, enum_ctx, struct nss_enum_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to add enumeration context into table [%d]: %s\n", + ret, sss_strerror(ret)); + talloc_free(enum_ctx); + return NULL; + } + + return enum_ctx; +} + +struct tevent_req * +nss_setnetgrent_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_ctx *cli_ctx, + enum cache_req_type type, + hash_table_t *table, + const char *netgroup) +{ + struct nss_enum_ctx *enum_ctx; + struct cache_req_data *data; + + enum_ctx = nss_setnetgrent_set_enum_ctx(table, netgroup); + if (enum_ctx == 
NULL) { + return NULL; + } + + data = cache_req_data_name(mem_ctx, type, netgroup); + if (data == NULL) { + return NULL; + } + + return nss_setent_internal_send(mem_ctx, ev, cli_ctx, data, type, enum_ctx, + nss_setnetgrent_set_timeout); +} + +errno_t nss_setnetgrent_recv(struct tevent_req *req) +{ + return nss_setent_internal_recv(req); +} diff --git a/src/responder/nss/nss_get_object.c b/src/responder/nss/nss_get_object.c new file mode 100644 index 0000000..15faced --- /dev/null +++ b/src/responder/nss/nss_get_object.c 
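Review bot: In nss_enum.c, a netgroup `nss_enum_ctx` that never reaches the `EOK` path is never given an expiry: `nss_setnetgrent_set_enum_ctx` adds one to the table for each name it has not seen, but only `nss_setnetgrent_timeout` frees it, and `nss_setent_internal_done` arms that timer after the `switch` only. The `ENOENT` and `default` cases (and a failed `sysdb_netgr_to_entries`) jump to `done` first, as does the `data == NULL` return in `nss_setnetgrent_send`, so such contexts appear to stay in the table for the life of the responder. The name presumably comes from the client request, so unless something outside this hunk prunes the table, its size is driven by the caller. I would give these contexts a bounded lifetime too, armed after `notify_list` has been drained and without reading `enum_ctx->result[0]` (which is NULL on this path), and document the intended lifetime above `nss_setnetgrent_set_enum_ctx`.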
@@ -0,0 +1,286 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "responder/nss/nss_private.h" +#include "responder/nss/nsssrv_mmap_cache.h" + +static errno_t +memcache_delete_entry_by_name(struct nss_ctx *nss_ctx, + struct sized_string *name, + enum sss_mc_type type) +{ + errno_t ret; + + switch (type) { + case SSS_MC_PASSWD: + ret = sss_mmap_cache_pw_invalidate(nss_ctx->pwd_mc_ctx, name); + break; + case SSS_MC_GROUP: + ret = sss_mmap_cache_gr_invalidate(nss_ctx->grp_mc_ctx, name); + break; + case SSS_MC_INITGROUPS: + ret = sss_mmap_cache_initgr_invalidate(nss_ctx->initgr_mc_ctx, name); + break; + default: + return EINVAL; + } + + if (ret == EOK || ret == ENOENT) { + return EOK; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", + ret, sss_strerror(ret)); + + return ret; +} + +static errno_t +memcache_delete_entry_by_id(struct nss_ctx *nss_ctx, + uint32_t id, + enum sss_mc_type type) +{ + errno_t ret; + + switch (type) { + case SSS_MC_PASSWD: + ret = sss_mmap_cache_pw_invalidate_uid(nss_ctx->pwd_mc_ctx, (uid_t)id); + break; + case SSS_MC_GROUP: + ret = sss_mmap_cache_gr_invalidate_gid(nss_ctx->grp_mc_ctx, (gid_t)id); + break; + default: + return EINVAL; + } + + if (ret == EOK || ret == ENOENT) { + return EOK; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal 
failure in memory cache code: %d [%s]\n", + ret, sss_strerror(ret)); + + return ret; +} + +errno_t +memcache_delete_entry(struct nss_ctx *nss_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + const char *name, + uint32_t id, + enum sss_mc_type type) +{ + struct sss_domain_info *dom; + struct sized_string *sized_name; + errno_t ret; + + for (dom = rctx->domains; + dom != NULL; + dom = get_next_domain(dom, SSS_GND_DESCEND)) { + + if (domain == dom) { + /* We found entry in this domain so we don't + * wont to invalidate it here. */ + continue; + } + + if (name != NULL) { + ret = sized_output_name(NULL, rctx, name, dom, &sized_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to create sized name [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + ret = memcache_delete_entry_by_name(nss_ctx, sized_name, type); + talloc_zfree(sized_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to delete '%s' from domain '%s' memory cache!\n", + name, dom->name); + continue; + } + } else if (id == 0) { + /* + * As "root" is not handled by SSSD, let's just return EOK here + * instead of erroring out. + */ + return EOK; + } else if (id != 0) { + ret = memcache_delete_entry_by_id(nss_ctx, id, type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to delete '%u' from domain '%s' memory cache!\n", + id, dom->name); + continue; + } + } else { + DEBUG(SSSDBG_OP_FAILURE, "Bug: invalid input!"); + return ERR_INTERNAL; + } + } + + return EOK; +} + +struct nss_get_object_state { + struct nss_ctx *nss_ctx; + struct resp_ctx *rctx; + + /* We delete object from memory cache if it is not found */ + enum sss_mc_type memcache; + const char *input_name; + uint32_t input_id; + + struct cache_req_result *result; +}; + +static void nss_get_object_done(struct tevent_req *subreq); + +/* Cache request data memory context is stolen to internal state. 
*/ +struct tevent_req * +nss_get_object_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_ctx *cli_ctx, + struct cache_req_data *data, + enum sss_mc_type memcache, + const char *input_name, + uint32_t input_id) +{ + struct nss_get_object_state *state; + struct tevent_req *subreq; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct nss_get_object_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return NULL; + } + + talloc_steal(state, data); + + state->rctx = cli_ctx->rctx; + state->nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + state->memcache = memcache; + state->input_id = input_id; + state->input_name = talloc_strdup(state, input_name); + if (input_name != NULL && state->input_name == NULL) { + ret = ENOMEM; + goto done; + } + + subreq = cache_req_send(req, ev, cli_ctx->rctx, cli_ctx->rctx->ncache, + state->nss_ctx->cache_refresh_percent, + CACHE_REQ_POSIX_DOM, NULL, data); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send cache request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, nss_get_object_done, req); + + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + tevent_req_post(req, ev); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void nss_get_object_done(struct tevent_req *subreq) +{ + struct nss_get_object_state *state; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct nss_get_object_state); + + ret = cache_req_single_domain_recv(state, subreq, &state->result); + talloc_zfree(subreq); + + switch (ret) { + case EOK: + if (state->memcache != SSS_MC_NONE) { + /* Delete entry from all domains but the one that was found. 
*/ + memcache_delete_entry(state->nss_ctx, state->rctx, + state->result->domain, + state->input_name, + state->input_id, + state->memcache); + } + + tevent_req_done(req); + break; + case ENOENT: + if (state->memcache != SSS_MC_NONE) { + /* Delete entry from all domains. */ + memcache_delete_entry(state->nss_ctx, state->rctx, NULL, + state->input_name, state->input_id, + state->memcache); + } + + tevent_req_error(req, ENOENT); + break; + default: + tevent_req_error(req, ret); + break; + } + + return; +} + +errno_t +nss_get_object_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct cache_req_result **_result, + const char **_rawname) +{ + struct nss_get_object_state *state; + state = tevent_req_data(req, struct nss_get_object_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_result != NULL) { + *_result = talloc_steal(mem_ctx, state->result); + } + + if (_rawname != NULL) { + *_rawname = talloc_steal(mem_ctx, state->input_name); + } + + return EOK; +} diff --git a/src/responder/nss/nss_iface.c b/src/responder/nss/nss_iface.c new file mode 100644 index 0000000..805e4fc --- /dev/null +++ b/src/responder/nss/nss_iface.c 
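Review bot: The final `else` in `memcache_delete_entry` (nss_get_object.c) is unreachable, because the two branches before it test `id == 0` and `id != 0`; the `"Bug: invalid input!"` message in it also lacks the trailing `\n` that the other DEBUG calls carry. Turning `} else if (id != 0) {` into a plain `} else {` and dropping the dead block says what the code actually does. Separately, a `sized_output_name` failure does `return ret;` out of the domain loop while a failed delete only does `continue;`, so one failing domain leaves the remaining domains' memory-cache entries untouched, and `nss_get_object_done` ignores the return value, so this would surface only in the debug log. Using `continue;` after the DEBUG call there would match the best-effort handling of the delete calls and avoid serving stale entries from the other domains.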
@@ -0,0 +1,234 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "sbus/sssd_dbus.h" +#include "responder/nss/nss_iface.h" +#include "responder/nss/nss_private.h" + +void nss_update_initgr_memcache(struct nss_ctx *nctx, + const char *fq_name, const char *domain, + int gnum, uint32_t *groups) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sss_domain_info *dom; + struct ldb_result *res; + struct sized_string *delete_name; + bool changed = false; + uint32_t id; + uint32_t gids[gnum]; + int ret; + int i, j; + + for (dom = nctx->rctx->domains; + dom; + dom = get_next_domain(dom, SSS_GND_DESCEND)) { + if (strcasecmp(dom->name, domain) == 0) { + break; + } + } + + if (dom == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Unknown domain (%s) requested by provider\n", domain); + return; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return; + } + + ret = sized_output_name(tmp_ctx, nctx->rctx, fq_name, dom, &delete_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sized_output_name failed for '%s': %d [%s]\n", + fq_name, ret, sss_strerror(ret)); + goto done; + } + + ret = sysdb_initgroups(tmp_ctx, dom, fq_name, &res); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to make request to our cache! 
[%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + /* copy, we need the original intact in case we need to invalidate + * all the original groups */ + memcpy(gids, groups, gnum * sizeof(uint32_t)); + + if (ret == ENOENT || res->count == 0) { + /* The user is gone. Invalidate the mc record */ + ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, delete_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", + ret, strerror(ret)); + } + + /* Also invalidate his groups */ + changed = true; + } else { + /* we skip the first entry, it's the user itself */ + for (i = 0; i < res->count; i++) { + id = ldb_msg_find_attr_as_uint(res->msgs[i], SYSDB_GIDNUM, 0); + if (id == 0) { + /* probably non-POSIX group, skip */ + continue; + } + for (j = 0; j < gnum; j++) { + if (gids[j] == id) { + gids[j] = 0; + break; + } + } + if (j >= gnum) { + /* we couldn't find a match, this means the groups have + * changed after the refresh */ + changed = true; + break; + } + } + + if (!changed) { + for (j = 0; j < gnum; j++) { + if (gids[j] != 0) { + /* we found an un-cleared groups, this means the groups + * have changed after the refresh (some got deleted) */ + changed = true; + break; + } + } + } + } + + if (changed) { + for (i = 0; i < gnum; i++) { + id = groups[i]; + + ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", + ret, strerror(ret)); + } + } + + to_sized_string(delete_name, fq_name); + ret = sss_mmap_cache_initgr_invalidate(nctx->initgr_mc_ctx, + delete_name); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Internal failure in memory cache code: %d [%s]\n", + ret, strerror(ret)); + } + } + +done: + talloc_free(tmp_ctx); +} + +int nss_memorycache_invalidate_users(struct sbus_request *req, void *data) +{ + struct resp_ctx *rctx = talloc_get_type(data, struct 
resp_ctx); + struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + + DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all users in memory cache\n"); + sss_mmap_cache_reset(nctx->pwd_mc_ctx); + + return iface_nss_memorycache_InvalidateAllUsers_finish(req); +} + +int nss_memorycache_invalidate_groups(struct sbus_request *req, void *data) +{ + struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); + struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + + DEBUG(SSSDBG_TRACE_LIBS, "Invalidating all groups in memory cache\n"); + sss_mmap_cache_reset(nctx->grp_mc_ctx); + + return iface_nss_memorycache_InvalidateAllGroups_finish(req); +} + +int nss_memorycache_invalidate_initgroups(struct sbus_request *req, void *data) +{ + struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); + struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + + DEBUG(SSSDBG_TRACE_LIBS, + "Invalidating all initgroup records in memory cache\n"); + sss_mmap_cache_reset(nctx->initgr_mc_ctx); + + return iface_nss_memorycache_InvalidateAllInitgroups_finish(req); +} + + +int nss_memorycache_update_initgroups(struct sbus_request *sbus_req, + void *data, + const char *user, + const char *domain, + uint32_t *groups, + int num_groups) +{ + struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); + struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + + DEBUG(SSSDBG_TRACE_LIBS, "Updating initgroups memory cache of [%s@%s]\n", + user, domain); + + nss_update_initgr_memcache(nctx, user, domain, num_groups, groups); + + return iface_nss_memorycache_UpdateInitgroups_finish(sbus_req); +} + +int nss_memorycache_invalidate_group_by_id(struct sbus_request *sbus_req, + void *data, + gid_t gid) +{ + struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); + struct nss_ctx *nctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + + DEBUG(SSSDBG_TRACE_LIBS, + "Invalidating group %"PRIu32" from memory cache\n", gid); + + 
sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, gid); + + return iface_nss_memorycache_InvalidateGroupById_finish(sbus_req); +} + +struct iface_nss_memorycache iface_nss_memorycache = { + { &iface_nss_memorycache_meta, 0 }, + .UpdateInitgroups = nss_memorycache_update_initgroups, + .InvalidateAllUsers = nss_memorycache_invalidate_users, + .InvalidateAllGroups = nss_memorycache_invalidate_groups, + .InvalidateAllInitgroups = nss_memorycache_invalidate_initgroups, + .InvalidateGroupById = nss_memorycache_invalidate_group_by_id, +}; + +static struct sbus_iface_map iface_map[] = { + { NSS_MEMORYCACHE_PATH, &iface_nss_memorycache.vtable }, + { NULL, NULL } +}; + +struct sbus_iface_map *nss_get_sbus_interface(void) +{ + return iface_map; +} diff --git a/src/responder/nss/nss_iface.h b/src/responder/nss/nss_iface.h new file mode 100644 index 0000000..ab59928 --- /dev/null +++ b/src/responder/nss/nss_iface.h @@ -0,0 +1,30 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _NSS_IFACE_H_ +#define _NSS_IFACE_H_ + +#include "responder/nss/nss_iface_generated.h" + +#define NSS_MEMORYCACHE_PATH "/org/freedesktop/sssd/nss/memcache" + +struct sbus_iface_map *nss_get_sbus_interface(void); + +#endif /* _NSS_IFACE_H_ */ diff --git a/src/responder/nss/nss_iface.xml b/src/responder/nss/nss_iface.xml new file mode 100644 index 0000000..4d8cf14 --- /dev/null 
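Review bot: In nss_iface.c, `nss_update_initgr_memcache` declares `uint32_t gids[gnum];` at the top of the function, and `gnum` is the `num_groups` value that `nss_memorycache_update_initgroups` passes through unchanged from the sbus call. The stack allocation is therefore sized by the message sender before any check: a zero count gives a zero-length VLA, which C leaves undefined, and a very large count can exhaust the stack. Copying into a buffer owned by `tmp_ctx` and rejecting a negative count keeps the size off the stack and makes allocation failure checkable; the existing `memcpy` line then goes away. The comment "we skip the first entry, it's the user itself" also does not match the loop below it, which starts at `i = 0`.

```c
    uint32_t *gids;
    /* … unchanged: domain lookup, tmp_ctx creation, sized_output_name, sysdb_initgroups … */

    if (gnum < 0) {
        goto done;
    }

    /* heap copy owned by tmp_ctx; replaces the VLA and the memcpy */
    gids = talloc_memdup(tmp_ctx, groups, gnum * sizeof(uint32_t));
    if (gids == NULL) {
        goto done;
    }
    /* … unchanged: comparison of gids against the cached groups and invalidation … */
```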
+++ b/src/responder/nss/nss_iface.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/src/responder/nss/nss_iface_generated.c b/src/responder/nss/nss_iface_generated.c new file mode 100644 index 0000000..8d5a458 --- /dev/null +++ b/src/responder/nss/nss_iface_generated.c 
@@ -0,0 +1,149 @@ +/* The following definitions are auto-generated from nss_iface.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "nss_iface_generated.h" + +/* invokes a handler with a 'ssau' DBus signature */ +static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr); + +/* arguments for org.freedesktop.sssd.nss.MemoryCache.UpdateInitgroups */ +const struct sbus_arg_meta iface_nss_memorycache_UpdateInitgroups__in[] = { + { "user", "s" }, + { "domain", "s" }, + { "groups", "au" }, + { NULL, } +}; + +int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* arguments for org.freedesktop.sssd.nss.MemoryCache.InvalidateGroupById */ +const struct sbus_arg_meta iface_nss_memorycache_InvalidateGroupById__in[] = { + { "gid", "u" }, + { NULL, } +}; + +int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for org.freedesktop.sssd.nss.MemoryCache */ +const struct sbus_method_meta iface_nss_memorycache__methods[] = { + { + "UpdateInitgroups", /* name */ + iface_nss_memorycache_UpdateInitgroups__in, + NULL, /* no 
out_args */ + offsetof(struct iface_nss_memorycache, UpdateInitgroups), + invoke_ssau_method, + }, + { + "InvalidateAllUsers", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_nss_memorycache, InvalidateAllUsers), + NULL, /* no invoker */ + }, + { + "InvalidateAllGroups", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_nss_memorycache, InvalidateAllGroups), + NULL, /* no invoker */ + }, + { + "InvalidateAllInitgroups", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct iface_nss_memorycache, InvalidateAllInitgroups), + NULL, /* no invoker */ + }, + { + "InvalidateGroupById", /* name */ + iface_nss_memorycache_InvalidateGroupById__in, + NULL, /* no out_args */ + offsetof(struct iface_nss_memorycache, InvalidateGroupById), + invoke_u_method, + }, + { NULL, } +}; + +/* interface info for org.freedesktop.sssd.nss.MemoryCache */ +const struct sbus_interface_meta iface_nss_memorycache_meta = { + "org.freedesktop.sssd.nss.MemoryCache", /* name */ + iface_nss_memorycache__methods, + NULL, /* no signals */ + NULL, /* no properties */ + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} + +/* invokes a handler with a 'ssau' DBus signature */ +static int invoke_ssau_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + const char * arg_1; + uint32_t *arg_2; + int len_2; + int (*handler)(struct sbus_request *, void *, const char *, const char *, uint32_t[], int) = function_ptr; + + if 
(!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_STRING, &arg_1, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &arg_2, &len_2, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1, + arg_2, + len_2); +} diff --git a/src/responder/nss/nss_iface_generated.h b/src/responder/nss/nss_iface_generated.h new file mode 100644 index 0000000..27a6d08 --- /dev/null +++ b/src/responder/nss/nss_iface_generated.h 
@@ -0,0 +1,79 @@ +/* The following declarations are auto-generated from nss_iface.xml */ + +#ifndef __NSS_IFACE_XML__ +#define __NSS_IFACE_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for org.freedesktop.sssd.nss.MemoryCache */ +#define IFACE_NSS_MEMORYCACHE "org.freedesktop.sssd.nss.MemoryCache" +#define IFACE_NSS_MEMORYCACHE_UPDATEINITGROUPS "UpdateInitgroups" +#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLUSERS "InvalidateAllUsers" +#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLGROUPS "InvalidateAllGroups" +#define IFACE_NSS_MEMORYCACHE_INVALIDATEALLINITGROUPS "InvalidateAllInitgroups" +#define IFACE_NSS_MEMORYCACHE_INVALIDATEGROUPBYID "InvalidateGroupById" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. + * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. 
+ */ + +/* vtable for org.freedesktop.sssd.nss.MemoryCache */ +struct iface_nss_memorycache { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*UpdateInitgroups)(struct sbus_request *req, void *data, const char *arg_user, const char *arg_domain, uint32_t arg_groups[], int len_groups); + int (*InvalidateAllUsers)(struct sbus_request *req, void *data); + int (*InvalidateAllGroups)(struct sbus_request *req, void *data); + int (*InvalidateAllInitgroups)(struct sbus_request *req, void *data); + int (*InvalidateGroupById)(struct sbus_request *req, void *data, uint32_t arg_gid); +}; + +/* finish function for UpdateInitgroups */ +int iface_nss_memorycache_UpdateInitgroups_finish(struct sbus_request *req); + +/* finish function for InvalidateAllUsers */ +int iface_nss_memorycache_InvalidateAllUsers_finish(struct sbus_request *req); + +/* finish function for InvalidateAllGroups */ +int iface_nss_memorycache_InvalidateAllGroups_finish(struct sbus_request *req); + +/* finish function for InvalidateAllInitgroups */ +int iface_nss_memorycache_InvalidateAllInitgroups_finish(struct sbus_request *req); + +/* finish function for InvalidateGroupById */ +int iface_nss_memorycache_InvalidateGroupById_finish(struct sbus_request *req); + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. + */ + +/* interface info for org.freedesktop.sssd.nss.MemoryCache */ +extern const struct sbus_interface_meta iface_nss_memorycache_meta; + +#endif /* __NSS_IFACE_XML__ */ diff --git a/src/responder/nss/nss_private.h b/src/responder/nss/nss_private.h new file mode 100644 index 0000000..aa8d8e9 --- /dev/null +++ b/src/responder/nss/nss_private.h 
@@ -0,0 +1,150 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _NSS_PRIVATE_H_
+#define _NSS_PRIVATE_H_
+
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "responder/common/responder.h"
+#include "responder/common/cache_req/cache_req.h"
+#include "responder/nss/nsssrv_mmap_cache.h"
+#include "lib/idmap/sss_idmap.h"
+
+struct nss_enum_index {
+ unsigned int domain;
+ unsigned int result;
+};
+
+struct nss_enum_ctx {
+ struct cache_req_result **result;
+ struct sysdb_netgroup_ctx **netgroup;
+ size_t netgroup_count;
+
+ /* Ongoing cache request that is constructing enumeration result. */
+ struct tevent_req *ongoing;
+
+ /* If true, the object is already constructed. */
+ bool is_ready;
+
+ /* List of setent requests awaiting the result. We finish
+ * them when the ongoing cache request is completed. */
+ struct setent_req_list *notify_list;
+};
+
+struct nss_state_ctx {
+ struct nss_enum_index pwent;
+ struct nss_enum_index grent;
+ struct nss_enum_index svcent;
+ struct nss_enum_index netgrent;
+
+ const char *netgroup;
+};
+
+struct nss_ctx {
+ struct resp_ctx *rctx;
+ struct sss_idmap_ctx *idmap_ctx;
+
+ /* Options. */
+ int cache_refresh_percent;
+ int enum_cache_timeout;
+ bool filter_users_in_groups;
+ char *pwfield;
+ char *override_homedir;
+ char *fallback_homedir;
+ char *homedir_substr;
+ const char **extra_attributes;
+
+ /* Enumeration. */
+ struct nss_enum_ctx pwent;
+ struct nss_enum_ctx grent;
+ struct nss_enum_ctx svcent;
+ hash_table_t *netgrent;
+
+ /* Memory cache. */
+ struct sss_mc_ctx *pwd_mc_ctx;
+ struct sss_mc_ctx *grp_mc_ctx;
+ struct sss_mc_ctx *initgr_mc_ctx;
+};
+
+struct sss_cmd_table *get_nss_cmds(void);
+
+int nss_connection_setup(struct cli_ctx *cli_ctx);
+
+errno_t
+memcache_delete_entry(struct nss_ctx *nss_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *domain,
+ const char *name,
+ uint32_t id,
+ enum sss_mc_type type);
+
+struct tevent_req *
+nss_get_object_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_ctx *cli_ctx,
+ struct cache_req_data *data,
+ enum sss_mc_type memcache,
+ const char *input_name,
+ uint32_t input_id);
+
+errno_t
+nss_get_object_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct cache_req_result **_result,
+ const char **_rawname);
+
+struct tevent_req *
+nss_setent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_ctx *cli_ctx,
+ enum cache_req_type type,
+ struct nss_enum_ctx *enum_ctx);
+
+errno_t
+nss_setent_recv(struct tevent_req *req);
+
+struct tevent_req *
+nss_setnetgrent_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_ctx *cli_ctx,
+ enum cache_req_type type,
+ hash_table_t *table,
+ const char *netgroup);
+
+errno_t
+nss_setnetgrent_recv(struct tevent_req *req);
+
+/* Utils. */
+
+const char *
+nss_get_name_from_msg(struct sss_domain_info *domain,
+ struct ldb_message *msg);
+
+const char *
+nss_get_pwfield(struct nss_ctx *nctx,
+ struct sss_domain_info *dom);
+
+#endif /* _NSS_PRIVATE_H_ */
diff --git a/src/responder/nss/nss_protocol.c b/src/responder/nss/nss_protocol.c
new file mode 100644
index 0000000..13f6d15
--- /dev/null
+++ b/src/responder/nss/nss_protocol.c 
@@ -0,0 +1,442 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/cert.h" +#include "lib/idmap/sss_idmap.h" +#include "responder/nss/nss_protocol.h" + +errno_t +nss_protocol_done(struct cli_ctx *cli_ctx, errno_t error) +{ + struct cli_protocol *pctx; + errno_t ret; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + switch (error) { + case EOK: + /* Create empty packet if none was provided. 
*/ + if (pctx->creq->out == NULL) { + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + goto done; + } + + sss_packet_set_error(pctx->creq->out, EOK); + } + + DEBUG(SSSDBG_TRACE_ALL, "Sending reply: success\n"); + ret = EOK; + goto done; + case ENOENT: + DEBUG(SSSDBG_TRACE_ALL, "Sending reply: not found\n"); + ret = sss_cmd_send_empty(cli_ctx); + goto done; + default: + DEBUG(SSSDBG_TRACE_ALL, "Sending reply: error [%d]: %s\n", + error, sss_strerror(error)); + ret = sss_cmd_send_error(cli_ctx, error); + goto done; + } + +done: + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send reply [%d]: %s!\n", + ret, sss_strerror(ret)); + return ret; + } + + sss_cmd_done(cli_ctx, NULL); + return EOK; +} + +void nss_protocol_reply(struct cli_ctx *cli_ctx, + struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct cache_req_result *result, + nss_protocol_fill_packet_fn fill_fn) +{ + struct cli_protocol *pctx; + errno_t ret; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + goto done; + } + + ret = fill_fn(nss_ctx, cmd_ctx, pctx->creq->out, result); + if (ret != EOK) { + goto done; + } + + sss_packet_set_error(pctx->creq->out, EOK); + +done: + nss_protocol_done(cli_ctx, ret); +} + +errno_t +nss_protocol_parse_name(struct cli_ctx *cli_ctx, const char **_rawname) +{ + struct cli_protocol *pctx; + const char *rawname; + uint8_t *body; + size_t blen; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* If not terminated fail. 
*/ + if (body[blen - 1] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated!\n"); + return EINVAL; + } + + /* If the body isn't valid UTF-8, fail */ + if (!sss_utf8_check(body, blen - 1)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not UTF-8 string!\n"); + return EINVAL; + } + + rawname = (const char *)body; + if (rawname[0] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "An empty name was provided!\n"); + return EINVAL; + } + + *_rawname = rawname; + + return EOK; +} + +errno_t +nss_protocol_parse_name_ex(struct cli_ctx *cli_ctx, const char **_rawname, + uint32_t *_flags) +{ + struct cli_protocol *pctx; + const char *rawname; + uint8_t *body; + size_t blen; + uint8_t *p; + uint32_t flags; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + if (blen < 1 + sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Body too short!\n"); + return EINVAL; + } + + /* If first argument not terminated fail. */ + if (body[blen - 1 - sizeof(uint32_t)] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated!\n"); + return EINVAL; + } + + p = memchr(body, '\0', blen); + /* Although body for sure is null terminated, let's add this check here + * so static analyzers are happier. 
*/ + if (p == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "memchr() returned NULL, body is not null terminated!\n"); + return EINVAL; + } + + /* If the body isn't valid UTF-8, fail */ + if (!sss_utf8_check(body, (p - body))) { + DEBUG(SSSDBG_CRIT_FAILURE, "First argument is not UTF-8 string!\n"); + return EINVAL; + } + + rawname = (const char *)body; + if (rawname[0] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "An empty name was provided!\n"); + return EINVAL; + } + + p++; + if ((p - body) + sizeof(uint32_t) != blen) { + DEBUG(SSSDBG_CRIT_FAILURE, "Body has unexpected size!\n"); + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&flags, p, NULL); + p += sizeof(uint32_t); + + *_rawname = rawname; + *_flags = flags; + + return EOK; +} + +errno_t +nss_protocol_parse_id(struct cli_ctx *cli_ctx, uint32_t *_id) +{ + struct cli_protocol *pctx; + uint8_t *body; + size_t blen; + uint32_t id; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + if (blen != sizeof(uint32_t)) { + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&id, body, NULL); + + *_id = id; + + return EOK; +} + +errno_t +nss_protocol_parse_id_ex(struct cli_ctx *cli_ctx, uint32_t *_id, + uint32_t *_flags) +{ + struct cli_protocol *pctx; + uint8_t *body; + size_t blen; + uint32_t id; + uint32_t flags; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + if (blen != 2 * sizeof(uint32_t)) { + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&id, body, NULL); + SAFEALIGN_COPY_UINT32(&flags, body + sizeof(uint32_t), NULL); + + *_id = id; + *_flags = flags; + + return EOK; +} + +errno_t +nss_protocol_parse_limit(struct cli_ctx *cli_ctx, uint32_t *_limit) +{ + return nss_protocol_parse_id(cli_ctx, _limit); +} + +errno_t +nss_protocol_parse_svc_name(struct cli_ctx *cli_ctx, + const char **_name, + const char **_protocol) +{ + struct cli_protocol *pctx; + const char *protocol; + const 
char *name; + size_t protocol_len; + size_t name_len; + uint8_t *body; + size_t blen; + int i; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* If not terminated fail. */ + if (body[blen - 1] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated\n"); + return EINVAL; + } + + /* Calculate service name length. */ + for (i = 0, name_len = 0; body[i] != '\0'; i++) { + name_len++; + } + + /* Calculate protocol name length, use index from previous cycle. */ + for (protocol_len = 0; body[i + 1] != '\0'; i++) { + protocol_len++; + } + + if (name_len == 0) { + return EINVAL; + } + + name = (const char *)body; + protocol = protocol_len == 0 ? NULL : (const char *)(body + name_len + 1); + + if (!sss_utf8_check((const uint8_t *)name, name_len)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Name is not UTF-8 string\n"); + return EINVAL; + } + + if (!sss_utf8_check((const uint8_t *)protocol, protocol_len)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Protocol is not UTF-8 string\n"); + return EINVAL; + } + + *_name = name; + *_protocol = protocol; + + return EOK; +} + +errno_t +nss_protocol_parse_svc_port(struct cli_ctx *cli_ctx, + uint16_t *_port, + const char **_protocol) +{ + struct cli_protocol *pctx; + const char *protocol; + size_t protocol_len; + uint16_t port; + uint8_t *body; + size_t blen; + int i; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* If not terminated fail. */ + if (body[blen - 1] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated\n"); + return EINVAL; + } + + SAFEALIGN_COPY_UINT16(&port, body, NULL); + port = ntohs(port); + + /* Move behind the port and padding to get the protocol. */ + body = body + 2 * sizeof(uint16_t) + sizeof(uint32_t); + + /* Calculate protocol name length. 
*/ + for (protocol_len = 0, i = 0; body[i] != '\0'; i++) { + protocol_len++; + } + + protocol = protocol_len == 0 ? NULL : (const char *)body; + + if (!sss_utf8_check((const uint8_t *)protocol, protocol_len)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Protocol is not UTF-8 string\n"); + return EINVAL; + } + + *_port = port; + *_protocol = protocol; + + return EOK; +} + +errno_t +nss_protocol_parse_cert(struct cli_ctx *cli_ctx, + const char **_derb64) +{ + struct cli_protocol *pctx; + const char *derb64; + size_t pem_size; + char *pem_cert; + uint8_t *body; + size_t blen; + errno_t ret; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* If not terminated fail. */ + if (body[blen - 1] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated\n"); + return EINVAL; + } + + derb64 = (const char *)body; + + DEBUG(SSSDBG_TRACE_ALL, "Input certificate [%s]\n", derb64); + + /* Check input. */ + ret = sss_cert_derb64_to_pem(cli_ctx, derb64, &pem_cert, &pem_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to convert certificate to pem [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + talloc_free(pem_cert); + + *_derb64 = derb64; + + return EOK; +} + +errno_t +nss_protocol_parse_sid(struct cli_ctx *cli_ctx, + const char **_sid) +{ + struct cli_protocol *pctx; + struct nss_ctx *nss_ctx; + const char *sid; + uint8_t *bin_sid; + size_t bin_len; + uint8_t *body; + size_t blen; + enum idmap_error_code err; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + nss_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct nss_ctx); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + /* If not terminated fail. 
*/ + if (body[blen - 1] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated\n"); + return EINVAL; + } + + sid = (const char *)body; + + /* If the body isn't a SID, fail */ + err = sss_idmap_sid_to_bin_sid(nss_ctx->idmap_ctx, sid, &bin_sid, + &bin_len); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to convert SID to binary [%s].\n", sid); + return EINVAL; + } + + sss_idmap_free_bin_sid(nss_ctx->idmap_ctx, bin_sid); + + DEBUG(SSSDBG_TRACE_ALL, "Input SID [%s]\n", sid); + + *_sid = sid; + + return EOK; +} diff --git a/src/responder/nss/nss_protocol.h b/src/responder/nss/nss_protocol.h new file mode 100644 index 0000000..76724d2 --- /dev/null +++ b/src/responder/nss/nss_protocol.h 
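Review bot: `nss_protocol_parse_svc_port` advances `body` by `2 * sizeof(uint16_t) + sizeof(uint32_t)` and then scans for a NUL without ever comparing that offset with `blen`, so a request body shorter than nine bytes makes the protocol loop read past the client-supplied data; a guard such as `if (blen < 2 * sizeof(uint16_t) + sizeof(uint32_t) + 1) return EINVAL;` as the first check after `sss_packet_get_body()` closes that. `nss_protocol_parse_svc_name` has the same class of problem: when the body holds a single string, the first loop stops on the final byte and the second loop's `body[i + 1]` starts one byte beyond it. `nss_protocol_parse_name`, `_svc_name`, `_svc_port`, `_cert` and `_sid` also index `body[blen - 1]` with no `blen == 0` check, which wraps unless `sss_packet_get_body()` or the command dispatcher guarantees a non-empty body (not visible in this hunk). The fence shows a bounded version of the service-name length computation; treating a missing protocol string as "no protocol" is an assumption, and returning EINVAL there is the stricter choice.

```c
    /* … unchanged: pctx lookup and sss_packet_get_body() … */

    /* An empty body has no last byte to test. */
    if (blen == 0 || body[blen - 1] != '\0') {
        DEBUG(SSSDBG_CRIT_FAILURE, "Body is not null terminated\n");
        return EINVAL;
    }

    /* The terminator check above guarantees memchr() finds a NUL. */
    name_len = (uint8_t *)memchr(body, '\0', blen) - body;
    if (name_len == 0) {
        return EINVAL;
    }

    /* Look for the protocol only if bytes remain after the name's NUL;
     * the final NUL then bounds the second string as well. */
    protocol_len = 0;
    if (name_len + 1 < blen) {
        protocol_len = strlen((const char *)body + name_len + 1);
    }

    /* … unchanged: name/protocol assignment and UTF-8 checks … */
```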
@@ -0,0 +1,204 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _NSS_PROTOCOL_H_
+#define _NSS_PROTOCOL_H_
+
+#include
+
+#include "util/util.h"
+#include "responder/common/responder.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/cache_req/cache_req.h"
+#include "responder/nss/nss_private.h"
+#include "sss_client/idmap/sss_nss_idmap.h"
+
+struct nss_cmd_ctx;
+
+/**
+ * Fill SSSD response packet.
+ *
+ * @return EOK If packet is successfully created and should be sent to client.
+ * @return Other errno code on error, an error reply will be sent to client.
+ */
+typedef errno_t
+(*nss_protocol_fill_packet_fn)(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+struct nss_cmd_ctx {
+ enum cache_req_type type;
+ struct cli_ctx *cli_ctx;
+ struct nss_ctx *nss_ctx;
+ struct nss_state_ctx *state_ctx;
+ nss_protocol_fill_packet_fn fill_fn;
+ uint32_t flags;
+
+ /* For initgroups- */
+ const char *rawname;
+
+ /* For enumeration. */
+ bool enumeration;
+ struct nss_enum_ctx *enum_ctx;
+ struct nss_enum_index *enum_index;
+ uint32_t enum_limit;
+
+ /* For services. */
+ const char *svc_protocol;
+
+ /* For SID lookups. */
+ enum sss_id_type sid_id_type;
+};
+
+/**
+ * If error is EOK, send existing reply packet to the client.
+ * If error is ENOENT, create and send empty response.
+ * On other error code, create and send an error.
+ */
+errno_t nss_protocol_done(struct cli_ctx *cli_ctx, errno_t error);
+
+/**
+ * Create and send SSSD response packet to the client.
+ */
+void nss_protocol_reply(struct cli_ctx *cli_ctx,
+ struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct cache_req_result *result,
+ nss_protocol_fill_packet_fn fill_fn);
+
+/* Parse input packet. */
+
+errno_t
+nss_protocol_parse_name(struct cli_ctx *cli_ctx, const char **_rawname);
+
+errno_t
+nss_protocol_parse_name_ex(struct cli_ctx *cli_ctx, const char **_rawname,
+ uint32_t *_flags);
+
+errno_t
+nss_protocol_parse_id(struct cli_ctx *cli_ctx, uint32_t *_id);
+
+errno_t
+nss_protocol_parse_id_ex(struct cli_ctx *cli_ctx, uint32_t *_id,
+ uint32_t *_flags);
+
+errno_t
+nss_protocol_parse_limit(struct cli_ctx *cli_ctx, uint32_t *_limit);
+
+errno_t
+nss_protocol_parse_svc_name(struct cli_ctx *cli_ctx,
+ const char **_name,
+ const char **_protocol);
+
+errno_t
+nss_protocol_parse_svc_port(struct cli_ctx *cli_ctx,
+ uint16_t *_port,
+ const char **_protocol);
+
+errno_t
+nss_protocol_parse_cert(struct cli_ctx *cli_ctx,
+ const char **_derb64);
+
+errno_t
+nss_protocol_parse_sid(struct cli_ctx *cli_ctx,
+ const char **_sid);
+
+/* Create response packet. */
+
+errno_t
+nss_protocol_fill_pwent(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_grent(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_initgr(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_setnetgrent(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_svcent(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_sid(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_orig(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_name(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_single_name(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_name_list(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+errno_t
+nss_protocol_fill_name_list_all_domains(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result **results);
+
+errno_t
+nss_protocol_fill_id(struct nss_ctx *nss_ctx,
+ struct nss_cmd_ctx *cmd_ctx,
+ struct sss_packet *packet,
+ struct cache_req_result *result);
+
+#endif /* _NSS_PROTOCOL_H_ */
diff --git a/src/responder/nss/nss_protocol_grent.c b/src/responder/nss/nss_protocol_grent.c
new file mode 100644
index 0000000..59cdd80
--- /dev/null
+++ b/src/responder/nss/nss_protocol_grent.c
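Review bot: The `nss_protocol_parse_*` declarations under "Parse input packet." carry no documentation, although the implementations in nss_protocol.c hand back pointers that alias the request packet body rather than copies (`rawname = (const char *)body; *_rawname = rawname;`). A comment above that group should say so, for example `/* Returned strings point into the request body; nothing is allocated and the caller must not free them. */`, and presumably that they stay valid only as long as the request packet does, which this header does not show. It is also worth stating that `_protocol` is set to NULL when the client sent an empty protocol string, since callers have to handle that case.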
@@ -0,0 +1,416 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/nss/nss_protocol.h" + +static errno_t +nss_get_grent(TALLOC_CTX *mem_ctx, + struct nss_ctx *nss_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + uint32_t *_gid, + struct sized_string **_name) +{ + const char *name; + uint32_t gid; + errno_t ret; + + /* Check object class. */ + if (!ldb_msg_check_string_attribute(msg, SYSDB_OBJECTCATEGORY, + SYSDB_GROUP_CLASS)) { + DEBUG(SSSDBG_MINOR_FAILURE, "Wrong object (%s) found on stack!\n", + ldb_dn_get_linearized(msg->dn)); + return ERR_INTERNAL; + } + + /* Get fields. */ + name = sss_get_name_from_msg(domain, msg); + gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, 0); + + if (name == NULL || gid == 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Incomplete group object for %s[%u]! Skipping\n", + name ? name : "", gid); + return EINVAL; + } + + /* Convert to sized strings. 
*/ + ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sized_output_name failed, skipping [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + *_gid = gid; + + return EOK; +} + +static struct ldb_message_element * +nss_get_group_members(struct sss_domain_info *domain, + struct ldb_message *msg) +{ + struct ldb_message_element *el; + + if (domain->ignore_group_members) { + return NULL; + } + + /* Unconditionally prefer OVERRIDE_PREFIX SYSDB_MEMBERUID, it + * might contain override names from the default view. */ + el = ldb_msg_find_element(msg, OVERRIDE_PREFIX SYSDB_MEMBERUID); + if (el == NULL) { + el = ldb_msg_find_element(msg, SYSDB_MEMBERUID); + } + + return el; +} + +static struct ldb_message_element * +nss_get_group_ghosts(struct sss_domain_info *domain, + struct ldb_message *msg, + const char *group_name) +{ + struct ldb_message_element *el; + + if (domain->ignore_group_members) { + return NULL; + } + + el = ldb_msg_find_element(msg, SYSDB_GHOST); + if (el == NULL) { + return NULL; + } + + if (DOM_HAS_VIEWS(domain) && !is_local_view(domain->view_name) + && el->num_values != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Domain has a view [%s] but group [%s] still has " + "ghost members.\n", domain->view_name, group_name); + return NULL; + } + + return el; +} + +static errno_t +nss_protocol_fill_members(struct sss_packet *packet, + struct nss_ctx *nss_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + const char *group_name, + size_t *_rp, + uint32_t *_num_members) +{ + TALLOC_CTX *tmp_ctx; + struct resp_ctx *rctx = nss_ctx->rctx; + struct ldb_message_element *members[2]; + struct ldb_message_element *el; + struct sized_string *name; + const char *member_name; + uint32_t num_members; + size_t body_len; + uint8_t *body; + errno_t ret; + int i, j; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + members[0] = nss_get_group_members(domain, msg); 
+ members[1] = nss_get_group_ghosts(domain, msg, group_name); + + sss_packet_get_body(packet, &body, &body_len); + + num_members = 0; + for (i = 0; i < sizeof(members) / sizeof(members[0]); i++) { + el = members[i]; + if (el == NULL) { + continue; + } + + for (j = 0; j < el->num_values; j++) { + member_name = (const char *)el->values[j].data; + + if (nss_ctx->filter_users_in_groups) { + ret = sss_ncache_check_user(rctx->ncache, domain, member_name); + if (ret == EEXIST) { + DEBUG(SSSDBG_TRACE_FUNC, + "Group [%s] member [%s] filtered out! " + "(negative cache)\n", group_name, member_name); + continue; + } + } + + ret = sized_domain_name(tmp_ctx, rctx, member_name, &name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to get sized name [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = sss_packet_grow(packet, name->len); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_SET_STRING(&body[*_rp], name->str, name->len, _rp); + + num_members++; + } + } + + ret = EOK; + +done: + *_num_members = num_members; + talloc_free(tmp_ctx); + + return ret; +} + +errno_t +nss_protocol_fill_grent(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message *msg; + struct sized_string *name; + struct sized_string pwfield; + uint32_t gid; + uint32_t num_results; + uint32_t num_members; + char *members; + size_t members_size; + size_t rp; + size_t rp_members; + size_t rp_num_members; + size_t body_len; + uint8_t *body; + int i; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* First two fields (length and reserved), filled up later. 
*/ + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); + if (ret != EOK) { + return ret; + } + + rp = 2 * sizeof(uint32_t); + + num_results = 0; + for (i = 0; i < result->count; i++) { + talloc_free_children(tmp_ctx); + msg = result->msgs[i]; + + /* Password field content. */ + to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain)); + + ret = nss_get_grent(tmp_ctx, nss_ctx, result->domain, msg, + &gid, &name); + if (ret != EOK) { + continue; + } + + /* Adjust packet size: gid, num_members + string fields. */ + + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t) + + name->len + pwfield.len); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + + /* Fill packet. */ + + SAFEALIGN_SET_UINT32(&body[rp], gid, &rp); + + /* Remember pointer to number of members field. */ + rp_num_members = rp; + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); + SAFEALIGN_SET_STRING(&body[rp], name->str, name->len, &rp); + SAFEALIGN_SET_STRING(&body[rp], pwfield.str, pwfield.len, &rp); + rp_members = rp; + + /* Fill members. */ + ret = nss_protocol_fill_members(packet, nss_ctx, result->domain, msg, + name->str, &rp, &num_members); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_SET_UINT32(&body[rp_num_members], num_members, NULL); + + num_results++; + + /* Do not store entry in memory cache during enumeration or when + * requested. 
*/ + if (!cmd_ctx->enumeration + && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) { + members = (char *)&body[rp_members]; + members_size = body_len - rp_members; + ret = sss_mmap_cache_gr_store(&nss_ctx->grp_mc_ctx, name, &pwfield, + gid, num_members, members, + members_size); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store group %s (%s) in mem-cache [%d]: %s!\n", + name->str, result->domain->name, ret, sss_strerror(ret)); + } + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + sss_packet_set_size(packet, 0); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_COPY_UINT32(body, &num_results, NULL); + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); /* reserved */ + + return EOK; +} + +errno_t +nss_protocol_fill_initgr(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + struct sss_domain_info *domain; + struct ldb_message *user; + struct ldb_message *msg; + const char *posix; + struct sized_string rawname; + struct sized_string unique_name; + uint32_t num_results; + uint8_t *body; + size_t body_len; + size_t rp; + gid_t gid; + gid_t orig_gid; + errno_t ret; + int i; + + if (result->count == 0) { + return ENOENT; + } + + domain = result->domain; + + /* num_results, reserved + gids */ + ret = sss_packet_grow(packet, (2 + result->count) * sizeof(uint32_t)); + if (ret != EOK) { + return ret; + } + sss_packet_get_body(packet, &body, &body_len); + rp = 2 * sizeof(uint32_t); + + user = result->msgs[0]; + gid = sss_view_ldb_msg_find_attr_as_uint64(domain, user, SYSDB_GIDNUM, 0); + orig_gid = sss_view_ldb_msg_find_attr_as_uint64(domain, user, + SYSDB_PRIMARY_GROUP_GIDNUM, + 0); + + /* If the GID of the original primary group is available but equal to the + * current primary GID it must not be added. */ + orig_gid = orig_gid == gid ? 0 : orig_gid; + + /* First message is user, skip it. 
*/ + num_results = 0; + for (i = 1; i < result->count; i++) { + msg = result->msgs[i]; + gid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_GIDNUM, + 0); + posix = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL); + + if (gid == 0) { + if (posix != NULL && strcmp(posix, "FALSE") == 0) { + continue; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Incomplete group object [%s] for initgroups! " + "Skipping.\n", ldb_dn_get_linearized(msg->dn)); + continue; + } + } + + SAFEALIGN_COPY_UINT32(&body[rp], &gid, &rp); + num_results++; + + /* Do not add the GID of the original primary group if the user is + * already an explicit member of the group. */ + if (orig_gid == gid) { + orig_gid = 0; + } + } + + if (orig_gid == 0) { + /* Initialize allocated memory to be safe and make Valgrind happy. */ + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); + } else { + /* Insert original primary group into the result. */ + SAFEALIGN_COPY_UINT32(&body[rp], &orig_gid, &rp); + num_results++; + } + + if (nss_ctx->initgr_mc_ctx + && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) { + to_sized_string(&rawname, cmd_ctx->rawname); + to_sized_string(&unique_name, result->lookup_name); + + ret = sss_mmap_cache_initgr_store(&nss_ctx->initgr_mc_ctx, &rawname, + &unique_name, num_results, + body + 2 * sizeof(uint32_t)); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store initgroups %s (%s) in mem-cache [%d]: %s!\n", + rawname.str, domain->name, ret, sss_strerror(ret)); + sss_packet_set_size(packet, 0); + return ret; + } + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_COPY_UINT32(body, &num_results, NULL); + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); /* reserved */ + + return EOK; +} diff --git a/src/responder/nss/nss_protocol_netgr.c b/src/responder/nss/nss_protocol_netgr.c new file mode 100644 index 0000000..575171d --- /dev/null +++ b/src/responder/nss/nss_protocol_netgr.c 
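Review bot: In `nss_protocol_fill_initgr` the packet is grown for `2 + result->count` words up front, but every group skipped in the loop (`gid == 0`) leaves one trailing word that is never written, and only a single spare slot is zeroed afterwards. Unless `sss_packet_grow()` zero-fills (not visible here), those words are part of the reply body as uninitialised memory; clearing the tail once the original-primary-group slot has been written, e.g. `memset(&body[rp], 0, body_len - rp);`, avoids that. Separately, `nss_protocol_fill_grent` returns straight out when its first `sss_packet_grow()` fails, which leaks `tmp_ctx`; that `return ret;` should be `goto done;` so the context is freed.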
@@ -0,0 +1,210 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "db/sysdb.h" +#include "db/sysdb_services.h" +#include "responder/nss/nss_protocol.h" + +static errno_t +nss_protocol_fill_netgr_triple(struct sss_packet *packet, + struct sysdb_netgroup_ctx *entry, + size_t *_rp) +{ + struct sized_string host; + struct sized_string user; + struct sized_string domain; + size_t body_len; + uint8_t *body; + errno_t ret; + + to_sized_string(&host, entry->value.triple.hostname); + to_sized_string(&user, entry->value.triple.username); + to_sized_string(&domain, entry->value.triple.domainname); + + if (host.len == 0) { + host.len = 1; + host.str = ""; + } + + if (user.len == 0) { + user.len = 1; + user.str = ""; + } + + if (domain.len == 0) { + domain.len = 1; + domain.str = ""; + } + + ret = sss_packet_grow(packet, sizeof(uint32_t) + + host.len + user.len + domain.len); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to grow packet!\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[*_rp], SSS_NETGR_REP_TRIPLE, _rp); + SAFEALIGN_SET_STRING(&body[*_rp], host.str, host.len, _rp); + SAFEALIGN_SET_STRING(&body[*_rp], user.str, user.len, _rp); + SAFEALIGN_SET_STRING(&body[*_rp], domain.str, domain.len, _rp); + + return EOK; +} + +static errno_t +nss_protocol_fill_netgr_member(struct sss_packet 
*packet, + struct sysdb_netgroup_ctx *entry, + size_t *_rp) +{ + struct sized_string group; + size_t body_len; + uint8_t *body; + errno_t ret; + + if (entry->value.groupname == NULL || entry->value.groupname[0] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Empty netgroup member!\n"); + return EINVAL; + } + + to_sized_string(&group, entry->value.groupname); + + ret = sss_packet_grow(packet, sizeof(uint32_t) + group.len); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to grow packet!\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[*_rp], SSS_NETGR_REP_GROUP, _rp); + SAFEALIGN_SET_STRING(&body[*_rp], group.str, group.len, _rp); + + return EOK; +} + +errno_t +nss_protocol_fill_netgrent(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + struct sysdb_netgroup_ctx **entries; + struct sysdb_netgroup_ctx *entry; + struct nss_enum_index *idx; + uint32_t num_results; + size_t rp; + size_t body_len; + uint8_t *body; + errno_t ret; + unsigned int start; + + idx = cmd_ctx->enum_index; + entries = cmd_ctx->enum_ctx->netgroup; + + if (idx->result > cmd_ctx->enum_ctx->netgroup_count) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unconsistent state while processing netgroups.\n"); + ret = EINVAL; + goto done; + } + + /* First two fields (length and reserved), filled up later. */ + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); + if (ret != EOK) { + return ret; + } + + rp = 2 * sizeof(uint32_t); + + if (entries == NULL) { + num_results = 0; + ret = EOK; + goto done; + } + + num_results = 0; + start = idx->result; + for (; entries[idx->result] != NULL; idx->result++) { + if ((idx->result - start) >= cmd_ctx->enum_limit) { + /* We have reached result limit. 
*/ + break; + } + + entry = entries[idx->result]; + + switch (entry->type) { + case SYSDB_NETGROUP_TRIPLE_VAL: + ret = nss_protocol_fill_netgr_triple(packet, entry, &rp); + break; + case SYSDB_NETGROUP_GROUP_VAL: + ret = nss_protocol_fill_netgr_member(packet, entry, &rp); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected value type!\n"); + ret = ERR_INTERNAL; + break; + } + + if (ret != EOK) { + goto done; + } + + num_results++; + } + + ret = EOK; + +done: + if (ret != EOK) { + sss_packet_set_size(packet, 0); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_COPY_UINT32(body, &num_results, NULL); + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); /* reserved */ + + return EOK; +} + +errno_t +nss_protocol_fill_setnetgrent(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + size_t body_len; + uint8_t *body; + errno_t ret; + + /* Two fields (length and reserved). */ + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); + if (ret != EOK) { + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_SET_UINT32(body, 1, NULL); /* Netgroup was found. */ + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); /* reserved */ + + return EOK; +} diff --git a/src/responder/nss/nss_protocol_pwent.c b/src/responder/nss/nss_protocol_pwent.c new file mode 100644 index 0000000..af9e74f --- /dev/null +++ b/src/responder/nss/nss_protocol_pwent.c 
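Review bot: The entry loop in nss_protocol_fill_netgrent stops only on a NULL sentinel (`entries[idx->result] != NULL`), even though `cmd_ctx->enum_ctx->netgroup_count` is available and already used by the guard at the top of the function. That guard admits `idx->result == netgroup_count`, so the first read is in bounds only if the array has a terminating slot beyond the counted entries; how the array is built is not visible in this hunk. Bounding the loop by the count as well makes it independent of that assumption: `for (; idx->result < cmd_ctx->enum_ctx->netgroup_count && entries[idx->result] != NULL; idx->result++) {`. A one-line comment on the guard stating that the array is expected to be NULL-terminated would also help.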
@@ -0,0 +1,332 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/nss/nss_protocol.h" +#include "util/sss_nss.h" + +static uint32_t +nss_get_gid(struct sss_domain_info *domain, + struct ldb_message *msg) +{ + uint32_t gid; + + /* First, try to return overriden gid. */ + if (DOM_HAS_VIEWS(domain)) { + gid = ldb_msg_find_attr_as_uint64(msg, OVERRIDE_PREFIX SYSDB_GIDNUM, + 0); + if (gid != 0) { + return gid; + } + } + + /* Try to return domain gid override. */ + if (domain->override_gid != 0) { + return domain->override_gid; + } + + /* Return original gid. */ + return ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0); +} + +static const char * +nss_get_homedir_override(TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + struct nss_ctx *nctx, + struct sss_domain_info *dom, + struct sss_nss_homedir_ctx *homedir_ctx) +{ + const char *homedir; + + homedir = sss_view_ldb_msg_find_attr_as_string(dom, msg, SYSDB_HOMEDIR, + NULL); + homedir_ctx->original = homedir; + + /* Check to see which homedir_prefix to use. */ + if (dom->homedir_substr != NULL) { + homedir_ctx->config_homedir_substr = dom->homedir_substr; + } else if (nctx->homedir_substr != NULL) { + homedir_ctx->config_homedir_substr = nctx->homedir_substr; + } + + /* Here we skip the files provider as it should always return *only* + * what's in the files and nothing else. 
+ */ + if (strcasecmp(dom->provider, "files") != 0) { + /* Check whether we are unconditionally overriding the server + * for home directory locations. + */ + if (dom->override_homedir) { + return expand_homedir_template(mem_ctx, dom->override_homedir, + dom->case_preserve, homedir_ctx); + } else if (nctx->override_homedir) { + return expand_homedir_template(mem_ctx, nctx->override_homedir, + dom->case_preserve, homedir_ctx); + } + } + + if (!homedir || *homedir == '\0') { + /* In the case of a NULL or empty homedir, check to see if + * we have a fallback homedir to use. + */ + if (dom->fallback_homedir) { + return expand_homedir_template(mem_ctx, dom->fallback_homedir, + dom->case_preserve, homedir_ctx); + } else if (nctx->fallback_homedir) { + return expand_homedir_template(mem_ctx, nctx->fallback_homedir, + dom->case_preserve, homedir_ctx); + } + } + + /* Provider can also return template, try to expand it.*/ + return expand_homedir_template(mem_ctx, homedir, + dom->case_preserve, homedir_ctx); +} + +static const char * +nss_get_homedir(TALLOC_CTX *mem_ctx, + struct nss_ctx *nss_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + const char *orig_name, + const char *upn, + uid_t uid) +{ + struct sss_nss_homedir_ctx hd_ctx = { 0 }; + const char *homedir; + + hd_ctx.username = orig_name; + hd_ctx.uid = uid; + hd_ctx.domain = domain->name; + hd_ctx.upn = upn; + + homedir = nss_get_homedir_override(mem_ctx, msg, nss_ctx, domain, &hd_ctx); + if (homedir == NULL) { + return "/"; + } + + return homedir; +} + +static errno_t +nss_get_shell(struct nss_ctx *nss_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + const char *name, + uint32_t uid, + const char **_shell) +{ + const char *shell = NULL; + + if (nss_ctx->rctx->sr_conf.scope == SESSION_RECORDING_SCOPE_ALL) { + shell = SESSION_RECORDING_SHELL; + } else if (nss_ctx->rctx->sr_conf.scope == + SESSION_RECORDING_SCOPE_SOME) { + const char *sr_enabled; + sr_enabled = 
ldb_msg_find_attr_as_string( + msg, SYSDB_SESSION_RECORDING, NULL); + if (sr_enabled == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "%s attribute not found for %s[%u]! Skipping\n", + SYSDB_SESSION_RECORDING, name, uid); + return EINVAL; + } else if (strcmp(sr_enabled, "TRUE") == 0) { + shell = SESSION_RECORDING_SHELL; + } else if (strcmp(sr_enabled, "FALSE") != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Skipping %s[%u] " + "because its %s attribute value is invalid: %s\n", + name, uid, SYSDB_SESSION_RECORDING, sr_enabled); + return EINVAL; + } + } + if (shell == NULL) { + shell = sss_resp_get_shell_override(msg, nss_ctx->rctx, domain); + } + + *_shell = shell; + return EOK; +} + +static errno_t +nss_get_pwent(TALLOC_CTX *mem_ctx, + struct nss_ctx *nss_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + uint32_t *_uid, + uint32_t *_gid, + struct sized_string **_name, + struct sized_string *_gecos, + struct sized_string *_homedir, + struct sized_string *_shell) +{ + const char *upn; + const char *name; + const char *gecos; + const char *homedir; + const char *shell; + uint32_t gid; + uint32_t uid; + errno_t ret; + + /* Get fields. */ + upn = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL); + name = sss_get_name_from_msg(domain, msg); + gid = nss_get_gid(domain, msg); + uid = sss_view_ldb_msg_find_attr_as_uint64(domain, msg, SYSDB_UIDNUM, 0); + + if (name == NULL || uid == 0 || gid == 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Incomplete user object for %s[%u]! Skipping\n", + name ? name : "", uid); + return EINVAL; + } + + gecos = sss_view_ldb_msg_find_attr_as_string(domain, msg, SYSDB_GECOS, + NULL); + homedir = nss_get_homedir(mem_ctx, nss_ctx, domain, msg, name, upn, uid); + ret = nss_get_shell(nss_ctx, domain, msg, name, uid, &shell); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "failed retrieving shell for %s[%u], skipping [%d]: %s\n", + name, uid, ret, sss_strerror(ret)); + return ret; + } + + /* Convert to sized strings. 
*/ + ret = sized_output_name(mem_ctx, nss_ctx->rctx, name, domain, _name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sized_output_name failed, skipping [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + to_sized_string(_gecos, gecos == NULL ? "" : gecos); + to_sized_string(_shell, shell); + to_sized_string(_homedir, homedir); + + *_gid = gid; + *_uid = uid; + + return EOK; +} + +errno_t +nss_protocol_fill_pwent(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message *msg; + struct sized_string pwfield; + struct sized_string *name; + struct sized_string gecos; + struct sized_string homedir; + struct sized_string shell; + uint32_t gid; + uint32_t uid; + uint32_t num_results; + size_t rp; + size_t body_len; + uint8_t *body; + int i; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* First two fields (length and reserved), filled up later. */ + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); + if (ret != EOK) { + return ret; + } + + rp = 2 * sizeof(uint32_t); + + num_results = 0; + for (i = 0; i < result->count; i++) { + talloc_free_children(tmp_ctx); + msg = result->msgs[i]; + + /* Password field content. */ + to_sized_string(&pwfield, nss_get_pwfield(nss_ctx, result->domain)); + + ret = nss_get_pwent(tmp_ctx, nss_ctx, result->domain, msg, &uid, &gid, + &name, &gecos, &homedir, &shell); + if (ret != EOK) { + continue; + } + + /* Adjust packet size: uid, gid + string fields. */ + + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t) + + name->len + gecos.len + homedir.len + + shell.len + pwfield.len); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + + /* Fill packet. 
*/ + + SAFEALIGN_SET_UINT32(&body[rp], uid, &rp); + SAFEALIGN_SET_UINT32(&body[rp], gid, &rp); + SAFEALIGN_SET_STRING(&body[rp], name->str, name->len, &rp); + SAFEALIGN_SET_STRING(&body[rp], pwfield.str, pwfield.len, &rp); + SAFEALIGN_SET_STRING(&body[rp], gecos.str, gecos.len, &rp); + SAFEALIGN_SET_STRING(&body[rp], homedir.str, homedir.len, &rp); + SAFEALIGN_SET_STRING(&body[rp], shell.str, shell.len, &rp); + + num_results++; + + /* Do not store entry in memory cache during enumeration or when + * requested. */ + if (!cmd_ctx->enumeration + && (cmd_ctx->flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) == 0) { + ret = sss_mmap_cache_pw_store(&nss_ctx->pwd_mc_ctx, name, &pwfield, + uid, gid, &gecos, &homedir, &shell); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to store user %s (%s) in mmap cache [%d]: %s!\n", + name->str, result->domain->name, ret, sss_strerror(ret)); + } + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + sss_packet_set_size(packet, 0); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_COPY_UINT32(body, &num_results, NULL); + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); /* reserved */ + + return EOK; +} diff --git a/src/responder/nss/nss_protocol_sid.c b/src/responder/nss/nss_protocol_sid.c new file mode 100644 index 0000000..3f60967 --- /dev/null +++ b/src/responder/nss/nss_protocol_sid.c 
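Review bot: In nss_protocol_fill_pwent the first `sss_packet_grow` failure does `return ret;` after `tmp_ctx = talloc_new(NULL)` has succeeded, so the temporary context is not freed on that path; it is parented to NULL, so nothing visible here would release it later. Replacing the return with `goto done;` reuses the existing cleanup, which frees `tmp_ctx` and resets the packet size before returning the error. The same pattern is in nss_protocol_fill_orig in nss_protocol_sid.c, where a failing `nss_get_id_type` returns directly after `talloc_new(NULL)`; `goto done;` applies there too. In a long-running responder a per-request leak on an error path accumulates.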
@@ -0,0 +1,641 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/crypto/sss_crypto.h" +#include "responder/nss/nss_protocol.h" + +static errno_t +find_sss_id_type(struct ldb_message *msg, + bool mpg, + enum sss_id_type *id_type) +{ + size_t c; + struct ldb_message_element *el; + struct ldb_val *val = NULL; + + el = ldb_msg_find_element(msg, SYSDB_OBJECTCATEGORY); + if (el == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Objectcategory attribute not found.\n"); + return EINVAL; + } + + for (c = 0; c < el->num_values; c++) { + val = &(el->values[c]); + if (strncasecmp(SYSDB_USER_CLASS, + (char *)val->data, val->length) == 0) { + break; + } + } + + if (c == el->num_values) { + *id_type = SSS_ID_TYPE_GID; + } else { + if (mpg) { + *id_type = SSS_ID_TYPE_BOTH; + } else { + *id_type = SSS_ID_TYPE_UID; + } + } + + return EOK; +} + +static errno_t +nss_get_id_type(struct nss_cmd_ctx *cmd_ctx, + struct cache_req_result *result, + enum sss_id_type *_type) +{ + errno_t ret; + + if (cmd_ctx->sid_id_type != SSS_ID_TYPE_NOT_SPECIFIED) { + *_type = cmd_ctx->sid_id_type; + return EOK; + } + + /* Well known objects are always groups. 
*/ + if (result->well_known_object) { + *_type = SSS_ID_TYPE_GID; + return EOK; + } + + ret = find_sss_id_type(result->msgs[0], result->domain->mpg, _type); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to find ID type [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +errno_t +nss_protocol_fill_sid(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + struct ldb_message *msg = result->msgs[0]; + struct sized_string sz_sid; + enum sss_id_type id_type; + const char *sid; + size_t rp = 0; + size_t body_len; + uint8_t *body; + errno_t ret; + + ret = nss_get_id_type(cmd_ctx, result, &id_type); + if (ret != EOK) { + return ret; + } + + sid = ldb_msg_find_attr_as_string(msg, SYSDB_SID_STR, NULL); + if (sid == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing SID.\n"); + return EINVAL; + } + + to_sized_string(&sz_sid, sid); + + ret = sss_packet_grow(packet, sz_sid.len + 3 * sizeof(uint32_t)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[rp], 1, &rp); /* Num results. */ + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. 
*/ + SAFEALIGN_SET_UINT32(&body[rp], id_type, &rp); + SAFEALIGN_SET_STRING(&body[rp], sz_sid.str, sz_sid.len, &rp); + + return EOK; +} + +static errno_t process_attr_list(TALLOC_CTX *mem_ctx, struct ldb_message *msg, + const char **attr_list, + struct sized_string **_keys, + struct sized_string **_vals, + size_t *array_size, size_t *sum, + size_t *found) +{ + size_t c; + size_t d; + struct sized_string *keys; + struct sized_string *vals; + struct ldb_val val; + struct ldb_message_element *el; + bool use_base64; + + keys = *_keys; + vals = *_vals; + + for (c = 0; attr_list[c] != NULL; c++) { + el = ldb_msg_find_element(msg, attr_list[c]); + if (el != NULL && el->num_values > 0) { + if (el->num_values > 1) { + *array_size += el->num_values; + keys = talloc_realloc(mem_ctx, keys, struct sized_string, + *array_size); + vals = talloc_realloc(mem_ctx, vals, struct sized_string, + *array_size); + if (keys == NULL || vals == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + return ENOMEM; + } + } + + use_base64 = false; + if (strcmp(attr_list[c], SYSDB_USER_CERT) == 0) { + use_base64 = true; + } + + for (d = 0; d < el->num_values; d++) { + to_sized_string(&keys[*found], attr_list[c]); + *sum += keys[*found].len; + if (use_base64) { + val.data = (uint8_t *)sss_base64_encode(vals, + el->values[d].data, + el->values[d].length); + if (val.data != NULL) { + val.length = strlen((char *)val.data); + } + } else { + val = el->values[d]; + } + + if (val.data == NULL || val.data[val.length] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unexpected attribute value found for [%s].\n", + attr_list[c]); + return EINVAL; + } + to_sized_string(&vals[*found], (const char *)val.data); + *sum += vals[*found].len; + + (*found)++; + } + } + } + + *_keys = keys; + *_vals = vals; + + return EOK; +} + +errno_t +nss_protocol_fill_orig(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + TALLOC_CTX *tmp_ctx; + struct 
ldb_message *msg = result->msgs[0]; + const char **extra_attrs = NULL; + enum sss_id_type id_type; + struct sized_string *keys; + struct sized_string *vals; + size_t extra_attrs_count = 0; + size_t array_size; + size_t sum; + size_t found; + size_t i; + size_t rp = 0; + size_t body_len; + uint8_t *body; + errno_t ret; + const char *orig_attrs[] = { SYSDB_SID_STR, + ORIGINALAD_PREFIX SYSDB_NAME, + ORIGINALAD_PREFIX SYSDB_UIDNUM, + ORIGINALAD_PREFIX SYSDB_GIDNUM, + ORIGINALAD_PREFIX SYSDB_HOMEDIR, + ORIGINALAD_PREFIX SYSDB_GECOS, + ORIGINALAD_PREFIX SYSDB_SHELL, + SYSDB_UPN, + SYSDB_DEFAULT_OVERRIDE_NAME, + SYSDB_AD_ACCOUNT_EXPIRES, + SYSDB_AD_USER_ACCOUNT_CONTROL, + SYSDB_SSH_PUBKEY, + SYSDB_USER_CERT, + SYSDB_USER_EMAIL, + SYSDB_ORIG_DN, + SYSDB_ORIG_MEMBEROF, + NULL }; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = nss_get_id_type(cmd_ctx, result, &id_type); + if (ret != EOK) { + return ret; + } + + if (nss_ctx->extra_attributes != NULL) { + extra_attrs = nss_ctx->extra_attributes; + for (extra_attrs_count = 0; + extra_attrs[extra_attrs_count] != NULL; + extra_attrs_count++); + } + + array_size = sizeof(orig_attrs) + extra_attrs_count; + keys = talloc_array(tmp_ctx, struct sized_string, array_size); + vals = talloc_array(tmp_ctx, struct sized_string, array_size); + if (keys == NULL || vals == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + + sum = 0; + found = 0; + + ret = process_attr_list(tmp_ctx, msg, orig_attrs, &keys, &vals, + &array_size, &sum, &found); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "process_attr_list failed.\n"); + goto done; + } + + if (extra_attrs_count != 0) { + ret = process_attr_list(tmp_ctx, msg, extra_attrs, &keys, &vals, + &array_size, &sum, &found); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "process_attr_list failed.\n"); + goto done; + } + } + + ret = sss_packet_grow(packet, sum + 3 * sizeof(uint32_t)); + if (ret != EOK) { + 
DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_SETMEM_UINT32(&body[rp], 1, &rp); /* Num results */ + SAFEALIGN_SETMEM_UINT32(&body[rp], 0, &rp); /* reserved */ + SAFEALIGN_COPY_UINT32(&body[rp], &id_type, &rp); + for (i = 0; i < found; i++) { + SAFEALIGN_SET_STRING(&body[rp], keys[i].str, keys[i].len, &rp); + SAFEALIGN_SET_STRING(&body[rp], vals[i].str, vals[i].len, &rp); + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +nss_get_well_known_name(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct cache_req_result *result, + struct sized_string **_sz_name) +{ + struct sized_string *sz_name; + const char *fq_name = NULL; + const char *domname; + const char *name; + + name = result->lookup_name; + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing name.\n"); + return EINVAL; + } + + sz_name = talloc_zero(mem_ctx, struct sized_string); + if (sz_name == NULL) { + return ENOMEM; + } + + domname = result->domain != NULL + ? 
result->domain->name + : result->well_known_domain; + + if (domname != NULL) { + fq_name = sss_tc_fqname2(sz_name, rctx->global_names, + domname, domname, name); + if (fq_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Conversion to fqname failed.\n"); + talloc_free(sz_name); + return ENOMEM; + } + + name = fq_name; + } + + to_sized_string(sz_name, name); + + *_sz_name = sz_name; + + return EOK; +} + +static errno_t +nss_get_ad_name(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct cache_req_result *result, + struct sized_string **_sz_name) +{ + struct ldb_message *msg = result->msgs[0]; + const char *name; + errno_t ret; + + if (result->well_known_object) { + return nss_get_well_known_name(mem_ctx, rctx, result, _sz_name); + } + + name = ldb_msg_find_attr_as_string(msg, ORIGINALAD_PREFIX SYSDB_NAME, + NULL); + if (name == NULL) { + name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + } + + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing name.\n"); + return EINVAL; + } + + ret = sized_output_name(mem_ctx, rctx, name, result->domain, _sz_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Unable to create sized name [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +errno_t +nss_protocol_fill_single_name(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + if (result->ldb_result->count > 1) { + DEBUG(SSSDBG_TRACE_FUNC, "Lookup returned more than one result " + "but only one was expected.\n"); + return EEXIST; + } + + return nss_protocol_fill_name(nss_ctx, cmd_ctx, packet, result); +} + +errno_t +nss_protocol_fill_name(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + struct sized_string *sz_name; + enum sss_id_type id_type; + size_t rp = 0; + size_t body_len; + uint8_t *body; + errno_t ret; + + ret = nss_get_id_type(cmd_ctx, result, &id_type); + if (ret != EOK) { + 
return ret; + } + + ret = nss_get_ad_name(cmd_ctx, nss_ctx->rctx, result, &sz_name); + if (ret != EOK) { + return ret; + } + + ret = sss_packet_grow(packet, sz_name->len + 3 * sizeof(uint32_t)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + talloc_free(sz_name); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[rp], 1, &rp); /* Num results. */ + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. */ + SAFEALIGN_SET_UINT32(&body[rp], id_type, &rp); + SAFEALIGN_SET_STRING(&body[rp], sz_name->str, sz_name->len, &rp); + + talloc_free(sz_name); + + return EOK; +} + +errno_t +nss_protocol_fill_id(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + struct ldb_message *msg = result->msgs[0]; + enum sss_id_type id_type; + uint64_t id64; + uint32_t id; + size_t rp = 0; + size_t body_len; + uint8_t *body; + errno_t ret; + + if (result->ldb_result == NULL) { + /* This was a well known SID. This is currently unsupported with id. */ + return EINVAL; + } + + ret = nss_get_id_type(cmd_ctx, result, &id_type); + if (ret != EOK) { + return ret; + } + + if (id_type == SSS_ID_TYPE_GID) { + id64 = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0); + } else { + id64 = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0); + } + + if (id64 == 0 || id64 >= UINT32_MAX) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid POSIX ID.\n"); + return EINVAL; + } + + id = (uint32_t)id64; + + ret = sss_packet_grow(packet, 4 * sizeof(uint32_t)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[rp], 1, &rp); /* Num results. */ + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. 
*/ + SAFEALIGN_SET_UINT32(&body[rp], id_type, &rp); + SAFEALIGN_SET_UINT32(&body[rp], id, &rp); + + return EOK; +} + +errno_t +nss_protocol_fill_name_list(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + enum sss_id_type *id_types; + size_t rp = 0; + size_t body_len; + uint8_t *body; + errno_t ret; + struct sized_string *sz_names; + size_t len; + size_t c; + const char *tmp_str; + + sz_names = talloc_array(cmd_ctx, struct sized_string, result->count); + if (sz_names == NULL) { + return ENOMEM; + } + + id_types = talloc_array(cmd_ctx, enum sss_id_type, result->count); + if (id_types == NULL) { + return ENOMEM; + } + + len = 0; + for (c = 0; c < result->count; c++) { + ret = nss_get_id_type(cmd_ctx, result, &(id_types[c])); + if (ret != EOK) { + return ret; + } + + tmp_str = sss_get_name_from_msg(result->domain, result->msgs[c]); + if (tmp_str == NULL) { + return EINVAL; + } + to_sized_string(&(sz_names[c]), tmp_str); + + len += sz_names[c].len; + } + + len += (2 + result->count) * sizeof(uint32_t); + + ret = sss_packet_grow(packet, len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[rp], result->count, &rp); /* Num results. */ + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. 
*/ + for (c = 0; c < result->count; c++) { + SAFEALIGN_SET_UINT32(&body[rp], id_types[c], &rp); + SAFEALIGN_SET_STRING(&body[rp], sz_names[c].str, sz_names[c].len, + &rp); + } + + return EOK; +} + +errno_t +nss_protocol_fill_name_list_all_domains(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result **results) +{ + enum sss_id_type *id_types; + size_t rp = 0; + size_t body_len; + uint8_t *body; + errno_t ret; + struct sized_string *sz_names; + size_t len; + size_t c; + const char *tmp_str; + size_t d; + size_t total = 0; + size_t iter = 0; + + if (results == NULL) { + return EINVAL; + } + + for (d = 0; results[d] != NULL; d++) { + total += results[d]->count; + } + + sz_names = talloc_array(cmd_ctx, struct sized_string, total); + if (sz_names == NULL) { + return ENOMEM; + } + + id_types = talloc_array(cmd_ctx, enum sss_id_type, total); + if (id_types == NULL) { + return ENOMEM; + } + + len = 0; + for (d = 0; results[d] != NULL; d++) { + for (c = 0; c < results[d]->count; c++) { + ret = nss_get_id_type(cmd_ctx, results[d], &(id_types[iter])); + if (ret != EOK) { + return ret; + } + + tmp_str = sss_get_name_from_msg(results[d]->domain, + results[d]->msgs[c]); + if (tmp_str == NULL) { + return EINVAL; + } + to_sized_string(&(sz_names[iter]), tmp_str); + + len += sz_names[iter].len; + iter++; + } + } + + len += (2 + total) * sizeof(uint32_t); + + ret = sss_packet_grow(packet, len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[rp], total, &rp); /* Num results. */ + SAFEALIGN_SET_UINT32(&body[rp], 0, &rp); /* Reserved. */ + for (c = 0; c < total; c++) { + SAFEALIGN_SET_UINT32(&body[rp], id_types[c], &rp); + SAFEALIGN_SET_STRING(&body[rp], sz_names[c].str, sz_names[c].len, + &rp); + } + + return EOK; +} 
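Review bot: nss_protocol_fill_name_list calls `nss_get_id_type(cmd_ctx, result, &(id_types[c]))` for every index, but nss_get_id_type only ever inspects `result->msgs[0]`, so when neither the `sid_id_type` nor the `well_known_object` shortcut applies, every name is sent with the first message's type. nss_protocol_fill_name_list_all_domains does the same per domain via `results[d]`. Classifying the message that is actually being packed, for example `ret = find_sss_id_type(result->msgs[c], result->domain->mpg, &id_types[c]);` once the shortcuts have been ruled out, keeps each type paired with its own name. Whether a single result can hold mixed object classes is not visible in this hunk, so this may be latent rather than observable today.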
diff --git a/src/responder/nss/nss_protocol_svcent.c b/src/responder/nss/nss_protocol_svcent.c new file mode 100644 index 0000000..a94f830 --- /dev/null +++ b/src/responder/nss/nss_protocol_svcent.c 
@@ -0,0 +1,270 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "db/sysdb.h" +#include "db/sysdb_services.h" +#include "responder/nss/nss_protocol.h" + +static errno_t +nss_get_svcent(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + const char *requested_protocol, + struct sized_string *_name, + struct sized_string *_protocol, + uint16_t *_port) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message_element *el; + const char *protocol; + const char *name; + uint16_t port; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* Get name. */ + name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + if (name == NULL) { + ret = ERR_INTERNAL; + goto done; + } + + name = sss_get_cased_name(tmp_ctx, name, domain->case_preserve); + if (name == NULL) { + ret = ENOMEM; + goto done; + } + + /* Get port. */ + port = (uint16_t)ldb_msg_find_attr_as_uint(msg, SYSDB_SVC_PORT, 0); + if (port == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "No port for service [%s]\n", name); + ret = EINVAL; + goto done; + } + + /* Get protocol. + * + * Use the requested protocol if present, otherwise take the + * first protocol returned by the sysdb. 
*/ + if (requested_protocol != NULL) { + protocol = requested_protocol; + } else { + el = ldb_msg_find_element(msg, SYSDB_SVC_PROTO); + if (el->num_values == 0) { + ret = EINVAL; + goto done; + } + + protocol = (const char *)el->values[0].data; + if (protocol == NULL) { + ret = ERR_INTERNAL; + goto done; + } + } + + protocol = sss_get_cased_name(tmp_ctx, protocol, domain->case_preserve); + if (protocol == NULL) { + ret = ENOMEM; + goto done; + } + + /* Set output variables. */ + + talloc_steal(mem_ctx, name); + talloc_steal(mem_ctx, protocol); + + to_sized_string(_name, name); + to_sized_string(_protocol, protocol); + *_port = port; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t +nss_get_svc_aliases(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg, + const char *name, + struct sized_string **_aliases, + uint32_t *_num_aliases) +{ + struct ldb_message_element *el; + struct sized_string *aliases = NULL; + uint32_t num_aliases; + const char *alias; + errno_t ret; + int i; + + el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); + if (el == NULL) { + *_num_aliases = 0; + *_aliases = NULL; + ret = EOK; + goto done; + } + + aliases = talloc_zero_array(mem_ctx, struct sized_string, + el->num_values + 1); + if (aliases == NULL) { + ret = ENOMEM; + goto done; + } + + num_aliases = 0; + for (i = 0; i < el->num_values; i++) { + alias = (const char *)el->values[i].data; + + if (sss_string_equal(domain->case_sensitive, alias, name)) { + continue; + } + + /* Element value remains in the message, we don't need to strdup it. 
*/ + to_sized_string(&aliases[num_aliases], alias); + num_aliases++; + } + + *_aliases = aliases; + *_num_aliases = num_aliases; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(aliases); + } + + return ret; +} + +errno_t +nss_protocol_fill_svcent(struct nss_ctx *nss_ctx, + struct nss_cmd_ctx *cmd_ctx, + struct sss_packet *packet, + struct cache_req_result *result) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message *msg; + struct sized_string name; + struct sized_string protocol; + struct sized_string *aliases; + uint32_t num_aliases; + uint16_t port; + uint32_t num_results; + size_t rp; + size_t body_len; + uint8_t *body; + int i; + int j; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* First two fields (length and reserved), filled up later. */ + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); + if (ret != EOK) { + return ret; + } + + rp = 2 * sizeof(uint32_t); + + num_results = 0; + for (i = 0; i < result->count; i++) { + talloc_free_children(tmp_ctx); + msg = result->msgs[i]; + + ret = nss_get_svcent(tmp_ctx, result->domain, msg, + cmd_ctx->svc_protocol, &name, &protocol, &port); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to get service information, skipping... [%d]: %s\n", + ret, sss_strerror(ret)); + continue; + } + + ret = nss_get_svc_aliases(tmp_ctx, result->domain, msg, name.str, + &aliases, &num_aliases); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Unable to get service aliases, skipping... [%d]: %s\n", + ret, sss_strerror(ret)); + continue; + } + + /* Adjust packet size. */ + + ret = sss_packet_grow(packet, 2 * sizeof(uint16_t) + sizeof(uint32_t) + + name.len + protocol.len); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + + /* Fill packet. 
*/ + + SAFEALIGN_SET_UINT32(&body[rp], (uint32_t)htons(port), &rp); + SAFEALIGN_SET_UINT32(&body[rp], num_aliases, &rp); + SAFEALIGN_SET_STRING(&body[rp], name.str, name.len, &rp); + SAFEALIGN_SET_STRING(&body[rp], protocol.str, protocol.len, &rp); + + /* Store aliases. */ + for (j = 0; j < num_aliases; j++) { + ret = sss_packet_grow(packet, aliases[j].len); + if (ret != EOK) { + goto done; + } + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_STRING(&body[rp], aliases[j].str, aliases[j].len, + &rp); + } + + num_results++; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + sss_packet_set_size(packet, 0); + return ret; + } + + sss_packet_get_body(packet, &body, &body_len); + SAFEALIGN_COPY_UINT32(body, &num_results, NULL); + SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), 0, NULL); /* reserved */ + + return EOK; +} diff --git a/src/responder/nss/nss_utils.c b/src/responder/nss/nss_utils.c new file mode 100644 index 0000000..b4950e5 --- /dev/null +++ b/src/responder/nss/nss_utils.c 
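Review bot: In nss_get_svcent() (nss_protocol_svcent.c) the result of `ldb_msg_find_element(msg, SYSDB_SVC_PROTO)` is dereferenced as `el->num_values` without a NULL check, so a cached service entry that lacks the protocol attribute would be a NULL dereference in the responder whenever no protocol was requested. nss_get_svc_aliases() in the same file does test `el == NULL` for its own lookup, so the guard here should read `if (el == NULL || el->num_values == 0) {`. Separately, nss_protocol_fill_svcent() returns directly when its first `sss_packet_grow()` call fails, which leaks the `tmp_ctx` created with `talloc_new(NULL)`; adding `talloc_free(tmp_ctx);` before that `return ret;` closes it.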
@@ -0,0 +1,38 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "util/util.h"
+#include "confdb/confdb.h"
+#include "responder/common/responder.h"
+#include "responder/nss/nss_private.h"
+
+const char *
+nss_get_pwfield(struct nss_ctx *nctx,
+ struct sss_domain_info *dom)
+{
+ if (dom->pwfield != NULL) {
+ return dom->pwfield;
+ }
+
+ return nctx->pwfield;
+}
diff --git a/src/responder/nss/nsssrv.c b/src/responder/nss/nsssrv.c
new file mode 100644
index 0000000..004e6c1
--- /dev/null
+++ b/src/responder/nss/nsssrv.c
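Review bot: nss_get_pwfield() in nss_utils.c has no comment stating the precedence it implements or who owns the returned string. A header such as `/* Return the domain's pwfield if set, otherwise the responder-wide nctx->pwfield; the pointer is borrowed, not copied. */` would make both explicit, since the function hands back the stored pointer directly. Both `dom` and `nctx` are dereferenced unconditionally, so the comment should also say that neither may be NULL.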
@@ -0,0 +1,486 @@ +/* + SSSD + + NSS Responder + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_ptr_hash.h" +#include "responder/nss/nss_private.h" +#include "responder/nss/nss_iface.h" +#include "responder/nss/nsssrv_mmap_cache.h" +#include "responder/common/negcache.h" +#include "db/sysdb.h" +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "responder/common/responder_packet.h" +#include "responder/common/responder.h" +#include "responder/common/responder_sbus.h" +#include "providers/data_provider.h" +#include "monitor/monitor_interfaces.h" +#include "sbus/sbus_client.h" +#include "util/util_sss_idmap.h" + +#define DEFAULT_PWFIELD "*" +#define DEFAULT_NSS_FD_LIMIT 8192 + +static int nss_clear_memcache(struct sbus_request *dbus_req, void *data); +static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *data); + +struct mon_cli_iface monitor_nss_methods = { + { &mon_cli_iface_meta, 0 }, + .resInit = monitor_common_res_init, + .goOffline = NULL, + .resetOffline = NULL, + .rotateLogs = responder_logrotate, + .clearMemcache = nss_clear_memcache, + .clearEnumCache = nss_clear_netgroup_hash_table, + .sysbusReconnect = NULL, +}; + +static int nss_clear_memcache(struct sbus_request 
*dbus_req, void *data) +{ + errno_t ret; + int memcache_timeout; + struct resp_ctx *rctx = talloc_get_type(data, struct resp_ctx); + struct nss_ctx *nctx = (struct nss_ctx*) rctx->pvt_ctx; + + ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG); + if (ret != 0) { + ret = errno; + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, + "CLEAR_MC_FLAG not found. Nothing to do.\n"); + goto done; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unlink file: %s.\n", + strerror(ret)); + return ret; + } + } + + /* CLEAR_MC_FLAG removed successfully. Clearing memory caches. */ + + ret = confdb_get_int(rctx->cdb, + CONFDB_NSS_CONF_ENTRY, + CONFDB_MEMCACHE_TIMEOUT, + 300, &memcache_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Unable to get memory cache entry timeout.\n"); + return ret; + } + + /* TODO: read cache sizes from configuration */ + DEBUG(SSSDBG_TRACE_FUNC, "Clearing memory caches.\n"); + ret = sss_mmap_cache_reinit(nctx, SSS_MC_CACHE_ELEMENTS, + (time_t) memcache_timeout, + &nctx->pwd_mc_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "passwd mmap cache invalidation failed\n"); + return ret; + } + + ret = sss_mmap_cache_reinit(nctx, SSS_MC_CACHE_ELEMENTS, + (time_t) memcache_timeout, + &nctx->grp_mc_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "group mmap cache invalidation failed\n"); + return ret; + } + + ret = sss_mmap_cache_reinit(nctx, SSS_MC_CACHE_ELEMENTS, + (time_t)memcache_timeout, + &nctx->initgr_mc_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "initgroups mmap cache invalidation failed\n"); + return ret; + } + +done: + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} + +static int nss_clear_netgroup_hash_table(struct sbus_request *dbus_req, void *data) +{ + struct resp_ctx *rctx; + struct nss_ctx *nss_ctx; + + rctx = talloc_get_type(data, struct resp_ctx); + nss_ctx = talloc_get_type(rctx->pvt_ctx, struct nss_ctx); + + DEBUG(SSSDBG_TRACE_FUNC, "Invalidating netgroup hash table\n"); + + 
sss_ptr_hash_delete_all(nss_ctx->netgrent, false); + + return sbus_request_return_and_finish(dbus_req, DBUS_TYPE_INVALID); +} + +static int nss_get_config(struct nss_ctx *nctx, + struct confdb_ctx *cdb) +{ + int ret; + char *tmp_str; + + ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_ENUM_CACHE_TIMEOUT, 120, + &nctx->enum_cache_timeout); + if (ret != EOK) goto done; + + ret = confdb_get_bool(cdb, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_FILTER_USERS_IN_GROUPS, true, + &nctx->filter_users_in_groups); + if (ret != EOK) goto done; + + ret = confdb_get_int(cdb, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_ENTRY_CACHE_NOWAIT_PERCENTAGE, 50, + &nctx->cache_refresh_percent); + if (ret != EOK) goto done; + if (nctx->cache_refresh_percent < 0 || + nctx->cache_refresh_percent > 99) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Configuration error: entry_cache_nowait_percentage is " + "invalid. Disabling feature.\n"); + nctx->cache_refresh_percent = 0; + } + + ret = sss_ncache_prepopulate(nctx->rctx->ncache, cdb, nctx->rctx); + if (ret != EOK) { + goto done; + } + + ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_PWFIELD, DEFAULT_PWFIELD, + &nctx->pwfield); + if (ret != EOK) goto done; + + ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_OVERRIDE_HOMEDIR, NULL, + &nctx->override_homedir); + if (ret != EOK) goto done; + + ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_FALLBACK_HOMEDIR, NULL, + &nctx->fallback_homedir); + if (ret != EOK) goto done; + + ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_HOMEDIR_SUBSTRING, + CONFDB_DEFAULT_HOMEDIR_SUBSTRING, + &nctx->homedir_substr); + if (ret != EOK) goto done; + + + ret = confdb_get_string(cdb, nctx, CONFDB_NSS_CONF_ENTRY, + CONFDB_IFP_USER_ATTR_LIST, NULL, &tmp_str); + if (ret != EOK) goto done; + + if (tmp_str == NULL) { + ret = confdb_get_string(cdb, nctx, CONFDB_IFP_CONF_ENTRY, + CONFDB_IFP_USER_ATTR_LIST, NULL, &tmp_str); + if (ret != EOK) goto 
done; + } + + if (tmp_str != NULL) { + nctx->extra_attributes = parse_attr_list_ex(nctx, tmp_str, NULL); + if (nctx->extra_attributes == NULL) { + ret = ENOMEM; + goto done; + } + } + + ret = 0; +done: + return ret; +} + +static void nss_dp_reconnect_init(struct sbus_connection *conn, + int status, void *pvt) +{ + struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn); + int ret; + + /* Did we reconnect successfully? */ + if (status == SBUS_RECONNECT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Reconnected to the Data Provider.\n"); + + /* Identify ourselves to the data provider */ + ret = rdp_register_client(be_conn, "NSS"); + /* all fine */ + if (ret == EOK) { + handle_requests_after_reconnect(be_conn->rctx); + return; + } + } + + /* Failed to reconnect */ + DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n", + be_conn->domain->name); + + /* FIXME: kill the frontend and let the monitor restart it? */ + /* nss_shutdown(rctx); */ +} + +static int setup_memcaches(struct nss_ctx *nctx) +{ + int ret; + int memcache_timeout; + + /* Remove the CLEAR_MC_FLAG file if exists. */ + ret = unlink(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG); + if (ret != 0 && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unlink file [%s]. This can cause memory cache to " + "be purged when next log rotation is requested. 
%d: %s\n", + SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG, ret, strerror(ret)); + } + + ret = confdb_get_int(nctx->rctx->cdb, + CONFDB_NSS_CONF_ENTRY, + CONFDB_MEMCACHE_TIMEOUT, + 300, &memcache_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get 'memcache_timeout' option from confdb.\n"); + return ret; + } + + if (memcache_timeout == 0) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Fast in-memory cache will not be initialized."); + return EOK; + } + + /* TODO: read cache sizes from configuration */ + ret = sss_mmap_cache_init(nctx, "passwd", SSS_MC_PASSWD, + SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, + &nctx->pwd_mc_ctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "passwd mmap cache is DISABLED\n"); + } + + ret = sss_mmap_cache_init(nctx, "group", SSS_MC_GROUP, + SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, + &nctx->grp_mc_ctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "group mmap cache is DISABLED\n"); + } + + ret = sss_mmap_cache_init(nctx, "initgroups", SSS_MC_INITGROUPS, + SSS_MC_CACHE_ELEMENTS, (time_t)memcache_timeout, + &nctx->initgr_mc_ctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "initgroups mmap cache is DISABLED\n"); + } + + return EOK; +} + +int nss_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb) +{ + struct resp_ctx *rctx; + struct sss_cmd_table *nss_cmds; + struct be_conn *iter; + struct nss_ctx *nctx; + int ret, max_retries; + enum idmap_error_code err; + int fd_limit; + + nss_cmds = get_nss_cmds(); + + ret = sss_process_init(mem_ctx, ev, cdb, + nss_cmds, + SSS_NSS_SOCKET_NAME, -1, NULL, -1, + CONFDB_NSS_CONF_ENTRY, + NSS_SBUS_SERVICE_NAME, + NSS_SBUS_SERVICE_VERSION, + &monitor_nss_methods, + "NSS", + nss_get_sbus_interface(), + nss_connection_setup, + &rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n"); + return ret; + } + + nctx = talloc_zero(rctx, struct nss_ctx); + if (!nctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing nss_ctx\n"); + ret 
= ENOMEM; + goto fail; + } + + nctx->rctx = rctx; + nctx->rctx->pvt_ctx = nctx; + + ret = nss_get_config(nctx, cdb); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting nss config\n"); + goto fail; + } + + /* Enable automatic reconnection to the Data Provider */ + ret = confdb_get_int(nctx->rctx->cdb, + CONFDB_NSS_CONF_ENTRY, + CONFDB_SERVICE_RECON_RETRIES, + 3, &max_retries); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up automatic reconnection\n"); + goto fail; + } + + for (iter = nctx->rctx->be_conns; iter; iter = iter->next) { + sbus_reconnect_init(iter->conn, max_retries, + nss_dp_reconnect_init, iter); + } + + err = sss_idmap_init(sss_idmap_talloc, nctx, sss_idmap_talloc_free, + &nctx->idmap_ctx); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_idmap_init failed.\n"); + ret = EFAULT; + goto fail; + } + + nctx->netgrent = sss_ptr_hash_create(nctx, NULL, NULL); + if (nctx->netgrent == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to initialize netgroups table!\n"); + ret = EFAULT; + goto fail; + } + + ret = setup_memcaches(nctx); + if (ret != EOK) { + goto fail; + } + + /* Set up file descriptor limits */ + ret = confdb_get_int(nctx->rctx->cdb, + CONFDB_NSS_CONF_ENTRY, + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_NSS_FD_LIMIT, + &fd_limit); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up file descriptor limit\n"); + goto fail; + } + responder_set_fd_limit(fd_limit); + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, nctx->rctx->ncache); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "NSS Initialization complete\n"); + + return EOK; + +fail: + talloc_free(rctx); + return ret; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + 
POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + umask(DFL_RSP_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = "sssd_nss"; + + sss_set_logger(opt_logger); + + ret = server_setup("sssd[nss]", 0, uid, gid, CONFDB_NSS_CONF_ENTRY, + &main_ctx); + if (ret != EOK) return 2; + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, + "Could not set up to exit when parent process does\n"); + } + + ret = nss_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx); + if (ret != EOK) return 3; + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} + diff --git a/src/responder/nss/nsssrv_mmap_cache.c b/src/responder/nss/nsssrv_mmap_cache.c new file mode 100644 index 0000000..de9e675 --- /dev/null +++ b/src/responder/nss/nsssrv_mmap_cache.c 
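Review bot: In main() of nsssrv.c, `uid` and `gid` are declared without initialisers and then passed by value to `server_setup("sssd[nss]", 0, uid, gid, ...)`; the only visible place that could assign them is the `SSSD_SERVER_OPTS(uid, gid)` entry in the option table, which presumably stores a value only when the matching command-line option is given. If that is the case, a start without those options passes indeterminate values into the call that receives the service's user and group ids. Initialising at the declaration removes the ambiguity, for example `uid_t uid = 0;` and `gid_t gid = 0;` if 0 is the "no override" value server_setup() expects; its definition is outside this hunk, so the default should be confirmed there. Minor: the `"Fast in-memory cache will not be initialized."` DEBUG string in setup_memcaches() lacks the trailing `\n` that the other messages in this file carry.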
@@ -0,0 +1,1426 @@ +/* + SSSD + + NSS Responder - Mmap Cache + + Copyright (C) Simo Sorce 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "confdb/confdb.h" +#include +#include +#include "util/mmap_cache.h" +#include "responder/nss/nss_private.h" +#include "responder/nss/nsssrv_mmap_cache.h" + +/* arbitrary (avg of my /etc/passwd) */ +#define SSS_AVG_PASSWD_PAYLOAD (MC_SLOT_SIZE * 4) +/* short group name and no gids (private user group */ +#define SSS_AVG_GROUP_PAYLOAD (MC_SLOT_SIZE * 3) +/* average place for 40 supplementary groups + 2 names */ +#define SSS_AVG_INITGROUP_PAYLOAD (MC_SLOT_SIZE * 5) + +#define MC_NEXT_BARRIER(val) ((((val) + 1) & 0x00ffffff) | 0xf0000000) + +#define MC_RAISE_BARRIER(m) do { \ + m->b2 = MC_NEXT_BARRIER(m->b1); \ + __sync_synchronize(); \ +} while (0) + +#define MC_LOWER_BARRIER(m) do { \ + __sync_synchronize(); \ + m->b1 = m->b2; \ +} while (0) + +#define MC_RAISE_INVALID_BARRIER(m) do { \ + m->b2 = MC_INVALID_VAL; \ + __sync_synchronize(); \ +} while (0) + +struct sss_mc_ctx { + char *name; /* mmap cache name */ + enum sss_mc_type type; /* mmap cache type */ + char *file; /* mmap cache file name */ + int fd; /* file descriptor */ + + uint32_t seed; /* pseudo-random seed to avoid collision attacks */ + time_t valid_time_slot; /* maximum time the entry is valid in seconds */ + + void *mmap_base; /* base address of mmap */ + size_t mmap_size; /* 
total size of mmap */ + + uint32_t *hash_table; /* hash table address (in mmap) */ + uint32_t ht_size; /* size of hash table */ + + uint8_t *free_table; /* free list bitmaps */ + uint32_t ft_size; /* size of free table */ + uint32_t next_slot; /* the next slot after last allocation */ + + uint8_t *data_table; /* data table address (in mmap) */ + uint32_t dt_size; /* size of data table */ +}; + +#define MC_FIND_BIT(base, num) \ + uint32_t n = (num); \ + uint8_t *b = (base) + n / 8; \ + uint8_t c = 0x80 >> (n % 8); + +#define MC_SET_BIT(base, num) do { \ + MC_FIND_BIT(base, num) \ + *b |= c; \ +} while (0) + +#define MC_CLEAR_BIT(base, num) do { \ + MC_FIND_BIT(base, num) \ + *b &= ~c; \ +} while (0) + +#define MC_PROBE_BIT(base, num, used) do { \ + MC_FIND_BIT(base, num) \ + if (*b & c) used = true; \ + else used = false; \ +} while (0) + +static inline +uint32_t sss_mc_next_slot_with_hash(struct sss_mc_rec *rec, + uint32_t hash) +{ + if (rec->hash1 == hash) { + return rec->next1; + } else if (rec->hash2 == hash) { + return rec->next2; + } else { + /* it should never happen. */ + return MC_INVALID_VAL; + } +} + +static inline +void sss_mc_chain_slot_to_record_with_hash(struct sss_mc_rec *rec, + uint32_t hash, + uint32_t slot) +{ + /* changing a single uint32_t is atomic, so there is no + * need to use barriers in this case */ + if (rec->hash1 == hash) { + rec->next1 = slot; + } else if (rec->hash2 == hash) { + rec->next2 = slot; + } +} + +/* This function will store corrupted memcache to disk for later + * analysis. */ +static void sss_mc_save_corrupted(struct sss_mc_ctx *mc_ctx) +{ + int err; + int fd = -1; + ssize_t written = -1; + char *file = NULL; + TALLOC_CTX *tmp_ctx; + + if (mc_ctx == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Cannot store uninitialized cache. 
Nothing to do.\n"); + return; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n"); + return; + } + + file = talloc_asprintf(tmp_ctx, "%s_%s", + mc_ctx->file, "corrupted"); + if (file == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n"); + goto done; + } + + /* We will always store only the last problematic cache state */ + fd = creat(file, 0600); + if (fd == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to open file '%s' [%d]: %s\n", + file, err, strerror(err)); + goto done; + } + + written = sss_atomic_write_s(fd, mc_ctx->mmap_base, mc_ctx->mmap_size); + if (written != mc_ctx->mmap_size) { + if (written == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "write() failed [%d]: %s\n", err, strerror(err)); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "write() returned %zd (expected (%zd))\n", + written, mc_ctx->mmap_size); + } + goto done; + } + + sss_log(SSS_LOG_NOTICE, + "Stored copy of corrupted mmap cache in file '%s\n'", file); +done: + if (fd != -1) { + close(fd); + if (written == -1) { + err = unlink(file); + if (err != 0) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to remove file '%s': %s.\n", file, + strerror(err)); + } + } + } + talloc_free(tmp_ctx); +} + +static uint32_t sss_mc_hash(struct sss_mc_ctx *mcc, + const char *key, size_t len) +{ + return murmurhash3(key, len, mcc->seed) % MC_HT_ELEMS(mcc->ht_size); +} + +static void sss_mc_add_rec_to_chain(struct sss_mc_ctx *mcc, + struct sss_mc_rec *rec, + uint32_t hash) +{ + struct sss_mc_rec *cur; + uint32_t slot; + + if (hash > MC_HT_ELEMS(mcc->ht_size)) { + /* Invalid hash. 
This should never happen, but better + * return than trying to access out of bounds memory */ + return; + } + + slot = mcc->hash_table[hash]; + if (slot == MC_INVALID_VAL) { + /* no previous record/collision, just add to hash table */ + mcc->hash_table[hash] = MC_PTR_TO_SLOT(mcc->data_table, rec); + return; + } + + do { + cur = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + if (cur == rec) { + /* rec already stored in hash chain */ + return; + } + slot = sss_mc_next_slot_with_hash(cur, hash); + } while (slot != MC_INVALID_VAL); + /* end of chain, append our record here */ + + slot = MC_PTR_TO_SLOT(mcc->data_table, rec); + sss_mc_chain_slot_to_record_with_hash(cur, hash, slot); +} + +static void sss_mc_rm_rec_from_chain(struct sss_mc_ctx *mcc, + struct sss_mc_rec *rec, + uint32_t hash) +{ + struct sss_mc_rec *prev = NULL; + struct sss_mc_rec *cur = NULL; + uint32_t slot; + + if (hash > MC_HT_ELEMS(mcc->ht_size)) { + /* It can happen if rec->hash1 and rec->hash2 was the same. + * or it is invalid hash. It is better to return + * than trying to access out of bounds memory + */ + return; + } + + slot = mcc->hash_table[hash]; + if (slot == MC_INVALID_VAL) { + /* record has already been removed. It may happen if rec->hash1 and + * rec->has2 are the same. (It is not very likely). 
+ */ + return; + } + cur = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + if (cur == rec) { + mcc->hash_table[hash] = sss_mc_next_slot_with_hash(rec, hash); + } else { + slot = sss_mc_next_slot_with_hash(cur, hash); + while (slot != MC_INVALID_VAL) { + prev = cur; + cur = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + if (cur == rec) { + slot = sss_mc_next_slot_with_hash(cur, hash); + + sss_mc_chain_slot_to_record_with_hash(prev, hash, slot); + slot = MC_INVALID_VAL; + } else { + slot = sss_mc_next_slot_with_hash(cur, hash); + } + } + } +} + +static void sss_mc_free_slots(struct sss_mc_ctx *mcc, struct sss_mc_rec *rec) +{ + uint32_t slot; + uint32_t num; + uint32_t i; + + slot = MC_PTR_TO_SLOT(mcc->data_table, rec); + num = MC_SIZE_TO_SLOTS(rec->len); + for (i = 0; i < num; i++) { + MC_CLEAR_BIT(mcc->free_table, slot + i); + } +} + +static void sss_mc_invalidate_rec(struct sss_mc_ctx *mcc, + struct sss_mc_rec *rec) +{ + if (rec->b1 == MC_INVALID_VAL) { + /* record already invalid */ + return; + } + + /* Remove from hash chains */ + /* hash chain 1 */ + sss_mc_rm_rec_from_chain(mcc, rec, rec->hash1); + /* hash chain 2 */ + sss_mc_rm_rec_from_chain(mcc, rec, rec->hash2); + + /* Clear from free_table */ + sss_mc_free_slots(mcc, rec); + + /* Invalidate record fields */ + MC_RAISE_INVALID_BARRIER(rec); + memset(rec->data, MC_INVALID_VAL8, ((MC_SLOT_SIZE * MC_SIZE_TO_SLOTS(rec->len)) + - sizeof(struct sss_mc_rec))); + rec->len = MC_INVALID_VAL32; + rec->expire = MC_INVALID_VAL64; + rec->next1 = MC_INVALID_VAL32; + rec->next2 = MC_INVALID_VAL32; + rec->hash1 = MC_INVALID_VAL32; + rec->hash2 = MC_INVALID_VAL32; + MC_LOWER_BARRIER(rec); +} + +static bool sss_mc_is_valid_rec(struct sss_mc_ctx *mcc, struct sss_mc_rec *rec) +{ + struct sss_mc_rec *self; + uint32_t slot; + + if (((uint8_t *)rec < mcc->data_table) || + ((uint8_t *)rec > (mcc->data_table + mcc->dt_size - MC_SLOT_SIZE))) { + return false; + } + + if ((rec->b1 == MC_INVALID_VAL) || + 
(rec->b1 != rec->b2)) { + return false; + } + + if (!MC_CHECK_RECORD_LENGTH(mcc, rec)) { + return false; + } + + if (rec->expire == MC_INVALID_VAL64) { + return false; + } + + /* next record can be invalid if there are no next records */ + + if (rec->hash1 == MC_INVALID_VAL32) { + return false; + } else { + self = NULL; + slot = mcc->hash_table[rec->hash1]; + while (slot != MC_INVALID_VAL32 && self != rec) { + self = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + slot = sss_mc_next_slot_with_hash(self, rec->hash1); + } + if (self != rec) { + return false; + } + } + if (rec->hash2 != MC_INVALID_VAL32) { + self = NULL; + slot = mcc->hash_table[rec->hash2]; + while (slot != MC_INVALID_VAL32 && self != rec) { + self = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + slot = sss_mc_next_slot_with_hash(self, rec->hash2); + } + if (self != rec) { + return false; + } + } + + /* all tests passed */ + return true; +} + +/* FIXME: This is a very simplistic, inefficient, memory allocator, + * it will just free the oldest entries regardless of expiration if it + * cycled the whole free bits map and found no empty slot */ +static errno_t sss_mc_find_free_slots(struct sss_mc_ctx *mcc, + int num_slots, uint32_t *free_slot) +{ + struct sss_mc_rec *rec; + uint32_t tot_slots; + uint32_t cur; + uint32_t i; + uint32_t t; + bool used; + + tot_slots = mcc->ft_size * 8; + + /* Try to find a free slot w/o removing anything first */ + /* FIXME: Is it really worth it? Maybe it is easier to + * just recycle the next set of slots? 
*/ + if ((mcc->next_slot + num_slots) > tot_slots) { + cur = 0; + } else { + cur = mcc->next_slot; + } + + /* search for enough (num_slots) consecutive zero bits, indicating + * consecutive empty slots */ + for (i = 0; i < mcc->ft_size; i++) { + t = cur / 8; + /* if all full in this byte skip directly to the next */ + if (mcc->free_table[t] == 0xff) { + cur = ((cur + 8) & ~7); + if (cur >= tot_slots) { + cur = 0; + } + continue; + } + + /* at least one bit in this byte is marked as empty */ + for (t = ((cur + 8) & ~7) ; cur < t; cur++) { + MC_PROBE_BIT(mcc->free_table, cur, used); + if (!used) break; + } + /* check if we have enough slots before hitting the table end */ + if ((cur + num_slots) > tot_slots) { + cur = 0; + continue; + } + + /* check if we have at least num_slots empty starting from the first + * we found in the previous steps */ + for (t = cur + num_slots; cur < t; cur++) { + MC_PROBE_BIT(mcc->free_table, cur, used); + if (used) break; + } + if (cur == t) { + /* ok found num_slots consecutive free bits */ + *free_slot = cur - num_slots; + return EOK; + } + } + + /* no free slots found, free occupied slots after next_slot */ + if ((mcc->next_slot + num_slots) > tot_slots) { + cur = 0; + } else { + cur = mcc->next_slot; + } + for (i = 0; i < num_slots; i++) { + MC_PROBE_BIT(mcc->free_table, cur + i, used); + if (used) { + /* the first used slot should be a record header, however we + * carefully check it is a valid header and hardfail if not */ + rec = MC_SLOT_TO_PTR(mcc->data_table, cur + i, struct sss_mc_rec); + if (!sss_mc_is_valid_rec(mcc, rec)) { + /* this is a fatal error, the caller should probably just + * invalidate the whole cache */ + return EFAULT; + } + /* next loop skip the whole record */ + i += MC_SIZE_TO_SLOTS(rec->len) - 1; + + /* finally invalidate record completely */ + sss_mc_invalidate_rec(mcc, rec); + } + } + + mcc->next_slot = cur + num_slots; + *free_slot = cur; + return EOK; +} + +static errno_t sss_mc_get_strs_offset(struct 
sss_mc_ctx *mcc, + size_t *_offset) +{ + switch (mcc->type) { + case SSS_MC_PASSWD: + *_offset = offsetof(struct sss_mc_pwd_data, strs); + return EOK; + case SSS_MC_GROUP: + *_offset = offsetof(struct sss_mc_grp_data, strs); + return EOK; + case SSS_MC_INITGROUPS: + *_offset = offsetof(struct sss_mc_initgr_data, gids); + return EOK; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Unknown memory cache type.\n"); + return EINVAL; + } +} + +static errno_t sss_mc_get_strs_len(struct sss_mc_ctx *mcc, + struct sss_mc_rec *rec, + size_t *_len) +{ + switch (mcc->type) { + case SSS_MC_PASSWD: + *_len = ((struct sss_mc_pwd_data *)&rec->data)->strs_len; + return EOK; + case SSS_MC_GROUP: + *_len = ((struct sss_mc_grp_data *)&rec->data)->strs_len; + return EOK; + case SSS_MC_INITGROUPS: + *_len = ((struct sss_mc_initgr_data *)&rec->data)->data_len; + return EOK; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Unknown memory cache type.\n"); + return EINVAL; + } +} + +static struct sss_mc_rec *sss_mc_find_record(struct sss_mc_ctx *mcc, + struct sized_string *key) +{ + struct sss_mc_rec *rec; + uint32_t hash; + uint32_t slot; + rel_ptr_t name_ptr; + char *t_key; + size_t strs_offset; + size_t strs_len; + uint8_t *max_addr; + errno_t ret; + + hash = sss_mc_hash(mcc, key->str, key->len); + + slot = mcc->hash_table[hash]; + if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { + return NULL; + } + + /* Get max address of data table. */ + max_addr = mcc->data_table + mcc->dt_size; + + ret = sss_mc_get_strs_offset(mcc, &strs_offset); + if (ret != EOK) { + return NULL; + } + + while (slot != MC_INVALID_VAL) { + if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Corrupted fastcache. 
Slot number too big.\n"); + sss_mc_save_corrupted(mcc); + sss_mmap_cache_reset(mcc); + return NULL; + } + + rec = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + ret = sss_mc_get_strs_len(mcc, rec, &strs_len); + if (ret != EOK) { + return NULL; + } + + if (key->len > strs_len) { + /* The string cannot be in current record */ + slot = sss_mc_next_slot_with_hash(rec, hash); + continue; + } + + safealign_memcpy(&name_ptr, rec->data, sizeof(rel_ptr_t), NULL); + t_key = (char *)rec->data + name_ptr; + /* name_ptr must point to some data in the strs/gids area of the data + * payload. Since it is a pointer relative to rec->data it must be + * larger/equal to strs_offset and must be smaller then strs_offset + strs_len. + * Additionally the area must not end outside of the data table and + * t_key must be a zero-terminated string. */ + if (name_ptr < strs_offset + || name_ptr >= strs_offset + strs_len + || (uint8_t *)rec->data > max_addr + || strs_offset > max_addr - (uint8_t *)rec->data + || strs_len > max_addr - (uint8_t *)rec->data - strs_offset) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Corrupted fastcache entry at slot %u. 
" + "name_ptr value is %u.\n", slot, name_ptr); + sss_mc_save_corrupted(mcc); + sss_mmap_cache_reset(mcc); + return NULL; + } + + if (strcmp(key->str, t_key) == 0) { + break; + } + + slot = sss_mc_next_slot_with_hash(rec, hash); + } + + if (slot == MC_INVALID_VAL) { + return NULL; + } + + return rec; +} + +static errno_t sss_mc_get_record(struct sss_mc_ctx **_mcc, + size_t rec_len, + struct sized_string *key, + struct sss_mc_rec **_rec) +{ + struct sss_mc_ctx *mcc = *_mcc; + struct sss_mc_rec *old_rec = NULL; + struct sss_mc_rec *rec; + int old_slots; + int num_slots; + uint32_t base_slot; + errno_t ret; + int i; + + num_slots = MC_SIZE_TO_SLOTS(rec_len); + + old_rec = sss_mc_find_record(mcc, key); + if (old_rec) { + old_slots = MC_SIZE_TO_SLOTS(old_rec->len); + + if (old_slots == num_slots) { + *_rec = old_rec; + return EOK; + } + + /* slot size changed, invalidate record and fall through to get a + * fully new record */ + sss_mc_invalidate_rec(mcc, old_rec); + } + + /* we are going to use more space, find enough free slots */ + ret = sss_mc_find_free_slots(mcc, num_slots, &base_slot); + if (ret != EOK) { + if (ret == EFAULT) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Fatal internal mmap cache error, invalidating cache!\n"); + (void)sss_mmap_cache_reinit(talloc_parent(mcc), -1, -1, _mcc); + } + return ret; + } + + rec = MC_SLOT_TO_PTR(mcc->data_table, base_slot, struct sss_mc_rec); + + /* mark as not valid yet */ + MC_RAISE_INVALID_BARRIER(rec); + rec->len = rec_len; + rec->next1 = MC_INVALID_VAL; + rec->next2 = MC_INVALID_VAL; + rec->padding = MC_INVALID_VAL; + MC_LOWER_BARRIER(rec); + + /* and now mark slots as used */ + for (i = 0; i < num_slots; i++) { + MC_SET_BIT(mcc->free_table, base_slot + i); + } + + *_rec = rec; + return EOK; +} + +static inline void sss_mmap_set_rec_header(struct sss_mc_ctx *mcc, + struct sss_mc_rec *rec, + size_t len, int ttl, + const char *key1, size_t key1_len, + const char *key2, size_t key2_len) +{ + rec->len = len; + rec->expire = 
time(NULL) + ttl; + rec->hash1 = sss_mc_hash(mcc, key1, key1_len); + rec->hash2 = sss_mc_hash(mcc, key2, key2_len); +} + +static inline void sss_mmap_chain_in_rec(struct sss_mc_ctx *mcc, + struct sss_mc_rec *rec) +{ + /* name first */ + sss_mc_add_rec_to_chain(mcc, rec, rec->hash1); + /* then uid/gid */ + sss_mc_add_rec_to_chain(mcc, rec, rec->hash2); +} + +/*************************************************************************** + * generic invalidation + ***************************************************************************/ + +static errno_t sss_mmap_cache_invalidate(struct sss_mc_ctx *mcc, + struct sized_string *key) +{ + struct sss_mc_rec *rec; + + if (mcc == NULL) { + /* cache not initialized? */ + return EINVAL; + } + + rec = sss_mc_find_record(mcc, key); + if (rec == NULL) { + /* nothing to invalidate */ + return ENOENT; + } + + sss_mc_invalidate_rec(mcc, rec); + + return EOK; +} + +/*************************************************************************** + * passwd map + ***************************************************************************/ + +errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc, + struct sized_string *name, + struct sized_string *pw, + uid_t uid, gid_t gid, + struct sized_string *gecos, + struct sized_string *homedir, + struct sized_string *shell) +{ + struct sss_mc_ctx *mcc = *_mcc; + struct sss_mc_rec *rec; + struct sss_mc_pwd_data *data; + struct sized_string uidkey; + char uidstr[11]; + size_t data_len; + size_t rec_len; + size_t pos; + int ret; + + if (mcc == NULL) { + /* cache not initialized? 
*/ + return EINVAL; + } + + ret = snprintf(uidstr, 11, "%ld", (long)uid); + if (ret > 10) { + return EINVAL; + } + to_sized_string(&uidkey, uidstr); + + data_len = name->len + pw->len + gecos->len + homedir->len + shell->len; + rec_len = sizeof(struct sss_mc_rec) + + sizeof(struct sss_mc_pwd_data) + + data_len; + if (rec_len > mcc->dt_size) { + return ENOMEM; + } + + ret = sss_mc_get_record(_mcc, rec_len, name, &rec); + if (ret != EOK) { + return ret; + } + + data = (struct sss_mc_pwd_data *)rec->data; + pos = 0; + + MC_RAISE_BARRIER(rec); + + /* header */ + sss_mmap_set_rec_header(mcc, rec, rec_len, mcc->valid_time_slot, + name->str, name->len, uidkey.str, uidkey.len); + + /* passwd struct */ + data->name = MC_PTR_DIFF(data->strs, data); + data->uid = uid; + data->gid = gid; + data->strs_len = data_len; + memcpy(&data->strs[pos], name->str, name->len); + pos += name->len; + memcpy(&data->strs[pos], pw->str, pw->len); + pos += pw->len; + memcpy(&data->strs[pos], gecos->str, gecos->len); + pos += gecos->len; + memcpy(&data->strs[pos], homedir->str, homedir->len); + pos += homedir->len; + memcpy(&data->strs[pos], shell->str, shell->len); + pos += shell->len; + + MC_LOWER_BARRIER(rec); + + /* finally chain the rec in the hash table */ + sss_mmap_chain_in_rec(mcc, rec); + + return EOK; +} + +errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc, + struct sized_string *name) +{ + return sss_mmap_cache_invalidate(mcc, name); +} + +errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid) +{ + struct sss_mc_rec *rec; + struct sss_mc_pwd_data *data; + uint32_t hash; + uint32_t slot; + char *uidstr; + errno_t ret; + + if (mcc == NULL) { + /* cache not initialized? 
*/ + return EINVAL; + } + + uidstr = talloc_asprintf(NULL, "%ld", (long)uid); + if (!uidstr) { + return ENOMEM; + } + + hash = sss_mc_hash(mcc, uidstr, strlen(uidstr) + 1); + + slot = mcc->hash_table[hash]; + if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { + ret = ENOENT; + goto done; + } + + while (slot != MC_INVALID_VAL) { + if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { + DEBUG(SSSDBG_FATAL_FAILURE, "Corrupted fastcache.\n"); + sss_mc_save_corrupted(mcc); + sss_mmap_cache_reset(mcc); + ret = ENOENT; + goto done; + } + + rec = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + data = (struct sss_mc_pwd_data *)(&rec->data); + + if (uid == data->uid) { + break; + } + + slot = sss_mc_next_slot_with_hash(rec, hash); + } + + if (slot == MC_INVALID_VAL) { + ret = ENOENT; + goto done; + } + + sss_mc_invalidate_rec(mcc, rec); + + ret = EOK; + +done: + talloc_zfree(uidstr); + return ret; +} + +/*************************************************************************** + * group map + ***************************************************************************/ + +int sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc, + struct sized_string *name, + struct sized_string *pw, + gid_t gid, size_t memnum, + char *membuf, size_t memsize) +{ + struct sss_mc_ctx *mcc = *_mcc; + struct sss_mc_rec *rec; + struct sss_mc_grp_data *data; + struct sized_string gidkey; + char gidstr[11]; + size_t data_len; + size_t rec_len; + size_t pos; + int ret; + + if (mcc == NULL) { + /* cache not initialized? 
*/ + return EINVAL; + } + + ret = snprintf(gidstr, 11, "%ld", (long)gid); + if (ret > 10) { + return EINVAL; + } + to_sized_string(&gidkey, gidstr); + + data_len = name->len + pw->len + memsize; + rec_len = sizeof(struct sss_mc_rec) + + sizeof(struct sss_mc_grp_data) + + data_len; + if (rec_len > mcc->dt_size) { + return ENOMEM; + } + + ret = sss_mc_get_record(_mcc, rec_len, name, &rec); + if (ret != EOK) { + return ret; + } + + data = (struct sss_mc_grp_data *)rec->data; + pos = 0; + + MC_RAISE_BARRIER(rec); + + /* header */ + sss_mmap_set_rec_header(mcc, rec, rec_len, mcc->valid_time_slot, + name->str, name->len, gidkey.str, gidkey.len); + + /* group struct */ + data->name = MC_PTR_DIFF(data->strs, data); + data->gid = gid; + data->members = memnum; + data->strs_len = data_len; + memcpy(&data->strs[pos], name->str, name->len); + pos += name->len; + memcpy(&data->strs[pos], pw->str, pw->len); + pos += pw->len; + memcpy(&data->strs[pos], membuf, memsize); + pos += memsize; + + MC_LOWER_BARRIER(rec); + + /* finally chain the rec in the hash table */ + sss_mmap_chain_in_rec(mcc, rec); + + return EOK; +} + +errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc, + struct sized_string *name) +{ + return sss_mmap_cache_invalidate(mcc, name); +} + +errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx *mcc, gid_t gid) +{ + struct sss_mc_rec *rec; + struct sss_mc_grp_data *data; + uint32_t hash; + uint32_t slot; + char *gidstr; + errno_t ret; + + if (mcc == NULL) { + /* cache not initialized? 
*/ + return EINVAL; + } + + gidstr = talloc_asprintf(NULL, "%ld", (long)gid); + if (!gidstr) { + return ENOMEM; + } + + hash = sss_mc_hash(mcc, gidstr, strlen(gidstr) + 1); + + slot = mcc->hash_table[hash]; + if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { + ret = ENOENT; + goto done; + } + + while (slot != MC_INVALID_VAL) { + if (!MC_SLOT_WITHIN_BOUNDS(slot, mcc->dt_size)) { + DEBUG(SSSDBG_FATAL_FAILURE, "Corrupted fastcache.\n"); + sss_mc_save_corrupted(mcc); + sss_mmap_cache_reset(mcc); + ret = ENOENT; + goto done; + } + + rec = MC_SLOT_TO_PTR(mcc->data_table, slot, struct sss_mc_rec); + data = (struct sss_mc_grp_data *)(&rec->data); + + if (gid == data->gid) { + break; + } + + slot = sss_mc_next_slot_with_hash(rec, hash); + } + + if (slot == MC_INVALID_VAL) { + ret = ENOENT; + goto done; + } + + sss_mc_invalidate_rec(mcc, rec); + + ret = EOK; + +done: + talloc_zfree(gidstr); + return ret; +} + +errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc, + struct sized_string *name, + struct sized_string *unique_name, + uint32_t num_groups, + uint8_t *gids_buf) +{ + struct sss_mc_ctx *mcc = *_mcc; + struct sss_mc_rec *rec; + struct sss_mc_initgr_data *data; + size_t data_len; + size_t rec_len; + size_t pos; + int ret; + + if (mcc == NULL) { + /* cache not initialized? */ + return EINVAL; + } + + /* array of gids + name + unique_name */ + data_len = num_groups * sizeof(uint32_t) + name->len + unique_name->len; + rec_len = sizeof(struct sss_mc_rec) + sizeof(struct sss_mc_initgr_data) + + data_len; + if (rec_len > mcc->dt_size) { + return ENOMEM; + } + + /* use unique name for searching potential old records */ + ret = sss_mc_get_record(_mcc, rec_len, unique_name, &rec); + if (ret != EOK) { + return ret; + } + + data = (struct sss_mc_initgr_data *)rec->data; + pos = 0; + + MC_RAISE_BARRIER(rec); + + /* We cannot use two keys for searching in initgroups cache. + * Use the first key twice. 
+ */ + sss_mmap_set_rec_header(mcc, rec, rec_len, mcc->valid_time_slot, + name->str, name->len, + unique_name->str, unique_name->len); + + /* initgroups struct */ + data->strs_len = name->len + unique_name->len; + data->data_len = data_len; + data->num_groups = num_groups; + memcpy((char *)data->gids + pos, gids_buf, num_groups * sizeof(uint32_t)); + pos += num_groups * sizeof(uint32_t); + + memcpy((char *)data->gids + pos, unique_name->str, unique_name->len); + data->strs = data->unique_name = MC_PTR_DIFF((char *)data->gids + pos, data); + pos += unique_name->len; + + memcpy((char *)data->gids + pos, name->str, name->len); + data->name = MC_PTR_DIFF((char *)data->gids + pos, data); + + MC_LOWER_BARRIER(rec); + + /* finally chain the rec in the hash table */ + sss_mmap_chain_in_rec(mcc, rec); + + return EOK; +} + +errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc, + struct sized_string *name) +{ + return sss_mmap_cache_invalidate(mcc, name); +} + +/*************************************************************************** + * initialization + ***************************************************************************/ + +/* Copy of sss_mc_set_recycled is present in the src/tools/tools_mc_util.c. + * If you modify this function, you should modify the duplicated function + * too. */ +static errno_t sss_mc_set_recycled(int fd) +{ + uint32_t w = SSS_MC_HEADER_RECYCLED; + struct sss_mc_header h; + off_t offset; + off_t pos; + ssize_t written; + + offset = MC_PTR_DIFF(&h.status, &h); + + pos = lseek(fd, offset, SEEK_SET); + if (pos == -1) { + /* What do we do now? */ + return errno; + } + + errno = 0; + written = sss_atomic_write_s(fd, (uint8_t *)&w, sizeof(h.status)); + if (written == -1) { + return errno; + } + + if (written != sizeof(h.status)) { + /* Write error */ + return EIO; + } + + return EOK; +} + +/* + * When we (re)create a new file we must mark the current file as recycled + * so active clients will abandon its use ASAP. 
+ * We unlink the current file and make a new one. + */ +static errno_t sss_mc_create_file(struct sss_mc_ctx *mc_ctx) +{ + mode_t old_mask; + int ofd; + int ret, uret; + useconds_t t = 50000; + int retries = 3; + + ofd = open(mc_ctx->file, O_RDWR); + if (ofd != -1) { + ret = sss_br_lock_file(ofd, 0, 1, retries, t); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to lock file %s.\n", mc_ctx->file); + } + ret = sss_mc_set_recycled(ofd); + if (ret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to mark mmap file %s as" + " recycled: %d(%s)\n", + mc_ctx->file, ret, strerror(ret)); + } + + close(ofd); + } else if (errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to open old memory cache file %s: %d(%s).\n", + mc_ctx->file, ret, strerror(ret)); + } + + errno = 0; + ret = unlink(mc_ctx->file); + if (ret == -1 && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_TRACE_FUNC, "Failed to rm mmap file %s: %d(%s)\n", + mc_ctx->file, ret, strerror(ret)); + } + + /* temporarily relax umask as we need the file to be readable + * by everyone for now */ + old_mask = umask(0022); + + errno = 0; + mc_ctx->fd = open(mc_ctx->file, O_CREAT | O_EXCL | O_RDWR, 0644); + umask(old_mask); + if (mc_ctx->fd == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to open mmap file %s: %d(%s)\n", + mc_ctx->file, ret, strerror(ret)); + return ret; + } + + ret = sss_br_lock_file(mc_ctx->fd, 0, 1, retries, t); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to lock file %s.\n", mc_ctx->file); + close(mc_ctx->fd); + mc_ctx->fd = -1; + + /* Report on unlink failures but don't overwrite the errno + * from sss_br_lock_file + */ + errno = 0; + uret = unlink(mc_ctx->file); + if (uret == -1) { + uret = errno; + DEBUG(SSSDBG_TRACE_FUNC, "Failed to rm mmap file %s: %d(%s)\n", + mc_ctx->file, uret, strerror(uret)); + } + + return ret; + } + + return ret; +} + +static void sss_mc_header_update(struct sss_mc_ctx *mc_ctx, int status) +{ + struct sss_mc_header *h; + + 
/* update header using barriers */ + h = (struct sss_mc_header *)mc_ctx->mmap_base; + MC_RAISE_BARRIER(h); + if (status == SSS_MC_HEADER_ALIVE) { + /* no reason to update anything else if the file is recycled or + * right before reset */ + h->hash_table = MC_PTR_DIFF(mc_ctx->hash_table, mc_ctx->mmap_base); + h->free_table = MC_PTR_DIFF(mc_ctx->free_table, mc_ctx->mmap_base); + h->data_table = MC_PTR_DIFF(mc_ctx->data_table, mc_ctx->mmap_base); + h->ht_size = mc_ctx->ht_size; + h->ft_size = mc_ctx->ft_size; + h->dt_size = mc_ctx->dt_size; + h->major_vno = SSS_MC_MAJOR_VNO; + h->minor_vno = SSS_MC_MINOR_VNO; + h->seed = mc_ctx->seed; + h->reserved = 0; + } + h->status = status; + MC_LOWER_BARRIER(h); +} + +static int mc_ctx_destructor(struct sss_mc_ctx *mc_ctx) +{ + int ret; + + /* Print debug message to logs if munmap() or close() + * fail but always return 0 */ + + if (mc_ctx->mmap_base != NULL) { + ret = munmap(mc_ctx->mmap_base, mc_ctx->mmap_size); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to unmap old memory cache file." + "[%d]: %s\n", ret, strerror(ret)); + } + } + + if (mc_ctx->fd != -1) { + ret = close(mc_ctx->fd); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to close old memory cache file." 
+ "[%d]: %s\n", ret, strerror(ret)); + } + } + + return 0; +} + +errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name, + enum sss_mc_type type, size_t n_elem, + time_t timeout, struct sss_mc_ctx **mcc) +{ + struct sss_mc_ctx *mc_ctx = NULL; + unsigned int rseed; + int payload; + int ret, dret; + + switch (type) { + case SSS_MC_PASSWD: + payload = SSS_AVG_PASSWD_PAYLOAD; + break; + case SSS_MC_GROUP: + payload = SSS_AVG_GROUP_PAYLOAD; + break; + case SSS_MC_INITGROUPS: + payload = SSS_AVG_INITGROUP_PAYLOAD; + break; + default: + return EINVAL; + } + + mc_ctx = talloc_zero(mem_ctx, struct sss_mc_ctx); + if (!mc_ctx) { + return ENOMEM; + } + mc_ctx->fd = -1; + talloc_set_destructor(mc_ctx, mc_ctx_destructor); + + mc_ctx->name = talloc_strdup(mc_ctx, name); + if (!mc_ctx->name) { + ret = ENOMEM; + goto done; + } + + mc_ctx->type = type; + + mc_ctx->valid_time_slot = timeout; + + mc_ctx->file = talloc_asprintf(mc_ctx, "%s/%s", + SSS_NSS_MCACHE_DIR, name); + if (!mc_ctx->file) { + ret = ENOMEM; + goto done; + } + + /* elements must always be multiple of 8 to make things easier to handle, + * so we increase by the necessary amount if they are not a multiple */ + /* We can use MC_ALIGN64 for this */ + n_elem = MC_ALIGN64(n_elem); + + /* hash table is double the size because it will store both forward and + * reverse keys (name/uid, name/gid, ..) 
*/ + mc_ctx->ht_size = MC_HT_SIZE(n_elem * 2); + mc_ctx->dt_size = MC_DT_SIZE(n_elem, payload); + mc_ctx->ft_size = MC_FT_SIZE(n_elem); + mc_ctx->mmap_size = MC_HEADER_SIZE + + MC_ALIGN64(mc_ctx->dt_size) + + MC_ALIGN64(mc_ctx->ft_size) + + MC_ALIGN64(mc_ctx->ht_size); + + + /* for now ALWAYS create a new file on restart */ + + ret = sss_mc_create_file(mc_ctx); + if (ret) { + goto done; + } + + ret = ftruncate(mc_ctx->fd, mc_ctx->mmap_size); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to resize file %s: %d(%s)\n", + mc_ctx->file, ret, strerror(ret)); + goto done; + } + + mc_ctx->mmap_base = mmap(NULL, mc_ctx->mmap_size, + PROT_READ | PROT_WRITE, + MAP_SHARED, mc_ctx->fd, 0); + if (mc_ctx->mmap_base == MAP_FAILED) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to mmap file %s(%zu): %d(%s)\n", + mc_ctx->file, mc_ctx->mmap_size, + ret, strerror(ret)); + goto done; + } + + mc_ctx->data_table = MC_PTR_ADD(mc_ctx->mmap_base, MC_HEADER_SIZE); + mc_ctx->free_table = MC_PTR_ADD(mc_ctx->data_table, + MC_ALIGN64(mc_ctx->dt_size)); + mc_ctx->hash_table = MC_PTR_ADD(mc_ctx->free_table, + MC_ALIGN64(mc_ctx->ft_size)); + + memset(mc_ctx->data_table, 0xff, mc_ctx->dt_size); + memset(mc_ctx->free_table, 0x00, mc_ctx->ft_size); + memset(mc_ctx->hash_table, 0xff, mc_ctx->ht_size); + + /* generate a pseudo-random seed. + * Needed to fend off dictionary based collision attacks */ + rseed = time(NULL) * getpid(); + mc_ctx->seed = rand_r(&rseed); + + sss_mc_header_update(mc_ctx, SSS_MC_HEADER_ALIVE); + + ret = EOK; + +done: + if (ret) { + /* Closing the file descriptor and unmapping the file + * from memory is done in the mc_ctx_destructor. 
*/ + if (mc_ctx && mc_ctx->file && mc_ctx->fd != -1) { + dret = unlink(mc_ctx->file); + if (dret == -1) { + dret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to rm mmap file %s: %d(%s)\n", mc_ctx->file, + dret, strerror(dret)); + } + } + + talloc_free(mc_ctx); + } else { + *mcc = mc_ctx; + } + return ret; +} + +errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, size_t n_elem, + time_t timeout, struct sss_mc_ctx **mc_ctx) +{ + errno_t ret; + TALLOC_CTX* tmp_ctx = NULL; + char *name; + enum sss_mc_type type; + + if (mc_ctx == NULL || (*mc_ctx) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to re-init uninitialized memory cache.\n"); + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n"); + return ENOMEM; + } + + name = talloc_strdup(tmp_ctx, (*mc_ctx)->name); + if (name == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n"); + ret = ENOMEM; + goto done; + } + + type = (*mc_ctx)->type; + + if (n_elem == (size_t)-1) { + n_elem = (*mc_ctx)->ft_size * 8; + } + + if (timeout == (time_t)-1) { + timeout = (*mc_ctx)->valid_time_slot; + } + + talloc_free(*mc_ctx); + + /* make sure we do not leave a potentially freed pointer around */ + *mc_ctx = NULL; + + ret = sss_mmap_cache_init(mem_ctx, name, type, n_elem, timeout, mc_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to re-initialize mmap cache.\n"); + goto done; + } + +done: + talloc_free(tmp_ctx); + return ret; +} + +/* Erase all contents of the mmap cache. This will bring the cache + * to the same state as if it was just initialized. */ +void sss_mmap_cache_reset(struct sss_mc_ctx *mc_ctx) +{ + if (mc_ctx == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Fastcache not initialized. 
Nothing to do.\n");
+ return;
+ }
+
+ sss_mc_header_update(mc_ctx, SSS_MC_HEADER_UNINIT);
+
+ /* Reset the mmapped area */
+ memset(mc_ctx->data_table, 0xff, mc_ctx->dt_size);
+ memset(mc_ctx->free_table, 0x00, mc_ctx->ft_size);
+ memset(mc_ctx->hash_table, 0xff, mc_ctx->ht_size);
+
+ sss_mc_header_update(mc_ctx, SSS_MC_HEADER_ALIVE);
+}
diff --git a/src/responder/nss/nsssrv_mmap_cache.h b/src/responder/nss/nsssrv_mmap_cache.h
new file mode 100644
index 0000000..b84fbc8
--- /dev/null
+++ b/src/responder/nss/nsssrv_mmap_cache.h
@@ -0,0 +1,78 @@
+/*
+ SSSD
+
+ NSS Responder - Mmap Cache
+
+ Copyright (C) Simo Sorce 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _NSSSRV_MMAP_CACHE_H_
+#define _NSSSRV_MMAP_CACHE_H_
+
+#define SSS_MC_CACHE_ELEMENTS 50000
+
+struct sss_mc_ctx;
+
+enum sss_mc_type {
+ SSS_MC_NONE = 0,
+ SSS_MC_PASSWD,
+ SSS_MC_GROUP,
+ SSS_MC_INITGROUPS,
+};
+
+errno_t sss_mmap_cache_init(TALLOC_CTX *mem_ctx, const char *name,
+ enum sss_mc_type type, size_t n_elem,
+ time_t valid_time, struct sss_mc_ctx **mcc);
+
+errno_t sss_mmap_cache_pw_store(struct sss_mc_ctx **_mcc,
+ struct sized_string *name,
+ struct sized_string *pw,
+ uid_t uid, gid_t gid,
+ struct sized_string *gecos,
+ struct sized_string *homedir,
+ struct sized_string *shell);
+
+errno_t sss_mmap_cache_gr_store(struct sss_mc_ctx **_mcc,
+ struct sized_string *name,
+ struct sized_string *pw,
+ gid_t gid, size_t memnum,
+ char *membuf, size_t memsize);
+
+errno_t sss_mmap_cache_initgr_store(struct sss_mc_ctx **_mcc,
+ struct sized_string *name,
+ struct sized_string *unique_name,
+ uint32_t num_groups,
+ uint8_t *gids_buf);
+
+errno_t sss_mmap_cache_pw_invalidate(struct sss_mc_ctx *mcc,
+ struct sized_string *name);
+
+errno_t sss_mmap_cache_pw_invalidate_uid(struct sss_mc_ctx *mcc, uid_t uid);
+
+errno_t sss_mmap_cache_gr_invalidate(struct sss_mc_ctx *mcc,
+ struct sized_string *name);
+
+errno_t sss_mmap_cache_gr_invalidate_gid(struct sss_mc_ctx
*mcc, gid_t gid);
+
+errno_t sss_mmap_cache_initgr_invalidate(struct sss_mc_ctx *mcc,
+ struct sized_string *name);
+
+errno_t sss_mmap_cache_reinit(TALLOC_CTX *mem_ctx, size_t n_elem,
+ time_t timeout, struct sss_mc_ctx **mc_ctx);
+
+void sss_mmap_cache_reset(struct sss_mc_ctx *mc_ctx);
+
+#endif /* _NSSSRV_MMAP_CACHE_H_ */
diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c
new file mode 100644
index 0000000..ab61e62
--- /dev/null
+++ b/src/responder/pac/pacsrv.c
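Review bot: The three `*_store` prototypes in nsssrv_mmap_cache.h take `struct sss_mc_ctx **_mcc`, but nothing in the header tells callers that the call may free and replace the context, or leave it NULL. In the accompanying nsssrv_mmap_cache.c, `sss_mc_get_record()` reacts to `EFAULT` by calling `sss_mmap_cache_reinit()`, which does `talloc_free(*mc_ctx)` and sets `*mc_ctx = NULL` before re-creating the cache, so any copy of the old pointer a caller kept is dangling afterwards. A comment above the store functions would make the contract explicit, e.g. `/* *_mcc may be freed and replaced (or left NULL) on a fatal cache error; do not keep a copy of the old pointer across this call. */`.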
@@ -0,0 +1,271 @@
+/*
+ SSSD
+
+ PAC Responder
+
+ Copyright (C) Sumit Bose 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "responder/pac/pacsrv.h"
+#include "db/sysdb.h"
+#include "confdb/confdb.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/responder.h"
+#include "providers/data_provider.h"
+#include "monitor/monitor_interfaces.h"
+#include "sbus/sbus_client.h"
+#include "util/util_sss_idmap.h"
+
+#define SSS_PAC_PIPE_NAME "pac"
+#define DEFAULT_PAC_FD_LIMIT 8192
+#define DEFAULT_ALLOWED_UIDS "0"
+
+struct mon_cli_iface monitor_pac_methods = {
+ { &mon_cli_iface_meta, 0 },
+ .resInit = monitor_common_res_init,
+ .goOffline = NULL,
+ .resetOffline = NULL,
+ .rotateLogs = responder_logrotate,
+ .clearMemcache = NULL,
+ .clearEnumCache = NULL,
+ .sysbusReconnect = NULL,
+};
+
+/* TODO: check if this can be made generic for all responders */
+static void pac_dp_reconnect_init(struct sbus_connection *conn,
+ int status, void *pvt)
+{
+ struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn);
+ int ret;
+
+ /* Did we reconnect successfully?
*/
+ if (status == SBUS_RECONNECT_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Reconnected to the Data Provider.\n");
+
+ /* Identify ourselves to the data provider */
+ ret = rdp_register_client(be_conn, "PAC");
+ /* all fine */
+ if (ret == EOK) {
+ handle_requests_after_reconnect(be_conn->rctx);
+ return;
+ }
+ }
+
+ /* Failed to reconnect */
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n",
+ be_conn->domain->name);
+
+ /* FIXME: kill the frontend and let the monitor restart it? */
+ /* nss_shutdown(rctx); */
+}
+
+int pac_process_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct confdb_ctx *cdb)
+{
+ struct resp_ctx *rctx;
+ struct sss_cmd_table *pac_cmds;
+ struct be_conn *iter;
+ struct pac_ctx *pac_ctx;
+ int ret, max_retries;
+ enum idmap_error_code err;
+ int fd_limit;
+ char *uid_str;
+
+ pac_cmds = get_pac_cmds();
+
+ ret = sss_process_init(mem_ctx, ev, cdb,
+ pac_cmds,
+ SSS_PAC_SOCKET_NAME, -1, NULL, -1,
+ CONFDB_PAC_CONF_ENTRY,
+ PAC_SBUS_SERVICE_NAME,
+ PAC_SBUS_SERVICE_VERSION,
+ &monitor_pac_methods,
+ "PAC", NULL,
+ sss_connection_setup,
+ &rctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n");
+ return ret;
+ }
+
+ pac_ctx = talloc_zero(rctx, struct pac_ctx);
+ if (!pac_ctx) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing pac_ctx\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ pac_ctx->rctx = rctx;
+ pac_ctx->rctx->pvt_ctx = pac_ctx;
+
+
+ ret = confdb_get_string(pac_ctx->rctx->cdb, pac_ctx->rctx,
+ CONFDB_PAC_CONF_ENTRY, CONFDB_SERVICE_ALLOWED_UIDS,
+ DEFAULT_ALLOWED_UIDS, &uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get allowed UIDs.\n");
+ goto fail;
+ }
+
+ ret = csv_string_to_uid_array(pac_ctx->rctx, uid_str, true,
+ &pac_ctx->rctx->allowed_uids_count,
+ &pac_ctx->rctx->allowed_uids);
+ talloc_free(uid_str);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n");
+ goto fail;
+ }
+
+ /* Enable automatic reconnection to
the Data Provider */
+ ret = confdb_get_int(pac_ctx->rctx->cdb,
+ CONFDB_PAC_CONF_ENTRY,
+ CONFDB_SERVICE_RECON_RETRIES,
+ 3, &max_retries);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set up automatic reconnection\n");
+ goto fail;
+ }
+
+ for (iter = pac_ctx->rctx->be_conns; iter; iter = iter->next) {
+ sbus_reconnect_init(iter->conn, max_retries,
+ pac_dp_reconnect_init, iter);
+ }
+
+ err = sss_idmap_init(sss_idmap_talloc, pac_ctx, sss_idmap_talloc_free,
+ &pac_ctx->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "sss_idmap_init failed.\n");
+ ret = EFAULT;
+ goto fail;
+ }
+
+ /* Set up file descriptor limits */
+ ret = confdb_get_int(pac_ctx->rctx->cdb,
+ CONFDB_PAC_CONF_ENTRY,
+ CONFDB_SERVICE_FD_LIMIT,
+ DEFAULT_PAC_FD_LIMIT,
+ &fd_limit);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to set up file descriptor limit\n");
+ goto fail;
+ }
+ responder_set_fd_limit(fd_limit);
+
+ ret = confdb_get_int(pac_ctx->rctx->cdb, CONFDB_PAC_CONF_ENTRY,
+ CONFDB_PAC_LIFETIME, 300,
+ &pac_ctx->pac_lifetime);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to setup negative cache timeout.\n");
+ goto fail;
+ }
+
+ ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n");
+ goto fail;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "PAC Initialization complete\n");
+
+ return EOK;
+
+fail:
+ talloc_free(rctx);
+ return ret;
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ char *opt_logger = NULL;
+ struct main_context *main_ctx;
+ int ret;
+ uid_t uid;
+ gid_t gid;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ SSSD_LOGGER_OPTS
+ SSSD_SERVER_OPTS(uid, gid)
+ SSSD_RESPONDER_OPTS
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used.
*/
+ debug_level = SSSDBG_INVALID;
+
+ umask(DFL_RSP_UMASK);
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+
+ poptFreeContext(pc);
+
+ DEBUG_INIT(debug_level);
+
+ /* set up things like debug, signals, daemonization, etc. */
+ debug_log_file = "sssd_pac";
+
+ sss_set_logger(opt_logger);
+
+ ret = server_setup("sssd[pac]", 0, uid, gid,
+ CONFDB_PAC_CONF_ENTRY, &main_ctx);
+ if (ret != EOK) return 2;
+
+ ret = die_if_parent_died();
+ if (ret != EOK) {
+ /* This is not fatal, don't return */
+ DEBUG(SSSDBG_OP_FAILURE, "Could not set up to exit when parent process does\n");
+ }
+
+ ret = pac_process_init(main_ctx,
+ main_ctx->event_ctx,
+ main_ctx->confdb_ctx);
+ if (ret != EOK) return 3;
+
+ /* loop on main */
+ server_loop(main_ctx);
+
+ return 0;
+}
diff --git a/src/responder/pac/pacsrv.h b/src/responder/pac/pacsrv.h
new file mode 100644
index 0000000..aea16f3
--- /dev/null
+++ b/src/responder/pac/pacsrv.h
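Review bot: In `main()` of pacsrv.c, `uid` and `gid` are declared without initialisers and later passed to `server_setup("sssd[pac]", 0, uid, gid, ...)`. The only thing in the hunk that can assign them is the `SSSD_SERVER_OPTS(uid, gid)` entry of the option table, whose definition is not shown here. If that macro binds them to optional command-line arguments, as its name suggests, a start without those arguments hands indeterminate values to the code that selects the identity the responder runs under. Initialising them makes the default explicit, `uid_t uid = 0;` and `gid_t gid = 0;`, provided 0 is the value `server_setup()` treats as "keep the current identity", which should be confirmed against its implementation.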
@@ -0,0 +1,42 @@
+/*
+ SSSD
+
+ PAC Responder, header file
+
+ Copyright (C) Sumit Bose 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __PACSRV_H__
+#define __PACSRV_H__
+
+#include "config.h"
+
+#include "responder/common/responder_packet.h"
+#include "responder/common/responder.h"
+#include "responder/common/responder_sbus.h"
+#include "lib/idmap/sss_idmap.h"
+
+struct pac_ctx {
+ struct resp_ctx *rctx;
+ struct sss_idmap_ctx *idmap_ctx;
+ struct dom_sid *my_dom_sid;
+ struct local_mapping_ranges *range_map;
+ int pac_lifetime;
+};
+
+struct sss_cmd_table *get_pac_cmds(void);
+
+#endif /* __PACSRV_H__ */
diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c
new file mode 100644
index 0000000..e3aab88
--- /dev/null
+++ b/src/responder/pac/pacsrv_cmd.c
@@ -0,0 +1,295 @@ +/* + SSSD + + PAC Responder + + Copyright (C) Sumit Bose 2012, 2016 + Jan Zeleny 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "responder/pac/pacsrv.h" +#include "responder/common/cache_req/cache_req.h" +#include "confdb/confdb.h" + +#include "providers/ad/ad_pac.h" + +static errno_t pac_cmd_done(struct cli_ctx *cctx, int cmd_ret) +{ + struct cli_protocol *pctx; + int ret; + + if (cmd_ret == EAGAIN) { + /* async processing, just return here */ + return EOK; + } + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + + ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_new failed [%d][%s].\n", + ret, strerror(ret)); + return ret; + } + + sss_packet_set_error(pctx->creq->out, cmd_ret); + + sss_cmd_done(cctx, NULL); + + return EOK; +} + +struct pac_req_ctx { + struct cli_ctx *cctx; + struct pac_ctx *pac_ctx; + const char *domain_name; + struct sss_domain_info *dom; + + uint8_t *blob; + size_t blen; + + struct PAC_LOGON_INFO *logon_info; + + char *user_sid_str; + char *user_dom_sid_str; +}; + +static errno_t pac_resolve_user_sid_next(struct pac_req_ctx *pr_ctx); +static void pac_resolve_user_sid_done(struct tevent_req *req); +static void pac_get_domains_done(struct tevent_req *req); + +static errno_t pac_add_pac_user(struct cli_ctx *cctx) +{ + 
int ret; + uint8_t *body; + size_t blen; + struct pac_req_ctx *pr_ctx; + struct tevent_req *req; + enum idmap_error_code err; + struct cli_protocol *pctx; + + pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &blen); + + pr_ctx = talloc_zero(cctx, struct pac_req_ctx); + if (pr_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + pr_ctx->cctx = cctx; + pr_ctx->blob = body; + pr_ctx->blen = blen; + + pr_ctx->pac_ctx = talloc_get_type(cctx->rctx->pvt_ctx, struct pac_ctx); + if (pr_ctx->pac_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot find pac responder context.\n"); + return EINVAL; + } + + ret = ad_get_data_from_pac(pr_ctx, body, blen, + &pr_ctx->logon_info); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "ad_get_data_from_pac failed.\n"); + goto done; + } + + pr_ctx->domain_name = pr_ctx->logon_info->info3.base.logon_domain.string; + if (pr_ctx->domain_name == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "No domain name in PAC\n"); + ret = EINVAL; + goto done; + } + + err = sss_idmap_smb_sid_to_sid(pr_ctx->pac_ctx->idmap_ctx, + pr_ctx->logon_info->info3.base.domain_sid, + &pr_ctx->user_dom_sid_str); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n"); + ret = EFAULT; + goto done; + } + + talloc_steal(pr_ctx, pr_ctx->user_dom_sid_str); + + pr_ctx->user_sid_str = talloc_asprintf(pr_ctx, "%s-%"PRIu32, + pr_ctx->user_dom_sid_str, + pr_ctx->logon_info->info3.base.rid); + if (pr_ctx->user_sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str, + &pr_ctx->dom); + if (ret == EAGAIN || ret == ENOENT) { + req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, + pr_ctx->domain_name); + if (req == NULL) { + ret = ENOMEM; + } else { + tevent_req_set_callback(req, pac_get_domains_done, pr_ctx); + ret = 
EAGAIN; + } + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "responder_get_domain_by_id failed.\n"); + goto done; + } + + ret = pac_resolve_user_sid_next(pr_ctx); + +done: + if (ret != EAGAIN) { + talloc_free(pr_ctx); + } + return pac_cmd_done(cctx, ret); +} + +static void pac_get_domains_done(struct tevent_req *req) +{ + struct pac_req_ctx *pr_ctx = tevent_req_callback_data(req, + struct pac_req_ctx); + struct cli_ctx *cctx = pr_ctx->cctx; + int ret; + + ret = sss_dp_get_domains_recv(req); + talloc_free(req); + if (ret != EOK) { + goto done; + } + + ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str, + &pr_ctx->dom); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Corresponding domain [%s] has not been " + "found\n", pr_ctx->user_dom_sid_str); + ret = ENOENT; + goto done; + } + + ret = pac_resolve_user_sid_next(pr_ctx); + +done: + if (ret != EAGAIN) { + talloc_free(pr_ctx); + } + pac_cmd_done(cctx, ret); +} + +static errno_t pac_resolve_user_sid_next(struct pac_req_ctx *pr_ctx) +{ + int ret; + struct tevent_req *req; + const char *pw_attrs[] = SYSDB_PW_ATTRS; + + + req = cache_req_object_by_sid_send(pr_ctx, pr_ctx->cctx->ev, + pr_ctx->cctx->rctx, + pr_ctx->pac_ctx->rctx->ncache, + 0, pr_ctx->dom->name, + pr_ctx->user_sid_str, + pw_attrs); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "cache_req_object_by_sid_send failed.\n"); + return ENOMEM; + } + + tevent_req_set_callback(req, pac_resolve_user_sid_done, pr_ctx); + + ret = EAGAIN; + + + return ret; +} + +static void pac_resolve_user_sid_done(struct tevent_req *req) +{ + struct pac_req_ctx *pr_ctx = tevent_req_callback_data(req, + struct pac_req_ctx); + struct cli_ctx *cctx = pr_ctx->cctx; + errno_t ret; + struct cache_req_result *result; + struct sysdb_attrs *user_attrs; + + ret = cache_req_object_by_sid_recv(pr_ctx, req, &result); + talloc_zfree(req); + + if (ret != EOK) { + talloc_free(pr_ctx); + pac_cmd_done(cctx, ret); + return; + } + + user_attrs = 
sysdb_new_attrs(pr_ctx); + if (user_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_mem(user_attrs, SYSDB_PAC_BLOB, pr_ctx->blob, + pr_ctx->blen); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_mem failed"); + goto done; + } + + ret = sysdb_attrs_add_time_t(user_attrs, SYSDB_PAC_BLOB_EXPIRE, + (time(NULL) + pr_ctx->pac_ctx->pac_lifetime)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_time_t failed"); + goto done; + } + + ret = sysdb_set_entry_attr(result->domain->sysdb, + result->msgs[0]->dn, user_attrs, + SYSDB_MOD_REP); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); + goto done; + } + +done: + talloc_free(pr_ctx); + pac_cmd_done(cctx, ret); + return; +} + + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version pac_cli_protocol_version[] = { + {1, "2011-04-12", "initial version"}, + {0, NULL, NULL} + }; + + return pac_cli_protocol_version; +} + +static struct sss_cmd_table pac_cmds[] = { + {SSS_GET_VERSION, sss_cmd_get_version}, + {SSS_PAC_ADD_PAC_USER, pac_add_pac_user}, + {SSS_CLI_NULL, NULL} +}; + +struct sss_cmd_table *get_pac_cmds(void) { + return pac_cmds; +} diff --git a/src/responder/pam/pam_LOCAL_domain.c b/src/responder/pam/pam_LOCAL_domain.c new file mode 100644 index 0000000..ad16351 --- /dev/null +++ b/src/responder/pam/pam_LOCAL_domain.c 
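Review bot: pac_add_pac_user takes the request body as the PAC blob and pac_resolve_user_sid_done writes it unchanged into the cached user entry with SYSDB_MOD_REP, yet nothing in pacsrv_cmd.c checks who the caller is or whether the PAC is authentic. ad_get_data_from_pac is not visible here, so this hunk does not show whether it validates anything beyond structure. If the protection is a caller restriction enforced at connection setup, a comment above pac_add_pac_user should say so, e.g. `/* Caller must already be authorised by the responder; the PAC is stored as received. */`. Separately, the `return EINVAL;` after the pac_ctx lookup bypasses the `done:` path that frees pr_ctx and calls pac_cmd_done; `ret = EINVAL; goto done;` would match the later error branches. The DEBUG strings `sysdb_attrs_add_mem failed` and `sysdb_attrs_add_time_t failed` are missing their trailing `\n`.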
@@ -0,0 +1,351 @@ +/* + SSSD + + PAM e credentials + + Copyright (C) Sumit Bose 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "util/crypto/sss_crypto.h" +#include "providers/data_provider.h" +#include "responder/pam/pamsrv.h" + + +#define NULL_CHECK_OR_JUMP(var, msg, ret, err, label) do { \ + if (var == NULL) { \ + DEBUG(SSSDBG_CRIT_FAILURE, msg); \ + ret = (err); \ + goto label; \ + } \ +} while(0) + +#define NEQ_CHECK_OR_JUMP(var, val, msg, ret, err, label) do { \ + if (var != (val)) { \ + DEBUG(SSSDBG_CRIT_FAILURE, msg); \ + ret = (err); \ + goto label; \ + } \ +} while(0) + + +struct LOCAL_request { + struct tevent_context *ev; + struct sysdb_ctx *dbctx; + struct sss_domain_info *domain; + struct sysdb_attrs *mod_attrs; + + struct ldb_result *res; + int error; + + struct pam_auth_req *preq; +}; + +static void prepare_reply(struct LOCAL_request *lreq) +{ + struct pam_data *pd; + + pd = lreq->preq->pd; + + if (lreq->error != EOK && pd->pam_status == PAM_SUCCESS) + pd->pam_status = PAM_SYSTEM_ERR; + + lreq->preq->callback(lreq->preq); +} + +static void do_successful_login(struct LOCAL_request *lreq) +{ + int ret; + + lreq->mod_attrs = sysdb_new_attrs(lreq); + NULL_CHECK_OR_JUMP(lreq->mod_attrs, "sysdb_new_attrs failed.\n", + lreq->error, ENOMEM, done); + + ret = sysdb_attrs_add_long(lreq->mod_attrs, + SYSDB_LAST_LOGIN, 
(long)time(NULL)); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_attrs_add_long failed.\n", + lreq->error, ret, done); + + ret = sysdb_attrs_add_long(lreq->mod_attrs, SYSDB_FAILED_LOGIN_ATTEMPTS, 0L); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_attrs_add_long failed.\n", + lreq->error, ret, done); + + ret = sysdb_set_user_attr(lreq->domain, + lreq->preq->pd->user, + lreq->mod_attrs, SYSDB_MOD_REP); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_set_user_attr failed.\n", + lreq->error, ret, done); + +done: + return; +} + +static void do_failed_login(struct LOCAL_request *lreq) +{ + int ret; + int failedLoginAttempts; + struct pam_data *pd; + + pd = lreq->preq->pd; + pd->pam_status = PAM_AUTH_ERR; +/* TODO: maybe add more intelligent delay calculation */ + pd->response_delay = 3; + + lreq->mod_attrs = sysdb_new_attrs(lreq); + NULL_CHECK_OR_JUMP(lreq->mod_attrs, "sysdb_new_attrs failed.\n", + lreq->error, ENOMEM, done); + + ret = sysdb_attrs_add_long(lreq->mod_attrs, + SYSDB_LAST_FAILED_LOGIN, (long)time(NULL)); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_attrs_add_long failed.\n", + lreq->error, ret, done); + + failedLoginAttempts = ldb_msg_find_attr_as_int(lreq->res->msgs[0], + SYSDB_FAILED_LOGIN_ATTEMPTS, + 0); + failedLoginAttempts++; + + ret = sysdb_attrs_add_long(lreq->mod_attrs, + SYSDB_FAILED_LOGIN_ATTEMPTS, + (long)failedLoginAttempts); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_attrs_add_long failed.\n", + lreq->error, ret, done); + + ret = sysdb_set_user_attr(lreq->domain, + lreq->preq->pd->user, + lreq->mod_attrs, SYSDB_MOD_REP); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_set_user_attr failed.\n", + lreq->error, ret, done); + +done: + return; +} + +static void do_pam_acct_mgmt(struct LOCAL_request *lreq) +{ + const char *disabled; + struct pam_data *pd; + + pd = lreq->preq->pd; + + disabled = ldb_msg_find_attr_as_string(lreq->res->msgs[0], + SYSDB_DISABLED, NULL); + if ((disabled != NULL) && + (strncasecmp(disabled, "false",5) != 0) && + (strncasecmp(disabled, "no",2) != 0) ) { + pd->pam_status = 
PAM_PERM_DENIED; + } +} + +static void do_pam_chauthtok(struct LOCAL_request *lreq) +{ + int ret; + const char *password; + char *salt; + char *new_hash; + struct pam_data *pd; + + pd = lreq->preq->pd; + + ret = sss_authtok_get_password(pd->newauthtok, &password, NULL); + if (ret) { + /* TODO: should we allow null passwords via a config option? */ + if (ret == ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Empty passwords are not allowed!\n"); + } + lreq->error = EINVAL; + goto done; + } + + ret = s3crypt_gen_salt(lreq, &salt); + NEQ_CHECK_OR_JUMP(ret, EOK, "Salt generation failed.\n", + lreq->error, ret, done); + DEBUG(SSSDBG_CONF_SETTINGS, "Using salt [%s]\n", salt); + + ret = s3crypt_sha512(lreq, password, salt, &new_hash); + NEQ_CHECK_OR_JUMP(ret, EOK, "Hash generation failed.\n", + lreq->error, ret, done); + DEBUG(SSSDBG_CONF_SETTINGS, "New hash [%s]\n", new_hash); + + lreq->mod_attrs = sysdb_new_attrs(lreq); + NULL_CHECK_OR_JUMP(lreq->mod_attrs, "sysdb_new_attrs failed.\n", + lreq->error, ENOMEM, done); + + ret = sysdb_attrs_add_string(lreq->mod_attrs, SYSDB_PWD, new_hash); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_attrs_add_string failed.\n", + lreq->error, ret, done); + + ret = sysdb_attrs_add_long(lreq->mod_attrs, + "lastPasswordChange", (long)time(NULL)); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_attrs_add_long failed.\n", + lreq->error, ret, done); + + ret = sysdb_set_user_attr(lreq->domain, + lreq->preq->pd->user, + lreq->mod_attrs, SYSDB_MOD_REP); + NEQ_CHECK_OR_JUMP(ret, EOK, "sysdb_set_user_attr failed.\n", + lreq->error, ret, done); + +done: + sss_authtok_set_empty(pd->newauthtok); +} + +int LOCAL_pam_handler(struct pam_auth_req *preq) +{ + struct LOCAL_request *lreq; + static const char *attrs[] = {SYSDB_NAME, + SYSDB_PWD, + SYSDB_DISABLED, + SYSDB_LAST_LOGIN, + "lastPasswordChange", + "accountExpires", + SYSDB_FAILED_LOGIN_ATTEMPTS, + "passwordHint", + "passwordHistory", + SYSDB_LAST_FAILED_LOGIN, + NULL}; + struct ldb_result *res; + const char *username = NULL; + 
const char *pwdhash = NULL; + char *new_hash = NULL; + const char *password; + struct pam_data *pd = preq->pd; + int ret; + + DEBUG(SSSDBG_CONF_SETTINGS, "LOCAL pam handler.\n"); + + lreq = talloc_zero(preq, struct LOCAL_request); + if (!lreq) { + return ENOMEM; + } + + lreq->dbctx = preq->domain->sysdb; + if (lreq->dbctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Fatal: Sysdb CTX not found for this domain!\n"); + talloc_free(lreq); + return ENOENT; + } + lreq->domain = preq->domain; + lreq->ev = preq->cctx->ev; + lreq->preq = preq; + + pd->pam_status = PAM_SUCCESS; + + ret = sysdb_get_user_attr(lreq, preq->domain, preq->pd->user, attrs, + &res); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_get_user_attr failed.\n"); + talloc_free(lreq); + return ret; + } + + if (res->count < 1) { + DEBUG(SSSDBG_CONF_SETTINGS, + "No user found with filter ["SYSDB_PWNAM_FILTER"]\n", + pd->user, pd->user, pd->user); + pd->pam_status = PAM_USER_UNKNOWN; + goto done; + } else if (res->count > 1) { + DEBUG(SSSDBG_CONF_SETTINGS, + "More than one object found with filter ["SYSDB_PWNAM_FILTER"]\n", + pd->user, pd->user, pd->user); + lreq->error = EFAULT; + goto done; + } + + username = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL); + if (strcmp(username, pd->user) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected username [%s] get [%s].\n", pd->user, username); + lreq->error = EINVAL; + goto done; + } + + lreq->res = res; + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + case SSS_PAM_CHAUTHTOK: + case SSS_PAM_CHAUTHTOK_PRELIM: + if ((pd->cmd == SSS_PAM_CHAUTHTOK || + pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) && + lreq->preq->cctx->priv == 1) { +/* TODO: maybe this is a candidate for an explicit audit message. 
*/ + DEBUG(SSSDBG_CONF_SETTINGS, + "allowing root to reset a password.\n"); + break; + } + ret = sss_authtok_get_password(pd->authtok, &password, NULL); + NEQ_CHECK_OR_JUMP(ret, EOK, "Failed to get password.\n", + lreq->error, ret, done); + + pwdhash = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_PWD, NULL); + NULL_CHECK_OR_JUMP(pwdhash, "No password stored.\n", + lreq->error, LDB_ERR_NO_SUCH_ATTRIBUTE, done); + DEBUG(SSSDBG_CONF_SETTINGS, + "user: [%s], password hash: [%s]\n", username, pwdhash); + + ret = s3crypt_sha512(lreq, password, pwdhash, &new_hash); + NEQ_CHECK_OR_JUMP(ret, EOK, "nss_sha512_crypt failed.\n", + lreq->error, ret, done); + + DEBUG(SSSDBG_CONF_SETTINGS, + "user: [%s], new hash: [%s]\n", username, new_hash); + + if (strcmp(new_hash, pwdhash) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Passwords do not match.\n"); + do_failed_login(lreq); + goto done; + } + + break; + } + + switch (pd->cmd) { + case SSS_PAM_AUTHENTICATE: + do_successful_login(lreq); + break; + case SSS_PAM_CHAUTHTOK: + do_pam_chauthtok(lreq); + break; + case SSS_PAM_ACCT_MGMT: + do_pam_acct_mgmt(lreq); + break; + case SSS_PAM_SETCRED: + break; + case SSS_PAM_OPEN_SESSION: + break; + case SSS_PAM_CLOSE_SESSION: + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + break; + default: + lreq->error = EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown PAM task [%d].\n", pd->cmd); + } + +done: + sss_authtok_set_empty(pd->newauthtok); + sss_authtok_set_empty(pd->authtok); + prepare_reply(lreq); + return EOK; +} + diff --git a/src/responder/pam/pam_helpers.c b/src/responder/pam/pam_helpers.c new file mode 100644 index 0000000..2b931bd --- /dev/null +++ b/src/responder/pam/pam_helpers.c 
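Review bot: Password hashes and salts are written to the debug log. do_pam_chauthtok logs `Using salt [%s]` and `New hash [%s]`, and LOCAL_pam_handler logs `password hash: [%s]` and `new hash: [%s]`, the last of which is derived from the password the client just submitted. That exposes credential-equivalent material to anyone who can read the responder's log, so these four DEBUG calls should drop the value, e.g. `DEBUG(SSSDBG_CONF_SETTINGS, "user: [%s], stored password hash found\n", username);`. In LOCAL_pam_handler, `username` is fetched with a NULL default and passed straight to strcmp; a guard such as `if (username == NULL) { lreq->error = EINVAL; goto done; }` would avoid a NULL dereference on an entry without a name attribute. The hash check `strcmp(new_hash, pwdhash)` stops at the first differing byte, so a constant-time comparison is preferable if the tree provides one.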
@@ -0,0 +1,156 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#include "src/responder/pam/pam_helpers.h" + +struct pam_initgr_table_ctx { + hash_table_t *id_table; + char *name; +}; + +static void pam_initgr_cache_remove(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, + void *pvt); + +errno_t pam_initgr_cache_set(struct tevent_context *ev, + hash_table_t *id_table, + char *name, + long timeout) +{ + errno_t ret; + hash_key_t key; + hash_value_t val; + int hret; + struct tevent_timer *te; + struct timeval tv; + struct pam_initgr_table_ctx *table_ctx; + + table_ctx = talloc_zero(id_table, struct pam_initgr_table_ctx); + if (!table_ctx) return ENOMEM; + + table_ctx->id_table = id_table; + table_ctx->name = talloc_strdup(table_ctx, name); + if (!table_ctx->name) { + ret = ENOMEM; + goto done; + } + + key.type = HASH_KEY_STRING; + key.str = name; + + /* The value isn't relevant, since we're using + * a timer to remove the entry. 
+ */ + val.type = HASH_VALUE_UNDEF; + + hret = hash_enter(id_table, &key, &val); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not update initgr cache for [%s]: [%s]\n", + name, hash_error_string(hret)); + ret = EIO; + goto done; + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, + "[%s] added to PAM initgroup cache\n", + name); + } + + /* Create a timer event to remove the entry from the cache */ + tv = tevent_timeval_current_ofs(timeout, 0); + te = tevent_add_timer(ev, table_ctx, tv, + pam_initgr_cache_remove, + table_ctx); + if (!te) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(table_ctx); + } + return ret; +} + +static void pam_initgr_cache_remove(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, + void *pvt) +{ + int hret; + hash_key_t key; + + struct pam_initgr_table_ctx *table_ctx = + talloc_get_type(pvt, struct pam_initgr_table_ctx); + + key.type = HASH_KEY_STRING; + key.str = table_ctx->name; + + hret = hash_delete(table_ctx->id_table, &key); + if (hret != HASH_SUCCESS + && hret != HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not clear [%s] from initgr cache: [%s]\n", + table_ctx->name, + hash_error_string(hret)); + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, + "[%s] removed from PAM initgroup cache\n", + table_ctx->name); + } + + talloc_free(table_ctx); +} + +errno_t pam_initgr_check_timeout(hash_table_t *id_table, + char *name) +{ + hash_key_t key; + hash_value_t val; + int hret; + + key.type = HASH_KEY_STRING; + key.str = name; + + hret = hash_lookup(id_table, &key, &val); + if (hret != HASH_SUCCESS + && hret != HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_TRACE_ALL, "Error searching user [%s] in PAM cache.\n", + name); + return EIO; + } else if (hret == HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_TRACE_ALL, "User [%s] not found in PAM cache.\n", name); + return ENOENT; + } + + /* If there's a value here, then the cache + * entry is still valid. 
+ */
+ DEBUG(SSSDBG_TRACE_INTERNAL, "User [%s] found in PAM cache.\n", name);
+ return EOK;
+}
+
diff --git a/src/responder/pam/pam_helpers.h b/src/responder/pam/pam_helpers.h
new file mode 100644
index 0000000..6143897
--- /dev/null
+++ b/src/responder/pam/pam_helpers.h
@@ -0,0 +1,40 @@
+/*
+ SSSD
+
+ Authors:
+ Stephen Gallagher
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef PAM_HELPERS_H_
+#define PAM_HELPERS_H_
+
+#include "util/util.h"
+
+errno_t pam_initgr_cache_set(struct tevent_context *ev,
+ hash_table_t *id_table,
+ char *name,
+ long timeout);
+
+/* Returns EOK if the cache is still valid
+ * Returns ENOENT if the user is not found or is expired
+ * May report other errors if the hash lookup fails.
+ */
+errno_t pam_initgr_check_timeout(hash_table_t *id_table,
+ char *name);
+
+#endif /* PAM_HELPERS_H_ */
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
new file mode 100644
index 0000000..4ddd1d0
--- /dev/null
+++ b/src/responder/pam/pamsrv.c
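Review bot: In pam_initgr_cache_set of pam_helpers.c, when tevent_add_timer fails the function frees table_ctx and returns ENOMEM, but the entry already added by hash_enter stays in id_table with no timer left to remove it. pam_initgr_check_timeout treats any entry it finds as still valid, so that user's initgroups cache entry would not expire for the life of the table. Removing the key on that path, `hash_delete(id_table, &key);` before `ret = ENOMEM; goto done;`, keeps the table and the timers in step. `timeout` is a signed long passed to tevent_timeval_current_ofs with no range check, so a comment on the prototype stating that callers must pass a non-negative value would help.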
@@ -0,0 +1,454 @@ +/* + SSSD + + PAM Responder + + Copyright (C) Simo Sorce 2009 + Copyright (C) Sumit Bose 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "config.h" +#include "util/util.h" +#include "db/sysdb.h" +#include "confdb/confdb.h" +#include "sbus/sssd_dbus.h" +#include "responder/common/responder_packet.h" +#include "providers/data_provider.h" +#include "monitor/monitor_interfaces.h" +#include "sbus/sbus_client.h" +#include "responder/pam/pamsrv.h" +#include "responder/common/negcache.h" +#include "responder/common/responder_sbus.h" + +#define DEFAULT_PAM_FD_LIMIT 8192 +#define ALL_UIDS_ALLOWED "all" +#define ALL_DOMAINS_ARE_PUBLIC "all" +#define NO_DOMAINS_ARE_PUBLIC "none" +#define DEFAULT_ALLOWED_UIDS ALL_UIDS_ALLOWED +#define DEFAULT_PAM_CERT_AUTH false +#ifdef HAVE_NSS +#define DEFAULT_PAM_CERT_DB_PATH SYSCONFDIR"/pki/nssdb" +#else +#define DEFAULT_PAM_CERT_DB_PATH SYSCONFDIR"/sssd/pki/sssd_auth_ca_db.pem" +#endif + +struct mon_cli_iface monitor_pam_methods = { + { &mon_cli_iface_meta, 0 }, + .resInit = monitor_common_res_init, + .goOffline = NULL, + .resetOffline = NULL, + .rotateLogs = responder_logrotate, + .clearMemcache = NULL, + .clearEnumCache = NULL, + .sysbusReconnect = NULL, +}; + +static void pam_dp_reconnect_init(struct sbus_connection *conn, int 
status, void *pvt) +{ + struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn); + int ret; + + /* Did we reconnect successfully? */ + if (status == SBUS_RECONNECT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Reconnected to the Data Provider.\n"); + + /* Identify ourselves to the data provider */ + ret = rdp_register_client(be_conn, "PAM"); + /* all fine */ + if (ret == EOK) { + handle_requests_after_reconnect(be_conn->rctx); + return; + } + } + + /* Handle failure */ + DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n", + be_conn->domain->name); + + /* FIXME: kill the frontend and let the monitor restart it? */ + /* pam_shutdown(rctx); */ +} + +static errno_t get_trusted_uids(struct pam_ctx *pctx) +{ + char *uid_str; + errno_t ret; + + ret = confdb_get_string(pctx->rctx->cdb, pctx->rctx, + CONFDB_PAM_CONF_ENTRY, CONFDB_PAM_TRUSTED_USERS, + DEFAULT_ALLOWED_UIDS, &uid_str); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get allowed UIDs.\n"); + goto done; + } + + if (strcmp(uid_str, ALL_UIDS_ALLOWED) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "All UIDs are allowed.\n"); + pctx->trusted_uids_count = 0; + } else { + ret = csv_string_to_uid_array(pctx->rctx, uid_str, true, + &pctx->trusted_uids_count, + &pctx->trusted_uids); + } + + talloc_free(uid_str); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set allowed UIDs.\n"); + goto done; + } + +done: + return ret; +} + +static errno_t get_public_domains(struct pam_ctx *pctx) +{ + char *domains_str = NULL; + errno_t ret; + + ret = confdb_get_string(pctx->rctx->cdb, pctx->rctx, + CONFDB_PAM_CONF_ENTRY, CONFDB_PAM_PUBLIC_DOMAINS, + NO_DOMAINS_ARE_PUBLIC, &domains_str); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get allowed UIDs.\n"); + goto done; + } + + if (strcmp(domains_str, ALL_DOMAINS_ARE_PUBLIC) == 0) { /* all */ + /* copy all domains */ + ret = get_dom_names(pctx, + pctx->rctx->domains, + &pctx->public_domains, + &pctx->public_domains_count); + if (ret != EOK) 
{ + DEBUG(SSSDBG_FATAL_FAILURE, "get_dom_names failed.\n"); + goto done; + } + } else if (strcmp(domains_str, NO_DOMAINS_ARE_PUBLIC) == 0) { /* none */ + pctx->public_domains = NULL; + pctx->public_domains_count = 0; + } else { + ret = split_on_separator(pctx, domains_str, ',', true, false, + &pctx->public_domains, + &pctx->public_domains_count); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "split_on_separator failed [%d][%s].\n", + ret, strerror(ret)); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(domains_str); + return ret; +} + +static errno_t get_app_services(struct pam_ctx *pctx) +{ + errno_t ret; + + ret = confdb_get_string_as_list(pctx->rctx->cdb, pctx, + CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_APP_SERVICES, + &pctx->app_services); + if (ret == ENOENT) { + pctx->app_services = talloc_zero_array(pctx, char *, 1); + if (pctx->app_services == NULL) { + return ENOMEM; + } + /* Allocating an empty array makes it easier for the consumer + * to iterate over it + */ + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot read "CONFDB_PAM_APP_SERVICES" [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + return EOK; +} + +static int pam_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb, + int pipe_fd, int priv_pipe_fd) +{ + struct resp_ctx *rctx; + struct sss_cmd_table *pam_cmds; + struct be_conn *iter; + struct pam_ctx *pctx; + int ret, max_retries; + int id_timeout; + int fd_limit; + + pam_cmds = get_pam_cmds(); + ret = sss_process_init(mem_ctx, ev, cdb, + pam_cmds, + SSS_PAM_SOCKET_NAME, pipe_fd, + SSS_PAM_PRIV_SOCKET_NAME, priv_pipe_fd, + CONFDB_PAM_CONF_ENTRY, + SSS_PAM_SBUS_SERVICE_NAME, + SSS_PAM_SBUS_SERVICE_VERSION, + &monitor_pam_methods, + "PAM", NULL, + sss_connection_setup, + &rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n"); + return ret; + } + + pctx = talloc_zero(rctx, struct pam_ctx); + if (!pctx) { + ret = ENOMEM; + goto done; + } + + 
pctx->rctx = rctx; + pctx->rctx->pvt_ctx = pctx; + + ret = get_trusted_uids(pctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "get_trusted_uids failed: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = get_public_domains(pctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "get_public_domains failed: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = get_app_services(pctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "get_app_services failed: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Enable automatic reconnection to the Data Provider */ + + /* FIXME: "retries" is too generic, either get it from a global config + * or specify these retries are about the sbus connections to DP */ + ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, + CONFDB_SERVICE_RECON_RETRIES, 3, &max_retries); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up automatic reconnection\n"); + goto done; + } + + for (iter = pctx->rctx->be_conns; iter; iter = iter->next) { + sbus_reconnect_init(iter->conn, max_retries, + pam_dp_reconnect_init, iter); + } + + /* Set up the PAM identity timeout */ + ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_ID_TIMEOUT, 5, + &id_timeout); + if (ret != EOK) goto done; + + pctx->id_timeout = (size_t)id_timeout; + + ret = sss_ncache_prepopulate(pctx->rctx->ncache, cdb, pctx->rctx); + if (ret != EOK) { + goto done; + } + + /* Create table for initgroup lookups */ + ret = sss_hash_create(pctx, 10, &pctx->id_table); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not create initgroups hash table: [%s]\n", + strerror(ret)); + goto done; + } + + /* Set up file descriptor limits */ + ret = confdb_get_int(pctx->rctx->cdb, + CONFDB_PAM_CONF_ENTRY, + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_PAM_FD_LIMIT, + &fd_limit); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up file descriptor limit\n"); + goto done; + } + 
responder_set_fd_limit(fd_limit); + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, pctx->rctx->ncache); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto done; + } + + /* Check if certificate based authentication is enabled */ + ret = confdb_get_bool(pctx->rctx->cdb, + CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_CERT_AUTH, + DEFAULT_PAM_CERT_AUTH, + &pctx->cert_auth); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to determine get cert db path.\n"); + goto done; + } + + pctx->p11_child_debug_fd = -1; + if (pctx->cert_auth) { + ret = p11_child_init(pctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "p11_child_init failed.\n"); + goto done; + } + + ret = confdb_get_string(pctx->rctx->cdb, pctx, + CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_CERT_DB_PATH, + DEFAULT_PAM_CERT_DB_PATH, + &pctx->nss_db); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to determine if certificate based authentication is " \ + "enabled or not.\n"); + goto done; + } + + ret = create_preauth_indicator(); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to create pre-authentication indicator file, " + "Smartcard authentication might not work as expected.\n"); + } + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(rctx); + } + return ret; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; + gid_t gid; + int pipe_fd = -1; + int priv_pipe_fd = -1; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + umask(DFL_RSP_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = "sssd_pam"; + + sss_set_logger(opt_logger); + + if (!is_socket_activated()) { + /* Create pipe file descriptors here before privileges are dropped + * in server_setup() */ + ret = create_pipe_fd(SSS_PAM_SOCKET_NAME, &pipe_fd, SCKT_RSP_UMASK); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "create_pipe_fd failed [%d]: %s.\n", + ret, sss_strerror(ret)); + return 2; + } + + ret = create_pipe_fd(SSS_PAM_PRIV_SOCKET_NAME, &priv_pipe_fd, + DFL_RSP_UMASK); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "create_pipe_fd failed (privileged pipe) [%d]: %s.\n", + ret, sss_strerror(ret)); + return 2; + } + } + + ret = server_setup("sssd[pam]", 0, uid, gid, CONFDB_PAM_CONF_ENTRY, &main_ctx); + if (ret != EOK) return 2; + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, + "Could not set up to exit when parent process does\n"); + } + + ret = pam_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx, + pipe_fd, priv_pipe_fd); + if (ret != EOK) return 3; + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} + diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h new file mode 100644 index 0000000..dfd9821 --- /dev/null +++ b/src/responder/pam/pamsrv.h 
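Review bot: pam_process_init stores the configured identity timeout with `pctx->id_timeout = (size_t)id_timeout;` without checking its sign, although confdb_get_int fills a plain int and the field is declared `time_t` in pamsrv.h. A negative configured value would be converted through size_t, and what the initgroups cache then does with it depends on code outside this hunk. Rejecting it here is simpler: `if (id_timeout < 0) { ret = EINVAL; goto done; }` followed by `pctx->id_timeout = id_timeout;`. The failure branch of that confdb_get_int also jumps to `done` without a DEBUG message. Two fatal messages are mislabelled: get_public_domains reports `Failed to get allowed UIDs.`, and the CONFDB_PAM_CERT_AUTH and CONFDB_PAM_CERT_DB_PATH lookups carry each other's text.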
@@ -0,0 +1,132 @@
+/*
+ Authors:
+ Simo Sorce
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __PAMSRV_H__
+#define __PAMSRV_H__
+
+#include
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/common/responder.h"
+#include "responder/common/cache_req/cache_req.h"
+#include "lib/certmap/sss_certmap.h"
+
+struct pam_auth_req;
+
+typedef void (pam_dp_callback_t)(struct pam_auth_req *preq);
+
+struct pam_ctx {
+ struct resp_ctx *rctx;
+ time_t id_timeout;
+ hash_table_t *id_table;
+ size_t trusted_uids_count;
+ uid_t *trusted_uids;
+
+ /* List of domains that are accessible even for untrusted users. */
+ char **public_domains;
+ int public_domains_count;
+
+ /* What services are permitted to access application domains */
+ char **app_services;
+
+ bool cert_auth;
+ int p11_child_debug_fd;
+ char *nss_db;
+ struct sss_certmap_ctx *sss_certmap_ctx;
+};
+
+struct pam_auth_dp_req {
+ struct pam_auth_req *preq;
+};
+
+struct pam_auth_req {
+ struct cli_ctx *cctx;
+ struct sss_domain_info *domain;
+ enum cache_req_dom_type req_dom_type;
+
+ struct pam_data *pd;
+
+ pam_dp_callback_t *callback;
+
+ bool is_uid_trusted;
+ void *data;
+ bool use_cached_auth;
+ /* whether cached authentication was tried and failed */
+ bool cached_auth_failed;
+
+ struct pam_auth_dp_req *dpreq_spy;
+
+ struct ldb_message *user_obj;
+ struct cert_auth_info *cert_list;
+ struct cert_auth_info *current_cert;
+ bool cert_auth_local;
+};
+
+struct sss_cmd_table *get_pam_cmds(void);
+
+int pam_dp_send_req(struct pam_auth_req *preq, int timeout);
+
+int LOCAL_pam_handler(struct pam_auth_req *preq);
+
+errno_t p11_child_init(struct pam_ctx *pctx);
+
+struct cert_auth_info;
+const char *sss_cai_get_cert(struct cert_auth_info *i);
+const char *sss_cai_get_token_name(struct cert_auth_info *i);
+const char *sss_cai_get_module_name(struct cert_auth_info *i);
+const char *sss_cai_get_key_id(struct cert_auth_info *i);
+const char *sss_cai_get_label(struct cert_auth_info *i);
+struct cert_auth_info *sss_cai_get_next(struct cert_auth_info *i);
+struct ldb_result *sss_cai_get_cert_user_objs(struct cert_auth_info *i);
+void sss_cai_set_cert_user_objs(struct cert_auth_info *i,
+ struct ldb_result *cert_user_objs);
+void sss_cai_check_users(struct cert_auth_info **list, size_t *_cert_count,
+ size_t *_cert_user_count);
+
+struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int child_debug_fd,
+ const char *nss_db,
+ time_t timeout,
+ const char *verify_opts,
+ struct sss_certmap_ctx *sss_certmap_ctx,
+ struct pam_data *pd);
+errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct cert_auth_info **cert_list);
+
+errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
+ struct cert_auth_info *cert_info,
+ enum response_type type);
+
+bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd);
+
+errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx,
+ struct certmap_info **certmap_list);
+
+errno_t
+pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username,
+ uint64_t value);
+
+errno_t filter_responses(struct confdb_ctx *cdb,
+ struct response_data *resp_list,
+ struct pam_data *pd);
+#endif /* __PAMSRV_H__ */
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
new file mode 100644
index 0000000..94867a0
--- /dev/null
+++ b/src/responder/pam/pamsrv_cmd.c
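Review bot: In pamsrv.h the trust-related members of `struct pam_ctx` and `struct pam_auth_req` are undocumented apart from `public_domains`, so the header does not say how `trusted_uids`, `trusted_uids_count` and `is_uid_trusted` relate to that list. I would add `/* UIDs treated as trusted PAM clients; other callers are limited to public_domains */` above `trusted_uids_count` and `/* true when the client's UID was found in pam_ctx.trusted_uids */` above `is_uid_trusted`, after confirming both against the code that fills them, which is not part of this header. Separately, the guard macro `__PAMSRV_H__` contains a double underscore, which C reserves for the implementation; `PAMSRV_H` would avoid that. `public_domains_count` is an `int` while `trusted_uids_count` is a `size_t`, and using `size_t` for both would keep the two counts consistent.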
@@ -0,0 +1,2311 @@ +/* + SSSD + + PAM Responder + + Copyright (C) Simo Sorce 2009 + Copyright (C) Sumit Bose 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" +#include "util/auth_utils.h" +#include "db/sysdb.h" +#include "confdb/confdb.h" +#include "responder/common/responder_packet.h" +#include "responder/common/responder.h" +#include "responder/common/negcache.h" +#include "providers/data_provider.h" +#include "responder/pam/pamsrv.h" +#include "responder/pam/pam_helpers.h" +#include "responder/common/cache_req/cache_req.h" +#include "db/sysdb.h" + +enum pam_verbosity { + PAM_VERBOSITY_NO_MESSAGES = 0, + PAM_VERBOSITY_IMPORTANT, + PAM_VERBOSITY_INFO, + PAM_VERBOSITY_DEBUG +}; + +#define DEFAULT_PAM_VERBOSITY PAM_VERBOSITY_IMPORTANT + +static errno_t +pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain, + const char *username); +static errno_t +pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain, + const char *name, + uint64_t *_value); + +static void pam_reply(struct pam_auth_req *preq); + +static errno_t check_cert(TALLOC_CTX *mctx, + struct tevent_context *ev, + struct pam_ctx *pctx, + struct pam_auth_req *preq, + struct pam_data *pd); + +static int pam_check_user_done(struct pam_auth_req *preq, int ret); + +static errno_t pack_user_info_msg(TALLOC_CTX *mem_ctx, + const char *user_error_message, + size_t *resp_len, + uint8_t 
**_resp) +{ + uint32_t resp_type = SSS_PAM_USER_INFO_ACCOUNT_EXPIRED; + size_t err_len; + uint8_t *resp; + size_t p; + + err_len = strlen(user_error_message); + *resp_len = 2 * sizeof(uint32_t) + err_len; + resp = talloc_size(mem_ctx, *resp_len); + if (resp == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + p = 0; + SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p); + SAFEALIGN_SET_UINT32(&resp[p], err_len, &p); + safealign_memcpy(&resp[p], user_error_message, err_len, &p); + if (p != *resp_len) { + DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n"); + } + + *_resp = resp; + return EOK; +} + +static void inform_user(struct pam_data* pd, const char *pam_message) +{ + size_t msg_len; + uint8_t *msg; + errno_t ret; + + ret = pack_user_info_msg(pd, pam_message, &msg_len, &msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pack_user_info_account_expired failed.\n"); + } else { + ret = pam_add_response(pd, SSS_PAM_USER_INFO, msg_len, msg); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } +} + +static bool is_domain_requested(struct pam_data *pd, const char *domain_name) +{ + int i; + + /* If none specific domains got requested via pam, all domains are allowed. + * Which mimics the default/original behaviour. 
+ */ + if (!pd->requested_domains) { + return true; + } + + for (i = 0; pd->requested_domains[i]; i++) { + if (strcasecmp(domain_name, pd->requested_domains[i])) { + continue; + } + + return true; + } + + return false; +} + +static int extract_authtok_v2(struct sss_auth_token *tok, + size_t data_size, uint8_t *body, size_t blen, + size_t *c) +{ + uint32_t auth_token_type; + uint32_t auth_token_length; + uint8_t *auth_token_data; + int ret = EOK; + + if (data_size < sizeof(uint32_t) || *c+data_size > blen || + SIZE_T_OVERFLOW(*c, data_size)) return EINVAL; + + SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, &body[*c], blen, c); + auth_token_length = data_size - sizeof(uint32_t); + auth_token_data = body+(*c); + + switch (auth_token_type) { + case SSS_AUTHTOK_TYPE_EMPTY: + sss_authtok_set_empty(tok); + break; + case SSS_AUTHTOK_TYPE_PASSWORD: + if (auth_token_length == 0) { + sss_authtok_set_empty(tok); + } else { + ret = sss_authtok_set_password(tok, (const char *)auth_token_data, + auth_token_length); + } + break; + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + ret = sss_authtok_set(tok, auth_token_type, + auth_token_data, auth_token_length); + break; + default: + return EINVAL; + } + + *c += auth_token_length; + + return ret; +} + +static int extract_string(char **var, size_t size, uint8_t *body, size_t blen, + size_t *c) { + uint8_t *str; + + if (*c+size > blen || SIZE_T_OVERFLOW(*c, size)) return EINVAL; + + str = body+(*c); + + if (str[size-1]!='\0') return EINVAL; + + /* If the string isn't valid UTF-8, fail */ + if (!sss_utf8_check(str, size-1)) { + return EINVAL; + } + + *c += size; + + *var = (char *) str; + + return EOK; +} + +static int extract_uint32_t(uint32_t *var, size_t size, uint8_t *body, + size_t blen, size_t *c) { + + if (size != sizeof(uint32_t) || *c+size > blen || SIZE_T_OVERFLOW(*c, size)) + return EINVAL; + + SAFEALIGN_COPY_UINT32_CHECK(var, &body[*c], blen, c); + + return EOK; +} + +static int 
pd_set_primary_name(const struct ldb_message *msg,struct pam_data *pd) +{ + const char *name; + + name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + if (!name) { + DEBUG(SSSDBG_CRIT_FAILURE, "A user with no name?\n"); + return EIO; + } + + if (strcmp(pd->user, name)) { + DEBUG(SSSDBG_TRACE_FUNC, "User's primary name is %s\n", name); + talloc_free(pd->user); + pd->user = talloc_strdup(pd, name); + if (!pd->user) return ENOMEM; + } + + return EOK; +} + +static int pam_parse_in_data_v2(struct pam_data *pd, + uint8_t *body, size_t blen) +{ + size_t c; + uint32_t type; + uint32_t size; + int ret; + uint32_t start; + uint32_t terminator; + char *requested_domains; + + if (blen < 4*sizeof(uint32_t)+2) { + DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n"); + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&start, body, NULL); + SAFEALIGN_COPY_UINT32(&terminator, body + blen - sizeof(uint32_t), NULL); + + if (start != SSS_START_OF_PAM_REQUEST + || terminator != SSS_END_OF_PAM_REQUEST) { + DEBUG(SSSDBG_CRIT_FAILURE, "Received data is invalid.\n"); + return EINVAL; + } + + c = sizeof(uint32_t); + do { + SAFEALIGN_COPY_UINT32_CHECK(&type, &body[c], blen, &c); + + if (type == SSS_END_OF_PAM_REQUEST) { + if (c != blen) return EINVAL; + } else { + SAFEALIGN_COPY_UINT32_CHECK(&size, &body[c], blen, &c); + /* the uint32_t end maker SSS_END_OF_PAM_REQUEST does not count to + * the remaining buffer */ + if (size > (blen - c - sizeof(uint32_t))) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data size.\n"); + return EINVAL; + } + + switch(type) { + case SSS_PAM_ITEM_USER: + ret = extract_string(&pd->logon_name, size, body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_SERVICE: + ret = extract_string(&pd->service, size, body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_TTY: + ret = extract_string(&pd->tty, size, body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_RUSER: + ret = extract_string(&pd->ruser, 
size, body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_RHOST: + ret = extract_string(&pd->rhost, size, body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_REQUESTED_DOMAINS: + ret = extract_string(&requested_domains, size, body, blen, + &c); + if (ret != EOK) return ret; + + ret = split_on_separator(pd, requested_domains, ',', true, + true, &pd->requested_domains, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse requested_domains list!\n"); + return ret; + } + break; + case SSS_PAM_ITEM_CLI_PID: + ret = extract_uint32_t(&pd->cli_pid, size, + body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_AUTHTOK: + ret = extract_authtok_v2(pd->authtok, + size, body, blen, &c); + if (ret != EOK) return ret; + break; + case SSS_PAM_ITEM_NEWAUTHTOK: + ret = extract_authtok_v2(pd->newauthtok, + size, body, blen, &c); + if (ret != EOK) return ret; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "Ignoring unknown data type [%d].\n", type); + c += size; + } + } + + } while(c < blen); + + return EOK; + +} + +static int pam_parse_in_data_v3(struct pam_data *pd, + uint8_t *body, size_t blen) +{ + int ret; + + ret = pam_parse_in_data_v2(pd, body, blen); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_parse_in_data_v2 failed.\n"); + return ret; + } + + if (pd->cli_pid == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing client PID.\n"); + return EINVAL; + } + + return EOK; +} + +static int extract_authtok_v1(struct sss_auth_token *tok, + uint8_t *body, size_t blen, size_t *c) +{ + uint32_t auth_token_type; + uint32_t auth_token_length; + uint8_t *auth_token_data; + int ret = EOK; + + SAFEALIGN_COPY_UINT32_CHECK(&auth_token_type, &body[*c], blen, c); + SAFEALIGN_COPY_UINT32_CHECK(&auth_token_length, &body[*c], blen, c); + auth_token_data = body+(*c); + + switch (auth_token_type) { + case SSS_AUTHTOK_TYPE_EMPTY: + sss_authtok_set_empty(tok); + break; + case SSS_AUTHTOK_TYPE_PASSWORD: + 
ret = sss_authtok_set_password(tok, (const char *)auth_token_data, + auth_token_length); + break; + default: + return EINVAL; + } + + *c += auth_token_length; + + return ret; +} + +static int pam_parse_in_data(struct pam_data *pd, + uint8_t *body, size_t blen) +{ + size_t start; + size_t end; + size_t last; + int ret; + + last = blen - 1; + end = 0; + + /* user name */ + for (start = end; end < last; end++) if (body[end] == '\0') break; + if (body[end++] != '\0') return EINVAL; + pd->logon_name = (char *) &body[start]; + + for (start = end; end < last; end++) if (body[end] == '\0') break; + if (body[end++] != '\0') return EINVAL; + pd->service = (char *) &body[start]; + + for (start = end; end < last; end++) if (body[end] == '\0') break; + if (body[end++] != '\0') return EINVAL; + pd->tty = (char *) &body[start]; + + for (start = end; end < last; end++) if (body[end] == '\0') break; + if (body[end++] != '\0') return EINVAL; + pd->ruser = (char *) &body[start]; + + for (start = end; end < last; end++) if (body[end] == '\0') break; + if (body[end++] != '\0') return EINVAL; + pd->rhost = (char *) &body[start]; + + ret = extract_authtok_v1(pd->authtok, body, blen, &end); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid auth token\n"); + return ret; + } + ret = extract_authtok_v1(pd->newauthtok, body, blen, &end); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid new auth token\n"); + return ret; + } + + DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); + + return EOK; +} + +/*=Save-Last-Login-State===================================================*/ + +static errno_t set_last_login(struct pam_auth_req *preq) +{ + struct sysdb_attrs *attrs; + errno_t ret; + + attrs = sysdb_new_attrs(preq); + if (!attrs) { + ret = ENOMEM; + goto fail; + } + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_ONLINE_AUTH, time(NULL)); + if (ret != EOK) { + goto fail; + } + + ret = sysdb_attrs_add_time_t(attrs, + SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN, + time(NULL)); + if (ret != EOK) { + goto 
fail; + } + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_LOGIN, time(NULL)); + if (ret != EOK) { + goto fail; + } + + ret = sysdb_set_user_attr(preq->domain, preq->pd->user, attrs, + SYSDB_MOD_REP); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "set_last_login failed.\n"); + preq->pd->pam_status = PAM_SYSTEM_ERR; + goto fail; + } else { + preq->pd->last_auth_saved = true; + } + preq->callback(preq); + + return EOK; + +fail: + return ret; +} + +static errno_t filter_responses_env(struct response_data *resp, + struct pam_data *pd, + char * const *pam_filter_opts) +{ + size_t c; + const char *var_name; + size_t var_name_len; + const char *service; + + if (pam_filter_opts == NULL) { + return EOK; + } + + for (c = 0; pam_filter_opts[c] != NULL; c++) { + if (strncmp(pam_filter_opts[c], "ENV", 3) != 0) { + continue; + } + + var_name = NULL; + var_name_len = 0; + service = NULL; + if (pam_filter_opts[c][3] != '\0') { + if (pam_filter_opts[c][3] != ':') { + /* Neither plain ENV nor ENV:, ignored */ + continue; + } + + var_name = pam_filter_opts[c] + 4; + /* check if there is a second ':' in the option and use the following + * data, if any, as service name. 
*/ + service = strchr(var_name, ':'); + if (service == NULL) { + var_name_len = strlen(var_name); + } else { + var_name_len = service - var_name; + + service++; + /* handle empty service name "ENV:var:" */ + if (*service == '\0') { + service = NULL; + } + } + } + /* handle empty var name "ENV:" or "ENV::service" */ + if (var_name_len == 0) { + var_name = NULL; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Found PAM ENV filter for variable [%.*s] and service [%s].\n", + (int) var_name_len, var_name, service); + + if (service != NULL && pd->service != NULL + && strcmp(service, pd->service) != 0) { + /* current service does not match the filter */ + continue; + } + + if (var_name == NULL) { + /* All environment variables should be filtered */ + resp->do_not_send_to_client = true; + continue; + } + + if (resp->len > var_name_len && resp->data[var_name_len] == '=' + && memcmp(resp->data, var_name, var_name_len) == 0) { + resp->do_not_send_to_client = true; + } + } + + return EOK; +} + +errno_t filter_responses(struct confdb_ctx *cdb, + struct response_data *resp_list, + struct pam_data *pd) +{ + int ret; + struct response_data *resp; + uint32_t user_info_type; + int64_t expire_date = 0; + int pam_verbosity = DEFAULT_PAM_VERBOSITY; + char **pam_filter_opts = NULL; + + ret = confdb_get_int(cdb, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY, + &pam_verbosity); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read PAM verbosity, not fatal.\n"); + pam_verbosity = DEFAULT_PAM_VERBOSITY; + } + + ret = confdb_get_string_as_list(cdb, pd, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_RESPONSE_FILTER, + &pam_filter_opts); + if (ret != EOK) { + DEBUG(SSSDBG_CONF_SETTINGS, "[%s] not available, not fatal.\n", + CONFDB_PAM_RESPONSE_FILTER); + pam_filter_opts = NULL; + } + + resp = resp_list; + while(resp != NULL) { + if (resp->type == SSS_PAM_USER_INFO) { + if (resp->len < sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "User info entry is too short.\n"); + ret = 
EINVAL; + goto done; + } + + if (pam_verbosity == PAM_VERBOSITY_NO_MESSAGES) { + resp->do_not_send_to_client = true; + resp = resp->next; + continue; + } + + memcpy(&user_info_type, resp->data, sizeof(uint32_t)); + + resp->do_not_send_to_client = false; + switch (user_info_type) { + case SSS_PAM_USER_INFO_OFFLINE_AUTH: + if (resp->len != sizeof(uint32_t) + sizeof(int64_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "User info offline auth entry is " + "too short.\n"); + ret = EINVAL; + goto done; + } + memcpy(&expire_date, resp->data + sizeof(uint32_t), + sizeof(int64_t)); + if ((expire_date == 0 && + pam_verbosity < PAM_VERBOSITY_INFO) || + (expire_date > 0 && + pam_verbosity < PAM_VERBOSITY_IMPORTANT)) { + resp->do_not_send_to_client = true; + } + + break; + default: + DEBUG(SSSDBG_TRACE_LIBS, + "User info type [%d] not filtered.\n", + user_info_type); + } + } else if (resp->type == SSS_PAM_ENV_ITEM) { + resp->do_not_send_to_client = false; + ret = filter_responses_env(resp, pd, pam_filter_opts); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "filter_responses_env failed.\n"); + goto done; + } + } else if (resp->type & SSS_SERVER_INFO) { + resp->do_not_send_to_client = true; + } + + resp = resp->next; + } + + ret = EOK; +done: + talloc_free(pam_filter_opts); + + return ret; +} + +static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct pam_auth_req *preq; + + DEBUG(SSSDBG_CONF_SETTINGS, "pam_reply_delay get called.\n"); + + preq = talloc_get_type(pvt, struct pam_auth_req); + + pam_reply(preq); +} + +static errno_t get_password_for_cache_auth(struct sss_auth_token *authtok, + const char **password) +{ + int ret; + size_t pw_len; + const char *fa2; + size_t fa2_len; + + switch (sss_authtok_get_type(authtok)) { + case SSS_AUTHTOK_TYPE_PASSWORD: + ret = sss_authtok_get_password(authtok, password, NULL); + break; + case SSS_AUTHTOK_TYPE_2FA: + ret = sss_authtok_get_2fa(authtok, password, &pw_len, &fa2, 
&fa2_len); + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Unsupported auth token type [%d].\n", + sss_authtok_get_type(authtok)); + ret = EINVAL; + } + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to get password.\n"); + return ret; + } + + return EOK; +} + +static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd); +static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, + time_t expire_date, time_t delayed_until, bool cached_auth); + +/* + * Add a request to add a variable to the PAM user environment, containing the + * actual (not overridden) user shell, in case session recording is enabled. + */ +static int pam_reply_sr_export_shell(struct pam_auth_req *preq, + const char *var_name) +{ + int ret; + TALLOC_CTX *ctx = NULL; + bool enabled; + const char *enabled_str; + const char *shell; + char *buf; + + /* Create temporary talloc context */ + ctx = talloc_new(NULL); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n"); + ret = ENOMEM; + goto done; + } + + /* Check if session recording is enabled */ + if (preq->cctx->rctx->sr_conf.scope == + SESSION_RECORDING_SCOPE_NONE) { + enabled = false; + } else if (preq->cctx->rctx->sr_conf.scope == + SESSION_RECORDING_SCOPE_ALL) { + enabled = true; + } else { + enabled_str = ldb_msg_find_attr_as_string(preq->user_obj, + SYSDB_SESSION_RECORDING, NULL); + if (enabled_str == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "%s attribute not found\n", SYSDB_SESSION_RECORDING); + ret = ENOENT; + goto done; + } else if (strcmp(enabled_str, "TRUE") == 0) { + enabled = true; + } else if (strcmp(enabled_str, "FALSE") == 0) { + enabled = false; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "invalid value of %s attribute: %s\n", + SYSDB_SESSION_RECORDING, enabled_str); + ret = ENOENT; + goto done; + } + } + + /* Export original shell if recording is enabled and so it's overridden */ + if (enabled) { + /* Extract the shell */ + shell = sss_resp_get_shell_override(preq->user_obj, + preq->cctx->rctx, 
preq->domain); + if (shell == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "user has no shell\n"); + ret = ENOENT; + goto done; + } + + /* Format environment entry */ + buf = talloc_asprintf(ctx, "%s=%s", var_name, shell); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + /* Add request to add the entry to user environment */ + ret = pam_add_response(preq->pd, SSS_PAM_ENV_ITEM, + strlen(buf) + 1, (uint8_t *)buf); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + goto done; + } + } + + ret = EOK; + +done: + talloc_free(ctx); + return ret; +} + +static void pam_reply(struct pam_auth_req *preq) +{ + struct cli_ctx *cctx; + struct cli_protocol *prctx; + uint8_t *body; + size_t blen; + int ret; + int32_t resp_c; + int32_t resp_size; + struct response_data *resp; + int p; + struct timeval tv; + struct tevent_timer *te; + struct pam_data *pd; + struct pam_ctx *pctx; + uint32_t user_info_type; + time_t exp_date = -1; + time_t delay_until = -1; + char* pam_account_expired_message; + char* pam_account_locked_message; + int pam_verbosity; + + pd = preq->pd; + cctx = preq->cctx; + pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx); + prctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + + ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_VERBOSITY, DEFAULT_PAM_VERBOSITY, + &pam_verbosity); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read PAM verbosity, not fatal.\n"); + pam_verbosity = DEFAULT_PAM_VERBOSITY; + } + + DEBUG(SSSDBG_FUNC_DATA, + "pam_reply called with result [%d]: %s.\n", + pd->pam_status, pam_strerror(NULL, pd->pam_status)); + + if (pd->cmd == SSS_PAM_AUTHENTICATE + && (pd->pam_status == PAM_AUTHINFO_UNAVAIL + || pd->pam_status == PAM_NO_MODULE_DATA + || pd->pam_status == PAM_BAD_ITEM) + && may_do_cert_auth(pctx, pd)) { + /* We have Smartcard credentials and the backend indicates that it is + * offline 
(PAM_AUTHINFO_UNAVAIL) or cannot handle the credentials + * (PAM_BAD_ITEM), so let's try authentication against the Smartcard + * PAM_NO_MODULE_DATA is returned by the krb5 backend if no + * authentication method was found at all, this might happen if the + * user has a Smartcard assigned but the pkint plugin is not available + * on the client. */ + DEBUG(SSSDBG_IMPORTANT_INFO, + "Backend cannot handle Smartcard authentication, " + "trying local Smartcard authentication.\n"); + preq->cert_auth_local = true; + ret = check_cert(cctx, cctx->ev, pctx, preq, pd); + pam_check_user_done(preq, ret); + return; + } + + if (pd->pam_status == PAM_AUTHINFO_UNAVAIL || preq->use_cached_auth) { + + switch(pd->cmd) { + case SSS_PAM_AUTHENTICATE: + if ((preq->domain != NULL) && + (preq->domain->cache_credentials == true) && + (pd->offline_auth == false)) { + const char *password = NULL; + bool use_cached_auth; + + /* backup value of preq->use_cached_auth*/ + use_cached_auth = preq->use_cached_auth; + /* set to false to avoid entering this branch when pam_reply() + * is recursively called from pam_handle_cached_login() */ + preq->use_cached_auth = false; + + /* do auth with offline credentials */ + pd->offline_auth = true; + + if (preq->domain->sysdb == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Fatal: Sysdb CTX not found for domain" + " [%s]!\n", preq->domain->name); + goto done; + } + + ret = get_password_for_cache_auth(pd->authtok, &password); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "get_password_and_type_for_cache_auth failed.\n"); + goto done; + } + + ret = sysdb_cache_auth(preq->domain, + pd->user, password, + pctx->rctx->cdb, false, + &exp_date, &delay_until); + + pam_handle_cached_login(preq, ret, exp_date, delay_until, + use_cached_auth); + return; + } + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + case SSS_PAM_CHAUTHTOK: + DEBUG(SSSDBG_FUNC_DATA, + "Password change not possible while offline.\n"); + pd->pam_status = PAM_AUTHTOK_ERR; + user_info_type = 
SSS_PAM_USER_INFO_OFFLINE_CHPASS; + ret = pam_add_response(pd, SSS_PAM_USER_INFO, sizeof(uint32_t), + (const uint8_t *) &user_info_type); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + goto done; + } + break; +/* TODO: we need the pam session cookie here to make sure that cached + * authentication was successful */ + case SSS_PAM_SETCRED: + case SSS_PAM_ACCT_MGMT: + case SSS_PAM_OPEN_SESSION: + case SSS_PAM_CLOSE_SESSION: + DEBUG(SSSDBG_OP_FAILURE, + "Assuming offline authentication setting status for " + "pam call %d to PAM_SUCCESS.\n", pd->cmd); + pd->pam_status = PAM_SUCCESS; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown PAM call [%d].\n", pd->cmd); + pd->pam_status = PAM_MODULE_UNKNOWN; + } + } + + if (pd->pam_status == PAM_SUCCESS && pd->cmd == SSS_PAM_CHAUTHTOK) { + ret = pam_null_last_online_auth_with_curr_token(preq->domain, + pd->user); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb_null_last_online_auth_with_curr_token failed: " + "%s [%d].\n", sss_strerror(ret), ret); + goto done; + } + } + + if (pd->response_delay > 0) { + ret = gettimeofday(&tv, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "gettimeofday failed [%d][%s].\n", + errno, strerror(errno)); + goto done; + } + tv.tv_sec += pd->response_delay; + tv.tv_usec = 0; + pd->response_delay = 0; + + te = tevent_add_timer(cctx->ev, cctx, tv, pam_reply_delay, preq); + if (te == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add event pam_reply_delay.\n"); + goto done; + } + + return; + } + + /* If this was a successful login, save the lastLogin time */ + if (pd->cmd == SSS_PAM_AUTHENTICATE && + pd->pam_status == PAM_SUCCESS && + preq->domain->cache_credentials && + !pd->offline_auth && + !pd->last_auth_saved && + NEED_CHECK_PROVIDER(preq->domain->provider)) { + ret = set_last_login(preq); + if (ret != EOK) { + goto done; + } + return; + } + + ret = sss_packet_new(prctx->creq, 0, sss_packet_get_cmd(prctx->creq->in), + 
&prctx->creq->out); + if (ret != EOK) { + goto done; + } + + /* Account expiration warning is printed for sshd. If pam_verbosity + * is equal or above PAM_VERBOSITY_INFO then all services are informed + * about account expiration. + */ + if (pd->pam_status == PAM_ACCT_EXPIRED && + ((pd->service != NULL && strcasecmp(pd->service, "sshd") == 0) || + pam_verbosity >= PAM_VERBOSITY_INFO)) { + + ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_ACCOUNT_EXPIRED_MESSAGE, "", + &pam_account_expired_message); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to get expiration message: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + inform_user(pd, pam_account_expired_message); + } + + if (pd->account_locked) { + + ret = confdb_get_string(pctx->rctx->cdb, pd, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_ACCOUNT_LOCKED_MESSAGE, "", + &pam_account_locked_message); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to get expiration message: %d:[%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + inform_user(pd, pam_account_locked_message); + } + + ret = filter_responses(pctx->rctx->cdb, pd->resp_list, pd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "filter_responses failed, not fatal.\n"); + } + + if (pd->domain != NULL) { + ret = pam_add_response(pd, SSS_PAM_DOMAIN_NAME, strlen(pd->domain)+1, + (uint8_t *) pd->domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + goto done; + } + } + + /* + * Export non-overridden shell to tlog-rec-session when opening the session + */ + if (pd->cmd == SSS_PAM_OPEN_SESSION && pd->pam_status == PAM_SUCCESS) { + ret = pam_reply_sr_export_shell(preq, "TLOG_REC_SESSION_SHELL"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "failed to export the shell to tlog-rec-session.\n"); + goto done; + } + } + + resp_c = 0; + resp_size = 0; + resp = pd->resp_list; + while(resp != NULL) { + if (!resp->do_not_send_to_client) { + resp_c++; + resp_size += 
resp->len; + } + resp = resp->next; + } + + ret = sss_packet_grow(prctx->creq->out, sizeof(int32_t) + + sizeof(int32_t) + + resp_c * 2* sizeof(int32_t) + + resp_size); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(prctx->creq->out, &body, &blen); + DEBUG(SSSDBG_FUNC_DATA, "blen: %zu\n", blen); + p = 0; + + memcpy(&body[p], &pd->pam_status, sizeof(int32_t)); + p += sizeof(int32_t); + + memcpy(&body[p], &resp_c, sizeof(int32_t)); + p += sizeof(int32_t); + + resp = pd->resp_list; + while(resp != NULL) { + if (!resp->do_not_send_to_client) { + memcpy(&body[p], &resp->type, sizeof(int32_t)); + p += sizeof(int32_t); + memcpy(&body[p], &resp->len, sizeof(int32_t)); + p += sizeof(int32_t); + memcpy(&body[p], resp->data, resp->len); + p += resp->len; + } + + resp = resp->next; + } + +done: + sss_cmd_done(cctx, preq); +} + +static void pam_dom_forwarder(struct pam_auth_req *preq); + +static void pam_handle_cached_login(struct pam_auth_req *preq, int ret, + time_t expire_date, time_t delayed_until, + bool use_cached_auth) +{ + uint32_t resp_type; + size_t resp_len; + uint8_t *resp; + int64_t dummy; + + preq->pd->pam_status = cached_login_pam_status(ret); + + switch (preq->pd->pam_status) { + case PAM_SUCCESS: + resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH; + resp_len = sizeof(uint32_t) + sizeof(int64_t); + resp = talloc_size(preq->pd, resp_len); + if (resp == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_size failed, cannot prepare user info.\n"); + } else { + memcpy(resp, &resp_type, sizeof(uint32_t)); + dummy = (int64_t) expire_date; + memcpy(resp+sizeof(uint32_t), &dummy, sizeof(int64_t)); + ret = pam_add_response(preq->pd, SSS_PAM_USER_INFO, resp_len, + (const uint8_t *) resp); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "pam_add_response failed.\n"); + } + } + break; + case PAM_PERM_DENIED: + if (delayed_until >= 0) { + resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED; + resp_len = sizeof(uint32_t) + sizeof(int64_t); + resp = talloc_size(preq->pd, 
resp_len);
+ if (resp == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "talloc_size failed, cannot prepare user info.\n");
+ } else {
+ memcpy(resp, &resp_type, sizeof(uint32_t));
+ dummy = (int64_t) delayed_until;
+ memcpy(resp+sizeof(uint32_t), &dummy, sizeof(int64_t));
+ ret = pam_add_response(preq->pd, SSS_PAM_USER_INFO, resp_len,
+ (const uint8_t *) resp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "pam_add_response failed.\n");
+ }
+ }
+ }
+ break;
+ case PAM_AUTH_ERR:
+ /* Was this attempt to authenticate from cache? */
+ if (use_cached_auth) {
+ /* Don't try cached authentication again, try online check. */
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Cached authentication failed for: %s\n",
+ preq->pd->user);
+ preq->cached_auth_failed = true;
+ pam_dom_forwarder(preq);
+ return;
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "cached login returned: %d\n", preq->pd->pam_status);
+ }
+
+ pam_reply(preq);
+ return;
+}
+
+static void pam_forwarder_cb(struct tevent_req *req);
+static void pam_forwarder_cert_cb(struct tevent_req *req);
+static int pam_check_user_search(struct pam_auth_req *preq);
+
+
+/* TODO: we should probably return some sort of cookie that is set in the
+ * PAM_ENVIRONMENT, so that we can save performing some calls and cache
+ * data.
*/
+
+static errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *pd)
+{
+ struct cli_protocol *prctx;
+ uint8_t *body;
+ size_t blen;
+ errno_t ret;
+ uint32_t terminator;
+ const char *key_id;
+
+ prctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol);
+
+ sss_packet_get_body(prctx->creq->in, &body, &blen);
+ if (blen >= sizeof(uint32_t)) {
+ SAFEALIGN_COPY_UINT32(&terminator,
+ body + blen - sizeof(uint32_t),
+ NULL);
+ if (terminator != SSS_END_OF_PAM_REQUEST) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Received data not terminated.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ switch (prctx->cli_protocol_version->version) {
+ case 1:
+ ret = pam_parse_in_data(pd, body, blen);
+ break;
+ case 2:
+ ret = pam_parse_in_data_v2(pd, body, blen);
+ break;
+ case 3:
+ ret = pam_parse_in_data_v3(pd, body, blen);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Illegal protocol version [%d].\n",
+ prctx->cli_protocol_version->version);
+ ret = EINVAL;
+ }
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (pd->logon_name != NULL) {
+ ret = sss_parse_name_for_domains(pd, cctx->rctx->domains,
+ cctx->rctx->default_domain,
+ pd->logon_name,
+ &pd->domain, &pd->user);
+ } else {
+ /* SSS_PAM_PREAUTH request may have a missing name, e.g. if the
+ * name is determined with the help of a certificate. During
+ * SSS_PAM_AUTHENTICATE at least a key ID is needed to identify the
+ * selected certificate.
*/
+ if (pd->cmd == SSS_PAM_AUTHENTICATE
+ && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
+ struct pam_ctx), pd)
+ && (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
+ ret = sss_authtok_get_sc(pd->authtok, NULL, NULL, NULL, NULL, NULL,
+ NULL, &key_id, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n");
+ goto done;
+ }
+
+ if (key_id == NULL || *key_id == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing logon and Smartcard key ID during "
+ "authentication.\n");
+ ret = ERR_NO_CREDS;
+ goto done;
+ }
+
+ ret = EOK;
+ } else if (pd->cmd == SSS_PAM_PREAUTH
+ && may_do_cert_auth(talloc_get_type(cctx->rctx->pvt_ctx,
+ struct pam_ctx), pd)) {
+ ret = EOK;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing logon name in PAM request.\n");
+ ret = ERR_NO_CREDS;
+ goto done;
+ }
+ }
+
+ DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd);
+
+done:
+ return ret;
+}
+
+static int pam_auth_req_destructor(struct pam_auth_req *preq)
+{
+ if (preq && preq->dpreq_spy) {
+ /* If there is still a request pending, tell the spy
+ * the client is going away
+ */
+ preq->dpreq_spy->preq = NULL;
+ }
+ return 0;
+}
+
+static bool is_uid_trusted(struct cli_creds *creds,
+ size_t trusted_uids_count,
+ uid_t *trusted_uids)
+{
+ errno_t ret;
+
+ /* root is always trusted */
+ if (client_euid(creds) == 0) {
+ return true;
+ }
+
+ /* All uids are allowed */
+ if (trusted_uids_count == 0) {
+ return true;
+ }
+
+ ret = check_allowed_uids(client_euid(creds), trusted_uids_count, trusted_uids);
+ if (ret == EOK) return true;
+
+ return false;
+}
+
+static bool is_domain_public(char *name,
+ char **public_dom_names,
+ size_t public_dom_names_count)
+{
+ size_t i;
+
+ for(i=0; i < public_dom_names_count; i++) {
+ if (strcasecmp(name, public_dom_names[i]) == 0) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static enum cache_req_dom_type
+get_domain_request_type(struct pam_auth_req
*preq,
+ struct pam_ctx *pctx)
+{
+ enum cache_req_dom_type req_dom_type;
+
+ /* By default, only POSIX domains are to be contacted */
+ req_dom_type = CACHE_REQ_POSIX_DOM;
+
+ for (int i = 0; pctx->app_services[i]; i++) {
+ if (strcmp(pctx->app_services[i], preq->pd->service) == 0) {
+ req_dom_type = CACHE_REQ_APPLICATION_DOM;
+ break;
+ }
+ }
+
+ return req_dom_type;
+}
+
+static errno_t check_cert(TALLOC_CTX *mctx,
+ struct tevent_context *ev,
+ struct pam_ctx *pctx,
+ struct pam_auth_req *preq,
+ struct pam_data *pd)
+{
+ int p11_child_timeout;
+ char *cert_verification_opts;
+ errno_t ret;
+ struct tevent_req *req;
+
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_P11_CHILD_TIMEOUT,
+ P11_CHILD_TIMEOUT_DEFAULT,
+ &p11_child_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read p11_child_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_CERT_VERIFICATION, NULL,
+ &cert_verification_opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read certificate_verification from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ req = pam_check_cert_send(mctx, ev, pctx->p11_child_debug_fd,
+ pctx->nss_db, p11_child_timeout,
+ cert_verification_opts, pctx->sss_certmap_ctx,
+ pd);
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_check_cert_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, pam_forwarder_cert_cb, preq);
+ return EAGAIN;
+}
+
+static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd)
+{
+ struct pam_auth_req *preq;
+ struct pam_data *pd;
+ int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(cctx->rctx->pvt_ctx, struct pam_ctx);
+ struct tevent_req *req;
+
+ preq = talloc_zero(cctx, struct pam_auth_req);
+ if (!preq) {
+ return ENOMEM;
+ }
+ talloc_set_destructor(preq, pam_auth_req_destructor);
+ preq->cctx = cctx;
+
preq->cert_auth_local = false;
+
+ preq->pd = create_pam_data(preq);
+ if (!preq->pd) {
+ talloc_free(preq);
+ return ENOMEM;
+ }
+ pd = preq->pd;
+
+ preq->is_uid_trusted = is_uid_trusted(cctx->creds,
+ pctx->trusted_uids_count,
+ pctx->trusted_uids);
+
+ if (!preq->is_uid_trusted) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "uid %"SPRIuid" is not trusted.\n",
+ client_euid(cctx->creds));
+ }
+
+
+ pd->cmd = pam_cmd;
+ pd->priv = cctx->priv;
+
+ ret = pam_forwarder_parse_data(cctx, pd);
+ if (ret == EAGAIN) {
+ req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, pd->domain);
+ if (req == NULL) {
+ ret = ENOMEM;
+ } else {
+ tevent_req_set_callback(req, pam_forwarder_cb, preq);
+ ret = EAGAIN;
+ }
+ goto done;
+ } else if (ret != EOK) {
+ goto done;
+ }
+
+ /* Determine what domain type to contact */
+ preq->req_dom_type = get_domain_request_type(preq, pctx);
+
+ /* Try backend first for authentication before doing local Smartcard
+ * authentication if a logon name is available. Otherwise try to derive
+ * the logon name from the certificate first.
*/
+ if ((pd->cmd != SSS_PAM_AUTHENTICATE
+ || (pd->cmd == SSS_PAM_AUTHENTICATE && pd->logon_name == NULL))
+ && may_do_cert_auth(pctx, pd)) {
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ /* Finish here */
+ goto done;
+ }
+
+ ret = pam_check_user_search(preq);
+
+done:
+ return pam_check_user_done(preq, ret);
+}
+
+static errno_t pam_user_by_cert_step(struct pam_auth_req *preq);
+static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req);
+static void pam_forwarder_cert_cb(struct tevent_req *req)
+{
+ struct pam_auth_req *preq = tevent_req_callback_data(req,
+ struct pam_auth_req);
+ struct pam_data *pd;
+ errno_t ret = EOK;
+ const char *cert;
+
+ ret = pam_check_cert_recv(req, preq, &preq->cert_list);
+ talloc_free(req);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_cert request failed.\n");
+ goto done;
+ }
+
+ pd = preq->pd;
+
+ cert = sss_cai_get_cert(preq->cert_list);
+
+ if (cert == NULL) {
+ if (pd->logon_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No certificate found and no logon name given, " \
+ "authentication not possible.\n");
+ ret = ENOENT;
+ } else {
+ if (pd->cmd == SSS_PAM_AUTHENTICATE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "No certificate returned, authentication failed.\n");
+ ret = ENOENT;
+ } else {
+ ret = pam_check_user_search(preq);
+ }
+
+ }
+ goto done;
+ }
+
+ preq->current_cert = preq->cert_list;
+ ret = pam_user_by_cert_step(preq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_user_by_cert_step failed.\n");
+ goto done;
+ }
+
+ return;
+
+done:
+ pam_check_user_done(preq, ret);
+}
+
+static errno_t pam_user_by_cert_step(struct pam_auth_req *preq)
+{
+ struct cli_ctx *cctx = preq->cctx;
+ struct tevent_req *req;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
+ if (preq->current_cert == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing certificate data.\n");
+ return EINVAL;
+ }
+
+ req = cache_req_user_by_cert_send(preq, cctx->ev, cctx->rctx,
+ pctx->rctx->ncache,
0,
+ preq->req_dom_type, NULL,
+ sss_cai_get_cert(preq->current_cert));
+ if (req == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert_send failed.\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(req, pam_forwarder_lookup_by_cert_done, preq);
+ return EOK;
+}
+
+static errno_t get_results_from_all_domains(TALLOC_CTX *mem_ctx,
+ struct cache_req_result **results,
+ struct ldb_result **ldb_results)
+{
+ int ret;
+ size_t count = 0;
+ size_t c;
+ size_t d;
+ size_t r = 0;
+ struct ldb_result *res;
+
+ for (d = 0; results != NULL && results[d] != NULL; d++) {
+ count += results[d]->count;
+ }
+
+ res = talloc_zero(mem_ctx, struct ldb_result);
+ if (res == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n");
+ return ENOMEM;
+ }
+
+ if (count == 0) {
+ *ldb_results = res;
+ return EOK;
+ }
+
+ res->msgs = talloc_zero_array(res, struct ldb_message *, count);
+ if (res->msgs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n");
+ return ENOMEM;
+ }
+ res->count = count;
+
+ for (d = 0; results != NULL && results[d] != NULL; d++) {
+ for (c = 0; c < results[d]->count; c++) {
+ if (r >= count) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More results found then counted before.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ res->msgs[r++] = talloc_steal(res->msgs, results[d]->msgs[c]);
+ }
+ }
+
+ *ldb_results = res;
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(res);
+ }
+
+ return ret;
+}
+
+static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
+{
+ int ret;
+ struct cache_req_result **results;
+ struct pam_auth_req *preq = tevent_req_callback_data(req,
+ struct pam_auth_req);
+ const char *cert_user = NULL;
+ size_t cert_count = 0;
+ size_t cert_user_count = 0;
+ struct ldb_result *cert_user_objs;
+
+ ret = cache_req_recv(preq, req, &results);
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE, "cache_req_user_by_cert request failed.\n");
+ goto done;
+ }
+
+ if (ret == EOK) {
+ ret =
get_results_from_all_domains(preq, results,
+ &cert_user_objs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_results_from_all_domains failed.\n");
+ goto done;
+ }
+
+ sss_cai_set_cert_user_objs(preq->current_cert, cert_user_objs);
+ }
+
+ preq->current_cert = sss_cai_get_next(preq->current_cert);
+ if (preq->current_cert != NULL) {
+ ret = pam_user_by_cert_step(preq);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "pam_user_by_cert_step failed.\n");
+ goto done;
+ }
+ return;
+ }
+
+ sss_cai_check_users(&preq->cert_list, &cert_count, &cert_user_count);
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found [%zu] certificates and [%zu] related users.\n",
+ cert_count, cert_user_count);
+
+ if (cert_user_count == 0) {
+ if (preq->pd->logon_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing logon name and no certificate user found.\n");
+ ret = ENOENT;
+ goto done;
+ }
+ } else {
+
+ if (preq->pd->logon_name == NULL) {
+ if (preq->pd->cmd != SSS_PAM_PREAUTH
+ && preq->pd->cmd != SSS_PAM_AUTHENTICATE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Missing logon name only allowed during (pre-)auth.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ if (cert_count > 1) {
+ for (preq->current_cert = preq->cert_list;
+ preq->current_cert != NULL;
+ preq->current_cert = sss_cai_get_next(preq->current_cert)) {
+
+ ret = add_pam_cert_response(preq->pd, "",
+ preq->current_cert,
+ preq->cctx->rctx->domains->user_name_hint
+ ?
SSS_PAM_CERT_INFO_WITH_HINT
+ : SSS_PAM_CERT_INFO);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "add_pam_cert_response failed.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ }
+ }
+
+ ret = EOK;
+ preq->pd->pam_status = PAM_SUCCESS;
+ pam_reply(preq);
+ goto done;
+ }
+
+ if (cert_user_count == 1) {
+ cert_user_objs = sss_cai_get_cert_user_objs(preq->cert_list);
+ if (cert_user_objs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing certificate user.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ cert_user = ldb_msg_find_attr_as_string(
+ cert_user_objs->msgs[0],
+ SYSDB_NAME, NULL);
+ if (cert_user == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Certificate user object has not name.\n");
+ ret = ENOENT;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA,
+ "Found certificate user [%s].\n", cert_user);
+
+ ret = sss_parse_name_for_domains(preq->pd,
+ preq->cctx->rctx->domains,
+ preq->cctx->rctx->default_domain,
+ cert_user,
+ &preq->pd->domain,
+ &preq->pd->user);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_parse_name_for_domains failed.\n");
+ goto done;
+ }
+ }
+
+ if (preq->cctx->rctx->domains->user_name_hint
+ && preq->pd->cmd == SSS_PAM_PREAUTH) {
+ ret = add_pam_cert_response(preq->pd, cert_user,
+ preq->cert_list,
+ SSS_PAM_CERT_INFO_WITH_HINT);
+ preq->pd->pam_status = PAM_SUCCESS;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ }
+ ret = EOK;
+ pam_reply(preq);
+ goto done;
+ }
+
+ /* Without user name hints the certificate must map to single user
+ * if no login name was given */
+ if (cert_user == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More than one user mapped to certificate.\n");
+ ret = ERR_NO_CREDS;
+ goto done;
+ }
+
+ /* If logon_name was not given during authentication add a
+ * SSS_PAM_CERT_INFO message to send the name to the caller.
*/
+ if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
+ && preq->pd->logon_name == NULL) {
+ ret = add_pam_cert_response(preq->pd, cert_user,
+ preq->cert_list,
+ SSS_PAM_CERT_INFO);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ goto done;
+ }
+ }
+
+ /* cert_user will be returned to the PAM client as user name, so
+ * we can use it here already e.g. to set in initgroups timeout */
+ preq->pd->logon_name = talloc_strdup(preq->pd, cert_user);
+ if (preq->pd->logon_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ }
+
+ if (preq->user_obj == NULL) {
+ ret = pam_check_user_search(preq);
+ } else {
+ ret = EOK;
+ }
+
+ if (ret == EOK) {
+ pam_dom_forwarder(preq);
+ }
+
+done:
+ pam_check_user_done(preq, ret);
+}
+
+static void pam_forwarder_cb(struct tevent_req *req)
+{
+ struct pam_auth_req *preq = tevent_req_callback_data(req,
+ struct pam_auth_req);
+ struct cli_ctx *cctx = preq->cctx;
+ struct pam_data *pd;
+ errno_t ret = EOK;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
+ ret = sss_dp_get_domains_recv(req);
+ talloc_free(req);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = p11_refresh_certmap_ctx(pctx, pctx->rctx->domains->certmaps);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "p11_refresh_certmap_ctx failed, "
+ "certificate matching might not work as expected");
+ }
+
+ pd = preq->pd;
+
+ ret = pam_forwarder_parse_data(cctx, pd);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Assuming %s is a UPN\n", pd->logon_name);
+ /* If not, cache_req will error out later */
+ pd->user = talloc_strdup(pd, pd->logon_name);
+ if (pd->user == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ pd->domain = NULL;
+ } else if (ret != EOK) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* try backend first for authentication before doing local Smartcard
+ * authentication */
+ if (pd->cmd !=
SSS_PAM_AUTHENTICATE && may_do_cert_auth(pctx, pd)) {
+ ret = check_cert(cctx, cctx->ev, pctx, preq, pd);
+ /* Finish here */
+ goto done;
+ }
+
+ ret = pam_check_user_search(preq);
+
+done:
+ pam_check_user_done(preq, ret);
+}
+
+static void pam_dp_send_acct_req_done(struct tevent_req *req);
+static int pam_check_user_search(struct pam_auth_req *preq)
+{
+ int ret;
+ struct tevent_req *dpreq;
+ struct pam_ctx *pctx;
+ struct cache_req_data *data;
+
+ data = cache_req_data_name(preq,
+ CACHE_REQ_INITGROUPS,
+ preq->pd->logon_name);
+ if (data == NULL) {
+ return ENOMEM;
+ }
+
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
+ /* The initgr cache is used to make sure that during a single PAM session
+ * (auth, acct_mgtm, ....) the backend is contacted only once. logon_name
+ * is the name provided by the PAM client and will not be modified during
+ * the request, so it makes sense to use it here instead od the pd->user. */
+ ret = pam_initgr_check_timeout(pctx->id_table, preq->pd->logon_name);
+ if (ret == EOK) {
+ /* Entry is still valid, force to lookup in the cache first */
+ cache_req_data_set_bypass_cache(data, false);
+ } else if (ret == ENOENT) {
+ /* Call the data provider first */
+ cache_req_data_set_bypass_cache(data, true);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Could not look up initgroup timeout\n");
+ return EIO;
+ }
+
+ dpreq = cache_req_send(preq,
+ preq->cctx->rctx->ev,
+ preq->cctx->rctx,
+ preq->cctx->rctx->ncache,
+ 0,
+ preq->req_dom_type,
+ NULL,
+ data);
+ if (!dpreq) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Out of memory sending data provider request\n");
+ return ENOMEM;
+ }
+
+ tevent_req_set_callback(dpreq, pam_dp_send_acct_req_done, preq);
+
+ /* tell caller we are in an async call */
+ return EAGAIN;
+}
+
+static void pam_dp_send_acct_req_done(struct tevent_req *req)
+{
+ struct cache_req_result *result;
+ struct pam_auth_req *preq;
+ struct pam_ctx *pctx;
+ int ret;
+
+ preq = tevent_req_callback_data(req, struct
pam_auth_req);
+ pctx = talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+
+ ret = cache_req_single_domain_recv(preq, req, &result);
+ talloc_zfree(req);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Fatal error, killing connection!\n");
+ talloc_zfree(preq->cctx);
+ return;
+ }
+
+ if (ret == EOK) {
+ preq->user_obj = result->msgs[0];
+ pd_set_primary_name(preq->user_obj, preq->pd);
+ preq->domain = result->domain;
+
+ ret = pam_initgr_cache_set(pctx->rctx->ev,
+ pctx->id_table,
+ preq->pd->logon_name,
+ pctx->id_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Could not save initgr timestamp."
+ "Proceeding with PAM actions\n");
+ }
+
+ pam_dom_forwarder(preq);
+ }
+
+ ret = pam_check_user_done(preq, ret);
+ if (ret != EOK) {
+ preq->pd->pam_status = PAM_SYSTEM_ERR;
+ pam_reply(preq);
+ }
+}
+
+static int pam_check_user_done(struct pam_auth_req *preq, int ret)
+{
+ switch (ret) {
+ case EOK:
+ break;
+
+ case EAGAIN:
+ /* performing async request, just return */
+ break;
+
+ case ENOENT:
+ preq->pd->pam_status = PAM_USER_UNKNOWN;
+ pam_reply(preq);
+ break;
+
+ case ERR_NO_CREDS:
+ preq->pd->pam_status = PAM_CRED_INSUFFICIENT;
+ pam_reply(preq);
+ break;
+
+ default:
+ preq->pd->pam_status = PAM_SYSTEM_ERR;
+ pam_reply(preq);
+ break;
+ }
+
+ return EOK;
+}
+
+static errno_t pam_is_last_online_login_fresh(struct sss_domain_info *domain,
+ const char* user,
+ int cached_auth_timeout,
+ bool *_result)
+{
+ errno_t ret;
+ bool result;
+ uint64_t last_login;
+
+ ret = pam_get_last_online_auth_with_curr_token(domain, user, &last_login);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sysdb_get_last_online_auth_with_curr_token failed: %s:[%d]\n",
+ sss_strerror(ret), ret);
+ goto done;
+ }
+
+ result = time(NULL) < (last_login + cached_auth_timeout);
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *_result = result;
+ }
+ return ret;
+}
+
+static bool pam_is_cmd_cachable(int cmd)
+{
+ bool is_cachable;
+
+ switch(cmd) {
+
case SSS_PAM_AUTHENTICATE:
+ is_cachable = true;
+ break;
+ default:
+ is_cachable = false;
+ }
+
+ return is_cachable;
+}
+
+static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
+{
+ enum sss_authtok_type type;
+ bool cachable = false;
+
+ type = sss_authtok_get_type(authtok);
+ if (type == SSS_AUTHTOK_TYPE_PASSWORD) {
+ cachable = true;
+ } else {
+ DEBUG(SSSDBG_TRACE_LIBS, "Authentication token can't be cached\n");
+ }
+
+ return cachable;
+}
+
+static bool pam_can_user_cache_auth(struct sss_domain_info *domain,
+ int pam_cmd,
+ struct sss_auth_token *authtok,
+ const char* user,
+ bool cached_auth_failed)
+{
+ errno_t ret;
+ bool result = false;
+
+ if (!cached_auth_failed /* don't try cached auth again */
+ && domain->cache_credentials
+ && domain->cached_auth_timeout > 0
+ && pam_is_authtok_cachable(authtok)
+ && pam_is_cmd_cachable(pam_cmd)) {
+
+ ret = pam_is_last_online_login_fresh(domain, user,
+ domain->cached_auth_timeout,
+ &result);
+ if (ret != EOK) {
+ /* non-critical, consider fail as 'non-fresh value' */
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "pam_is_last_online_login_fresh failed: %s:[%d]\n",
+ sss_strerror(ret), ret);
+ }
+ }
+
+ return result;
+}
+
+static void pam_dom_forwarder(struct pam_auth_req *preq)
+{
+ int ret;
+ struct pam_ctx *pctx =
+ talloc_get_type(preq->cctx->rctx->pvt_ctx, struct pam_ctx);
+ const char *cert_user;
+ struct ldb_result *cert_user_objs;
+ size_t c;
+ bool found = false;
+
+ if (!preq->pd->domain) {
+ preq->pd->domain = preq->domain->name;
+ }
+
+ /* Untrusted users can access only public domains.
*/
+ if (!preq->is_uid_trusted &&
+ !is_domain_public(preq->pd->domain, pctx->public_domains,
+ pctx->public_domains_count)) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Untrusted user %"SPRIuid" cannot access non-public domain %s.\n",
+ client_euid(preq->cctx->creds), preq->pd->domain);
+ preq->pd->pam_status = PAM_PERM_DENIED;
+ pam_reply(preq);
+ return;
+ }
+
+ /* skip this domain if not requested and the user is trusted
+ * as untrusted users can't request a domain */
+ if (preq->is_uid_trusted &&
+ !is_domain_requested(preq->pd, preq->pd->domain)) {
+ preq->pd->pam_status = PAM_USER_UNKNOWN;
+ pam_reply(preq);
+ return;
+ }
+
+ if (pam_can_user_cache_auth(preq->domain,
+ preq->pd->cmd,
+ preq->pd->authtok,
+ preq->pd->user,
+ preq->cached_auth_failed)) {
+ preq->use_cached_auth = true;
+ pam_reply(preq);
+ return;
+ }
+
+ if (may_do_cert_auth(pctx, preq->pd) && preq->cert_list != NULL) {
+ /* Check if user matches certificate user */
+ found = false;
+ for (preq->current_cert = preq->cert_list;
+ preq->current_cert != NULL;
+ preq->current_cert = sss_cai_get_next(preq->current_cert)) {
+
+ cert_user_objs = sss_cai_get_cert_user_objs(preq->current_cert);
+ if (cert_user_objs == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unexpected missing certificate user, "
+ "trying next certificate.\n");
+ continue;
+ }
+
+ for (c = 0; c < cert_user_objs->count; c++) {
+ cert_user = ldb_msg_find_attr_as_string(cert_user_objs->msgs[c],
+ SYSDB_NAME, NULL);
+ if (cert_user == NULL) {
+ /* Even if there might be other users mapped to the
+ * certificate a missing SYSDB_NAME indicates some critical
+ * condition which justifies that the whole request is aborted
+ * */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Certificate user object has no name.\n");
+ preq->pd->pam_status = PAM_USER_UNKNOWN;
+ pam_reply(preq);
+ return;
+ }
+
+ if (ldb_dn_compare(cert_user_objs->msgs[c]->dn,
+ preq->user_obj->dn) == 0) {
+ found = true;
+ if (preq->pd->cmd == SSS_PAM_PREAUTH) {
+ ret =
sss_authtok_set_sc(preq->pd->authtok,
+ SSS_AUTHTOK_TYPE_SC_PIN, NULL, 0,
+ sss_cai_get_token_name(preq->current_cert), 0,
+ sss_cai_get_module_name(preq->current_cert), 0,
+ sss_cai_get_key_id(preq->current_cert), 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "sss_authtok_set_sc failed, Smartcard "
+ "authentication detection might fail in "
+ "the backend.\n");
+ }
+
+ ret = add_pam_cert_response(preq->pd, cert_user,
+ preq->current_cert,
+ SSS_PAM_CERT_INFO);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
+ preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
+ }
+ }
+
+ }
+ }
+ }
+
+ if (found) {
+ /* We are done if we do not have to call the backend */
+ if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
+ && preq->cert_auth_local) {
+ preq->pd->pam_status = PAM_SUCCESS;
+ preq->callback = pam_reply;
+ pam_reply(preq);
+ return;
+ }
+ } else {
+ if (preq->pd->cmd == SSS_PAM_PREAUTH) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "User and certificate user do not match, "
+ "continue with other authentication methods.\n");
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "User and certificate user do not match.\n");
+ preq->pd->pam_status = PAM_AUTH_ERR;
+ pam_reply(preq);
+ return;
+ }
+ }
+ }
+
+ if (!NEED_CHECK_AUTH_PROVIDER(preq->domain->provider) ) {
+ preq->callback = pam_reply;
+ ret = LOCAL_pam_handler(preq);
+ } else {
+ preq->callback = pam_reply;
+ ret = pam_dp_send_req(preq, SSS_CLI_SOCKET_TIMEOUT/2);
+ DEBUG(SSSDBG_CONF_SETTINGS, "pam_dp_send_req returned %d\n", ret);
+ }
+
+ if (ret != EOK) {
+ preq->pd->pam_status = PAM_SYSTEM_ERR;
+ pam_reply(preq);
+ }
+}
+
+static int pam_cmd_authenticate(struct cli_ctx *cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_authenticate\n");
+ return pam_forwarder(cctx, SSS_PAM_AUTHENTICATE);
+}
+
+static int pam_cmd_setcred(struct cli_ctx *cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_setcred\n");
+ return pam_forwarder(cctx, SSS_PAM_SETCRED);
+}
+
+static int pam_cmd_acct_mgmt(struct cli_ctx
*cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_acct_mgmt\n");
+ return pam_forwarder(cctx, SSS_PAM_ACCT_MGMT);
+}
+
+static int pam_cmd_open_session(struct cli_ctx *cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_open_session\n");
+ return pam_forwarder(cctx, SSS_PAM_OPEN_SESSION);
+}
+
+static int pam_cmd_close_session(struct cli_ctx *cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_close_session\n");
+ return pam_forwarder(cctx, SSS_PAM_CLOSE_SESSION);
+}
+
+static int pam_cmd_chauthtok(struct cli_ctx *cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_chauthtok\n");
+ return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK);
+}
+
+static int pam_cmd_chauthtok_prelim(struct cli_ctx *cctx) {
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_chauthtok_prelim\n");
+ return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK_PRELIM);
+}
+
+static int pam_cmd_preauth(struct cli_ctx *cctx)
+{
+ DEBUG(SSSDBG_CONF_SETTINGS, "entering pam_cmd_preauth\n");
+ return pam_forwarder(cctx, SSS_PAM_PREAUTH);
+}
+
+struct cli_protocol_version *register_cli_protocol_version(void)
+{
+ static struct cli_protocol_version pam_cli_protocol_version[] = {
+ {3, "2009-09-14", "make cli_pid mandatory"},
+ {2, "2009-05-12", "new format "},
+ {1, "2008-09-05", "initial version, \\0 terminated strings"},
+ {0, NULL, NULL}
+ };
+
+ return pam_cli_protocol_version;
+}
+
+struct sss_cmd_table *get_pam_cmds(void)
+{
+ static struct sss_cmd_table sss_cmds[] = {
+ {SSS_GET_VERSION, sss_cmd_get_version},
+ {SSS_PAM_AUTHENTICATE, pam_cmd_authenticate},
+ {SSS_PAM_SETCRED, pam_cmd_setcred},
+ {SSS_PAM_ACCT_MGMT, pam_cmd_acct_mgmt},
+ {SSS_PAM_OPEN_SESSION, pam_cmd_open_session},
+ {SSS_PAM_CLOSE_SESSION, pam_cmd_close_session},
+ {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok},
+ {SSS_PAM_CHAUTHTOK_PRELIM, pam_cmd_chauthtok_prelim},
+ {SSS_PAM_PREAUTH, pam_cmd_preauth},
+ {SSS_CLI_NULL, NULL}
+ };
+
+ return sss_cmds;
+}
+
+errno_t
+pam_set_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+
const char *username,
+ uint64_t value)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sysdb_attrs *attrs;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN,
+ value);
+ if (ret != EOK) { goto done; }
+
+ ret = sysdb_set_user_attr(domain, username, attrs, SYSDB_MOD_REP);
+ if (ret != EOK) { goto done; }
+
+done:
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Error: %d (%s)\n", ret, sss_strerror(ret));
+ }
+
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static errno_t
+pam_null_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *username)
+{
+ return pam_set_last_online_auth_with_curr_token(domain, username, 0);
+}
+
+static errno_t
+pam_get_last_online_auth_with_curr_token(struct sss_domain_info *domain,
+ const char *name,
+ uint64_t *_value)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *attrs[] = { SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN, NULL };
+ struct ldb_message *ldb_msg;
+ uint64_t value;
+ errno_t ret;
+
+ if (name == NULL || *name == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing user name.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (domain->sysdb == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing sysdb db context.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_search_user_by_name(tmp_ctx, domain, name, attrs, &ldb_msg);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb_search_user_by_name failed [%d][%s].\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* Check offline_auth_cache_timeout */
+ value = ldb_msg_find_attr_as_uint64(ldb_msg,
+ SYSDB_LAST_ONLINE_AUTH_WITH_CURR_TOKEN,
+ 0);
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *_value = value;
+ }
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
diff --git a/src/responder/pam/pamsrv_dp.c b/src/responder/pam/pamsrv_dp.c
new file mode 100644
index 0000000..aa3fdc3
--- /dev/null
+++ b/src/responder/pam/pamsrv_dp.c
@@ -0,0 +1,164 @@ +/* + SSSD + + NSS Responder - Data Provider Interfaces + + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include +#include + +#include "util/util.h" +#include "responder/common/responder_packet.h" +#include "providers/data_provider.h" +#include "sbus/sbus_client.h" +#include "responder/pam/pamsrv.h" + +static void pam_dp_process_reply(DBusPendingCall *pending, void *ptr) +{ + DBusError dbus_error; + DBusMessage* msg; + int ret; + int type; + struct pam_auth_req *preq = NULL; + struct pam_auth_dp_req *pdp_req; + + pdp_req = talloc_get_type(ptr, struct pam_auth_dp_req); + preq = pdp_req->preq; + talloc_free(pdp_req); + + dbus_error_init(&dbus_error); + msg = dbus_pending_call_steal_reply(pending); + + /* Check if the client still exists. If not, simply free all the resources + * and quit */ + if (preq == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Client already disconnected\n"); + dbus_pending_call_unref(pending); + dbus_message_unref(msg); + return; + } + + /* Sanity-check of message validity */ + if (msg == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Severe error. 
A reply callback was called but no reply was" + "received and no timeout occurred\n"); + preq->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + + type = dbus_message_get_type(msg); + switch (type) { + case DBUS_MESSAGE_TYPE_METHOD_RETURN: + ret = dp_unpack_pam_response(msg, preq->pd, &dbus_error); + if (!ret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to parse reply.\n"); + preq->pd->pam_status = PAM_SYSTEM_ERR; + goto done; + } + DEBUG(SSSDBG_FUNC_DATA, + "received: [%d (%s)][%s]\n", preq->pd->pam_status, + pam_strerror(NULL, preq->pd->pam_status), + preq->pd->domain); + break; + case DBUS_MESSAGE_TYPE_ERROR: + DEBUG(SSSDBG_FATAL_FAILURE, "Reply error.\n"); + preq->pd->pam_status = PAM_SYSTEM_ERR; + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Default... what now?.\n"); + preq->pd->pam_status = PAM_SYSTEM_ERR; + } + + +done: + dbus_pending_call_unref(pending); + dbus_message_unref(msg); + preq->callback(preq); +} + +static int pdp_req_destructor(struct pam_auth_dp_req *pdp_req) +{ + if (pdp_req && pdp_req->preq) { + /* If there is still a client waiting, reset the + * spy */ + pdp_req->preq->dpreq_spy = NULL; + } + return 0; +} + +int pam_dp_send_req(struct pam_auth_req *preq, int timeout) +{ + struct pam_data *pd = preq->pd; + struct be_conn *be_conn; + DBusMessage *msg; + dbus_bool_t ret; + int res; + struct pam_auth_dp_req *pdp_req; + + /* double check dp_ctx has actually been initialized. + * in some pathological cases it may happen that nss starts up before + * dp connection code is actually able to establish a connection. + */ + res = sss_dp_get_domain_conn(preq->cctx->rctx, + preq->domain->conn_name, &be_conn); + if (res != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "The Data Provider connection for %s is not available!" 
+ " This maybe a bug, it shouldn't happen!\n", + preq->domain->conn_name); + return EIO; + } + + msg = dbus_message_new_method_call(NULL, + DP_PATH, + IFACE_DP, + IFACE_DP_PAMHANDLER); + if (msg == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE,"Out of memory?!\n"); + return ENOMEM; + } + + + DEBUG(SSSDBG_CONF_SETTINGS, "Sending request with the following data:\n"); + DEBUG_PAM_DATA(SSSDBG_CONF_SETTINGS, pd); + + ret = dp_pack_pam_request(msg, pd); + if (!ret) { + DEBUG(SSSDBG_CRIT_FAILURE,"Failed to build message\n"); + return EIO; + } + + pdp_req = talloc(preq->cctx->rctx, struct pam_auth_dp_req); + if (pdp_req == NULL) { + return ENOMEM; + } + pdp_req->preq = preq; + preq->dpreq_spy = pdp_req; + talloc_set_destructor(pdp_req, pdp_req_destructor); + + res = sbus_conn_send(be_conn->conn, msg, + timeout, pam_dp_process_reply, + pdp_req, NULL); + dbus_message_unref(msg); + return res; +} + diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c new file mode 100644 index 0000000..0b6a162 --- /dev/null +++ b/src/responder/pam/pamsrv_p11.c 
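Review bot: In pam_dp_send_req the message created by dbus_message_new_method_call() is leaked on two early returns: the `return EIO;` after dp_pack_pam_request() fails and the `return ENOMEM;` after the talloc() of pdp_req fails both skip the `dbus_message_unref(msg);` that only the final path reaches. Add `dbus_message_unref(msg);` before each of those two returns. Separately, pam_dp_process_reply calls dbus_message_unref(msg) on the `preq == NULL` path before msg has been checked, and the `msg == NULL` branch jumps to `done`, where the same unref runs on a NULL message; guarding both with `if (msg != NULL) dbus_message_unref(msg);` avoids handing libdbus a NULL pointer. dbus_error is initialised in that function but never released in it; if dp_unpack_pam_response() can set it, which this hunk does not show, a `dbus_error_free(&dbus_error);` at `done` would be needed.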
@@ -0,0 +1,1030 @@ +/* + SSSD + + PAM Responder - certificate related requests + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "providers/data_provider.h" +#include "util/child_common.h" +#include "util/strtonum.h" +#include "responder/pam/pamsrv.h" +#include "lib/certmap/sss_certmap.h" +#include "util/crypto/sss_crypto.h" + + +#define CERT_AUTH_DEFAULT_MATCHING_RULE "KRB5:clientAuth" + +struct cert_auth_info { + char *cert; + char *token_name; + char *module_name; + char *key_id; + char *label; + struct ldb_result *cert_user_objs; + struct cert_auth_info *prev; + struct cert_auth_info *next; +}; + +const char *sss_cai_get_cert(struct cert_auth_info *i) +{ + return i != NULL ? i->cert : NULL; +} + +const char *sss_cai_get_token_name(struct cert_auth_info *i) +{ + return i != NULL ? i->token_name : NULL; +} + +const char *sss_cai_get_module_name(struct cert_auth_info *i) +{ + return i != NULL ? i->module_name : NULL; +} + +const char *sss_cai_get_key_id(struct cert_auth_info *i) +{ + return i != NULL ? i->key_id : NULL; +} + +const char *sss_cai_get_label(struct cert_auth_info *i) +{ + return i != NULL ? i->label : NULL; +} + +struct cert_auth_info *sss_cai_get_next(struct cert_auth_info *i) +{ + return i != NULL ? i->next : NULL; +} + +struct ldb_result *sss_cai_get_cert_user_objs(struct cert_auth_info *i) +{ + return i != NULL ? 
i->cert_user_objs : NULL; +} + +void sss_cai_set_cert_user_objs(struct cert_auth_info *i, + struct ldb_result *cert_user_objs) +{ + if (i->cert_user_objs != NULL) { + talloc_free(i->cert_user_objs); + } + i->cert_user_objs = talloc_steal(i, cert_user_objs); +} + +void sss_cai_check_users(struct cert_auth_info **list, size_t *_cert_count, + size_t *_cert_user_count) +{ + struct cert_auth_info *c; + struct cert_auth_info *tmp; + size_t cert_count = 0; + size_t cert_user_count = 0; + struct ldb_result *user_objs; + + DLIST_FOR_EACH_SAFE(c, tmp, *list) { + user_objs = sss_cai_get_cert_user_objs(c); + if (user_objs != NULL) { + cert_count++; + cert_user_count += user_objs->count; + } else { + DLIST_REMOVE(*list, c); + } + } + + if (_cert_count != NULL) { + *_cert_count = cert_count; + } + + if (_cert_user_count != NULL) { + *_cert_user_count = cert_user_count; + } + + return; +} + +struct priv_sss_debug { + int level; +}; + +static void ext_debug(void *private, const char *file, long line, + const char *function, const char *format, ...) 
+{ + va_list ap; + struct priv_sss_debug *data = private; + int level = SSSDBG_OP_FAILURE; + + if (data != NULL) { + level = data->level; + } + + if (DEBUG_IS_SET(level)) { + va_start(ap, format); + sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED, + format, ap); + va_end(ap); + } +} + +errno_t p11_refresh_certmap_ctx(struct pam_ctx *pctx, + struct certmap_info **certmap_list) +{ + int ret; + struct sss_certmap_ctx *sss_certmap_ctx = NULL; + size_t c; + + ret = sss_certmap_init(pctx, ext_debug, NULL, &sss_certmap_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n"); + goto done; + } + + if (certmap_list == NULL || *certmap_list == NULL) { + /* Try to add default matching rule */ + ret = sss_certmap_add_rule(sss_certmap_ctx, SSS_CERTMAP_MIN_PRIO, + CERT_AUTH_DEFAULT_MATCHING_RULE, NULL, NULL); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add default matching rule.\n"); + } + + goto done; + } + + for (c = 0; certmap_list[c] != NULL; c++) { + DEBUG(SSSDBG_TRACE_ALL, + "Trying to add rule [%s][%d][%s][%s].\n", + certmap_list[c]->name, certmap_list[c]->priority, + certmap_list[c]->match_rule, certmap_list[c]->map_rule); + + ret = sss_certmap_add_rule(sss_certmap_ctx, certmap_list[c]->priority, + certmap_list[c]->match_rule, + certmap_list[c]->map_rule, + certmap_list[c]->domains); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_certmap_add_rule failed for rule [%s] " + "with error [%d][%s], skipping. 
" + "Please check for typos and if rule syntax is supported.\n", + certmap_list[c]->name, ret, sss_strerror(ret)); + continue; + } + } + + ret = EOK; + +done: + if (ret == EOK) { + sss_certmap_free_ctx(pctx->sss_certmap_ctx); + pctx->sss_certmap_ctx = sss_certmap_ctx; + } else { + sss_certmap_free_ctx(sss_certmap_ctx); + } + + return ret; +} + +errno_t p11_child_init(struct pam_ctx *pctx) +{ + int ret; + struct certmap_info **certmaps; + bool user_name_hint; + struct sss_domain_info *dom = pctx->rctx->domains; + + ret = sysdb_get_certmap(dom, dom->sysdb, &certmaps, &user_name_hint); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_certmap failed.\n"); + return ret; + } + + dom->user_name_hint = user_name_hint; + talloc_free(dom->certmaps); + dom->certmaps = certmaps; + + ret = p11_refresh_certmap_ctx(pctx, dom->certmaps); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "p11_refresh_certmap_ctx failed.\n"); + return ret; + } + + return child_debug_init(P11_CHILD_LOG_FILE, &pctx->p11_child_debug_fd); +} + +bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd) +{ + size_t c; + const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard", + "gdm-password", "kdm", "sudo", "sudo-i", + "gnome-screensaver", NULL }; + if (!pctx->cert_auth) { + return false; + } + + if (pd->cmd != SSS_PAM_PREAUTH && pd->cmd != SSS_PAM_AUTHENTICATE) { + return false; + } + + if (pd->cmd == SSS_PAM_AUTHENTICATE + && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_SC_PIN + && sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_SC_KEYPAD) { + return false; + } + + /* TODO: make services configurable */ + if (pd->service == NULL || *pd->service == '\0') { + return false; + } + for (c = 0; sc_services[c] != NULL; c++) { + if (strcmp(pd->service, sc_services[c]) == 0) { + break; + } + } + if (sc_services[c] == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Smartcard authentication for service [%s] not supported.\n", + pd->service); + return false; + } + + return true; +} 
+ +static errno_t get_p11_child_write_buffer(TALLOC_CTX *mem_ctx, + struct pam_data *pd, + uint8_t **_buf, size_t *_len) +{ + int ret; + uint8_t *buf; + size_t len; + const char *pin = NULL; + + if (pd == NULL || pd->authtok == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing authtok.\n"); + return EINVAL; + } + + switch (sss_authtok_get_type(pd->authtok)) { + case SSS_AUTHTOK_TYPE_SC_PIN: + ret = sss_authtok_get_sc_pin(pd->authtok, &pin, &len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc_pin failed.\n"); + return ret; + } + if (pin == NULL || len == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing PIN.\n"); + return EINVAL; + } + + buf = talloc_size(mem_ctx, len); + if (buf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + safealign_memcpy(buf, pin, len, NULL); + + break; + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + /* Nothing to send */ + len = 0; + buf = NULL; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported authtok type [%d].\n", + sss_authtok_get_type(pd->authtok)); + return EINVAL; + } + + *_len = len; + *_buf = buf; + + return EOK; +} + +static errno_t parse_p11_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, + ssize_t buf_len, + struct sss_certmap_ctx *sss_certmap_ctx, + struct cert_auth_info **_cert_list) +{ + int ret; + TALLOC_CTX *tmp_ctx = NULL; + uint8_t *p; + uint8_t *pn; + struct cert_auth_info *cert_list = NULL; + struct cert_auth_info *cert_auth_info; + unsigned char *der = NULL; + size_t der_size; + + if (buf_len < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error occurred while reading data from p11_child.\n"); + return EIO; + } + + if (buf_len == 0) { + DEBUG(SSSDBG_TRACE_LIBS, "No certificate found.\n"); + ret = EOK; + goto done; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + p = buf; + + do { + cert_auth_info = talloc_zero(tmp_ctx, struct cert_auth_info); + if (cert_auth_info == NULL) { + 
DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + return ENOMEM; + } + + pn = memchr(p, '\n', buf_len - (p - buf)); + if (pn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing new-line in p11_child response.\n"); + return EINVAL; + } + if (pn == p) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing counter in p11_child response.\n"); + return EINVAL; + } + + cert_auth_info->token_name = talloc_strndup(cert_auth_info, (char *)p, + (pn - p)); + if (cert_auth_info->token_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Found token name [%s].\n", + cert_auth_info->token_name); + + p = ++pn; + pn = memchr(p, '\n', buf_len - (p - buf)); + if (pn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing new-line in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + if (pn == p) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing module name in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + cert_auth_info->module_name = talloc_strndup(cert_auth_info, (char *)p, + (pn - p)); + if (cert_auth_info->module_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Found module name [%s].\n", + cert_auth_info->module_name); + + p = ++pn; + pn = memchr(p, '\n', buf_len - (p - buf)); + if (pn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing new-line in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + if (pn == p) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing key id in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + cert_auth_info->key_id = talloc_strndup(cert_auth_info, (char *)p, + (pn - p)); + if (cert_auth_info->key_id == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Found key id [%s].\n", cert_auth_info->key_id); + + p = ++pn; + pn = memchr(p, '\n', buf_len - (p - buf)); + if (pn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing 
new-line in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + if (pn == p) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing label in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + cert_auth_info->label = talloc_strndup(cert_auth_info, (char *) p, + (pn - p)); + if (cert_auth_info->label == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Found label [%s].\n", cert_auth_info->label); + + p = ++pn; + pn = memchr(p, '\n', buf_len - (p - buf)); + if (pn == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Missing new-line in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + if (pn == p) { + DEBUG(SSSDBG_OP_FAILURE, "Missing cert in p11_child response.\n"); + ret = EINVAL; + goto done; + } + + cert_auth_info->cert = talloc_strndup(cert_auth_info, (char *)p, + (pn - p)); + if (cert_auth_info->cert == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_TRACE_ALL, "Found cert [%s].\n", cert_auth_info->cert); + + der = sss_base64_decode(tmp_ctx, cert_auth_info->cert, &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + ret = EIO; + goto done; + } + + ret = sss_certmap_match_cert(sss_certmap_ctx, der, der_size); + if (ret == 0) { + DLIST_ADD(cert_list, cert_auth_info); + } else { + DEBUG(SSSDBG_TRACE_LIBS, + "Cert [%s] does not match matching rules and is ignored.\n", + cert_auth_info->cert); + talloc_free(cert_auth_info); + } + + p = ++pn; + } while ((pn - buf) < buf_len); + + ret = EOK; + +done: + if (ret == EOK) { + DLIST_FOR_EACH(cert_auth_info, cert_list) { + talloc_steal(mem_ctx, cert_auth_info); + } + + *_cert_list = cert_list; + } + + talloc_free(tmp_ctx); + + return ret; +} + +struct pam_check_cert_state { + int child_status; + struct sss_child_ctx_old *child_ctx; + struct tevent_timer *timeout_handler; + struct tevent_context *ev; + struct sss_certmap_ctx *sss_certmap_ctx; + 
+ struct child_io_fds *io; + + struct cert_auth_info *cert_list; +}; + +static void p11_child_write_done(struct tevent_req *subreq); +static void p11_child_done(struct tevent_req *subreq); +static void p11_child_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt); + +struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + int child_debug_fd, + const char *nss_db, + time_t timeout, + const char *verify_opts, + struct sss_certmap_ctx *sss_certmap_ctx, + struct pam_data *pd) +{ + errno_t ret; + struct tevent_req *req; + struct tevent_req *subreq; + struct pam_check_cert_state *state; + pid_t child_pid; + struct timeval tv; + int pipefd_to_child[2] = PIPE_INIT; + int pipefd_from_child[2] = PIPE_INIT; + const char *extra_args[13] = { NULL }; + uint8_t *write_buf = NULL; + size_t write_buf_len = 0; + size_t arg_c; + const char *module_name = NULL; + const char *token_name = NULL; + const char *key_id = NULL; + + req = tevent_req_create(mem_ctx, &state, struct pam_check_cert_state); + if (req == NULL) { + return NULL; + } + + if (nss_db == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing NSS DB.\n"); + ret = EINVAL; + goto done; + } + + if (sss_certmap_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing certificate matching context.\n"); + ret = EINVAL; + goto done; + } + + /* extra_args are added in revers order */ + arg_c = 0; + extra_args[arg_c++] = nss_db; + extra_args[arg_c++] = "--nssdb"; + if (verify_opts != NULL) { + extra_args[arg_c++] = verify_opts; + extra_args[arg_c++] = "--verify"; + } + + if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_PIN + || sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_SC_KEYPAD) { + ret = sss_authtok_get_sc(pd->authtok, NULL, NULL, &token_name, NULL, + &module_name, NULL, &key_id, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); + goto done; + } + + if (module_name != NULL && *module_name != '\0') { + 
extra_args[arg_c++] = module_name; + extra_args[arg_c++] = "--module_name"; + } + if (token_name != NULL && *token_name != '\0') { + extra_args[arg_c++] = token_name; + extra_args[arg_c++] = "--token_name"; + } + if (key_id != NULL && *key_id != '\0') { + extra_args[arg_c++] = key_id; + extra_args[arg_c++] = "--key_id"; + } + } + + if (pd->cmd == SSS_PAM_AUTHENTICATE) { + extra_args[arg_c++] = "--auth"; + switch (sss_authtok_get_type(pd->authtok)) { + case SSS_AUTHTOK_TYPE_SC_PIN: + extra_args[arg_c++] = "--pin"; + break; + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + extra_args[arg_c++] = "--keypad"; + break; + default: + DEBUG(SSSDBG_OP_FAILURE, "Unsupported authtok type.\n"); + ret = EINVAL; + goto done; + } + + } else if (pd->cmd == SSS_PAM_PREAUTH) { + extra_args[arg_c++] = "--pre"; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected PAM command [%d}.\n", pd->cmd); + ret = EINVAL; + goto done; + } + + state->ev = ev; + state->sss_certmap_ctx = sss_certmap_ctx; + state->child_status = EFAULT; + state->io = talloc(state, struct child_io_fds); + if (state->io == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto done; + } + state->io->write_to_child_fd = -1; + state->io->read_from_child_fd = -1; + talloc_set_destructor((void *) state->io, child_io_destructor); + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + if (child_debug_fd == -1) { + child_debug_fd = STDERR_FILENO; + } + + child_pid = fork(); + if (child_pid == 0) { /* child */ + exec_child_ex(state, pipefd_to_child, pipefd_from_child, + P11_CHILD_PATH, child_debug_fd, extra_args, false, + STDIN_FILENO, STDOUT_FILENO); + + /* We should never get here */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 
child\n"); + } else if (child_pid > 0) { /* parent */ + + state->io->read_from_child_fd = pipefd_from_child[0]; + PIPE_FD_CLOSE(pipefd_from_child[1]); + sss_fd_nonblocking(state->io->read_from_child_fd); + + state->io->write_to_child_fd = pipefd_to_child[1]; + PIPE_FD_CLOSE(pipefd_to_child[0]); + sss_fd_nonblocking(state->io->write_to_child_fd); + + /* Set up SIGCHLD handler */ + ret = child_handler_setup(ev, child_pid, NULL, NULL, &state->child_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: %s\n", + ret, sss_strerror(ret)); + ret = ERR_P11_CHILD; + goto done; + } + + /* Set up timeout handler */ + tv = tevent_timeval_current_ofs(timeout, 0); + state->timeout_handler = tevent_add_timer(ev, req, tv, + p11_child_timeout, req); + if(state->timeout_handler == NULL) { + ret = ERR_P11_CHILD; + goto done; + } + + if (pd->cmd == SSS_PAM_AUTHENTICATE) { + ret = get_p11_child_write_buffer(state, pd, &write_buf, + &write_buf_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "get_p11_child_write_buffer failed.\n"); + goto done; + } + } + + if (write_buf_len != 0) { + subreq = write_pipe_send(state, ev, write_buf, write_buf_len, + state->io->write_to_child_fd); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "write_pipe_send failed.\n"); + ret = ERR_P11_CHILD; + goto done; + } + tevent_req_set_callback(subreq, p11_child_write_done, req); + } else { + subreq = read_pipe_send(state, ev, state->io->read_from_child_fd); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "read_pipe_send failed.\n"); + ret = ERR_P11_CHILD; + goto done; + } + tevent_req_set_callback(subreq, p11_child_done, req); + } + + /* Now either wait for the timeout to fire or the child + * to finish + */ + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "fork failed [%d][%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + PIPE_CLOSE(pipefd_from_child); + PIPE_CLOSE(pipefd_to_child); + 
tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + return req; +} + +static void p11_child_write_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct pam_check_cert_state *state = tevent_req_data(req, + struct pam_check_cert_state); + int ret; + + ret = write_pipe_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + PIPE_FD_CLOSE(state->io->write_to_child_fd); + + subreq = read_pipe_send(state, state->ev, state->io->read_from_child_fd); + if (subreq == NULL) { + tevent_req_error(req, ENOMEM); + return; + } + tevent_req_set_callback(subreq, p11_child_done, req); +} + +static void p11_child_done(struct tevent_req *subreq) +{ + uint8_t *buf; + ssize_t buf_len; + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct pam_check_cert_state *state = tevent_req_data(req, + struct pam_check_cert_state); + int ret; + + talloc_zfree(state->timeout_handler); + + ret = read_pipe_recv(subreq, state, &buf, &buf_len); + talloc_zfree(subreq); + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + PIPE_FD_CLOSE(state->io->read_from_child_fd); + + ret = parse_p11_child_response(state, buf, buf_len, state->sss_certmap_ctx, + &state->cert_list); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "parse_p11_child_response failed.\n"); + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); + return; +} + +static void p11_child_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct pam_check_cert_state *state = + tevent_req_data(req, struct pam_check_cert_state); + + DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for p11_child.\n"); + child_handler_destroy(state->child_ctx); + state->child_ctx = NULL; + state->child_status = ETIMEDOUT; + tevent_req_error(req, ERR_P11_CHILD); +} + 
+errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct cert_auth_info **cert_list) +{ + struct cert_auth_info *tmp_cert_auth_info; + struct pam_check_cert_state *state = + tevent_req_data(req, struct pam_check_cert_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (cert_list != NULL) { + DLIST_FOR_EACH(tmp_cert_auth_info, state->cert_list) { + talloc_steal(mem_ctx, tmp_cert_auth_info); + } + + *cert_list = state->cert_list; + } + + return EOK; +} + +static char *get_cert_prompt(TALLOC_CTX *mem_ctx, + struct cert_auth_info *cert_info) +{ + int ret; + struct sss_certmap_ctx *ctx = NULL; + unsigned char *der = NULL; + size_t der_size; + char *prompt = NULL; + char *filter = NULL; + char **domains = NULL; + + ret = sss_certmap_init(mem_ctx, NULL, NULL, &ctx); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_init failed.\n"); + return NULL; + } + + ret = sss_certmap_add_rule(ctx, 10, "KRB5:.*", + "LDAP:{subject_dn!nss}", NULL); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_add_rule failed.\n"); + goto done; + } + + der = sss_base64_decode(mem_ctx, sss_cai_get_cert(cert_info), &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + goto done; + } + + ret = sss_certmap_get_search_filter(ctx, der, der_size, &filter, &domains); + if (ret != 0) { + DEBUG(SSSDBG_OP_FAILURE, "sss_certmap_get_search_filter failed.\n"); + goto done; + } + + prompt = talloc_asprintf(mem_ctx, "%s\n%s", sss_cai_get_label(cert_info), + filter); + if (prompt == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + } + +done: + sss_certmap_free_filter_and_domains(filter, domains); + sss_certmap_free_ctx(ctx); + talloc_free(der); + + return prompt; +} + +static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username, + struct cert_auth_info *cert_info, + uint8_t **_msg, size_t *_msg_len) +{ + uint8_t *msg = NULL; + size_t msg_len; + const char *token_name; + const char *module_name; + 
const char *key_id; + char *prompt; + size_t user_len; + size_t token_len; + size_t module_len; + size_t key_id_len; + size_t prompt_len; + const char *username = ""; + + if (sysdb_username != NULL) { + username = sysdb_username; + } + + prompt = get_cert_prompt(mem_ctx, cert_info); + if (prompt == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "get_cert_prompt failed.\n"); + return EIO; + } + + token_name = sss_cai_get_token_name(cert_info); + module_name = sss_cai_get_module_name(cert_info); + key_id = sss_cai_get_key_id(cert_info); + + user_len = strlen(username) + 1; + token_len = strlen(token_name) + 1; + module_len = strlen(module_name) + 1; + key_id_len = strlen(key_id) + 1; + prompt_len = strlen(prompt) + 1; + msg_len = user_len + token_len + module_len + key_id_len + prompt_len; + + msg = talloc_zero_size(mem_ctx, msg_len); + if (msg == NULL) { + talloc_free(prompt); + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n"); + return ENOMEM; + } + + memcpy(msg, username, user_len); + memcpy(msg + user_len, token_name, token_len); + memcpy(msg + user_len + token_len, module_name, module_len); + memcpy(msg + user_len + token_len + module_len, key_id, key_id_len); + memcpy(msg + user_len + token_len + module_len + key_id_len, + prompt, prompt_len); + talloc_free(prompt); + + if (_msg != NULL) { + *_msg = msg; + } + + if (_msg_len != NULL) { + *_msg_len = msg_len; + } + + return EOK; +} + +/* The PKCS11_LOGIN_TOKEN_NAME environment variable is e.g. used by the Gnome + * Settings Daemon to determine the name of the token used for login but it + * should be only set if SSSD is called by gdm-smartcard. Otherwise desktop + * components might assume that gdm-smartcard PAM stack is configured + * correctly which might not be the case e.g. if Smartcard authentication was + * used when running gdm-password. 
*/ +#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME" + +errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username, + struct cert_auth_info *cert_info, + enum response_type type) +{ + uint8_t *msg = NULL; + char *env = NULL; + size_t msg_len; + int ret; + + if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type); + return EINVAL; + } + + if ((type == SSS_PAM_CERT_INFO && sysdb_username == NULL) + || cert_info == NULL + || sss_cai_get_token_name(cert_info) == NULL + || sss_cai_get_module_name(cert_info) == NULL + || sss_cai_get_key_id(cert_info) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing mandatory user or slot name.\n"); + return EINVAL; + } + + /* sysdb_username is a fully-qualified name which is used by pam_sss when + * prompting the user for the PIN and as login name if it wasn't set by + * the PAM caller but has to be determined based on the inserted + * Smartcard. If this type of name is irritating at the PIN prompt or the + * re_expression config option was set in a way that user@domain cannot be + * handled anymore some more logic has to be added here. But for the time + * being I think using sysdb_username is fine. 
*/ + + ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n"); + return ret; + } + + ret = pam_add_response(pd, type, msg_len, msg); + talloc_free(msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "pam_add_response failed to add certificate info.\n"); + return ret; + } + + if (strcmp(pd->service, "gdm-smartcard") == 0) { + env = talloc_asprintf(pd, "%s=%s", PKCS11_LOGIN_TOKEN_ENV_NAME, + sss_cai_get_token_name(cert_info)); + if (env == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + + ret = pam_add_response(pd, SSS_PAM_ENV_ITEM, strlen(env) + 1, + (uint8_t *)env); + talloc_free(env); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "pam_add_response failed to add environment variable.\n"); + return ret; + } + } + + return ret; +} diff --git a/src/responder/secrets/local.c b/src/responder/secrets/local.c new file mode 100644 index 0000000..ed57dda --- /dev/null +++ b/src/responder/secrets/local.c 
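Review bot: parse_p11_child_response leaks tmp_ctx, a top-level talloc_new(NULL) context, on the first three error paths inside its loop: the talloc_zero() failure and the two checks on the token-name line ("Missing new-line" and "Missing counter") use `return ENOMEM;` / `return EINVAL;`, while every later check uses `ret = ...; goto done;`. The buffer comes from the p11_child helper and is parsed in the PAM responder, so each malformed response leaves that context and any certificate entries already parsed allocated; change those three to `ret = EINVAL; goto done;` (`ret = ENOMEM;` for the allocation). In get_p11_child_write_buffer the smartcard PIN is copied into a plain talloc_size() buffer owned by the request state, and nothing in this hunk wipes that copy before it is freed. A destructor on buf that zeroes the memory would limit how long the PIN stays readable in the responder's heap.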
@@ -0,0 +1,1170 @@ +/* + SSSD + + Secrets Responder + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/secrets/secsrv_private.h" +#include "util/crypto/sss_crypto.h" +#include +#include +#include +#include + +#define MKEY_SIZE (256 / 8) + +#define SECRETS_BASEDN "cn=secrets" +#define KCM_BASEDN "cn=kcm" + +struct local_context { + struct ldb_context *ldb; + struct sec_data master_key; + + struct sec_quota *quota_secrets; + struct sec_quota *quota_kcm; +}; + +static int local_decrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx, + const char *secret, const char *enctype, + char **plain_secret) +{ + char *output; + + if (enctype && strcmp(enctype, "masterkey") == 0) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Decrypting with masterkey\n"); + + struct sec_data _secret; + size_t outlen; + int ret; + + _secret.data = (char *)sss_base64_decode(mem_ctx, secret, + &_secret.length); + if (!_secret.data) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed\n"); + return EINVAL; + } + + ret = sss_decrypt(mem_ctx, AES256CBC_HMAC_SHA256, + (uint8_t *)lctx->master_key.data, + lctx->master_key.length, + (uint8_t *)_secret.data, _secret.length, + (uint8_t **)&output, &outlen); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_decrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + if (((strnlen(output, outlen) + 1) != outlen) || + output[outlen - 1] != '\0') { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "Output length mismatch or output not NULL-terminated\n"); + return EIO; + } + } else { + output = talloc_strdup(mem_ctx, secret); + if (!output) return ENOMEM; + } + + *plain_secret = output; + return EOK; +} + +static int local_encrypt(struct local_context *lctx, TALLOC_CTX *mem_ctx, + const char *secret, const char *enctype, + char **ciphertext) +{ + struct sec_data _secret; + char *output; + int ret; + + if (enctype == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No encryption type\n"); + return EINVAL; + } + + if (strcmp(enctype, "masterkey") != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown encryption type '%s'\n", enctype); + return EINVAL; + } + + ret = sss_encrypt(mem_ctx, AES256CBC_HMAC_SHA256, + (uint8_t *)lctx->master_key.data, + lctx->master_key.length, + (const uint8_t *)secret, strlen(secret) + 1, + (uint8_t **)&_secret.data, &_secret.length); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + return ret; + } + + output = sss_base64_encode(mem_ctx, + (uint8_t *)_secret.data, _secret.length); + if (!output) return ENOMEM; + + *ciphertext = output; + return EOK; +} + +static int local_db_dn(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + const char *basedn, + const char *req_path, + struct ldb_dn **req_dn) +{ + struct ldb_dn *dn; + const char *s, *e; + int ret; + + dn = ldb_dn_new(mem_ctx, ldb, basedn); + if (!dn) { + ret = ENOMEM; + goto done; + } + + s = req_path; + + while (s && *s) { + e = strchr(s, '/'); + if (e) { + if (e == s) { + s++; + continue; + } + if (!ldb_dn_add_child_fmt(dn, "cn=%.*s", (int)(e - s), s)) { + ret = ENOMEM; + goto done; + } + s = e + 1; + } else { + if (!ldb_dn_add_child_fmt(dn, "cn=%s", s)) { + ret = ENOMEM; + goto done; + } + s = NULL; + } + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Local path for [%s] is [%s]\n", + req_path, ldb_dn_get_linearized(dn)); + *req_dn = dn; + ret = EOK; + +done: + return ret; +} + +static char *local_dn_to_path(TALLOC_CTX 
*mem_ctx, + struct ldb_dn *basedn, + struct ldb_dn *dn) +{ + int basecomps; + int dncomps; + char *path = NULL; + + basecomps = ldb_dn_get_comp_num(basedn); + dncomps = ldb_dn_get_comp_num(dn); + + for (int i = dncomps - basecomps; i > 0; i--) { + const struct ldb_val *val; + + val = ldb_dn_get_component_val(dn, i - 1); + if (!val) return NULL; + + if (path) { + path = talloc_strdup_append_buffer(path, "/"); + if (!path) return NULL; + path = talloc_strndup_append_buffer(path, (char *)val->data, + val->length); + } else { + path = talloc_strndup(mem_ctx, (char *)val->data, val->length); + } + if (!path) return NULL; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Secrets path for [%s] is [%s]\n", + ldb_dn_get_linearized(dn), path); + return path; +} + +struct local_db_req { + char *path; + const char *basedn; + struct ldb_dn *req_dn; + struct sec_quota *quota; +}; + +#define LOCAL_SIMPLE_FILTER "(type=simple)" +#define LOCAL_CONTAINER_FILTER "(type=container)" + +static int local_db_get_simple(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req, + char **secret) +{ + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { "secret", "enctype", NULL }; + struct ldb_result *res; + const char *attr_secret; + const char *attr_enctype; + int ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Retrieving a secret from [%s]\n", lc_req->path); + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Searching for [%s] at [%s] with scope=base\n", + LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(lc_req->req_dn)); + + ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_BASE, + attrs, "%s", LOCAL_SIMPLE_FILTER); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_search returned [%d]: %s\n", ret, ldb_strerror(ret)); + ret = ENOENT; + goto done; + } + + switch (res->count) { + case 0: + DEBUG(SSSDBG_TRACE_LIBS, "No secret found\n"); + ret = ENOENT; + goto done; + case 1: + break; + default: + DEBUG(SSSDBG_OP_FAILURE, 
+ "Too many secrets returned with BASE search\n"); + ret = E2BIG; + goto done; + } + + attr_secret = ldb_msg_find_attr_as_string(res->msgs[0], "secret", NULL); + if (!attr_secret) { + DEBUG(SSSDBG_CRIT_FAILURE, "The 'secret' attribute is missing\n"); + ret = ENOENT; + goto done; + } + + attr_enctype = ldb_msg_find_attr_as_string(res->msgs[0], "enctype", NULL); + + if (attr_enctype) { + ret = local_decrypt(lctx, mem_ctx, attr_secret, attr_enctype, secret); + if (ret) goto done; + } else { + *secret = talloc_strdup(mem_ctx, attr_secret); + } + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int local_db_list_keys(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req, + char ***_keys, + int *num_keys) +{ + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { "secret", NULL }; + struct ldb_result *res; + char **keys; + int ret; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + DEBUG(SSSDBG_TRACE_FUNC, "Listing keys at [%s]\n", lc_req->path); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Searching for [%s] at [%s] with scope=subtree\n", + LOCAL_SIMPLE_FILTER, ldb_dn_get_linearized(lc_req->req_dn)); + + ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_SUBTREE, + attrs, "%s", LOCAL_SIMPLE_FILTER); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_search returned [%d]: %s\n", ret, ldb_strerror(ret)); + ret = ENOENT; + goto done; + } + + if (res->count == 0) { + DEBUG(SSSDBG_TRACE_LIBS, "No secrets found\n"); + ret = ENOENT; + goto done; + } + + keys = talloc_array(mem_ctx, char *, res->count); + if (!keys) { + ret = ENOMEM; + goto done; + } + + for (unsigned i = 0; i < res->count; i++) { + keys[i] = local_dn_to_path(keys, lc_req->req_dn, res->msgs[i]->dn); + if (!keys[i]) { + ret = ENOMEM; + goto done; + } + } + + *_keys = keys; + DEBUG(SSSDBG_TRACE_LIBS, "Returning %d secrets\n", res->count); + *num_keys = res->count; + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + 
+static int local_db_check_containers(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct ldb_dn *leaf_dn) +{ + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { NULL}; + struct ldb_result *res = NULL; + struct ldb_dn *dn; + int num; + int ret; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + dn = ldb_dn_copy(tmp_ctx, leaf_dn); + if (!dn) { + ret = ENOMEM; + goto done; + } + + /* We need to exclude the leaf as that will be the new child entry, + * We also do not care for the synthetic containers that constitute the + * base path (cn=,cn=users,cn=secrets), so in total we remove + * 4 components */ + num = ldb_dn_get_comp_num(dn) - 4; + + for (int i = 0; i < num; i++) { + /* remove the child first (we do not want to check the leaf) */ + if (!ldb_dn_remove_child_components(dn, 1)) return EFAULT; + + /* and check the parent container exists */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "Searching for [%s] at [%s] with scope=base\n", + LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(dn)); + + ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, + attrs, LOCAL_CONTAINER_FILTER); + if (ret != LDB_SUCCESS || res->count != 1) { + DEBUG(SSSDBG_TRACE_LIBS, + "DN [%s] does not exist\n", ldb_dn_get_linearized(dn)); + return ENOENT; + } + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int local_db_check_containers_nest_level(struct local_db_req *lc_req, + struct ldb_dn *leaf_dn) +{ + int nest_level; + + if (lc_req->quota->containers_nest_level == 0) { + return EOK; + } + + /* We need do not care for the synthetic containers that constitute the + * base path (cn=,cn=user,cn=secrets). 
*/ + nest_level = ldb_dn_get_comp_num(leaf_dn) - 3; + if (nest_level > lc_req->quota->containers_nest_level) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot create a nested container of depth %d as the maximum" + "allowed number of nested containers is %d.\n", + nest_level, lc_req->quota->containers_nest_level); + + return ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL; + } + + return EOK; +} + +static struct ldb_dn *per_uid_container(TALLOC_CTX *mem_ctx, + struct ldb_dn *req_dn) +{ + int user_comp; + int num_comp; + struct ldb_dn *uid_base_dn; + + uid_base_dn = ldb_dn_copy(mem_ctx, req_dn); + if (uid_base_dn == NULL) { + return NULL; + } + + /* Remove all the components up to the per-user base path which consists + * of three components: + * cn=,cn=users,cn=secrets + */ + user_comp = ldb_dn_get_comp_num(uid_base_dn) - 3; + + if (!ldb_dn_remove_child_components(uid_base_dn, user_comp)) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot remove child components\n"); + talloc_free(uid_base_dn); + return NULL; + } + + num_comp = ldb_dn_get_comp_num(uid_base_dn); + if (num_comp != 3) { + DEBUG(SSSDBG_OP_FAILURE, "Expected 3 components got %d\n", num_comp); + talloc_free(uid_base_dn); + return NULL; + } + + return uid_base_dn; +} + +static int local_db_check_peruid_number_of_secrets(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req) +{ + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { NULL }; + struct ldb_result *res = NULL; + struct ldb_dn *cli_basedn = NULL; + int ret; + + if (lc_req->quota->max_uid_secrets == 0) { + return EOK; + } + + tmp_ctx = talloc_new(mem_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + cli_basedn = per_uid_container(tmp_ctx, lc_req->req_dn); + if (cli_basedn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ldb_search(lctx->ldb, tmp_ctx, &res, cli_basedn, LDB_SCOPE_SUBTREE, + attrs, LOCAL_SIMPLE_FILTER); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_search returned %d: %s\n", ret, ldb_strerror(ret)); + goto done; + } + + 
if (res->count >= lc_req->quota->max_uid_secrets) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot store any more secrets for this client (basedn %s) " + "as the maximum allowed limit (%d) has been reached\n", + ldb_dn_get_linearized(cli_basedn), + lc_req->quota->max_uid_secrets); + ret = ERR_SEC_INVALID_TOO_MANY_SECRETS; + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +static int local_db_check_number_of_secrets(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req) +{ + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { NULL }; + struct ldb_result *res = NULL; + struct ldb_dn *dn; + int ret; + + if (lc_req->quota->max_secrets == 0) { + return EOK; + } + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + dn = ldb_dn_new(tmp_ctx, lctx->ldb, lc_req->basedn); + if (!dn) { + ret = ENOMEM; + goto done; + } + + ret = ldb_search(lctx->ldb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE, + attrs, LOCAL_SIMPLE_FILTER); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_search returned %d: %s\n", ret, ldb_strerror(ret)); + goto done; + } + + if (res->count >= lc_req->quota->max_secrets) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot store any more secrets as the maximum allowed limit (%d) " + "has been reached\n", lc_req->quota->max_secrets); + ret = ERR_SEC_INVALID_TOO_MANY_SECRETS; + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int local_check_max_payload_size(struct local_db_req *lc_req, + int payload_size) +{ + int max_payload_size; + + if (lc_req->quota->max_payload_size == 0) { + return EOK; + } + + max_payload_size = lc_req->quota->max_payload_size * 1024; /* kb */ + if (payload_size > max_payload_size) { + DEBUG(SSSDBG_OP_FAILURE, + "Secrets' payload size [%d kb (%d)] exceeds the maximum allowed " + "payload size [%d kb (%d)]\n", + payload_size * 1024, /* kb */ + payload_size, + lc_req->quota->max_payload_size, /* kb */ + max_payload_size); + + return 
ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE; + } + + return EOK; +} + +static int local_db_put_simple(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req, + const char *secret) +{ + struct ldb_message *msg; + const char *enctype = "masterkey"; + char *enc_secret; + int ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Adding a secret to [%s]\n", lc_req->path); + + msg = ldb_msg_new(mem_ctx); + if (!msg) { + ret = ENOMEM; + goto done; + } + msg->dn = lc_req->req_dn; + + /* make sure containers exist */ + ret = local_db_check_containers(msg, lctx, msg->dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_db_check_containers failed for [%s]: [%d]: %s\n", + ldb_dn_get_linearized(msg->dn), ret, sss_strerror(ret)); + goto done; + } + + ret = local_db_check_number_of_secrets(msg, lctx, lc_req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_db_check_number_of_secrets failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = local_db_check_peruid_number_of_secrets(msg, lctx, lc_req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_db_check_number_of_secrets failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = local_check_max_payload_size(lc_req, strlen(secret)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_check_max_payload_size failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = local_encrypt(lctx, msg, secret, enctype, &enc_secret); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_encrypt failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = ldb_msg_add_string(msg, "type", "simple"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:simple [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ldb_msg_add_string(msg, "enctype", enctype); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding enctype [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = 
ldb_msg_add_string(msg, "secret", enc_secret); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding secret [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + + ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ldb_add(lctx->ldb, msg); + if (ret != EOK) { + if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { + DEBUG(SSSDBG_OP_FAILURE, + "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); + ret = EEXIST; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add secret [%s]: [%d]: %s\n", + ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret)); + ret = EIO; + } + goto done; + } + + ret = EOK; +done: + talloc_free(msg); + return ret; +} + +static int local_db_delete(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req) +{ + TALLOC_CTX *tmp_ctx; + static const char *attrs[] = { NULL }; + struct ldb_result *res; + int ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Removing a secret from [%s]\n", lc_req->path); + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) return ENOMEM; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Searching for [%s] at [%s] with scope=base\n", + LOCAL_CONTAINER_FILTER, ldb_dn_get_linearized(lc_req->req_dn)); + + ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_BASE, + attrs, LOCAL_CONTAINER_FILTER); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_search returned %d: %s\n", ret, ldb_strerror(ret)); + goto done; + } + + if (res->count == 1) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Searching for children of [%s]\n", ldb_dn_get_linearized(lc_req->req_dn)); + ret = ldb_search(lctx->ldb, tmp_ctx, &res, lc_req->req_dn, LDB_SCOPE_ONELEVEL, + attrs, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_search returned %d: %s\n", ret, ldb_strerror(ret)); + goto done; + } + + if (res->count > 0) { + ret = 
EEXIST; + DEBUG(SSSDBG_OP_FAILURE, + "Failed to remove '%s': Container is not empty\n", + ldb_dn_get_linearized(lc_req->req_dn)); + + goto done; + } + } + + ret = ldb_delete(lctx->ldb, lc_req->req_dn); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_delete returned %d: %s\n", ret, ldb_strerror(ret)); + /* fall through */ + } + ret = sysdb_error_to_errno(ret); + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int local_db_create(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct local_db_req *lc_req) +{ + struct ldb_message *msg; + int ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Creating a container at [%s]\n", lc_req->path); + + msg = ldb_msg_new(mem_ctx); + if (!msg) { + ret = ENOMEM; + goto done; + } + msg->dn = lc_req->req_dn; + + /* make sure containers exist */ + ret = local_db_check_containers(msg, lctx, msg->dn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "local_db_check_containers failed for [%s]: [%d]: %s\n", + ldb_dn_get_linearized(msg->dn), ret, sss_strerror(ret)); + goto done; + } + + ret = local_db_check_containers_nest_level(lc_req, msg->dn); + if (ret != EOK) goto done; + + ret = ldb_msg_add_string(msg, "type", "container"); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding type:container [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ldb_msg_add_fmt(msg, "creationTime", "%lu", time(NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_msg_add_string failed adding creationTime [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ldb_add(lctx->ldb, msg); + if (ret != EOK) { + if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) { + DEBUG(SSSDBG_OP_FAILURE, + "Secret %s already exists\n", ldb_dn_get_linearized(msg->dn)); + ret = EEXIST; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to add secret [%s]: [%d]: %s\n", + ldb_dn_get_linearized(msg->dn), ret, ldb_strerror(ret)); + ret = EIO; + } + goto done; + } + + ret = EOK; + +done: + talloc_free(msg); + return ret; +} 
+ +static int local_secrets_map_path(TALLOC_CTX *mem_ctx, + struct local_context *lctx, + struct sec_req_ctx *secreq, + struct local_db_req **_lc_req) +{ + int ret; + struct local_db_req *lc_req; + struct ldb_context *ldb = lctx->ldb; + + /* be strict for now */ + if (secreq->parsed_url.fragment != NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unrecognized URI fragments: [%s]\n", + secreq->parsed_url.fragment); + return EINVAL; + } + + if (secreq->parsed_url.userinfo != NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unrecognized URI userinfo: [%s]\n", + secreq->parsed_url.userinfo); + return EINVAL; + } + + /* only type simple for now */ + if (secreq->parsed_url.query != NULL) { + ret = strcmp(secreq->parsed_url.query, "type=simple"); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid URI query: [%s]\n", + secreq->parsed_url.query); + return EINVAL; + } + } + + lc_req = talloc(mem_ctx, struct local_db_req); + if (lc_req == NULL) { + return ENOMEM; + } + + /* drop the prefix and select a basedn instead */ + if (strncmp(secreq->mapped_path, + SEC_BASEPATH, sizeof(SEC_BASEPATH) - 1) == 0) { + lc_req->path = talloc_strdup(lc_req, + secreq->mapped_path + (sizeof(SEC_BASEPATH) - 1)); + lc_req->basedn = SECRETS_BASEDN; + lc_req->quota = lctx->quota_secrets; + } else if (strncmp(secreq->mapped_path, + SEC_KCM_BASEPATH, sizeof(SEC_KCM_BASEPATH) - 1) == 0) { + lc_req->path = talloc_strdup(lc_req, + secreq->mapped_path + (sizeof(SEC_KCM_BASEPATH) - 1)); + lc_req->basedn = KCM_BASEDN; + lc_req->quota = lctx->quota_kcm; + } else { + ret = EINVAL; + goto done; + } + + if (lc_req->path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to map request to local db path\n"); + ret = ENOMEM; + goto done; + } + + ret = local_db_dn(mem_ctx, ldb, lc_req->basedn, lc_req->path, &lc_req->req_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to map request to local db DN\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Local DB path is %s\n", lc_req->path); + ret = EOK; + *_lc_req 
= lc_req; +done: + if (ret != EOK) { + talloc_free(lc_req); + } + return ret; +} + +struct local_secret_state { + struct tevent_context *ev; + struct sec_req_ctx *secreq; +}; + +static struct tevent_req *local_secret_req(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + void *provider_ctx, + struct sec_req_ctx *secreq) +{ + struct tevent_req *req; + struct local_secret_state *state; + struct local_context *lctx; + struct sec_data body = { 0 }; + const char *content_type; + bool body_is_json; + struct local_db_req *lc_req; + char *secret; + char **keys; + int nkeys; + int plen; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct local_secret_state); + if (!req) return NULL; + + state->ev = ev; + state->secreq = secreq; + + lctx = talloc_get_type(provider_ctx, struct local_context); + if (!lctx) { + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Received a local secrets request\n"); + + if (sec_req_has_header(secreq, "Content-Type", + "application/json")) { + body_is_json = true; + content_type = "application/json"; + } else if (sec_req_has_header(secreq, "Content-Type", + "application/octet-stream")) { + body_is_json = false; + content_type = "application/octet-stream"; + } else { + DEBUG(SSSDBG_OP_FAILURE, "No or unknown Content-Type\n"); + ret = EINVAL; + goto done; + } + DEBUG(SSSDBG_TRACE_LIBS, "Content-Type: %s\n", content_type); + + ret = local_secrets_map_path(state, lctx, secreq, &lc_req); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot map request path to local path\n"); + goto done; + } + + switch (secreq->method) { + case HTTP_GET: + DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP GET at [%s]\n", lc_req->path); + if (lc_req->path[strlen(lc_req->path) - 1] == '/') { + ret = local_db_list_keys(state, lctx, lc_req, &keys, &nkeys); + if (ret) goto done; + + ret = sec_array_to_json(state, keys, nkeys, &body.data); + if (ret) goto done; + + body.length = strlen(body.data); + break; + } + + ret = local_db_get_simple(state, lctx, lc_req, 
&secret); + if (ret) goto done; + + if (body_is_json) { + ret = sec_simple_secret_to_json(state, secret, &body.data); + if (ret) goto done; + + body.length = strlen(body.data); + } else { + body.data = (void *)sss_base64_decode(state, secret, &body.length); + ret = body.data ? EOK : ENOMEM; + } + if (ret) goto done; + + break; + + case HTTP_PUT: + if (secreq->body.length == 0) { + DEBUG(SSSDBG_OP_FAILURE, "PUT with no data\n"); + ret = EINVAL; + goto done; + } + + DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP PUT at [%s]\n", lc_req->path); + if (body_is_json) { + ret = sec_json_to_simple_secret(state, secreq->body.data, + &secret); + } else { + secret = sss_base64_encode(state, (uint8_t *)secreq->body.data, + secreq->body.length); + ret = secret ? EOK : ENOMEM; + } + if (ret) goto done; + + ret = local_db_put_simple(state, lctx, lc_req, secret); + if (ret) goto done; + break; + + case HTTP_DELETE: + ret = local_db_delete(state, lctx, lc_req); + if (ret) goto done; + break; + + case HTTP_POST: + DEBUG(SSSDBG_TRACE_LIBS, "Processing HTTP POST at [%s]\n", lc_req->path); + plen = strlen(lc_req->path); + + if (lc_req->path[plen - 1] != '/') { + ret = EINVAL; + goto done; + } + + lc_req->path[plen - 1] = '\0'; + + ret = local_db_create(state, lctx, lc_req); + if (ret) goto done; + break; + + default: + ret = EINVAL; + goto done; + } + + if (body.data) { + ret = sec_http_reply_with_body(secreq, &secreq->reply, STATUS_200, + content_type, &body); + } else { + ret = sec_http_status_reply(secreq, &secreq->reply, STATUS_200); + } + +done: + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_LIBS, "Did not find the requested data\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Local secrets request error [%d]: %s\n", + ret, sss_strerror(ret)); + } + tevent_req_error(req, ret); + } else { + /* shortcircuit the request here as all called functions are + * synchronous and final and no further subrequests are made */ + DEBUG(SSSDBG_TRACE_INTERNAL, "Local secrets request 
done\n"); + tevent_req_done(req); + } + return tevent_req_post(req, state->ev); +} + +static int generate_master_key(const char *filename, size_t size) +{ + uint8_t buf[size]; + ssize_t rsize; + int ret; + int fd; + + ret = generate_csprng_buffer(buf, size); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "generate_csprng_buffer failed [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + fd = open(filename, O_CREAT|O_EXCL|O_WRONLY, 0600); + if (fd == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "open(%s) failed [%d]: %s\n", + filename, ret, strerror(ret)); + return ret; + } + + rsize = sss_atomic_write_s(fd, buf, size); + close(fd); + if (rsize != size) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "sss_atomic_write_s failed [%d]: %s\n", + ret, strerror(ret)); + + ret = unlink(filename); + /* non-fatal failure */ + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to remove file: %s - %d [%s]!\n", + filename, ret, sss_strerror(ret)); + } + return EFAULT; + } + + return EOK; +} + +int local_secrets_provider_handle(struct sec_ctx *sctx, + struct provider_handle **out_handle) +{ + const char *mkey = SECRETS_DB_PATH"/.secrets.mkey"; + const char *dbpath = SECRETS_DB_PATH"/secrets.ldb"; + struct provider_handle *handle; + struct local_context *lctx; + ssize_t size; + int mfd; + int ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Creating a local provider handle\n"); + + handle = talloc_zero(sctx, struct provider_handle); + if (!handle) return ENOMEM; + + handle->name = "LOCAL"; + handle->fn = local_secret_req; + + lctx = talloc_zero(handle, struct local_context); + if (!lctx) return ENOMEM; + + lctx->ldb = ldb_init(lctx, NULL); + if (!lctx->ldb) return ENOMEM; + + ret = ldb_connect(lctx->ldb, dbpath, 0, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_TRACE_LIBS, + "ldb_connect(%s) returned %d: %s\n", + dbpath, ret, ldb_strerror(ret)); + talloc_free(lctx->ldb); + return EIO; + } + + lctx->quota_secrets = &sctx->sec_config.quota; + lctx->quota_kcm 
= &sctx->kcm_config.quota; + + lctx->master_key.data = talloc_size(lctx, MKEY_SIZE); + if (!lctx->master_key.data) return ENOMEM; + lctx->master_key.length = MKEY_SIZE; + + ret = check_and_open_readonly(mkey, &mfd, 0, 0, + S_IFREG|S_IRUSR|S_IWUSR, 0); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "No master key, generating a new one..\n"); + + ret = generate_master_key(mkey, MKEY_SIZE); + if (ret) return EFAULT; + ret = check_and_open_readonly(mkey, &mfd, 0, 0, + S_IFREG|S_IRUSR|S_IWUSR, 0); + } + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot generate a master key: %d\n", ret); + return EFAULT; + } + + size = sss_atomic_read_s(mfd, lctx->master_key.data, + lctx->master_key.length); + close(mfd); + if (size < 0 || size != lctx->master_key.length) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot read a master key: %d\n", ret); + return EIO; + } + + handle->context = lctx; + + *out_handle = handle; + DEBUG(SSSDBG_TRACE_INTERNAL, "Local provider handle created\n"); + return EOK; +} diff --git a/src/responder/secrets/providers.c b/src/responder/secrets/providers.c new file mode 100644 index 0000000..d252370 --- /dev/null +++ b/src/responder/secrets/providers.c 
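Review bot: In `local_secret_req`, the GET and POST branches index `lc_req->path[strlen(lc_req->path) - 1]` without checking that the path is non-empty, and POST then writes `lc_req->path[plen - 1] = '\0'`, so an empty path reads, and may write, one byte before the buffer. `local_secrets_map_path` only rejects a NULL `lc_req->path`, and the path looks like it can be empty when the mapped path is exactly the base-path prefix (the KCM mapper in providers.c copies the URL path unchanged), though that depends on definitions outside this hunk. I would reject it at the mapping step, right after the NULL check: `if (lc_req->path[0] == '\0') { ret = EINVAL; goto done; }`. Separately, `local_db_get_simple` sets `ret = EOK` without checking the `talloc_strdup` result in its unencrypted branch, so `*secret` can be NULL on success; `if (*secret == NULL) { ret = ENOMEM; goto done; }` before that assignment closes it.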
@@ -0,0 +1,693 @@ +/* + SSSD + + Secrets Responder + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/secrets/secsrv_private.h" +#include "responder/secrets/secsrv_local.h" +#include "responder/secrets/secsrv_proxy.h" +#include "util/sss_iobuf.h" +#include + +typedef int (*url_mapper_fn)(struct sec_req_ctx *secreq, + char **mapped_path); + +struct url_pfx_router { + const char *prefix; + url_mapper_fn mapper_fn; +}; + +static int sec_map_url_to_user_path(struct sec_req_ctx *secreq, + char **mapped_path) +{ + uid_t c_euid; + + c_euid = client_euid(secreq->cctx->creds); + + /* change path to be user specific */ + *mapped_path = + talloc_asprintf(secreq, SEC_BASEPATH"users/%"SPRIuid"/%s", + c_euid, + &secreq->parsed_url.path[sizeof(SEC_BASEPATH) - 1]); + if (!*mapped_path) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to map request to user specific url\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "User-specific secrets path is [%s]\n", *mapped_path); + return EOK; +} + +static int kcm_map_url_to_path(struct sec_req_ctx *secreq, + char **mapped_path) +{ + uid_t c_euid; + + c_euid = client_euid(secreq->cctx->creds); + if (c_euid != KCM_PEER_UID) { + DEBUG(SSSDBG_CRIT_FAILURE, + "UID %"SPRIuid" is not allowed to access " + "the "SEC_KCM_BASEPATH" hive\n", + c_euid); + return EPERM; + } + + *mapped_path = talloc_strdup(secreq, secreq->parsed_url.path ); + if 
(!*mapped_path) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to map request to user specific url\n"); + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_LIBS, + "User-specific KCM path is [%s]\n", *mapped_path); + return EOK; +} + +static struct url_pfx_router secrets_url_mapping[] = { + { SEC_BASEPATH, sec_map_url_to_user_path }, + { SEC_KCM_BASEPATH, kcm_map_url_to_path }, + { NULL, NULL }, +}; + +int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq, + struct provider_handle **handle) +{ + struct sec_ctx *sctx; + char **sections; + char *def_provider; + char *provider; + int num_sections; + int ret; + url_mapper_fn mapper_fn = NULL; + + sctx = talloc_get_type(secreq->cctx->rctx->pvt_ctx, struct sec_ctx); + + for (int i = 0; secrets_url_mapping[i].prefix != NULL; i++) { + if (strncasecmp(secreq->parsed_url.path, + secrets_url_mapping[i].prefix, + strlen(secrets_url_mapping[i].prefix)) == 0) { + DEBUG(SSSDBG_TRACE_LIBS, + "Mapping prefix %s\n", secrets_url_mapping[i].prefix); + mapper_fn = secrets_url_mapping[i].mapper_fn; + break; + } + } + + if (mapper_fn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Path [%s] does not start with any allowed prefix\n", + secreq->parsed_url.path); + return EPERM; + } + + ret = mapper_fn(secreq, &secreq->mapped_path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to map the user path [%d]: %s\n", + ret, sss_strerror(ret)); + return ret; + } + + /* source default provider */ + ret = confdb_get_string(secreq->cctx->rctx->cdb, mem_ctx, + CONFDB_SEC_CONF_ENTRY, "provider", "LOCAL", + &def_provider); + if (ret) return EIO; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "The default provider is '%s'\n", def_provider); + + ret = confdb_get_sub_sections(mem_ctx, secreq->cctx->rctx->cdb, + CONFDB_SEC_CONF_ENTRY, §ions, + &num_sections); + if (ret != EOK) return ret; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "confdb section %s has %d sub-sections\n", + CONFDB_SEC_CONF_ENTRY, num_sections); + + provider = def_provider; + + // TODO order by length? 
+ for (int i = 0; i < num_sections; i++) { + int slen; + + secreq->base_path = talloc_asprintf(secreq, SEC_BASEPATH"%s/", sections[i]); + if (!secreq->base_path) return ENOMEM; + slen = strlen(secreq->base_path); + + DEBUG(SSSDBG_TRACE_INTERNAL, + "matching subsection [%s]\n", sections[i]); + + if (strncmp(secreq->base_path, secreq->mapped_path, slen) == 0) { + char *secname; + + secname = talloc_asprintf(mem_ctx, CONFDB_SEC_CONF_ENTRY"/%s", + sections[i]); + if (!secname) return ENOMEM; + + provider = NULL; + ret = confdb_get_string(secreq->cctx->rctx->cdb, mem_ctx, + secname, "provider", def_provider, + &provider); + if (ret || !provider) return EIO; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "matched subsection %s with provider %s\n", + sections[i], provider); + + secreq->cfg_section = talloc_steal(secreq, secname); + if (!secreq->cfg_section) return ENOMEM; + break; + } + talloc_zfree(secreq->base_path); + } + + if (!secreq->base_path) secreq->base_path = SEC_BASEPATH; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Request base path is [%s]\n", secreq->base_path); + DEBUG(SSSDBG_TRACE_INTERNAL, + "Request provider is [%s]\n", provider); + + ret = sec_get_provider(sctx, provider, handle); + if (ret == ENOENT) { + if (strcasecmp(provider, "LOCAL") == 0) { + ret = local_secrets_provider_handle(sctx, handle); + } else if (strcasecmp(provider, "PROXY") == 0) { + ret = proxy_secrets_provider_handle(sctx, handle); + } else { + DEBUG(SSSDBG_FATAL_FAILURE, + "Unknown provider type: %s\n", provider); + ret = EIO; + } + if (ret == EOK) { + ret = sec_add_provider(sctx, *handle); + } + } + + return ret; +} + +int sec_provider_recv(struct tevent_req *req) { + TEVENT_REQ_RETURN_ON_ERROR(req); + DEBUG(SSSDBG_TRACE_INTERNAL, "Request finished\n"); + return EOK; +} + +static struct sec_http_status_format_table { + int status; + const char *text; + const char *description; +} sec_http_status_format_table[] = { + { 200, "OK", "Success" }, + { 400, "Bad Request", + "The request format is invalid." 
}, + { 401, "Unauthorized", + "Access to the requested resource requires authentication." }, + { 403, "Forbidden", + "Access to the requested resource is forbidden." }, + { 404, "Not Found", + "The requested resource was not found." }, + { 405, "Method Not Allowed", + "Request method not allowed for this resource." }, + { 406, "Not Acceptable", + "The request cannot be accepted." }, + { 409, "Conflict", + "The requested resource already exists." }, + { 413, "Payload Too Large", + "The secret payload is too large." }, + { 500, "Internal Server Error", + "The server encountered an internal error." }, + { 504, "Gateway timeout", + "No response from a proxy server." }, + { 507, "Insufficient Storage", + "The server is unable to store the resource needed to complete the request." }, +}; + +int sec_http_status_reply(TALLOC_CTX *mem_ctx, struct sec_data *reply, + enum sec_http_status_codes code) +{ + char *body = talloc_asprintf(mem_ctx, + "\r\n" + "\r\n%d %s\r\n" + "\r\n" + "

%s

\r\n" + "

%s

\r\n" + "", + sec_http_status_format_table[code].status, + sec_http_status_format_table[code].text, + sec_http_status_format_table[code].text, + sec_http_status_format_table[code].description); + if (!body) return ENOMEM; + + reply->data = talloc_asprintf(mem_ctx, + "HTTP/1.1 %d %s\r\n" + "Content-Length: %u\r\n" + "Content-Type: text/html\r\n" + "\r\n" + "%s", + sec_http_status_format_table[code].status, + sec_http_status_format_table[code].text, + (unsigned)strlen(body), body); + talloc_free(body); + if (!reply->data) return ENOMEM; + + reply->length = strlen(reply->data); + + DEBUG(SSSDBG_TRACE_LIBS, + "HTTP reply %d: %s\n", + sec_http_status_format_table[code].status, + sec_http_status_format_table[code].text); + + return EOK; +} + +int sec_http_reply_with_body(TALLOC_CTX *mem_ctx, struct sec_data *reply, + enum sec_http_status_codes code, + const char *content_type, + struct sec_data *body) +{ + int head_size; + + reply->data = talloc_asprintf(mem_ctx, + "HTTP/1.1 %d %s\r\n" + "Content-Type: %s\r\n" + "Content-Length: %zu\r\n" + "\r\n", + sec_http_status_format_table[code].status, + sec_http_status_format_table[code].text, + content_type, body->length); + if (!reply->data) return ENOMEM; + + head_size = strlen(reply->data); + + reply->data = talloc_realloc(mem_ctx, reply->data, char, + head_size + body->length); + if (!reply->data) return ENOMEM; + + memcpy(&reply->data[head_size], body->data, body->length); + reply->length = head_size + body->length; + + DEBUG(SSSDBG_TRACE_LIBS, + "HTTP reply %d: %s\n", + sec_http_status_format_table[code].status, + sec_http_status_format_table[code].text); + + return EOK; +} + +int sec_http_append_header(TALLOC_CTX *mem_ctx, char **dest, + char *field, char *value) +{ + if (*dest == NULL) { + *dest = talloc_asprintf(mem_ctx, "%s: %s\r\n", field, value); + } else { + *dest = talloc_asprintf_append_buffer(*dest, "%s: %s\r\n", + field, value); + } + if (!*dest) return ENOMEM; + + return EOK; +} + +int 
sec_http_reply_with_headers(TALLOC_CTX *mem_ctx, struct sec_data *reply,
+ int status_code, const char *reason,
+ struct sec_kvp *headers, int num_headers,
+ struct sec_data *body)
+{
+ const char *reason_phrase = reason ? reason : "";
+ bool add_content_length = true;
+ bool has_content_type = false;
+ int ret;
+
+ /* Status-Line */
+ reply->data = talloc_asprintf(mem_ctx, "HTTP/1.1 %d %s\r\n",
+ status_code, reason_phrase);
+ if (!reply->data) return ENOMEM;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "HTTP reply %d: %s\n", status_code, reason_phrase);
+
+ /* Headers */
+ for (int i = 0; i < num_headers; i++) {
+ if (strcasecmp(headers[i].name, "Content-Length") == 0) {
+ add_content_length = false;
+ } else if (strcasecmp(headers[i].name, "Content-Type") == 0) {
+ has_content_type = true;
+ }
+ ret = sec_http_append_header(mem_ctx, &reply->data,
+ headers[i].name, headers[i].value);
+ if (ret) return ret;
+ }
+
+ if (!has_content_type) {
+ DEBUG(SSSDBG_OP_FAILURE, "No Content-Type header\n");
+ return EINVAL;
+ }
+
+ if (add_content_length) {
+ reply->data = talloc_asprintf_append_buffer(reply->data,
+ "Content-Length: %u\r\n", (unsigned)body->length);
+ if (!reply->data) return ENOMEM;
+ }
+
+ /* CRLF separator before body */
+ reply->data = talloc_strdup_append_buffer(reply->data, "\r\n");
+
+ reply->length = strlen(reply->data);
+
+ /* Message-Body */
+ if (body && body->length) {
+ reply->data = talloc_realloc(mem_ctx, reply->data, char,
+ reply->length + body->length);
+ if (!reply->data) return ENOMEM;
+
+ memcpy(&reply->data[reply->length], body->data, body->length);
+ reply->length += body->length;
+ }
+
+ return EOK;
+}
+
+static errno_t
+sec_http_iobuf_split(struct sss_iobuf *response,
+ const char **headers,
+ const char **body)
+{
+ const char *data = (const char *)sss_iobuf_get_data(response);
+ char *delim;
+
+ /* The last header ends with \r\n and then comes \r\n again as a separator
+ * of body from headers. We can use this to find this point. */
+ delim = strstr(data, "\r\n\r\n");
+ if (delim == NULL) {
+ return EINVAL;
+ }
+
+ /* Skip to the body delimiter. */
+ delim = delim + sizeof("\r\n") - 1;
+
+ /* Replace \r\n with zeros turning data into:
+ * from HEADER\r\nBODY into HEADER\0\0BODY format. */
+ delim[0] = '\0';
+ delim[1] = '\0';
+
+ /* Split the buffer. */
+ *headers = data;
+ *body = delim + 2;
+
+ return 0;
+}
+
+static const char *
+sec_http_iobuf_add_content_length(TALLOC_CTX *mem_ctx,
+ const char *headers,
+ size_t body_len)
+{
+ /* If Content-Length is already present we do nothing. */
+ if (strstr(headers, "Content-Length:") != NULL) {
+ return headers;
+ }
+
+ return talloc_asprintf(mem_ctx, "%sContent-Length: %zu\r\n",
+ headers, body_len);
+}
+
+errno_t sec_http_reply_iobuf(TALLOC_CTX *mem_ctx,
+ struct sec_data *reply,
+ int response_code,
+ struct sss_iobuf *response)
+{
+ const char *headers;
+ const char *body;
+ size_t body_len;
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "HTTP reply %d\n", response_code);
+
+ ret = sec_http_iobuf_split(response, &headers, &body);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unexpected HTTP reply, returning what we got from server\n");
+ reply->data = (char *)sss_iobuf_get_data(response);
+ reply->length = sss_iobuf_get_len(response);
+
+ return EOK;
+ }
+
+ /* Add Content-Length header if not present so client does not await
+ * not-existing incoming data. */
+ body_len = strlen(body);
+ headers = sec_http_iobuf_add_content_length(mem_ctx, headers, body_len);
+ if (headers == NULL) {
+ return ENOMEM;
+ }
+
+ reply->length = strlen(headers) + sizeof("\r\n") - 1 + body_len;
+ reply->data = talloc_asprintf(mem_ctx, "%s\r\n%s", headers, body);
+ if (reply->data == NULL) {
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+enum sec_http_status_codes sec_errno_to_http_status(errno_t err)
+{
+ DEBUG(SSSDBG_TRACE_LIBS, "Request errno: %d\n", err);
+
+ switch (err) {
+ case EOK:
+ return STATUS_200;
+ case EINVAL:
+ return STATUS_400;
+ case EACCES:
+ return STATUS_401;
+ case EPERM:
+ return STATUS_403;
+ case ENOENT:
+ return STATUS_404;
+ case EISDIR:
+ return STATUS_405;
+ case EMEDIUMTYPE:
+ case ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL:
+ return STATUS_406;
+ case EEXIST:
+ return STATUS_409;
+ case ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE:
+ return STATUS_413;
+ case ERR_SEC_NO_PROXY:
+ return STATUS_504;
+ case ERR_SEC_INVALID_TOO_MANY_SECRETS:
+ return STATUS_507;
+ default:
+ return STATUS_500;
+ }
+}
+
+int sec_json_to_simple_secret(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **secret)
+{
+ json_t *root;
+ json_t *element;
+ json_error_t error;
+ int ret;
+
+ root = json_loads(input, 0, &error);
+ if (!root) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse JSON payload on line %d: %s\n",
+ error.line, error.text);
+ return EINVAL;
+ }
+
+ if (!json_is_object(root)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Json data is not an object.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ element = json_object_get(root, "type");
+ if (!element) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Json data key 'type' not found.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ if (!json_is_string(element)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Json object 'type' is not a string.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ if (strcmp(json_string_value(element), "simple") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Token type is not 'simple'.\n");
+ ret = EMEDIUMTYPE;
+ goto done;
+ }
+
+ element =
json_object_get(root, "value"); + if (!element) { + DEBUG(SSSDBG_CRIT_FAILURE, "Json key 'value' not found.\n"); + ret = EINVAL; + goto done; + } + if (!json_is_string(element)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Json object 'value' is not a string.\n"); + ret = EINVAL; + goto done; + } + + *secret = talloc_strdup(mem_ctx, json_string_value(element)); + if (!*secret) { + ret = ENOMEM; + } else { + ret = EOK; + } + +done: + json_decref(root); + return ret; +} + +int sec_simple_secret_to_json(TALLOC_CTX *mem_ctx, + const char *secret, + char **output) +{ + char *jsonized = NULL; + json_t *root; + int ret; + + root = json_pack("{s:s, s:s}", "type", "simple", "value", secret); + if (!root) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to pack Json object\n"); + return ENOMEM; + } + + jsonized = json_dumps(root, JSON_INDENT(4)); + if (!jsonized) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to dump Json object\n"); + ret = ENOMEM; + goto done; + } + + *output = talloc_strdup(mem_ctx, jsonized); + if (!*output) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + json_decref(root); + free(jsonized); + return ret; +} + +int sec_array_to_json(TALLOC_CTX *mem_ctx, + char **array, int count, + char **output) +{ + char *jsonized = NULL; + json_t *root; + int ret; + + root = json_array(); + if (root == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to create Json array\n"); + ret = ENOMEM; + goto done; + } + + for (int i = 0; i < count; i++) { + // FIXME: json_string mem leak? 
+ // FIXME: Error checking + json_array_append_new(root, json_string(array[i])); + } + + jsonized = json_dumps(root, JSON_INDENT(4)); + if (!jsonized) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to dump Json object\n"); + ret = ENOMEM; + goto done; + } + + *output = talloc_strdup(mem_ctx, jsonized); + if (!*output) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + json_decref(root); + free(jsonized); + return ret; +} + +int sec_get_provider(struct sec_ctx *sctx, const char *name, + struct provider_handle **out_handle) +{ + struct provider_handle *handle; + + for (int i = 0; sctx->providers && sctx->providers[i]; i++) { + handle = sctx->providers[i]; + if (strcasecmp(handle->name, name) != 0) { + continue; + } + *out_handle = handle; + return EOK; + } + + DEBUG(SSSDBG_MINOR_FAILURE, "No handle for provider %s\n", name); + return ENOENT; +} + +int sec_add_provider(struct sec_ctx *sctx, struct provider_handle *handle) +{ + int c; + + for (c = 0; sctx->providers && sctx->providers[c]; c++) + continue; + + sctx->providers = talloc_realloc(sctx, sctx->providers, + struct provider_handle *, c + 2); + if (!sctx->providers) return ENOMEM; + + sctx->providers[c] = talloc_steal(sctx, handle); + sctx->providers[c + 1] = NULL; + + return EOK; +} + +bool sec_req_has_header(struct sec_req_ctx *req, + const char *name, const char *value) +{ + for (int i = 0; i < req->num_headers; i++) { + if (strcasecmp(name, req->headers[i].name) == 0) { + if (value == NULL) return true; + return (strcasecmp(value, req->headers[i].value) == 0); + } + } + return false; +} diff --git a/src/responder/secrets/proxy.c b/src/responder/secrets/proxy.c new file mode 100644 index 0000000..a910b38 --- /dev/null +++ b/src/responder/secrets/proxy.c 
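Review bot: sec_http_iobuf_split() and sec_http_reply_iobuf() treat the proxied server's response as a NUL-terminated string: `strstr(data, "\r\n\r\n")`, `strlen(body)` and the `"%s\r\n%s"` format all stop at the first zero byte, although the buffer's size is available from `sss_iobuf_get_len(response)`. Unless sss_iobuf guarantees a trailing NUL (not visible in this hunk), the search can read past the end of the buffer, and a body that contains a zero byte is truncated while the generated Content-Length shrinks with it. The split should be bounded by the buffer length and hand back the body length, as sketched below, and the caller should then assemble the reply with `talloc_size()` and `memcpy()` rather than a `%s` format, the way sec_http_reply_with_body() copies its body. Separately, sec_http_reply_with_headers() reads `body->length` when adding Content-Length but tests `body &&` a few lines later, so one of the two assumptions about a NULL body is wrong.

```c
static errno_t
sec_http_iobuf_split(struct sss_iobuf *response,
                     const char **headers,
                     const char **body,
                     size_t *body_len)
{
    char *data = (char *)sss_iobuf_get_data(response);
    size_t len = sss_iobuf_get_len(response);
    char *delim = NULL;

    /* Bounded search for the header/body separator: the buffer is
     * length-delimited, not a C string. */
    for (size_t i = 0; i + 4 <= len; i++) {
        if (memcmp(&data[i], "\r\n\r\n", 4) == 0) {
            delim = &data[i + 2];
            break;
        }
    }
    if (delim == NULL) {
        return EINVAL;
    }

    /* … unchanged: zero the separator, set *headers and *body … */

    *body_len = len - (size_t)(*body - data);
    return 0;
}
```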
@@ -0,0 +1,598 @@ +/* + SSSD + + Secrets Responder + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "responder/secrets/secsrv_private.h" +#include "util/crypto/sss_crypto.h" +#include "resolv/async_resolv.h" +#include "util/sss_sockets.h" +#include "util/sss_iobuf.h" +#include "util/tev_curl.h" + +#define SEC_PROXY_TIMEOUT 5 + +struct proxy_context { + struct confdb_ctx *cdb; + struct tcurl_ctx *tcurl; +}; + +enum proxy_auth_type { + PAT_NONE = 0, + PAT_BASIC_AUTH = 1, + PAT_HEADER = 2, +}; + +struct pat_basic_auth { + char *username; + char *password; +}; + +struct pat_header { + char *name; + char *value; +}; + +struct proxy_cfg { + char *url; + char **fwd_headers; + int num_headers; + enum proxy_auth_type auth_type; + union { + struct pat_basic_auth basic; + struct pat_header header; + } auth; + + char *key; + char *cert; + char *cacert; + char *capath; + bool verify_peer; + bool verify_host; +}; + +static int proxy_get_config_string(struct proxy_context *pctx, + TALLOC_CTX *ctx, bool not_null, + struct sec_req_ctx *secreq, + const char *name, char **value) +{ + int ret; + + ret = confdb_get_string(pctx->cdb, ctx, + secreq->cfg_section, name, NULL, value); + if (not_null && (ret == 0) && (*value == NULL)) ret = EINVAL; + return ret; +} + +static int proxy_sec_get_cfg(struct proxy_context *pctx, + TALLOC_CTX *mem_ctx, + struct sec_req_ctx *secreq, + struct proxy_cfg 
**target) +{ + struct proxy_cfg *cfg; + char *auth_type; + int ret; + + /* find matching remote and build the URI */ + cfg = talloc_zero(mem_ctx, struct proxy_cfg); + if (!cfg) return ENOMEM; + + ret = proxy_get_config_string(pctx, cfg, true, secreq, + "proxy_url", &cfg->url); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "proxy_url: %s\n", cfg->url); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "auth_type", &auth_type); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "auth_type: %s\n", auth_type); + + if (auth_type) { + if (strcmp(auth_type, "basic_auth") == 0) { + cfg->auth_type = PAT_BASIC_AUTH; + ret = proxy_get_config_string(pctx, cfg, true, secreq, "username", + &cfg->auth.basic.username); + DEBUG(SSSDBG_CONF_SETTINGS, + "username: %s\n", cfg->auth.basic.username); + + if (ret) goto done; + ret = proxy_get_config_string(pctx, cfg, true, secreq, "password", + &cfg->auth.basic.password); + if (ret) goto done; + } else if (strcmp(auth_type, "header") == 0) { + cfg->auth_type = PAT_HEADER; + ret = proxy_get_config_string(pctx, cfg, true, secreq, + "auth_header_name", + &cfg->auth.header.name); + DEBUG(SSSDBG_CONF_SETTINGS, + "auth_header_name: %s\n", cfg->auth.basic.username); + + if (ret) goto done; + ret = proxy_get_config_string(pctx, cfg, true, secreq, + "auth_header_value", + &cfg->auth.header.value); + if (ret) goto done; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown auth type!\n"); + ret = EINVAL; + goto done; + } + } + + ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_peer", + true, &cfg->verify_peer); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "verify_peer: %s\n", + cfg->verify_peer ? "true" : "false"); + + ret = confdb_get_bool(pctx->cdb, secreq->cfg_section, "verify_host", + true, &cfg->verify_host); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "verify_host: %s\n", + cfg->verify_host ? 
"true" : "false"); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "capath", &cfg->capath); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "capath: %s\n", cfg->capath); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "cacert", &cfg->cacert); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "cacert: %s\n", cfg->cacert); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "cert", &cfg->cert); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "cert: %s\n", cfg->cert); + + ret = proxy_get_config_string(pctx, cfg, false, secreq, + "key", &cfg->key); + if (ret) goto done; + DEBUG(SSSDBG_CONF_SETTINGS, "key: %s\n", cfg->key); + + ret = confdb_get_string_as_list(pctx->cdb, cfg, secreq->cfg_section, + "forward_headers", &cfg->fwd_headers); + if ((ret != 0) && (ret != ENOENT)) goto done; + + while (cfg->fwd_headers && cfg->fwd_headers[cfg->num_headers]) { + DEBUG(SSSDBG_CONF_SETTINGS, + "Forwarding header: %s\n", cfg->fwd_headers[cfg->num_headers]); + cfg->num_headers++; + } + + /* Always whitelist Content-Type and Content-Length */ + cfg->fwd_headers = talloc_realloc(cfg, cfg->fwd_headers, char *, + cfg->num_headers + 3); + if (!cfg->fwd_headers) { + ret = ENOMEM; + goto done; + } + cfg->fwd_headers[cfg->num_headers] = talloc_strdup(cfg, "Content-Type"); + if (!cfg->fwd_headers[cfg->num_headers]) { + ret = ENOMEM; + goto done; + } + cfg->num_headers++; + cfg->fwd_headers[cfg->num_headers] = talloc_strdup(cfg, "Content-Length"); + if (!cfg->fwd_headers[cfg->num_headers]) { + ret = ENOMEM; + goto done; + } + cfg->num_headers++; + cfg->fwd_headers[cfg->num_headers] = NULL; + ret = EOK; + +done: + if (ret) talloc_free(cfg); + else *target = cfg; + return ret; +} + +#define REQ_HAS_SCHEMA(secreq) ((secreq)->parsed_url.schema != NULL) +#define REQ_HAS_HOST(secreq) ((secreq)->parsed_url.host != NULL) +#define REQ_HAS_PORT(secreq) ((secreq)->parsed_url.port != 0) +#define REQ_HAS_PATH(secreq) ((secreq)->parsed_url.path != NULL) 
+#define REQ_HAS_QUERY(secreq) ((secreq)->parsed_url.query != NULL)
+#define REQ_HAS_FRAGMENT(secreq) ((secreq)->parsed_url.fragment != NULL)
+#define REQ_HAS_USERINFO(secreq) ((secreq)->parsed_url.userinfo != NULL)
+
+#define SECREQ_HAS_PORT(secreq) ((secreq)->parsed_url.port != 0)
+#define SECREQ_PORT(secreq) ((secreq)->parsed_url.port)
+
+#define SECREQ_HAS_PART(secreq, part) ((secreq)->parsed_url.part != NULL)
+#define SECREQ_PART(secreq, part) \
+ ((secreq)->parsed_url.part ? (secreq)->parsed_url.part : "")
+
+int proxy_sec_map_url(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq,
+ struct proxy_cfg *pcfg, char **req_url)
+{
+ char port[6] = { 0 };
+ char *url;
+ int blen;
+ int ret;
+
+ if (SECREQ_HAS_PORT(secreq)) {
+ ret = snprintf(port, 6, "%d", SECREQ_PORT(secreq));
+ if (ret < 1 || ret > 5) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed\n");
+ return EINVAL;
+ }
+ }
+
+ blen = strlen(secreq->base_path);
+
+ url = talloc_asprintf(mem_ctx, "%s%s%s%s%s%s%s%s/%s%s%s%s%s",
+ SECREQ_PART(secreq, schema),
+ SECREQ_HAS_PART(secreq, schema) ? "://" : "",
+ SECREQ_PART(secreq, userinfo),
+ SECREQ_HAS_PART(secreq, userinfo) ? "@" : "",
+ SECREQ_PART(secreq, host),
+ SECREQ_HAS_PORT(secreq) ? ":" : "",
+ SECREQ_HAS_PORT(secreq) ? port : "",
+ pcfg->url, &secreq->mapped_path[blen],
+ SECREQ_HAS_PART(secreq, query) ? "?" :"",
+ SECREQ_PART(secreq, query),
+ SECREQ_HAS_PART(secreq, fragment) ? "?" :"",
+ SECREQ_PART(secreq, fragment));
+ if (!url) return ENOMEM;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "URL: %s\n", url);
+
+ *req_url = url;
+ return EOK;
+}
+
+static errno_t proxy_http_append_header(TALLOC_CTX *mem_ctx,
+ const char *name,
+ const char *value,
+ const char ***_headers,
+ size_t *_num_headers)
+{
+ const char **headers = *_headers;
+ size_t num_headers = *_num_headers;
+
+ num_headers++;
+ headers = talloc_realloc(mem_ctx, headers, const char *,
+ num_headers + 1);
+ if (headers == NULL) {
+ return ENOMEM;
+ }
+
+ headers[num_headers - 1] = talloc_asprintf(headers, "%s: %s", name, value);
+ if (headers[num_headers - 1] == NULL) {
+ return ENOMEM;
+ }
+
+ headers[num_headers] = NULL;
+
+ *_headers = headers;
+ *_num_headers = num_headers;
+
+ return EOK;
+}
+
+static const char **
+proxy_http_create_headers(TALLOC_CTX *mem_ctx,
+ struct sec_req_ctx *secreq,
+ struct proxy_cfg *pcfg)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **headers;
+ size_t num_headers;
+ errno_t ret;
+ int i, j;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
+ return NULL;
+ }
+
+ headers = talloc_zero_array(tmp_ctx, const char *, 1);
+ if (headers == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ num_headers = 0;
+ for (i = 0; i < secreq->num_headers; i++) {
+ for (j = 0; pcfg->fwd_headers[j]; j++) {
+ if (strcasecmp(secreq->headers[i].name, pcfg->fwd_headers[j]) == 0) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Forwarding header %s: %s\n",
+ secreq->headers[i].name, secreq->headers[i].value);
+
+ ret = proxy_http_append_header(tmp_ctx, secreq->headers[i].name,
+ secreq->headers[i].value,
+ &headers, &num_headers);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ break;
+ }
+ }
+ }
+
+ if (pcfg->auth_type == PAT_HEADER) {
+ DEBUG(SSSDBG_TRACE_LIBS, "Forwarding header %s\n",
+ pcfg->auth.header.name);
+
+ ret = proxy_http_append_header(tmp_ctx, pcfg->auth.header.name,
+ pcfg->auth.header.value,
+ &headers, &num_headers);
+ if (ret != EOK) {
+ goto
done; + } + } + + talloc_steal(mem_ctx, headers); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + return NULL; + } + + return headers; +} + +static errno_t proxy_http_create_request(TALLOC_CTX *mem_ctx, + struct sec_req_ctx *secreq, + struct proxy_cfg *pcfg, + const char *url, + struct tcurl_request **_tcurl_req) +{ + TALLOC_CTX *tmp_ctx; + struct tcurl_request *tcurl_req; + enum tcurl_http_method method; + struct sss_iobuf *body; + const char **headers; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n"); + return ENOMEM; + } + + headers = proxy_http_create_headers(tmp_ctx, secreq, pcfg); + if (headers == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to construct HTTP headers!\n"); + ret = ENOMEM; + goto done; + } + + body = sss_iobuf_init_readonly(tmp_ctx, (uint8_t *)secreq->body.data, + secreq->body.length); + if (body == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create HTTP body!\n"); + ret = ENOMEM; + goto done; + } + + switch (secreq->method) { + case HTTP_GET: + method = TCURL_HTTP_GET; + break; + case HTTP_PUT: + method = TCURL_HTTP_PUT; + break; + case HTTP_POST: + method = TCURL_HTTP_POST; + break; + case HTTP_DELETE: + method = TCURL_HTTP_DELETE; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected HTTP method: %d\n", + secreq->method); + ret = EINVAL; + goto done; + } + + tcurl_req = tcurl_http(tmp_ctx, method, NULL, url, headers, body); + if (tcurl_req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create TCURL request!\n"); + ret = ENOMEM; + goto done; + } + + /* TCURL will return response buffer also with headers. */ + ret = tcurl_req_enable_rawoutput(tcurl_req); + if (ret != EOK) { + goto done; + } + + /* Set TLS settings to verify peer. + * This has no effect for HTTP protocol so we can set it anyway. 
*/ + ret = tcurl_req_verify_peer(tcurl_req, pcfg->capath, pcfg->cacert, + pcfg->verify_peer, pcfg->verify_host); + if (ret != EOK) { + goto done; + } + + /* Set client's certificate if required. */ + if (pcfg->cert != NULL) { + ret = tcurl_req_set_client_cert(tcurl_req, pcfg->cert, pcfg->key); + if (ret != EOK) { + goto done; + } + } + + /* Set basic authentication if required. */ + if (pcfg->auth_type == PAT_BASIC_AUTH) { + ret = tcurl_req_http_basic_auth(tcurl_req, pcfg->auth.basic.username, + pcfg->auth.basic.password); + if (ret != EOK) { + goto done; + } + } + + talloc_steal(tcurl_req, body); + *_tcurl_req = talloc_steal(mem_ctx, tcurl_req); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +struct proxy_secret_state { + struct tevent_context *ev; + struct sec_req_ctx *secreq; + struct proxy_cfg *pcfg; +}; +static void proxy_secret_req_done(struct tevent_req *subreq); + +struct tevent_req *proxy_secret_req(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + void *provider_ctx, + struct sec_req_ctx *secreq) +{ + struct tevent_req *req, *subreq; + struct proxy_secret_state *state; + struct tcurl_request *tcurl_req; + struct proxy_context *pctx; + char *http_uri; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct proxy_secret_state); + if (!req) return NULL; + + state->ev = ev; + state->secreq = secreq; + + pctx = talloc_get_type(provider_ctx, struct proxy_context); + if (!pctx) { + ret = EIO; + goto done; + } + + ret = proxy_sec_get_cfg(pctx, state, state->secreq, &state->pcfg); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "proxy_sec_get_cfg failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = proxy_sec_map_url(state, secreq, state->pcfg, &http_uri); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "proxy_sec_map_url failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ret = proxy_http_create_request(state, state->secreq, state->pcfg, + http_uri, &tcurl_req); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + 
"proxy_http_create_request failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + subreq = tcurl_request_send(mem_ctx, ev, pctx->tcurl, tcurl_req, + SEC_PROXY_TIMEOUT); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, proxy_secret_req_done, req); + + return req; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + /* shortcircuit the request here as all called functions are + * synchronous and final and no further subrequests have been + * made if we get here */ + tevent_req_done(req); + } + + return tevent_req_post(req, ev); +} + +static void proxy_secret_req_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct proxy_secret_state *state; + struct sss_iobuf *response; + int http_code; + int ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct proxy_secret_state); + + ret = tcurl_request_recv(state, subreq, &response, &http_code); + talloc_zfree(subreq); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "proxy_http request failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + return; + } + + ret = sec_http_reply_iobuf(state->secreq, &state->secreq->reply, + http_code, response); + if (ret == EOK) { + tevent_req_done(req); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sec_http_reply_iobuf request failed [%d]: %s\n", + ret, sss_strerror(ret)); + tevent_req_error(req, ret); + } +} + +int proxy_secrets_provider_handle(struct sec_ctx *sctx, + struct provider_handle **out_handle) +{ + struct provider_handle *handle; + struct proxy_context *pctx; + + handle = talloc_zero(sctx, struct provider_handle); + if (!handle) return ENOMEM; + + handle->name = "PROXY"; + handle->fn = proxy_secret_req; + + pctx = talloc(handle, struct proxy_context); + if (!pctx) return ENOMEM; + + pctx->cdb = sctx->rctx->cdb; + pctx->tcurl = tcurl_init(pctx, sctx->rctx->ev); + if (pctx->tcurl == NULL) { + talloc_free(pctx); + return 
ENOMEM; + } + + handle->context = pctx; + + *out_handle = handle; + return EOK; +} diff --git a/src/responder/secrets/secsrv.c b/src/responder/secrets/secsrv.c new file mode 100644 index 0000000..7a736a2 --- /dev/null +++ b/src/responder/secrets/secsrv.c 
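Review bot: In proxy_sec_map_url() the fragment is joined with `"?"` instead of `"#"`, so a request that carries both a query and a fragment yields a URL with two `?` separators; the argument should read `SECREQ_HAS_PART(secreq, fragment) ? "#" : "",`. The same format string places the request's own schema, userinfo, host and port in front of the configured `pcfg->url`; if the URL parser ever fills those fields for a client request (not visible in this hunk), the outgoing URL no longer starts with the administrator's endpoint, so it is safer to build it from `pcfg->url` and the mapped path alone. In proxy_http_create_headers() the trace message prints forwarded header values, which can hold credentials when such a header is listed in forward_headers; logging only the name, `DEBUG(SSSDBG_TRACE_LIBS, "Forwarding header %s\n", secreq->headers[i].name);`, matches what the PAT_HEADER branch already does.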
@@ -0,0 +1,386 @@ +/* + SSSD + + Secrets Responder + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include +#include +#include + +#include "responder/common/responder.h" +#include "responder/secrets/secsrv.h" +#include "resolv/async_resolv.h" + +#define DEFAULT_SEC_FD_LIMIT 2048 +#define DEFAULT_SEC_CONTAINERS_NEST_LEVEL 4 + +#define DEFAULT_SEC_MAX_SECRETS 1024 +#define DEFAULT_SEC_MAX_UID_SECRETS 256 +#define DEFAULT_SEC_MAX_PAYLOAD_SIZE 16 + +/* The number of secrets in the /kcm hive should be quite small, + * but the secret size must be large because one secret in the /kcm + * hive holds the whole ccache which consists of several credentials + */ +#define DEFAULT_SEC_KCM_MAX_SECRETS 256 +#define DEFAULT_SEC_KCM_MAX_UID_SECRETS 64 +#define DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE 65536 + +static int sec_get_quota(struct sec_ctx *sctx, + const char *section_config_path, + int default_max_containers_nest_level, + int default_max_num_secrets, + int default_max_num_uid_secrets, + int default_max_payload, + struct sec_quota *quota) +{ + int ret; + + ret = confdb_get_int(sctx->rctx->cdb, + section_config_path, + CONFDB_SEC_CONTAINERS_NEST_LEVEL, + default_max_containers_nest_level, + "a->containers_nest_level); + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get container nesting level for %s\n", + section_config_path); + return ret; + } + + ret = 
confdb_get_int(sctx->rctx->cdb, + section_config_path, + CONFDB_SEC_MAX_SECRETS, + default_max_num_secrets, + "a->max_secrets); + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get maximum number of entries for %s\n", + section_config_path); + return ret; + } + + ret = confdb_get_int(sctx->rctx->cdb, + section_config_path, + CONFDB_SEC_MAX_UID_SECRETS, + default_max_num_uid_secrets, + "a->max_uid_secrets); + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get maximum number of per-UID entries for %s\n", + section_config_path); + return ret; + } + + ret = confdb_get_int(sctx->rctx->cdb, + section_config_path, + CONFDB_SEC_MAX_PAYLOAD_SIZE, + default_max_payload, + "a->max_payload_size); + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get payload's maximum size for an entry in %s\n", + section_config_path); + return ret; + } + + return EOK; +} + +static int sec_get_hive_config(struct sec_ctx *sctx, + const char *hive_name, + struct sec_hive_config *hive_config, + int default_max_containers_nest_level, + int default_max_num_secrets, + int default_max_num_uid_secrets, + int default_max_payload) +{ + int ret; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(sctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + hive_config->confdb_section = talloc_asprintf(sctx, + "config/secrets/%s", + hive_name); + if (hive_config->confdb_section == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sec_get_quota(sctx, + hive_config->confdb_section, + default_max_containers_nest_level, + default_max_num_secrets, + default_max_num_uid_secrets, + default_max_payload, + &hive_config->quota); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot read quota settings for %s [%d]: %s\n", + hive_name, ret, sss_strerror(ret)); + goto done; + } + + if (hive_config->quota.max_payload_size == 0 + || (sctx->max_payload_size != 0 + && hive_config->quota.max_payload_size > sctx->max_payload_size)) { + /* If the quota is unlimited or it's larger 
than what + * we already have, save the total limit so we know how much to + * accept from clients + */ + sctx->max_payload_size = hive_config->quota.max_payload_size; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int sec_get_config(struct sec_ctx *sctx) +{ + int ret; + + ret = confdb_get_int(sctx->rctx->cdb, + sctx->rctx->confdb_service_path, + CONFDB_SERVICE_FD_LIMIT, + DEFAULT_SEC_FD_LIMIT, + &sctx->fd_limit); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get file descriptors limit\n"); + goto fail; + } + + /* Set the global max_payload to ridiculously small value so that either 0 (unlimited) + * or any sensible value overwrite it + */ + sctx->max_payload_size = 1; + + /* Read the global quota first -- this should be removed in a future release */ + /* Note that this sets the defaults for the sec_config quota to be used + * in sec_get_hive_config() + */ + ret = sec_get_quota(sctx, + sctx->rctx->confdb_service_path, + DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + DEFAULT_SEC_MAX_SECRETS, + DEFAULT_SEC_MAX_UID_SECRETS, + DEFAULT_SEC_MAX_PAYLOAD_SIZE, + &sctx->sec_config.quota); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get legacy global quotas\n"); + goto fail; + } + + /* Read the per-hive configuration */ + ret = sec_get_hive_config(sctx, + "secrets", + &sctx->sec_config, + sctx->sec_config.quota.containers_nest_level, + sctx->sec_config.quota.max_secrets, + sctx->sec_config.quota.max_uid_secrets, + sctx->sec_config.quota.max_payload_size); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get configuration of the secrets hive\n"); + goto fail; + } + + ret = sec_get_hive_config(sctx, + "kcm", + &sctx->kcm_config, + DEFAULT_SEC_CONTAINERS_NEST_LEVEL, + DEFAULT_SEC_KCM_MAX_SECRETS, + DEFAULT_SEC_KCM_MAX_UID_SECRETS, + DEFAULT_SEC_KCM_MAX_PAYLOAD_SIZE); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to get configuration of the secrets hive\n"); + goto fail; + } + + ret = 
confdb_get_int(sctx->rctx->cdb, sctx->rctx->confdb_service_path, + CONFDB_RESPONDER_CLI_IDLE_TIMEOUT, + CONFDB_RESPONDER_CLI_IDLE_DEFAULT_TIMEOUT, + &sctx->rctx->client_idle_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot get the client idle timeout [%d]: %s\n", + ret, strerror(ret)); + goto fail; + } + + /* Ensure that the client timeout is at least ten seconds */ + if (sctx->rctx->client_idle_timeout < 10) { + sctx->rctx->client_idle_timeout = 10; + } + + ret = responder_setup_idle_timeout_config(sctx->rctx); + if (ret != EOK) { + goto fail; + } + + ret = EOK; + +fail: + return ret; +} + +static int sec_responder_ctx_destructor(void *ptr) +{ + struct resp_ctx *rctx = talloc_get_type(ptr, struct resp_ctx); + + /* mark that we are shutting down the responder, so it is propagated + * into underlying contexts that are freed right before rctx */ + DEBUG(SSSDBG_TRACE_FUNC, "Responder is being shut down\n"); + rctx->shutting_down = true; + + return 0; +} + +static int sec_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb) +{ + struct resp_ctx *rctx; + struct sec_ctx *sctx; + int ret; + + rctx = talloc_zero(mem_ctx, struct resp_ctx); + if (!rctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing resp_ctx\n"); + return ENOMEM; + } + rctx->ev = ev; + rctx->cdb = cdb; + rctx->sock_name = SSS_SEC_SOCKET_NAME; + rctx->confdb_service_path = CONFDB_SEC_CONF_ENTRY; + rctx->shutting_down = false; + rctx->lfd = -1; + rctx->priv_lfd = -1; + + talloc_set_destructor((TALLOC_CTX*)rctx, sec_responder_ctx_destructor); + + sctx = talloc_zero(rctx, struct sec_ctx); + if (!sctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing sec_ctx\n"); + ret = ENOMEM; + goto fail; + } + + sctx->rctx = rctx; + sctx->rctx->pvt_ctx = sctx; + + ret = sec_get_config(sctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error getting secrets config\n"); + goto fail; + } + + /* Set up file descriptor limits */ + 
responder_set_fd_limit(sctx->fd_limit); + + ret = activate_unix_sockets(rctx, sec_connection_setup); + if (ret != EOK) goto fail; + + DEBUG(SSSDBG_TRACE_FUNC, "Secrets Initialization complete\n"); + + return EOK; + +fail: + talloc_free(rctx); + return ret; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + umask(DFL_RSP_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = "sssd_secrets"; + + sss_set_logger(opt_logger); + + ret = server_setup("sssd[secrets]", 0, uid, gid, CONFDB_SEC_CONF_ENTRY, + &main_ctx); + if (ret != EOK) return 2; + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, + "Could not set up to exit when parent process does\n"); + } + + ret = sec_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx); + if (ret != EOK) return 3; + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} diff --git a/src/responder/secrets/secsrv.h b/src/responder/secrets/secsrv.h new file mode 100644 index 0000000..3023116 --- /dev/null +++ b/src/responder/secrets/secsrv.h 
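Review bot: `uid` and `gid` in `main()` are declared without initializers and passed straight to `server_setup()`. If `SSSD_SERVER_OPTS(uid, gid)` only registers them as popt targets (its definition is not part of this hunk), a start without those options reads indeterminate values for the identity the responder runs as. Initialize them at the declaration, e.g. `uid_t uid = 0;` and `gid_t gid = 0;`, or to whatever default the other responders use. Separately, the failure branch after the `"kcm"` call to `sec_get_hive_config()` logs "Failed to get configuration of the secrets hive", which will misdirect anyone reading the log; it should name the kcm hive.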
@@ -0,0 +1,59 @@ +/* + SSSD + + Secrets Responder, header file + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SECSRV_H__ +#define __SECSRV_H__ + +#include "config.h" + +#include +#include +#include +#include +#include + +struct sec_quota { + int max_secrets; + int max_uid_secrets; + int max_payload_size; + int containers_nest_level; +}; + +struct sec_hive_config { + const char *confdb_section; + + struct sec_quota quota; +}; + +struct sec_ctx { + struct resp_ctx *rctx; + int fd_limit; + + struct sec_hive_config sec_config; + struct sec_hive_config kcm_config; + int max_payload_size; + + struct provider_handle **providers; +}; + +int sec_connection_setup(struct cli_ctx *cctx); + +#endif /* __SECSRV_H__ */ diff --git a/src/responder/secrets/secsrv_cmd.c b/src/responder/secrets/secsrv_cmd.c new file mode 100644 index 0000000..9664d66 --- /dev/null +++ b/src/responder/secrets/secsrv_cmd.c 
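Review bot: The fields of `struct sec_quota` carry no comment on units or on the meaning of 0, and for `max_payload_size` that matters. secsrv.c in this patch treats 0 as unlimited and copies the largest hive value into `sec_ctx.max_payload_size`, which secsrv_cmd.c then compares against a running byte count of the request. I would add a comment above the field such as `/* upper bound on payload size; 0 = unlimited; unit: <confirm bytes vs KiB> */` and confirm that the quota checks in the providers (not visible here) use the same unit as the request-size check. The quota fields are plain `int` while `sec_req_ctx.max_payload_size` is `size_t`, so the comment should also say that negative values are not expected.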
@@ -0,0 +1,618 @@ +/* + SSSD + + Secrets Responder + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/secrets/secsrv.h" +#include "responder/secrets/secsrv_private.h" + + +/* ##### Request Handling ##### */ + +struct sec_http_request_state { + struct tevent_context *ev; + struct sec_req_ctx *secreq; +}; +static void sec_http_request_pipeline_done(struct tevent_req *subreq); + +static struct tevent_req *sec_http_request_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sec_req_ctx *secreq) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct sec_http_request_state *state; + struct provider_handle *provider_handle; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sec_http_request_state); + if (!req) return NULL; + + state->ev = ev; + state->secreq = secreq; + + /* Go through the pipeline */ + + /* 1. mapping and path conversion */ + ret = sec_req_routing(state, secreq, &provider_handle); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "sec_req_routing failed [%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + /* 2. 
backend invocation */ + subreq = provider_handle->fn(state, state->ev, + provider_handle->context, secreq); + if (!subreq) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sec_http_request_pipeline_done, req); + return req; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } + return tevent_req_post(req, state->ev); +} + +static void sec_http_request_pipeline_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + + /* 3. reply construction */ + ret = sec_provider_recv(subreq); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_LIBS, "Did not find the requested data\n"); + tevent_req_error(req, ret); + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sec request failed [%d]: %s\n", ret, sss_strerror(ret)); + tevent_req_error(req, ret); + } else { + DEBUG(SSSDBG_TRACE_INTERNAL, "sec request done\n"); + tevent_req_done(req); + } +} + +static int sec_http_request_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +/* --- */ + +static void +sec_http_request_done(struct tevent_req *req) +{ + struct sec_req_ctx *secreq; + struct cli_ctx *cctx; + int ret; + + secreq = tevent_req_callback_data(req, struct sec_req_ctx); + cctx = secreq->cctx; + + ret = sec_http_request_recv(req); + + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_LIBS, "Did not find the requested data\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sec_http_request_recv failed [%d]: %s\n", + ret, sss_strerror(ret)); + } + /* Always return an error if we get here */ + ret = sec_http_status_reply(secreq, &secreq->reply, + sec_errno_to_http_status(ret)); + } + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to find reply, aborting client!\n"); + talloc_free(cctx); + return; + } + + /* Turn writable on so we can write back the reply */ + TEVENT_FD_WRITEABLE(cctx->cfde); +} + +static void sec_cmd_execute(struct cli_ctx *cctx) +{ + 
struct sec_req_ctx *secreq; + struct tevent_req *req; + + secreq = talloc_get_type(cctx->state_ctx, struct sec_req_ctx); + + req = sec_http_request_send(secreq, cctx->ev, secreq); + if (!req) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to schedule secret retrieval\n."); + talloc_free(cctx); + return; + } + tevent_req_set_callback(req, sec_http_request_done, secreq); +} + + +/* ##### HTTP Parsing Callbacks ##### */ + +static void sec_append_string(TALLOC_CTX *memctx, char **dest, + const char *src, size_t len) +{ + if (*dest) { + *dest = talloc_strndup_append_buffer(*dest, src, len); + } else { + *dest = talloc_strndup(memctx, src, len); + } +} + +static bool sec_too_much_data(struct sec_req_ctx *req, size_t length) +{ + req->total_size += length; + if (req->max_payload_size > 0 + && req->total_size > req->max_payload_size) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Request too big, aborting client!\n"); + return true; + } + return false; +} + +static int sec_on_message_begin(http_parser *parser) +{ + DEBUG(SSSDBG_TRACE_INTERNAL, "HTTP Message parsing begins\n"); + + return 0; +} + +static int sec_on_url(http_parser *parser, + const char *at, size_t length) +{ + struct sec_req_ctx *req = + talloc_get_type(parser->data, struct sec_req_ctx); + + if (sec_too_much_data(req, length)) return -1; + + sec_append_string(req, &req->request_url, at, length); + if (!req->request_url) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to store URL, aborting client!\n"); + return -1; + } + return 0; +} + +static int sec_on_header_field(http_parser *parser, + const char *at, size_t length) +{ + struct sec_req_ctx *req = + talloc_get_type(parser->data, struct sec_req_ctx); + int n = req->num_headers; + + if (sec_too_much_data(req, length)) return -1; + + if (!req->headers) { + req->headers = talloc_zero_array(req, struct sec_kvp, 10); + } else if ((n % 10 == 0) && + (req->headers[n - 1].value)) { + req->headers = talloc_realloc(req, req->headers, + struct sec_kvp, n + 10); + if (req->headers) { + 
memset(&req->headers[n], 0, sizeof(struct sec_kvp) * 10); + } + } + if (!req->headers) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to store headers, aborting client!\n"); + return -1; + } + + if (!n || req->headers[n - 1].value) { + /* new field */ + n++; + } + sec_append_string(req->headers, &req->headers[n - 1].name, at, length); + if (!req->headers[n - 1].name) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to store header name, aborting client!\n"); + return -1; + } + + return 0; +} + +static int sec_on_header_value(http_parser *parser, + const char *at, size_t length) +{ + struct sec_req_ctx *req = + talloc_get_type(parser->data, struct sec_req_ctx); + int n = req->num_headers; + + if (sec_too_much_data(req, length)) return -1; + + if (!req->headers) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Invalid headers pointer, aborting client!\n"); + return -1; + } + + if (req->headers[n].name && !req->headers[n].value) { + /* we increment on new value */ + n = ++req->num_headers; + } + + sec_append_string(req->headers, &req->headers[n - 1].value, at, length); + if (!req->headers[n - 1].value) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to store header value, aborting client!\n"); + return -1; + } + + return 0; +} + +static int sec_on_headers_complete(http_parser *parser) +{ + /* TODO: if message has no body we should return 1 */ + return 0; +} + +static int sec_on_body(http_parser *parser, + const char *at, size_t length) +{ + struct sec_req_ctx *req = + talloc_get_type(parser->data, struct sec_req_ctx); + + if (sec_too_much_data(req, length)) return -1; + + sec_append_string(req, &req->body.data, at, length); + if (!req->body.data) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to store body, aborting client!\n"); + return -1; + } + req->body.length += length; + + return 0; +} + +static int sec_get_parsed_field(TALLOC_CTX *mem_ctx, int field, + struct http_parser_url *parsed, + char *source_buf, + char **dest) +{ + uint16_t off = parsed->field_data[field].off; + uint16_t len = 
parsed->field_data[field].len; + *dest = talloc_strndup(mem_ctx, &source_buf[off], len); + if (!*dest) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to parse url, aborting client!\n"); + return ENOMEM; + } + return EOK; +} + +static int sec_on_message_complete(http_parser *parser) +{ + struct sec_req_ctx *req = + talloc_get_type(parser->data, struct sec_req_ctx); + struct http_parser_url parsed; + int ret; + + /* parse url as well */ + ret = http_parser_parse_url(req->request_url, + strlen(req->request_url), + 0, &parsed); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to parse URL %s\n", req->request_url); + return ret; + } + + if (parsed.field_set & (1 << UF_SCHEMA)) { + ret = sec_get_parsed_field(req, UF_SCHEMA, &parsed, + req->request_url, + &req->parsed_url.schema); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve schema from %s\n", req->request_url); + return -1; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "schema: %s\n", req->parsed_url.schema); + } + + if (parsed.field_set & (1 << UF_HOST)) { + ret = sec_get_parsed_field(req, UF_HOST, &parsed, + req->request_url, + &req->parsed_url.host); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve host from %s\n", req->request_url); + return -1; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "host: %s\n", req->parsed_url.host); + } + + if (parsed.field_set & (1 << UF_PORT)) { + req->parsed_url.port = parsed.port; + DEBUG(SSSDBG_TRACE_INTERNAL, "port: %d\n", req->parsed_url.port); + } + + if (parsed.field_set & (1 << UF_PATH)) { + ret = sec_get_parsed_field(req, UF_PATH, &parsed, + req->request_url, + &req->parsed_url.path); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve path from %s\n", req->request_url); + return -1; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "path: %s\n", req->parsed_url.path); + } + + if (parsed.field_set & (1 << UF_QUERY)) { + ret = sec_get_parsed_field(req, UF_QUERY, &parsed, + req->request_url, + &req->parsed_url.query); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to 
retrieve query from %s\n", req->request_url); + return -1; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "query: %s\n", req->parsed_url.query); + } + + if (parsed.field_set & (1 << UF_FRAGMENT)) { + ret = sec_get_parsed_field(req, UF_FRAGMENT, &parsed, + req->request_url, + &req->parsed_url.fragment); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve fragment from %s\n", req->request_url); + return -1; + } + DEBUG(SSSDBG_TRACE_INTERNAL, + "fragment: %s\n", req->parsed_url.fragment); + } + + if (parsed.field_set & (1 << UF_USERINFO)) { + ret = sec_get_parsed_field(req, UF_USERINFO, &parsed, + req->request_url, + &req->parsed_url.userinfo); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to retrieve userinfo from %s\n", req->request_url); + return -1; + } + DEBUG(SSSDBG_TRACE_INTERNAL, + "userinfo: %s\n", req->parsed_url.userinfo); + } + + req->method = parser->method; + + req->complete = true; + DEBUG(SSSDBG_TRACE_INTERNAL, "parsing complete\n"); + + return 0; +} + + +/* ##### Communications ##### */ + +int sec_send_data(int fd, struct sec_data *data) +{ + ssize_t len; + errno_t ret; + + errno = 0; + len = send(fd, data->data, data->length, 0); + if (len == -1) { + if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) { + return EAGAIN; + } else { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "send failed [%d]: %s\n", ret, strerror(ret)); + return ret; + } + } + + if (len == 0) { + return EIO; + } + + data->length -= len; + data->data += len; + DEBUG(SSSDBG_TRACE_INTERNAL, "sent %zu bytes, %zu bytes remaining\n", + len, data->length); + return EOK; +} + +static void sec_send(struct cli_ctx *cctx) +{ + struct sec_req_ctx *req; + int ret; + + req = talloc_get_type(cctx->state_ctx, struct sec_req_ctx); + + ret = sec_send_data(cctx->cfd, &req->reply); + if (ret == EAGAIN) { + /* not all data was sent, loop again */ + return; + } + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to send data, aborting client!\n"); + talloc_free(cctx); + return; + 
} + + /* ok all sent */ + TEVENT_FD_NOT_WRITEABLE(cctx->cfde); + TEVENT_FD_READABLE(cctx->cfde); + talloc_zfree(cctx->state_ctx); + return; +} + +int sec_recv_data(int fd, struct sec_data *data) +{ + ssize_t len; + errno_t ret; + + errno = 0; + len = recv(fd, data->data, data->length, 0); + if (len == -1) { + if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) { + return EAGAIN; + } else { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "send failed [%d]: %s\n", ret, strerror(ret)); + return ret; + } + } + + if (len == 0) { + data->length = 0; + return ENODATA; + } + + data->length = len; + DEBUG(SSSDBG_TRACE_INTERNAL, "received %zu bytes\n", data->length); + return EOK; +} + +static void sec_recv(struct cli_ctx *cctx) +{ + struct sec_proto_ctx *prctx; + struct sec_req_ctx *req; + struct sec_ctx *sec_ctx = talloc_get_type(cctx->rctx->pvt_ctx, + struct sec_ctx); + char buffer[SEC_PACKET_MAX_RECV_SIZE]; + struct sec_data data = { buffer, + SEC_PACKET_MAX_RECV_SIZE }; + size_t len; + int ret; + + prctx = talloc_get_type(cctx->protocol_ctx, struct sec_proto_ctx); + req = talloc_get_type(cctx->state_ctx, struct sec_req_ctx); + if (!req) { + /* A new request comes in, setup data structures */ + req = talloc_zero(cctx, struct sec_req_ctx); + if (!req) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to setup request handlers, aborting client\n"); + talloc_free(cctx); + return; + } + req->cctx = cctx; + req->max_payload_size = sec_ctx->max_payload_size; + cctx->state_ctx = req; + http_parser_init(&prctx->parser, HTTP_REQUEST); + prctx->parser.data = req; + } + + ret = sec_recv_data(cctx->cfd, &data); + switch (ret) { + case ENODATA: + DEBUG(SSSDBG_TRACE_ALL, + "Client closed connection.\n"); + talloc_free(cctx); + return; + case EAGAIN: + DEBUG(SSSDBG_TRACE_ALL, + "Interrupted before any data could be read, retry later\n"); + return; + case EOK: + /* all fine */ + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to receive data (%d, %s), aborting client\n", + 
ret, sss_strerror(ret)); + talloc_free(cctx); + return; + } + + len = http_parser_execute(&prctx->parser, &prctx->callbacks, + data.data, data.length); + if (len != data.length) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to parse request, aborting client!\n"); + talloc_free(cctx); + return; + } + + if (!req->complete) { + return; + } + + /* do not read anymore, client is done sending */ + TEVENT_FD_NOT_READABLE(cctx->cfde); + + sec_cmd_execute(cctx); +} + +static void sec_fd_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *ptr) +{ + sss_client_fd_handler(ptr, sec_recv, sec_send, flags); +} + +static http_parser_settings sec_callbacks = { + .on_message_begin = sec_on_message_begin, + .on_url = sec_on_url, + .on_header_field = sec_on_header_field, + .on_header_value = sec_on_header_value, + .on_headers_complete = sec_on_headers_complete, + .on_body = sec_on_body, + .on_message_complete = sec_on_message_complete +}; + +int sec_connection_setup(struct cli_ctx *cctx) +{ + struct sec_proto_ctx *protocol_ctx; + + protocol_ctx = talloc_zero(cctx, struct sec_proto_ctx); + if (!protocol_ctx) return ENOMEM; + protocol_ctx->callbacks = sec_callbacks; + + cctx->protocol_ctx = protocol_ctx; + cctx->cfd_handler = sec_fd_handler; + return EOK; +} + +/* Dummy, not used here but required to link to other responder files */ +struct cli_protocol_version *register_cli_protocol_version(void) +{ + return NULL; +} diff --git a/src/responder/secrets/secsrv_local.h b/src/responder/secrets/secsrv_local.h new file mode 100644 index 0000000..1ec1a34 --- /dev/null +++ b/src/responder/secrets/secsrv_local.h 
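Review bot: `sec_on_header_field()` can index `req->headers[n - 1]` with `n == 0`. Once the array exists and `num_headers` is still 0 (a header name continued in a second callback before any value), the `else if ((n % 10 == 0) && (req->headers[n - 1].value))` test reads the element before the array. Guard it, e.g. `} else if (n > 0 && (n % 10 == 0) && req->headers[n - 1].value) {`. `sec_on_header_value()` has the mirror problem: it reads `req->headers[n].name` with `n == req->num_headers`, which is one past the allocation when `num_headers` has reached a multiple of 10 and the array has not been grown yet, so the capacity should be tracked and checked before that access. Both callbacks run on data received from the client socket, so these indexes need explicit bounds rather than relying on the `% 10` pattern.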
@@ -0,0 +1,28 @@ +/* + SSSD + + Secrets Proxy Provider + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SECSRV_LOCAL_H__ +#define __SECSRV_LOCAL_H__ + +int local_secrets_provider_handle(struct sec_ctx *sctx, + struct provider_handle **out_handle); + +#endif /* __SECSRV_LOCAL_H__ */ diff --git a/src/responder/secrets/secsrv_private.h b/src/responder/secrets/secsrv_private.h new file mode 100644 index 0000000..c4a0c57 --- /dev/null +++ b/src/responder/secrets/secsrv_private.h 
@@ -0,0 +1,160 @@ +/* + SSSD + + Secrets Responder, private header file + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SECSRV_PRIVATE_H__ +#define __SECSRV_PRIVATE_H__ + +#include "config.h" +#include "responder/common/responder.h" +#include "responder/secrets/secsrv.h" +#include "util/sss_iobuf.h" +#include + +struct sec_kvp { + char *name; + char *value; +}; + +struct sec_data { + char *data; + size_t length; +}; + +enum sec_http_status_codes { + STATUS_200 = 0, + STATUS_400, + STATUS_401, + STATUS_403, + STATUS_404, + STATUS_405, + STATUS_406, + STATUS_409, + STATUS_413, + STATUS_500, + STATUS_504, + STATUS_507, +}; + +struct sec_proto_ctx { + http_parser_settings callbacks; + http_parser parser; +}; + +struct sec_url { + char *schema; + char *host; + int port; + char *path; + char *query; + char *fragment; + char *userinfo; +}; + +struct sec_req_ctx { + struct cli_ctx *cctx; + const char *base_path; + const char *cfg_section; + bool complete; + + size_t total_size; + size_t max_payload_size; + + char *request_url; + char *mapped_path; + + enum http_method method; + struct sec_url parsed_url; + struct sec_kvp *headers; + int num_headers; + struct sec_data body; + + struct sec_data reply; +}; + +typedef struct tevent_req *(*sec_provider_req_t)(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + void *provider_ctx, + struct sec_req_ctx *secreq); + +struct 
provider_handle { + const char *name; + sec_provider_req_t fn; + void *context; +}; +int sec_get_provider(struct sec_ctx *sctx, const char *name, + struct provider_handle **out_handle); +int sec_add_provider(struct sec_ctx *sctx, struct provider_handle *handle); + +#define SEC_BASEPATH "/secrets/" +#define SEC_KCM_BASEPATH "/kcm/" + +/* The KCM responder must "impersonate" the owner of the credentials. + * Only a trusted UID can do that -- root by default, but unit + * tests might choose otherwise */ +#ifndef KCM_PEER_UID +#define KCM_PEER_UID 0 +#endif /* KCM_PEER_UID */ + +/* providers.c */ +int sec_req_routing(TALLOC_CTX *mem_ctx, struct sec_req_ctx *secreq, + struct provider_handle **handle); +int sec_provider_recv(struct tevent_req *subreq); + +int sec_http_append_header(TALLOC_CTX *mem_ctx, char **dest, + char *field, char *value); + +int sec_http_status_reply(TALLOC_CTX *mem_ctx, struct sec_data *reply, + enum sec_http_status_codes code); +int sec_http_reply_with_body(TALLOC_CTX *mem_ctx, struct sec_data *reply, + enum sec_http_status_codes code, + const char *content_type, + struct sec_data *body); +int sec_http_reply_with_headers(TALLOC_CTX *mem_ctx, struct sec_data *reply, + int status_code, const char *reason, + struct sec_kvp *headers, int num_headers, + struct sec_data *body); +errno_t sec_http_reply_iobuf(TALLOC_CTX *mem_ctx, + struct sec_data *reply, + int response_code, + struct sss_iobuf *response); +enum sec_http_status_codes sec_errno_to_http_status(errno_t err); + +int sec_json_to_simple_secret(TALLOC_CTX *mem_ctx, + const char *input, + char **secret); +int sec_simple_secret_to_json(TALLOC_CTX *mem_ctx, + const char *secret, + char **output); + +int sec_array_to_json(TALLOC_CTX *mem_ctx, + char **array, int count, + char **output); + +bool sec_req_has_header(struct sec_req_ctx *req, + const char *name, const char *value); + +/* secsrv_cmd.c */ +#define SEC_PACKET_MAX_RECV_SIZE 8192 + +int sec_send_data(int fd, struct sec_data *data); +int 
sec_recv_data(int fd, struct sec_data *data); + +#endif /* __SECSRV_PRIVATE_H__ */ diff --git a/src/responder/secrets/secsrv_proxy.h b/src/responder/secrets/secsrv_proxy.h new file mode 100644 index 0000000..cfce721 --- /dev/null +++ b/src/responder/secrets/secsrv_proxy.h @@ -0,0 +1,28 @@ +/* + SSSD + + Secrets Proxy Provider + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SECSRV_PROXY_H__ +#define __SECSRV_PROXY_H__ + +int proxy_secrets_provider_handle(struct sec_ctx *sctx, + struct provider_handle **out_handle); + +#endif /* __SECSRV_PROXY_H__ */ diff --git a/src/responder/ssh/ssh_cmd.c b/src/responder/ssh/ssh_cmd.c new file mode 100644 index 0000000..1b9aff2 --- /dev/null +++ b/src/responder/ssh/ssh_cmd.c 
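Review bot: `struct sec_data` does not say whether `length` is the number of valid bytes behind `data` or whether `data` is NUL-terminated, and the code in this patch already uses it both ways. `sec_on_body()` in secsrv_cmd.c stores the body through `sec_append_string()` (talloc string duplication, which stops at a NUL byte) while adding the raw callback length to `body.length`, so the two can disagree for a body containing a NUL. I would document the invariant on the struct, e.g. `/* data points to at least length valid bytes; not necessarily NUL-terminated */`, and have the body path copy by length so the invariant holds. Consumers of `body` are outside this hunk, so the impact of a mismatch needs to be checked there.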
@@ -0,0 +1,256 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include + +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/common/cache_req/cache_req.h" +#include "responder/ssh/ssh_private.h" + +struct ssh_cmd_ctx { + struct cli_ctx *cli_ctx; + const char *name; + const char *alias; + const char *domain; +}; + +static errno_t +ssh_check_non_sssd_user(const char *username) +{ + struct passwd *pwd; + + pwd = getpwnam(username); + if (pwd != NULL) { + DEBUG(SSSDBG_TRACE_ALL, "%s is a non-SSSD user\n", username); + return ERR_NON_SSSD_USER; + } + + return ENOENT; +} + + +static struct sss_domain_info * +ssh_get_result_domain(struct resp_ctx *rctx, + struct cache_req_result *result, + const char *name) +{ + if (result != NULL) { + return result->domain; + } + + return find_domain_by_name(rctx->domains, name, true); +} + +static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq); + +static errno_t ssh_cmd_get_user_pubkeys(struct cli_ctx *cli_ctx) +{ + struct ssh_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + errno_t ret; + + static const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, + SYSDB_USER_CERT, NULL }; + + cmd_ctx = talloc_zero(cli_ctx, struct ssh_cmd_ctx); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cmd_ctx->cli_ctx = cli_ctx; + + ret 
= ssh_protocol_parse_user(cli_ctx, cli_ctx->rctx->default_domain, + &cmd_ctx->name, &cmd_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Requesting SSH user public keys for [%s] from [%s]\n", + cmd_ctx->name, cmd_ctx->domain ? cmd_ctx->domain : ""); + + if (strcmp(cmd_ctx->name, "root") == 0) { + ret = ERR_NON_SSSD_USER; + goto done; + } + + subreq = cache_req_user_by_name_attrs_send(cmd_ctx, cli_ctx->ev, + cli_ctx->rctx, + cli_ctx->rctx->ncache, 0, + cmd_ctx->domain, + cmd_ctx->name, attrs); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ssh_cmd_get_user_pubkeys_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return ssh_protocol_done(cli_ctx, ret); + } + + return ret; +} + +static void ssh_cmd_get_user_pubkeys_done(struct tevent_req *subreq) +{ + struct cache_req_result *result; + struct ssh_cmd_ctx *cmd_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx); + + ret = cache_req_user_by_name_attrs_recv(cmd_ctx, subreq, &result); + talloc_zfree(subreq); + if (ret != EOK) { + if (ret == ENOENT) { + /* Check if it is a non SSSD user. 
*/ + ret = ssh_check_non_sssd_user(cmd_ctx->name); + } + + ssh_protocol_done(cmd_ctx->cli_ctx, ret); + goto done; + } + + ssh_protocol_reply(cmd_ctx->cli_ctx, result); + +done: + talloc_free(cmd_ctx); +} + +static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq); + +static errno_t ssh_cmd_get_host_pubkeys(struct cli_ctx *cli_ctx) +{ + struct ssh_cmd_ctx *cmd_ctx; + struct tevent_req *subreq; + errno_t ret; + + static const char *attrs[] = { SYSDB_NAME, SYSDB_SSH_PUBKEY, NULL }; + + cmd_ctx = talloc_zero(cli_ctx, struct ssh_cmd_ctx); + if (cmd_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + cmd_ctx->cli_ctx = cli_ctx; + + ret = ssh_protocol_parse_host(cli_ctx, &cmd_ctx->name, &cmd_ctx->alias, + &cmd_ctx->domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid request message!\n"); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Requesting SSH host public keys for [%s] from [%s]\n", + cmd_ctx->name, cmd_ctx->domain ? cmd_ctx->domain : ""); + + subreq = cache_req_host_by_name_send(cmd_ctx, cli_ctx->ev, + cli_ctx->rctx, + cli_ctx->rctx->ncache, 0, + cmd_ctx->domain, + cmd_ctx->name, + cmd_ctx->alias, attrs); + if (subreq == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, ssh_cmd_get_host_pubkeys_done, cmd_ctx); + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(cmd_ctx); + return ssh_protocol_done(cli_ctx, ret); + } + + return ret; +} + +static void ssh_cmd_get_host_pubkeys_done(struct tevent_req *subreq) +{ + struct cache_req_result *result = NULL; + struct sss_domain_info *domain; + struct ssh_cmd_ctx *cmd_ctx; + struct ssh_ctx *ssh_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(subreq, struct ssh_cmd_ctx); + ssh_ctx = talloc_get_type(cmd_ctx->cli_ctx->rctx->pvt_ctx, struct ssh_ctx); + + ret = cache_req_host_by_name_recv(cmd_ctx, subreq, &result); + talloc_zfree(subreq); + + if (ret == EOK || ret == ENOENT) { + domain = 
ssh_get_result_domain(ssh_ctx->rctx, result, cmd_ctx->domain); + + ssh_update_known_hosts_file(ssh_ctx->rctx->domains, domain, + cmd_ctx->name, ssh_ctx->hash_known_hosts, + ssh_ctx->known_hosts_timeout); + } + + if (ret != EOK) { + ssh_protocol_done(cmd_ctx->cli_ctx, ret); + goto done; + } + + ssh_protocol_reply(cmd_ctx->cli_ctx, result); + +done: + talloc_free(cmd_ctx); +} + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version ssh_cli_protocol_version[] = { + {0, NULL, NULL} + }; + + return ssh_cli_protocol_version; +} + +struct sss_cmd_table *get_ssh_cmds(void) { + static struct sss_cmd_table ssh_cmds[] = { + {SSS_GET_VERSION, sss_cmd_get_version}, + {SSS_SSH_GET_USER_PUBKEYS, ssh_cmd_get_user_pubkeys}, + {SSS_SSH_GET_HOST_PUBKEYS, ssh_cmd_get_host_pubkeys}, + {SSS_CLI_NULL, NULL} + }; + + return ssh_cmds; +} diff --git a/src/responder/ssh/ssh_known_hosts.c b/src/responder/ssh/ssh_known_hosts.c new file mode 100644 index 0000000..ca08722 --- /dev/null +++ b/src/responder/ssh/ssh_known_hosts.c 
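Review bot: In ssh_cmd_get_host_pubkeys_done the return value of ssh_update_known_hosts_file() is discarded, so a failed rewrite of the known hosts file (write, fchmod or rename error) goes unnoticed by the responder. That file is what clients later use for host key verification, so a stale copy can keep listing keys that have expired or changed. Since `ret` still carries the cache_req result that is checked right after, I would keep the outcome in a separate variable and log it: `kh_ret = ssh_update_known_hosts_file(...);` followed by `if (kh_ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to update known hosts file [%d]: %s\n", kh_ret, sss_strerror(kh_ret)); }`. The same function also dereferences `ssh_ctx` from talloc_get_type() without a NULL check.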
@@ -0,0 +1,329 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/sss_ssh.h" +#include "db/sysdb.h" +#include "db/sysdb_ssh.h" +#include "responder/ssh/ssh_private.h" + +static char * +ssh_host_pubkeys_format_known_host_plain(TALLOC_CTX *mem_ctx, + struct sss_ssh_ent *ent) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + char *name, *pubkey; + char *result = NULL; + size_t i; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return NULL; + } + + name = talloc_strdup(tmp_ctx, ent->name); + if (!name) { + goto done; + } + + for (i = 0; i < ent->num_aliases; i++) { + name = talloc_asprintf_append(name, ",%s", ent->aliases[i]); + if (!name) { + goto done; + } + } + + result = talloc_strdup(tmp_ctx, ""); + if (!result) { + goto done; + } + + for (i = 0; i < ent->num_pubkeys; i++) { + ret = sss_ssh_format_pubkey(tmp_ctx, &ent->pubkeys[i], &pubkey); + if (ret != EOK) { + result = NULL; + goto done; + } + + result = talloc_asprintf_append(result, "%s %s\n", name, pubkey); + if (!result) { + goto done; + } + + talloc_free(pubkey); + } + + talloc_steal(mem_ctx, result); + +done: + talloc_free(tmp_ctx); + + return result; +} + +static char * +ssh_host_pubkeys_format_known_host_hashed(TALLOC_CTX *mem_ctx, + struct sss_ssh_ent *ent) +{ + TALLOC_CTX *tmp_ctx; + 
errno_t ret; + char *name, *pubkey, *saltstr, *hashstr, *result; + unsigned char salt[SSS_SHA1_LENGTH], hash[SSS_SHA1_LENGTH]; + size_t i, j, k; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return NULL; + } + + result = talloc_strdup(tmp_ctx, ""); + if (!result) { + goto done; + } + + for (i = 0; i < ent->num_pubkeys; i++) { + ret = sss_ssh_format_pubkey(tmp_ctx, &ent->pubkeys[i], &pubkey); + if (ret != EOK) { + result = NULL; + goto done; + } + + for (j = 0; j <= ent->num_aliases; j++) { + name = (j == 0 ? ent->name : ent->aliases[j-1]); + + for (k = 0; k < SSS_SHA1_LENGTH; k++) { + salt[k] = rand(); + } + + ret = sss_hmac_sha1(salt, SSS_SHA1_LENGTH, + (unsigned char *)name, strlen(name), + hash); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_hmac_sha1() failed (%d): %s\n", + ret, strerror(ret)); + result = NULL; + goto done; + } + + saltstr = sss_base64_encode(tmp_ctx, salt, SSS_SHA1_LENGTH); + if (!saltstr) { + result = NULL; + goto done; + } + + hashstr = sss_base64_encode(tmp_ctx, hash, SSS_SHA1_LENGTH); + if (!hashstr) { + result = NULL; + goto done; + } + + result = talloc_asprintf_append(result, "|1|%s|%s %s\n", + saltstr, hashstr, pubkey); + if (!result) { + goto done; + } + + talloc_free(saltstr); + talloc_free(hashstr); + } + + talloc_free(pubkey); + } + + talloc_steal(mem_ctx, result); + +done: + talloc_free(tmp_ctx); + + return result; +} + +static errno_t +ssh_write_known_hosts(struct sss_domain_info *domains, + bool hash_known_hosts, + time_t now, + int fd) +{ + TALLOC_CTX *tmp_ctx; + struct sss_domain_info *dom; + struct ldb_message **hosts; + struct sysdb_ctx *sysdb; + struct sss_ssh_ent *ent; + char *entstr; + size_t num_hosts; + size_t i; + ssize_t wret; + errno_t ret; + + static const char *attrs[] = { + SYSDB_NAME, + SYSDB_NAME_ALIAS, + SYSDB_SSH_PUBKEY, + NULL + }; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n"); + return ENOMEM; + } + + for (dom = domains; dom != NULL; 
dom = get_next_domain(dom, false)) { + sysdb = dom->sysdb; + if (sysdb == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Fatal: Sysdb CTX not found for this domain!\n"); + ret = EFAULT; + goto done; + } + + ret = sysdb_get_ssh_known_hosts(tmp_ctx, dom, now, attrs, + &hosts, &num_hosts); + if (ret == ENOENT) { + continue; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Host search failed for domain " + "%s [%d]: %s\n", dom->name, ret, sss_strerror(ret)); + continue; + } + + for (i = 0; i < num_hosts; i++) { + ret = sss_ssh_make_ent(tmp_ctx, hosts[i], &ent); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to get SSH host public keys\n"); + continue; + } + + if (hash_known_hosts) { + entstr = ssh_host_pubkeys_format_known_host_hashed(ent, ent); + } else { + entstr = ssh_host_pubkeys_format_known_host_plain(ent, ent); + } + + if (entstr == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to format known_hosts data " + "for [%s]\n", ent->name); + continue; + } + + wret = sss_atomic_write_s(fd, entstr, strlen(entstr)); + if (wret == -1) { + ret = errno; + goto done; + } + + talloc_free(ent); + } + + talloc_free(hosts); + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +errno_t +ssh_update_known_hosts_file(struct sss_domain_info *domains, + struct sss_domain_info *domain, + const char *name, + bool hash_known_hosts, + int known_hosts_timeout) +{ + TALLOC_CTX *tmp_ctx; + char *filename; + errno_t ret; + time_t now; + int fd = -1; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n"); + return ENOMEM; + } + + now = time(NULL); + + /* Update host's expiration time. */ + if (domain != NULL) { + ret = sysdb_update_ssh_known_host_expire(domain, name, now, + known_hosts_timeout); + if (ret != EOK && ret != ENOENT) { + goto done; + } + } + + /* Create temporary known hosts file. 
*/ + filename = talloc_strdup(tmp_ctx, SSS_SSH_KNOWN_HOSTS_TEMP_TMPL); + if (filename == NULL) { + ret = ENOMEM; + goto done; + } + + fd = sss_unique_file_ex(tmp_ctx, filename, 0133, &ret); + if (fd == -1) { + filename = NULL; + goto done; + } + + /* Write contents. */ + ret = ssh_write_known_hosts(domains, hash_known_hosts, now, fd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write known hosts file " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + + /* Rename to SSH known hosts file. */ + ret = fchmod(fd, 0644); + if (ret == -1) { + ret = errno; + goto done; + } + + ret = rename(filename, SSS_SSH_KNOWN_HOSTS_PATH); + if (ret == -1) { + ret = errno; + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + if (fd != -1) { + close(fd); + } + + return ret; +} diff --git a/src/responder/ssh/ssh_private.h b/src/responder/ssh/ssh_private.h new file mode 100644 index 0000000..a369fc8 --- /dev/null +++ b/src/responder/ssh/ssh_private.h 
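Review bot: The per-entry salt in ssh_host_pubkeys_format_known_host_hashed is filled byte by byte with `salt[k] = rand();`, a non-cryptographic generator, and no seeding is visible in this file. The salt is stored in clear next to the hash, so it only has to be unique and not guessable in advance; a repeating rand() sequence lets hostname hashes be precomputed, which undercuts what hash_known_hosts is for. I would fill the whole `salt` buffer in one call from the crypto backend's or the kernel's random source, treat a failure like the other error paths (`result = NULL; goto done;`), and add a comment such as `/* salt is public but must be unpredictable: take it from a CSPRNG */`.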
@@ -0,0 +1,84 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSHSRV_PRIVATE_H_ +#define _SSHSRV_PRIVATE_H_ + +#include "responder/common/responder.h" +#include "responder/common/cache_req/cache_req.h" + +#define SSS_SSH_KNOWN_HOSTS_PATH PUBCONF_PATH"/known_hosts" +#define SSS_SSH_KNOWN_HOSTS_TEMP_TMPL PUBCONF_PATH"/.known_hosts.XXXXXX" + +struct ssh_ctx { + struct resp_ctx *rctx; + struct sss_names_ctx *snctx; + + bool hash_known_hosts; + int known_hosts_timeout; + char *ca_db; + bool use_cert_keys; +}; + +struct sss_cmd_table *get_ssh_cmds(void); + +errno_t +ssh_protocol_parse_user(struct cli_ctx *cli_ctx, + const char *default_domain, + const char **_name, + const char **_domain); + +errno_t +ssh_protocol_parse_host(struct cli_ctx *cli_ctx, + const char **_name, + const char **_alias, + const char **_domain); + +void ssh_protocol_reply(struct cli_ctx *cli_ctx, + struct cache_req_result *result); + +errno_t +ssh_protocol_done(struct cli_ctx *cli_ctx, errno_t error); + +struct tevent_req * ssh_get_output_keys_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_ctx *cli_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg); + +errno_t ssh_get_output_keys_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct sized_string *name, + struct ldb_message_element ***elements, + uint32_t *num_keys); + +errno_t 
+ssh_protocol_build_reply(struct sss_packet *packet, + struct sized_string name, + struct ldb_message_element **elements, + uint32_t num_keys); + +errno_t +ssh_update_known_hosts_file(struct sss_domain_info *domains, + struct sss_domain_info *domain, + const char *name, + bool hash_known_hosts, + int known_hosts_timeout); + +#endif /* _SSHSRV_PRIVATE_H_ */ diff --git a/src/responder/ssh/ssh_protocol.c b/src/responder/ssh/ssh_protocol.c new file mode 100644 index 0000000..5a9081b --- /dev/null +++ b/src/responder/ssh/ssh_protocol.c 
@@ -0,0 +1,252 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#include "util/util.h" +#include "util/sss_ssh.h" +#include "responder/common/responder.h" +#include "responder/common/responder_packet.h" +#include "responder/common/cache_req/cache_req.h" +#include "responder/ssh/ssh_private.h" + +errno_t +ssh_protocol_done(struct cli_ctx *cli_ctx, errno_t error) +{ + struct cli_protocol *pctx; + errno_t ret; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + switch (error) { + case EOK: + /* Create empty packet if none was provided. 
*/ + if (pctx->creq->out == NULL) { + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + goto done; + } + + sss_packet_set_error(pctx->creq->out, EOK); + } + + DEBUG(SSSDBG_TRACE_ALL, "Sending reply: success\n"); + ret = EOK; + goto done; + default: + DEBUG(SSSDBG_TRACE_ALL, "Sending reply: error [%d]: %s\n", + error, sss_strerror(error)); + ret = sss_cmd_send_error(cli_ctx, error); + goto done; + } + +done: + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send reply [%d]: %s!\n", + ret, sss_strerror(ret)); + return ret; + } + + sss_cmd_done(cli_ctx, NULL); + return EOK; +} + +static void got_ssh_keys(struct tevent_req *req); +void ssh_protocol_reply(struct cli_ctx *cli_ctx, + struct cache_req_result *result) +{ + errno_t ret; + struct tevent_req *req; + + /* Make sure we have the results around until the end of the request. To + * avoid copying and memory allocation the keys and certificates from the + * result will be referenced during the next requests, so they should not + * be freed too early. 
*/ + result = talloc_steal(cli_ctx, result); + + req = ssh_get_output_keys_send(cli_ctx, cli_ctx->ev, cli_ctx, + result->domain, result->msgs[0]); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_get_output_keys_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(req, got_ssh_keys, cli_ctx); + + return; + +done: + ssh_protocol_done(cli_ctx, ret); +} + +static void got_ssh_keys(struct tevent_req *req) +{ + errno_t ret; + struct cli_ctx *cli_ctx = tevent_req_callback_data(req, struct cli_ctx); + struct cli_protocol *pctx; + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + struct ldb_message_element **elements; + uint32_t num_keys; + struct sized_string name; + + ret = ssh_get_output_keys_recv(req, cli_ctx, &name, &elements, &num_keys); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_get_output_keys_revc failed"); + goto done; + } + + ret = sss_packet_new(pctx->creq, 0, sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + goto done; + } + + ret = ssh_protocol_build_reply(pctx->creq->out, name, elements, num_keys); + if (ret != EOK) { + goto done; + } + + sss_packet_set_error(pctx->creq->out, EOK); + +done: + ssh_protocol_done(cli_ctx, ret); +} + +static errno_t +ssh_protocol_parse_request(struct cli_ctx *cli_ctx, + const char *default_domain, + const char **_name, + const char **_alias, + const char **_domain) +{ + struct cli_protocol *pctx; + const char *name = NULL; + const char *alias = NULL; + const char *domain = NULL; + uint32_t flags; + uint32_t name_len; + uint32_t alias_len; + uint32_t domain_len; + size_t body_len; + uint8_t *body; + size_t c = 0; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + sss_packet_get_body(pctx->creq->in, &body, &body_len); + + SAFEALIGN_COPY_UINT32_CHECK(&flags, body + c, body_len, &c); + if (flags & ~(uint32_t)SSS_SSH_REQ_MASK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid flags received [0x%x]\n", flags); + 
return EINVAL; + } + + SAFEALIGN_COPY_UINT32_CHECK(&name_len, body + c, body_len, &c); + if (name_len == 0 || name_len > body_len - c) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid name length\n"); + return EINVAL; + } + + name = (const char *)(body + c); + if (!sss_utf8_check((const uint8_t *)name, name_len-1) || + name[name_len - 1] != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Name is not valid UTF-8 string\n"); + return EINVAL; + } + c += name_len; + + if (flags & SSS_SSH_REQ_ALIAS) { + SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body + c, body_len, &c); + if (alias_len == 0 || alias_len > body_len - c) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid alias length\n"); + return EINVAL; + } + + alias = (const char *)(body+c); + if (!sss_utf8_check((const uint8_t *)alias, alias_len - 1) || + alias[alias_len - 1] != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Alias is not valid UTF-8 string\n"); + return EINVAL; + } + c += alias_len; + } + + if (flags & SSS_SSH_REQ_DOMAIN) { + SAFEALIGN_COPY_UINT32_CHECK(&domain_len, body + c, body_len, &c); + if (domain_len > 0) { + if (domain_len > body_len - c) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid domain length\n"); + return EINVAL; + } + + domain = (const char *)(body + c); + if (!sss_utf8_check((const uint8_t *)domain, domain_len - 1) || + domain[domain_len - 1] != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Domain is not valid UTF-8 string\n"); + return EINVAL; + } + c += domain_len; + } else { + domain = default_domain; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Requested domain [%s]\n", domain ? 
domain : ""); + } + + if (_name != NULL) { + *_name = name; + } + + if (_alias != NULL) { + *_alias = alias; + } + + if (_domain != NULL) { + *_domain = domain; + } + + return EOK; +} + +errno_t +ssh_protocol_parse_user(struct cli_ctx *cli_ctx, + const char *default_domain, + const char **_name, + const char **_domain) +{ + return ssh_protocol_parse_request(cli_ctx, default_domain, + _name, NULL, _domain); +} + +errno_t +ssh_protocol_parse_host(struct cli_ctx *cli_ctx, + const char **_name, + const char **_alias, + const char **_domain) +{ + return ssh_protocol_parse_request(cli_ctx, NULL, _name, _alias, _domain); +} diff --git a/src/responder/ssh/ssh_reply.c b/src/responder/ssh/ssh_reply.c new file mode 100644 index 0000000..a8a26da --- /dev/null +++ b/src/responder/ssh/ssh_reply.c 
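Review bot: ssh_protocol_parse_request returns `_name`, `_alias` and `_domain` as pointers into the request body obtained from sss_packet_get_body(), not as copies, and nothing in the file documents that. The callers in ssh_cmd.c store these pointers in a context that is read again in an asynchronous callback, so their lifetime depends on the input packet staying allocated. I would add a header comment giving the wire layout (flags, name length and name, then optional alias and domain, each length-prefixed and NUL-terminated) and the contract, e.g. `/* Returned strings alias pctx->creq->in and are valid only as long as the request packet is. */`. The parser also returns EOK without comparing `c` to `body_len`, so trailing bytes after the last field are accepted; if no client depends on that, `if (c != body_len) return EINVAL;` before the output assignments would make it strict.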
@@ -0,0 +1,408 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/sss_ssh.h" +#include "util/cert.h" +#include "responder/common/responder.h" +#include "responder/common/responder_packet.h" +#include "responder/common/cache_req/cache_req.h" +#include "responder/ssh/ssh_private.h" + +/* Locally used flag for libldb's ldb_message_element structure to indicate + * binary data. Since the related data is only used in memory it is safe. If + * should be used with care if libldb's I/O operations are involved. */ +#define SSS_EL_FLAG_BIN_DATA (1<<4) + +static errno_t decode_and_add_base64_data(struct sss_packet *packet, + struct ldb_message_element *el, + bool skip_base64_decode, + size_t fqname_len, + const char *fqname, + size_t *c) +{ + uint8_t *key; + size_t key_len; + uint8_t *body; + size_t body_len; + int ret; + size_t d; + TALLOC_CTX *tmp_ctx; + + if (el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "Mssing element, nothing to do.\n"); + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + for (d = 0; d < el->num_values; d++) { + if (el->values[d].length == 0 && el->values[d].data == NULL) { + /* skip empty keys, e.g. 
due to invalid certificate */ + continue; + } + if (skip_base64_decode || (el->flags & SSS_EL_FLAG_BIN_DATA)) { + key = el->values[d].data; + key_len = el->values[d].length; + } else { + key = sss_base64_decode(tmp_ctx, (const char *) el->values[d].data, + &key_len); + if (key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + ret = ENOMEM; + goto done; + } + } + + ret = sss_packet_grow(packet, + 3*sizeof(uint32_t) + key_len + fqname_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_packet_grow failed.\n"); + goto done; + } + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(body+(*c), 0, c); + SAFEALIGN_SET_UINT32(body+(*c), fqname_len, c); + safealign_memcpy(body+(*c), fqname, fqname_len, c); + SAFEALIGN_SET_UINT32(body+(*c), key_len, c); + safealign_memcpy(body+(*c), key, key_len, c); + + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +struct ssh_get_output_keys_state { + struct tevent_context *ev; + struct cli_ctx *cli_ctx; + struct ldb_message *msg; + char *cert_verification_opts; + int p11_child_timeout; + struct ssh_ctx *ssh_ctx; + struct ldb_message_element *user_cert; + struct ldb_message_element *user_cert_override; + struct ldb_message_element *current_cert; + + const char *name; + struct ldb_message_element **elements; + uint32_t num_keys; + size_t iter; +}; + +void ssh_get_output_keys_done(struct tevent_req *subreq); + +struct tevent_req *ssh_get_output_keys_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct cli_ctx *cli_ctx, + struct sss_domain_info *domain, + struct ldb_message *msg) +{ + struct tevent_req *req; + struct tevent_req *subreq; + errno_t ret; + struct ssh_get_output_keys_state *state; + + req = tevent_req_create(mem_ctx, &state, struct ssh_get_output_keys_state); + if (req == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->ev = ev; + state->cli_ctx = cli_ctx; + state->msg = msg; + state->num_keys = 0; + 
state->iter = 0; + state->ssh_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct ssh_ctx); + if (state->ssh_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing ssh responder context.\n"); + ret = EINVAL; + goto done; + } + + state->name = ldb_msg_find_attr_as_string(state->msg, SYSDB_NAME, NULL); + if (state->name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing name.\n"); + ret = EINVAL; + goto done; + } + + state->elements = talloc_zero_array(state, struct ldb_message_element *, 6); + if (state->elements == NULL) { + ret = ENOMEM; + goto done; + } + + state->elements[state->iter] = ldb_msg_find_element(state->msg, + SYSDB_SSH_PUBKEY); + if (state->elements[state->iter] != NULL) { + state->num_keys += state->elements[state->iter]->num_values; + state->iter++; + } + + state->elements[state->iter] = ldb_msg_find_element(state->msg, + ORIGINALAD_PREFIX SYSDB_SSH_PUBKEY); + if (state->elements[state->iter] != NULL) { + state->num_keys += state->elements[state->iter]->num_values; + state->iter++; + } + + if (DOM_HAS_VIEWS(domain)) { + state->elements[state->iter] = ldb_msg_find_element(state->msg, + OVERRIDE_PREFIX SYSDB_SSH_PUBKEY); + if (state->elements[state->iter] != NULL) { + state->num_keys += state->elements[state->iter]->num_values; + state->iter++; + } + } + + if (!state->ssh_ctx->use_cert_keys) { + DEBUG(SSSDBG_TRACE_ALL, "Skipping keys from certificates.\n"); + ret = EOK; + goto done; + } + + ret = confdb_get_string(cli_ctx->rctx->cdb, state, + CONFDB_MONITOR_CONF_ENTRY, + CONFDB_MONITOR_CERT_VERIFICATION, NULL, + &state->cert_verification_opts); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read verification options from confdb: [%d] %s\n", + ret, sss_strerror(ret)); + goto done; + } + + state->p11_child_timeout = -1; + ret = confdb_get_int(cli_ctx->rctx->cdb, CONFDB_SSH_CONF_ENTRY, + CONFDB_PAM_P11_CHILD_TIMEOUT, -1, + &state->p11_child_timeout); + if (ret != EOK || state->p11_child_timeout == -1) { + /* check pam configuration as well or 
use default */ + ret = confdb_get_int(cli_ctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_P11_CHILD_TIMEOUT, + P11_CHILD_TIMEOUT_DEFAULT, + &state->p11_child_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to read p11_child_timeout from confdb: [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + state->user_cert = ldb_msg_find_element(state->msg, SYSDB_USER_CERT); + if (DOM_HAS_VIEWS(domain)) { + state->user_cert_override = ldb_msg_find_element(state->msg, + OVERRIDE_PREFIX SYSDB_USER_CERT); + } + + if (state->user_cert == NULL && state->user_cert_override == NULL) { + /* no certificates to convert, we are done */ + ret = EOK; + goto done; + } + + state->current_cert = state->user_cert != NULL ? state->user_cert + : state->user_cert_override; + + subreq = cert_to_ssh_key_send(state, state->ev, -1, + state->p11_child_timeout, + state->ssh_ctx->ca_db, + state->current_cert->num_values, + state->current_cert->values, + state->cert_verification_opts); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ssh_get_output_keys_done, req); + + ret = EAGAIN; + +done: + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + } + + return req; +} + +void ssh_get_output_keys_done(struct tevent_req *subreq) +{ + struct tevent_req *req = tevent_req_callback_data(subreq, + struct tevent_req); + struct ssh_get_output_keys_state *state = tevent_req_data(req, + struct ssh_get_output_keys_state); + int ret; + struct ldb_val *keys; + size_t valid_keys; + + ret = cert_to_ssh_key_recv(subreq, state, &keys, &valid_keys); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key request failed.\n"); + tevent_req_error(req, ret); + return; + } + + state->elements[state->iter] = talloc_zero(state->elements, + struct ldb_message_element); + if 
(state->elements[state->iter] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); + ret = ENOMEM; + goto done; + } + state->elements[state->iter]->values = talloc_steal( + state->elements[state->iter], + keys); + state->elements[state->iter]->num_values = state->current_cert->num_values; + state->elements[state->iter]->flags |= SSS_EL_FLAG_BIN_DATA; + state->num_keys += valid_keys; + + if (state->current_cert == state->user_cert) { + state->current_cert = state->user_cert_override; + } else if (state->current_cert == state->user_cert_override) { + state->current_cert = NULL; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected certificate pointer.\n"); + tevent_req_error(req, EINVAL); + return; + } + + if (state->current_cert == NULL) { + /* done */ + ret = EOK; + goto done; + } + + subreq = cert_to_ssh_key_send(state, state->ev, -1, + state->p11_child_timeout, + state->ssh_ctx->ca_db, + state->current_cert->num_values, + state->current_cert->values, + state->cert_verification_opts); + if (subreq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "cert_to_ssh_key_send failed.\n"); + ret = ENOMEM; + goto done; + } + tevent_req_set_callback(subreq, ssh_get_output_keys_done, req); + return; +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + + return; +} + +errno_t ssh_get_output_keys_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct sized_string *name, + struct ldb_message_element ***elements, + uint32_t *num_keys) +{ + struct ssh_get_output_keys_state *state = tevent_req_data(req, + struct ssh_get_output_keys_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (name != NULL) { + name->str = talloc_strdup(mem_ctx, state->name); + name->len = strlen(name->str) + 1; + } + + if (elements != NULL) { + *elements = talloc_steal(mem_ctx, state->elements); + } + + if (num_keys != NULL) { + *num_keys = state->num_keys; + } + + return EOK; +} + +errno_t +ssh_protocol_build_reply(struct sss_packet *packet, + struct 
sized_string name, + struct ldb_message_element **elements, + uint32_t num_keys) +{ + size_t body_len; + uint8_t *body; + size_t c = 0; + errno_t ret; + int i; + + ret = sss_packet_grow(packet, 2 * sizeof(uint32_t)); + if (ret != EOK) { + goto done; + } + + sss_packet_get_body(packet, &body, &body_len); + + SAFEALIGN_SET_UINT32(&body[c], num_keys, &c); + SAFEALIGN_SET_UINT32(&body[c], 0, &c); + + if (num_keys == 0) { + ret = EOK; + goto done; + } + + for (i = 0; elements[i] != NULL; i++) { + ret = decode_and_add_base64_data(packet, elements[i], false, + name.len, name.str, &c); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "decode_and_add_base64_data failed.\n"); + goto done; + } + } + + ret = EOK; + +done: + + return ret; +} diff --git a/src/responder/ssh/sshsrv.c b/src/responder/ssh/sshsrv.c new file mode 100644 index 0000000..9f1f618 --- /dev/null +++ b/src/responder/ssh/sshsrv.c 
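Review bot: ssh_get_output_keys_done stores the converted certificate keys in `state->elements[state->iter]` but never advances `state->iter`. When both `user_cert` and `user_cert_override` are present, the second callback therefore appears to overwrite the slot written by the first, while `state->num_keys` has already counted both sets. ssh_protocol_build_reply then writes a `num_keys` header that may exceed the number of keys actually appended to the packet. Adding `state->iter++;` after `state->num_keys += valid_keys;` keeps the two in step, and the six-slot array still leaves room for the NULL terminator. Separately, ssh_get_output_keys_recv calls `strlen(name->str)` on the result of talloc_strdup() without a NULL check; `if (name->str == NULL) return ENOMEM;` should come first.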
@@ -0,0 +1,256 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "monitor/monitor_interfaces.h" +#include "responder/common/responder.h" +#include "responder/common/responder_sbus.h" +#include "responder/ssh/ssh_private.h" +#include "providers/data_provider.h" + +struct mon_cli_iface monitor_ssh_methods = { + { &mon_cli_iface_meta, 0 }, + .resInit = monitor_common_res_init, + .goOffline = NULL, + .resetOffline = NULL, + .rotateLogs = responder_logrotate, + .clearMemcache = NULL, + .clearEnumCache = NULL, + .sysbusReconnect = NULL, +}; + +static void ssh_dp_reconnect_init(struct sbus_connection *conn, + int status, void *pvt) +{ + struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn); + int ret; + + /* Did we reconnect successfully? 
*/ + if (status == SBUS_RECONNECT_SUCCESS) { + DEBUG(SSSDBG_TRACE_FUNC, "Reconnected to the Data Provider.\n"); + + /* Identify ourselves to the data provider */ + ret = rdp_register_client(be_conn, "SSH"); + /* all fine */ + if (ret == EOK) { + handle_requests_after_reconnect(be_conn->rctx); + return; + } + } + + /* Failed to reconnect */ + DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n", + be_conn->domain->name); +} + +int ssh_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb) +{ + struct resp_ctx *rctx; + struct sss_cmd_table *ssh_cmds; + struct ssh_ctx *ssh_ctx; + struct be_conn *iter; + int ret; + int max_retries; + + ssh_cmds = get_ssh_cmds(); + ret = sss_process_init(mem_ctx, ev, cdb, + ssh_cmds, + SSS_SSH_SOCKET_NAME, -1, NULL, -1, + CONFDB_SSH_CONF_ENTRY, + SSS_SSH_SBUS_SERVICE_NAME, + SSS_SSH_SBUS_SERVICE_VERSION, + &monitor_ssh_methods, + "SSH", + NULL, + sss_connection_setup, + &rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n"); + return ret; + } + + ssh_ctx = talloc_zero(rctx, struct ssh_ctx); + if (!ssh_ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing ssh_ctx\n"); + ret = ENOMEM; + goto fail; + } + + ssh_ctx->rctx = rctx; + ssh_ctx->rctx->pvt_ctx = ssh_ctx; + + ret = sss_names_init_from_args(ssh_ctx, + "(?P[^@]+)@?(?P[^@]*$)", + "%1$s@%2$s", &ssh_ctx->snctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing regex data\n"); + goto fail; + } + + /* Enable automatic reconnection to the Data Provider */ + ret = confdb_get_int(ssh_ctx->rctx->cdb, + CONFDB_SSH_CONF_ENTRY, + CONFDB_SERVICE_RECON_RETRIES, + 3, &max_retries); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up automatic reconnection\n"); + goto fail; + } + + for (iter = ssh_ctx->rctx->be_conns; iter; iter = iter->next) { + sbus_reconnect_init(iter->conn, max_retries, + ssh_dp_reconnect_init, iter); + } + + /* Get responder options */ + + /* 
Get ssh_hash_known_hosts option */ + ret = confdb_get_bool(ssh_ctx->rctx->cdb, + CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_HASH_KNOWN_HOSTS, + CONFDB_DEFAULT_SSH_HASH_KNOWN_HOSTS, + &ssh_ctx->hash_known_hosts); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + /* Get ssh_known_hosts_timeout option */ + ret = confdb_get_int(ssh_ctx->rctx->cdb, + CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_KNOWN_HOSTS_TIMEOUT, + CONFDB_DEFAULT_SSH_KNOWN_HOSTS_TIMEOUT, + &ssh_ctx->known_hosts_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = confdb_get_string(ssh_ctx->rctx->cdb, ssh_ctx, + CONFDB_SSH_CONF_ENTRY, CONFDB_SSH_CA_DB, + CONFDB_DEFAULT_SSH_CA_DB, &ssh_ctx->ca_db); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading CA DB from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = confdb_get_bool(ssh_ctx->rctx->cdb, CONFDB_SSH_CONF_ENTRY, + CONFDB_SSH_USE_CERT_KEYS, + CONFDB_DEFAULT_SSH_USE_CERT_KEYS, + &ssh_ctx->use_cert_keys); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE,"Error reading option " + CONFDB_SSH_USE_CERT_KEYS + "from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "SSH Initialization complete\n"); + + return EOK; + +fail: + talloc_free(rctx); + return ret; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 
was used. */ + debug_level = SSSDBG_INVALID; + + umask(DFL_RSP_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = "sssd_ssh"; + + sss_set_logger(opt_logger); + + ret = server_setup("sssd[ssh]", 0, uid, gid, + CONFDB_SSH_CONF_ENTRY, &main_ctx); + if (ret != EOK) { + return 2; + } + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, "Could not set up to exit " + "when parent process does\n"); + } + + ret = ssh_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx); + if (ret != EOK) { + return 3; + } + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} diff --git a/src/responder/sudo/sudosrv.c b/src/responder/sudo/sudosrv.c new file mode 100644 index 0000000..82315e0 --- /dev/null +++ b/src/responder/sudo/sudosrv.c 
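Review bot: In main(), `uid` and `gid` are declared without initialisers and then passed to server_setup(), so if the option table does not assign them the responder is set up with indeterminate IDs. Whether SSSD_SERVER_OPTS supplies defaults is not visible in this hunk, so this needs confirming; if 0 is the intended "no change" value, `uid_t uid = 0;` and `gid_t gid = 0;` make the no-option case explicit. The same declarations appear in main() of src/responder/sudo/sudosrv.c, where `uid` additionally reaches `chown(SSS_SUDO_SOCKET_NAME, uid, 0)`. Separately, the CONFDB_SSH_USE_CERT_KEYS error string in ssh_process_init() is missing a space before `from confdb`.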
@@ -0,0 +1,269 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "monitor/monitor_interfaces.h" +#include "responder/common/responder.h" +#include "responder/common/responder_sbus.h" +#include "responder/sudo/sudosrv_private.h" +#include "providers/data_provider.h" +#include "responder/common/negcache.h" + +struct mon_cli_iface monitor_sudo_methods = { + { &mon_cli_iface_meta, 0 }, + .resInit = monitor_common_res_init, + .goOffline = NULL, + .resetOffline = NULL, + .rotateLogs = responder_logrotate, + .clearMemcache = NULL, + .clearEnumCache = NULL, + .sysbusReconnect = NULL, +}; + +static void sudo_dp_reconnect_init(struct sbus_connection *conn, + int status, + void *pvt) +{ + struct be_conn *be_conn = talloc_get_type(pvt, struct be_conn); + int ret; + + /* Did we reconnect successfully? 
*/ + if (status == SBUS_RECONNECT_SUCCESS) { + DEBUG(SSSDBG_TRACE_FUNC, "Reconnected to the Data Provider.\n"); + + /* Identify ourselves to the data provider */ + ret = rdp_register_client(be_conn, "SUDO"); + /* all fine */ + if (ret == EOK) { + handle_requests_after_reconnect(be_conn->rctx); + return; + } + } + + /* Failed to reconnect */ + DEBUG(SSSDBG_FATAL_FAILURE, "Could not reconnect to %s provider.\n", + be_conn->domain->name); +} + +int sudo_process_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct confdb_ctx *cdb, + int pipe_fd) +{ + struct resp_ctx *rctx; + struct sss_cmd_table *sudo_cmds; + struct sudo_ctx *sudo_ctx; + struct be_conn *iter; + int ret; + int max_retries; + + sudo_cmds = get_sudo_cmds(); + ret = sss_process_init(mem_ctx, ev, cdb, + sudo_cmds, + SSS_SUDO_SOCKET_NAME, pipe_fd, /* custom permissions on socket */ + NULL, -1, /* No private socket */ + CONFDB_SUDO_CONF_ENTRY, + SSS_SUDO_SBUS_SERVICE_NAME, + SSS_SUDO_SBUS_SERVICE_VERSION, + &monitor_sudo_methods, + "SUDO", + NULL, + sss_connection_setup, + &rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_process_init() failed\n"); + return ret; + } + + sudo_ctx = talloc_zero(rctx, struct sudo_ctx); + if (!sudo_ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, "fatal error initializing sudo_ctx\n"); + ret = ENOMEM; + goto fail; + } + + sudo_ctx->rctx = rctx; + sudo_ctx->rctx->pvt_ctx = sudo_ctx; + + sss_ncache_prepopulate(sudo_ctx->rctx->ncache, sudo_ctx->rctx->cdb, rctx); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "failed to set ncache for sudo's filter_users\n"); + goto fail; + } + + /* Enable automatic reconnection to the Data Provider */ + ret = confdb_get_int(sudo_ctx->rctx->cdb, + CONFDB_SUDO_CONF_ENTRY, + CONFDB_SERVICE_RECON_RETRIES, + 3, &max_retries); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to set up automatic reconnection\n"); + goto fail; + } + + for (iter = sudo_ctx->rctx->be_conns; iter; iter = iter->next) { + 
sbus_reconnect_init(iter->conn, max_retries, + sudo_dp_reconnect_init, iter); + } + + /* Get sudo_timed option */ + ret = confdb_get_bool(sudo_ctx->rctx->cdb, + CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_TIMED, + CONFDB_DEFAULT_SUDO_TIMED, + &sudo_ctx->timed); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + /* Get sudo_inverse_order option */ + ret = confdb_get_bool(sudo_ctx->rctx->cdb, + CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_INVERSE_ORDER, + CONFDB_DEFAULT_SUDO_INVERSE_ORDER, + &sudo_ctx->inverse_order); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + /* Get sudo_inverse_order option */ + ret = confdb_get_int(sudo_ctx->rctx->cdb, + CONFDB_SUDO_CONF_ENTRY, CONFDB_SUDO_THRESHOLD, + CONFDB_DEFAULT_SUDO_THRESHOLD, + &sudo_ctx->threshold); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, "SUDO Initialization complete\n"); + + return EOK; + +fail: + talloc_free(rctx); + return ret; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + char *opt_logger = NULL; + struct main_context *main_ctx; + int ret; + int pipe_fd = -1; + uid_t uid; + gid_t gid; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + SSSD_LOGGER_OPTS + SSSD_SERVER_OPTS(uid, gid) + SSSD_RESPONDER_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + umask(DFL_RSP_UMASK); + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + DEBUG_INIT(debug_level); + + /* set up things like debug, signals, daemonization, etc. */ + debug_log_file = "sssd_sudo"; + + sss_set_logger(opt_logger); + + if (!is_socket_activated()) { + /* Create pipe file descriptors here with right ownerschip */ + ret = create_pipe_fd(SSS_SUDO_SOCKET_NAME, &pipe_fd, SSS_DFL_UMASK); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "create_pipe_fd failed [%d]: %s.\n", + ret, sss_strerror(ret)); + return 4; + } + + ret = chown(SSS_SUDO_SOCKET_NAME, uid, 0); + if (ret != 0) { + ret = errno; + close(pipe_fd); + DEBUG(SSSDBG_FATAL_FAILURE, + "create_pipe_fd failed [%d]: %s.\n", + ret, sss_strerror(ret)); + return 5; + } + } + + ret = server_setup("sssd[sudo]", 0, uid, gid, CONFDB_SUDO_CONF_ENTRY, + &main_ctx); + if (ret != EOK) { + return 2; + } + + ret = die_if_parent_died(); + if (ret != EOK) { + /* This is not fatal, don't return */ + DEBUG(SSSDBG_OP_FAILURE, "Could not set up to exit " + "when parent process does\n"); + } + + ret = sudo_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx, pipe_fd); + if (ret != EOK) { + return 3; + } + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} diff --git a/src/responder/sudo/sudosrv_cmd.c b/src/responder/sudo/sudosrv_cmd.c new file mode 100644 index 0000000..3bed22b --- /dev/null +++ b/src/responder/sudo/sudosrv_cmd.c 
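Review bot: In sudo_process_init(), the result of `sss_ncache_prepopulate(...)` is discarded, so the `if (ret != EOK)` that follows still tests the value left by sss_process_init() and can never fire. A failure to load the negative cache for filter_users (per the log text) would therefore pass silently and the responder would go on answering sudo queries without it. Assign the result: `ret = sss_ncache_prepopulate(sudo_ctx->rctx->ncache, sudo_ctx->rctx->cdb, rctx);`. In main(), the chown() failure branch also logs `create_pipe_fd failed`, which misattributes the error; a message such as `"chown of sudo socket failed [%d]: %s.\n"` would be accurate.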
@@ -0,0 +1,302 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "responder/common/responder.h" +#include "responder/common/responder_packet.h" +#include "responder/sudo/sudosrv_private.h" +#include "db/sysdb_sudo.h" +#include "sss_client/sss_cli.h" +#include "responder/common/negcache.h" + +static errno_t sudosrv_cmd_send_reply(struct sudo_cmd_ctx *cmd_ctx, + uint8_t *response_body, + size_t response_len) +{ + errno_t ret; + uint8_t *packet_body = NULL; + size_t packet_len = 0; + struct cli_ctx *cli_ctx = cmd_ctx->cli_ctx; + struct cli_protocol *pctx; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return ENOMEM; + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + + ret = sss_packet_new(pctx->creq, 0, + sss_packet_get_cmd(pctx->creq->in), + &pctx->creq->out); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to create a new packet [%d]; %s\n", + ret, strerror(ret)); + goto done; + } + + ret = sss_packet_grow(pctx->creq->out, response_len); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to create response: %s\n", strerror(ret)); + goto done; + } + sss_packet_get_body(pctx->creq->out, &packet_body, &packet_len); + memcpy(packet_body, response_body, response_len); + + sss_packet_set_error(pctx->creq->out, EOK); + 
sss_cmd_done(cmd_ctx->cli_ctx, cmd_ctx); + + ret = EOK; + +done: + talloc_zfree(tmp_ctx); + return ret; +} + +static errno_t sudosrv_cmd_send_error(TALLOC_CTX *mem_ctx, + struct sudo_cmd_ctx *cmd_ctx, + uint32_t error) +{ + uint8_t *response_body = NULL; + size_t response_len = 0; + int ret = EOK; + + if (error == EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Everything is fine but we are " + "returning error?\n"); + return EFAULT; + } + + ret = sudosrv_build_response(mem_ctx, error, 0, NULL, + &response_body, &response_len); + if (ret != EOK) { + return ret; + } + + return sudosrv_cmd_send_reply(cmd_ctx, response_body, response_len); +} + +errno_t sudosrv_cmd_reply(struct sudo_cmd_ctx *cmd_ctx, int ret) +{ + uint8_t *response_body = NULL; + size_t response_len = 0; + uint32_t num_rules = cmd_ctx->num_rules; + struct sysdb_attrs **rules = cmd_ctx->rules; + + switch (ret) { + case EOK: + /* + * Parent of cmd_ctx->rules is in-memory cache, we must not talloc_free it! + */ + if (cmd_ctx->sudo_ctx->timed) { + /* filter rules by time */ + + DEBUG(SSSDBG_TRACE_FUNC, "Applying time restrictions on" + "%u rules\n", cmd_ctx->num_rules); + + ret = sysdb_sudo_filter_rules_by_time(cmd_ctx, cmd_ctx->num_rules, + cmd_ctx->rules, 0, + &num_rules, &rules); + if (ret != EOK) { + return EFAULT; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Got %u rules after time filter\n", + num_rules); + } + + /* send result */ + ret = sudosrv_build_response(cmd_ctx, SSS_SUDO_ERROR_OK, + num_rules, rules, + &response_body, &response_len); + if (ret != EOK) { + return EFAULT; + } + + ret = sudosrv_cmd_send_reply(cmd_ctx, response_body, response_len); + break; + + case EAGAIN: + /* async processing, just return here */ + return EOK; + + case EFAULT: + /* very bad error */ + return EFAULT; + + + /* case ENOENT: + * - means user not found + * - send error ENOENT + */ + + default: + /* send error */ + ret = sudosrv_cmd_send_error(cmd_ctx, cmd_ctx, ret); + break; + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"Fatal error, killing connection!\n"); + talloc_free(cmd_ctx->cli_ctx); + return EFAULT; + } + + return EOK; +} + +static void sudosrv_cmd_done(struct tevent_req *req); + +static int sudosrv_cmd(enum sss_sudo_type type, struct cli_ctx *cli_ctx) +{ + struct tevent_req *req = NULL; + struct sudo_cmd_ctx *cmd_ctx = NULL; + uint8_t *query_body = NULL; + size_t query_len = 0; + struct cli_protocol *pctx; + uint32_t protocol; + errno_t ret; + + /* create cmd_ctx */ + + cmd_ctx = talloc_zero(cli_ctx, struct sudo_cmd_ctx); + if (cmd_ctx == NULL) { + /* kill the connection here as we have no context for reply */ + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory?\n"); + return ENOMEM; + } + + cmd_ctx->cli_ctx = cli_ctx; + cmd_ctx->type = type; + cmd_ctx->sudo_ctx = talloc_get_type(cli_ctx->rctx->pvt_ctx, struct sudo_ctx); + if (cmd_ctx->sudo_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "sudo_ctx not set, killing connection!\n"); + return EFAULT; + } + + pctx = talloc_get_type(cli_ctx->protocol_ctx, struct cli_protocol); + protocol = pctx->cli_protocol_version->version; + + /* if protocol is invalid return */ + switch (protocol) { + case 0: + DEBUG(SSSDBG_FATAL_FAILURE, "Protocol [%d] is not secure. 
" + "SSSD does not allow to use this protocol.\n", protocol); + ret = EFAULT; + goto done; + break; + case SSS_SUDO_PROTOCOL_VERSION: + DEBUG(SSSDBG_TRACE_INTERNAL, "Using protocol version [%d]\n", + protocol); + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Invalid protocol version [%d]!\n", + protocol); + ret = EFAULT; + goto done; + } + + /* parse query */ + sss_packet_get_body(pctx->creq->in, &query_body, &query_len); + if (query_len <= 0 || query_body == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Query is empty\n"); + ret = EINVAL; + goto done; + } + + ret = sudosrv_parse_query(cmd_ctx, query_body, query_len, + &cmd_ctx->rawname, &cmd_ctx->uid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse sudo query [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + req = sudosrv_get_rules_send(cmd_ctx, cli_ctx->ev, cmd_ctx->sudo_ctx, + cmd_ctx->type, cmd_ctx->uid, + cmd_ctx->rawname); + if (req == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(req, sudosrv_cmd_done, cmd_ctx); + + ret = EAGAIN; + +done: + return sudosrv_cmd_reply(cmd_ctx, ret); +} + +static void sudosrv_cmd_done(struct tevent_req *req) +{ + struct sudo_cmd_ctx *cmd_ctx; + errno_t ret; + + cmd_ctx = tevent_req_callback_data(req, struct sudo_cmd_ctx); + + ret = sudosrv_get_rules_recv(cmd_ctx, req, &cmd_ctx->rules, + &cmd_ctx->num_rules); + talloc_zfree(req); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain cached rules [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + +done: + sudosrv_cmd_reply(cmd_ctx, ret); +} + +static int sudosrv_cmd_get_sudorules(struct cli_ctx *cli_ctx) +{ + return sudosrv_cmd(SSS_SUDO_USER, cli_ctx); +} + +static int sudosrv_cmd_get_defaults(struct cli_ctx *cli_ctx) +{ + return sudosrv_cmd(SSS_SUDO_DEFAULTS, cli_ctx); +} + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version sudo_cli_protocol_version[] = { + {1, "2012-05-14", "require uid and domain"}, + {0, 
NULL, NULL}
+ };
+
+ return sudo_cli_protocol_version;
+}
+
+struct sss_cmd_table *get_sudo_cmds(void) {
+ static struct sss_cmd_table sudo_cmds[] = {
+ {SSS_GET_VERSION, sss_cmd_get_version},
+ {SSS_SUDO_GET_SUDORULES, sudosrv_cmd_get_sudorules},
+ {SSS_SUDO_GET_DEFAULTS, sudosrv_cmd_get_defaults},
+ {SSS_CLI_NULL, NULL}
+ };
+
+ return sudo_cmds;
+}
diff --git a/src/responder/sudo/sudosrv_dp.c b/src/responder/sudo/sudosrv_dp.c
new file mode 100644
index 0000000..f8ec8ab
--- /dev/null
+++ b/src/responder/sudo/sudosrv_dp.c
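Review bot: sudosrv_cmd_reply() returns EFAULT on two paths with different ownership outcomes: `case EFAULT:` returns with the client context intact, while the final `if (ret != EOK)` block calls `talloc_free(cmd_ctx->cli_ctx)` before returning the same code. sudosrv_cmd() passes that value straight back to its caller, which cannot tell whether `cli_ctx` is still valid; if the dispatcher (not visible here) tears down the client on a non-EOK return, the second path risks a double free or use-after-free. Consider leaving the free to a single owner, and at minimum add a comment on sudosrv_cmd_reply() such as `/* NOTE: EFAULT is returned both with cli_ctx already freed (reply could not be sent) and with it still alive (ret == EFAULT on entry). */`. sudosrv_cmd_done() ignores the return value, so the asynchronous path would need its own explicit teardown if the free is moved out.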
@@ -0,0 +1,228 @@ +/* + Authors: + Pavel Březina + Jakub Hrozek + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include "sbus/sssd_dbus.h" + +#include "util/util.h" +#include "sbus/sbus_client.h" +#include "providers/data_provider_req.h" +#include "providers/data_provider/dp_responder_iface.h" +#include "responder/common/responder.h" +#include "responder/sudo/sudosrv_private.h" +#include "db/sysdb.h" + +struct sss_dp_get_sudoers_info { + struct sss_domain_info *dom; + + bool fast_reply; + enum sss_dp_sudo_type type; + const char *name; + uint32_t num_rules; + struct sysdb_attrs **rules; +}; + +static DBusMessage * +sss_dp_get_sudoers_msg(void *pvt); + +struct tevent_req * +sss_dp_get_sudoers_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + enum sss_dp_sudo_type type, + const char *name, + uint32_t num_rules, + struct sysdb_attrs **rules) +{ + struct tevent_req *req; + struct sss_dp_req_state *state; + struct sss_dp_get_sudoers_info *info; + errno_t ret; + char *key = NULL; + + req = tevent_req_create(mem_ctx, &state, struct sss_dp_req_state); + if (!req) { + return NULL; + } + + if (!dom) { + ret = EINVAL; + goto error; + } + + info = talloc_zero(state, struct sss_dp_get_sudoers_info); + if (info == NULL) { + ret = ENOMEM; + goto error; + } + info->fast_reply = fast_reply; + info->type = type; + 
info->name = name; + info->dom = dom; + info->num_rules = num_rules; + info->rules = rules; + + switch (info->type) { + case SSS_DP_SUDO_REFRESH_RULES: + key = talloc_asprintf(state, "%d:%u:%s@%s", type, + num_rules, name, dom->name); + break; + case SSS_DP_SUDO_FULL_REFRESH: + key = talloc_asprintf(state, "%d:%s", type, dom->name); + break; + } + + if (!key) { + ret = ENOMEM; + goto error; + } + + ret = sss_dp_issue_request(state, rctx, key, dom, sss_dp_get_sudoers_msg, + info, req); + talloc_free(key); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Could not issue DP request [%d]: %s\n", + ret, strerror(ret)); + goto error; + } + + return req; + +error: + tevent_req_error(req, ret); + tevent_req_post(req, rctx->ev); + return req; +} + +static DBusMessage * +sss_dp_get_sudoers_msg(void *pvt) +{ + DBusMessage *msg; + DBusMessageIter iter; + DBusMessageIter array_iter; + dbus_bool_t dbret; + errno_t ret; + struct sss_dp_get_sudoers_info *info; + uint32_t be_type = 0; + uint32_t dp_flags = 0; + const char *rule_name = NULL; + uint32_t i; + + info = talloc_get_type(pvt, struct sss_dp_get_sudoers_info); + + switch (info->type) { + case SSS_DP_SUDO_REFRESH_RULES: + be_type = BE_REQ_SUDO_RULES; + break; + case SSS_DP_SUDO_FULL_REFRESH: + be_type = BE_REQ_SUDO_FULL; + break; + } + + if (info->fast_reply) { + dp_flags |= DP_FAST_REPLY; + } + + msg = dbus_message_new_method_call(NULL, + DP_PATH, + IFACE_DP, + IFACE_DP_SUDOHANDLER); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n"); + return NULL; + } + + /* create the message */ + DEBUG(SSSDBG_TRACE_FUNC, + "Creating SUDOers request for [%s][%u][%s][%u]\n", + info->dom->name, be_type, info->name, info->num_rules); + + dbus_message_iter_init_append(msg, &iter); + + dbret = dbus_message_iter_append_basic(&iter, DBUS_TYPE_UINT32, &dp_flags); + if (dbret == FALSE) { + goto fail; + } + + /* BE TYPE */ + dbret = dbus_message_iter_append_basic(&iter, DBUS_TYPE_UINT32, &be_type); + if (dbret == FALSE) { + 
goto fail; + } + + /* BE TYPE SPECIFIC */ + if (be_type & BE_REQ_SUDO_RULES) { + dbret = dbus_message_iter_append_basic(&iter, DBUS_TYPE_UINT32, + &info->num_rules); + if (dbret == FALSE) { + goto fail; + } + + dbret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_TYPE_STRING_AS_STRING, + &array_iter); + if (dbret == FALSE) { + goto fail; + } + + for (i = 0; i < info->num_rules; i++) { + ret = sysdb_attrs_get_string(info->rules[i], SYSDB_NAME, &rule_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not get rule name [%d]: %s\n", + ret, strerror(ret)); + goto fail; + } + + dbret = dbus_message_iter_append_basic(&array_iter, + DBUS_TYPE_STRING, + &rule_name); + if (dbret == FALSE) { + goto fail; + } + } + + dbret = dbus_message_iter_close_container(&iter, &array_iter); + if (dbret == FALSE) { + goto fail; + } + } + + return msg; + +fail: + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + dbus_message_unref(msg); + return NULL; +} + +errno_t +sss_dp_get_sudoers_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + return sss_dp_req_recv(mem_ctx, req, dp_err, dp_ret, err_msg); +} diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c new file mode 100644 index 0000000..a420c76 --- /dev/null +++ b/src/responder/sudo/sudosrv_get_sudorules.c 
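Review bot: Both `switch (info->type)` statements lack a `default:` branch. In sss_dp_get_sudoers_send() an unexpected type leaves `key` NULL and is reported as ENOMEM, and in sss_dp_get_sudoers_msg() it leaves `be_type` at 0 while the request is still built and returned. Adding `default: ret = EINVAL; goto error;` to the first switch rejects the value before a request is issued. A matching `default:` in the second that logs and returns NULL before the message is allocated keeps an unrecognised type from being sent to the data provider.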
@@ -0,0 +1,793 @@ +/* + Authors: + Pavel Březina + Jakub Hrozek + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include + +#include "util/util.h" +#include "db/sysdb_sudo.h" +#include "responder/common/cache_req/cache_req.h" +#include "responder/sudo/sudosrv_private.h" +#include "providers/data_provider.h" + +static int +sudo_order_cmp(const void *a, const void *b, bool lower_wins) +{ + struct sysdb_attrs *r1, *r2; + uint32_t o1, o2; + int ret; + + r1 = * (struct sysdb_attrs * const *) a; + r2 = * (struct sysdb_attrs * const *) b; + if (!r1 || !r2) { + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Wrong data?\n"); + return 0; + } + + ret = sysdb_attrs_get_uint32_t(r1, SYSDB_SUDO_CACHE_AT_ORDER, &o1); + if (ret == ENOENT) { + /* man sudoers-ldap: If the sudoOrder attribute is not present, + * a value of 0 is assumed */ + o1 = 0; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get sudoOrder value\n"); + return 0; + } + + ret = sysdb_attrs_get_uint32_t(r2, SYSDB_SUDO_CACHE_AT_ORDER, &o2); + if (ret == ENOENT) { + /* man sudoers-ldap: If the sudoOrder attribute is not present, + * a value of 0 is assumed */ + o2 = 0; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get sudoOrder value\n"); + return 0; + } + + if (lower_wins) { + /* The lowest value takes priority. Original wrong SSSD behaviour. 
*/ + if (o1 > o2) { + return 1; + } else if (o1 < o2) { + return -1; + } + } else { + /* The higher value takes priority. Standard LDAP behaviour. */ + if (o1 < o2) { + return 1; + } else if (o1 > o2) { + return -1; + } + } + + return 0; +} + +static int +sudo_order_low_cmp_fn(const void *a, const void *b) +{ + return sudo_order_cmp(a, b, true); +} + +static int +sudo_order_high_cmp_fn(const void *a, const void *b) +{ + return sudo_order_cmp(a, b, false); +} + +static errno_t +sort_sudo_rules(struct sysdb_attrs **rules, size_t count, bool lower_wins) +{ + if (lower_wins) { + DEBUG(SSSDBG_TRACE_FUNC, "Sorting rules with lower-wins logic\n"); + qsort(rules, count, sizeof(struct sysdb_attrs *), + sudo_order_low_cmp_fn); + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Sorting rules with higher-wins logic\n"); + qsort(rules, count, sizeof(struct sysdb_attrs *), + sudo_order_high_cmp_fn); + } + + return EOK; +} + +static errno_t sudosrv_query_cache(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char **attrs, + const char *filter, + struct sysdb_attrs ***_rules, + uint32_t *_count) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + size_t count; + struct sysdb_attrs **rules; + struct ldb_message **msgs; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_FUNC_DATA, "Searching sysdb with [%s]\n", filter); + + if (IS_SUBDOMAIN(domain)) { + /* rules are stored inside parent domain tree */ + domain = domain->parent; + } + + ret = sysdb_search_custom(tmp_ctx, domain, filter, SUDORULE_SUBDIR, + attrs, &count, &msgs); + if (ret == ENOENT) { + *_rules = NULL; + *_count = 0; + ret = EOK; + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up SUDO rules\n"); + goto done; + } + + ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not convert ldb message to sysdb_attrs\n"); + goto done; + } + + *_rules = talloc_steal(mem_ctx, rules); + *_count = 
(uint32_t)count; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sudosrv_expired_rules(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + uid_t uid, + const char *username, + char **groups, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + const char *attrs[] = { SYSDB_NAME, NULL }; + char *filter; + errno_t ret; + + filter = sysdb_sudo_filter_expired(NULL, username, groups, uid); + if (filter == NULL) { + return ENOMEM; + } + + ret = sudosrv_query_cache(mem_ctx, domain, attrs, filter, + _rules, _num_rules); + talloc_free(filter); + + return ret; +} + +static errno_t sudosrv_cached_rules_by_user(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + uid_t cli_uid, + uid_t orig_uid, + const char *username, + char **groupnames, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs **rules; + uint32_t num_rules; + uint32_t i; + const char *filter; + const char *val; + errno_t ret; + const char *attrs[] = { SYSDB_OBJECTCLASS, + SYSDB_SUDO_CACHE_AT_CN, + SYSDB_SUDO_CACHE_AT_HOST, + SYSDB_SUDO_CACHE_AT_COMMAND, + SYSDB_SUDO_CACHE_AT_OPTION, + SYSDB_SUDO_CACHE_AT_RUNAS, + SYSDB_SUDO_CACHE_AT_RUNASUSER, + SYSDB_SUDO_CACHE_AT_RUNASGROUP, + SYSDB_SUDO_CACHE_AT_NOTBEFORE, + SYSDB_SUDO_CACHE_AT_NOTAFTER, + SYSDB_SUDO_CACHE_AT_ORDER, + NULL }; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + filter = sysdb_sudo_filter_user(tmp_ctx, username, groupnames, orig_uid); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sudosrv_query_cache(tmp_ctx, domain, attrs, filter, + &rules, &num_rules); + if (ret != EOK) { + goto done; + } + + val = talloc_asprintf(tmp_ctx, "#%"SPRIuid, cli_uid); + if (val == NULL) { + ret = ENOMEM; + goto done; + } + + /* Add sudoUser: #uid to prevent conflicts with fqnames. 
*/ + DEBUG(SSSDBG_TRACE_FUNC, "Replacing sudoUser attribute with " + "sudoUser: %s\n", val); + for (i = 0; i < num_rules; i++) { + ret = sysdb_attrs_add_string(rules[i], SYSDB_SUDO_CACHE_AT_USER, val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to alter sudoUser attribute " + "[%d]: %s\n", ret, sss_strerror(ret)); + } + } + + *_rules = talloc_steal(mem_ctx, rules); + *_num_rules = num_rules; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sudosrv_cached_rules_by_ng(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + uid_t uid, + const char *username, + char **groupnames, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + char *filter; + errno_t ret; + const char *attrs[] = { SYSDB_OBJECTCLASS, + SYSDB_SUDO_CACHE_AT_CN, + SYSDB_SUDO_CACHE_AT_USER, + SYSDB_SUDO_CACHE_AT_HOST, + SYSDB_SUDO_CACHE_AT_COMMAND, + SYSDB_SUDO_CACHE_AT_OPTION, + SYSDB_SUDO_CACHE_AT_RUNAS, + SYSDB_SUDO_CACHE_AT_RUNASUSER, + SYSDB_SUDO_CACHE_AT_RUNASGROUP, + SYSDB_SUDO_CACHE_AT_NOTBEFORE, + SYSDB_SUDO_CACHE_AT_NOTAFTER, + SYSDB_SUDO_CACHE_AT_ORDER, + NULL }; + + filter = sysdb_sudo_filter_netgroups(NULL, username, groupnames, uid); + if (filter == NULL) { + return ENOMEM; + } + + ret = sudosrv_query_cache(mem_ctx, domain, attrs, filter, + _rules, _num_rules); + talloc_free(filter); + + return ret; +} + +static errno_t sudosrv_cached_rules(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + uid_t cli_uid, + uid_t orig_uid, + const char *username, + char **groups, + bool inverse_order, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs **user_rules; + struct sysdb_attrs **ng_rules; + struct sysdb_attrs **rules; + uint32_t num_user_rules; + uint32_t num_ng_rules; + uint32_t num_rules; + uint32_t rule_iter, i; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sudosrv_cached_rules_by_user(tmp_ctx, domain, + cli_uid, orig_uid, 
username, groups, + &user_rules, &num_user_rules); + if (ret != EOK) { + goto done; + } + + ret = sudosrv_cached_rules_by_ng(tmp_ctx, domain, + orig_uid, username, groups, + &ng_rules, &num_ng_rules); + if (ret != EOK) { + goto done; + } + + num_rules = num_user_rules + num_ng_rules; + if (num_rules == 0) { + *_rules = NULL; + *_num_rules = 0; + ret = EOK; + goto done; + } + + rules = talloc_array(tmp_ctx, struct sysdb_attrs *, num_rules); + if (rules == NULL) { + ret = ENOMEM; + goto done; + } + + rule_iter = 0; + for (i = 0; i < num_user_rules; rule_iter++, i++) { + rules[rule_iter] = talloc_steal(rules, user_rules[i]); + } + + for (i = 0; i < num_ng_rules; rule_iter++, i++) { + rules[rule_iter] = talloc_steal(rules, ng_rules[i]); + } + + ret = sort_sudo_rules(rules, num_rules, inverse_order); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not sort rules by sudoOrder\n"); + goto done; + } + + *_rules = talloc_steal(mem_ctx, rules); + *_num_rules = num_rules; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sudosrv_cached_defaults(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + char *filter; + errno_t ret; + const char *attrs[] = { SYSDB_OBJECTCLASS, + SYSDB_SUDO_CACHE_AT_CN, + SYSDB_SUDO_CACHE_AT_USER, + SYSDB_SUDO_CACHE_AT_HOST, + SYSDB_SUDO_CACHE_AT_COMMAND, + SYSDB_SUDO_CACHE_AT_OPTION, + SYSDB_SUDO_CACHE_AT_RUNAS, + SYSDB_SUDO_CACHE_AT_RUNASUSER, + SYSDB_SUDO_CACHE_AT_RUNASGROUP, + SYSDB_SUDO_CACHE_AT_NOTBEFORE, + SYSDB_SUDO_CACHE_AT_NOTAFTER, + SYSDB_SUDO_CACHE_AT_ORDER, + NULL }; + + filter = sysdb_sudo_filter_defaults(NULL); + if (filter == NULL) { + return ENOMEM; + } + + ret = sudosrv_query_cache(mem_ctx, domain, attrs, filter, + _rules, _num_rules); + talloc_free(filter); + + return ret; +} + +static errno_t sudosrv_fetch_rules(TALLOC_CTX *mem_ctx, + enum sss_sudo_type type, + struct sss_domain_info *domain, + uid_t cli_uid, + uid_t orig_uid, + 
const char *username, + char **groups, + bool inverse_order, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + struct sysdb_attrs **rules; + const char *debug_name = "unknown"; + uint32_t num_rules; + errno_t ret; + + switch (type) { + case SSS_SUDO_USER: + DEBUG(SSSDBG_TRACE_FUNC, "Retrieving rules for [%s@%s]\n", + username, domain->name); + debug_name = "rules"; + + ret = sudosrv_cached_rules(mem_ctx, domain, + cli_uid, orig_uid, username, groups, + inverse_order, &rules, &num_rules); + + break; + case SSS_SUDO_DEFAULTS: + debug_name = "default options"; + DEBUG(SSSDBG_TRACE_FUNC, "Retrieving default options for [%s@%s]\n", + username, domain->name); + + ret = sudosrv_cached_defaults(mem_ctx, domain, &rules, &num_rules); + + break; + default: + ret = EINVAL; + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to retrieve %s [%d]: %s\n", + debug_name, ret, sss_strerror(ret)); + return ret; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Returning %u %s for [%s@%s]\n", + num_rules, debug_name, username, domain->name); + + *_rules = rules; + *_num_rules = num_rules; + + return EOK; +} + +static void +sudosrv_dp_oob_req_done(struct tevent_req *req) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Out of band refresh finished\n"); + talloc_free(req); +} + +struct sudosrv_refresh_rules_state { + struct resp_ctx *rctx; + struct sss_domain_info *domain; + const char *username; +}; + +static void sudosrv_refresh_rules_done(struct tevent_req *subreq); + +static struct tevent_req * +sudosrv_refresh_rules_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + int threshold, + uid_t uid, + const char *username, + char **groups) +{ + struct sudosrv_refresh_rules_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + struct sysdb_attrs **rules; + uint32_t num_rules; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, + struct sudosrv_refresh_rules_state); + if (req == NULL) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->rctx = rctx; + state->domain = domain; + state->username = username; + + ret = sudosrv_expired_rules(state, domain, uid, username, groups, + &rules, &num_rules); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to retrieve expired sudo rules [%d]: %s\n", + ret, strerror(ret)); + goto immediately; + } + + if (num_rules == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "No expired rules were found for [%s@%s].\n", + username, domain->name); + ret = EOK; + goto immediately; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Refreshing %d expired rules of [%s@%s]\n", + num_rules, username, domain->name); + + if (num_rules > threshold) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Rules threshold [%d] is reached, performing full refresh " + "instead.\n", threshold); + + subreq = sss_dp_get_sudoers_send(state, rctx, domain, false, + SSS_DP_SUDO_FULL_REFRESH, + username, 0, NULL); + } else { + subreq = sss_dp_get_sudoers_send(state, rctx, domain, false, + SSS_DP_SUDO_REFRESH_RULES, + username, num_rules, rules); + } + + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sudosrv_refresh_rules_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static void sudosrv_refresh_rules_done(struct tevent_req *subreq) +{ + struct sudosrv_refresh_rules_state *state; + struct tevent_req *req; + dbus_uint16_t err_maj; + dbus_uint32_t err_min; + char *err_msg; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sudosrv_refresh_rules_state); + + ret = sss_dp_get_sudoers_recv(state, subreq, &err_maj, &err_min, &err_msg); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to get information from Data Provider, " + "Error: %u, %u, %s\n", + (unsigned 
int)err_maj, (unsigned int)err_min, err_msg); + goto done; + } + + if (err_min == ENOENT) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "Some expired rules were removed from the server, scheduling " + "full refresh out of band\n"); + subreq = sss_dp_get_sudoers_send(state->rctx, state->rctx, + state->domain, false, + SSS_DP_SUDO_FULL_REFRESH, + state->username, 0, NULL); + if (subreq == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot issue DP request.\n"); + ret = EOK; /* We don't care. */ + goto done; + } + + tevent_req_set_callback(subreq, sudosrv_dp_oob_req_done, NULL); + } + + ret = EOK; + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +static errno_t sudosrv_refresh_rules_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct sudosrv_get_rules_state { + struct tevent_context *ev; + struct resp_ctx *rctx; + enum sss_sudo_type type; + uid_t cli_uid; + const char *username; + struct sss_domain_info *domain; + char **groups; + bool inverse_order; + int threshold; + + uid_t orig_uid; + const char *orig_username; + + struct sysdb_attrs **rules; + uint32_t num_rules; +}; + +static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq); +static void sudosrv_get_rules_done(struct tevent_req *subreq); + +struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sudo_ctx *sudo_ctx, + enum sss_sudo_type type, + uid_t cli_uid, + const char *username) +{ + struct sudosrv_get_rules_state *state; + struct tevent_req *req; + struct tevent_req *subreq; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct sudosrv_get_rules_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n"); + return NULL; + } + + state->ev = ev; + state->rctx = sudo_ctx->rctx; + state->type = type; + state->cli_uid = cli_uid; + state->inverse_order = sudo_ctx->inverse_order; + state->threshold = sudo_ctx->threshold; + + 
DEBUG(SSSDBG_TRACE_FUNC, "Running initgroups for [%s]\n", username); + + subreq = cache_req_initgr_by_name_send(state, ev, sudo_ctx->rctx, + sudo_ctx->rctx->ncache, 0, + CACHE_REQ_POSIX_DOM, NULL, + username); + if (subreq == NULL) { + ret = ENOMEM; + goto immediately; + } + + tevent_req_set_callback(subreq, sudosrv_get_rules_initgr_done, req); + + return req; + +immediately: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + + return req; +} + +static void sudosrv_get_rules_initgr_done(struct tevent_req *subreq) +{ + struct sudosrv_get_rules_state *state; + struct cache_req_result *result; + struct tevent_req *req; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sudosrv_get_rules_state); + + ret = cache_req_initgr_by_name_recv(state, subreq, &result); + talloc_zfree(subreq); + if (ret != EOK) { + goto done; + } + + state->domain = result->domain; + state->username = talloc_steal(state, result->lookup_name); + talloc_zfree(result); + + ret = sysdb_get_sudo_user_info(state, state->domain, state->username, + &state->orig_username, + &state->orig_uid, + &state->groups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to obtain user groups [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + subreq = sudosrv_refresh_rules_send(state, state->ev, state->rctx, + state->domain, state->threshold, + state->orig_uid, + state->orig_username, + state->groups); + if (subreq == NULL) { + ret = ENOMEM; + goto done; + } + + tevent_req_set_callback(subreq, sudosrv_get_rules_done, req); + + ret = EAGAIN; + +done: + if (ret != EOK && ret != EAGAIN) { + tevent_req_error(req, ret); + return; + } else if (ret != EAGAIN) { + tevent_req_done(req); + } +} + +static void sudosrv_get_rules_done(struct tevent_req *subreq) +{ + struct sudosrv_get_rules_state *state = NULL; + struct tevent_req *req = NULL; + errno_t ret; + + req = 
tevent_req_callback_data(subreq, struct tevent_req); + state = tevent_req_data(req, struct sudosrv_get_rules_state); + + ret = sudosrv_refresh_rules_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to refresh expired rules, we will return what is " + "in cache.\n"); + } + + ret = sudosrv_fetch_rules(state, state->type, state->domain, + state->cli_uid, + state->orig_uid, + state->orig_username, + state->groups, + state->inverse_order, + &state->rules, &state->num_rules); + + if (ret != EOK) { + tevent_req_error(req, ret); + return; + } + + tevent_req_done(req); +} + +errno_t sudosrv_get_rules_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sysdb_attrs ***_rules, + uint32_t *_num_rules) +{ + struct sudosrv_get_rules_state *state = NULL; + state = tevent_req_data(req, struct sudosrv_get_rules_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *_rules = talloc_steal(mem_ctx, state->rules); + *_num_rules = state->num_rules; + + return EOK; +} diff --git a/src/responder/sudo/sudosrv_private.h b/src/responder/sudo/sudosrv_private.h new file mode 100644 index 0000000..164f033 --- /dev/null +++ b/src/responder/sudo/sudosrv_private.h 
@@ -0,0 +1,112 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SUDOSRV_PRIVATE_H_
+#define _SUDOSRV_PRIVATE_H_
+
+#include
+#include
+#include
+
+#include "src/db/sysdb.h"
+#include "responder/common/responder.h"
+
+#define SSS_SUDO_ERROR_OK 0
+
+enum sss_dp_sudo_type {
+ SSS_DP_SUDO_REFRESH_RULES,
+ SSS_DP_SUDO_FULL_REFRESH
+};
+
+enum sss_sudo_type {
+ SSS_SUDO_DEFAULTS,
+ SSS_SUDO_USER
+};
+
+struct sudo_ctx {
+ struct resp_ctx *rctx;
+
+ /*
+ * options
+ */
+ bool timed;
+ bool inverse_order;
+ int threshold;
+};
+
+struct sudo_cmd_ctx {
+ struct cli_ctx *cli_ctx;
+ struct sudo_ctx *sudo_ctx;
+ enum sss_sudo_type type;
+
+ /* input data */
+ uid_t uid;
+ char *rawname;
+
+ /* output data */
+ struct sysdb_attrs **rules;
+ uint32_t num_rules;
+};
+
+struct sss_cmd_table *get_sudo_cmds(void);
+
+struct tevent_req *sudosrv_get_rules_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sudo_ctx *sudo_ctx,
+ enum sss_sudo_type type,
+ uid_t cli_uid,
+ const char *username);
+
+errno_t sudosrv_get_rules_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sysdb_attrs ***_rules,
+ uint32_t *_num_rules);
+
+errno_t sudosrv_parse_query(TALLOC_CTX *mem_ctx,
+ uint8_t *query_body,
+ size_t query_len,
+ char **_rawname,
+ uid_t *_uid);
+
+errno_t sudosrv_build_response(TALLOC_CTX *mem_ctx,
+ uint32_t error,
+ uint32_t rules_num,
+ struct sysdb_attrs **rules,
+ uint8_t **_response_body,
+ size_t *_response_len);
+
+struct tevent_req *
+sss_dp_get_sudoers_send(TALLOC_CTX *mem_ctx,
+ struct resp_ctx *rctx,
+ struct sss_domain_info *dom,
+ bool fast_reply,
+ enum sss_dp_sudo_type type,
+ const char *name,
+ uint32_t num_rules,
+ struct sysdb_attrs **rules);
+
+errno_t
+sss_dp_get_sudoers_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ dbus_uint16_t *err_maj,
+ dbus_uint32_t *err_min,
+ char **err_msg);
+
+#endif /* _SUDOSRV_PRIVATE_H_ */
diff --git a/src/responder/sudo/sudosrv_query.c b/src/responder/sudo/sudosrv_query.c
new file mode 100644
index 0000000..5b0edb6
--- /dev/null
+++ b/src/responder/sudo/sudosrv_query.c
@@ -0,0 +1,307 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "responder/sudo/sudosrv_private.h" + +static int sudosrv_response_append_string(TALLOC_CTX *mem_ctx, + const char *str, + size_t str_len, + uint8_t **_response_body, + size_t *_response_len) +{ + size_t response_len = *_response_len; + uint8_t *response_body = *_response_body; + + response_body = talloc_realloc(mem_ctx, response_body, uint8_t, + response_len + (str_len * sizeof(char))); + if (response_body == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc() failed\n"); + return ENOMEM; + } + memcpy(response_body + response_len, str, str_len); + response_len += str_len; + + *_response_body = response_body; + *_response_len = response_len; + + return EOK; +} + +static int sudosrv_response_append_uint32(TALLOC_CTX *mem_ctx, + uint32_t number, + uint8_t **_response_body, + size_t *_response_len) +{ + size_t response_len = *_response_len; + uint8_t *response_body = *_response_body; + + response_body = talloc_realloc(mem_ctx, response_body, uint8_t, + response_len + sizeof(uint32_t)); + if (response_body == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_realloc() failed\n"); + return ENOMEM; + } + SAFEALIGN_SET_UINT32(response_body + response_len, number, &response_len); + + *_response_body = 
response_body; + *_response_len = response_len; + + return EOK; +} + +static int sudosrv_response_append_attr(TALLOC_CTX *mem_ctx, + const char *name, + unsigned int values_num, + struct ldb_val *values, + uint8_t **_response_body, + size_t *_response_len) +{ + uint8_t *response_body = *_response_body; + size_t response_len = *_response_len; + TALLOC_CTX *tmp_ctx = NULL; + unsigned int i = 0; + int ret = EOK; + const char *strval; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + /* attr name */ + ret = sudosrv_response_append_string(tmp_ctx, name, strlen(name) + 1, + &response_body, &response_len); + if (ret != EOK) { + goto done; + } + + /* values count */ + ret = sudosrv_response_append_uint32(tmp_ctx, values_num, + &response_body, &response_len); + if (ret != EOK) { + goto done; + } + + /* values */ + for (i = 0; i < values_num; i++) { + strval = (const char *) values[i].data; + + if (strlen((strval)) != values[i].length) { + DEBUG(SSSDBG_CRIT_FAILURE, "value is not a string\n"); + ret = EINVAL; + goto done; + } + + ret = sudosrv_response_append_string(tmp_ctx, + strval, + values[i].length + 1, + &response_body, &response_len); + DEBUG(SSSDBG_TRACE_INTERNAL, "%s:%s\n", name, strval); + if (ret != EOK) { + goto done; + } + } + + *_response_body = talloc_steal(mem_ctx, response_body); + *_response_len = response_len; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static int sudosrv_response_append_rule(TALLOC_CTX *mem_ctx, + int attrs_num, + struct ldb_message_element *attrs, + uint8_t **_response_body, + size_t *_response_len) +{ + uint8_t *response_body = *_response_body; + size_t response_len = *_response_len; + TALLOC_CTX *tmp_ctx = NULL; + int i = 0; + int ret = EOK; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + /* attrs count */ + ret = 
sudosrv_response_append_uint32(tmp_ctx, attrs_num, + &response_body, &response_len); + if (ret != EOK) { + goto done; + } + + /* attrs */ + for (i = 0; i < attrs_num; i++) { + ret = sudosrv_response_append_attr(tmp_ctx, attrs[i].name, + attrs[i].num_values, attrs[i].values, + &response_body, &response_len); + if (ret != EOK) { + goto done; + } + } + + *_response_body = talloc_steal(mem_ctx, response_body); + *_response_len = response_len; + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +/* + * Response format: + * \0... + * = ... + * = \0\0\0... + * + * if is not SSS_SUDO_ERROR_OK, the rest of the data is skipped. + */ +errno_t sudosrv_build_response(TALLOC_CTX *mem_ctx, + uint32_t error, + uint32_t rules_num, + struct sysdb_attrs **rules, + uint8_t **_response_body, + size_t *_response_len) +{ + uint8_t *response_body = NULL; + size_t response_len = 0; + TALLOC_CTX *tmp_ctx = NULL; + uint32_t i = 0; + errno_t ret = EOK; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + /* error code */ + ret = sudosrv_response_append_uint32(tmp_ctx, error, + &response_body, &response_len); + if (ret != EOK) { + goto fail; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "error: [%"PRIu32"]\n", error); + + if (error != SSS_SUDO_ERROR_OK) { + goto done; + } + + /* domain name - deprecated + * TODO: when possible change the protocol */ + ret = sudosrv_response_append_string(tmp_ctx, "\0", 1, + &response_body, &response_len); + if (ret != EOK) { + goto fail; + } + + /* rules count */ + ret = sudosrv_response_append_uint32(tmp_ctx, rules_num, + &response_body, &response_len); + if (ret != EOK) { + goto fail; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "rules_num: [%"PRIu32"]\n", error); + + /* rules */ + for (i = 0; i < rules_num; i++) { + DEBUG(SSSDBG_TRACE_INTERNAL, "rule [%"PRIu32"]/[%"PRIu32"]\n", i+1, rules_num); + ret = sudosrv_response_append_rule(tmp_ctx, rules[i]->num, rules[i]->a, + 
&response_body, &response_len); + if (ret != EOK) { + goto fail; + } + } + +done: + *_response_body = talloc_steal(mem_ctx, response_body); + *_response_len = response_len; + + ret = EOK; + +fail: + talloc_free(tmp_ctx); + return ret; +} + +errno_t sudosrv_parse_query(TALLOC_CTX *mem_ctx, + uint8_t *query_body, + size_t query_len, + char **_rawname, + uid_t *_uid) +{ + size_t offset = 0; + size_t rawname_len; + char *rawname; + uid_t uid; + + /* uid */ + if (query_len < sizeof(uid_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Query is too small\n"); + return EINVAL; + } + safealign_memcpy(&uid, query_body, sizeof(uid_t), &offset); + + /* username[@domain] */ + rawname = (char*)(query_body + offset); + rawname_len = query_len - offset; /* strlen + zero */ + + if (rawname[rawname_len - 1] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Username is not zero terminated\n"); + return EINVAL; + } + + if (rawname_len < 2) { /* at least one character and zero */ + DEBUG(SSSDBG_CRIT_FAILURE, "Query does not contain username\n"); + return EINVAL; + } + + if (!sss_utf8_check((uint8_t*)rawname, rawname_len - 1)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Supplied data is not valid UTF-8 string\n"); + return EINVAL; + } + + rawname = talloc_strdup(mem_ctx, rawname); + if (rawname == NULL) { + return ENOMEM; + } + + *_uid = uid; + *_rawname = rawname; + + return EOK; +} diff --git a/src/sbus/sbus_client.c b/src/sbus/sbus_client.c new file mode 100644 index 0000000..1f084e8 --- /dev/null +++ b/src/sbus/sbus_client.c 
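Review bot: In sudosrv_parse_query the terminator test `rawname[rawname_len - 1] != '\0'` runs before the `if (rawname_len < 2)` check, so a query that carries only the uid (query_len equal to sizeof(uid_t)) leaves rawname_len at zero and the index wraps to the byte in front of the name. The query body is presumably supplied by the client, so the length check should come first: move the `if (rawname_len < 2)` block above the terminator test so the index is only computed on a non-empty name. Separately, in sudosrv_build_response the trace line `"rules_num: [%"PRIu32"]\n"` is passed `error` instead of `rules_num`, which makes the log misleading when a response is being debugged.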
@@ -0,0 +1,79 @@
+/*
+ SSSD
+
+ Data Provider Helpers
+
+ Copyright (C) Stephen Gallagher 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+#include "sbus_client.h"
+
+int sbus_client_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_address,
+ time_t *last_request_time,
+ struct sbus_connection **_conn)
+{
+ struct sbus_connection *conn = NULL;
+ int ret;
+ char *filename;
+ uid_t check_uid;
+ gid_t check_gid;
+
+ /* Validate input */
+ if (server_address == NULL) {
+ return EINVAL;
+ }
+
+ filename = strchr(server_address, '/');
+ if (filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected dbus address [%s].\n", server_address);
+ return EIO;
+ }
+
+ check_uid = geteuid();
+ check_gid = getegid();
+
+ /* Ignore ownership checks when the server runs as root. This is the
+ * case when privileged monitor is setting up sockets for unprivileged
+ * responders */
+ if (check_uid == 0) check_uid = -1;
+ if (check_gid == 0) check_gid = -1;
+
+ ret = check_file(filename, check_uid, check_gid,
+ S_IFSOCK|S_IRUSR|S_IWUSR, 0, NULL, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_file failed for [%s].\n", filename);
+ return EIO;
+ }
+
+ ret = sbus_new_connection(mem_ctx, ev, server_address,
+ last_request_time, &conn);
+ if (ret != EOK) {
+ goto fail;
+ }
+
+ *_conn = conn;
+ return EOK;
+
+fail:
+ talloc_free(conn);
+ return ret;
+}
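Review bot: sbus_client_init validates the socket by path with check_file() and then passes the original address to sbus_new_connection(), which has to resolve that path again, so the ownership and mode check only holds if no other user can replace the file in between. That is presumably guaranteed by the permissions on the directory that holds the socket, but nothing in the function records it; a comment above the call such as `/* check_file() is only meaningful while the pipe directory is not writable by other users */` would state the assumption. The root exemption is also applied per id, so a process with a non-zero euid and an egid of 0 skips the group check; if that is intended the existing comment should say so, and writing `(uid_t)-1` and `(gid_t)-1` would make the wildcard value explicit.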
diff --git a/src/sbus/sbus_client.h b/src/sbus/sbus_client.h
new file mode 100644
index 0000000..0366e56
--- /dev/null
+++ b/src/sbus/sbus_client.h
@@ -0,0 +1,34 @@
+/*
+ SSSD
+
+ Data Provider Helpers
+
+ Copyright (C) Stephen Gallagher 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SBUS_CLIENT_H_
+#define SBUS_CLIENT_H_
+
+#include
+#include "sbus/sssd_dbus.h"
+
+int sbus_client_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *server_address,
+ time_t *last_request_time,
+ struct sbus_connection **_conn);
+
+#endif /* SBUS_CLIENT_H_ */
diff --git a/src/sbus/sbus_codegen b/src/sbus/sbus_codegen
new file mode 100755
index 0000000..a97a925
--- /dev/null
+++ b/src/sbus/sbus_codegen
@@ -0,0 +1,831 @@ +#!/usr/bin/env python + +# +# Authors: +# Stef Walter +# +# Copyright (C) 2014 Red Hat +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +# +# Some parser code from GLib +# +# Copyright (C) 2008-2011 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General +# Public License along with this library; if not, write to the +# Free Software Foundation, Inc., 59 Temple Place, Suite 330, +# Boston, MA 02111-1307, USA. +# +# Portions by: David Zeuthen +# + +# +# DBus interfaces are defined here: +# +# http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format +# +# The introspection data format has become the standard way to represent a +# DBus interface. For many examples see /usr/share/dbus-1/interfaces/ on a +# typical linux machine. +# +# A word about annotations. These are extra flags or values that can be +# assigned to anything. 
So far, the codegen supports this annotation: +# +# org.freedesktop.DBus.GLib.CSymbol +# - An annotation specified in the specification that tells us what C symbol +# to generate for a given interface or method. By default the codegen will +# build up a symbol name from the DBus name. +# +from __future__ import print_function + +import optparse +import os +import re +import sys +import xml.parsers.expat + +if sys.version_info[0] > 2: + import io as StringIO +else: + import StringIO + +# ----------------------------------------------------------------------------- +# Objects + +class DBusXmlException(Exception): + line = 0 + file = None + + # Lets us print problems like a compiler would + def __str__(self): + message = Exception.__str__(self) + if self.file and self.line: + return "%s:%d: %s" % (self.file, self.line, message) + elif self.file: + return "%s: %s" % (self.file, message) + else: + return message + +class Base(object): + def __init__(self, name): + if not name: + raise DBusXmlException('No name on element') + self.name = name + self.annotations = { } + def validate(self): + pass + def c_name(self): + return self.annotations.get("org.freedesktop.DBus.GLib.CSymbol", self.name) + +# The basic types that we support marshalling right now. These +# are the ones we can pass as basic arguments to libdbus directly. +# If the dbus and sssd types are identical we pass things directly. +# otherwise some copying is necessary. 
+BASIC_TYPES = { + 'y': ( "DBUS_TYPE_BYTE", "uint8_t", "uint8_t" ), + 'b': ( "DBUS_TYPE_BOOLEAN", "dbus_bool_t", "bool" ), + 'n': ( "DBUS_TYPE_INT16", "int16_t", "int16_t" ), + 'q': ( "DBUS_TYPE_UINT16", "uint16_t", "uint16_t" ), + 'i': ( "DBUS_TYPE_INT32", "int32_t", "int32_t" ), + 'u': ( "DBUS_TYPE_UINT32", "uint32_t", "uint32_t" ), + 'x': ( "DBUS_TYPE_INT64", "int64_t", "int64_t" ), + 't': ( "DBUS_TYPE_UINT64", "uint64_t", "uint64_t" ), + 'd': ( "DBUS_TYPE_DOUBLE", "double", "double" ), + 's': ( "DBUS_TYPE_STRING", "const char *", "const char *" ), + 'o': ( "DBUS_TYPE_OBJECT_PATH", "const char *", "const char *" ), +} + +class Typed(Base): + def __init__(self, name, type): + Base.__init__(self, name) + self.type = type + self.is_basic = False + self.is_array = False + self.is_dictionary = False + self.dbus_constant = None + self.dbus_type = None + self.sssd_type = None + if type[0] == 'a': + type = type[1:] + self.is_array = True + if "{" in type: + self.is_dictionary = True + if type in BASIC_TYPES: + (self.dbus_constant, self.dbus_type, self.sssd_type) = BASIC_TYPES[type] + # If types are not identical, we can't do array (yet) + if self.is_array: + self.is_basic = (self.dbus_type == self.sssd_type) + else: + self.is_basic = True + +class Arg(Typed): + def __init__(self, method, name, type): + Typed.__init__(self, name, type) + self.method = method + +class Method(Base): + def __init__(self, iface, name): + Base.__init__(self, name) + self.iface = iface + self.in_args = [] + self.out_args = [] + def validate(self): + if not self.only_basic_args() and not self.use_raw_handler(): + raise DBusXmlException("Method has complex arguments and requires " + + "the 'org.freedesktop.sssd.RawHandler' annotation") + def fq_c_name(self): + return "%s_%s" % (self.iface.c_name(), self.c_name()) + def use_raw_handler(self): + anno = 'org.freedesktop.sssd.RawHandler' + return self.annotations.get(anno, self.iface.annotations.get(anno)) == 'true' + def in_signature(self): + 
return "".join([arg.type for arg in self.in_args]) + def only_basic_args(self): + for arg in self.in_args + self.out_args: + if not arg.is_basic: + return False + return True + +class Signal(Base): + def __init__(self, iface, name): + Base.__init__(self, name) + self.iface = iface + self.args = [] + def fq_c_name(self): + return "%s_%s" % (self.iface.c_name(), self.c_name()) + +class Property(Typed): + def __init__(self, iface, name, type, access): + Typed.__init__(self, name, type) + self.iface = iface + self.readable = False + self.writable = False + if access == 'readwrite': + self.readable = True + self.writable = True + elif access == 'read': + self.readable = True + elif access == 'write': + self.writable = True + else: + raise DBusXmlException('Invalid access type %s'%self.access) + def fq_c_name(self): + return "%s_%s" % (self.iface.c_name(), self.c_name()) + def get_invoker_name(self): + type = self.type + type = type.replace("{", "DO") + type = type.replace("}", "DE") + return type + def get_invoker_signature(self, name): + sig = "void (*%s)(struct sbus_request *, void *data, " % (name) + if self.is_dictionary: + sig += "hash_table_t **" + elif self.is_array: + sig += "%s**, int *" % (self.sssd_type) + else: + sig += "%s*" % (self.sssd_type) + sig += ")" + return sig + + + def getter_name(self): + return "get_%s" % self.c_name() + def getter_invoker_name(self): + return "sbus_invoke_get_%s" % self.get_invoker_name() + def getter_signature(self): + return self.get_invoker_signature(self.getter_name()) + +class Interface(Base): + def __init__(self, name): + Base.__init__(self, name) + self.methods = [] + self.signals = [] + self.properties = [] + def c_name(self): + return self.annotations.get("org.freedesktop.DBus.GLib.CSymbol", + self.name.replace(".", "_")) + +# ----------------------------------------------------------------------------- +# Code Generation + +def out(format, *args, **kwargs): + str = format % args + sys.stdout.write(str) + # NOTE: Would 
like to use the following syntax for this function + # but need to wait until python3 until it is supported: + # def out(format, *args, new_line=True) + if kwargs.pop("new_line", True): + sys.stdout.write("\n") + assert not kwargs, "unknown keyword argument(s): %s" % str(kwargs) + +def method_arg_types(args, with_names=False): + str = "" + for arg in args: + str += ", " + str += arg.sssd_type + if with_names: + if str[-1] != '*': + str += " " + str += "arg_" + str += arg.c_name() + if arg.is_array: + str += "[], int" + if with_names: + str += " len_" + str += arg.c_name() + return str + +def method_function_pointer(meth, name, with_names=False): + if meth.use_raw_handler(): + return "sbus_msg_handler_fn " + name + else: + return "int (*%s)(struct sbus_request *%s, void *%s%s)" % \ + (name, with_names and "req" or "", + with_names and "data" or "", + method_arg_types(meth.in_args, with_names)) + +def property_handlers(prop): + return prop.getter_signature() + +def forward_method_invoker(signature, args): + out("") + out("/* invokes a handler with a '%s' DBus signature */", signature) + out("static int invoke_%s_method(struct sbus_request *dbus_req, void *function_ptr);", signature) + +def source_method_invoker(signature, args): + out("") + out("/* invokes a handler with a '%s' DBus signature */", signature) + out("static int invoke_%s_method(struct sbus_request *dbus_req, void *function_ptr)", signature) + out("{") + for i in range(0, len(args)): + arg = args[i] + if arg.is_array: + out(" %s *arg_%d;", arg.dbus_type, i) + out(" int len_%d;", i) + else: + out(" %s arg_%d;", arg.dbus_type, i) + out(" int (*handler)(struct sbus_request *, void *%s) = function_ptr;", method_arg_types(args)) + out("") + out(" if (!sbus_request_parse_or_finish(dbus_req,") + for i in range(0, len(args)): + arg = args[i] + if arg.is_array: + out(" DBUS_TYPE_ARRAY, %s, &arg_%d, &len_%d,", + arg.dbus_constant, i, i) + else: + out(" %s, &arg_%d,", arg.dbus_constant, i) + out(" 
DBUS_TYPE_INVALID)) {") + out(" return EOK; /* request handled */") + out(" }") + out("") + + out(" return (handler)(dbus_req, dbus_req->intf->handler_data", new_line=False) + for i in range(0, len(args)): + arg = args[i] + out(",\n arg_%d", i, new_line=False) + if arg.is_array: + out(",\n len_%d", i, new_line=False) + out(");") + out("}") + +def source_prop_types(prop, type_prefix=False): + prefix = "%s_" % prop.type if type_prefix else "" + if prop.is_array: + out(" %s *%sprop_val;", prop.sssd_type, prefix) + out(" int %sprop_len;", prefix) + out(" %s *%sout_val;", prop.dbus_type, prefix) + else: + out(" %s %sprop_val;", prop.sssd_type, prefix) + out(" %s %sout_val;", prop.dbus_type, prefix) + +def source_prop_handler(prop, type_prefix=False): + prefix = "%s_" % prop.type if type_prefix else "" + out(" %s", prop.getter_signature("%shandler" % prefix), new_line=False) + out(";") + +def forward_method_invokers(ifaces): + invokers = { } + for iface in ifaces: + for meth in iface.methods: + if meth.use_raw_handler() or not meth.in_args: + continue + signature = meth.in_signature() + if signature in invokers: + continue + forward_method_invoker(signature, meth.in_args) + invokers[signature] = meth + return invokers + +def source_method_invokers(invokers): + for (signature, meth) in invokers.items(): + source_method_invoker(signature, meth.in_args) + +def source_finisher(meth): + out("") + out("int %s_finish(struct sbus_request *req%s)", + meth.fq_c_name(), method_arg_types(meth.out_args, with_names=True)) + out("{") + + for arg in meth.out_args: + if arg.dbus_type != arg.sssd_type: + out(" %s cast_%s = arg_%s;", arg.dbus_type, arg.c_name(), arg.c_name()) + + out(" return sbus_request_return_and_finish(req,") + for arg in meth.out_args: + out(" ", new_line=False) + if arg.is_array: + out("DBUS_TYPE_ARRAY, %s, &arg_%s, len_%s,", + arg.dbus_constant, arg.c_name(), arg.c_name()) + elif arg.dbus_type != arg.sssd_type: + out("%s, &cast_%s,", arg.dbus_constant, arg.c_name()) 
+ else: + out("%s, &arg_%s,", arg.dbus_constant, arg.c_name()) + out(" DBUS_TYPE_INVALID);") + out("}") + +def header_reply(meth): + for arg in meth.out_args: + if arg.is_array: + out(" %s *%s", arg.dbus_type, arg.c_name()) + out(" int %s__len", arg.c_name()) + else: + out(" %s %s;", arg.dbus_type, arg.c_name()) + types = [arg.sssd_type for arg in meth.in_args] + +def source_args(parent, args, suffix): + out("") + out("/* arguments for %s.%s */", parent.iface.name, parent.name) + out("const struct sbus_arg_meta %s%s[] = {", parent.fq_c_name(), suffix) + for arg in args: + out(" { \"%s\", \"%s\" },", arg.name, arg.type) + out(" { NULL, }") + out("};") + +def source_methods(iface, methods): + for meth in methods: + if meth.in_args: + source_args(meth, meth.in_args, "__in") + if meth.out_args: + source_args(meth, meth.out_args, "__out") + + if not meth.use_raw_handler(): + source_finisher(meth) + + out("") + out("/* methods for %s */", iface.name) + out("const struct sbus_method_meta %s__methods[] = {", iface.c_name()) + for meth in methods: + out(" {") + out(" \"%s\", /* name */", meth.name) + if meth.in_args: + out(" %s__in,", meth.fq_c_name()) + else: + out(" NULL, /* no in_args */") + if meth.out_args: + out(" %s__out,", meth.fq_c_name()) + else: + out(" NULL, /* no out_args */") + out(" offsetof(struct %s, %s),", iface.c_name(), meth.c_name()) + if meth.use_raw_handler() or not meth.in_args: + out(" NULL, /* no invoker */") + else: + out(" invoke_%s_method,", meth.in_signature()) + out(" },") + out(" { NULL, }") + out("};") + +def source_signals(iface, signals): + for sig in iface.signals: + if sig.args: + source_args(sig, sig.args, "__args") + + out("") + out("/* signals for %s */", iface.name) + out("const struct sbus_signal_meta %s__signals[] = {", iface.c_name()) + for sig in signals: + out(" {") + out(" \"%s\", /* name */", sig.name) + if sig.args: + out(" %s__args", sig.fq_c_name()) + else: + out(" NULL, /* no args */") + out(" },") + out(" { NULL, }") + 
out("};") + +def source_properties(iface, properties): + out("") + out("/* property info for %s */", iface.name) + + out("const struct sbus_property_meta %s__properties[] = {", iface.c_name()) + for prop in properties: + out(" {") + out(" \"%s\", /* name */", prop.name) + out(" \"%s\", /* type */", prop.type) + if prop.readable and prop.writable: + out(" SBUS_PROPERTY_READABLE | SBUS_PROPERTY_WRITABLE,") + elif prop.readable: + out(" SBUS_PROPERTY_READABLE,") + elif prop.writable: + out(" SBUS_PROPERTY_WRITABLE,") + else: + assert False, "should not be reached" + if prop.readable: + out(" offsetof(struct %s, %s),", iface.c_name(), prop.getter_name()) + out(" %s,", prop.getter_invoker_name()) + else: + out(" 0, /* not readable */") + out(" NULL, /* no invoker */") + out(" 0, /* not writable */") + out(" NULL, /* no invoker */") + out(" },") + out(" { NULL, }") + out("};") + +def header_interface(iface): + out("") + out("/* interface info for %s */", iface.name) + out("extern const struct sbus_interface_meta %s_meta;", iface.c_name()) + +def source_interface(iface): + out("") + out("/* interface info for %s */", iface.name) + out("const struct sbus_interface_meta %s_meta = {", iface.c_name()) + out(" \"%s\", /* name */", iface.name) + if iface.methods: + out(" %s__methods,", iface.c_name()) + else: + out(" NULL, /* no methods */") + if iface.signals: + out(" %s__signals,", iface.c_name()) + else: + out(" NULL, /* no signals */") + if iface.properties: + out(" %s__properties,", iface.c_name()) + else: + out(" NULL, /* no properties */") + out(" sbus_invoke_get_all, /* GetAll invoker */") + out("};") + +def generate_source(ifaces, filename, include_header=None): + basename = os.path.basename(filename) + + out("/* The following definitions are auto-generated from %s */", basename) + out("") + + out("#include ") + out("") + out("#include \"dbus/dbus-protocol.h\"") + out("#include \"util/util_errors.h\"") + out("#include \"sbus/sssd_dbus.h\"") + out("#include 
\"sbus/sssd_dbus_meta.h\"") + out("#include \"sbus/sssd_dbus_invokers.h\"") + if include_header: + out("#include \"%s\"", os.path.basename(include_header)) + + meth_invokers = forward_method_invokers(ifaces) + + for iface in ifaces: + + # The methods + if iface.methods: + source_methods(iface, iface.methods) + + # The signals array + if iface.signals: + source_signals(iface, iface.signals) + + # The properties array + if iface.properties: + source_properties(iface, iface.properties) + + # The sbus_interface structure + source_interface(iface) + + source_method_invokers(meth_invokers) + +def header_finisher(iface, meth): + if meth.use_raw_handler(): + return + out("") + out("/* finish function for %s */", meth.name) + out("int %s_finish(struct sbus_request *req%s);", + meth.fq_c_name(), method_arg_types(meth.out_args, with_names=True)) + +def header_vtable(iface, methods): + out("") + out("/* vtable for %s */", iface.name) + out("struct %s {", iface.c_name()) + out(" struct sbus_vtable vtable; /* derive from sbus_vtable */") + + # All methods + for meth in iface.methods: + out(" %s;", method_function_pointer(meth, meth.c_name(), with_names=True)) + for prop in iface.properties: + out(" %s;", property_handlers(prop)) + + out("};") + +def header_constants(iface): + out("") + out("/* constants for %s */", iface.name) + out("#define %s \"%s\"", iface.c_name().upper(), iface.name) + for meth in iface.methods: + out("#define %s \"%s\"", meth.fq_c_name().upper(), meth.name) + for sig in iface.signals: + out("#define %s \"%s\"", sig.fq_c_name().upper(), sig.name) + for prop in iface.properties: + out("#define %s \"%s\"", prop.fq_c_name().upper(), prop.name) + +def generate_header(ifaces, filename): + basename = os.path.basename(filename) + guard = "__%s__" % re.sub(r'([^_A-Z0-9])', "_", basename.upper()) + + out("/* The following declarations are auto-generated from %s */", basename) + out("") + out("#ifndef %s", guard) + out("#define %s", guard) + out("") + out("#include 
\"sbus/sssd_dbus.h\"") + out("#include \"sbus/sssd_dbus_meta.h\"") + + out("") + out("/* ------------------------------------------------------------------------") + out(" * DBus Constants") + out(" *") + out(" * Various constants of interface and method names mostly for use by clients") + out(" */") + + for iface in ifaces: + header_constants(iface) + + out("") + out("/* ------------------------------------------------------------------------") + out(" * DBus handlers") + out(" *") + out(" * These structures are filled in by implementors of the different") + out(" * dbus interfaces to handle method calls.") + out(" *") + out(" * Handler functions of type sbus_msg_handler_fn accept raw messages,") + out(" * other handlers are typed appropriately. If a handler that is") + out(" * set to NULL is invoked it will result in a") + out(" * org.freedesktop.DBus.Error.NotSupported error for the caller.") + out(" *") + out(" * Handlers have a matching xxx_finish() function (unless the method has") + out(" * accepts raw messages). These finish functions the") + out(" * sbus_request_return_and_finish() with the appropriate arguments to") + out(" * construct a valid reply. 
Once a finish function has been called, the") + out(" * @dbus_req it was called with is freed and no longer valid.") + out(" */") + + for iface in ifaces: + if iface.methods or iface.properties: + header_vtable(iface, iface.methods) + for meth in iface.methods: + header_finisher(iface, meth) + + out("") + out("/* ------------------------------------------------------------------------") + out(" * DBus Interface Metadata") + out(" *") + out(" * These structure definitions are filled in with the information about") + out(" * the interfaces, methods, properties and so on.") + out(" *") + out(" * The actual definitions are found in the accompanying C file next") + out(" * to this header.") + out(" */") + + for iface in ifaces: + header_interface(iface) + + out("") + out("#endif /* %s */", guard) + +# ----------------------------------------------------------------------------- +# XML Interface Parsing + +STATE_TOP = 'top' +STATE_NODE = 'node' +STATE_INTERFACE = 'interface' +STATE_METHOD = 'method' +STATE_SIGNAL = 'signal' +STATE_PROPERTY = 'property' +STATE_ARG = 'arg' +STATE_ANNOTATION = 'annotation' +STATE_IGNORED = 'ignored' + +def expect_attr(attrs, name): + if name not in attrs: + raise DBusXmlException("Missing attribute '%s'" % name) + if attrs[name] == "": + raise DBusXmlException("Empty attribute '%s'" % name) + return attrs[name] + +class DBusXMLParser(object): + def __init__(self, filename): + parser = xml.parsers.expat.ParserCreate() + parser.CommentHandler = self.handle_comment + parser.CharacterDataHandler = self.handle_char_data + parser.StartElementHandler = self.handle_start_element + parser.EndElementHandler = self.handle_end_element + + self.parsed_interfaces = [] + self.cur_object = None + + self.state = STATE_TOP + self.state_stack = [] + self.cur_object = None + self.cur_object_stack = [] + self.arg_count = 0 + + try: + with open(filename, "rb") as f: + parser.ParseFile(f) + except DBusXmlException as ex: + ex.line = parser.CurrentLineNumber + 
ex.file = filename + raise + except xml.parsers.expat.ExpatError as ex: + exc = DBusXmlException(str(ex)) + exc.line = ex.lineno + exc.file = filename + raise exc + + def handle_comment(self, data): + pass + + def handle_char_data(self, data): + pass + + def handle_start_element(self, name, attrs): + old_state = self.state + old_cur_object = self.cur_object + if self.state == STATE_IGNORED: + self.state = STATE_IGNORED + elif self.cur_object and name == STATE_ANNOTATION: + val = attrs.get('value', '') + self.cur_object.annotations[expect_attr(attrs, 'name')] = val + self.state = STATE_IGNORED + elif self.state == STATE_TOP: + if name == STATE_NODE: + self.state = STATE_NODE + else: + self.state = STATE_IGNORED + elif self.state == STATE_NODE: + if name == STATE_INTERFACE: + self.state = STATE_INTERFACE + iface = Interface(expect_attr(attrs, 'name')) + self.cur_object = iface + self.parsed_interfaces.append(iface) + else: + self.state = STATE_IGNORED + + elif self.state == STATE_INTERFACE: + if name == STATE_METHOD: + self.state = STATE_METHOD + method = Method(self.cur_object, expect_attr(attrs, 'name')) + self.cur_object.methods.append(method) + self.cur_object = method + self.arg_count = 0 + elif name == STATE_SIGNAL: + self.state = STATE_SIGNAL + signal = Signal(self.cur_object, expect_attr(attrs, 'name')) + self.cur_object.signals.append(signal) + self.cur_object = signal + self.arg_count = 0 + elif name == STATE_PROPERTY: + self.state = STATE_PROPERTY + prop = Property(self.cur_object, + expect_attr(attrs, 'name'), + expect_attr(attrs, 'type'), + expect_attr(attrs, 'access')) + self.cur_object.properties.append(prop) + self.cur_object = prop + else: + self.state = STATE_IGNORED + + elif self.state == STATE_METHOD: + if name == STATE_ARG: + self.state = STATE_ARG + arg = Arg(self.cur_object, + expect_attr(attrs, 'name'), + expect_attr(attrs, 'type')) + direction = attrs.get('direction', 'in') + if direction == 'in': + self.cur_object.in_args.append(arg) + elif 
direction == 'out': + self.cur_object.out_args.append(arg) + else: + raise DBusXmlException('Invalid direction "%s"' % direction) + self.cur_object = arg + else: + self.state = STATE_IGNORED + + elif self.state == STATE_SIGNAL: + if name == STATE_ARG: + self.state = STATE_ARG + arg = Arg(self.cur_object, + expect_attr(attrs, 'name'), + expect_attr(attrs, 'type')) + self.cur_object.args.append(arg) + self.cur_object = arg + else: + self.state = STATE_IGNORED + + elif self.state == STATE_PROPERTY: + self.state = STATE_IGNORED + + elif self.state == STATE_ARG: + self.state = STATE_IGNORED + + else: + assert False, 'Unhandled state "%s" while entering element with name "%s"' % (self.state, name) + + self.state_stack.append(old_state) + self.cur_object_stack.append(old_cur_object) + + def handle_end_element(self, name): + if self.cur_object: + self.cur_object.validate() + self.state = self.state_stack.pop() + self.cur_object = self.cur_object_stack.pop() + +def parse_options(): + parser = optparse.OptionParser("usage: %prog [options] introspect.xml ...") + parser.set_description("sbus_codegen generates sbus interface structures \ + from standard XML Introspect data.") + parser.add_option("--mode", + dest="mode", default="header", + help="'header' or 'source' (default: header)", + metavar="MODE") + parser.add_option("--output", + dest="output", default=None, + help="Set output file name (default: stdout)", + metavar="FILE") + parser.add_option("--include", + dest="include", default=None, + help="name of a header to #include", + metavar="HEADER") + (options, args) = parser.parse_args() + + if not args: + print("sbus_codegen: no input file specified", file=sys.stderr) + sys.exit(2) + + if options.mode not in ["header", "source"]: + print("sbus_codegen: specify --mode=header or --mode=source", file=sys.stderr) + + return options, args + +def main(): + options, args = parse_options() + + if options.output: + sys.stdout = buf = StringIO.StringIO() + + for filename in args: + 
parser = DBusXMLParser(filename) + + if options.mode == "header": + generate_header(parser.parsed_interfaces, filename) + elif options.mode == "source": + generate_source(parser.parsed_interfaces, filename, options.include) + else: + assert False, "should not be reached" + + # Write output at end to be nice to 'make' + if options.output: + output = open(options.output, "w") + output.write(buf.getvalue()) + output.close() + +if __name__ == "__main__": + try: + main() + except DBusXmlException as ex: + print(str(ex), file=sys.stderr) + sys.exit(1) diff --git a/src/sbus/sssd_dbus.h b/src/sbus/sssd_dbus.h new file mode 100644 index 0000000..f26713b --- /dev/null +++ b/src/sbus/sssd_dbus.h 
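Review bot: The error path in `Property.__init__` reads `self.access`, which is never assigned, so an invalid `access` attribute in the introspection XML ends in an AttributeError traceback instead of the `DBusXmlException` that the parser annotates with file and line and `main()` reports; the raise should be `raise DBusXmlException('Invalid access type %s' % access)`. `parse_options()` has a similar gap: an unknown `--mode` prints the message but does not exit, so the run continues into `assert False` in `main()`, which is stripped under `python -O`; add `sys.exit(2)` after that print. In `out()`, the local `str = format % args` shadows the builtin that the assert message on the last line calls, so an unknown keyword argument raises TypeError rather than the intended assertion text; renaming the local (e.g. `text`) fixes it.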
@@ -0,0 +1,454 @@ +/* + SSSD + + SSSD - D-BUS interface + + Copyright (C) Stephen Gallagher 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSSD_DBUS_H_ +#define _SSSD_DBUS_H_ + +struct sbus_connection; +struct sbus_interface; +struct sbus_request; + +#include +#include +#include "util/util.h" +#include "sbus/sssd_dbus_errors.h" +#include "sbus/sssd_dbus_utils.h" + +/* Older platforms (such as RHEL-6) might not have these error constants + * defined */ +#ifndef DBUS_ERROR_UNKNOWN_INTERFACE +/** Interface you invoked a method on isn't known by the object. */ +#define DBUS_ERROR_UNKNOWN_INTERFACE \ + "org.freedesktop.DBus.Error.UnknownInterface" +#endif /* DBUS_ERROR_UNKNOWN_INTERFACE */ + +#ifndef DBUS_ERROR_UNKNOWN_PROPERTY +/** Property you tried to access isn't known by the object. */ +#define DBUS_ERROR_UNKNOWN_PROPERTY \ + "org.freedesktop.DBus.Error.UnknownProperty" +#endif /* DBUS_ERROR_UNKNOWN_PROPERTY */ + +#ifndef DBUS_ERROR_PROPERTY_READ_ONLY +/** Property you tried to set is read-only. */ +#define DBUS_ERROR_PROPERTY_READ_ONLY \ + "org.freedesktop.DBus.Error.PropertyReadOnly" +#endif /* DBUS_ERROR_PROPERTY_READ_ONLY */ + +#ifndef DBUS_ERROR_INIT +#define DBUS_ERROR_INIT { NULL, NULL, TRUE, 0, 0, 0, 0, NULL } +#endif /* DBUS_ERROR_INIT */ + +/** + * Note: internal functions do not rely on the value of this constant to + * simplify implementation. 
If this constant change, some functions in + * sssd_dbus_interface.c needs to be amended. + */ +#define SBUS_SUBTREE_SUFFIX "/*" + +/** + * It is not possible to send NULL over D-Bus. We can only test if it + * is empty or not. + */ +#define SBUS_IS_STRING_EMPTY(str) ((str) == NULL || (str)[0] == '\0') +#define SBUS_SET_STRING(str) (SBUS_IS_STRING_EMPTY(str) ? NULL : (str)) + + +typedef int (*sbus_msg_handler_fn)(struct sbus_request *dbus_req, + void *handler_data); + +typedef void (*sbus_conn_reconn_callback_fn)(struct sbus_connection *, int, void *); + +/* + * sbus_server_conn_init_fn + * Set up function for connection-specific activities + * This function should define the sbus_conn_destructor_fn + * for this connection at a minimum + */ +typedef int (*sbus_server_conn_init_fn)(struct sbus_connection *, void *); + +typedef const char ** (* sbus_nodes_fn)(TALLOC_CTX *mem_ctx, + const char *path, + void *data); + +enum { + SBUS_CONN_TYPE_PRIVATE = 1, + SBUS_CONN_TYPE_SHARED, + SBUS_CONN_TYPE_SYSBUS +}; + +enum { + SBUS_RECONNECT_SUCCESS = 1, + SBUS_RECONNECT_EXCEEDED_RETRIES, + SBUS_RECONNECT_ERROR +}; + +/* + * This represents vtable of interface handlers for methods and + * properties and so on. The actual vtable structs derive from this struct + * (i.e.: have this struct as their first member). + * + * The offsets for matching vtable function pointers are in sbus_method_meta + * These are used to dynamically dispatch the method invocations. + */ +struct sbus_vtable { + const struct sbus_interface_meta *meta; + int flags; /* unused for now */ + + /* derived structs place function pointers here. 
*/ +}; + +/* Special interface and method for D-BUS introspection */ +#define DBUS_INTROSPECT_INTERFACE "org.freedesktop.DBus.Introspectable" +#define DBUS_INTROSPECT_METHOD "Introspect" + +/* Special interface and method for D-BUS properties */ +#define DBUS_PROPERTIES_INTERFACE "org.freedesktop.DBus.Properties" + +struct sbus_interface { + const char *path; + struct sbus_vtable *vtable; + void *handler_data; +}; + +/* Server Functions */ +int sbus_new_server(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *address, + uid_t uid, gid_t gid, + bool use_symlink, + struct sbus_connection **server, + sbus_server_conn_init_fn init_fn, + void *init_pvt_data, + void *client_destructor_data); + +/* Connection Functions */ + +/* sbus_new_connection + * Use this function when connecting a new process to + * the standard SSSD interface. + * This will connect to the address specified and then + * call sbus_add_connection to integrate with the main + * loop. + */ +int sbus_new_connection(TALLOC_CTX *ctx, + struct tevent_context *ev, + const char *address, + time_t *last_request_time, + struct sbus_connection **conn); + +/* sbus_add_connection + * Integrates a D-BUS connection with the TEvent main + * loop. 
Use this function when you already have a + * DBusConnection object (for example from dbus_bus_get) + * Connection type can be either: + * SBUS_CONN_TYPE_PRIVATE: Used only from within a D-BUS + * server such as the Monitor in the + * new_connection_callback + * SBUS_CONN_TYPE_SHARED: Used for all D-BUS client + * connections, including those retrieved from + * dbus_bus_get + */ +int sbus_init_connection(TALLOC_CTX *ctx, + struct tevent_context *ev, + DBusConnection *dbus_conn, + int connection_type, + time_t *last_request_time, + void *destructor_data, + struct sbus_connection **_conn); + +DBusConnection *sbus_get_connection(struct sbus_connection *conn); + +void sbus_disconnect(struct sbus_connection *conn); + +/* + * Register a new interface to be available at given object path. + * + * The interface will be exported at @object_path. The method handlers are + * represented by @iface_vtable. @pvt contains additional caller specific data + * which is made available to handlers. + */ +int sbus_conn_register_iface(struct sbus_connection *conn, + struct sbus_vtable *iface_vtable, + const char *object_path, + void *handler_data); + +struct sbus_iface_map { + const char *path; + struct sbus_vtable *vtable; +}; + +errno_t sbus_conn_register_iface_map(struct sbus_connection *conn, + struct sbus_iface_map *map, + void *pvt); + +void +sbus_conn_register_nodes(struct sbus_connection *conn, + const char *path, + sbus_nodes_fn nodes_fn, + void *data); + +errno_t +sbus_conn_reregister_paths(struct sbus_connection *conn); + +char * +sbus_opath_escape_part(TALLOC_CTX *mem_ctx, + const char *object_path_part); + +char * +sbus_opath_unescape_part(TALLOC_CTX *mem_ctx, + const char *object_path_part); + +char * +_sbus_opath_compose(TALLOC_CTX *mem_ctx, + const char *base, + const char *part, ...); + +#define sbus_opath_compose(mem_ctx, base, ...) 
\ + _sbus_opath_compose(mem_ctx, base, ##__VA_ARGS__, NULL) + +errno_t +sbus_opath_decompose(TALLOC_CTX *mem_ctx, + const char *object_path, + const char *prefix, + char ***_components, + size_t *_len); + +errno_t +sbus_opath_decompose_exact(TALLOC_CTX *mem_ctx, + const char *object_path, + const char *prefix, + size_t expected, + char ***_components); + +const char * +sbus_opath_strip_prefix(const char *object_path, + const char *prefix); + +char * +sbus_opath_get_object_name(TALLOC_CTX *mem_ctx, + const char *object_path, + const char *base_path); + +/* max_retries < 0: retry forever + * max_retries = 0: never retry (why are you calling this function?) + * max_retries > 0: obvious + */ +void sbus_reconnect_init(struct sbus_connection *conn, + int max_retries, + sbus_conn_reconn_callback_fn callback, + void *pvt); + +/* + * Send a message across the SBUS + * If requested, the DBusPendingCall object will + * be returned to the caller. + * + * This function will return EAGAIN in the event + * that the connection is not open for + * communication. + */ +int sbus_conn_send(struct sbus_connection *conn, + DBusMessage *msg, + int timeout_ms, + DBusPendingCallNotifyFunction reply_handler, + void *pvt, + DBusPendingCall **pending); + +void sbus_conn_send_reply(struct sbus_connection *conn, + DBusMessage *reply); + +/* Set up D-BUS access control. If there is an SSSD user, we must allow + * him to connect. root is always allowed */ +void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid); + +/* + * This structure is passed to all dbus method and property + * handlers. It is a talloc context which will be valid until + * the request is completed with either the sbus_request_complete() + * or sbus_request_fail() functions. 
+ */ +struct sbus_request { + int64_t client; + struct sbus_connection *conn; + DBusMessage *message; + struct sbus_interface *intf; + const struct sbus_method_meta *method; + const char *path; +}; + +/* + * Complete a DBus request, and free the @dbus_req context. The @dbus_req + * and associated talloc context are no longer valid after this function + * returns. + * + * If @reply is non-NULL then the reply is sent to the caller. Not sending + * a reply when the caller is expecting one is fairly rude behavior. + * + * The return value is useful for logging, but not much else. In particular + * even if this function return !EOK, @dbus_req is still unusable after this + * function returns. + */ +int sbus_request_finish(struct sbus_request *dbus_req, + DBusMessage *reply); + +/* + * Return a reply for a DBus method call request. The variable + * arguments are (unfortunately) formatted exactly the same as those of the + * dbus_message_append_args() function. Documented here: + * + * http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html + * + * Important: don't pass int or bool or such types as + * values to this function. That's not portable. Use actual dbus types. + * You must also pass pointers as the values: + * + * dbus_bool_t val1 = TRUE; + * dbus_int32_t val2 = 5; + * ret = sbus_request_finish(dbus_req, + * DBUS_TYPE_BOOLEAN, &val1, + * DBUS_TYPE_INT32, &val2, + * DBUS_TYPE_INVALID); + * + * To pass arrays to this function, use the following syntax. Never + * pass actual C arrays with [] syntax to this function. The C standard is + * rather vague with C arrays and varargs, and it just plain doesn't work. 
+ * + * const char *array[] = { "one", "two", "three" }; + * int count = 3; // yes, a plain int + * const char **ptr = array; + * ret = sbus_request_finish(dbus_req, + * DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &ptr, 3, + * DBUS_TYPE_INVALID); + * + * The @dbus_req and associated talloc context are no longer valid after this + * function returns, even if this function returns an error code. + */ +int sbus_request_return_and_finish(struct sbus_request *dbus_req, + int first_arg_type, + ...); + +/* + + * Return an error for a DBus method call request. The @error is a normal + * DBusError. + * + * The @dbus_req and associated talloc context are no longer valid after this + * function returns, even if this function returns an error code. + */ +int sbus_request_fail_and_finish(struct sbus_request *dbus_req, + const DBusError *error); + +void sbus_request_reply_error(struct sbus_request *sbus_req, + const char *error_name, + const char *fmt, + ...) SSS_ATTRIBUTE_PRINTF(3, 4); + +/* + * Construct a new DBusError instance which can be consumed by functions such + * as @sbus_request_fail_and_finish(). + * + * The @error is a string constant representing a DBus error as documented at + * http://dbus.freedesktop.org/doc/api/html/group__DBusProtocol.html. + * The parameter @err_msg is a human-readable error representation (or + * NULL for none). The returned DBusError is a talloc context and the err_msg + * is duplicated using the returned DBusError instance as a talloc parent. + */ +DBusError *sbus_error_new(TALLOC_CTX *mem_ctx, + const char *dbus_error_name, + const char *fmt, + ...) SSS_ATTRIBUTE_PRINTF(3, 4); + +/* + * Parse a DBus method call request. + * + * If parsing the method call message does not succeed, then an error is + * sent to the DBus caller and the request is finished. If this function + * returns false then @request is no longer valid. + * + * This also means if this method returns false within a handler, you should + * return EOK from the handler. 
The message has been handled, appropriate + * logs have been written, and everything should just move on. + * + * If the method call does not match the expected arguments, then a + * org.freedesktop.DBus.Error.InvalidArgs is returned to the caller as + * expected. + * + * The variable arguments are (unfortunately) formatted exactly the same + * as those of the dbus_message_get_args() function. Documented here: + * + * http://dbus.freedesktop.org/doc/api/html/group__DBusMessage.html + * + * Exception: You don't need to free string arrays returned by this + * function. They are automatically talloc parented to the request memory + * context and can be used until the request has been finished. + * + * Important: don't pass int or bool or such types as values to this + * function. That's not portable. Use actual dbus types. You must also pass + * pointers as the values: + * + * dbus_bool_t val1; + * dbus_int32_t val2; + * ret = sbus_request_parse_or_finish(request, + * DBUS_TYPE_BOOLEAN, &val1, + * DBUS_TYPE_INT32, &val2, + * DBUS_TYPE_INVALID); + * + * To pass arrays to this function, use the following syntax. Never + * pass actual C arrays with [] syntax to this function. The C standard is + * rather vague with C arrays and varargs, and it just plain doesn't work. 
+ * + * int count; // yes, a plain int + * const char **array; + * ret = sbus_request_parse_or_finish(request, + * DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &array, &count, + * DBUS_TYPE_INVALID); + */ +bool sbus_request_parse_or_finish(struct sbus_request *request, + int first_arg_type, + ...); + +struct sbus_incoming_signal { + struct sbus_connection *conn; + DBusMessage *message; + int64_t client; + const char *interface; + const char *signal; + const char *path; +}; + +typedef void +(*sbus_incoming_signal_fn)(struct sbus_incoming_signal *sbus_signal, + void *handler_data); + +errno_t +sbus_signal_listen(struct sbus_connection *conn, + const char *iface, + const char *signal, + sbus_incoming_signal_fn handler_fn, + void *handler_data); + +/* This function returns the destructor data passed when in starting + * a new dbus server/connection. Its use, for now, must be restricted + * to {dbus,socket}-activated services in order to proper shut them + * down, unregistering them in the monitor. */ +void *sbus_connection_get_destructor_data(struct sbus_connection *conn); + +#endif /* _SSSD_DBUS_H_*/ diff --git a/src/sbus/sssd_dbus_common.c b/src/sbus/sssd_dbus_common.c new file mode 100644 index 0000000..5010032 --- /dev/null +++ b/src/sbus/sssd_dbus_common.c 
@@ -0,0 +1,381 @@
+/*
+ Authors:
+ Simo Sorce
+ Stephen Gallagher
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_private.h"
+
+/* =Watches=============================================================== */
+
+/* DBUS may ask us to add a watch to a file descriptor that already had a watch
+ * associated.
Need to check if that's the case */ +static struct sbus_watch_ctx *fd_to_watch(struct sbus_watch_ctx *list, int fd) +{ + struct sbus_watch_ctx *watch_iter; + + watch_iter = list; + while (watch_iter != NULL) { + if (watch_iter->fd == fd) { + return watch_iter; + } + + watch_iter = watch_iter->next; + } + + return NULL; +} + +static int watch_destructor(void *mem) +{ + struct sbus_watch_ctx *watch; + + watch = talloc_get_type(mem, struct sbus_watch_ctx); + DLIST_REMOVE(watch->conn->watch_list, watch); + + return 0; +} + +/* + * watch_handler + * Callback for D-BUS to handle messages on a file-descriptor + */ +static void sbus_watch_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *data) +{ + struct sbus_watch_ctx *watch = talloc_get_type(data, + struct sbus_watch_ctx); + enum dbus_conn_type type; + union dbus_conn_pointer dbus_p; + + /* conn may get freed inside a handle, save the data we need for later */ + type = watch->conn->type; + dbus_p = watch->conn->dbus; + + /* Take a reference while handling watch */ + if (type == SBUS_SERVER) { + dbus_server_ref(dbus_p.server); + } else { + dbus_connection_ref(dbus_p.conn); + } + + /* Fire if readable */ + if (flags & TEVENT_FD_READ) { + if (watch->dbus_read_watch) { + dbus_watch_handle(watch->dbus_read_watch, DBUS_WATCH_READABLE); + } + } + + /* Fire if writeable */ + if (flags & TEVENT_FD_WRITE) { + if (watch->dbus_write_watch) { + dbus_watch_handle(watch->dbus_write_watch, DBUS_WATCH_WRITABLE); + } + } + + /* Release reference once done */ + if (type == SBUS_SERVER) { + dbus_server_unref(dbus_p.server); + } else { + dbus_connection_unref(dbus_p.conn); + } +} + +/* + * add_watch + * Set up hooks into the libevents mainloop for + * D-BUS to add file descriptor-based events + */ +dbus_bool_t sbus_add_watch(DBusWatch *dbus_watch, void *data) +{ + unsigned int flags; + uint16_t event_flags; + struct sbus_connection *conn; + struct sbus_watch_ctx *watch; + dbus_bool_t enabled; + int fd; + + 
conn = talloc_get_type(data, struct sbus_connection); + +#ifdef HAVE_DBUS_WATCH_GET_UNIX_FD + fd = dbus_watch_get_unix_fd(dbus_watch); +#else + fd = dbus_watch_get_fd(dbus_watch); +#endif + + watch = fd_to_watch(conn->watch_list, fd); + if (!watch) { + /* does not exist, allocate new one */ + watch = talloc_zero(conn, struct sbus_watch_ctx); + if (!watch) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of Memory!\n"); + return FALSE; + } + watch->conn = conn; + watch->fd = fd; + } + + enabled = dbus_watch_get_enabled(dbus_watch); + flags = dbus_watch_get_flags(dbus_watch); + + /* Save the event to the watch object so it can be found later */ + if (flags & DBUS_WATCH_READABLE) { + watch->dbus_read_watch = dbus_watch; + } + if (flags & DBUS_WATCH_WRITABLE) { + watch->dbus_write_watch = dbus_watch; + } + dbus_watch_set_data(dbus_watch, watch, NULL); + + if (watch->fde) { + /* pre-existing event, just toggle flags */ + sbus_toggle_watch(dbus_watch, data); + return TRUE; + } + + event_flags = 0; + if (enabled) { + if (flags & DBUS_WATCH_READABLE) { + event_flags |= TEVENT_FD_READ; + } + if (flags & DBUS_WATCH_WRITABLE) { + event_flags |= TEVENT_FD_WRITE; + } + } + + /* Add the file descriptor to the event loop */ + watch->fde = tevent_add_fd(conn->ev, + watch, fd, event_flags, + sbus_watch_handler, watch); + if (!watch->fde) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set up fd event!\n"); + talloc_zfree(watch); + return FALSE; + } + + DLIST_ADD(conn->watch_list, watch); + talloc_set_destructor((TALLOC_CTX *)watch, watch_destructor); + + DEBUG(SSSDBG_TRACE_INTERNAL, "%p/%p (%d), %s/%s (%s)\n", + watch, dbus_watch, fd, + ((flags & DBUS_WATCH_READABLE)?"R":"-"), + ((flags & DBUS_WATCH_WRITABLE)?"W":"-"), + enabled?"enabled":"disabled"); + + return TRUE; +} + +/* + * toggle_watch + * Hook for D-BUS to toggle the enabled/disabled state of + * an event in the mainloop + */ +void sbus_toggle_watch(DBusWatch *dbus_watch, void *data) +{ + struct sbus_watch_ctx *watch; + unsigned int flags; 
+ dbus_bool_t enabled; + void *watch_data; + int fd = -1; + + enabled = dbus_watch_get_enabled(dbus_watch); + flags = dbus_watch_get_flags(dbus_watch); + + watch_data = dbus_watch_get_data(dbus_watch); + watch = talloc_get_type(watch_data, struct sbus_watch_ctx); + if (!watch) { + DEBUG(SSSDBG_OP_FAILURE, + "[%p] does not carry watch context?!\n", dbus_watch); + /* abort? */ + return; + } + + if (enabled) { + if (flags & DBUS_WATCH_READABLE) { + TEVENT_FD_READABLE(watch->fde); + } + if (flags & DBUS_WATCH_WRITABLE) { + TEVENT_FD_WRITEABLE(watch->fde); + } + } else { + if (flags & DBUS_WATCH_READABLE) { + TEVENT_FD_NOT_READABLE(watch->fde); + } + if (flags & DBUS_WATCH_WRITABLE) { + TEVENT_FD_NOT_WRITEABLE(watch->fde); + } + } + + if (DEBUG_IS_SET(SSSDBG_TRACE_ALL)) { +#ifdef HAVE_DBUS_WATCH_GET_UNIX_FD + fd = dbus_watch_get_unix_fd(dbus_watch); +#else + fd = dbus_watch_get_fd(dbus_watch); +#endif + } + DEBUG(SSSDBG_TRACE_ALL, + "%p/%p (%d), %s/%s (%s)\n", + watch, dbus_watch, fd, + ((flags & DBUS_WATCH_READABLE)?"R":"-"), + ((flags & DBUS_WATCH_WRITABLE)?"W":"-"), + enabled?"enabled":"disabled"); +} + +/* + * sbus_remove_watch + * Hook for D-BUS to remove file descriptor-based events + * from the libevents mainloop + */ +void sbus_remove_watch(DBusWatch *dbus_watch, void *data) +{ + struct sbus_watch_ctx *watch; + void *watch_data; + + watch_data = dbus_watch_get_data(dbus_watch); + watch = talloc_get_type(watch_data, struct sbus_watch_ctx); + + DEBUG(SSSDBG_TRACE_INTERNAL, "%p/%p\n", watch, dbus_watch); + + if (!watch) { + DEBUG(SSSDBG_OP_FAILURE, "DBUS trying to remove unknown watch!\n"); + return; + } + + /* remove dbus watch data */ + dbus_watch_set_data(dbus_watch, NULL, NULL); + + /* check which watch to remove, or free if none left */ + if (watch->dbus_read_watch == dbus_watch) { + watch->dbus_read_watch = NULL; + } + if (watch->dbus_write_watch == dbus_watch) { + watch->dbus_write_watch = NULL; + } + if (!watch->dbus_read_watch && !watch->dbus_write_watch) 
{ + talloc_free(watch); + } +} + +/* =Timeouts============================================================== */ + +static struct timeval _get_interval_tv(int interval) { + struct timeval tv; + struct timeval rightnow; + + gettimeofday(&rightnow,NULL); + + tv.tv_sec = interval / 1000 + rightnow.tv_sec; + tv.tv_usec = (interval % 1000) * 1000 + rightnow.tv_usec; + return tv; +} + +/* + * timeout_handler + * Callback for D-BUS to handle timed events + */ +static void sbus_timeout_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *data) +{ + struct sbus_timeout_ctx *timeout; + timeout = talloc_get_type(data, struct sbus_timeout_ctx); + + dbus_timeout_handle(timeout->dbus_timeout); +} + +/* + * add_timeout + * Hook for D-BUS to add time-based events to the mainloop + */ +dbus_bool_t sbus_add_timeout(DBusTimeout *dbus_timeout, void *data) +{ + struct sbus_connection *conn; + struct sbus_timeout_ctx *timeout; + struct timeval tv; + + DEBUG(SSSDBG_TRACE_INTERNAL, "%p\n", dbus_timeout); + + if (!dbus_timeout_get_enabled(dbus_timeout)) { + return TRUE; + } + + conn = talloc_get_type(data, struct sbus_connection); + + timeout = talloc_zero(conn, struct sbus_timeout_ctx); + if (!timeout) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of Memory!\n"); + return FALSE; + } + timeout->dbus_timeout = dbus_timeout; + + tv = _get_interval_tv(dbus_timeout_get_interval(dbus_timeout)); + timeout->te = tevent_add_timer(conn->ev, timeout, tv, + sbus_timeout_handler, timeout); + if (!timeout->te) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to set up timeout event!\n"); + return FALSE; + } + + /* Save the event to the watch object so it can be removed later */ + dbus_timeout_set_data(timeout->dbus_timeout, timeout, NULL); + + return TRUE; +} + +/* + * sbus_toggle_timeout + * Hook for D-BUS to toggle the enabled/disabled state of a mainloop + * event + */ +void sbus_toggle_timeout(DBusTimeout *dbus_timeout, void *data) +{ + DEBUG(SSSDBG_TRACE_INTERNAL, "%p\n", 
dbus_timeout);
+
+ if (dbus_timeout_get_enabled(dbus_timeout)) {
+ sbus_add_timeout(dbus_timeout, data);
+ } else {
+ sbus_remove_timeout(dbus_timeout, data);
+ }
+}
+
+/*
+ * sbus_remove_timeout
+ * Hook for D-BUS to remove time-based events from the mainloop
+ */
+void sbus_remove_timeout(DBusTimeout *dbus_timeout, void *data)
+{
+ void *timeout;
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "%p\n", dbus_timeout);
+
+ timeout = dbus_timeout_get_data(dbus_timeout);
+
+ /* remove dbus timeout data */
+ dbus_timeout_set_data(dbus_timeout, NULL, NULL);
+
+ /* Freeing the event object will remove it from the event loop */
+ talloc_free(timeout);
+
+}
diff --git a/src/sbus/sssd_dbus_common_signals.c b/src/sbus/sssd_dbus_common_signals.c
new file mode 100644
index 0000000..c153e46
--- /dev/null
+++ b/src/sbus/sssd_dbus_common_signals.c
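Review bot: In `sbus_add_watch` (src/sbus/sssd_dbus_common.c), the `tevent_add_fd` failure path frees `watch` with `talloc_zfree(watch)` after the same pointer was stored on the D-Bus watch by `dbus_watch_set_data(dbus_watch, watch, NULL)`, so the watch object keeps a dangling context pointer. `sbus_toggle_watch` and `sbus_remove_watch` both read that data back with `dbus_watch_get_data` and hand it to `talloc_get_type`, which would touch freed memory if libdbus calls either hook for this watch after the failed add (not verifiable from this hunk). Clearing the data first, `dbus_watch_set_data(dbus_watch, NULL, NULL);` placed before the `talloc_zfree(watch);`, removes the stale reference. `sbus_add_timeout` has a related gap: when `tevent_add_timer` fails it returns FALSE without `talloc_free(timeout)`, leaving the context allocated on `conn`.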
@@ -0,0 +1,91 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_private.h"
+
+static void
+sbus_signal_name_owner_changed(struct sbus_incoming_signal *a_signal,
+ void *handler_data)
+{
+ hash_table_t *table = a_signal->conn->clients;
+ hash_key_t *keys;
+ unsigned long count;
+ unsigned long i;
+ int hret;
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Clearing UIDs cache\n");
+
+ hret = hash_keys(table, &count, &keys);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get hash keys\n");
+ return;
+ }
+
+ for (i = 0; i < count; i++) {
+ hret = hash_delete(table, &keys[i]);
+ if (hret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Could not delete key from hash\n");
+ return;
+ }
+ }
+
+ return;
+}
+
+struct signals_map {
+ const char *iface;
+ const char *signal;
+ sbus_incoming_signal_fn handler_fn;
+ int conn_type;
+};
+
+static struct signals_map signals_map[] = {
+ { "org.freedesktop.DBus", "NameOwnerChanged",
+ sbus_signal_name_owner_changed, SBUS_CONN_TYPE_SYSBUS },
+ { NULL, NULL, NULL, 0 },
+};
+
+void sbus_register_common_signals(struct sbus_connection *conn, void *pvt)
+{
+ errno_t ret;
+ int i;
+
+ for (i = 0; signals_map[i].iface != NULL; i++) {
+ if (signals_map[i].conn_type != conn->connection_type) {
+ /* Skip this signal.
*/
+ continue;
+ }
+
+ ret = sbus_signal_listen(conn, signals_map[i].iface,
+ signals_map[i].signal,
+ signals_map[i].handler_fn, conn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to register signal %s.%s\n",
+ signals_map[i].iface, signals_map[i].signal);
+ continue;
+ }
+ }
+}
diff --git a/src/sbus/sssd_dbus_connection.c b/src/sbus/sssd_dbus_connection.c
new file mode 100644
index 0000000..f575b7d
--- /dev/null
+++ b/src/sbus/sssd_dbus_connection.c
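Review bot: `sbus_signal_name_owner_changed` (src/sbus/sssd_dbus_common_signals.c) stops at the first `hash_delete` failure, so every key after it stays in `conn->clients` even though the handler's stated job is "Clearing UIDs cache". If that table caches the sender-to-UID mapping used for access decisions (inferred from the debug message; the lookups are not in this hunk), a partial flush leaves stale identities attached to bus names whose owner has just changed. Replacing the inner `return;` with `continue;` keeps the flush going past a failed entry. The array returned through `keys` by `hash_keys` also does not appear to be released on any path; it should be freed with whatever allocator the table was created with, once the loop is done.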
@@ -0,0 +1,615 @@ +/* + Authors: + Simo Sorce + Stephen Gallagher + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_private.h" +#include "sbus/sssd_dbus_meta.h" + +static int sbus_auto_reconnect(struct sbus_connection *conn); + +static void sbus_dispatch(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *data) +{ + struct tevent_timer *new_event; + struct sbus_connection *conn; + DBusConnection *dbus_conn; + int ret; + + if (data == NULL) return; + + conn = talloc_get_type(data, struct sbus_connection); + + dbus_conn = conn->dbus.conn; + DEBUG(SSSDBG_TRACE_ALL, "dbus conn: %p\n", dbus_conn); + + if (conn->retries > 0) { + DEBUG(SSSDBG_TRACE_FUNC, "SBUS is reconnecting. 
Deferring.\n"); + /* Currently trying to reconnect, defer dispatch for 30ms */ + tv = tevent_timeval_current_ofs(0, 30); + new_event = tevent_add_timer(ev, conn, tv, sbus_dispatch, conn); + if (new_event == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE,"Could not defer dispatch!\n"); + } + return; + } + + if ((!dbus_connection_get_is_connected(dbus_conn)) && + (conn->max_retries != 0)) { + /* Attempt to reconnect automatically */ + ret = sbus_auto_reconnect(conn); + if (ret == EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Performing auto-reconnect\n"); + return; + } + + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot start auto-reconnection.\n"); + conn->reconnect_callback(conn, + SBUS_RECONNECT_ERROR, + conn->reconnect_pvt); + return; + } + + if ((conn->disconnect) || + (!dbus_connection_get_is_connected(dbus_conn))) { + DEBUG(SSSDBG_MINOR_FAILURE,"Connection is not open for dispatching.\n"); + /* + * Free the connection object. + * This will invoke the destructor for the connection + */ + talloc_free(conn); + conn = NULL; + return; + } + + /* Dispatch only once each time through the mainloop to avoid + * starving other features + */ + ret = dbus_connection_get_dispatch_status(dbus_conn); + if (ret != DBUS_DISPATCH_COMPLETE) { + DEBUG(SSSDBG_TRACE_ALL,"Dispatching.\n"); + dbus_connection_dispatch(dbus_conn); + } + + /* If other dispatches are waiting, queue up the dispatch function + * for the next loop. + */ + ret = dbus_connection_get_dispatch_status(dbus_conn); + if (ret != DBUS_DISPATCH_COMPLETE) { + new_event = tevent_add_timer(ev, conn, tv, sbus_dispatch, conn); + if (new_event == NULL) { + DEBUG(SSSDBG_OP_FAILURE,"Could not add dispatch event!\n"); + + /* TODO: Calling exit here is bad */ + exit(1); + } + } +} + +/* dbus_connection_wakeup_main + * D-BUS makes a callback to the wakeup_main function when + * it has data available for dispatching. 
+ * In order to avoid blocking, this function will create a now() + * timed event to perform the dispatch during the next iteration + * through the mainloop + */ +static void sbus_conn_wakeup_main(void *data) +{ + struct sbus_connection *conn; + struct timeval tv; + struct tevent_timer *te; + + conn = talloc_get_type(data, struct sbus_connection); + + tv = tevent_timeval_current(); + + /* D-BUS calls this function when it is time to do a dispatch */ + te = tevent_add_timer(conn->ev, conn, tv, sbus_dispatch, conn); + if (te == NULL) { + DEBUG(SSSDBG_OP_FAILURE,"Could not add dispatch event!\n"); + /* TODO: Calling exit here is bad */ + exit(1); + } +} + +static int sbus_conn_set_fns(struct sbus_connection *conn); + +/* + * integrate_connection_with_event_loop + * Set up a D-BUS connection to use the libevents mainloop + * for handling file descriptor and timed events + */ +int sbus_init_connection(TALLOC_CTX *ctx, + struct tevent_context *ev, + DBusConnection *dbus_conn, + int connection_type, + time_t *last_request_time, + void *client_destructor_data, + struct sbus_connection **_conn) +{ + struct sbus_connection *conn; + dbus_bool_t dbret; + int ret; + + DEBUG(SSSDBG_TRACE_FUNC,"Adding connection %p\n", dbus_conn); + conn = talloc_zero(ctx, struct sbus_connection); + + conn->ev = ev; + conn->type = SBUS_CONNECTION; + conn->dbus.conn = dbus_conn; + conn->connection_type = connection_type; + conn->last_request_time = last_request_time; + conn->client_destructor_data = client_destructor_data; + + conn->managed_paths = sbus_opath_hash_init(conn, conn); + if (conn->managed_paths == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create object paths hash table\n"); + talloc_free(conn); + return EIO; + } + + conn->nodes_fns = sbus_nodes_hash_init(conn); + if (conn->nodes_fns == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create node functions hash table\n"); + talloc_free(conn); + return EIO; + } + + conn->incoming_signals = sbus_incoming_signal_hash_init(conn); + if 
(conn->incoming_signals == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create incoming signals " + "hash table\n"); + talloc_free(conn); + return EIO; + } + + ret = sss_hash_create(conn, 32, &conn->clients); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create clients hash table\n"); + talloc_free(conn); + return EIO; + } + + ret = sbus_conn_set_fns(conn); + if (ret != EOK) { + talloc_free(conn); + return ret; + } + + /* Set up signal handler. */ + dbret = dbus_connection_add_filter(dbus_conn, sbus_signal_handler, conn, + NULL); + if (dbret == false) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot register signal handler\n"); + talloc_free(conn); + return EIO; + } + + sbus_register_common_signals(conn, conn); + + *_conn = conn; + return ret; +} + +static int sbus_conn_set_fns(struct sbus_connection *conn) +{ + dbus_bool_t dbret; + + /* Set up DBusWatch functions */ + dbret = dbus_connection_set_watch_functions(conn->dbus.conn, + sbus_add_watch, + sbus_remove_watch, + sbus_toggle_watch, + conn, NULL); + if (!dbret) { + DEBUG(SSSDBG_OP_FAILURE, + "Error setting up D-BUS connection watch functions\n"); + return EIO; + } + + /* Set up DBusTimeout functions */ + dbret = dbus_connection_set_timeout_functions(conn->dbus.conn, + sbus_add_timeout, + sbus_remove_timeout, + sbus_toggle_timeout, + conn, NULL); + if (!dbret) { + DEBUG(SSSDBG_OP_FAILURE, + "Error setting up D-BUS server timeout functions\n"); + /* FIXME: free resources? */ + return EIO; + } + + /* Set up dispatch handler */ + dbus_connection_set_wakeup_main_function(conn->dbus.conn, + sbus_conn_wakeup_main, + conn, NULL); + + /* Set up any method_contexts passed in */ + + /* Attempt to dispatch immediately in case of opportunistic + * services connecting before the handlers were all up. + * If there are no messages to be dispatched, this will do + * nothing. 
+ */ + sbus_conn_wakeup_main(conn); + + return EOK; +} + +int sbus_new_connection(TALLOC_CTX *ctx, struct tevent_context *ev, + const char *address, time_t *last_request_time, + struct sbus_connection **_conn) +{ + struct sbus_connection *conn; + DBusConnection *dbus_conn; + DBusError dbus_error; + int ret; + + dbus_error_init(&dbus_error); + + /* Open a shared D-BUS connection to the address */ + dbus_conn = dbus_connection_open(address, &dbus_error); + if (!dbus_conn) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to open connection: name=%s, message=%s\n", + dbus_error.name, dbus_error.message); + if (dbus_error_is_set(&dbus_error)) dbus_error_free(&dbus_error); + return EIO; + } + + ret = sbus_init_connection(ctx, ev, dbus_conn, SBUS_CONN_TYPE_SHARED, + last_request_time, NULL, &conn); + if (ret != EOK) { + /* FIXME: release resources */ + } + + /* Store the address for later reconnection */ + conn->address = talloc_strdup(conn, address); + + dbus_connection_set_exit_on_disconnect(conn->dbus.conn, FALSE); + + *_conn = conn; + return ret; +} + +static int connection_destructor(void *ctx) +{ + struct sbus_connection *conn; + conn = talloc_get_type(ctx, struct sbus_connection); + + DEBUG(SSSDBG_TRACE_FUNC, "Invoking default destructor on connection %p\n", + conn->dbus.conn); + if (conn->connection_type == SBUS_CONN_TYPE_PRIVATE) { + /* Private connections must be closed explicitly */ + dbus_connection_close(conn->dbus.conn); + } + else if (conn->connection_type == SBUS_CONN_TYPE_SHARED || + conn->connection_type == SBUS_CONN_TYPE_SYSBUS) { + /* Shared and system bus connections are destroyed when their last + reference is removed */ + } + else { + /* Critical Error! 
*/ + DEBUG(SSSDBG_CRIT_FAILURE, + "Critical Error, connection_type is neither shared nor private!\n"); + return -1; + } + + /* Remove object path */ + /* TODO: Remove object paths */ + + dbus_connection_unref(conn->dbus.conn); + return 0; +} + +/* + * sbus_get_connection + * Utility function to retrieve the DBusConnection object + * from a sbus_connection + */ +DBusConnection *sbus_get_connection(struct sbus_connection *conn) +{ + return conn->dbus.conn; +} + +void sbus_disconnect(struct sbus_connection *conn) +{ + if (conn == NULL) { + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Disconnecting %p\n", conn->dbus.conn); + + /******************************* + * Referencing conn->dbus.conn */ + dbus_connection_ref(conn->dbus.conn); + + conn->disconnect = 1; + + /* Unregister object paths */ + talloc_zfree(conn->managed_paths); + + /* Disable watch functions */ + dbus_connection_set_watch_functions(conn->dbus.conn, + NULL, NULL, NULL, + NULL, NULL); + /* Disable timeout functions */ + dbus_connection_set_timeout_functions(conn->dbus.conn, + NULL, NULL, NULL, + NULL, NULL); + + /* Disable dispatch status function */ + dbus_connection_set_dispatch_status_function(conn->dbus.conn, + NULL, NULL, NULL); + + /* Disable wakeup main function */ + dbus_connection_set_wakeup_main_function(conn->dbus.conn, + NULL, NULL, NULL); + + /* Finalize the connection */ + connection_destructor(conn); + + dbus_connection_unref(conn->dbus.conn); + /* Unreferenced conn->dbus_conn * + ******************************/ + + DEBUG(SSSDBG_TRACE_FUNC ,"Disconnected %p\n", conn->dbus.conn); +} + +static void sbus_reconnect(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *data) +{ + struct sbus_connection *conn; + DBusError dbus_error; + int ret; + + conn = talloc_get_type(data, struct sbus_connection); + dbus_error_init(&dbus_error); + + DEBUG(SSSDBG_MINOR_FAILURE, "Making reconnection attempt %d to [%s]\n", + conn->retries, conn->address); + conn->dbus.conn = 
dbus_connection_open(conn->address, &dbus_error); + if (conn->dbus.conn) { + /* We successfully reconnected. Set up mainloop integration. */ + DEBUG(SSSDBG_MINOR_FAILURE, "Reconnected to [%s]\n", conn->address); + ret = sbus_conn_set_fns(conn); + if (ret != EOK) { + dbus_connection_unref(conn->dbus.conn); + goto failed; + } + + /* Re-register object paths */ + sbus_conn_reregister_paths(conn); + + /* Reset retries to 0 to resume dispatch processing */ + conn->retries = 0; + + /* Notify the owner of this connection that the + * reconnection was successful + */ + conn->reconnect_callback(conn, + SBUS_RECONNECT_SUCCESS, + conn->reconnect_pvt); + return; + } + +failed: + /* Reconnection failed, try again in a few seconds */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to open connection: name=%s, message=%s\n", + dbus_error.name, dbus_error.message); + if (dbus_error_is_set(&dbus_error)) dbus_error_free(&dbus_error); + + conn->retries++; + + /* Check if we've passed our last chance or if we've lost track of + * our retry count somehow + */ + if ((conn->retries > conn->max_retries) || (conn->retries <= 0)) { + conn->reconnect_callback(conn, + SBUS_RECONNECT_EXCEEDED_RETRIES, + conn->reconnect_pvt); + } + + if (conn->retries == 2) { + /* Wait 3 seconds before the second reconnect attempt */ + tv.tv_sec += 3; + } + else if (conn->retries == 3) { + /* Wait 10 seconds before the third reconnect attempt */ + tv.tv_sec += 10; + } + else { + /* Wait 30 seconds before all subsequent reconnect attempts */ + tv.tv_sec += 30; + } + + te = tevent_add_timer(conn->ev, conn, tv, sbus_reconnect, conn); + if (!te) { + conn->reconnect_callback(conn, + SBUS_RECONNECT_ERROR, + conn->reconnect_pvt); + } +} + +/* This function will free and recreate the sbus_connection, + * calling functions need to be aware of this (and whether + * they have attached a talloc destructor to the + * sbus_connection. 
+ */ +static int sbus_auto_reconnect(struct sbus_connection *conn) +{ + struct tevent_timer *te = NULL; + struct timeval tv; + + conn->retries++; + if (conn->retries >= conn->max_retries) { + /* Return EIO (to tell the calling process it + * needs to create a new connection from scratch + */ + return EIO; + } + + gettimeofday(&tv, NULL); + tv.tv_sec += 1; /* Wait 1 second before the first reconnect attempt */ + te = tevent_add_timer(conn->ev, conn, tv, sbus_reconnect, conn); + if (!te) { + return EIO; + } + + return EOK; +} + +/* Max retries */ +void sbus_reconnect_init(struct sbus_connection *conn, + int max_retries, + sbus_conn_reconn_callback_fn callback, + void *pvt) +{ + if (max_retries < 0 || callback == NULL) return; + + conn->retries = 0; + conn->max_retries = max_retries; + conn->reconnect_callback = callback; + conn->reconnect_pvt = pvt; +} + +int sss_dbus_conn_send(DBusConnection *dbus_conn, + DBusMessage *msg, + int timeout_ms, + DBusPendingCallNotifyFunction reply_handler, + void *pvt, + DBusPendingCall **pending) +{ + DBusPendingCall *pending_reply; + dbus_bool_t dbret; + + dbret = dbus_connection_send_with_reply(dbus_conn, msg, + &pending_reply, + timeout_ms); + if (!dbret) { + /* + * Critical Failure + * Insufficient memory to send message + */ + DEBUG(SSSDBG_FATAL_FAILURE, "D-BUS send failed.\n"); + return ENOMEM; + } + + if (pending_reply) { + /* Set up the reply handler */ + dbret = dbus_pending_call_set_notify(pending_reply, reply_handler, + pvt, NULL); + if (!dbret) { + /* + * Critical Failure + * Insufficient memory to create pending call notify + */ + DEBUG(SSSDBG_FATAL_FAILURE, "D-BUS send failed.\n"); + dbus_pending_call_cancel(pending_reply); + dbus_pending_call_unref(pending_reply); + return ENOMEM; + } + + if(pending) { + *pending = pending_reply; + } + return EOK; + } + + /* If pending_reply is NULL, the connection was not + * open for sending. 
+ */ + + /* TODO: Create a callback into the reconnection logic so this + * request is invoked when the connection is re-established + */ + return EAGAIN; +} + +/* + * Send a message across the SBUS + * If requested, the DBusPendingCall object will + * be returned to the caller. + * + * This function will return EAGAIN in the event + * that the connection is not open for + * communication. + */ +int sbus_conn_send(struct sbus_connection *conn, + DBusMessage *msg, + int timeout_ms, + DBusPendingCallNotifyFunction reply_handler, + void *pvt, + DBusPendingCall **pending) +{ + DBusConnection *dbus_conn; + + dbus_conn = sbus_get_connection(conn); + if (!dbus_conn) { + DEBUG(SSSDBG_CRIT_FAILURE, "D-BUS not connected\n"); + return ENOTCONN; + } + + return sss_dbus_conn_send(dbus_conn, msg, timeout_ms, + reply_handler, pvt, pending); +} + +void sbus_conn_send_reply(struct sbus_connection *conn, DBusMessage *reply) +{ + dbus_connection_send(conn->dbus.conn, reply, NULL); +} + +dbus_bool_t is_uid_sssd_user(DBusConnection *connection, + unsigned long uid, + void *data) +{ + uid_t sssd_user = * (uid_t *) data; + + if (uid == 0 || uid == sssd_user) { + return TRUE; + } + + return FALSE; +} + +void sbus_allow_uid(struct sbus_connection *conn, uid_t *uid) +{ + dbus_connection_set_unix_user_function(sbus_get_connection(conn), + is_uid_sssd_user, + uid, NULL); +} + +void *sbus_connection_get_destructor_data(struct sbus_connection *conn) +{ + if (conn == NULL) { + /* Should never happen! */ + return NULL; + } + + return conn->client_destructor_data; +} diff --git a/src/sbus/sssd_dbus_errors.h b/src/sbus/sssd_dbus_errors.h new file mode 100644 index 0000000..a7afa8e --- /dev/null +++ b/src/sbus/sssd_dbus_errors.h 
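Review bot: `sbus_new_connection` (src/sbus/sssd_dbus_connection.c) dereferences `conn` after a failed `sbus_init_connection`: the `if (ret != EOK)` branch holds only `/* FIXME: release resources */`, so execution continues to `conn->address = talloc_strdup(conn, address);` with `conn` never assigned. The branch should leave the function, for example `dbus_connection_unref(dbus_conn); return ret;` — whether the unref is needed depends on where `connection_destructor` gets registered, which this hunk does not show. `sbus_init_connection` has the same kind of gap at its start, where the result of `talloc_zero(ctx, struct sbus_connection)` is written through without a NULL check; `if (conn == NULL) return ENOMEM;` would cover it. Separately, the deferral in `sbus_dispatch` is commented as 30ms but calls `tevent_timeval_current_ofs(0, 30)`, whose second argument is microseconds, so `30000` looks intended.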
@@ -0,0 +1,34 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ SBUS: Interface introspection
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SSSD_DBUS_ERRORS_H_
+#define SSSD_DBUS_ERRORS_H_
+
+#define SBUS_ERROR_INTERNAL "org.freedesktop.sssd.Error.Internal"
+#define SBUS_ERROR_NOT_FOUND "org.freedesktop.sssd.Error.NotFound"
+#define SBUS_ERROR_UNKNOWN_DOMAIN "org.freedesktop.sssd.Error.UnknownDomain"
+
+#define SBUS_ERROR_DP_FATAL "org.freedesktop.sssd.Error.DataProvider.Fatal"
+#define SBUS_ERROR_DP_OFFLINE "org.freedesktop.sssd.Error.DataProvider.Offline"
+#define SBUS_ERROR_DP_NOTSUP "org.freedesktop.sssd.Error.DataProvider.NotSupported"
+
+#endif /* SSSD_DBUS_ERRORS_H_ */
diff --git a/src/sbus/sssd_dbus_interface.c b/src/sbus/sssd_dbus_interface.c
new file mode 100644
index 0000000..c9007a4
--- /dev/null
+++ b/src/sbus/sssd_dbus_interface.c
@@ -0,0 +1,1050 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "util/sss_ptr_hash.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_private.h" + +static struct sbus_interface * +sbus_iface_list_lookup(struct sbus_interface_list *list, + const char *iface) +{ + struct sbus_interface_list *item; + + DLIST_FOR_EACH(item, list) { + if (strcmp(item->interface->vtable->meta->name, iface) == 0) { + return item->interface; + } + } + + return NULL; +} + +static errno_t +sbus_iface_list_copy(TALLOC_CTX *mem_ctx, + struct sbus_interface_list *list, + struct sbus_interface_list **_copy) +{ + TALLOC_CTX *list_ctx; + struct sbus_interface_list *new_list = NULL; + struct sbus_interface_list *new_item; + struct sbus_interface_list *item; + errno_t ret; + + if (list == NULL) { + *_copy = NULL; + return EOK; + } + + list_ctx = talloc_new(mem_ctx); + if (list_ctx == NULL) { + return ENOMEM; + } + + DLIST_FOR_EACH(item, list) { + if (sbus_iface_list_lookup(new_list, + item->interface->vtable->meta->name) != NULL) { + /* already in list */ + continue; + } + + new_item = talloc_zero(list_ctx, struct sbus_interface_list); + if (new_item == NULL) { + ret = ENOMEM; + goto done; + } + + new_item->interface = item->interface; + DLIST_ADD(new_list, new_item); + } + + 
*_copy = new_list; + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(list_ctx); + } + + return ret; +} + +/** + * Object paths that represent all objects under the path: + * /org/object/path/~* (without tilda) + */ +static bool sbus_opath_is_subtree(const char *path) +{ + size_t len; + + len = strlen(path); + + if (len < 2) { + return false; + } + + return path[len - 2] == '/' && path[len - 1] == '*'; +} + +/** + * If the path represents a subtree object path, this function will + * remove /~* from the end. + */ +static char *sbus_opath_get_base_path(TALLOC_CTX *mem_ctx, + const char *object_path) +{ + char *tree_path; + size_t len; + + tree_path = talloc_strdup(mem_ctx, object_path); + if (tree_path == NULL) { + return NULL; + } + + if (!sbus_opath_is_subtree(tree_path)) { + return tree_path; + } + + /* replace / only if it is not a root path (only slash) */ + len = strlen(tree_path); + tree_path[len - 1] = '\0'; + tree_path[len - 2] = (len - 2 != 0) ? '\0' : '/'; + + return tree_path; +} + +static char *sbus_opath_parent_subtree(TALLOC_CTX *mem_ctx, + const char *path) +{ + char *subtree; + char *slash; + + /* first remove /~* from the end, stop when we have reached the root i.e. + * subtree == "/" */ + subtree = sbus_opath_get_base_path(mem_ctx, path); + if (subtree == NULL || subtree[1] == '\0') { + return NULL; + } + + /* Find the first separator and replace the part with asterisk. 
*/ + slash = strrchr(subtree, '/'); + if (slash == NULL) { + /* we cannot continue up */ + talloc_free(subtree); + return NULL; + } + + if (*(slash + 1) == '\0') { + /* this object path is invalid since it cannot end with slash */ + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid object path '%s'?\n", path); + talloc_free(subtree); + return NULL; + } + + /* because object path cannot end with / there is enough space for + * asterisk and terminating zero */ + *(slash + 1) = '*'; + *(slash + 2) = '\0'; + + return subtree; +} + +/** + * The following path related functions are based on similar code in + * storaged, just tailored to use talloc instead of glib + */ +char * +sbus_opath_escape_part(TALLOC_CTX *mem_ctx, + const char *object_path_part) +{ + size_t n; + char *safe_path = NULL; + TALLOC_CTX *tmp_ctx = NULL; + + /* The path must be valid */ + if (object_path_part == NULL) { + return NULL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + safe_path = talloc_strdup(tmp_ctx, ""); + if (safe_path == NULL) { + goto done; + } + + /* Special case for an empty string */ + if (strcmp(object_path_part, "") == 0) { + /* the for loop would just fall through */ + safe_path = talloc_asprintf_append_buffer(safe_path, "_"); + if (safe_path == NULL) { + goto done; + } + } + + for (n = 0; object_path_part[n]; n++) { + int c = object_path_part[n]; + /* D-Bus spec says: + * * + * * Each element must only contain the ASCII characters + * "[A-Z][a-z][0-9]_" + * */ + if ((c >= 'A' && c <= 'Z') + || (c >= 'a' && c <= 'z') + || (c >= '0' && c <= '9')) { + safe_path = talloc_asprintf_append_buffer(safe_path, "%c", c); + if (safe_path == NULL) { + goto done; + } + } else { + safe_path = talloc_asprintf_append_buffer(safe_path, "_%02x", c); + if (safe_path == NULL) { + goto done; + } + } + } + + safe_path = talloc_steal(mem_ctx, safe_path); + +done: + talloc_free(tmp_ctx); + return safe_path; +} + +static inline int unhexchar(char c) +{ + if (c >= '0' && c <= '9') { 
+ return c - '0'; + } + + if (c >= 'a' && c <= 'f') { + return c - 'a' + 10; + } + + if (c >= 'A' && c <= 'F') { + return c - 'A' + 10; + } + + return -1; +} + +char * +sbus_opath_unescape_part(TALLOC_CTX *mem_ctx, + const char *object_path_part) +{ + char *safe_path; + const char *p; + int a, b, c; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + safe_path = talloc_strdup(tmp_ctx, ""); + if (safe_path == NULL) { + goto done; + } + + /* Special case for the empty string */ + if (strcmp(object_path_part, "_") == 0) { + safe_path = talloc_steal(mem_ctx, safe_path); + goto done; + } + + for (p = object_path_part; *p; p++) { + if (*p == '_') { + /* There must be at least two more chars after underscore */ + if (p[1] == '\0' || p[2] == '\0') { + safe_path = NULL; + goto done; + } + + if ((a = unhexchar(p[1])) < 0 + || (b = unhexchar(p[2])) < 0) { + /* Invalid escape code, let's take it literal then */ + c = '_'; + } else { + c = ((a << 4) | b); + p += 2; + } + } else { + c = *p; + } + + safe_path = talloc_asprintf_append_buffer(safe_path, "%c", c); + if (safe_path == NULL) { + goto done; + } + } + + safe_path = talloc_steal(mem_ctx, safe_path); + +done: + talloc_free(tmp_ctx); + return safe_path; +} + +char * +_sbus_opath_compose(TALLOC_CTX *mem_ctx, + const char *base, + const char *part, ...) 
+{ + char *safe_part; + char *path = NULL; + va_list va; + + if (base == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Wrong object path base!\n"); + return NULL; + } + + path = talloc_strdup(mem_ctx, base); + if (path == NULL) return NULL; + + va_start(va, part); + while (part != NULL) { + safe_part = sbus_opath_escape_part(mem_ctx, part); + if (safe_part == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Could not add [%s] to objpath\n", part); + goto fail; + } + + path = talloc_asprintf_append(path, "/%s", safe_part); + talloc_free(safe_part); + if (path == NULL) { + goto fail; + } + + part = va_arg(va, const char *); + } + va_end(va); + + return path; + +fail: + va_end(va); + talloc_free(path); + return NULL; +} + +errno_t +sbus_opath_decompose(TALLOC_CTX *mem_ctx, + const char *object_path, + const char *prefix, + char ***_components, + size_t *_len) +{ + TALLOC_CTX *tmp_ctx; + const char *path; + char **decomposed; + char **unescaped; + errno_t ret; + int len; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + /* Strip prefix from the path. */ + if (prefix != NULL) { + path = sbus_opath_strip_prefix(object_path, prefix); + if (path == NULL) { + ret = ERR_SBUS_INVALID_PATH; + goto done; + } + } else { + path = object_path; + } + + /* Split the string using / as delimiter. */ + split_on_separator(tmp_ctx, path, '/', true, true, &decomposed, &len); + + /* Unescape parts. 
*/ + unescaped = talloc_zero_array(tmp_ctx, char *, len + 1); + if (unescaped == NULL) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < len; i++) { + unescaped[i] = sbus_opath_unescape_part(unescaped, decomposed[i]); + if (unescaped[i] == NULL) { + ret = ENOMEM; + goto done; + } + } + + if (_components != NULL) { + *_components = talloc_steal(mem_ctx, unescaped); + } + + if (_len != NULL) { + *_len = len; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +errno_t +sbus_opath_decompose_exact(TALLOC_CTX *mem_ctx, + const char *object_path, + const char *prefix, + size_t expected, + char ***_components) +{ + char **components; + size_t len; + errno_t ret; + + ret = sbus_opath_decompose(mem_ctx, object_path, prefix, + &components, &len); + if (ret != EOK) { + return ret; + } + + if (len != expected) { + talloc_free(components); + return ERR_SBUS_INVALID_PATH; + } + + if (_components != NULL) { + *_components = components; + } + + return EOK; +} + +const char * +sbus_opath_strip_prefix(const char *object_path, + const char *prefix) +{ + if (strncmp(object_path, prefix, strlen(prefix)) == 0) { + return object_path + strlen(prefix); + } + + return NULL; +} + +char * +sbus_opath_get_object_name(TALLOC_CTX *mem_ctx, + const char *object_path, + const char *base_path) +{ + const char *name; + + name = sbus_opath_strip_prefix(object_path, base_path); + if (name == NULL || name[0] == '\0') { + return NULL; + } + + /* if base_path did not end with / */ + if (name[0] == '/') { + name = name + 1; + } + + return sbus_opath_unescape_part(mem_ctx, name); +} + +static void +sbus_opath_hash_delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, + void *pvt) +{ + struct sbus_connection *conn; + char *path; + + conn = talloc_get_type(pvt, struct sbus_connection); + path = sbus_opath_get_base_path(NULL, item->key.str); + + /* There seem to be code paths where the data is added to the hash + * before the connection is properly initialized, to avoid core dump 
+ * during shut down we only call dbus_connection_unregister_object_path() + * if there is a connection. */ + if (conn->dbus.conn != NULL) { + dbus_connection_unregister_object_path(conn->dbus.conn, path); + } +} + +hash_table_t * +sbus_opath_hash_init(TALLOC_CTX *mem_ctx, + struct sbus_connection *conn) +{ + return sss_ptr_hash_create(mem_ctx, sbus_opath_hash_delete_cb, conn); +} + +static errno_t +sbus_opath_hash_add_iface(hash_table_t *table, + const char *object_path, + struct sbus_interface *iface, + bool *_path_known) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sbus_interface_list *list = NULL; + struct sbus_interface_list *item = NULL; + const char *iface_name = iface->vtable->meta->name; + bool path_known; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Registering interface %s with path %s\n", + iface_name, object_path); + + /* create new list item */ + + item = talloc_zero(tmp_ctx, struct sbus_interface_list); + if (item == NULL) { + return ENOMEM; + } + + item->interface = iface; + + /* first lookup existing list in hash table */ + + list = sss_ptr_hash_lookup(table, object_path, struct sbus_interface_list); + if (list != NULL) { + /* This object path has already some interface registered. We will + * check for existence of the interface currently being added and + * add it if missing. 
*/ + + path_known = true; + + if (sbus_iface_list_lookup(list, iface_name) != NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Trying to register the same interface" + " twice: iface=%s, opath=%s\n", iface_name, object_path); + ret = EEXIST; + goto done; + } + + DLIST_ADD_END(list, item, struct sbus_interface_list *); + ret = EOK; + goto done; + } + + /* otherwise create new hash entry and new list */ + + path_known = false; + list = item; + + ret = sss_ptr_hash_add(table, object_path, list, + struct sbus_interface_list); + +done: + if (ret == EOK) { + talloc_steal(item, iface); + talloc_steal(table, item); + *_path_known = path_known; + } + + talloc_free(tmp_ctx); + return ret; +} + +static bool +sbus_opath_hash_has_path(hash_table_t *table, + const char *object_path) +{ + return sss_ptr_hash_has_key(table, object_path); +} + +/** + * First @object_path is looked up in @table, if it is not found it steps up + * in the path hierarchy and try to lookup the parent node. This continues + * until the root is reached. 
+ */ +struct sbus_interface * +sbus_opath_hash_lookup_iface(hash_table_t *table, + const char *object_path, + const char *iface_name) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sbus_interface_list *list = NULL; + struct sbus_interface *iface = NULL; + char *lookup_path = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + lookup_path = talloc_strdup(tmp_ctx, object_path); + if (lookup_path == NULL) { + goto done; + } + + while (lookup_path != NULL) { + list = sss_ptr_hash_lookup(table, lookup_path, + struct sbus_interface_list); + if (list != NULL) { + iface = sbus_iface_list_lookup(list, iface_name); + if (iface != NULL) { + goto done; + } + } + + /* we will not free lookup path since it is freed with tmp_ctx + * and the object paths are supposed to be small */ + lookup_path = sbus_opath_parent_subtree(tmp_ctx, lookup_path); + } + +done: + talloc_free(tmp_ctx); + return iface; +} + +/** + * Acquire list of all interfaces that are supported on given object path. + */ +errno_t +sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx, + hash_table_t *table, + const char *object_path, + struct sbus_interface_list **_list) +{ + TALLOC_CTX *tmp_ctx = NULL; + TALLOC_CTX *list_ctx = NULL; + struct sbus_interface_list *copy; + struct sbus_interface_list *output_list; + struct sbus_interface_list *table_list; + char *lookup_path = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + list_ctx = talloc_new(tmp_ctx); + if (list_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + lookup_path = talloc_strdup(tmp_ctx, object_path); + if (lookup_path == NULL) { + ret = ENOMEM; + goto done; + } + + /* Initialize output_list. 
*/ + output_list = NULL; + + while (lookup_path != NULL) { + table_list = sss_ptr_hash_lookup(table, lookup_path, + struct sbus_interface_list); + if (table_list != NULL) { + ret = sbus_iface_list_copy(list_ctx, table_list, ©); + if (ret != EOK) { + goto done; + } + + DLIST_CONCATENATE(output_list, copy, struct sbus_interface_list *); + } + + /* we will not free lookup path since it is freed with tmp_ctx + * and the object paths are supposed to be small */ + lookup_path = sbus_opath_parent_subtree(tmp_ctx, lookup_path); + } + + talloc_steal(mem_ctx, list_ctx); + *_list = output_list; + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +hash_table_t * +sbus_nodes_hash_init(TALLOC_CTX *mem_ctx) +{ + return sss_ptr_hash_create(mem_ctx, NULL, NULL); +} + +struct sbus_nodes_data { + sbus_nodes_fn nodes_fn; + void *handler_data; +}; + +static errno_t +sbus_nodes_hash_add(hash_table_t *table, + const char *object_path, + sbus_nodes_fn nodes_fn, + void *handler_data) +{ + struct sbus_nodes_data *data; + errno_t ret; + + data = talloc_zero(table, struct sbus_nodes_data); + if (data == NULL) { + return ENOMEM; + } + + data->handler_data = handler_data; + data->nodes_fn = nodes_fn; + + ret = sss_ptr_hash_add(table, object_path, data, struct sbus_nodes_data); + if (ret != EOK) { + talloc_free(data); + return ret; + } + + return EOK; +} + +const char ** +sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx, + hash_table_t *table, + const char *object_path) +{ + struct sbus_nodes_data *data; + + data = sss_ptr_hash_lookup(table, object_path, struct sbus_nodes_data); + if (data == NULL) { + return NULL; + } + + return data->nodes_fn(mem_ctx, object_path, data->handler_data); +} + +static struct sbus_interface * +sbus_new_interface(TALLOC_CTX *mem_ctx, + const char *object_path, + struct sbus_vtable *iface_vtable, + void *handler_data) +{ + struct sbus_interface *intf; + + intf = talloc_zero(mem_ctx, struct sbus_interface); + if (intf == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, 
"Cannot allocate a new sbus_interface.\n"); + return NULL; + } + + intf->path = talloc_strdup(intf, object_path); + if (intf->path == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot duplicate object path.\n"); + talloc_free(intf); + return NULL; + } + + intf->vtable = iface_vtable; + intf->handler_data = handler_data; + return intf; +} + +static DBusHandlerResult +sbus_message_handler(DBusConnection *dbus_conn, + DBusMessage *message, + void *user_data); + +static errno_t +sbus_conn_register_path(struct sbus_connection *conn, + const char *path) +{ + static DBusObjectPathVTable vtable = {NULL, sbus_message_handler, + NULL, NULL, NULL, NULL}; + DBusError error; + char *reg_path = NULL; + dbus_bool_t dbret; + + DEBUG(SSSDBG_TRACE_FUNC, "Registering object path %s with D-Bus " + "connection\n", path); + + if (sbus_opath_is_subtree(path)) { + reg_path = sbus_opath_get_base_path(conn, path); + if (reg_path == NULL) { + return ENOMEM; + } + + /* D-Bus does not allow to have both object path and fallback + * registered. Since we handle the real message handlers ourselves + * we will register fallback only in this case. */ + if (sbus_opath_hash_has_path(conn->managed_paths, reg_path)) { + dbus_connection_unregister_object_path(conn->dbus.conn, reg_path); + } + + dbret = dbus_connection_register_fallback(conn->dbus.conn, reg_path, + &vtable, conn); + talloc_free(reg_path); + } else { + dbus_error_init(&error); + + dbret = dbus_connection_try_register_object_path(conn->dbus.conn, path, + &vtable, conn, &error); + + if (dbus_error_is_set(&error) && + strcmp(error.name, DBUS_ERROR_OBJECT_PATH_IN_USE) == 0) { + /* A fallback is probably already registered. Just return. 
*/ + dbus_error_free(&error); + return EOK; + } + } + + if (!dbret) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to register object path " + "%s with D-Bus connection.\n", path); + return ENOMEM; + } + + return EOK; +} + +errno_t +sbus_conn_register_iface(struct sbus_connection *conn, + struct sbus_vtable *iface_vtable, + const char *object_path, + void *handler_data) +{ + struct sbus_interface *iface = NULL; + bool path_known; + errno_t ret; + + if (conn == NULL || iface_vtable == NULL || object_path == NULL) { + return EINVAL; + } + + iface = sbus_new_interface(conn, object_path, iface_vtable, handler_data); + if (iface == NULL) { + return ENOMEM; + } + + ret = sbus_opath_hash_add_iface(conn->managed_paths, object_path, iface, + &path_known); + if (ret != EOK) { + talloc_free(iface); + return ret; + } + + if (path_known) { + /* this object path is already registered */ + return EOK; + } + + /* if ret != EOK we will still leave iface in the table, since + * we probably don't have enough memory to remove it correctly anyway */ + + ret = sbus_conn_register_path(conn, object_path); + if (ret != EOK) { + return ret; + } + + /* register standard interfaces with this object path as well */ + ret = sbus_conn_register_iface(conn, sbus_properties_vtable(), + object_path, conn); + if (ret != EOK) { + return ret; + } + + ret = sbus_conn_register_iface(conn, sbus_introspect_vtable(), + object_path, conn); + if (ret != EOK) { + return ret; + } + + return ret; +} + +errno_t +sbus_conn_register_iface_map(struct sbus_connection *conn, + struct sbus_iface_map *map, + void *pvt) +{ + errno_t ret; + int i; + + for (i = 0; map[i].path != NULL; i++) { + ret = sbus_conn_register_iface(conn, map[i].vtable, map[i].path, pvt); + if (ret != EOK) { + return ret; + } + } + + return EOK; +} + +void +sbus_conn_register_nodes(struct sbus_connection *conn, + const char *path, + sbus_nodes_fn nodes_fn, + void *data) +{ + errno_t ret; + + ret = sbus_nodes_hash_add(conn->nodes_fns, path, nodes_fn, 
data); + if (ret != EOK && ret != EEXIST) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to register node function with " + "%s. Introspection may not work correctly.\n", path); + } +} + +errno_t +sbus_conn_reregister_paths(struct sbus_connection *conn) +{ + hash_key_t *keys = NULL; + unsigned long count; + unsigned long i; + errno_t ret; + int hret; + + hret = hash_keys(conn->managed_paths, &count, &keys); + if (hret != HASH_SUCCESS) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < count; i++) { + ret = sbus_conn_register_path(conn, keys[i].str); + if (ret != EOK) { + goto done; + } + } + + ret = EOK; + +done: + talloc_free(keys); + return ret; +} + +static void +sbus_message_handler_got_caller_id(struct tevent_req *req); + +static DBusHandlerResult +sbus_message_handler(DBusConnection *dbus_conn, + DBusMessage *message, + void *handler_data) +{ + struct tevent_req *req; + struct sbus_connection *conn; + struct sbus_interface *iface; + struct sbus_request *sbus_req; + const struct sbus_method_meta *method; + const char *iface_name; + const char *method_name; + const char *path; + const char *sender; + + conn = talloc_get_type(handler_data, struct sbus_connection); + + /* header information */ + iface_name = dbus_message_get_interface(message); + method_name = dbus_message_get_member(message); + path = dbus_message_get_path(message); + sender = dbus_message_get_sender(message); + + DEBUG(SSSDBG_TRACE_INTERNAL, "Received SBUS method %s.%s on path %s\n", + iface_name, method_name, path); + + /* try to find the interface */ + iface = sbus_opath_hash_lookup_iface(conn->managed_paths, + path, iface_name); + if (iface == NULL) { + goto fail; + } + + method = sbus_meta_find_method(iface->vtable->meta, method_name); + if (method == NULL || method->vtable_offset == 0) { + goto fail; + } + + /* we have a valid handler, create D-Bus request */ + sbus_req = sbus_new_request(conn, iface, message); + if (sbus_req == NULL) { + return DBUS_HANDLER_RESULT_NEED_MEMORY; + } + + 
sbus_req->method = method; + + /* now get the sender ID */ + req = sbus_get_sender_id_send(sbus_req, conn->ev, conn, sender); + if (req == NULL) { + talloc_free(sbus_req); + return DBUS_HANDLER_RESULT_NEED_MEMORY; + } + tevent_req_set_callback(req, sbus_message_handler_got_caller_id, sbus_req); + + if (conn->last_request_time != NULL) { + *conn->last_request_time = time(NULL); + } + + return DBUS_HANDLER_RESULT_HANDLED; + +fail: ; + DBusMessage *reply; + + DEBUG(SSSDBG_CRIT_FAILURE, "No matching handler found for method %s.%s " + "on path %s\n", iface_name, method_name, path); + + reply = dbus_message_new_error(message, DBUS_ERROR_UNKNOWN_METHOD, NULL); + sbus_conn_send_reply(conn, reply); + + return DBUS_HANDLER_RESULT_HANDLED; +} + +static void +sbus_message_handler_got_caller_id(struct tevent_req *req) +{ + struct sbus_request *sbus_req; + const struct sbus_method_meta *method; + sbus_msg_handler_fn handler; + sbus_method_invoker_fn invoker; + void *pvt; + DBusError *error; + errno_t ret; + + sbus_req = tevent_req_callback_data(req, struct sbus_request); + method = sbus_req->method; + + ret = sbus_get_sender_id_recv(req, &sbus_req->client); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, "Failed to " + "resolve caller's ID: %s\n", sss_strerror(ret)); + sbus_request_fail_and_finish(sbus_req, error); + return; + } + + handler = VTABLE_FUNC(sbus_req->intf->vtable, method->vtable_offset); + invoker = method->invoker; + pvt = sbus_req->intf->handler_data; + + sbus_request_invoke_or_finish(sbus_req, handler, pvt, invoker); + return; +} diff --git a/src/sbus/sssd_dbus_introspect.c b/src/sbus/sssd_dbus_introspect.c new file mode 100644 index 0000000..fe833f2 --- /dev/null +++ b/src/sbus/sssd_dbus_introspect.c 
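Review bot: In `sbus_message_handler`, `iface_name` is taken straight from `dbus_message_get_interface()`, which returns NULL when a method call omits the optional interface header, and it then reaches the `strcmp()` in `sbus_iface_list_lookup()` via `sbus_opath_hash_lookup_iface()`. A peer that is allowed on the connection could therefore bring the process down with a NULL dereference on any registered path, so the handler should reject the message before the lookup, e.g. `if (iface_name == NULL) goto fail;`. On that same `fail:` path the reply from `dbus_message_new_error()` is neither checked for NULL nor released: `sbus_conn_send_reply()`, as added earlier in this patch, only calls `dbus_connection_send()`, so each unmatched call appears to leak one message. Adding `if (reply == NULL) return DBUS_HANDLER_RESULT_NEED_MEMORY;` before the send and `dbus_message_unref(reply);` after it would close both gaps.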
@@ -0,0 +1,407 @@ +/* + Authors: + Jakub Hrozek + Pavel Březina + + Copyright (C) 2014 Red Hat + + SBUS: Interface introspection + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#include "util/util.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_private.h" + +#define FMT_DOCTYPE \ + "\n" + +#define FMT_NODE "\n" +#define FMT_IFACE " \n" +#define FMT_METHOD " \n" +#define FMT_METHOD_NOARG " \n" +#define FMT_METHOD_ARG " \n" +#define FMT_METHOD_CLOSE " \n" +#define FMT_SIGNAL " \n" +#define FMT_SIGNAL_NOARG " \n" +#define FMT_SIGNAL_ARG " \n" +#define FMT_SIGNAL_CLOSE " \n" +#define FMT_PROPERTY " \n" +#define FMT_IFACE_CLOSE " \n" +#define FMT_CHILD_NODE " \n" +#define FMT_NODE_CLOSE "\n" + +#define WRITE_OR_FAIL(file, ret, label, fmt, ...) 
do { \ + ret = fprintf(file, fmt, ##__VA_ARGS__); \ + if (ret < 0) { \ + ret = EIO; \ + goto label; \ + } \ +} while (0) + +#define METHOD_HAS_ARGS(m) ((m)->in_args != NULL || (m)->out_args != NULL) +#define SIGNAL_HAS_ARGS(s) ((s)->args != NULL) + +enum sbus_arg_type { + SBUS_ARG_IN, + SBUS_ARG_OUT, + SBUS_ARG_SIGNAL +}; + +static int +iface_Introspect_finish(struct sbus_request *req, const char *arg_data) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_STRING, &arg_data, + DBUS_TYPE_INVALID); +} + +struct iface_introspectable { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*Introspect)(struct sbus_request *req, void *data); +}; + +static int sbus_introspect(struct sbus_request *sbus_req, void *pvt); + +struct sbus_vtable * +sbus_introspect_vtable(void) +{ + static const struct sbus_arg_meta iface_out[] = { + {"data", "s"}, + {NULL, NULL} + }; + + static const struct sbus_method_meta iface_methods[] = { + {"Introspect", NULL, iface_out, + offsetof(struct iface_introspectable, Introspect), NULL}, + {NULL, } + }; + + static const struct sbus_interface_meta iface_meta = { + "org.freedesktop.DBus.Introspectable", /* name */ + iface_methods, + NULL, /* no signals */ + NULL, /* no properties */ + NULL, /* no GetAll invoker */ + }; + + static struct iface_introspectable iface = { + { &iface_meta, 0 }, + .Introspect = sbus_introspect + }; + + return &iface.vtable; +} + +static int +sbus_introspect_generate_args(FILE *file, + const struct sbus_arg_meta *args, + enum sbus_arg_type type) +{ + const struct sbus_arg_meta *arg; + int ret; + int i; + + if (args == NULL) { + return EOK; + } + + for (i = 0; args[i].name != NULL; i++) { + arg = &args[i]; + + switch (type) { + case SBUS_ARG_SIGNAL: + WRITE_OR_FAIL(file, ret, done, FMT_SIGNAL_ARG, + arg->type, arg->name); + break; + case SBUS_ARG_IN: + WRITE_OR_FAIL(file, ret, done, FMT_METHOD_ARG, + arg->type, arg->name, "in"); + break; + case SBUS_ARG_OUT: + WRITE_OR_FAIL(file, ret, done, 
FMT_METHOD_ARG, + arg->type, arg->name, "out"); + break; + } + } + + ret = EOK; + +done: + return ret; +} + +#define sbus_introspect_generate_in_args(file, args) \ + sbus_introspect_generate_args(file, args, SBUS_ARG_IN) + +#define sbus_introspect_generate_out_args(file, args) \ + sbus_introspect_generate_args(file, args, SBUS_ARG_OUT) + +#define sbus_introspect_generate_signal_args(file, args) \ + sbus_introspect_generate_args(file, args, SBUS_ARG_SIGNAL) + +static int +sbus_introspect_generate_methods(FILE *file, + const struct sbus_method_meta *methods) +{ + const struct sbus_method_meta *method; + int ret; + int i; + + if (methods == NULL) { + return EOK; + } + + for (i = 0; methods[i].name != NULL; i++) { + method = &methods[i]; + + if (!METHOD_HAS_ARGS(method)) { + WRITE_OR_FAIL(file, ret, done, FMT_METHOD_NOARG, method->name); + continue; + } + + WRITE_OR_FAIL(file, ret, done, FMT_METHOD, method->name); + + ret = sbus_introspect_generate_in_args(file, method->in_args); + if (ret != EOK) { + goto done; + } + + ret = sbus_introspect_generate_out_args(file, method->out_args); + if (ret != EOK) { + goto done; + } + + WRITE_OR_FAIL(file, ret, done, FMT_METHOD_CLOSE); + } + + ret = EOK; + +done: + return ret; +} + +static int +sbus_introspect_generate_signals(FILE *file, + const struct sbus_signal_meta *signals) +{ + const struct sbus_signal_meta *a_signal; + int ret; + int i; + + if (signals == NULL) { + return EOK; + } + + for (i = 0; signals[i].name != NULL; i++) { + a_signal = &signals[i]; + + if (!SIGNAL_HAS_ARGS(a_signal)) { + WRITE_OR_FAIL(file, ret, done, FMT_SIGNAL_NOARG, a_signal->name); + continue; + } + + WRITE_OR_FAIL(file, ret, done, FMT_SIGNAL, a_signal->name); + + ret = sbus_introspect_generate_signal_args(file, a_signal->args); + if (ret != EOK) { + goto done; + } + + WRITE_OR_FAIL(file, ret, done, FMT_SIGNAL_CLOSE); + } + + ret = EOK; + +done: + return ret; +} + +static int +sbus_introspect_generate_properties(FILE *file, + const struct 
sbus_property_meta *props) +{ + const struct sbus_property_meta *prop; + const char *access_mode; + int ret; + int i; + + if (props == NULL) { + return EOK; + } + + for (i = 0; props[i].name != NULL; i++) { + prop = &props[i]; + + access_mode = prop->flags & SBUS_PROPERTY_WRITABLE + ? "readwrite" : "read"; + WRITE_OR_FAIL(file, ret, done, FMT_PROPERTY, + prop->name, prop->type, access_mode); + } + + ret = EOK; + +done: + return ret; +} + +static int +sbus_introspect_generate_iface(FILE *file, struct sbus_interface *iface) +{ + const struct sbus_interface_meta *meta; + int ret; + + meta = iface->vtable->meta; + + WRITE_OR_FAIL(file, ret, done, FMT_IFACE, meta->name); + + ret = sbus_introspect_generate_methods(file, meta->methods); + if (ret != EOK) { + goto done; + } + + ret = sbus_introspect_generate_signals(file, meta->signals); + if (ret != EOK) { + goto done; + } + + ret = sbus_introspect_generate_properties(file, meta->properties); + if (ret != EOK) { + goto done; + } + + WRITE_OR_FAIL(file, ret, done, FMT_IFACE_CLOSE); + + ret = EOK; + +done: + return ret; +} + +static int +sbus_introspect_generate_nodes(FILE *file, const char **nodes) +{ + int ret; + int i; + + if (nodes == NULL) { + return EOK; + } + + for (i = 0; nodes[i] != NULL; i++) { + WRITE_OR_FAIL(file, ret, done, FMT_CHILD_NODE, nodes[i]); + } + + ret = EOK; + +done: + return ret; +} + +static char * +sbus_introspect_generate(TALLOC_CTX *mem_ctx, + const char *node, + const char **nodes, + struct sbus_interface_list *list) +{ + struct sbus_interface_list *item; + char *introspect = NULL; + FILE *memstream; + char *buffer; + size_t size; + int ret; + + memstream = open_memstream(&buffer, &size); + if (memstream == NULL) { + goto done; + } + + WRITE_OR_FAIL(memstream, ret, done, FMT_DOCTYPE); + WRITE_OR_FAIL(memstream, ret, done, FMT_NODE, node); + + DLIST_FOR_EACH(item, list) { + ret = sbus_introspect_generate_iface(memstream, item->interface); + if (ret != EOK) { + goto done; + } + } + + ret = 
sbus_introspect_generate_nodes(memstream, nodes); + if (ret != EOK) { + goto done; + } + + WRITE_OR_FAIL(memstream, ret, done, FMT_NODE_CLOSE); + + fflush(memstream); + introspect = talloc_memdup(mem_ctx, buffer, size + 1); + + DEBUG(SSSDBG_TRACE_ALL, "Introspection: \n%s\n", introspect); + +done: + if (memstream != NULL) { + fclose(memstream); + free(buffer); + } + + return introspect; +} + +static int +sbus_introspect(struct sbus_request *sbus_req, void *pvt) +{ + DBusError *error; + struct sbus_interface_list *list; + struct sbus_connection *conn; + const char **nodes; + char *introspect; + errno_t ret; + + conn = talloc_get_type(pvt, struct sbus_connection); + + ret = sbus_opath_hash_lookup_supported(sbus_req, conn->managed_paths, + sbus_req->path, &list); + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, + "%s", sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + nodes = sbus_nodes_hash_lookup(sbus_req, conn->nodes_fns, sbus_req->path); + + introspect = sbus_introspect_generate(sbus_req, sbus_req->path, + nodes, list); + if (introspect == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + if (ret != EOK) { + error = sbus_error_new(sbus_req, DBUS_ERROR_FAILED, + "%s", sss_strerror(ret)); + return sbus_request_fail_and_finish(sbus_req, error); + } + + return iface_Introspect_finish(sbus_req, introspect); +} diff --git a/src/sbus/sssd_dbus_invokers.c b/src/sbus/sssd_dbus_invokers.c new file mode 100644 index 0000000..f4d4ba3 --- /dev/null +++ b/src/sbus/sssd_dbus_invokers.c 
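Review bot: `sbus_introspect_generate` ignores the result of `fflush(memstream)` and then passes `introspect` to a `%s` in `DEBUG` before it is known whether `talloc_memdup()` succeeded. If the flush fails, `buffer` and `size` may not describe the complete document, and a failed copy hands NULL to the formatter. I would use `if (fflush(memstream) != 0) goto done;` and put the trace line under `if (introspect != NULL)`. It is also worth a short comment on the function that every `WRITE_OR_FAIL` failure (EIO) is reduced to a NULL return here, which `sbus_introspect` then reports to the caller as ENOMEM.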
@@ -0,0 +1,583 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + SBUS: Interface introspection + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_private.h" +#include "sbus/sssd_dbus_invokers.h" + +static int +sbus_invoke_get_basic(struct sbus_request *sbus_req, + void *function_ptr, + void *value_ptr, + int dbus_type, + DBusMessageIter *iter) +{ + void (*handler_fn)(struct sbus_request *, void *, void *); + dbus_bool_t value_bool; + dbus_bool_t dbret; + + handler_fn = function_ptr; + handler_fn(sbus_req, sbus_req->intf->handler_data, value_ptr); + + if (dbus_type == DBUS_TYPE_BOOLEAN) { + /* Special case to convert bool into dbus_bool_t. */ + value_bool = *((bool *) value_ptr); + value_ptr = &value_bool; + } + + dbret = dbus_message_iter_append_basic(iter, dbus_type, value_ptr); + return dbret ? EOK : EIO; +} + +static int +sbus_invoke_get_string(struct sbus_request *sbus_req, + void *function_ptr, + const char *default_value, + int dbus_type, + DBusMessageIter *iter) +{ + void (*handler_fn)(struct sbus_request *, void *, const char **); + const char *value = NULL; + dbus_bool_t dbret; + + handler_fn = function_ptr; + handler_fn(sbus_req, sbus_req->intf->handler_data, &value); + + value = value == NULL ? 
default_value : value; + + dbret = dbus_message_iter_append_basic(iter, dbus_type, &value); + return dbret ? EOK : EIO; +} + +static int +sbus_invoke_get_array(struct sbus_request *sbus_req, + void *function_ptr, + unsigned int item_size, + int dbus_type, + DBusMessageIter *iter) +{ + void (*handler_fn)(struct sbus_request *, void *, void *, int *); + const char array_type[2] = {dbus_type, '\0'}; + DBusMessageIter array; + dbus_bool_t dbret; + uint8_t *values; + void *addr; + int num_values; + int i; + + handler_fn = function_ptr; + handler_fn(sbus_req, sbus_req->intf->handler_data, &values, &num_values); + + dbret = dbus_message_iter_open_container(iter, DBUS_TYPE_ARRAY, + array_type, &array); + if (!dbret) { + return EIO; + } + + for (i = 0; i < num_values; i++) { + addr = values + i * item_size; + + dbret = dbus_message_iter_append_basic(&array, dbus_type, addr); + if (!dbret) { + return ENOMEM; + } + } + + dbret = dbus_message_iter_close_container(iter, &array); + if (!dbret) { + return EIO; + } + + return EOK; +} + +int sbus_invoke_get_y(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + uint8_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_BYTE, iter); +} + +int sbus_invoke_get_b(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + bool value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_BOOLEAN, iter); +} + +int sbus_invoke_get_n(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + int16_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_INT16, iter); +} + +int sbus_invoke_get_q(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + uint16_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_UINT16, iter); +} + +int sbus_invoke_get_i(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void 
*function_ptr) +{ + int32_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_INT32, iter); +} + +int sbus_invoke_get_u(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + uint32_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_UINT32, iter); +} + +int sbus_invoke_get_x(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + int64_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_INT64, iter); +} + +int sbus_invoke_get_t(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + uint64_t value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_UINT64, iter); +} + +int sbus_invoke_get_d(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + double value; + + return sbus_invoke_get_basic(sbus_req, function_ptr, &value, + DBUS_TYPE_DOUBLE, iter); +} + +int sbus_invoke_get_s(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_string(sbus_req, function_ptr, "", + DBUS_TYPE_STRING, iter); +} + +int sbus_invoke_get_o(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_string(sbus_req, function_ptr, "/", + DBUS_TYPE_OBJECT_PATH, iter); +} + +int sbus_invoke_get_ay(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(uint8_t), + DBUS_TYPE_BYTE, iter); +} + +int sbus_invoke_get_an(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(int16_t), + DBUS_TYPE_INT16, iter); +} + +int sbus_invoke_get_aq(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(uint16_t), + 
DBUS_TYPE_UINT16, iter); +} + +int sbus_invoke_get_ai(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(int32_t), + DBUS_TYPE_INT32, iter); +} + +int sbus_invoke_get_au(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(uint32_t), + DBUS_TYPE_UINT32, iter); +} + +int sbus_invoke_get_ax(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(int64_t), + DBUS_TYPE_INT64, iter); +} + +int sbus_invoke_get_at(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(uint64_t), + DBUS_TYPE_UINT64, iter); +} + +int sbus_invoke_get_ad(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(double), + DBUS_TYPE_DOUBLE, iter); +} + +int sbus_invoke_get_as(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(const char *), + DBUS_TYPE_STRING, iter); +} + +int sbus_invoke_get_ao(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + return sbus_invoke_get_array(sbus_req, function_ptr, sizeof(const char *), + DBUS_TYPE_OBJECT_PATH, iter); +} + +int sbus_invoke_get_aDOsasDE(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr) +{ + void (*handler_fn)(struct sbus_request *, void *, hash_table_t **); + DBusMessageIter it_array; + DBusMessageIter it_dict; + DBusMessageIter it_values; + hash_table_t *table; + struct hash_iter_context_t *table_iter = NULL; + hash_entry_t *entry; + const char **values; + dbus_bool_t dbret; + errno_t ret; + int i; + + handler_fn = function_ptr; + handler_fn(sbus_req, 
sbus_req->intf->handler_data, &table); + + dbret = dbus_message_iter_open_container(iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_ARRAY_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, &it_array); + if (!dbret) { + ret = EIO; + goto done; + } + + /* iterate over keys */ + + if (table == NULL) { + dbret = dbus_message_iter_close_container(iter, &it_array); + if (!dbret) { + ret = EIO; + goto done; + } + + ret = EOK; + goto done; + } + + table_iter = new_hash_iter_context(table); + while ((entry = table_iter->next(table_iter)) != NULL) { + if (entry->key.type != HASH_KEY_STRING || entry->key.str == NULL + || entry->value.type != HASH_VALUE_PTR + || entry->value.ptr == NULL) { + continue; + } + + dbret = dbus_message_iter_open_container(&it_array, + DBUS_TYPE_DICT_ENTRY, NULL, + &it_dict); + if (!dbret) { + ret = EIO; + goto done; + } + + /* append key as dict entry key */ + + dbret = dbus_message_iter_append_basic(&it_dict, + DBUS_TYPE_STRING, + &entry->key.str); + if (!dbret) { + ret = EIO; + goto done; + } + + /* iterate over values */ + + dbret = dbus_message_iter_open_container(&it_dict, + DBUS_TYPE_ARRAY, + DBUS_TYPE_STRING_AS_STRING, + &it_values); + if (!dbret) { + ret = EIO; + goto done; + } + + values = entry->value.ptr; + for (i = 0; values[i] != NULL; i++) { + /* append value into array */ + dbret = dbus_message_iter_append_basic(&it_values, + DBUS_TYPE_STRING, + &values[i]); + if (!dbret) { + ret = EIO; + goto done; + } + } + + dbret = dbus_message_iter_close_container(&it_dict, &it_values); + if (!dbret) { + ret = EIO; + goto done; + } + + dbret = dbus_message_iter_close_container(&it_array, &it_dict); + if (!dbret) { + ret = EIO; + goto done; + } + } + + dbret = dbus_message_iter_close_container(iter, &it_array); + if (!dbret) { + ret = EIO; + goto done; + } + + ret = EOK; + +done: + talloc_free(table_iter); + return ret; +} + +void sbus_invoke_get(struct sbus_request 
*sbus_req, + const char *type, + sbus_get_invoker_fn invoker_fn, + sbus_msg_handler_fn handler_fn) +{ + DBusMessage *reply = NULL; + DBusMessageIter iter; + DBusMessageIter variant; + dbus_bool_t dbret; + errno_t ret; + + reply = dbus_message_new_method_return(sbus_req->message); + if (reply == NULL) { + ret = ENOMEM; + goto fail; + } + + dbus_message_iter_init_append(reply, &iter); + + dbret = dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT, + type, &variant); + if (!dbret) { + ret = ENOMEM; + goto fail; + } + + ret = invoker_fn(&variant, sbus_req, handler_fn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invoker error [%d]: %s\n", ret, sss_strerror(ret)); + goto fail; + } + + dbret = dbus_message_iter_close_container(&iter, &variant); + if (!dbret) { + ret = EIO; + goto fail; + } + + sbus_request_finish(sbus_req, reply); + return; + +fail: + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to reply [%d]: %s\n", ret, sss_strerror(ret)); + + if (reply != NULL) { + dbus_message_unref(reply); + } + sbus_request_finish(sbus_req, NULL); + + return; +} + +void sbus_invoke_get_all(struct sbus_request *sbus_req) +{ + const struct sbus_property_meta *props; + sbus_msg_handler_fn *handler_fn; + DBusMessage *reply = NULL; + DBusMessageIter iter; + DBusMessageIter array; + DBusMessageIter dict; + DBusMessageIter variant; + dbus_bool_t dbret; + errno_t ret; + int i; + + reply = dbus_message_new_method_return(sbus_req->message); + if (reply == NULL) { + ret = ENOMEM; + goto fail; + } + + dbus_message_iter_init_append(reply, &iter); + + dbret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array); + if (!dbret) { + ret = ENOMEM; + goto fail; + } + + props = sbus_req->intf->vtable->meta->properties; + + if (props != NULL) { + for (i = 0; props[i].name != NULL; i++) { + dbret = dbus_message_iter_open_container(&array, + 
DBUS_TYPE_DICT_ENTRY, NULL, + &dict); + if (!dbret) { + ret = ENOMEM; + goto fail; + } + + /* key */ + dbret = dbus_message_iter_append_basic(&dict, DBUS_TYPE_STRING, + &props[i].name); + if (!dbret) { + ret = ENOMEM; + goto fail; + } + + /* value */ + dbret = dbus_message_iter_open_container(&dict, DBUS_TYPE_VARIANT, + props[i].type, &variant); + if (!dbret) { + ret = ENOMEM; + goto fail; + } + + handler_fn = VTABLE_FUNC(sbus_req->intf->vtable, + props[i].vtable_offset_get); + if (handler_fn == NULL) { + ret = ERR_INTERNAL; + goto fail; + } + + ret = props[i].invoker_get(&variant, sbus_req, handler_fn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invoker error [%d]: %s\n", ret, sss_strerror(ret)); + goto fail; + } + + dbret = dbus_message_iter_close_container(&dict, &variant); + if (!dbret) { + ret = EIO; + goto fail; + } + + dbret = dbus_message_iter_close_container(&array, &dict); + if (!dbret) { + ret = EIO; + goto fail; + } + } + } + + dbret = dbus_message_iter_close_container(&iter, &array); + if (!dbret) { + ret = EIO; + goto fail; + } + + sbus_request_finish(sbus_req, reply); + return; + +fail: + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to reply [%d]: %s\n", ret, sss_strerror(ret)); + + dbus_message_unref(reply); + sbus_request_finish(sbus_req, NULL); + + return; +} diff --git a/src/sbus/sssd_dbus_invokers.h b/src/sbus/sssd_dbus_invokers.h new file mode 100644 index 0000000..6f7f254 --- /dev/null +++ b/src/sbus/sssd_dbus_invokers.h 
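Review bot: In sbus_invoke_get_aDOsasDE the result of `new_hash_iter_context(table)` is used by the `while` loop without a NULL check, so an allocation failure there becomes a NULL dereference in the daemon; add `if (table_iter == NULL) { ret = ENOMEM; goto done; }` before the loop. In the same function `table` is read after the handler call without ever being initialised, so declaring it as `hash_table_t *table = NULL;` would make the `table == NULL` branch reliable even if a handler leaves it untouched. The `value`, `values` and `num_values` locals in the other sbus_invoke_get_* helpers have the same shape: the handlers return void and cannot signal that nothing was written, although whether any handler actually does that is not visible here. In sbus_invoke_get_all the fail path calls `dbus_message_unref(reply)` unguarded even though `reply` is NULL when `dbus_message_new_method_return` fails, whereas sbus_invoke_get guards the same call with `if (reply != NULL)`.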
@@ -0,0 +1,124 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + SBUS: Interface introspection + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSSD_DBUS_INVOKER_H_ +#define SSSD_DBUS_INVOKER_H_ + +#include "sbus/sssd_dbus.h" + +int sbus_invoke_get_y(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_b(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_n(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_q(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_i(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_u(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_x(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_t(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_d(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_s(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_o(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int 
sbus_invoke_get_ay(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_an(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_aq(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_ai(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_au(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_ax(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_at(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_ad(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_as(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_ao(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +int sbus_invoke_get_aDOsasDE(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *function_ptr); + +void sbus_invoke_get(struct sbus_request *sbus_req, + const char *type, + sbus_get_invoker_fn invoker_fn, + sbus_msg_handler_fn handler_fn); + +void sbus_invoke_get_all(struct sbus_request *sbus_req); + + +#endif /* SSSD_DBUS_INVOKER_H_ */ diff --git a/src/sbus/sssd_dbus_meta.c b/src/sbus/sssd_dbus_meta.c new file mode 100644 index 0000000..f058ede --- /dev/null +++ b/src/sbus/sssd_dbus_meta.c 
@@ -0,0 +1,67 @@
+/*
+ Authors:
+ Stef Walter
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "sbus/sssd_dbus_meta.h"
+
+const struct sbus_method_meta *
+sbus_meta_find_method(const struct sbus_interface_meta *interface,
+ const char *method_name)
+{
+ const struct sbus_method_meta *method;
+
+ for (method = interface->methods; method && method->name; method++) {
+ if (strcmp(method_name, method->name) == 0) {
+ return method;
+ }
+ }
+
+ return NULL;
+}
+
+const struct sbus_signal_meta *
+sbus_meta_find_signal(const struct sbus_interface_meta *interface,
+ const char *signal_name)
+{
+ const struct sbus_signal_meta *sig;
+
+ for (sig = interface->signals; sig && sig->name; sig++) {
+ if (strcmp(signal_name, sig->name) == 0) {
+ return sig;
+ }
+ }
+
+ return NULL;
+}
+
+const struct sbus_property_meta *
+sbus_meta_find_property(const struct sbus_interface_meta *interface,
+ const char *property_name)
+{
+ const struct sbus_property_meta *property;
+
+ for (property = interface->properties; property && property->name; property++) {
+ if (strcmp(property_name, property->name) == 0) {
+ return property;
+ }
+ }
+
+ return NULL;
+}
diff --git a/src/sbus/sssd_dbus_meta.h b/src/sbus/sssd_dbus_meta.h
new file mode 100644
index 0000000..83c2f05
--- /dev/null
+++ b/src/sbus/sssd_dbus_meta.h
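Review bot: The three lookup functions pass `method_name`, `signal_name` and `property_name` straight to `strcmp` and dereference `interface` without a check, and nothing in the file states that callers must supply non-NULL values. In sssd_dbus_properties.c the property name is taken from a client's D-Bus message, so the contract is worth writing down; a comment such as `/* interface and the name must not be NULL; returns NULL when no entry matches */` above each function would do. The three bodies differ only in the member they walk, which is a style observation rather than a defect.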
@@ -0,0 +1,107 @@ +/* + Authors: + Stef Walter + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSSD_DBUS_META_H_ +#define _SSSD_DBUS_META_H_ + +#include + +/* + * Interface metadata + * + * For arrays, the last item in each array will have a + * NULL .name field + * + * Typically these structs will be generated by sbus_codegen + * from canonical XML interface data: + * + * http://dbus.freedesktop.org/doc/dbus-specification.html#introspection-format + */ + +/* Looks up a vtable func, in a struct derived from struct sbus_vtable */ +#define VTABLE_FUNC(vtable, offset) \ + (*(DISCARD_ALIGN((char *)(vtable) + (offset), void **))) + +struct sbus_arg_meta { + const char *name; + const char *type; +}; + +struct sbus_request; +struct sbus_interface; + +typedef int (* sbus_get_invoker_fn)(DBusMessageIter *iter, + struct sbus_request *sbus_req, + void *handler_fn); + +typedef void (* sbus_get_all_invoker_fn)(struct sbus_request *sbus_req); + +typedef int (* sbus_method_invoker_fn)(struct sbus_request *sbus_req, + void *handler_fn); + +struct sbus_method_meta { + const char *name; + const struct sbus_arg_meta *in_args; + const struct sbus_arg_meta *out_args; + size_t vtable_offset; + sbus_method_invoker_fn invoker; +}; + +enum { + SBUS_PROPERTY_READABLE = 1 << 0, + SBUS_PROPERTY_WRITABLE = 1 << 1 +}; + +struct sbus_property_meta { + const char *name; + const char *type; + int flags; + 
size_t vtable_offset_get; + sbus_get_invoker_fn invoker_get; + size_t vtable_offset_set; + sbus_method_invoker_fn invoker_set; +}; + +struct sbus_signal_meta { + const char *name; + const struct sbus_arg_meta *args; +}; + +struct sbus_interface_meta { + const char *name; + const struct sbus_method_meta *methods; + const struct sbus_signal_meta *signals; + const struct sbus_property_meta *properties; + sbus_get_all_invoker_fn invoker_get_all; +}; + +const struct sbus_method_meta * +sbus_meta_find_method (const struct sbus_interface_meta *interface, + const char *method_name); + +const struct sbus_signal_meta * +sbus_meta_find_signal (const struct sbus_interface_meta *interface, + const char *signal_name); + +const struct sbus_property_meta * +sbus_meta_find_property (const struct sbus_interface_meta *interface, + const char *property_name); + +#endif /* _SSSD_DBUS_META_H_ */ diff --git a/src/sbus/sssd_dbus_private.h b/src/sbus/sssd_dbus_private.h new file mode 100644 index 0000000..a3d4bae --- /dev/null +++ b/src/sbus/sssd_dbus_private.h 
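Review bot: `VTABLE_FUNC` reads a pointer at an arbitrary byte offset from `vtable` with no bound or type check. Its safety therefore rests entirely on `vtable_offset`, `vtable_offset_get` and `vtable_offset_set` being `offsetof` values for handler members of a struct that embeds `struct sbus_vtable` first, as `struct iface_properties` does in sssd_dbus_properties.c. The one-line comment above the macro says neither this nor that callers treat a NULL result as "handler not implemented". I would extend it to something like `/* offset must be offsetof() of a handler member in a struct whose first member is struct sbus_vtable; yields NULL when the handler is unset */`.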
@@ -0,0 +1,188 @@ +/* + Authors: + Simo Sorce + Stephen Gallagher + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSSD_DBUS_PRIVATE_H_ +#define _SSSD_DBUS_PRIVATE_H_ + +#include + +#include "sssd_dbus_meta.h" + +union dbus_conn_pointer { + DBusServer *server; + DBusConnection *conn; +}; +enum dbus_conn_type { + SBUS_SERVER, + SBUS_CONNECTION +}; + +struct sbus_watch_ctx; + +struct sbus_connection { + struct tevent_context *ev; + + enum dbus_conn_type type; + union dbus_conn_pointer dbus; + + char *address; + int connection_type; + int disconnect; + + hash_table_t *managed_paths; + hash_table_t *nodes_fns; + hash_table_t *incoming_signals; + + /* reconnect settings */ + int retries; + int max_retries; + sbus_conn_reconn_callback_fn reconnect_callback; + /* Private data needed to reinit after reconnection */ + void *reconnect_pvt; + + /* server related stuff */ + char *symlink; + sbus_server_conn_init_fn srv_init_fn; + void *srv_init_data; + hash_table_t *clients; + + /* watches list */ + struct sbus_watch_ctx *watch_list; + + /* responder related stuff */ + time_t *last_request_time; + + /* client related stuff */ + void *client_destructor_data; +}; + +/* =Standard=interfaces=================================================== */ + +struct sbus_vtable *sbus_introspect_vtable(void); +struct sbus_vtable *sbus_properties_vtable(void); + +/* 
=Watches=============================================================== */ + +struct sbus_watch_ctx { + struct sbus_watch_ctx *prev, *next; + + struct sbus_connection *conn; + + struct tevent_fd *fde; + int fd; + + DBusWatch *dbus_read_watch; + DBusWatch *dbus_write_watch; +}; + +dbus_bool_t sbus_add_watch(DBusWatch *watch, void *data); +void sbus_toggle_watch(DBusWatch *watch, void *data); +void sbus_remove_watch(DBusWatch *watch, void *data); + +/* =Timeouts============================================================== */ + +struct sbus_timeout_ctx { + DBusTimeout *dbus_timeout; + struct tevent_timer *te; +}; + +dbus_bool_t sbus_add_timeout(DBusTimeout *dbus_timeout, void *data); +void sbus_toggle_timeout(DBusTimeout *dbus_timeout, void *data); +void sbus_remove_timeout(DBusTimeout *dbus_timeout, void *data); + +/* =Requests============================================================== */ + +struct sbus_request * +sbus_new_request(struct sbus_connection *conn, struct sbus_interface *intf, + DBusMessage *message); + +/* =Interface=and=object=paths============================================ */ + +struct sbus_interface_list { + struct sbus_interface_list *prev, *next; + struct sbus_interface *interface; +}; + +hash_table_t * +sbus_opath_hash_init(TALLOC_CTX *mem_ctx, + struct sbus_connection *conn); + +struct sbus_interface * +sbus_opath_hash_lookup_iface(hash_table_t *table, + const char *object_path, + const char *iface_name); + +errno_t +sbus_opath_hash_lookup_supported(TALLOC_CTX *mem_ctx, + hash_table_t *table, + const char *object_path, + struct sbus_interface_list **_list); + +hash_table_t * +sbus_nodes_hash_init(TALLOC_CTX *mem_ctx); + +const char ** +sbus_nodes_hash_lookup(TALLOC_CTX *mem_ctx, + hash_table_t *table, + const char *object_path); + +void +sbus_request_invoke_or_finish(struct sbus_request *dbus_req, + sbus_msg_handler_fn handler_fn, + void *handler_data, + sbus_method_invoker_fn invoker_fn); + +/* A low-level, private variant of sbus_conn_send 
that accepts just + * DBusConnection. It should never be used outside sbus code, responders + * and back ends should use sbus_conn_send! + */ +int sss_dbus_conn_send(DBusConnection *dbus_conn, + DBusMessage *msg, + int timeout_ms, + DBusPendingCallNotifyFunction reply_handler, + void *pvt, + DBusPendingCall **pending); + + +/* =Retrieve-conn-credentials=============================================== */ +struct tevent_req *sbus_get_sender_id_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sbus_connection *conn, + const char *sender); +int sbus_get_sender_id_recv(struct tevent_req *req, int64_t *_uid); + +/* =Properties============================================================ */ + +int sbus_properties_dispatch(struct sbus_request *dbus_req); + +/* =Signals=============================================================== */ + +DBusHandlerResult +sbus_signal_handler(DBusConnection *conn, + DBusMessage *message, + void *handler_data); + +hash_table_t * +sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx); + +void sbus_register_common_signals(struct sbus_connection *conn, void *pvt); + +#endif /* _SSSD_DBUS_PRIVATE_H_ */ diff --git a/src/sbus/sssd_dbus_properties.c b/src/sbus/sssd_dbus_properties.c new file mode 100644 index 0000000..6b4ca74 --- /dev/null +++ b/src/sbus/sssd_dbus_properties.c 
@@ -0,0 +1,348 @@ +/* + Authors: + Stef Walter + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include "util/util.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_private.h" +#include "sbus/sssd_dbus_invokers.h" + +#define CHECK_SIGNATURE_OR_FAIL(req, error, label, exp) do { \ + const char *__sig; \ + __sig = dbus_message_get_signature(req->message); \ + if (strcmp(__sig, exp) != 0) { \ + error = sbus_error_new(req, DBUS_ERROR_INVALID_ARGS, \ + "Invalid arguments: expected \"%s\", got \"%s\"", exp, __sig); \ + goto label; \ + } \ +} while (0) + +struct iface_properties { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + sbus_msg_handler_fn Get; + sbus_msg_handler_fn Set; + sbus_msg_handler_fn GetAll; +}; + +static int sbus_properties_get(struct sbus_request *sbus_req, void *pvt); +static int sbus_properties_set(struct sbus_request *sbus_req, void *pvt); +static int sbus_properties_get_all(struct sbus_request *sbus_req, void *pvt); + +struct sbus_vtable * +sbus_properties_vtable(void) +{ + /* Properties.Get */ + static const struct sbus_arg_meta get_args_in[] = { + { "interface_name", "s" }, + { "property_name", "s" }, + { NULL, } + }; + + static const struct sbus_arg_meta get_args_out[] = { + { "value", "v" }, + { NULL, } + }; + + /* Properties.Set */ + static const struct sbus_arg_meta 
set_args_in[] = { + { "interface_name", "s" }, + { "property_name", "s" }, + { "value", "v" }, + { NULL, } + }; + + /* Properties.GetAll */ + static const struct sbus_arg_meta getall_args_in[] = { + { "interface_name", "s" }, + { NULL, } + }; + + static const struct sbus_arg_meta getall_args_out[] = { + { "props", "a{sv}" }, + { NULL, } + }; + + static const struct sbus_method_meta iface_methods[] = { + { + "Get", /* name */ + get_args_in, + get_args_out, + offsetof(struct iface_properties, Get), + NULL, /* no invoker */ + }, + { + "Set", /* name */ + set_args_in, + NULL, /* no out_args */ + offsetof(struct iface_properties, Set), + NULL, /* no invoker */ + }, + { + "GetAll", /* name */ + getall_args_in, + getall_args_out, + offsetof(struct iface_properties, GetAll), + NULL, /* no invoker */ + }, + { NULL, } + }; + + static const struct sbus_interface_meta iface_meta = { + "org.freedesktop.DBus.Properties", /* name */ + iface_methods, + NULL, /* no signals */ + NULL, /* no properties */ + NULL, /* no GetAll invoker */ + }; + + static struct iface_properties iface = { + { &iface_meta, 0 }, + .Get = sbus_properties_get, + .Set = sbus_properties_set, + .GetAll = sbus_properties_get_all, + }; + + return &iface.vtable; +} + +static struct sbus_request * +sbus_properties_subreq(struct sbus_request *sbus_req, + struct sbus_interface *iface) +{ + struct sbus_request *sbus_subreq; + + /* Create new sbus_request to so it contain given interface. The + * old sbus_request talloc context will be attached to this new one + * so it is freed together. 
*/ + sbus_subreq = sbus_new_request(sbus_req->conn, iface, sbus_req->message); + if (sbus_subreq == NULL) { + return NULL; + } + + talloc_steal(sbus_subreq, sbus_req); + + return sbus_subreq; +} + +static int sbus_properties_get(struct sbus_request *sbus_req, void *pvt) +{ + DBusError *error; + struct sbus_request *sbus_subreq; + struct sbus_connection *conn; + struct sbus_interface *iface; + const struct sbus_property_meta *prop; + sbus_msg_handler_fn handler_fn; + const char *interface_name; + const char *property_name; + bool bret; + + conn = talloc_get_type(pvt, struct sbus_connection); + + CHECK_SIGNATURE_OR_FAIL(sbus_req, error, fail, "ss"); + + bret = sbus_request_parse_or_finish(sbus_req, + DBUS_TYPE_STRING, &interface_name, + DBUS_TYPE_STRING, &property_name, + DBUS_TYPE_INVALID); + if (!bret) { + /* request was handled */ + return EOK; + } + + /* find interface */ + iface = sbus_opath_hash_lookup_iface(conn->managed_paths, sbus_req->path, + interface_name); + if (iface == NULL) { + error = sbus_error_new(sbus_req, DBUS_ERROR_UNKNOWN_INTERFACE, + "Unknown interface"); + goto fail; + } + + /* find property handler */ + prop = sbus_meta_find_property(iface->vtable->meta, property_name); + if (prop == NULL) { + error = sbus_error_new(sbus_req, DBUS_ERROR_UNKNOWN_PROPERTY, + "Unknown property"); + goto fail; + } + + if (!(prop->flags & SBUS_PROPERTY_READABLE)) { + error = sbus_error_new(sbus_req, DBUS_ERROR_ACCESS_DENIED, + "Property is not readable"); + goto fail; + } + + handler_fn = VTABLE_FUNC(iface->vtable, prop->vtable_offset_get); + if (handler_fn == NULL) { + error = sbus_error_new(sbus_req, DBUS_ERROR_NOT_SUPPORTED, + "Getter is not implemented"); + goto fail; + } + + sbus_subreq = sbus_properties_subreq(sbus_req, iface); + if (sbus_subreq == NULL) { + error = NULL; + goto fail; + } + + sbus_invoke_get(sbus_subreq, prop->type, + prop->invoker_get, handler_fn); + return EOK; + +fail: + return sbus_request_fail_and_finish(sbus_req, error); +} + +/* + * 
We don't implement any handlers for setters yet. This code is for future
+ * use and it is likely it will need some changes.
+ */
+static int sbus_properties_set(struct sbus_request *sbus_req, void *pvt)
+{
+ DBusError *error;
+ DBusMessageIter iter;
+ DBusMessageIter iter_variant;
+ struct sbus_request *sbus_subreq;
+ struct sbus_connection *conn;
+ struct sbus_interface *iface;
+ const struct sbus_property_meta *prop;
+ const char *interface_name;
+ const char *property_name;
+ const char *variant_sig;
+ sbus_msg_handler_fn handler_fn;
+
+ conn = talloc_get_type(pvt, struct sbus_connection);
+
+ CHECK_SIGNATURE_OR_FAIL(sbus_req, error, fail, "ssv");
+
+ /* get interface and property */
+ dbus_message_iter_init(sbus_req->message, &iter);
+ dbus_message_iter_get_basic(&iter, &interface_name);
+ dbus_message_iter_next(&iter);
+ dbus_message_iter_get_basic(&iter, &property_name);
+ dbus_message_iter_next(&iter);
+
+ /* find interface */
+ iface = sbus_opath_hash_lookup_iface(conn->managed_paths, sbus_req->path,
+ interface_name);
+ if (iface == NULL) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_UNKNOWN_INTERFACE,
+ "Unknown interface");
+ goto fail;
+ }
+
+ /* find property handler */
+ prop = sbus_meta_find_property(iface->vtable->meta, property_name);
+ if (prop == NULL) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_UNKNOWN_PROPERTY,
+ "Unknown property");
+ goto fail;
+ }
+
+ if (!(prop->flags & SBUS_PROPERTY_WRITABLE)) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_ACCESS_DENIED,
+ "Property is not writable");
+ goto fail;
+ }
+
+ handler_fn = VTABLE_FUNC(iface->vtable, prop->vtable_offset_set);
+ if (handler_fn == NULL) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_NOT_SUPPORTED,
+ "Setter is not implemented");
+ goto fail;
+ }
+
+ /* check variant type */
+ dbus_message_iter_recurse(&iter, &iter_variant);
+ variant_sig = dbus_message_iter_get_signature(&iter_variant);
+ if (strcmp(prop->type, variant_sig) != 0) {
+ error = sbus_error_new(sbus_req,
DBUS_ERROR_INVALID_ARGS,
+ "Invalid data type for property");
+ goto fail;
+ }
+
+ sbus_subreq = sbus_properties_subreq(sbus_req, iface);
+ if (sbus_subreq == NULL) {
+ error = NULL;
+ goto fail;
+ }
+
+ sbus_request_invoke_or_finish(sbus_subreq, handler_fn,
+ iface->handler_data, prop->invoker_set);
+
+ return EOK;
+
+fail:
+ return sbus_request_fail_and_finish(sbus_req, error);
+}
+
+static int sbus_properties_get_all(struct sbus_request *sbus_req, void *pvt)
+{
+ DBusError *error;
+ struct sbus_request *sbus_subreq;
+ struct sbus_connection *conn;
+ struct sbus_interface *iface;
+ const char *interface_name;
+ bool bret;
+
+ conn = talloc_get_type(pvt, struct sbus_connection);
+
+ CHECK_SIGNATURE_OR_FAIL(sbus_req, error, fail, "s");
+
+ bret = sbus_request_parse_or_finish(sbus_req,
+ DBUS_TYPE_STRING, &interface_name,
+ DBUS_TYPE_INVALID);
+ if (!bret) {
+ /* request was handled */
+ return EOK;
+ }
+
+ /* find interface */
+ iface = sbus_opath_hash_lookup_iface(conn->managed_paths, sbus_req->path,
+ interface_name);
+ if (iface == NULL) {
+ error = sbus_error_new(sbus_req, DBUS_ERROR_UNKNOWN_INTERFACE,
+ "Unknown interface");
+ goto fail;
+ }
+
+ sbus_subreq = sbus_properties_subreq(sbus_req, iface);
+ if (sbus_subreq == NULL) {
+ error = NULL;
+ goto fail;
+ }
+
+ if (iface->vtable->meta->invoker_get_all == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC, "No get all invoker set,"
+ "using the default one\n");
+
+ sbus_invoke_get_all(sbus_req);
+ } else {
+ iface->vtable->meta->invoker_get_all(sbus_subreq);
+ }
+
+ return EOK;
+
+fail:
+ return sbus_request_fail_and_finish(sbus_req, error);
+}
diff --git a/src/sbus/sssd_dbus_request.c b/src/sbus/sssd_dbus_request.c
new file mode 100644
index 0000000..c5b0853
--- /dev/null
+++ b/src/sbus/sssd_dbus_request.c
@@ -0,0 +1,585 @@
+/*
+ Authors:
+ Stef Walter
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/sss_utf8.h"
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_private.h"
+
+#include
+#include
+
+#define INTERNAL_ERROR "Internal Error"
+
+static int sbus_request_destructor(struct sbus_request *dbus_req)
+{
+ dbus_message_unref(dbus_req->message);
+ return 0;
+}
+
+struct sbus_request *
+sbus_new_request(struct sbus_connection *conn,
+ struct sbus_interface *intf,
+ DBusMessage *message)
+{
+ struct sbus_request *dbus_req;
+
+ dbus_req = talloc_zero(conn, struct sbus_request);
+ if (!dbus_req) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory allocating DBus request\n");
+ return NULL;
+ }
+
+ dbus_req->intf = intf;
+ dbus_req->conn = conn;
+ dbus_req->message = dbus_message_ref(message);
+ dbus_req->path = dbus_message_get_path(message);
+ talloc_set_destructor(dbus_req, sbus_request_destructor);
+
+ return dbus_req;
+}
+
+void
+sbus_request_invoke_or_finish(struct sbus_request *dbus_req,
+ sbus_msg_handler_fn handler_fn,
+ void *handler_data,
+ sbus_method_invoker_fn invoker_fn)
+{
+ DBusError error;
+ int ret;
+
+ if (invoker_fn != NULL) {
+ ret = invoker_fn(dbus_req, handler_fn);
+ } else if (handler_fn != NULL) {
+ ret = handler_fn(dbus_req, handler_data);
+ } else {
+ ret = EINVAL;
+ }
+
+ switch(ret) {
+ case ERR_SBUS_REQUEST_HANDLED:
+
case EOK:
+ return;
+ case ENOMEM:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory handling DBus message\n");
+ sbus_request_finish(dbus_req, NULL);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Handler failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ dbus_error_init(&error);
+ dbus_set_error_const(&error, DBUS_ERROR_FAILED, INTERNAL_ERROR);
+ sbus_request_fail_and_finish(dbus_req, &error);
+ break;
+ }
+}
+
+int sbus_request_finish(struct sbus_request *dbus_req,
+ DBusMessage *reply)
+{
+ if (reply) {
+ sbus_conn_send_reply(dbus_req->conn, reply);
+ }
+ return talloc_free(dbus_req);
+}
+
+static int sbus_request_valist_check(va_list va, int first_arg_type)
+{
+ int ret = EOK;
+#ifdef HAVE_DBUSBASICVALUE
+ int type;
+ va_list va_check;
+ const DBusBasicValue *value;
+ bool ok;
+
+ va_copy(va_check, va);
+
+ type = first_arg_type;
+ while (type != DBUS_TYPE_INVALID) {
+ value = va_arg(va_check, const DBusBasicValue*);
+
+ if (type == DBUS_TYPE_STRING) {
+ ok = sss_utf8_check((const uint8_t *) value->str,
+ strlen(value->str));
+ if (!ok) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "sbus message argument [%s] contains invalid "
+ "non-UTF8 characters\n", value->str);
+ ret = EINVAL;
+ break;
+ }
+ }
+ type = va_arg(va_check, int);
+ }
+
+ va_end(va_check);
+#endif /* HAVE_DBUSBASICVALUE */
+ return ret;
+}
+
+int sbus_request_return_and_finish(struct sbus_request *dbus_req,
+ int first_arg_type,
+ ...)
+{
+ DBusMessage *reply;
+ DBusError error = DBUS_ERROR_INIT;
+ dbus_bool_t dbret;
+ va_list va;
+ int ret;
+
+ va_start(va, first_arg_type);
+ ret = sbus_request_valist_check(va, first_arg_type);
+ if (ret != EOK) {
+ va_end(va);
+ dbus_set_error_const(&error, DBUS_ERROR_INVALID_ARGS, INTERNAL_ERROR);
+ return sbus_request_fail_and_finish(dbus_req, &error);
+ }
+
+ reply = dbus_message_new_method_return(dbus_req->message);
+ if (!reply) {
+ va_end(va);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory allocating DBus message\n");
+ sbus_request_finish(dbus_req, NULL);
+ return ENOMEM;
+ }
+
+ dbret = dbus_message_append_args_valist(reply, first_arg_type, va);
+ va_end(va);
+
+ if (dbret) {
+ ret = sbus_request_finish(dbus_req, reply);
+
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Couldn't build DBus message\n");
+ sbus_request_finish(dbus_req, NULL);
+ ret = EINVAL;
+ }
+
+ dbus_message_unref(reply);
+ return ret;
+}
+
+int sbus_request_fail_and_finish(struct sbus_request *dbus_req,
+ const DBusError *error)
+{
+ DBusMessage *reply;
+ int ret;
+
+ if (error == NULL) {
+ sbus_request_finish(dbus_req, NULL);
+ return ENOMEM;
+ }
+
+ reply = dbus_message_new_error(dbus_req->message, error->name, error->message);
+ if (!reply) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory allocating DBus message\n");
+ sbus_request_finish(dbus_req, NULL);
+ return ENOMEM;
+ }
+
+ ret = sbus_request_finish(dbus_req, reply);
+ dbus_message_unref(reply);
+ return ret;
+}
+
+static DBusError *sbus_error_new_va(TALLOC_CTX *mem_ctx,
+ const char *error_name,
+ const char *fmt,
+ va_list ap)
+{
+ DBusError *error;
+ const char *error_msg;
+
+ error = talloc_zero(mem_ctx, DBusError);
+ if (error == NULL) {
+ return NULL;
+ }
+
+ if (fmt != NULL) {
+ error_msg = talloc_vasprintf(error, fmt, ap);
+ if (error_msg == NULL) {
+ talloc_free(error);
+ return NULL;
+ }
+ } else {
+ error_msg = NULL;
+ }
+
+ dbus_error_init(error);
+ dbus_set_error_const(error, error_name, error_msg);
+
+ return error;
+}
+
+DBusError *sbus_error_new(TALLOC_CTX *mem_ctx,
+ const char *dbus_error_name,
+ const char *fmt,
+ ...)
+{
+ DBusError *error;
+ va_list ap;
+
+ va_start(ap, fmt);
+ error = sbus_error_new_va(mem_ctx, dbus_error_name, fmt, ap);
+ va_end(ap);
+
+ return error;
+}
+
+void sbus_request_reply_error(struct sbus_request *sbus_req,
+ const char *error_name,
+ const char *fmt,
+ ...)
+{
+ DBusError *error;
+ va_list ap;
+
+ va_start(ap, fmt);
+ error = sbus_error_new_va(sbus_req, error_name, fmt, ap);
+ va_end(ap);
+
+ if (error == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to create D-Bus error, killing request!\n");
+ talloc_free(sbus_req);
+ return;
+ }
+
+ sbus_request_fail_and_finish(sbus_req, error);
+}
+
+struct array_arg {
+ char **dbus_array;
+};
+
+static int array_arg_destructor(struct array_arg *arg)
+{
+ dbus_free_string_array(arg->dbus_array);
+ return 0;
+}
+
+static bool
+parent_dbus_string_arrays(struct sbus_request *request, int first_arg_type,
+ va_list va)
+{
+ struct array_arg *array_arg;
+ int arg_type;
+ void **arg_ptr;
+
+ /*
+ * Here we iterate through the entire thing again and look for
+ * things we need to fix allocation for. Normally certain types
+ * returned from dbus_message_get_args() and friends require
+ * later freeing. We tie those to the talloc context here.
+ *
+ * The list of argument has already been validated by the previous
+ * dbus_message_get_args() call, so we can be cheap.
+ */
+
+ arg_type = first_arg_type;
+ while (arg_type != DBUS_TYPE_INVALID) {
+
+ if (arg_type == DBUS_TYPE_ARRAY) {
+ arg_type = va_arg(va, int); /* the array element type */
+ arg_ptr = va_arg(va, void **); /* the array elements */
+ va_arg(va, int *); /* the array length */
+
+ /* Arrays of these things need to be freed */
+ if (arg_type == DBUS_TYPE_STRING ||
+ arg_type == DBUS_TYPE_OBJECT_PATH ||
+ arg_type == DBUS_TYPE_SIGNATURE) {
+
+ array_arg = talloc_zero(request, struct array_arg);
+ if (array_arg == NULL) {
+ /* no kidding ...
*/
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory while trying not to leak memory\n");
+ return false;
+ }
+
+ array_arg->dbus_array = *arg_ptr;
+ talloc_set_destructor(array_arg, array_arg_destructor);
+ }
+
+ /* A non array argument */
+ } else {
+ arg_ptr = va_arg(va, void**);
+ }
+
+ /* The next type */
+ arg_type = va_arg(va, int);
+ }
+
+ return true;
+}
+
+bool
+sbus_request_parse_or_finish(struct sbus_request *request,
+ int first_arg_type,
+ ...)
+{
+ DBusError error = DBUS_ERROR_INIT;
+ bool ret = true;
+ va_list va2;
+ va_list va;
+
+ va_start(va, first_arg_type);
+ va_copy(va2, va);
+
+ if (dbus_message_get_args_valist(request->message, &error,
+ first_arg_type, va)) {
+ ret = parent_dbus_string_arrays(request, first_arg_type, va2);
+
+ } else {
+ /* Trying to send the error back to the caller in this case is a joke */
+ if (!dbus_error_is_set(&error) &&
+ dbus_error_has_name(&error, DBUS_ERROR_NO_MEMORY)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory parsing DBus message\n");
+ sbus_request_finish(request, NULL);
+
+ /* Log other errors and send them back, this include o.f.d.InvalidArgs */
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE, "Couldn't parse DBus message %s.%s: %s\n",
+ dbus_message_get_interface(request->message),
+ dbus_message_get_member(request->message),
+ error.message);
+ sbus_request_fail_and_finish(request, &error);
+ }
+
+ dbus_error_free(&error);
+ ret = false;
+ }
+
+ va_end(va2);
+ va_end(va);
+
+ return ret;
+}
+
+struct sbus_get_sender_id_state {
+ struct sbus_connection *conn;
+ DBusConnection *sysbus_conn;
+ char *sender;
+ int64_t uid;
+};
+
+static void sbus_get_sender_id_done(DBusPendingCall *pending, void *ptr);
+
+struct tevent_req *sbus_get_sender_id_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sbus_connection *conn,
+ const char *sender)
+{
+ struct tevent_req *req;
+ struct sbus_get_sender_id_state *state;
+ DBusError dbus_error;
+ DBusMessage *msg = NULL;
+ dbus_bool_t dbret;
+ errno_t ret;
+ hash_key_t key;
+
hash_value_t value;
+
+ req = tevent_req_create(mem_ctx, &state, struct sbus_get_sender_id_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->conn = conn;
+ state->uid = -1;
+
+ if (conn->connection_type != SBUS_CONN_TYPE_SYSBUS) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Not a sysbus message, quit\n");
+ ret = EOK;
+ goto immediate;
+ }
+
+ if (sender == NULL) {
+ ret = ERR_SBUS_NO_SENDER;
+ goto immediate;
+ }
+
+ if (strcmp(sender, "org.freedesktop.DBus") == 0) {
+ ret = ERR_SBUS_SENDER_BUS;
+ goto immediate;
+ }
+
+ state->sender = talloc_strdup(state, sender);
+ if (state->sender == NULL) {
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Looking for identity of sender [%s]\n", sender);
+
+ key.type = HASH_KEY_STRING;
+ key.str = discard_const(sender);
+ ret = hash_lookup(conn->clients, &key, &value);
+ if (ret == HASH_SUCCESS) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "%s already present in the clients table\n", sender);
+ state->uid = (int64_t) value.ul;
+ ret = EOK;
+ goto immediate;
+ } else if (ret != HASH_ERROR_KEY_NOT_FOUND) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to look up %s in the clients table\n", sender);
+ ret = ERR_SBUS_GET_SENDER_ERROR;
+ goto immediate;
+ }
+
+ /* We don't know this sender yet, let's ask the system bus */
+
+ /* Connect to the well-known system bus */
+ dbus_error_init(&dbus_error);
+ state->sysbus_conn = dbus_bus_get(DBUS_BUS_SYSTEM, &dbus_error);
+ if (state->sysbus_conn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to connect to D-BUS system bus.\n");
+ ret = ERR_SBUS_GET_SENDER_ERROR;
+ goto immediate;
+ }
+ dbus_connection_set_exit_on_disconnect(state->sysbus_conn, FALSE);
+
+ /* If we ever need to get the SELinux context or the PID here, we need
+ * to call GetConnectionCredentials instead
+ */
+ msg = dbus_message_new_method_call("org.freedesktop.DBus", /* bus name */
+ "/org/freedesktop/DBus", /* path */
+ "org.freedesktop.DBus", /* interface */
+ "GetConnectionUnixUser");
+ if (msg == NULL) {
+
DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory?!\n");
+ ret = ENOMEM;
+ goto immediate;
+ }
+
+ dbret = dbus_message_append_args(msg,
+ DBUS_TYPE_STRING, &sender,
+ DBUS_TYPE_INVALID);
+ if (!dbret) {
+ ret = ERR_INTERNAL;
+ goto immediate;
+ }
+
+ ret = sss_dbus_conn_send(state->sysbus_conn, msg, 3000,
+ sbus_get_sender_id_done,
+ req, NULL);
+ dbus_message_unref(msg);
+ msg = NULL;
+ if (ret != EOK) {
+ goto immediate;
+ }
+
+ return req;
+
+immediate:
+ if (ret == EOK) {
+ tevent_req_done(req);
+ } else {
+ if (msg != NULL) {
+ dbus_message_unref(msg);
+ }
+ if (state->sysbus_conn != NULL) {
+ dbus_connection_unref(state->sysbus_conn);
+ }
+ tevent_req_error(req, ret);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static void sbus_get_sender_id_done(DBusPendingCall *pending, void *ptr)
+{
+ struct tevent_req *req;
+ struct sbus_get_sender_id_state *state;
+ DBusMessage *reply;
+ DBusError dbus_error;
+ hash_key_t key;
+ hash_value_t value;
+ dbus_bool_t dbret;
+ int ret;
+ uid_t uid;
+
+ dbus_error_init(&dbus_error);
+
+ req = talloc_get_type(ptr, struct tevent_req);
+ state = tevent_req_data(req, struct sbus_get_sender_id_state);
+
+ reply = dbus_pending_call_steal_reply(pending);
+ if (!reply) {
+ /* reply should never be null. This function shouldn't be called
+ * until reply is valid or timeout has occurred. If reply is NULL
+ * here, something is seriously wrong and we should bail out.
+ */
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Severe error.
A reply callback was called but no reply "
+ "was received and no timeout occurred\n");
+
+ ret = EIO;
+ goto done;
+ }
+
+ dbret = dbus_message_get_args(reply,
+ &dbus_error,
+ DBUS_TYPE_UINT32, &uid,
+ DBUS_TYPE_INVALID);
+ if (!dbret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not parse reply!\n");
+ ret = EIO;
+ goto done;
+ }
+
+ state->uid = uid;
+
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_steal(state->conn->clients, state->sender);
+ value.type = HASH_VALUE_UINT;
+ value.ul = state->uid;
+ ret = hash_enter(state->conn->clients, &key, &value);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not add key to hash table!\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ dbus_pending_call_unref(pending);
+ dbus_message_unref(reply);
+ dbus_connection_unref(state->sysbus_conn);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+}
+
+int sbus_get_sender_id_recv(struct tevent_req *req, int64_t *_uid)
+{
+ struct sbus_get_sender_id_state *state = \
+ tevent_req_data(req, struct sbus_get_sender_id_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_uid) {
+ *_uid = state->uid;
+ }
+
+ return EOK;
+}
diff --git a/src/sbus/sssd_dbus_server.c b/src/sbus/sssd_dbus_server.c
new file mode 100644
index 0000000..70ca8dc
--- /dev/null
+++ b/src/sbus/sssd_dbus_server.c
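Review bot: In `sbus_request_parse_or_finish` the out-of-memory test is inverted: `!dbus_error_is_set(&error) && dbus_error_has_name(&error, DBUS_ERROR_NO_MEMORY)` can never be true, because an error that is not set has no name to match. The branch that drops the request without a reply is therefore dead, and an OOM parse failure falls through to the path that tries to build and send an error reply, which the comment above it says is pointless. The condition should read `if (dbus_error_is_set(&error) && dbus_error_has_name(&error, DBUS_ERROR_NO_MEMORY)) {`. Separately, in `sbus_get_sender_id_done` the `reply == NULL` path jumps to `done:` and passes NULL to `dbus_message_unref(reply)`; guarding that call with `if (reply != NULL)` keeps the error path clean.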
@@ -0,0 +1,400 @@
+/*
+ SSSD
+
+ Service monitor - D-BUS features
+
+ Copyright (C) Stephen Gallagher 2008
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_private.h"
+
+static int sbus_server_destructor(void *ctx);
+
+struct new_connection_data {
+ struct sbus_connection *server;
+ void *client_destructor_data;
+};
+
+/*
+ * new_connection_callback
+ * Actions to be run upon each new client connection
+ * Must either perform dbus_connection_ref() on the
+ * new connection or else close the connection with
+ * dbus_connection_close()
+ */
+static void sbus_server_init_new_connection(DBusServer *dbus_server,
+ DBusConnection *dbus_conn,
+ void *data)
+{
+ struct new_connection_data *ncd;
+ struct sbus_connection *conn;
+ int ret;
+
+ DEBUG(SSSDBG_FUNC_DATA,"Entering.\n");
+ ncd = talloc_get_type(data, struct new_connection_data);
+ if (!ncd) {
+ return;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA,"Adding connection %p.\n", dbus_conn);
+ ret = sbus_init_connection(ncd->server, ncd->server->ev, dbus_conn,
+ SBUS_CONN_TYPE_PRIVATE, NULL,
+ ncd->client_destructor_data, &conn);
+ if (ret != 0) {
+ dbus_connection_close(dbus_conn);
+ DEBUG(SSSDBG_FUNC_DATA, "Closing connection (failed setup)\n");
+ return;
+ }
+
+ dbus_connection_ref(dbus_conn);
+
+ DEBUG(SSSDBG_FUNC_DATA,"Got a connection\n");
+
+
/*
+ * Initialize connection-specific features
+ * This function (or its callbacks) should also
+ * set up connection-specific methods.
+ */
+ ret = ncd->server->srv_init_fn(conn, ncd->server->srv_init_data);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,"Initialization failed!\n");
+ dbus_connection_close(dbus_conn);
+ talloc_zfree(conn);
+ }
+}
+
+const char *
+get_socket_address(TALLOC_CTX *mem_ctx, const char *address, bool use_symlink)
+{
+ if (!use_symlink) {
+ return talloc_strdup(mem_ctx, address);
+ }
+
+ return talloc_asprintf(mem_ctx,
+ "%s.%lu", address, (unsigned long) getpid());
+}
+
+static errno_t
+create_socket_symlink(const char *filename, const char *symlink_filename)
+{
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Symlinking the dbus path %s to a link %s\n",
+ filename, symlink_filename);
+ errno = 0;
+ ret = symlink(filename, symlink_filename);
+ if (ret != 0 && errno == EEXIST) {
+ /* Perhaps cruft after a previous server? */
+ errno = 0;
+ ret = unlink(symlink_filename);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot remove old symlink '%s': [%d][%s].\n",
+ symlink_filename, ret, strerror(ret));
+ return EIO;
+ }
+ errno = 0;
+ ret = symlink(filename, symlink_filename);
+ }
+
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "symlink() failed on file '%s': [%d][%s].\n",
+ filename, ret, strerror(ret));
+ return EIO;
+ }
+
+ return EOK;
+}
+
+static errno_t
+remove_socket_symlink(const char *symlink_name)
+{
+ errno_t ret;
+ char target[PATH_MAX];
+ char pidpath[PATH_MAX];
+ ssize_t numread = 0;
+
+ errno = 0;
+ numread = readlink(symlink_name, target, PATH_MAX-1);
+ if (numread < 0) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "readlink failed [%d]: %s\n", ret, strerror(ret));
+ return ret;
+ }
+ target[numread] = '\0';
+ DEBUG(SSSDBG_TRACE_ALL, "The symlink points to [%s]\n", target);
+
+ /* We can only remove the symlink if it points to a socket with
+ * the same PID */
+ ret = snprintf(pidpath,
PATH_MAX, "%s.%lu",
+ symlink_name, (unsigned long) getpid());
+ if (ret < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "snprintf failed\n");
+ return EIO;
+ } else if (ret >= PATH_MAX) {
+ DEBUG(SSSDBG_OP_FAILURE, "path too long?!?!\n");
+ return EIO;
+ }
+ DEBUG(SSSDBG_TRACE_ALL, "The path including our pid is [%s]\n", pidpath);
+
+ if (strcmp(pidpath, target) != 0) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Will not remove symlink, seems to be owned by "
+ "another process\n");
+ return EOK;
+ }
+
+ ret = unlink(symlink_name);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "unlink failed to remove [%s] [%d]: %s\n",
+ symlink_name, ret, strerror(ret));
+ return ret;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Removed the symlink\n");
+ return EOK;
+}
+
+/*
+ * dbus_new_server
+ * Set up a D-BUS server, integrate with the event loop
+ * for handling file descriptor and timed events
+ */
+int sbus_new_server(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *address,
+ uid_t uid, gid_t gid,
+ bool use_symlink,
+ struct sbus_connection **_server,
+ sbus_server_conn_init_fn init_fn,
+ void *init_pvt_data,
+ void *client_destructor_data)
+{
+ struct sbus_connection *server;
+ DBusServer *dbus_server;
+ DBusError dbus_error;
+ dbus_bool_t dbret;
+ char *tmp;
+ int ret, tmp_ret;
+ char *filename;
+ char *symlink_filename = NULL;
+ const char *socket_address;
+ struct stat stat_buf;
+ TALLOC_CTX *tmp_ctx;
+ struct new_connection_data *ncd;
+
+ *_server = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ socket_address = get_socket_address(tmp_ctx, address, use_symlink);
+ if (!socket_address) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Set up D-BUS server */
+ dbus_error_init(&dbus_error);
+ dbus_server = dbus_server_listen(socket_address, &dbus_error);
+ if (!dbus_server) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "dbus_server_listen failed!
(name=%s, message=%s)\n",
+ dbus_error.name, dbus_error.message);
+ if (dbus_error_is_set(&dbus_error)) dbus_error_free(&dbus_error);
+ ret = EIO;
+ goto done;
+ }
+
+ filename = strchr(socket_address, '/');
+ if (filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected dbus address [%s].\n", socket_address);
+ ret = EIO;
+ goto done;
+ }
+
+ if (use_symlink) {
+ symlink_filename = strchr(address, '/');
+ if (symlink_filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unexpected dbus address [%s].\n", address);
+ ret = EIO;
+ goto done;
+ }
+
+ ret = create_socket_symlink(filename, symlink_filename);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not create symlink [%d]: %s\n",
+ ret, strerror(ret));
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ /* Both check_file and chmod can handle both the symlink and
+ * the socket */
+ ret = check_file(filename,
+ getuid(), getgid(), S_IFSOCK, S_IFMT, &stat_buf, true);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "check_file failed for [%s].\n", filename);
+ ret = EIO;
+ goto done;
+ }
+
+ if ((stat_buf.st_mode & ~S_IFMT) != (S_IRUSR|S_IWUSR)) {
+ ret = chmod(filename, (S_IRUSR|S_IWUSR));
+ if (ret != EOK) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "chmod failed for [%s]: [%d][%s].\n", filename, ret,
+ sss_strerror(ret));
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ if (stat_buf.st_uid != uid || stat_buf.st_gid != gid) {
+ ret = chown(filename, uid, gid);
+ if (ret != EOK) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "chown failed for [%s]: [%d][%s].\n", filename, ret,
+ sss_strerror(ret));
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ tmp = dbus_server_get_address(dbus_server);
+ DEBUG(SSSDBG_TRACE_FUNC, "D-BUS Server listening on %s\n", tmp);
+ free(tmp);
+
+ server = talloc_zero(tmp_ctx, struct sbus_connection);
+ if (!server) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ server->ev = ev;
+ server->type = SBUS_SERVER;
+ server->dbus.server = dbus_server;
+ server->srv_init_fn = init_fn;
+ server->srv_init_data =
init_pvt_data;
+
+ talloc_set_destructor((TALLOC_CTX *)server, sbus_server_destructor);
+
+ if (use_symlink) {
+ server->symlink = talloc_strdup(server, symlink_filename);
+ if (!server->symlink) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ /* This structure must be alive while server is alive. That's the
+ * reason for using server as its talloc context.
+ */
+ ncd = talloc_zero((TALLOC_CTX *)server, struct new_connection_data);
+ if (!ncd) {
+ ret = ENOMEM;
+ goto done;
+ }
+ ncd->server = server;
+ ncd->client_destructor_data = client_destructor_data;
+
+ /* Set up D-BUS new connection handler */
+ dbus_server_set_new_connection_function(server->dbus.server,
+ sbus_server_init_new_connection,
+ ncd, NULL);
+
+ /* Set up DBusWatch functions */
+ dbret = dbus_server_set_watch_functions(server->dbus.server,
+ sbus_add_watch,
+ sbus_remove_watch,
+ sbus_toggle_watch,
+ server, NULL);
+ if (!dbret) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Error setting up D-BUS server watch functions\n");
+ ret = EIO;
+ goto done;
+ }
+
+ /* Set up DBusTimeout functions */
+ dbret = dbus_server_set_timeout_functions(server->dbus.server,
+ sbus_add_timeout,
+ sbus_remove_timeout,
+ sbus_toggle_timeout,
+ server, NULL);
+ if (!dbret) {
+ DEBUG(SSSDBG_CONF_SETTINGS,
+ "Error setting up D-BUS server timeout functions\n");
+ dbus_server_set_watch_functions(server->dbus.server,
+ NULL, NULL, NULL, NULL, NULL);
+ ret = EIO;
+ goto done;
+ }
+
+ *_server = talloc_steal(mem_ctx, server);
+ ret = EOK;
+
+done:
+ if (ret != EOK && symlink_filename) {
+ tmp_ret = unlink(symlink_filename);
+ /* non-fatal failure */
+ if (tmp_ret != EOK) {
+ tmp_ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to remove symbolic link '%s': %d [%s]!\n",
+ symlink_filename, tmp_ret, sss_strerror(tmp_ret));
+ }
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int sbus_server_destructor(void *ctx)
+{
+ struct sbus_connection *server;
+ errno_t ret;
+
+ server = talloc_get_type(ctx, struct sbus_connection);
+
dbus_server_disconnect(server->dbus.server);
+
+ if (server->symlink) {
+ ret = remove_socket_symlink(server->symlink);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not remove the server symlink\n");
+ }
+ }
+
+ return 0;
+}
diff --git a/src/sbus/sssd_dbus_signals.c b/src/sbus/sssd_dbus_signals.c
new file mode 100644
index 0000000..be1c852
--- /dev/null
+++ b/src/sbus/sssd_dbus_signals.c
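Review bot: `sbus_new_server` leaks the listening `DBusServer` on every `goto done` taken between the successful `dbus_server_listen()` and `talloc_set_destructor(server, sbus_server_destructor)`. The symlink, `check_file`, `chmod`, `chown` and `talloc_zero` failure paths return without disconnecting or unreferencing it, so the socket stays bound, possibly before its mode was tightened to `S_IRUSR|S_IWUSR`. The cleanup below needs `dbus_server` and `server` initialised to NULL, because `done:` is also reached before either is assigned. Once the destructor is attached, freeing `tmp_ctx` already disconnects the server, which is why the new block runs only while `server` is still NULL.

```c
    struct sbus_connection *server = NULL;
    DBusServer *dbus_server = NULL;
    /* … unchanged: address setup, dbus_server_listen, symlink, permission checks, handler registration … */
done:
    /* Before the talloc destructor is attached nothing else closes the
     * listening socket, so release it here on failure. */
    if (ret != EOK && dbus_server != NULL && server == NULL) {
        dbus_server_disconnect(dbus_server);
        dbus_server_unref(dbus_server);
    }
    /* … unchanged: symlink removal, talloc_free(tmp_ctx), return ret … */
```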
@@ -0,0 +1,262 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/sss_ptr_hash.h"
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_private.h"
+
+static int sbus_incoming_signal_destructor(struct sbus_incoming_signal *a_signal)
+{
+ dbus_message_unref(a_signal->message);
+ return 0;
+}
+
+static struct sbus_incoming_signal *
+sbus_new_incoming_signal(struct sbus_connection *conn,
+ DBusMessage *message)
+{
+ struct sbus_incoming_signal *a_signal;
+
+ a_signal = talloc_zero(conn, struct sbus_incoming_signal);
+ if (a_signal == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory allocating D-Bus signal\n");
+ return NULL;
+ }
+
+ a_signal->conn = conn;
+ a_signal->message = dbus_message_ref(message);
+ a_signal->interface = dbus_message_get_interface(message);
+ a_signal->signal = dbus_message_get_member(message);
+ a_signal->path = dbus_message_get_path(message);
+
+ talloc_set_destructor(a_signal, sbus_incoming_signal_destructor);
+
+ return a_signal;
+}
+
+struct sbus_incoming_signal_data {
+ sbus_incoming_signal_fn handler_fn;
+ void *handler_data;
+};
+
+hash_table_t *
+sbus_incoming_signal_hash_init(TALLOC_CTX *mem_ctx)
+{
+ return sss_ptr_hash_create(mem_ctx, NULL, NULL);
+}
+
+static errno_t
+sbus_incoming_signal_hash_add(hash_table_t *table,
+ const char *iface,
+ const
char *a_signal, + sbus_incoming_signal_fn handler_fn, + void *handler_data) +{ + TALLOC_CTX *tmp_ctx; + struct sbus_incoming_signal_data *data; + char *key; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + key = talloc_asprintf(tmp_ctx, "%s.%s", iface, a_signal); + if (key == NULL) { + ret = ENOMEM; + goto done; + } + + data = talloc_zero(tmp_ctx, struct sbus_incoming_signal_data); + if (data == NULL) { + ret = ENOMEM; + goto done; + } + + data->handler_data = handler_data; + data->handler_fn = handler_fn; + + ret = sss_ptr_hash_add(table, key, data, struct sbus_incoming_signal_data); + if (ret != EOK) { + goto done; + } + + talloc_steal(table, data); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static struct sbus_incoming_signal_data * +sbus_incoming_signal_hash_lookup(hash_table_t *table, + const char *iface, + const char *a_signal) +{ + struct sbus_incoming_signal_data *data; + char *key; + + key = talloc_asprintf(NULL, "%s.%s", iface, a_signal); + if (key == NULL) { + return NULL; + } + + data = sss_ptr_hash_lookup(table, key, struct sbus_incoming_signal_data); + talloc_free(key); + + return data; +} + +errno_t +sbus_signal_listen(struct sbus_connection *conn, + const char *iface, + const char *a_signal, + sbus_incoming_signal_fn handler_fn, + void *handler_data) +{ + TALLOC_CTX *tmp_ctx; + const char *rule; + DBusError error; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + dbus_error_init(&error); + + ret = sbus_incoming_signal_hash_add(conn->incoming_signals, iface, + a_signal, handler_fn, handler_data); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to register signal handler " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + rule = talloc_asprintf(tmp_ctx, "type='signal',interface='%s',member='%s'", + iface, a_signal); + if (rule == NULL) { + ret = ENOMEM; + goto 
done; + } + + dbus_bus_add_match(conn->dbus.conn, rule, &error); + if (dbus_error_is_set(&error)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot add D-Bus match rule, cause: %s\n", error.message); + ret = EIO; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Listening to signal %s.%s\n", iface, a_signal); + +done: + dbus_error_free(&error); + talloc_free(tmp_ctx); + + return ret; +} + +static void +sbus_signal_handler_got_caller_id(struct tevent_req *req); + +DBusHandlerResult +sbus_signal_handler(DBusConnection *dbus_conn, + DBusMessage *message, + void *handler_data) +{ + struct tevent_req *req; + struct sbus_connection *conn; + struct sbus_incoming_signal *a_signal; + const char *sender; + int type; + + type = dbus_message_get_type(message); + if (type != DBUS_MESSAGE_TYPE_SIGNAL) { + /* We ignore other types here. */ + return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; + } + + conn = talloc_get_type(handler_data, struct sbus_connection); + sender = dbus_message_get_sender(message); + + /* we have a valid handler, create D-Bus request */ + a_signal = sbus_new_incoming_signal(conn, message); + if (a_signal == NULL) { + return DBUS_HANDLER_RESULT_NEED_MEMORY; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Received D-Bus signal %s.%s\n", + a_signal->interface, a_signal->signal); + + /* now get the sender ID */ + req = sbus_get_sender_id_send(a_signal, conn->ev, conn, sender); + if (req == NULL) { + talloc_free(a_signal); + return DBUS_HANDLER_RESULT_NEED_MEMORY; + } + tevent_req_set_callback(req, sbus_signal_handler_got_caller_id, a_signal); + + return DBUS_HANDLER_RESULT_HANDLED; +} + +static void +sbus_signal_handler_got_caller_id(struct tevent_req *req) +{ + struct sbus_incoming_signal_data *signal_data; + struct sbus_incoming_signal *a_signal; + errno_t ret; + + a_signal = tevent_req_callback_data(req, struct sbus_incoming_signal); + + ret = sbus_get_sender_id_recv(req, &a_signal->client); + if (ret == ERR_SBUS_SENDER_BUS) { + DEBUG(SSSDBG_TRACE_FUNC, "Got a signal from the bus..\n"); 
+ } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to resolve caller's ID: %s\n", sss_strerror(ret)); + goto done; + } + + signal_data = sbus_incoming_signal_hash_lookup( + a_signal->conn->incoming_signals, + a_signal->interface, + a_signal->signal); + if (signal_data == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Received signal %s.%s that we are " + "not listening to.\n", a_signal->interface, a_signal->signal); + goto done; + } + + signal_data->handler_fn(a_signal, signal_data->handler_data); + +done: + talloc_free(a_signal); +} diff --git a/src/sbus/sssd_dbus_utils.c b/src/sbus/sssd_dbus_utils.c new file mode 100644 index 0000000..b0150e2 --- /dev/null +++ b/src/sbus/sssd_dbus_utils.c 
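Review bot: The match rule built in `sbus_signal_listen()` is `type='signal',interface='%s',member='%s'` with no `sender=` key, and `sbus_signal_handler_got_caller_id()` calls `handler_fn` for any sender whose ID resolves, so every peer on the bus that can emit that interface/member reaches the registered handler. The resolved ID is stored in `a_signal->client` but nothing in this file compares it against an expected value; whether the individual handlers do so is not visible here. I would state that contract on `sbus_signal_listen()`, e.g. `/* handler_fn is invoked for signals from any bus peer; it must check a_signal->client before acting. */`. Separately, when `dbus_bus_add_match()` fails the function returns `EIO` but the entry added by `sbus_incoming_signal_hash_add()` stays in `conn->incoming_signals`, so the caller is told registration failed while the handler remains installed.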
@@ -0,0 +1,277 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "util/util.h"
+
+struct sbus_talloc_msg {
+ DBusMessage *msg;
+ dbus_int32_t data_slot;
+ bool in_talloc_destructor;
+};
+
+static int sbus_talloc_msg_destructor(struct sbus_talloc_msg *talloc_msg)
+{
+ talloc_msg->in_talloc_destructor = true;
+
+ if (talloc_msg->msg == NULL) {
+ return 0;
+ }
+
+ /* There may exist more references to this message but this talloc
+ * context is no longer valid. We remove dbus message data to invoke
+ * dbus destructor now. */
+ dbus_message_set_data(talloc_msg->msg, talloc_msg->data_slot, NULL, NULL);
+ dbus_message_unref(talloc_msg->msg);
+ return 0;
+}
+
+static void sbus_msg_data_destructor(void *ctx)
+{
+ struct sbus_talloc_msg *talloc_msg;
+
+ talloc_msg = talloc_get_type(ctx, struct sbus_talloc_msg);
+
+ dbus_message_free_data_slot(&talloc_msg->data_slot);
+
+ if (!talloc_msg->in_talloc_destructor) {
+ /* References to this message dropped to zero but through
+ * dbus_message_unref(), not by calling talloc_free(). We need to free
+ * the talloc context and avoid running talloc desctuctor. */
+ talloc_set_destructor(talloc_msg, NULL);
+ talloc_free(talloc_msg);
+ }
+}
+
+errno_t sbus_talloc_bound_message(TALLOC_CTX *mem_ctx, DBusMessage *msg)
+{
+ struct sbus_talloc_msg *talloc_msg;
+ dbus_int32_t data_slot = -1;
+ DBusFreeFunction free_fn;
+ dbus_bool_t bret;
+
+ /* Create a talloc context that will unreference this message when
+ * the parent context is freed. */
+ talloc_msg = talloc(mem_ctx, struct sbus_talloc_msg);
+ if (talloc_msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to bound D-Bus message with talloc context!\n");
+ return ENOMEM;
+ }
+
+ /* Allocate a dbus message data slot that will contain point to the
+ * talloc context so we can pick up cases when the dbus message is
+ * freed through dbus api. */
+ bret = dbus_message_allocate_data_slot(&data_slot);
+ if (!bret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to allocate data slot!\n");
+ talloc_free(talloc_msg);
+ return ENOMEM;
+ }
+
+ free_fn = sbus_msg_data_destructor;
+ bret = dbus_message_set_data(msg, data_slot, talloc_msg, free_fn);
+ if (!bret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to set message data!\n");
+ talloc_free(talloc_msg);
+ dbus_message_free_data_slot(&data_slot);
+ return ENOMEM;
+ }
+
+ talloc_msg->msg = msg;
+ talloc_msg->data_slot = data_slot;
+ talloc_msg->in_talloc_destructor = false;
+
+ talloc_set_destructor(talloc_msg, sbus_talloc_msg_destructor);
+
+ return EOK;
+}
+
+errno_t sbus_error_to_errno(DBusError *error)
+{
+ static struct {
+ const char *name;
+ errno_t ret;
+ } list[] = { { SBUS_ERROR_INTERNAL, ERR_INTERNAL },
+ { SBUS_ERROR_NOT_FOUND, ENOENT },
+ { SBUS_ERROR_UNKNOWN_DOMAIN, ERR_DOMAIN_NOT_FOUND },
+ { SBUS_ERROR_DP_FATAL, ERR_TERMINATED },
+ { SBUS_ERROR_DP_OFFLINE, ERR_OFFLINE },
+ { SBUS_ERROR_DP_NOTSUP, ENOTSUP },
+ { NULL, ERR_INTERNAL } };
+ int i;
+
+ if (!dbus_error_is_set(error)) {
+ return EOK;
+ }
+
+ for (i = 0; list[i].name != NULL; i++) {
+ if (dbus_error_has_name(error, list[i].name)) {
+ return list[i].ret;
+ }
+ }
+
+ return EIO;
+}
+
+errno_t sbus_check_reply(DBusMessage *reply)
+{
+ dbus_bool_t bret;
+ DBusError error;
+ errno_t ret;
+
+ dbus_error_init(&error);
+
+ switch (dbus_message_get_type(reply)) {
+ case DBUS_MESSAGE_TYPE_METHOD_RETURN:
+ ret = EOK;
+ goto done;
+
+ case DBUS_MESSAGE_TYPE_ERROR:
+ bret = dbus_set_error_from_message(&error, reply);
+ if (bret == false) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read error from message\n");
+ ret = EIO;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "D-Bus error [%s]: %s\n",
+ error.name, (error.message == NULL ? "(null)" : error.message));
+ ret = sbus_error_to_errno(&error);
+ goto done;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unexpected D-Bus message type?\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+done:
+ dbus_error_free(&error);
+
+ return ret;
+}
+
+DBusMessage *sbus_create_message_valist(TALLOC_CTX *mem_ctx,
+ const char *bus,
+ const char *path,
+ const char *iface,
+ const char *method,
+ int first_arg_type,
+ va_list va)
+{
+ DBusMessage *msg;
+ dbus_bool_t bret;
+ errno_t ret;
+
+ msg = dbus_message_new_method_call(bus, path, iface, method);
+ if (msg == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create message\n");
+ return NULL;
+ }
+
+ bret = dbus_message_append_args_valist(msg, first_arg_type, va);
+ if (!bret) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_talloc_bound_message(mem_ctx, msg);
+
+done:
+ if (ret != EOK) {
+ dbus_message_unref(msg);
+ }
+
+ return msg;
+}
+
+DBusMessage *_sbus_create_message(TALLOC_CTX *mem_ctx,
+ const char *bus,
+ const char *path,
+ const char *iface,
+ const char *method,
+ int first_arg_type,
+ ...)
+{
+ DBusMessage *msg;
+ va_list va;
+
+ va_start(va, first_arg_type);
+ msg = sbus_create_message_valist(mem_ctx, bus, path, iface, method,
+ first_arg_type, va);
+ va_end(va);
+
+ return msg;
+}
+
+errno_t sbus_parse_message_valist(DBusMessage *msg,
+ bool check_reply,
+ int first_arg_type,
+ va_list va)
+{
+ DBusError error;
+ dbus_bool_t bret;
+ errno_t ret;
+
+ if (check_reply) {
+ ret = sbus_check_reply(msg);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ dbus_error_init(&error);
+
+ bret = dbus_message_get_args_valist(msg, &error, first_arg_type, va);
+ if (bret == false) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse D-Bus message\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_error_to_errno(&error);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse D-Bus message [%s]: %s\n",
+ error.name, error.message);
+ goto done;
+ }
+
+done:
+ dbus_error_free(&error);
+ return ret;
+}
+
+errno_t _sbus_parse_message(DBusMessage *msg,
+ bool check_reply,
+ int first_arg_type,
+ ...)
+{
+ errno_t ret;
+ va_list va;
+
+ va_start(va, first_arg_type);
+ ret = sbus_parse_message_valist(msg, check_reply, first_arg_type, va);
+ va_end(va);
+
+ return ret;
+}
diff --git a/src/sbus/sssd_dbus_utils.h b/src/sbus/sssd_dbus_utils.h
new file mode 100644
index 0000000..e53a7fa
--- /dev/null
+++ b/src/sbus/sssd_dbus_utils.h
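Review bot: `sbus_create_message_valist()` returns a pointer it has already released on its error path: at `done:` the message is dropped with `dbus_message_unref(msg)` when `ret != EOK`, and the following `return msg;` hands the same pointer back, so a caller that only tests for NULL goes on to use a message whose last reference is gone. Both the `dbus_message_append_args_valist()` failure and a failing `sbus_talloc_bound_message()` take this path. Clear the pointer after releasing it, `dbus_message_unref(msg); msg = NULL;`. `_sbus_create_message()` forwards the return value unchanged, so it is covered by the same one-line fix.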
@@ -0,0 +1,71 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SSSD_DBUS_UTILS_H_
+#define SSSD_DBUS_UTILS_H_
+
+errno_t sbus_talloc_bound_message(TALLOC_CTX *mem_ctx, DBusMessage *msg);
+errno_t sbus_error_to_errno(DBusError *error);
+errno_t sbus_check_reply(DBusMessage *reply);
+
+/* Creates a DBusMessage from a vararg list. Please note that even though
+ * this function and sbus_create_message accept a talloc memory context,
+ * it is not valid to free the resulting message with talloc_free() directly.
+ * Instead, either free the parent memory context or directly call
+ * dbus_message_unref on the message if you pass NULL memory context to
+ * these functions
+ */
+DBusMessage *sbus_create_message_valist(TALLOC_CTX *mem_ctx,
+ const char *bus,
+ const char *path,
+ const char *iface,
+ const char *method,
+ int first_arg_type,
+ va_list va);
+
+DBusMessage *_sbus_create_message(TALLOC_CTX *mem_ctx,
+ const char *bus,
+ const char *path,
+ const char *iface,
+ const char *method,
+ int first_arg_type,
+ ...);
+
+#define sbus_create_message(mem_ctx, bus, path, iface, method, ...) \
+ _sbus_create_message(mem_ctx, bus, path, iface, method, \
+ ##__VA_ARGS__, DBUS_TYPE_INVALID)
+
+errno_t sbus_parse_message_valist(DBusMessage *msg,
+ bool check_reply,
+ int first_arg_type,
+ va_list va);
+
+errno_t _sbus_parse_message(DBusMessage *msg,
+ bool check_reply,
+ int first_arg_type,
+ ...);
+
+#define sbus_parse_message(msg, ...) \
+ _sbus_parse_message(msg, false, ##__VA_ARGS__, DBUS_TYPE_INVALID)
+
+#define sbus_parse_reply(msg, ...) \
+ _sbus_parse_message(msg, true, ##__VA_ARGS__, DBUS_TYPE_INVALID)
+
+#endif /* SSSD_DBUS_UTILS_H_ */
diff --git a/src/shared/io.h b/src/shared/io.h
new file mode 100644
index 0000000..26caa52
--- /dev/null
+++ b/src/shared/io.h
@@ -0,0 +1,33 @@
+/*
+ SSSD
+
+ SSSD Utility functions
+
+ Copyright (C) Lukas Slebodnik 2013
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SHARED_IO_H_
+#define _SHARED_IO_H_
+
+/* CAUTION:
+ * This file is also used in sss_client (pam, nss). Therefore it have to be
+ * minimalist and cannot include DEBUG macros or header file util.h.
+ */
+
+int sss_open_cloexec(const char *pathname, int flags, int *ret);
+int sss_openat_cloexec(int dir_fd, const char *pathname, int flags, int *ret);
+
+#endif /* _SHARED_IO_H_ */
diff --git a/src/shared/murmurhash3.h b/src/shared/murmurhash3.h
new file mode 100644
index 0000000..2767183
--- /dev/null
+++ b/src/shared/murmurhash3.h
@@ -0,0 +1,21 @@
+/* This file is based on the public domain MurmurHash3 from Austin Appleby:
+ * http://code.google.com/p/smhasher/source/browse/trunk/MurmurHash3.cpp
+ *
+ * We use only the 32 bit variant because the 2 produce different result while
+ * we need to produce the same result regardless of the architecture as
+ * clients can be both 64 or 32 bit at the same time.
+ */
+
+#ifndef _SHARED_MURMURHASH3_H_
+#define _SHARED_MURMURHASH3_H_
+
+/* CAUTION:
+ * This file is also used in sss_client (pam, nss). Therefore it have to be
+ * minimalist and cannot include DEBUG macros or header file util.h.
+ */
+
+#include
+
+uint32_t murmurhash3(const char *key, int len, uint32_t seed);
+
+#endif /* _SHARED_MURMURHASH3_H_ */
diff --git a/src/shared/safealign.h b/src/shared/safealign.h
new file mode 100644
index 0000000..b00c37f
--- /dev/null
+++ b/src/shared/safealign.h
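Review bot: The prototype `murmurhash3(const char *key, int len, uint32_t seed)` takes the length as a signed `int`, so a caller holding a `size_t` length narrows it implicitly and a negative value is representable; the implementation is not part of this hunk, so how it treats `len < 0` cannot be checked here. The header also gives no guidance on where the hash may be used. I would add a comment on the declaration along the lines of `/* len must be >= 0. MurmurHash3 is not collision-resistant: do not rely on it where keys are attacker-chosen and the seed is predictable. */`.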
@@ -0,0 +1,146 @@
+/*
+ SSSD
+
+ Authors:
+ Simo Sorce
+
+ Copyright (C) Red Hat, Inc 2007
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SHARED_SAFEALIGN_H
+#define _SHARED_SAFEALIGN_H
+
+/* CAUTION:
+ * This file is also used in sss_client (pam, nss). Therefore it have to be
+ * minimalist and cannot include DEBUG macros or header file util.h.
+ */
+
+#include
+#include
+
+/* Use this macro to suppress alignment warnings (use it
+ * only to suppress false-positives) */
+#define DISCARD_ALIGN(ptr, type) ((type)(void *)(ptr))
+
+#define IS_ALIGNED(ptr, type) \
+ ((uintptr_t)(ptr) % sizeof(type) == 0)
+
+#define PADDING_SIZE(base, type) \
+ ((sizeof(type) - ((base) % sizeof(type))) % sizeof(type))
+
+#define SIZE_T_OVERFLOW(current, add) \
+ (((size_t)(add)) > (SIZE_MAX - ((size_t)(current))))
+
+static inline void
+safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
+{
+ memcpy(dest, src, n);
+ if (counter) {
+ *counter += n;
+ }
+}
+
+#define SAFEALIGN_SETMEM_VALUE(dest, value, type, pctr) do { \
+ type CV_MACRO_val = (type)(value); \
+ safealign_memcpy(dest, &CV_MACRO_val, sizeof(type), pctr); \
+} while(0)
+
+/* SAFEALIGN_COPY_INT64(void *dest, void *src, size_t *pctr)
+ * This macro will safely copy sizeof(int64_t) bytes from memory
+ * location pointed by 'src' to memory location pointed by 'dest'.
+ * If the 'pctr' pointer is not NULL, the value it points to will
+ * be incremented by sizeof(int64_t). */
+#define SAFEALIGN_COPY_INT64(dest, src, pctr) \
+ safealign_memcpy(dest, src, sizeof(int64_t), pctr)
+
+/* SAFEALIGN_SETMEM_INT64(void *dest, int64_t value, size_t *pctr)
+ * This macro will safely assign an int64_t value to the memory
+ * location pointed by 'dest'. If the 'pctr' pointer is not NULL,
+ * the value it points to will be incremented by sizeof(int64_t). */
+#define SAFEALIGN_SETMEM_INT64(dest, value, pctr) \
+ SAFEALIGN_SETMEM_VALUE(dest, value, int64_t, pctr)
+
+/* SAFEALIGN_COPY_UINT32(void *dest, void *src, size_t *pctr) */
+#define SAFEALIGN_COPY_UINT32(dest, src, pctr) \
+ safealign_memcpy(dest, src, sizeof(uint32_t), pctr)
+
+/* SAFEALIGN_SETMEM_UINT32(void *dest, uint32_t value, size_t *pctr) */
+#define SAFEALIGN_SETMEM_UINT32(dest, value, pctr) \
+ SAFEALIGN_SETMEM_VALUE(dest, value, uint32_t, pctr)
+
+/* SAFEALIGN_COPY_INT32(void *dest, void *src, size_t *pctr) */
+#define SAFEALIGN_COPY_INT32(dest, src, pctr) \
+ safealign_memcpy(dest, src, sizeof(int32_t), pctr)
+
+/* SAFEALIGN_SETMEM_INT32(void *dest, int32_t value, size_t *pctr) */
+#define SAFEALIGN_SETMEM_INT32(dest, value, pctr) \
+ SAFEALIGN_SETMEM_VALUE(dest, value, int32_t, pctr)
+
+/* SAFEALIGN_COPY_UINT16(void *dest, void *src, size_t *pctr) */
+#define SAFEALIGN_COPY_UINT16(dest, src, pctr) \
+ safealign_memcpy(dest, src, sizeof(uint16_t), pctr)
+
+/* SAFEALIGN_SETMEM_UINT16(void *dest, uint16_t value, size_t *pctr) */
+#define SAFEALIGN_SETMEM_UINT16(dest, value, pctr) \
+ SAFEALIGN_SETMEM_VALUE(dest, value, uint16_t, pctr)
+
+/* These macros are the same as their equivalents without _CHECK suffix,
+ * but additionally make the caller return EINVAL immediately if *pctr
+ * would exceed len. */
+#define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
+ if ((*(pctr) + sizeof(uint32_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) { return EINVAL; } \
+ safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \
+} while(0)
+
+#define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \
+ if ((*(pctr) + sizeof(int32_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) { return EINVAL; } \
+ safealign_memcpy(dest, src, sizeof(int32_t), pctr); \
+} while(0)
+
+#define SAFEALIGN_COPY_UINT16_CHECK(dest, src, len, pctr) do { \
+ if ((*(pctr) + sizeof(uint16_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(uint16_t))) { return EINVAL; } \
+ safealign_memcpy(dest, src, sizeof(uint16_t), pctr); \
+} while(0)
+
+#define SAFEALIGN_SETMEM_STRING(dest, value, length, pctr) do { \
+ const char *CV_MACRO_val = (const char *)(value); \
+ safealign_memcpy(dest, CV_MACRO_val, sizeof(char) * length, pctr); \
+} while(0)
+
+#define SAFEALIGN_MEMCPY_CHECK(dest, src, srclen, len, pctr) do { \
+ if ((*(pctr) + srclen) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), srclen)) { return EINVAL; } \
+ safealign_memcpy(dest, src, srclen, pctr); \
+} while(0)
+
+#define SAFEALIGN_COPY_UINT8_CHECK(dest, src, len, pctr) do { \
+ if ((*(pctr) + sizeof(uint8_t)) > (len) || \
+ SIZE_T_OVERFLOW(*(pctr), sizeof(uint8_t))) { return EINVAL; } \
+ safealign_memcpy(dest, src, sizeof(uint8_t), pctr); \
+} while(0)
+
+/* Aliases for backward compatibility. */
+#define SAFEALIGN_SET_VALUE SAFEALIGN_SETMEM_VALUE
+#define SAFEALIGN_SET_INT64 SAFEALIGN_SETMEM_INT64
+#define SAFEALIGN_SET_UINT32 SAFEALIGN_SETMEM_UINT32
+#define SAFEALIGN_SET_INT32 SAFEALIGN_SETMEM_INT32
+#define SAFEALIGN_SET_UINT16 SAFEALIGN_SETMEM_UINT16
+#define SAFEALIGN_SET_STRING SAFEALIGN_SETMEM_STRING
+
+#endif /* _SHARED_SAFEALIGN_H */
diff --git a/src/sss_client/COPYING b/src/sss_client/COPYING
new file mode 100644
index 0000000..94a9ed0
--- /dev/null
+++ b/src/sss_client/COPYING
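Review bot: `SAFEALIGN_MEMCPY_CHECK` and `SAFEALIGN_SETMEM_STRING` expand `srclen` and `length` without parentheses (`*(pctr) + srclen`, `sizeof(char) * length`), and `srclen` is evaluated three times, so an argument containing a lower-precedence operator or a side effect makes the bounds check differ from the copy that follows it. Parenthesize the arguments: `if ((*(pctr) + (srclen)) > (len) || \` and `safealign_memcpy(dest, CV_MACRO_val, sizeof(char) * (length), pctr);`. The comment above the `_CHECK` macros should also say that the check only compares `*pctr` plus the copy size against `len`, that neither `dest` nor `src` is bounded by the macro itself, and that the macros `return EINVAL` from the enclosing function, which skips any cleanup the caller has pending.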
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/src/sss_client/COPYING.LESSER b/src/sss_client/COPYING.LESSER new file mode 100644 index 0000000..755013b --- /dev/null 
+++ b/src/sss_client/COPYING.LESSER 
@@ -0,0 +1,165 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. 
diff --git a/src/sss_client/autofs/autofs_test_client.c b/src/sss_client/autofs/autofs_test_client.c new file mode 100644 index 0000000..f4395ff --- /dev/null +++ b/src/sss_client/autofs/autofs_test_client.c 
@@ -0,0 +1,130 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "sss_client/autofs/sss_autofs_private.h" + +struct automtent { + const char *mapname; + size_t cursor; +}; + +int main(int argc, const char *argv[]) +{ + void *ctx; + errno_t ret; + const char *mapname; + char *key = NULL; + char *value = NULL; + char *pc_key = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "by-name", 'n', POPT_ARG_STRING, &pc_key, 0, "Request map by name", NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; + + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "MAPNAME"); + + while ((ret = poptGetNextOpt(pc)) > 0) + ; + + mapname = poptGetArg(pc); + if (mapname == NULL) { + poptPrintUsage(pc, stderr, 0); + fprintf(stderr, "Please specify the automounter map name\n"); + poptFreeContext(pc); + exit(EXIT_FAILURE); + } + + poptFreeContext(pc); + + ret = _sss_setautomntent(mapname, &ctx); + if (ret) { + fprintf(stderr, "setautomntent failed [%d]: %s\n", + ret, strerror(ret)); + exit(EXIT_FAILURE); + } + printf("setautomntent done for %s\n", mapname); + + if (!pc_key) { + do { + ret = _sss_getautomntent_r(&key, &value, ctx); + if (ret == 0) { + if (!key || !value) { + 
fprintf(stderr, + "getautomntent returned success but no data?\n"); + goto end; + } + + printf("key: %s\t\tvalue: %s\n", key, value); + free(key); + key = NULL; + free(value); + value = NULL; + } + } while(ret == 0); + + if (ret != 0 && ret != ENOENT) { + fprintf(stderr, "getautomntent_r failed [%d]: %s\n", + ret, strerror(ret)); + goto end; + } + } else { + ret = _sss_getautomntbyname_r(pc_key, &value, ctx); + if (ret == ENOENT) { + fprintf(stderr, "no such entry in map\n"); + } else if (ret != 0) { + fprintf(stderr, "getautomntent_r failed [%d]: %s\n", + ret, strerror(ret)); + goto end; + } else { + if (!value) { + fprintf(stderr, "_sss_getautomntbyname_r " + "returned success but no data?\n"); + goto end; + } + + printf("key: %s\t\tvalue: %s\n", pc_key, value); + free(value); + } + } + +end: + ret = _sss_endautomntent(&ctx); + if (ret) { + fprintf(stderr, "endautomntent failed [%d]: %s\n", + ret, strerror(ret)); + exit(EXIT_FAILURE); + } + printf("endautomntent done for %s\n", mapname); + return 0; +} diff --git a/src/sss_client/autofs/sss_autofs.c b/src/sss_client/autofs/sss_autofs.c new file mode 100644 index 0000000..482ff2c --- /dev/null +++ b/src/sss_client/autofs/sss_autofs.c 
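Review bot: Every error path that jumps to `end:` still exits with status 0, because `ret` is overwritten by `_sss_endautomntent(&ctx)` and the function then runs `return 0;`. A script driving this test client therefore cannot tell a failed or inconsistent lookup from a successful one. Track the outcome in its own variable, for example `int rc = EXIT_FAILURE;` set to `EXIT_SUCCESS` only once the lookup has completed, store the cleanup result in `errno_t end_ret = _sss_endautomntent(&ctx);`, and finish with `return rc;`. The by-name branch also prints `getautomntent_r failed` although it called `_sss_getautomntbyname_r`, and a parse error from `poptGetNextOpt` (a return value below -1) is silently dropped by the `> 0` loop.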
@@ -0,0 +1,478 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "sss_client/autofs/sss_autofs_private.h" +#include "sss_client/sss_cli.h" + +/* Historically, autofs map names were just file names. Direct key names + * may be full directory paths + */ +#define MAX_AUTOMNTMAPNAME_LEN NAME_MAX +#define MAX_AUTOMNTKEYNAME_LEN PATH_MAX + +/* How many entries shall _sss_getautomntent_r retrieve at once */ +#define GETAUTOMNTENT_MAX_ENTRIES 512 + +struct automtent { + char *mapname; + size_t cursor; +}; + +static struct sss_getautomntent_data { + char *mapname; + size_t len; + size_t ptr; + uint8_t *data; +} sss_getautomntent_data; + +static void +sss_getautomntent_data_clean(void) +{ + free(sss_getautomntent_data.data); + free(sss_getautomntent_data.mapname); + memset(&sss_getautomntent_data, 0, sizeof(struct sss_getautomntent_data)); +} + +errno_t +_sss_setautomntent(const char *mapname, void **context) +{ + errno_t ret; + int errnop; + struct automtent *ctx; + char *name; + size_t name_len; + struct sss_cli_req_data rd; + uint8_t *repbuf = NULL; + size_t replen; + uint32_t num_results = 0; + + if (!mapname) return EINVAL; + + sss_nss_lock(); + + /* Make sure there are no leftovers from previous runs */ + sss_getautomntent_data_clean(); + + ret = sss_strnlen(mapname, MAX_AUTOMNTMAPNAME_LEN, &name_len); + if (ret != 0) { + ret 
= EINVAL; + goto out; + } + + name = malloc(sizeof(char)*name_len + 1); + if (name == NULL) { + ret = ENOMEM; + goto out; + } + strncpy(name, mapname, name_len + 1); + + rd.data = name; + rd.len = name_len + 1; + + ret = sss_autofs_make_request(SSS_AUTOFS_SETAUTOMNTENT, &rd, + &repbuf, &replen, &errnop); + if (ret != SSS_STATUS_SUCCESS) { + free(name); + ret = errnop; + goto out; + } + + /* Get number of results from repbuf. */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(name); + free(repbuf); + ret = ENOENT; + goto out; + } + free(repbuf); + + ctx = malloc(sizeof(struct automtent)); + if (!ctx) { + free(name); + ret = ENOMEM; + goto out; + } + + ctx->mapname = strdup(name); + if (!ctx->mapname) { + free(name); + free(ctx); + ret = ENOMEM; + goto out; + } + ctx->cursor = 0; + free(name); + + *context = ctx; + ret = 0; +out: + sss_nss_unlock(); + return ret; +} + +static errno_t +sss_getautomntent_data_return(const char *mapname, char **_key, char **_value) +{ + size_t dp; + uint32_t len = 0; + char *key = NULL; + uint32_t keylen; + char *value = NULL; + uint32_t vallen; + errno_t ret; + + if (sss_getautomntent_data.mapname == NULL || + sss_getautomntent_data.data == NULL || + sss_getautomntent_data.ptr >= sss_getautomntent_data.len) { + /* We're done with this buffer */ + ret = ENOENT; + goto done; + } + + ret = strcmp(mapname, sss_getautomntent_data.mapname); + if (ret != EOK) { + /* The map we're looking for is not cached. Let responder + * do an implicit setautomntent */ + ret = ENOENT; + goto done; + } + + dp = sss_getautomntent_data.ptr; + + SAFEALIGN_COPY_UINT32(&len, sss_getautomntent_data.data+dp, &dp); + if (len + sss_getautomntent_data.ptr > sss_getautomntent_data.len) { + /* len is bigger than the buffer */ + ret = EIO; + goto done; + } + + if (len == 0) { + /* There are no more records. 
*/ + *_key = NULL; + *_value = NULL; + ret = ENOENT; + goto done; + } + + SAFEALIGN_COPY_UINT32(&keylen, sss_getautomntent_data.data+dp, &dp); + if (keylen + dp > sss_getautomntent_data.len) { + ret = EIO; + goto done; + } + + key = malloc(keylen); + if (!key) { + ret = ENOMEM; + goto done; + } + + safealign_memcpy(key, sss_getautomntent_data.data+dp, keylen, &dp); + + SAFEALIGN_COPY_UINT32(&vallen, sss_getautomntent_data.data+dp, &dp); + if (vallen + dp > sss_getautomntent_data.len) { + ret = EIO; + goto done; + } + + value = malloc(vallen); + if (!value) { + ret = ENOMEM; + goto done; + } + + safealign_memcpy(value, sss_getautomntent_data.data+dp, vallen, &dp); + + sss_getautomntent_data.ptr = dp; + *_key = key; + *_value = value; + return EOK; + +done: + free(key); + free(value); + sss_getautomntent_data_clean(); + return ret; +} + +/* The repbuf is owned by the sss_getautomntent_data once this + * function is called */ +static errno_t +sss_getautomntent_data_save(const char *mapname, uint8_t **repbuf, size_t replen) +{ + size_t rp; + uint32_t num; + + rp = 0; + SAFEALIGN_COPY_UINT32(&num, *repbuf+rp, &rp); + if (num == 0) { + free(*repbuf); + return ENOENT; + } + + sss_getautomntent_data.mapname = strdup(mapname); + if (sss_getautomntent_data.mapname == NULL) { + free(*repbuf); + return ENOENT; + } + + sss_getautomntent_data.data = *repbuf; + sss_getautomntent_data.len = replen; + sss_getautomntent_data.ptr = rp; + *repbuf = NULL; + return EOK; +} + +errno_t +_sss_getautomntent_r(char **key, char **value, void *context) +{ + int errnop; + errno_t ret; + size_t name_len; + struct sss_cli_req_data rd; + uint8_t *repbuf = NULL; + size_t replen; + struct automtent *ctx; + size_t ctr = 0; + size_t data_len = 0; + uint8_t *data; + + sss_nss_lock(); + + ctx = (struct automtent *) context; + if (!ctx) { + ret = EINVAL; + goto out; + } + + /* Be paranoid in case someone tries to smuggle in a huge map name */ + ret = sss_strnlen(ctx->mapname, MAX_AUTOMNTMAPNAME_LEN, 
&name_len); + if (ret != 0) { + ret = EINVAL; + goto out; + } + + ret = sss_getautomntent_data_return(ctx->mapname, key, value); + if (ret == EOK) { + /* The results are available from cache. Just advance the + * cursor and return. */ + ctx->cursor++; + ret = 0; + goto out; + } + /* Don't try to handle any error codes, just go to the responder again */ + + data_len = sizeof(uint32_t) + /* mapname len */ + name_len + 1 + /* mapname\0 */ + sizeof(uint32_t) + /* index into the map */ + sizeof(uint32_t); /* num entries to retrieve */ + + data = malloc(data_len); + if (!data) { + ret = ENOMEM; + goto out; + } + + SAFEALIGN_SET_UINT32(data, name_len, &ctr); + + safealign_memcpy(data+ctr, ctx->mapname, name_len + 1, &ctr); + + SAFEALIGN_SET_UINT32(data+ctr, ctx->cursor, &ctr); + + SAFEALIGN_SET_UINT32(data+ctr, GETAUTOMNTENT_MAX_ENTRIES, &ctr); + + rd.data = data; + rd.len = data_len; + + ret = sss_autofs_make_request(SSS_AUTOFS_GETAUTOMNTENT, &rd, + &repbuf, &replen, &errnop); + free(data); + if (ret != SSS_STATUS_SUCCESS) { + ret = errnop; + goto out; + } + + /* Got reply, let's save it and return from "cache" */ + ret = sss_getautomntent_data_save(ctx->mapname, &repbuf, replen); + if (ret == ENOENT) { + /* No results */ + *key = NULL; + *value = NULL; + goto out; + } else if (ret != EOK) { + /* Unexpected error */ + goto out; + } + + ret = sss_getautomntent_data_return(ctx->mapname, key, value); + if (ret != EOK) { + goto out; + } + + /* Advance the cursor so that we'll fetch the next map + * next time getautomntent is called */ + ctx->cursor++; + ret = 0; +out: + sss_nss_unlock(); + return ret; +} + +errno_t +_sss_getautomntbyname_r(const char *key, char **value, void *context) +{ + int errnop; + errno_t ret; + struct automtent *ctx; + size_t key_len; + size_t name_len; + size_t data_len = 0; + uint8_t *data; + size_t ctr = 0; + struct sss_cli_req_data rd; + uint8_t *repbuf = NULL; + size_t replen; + + char *buf; + uint32_t len; + uint32_t vallen; + size_t rp; + + 
sss_nss_lock(); + + ctx = (struct automtent *) context; + if (!ctx || !key) { + ret = EINVAL; + goto out; + } + + /* Be paranoid in case someone tries to smuggle in a huge map name */ + ret = sss_strnlen(ctx->mapname, MAX_AUTOMNTMAPNAME_LEN, &name_len); + if (ret != 0) { + ret = EINVAL; + goto out; + } + + ret = sss_strnlen(key, MAX_AUTOMNTKEYNAME_LEN, &key_len); + if (ret != 0) { + ret = EINVAL; + goto out; + } + + + data_len = sizeof(uint32_t) + /* mapname len */ + name_len + 1 + /* mapname\0 */ + sizeof(uint32_t) + /* keyname len */ + key_len + 1; /* keyname\0 */ + + data = malloc(data_len); + if (!data) { + ret = ENOMEM; + goto out; + } + + SAFEALIGN_SET_UINT32(data, name_len, &ctr); + + safealign_memcpy(data+ctr, ctx->mapname, name_len + 1, &ctr); + + SAFEALIGN_SET_UINT32(data+ctr, key_len, &ctr); + + safealign_memcpy(data+ctr, key, key_len + 1, &ctr); + + rd.data = data; + rd.len = data_len; + + ret = sss_autofs_make_request(SSS_AUTOFS_GETAUTOMNTBYNAME, &rd, + &repbuf, &replen, &errnop); + free(data); + if (ret != SSS_STATUS_SUCCESS) { + ret = errnop; + goto out; + } + + /* Got reply, let's parse it */ + rp = 0; + SAFEALIGN_COPY_UINT32(&len, repbuf+rp, &rp); + if (len == 0) { + /* No data */ + *value = NULL; + ret = ENOENT; + goto out; + } + + SAFEALIGN_COPY_UINT32(&vallen, repbuf+rp, &rp); + if (vallen > len-rp) { + ret = EIO; + goto out; + } + + buf = malloc(vallen); + if (!buf) { + ret = ENOMEM; + goto out; + } + + safealign_memcpy(buf, repbuf+rp, vallen, &rp); + *value = buf; + + ret = 0; +out: + free(repbuf); + sss_nss_unlock(); + return ret; +} + +errno_t +_sss_endautomntent(void **context) +{ + struct automtent *fctx; + errno_t ret; + int errnop; + + if (!context) return 0; + + sss_nss_lock(); + + sss_getautomntent_data_clean(); + + fctx = (struct automtent *) *context; + + if (fctx != NULL) { + free(fctx->mapname); + free(fctx); + } + + ret = sss_autofs_make_request(SSS_AUTOFS_ENDAUTOMNTENT, + NULL, NULL, NULL, &errnop); + if (ret != 
SSS_STATUS_SUCCESS) { + ret = errnop; + goto out; + } + + ret = 0; +out: + sss_nss_unlock(); + return ret; +} diff --git a/src/sss_client/autofs/sss_autofs.exports b/src/sss_client/autofs/sss_autofs.exports new file mode 100644 index 0000000..f9ce8f5 --- /dev/null +++ b/src/sss_client/autofs/sss_autofs.exports @@ -0,0 +1,14 @@ +EXPORTED { + + # public functions + global: + _sss_setautomntent; + _sss_getautomntent_r; + _sss_getautomntbyname_r; + _sss_endautomntent; + + # everything else is local + local: + *; +}; + diff --git a/src/sss_client/autofs/sss_autofs_private.h b/src/sss_client/autofs/sss_autofs_private.h new file mode 100644 index 0000000..6459c1c --- /dev/null +++ b/src/sss_client/autofs/sss_autofs_private.h 
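Review bot: The reply parsers in sss_autofs.c take length fields from the responder's reply without comparing them with the number of bytes actually received. In `_sss_getautomntbyname_r`, `vallen` is checked only against `len`, which is itself read from the reply, and `replen` is never consulted, so an inconsistent reply lets `safealign_memcpy` read past the end of `repbuf`. `repbuf` is also dereferenced without a NULL or minimum-size check there and in `_sss_setautomntent`; this matters if `sss_autofs_make_request` (not visible here) leaves it NULL for a body-less reply, as `sss_cli_make_request_nochecks` in common.c does. `sss_getautomntent_data_return` has the same gap: `len`, `keylen` and `vallen` are each read at `dp` without first confirming that four bytes remain in the saved buffer. A sketch of the checks for the by-name parser follows; the same pattern applies to the other two functions.

```c
    /* Got reply, let's parse it */
    rp = 0;
    if (repbuf == NULL || replen < sizeof(uint32_t)) {
        ret = EIO;
        goto out;
    }
    SAFEALIGN_COPY_UINT32(&len, repbuf+rp, &rp);
    /* ... unchanged: len == 0 sets *value = NULL and returns ENOENT ... */
    if (replen - rp < sizeof(uint32_t)) {
        ret = EIO;
        goto out;
    }
    SAFEALIGN_COPY_UINT32(&vallen, repbuf+rp, &rp);
    /* Bound the value by the bytes received, not only by the
     * length the reply claims for itself. */
    if (len < rp || vallen > len - rp || vallen > replen - rp) {
        ret = EIO;
        goto out;
    }
    /* ... unchanged: malloc(vallen) and copy into *value ... */
```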
@@ -0,0 +1,45 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" + +/** + * Selects a map for processing. + */ +errno_t _sss_setautomntent(const char *mapname, void **context); + +/** + * Iterates through key/value pairs in the selected map. The key is usually + * the mount point, the value is mount information (server:/export) + */ +errno_t _sss_getautomntent_r(char **key, char **value, void *context); + +/** + * Returns value for a specific key + */ +errno_t +_sss_getautomntbyname_r(const char *key, char **value, void *context); + +/** + * Deselect a map, end the processing + */ +errno_t _sss_endautomntent(void **context); + diff --git a/src/sss_client/common.c b/src/sss_client/common.c new file mode 100644 index 0000000..67a4607 --- /dev/null +++ b/src/sss_client/common.c 
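Review bot: The doc comments on these prototypes do not say who owns the returned strings or which error codes a caller should expect. In sss_autofs.c from this same commit, `_sss_getautomntent_r` and `_sss_getautomntbyname_r` hand back malloc()ed buffers that the test client frees, and ENOENT is returned both when the map is exhausted and when a key is not found. I would add to the `_sss_getautomntent_r` comment `* On success *key and *value are malloc()ed and must be free()d by the caller; ENOENT means the map is exhausted.` and a matching line for `_sss_getautomntbyname_r`. The header also has no include guard, which is worth adding since it includes util/util.h.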
@@ -0,0 +1,1223 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2007 + * + * Winbind derived code: + * Copyright (C) Tim Potter 2000 + * Copyright (C) Andrew Tridgell 2000 + * Copyright (C) Andrew Bartlett 2002 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#define _(STRING) dgettext (PACKAGE, STRING) +#include "sss_cli.h" +#include "common_private.h" + +#if HAVE_PTHREAD +#include +#endif + +/* +* Note we set MSG_NOSIGNAL to avoid +* having to fiddle with signal masks +* but also do not want to die in case +* SIGPIPE gets raised and the application +* does not handle it. 
+*/ +#ifdef MSG_NOSIGNAL +#define SSS_DEFAULT_WRITE_FLAGS MSG_NOSIGNAL +#else +#define SSS_DEFAULT_WRITE_FLAGS 0 +#endif + +/* common functions */ + +int sss_cli_sd = -1; /* the sss client socket descriptor */ +struct stat sss_cli_sb; /* the sss client stat buffer */ + +#if HAVE_FUNCTION_ATTRIBUTE_DESTRUCTOR +__attribute__((destructor)) +#endif +static void sss_cli_close_socket(void) +{ + if (sss_cli_sd != -1) { + close(sss_cli_sd); + sss_cli_sd = -1; + } +} + +/* Requests: + * + * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) + * byte 4-7: 32bit unsigned with command code + * byte 8-11: 32bit unsigned (reserved) + * byte 12-15: 32bit unsigned (reserved) + * byte 16-X: (optional) request structure associated to the command code used + */ +static enum sss_status sss_cli_send_req(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + int timeout, + int *errnop) +{ + uint32_t header[4]; + size_t datasent; + + header[0] = SSS_NSS_HEADER_SIZE + (rd?rd->len:0); + header[1] = cmd; + header[2] = 0; + header[3] = 0; + + datasent = 0; + + while (datasent < header[0]) { + struct pollfd pfd; + int rdsent; + int res, error; + + *errnop = 0; + pfd.fd = sss_cli_sd; + pfd.events = POLLOUT; + + do { + errno = 0; + res = poll(&pfd, 1, timeout); + error = errno; + + /* If error is EINTR here, we'll try again + * If it's any other error, we'll catch it + * below. + */ + } while (error == EINTR); + + switch (res) { + case -1: + *errnop = error; + break; + case 0: + *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { + *errnop = EPIPE; + } + if (!(pfd.revents & POLLOUT)) { + *errnop = EBUSY; + } + break; + default: /* more than one available!? 
*/ + *errnop = EBADF; + break; + } + if (*errnop) { + sss_cli_close_socket(); + return SSS_STATUS_UNAVAIL; + } + + errno = 0; + if (datasent < SSS_NSS_HEADER_SIZE) { + res = send(sss_cli_sd, + (char *)header + datasent, + SSS_NSS_HEADER_SIZE - datasent, + SSS_DEFAULT_WRITE_FLAGS); + } else { + rdsent = datasent - SSS_NSS_HEADER_SIZE; + res = send(sss_cli_sd, + (const char *)rd->data + rdsent, + rd->len - rdsent, + SSS_DEFAULT_WRITE_FLAGS); + } + error = errno; + + if ((res == -1) || (res == 0)) { + if ((error == EINTR) || error == EAGAIN) { + /* If the write was interrupted, go back through + * the loop and try again + */ + continue; + } + + /* Write failed */ + sss_cli_close_socket(); + *errnop = error; + return SSS_STATUS_UNAVAIL; + } + + datasent += res; + } + + return SSS_STATUS_SUCCESS; +} + +/* Replies: + * + * byte 0-3: 32bit unsigned with length (the complete packet length: 0 to X) + * byte 4-7: 32bit unsigned with command code + * byte 8-11: 32bit unsigned with the request status (server errno) + * byte 12-15: 32bit unsigned (reserved) + * byte 16-X: (optional) reply structure associated to the command code used + */ + +static enum sss_status sss_cli_recv_rep(enum sss_cli_command cmd, + int timeout, + uint8_t **_buf, int *_len, + int *errnop) +{ + uint32_t header[4]; + size_t datarecv; + uint8_t *buf = NULL; + bool pollhup = false; + int len; + int ret; + + header[0] = SSS_NSS_HEADER_SIZE; /* until we know the real length */ + header[1] = 0; + header[2] = 0; + header[3] = 0; + + datarecv = 0; + buf = NULL; + len = 0; + *errnop = 0; + + while (datarecv < header[0]) { + struct pollfd pfd; + int bufrecv; + int res, error; + + pfd.fd = sss_cli_sd; + pfd.events = POLLIN; + + do { + errno = 0; + res = poll(&pfd, 1, timeout); + error = errno; + + /* If error is EINTR here, we'll try again + * If it's any other error, we'll catch it + * below. 
+ */ + } while (error == EINTR); + + switch (res) { + case -1: + *errnop = error; + break; + case 0: + *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLHUP)) { + pollhup = true; + } + if (pfd.revents & (POLLERR | POLLNVAL)) { + *errnop = EPIPE; + } + if (!(pfd.revents & POLLIN)) { + *errnop = EBUSY; + } + break; + default: /* more than one available!? */ + *errnop = EBADF; + break; + } + if (*errnop) { + sss_cli_close_socket(); + ret = SSS_STATUS_UNAVAIL; + goto failed; + } + + errno = 0; + if (datarecv < SSS_NSS_HEADER_SIZE) { + res = read(sss_cli_sd, + (char *)header + datarecv, + SSS_NSS_HEADER_SIZE - datarecv); + } else { + bufrecv = datarecv - SSS_NSS_HEADER_SIZE; + res = read(sss_cli_sd, + (char *) buf + bufrecv, + header[0] - datarecv); + } + error = errno; + + if ((res == -1) || (res == 0)) { + if ((error == EINTR) || error == EAGAIN) { + /* If the read was interrupted, go back through + * the loop and try again + */ + continue; + } + + /* Read failed. I think the only useful thing + * we can do here is just return -1 and fail + * since the transaction has failed half way + * through. 
*/ + + sss_cli_close_socket(); + *errnop = error; + ret = SSS_STATUS_UNAVAIL; + goto failed; + } + + datarecv += res; + + if (datarecv == SSS_NSS_HEADER_SIZE && len == 0) { + /* at this point recv buf is not yet + * allocated and the header has just + * been read, do checks and proceed */ + if (header[2] != 0) { + /* server side error */ + sss_cli_close_socket(); + *errnop = header[2]; + if (*errnop == EAGAIN) { + ret = SSS_STATUS_TRYAGAIN; + goto failed; + } else { + ret = SSS_STATUS_UNAVAIL; + goto failed; + } + } + if (header[1] != cmd) { + /* wrong command id */ + sss_cli_close_socket(); + *errnop = EBADMSG; + ret = SSS_STATUS_UNAVAIL; + goto failed; + } + if (header[0] > SSS_NSS_HEADER_SIZE) { + len = header[0] - SSS_NSS_HEADER_SIZE; + buf = malloc(len); + if (!buf) { + sss_cli_close_socket(); + *errnop = ENOMEM; + ret = SSS_STATUS_UNAVAIL; + goto failed; + } + } + } + } + + if (pollhup) { + sss_cli_close_socket(); + } + + *_len = len; + *_buf = buf; + + return SSS_STATUS_SUCCESS; + +failed: + free(buf); + return ret; +} + +/* this function will check command codes match and returned length is ok */ +/* repbuf and replen report only the data section not the header */ +static enum sss_status sss_cli_make_request_nochecks( + enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + int timeout, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + enum sss_status ret; + uint8_t *buf = NULL; + int len = 0; + + /* send data */ + ret = sss_cli_send_req(cmd, rd, timeout, errnop); + if (ret != SSS_STATUS_SUCCESS) { + return ret; + } + + /* data sent, now get reply */ + ret = sss_cli_recv_rep(cmd, timeout, &buf, &len, errnop); + if (ret != SSS_STATUS_SUCCESS) { + return ret; + } + + /* we got through, now we have the custom data in buf if any, + * return it if requested */ + if (repbuf && buf) { + *repbuf = buf; + if (replen) { + *replen = len; + } + } else { + free(buf); + if (replen) { + *replen = 0; + } + } + + return SSS_STATUS_SUCCESS; +} + +/* GET_VERSION 
Reply: + * 0-3: 32bit unsigned version number + */ + +static bool sss_cli_check_version(const char *socket_name, int timeout) +{ + uint8_t *repbuf = NULL; + size_t replen; + enum sss_status nret; + int errnop; + uint32_t expected_version; + uint32_t obtained_version; + struct sss_cli_req_data req; + + if (strcmp(socket_name, SSS_NSS_SOCKET_NAME) == 0) { + expected_version = SSS_NSS_PROTOCOL_VERSION; + } else if (strcmp(socket_name, SSS_PAM_SOCKET_NAME) == 0 || + strcmp(socket_name, SSS_PAM_PRIV_SOCKET_NAME) == 0) { + expected_version = SSS_PAM_PROTOCOL_VERSION; + } else if (strcmp(socket_name, SSS_SUDO_SOCKET_NAME) == 0) { + expected_version = SSS_SUDO_PROTOCOL_VERSION; + } else if (strcmp(socket_name, SSS_AUTOFS_SOCKET_NAME) == 0) { + expected_version = SSS_AUTOFS_PROTOCOL_VERSION; + } else if (strcmp(socket_name, SSS_SSH_SOCKET_NAME) == 0) { + expected_version = SSS_SSH_PROTOCOL_VERSION; + } else if (strcmp(socket_name, SSS_PAC_SOCKET_NAME) == 0) { + expected_version = SSS_PAC_PROTOCOL_VERSION; + } else { + return false; + } + + req.len = sizeof(expected_version); + req.data = &expected_version; + + nret = sss_cli_make_request_nochecks(SSS_GET_VERSION, &req, timeout, + &repbuf, &replen, &errnop); + if (nret != SSS_STATUS_SUCCESS) { + return false; + } + + if (!repbuf) { + return false; + } + + SAFEALIGN_COPY_UINT32(&obtained_version, repbuf, NULL); + free(repbuf); + + return (obtained_version == expected_version); +} + +/* this 2 functions are adapted from samba3 winbind's wb_common.c */ + +/* Make sure socket handle isn't stdin (0), stdout(1) or stderr(2) by setting + * the limit to 3 */ +#define RECURSION_LIMIT 3 + +static int make_nonstd_fd_internals(int fd, int limit) +{ + int new_fd; + if (fd >= 0 && fd <= 2) { +#ifdef F_DUPFD + if ((new_fd = fcntl(fd, F_DUPFD, 3)) == -1) { + return -1; + } + /* Paranoia */ + if (new_fd < 3) { + close(new_fd); + return -1; + } + close(fd); + return new_fd; +#else + if (limit <= 0) + return -1; + + new_fd = dup(fd); + if 
(new_fd == -1) + return -1; + + /* use the program stack to hold our list of FDs to close */ + new_fd = make_nonstd_fd_internals(new_fd, limit - 1); + close(fd); + return new_fd; +#endif + } + return fd; +} + +/**************************************************************************** + Set a fd into blocking/nonblocking mode. Uses POSIX O_NONBLOCK if available, + else + if SYSV use O_NDELAY + if BSD use FNDELAY + Set close on exec also. +****************************************************************************/ + +static int make_safe_fd(int fd) +{ + int result, flags; + int new_fd = make_nonstd_fd_internals(fd, RECURSION_LIMIT); + if (new_fd == -1) { + close(fd); + return -1; + } + + /* Socket should be nonblocking. */ +#ifdef O_NONBLOCK +#define FLAG_TO_SET O_NONBLOCK +#else +#ifdef SYSV +#define FLAG_TO_SET O_NDELAY +#else /* BSD */ +#define FLAG_TO_SET FNDELAY +#endif +#endif + + if ((flags = fcntl(new_fd, F_GETFL)) == -1) { + close(new_fd); + return -1; + } + + flags |= FLAG_TO_SET; + if (fcntl(new_fd, F_SETFL, flags) == -1) { + close(new_fd); + return -1; + } + +#undef FLAG_TO_SET + + /* Socket should be closed on exec() */ +#ifdef FD_CLOEXEC + result = flags = fcntl(new_fd, F_GETFD, 0); + if (flags >= 0) { + flags |= FD_CLOEXEC; + result = fcntl( new_fd, F_SETFD, flags ); + } + if (result < 0) { + close(new_fd); + return -1; + } +#endif + return new_fd; +} + +static int sss_cli_open_socket(int *errnop, const char *socket_name, int timeout) +{ + struct sockaddr_un nssaddr; + bool inprogress = true; + bool connected = false; + unsigned int wait_time; + unsigned int sleep_time; + time_t start_time = time(NULL); + int ret; + int sd; + + if (sizeof(nssaddr.sun_path) <= strlen(socket_name) + 1) { + *errnop = EINVAL; + return -1; + } + + memset(&nssaddr, 0, sizeof(struct sockaddr_un)); + nssaddr.sun_family = AF_UNIX; + strncpy(nssaddr.sun_path, socket_name, sizeof(nssaddr.sun_path)); + + sd = socket(AF_UNIX, SOCK_STREAM, 0); + if (sd == -1) { + *errnop = 
errno; + return -1; + } + + /* set as non-blocking, close on exec, and make sure standard + * descriptors are not used */ + sd = make_safe_fd(sd); + if (sd == -1) { + *errnop = errno; + return -1; + } + + /* this piece is adapted from winbind client code */ + wait_time = 0; + sleep_time = 0; + while (inprogress) { + int connect_errno = 0; + socklen_t errnosize; + struct pollfd pfd; + + wait_time += sleep_time; + + ret = connect(sd, (struct sockaddr *)&nssaddr, + sizeof(nssaddr)); + if (ret == 0) { + connected = true; + break; + } + + switch(errno) { + case EINPROGRESS: + pfd.fd = sd; + pfd.events = POLLOUT; + + ret = poll(&pfd, 1, timeout - wait_time); + + if (ret > 0) { + errnosize = sizeof(connect_errno); + ret = getsockopt(sd, SOL_SOCKET, SO_ERROR, + &connect_errno, &errnosize); + if (ret >= 0 && connect_errno == 0) { + connected = true; + break; + } + } + wait_time = time(NULL) - start_time; + break; + case EAGAIN: + if (wait_time < timeout) { + sleep_time = rand() % 2 + 1; + sleep(sleep_time); + } + break; + default: + *errnop = errno; + inprogress = false; + break; + } + + if (wait_time >= timeout) { + inprogress = false; + } + + if (connected) { + inprogress = false; + } + } + + if (!connected) { + close(sd); + return -1; + } + + ret = fstat(sd, &sss_cli_sb); + if (ret != 0) { + close(sd); + return -1; + } + + return sd; +} + +static enum sss_status sss_cli_check_socket(int *errnop, + const char *socket_name, + int timeout) +{ + static pid_t mypid; + struct stat mysb; + int mysd; + int ret; + + if (getpid() != mypid) { + ret = fstat(sss_cli_sd, &mysb); + if (ret == 0) { + if (S_ISSOCK(mysb.st_mode) && + mysb.st_dev == sss_cli_sb.st_dev && + mysb.st_ino == sss_cli_sb.st_ino) { + sss_cli_close_socket(); + } + } + sss_cli_sd = -1; + mypid = getpid(); + } + + /* check if the socket has been closed on the other side */ + if (sss_cli_sd != -1) { + struct pollfd pfd; + int res, error; + + *errnop = 0; + pfd.fd = sss_cli_sd; + pfd.events = POLLIN | POLLOUT; + + do { 
+ errno = 0; + res = poll(&pfd, 1, timeout); + error = errno; + + /* If error is EINTR here, we'll try again + * If it's any other error, we'll catch it + * below. + */ + } while (error == EINTR); + + switch (res) { + case -1: + *errnop = error; + break; + case 0: + *errnop = ETIME; + break; + case 1: + if (pfd.revents & (POLLERR | POLLHUP | POLLNVAL)) { + *errnop = EPIPE; + } + if (!(pfd.revents & (POLLIN | POLLOUT))) { + *errnop = EBUSY; + } + break; + default: /* more than one available!? */ + *errnop = EBADF; + break; + } + if (*errnop == 0) { + return SSS_STATUS_SUCCESS; + } + + sss_cli_close_socket(); + } + + mysd = sss_cli_open_socket(errnop, socket_name, timeout); + if (mysd == -1) { + return SSS_STATUS_UNAVAIL; + } + + sss_cli_sd = mysd; + + if (sss_cli_check_version(socket_name, timeout)) { + return SSS_STATUS_SUCCESS; + } + + sss_cli_close_socket(); + *errnop = EFAULT; + return SSS_STATUS_UNAVAIL; +} + +/* this function will check command codes match and returned length is ok */ +/* repbuf and replen report only the data section not the header */ +enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + int timeout, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + enum sss_status ret; + char *envval; + + /* avoid looping in the nss daemon */ + envval = getenv("_SSS_LOOPS"); + if (envval && strcmp(envval, "NO") == 0) { + return NSS_STATUS_NOTFOUND; + } + + ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME, timeout); + if (ret != SSS_STATUS_SUCCESS) { +#ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR + *errnop = 0; + errno = 0; + return NSS_STATUS_NOTFOUND; +#else + return NSS_STATUS_UNAVAIL; +#endif + } + + ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + if (ret == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { + /* try reopen socket */ + ret = sss_cli_check_socket(errnop, SSS_NSS_SOCKET_NAME, timeout); + if (ret != SSS_STATUS_SUCCESS) { +#ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR + 
*errnop = 0; + errno = 0; + return NSS_STATUS_NOTFOUND; +#else + return NSS_STATUS_UNAVAIL; +#endif + } + + /* and make request one more time */ + ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + } + switch (ret) { + case SSS_STATUS_TRYAGAIN: + return NSS_STATUS_TRYAGAIN; + case SSS_STATUS_SUCCESS: + return NSS_STATUS_SUCCESS; + case SSS_STATUS_UNAVAIL: + default: +#ifdef NONSTANDARD_SSS_NSS_BEHAVIOUR + *errnop = 0; + errno = 0; + return NSS_STATUS_NOTFOUND; +#else + return NSS_STATUS_UNAVAIL; +#endif + } +} + +enum nss_status sss_nss_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + return sss_nss_make_request_timeout(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop); +} + +int sss_pac_check_and_open(void) +{ + enum sss_status ret; + int errnop; + + ret = sss_cli_check_socket(&errnop, SSS_PAC_SOCKET_NAME, + SSS_CLI_SOCKET_TIMEOUT); + if (ret != SSS_STATUS_SUCCESS) { + return EIO; + } + + return EOK; +} + +int sss_pac_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + enum sss_status ret; + char *envval; + int timeout = SSS_CLI_SOCKET_TIMEOUT; + + /* avoid looping in the nss daemon */ + envval = getenv("_SSS_LOOPS"); + if (envval && strcmp(envval, "NO") == 0) { + return NSS_STATUS_NOTFOUND; + } + + ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME, timeout); + if (ret != SSS_STATUS_SUCCESS) { + return NSS_STATUS_UNAVAIL; + } + + ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + if (ret == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { + /* try reopen socket */ + ret = sss_cli_check_socket(errnop, SSS_PAC_SOCKET_NAME, timeout); + if (ret != SSS_STATUS_SUCCESS) { + return NSS_STATUS_UNAVAIL; + } + + /* and make request one more time */ + ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + } + switch (ret) { + case 
SSS_STATUS_TRYAGAIN: + return NSS_STATUS_TRYAGAIN; + case SSS_STATUS_SUCCESS: + return NSS_STATUS_SUCCESS; + case SSS_STATUS_UNAVAIL: + default: + return NSS_STATUS_UNAVAIL; + } +} + +int sss_pac_make_request_with_lock(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + int ret; + + sss_pac_lock(); + + ret = sss_pac_make_request(cmd, rd, repbuf, replen, errnop); + + sss_pac_unlock(); + + return ret; +} + +errno_t check_server_cred(int sockfd) +{ +#ifdef HAVE_UCRED + int ret; + struct ucred server_cred; + socklen_t server_cred_len = sizeof(server_cred); + + ret = getsockopt(sockfd, SOL_SOCKET, SO_PEERCRED, &server_cred, + &server_cred_len); + if (ret != 0) { + return errno; + } + + if (server_cred_len != sizeof(struct ucred)) { + return ESSS_BAD_CRED_MSG; + } + + if (server_cred.uid != 0 || server_cred.gid != 0) { + return ESSS_SERVER_NOT_TRUSTED; + } +#endif + return 0; +} + +int sss_pam_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + int ret, statret; + errno_t error; + enum sss_status status; + char *envval; + struct stat stat_buf; + const char *socket_name; + int timeout = SSS_CLI_SOCKET_TIMEOUT; + + sss_pam_lock(); + + /* avoid looping in the pam daemon */ + envval = getenv("_SSS_LOOPS"); + if (envval && strcmp(envval, "NO") == 0) { + ret = PAM_SERVICE_ERR; + goto out; + } + + /* only root shall use the privileged pipe */ + if (getuid() == 0 && getgid() == 0) { + socket_name = SSS_PAM_PRIV_SOCKET_NAME; + statret = stat(socket_name, &stat_buf); + if (statret != 0) { + ret = PAM_SERVICE_ERR; + goto out; + } + if ( ! 
(stat_buf.st_uid == 0 && + stat_buf.st_gid == 0 && + S_ISSOCK(stat_buf.st_mode) && + (stat_buf.st_mode & ~S_IFMT) == 0600 )) { + *errnop = ESSS_BAD_PRIV_SOCKET; + ret = PAM_SERVICE_ERR; + goto out; + } + } else { + socket_name = SSS_PAM_SOCKET_NAME; + statret = stat(socket_name, &stat_buf); + if (statret != 0) { + ret = PAM_SERVICE_ERR; + goto out; + } + if ( ! (stat_buf.st_uid == 0 && + stat_buf.st_gid == 0 && + S_ISSOCK(stat_buf.st_mode) && + (stat_buf.st_mode & ~S_IFMT) == 0666 )) { + *errnop = ESSS_BAD_PUB_SOCKET; + ret = PAM_SERVICE_ERR; + goto out; + } + } + + status = sss_cli_check_socket(errnop, socket_name, timeout); + if (status != SSS_STATUS_SUCCESS) { + ret = PAM_SERVICE_ERR; + goto out; + } + + error = check_server_cred(sss_cli_sd); + if (error != 0) { + sss_cli_close_socket(); + *errnop = error; + ret = PAM_SERVICE_ERR; + goto out; + } + + status = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + if (status == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { + /* try reopen socket */ + status = sss_cli_check_socket(errnop, socket_name, timeout); + if (status != SSS_STATUS_SUCCESS) { + ret = PAM_SERVICE_ERR; + goto out; + } + + /* and make request one more time */ + status = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + } + + if (status == SSS_STATUS_SUCCESS) { + ret = PAM_SUCCESS; + } else { + ret = PAM_SERVICE_ERR; + } + +out: + sss_pam_unlock(); + return ret; +} + +void sss_pam_close_fd(void) +{ + sss_pam_lock(); + + if (sss_cli_sd != -1) { + close(sss_cli_sd); + sss_cli_sd = -1; + } + + sss_pam_unlock(); +} + +static enum sss_status +sss_cli_make_request_with_checks(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + int timeout, + uint8_t **repbuf, size_t *replen, + int *errnop, + const char *socket_name) +{ + enum sss_status ret = SSS_STATUS_UNAVAIL; + + ret = sss_cli_check_socket(errnop, socket_name, timeout); + if (ret != SSS_STATUS_SUCCESS) { + return SSS_STATUS_UNAVAIL; + } + + ret = 
sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + if (ret == SSS_STATUS_UNAVAIL && *errnop == EPIPE) { + /* try reopen socket */ + ret = sss_cli_check_socket(errnop, socket_name, timeout); + if (ret != SSS_STATUS_SUCCESS) { + return SSS_STATUS_UNAVAIL; + } + + /* and make request one more time */ + ret = sss_cli_make_request_nochecks(cmd, rd, timeout, repbuf, replen, + errnop); + } + + return ret; +} + +int sss_sudo_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_SUDO_SOCKET_NAME); +} + +int sss_autofs_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_AUTOFS_SOCKET_NAME); +} + +int sss_ssh_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop) +{ + return sss_cli_make_request_with_checks(cmd, rd, SSS_CLI_SOCKET_TIMEOUT, + repbuf, replen, errnop, + SSS_SSH_SOCKET_NAME); +} + + +const char *ssscli_err2string(int err) +{ + const char *m; + + switch(err) { + case ESSS_BAD_PRIV_SOCKET: + return _("Privileged socket has wrong ownership or permissions."); + break; + case ESSS_BAD_PUB_SOCKET: + return _("Public socket has wrong ownership or permissions."); + break; + case ESSS_BAD_CRED_MSG: + return _("Unexpected format of the server credential message."); + break; + case ESSS_SERVER_NOT_TRUSTED: + return _("SSSD is not run by root."); + break; + default: + m = strerror(err); + if (m == NULL) { + return _("An error occurred, but no description can be found."); + } + return m; + break; + } + + return _("Unexpected error while looking for an error description"); +} + +/* Return strlen(str) or maxlen, whichever is shorter + * 
Returns EINVAL if str is NULL, EFBIG if str is longer than maxlen + * _len will return the result + * + * This function is useful for preventing buffer overflow attacks. + */ +errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len) +{ + if (!str) { + return EINVAL; + } + +#if defined __USE_GNU + *len = strnlen(str, maxlen); +#else + *len = 0; + while (*len < maxlen) { + if (str[*len] == '\0') break; + (*len)++; + } +#endif + + if (*len == maxlen && str[*len] != '\0') { + return EFBIG; + } + + return 0; +} + +#if HAVE_PTHREAD +typedef void (*sss_mutex_init)(void); + +struct sss_mutex sss_nss_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; + +static struct sss_mutex sss_pam_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; + +static struct sss_mutex sss_nss_mc_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; + +static struct sss_mutex sss_pac_mtx = { .mtx = PTHREAD_MUTEX_INITIALIZER }; + +static void sss_mt_lock(struct sss_mutex *m) +{ + pthread_mutex_lock(&m->mtx); + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); +} + +static void sss_mt_unlock(struct sss_mutex *m) +{ + pthread_setcancelstate(m->old_cancel_state, NULL); + pthread_mutex_unlock(&m->mtx); +} + +/* NSS mutex wrappers */ +void sss_nss_lock(void) +{ + sss_mt_lock(&sss_nss_mtx); +} +void sss_nss_unlock(void) +{ + sss_mt_unlock(&sss_nss_mtx); +} + +/* NSS mutex wrappers */ +void sss_pam_lock(void) +{ + sss_mt_lock(&sss_pam_mtx); +} +void sss_pam_unlock(void) +{ + sss_mt_unlock(&sss_pam_mtx); +} + +/* NSS mutex wrappers */ +void sss_nss_mc_lock(void) +{ + sss_mt_lock(&sss_nss_mc_mtx); +} +void sss_nss_mc_unlock(void) +{ + sss_mt_unlock(&sss_nss_mc_mtx); +} + +/* PAC mutex wrappers */ +void sss_pac_lock(void) +{ + sss_mt_lock(&sss_pac_mtx); +} +void sss_pac_unlock(void) +{ + sss_mt_unlock(&sss_pac_mtx); +} + +#else + +/* sorry no mutexes available */ +void sss_nss_lock(void) { return; } +void sss_nss_unlock(void) { return; } +void sss_pam_lock(void) { return; } +void sss_pam_unlock(void) { 
return; } +void sss_nss_mc_lock(void) { return; } +void sss_nss_mc_unlock(void) { return; } +void sss_pac_lock(void) { return; } +void sss_pac_unlock(void) { return; } +#endif + + +errno_t sss_readrep_copy_string(const char *in, + size_t *offset, + size_t *slen, + size_t *dlen, + char **out, + size_t *size) +{ + size_t i = 0; + while (*slen > *offset && *dlen > 0) { + (*out)[i] = in[*offset]; + if ((*out)[i] == '\0') break; + i++; + (*offset)++; + (*dlen)--; + } + if (*slen <= *offset) { /* premature end of buf */ + return EBADMSG; + } + if (*dlen == 0) { /* not enough memory */ + return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */ + } + (*offset)++; + (*dlen)--; + if (size) { + *size = i; + } + + return EOK; +} diff --git a/src/sss_client/common_private.h b/src/sss_client/common_private.h new file mode 100644 index 0000000..a98d2c0 --- /dev/null +++ b/src/sss_client/common_private.h @@ -0,0 +1,41 @@ +/* + SSSD + + SSS client - private calls + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef COMMON_PRIVATE_H_ +#define COMMON_PRIVATE_H_ + +#include "config.h" + +#if HAVE_PTHREAD +#include + +struct sss_mutex { + pthread_mutex_t mtx; + + int old_cancel_state; +}; + +#endif /* HAVE_PTHREAD */ + +#endif /* COMMON_PRIVATE_H_ */ 
diff --git a/src/sss_client/idmap/common_ex.c b/src/sss_client/idmap/common_ex.c
new file mode 100644
index 0000000..e655bb8
--- /dev/null
+++ b/src/sss_client/idmap/common_ex.c
@@ -0,0 +1,107 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + SSSD's enhanced NSS API + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "sss_cli.h" +#include "common_private.h" + +extern struct sss_mutex sss_nss_mtx; + +#define SEC_FROM_MSEC(ms) ((ms) / 1000) +#define NSEC_FROM_MSEC(ms) (((ms) % 1000) * 1000 * 1000) + +/* adopted from timersub() defined in /usr/include/sys/time.h */ +#define TIMESPECSUB(a, b, result) \ + do { \ + (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \ + (result)->tv_nsec = (a)->tv_nsec - (b)->tv_nsec; \ + if ((result)->tv_nsec < 0) { \ + --(result)->tv_sec; \ + (result)->tv_nsec += 1000000000; \ + } \ + } while (0) + +#define TIMESPEC_TO_MS(ts) ( ((ts)->tv_sec * 1000) \ + + ((ts)->tv_nsec) / (1000 * 1000) ) + +static int sss_mt_timedlock(struct sss_mutex *m, struct timespec *endtime) +{ + int ret; + + ret = pthread_mutex_timedlock(&m->mtx, endtime); + if (ret != 0) { + return ret; + } + pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, &m->old_cancel_state); + + return 0; +} + +int sss_nss_timedlock(unsigned int timeout_ms, int *time_left_ms) +{ + int ret; + int left; + struct timespec starttime; + struct timespec endtime; + struct timespec diff; + + /* make sure there is no overrun when calculating the time left */ + if (timeout_ms > INT_MAX) { + timeout_ms = INT_MAX; + } + + ret = clock_gettime(CLOCK_REALTIME, &starttime); + if (ret != 0) { 
+ return ret; + } + endtime.tv_sec = starttime.tv_sec + SEC_FROM_MSEC(timeout_ms); + endtime.tv_nsec = starttime.tv_nsec + NSEC_FROM_MSEC(timeout_ms); + + ret = sss_mt_timedlock(&sss_nss_mtx, &endtime); + + if (ret == 0) { + ret = clock_gettime(CLOCK_REALTIME, &endtime); + if (ret != 0) { + sss_nss_unlock(); + return ret; + } + + if (timeout_ms == 0) { + *time_left_ms = 0; + } else { + TIMESPECSUB(&endtime, &starttime, &diff); + left = timeout_ms - TIMESPEC_TO_MS(&diff); + if (left <= 0) { + sss_nss_unlock(); + return EIO; + } else if (left > SSS_CLI_SOCKET_TIMEOUT) { + *time_left_ms = SSS_CLI_SOCKET_TIMEOUT; + } else { + *time_left_ms = left; + } + } + } + + return ret; +} diff --git a/src/sss_client/idmap/sss_nss_ex.c b/src/sss_client/idmap/sss_nss_ex.c new file mode 100644 index 0000000..9714220 --- /dev/null +++ b/src/sss_client/idmap/sss_nss_ex.c 
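Review bot: In sss_nss_timedlock() (src/sss_client/idmap/common_ex.c) the deadline's `tv_nsec` is never normalised: `endtime.tv_nsec = starttime.tv_nsec + NSEC_FROM_MSEC(timeout_ms)` reaches or exceeds 1000000000 whenever the millisecond remainder plus the current nanoseconds carries over. POSIX has pthread_mutex_timedlock() return EINVAL for such a value when the call would have to block, so under contention the caller gets a spurious error that depends on the wall-clock time instead of a bounded wait. Carry the overflow into the seconds field right after the two assignments, e.g. `if (endtime.tv_nsec >= 1000000000) { endtime.tv_sec++; endtime.tv_nsec -= 1000000000; }`. A short comment there saying that the deadline is an absolute CLOCK_REALTIME value would also help, since the same clock is read again to compute `left` and a clock step between the two reads skews the remaining time.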
@@ -0,0 +1,531 @@ +/* + SSSD + + Extended NSS Responder Interface + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include + +#include /* for MIN() */ + +#include "sss_client/sss_cli.h" +#include "sss_client/nss_mc.h" +#include "sss_client/nss_common.h" +#include "sss_client/idmap/sss_nss_idmap.h" +#include "sss_client/idmap/sss_nss_idmap_private.h" + +#ifndef discard_const +#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) +#endif + +struct sss_nss_initgr_rep { + gid_t *groups; + long int *ngroups; + long int *start; +}; + +struct nss_input { + union { + const char *name; + uid_t uid; + gid_t gid; + } input; + struct sss_cli_req_data rd; + enum sss_cli_command cmd; + union { + struct sss_nss_pw_rep pwrep; + struct sss_nss_gr_rep grrep; + struct sss_nss_initgr_rep initgrrep; + } result; +}; + +errno_t sss_nss_mc_get(struct nss_input *inp) +{ + switch(inp->cmd) { + case SSS_NSS_GETPWNAM: + case SSS_NSS_GETPWNAM_EX: + return sss_nss_mc_getpwnam(inp->input.name, strlen(inp->input.name), + inp->result.pwrep.result, + inp->result.pwrep.buffer, + inp->result.pwrep.buflen); + break; + case SSS_NSS_GETPWUID: + case SSS_NSS_GETPWUID_EX: + return sss_nss_mc_getpwuid(inp->input.uid, + inp->result.pwrep.result, + inp->result.pwrep.buffer, + inp->result.pwrep.buflen); + break; + case SSS_NSS_GETGRNAM: + case SSS_NSS_GETGRNAM_EX: + return 
sss_nss_mc_getgrnam(inp->input.name, strlen(inp->input.name), + inp->result.grrep.result, + inp->result.grrep.buffer, + inp->result.grrep.buflen); + break; + case SSS_NSS_GETGRGID: + case SSS_NSS_GETGRGID_EX: + return sss_nss_mc_getgrgid(inp->input.gid, + inp->result.grrep.result, + inp->result.grrep.buffer, + inp->result.grrep.buflen); + break; + case SSS_NSS_INITGR: + case SSS_NSS_INITGR_EX: + return sss_nss_mc_initgroups_dyn(inp->input.name, + strlen(inp->input.name), + -1 /* currently ignored */, + inp->result.initgrrep.start, + inp->result.initgrrep.ngroups, + &(inp->result.initgrrep.groups), + /* no limit so that needed size can + * be returned properly */ + -1); + break; + default: + return EINVAL; + } +} + +static int check_flags(struct nss_input *inp, uint32_t flags, + bool *skip_mc, bool *skip_data) +{ + bool no_data = false; + + /* SSS_NSS_EX_FLAG_NO_CACHE and SSS_NSS_EX_FLAG_INVALIDATE_CACHE are + * mutually exclusive */ + if ((flags & SSS_NSS_EX_FLAG_NO_CACHE) != 0 + && (flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) != 0) { + return EINVAL; + } + + *skip_mc = false; + if ((flags & SSS_NSS_EX_FLAG_NO_CACHE) != 0 + || (flags & SSS_NSS_EX_FLAG_INVALIDATE_CACHE) != 0) { + *skip_mc = true; + } + + switch(inp->cmd) { + case SSS_NSS_GETPWNAM: + case SSS_NSS_GETPWNAM_EX: + case SSS_NSS_GETPWUID: + case SSS_NSS_GETPWUID_EX: + if (inp->result.pwrep.buffer == NULL + || inp->result.pwrep.buflen == 0) { + no_data = true; + } + break; + case SSS_NSS_GETGRNAM: + case SSS_NSS_GETGRNAM_EX: + case SSS_NSS_GETGRGID: + case SSS_NSS_GETGRGID_EX: + if (inp->result.grrep.buffer == NULL + || inp->result.grrep.buflen == 0) { + no_data = true; + } + break; + case SSS_NSS_INITGR: + case SSS_NSS_INITGR_EX: + if (inp->result.initgrrep.ngroups == 0 + || inp->result.initgrrep.groups == NULL) { + return EINVAL; + } + break; + default: + return EINVAL; + } + + *skip_data = false; + /* Allow empty buffer with SSS_NSS_EX_FLAG_INVALIDATE_CACHE */ + if (no_data) { + if ((flags & 
SSS_NSS_EX_FLAG_INVALIDATE_CACHE) != 0) { + *skip_data = true; + } else { + return ERANGE; + } + } + + return 0; +} + +int sss_get_ex(struct nss_input *inp, uint32_t flags, unsigned int timeout) +{ + uint8_t *repbuf = NULL; + size_t replen; + size_t len; + uint32_t num_results; + int ret; + int time_left; + int errnop; + size_t c; + gid_t *new_groups; + size_t idx; + bool skip_mc = false; + bool skip_data = false; + + ret = check_flags(inp, flags, &skip_mc, &skip_data); + if (ret != 0) { + return ret; + } + + if (!skip_mc && !skip_data) { + ret = sss_nss_mc_get(inp); + switch (ret) { + case 0: + return 0; + case ERANGE: + return ERANGE; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + } + + ret = sss_nss_timedlock(timeout, &time_left); + if (ret != 0) { + return ret; + } + + if (!skip_mc && !skip_data) { + /* previous thread might already initialize entry in mmap cache */ + ret = sss_nss_mc_get(inp); + switch (ret) { + case 0: + ret = 0; + goto out; + case ERANGE: + ret = ERANGE; + goto out; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + } + + ret = sss_nss_make_request_timeout(inp->cmd, &inp->rd, time_left, + &repbuf, &replen, &errnop); + if (ret != NSS_STATUS_SUCCESS) { + ret = errnop != 0 ? errnop : EIO; + goto out; + } + + /* Get number of results from repbuf. 
*/ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + ret = ENOENT; + goto out; + } + + if (skip_data) { + /* No data requested, just return the return code */ + ret = 0; + goto out; + } + + if (inp->cmd == SSS_NSS_INITGR || inp->cmd == SSS_NSS_INITGR_EX) { + if ((*(inp->result.initgrrep.ngroups) - *(inp->result.initgrrep.start)) + < num_results) { + new_groups = realloc(inp->result.initgrrep.groups, + (num_results + *(inp->result.initgrrep.start)) + * sizeof(gid_t)); + if (new_groups == NULL) { + ret = ENOMEM; + goto out; + } + + inp->result.initgrrep.groups = new_groups; + } + *(inp->result.initgrrep.ngroups) = num_results + + *(inp->result.initgrrep.start); + + idx = 2 * sizeof(uint32_t); + for (c = 0; c < num_results; c++) { + SAFEALIGN_COPY_UINT32( + &(inp->result.initgrrep.groups[*(inp->result.initgrrep.start)]), + repbuf + idx, &idx); + *(inp->result.initgrrep.start) += 1; + } + + ret = 0; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + ret = EBADMSG; + goto out; + } + + len = replen - 8; + + switch(inp->cmd) { + case SSS_NSS_GETPWNAM: + case SSS_NSS_GETPWUID: + case SSS_NSS_GETPWNAM_EX: + case SSS_NSS_GETPWUID_EX: + ret = sss_nss_getpw_readrep(&(inp->result.pwrep), repbuf+8, &len); + break; + case SSS_NSS_GETGRNAM: + case SSS_NSS_GETGRGID: + case SSS_NSS_GETGRNAM_EX: + case SSS_NSS_GETGRGID_EX: + ret = sss_nss_getgr_readrep(&(inp->result.grrep), repbuf+8, &len); + break; + default: + ret = EINVAL; + } + if (ret != 0) { + goto out; + } + + if (len == 0) { + /* no extra data */ + ret = 0; + goto out; + } + +out: + free(repbuf); + + sss_nss_unlock(); + return ret; +} + +static int make_name_flag_req_data(const char *name, uint32_t flags, + struct sss_cli_req_data *rd) +{ + size_t len; + size_t name_len; + uint8_t *data; + int ret; + + if (name == NULL) { + return EINVAL; + } + + ret = sss_strnlen(name, SSS_NAME_MAX, &name_len); + if (ret != 0) { + 
return ret; + } + name_len++; + + len = name_len + sizeof(uint32_t); + data = malloc(len); + if (data == NULL) { + return ENOMEM; + } + + memcpy(data, name, name_len); + SAFEALIGN_COPY_UINT32(data + name_len, &flags, NULL); + + rd->len = len; + rd->data = data; + + return 0; +} + +int sss_nss_getpwnam_timeout(const char *name, struct passwd *pwd, + char *buffer, size_t buflen, + struct passwd **result, + uint32_t flags, unsigned int timeout) +{ + int ret; + struct nss_input inp = { + .input.name = name, + .cmd = SSS_NSS_GETPWNAM_EX, + .result.pwrep.result = pwd, + .result.pwrep.buffer = buffer, + .result.pwrep.buflen = buflen}; + + ret = make_name_flag_req_data(name, flags, &inp.rd); + if (ret != 0) { + return ret; + } + + ret = sss_get_ex(&inp, flags, timeout); + free(discard_const(inp.rd.data)); + + if (result != NULL) { + if (ret == 0) { + *result = inp.result.pwrep.result; + } else { + *result = NULL; + } + } + + return ret; +} + +int sss_nss_getpwuid_timeout(uid_t uid, struct passwd *pwd, + char *buffer, size_t buflen, + struct passwd **result, + uint32_t flags, unsigned int timeout) +{ + int ret; + uint32_t req_data[2]; + struct nss_input inp = { + .input.uid = uid, + .cmd = SSS_NSS_GETPWUID_EX, + .rd.len = 2 * sizeof(uint32_t), + .rd.data = &req_data, + .result.pwrep.result = pwd, + .result.pwrep.buffer = buffer, + .result.pwrep.buflen = buflen}; + + SAFEALIGN_COPY_UINT32(&req_data[0], &uid, NULL); + SAFEALIGN_COPY_UINT32(&req_data[1], &flags, NULL); + + ret = sss_get_ex(&inp, flags, timeout); + + if (result != NULL) { + if (ret == 0) { + *result = inp.result.pwrep.result; + } else { + *result = NULL; + } + } + + return ret; +} + +int sss_nss_getgrnam_timeout(const char *name, struct group *grp, + char *buffer, size_t buflen, struct group **result, + uint32_t flags, unsigned int timeout) +{ + int ret; + struct nss_input inp = { + .input.name = name, + .cmd = SSS_NSS_GETGRNAM_EX, + .result.grrep.result = grp, + .result.grrep.buffer = buffer, + 
.result.grrep.buflen = buflen}; + + ret = make_name_flag_req_data(name, flags, &inp.rd); + if (ret != 0) { + return ret; + } + + ret = sss_get_ex(&inp, flags, timeout); + free(discard_const(inp.rd.data)); + + if (result != NULL) { + if (ret == 0) { + *result = inp.result.grrep.result; + } else { + *result = NULL; + } + } + + return ret; +} + +int sss_nss_getgrgid_timeout(gid_t gid, struct group *grp, + char *buffer, size_t buflen, struct group **result, + uint32_t flags, unsigned int timeout) +{ + int ret; + uint32_t req_data[2]; + struct nss_input inp = { + .input.gid = gid, + .cmd = SSS_NSS_GETGRGID_EX, + .rd.len = 2 * sizeof(uint32_t), + .rd.data = &req_data, + .result.grrep.result = grp, + .result.grrep.buffer = buffer, + .result.grrep.buflen = buflen}; + + SAFEALIGN_COPY_UINT32(&req_data[0], &gid, NULL); + SAFEALIGN_COPY_UINT32(&req_data[1], &flags, NULL); + + ret = sss_get_ex(&inp, flags, timeout); + + if (result != NULL) { + if (ret == 0) { + *result = inp.result.grrep.result; + } else { + *result = NULL; + } + } + + return ret; +} + +int sss_nss_getgrouplist_timeout(const char *name, gid_t group, + gid_t *groups, int *ngroups, + uint32_t flags, unsigned int timeout) +{ + int ret; + long int new_ngroups; + long int start = 1; + struct nss_input inp = { + .input.name = name, + .cmd = SSS_NSS_INITGR_EX}; + + ret = make_name_flag_req_data(name, flags, &inp.rd); + if (ret != 0) { + return ret; + } + + new_ngroups = MAX(1, *ngroups); + inp.result.initgrrep.groups = malloc(new_ngroups * sizeof(gid_t)); + if (inp.result.initgrrep.groups == NULL) { + free(discard_const(inp.rd.data)); + return ENOMEM; + } + inp.result.initgrrep.groups[0] = group; + + inp.result.initgrrep.ngroups = &new_ngroups; + inp.result.initgrrep.start = &start; + + /* inp.result.initgrrep.groups, inp.result.initgrrep.ngroups and + * inp.result.initgrrep.start might be modified by sss_get_ex() */ + ret = sss_get_ex(&inp, flags, timeout); + free(discard_const(inp.rd.data)); + if (ret != 0) { + 
free(inp.result.initgrrep.groups); + return ret; + } + + memcpy(groups, inp.result.initgrrep.groups, + MIN(*ngroups, start) * sizeof(gid_t)); + free(inp.result.initgrrep.groups); + + if (start > *ngroups) { + ret = ERANGE; + } else { + ret = 0; + } + *ngroups = start; + + return ret; +} diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c new file mode 100644 index 0000000..323392f --- /dev/null +++ b/src/sss_client/idmap/sss_nss_idmap.c 
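Review bot: sss_get_ex() (src/sss_client/idmap/sss_nss_ex.c) parses the responder reply without checking `replen`: `num_results` is read from `repbuf` unconditionally, `len = replen - 8` wraps for a reply shorter than 8 bytes, and the initgroups loop copies `num_results` 32-bit values starting at offset 8 whether or not the reply holds that many. sss_nss_getyyybyxxx() in sss_nss_idmap.c rejects `replen < 8` with EBADMSG before the same read, and nothing visible in this hunk shows the request layer guaranteeing a minimum length, so the same guard belongs here together with a bound on `num_results` before the realloc and the copy loop. Bounding `num_results` by the reply size also keeps the `(num_results + *start) * sizeof(gid_t)` allocation tied to data actually received. The excerpt below shows the two added checks.

```c
    /* … unchanged: request is sent and its status checked … */

    /* The parser below reads a count at offset 0 and payload from offset 8. */
    if (replen < 2 * sizeof(uint32_t)) {
        ret = EBADMSG;
        goto out;
    }

    /* Get number of results from repbuf. */
    SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);

    /* … unchanged: num_results == 0 and skip_data handling … */

    if (inp->cmd == SSS_NSS_INITGR || inp->cmd == SSS_NSS_INITGR_EX) {
        /* Every announced gid must actually be present in the reply body. */
        if (num_results > (replen - 2 * sizeof(uint32_t)) / sizeof(uint32_t)) {
            ret = EBADMSG;
            goto out;
        }
        /* … unchanged: realloc of groups and the copy loop … */
```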
@@ -0,0 +1,613 @@ +/* + SSSD + + NSS Responder Interface for ID-SID mappings + + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "sss_client/sss_cli.h" +#include "sss_client/idmap/sss_nss_idmap.h" +#include "sss_client/idmap/sss_nss_idmap_private.h" +#include "util/strtonum.h" + +#define DATA_START (3 * sizeof(uint32_t)) +#define LIST_START (2 * sizeof(uint32_t)) +#define NO_TIMEOUT ((unsigned int) -1) + +union input { + const char *str; + uint32_t id; +}; + +struct output { + enum sss_id_type type; + enum sss_id_type *types; + union { + char *str; + uint32_t id; + struct sss_nss_kv *kv_list; + char **names; + } d; +}; + +int nss_status_to_errno(enum nss_status nret) { + switch (nret) { + case NSS_STATUS_TRYAGAIN: + return EAGAIN; + case NSS_STATUS_SUCCESS: + return EOK; + case NSS_STATUS_UNAVAIL: + default: + return ENOENT; + } + + return EINVAL; +} + +void sss_nss_free_kv(struct sss_nss_kv *kv_list) +{ + size_t c; + + if (kv_list != NULL) { + for (c = 0; kv_list[c].key != NULL; c++) { + free(kv_list[c].key); + free(kv_list[c].value); + } + free(kv_list); + } +} + +void sss_nss_free_list(char **l) +{ + size_t c; + + if (l != NULL) { + for (c = 0; l[c] != NULL; c++) { + free(l[c]); + } + free(l); + } +} + +static int buf_to_name_type_list(uint8_t *buf, size_t buf_len, uint32_t num, + char ***names, enum sss_id_type 
**types) +{ + int ret; + size_t c; + char **n = NULL; + enum sss_id_type *t = NULL; + size_t rp = 0; + + n = calloc(num + 1, sizeof(char *)); + if (n == NULL) { + ret = ENOMEM; + goto done; + } + + t = calloc(num + 1, sizeof(enum sss_id_type)); + if (t == NULL) { + ret = ENOMEM; + goto done; + } + + for (c = 0; c < num; c++) { + SAFEALIGN_COPY_UINT32(&(t[c]), buf + rp, &rp); + n[c] = strdup((char *) buf + rp); + if (n[c] == NULL) { + ret = ENOMEM; + goto done; + } + rp += strlen(n[c]) + 1; + } + + ret = EOK; + +done: + if (ret != EOK) { + sss_nss_free_list(n); + free(t); + } else { + *names = n; + *types = t; + } + + return ret; +} + +static int buf_to_kv_list(uint8_t *buf, size_t buf_len, + struct sss_nss_kv **kv_list) +{ + size_t c; + size_t count = 0; + struct sss_nss_kv *list; + uint8_t *p; + int ret; + + for (c = 0; c < buf_len; c++) { + if (buf[c] == '\0') { + count++; + } + } + + if ((count % 2) != 0) { + return EINVAL; + } + count /= 2; + + list = calloc((count + 1), sizeof(struct sss_nss_kv)); + if (list == NULL) { + return ENOMEM; + } + + p = buf; + for (c = 0; c < count; c++) { + list[c].key = strdup((char *) p); + if (list[c].key == NULL) { + ret = ENOMEM; + goto done; + } + + p = memchr(p, '\0', buf_len - (p - buf)); + if (p == NULL) { + ret = EINVAL; + goto done; + } + p++; + + list[c].value = strdup((char *) p); + if (list[c].value == NULL) { + ret = ENOMEM; + goto done; + } + + p = memchr(p, '\0', buf_len - (p - buf)); + if (p == NULL) { + ret = EINVAL; + goto done; + } + p++; + } + + *kv_list = list; + + ret = EOK; + +done: + if (ret != EOK) { + sss_nss_free_kv(list); + } + + return ret; +} + +static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd, + unsigned int timeout, struct output *out) +{ + int ret; + size_t inp_len; + struct sss_cli_req_data rd; + uint8_t *repbuf = NULL; + size_t replen; + int errnop; + enum nss_status nret; + uint32_t num_results; + char *str = NULL; + size_t data_len; + uint32_t c; + struct sss_nss_kv 
*kv_list;
+ char **names;
+ enum sss_id_type *types;
+ int time_left = SSS_CLI_SOCKET_TIMEOUT;
+
+ switch (cmd) {
+ case SSS_NSS_GETSIDBYNAME:
+ case SSS_NSS_GETNAMEBYSID:
+ case SSS_NSS_GETIDBYSID:
+ case SSS_NSS_GETORIGBYNAME:
+ ret = sss_strnlen(inp.str, 2048, &inp_len);
+ if (ret != EOK) {
+ return EINVAL;
+ }
+
+ rd.len = inp_len + 1;
+ rd.data = inp.str;
+
+ break;
+ case SSS_NSS_GETNAMEBYCERT:
+ case SSS_NSS_GETLISTBYCERT:
+ ret = sss_strnlen(inp.str, 10 * 1024 , &inp_len);
+ if (ret != EOK) {
+ return EINVAL;
+ }
+
+ rd.len = inp_len + 1;
+ rd.data = inp.str;
+
+ break;
+ case SSS_NSS_GETSIDBYID:
+ case SSS_NSS_GETSIDBYUID:
+ case SSS_NSS_GETSIDBYGID:
+ rd.len = sizeof(uint32_t);
+ rd.data = &inp.id;
+
+ break;
+ default:
+ return EINVAL;
+ }
+
+ if (timeout == NO_TIMEOUT) {
+ sss_nss_lock();
+ } else {
+ ret = sss_nss_timedlock(timeout, &time_left);
+ if (ret != 0) {
+ return ret;
+ }
+ }
+
+ nret = sss_nss_make_request_timeout(cmd, &rd, time_left, &repbuf, &replen,
+ &errnop);
+ if (nret != NSS_STATUS_SUCCESS) {
+ ret = nss_status_to_errno(nret);
+ goto done;
+ }
+
+ if (replen < 8) {
+ ret = EBADMSG;
+ goto done;
+ }
+
+ SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);
+ if (num_results == 0) {
+ ret = ENOENT;
+ goto done;
+ } else if (num_results > 1 && cmd != SSS_NSS_GETLISTBYCERT) {
+ ret = EBADMSG;
+ goto done;
+ }
+
+ /* Skip first two 32 bit values (number of results and
+ * reserved padding) */
+ SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL);
+
+ data_len = replen - DATA_START;
+
+ switch(cmd) {
+ case SSS_NSS_GETSIDBYID:
+ case SSS_NSS_GETSIDBYUID:
+ case SSS_NSS_GETSIDBYGID:
+ case SSS_NSS_GETSIDBYNAME:
+ case SSS_NSS_GETNAMEBYSID:
+ case SSS_NSS_GETNAMEBYCERT:
+ if (data_len <= 1 || repbuf[replen - 1] != '\0') {
+ ret = EBADMSG;
+ goto done;
+ }
+
+ str = malloc(sizeof(char) * data_len);
+ if (str == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ strncpy(str, (char *) repbuf + DATA_START, data_len);
+
+ out->d.str = str;
+
+ break;
+ case SSS_NSS_GETIDBYSID:
+ if (data_len != sizeof(uint32_t)) {
+ ret = EBADMSG;
+ goto done;
+ }
+
+ SAFEALIGN_COPY_UINT32(&c, repbuf + DATA_START, NULL);
+ out->d.id = c;
+
+ break;
+ case SSS_NSS_GETLISTBYCERT:
+ ret = buf_to_name_type_list(repbuf + LIST_START, replen - LIST_START,
+ num_results,
+ &names, &types);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ out->types = types;
+ out->d.names = names;
+
+ break;
+ case SSS_NSS_GETORIGBYNAME:
+ ret = buf_to_kv_list(repbuf + DATA_START, data_len, &kv_list);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ out->d.kv_list = kv_list;
+
+ break;
+ default:
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ sss_nss_unlock();
+ free(repbuf);
+ if (ret != EOK) {
+ free(str);
+ }
+
+ return ret;
+}
+
+int sss_nss_getsidbyname_timeout(const char *fq_name, unsigned int timeout,
+ char **sid, enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (sid == NULL || fq_name == NULL || *fq_name == '\0') {
+ return EINVAL;
+ }
+
+ inp.str = fq_name;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETSIDBYNAME, timeout, &out);
+ if (ret == EOK) {
+ *sid = out.d.str;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getsidbyname(const char *fq_name, char **sid,
+ enum sss_id_type *type)
+{
+ return sss_nss_getsidbyname_timeout(fq_name, NO_TIMEOUT, sid, type);
+}
+
+int sss_nss_getsidbyid_timeout(uint32_t id, unsigned int timeout,
+ char **sid, enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (sid == NULL) {
+ return EINVAL;
+ }
+
+ inp.id = id;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETSIDBYID, timeout, &out);
+ if (ret == EOK) {
+ *sid = out.d.str;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getsidbyid(uint32_t id, char **sid, enum sss_id_type *type)
+{
+ return sss_nss_getsidbyid_timeout(id, NO_TIMEOUT, sid, type);
+}
+
+int sss_nss_getsidbyuid_timeout(uint32_t uid, unsigned int timeout,
+ char **sid, enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (sid == NULL) {
+ return EINVAL;
+ }
+
+ inp.id = uid;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETSIDBYUID, timeout, &out);
+ if (ret == EOK) {
+ *sid = out.d.str;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getsidbyuid(uint32_t uid, char **sid, enum sss_id_type *type)
+{
+ return sss_nss_getsidbyuid_timeout(uid, NO_TIMEOUT, sid, type);
+}
+
+int sss_nss_getsidbygid_timeout(uint32_t gid, unsigned int timeout,
+ char **sid, enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (sid == NULL) {
+ return EINVAL;
+ }
+
+ inp.id = gid;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETSIDBYGID, timeout, &out);
+ if (ret == EOK) {
+ *sid = out.d.str;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getsidbygid(uint32_t gid, char **sid, enum sss_id_type *type)
+{
+ return sss_nss_getsidbygid_timeout(gid, NO_TIMEOUT, sid, type);
+}
+
+int sss_nss_getnamebysid_timeout(const char *sid, unsigned int timeout,
+ char **fq_name, enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (fq_name == NULL || sid == NULL || *sid == '\0') {
+ return EINVAL;
+ }
+
+ inp.str = sid;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETNAMEBYSID, timeout, &out);
+ if (ret == EOK) {
+ *fq_name = out.d.str;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getnamebysid(const char *sid, char **fq_name,
+ enum sss_id_type *type)
+{
+ return sss_nss_getnamebysid_timeout(sid, NO_TIMEOUT, fq_name, type);
+}
+
+int sss_nss_getidbysid_timeout(const char *sid, unsigned int timeout,
+ uint32_t *id, enum sss_id_type *id_type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (id == NULL || id_type == NULL || sid == NULL || *sid == '\0') {
+ return EINVAL;
+ }
+
+ inp.str = sid;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETIDBYSID, timeout, &out);
+ if (ret == EOK) {
+ *id = out.d.id;
+ *id_type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getidbysid(const char *sid, uint32_t *id, enum sss_id_type *id_type)
+{
+ return sss_nss_getidbysid_timeout(sid, NO_TIMEOUT, id, id_type);
+}
+
+int sss_nss_getorigbyname_timeout(const char *fq_name, unsigned int timeout,
+ struct sss_nss_kv **kv_list,
+ enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (kv_list == NULL || fq_name == NULL || *fq_name == '\0') {
+ return EINVAL;
+ }
+
+ inp.str = fq_name;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETORIGBYNAME, timeout, &out);
+ if (ret == EOK) {
+ *kv_list = out.d.kv_list;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getorigbyname(const char *fq_name, struct sss_nss_kv **kv_list,
+ enum sss_id_type *type)
+{
+ return sss_nss_getorigbyname_timeout(fq_name, NO_TIMEOUT, kv_list, type);
+}
+
+int sss_nss_getnamebycert_timeout(const char *cert, unsigned int timeout,
+ char **fq_name, enum sss_id_type *type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (fq_name == NULL || cert == NULL || *cert == '\0') {
+ return EINVAL;
+ }
+
+ inp.str = cert;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETNAMEBYCERT, timeout, &out);
+ if (ret == EOK) {
+ *fq_name = out.d.str;
+ *type = out.type;
+ }
+
+ return ret;
+}
+
+int sss_nss_getnamebycert(const char *cert, char **fq_name,
+ enum sss_id_type *type)
+{
+ return sss_nss_getnamebycert_timeout(cert, NO_TIMEOUT, fq_name, type);
+}
+
+int sss_nss_getlistbycert_timeout(const char *cert, unsigned int timeout,
+ char ***fq_name, enum sss_id_type **type)
+{
+ int ret;
+ union input inp;
+ struct output out;
+
+ if (fq_name == NULL || cert == NULL || *cert == '\0') {
+ return EINVAL;
+ }
+
+ inp.str = cert;
+
+ ret = sss_nss_getyyybyxxx(inp, SSS_NSS_GETLISTBYCERT, timeout, &out);
+ if (ret == EOK) {
+ *fq_name = out.d.names;
+ *type = out.types;
+ }
+
+ return ret;
+}
+
+int sss_nss_getlistbycert(const char *cert, char ***fq_name,
+ enum sss_id_type **type)
+{
+ return sss_nss_getlistbycert_timeout(cert, NO_TIMEOUT, fq_name, type);
+}
diff --git a/src/sss_client/idmap/sss_nss_idmap.doxy.in b/src/sss_client/idmap/sss_nss_idmap.doxy.in
new file mode 100644
index 0000000..f6c18ba
--- /dev/null
+++ b/src/sss_client/idmap/sss_nss_idmap.doxy.in
@@ -0,0 +1,1539 @@ +# Doxyfile 1.6.1 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# This tag specifies the encoding used for all characters in the config file +# that follow. The default is UTF-8 which is also the encoding used for all +# text before the first occurrence of this tag. Doxygen uses libiconv (or the +# iconv built into libc) for the transcoding. See +# http://www.gnu.org/software/libiconv for the list of possible encodings. + +DOXYFILE_ENCODING = UTF-8 + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = sss_nss_idmap + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = @PACKAGE_VERSION@ + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = nss_idmap_doc + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. 
+# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. +# The default language is English, other supported languages are: +# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, +# Croatian, Czech, Danish, Dutch, Esperanto, Farsi, Finnish, French, German, +# Greek, Hungarian, Italian, Japanese, Japanese-en (Japanese with English +# messages), Korean, Korean-en, Lithuanian, Norwegian, Macedonian, Persian, +# Polish, Portuguese, Romanian, Russian, Serbian, Serbian-Cyrilic, Slovak, +# Slovene, Spanish, Swedish, Ukrainian, and Vietnamese. + +OUTPUT_LANGUAGE = English + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = "The $name class" \ + "The $name widget" \ + "The $name file" \ + is \ + provides \ + specifies \ + contains \ + represents \ + a \ + an \ + the + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = YES + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. 
+ +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like regular Qt-style comments +# (thus requiring an explicit @brief command for a brief description.) + +JAVADOC_AUTOBRIEF = YES + +# If the QT_AUTOBRIEF tag is set to YES then Doxygen will +# interpret the first line (until the first dot) of a Qt-style +# comment as the brief description. If set to NO, the comments +# will behave just like regular Qt-style comments (thus requiring +# an explicit \brief command for a brief description.) + +QT_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. 
+ +TAB_SIZE = 8 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". +# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = YES + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for +# Java. For instance, namespaces will be presented as packages, qualified +# scopes will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = NO + +# Set the OPTIMIZE_FOR_FORTRAN tag to YES if your project consists of Fortran +# sources only. Doxygen will then generate output that is more tailored for +# Fortran. + +OPTIMIZE_FOR_FORTRAN = NO + +# Set the OPTIMIZE_OUTPUT_VHDL tag to YES if your project consists of VHDL +# sources. Doxygen will then generate output that is tailored for +# VHDL. + +OPTIMIZE_OUTPUT_VHDL = NO + +# Doxygen selects the parser to use depending on the extension of the files it parses. +# With this tag you can assign which parser to use for a given extension. +# Doxygen has a built-in mapping, but you can override or extend it using this tag. +# The format is ext=language, where ext is a file extension, and language is one of +# the parsers supported by doxygen: IDL, Java, Javascript, C#, C, C++, D, PHP, +# Objective-C, Python, Fortran, VHDL, C, C++. 
For instance to make doxygen treat +# .inc files as Fortran files (default is PHP), and .f files as C (default is Fortran), +# use: inc=Fortran f=C. Note that for custom extensions you also need to set FILE_PATTERNS otherwise the files are not read by doxygen. + +EXTENSION_MAPPING = + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want +# to include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If you use Microsoft's C++/CLI language, you should set this option to YES to +# enable parsing support. + +CPP_CLI_SUPPORT = NO + +# Set the SIP_SUPPORT tag to YES if your project consists of sip sources only. +# Doxygen will parse them like normal C++ but will assume all classes use public +# instead of private inheritance when no explicit protection keyword is present. + +SIP_SUPPORT = NO + +# For Microsoft's IDL there are propget and propput attributes to indicate getter +# and setter methods for a property. Setting this option to YES (the default) +# will make doxygen to replace the get and set methods by a property in the +# documentation. This will only work if the methods are indeed getting or +# setting a simple type. If this is not the case, or you want to show the +# methods anyway, you should set this option to NO. + +IDL_PROPERTY_SUPPORT = YES + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. 
+ +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +# When TYPEDEF_HIDES_STRUCT is enabled, a typedef of a struct, union, or enum +# is documented as struct, union, or enum with the name of the typedef. So +# typedef struct TypeS {} TypeT, will appear in the documentation as a struct +# with name TypeT. When disabled the typedef will appear as a member of a file, +# namespace, or class. And the struct will be named TypeS. This can typically +# be useful for C code in case the coding convention dictates that all compound +# types are typedef'ed and only the typedef is referenced, never the tag name. + +TYPEDEF_HIDES_STRUCT = NO + +# The SYMBOL_CACHE_SIZE determines the size of the internal cache use to +# determine which symbols to keep in memory and which to flush to disk. +# When the cache is full, less often used symbols will be written to disk. +# For small to medium size projects (<1000 input files) the default value is +# probably good enough. For larger projects a too small cache size can cause +# doxygen to be busy swapping symbols to and from disk most of the time +# causing a significant performance penality. +# If the system has enough physical memory increasing the cache will improve the +# performance by keeping more symbols in memory. Note that the value works on +# a logarithmic scale so increasing the size by one will rougly double the +# memory usage. The cache size is given by this formula: +# 2^(16+SYMBOL_CACHE_SIZE). 
The valid range is 0..9, the default is 0, +# corresponding to a cache size of 2^16 = 65536 symbols + +SYMBOL_CACHE_SIZE = 0 + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = NO + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = NO + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = NO + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = NO + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If this flag is set to YES, the members of anonymous namespaces will be +# extracted and appear in the documentation as a namespace called +# 'anonymous_namespace{file}', where file will be replaced with the base +# name of the file that contains the anonymous namespace. By default +# anonymous namespace are hidden. + +EXTRACT_ANON_NSPACES = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. 
+# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = YES + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. +# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = YES + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = YES + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. 
+ +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. + +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = NO + +# If the SORT_MEMBERS_CTORS_1ST tag is set to YES then doxygen will sort the (brief and detailed) documentation of class members so that constructors and destructors are listed first. If set to NO (the default) the constructors will appear in the respective orders defined by SORT_MEMBER_DOCS and SORT_BRIEF_DOCS. This tag will be ignored for brief docs if SORT_BRIEF_DOCS is set to NO and ignored for detailed docs if SORT_MEMBER_DOCS is set to NO. + +SORT_MEMBERS_CTORS_1ST = NO + +# If the SORT_GROUP_NAMES tag is set to YES then doxygen will sort the +# hierarchy of group names into alphabetical order. If set to NO (the default) +# the group names will appear in their defined order. + +SORT_GROUP_NAMES = NO + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. 
+# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = NO + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. + +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. 
+ +SHOW_USED_FILES = YES + +# If the sources in your project are distributed over multiple directories +# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy +# in the documentation. The default is NO. + +SHOW_DIRECTORIES = NO + +# Set the SHOW_FILES tag to NO to disable the generation of the Files page. +# This will remove the Files entry from the Quick Index and from the +# Folder Tree View (if specified). The default is YES. + +SHOW_FILES = YES + +# Set the SHOW_NAMESPACES tag to NO to disable the generation of the +# Namespaces page. +# This will remove the Namespaces entry from the Quick Index +# and from the Folder Tree View (if specified). The default is YES. + +SHOW_NAMESPACES = YES + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from +# the version control system). Doxygen will invoke the program by executing (via +# popen()) the command , where is the value of +# the FILE_VERSION_FILTER tag, and is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +# The LAYOUT_FILE tag can be used to specify a layout file which will be parsed by +# doxygen. The layout file controls the global structure of the generated output files +# in an output format independent way. The create the layout file that represents +# doxygen's defaults, run doxygen with the -l option. You can optionally specify a +# file name after the option, if omitted DoxygenLayout.xml will be used as the name +# of the layout file. 
+ +LAYOUT_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. + +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# This WARN_NO_PARAMDOC option can be abled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. + +WARN_NO_PARAMDOC = NO + +# The WARN_FORMAT tag determines the format of the warning messages that +# doxygen can produce. The string should contain the $file, $line, and $text +# tags, which will be replaced by the file and line number from which the +# warning originated and the warning text. 
Optionally the format may contain +# $version, which will be replaced by the version of the file (if it could +# be obtained via FILE_VERSION_FILTER) + +WARN_FORMAT = "$file:$line: $text" + +# The WARN_LOGFILE tag can be used to specify a file to which warning +# and error messages should be written. If left blank the output is written +# to stderr. + +WARN_LOGFILE = + +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- + +# The INPUT tag can be used to specify the files and/or directories that contain +# documented source files. You may enter file names like "myfile.cpp" or +# directories like "/usr/src/myproject". Separate the files or directories +# with spaces. + +INPUT = @abs_top_srcdir@/src/sss_client/idmap/sss_nss_idmap.h + +# This tag can be used to specify the character encoding of the source files +# that doxygen parses. Internally doxygen uses the UTF-8 encoding, which is +# also the default input encoding. Doxygen uses libiconv (or the iconv built +# into libc) for the transcoding. See http://www.gnu.org/software/libiconv for +# the list of possible encodings. + +INPUT_ENCODING = UTF-8 + +# If the value of the INPUT tag contains directories, you can use the +# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank the following patterns are tested: +# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx +# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py *.f90 + +FILE_PATTERNS = *.cpp \ + *.cc \ + *.c \ + *.h \ + *.hh \ + *.hpp \ + *.dox + +# The RECURSIVE tag can be used to turn specify whether or not subdirectories +# should be searched for input files as well. Possible values are YES and NO. +# If left blank NO is used. 
+ +RECURSIVE = NO + +# The EXCLUDE tag can be used to specify files and/or directories that should +# excluded from the INPUT source files. This way you can easily exclude a +# subdirectory from a directory tree whose root is specified with the INPUT tag. + +EXCLUDE = + +# The EXCLUDE_SYMLINKS tag can be used select whether or not files or +# directories that are symbolic links (a UNIX filesystem feature) are excluded +# from the input. + +EXCLUDE_SYMLINKS = NO + +# If the value of the INPUT tag contains directories, you can use the +# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude +# certain files from those directories. Note that the wildcards are matched +# against the file with absolute path, so to exclude all test directories +# for example use the pattern */test/* + +EXCLUDE_PATTERNS = */.git/* \ + */.svn/* \ + */cmake/* \ + */build/* + +# The EXCLUDE_SYMBOLS tag can be used to specify one or more symbol names +# (namespaces, classes, functions, etc.) that should be excluded from the +# output. The symbol name can be a fully qualified name, a word, or if the +# wildcard * is used, a substring. Examples: ANamespace, AClass, +# AClass::ANamespace, ANamespace::*Test + +EXCLUDE_SYMBOLS = + +# The EXAMPLE_PATH tag can be used to specify one or more files or +# directories that contain example code fragments that are included (see +# the \include command). + +EXAMPLE_PATH = + +# If the value of the EXAMPLE_PATH tag contains directories, you can use the +# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank all files are included. + +EXAMPLE_PATTERNS = + +# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be +# searched for input files to be used with the \include or \dontinclude +# commands irrespective of the value of the RECURSIVE tag. +# Possible values are YES and NO. If left blank NO is used. 
+ +EXAMPLE_RECURSIVE = NO + +# The IMAGE_PATH tag can be used to specify one or more files or +# directories that contain image that are included in the documentation (see +# the \image command). + +IMAGE_PATH = + +# The INPUT_FILTER tag can be used to specify a program that doxygen should +# invoke to filter for each input file. Doxygen will invoke the filter program +# by executing (via popen()) the command , where +# is the value of the INPUT_FILTER tag, and is the name of an +# input file. Doxygen will then use the output that the filter program writes +# to standard output. +# If FILTER_PATTERNS is specified, this tag will be +# ignored. + +INPUT_FILTER = + +# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern +# basis. +# Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. +# The filters are a list of the form: +# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further +# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER +# is applied to all files. + +FILTER_PATTERNS = + +# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using +# INPUT_FILTER) will be used to filter the input files when producing source +# files to browse (i.e. when SOURCE_BROWSER is set to YES). + +FILTER_SOURCE_FILES = NO + +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- + +# If the SOURCE_BROWSER tag is set to YES then a list of source files will +# be generated. Documented entities will be cross-referenced with these sources. +# Note: To get rid of all source code in the generated output, make sure also +# VERBATIM_HEADERS is set to NO. + +SOURCE_BROWSER = NO + +# Setting the INLINE_SOURCES tag to YES will include the body +# of functions and classes directly in the documentation. 
+ +INLINE_SOURCES = NO + +# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct +# doxygen to hide any special comment blocks from generated source code +# fragments. Normal C and C++ comments will always remain visible. + +STRIP_CODE_COMMENTS = YES + +# If the REFERENCED_BY_RELATION tag is set to YES +# then for each documented function all documented +# functions referencing it will be listed. + +REFERENCED_BY_RELATION = NO + +# If the REFERENCES_RELATION tag is set to YES +# then for each documented function all documented entities +# called/used by that function will be listed. + +REFERENCES_RELATION = NO + +# If the REFERENCES_LINK_SOURCE tag is set to YES (the default) +# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from +# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will +# link to the source code. +# Otherwise they will link to the documentation. + +REFERENCES_LINK_SOURCE = YES + +# If the USE_HTAGS tag is set to YES then the references to source code +# will point to the HTML generated by the htags(1) tool instead of doxygen +# built-in source browser. The htags tool is part of GNU's global source +# tagging system (see http://www.gnu.org/software/global/global.html). You +# will need version 4.8.6 or higher. + +USE_HTAGS = NO + +# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen +# will generate a verbatim copy of the header file for each class for +# which an include is specified. Set to NO to disable this. + +VERBATIM_HEADERS = YES + +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- + +# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index +# of all compounds will be generated. Enable this if the project +# contains a lot of classes, structs, unions or interfaces. 
+ +ALPHABETICAL_INDEX = NO + +# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then +# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns +# in which this list will be split (can be a number in the range [1..20]) + +COLS_IN_ALPHA_INDEX = 5 + +# In case all classes in a project start with a common prefix, all +# classes will be put under the same header in the alphabetical index. +# The IGNORE_PREFIX tag can be used to specify one or more prefixes that +# should be ignored while generating the index headers. + +IGNORE_PREFIX = + +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- + +# If the GENERATE_HTML tag is set to YES (the default) Doxygen will +# generate HTML output. + +GENERATE_HTML = YES + +# If the HTML_TIMESTAMP tag is set to YES then the footer of each generated +# HTML page will contain the date and time when the page was generated. Setting +# this to NO can help when comparing the output of multiple runs. + +HTML_TIMESTAMP = NO + +# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `html' will be used as the default path. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for +# each generated HTML page (for example: .htm,.php,.asp). If it is left blank +# doxygen will generate files with .html extension. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a personal HTML header for +# each generated HTML page. If it is left blank doxygen will generate a +# standard header. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a personal HTML footer for +# each generated HTML page. If it is left blank doxygen will generate a +# standard footer. 
+ +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading +# style sheet that is used by each HTML page. It can be used to +# fine-tune the look of the HTML output. If the tag is left blank doxygen +# will generate a default style sheet. Note that doxygen will try to copy +# the style sheet file to the HTML output directory, so don't put your own +# stylesheet in the HTML output directory as well, or it will be erased! + +HTML_STYLESHEET = + +# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, +# files or namespaces will be aligned in HTML using tables. If set to +# NO a bullet list will be used. + +HTML_ALIGN_MEMBERS = YES + +# If the HTML_DYNAMIC_SECTIONS tag is set to YES then the generated HTML +# documentation will contain sections that can be hidden and shown after the +# page has loaded. For this to work a browser that supports +# JavaScript and DHTML is required (for instance Mozilla 1.0+, Firefox +# Netscape 6.0+, Internet explorer 5.0+, Konqueror, or Safari). + +HTML_DYNAMIC_SECTIONS = NO + +# If the GENERATE_DOCSET tag is set to YES, additional index files +# will be generated that can be used as input for Apple's Xcode 3 +# integrated development environment, introduced with OSX 10.5 (Leopard). +# To create a documentation set, doxygen will generate a Makefile in the +# HTML output directory. Running make will produce the docset in that +# directory and running "make install" will install the docset in +# ~/Library/Developer/Shared/Documentation/DocSets so that Xcode will find +# it at startup. +# See http://developer.apple.com/tools/creatingdocsetswithdoxygen.html for more information. + +GENERATE_DOCSET = NO + +# When GENERATE_DOCSET tag is set to YES, this tag determines the name of the +# feed. A documentation feed provides an umbrella under which multiple +# documentation sets from a single provider (such as a company or product suite) +# can be grouped. 
+ +DOCSET_FEEDNAME = "Doxygen generated docs" + +# When GENERATE_DOCSET tag is set to YES, this tag specifies a string that +# should uniquely identify the documentation set bundle. This should be a +# reverse domain-name style string, e.g. com.mycompany.MyDocSet. Doxygen +# will append .docset to the name. + +DOCSET_BUNDLE_ID = org.doxygen.Project + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compiled HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can +# be used to specify the file name of the resulting .chm file. You +# can add a path in front of the file if the result should not be +# written to the html output directory. + +CHM_FILE = + +# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can +# be used to specify the location (absolute path including file name) of +# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run +# the HTML help compiler on the generated index.hhp. + +HHC_LOCATION = + +# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag +# controls if a separate .chi index file is generated (YES) or that +# it should be included in the master .chm file (NO). + +GENERATE_CHI = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_INDEX_ENCODING +# is used to encode HtmlHelp index (hhk), content (hhc) and project file +# content. + +CHM_INDEX_ENCODING = + +# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag +# controls whether a binary table of contents is generated (YES) or a +# normal table of contents (NO) in the .chm file. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members +# to the contents of the HTML help documentation and to the tree view. 
+ +TOC_EXPAND = NO + +# If the GENERATE_QHP tag is set to YES and both QHP_NAMESPACE and QHP_VIRTUAL_FOLDER +# are set, an additional index file will be generated that can be used as input for +# Qt's qhelpgenerator to generate a Qt Compressed Help (.qch) of the generated +# HTML documentation. + +GENERATE_QHP = NO + +# If the QHG_LOCATION tag is specified, the QCH_FILE tag can +# be used to specify the file name of the resulting .qch file. +# The path specified is relative to the HTML output folder. + +QCH_FILE = + +# The QHP_NAMESPACE tag specifies the namespace to use when generating +# Qt Help Project output. For more information please see +# http://doc.trolltech.com/qthelpproject.html#namespace + +QHP_NAMESPACE = + +# The QHP_VIRTUAL_FOLDER tag specifies the namespace to use when generating +# Qt Help Project output. For more information please see +# http://doc.trolltech.com/qthelpproject.html#virtual-folders + +QHP_VIRTUAL_FOLDER = doc + +# If QHP_CUST_FILTER_NAME is set, it specifies the name of a custom filter to add. +# For more information please see +# http://doc.trolltech.com/qthelpproject.html#custom-filters + +QHP_CUST_FILTER_NAME = + +# The QHP_CUST_FILT_ATTRS tag specifies the list of the attributes of the custom filter to add.For more information please see +# Qt Help Project / Custom Filters. + +QHP_CUST_FILTER_ATTRS = + +# The QHP_SECT_FILTER_ATTRS tag specifies the list of the attributes this project's +# filter section matches. +# Qt Help Project / Filter Attributes. + +QHP_SECT_FILTER_ATTRS = + +# If the GENERATE_QHP tag is set to YES, the QHG_LOCATION tag can +# be used to specify the location of Qt's qhelpgenerator. +# If non-empty doxygen will try to run qhelpgenerator on the generated +# .qhp file. + +QHG_LOCATION = + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index at +# top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. 
+ +DISABLE_INDEX = NO + +# This tag can be used to set the number of enum values (range [1..20]) +# that doxygen will group on one line in the generated HTML documentation. + +ENUM_VALUES_PER_LINE = 4 + +# The GENERATE_TREEVIEW tag is used to specify whether a tree-like index +# structure should be generated to display hierarchical information. +# If the tag value is set to YES, a side panel will be generated +# containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (i.e. any modern browser). +# Windows users are probably better off using the HTML help feature. + +GENERATE_TREEVIEW = NONE + +# By enabling USE_INLINE_TREES, doxygen will generate the Groups, Directories, +# and Class Hierarchy pages using a tree view instead of an ordered list. + +USE_INLINE_TREES = NO + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +# Use this tag to change the font size of Latex formulas included +# as images in the HTML documentation. The default is 10. Note that +# when you change the font size after a successful doxygen run you need +# to manually remove any form_*.png images from the HTML output directory +# to force them to be regenerated. + +FORMULA_FONTSIZE = 10 + +# When the SEARCHENGINE tag is enable doxygen will generate a search box for the HTML output. The underlying search engine uses javascript +# and DHTML and should work on any modern browser. Note that when using HTML help (GENERATE_HTMLHELP) or Qt help (GENERATE_QHP) +# there is already a search function so this one should typically +# be disabled. 
+ +SEARCHENGINE = NO + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. + +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, a4wide, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! 
+ +LATEX_HEADER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. + +PDF_HYPERLINKS = YES + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = YES + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +# If LATEX_SOURCE_CODE is set to YES then doxygen will include source code with syntax highlighting in the LaTeX output. Note that which sources are shown also depends on other settings such as SOURCE_BROWSER. + +LATEX_SOURCE_CODE = NO + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. 
+ +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). 
These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. + +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. + +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. 
+ +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. + +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. +# This is useful +# if you want to understand what is going on. +# On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. 
Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# in the INCLUDE_PATH (see below) will be search if a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. + +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = DOXYGEN + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition. + +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all function-like macros that are alone +# on a line, have an all uppercase name, and do not end with a semicolon. 
Such +# function macros are typically used for boiler-plate code, and will confuse +# the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. +# Optionally an initial location of the external documentation +# can be added for each tagfile. The format of a tag file without +# this location is as follows: +# +# TAGFILES = file1 file2 ... +# Adding location for the tag files is done as follows: +# +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths or +# URLs. If a location is present for each tag, the installdox tool +# does not have to be run to correct the links. +# Note that each tag file must have a unique name +# (where the name does NOT include the path) +# If a tag file is not located in the directory in which doxygen +# is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). 
+ +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. + +CLASS_DIAGRAMS = YES + +# You can define message sequence charts within doxygen comments using the \msc +# command. Doxygen will then run the mscgen tool (see +# http://www.mcternan.me.uk/mscgen/) to produce the chart and insert it in the +# documentation. The MSCGEN_PATH tag allows you to specify the directory where +# the mscgen tool resides. If left empty the tool is assumed to be found in the +# default search path. + +MSCGEN_PATH = + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = NO + +# By default doxygen will write a font called FreeSans.ttf to the output +# directory and reference it in all dot files that doxygen generates. This +# font does not include all possible unicode characters however, so when you need +# these (or just want a differently looking font) you can specify the font name +# using DOT_FONTNAME. 
You need need to make sure dot is able to find the font, +# which can be done by putting it in a standard location or by setting the +# DOTFONTPATH environment variable or by setting DOT_FONTPATH to the directory +# containing the font. + +DOT_FONTNAME = FreeSans + +# The DOT_FONTSIZE tag can be used to set the size of the font of dot graphs. +# The default size is 10pt. + +DOT_FONTSIZE = 10 + +# By default doxygen will tell dot to use the output directory to look for the +# FreeSans.ttf font (which doxygen will put there itself). If you specify a +# different font using DOT_FONTNAME you can set the path where dot +# can find it using this tag. + +DOT_FONTPATH = + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. 
+ +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. + +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT options are set to YES then +# doxygen will generate a call dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable call graphs +# for selected functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then +# doxygen will generate a caller dependency graph for every global function +# or class method. Note that enabling this option will significantly increase +# the time of a run. So in most cases it will be better to enable caller +# graphs for selected functions only using the \callergraph command. + +CALLER_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. 
Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The DOT_GRAPH_MAX_NODES tag can be used to set the maximum number of +# nodes that will be shown in the graph. If the number of nodes in a graph +# becomes larger than this value, doxygen will truncate the graph, which is +# visualized by representing a node as a red box. Note that doxygen if the +# number of direct children of the root node in a graph is already larger than +# DOT_GRAPH_MAX_NODES then the graph will not be shown at all. Also note +# that the size of a graph can be further restricted by MAX_DOT_GRAPH_DEPTH. + +DOT_GRAPH_MAX_NODES = 50 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that the size of a graph can be further restricted by +# DOT_GRAPH_MAX_NODES. Using a depth of 0 means no depth restriction. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, because dot on Windows does not +# seem to support this out of the box. Warning: Depending on the platform used, +# enabling this option may lead to badly anti-aliased labels on the edges of +# a graph (i.e. they become hard to read). 
+ +DOT_TRANSPARENT = YES + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = NO + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. + +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES diff --git a/src/sss_client/idmap/sss_nss_idmap.exports b/src/sss_client/idmap/sss_nss_idmap.exports new file mode 100644 index 0000000..d1b61f5 --- /dev/null +++ b/src/sss_client/idmap/sss_nss_idmap.exports 
@@ -0,0 +1,59 @@
+SSS_NSS_IDMAP_0.0.1 {
+
+ # public functions
+ global:
+
+ sss_nss_getsidbyname;
+ sss_nss_getsidbyid;
+ sss_nss_getnamebysid;
+ sss_nss_getidbysid;
+
+ # everything else is local
+ local:
+ *;
+};
+
+SSS_NSS_IDMAP_0.1.0 {
+ # public functions
+ global:
+ sss_nss_getorigbyname;
+ sss_nss_free_kv;
+} SSS_NSS_IDMAP_0.0.1;
+
+SSS_NSS_IDMAP_0.2.0 {
+ # public functions
+ global:
+ sss_nss_getnamebycert;
+} SSS_NSS_IDMAP_0.1.0;
+
+SSS_NSS_IDMAP_0.3.0 {
+ # public functions
+ global:
+ sss_nss_getlistbycert;
+} SSS_NSS_IDMAP_0.2.0;
+
+SSS_NSS_IDMAP_0.4.0 {
+ # public functions
+ global:
+ sss_nss_getpwnam_timeout;
+ sss_nss_getpwuid_timeout;
+ sss_nss_getgrnam_timeout;
+ sss_nss_getgrgid_timeout;
+ sss_nss_getgrouplist_timeout;
+ sss_nss_getsidbyname_timeout;
+ sss_nss_getsidbyid_timeout;
+ sss_nss_getnamebysid_timeout;
+ sss_nss_getidbysid_timeout;
+ sss_nss_getorigbyname_timeout;
+ sss_nss_getnamebycert_timeout;
+ sss_nss_getlistbycert_timeout;
+} SSS_NSS_IDMAP_0.3.0;
+
+SSS_NSS_IDMAP_0.5.0 {
+ # public functions
+ global:
+ sss_nss_getsidbyuid;
+ sss_nss_getsidbyuid_timeout;
+ sss_nss_getsidbygid;
+ sss_nss_getsidbygid_timeout;
+} SSS_NSS_IDMAP_0.4.0;
diff --git a/src/sss_client/idmap/sss_nss_idmap.h b/src/sss_client/idmap/sss_nss_idmap.h
new file mode 100644
index 0000000..46e2425
--- /dev/null
+++ b/src/sss_client/idmap/sss_nss_idmap.h
@@ -0,0 +1,487 @@ +/* + SSSD + + NSS Responder ID-mapping interface + + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_NSS_IDMAP_H_ +#define SSS_NSS_IDMAP_H_ + +#include +#include +#include +#include + +/** + * Object types + */ +enum sss_id_type { + SSS_ID_TYPE_NOT_SPECIFIED = 0, + SSS_ID_TYPE_UID, + SSS_ID_TYPE_GID, + SSS_ID_TYPE_BOTH /* used for user or magic private groups */ +}; + +struct sss_nss_kv { + char *key; + char *value; +}; + +/** + * @brief Find SID by fully qualified name + * + * @param[in] fq_name Fully qualified name of a user or a group + * @param[out] sid String representation of the SID of the requested user + * or group, must be freed by the caller + * @param[out] type Type of the object related to the given name + * + * @return + * - 0 (EOK): success, sid contains the requested SID + * - ENOENT: requested object was not found in the domain extracted from the given name + * - ENETUNREACH: SSSD does not know how to handle the domain extracted from the given name + * - ENOSYS: this call is not supported by the configured provider + * - EINVAL: input cannot be parsed + * - EIO: remote servers cannot be reached + * - EFAULT: any other error + */ +int sss_nss_getsidbyname(const char *fq_name, char **sid, + enum sss_id_type *type); + +/** + * @brief Find SID by a POSIX UID or GID + * + * @param[in] id POSIX UID or GID + * 
@param[out] sid String representation of the SID of the requested user + * or group, must be freed by the caller + * @param[out] type Type of the object related to the given ID + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getsidbyid(uint32_t id, char **sid, enum sss_id_type *type); + +/** + * @brief Find SID by a POSIX UID + * + * @param[in] uid POSIX UID + * @param[out] sid String representation of the SID of the requested user, + * must be freed by the caller + * @param[out] type Type of the object related to the given ID + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getsidbyuid(uint32_t uid, char **sid, enum sss_id_type *type); + +/** + * @brief Find SID by a POSIX GID + * + * @param[in] gid POSIX GID + * @param[out] sid String representation of the SID of the requested group, + * must be freed by the caller + * @param[out] type Type of the object related to the given ID + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getsidbygid(uint32_t id, char **sid, enum sss_id_type *type); + +/** + * @brief Return the fully qualified name for the given SID + * + * @param[in] sid String representation of the SID + * @param[out] fq_name Fully qualified name of a user or a group, + * must be freed by the caller + * @param[out] type Type of the object related to the SID + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getnamebysid(const char *sid, char **fq_name, + enum sss_id_type *type); + +/** + * @brief Return the POSIX ID for the given SID + * + * @param[in] sid String representation of the SID + * @param[out] id POSIX ID related to the SID + * @param[out] id_type Type of the object related to the SID + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getidbysid(const char *sid, uint32_t *id, + enum sss_id_type *id_type); + +/** + * @brief Find original data by fully qualified name + * + * @param[in] fq_name Fully qualified name of a user or a group + * @param[out] kv_list A NULL 
terminate list of key-value pairs where the key + * is the attribute name in the cache of SSSD, + * must be freed by the caller with sss_nss_free_kv() + * @param[out] type Type of the object related to the given name + * + * @return + * - 0 (EOK): success, sid contains the requested SID + * - ENOENT: requested object was not found in the domain extracted from the given name + * - ENETUNREACH: SSSD does not know how to handle the domain extracted from the given name + * - ENOSYS: this call is not supported by the configured provider + * - EINVAL: input cannot be parsed + * - EIO: remote servers cannot be reached + * - EFAULT: any other error + */ +int sss_nss_getorigbyname(const char *fq_name, struct sss_nss_kv **kv_list, + enum sss_id_type *type); + +/** + * @brief Return the fully qualified name for the given base64 encoded + * X.509 certificate in DER format + * + * @param[in] cert base64 encoded certificate + * @param[out] fq_name Fully qualified name of a user or a group, + * must be freed by the caller + * @param[out] type Type of the object related to the cert + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getnamebycert(const char *cert, char **fq_name, + enum sss_id_type *type); + +/** + * @brief Return a list of fully qualified names for the given base64 encoded + * X.509 certificate in DER format + * + * @param[in] cert base64 encoded certificate + * @param[out] fq_name List of fully qualified name of users or groups, + * must be freed by the caller + * @param[out] type List of types of the objects related to the cert + * + * @return + * - see #sss_nss_getsidbyname + */ +int sss_nss_getlistbycert(const char *cert, char ***fq_name, + enum sss_id_type **type); + +/** + * @brief Free key-value list returned by sss_nss_getorigbyname() + * + * @param[in] kv_list Key-value list returned by sss_nss_getorigbyname(). 
+ */ +void sss_nss_free_kv(struct sss_nss_kv *kv_list); + +/** + * Flags to control the behavior and the results for sss_*_ex() calls + */ + +#define SSS_NSS_EX_FLAG_NO_FLAGS 0 + +/** Always request data from the server side, client must be privileged to do + * so, see nss_trusted_users option in man sssd.conf for details. + * This flag cannot be used together with SSS_NSS_EX_FLAG_INVALIDATE_CACHE */ +#define SSS_NSS_EX_FLAG_NO_CACHE (1 << 0) + +/** Invalidate the data in the caches, client must be privileged to do + * so, see nss_trusted_users option in man sssd.conf for details. + * This flag cannot be used together with SSS_NSS_EX_FLAG_NO_CACHE */ +#define SSS_NSS_EX_FLAG_INVALIDATE_CACHE (1 << 1) + +#ifdef IPA_389DS_PLUGIN_HELPER_CALLS + +/** + * @brief Return user information based on the user name + * + * @param[in] name same as for getpwnam_r(3) + * @param[in] pwd same as for getpwnam_r(3) + * @param[in] buffer same as for getpwnam_r(3) + * @param[in] buflen same as for getpwnam_r(3) + * @param[out] result same as for getpwnam_r(3) + * @param[in] flags flags to control the behavior and the results of the + * call + * @param[in] timeout timeout in milliseconds + * + * @return + * - 0: + * - ENOENT: no user with the given name found + * - ERANGE: Insufficient buffer space supplied + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getpwnam_timeout(const char *name, struct passwd *pwd, + char *buffer, size_t buflen, + struct passwd **result, + uint32_t flags, unsigned int timeout); + +/** + * @brief Return user information based on the user uid + * + * @param[in] uid same as for getpwuid_r(3) + * @param[in] pwd same as for getpwuid_r(3) + * @param[in] buffer same as for getpwuid_r(3) + * @param[in] buflen same as for getpwuid_r(3) + * @param[out] result same as for getpwuid_r(3) + * @param[in] flags flags to control the behavior and the results of the + * call + * @param[in] timeout 
timeout in milliseconds + * + * @return + * - 0: + * - ENOENT: no user with the given uid found + * - ERANGE: Insufficient buffer space supplied + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getpwuid_timeout(uid_t uid, struct passwd *pwd, + char *buffer, size_t buflen, + struct passwd **result, + uint32_t flags, unsigned int timeout); + +/** + * @brief Return group information based on the group name + * + * @param[in] name same as for getgrnam_r(3) + * @param[in] pwd same as for getgrnam_r(3) + * @param[in] buffer same as for getgrnam_r(3) + * @param[in] buflen same as for getgrnam_r(3) + * @param[out] result same as for getgrnam_r(3) + * @param[in] flags flags to control the behavior and the results of the + * call + * @param[in] timeout timeout in milliseconds + * + * @return + * - 0: + * - ENOENT: no group with the given name found + * - ERANGE: Insufficient buffer space supplied + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getgrnam_timeout(const char *name, struct group *grp, + char *buffer, size_t buflen, struct group **result, + uint32_t flags, unsigned int timeout); + +/** + * @brief Return group information based on the group gid + * + * @param[in] gid same as for getgrgid_r(3) + * @param[in] pwd same as for getgrgid_r(3) + * @param[in] buffer same as for getgrgid_r(3) + * @param[in] buflen same as for getgrgid_r(3) + * @param[out] result same as for getgrgid_r(3) + * @param[in] flags flags to control the behavior and the results of the + * call + * @param[in] timeout timeout in milliseconds + * + * @return + * - 0: + * - ENOENT: no group with the given gid found + * - ERANGE: Insufficient buffer space supplied + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getgrgid_timeout(gid_t gid, struct group *grp, + 
char *buffer, size_t buflen, struct group **result, + uint32_t flags, unsigned int timeout); + +/** + * @brief Return a list of groups to which a user belongs + * + * @param[in] name name of the user + * @param[in] group same as second argument of getgrouplist(3) + * @param[in] groups array of gid_t of size ngroups, will be filled + * with GIDs of groups the user belongs to + * @param[in,out] ngroups size of the groups array on input. On output it + * will contain the actual number of groups the + * user belongs to. With a return value of 0 the + * groups array was large enough to hold all group. + * With a return valu of ERANGE the array was not + * large enough and ngroups will have the needed + * size. + * @param[in] flags flags to control the behavior and the results of + * the call + * @param[in] timeout timeout in milliseconds + * + * @return + * - 0: success + * - ENOENT: no user with the given name found + * - ERANGE: Insufficient buffer space supplied + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getgrouplist_timeout(const char *name, gid_t group, + gid_t *groups, int *ngroups, + uint32_t flags, unsigned int timeout); +/** + * @brief Find SID by fully qualified name with timeout + * + * @param[in] fq_name Fully qualified name of a user or a group + * @param[in] timeout timeout in milliseconds + * @param[out] sid String representation of the SID of the requested user + * or group, must be freed by the caller + * @param[out] type Type of the object related to the given name + * + * @return + * - 0 (EOK): success, sid contains the requested SID + * - ENOENT: requested object was not found in the domain extracted from the given name + * - ENETUNREACH: SSSD does not know how to handle the domain extracted from the given name + * - ENOSYS: this call is not supported by the configured provider + * - EINVAL: input cannot be parsed + * - EIO: remote servers cannot be reached + * - 
EFAULT: any other error + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getsidbyname_timeout(const char *fq_name, unsigned int timeout, + char **sid, enum sss_id_type *type); + +/** + * @brief Find SID by a POSIX UID or GID with timeout + * + * @param[in] id POSIX UID or GID + * @param[in] timeout timeout in milliseconds + * @param[out] sid String representation of the SID of the requested user + * or group, must be freed by the caller + * @param[out] type Type of the object related to the given ID + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getsidbyid_timeout(uint32_t id, unsigned int timeout, + char **sid, enum sss_id_type *type); +/** + * @brief Find SID by a POSIX UID with timeout + * + * @param[in] uid POSIX UID + * @param[in] timeout timeout in milliseconds + * @param[out] sid String representation of the SID of the requested user, + * must be freed by the caller + * @param[out] type Type of the object related to the given ID + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getsidbyuid_timeout(uint32_t uid, unsigned int timeout, + char **sid, enum sss_id_type *type); + +/** + * @brief Find SID by a POSIX GID with timeout + * + * @param[in] gid POSIX GID + * @param[in] timeout timeout in milliseconds + * @param[out] sid String representation of the SID of the requested group, + * must be freed by the caller + * @param[out] type Type of the object related to the given ID + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getsidbygid_timeout(uint32_t gid, unsigned int timeout, + char **sid, enum sss_id_type *type); + + +/** + * @brief Return the fully qualified name for the given SID with timeout + * + * @param[in] sid String representation of the SID + * @param[in] timeout timeout in milliseconds + * @param[out] fq_name Fully qualified name of a user or a group, + * must be freed by the caller + * 
@param[out] type Type of the object related to the SID + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getnamebysid_timeout(const char *sid, unsigned int timeout, + char **fq_name, enum sss_id_type *type); + +/** + * @brief Return the POSIX ID for the given SID with timeout + * + * @param[in] sid String representation of the SID + * @param[in] timeout timeout in milliseconds + * @param[out] id POSIX ID related to the SID + * @param[out] id_type Type of the object related to the SID + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getidbysid_timeout(const char *sid, unsigned int timeout, + uint32_t *id, enum sss_id_type *id_type); + +/** + * @brief Find original data by fully qualified name with timeout + * + * @param[in] fq_name Fully qualified name of a user or a group + * @param[in] timeout timeout in milliseconds + * @param[out] kv_list A NULL terminate list of key-value pairs where the key + * is the attribute name in the cache of SSSD, + * must be freed by the caller with sss_nss_free_kv() + * @param[out] type Type of the object related to the given name + * + * @return + * - 0 (EOK): success, sid contains the requested SID + * - ENOENT: requested object was not found in the domain extracted from the given name + * - ENETUNREACH: SSSD does not know how to handle the domain extracted from the given name + * - ENOSYS: this call is not supported by the configured provider + * - EINVAL: input cannot be parsed + * - EIO: remote servers cannot be reached + * - EFAULT: any other error + * - ETIME: request timed out but was send to SSSD + * - ETIMEDOUT: request timed out but was not send to SSSD + */ +int sss_nss_getorigbyname_timeout(const char *fq_name, unsigned int timeout, + struct sss_nss_kv **kv_list, + enum sss_id_type *type); + +/** + * @brief Return the fully qualified name for the given base64 encoded + * X.509 certificate in DER format with timeout + * + * @param[in] cert base64 encoded certificate + * 
@param[in] timeout timeout in milliseconds + * @param[out] fq_name Fully qualified name of a user or a group, + * must be freed by the caller + * @param[out] type Type of the object related to the cert + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getnamebycert_timeout(const char *cert, unsigned int timeout, + char **fq_name, enum sss_id_type *type); + +/** + * @brief Return a list of fully qualified names for the given base64 encoded + * X.509 certificate in DER format with timeout + * + * @param[in] cert base64 encoded certificate + * @param[in] timeout timeout in milliseconds + * @param[out] fq_name List of fully qualified name of users or groups, + * must be freed by the caller + * @param[out] type List of types of the objects related to the cert + * + * @return + * - see #sss_nss_getsidbyname_timeout + */ +int sss_nss_getlistbycert_timeout(const char *cert, unsigned int timeout, + char ***fq_name, enum sss_id_type **type); + +#endif /* IPA_389DS_PLUGIN_HELPER_CALLS */ +#endif /* SSS_NSS_IDMAP_H_ */ diff --git a/src/sss_client/idmap/sss_nss_idmap.pc.in b/src/sss_client/idmap/sss_nss_idmap.pc.in new file mode 100644 index 0000000..097875b --- /dev/null +++ b/src/sss_client/idmap/sss_nss_idmap.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: sss_nss_idmap +Description: NSS Responder ID-SID mapping interface +Version: @VERSION@ +Libs: -L${libdir} -lsss_nss_idmap +Cflags: +URL: https://pagure.io/SSSD/sssd/ diff --git a/src/sss_client/idmap/sss_nss_idmap.unit_tests b/src/sss_client/idmap/sss_nss_idmap.unit_tests new file mode 100644 index 0000000..05c474f --- /dev/null +++ b/src/sss_client/idmap/sss_nss_idmap.unit_tests @@ -0,0 +1,6 @@ +# version script files can be combined. They needn't be in single file +UNIT_TEST_ONLY { + # should not be part of installed library + global: + sss_nss_make_request_timeout; +}; 
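Review bot: Several Doxygen blocks in sss_nss_idmap.h do not match the prototypes they document. `sss_nss_getsidbygid(uint32_t id, ...)` is documented with `@param[in] gid` (the `_timeout` variant already uses `uint32_t gid`), and the `sss_nss_getgrnam_timeout` and `sss_nss_getgrgid_timeout` blocks document `pwd` although the parameter is `grp`. The return lists of `sss_nss_getorigbyname` and its `_timeout` variant still say "sid contains the requested SID" although the function fills `kv_list`. I would rename the parameter to `uint32_t gid`, write `@param[in] grp same as for getgrgid_r(3)` (and the getgrnam_r(3) equivalent), and change the success line to `- 0 (EOK): success, kv_list contains the requested data`. The `sss_nss_getlistbycert` comment says the lists "must be freed by the caller" without saying how the string array, its elements and the type array are to be released; that contract should be spelled out, because a caller who guesses it wrong leaks or double-frees. The bare `- 0:` entries in the `_timeout` blocks also need a description.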
diff --git a/src/sss_client/idmap/sss_nss_idmap_private.h b/src/sss_client/idmap/sss_nss_idmap_private.h
new file mode 100644
index 0000000..afcd8e3
--- /dev/null
+++ b/src/sss_client/idmap/sss_nss_idmap_private.h
@@ -0,0 +1,30 @@
+/*
+ SSSD
+
+ NSS Responder ID-mapping interface - private calls
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SSS_NSS_IDMAP_PRIVATE_H_
+#define SSS_NSS_IDMAP_PRIVATE_H_
+
+int sss_nss_timedlock(unsigned int timeout_ms, int *time_left_ms);
+
+#endif /* SSS_NSS_IDMAP_PRIVATE_H_ */
diff --git a/src/sss_client/krb5_authdata_int.h b/src/sss_client/krb5_authdata_int.h
new file mode 100644
index 0000000..5e0cf5e
--- /dev/null
+++ b/src/sss_client/krb5_authdata_int.h
@@ -0,0 +1,185 @@ +/* + SSSD - MIT Kerberos authdata plugin + + This file contains definitions and declarations to build authdata plugins + for MIT Kerberos outside of the MIT Kerberos source tree. +*/ + +#ifndef _KRB5_AUTHDATA_INT_H +#define _KRB5_AUTHDATA_INT_H + +krb5_error_code KRB5_CALLCONV +krb5_ser_pack_int32(krb5_int32, krb5_octet **, size_t *); + +krb5_error_code KRB5_CALLCONV +krb5_ser_unpack_int32(krb5_int32 *, krb5_octet **, size_t *); + +krb5_error_code KRB5_CALLCONV +krb5_ser_pack_bytes(krb5_octet *, size_t, krb5_octet **, size_t *); + +#define AD_USAGE_AS_REQ 0x01 +#define AD_USAGE_TGS_REQ 0x02 +#define AD_USAGE_AP_REQ 0x04 +#define AD_USAGE_KDC_ISSUED 0x08 +#define AD_USAGE_MASK 0x0F +#define AD_INFORMATIONAL 0x10 + +struct _krb5_authdata_context; +typedef struct _krb5_authdata_context *krb5_authdata_context; + +typedef void +(*authdata_client_plugin_flags_proc)(krb5_context kcontext, + void *plugin_context, + krb5_authdatatype ad_type, + krb5_flags *flags); + +typedef krb5_error_code +(*authdata_client_plugin_init_proc)(krb5_context context, + void **plugin_context); +typedef void +(*authdata_client_plugin_fini_proc)(krb5_context kcontext, + void *plugin_context); + +typedef krb5_error_code +(*authdata_client_request_init_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void **request_context); + +typedef void +(*authdata_client_request_fini_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context); + +typedef krb5_error_code +(*authdata_client_import_authdata_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + krb5_authdata **authdata, + krb5_boolean kdc_issued_flag, + krb5_const_principal issuer); + +typedef krb5_error_code +(*authdata_client_export_authdata_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void 
*request_context, + krb5_flags usage, + krb5_authdata ***authdata); + +typedef krb5_error_code +(*authdata_client_get_attribute_types_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + krb5_data **attrs); + +typedef krb5_error_code +(*authdata_client_get_attribute_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + const krb5_data *attribute, + krb5_boolean *authenticated, + krb5_boolean *complete, + krb5_data *value, + krb5_data *display_value, + int *more); + +typedef krb5_error_code +(*authdata_client_set_attribute_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + krb5_boolean complete, + const krb5_data *attribute, + const krb5_data *value); + +typedef krb5_error_code +(*authdata_client_delete_attribute_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + const krb5_data *attribute); + +typedef krb5_error_code +(*authdata_client_export_internal_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + krb5_boolean restrict_authenticated, + void **ptr); + +typedef void +(*authdata_client_free_internal_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + void *ptr); + +typedef krb5_error_code +(*authdata_client_verify_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + const krb5_auth_context *auth_context, + const krb5_keyblock *key, + const krb5_ap_req *req); + +typedef krb5_error_code +(*authdata_client_size_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + size_t *sizep); + +typedef krb5_error_code 
+(*authdata_client_externalize_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + krb5_octet **buffer, + size_t *lenremain); + +typedef krb5_error_code +(*authdata_client_internalize_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + krb5_octet **buffer, + size_t *lenremain); + +typedef krb5_error_code +(*authdata_client_copy_proc)(krb5_context kcontext, + struct _krb5_authdata_context *context, + void *plugin_context, + void *request_context, + void *dst_plugin_context, + void *dst_request_context); + +typedef struct krb5plugin_authdata_client_ftable_v0 { + char *name; + krb5_authdatatype *ad_type_list; + authdata_client_plugin_init_proc init; + authdata_client_plugin_fini_proc fini; + authdata_client_plugin_flags_proc flags; + authdata_client_request_init_proc request_init; + authdata_client_request_fini_proc request_fini; + authdata_client_get_attribute_types_proc get_attribute_types; + authdata_client_get_attribute_proc get_attribute; + authdata_client_set_attribute_proc set_attribute; + authdata_client_delete_attribute_proc delete_attribute; + authdata_client_export_authdata_proc export_authdata; + authdata_client_import_authdata_proc import_authdata; + authdata_client_export_internal_proc export_internal; + authdata_client_free_internal_proc free_internal; + authdata_client_verify_proc verify; + authdata_client_size_proc size; + authdata_client_externalize_proc externalize; + authdata_client_internalize_proc internalize; + authdata_client_copy_proc copy; /* optional */ +} krb5plugin_authdata_client_ftable_v0; + +#endif /* _KRB5_AUTHDATA_INT_H */ diff --git a/src/sss_client/libwbclient/libwbclient.h b/src/sss_client/libwbclient/libwbclient.h new file mode 100644 index 0000000..4be65f5 --- /dev/null +++ b/src/sss_client/libwbclient/libwbclient.h 
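Review bot: krb5_authdata_int.h uses `krb5_error_code`, `KRB5_CALLCONV`, `krb5_context` and other krb5 types but includes nothing, so it compiles only when the including file has already pulled in the Kerberos header. Adding `#include <krb5.h>` right after the guard would make it self-contained. `krb5plugin_authdata_client_ftable_v0` appears to restate a layout owned by MIT Kerberos, so a member-order mismatch with the libkrb5 that loads the plugin would dispatch through the wrong function pointer. A comment naming the upstream header and release this copy was taken from would make that dependency auditable. The guard `_KRB5_AUTHDATA_INT_H` also begins with an underscore and an uppercase letter, which is a reserved identifier; `SSS_KRB5_AUTHDATA_INT_H` would avoid that.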
@@ -0,0 +1,46 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API
+
+ Copyright (C) Gerald (Jerry) Carter 2007
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _LIBWBCLIENT_H
+#define _LIBWBCLIENT_H
+
+#include
+#include
+#include
+#include
+#include
+
+
+/* Super header including necessary public and private header files
+ for building the wbclient library. __DO NOT__ define anything
+ in this file. Only include other headers. */
+
+/* Public headers */
+
+#include "wbclient_sssd.h"
+
+/* Private headers */
+
+#include "wbc_err_internal.h"
+#include "wbclient_internal.h"
+
+
+#endif /* _LIBWBCLIENT_H */
diff --git a/src/sss_client/libwbclient/wbc_ctx_sssd.c b/src/sss_client/libwbclient/wbc_ctx_sssd.c
new file mode 100644
index 0000000..0f5aff4
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_ctx_sssd.c
@@ -0,0 +1,403 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API - SSSD version + + Copyright (C) Sumit Bose 2015 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include "libwbclient.h" +#include "wbc_sssd_internal.h" + +struct wbcContext *wbcCtxCreate(void) +{ + WBC_SSSD_DEV_LOG; + return NULL; +} + +void wbcCtxFree(struct wbcContext *ctx) +{ + WBC_SSSD_DEV_LOG; + return; +} + +wbcErr wbcCtxPing(struct wbcContext *ctx) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +struct wbcContext *wbcGetGlobalCtx(void) +{ + WBC_SSSD_DEV_LOG; + return NULL; +} + +wbcErr wbcCtxInterfaceDetails(struct wbcContext *ctx, + struct wbcInterfaceDetails **details) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLookupName(struct wbcContext *ctx, + const char *dom_name, + const char *name, + struct wbcDomainSid *sid, + enum wbcSidType *name_type) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLookupSid(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + char **domain, + char **name, + enum wbcSidType *name_type) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLookupSids(struct wbcContext *ctx, + const struct wbcDomainSid *sids, int num_sids, + struct wbcDomainInfo **domains, int *num_domains, + struct wbcTranslatedName **names) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLookupRids(struct wbcContext *ctx, + struct wbcDomainSid *dom_sid, + int num_rids, + uint32_t 
*rids, + const char **domain_name, + const char ***names, + enum wbcSidType **types) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLookupUserSids(struct wbcContext *ctx, + const struct wbcDomainSid *user_sid, + bool domain_groups_only, + uint32_t *num_sids, + struct wbcDomainSid **sids) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetSidAliases(struct wbcContext *ctx, + const struct wbcDomainSid *dom_sid, + struct wbcDomainSid *sids, + uint32_t num_sids, + uint32_t **alias_rids, + uint32_t *num_alias_rids) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxListUsers(struct wbcContext *ctx, + const char *domain_name, + uint32_t *num_users, + const char ***users) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxListGroups(struct wbcContext *ctx, + const char *domain_name, + uint32_t *num_groups, + const char ***groups) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetDisplayName(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + char **pdomain, + char **pfullname, + enum wbcSidType *pname_type) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxSidToUid(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + uid_t *puid) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxUidToSid(struct wbcContext *ctx, uid_t uid, + struct wbcDomainSid *sid) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxSidToGid(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + gid_t *pgid) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGidToSid(struct wbcContext *ctx, gid_t gid, + struct wbcDomainSid *sid) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxSidsToUnixIds(struct wbcContext *ctx, + const struct wbcDomainSid *sids, uint32_t num_sids, + struct wbcUnixId *ids) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx, + const struct wbcUnixId *ids, uint32_t num_ids, + struct wbcDomainSid *sids) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxAllocateUid(struct wbcContext *ctx, uid_t *puid) +{ + 
WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxAllocateGid(struct wbcContext *ctx, gid_t *pgid) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetpwnam(struct wbcContext *ctx, + const char *name, struct passwd **pwd) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetpwuid(struct wbcContext *ctx, + uid_t uid, struct passwd **pwd) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetpwsid(struct wbcContext *ctx, + struct wbcDomainSid * sid, struct passwd **pwd) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetgrnam(struct wbcContext *ctx, + const char *name, struct group **grp) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetgrgid(struct wbcContext *ctx, + gid_t gid, struct group **grp) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxSetpwent(struct wbcContext *ctx) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxEndpwent(struct wbcContext *ctx) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetpwent(struct wbcContext *ctx, struct passwd **pwd) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxSetgrent(struct wbcContext *ctx) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxEndgrent(struct wbcContext *ctx) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetgrent(struct wbcContext *ctx, struct group **grp) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetgrlist(struct wbcContext *ctx, struct group **grp) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxGetGroups(struct wbcContext *ctx, + const char *account, + uint32_t *num_groups, + gid_t **_groups) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxDomainInfo(struct wbcContext *ctx, + const char *domain, + struct wbcDomainInfo **dinfo) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxDcInfo(struct wbcContext *ctx, + const char *domain, size_t *num_dcs, + const char ***dc_names, const char ***dc_ips) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxListTrusts(struct wbcContext *ctx, + struct wbcDomainInfo **domains, + size_t *num_domains) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr 
wbcCtxLookupDomainController(struct wbcContext *ctx, + const char *domain, + uint32_t flags, + struct wbcDomainControllerInfo **dc_info) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLookupDomainControllerEx(struct wbcContext *ctx, + const char *domain, + struct wbcGuid *guid, + const char *site, + uint32_t flags, + struct wbcDomainControllerInfoEx **dc_info) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxAuthenticateUser(struct wbcContext *ctx, + const char *username, + const char *password) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx, + const struct wbcAuthUserParams *params, + struct wbcAuthUserInfo **info, + struct wbcAuthErrorInfo **error) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLogonUser(struct wbcContext *ctx, + const struct wbcLogonUserParams *params, + struct wbcLogonUserInfo **info, + struct wbcAuthErrorInfo **error, + struct wbcUserPasswordPolicyInfo **policy) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLogoffUser(struct wbcContext *ctx, + const char *username, uid_t uid, + const char *ccfilename) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxLogoffUserEx(struct wbcContext *ctx, + const struct wbcLogoffUserParams *params, + struct wbcAuthErrorInfo **error) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxChangeUserPassword(struct wbcContext *ctx, + const char *username, + const char *old_password, + const char *new_password) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxChangeUserPasswordEx(struct wbcContext *ctx, + const struct wbcChangePasswordParams *params, + struct wbcAuthErrorInfo **error, + enum wbcPasswordChangeRejectReason *reject_reason, + struct wbcUserPasswordPolicyInfo **policy) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxCredentialCache(struct wbcContext *ctx, + struct wbcCredentialCacheParams *params, + struct wbcCredentialCacheInfo **info, + struct wbcAuthErrorInfo **error) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxCredentialSave(struct 
wbcContext *ctx, + const char *user, const char *password) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxResolveWinsByName(struct wbcContext *ctx, + const char *name, char **ip) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxResolveWinsByIP(struct wbcContext *ctx, + const char *ip, char **name) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxCheckTrustCredentials(struct wbcContext *ctx, const char *domain, + struct wbcAuthErrorInfo **error) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxChangeTrustCredentials(struct wbcContext *ctx, const char *domain, + struct wbcAuthErrorInfo **error) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxPingDc(struct wbcContext *ctx, const char *domain, + struct wbcAuthErrorInfo **error) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcCtxPingDc2(struct wbcContext *ctx, const char *domain, + struct wbcAuthErrorInfo **error, + char **dcname) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} diff --git a/src/sss_client/libwbclient/wbc_err_internal.h b/src/sss_client/libwbclient/wbc_err_internal.h new file mode 100644 index 0000000..65970a9 --- /dev/null +++ b/src/sss_client/libwbclient/wbc_err_internal.h 
@@ -0,0 +1,44 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API
+
+ Copyright (C) Gerald (Jerry) Carter 2007
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _WBC_ERR_INTERNAL_H
+#define _WBC_ERR_INTERNAL_H
+
+/* Private macros */
+
+#define BAIL_ON_WBC_ERROR(x) \
+ do { \
+ if (!WBC_ERROR_IS_OK(x)) { \
+ goto done; \
+ } \
+ } while(0)
+
+#define BAIL_ON_PTR_ERROR(x, status) \
+ do { \
+ if ((x) == NULL) { \
+ status = WBC_ERR_NO_MEMORY; \
+ goto done; \
+ } else { \
+ status = WBC_ERR_SUCCESS; \
+ } \
+ } while (0)
+
+#endif /* _WBC_ERR_INTERNAL_H */
diff --git a/src/sss_client/libwbclient/wbc_guid.c b/src/sss_client/libwbclient/wbc_guid.c
new file mode 100644
index 0000000..22f7725
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_guid.c
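Review bot: BAIL_ON_PTR_ERROR assigns `WBC_ERR_SUCCESS` to `status` on the non-NULL path, so it silently overwrites any earlier error held in that variable, and both macros jump to a `done:` label that the calling function must provide. Neither requirement is documented; I would add a comment above the macros such as `/* Both macros require a local "done:" label; BAIL_ON_PTR_ERROR always overwrites status. */`. The guard name `_WBC_ERR_INTERNAL_H` starts with an underscore and a capital letter, which is a reserved identifier in C. The header also uses `WBC_ERROR_IS_OK` and the `WBC_ERR_*` codes without including the header that defines them, so it only works when included after it.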
@@ -0,0 +1,100 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API
+
+ Copyright (C) Gerald (Jerry) Carter 2007
+
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+/* Required Headers */
+
+#include "libwbclient.h"
+
+/* Convert a binary GUID to a character string */
+wbcErr wbcGuidToString(const struct wbcGuid *guid,
+ char **guid_string)
+{
+ char *result;
+
+ result = (char *)wbcAllocateMemory(37, 1, NULL);
+ if (result == NULL) {
+ return WBC_ERR_NO_MEMORY;
+ }
+ snprintf(result, 37,
+ "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+ guid->time_low, guid->time_mid,
+ guid->time_hi_and_version,
+ guid->clock_seq[0],
+ guid->clock_seq[1],
+ guid->node[0], guid->node[1],
+ guid->node[2], guid->node[3],
+ guid->node[4], guid->node[5]);
+ *guid_string = result;
+
+ return WBC_ERR_SUCCESS;
+}
+
+/* @brief Convert a character string to a binary GUID */
+wbcErr wbcStringToGuid(const char *str,
+ struct wbcGuid *guid)
+{
+ uint32_t time_low;
+ uint32_t time_mid, time_hi_and_version;
+ uint32_t clock_seq[2];
+ uint32_t node[6];
+ int i;
+ wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+
+ if (!guid) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ if (!str) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ if (11 == sscanf(str, "%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
+ &time_low, &time_mid, &time_hi_and_version,
+ &clock_seq[0], &clock_seq[1],
+ &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
+ wbc_status = WBC_ERR_SUCCESS;
+ } else if (11 == sscanf(str, "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
+ &time_low, &time_mid, &time_hi_and_version,
+ &clock_seq[0], &clock_seq[1],
+ &node[0], &node[1], &node[2], &node[3], &node[4], &node[5])) {
+ wbc_status = WBC_ERR_SUCCESS;
+ }
+
+ BAIL_ON_WBC_ERROR(wbc_status);
+
+ guid->time_low = time_low;
+ guid->time_mid = time_mid;
+ guid->time_hi_and_version = time_hi_and_version;
+ guid->clock_seq[0] = clock_seq[0];
+ guid->clock_seq[1] = clock_seq[1];
+
+ for (i=0;i<6;i++) {
+ guid->node[i] = node[i];
+ }
+
+ wbc_status = WBC_ERR_SUCCESS;
+
+done:
+ return wbc_status;
+}
diff --git a/src/sss_client/libwbclient/wbc_idmap_common.c b/src/sss_client/libwbclient/wbc_idmap_common.c
new file mode 100644
index 0000000..ef30d27
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_idmap_common.c
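Review bot: wbcStringToGuid accepts strings with trailing garbage, and the braced form never verifies the closing `}`, because sscanf() reports 11 conversions as soon as the last `%02x` matches and ignores whatever follows. Each `%x` field also skips leading whitespace and accepts a sign or `0x` prefix, so the parser is looser than the GUID syntax it is meant to recognise. If these strings can originate outside the process, end each format with `%n`, pass `&n` as the last argument and require `str[n] == '\0'` in addition to the count of 11. wbcGuidToString dereferences `guid` and `guid_string` without the NULL checks its counterpart has, and the literal `37` used for both the allocation and the snprintf() bound would be safer as one named constant.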
@@ -0,0 +1,89 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API
+
+ Copyright (C) Gerald (Jerry) Carter 2007
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+/* Required Headers */
+
+#include "libwbclient.h"
+
+/* Convert a Windows SID to a Unix uid if there already is a mapping */
+wbcErr wbcQuerySidToUid(const struct wbcDomainSid *sid,
+ uid_t *puid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Convert a Unix uid to a Windows SID if there already is a mapping */
+wbcErr wbcQueryUidToSid(uid_t uid,
+ struct wbcDomainSid *sid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Convert a Windows SID to a Unix gid if there already is a mapping */
+wbcErr wbcQuerySidToGid(const struct wbcDomainSid *sid,
+ gid_t *pgid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+
+/* Convert a Unix gid to a Windows SID if there already is a mapping */
+wbcErr wbcQueryGidToSid(gid_t gid,
+ struct wbcDomainSid *sid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Set an user id mapping - not implemented any more */
+wbcErr wbcSetUidMapping(uid_t uid, const struct wbcDomainSid *sid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Set a group id mapping - not implemented any more */
+wbcErr wbcSetGidMapping(gid_t gid, const struct wbcDomainSid *sid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Remove a user id mapping - not implemented any more */
+wbcErr wbcRemoveUidMapping(uid_t uid, const struct wbcDomainSid *sid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Remove a group id mapping - not implemented any more */
+wbcErr wbcRemoveGidMapping(gid_t gid, const struct wbcDomainSid *sid)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Set the highwater mark for allocated uids - not implemented any more */
+wbcErr wbcSetUidHwm(uid_t uid_hwm)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
+
+/* Set the highwater mark for allocated gids - not implemented any more */
+wbcErr wbcSetGidHwm(gid_t gid_hwm)
+{
+ return WBC_ERR_NOT_IMPLEMENTED;
+}
diff --git a/src/sss_client/libwbclient/wbc_idmap_sssd.c b/src/sss_client/libwbclient/wbc_idmap_sssd.c
new file mode 100644
index 0000000..dd2cbb4
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_idmap_sssd.c
@@ -0,0 +1,230 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API - SSSD version
+
+ Copyright (C) Sumit Bose 2014
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+/* Required Headers */
+
+#include "sss_client/idmap/sss_nss_idmap.h"
+
+#include "libwbclient.h"
+#include "wbc_sssd_internal.h"
+
+/* Convert a Windows SID to a Unix uid, allocating an uid if needed */
+wbcErr wbcSidToUid(const struct wbcDomainSid *sid, uid_t *puid)
+{
+ int ret;
+ char *sid_str;
+ uint32_t id;
+ enum sss_id_type type;
+ wbcErr wbc_status;
+
+ wbc_status = wbcSidToString(sid, &sid_str);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return wbc_status;
+ }
+
+ ret = sss_nss_getidbysid(sid_str, &id, &type);
+ wbcFreeMemory(sid_str);
+ if (ret != 0) {
+ return WBC_ERR_UNKNOWN_FAILURE;
+ }
+
+ if (type != SSS_ID_TYPE_UID && type != SSS_ID_TYPE_BOTH) {
+ return WBC_ERR_UNKNOWN_GROUP;
+ }
+
+ *puid = (uid_t) id;
+
+ return WBC_ERR_SUCCESS;
+}
+
+/* Convert a Unix uid to a Windows SID, allocating a SID if needed */
+wbcErr wbcUidToSid(uid_t uid, struct wbcDomainSid *sid)
+{
+ int ret;
+ char *str_sid;
+ enum sss_id_type type;
+ wbcErr wbc_status;
+
+ ret = sss_nss_getsidbyuid(uid, &str_sid, &type);
+ if (ret != 0) {
+ return WBC_ERR_UNKNOWN_FAILURE;
+ }
+
+ if (type != SSS_ID_TYPE_UID && type != SSS_ID_TYPE_BOTH) {
+ free(str_sid);
+ return WBC_ERR_UNKNOWN_USER;
+ }
+
+ wbc_status = wbcStringToSid(str_sid, sid);
+ free(str_sid);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return wbc_status;
+ }
+
+ return WBC_ERR_SUCCESS;
+}
+
+/** @brief Convert a Windows SID to a Unix gid, allocating a gid if needed
+ *
+ * @param *sid Pointer to the domain SID to be resolved
+ * @param *pgid Pointer to the resolved gid_t value
+ *
+ * @return #wbcErr
+ *
+ **/
+
+wbcErr wbcSidToGid(const struct wbcDomainSid *sid, gid_t *pgid)
+{
+ int ret;
+ char *sid_str;
+ uint32_t id;
+ enum sss_id_type type;
+ wbcErr wbc_status;
+
+ wbc_status = wbcSidToString(sid, &sid_str);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return wbc_status;
+ }
+
+ ret = sss_nss_getidbysid(sid_str, &id, &type);
+ wbcFreeMemory(sid_str);
+ if (ret != 0) {
+ return WBC_ERR_UNKNOWN_FAILURE;
+ }
+
+ if (type != SSS_ID_TYPE_GID && type != SSS_ID_TYPE_BOTH) {
+ return WBC_ERR_UNKNOWN_GROUP;
+ }
+
+ *pgid = (gid_t) id;
+
+ return WBC_ERR_SUCCESS;
+}
+
+/* Convert a Unix gid to a Windows SID, allocating a SID if needed */
+wbcErr wbcGidToSid(gid_t gid, struct wbcDomainSid *sid)
+{
+ int ret;
+ char *str_sid;
+ enum sss_id_type type;
+ wbcErr wbc_status;
+
+ ret = sss_nss_getsidbygid(gid, &str_sid, &type);
+ if (ret != 0) {
+ return WBC_ERR_UNKNOWN_FAILURE;
+ }
+
+ if (type != SSS_ID_TYPE_GID && type != SSS_ID_TYPE_BOTH) {
+ free(str_sid);
+ return WBC_ERR_UNKNOWN_USER;
+ }
+
+ wbc_status = wbcStringToSid(str_sid, sid);
+ free(str_sid);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return wbc_status;
+ }
+
+ return WBC_ERR_SUCCESS;
+}
+
+/* Obtain a new uid from Winbind */
+wbcErr wbcAllocateUid(uid_t *puid)
+{
+ /* Not supported by SSSD */
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Obtain a new gid from Winbind */
+wbcErr wbcAllocateGid(gid_t *pgid)
+{
+ /* Not supported by SSSD */
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Convert a list of SIDs */
+wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids,
+ struct wbcUnixId *ids)
+{
+ int ret;
+ char *sid_str;
+ uint32_t id;
+ enum sss_id_type type;
+ size_t c;
+ wbcErr wbc_status;
+
+ for (c = 0; c < num_sids; c++) {
+ type = SSS_ID_TYPE_NOT_SPECIFIED;
+ wbc_status = wbcSidToString(&sids[c], &sid_str);
+ if (WBC_ERROR_IS_OK(wbc_status)) {
+ ret = sss_nss_getidbysid(sid_str, &id, &type);
+ wbcFreeMemory(sid_str);
+ if (ret != 0) {
+ type = SSS_ID_TYPE_NOT_SPECIFIED;
+ }
+ }
+
+ switch (type) {
+ case SSS_ID_TYPE_UID:
+ ids[c].type = WBC_ID_TYPE_UID;
+ ids[c].id.uid = (uid_t) id;
+ break;
+ case SSS_ID_TYPE_GID:
+ ids[c].type = WBC_ID_TYPE_GID;
+ ids[c].id.gid = (gid_t) id;
+ break;
+ case SSS_ID_TYPE_BOTH:
+ ids[c].type = WBC_ID_TYPE_BOTH;
+ ids[c].id.uid = (uid_t) id;
+ break;
+ default:
+ ids[c].type = WBC_ID_TYPE_NOT_SPECIFIED;
+ }
+ }
+
+ return WBC_ERR_SUCCESS;
+}
+
+wbcErr wbcUnixIdsToSids(const struct wbcUnixId *ids, uint32_t num_ids,
+ struct wbcDomainSid *sids)
+{
+ size_t c;
+ wbcErr wbc_status;
+
+ for (c = 0; c < num_ids; c++) {
+ switch (ids[c].type) {
+ case WBC_ID_TYPE_UID:
+ wbc_status = wbcUidToSid(ids[c].id.uid, &sids[c]);
+ break;
+ case WBC_ID_TYPE_GID:
+ wbc_status = wbcGidToSid(ids[c].id.gid, &sids[c]);
+ break;
+ default:
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ }
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ sids[c] = (struct wbcDomainSid){ 0 };
+ };
+ }
+
+ return WBC_ERR_SUCCESS;
+}
diff --git a/src/sss_client/libwbclient/wbc_pam_sssd.c b/src/sss_client/libwbclient/wbc_pam_sssd.c
new file mode 100644
index 0000000..77698f5
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_pam_sssd.c
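Review bot: The type-mismatch error codes look swapped between the user and group paths: wbcSidToUid returns `WBC_ERR_UNKNOWN_GROUP` when the SID does not map to a user, and wbcGidToSid returns `WBC_ERR_UNKNOWN_USER` when the id is not a group. A caller that branches on the code to choose between user and group handling would take the wrong path, so I would use `return WBC_ERR_UNKNOWN_USER;` in wbcSidToUid and `return WBC_ERR_UNKNOWN_GROUP;` in wbcGidToSid. wbcUnixIdsToSids returns `WBC_ERR_SUCCESS` even when individual entries failed and only zeroes the affected SID, and it treats `WBC_ID_TYPE_BOTH` as an invalid parameter. That contract is undocumented; a comment such as `/* failed entries come back as an all-zero SID; callers must check each one */` would keep callers from trusting an empty mapping.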
@@ -0,0 +1,183 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API - SSSD version
+
+ Copyright (C) Sumit Bose 2014
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+/* Required Headers */
+#include "libwbclient.h"
+#include "wbc_sssd_internal.h"
+
+/* Authenticate a username/password pair */
+wbcErr wbcAuthenticateUser(const char *username,
+ const char *password)
+{
+ wbcErr wbc_status = WBC_ERR_SUCCESS;
+ struct wbcAuthUserParams params = {0};
+
+ params.account_name = username;
+ params.level = WBC_AUTH_USER_LEVEL_PLAIN;
+ params.password.plaintext = password;
+
+ wbc_status = wbcAuthenticateUserEx(¶ms, NULL, NULL);
+
+ return wbc_status;
+}
+
+
+/* Authenticate with more detailed information */
+wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
+ struct wbcAuthUserInfo **info,
+ struct wbcAuthErrorInfo **error)
+{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ return WBC_ERR_WINBIND_NOT_AVAILABLE;
+}
+
+/* Trigger a verification of the trust credentials of a specific domain */
+wbcErr wbcCheckTrustCredentials(const char *domain,
+ struct wbcAuthErrorInfo **error)
+{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Trigger a change of the trust credentials for a specific domain */
+wbcErr wbcChangeTrustCredentials(const char *domain,
+ struct wbcAuthErrorInfo **error)
+{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/*
+ * Trigger a no-op NETLOGON call. Lightweight version of
+ * wbcCheckTrustCredentials
+ */
+wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error)
+{
+ return wbcPingDc2(domain, error, NULL);
+}
+
+/*
+ * Trigger a no-op NETLOGON call. Lightweight version of
+ * wbcCheckTrustCredentials, optionally return attempted DC
+ */
+wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
+ char **dcname)
+{
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Trigger an extended logoff notification to Winbind for a specific user */
+wbcErr wbcLogoffUserEx(const struct wbcLogoffUserParams *params,
+ struct wbcAuthErrorInfo **error)
+{
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Trigger a logoff notification to Winbind for a specific user */
+wbcErr wbcLogoffUser(const char *username,
+ uid_t uid,
+ const char *ccfilename)
+{
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Change a password for a user with more detailed information upon failure */
+wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
+ struct wbcAuthErrorInfo **error,
+ enum wbcPasswordChangeRejectReason *reject_reason,
+ struct wbcUserPasswordPolicyInfo **policy)
+{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ if (policy != NULL) {
+ *policy = NULL;
+ }
+
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Change a password for a user */
+wbcErr wbcChangeUserPassword(const char *username,
+ const char *old_password,
+ const char *new_password)
+{
+ wbcErr wbc_status = WBC_ERR_SUCCESS;
+ struct wbcChangePasswordParams params = {0};
+
+ params.account_name = username;
+ params.level = WBC_CHANGE_PASSWORD_LEVEL_PLAIN;
+ params.old_password.plaintext = old_password;
+ params.new_password.plaintext = new_password;
+
+ wbc_status = wbcChangeUserPasswordEx(¶ms, NULL, NULL, NULL);
+
+ return wbc_status;
+}
+
+/* Logon a User */
+wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
+ struct wbcLogonUserInfo **info,
+ struct wbcAuthErrorInfo **error,
+ struct wbcUserPasswordPolicyInfo **policy)
+{
+ if (info != NULL) {
+ *info = NULL;
+ }
+
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ if (policy != NULL) {
+ *policy = NULL;
+ }
+
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Authenticate a user with cached credentials */
+wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
+ struct wbcCredentialCacheInfo **info,
+ struct wbcAuthErrorInfo **error)
+{
+ if (error != NULL) {
+ *error = NULL;
+ }
+
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Authenticate a user with cached credentials */
+wbcErr wbcCredentialSave(const char *user, const char *password)
+{
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
diff --git a/src/sss_client/libwbclient/wbc_pwd_sssd.c b/src/sss_client/libwbclient/wbc_pwd_sssd.c
new file mode 100644
index 0000000..cacad9d
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_pwd_sssd.c
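Review bot: wbcAuthenticateUserEx clears `*error` but leaves `*info` untouched before returning `WBC_ERR_WINBIND_NOT_AVAILABLE`, whereas wbcLogonUser in the same file clears every out-parameter it is given. A caller that releases `*info` on its error path would then operate on an uninitialised pointer; adding `if (info != NULL) { *info = NULL; }` keeps the stubs consistent. The same gap exists for `*error` in wbcLogoffUserEx and for `*error` and `*dcname` in wbcPingDc2. The comment above wbcCredentialSave repeats the wbcCredentialCache text and should describe the function it sits on, e.g. `/* Store a user's credentials (not implemented) */`.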
@@ -0,0 +1,659 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API - SSSD version
+
+ Copyright (C) Sumit Bose 2014
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+/* Required Headers */
+
+#include
+#include
+#include
+
+#include "libwbclient.h"
+#include "wbc_sssd_internal.h"
+
+#define DEFAULT_BUFSIZE_HALF 2048
+#define DEFAULT_BUFSIZE (2 * DEFAULT_BUFSIZE_HALF)
+#define MAX_BUFSIZE (1024*1204)
+
+struct nss_ops_ctx {
+ void *dl_handle;
+
+ enum nss_status (*getpwnam_r)(const char *name, struct passwd *result,
+ char *buffer, size_t buflen, int *errnop);
+ enum nss_status (*getpwuid_r)(uid_t uid, struct passwd *result,
+ char *buffer, size_t buflen, int *errnop);
+ enum nss_status (*setpwent)(void);
+ enum nss_status (*getpwent_r)(struct passwd *result,
+ char *buffer, size_t buflen, int *errnop);
+ enum nss_status (*endpwent)(void);
+
+ enum nss_status (*getgrnam_r)(const char *name, struct group *result,
+ char *buffer, size_t buflen, int *errnop);
+ enum nss_status (*getgrgid_r)(gid_t gid, struct group *result,
+ char *buffer, size_t buflen, int *errnop);
+ enum nss_status (*setgrent)(void);
+ enum nss_status (*getgrent_r)(struct group *result,
+ char *buffer, size_t buflen, int *errnop);
+ enum nss_status (*endgrent)(void);
+
+ enum nss_status (*initgroups_dyn)(const char *user, gid_t group,
+ long int *start, long int *size,
+ gid_t **groups, long int limit,
+ int *errnop);
+};
+
+struct nss_ops_ctx *ctx = NULL;
+
+static bool open_libnss_sss(void)
+{
+ ctx = calloc(1, sizeof(struct nss_ops_ctx));
+ if (ctx == NULL) {
+ return false;
+ }
+
+ ctx->dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW);
+ if (ctx->dl_handle == NULL) {
+ goto fail;
+ }
+
+ ctx->getpwnam_r = dlsym(ctx->dl_handle, "_nss_sss_getpwnam_r");
+ if (ctx->getpwnam_r == NULL) {
+ goto fail;
+ }
+
+ ctx->getpwuid_r = dlsym(ctx->dl_handle, "_nss_sss_getpwuid_r");
+ if (ctx->getpwuid_r == NULL) {
+ goto fail;
+ }
+
+ ctx->setpwent = dlsym(ctx->dl_handle, "_nss_sss_setpwent");
+ if (ctx->setpwent == NULL) {
+ goto fail;
+ }
+
+ ctx->getpwent_r = dlsym(ctx->dl_handle, "_nss_sss_getpwent_r");
+ if (ctx->getpwent_r == NULL) {
+ goto fail;
+ }
+
+ ctx->endpwent = dlsym(ctx->dl_handle, "_nss_sss_endpwent");
+ if (ctx->endpwent == NULL) {
+ goto fail;
+ }
+
+ ctx->getgrnam_r = dlsym(ctx->dl_handle, "_nss_sss_getgrnam_r");
+ if (ctx->getgrnam_r == NULL) {
+ goto fail;
+ }
+
+ ctx->getgrgid_r = dlsym(ctx->dl_handle, "_nss_sss_getgrgid_r");
+ if (ctx->getgrgid_r == NULL) {
+ goto fail;
+ }
+
+ ctx->setgrent = dlsym(ctx->dl_handle, "_nss_sss_setgrent");
+ if (ctx->setgrent == NULL) {
+ goto fail;
+ }
+
+ ctx->getgrent_r = dlsym(ctx->dl_handle, "_nss_sss_getgrent_r");
+ if (ctx->getgrent_r == NULL) {
+ goto fail;
+ }
+
+ ctx->endgrent = dlsym(ctx->dl_handle, "_nss_sss_endgrent");
+ if (ctx->endgrent == NULL) {
+ goto fail;
+ }
+
+ ctx->initgroups_dyn = dlsym(ctx->dl_handle, "_nss_sss_initgroups_dyn");
+ if (ctx->initgroups_dyn == NULL) {
+ goto fail;
+ }
+
+ return true;
+
+fail:
+ if (ctx->dl_handle != NULL) {
+ dlclose(ctx->dl_handle);
+ }
+
+ free(ctx);
+ ctx = NULL;
+
+ return false;
+}
+
+static void wbcPasswdDestructor(void *ptr)
+{
+ struct passwd *pw = (struct passwd *)ptr;
+ free(pw->pw_name);
+ free(pw->pw_passwd);
+ free(pw->pw_gecos);
+ free(pw->pw_shell);
+ free(pw->pw_dir);
+}
+
+static wbcErr copy_pwd(struct passwd *in, struct passwd **out)
+{
+ struct passwd *pw;
+
+ pw = (struct passwd *)wbcAllocateMemory(1, sizeof(struct passwd),
+ wbcPasswdDestructor);
+ if (pw == NULL) {
+ return WBC_ERR_NO_MEMORY;
+ }
+
+ pw->pw_name = strdup(in->pw_name);
+ if (pw->pw_name == NULL) {
+ goto fail;
+ }
+
+ pw->pw_passwd = strdup(in->pw_passwd);
+ if (pw->pw_passwd == NULL) {
+ goto fail;
+ }
+
+ pw->pw_uid = in->pw_uid;
+ pw->pw_gid = in->pw_gid;
+
+ pw->pw_gecos = strdup(in->pw_gecos);
+ if (pw->pw_gecos == NULL) {
+ goto fail;
+ }
+
+ pw->pw_shell = strdup(in->pw_shell);
+ if (pw->pw_shell == NULL) {
+ goto fail;
+ }
+
+ pw->pw_dir = strdup(in->pw_dir);
+ if (pw->pw_dir == NULL) {
+ goto fail;
+ }
+
+ *out = pw;
+ return WBC_ERR_SUCCESS;
+fail:
+ wbcFreeMemory(pw);
+
+ return WBC_ERR_NO_MEMORY;
+}
+
+static wbcErr nss_to_wbc(enum nss_status status)
+{
+ wbcErr wbc_status;
+
+ switch (status) {
+ case NSS_STATUS_SUCCESS:
+ wbc_status = WBC_ERR_SUCCESS;
+ break;
+ case NSS_STATUS_NOTFOUND:
+ wbc_status = WBC_ERR_UNKNOWN_USER;
+ break;
+ case NSS_STATUS_UNAVAIL:
+ wbc_status = WBC_ERR_WINBIND_NOT_AVAILABLE;
+ break;
+ default:
+ wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+ }
+
+ return wbc_status;
+}
+
+/* Fill in a struct passwd* for a domain user based on username */
+wbcErr wbcGetpwnam(const char *name, struct passwd **pwd)
+{
+ struct passwd lpwd = {0};
+ enum nss_status status;
+ char *buffer = NULL;
+ size_t buflen;
+ wbcErr wbc_status;
+ int nss_errno;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ if (name == NULL || pwd == NULL) {
+ return WBC_ERR_INVALID_PARAM;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = malloc(buflen);
+ if (buffer == NULL) {
+ return WBC_ERR_NO_MEMORY;
+ }
+
+ status = ctx->getpwnam_r(name, &lpwd, buffer, buflen, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (WBC_ERROR_IS_OK(wbc_status) == true) {
+ wbc_status = copy_pwd(&lpwd, pwd);
+ }
+
+ free(buffer);
+
+ return wbc_status;
+}
+
+/* Fill in a struct passwd* for a domain user based on uid */
+wbcErr wbcGetpwuid(uid_t uid, struct passwd **pwd)
+{
+ struct passwd lpwd = {0};
+ enum nss_status status;
+ char *buffer = NULL;
+ size_t buflen;
+ wbcErr wbc_status;
+ int nss_errno;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ if (pwd == NULL) {
+ return WBC_ERR_INVALID_PARAM;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = malloc(buflen);
+ if (buffer == NULL) {
+ return WBC_ERR_NO_MEMORY;
+ }
+
+ status = ctx->getpwuid_r(uid, &lpwd, buffer, buflen, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (WBC_ERROR_IS_OK(wbc_status) == true) {
+ wbc_status = copy_pwd(&lpwd, pwd);
+ }
+
+ free(buffer);
+
+ return wbc_status;
+}
+
+/* Fill in a struct passwd* for a domain user based on sid */
+wbcErr wbcGetpwsid(struct wbcDomainSid *sid, struct passwd **pwd)
+{
+ wbcErr wbc_status;
+ uid_t uid;
+
+ wbc_status = wbcSidToUid(sid, &uid);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return wbc_status;
+ }
+
+ wbc_status = wbcGetpwuid(uid, pwd);
+
+ return wbc_status;
+
+}
+
+static void wbcGroupDestructor(void *ptr)
+{
+ struct group *gr = (struct group *)ptr;
+ size_t c;
+
+ free(gr->gr_name);
+ free(gr->gr_passwd);
+
+ /* if the array was partly created this can be NULL */
+ if (gr->gr_mem == NULL) {
+ return;
+ }
+
+ for (c=0; gr->gr_mem[c] != NULL; c++) {
+ free(gr->gr_mem[c]);
+ }
+ free(gr->gr_mem);
+}
+
+static wbcErr copy_grp(struct group *in, struct group **out)
+{
+ struct group *gr;
+ size_t members;
+ size_t c;
+
+ gr = (struct group *)wbcAllocateMemory(1, sizeof(struct group),
+ wbcGroupDestructor);
+ if (gr == NULL) {
+ return WBC_ERR_NO_MEMORY;
+ }
+
+ gr->gr_name = strdup(in->gr_name);
+ if (gr->gr_name == NULL) {
+ goto fail;
+ }
+
+ gr->gr_passwd = strdup(in->gr_passwd);
+ if (gr->gr_passwd == NULL) {
+ goto fail;
+ }
+
+ gr->gr_gid = in->gr_gid;
+
+ for (members = 0; in->gr_mem[members] != NULL; members++);
+
+ gr->gr_mem = (char **)calloc(members+1, sizeof(char *));
+ if (gr->gr_mem == NULL) {
+ goto fail;
+ }
+
+ for (c = 0; c < members; c++) {
+ gr->gr_mem[c] = strdup(in->gr_mem[c]);
+ if (gr->gr_mem[c] == NULL) {
+ goto fail;
+ }
+ }
+
+ *out = gr;
+ return WBC_ERR_SUCCESS;
+fail:
+ wbcFreeMemory(gr);
+
+ return WBC_ERR_NO_MEMORY;
+}
+/* Fill in a struct passwd* for a domain user based on username */
+wbcErr wbcGetgrnam(const char *name, struct group **grp)
+{
+ struct group lgrp;
+ enum nss_status status;
+ char *newbuffer = NULL;
+ char *buffer = NULL;
+ size_t buflen = 0;
+ wbcErr wbc_status;
+ int nss_errno;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ if (name == NULL || grp == NULL) {
+ return WBC_ERR_INVALID_PARAM;
+ }
+
+ buflen = DEFAULT_BUFSIZE_HALF;
+ do {
+ buflen *= 2;
+
+ newbuffer = realloc(buffer, buflen);
+ if (newbuffer == NULL) {
+ free(buffer);
+ return WBC_ERR_NO_MEMORY;
+ }
+ buffer = newbuffer;
+
+ memset(grp, 0, sizeof(struct group));
+ status = ctx->getgrnam_r(name, &lgrp, buffer, buflen, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (WBC_ERROR_IS_OK(wbc_status) == true) {
+ wbc_status = copy_grp(&lgrp, grp);
+ }
+ } while (status == NSS_STATUS_TRYAGAIN && nss_errno == ERANGE \
+ && buflen < MAX_BUFSIZE);
+
+ free(buffer);
+
+ return wbc_status;
+}
+
+/* Fill in a struct passwd* for a domain user based on uid */
+wbcErr wbcGetgrgid(gid_t gid, struct group **grp)
+{
+ struct group lgrp;
+ enum nss_status status;
+ char *newbuffer = NULL;
+ char *buffer = NULL;
+ size_t buflen = 0;
+ wbcErr wbc_status;
+ int nss_errno;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ if (grp == NULL) {
+ return WBC_ERR_INVALID_PARAM;
+ }
+
+ buflen = DEFAULT_BUFSIZE_HALF;
+ do {
+ buflen *= 2;
+
+ newbuffer = realloc(buffer, buflen);
+ if (newbuffer == NULL) {
+ free(buffer);
+ return WBC_ERR_NO_MEMORY;
+ }
+ buffer = newbuffer;
+
+ memset(grp, 0, sizeof(struct group));
+ status = ctx->getgrgid_r(gid, &lgrp, buffer, buflen, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (WBC_ERROR_IS_OK(wbc_status) == true) {
+ wbc_status = copy_grp(&lgrp, grp);
+ }
+ } while (status == NSS_STATUS_TRYAGAIN && nss_errno == ERANGE \
+ && buflen < MAX_BUFSIZE);
+
+ free(buffer);
+
+ return wbc_status;
+}
+
+/* Reset the passwd iterator */
+wbcErr wbcSetpwent(void)
+{
+ enum nss_status status;
+ wbcErr wbc_status;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ status = ctx->setpwent();
+ wbc_status = nss_to_wbc(status);
+
+ return wbc_status;
+}
+
+/* Close the passwd iterator */
+wbcErr wbcEndpwent(void)
+{
+ enum nss_status status;
+ wbcErr wbc_status;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ status = ctx->endpwent();
+ wbc_status = nss_to_wbc(status);
+
+ return wbc_status;
+}
+
+/* Return the next struct passwd* entry from the pwent iterator */
+wbcErr wbcGetpwent(struct passwd **pwd)
+{
+ struct passwd lpwd = {0};
+ enum nss_status status;
+ char *buffer = NULL;
+ size_t buflen;
+ wbcErr wbc_status;
+ int nss_errno;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ if (pwd == NULL) {
+ return WBC_ERR_INVALID_PARAM;
+ }
+
+ buflen = DEFAULT_BUFSIZE;
+ buffer = malloc(buflen);
+ if (buffer == NULL) {
+ return WBC_ERR_NO_MEMORY;
+ }
+
+ status = ctx->getpwent_r(&lpwd, buffer, buflen, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (WBC_ERROR_IS_OK(wbc_status) == true) {
+ wbc_status = copy_pwd(&lpwd, pwd);
+ }
+
+ free(buffer);
+
+ return wbc_status;
+}
+
+/* Reset the group iterator */
+wbcErr wbcSetgrent(void)
+{
+ enum nss_status status;
+ wbcErr wbc_status;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ status = ctx->setgrent();
+ wbc_status = nss_to_wbc(status);
+
+ return wbc_status;
+}
+
+/* Close the group iterator */
+wbcErr wbcEndgrent(void)
+{
+ enum nss_status status;
+ wbcErr wbc_status;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ status = ctx->endgrent();
+ wbc_status = nss_to_wbc(status);
+
+ return wbc_status;
+}
+
+/* Return the next struct group* entry from the pwent iterator */
+wbcErr wbcGetgrent(struct group **grp)
+{
+ struct group lgrp;
+ enum nss_status status;
+ char *newbuffer = NULL;
+ char *buffer = NULL;
+ size_t buflen = 0;
+ wbcErr wbc_status;
+ int nss_errno;
+
+ if (ctx == NULL && !open_libnss_sss()) {
+ return WBC_ERR_NSS_ERROR;
+ }
+
+ if (grp == NULL) {
+ return WBC_ERR_INVALID_PARAM;
+ }
+
+ buflen = DEFAULT_BUFSIZE_HALF;
+ do {
+ buflen *= 2;
+
+ newbuffer = realloc(buffer, buflen);
+ if (newbuffer == NULL) {
+ free(buffer);
+ return WBC_ERR_NO_MEMORY;
+ }
+ buffer = newbuffer;
+
+ memset(grp, 0, sizeof(struct group));
+ status = ctx->getgrent_r(&lgrp, buffer, buflen, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (WBC_ERROR_IS_OK(wbc_status) == true) {
+ wbc_status = copy_grp(&lgrp, grp);
+ }
+ } while (status == NSS_STATUS_TRYAGAIN && nss_errno == ERANGE \
+ && buflen < MAX_BUFSIZE);
+
+ free(buffer);
+
+ return wbc_status;
+}
+
+/* Return the next struct group* entry from the pwent iterator */
+wbcErr wbcGetgrlist(struct group **grp)
+{
+ /* Not used anywhere */
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+/* Return the Unix group array belonging to the given user */
+wbcErr wbcGetGroups(const char *account,
+ uint32_t *num_groups,
+ gid_t **_groups)
+{
+ wbcErr wbc_status;
+ enum nss_status status;
+ struct passwd *pwd;
+ long int gr_size = 0;
+ long int start = 0;
+ gid_t *gids = NULL;
+ int nss_errno;
+
+ wbc_status = wbcGetpwnam(account, &pwd);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ return wbc_status;
+ }
+
+ gr_size = DEFAULT_BUFSIZE;
+ gids = calloc(gr_size, sizeof(gid_t));
+ if (gids == NULL) {
+ wbc_status = WBC_ERR_NO_MEMORY;
+ goto done;
+ }
+
+ /* nss modules may skip the primary group when we pass it in so always
+ * add it in advance */
+ gids[0] = pwd->pw_gid;
+ start++;
+
+ status = ctx->initgroups_dyn(pwd->pw_name, pwd->pw_gid, &start,
+ &gr_size, &gids, -1, &nss_errno);
+ wbc_status = nss_to_wbc(status);
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ goto done;
+ }
+
+ *_groups = gids;
+ *num_groups = start;
+
+ wbc_status = WBC_ERR_SUCCESS;
+
+done:
+ wbcFreeMemory(pwd);
+
+ if (!WBC_ERROR_IS_OK(wbc_status)) {
+ free(gids);
+ }
+
+ return wbc_status;
+}
diff --git a/src/sss_client/libwbclient/wbc_sid_common.c b/src/sss_client/libwbclient/wbc_sid_common.c
new file mode 100644
index 0000000..d562d77
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_sid_common.c
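Review bot: In wbcGetgrnam, wbcGetgrgid and wbcGetgrent, `memset(grp, 0, sizeof(struct group));` writes a whole `struct group` into the caller's pointer slot, because `grp` is a `struct group **`. On common ABIs the struct is larger than a pointer, so every call overruns the caller's variable and corrupts adjacent memory. The intent was presumably to clear the local result with `memset(&lgrp, 0, sizeof(lgrp));`. `MAX_BUFSIZE` is defined as `(1024*1204)`, which looks like a typo for `(1024*1024)`, and the passwd lookups use one fixed buffer with no ERANGE retry, unlike the group lookups. `ctx` is a non-static global initialised lazily without synchronisation, so the library exports a very generic symbol name; `static struct nss_ops_ctx *ctx = NULL;` would avoid clashes with the host application.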
@@ -0,0 +1,199 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API + + Copyright (C) Gerald (Jerry) Carter 2007 + Copyright (C) Volker Lendecke 2010 + + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +/* Required Headers */ + +#include + +#include "libwbclient.h" + +#define MAX(a, b) (((a) > (b)) ? (a) : (b)) + +/* Convert a sid to a string into a buffer. Return the string + * length. If buflen is too small, return the string length that would + * result if it was long enough. */ +int wbcSidToStringBuf(const struct wbcDomainSid *sid, char *buf, int buflen) +{ + uint64_t id_auth; + int i, ofs; + + if (!sid) { + strncpy(buf, "(NULL SID)", buflen); + buf[buflen < 10 ? 
buflen :10] = '\0'; + return 10; /* strlen("(NULL SID)") */ + } + + id_auth = (uint64_t)sid->id_auth[5] + + ((uint64_t)sid->id_auth[4] << 8) + + ((uint64_t)sid->id_auth[3] << 16) + + ((uint64_t)sid->id_auth[2] << 24) + + ((uint64_t)sid->id_auth[1] << 32) + + ((uint64_t)sid->id_auth[0] << 40); + + ofs = snprintf(buf, buflen, "S-%hhu-", (unsigned char)sid->sid_rev_num); + if (id_auth >= UINT32_MAX) { + ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "0x%llx", + (unsigned long long)id_auth); + } else { + ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "%llu", + (unsigned long long)id_auth); + } + + for (i = 0; i < sid->num_auths; i++) { + ofs += snprintf(buf + ofs, MAX(buflen - ofs, 0), "-%u", + (unsigned int)sid->sub_auths[i]); + } + return ofs; +} + +/* Convert a binary SID to a character string */ +wbcErr wbcSidToString(const struct wbcDomainSid *sid, + char **sid_string) +{ + char buf[WBC_SID_STRING_BUFLEN]; + char *result; + int len; + + if (!sid) { + return WBC_ERR_INVALID_SID; + } + + len = wbcSidToStringBuf(sid, buf, sizeof(buf)); + + if (len+1 > sizeof(buf)) { + return WBC_ERR_INVALID_SID; + } + + result = (char *)wbcAllocateMemory(len+1, 1, NULL); + if (result == NULL) { + return WBC_ERR_NO_MEMORY; + } + memcpy(result, buf, len+1); + + *sid_string = result; + return WBC_ERR_SUCCESS; +} + +#define AUTHORITY_MASK (~(0xffffffffffffULL)) + +/* Convert a character string to a binary SID */ +wbcErr wbcStringToSid(const char *str, + struct wbcDomainSid *sid) +{ + const char *p; + char *q; + uint64_t x; + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + + if (!sid) { + wbc_status = WBC_ERR_INVALID_PARAM; + BAIL_ON_WBC_ERROR(wbc_status); + } + + /* Sanity check for either "S-" or "s-" */ + + if (!str + || (str[0]!='S' && str[0]!='s') + || (str[1]!='-')) + { + wbc_status = WBC_ERR_INVALID_PARAM; + BAIL_ON_WBC_ERROR(wbc_status); + } + + /* Get the SID revision number */ + + p = str+2; + x = (uint64_t)strtoul(p, &q, 10); + if (x==0 || x > UINT8_MAX || !q || *q!='-') { + 
wbc_status = WBC_ERR_INVALID_SID; + BAIL_ON_WBC_ERROR(wbc_status); + } + sid->sid_rev_num = (uint8_t)x; + + /* + * Next the Identifier Authority. This is stored big-endian in a + * 6 byte array. If the authority value is >= UINT_MAX, then it should + * be expressed as a hex value, according to MS-DTYP. + */ + p = q+1; + x = strtoull(p, &q, 0); + if (!q || *q!='-' || (x & AUTHORITY_MASK)) { + wbc_status = WBC_ERR_INVALID_SID; + BAIL_ON_WBC_ERROR(wbc_status); + } + sid->id_auth[5] = (x & 0x0000000000ffULL); + sid->id_auth[4] = (x & 0x00000000ff00ULL) >> 8; + sid->id_auth[3] = (x & 0x000000ff0000ULL) >> 16; + sid->id_auth[2] = (x & 0x0000ff000000ULL) >> 24; + sid->id_auth[1] = (x & 0x00ff00000000ULL) >> 32; + sid->id_auth[0] = (x & 0xff0000000000ULL) >> 40; + + /* now read the subauthorities */ + p = q +1; + sid->num_auths = 0; + while (sid->num_auths < WBC_MAXSUBAUTHS) { + x = strtoull(p, &q, 10); + if (p == q) + break; + if (x > UINT32_MAX) { + wbc_status = WBC_ERR_INVALID_SID; + BAIL_ON_WBC_ERROR(wbc_status); + } + sid->sub_auths[sid->num_auths++] = x; + + if (*q != '-') { + break; + } + p = q + 1; + } + + /* IF we ended early, then the SID could not be converted */ + + if (q && *q!='\0') { + wbc_status = WBC_ERR_INVALID_SID; + BAIL_ON_WBC_ERROR(wbc_status); + } + + wbc_status = WBC_ERR_SUCCESS; + +done: + return wbc_status; + +} + +const char* wbcSidTypeString(enum wbcSidType type) +{ + switch (type) { + case WBC_SID_NAME_USE_NONE: return "SID_NONE"; + case WBC_SID_NAME_USER: return "SID_USER"; + case WBC_SID_NAME_DOM_GRP: return "SID_DOM_GROUP"; + case WBC_SID_NAME_DOMAIN: return "SID_DOMAIN"; + case WBC_SID_NAME_ALIAS: return "SID_ALIAS"; + case WBC_SID_NAME_WKN_GRP: return "SID_WKN_GROUP"; + case WBC_SID_NAME_DELETED: return "SID_DELETED"; + case WBC_SID_NAME_INVALID: return "SID_INVALID"; + case WBC_SID_NAME_UNKNOWN: return "SID_UNKNOWN"; + case WBC_SID_NAME_COMPUTER: return "SID_COMPUTER"; + default: return "Unknown type"; + } +} 
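Review bot: In wbcSidToStringBuf (wbc_sid_common.c) the NULL-sid branch writes one byte past the caller's buffer whenever buflen is below 10, because `buf[buflen < 10 ? buflen :10] = '\0'` then indexes `buf[buflen]`; with a buflen of 0 it writes into a buffer that has no room at all. Replacing the strncpy pair with `if (buflen > 0) snprintf(buf, (size_t)buflen, "%s", "(NULL SID)");` keeps the terminator inside the buffer while the function still returns 10. The sub-authority loop in the same function trusts `sid->num_auths` as read; the struct is declared outside this hunk, but values above WBC_MAXSUBAUTHS presumably read past `sub_auths` and should be rejected before the loop.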
diff --git a/src/sss_client/libwbclient/wbc_sid_sssd.c b/src/sss_client/libwbclient/wbc_sid_sssd.c new file mode 100644 index 0000000..a2cd170 --- /dev/null +++ b/src/sss_client/libwbclient/wbc_sid_sssd.c 
@@ -0,0 +1,289 @@ +/* + UNIX SMB/CIFS implementation. + + Winbind client API - SSSD version + + Copyright (C) Sumit Bose 2014 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +/* Required Headers */ +#include "config.h" + +#include + +#include + +#include "sss_client/idmap/sss_nss_idmap.h" + +#include "libwbclient.h" +#include "wbc_sssd_internal.h" + +#define MAX_NAME_LEN 1024 + +static int sss_id_type_to_wbcSidType(enum sss_id_type sss_type, + enum wbcSidType *name_type) +{ + switch (sss_type) { + case SSS_ID_TYPE_NOT_SPECIFIED: + *name_type = WBC_SID_NAME_USE_NONE; + break; + case SSS_ID_TYPE_UID: + case SSS_ID_TYPE_BOTH: + *name_type = WBC_SID_NAME_USER; + break; + case SSS_ID_TYPE_GID: + *name_type = WBC_SID_NAME_DOM_GRP; + break; + default: + return EINVAL; + } + + return 0; +}; + +/* Convert a domain and name to SID */ +wbcErr wbcLookupName(const char *domain, + const char *name, + struct wbcDomainSid *sid, + enum wbcSidType *name_type) +{ + char *fq_name = NULL; + char *str_sid; + enum sss_id_type type; + int ret; + wbcErr wbc_status; + + if (domain == NULL || name == NULL + || strnlen(domain, MAX_NAME_LEN) == MAX_NAME_LEN + || strnlen(name, MAX_NAME_LEN) == MAX_NAME_LEN) { + return WBC_ERR_INVALID_PARAM; + } + ret = asprintf(&fq_name, "%s@%s", name, domain); + if (ret == -1) { + return WBC_ERR_NO_MEMORY; + } + + ret = sss_nss_getsidbyname(fq_name, &str_sid, &type); + free(fq_name); + 
if (ret != 0) { + return WBC_ERR_UNKNOWN_FAILURE; + } + + ret = sss_id_type_to_wbcSidType(type, name_type); + if (ret != 0) { + return WBC_ERR_UNKNOWN_FAILURE; + } + + wbc_status = wbcStringToSid(str_sid, sid); + free(str_sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return wbc_status; + } + + return WBC_ERR_SUCCESS; +} + + +/* Convert a SID to a domain and name */ +wbcErr wbcLookupSid(const struct wbcDomainSid *sid, + char **pdomain, + char **pname, + enum wbcSidType *pname_type) +{ + char *str_sid; + char *fq_name = NULL; + enum sss_id_type type; + int ret; + char *p; + wbcErr wbc_status; + + wbc_status = wbcSidToString(sid, &str_sid); + if (!WBC_ERROR_IS_OK(wbc_status)) { + return wbc_status; + } + + ret = sss_nss_getnamebysid(str_sid, &fq_name, &type); + wbcFreeMemory(str_sid); + if (ret != 0) { + return WBC_ERR_UNKNOWN_FAILURE; + } + + if (pname_type != NULL) { + ret = sss_id_type_to_wbcSidType(type, pname_type); + if (ret != 0) { + wbc_status = WBC_ERR_UNKNOWN_FAILURE; + goto done; + } + } + + /* TODO: it would be nice to have an sss_nss_getnamebysid() call which + * returns name and domain separately. 
*/ + p = strchr(fq_name, '@'); + if (p == NULL) { + wbc_status = WBC_ERR_UNKNOWN_FAILURE; + goto done; + } + + *p = '\0'; + if (pname != NULL) { + *pname = wbcStrDup(fq_name); + if (*pname == NULL) { + wbc_status = WBC_ERR_NO_MEMORY; + goto done; + } + } + + if (pdomain != NULL) { + *pdomain = wbcStrDup(p + 1); + if (*pdomain == NULL) { + wbcFreeMemory(*pname); + wbc_status = WBC_ERR_NO_MEMORY; + goto done; + } + } + + wbc_status = WBC_ERR_SUCCESS; +done: + free(fq_name); + return wbc_status; +} + +wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids, + struct wbcDomainInfo **pdomains, int *pnum_domains, + struct wbcTranslatedName **pnames) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Translate a collection of RIDs within a domain to names */ + +wbcErr wbcLookupRids(struct wbcDomainSid *dom_sid, + int num_rids, + uint32_t *rids, + const char **pp_domain_name, + const char ***pnames, + enum wbcSidType **ptypes) +{ + struct wbcDomainSid obj_sid = {0}; + size_t c; + wbcErr err; + char *domain; + char *name; + enum wbcSidType type; + const char **names = NULL; + enum wbcSidType *types = NULL; + + obj_sid.sid_rev_num = dom_sid->sid_rev_num; + obj_sid.num_auths = dom_sid->num_auths + 1; + for (c = 0; c < 6; c++) { + obj_sid.id_auth[c] = dom_sid->id_auth[c]; + } + for (c = 0; c < WBC_MAXSUBAUTHS; c++) { + obj_sid.sub_auths[c] = dom_sid->sub_auths[c]; + } + + names = wbcAllocateStringArray(num_rids + 1); + if (names == NULL) { + err = WBC_ERR_NO_MEMORY; + goto done; + } + + types = wbcAllocateMemory(num_rids + 1, sizeof(enum wbcSidType), NULL); + if (types == NULL) { + err = WBC_ERR_NO_MEMORY; + goto done; + } + + for (c = 0; c < num_rids; c++) { + obj_sid.sub_auths[obj_sid.num_auths - 1] = rids[c]; + + err = wbcLookupSid(&obj_sid, &domain, &name, &type); + if (err != WBC_ERR_SUCCESS) { + goto done; + } + + names[c] = strdup(name); + wbcFreeMemory(name); + if (names[c] == NULL) { + err = WBC_ERR_NO_MEMORY; + goto done; + } + types[c] = type; + + if (c == 0) { + 
*pp_domain_name = domain; + } else { + wbcFreeMemory(domain); + } + } + + *pnames = names; + *ptypes = types; + + err = WBC_ERR_SUCCESS; + +done: + if (err != WBC_ERR_SUCCESS) { + wbcFreeMemory(types); + wbcFreeMemory(names); + } + + return err; +} + +/* Get the groups a user belongs to */ +wbcErr wbcLookupUserSids(const struct wbcDomainSid *user_sid, + bool domain_groups_only, + uint32_t *num_sids, + struct wbcDomainSid **_sids) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Get alias membership for sids */ +wbcErr wbcGetSidAliases(const struct wbcDomainSid *dom_sid, + struct wbcDomainSid *sids, + uint32_t num_sids, + uint32_t **alias_rids, + uint32_t *num_alias_rids) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + + +/* Lists Users */ +wbcErr wbcListUsers(const char *domain_name, + uint32_t *_num_users, + const char ***_users) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Lists Groups */ +wbcErr wbcListGroups(const char *domain_name, + uint32_t *_num_groups, + const char ***_groups) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +wbcErr wbcGetDisplayName(const struct wbcDomainSid *sid, + char **pdomain, + char **pfullname, + enum wbcSidType *pname_type) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} diff --git a/src/sss_client/libwbclient/wbc_sssd_internal.h b/src/sss_client/libwbclient/wbc_sssd_internal.h new file mode 100644 index 0000000..e20de48 --- /dev/null +++ b/src/sss_client/libwbclient/wbc_sssd_internal.h 
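Review bot: wbcLookupRids (wbc_sid_sssd.c) sets `obj_sid.num_auths = dom_sid->num_auths + 1` and then stores every RID at `obj_sid.sub_auths[obj_sid.num_auths - 1]` without checking that the domain SID leaves a free slot, so a dom_sid that already carries WBC_MAXSUBAUTHS sub-authorities would presumably write past the array on the stack (the struct is declared outside this hunk). A guard at the top of the function such as `if (dom_sid == NULL || num_rids < 0 || dom_sid->num_auths >= WBC_MAXSUBAUTHS) return WBC_ERR_INVALID_PARAM;` closes that. In wbcLookupSid the pdomain failure path calls `wbcFreeMemory(*pname)` even when the caller passed pname as NULL; it should read `if (pname != NULL) { wbcFreeMemory(*pname); *pname = NULL; }`. wbcLookupName also returns without `free(str_sid)` when sss_id_type_to_wbcSidType fails.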
@@ -0,0 +1,41 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API - SSSD version
+
+ Copyright (C) Sumit Bose 2014
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _WBC_SSSD_INTERNAL_H
+#define _WBC_SSSD_INTERNAL_H
+
+#include
+
+#include "libwbclient.h"
+
+#if defined(DEVELOPER)
+#define WBC_SSSD_DEV_LOG syslog(LOG_DEBUG, "libwbclient_sssd: %s", __FUNCTION__);
+#else
+#define WBC_SSSD_DEV_LOG
+#endif
+
+#define WBC_SSSD_NOT_IMPLEMENTED \
+ do { \
+ WBC_SSSD_DEV_LOG; \
+ return WBC_ERR_NOT_IMPLEMENTED; \
+ } while(0)
+
+#endif /* _WBC_SSSD_INTERNAL_H */
diff --git a/src/sss_client/libwbclient/wbc_util_common.c b/src/sss_client/libwbclient/wbc_util_common.c
new file mode 100644
index 0000000..25ff1f8
--- /dev/null
+++ b/src/sss_client/libwbclient/wbc_util_common.c
@@ -0,0 +1,97 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client asynchronous API, utility functions + + Copyright (C) Gerald (Jerry) Carter 2007-2008 + + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +/* Required Headers */ + +#include "libwbclient.h" + +#include "util/util.h" + +static void wbcNamedBlobDestructor(void *ptr) +{ + struct wbcNamedBlob *b = (struct wbcNamedBlob *)ptr; + + while (b->name != NULL) { + free(discard_const_p(char, b->name)); + free(b->blob.data); + b += 1; + } +} + +/* Initialize a named blob and add to list of blobs */ +wbcErr wbcAddNamedBlob(size_t *num_blobs, + struct wbcNamedBlob **pblobs, + const char *name, + uint32_t flags, + uint8_t *data, + size_t length) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcNamedBlob *blobs, *blob; + + if (name == NULL) { + return WBC_ERR_INVALID_PARAM; + } + + /* + * Overallocate the b->name==NULL terminator for + * wbcNamedBlobDestructor + */ + blobs = (struct wbcNamedBlob *)wbcAllocateMemory( + *num_blobs + 2, sizeof(struct wbcNamedBlob), + wbcNamedBlobDestructor); + + if (blobs == NULL) { + return WBC_ERR_NO_MEMORY; + } + + if (*pblobs != NULL) { + struct wbcNamedBlob *old = *pblobs; + memcpy(blobs, old, sizeof(struct wbcNamedBlob) * (*num_blobs)); + if (*num_blobs != 0) { + /* end indicator for wbcNamedBlobDestructor */ + old[0].name = NULL; + } + wbcFreeMemory(old); + } + *pblobs = blobs; + + blob = 
&blobs[*num_blobs]; + + blob->name = strdup(name); + BAIL_ON_PTR_ERROR(blob->name, wbc_status); + blob->flags = flags; + + blob->blob.length = length; + blob->blob.data = (uint8_t *)malloc(length); + BAIL_ON_PTR_ERROR(blob->blob.data, wbc_status); + memcpy(blob->blob.data, data, length); + + *num_blobs += 1; + *pblobs = blobs; + blobs = NULL; + + wbc_status = WBC_ERR_SUCCESS; +done: + wbcFreeMemory(blobs); + return wbc_status; +} diff --git a/src/sss_client/libwbclient/wbc_util_sssd.c b/src/sss_client/libwbclient/wbc_util_sssd.c new file mode 100644 index 0000000..667b79b --- /dev/null +++ b/src/sss_client/libwbclient/wbc_util_sssd.c 
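Review bot: wbcAddNamedBlob (wbc_util_common.c) publishes the new array through the early `*pblobs = blobs;` and releases the old one before the strdup/malloc for the new entry can fail, so on either BAIL_ON_PTR_ERROR path (which presumably jumps to `done:`) the `wbcFreeMemory(blobs)` call leaves the caller holding a pointer to freed memory while `*num_blobs` still counts the old entries. By then the destructor has released every copied name and data buffer, so the earlier blobs cannot be handed back. The failure path should at least clear the caller's view before freeing, e.g. `if (blobs != NULL) { *pblobs = NULL; *num_blobs = 0; }` placed directly after the `done:` label. A more thorough fix would fill in the new entry before touching the old array, so that a failed call leaves the caller's list unchanged.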
@@ -0,0 +1,160 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API - SSSD version + + Copyright (C) Sumit Bose 2014 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ +/* Required Headers */ + +#include "libwbclient.h" +#include "wbc_sssd_internal.h" + +#define WINBIND_INTERFACE_VERSION 27 + +/** @brief Ping winbindd to see if the daemon is running + * + * @return #wbcErr + **/ +wbcErr wbcPing(void) +{ + /* TODO: add real check */ + return WBC_ERR_SUCCESS; +} + +static void wbcInterfaceDetailsDestructor(void *ptr) +{ + struct wbcInterfaceDetails *i = (struct wbcInterfaceDetails *)ptr; + free(i->winbind_version); + free(i->netbios_name); + free(i->netbios_domain); + free(i->dns_domain); +} + +/** + * @brief Query useful information about the winbind service + * + * @param *_details pointer to hold the struct wbcInterfaceDetails + * + * @return #wbcErr + */ + +wbcErr wbcInterfaceDetails(struct wbcInterfaceDetails **_details) +{ + wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE; + struct wbcInterfaceDetails *info; + info = (struct wbcInterfaceDetails *)wbcAllocateMemory( + 1, sizeof(struct wbcInterfaceDetails), + wbcInterfaceDetailsDestructor); + if (info == NULL) { + return WBC_ERR_NO_MEMORY; + } + + /* TODO: currently this call just returns a suitable winbind_separator + * for wbinfo. 
*/ + + info->interface_version = WINBIND_INTERFACE_VERSION; + info->winbind_version = strdup("libwbclient for SSSD"); + if (info->winbind_version == NULL) { + wbc_status = WBC_ERR_NO_MEMORY; + goto done; + } + + info->winbind_separator = '\\'; + + info->netbios_name = strdup("-not available-"); + if (info->netbios_name == NULL) { + wbc_status = WBC_ERR_NO_MEMORY; + goto done; + } + + info->netbios_domain = strdup("-not available-"); + if (info->netbios_domain == NULL) { + wbc_status = WBC_ERR_NO_MEMORY; + goto done; + } + + info->dns_domain = strdup("-not available-"); + if (info->dns_domain == NULL) { + wbc_status = WBC_ERR_NO_MEMORY; + goto done; + } + + *_details = info; + info = NULL; + wbc_status = WBC_ERR_SUCCESS; +done: + wbcFreeMemory(info); + return wbc_status; +} + +/** @brief Lookup the current status of a trusted domain, sync wrapper + * + * @param domain Domain to query + * @param *dinfo Pointer to returned struct wbcDomainInfo + * + * @return #wbcErr + */ + +wbcErr wbcDomainInfo(const char *domain, struct wbcDomainInfo **dinfo) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Get the list of current DCs */ +wbcErr wbcDcInfo(const char *domain, size_t *num_dcs, + const char ***dc_names, const char ***dc_ips) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Resolve a NetbiosName via WINS */ +wbcErr wbcResolveWinsByName(const char *name, char **ip) +{ + /* SSSD does not support WINS */ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Resolve an IP address via WINS into a NetbiosName */ +wbcErr wbcResolveWinsByIP(const char *ip, char **name) +{ + /* SSSD does not support WINS */ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Enumerate the domain trusts known by Winbind */ +wbcErr wbcListTrusts(struct wbcDomainInfo **domains, size_t *num_domains) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Enumerate the domain trusts known by Winbind */ +wbcErr wbcLookupDomainController(const char *domain, + uint32_t flags, + struct wbcDomainControllerInfo **dc_info) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} + +/* Get 
extended domain controller information */ +wbcErr wbcLookupDomainControllerEx(const char *domain, + struct wbcGuid *guid, + const char *site, + uint32_t flags, + struct wbcDomainControllerInfoEx **dc_info) +{ + WBC_SSSD_NOT_IMPLEMENTED; +} diff --git a/src/sss_client/libwbclient/wbclient.exports b/src/sss_client/libwbclient/wbclient.exports new file mode 100644 index 0000000..7abbaba --- /dev/null +++ b/src/sss_client/libwbclient/wbclient.exports 
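Review bot: wbcPing (wbc_util_sssd.c) returns WBC_ERR_SUCCESS without contacting anything, which its doc comment ("Ping winbindd to see if the daemon is running") does not say, so a caller using it as a liveness check will always see a healthy service. Until the TODO is resolved the comment should state this, e.g. `/* NOTE: always reports success; SSSD availability is not checked yet */`. The comment above wbcLookupDomainController repeats the wbcListTrusts text ("Enumerate the domain trusts known by Winbind") and should describe the domain-controller lookup instead.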
@@ -0,0 +1,155 @@
+WBCLIENT_0.9 {
+ global:
+ wbcGetpwuid;
+ wbcLogoffUser;
+ wbcSidToStringBuf;
+ wbcLogonUser;
+ wbcGetgrgid;
+ wbcSetGidMapping;
+ wbcQueryGidToSid;
+ wbcListTrusts;
+ wbcGetGroups;
+ wbcDomainInfo;
+ wbcSidToGid;
+ wbcLookupRids;
+ wbcCredentialCache;
+ wbcDcInfo;
+ wbcAuthenticateUserEx;
+ wbcGetpwent;
+ wbcGetSidAliases;
+ wbcGetDisplayName;
+ wbcAllocateUid;
+ wbcSidToUid;
+ wbcChangeTrustCredentials;
+ wbcGetpwsid;
+ wbcPingDc;
+ wbcAllocateStringArray;
+ wbcErrorString;
+ wbcStringToGuid;
+ wbcStrDup;
+ wbcGetgrnam;
+ wbcGetgrlist;
+ wbcListUsers;
+ wbcRemoveUidMapping;
+ wbcLookupDomainController;
+ wbcRemoveGidMapping;
+ wbcSidTypeString;
+ wbcAllocateMemory;
+ wbcInterfaceDetails;
+ wbcCheckTrustCredentials;
+ wbcListGroups;
+ wbcLookupUserSids;
+ wbcResolveWinsByName;
+ wbcSetpwent;
+ wbcSetUidHwm;
+ wbcSidsToUnixIds;
+ wbcQuerySidToGid;
+ wbcChangeUserPasswordEx;
+ wbcPing;
+ wbcQueryUidToSid;
+ wbcEndpwent;
+ wbcLibraryDetails;
+ wbcSetgrent;
+ wbcLookupName;
+ wbcChangeUserPassword;
+ wbcSetGidHwm;
+ wbcAddNamedBlob;
+ wbcGuidToString;
+ wbcLookupSids;
+ wbcRequestResponsePriv;
+ wbcAllocateGid;
+ wbcFreeMemory;
+ wbcResolveWinsByIP;
+ wbcRequestResponse;
+ wbcStringToSid;
+ wbcLookupSid;
+ wbcCredentialSave;
+ wbcGidToSid;
+ wbcQuerySidToUid;
+ wbcEndgrent;
+ wbcGetgrent;
+ wbcAuthenticateUser;
+ wbcGetpwnam;
+ wbcLookupDomainControllerEx;
+ wbcLogoffUserEx;
+ wbcSetUidMapping;
+ wbcSidToString;
+ wbcUidToSid;
+};
+
+WBCLIENT_0.10 {
+ global:
+ wbcPingDc2;
+} WBCLIENT_0.9;
+
+WBCLIENT_0.11 {
+ local:
+ *;
+} WBCLIENT_0.10;
+
+WBCLIENT_0.12 {
+ global:
+ wbcCtxCreate;
+ wbcCtxFree;
+ wbcGetGlobalCtx;
+ wbcCtxPing;
+ wbcCtxInterfaceDetails;
+ wbcCtxLookupName;
+ wbcCtxLookupSid;
+ wbcCtxLookupSids;
+ wbcCtxLookupRids;
+ wbcCtxLookupUserSids;
+ wbcCtxGetSidAliases;
+ wbcCtxListUsers;
+ wbcCtxListGroups;
+ wbcCtxGetDisplayName;
+ wbcCtxSidToUid;
+ wbcCtxUidToSid;
+ wbcCtxSidToGid;
+ wbcCtxGidToSid;
+ wbcCtxSidsToUnixIds;
+ wbcCtxAllocateUid;
+ wbcCtxAllocateGid;
+ wbcCtxGetpwnam;
+ wbcCtxGetpwuid;
+ wbcCtxGetpwsid;
+ wbcCtxGetgrnam;
+ wbcCtxGetgrgid;
+ wbcCtxSetpwent;
+ wbcCtxEndpwent;
+ wbcCtxGetpwent;
+ wbcCtxSetgrent;
+ wbcCtxEndgrent;
+ wbcCtxGetgrent;
+ wbcCtxGetgrlist;
+ wbcCtxGetGroups;
+ wbcCtxDomainInfo;
+ wbcCtxDcInfo;
+ wbcCtxListTrusts;
+ wbcCtxLookupDomainController;
+ wbcCtxLookupDomainControllerEx;
+ wbcCtxAuthenticateUser;
+ wbcCtxAuthenticateUserEx;
+ wbcCtxLogonUser;
+ wbcCtxLogoffUser;
+ wbcCtxLogoffUserEx;
+ wbcCtxChangeUserPassword;
+ wbcCtxChangeUserPasswordEx;
+ wbcCtxCredentialCache;
+ wbcCtxCredentialSave;
+ wbcCtxResolveWinsByName;
+ wbcCtxResolveWinsByIP;
+ wbcCtxCheckTrustCredentials;
+ wbcCtxChangeTrustCredentials;
+ wbcCtxPingDc;
+ wbcCtxPingDc2;
+} WBCLIENT_0.11;
+
+WBCLIENT_0.13 {
+ global:
+ wbcUnixIdsToSids;
+ wbcCtxUnixIdsToSids;
+} WBCLIENT_0.12;
+
+WBCLIENT_0.14 {
+} WBCLIENT_0.13;
diff --git a/src/sss_client/libwbclient/wbclient_common.c b/src/sss_client/libwbclient/wbclient_common.c
new file mode 100644
index 0000000..4189a34
--- /dev/null
+++ b/src/sss_client/libwbclient/wbclient_common.c
@@ -0,0 +1,178 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API + + Copyright (C) Gerald (Jerry) Carter 2007 + + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +/* Required Headers */ + +#include "libwbclient.h" + +/** @brief Translate an error value into a string + * + * @param error + * + * @return a pointer to a static string + **/ +const char *wbcErrorString(wbcErr error) +{ + switch (error) { + case WBC_ERR_SUCCESS: + return "WBC_ERR_SUCCESS"; + case WBC_ERR_NOT_IMPLEMENTED: + return "WBC_ERR_NOT_IMPLEMENTED"; + case WBC_ERR_UNKNOWN_FAILURE: + return "WBC_ERR_UNKNOWN_FAILURE"; + case WBC_ERR_NO_MEMORY: + return "WBC_ERR_NO_MEMORY"; + case WBC_ERR_INVALID_SID: + return "WBC_ERR_INVALID_SID"; + case WBC_ERR_INVALID_PARAM: + return "WBC_ERR_INVALID_PARAM"; + case WBC_ERR_WINBIND_NOT_AVAILABLE: + return "WBC_ERR_WINBIND_NOT_AVAILABLE"; + case WBC_ERR_DOMAIN_NOT_FOUND: + return "WBC_ERR_DOMAIN_NOT_FOUND"; + case WBC_ERR_INVALID_RESPONSE: + return "WBC_ERR_INVALID_RESPONSE"; + case WBC_ERR_NSS_ERROR: + return "WBC_ERR_NSS_ERROR"; + case WBC_ERR_UNKNOWN_USER: + return "WBC_ERR_UNKNOWN_USER"; + case WBC_ERR_UNKNOWN_GROUP: + return "WBC_ERR_UNKNOWN_GROUP"; + case WBC_ERR_AUTH_ERROR: + return "WBC_ERR_AUTH_ERROR"; + case WBC_ERR_PWD_CHANGE_FAILED: + return "WBC_ERR_PWD_CHANGE_FAILED"; + } + + return "unknown wbcErr value"; +} + +#define WBC_MAGIC (0x7a2b0e1e) +#define WBC_MAGIC_FREE 
(0x875634fe) + +struct wbcMemPrefix { + uint32_t magic; + void (*destructor)(void *ptr); +}; + +static size_t wbcPrefixLen(void) +{ + size_t result = sizeof(struct wbcMemPrefix); + return (result + 15) & ~15; +} + +static struct wbcMemPrefix *wbcMemToPrefix(void *ptr) +{ + return (struct wbcMemPrefix *)((void *)(((char *)ptr) - wbcPrefixLen())); +} + +void *wbcAllocateMemory(size_t nelem, size_t elsize, + void (*destructor)(void *ptr)) +{ + struct wbcMemPrefix *result; + + if (nelem >= (2<<24)/elsize) { + /* basic protection against integer wrap */ + return NULL; + } + + result = (struct wbcMemPrefix *)calloc( + 1, nelem*elsize + wbcPrefixLen()); + if (result == NULL) { + return NULL; + } + result->magic = WBC_MAGIC; + result->destructor = destructor; + return ((char *)result) + wbcPrefixLen(); +} + +/* Free library allocated memory */ +void wbcFreeMemory(void *p) +{ + struct wbcMemPrefix *wbcMem; + + if (p == NULL) { + return; + } + wbcMem = wbcMemToPrefix(p); + if (wbcMem->magic != WBC_MAGIC) { + return; + } + + /* paranoid check to ensure we don't double free */ + wbcMem->magic = WBC_MAGIC_FREE; + + if (wbcMem->destructor != NULL) { + wbcMem->destructor(p); + } + free(wbcMem); + return; +} + +char *wbcStrDup(const char *str) +{ + char *result; + size_t len; + + len = strlen(str); + result = (char *)wbcAllocateMemory(len+1, sizeof(char), NULL); + if (result == NULL) { + return NULL; + } + memcpy(result, str, len+1); + return result; +} + +static void wbcStringArrayDestructor(void *ptr) +{ + char **p = (char **)ptr; + while (*p != NULL) { + free(*p); + p += 1; + } +} + +const char **wbcAllocateStringArray(int num_strings) +{ + return (const char **)wbcAllocateMemory( + num_strings + 1, sizeof(const char *), + wbcStringArrayDestructor); +} + +wbcErr wbcLibraryDetails(struct wbcLibraryDetails **_details) +{ + struct wbcLibraryDetails *info; + + info = (struct wbcLibraryDetails *)wbcAllocateMemory( + 1, sizeof(struct wbcLibraryDetails), NULL); + + if (info == NULL) { 
+ return WBC_ERR_NO_MEMORY; + } + + info->major_version = WBCLIENT_MAJOR_VERSION; + info->minor_version = WBCLIENT_MINOR_VERSION; + info->vendor_version = WBCLIENT_VENDOR_VERSION; + + *_details = info; + return WBC_ERR_SUCCESS; +} diff --git a/src/sss_client/libwbclient/wbclient_internal.h b/src/sss_client/libwbclient/wbclient_internal.h new file mode 100644 index 0000000..20e2c63 --- /dev/null +++ b/src/sss_client/libwbclient/wbclient_internal.h @@ -0,0 +1,44 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API + + Copyright (C) Gerald (Jerry) Carter 2007 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifndef _WBCLIENT_INTERNAL_H +#define _WBCLIENT_INTERNAL_H + +/* Private functions */ + +struct winbindd_request; +struct winbindd_response; + +wbcErr wbcRequestResponse(int cmd, + struct winbindd_request *request, + struct winbindd_response *response); + +wbcErr wbcRequestResponsePriv(int cmd, + struct winbindd_request *request, + struct winbindd_response *response); + +void *wbcAllocateMemory(size_t nelem, size_t elsize, + void (*destructor)(void *ptr)); + +char *wbcStrDup(const char *str); +const char **wbcAllocateStringArray(int num_strings); + +#endif /* _WBCLIENT_INTERNAL_H */ diff --git a/src/sss_client/libwbclient/wbclient_sssd.c b/src/sss_client/libwbclient/wbclient_sssd.c new file mode 100644 index 0000000..28cc985 --- /dev/null 
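Review bot: wbcAllocateMemory (wbclient_common.c) divides by the caller-supplied element size in `if (nelem >= (2<<24)/elsize)`, so an elsize of 0 is a division by zero before the wrap check can reject anything. The guard should read `if (elsize == 0 || nelem >= (2<<24)/elsize) {`. In the same file wbcStrDup passes `str` straight to strlen, so a NULL argument crashes; an early `if (str == NULL) return NULL;` would match the way wbcFreeMemory already tolerates NULL. wbcLibraryDetails likewise stores through `_details` without checking it.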
+++ b/src/sss_client/libwbclient/wbclient_sssd.c
@@ -0,0 +1,40 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Winbind client API - SSSD version
+
+ Copyright (C) Sumit Bose 2014
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later version.
+
+ This library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Library General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+/* Required Headers */
+
+#include "libwbclient.h"
+#include "wbc_sssd_internal.h"
+
+wbcErr wbcRequestResponse(int cmd,
+ struct winbindd_request *request,
+ struct winbindd_response *response)
+{
+ /* Helper to make API check happy */
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
+
+wbcErr wbcRequestResponsePriv(int cmd,
+ struct winbindd_request *request,
+ struct winbindd_response *response)
+{
+ /* Helper to make API check happy */
+ WBC_SSSD_NOT_IMPLEMENTED;
+}
diff --git a/src/sss_client/libwbclient/wbclient_sssd.h b/src/sss_client/libwbclient/wbclient_sssd.h
new file mode 100644
index 0000000..f2fe8fe
--- /dev/null
+++ b/src/sss_client/libwbclient/wbclient_sssd.h
@@ -0,0 +1,2069 @@ +/* + Unix SMB/CIFS implementation. + + Winbind client API + + Copyright (C) Gerald (Jerry) Carter 2007 + Copyright (C) Volker Lendecke 2009 + Copyright (C) Matthew Newton 2015 + + This library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 3 of the License, or (at your option) any later version. + + This library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Library General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifndef _WBCLIENT_H +#define _WBCLIENT_H + +#include +#include + +/* Define error types */ + +/** + * @brief Status codes returned from wbc functions + **/ + +enum _wbcErrType { + WBC_ERR_SUCCESS = 0, /**< Successful completion **/ + WBC_ERR_NOT_IMPLEMENTED, /**< Function not implemented **/ + WBC_ERR_UNKNOWN_FAILURE, /**< General failure **/ + WBC_ERR_NO_MEMORY, /**< Memory allocation error **/ + WBC_ERR_INVALID_SID, /**< Invalid SID format **/ + WBC_ERR_INVALID_PARAM, /**< An Invalid parameter was supplied **/ + WBC_ERR_WINBIND_NOT_AVAILABLE, /**< Winbind daemon is not available **/ + WBC_ERR_DOMAIN_NOT_FOUND, /**< Domain is not trusted or cannot be found **/ + WBC_ERR_INVALID_RESPONSE, /**< Winbind returned an invalid response **/ + WBC_ERR_NSS_ERROR, /**< NSS_STATUS error **/ + WBC_ERR_AUTH_ERROR, /**< Authentication failed **/ + WBC_ERR_UNKNOWN_USER, /**< User account cannot be found */ + WBC_ERR_UNKNOWN_GROUP, /**< Group account cannot be found */ + WBC_ERR_PWD_CHANGE_FAILED /**< Password Change has failed */ +}; + +typedef enum _wbcErrType wbcErr; + +#define WBC_ERROR_IS_OK(x) ((x) == WBC_ERR_SUCCESS) + +const char *wbcErrorString(wbcErr error); 
+ +/** + * @brief Some useful details about the wbclient library + * + * 0.1: Initial version + * 0.2: Added wbcRemoveUidMapping() + * Added wbcRemoveGidMapping() + * 0.3: Added wbcGetpwsid() + * Added wbcGetSidAliases() + * 0.4: Added wbcSidTypeString() + * 0.5: Added wbcChangeTrustCredentials() + * 0.6: Made struct wbcInterfaceDetails char* members non-const + * 0.7: Added wbcSidToStringBuf() + * 0.8: Added wbcSidsToUnixIds() and wbcLookupSids() + * 0.9: Added support for WBC_ID_TYPE_BOTH + * 0.10: Added wbcPingDc2() + * 0.11: Extended wbcAuthenticateUserEx to provide PAC parsing + * 0.12: Added wbcCtxCreate and friends + * 0.13: Added wbcCtxUnixIdsToSids and wbcUnixIdsToSids + * 0.14: Added "authoritative" to wbcAuthErrorInfo + * Added WBC_SID_NAME_LABEL + **/ +#define WBCLIENT_MAJOR_VERSION 0 +#define WBCLIENT_MINOR_VERSION 14 +#define WBCLIENT_VENDOR_VERSION "Samba libwbclient" +struct wbcLibraryDetails { + uint16_t major_version; + uint16_t minor_version; + const char *vendor_version; +}; + +/** + * @brief Some useful details about the running winbindd + * + **/ +struct wbcInterfaceDetails { + uint32_t interface_version; + char *winbind_version; + char winbind_separator; + char *netbios_name; + char *netbios_domain; + char *dns_domain; +}; + +/** + * @brief Library context data + * + **/ + +struct wbcContext; + +/* + * Data types used by the Winbind Client API + */ + +#ifndef WBC_MAXSUBAUTHS +#define WBC_MAXSUBAUTHS 15 /* max sub authorities in a SID */ +#endif + +/** + * @brief Windows Security Identifier + * + **/ + +struct wbcDomainSid { + uint8_t sid_rev_num; + uint8_t num_auths; + uint8_t id_auth[6]; + uint32_t sub_auths[WBC_MAXSUBAUTHS]; +}; + +/** + * @brief Security Identifier type + **/ + +enum wbcSidType { + WBC_SID_NAME_USE_NONE=0, + WBC_SID_NAME_USER=1, + WBC_SID_NAME_DOM_GRP=2, + WBC_SID_NAME_DOMAIN=3, + WBC_SID_NAME_ALIAS=4, + WBC_SID_NAME_WKN_GRP=5, + WBC_SID_NAME_DELETED=6, + WBC_SID_NAME_INVALID=7, + WBC_SID_NAME_UNKNOWN=8, + 
WBC_SID_NAME_COMPUTER=9, + WBC_SID_NAME_LABEL=10 +}; + +/** + * @brief Security Identifier with attributes + **/ + +struct wbcSidWithAttr { + struct wbcDomainSid sid; + uint32_t attributes; +}; + +/* wbcSidWithAttr->attributes */ + +#define WBC_SID_ATTR_GROUP_MANDATORY 0x00000001 +#define WBC_SID_ATTR_GROUP_ENABLED_BY_DEFAULT 0x00000002 +#define WBC_SID_ATTR_GROUP_ENABLED 0x00000004 +#define WBC_SID_ATTR_GROUP_OWNER 0x00000008 +#define WBC_SID_ATTR_GROUP_USEFOR_DENY_ONLY 0x00000010 +#define WBC_SID_ATTR_GROUP_RESOURCE 0x20000000 +#define WBC_SID_ATTR_GROUP_LOGON_ID 0xC0000000 + +/** + * @brief Windows GUID + * + **/ + +struct wbcGuid { + uint32_t time_low; + uint16_t time_mid; + uint16_t time_hi_and_version; + uint8_t clock_seq[2]; + uint8_t node[6]; +}; + +/** + * @brief Domain Information + **/ + +struct wbcDomainInfo { + char *short_name; + char *dns_name; + struct wbcDomainSid sid; + uint32_t domain_flags; + uint32_t trust_flags; + uint32_t trust_type; +}; + +/* wbcDomainInfo->domain_flags */ + +#define WBC_DOMINFO_DOMAIN_UNKNOWN 0x00000000 +#define WBC_DOMINFO_DOMAIN_NATIVE 0x00000001 +#define WBC_DOMINFO_DOMAIN_AD 0x00000002 +#define WBC_DOMINFO_DOMAIN_PRIMARY 0x00000004 +#define WBC_DOMINFO_DOMAIN_OFFLINE 0x00000008 + +/* wbcDomainInfo->trust_flags */ + +#define WBC_DOMINFO_TRUST_TRANSITIVE 0x00000001 +#define WBC_DOMINFO_TRUST_INCOMING 0x00000002 +#define WBC_DOMINFO_TRUST_OUTGOING 0x00000004 + +/* wbcDomainInfo->trust_type */ + +#define WBC_DOMINFO_TRUSTTYPE_NONE 0x00000000 +#define WBC_DOMINFO_TRUSTTYPE_FOREST 0x00000001 +#define WBC_DOMINFO_TRUSTTYPE_IN_FOREST 0x00000002 +#define WBC_DOMINFO_TRUSTTYPE_EXTERNAL 0x00000003 + +/** + * @brief Generic Blob + **/ + +struct wbcBlob { + uint8_t *data; + size_t length; +}; + +/** + * @brief Named Blob + **/ + +struct wbcNamedBlob { + const char *name; + uint32_t flags; + struct wbcBlob blob; +}; + +/** + * @brief Auth User Parameters + **/ + +struct wbcAuthUserParams { + const char *account_name; + const char 
*domain_name; + const char *workstation_name; + + uint32_t flags; + + uint32_t parameter_control; + + enum wbcAuthUserLevel { + WBC_AUTH_USER_LEVEL_PLAIN = 1, + WBC_AUTH_USER_LEVEL_HASH = 2, + WBC_AUTH_USER_LEVEL_RESPONSE = 3, + WBC_AUTH_USER_LEVEL_PAC = 4 + } level; + union { + const char *plaintext; + struct { + uint8_t nt_hash[16]; + uint8_t lm_hash[16]; + } hash; + struct { + uint8_t challenge[8]; + uint32_t nt_length; + uint8_t *nt_data; + uint32_t lm_length; + uint8_t *lm_data; + } response; + struct wbcBlob pac; + } password; +}; + +/** + * @brief Logon User Parameters + **/ + +struct wbcLogonUserParams { + const char *username; + const char *password; + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + +/** + * @brief ChangePassword Parameters + **/ + +struct wbcChangePasswordParams { + const char *account_name; + const char *domain_name; + + uint32_t flags; + + enum wbcChangePasswordLevel { + WBC_CHANGE_PASSWORD_LEVEL_PLAIN = 1, + WBC_CHANGE_PASSWORD_LEVEL_RESPONSE = 2 + } level; + + union { + const char *plaintext; + struct { + uint32_t old_nt_hash_enc_length; + uint8_t *old_nt_hash_enc_data; + uint32_t old_lm_hash_enc_length; + uint8_t *old_lm_hash_enc_data; + } response; + } old_password; + union { + const char *plaintext; + struct { + uint32_t nt_length; + uint8_t *nt_data; + uint32_t lm_length; + uint8_t *lm_data; + } response; + } new_password; +}; + +/* wbcAuthUserParams->parameter_control */ + +#define WBC_MSV1_0_CLEARTEXT_PASSWORD_ALLOWED 0x00000002 +#define WBC_MSV1_0_UPDATE_LOGON_STATISTICS 0x00000004 +#define WBC_MSV1_0_RETURN_USER_PARAMETERS 0x00000008 +#define WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0x00000020 +#define WBC_MSV1_0_RETURN_PROFILE_PATH 0x00000200 +#define WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800 +#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000 + +/* wbcAuthUserParams->flags */ + +#define WBC_AUTH_PARAM_FLAGS_INTERACTIVE_LOGON 0x00000001 + +/** + * @brief Auth User Information + * + * Some of the strings are maybe 
NULL + **/ + +struct wbcAuthUserInfo { + uint32_t user_flags; + + char *account_name; + char *user_principal; + char *full_name; + char *domain_name; + char *dns_domain_name; + + uint32_t acct_flags; + uint8_t user_session_key[16]; + uint8_t lm_session_key[8]; + + uint16_t logon_count; + uint16_t bad_password_count; + + uint64_t logon_time; + uint64_t logoff_time; + uint64_t kickoff_time; + uint64_t pass_last_set_time; + uint64_t pass_can_change_time; + uint64_t pass_must_change_time; + + char *logon_server; + char *logon_script; + char *profile_path; + char *home_directory; + char *home_drive; + + /* + * the 1st one is the account sid + * the 2nd one is the primary_group sid + * followed by the rest of the groups + */ + uint32_t num_sids; + struct wbcSidWithAttr *sids; +}; + +/** + * @brief Logon User Information + * + * Some of the strings are maybe NULL + **/ + +struct wbcLogonUserInfo { + struct wbcAuthUserInfo *info; + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + +/* wbcAuthUserInfo->user_flags */ + +#define WBC_AUTH_USER_INFO_GUEST 0x00000001 +#define WBC_AUTH_USER_INFO_NOENCRYPTION 0x00000002 +#define WBC_AUTH_USER_INFO_CACHED_ACCOUNT 0x00000004 +#define WBC_AUTH_USER_INFO_USED_LM_PASSWORD 0x00000008 +#define WBC_AUTH_USER_INFO_EXTRA_SIDS 0x00000020 +#define WBC_AUTH_USER_INFO_SUBAUTH_SESSION_KEY 0x00000040 +#define WBC_AUTH_USER_INFO_SERVER_TRUST_ACCOUNT 0x00000080 +#define WBC_AUTH_USER_INFO_NTLMV2_ENABLED 0x00000100 +#define WBC_AUTH_USER_INFO_RESOURCE_GROUPS 0x00000200 +#define WBC_AUTH_USER_INFO_PROFILE_PATH_RETURNED 0x00000400 +#define WBC_AUTH_USER_INFO_GRACE_LOGON 0x01000000 + +/* wbcAuthUserInfo->acct_flags */ + +#define WBC_ACB_DISABLED 0x00000001 /* 1 User account disabled */ +#define WBC_ACB_HOMDIRREQ 0x00000002 /* 1 Home directory required */ +#define WBC_ACB_PWNOTREQ 0x00000004 /* 1 User password not required */ +#define WBC_ACB_TEMPDUP 0x00000008 /* 1 Temporary duplicate account */ +#define WBC_ACB_NORMAL 0x00000010 /* 1 Normal user 
account */ +#define WBC_ACB_MNS 0x00000020 /* 1 MNS logon user account */ +#define WBC_ACB_DOMTRUST 0x00000040 /* 1 Interdomain trust account */ +#define WBC_ACB_WSTRUST 0x00000080 /* 1 Workstation trust account */ +#define WBC_ACB_SVRTRUST 0x00000100 /* 1 Server trust account */ +#define WBC_ACB_PWNOEXP 0x00000200 /* 1 User password does not expire */ +#define WBC_ACB_AUTOLOCK 0x00000400 /* 1 Account auto locked */ +#define WBC_ACB_ENC_TXT_PWD_ALLOWED 0x00000800 /* 1 Encryped text password is allowed */ +#define WBC_ACB_SMARTCARD_REQUIRED 0x00001000 /* 1 Smart Card required */ +#define WBC_ACB_TRUSTED_FOR_DELEGATION 0x00002000 /* 1 Trusted for Delegation */ +#define WBC_ACB_NOT_DELEGATED 0x00004000 /* 1 Not delegated */ +#define WBC_ACB_USE_DES_KEY_ONLY 0x00008000 /* 1 Use DES key only */ +#define WBC_ACB_DONT_REQUIRE_PREAUTH 0x00010000 /* 1 Preauth not required */ +#define WBC_ACB_PW_EXPIRED 0x00020000 /* 1 Password Expired */ +#define WBC_ACB_NO_AUTH_DATA_REQD 0x00080000 /* 1 = No authorization data required */ + +struct wbcAuthErrorInfo { + uint32_t nt_status; + char *nt_string; + int32_t pam_error; + char *display_string; + uint8_t authoritative; +}; + +/** + * @brief User Password Policy Information + **/ + +/* wbcUserPasswordPolicyInfo->password_properties */ + +#define WBC_DOMAIN_PASSWORD_COMPLEX 0x00000001 +#define WBC_DOMAIN_PASSWORD_NO_ANON_CHANGE 0x00000002 +#define WBC_DOMAIN_PASSWORD_NO_CLEAR_CHANGE 0x00000004 +#define WBC_DOMAIN_PASSWORD_LOCKOUT_ADMINS 0x00000008 +#define WBC_DOMAIN_PASSWORD_STORE_CLEARTEXT 0x00000010 +#define WBC_DOMAIN_REFUSE_PASSWORD_CHANGE 0x00000020 + +struct wbcUserPasswordPolicyInfo { + uint32_t min_length_password; + uint32_t password_history; + uint32_t password_properties; + uint64_t expire; + uint64_t min_passwordage; +}; + +/** + * @brief Change Password Reject Reason + **/ + +enum wbcPasswordChangeRejectReason { + WBC_PWD_CHANGE_NO_ERROR=0, + WBC_PWD_CHANGE_PASSWORD_TOO_SHORT=1, + WBC_PWD_CHANGE_PWD_IN_HISTORY=2, + 
WBC_PWD_CHANGE_USERNAME_IN_PASSWORD=3, + WBC_PWD_CHANGE_FULLNAME_IN_PASSWORD=4, + WBC_PWD_CHANGE_NOT_COMPLEX=5, + WBC_PWD_CHANGE_MACHINE_NOT_DEFAULT=6, + WBC_PWD_CHANGE_FAILED_BY_FILTER=7, + WBC_PWD_CHANGE_PASSWORD_TOO_LONG=8 +}; + +/* Note: this defines exist for compatibility reasons with existing code */ +#define WBC_PWD_CHANGE_REJECT_OTHER WBC_PWD_CHANGE_NO_ERROR +#define WBC_PWD_CHANGE_REJECT_TOO_SHORT WBC_PWD_CHANGE_PASSWORD_TOO_SHORT +#define WBC_PWD_CHANGE_REJECT_IN_HISTORY WBC_PWD_CHANGE_PWD_IN_HISTORY +#define WBC_PWD_CHANGE_REJECT_COMPLEXITY WBC_PWD_CHANGE_NOT_COMPLEX + +/** + * @brief Logoff User Parameters + **/ + +struct wbcLogoffUserParams { + const char *username; + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + +/** @brief Credential cache log-on parameters + * + */ + +struct wbcCredentialCacheParams { + const char *account_name; + const char *domain_name; + enum wbcCredentialCacheLevel { + WBC_CREDENTIAL_CACHE_LEVEL_NTLMSSP = 1 + } level; + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + + +/** @brief Info returned by credential cache auth + * + */ + +struct wbcCredentialCacheInfo { + size_t num_blobs; + struct wbcNamedBlob *blobs; +}; + +/* + * DomainControllerInfo struct + */ +struct wbcDomainControllerInfo { + char *dc_name; +}; + +/* + * DomainControllerInfoEx struct + */ +struct wbcDomainControllerInfoEx { + const char *dc_unc; + const char *dc_address; + uint16_t dc_address_type; + struct wbcGuid *domain_guid; + const char *domain_name; + const char *forest_name; + uint32_t dc_flags; + const char *dc_site_name; + const char *client_site_name; +}; + +/********************************************************** + * Memory Management + **********************************************************/ + +/** + * @brief Free library allocated memory + * + * @param * Pointer to free + * + * @return void + **/ +void wbcFreeMemory(void*); + + +/********************************************************** + * Context Management + 
**********************************************************/ + +/** + * @brief Create a new wbcContext context + * + * @return wbcContext + **/ +struct wbcContext *wbcCtxCreate(void); + +/** + * @brief Free a library context + * + * @param ctx wbcContext to free + * + * @return void + **/ +void wbcCtxFree(struct wbcContext *ctx); + + + +/* + * Utility functions for dealing with SIDs + */ + +/** + * @brief Get a string representation of the SID type + * + * @param type type of the SID + * + * @return string representation of the SID type + */ +const char* wbcSidTypeString(enum wbcSidType type); + +#define WBC_SID_STRING_BUFLEN (15*11+25) + +/* + * @brief Print a sid into a buffer + * + * @param sid Binary Security Identifier + * @param buf Target buffer + * @param buflen Target buffer length + * + * @return Resulting string length. + */ +int wbcSidToStringBuf(const struct wbcDomainSid *sid, char *buf, int buflen); + +/** + * @brief Convert a binary SID to a character string + * + * @param sid Binary Security Identifier + * @param **sid_string Resulting character string + * + * @return #wbcErr + **/ +wbcErr wbcSidToString(const struct wbcDomainSid *sid, + char **sid_string); + +/** + * @brief Convert a character string to a binary SID + * + * @param *sid_string Character string in the form of S-... 
+ * @param sid Resulting binary SID + * + * @return #wbcErr + **/ +wbcErr wbcStringToSid(const char *sid_string, + struct wbcDomainSid *sid); + +/* + * Utility functions for dealing with GUIDs + */ + +/** + * @brief Convert a binary GUID to a character string + * + * @param guid Binary Guid + * @param **guid_string Resulting character string + * + * @return #wbcErr + **/ +wbcErr wbcGuidToString(const struct wbcGuid *guid, + char **guid_string); + +/** + * @brief Convert a character string to a binary GUID + * + * @param *guid_string Character string + * @param guid Resulting binary GUID + * + * @return #wbcErr + **/ +wbcErr wbcStringToGuid(const char *guid_string, + struct wbcGuid *guid); + +/** + * @brief Ping winbindd to see if the daemon is running + * + * @param *ctx wbclient Context + * + * @return #wbcErr + **/ +wbcErr wbcCtxPing(struct wbcContext *ctx); + +/** + * @brief Ping winbindd to see if the daemon is running + * + * @return #wbcErr + **/ +wbcErr wbcPing(void); + +wbcErr wbcLibraryDetails(struct wbcLibraryDetails **details); + +wbcErr wbcCtxInterfaceDetails(struct wbcContext *ctx, + struct wbcInterfaceDetails **details); +wbcErr wbcInterfaceDetails(struct wbcInterfaceDetails **details); + +/********************************************************** + * Name/SID conversion + **********************************************************/ + +/** + * @brief Convert a domain and name to SID + * + * @param *ctx wbclient Context + * @param dom_name Domain name (possibly "") + * @param name User or group name + * @param *sid Pointer to the resolved domain SID + * @param *name_type Pointer to the SID type + * + * @return #wbcErr + **/ +wbcErr wbcCtxLookupName(struct wbcContext *ctx, + const char *dom_name, + const char *name, + struct wbcDomainSid *sid, + enum wbcSidType *name_type); + +/** + * @brief Convert a domain and name to SID + * + * @param dom_name Domain name (possibly "") + * @param name User or group name + * @param *sid Pointer to the resolved domain 
SID + * @param *name_type Pointer to the SID type + * + * @return #wbcErr + **/ +wbcErr wbcLookupName(const char *dom_name, + const char *name, + struct wbcDomainSid *sid, + enum wbcSidType *name_type); + +/** + * @brief Convert a SID to a domain and name + * + * @param *ctx wbclient Context + * @param *sid Pointer to the domain SID to be resolved + * @param domain Resolved Domain name (possibly "") + * @param name Resolved User or group name + * @param *name_type Pointer to the resolved SID type + * + * @return #wbcErr + **/ +wbcErr wbcCtxLookupSid(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + char **domain, + char **name, + enum wbcSidType *name_type); + +/** + * @brief Convert a SID to a domain and name + * + * @param *sid Pointer to the domain SID to be resolved + * @param domain Resolved Domain name (possibly "") + * @param name Resolved User or group name + * @param *name_type Pointer to the resolved SID type + * + * @return #wbcErr + **/ +wbcErr wbcLookupSid(const struct wbcDomainSid *sid, + char **domain, + char **name, + enum wbcSidType *name_type); + +struct wbcTranslatedName { + enum wbcSidType type; + char *name; + int domain_index; +}; + +wbcErr wbcCtxLookupSids(struct wbcContext *ctx, + const struct wbcDomainSid *sids, int num_sids, + struct wbcDomainInfo **domains, int *num_domains, + struct wbcTranslatedName **names); + +wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids, + struct wbcDomainInfo **domains, int *num_domains, + struct wbcTranslatedName **names); + +/** + * @brief Translate a collection of RIDs within a domain to names + */ +wbcErr wbcCtxLookupRids(struct wbcContext *ctx, + struct wbcDomainSid *dom_sid, + int num_rids, + uint32_t *rids, + const char **domain_name, + const char ***names, + enum wbcSidType **types); + +/** + * @brief Translate a collection of RIDs within a domain to names + */ +wbcErr wbcLookupRids(struct wbcDomainSid *dom_sid, + int num_rids, + uint32_t *rids, + const char **domain_name, + 
const char ***names, + enum wbcSidType **types); + +/* + * @brief Get the groups a user belongs to + **/ +wbcErr wbcCtxLookupUserSids(struct wbcContext *ctx, + const struct wbcDomainSid *user_sid, + bool domain_groups_only, + uint32_t *num_sids, + struct wbcDomainSid **sids); + +/* + * @brief Get the groups a user belongs to + **/ +wbcErr wbcLookupUserSids(const struct wbcDomainSid *user_sid, + bool domain_groups_only, + uint32_t *num_sids, + struct wbcDomainSid **sids); + +/* + * @brief Get alias membership for sids + **/ +wbcErr wbcCtxGetSidAliases(struct wbcContext *ctx, + const struct wbcDomainSid *dom_sid, + struct wbcDomainSid *sids, + uint32_t num_sids, + uint32_t **alias_rids, + uint32_t *num_alias_rids); + +/* + * @brief Get alias membership for sids + **/ +wbcErr wbcGetSidAliases(const struct wbcDomainSid *dom_sid, + struct wbcDomainSid *sids, + uint32_t num_sids, + uint32_t **alias_rids, + uint32_t *num_alias_rids); + +/** + * @brief Lists Users + **/ +wbcErr wbcCtxListUsers(struct wbcContext *ctx, + const char *domain_name, + uint32_t *num_users, + const char ***users); + +/** + * @brief Lists Users + **/ +wbcErr wbcListUsers(const char *domain_name, + uint32_t *num_users, + const char ***users); + +/** + * @brief Lists Groups + **/ +wbcErr wbcCtxListGroups(struct wbcContext *ctx, + const char *domain_name, + uint32_t *num_groups, + const char ***groups); + +/** + * @brief Lists Groups + **/ +wbcErr wbcListGroups(const char *domain_name, + uint32_t *num_groups, + const char ***groups); + +wbcErr wbcCtxGetDisplayName(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + char **pdomain, + char **pfullname, + enum wbcSidType *pname_type); + +wbcErr wbcGetDisplayName(const struct wbcDomainSid *sid, + char **pdomain, + char **pfullname, + enum wbcSidType *pname_type); + +/********************************************************** + * SID/uid/gid Mappings + **********************************************************/ + +/** + * @brief Convert a Windows 
SID to a Unix uid, allocating an uid if needed + * + * @param *ctx wbclient Context + * @param *sid Pointer to the domain SID to be resolved + * @param *puid Pointer to the resolved uid_t value + * + * @return #wbcErr + * + **/ +wbcErr wbcCtxSidToUid(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + uid_t *puid); + +/** + * @brief Convert a Windows SID to a Unix uid, allocating an uid if needed + * + * @param *sid Pointer to the domain SID to be resolved + * @param *puid Pointer to the resolved uid_t value + * + * @return #wbcErr + * + **/ +wbcErr wbcSidToUid(const struct wbcDomainSid *sid, + uid_t *puid); + +/** + * @brief Convert a Windows SID to a Unix uid if there already is a mapping + * + * @param *sid Pointer to the domain SID to be resolved + * @param *puid Pointer to the resolved uid_t value + * + * @return #wbcErr + * + **/ +wbcErr wbcQuerySidToUid(const struct wbcDomainSid *sid, + uid_t *puid); + +/** + * @brief Convert a Unix uid to a Windows SID, allocating a SID if needed + * + * @param *ctx wbclient Context + * @param uid Unix uid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ +wbcErr wbcCtxUidToSid(struct wbcContext *ctx, uid_t uid, + struct wbcDomainSid *sid); + +/** + * @brief Convert a Unix uid to a Windows SID, allocating a SID if needed + * + * @param uid Unix uid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ +wbcErr wbcUidToSid(uid_t uid, + struct wbcDomainSid *sid); + +/** + * @brief Convert a Unix uid to a Windows SID if there already is a mapping + * + * @param uid Unix uid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ +wbcErr wbcQueryUidToSid(uid_t uid, + struct wbcDomainSid *sid); + +/** + * @brief Convert a Windows SID to a Unix gid, allocating a gid if needed + * + * @param *ctx wbclient Context + * @param *sid Pointer to the domain SID to be resolved + * @param *pgid 
Pointer to the resolved gid_t value + * + * @return #wbcErr + * + **/ +wbcErr wbcCtxSidToGid(struct wbcContext *ctx, + const struct wbcDomainSid *sid, + gid_t *pgid); + +/** + * @brief Convert a Windows SID to a Unix gid, allocating a gid if needed + * + * @param *sid Pointer to the domain SID to be resolved + * @param *pgid Pointer to the resolved gid_t value + * + * @return #wbcErr + * + **/ +wbcErr wbcSidToGid(const struct wbcDomainSid *sid, + gid_t *pgid); + +/** + * @brief Convert a Windows SID to a Unix gid if there already is a mapping + * + * @param *sid Pointer to the domain SID to be resolved + * @param *pgid Pointer to the resolved gid_t value + * + * @return #wbcErr + * + **/ +wbcErr wbcQuerySidToGid(const struct wbcDomainSid *sid, + gid_t *pgid); + +/** + * @brief Convert a Unix gid to a Windows SID, allocating a SID if needed + * + * @param *ctx wbclient Context + * @param gid Unix gid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ +wbcErr wbcCtxGidToSid(struct wbcContext *ctx, gid_t gid, + struct wbcDomainSid *sid); + +/** + * @brief Convert a Unix gid to a Windows SID, allocating a SID if needed + * + * @param gid Unix gid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ +wbcErr wbcGidToSid(gid_t gid, + struct wbcDomainSid *sid); + +/** + * @brief Convert a Unix gid to a Windows SID if there already is a mapping + * + * @param gid Unix gid to be resolved + * @param *sid Pointer to the resolved domain SID + * + * @return #wbcErr + * + **/ +wbcErr wbcQueryGidToSid(gid_t gid, + struct wbcDomainSid *sid); + +enum wbcIdType { + WBC_ID_TYPE_NOT_SPECIFIED, + WBC_ID_TYPE_UID, + WBC_ID_TYPE_GID, + WBC_ID_TYPE_BOTH +}; + +union wbcUnixIdContainer { + uid_t uid; + gid_t gid; +}; + +struct wbcUnixId { + enum wbcIdType type; + union wbcUnixIdContainer id; +}; + +/** + * @brief Convert a list of sids to unix ids + * + * @param *ctx wbclient Context + * @param 
sids Pointer to an array of SIDs to convert + * @param num_sids Number of SIDs + * @param ids Preallocated output array for translated IDs + * + * @return #wbcErr + * + **/ +wbcErr wbcCtxSidsToUnixIds(struct wbcContext *ctx, + const struct wbcDomainSid *sids, uint32_t num_sids, + struct wbcUnixId *ids); + +/** + * @brief Convert a list of sids to unix ids + * + * @param sids Pointer to an array of SIDs to convert + * @param num_sids Number of SIDs + * @param ids Preallocated output array for translated IDs + * + * @return #wbcErr + * + **/ +wbcErr wbcSidsToUnixIds(const struct wbcDomainSid *sids, uint32_t num_sids, + struct wbcUnixId *ids); + +/** + * @brief Convert a list of unix ids to sids + * + * @param ctx wbclient Context + * @param ids Pointer to an array of UNIX IDs to convert + * @param num_ids Number of UNIX IDs + * @param sids Preallocated output array for translated SIDs + * + * @return #wbcErr + * + **/ +wbcErr wbcCtxUnixIdsToSids(struct wbcContext *ctx, + const struct wbcUnixId *ids, uint32_t num_ids, + struct wbcDomainSid *sids); + +/** + * @brief Convert a list of unix ids to sids + * + * @param ids Pointer to an array of UNIX IDs to convert + * @param num_ids Number of UNIX IDs + * @param sids Preallocated output array for translated SIDs + * + * @return #wbcErr + * + **/ +wbcErr wbcUnixIdsToSids(const struct wbcUnixId *ids, uint32_t num_ids, + struct wbcDomainSid *sids); + +/** + * @brief Obtain a new uid from Winbind + * + * @param *ctx wbclient Context + * @param *puid Pointer to the allocated uid + * + * @return #wbcErr + **/ +wbcErr wbcCtxAllocateUid(struct wbcContext *ctx, uid_t *puid); + +/** + * @brief Obtain a new uid from Winbind + * + * @param *puid Pointer to the allocated uid + * + * @return #wbcErr + **/ +wbcErr wbcAllocateUid(uid_t *puid); + +/** + * @brief Obtain a new gid from Winbind + * + * @param *ctx wbclient Context + * @param *pgid Pointer to the allocated gid + * + * @return #wbcErr + **/ +wbcErr wbcCtxAllocateGid(struct 
wbcContext *ctx, gid_t *pgid); + +/** + * @brief Obtain a new gid from Winbind + * + * @param *pgid Pointer to the allocated gid + * + * @return #wbcErr + **/ +wbcErr wbcAllocateGid(gid_t *pgid); + +/** + * @brief Set an user id mapping + * + * @param uid Uid of the desired mapping. + * @param *sid Pointer to the sid of the desired mapping. + * + * @return #wbcErr + * + * @deprecated This method is not impemented any more and should + * be removed in the next major version change. + **/ +wbcErr wbcSetUidMapping(uid_t uid, const struct wbcDomainSid *sid); + +/** + * @brief Set a group id mapping + * + * @param gid Gid of the desired mapping. + * @param *sid Pointer to the sid of the desired mapping. + * + * @return #wbcErr + * + * @deprecated This method is not impemented any more and should + * be removed in the next major version change. + **/ +wbcErr wbcSetGidMapping(gid_t gid, const struct wbcDomainSid *sid); + +/** + * @brief Remove a user id mapping + * + * @param uid Uid of the mapping to remove. + * @param *sid Pointer to the sid of the mapping to remove. + * + * @return #wbcErr + * + * @deprecated This method is not impemented any more and should + * be removed in the next major version change. + **/ +wbcErr wbcRemoveUidMapping(uid_t uid, const struct wbcDomainSid *sid); + +/** + * @brief Remove a group id mapping + * + * @param gid Gid of the mapping to remove. + * @param *sid Pointer to the sid of the mapping to remove. + * + * @return #wbcErr + * + * @deprecated This method is not impemented any more and should + * be removed in the next major version change. + **/ +wbcErr wbcRemoveGidMapping(gid_t gid, const struct wbcDomainSid *sid); + +/** + * @brief Set the highwater mark for allocated uids. + * + * @param uid_hwm The new uid highwater mark value + * + * @return #wbcErr + * + * @deprecated This method is not impemented any more and should + * be removed in the next major version change. 
+ **/ +wbcErr wbcSetUidHwm(uid_t uid_hwm); + +/** + * @brief Set the highwater mark for allocated gids. + * + * @param gid_hwm The new gid highwater mark value + * + * @return #wbcErr + * + * @deprecated This method is not impemented any more and should + * be removed in the next major version change. + **/ +wbcErr wbcSetGidHwm(gid_t gid_hwm); + +/********************************************************** + * NSS Lookup User/Group details + **********************************************************/ + +/** + * @brief Fill in a struct passwd* for a domain user based + * on username + * + * @param *ctx wbclient Context + * @param *name Username to lookup + * @param **pwd Pointer to resulting struct passwd* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcCtxGetpwnam(struct wbcContext *ctx, + const char *name, struct passwd **pwd); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on username + * + * @param *name Username to lookup + * @param **pwd Pointer to resulting struct passwd* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcGetpwnam(const char *name, struct passwd **pwd); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on uid + * + * @param *ctx wbclient Context + * @param uid Uid to lookup + * @param **pwd Pointer to resulting struct passwd* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcCtxGetpwuid(struct wbcContext *ctx, + uid_t uid, struct passwd **pwd); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on uid + * + * @param uid Uid to lookup + * @param **pwd Pointer to resulting struct passwd* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcGetpwuid(uid_t uid, struct passwd **pwd); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on sid + * + * @param *ctx wbclient Context + * @param sid Sid to lookup + * @param **pwd Pointer to resulting struct passwd* from the query. 
+ * + * @return #wbcErr + **/ +wbcErr wbcCtxGetpwsid(struct wbcContext *ctx, + struct wbcDomainSid * sid, struct passwd **pwd); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on sid + * + * @param sid Sid to lookup + * @param **pwd Pointer to resulting struct passwd* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcGetpwsid(struct wbcDomainSid * sid, struct passwd **pwd); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on username + * + * @param *ctx wbclient Context + * @param *name Username to lookup + * @param **grp Pointer to resulting struct group* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcCtxGetgrnam(struct wbcContext *ctx, + const char *name, struct group **grp); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on username + * + * @param *name Username to lookup + * @param **grp Pointer to resulting struct group* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcGetgrnam(const char *name, struct group **grp); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on uid + * + * @param *ctx wbclient Context + * @param gid Uid to lookup + * @param **grp Pointer to resulting struct group* from the query. + * + * @return #wbcErr + **/ +wbcErr wbcCtxGetgrgid(struct wbcContext *ctx, + gid_t gid, struct group **grp); + +/** + * @brief Fill in a struct passwd* for a domain user based + * on uid + * + * @param gid Uid to lookup + * @param **grp Pointer to resulting struct group* from the query. 
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcGetgrgid(gid_t gid, struct group **grp);
+
+/**
+ * @brief Reset the passwd iterator
+ *
+ * @param *ctx wbclient Context
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxSetpwent(struct wbcContext *ctx);
+
+/**
+ * @brief Reset the passwd iterator
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcSetpwent(void);
+
+/**
+ * @brief Close the passwd iterator
+ *
+ * @param *ctx wbclient Context
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxEndpwent(struct wbcContext *ctx);
+
+/**
+ * @brief Close the passwd iterator
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcEndpwent(void);
+
+/**
+ * @brief Return the next struct passwd* entry from the pwent iterator
+ *
+ * @param *ctx wbclient Context
+ * @param **pwd Pointer to resulting struct passwd* from the query.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxGetpwent(struct wbcContext *ctx, struct passwd **pwd);
+
+/**
+ * @brief Return the next struct passwd* entry from the pwent iterator
+ *
+ * @param **pwd Pointer to resulting struct passwd* from the query.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcGetpwent(struct passwd **pwd);
+
+/**
+ * @brief Reset the group iterator
+ *
+ * @param *ctx wbclient Context
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxSetgrent(struct wbcContext *ctx);
+
+/**
+ * @brief Reset the group iterator
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcSetgrent(void);
+
+/**
+ * @brief Close the group iterator
+ *
+ * @param *ctx wbclient Context
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxEndgrent(struct wbcContext *ctx);
+
+/**
+ * @brief Close the group iterator
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcEndgrent(void);
+
+/**
+ * @brief Return the next struct group* entry from the pwent iterator
+ *
+ * @param *ctx wbclient Context
+ * @param **grp Pointer to resulting struct group* from the query.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxGetgrent(struct wbcContext *ctx, struct group **grp);
+
+/**
+ * @brief Return the next struct group* entry from the pwent iterator
+ *
+ * @param **grp Pointer to resulting struct group* from the query.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcGetgrent(struct group **grp);
+
+/**
+ * @brief Return the next struct group* entry from the pwent iterator
+ *
+ * This is similar to #wbcGetgrent, just that the member list is empty
+ *
+ * @param *ctx wbclient Context
+ * @param **grp Pointer to resulting struct group* from the query.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxGetgrlist(struct wbcContext *ctx, struct group **grp);
+
+/**
+ * @brief Return the next struct group* entry from the pwent iterator
+ *
+ * This is similar to #wbcGetgrent, just that the member list is empty
+ *
+ * @param **grp Pointer to resulting struct group* from the query.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcGetgrlist(struct group **grp);
+
+/**
+ * @brief Return the unix group array belonging to the given user
+ *
+ * @param *ctx wbclient Context
+ * @param *account The given user name
+ * @param *num_groups Number of elements returned in the groups array
+ * @param **_groups Pointer to resulting gid_t array.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxGetGroups(struct wbcContext *ctx,
+ const char *account,
+ uint32_t *num_groups,
+ gid_t **_groups);
+
+/**
+ * @brief Return the unix group array belonging to the given user
+ *
+ * @param *account The given user name
+ * @param *num_groups Number of elements returned in the groups array
+ * @param **_groups Pointer to resulting gid_t array.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcGetGroups(const char *account,
+ uint32_t *num_groups,
+ gid_t **_groups);
+
+
+/**********************************************************
+ * Lookup Domain information
+ **********************************************************/
+
+/**
+ * @brief Lookup the current status of a trusted domain
+ *
+ * @param *ctx wbclient Context
+ * @param domain The domain to query
+ *
+ * @param dinfo A pointer to store the returned domain_info struct.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxDomainInfo(struct wbcContext *ctx,
+ const char *domain,
+ struct wbcDomainInfo **dinfo);
+
+/**
+ * @brief Lookup the current status of a trusted domain
+ *
+ * @param domain The domain to query
+ *
+ * @param dinfo A pointer to store the returned domain_info struct.
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcDomainInfo(const char *domain,
+ struct wbcDomainInfo **dinfo);
+
+/**
+ * @brief Lookup the currently contacted DCs
+ *
+ * @param *ctx wbclient Context
+ * @param domain The domain to query
+ *
+ * @param num_dcs Number of DCs currently known
+ * @param dc_names Names of the currently known DCs
+ * @param dc_ips IP addresses of the currently known DCs
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxDcInfo(struct wbcContext *ctx,
+ const char *domain, size_t *num_dcs,
+ const char ***dc_names, const char ***dc_ips);
+
+/**
+ * @brief Lookup the currently contacted DCs
+ *
+ * @param domain The domain to query
+ *
+ * @param num_dcs Number of DCs currently known
+ * @param dc_names Names of the currently known DCs
+ * @param dc_ips IP addresses of the currently known DCs
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcDcInfo(const char *domain, size_t *num_dcs,
+ const char ***dc_names, const char ***dc_ips);
+
+/**
+ * @brief Enumerate the domain trusts known by Winbind
+ *
+ * @param *ctx wbclient Context
+ * @param **domains Pointer to the allocated domain list array
+ * @param *num_domains Pointer to number of domains returned
+ *
+ * @return
#wbcErr
+ **/
+wbcErr wbcCtxListTrusts(struct wbcContext *ctx,
+ struct wbcDomainInfo **domains,
+ size_t *num_domains);
+
+/**
+ * @brief Enumerate the domain trusts known by Winbind
+ *
+ * @param **domains Pointer to the allocated domain list array
+ * @param *num_domains Pointer to number of domains returned
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcListTrusts(struct wbcDomainInfo **domains,
+ size_t *num_domains);
+
+/* Flags for wbcLookupDomainController */
+
+#define WBC_LOOKUP_DC_FORCE_REDISCOVERY 0x00000001
+#define WBC_LOOKUP_DC_DS_REQUIRED 0x00000010
+#define WBC_LOOKUP_DC_DS_PREFERRED 0x00000020
+#define WBC_LOOKUP_DC_GC_SERVER_REQUIRED 0x00000040
+#define WBC_LOOKUP_DC_PDC_REQUIRED 0x00000080
+#define WBC_LOOKUP_DC_BACKGROUND_ONLY 0x00000100
+#define WBC_LOOKUP_DC_IP_REQUIRED 0x00000200
+#define WBC_LOOKUP_DC_KDC_REQUIRED 0x00000400
+#define WBC_LOOKUP_DC_TIMESERV_REQUIRED 0x00000800
+#define WBC_LOOKUP_DC_WRITABLE_REQUIRED 0x00001000
+#define WBC_LOOKUP_DC_GOOD_TIMESERV_PREFERRED 0x00002000
+#define WBC_LOOKUP_DC_AVOID_SELF 0x00004000
+#define WBC_LOOKUP_DC_ONLY_LDAP_NEEDED 0x00008000
+#define WBC_LOOKUP_DC_IS_FLAT_NAME 0x00010000
+#define WBC_LOOKUP_DC_IS_DNS_NAME 0x00020000
+#define WBC_LOOKUP_DC_TRY_NEXTCLOSEST_SITE 0x00040000
+#define WBC_LOOKUP_DC_DS_6_REQUIRED 0x00080000
+#define WBC_LOOKUP_DC_RETURN_DNS_NAME 0x40000000
+#define WBC_LOOKUP_DC_RETURN_FLAT_NAME 0x80000000
+
+/**
+ * @brief Enumerate the domain trusts known by Winbind
+ *
+ * @param *ctx wbclient Context
+ * @param domain Name of the domain to query for a DC
+ * @param flags Bit flags used to control the domain location query
+ * @param *dc_info Pointer to the returned domain controller information
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxLookupDomainController(struct wbcContext *ctx,
+ const char *domain,
+ uint32_t flags,
+ struct wbcDomainControllerInfo **dc_info);
+
+/**
+ * @brief Enumerate the domain trusts known by Winbind
+ *
+ * @param domain Name of the domain to query
for a DC
+ * @param flags Bit flags used to control the domain location query
+ * @param *dc_info Pointer to the returned domain controller information
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcLookupDomainController(const char *domain,
+ uint32_t flags,
+ struct wbcDomainControllerInfo **dc_info);
+
+/**
+ * @brief Get extended domain controller information
+ *
+ * @param *ctx wbclient Context
+ * @param domain Name of the domain to query for a DC
+ * @param guid Guid of the domain to query for a DC
+ * @param site Site of the domain to query for a DC
+ * @param flags Bit flags used to control the domain location query
+ * @param *dc_info Pointer to the returned extended domain controller information
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxLookupDomainControllerEx(struct wbcContext *ctx,
+ const char *domain,
+ struct wbcGuid *guid,
+ const char *site,
+ uint32_t flags,
+ struct wbcDomainControllerInfoEx **dc_info);
+
+/**
+ * @brief Get extended domain controller information
+ *
+ * @param domain Name of the domain to query for a DC
+ * @param guid Guid of the domain to query for a DC
+ * @param site Site of the domain to query for a DC
+ * @param flags Bit flags used to control the domain location query
+ * @param *dc_info Pointer to the returned extended domain controller information
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcLookupDomainControllerEx(const char *domain,
+ struct wbcGuid *guid,
+ const char *site,
+ uint32_t flags,
+ struct wbcDomainControllerInfoEx **dc_info);
+
+/**********************************************************
+ * Athenticate functions
+ **********************************************************/
+
+/**
+ * @brief Authenticate a username/password pair
+ *
+ * @param *ctx wbclient Context
+ * @param username Name of user to authenticate
+ * @param password Clear text password os user
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxAuthenticateUser(struct wbcContext *ctx,
+ const char *username,
+ const char *password);
+
+/**
+ * @brief
Authenticate a username/password pair
+ *
+ * @param username Name of user to authenticate
+ * @param password Clear text password os user
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcAuthenticateUser(const char *username,
+ const char *password);
+
+/**
+ * @brief Authenticate with more detailed information
+ *
+ * @param *ctx wbclient Context
+ * @param params Input parameters, WBC_AUTH_USER_LEVEL_HASH
+ * is not supported yet
+ * @param info Output details on WBC_ERR_SUCCESS
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxAuthenticateUserEx(struct wbcContext *ctx,
+ const struct wbcAuthUserParams *params,
+ struct wbcAuthUserInfo **info,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Authenticate with more detailed information
+ *
+ * @param params Input parameters, WBC_AUTH_USER_LEVEL_HASH
+ * is not supported yet
+ * @param info Output details on WBC_ERR_SUCCESS
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
+ struct wbcAuthUserInfo **info,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Logon a User
+ *
+ * @param[in] *ctx wbclient Context
+ * @param[in] params Pointer to a wbcLogonUserParams structure
+ * @param[out] info Pointer to a pointer to a wbcLogonUserInfo structure
+ * @param[out] error Pointer to a pointer to a wbcAuthErrorInfo structure
+ * @param[out] policy Pointer to a pointer to a wbcUserPasswordPolicyInfo structure
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxLogonUser(struct wbcContext *ctx,
+ const struct wbcLogonUserParams *params,
+ struct wbcLogonUserInfo **info,
+ struct wbcAuthErrorInfo **error,
+ struct wbcUserPasswordPolicyInfo **policy);
+
+/**
+ * @brief Logon a User
+ *
+ * @param[in] params Pointer to a wbcLogonUserParams structure
+ * @param[out] info Pointer to a pointer to a wbcLogonUserInfo structure
+ * @param[out] error Pointer to a pointer to a wbcAuthErrorInfo
structure
+ * @param[out] policy Pointer to a pointer to a wbcUserPasswordPolicyInfo structure
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcLogonUser(const struct wbcLogonUserParams *params,
+ struct wbcLogonUserInfo **info,
+ struct wbcAuthErrorInfo **error,
+ struct wbcUserPasswordPolicyInfo **policy);
+
+/**
+ * @brief Trigger a logoff notification to Winbind for a specific user
+ *
+ * @param *ctx wbclient Context
+ * @param username Name of user to remove from Winbind's list of
+ * logged on users.
+ * @param uid Uid assigned to the username
+ * @param ccfilename Absolute path to the Krb5 credentials cache to
+ * be removed
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxLogoffUser(struct wbcContext *ctx,
+ const char *username, uid_t uid,
+ const char *ccfilename);
+
+/**
+ * @brief Trigger a logoff notification to Winbind for a specific user
+ *
+ * @param username Name of user to remove from Winbind's list of
+ * logged on users.
+ * @param uid Uid assigned to the username
+ * @param ccfilename Absolute path to the Krb5 credentials cache to
+ * be removed
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcLogoffUser(const char *username,
+ uid_t uid,
+ const char *ccfilename);
+
+/**
+ * @brief Trigger an extended logoff notification to Winbind for a specific user
+ *
+ * @param *ctx wbclient Context
+ * @param params A wbcLogoffUserParams structure
+ * @param error User output details on error
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxLogoffUserEx(struct wbcContext *ctx,
+ const struct wbcLogoffUserParams *params,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger an extended logoff notification to Winbind for a specific user
+ *
+ * @param params A wbcLogoffUserParams structure
+ * @param error User output details on error
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcLogoffUserEx(const struct wbcLogoffUserParams *params,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Change a password for a user
+ *
+ * @param *ctx wbclient Context
+ * @param username Name
of user to authenticate
+ * @param old_password Old clear text password of user
+ * @param new_password New clear text password of user
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxChangeUserPassword(struct wbcContext *ctx,
+ const char *username,
+ const char *old_password,
+ const char *new_password);
+
+/**
+ * @brief Change a password for a user
+ *
+ * @param username Name of user to authenticate
+ * @param old_password Old clear text password of user
+ * @param new_password New clear text password of user
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcChangeUserPassword(const char *username,
+ const char *old_password,
+ const char *new_password);
+
+/**
+ * @brief Change a password for a user with more detailed information upon
+ * failure
+ *
+ * @param *ctx wbclient Context
+ * @param params Input parameters
+ * @param error User output details on WBC_ERR_PWD_CHANGE_FAILED
+ * @param reject_reason New password reject reason on WBC_ERR_PWD_CHANGE_FAILED
+ * @param policy Password policy output details on WBC_ERR_PWD_CHANGE_FAILED
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxChangeUserPasswordEx(struct wbcContext *ctx,
+ const struct wbcChangePasswordParams *params,
+ struct wbcAuthErrorInfo **error,
+ enum wbcPasswordChangeRejectReason *reject_reason,
+ struct wbcUserPasswordPolicyInfo **policy);
+
+/**
+ * @brief Change a password for a user with more detailed information upon
+ * failure
+ *
+ * @param params Input parameters
+ * @param error User output details on WBC_ERR_PWD_CHANGE_FAILED
+ * @param reject_reason New password reject reason on WBC_ERR_PWD_CHANGE_FAILED
+ * @param policy Password policy output details on WBC_ERR_PWD_CHANGE_FAILED
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcChangeUserPasswordEx(const struct wbcChangePasswordParams *params,
+ struct wbcAuthErrorInfo **error,
+ enum wbcPasswordChangeRejectReason *reject_reason,
+ struct wbcUserPasswordPolicyInfo **policy);
+
+/**
+ * @brief Authenticate a user with cached credentials
+ *
+ * @param
*ctx wbclient Context
+ * @param *params Pointer to a wbcCredentialCacheParams structure
+ * @param **info Pointer to a pointer to a wbcCredentialCacheInfo structure
+ * @param **error Pointer to a pointer to a wbcAuthErrorInfo structure
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxCredentialCache(struct wbcContext *ctx,
+ struct wbcCredentialCacheParams *params,
+ struct wbcCredentialCacheInfo **info,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Authenticate a user with cached credentials
+ *
+ * @param *params Pointer to a wbcCredentialCacheParams structure
+ * @param **info Pointer to a pointer to a wbcCredentialCacheInfo structure
+ * @param **error Pointer to a pointer to a wbcAuthErrorInfo structure
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
+ struct wbcCredentialCacheInfo **info,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Save a password with winbind for doing wbcCredentialCache() later
+ *
+ * @param *ctx wbclient Context
+ * @param *user Username
+ * @param *password Password
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxCredentialSave(struct wbcContext *ctx,
+ const char *user, const char *password);
+
+/**
+ * @brief Save a password with winbind for doing wbcCredentialCache() later
+ *
+ * @param *user Username
+ * @param *password Password
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCredentialSave(const char *user, const char *password);
+
+/**********************************************************
+ * Resolve functions
+ **********************************************************/
+
+/**
+ * @brief Resolve a NetbiosName via WINS
+ *
+ * @param *ctx wbclient Context
+ * @param name Name to resolve
+ * @param *ip Pointer to the ip address string
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxResolveWinsByName(struct wbcContext *ctx,
+ const char *name, char **ip);
+
+/**
+ * @brief Resolve a NetbiosName via WINS
+ *
+ * @param name Name to resolve
+ * @param *ip Pointer to the ip address
string
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcResolveWinsByName(const char *name, char **ip);
+
+/**
+ * @brief Resolve an IP address via WINS into a NetbiosName
+ *
+ * @param *ctx wbclient Context
+ * @param ip The ip address string
+ * @param *name Pointer to the name
+ *
+ * @return #wbcErr
+ *
+ **/
+wbcErr wbcCtxResolveWinsByIP(struct wbcContext *ctx,
+ const char *ip, char **name);
+
+/**
+ * @brief Resolve an IP address via WINS into a NetbiosName
+ *
+ * @param ip The ip address string
+ * @param *name Pointer to the name
+ *
+ * @return #wbcErr
+ *
+ **/
+wbcErr wbcResolveWinsByIP(const char *ip, char **name);
+
+/**********************************************************
+ * Trusted domain functions
+ **********************************************************/
+
+/**
+ * @brief Trigger a verification of the trust credentials of a specific domain
+ *
+ * @param *ctx wbclient Context
+ * @param *domain The name of the domain.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxCheckTrustCredentials(struct wbcContext *ctx, const char *domain,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger a verification of the trust credentials of a specific domain
+ *
+ * @param *domain The name of the domain.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCheckTrustCredentials(const char *domain,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger a change of the trust credentials for a specific domain
+ *
+ * @param *ctx wbclient Context
+ * @param *domain The name of the domain.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxChangeTrustCredentials(struct wbcContext *ctx, const char *domain,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger a change of the trust credentials for a specific domain
+ *
+ * @param *domain The name of the domain.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcChangeTrustCredentials(const char *domain,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger a no-op call through the NETLOGON pipe. Low-cost
+ * version of wbcCheckTrustCredentials
+ *
+ * @param *ctx wbclient Context
+ * @param *domain The name of the domain, only NULL for the default domain is
+ * supported yet. Other values than NULL will result in
+ * WBC_ERR_NOT_IMPLEMENTED.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxPingDc(struct wbcContext *ctx, const char *domain,
+ struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger a no-op call through the NETLOGON pipe. Low-cost
+ * version of wbcCheckTrustCredentials
+ *
+ * @param *domain The name of the domain, only NULL for the default domain is
+ * supported yet. Other values than NULL will result in
+ * WBC_ERR_NOT_IMPLEMENTED.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcPingDc(const char *domain, struct wbcAuthErrorInfo **error);
+
+/**
+ * @brief Trigger a no-op call through the NETLOGON pipe. Low-cost
+ * version of wbcCheckTrustCredentials
+ *
+ * @param *ctx wbclient Context
+ * @param *domain The name of the domain, only NULL for the default domain is
+ * supported yet. Other values than NULL will result in
+ * WBC_ERR_NOT_IMPLEMENTED.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ * @param dcname DC that was attempted to ping
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCtxPingDc2(struct wbcContext *ctx, const char *domain,
+ struct wbcAuthErrorInfo **error,
+ char **dcname);
+
+/**
+ * @brief Trigger a no-op call through the NETLOGON pipe. Low-cost
+ * version of wbcCheckTrustCredentials
+ *
+ * @param *domain The name of the domain, only NULL for the default domain is
+ * supported yet. Other values than NULL will result in
+ * WBC_ERR_NOT_IMPLEMENTED.
+ * @param error Output details on WBC_ERR_AUTH_ERROR
+ * @param dcname DC that was attempted to ping
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcPingDc2(const char *domain, struct wbcAuthErrorInfo **error,
+ char **dcname);
+
+/**********************************************************
+ * Helper functions
+ **********************************************************/
+
+/**
+ * @brief Initialize a named blob and add to list of blobs
+ *
+ * @param[in,out] num_blobs Pointer to the number of blobs
+ * @param[in,out] blobs Pointer to an array of blobs
+ * @param[in] name Name of the new named blob
+ * @param[in] flags Flags of the new named blob
+ * @param[in] data Blob data of new blob
+ * @param[in] length Blob data length of new blob
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcAddNamedBlob(size_t *num_blobs,
+ struct wbcNamedBlob **blobs,
+ const char *name,
+ uint32_t flags,
+ uint8_t *data,
+ size_t length);
+
+#endif /* _WBCLIENT_H */
diff --git a/src/sss_client/libwbclient/wbclient_sssd.pc.in b/src/sss_client/libwbclient/wbclient_sssd.pc.in
new file mode 100644
index 0000000..802a35b
--- /dev/null
+++ b/src/sss_client/libwbclient/wbclient_sssd.pc.in
@@ -0,0 +1,11 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@appmodpath@
+includedir=@includedir@
+
+Name: wbclient
+Description: SSSD implementation of Samba wbclient API
+Version: @libwbclient_version@
+Libs: -L${libdir} -lwbclient
+Cflags:
+URL: https://pagure.io/SSSD/sssd/, http://www.samba.org
diff --git a/src/sss_client/nfs/nfsidmap_internal.h b/src/sss_client/nfs/nfsidmap_internal.h
new file mode 100644
index 0000000..07547f8
--- /dev/null
+++ b/src/sss_client/nfs/nfsidmap_internal.h
@@ -0,0 +1,78 @@
+/*
+ * nfsidmap_internal.h
+ *
+ * nfs idmapping library, primarily for nfs4 client/server kernel idmapping
+ * and for userland nfs4 idmapping by acl libraries.
+ *
+ * Copyright (c) 2004 The Regents of the University of Michigan.
+ * All rights reserved.
+ *
+ * Andy Adamson
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+char *get_default_domain(void);
+struct conf_list *get_local_realms(void);
+
+typedef struct trans_func * (*libnfsidmap_plugin_init_t)(void);
+
+struct trans_func {
+ char *name;
+ int (*init)(void);
+ int (*princ_to_ids)(char *secname, char *princ, uid_t *uid, gid_t *gid,
+ extra_mapping_params **ex);
+ int (*name_to_uid)(char *name, uid_t *uid);
+ int (*name_to_gid)(char *name, gid_t *gid);
+ int (*uid_to_name)(uid_t uid, char *domain, char *name, size_t len);
+ int (*gid_to_name)(gid_t gid, char *domain, char *name, size_t len);
+ int (*gss_princ_to_grouplist)(char *secname, char *princ, gid_t *groups,
+ int *ngroups, extra_mapping_params **ex);
+};
+
+struct mapping_plugin {
+ void *dl_handle;
+ struct trans_func *trans;
+};
+
+typedef enum {
+ IDTYPE_USER = 1,
+ IDTYPE_GROUP = 2
+} idtypes;
+
+extern int idmap_verbosity;
+extern nfs4_idmap_log_function_t idmap_log_func;
+/* Level zero always prints, others print depending on verbosity level */
+#define IDMAP_LOG(LVL, MSG) \
+ do { if (LVL <= idmap_verbosity) (*idmap_log_func)MSG; } while (0)
+
+
+/*
+ * from libnfsidmap's cfg.h (same license as above)
+ * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
+ * Copyright (c) 2000, 2003 H�kan Olsson. All rights reserved.
+ */
+extern const char *conf_get_str(const char *, const char *);
diff --git a/src/sss_client/nfs/sss_nfs_client.c b/src/sss_client/nfs/sss_nfs_client.c
new file mode 100644
index 0000000..eff0d92
--- /dev/null
+++ b/src/sss_client/nfs/sss_nfs_client.c
@@ -0,0 +1,577 @@
+/*
+ SSSD
+
+ NFS Client
+
+ Copyright (C) Noam Meltzer 2013-2014
+ Copyright (C) Noam Meltzer 2014-
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+#ifdef HAVE_NFSIDMAP_PLUGIN_H
+#include
+#else /* fallback to internal header file with older version of libnfsidmap */
+#include "nfsidmap_internal.h"
+#define nfsidmap_config_get conf_get_str
+#endif
+
+#include "sss_client/sss_cli.h"
+#include "sss_client/nss_mc.h"
+
+
+/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/
+#define PLUGIN_NAME "sss_nfs"
+#define CONF_SECTION "sss_nfs"
+#define CONF_USE_MC "memcache"
+#define REPLY_ID_OFFSET (8)
+#define REPLY_NAME_OFFSET (REPLY_ID_OFFSET + 8)
+#define BUF_LEN (4096)
+#define USE_MC_DEFAULT true
+
+
+/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/
+static char sss_nfs_plugin_name[] = PLUGIN_NAME;
+static char nfs_conf_sect[] = CONF_SECTION;
+static char nfs_conf_use_mc[] = CONF_USE_MC;
+
+static bool nfs_use_mc = USE_MC_DEFAULT;
+
+
+/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.*/
+/* Forward declarations */
+static int send_recv(uint8_t **repp, size_t *rep_lenp, enum sss_cli_command cmd,
+ const void *req, size_t req_len);
+static int reply_to_id(id_t *idp, uint8_t *rep, size_t rep_len);
+static int reply_to_name(char *name, size_t len, uint8_t *rep, size_t rep_len);
+
+
+/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/
+/* get from memcache functions */
+static int get_uid_from_mc(id_t *uid, const char *name)
+{
+ int rc = 0;
+ struct passwd pwd;
+ char *buf = NULL;
+ char *p = NULL;
+ size_t buflen = 0;
+ size_t len = 0;
+
+ if (!nfs_use_mc) {
+ return -1;
+ }
+
+ sss_strnlen(name, SSS_NAME_MAX, &len);
+
+ do {
+ buflen += BUF_LEN;
+ if ((p = realloc(buf, buflen)) == NULL) {
+ rc = ENOMEM;
+ goto done;
+ }
+ buf = p;
+ rc = sss_nss_mc_getpwnam(name, len, &pwd, buf, buflen);
+ } while (rc == ERANGE);
+
+ if (rc == 0) {
+ IDMAP_LOG(1, ("found user %s in memcache", name));
+ *uid = pwd.pw_uid;
+ } else {
+ IDMAP_LOG(1, ("user %s not in memcache", name));
+ }
+
+done:
+ free(buf);
+ return rc;
+}
+
+static int get_gid_from_mc(id_t *gid, const char *name)
+{
+ int rc = 0;
+ struct group grp;
+ char *buf = NULL;
+ char *p = NULL;
+ size_t buflen = 0;
+ size_t len;
+
+ if (!nfs_use_mc) {
+ return -1;
+ }
+
+ sss_strnlen(name, SSS_NAME_MAX, &len);
+
+ do {
+ buflen += BUF_LEN;
+ if ((p = realloc(buf, buflen)) == NULL) {
+ rc = ENOMEM;
+ goto done;
+ }
+ buf = p;
+ rc = sss_nss_mc_getgrnam(name, len, &grp, buf, buflen);
+ } while (rc == ERANGE);
+
+ if (rc == 0) {
+ IDMAP_LOG(1, ("found group %s in memcache", name));
+ *gid = grp.gr_gid;
+ } else {
+ IDMAP_LOG(1, ("group %s not in memcache", name));
+ }
+
+done:
+ free(buf);
+ return rc;
+}
+
+static int get_user_from_mc(char *name, size_t len, uid_t uid)
+{
+ int rc;
+ struct passwd pwd;
+ char *buf = NULL;
+ char *p = NULL;
+ size_t buflen = 0;
+ size_t pw_name_len;
+
+ if (!nfs_use_mc) {
+ return -1;
+ }
+
+ do {
+ buflen += BUF_LEN;
+ if ((p = realloc(buf,
buflen)) == NULL) {
+ rc = ENOMEM;
+ goto done;
+ }
+ buf = p;
+ rc = sss_nss_mc_getpwuid(uid, &pwd, buf, buflen);
+ } while (rc == ERANGE);
+
+ if (rc == 0) {
+ pw_name_len = strlen(pwd.pw_name) + 1;
+ if (pw_name_len > len) {
+ IDMAP_LOG(0, ("%s: reply too long; pw_name_len=%lu, len=%lu",
+ __func__, pw_name_len, len));
+ rc = ENOBUFS;
+ }
+ IDMAP_LOG(1, ("found uid %i in memcache", uid));
+ memcpy(name, pwd.pw_name, pw_name_len);
+ } else {
+ IDMAP_LOG(1, ("uid %i not in memcache", uid));
+ }
+
+done:
+ free(buf);
+ return rc;
+}
+
+static int get_group_from_mc(char *name, size_t len, id_t gid)
+{
+ int rc;
+ struct group grp;
+ char *buf = NULL;
+ char *p = NULL;
+ size_t buflen = 0;
+ size_t gr_name_len;
+
+ if (!nfs_use_mc) {
+ return -1;
+ }
+
+ do {
+ buflen += BUF_LEN;
+ if ((p = realloc(buf, buflen)) == NULL) {
+ rc = ENOMEM;
+ goto done;
+ }
+ buf = p;
+ rc = sss_nss_mc_getgrgid(gid, &grp, buf, buflen);
+ } while (rc == ERANGE);
+
+ if (rc == 0) {
+ gr_name_len = strlen(grp.gr_name) + 1;
+ if (gr_name_len > len) {
+ IDMAP_LOG(0, ("%s: reply too long; gr_name_len=%lu, len=%lu",
+ __func__, gr_name_len, len));
+ rc = ENOBUFS;
+ }
+ IDMAP_LOG(1, ("found gid %i in memcache", gid));
+ memcpy(name, grp.gr_name, gr_name_len);
+ } else {
+ IDMAP_LOG(1, ("gid %i not in memcache", gid));
+ }
+
+done:
+ free(buf);
+ return rc;
+}
+
+/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.*/
+static int name_to_id(const char *name, id_t *id, enum sss_cli_command cmd)
+{
+ int rc;
+ uint8_t *rep = NULL;
+ size_t rep_len = 0;
+ size_t name_len;
+
+ sss_strnlen(name, SSS_NAME_MAX, &name_len);
+
+ rc = send_recv(&rep, &rep_len, cmd, name, name_len + 1);
+ if (rc == 0) {
+ rc = reply_to_id(id, rep, rep_len);
+ }
+
+ free(rep);
+
+ return rc;
+}
+
+static int id_to_name(char *name, size_t len, id_t id,
+ enum sss_cli_command cmd)
+{
+ int rc;
+ size_t rep_len = 0;
+ size_t req_len = sizeof(id_t);
+ uint8_t *rep = NULL;
+ uint8_t req[req_len];
+
+ memcpy(req, &id, req_len);
+ rc = send_recv(&rep, &rep_len, cmd, &req, req_len);
+ if (rc == 0) {
+ rc = reply_to_name(name, len, rep, rep_len);
+ }
+
+ free(rep);
+
+ return rc;
+}
+
+/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/
+static int send_recv(uint8_t **rep, size_t *rep_len, enum sss_cli_command cmd,
+ const void *req, size_t req_len)
+{
+ int err = 0;
+ enum nss_status req_rc;
+ struct sss_cli_req_data rd;
+
+ rd.data = req;
+ rd.len = req_len;
+
+ sss_nss_lock();
+ req_rc = sss_nss_make_request(cmd, &rd, rep, rep_len, &err);
+ sss_nss_unlock();
+
+ if (req_rc == NSS_STATUS_NOTFOUND) {
+ return ENOENT;
+ }
+ if (req_rc != NSS_STATUS_SUCCESS) {
+ IDMAP_LOG(0, ("no-make-request; err=%i", err));
+ return EPIPE;
+ }
+
+ return 0;
+}
+
+static int reply_to_id(id_t *idp, uint8_t *rep, size_t rep_len)
+{
+ int rc = 0;
+ id_t id;
+ uint32_t num_results = 0;
+
+ if (rep_len < sizeof(uint32_t)) {
+ IDMAP_LOG(0, ("%s: reply too small; rep_len=%lu", __func__, rep_len));
+ rc = EBADMSG;
+ goto done;
+ }
+
+ SAFEALIGN_COPY_UINT32(&num_results, rep, NULL);
+ if (num_results > 1) {
+ IDMAP_LOG(0, ("%s: too many results (%lu)", __func__, num_results));
+ rc = EBADMSG;
+ goto done;
+ }
+ if (num_results == 0) {
+ rc = ENOENT;
+ goto done;
+ }
+ if (rep_len < sizeof(uint32_t) + REPLY_ID_OFFSET) {
+ IDMAP_LOG(0, ("%s: reply too small(2); rep_len=%lu", __func__,
+ rep_len));
+ rc =
EBADMSG; + goto done; + } + + SAFEALIGN_COPY_UINT32(&id, rep + REPLY_ID_OFFSET, NULL); + *idp = id; + +done: + return rc; +} + +static int reply_to_name(char *name, size_t len, uint8_t *rep, size_t rep_len) +{ + int rc = 0; + uint32_t num_results = 0; + const char *buf; + size_t buf_len; + size_t offset; + + if (rep_len < sizeof(uint32_t)) { + IDMAP_LOG(0, ("%s: reply too small; rep_len=%lu", __func__, rep_len)); + rc = EBADMSG; + goto done; + } + + SAFEALIGN_COPY_UINT32(&num_results, rep, NULL); + if (num_results > 1) { + IDMAP_LOG(0, ("%s: too many results (%lu)", __func__, num_results)); + rc = EBADMSG; + goto done; + } + if (num_results == 0) { + rc = ENOENT; + goto done; + } + if (rep_len < sizeof(uint32_t) + REPLY_NAME_OFFSET) { + IDMAP_LOG(0, ("%s: reply too small(2); rep_len=%lu", __func__, + rep_len)); + rc = EBADMSG; + goto done; + } + + buf = (const char *)(rep + REPLY_NAME_OFFSET); + buf_len = rep_len - REPLY_NAME_OFFSET; + offset = 0; + rc = sss_readrep_copy_string(buf, &offset, &buf_len, &len, &name, NULL); + if (rc != 0) { + rc = -rc; + } + +done: + return rc; +} + +/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/ +/* configuration parsing aids */ +static bool str_equal(const char *s1, const char *s2) +{ + bool res = false; + size_t len1; + size_t len2; + + len1 = strlen(s1); + len2 = strlen(s2); + + if (len1 == len2) { + res = (strncasecmp(s1, s2, len1) == 0); + } + + return res; +} + +static int nfs_conf_get_bool(const char *sect, const char *attr, int def) +{ + int res; + const char *val; + + res = def; + val = nfsidmap_config_get(sect, attr); + if (val) { + res = (str_equal("1", val) || + str_equal("yes", val) || + str_equal("true", val) || + str_equal("on", val)); + } + + return res; +} + + +/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.*/ +/* libnfsidmap return-code aids */ + +/* + * we only want to return 0 or ENOENT; otherwise libnfsidmap will stop + * translation instead of proceeding to the next translation plugin + */ +int normalise_rc(int rc) { + int res; + + res = rc; + if (res != 0 && res != ENOENT) { + res = ENOENT; + } + + return res; +} + +/* log the actual rc from our code (to be used before normalising the rc) */ +void log_actual_rc(const char *trans_name, int rc) { + char tmp[80]; + IDMAP_LOG(1, ("%s: rc=%i msg=%s", trans_name, rc, + strerror_r(rc, tmp, sizeof(tmp)))); +} + + +/*. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .*/ +/* The external interface */ +static int sss_nfs_init(void) +{ + nfs_use_mc = nfs_conf_get_bool(nfs_conf_sect, nfs_conf_use_mc, + USE_MC_DEFAULT); + IDMAP_LOG(1, ("%s: use memcache: %i", __func__, nfs_use_mc)); + + return 0; +} + +static int sss_nfs_princ_to_ids(char *secname, char *princ, uid_t *uid, + gid_t *gid, extra_mapping_params **ex) +{ + IDMAP_LOG(0, ("%s: not implemented", __func__)); + return -ENOENT; +} + +static int sss_nfs_name_to_uid(char *name, uid_t *uid) +{ + int rc; + size_t name_len = 0; + + if (name == NULL) { + IDMAP_LOG(0, ("%s: name is null", __func__)); + return -EINVAL; + } + if (uid == NULL) { + IDMAP_LOG(0, ("%s: uid is null", __func__)); + return -EINVAL; + } + + rc = sss_strnlen(name, SSS_NAME_MAX, &name_len); + if (rc != 0) { + IDMAP_LOG(0, ("%s: no-strnlen; rc=%i", __func__, rc)); + return -rc; + } + + rc = get_uid_from_mc(uid, name); + if (rc != 0) { + rc = name_to_id(name, uid, SSS_NSS_GETPWNAM); + } + + log_actual_rc(__func__, rc); + rc = normalise_rc(rc); + + return -rc; +} + +static int sss_nfs_name_to_gid(char *name, gid_t *gid) +{ + int rc; + size_t name_len = 0; + + if (name == NULL) { + IDMAP_LOG(0, ("%s: name is null", __func__)); + return -EINVAL; + } + if (gid == NULL) { + IDMAP_LOG(0, ("%s: gid is null", __func__)); + return -EINVAL; + } + + rc = sss_strnlen(name, SSS_NAME_MAX, 
&name_len); + if (rc != 0) { + IDMAP_LOG(0, ("%s: no-strnlen; rc=%i", __func__, rc)); + return -rc; + } + + rc = get_gid_from_mc(gid, name); + if (rc != 0) { + rc = name_to_id(name, gid, SSS_NSS_GETGRNAM); + } + + log_actual_rc(__func__, rc); + rc = normalise_rc(rc); + + return -rc; +} + +static int sss_nfs_uid_to_name(uid_t uid, char *domain, char *name, size_t len) +{ + int rc; + + if (name == NULL) { + IDMAP_LOG(0, ("%s: name is null", __func__)); + return -EINVAL; + } + + rc = get_user_from_mc(name, len, uid); + if (rc != 0) { + rc = id_to_name(name, len, uid, SSS_NSS_GETPWUID); + } + + log_actual_rc(__func__, rc); + rc = normalise_rc(rc); + + return -rc; +} + +static int sss_nfs_gid_to_name(gid_t gid, char *domain, char *name, size_t len) +{ + int rc; + + if (name == NULL) { + IDMAP_LOG(0, ("%s: name is null", __func__)); + return -EINVAL; + } + + rc = get_group_from_mc(name, len, gid); + if (rc != 0) { + rc = id_to_name(name, len, gid, SSS_NSS_GETGRGID); + } + + log_actual_rc(__func__, rc); + rc = normalise_rc(rc); + + return -rc; +} + +static int sss_nfs_gss_princ_to_grouplist( + char *secname, char *princ, gid_t *groups, int *ngroups, + extra_mapping_params **ex) +{ + IDMAP_LOG(0, ("%s: not implemented", __func__)); + return -ENOENT; +} + +static struct trans_func s_sss_nfs_trans = { + .name = sss_nfs_plugin_name, + .init = sss_nfs_init, + .princ_to_ids = sss_nfs_princ_to_ids, + .name_to_uid = sss_nfs_name_to_uid, + .name_to_gid = sss_nfs_name_to_gid, + .uid_to_name = sss_nfs_uid_to_name, + .gid_to_name = sss_nfs_gid_to_name, + .gss_princ_to_grouplist = sss_nfs_gss_princ_to_grouplist, +}; + +struct trans_func *libnfsidmap_plugin_init(void) +{ + return (&s_sss_nfs_trans); +} diff --git a/src/sss_client/nss_common.h b/src/sss_client/nss_common.h new file mode 100644 index 0000000..e83b4f9 --- /dev/null +++ b/src/sss_client/nss_common.h 
@@ -0,0 +1,43 @@ +/* + SSSD + + Common routines for classical and enhanced NSS interface + + Authors: + Sumit Bose + + Copyright (C) Red Hat, Inc 2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + + + +struct sss_nss_pw_rep { + struct passwd *result; + char *buffer; + size_t buflen; +}; + +int sss_nss_getpw_readrep(struct sss_nss_pw_rep *pr, + uint8_t *buf, size_t *len); + +struct sss_nss_gr_rep { + struct group *result; + char *buffer; + size_t buflen; +}; + +int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr, + uint8_t *buf, size_t *len); diff --git a/src/sss_client/nss_compat.h b/src/sss_client/nss_compat.h new file mode 100644 index 0000000..97fbfeb --- /dev/null +++ b/src/sss_client/nss_compat.h 
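Review bot: nss_common.h has no include guard and includes nothing, although its declarations use `uint8_t`, `size_t`, `struct passwd` and `struct group`, so it relies on the including file having already pulled in the right system headers (nss_group.c includes it last). Wrapping the file in `#ifndef NSS_COMMON_H_` / `#define NSS_COMMON_H_` … `#endif`, as nss_compat.h does, and including `<stdint.h>`, `<stddef.h>`, `<pwd.h>` and `<grp.h>` at the top would make it self-contained. A short comment on `sss_nss_getgr_readrep` would also help callers: `/* *len is the remaining reply length on entry and is updated on return */`, which is how the implementation in nss_group.c uses it.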
@@ -0,0 +1,67 @@ +/* + SSSD + + nss_compat.h + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Portions of this source file were copied from nss-pam-ldapd version + 0.7.8, licensed under LGPLv2.1+ +*/ + +#ifndef NSS_COMPAT_H_ +#define NSS_COMPAT_H_ + +/* We also define struct __netgrent because it's definition is + not publically available. This is taken from inet/netgroup.h + of the glibc (2.3.6) source tarball. + The first part of the struct is the only part that is modified + by our getnetgrent() function, all the other fields are not + touched at all. */ +struct __netgrent +{ + enum { triple_val, group_val } type; + union + { + struct + { + const char *host; + const char *user; + const char *domain; + } triple; + const char *group; + } val; + /* the following stuff is used by some NSS services + but not by ours (it's not completely clear how these + are shared between different services) or is used + by our caller */ + char *data; + size_t data_size; + union + { + char *cursor; + unsigned long int position; + } idx; /* added name to union to avoid warning */ + int first; + struct name_list *known_groups; + struct name_list *needed_groups; + void *nip; /* changed from `service_user *nip' */ +}; + +#endif /* NSS_COMPAT_H_ */ diff --git a/src/sss_client/nss_group.c b/src/sss_client/nss_group.c new file mode 100644 index 0000000..5ab2bdf --- /dev/null 
+++ b/src/sss_client/nss_group.c 
@@ -0,0 +1,752 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2007 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* GROUP database NSS interface */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "sss_cli.h" +#include "nss_mc.h" +#include "nss_common.h" + +static struct sss_nss_getgrent_data { + size_t len; + size_t ptr; + uint8_t *data; +} sss_nss_getgrent_data; + +static void sss_nss_getgrent_data_clean(void) +{ + if (sss_nss_getgrent_data.data != NULL) { + free(sss_nss_getgrent_data.data); + sss_nss_getgrent_data.data = NULL; + } + sss_nss_getgrent_data.len = 0; + sss_nss_getgrent_data.ptr = 0; +} + +enum sss_nss_gr_type { + GETGR_NONE, + GETGR_NAME, + GETGR_GID +}; + +static struct sss_nss_getgr_data { + enum sss_nss_gr_type type; + union { + char *grname; + gid_t gid; + } id; + + uint8_t *repbuf; + size_t replen; +} sss_nss_getgr_data; + +static void sss_nss_getgr_data_clean(bool freebuf) +{ + if (sss_nss_getgr_data.type == GETGR_NAME) { + free(sss_nss_getgr_data.id.grname); + } + if (freebuf) { + free(sss_nss_getgr_data.repbuf); + } + memset(&sss_nss_getgr_data, 0, sizeof(struct sss_nss_getgr_data)); +} + +static enum nss_status sss_nss_get_getgr_cache(const char *name, gid_t gid, + enum sss_nss_gr_type type, + uint8_t **repbuf, + size_t *replen, + int *errnop) 
+{ + bool freebuf = true; + enum nss_status status; + int ret = 0; + + if (sss_nss_getgr_data.type != type) { + status = NSS_STATUS_NOTFOUND; + goto done; + } + + switch (type) { + case GETGR_NAME: + ret = strcmp(name, sss_nss_getgr_data.id.grname); + if (ret != 0) { + status = NSS_STATUS_NOTFOUND; + goto done; + } + break; + case GETGR_GID: + if (sss_nss_getgr_data.id.gid != gid) { + status = NSS_STATUS_NOTFOUND; + goto done; + } + break; + default: + status = NSS_STATUS_TRYAGAIN; + ret = EINVAL; + goto done; + } + + /* ok we have it, remove from cache and pass back to the caller */ + *repbuf = sss_nss_getgr_data.repbuf; + *replen = sss_nss_getgr_data.replen; + + /* prevent _clean() from freeing the buffer */ + freebuf = false; + status = NSS_STATUS_SUCCESS; + +done: + sss_nss_getgr_data_clean(freebuf); + *errnop = ret; + return status; +} + +/* this function always takes ownership of repbuf and NULLs it before + * returning */ +static void sss_nss_save_getgr_cache(const char *name, gid_t gid, + enum sss_nss_gr_type type, + uint8_t **repbuf, size_t replen) +{ + int ret = 0; + + sss_nss_getgr_data.type = type; + sss_nss_getgr_data.repbuf = *repbuf; + sss_nss_getgr_data.replen = replen; + + switch (type) { + case GETGR_NAME: + if (name == NULL) { + ret = EINVAL; + goto done; + } + sss_nss_getgr_data.id.grname = strdup(name); + if (!sss_nss_getgr_data.id.grname) { + ret = ENOMEM; + goto done; + } + break; + case GETGR_GID: + if (gid == 0) { + ret = EINVAL; + goto done; + } + sss_nss_getgr_data.id.gid = gid; + break; + default: + ret = EINVAL; + goto done; + } + +done: + if (ret) { + sss_nss_getgr_data_clean(true); + } + *repbuf = NULL; +} + +/* GETGRNAM Request: + * + * 0-X: string with name + * + * GERTGRGID Request: + * + * 0-7: 32bit number with gid + * + * INITGROUPS Request: + * + * 0-3: 32bit number with gid + * 4-7: 32bit unsigned with max num of entries + * + * Replies: + * + * 0-3: 32bit unsigned number of results + * 4-7: 32bit unsigned (reserved/padding) + 
* For each result (64bit padded?): + * 0-3: 32bit number gid + * 4-7: 32bit unsigned number of members + * 8-X: sequence of 0 terminated strings (name, passwd, mem..) + * + * FIXME: do we need to pad so that each result is 32 bit aligned? + */ + +int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr, + uint8_t *buf, size_t *len) +{ + errno_t ret; + size_t i, l, slen, ptmem, pad, dlen, glen; + char *sbuf; + uint32_t mem_num; + uint32_t c; + + if (*len < 11) { /* not enough space for data, bad packet */ + return EBADMSG; + } + + SAFEALIGN_COPY_UINT32(&c, buf, NULL); + pr->result->gr_gid = c; + SAFEALIGN_COPY_UINT32(&mem_num, buf+sizeof(uint32_t), NULL); + + sbuf = (char *)&buf[8]; + slen = *len - 8; + dlen = pr->buflen; + + pr->result->gr_name = &(pr->buffer[0]); + i = 0; + + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->gr_name, + NULL); + if (ret != EOK) return ret; + + pr->result->gr_passwd = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->gr_passwd, + NULL); + if (ret != EOK) return ret; + + /* Make sure pr->buffer[i+pad] is aligned to sizeof(char *) */ + pad = PADDING_SIZE(i, char *); + + /* now members */ + pr->result->gr_mem = DISCARD_ALIGN(&(pr->buffer[i+pad]), char **); + + ptmem = (sizeof(char *) * (mem_num + 1)) + pad; + if (ptmem > dlen) { + return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */ + } + dlen -= ptmem; + ptmem += i; + pr->result->gr_mem[mem_num] = NULL; /* terminate array */ + + for (l = 0; l < mem_num; l++) { + pr->result->gr_mem[l] = &(pr->buffer[ptmem]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->gr_mem[l], + &glen); + if (ret != EOK) return ret; + + ptmem += glen + 1; + } + + *len = slen -i; + return 0; +} + +/* INITGROUP Reply: + * + * 0-3: 32bit unsigned number of results + * 4-7: 32bit unsigned (reserved/padding) + * For each result: + * 0-4: 32bit number with gid + */ + + +enum nss_status _nss_sss_initgroups_dyn(const char *user, 
gid_t group, + long int *start, long int *size, + gid_t **groups, long int limit, + int *errnop) +{ + struct sss_cli_req_data rd; + uint8_t *repbuf; + size_t replen; + enum nss_status nret; + size_t buf_index = 0; + size_t user_len; + uint32_t num_ret; + long int l, max_ret; + int ret; + + ret = sss_strnlen(user, SSS_NAME_MAX, &user_len); + if (ret != 0) { + *errnop = EINVAL; + return NSS_STATUS_NOTFOUND; + } + + ret = sss_nss_mc_initgroups_dyn(user, user_len, group, start, size, + groups, limit); + switch (ret) { + case 0: + *errnop = 0; + return NSS_STATUS_SUCCESS; + case ERANGE: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + rd.len = user_len + 1; + rd.data = user; + + sss_nss_lock(); + + /* previous thread might already initialize entry in mmap cache */ + ret = sss_nss_mc_initgroups_dyn(user, user_len, group, start, size, + groups, limit); + switch (ret) { + case 0: + *errnop = 0; + nret = NSS_STATUS_SUCCESS; + goto out; + case ERANGE: + *errnop = ERANGE; + nret = NSS_STATUS_TRYAGAIN; + goto out; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + nret = sss_nss_make_request(SSS_NSS_INITGR, &rd, + &repbuf, &replen, errnop); + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + /* no results if not found */ + SAFEALIGN_COPY_UINT32(&num_ret, repbuf, NULL); + if (num_ret == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + max_ret = num_ret; + + /* check we have enough space in the buffer */ + if ((*size - *start) < num_ret) { + long int newsize; + gid_t *newgroups; + + newsize = *size + num_ret; + if ((limit > 0) && (newsize > limit)) { + newsize = limit; + max_ret = 
newsize - *start; + } + + newgroups = (gid_t *)realloc((*groups), newsize * sizeof(**groups)); + if (!newgroups) { + *errnop = ENOMEM; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + *groups = newgroups; + *size = newsize; + } + + /* Skip first two 32 bit values (number of results and + * reserved padding) */ + buf_index = 2 * sizeof(uint32_t); + + for (l = 0; l < max_ret; l++) { + SAFEALIGN_COPY_UINT32(&(*groups)[*start], repbuf + buf_index, + &buf_index); + *start += 1; + } + + free(repbuf); + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + + +enum nss_status _nss_sss_getgrnam_r(const char *name, struct group *result, + char *buffer, size_t buflen, int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_gr_rep grrep; + uint8_t *repbuf; + size_t replen, len, name_len; + uint32_t num_results; + enum nss_status nret; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + ret = sss_strnlen(name, SSS_NAME_MAX, &name_len); + if (ret != 0) { + *errnop = EINVAL; + return NSS_STATUS_NOTFOUND; + } + + ret = sss_nss_mc_getgrnam(name, name_len, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + return NSS_STATUS_SUCCESS; + case ERANGE: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + rd.len = name_len + 1; + rd.data = name; + + sss_nss_lock(); + + /* previous thread might already initialize entry in mmap cache */ + ret = sss_nss_mc_getgrnam(name, name_len, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + nret = NSS_STATUS_SUCCESS; + goto out; + case ERANGE: + *errnop = ERANGE; + nret = NSS_STATUS_TRYAGAIN; + goto out; + case ENOENT: + /* fall through, we need to actively ask the parent 
+ * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + nret = sss_nss_get_getgr_cache(name, 0, GETGR_NAME, + &repbuf, &replen, errnop); + if (nret == NSS_STATUS_NOTFOUND) { + nret = sss_nss_make_request(SSS_NSS_GETGRNAM, &rd, + &repbuf, &replen, errnop); + } + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + grrep.result = result; + grrep.buffer = buffer; + grrep.buflen = buflen; + + /* Get number of results from repbuf. */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + *errnop = EBADMSG; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + len = replen - 8; + ret = sss_nss_getgr_readrep(&grrep, repbuf+8, &len); + if (ret == ERANGE) { + sss_nss_save_getgr_cache(name, 0, GETGR_NAME, &repbuf, replen); + } else { + free(repbuf); + } + if (ret) { + *errnop = ret; + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + +enum nss_status _nss_sss_getgrgid_r(gid_t gid, struct group *result, + char *buffer, size_t buflen, int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_gr_rep grrep; + uint8_t *repbuf; + size_t replen, len; + uint32_t num_results; + enum nss_status nret; + uint32_t group_gid; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + ret = sss_nss_mc_getgrgid(gid, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + return NSS_STATUS_SUCCESS; + case ERANGE: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, 
+ * fall back to socket based comms */ + break; + } + + group_gid = gid; + rd.len = sizeof(uint32_t); + rd.data = &group_gid; + + sss_nss_lock(); + + /* previous thread might already initialize entry in mmap cache */ + ret = sss_nss_mc_getgrgid(gid, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + nret = NSS_STATUS_SUCCESS; + goto out; + case ERANGE: + *errnop = ERANGE; + nret = NSS_STATUS_TRYAGAIN; + goto out; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + nret = sss_nss_get_getgr_cache(NULL, gid, GETGR_GID, + &repbuf, &replen, errnop); + if (nret == NSS_STATUS_NOTFOUND) { + nret = sss_nss_make_request(SSS_NSS_GETGRGID, &rd, + &repbuf, &replen, errnop); + } + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + grrep.result = result; + grrep.buffer = buffer; + grrep.buflen = buflen; + + /* Get number of results from repbuf. 
*/ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + *errnop = EBADMSG; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + len = replen - 8; + ret = sss_nss_getgr_readrep(&grrep, repbuf+8, &len); + if (ret == ERANGE) { + sss_nss_save_getgr_cache(NULL, gid, GETGR_GID, &repbuf, replen); + } else { + free(repbuf); + } + if (ret) { + *errnop = ret; + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + +enum nss_status _nss_sss_setgrent(void) +{ + enum nss_status nret; + int errnop; + + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + sss_nss_getgrent_data_clean(); + + nret = sss_nss_make_request(SSS_NSS_SETGRENT, + NULL, NULL, NULL, &errnop); + if (nret != NSS_STATUS_SUCCESS) { + errno = errnop; + } + + sss_nss_unlock(); + return nret; +} + +static enum nss_status internal_getgrent_r(struct group *result, + char *buffer, size_t buflen, + int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_gr_rep grrep; + uint8_t *repbuf; + size_t replen; + uint32_t num_results; + enum nss_status nret; + uint32_t num_entries; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + /* if there are leftovers return the next one */ + if (sss_nss_getgrent_data.data != NULL && + sss_nss_getgrent_data.ptr < sss_nss_getgrent_data.len) { + + repbuf = (uint8_t *)sss_nss_getgrent_data.data + + sss_nss_getgrent_data.ptr; + replen = sss_nss_getgrent_data.len - + sss_nss_getgrent_data.ptr; + + grrep.result = result; + grrep.buffer = buffer; + grrep.buflen = buflen; + + ret = sss_nss_getgr_readrep(&grrep, repbuf, &replen); + if (ret) { + *errnop = ret; + return 
NSS_STATUS_TRYAGAIN; + } + + /* advance buffer pointer */ + sss_nss_getgrent_data.ptr = sss_nss_getgrent_data.len - replen; + + return NSS_STATUS_SUCCESS; + } + + /* release memory if any */ + sss_nss_getgrent_data_clean(); + + /* retrieve no more than SSS_NSS_MAX_ENTRIES at a time */ + num_entries = SSS_NSS_MAX_ENTRIES; + rd.len = sizeof(uint32_t); + rd.data = &num_entries; + + nret = sss_nss_make_request(SSS_NSS_GETGRENT, &rd, + &repbuf, &replen, errnop); + if (nret != NSS_STATUS_SUCCESS) { + return nret; + } + + /* Get number of results from repbuf. */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if ((num_results == 0) || (replen - 8 == 0)) { + free(repbuf); + return NSS_STATUS_NOTFOUND; + } + + sss_nss_getgrent_data.data = repbuf; + sss_nss_getgrent_data.len = replen; + sss_nss_getgrent_data.ptr = 8; /* skip metadata fields */ + + /* call again ourselves, this will return the first result */ + return internal_getgrent_r(result, buffer, buflen, errnop); +} + +enum nss_status _nss_sss_getgrent_r(struct group *result, + char *buffer, size_t buflen, int *errnop) +{ + enum nss_status nret; + + sss_nss_lock(); + nret = internal_getgrent_r(result, buffer, buflen, errnop); + sss_nss_unlock(); + + return nret; +} + +enum nss_status _nss_sss_endgrent(void) +{ + enum nss_status nret; + int errnop; + + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + sss_nss_getgrent_data_clean(); + + nret = sss_nss_make_request(SSS_NSS_ENDGRENT, + NULL, NULL, NULL, &errnop); + if (nret != NSS_STATUS_SUCCESS) { + errno = errnop; + } + + sss_nss_unlock(); + return nret; +} diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h new file mode 100644 index 0000000..a39d45f --- /dev/null +++ b/src/sss_client/nss_mc.h 
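Review bot: In `sss_nss_getgr_readrep` the member count `mem_num` is taken from the reply and used in `ptmem = (sizeof(char *) * (mem_num + 1)) + pad;` without an upper bound, and `mem_num + 1` is evaluated in 32 bits, so a count of `UINT32_MAX` wraps to 0, passes the `ptmem > dlen` check, and `pr->result->gr_mem[mem_num] = NULL` then writes far outside the caller's buffer. On 32-bit builds the multiplication itself can wrap as well. The reply comes from the SSSD responder, so this is defence in depth, but an NSS module should reject such a reply before indexing, for example `if (pad > dlen || mem_num >= (dlen - pad) / sizeof(char *)) return ERANGE;` in place of the current check. The callers in this file trust the reply in the same way: `_nss_sss_getgrnam_r` and `_nss_sss_getgrgid_r` compute `len = replen - 8`, and `_nss_sss_initgroups_dyn` copies `max_ret` gids out of `repbuf`, none of them comparing against `replen` first, unless `sss_nss_make_request` (not shown here) guarantees a minimum reply size.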
@@ -0,0 +1,93 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2011 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* NSS interfaces to mmap cache */ + +#ifndef _NSS_MC_H_ +#define _NSS_MC_H_ + +#include +#include +#include +#include +#include "util/mmap_cache.h" + +#ifndef HAVE_ERRNO_T +#define HAVE_ERRNO_T +typedef int errno_t; +#endif + +enum sss_mc_state { + UNINITIALIZED = 0, + INITIALIZED, + RECYCLED, +}; + +/* common stuff */ +struct sss_cli_mc_ctx { + enum sss_mc_state initialized; + int fd; + + uint32_t seed; /* seed from the tables header */ + + void *mmap_base; /* base address of mmap */ + size_t mmap_size; /* total size of mmap */ + + uint8_t *data_table; /* data table address (in mmap) */ + uint32_t dt_size; /* size of data table */ + + uint32_t *hash_table; /* hash table address (in mmap) */ + uint32_t ht_size; /* size of hash table */ + + uint32_t active_threads; /* count of threads which use memory cache */ +}; + +errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx); +errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx); +uint32_t sss_nss_mc_hash(struct sss_cli_mc_ctx *ctx, + const char *key, size_t len); +errno_t sss_nss_mc_get_record(struct sss_cli_mc_ctx *ctx, + uint32_t slot, struct sss_mc_rec **_rec); +errno_t sss_nss_str_ptr_from_buffer(char **str, void **cookie, + char 
*buf, size_t len); +uint32_t sss_nss_mc_next_slot_with_hash(struct sss_mc_rec *rec, + uint32_t hash); + +/* passwd db */ +errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len, + struct passwd *result, + char *buffer, size_t buflen); +errno_t sss_nss_mc_getpwuid(uid_t uid, + struct passwd *result, + char *buffer, size_t buflen); + +/* group db */ +errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len, + struct group *result, + char *buffer, size_t buflen); +errno_t sss_nss_mc_getgrgid(gid_t gid, + struct group *result, + char *buffer, size_t buflen); + +/* initgroups db */ +errno_t sss_nss_mc_initgroups_dyn(const char *name, size_t name_len, + gid_t group, long int *start, long int *size, + gid_t **groups, long int limit); + +#endif /* _NSS_MC_H_ */ diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c new file mode 100644 index 0000000..8aa8c12 --- /dev/null +++ b/src/sss_client/nss_mc_common.c 
@@ -0,0 +1,383 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2011 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* NSS interfaces to mmap cache */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "nss_mc.h" +#include "sss_cli.h" +#include "shared/io.h" + +/* FIXME: hook up to library destructor to avoid leaks */ +/* FIXME: temporarily open passwd file on our own, later we will probably + * use socket passing from the main process */ +/* FIXME: handle name upper/lower casing? Maybe a flag passed down by + * SSSD or a flag in sss_mc_header? per domain? 
*/ + +#define MEMCPY_WITH_BARRIERS(res, dest, src, len) \ +do { \ + uint32_t _b1; \ + res = false; \ + _b1 = (src)->b1; \ + if (MC_VALID_BARRIER(_b1)) { \ + __sync_synchronize(); \ + memcpy(dest, src, len); \ + __sync_synchronize(); \ + if ((src)->b2 == _b1) { \ + res = true; \ + } \ + } \ +} while(0) + +errno_t sss_nss_check_header(struct sss_cli_mc_ctx *ctx) +{ + struct sss_mc_header h; + bool copy_ok; + int count; + int ret; + struct stat fdstat; + + /* retry barrier protected reading max 5 times then give up */ + for (count = 5; count > 0; count--) { + MEMCPY_WITH_BARRIERS(copy_ok, &h, + (struct sss_mc_header *)ctx->mmap_base, + sizeof(struct sss_mc_header)); + if (copy_ok) { + /* record is consistent so we can proceed */ + break; + } + } + if (count == 0) { + /* couldn't successfully read header we have to give up */ + return EIO; + } + + if (h.major_vno != SSS_MC_MAJOR_VNO || + h.minor_vno != SSS_MC_MINOR_VNO || + h.status == SSS_MC_HEADER_RECYCLED) { + return EINVAL; + } + + /* first time we check the header, let's fill our own struct */ + if (ctx->data_table == NULL) { + ctx->seed = h.seed; + ctx->data_table = MC_PTR_ADD(ctx->mmap_base, h.data_table); + ctx->hash_table = MC_PTR_ADD(ctx->mmap_base, h.hash_table); + ctx->dt_size = h.dt_size; + ctx->ht_size = h.ht_size; + } else { + if (ctx->seed != h.seed || + ctx->data_table != MC_PTR_ADD(ctx->mmap_base, h.data_table) || + ctx->hash_table != MC_PTR_ADD(ctx->mmap_base, h.hash_table) || + ctx->dt_size != h.dt_size || + ctx->ht_size != h.ht_size) { + return EINVAL; + } + } + + ret = fstat(ctx->fd, &fdstat); + if (ret == -1) { + return EIO; + } + + if (fdstat.st_nlink == 0) { + /* memory cache was removed; we need to reinitialize it. 
*/ + return EINVAL; + } + + return 0; +} + +static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx) +{ + uint32_t active_threads = ctx->active_threads; + + if ((ctx->mmap_base != NULL) && (ctx->mmap_size != 0)) { + munmap(ctx->mmap_base, ctx->mmap_size); + } + if (ctx->fd != -1) { + close(ctx->fd); + } + memset(ctx, 0, sizeof(struct sss_cli_mc_ctx)); + ctx->fd = -1; + + /* restore count of active threads */ + ctx->active_threads = active_threads; +} + +static errno_t sss_nss_mc_init_ctx(const char *name, + struct sss_cli_mc_ctx *ctx) +{ + struct stat fdstat; + char *file = NULL; + int ret; + + sss_nss_mc_lock(); + /* check if ctx is initialised by previous thread. */ + if (ctx->initialized != UNINITIALIZED) { + ret = sss_nss_check_header(ctx); + goto done; + } + + ret = asprintf(&file, "%s/%s", SSS_NSS_MCACHE_DIR, name); + if (ret == -1) { + ret = ENOMEM; + goto done; + } + + ctx->fd = sss_open_cloexec(file, O_RDONLY, &ret); + if (ctx->fd == -1) { + goto done; + } + + ret = fstat(ctx->fd, &fdstat); + if (ret == -1) { + ret = EIO; + goto done; + } + + if (fdstat.st_size < MC_HEADER_SIZE) { + ret = ENOMEM; + goto done; + } + ctx->mmap_size = fdstat.st_size; + + ctx->mmap_base = mmap(NULL, ctx->mmap_size, + PROT_READ, MAP_SHARED, ctx->fd, 0); + if (ctx->mmap_base == MAP_FAILED) { + ret = ENOMEM; + goto done; + } + + ret = sss_nss_check_header(ctx); + if (ret != 0) { + goto done; + } + + ctx->initialized = INITIALIZED; + + ret = 0; + +done: + if (ret) { + sss_nss_mc_destroy_ctx(ctx); + } + free(file); + sss_nss_mc_unlock(); + + return ret; +} + +errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx) +{ + char *envval; + int ret; + bool need_decrement = false; + + envval = getenv("SSS_NSS_USE_MEMCACHE"); + if (envval && strcasecmp(envval, "NO") == 0) { + return EPERM; + } + + switch (ctx->initialized) { + case UNINITIALIZED: + __sync_add_and_fetch(&ctx->active_threads, 1); + ret = sss_nss_mc_init_ctx(name, ctx); + if (ret) { + need_decrement = 
true; + } + break; + case INITIALIZED: + __sync_add_and_fetch(&ctx->active_threads, 1); + ret = sss_nss_check_header(ctx); + if (ret) { + need_decrement = true; + } + break; + case RECYCLED: + /* we need to safely destroy memory cache */ + ret = EAGAIN; + break; + default: + ret = EFAULT; + } + + if (ret) { + if (ctx->initialized == INITIALIZED) { + ctx->initialized = RECYCLED; + } + if (ctx->initialized == RECYCLED && ctx->active_threads == 0) { + /* just one thread should call munmap */ + sss_nss_mc_lock(); + if (ctx->initialized == RECYCLED) { + sss_nss_mc_destroy_ctx(ctx); + } + sss_nss_mc_unlock(); + } + if (need_decrement) { + /* In case of error, we will not touch mmapped area => decrement */ + __sync_sub_and_fetch(&ctx->active_threads, 1); + } + } + return ret; +} + +uint32_t sss_nss_mc_hash(struct sss_cli_mc_ctx *ctx, + const char *key, size_t len) +{ + return murmurhash3(key, len, ctx->seed) % MC_HT_ELEMS(ctx->ht_size); +} + +errno_t sss_nss_mc_get_record(struct sss_cli_mc_ctx *ctx, + uint32_t slot, struct sss_mc_rec **_rec) +{ + struct sss_mc_rec *rec; + struct sss_mc_rec *copy_rec = NULL; + size_t buf_size = 0; + size_t rec_len; + uint32_t b1; + uint32_t b2; + bool copy_ok; + int count; + int ret; + + /* try max 5 times */ + for (count = 5; count > 0; count--) { + rec = MC_SLOT_TO_PTR(ctx->data_table, slot, struct sss_mc_rec); + + /* fetch record length */ + b1 = rec->b1; + __sync_synchronize(); + rec_len = rec->len; + __sync_synchronize(); + b2 = rec->b2; + if (!MC_VALID_BARRIER(b1) || b1 != b2) { + /* record is inconsistent, retry */ + continue; + } + + if (!MC_CHECK_RECORD_LENGTH(ctx, rec)) { + /* record has invalid length */ + free(copy_rec); + return EINVAL; + } + + if (rec_len > buf_size) { + free(copy_rec); + copy_rec = malloc(rec_len); + if (!copy_rec) { + ret = ENOMEM; + goto done; + } + buf_size = rec_len; + } + /* we cannot access data directly, we must copy data and then + * access the copy */ + MEMCPY_WITH_BARRIERS(copy_ok, copy_rec, rec, 
rec_len); + + /* we must check data is consistent again after the copy */ + if (copy_ok && b1 == copy_rec->b2) { + /* record is consistent, use it */ + break; + } + } + if (count == 0) { + /* couldn't successfully read header we have to give up */ + ret = EIO; + goto done; + } + + *_rec = copy_rec; + ret = 0; + +done: + if (ret) { + free(copy_rec); + *_rec = NULL; + } + return ret; +} + +/* + * returns strings from a buffer. + * + * Call first time with *cookie set to null, then call again + * with the returned cookie. + * On the last string the cookie will be reset to null and + * all strings will have been returned. + * In case the last string is not zero terminated EINVAL is returned. + */ +errno_t sss_nss_str_ptr_from_buffer(char **str, void **cookie, + char *buf, size_t len) +{ + char *max = buf + len; + char *ret; + char *p; + + if (*cookie == NULL) { + p = buf; + } else { + p = *((char **)cookie); + } + + ret = p; + + while (p < max) { + if (*p == '\0') { + break; + } + p++; + } + if (p >= max) { + return EINVAL; + } + p++; + if (p == max) { + *cookie = NULL; + } else { + *cookie = p; + } + + *str = ret; + return 0; +} + +uint32_t sss_nss_mc_next_slot_with_hash(struct sss_mc_rec *rec, + uint32_t hash) +{ + if (rec->hash1 == hash) { + return rec->next1; + } else if (rec->hash2 == hash) { + return rec->next2; + } else { + /* it should never happen. */ + return MC_INVALID_VAL; + } + +} diff --git a/src/sss_client/nss_mc_group.c b/src/sss_client/nss_mc_group.c new file mode 100644 index 0000000..3371e0f --- /dev/null +++ b/src/sss_client/nss_mc_group.c 
@@ -0,0 +1,250 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2011 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* GROUP database NSS interface using mmap cache */ + +#include +#include +#include +#include +#include +#include +#include +#include "nss_mc.h" +#include "shared/safealign.h" + +struct sss_cli_mc_ctx gr_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, + NULL, 0, 0 }; + +static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, + struct group *result, + char *buffer, size_t buflen) +{ + struct sss_mc_grp_data *data; + time_t expire; + void *cookie; + char *membuf; + size_t memsize; + int ret; + int i; + + /* additional checks before filling result*/ + expire = rec->expire; + if (expire < time(NULL)) { + /* entry is now invalid */ + return EINVAL; + } + + data = (struct sss_mc_grp_data *)rec->data; + + memsize = (data->members + 1) * sizeof(char *); + if (data->strs_len + memsize > buflen) { + return ERANGE; + } + + /* fill in glibc provided structs */ + + /* copy in buffer */ + membuf = buffer + memsize; + memcpy(membuf, data->strs, data->strs_len); + + /* fill in group */ + result->gr_gid = data->gid; + + /* The address &buffer[0] must be aligned to sizeof(char *) */ + if (!IS_ALIGNED(buffer, char *)) { + /* The buffer is not properly aligned. 
*/ + return EFAULT; + } + + result->gr_mem = DISCARD_ALIGN(buffer, char **); + result->gr_mem[data->members] = NULL; + + cookie = NULL; + ret = sss_nss_str_ptr_from_buffer(&result->gr_name, &cookie, + membuf, data->strs_len); + if (ret) { + return ret; + } + ret = sss_nss_str_ptr_from_buffer(&result->gr_passwd, &cookie, + membuf, data->strs_len); + if (ret) { + return ret; + } + + for (i = 0; i < data->members; i++) { + ret = sss_nss_str_ptr_from_buffer(&result->gr_mem[i], &cookie, + membuf, data->strs_len); + if (ret) { + return ret; + } + } + if (cookie != NULL) { + return EINVAL; + } + + return 0; +} + +errno_t sss_nss_mc_getgrnam(const char *name, size_t name_len, + struct group *result, + char *buffer, size_t buflen) +{ + struct sss_mc_rec *rec = NULL; + struct sss_mc_grp_data *data; + char *rec_name; + uint32_t hash; + uint32_t slot; + int ret; + const size_t strs_offset = offsetof(struct sss_mc_grp_data, strs); + size_t data_size; + + ret = sss_nss_mc_get_ctx("group", &gr_mc_ctx); + if (ret) { + return ret; + } + + /* Get max size of data table. */ + data_size = gr_mc_ctx.dt_size; + + /* hashes are calculated including the NULL terminator */ + hash = sss_nss_mc_hash(&gr_mc_ctx, name, name_len + 1); + slot = gr_mc_ctx.hash_table[hash]; + + /* If slot is not within the bounds of mmapped region and + * it's value is not MC_INVALID_VAL, then the cache is + * probably corrupted. 
*/ + while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) { + /* free record from previous iteration */ + free(rec); + rec = NULL; + + ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec); + if (ret) { + goto done; + } + + /* check record matches what we are searching for */ + if (hash != rec->hash1) { + /* if name hash does not match we can skip this immediately */ + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + continue; + } + + data = (struct sss_mc_grp_data *)rec->data; + rec_name = (char *)data + data->name; + /* Integrity check + * - data->name cannot point outside strings + * - all strings must be within copy of record + * - rec_name is a zero-terminated string */ + if (data->name < strs_offset + || data->name >= strs_offset + data->strs_len + || data->strs_len > rec->len) { + ret = ENOENT; + goto done; + } + + if (strcmp(name, rec_name) == 0) { + break; + } + + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + } + + if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) { + ret = ENOENT; + goto done; + } + + ret = sss_nss_mc_parse_result(rec, result, buffer, buflen); + +done: + free(rec); + __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1); + return ret; +} + +errno_t sss_nss_mc_getgrgid(gid_t gid, + struct group *result, + char *buffer, size_t buflen) +{ + struct sss_mc_rec *rec = NULL; + struct sss_mc_grp_data *data; + char gidstr[11]; + uint32_t hash; + uint32_t slot; + int len; + int ret; + + ret = sss_nss_mc_get_ctx("group", &gr_mc_ctx); + if (ret) { + return ret; + } + + len = snprintf(gidstr, 11, "%ld", (long)gid); + if (len > 10) { + ret = EINVAL; + goto done; + } + + /* hashes are calculated including the NULL terminator */ + hash = sss_nss_mc_hash(&gr_mc_ctx, gidstr, len+1); + slot = gr_mc_ctx.hash_table[hash]; + + /* If slot is not within the bounds of mmapped region and + * it's value is not MC_INVALID_VAL, then the cache is + * probably corrupted. 
*/ + while (MC_SLOT_WITHIN_BOUNDS(slot, gr_mc_ctx.dt_size)) { + /* free record from previous iteration */ + free(rec); + rec = NULL; + + ret = sss_nss_mc_get_record(&gr_mc_ctx, slot, &rec); + if (ret) { + goto done; + } + + /* check record matches what we are searching for */ + if (hash != rec->hash2) { + /* if uid hash does not match we can skip this immediately */ + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + continue; + } + + data = (struct sss_mc_grp_data *)rec->data; + if (gid == data->gid) { + break; + } + + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + } + + if (!MC_SLOT_WITHIN_BOUNDS(slot, gr_mc_ctx.dt_size)) { + ret = ENOENT; + goto done; + } + + ret = sss_nss_mc_parse_result(rec, result, buffer, buflen); + +done: + free(rec); + __sync_sub_and_fetch(&gr_mc_ctx.active_threads, 1); + return ret; +} + diff --git a/src/sss_client/nss_mc_initgr.c b/src/sss_client/nss_mc_initgr.c new file mode 100644 index 0000000..331930c --- /dev/null +++ b/src/sss_client/nss_mc_initgr.c 
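Review bot: `sss_nss_mc_getgrgid` passes the record to `sss_nss_mc_parse_result` without the integrity check that `sss_nss_mc_getgrnam` performs, so on the by-gid path nothing compares `data->strs_len` with `rec->len` before `memcpy(membuf, data->strs, data->strs_len)` reads from the heap copy made by `sss_nss_mc_get_record`. A damaged or inconsistent cache record could then make that copy read past the allocation, since `buflen` bounds only the destination. I would move the check into `sss_nss_mc_parse_result` so both lookups share it, e.g. `if (data->strs_len > rec->len) return ENOENT;` ahead of the `memcpy`. The comparison probably also needs to account for the offset of `strs` inside the record, which depends on struct layouts not visible in this hunk. `sss_nss_mc_getpwuid` in nss_mc_passwd.c has the same gap.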
@@ -0,0 +1,164 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Authors: + * Lukas Slebodnik + * + * Copyright (C) 2015 Red Hat + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* INITGROUPs database NSS interface using mmap cache */ + +#include +#include +#include +#include +#include +#include +#include +#include "nss_mc.h" +#include "shared/safealign.h" + +struct sss_cli_mc_ctx initgr_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, + NULL, 0, 0 }; + +static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, + long int *start, long int *size, + gid_t **groups, long int limit) +{ + struct sss_mc_initgr_data *data; + time_t expire; + long int i; + uint32_t num_groups; + long int max_ret; + + /* additional checks before filling result*/ + expire = rec->expire; + if (expire < time(NULL)) { + /* entry is now invalid */ + return EINVAL; + } + + data = (struct sss_mc_initgr_data *)rec->data; + num_groups = data->num_groups; + max_ret = num_groups; + + /* check we have enough space in the buffer */ + if ((*size - *start) < num_groups) { + long int newsize; + gid_t *newgroups; + + newsize = *size + num_groups; + if ((limit > 0) && (newsize > limit)) { + newsize = limit; + max_ret = newsize - *start; + } + + newgroups = (gid_t *)realloc((*groups), newsize * sizeof(**groups)); + if (!newgroups) { + return ENOMEM; + } + *groups = newgroups; + 
*size = newsize; + } + + for (i = 0; i < max_ret; i++) { + SAFEALIGN_COPY_UINT32(&(*groups)[*start], data->gids + i, NULL); + *start += 1; + } + + return 0; +} + +errno_t sss_nss_mc_initgroups_dyn(const char *name, size_t name_len, + gid_t group, long int *start, long int *size, + gid_t **groups, long int limit) +{ + struct sss_mc_rec *rec = NULL; + struct sss_mc_initgr_data *data; + char *rec_name; + uint32_t hash; + uint32_t slot; + int ret; + const size_t data_offset = offsetof(struct sss_mc_initgr_data, gids); + size_t data_size; + + ret = sss_nss_mc_get_ctx("initgroups", &initgr_mc_ctx); + if (ret) { + return ret; + } + + /* Get max size of data table. */ + data_size = initgr_mc_ctx.dt_size; + + /* hashes are calculated including the NULL terminator */ + hash = sss_nss_mc_hash(&initgr_mc_ctx, name, name_len + 1); + slot = initgr_mc_ctx.hash_table[hash]; + + /* If slot is not within the bounds of mmapped region and + * it's value is not MC_INVALID_VAL, then the cache is + * probably corrupted. 
*/ + while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) { + /* free record from previous iteration */ + free(rec); + rec = NULL; + + ret = sss_nss_mc_get_record(&initgr_mc_ctx, slot, &rec); + if (ret) { + goto done; + } + + /* check record matches what we are searching for */ + if (hash != rec->hash1) { + /* if name hash does not match we can skip this immediately */ + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + continue; + } + + data = (struct sss_mc_initgr_data *)rec->data; + rec_name = (char *)data + data->name; + /* Integrity check + * - data->name cannot point outside all strings or data + * - all data must be within copy of record + * - data->strs cannot point outside strings + * - rec_name is a zero-terminated string */ + if (data->name < data_offset + || data->name >= data_offset + data->data_len + || data->strs_len > data->data_len + || data->data_len > rec->len) { + ret = ENOENT; + goto done; + } + + if (strcmp(name, rec_name) == 0) { + break; + } + + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + } + + if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) { + ret = ENOENT; + goto done; + } + + ret = sss_nss_mc_parse_result(rec, start, size, groups, limit); + +done: + free(rec); + __sync_sub_and_fetch(&initgr_mc_ctx.active_threads, 1); + return ret; +} diff --git a/src/sss_client/nss_mc_passwd.c b/src/sss_client/nss_mc_passwd.c new file mode 100644 index 0000000..ac44b71 --- /dev/null +++ b/src/sss_client/nss_mc_passwd.c 
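Review bot: `data->num_groups` is taken from the record in `sss_nss_mc_parse_result` and bounds the loop around `SAFEALIGN_COPY_UINT32(&(*groups)[*start], data->gids + i, NULL)`, but the integrity check in `sss_nss_mc_initgroups_dyn` covers only `name`, `strs_len` and `data_len`. A record whose `num_groups` exceeds the gid array it actually carries would make the loop read beyond the copied record and hand those words back to the caller as group ids. If `data_len` counts the bytes from `gids` onward, as the `data_offset` comparison suggests, adding `|| data->num_groups > data->data_len / sizeof(uint32_t)` to the existing condition gives a conservative bound.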
@@ -0,0 +1,243 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2011 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* PASSWD database NSS interface using mmap cache */ + +#include +#include +#include +#include +#include +#include +#include +#include "nss_mc.h" + +struct sss_cli_mc_ctx pw_mc_ctx = { UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, + NULL, 0, 0 }; + +static errno_t sss_nss_mc_parse_result(struct sss_mc_rec *rec, + struct passwd *result, + char *buffer, size_t buflen) +{ + struct sss_mc_pwd_data *data; + time_t expire; + void *cookie; + int ret; + + /* additional checks before filling result*/ + expire = rec->expire; + if (expire < time(NULL)) { + /* entry is now invalid */ + return EINVAL; + } + + data = (struct sss_mc_pwd_data *)rec->data; + + if (data->strs_len > buflen) { + return ERANGE; + } + + /* fill in glibc provided structs */ + + /* copy in buffer */ + memcpy(buffer, data->strs, data->strs_len); + + /* fill in passwd */ + result->pw_uid = data->uid; + result->pw_gid = data->gid; + + cookie = NULL; + ret = sss_nss_str_ptr_from_buffer(&result->pw_name, &cookie, + buffer, data->strs_len); + if (ret) { + return ret; + } + ret = sss_nss_str_ptr_from_buffer(&result->pw_passwd, &cookie, + buffer, data->strs_len); + if (ret) { + return ret; + } + ret = sss_nss_str_ptr_from_buffer(&result->pw_gecos, 
&cookie, + buffer, data->strs_len); + if (ret) { + return ret; + } + ret = sss_nss_str_ptr_from_buffer(&result->pw_dir, &cookie, + buffer, data->strs_len); + if (ret) { + return ret; + } + ret = sss_nss_str_ptr_from_buffer(&result->pw_shell, &cookie, + buffer, data->strs_len); + if (ret) { + return ret; + } + if (cookie != NULL) { + return EINVAL; + } + + return 0; +} + +errno_t sss_nss_mc_getpwnam(const char *name, size_t name_len, + struct passwd *result, + char *buffer, size_t buflen) +{ + struct sss_mc_rec *rec = NULL; + struct sss_mc_pwd_data *data; + char *rec_name; + uint32_t hash; + uint32_t slot; + int ret; + const size_t strs_offset = offsetof(struct sss_mc_pwd_data, strs); + size_t data_size; + + ret = sss_nss_mc_get_ctx("passwd", &pw_mc_ctx); + if (ret) { + return ret; + } + + /* Get max size of data table. */ + data_size = pw_mc_ctx.dt_size; + + /* hashes are calculated including the NULL terminator */ + hash = sss_nss_mc_hash(&pw_mc_ctx, name, name_len + 1); + slot = pw_mc_ctx.hash_table[hash]; + + /* If slot is not within the bounds of mmapped region and + * it's value is not MC_INVALID_VAL, then the cache is + * probably corrupted. 
*/ + while (MC_SLOT_WITHIN_BOUNDS(slot, data_size)) { + /* free record from previous iteration */ + free(rec); + rec = NULL; + + ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec); + if (ret) { + goto done; + } + + /* check record matches what we are searching for */ + if (hash != rec->hash1) { + /* if name hash does not match we can skip this immediately */ + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + continue; + } + + data = (struct sss_mc_pwd_data *)rec->data; + rec_name = (char *)data + data->name; + /* Integrity check + * - data->name cannot point outside strings + * - all strings must be within copy of record + * - rec_name is a zero-terminated string */ + if (data->name < strs_offset + || data->name >= strs_offset + data->strs_len + || data->strs_len > rec->len) { + ret = ENOENT; + goto done; + } + + if (strcmp(name, rec_name) == 0) { + break; + } + + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + } + + if (!MC_SLOT_WITHIN_BOUNDS(slot, data_size)) { + ret = ENOENT; + goto done; + } + + ret = sss_nss_mc_parse_result(rec, result, buffer, buflen); + +done: + free(rec); + __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1); + return ret; +} + +errno_t sss_nss_mc_getpwuid(uid_t uid, + struct passwd *result, + char *buffer, size_t buflen) +{ + struct sss_mc_rec *rec = NULL; + struct sss_mc_pwd_data *data; + char uidstr[11]; + uint32_t hash; + uint32_t slot; + int len; + int ret; + + ret = sss_nss_mc_get_ctx("passwd", &pw_mc_ctx); + if (ret) { + return ret; + } + + len = snprintf(uidstr, 11, "%ld", (long)uid); + if (len > 10) { + ret = EINVAL; + goto done; + } + + /* hashes are calculated including the NULL terminator */ + hash = sss_nss_mc_hash(&pw_mc_ctx, uidstr, len+1); + slot = pw_mc_ctx.hash_table[hash]; + + /* If slot is not within the bounds of mmapped region and + * it's value is not MC_INVALID_VAL, then the cache is + * probably corrupted. 
*/ + while (MC_SLOT_WITHIN_BOUNDS(slot, pw_mc_ctx.dt_size)) { + /* free record from previous iteration */ + free(rec); + rec = NULL; + + ret = sss_nss_mc_get_record(&pw_mc_ctx, slot, &rec); + if (ret) { + goto done; + } + + /* check record matches what we are searching for */ + if (hash != rec->hash2) { + /* if uid hash does not match we can skip this immediately */ + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + continue; + } + + data = (struct sss_mc_pwd_data *)rec->data; + if (uid == data->uid) { + break; + } + + slot = sss_nss_mc_next_slot_with_hash(rec, hash); + } + + if (!MC_SLOT_WITHIN_BOUNDS(slot, pw_mc_ctx.dt_size)) { + ret = ENOENT; + goto done; + } + + ret = sss_nss_mc_parse_result(rec, result, buffer, buflen); + +done: + free(rec); + __sync_sub_and_fetch(&pw_mc_ctx.active_threads, 1); + return ret; +} + diff --git a/src/sss_client/nss_netgroup.c b/src/sss_client/nss_netgroup.c new file mode 100644 index 0000000..3a1834a --- /dev/null +++ b/src/sss_client/nss_netgroup.c 
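Review bot: The integrity-check comment in `sss_nss_mc_getpwnam` lists "rec_name is a zero-terminated string", but the condition only tests where `data->name` starts, so `strcmp(name, rec_name)` can run past the end of the copied record when the stored string lacks its terminator. Bounding the comparison by the bytes left in the string area avoids that: `if (name_len < strs_offset + data->strs_len - data->name && memcmp(name, rec_name, name_len + 1) == 0) break;`. This assumes `name_len` equals `strlen(name)`, which the hash call with `name_len + 1` suggests but the hunk does not prove. The same pattern appears in `sss_nss_mc_getgrnam` (nss_mc_group.c) and in `sss_nss_mc_initgroups_dyn` (nss_mc_initgr.c), the latter with `data_offset` and `data_len` in place of `strs_offset` and `strs_len`.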
@@ -0,0 +1,326 @@ +/* + SSSD + + nss_netgroup.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "sss_cli.h" +#include "nss_compat.h" + +#define CLEAR_NETGRENT_DATA(netgrent) do { \ + free(netgrent->data); \ + netgrent->data = NULL; \ + netgrent->idx.position = 0; \ + netgrent->data_size = 0; \ +} while (0); + +/* + * Replies: + * + * 0-3: 32bit unsigned number of results N + * 4-7: 32bit unsigned (reserved/padding) + * For each result: + * 8-11: 32bit unsigned type of result + * 12-X: \0 terminated string representing a tuple + * (host, user, domain) + * or a netgroup, depending on the type indicator + * ... 
repeated N times + */ +#define NETGR_METADATA_COUNT 2 * sizeof(uint32_t) +struct sss_nss_netgr_rep { + struct __netgrent *result; + char *buffer; + size_t buflen; +}; + +static int sss_nss_getnetgr_readrep(struct sss_nss_netgr_rep *pr, + uint8_t *buf, size_t *len) +{ + errno_t ret; + char *sbuf; + char *temp; + size_t i, slen, dlen, size; + uint32_t type; + + if (*len < 6) { + /* Not enough space for data, bad packet */ + return EBADMSG; + } + + sbuf = (char *)(buf + sizeof(uint32_t)); + slen = *len - sizeof(uint32_t); + dlen = pr->buflen; + + i = 0; + + SAFEALIGN_COPY_UINT32(&type, buf, NULL); + switch (type) { + case SSS_NETGR_REP_TRIPLE: + pr->result->type = triple_val; + + /* Host value */ + temp = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &temp, + &size); + if (ret != EOK) return ret; + + /* libc expects NULL instead of empty string */ + if (size == 0) { + pr->result->val.triple.host = NULL; + } else { + pr->result->val.triple.host = temp; + } + + /* User value */ + temp = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &temp, + &size); + if (ret != EOK) return ret; + + /* libc expects NULL instead of empty string */ + if (size == 0) { + pr->result->val.triple.user = NULL; + } else { + pr->result->val.triple.user = temp; + } + + /* Domain value */ + temp = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &temp, + &size); + if (ret != EOK) return ret; + + /* libc expects NULL instead of empty string */ + if (size == 0) { + pr->result->val.triple.domain = NULL; + } else { + pr->result->val.triple.domain = temp; + } + + break; + + case SSS_NETGR_REP_GROUP: + pr->result->type = group_val; + + temp = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &temp, + NULL); + if (ret != EOK) return ret; + + pr->result->val.group = temp; + + break; + + default: + return EBADMSG; + } + + + *len = slen -i; + + return 0; +} + +enum nss_status 
_nss_sss_setnetgrent(const char *netgroup, + struct __netgrent *result) +{ + uint8_t *repbuf = NULL; + size_t replen; + uint32_t num_results; + enum nss_status nret; + struct sss_cli_req_data rd; + int errnop; + char *name; + size_t name_len; + errno_t ret; + + if (!netgroup) return NSS_STATUS_NOTFOUND; + + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + CLEAR_NETGRENT_DATA(result); + + ret = sss_strnlen(netgroup, SSS_NAME_MAX, &name_len); + if (ret != 0) { + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + name = malloc(sizeof(char)*name_len + 1); + if (name == NULL) { + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + strncpy(name, netgroup, name_len + 1); + + rd.data = name; + rd.len = name_len + 1; + + nret = sss_nss_make_request(SSS_NSS_SETNETGRENT, &rd, + &repbuf, &replen, &errnop); + free(name); + if (nret != NSS_STATUS_SUCCESS) { + errno = errnop; + goto out; + } + + /* Get number of results from repbuf */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if ((num_results == 0) || (replen < NETGR_METADATA_COUNT)) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + free(repbuf); + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + +static enum nss_status internal_getnetgrent_r(struct __netgrent *result, + char *buffer, size_t buflen, + int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_netgr_rep netgrrep; + uint8_t *repbuf; + size_t replen; + uint32_t num_results; + enum nss_status nret; + uint32_t num_entries; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + /* If we're already processing result data, continue to + * return it. 
+ */ + if (result->data != NULL && + result->idx.position < result->data_size) { + + repbuf = (uint8_t *) result->data + result->idx.position; + replen = result->data_size - result->idx.position; + + netgrrep.result = result; + netgrrep.buffer = buffer; + netgrrep.buflen = buflen; + + ret = sss_nss_getnetgr_readrep(&netgrrep, repbuf, &replen); + if (ret != 0) { + *errnop = ret; + return NSS_STATUS_TRYAGAIN; + } + + result->idx.position = result->data_size - replen; + + return NSS_STATUS_SUCCESS; + } + + /* Release memory, if any */ + CLEAR_NETGRENT_DATA(result); + + /* retrieve no more than SSS_NSS_MAX_ENTRIES at a time */ + num_entries = SSS_NSS_MAX_ENTRIES; + rd.len = sizeof(uint32_t); + rd.data = &num_entries; + + nret = sss_nss_make_request(SSS_NSS_GETNETGRENT, &rd, + &repbuf, &replen, errnop); + if (nret != NSS_STATUS_SUCCESS) { + return nret; + } + + /* Get number of results from repbuf. */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if ((num_results == 0) || (replen <= NETGR_METADATA_COUNT)) { + free(repbuf); + return NSS_STATUS_RETURN; + } + + result->data = (char *) repbuf; + result->data_size = replen; + /* skip metadata fields */ + result->idx.position = NETGR_METADATA_COUNT; + + /* call again ourselves, this will return the first result */ + return internal_getnetgrent_r(result, buffer, buflen, errnop); +} + +enum nss_status _nss_sss_getnetgrent_r(struct __netgrent *result, + char *buffer, size_t buflen, + int *errnop) +{ + enum nss_status nret; + + sss_nss_lock(); + nret = internal_getnetgrent_r(result, buffer, buflen, errnop); + sss_nss_unlock(); + + return nret; +} + +enum nss_status _nss_sss_endnetgrent(struct __netgrent *result) +{ + enum nss_status nret; + int errnop; + + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + CLEAR_NETGRENT_DATA(result); + + nret = sss_nss_make_request(SSS_NSS_ENDNETGRENT, + NULL, NULL, NULL, &errnop); + if (nret != NSS_STATUS_SUCCESS) { + 
errno = errnop; + } + + sss_nss_unlock(); + return nret; +} diff --git a/src/sss_client/nss_passwd.c b/src/sss_client/nss_passwd.c new file mode 100644 index 0000000..96368bd --- /dev/null +++ b/src/sss_client/nss_passwd.c 
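Review bot: In `_nss_sss_setnetgrent` and `internal_getnetgrent_r` the count is copied out with `SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL)` before `replen` is compared with `NETGR_METADATA_COUNT`, so a reply shorter than four bytes is read before it is rejected. Unless `sss_nss_make_request` already guarantees a minimum reply length (not visible in this hunk), the length test should come first, e.g. `if (replen < NETGR_METADATA_COUNT) { free(repbuf); nret = NSS_STATUS_NOTFOUND; goto out; }` ahead of the copy in `_nss_sss_setnetgrent`, with the matching early return in `internal_getnetgrent_r`. Separately, `#define NETGR_METADATA_COUNT 2 * sizeof(uint32_t)` should be parenthesised. `CLEAR_NETGRENT_DATA` also ends in `while (0);`, and that trailing semicolon defeats the do/while(0) idiom.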
@@ -0,0 +1,472 @@ +/* + * System Security Services Daemon. NSS client interface + * + * Copyright (C) Simo Sorce 2007 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see . + */ + +/* PASSWD database NSS interface */ + +#include +#include +#include +#include +#include +#include +#include +#include "sss_cli.h" +#include "nss_mc.h" +#include "nss_common.h" + +static struct sss_nss_getpwent_data { + size_t len; + size_t ptr; + uint8_t *data; +} sss_nss_getpwent_data; + +static void sss_nss_getpwent_data_clean(void) { + + if (sss_nss_getpwent_data.data != NULL) { + free(sss_nss_getpwent_data.data); + sss_nss_getpwent_data.data = NULL; + } + sss_nss_getpwent_data.len = 0; + sss_nss_getpwent_data.ptr = 0; +} + +/* GETPWNAM Request: + * + * 0-X: string with name + * + * GERTPWUID Request: + * + * 0-3: 32bit number with uid + * + * Replies: + * + * 0-3: 32bit unsigned number of results + * 4-7: 32bit unsigned (reserved/padding) + * For each result: + * 0-3: 32bit number uid + * 4-7: 32bit number gid + * 8-X: sequence of 5, 0 terminated, strings (name, passwd, gecos, dir, shell) + */ + +int sss_nss_getpw_readrep(struct sss_nss_pw_rep *pr, + uint8_t *buf, size_t *len) +{ + errno_t ret; + size_t i, slen, dlen; + char *sbuf; + uint32_t c; + + if (*len < 13) { /* not enough space for data, bad packet */ + return EBADMSG; + } + + SAFEALIGN_COPY_UINT32(&c, buf, NULL); + pr->result->pw_uid = c; 
+ SAFEALIGN_COPY_UINT32(&c, buf+sizeof(uint32_t), NULL); + pr->result->pw_gid = c; + + sbuf = (char *)&buf[8]; + slen = *len - 8; + dlen = pr->buflen; + + i = 0; + pr->result->pw_name = &(pr->buffer[i]); + + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->pw_name, + NULL); + if (ret != EOK) return ret; + + pr->result->pw_passwd = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->pw_passwd, + NULL); + if (ret != EOK) return ret; + + pr->result->pw_gecos = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->pw_gecos, + NULL); + if (ret != EOK) return ret; + + + pr->result->pw_dir = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->pw_dir, + NULL); + if (ret != EOK) return ret; + + pr->result->pw_shell = &(pr->buffer[i]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &pr->result->pw_shell, + NULL); + if (ret != EOK) return ret; + *len = slen - i; + + return 0; +} + +enum nss_status _nss_sss_getpwnam_r(const char *name, struct passwd *result, + char *buffer, size_t buflen, int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_pw_rep pwrep; + uint8_t *repbuf; + size_t replen, len, name_len; + uint32_t num_results; + enum nss_status nret; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + ret = sss_strnlen(name, SSS_NAME_MAX, &name_len); + if (ret != 0) { + *errnop = EINVAL; + return NSS_STATUS_NOTFOUND; + } + + ret = sss_nss_mc_getpwnam(name, name_len, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + return NSS_STATUS_SUCCESS; + case ERANGE: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + 
break; + } + + rd.len = name_len + 1; + rd.data = name; + + sss_nss_lock(); + + /* previous thread might already initialize entry in mmap cache */ + ret = sss_nss_mc_getpwnam(name, name_len, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + nret = NSS_STATUS_SUCCESS; + goto out; + case ERANGE: + *errnop = ERANGE; + nret = NSS_STATUS_TRYAGAIN; + goto out; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + nret = sss_nss_make_request(SSS_NSS_GETPWNAM, &rd, + &repbuf, &replen, errnop); + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + pwrep.result = result; + pwrep.buffer = buffer; + pwrep.buflen = buflen; + + /* Get number of results from repbuf. */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + *errnop = EBADMSG; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + len = replen - 8; + ret = sss_nss_getpw_readrep(&pwrep, repbuf+8, &len); + free(repbuf); + if (ret) { + *errnop = ret; + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + +enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result, + char *buffer, size_t buflen, int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_pw_rep pwrep; + uint8_t *repbuf; + size_t replen, len; + uint32_t num_results; + enum nss_status nret; + uint32_t user_uid; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + ret = sss_nss_mc_getpwuid(uid, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + return NSS_STATUS_SUCCESS; + 
case ERANGE: + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + user_uid = uid; + rd.len = sizeof(uint32_t); + rd.data = &user_uid; + + sss_nss_lock(); + + /* previous thread might already initialize entry in mmap cache */ + ret = sss_nss_mc_getpwuid(uid, result, buffer, buflen); + switch (ret) { + case 0: + *errnop = 0; + nret = NSS_STATUS_SUCCESS; + goto out; + case ERANGE: + *errnop = ERANGE; + nret = NSS_STATUS_TRYAGAIN; + goto out; + case ENOENT: + /* fall through, we need to actively ask the parent + * if no entry is found */ + break; + default: + /* if using the mmapped cache failed, + * fall back to socket based comms */ + break; + } + + nret = sss_nss_make_request(SSS_NSS_GETPWUID, &rd, + &repbuf, &replen, errnop); + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + pwrep.result = result; + pwrep.buffer = buffer; + pwrep.buflen = buflen; + + /* Get number of results from repbuf. 
*/ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + *errnop = EBADMSG; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + len = replen - 8; + ret = sss_nss_getpw_readrep(&pwrep, repbuf+8, &len); + free(repbuf); + if (ret) { + *errnop = ret; + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + +enum nss_status _nss_sss_setpwent(void) +{ + enum nss_status nret; + int errnop; + + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + sss_nss_getpwent_data_clean(); + + nret = sss_nss_make_request(SSS_NSS_SETPWENT, + NULL, NULL, NULL, &errnop); + if (nret != NSS_STATUS_SUCCESS) { + errno = errnop; + } + + sss_nss_unlock(); + return nret; +} + +static enum nss_status internal_getpwent_r(struct passwd *result, + char *buffer, size_t buflen, + int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_pw_rep pwrep; + uint8_t *repbuf; + size_t replen; + uint32_t num_results; + enum nss_status nret; + uint32_t num_entries; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + /* if there are leftovers return the next one */ + if (sss_nss_getpwent_data.data != NULL && + sss_nss_getpwent_data.ptr < sss_nss_getpwent_data.len) { + + repbuf = sss_nss_getpwent_data.data + sss_nss_getpwent_data.ptr; + replen = sss_nss_getpwent_data.len - sss_nss_getpwent_data.ptr; + + pwrep.result = result; + pwrep.buffer = buffer; + pwrep.buflen = buflen; + + ret = sss_nss_getpw_readrep(&pwrep, repbuf, &replen); + if (ret) { + *errnop = ret; + return NSS_STATUS_TRYAGAIN; + } + + /* advance buffer pointer */ + sss_nss_getpwent_data.ptr = sss_nss_getpwent_data.len - replen; + + return 
NSS_STATUS_SUCCESS;
+ }
+
+ /* release memory if any */
+ sss_nss_getpwent_data_clean();
+
+ /* retrieve no more than SSS_NSS_MAX_ENTRIES at a time */
+ num_entries = SSS_NSS_MAX_ENTRIES;
+ rd.len = sizeof(uint32_t);
+ rd.data = &num_entries;
+
+ nret = sss_nss_make_request(SSS_NSS_GETPWENT, &rd,
+ &repbuf, &replen, errnop);
+ if (nret != NSS_STATUS_SUCCESS) {
+ return nret;
+ }
+
+ /* Get number of results from repbuf. */
+ SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL);
+
+ /* no results if not found */
+ if ((num_results == 0) || (replen - 8 == 0)) {
+ free(repbuf);
+ return NSS_STATUS_NOTFOUND;
+ }
+
+ sss_nss_getpwent_data.data = repbuf;
+ sss_nss_getpwent_data.len = replen;
+ sss_nss_getpwent_data.ptr = 8; /* skip metadata fields */
+
+ /* call again ourselves, this will return the first result */
+ return internal_getpwent_r(result, buffer, buflen, errnop);
+}
+
+enum nss_status _nss_sss_getpwent_r(struct passwd *result,
+ char *buffer, size_t buflen,
+ int *errnop)
+{
+ enum nss_status nret;
+
+ sss_nss_lock();
+ nret = internal_getpwent_r(result, buffer, buflen, errnop);
+ sss_nss_unlock();
+
+ return nret;
+}
+
+enum nss_status _nss_sss_endpwent(void)
+{
+ enum nss_status nret;
+ int errnop;
+
+ sss_nss_lock();
+
+ /* make sure we do not have leftovers, and release memory */
+ sss_nss_getpwent_data_clean();
+
+ nret = sss_nss_make_request(SSS_NSS_ENDPWENT,
+ NULL, NULL, NULL, &errnop);
+ if (nret != NSS_STATUS_SUCCESS) {
+ errno = errnop;
+ }
+
+ sss_nss_unlock();
+ return nret;
+}
diff --git a/src/sss_client/nss_services.c b/src/sss_client/nss_services.c
new file mode 100644
index 0000000..161dad9
--- /dev/null
+++ b/src/sss_client/nss_services.c
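Review bot: `_nss_sss_getpwnam_r` and `_nss_sss_getpwuid_r` compute `len = replen - 8`, and `internal_getpwent_r` tests `replen - 8 == 0`, without first checking that the reply holds the 8 metadata bytes, so a reply shorter than that wraps the `size_t` and the parser is handed a length far beyond the allocation. The netgroup code earlier in this patch guards with `replen <= NETGR_METADATA_COUNT`; the same form fits here, `if ((num_results == 0) || (replen <= 8))` in `internal_getpwent_r` and `if (replen < 8) { *errnop = EBADMSG; free(repbuf); nret = NSS_STATUS_TRYAGAIN; goto out; }` ahead of the `num_results` read in the two lookup functions. Whether `sss_nss_make_request` already guarantees a minimum reply size is not visible in this hunk, so the check is defence in depth against a malformed responder reply. The nss_services.c hunk repeats the pattern with `replen - SVC_METADATA_COUNT`.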
@@ -0,0 +1,501 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "sss_cli.h" + +static struct sss_nss_getservent_data { + size_t len; + size_t ptr; + uint8_t *data; +} sss_nss_getservent_data; + +static void sss_nss_getservent_data_clean(void) { + + if (sss_nss_getservent_data.data != NULL) { + free(sss_nss_getservent_data.data); + sss_nss_getservent_data.data = NULL; + } + sss_nss_getservent_data.len = 0; + sss_nss_getservent_data.ptr = 0; +} + +/* GETSERVBYNAME Request + * + * 0-X: Sequence of two, zero-terminated strings (name, protocol). 
+ * Protocol may be zero-length to imply "any" + * + * GETSERVBYPORT Request: + * 0-3: 16-bit port number in network byte order + * 4-15: Reserved/padding + * 16-X: Zero-terminated string (protocol) + * Protocol may be zero-length to imply "any" + * + * Replies: + * 0-3: 32-bit unsigned number of results + * 4-7: 32-bit unsigned (reserved/padding) + * 7-X: Result data (blocks equal to number of results) + * + * Result data: + * 0-3: 32-bit unsigned port number in network byte order + * 4-7: 32-bit unsigned number of aliases + * 8-X: sequence of zero-terminated strings + * (name, protocol, zero or more aliases) + */ +struct sss_nss_svc_rep { + struct servent *result; + char *buffer; + size_t buflen; +}; + +#define SVC_METADATA_COUNT 8 + +static errno_t +sss_nss_getsvc_readrep(struct sss_nss_svc_rep *sr, + uint8_t *buf, size_t *len) +{ + errno_t ret; + uint32_t c; + uint32_t num_aliases; + size_t i, l, slen, dlen, pad, ptaliases, alen; + char *sbuf; + + /* Buffer must contain two 32-bit integers, + * at least one character and null-terminator + * for the name, and at least a null- + * terminator for the protocol. 
+ */ + if (*len < 11) { + /* not enough space for data, bad packet */ + return EBADMSG; + } + + /* Get the port */ + SAFEALIGN_COPY_UINT32(&c, buf, NULL); + sr->result->s_port = (uint16_t)c; + + /* Get the number of aliases */ + SAFEALIGN_COPY_UINT32(&num_aliases, buf + sizeof(uint32_t), NULL); + + sbuf = (char *)&buf[2 * sizeof(uint32_t)]; + slen = *len - (2 * sizeof(uint32_t)); + dlen = sr->buflen; + + /* Copy in the name */ + i = 0; + sr->result->s_name = &(sr->buffer[i]); + + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &sr->result->s_name, + NULL); + if (ret != EOK) return ret; + + /* Copy in the protocol */ + sr->result->s_proto = &(sr->buffer[i]); + + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &sr->result->s_proto, + NULL); + if (ret != EOK) return ret; + + /* Make sure sr->buffer[i+pad] is aligned to sizeof(char *) */ + pad = PADDING_SIZE(i, char *); + + /* Copy in the aliases */ + sr->result->s_aliases = DISCARD_ALIGN(&(sr->buffer[i+pad]), char **); + + ptaliases = (sizeof(char *) * (num_aliases + 1)) + pad; + if (ptaliases > dlen) { + return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */ + } + + dlen -= ptaliases; + ptaliases += i; + sr->result->s_aliases[num_aliases] = NULL; /* terminate array */ + + for (l = 0; l < num_aliases; l++) { + sr->result->s_aliases[l] = &(sr->buffer[ptaliases]); + ret = sss_readrep_copy_string(sbuf, &i, + &slen, &dlen, + &sr->result->s_aliases[l], + &alen); + if (ret != EOK) return ret; + + ptaliases += alen + 1; + } + + *len = slen - i; + + return EOK; +} + +enum nss_status +_nss_sss_getservbyname_r(const char *name, + const char *protocol, + struct servent *result, + char *buffer, size_t buflen, + int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_svc_rep svcrep; + size_t name_len; + size_t proto_len = 0; + uint8_t *repbuf; + uint8_t *data; + size_t replen, len; + uint32_t num_results; + enum nss_status nret; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + 
if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + ret = sss_strnlen(name, SSS_NAME_MAX, &name_len); + if (ret != 0) { + *errnop = EINVAL; + return NSS_STATUS_NOTFOUND; + } + + if (protocol) { + ret = sss_strnlen(protocol, SSS_NAME_MAX, &proto_len); + if (ret != 0) { + *errnop = EINVAL; + return NSS_STATUS_NOTFOUND; + } + } + + rd.len = name_len + proto_len + 2; + data = malloc(sizeof(uint8_t)*rd.len); + if (data == NULL) { + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + memcpy(data, name, name_len + 1); + + if (protocol) { + memcpy(data + name_len + 1, protocol, proto_len + 1); + } else { + /* No protocol specified, pass empty string */ + data[name_len + 1] = '\0'; + } + rd.data = data; + + sss_nss_lock(); + + nret = sss_nss_make_request(SSS_NSS_GETSERVBYNAME, &rd, + &repbuf, &replen, errnop); + free(data); + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + svcrep.result = result; + svcrep.buffer = buffer; + svcrep.buflen = buflen; + + /* Get number of results from repbuf. 
*/ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + *errnop = EBADMSG; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + len = replen - SVC_METADATA_COUNT; + ret = sss_nss_getsvc_readrep(&svcrep, + repbuf + SVC_METADATA_COUNT, + &len); + free(repbuf); + if (ret) { + *errnop = ret; + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + + +enum nss_status +_nss_sss_getservbyport_r(int port, const char *protocol, + struct servent *result, + char *buffer, size_t buflen, + int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_svc_rep svcrep; + size_t proto_len = 0; + uint8_t *repbuf; + uint8_t *data; + size_t p = 0; + size_t replen, len; + uint32_t num_results; + enum nss_status nret; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + if (protocol) { + ret = sss_strnlen(protocol, SSS_NAME_MAX, &proto_len); + if (ret != 0) { + *errnop = EINVAL; + return NSS_STATUS_NOTFOUND; + } + } + + rd.len = sizeof(uint32_t)*2 + proto_len + 1; + data = malloc(sizeof(uint8_t)*rd.len); + if (data == NULL) { + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + SAFEALIGN_SET_UINT16(data, port, &p); + + /* Padding */ + SAFEALIGN_SET_UINT16(data + p, 0, &p); + SAFEALIGN_SET_UINT32(data + p, 0, &p); + + if (protocol) { + memcpy(data + p, protocol, proto_len + 1); + } else { + /* No protocol specified, pass empty string */ + data[p] = '\0'; + } + rd.data = data; + + sss_nss_lock(); + + nret = sss_nss_make_request(SSS_NSS_GETSERVBYPORT, &rd, + &repbuf, &replen, errnop); + free(data); + if (nret != NSS_STATUS_SUCCESS) { + goto out; + } + + svcrep.result = result; + svcrep.buffer = buffer; + 
svcrep.buflen = buflen; + + /* Get number of results from repbuf. */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if (num_results == 0) { + free(repbuf); + nret = NSS_STATUS_NOTFOUND; + goto out; + } + + /* only 1 result is accepted for this function */ + if (num_results != 1) { + *errnop = EBADMSG; + free(repbuf); + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + len = replen - SVC_METADATA_COUNT; + ret = sss_nss_getsvc_readrep(&svcrep, + repbuf + SVC_METADATA_COUNT, + &len); + free(repbuf); + if (ret) { + *errnop = ret; + nret = NSS_STATUS_TRYAGAIN; + goto out; + } + + nret = NSS_STATUS_SUCCESS; + +out: + sss_nss_unlock(); + return nret; +} + + +enum nss_status +_nss_sss_setservent(void) +{ + enum nss_status nret; + int errnop; + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + sss_nss_getservent_data_clean(); + + nret = sss_nss_make_request(SSS_NSS_SETSERVENT, + NULL, NULL, NULL, &errnop); + if (nret != NSS_STATUS_SUCCESS) { + errno = errnop; + } + + sss_nss_unlock(); + return nret; +} + +static enum nss_status internal_getservent_r(struct servent *result, + char *buffer, size_t buflen, + int *errnop); + +enum nss_status +_nss_sss_getservent_r(struct servent *result, + char *buffer, size_t buflen, + int *errnop) +{ + enum nss_status nret; + + sss_nss_lock(); + nret = internal_getservent_r(result, buffer, buflen, errnop); + sss_nss_unlock(); + + return nret; +} + +static enum nss_status internal_getservent_r(struct servent *result, + char *buffer, size_t buflen, + int *errnop) +{ + struct sss_cli_req_data rd; + struct sss_nss_svc_rep pwrep; + uint8_t *repbuf; + size_t replen; + uint32_t num_results; + enum nss_status nret; + uint32_t num_entries; + int ret; + + /* Caught once glibc passing in buffer == 0x0 */ + if (!buffer || !buflen) { + *errnop = ERANGE; + return NSS_STATUS_TRYAGAIN; + } + + /* if there are leftovers return the next one */ + if (sss_nss_getservent_data.data != NULL && 
+ sss_nss_getservent_data.ptr < sss_nss_getservent_data.len) { + + repbuf = sss_nss_getservent_data.data + sss_nss_getservent_data.ptr; + replen = sss_nss_getservent_data.len - sss_nss_getservent_data.ptr; + + pwrep.result = result; + pwrep.buffer = buffer; + pwrep.buflen = buflen; + + ret = sss_nss_getsvc_readrep(&pwrep, repbuf, &replen); + if (ret) { + *errnop = ret; + return NSS_STATUS_TRYAGAIN; + } + + /* advance buffer pointer */ + sss_nss_getservent_data.ptr = sss_nss_getservent_data.len - replen; + + return NSS_STATUS_SUCCESS; + } + + /* release memory if any */ + sss_nss_getservent_data_clean(); + + /* retrieve no more than SSS_NSS_MAX_ENTRIES at a time */ + num_entries = SSS_NSS_MAX_ENTRIES; + rd.len = sizeof(uint32_t); + rd.data = &num_entries; + + nret = sss_nss_make_request(SSS_NSS_GETSERVENT, &rd, + &repbuf, &replen, errnop); + if (nret != NSS_STATUS_SUCCESS) { + return nret; + } + + /* Get number of results from repbuf */ + SAFEALIGN_COPY_UINT32(&num_results, repbuf, NULL); + + /* no results if not found */ + if ((num_results == 0) || (replen - SVC_METADATA_COUNT == 0)) { + free(repbuf); + return NSS_STATUS_NOTFOUND; + } + + sss_nss_getservent_data.data = repbuf; + sss_nss_getservent_data.len = replen; + + /* skip metadata fields */ + sss_nss_getservent_data.ptr = SVC_METADATA_COUNT; + + /* call again ourselves, this will return the first result */ + return internal_getservent_r(result, buffer, buflen, errnop); +} + + +enum nss_status +_nss_sss_endservent(void) +{ + enum nss_status nret; + int errnop; + + sss_nss_lock(); + + /* make sure we do not have leftovers, and release memory */ + sss_nss_getservent_data_clean(); + + nret = sss_nss_make_request(SSS_NSS_ENDSERVENT, + NULL, NULL, NULL, &errnop); + if (nret != NSS_STATUS_SUCCESS) { + errno = errnop; + } + + sss_nss_unlock(); + return nret; +} diff --git a/src/sss_client/pam_message.c b/src/sss_client/pam_message.c new file mode 100644 index 0000000..b239f6f --- /dev/null 
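Review bot: In `sss_nss_getsvc_readrep` the alias count is taken straight from the reply and `num_aliases + 1` is evaluated in `uint32_t`, so a count of 0xFFFFFFFF wraps to zero, the `ptaliases > dlen` test passes, and `sr->result->s_aliases[num_aliases] = NULL` then stores outside the caller's buffer. Bounding the count before the multiplication avoids both the wrap and an oversized product: `if (pad > dlen || num_aliases >= (dlen - pad) / sizeof(char *)) return ERANGE;`. Separately, in `_nss_sss_getservbyname_r` and `_nss_sss_getservbyport_r` the `malloc` failure branch jumps to `out:` and calls `sss_nss_unlock()` before `sss_nss_lock()` has been taken, and it leaves `*errnop` unset; `*errnop = ENOMEM; return NSS_STATUS_TRYAGAIN;` in that branch addresses both.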
+++ b/src/sss_client/pam_message.c 
@@ -0,0 +1,179 @@ +/* + Authors: + Sumit Bose + + PAM client - create message blob + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "sss_pam_compat.h" +#include "sss_pam_macros.h" + +#include "pam_message.h" + +#include "sss_cli.h" + +static size_t add_authtok_item(enum pam_item_type type, + enum sss_authtok_type authtok_type, + const char *tok, const size_t size, + uint8_t *buf) +{ + size_t rp = 0; + uint32_t c; + + if (tok == NULL) return 0; + + c = type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + c = size + sizeof(uint32_t); + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + c = authtok_type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + memcpy(&buf[rp], tok, size); + rp += size; + + return rp; +} + +static size_t add_uint32_t_item(enum pam_item_type type, const uint32_t val, + uint8_t *buf) +{ + size_t rp = 0; + uint32_t c; + + c = type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + c = sizeof(uint32_t); + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + c = val; + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + return rp; +} + +static size_t add_string_item(enum pam_item_type type, const char *str, + const size_t size, uint8_t *buf) +{ + size_t rp = 0; + uint32_t c; + + if (str == NULL 
|| *str == '\0') return 0; + + c = type; + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + c = size; + memcpy(&buf[rp], &c, sizeof(uint32_t)); + rp += sizeof(uint32_t); + + memcpy(&buf[rp], str, size); + rp += size; + + return rp; +} + +int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer) +{ + int len; + uint8_t *buf; + size_t rp; + + len = sizeof(uint32_t) + sizeof(uint32_t); + + len += *pi->pam_user != '\0' ? + 2*sizeof(uint32_t) + pi->pam_user_size : 0; + len += *pi->pam_service != '\0' ? + 2*sizeof(uint32_t) + pi->pam_service_size : 0; + len += *pi->pam_tty != '\0' ? + 2*sizeof(uint32_t) + pi->pam_tty_size : 0; + len += *pi->pam_ruser != '\0' ? + 2*sizeof(uint32_t) + pi->pam_ruser_size : 0; + len += *pi->pam_rhost != '\0' ? + 2*sizeof(uint32_t) + pi->pam_rhost_size : 0; + len += pi->pam_authtok != NULL ? + 3*sizeof(uint32_t) + pi->pam_authtok_size : 0; + len += pi->pam_newauthtok != NULL ? + 3*sizeof(uint32_t) + pi->pam_newauthtok_size : 0; + len += 3*sizeof(uint32_t); /* cli_pid */ + len += *pi->requested_domains != '\0' ? 
+ 2*sizeof(uint32_t) + pi->requested_domains_size : 0; + + buf = malloc(len); + if (buf == NULL) { + D(("malloc failed.")); + return PAM_BUF_ERR; + } + + rp = 0; + SAFEALIGN_SETMEM_UINT32(buf, SSS_START_OF_PAM_REQUEST, &rp); + + rp += add_string_item(SSS_PAM_ITEM_USER, pi->pam_user, pi->pam_user_size, + &buf[rp]); + + rp += add_string_item(SSS_PAM_ITEM_SERVICE, pi->pam_service, + pi->pam_service_size, &buf[rp]); + + rp += add_string_item(SSS_PAM_ITEM_TTY, pi->pam_tty, pi->pam_tty_size, + &buf[rp]); + + rp += add_string_item(SSS_PAM_ITEM_RUSER, pi->pam_ruser, pi->pam_ruser_size, + &buf[rp]); + + rp += add_string_item(SSS_PAM_ITEM_RHOST, pi->pam_rhost, pi->pam_rhost_size, + &buf[rp]); + + rp += add_string_item(SSS_PAM_ITEM_REQUESTED_DOMAINS, pi->requested_domains, pi->requested_domains_size, + &buf[rp]); + + rp += add_uint32_t_item(SSS_PAM_ITEM_CLI_PID, (uint32_t) pi->cli_pid, + &buf[rp]); + + rp += add_authtok_item(SSS_PAM_ITEM_AUTHTOK, pi->pam_authtok_type, + pi->pam_authtok, pi->pam_authtok_size, &buf[rp]); + + rp += add_authtok_item(SSS_PAM_ITEM_NEWAUTHTOK, pi->pam_newauthtok_type, + pi->pam_newauthtok, pi->pam_newauthtok_size, + &buf[rp]); + + SAFEALIGN_SETMEM_UINT32(buf + rp, SSS_END_OF_PAM_REQUEST, &rp); + + if (rp != len) { + D(("error during packet creation.")); + free(buf); + return PAM_BUF_ERR; + } + + *size = len; + *buffer = buf; + + return 0; +} diff --git a/src/sss_client/pam_message.h b/src/sss_client/pam_message.h new file mode 100644 index 0000000..11526a8 --- /dev/null +++ b/src/sss_client/pam_message.h 
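Review bot: `pack_message_v3` accumulates the `size_t` item sizes in `int len` and compares `rp != len` only after every `add_*_item` call has already copied into `buf`, so the check can report a size mismatch but cannot stop a write past the allocation. Declaring `size_t len;` removes the signed/unsigned mix in `malloc(len)` and in that comparison; whether the `*_size` fields are bounded before this call is not visible in this hunk. On the mismatch path `buf` may already contain the auth token and is released with a plain `free(buf)`; clearing it first, in the way pam_sss.c clears `pi->pam_authtok` with `_pam_overwrite_n`, would keep the token out of freed heap memory.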
@@ -0,0 +1,71 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2015 Red Hat
+
+ PAM client - create message blob
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _PAM_MESSAGE_H_
+#define _PAM_MESSAGE_H_
+
+#include
+#include
+#include
+
+#include "sss_client/sss_cli.h"
+
+struct cert_auth_info;
+
+struct pam_items {
+ const char *pam_service;
+ const char *pam_user;
+ const char *pam_tty;
+ const char *pam_ruser;
+ const char *pam_rhost;
+ char *pam_authtok;
+ char *pam_newauthtok;
+ const char *pamstack_authtok;
+ const char *pamstack_oldauthtok;
+ size_t pam_service_size;
+ size_t pam_user_size;
+ size_t pam_tty_size;
+ size_t pam_ruser_size;
+ size_t pam_rhost_size;
+ enum sss_authtok_type pam_authtok_type;
+ size_t pam_authtok_size;
+ enum sss_authtok_type pam_newauthtok_type;
+ size_t pam_newauthtok_size;
+ pid_t cli_pid;
+ const char *login_name;
+ char *domain_name;
+ const char *requested_domains;
+ size_t requested_domains_size;
+ char *otp_vendor;
+ char *otp_token_id;
+ char *otp_challenge;
+ char *first_factor;
+ bool password_prompting;
+
+ bool user_name_hint;
+ struct cert_auth_info *cert_list;
+ struct cert_auth_info *selected_cert;
+};
+
+int pack_message_v3(struct pam_items *pi, size_t *size, uint8_t **buffer);
+
+#endif /* _PAM_MESSAGE_H_ */
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
new file mode 100644
index 0000000..59081cc
--- /dev/null
+++ b/src/sss_client/pam_sss.c 
@@ -0,0 +1,2653 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + Copyright (C) 2010, rhafer@suse.de, Novell Inc. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#ifdef HAVE_GDM_PAM_EXTENSIONS +#include +#endif + +#include "sss_pam_compat.h" +#include "sss_pam_macros.h" + +#include "sss_cli.h" +#include "pam_message.h" +#include "util/atomic_io.h" +#include "util/authtok-utils.h" +#include "util/dlinklist.h" + +#include +#define _(STRING) dgettext (PACKAGE, STRING) + +#define FLAGS_USE_FIRST_PASS (1 << 0) +#define FLAGS_FORWARD_PASS (1 << 1) +#define FLAGS_USE_AUTHTOK (1 << 2) +#define FLAGS_IGNORE_UNKNOWN_USER (1 << 3) +#define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4) +#define FLAGS_USE_2FA (1 << 5) +#define FLAGS_ALLOW_MISSING_NAME (1 << 6) +#define FLAGS_PROMPT_ALWAYS (1 << 7) + +#define PWEXP_FLAG "pam_sss:password_expired_flag" +#define FD_DESTRUCTOR "pam_sss:fd_destructor" +#define PAM_SSS_AUTHOK_TYPE "pam_sss:authtok_type" +#define PAM_SSS_AUTHOK_SIZE "pam_sss:authtok_size" +#define PAM_SSS_AUTHOK_DATA "pam_sss:authtok_data" + +#define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" +#define PW_RESET_MSG_MAX_SIZE 4096 + +#define OPT_RETRY_KEY "retry=" +#define 
OPT_DOMAINS_KEY "domains=" + +#define EXP_ACC_MSG _("Permission denied. ") +#define SRV_MSG _("Server message: ") + +#define DEBUG_MGS_LEN 1024 +#define MAX_AUTHTOK_SIZE (1024*1024) +#define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)") + +static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) { + va_list ap; + + va_start(ap, fmt); + +#ifdef DEBUG + va_list apd; + char debug_msg[DEBUG_MGS_LEN]; + int ret; + va_copy(apd, ap); + + ret = vsnprintf(debug_msg, DEBUG_MGS_LEN, fmt, apd); + if (ret >= DEBUG_MGS_LEN) { + D(("the following message is truncated: %s", debug_msg)); + } else if (ret < 0) { + D(("vsnprintf failed to format debug message!")); + } else { + D((debug_msg)); + } + + va_end(apd); +#endif + + pam_vsyslog(pamh, LOG_AUTHPRIV|level, fmt, ap); + + va_end(ap); +} + +static void free_exp_data(pam_handle_t *pamh, void *ptr, int err) +{ + free(ptr); +} + +static void close_fd(pam_handle_t *pamh, void *ptr, int err) +{ +#ifdef PAM_DATA_REPLACE + if (err & PAM_DATA_REPLACE) { + /* Nothing to do */ + return; + } +#endif /* PAM_DATA_REPLACE */ + + D(("Closing the fd")); + sss_pam_close_fd(); +} + +struct cert_auth_info { + char *cert_user; + char *cert; + char *token_name; + char *module_name; + char *key_id; + char *prompt_str; + struct cert_auth_info *prev; + struct cert_auth_info *next; +}; + +static void free_cai(struct cert_auth_info *cai) +{ + if (cai != NULL) { + free(cai->cert_user); + free(cai->cert); + free(cai->token_name); + free(cai->key_id); + free(cai->prompt_str); + free(cai); + } +} + +static void free_cert_list(struct cert_auth_info *list) +{ + struct cert_auth_info *cai; + struct cert_auth_info *cai_next; + + if (list != NULL) { + DLIST_FOR_EACH_SAFE(cai, cai_next, list) { + DLIST_REMOVE(list, cai); + free_cai(cai); + } + } +} + +static void overwrite_and_free_authtoks(struct pam_items *pi) +{ + if (pi->pam_authtok != NULL) { + _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size); + 
free((void *)pi->pam_authtok); + pi->pam_authtok = NULL; + } + + if (pi->pam_newauthtok != NULL) { + _pam_overwrite_n((void *)pi->pam_newauthtok, pi->pam_newauthtok_size); + free((void *)pi->pam_newauthtok); + pi->pam_newauthtok = NULL; + } + + if (pi->first_factor != NULL) { + _pam_overwrite_n((void *)pi->first_factor, strlen(pi->first_factor)); + free((void *)pi->first_factor); + pi->first_factor = NULL; + } + + pi->pamstack_authtok = NULL; + pi->pamstack_oldauthtok = NULL; +} + +static void overwrite_and_free_pam_items(struct pam_items *pi) +{ + overwrite_and_free_authtoks(pi); + + free(pi->domain_name); + pi->domain_name = NULL; + + free(pi->otp_vendor); + pi->otp_vendor = NULL; + + free(pi->otp_token_id); + pi->otp_token_id = NULL; + + free(pi->otp_challenge); + pi->otp_challenge = NULL; + + free_cert_list(pi->cert_list); + pi->cert_list = NULL; + pi->selected_cert = NULL; +} + +static int null_strcmp(const char *s1, const char *s2) { + if (s1 == NULL && s2 == NULL) return 0; + if (s1 == NULL && s2 != NULL) return -1; + if (s1 != NULL && s2 == NULL) return 1; + return strcmp(s1, s2); +} + +enum { + SSS_PAM_CONV_DONE = 0, + SSS_PAM_CONV_STD, + SSS_PAM_CONV_REENTER, +}; + +static int do_pam_conversation(pam_handle_t *pamh, const int msg_style, + const char *msg, + const char *reenter_msg, + char **_answer) +{ + int ret; + int state = SSS_PAM_CONV_STD; + const struct pam_conv *conv; + const struct pam_message *mesg[1]; + struct pam_message *pam_msg; + struct pam_response *resp=NULL; + char *answer = NULL; + + if ((msg_style == PAM_TEXT_INFO || msg_style == PAM_ERROR_MSG) && + msg == NULL) return PAM_SYSTEM_ERR; + + if ((msg_style == PAM_PROMPT_ECHO_OFF || + msg_style == PAM_PROMPT_ECHO_ON) && + (msg == NULL || _answer == NULL)) return PAM_SYSTEM_ERR; + + if (msg_style == PAM_TEXT_INFO || msg_style == PAM_ERROR_MSG) { + logger(pamh, LOG_INFO, "User %s message: %s", + msg_style == PAM_TEXT_INFO ? 
"info" : "error", + msg); + } + + ret=pam_get_item(pamh, PAM_CONV, (const void **) &conv); + if (ret != PAM_SUCCESS) return ret; + if (conv == NULL || conv->conv == NULL) { + logger(pamh, LOG_ERR, "No conversation function"); + return PAM_SYSTEM_ERR; + } + + do { + pam_msg = malloc(sizeof(struct pam_message)); + if (pam_msg == NULL) { + D(("Malloc failed.")); + ret = PAM_SYSTEM_ERR; + goto failed; + } + + pam_msg->msg_style = msg_style; + if (state == SSS_PAM_CONV_REENTER) { + pam_msg->msg = reenter_msg; + } else { + pam_msg->msg = msg; + } + + mesg[0] = (const struct pam_message *) pam_msg; + + ret=conv->conv(1, mesg, &resp, + conv->appdata_ptr); + free(pam_msg); + if (ret != PAM_SUCCESS) { + D(("Conversation failure: %s.", pam_strerror(pamh,ret))); + goto failed; + } + + if (msg_style == PAM_PROMPT_ECHO_OFF || + msg_style == PAM_PROMPT_ECHO_ON) { + if (resp == NULL) { + D(("response expected, but resp==NULL")); + ret = PAM_SYSTEM_ERR; + goto failed; + } + + if (state == SSS_PAM_CONV_REENTER) { + if (null_strcmp(answer, resp[0].resp) != 0) { + logger(pamh, LOG_NOTICE, "Passwords do not match."); + _pam_overwrite((void *)resp[0].resp); + free(resp[0].resp); + if (answer != NULL) { + _pam_overwrite((void *) answer); + free(answer); + answer = NULL; + } + ret = do_pam_conversation(pamh, PAM_ERROR_MSG, + _("Passwords do not match"), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + ret = PAM_SYSTEM_ERR; + goto failed; + } + ret = PAM_CRED_ERR; + goto failed; + } + _pam_overwrite((void *)resp[0].resp); + free(resp[0].resp); + } else { + if (resp[0].resp == NULL) { + D(("Empty password")); + answer = NULL; + } else { + answer = strndup(resp[0].resp, MAX_AUTHTOK_SIZE); + _pam_overwrite((void *)resp[0].resp); + free(resp[0].resp); + if(answer == NULL) { + D(("strndup failed")); + ret = PAM_BUF_ERR; + goto failed; + } + } + } + free(resp); + resp = NULL; + } + + if (reenter_msg != NULL && state == SSS_PAM_CONV_STD) { + state = 
SSS_PAM_CONV_REENTER; + } else { + state = SSS_PAM_CONV_DONE; + } + } while (state != SSS_PAM_CONV_DONE); + + if (_answer) *_answer = answer; + return PAM_SUCCESS; + +failed: + free(answer); + return ret; + +} + +static errno_t display_pw_reset_message(pam_handle_t *pamh, + const char *domain_name, + const char *suffix) +{ + int ret; + struct stat stat_buf; + char *msg_buf = NULL; + int fd = -1; + size_t size; + size_t total_len; + char *filename = NULL; + + if (strchr(suffix, '/') != NULL || strchr(domain_name, '/') != NULL) { + D(("Suffix [%s] or domain name [%s] contain illegal character.", suffix, + domain_name)); + return EINVAL; + } + + size = sizeof(PW_RESET_MSG_FILENAME_TEMPLATE) + strlen(domain_name) + + strlen(suffix); + filename = malloc(size); + if (filename == NULL) { + D(("malloc failed.")); + ret = ENOMEM; + goto done; + } + ret = snprintf(filename, size, PW_RESET_MSG_FILENAME_TEMPLATE, domain_name, + suffix); + if (ret < 0 || ret >= size) { + D(("snprintf failed.")); + ret = EFAULT; + goto done; + } + + fd = open(filename, O_RDONLY); + if (fd == -1) { + ret = errno; + D(("open failed [%d][%s].\n", ret, strerror(ret))); + goto done; + } + + ret = fstat(fd, &stat_buf); + if (ret == -1) { + ret = errno; + D(("fstat failed [%d][%s].", ret, strerror(ret))); + goto done; + } + + if (!S_ISREG(stat_buf.st_mode)) { + logger(pamh, LOG_ERR, + "Password reset message file is not a regular file."); + ret = EINVAL; + goto done; + } + + if (stat_buf.st_uid != 0 || stat_buf.st_gid != 0 || + (stat_buf.st_mode & ~S_IFMT) != 0644) { + logger(pamh, LOG_ERR,"Permission error, " + "file [%s] must be owned by root with permissions 0644.", + filename); + ret = EPERM; + goto done; + } + + if (stat_buf.st_size > PW_RESET_MSG_MAX_SIZE) { + logger(pamh, LOG_ERR, "Password reset message file is too large."); + ret = EFBIG; + goto done; + } + + msg_buf = malloc(stat_buf.st_size + 1); + if (msg_buf == NULL) { + D(("malloc failed.")); + ret = ENOMEM; + goto done; + } + + errno = 
0; + total_len = sss_atomic_read_s(fd, msg_buf, stat_buf.st_size); + if (total_len == -1) { + ret = errno; + D(("read failed [%d][%s].", ret, strerror(ret))); + goto done; + } + + ret = close(fd); + fd = -1; + if (ret == -1) { + ret = errno; + D(("close failed [%d][%s].", ret, strerror(ret))); + } + + if (total_len != stat_buf.st_size) { + D(("read fewer bytes [%d] than expected [%d].", total_len, + stat_buf.st_size)); + ret = EIO; + goto done; + } + + msg_buf[stat_buf.st_size] = '\0'; + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, msg_buf, NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + } + +done: + if (fd != -1) { + close(fd); + } + free(msg_buf); + free(filename); + + return ret; +} + +static errno_t select_pw_reset_message(pam_handle_t *pamh, struct pam_items *pi) +{ + int ret; + char *locale; + const char *domain_name; + + domain_name = pi->domain_name; + if (domain_name == NULL || *domain_name == '\0') { + D(("Domain name is unknown.")); + return EINVAL; + } + + locale = setlocale(LC_MESSAGES, NULL); + + ret = -1; + if (locale != NULL) { + ret = display_pw_reset_message(pamh, domain_name, locale); + } + + if (ret != 0) { + ret = display_pw_reset_message(pamh, domain_name, "txt"); + } + + if (ret != 0) { + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("Password reset by root is not supported."), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + } + } + + return ret; +} + +static int user_info_offline_auth(pam_handle_t *pamh, size_t buflen, + uint8_t *buf) +{ + int ret; + int64_t expire_date; + struct tm tm; + char expire_str[128]; + char user_msg[256]; + + expire_str[0] = '\0'; + + if (buflen != sizeof(uint32_t) + sizeof(int64_t)) { + D(("User info response data has the wrong size")); + return PAM_BUF_ERR; + } + + memcpy(&expire_date, buf + sizeof(uint32_t), sizeof(int64_t)); + + if (expire_date > 0) { + if (localtime_r((time_t *) &expire_date, &tm) != NULL) { + ret = 
strftime(expire_str, sizeof(expire_str), "%c", &tm); + if (ret == 0) { + D(("strftime failed.")); + expire_str[0] = '\0'; + } + } else { + D(("localtime_r failed")); + } + } + + ret = snprintf(user_msg, sizeof(user_msg), "%s%s%s.", + _("Authenticated with cached credentials"), + expire_str[0] ? _(", your cached password will expire at: ") : "", + expire_str[0] ? expire_str : ""); + if (ret < 0 || ret >= sizeof(user_msg)) { + D(("snprintf failed.")); + return PAM_SYSTEM_ERR; + } + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int user_info_grace_login(pam_handle_t *pamh, + size_t buflen, + uint8_t *buf) +{ + int ret; + uint32_t grace; + char user_msg[256]; + + if (buflen != 2* sizeof(uint32_t)) { + D(("User info response data has the wrong size")); + return PAM_BUF_ERR; + } + memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t)); + ret = snprintf(user_msg, sizeof(user_msg), + _("Your password has expired. 
" + "You have %1$d grace login(s) remaining."), + grace); + if (ret < 0 || ret >= sizeof(user_msg)) { + D(("snprintf failed.")); + return PAM_SYSTEM_ERR; + } + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); + + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +#define MINSEC 60 +#define HOURSEC (60*MINSEC) +#define DAYSEC (24*HOURSEC) +static int user_info_expire_warn(pam_handle_t *pamh, + size_t buflen, + uint8_t *buf) +{ + int ret; + uint32_t expire; + char user_msg[256]; + const char* unit="second(s)"; + + if (buflen != 2* sizeof(uint32_t)) { + D(("User info response data has the wrong size")); + return PAM_BUF_ERR; + } + memcpy(&expire, buf + sizeof(uint32_t), sizeof(uint32_t)); + if (expire >= DAYSEC) { + expire /= DAYSEC; + unit = "day(s)"; + } else if (expire >= HOURSEC) { + expire /= HOURSEC; + unit = "hour(s)"; + } else if (expire >= MINSEC) { + expire /= MINSEC; + unit = "minute(s)"; + } + + ret = snprintf(user_msg, sizeof(user_msg), + _("Your password will expire in %1$d %2$s."), expire, unit); + if (ret < 0 || ret >= sizeof(user_msg)) { + D(("snprintf failed.")); + return PAM_SYSTEM_ERR; + } + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); + + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int user_info_offline_auth_delayed(pam_handle_t *pamh, size_t buflen, + uint8_t *buf) +{ + int ret; + int64_t delayed_until; + struct tm tm; + char delay_str[128]; + char user_msg[256]; + + delay_str[0] = '\0'; + + if (buflen != sizeof(uint32_t) + sizeof(int64_t)) { + D(("User info response data has the wrong size")); + return PAM_BUF_ERR; + } + + memcpy(&delayed_until, buf + sizeof(uint32_t), sizeof(int64_t)); + + if (delayed_until <= 0) { + D(("User info response data has an invalid value")); + return PAM_BUF_ERR; + } + + if (localtime_r((time_t *) &delayed_until, 
&tm) != NULL) { + ret = strftime(delay_str, sizeof(delay_str), "%c", &tm); + if (ret == 0) { + D(("strftime failed.")); + delay_str[0] = '\0'; + } + } else { + D(("localtime_r failed")); + } + + ret = snprintf(user_msg, sizeof(user_msg), "%s%s.", + _("Authentication is denied until: "), + delay_str); + if (ret < 0 || ret >= sizeof(user_msg)) { + D(("snprintf failed.")); + return PAM_SYSTEM_ERR; + } + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int user_info_offline_chpass(pam_handle_t *pamh) +{ + int ret; + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("System is offline, password change not possible"), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int user_info_otp_chpass(pam_handle_t *pamh) +{ + int ret; + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, + _("After changing the OTP password, you need to " + "log out and back in order to acquire a ticket"), + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int user_info_account_expired(pam_handle_t *pamh, size_t buflen, + uint8_t *buf) +{ + int ret; + uint32_t msg_len; + char *user_msg; + size_t bufsize = 0; + + /* resp_type and length of message are expected to be in buf */ + if (buflen < 2* sizeof(uint32_t)) { + D(("User info response data is too short")); + return PAM_BUF_ERR; + } + + /* msg_len = legth of message */ + memcpy(&msg_len, buf + sizeof(uint32_t), sizeof(uint32_t)); + + if (buflen != 2* sizeof(uint32_t) + msg_len) { + D(("User info response data has the wrong size")); + return PAM_BUF_ERR; + } + + bufsize = strlen(EXP_ACC_MSG) + 1; + + if (msg_len > 0) { + bufsize += strlen(SRV_MSG) + msg_len; + } + + user_msg = (char *)malloc(sizeof(char) * 
bufsize); + if (!user_msg) { + D(("Out of memory.")); + return PAM_SYSTEM_ERR; + } + + ret = snprintf(user_msg, bufsize, "%s%s%.*s", + EXP_ACC_MSG, + msg_len > 0 ? SRV_MSG : "", + (int)msg_len, + msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" ); + if (ret < 0 || ret > bufsize) { + D(("snprintf failed.")); + + free(user_msg); + return PAM_SYSTEM_ERR; + } + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); + free(user_msg); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen, + uint8_t *buf) +{ + int ret; + uint32_t msg_len; + char *user_msg; + size_t bufsize = 0; + + if (buflen < 2* sizeof(uint32_t)) { + D(("User info response data is too short")); + return PAM_BUF_ERR; + } + + memcpy(&msg_len, buf + sizeof(uint32_t), sizeof(uint32_t)); + + if (buflen != 2* sizeof(uint32_t) + msg_len) { + D(("User info response data has the wrong size")); + return PAM_BUF_ERR; + } + + bufsize = strlen(_("Password change failed. ")) + 1; + + if (msg_len > 0) { + bufsize += strlen(_("Server message: ")) + msg_len; + } + + user_msg = (char *)malloc(sizeof(char) * bufsize); + if (!user_msg) { + D(("Out of memory.")); + return PAM_SYSTEM_ERR; + } + + ret = snprintf(user_msg, bufsize, "%s%s%.*s", + _("Password change failed. "), + msg_len > 0 ? _("Server message: ") : "", + (int)msg_len, + msg_len > 0 ? 
(char *)(buf + 2 * sizeof(uint32_t)) : "" ); + if (ret < 0 || ret > bufsize) { + D(("snprintf failed.")); + + free(user_msg); + return PAM_SYSTEM_ERR; + } + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL); + free(user_msg); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + + return PAM_SYSTEM_ERR; + } + + return PAM_SUCCESS; +} + +static int eval_user_info_response(pam_handle_t *pamh, size_t buflen, + uint8_t *buf) +{ + int ret; + uint32_t type; + + if (buflen < sizeof(uint32_t)) { + D(("User info response data is too short")); + return PAM_BUF_ERR; + } + + memcpy(&type, buf, sizeof(uint32_t)); + + switch(type) { + case SSS_PAM_USER_INFO_OFFLINE_AUTH: + ret = user_info_offline_auth(pamh, buflen, buf); + break; + case SSS_PAM_USER_INFO_GRACE_LOGIN: + ret = user_info_grace_login(pamh, buflen, buf); + break; + case SSS_PAM_USER_INFO_EXPIRE_WARN: + ret = user_info_expire_warn(pamh, buflen, buf); + break; + case SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED: + ret = user_info_offline_auth_delayed(pamh, buflen, buf); + break; + case SSS_PAM_USER_INFO_OFFLINE_CHPASS: + ret = user_info_offline_chpass(pamh); + break; + case SSS_PAM_USER_INFO_OTP_CHPASS: + ret = user_info_otp_chpass(pamh); + break; + case SSS_PAM_USER_INFO_CHPASS_ERROR: + ret = user_info_chpass_error(pamh, buflen, buf); + break; + case SSS_PAM_USER_INFO_ACCOUNT_EXPIRED: + ret = user_info_account_expired(pamh, buflen, buf); + break; + default: + D(("Unknown user info type [%d]", type)); + ret = PAM_SYSTEM_ERR; + } + + return ret; +} + +static int parse_cert_info(struct pam_items *pi, uint8_t *buf, size_t len, + size_t *p, const char **cert_user) +{ + struct cert_auth_info *cai = NULL; + size_t offset; + int ret; + + if (buf[*p + (len - 1)] != '\0') { + D(("cert info does not end with \\0.")); + return EINVAL; + } + + cai = calloc(1, sizeof(struct cert_auth_info)); + if (cai == NULL) { + return ENOMEM; + } + + cai->cert_user = strdup((char *) &buf[*p]); + if (cai->cert_user == 
NULL) { + D(("strdup failed")); + ret = ENOMEM; + goto done; + } + if (cert_user != NULL) { + *cert_user = cai->cert_user; + } + + offset = strlen(cai->cert_user) + 1; + if (offset >= len) { + D(("Cert message size mismatch")); + ret = EINVAL; + goto done; + } + + cai->token_name = strdup((char *) &buf[*p + offset]); + if (cai->token_name == NULL) { + D(("strdup failed")); + ret = ENOMEM; + goto done; + } + + offset += strlen(cai->token_name) + 1; + if (offset >= len) { + D(("Cert message size mismatch")); + ret = EINVAL; + goto done; + } + + cai->module_name = strdup((char *) &buf[*p + offset]); + if (cai->module_name == NULL) { + D(("strdup failed")); + ret = ENOMEM; + goto done; + } + + offset += strlen(cai->module_name) + 1; + if (offset >= len) { + D(("Cert message size mismatch")); + ret = EINVAL; + goto done; + } + + cai->key_id = strdup((char *) &buf[*p + offset]); + if (cai->key_id == NULL) { + D(("strdup failed")); + ret = ENOMEM; + goto done; + } + + offset += strlen(cai->key_id) + 1; + if (offset >= len) { + D(("Cert message size mismatch")); + ret = EINVAL; + goto done; + } + + cai->prompt_str = strdup((char *) &buf[*p + offset]); + if (cai->prompt_str == NULL) { + D(("strdup failed")); + ret = ENOMEM; + goto done; + } + + + D(("cert user: [%s] token name: [%s] module: [%s] key id: [%s] " + "prompt: [%s]", + cai->cert_user, cai->token_name, cai->module_name, + cai->key_id, cai->prompt_str)); + + DLIST_ADD(pi->cert_list, cai); + ret = 0; + +done: + if (ret != 0) { + free_cai(cai); + } + + return ret; +} + +static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, + struct pam_items *pi) +{ + int ret; + size_t p=0; + char *env_item; + int32_t c; + int32_t type; + int32_t len; + int32_t pam_status; + size_t offset; + const char *cert_user; + + if (buflen < (2*sizeof(int32_t))) { + D(("response buffer is too small")); + return PAM_BUF_ERR; + } + + memcpy(&pam_status, buf+p, sizeof(int32_t)); + p += sizeof(int32_t); + + + memcpy(&c, buf+p, 
sizeof(int32_t)); + p += sizeof(int32_t); + + while(c>0) { + if (buflen < (p+2*sizeof(int32_t))) { + D(("response buffer is too small")); + return PAM_BUF_ERR; + } + + memcpy(&type, buf+p, sizeof(int32_t)); + p += sizeof(int32_t); + + memcpy(&len, buf+p, sizeof(int32_t)); + p += sizeof(int32_t); + + if (buflen < (p + len)) { + D(("response buffer is too small")); + return PAM_BUF_ERR; + } + + switch(type) { + case SSS_PAM_SYSTEM_INFO: + if (buf[p + (len -1)] != '\0') { + D(("system info does not end with \\0.")); + break; + } + logger(pamh, LOG_INFO, "system info: [%s]", &buf[p]); + break; + case SSS_PAM_DOMAIN_NAME: + if (buf[p + (len -1)] != '\0') { + D(("domain name does not end with \\0.")); + break; + } + D(("domain name: [%s]", &buf[p])); + free(pi->domain_name); + pi->domain_name = strdup((char *) &buf[p]); + if (pi->domain_name == NULL) { + D(("strdup failed")); + } + break; + case SSS_ENV_ITEM: + case SSS_PAM_ENV_ITEM: + case SSS_ALL_ENV_ITEM: + if (buf[p + (len -1)] != '\0') { + D(("env item does not end with \\0.")); + break; + } + + D(("env item: [%s]", &buf[p])); + if (type == SSS_PAM_ENV_ITEM || type == SSS_ALL_ENV_ITEM) { + ret = pam_putenv(pamh, (char *)&buf[p]); + if (ret != PAM_SUCCESS) { + D(("pam_putenv failed.")); + break; + } + } + + if (type == SSS_ENV_ITEM || type == SSS_ALL_ENV_ITEM) { + env_item = strdup((char *)&buf[p]); + if (env_item == NULL) { + D(("strdup failed")); + break; + } + ret = putenv(env_item); + if (ret == -1) { + D(("putenv failed.")); + break; + } + } + break; + case SSS_PAM_USER_INFO: + ret = eval_user_info_response(pamh, len, &buf[p]); + if (ret != PAM_SUCCESS) { + D(("eval_user_info_response failed")); + } + break; + case SSS_PAM_TEXT_MSG: + if (buf[p + (len -1)] != '\0') { + D(("system info does not end with \\0.")); + break; + } + + ret = do_pam_conversation(pamh, PAM_TEXT_INFO, (char *) &buf[p], + NULL, NULL); + if (ret != PAM_SUCCESS) { + D(("do_pam_conversation failed.")); + } + break; + case SSS_OTP: + D(("OTP 
was used, removing authtokens.")); + overwrite_and_free_authtoks(pi); + ret = pam_set_item(pamh, PAM_AUTHTOK, NULL); + if (ret != PAM_SUCCESS) { + D(("Failed to remove PAM_AUTHTOK after using otp [%s]", + pam_strerror(pamh,ret))); + } + break; + case SSS_PAM_OTP_INFO: + if (buf[p + (len - 1)] != '\0') { + D(("otp info does not end with \\0.")); + break; + } + + free(pi->otp_vendor); + pi->otp_vendor = strdup((char *) &buf[p]); + if (pi->otp_vendor == NULL) { + D(("strdup failed")); + break; + } + + offset = strlen(pi->otp_vendor) + 1; + if (offset >= len) { + D(("OTP message size mismatch")); + free(pi->otp_vendor); + pi->otp_vendor = NULL; + break; + } + free(pi->otp_token_id); + pi->otp_token_id = strdup((char *) &buf[p + offset]); + if (pi->otp_token_id == NULL) { + D(("strdup failed")); + break; + } + + offset += strlen(pi->otp_token_id) + 1; + if (offset >= len) { + D(("OTP message size mismatch")); + free(pi->otp_token_id); + pi->otp_token_id = NULL; + break; + } + free(pi->otp_challenge); + pi->otp_challenge = strdup((char *) &buf[p + offset]); + if (pi->otp_challenge == NULL) { + D(("strdup failed")); + break; + } + + break; + case SSS_PAM_CERT_INFO: + case SSS_PAM_CERT_INFO_WITH_HINT: + if (buf[p + (len - 1)] != '\0') { + D(("cert info does not end with \\0.")); + break; + } + + if (type == SSS_PAM_CERT_INFO_WITH_HINT) { + pi->user_name_hint = true; + } else { + pi->user_name_hint = false; + } + + ret = parse_cert_info(pi, buf, len, &p, &cert_user); + if (ret != 0) { + D(("Failed to parse cert info")); + break; + } + + if ((pi->pam_user == NULL || *(pi->pam_user) == '\0') + && *cert_user != '\0') { + ret = pam_set_item(pamh, PAM_USER, cert_user); + if (ret != PAM_SUCCESS) { + D(("Failed to set PAM_USER during " + "Smartcard authentication [%s]", + pam_strerror(pamh, ret))); + break; + } + + ret = pam_get_item(pamh, PAM_USER, + (const void **)&(pi->pam_user)); + if (ret != PAM_SUCCESS) { + D(("Failed to get PAM_USER during " + "Smartcard authentication 
[%s]", + pam_strerror(pamh, ret))); + break; + } + + pi->pam_user_size = strlen(pi->pam_user) + 1; + } + break; + case SSS_PASSWORD_PROMPTING: + D(("Password prompting available.")); + pi->password_prompting = true; + break; + default: + D(("Unknown response type [%d]", type)); + } + p += len; + + --c; + } + + return PAM_SUCCESS; +} + +static int get_pam_items(pam_handle_t *pamh, uint32_t flags, + struct pam_items *pi) +{ + int ret; + + pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY; + pi->pam_authtok = NULL; + pi->pam_authtok_size = 0; + pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY; + pi->pam_newauthtok = NULL; + pi->pam_newauthtok_size = 0; + pi->first_factor = NULL; + + ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service)); + if (ret != PAM_SUCCESS) return ret; + if (pi->pam_service == NULL) pi->pam_service=""; + pi->pam_service_size=strlen(pi->pam_service)+1; + + ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user)); + if (ret == PAM_PERM_DENIED && (flags & FLAGS_ALLOW_MISSING_NAME)) { + pi->pam_user = ""; + ret = PAM_SUCCESS; + } + if (ret != PAM_SUCCESS) return ret; + if (pi->pam_user == NULL) { + if (flags & FLAGS_ALLOW_MISSING_NAME) { + pi->pam_user = ""; + } else { + D(("No user found, aborting.")); + return PAM_BAD_ITEM; + } + } + if (strcmp(pi->pam_user, "root") == 0) { + D(("pam_sss will not handle root.")); + return PAM_USER_UNKNOWN; + } + pi->pam_user_size=strlen(pi->pam_user)+1; + + + ret = pam_get_item(pamh, PAM_TTY, (const void **) &(pi->pam_tty)); + if (ret != PAM_SUCCESS) return ret; + if (pi->pam_tty == NULL) pi->pam_tty=""; + pi->pam_tty_size=strlen(pi->pam_tty)+1; + + ret = pam_get_item(pamh, PAM_RUSER, (const void **) &(pi->pam_ruser)); + if (ret != PAM_SUCCESS) return ret; + if (pi->pam_ruser == NULL) pi->pam_ruser=""; + pi->pam_ruser_size=strlen(pi->pam_ruser)+1; + + ret = pam_get_item(pamh, PAM_RHOST, (const void **) &(pi->pam_rhost)); + if (ret != PAM_SUCCESS) return ret; + if (pi->pam_rhost == NULL) 
pi->pam_rhost=""; + pi->pam_rhost_size=strlen(pi->pam_rhost)+1; + + ret = pam_get_item(pamh, PAM_AUTHTOK, + (const void **) &(pi->pamstack_authtok)); + if (ret != PAM_SUCCESS) return ret; + if (pi->pamstack_authtok == NULL) pi->pamstack_authtok=""; + + ret = pam_get_item(pamh, PAM_OLDAUTHTOK, + (const void **) &(pi->pamstack_oldauthtok)); + if (ret != PAM_SUCCESS) return ret; + if (pi->pamstack_oldauthtok == NULL) pi->pamstack_oldauthtok=""; + + pi->cli_pid = getpid(); + + pi->login_name = pam_modutil_getlogin(pamh); + if (pi->login_name == NULL) pi->login_name=""; + + pi->domain_name = NULL; + + if (pi->requested_domains == NULL) pi->requested_domains = ""; + pi->requested_domains_size = strlen(pi->requested_domains) + 1; + + pi->otp_vendor = NULL; + pi->otp_token_id = NULL; + pi->otp_challenge = NULL; + pi->password_prompting = false; + + pi->cert_list = NULL; + pi->selected_cert = NULL; + + return PAM_SUCCESS; +} + +static void print_pam_items(struct pam_items *pi) +{ + if (pi == NULL) return; + + D(("Service: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_service))); + D(("User: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_user))); + D(("Tty: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_tty))); + D(("Ruser: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_ruser))); + D(("Rhost: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_rhost))); + D(("Pamstack_Authtok: %s", + CHECK_AND_RETURN_PI_STRING(pi->pamstack_authtok))); + D(("Pamstack_Oldauthtok: %s", + CHECK_AND_RETURN_PI_STRING(pi->pamstack_oldauthtok))); + D(("Authtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_authtok))); + D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok))); + D(("Cli_PID: %d", pi->cli_pid)); + D(("Requested domains: %s", pi->requested_domains)); +} + +static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, + enum sss_cli_command task, bool quiet_mode) +{ + int ret; + int sret; + int errnop; + struct sss_cli_req_data rd; + uint8_t *buf = NULL; + uint8_t *repbuf = NULL; + size_t replen; + int 
pam_status = PAM_SYSTEM_ERR; + + print_pam_items(pi); + + ret = pack_message_v3(pi, &rd.len, &buf); + if (ret != 0) { + D(("pack_message failed.")); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + rd.data = buf; + + errnop = 0; + ret = sss_pam_make_request(task, &rd, &repbuf, &replen, &errnop); + + sret = pam_set_data(pamh, FD_DESTRUCTOR, NULL, close_fd); + if (sret != PAM_SUCCESS) { + D(("pam_set_data failed, client might leaks fds")); + } + + if (ret != PAM_SUCCESS) { + if (errnop != 0) { + logger(pamh, LOG_ERR, "Request to sssd failed. %s", ssscli_err2string(errnop)); + } + pam_status = PAM_AUTHINFO_UNAVAIL; + goto done; + } + +/* FIXME: add an end signature */ + if (replen < (2*sizeof(int32_t))) { + D(("response not in expected format.")); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + SAFEALIGN_COPY_UINT32(&pam_status, repbuf, NULL); + ret = eval_response(pamh, replen, repbuf, pi); + if (ret != PAM_SUCCESS) { + D(("eval_response failed.")); + pam_status = ret; + goto done; + } + + switch (task) { + case SSS_PAM_AUTHENTICATE: + logger(pamh, (pam_status == PAM_SUCCESS ? LOG_INFO : LOG_NOTICE), + "authentication %s; logname=%s uid=%lu euid=%d tty=%s " + "ruser=%s rhost=%s user=%s", + pam_status == PAM_SUCCESS ? 
"success" : "failure", + pi->login_name, getuid(), (unsigned long) geteuid(), + pi->pam_tty, pi->pam_ruser, pi->pam_rhost, pi->pam_user); + if (pam_status != PAM_SUCCESS) { + /* don't log if quiet_mode is on and pam_status is + * User not known to the underlying authentication module + */ + if (!quiet_mode || pam_status != 10) { + logger(pamh, LOG_NOTICE, "received for user %s: %d (%s)", + pi->pam_user, pam_status, + pam_strerror(pamh,pam_status)); + } + } + break; + case SSS_PAM_CHAUTHTOK_PRELIM: + if (pam_status != PAM_SUCCESS) { + /* don't log if quiet_mode is on and pam_status is + * User not known to the underlying authentication module + */ + if (!quiet_mode || pam_status != 10) { + logger(pamh, LOG_NOTICE, + "Authentication failed for user %s: %d (%s)", + pi->pam_user, pam_status, + pam_strerror(pamh,pam_status)); + } + } + break; + case SSS_PAM_CHAUTHTOK: + if (pam_status != PAM_SUCCESS) { + logger(pamh, LOG_NOTICE, + "Password change failed for user %s: %d (%s)", + pi->pam_user, pam_status, + pam_strerror(pamh,pam_status)); + } + break; + case SSS_PAM_ACCT_MGMT: + if (pam_status != PAM_SUCCESS) { + /* don't log if quiet_mode is on and pam_status is + * User not known to the underlying authentication module + */ + if (!quiet_mode || pam_status != 10) { + logger(pamh, LOG_NOTICE, + "Access denied for user %s: %d (%s)", + pi->pam_user, pam_status, + pam_strerror(pamh,pam_status)); + } + } + break; + case SSS_PAM_OPEN_SESSION: + case SSS_PAM_SETCRED: + case SSS_PAM_CLOSE_SESSION: + case SSS_PAM_PREAUTH: + break; + default: + D(("Illegal task [%#x]", task)); + return PAM_SYSTEM_ERR; + } + +done: + if (buf != NULL ) { + _pam_overwrite_n((void *)buf, rd.len); + free(buf); + } + free(repbuf); + + return pam_status; +} + +static int prompt_password(pam_handle_t *pamh, struct pam_items *pi, + const char *prompt) +{ + int ret; + char *answer = NULL; + + ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, NULL, &answer); + if (ret != PAM_SUCCESS) { + 
D(("do_pam_conversation failed."));
+ return ret;
+ }
+
+ if (answer == NULL) {
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok_size=0;
+ } else {
+ pi->pam_authtok = strdup(answer);
+ _pam_overwrite((void *)answer);
+ free(answer);
+ answer=NULL;
+ if (pi->pam_authtok == NULL) {
+ return PAM_BUF_ERR;
+ }
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_size=strlen(pi->pam_authtok);
+ }
+
+ return PAM_SUCCESS;
+}
+
+static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
+ const char *prompt_fa1, const char *prompt_fa2)
+{
+ int ret;
+ const struct pam_conv *conv;
+ const struct pam_message *mesg[2] = { NULL, NULL };
+ struct pam_message m[2] = { {0}, {0} };
+ struct pam_response *resp = NULL;
+ size_t needed_size;
+
+ ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+ if (ret != PAM_SUCCESS) {
+ return ret;
+ }
+ if (conv == NULL || conv->conv == NULL) {
+ logger(pamh, LOG_ERR, "No conversation function");
+ return PAM_SYSTEM_ERR;
+ }
+
+ m[0].msg_style = PAM_PROMPT_ECHO_OFF;
+ m[0].msg = prompt_fa1;
+ m[1].msg_style = PAM_PROMPT_ECHO_OFF;
+ m[1].msg = prompt_fa2;
+
+ mesg[0] = (const struct pam_message *) m;
+ /* The following assignment might look a bit odd but is recommended in the
+ * pam_conv man page to make sure that the second argument of the PAM
+ * conversation function can be interpreted in two different ways.
+ * Basically it is important that both the actual struct pam_message and
+ * the pointers to the struct pam_message are arrays. Since the assignment
+ * makes clear that mesg[] and (*mesg)[] are arrays it should be kept this
+ * way and not be replaced by other equivalent assignments. */
+ mesg[1] = & (( *mesg )[1]);
+
+ ret = conv->conv(2, mesg, &resp, conv->appdata_ptr);
+ if (ret != PAM_SUCCESS) {
+ D(("Conversation failure: %s.", pam_strerror(pamh, ret)));
+ return ret;
+ }
+
+ if (resp == NULL) {
+ D(("response expected, but resp==NULL"));
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (resp[0].resp == NULL || *(resp[0].resp) == '\0') {
+ D(("Missing factor."));
+ ret = PAM_CRED_INSUFFICIENT;
+ goto done;
+ }
+
+ if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
+ || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
+ && strcmp(resp[0].resp, resp[1].resp) == 0)) {
+ /* Missing second factor, assume first factor contains combined 2FA
+ * credentials.
+ * Special handling for SSH with password authentication. Combined
+ * 2FA credentials are used but SSH puts them in both responses. */
+
+ pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ if (pi->pam_authtok == NULL) {
+ D(("strndup failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+ pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ } else {
+
+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0,
+ &needed_size);
+ if (ret != EAGAIN) {
+ D(("sss_auth_pack_2fa_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok = malloc(needed_size);
+ if (pi->pam_authtok == NULL) {
+ D(("malloc failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0,
+ (uint8_t *) pi->pam_authtok, needed_size,
+ &needed_size);
+ if (ret != EOK) {
+ D(("sss_auth_pack_2fa_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok_size = needed_size;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA;
+ pi->first_factor = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ if (pi->first_factor == NULL) {
+ D(("strndup failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+ }
+
+ ret = PAM_SUCCESS;
+
+done:
+ if (resp != NULL) {
+ if (resp[0].resp != NULL) {
+ _pam_overwrite((void *)resp[0].resp);
+ free(resp[0].resp);
+ }
+ if (resp[1].resp != NULL) {
+ _pam_overwrite((void *)resp[1].resp);
+ free(resp[1].resp);
+ }
+
+ free(resp);
+ resp = NULL;
+ }
+
+ return ret;
+}
+
+#define SC_PROMPT_FMT "PIN for %s"
+
+#ifndef discard_const
+#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
+#endif
+
+#define CERT_SEL_PROMPT_FMT "%s"
+#define SEL_TITLE discard_const("Please select a certificate")
+
+static int prompt_multi_cert_gdm(pam_handle_t *pamh, struct pam_items *pi)
+{
+#ifdef HAVE_GDM_PAM_EXTENSIONS
+ int ret;
+ size_t cert_count = 0;
+ size_t c;
+ const struct pam_conv *conv;
+ struct cert_auth_info *cai;
+ GdmPamExtensionChoiceListRequest *request = NULL;
+ GdmPamExtensionChoiceListResponse *response = NULL;
+ struct pam_message prompt_message;
+ const struct pam_message *prompt_messages[1];
+ struct pam_response *reply = NULL;
+ char *prompt;
+
+ if (!GDM_PAM_EXTENSION_SUPPORTED(GDM_PAM_EXTENSION_CHOICE_LIST)) {
+ return ENOTSUP;
+ }
+
+ if (pi->cert_list == NULL) {
+ return EINVAL;
+ }
+
+ DLIST_FOR_EACH(cai, pi->cert_list) {
+ cert_count++;
+ }
+
+ ret = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+ if (ret != PAM_SUCCESS) {
+ ret = EIO;
+ return ret;
+ }
+
+ request = calloc(1, GDM_PAM_EXTENSION_CHOICE_LIST_REQUEST_SIZE(cert_count));
+ if (request == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ GDM_PAM_EXTENSION_CHOICE_LIST_REQUEST_INIT(request, SEL_TITLE, cert_count);
+
+ c = 0;
+ DLIST_FOR_EACH(cai, pi->cert_list) {
+ ret = asprintf(&prompt, CERT_SEL_PROMPT_FMT, cai->prompt_str);
+ if (ret == -1) {
+ ret = ENOMEM;
+ goto done;
+ }
+ request->list.items[c].key = cai->key_id;
+ request->list.items[c++].text = prompt;
+ }
+
+ GDM_PAM_EXTENSION_MESSAGE_TO_BINARY_PROMPT_MESSAGE(request,
+ &prompt_message);
+ prompt_messages[0] = &prompt_message;
+
+ ret = conv->conv(1, prompt_messages, &reply, conv->appdata_ptr);
+ if (ret != PAM_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ ret = EIO;
+ response = GDM_PAM_EXTENSION_REPLY_TO_CHOICE_LIST_RESPONSE(reply);
+ if (response->key == NULL) {
+ goto done;
+ }
+
+ DLIST_FOR_EACH(cai, pi->cert_list) {
+ if (strcmp(response->key, cai->key_id) == 0) {
+ pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);
+ pi->selected_cert = cai;
+ ret = 0;
+ break;
+ }
+ }
+
+done:
+ if (request != NULL) {
+ for (c = 0; c < cert_count; c++) {
+ free(discard_const(request->list.items[c++].text));
+ }
+ free(request);
+ }
+ free(response);
+
+ return ret;
+#else
+ return ENOTSUP;
+#endif
+}
+
+#define TEXT_CERT_SEL_PROMPT_FMT "%s\n[%zu]:\n%s\n"
+#define TEXT_SEL_TITLE discard_const("Please select a certificate by typing " \
+ "the corresponding number\n")
+
+static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
+{
+ int ret;
+ size_t cert_count = 0;
+ size_t tries = 0;
+ long int resp = -1;
+ struct cert_auth_info *cai;
+ char *prompt;
+ char *tmp;
+ char *answer;
+ char *ep;
+
+ /* First check if gdm extension is supported */
+ ret = prompt_multi_cert_gdm(pamh, pi);
+ if (ret != ENOTSUP) {
+ return ret;
+ }
+
+ if (pi->cert_list == NULL) {
+ return EINVAL;
+ }
+
+ prompt = strdup(TEXT_SEL_TITLE);
+ if (prompt == NULL) {
+ return ENOMEM;
+ }
+
+ DLIST_FOR_EACH(cai, pi->cert_list) {
+ cert_count++;
+ ret = asprintf(&tmp, TEXT_CERT_SEL_PROMPT_FMT, prompt, cert_count,
+ cai->prompt_str);
+ free(prompt);
+ if (ret == -1) {
+ return ENOMEM;
+ }
+
+ prompt = tmp;
+ }
+
+ do {
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_ON, prompt, NULL,
+ &answer);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ break;
+ }
+
+ errno = 0;
+ resp = strtol(answer, &ep, 10);
+ if (errno == 0 && *ep == '\0' && resp > 0 && resp <= cert_count) {
+ /* do not free answer ealier because ep is pointing to it */
+ free(answer);
+ break;
+ }
+ free(answer);
+ resp = -1;
+ } while (++tries < 5);
+ free(prompt);
+
+ pi->selected_cert = NULL;
+ ret = ENOENT;
+ if (resp > 0 && resp <= cert_count) {
+ cert_count = 0;
+
DLIST_FOR_EACH(cai, pi->cert_list) {
+ cert_count++;
+ if (resp == cert_count) {
+ pam_info(pamh, "Certificate ‘%s’ selected", cai->key_id);
+ pi->selected_cert = cai;
+ ret = 0;
+ break;
+ }
+ }
+ }
+
+ return ret;
+}
+
+static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
+{
+ int ret;
+ char *answer = NULL;
+ char *prompt;
+ size_t size;
+ size_t needed_size;
+ const struct pam_conv *conv;
+ const struct pam_message *mesg[2] = { NULL, NULL };
+ struct pam_message m[2] = { { 0 }, { 0 } };
+ struct pam_response *resp = NULL;
+ struct cert_auth_info *cai = pi->selected_cert;
+
+ if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
+ return EINVAL;
+ }
+
+ size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name);
+ prompt = malloc(size);
+ if (prompt == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+
+ ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name);
+ if (ret < 0 || ret >= size) {
+ D(("snprintf failed."));
+ free(prompt);
+ return EFAULT;
+ }
+
+ if (pi->user_name_hint) {
+ ret = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+ if (ret != PAM_SUCCESS) {
+ free(prompt);
+ return ret;
+ }
+ if (conv == NULL || conv->conv == NULL) {
+ logger(pamh, LOG_ERR, "No conversation function");
+ free(prompt);
+ return PAM_SYSTEM_ERR;
+ }
+
+ m[0].msg_style = PAM_PROMPT_ECHO_OFF;
+ m[0].msg = prompt;
+ m[1].msg_style = PAM_PROMPT_ECHO_ON;
+ m[1].msg = "User name hint: ";
+
+ mesg[0] = (const struct pam_message *)m;
+ /* The following assignment might look a bit odd but is recommended in the
+ * pam_conv man page to make sure that the second argument of the PAM
+ * conversation function can be interpreted in two different ways.
+ * Basically it is important that both the actual struct pam_message and
+ * the pointers to the struct pam_message are arrays. Since the assignment
+ * makes clear that mesg[] and (*mesg)[] are arrays it should be kept this
+ * way and not be replaced by other equivalent assignments. */
+ mesg[1] = &((*mesg)[1]);
+
+ ret = conv->conv(2, mesg, &resp, conv->appdata_ptr);
+ free(prompt);
+ if (ret != PAM_SUCCESS) {
+ D(("Conversation failure: %s.", pam_strerror(pamh, ret)));
+ return ret;
+ }
+
+ if (resp == NULL) {
+ D(("response expected, but resp==NULL"));
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (resp[0].resp == NULL || *(resp[0].resp) == '\0') {
+ D(("Missing PIN."));
+ ret = PAM_CRED_INSUFFICIENT;
+ goto done;
+ }
+
+ answer = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
+ _pam_overwrite((void *)resp[0].resp);
+ free(resp[0].resp);
+ resp[0].resp = NULL;
+ if (answer == NULL) {
+ D(("strndup failed"));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ if (resp[1].resp != NULL && *(resp[1].resp) != '\0') {
+ ret = pam_set_item(pamh, PAM_USER, resp[1].resp);
+ free(resp[1].resp);
+ resp[1].resp = NULL;
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_USER with user name hint [%s]",
+ pam_strerror(pamh, ret)));
+ goto done;
+ }
+
+ ret = pam_get_item(pamh, PAM_USER, (const void **)&(pi->pam_user));
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to get PAM_USER with user name hint [%s]",
+ pam_strerror(pamh, ret)));
+ goto done;
+ }
+
+ pi->pam_user_size = strlen(pi->pam_user) + 1;
+ }
+ } else {
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, NULL,
+ &answer);
+ free(prompt);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return ret;
+ }
+ }
+
+ if (answer == NULL) {
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok_size=0;
+ } else {
+
+ ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
+ cai->module_name, 0,
+ cai->key_id, 0,
+ NULL, 0, &needed_size);
+ if (ret != EAGAIN) {
+ D(("sss_auth_pack_sc_blob failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok = malloc(needed_size);
+ if (pi->pam_authtok == NULL) {
+ D(("malloc failed."));
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,
+ cai->module_name, 0,
+
cai->key_id, 0,
+ (uint8_t *) pi->pam_authtok, needed_size,
+ &needed_size);
+ if (ret != EOK) {
+ D(("sss_auth_pack_sc_blob failed."));
+ free((void *)pi->pam_authtok);
+ ret = PAM_BUF_ERR;
+ goto done;
+ }
+
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
+ pi->pam_authtok_size = needed_size;
+ }
+
+ ret = PAM_SUCCESS;
+
+done:
+ _pam_overwrite((void *)answer);
+ free(answer);
+ answer=NULL;
+
+ if (resp != NULL) {
+ if (resp[0].resp != NULL) {
+ _pam_overwrite((void *)resp[0].resp);
+ free(resp[0].resp);
+ }
+ if (resp[1].resp != NULL) {
+ _pam_overwrite((void *)resp[1].resp);
+ free(resp[1].resp);
+ }
+
+ free(resp);
+ resp = NULL;
+ }
+
+ return ret;
+}
+
+static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
+{
+ int ret;
+ char *answer = NULL;
+
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF,
+ _("New Password: "),
+ _("Reenter new Password: "),
+ &answer);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return ret;
+ }
+ if (answer == NULL) {
+ pi->pam_newauthtok = NULL;
+ pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_newauthtok_size=0;
+ } else {
+ pi->pam_newauthtok = strdup(answer);
+ _pam_overwrite((void *)answer);
+ free(answer);
+ answer=NULL;
+ if (pi->pam_newauthtok == NULL) {
+ return PAM_BUF_ERR;
+ }
+ pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_newauthtok_size=strlen(pi->pam_newauthtok);
+ }
+
+ return PAM_SUCCESS;
+}
+
+static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
+ uint32_t *flags, int *retries, bool *quiet_mode,
+ const char **domains)
+{
+ char *ep;
+
+ *quiet_mode = false;
+
+ for (; argc-- > 0; ++argv) {
+ if (strcmp(*argv, "forward_pass") == 0) {
+ *flags |= FLAGS_FORWARD_PASS;
+ } else if (strcmp(*argv, "use_first_pass") == 0) {
+ *flags |= FLAGS_USE_FIRST_PASS;
+ } else if (strcmp(*argv, "use_authtok") == 0) {
+ *flags |= FLAGS_USE_AUTHTOK;
+ } else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
+ if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
+ logger(pamh, LOG_ERR, "Missing argument to option domains.");
+ *domains = "";
+ } else {
+ *domains = *argv+strlen(OPT_DOMAINS_KEY);
+ }
+
+ } else if (strncmp(*argv, OPT_RETRY_KEY, strlen(OPT_RETRY_KEY)) == 0) {
+ if (*(*argv+6) == '\0') {
+ logger(pamh, LOG_ERR, "Missing argument to option retry.");
+ *retries = 0;
+ } else {
+ errno = 0;
+ *retries = strtol(*argv+6, &ep, 10);
+ if (errno != 0) {
+ D(("strtol failed [%d][%s]", errno, strerror(errno)));
+ *retries = 0;
+ }
+ if (*ep != '\0') {
+ logger(pamh, LOG_ERR, "Argument to option retry contains "
+ "extra characters.");
+ *retries = 0;
+ }
+ if (*retries < 0) {
+ logger(pamh, LOG_ERR, "Argument to option retry must not "
+ "be negative.");
+ *retries = 0;
+ }
+ }
+ } else if (strcmp(*argv, "quiet") == 0) {
+ *quiet_mode = true;
+ } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
+ *flags |= FLAGS_IGNORE_UNKNOWN_USER;
+ } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
+ *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
+ } else if (strcmp(*argv, "use_2fa") == 0) {
+ *flags |= FLAGS_USE_2FA;
+ } else if (strcmp(*argv, "allow_missing_name") == 0) {
+ *flags |= FLAGS_ALLOW_MISSING_NAME;
+ } else if (strcmp(*argv, "prompt_always") == 0) {
+ *flags |= FLAGS_PROMPT_ALWAYS;
+ } else {
+ logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
+ }
+ }
+
+ return;
+}
+
+static int get_authtok_for_authentication(pam_handle_t *pamh,
+ struct pam_items *pi,
+ uint32_t flags)
+{
+ int ret;
+
+ if ((flags & FLAGS_USE_FIRST_PASS)
+ || ( pi->pamstack_authtok != NULL
+ && *(pi->pamstack_authtok) != '\0'
+ && !(flags & FLAGS_PROMPT_ALWAYS))) {
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok = strdup(pi->pamstack_authtok);
+ if (pi->pam_authtok == NULL) {
+ D(("option use_first_pass set, but no password found"));
+ return PAM_BUF_ERR;
+ }
+ pi->pam_authtok_size = strlen(pi->pam_authtok);
+ } else {
+ if (flags & FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor (optional): "));
+ } else {
+ ret = prompt_2fa(pamh, pi, _("First Factor: "),
+ _("Second Factor: "));
+ }
+ } else if (pi->cert_list != NULL) {
+ if (pi->cert_list->next == NULL) {
+ /* Only one certificate */
+ pi->selected_cert = pi->cert_list;
+ } else {
+ ret = prompt_multi_cert(pamh, pi);
+ if (ret != 0) {
+ D(("Failed to select certificate"));
+ return PAM_AUTHTOK_ERR;
+ }
+ }
+ ret = prompt_sc_pin(pamh, pi);
+ } else {
+ ret = prompt_password(pamh, pi, _("Password: "));
+ }
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get password from user"));
+ return ret;
+ }
+
+ if (flags & FLAGS_FORWARD_PASS) {
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
+ } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
+ && pi->first_factor != NULL) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
+ } else {
+ ret = EINVAL;
+ }
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_AUTHTOK [%s], "
+ "authtok may not be available for other modules",
+ pam_strerror(pamh,ret)));
+ }
+ }
+ }
+
+ return PAM_SUCCESS;
+}
+
+static int check_authtok_data(pam_handle_t *pamh, struct pam_items *pi)
+{
+ int pam_status;
+ int *authtok_type;
+ size_t *authtok_size;
+ char *authtok_data;
+
+ pam_status = pam_get_data(pamh, PAM_SSS_AUTHOK_TYPE,
+ (const void **) &authtok_type);
+ if (pam_status != PAM_SUCCESS) {
+ D(("pam_get_data failed."));
+ return EIO;
+ }
+
+ pam_status = pam_get_data(pamh, PAM_SSS_AUTHOK_SIZE,
+ (const void **) &authtok_size);
+ if (pam_status != PAM_SUCCESS) {
+ D(("pam_get_data failed."));
+ return EIO;
+ }
+
+ pam_status = pam_get_data(pamh, PAM_SSS_AUTHOK_DATA,
+ (const void **) &authtok_data);
+ if (pam_status != PAM_SUCCESS) {
+ D(("pam_get_data failed."));
+ return EIO;
+ }
+
+ pi->pam_authtok = malloc(*authtok_size);
+ if (pi->pam_authtok == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+ memcpy(pi->pam_authtok, authtok_data, *authtok_size);
+
+ pi->pam_authtok_type = *authtok_type;
+ pi->pam_authtok_size = *authtok_size;
+
+ return 0;
+}
+
+static int keep_authtok_data(pam_handle_t *pamh, struct pam_items *pi)
+{
+ int pam_status;
+ int *authtok_type;
+ size_t *authtok_size;
+ char *authtok_data;
+
+ authtok_type = malloc(sizeof(int));
+ if (authtok_type == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+ *authtok_type = pi->pam_authtok_type;
+
+ pam_status = pam_set_data(pamh, PAM_SSS_AUTHOK_TYPE, authtok_type,
+ free_exp_data);
+ if (pam_status != PAM_SUCCESS) {
+ free(authtok_type);
+ D(("pam_set_data failed."));
+ return EIO;
+ }
+
+ authtok_size = malloc(sizeof(size_t));
+ if (authtok_size == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+ *authtok_size = pi->pam_authtok_size;
+
+ pam_status = pam_set_data(pamh, PAM_SSS_AUTHOK_SIZE, authtok_size,
+ free_exp_data);
+ if (pam_status != PAM_SUCCESS) {
+ free(authtok_size);
+ D(("pam_set_data failed."));
+ return EIO;
+ }
+
+ authtok_data = malloc(pi->pam_authtok_size);
+ if (authtok_data == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+ memcpy(authtok_data, pi->pam_authtok, pi->pam_authtok_size);
+
+ pam_status = pam_set_data(pamh, PAM_SSS_AUTHOK_DATA, authtok_data,
+ free_exp_data);
+ if (pam_status != PAM_SUCCESS) {
+ free(authtok_data);
+ D(("pam_set_data failed."));
+ return EIO;
+ }
+
+ return 0;
+}
+
+static int get_authtok_for_password_change(pam_handle_t *pamh,
+ struct pam_items *pi,
+ uint32_t flags,
+ int pam_flags)
+{
+ int ret;
+ const int *exp_data = NULL;
+ ret = pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
+ if (ret != PAM_SUCCESS) {
+ exp_data = NULL;
+ }
+
+ /* we query for the old password during PAM_PRELIM_CHECK to make
+ * pam_sss work e.g. with pam_cracklib */
+ if (pam_flags & PAM_PRELIM_CHECK) {
+ if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
+ if (flags & FLAGS_USE_2FA
+ || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
+ && pi->otp_challenge != NULL)) {
+ if (pi->password_prompting) {
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor (optional): "));
+ } else {
+ ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
+ _("Second Factor: "));
+ }
+ } else {
+ ret = prompt_password(pamh, pi, _("Current Password: "));
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get password from user"));
+ return ret;
+ }
+ }
+
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_OLDAUTHTOK [%s], "
+ "oldauthtok may not be available",
+ pam_strerror(pamh,ret)));
+ return ret;
+ }
+
+ if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
+ ret = keep_authtok_data(pamh, pi);
+ if (ret != 0) {
+ D(("Failed to store authtok data to pam handle. Password "
+ "change might fail."));
+ }
+ }
+ }
+
+ return PAM_SUCCESS;
+ }
+
+ if (check_authtok_data(pamh, pi) != 0) {
+ if (pi->pamstack_oldauthtok == NULL) {
+ if (getuid() != 0) {
+ D(("no password found for chauthtok"));
+ return PAM_BUF_ERR;
+ } else {
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_size = 0;
+ }
+ } else {
+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
+ if (pi->pam_authtok == NULL) {
+ D(("strdup failed"));
+ return PAM_BUF_ERR;
+ }
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_size = strlen(pi->pam_authtok);
+ }
+ }
+
+ if (flags & FLAGS_USE_AUTHTOK) {
+ pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_newauthtok = strdup(pi->pamstack_authtok);
+ if (pi->pam_newauthtok == NULL) {
+ D(("option use_authtok set, but no new password found"));
+ return PAM_BUF_ERR;
+ }
+ pi->pam_newauthtok_size = strlen(pi->pam_newauthtok);
+ } else {
+ ret = prompt_new_password(pamh, pi);
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get new password from user"));
+ return ret;
+ }
+
+ if (flags & FLAGS_FORWARD_PASS) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to set PAM_AUTHTOK [%s], "
+ "oldauthtok may not be available",
+ pam_strerror(pamh,ret)));
+ }
+ }
+ }
+
+ return PAM_SUCCESS;
+}
+
+#define SC_ENTER_FMT "Please enter smart card labeled\n %s\nand press enter"
+
+static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
+ bool quiet_mode)
+{
+ int ret;
+ int pam_status;
+ char *login_token_name;
+ char *prompt = NULL;
+ size_t size;
+ char *answer = NULL;
+ /* TODO: check multiple cert case */
+ struct cert_auth_info *cai = pi->cert_list;
+
+ if (cai == NULL) {
+ D(("No certificate information available"));
+ return EINVAL;
+ }
+
+ login_token_name = getenv("PKCS11_LOGIN_TOKEN_NAME");
+ if (login_token_name == NULL) {
+ return PAM_SUCCESS;
+ }
+
+ while (cai->token_name == NULL
+ || strcmp(login_token_name, cai->token_name) != 0) {
+ size = sizeof(SC_ENTER_FMT) + strlen(login_token_name);
+ prompt = malloc(size);
+ if (prompt == NULL) {
+ D(("malloc failed."));
+ return ENOMEM;
+ }
+
+ ret = snprintf(prompt, size, SC_ENTER_FMT,
+ login_token_name);
+ if (ret < 0 || ret >= size) {
+ D(("snprintf failed."));
+ free(prompt);
+ return EFAULT;
+ }
+
+ ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt,
+ NULL, &answer);
+ free(prompt);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ return ret;
+ } else {
+ free(answer);
+ }
+
+ pam_status = send_and_receive(pamh, pi, SSS_PAM_PREAUTH, quiet_mode);
+ if (pam_status != PAM_SUCCESS) {
+ D(("send_and_receive returned [%d] during pre-auth", pam_status));
+ /*
+ * Since we are waiting for the right Smartcard to be inserted errors
+ * can be ignored here.
+ */
+ }
+ }
+
+ return PAM_SUCCESS;
+}
+
+static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
+ int pam_flags, int argc, const char **argv)
+{
+ int ret;
+ int pam_status;
+ struct pam_items pi;
+ uint32_t flags = 0;
+ const int *exp_data;
+ int *pw_exp_data;
+ bool retry = false;
+ bool quiet_mode = false;
+ int retries = 0;
+ const char *domains = NULL;
+
+ bindtextdomain(PACKAGE, LOCALEDIR);
+
+ D(("Hello pam_sssd: %#x", task));
+
+ eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
+
+ /* Fail all authentication on misconfigured domains= parameter. The admin
+ * probably wanted to restrict authentication, so it's safer to fail */
+ if (domains && strcmp(domains, "") == 0) {
+ return PAM_SYSTEM_ERR;
+ }
+
+ pi.requested_domains = domains;
+
+ ret = get_pam_items(pamh, flags, &pi);
+ if (ret != PAM_SUCCESS) {
+ D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
+ ret = PAM_IGNORE;
+ }
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && ret == PAM_AUTHINFO_UNAVAIL) {
+ ret = PAM_IGNORE;
+ }
+ return ret;
+ }
+
+ do {
+ retry = false;
+
+ switch(task) {
+ case SSS_PAM_AUTHENTICATE:
+ /*
+ * Only do preauth if
+ * - FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - preauth indicator file exists.
+ */
+ if ( !(flags & FLAGS_USE_FIRST_PASS)
+ && (pi.pam_authtok == NULL
+ || (flags & FLAGS_PROMPT_ALWAYS))
+ && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
+ pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
+ quiet_mode);
+ if (pam_status != PAM_SUCCESS) {
+ D(("send_and_receive returned [%d] during pre-auth",
+ pam_status));
+ /*
+ * Since we are only interested in the result message
+ * and will always use password authentication
+ * as a fallback, errors can be ignored here.
+ */
+ }
+ }
+
+ if (strcmp(pi.pam_service, "gdm-smartcard") == 0) {
+ ret = check_login_token_name(pamh, &pi, quiet_mode);
+ if (ret != PAM_SUCCESS) {
+ D(("check_login_token_name failed.\n"));
+ return ret;
+ }
+ }
+
+ ret = get_authtok_for_authentication(pamh, &pi, flags);
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get authentication token: %s",
+ pam_strerror(pamh, ret)));
+ return ret;
+ }
+ break;
+ case SSS_PAM_CHAUTHTOK:
+ /*
+ * Even if we only want to change the (long term) password
+ * there are cases where more than the password is needed to
+ * get the needed privileges in a backend to change the
+ * password.
+ *
+ * E.g. with mandatory 2-factor authentication we have to ask
+ * not only for the current password but for the second
+ * factor, e.g. the one-time token value, as well.
+ *
+ * The means the preauth step has to be done here as well but
+ * only if
+ * - PAM_PRELIM_CHECK is set
+ * - FLAGS_USE_FIRST_PASS is not set
+ * - no password is on the stack or FLAGS_PROMPT_ALWAYS is set
+ * - preauth indicator file exists.
+ */
+ if ( (pam_flags & PAM_PRELIM_CHECK)
+ && !(flags & FLAGS_USE_FIRST_PASS)
+ && (pi.pam_authtok == NULL
+ || (flags & FLAGS_PROMPT_ALWAYS))
+ && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
+ pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
+ quiet_mode);
+ if (pam_status != PAM_SUCCESS) {
+ D(("send_and_receive returned [%d] during pre-auth",
+ pam_status));
+ /*
+ * Since we are only interested in the result message
+ * and will always use password authentication
+ * as a fallback, errors can be ignored here.
+ */
+ }
+ }
+
+ ret = get_authtok_for_password_change(pamh, &pi, flags, pam_flags);
+ if (ret != PAM_SUCCESS) {
+ D(("failed to get tokens for password change: %s",
+ pam_strerror(pamh, ret)));
+ overwrite_and_free_pam_items(&pi);
+ return ret;
+ }
+
+ if (pam_flags & PAM_PRELIM_CHECK) {
+ if (pi.pam_authtok_type == SSS_AUTHTOK_TYPE_2FA) {
+ /* We cannot validate the credentials with an OTP
+ * token value during PAM_PRELIM_CHECK because it
+ * would be invalid for the actual password change. So
+ * we are done. */
+
+ return PAM_SUCCESS;
+ }
+ task = SSS_PAM_CHAUTHTOK_PRELIM;
+ }
+ break;
+ case SSS_PAM_ACCT_MGMT:
+ case SSS_PAM_SETCRED:
+ case SSS_PAM_OPEN_SESSION:
+ case SSS_PAM_CLOSE_SESSION:
+ break;
+ default:
+ D(("Illegal task [%#x]", task));
+ return PAM_SYSTEM_ERR;
+ }
+
+ pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
+
+ if (flags & FLAGS_IGNORE_UNKNOWN_USER
+ && pam_status == PAM_USER_UNKNOWN) {
+ pam_status = PAM_IGNORE;
+ }
+ if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
+ && pam_status == PAM_AUTHINFO_UNAVAIL) {
+ pam_status = PAM_IGNORE;
+ }
+
+ switch (task) {
+ case SSS_PAM_AUTHENTICATE:
+ /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
+ * authentication, see sss_cli.h for details */
+ if (pam_status == PAM_NEW_AUTHTOK_REQD) {
+ D(("Authtoken expired, trying to change it"));
+
+ pw_exp_data = malloc(sizeof(int));
+ if (pw_exp_data == NULL) {
+ D(("malloc failed."));
+ pam_status = PAM_BUF_ERR;
+ break;
+ }
+ *pw_exp_data = 1;
+
+ pam_status = pam_set_data(pamh, PWEXP_FLAG, pw_exp_data,
+ free_exp_data);
+ if (pam_status != PAM_SUCCESS) {
+ D(("pam_set_data failed."));
+ }
+ }
+ break;
+ case SSS_PAM_ACCT_MGMT:
+ if (pam_status == PAM_SUCCESS &&
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) ==
+ PAM_SUCCESS) {
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+ _("Password expired. Change your password now."),
+ NULL, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("do_pam_conversation failed."));
+ }
+ pam_status = PAM_NEW_AUTHTOK_REQD;
+ }
+ break;
+ case SSS_PAM_CHAUTHTOK:
+ if (pam_status != PAM_SUCCESS && pam_status != PAM_USER_UNKNOWN) {
+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to unset PAM_AUTHTOK [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to unset PAM_OLDAUTHTOK [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ }
+ break;
+ case SSS_PAM_CHAUTHTOK_PRELIM:
+ if (pam_status == PAM_PERM_DENIED && pi.pam_authtok_size == 0 &&
+ getuid() == 0 &&
+ pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) !=
+ PAM_SUCCESS) {
+
+ ret = select_pw_reset_message(pamh, &pi);
+ if (ret != 0) {
+ D(("select_pw_reset_message failed.\n"));
+ }
+ }
+ default:
+ /* nothing to do */
+ break;
+ }
+
+ overwrite_and_free_pam_items(&pi);
+
+ D(("retries [%d].", retries));
+
+ if (pam_status != PAM_SUCCESS &&
+ (task == SSS_PAM_AUTHENTICATE || task == SSS_PAM_CHAUTHTOK_PRELIM) &&
+ retries > 0) {
+ retry = true;
+ retries--;
+
+ flags &= ~FLAGS_USE_FIRST_PASS;
+ ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to unset PAM_AUTHTOK [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Failed to unset PAM_OLDAUTHTOK [%s]",
+ pam_strerror(pamh,ret)));
+ }
+ }
+ } while(retry);
+
+ return pam_status;
+}
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+ const char **argv )
+{
+ return pam_sss(SSS_PAM_AUTHENTICATE, pamh, flags, argc, argv);
+}
+
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
+ const char **argv )
+{
+ return pam_sss(SSS_PAM_SETCRED, pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv )
+{
+ return pam_sss(SSS_PAM_ACCT_MGMT, pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
+ const char **argv )
+{
+ return pam_sss(SSS_PAM_CHAUTHTOK, pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv )
+{
+ return pam_sss(SSS_PAM_OPEN_SESSION, pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
+ const char **argv )
+{
+ return pam_sss(SSS_PAM_CLOSE_SESSION, pamh, flags, argc, argv);
+}
+
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_sssd_modstruct ={
+ "pam_sssd",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ pam_sm_chauthtok
+};
+
+#endif
diff --git a/src/sss_client/ssh/sss_ssh_authorizedkeys.c b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
new file mode 100644
index 0000000..8e80f96
--- /dev/null
+++ b/src/sss_client/ssh/sss_ssh_authorizedkeys.c
@@ -0,0 +1,126 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/sss_ssh.h" +#include "sss_client/sss_cli.h" +#include "sss_client/ssh/sss_ssh_client.h" + +int main(int argc, const char **argv) +{ + TALLOC_CTX *mem_ctx = NULL; + int pc_debug = SSSDBG_DEFAULT; + const char *pc_domain = NULL; + const char *pc_user = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, + _("The debug level to run with"), NULL }, + { "domain", 'd', POPT_ARG_STRING, &pc_domain, 0, + _("The SSSD domain to use"), NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; + struct sss_ssh_ent *ent; + size_t i; + int ret; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale() failed (%d): %s\n", ret, strerror(ret)); + ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + mem_ctx = talloc_new(NULL); + if (!mem_ctx) { + ERROR("Not enough memory\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse parameters */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "USER"); + while ((ret = poptGetNextOpt(pc)) > 0) + ; + + DEBUG_INIT(pc_debug); + + if (ret != -1) { + 
BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+ }
+
+ pc_user = poptGetArg(pc);
+ if (pc_user == NULL) {
+ BAD_POPT_PARAMS(pc, _("User not specified\n"), ret, fini);
+ }
+
+ /* look up public keys */
+ ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_USER_PUBKEYS,
+ pc_user, pc_domain, NULL, &ent);
+ if (ret == ERR_NON_SSSD_USER) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "The user %s is valid, but not handled by sssd\n", pc_user);
+ ret = EXIT_SUCCESS;
+ goto fini;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret));
+ ERROR("Error looking up public keys\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* if sshd closes its end of the pipe, we don't want sss_ssh_authorizedkeys
+ * to exit abruptly, but to finish gracefully instead because the valid
+ * key can be present in the data already written
+ */
+ signal(SIGPIPE, SIG_IGN);
+
+ /* print results */
+ for (i = 0; i < ent->num_pubkeys; i++) {
+ ret = sss_ssh_print_pubkey(&ent->pubkeys[i]);
+ if (ret != EOK && ret != EINVAL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ssh_ssh_print_pubkey() failed (%d): %s\n",
+ ret, strerror(ret));
+ goto fini;
+ }
+ }
+
+ ret = EXIT_SUCCESS;
+
+fini:
+ poptFreeContext(pc);
+ talloc_free(mem_ctx);
+
+ return ret;
+}
diff --git a/src/sss_client/ssh/sss_ssh_client.c b/src/sss_client/ssh/sss_ssh_client.c
new file mode 100644
index 0000000..a198039
--- /dev/null
+++ b/src/sss_client/ssh/sss_ssh_client.c
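Review bot: When `sss_ssh_print_pubkey()` fails in the print loop of `main`, the `goto fini` leaves `ret` holding the raw error code, so the process exits with that value instead of `EXIT_FAILURE` as on every other error path; add `ret = EXIT_FAILURE;` before that `goto fini`, as the equivalent loop in sss_ssh_knownhostsproxy.c already does. The debug string in the same branch names `ssh_ssh_print_pubkey()`; it should read `"sss_ssh_print_pubkey() failed (%d): %s\n"` so that a log search for the real function name finds it. The loop also continues silently when a key returns `EINVAL`; since the comment above suggests sshd consumes this output, a one-line comment stating why a single unprintable key is skipped rather than treated as fatal would make that choice reviewable.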
@@ -0,0 +1,265 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/sss_ssh.h" +#include "sss_client/sss_cli.h" +#include "sss_client/ssh/sss_ssh_client.h" + +/* FIXME - split from tools_util to create a common function */ +void usage(poptContext pc, const char *error) +{ + poptPrintUsage(pc, stderr, 0); + if (error) fprintf(stderr, "%s", error); +} + +/* FIXME - split from tools_util to create a common function */ +int set_locale(void) +{ + char *c; + + c = setlocale(LC_ALL, ""); + if (c == NULL) { + /* If setlocale fails, continue with the default + * locale. 
*/ + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to set locale\n"); + } + + errno = 0; + c = bindtextdomain(PACKAGE, LOCALEDIR); + if (c == NULL) { + return errno; + } + + errno = 0; + c = textdomain(PACKAGE); + if (c == NULL) { + return errno; + } + + return EOK; +} + +/* SSH public key request: + * + * header: + * 0..3: flags (unsigned int, must be combination of SSS_SSH_REQ_* flags) + * 4..7: name length (unsigned int) + * 8..X: name (null-terminated UTF-8 string) + * alias (only included if flags & SSS_SSH_REQ_ALIAS): + * 0..3: alias length (unsigned int) + * 4..X: alias (null-terminated UTF-8 string) + * domain (ony included if flags & SSS_SSH_REQ_DOMAIN): + * 0..3: domain length (unsigned int, 0 means default domain) + * 4..X: domain (null-terminated UTF-8 string) + * + * SSH public key reply: + * + * header: + * 0..3: number of results (unsigned int) + * 4..7: reserved (unsigned int, must be 0) + * results (repeated for each result): + * 0..3: flags (unsigned int, must be 0) + * 4..7: name length (unsigned int) + * 8..(X-1): name (null-terminated UTF-8 string) + * X..(X+3): key length (unsigned int) + * (X+4)..Y: key (public key data) + */ +errno_t +sss_ssh_get_ent(TALLOC_CTX *mem_ctx, + enum sss_cli_command command, + const char *name, + const char *domain, + const char *alias, + struct sss_ssh_ent **result) +{ + TALLOC_CTX *tmp_ctx; + struct sss_ssh_ent *res = NULL; + errno_t ret; + uint32_t flags; + uint32_t name_len; + uint32_t alias_len = 0; + uint32_t domain_len; + size_t req_len; + uint8_t *req = NULL; + size_t c = 0; + struct sss_cli_req_data rd; + int req_ret, req_errno; + uint8_t *rep = NULL; + size_t rep_len; + uint32_t count, reserved, len, i; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + /* build request */ + flags = 0; + name_len = strlen(name)+1; + req_len = 2*sizeof(uint32_t) + name_len; + + if (alias) { + flags |= SSS_SSH_REQ_ALIAS; + alias_len = strlen(alias)+1; + req_len += sizeof(uint32_t) + alias_len; + } + + flags 
|= SSS_SSH_REQ_DOMAIN; + domain_len = domain ? (strlen(domain)+1) : 0; + req_len += sizeof(uint32_t) + domain_len; + + req = talloc_array(tmp_ctx, uint8_t, req_len); + if (!req) { + ret = ENOMEM; + goto done; + } + + SAFEALIGN_SET_UINT32(req+c, flags, &c); + SAFEALIGN_SET_UINT32(req+c, name_len, &c); + safealign_memcpy(req+c, name, name_len, &c); + if (alias) { + SAFEALIGN_SET_UINT32(req+c, alias_len, &c); + safealign_memcpy(req+c, alias, alias_len, &c); + } + SAFEALIGN_SET_UINT32(req+c, domain_len, &c); + if (domain_len > 0) { + safealign_memcpy(req+c, domain, domain_len, &c); + } + + /* send request */ + rd.data = req; + rd.len = req_len; + + req_ret = sss_ssh_make_request(command, &rd, &rep, &rep_len, &req_errno); + if (req_errno != EOK) { + ret = req_errno; + goto done; + } + if (req_ret != SSS_STATUS_SUCCESS) { + ret = EFAULT; + goto done; + } + + /* parse reply */ + c = 0; + if (rep_len < c + 2*sizeof(uint32_t)) { + ret = EINVAL; + goto done; + } + + SAFEALIGN_COPY_UINT32(&count, rep+c, &c); + + SAFEALIGN_COPY_UINT32(&reserved, rep+c, &c); + if (reserved != 0) { + ret = EINVAL; + goto done; + } + + res = talloc_zero(tmp_ctx, struct sss_ssh_ent); + if (!res) { + ret = ENOMEM; + goto done; + } + + if (count > 0) { + res->pubkeys = talloc_zero_array(res, struct sss_ssh_pubkey, count); + if (!res->pubkeys) { + ret = ENOMEM; + goto done; + } + + res->num_pubkeys = count; + } + + for (i = 0; i < count; i++) { + if (rep_len-c < 2*sizeof(uint32_t)) { + ret = EINVAL; + goto done; + } + + SAFEALIGN_COPY_UINT32(&flags, rep+c, &c); + if (flags != 0) { + ret = EINVAL; + goto done; + } + + SAFEALIGN_COPY_UINT32(&len, rep+c, &c); + + if (len > rep_len - c - sizeof(uint32_t)) { + ret = EINVAL; + goto done; + } + + if (!res->name) { + res->name = talloc_array(res, char, len); + if (!res->name) { + ret = ENOMEM; + goto done; + } + + safealign_memcpy(res->name, rep+c, len, &c); + if (strnlen(res->name, len) != len-1) { + ret = EINVAL; + goto done; + } + } else { + c += len; + } 
+ + SAFEALIGN_COPY_UINT32(&len, rep+c, &c); + + if (len > rep_len - c) { + ret = EINVAL; + goto done; + } + + res->pubkeys[i].data = talloc_array(res, uint8_t, len); + if (!res->pubkeys[i].data) { + ret = ENOMEM; + goto done; + } + + safealign_memcpy(res->pubkeys[i].data, rep+c, len, &c); + res->pubkeys[i].data_len = len; + } + + *result = talloc_steal(mem_ctx, res); + ret = EOK; + +done: + talloc_free(tmp_ctx); + free(rep); + + return ret; +} diff --git a/src/sss_client/ssh/sss_ssh_client.h b/src/sss_client/ssh/sss_ssh_client.h new file mode 100644 index 0000000..5ad0643 --- /dev/null +++ b/src/sss_client/ssh/sss_ssh_client.h @@ -0,0 +1,41 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSS_SSH_CLIENT_H_ +#define _SSS_SSH_CLIENT_H_ + +void usage(poptContext pc, const char *error); +int set_locale(void); + +#define BAD_POPT_PARAMS(pc, msg, val, label) do { \ + usage(pc, msg); \ + val = EXIT_FAILURE; \ + goto label; \ +} while(0) + +errno_t +sss_ssh_get_ent(TALLOC_CTX *mem_ctx, + enum sss_cli_command command, + const char *name, + const char *domain, + const char *alias, + struct sss_ssh_ent **result); + +#endif /* _SSS_SSH_CLIENT_H_ */ diff --git a/src/sss_client/ssh/sss_ssh_knownhostsproxy.c b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c new file mode 100644 index 0000000..9e574ad --- /dev/null 
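Review bot: In the reply parser of `sss_ssh_get_ent`, the name-length check `if (len > rep_len - c - sizeof(uint32_t))` can wrap around: the guard at the top of the loop only guarantees the 8 bytes for `flags` and `len`, so once both are consumed `rep_len - c` may be less than 4 and the unsigned subtraction yields a huge value that any `len` passes. The following `safealign_memcpy(res->name, rep+c, len, &c)`, or `c += len` followed by the key-length read, would then run past the end of `rep`. Test the remainder first: `if (rep_len - c < sizeof(uint32_t) || len > rep_len - c - sizeof(uint32_t))`. `count` is likewise taken from the reply header and passed to `talloc_zero_array` unchecked; bounding it by what `rep_len` can hold (each result carries at least three `uint32_t` fields) would reject an inconsistent header before allocating.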
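Review bot: The new header sss_ssh_client.h is not self-contained: it uses `poptContext`, `TALLOC_CTX`, `errno_t`, `enum sss_cli_command` and `struct sss_ssh_ent` but includes nothing, so it compiles only when every includer has already pulled those declarations in. Include the headers that declare them (the .c files in this patch include `util/util.h`, `util/sss_ssh.h` and `sss_client/sss_cli.h` before it) and forward-declare `struct sss_ssh_ent;` if only the pointer is needed. `sss_ssh_get_ent` should also carry a contract comment saying that on success `*result` is reparented to `mem_ctx` and that on failure it is left untouched, which is what the implementation in sss_ssh_client.c does. The guard name `_SSS_SSH_CLIENT_H_` begins with an underscore followed by a capital letter, a form reserved for the implementation; `SSS_SSH_CLIENT_H` avoids that.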
+++ b/src/sss_client/ssh/sss_ssh_knownhostsproxy.c 
@@ -0,0 +1,352 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/sss_ssh.h" +#include "sss_client/sss_cli.h" +#include "sss_client/ssh/sss_ssh_client.h" + +#define BUFFER_SIZE 8192 + +/* connect to server using socket */ +static int +connect_socket(int family, struct sockaddr *addr, size_t addr_len, int *sd) +{ + int flags; + int sock = -1; + int ret; + + /* set O_NONBLOCK on standard input */ + flags = fcntl(0, F_GETFL); + if (flags == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "fcntl() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } + + ret = fcntl(0, F_SETFL, flags | O_NONBLOCK); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "fcntl() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } + + /* create socket */ + sock = socket(family, SOCK_STREAM, IPPROTO_TCP); + if (sock == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "socket() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } + + /* connect to the server */ + ret = connect(sock, addr, addr_len); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "connect() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } + + *sd = sock; + +done: + if (ret != 0 
&& sock >= 0) close(sock); + return ret; +} + +static int proxy_data(int sock) +{ + int flags; + struct pollfd fds[2]; + char buffer[BUFFER_SIZE]; + int i; + ssize_t res; + int ret; + + /* set O_NONBLOCK on the socket */ + flags = fcntl(sock, F_GETFL); + if (flags == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "fcntl() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } + + ret = fcntl(sock, F_SETFL, flags | O_NONBLOCK); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "fcntl() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } + + fds[0].fd = 0; + fds[0].events = POLLIN; + fds[1].fd = sock; + fds[1].events = POLLIN; + + while (1) { + ret = poll(fds, 2, -1); + if (ret == -1) { + ret = errno; + if (ret == EINTR || ret == EAGAIN) { + continue; + } + DEBUG(SSSDBG_OP_FAILURE, + "poll() failed (%d): %s\n", ret, strerror(ret)); + goto done; + } + + /* read from standard input & write to socket */ + /* read from socket & write to standard output */ + for (i = 0; i < 2; i++) { + if (fds[i].revents & POLLIN) { + res = read(fds[i].fd, buffer, BUFFER_SIZE); + if (res == -1) { + ret = errno; + if (ret == EAGAIN || ret == EINTR || ret == EWOULDBLOCK) { + continue; + } + DEBUG(SSSDBG_OP_FAILURE, + "read() failed (%d): %s\n", ret, strerror(ret)); + goto done; + } else if (res == 0) { + ret = EOK; + goto done; + } + + errno = 0; + res = sss_atomic_write_s(i == 0 ? 
sock : 1, buffer, res); + ret = errno; + if (res == -1) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_atomic_write_s() failed (%d): %s\n", + ret, strerror(ret)); + goto done; + } else if (ret == EPIPE) { + ret = EOK; + goto done; + } + } + if (fds[i].revents & POLLHUP) { + ret = EOK; + goto done; + } + } + } + +done: + close(sock); + return ret; +} + +/* connect to server using proxy command */ +static int +connect_proxy_command(char **args) +{ + int ret; + + execv(args[0], (char * const *)args); + + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "execv() failed (%d): %s\n", + ret, strerror(ret)); + + return ret; +} + +int main(int argc, const char **argv) +{ + TALLOC_CTX *mem_ctx = NULL; + int pc_debug = SSSDBG_DEFAULT; + int pc_port = 22; + const char *pc_domain = NULL; + const char *pc_host = NULL; + const char **pc_args = NULL; + int pc_pubkeys = 0; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, + _("The debug level to run with"), NULL }, + { "port", 'p', POPT_ARG_INT, &pc_port, 0, + _("The port to use to connect to the host"), NULL }, + { "domain", 'd', POPT_ARG_STRING, &pc_domain, 0, + _("The SSSD domain to use"), NULL }, + { "pubkey", 'k', POPT_ARG_NONE, &pc_pubkeys, 0, + _("Print the host ssh public keys"), NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; + char strport[6]; + struct addrinfo ai_hint; + struct addrinfo *ai = NULL; + char canonhost[NI_MAXHOST]; + const char *host = NULL; + struct sss_ssh_ent *ent = NULL; + int ret; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale() failed (%d): %s\n", ret, strerror(ret)); + ret = EXIT_FAILURE; + goto fini; + } + + mem_ctx = talloc_new(NULL); + if (!mem_ctx) { + DEBUG(SSSDBG_CRIT_FAILURE, "Not enough memory\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse parameters */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "HOST 
[PROXY_COMMAND]"); + while ((ret = poptGetNextOpt(pc)) > 0) + ; + + DEBUG_INIT(pc_debug); + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + if (pc_port < 1 || pc_port > 65535) { + BAD_POPT_PARAMS(pc, _("Invalid port\n"), ret, fini); + } + + pc_host = poptGetArg(pc); + if (pc_host == NULL) { + BAD_POPT_PARAMS(pc, _("Host not specified\n"), ret, fini); + } + + pc_args = poptGetArgs(pc); + if (pc_args && pc_args[0] && pc_args[0][0] != '/') { + BAD_POPT_PARAMS(pc, + _("The path to the proxy command must be absolute\n"), + ret, fini); + } + + /* canonicalize hostname */ + snprintf(strport, 6, "%d", pc_port); + + memset(&ai_hint, 0, sizeof(struct addrinfo)); + ai_hint.ai_family = AF_UNSPEC; + ai_hint.ai_socktype = SOCK_STREAM; + ai_hint.ai_protocol = IPPROTO_TCP; + ai_hint.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST | AI_NUMERICSERV; + + ret = getaddrinfo(pc_host, strport, &ai_hint, &ai); + if (ret) { + ai_hint.ai_flags = AI_ADDRCONFIG | AI_CANONNAME | AI_NUMERICSERV; + + ret = getaddrinfo(pc_host, strport, &ai_hint, &ai); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "getaddrinfo() failed (%d): %s\n", ret, gai_strerror(ret)); + } else { + host = ai->ai_canonname; + } + } else { + ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, + canonhost, NI_MAXHOST, NULL, 0, NI_NAMEREQD); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "getnameinfo() failed (%d): %s\n", ret, gai_strerror(ret)); + } else { + host = canonhost; + } + } + + if (host) { + /* look up public keys */ + ret = sss_ssh_get_ent(mem_ctx, SSS_SSH_GET_HOST_PUBKEYS, + host, pc_domain, pc_host, &ent); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ssh_get_ent() failed (%d): %s\n", ret, strerror(ret)); + } + } + + if (pc_pubkeys) { + /* print results */ + if (ent != NULL) { + for (size_t i = 0; i < ent->num_pubkeys; i++) { + ret = sss_ssh_print_pubkey(&ent->pubkeys[i]); + if (ret != EOK && ret != EINVAL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ssh_ssh_print_pubkey() failed (%d): %s\n", + ret, 
strerror(ret)); + ret = EXIT_FAILURE; + goto fini; + } + } + } + + ret = EXIT_SUCCESS; + goto fini; + } + + /* connect to server */ + if (pc_args) { + ret = connect_proxy_command(discard_const(pc_args)); + } else if (ai) { + /* Try all IP addresses before giving up */ + for (struct addrinfo *ti = ai; ti != NULL; ti = ti->ai_next) { + int socket_descriptor = -1; + ret = connect_socket(ti->ai_family, ti->ai_addr, ti->ai_addrlen, + &socket_descriptor); + if (ret == 0) { + ret = proxy_data(socket_descriptor); + break; + } + } + } else { + ret = EFAULT; + } + ret = (ret == EOK) ? EXIT_SUCCESS : EXIT_FAILURE; + +fini: + poptFreeContext(pc); + if (ai) freeaddrinfo(ai); + talloc_free(mem_ctx); + + return ret; +} diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h new file mode 100644 index 0000000..24d28ed --- /dev/null +++ b/src/sss_client/sss_cli.h 
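Review bot: The poll loop in `proxy_data` acts only on `POLLIN` and `POLLHUP`, so a descriptor that reports just `POLLERR` or `POLLNVAL` matches neither branch; `poll(fds, 2, -1)` would then return again immediately and the process could spin instead of exiting. Treat those bits as termination too, `if (fds[i].revents & (POLLHUP | POLLERR | POLLNVAL))`, and return an error code rather than `EOK` for the latter two. Separately, `main` only logs a failed `sss_ssh_get_ent()` and then connects anyway; if that fallback is intended, a comment such as `/* key lookup failure is not fatal: proxy the connection without SSSD host keys */` would keep it from being read as a missed error check. The debug string `ssh_ssh_print_pubkey() failed` in the `--pubkey` branch misnames `sss_ssh_print_pubkey()`.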
@@ -0,0 +1,673 @@ +/* + SSSD + + Client Interface for NSS and PAM. + + Authors: + Simo Sorce + + Copyright (C) Red Hat, Inc 2007 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifndef _SSSCLI_H +#define _SSSCLI_H + +#include +#include +#include +#include +#include +#include + +#include "shared/safealign.h" + +#ifndef HAVE_ERRNO_T +#define HAVE_ERRNO_T +typedef int errno_t; +#endif + + +#ifndef EOK +#define EOK 0 +#endif + +#define SSS_NSS_PROTOCOL_VERSION 1 +#define SSS_PAM_PROTOCOL_VERSION 3 +#define SSS_SUDO_PROTOCOL_VERSION 1 +#define SSS_AUTOFS_PROTOCOL_VERSION 1 +#define SSS_SSH_PROTOCOL_VERSION 0 +#define SSS_PAC_PROTOCOL_VERSION 1 + +#ifdef LOGIN_NAME_MAX +#define SSS_NAME_MAX LOGIN_NAME_MAX +#else +#define SSS_NAME_MAX 256 +#endif + +/** + * @defgroup sss_cli_command SSS client commands + * @{ + */ + +/** The allowed commands an SSS client can send to the SSSD */ + +enum sss_cli_command { +/* null */ + SSS_CLI_NULL = 0x0000, + +/* version */ + SSS_GET_VERSION = 0x0001, + +/* passwd */ + + SSS_NSS_GETPWNAM = 0x0011, + SSS_NSS_GETPWUID = 0x0012, + SSS_NSS_SETPWENT = 0x0013, + SSS_NSS_GETPWENT = 0x0014, + SSS_NSS_ENDPWENT = 0x0015, + + SSS_NSS_GETPWNAM_EX = 0x0019, + SSS_NSS_GETPWUID_EX = 0x001A, + +/* group */ + + SSS_NSS_GETGRNAM = 0x0021, + SSS_NSS_GETGRGID = 0x0022, + SSS_NSS_SETGRENT = 0x0023, + SSS_NSS_GETGRENT = 0x0024, + SSS_NSS_ENDGRENT = 0x0025, + SSS_NSS_INITGR = 0x0026, + + 
SSS_NSS_GETGRNAM_EX = 0x0029, + SSS_NSS_GETGRGID_EX = 0x002A, + SSS_NSS_INITGR_EX = 0x002E, + +#if 0 +/* aliases */ + + SSS_NSS_GETALIASBYNAME = 0x0031, + SSS_NSS_GETALIASBYPORT = 0x0032, + SSS_NSS_SETALIASENT = 0x0033, + SSS_NSS_GETALIASENT = 0x0034, + SSS_NSS_ENDALIASENT = 0x0035, + +/* ethers */ + + SSS_NSS_GETHOSTTON = 0x0041, + SSS_NSS_GETNTOHOST = 0x0042, + SSS_NSS_SETETHERENT = 0x0043, + SSS_NSS_GETETHERENT = 0x0044, + SSS_NSS_ENDETHERENT = 0x0045, + +/* hosts */ + + SSS_NSS_GETHOSTBYNAME = 0x0051, + SSS_NSS_GETHOSTBYNAME2 = 0x0052, + SSS_NSS_GETHOSTBYADDR = 0x0053, + SSS_NSS_SETHOSTENT = 0x0054, + SSS_NSS_GETHOSTENT = 0x0055, + SSS_NSS_ENDHOSTENT = 0x0056, +#endif +/* netgroup */ + + SSS_NSS_SETNETGRENT = 0x0061, + SSS_NSS_GETNETGRENT = 0x0062, + SSS_NSS_ENDNETGRENT = 0x0063, + /* SSS_NSS_INNETGR = 0x0064, */ +#if 0 +/* networks */ + + SSS_NSS_GETNETBYNAME = 0x0071, + SSS_NSS_GETNETBYADDR = 0x0072, + SSS_NSS_SETNETENT = 0x0073, + SSS_NSS_GETNETENT = 0x0074, + SSS_NSS_ENDNETENT = 0x0075, + +/* protocols */ + + SSS_NSS_GETPROTOBYNAME = 0x0081, + SSS_NSS_GETPROTOBYNUM = 0x0082, + SSS_NSS_SETPROTOENT = 0x0083, + SSS_NSS_GETPROTOENT = 0x0084, + SSS_NSS_ENDPROTOENT = 0x0085, + +/* rpc */ + + SSS_NSS_GETRPCBYNAME = 0x0091, + SSS_NSS_GETRPCBYNUM = 0x0092, + SSS_NSS_SETRPCENT = 0x0093, + SSS_NSS_GETRPCENT = 0x0094, + SSS_NSS_ENDRPCENT = 0x0095, +#endif + +/* services */ + + SSS_NSS_GETSERVBYNAME = 0x00A1, + SSS_NSS_GETSERVBYPORT = 0x00A2, + SSS_NSS_SETSERVENT = 0x00A3, + SSS_NSS_GETSERVENT = 0x00A4, + SSS_NSS_ENDSERVENT = 0x00A5, + +#if 0 +/* shadow */ + + SSS_NSS_GETSPNAM = 0x00B1, + SSS_NSS_GETSPUID = 0x00B2, + SSS_NSS_SETSPENT = 0x00B3, + SSS_NSS_GETSPENT = 0x00B4, + SSS_NSS_ENDSPENT = 0x00B5, +#endif + +/* SUDO */ + SSS_SUDO_GET_SUDORULES = 0x00C1, + SSS_SUDO_GET_DEFAULTS = 0x00C2, + +/* autofs */ + SSS_AUTOFS_SETAUTOMNTENT = 0x00D1, + SSS_AUTOFS_GETAUTOMNTENT = 0x00D2, + SSS_AUTOFS_GETAUTOMNTBYNAME = 0x00D3, + SSS_AUTOFS_ENDAUTOMNTENT = 0x00D4, + +/* SSH */ + 
SSS_SSH_GET_USER_PUBKEYS = 0x00E1, + SSS_SSH_GET_HOST_PUBKEYS = 0x00E2, + +/* PAM related calls */ + SSS_PAM_AUTHENTICATE = 0x00F1, /**< see pam_sm_authenticate(3) for + * details. + * + * Additionally we allow sssd to send + * the return code PAM_NEW_AUTHTOK_REQD + * during authentication if the + * authentication was successful but + * the authentication token is expired. + * To meet the standards of libpam we + * return PAM_SUCCESS for + * authentication and set a flag so + * that the account management module + * can return PAM_NEW_AUTHTOK_REQD if + * sssd return success for account + * management. We do this to reduce the + * communication with external servers, + * because there are cases, e.g. + * Kerberos authentication, where the + * information that the password is + * expired is already available during + * authentication. */ + SSS_PAM_SETCRED = 0x00F2, /**< see pam_sm_setcred(3) for + * details */ + SSS_PAM_ACCT_MGMT = 0x00F3, /**< see pam_sm_acct_mgmt(3) for + * details */ + SSS_PAM_OPEN_SESSION = 0x00F4, /**< see pam_sm_open_session(3) for + * details */ + SSS_PAM_CLOSE_SESSION = 0x00F5, /**< see pam_sm_close_session(3) for + *details */ + SSS_PAM_CHAUTHTOK = 0x00F6, /**< second run of the password change + * operation where the PAM_UPDATE_AUTHTOK + * flag is set and the real change may + * happen, see pam_sm_chauthtok(3) for + * details */ + SSS_PAM_CHAUTHTOK_PRELIM = 0x00F7, /**< first run of the password change + * operation where the PAM_PRELIM_CHECK + * flag is set, see pam_sm_chauthtok(3) + * for details */ + SSS_CMD_RENEW = 0x00F8, /**< Renew a credential with a limited + * lifetime, e.g. a Kerberos Ticket + * Granting Ticket (TGT) */ + SSS_PAM_PREAUTH = 0x00F9, /**< Request which can be run before + * an authentication request to find + * out which authentication methods + * are available for the given user. 
*/ + +/* PAC responder calls */ + SSS_PAC_ADD_PAC_USER = 0x0101, + +/* ID-SID mapping calls */ +SSS_NSS_GETSIDBYNAME = 0x0111, /**< Takes a zero terminated fully qualified + name and returns the zero terminated + string representation of the SID of the + object with the given name. */ +SSS_NSS_GETSIDBYID = 0x0112, /**< Takes an unsigned 32bit integer (POSIX ID) + and returns the zero terminated string + representation of the SID of the object + with the given ID. */ +SSS_NSS_GETNAMEBYSID = 0x0113, /**< Takes the zero terminated string + representation of a SID and returns the + zero terminated fully qualified name of + the related object. */ +SSS_NSS_GETIDBYSID = 0x0114, /**< Takes the zero terminated string + representation of a SID and returns and + returns the POSIX ID of the related object + as unsigned 32bit integer value and + another unsigned 32bit integer value + indicating the type (unknown, user, group, + both) of the object. */ +SSS_NSS_GETORIGBYNAME = 0x0115, /**< Takes a zero terminated fully qualified + name and returns a list of zero + terminated strings with key-value pairs + where the first string is the key and + second the value. Hence the list should + have an even number of strings, if not + the whole list is invalid. */ +SSS_NSS_GETNAMEBYCERT = 0x0116, /**< Takes the zero terminated string + of the base64 encoded DER representation + of a X509 certificate and returns the zero + terminated fully qualified name of the + related object. */ +SSS_NSS_GETLISTBYCERT = 0x0117, /**< Takes the zero terminated string + of the base64 encoded DER representation + of a X509 certificate and returns a list + of zero terminated fully qualified names + of the related objects. */ +SSS_NSS_GETSIDBYUID = 0x0118, /**< Takes an unsigned 32bit integer (POSIX UID) + and reurn the zero terminated string + representation of the SID of the object + with the given UID. 
*/ +SSS_NSS_GETSIDBYGID = 0x0119, /**< Takes an unsigned 32bit integer (POSIX GID) + and reurn the zero terminated string + representation of the SID of the object + with the given UID. */ +}; + +/** + * @} + */ /* end of group sss_cli_command */ + + +/** + * @defgroup sss_pam SSSD and PAM + * + * SSSD offers authentication and authorization via PAM + * + * The SSSD provides a PAM client modules pam_sss which can be called from the + * PAM stack of the operation system. pam_sss will collect all the data about + * the user from the PAM stack and sends them via a socket to the PAM + * responder of the SSSD. The PAM responder selects the appropriate backend + * and forwards the data via D-BUS to the backend. The backend preforms the + * requested operation and sends the result expressed by a PAM return value + * and optional additional information back to the PAM responder. Finally the + * PAM responder forwards the response back to the client. + * + * @{ + */ + +/** + * @} + */ /* end of group sss_pam */ + +/** + * @defgroup sss_authtok_type Authentication Tokens + * @ingroup sss_pam + * + * To indicate to the components of the SSSD how to handle the authentication + * token the client sends the type of the authentication token to the SSSD. 
+ * + * @{ + */ + +/** The different types of authentication tokens */ + +enum sss_authtok_type { + SSS_AUTHTOK_TYPE_EMPTY = 0x0000, /**< No authentication token + * available */ + SSS_AUTHTOK_TYPE_PASSWORD = 0x0001, /**< Authentication token is a + * password, it may or may no contain + * a trailing \\0 */ + SSS_AUTHTOK_TYPE_CCFILE = 0x0002, /**< Authentication token is a path to + * a Kerberos credential cache file, + * it may or may no contain + * a trailing \\0 */ + SSS_AUTHTOK_TYPE_2FA = 0x0003, /**< Authentication token has two + * factors, they may or may no contain + * a trailing \\0 */ + SSS_AUTHTOK_TYPE_SC_PIN = 0x0004, /**< Authentication token is a Smart + * Card PIN, it may or may no contain + * a trailing \\0 */ + SSS_AUTHTOK_TYPE_SC_KEYPAD = 0x0005, /**< Authentication token indicates + * Smart Card authentication is used + * and that the PIN will be entered + * at the card reader. */ +}; + +/** + * @} + */ /* end of group sss_authtok_type */ + +#define SSS_START_OF_PAM_REQUEST 0x4d415049 +#define SSS_END_OF_PAM_REQUEST 0x4950414d + +#define PAM_PREAUTH_INDICATOR PUBCONF_PATH"/pam_preauth_available" + +enum pam_item_type { + SSS_PAM_ITEM_EMPTY = 0x0000, + SSS_PAM_ITEM_USER, + SSS_PAM_ITEM_SERVICE, + SSS_PAM_ITEM_TTY, + SSS_PAM_ITEM_RUSER, + SSS_PAM_ITEM_RHOST, + SSS_PAM_ITEM_AUTHTOK, + SSS_PAM_ITEM_NEWAUTHTOK, + SSS_PAM_ITEM_CLI_LOCALE, + SSS_PAM_ITEM_CLI_PID, + SSS_PAM_ITEM_REQUESTED_DOMAINS, +}; + +#define SSS_NSS_MAX_ENTRIES 256 +#define SSS_NSS_HEADER_SIZE (sizeof(uint32_t) * 4) +struct sss_cli_req_data { + size_t len; + const void *data; +}; + +/* this is in milliseconds, wait up to 300 seconds */ +#define SSS_CLI_SOCKET_TIMEOUT 300000 + +enum sss_status { + SSS_STATUS_TRYAGAIN, + SSS_STATUS_UNAVAIL, + SSS_STATUS_SUCCESS +}; + +/** + * @defgroup sss_pam_cli Responses to the PAM client + * @ingroup sss_pam + * @{ + */ + +/** + * @defgroup response_type Messages from the server + * @ingroup sss_pam_cli + * + * SSSD can send different kind of 
information back to the client. + * A response from the SSSD can contain 0 or more messages. Each message + * contains a type tag and the size of the message data, both are unsigned + * 32-bit integer values, followed be the message specific data. + * + * If the message is generated by a backend it is send back to the PAM + * responder via a D-BUS message in an array of D-BUS structs. The struct + * consists of a DBUS_TYPE_UINT32 for the tag and a DBUS_TYPE_ARRAY to hold + * the message. + * + * Examples: + * - #SSS_PAM_ENV_ITEM, + uint32_t | uint32_t | uint8_t[4] + ----------|----------|------------ + 0x03 | 0x04 | a=b\\0 + * @{ + */ + +/** Types of different messages */ + +enum response_type { + SSS_PAM_SYSTEM_INFO = 0x01, /**< Message for the system log. + * @param String, zero terminated. */ + SSS_PAM_DOMAIN_NAME, /**< Name of the domain the user belongs too. + * This messages is generated by the PAM responder. + * @param String, zero terminated, with the domain + * name. */ + SSS_PAM_ENV_ITEM, /**< Set and environment variable with pam_putenv(3). + * @param String, zero terminated, of the form + * name=value. See pam_putenv(3) for details. */ + SSS_ENV_ITEM, /**< Set and environment variable with putenv(3). + * @param String, zero terminated, of the form + * name=value. See putenv(3) for details. */ + SSS_ALL_ENV_ITEM, /**< Set and environment variable with putenv(3) and + * pam_putenv(3). + * @param String, zero terminated, of the form + * name=value. See putenv(3) and pam_putenv(3) for + * details. */ + SSS_PAM_USER_INFO, /**< A message which should be displayed to the user. + * @param User info message, see #user_info_type + * for details. */ + SSS_PAM_TEXT_MSG, /**< A plain text message which should be displayed to + * the user. This should only be used in the case where + * it is not possible to use SSS_PAM_USER_INFO. + * @param A zero terminated string. 
*/ + SSS_PAM_OTP_INFO, /**< A message which optionally may contain the name + * of the vendor, the ID of an OTP token and a + * challenge. + * @param Three zero terminated strings, if one of the + * strings is missing the message will contain only + * an empty string (\0) for that component. */ + SSS_PAM_CERT_INFO, /**< A message indicating that Smartcard/certificate + * based authentication is available and contains + * details about the found Smartcard. + * @param user name, zero terminated + * @param token name, zero terminated + * @param PKCS#11 module name, zero terminated + * @param key id, zero terminated */ + SSS_OTP, /**< Indicates that the authtok was a OTP, so don't + * cache it. There is no message. + * @param None. */ + SSS_PASSWORD_PROMPTING, /**< Indicates that password prompting is possible. + * This might be used together with + * SSS_PAM_OTP_INFO to determine the type of + * prompting. There is no message. + * @param None. */ + SSS_CERT_AUTH_PROMPTING, /**< Indicates that on the server side + * Smartcard/certificate based authentication is + * available for the selected account. This might + * be used together with other prompting options + * to determine the type of prompting. + * @param None. */ + SSS_PAM_CERT_INFO_WITH_HINT, /**< Same as SSS_PAM_CERT_INFO but user name + * might be missing and should be prompted + * for. */ +}; + +/** + * @defgroup user_info_type User info messages + * @ingroup response_type + * + * To achieve a consistent user experience and to facilitate + * internationalization all messages show to the user are generate by the PAM + * client and not by the SSSD server components. To indicate what message the + * client should display to the user SSSD can send a #SSS_PAM_USER_INFO message + * where the data part contains one of the following tags as an unsigned + * 32-bit integer value and optional data. 
+ * + * Examples: + * - #SSS_PAM_USER_INFO_OFFLINE_CHPASS + * uint32_t | uint32_t | uint32_t + * ----------|----------|---------- + * 0x06 | 0x04 | 0x03 + * + * - #SSS_PAM_USER_INFO_CHPASS_ERROR + * uint32_t | uint32_t | uint32_t | uint32_t | uint8_t[3] + * ----------|----------|----------|----------|------------ + * 0x06 | 0x0B | 0x04 | 0x03 | abc + * @{ + */ + +/** Different types of user messages */ + +enum user_info_type { + SSS_PAM_USER_INFO_OFFLINE_AUTH = 0x01, /**< Inform the user that the + * authentication happened offline. + * This message is generated by the + * PAM responder. + * @param Time when the cached + * password will expire in seconds + * since the UNIX Epoch as returned + * by time(2) as int64_t. A value + * of zero indicates that the + * cached password will never + * expire. */ + SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED, /**< Tell the user how low a new + * authentication is delayed. This + * message is generated by the PAM + * responder. + * @param Time when an + * authentication is allowed again + * in seconds since the UNIX Epoch + * as returned by time(2) as + * int64_t. */ + SSS_PAM_USER_INFO_OFFLINE_CHPASS, /**< * Tell the user that it is not + * possible to change the password while + * the system is offline. This message + * is generated by the PAM responder. */ + SSS_PAM_USER_INFO_OTP_CHPASS, /**< Tell the user that he needs to kinit + * or login and logout to get a TGT after + * an OTP password change */ + SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change + * failed and optionally give a reason. + * @param Size of the message as unsigned + * 32-bit integer value. A value of 0 + * indicates that no message is following. + * @param String with the specified + * length. */ + + SSS_PAM_USER_INFO_GRACE_LOGIN, /**< Warn the user that the password is + * expired and inform about the remaining + * number of grace logins. 
+ * @param The number of remaining grace + * logins as uint32_t */ + SSS_PAM_USER_INFO_EXPIRE_WARN, /**< Warn the user that the password will + * expire soon. + * @param Number of seconds before the + * user's password will expire. */ + + SSS_PAM_USER_INFO_ACCOUNT_EXPIRED, /**< Tell the user that the account + * has expired and optionally give + * a reason. + * @param Size of the message as + * unsigned 32-bit integer value. A + * value of 0 indicates that no message + * is following. @param String with the + * specified length. */ +}; +/** + * @} + */ /* end of group user_info_type */ + +/** + * @} + */ /* end of group response_type */ + +/** + * @} + */ /* end of group sss_pam_cli */ + +enum sss_netgr_rep_type { + SSS_NETGR_REP_TRIPLE = 1, + SSS_NETGR_REP_GROUP +}; + +enum sss_cli_error_codes { + ESSS_SSS_CLI_ERROR_START = 0x1000, + ESSS_BAD_PRIV_SOCKET, + ESSS_BAD_PUB_SOCKET, + ESSS_BAD_CRED_MSG, + ESSS_SERVER_NOT_TRUSTED, + + ESS_SSS_CLI_ERROR_MAX +}; + +const char *ssscli_err2string(int err); + +enum nss_status sss_nss_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); + +enum nss_status sss_nss_make_request_timeout(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + int timeout, + uint8_t **repbuf, size_t *replen, + int *errnop); + +int sss_pam_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); +void sss_pam_close_fd(void); + +/* Checks access to the PAC responder and opens the socket, if available. + * Required for processes like krb5_child that need to open the socket + * before dropping privs. 
+ */ +int sss_pac_check_and_open(void); + +int sss_pac_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); + +int sss_pac_make_request_with_lock(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); + +int sss_sudo_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); + +int sss_autofs_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); + +int sss_ssh_make_request(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + uint8_t **repbuf, size_t *replen, + int *errnop); + +#if 0 + +/* GETSPNAM Request: + * + * 0-X: string with name + * + * Replies: + * + * 0-3: 32bit unsigned number of results + * 4-7: 32bit unsigned (reserved/padding) + * For each result: + * 0-7: 64bit unsigned with Date of last change + * 8-15: 64bit unsigned with Min #days between changes + * 16-23: 64bit unsigned with Max #days between changes + * 24-31: 64bit unsigned with #days before pwd expires + * 32-39: 64bit unsigned with #days after pwd expires until account is disabled + * 40-47: 64bit unsigned with expiration date in days since 1970-01-01 + * 48-55: 64bit unsigned (flags/reserved) + * 56-X: sequence of 2, 0 terminated, strings (name, pwd) 64bit padded + */ +#endif + +/* Return strlen(str) or maxlen, whichever is shorter + * Returns EINVAL if str is NULL, EFBIG if str is longer than maxlen + * _len will return the result + */ +errno_t sss_strnlen(const char *str, size_t maxlen, size_t *len); + +void sss_nss_lock(void); +void sss_nss_unlock(void); +void sss_pam_lock(void); +void sss_pam_unlock(void); +void sss_nss_mc_lock(void); +void sss_nss_mc_unlock(void); +void sss_pac_lock(void); +void sss_pac_unlock(void); + +errno_t sss_readrep_copy_string(const char *in, + size_t *offset, + size_t *slen, + size_t *dlen, + char **out, + 
size_t *size); + +#endif /* _SSSCLI_H */ diff --git a/src/sss_client/sss_nss.exports b/src/sss_client/sss_nss.exports new file mode 100644 index 0000000..1eefea8 --- /dev/null +++ b/src/sss_client/sss_nss.exports @@ -0,0 +1,73 @@ +EXPORTED { + + # public functions + global: + + _nss_sss_getpwnam_r; + _nss_sss_getpwuid_r; + _nss_sss_setpwent; + _nss_sss_getpwent_r; + _nss_sss_endpwent; + + _nss_sss_getgrnam_r; + _nss_sss_getgrgid_r; + _nss_sss_setgrent; + _nss_sss_getgrent_r; + _nss_sss_endgrent; + _nss_sss_initgroups_dyn; + + #_nss_sss_getaliasbyname_r; + #_nss_sss_setaliasent; + #_nss_sss_getaliasent_r; + #_nss_sss_endaliasent; + + #_nss_sss_gethostton_r; + #_nss_sss_getntohost_r; + #_nss_sss_setetherent; + #_nss_sss_getetherent_r; + #_nss_sss_endetherent; + + #_nss_sss_gethostbyname_r; + #_nss_sss_gethostbyname2_r; + #_nss_sss_gethostbyaddr_r; + #_nss_sss_sethostent; + #_nss_sss_gethostent_r; + #_nss_sss_endhostent; + + _nss_sss_setnetgrent; + _nss_sss_getnetgrent_r; + _nss_sss_endnetgrent; + + #_nss_sss_getnetbyname_r; + #_nss_sss_getnetbyaddr_r; + #_nss_sss_setnetent; + #_nss_sss_getnetent_r; + #_nss_sss_endnetent; + + #_nss_sss_getprotobyname_r; + #_nss_sss_getprotobynumber_r; + #_nss_sss_setprotoent; + #_nss_sss_getprotoent_r; + #_nss_sss_endprotoent; + + #_nss_sss_getrpcbyname_r; + #_nss_sss_getrpcbynumber_r; + #_nss_sss_setrpcent; + #_nss_sss_getrpcent_r; + #_nss_sss_endrpcent; + + _nss_sss_getservbyname_r; + _nss_sss_getservbyport_r; + _nss_sss_setservent; + _nss_sss_getservent_r; + _nss_sss_endservent; + + #_nss_sss_getspnam_r; + #_nss_sss_setspent; + #_nss_sss_getspent_r; + #_nss_sss_endspent; + + # everything else is local + local: + *; +}; diff --git a/src/sss_client/sss_pac_responder_client.c b/src/sss_client/sss_pac_responder_client.c new file mode 100644 index 0000000..1185381 --- /dev/null +++ b/src/sss_client/sss_pac_responder_client.c 
@@ -0,0 +1,137 @@ + +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "sss_client/sss_cli.h" + +const uint8_t pac[] = { +0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10, +0x02, 0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, +0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x68, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x0c, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x78, 0x02, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0xb8, +0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x10, 0x00, +0x00, 0x00, 0xc8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, +0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x02, 0x00, 0x30, 0xe3, 0xd6, 0x9e, 0x99, 0x2b, 0xd3, 0x01, 0xff, +0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, +0xff, 0x7f, 0xe2, 0xf7, 0x8a, 0xaf, 0x00, 0x0f, 0xd0, 0x01, 0xe2, 0xb7, 0xf4, +0xd9, 0xc9, 0x0f, 0xd0, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, +0x06, 0x00, 0x06, 0x00, 0x04, 0x00, 0x02, 0x00, 0x06, 0x00, 0x06, 0x00, 0x08, +0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, +0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x02, +0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x45, 0x02, 0x00, 0x00, +0x50, 0x04, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x1c, +0x00, 0x02, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x14, +0x00, 0x20, 0x00, 0x02, 0x00, 0x04, 0x00, 0x06, 0x00, 0x24, 0x00, 0x02, 0x00, +0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, +0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x74, 0x00, +0x75, 0x00, 0x31, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x03, 0x00, 0x00, 0x00, 0x74, 0x00, 0x20, 0x00, 0x75, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, +0xfd, 0xa2, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, 0x07, +0x00, 0x00, 0x00, 0x5c, 0x04, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x56, 0x04, +0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x89, 0xa6, 0x00, 0x00, 0x07, 0x00, 0x00, +0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, +0x41, 0x00, 0x44, 0x00, 0x2d, 0x00, 0x53, 0x00, 0x45, 0x00, 0x52, 0x00, 0x56, +0x00, 0x45, 0x00, 0x52, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, +0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x41, 0x00, 0x44, 0x00, 0x04, 0x00, 0x00, +0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, +0xf8, 0x12, 0x13, 0xdc, 0x47, 0xf3, 0x1c, 0x76, 0x47, 0x2f, 0x2e, 0xd7, 0x02, +0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x34, 0x00, +0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x01, 0x05, 0x00, +0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, 0x29, 0xc9, 0x4f, 0xd9, +0xc2, 0x3c, 0xc3, 0x78, 0x36, 0x55, 0x87, 0xf8, 0x54, 0x04, 0x00, 0x00, 0x05, +0x00, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, +0x00, 0x00, 0x25, 0xe1, 0xff, 0x1c, 0xf7, 0x87, 0x6b, 0x2c, 0x25, 0xd2, 0x0c, +0xe3, 0xf2, 0x03, 0x00, 0x00, 0x00, 0x2c, 0x29, 0x89, 0x65, 0x2d, 0xd3, 0x01, +0x06, 0x00, 0x74, 0x00, 0x75, 
0x00, 0x31, 0x00, 0x20, 0x00, 0x10, 0x00, 0x10, +0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x00, +0x75, 0x00, 0x31, 0x00, 0x74, 0x00, 0x65, 0x00, 0x73, 0x00, 0x74, 0x00, 0x40, +0x00, 0x61, 0x00, 0x64, 0x00, 0x2e, 0x00, 0x64, 0x00, 0x65, 0x00, 0x76, 0x00, +0x65, 0x00, 0x6c, 0x00, 0x41, 0x00, 0x44, 0x00, 0x2e, 0x00, 0x44, 0x00, 0x45, +0x00, 0x56, 0x00, 0x45, 0x00, 0x4c, 0x00, 0x10, 0x00, 0x00, 0x00, 0x76, 0x8e, +0x25, 0x32, 0x7c, 0x85, 0x00, 0x32, 0xac, 0x8f, 0x02, 0x2c, 0x10, 0x00, 0x00, +0x00, 0x6b, 0xe8, 0x51, 0x03, 0x30, 0xed, 0xca, 0x7d, 0xe2, 0x12, 0xa5, 0xde}; + +enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result, + char *buffer, size_t buflen, int *errnop); +static void *pac_client(void *arg) +{ + struct sss_cli_req_data sss_data = { sizeof(pac), pac }; + int errnop = -1; + int ret; + size_t c; + + fprintf(stderr, "[%ld][%d][%ld][%s] started\n", time(NULL), getpid(), + syscall(SYS_gettid), + (char *) arg); + for (c = 0; c < 1000; c++) { + /* sss_pac_make_request() does not protect the client's file + * descriptor to the PAC responder. With this one thread will miss a + * reply for an SSS_GET_VERSION request and will wait until + * SSS_CLI_SOCKET_TIMEOUT is passed. + + ret = sss_pac_make_request(SSS_PAC_ADD_PAC_USER, &sss_data, + NULL, NULL, &errnop); + */ + ret = sss_pac_make_request_with_lock(SSS_PAC_ADD_PAC_USER, &sss_data, + NULL, NULL, &errnop); + if (ret != NSS_STATUS_SUCCESS + && !(ret == NSS_STATUS_UNAVAIL && errnop != ECONNREFUSED)) { + /* NSS_STATUS_UNAVAIL is returned if the PAC responder rejects + * the request which is ok because the client is waiting for a + * response here as well. Only errnop == ECONNREFUSED should + * be treated as error because this means that the PAC + * responder is not running. 
*/
+ fprintf(stderr, "pac: [%s][%d][%d]\n", (char *)arg, ret, errnop);
+ return ((void *)((uintptr_t)("X")));
+ }
+ }
+
+ fprintf(stderr, "[%ld][%s] done\n", time(NULL),(char *) arg);
+ return NULL;
+}
+
+int main(void)
+{
+ pthread_t thread1;
+ pthread_t thread2;
+ int ret;
+ void *t_ret;
+
+ pthread_create(&thread1, NULL, pac_client,
+ ((void *)((uintptr_t)("Thread 1"))));
+ pthread_create(&thread2, NULL, pac_client,
+ ((void *)((uintptr_t)("Thread 2"))));
+
+ ret = pthread_join(thread1, &t_ret);
+ if (ret != 0 || t_ret != NULL) {
+ fprintf(stderr, "Thread 1 failed.\n");
+ return EIO;
+ }
+
+ ret = pthread_join(thread2, &t_ret);
+ if (ret != 0 || t_ret != NULL) {
+ fprintf(stderr, "Thread 1 failed.\n");
+ return EIO;
+ }
+
+ return 0;
+}
diff --git a/src/sss_client/sss_pam.exports b/src/sss_client/sss_pam.exports
new file mode 100644
index 0000000..9afa106
--- /dev/null
+++ b/src/sss_client/sss_pam.exports
@@ -0,0 +1,4 @@
+{
+ global:
+ *;
+};
diff --git a/src/sss_client/sss_pam_compat.h b/src/sss_client/sss_pam_compat.h
new file mode 100644
index 0000000..d131cea
--- /dev/null
+++ b/src/sss_client/sss_pam_compat.h
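Review bot: In main() both pthread_create() calls discard their return value, so a failed thread creation leaves thread1 or thread2 uninitialised when it is passed to pthread_join(); check each call, e.g. `ret = pthread_create(&thread1, NULL, pac_client, ...); if (ret != 0) return ret;`. The second join block also prints `"Thread 1 failed.\n"` for thread2; it should read `"Thread 2 failed.\n"` so that a failure of this locking test is attributed to the right thread. In pac_client(), `time(NULL)` is passed to `%ld` without a cast; `(long) time(NULL)` keeps the format and the argument type matched.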
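Review bot: The version script sss_pam.exports marks every symbol `global: *;`, whereas sss_nss.exports in the same commit lists its entry points and ends with `local: *;`. With the wildcard, the client helpers declared in sss_cli.h (for example `sss_pam_make_request` and the lock functions) presumably end up in the module's dynamic symbol table, where they can collide with or be interposed by same-named symbols in the process that loads the module. Consider listing only the PAM entry points (the `pam_sm_*` functions) under `global:` and adding `local: *;`, after confirming that nothing else links against the extra symbols.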
@@ -0,0 +1,45 @@ +/* + SSSD + + Compat declarations for PAM. + + Authors: + Lukas Slebodnik + + Copyright (C) Red Hat, Inc 2014 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifndef _SSS_PAM_COMPAT_H +#define _SSS_PAM_COMPAT_H + +#ifdef HAVE_SECURITY_PAM_MODUTIL_H +# include +#endif /* HAVE_SECURITY_PAM_MODUTIL_H */ + +#ifdef HAVE_SECURITY_PAM_EXT_H +# include +#endif /* HAVE_SECURITY_PAM_EXT_H */ + +#ifndef HAVE_PAM_VSYSLOG +#define pam_vsyslog(pamh, priority, fmt, vargs) \ + vsyslog((priority), (fmt), (vargs)) +#endif /* HAVE_PAM_VSYSLOG */ + +#ifndef PAM_BAD_ITEM +# define PAM_BAD_ITEM PAM_USER_UNKNOWN +#endif /* PAM_BAD_ITEM */ + +#endif /* _SSS_PAM_COMPAT_H */ diff --git a/src/sss_client/sss_pam_macros.h b/src/sss_client/sss_pam_macros.h new file mode 100644 index 0000000..0a7e266 --- /dev/null +++ b/src/sss_client/sss_pam_macros.h 
@@ -0,0 +1,61 @@ +/* + SSSD + + Client Interface for NSS and PAM. + + Authors: + Stephen Gallagher + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifndef _SSS_PAM_MACROS_H +#define _SSS_PAM_MACROS_H + +/* Older versions of the pam development headers do not include the + * _pam_overwrite_n(n,x) macro. This implementation is copied from + * the Fedora 11 _pam_macros.h. + */ +#ifdef HAVE_SECURITY__PAM_MACROS_H +# include +#endif /* HAVE_SECURITY__PAM_MACROS_H */ + +#ifndef _pam_overwrite +#define _pam_overwrite(x) \ +do { \ + register char *__xx__; \ + if ((__xx__=(x))) \ + while (*__xx__) \ + *__xx__++ = '\0'; \ +} while (0) +#endif /* _pam_overwrite */ + +#ifndef _pam_overwrite_n +#define _pam_overwrite_n(x,n) \ +do { \ + register char *__xx__; \ + register unsigned int __i__ = 0; \ + if ((__xx__=(x))) \ + for (;__i__ + + Copyright (C) 2011, 2012, 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +/* A short documentation about authdata plugins can be found in + * http://http://k5wiki.kerberos.org/wiki/Projects/VerifyAuthData */ + +#include +#include + +#include "krb5_authdata_int.h" +#include "sss_cli.h" + + +struct sssd_context { + krb5_data data; +}; + +static krb5_error_code +sssdpac_init(krb5_context kcontext, void **plugin_context) +{ + *plugin_context = NULL; + return 0; +} + +static void +sssdpac_flags(krb5_context kcontext, + void *plugin_context, + krb5_authdatatype ad_type, + krb5_flags *flags) +{ + *flags = AD_USAGE_KDC_ISSUED | AD_USAGE_TGS_REQ; +} + +static void +sssdpac_fini(krb5_context kcontext, void *plugin_context) +{ + return; +} + +static krb5_error_code +sssdpac_request_init(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void **request_context) +{ + struct sssd_context *sssdctx; + + sssdctx = (struct sssd_context *)calloc(1, sizeof(*sssdctx)); + if (sssdctx == NULL) { + return ENOMEM; + } + + *request_context = sssdctx; + + return 0; +} + +static krb5_error_code +sssdpac_import_authdata(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + krb5_authdata **authdata, + krb5_boolean kdc_issued, + krb5_const_principal kdc_issuer) +{ + char *data = NULL; + struct sssd_context *sssdctx = (struct sssd_context *)request_context; + + if (authdata[0] == NULL) { + return EINVAL; + } + + if (authdata[0]->length > 0) { + data = malloc(sizeof(char) * authdata[0]->length); + if (data == NULL) { + return ENOMEM; + } + memcpy(data, authdata[0]->contents, authdata[0]->length); + } + + if (sssdctx->data.data != NULL) { + krb5_free_data_contents(kcontext, &sssdctx->data); + } + + sssdctx->data.length = authdata[0]->length; + sssdctx->data.data = data; + return 0; +} + +static void 
+sssdpac_request_fini(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context) +{ + struct sssd_context *sssdctx = (struct sssd_context *)request_context; + + if (sssdctx != NULL) { + if (sssdctx->data.data != NULL) { + krb5_free_data_contents(kcontext, &sssdctx->data); + } + + free(sssdctx); + } +} + +static krb5_error_code sssdpac_verify(krb5_context kcontext, + krb5_authdata_context context, + void *plugin_context, + void *request_context, + const krb5_auth_context *auth_context, + const krb5_keyblock *key, + const krb5_ap_req *req) +{ + krb5_error_code kerr; + int ret; + krb5_pac pac; + struct sssd_context *sssdctx = (struct sssd_context *)request_context; + struct sss_cli_req_data sss_data; + int errnop; + + if (sssdctx == NULL || sssdctx->data.data == NULL) { + return EINVAL; + } + + kerr = krb5_pac_parse(kcontext, sssdctx->data.data, + sssdctx->data.length, &pac); + if (kerr != 0) { + return EINVAL; + } + + kerr = krb5_pac_verify(kcontext, pac, + req->ticket->enc_part2->times.authtime, + req->ticket->enc_part2->client, key, NULL); + /* deallocate pac */ + krb5_pac_free(kcontext, pac); + pac = NULL; + if (kerr != 0) { + /* The krb5 documentation says: + * A checksum mismatch can occur if the PAC was copied from a + * cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server + * Open Directory (as of 10.6) generates PACs with no server checksum + * at all. One should consider not failing the whole authentication + * because of this reason, but, instead, treating the ticket as + * if it did not contain a PAC or marking the PAC information as + * non-verified. 
+ */
+ return 0;
+ }
+
+ sss_data.len = sssdctx->data.length;
+ sss_data.data = sssdctx->data.data;
+
+ ret = sss_pac_make_request_with_lock(SSS_PAC_ADD_PAC_USER, &sss_data,
+ NULL, NULL, &errnop);
+ if (ret != 0) {
+ /* Ignore the error */
+ }
+
+ return 0;
+}
+
+static krb5_error_code
+sssdpac_size(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ size_t *sizep)
+{
+ struct sssd_context *sssdctx = (struct sssd_context *)request_context;
+
+ *sizep += sizeof(krb5_int32);
+
+ *sizep += sssdctx->data.length;
+
+ *sizep += sizeof(krb5_int32);
+
+ return 0;
+}
+
+static krb5_error_code
+sssdpac_externalize(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
+{
+ krb5_error_code code = 0;
+ struct sssd_context *sssdctx = (struct sssd_context *)request_context;
+ size_t required = 0;
+ krb5_octet *bp;
+ size_t remain;
+
+ bp = *buffer;
+ remain = *lenremain;
+
+ if (sssdctx->data.data != NULL) {
+ sssdpac_size(kcontext, context, plugin_context,
+ request_context, &required);
+
+ if (required <= remain) {
+ krb5_ser_pack_int32((krb5_int32)sssdctx->data.length,
+ &bp, &remain);
+ krb5_ser_pack_bytes((krb5_octet *)sssdctx->data.data,
+ (size_t)sssdctx->data.length,
+ &bp, &remain);
+ krb5_ser_pack_int32(0,
+ &bp, &remain);
+ } else {
+ code = ENOMEM;
+ }
+ } else {
+ krb5_ser_pack_int32(0, &bp, &remain); /* length */
+ krb5_ser_pack_int32(0, &bp, &remain); /* verified */
+ }
+
+ *buffer = bp;
+ *lenremain = remain;
+
+ return code;
+}
+
+static krb5_error_code
+sssdpac_internalize(krb5_context kcontext,
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
+{
+ struct sssd_context *sssdctx = (struct sssd_context *)request_context;
+ krb5_error_code code;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_data data;
+
+ bp = *buffer;
+ remain
= *lenremain;
+
+ /* length */
+ code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (code != 0) {
+ return code;
+ }
+
+ if (ibuf != 0) {
+
+ data.length = ibuf;
+ data.data = malloc(sizeof(char) * ibuf);
+ if (data.data == NULL) {
+ return ENOMEM;
+ }
+ memcpy(data.data, bp, ibuf);
+
+ bp += ibuf;
+ remain -= ibuf;
+ } else {
+ data.length = 0;
+ data.data = NULL;
+ }
+
+ /* verified */
+ code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (code != 0) {
+ free(data.data);
+ return code;
+ }
+
+ if (sssdctx->data.data != NULL) {
+ krb5_free_data_contents(kcontext, &sssdctx->data);
+ }
+
+ sssdctx->data.length = data.length;
+ sssdctx->data.data = data.data;
+
+ *buffer = bp;
+ *lenremain = remain;
+
+ return 0;
+}
+
+static krb5_authdatatype sssdpac_ad_types[] = { KRB5_AUTHDATA_WIN2K_PAC, 0 };
+
+krb5plugin_authdata_client_ftable_v0 authdata_client_0 = {
+ ((void *)((uintptr_t)("sssd_sssdpac"))),
+ sssdpac_ad_types,
+ sssdpac_init,
+ sssdpac_fini,
+ sssdpac_flags,
+ sssdpac_request_init,
+ sssdpac_request_fini,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ sssdpac_import_authdata,
+ NULL,
+ NULL,
+ sssdpac_verify,
+ sssdpac_size,
+ sssdpac_externalize,
+ sssdpac_internalize,
+ NULL
+};
diff --git a/src/sss_client/sudo/sss_sudo.c b/src/sss_client/sudo/sss_sudo.c
new file mode 100644
index 0000000..3651740
--- /dev/null
+++ b/src/sss_client/sudo/sss_sudo.c
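Review bot: sssdpac_internalize() uses the length it unpacks into `ibuf` for malloc() and memcpy() without comparing it against `remain`, so a serialized context whose length field exceeds the bytes left (or is negative, which converts to a very large size_t) makes memcpy() read past the input buffer and `remain -= ibuf` wrap. Add a bounds check before the allocation, `if (ibuf < 0 || (size_t)ibuf > remain) { return EINVAL; }`. Separately, sssdpac_size() and sssdpac_externalize() dereference `sssdctx` without the NULL check that sssdpac_verify() and sssdpac_request_fini() apply, and sssdpac_externalize() ignores the return codes of the krb5_ser_pack_* calls. The diff header for this file did not survive on the page, so its path is not visible here.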
@@ -0,0 +1,251 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include + +#include "util/util.h" +#include "sss_client/sss_cli.h" +#include "sss_client/sudo/sss_sudo.h" +#include "sss_client/sudo/sss_sudo_private.h" + +int sss_sudo_create_query(uid_t uid, + const char *username, + uint8_t **_query, + size_t *_query_len); + +static void sss_sudo_free_rules(unsigned int num_rules, + struct sss_sudo_rule *rules); + +static void sss_sudo_free_attrs(unsigned int num_attrs, + struct sss_sudo_attr *attrs); + +static int sss_sudo_send_recv_generic(enum sss_cli_command command, + uid_t uid, + const char *username, + uint32_t *_error, + char **_domainname, + struct sss_sudo_result **_result) +{ + struct sss_cli_req_data request; + uint8_t *query_buf = NULL; + size_t query_len = 0; + uint8_t *reply_buf = NULL; + size_t reply_len = 0; + int errnop = 0; + int ret = 0; + + /* create query */ + + ret = sss_sudo_create_query(uid, username, &query_buf, &query_len); + if (ret != EOK) { + goto done; + } + + request.len = query_len; + request.data = (const void*)query_buf; + + /* send query and receive response */ + + errnop = 0; + ret = sss_sudo_make_request(command, &request, + &reply_buf, &reply_len, &errnop); + if (ret != SSS_STATUS_SUCCESS) { + ret = errnop; + goto done; + } + + /* parse structure */ + + ret = 
sss_sudo_parse_response((const char*)reply_buf, reply_len,
+ _domainname, _result, _error);
+
+done:
+ free(query_buf);
+ free(reply_buf);
+ return ret;
+}
+
+int sss_sudo_send_recv(uid_t uid,
+ const char *username,
+ const char *domainname,
+ uint32_t *_error,
+ struct sss_sudo_result **_result)
+{
+ int ret;
+
+ if (username == NULL || strlen(username) == 0) {
+ return EINVAL;
+ }
+
+ /* send query and receive response */
+
+ ret = sss_sudo_send_recv_generic(SSS_SUDO_GET_SUDORULES, uid, username,
+ _error, NULL, _result);
+ return ret;
+}
+
+int sss_sudo_send_recv_defaults(uid_t uid,
+ const char *username,
+ uint32_t *_error,
+ char **_domainname,
+ struct sss_sudo_result **_result)
+{
+ if (username == NULL || strlen(username) == 0) {
+ return EINVAL;
+ }
+
+ return sss_sudo_send_recv_generic(SSS_SUDO_GET_DEFAULTS, uid, username,
+ _error, _domainname, _result);
+}
+
+int sss_sudo_create_query(uid_t uid, const char *username,
+ uint8_t **_query, size_t *_query_len)
+{
+ uint8_t *data = NULL;
+ size_t username_len = strlen(username) * sizeof(char) + 1;
+ size_t data_len = sizeof(uid_t) + username_len;
+ size_t offset = 0;
+
+ data = (uint8_t*)malloc(data_len * sizeof(uint8_t));
+ if (data == NULL) {
+ return ENOMEM;
+ }
+
+ SAFEALIGN_SET_VALUE(data, uid, uid_t, &offset);
+ memcpy(data + offset, username, username_len);
+
+ *_query = data;
+ *_query_len = data_len;
+
+ return EOK;
+}
+
+int sss_sudo_get_values(struct sss_sudo_rule *e,
+ const char *attrname, char ***_values)
+{
+ struct sss_sudo_attr *attr = NULL;
+ char **values = NULL;
+ int i, j;
+
+ for (i = 0; i < e->num_attrs; i++) {
+ attr = e->attrs + i;
+ if (strcasecmp(attr->name, attrname) == 0) {
+ values = calloc(attr->num_values + 1, sizeof(char*));
+ if (values == NULL) {
+ return ENOMEM;
+ }
+
+ for (j = 0; j < attr->num_values; j++) {
+ values[j] = strdup(attr->values[j]);
+ if (values[j] == NULL) {
+ sss_sudo_free_values(values);
+ return ENOMEM;
+ }
+ }
+
+ values[attr->num_values] = NULL;
+
+
break; + } + } + + if (values == NULL) { + return ENOENT; + } + + *_values = values; + + return EOK; +} + +void sss_sudo_free_values(char **values) +{ + char **value = NULL; + + if (values == NULL) { + return; + } + + for (value = values; *value != NULL; value++) { + free(*value); + } + + free(values); +} + +void sss_sudo_free_result(struct sss_sudo_result *result) +{ + if (result == NULL) { + return; + } + + sss_sudo_free_rules(result->num_rules, result->rules); + free(result); +} + +void sss_sudo_free_rules(unsigned int num_rules, struct sss_sudo_rule *rules) +{ + struct sss_sudo_rule *rule = NULL; + int i; + + if (rules == NULL) { + return; + } + + for (i = 0; i < num_rules; i++) { + rule = rules + i; + + sss_sudo_free_attrs(rule->num_attrs, rule->attrs); + rule->attrs = NULL; + } + + free(rules); +} + +void sss_sudo_free_attrs(unsigned int num_attrs, struct sss_sudo_attr *attrs) +{ + struct sss_sudo_attr *attr = NULL; + int i, j; + + if (attrs == NULL) { + return; + } + + for (i = 0; i < num_attrs; i++) { + attr = attrs + i; + + free(attr->name); + attr->name = NULL; + + for (j = 0; j < attr->num_values; j++) { + free(attr->values[j]); + attr->values[j] = NULL; + } + + free(attr->values); + } + + free(attrs); +} diff --git a/src/sss_client/sudo/sss_sudo.h b/src/sss_client/sudo/sss_sudo.h new file mode 100644 index 0000000..dc41d9f --- /dev/null +++ b/src/sss_client/sudo/sss_sudo.h 
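Review bot: sss_sudo_send_recv() accepts `domainname` but never uses it: it passes NULL as the domain argument of sss_sudo_send_recv_generic(), and sss_sudo_create_query() serialises only the uid and the username. A caller that obtained the domain from sss_sudo_send_recv_defaults() may assume the rule lookup is scoped to that domain, which the client side does not enforce; whether the responder derives the domain from the username cannot be seen from this hunk. Either state this on the function, e.g. `/* domainname is currently ignored; the query carries only uid and username */`, or add the domain to the query. The loops in sss_sudo_get_values(), sss_sudo_free_rules() and sss_sudo_free_attrs() also compare `int i, j` with `unsigned int` counts; declaring the indices `unsigned int` avoids the sign conversion.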
@@ -0,0 +1,195 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_SUDO_H_ +#define SSS_SUDO_H_ + +/** + * @defgroup libsss_sudo A library for communication between SUDO and SSSD + * libsss_sudo provides a mechanism to for a SUDO plugin + * to communicate with the sudo responder of SSSD. + * + * @{ + */ + +#include +#include + +/** The value returned when the communication with SUDO is successful and + * the user was found in one of the domains + */ +#define SSS_SUDO_ERROR_OK 0 + +/** + * Component of an sss_rule structure. The component + * has exactly one name and one or more values. + * + */ +struct sss_sudo_attr { + /** The attribute name */ + char *name; + /** A string array that contains all the attribute values */ + char **values; + + /** The number of values the attribute contains. + * + * Attributes are multivalued in general. + */ + unsigned int num_values; +}; + +/** + * One sudo rule. The rule consists of one or more + * attributes of sss_attr type + */ +struct sss_sudo_rule { + /** The number of attributes in the rule */ + unsigned int num_attrs; + + /** List of rule attributes */ + struct sss_sudo_attr *attrs; +}; + +/** + * A result object returned from SSSD. + * + * The result consists of zero or more sss_rule elements. 
+ */ +struct sss_sudo_result { + /** + * The number of rules for the user + * + * In case the user exists in one of SSSD domains + * but no rules match for him, the num_rules element + * is 0. + */ + unsigned int num_rules; + + /** List of rules found */ + struct sss_sudo_rule *rules; +}; + +/** + * @brief Send a request to SSSD to retrieve all SUDO rules for a given + * user. + * + * @param[in] uid The uid of the user to retrieve the rules for. + * @param[in] username The username to retrieve the rules for + * @param[in] domainname The domain name the user is a member of. + * @param[out] _error The result of the search in SSSD's domains. If the + * user was present in the domain, the _error code is + * SSS_SUDO_ERROR_OK and the _result structure is + * returned even if it was empty (in other words + * _result->num_rules == 0). Other problems are returned + * as errno codes. Most prominently these are ENOENT + * (the user was not found with SSSD), EIO (SSSD + * encountered an internal problem) and EINVAL + * (malformed query). + * @param[out] _result Newly allocated structure sss_result that contains + * the rules for the user. If no rules were found but + * the user was valid, this structure is "empty", which + * means that the num_rules member is 0. + * + * @return 0 on success and other errno values on failure. The return value + * denotes whether communication with SSSD was successful. It does not + * tell whether the result contains any rules or whether SSSD knew the + * user at all. That information is transferred in the _error parameter. + */ +int sss_sudo_send_recv(uid_t uid, + const char *username, + const char *domainname, + uint32_t *_error, + struct sss_sudo_result **_result); + +/** + * @brief Send a request to SSSD to retrieve the default options, commonly + * stored in the "cn=defaults" record, + * + * @param[in] uid The uid of the user to retrieve the rules for. + * + * @param[in] username The username to retrieve the rules for. 
+ * + * @param[out] _error The result of the search in SSSD's domains. If the + * options were present in the domain, the _error code + * is SSS_SUDO_ERROR_OK and the _result structure is + * returned even if it was empty (in other words + * _result->num_rules == 0). Other problems are returned + * as errno codes. + * + * @param[out] _domainname The domain name the user is a member of. + * + * @param[out] _result Newly allocated structure sss_result that contains + * the options. If no options were found this structure + * is "empty", which means that the num_rules member + * is 0. + * + * @return 0 on success and other errno values on failure. The return value + * denotes whether communication with SSSD was successful. It does not + * tell whether the result contains any rules or whether SSSD knew the + * user at all. That information is transferred in the _error parameter. + * + * @note The _domainname should be freed using free(). + */ +int sss_sudo_send_recv_defaults(uid_t uid, + const char *username, + uint32_t *_error, + char **_domainname, + struct sss_sudo_result **_result); + +/** + * @brief Free the sss_result structure returned by sss_sudo_send_recv + * + * @param[in] result The sss_result structure to free. The structure was + * previously returned by sss_sudo_get_values(). + */ +void sss_sudo_free_result(struct sss_sudo_result *result); + +/** + * @brief Get all values for a given attribute in an sss_rule + * + * @param[in] e The sss_rule to get values from + * @param[in] attrname The name of the attribute to query from the rule + * @param[out] values A newly allocated list of values the attribute has in + * rule. On success, this parameter is an array of + * NULL-terminated strings, the last element is a NULL + * pointer. On failure (including when the attribute is + * not found), the pointer address is not changed. + * + * @return 0 on success, ENOENT in case the attribute is not found and other + * errno values on failure. 
+ * + * @note the returned values should be freed using sss_sudo_free_values() + */ +int sss_sudo_get_values(struct sss_sudo_rule *e, + const char *attrname, + char ***values); + +/** + * @brief Free the values returned by sss_sudo_get_values + * + * @param[in] values The list of values to free. The values were previously + * returned by sss_sudo_get_values() + */ +void sss_sudo_free_values(char **values); + +/** + * @} + */ +#endif /* SSS_SUDO_H_ */ diff --git a/src/sss_client/sudo/sss_sudo_private.h b/src/sss_client/sudo/sss_sudo_private.h new file mode 100644 index 0000000..2827a94 --- /dev/null +++ b/src/sss_client/sudo/sss_sudo_private.h @@ -0,0 +1,33 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_SUDO_PRIVATE_H_ +#define SSS_SUDO_PRIVATE_H_ + +#include +#include "sss_client/sudo/sss_sudo.h" + +int sss_sudo_parse_response(const char *message, + size_t message_len, + char **_domainname, + struct sss_sudo_result **_result, + uint32_t *_error); + +#endif /* SSS_SUDO_PRIVATE_H_ */ diff --git a/src/sss_client/sudo/sss_sudo_response.c b/src/sss_client/sudo/sss_sudo_response.c new file mode 100644 index 0000000..7d4bcc5 --- /dev/null +++ b/src/sss_client/sudo/sss_sudo_response.c 
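Review bot: The doc comment on `sss_sudo_free_result()` says the structure "was previously returned by sss_sudo_get_values()", which names the wrong function; I would change it to `previously returned by sss_sudo_send_recv() or sss_sudo_send_recv_defaults().` The `domainname` parameter of `sss_sudo_send_recv()` is documented as `[in]`, but the implementation in this commit forwards only the uid and username to the generic call, so the comment should say the argument is currently ignored. The struct comments refer to `sss_rule`, `sss_attr` and `sss_result`, while the declared types are `sss_sudo_rule`, `sss_sudo_attr` and `sss_sudo_result`. The two `#include` lines have lost their header names on this page, so they cannot be checked here.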
@@ -0,0 +1,257 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include + +#include "sss_client/sss_cli.h" +#include "sss_client/sudo/sss_sudo.h" +#include "sss_client/sudo/sss_sudo_private.h" + +static int sss_sudo_parse_rule(const char *message, + size_t message_len, + size_t *_cursor, + struct sss_sudo_rule *_rule); + +static int sss_sudo_parse_attr(const char *message, + size_t message_len, + size_t *_cursor, + struct sss_sudo_attr *_attr); + +static int sss_sudo_parse_uint32(const char *message, + size_t message_len, + size_t *_cursor, + uint32_t *_number); + +static int sss_sudo_parse_string(const char *message, + size_t message_len, + size_t *_cursor, + char **_str); + +int sss_sudo_parse_response(const char *message, + size_t message_len, + char **_domainname, + struct sss_sudo_result **_result, + uint32_t *_error) +{ + struct sss_sudo_result *result = NULL; + char *domainname = NULL; + size_t cursor = 0; + int ret = EOK; + int i = 0; + + /* error code */ + ret = sss_sudo_parse_uint32(message, message_len, &cursor, _error); + if (ret != EOK || *_error != SSS_SUDO_ERROR_OK) { + return ret; + } + + /* domain name - deprecated + * it won't be used, but we will read it anyway to ease parsing + * TODO: when possible change the protocol */ + ret = sss_sudo_parse_string(message, message_len, 
&cursor, &domainname); + if (ret != EOK) { + return ret; + } + + free(domainname); + if (_domainname != NULL) { + *_domainname = NULL; + } + + /* result */ + result = malloc(sizeof(struct sss_sudo_result)); + if (result == NULL) { + return ENOMEM; + } + + memset(result, 0, sizeof(struct sss_sudo_result)); + + /* rules_num */ + ret = sss_sudo_parse_uint32(message, message_len, + &cursor, &result->num_rules); + if (ret != EOK) { + goto fail; + } + + /* rules */ + result->rules = calloc(result->num_rules, sizeof(struct sss_sudo_rule)); + if (result->rules == NULL) { + ret = ENOMEM; + goto fail; + } + + for (i = 0; i < result->num_rules; i++) { + ret = sss_sudo_parse_rule(message, message_len, + &cursor, &result->rules[i]); + if (ret != EOK) { + goto fail; + } + } + + *_result = result; + + return EOK; + +fail: + sss_sudo_free_result(result); + return ret; +} + +int sss_sudo_parse_rule(const char *message, + size_t message_len, + size_t *_cursor, + struct sss_sudo_rule *_rule) +{ + int ret = EOK; + int i = 0; + + /* attrs_num */ + ret = sss_sudo_parse_uint32(message, message_len, + _cursor, &_rule->num_attrs); + if (ret != EOK) { + return ret; + } + + /* attrs */ + _rule->attrs = calloc(_rule->num_attrs, sizeof(struct sss_sudo_attr)); + if (_rule->attrs == NULL) { + return ENOMEM; + } + + for (i = 0; i < _rule->num_attrs; i++) { + ret = sss_sudo_parse_attr(message, message_len, + _cursor, &_rule->attrs[i]); + if (ret != EOK) { + return ret; + } + } + + return EOK; +} + +int sss_sudo_parse_attr(const char *message, + size_t message_len, + size_t *_cursor, + struct sss_sudo_attr *_attr) +{ + char *str = NULL; + int ret = EOK; + int i = 0; + + /* name */ + ret = sss_sudo_parse_string(message, message_len, _cursor, &str); + if (ret != EOK) { + return ret; + } + _attr->name = str; + + /* values_num */ + ret = sss_sudo_parse_uint32(message, message_len, + _cursor, &_attr->num_values); + if (ret != EOK) { + return ret; + } + + /* values */ + _attr->values = 
calloc(_attr->num_values, sizeof(const char*)); + if (_attr->values == NULL) { + return ENOMEM; + } + + for (i = 0; i < _attr->num_values; i++) { + ret = sss_sudo_parse_string(message, message_len, _cursor, &str); + if (ret != EOK) { + return ret; + } + _attr->values[i] = str; + } + + return EOK; +} + +int sss_sudo_parse_uint32(const char *message, + size_t message_len, + size_t *_cursor, + uint32_t *_number) +{ + size_t start_pos = 0; + + if (_cursor == NULL) { + return EINVAL; + } + + start_pos = *_cursor; + + if (start_pos + sizeof(uint32_t) > message_len) { + return EINVAL; + } + + /* expanded SAFEALIGN_COPY_UINT32 macro from util.h */ + memcpy(_number, message + start_pos, sizeof(uint32_t)); + *_cursor = start_pos + sizeof(uint32_t); + + return EOK; +} + +int sss_sudo_parse_string(const char *message, + size_t message_len, + size_t *_cursor, + char **_str) +{ + const char *current = NULL; + char *str = NULL; + size_t start_pos = 0; + size_t len = 0; + size_t maxlen = 0; + + if (_cursor == NULL) { + return EINVAL; + } + + start_pos = *_cursor; + maxlen = message_len - start_pos; + + if (start_pos >= message_len ) { + return EINVAL; + } + + current = message + start_pos; + len = strnlen(current, maxlen); + if (len == maxlen) { + /* the string exceeds message length */ + return EINVAL; + } + + str = strndup(current, len); + if (str == NULL) { + return ENOMEM; + } + + /* go after \0 */ + *_cursor = start_pos + len + 1; + *_str = str; + + return EOK; +} diff --git a/src/sss_client/sudo_testcli/sudo_testcli.c b/src/sss_client/sudo_testcli/sudo_testcli.c new file mode 100644 index 0000000..948b8b2 --- /dev/null +++ b/src/sss_client/sudo_testcli/sudo_testcli.c 
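Review bot: In `sss_sudo_parse_attr()` the count read into `_attr->num_values` stays set when the following `calloc()` fails, so the `fail:` path of `sss_sudo_parse_response()` reaches `sss_sudo_free_attrs()`, which indexes `attr->values[j]` for `j < num_values` while `values` is NULL. A malformed reply with a very large value count can make that allocation fail, so the caller gets a NULL dereference during cleanup instead of an error code. Resetting the count on that path closes it: `if (_attr->values == NULL) { _attr->num_values = 0; return ENOMEM; }`. The three counts (`num_rules`, `num_attrs`, `num_values`) are also used as allocation sizes without being compared to the bytes left in the message; every value needs at least its NUL byte, so `if (_attr->num_values > message_len - *_cursor) return EINVAL;` before the `calloc()` would bound memory use by the message size, and the same kind of check fits the other two counts. The loop indices are `int` while the counts are `unsigned int`; an unsigned index would match.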
@@ -0,0 +1,159 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include + +#include "sss_client/sss_cli.h" +#include "sss_client/sudo/sss_sudo.h" +#include "sss_client/sudo/sss_sudo_private.h" + +#ifndef EOK +#define EOK 0 +#endif + +void print_sss_result(struct sss_sudo_result *result); + +int main(int argc, char **argv) +{ + int ret = 0; + struct sss_sudo_result *result = NULL; + struct passwd *passwd = NULL; + const char *username = NULL; + char *domainname = NULL; + uid_t uid = 0; + uint32_t error = 0; + + if (argc != 2 && argc != 3) { + fprintf(stderr, "Usage: sss_sudo_cli username [uid]\n"); + goto fail; + } + + username = argv[1]; + if (argc == 3) { + uid = atoi(argv[2]); + } else { + passwd = getpwnam(username); + if (passwd == NULL) { + fprintf(stderr, "Unknown user\n"); + goto fail; + } + uid = passwd->pw_uid; + } + + /* get sss_result - it will send new query to responder */ + + /* get default options */ + + ret = sss_sudo_send_recv_defaults(uid, username, &error, + &domainname, &result); + if (ret != EOK) { + fprintf(stderr, "sss_sudo_send_recv_defaults() failed: %s\n", + strerror(ret)); + goto fail; + } + + printf("[\n"); + printf("\t{\n"); + printf("\t\t\"type\": \"default\",\n"); + printf("\t\t\"retval\": %d,\n", error); + if (error == SSS_SUDO_ERROR_OK) { + 
print_sss_result(result); + } + printf("\t},\n"); + + sss_sudo_free_result(result); + result = NULL; + + /* get rules */ + + ret = sss_sudo_send_recv(uid, username, domainname, &error, &result); + if (ret != EOK) { + fprintf(stderr, "sss_sudo_send_recv() failed: %s\n", strerror(ret)); + goto fail; + } + + printf("\t{\n"); + printf("\t\t\"type\": \"rules\",\n"); + printf("\t\t\"retval\": %d,\n", error); + if (error == SSS_SUDO_ERROR_OK) { + print_sss_result(result); + } + printf("\t}\n"); + printf("]\n"); + + + free(domainname); + sss_sudo_free_result(result); + return 0; + +fail: + free(domainname); + sss_sudo_free_result(result); + return 1; +} + +void print_sss_result(struct sss_sudo_result *result) +{ + struct sss_sudo_rule *rule = NULL; + struct sss_sudo_attr *attr = NULL; + int i = 0; + int j = 0; + int k = 0; + + printf("\t\t\"result\": {\n"); + printf("\t\t\t\"num_rules\": %d,\n", result->num_rules); + printf("\t\t\t\"rules\": [\n"); + for (i = 0; i < result->num_rules; i++) { + rule = &result->rules[i]; + printf("\t\t\t\t{\n"); + for (j = 0; j < rule->num_attrs; j++) { + attr = &rule->attrs[j]; + printf("\t\t\t\t\t\"%s\": ", attr->name); + if (attr->num_values > 1) { + printf("[ "); + printf("\"%s\"", attr->values[0]); + for (k = 1; k < attr->num_values; k++) { + printf(", \"%s\"", attr->values[k]); + } + printf(" ]"); + } else { + printf("\"%s\"", attr->values[0]); + } + + if (j < rule->num_attrs - 1) { + printf(","); + } + printf("\n"); + } + printf("\t\t\t\t}"); + if (i < result->num_rules - 1) { + printf(","); + } + printf("\n"); + } + printf("\t\t\t]\n"); + printf("\t\t}\n"); +} diff --git a/src/systemtap/sssd.stp.in b/src/systemtap/sssd.stp.in new file mode 100644 index 0000000..25a68cd --- /dev/null +++ b/src/systemtap/sssd.stp.in 
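Review bot: `print_sss_result()` prints `attr->values[0]` in the `else` branch whenever `num_values` is not greater than 1, which includes 0, and the parser in this commit does not reject a zero count, so this can read an element that was never stored. Making the branch explicit, `} else if (attr->num_values == 1) {`, with a final `else` that prints `[]`, keeps the tool safe on such replies. In `main()`, `uid = atoi(argv[2]);` silently accepts non-numeric and negative input; `strtoul()` with an end-pointer check would reject it. `error` is a `uint32_t` printed with `%d`, where `%u` or `PRIu32` matches the type.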
@@ -0,0 +1,274 @@ +# Database transaction probes +probe sssd_transaction_start = process("@libdir@/sssd/libsss_util.so").mark("sysdb_transaction_start") +{ + nesting = $arg1; + probestr = sprintf("-> %s(nesting=%d)", + $$name, + nesting); +} + +probe sssd_transaction_commit_before = process("@libdir@/sssd/libsss_util.so").mark("sysdb_transaction_commit_before") +{ + nesting = $arg1; + probestr = sprintf("<- %s(pre)(nesting=%d)", + $$name, + nesting); +} + +probe sssd_transaction_commit_after = process("@libdir@/sssd/libsss_util.so").mark("sysdb_transaction_commit_after") +{ + nesting = $arg1; + probestr = sprintf("<- %s(post)(nesting=%d)", + $$name, + nesting); +} + +probe sssd_transaction_cancel = process("@libdir@/sssd/libsss_util.so").mark("sysdb_transaction_cancel") +{ + nesting = $arg1; + probestr = sprintf("<- %s(nesting=%d)", + $$name, + nesting); +} + +# LDAP search probes +probe sdap_search_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_get_generic_ext_send") +{ + base = user_string($arg1); + scope = $arg2; + filter = user_string($arg3); + + probestr = sprintf("-> search base [%s] scope [%d] filter [%s]", + base, scope, filter); +} + +probe sdap_search_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_get_generic_ext_recv") +{ + base = user_string($arg1); + scope = $arg2; + filter = user_string($arg3); + + probestr = sprintf("<- search base [%s] scope [%d] filter [%s]", + base, scope, filter); +} + +probe sdap_deref_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_deref_search_send") +{ + base_dn = user_string($arg1); + deref_attr = user_string($arg2); + + probestr = sprintf("-> (%s)(base_dn=[%s],deref_attr=[%s])", + $$name, base_dn, deref_attr); +} + +probe sdap_deref_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_deref_search_recv") +{ + base_dn = user_string($arg1); + deref_attr = user_string($arg2); + + probestr = sprintf("-> (%s)(base_dn=[%s],deref_attr=[%s])", + $$name, base_dn, 
deref_attr); +} + +# LDAP account request probes +probe sdap_acct_req_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_acct_req_send") +{ + entry_type = $arg1; + filter_type = $arg2; + filter_value = user_string($arg3); + extra_value = user_string($arg4); +} + +probe sdap_acct_req_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_acct_req_recv") +{ + entry_type = $arg1; + filter_type = $arg2; + filter_value = user_string($arg3); + extra_value = user_string($arg4); +} + +# LDAP user search probes +probe sdap_search_user_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_search_user_send") +{ + filter = user_string($arg1); +} + +probe sdap_search_user_save_begin = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_search_user_save_begin") +{ + filter = user_string($arg1); +} + +probe sdap_search_user_save_end = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_search_user_save_end") +{ + filter = user_string($arg1); +} + +probe sdap_search_user_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_search_user_recv") +{ + filter = user_string($arg1); +} + +# LDAP group search probes +probe sdap_nested_group_populate_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_populate_pre") +{ + # No arguments +} + +probe sdap_nested_group_populate_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_populate_post") +{ + # No arguments +} + +probe sdap_nested_group_save_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_save_pre") +{ + # No arguments +} + +probe sdap_nested_group_save_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_save_post") +{ + # No arguments +} + +probe sdap_nested_group_lookup_user_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_lookup_user_send") +{ + # No arguments +} + +probe sdap_nested_group_lookup_user_recv = 
process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_lookup_user_recv") +{ + # No arguments +} + +probe sdap_nested_group_lookup_group_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_lookup_group_send") +{ + # No arguments +} + +probe sdap_nested_group_lookup_group_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_lookup_group_recv") +{ + # No arguments +} + +probe sdap_nested_group_lookup_unknown_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_lookup_unknown_send") +{ + # No arguments +} + +probe sdap_nested_group_lookup_unknown_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_lookup_unknown_recv") +{ + # No arguments +} + +probe sdap_nested_group_deref_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_deref_send") +{ + # No arguments +} + +probe sdap_nested_group_deref_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_deref_recv") +{ + # No arguments +} + +probe sdap_nested_group_deref_process_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_deref_process_pre") +{ + # No arguments +} + +probe sdap_nested_group_deref_process_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_deref_process_post") +{ + # No arguments +} + +probe sdap_nested_group_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_send") +{ + # No arguments +} + +probe sdap_nested_group_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_recv") +{ + # No arguments +} + +probe sdap_nested_group_process_send = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_process_send") +{ + orig_dn = user_string($arg1); + + probestr = sprintf("-> %s(orig_dn=[%s])", + $$name, orig_dn); +} + +probe sdap_nested_group_process_split_pre = 
process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_process_split_pre") +{ + # No arguments +} + +probe sdap_nested_group_process_split_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_process_split_post") +{ + # No arguments +} + +probe sdap_nested_group_check_cache_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_check_cache_pre") +{ + # No arguments +} + +probe sdap_nested_group_check_cache_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_check_cache_post") +{ + # No arguments +} + +probe sdap_nested_group_sysdb_search_users_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_sysdb_search_users_pre") +{ + # No arguments +} + +probe sdap_nested_group_sysdb_search_users_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_sysdb_search_users_post") +{ + # No arguments +} + +probe sdap_nested_group_sysdb_search_groups_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_sysdb_search_groups_pre") +{ + # No arguments +} + +probe sdap_nested_group_sysdb_search_groups_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_sysdb_search_groups_post") +{ + # No arguments +} + +probe sdap_nested_group_populate_search_users_pre = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_populate_search_users_pre") +{ + # No arguments +} + +probe sdap_nested_group_populate_search_users_post = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_populate_search_users_post") +{ + # No arguments +} + +probe sdap_nested_group_process_recv = process("@libdir@/sssd/libsss_ldap_common.so").mark("sdap_nested_group_process_recv") +{ + orig_dn = user_string($arg1); + + probestr = sprintf("-> %s(orig_dn=[%s])", + $$name, orig_dn); +} + +## Data Provider Request Probes +probe dp_req_send = process("@libexecdir@/sssd/sssd_be").mark("dp_req_send") +{ + 
dp_req_domain = user_string($arg1, "NULL"); + dp_req_name = user_string($arg2, "NULL"); + dp_req_target = $arg3; + dp_req_method = $arg4; +} + +probe dp_req_done = process("@libexecdir@/sssd/sssd_be").mark("dp_req_done") +{ + dp_req_name = user_string($arg1, "NULL"); + dp_req_target = $arg2; + dp_req_method = $arg3; + dp_ret = $arg4; + dp_errorstr = user_string($arg5, "NULL"); +} diff --git a/src/systemtap/sssd_functions.stp b/src/systemtap/sssd_functions.stp new file mode 100644 index 0000000..e249aac --- /dev/null +++ b/src/systemtap/sssd_functions.stp 
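Review bot: The `probestr` in `sdap_deref_recv` and in `sdap_nested_group_process_recv` starts with `->`, the same arrow their `_send` counterparts use, whereas `sdap_search_recv` and the transaction commit/cancel aliases use `<-` for the return side. If the arrow is meant to show direction, as it appears to, these two look like copy-paste leftovers and should read `sprintf("<- (%s)(base_dn=[%s],deref_attr=[%s])", ...)` and `sprintf("<- %s(orig_dn=[%s])", ...)`. The LDAP aliases call `user_string($argN)` without the fallback argument that the `dp_req_*` aliases pass (`user_string($arg1, "NULL")`); using the two-argument form throughout would make the handling of NULL or unreadable pointers uniform. The `sdap_acct_req_*` and `sdap_search_user_*` aliases set variables but no `probestr`, which is worth a one-line comment if intentional.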
@@ -0,0 +1,134 @@ +// constants +global TARGET_ID=0, TARGET_AUTH=1, TARGET_ACCESS=2, TARGET_CHPASS=3, + TARGET_SUDO=4, TARGET_AUTOFS=5, TARGET_SELINUX=6, TARGET_HOSTID=7, + TARGET_SUBDOMAINS=8, TARGET_SENTINEL=9 + +global METHOD_CHECK_ONLINE=0, METHOD_ACCOUNT_HANDLER=1, METHOD_AUTH_HANDLER=2, + METHOD_ACCESS_HANDLER=3, METHOD_SELINUX_HANDLER=4, METHOD_SUDO_HANDLER=5, + METHOD_AUTOFS_HANDLER=6, METHOD_HOSTID_HANDLER=7, METHOD_DOMAINS_HANDLER=8, + METHOD_SENTINEL=9 + +function acct_req_desc(entry_type) +{ + if (entry_type == 0x0001) { + str_entry_type = "user" + } else if (entry_type == 0x0002) { + str_entry_type = "group" + } else if (entry_type == 0x0003) { + str_entry_type = "initgroups" + } else if (entry_type == 0x0004) { + str_entry_type = "netgroups" + } else if (entry_type == 0x0005) { + str_entry_type = "services" + } else if (entry_type == 0x0006) { + str_entry_type = "sudo_full" + } else if (entry_type == 0x0007) { + str_entry_type = "sudo_rules" + # See src/providers/data_provider_req.h, no 0x0008 there.. + } else if (entry_type == 0x0009) { + str_entry_type = "autofs" + } else if (entry_type == 0x0010) { + str_entry_type = "host" + } else if (entry_type == 0x0011) { + str_entry_type = "by_secid" + } else if (entry_type == 0x0012) { + str_entry_type = "user_and_group" + } else if (entry_type == 0x0013) { + str_entry_type = "by_uuid" + } else if (entry_type == 0x0014) { + str_entry_type = "by_cert" + } else { + str_entry_type = sprintf("%X", entry_type) + } + + return str_entry_type +} + +function sssd_acct_req_probestr(fc_name, entry_type, filter_type, + filter_value, extra_value) +{ + str_entry_type = acct_req_desc(entry_type) + + # Maybe we could use guru mode here and include the constants + # directly.. 
+ if (filter_type == 1) { + str_filter_type = "name" + } else if (filter_type == 2) { + str_filter_type = "idnum" + } else if (filter_type == 3) { + str_filter_type = "enum" + } else if (filter_type == 4) { + str_filter_type = "secid" + } else if (filter_type == 5) { + str_filter_type = "uuid" + } else if (filter_type == 6) { + str_filter_type = "cert" + } else if (filter_type == 7) { + str_filter_type = "wildcard" + } else { + str_filter_type = sprintf("%d", filter_type) + } + + probestr = sprintf("%s(entry_type=%s, filter_type=%s, filter_value=%s, extra_value=%s)", + fc_name, str_entry_type, str_filter_type, + filter_value, extra_value) + return probestr +} + +function dp_target_str(target) +{ + if (target == TARGET_ID) { + str_target = "ID" + } else if (target == TARGET_AUTH) { + str_target = "AUTH" + } else if (target == TARGET_ACCESS) { + str_target = "ACCESS" + } else if (target == TARGET_CHPASS) { + str_target = "CHPASS" + } else if (target == TARGET_SUDO) { + str_target = "SUDO" + } else if (target == TARGET_AUTOFS) { + str_target = "AUTOFS" + } else if (target == TARGET_SELINUX) { + str_target = "SELINUX" + } else if (target == TARGET_HOSTID) { + str_target = "HOSTID" + } else if (target == TARGET_SUBDOMAINS) { + str_target = "SUBDOMAINS" + } else if (target == TARGET_SENTINEL) { + str_target = "TARGET_SENTINEL" + } else { + str_target = "UNKNOWN" + } + + return str_target +} + +function dp_method_str(method) +{ + if (method == METHOD_CHECK_ONLINE) { + str_method = "Check Online" + } else if (method == METHOD_ACCOUNT_HANDLER) { + str_method = "Account Handler" + } else if (method == METHOD_AUTH_HANDLER) { + str_method = "Auth Handler" + } else if (method == METHOD_ACCESS_HANDLER) { + str_method = "Access Handler" + } else if (method == METHOD_SELINUX_HANDLER) { + str_method = "SELinux Handler" + } else if (method == METHOD_SUDO_HANDLER) { + str_method = "Sudo Handler" + } else if (method == METHOD_AUTOFS_HANDLER) { + str_method = "Autofs Handler" + } else 
if (method == METHOD_HOSTID_HANDLER) { + str_method = "HostID Handler" + } else if (method == METHOD_DOMAINS_HANDLER) { + str_method = "Domains Handler" + } else if (method == METHOD_SENTINEL) { + str_method = "Method Sentinel" + } else { + str_method = "UNKNOWN" + } + + return str_method +} diff --git a/src/systemtap/sssd_probes.d b/src/systemtap/sssd_probes.d new file mode 100644 index 0000000..c0d5268 --- /dev/null +++ b/src/systemtap/sssd_probes.d 
@@ -0,0 +1,73 @@ +provider sssd { + probe sysdb_transaction_start(int nesting); + probe sysdb_transaction_commit_before(int nesting); + probe sysdb_transaction_commit_after(int nesting); + probe sysdb_transaction_cancel(int nesting); + + probe sdap_acct_req_send(int entry_type, + int filter_type, + char *filter_value, + char *extra_value); + probe sdap_acct_req_recv(int entry_type, + int filter_type, + char *filter_value, + char *extra_value); + + probe sdap_search_user_send(const char *filter); + probe sdap_search_user_save_begin(const char *filter); + probe sdap_search_user_save_end(const char *filter); + probe sdap_search_user_recv(const char *filter); + + probe sdap_get_generic_ext_send(const char *base, int scope, const char *filter); + probe sdap_get_generic_ext_recv(const char *base, int scope, const char *filter); + + probe sdap_deref_search_send(const char *base_dn, const char *deref_attr); + probe sdap_deref_search_recv(const char *base_dn, const char *deref_attr); + + probe sdap_nested_group_populate_pre(); + probe sdap_nested_group_populate_post(); + + probe sdap_nested_group_save_pre(); + probe sdap_nested_group_save_post(); + + probe sdap_nested_group_lookup_user_send(); + probe sdap_nested_group_lookup_user_recv(); + + probe sdap_nested_group_lookup_group_send(); + probe sdap_nested_group_lookup_group_recv(); + + probe sdap_nested_group_lookup_unknown_send(); + probe sdap_nested_group_lookup_unknown_recv(); + + probe sdap_nested_group_deref_send(); + probe sdap_nested_group_deref_process_pre(); + probe sdap_nested_group_deref_process_post(); + probe sdap_nested_group_deref_recv(); + + probe sdap_save_group_pre(); + probe sdap_save_group_post(); + + probe sdap_save_grpmem_pre(); + probe sdap_save_grpmem_post(); + + probe sdap_nested_group_send(); + probe sdap_nested_group_recv(); + + probe sdap_nested_group_process_send(const char *orig_dn); + probe sdap_nested_group_process_split_pre(); + probe sdap_nested_group_process_split_post(); + probe 
sdap_nested_group_process_recv(const char *orig_dn); + probe sdap_nested_group_check_cache_pre(); + probe sdap_nested_group_check_cache_post(); + probe sdap_nested_group_sysdb_search_users_pre(); + probe sdap_nested_group_sysdb_search_users_post(); + probe sdap_nested_group_sysdb_search_groups_pre(); + probe sdap_nested_group_sysdb_search_groups_post(); + probe sdap_nested_group_populate_search_users_pre(); + probe sdap_nested_group_populate_search_users_post(); + + probe dp_req_send(const char *domain, const char *dp_req_name, + int target, int method); + probe dp_req_done(const char *dp_req_name, int target, int method, + int ret, const char *errorstr); +} diff --git a/src/sysv/SUSE/sssd.in b/src/sysv/SUSE/sssd.in new file mode 100644 index 0000000..04d3023 --- /dev/null +++ b/src/sysv/SUSE/sssd.in 
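Review bot: `sdap_save_group_pre/post` and `sdap_save_grpmem_pre/post` are declared in this provider but have no alias in `src/systemtap/sssd.stp.in` from the same commit, so tapset users can only reach them through raw `process().mark()` probes; either add the four aliases or add a comment here saying they are deliberately left without one. `sdap_acct_req_send` and `sdap_acct_req_recv` declare `char *filter_value` and `char *extra_value` while every other string argument in the provider is `const char *`; `const char *filter_value, const char *extra_value` would be consistent.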
@@ -0,0 +1,77 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: sssd
+# Required-Start: $remote_fs $time
+# Should-Start: $syslog
+# Should-Stop: $syslog
+# Required-Stop: $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 4 6
+# Short-Description: System Security Services Daemon
+# Description: Provides a set of daemons to manage access to remote directories
+# and authentication mechanisms. It provides an NSS and PAM
+# interface toward the system and a pluggable backend system to
+# connect to multiple different account sources. It is also the
+# basis to provide client auditing and policy services for projects
+# like FreeIPA.
+### END INIT INFO
+
+RETVAL=0
+prog="sssd"
+
+# Source function library.
+. /etc/rc.status
+rc_reset
+
+SSSD=@sbindir@/sssd
+PID_FILE=@localstatedir@/run/sssd.pid
+
+case "$1" in
+ start)
+ echo -n "Starting $prog "
+ /sbin/startproc $SSSD -f -D 2>/dev/null
+ rc_status -v
+ ;;
+
+ stop)
+ echo -n "Shutting down $prog "
+ /sbin/killproc -p $PID_FILE $SSSD -TERM
+ rc_status -v
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ rc_status
+ ;;
+
+ reload)
+ echo -n "Reload service $prog "
+ killproc $SSSD -HUP
+ rc_status -v
+ ;;
+
+ force-reload)
+ $0 reload
+ ;;
+
+ status)
+ echo -n "Checking for service $prog"
+ /sbin/checkproc $SSSD
+ rc_status -v
+ ;;
+
+ condrestart|try-restart)
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset # Not running is not a failure.
+ fi
+ rc_status
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 1
+esac
+rc_exit
diff --git a/src/sysv/gentoo/sssd.in b/src/sysv/gentoo/sssd.in
new file mode 100644
index 0000000..7ced44f
--- /dev/null
+++ b/src/sysv/gentoo/sssd.in
@@ -0,0 +1,18 @@
+#!/sbin/runscript
+
+depend(){
+ need localmount netmount clock
+ use syslog xdm
+}
+
+start(){
+ ebegin "Starting sssd"
+ start-stop-daemon --start --exec @sbindir@/sssd -- -Df ${SSSD_OPTIONS}
+ eend ${?}
+}
+
+stop(){
+ ebegin "Stopping sssd"
+ start-stop-daemon --stop --pidfile @localstatedir@/run/sssd.pid
+ eend ${?}
+}
diff --git a/src/sysv/sssd.in b/src/sysv/sssd.in
new file mode 100644
index 0000000..385785e
--- /dev/null
+++ b/src/sysv/sssd.in
@@ -0,0 +1,148 @@
+#!/bin/sh
+#
+#
+# chkconfig: - 12 88
+# description: Provides a set of daemons to manage access to remote directories
+# and authentication mechanisms. It provides an NSS and PAM
+# interface toward the system and a pluggable backend system to
+# connect to multiple different account sources. It is also the
+# basis to provide client auditing and policy services for projects
+# like FreeIPA.
+#
+### BEGIN INIT INFO
+# Provides: sssd
+# Required-Start: $remote_fs $time
+# Should-Start: $syslog
+# Should-Stop: $null
+# Required-Stop: $null
+# Default-Stop: 0 1 6
+# Short-Description: System Security Services Daemon
+# Description: Provides a set of daemons to manage access to remote directories
+# and authentication mechanisms. It provides an NSS and PAM
+# interface toward the system and a pluggable backend system to
+# connect to multiple different account sources. It is also the
+# basis to provide client auditing and policy services for projects
+# like FreeIPA.
+### END INIT INFO
+
+RETVAL=0
+prog="sssd"
+
+# Source function library.
+. /etc/init.d/functions
+
+if [ -f @environment_file@ ]; then
+ . @environment_file@
+fi
+
+SSSD=@sbindir@/sssd
+
+LOCK_FILE=@localstatedir@/lock/subsys/sssd
+PID_FILE=@localstatedir@/run/sssd.pid
+
+TIMEOUT=15
+
+start() {
+ [ -x $SSSD ] || exit 5
+ echo -n $"Starting $prog: "
+ daemon $SSSD -f -D
+ RETVAL=$?
+ echo
+ [ "$RETVAL" = 0 ] && touch $LOCK_FILE
+
+ # Wait for pidfile creation or timeout
+ sec=0
+ [ "$RETVAL" = 0 ] && while [ $sec -lt $TIMEOUT -a ! -f $PID_FILE ]
+ do
+ sleep 1
+ sec=$(($sec+1))
+ done
+
+ if [ "$sec" = "$TIMEOUT" ]; then
+ RETVAL=-1
+ fi
+
+ return $RETVAL
+}
+
+stop() {
+ echo -n $"Stopping $prog: "
+ pid=`cat $PID_FILE`
+
+ killproc -p $PID_FILE $SSSD -TERM
+ RETVAL=$?
+
+ # Wait until the monitor exits
+ while (checkpid $pid)
+ do
+ usleep 100000
+ done
+
+ echo
+ [ "$RETVAL" = 0 ] && rm -f $LOCK_FILE
+ return $RETVAL
+}
+
+reload() {
+ echo -n $"Reloading $prog: "
+ killproc $SSSD -HUP
+ RETVAL=$?
+ echo
+ return $RETVAL
+}
+
+restart() {
+ stop
+ start
+}
+
+force_reload() {
+ restart
+}
+
+rh_status() {
+ # run checks to determine if the service is running or use generic status
+ status $prog
+}
+
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+case "$1" in
+ start)
+ rh_status_q && exit 0
+ $1
+ ;;
+
+ stop)
+ rh_status_q || exit 0
+ $1
+ ;;
+
+ restart)
+ $1
+ ;;
+
+ reload)
+ rh_status_q || exit 7
+ $1
+ ;;
+
+ force-reload)
+ force_reload
+ ;;
+
+ status)
+ rh_status
+ ;;
+
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
+ exit 2
+esac
+exit $?
diff --git a/src/sysv/systemd/sssd-autofs.service.in b/src/sysv/systemd/sssd-autofs.service.in
new file mode 100644
index 0000000..7f920ad
--- /dev/null
+++ b/src/sysv/systemd/sssd-autofs.service.in
@@ -0,0 +1,19 @@
+[Unit]
+Description=SSSD AutoFS Service responder
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+RefuseManualStart=true
+
+[Install]
+Also=sssd-autofs.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log
+ExecStart=@libexecdir@/sssd/sssd_autofs ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
diff --git a/src/sysv/systemd/sssd-autofs.socket.in b/src/sysv/systemd/sssd-autofs.socket.in
new file mode 100644
index 0000000..201b33d
--- /dev/null
+++ b/src/sysv/systemd/sssd-autofs.socket.in
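Review bot: The wait loop in stop() of src/sysv/sssd.in (`while (checkpid $pid)`) has no upper bound, so a monitor that does not exit after TERM makes stop, and the restart and condrestart paths that call it, block indefinitely, while start() in the same file caps its wait with TIMEOUT. Bounding it the same way would be consistent, for example `sec=0; while [ $sec -lt $TIMEOUT ] && checkpid $pid; do sleep 1; sec=$(($sec+1)); done`. restart() also calls stop() without the rh_status_q guard that the `stop)` case uses, so the `cat $PID_FILE` assignment can run when no PID file exists; testing `[ -f $PID_FILE ]` first would keep that path quiet. Separately, start() sets `RETVAL=-1` and passes it to `return`, which POSIX sh does not define for negative values; `RETVAL=1` is portable.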
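Review bot: The pre-start command `ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log` in sssd-autofs.service.in runs with root privileges (PermissionsStartOnly=true applies User=/Group= only to ExecStart), and chown follows symbolic links by default. If @logpath@ is writable by @SSSD_USER@, which this hunk does not show, a symlink at that file name would cause the link target's ownership to be changed at the next service start. Using `ExecStartPre=-/bin/chown -h @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_autofs.log` changes the link itself instead of its target. The same line appears in sssd-pac.service.in, sssd-pam.service.in, sssd-ssh.service.in and sssd-sudo.service.in and would need the same change.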
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD AutoFS Service responder socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r autofs
+ListenStream=@pipepath@/autofs
+SocketUser=@SSSD_USER@
+SocketGroup=@SSSD_USER@
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in
new file mode 100644
index 0000000..f3bf922
--- /dev/null
+++ b/src/sysv/systemd/sssd-ifp.service.in
@@ -0,0 +1,13 @@
+[Unit]
+Description=SSSD IFP Service responder
+Documentation=man:sssd-ifp(5)
+After=sssd.service
+BindsTo=sssd.service
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+Type=dbus
+BusName=org.freedesktop.sssd.infopipe
+ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}
+@ifp_restart@
diff --git a/src/sysv/systemd/sssd-kcm.service.in b/src/sysv/systemd/sssd-kcm.service.in
new file mode 100644
index 0000000..8d689bf
--- /dev/null
+++ b/src/sysv/systemd/sssd-kcm.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSSD Kerberos Cache Manager
+Documentation=man:sssd-kcm(5)
+Requires=sssd-kcm.socket
+After=sssd-kcm.socket
+
+[Install]
+Also=sssd-kcm.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+ExecStart=@libexecdir@/sssd/sssd_kcm --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd-kcm.socket.in b/src/sysv/systemd/sssd-kcm.socket.in
new file mode 100644
index 0000000..8b74284
--- /dev/null
+++ b/src/sysv/systemd/sssd-kcm.socket.in
@@ -0,0 +1,10 @@
+[Unit]
+Description=SSSD Kerberos Cache Manager responder socket
+Documentation=man:sssd-kcm(8)
+Requires=sssd-secrets.socket
+
+[Socket]
+ListenStream=@runstatedir@/.heim_org.h5l.kcm-socket
+
+[Install]
+WantedBy=sockets.target
diff --git a/src/sysv/systemd/sssd-nss.service.in b/src/sysv/systemd/sssd-nss.service.in
new file mode 100644
index 0000000..c671280
--- /dev/null
+++ b/src/sysv/systemd/sssd-nss.service.in
@@ -0,0 +1,15 @@
+[Unit]
+Description=SSSD NSS Service responder
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+RefuseManualStart=true
+
+[Install]
+Also=sssd-nss.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStart=@libexecdir@/sssd/sssd_nss ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
diff --git a/src/sysv/systemd/sssd-nss.socket.in b/src/sysv/systemd/sssd-nss.socket.in
new file mode 100644
index 0000000..e5d6eda
--- /dev/null
+++ b/src/sysv/systemd/sssd-nss.socket.in
@@ -0,0 +1,15 @@
+[Unit]
+Description=SSSD NSS Service responder socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+Before=sssd-autofs.socket sssd-pac.socket sssd-pam.socket sssd-ssh.socket sssd-sudo.socket
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r nss
+ListenStream=@pipepath@/nss
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-pac.service.in b/src/sysv/systemd/sssd-pac.service.in
new file mode 100644
index 0000000..590449b
--- /dev/null
+++ b/src/sysv/systemd/sssd-pac.service.in
@@ -0,0 +1,19 @@
+[Unit]
+Description=SSSD PAC Service responder
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+RefuseManualStart=true
+
+[Install]
+Also=sssd-pac.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pac.log
+ExecStart=@libexecdir@/sssd/sssd_pac ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
diff --git a/src/sysv/systemd/sssd-pac.socket.in b/src/sysv/systemd/sssd-pac.socket.in
new file mode 100644
index 0000000..40dec44
--- /dev/null
+++ b/src/sysv/systemd/sssd-pac.socket.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD PAC Service responder socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pac
+ListenStream=@pipepath@/pac
+SocketUser=@SSSD_USER@
+SocketGroup=@SSSD_USER@
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-pam-priv.socket.in b/src/sysv/systemd/sssd-pam-priv.socket.in
new file mode 100644
index 0000000..27f2cf7
--- /dev/null
+++ b/src/sysv/systemd/sssd-pam-priv.socket.in
@@ -0,0 +1,19 @@
+[Unit]
+Description=SSSD PAM Service responder private socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+BindsTo=sssd-pam.socket
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
+Service=sssd-pam.service
+ListenStream=@pipepath@/private/pam
+SocketUser=root
+SocketGroup=root
+SocketMode=0600
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-pam.service.in b/src/sysv/systemd/sssd-pam.service.in
new file mode 100644
index 0000000..f2e9385
--- /dev/null
+++ b/src/sysv/systemd/sssd-pam.service.in
@@ -0,0 +1,19 @@
+[Unit]
+Description=SSSD PAM Service responder
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+RefuseManualStart=true
+
+[Install]
+Also=sssd-pam.socket sssd-pam-priv.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_pam.log
+ExecStart=@libexecdir@/sssd/sssd_pam ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
diff --git a/src/sysv/systemd/sssd-pam.socket.in b/src/sysv/systemd/sssd-pam.socket.in
new file mode 100644
index 0000000..cbbb762
--- /dev/null
+++ b/src/sysv/systemd/sssd-pam.socket.in
@@ -0,0 +1,17 @@
+[Unit]
+Description=SSSD PAM Service responder socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+BindsTo=sssd-pam-priv.socket
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r pam
+ListenStream=@pipepath@/pam
+SocketUser=root
+SocketGroup=root
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-secrets.service.in b/src/sysv/systemd/sssd-secrets.service.in
new file mode 100644
index 0000000..a9756ac
--- /dev/null
+++ b/src/sysv/systemd/sssd-secrets.service.in
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSSD Secrets Service responder
+Documentation=man:sssd-secrets(5)
+Requires=sssd-secrets.socket
+After=sssd-secrets.socket
+
+[Install]
+Also=sssd-secrets.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+ExecStart=@libexecdir@/sssd/sssd_secrets --uid 0 --gid 0 ${DEBUG_LOGGER}
diff --git a/src/sysv/systemd/sssd-secrets.socket.in b/src/sysv/systemd/sssd-secrets.socket.in
new file mode 100644
index 0000000..a7c8b0b
--- /dev/null
+++ b/src/sysv/systemd/sssd-secrets.socket.in
@@ -0,0 +1,9 @@
+[Unit]
+Description=SSSD Secrets Service responder socket
+Documentation=man:sssd-secrets(5)
+
+[Socket]
+ListenStream=@runstatedir@/secrets.socket
+
+[Install]
+WantedBy=sockets.target
diff --git a/src/sysv/systemd/sssd-ssh.service.in b/src/sysv/systemd/sssd-ssh.service.in
new file mode 100644
index 0000000..1c18546
--- /dev/null
+++ b/src/sysv/systemd/sssd-ssh.service.in
@@ -0,0 +1,19 @@
+[Unit]
+Description=SSSD SSH Service responder
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+RefuseManualStart=true
+
+[Install]
+Also=sssd-ssh.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_ssh.log
+ExecStart=@libexecdir@/sssd/sssd_ssh ${DEBUG_LOGGER} --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
diff --git a/src/sysv/systemd/sssd-ssh.socket.in b/src/sysv/systemd/sssd-ssh.socket.in
new file mode 100644
index 0000000..4772ef3
--- /dev/null
+++ b/src/sysv/systemd/sssd-ssh.socket.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD SSH Service responder socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r ssh
+ListenStream=@pipepath@/ssh
+SocketUser=@SSSD_USER@
+SocketGroup=@SSSD_USER@
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd-sudo.service.in b/src/sysv/systemd/sssd-sudo.service.in
new file mode 100644
index 0000000..f13d881
--- /dev/null
+++ b/src/sysv/systemd/sssd-sudo.service.in
@@ -0,0 +1,19 @@
+[Unit]
+Description=SSSD Sudo Service responder
+Documentation=man:sssd.conf(5) man:sssd-sudo(5)
+After=sssd.service
+BindsTo=sssd.service
+RefuseManualStart=true
+
+[Install]
+Also=sssd-sudo.socket
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStartPre=-/bin/chown @SSSD_USER@:@SSSD_USER@ @logpath@/sssd_sudo.log
+ExecStart=@libexecdir@/sssd/sssd_sudo --socket-activated
+Restart=on-failure
+User=@SSSD_USER@
+Group=@SSSD_USER@
+PermissionsStartOnly=true
diff --git a/src/sysv/systemd/sssd-sudo.socket.in b/src/sysv/systemd/sssd-sudo.socket.in
new file mode 100644
index 0000000..e94a2f6
--- /dev/null
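Review bot: The ExecStart line in sssd-sudo.service.in omits `${DEBUG_LOGGER}` even though the unit sets `Environment=DEBUG_LOGGER=--logger=files` two lines above it, and the other socket-activated responder units in this patch (autofs, nss, pac, pam, ssh) all pass it. As written the variable has no effect for the sudo responder, so its debug output presumably does not go to the sssd_sudo.log file that the preceding chown prepares, which leaves a gap when reviewing sudo rule lookups. For consistency the line would read `ExecStart=@libexecdir@/sssd/sssd_sudo ${DEBUG_LOGGER} --socket-activated`.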
+++ b/src/sysv/systemd/sssd-sudo.socket.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=SSSD Sudo Service responder socket
+Documentation=man:sssd.conf(5)
+After=sssd.service
+BindsTo=sssd.service
+DefaultDependencies=no
+Conflicts=shutdown.target
+
+[Socket]
+ExecStartPre=@libexecdir@/sssd/sssd_check_socket_activated_responders -r sudo
+ListenStream=@pipepath@/sudo
+SocketUser=@SSSD_USER@
+SocketMode=0660
+
+[Install]
+WantedBy=sssd.service
diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
new file mode 100644
index 0000000..0c515d3
--- /dev/null
+++ b/src/sysv/systemd/sssd.service.in
@@ -0,0 +1,16 @@
+[Unit]
+Description=System Security Services Daemon
+# SSSD must be running before we permit user sessions
+Before=systemd-user-sessions.service nss-user-lookup.target
+Wants=nss-user-lookup.target
+
+[Service]
+Environment=DEBUG_LOGGER=--logger=files
+EnvironmentFile=-@environment_file@
+ExecStart=@sbindir@/sssd -i ${DEBUG_LOGGER}
+Type=notify
+NotifyAccess=main
+PIDFile=@localstatedir@/run/sssd.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/src/tests/ad_ldap_opt-tests.c b/src/tests/ad_ldap_opt-tests.c
new file mode 100644
index 0000000..e9ce9d0
--- /dev/null
+++ b/src/tests/ad_ldap_opt-tests.c
@@ -0,0 +1,109 @@ +/* + SSSD + + Tests if AD and LDAP backend options are in sync + + Authors: + Jakub Hrozek + Stephen Gallagher + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "providers/ad/ad_common.h" +#include "providers/ad/ad_opts.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/ldap_opts.h" +#include "providers/krb5/krb5_opts.h" +#include "providers/krb5/krb5_common.h" +#include "tests/common.h" + +START_TEST(test_compare_opts) +{ + errno_t ret; + + ret = compare_dp_options(default_basic_opts, SDAP_OPTS_BASIC, + ad_def_ldap_opts); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = compare_dp_options(default_krb5_opts, KRB5_OPTS, + ad_def_krb5_opts); + fail_unless(ret == EOK, "[%s]", strerror(ret)); +} +END_TEST + +START_TEST(test_compare_sdap_attrs) +{ + errno_t ret; + + /* General Attributes */ + ret = compare_sdap_attr_maps(generic_attr_map, SDAP_AT_GENERAL, + ad_2008r2_attr_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* User Attributes */ + ret = compare_sdap_attr_maps(rfc2307_user_map, SDAP_OPTS_USER, + ad_2008r2_user_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Group Attributes */ + ret = compare_sdap_attr_maps(rfc2307_group_map, SDAP_OPTS_GROUP, + ad_2008r2_group_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Netgroup Attributes */ + ret = 
compare_sdap_attr_maps(netgroup_map, SDAP_OPTS_NETGROUP, + ad_netgroup_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Service Attributes */ + ret = compare_sdap_attr_maps(service_map, SDAP_OPTS_SERVICES, + ad_service_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); +} +END_TEST + +Suite *ad_ldap_opt_suite (void) +{ + Suite *s = suite_create ("ad_ldap_opt"); + + TCase *tc_ad_ldap_opt = tcase_create ("ad_ldap_opt"); + + tcase_add_test (tc_ad_ldap_opt, test_compare_opts); + tcase_add_test (tc_ad_ldap_opt, test_compare_sdap_attrs); + suite_add_tcase (s, tc_ad_ldap_opt); + + return s; +} + +int main(void) +{ + int number_failed; + + tests_set_cwd(); + + Suite *s = ad_ldap_opt_suite (); + SRunner *sr = srunner_create (s); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/src/tests/auth-tests.c b/src/tests/auth-tests.c new file mode 100644 index 0000000..1d2c7cd --- /dev/null +++ b/src/tests/auth-tests.c 
@@ -0,0 +1,345 @@ +/* + SSSD + + Test for local authentication utilities + + Authors: + Sumit Bose + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "util/util.h" +#include "confdb/confdb.h" +#include "db/sysdb.h" +#include "tests/common.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_FILE "tests_conf.ldb" + +struct sysdb_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; + struct tevent_context *ev; + struct sss_domain_info *domain; +}; + +static int setup_sysdb_tests(struct sysdb_test_ctx **ctx) +{ + struct sysdb_test_ctx *test_ctx; + char *conf_db; + int ret; + + const char *val[2]; + val[1] = NULL; + + /* Create tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + if (ret == -1 && errno != EEXIST) { + fail("Could not create %s directory", TESTS_PATH); + return EFAULT; + } + + test_ctx = talloc_zero(NULL, struct sysdb_test_ctx); + if (test_ctx == NULL) { + fail("Could not allocate memory for test context"); + return ENOMEM; + } + + /* Create an event context + * It will not be used except in confdb_init and sysdb_init + */ + test_ctx->ev = tevent_context_init(test_ctx); + if (test_ctx->ev == NULL) { + fail("Could not create event context"); + talloc_free(test_ctx); + return EIO; + } + 
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); + if (conf_db == NULL) { + fail("Out of memory, aborting!"); + talloc_free(test_ctx); + return ENOMEM; + } + DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db); + + /* Connect to the conf db */ + ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); + if (ret != EOK) { + fail("Could not initialize connection to the confdb"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "LOCAL"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/sssd", "domains", val); + if (ret != EOK) { + fail("Could not initialize domains placeholder"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "local"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "id_provider", val); + if (ret != EOK) { + fail("Could not initialize provider"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "enumerate", val); + if (ret != EOK) { + fail("Could not initialize LOCAL domain"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + if (ret != EOK) { + fail("Could not initialize LOCAL domain"); + talloc_free(test_ctx); + return ret; + } + + ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local", + TESTS_PATH, &test_ctx->domain); + if (ret != EOK) { + fail("Could not initialize connection to the sysdb (%d)", ret); + talloc_free(test_ctx); + return ret; + } + test_ctx->sysdb = test_ctx->domain->sysdb; + + *ctx = test_ctx; + return EOK; +} + +static void do_failed_login_test(uint32_t failed_login_attempts, + time_t last_failed_login, + int offline_failed_login_attempts, + int offline_failed_login_delay, + int expected_result, + int expected_counter, + time_t expected_delay) +{ + struct sysdb_test_ctx *test_ctx = NULL; + int ret; + const char *val[2]; + val[1] = NULL; + struct 
ldb_message *ldb_msg; + uint32_t returned_failed_login_attempts; + time_t delayed_until; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_unless(ret == EOK, "Could not set up the test"); + + val[0] = talloc_asprintf(test_ctx, "%u", offline_failed_login_attempts); + fail_unless(val[0] != NULL, "talloc_sprintf failed"); + ret = confdb_add_param(test_ctx->confdb, true, + "config/pam", CONFDB_PAM_FAILED_LOGIN_ATTEMPTS, val); + fail_unless(ret == EOK, "Could not set offline_failed_login_attempts"); + + val[0] = talloc_asprintf(test_ctx, "%u", offline_failed_login_delay); + ret = confdb_add_param(test_ctx->confdb, true, + "config/pam", CONFDB_PAM_FAILED_LOGIN_DELAY, val); + fail_unless(ret == EOK, "Could not set offline_failed_login_delay"); + + ldb_msg = ldb_msg_new(test_ctx); + fail_unless(ldb_msg != NULL, "ldb_msg_new failed"); + + ret = ldb_msg_add_fmt(ldb_msg, SYSDB_FAILED_LOGIN_ATTEMPTS, "%u", + failed_login_attempts); + fail_unless(ret == EOK, "ldb_msg_add_string failed"); + + ret = ldb_msg_add_fmt(ldb_msg, SYSDB_LAST_FAILED_LOGIN, "%lld", + (long long) last_failed_login); + fail_unless(ret == EOK, "ldb_msg_add_string failed"); + + ret = check_failed_login_attempts(test_ctx->confdb, ldb_msg, + &returned_failed_login_attempts, + &delayed_until); + fail_unless(ret == expected_result, + "check_failed_login_attempts returned wrong error code, " + "expected [%d], got [%d]", expected_result, ret); + + fail_unless(returned_failed_login_attempts == expected_counter, + "check_failed_login_attempts returned wrong number of failed " + "login attempts, expected [%d], got [%d]", + expected_counter, failed_login_attempts); + + fail_unless(delayed_until == expected_delay, + "check_failed_login_attempts wrong delay, " + "expected [%d], got [%d]", + expected_delay, delayed_until); + + talloc_free(test_ctx); +} + +START_TEST(test_failed_login_attempts) +{ + time_t now; + + /* if offline_failed_login_attempts == 0 a login is never denied */ + do_failed_login_test(0, 0, 
0, 5, EOK, 0, -1); + do_failed_login_test(0, time(NULL), 0, 5, EOK, 0, -1); + do_failed_login_test(2, 0, 0, 5, EOK, 2, -1); + do_failed_login_test(2, time(NULL), 0, 5, EOK, 2, -1); + + do_failed_login_test(0, 0, 0, 0, EOK, 0, -1); + do_failed_login_test(0, time(NULL), 0, 0, EOK, 0, -1); + do_failed_login_test(2, 0, 0, 0, EOK, 2, -1); + do_failed_login_test(2, time(NULL), 0, 0, EOK, 2, -1); + + /* if offline_failed_login_attempts != 0 and + * offline_failed_login_delay == 0 a login is denied if the number of + * failed attempts >= offline_failed_login_attempts */ + do_failed_login_test(0, 0, 2, 0, EOK, 0, -1); + do_failed_login_test(0, time(NULL), 2, 0, EOK, 0, -1); + do_failed_login_test(2, 0, 2, 0, ERR_AUTH_DENIED, 2, -1); + do_failed_login_test(2, time(NULL), 2, 0, ERR_AUTH_DENIED, 2, -1); + + /* if offline_failed_login_attempts != 0 and + * offline_failed_login_delay != 0 a login is denied only if the number of + * failed attempts >= offline_failed_login_attempts AND the last failed + * login attempt is not longer than offline_failed_login_delay ago */ + do_failed_login_test(0, 0, 2, 5, EOK, 0, -1); + do_failed_login_test(0, time(NULL), 2, 5, EOK, 0, -1); + do_failed_login_test(2, 0, 2, 5, EOK, 0, -1); + now = time(NULL); + do_failed_login_test(2, now, 2, 5, ERR_AUTH_DENIED, 2, (now + 5 * 60)); + +} +END_TEST + +Suite *auth_suite (void) +{ + Suite *s = suite_create ("auth"); + + TCase *tc_auth = tcase_create ("auth"); + + tcase_add_test (tc_auth, test_failed_login_attempts); + tcase_set_timeout(tc_auth, 60); + + suite_add_tcase (s, tc_auth); + + return s; +} + +static int clean_db_dir(void) +{ + int ret; + + ret = unlink(TESTS_PATH"/"TEST_CONF_FILE); + if (ret != EOK && errno != ENOENT) { + fprintf(stderr, "Could not delete the test config ldb file (%d) (%s)\n", + errno, strerror(errno)); + return ret; + } + + ret = unlink(TESTS_PATH"/"LOCAL_SYSDB_FILE); + if (ret != EOK && errno != ENOENT) { + fprintf(stderr, "Could not delete the test config ldb file (%d) 
(%s)\n", + errno, strerror(errno)); + return ret; + } + + ret = rmdir(TESTS_PATH); + if (ret != EOK && errno != ENOENT) { + fprintf(stderr, "Could not delete the test directory (%d) (%s)\n", + errno, strerror(errno)); + return ret; + } + + return EOK; +} + +int main(int argc, const char *argv[]) +{ + int ret; + int opt; + int failure_count; + poptContext pc; + Suite *s = auth_suite (); + SRunner *sr = srunner_create (s); + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + ret = clean_db_dir(); + if (ret != EOK) { + fprintf(stderr, "Could not delete the db directory (%d) (%s)\n", + errno, strerror(errno)); + return EXIT_FAILURE; + } + + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed (sr); + srunner_free (sr); + if (failure_count == 0) { + ret = clean_db_dir(); + if (ret != EOK) { + fprintf(stderr, "Could not delete the db directory (%d) (%s)\n", + errno, strerror(errno)); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; + } + return EXIT_FAILURE; +} diff --git a/src/tests/check_and_open-tests.c b/src/tests/check_and_open-tests.c new file mode 100644 index 0000000..525e28a --- /dev/null +++ b/src/tests/check_and_open-tests.c 
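Review bot: The failure messages in do_failed_login_test() of src/tests/auth-tests.c have two defects that matter when this lockout test fails. The delay check formats `expected_delay` and `delayed_until`, both time_t, with `%d`, which is a format/argument mismatch wherever time_t is wider than int; the file already uses the safe form for last_failed_login, so `"expected [%lld], got [%lld]", (long long) expected_delay, (long long) delayed_until);` would match it. The counter check prints the input `failed_login_attempts` as the "got" value rather than `returned_failed_login_attempts`, so its last line should be `expected_counter, returned_failed_login_attempts);`. The second `talloc_asprintf` result, for offline_failed_login_delay, is also passed to confdb_add_param without the NULL check the first one gets, and both calls format an int with `%u`.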
@@ -0,0 +1,257 @@ +/* + SSSD + + Utilities tests check_and_open + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "tests/common.h" + +#define SUFFIX ".symlink" + +#define FILENAME_TEMPLATE "check_and_open-tests-XXXXXX" +char *filename; +uid_t uid; +gid_t gid; +mode_t mode; +int fd; + +void setup_check_and_open(void) +{ + int ret; + mode_t old_umask; + + filename = strdup(FILENAME_TEMPLATE); + fail_unless(filename != NULL, "strdup failed"); + + old_umask = umask(SSS_DFL_UMASK); + ret = mkstemp(filename); + umask(old_umask); + fail_unless(ret != -1, "mkstemp failed [%d][%s]", errno, strerror(errno)); + close(ret); + + uid = getuid(); + gid = getgid(); + mode = (S_IRUSR | S_IWUSR); + fd = -1; +} + +void teardown_check_and_open(void) +{ + int ret; + + if (fd != -1) { + ret = close(fd); + fail_unless(ret == 0, "close failed [%d][%s]", errno, strerror(errno)); + } + + fail_unless(filename != NULL, "unknown filename"); + ret = unlink(filename); + free(filename); + fail_unless(ret == 0, "unlink failed [%d][%s]", errno, strerror(errno)); +} + +START_TEST(test_wrong_filename) +{ + int ret; + + ret = check_and_open_readonly("/bla/bla/bla", &fd, + uid, gid, S_IFREG|mode, 0); + fail_unless(ret == ENOENT, + "check_and_open_readonly succeeded on non-existing file"); + fail_unless(fd == -1, 
"check_and_open_readonly file descriptor not -1"); +} +END_TEST + +START_TEST(test_symlink) +{ + int ret; + char *newpath; + size_t newpath_length; + + newpath_length = strlen(filename) + strlen(SUFFIX) + 1; + newpath = malloc((newpath_length) * sizeof(char)); + fail_unless(newpath != NULL, "malloc failed"); + + ret = snprintf(newpath, newpath_length, "%s%s", filename, SUFFIX); + fail_unless(ret == newpath_length - 1, + "snprintf failed: expected [%d] got [%d]", newpath_length -1, + ret); + + ret = symlink(filename, newpath); + fail_unless(ret == 0, "symlink failed [%d][%s]", ret, strerror(errno)); + + ret = check_file(newpath, uid, gid, S_IFREG|mode, 0, NULL, false); + unlink(newpath); + + fail_unless(ret == EINVAL, + "check_and_open_readonly succeeded on symlink"); + free(newpath); +} +END_TEST + +START_TEST(test_follow_symlink) +{ + int ret; + char *newpath; + size_t newpath_length; + + newpath_length = strlen(filename) + strlen(SUFFIX) + 1; + newpath = malloc((newpath_length) * sizeof(char)); + fail_unless(newpath != NULL, "malloc failed"); + + ret = snprintf(newpath, newpath_length, "%s%s", filename, SUFFIX); + fail_unless(ret == newpath_length - 1, + "snprintf failed: expected [%d] got [%d]", newpath_length -1, + ret); + + ret = symlink(filename, newpath); + fail_unless(ret == 0, "symlink failed [%d][%s]", ret, strerror(errno)); + + ret = check_file(newpath, uid, gid, S_IFREG|mode, 0, NULL, true); + unlink(newpath); + + fail_unless(ret == EOK, + "check_and_open_readonly failed on symlink with follow=true"); + free(newpath); +} +END_TEST + +START_TEST(test_not_regular_file) +{ + int ret; + + ret = check_and_open_readonly("/dev/null", &fd, uid, gid, S_IFREG|mode, 0); + fail_unless(ret == EINVAL, + "check_and_open_readonly succeeded on non-regular file"); + fail_unless(fd == -1, "check_and_open_readonly file descriptor not -1"); +} +END_TEST + +START_TEST(test_wrong_uid) +{ + int ret; + + ret = check_and_open_readonly(filename, &fd, uid+1, gid, S_IFREG|mode, 0); 
+ fail_unless(ret == EINVAL, + "check_and_open_readonly succeeded with wrong uid"); + fail_unless(fd == -1, "check_and_open_readonly file descriptor not -1"); +} +END_TEST + +START_TEST(test_wrong_gid) +{ + int ret; + + ret = check_and_open_readonly(filename, &fd, uid, gid+1, S_IFREG|mode, 0); + fail_unless(ret == EINVAL, + "check_and_open_readonly succeeded with wrong gid"); + fail_unless(fd == -1, "check_and_open_readonly file descriptor not -1"); +} +END_TEST + +START_TEST(test_wrong_permission) +{ + int ret; + + ret = check_and_open_readonly(filename, &fd, + uid, gid, S_IFREG|mode|S_IWOTH, 0); + fail_unless(ret == EINVAL, + "check_and_open_readonly succeeded with wrong mode"); + fail_unless(fd == -1, "check_and_open_readonly file descriptor not -1"); +} +END_TEST + +START_TEST(test_ok) +{ + int ret; + + ret = check_and_open_readonly(filename, &fd, uid, gid, S_IFREG|mode, 0); + fail_unless(ret == EOK, + "check_and_open_readonly failed"); + fail_unless(fd >= 0, + "check_and_open_readonly returned illegal file descriptor"); +} +END_TEST + +START_TEST(test_write) +{ + int ret; + ssize_t size; + errno_t my_errno; + + ret = check_and_open_readonly(filename, &fd, uid, gid, S_IFREG|mode, 0); + fail_unless(ret == EOK, + "check_and_open_readonly failed"); + fail_unless(fd >= 0, + "check_and_open_readonly returned illegal file descriptor"); + + size = write(fd, "abc", 3); + my_errno = errno; + fail_unless(size == -1, "check_and_open_readonly file is not readonly"); + fail_unless(my_errno == EBADF, + "write failed for other reason than readonly"); +} +END_TEST + +Suite *check_and_open_suite (void) +{ + Suite *s = suite_create ("check_and_open"); + + TCase *tc_check_and_open_readonly = tcase_create ("check_and_open_readonly"); + tcase_add_checked_fixture (tc_check_and_open_readonly, + setup_check_and_open, + teardown_check_and_open); + tcase_add_test (tc_check_and_open_readonly, test_wrong_filename); + tcase_add_test (tc_check_and_open_readonly, test_not_regular_file); + 
tcase_add_test (tc_check_and_open_readonly, test_symlink); + tcase_add_test (tc_check_and_open_readonly, test_follow_symlink); + tcase_add_test (tc_check_and_open_readonly, test_wrong_uid); + tcase_add_test (tc_check_and_open_readonly, test_wrong_gid); + tcase_add_test (tc_check_and_open_readonly, test_wrong_permission); + tcase_add_test (tc_check_and_open_readonly, test_ok); + tcase_add_test (tc_check_and_open_readonly, test_write); + suite_add_tcase (s, tc_check_and_open_readonly); + + return s; +} + +int main(void) +{ + int number_failed; + + tests_set_cwd(); + + Suite *s = check_and_open_suite (); + SRunner *sr = srunner_create (s); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} + diff --git a/src/tests/cmocka/common_mock.h b/src/tests/cmocka/common_mock.h new file mode 100644 index 0000000..f305e6f --- /dev/null +++ b/src/tests/cmocka/common_mock.h 
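Review bot: `test_symlink` and `test_follow_symlink` call `check_file()`, yet their failure messages name `check_and_open_readonly`, so a regression in symlink handling would be reported against the wrong function. The messages should read `"check_file succeeded on symlink"` and `"check_file failed on symlink with follow=true"`. No test in this file passes a symlink to `check_and_open_readonly` itself, so the symlink behaviour of the descriptor-returning path is not covered here; a case for it needs the expected return value from the implementation, which this hunk does not show. Separately, both tests print `newpath_length -1` (a `size_t`) with `%d`; `%zu` matches the argument type.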
@@ -0,0 +1,56 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ SSSD tests: Common utilities for tests that exercise domains
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __COMMON_MOCK_H_
+#define __COMMON_MOCK_H_
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include
+ * #include
+ * #include
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ */
+#include
+#include
+#include
+#include
+
+#include "tests/common.h"
+
+#define sss_mock_type(type) ((type) mock())
+#define sss_mock_ptr_type(type) ((type) (uintptr_t) mock())
+
+#define sss_will_return_always(fn, value) will_return_count(fn, (value), -1)
+
+enum sss_test_wrapper_call {
+ WRAP_CALL_WRAPPER,
+ WRAP_CALL_REAL
+};
+
+#endif /* __COMMON_MOCK_H_ */
diff --git a/src/tests/cmocka/common_mock_be.c b/src/tests/cmocka/common_mock_be.c
new file mode 100644
index 0000000..a83f0ae
--- /dev/null
+++ b/src/tests/cmocka/common_mock_be.c
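Review bot: The include guard `__COMMON_MOCK_H_` begins with two underscores, a form the C standard reserves for the implementation; `COMMON_MOCK_H_` avoids the clash and matches the guard style of common_mock_sdap.h later in this patch. The same applies to `__COMMON_MOCK_BE_H_`, `__COMMON_MOCK_KRB5_H_` and `__COMMON_MOCK_RESP_H_` in the following headers. The `sss_mock_type` and `sss_mock_ptr_type` macros would also benefit from a one-line comment such as `/* cast the next value queued with will_return() to the given type */`.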
@@ -0,0 +1,39 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests: Fake back end
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "tests/cmocka/common_mock_resp.h"
+
+struct be_ctx *mock_be_ctx(TALLOC_CTX *mem_ctx, struct sss_test_ctx *tctx)
+{
+ struct be_ctx *be_ctx;
+
+ be_ctx = talloc_zero(mem_ctx, struct be_ctx);
+ assert_non_null(be_ctx);
+
+ be_ctx->cdb = tctx->confdb;
+ be_ctx->ev = tctx->ev;
+ be_ctx->domain = tctx->dom;
+ be_ctx->conf_path = tctx->conf_dom_path;
+
+ return be_ctx;
+}
diff --git a/src/tests/cmocka/common_mock_be.h b/src/tests/cmocka/common_mock_be.h
new file mode 100644
index 0000000..3397e02
--- /dev/null
+++ b/src/tests/cmocka/common_mock_be.h
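Review bot: common_mock_be.c does not include its own header: the only includes are `util/util.h` and `tests/cmocka/common_mock_resp.h`, so the definition of `mock_be_ctx` is never compiled against the prototype in common_mock_be.h and a signature drift between the two would go unnoticed. Adding `#include "tests/cmocka/common_mock_be.h"` closes that gap. common_mock_sdap.c later in this patch has the same omission (it includes `tests/cmocka/common_mock.h` but not `tests/cmocka/common_mock_sdap.h`). `tctx` is dereferenced without a check; an `assert_non_null(tctx);` at the top of the function would make the contract explicit.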
@@ -0,0 +1,30 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests: Fake back end
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __COMMON_MOCK_BE_H_
+#define __COMMON_MOCK_BE_H_
+
+#include "tests/cmocka/common_mock.h"
+
+struct be_ctx *mock_be_ctx(TALLOC_CTX *mem_ctx, struct sss_test_ctx *tctx);
+
+#endif /* __COMMON_MOCK_BE_H_ */
diff --git a/src/tests/cmocka/common_mock_krb5.c b/src/tests/cmocka/common_mock_krb5.c
new file mode 100644
index 0000000..e253119
--- /dev/null
+++ b/src/tests/cmocka/common_mock_krb5.c
@@ -0,0 +1,103 @@
+/*
+ Authors:
+ Sumit Bose
+ Jakub Hrozek
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests: Tests keytab utilities
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/sss_krb5.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_krb5.h"
+
+int mock_keytab(krb5_context kctx,
+ const char *kt_path,
+ krb5_keytab_entry *kt_keys,
+ size_t nkeys)
+{
+ krb5_error_code kerr;
+ krb5_keytab keytab;
+ size_t n;
+
+ kerr = krb5_kt_resolve(kctx, kt_path, &keytab);
+ assert_int_equal(kerr, 0);
+
+ for (n = 0; n < nkeys; n++) {
+ kerr = krb5_kt_add_entry(kctx, keytab, &kt_keys[n]);
+ assert_int_equal(kerr, 0);
+ }
+
+ kerr = krb5_kt_close(kctx, keytab);
+ assert_int_equal(kerr, 0);
+
+ return EOK;
+}
+
+void mock_krb5_keytab_entry(krb5_keytab_entry *kent,
+ krb5_principal principal,
+ krb5_timestamp timestamp,
+ krb5_kvno vno,
+ krb5_enctype enctype,
+ const char *key)
+{
+ memset(kent, 0, sizeof(krb5_keytab_entry));
+
+ kent->magic = KV5M_KEYTAB_ENTRY;
+ kent->principal = principal;
+ kent->timestamp = timestamp;
+ kent->vno = vno;
+ kent->key.magic = KV5M_KEYBLOCK;
+ kent->key.enctype = enctype;
+ kent->key.length = strlen(key) - 1;
+ kent->key.contents = (krb5_octet *) discard_const(key);
+}
+
+int mock_keytab_with_contents(TALLOC_CTX *mem_ctx,
+ const char *keytab_path,
+ const char *keytab_princ)
+{
+ krb5_context kctx;
+ krb5_principal principal;
+ krb5_error_code kerr;
+ size_t nkeys = 2;
+ krb5_keytab_entry keys[nkeys];
+ char *keytab_file_name;
+
+ kerr = krb5_init_context(&kctx);
+ assert_int_equal(kerr, 0);
+
+ keytab_file_name = talloc_asprintf(mem_ctx, "FILE:%s", keytab_path);
+ assert_non_null(keytab_file_name);
+
+ kerr = krb5_parse_name(kctx, keytab_princ, &principal);
+ assert_int_equal(kerr, 0);
+
+ memset(&keys, nkeys, nkeys * sizeof(krb5_keytab_entry));
+
+ mock_krb5_keytab_entry(&keys[0], principal, 12345, 1, 1, "11");
+ mock_krb5_keytab_entry(&keys[1], principal, 12345, 1, 2, "12");
+
+ kerr = mock_keytab(kctx, keytab_file_name, keys, nkeys);
+ assert_int_equal(kerr, 0);
+
+ krb5_free_principal(kctx, principal);
+ krb5_free_context(kctx);
+ talloc_free(keytab_file_name);
+
+ return 0;
+}
diff --git a/src/tests/cmocka/common_mock_krb5.h b/src/tests/cmocka/common_mock_krb5.h
new file mode 100644
index 0000000..5d7247b
--- /dev/null
+++ b/src/tests/cmocka/common_mock_krb5.h
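Review bot: In `mock_krb5_keytab_entry`, `kent->key.length = strlen(key) - 1;` records one byte fewer than the string holds, and for an empty `key` the subtraction wraps to a very large unsigned length that the later `krb5_kt_add_entry` call would presumably use when copying the key. If dropping the last byte is intended it needs a comment saying so; otherwise use `kent->key.length = strlen(key);`, or at least guard with `assert_true(key[0] != '\0');` before the subtraction. In `mock_keytab_with_contents`, `memset(&keys, nkeys, nkeys * sizeof(krb5_keytab_entry));` passes `nkeys` as the fill byte, so the array is filled with 0x02 rather than zeroed; `memset(keys, 0, sizeof(keys));` is presumably what was meant. That second point is harmless today because `mock_krb5_keytab_entry` zeroes each entry again.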
@@ -0,0 +1,47 @@ +/* + Authors: + Sumit Bose + Jakub Hrozek + + Copyright (C) 2015 Red Hat + + SSSD tests: Tests keytab utilities + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __COMMON_MOCK_KRB5_H_ +#define __COMMON_MOCK_KRB5_H_ + +#include "util/sss_krb5.h" +#include "tests/cmocka/common_mock.h" + +void mock_krb5_keytab_entry(krb5_keytab_entry *kent, + krb5_principal principal, + krb5_timestamp timestamp, + krb5_kvno vno, + krb5_enctype enctype, + const char *key); + +int mock_keytab(krb5_context kctx, + const char *kt_path, + krb5_keytab_entry *kt_keys, + size_t nkeys); + +/* Dummy keys with user-selected principal */ +int mock_keytab_with_contents(TALLOC_CTX *mem_ctx, + const char *keytab_path, + const char *keytab_princ); + +#endif /* __COMMON_MOCK_KRB5_H_ */ diff --git a/src/tests/cmocka/common_mock_resp.c b/src/tests/cmocka/common_mock_resp.c new file mode 100644 index 0000000..175101f --- /dev/null +++ b/src/tests/cmocka/common_mock_resp.c 
@@ -0,0 +1,92 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: Common utilities for tests that exercise domains + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "tests/cmocka/common_mock_resp.h" + +/* Mock a responder context */ +struct resp_ctx * +mock_rctx(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sss_domain_info *domains, + void *pvt_ctx) +{ + struct resp_ctx *rctx; + errno_t ret; + + rctx = talloc_zero(mem_ctx, struct resp_ctx); + if (!rctx) return NULL; + + ret = sss_hash_create(rctx, 30, &rctx->dp_request_table); + if (ret != EOK) { + talloc_free(rctx); + return NULL; + } + + ret = sss_ncache_init(rctx, 10, 0, &rctx->ncache); + if (ret != EOK) { + talloc_free(rctx); + return NULL; + } + + rctx->ev = ev; + rctx->domains = domains; + rctx->pvt_ctx = pvt_ctx; + if (domains != NULL) { + ret = sss_resp_populate_cr_domains(rctx); + if (ret != EOK) { + return NULL; + } + } + return rctx; +} + +/* Mock a client context */ +struct cli_ctx * +mock_cctx(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx) +{ + struct cli_ctx *cctx; + + cctx = talloc_zero(mem_ctx, struct cli_ctx); + if (!cctx) return NULL; + + cctx->rctx = rctx; + cctx->ev = rctx->ev; + return cctx; +} + +struct cli_protocol * +mock_prctx(TALLOC_CTX *mem_ctx) +{ + struct cli_protocol *prctx; + + prctx = talloc_zero(mem_ctx, struct cli_protocol); + if (!prctx) return NULL; + + 
prctx->creq = talloc_zero(prctx, struct cli_request); + if (prctx->creq == NULL) { + talloc_free(prctx); + return NULL; + } + + return prctx; +} diff --git a/src/tests/cmocka/common_mock_resp.h b/src/tests/cmocka/common_mock_resp.h new file mode 100644 index 0000000..aab6a94 --- /dev/null +++ b/src/tests/cmocka/common_mock_resp.h 
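Review bot: In `mock_rctx`, the failure branch after `sss_resp_populate_cr_domains(rctx)` returns NULL without freeing `rctx`, unlike the two earlier error paths, so the half-built context with its request table and negative cache stays attached to `mem_ctx`. Add `talloc_free(rctx);` before that `return NULL;`. `mock_cctx` reads `rctx->ev` unconditionally; a comment on it such as `/* rctx must be non-NULL */` would document the contract the code already relies on.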
@@ -0,0 +1,67 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: Common utilities for tests that exercise domains + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __COMMON_MOCK_RESP_H_ +#define __COMMON_MOCK_RESP_H_ + +#include "util/util.h" +#include "responder/common/responder.h" +#include "tests/cmocka/common_mock.h" + +/* Mock a responder context */ +struct resp_ctx * +mock_rctx(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sss_domain_info *domains, + void *pvt_ctx); + +/* Mock a client context */ +struct cli_ctx * +mock_cctx(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx); + +struct cli_protocol * +mock_prctx(TALLOC_CTX *mem_ctx); + +/* When mocking a module that calls sss_dp_get_account_{send,recv} + * requests, your test, when linked against this module, will call + * the mock functions instead. Then you can simulate results of the + * sss_dp_get_account_recv call by calling mock_account_recv. + * + * The mocked sss_sp_get_account_recv shall return the return values + * given with parameters dp_err, dp_ret and msg and optionally also call + * the acct_cb_t callback, if given with the pvt pointer as user data. + * The callback can for instance populate the cache, thus simulating + * Data Provider lookup. + * + * There is also even simpler wrapper called mock_account_recv_simple + * that just finishes the account request with a success. 
+ */ +typedef int (*acct_cb_t)(void *); + +void mock_account_recv(uint16_t dp_err, uint32_t dp_ret, char *msg, + acct_cb_t acct_cb, void *pvt); + +void mock_account_recv_simple(void); + +void mock_parse_inp(const char *name, const char *domname, errno_t ret); + +#endif /* __COMMON_MOCK_RESP_H_ */ diff --git a/src/tests/cmocka/common_mock_resp_dp.c b/src/tests/cmocka/common_mock_resp_dp.c new file mode 100644 index 0000000..a852575 --- /dev/null +++ b/src/tests/cmocka/common_mock_resp_dp.c 
@@ -0,0 +1,204 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: Fake Data Provider requests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "responder/common/responder.h" +#include "tests/cmocka/common_mock_resp.h" + +/* Mock DP requests that finish immediately and return + * mocked values as per previous set by mock_account_recv + */ +struct tevent_req * +sss_dp_get_account_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + enum sss_dp_acct_type type, + const char *opt_name, + uint32_t opt_id, + const char *extra) +{ + return test_req_succeed_send(mem_ctx, rctx->ev); +} + + +errno_t +sss_dp_get_account_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + acct_cb_t cb; + + *dp_err = sss_mock_type(dbus_uint16_t); + *dp_ret = sss_mock_type(dbus_uint32_t); + *err_msg = sss_mock_ptr_type(char *); + + cb = sss_mock_ptr_type(acct_cb_t); + if (cb) { + (cb)(sss_mock_ptr_type(void *)); + } + + return test_request_recv(req); +} + +struct tevent_req * +sss_dp_get_ssh_host_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + const char *name, + const char *alias) +{ + return test_req_succeed_send(mem_ctx, rctx->ev); +} + + +errno_t +sss_dp_get_ssh_host_recv(TALLOC_CTX *mem_ctx, + struct 
tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + acct_cb_t cb; + + *dp_err = sss_mock_type(dbus_uint16_t); + *dp_ret = sss_mock_type(dbus_uint32_t); + *err_msg = sss_mock_ptr_type(char *); + + cb = sss_mock_ptr_type(acct_cb_t); + if (cb) { + (cb)(sss_mock_ptr_type(void *)); + } + + return test_request_recv(req); +} + +errno_t +sss_dp_req_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + dbus_uint16_t *dp_err, + dbus_uint32_t *dp_ret, + char **err_msg) +{ + acct_cb_t cb; + + *dp_err = sss_mock_type(dbus_uint16_t); + *dp_ret = sss_mock_type(dbus_uint32_t); + *err_msg = sss_mock_ptr_type(char *); + + cb = sss_mock_ptr_type(acct_cb_t); + if (cb) { + (cb)(sss_mock_ptr_type(void *)); + } + + return test_request_recv(req); +} + +void mock_account_recv(uint16_t dp_err, uint32_t dp_ret, char *msg, + acct_cb_t acct_cb, void *pvt) +{ + will_return(sss_dp_req_recv, dp_err); + will_return(sss_dp_req_recv, dp_ret); + will_return(sss_dp_req_recv, msg); + + will_return(sss_dp_req_recv, acct_cb); + if (acct_cb) { + will_return(sss_dp_req_recv, pvt); + } +} + +void mock_account_recv_simple(void) +{ + return mock_account_recv(0, 0, NULL, NULL, NULL); +} + +struct tevent_req * +sss_parse_inp_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + const char *default_domain, + const char *rawinp) +{ + return test_req_succeed_send(mem_ctx, rctx->ev); +} + +errno_t sss_parse_inp_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + char **_name, char **_domname) +{ + *_name = sss_mock_ptr_type(char *); + *_domname = sss_mock_ptr_type(char *); + + return sss_mock_type(errno_t); +} + +void mock_parse_inp(const char *name, const char *domname, errno_t ret) +{ + will_return(sss_parse_inp_recv, name); + will_return(sss_parse_inp_recv, domname); + will_return(sss_parse_inp_recv, ret); +} + +/* Mock subdomain requests */ +struct tevent_req * +sss_dp_get_domains_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + bool force, + const char *hint) +{ + 
errno_t ret; + ret = sss_resp_populate_cr_domains(rctx); + if (ret != EOK) { + return NULL; + } + + return test_req_succeed_send(mem_ctx, rctx->ev); +} + +errno_t sss_dp_get_domains_recv(struct tevent_req *req) +{ + return test_request_recv(req); +} + +struct tevent_req * +sss_dp_get_account_domain_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *domain, + enum sss_dp_acct_type type, + uint32_t opt_id) +{ + return test_req_succeed_send(mem_ctx, rctx->ev); +} + +errno_t sss_dp_get_account_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_domain) +{ + errno_t ret; + + ret = sss_mock_type(errno_t); + if (ret == EOK) { + *_domain = sss_mock_ptr_type(char *); + } + return ret; +} diff --git a/src/tests/cmocka/common_mock_sdap.c b/src/tests/cmocka/common_mock_sdap.c new file mode 100644 index 0000000..fa4787c --- /dev/null +++ b/src/tests/cmocka/common_mock_sdap.c 
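Review bot: `mock_account_recv` queues its values with `will_return(sss_dp_req_recv, ...)`, but `sss_dp_get_account_recv` and `sss_dp_get_ssh_host_recv` in this file read from their own queues through `sss_mock_type`/`sss_mock_ptr_type`, and no helper in this hunk fills those. The comment in common_mock_resp.h says `mock_account_recv` simulates the result of `sss_dp_get_account_recv`, so either the helper should queue for that function too or the comment should name `sss_dp_req_recv`; which is right depends on callers outside this hunk. `mock_account_recv_simple` also writes `return mock_account_recv(0, 0, NULL, NULL, NULL);` in a `void` function; dropping the `return` keeps it within ISO C.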
@@ -0,0 +1,139 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap.h" +#include "tests/cmocka/common_mock.h" + +struct sdap_id_ctx *mock_sdap_id_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_options *sdap_opts) +{ + struct sdap_id_ctx *sdap_id_ctx; + + sdap_id_ctx = talloc_zero(mem_ctx, struct sdap_id_ctx); + assert_non_null(sdap_id_ctx); + + sdap_id_ctx->be = be_ctx; + sdap_id_ctx->opts = sdap_opts; + + return sdap_id_ctx; +} + +struct sdap_options *mock_sdap_options_ldap(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct confdb_ctx *confdb_ctx, + const char *conf_path) +{ + struct sdap_options *opts = NULL; + errno_t ret; + + ret = ldap_get_options(mem_ctx, domain, confdb_ctx, conf_path, NULL, &opts); + if (ret != EOK) { + return NULL; + } + + return opts; +} + +struct sdap_handle *mock_sdap_handle(TALLOC_CTX *mem_ctx) +{ + struct sdap_handle *handle = talloc_zero(mem_ctx, struct sdap_handle); + + /* we will never connect to any LDAP server and any sdap API that + * access sdap_handle should be mocked, thus returning empty structure + * is enough */ + + return handle; +} + +/* + * Mock sdap_async.c + * + * Every function that is placed in sdap_async.c module has to be mocked, + * to avoid any attempt to communicate 
with remote servers. Therefore no test + * can be compiled with sdap_async.c. If any of these functions is needed, + * their mock equivalent shall be used. + */ + +bool sdap_has_deref_support(struct sdap_handle *sh, struct sdap_options *opts) +{ + return sss_mock_type(bool); +} + +struct tevent_req *sdap_get_generic_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *search_base, + int scope, + const char *filter, + const char **attrs, + struct sdap_attr_map *map, + int map_num_attrs, + int timeout, + bool allow_paging) +{ + return test_req_succeed_send(mem_ctx, ev); +} + +int sdap_get_generic_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sysdb_attrs ***reply) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + *reply_count = sss_mock_type(size_t); + *reply = sss_mock_ptr_type(struct sysdb_attrs **); + + return sss_mock_type(int); +} + +struct tevent_req * sdap_deref_search_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sdap_options *opts, + struct sdap_handle *sh, + const char *base_dn, + const char *deref_attr, + const char **attrs, + int num_maps, + struct sdap_attr_map_info *maps, + int timeout) +{ + return test_req_succeed_send(mem_ctx, ev); +} + +int sdap_deref_search_recv(struct tevent_req *req, + TALLOC_CTX *mem_ctx, + size_t *reply_count, + struct sdap_deref_attrs ***reply) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + *reply_count = sss_mock_type(size_t); + *reply = talloc_steal(mem_ctx, + sss_mock_ptr_type(struct sdap_deref_attrs **)); + + return EOK; +} diff --git a/src/tests/cmocka/common_mock_sdap.h b/src/tests/cmocka/common_mock_sdap.h new file mode 100644 index 0000000..747287d --- /dev/null +++ b/src/tests/cmocka/common_mock_sdap.h 
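Review bot: `mock_sdap_handle` returns the result of `talloc_zero` unchecked, while `mock_sdap_id_ctx` above it uses `assert_non_null`; add `assert_non_null(handle);` before the return so an allocation failure stops the test at the mock rather than inside the code under test. `sdap_get_generic_recv` hands back the queued `reply` pointer without reparenting it, whereas `sdap_deref_search_recv` uses `talloc_steal(mem_ctx, ...)`. If callers free `mem_ctx` and expect the reply to go with it, the first should become `*reply = talloc_steal(mem_ctx, sss_mock_ptr_type(struct sysdb_attrs **));`; this is worth confirming against the tests that queue these values, which are not in this hunk.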
@@ -0,0 +1,40 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef COMMON_MOCK_SDAP_H_ +#define COMMON_MOCK_SDAP_H_ + +#include + +#include "util/util.h" +#include "providers/ldap/sdap.h" + +struct sdap_options *mock_sdap_options_ldap(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + struct confdb_ctx *confdb_ctx, + const char *conf_path); + +struct sdap_id_ctx *mock_sdap_id_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sdap_options *sdap_opts); + +struct sdap_handle *mock_sdap_handle(TALLOC_CTX *mem_ctx); + +#endif /* COMMON_MOCK_SDAP_H_ */ diff --git a/src/tests/cmocka/common_mock_sysdb_objects.c b/src/tests/cmocka/common_mock_sysdb_objects.c new file mode 100644 index 0000000..5dc9e4e --- /dev/null +++ b/src/tests/cmocka/common_mock_sysdb_objects.c 
@@ -0,0 +1,203 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "db/sysdb.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_sysdb_objects.h" + +enum sysdb_attr_type { + SYSDB_ATTR_TYPE_BOOL, + SYSDB_ATTR_TYPE_LONG, + SYSDB_ATTR_TYPE_UINT32, + SYSDB_ATTR_TYPE_TIME, + SYSDB_ATTR_TYPE_STRING +}; + +static enum sysdb_attr_type +get_attr_type(const char *attr) +{ + /* Most attributes in sysdb are strings. Since this is only for the purpose + * of unit tests, we can safe ourselves some time and handle all attributes + * that are not listed amongst other types as string instead of invalid + * or unknown. 
+ */ + + static const char *table_bool[] = { + SYSDB_POSIX, + NULL + }; + + static const char *table_long[] = { + NULL + }; + + static const char *table_uint32[] = { + SYSDB_UIDNUM, SYSDB_GIDNUM, + NULL + }; + + static const char *table_time[] = { + SYSDB_CACHE_EXPIRE, + NULL + }; + + static const char **tables[SYSDB_ATTR_TYPE_STRING] = { + table_bool, table_long, table_uint32, table_time + }; + + enum sysdb_attr_type type; + int i; + + for (type = 0; type < SYSDB_ATTR_TYPE_STRING; type++) { + for (i = 0; tables[type][i] != NULL; i++) { + if (strcmp(attr, tables[type][i]) == 0) { + return type; + } + } + } + + /* we didn't find the attribute, consider it as string */ + return SYSDB_ATTR_TYPE_STRING; +} + +static errno_t +fill_attrs(struct sysdb_attrs *attrs, va_list in_ap) +{ + va_list ap; + const char *attr = NULL; + errno_t ret; + + va_copy(ap, in_ap); + while ((attr = va_arg(ap, const char *)) != NULL) { + switch (get_attr_type(attr)) { + case SYSDB_ATTR_TYPE_STRING: + ret = sysdb_attrs_add_string(attrs, attr, va_arg(ap, const char *)); + break; + case SYSDB_ATTR_TYPE_BOOL: + /* _Bool is implicitly promoted to int in variadic functions */ + ret = sysdb_attrs_add_bool(attrs, attr, va_arg(ap, int)); + break; + case SYSDB_ATTR_TYPE_LONG: + ret = sysdb_attrs_add_long(attrs, attr, va_arg(ap, long int)); + break; + case SYSDB_ATTR_TYPE_UINT32: + ret = sysdb_attrs_add_uint32(attrs, attr, va_arg(ap, uint32_t)); + break; + case SYSDB_ATTR_TYPE_TIME: + ret = sysdb_attrs_add_time_t(attrs, attr, va_arg(ap, time_t)); + break; + } + + if (ret != EOK) { + return ret; + } + } + va_end(ap); + + return EOK; +} + +struct sysdb_attrs * +_mock_sysdb_object(TALLOC_CTX *mem_ctx, + const char *base_dn, + const char *name, + ...) 
+{ + va_list ap; + struct sysdb_attrs *attrs = NULL; + char *orig_dn = NULL; + errno_t ret; + + attrs = sysdb_new_attrs(mem_ctx); + if (attrs == NULL) { + goto fail; + } + + orig_dn = talloc_asprintf(attrs, "cn=%s,%s", name, base_dn); + if (orig_dn == NULL) { + goto fail; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, orig_dn); + if (ret != EOK) { + goto fail; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, name); + if (ret != EOK) { + goto fail; + } + + va_start(ap, name); + ret = fill_attrs(attrs, ap); + va_end(ap); + + if (ret != EOK) { + goto fail; + } + + talloc_free(orig_dn); + return attrs; + +fail: + talloc_free(attrs); + return NULL; +} + +struct sysdb_attrs * +mock_sysdb_group_rfc2307bis(TALLOC_CTX *mem_ctx, + const char *base_dn, + gid_t gid, + const char *name, + const char **members) +{ + struct sysdb_attrs *attrs = NULL; + errno_t ret; + int i; + + attrs = mock_sysdb_object(mem_ctx, base_dn, name, + SYSDB_GIDNUM, gid); + if (attrs == NULL) { + return NULL; + } + + if (members != NULL) { + for (i = 0; members[i] != NULL; i++) { + ret = sysdb_attrs_add_string(attrs, SYSDB_MEMBER, members[i]); + if (ret != EOK) { + talloc_zfree(attrs); + return NULL; + } + } + } + + return attrs; +} + +struct sysdb_attrs * +mock_sysdb_user(TALLOC_CTX *mem_ctx, + const char *base_dn, + uid_t uid, + const char *name) +{ + return mock_sysdb_object(mem_ctx, base_dn, name, + SYSDB_UIDNUM, uid); +} diff --git a/src/tests/cmocka/common_mock_sysdb_objects.h b/src/tests/cmocka/common_mock_sysdb_objects.h new file mode 100644 index 0000000..2d00a3f --- /dev/null +++ b/src/tests/cmocka/common_mock_sysdb_objects.h 
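Review bot: `fill_attrs` calls `va_copy(ap, in_ap)`, but the early `return ret;` inside the loop leaves the function without the matching `va_end(ap)` that the C standard requires for every `va_copy`; add `va_end(ap);` before that return. The `switch` on `get_attr_type(attr)` has no `default`, so `ret` would be read uninitialised if the enum ever gains a value; `default: ret = EINVAL; break;` closes that. The uint32 and time cases read `va_arg(ap, uint32_t)` and `va_arg(ap, time_t)`, so callers must pass exactly those types (`mock_sysdb_user` passes a `uid_t`, `mock_sysdb_group_rfc2307bis` a `gid_t`), which deserves a comment on `_mock_sysdb_object`.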
@@ -0,0 +1,51 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef COMMON_MOCK_SYSDB_OBJECTS_H_
+#define COMMON_MOCK_SYSDB_OBJECTS_H_
+
+#include
+
+#include "util/util.h"
+#include "providers/ldap/sdap.h"
+
+struct sysdb_attrs *
+_mock_sysdb_object(TALLOC_CTX *mem_ctx,
+ const char *base_dn,
+ const char *name,
+ ...);
+
+#define mock_sysdb_object(mem_ctx, base_dn, name, ...) \
+ _mock_sysdb_object(mem_ctx, base_dn, name, ##__VA_ARGS__, NULL)
+
+struct sysdb_attrs *
+mock_sysdb_group_rfc2307bis(TALLOC_CTX *mem_ctx,
+ const char *base_dn,
+ gid_t gid,
+ const char *name,
+ const char **members);
+
+struct sysdb_attrs *
+mock_sysdb_user(TALLOC_CTX *mem_ctx,
+ const char *base_dn,
+ uid_t uid,
+ const char *name);
+
+#endif /* COMMON_MOCK_SYSDB_OBJECTS_H_ */
diff --git a/src/tests/cmocka/data_provider/mock_dp.c b/src/tests/cmocka/data_provider/mock_dp.c
new file mode 100644
index 0000000..387faa9
--- /dev/null
+++ b/src/tests/cmocka/data_provider/mock_dp.c
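Review bot: The variadic contract of `mock_sysdb_object()` is undocumented in this header, and a caller that gets it wrong has undefined behaviour rather than a compile error. The implementation in common_mock_sysdb_objects.c picks the `va_arg` type from the attribute name (`uint32_t` for `SYSDB_UIDNUM`/`SYSDB_GIDNUM`, `int` for `SYSDB_POSIX`, `time_t` for `SYSDB_CACHE_EXPIRE`, `const char *` otherwise), so each value has to be passed with exactly that type. I would add a comment above the macro along the lines of `/* Extra arguments are (const char *attr, value) pairs; the value type is chosen by attribute name, see get_attr_type(). The macro appends the terminating NULL. */`. The name `_mock_sysdb_object` also starts with an underscore at file scope, which C reserves for the implementation.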
@@ -0,0 +1,121 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "providers/backend.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp.h"
+#include "tests/cmocka/common_mock.h"
+
+static struct dp_method *mock_dp_methods(TALLOC_CTX *mem_ctx)
+{
+ struct dp_method *methods;
+
+ methods = talloc_zero_array(mem_ctx, struct dp_method,
+ DP_METHOD_SENTINEL + 1);
+ assert_non_null(methods);
+
+ return methods;
+}
+
+static struct dp_target **mock_dp_targets(TALLOC_CTX *mem_ctx)
+{
+ struct dp_target **targets;
+ enum dp_targets type;
+
+ targets = talloc_zero_array(mem_ctx, struct dp_target *,
+ DP_TARGET_SENTINEL + 1);
+ assert_non_null(targets);
+
+ for (type = 0; type != DP_TARGET_SENTINEL; type++) {
+ targets[type] = talloc_zero(targets, struct dp_target);
+ assert_non_null(targets[type]);
+
+ targets[type]->name = dp_target_to_string(type);
+ targets[type]->module_name = "test-module";
+ targets[type]->module = NULL;
+ targets[type]->methods = mock_dp_methods(targets[type]);
+ targets[type]->initialized = true;
+ }
+
+ return targets;
+}
+
+struct data_provider *mock_dp(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx)
+{
+ struct data_provider *provider;
+
+ provider = talloc_zero(mem_ctx, struct data_provider);
+ assert_non_null(provider);
+
+ provider->ev = be_ctx->ev;
+ provider->be_ctx = be_ctx;
+ provider->terminating = false;
+ provider->requests.index = 0;
+ provider->requests.num_active = 0;
+ provider->requests.active = NULL;
+ provider->targets = mock_dp_targets(provider);
+ provider->modules = NULL;
+
+ be_ctx->provider = provider;
+
+ return provider;
+}
+
+struct dp_method *mock_dp_get_methods(struct data_provider *provider,
+ enum dp_targets target)
+{
+ struct dp_method *methods;
+
+ assert_non_null(provider);
+ assert_non_null(provider->targets);
+ assert_non_null(provider->targets[target]);
+
+ methods = provider->targets[target]->methods;
+ assert_non_null(methods);
+
+ return methods;
+}
+
+struct dp_req_params *mock_dp_req_params(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ enum dp_targets target,
+ enum dp_methods method)
+{
+ struct dp_req_params *params;
+
+ params = talloc_zero(mem_ctx, struct dp_req_params);
+ if (params == NULL) {
+ return NULL;
+ }
+
+ params->ev = ev;
+ params->be_ctx = be_ctx;
+ params->domain = domain;
+ params->target = target;
+ params->method = method;
+
+ return params;
+}
diff --git a/src/tests/cmocka/data_provider/mock_dp.h b/src/tests/cmocka/data_provider/mock_dp.h
new file mode 100644
index 0000000..c583783
--- /dev/null
+++ b/src/tests/cmocka/data_provider/mock_dp.h
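Review bot: `mock_dp_get_methods()` indexes `provider->targets[target]` before checking that `target` is in range, so a value above `DP_TARGET_SENTINEL` reads past the array that `mock_dp_targets()` allocated. An `assert_true(target < DP_TARGET_SENTINEL);` ahead of the `assert_non_null(provider->targets[target]);` line would turn that into a test failure instead of an out-of-bounds read. `mock_dp()` similarly dereferences `be_ctx->ev` with no `assert_non_null(be_ctx);`, and `mock_dp_req_params()` returns NULL on allocation failure while every other helper in the file asserts; settling on one convention would make the callers' obligations clearer.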
@@ -0,0 +1,42 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _MOCK_DP_H_
+#define _MOCK_DP_H_
+
+#include
+
+#include "providers/backend.h"
+#include "providers/data_provider/dp_private.h"
+
+struct data_provider *mock_dp(TALLOC_CTX *mem_ctx,
+ struct be_ctx *be_ctx);
+
+struct dp_method *mock_dp_get_methods(struct data_provider *provider,
+ enum dp_targets target);
+
+struct dp_req_params *mock_dp_req_params(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct sss_domain_info *domain,
+ enum dp_targets target,
+ enum dp_methods method);
+
+#endif /* _MOCK_DP_H_ */
diff --git a/src/tests/cmocka/data_provider/test_dp_builtin.c b/src/tests/cmocka/data_provider/test_dp_builtin.c
new file mode 100644
index 0000000..e0a727c
--- /dev/null
+++ b/src/tests/cmocka/data_provider/test_dp_builtin.c
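Review bot: The include guard `_MOCK_DP_H_` begins with an underscore followed by an upper-case letter, a form of identifier that C reserves for the implementation. The sibling header added in this commit uses `COMMON_MOCK_SYSDB_OBJECTS_H_`; `MOCK_DP_H_` here would match it. The prototypes also carry no comments: it is worth stating that `mock_dp()` stores the new provider in `be_ctx->provider` and that `mock_dp_req_params()` can return NULL, both of which are visible in mock_dp.c.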
@@ -0,0 +1,191 @@
+/*
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "providers/backend.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp_builtin.h"
+#include "providers/data_provider/dp.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+#include "tests/cmocka/common_mock_be.h"
+#include "tests/cmocka/data_provider/mock_dp.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_dp_request.ldb"
+#define TEST_DOM_NAME "dp_request_test"
+#define TEST_ID_PROVIDER "ldap"
+
+struct test_ctx {
+ struct sss_test_ctx *tctx;
+ struct be_ctx *be_ctx;
+ struct dp_req_params *params;
+};
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx;
+
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, NULL);
+ assert_non_null(test_ctx->tctx);
+
+ test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx);
+ assert_non_null(test_ctx->be_ctx);
+
+ test_ctx->params = mock_dp_req_params(test_ctx, test_ctx->be_ctx->ev,
+ test_ctx->be_ctx, NULL,
+ DPT_ID, DPM_ACCOUNT_HANDLER);
+ assert_non_null(test_ctx->params);
+
+ check_leaks_push(test_ctx);
+
+ *state = test_ctx;
+
+ return 0;
+}
+
+static int test_teardown(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_deny_handler(void **state)
+{
+ errno_t ret;
+ struct test_ctx *test_ctx;
+ struct tevent_req *req;
+ struct pam_data *pd;
+ struct pam_data *out_pd;
+
+ test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ pd = talloc_zero(test_ctx, struct pam_data);
+ assert_non_null(pd);
+
+ req = dp_access_deny_handler_send(test_ctx, NULL, pd, test_ctx->params);
+ assert_non_null(req);
+
+ tevent_loop_wait(test_ctx->tctx->ev);
+
+ ret = dp_access_deny_handler_recv(test_ctx, req, &out_pd);
+ assert_int_equal(ret, EOK);
+ assert_ptr_equal(pd, out_pd);
+ assert_int_equal(pd->pam_status, PAM_PERM_DENIED);
+
+ talloc_free(req);
+ talloc_free(pd);
+}
+
+static void test_permit_handler(void **state)
+{
+ errno_t ret;
+ struct test_ctx *test_ctx;
+ struct tevent_req *req;
+ struct pam_data *pd;
+ struct pam_data *out_pd;
+
+ test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ pd = talloc_zero(test_ctx, struct pam_data);
+ assert_non_null(pd);
+
+ req = dp_access_permit_handler_send(test_ctx, NULL, pd, test_ctx->params);
+ assert_non_null(req);
+
+ tevent_loop_wait(test_ctx->tctx->ev);
+
+ ret = dp_access_permit_handler_recv(test_ctx, req, &out_pd);
+ assert_int_equal(ret, EOK);
+ assert_ptr_equal(pd, out_pd);
+ assert_int_equal(pd->pam_status, PAM_SUCCESS);
+
+ talloc_free(req);
+ talloc_free(pd);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ int no_cleanup = 0;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_permit_handler,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_deny_handler,
+ test_setup,
+ test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+
+ return rv;
+}
diff --git a/src/tests/cmocka/data_provider/test_dp_request.c b/src/tests/cmocka/data_provider/test_dp_request.c
new file mode 100644
index 0000000..77b909b
--- /dev/null
+++ b/src/tests/cmocka/data_provider/test_dp_request.c
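Review bot: `test_permit_handler` cannot tell a handler that sets `pd->pam_status` from one that never touches it, because `pd` comes from `talloc_zero()` and `PAM_SUCCESS` is 0 in Linux-PAM. Seeding the field before the send, e.g. `pd->pam_status = PAM_SYSTEM_ERR;`, makes the final `assert_int_equal(pd->pam_status, PAM_SUCCESS)` prove that the permit handler actually wrote the access decision; the same line in `test_deny_handler` costs nothing and keeps the two tests symmetric. Both tests also fetch the context with `talloc_get_type()`, which returns NULL on a type mismatch, whereas `test_teardown` uses `talloc_get_type_abort()`.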
@@ -0,0 +1,469 @@
+/*
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "providers/backend.h"
+#include "providers/data_provider/dp_private.h"
+#include "providers/data_provider/dp.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+#include "tests/cmocka/common_mock_be.h"
+#include "tests/cmocka/data_provider/mock_dp.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_dp_request.ldb"
+#define TEST_DOM_NAME "dp_request_test"
+#define TEST_ID_PROVIDER "ldap"
+
+struct test_ctx {
+ struct sss_test_ctx *tctx;
+ struct be_ctx *be_ctx;
+ struct data_provider *provider;
+ struct dp_method *dp_methods;
+};
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, NULL);
+ assert_non_null(test_ctx->tctx);
+
+ test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx);
+ test_ctx->provider = mock_dp(test_ctx, test_ctx->be_ctx);
+ test_ctx->dp_methods = mock_dp_get_methods(test_ctx->provider, DPT_ID);
+
+ check_leaks_push(test_ctx);
+
+ *state = test_ctx;
+
+ return 0;
+}
+
+static int test_teardown(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static bool is_be_offline_opt = false;
+
+bool __wrap_be_is_offline(struct be_ctx *ctx)
+{
+ return is_be_offline_opt;
+}
+
+#define UID 100001
+#define UID2 100002
+#define UID_FAIL 100003
+#define NAME "test_user"
+#define NAME2 "test_user2"
+#define REQ_NAME "getpwuid"
+
+struct method_data
+{
+ int foo;
+};
+
+struct req_data
+{
+ uid_t uid;
+};
+
+struct test_state
+{
+ uid_t uid;
+ const char *name;
+};
+
+static void get_name_by_uid_done(struct tevent_context *ev,
+ struct tevent_timer *tt,
+ struct timeval tv,
+ void *pvt);
+
+static struct tevent_req *
+get_name_by_uid_send(TALLOC_CTX *mem_ctx,
+ struct method_data *md,
+ struct req_data *req_data,
+ struct dp_req_params *params)
+{
+ struct tevent_req *req;
+ struct test_state *state;
+ struct tevent_timer *tt;
+ struct timeval tv;
+
+ req = tevent_req_create(mem_ctx, &state, struct test_state);
+ if (req == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n");
+ return NULL;
+ }
+
+ /* Init state of lookup */
+ state->uid = req_data->uid;
+
+ /* Mock lookup */
+ tv = tevent_timeval_current_ofs(1, 0);
+ tt = tevent_add_timer(params->ev, req, tv, get_name_by_uid_done, req);
+ if (tt == NULL) {
+ return NULL;
+ }
+
+ return req;
+}
+
+static void get_name_by_uid_done(struct tevent_context *ev,
+ struct tevent_timer *tt,
+ struct timeval tv,
+ void *pvt)
+{
+ struct tevent_req *req;
+ struct test_state *state;
+
+ req = talloc_get_type(pvt, struct tevent_req);
+ state = tevent_req_data(req, struct test_state);
+
+ /* Result */
+ if (state->uid == UID) {
+ state->name = NAME;
+ } else if (state->uid == UID2) {
+ state->name = NAME2;
+ } else {
+ state->name = NULL;
+ }
+ tevent_req_done(req);
+}
+
+struct recv_data
+{
+ const char *name;
+};
+
+static errno_t
+get_name_by_uid_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct recv_data *recv_data)
+{
+ struct test_state *state;
+
+ state = tevent_req_data(req, struct test_state);
+
+ if (state->name == NULL) {
+ return ENOENT;
+ } else {
+ recv_data->name = talloc_strdup(recv_data, state->name);
+ }
+ return EOK;
+}
+
+static void test_get_name_by_uid(void **state)
+{
+ errno_t ret;
+ struct test_ctx *test_ctx;
+ const char *req_name;
+ struct tevent_req *req;
+ struct tevent_req *req2;
+ struct tevent_req *req3;
+ struct method_data *md;
+ struct req_data *req_data;
+ struct req_data *req_data2;
+ struct req_data *req_data3;
+ struct recv_data *recv_data;
+
+ test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ md = talloc(test_ctx, struct method_data);
+
+ dp_set_method(test_ctx->dp_methods,
+ DPM_ACCOUNT_HANDLER,
+ get_name_by_uid_send, get_name_by_uid_recv,
+ md,
+ struct method_data, struct req_data, struct recv_data);
+
+ /* Prepare request data #1 */
+ req_data = talloc_zero(test_ctx, struct req_data);
+ assert_non_null(req_data);
+ req_data->uid = UID; /* We are looking for user by UID */
+
+ /* Prepare request data #2 */
+ req_data2 = talloc_zero(test_ctx, struct req_data);
+ assert_non_null(req_data2);
+ req_data2->uid = UID_FAIL; /* We are looking for user by UID */
+
+ /* Prepare request data #3 */
+ req_data3 = talloc_zero(test_ctx, struct req_data);
+ assert_non_null(req_data3);
+ req_data3->uid = UID2; /* We are looking for user by UID */
+
+ /* Send request #1 */
+ req = dp_req_send(test_ctx, test_ctx->provider, NULL, NULL, REQ_NAME,
+ DPT_ID, DPM_ACCOUNT_HANDLER, 0, req_data, &req_name);
+ assert_non_null(req);
+ assert_string_equal(req_name, REQ_NAME" #0");
+ talloc_zfree(req_name);
+
+ /* Send request #2 */
+ req2 = dp_req_send(test_ctx, test_ctx->provider, NULL, NULL, REQ_NAME,
+ DPT_ID, DPM_ACCOUNT_HANDLER, 0, req_data2, &req_name);
+ assert_non_null(req2);
+ assert_string_equal(req_name, REQ_NAME" #1");
+ talloc_zfree(req_name);
+
+ /* Send request #3 */
+ req3 = dp_req_send(test_ctx, test_ctx->provider, NULL, NULL, REQ_NAME,
+ DPT_ID, DPM_ACCOUNT_HANDLER, 0, req_data3, &req_name);
+ assert_non_null(req3);
+ assert_string_equal(req_name, REQ_NAME" #2");
+ talloc_zfree(req_name);
+
+ tevent_loop_wait(test_ctx->tctx->ev);
+
+ /* Receive lookup results */
+ ret = dp_req_recv_ptr(test_ctx, req, struct recv_data, &recv_data);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(recv_data->name, NAME);
+ talloc_free(recv_data);
+
+ ret = dp_req_recv_ptr(test_ctx, req2, struct recv_data, &recv_data);
+ assert_int_equal(ret, ENOENT);
+
+ ret = dp_req_recv_ptr(test_ctx, req3, struct recv_data, &recv_data);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(recv_data->name, NAME2);
+ talloc_free(recv_data);
+
+ talloc_free(req_data);
+ talloc_free(req_data2);
+ talloc_free(req_data3);
+ talloc_free(req);
+ talloc_free(req2);
+ talloc_free(req3);
+ talloc_free(md);
+}
+
+static void test_type_mismatch(void **state)
+{
+ errno_t ret;
+ struct test_ctx *test_ctx;
+ const char *req_name;
+ struct tevent_req *req;
+ struct method_data *md;
+ struct req_data *req_data;
+ struct recv_data *recv_data;
+
+ test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ md = talloc(test_ctx, struct method_data);
+ assert_non_null(md);
+
+ dp_set_method(test_ctx->dp_methods,
+ DPM_ACCOUNT_HANDLER,
+ get_name_by_uid_send, get_name_by_uid_recv,
+ md,
+ struct method_data, struct req_data, struct recv_data);
+
+ /* Prepare request data #1 */
+ req_data = talloc_zero(test_ctx, struct req_data);
+ assert_non_null(req_data);
+ req_data->uid = UID; /* We are looking for user by UID */
+
+ /* Send request #1 */
+ req = dp_req_send(test_ctx, test_ctx->provider, NULL, NULL, REQ_NAME,
+ DPT_ID, DPM_ACCOUNT_HANDLER, 0, req_data, &req_name);
+ assert_non_null(req);
+ assert_string_equal(req_name, REQ_NAME" #0");
+ talloc_zfree(req_name);
+
+ tevent_loop_wait(test_ctx->tctx->ev);
+
+ /* Receive lookup results */
+ ret = dp_req_recv_ptr(test_ctx, req,
+ struct req_data, /* Wrong data type. */
+ &recv_data);
+ assert_int_equal(ret, ERR_INVALID_DATA_TYPE);
+
+ talloc_free(req_data);
+ talloc_free(req);
+ talloc_free(md);
+}
+
+static void test_nonexist_dom(void **state)
+{
+ errno_t ret;
+ struct test_ctx *test_ctx;
+ struct tevent_req *req;
+ struct method_data *md;
+ struct req_data *req_data;
+ struct recv_data *recv_data;
+
+ test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ md = talloc(test_ctx, struct method_data);
+
+ dp_set_method(test_ctx->dp_methods,
+ DPM_ACCOUNT_HANDLER,
+ get_name_by_uid_send, get_name_by_uid_recv,
+ md,
+ struct method_data, struct req_data, struct recv_data);
+
+ /* Prepare request data #1 */
+ req_data = talloc_zero(test_ctx, struct req_data);
+ assert_non_null(req_data);
+ req_data->uid = UID; /* We are looking for user by UID */
+
+ /* Send request #1 */
+ req = dp_req_send(test_ctx, test_ctx->provider, NULL,
+ "non-existing domain name",
+ REQ_NAME,
+ DPT_ID, DPM_ACCOUNT_HANDLER,
+ 0,
+ req_data, NULL);
+
+ assert_non_null(req);
+
+ tevent_loop_wait(test_ctx->tctx->ev);
+
+ /* Receive lookup results */
+ ret = dp_req_recv_ptr(test_ctx, req, struct recv_data, &recv_data);
+ assert_int_equal(ret, ERR_DOMAIN_NOT_FOUND);
+
+ talloc_free(req_data);
+ talloc_free(req);
+ talloc_free(md);
+}
+
+static void test_fast_reply(void **state)
+{
+ errno_t ret;
+ struct test_ctx *test_ctx;
+ struct tevent_req *req;
+ struct method_data *md;
+ struct req_data *req_data;
+ struct recv_data *recv_data;
+ bool backup;
+
+ test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ md = talloc(test_ctx, struct method_data);
+
+ dp_set_method(test_ctx->dp_methods,
+ DPM_ACCOUNT_HANDLER,
+ get_name_by_uid_send, get_name_by_uid_recv,
+ md,
+ struct method_data, struct req_data, struct recv_data);
+
+ /* Prepare request data #1 */
+ req_data = talloc_zero(test_ctx, struct req_data);
+ assert_non_null(req_data);
+ req_data->uid = UID; /* We are looking for user by UID */
+
+ backup = is_be_offline_opt;
+ is_be_offline_opt = true;
+
+ /* Send request #1 */
+ req = dp_req_send(test_ctx, test_ctx->provider, NULL, NULL, REQ_NAME,
+ DPT_ID, DPM_ACCOUNT_HANDLER,
+ DP_FAST_REPLY, /* FAST REPLY, don't check online! */
+ req_data, NULL);
+ /* Restore */
+ is_be_offline_opt = backup;
+
+ assert_non_null(req);
+
+ tevent_loop_wait(test_ctx->tctx->ev);
+
+ /* Receive lookup results */
+ ret = dp_req_recv_ptr(test_ctx, req, struct recv_data, &recv_data);
+ assert_int_equal(ret, ERR_OFFLINE);
+ talloc_free(req);
+ talloc_free(md);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ int no_cleanup = 0;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_get_name_by_uid,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_fast_reply,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_type_mismatch,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_nonexist_dom,
+ test_setup,
+ test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+
+ return rv;
+}
diff --git a/src/tests/cmocka/data_provider/test_dp_request_table.c b/src/tests/cmocka/data_provider/test_dp_request_table.c
new file mode 100644
index 0000000..14e0145
--- /dev/null
+++ b/src/tests/cmocka/data_provider/test_dp_request_table.c
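Review bot: `get_name_by_uid_recv()` returns `EOK` even when `talloc_strdup()` fails, so the caller in `test_get_name_by_uid` would hand a NULL `recv_data->name` to `assert_string_equal()`; adding `if (recv_data->name == NULL) return ENOMEM;` after the copy closes that. `get_name_by_uid_send()` has the mirror problem on the `tevent_add_timer()` failure path, where it returns NULL without `talloc_free(req);`. In `test_setup` the result of `mock_be_ctx()` goes straight into `mock_dp()`, which dereferences it, while test_dp_builtin.c asserts it non-null first; `md = talloc(...)` is likewise unchecked in every test except `test_type_mismatch`. `test_fast_reply` is the only test that does not free `req_data`; whether `dp_req_send()` takes ownership is not visible here, so either a `talloc_free(req_data);` or a comment explaining why the leak check still passes is needed.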
@@ -0,0 +1,356 @@
+/*
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "providers/data_provider/dp_private.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+
+struct test_ctx {
+ hash_table_t *table;
+};
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx = NULL;
+ errno_t ret;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ ret = dp_req_table_init(test_ctx, &test_ctx->table);
+ assert_int_equal(ret, EOK);
+ assert_non_null(test_ctx->table);
+
+ check_leaks_push(test_ctx);
+
+ *state = test_ctx;
+
+ return 0;
+}
+
+static int test_teardown(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct test_ctx);
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+
+ return 0;
+}
+
+static const char *get_req_key(struct test_ctx* test_ctx)
+{
+ const char *req_name;
+
+ req_name = dp_req_table_key(test_ctx,
+ DPT_ID, DPM_ACCOUNT_HANDLER,
+ DP_FAST_REPLY,
+ "custom_part");
+ assert_non_null(req_name);
+ return req_name;
+}
+
+static void test_add_del_req(void **state)
+{
+ errno_t ret;
+ bool is_present;
+ const char *key;
+ struct dp_table_value *tv;
+ struct dp_table_value *tv2;
+ struct sbus_request *sbus_req;
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct tevent_req *req;
+
+ req = tevent_req_create(test_ctx, &state, struct test_ctx);
+ assert_non_null(req);
+
+ key = get_req_key(test_ctx);
+
+ is_present = dp_req_table_has_key(test_ctx->table, key);
+ assert_false(is_present);
+
+ sbus_req = talloc(test_ctx, struct sbus_request);
+ assert_non_null(sbus_req);
+
+ ret = dp_req_table_add(test_ctx->table, key, req, sbus_req);
+ assert_int_equal(ret, EOK);
+
+ is_present = dp_req_table_has_key(test_ctx->table, key);
+ assert_true(is_present);
+
+ tv = dp_req_table_lookup(test_ctx->table, key);
+ assert_non_null(tv);
+
+ dp_req_table_del(test_ctx->table, key);
+
+ tv2 = dp_req_table_lookup(test_ctx->table, key);
+ assert_null(tv2);
+
+ is_present = dp_req_table_has_key(test_ctx->table, key);
+ assert_false(is_present);
+
+ talloc_free(discard_const(key));
+ talloc_free(tv);
+ talloc_free(sbus_req);
+ talloc_free(req);
+}
+
+static void test_del_non_present_req(void **state)
+{
+ bool is_present;
+ hash_table_t *table;
+ const char *key;
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ table = test_ctx->table;
+
+ key = get_req_key(test_ctx);
+
+ is_present = dp_req_table_has_key(table, key);
+ assert_false(is_present);
+
+ dp_req_table_del(table, key);
+
+ is_present = dp_req_table_has_key(table, key);
+ assert_false(is_present);
+
+ talloc_free(discard_const(key));
+}
+
+static void test_mult_req(void **state)
+{
+ errno_t ret;
+ bool is_present;
+ hash_table_t *table;
+ const char *key;
+ struct sbus_request *sbus_req;
+ struct sbus_request *sbus_req2;
+ struct dp_table_value *tv;
+ struct dp_table_value *tv2;
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct tevent_req *req;
+
+ req = tevent_req_create(test_ctx, &state, struct test_ctx);
+ assert_non_null(req);
+
+ table = test_ctx->table;
+
+ key = get_req_key(test_ctx);
+
+ /* Add 1st request */
+ is_present = dp_req_table_has_key(table, key);
+ assert_false(is_present);
+
+ sbus_req = talloc(test_ctx, struct sbus_request);
+ assert_non_null(sbus_req);
+
+ ret = dp_req_table_add(table, key, req, sbus_req);
+ assert_int_equal(ret, EOK);
+
+ is_present = dp_req_table_has_key(table, key);
+ assert_true(is_present);
+
+ tv = dp_req_table_lookup(table, key);
+ assert_non_null(tv);
+ assert_ptr_equal(tv->req, req);
+ assert_ptr_equal(tv->list->sbus_req, sbus_req);
+
+ /* Add 2nd request */
+ is_present = dp_req_table_has_key(table, key);
+ assert_true(is_present);
+
+ sbus_req2 = talloc(test_ctx, struct sbus_request);
+ assert_non_null(sbus_req2);
+
+ ret = dp_req_table_add(table, key, NULL, sbus_req2);
+ assert_int_equal(ret, EOK);
+
+ is_present = dp_req_table_has_key(table, key);
+ assert_true(is_present);
+
+ tv = dp_req_table_lookup(table, key);
+ assert_non_null(tv);
+ assert_ptr_equal(tv->req, req);
+ assert_ptr_equal(tv->list->sbus_req, sbus_req2);
+ assert_non_null(tv->list->next);
+ assert_ptr_equal(tv->list->next->sbus_req, sbus_req);
+
+ /* Del req */
+ dp_req_table_del(table, key);
+ is_present = dp_req_table_has_key(table, key);
+ assert_false(is_present);
+
+ tv2 = dp_req_table_lookup(table, key);
+ assert_null(tv2);
+
+ /* Free memory */
+ talloc_free(discard_const(key));
+ talloc_free(tv);
+ talloc_free(sbus_req);
+ talloc_free(sbus_req2);
+ talloc_free(req);
+}
+
+/* This test is aimed to test 'dp_sbus_req_item_destructor()' */
+static void test_destructor_req(void **state)
+{
+ errno_t ret;
+ bool is_present;
+ hash_table_t *table;
+ const char *key;
+ struct dp_table_value *tv;
+ struct dp_table_value *tv2;
+ const int N = 5;
+ const int MAGIC = 3;
+ struct sbus_request *sbus_req[N];
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct tevent_req *req;
+
+ req = tevent_req_create(test_ctx, &state, struct test_ctx);
+ assert_non_null(req);
+
+ table = test_ctx->table;
+
+ key = get_req_key(test_ctx);
+
+ is_present = dp_req_table_has_key(table, key);
+ assert_false(is_present);
+
+ /* Insert N sbus_requests for req_name */
+ for (int i = 0; i < N; i++) {
+ sbus_req[i] = talloc(test_ctx, struct sbus_request);
+ assert_non_null(sbus_req[i]);
+
+ ret = dp_req_table_add(table, key, req, sbus_req[i]);
+ assert_int_equal(ret, EOK);
+ }
+
+ /* Check */
+ is_present = dp_req_table_has_key(table, key);
+ assert_true(is_present);
+
+ tv = dp_req_table_lookup(table, key);
+ assert_non_null(tv);
+ assert_ptr_equal(tv->req, req);
+
+ struct dp_sbus_req_item *ri = tv->list;
+ for (int i = 0; i < N; i++) {
+ assert_ptr_equal(ri->sbus_req, sbus_req[N-i-1]);
+ ri = ri->next;
+ }
+ assert_null(ri);
+
+ /* Del one req */
+ talloc_free(sbus_req[MAGIC]);
+
+ /* Check that only magic is missing */
+ is_present = dp_req_table_has_key(table, key);
+ assert_true(is_present);
+
+ tv = dp_req_table_lookup(table, key);
+ assert_non_null(tv);
+ assert_ptr_equal(tv->req, req);
+
+ ri = tv->list;
+ assert_ptr_equal(ri->sbus_req, sbus_req[N-1]);
+ ri = ri->next;
+ /* Skip deleted MAGIC request */
+ assert_ptr_equal(ri->sbus_req, sbus_req[N-3]);
+ ri = ri->next;
+ assert_ptr_equal(ri->sbus_req, sbus_req[N-4]);
+ ri = ri->next;
+ assert_ptr_equal(ri->sbus_req, sbus_req[N-5]);
+ ri = ri->next;
+ assert_null(ri);
+
+ /* misc */
+ dp_req_table_del(table, key);
+ is_present = dp_req_table_has_key(table, key);
+ assert_false(is_present);
+
+ tv2 = dp_req_table_lookup(table, key);
+ assert_null(tv2);
+
+ /* Free memory */
+ for (int i = 0; i < N; i++) {
+ if (i != MAGIC) {
+ talloc_free(sbus_req[i]);
+ }
+ }
+
+ talloc_free(discard_const(key));
+ talloc_free(tv);
+ talloc_free(req);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int no_cleanup = 0;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_add_del_req,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_del_non_present_req,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_mult_req,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_destructor_req,
+ test_setup,
+ test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/dummy_child.c b/src/tests/cmocka/dummy_child.c
new file mode 100644
index 0000000..811cb40
--- /dev/null
+++ b/src/tests/cmocka/dummy_child.c
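Review bot: `test_teardown` in this file never calls `leak_check_teardown()` although `test_setup` calls `leak_check_setup()`; the other two test files in this commit end their teardown with `assert_true(leak_check_teardown());`, and the same line before `return 0;` is probably wanted here. The three tests that call `tevent_req_create(test_ctx, &state, struct test_ctx)` pass the address of the cmocka `state` parameter as the output pointer, which overwrites that parameter; it only works because `*state` was already read in the declaration above, and a separate local such as `struct test_ctx *req_state;` would be clearer. `main()` also registers a `--no-cleanup` option whose `no_cleanup` variable is never read in this file.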
@@ -0,0 +1,140 @@ +/* + SSSD + + Tests -- a simple test process that echoes input back + + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/util.h" +#include "util/child_common.h" + +int main(int argc, const char *argv[]) +{ + int opt; + int debug_fd = -1; + char *opt_logger = NULL; + poptContext pc; + ssize_t len; + ssize_t written; + errno_t ret; + uint8_t buf[IN_BUF_SIZE]; + const char *action = NULL; + const char *guitar; + const char *drums; + + struct poptOption long_options[] = { + POPT_AUTOHELP + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, + _("Debug level"), NULL}, + {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0, + _("Add debug timestamps"), NULL}, + {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0, + _("Show timestamps with microseconds"), NULL}, + {"debug-fd", 0, POPT_ARG_INT, &debug_fd, 0, + _("An open file descriptor for the debug logs"), NULL}, + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \ + _("Send the debug output to stderr directly."), NULL }, + SSSD_LOGGER_OPTS + {"guitar", 0, POPT_ARG_STRING, &guitar, 0, _("Who plays guitar"), NULL }, + {"drums", 0, POPT_ARG_STRING, &drums, 0, _("Who plays drums"), NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ poptFreeContext(pc);
+ _exit(1);
+ }
+ }
+ poptFreeContext(pc);
+
+ sss_set_logger(opt_logger);
+
+ action = getenv("TEST_CHILD_ACTION");
+ if (action) {
+ if (strcasecmp(action, "check_extra_args") == 0) {
+ if (!(strcmp(guitar, "george") == 0 \
+ && strcmp(drums, "ringo") == 0)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This band sounds weird\n");
+ _exit(1);
+ }
+ } else if (strcasecmp(action, "check_only_extra_args") == 0) {
+ if (debug_timestamps == 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "debug_timestamp was passed when only extra args "
+ "should have been\n");
+ _exit(1);
+ }
+
+ if (!(strcmp(guitar, "george") == 0 \
+ && strcmp(drums, "ringo") == 0)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "This band sounds weird\n");
+ _exit(1);
+ }
+ } else if (strcasecmp(action, "check_only_extra_args_neg") == 0) {
+ if (debug_timestamps != 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "debug_timestamp was not passed as expected\n");
+ _exit(1);
+ }
+ } else if (strcasecmp(action, "echo") == 0) {
+ errno = 0;
+ len = sss_atomic_read_s(STDIN_FILENO, buf, IN_BUF_SIZE);
+ if (len == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n", ret, strerror(ret));
+ _exit(1);
+ }
+ close(STDIN_FILENO);
+
+ errno = 0;
+ written = sss_atomic_write_s(3, buf, len);
+ if (written == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "write failed [%d][%s].\n", ret,
+ strerror(ret));
+ _exit(1);
+ }
+ close(STDOUT_FILENO);
+
+ if (written != len) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Expected to write %zu bytes, wrote %zu\n",
+ len, written);
+ _exit(1);
+ }
+ }
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "test_child completed successfully\n");
+ _exit(0);
+}
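Review bot: In dummy_child.c `main`, `guitar` and `drums` are declared without an initialiser and are only assigned when popt sees `--guitar`/`--drums`, yet the `check_extra_args` and `check_only_extra_args` branches pass them straight to `strcmp()`, so a run with `TEST_CHILD_ACTION` set and either option missing reads an indeterminate pointer. Declare them as `const char *guitar = NULL;` and `const char *drums = NULL;` and fail the check when either is still NULL before comparing. In the `echo` branch the last DEBUG prints `len` and `written`, both `ssize_t`, with `%zu`; `%zd` matches the type. The same branch writes to descriptor 3 but then closes `STDOUT_FILENO`, which looks unintended unless the parent arranges the pipe that way; a comment naming the expected descriptor layout would settle it.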
diff --git a/src/tests/cmocka/sbus_internal_tests.c b/src/tests/cmocka/sbus_internal_tests.c
new file mode 100644
index 0000000..6b71dff
--- /dev/null
+++ b/src/tests/cmocka/sbus_internal_tests.c
@@ -0,0 +1,267 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: SBUS internals + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "responder/common/responder.h" +#include "tests/cmocka/common_mock.h" +#include "sbus/sssd_dbus_private.h" + +struct sbus_get_id_ctx { + struct sss_test_ctx *stc; + struct sbus_connection *conn; + + DBusPendingCallNotifyFunction reply_handler; + void *reply_pvt; + int last_hash_lookup; + + int64_t expected; +}; + +struct sbus_get_id_ctx *global_test_ctx; + +DBusConnection * +__wrap_dbus_bus_get(DBusBusType type, + DBusError *error) +{ + /* just don't return NULL */ + return (DBusConnection *) 0x42; +} + +void +__wrap_dbus_connection_set_exit_on_disconnect(DBusConnection *connection, + dbus_bool_t exit_on_disconnect) +{ + return; +} + +void __wrap_dbus_pending_call_unref(DBusPendingCall *pending) +{ + return; +} + +void __wrap_dbus_message_unref(DBusMessage *message) +{ + return; +} + +void __wrap_dbus_connection_unref(DBusConnection *connection) +{ + return; +} + +DBusMessage* +__wrap_dbus_pending_call_steal_reply(DBusPendingCall *pending) +{ + return sss_mock_ptr_type(DBusMessage *); +} + +int __real_hash_lookup(hash_table_t *table, hash_key_t *key, hash_value_t *value); + +int __wrap_hash_lookup(hash_table_t *table, hash_key_t *key, hash_value_t *value) +{ + global_test_ctx->last_hash_lookup = 
__real_hash_lookup(table, key, value); + return global_test_ctx->last_hash_lookup; +} + +static void fake_sbus_msg_done(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + struct sbus_get_id_ctx *test_ctx = talloc_get_type(pvt, + struct sbus_get_id_ctx); + talloc_free(imm); + test_ctx->reply_handler(NULL, test_ctx->reply_pvt); +} + +int sss_dbus_conn_send(DBusConnection *dbus_conn, + DBusMessage *msg, + int timeout_ms, + DBusPendingCallNotifyFunction reply_handler, + void *pvt, + DBusPendingCall **pending) +{ + struct tevent_immediate *imm; + + global_test_ctx->reply_pvt = pvt; + global_test_ctx->reply_handler = reply_handler; + + imm = tevent_create_immediate(global_test_ctx->stc->ev); + assert_non_null(imm); + tevent_schedule_immediate(imm, global_test_ctx->stc->ev, fake_sbus_msg_done, global_test_ctx); + + return EOK; +} + +int sbus_get_id_test_setup(void **state) +{ + struct sbus_get_id_ctx *test_ctx; + int ret; + + test_ctx = talloc(global_talloc_context, struct sbus_get_id_ctx); + assert_non_null(test_ctx); + + test_ctx->conn = talloc(test_ctx, struct sbus_connection); + assert_non_null(test_ctx->conn); + test_ctx->conn->connection_type = SBUS_CONN_TYPE_SYSBUS; + ret = sss_hash_create(test_ctx->conn, 32, &test_ctx->conn->clients); + assert_int_equal(ret, EOK); + + test_ctx->stc = create_ev_test_ctx(test_ctx); + assert_non_null(test_ctx->stc); + + *state = test_ctx; + global_test_ctx = test_ctx; + return 0; +} + +void sbus_int_test_get_uid_done(struct tevent_req *req) +{ + errno_t ret; + int64_t uid; + struct sbus_get_id_ctx *test_ctx = tevent_req_callback_data(req, + struct sbus_get_id_ctx); + + ret = sbus_get_sender_id_recv(req, &uid); + talloc_free(req); + assert_int_equal(ret, EOK); + + test_ctx->stc->done = true; + assert_int_equal(uid, test_ctx->expected); +} + +void sbus_int_test_get_uid(void **state) +{ + errno_t ret; + struct tevent_req *req; + DBusMessage *reply; + struct sbus_get_id_ctx *test_ctx = talloc_get_type(*state, + 
struct sbus_get_id_ctx); + + uint32_t uid; + + test_ctx->expected = 42; + uid = test_ctx->expected; + + reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_CALL); + assert_non_null(reply); + dbus_message_append_args(reply, + DBUS_TYPE_UINT32, &uid, + DBUS_TYPE_INVALID); + will_return(__wrap_dbus_pending_call_steal_reply, reply); + + req = sbus_get_sender_id_send(test_ctx, test_ctx->stc->ev, + test_ctx->conn, __FILE__); + tevent_req_set_callback(req, sbus_int_test_get_uid_done, test_ctx); + + ret = test_ev_loop(test_ctx->stc); + assert_int_equal(ret, EOK); + assert_int_equal(test_ctx->last_hash_lookup, HASH_ERROR_KEY_NOT_FOUND); + + /* Now do the same lookup again, just make sure the result was cached */ + req = sbus_get_sender_id_send(test_ctx, test_ctx->stc->ev, + test_ctx->conn, __FILE__); + tevent_req_set_callback(req, sbus_int_test_get_uid_done, test_ctx); + + ret = test_ev_loop(test_ctx->stc); + assert_int_equal(ret, EOK); + assert_int_equal(test_ctx->last_hash_lookup, HASH_SUCCESS); +} + +void sbus_int_test_get_uid_no_sender_done(struct tevent_req *req) +{ + errno_t ret; + int64_t uid; + struct sbus_get_id_ctx *test_ctx = tevent_req_callback_data(req, + struct sbus_get_id_ctx); + + ret = sbus_get_sender_id_recv(req, &uid); + talloc_free(req); + assert_int_equal(ret, ERR_SBUS_NO_SENDER); + test_ctx->stc->done = true; +} + +void sbus_int_test_get_uid_no_sender(void **state) +{ + errno_t ret; + struct tevent_req *req; + struct sbus_get_id_ctx *test_ctx = talloc_get_type(*state, + struct sbus_get_id_ctx); + + test_ctx->expected = -1; + + req = sbus_get_sender_id_send(test_ctx, test_ctx->stc->ev, + test_ctx->conn, NULL); + tevent_req_set_callback(req, sbus_int_test_get_uid_no_sender_done, test_ctx); + + ret = test_ev_loop(test_ctx->stc); + assert_int_equal(ret, EOK); +} + +int sbus_get_id_test_teardown(void **state) +{ + struct sbus_get_id_ctx *test_ctx = talloc_get_type(*state, + struct sbus_get_id_ctx); + talloc_free(test_ctx); + return 0; +} + +int main(int argc, 
const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(sbus_int_test_get_uid,
+ sbus_get_id_test_setup,
+ sbus_get_id_test_teardown),
+ cmocka_unit_test_setup_teardown(sbus_int_test_get_uid_no_sender,
+ sbus_get_id_test_setup,
+ sbus_get_id_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+ tests_set_cwd();
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/sss_nss_idmap-tests.c b/src/tests/cmocka/sss_nss_idmap-tests.c
new file mode 100644
index 0000000..83bab29
--- /dev/null
+++ b/src/tests/cmocka/sss_nss_idmap-tests.c
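Review bot: In sbus_internal_tests.c, `sbus_get_id_test_setup` allocates both the test context and the `struct sbus_connection` with `talloc()`, which leaves every field other than `connection_type` and `clients` uninitialised, so anything else `sbus_get_sender_id_send()` reads from the connection (its body is outside this hunk) is indeterminate and the result can differ between runs. Use `talloc_zero(global_talloc_context, struct sbus_get_id_ctx)` and `talloc_zero(test_ctx, struct sbus_connection)` instead. Both tests also pass the result of `sbus_get_sender_id_send()` to `tevent_req_set_callback()` unchecked; an `assert_non_null(req);` after each call reports an allocation failure as a test failure instead of letting a NULL request reach the callback setup.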
@@ -0,0 +1,160 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + Test for the NSS Responder ID-SID mapping interface + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + + +#include "util/util.h" +#include "util/sss_endian.h" + +#include "sss_client/idmap/sss_nss_idmap.h" +#include "tests/cmocka/common_mock.h" + +#include +#include "sss_client/sss_cli.h" + +struct sss_nss_make_request_test_data { + uint8_t *repbuf; + size_t replen; + int errnop; + enum nss_status nss_status; +}; + +#if (__BYTE_ORDER == __LITTLE_ENDIAN) +uint8_t buf1[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00}; +uint8_t buf2[] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00}; +uint8_t buf3[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00}; +uint8_t buf4[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 'x'}; + +uint8_t buf_orig1[] = {0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 'k', 'e', 'y', 0x00, 'v', 'a', 'l', 'u', 'e', 0x00}; +#elif (__BYTE_ORDER == __BIG_ENDIAN) +uint8_t buf1[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00}; +uint8_t buf2[] = {0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00}; +uint8_t buf3[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 0x00}; +uint8_t buf4[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 't', 'e', 's', 't', 'x'}; + +uint8_t buf_orig1[] = {0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 'k', 'e', 'y', 0x00, 'v', 'a', 'l', 'u', 'e', 0x00}; +#else + #error "unknow endianess" +#endif + +enum nss_status __wrap_sss_nss_make_request_timeout(enum sss_cli_command cmd, + struct sss_cli_req_data *rd, + int timeout, + uint8_t **repbuf, + size_t *replen, + int *errnop) +{ + struct sss_nss_make_request_test_data *d; + + d = sss_mock_ptr_type(struct sss_nss_make_request_test_data *); + + *replen = d->replen; + *errnop = d->errnop; + + /* the caller must be able to free repbuf. */ + if (*replen != 0 && d->repbuf != NULL) { + *repbuf = malloc(*replen); + assert_non_null(*repbuf); + memcpy(*repbuf, d->repbuf, *replen); + } + + return d->nss_status; +} + +void test_getsidbyname(void **state) +{ + int ret; + char *sid = NULL; + size_t c; + enum sss_id_type type; + + struct test_data { + struct sss_nss_make_request_test_data d; + int ret; + const char *str; + } d[] = { + {{buf1, sizeof(buf1), 0, NSS_STATUS_SUCCESS}, EOK, "test"}, + {{buf2, sizeof(buf2), 0, NSS_STATUS_SUCCESS}, EBADMSG, NULL}, + {{buf3, sizeof(buf3), 0, NSS_STATUS_SUCCESS}, ENOENT, NULL}, + {{buf4, sizeof(buf4), 0, NSS_STATUS_SUCCESS}, EBADMSG, NULL}, + {{NULL, 0, 0, 0}, 0, NULL} + }; + + ret = sss_nss_getsidbyname(NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_nss_getsidbyname("", NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_nss_getsidbyname("", &sid, NULL); + assert_int_equal(ret, EINVAL); + free(sid); + sid = NULL; + + for (c = 0; d[c].d.repbuf != NULL; c++) { + will_return(__wrap_sss_nss_make_request_timeout, &d[0].d); + + ret = sss_nss_getsidbyname("test", &sid, &type); + 
assert_int_equal(ret, d[0].ret);
+ if (ret == EOK) {
+ assert_string_equal(sid, d[0].str);
+ assert_int_equal(type, 0);
+ }
+ free(sid);
+ sid = NULL;
+ }
+}
+
+void test_getorigbyname(void **state)
+{
+ int ret;
+ struct sss_nss_kv *kv_list;
+ enum sss_id_type type;
+ struct sss_nss_make_request_test_data d = {buf_orig1, sizeof(buf_orig1), 0, NSS_STATUS_SUCCESS};
+
+ will_return(__wrap_sss_nss_make_request_timeout, &d);
+ ret = sss_nss_getorigbyname("test", &kv_list, &type);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(type, SSS_ID_TYPE_UID);
+ assert_string_equal(kv_list[0].key, "key");
+ assert_string_equal(kv_list[0].value, "value");
+ assert_null(kv_list[1].key);
+ assert_null(kv_list[1].value);
+
+ sss_nss_free_kv(kv_list);
+}
+
+int main(int argc, const char *argv[])
+{
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_getsidbyname),
+ cmocka_unit_test(test_getorigbyname),
+ };
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_ad_access_filter.c b/src/tests/cmocka/test_ad_access_filter.c
new file mode 100644
index 0000000..9e6ecd0
--- /dev/null
+++ b/src/tests/cmocka/test_ad_access_filter.c
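Review bot: In sss_nss_idmap-tests.c, the loop in `test_getsidbyname` steps `c` through the table but queues `&d[0].d` and compares against `d[0].ret` and `d[0].str` on every pass, so only the well-formed `buf1` reply is exercised. The three rejection cases (`buf2`, `buf3`, and `buf4` with its missing NUL terminator) never reach `sss_nss_getsidbyname()`, which leaves the reply-validation path this table was written for without coverage. Index with the loop variable: `will_return(__wrap_sss_nss_make_request_timeout, &d[c].d);`, `assert_int_equal(ret, d[c].ret);` and `assert_string_equal(sid, d[c].str);`.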
@@ -0,0 +1,361 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: AD access control filter tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +/* In order to access opaque types */ +#include "providers/ad/ad_access.c" + +#include "tests/cmocka/common_mock.h" + +#define DOM_NAME "parent_dom" + +struct ad_access_test_ctx { + struct sss_domain_info *dom; +}; + +static struct ad_access_test_ctx *test_ctx; + +int ad_access_filter_test_setup(void **state) +{ + assert_true(leak_check_setup()); + test_ctx = talloc_zero(global_talloc_context, + struct ad_access_test_ctx); + assert_non_null(test_ctx); + + test_ctx->dom = talloc_zero(test_ctx, struct sss_domain_info); + assert_non_null(test_ctx->dom); + + test_ctx->dom->name = talloc_strdup(test_ctx->dom, DOM_NAME); + assert_non_null(test_ctx->dom->name); + return 0; +} + +int ad_access_filter_test_teardown(void **state) +{ + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +struct filter_parse_result { + const int result; + const char *best_match; +}; + +static void test_parse_filter_generic(const char *filter_in, + struct filter_parse_result *expected) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + char *best_match; + + assert_non_null(expected); + + tmp_ctx = talloc_new(global_talloc_context); + assert_non_null(tmp_ctx); + 
check_leaks_push(tmp_ctx); + + ret = ad_parse_access_filter(tmp_ctx, test_ctx->dom, filter_in, + &best_match); + assert_int_equal(ret, expected->result); + if (expected->result != EOK) { + goto done; + } + + if (expected->best_match != NULL) { + assert_string_equal(best_match, expected->best_match); + } else { + assert_true(best_match == NULL); + } + talloc_free(best_match); + +done: + assert_true(check_leaks_pop(tmp_ctx) == true); + talloc_free(tmp_ctx); +} + +/* Test that setting no filter lets all access through + */ +void test_no_filter(void **state) +{ + struct filter_parse_result expected = { + .result = EOK, + .best_match = NULL + }; + + test_parse_filter_generic(NULL, &expected); +} + +/* Test that if one filter is provided, it is returned as-is + */ +void test_single_filter(void **state) +{ + struct filter_parse_result expected = { + .result = EOK, + .best_match = "(name=foo)" + }; + + test_parse_filter_generic("name=foo", &expected); + test_parse_filter_generic("(name=foo)", &expected); + test_parse_filter_generic(DOM_NAME":(name=foo)", &expected); + test_parse_filter_generic("DOM:"DOM_NAME":(name=foo)", &expected); +} + +/* Test that if more filters are provided, the best match is returned */ +void test_filter_order(void **state) +{ + struct filter_parse_result expected = { + .result = EOK, + .best_match = "(name=foo)" + }; + + test_parse_filter_generic("name=foo?name=bar", &expected); + test_parse_filter_generic(DOM_NAME":(name=foo)?name=bar", &expected); + test_parse_filter_generic("name=bla?"DOM_NAME":(name=foo)?name=bar", &expected); + /* Test that another foreign domain wouldn't match */ + test_parse_filter_generic("anotherdom:(name=bla)?"DOM_NAME":(name=foo)", &expected); + test_parse_filter_generic("anotherdom:(name=bla)?(name=foo)", &expected); +} + +void test_filter_no_match(void **state) +{ + struct filter_parse_result expected = { + .result = EOK, + .best_match = NULL + }; + + 
test_parse_filter_generic("anotherdom:(name=bla)?yetanother:(name=foo)", &expected); +} + + +int parse_test_setup(void **state) +{ + assert_true(leak_check_setup()); + return 0; +} + +int parse_test_teardown(void **state) +{ + assert_true(leak_check_teardown()); + return 0; +} + +struct parse_result { + const int result; + const char *filter; + const char *spec; + const int flags; +}; + +static void test_parse_generic(const char *filter_in, struct parse_result *expected) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + char *filter; + char *spec; + int flags; + + assert_non_null(expected); + + tmp_ctx = talloc_new(global_talloc_context); + assert_non_null(tmp_ctx); + check_leaks_push(tmp_ctx); + + ret = parse_filter(tmp_ctx, filter_in, &filter, &spec, &flags); + + assert_int_equal(ret, expected->result); + if (expected->result != EOK) { + goto done; + } + + if (expected->filter != NULL) { + assert_string_equal(filter, expected->filter); + } else { + assert_true(filter == NULL); + } + talloc_free(filter); + + if (expected->spec != NULL) { + assert_string_equal(spec, expected->spec); + } else { + assert_true(spec == NULL); + } + talloc_free(spec); + + assert_int_equal(flags, expected->flags); + +done: + assert_true(check_leaks_pop(tmp_ctx) == true); + talloc_free(tmp_ctx); +} + +void test_parse_plain(void **state) +{ + struct parse_result expected = { + .result = EOK, + .filter = "name=foo", + .spec = NULL, + .flags = AD_FILTER_GENERIC + }; + + test_parse_generic("name=foo", &expected); +} + +void test_parse_dom_without_kw(void **state) +{ + struct parse_result expected = { + .result = EOK, + .filter = "(name=foo)", + .spec = "mydom", + .flags = AD_FILTER_DOMAIN + }; + + test_parse_generic("mydom:(name=foo)", &expected); + + /* Check we can handle domain called DOM */ + struct parse_result expected2 = { + .result = EOK, + .filter = "(name=foo)", + .spec = "DOM", + .flags = AD_FILTER_DOMAIN + }; + + test_parse_generic("DOM:(name=foo)", &expected2); +} + +void 
test_parse_dom_kw(void **state) +{ + struct parse_result expected = { + .result = EOK, + .filter = "(name=foo)", + .spec = "mydom", + .flags = AD_FILTER_DOMAIN + }; + + test_parse_generic("DOM:mydom:(name=foo)", &expected); +} + +void test_parse_forest_kw(void **state) +{ + struct parse_result expected = { + .result = EOK, + .filter = "(name=foo)", + .spec = "myforest", + .flags = AD_FILTER_FOREST + }; + + test_parse_generic("FOREST:myforest:(name=foo)", &expected); +} + + +void test_parse_malformed(void **state) +{ + struct parse_result expected = { + .result = EINVAL, + }; + + test_parse_generic("DOM:", &expected); + test_parse_generic("DOM::", &expected); + test_parse_generic("DOM:mydom:", &expected); + test_parse_generic("DOM:mydom:name=foo", &expected); + test_parse_generic("DOM::(name=foo)", &expected); + test_parse_generic("BLABLABLA:mydom:name=foo", &expected); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_parse_plain, + parse_test_setup, + parse_test_teardown), + + cmocka_unit_test_setup_teardown(test_parse_dom_without_kw, + parse_test_setup, + parse_test_teardown), + + cmocka_unit_test_setup_teardown(test_parse_dom_kw, + parse_test_setup, + parse_test_teardown), + + cmocka_unit_test_setup_teardown(test_parse_forest_kw, + parse_test_setup, + parse_test_teardown), + + cmocka_unit_test_setup_teardown(test_parse_malformed, + parse_test_setup, + parse_test_teardown), + + cmocka_unit_test_setup_teardown(test_no_filter, + ad_access_filter_test_setup, + ad_access_filter_test_teardown), + + cmocka_unit_test_setup_teardown(test_single_filter, + ad_access_filter_test_setup, + ad_access_filter_test_teardown), + + cmocka_unit_test_setup_teardown(test_filter_order, + ad_access_filter_test_setup, + ad_access_filter_test_teardown), + + 
cmocka_unit_test_setup_teardown(test_filter_no_match,
+ ad_access_filter_test_setup,
+ ad_access_filter_test_teardown),
+
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_ad_common.c b/src/tests/cmocka/test_ad_common.c
new file mode 100644
index 0000000..ac3b0d0
--- /dev/null
+++ b/src/tests/cmocka/test_ad_common.c
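Review bot: In test_ad_access_filter.c, `test_filter_no_match` expects the same outcome (`EOK` with a NULL `best_match`) that the comment on `test_no_filter` describes as "lets all access through", and it is the only filter test without a comment. If the caller of `ad_parse_access_filter()` treats a NULL best match as allow-all (the caller is not part of this hunk), a filter list that names only other domains would leave this domain unrestricted, which should be stated where the behaviour is pinned. Add a comment above the test such as `/* Filters scoped only to other domains leave best_match NULL, the same result as having no filter configured */`. The malformed inputs in `test_parse_malformed` are fed only to `parse_filter()`; a case passing one of them to `ad_parse_access_filter()` would pin how the access-filter entry point reports them.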
@@ -0,0 +1,1045 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: AD access control filter tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "providers/ad/ad_pac.h" +#include "util/crypto/sss_crypto.h" +#ifdef HAVE_NSS +#include "util/crypto/nss/nss_util.h" +#endif +#include "util/util_sss_idmap.h" + +/* In order to access opaque types */ +#include "providers/ad/ad_common.c" + +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_krb5.h" + +#define DOMNAME "domname" +#define SUBDOMNAME "sub."DOMNAME +#define REALMNAME DOMNAME +#define HOST_NAME "ad."REALMNAME + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_AUTHID "host/"HOST_NAME +#define KEYTAB_TEST_PRINC TEST_AUTHID"@"REALMNAME +#define KEYTAB_PATH TESTS_PATH"/keytab_test.keytab" + +#define ONEWAY_DOMNAME "ONEWAY" +#define ONEWAY_HOST_NAME "ad."ONEWAY_DOMNAME + +#define ONEWAY_KEYTAB_PATH TESTS_PATH"/oneway_test.keytab" +#define ONEWAY_AUTHID "host/"ONEWAY_HOST_NAME +#define ONEWAY_TEST_PRINC ONEWAY_AUTHID"@"ONEWAY_DOMNAME + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_ad_sysdb.ldb" +#define TEST_ID_PROVIDER "ad" +#define TEST_DOM1_NAME "test_sysdb_subdomains_1" +#define TEST_DOM2_NAME "child2.test_sysdb_subdomains_2" +#define TEST_USER "test_user" + +static bool 
call_real_sasl_options; + +const char *domains[] = { TEST_DOM1_NAME, + TEST_DOM2_NAME, + NULL }; +struct ad_sysdb_test_ctx { + struct sss_test_ctx *tctx; +}; + +static int test_ad_sysdb_setup(void **state) +{ + struct ad_sysdb_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, + struct ad_sysdb_test_ctx); + assert_non_null(test_ctx); + + test_dom_suite_setup(TESTS_PATH); + + test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH, + TEST_CONF_DB, domains, + TEST_ID_PROVIDER, NULL); + assert_non_null(test_ctx->tctx); + + *state = test_ctx; + return 0; +} + +static int test_ad_sysdb_teardown(void **state) +{ + struct ad_sysdb_test_ctx *test_ctx = + talloc_get_type(*state, struct ad_sysdb_test_ctx); + + test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +static void test_check_if_pac_is_available(void **state) +{ + int ret; + struct ad_sysdb_test_ctx *test_ctx = + talloc_get_type(*state, struct ad_sysdb_test_ctx); + struct dp_id_data *ar; + struct ldb_message *msg = NULL; + struct sysdb_attrs *attrs; + + ret = check_if_pac_is_available(NULL, NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ar = talloc_zero(test_ctx, struct dp_id_data); + assert_non_null(ar); + + ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg); + assert_int_equal(ret, EINVAL); + + ar->filter_type = BE_FILTER_NAME; + ar->filter_value = discard_const(TEST_USER); + + ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg); + assert_int_equal(ret, ENOENT); + + ret = sysdb_add_user(test_ctx->tctx->dom, TEST_USER, 123, 456, NULL, NULL, + NULL, NULL, NULL, 0, 0); + assert_int_equal(ret, EOK); + + ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg); + assert_int_equal(ret, ENOENT); + + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, 
SYSDB_PAC_BLOB, "pac"); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER, attrs, + SYSDB_MOD_REP); + + /* PAC available but too old */ + ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg); + assert_int_equal(ret, ENOENT); + + talloc_free(attrs); + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_PAC_BLOB_EXPIRE, 123); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER, attrs, + SYSDB_MOD_REP); + + /* PAC available but still too old */ + ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg); + assert_int_equal(ret, ENOENT); + + talloc_free(attrs); + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_PAC_BLOB_EXPIRE, time(NULL) + 10); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER, attrs, + SYSDB_MOD_REP); + + /* PAC available but still too old */ + ret = check_if_pac_is_available(test_ctx, test_ctx->tctx->dom, ar, &msg); + assert_int_equal(ret, EOK); + assert_non_null(msg); + assert_string_equal(ldb_msg_find_attr_as_string(msg, SYSDB_NAME, "x"), + TEST_USER); + + talloc_free(attrs); + talloc_free(ar); +} + +#define TEST_PAC_BASE64 \ + "BQAAAAAAAAABAAAA6AEAAFgAAAAAAAAACgAAABAAAABAAgAAAA" \ + "AAAAwAAAA4AAAAUAIAAAAAAAAGAAAAFAAAAIgCAAAAAAAABwAA" \ + "ABQAAACgAgAAAAAAAAEQCADMzMzM2AEAAAAAAAAAAAIA2hr35p" \ + "Ji0QH/////////f/////////9/4veKrwAP0AHit/TZyQ/QAf//" \ + "//////9/BgAGAAQAAgAGAAYACAACAAAAAAAMAAIAAAAAABAAAg" \ + "AAAAAAFAACAAAAAAAYAAIATwAAAFAEAAABAgAABQAAABwAAgAg" \ + "AAAAAAAAAAAAAAAAAAAAAAAAABIAFAAgAAIABAAGACQAAgAoAA" \ + "IAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ + "AAAAAAEAAAAsAAIAAAAAAAAAAAAAAAAAAwAAAAAAAAADAAAAdA" \ + "B1ADEAAAADAAAAAAAAAAMAAAB0ACAAdQAAAAAAAAAAAAAAAAAA" \ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ + 
"UAAAD9ogAABwAAAAECAAAHAAAAXAQAAAcAAABWBAAABwAAAImm" \ + "AAAHAAAACgAAAAAAAAAJAAAAQQBEAC0AUwBFAFIAVgBFAFIAAA" \ + "ADAAAAAAAAAAIAAABBAEQABAAAAAEEAAAAAAAFFQAAAPgSE9xH" \ + "8xx2Ry8u1wEAAAAwAAIABwAAAAUAAAABBQAAAAAABRUAAAApyU" \ + "/ZwjzDeDZVh/hUBAAAgD5SqNxk0QEGAHQAdQAxABgAEAAQACgA" \ + "AAAAAAAAAAB0AHUAMQBAAGEAZAAuAGQAZQB2AGUAbABBAEQALg" \ + "BEAEUAVgBFAEwAdv///4yBQZ5ZQnp3qwj2lKGcd0UAAAAAdv//" \ + "/39fn4UneD5l6YxP8w/U0coAAAAA" + +#define TEST_PAC_RESOURCE_GROUPS_BASE64 \ + "BQAAAAAAAAABAAAA8AEAAFgAAAAAAAAACgAAABQAAABIAgAA" \ + "AAAAAAwAAABYAAAAYAIAAAAAAAAGAAAAEAAAALgCAAAAAAAA" \ + "BwAAABQAAADIAgAAAAAAAAEQCADMzMzM4AEAAAAAAAAAAAIA" \ + "Rr0gPUQO1AH/////////f/////////9/TRPNRwtu0wFN0zZy" \ + "1G7TAf////////9/CgAKAAQAAgAKAAoACAACAAAAAAAMAAIA" \ + "AAAAABAAAgAAAAAAFAACAAAAAAAYAAIACwAAAFEEAAABAgAA" \ + "AwAAABwAAgAgAgAAAAAAAAAAAAAAAAAAAAAAAAQABgAgAAIA" \ + "BgAIACQAAgAoAAIAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAAA" \ + "AAAAAAAAAAAAAAAAAAAAAAEAAAAsAAIANAACAAEAAAA4AAIA" \ + "BQAAAAAAAAAFAAAAdAB1AHMAZQByAAAABQAAAAAAAAAFAAAA" \ + "dAB1AHMAZQByAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" \ + "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAECAAAHAAAA" \ + "YgQAAAcAAABjBAAABwAAAAMAAAAAAAAAAgAAAEQAQwAEAAAA" \ + "AAAAAAMAAABXAEkATgAAAAQAAAABBAAAAAAABRUAAAAkYm0r" \ + "SyFumd73jX0BAAAAMAACAAcAAAABAAAAAQEAAAAAABIBAAAA" \ + "BAAAAAEEAAAAAAAFFQAAACRibStLIW6Z3veNfQEAAABoBAAA" \ + "BwAAIAAAAACAEuVfRA7UAQoAdAB1AHMAZQByAAAAAAAoABAA" \ + "HAA4AAAAAAAAAAAAdAB1AHMAZQByAEAAdwBpAG4ALgB0AHIA" \ + "dQBzAHQALgB0AGUAcwB0AFcASQBOAC4AVABSAFUAUwBUAC4A" \ + "VABFAFMAVAAAAAAAEAAAAOGTj7I9Qn7XebOqdHb///+fHhrZ" \ + "kBt0So4jOFBk84sDAAAAAA==" + +static void test_ad_get_data_from_pac(void **state) +{ + int ret; + struct PAC_LOGON_INFO *logon_info; + uint8_t *test_pac_blob; + size_t test_pac_blob_size; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + + test_pac_blob = sss_base64_decode(test_ctx, TEST_PAC_BASE64, + &test_pac_blob_size); + assert_non_null(test_pac_blob_size); + + ret = 
ad_get_data_from_pac(test_ctx, test_pac_blob, test_pac_blob_size, + &logon_info); + assert_int_equal(ret, EOK); + assert_non_null(logon_info); + assert_string_equal(logon_info->info3.base.account_name.string, "tu1"); + assert_string_equal(logon_info->info3.base.full_name.string, "t u"); + assert_int_equal(logon_info->info3.base.rid, 1104); + assert_int_equal(logon_info->info3.base.primary_gid, 513); + assert_int_equal(logon_info->info3.base.groups.count, 5); + assert_string_equal(logon_info->info3.base.logon_domain.string, "AD"); + assert_int_equal(logon_info->info3.sidcount, 1); + + talloc_free(test_pac_blob); + talloc_free(logon_info); +} + +static void test_ad_get_sids_from_pac(void **state) +{ + int ret; + struct PAC_LOGON_INFO *logon_info; + uint8_t *test_pac_blob; + size_t test_pac_blob_size; + char *user_sid; + char *primary_group_sid; + size_t num_sids; + char **sid_list; + struct sss_idmap_ctx *idmap_ctx; + enum idmap_error_code err; + size_t c; + size_t s; + + const char *sid_check_list[] = { "S-1-5-21-3692237560-1981608775-3610128199-513", + "S-1-5-21-3692237560-1981608775-3610128199-1110", + "S-1-5-21-3692237560-1981608775-3610128199-1116", + "S-1-5-21-3692237560-1981608775-3610128199-41725", + "S-1-5-21-3692237560-1981608775-3610128199-42633", + "S-1-5-21-3645884713-2026060994-4169618742-1108", + NULL }; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + + err = sss_idmap_init(sss_idmap_talloc, test_ctx, sss_idmap_talloc_free, + &idmap_ctx); + assert_int_equal(err, IDMAP_SUCCESS); + + test_pac_blob = sss_base64_decode(test_ctx, TEST_PAC_BASE64, + &test_pac_blob_size); + assert_non_null(test_pac_blob_size); + + ret = ad_get_data_from_pac(test_ctx, test_pac_blob, test_pac_blob_size, + &logon_info); + assert_int_equal(ret, EOK); + + ret = ad_get_sids_from_pac(test_ctx, idmap_ctx, logon_info, &user_sid, + &primary_group_sid, &num_sids, &sid_list); + assert_int_equal(ret, EOK); + assert_string_equal(user_sid, + 
"S-1-5-21-3692237560-1981608775-3610128199-1104"); + assert_string_equal(primary_group_sid, + "S-1-5-21-3692237560-1981608775-3610128199-513"); + assert_int_equal(num_sids, 6); + + for (c = 0; sid_check_list[c] != NULL; c++) { + for (s = 0; s < num_sids; s++) { + if (strcmp(sid_check_list[c], sid_list[s]) == 0) { + break; + } + } + if (s == num_sids) { + fail_msg("SID [%s] not found in SID list.", sid_check_list[c]); + } + } + + talloc_free(test_pac_blob); + talloc_free(logon_info); + talloc_free(user_sid); + talloc_free(primary_group_sid); + talloc_free(sid_list); + sss_idmap_free(idmap_ctx); +} + +#ifdef HAVE_STRUCT_PAC_LOGON_INFO_RESOURCE_GROUPS +static void test_ad_get_sids_from_pac_with_resource_groups(void **state) +{ + int ret; + struct PAC_LOGON_INFO *logon_info; + uint8_t *test_pac_blob; + size_t test_pac_blob_size; + char *user_sid; + char *primary_group_sid; + size_t num_sids; + char **sid_list; + struct sss_idmap_ctx *idmap_ctx; + enum idmap_error_code err; + size_t c; + size_t s; + + const char *sid_check_list[] = { "S-1-5-21-728588836-2574131531-2106456030-513", + "S-1-5-21-728588836-2574131531-2106456030-1122", + "S-1-5-21-728588836-2574131531-2106456030-1123", + "S-1-5-21-728588836-2574131531-2106456030-1128", + "S-1-18-1", + NULL }; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + + err = sss_idmap_init(sss_idmap_talloc, test_ctx, sss_idmap_talloc_free, + &idmap_ctx); + assert_int_equal(err, IDMAP_SUCCESS); + + test_pac_blob = sss_base64_decode(test_ctx, TEST_PAC_RESOURCE_GROUPS_BASE64, + &test_pac_blob_size); + assert_non_null(test_pac_blob_size); + + ret = ad_get_data_from_pac(test_ctx, test_pac_blob, test_pac_blob_size, + &logon_info); + assert_int_equal(ret, EOK); + + ret = ad_get_sids_from_pac(test_ctx, idmap_ctx, logon_info, &user_sid, + &primary_group_sid, &num_sids, &sid_list); + assert_int_equal(ret, EOK); + assert_string_equal(user_sid, + "S-1-5-21-728588836-2574131531-2106456030-1105"); + 
assert_string_equal(primary_group_sid, + "S-1-5-21-728588836-2574131531-2106456030-513"); + assert_int_equal(num_sids, 5); + + for (c = 0; sid_check_list[c] != NULL; c++) { + for (s = 0; s < num_sids; s++) { + if (strcmp(sid_check_list[c], sid_list[s]) == 0) { + break; + } + } + if (s == num_sids) { + fail_msg("SID [%s] not found in SID list.", sid_check_list[c]); + } + } + + talloc_free(test_pac_blob); + talloc_free(logon_info); + talloc_free(user_sid); + talloc_free(primary_group_sid); + talloc_free(sid_list); + sss_idmap_free(idmap_ctx); +} +#endif + +static void test_ad_get_pac_data_from_user_entry(void **state) +{ + int ret; + struct ldb_message *user_msg; + struct ldb_val val; + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + struct sss_idmap_ctx *idmap_ctx; + enum idmap_error_code err; + char *username; + char *user_sid; + char *primary_group_sid; + size_t num_sids; + char **sid_list; + size_t c; + size_t s; + const char *sid_check_list[] = { "S-1-5-21-3692237560-1981608775-3610128199-513", + "S-1-5-21-3692237560-1981608775-3610128199-1110", + "S-1-5-21-3692237560-1981608775-3610128199-1116", + "S-1-5-21-3692237560-1981608775-3610128199-41725", + "S-1-5-21-3692237560-1981608775-3610128199-42633", + "S-1-5-21-3645884713-2026060994-4169618742-1108", + NULL }; + + err = sss_idmap_init(sss_idmap_talloc, test_ctx, sss_idmap_talloc_free, + &idmap_ctx); + assert_int_equal(err, IDMAP_SUCCESS); + + user_msg = ldb_msg_new(test_ctx); + assert_non_null(user_msg); + + ret = ldb_msg_add_string(user_msg, SYSDB_NAME, "username"); + assert_int_equal(ret, EOK); + ret = ldb_msg_add_string(user_msg, SYSDB_OBJECTCATEGORY, SYSDB_USER_CLASS); + assert_int_equal(ret, EOK); + ret = ldb_msg_add_string(user_msg, SYSDB_PAC_BLOB_EXPIRE, "12345"); + assert_int_equal(ret, EOK); + val.data = sss_base64_decode(test_ctx, TEST_PAC_BASE64, &val.length); + ret = ldb_msg_add_value(user_msg, SYSDB_PAC_BLOB, &val, NULL); + assert_int_equal(ret, EOK); + 
+ + ret = ad_get_pac_data_from_user_entry(test_ctx, user_msg, idmap_ctx, + &username, &user_sid, + &primary_group_sid, &num_sids, + &sid_list); + assert_int_equal(ret, EOK); + assert_string_equal(username, "username"); + assert_string_equal(user_sid, + "S-1-5-21-3692237560-1981608775-3610128199-1104"); + assert_string_equal(primary_group_sid, + "S-1-5-21-3692237560-1981608775-3610128199-513"); + assert_int_equal(num_sids, 6); + for (c = 0; sid_check_list[c] != NULL; c++) { + for (s = 0; s < num_sids; s++) { + if (strcmp(sid_check_list[c], sid_list[s]) == 0) { + break; + } + } + if (s == num_sids) { + fail_msg("SID [%s] not found in SID list.", sid_check_list[c]); + } + } + + talloc_free(username); + talloc_free(user_sid); + talloc_free(primary_group_sid); + talloc_free(sid_list); + talloc_free(val.data); + talloc_free(user_msg); + sss_idmap_free(idmap_ctx); +} + +krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id) +{ + return krb5_kt_resolve(context, KEYTAB_PATH, id); +} + +struct ad_common_test_ctx { + struct ad_id_ctx *ad_ctx; + struct ad_id_ctx *subdom_ad_ctx; + + struct sss_domain_info *dom; + struct sss_domain_info *subdom; +}; + +static int test_ad_common_setup(void **state) +{ + struct ad_common_test_ctx *test_ctx; + + test_dom_suite_setup(TESTS_PATH); + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct ad_common_test_ctx); + assert_non_null(test_ctx); + + test_ctx->dom = talloc_zero(test_ctx, struct sss_domain_info); + assert_non_null(test_ctx->dom); + test_ctx->dom->name = discard_const(DOMNAME); + + test_ctx->subdom = talloc_zero(test_ctx, struct sss_domain_info); + assert_non_null(test_ctx->subdom); + test_ctx->subdom->name = discard_const(SUBDOMNAME); + test_ctx->subdom->parent = test_ctx->dom; + + test_ctx->ad_ctx = talloc_zero(test_ctx, struct ad_id_ctx); + assert_non_null(test_ctx->ad_ctx); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int 
test_ad_common_teardown(void **state) +{ + int ret; + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + + ret = rmdir(TESTS_PATH); + assert_return_code(ret, errno); + + return 0; +} + +static void test_ad_create_1way_trust_options(void **state) +{ + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + const char *s; + + call_real_sasl_options = true; + /* Make sure this is not the keytab that __wrap_krb5_kt_default uses */ + mock_keytab_with_contents(test_ctx, ONEWAY_KEYTAB_PATH, ONEWAY_TEST_PRINC); + + test_ctx->subdom->name = discard_const(ONEWAY_DOMNAME); + test_ctx->ad_ctx->ad_options = ad_create_1way_trust_options( + test_ctx->ad_ctx, + NULL, + NULL, + NULL, + test_ctx->subdom, + ONEWAY_HOST_NAME, + ONEWAY_KEYTAB_PATH, + ONEWAY_AUTHID); + assert_non_null(test_ctx->ad_ctx->ad_options); + + assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type, + SDAP_SCHEMA_AD); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_KRB5_REALM); + assert_non_null(s); + assert_string_equal(s, ONEWAY_DOMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_DOMAIN); + assert_non_null(s); + assert_string_equal(s, ONEWAY_DOMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_HOSTNAME); + assert_non_null(s); + assert_string_equal(s, ONEWAY_HOST_NAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_KEYTAB); + assert_non_null(s); + assert_string_equal(s, ONEWAY_KEYTAB_PATH); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_KRB5_KEYTAB); + assert_non_null(s); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_SASL_REALM); + assert_non_null(s); + assert_string_equal(s, ONEWAY_DOMNAME); + + s = 
dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_KRB5_REALM); + assert_non_null(s); + assert_string_equal(s, ONEWAY_DOMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_SASL_AUTHID); + assert_non_null(s); + assert_string_equal(s, ONEWAY_AUTHID); + + talloc_free(test_ctx->ad_ctx->ad_options); + + unlink(ONEWAY_KEYTAB_PATH); +} +static void test_ad_create_2way_trust_options(void **state) +{ + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + const char *s; + + call_real_sasl_options = true; + mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC); + test_ctx->subdom->name = discard_const(DOMNAME); + + test_ctx->ad_ctx->ad_options = ad_create_2way_trust_options( + test_ctx->ad_ctx, + NULL, + NULL, + NULL, + REALMNAME, + test_ctx->subdom, + HOST_NAME, + NULL); + + assert_non_null(test_ctx->ad_ctx->ad_options); + + assert_int_equal(test_ctx->ad_ctx->ad_options->id->schema_type, + SDAP_SCHEMA_AD); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_KRB5_REALM); + assert_non_null(s); + assert_string_equal(s, REALMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_DOMAIN); + assert_non_null(s); + assert_string_equal(s, DOMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->basic, + AD_HOSTNAME); + assert_non_null(s); + assert_string_equal(s, HOST_NAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_KRB5_KEYTAB); + assert_null(s); /* This is the system keytab */ + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_SASL_REALM); + assert_non_null(s); + assert_string_equal(s, REALMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_KRB5_REALM); + assert_non_null(s); + assert_string_equal(s, REALMNAME); + + s = dp_opt_get_string(test_ctx->ad_ctx->ad_options->id->basic, + SDAP_SASL_AUTHID); + assert_non_null(s); + assert_string_equal(s, 
TEST_AUTHID); + + talloc_free(test_ctx->ad_ctx->ad_options); + + unlink(KEYTAB_PATH); +} + +static int +test_ldap_conn_setup(void **state) +{ + struct ad_common_test_ctx *test_ctx; + errno_t ret; + struct sdap_domain *sdom; + struct ad_id_ctx *ad_ctx; + struct ad_id_ctx *subdom_ad_ctx; + struct sdap_id_conn_ctx *subdom_ldap_ctx; + + ret = test_ad_common_setup((void **) &test_ctx); + assert_int_equal(ret, EOK); + + mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC); + + ad_ctx = test_ctx->ad_ctx; + + test_ctx->ad_ctx->ad_options = ad_create_2way_trust_options( + ad_ctx, + NULL, + NULL, + NULL, + REALMNAME, + test_ctx->subdom, + HOST_NAME, + NULL); + + assert_non_null(ad_ctx->ad_options); + + ad_ctx->gc_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx); + assert_non_null(ad_ctx->gc_ctx); + + ad_ctx->ldap_ctx = talloc_zero(ad_ctx, struct sdap_id_conn_ctx); + assert_non_null(ad_ctx->ldap_ctx); + + ad_ctx->sdap_id_ctx = talloc_zero(ad_ctx, struct sdap_id_ctx); + assert_non_null(ad_ctx->sdap_id_ctx); + + ad_ctx->sdap_id_ctx->opts = talloc_zero(ad_ctx->sdap_id_ctx, + struct sdap_options); + assert_non_null(ad_ctx->sdap_id_ctx->opts); + + ret = sdap_domain_add(ad_ctx->sdap_id_ctx->opts, test_ctx->dom, &sdom); + assert_int_equal(ret, EOK); + sdom->pvt = ad_ctx; + + subdom_ad_ctx = talloc_zero(test_ctx, struct ad_id_ctx); + assert_non_null(subdom_ad_ctx); + + subdom_ldap_ctx = talloc_zero(subdom_ad_ctx, struct sdap_id_conn_ctx); + assert_non_null(subdom_ldap_ctx); + subdom_ad_ctx->ldap_ctx = subdom_ldap_ctx; + + ret = sdap_domain_add(ad_ctx->sdap_id_ctx->opts, test_ctx->subdom, &sdom); + assert_int_equal(ret, EOK); + sdom->pvt = subdom_ad_ctx; + + test_ctx->subdom_ad_ctx = subdom_ad_ctx; + + *state = test_ctx; + return 0; +} + +static int +test_ldap_conn_teardown(void **state) +{ + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + unlink(KEYTAB_PATH); + + 
talloc_free(test_ctx->subdom_ad_ctx); + talloc_free(test_ctx->ad_ctx->ad_options); + talloc_free(test_ctx->ad_ctx->gc_ctx); + talloc_free(test_ctx->ad_ctx->ldap_ctx); + talloc_free(test_ctx->ad_ctx->sdap_id_ctx); + + test_ad_common_teardown((void **) &test_ctx); + return 0; +} + +errno_t +__real_sdap_set_sasl_options(struct sdap_options *id_opts, + char *default_primary, + char *default_realm, + const char *keytab_path); +errno_t +__wrap_sdap_set_sasl_options(struct sdap_options *id_opts, + char *default_primary, + char *default_realm, + const char *keytab_path) +{ + /* Pretend SASL is fine */ + if (call_real_sasl_options == true) { + return __real_sdap_set_sasl_options(id_opts, + default_primary, + default_realm, + keytab_path); + } + + return EOK; +} + +void test_ad_get_dom_ldap_conn(void **state) +{ + struct sdap_id_conn_ctx *conn; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + conn = ad_get_dom_ldap_conn(test_ctx->ad_ctx, test_ctx->dom); + assert_true(conn == test_ctx->ad_ctx->ldap_ctx); + + conn = ad_get_dom_ldap_conn(test_ctx->ad_ctx, test_ctx->subdom); + assert_true(conn == test_ctx->subdom_ad_ctx->ldap_ctx); +} + +void test_gc_conn_list(void **state) +{ + struct sdap_id_conn_ctx **conn_list; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + assert_true(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic, + AD_ENABLE_GC)); + conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx); + /* If there is a fallback, we should ignore the offline mode */ + assert_true(conn_list[0]->ignore_mark_offline); + assert_true(conn_list[1] == test_ctx->ad_ctx->ldap_ctx); + assert_false(conn_list[1]->ignore_mark_offline); + assert_null(conn_list[2]); + talloc_free(conn_list); + + conn_list = ad_gc_conn_list(test_ctx, 
test_ctx->ad_ctx, test_ctx->subdom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx); + assert_true(conn_list[0]->ignore_mark_offline); + assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx); + /* Subdomain error should not set the backend offline! */ + assert_true(conn_list[1]->ignore_mark_offline); + talloc_free(conn_list); + + dp_opt_set_bool(test_ctx->ad_ctx->ad_options->basic, AD_ENABLE_GC, false); + assert_false(dp_opt_get_bool(test_ctx->ad_ctx->ad_options->basic, + AD_ENABLE_GC)); + + conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->dom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx); + assert_false(conn_list[0]->ignore_mark_offline); + assert_null(conn_list[1]); + talloc_free(conn_list); + + conn_list = ad_gc_conn_list(test_ctx, test_ctx->ad_ctx, test_ctx->subdom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx); + assert_true(conn_list[0]->ignore_mark_offline); + assert_null(conn_list[1]); + talloc_free(conn_list); +} + +void test_ldap_conn_list(void **state) +{ + struct sdap_id_conn_ctx **conn_list; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + conn_list = ad_ldap_conn_list(test_ctx, + test_ctx->ad_ctx, + test_ctx->dom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx); + assert_false(conn_list[0]->ignore_mark_offline); + assert_null(conn_list[1]); + talloc_free(conn_list); + + conn_list = ad_ldap_conn_list(test_ctx, + test_ctx->ad_ctx, + test_ctx->subdom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->subdom_ad_ctx->ldap_ctx); + assert_true(conn_list[0]->ignore_mark_offline); + assert_null(conn_list[1]); + talloc_free(conn_list); +} + +void test_user_conn_list(void **state) +{ + struct sdap_id_conn_ctx **conn_list; + + struct ad_common_test_ctx 
*test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + conn_list = ad_user_conn_list(test_ctx, test_ctx->ad_ctx, + test_ctx->dom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->ad_ctx->ldap_ctx); + assert_false(conn_list[0]->ignore_mark_offline); + assert_null(conn_list[1]); + talloc_free(conn_list); + + conn_list = ad_user_conn_list(test_ctx, test_ctx->ad_ctx, + test_ctx->subdom); + assert_non_null(conn_list); + + assert_true(conn_list[0] == test_ctx->ad_ctx->gc_ctx); + assert_true(conn_list[0]->ignore_mark_offline); + assert_true(conn_list[1] == test_ctx->subdom_ad_ctx->ldap_ctx); + /* Subdomain error should not set the backend offline! */ + assert_true(conn_list[1]->ignore_mark_offline); + talloc_free(conn_list); +} + +void test_netlogon_get_domain_info(void **state) +{ + int ret; + struct sysdb_attrs *attrs; + struct ldb_val val = { 0 }; + char *flat_name; + char *site; + char *forest; + + struct ad_common_test_ctx *test_ctx = talloc_get_type(*state, + struct ad_common_test_ctx); + assert_non_null(test_ctx); + + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + ret = netlogon_get_domain_info(test_ctx, attrs, false, NULL, NULL, NULL); + assert_int_equal(ret, ENOENT); + + ret = sysdb_attrs_add_val(attrs, AD_AT_NETLOGON, &val); + assert_int_equal(ret, EOK); + + ret = netlogon_get_domain_info(test_ctx, attrs, false, NULL, NULL, NULL); + assert_int_equal(ret, EBADMSG); + + talloc_free(attrs); + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + val.data = sss_base64_decode(test_ctx, "FwAAAP0zAABsGcIYI7j2TL97Rd+TvpATAmFkBWRldmVsAMAYCWFkLXNlcnZlcsAYAkFEAAlBRC1TRVJWRVIAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQDAQAUAAAD/////", &val.length); + assert_non_null(val.data); + + ret = sysdb_attrs_add_val(attrs, AD_AT_NETLOGON, &val); + assert_int_equal(ret, EOK); + + ret = netlogon_get_domain_info(test_ctx, attrs, false, &flat_name, &site, &forest); + assert_int_equal(ret, EOK); + 
assert_string_equal(flat_name, "AD"); + assert_string_equal(site, "Default-First-Site-Name"); + assert_string_equal(forest, "ad.devel"); + + /* missing site */ + talloc_free(flat_name); + talloc_free(site); + talloc_free(forest); + talloc_free(val.data); + talloc_free(attrs); + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + val.data = sss_base64_decode(test_ctx, "FwAAAH0zAABsGcIYI7j2TL97Rd+TvpATAmFkBWRldmVsAMAYCWFkLXNlcnZlcsAYAkFEAAlBRC1TRVJWRVIAABdEZWZhdWx0LUZpcnN0LVNpdGUtTmFtZQAABQAAAP////8=", &val.length); + assert_non_null(val.data); + + ret = sysdb_attrs_add_val(attrs, AD_AT_NETLOGON, &val); + assert_int_equal(ret, EOK); + + ret = netlogon_get_domain_info(test_ctx, attrs, false, &flat_name, &site, &forest); + assert_int_equal(ret, EOK); + assert_string_equal(flat_name, "AD"); + assert_null(site); + assert_string_equal(forest, "ad.devel"); + + talloc_free(flat_name); + talloc_free(site); + talloc_free(forest); + ret = netlogon_get_domain_info(test_ctx, attrs, true, &flat_name, &site, &forest); + assert_int_equal(ret, EOK); + assert_string_equal(flat_name, "AD"); + assert_null(site); + assert_string_equal(forest, "ad.devel"); + + talloc_free(flat_name); + talloc_free(site); + talloc_free(forest); + talloc_free(val.data); + talloc_free(attrs); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int ret; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_ad_create_1way_trust_options, + test_ad_common_setup, + test_ad_common_teardown), + cmocka_unit_test_setup_teardown(test_ad_create_2way_trust_options, + test_ad_common_setup, + test_ad_common_teardown), + cmocka_unit_test_setup_teardown(test_ad_get_dom_ldap_conn, + test_ldap_conn_setup, + test_ldap_conn_teardown), + cmocka_unit_test_setup_teardown(test_gc_conn_list, + test_ldap_conn_setup, + test_ldap_conn_teardown), + 
cmocka_unit_test_setup_teardown(test_ldap_conn_list, + test_ldap_conn_setup, + test_ldap_conn_teardown), + cmocka_unit_test_setup_teardown(test_user_conn_list, + test_ldap_conn_setup, + test_ldap_conn_teardown), + cmocka_unit_test_setup_teardown(test_check_if_pac_is_available, + test_ad_sysdb_setup, + test_ad_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_ad_get_data_from_pac, + test_ad_common_setup, + test_ad_common_teardown), + cmocka_unit_test_setup_teardown(test_ad_get_sids_from_pac, + test_ad_common_setup, + test_ad_common_teardown), +#ifdef HAVE_STRUCT_PAC_LOGON_INFO_RESOURCE_GROUPS + cmocka_unit_test_setup_teardown(test_ad_get_sids_from_pac_with_resource_groups, + test_ad_common_setup, + test_ad_common_teardown), +#endif + cmocka_unit_test_setup_teardown(test_ad_get_pac_data_from_user_entry, + test_ad_common_setup, + test_ad_common_teardown), + cmocka_unit_test_setup_teardown(test_netlogon_get_domain_info, + test_ad_common_setup, + test_ad_common_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + ret = cmocka_run_group_tests(tests, NULL, NULL); + +#ifdef HAVE_NSS + /* Cleanup NSS and NSPR to make Valgrind happy. */ + nspr_nss_cleanup(); +#endif + + return ret; +} diff --git a/src/tests/cmocka/test_ad_gpo.c b/src/tests/cmocka/test_ad_gpo.c new file mode 100644 index 0000000..0589adc --- /dev/null +++ b/src/tests/cmocka/test_ad_gpo.c 
@@ -0,0 +1,389 @@
+/*
+ Authors:
+ Yassir Elley
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: GPO unit tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* In order to access opaque types */
+#include "providers/ad/ad_gpo.c"
+
+#include "tests/cmocka/common_mock.h"
+
+struct ad_gpo_test_ctx {
+ struct ldb_context *ldb_ctx;
+};
+
+static struct ad_gpo_test_ctx *test_ctx;
+
+static int ad_gpo_test_setup(void **state)
+{
+ assert_true(leak_check_setup());
+ test_ctx = talloc_zero(global_talloc_context,
+ struct ad_gpo_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->ldb_ctx = ldb_init(test_ctx, NULL);
+ assert_non_null(test_ctx->ldb_ctx);
+ return 0;
+}
+
+static int ad_gpo_test_teardown(void **state)
+{
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+struct som_list_result {
+ const int result;
+ const int num_soms;
+ const char **som_dns;
+};
+
+/*
+ * Test parsing target DN into som components
+ */
+static void test_populate_som_list(const char *target_dn,
+ struct som_list_result *expected)
+{
+ errno_t ret;
+ int i;
+ int num_soms;
+ struct gp_som **som_list = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ ret = ad_gpo_populate_som_list(tmp_ctx,
+ test_ctx->ldb_ctx,
+ target_dn,
+ &num_soms,
+ &som_list);
+
+ assert_int_equal(ret, expected->result);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ assert_int_equal(num_soms, expected->num_soms);
+
+ for (i=0; inum_soms; i++){
+ bool equal = true;
+ if (strncmp(som_list[i]->som_dn,
+ expected->som_dns[i],
+ strlen(expected->som_dns[i])) != 0) {
+ equal = false;
+ }
+
+ assert_int_equal(equal, true);
+ }
+
+ if (som_list) {
+ talloc_free(som_list);
+ }
+
+ done:
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+void test_populate_som_list_plain(void **state)
+{
+ const char *som_dns[] = {"OU=West OU,OU=Sales OU,DC=foo,DC=com",
+ "OU=Sales OU,DC=foo,DC=com",
+ "DC=foo,DC=com"};
+
+ struct som_list_result expected = {
+ .result = EOK,
+ .num_soms = 3,
+ .som_dns = som_dns
+ };
+
+ test_populate_som_list("CN=F21-Client,OU=West OU,OU=Sales OU,DC=foo,DC=com",
+ &expected);
+}
+
+void test_populate_som_list_malformed(void **state)
+{
+ struct som_list_result expected = {
+ .result = EINVAL,
+ };
+
+ test_populate_som_list("malformed target dn", &expected);
+}
+
+struct gplink_list_result {
+ const int result;
+ const int num_gplinks;
+ const char **gpo_dns;
+ bool *enforced;
+};
+
+/*
+ * Test parsing raw_gplink_value into gplink components
+ */
+static void test_populate_gplink_list(const char *input_gplink_value,
+ bool allow_enforced_only,
+ struct gplink_list_result *expected)
+{
+ errno_t ret;
+ int i;
+ struct gp_gplink **gplink_list = NULL;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ char *raw_gplink_value = talloc_strdup(tmp_ctx, input_gplink_value);
+
+ ret = ad_gpo_populate_gplink_list(tmp_ctx,
+ NULL,
+ raw_gplink_value,
+ &gplink_list,
+ allow_enforced_only);
+
+ talloc_free(raw_gplink_value);
+
+ assert_int_equal(ret, expected->result);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ for (i=0; inum_gplinks; i++){
+ bool equal = true;
+ if (strncmp(gplink_list[i]->gpo_dn,
+ expected->gpo_dns[i],
+ strlen(expected->gpo_dns[i])) != 0) {
+ equal = false;
+ }
+
+ if (gplink_list[i]->enforced != expected->enforced[i])
+ equal = false;
+
+ assert_int_equal(equal, true);
+ }
+
+ if (gplink_list) {
+ talloc_free(gplink_list);
+ }
+
+ done:
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+void test_populate_gplink_list_plain(void **state)
+{
+ const char *gpo_dns[] = {"OU=Sales,DC=FOO,DC=COM", "DC=FOO,DC=COM"};
+ bool enforced[] = {false, true};
+
+ struct gplink_list_result expected = {
+ .result = EOK,
+ .num_gplinks = 2,
+ .gpo_dns = gpo_dns,
+ .enforced = enforced
+ };
+
+ test_populate_gplink_list("[OU=Sales,DC=FOO,DC=COM;0][DC=FOO,DC=COM;2]",
+ false,
+ &expected);
+}
+
+void test_populate_gplink_list_with_ignored(void **state)
+{
+ const char *gpo_dns[] = {"OU=Sales,DC=FOO,DC=COM"};
+ bool enforced[] = {false};
+
+ struct gplink_list_result expected = {
+ .result = EOK,
+ .num_gplinks = 1,
+ .gpo_dns = gpo_dns,
+ .enforced = enforced
+ };
+
+ test_populate_gplink_list("[OU=Sales,DC=FOO,DC=COM;0][DC=ignored;1]",
+ false,
+ &expected);
+}
+
+void test_populate_gplink_list_with_allow_enforced(void **state)
+{
+ const char *gpo_dns[] = {"DC=FOO,DC=COM"};
+ bool enforced[] = {true};
+
+ struct gplink_list_result expected = {
+ .result = EOK,
+ .num_gplinks = 1,
+ .gpo_dns = gpo_dns,
+ .enforced = enforced
+ };
+
+ test_populate_gplink_list("[OU=Sales,DC=FOO,DC=COM;0][DC=FOO,DC=COM;2]",
+ true,
+ &expected);
+}
+
+void test_populate_gplink_list_malformed(void **state)
+{
+ struct gplink_list_result expected = {
+ .result = EINVAL,
+ };
+
+ test_populate_gplink_list(NULL, false, &expected);
+ test_populate_gplink_list("[malformed]", false, &expected);
+ /* the GPLinkOptions value (after semicolon) must be between 0 and 3 */
+ test_populate_gplink_list("[gpo_dn; 4]", false, &expected);
+}
+
+/*
+ * Test SID-matching logic
+ */
+static void test_ad_gpo_ace_includes_client_sid(const char *user_sid,
+ const char **group_sids,
+ int group_size,
+ struct dom_sid ace_dom_sid,
+ bool expected)
+{
+ errno_t ret;
+ enum idmap_error_code err;
+ struct sss_idmap_ctx *idmap_ctx;
+ bool includes_client_sid;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ err = sss_idmap_init(sss_idmap_talloc, tmp_ctx, sss_idmap_talloc_free,
+ &idmap_ctx);
+ assert_int_equal(err, IDMAP_SUCCESS);
+
+ ret = ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
+ ace_dom_sid, idmap_ctx,
+ &includes_client_sid);
+ talloc_free(idmap_ctx);
+
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(includes_client_sid, expected);
+
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+void test_ad_gpo_ace_includes_client_sid_true(void **state)
+{
+ /* ace_dom_sid represents "S-1-5-21-2-3-4" */
+ struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}};
+
+ const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
+
+ int group_size = 2;
+ const char *group_sids[] = {"S-1-5-21-2-3-4",
+ "S-1-5-21-2-3-5"};
+
+ test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
+ ace_dom_sid, true);
+}
+
+void test_ad_gpo_ace_includes_client_sid_false(void **state)
+{
+ /* ace_dom_sid represents "S-1-5-21-2-3-4" */
+ struct dom_sid ace_dom_sid = {1, 4, {0, 0, 0, 0, 0, 5}, {21, 2, 3, 4}};
+
+ const char *user_sid = "S-1-5-21-1175337206-4250576914-2321192831-1103";
+
+ int group_size = 2;
+ const char *group_sids[] = {"S-1-5-21-2-3-5",
+ "S-1-5-21-2-3-6"};
+
+ test_ad_gpo_ace_includes_client_sid(user_sid, group_sids, group_size,
+ ace_dom_sid, false);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_populate_som_list_plain,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_populate_som_list_malformed,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_populate_gplink_list_plain,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_populate_gplink_list_with_ignored,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_populate_gplink_list_with_allow_enforced,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_populate_gplink_list_malformed,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_true,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_gpo_ace_includes_client_sid_false,
+ ad_gpo_test_setup,
+ ad_gpo_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_ad_subdomains.c b/src/tests/cmocka/test_ad_subdomains.c
new file mode 100644
index 0000000..20c06aa
--- /dev/null
+++ b/src/tests/cmocka/test_ad_subdomains.c
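Review bot: In src/tests/cmocka/test_ad_gpo.c, `test_populate_gplink_list` never checks how many entries the parser returned; its loop only walks the first `expected->num_gplinks` items of `gplink_list`. As a result `test_populate_gplink_list_with_ignored` and `test_populate_gplink_list_with_allow_enforced` still pass if the link that should have been filtered out is returned after the expected ones, which is the access-control-relevant behaviour these two cases exist to pin. If the parser NULL-terminates the list (not visible in this hunk, so confirm in ad_gpo.c), add `assert_null(gplink_list[expected->num_gplinks]);` after the loop; otherwise have the helper expose a count the way `ad_gpo_populate_som_list` does with `num_soms`. Separately, both this helper and `test_populate_som_list` compare DNs with `strncmp(..., strlen(expected))`, which accepts any returned DN that merely starts with the expected text; `assert_string_equal(gplink_list[i]->gpo_dn, expected->gpo_dns[i]);` would also catch trailing garbage, assuming an exact match is what the parser is meant to produce.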
@@ -0,0 +1,328 @@
+/*
+ Authors:
+ Petr Čech
+
+ Copyright (C) 2016 Red Hat
+
+ SSSD tests: AD subdomain tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_resp.h"
+#include "providers/ad/ad_common.h"
+
+#include "providers/ad/ad_subdomains.c"
+#include "providers/ad/ad_opts.c"
+
+#define AD_DOMAIN "ad_domain.domain.test"
+#define DOMAIN_1 "one.domain.test"
+#define DOMAIN_2 "two.domain.test"
+
+struct test_ad_subdom_ctx {
+ struct ad_id_ctx *ad_id_ctx;
+};
+
+static struct ad_id_ctx *
+test_ad_subdom_init_ad_id_ctx(TALLOC_CTX *mem_ctx)
+{
+ struct ad_id_ctx *ad_id_ctx;
+ struct ad_options *ad_options;
+ errno_t ret;
+
+ ad_id_ctx = talloc_zero(mem_ctx, struct ad_id_ctx);
+ assert_non_null(ad_id_ctx);
+
+ ad_options = talloc_zero(ad_id_ctx, struct ad_options);
+ assert_non_null(ad_options);
+
+ ret = dp_copy_defaults(ad_options,
+ ad_basic_opts,
+ AD_OPTS_BASIC,
+ &ad_options->basic);
+ assert_int_equal(ret, EOK);
+
+ ad_id_ctx->ad_options = ad_options;
+
+ return ad_id_ctx;
+}
+
+static int test_ad_subdom_setup(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ad_subdom_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->ad_id_ctx = NULL;
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_ad_subdom_teardown(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_ad_subdom_ctx);
+ assert_non_null(test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_ad_subdom_default(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+ const char **ad_enabled_domains = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_ad_subdom_ctx);
+ test_ctx->ad_id_ctx = test_ad_subdom_init_ad_id_ctx(test_ctx);
+ assert_non_null(test_ctx->ad_id_ctx);
+
+ ret = ad_get_enabled_domains(test_ctx, test_ctx->ad_id_ctx,
+ AD_DOMAIN,
+ &ad_enabled_domains);
+ assert_int_equal(ret, EOK);
+ assert_null(ad_enabled_domains);
+
+ talloc_zfree(test_ctx->ad_id_ctx);
+}
+
+static void test_ad_subdom_add_one(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+ const char **ad_enabled_domains = NULL;
+ int enabled_domains_count;
+ int domain_count = 2;
+ const char *domains[domain_count];
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_ad_subdom_ctx);
+ test_ctx->ad_id_ctx = test_ad_subdom_init_ad_id_ctx(test_ctx);
+ assert_non_null(test_ctx->ad_id_ctx);
+
+ ret = dp_opt_set_string(test_ctx->ad_id_ctx->ad_options->basic,
+ AD_ENABLED_DOMAINS, DOMAIN_1);
+ assert_int_equal(ret, EOK);
+
+ ret = ad_get_enabled_domains(test_ctx, test_ctx->ad_id_ctx,
+ AD_DOMAIN,
+ &ad_enabled_domains);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ad_enabled_domains);
+
+ for (enabled_domains_count = 0;
+ ad_enabled_domains[enabled_domains_count] != NULL;
+ enabled_domains_count++) {
+ }
+ assert_int_equal(domain_count, enabled_domains_count);
+
+ domains[0] = AD_DOMAIN;
+ domains[1] = DOMAIN_1;
+ assert_true(are_values_in_array(domains, domain_count,
+ ad_enabled_domains, enabled_domains_count));
+
+ talloc_zfree(test_ctx->ad_id_ctx);
+ talloc_zfree(ad_enabled_domains);
+}
+
+static void test_ad_subdom_add_two(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+ const char **ad_enabled_domains = NULL;
+ int enabled_domains_count;
+ int domain_count = 3;
+ const char *domains[domain_count];
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_ad_subdom_ctx);
+ test_ctx->ad_id_ctx = test_ad_subdom_init_ad_id_ctx(test_ctx);
+ assert_non_null(test_ctx->ad_id_ctx);
+
+ ret = dp_opt_set_string(test_ctx->ad_id_ctx->ad_options->basic,
+ AD_ENABLED_DOMAINS, DOMAIN_1","DOMAIN_2);
+ assert_int_equal(ret, EOK);
+
+ ret = ad_get_enabled_domains(test_ctx, test_ctx->ad_id_ctx,
+ AD_DOMAIN,
+ &ad_enabled_domains);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ad_enabled_domains);
+
+ for (enabled_domains_count = 0;
+ ad_enabled_domains[enabled_domains_count] != NULL;
+ enabled_domains_count++) {
+ }
+ assert_int_equal(domain_count, enabled_domains_count);
+
+ domains[0] = AD_DOMAIN;
+ domains[1] = DOMAIN_1;
+ domains[2] = DOMAIN_2;
+ assert_true(are_values_in_array(domains, domain_count,
+ ad_enabled_domains, enabled_domains_count));
+
+ talloc_zfree(test_ctx->ad_id_ctx);
+ talloc_zfree(ad_enabled_domains);
+}
+
+static void test_ad_subdom_add_master(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+ const char **ad_enabled_domains = NULL;
+ int enabled_domains_count;
+ int domain_count = 1;
+ const char *domains[domain_count];
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_ad_subdom_ctx);
+ test_ctx->ad_id_ctx = test_ad_subdom_init_ad_id_ctx(test_ctx);
+ assert_non_null(test_ctx->ad_id_ctx);
+
+ ret = dp_opt_set_string(test_ctx->ad_id_ctx->ad_options->basic,
+ AD_ENABLED_DOMAINS, AD_DOMAIN);
+ assert_int_equal(ret, EOK);
+
+ ret = ad_get_enabled_domains(test_ctx, test_ctx->ad_id_ctx,
+ AD_DOMAIN,
+ &ad_enabled_domains);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ad_enabled_domains);
+
+ for (enabled_domains_count = 0;
+ ad_enabled_domains[enabled_domains_count] != NULL;
+ enabled_domains_count++) {
+ }
+ assert_int_equal(domain_count, enabled_domains_count);
+
+ domains[0] = AD_DOMAIN;
+ assert_true(are_values_in_array(domains, domain_count,
+ ad_enabled_domains, enabled_domains_count));
+
+ talloc_zfree(test_ctx->ad_id_ctx);
+ talloc_zfree(ad_enabled_domains);
+}
+
+static void test_ad_subdom_add_two_with_master(void **state)
+{
+ struct test_ad_subdom_ctx *test_ctx;
+ const char **ad_enabled_domains = NULL;
+ int enabled_domains_count;
+ int domain_count = 3;
+ const char *domains[domain_count];
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_ad_subdom_ctx);
+ test_ctx->ad_id_ctx = test_ad_subdom_init_ad_id_ctx(test_ctx);
+ assert_non_null(test_ctx->ad_id_ctx);
+
+ ret = dp_opt_set_string(test_ctx->ad_id_ctx->ad_options->basic,
+ AD_ENABLED_DOMAINS,
+ DOMAIN_1","AD_DOMAIN","DOMAIN_2);
+ assert_int_equal(ret, EOK);
+
+ ret = ad_get_enabled_domains(test_ctx, test_ctx->ad_id_ctx,
+ AD_DOMAIN,
+ &ad_enabled_domains);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ad_enabled_domains);
+
+ for (enabled_domains_count = 0;
+ ad_enabled_domains[enabled_domains_count] != NULL;
+ enabled_domains_count++) {
+ }
+ assert_int_equal(domain_count, enabled_domains_count);
+
+ domains[0] = AD_DOMAIN;
+ domains[1] = DOMAIN_1;
+ domains[2] = DOMAIN_2;
+ assert_true(are_values_in_array(domains, domain_count,
+ ad_enabled_domains, enabled_domains_count));
+
+ talloc_zfree(test_ctx->ad_id_ctx);
+ talloc_zfree(ad_enabled_domains);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ad_subdom_default,
+ test_ad_subdom_setup,
+ test_ad_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_subdom_add_one,
+ test_ad_subdom_setup,
+ test_ad_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_subdom_add_two,
+ test_ad_subdom_setup,
+ test_ad_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_subdom_add_master,
+ test_ad_subdom_setup,
+ test_ad_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_ad_subdom_add_two_with_master,
+ test_ad_subdom_setup,
+ test_ad_subdom_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ return rv;
+}
diff --git a/src/tests/cmocka/test_authtok.c b/src/tests/cmocka/test_authtok.c
new file mode 100644
index 0000000..9422f96
--- /dev/null
+++ b/src/tests/cmocka/test_authtok.c
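Review bot: In test_ad_subdomains.c the five test bodies fetch `test_ctx` with `talloc_get_type(*state, struct test_ad_subdom_ctx)` and dereference it on the very next line without a check, although `test_ad_subdom_teardown` does assert the same lookup. A missing or mistyped state pointer would therefore crash the runner instead of producing a test failure. I would write `test_ctx = talloc_get_type_abort(*state, struct test_ad_subdom_ctx);` in each test, or add `assert_non_null(test_ctx);` directly after the lookup. The comment above `tests_set_cwd();` in `main()` says the old DB is removed, but no cleanup call follows it in this file, so the comment should be dropped or the cleanup call added.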
@@ -0,0 +1,710 @@
+/*
+ SSSD
+
+ authtok - Utilities tests
+
+ Authors:
+ Pallavi Jha
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+
+#include "util/authtok.h"
+
+
+struct test_state {
+ struct sss_auth_token *authtoken;
+};
+
+static int setup(void **state)
+{
+ struct test_state *ts = NULL;
+
+ assert_true(leak_check_setup());
+
+ ts = talloc(global_talloc_context, struct test_state);
+ assert_non_null(ts);
+
+ ts->authtoken = sss_authtok_new(ts);
+ assert_non_null(ts->authtoken);
+
+ check_leaks_push(ts);
+ *state = (void *)ts;
+ return 0;
+}
+
+static int teardown(void **state)
+{
+ struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
+
+ assert_non_null(ts);
+
+ assert_true(check_leaks_pop(ts));
+ talloc_free(ts);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_sss_authtok_new(void **state)
+{
+ struct test_state *ts = talloc_get_type_abort(*state, struct test_state);
+ struct sss_auth_token *authtoken;
+
+ authtoken = sss_authtok_new(ts);
+ assert_non_null(authtoken);
+
+ talloc_free(authtoken);
+}
+
+/* @test_authtok_type_x : tests following functions for different value of type
+ * sss_authtok_set
+ * sss_authtok_get_type
+ * sss_authtok_get_size
+ * sss_authtok_get_data
+ * sss_authtok_get_password
+ * sss_authtok_get_ccfile
+ *
+ * @test_authtok_type_password : type => SSS_AUTHTOK_TYPE_PASSWORD
+ * @test_authtok_type_ccfile : type => SSS_AUTHTOK_TYPE_CCFILE
+ * @test_authtok_type_empty : type => SSS_AUTHTOK_TYPE_EMPTY
+ */
+
+/* Test when type has value SSS_AUTHTOK_TYPE_PASSWORD */
+static void test_sss_authtok_password(void **state)
+{
+ size_t len;
+ errno_t ret;
+ char *data;
+ size_t ret_len;
+ const char *pwd;
+ struct test_state *ts;
+ enum sss_authtok_type type;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ data = talloc_strdup(ts, "password");
+ assert_non_null(data);
+
+ len = strlen(data) + 1;
+ type = SSS_AUTHTOK_TYPE_PASSWORD;
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(type, sss_authtok_get_type(ts->authtoken));
+ assert_int_equal(len, sss_authtok_get_size(ts->authtoken));
+ assert_string_equal(data, sss_authtok_get_data(ts->authtoken));
+
+ ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, EOK);
+ assert_string_equal(data, pwd);
+ assert_int_equal(len - 1, ret_len);
+
+ ret = sss_authtok_set_password(ts->authtoken, data, len);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(data, pwd);
+ assert_int_equal(len - 1, ret_len);
+
+ talloc_free(data);
+ sss_authtok_set_empty(ts->authtoken);
+}
+
+/* Test when type has value SSS_AUTHTOK_TYPE_CCFILE */
+static void test_sss_authtok_ccfile(void **state)
+{
+ size_t len;
+ errno_t ret;
+ char *data;
+ size_t ret_len;
+ const char *pwd;
+ struct test_state *ts;
+ enum sss_authtok_type type;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ data = talloc_strdup(ts, "path/to/cc_file");
+ assert_non_null(data);
+
+ len = strlen(data) + 1;
+ type = SSS_AUTHTOK_TYPE_CCFILE;
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(type, sss_authtok_get_type(ts->authtoken));
+ assert_int_equal(len, sss_authtok_get_size(ts->authtoken));
+ assert_string_equal(data, sss_authtok_get_data(ts->authtoken));
+
+ ret = sss_authtok_get_ccfile(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, EOK);
+ assert_string_equal(data, pwd);
+ assert_int_equal(len - 1, ret_len);
+
+ ret = sss_authtok_set_ccfile(ts->authtoken, data, len);
+
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_ccfile(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, EOK);
+ assert_string_equal(data, pwd);
+ assert_int_equal(len - 1, ret_len);
+
+
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *) data, 0);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(type, sss_authtok_get_type(ts->authtoken));
+ assert_int_equal(len, sss_authtok_get_size(ts->authtoken));
+ assert_string_equal(data, sss_authtok_get_data(ts->authtoken));
+
+ ret = sss_authtok_get_ccfile(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, EOK);
+ assert_string_equal(data, pwd);
+ assert_int_equal(len - 1, ret_len);
+
+ talloc_free(data);
+ sss_authtok_set_empty(ts->authtoken);
+}
+
+/* Test when type has value SSS_AUTHTOK_TYPE_EMPTY */
+static void test_sss_authtok_empty(void **state)
+{
+ errno_t ret;
+ size_t ret_len;
+ const char *pwd;
+ struct test_state *ts;
+ enum sss_authtok_type type;
+
+ type = SSS_AUTHTOK_TYPE_EMPTY;
+ ts = talloc_get_type_abort(*state, struct test_state);
+ ret = sss_authtok_set(ts->authtoken, type, NULL, 0);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(type, sss_authtok_get_type(ts->authtoken));
+ assert_int_equal(0, sss_authtok_get_size(ts->authtoken));
+ assert_null(sss_authtok_get_data(ts->authtoken));
+
+ ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_authtok_get_ccfile(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, ENOENT);
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ assert_int_equal(type, sss_authtok_get_type(ts->authtoken));
+ assert_int_equal(0, sss_authtok_get_size(ts->authtoken));
+ assert_null(sss_authtok_get_data(ts->authtoken));
+
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t*)"", 0);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(type, sss_authtok_get_type(ts->authtoken));
+ assert_int_equal(EOK, sss_authtok_get_size(ts->authtoken));
+ assert_null(sss_authtok_get_data(ts->authtoken));
+
+ ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_authtok_get_ccfile(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sss_authtok_wipe_password(void **state)
+{
+ size_t len;
+ errno_t ret;
+ char *data;
+ size_t ret_len;
+ const char *pwd;
+ struct test_state *ts;
+ enum sss_authtok_type type;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ data = talloc_strdup(ts, "password");
+ assert_non_null(data);
+
+ len = strlen(data) + 1;
+ type = SSS_AUTHTOK_TYPE_PASSWORD;
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
+
+ assert_int_equal(ret, EOK);
+
+ sss_authtok_wipe_password(ts->authtoken);
+
+ ret = sss_authtok_get_password(ts->authtoken, &pwd, &ret_len);
+
+ assert_int_equal(ret, EOK);
+ assert_string_equal(pwd, "");
+ assert_int_equal(len - 1, ret_len);
+
+ sss_authtok_set_empty(ts->authtoken);
+ talloc_free(data);
+}
+
+static void test_sss_authtok_copy(void **state)
+{
+ size_t len;
+ errno_t ret;
+ char *data;
+ struct test_state *ts;
+ enum sss_authtok_type type;
+ struct sss_auth_token *dest_authtoken;
+
+ ts= talloc_get_type_abort(*state, struct test_state);
+
+ dest_authtoken = sss_authtok_new(ts);
+ assert_non_null(dest_authtoken);
+
+ data = talloc_strdup(ts, "password");
+ assert_non_null(data);
+
+ len = strlen(data) + 1;
+ type = SSS_AUTHTOK_TYPE_EMPTY;
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(EOK, sss_authtok_copy(ts->authtoken, dest_authtoken));
+ assert_int_equal(type, sss_authtok_get_type(dest_authtoken));
+
+ sss_authtok_set_empty(dest_authtoken);
+ type = SSS_AUTHTOK_TYPE_PASSWORD;
+ ret = sss_authtok_set(ts->authtoken, type, (const uint8_t *)data, len);
+
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_copy(ts->authtoken, dest_authtoken);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(type, sss_authtok_get_type(dest_authtoken));
+ assert_string_equal(data, sss_authtok_get_data(dest_authtoken));
+ assert_int_equal(len, sss_authtok_get_size(dest_authtoken));
+
+ sss_authtok_set_empty(dest_authtoken);
+ talloc_free(dest_authtoken);
+ sss_authtok_set_empty(ts->authtoken);
+ talloc_free(data);
+}
+
+void test_sss_authtok_2fa(void **state)
+{
+ int ret;
+ const char *fa1;
+ size_t fa1_size;
+ const char *fa2;
+ size_t fa2_size;
+ struct test_state *ts;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_authtok_set_2fa(NULL, "a", 0, "b", 0);
+ assert_int_equal(ret, EINVAL);
+
+ /* Test missing first factor */
+ ret = sss_authtok_set_2fa(ts->authtoken, NULL, 1, "b", 1);
+ assert_int_equal(ret, EINVAL);
+ /* Test missing second factor */
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, NULL, 1);
+ assert_int_equal(ret, EINVAL);
+ /* Test wrong first factor length */
+ ret = sss_authtok_set_2fa(ts->authtoken, "ab", 1, "b", 1);
+ assert_int_equal(ret, EINVAL);
+ /* Test wrong second factor length */
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 1);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_authtok_set_2fa(ts->authtoken, "a", 1, "bc", 2);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(sss_authtok_get_size(ts->authtoken),
+ 2 * sizeof(uint32_t) + 5);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken), SSS_AUTHTOK_TYPE_2FA);
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\2\0\0\0\3\0\0\0a\0bc\0",
+ 2 * sizeof(uint32_t) + 5);
+#else
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\0\0\0\2\0\0\0\3a\0bc\0",
+ 2 * sizeof(uint32_t) + 5);
+#endif
+
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(fa1_size, 1);
+ assert_string_equal(fa1, "a");
+ assert_int_equal(fa2_size, 2);
+ assert_string_equal(fa2, "bc");
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ /* check return code of empty token */
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
+ assert_int_equal(ret, ENOENT);
+
+ /* check return code for other token type */
+ ret = sss_authtok_set_password(ts->authtoken, "abc", 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_2fa(ts->authtoken, &fa1, &fa1_size, &fa2, &fa2_size);
+ assert_int_equal(ret, EACCES);
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ /* check return code for garbage */
+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_2FA,
+ (const uint8_t *) "1111222233334444", 16);
+ assert_int_equal(ret, EINVAL);
+
+ sss_authtok_set_empty(ts->authtoken);
+}
+
+void test_sss_authtok_2fa_blobs(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ size_t needed_size;
+ uint8_t *buf;
+ char *fa1;
+ size_t fa1_len;
+ char *fa2;
+ size_t fa2_len;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_auth_pack_2fa_blob(NULL, 0, "defg", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, NULL, 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("", 0, "defg", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, "", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EAGAIN);
+
+ buf = talloc_size(ts, needed_size);
+ assert_non_null(buf);
+
+ ret = sss_auth_pack_2fa_blob("abc", 0, "defg", 0, buf, needed_size,
+ &needed_size);
+ assert_int_equal(ret, EOK);
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0abc\0defg\0", needed_size);
+#else
+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5abc\0defg\0", needed_size);
+#endif
+
+ ret = sss_auth_unpack_2fa_blob(ts, buf, needed_size, &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(fa1_len, 3);
+ assert_string_equal(fa1, "abc");
+ assert_int_equal(fa2_len, 4);
+ assert_string_equal(fa2, "defg");
+
+ talloc_free(buf);
+ talloc_free(fa1);
+ talloc_free(fa2);
+}
+
+void test_sss_authtok_sc_blobs(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ size_t needed_size;
+ uint8_t *buf;
+ const char *pin;
+ size_t pin_len;
+ const char *token_name;
+ size_t token_name_len;
+ const char *module_name;
+ size_t module_name_len;
+ const char *key_id;
+ size_t key_id_len;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
+ NULL, 0, &needed_size);
+ assert_int_equal(ret, EAGAIN);
+
+ buf = talloc_size(ts, needed_size);
+ assert_non_null(buf);
+
+ ret = sss_auth_pack_sc_blob("abc", 0, "defg", 0, "hijkl", 0, "mnopqr", 0,
+ buf, needed_size, &needed_size);
+ assert_int_equal(ret, EOK);
+
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(buf, "\4\0\0\0\5\0\0\0\6\0\0\0\7\0\0\0abc\0defg\0hijkl\0mnopqr\0",
+ needed_size);
+#else
+ assert_memory_equal(buf, "\0\0\0\4\0\0\0\5\0\0\0\6\0\0\0\7abc\0defg\0hijkl\0mnopqr\0",
+ needed_size);
+#endif
+
+ ret = sss_authtok_set(ts->authtoken, SSS_AUTHTOK_TYPE_SC_PIN, buf,
+ needed_size);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_sc(ts->authtoken, &pin, &pin_len,
+ &token_name, &token_name_len,
+ &module_name, &module_name_len,
+ &key_id, &key_id_len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(pin_len, 3);
+ assert_string_equal(pin, "abc");
+ assert_int_equal(token_name_len, 4);
+ assert_string_equal(token_name, "defg");
+ assert_int_equal(module_name_len, 5);
+ assert_string_equal(module_name, "hijkl");
+ assert_int_equal(key_id_len, 6);
+ assert_string_equal(key_id, "mnopqr");
+
+ ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
+ &token_name, &token_name_len,
+ &module_name, &module_name_len,
+ &key_id, &key_id_len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(token_name_len, 4);
+ assert_string_equal(token_name, "defg");
+ assert_int_equal(module_name_len, 5);
+ assert_string_equal(module_name, "hijkl");
+ assert_int_equal(key_id_len, 6);
+ assert_string_equal(key_id, "mnopqr");
+
+ ret = sss_authtok_get_sc(ts->authtoken, NULL, NULL,
+ &token_name, NULL,
+ &module_name, NULL,
+ &key_id, NULL);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(token_name, "defg");
+ assert_string_equal(module_name, "hijkl");
+ assert_string_equal(key_id, "mnopqr");
+
+ sss_authtok_set_empty(ts->authtoken);
+ talloc_free(buf);
+}
+
+#define MISSING_NULL_CHECK do { \
+ assert_int_equal(ret, EOK); \
+ assert_int_equal(fa1_len, 3); \
+ assert_string_equal(fa1, "abc"); \
+ assert_int_equal(fa2_len, 4); \
+ assert_string_equal(fa2, "defg"); \
+ \
+ talloc_free(fa1); \
+ talloc_free(fa2); \
+} while (0)
+
+void test_sss_authtok_2fa_blobs_missing_null(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ char *fa1;
+ size_t fa1_len;
+ char *fa2;
+ size_t fa2_len;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ uint8_t b0[] = {0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b1[] = {0x03, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b2[] = {0x04, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'};
+ uint8_t b3[] = {0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f', 'g'};
+#else
+ uint8_t b0[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b1[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x05, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 0x00};
+ uint8_t b2[] = {0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 0x00, 'd', 'e', 'f', 'g'};
+ uint8_t b3[] = {0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 'a', 'b', 'c', 'd', 'e', 'f', 'g'};
+#endif
+
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_auth_unpack_2fa_blob(ts, b0, sizeof(b0), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+
+ ret = sss_auth_unpack_2fa_blob(ts, b1, sizeof(b1), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+
+ ret = sss_auth_unpack_2fa_blob(ts, b2, sizeof(b2), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+
+ ret = sss_auth_unpack_2fa_blob(ts, b3, sizeof(b3), &fa1, &fa1_len, &fa2,
+ &fa2_len);
+ MISSING_NULL_CHECK;
+}
+
+void test_sss_authtok_sc_keypad(void **state)
+{
+ struct test_state *ts;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ sss_authtok_set_sc_keypad(NULL);
+
+ sss_authtok_set_sc_keypad(ts->authtoken);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken),
+ SSS_AUTHTOK_TYPE_SC_KEYPAD);
+ assert_int_equal(sss_authtok_get_size(ts->authtoken), 0);
+ assert_null(sss_authtok_get_data(ts->authtoken));
+}
+
+void test_sss_authtok_sc_pin(void **state)
+{
+ struct test_state *ts;
+ int ret;
+ size_t size;
+ const char *pin;
+ size_t len;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_authtok_set_sc_pin(NULL, NULL, 0);
+ assert_int_equal(ret, EFAULT);
+
+ ret = sss_authtok_set_sc_pin(ts->authtoken, NULL, 0);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 0);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken),
+ SSS_AUTHTOK_TYPE_SC_PIN);
+ size = sss_authtok_get_size(ts->authtoken);
+ assert_int_equal(size, 28);
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\11\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345678\0\0\0\0",
+ size);
+#else
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\0\0\0\11\0\0\0\1\0\0\0\1\0\0\0\1" "12345678\0\0\0\0",
+ size);
+#endif
+
+ ret = sss_authtok_set_sc_pin(ts->authtoken, "12345678", 5);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(sss_authtok_get_type(ts->authtoken),
+ SSS_AUTHTOK_TYPE_SC_PIN);
+ size = sss_authtok_get_size(ts->authtoken);
+ assert_int_equal(size, 25);
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\6\0\0\0\1\0\0\0\1\0\0\0\1\0\0\0" "12345\0\0\0\0",
+ size);
+#else
+ assert_memory_equal(sss_authtok_get_data(ts->authtoken),
+ "\0\0\0\6\0\0\0\1\0\0\0\1\0\0\0\1" "12345\0\0\0\0",
+ size);
+#endif
+
+ ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(len, 5);
+ assert_string_equal(pin, "12345");
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_authtok_set_password(ts->authtoken, "12345", 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_authtok_get_sc_pin(ts->authtoken, &pin, &len);
+ assert_int_equal(ret, EACCES);
+
+ sss_authtok_set_empty(ts->authtoken);
+
+ ret = sss_authtok_get_sc_pin(NULL, &pin, &len);
+ assert_int_equal(ret, EFAULT);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_sss_authtok_new,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_password,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_ccfile,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_empty,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_wipe_password,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_copy,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_2fa_blobs_missing_null,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_keypad,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_pin,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_authtok_sc_blobs,
+ setup, teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_be_ptask.c b/src/tests/cmocka/test_be_ptask.c
new file mode 100644
index 0000000..ca80b54
--- /dev/null
+++ b/src/tests/cmocka/test_be_ptask.c
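Review bot: In test_authtok.c, `test_sss_authtok_wipe_password` only proves that the first byte of the stored password is NUL after `sss_authtok_wipe_password()`, because `assert_string_equal(pwd, "")` stops at the first terminator. An implementation that cleared one byte and left the rest of the secret in memory would still pass. The test already asserts that `ret_len` is unchanged, so it can check the whole buffer with `for (size_t i = 0; i < ret_len; i++) assert_int_equal(pwd[i], 0);`. Separately, `test_sss_authtok_empty` compares a size with an error code in `assert_int_equal(EOK, sss_authtok_get_size(ts->authtoken));`. Writing it as `assert_int_equal(0, sss_authtok_get_size(ts->authtoken));` states the intent and matches the earlier checks in the same test.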
@@ -0,0 +1,1021 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "providers/backend.h"
+#include "providers/be_ptask_private.h"
+#include "providers/be_ptask.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_be.h"
+#include "tests/common.h"
+
+#define DELAY 2
+#define PERIOD 1
+#define TIMEOUT 123
+
+#define new_test(test) \
+ cmocka_unit_test_setup_teardown(test_ ## test, test_setup, test_teardown)
+
+struct test_ctx {
+ struct sss_test_ctx *tctx;
+ struct be_ctx *be_ctx;
+
+ time_t when;
+ bool done;
+
+ bool add_online_cb_called;
+ bool add_offline_cb_called;
+};
+
+#define mark_online(test_ctx) do { \
+ test_ctx->be_ctx->offstat.went_offline = 0; \
+ test_ctx->be_ctx->offstat.offline = false; \
+} while (0)
+
+#define mark_offline(test_ctx) do { \
+ test_ctx->be_ctx->offstat.went_offline = get_current_time(); \
+ test_ctx->be_ctx->offstat.offline = true; \
+} while (0)
+
+/* Since both test_ctx->done and ptask->req is marked as finished already
+ * in the sync _send function before a new execution is scheduled we need to
+ * rely on the fact that ptask->req is set to zero when a new timer is
+ * created. This way we guarantee that the condition is true only when
+ * the ptask is executed and a new one is scheduled. */
+#define is_sync_ptask_finished(test_ctx, ptask) \
+ (test_ctx->done && ptask->req == NULL)
+
+static time_t get_current_time(void)
+{
+ struct timeval tv;
+ int ret;
+
+ ret = gettimeofday(&tv, NULL);
+ assert_int_equal(0, ret);
+ return tv.tv_sec;
+}
+
+/* Mock few backend functions so we don't have to bring the whole
+ * data provider into this test. */
+
+bool be_is_offline(struct be_ctx *ctx)
+{
+ return ctx->offstat.offline;
+}
+
+int be_add_online_cb(TALLOC_CTX *mem_ctx,
+ struct be_ctx *ctx,
+ be_callback_t cb,
+ void *pvt,
+ struct be_cb **online_cb)
+{
+ struct test_ctx *test_ctx = NULL;
+
+ test_ctx = sss_mock_ptr_type(struct test_ctx *);
+ test_ctx->add_online_cb_called = true;
+
+ return ERR_OK;
+}
+
+int be_add_offline_cb(TALLOC_CTX *mem_ctx,
+ struct be_ctx *ctx,
+ be_callback_t cb,
+ void *pvt,
+ struct be_cb **offline_cb)
+{
+ struct test_ctx *test_ctx = NULL;
+
+ test_ctx = sss_mock_ptr_type(struct test_ctx *);
+ test_ctx->add_offline_cb_called = true;
+
+ return ERR_OK;
+}
+
+struct test_be_ptask_state {
+ struct test_ctx *test_ctx;
+};
+
+struct tevent_req * test_be_ptask_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt)
+{
+ struct test_be_ptask_state *state = NULL;
+ struct test_ctx *test_ctx = NULL;
+ struct tevent_req *req = NULL;
+
+ assert_non_null(ev);
+ assert_non_null(be_ctx);
+ assert_non_null(be_ptask);
+ assert_non_null(pvt);
+
+ test_ctx = talloc_get_type(pvt, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->when = get_current_time();
+
+ req = tevent_req_create(mem_ctx, &state, struct test_be_ptask_state);
+ assert_non_null(req);
+
+ state->test_ctx = test_ctx;
+
+ tevent_req_done(req);
+ tevent_req_post(req, ev);
+ return req;
+}
+
+struct tevent_req * test_be_ptask_null_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt)
+{
+ struct test_ctx *test_ctx = NULL;
+ assert_non_null(ev);
+ assert_non_null(be_ctx);
+ assert_non_null(be_ptask);
+ assert_non_null(pvt);
+
+ test_ctx = talloc_get_type(pvt, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->when = get_current_time();
+ test_ctx->done = true;
+
+ return NULL;
+}
+
+struct tevent_req * test_be_ptask_timeout_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt)
+{
+ struct test_be_ptask_state *state = NULL;
+ struct test_ctx *test_ctx = NULL;
+ struct tevent_req *req = NULL;
+
+ assert_non_null(ev);
+ assert_non_null(be_ctx);
+ assert_non_null(be_ptask);
+ assert_non_null(pvt);
+
+ test_ctx = talloc_get_type(pvt, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->when = get_current_time();
+
+ req = tevent_req_create(mem_ctx, &state, struct test_be_ptask_state);
+ assert_non_null(req);
+
+ state->test_ctx = test_ctx;
+
+ /* we won't finish the request */
+
+ return req;
+}
+
+errno_t test_be_ptask_recv(struct tevent_req *req)
+{
+ struct test_be_ptask_state *state = NULL;
+
+ state = tevent_req_data(req, struct test_be_ptask_state);
+ assert_non_null(state);
+
+ state->test_ctx->done = true;
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ return ERR_OK;
+}
+
+errno_t test_be_ptask_error_recv(struct tevent_req *req)
+{
+ struct test_be_ptask_state *state = NULL;
+
+ state = tevent_req_data(req, struct test_be_ptask_state);
+ assert_non_null(state);
+
+ state->test_ctx->done = true;
+
+ return ERR_INTERNAL;
+}
+
+errno_t test_be_ptask_sync(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt)
+{
+ struct test_ctx *test_ctx = NULL;
+
+ assert_non_null(ev);
+ assert_non_null(be_ctx);
+ assert_non_null(be_ptask);
+ assert_non_null(pvt);
+
+ test_ctx = talloc_get_type(pvt, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->when = get_current_time();
+ test_ctx->done = true;
+
+ return ERR_OK;
+}
+
+errno_t test_be_ptask_sync_error(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct be_ctx *be_ctx,
+ struct be_ptask *be_ptask,
+ void *pvt)
+{
+ struct test_ctx *test_ctx = NULL;
+
+ assert_non_null(ev);
+ assert_non_null(be_ctx);
+ assert_non_null(be_ptask);
+ assert_non_null(pvt);
+
+ test_ctx = talloc_get_type(pvt, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->when = get_current_time();
+ test_ctx->done = true;
+
+ return ERR_INTERNAL;
+}
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx = NULL;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->tctx = create_ev_test_ctx(test_ctx);
+ assert_non_null(test_ctx->tctx);
+
+ test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx);
+ assert_non_null(test_ctx->be_ctx);
+
+ test_ctx->be_ctx->ev = tevent_context_init(test_ctx->be_ctx);
+ assert_non_null(test_ctx->be_ctx->ev);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_teardown(void **state)
+{
+ assert_true(check_leaks_pop(*state));
+ talloc_zfree(*state);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_be_ptask_create_einval_be(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, NULL, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, NULL, "Test ptask", &ptask);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_einval_period(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, 0, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, NULL, "Test ptask", &ptask);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_einval_send(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, NULL,
+ test_be_ptask_recv, NULL, "Test ptask", &ptask);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_einval_recv(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ NULL, NULL, "Test ptask", &ptask);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_einval_name(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, NULL, NULL, &ptask);
+ assert_int_equal(ret, EINVAL);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_no_delay(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now;
+ errno_t ret;
+
+ now = get_current_time();
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now <= ptask->last_execution);
+ assert_true(now <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_first_delay(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now;
+ errno_t ret;
+
+ now = get_current_time();
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, DELAY, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now + DELAY <= ptask->last_execution);
+ assert_true(now + DELAY <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_disable(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ be_ptask_disable(ptask);
+
+ assert_null(ptask->timer);
+ assert_false(ptask->enabled);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_enable(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now;
+ errno_t ret;
+
+ now = get_current_time();
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ be_ptask_disable(ptask);
+
+ now = get_current_time();
+ be_ptask_enable(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now <= ptask->last_execution);
+ assert_true(now <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_enable_delay(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, DELAY, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ be_ptask_disable(ptask);
+ test_ctx->done = false;
+ now = get_current_time();
+ be_ptask_enable(ptask);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now + DELAY <= ptask->last_execution);
+ assert_true(now + DELAY <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_offline_skip(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t next_execution;
+ time_t now;
+ errno_t ret;
+
+ mark_offline(test_ctx);
+
+ now = get_current_time();
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ next_execution = ptask->next_execution;
+ assert_true(now <= next_execution);
+
+ while (ptask->next_execution == next_execution && !test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(next_execution + PERIOD <= ptask->next_execution);
+ assert_true(ptask->enabled);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_offline_disable(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ mark_offline(test_ctx);
+
+ will_return(be_add_online_cb, test_ctx);
+ will_return(be_add_offline_cb, test_ctx);
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_DISABLE, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ assert_true(test_ctx->add_online_cb_called);
+ assert_true(test_ctx->add_offline_cb_called);
+
+ while (ptask->enabled && !test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_false(ptask->enabled);
+ assert_false(test_ctx->done);
+ assert_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_offline_execute(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ errno_t ret;
+
+ mark_offline(test_ctx);
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_EXECUTE, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(ptask->enabled);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_reschedule_ok(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t next_execution;
+ time_t now;
+ errno_t ret;
+
+ now = get_current_time();
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ next_execution = ptask->next_execution;
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now <= ptask->last_execution);
+ assert_true(now <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ assert_true(next_execution + PERIOD <= ptask->next_execution);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_reschedule_null(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now = 0;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_null_send,
+ test_be_ptask_recv, test_ctx, "Test ptask",
+ &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ now = get_current_time();
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now + PERIOD <= ptask->next_execution);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_reschedule_error(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now = 0;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_error_recv, test_ctx, "Test ptask",
+ &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ now = get_current_time();
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now + PERIOD <= ptask->next_execution);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_reschedule_timeout(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now = 0;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 1,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_timeout_send,
+ test_be_ptask_error_recv, test_ctx, "Test ptask",
+ &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ /* first iterate until the task is executed */
+ while (!test_ctx->done && ptask->req == NULL) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ /* then iterate until the request is destroyed */
+ while (!test_ctx->done && ptask->req != NULL) {
+ now = get_current_time();
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_false(test_ctx->done);
+ assert_true(now + PERIOD <= ptask->next_execution);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_reschedule_backoff(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t next_execution;
+ time_t now_first;
+ time_t now_backoff = 0;
+ errno_t ret;
+
+ now_first = get_current_time();
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, PERIOD*2, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ /* first run */
+ next_execution = ptask->next_execution;
+
+ while (!test_ctx->done) {
+ /* We need to acquire timestamp for the second test here, since this
+ * is the closest value to the timestamp when the next event is
+ * scheduled. */
+ now_backoff = get_current_time();
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now_first <= ptask->last_execution);
+ assert_true(now_first <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ assert_true(next_execution + PERIOD <= ptask->next_execution);
+ assert_int_equal(PERIOD*2, ptask->period);
+ assert_non_null(ptask->timer);
+
+ test_ctx->done = false;
+
+ /* second run */
+ next_execution = ptask->next_execution;
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now_backoff + PERIOD <= ptask->last_execution);
+ assert_true(now_backoff + PERIOD <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ assert_true(next_execution + PERIOD*2 <= ptask->next_execution);
+ assert_int_equal(PERIOD*2, ptask->period);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_get_period(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t out_period;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+
+ out_period = be_ptask_get_period(ptask);
+ assert_true(PERIOD == out_period);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_get_timeout(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t out_timeout;
+ errno_t ret;
+
+ ret = be_ptask_create(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, TIMEOUT,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_send,
+ test_be_ptask_recv, test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+
+ out_timeout = be_ptask_get_timeout(ptask);
+ assert_true(TIMEOUT == out_timeout);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_create_sync(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now;
+ errno_t ret;
+
+ now = get_current_time();
+ ret = be_ptask_create_sync(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_sync,
+ test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!test_ctx->done) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now <= ptask->last_execution);
+ assert_true(now <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_sync_reschedule_ok(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t next_execution;
+ time_t now;
+ errno_t ret;
+
+ now = get_current_time();
+ ret = be_ptask_create_sync(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0, test_be_ptask_sync,
+ test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ next_execution = ptask->next_execution;
+
+ while (!is_sync_ptask_finished(test_ctx, ptask)) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now <= ptask->last_execution);
+ assert_true(now <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ assert_true(next_execution + PERIOD <= ptask->next_execution);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_sync_reschedule_error(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t now = 0;
+ errno_t ret;
+
+ ret = be_ptask_create_sync(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, 0,
+ test_be_ptask_sync_error,
+ test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ while (!is_sync_ptask_finished(test_ctx, ptask)) {
+ now = get_current_time();
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now + PERIOD <= ptask->next_execution);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+void test_be_ptask_sync_reschedule_backoff(void **state)
+{
+ struct test_ctx *test_ctx = (struct test_ctx *)(*state);
+ struct be_ptask *ptask = NULL;
+ time_t next_execution;
+ time_t now_first;
+ time_t now_backoff = 0;
+ errno_t ret;
+
+ now_first = get_current_time();
+ ret = be_ptask_create_sync(test_ctx, test_ctx->be_ctx, PERIOD, 0, 0, 0, 0,
+ BE_PTASK_OFFLINE_SKIP, PERIOD*2,
+ test_be_ptask_sync_error,
+ test_ctx, "Test ptask", &ptask);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(ptask);
+ assert_non_null(ptask->timer);
+
+ /* first run */
+ next_execution = ptask->next_execution;
+
+ while (!is_sync_ptask_finished(test_ctx, ptask)) {
+ /* We need to acquire timestamp for the second test here, since this
+ * is the closest value to the timestamp when the next event is
+ * scheduled. */
+ now_backoff = get_current_time();
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now_first <= ptask->last_execution);
+ assert_true(now_first <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ assert_true(next_execution + PERIOD <= ptask->next_execution);
+ assert_int_equal(PERIOD*2, ptask->period);
+ assert_non_null(ptask->timer);
+
+ test_ctx->done = false;
+
+ /* second run */
+ next_execution = ptask->next_execution;
+
+ while (!is_sync_ptask_finished(test_ctx, ptask)) {
+ tevent_loop_once(test_ctx->be_ctx->ev);
+ }
+
+ assert_true(now_backoff + PERIOD <= ptask->last_execution);
+ assert_true(now_backoff + PERIOD <= test_ctx->when);
+ assert_true(ptask->last_execution <= test_ctx->when);
+
+ assert_true(next_execution + PERIOD*2 <= ptask->next_execution);
+ assert_int_equal(PERIOD*2, ptask->period);
+ assert_non_null(ptask->timer);
+
+ be_ptask_destroy(&ptask);
+ assert_null(ptask);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ new_test(be_ptask_create_einval_be),
+ new_test(be_ptask_create_einval_period),
+ new_test(be_ptask_create_einval_send),
+ new_test(be_ptask_create_einval_recv),
+ new_test(be_ptask_create_einval_name),
+ new_test(be_ptask_create_no_delay),
+ new_test(be_ptask_create_first_delay),
+ new_test(be_ptask_disable),
+ new_test(be_ptask_enable),
+ new_test(be_ptask_enable_delay),
+ new_test(be_ptask_offline_skip),
+ new_test(be_ptask_offline_disable),
+ new_test(be_ptask_offline_execute),
+ new_test(be_ptask_reschedule_ok),
+ new_test(be_ptask_reschedule_null),
+ new_test(be_ptask_reschedule_error),
+ new_test(be_ptask_reschedule_timeout),
+ new_test(be_ptask_reschedule_backoff),
+ new_test(be_ptask_get_period),
+ new_test(be_ptask_get_timeout),
+ new_test(be_ptask_create_sync),
+ new_test(be_ptask_sync_reschedule_ok),
+ new_test(be_ptask_sync_reschedule_error),
+ new_test(be_ptask_sync_reschedule_backoff)
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_cert_utils.c b/src/tests/cmocka/test_cert_utils.c
new file mode 100644
index 0000000..26fffb8
--- /dev/null
+++ b/src/tests/cmocka/test_cert_utils.c
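Review bot: The wait loops of the form `while (!test_ctx->done) { tevent_loop_once(test_ctx->be_ctx->ev); }`, first in test_be_ptask_create_no_delay and repeated in most of the later tests of test_be_ptask.c, discard the return value of tevent_loop_once() and have no bound, so an event-loop error or a task that never fires makes the run hang instead of fail. Asserting on the call, e.g. `assert_int_equal(tevent_loop_once(test_ctx->be_ctx->ev), 0);`, would turn a loop error into a test failure; a task that never fires would still need an overall time limit from the test harness. Separately, in test_be_ptask_enable the first `now = get_current_time();` is overwritten after be_ptask_disable() before it is ever read, so it can be dropped.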
@@ -0,0 +1,631 @@ +/* + SSSD + + Certificates - Utilities tests + + Authors: + Sumit Bose + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include "config.h" + +#include +#include +#ifdef HAVE_LIBCRYPTO +#include +#include +#endif + +#include "util/cert.h" +#include "tests/cmocka/common_mock.h" +#include "util/crypto/nss/nss_util.h" +#include "util/crypto/sss_crypto.h" + +#ifdef HAVE_TEST_CA +#include "tests/test_CA/SSSD_test_cert_pubsshkey_0001.h" +#include "tests/test_CA/SSSD_test_cert_x509_0001.h" +#include "tests/test_CA/SSSD_test_cert_pubsshkey_0002.h" +#include "tests/test_CA/SSSD_test_cert_x509_0002.h" +#else +#define SSSD_TEST_CERT_0001 "" +#define SSSD_TEST_CERT_SSH_KEY_0001 "" +#define SSSD_TEST_CERT_0002 "" +#define SSSD_TEST_CERT_SSH_KEY_0002 "" +#endif + +/* When run under valgrind with --trace-children=yes we have to increase the + * timeout not because p11_child needs much more time under valgrind but + * because of the way valgrind handles the children. 
*/ +#define P11_CHILD_TIMEOUT 40 + +/* TODO: create a certificate for this test */ +const uint8_t test_cert_der[] = { +0x30, 0x82, 0x04, 0x09, 0x30, 0x82, 0x02, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x09, +0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, +0x34, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x49, 0x50, 0x41, 0x2e, +0x44, 0x45, 0x56, 0x45, 0x4c, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x15, +0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, +0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, 0x38, 0x31, +0x30, 0x32, 0x31, 0x31, 0x31, 0x5a, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x38, 0x31, 0x30, +0x32, 0x31, 0x31, 0x31, 0x5a, 0x30, 0x32, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, +0x0c, 0x09, 0x49, 0x50, 0x41, 0x2e, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, +0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x69, 0x70, 0x61, 0x2d, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2e, +0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, +0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, +0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb2, 0x32, 0x92, 0xab, 0x47, 0xb8, +0x0c, 0x13, 0x54, 0x4a, 0x1f, 0x1e, 0x29, 0x06, 0xff, 0xd0, 0x50, 0xcb, 0xf7, 0x5f, 0x79, 0x91, +0x65, 0xb1, 0x39, 0x01, 0x83, 0x6a, 0xad, 0x9e, 0x77, 0x3b, 0xf3, 0x0d, 0xd7, 0xb9, 0xf6, 0xdc, +0x9e, 0x4a, 0x49, 0xa7, 0xd0, 0x66, 0x72, 0xcc, 0xbf, 0x77, 0xd6, 0xde, 0xa9, 0xfe, 0x67, 0x96, +0xcc, 0x49, 0xf1, 0x37, 0x23, 0x2e, 0xc4, 0x50, 0xf4, 0xeb, 0xba, 0x62, 0xd4, 0x23, 0x4d, 0xf3, +0x37, 0x38, 0x82, 0xee, 0x3b, 0x3f, 0x2c, 0xd0, 0x80, 0x9b, 0x17, 0xaa, 0x9b, 0xeb, 0xa6, 0xdd, +0xf6, 0x15, 0xff, 0x06, 0xb2, 0xce, 0xff, 0xdf, 0x8a, 0x9e, 0x95, 0x85, 0x49, 0x1f, 0x84, 0xfd, +0x81, 0x26, 0xce, 0x06, 0x32, 0x0d, 
0x36, 0xca, 0x7c, 0x15, 0x81, 0x68, 0x6b, 0x8f, 0x3e, 0xb3, +0xa2, 0xfc, 0xae, 0xaf, 0xc2, 0x44, 0x58, 0x15, 0x95, 0x40, 0xfc, 0x56, 0x19, 0x91, 0x80, 0xed, +0x42, 0x11, 0x66, 0x04, 0xef, 0x3c, 0xe0, 0x76, 0x33, 0x4b, 0x83, 0xfa, 0x7e, 0xb4, 0x47, 0xdc, +0xfb, 0xed, 0x46, 0xa5, 0x8d, 0x0a, 0x66, 0x87, 0xa5, 0xef, 0x7b, 0x74, 0x62, 0xac, 0xbe, 0x73, +0x36, 0xc9, 0xb4, 0xfe, 0x20, 0xc4, 0x81, 0xf3, 0xfe, 0x78, 0x19, 0xa8, 0xd0, 0xaf, 0x7f, 0x81, +0x72, 0x24, 0x61, 0xd9, 0x76, 0x93, 0xe3, 0x0b, 0xd2, 0x4f, 0x19, 0x17, 0x33, 0x57, 0xd4, 0x82, +0xb0, 0xf1, 0xa8, 0x03, 0xf6, 0x01, 0x99, 0xa9, 0xb8, 0x8c, 0x83, 0xc9, 0xba, 0x19, 0x87, 0xea, +0xd6, 0x3b, 0x06, 0xeb, 0x4c, 0xf7, 0xf1, 0xe5, 0x28, 0xa9, 0x10, 0xb6, 0x46, 0xde, 0xe1, 0xe1, +0x3f, 0xc1, 0xcc, 0x72, 0xbe, 0x2a, 0x43, 0xc6, 0xf6, 0xd0, 0xb5, 0xa0, 0xc4, 0x24, 0x6e, 0x4f, +0xbd, 0xec, 0x22, 0x8a, 0x07, 0x11, 0x3d, 0xf9, 0xd3, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, +0x82, 0x01, 0x26, 0x30, 0x82, 0x01, 0x22, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, +0x30, 0x16, 0x80, 0x14, 0xf2, 0x9d, 0x42, 0x4e, 0x0f, 0xc4, 0x48, 0x25, 0x58, 0x2f, 0x1c, 0xce, +0x0f, 0xa1, 0x3f, 0x22, 0xc8, 0x55, 0xc8, 0x91, 0x30, 0x3b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, +0x05, 0x07, 0x01, 0x01, 0x04, 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, +0x05, 0x07, 0x30, 0x01, 0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x69, 0x70, 0x61, +0x2d, 0x63, 0x61, 0x2e, 0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2f, 0x63, 0x61, +0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, +0x04, 0x03, 0x02, 0x04, 0xf0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, +0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, +0x05, 0x07, 0x03, 0x02, 0x30, 0x74, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x6d, 0x30, 0x6b, 0x30, +0x69, 0xa0, 0x31, 0xa0, 0x2f, 0x86, 0x2d, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x69, 0x70, 
+0x61, 0x2d, 0x63, 0x61, 0x2e, 0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2f, 0x69, +0x70, 0x61, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x43, 0x52, 0x4c, +0x2e, 0x62, 0x69, 0x6e, 0xa2, 0x34, 0xa4, 0x32, 0x30, 0x30, 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x03, +0x55, 0x04, 0x0a, 0x0c, 0x05, 0x69, 0x70, 0x61, 0x63, 0x61, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, +0x55, 0x04, 0x03, 0x0c, 0x15, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, +0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, +0x0e, 0x04, 0x16, 0x04, 0x14, 0x2d, 0x2b, 0x3f, 0xcb, 0xf5, 0xb2, 0xff, 0x32, 0x2c, 0xa8, 0xc2, +0x1c, 0xdd, 0xbd, 0x8c, 0x80, 0x1e, 0xdd, 0x31, 0x82, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, +0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x9a, 0x47, 0x2e, +0x50, 0xa7, 0x4d, 0x1d, 0x53, 0x0f, 0xc9, 0x71, 0x42, 0x0c, 0xe5, 0xda, 0x7d, 0x49, 0x64, 0xe7, +0xab, 0xc8, 0xdf, 0xdf, 0x02, 0xc1, 0x87, 0xd1, 0x5b, 0xde, 0xda, 0x6f, 0x2b, 0xe4, 0xf0, 0xbe, +0xba, 0x09, 0xdf, 0x02, 0x85, 0x0b, 0x8a, 0xe6, 0x9b, 0x06, 0x7d, 0x69, 0x38, 0x6c, 0x72, 0xff, +0x4c, 0x7b, 0x2a, 0x0d, 0x3f, 0x23, 0x2f, 0x16, 0x46, 0xff, 0x05, 0x93, 0xb0, 0xea, 0x24, 0x28, +0xd7, 0x12, 0xa1, 0x57, 0xb8, 0x59, 0x19, 0x25, 0xf3, 0x43, 0x0a, 0xd3, 0xfd, 0x0f, 0x37, 0x8d, +0xb8, 0xca, 0x15, 0xe7, 0x48, 0x8a, 0xa0, 0xc7, 0xc7, 0x4b, 0x7f, 0x01, 0x3c, 0x58, 0xd7, 0x37, +0xe5, 0xff, 0x7d, 0x2b, 0x01, 0xac, 0x0d, 0x9f, 0x51, 0x6a, 0xe5, 0x40, 0x24, 0xe6, 0x5e, 0x55, +0x0d, 0xf7, 0xb8, 0x2f, 0x42, 0xac, 0x6d, 0xe5, 0x29, 0x6b, 0xc6, 0x0b, 0xa4, 0xbf, 0x19, 0xbd, +0x39, 0x27, 0xee, 0xfe, 0xc5, 0xb3, 0xdb, 0x62, 0xd4, 0xbe, 0xd2, 0x47, 0xba, 0x96, 0x30, 0x5a, +0xfd, 0x62, 0x00, 0xb8, 0x27, 0x5d, 0x2f, 0x3a, 0x94, 0x0b, 0x95, 0x35, 0x85, 0x40, 0x2c, 0xbc, +0x67, 0xdf, 0x8a, 0xf9, 0xf1, 0x7b, 0x19, 0x96, 0x3e, 0x42, 0x48, 0x13, 0x23, 0x04, 0x95, 0xa9, +0x6b, 0x11, 0x33, 0x81, 0x47, 0x5a, 0x83, 0x72, 0xf6, 
0x20, 0xfa, 0x8e, 0x41, 0x7b, 0x8f, 0x77, +0x47, 0x7c, 0xc7, 0x5d, 0x46, 0xf4, 0x4f, 0xfd, 0x81, 0x0a, 0xae, 0x39, 0x27, 0xb6, 0x6a, 0x26, +0x63, 0xb1, 0xd3, 0xbf, 0x55, 0x83, 0x82, 0x9b, 0x36, 0x6c, 0x33, 0x64, 0x0f, 0x50, 0xc0, 0x55, +0x94, 0x13, 0xc3, 0x85, 0xf4, 0xd5, 0x71, 0x65, 0xd0, 0xc0, 0xdd, 0xfc, 0xe6, 0xec, 0x9c, 0x5b, +0xf0, 0x11, 0xb5, 0x2c, 0xf3, 0x48, 0xc1, 0x36, 0x8c, 0xa2, 0x96, 0x48, 0x84}; + +#define TEST_CERT_PEM "-----BEGIN CERTIFICATE-----\n" \ +"MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu\n" \ +"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA0Mjgx\n" \ +"MDIxMTFaFw0xNzA0MjgxMDIxMTFaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG\n" \ +"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" \ +"ADCCAQoCggEBALIykqtHuAwTVEofHikG/9BQy/dfeZFlsTkBg2qtnnc78w3Xufbc\n" \ +"nkpJp9Bmcsy/d9beqf5nlsxJ8TcjLsRQ9Ou6YtQjTfM3OILuOz8s0ICbF6qb66bd\n" \ +"9hX/BrLO/9+KnpWFSR+E/YEmzgYyDTbKfBWBaGuPPrOi/K6vwkRYFZVA/FYZkYDt\n" \ +"QhFmBO884HYzS4P6frRH3PvtRqWNCmaHpe97dGKsvnM2ybT+IMSB8/54GajQr3+B\n" \ +"ciRh2XaT4wvSTxkXM1fUgrDxqAP2AZmpuIyDyboZh+rWOwbrTPfx5SipELZG3uHh\n" \ +"P8HMcr4qQ8b20LWgxCRuT73sIooHET350xUCAwEAAaOCASYwggEiMB8GA1UdIwQY\n" \ +"MBaAFPKdQk4PxEglWC8czg+hPyLIVciRMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF\n" \ +"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E\n" \ +"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw\n" \ +"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM\n" \ +"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl\n" \ +"IEF1dGhvcml0eTAdBgNVHQ4EFgQULSs/y/Wy/zIsqMIc3b2MgB7dMYIwDQYJKoZI\n" \ +"hvcNAQELBQADggEBAJpHLlCnTR1TD8lxQgzl2n1JZOeryN/fAsGH0Vve2m8r5PC+\n" \ +"ugnfAoULiuabBn1pOGxy/0x7Kg0/Iy8WRv8Fk7DqJCjXEqFXuFkZJfNDCtP9DzeN\n" \ +"uMoV50iKoMfHS38BPFjXN+X/fSsBrA2fUWrlQCTmXlUN97gvQqxt5Slrxgukvxm9\n" \ +"OSfu/sWz22LUvtJHupYwWv1iALgnXS86lAuVNYVALLxn34r58XsZlj5CSBMjBJWp\n" \ +"axEzgUdag3L2IPqOQXuPd0d8x11G9E/9gQquOSe2aiZjsdO/VYOCmzZsM2QPUMBV\n" \ 
+"lBPDhfTVcWXQwN385uycW/ARtSzzSME2jKKWSIQ=\n" \ +"-----END CERTIFICATE-----\n" + +#define TEST_CERT_PEM_WITH_METADATA "Bag Attributes\n" \ +" friendlyName: ipa-devel\n" \ +" localKeyID: 8E 0D 04 1F BC 13 73 54 00 8F 65 57 D7 A8 AF 34 0C 18 B3 99\n" \ +"subject= /O=IPA.DEVEL/CN=ipa-devel.ipa.devel\n" \ +"issuer= /O=IPA.DEVEL/CN=Certificate Authority\n" \ +TEST_CERT_PEM + +#define TEST_CERT_DERB64 \ +"MIIECTCCAvGgAwIBAgIBCTANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \ +"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA0Mjgx" \ +"MDIxMTFaFw0xNzA0MjgxMDIxMTFaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \ +"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \ +"ADCCAQoCggEBALIykqtHuAwTVEofHikG/9BQy/dfeZFlsTkBg2qtnnc78w3Xufbc" \ +"nkpJp9Bmcsy/d9beqf5nlsxJ8TcjLsRQ9Ou6YtQjTfM3OILuOz8s0ICbF6qb66bd" \ +"9hX/BrLO/9+KnpWFSR+E/YEmzgYyDTbKfBWBaGuPPrOi/K6vwkRYFZVA/FYZkYDt" \ +"QhFmBO884HYzS4P6frRH3PvtRqWNCmaHpe97dGKsvnM2ybT+IMSB8/54GajQr3+B" \ +"ciRh2XaT4wvSTxkXM1fUgrDxqAP2AZmpuIyDyboZh+rWOwbrTPfx5SipELZG3uHh" \ +"P8HMcr4qQ8b20LWgxCRuT73sIooHET350xUCAwEAAaOCASYwggEiMB8GA1UdIwQY" \ +"MBaAFPKdQk4PxEglWC8czg+hPyLIVciRMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \ +"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \ +"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \ +"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \ +"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \ +"IEF1dGhvcml0eTAdBgNVHQ4EFgQULSs/y/Wy/zIsqMIc3b2MgB7dMYIwDQYJKoZI" \ +"hvcNAQELBQADggEBAJpHLlCnTR1TD8lxQgzl2n1JZOeryN/fAsGH0Vve2m8r5PC+" \ +"ugnfAoULiuabBn1pOGxy/0x7Kg0/Iy8WRv8Fk7DqJCjXEqFXuFkZJfNDCtP9DzeN" \ +"uMoV50iKoMfHS38BPFjXN+X/fSsBrA2fUWrlQCTmXlUN97gvQqxt5Slrxgukvxm9" \ +"OSfu/sWz22LUvtJHupYwWv1iALgnXS86lAuVNYVALLxn34r58XsZlj5CSBMjBJWp" \ +"axEzgUdag3L2IPqOQXuPd0d8x11G9E/9gQquOSe2aiZjsdO/VYOCmzZsM2QPUMBV" \ +"lBPDhfTVcWXQwN385uycW/ARtSzzSME2jKKWSIQ=" + +struct test_state { + void *dummy; + bool done; +}; + +static int setup(void 
**state) +{ + struct test_state *ts = NULL; + + assert_true(leak_check_setup()); + + ts = talloc(global_talloc_context, struct test_state); + assert_non_null(ts); + + check_leaks_push(ts); + *state = (void *)ts; + return 0; +} + +static int teardown(void **state) +{ + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + + assert_non_null(ts); + + assert_true(check_leaks_pop(ts)); + talloc_free(ts); + assert_true(leak_check_teardown()); + return 0; +} + +void test_sss_cert_der_to_pem(void **state) +{ + int ret; + char *pem_str; + size_t pem_size; + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + + ret = sss_cert_der_to_pem(NULL, NULL, 0, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_cert_der_to_pem(ts, test_cert_der, sizeof(test_cert_der), + &pem_str, &pem_size); + assert_int_equal(ret, EOK); + assert_int_equal(sizeof(TEST_CERT_PEM) - 1, pem_size); + assert_string_equal(pem_str, TEST_CERT_PEM); + + talloc_free(pem_str); +} + +void test_sss_cert_pem_to_der(void **state) +{ + int ret; + uint8_t *der; + size_t der_size; + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + + ret = sss_cert_pem_to_der(NULL, NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_cert_pem_to_der(ts, TEST_CERT_PEM, &der, &der_size); + assert_int_equal(ret, EOK); + assert_int_equal(sizeof(test_cert_der), der_size); + assert_memory_equal(der, test_cert_der, der_size); + + talloc_free(der); + + /* https://pagure.io/SSSD/sssd/issue/3354 + https://tools.ietf.org/html/rfc7468#section-2 */ + ret = sss_cert_pem_to_der(ts, TEST_CERT_PEM_WITH_METADATA, &der, &der_size); + assert_int_equal(ret, EOK); + assert_int_equal(sizeof(test_cert_der), der_size); + assert_memory_equal(der, test_cert_der, der_size); + + talloc_free(der); +} + +void test_sss_cert_derb64_to_pem(void **state) +{ + int ret; + char *pem_str; + size_t pem_size; + struct test_state *ts = 
talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + + ret = sss_cert_derb64_to_pem(NULL, NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_cert_derb64_to_pem(ts, TEST_CERT_DERB64, &pem_str, &pem_size); + assert_int_equal(ret, EOK); + assert_int_equal(sizeof(TEST_CERT_PEM) - 1, pem_size); + assert_string_equal(pem_str, TEST_CERT_PEM); + + talloc_free(pem_str); +} + +void test_sss_cert_pem_to_derb64(void **state) +{ + int ret; + char *derb64; + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + + ret = sss_cert_pem_to_derb64(NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_cert_pem_to_derb64(ts, TEST_CERT_PEM, &derb64); + assert_int_equal(ret, EOK); + assert_string_equal(derb64, TEST_CERT_DERB64); + + talloc_free(derb64); +} + +void test_bin_to_ldap_filter_value(void **state) +{ + int ret; + size_t c; + char *str; + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + + struct test_data { + uint8_t blob[5]; + const char *str; + } test_data[] = { + {{0x01, 0x02, 0x03, 0x04, 0x05}, "\\01\\02\\03\\04\\05"}, + {{0x00, 0x00, 0x00, 0x00, 0x00}, "\\00\\00\\00\\00\\00"}, + {{0xff, 0xff, 0xff, 0xff, 0xff}, "\\ff\\ff\\ff\\ff\\ff"}, + {{0xca, 0xfe, 0xc0, 0xff, 0xee}, "\\ca\\fe\\c0\\ff\\ee"}, + {{0}, NULL} + }; + + ret = bin_to_ldap_filter_value(ts, NULL, 0, NULL); + assert_int_equal(ret, EINVAL); + + for (c = 0; test_data[c].str != NULL; c++) { + ret = bin_to_ldap_filter_value(ts, test_data[c].blob, 5, &str); + assert_int_equal(ret, EOK); + assert_string_equal(str, test_data[c].str); + + talloc_free(str); + } + +} + +void test_sss_cert_derb64_to_ldap_filter(void **state) +{ + int ret; + char *filter; + + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + + ret = sss_cert_derb64_to_ldap_filter(ts, NULL, NULL, NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = 
sss_cert_derb64_to_ldap_filter(ts, "AAECAwQFBgcICQ==", "attrName", + NULL, NULL, &filter); + assert_int_equal(ret, EOK); + assert_string_equal(filter, + "(attrName=\\00\\01\\02\\03\\04\\05\\06\\07\\08\\09)"); + + talloc_free(filter); +} + +void test_cert_to_ssh_key_done(struct tevent_req *req) +{ + int ret; + struct test_state *ts = tevent_req_callback_data(req, struct test_state); + struct ldb_val *keys; + uint8_t *exp_key; + size_t exp_key_size; + size_t valid_keys; + + assert_non_null(ts); + ts->done = true; + + ret = cert_to_ssh_key_recv(req, ts, &keys, &valid_keys); + talloc_free(req); + assert_int_equal(ret, 0); + assert_non_null(keys[0].data); + assert_int_equal(valid_keys, 1); + + exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size); + assert_non_null(exp_key); + assert_int_equal(keys[0].length, exp_key_size); + assert_memory_equal(keys[0].data, exp_key, exp_key_size); + + talloc_free(exp_key); + talloc_free(keys); +} + +void test_cert_to_ssh_key_send(void **state) +{ + struct tevent_context *ev; + struct tevent_req *req; + struct ldb_val val[1]; + + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + ts->done = false; + + val[0].data = sss_base64_decode(ts, SSSD_TEST_CERT_0001, &val[0].length); + assert_non_null(val[0].data); + + ev = tevent_context_init(ts); + assert_non_null(ev); + + req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, +#ifdef HAVE_NSS + "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", +#else + ABS_BUILD_DIR "/src/tests/test_CA/SSSD_test_CA.pem", +#endif + 1, &val[0], NULL); + assert_non_null(req); + + tevent_req_set_callback(req, test_cert_to_ssh_key_done, ts); + + while (!ts->done) { + tevent_loop_once(ev); + } + + talloc_free(val[0].data); + talloc_free(ev); +} + +void test_cert_to_ssh_2keys_done(struct tevent_req *req) +{ + int ret; + struct test_state *ts = tevent_req_callback_data(req, struct test_state); + struct ldb_val *keys; + uint8_t *exp_key; + 
size_t exp_key_size; + size_t valid_keys; + + assert_non_null(ts); + ts->done = true; + + ret = cert_to_ssh_key_recv(req, ts, &keys, &valid_keys); + talloc_free(req); + assert_int_equal(ret, 0); + assert_non_null(keys[0].data); + assert_non_null(keys[1].data); + assert_int_equal(valid_keys, 2); + + exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size); + assert_non_null(exp_key); + assert_int_equal(keys[0].length, exp_key_size); + assert_memory_equal(keys[0].data, exp_key, exp_key_size); + talloc_free(exp_key); + + exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0002, &exp_key_size); + assert_non_null(exp_key); + assert_int_equal(keys[1].length, exp_key_size); + assert_memory_equal(keys[1].data, exp_key, exp_key_size); + talloc_free(exp_key); + + talloc_free(keys); +} + +void test_cert_to_ssh_2keys_send(void **state) +{ + struct tevent_context *ev; + struct tevent_req *req; + struct ldb_val val[2]; + + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + ts->done = false; + + val[0].data = sss_base64_decode(ts, SSSD_TEST_CERT_0001, + &val[0].length); + assert_non_null(val[0].data); + + val[1].data = sss_base64_decode(ts, SSSD_TEST_CERT_0002, + &val[1].length); + assert_non_null(val[1].data); + + ev = tevent_context_init(ts); + assert_non_null(ev); + + req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, +#ifdef HAVE_NSS + "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", +#else + ABS_BUILD_DIR "/src/tests/test_CA/SSSD_test_CA.pem", +#endif + 2, &val[0], NULL); + assert_non_null(req); + + tevent_req_set_callback(req, test_cert_to_ssh_2keys_done, ts); + + while (!ts->done) { + tevent_loop_once(ev); + } + + talloc_free(val[0].data); + talloc_free(val[1].data); + talloc_free(ev); +} + +void test_cert_to_ssh_2keys_invalid_done(struct tevent_req *req) +{ + int ret; + struct test_state *ts = tevent_req_callback_data(req, struct test_state); + struct ldb_val *keys; + uint8_t *exp_key; + 
size_t exp_key_size; + size_t valid_keys; + + assert_non_null(ts); + ts->done = true; + + ret = cert_to_ssh_key_recv(req, ts, &keys, &valid_keys); + talloc_free(req); + assert_int_equal(ret, 0); + assert_non_null(keys[0].data); + assert_null(keys[1].data); + assert_int_equal(keys[1].length, 0); + assert_non_null(keys[2].data); + assert_int_equal(valid_keys, 2); + + exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0001, &exp_key_size); + assert_non_null(exp_key); + assert_int_equal(keys[0].length, exp_key_size); + assert_memory_equal(keys[0].data, exp_key, exp_key_size); + talloc_free(exp_key); + + exp_key = sss_base64_decode(ts, SSSD_TEST_CERT_SSH_KEY_0002, &exp_key_size); + assert_non_null(exp_key); + assert_int_equal(keys[2].length, exp_key_size); + assert_memory_equal(keys[2].data, exp_key, exp_key_size); + talloc_free(exp_key); + + talloc_free(keys); +} + +void test_cert_to_ssh_2keys_invalid_send(void **state) +{ + struct tevent_context *ev; + struct tevent_req *req; + struct ldb_val val[3]; + + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + assert_non_null(ts); + ts->done = false; + + val[0].data = sss_base64_decode(ts, SSSD_TEST_CERT_0001, + &val[0].length); + assert_non_null(val[0].data); + + val[1].data = sss_base64_decode(ts, SSSD_TEST_CERT_0002, + &val[1].length); + assert_non_null(val[1].data); + /* flip last bit to make the certificate invalid */ + val[1].data[val[1].length - 1] ^= 1 << 0; + + val[2].data = sss_base64_decode(ts, SSSD_TEST_CERT_0002, + &val[2].length); + assert_non_null(val[2].data); + + ev = tevent_context_init(ts); + assert_non_null(ev); + + req = cert_to_ssh_key_send(ts, ev, -1, P11_CHILD_TIMEOUT, +#ifdef HAVE_NSS + "sql:" ABS_BUILD_DIR "/src/tests/test_CA/p11_nssdb", +#else + ABS_BUILD_DIR "/src/tests/test_CA/SSSD_test_CA.pem", +#endif + 3, &val[0], NULL); + assert_non_null(req); + + tevent_req_set_callback(req, test_cert_to_ssh_2keys_invalid_done, ts); + + while (!ts->done) { + 
tevent_loop_once(ev);
+ }
+
+ talloc_free(val[0].data);
+ talloc_free(val[1].data);
+ talloc_free(val[2].data);
+ talloc_free(ev);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int ret;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_sss_cert_der_to_pem,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_cert_pem_to_der,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_pem,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_cert_pem_to_derb64,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_bin_to_ldap_filter_value,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_cert_derb64_to_ldap_filter,
+ setup, teardown),
+#ifdef HAVE_TEST_CA
+ cmocka_unit_test_setup_teardown(test_cert_to_ssh_key_send,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_cert_to_ssh_2keys_send,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_cert_to_ssh_2keys_invalid_send,
+ setup, teardown),
+#endif
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ ret = cmocka_run_group_tests(tests, NULL, NULL);
+
+#ifdef HAVE_LIBCRYPTO
+ CRYPTO_cleanup_all_ex_data(); /* to make Valgrind happy */
+#endif
+
+#ifdef HAVE_NSS
+ /* Cleanup NSS and NSPR to make Valgrind happy. */
+ nspr_nss_cleanup();
+#endif
+
+
+ return ret;
+}
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
new file mode 100644
index 0000000..3091e1a
--- /dev/null
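Review bot: The three receive callbacks in test_cert_utils.c (`test_cert_to_ssh_key_done`, `test_cert_to_ssh_2keys_done`, `test_cert_to_ssh_2keys_invalid_done`) index `keys[0]` right after checking `ret`, but `keys` is declared without an initializer and is never itself checked. If `cert_to_ssh_key_recv()` ever returned 0 without filling the out-parameter, the test would read through an indeterminate pointer instead of failing cleanly. Declaring `struct ldb_val *keys = NULL;` and adding `assert_non_null(keys);` directly after `assert_int_equal(ret, 0);` makes that failure deterministic. It would also read better to assert `valid_keys` before touching individual entries, so a wrong count is reported before any element is dereferenced.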
+++ b/src/tests/cmocka/test_certmap.c 
@@ -0,0 +1,1615 @@ +/* + SSSD + + certmap - Tests for SSSD's certificate mapping library + + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "lib/certmap/sss_certmap.h" +#include "lib/certmap/sss_certmap_int.h" + +#include "util/crypto/sss_crypto.h" + +#include "tests/cmocka/common_mock.h" +#include "tests/common.h" + +#ifdef HAVE_NSS +#include "util/crypto/nss/nss_util.h" +#endif + +#ifdef HAVE_LIBCRYPTO +#include +#endif + +#ifdef HAVE_TEST_CA +#include "tests/test_CA/SSSD_test_cert_x509_0003.h" +#else +#define SSSD_TEST_CERT_0003 "" +#endif + +struct priv_sss_debug { + int level; +}; + +void ext_debug(void *private, const char *file, long line, const char *function, + const char *format, ...) 
+{ + va_list ap; + struct priv_sss_debug *data = private; + int level = SSSDBG_OP_FAILURE; + + if (data != NULL) { + level = data->level; + } + + if (DEBUG_IS_SET(level)) { + va_start(ap, format); + sss_vdebug_fn(file, line, function, level, APPEND_LINE_FEED, + format, ap); + va_end(ap); + } +} + +static void test_sss_certmap_init(void **state) +{ + int ret; + struct sss_certmap_ctx *ctx; + + ret = sss_certmap_init(NULL, ext_debug, NULL, NULL); + assert_int_equal(ret, EINVAL); + + ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx); + assert_int_equal(ret, EOK); + + sss_certmap_free_ctx(ctx); +} + +static struct sss_certmap_ctx *setup_prio(const int *l) +{ + int ret; + size_t c; + struct sss_certmap_ctx *ctx; + + ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx); + assert_int_equal(ret, EOK); + assert_non_null(ctx); + + for (c = 0; c < 10; c++) { + ret = sss_certmap_add_rule(ctx, l[c], NULL, NULL, NULL); + assert_int_equal(ret, EOK); + } + + return ctx; +} + +static void test_sss_certmap_add_rule(void **state) +{ + struct sss_certmap_ctx *ctx; + int i; + struct priority_list *p; + struct priority_list *last; + size_t c; + + const int tests_a[][10] = {{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, + {9, 8, 7, 6, 5, 4, 3, 2, 1, 0}, + {1, 3, 5 ,7, 9, 0, 2, 4, 6, 8}, + {0, 2, 4, 6, 8, 1, 3, 5, 7, 9}, + {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + + const int tests_b[][10] = {{0, 0, 0, 0, 1, 1, 1, 2, 2, 2}, + {2, 2, 2, 1, 1, 1, 0, 0, 0, 0}, + {0, 1, 2, 0, 1, 2, 0, 1, 2, 0}, + {0, 2, 1, 0, 2, 1, 0, 2, 1, 0}, + {0, 1, 2, 0, 2, 1, 0, 0, 1, 2}, + {0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + + for (c = 0; tests_a[c][0] != 0 || tests_a[c][9] != 0; c++) { + ctx = setup_prio(tests_a[0]); + assert_non_null(ctx); + i = 0; + for (p = ctx->prio_list; p != NULL; p = p->next) { + assert_int_equal(i, p->priority); + assert_non_null(p->rule_list); + assert_int_equal(i, p->rule_list->priority); + assert_null(p->rule_list->prev); + assert_null(p->rule_list->next); + i++; + } + + i = 9; + for (last = ctx->prio_list; 
last->next != NULL; last = last->next); + for (p = last; p != NULL; p = p->prev) { + assert_int_equal(i, p->priority); + assert_int_equal(i, p->rule_list->priority); + i--; + } + + sss_certmap_free_ctx(ctx); + } + for (c = 0; tests_b[c][0] != 0 || tests_b[c][9] != 0; c++) { + ctx = setup_prio(tests_b[0]); + assert_non_null(ctx); + i = 0; + for (p = ctx->prio_list; p != NULL; p = p->next) { + assert_int_equal(i, p->priority); + assert_non_null(p->rule_list); + assert_int_equal(i, p->rule_list->priority); + assert_null(p->rule_list->prev); + assert_non_null(p->rule_list->next); + assert_ptr_equal(p->rule_list, p->rule_list->next->prev); + assert_non_null(p->rule_list->next->next); + assert_ptr_equal(p->rule_list->next, + p->rule_list->next->next->prev); + if (i == 0) { + assert_non_null(p->rule_list->next->next->next); + assert_ptr_equal(p->rule_list->next->next, + p->rule_list->next->next->next->prev); + assert_null(p->rule_list->next->next->next->next); + } else { + assert_null(p->rule_list->next->next->next); + } + i++; + } + sss_certmap_free_ctx(ctx); + } +} + +static void test_sss_certmap_add_matching_rule(void **state) +{ + struct sss_certmap_ctx *ctx; + int ret; + + ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx); + assert_int_equal(ret, EOK); + assert_non_null(ctx); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "fsdf", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "FDSF:fsdf", NULL, NULL); + assert_int_equal(ret, ESRCH); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "KRB5:", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "", NULL, 
NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "ddqwdq", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "digitalSignature,dddq", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + + ret = sss_certmap_add_rule(ctx, 1, "", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "dwqwqw", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, ".", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, ".1.2.3", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "1.2.3.", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "1.a.3", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "prio_list); + + /* invalid base64 input */ + ret = sss_certmap_add_rule(ctx, 1, "...", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + /* invalid OID input */ + ret = sss_certmap_add_rule(ctx, 1, "dqq", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "dqq", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "dqq", NULL, NULL); + assert_int_equal(ret, EINVAL); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 1, "dqq", NULL, NULL); + 
assert_int_equal(ret, EINVAL);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "a", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, "&&a", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:||a", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_or);
+ assert_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:ab", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1000,
+ "KRB5:abcd",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("d",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("c",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->next->val);
+
+ ret = sss_certmap_add_rule(ctx, 99,
+ "KRB5:ab"
+ "dataEncipherment,cRLSignc"
+ "d",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("d",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("c",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->ku);
+ assert_int_equal(SSS_KU_CRL_SIGN|SSS_KU_DATA_ENCIPHERMENT,
+ ctx->prio_list->rule_list->parsed_match_rule->ku->ku);
+
+ ret = sss_certmap_add_rule(ctx, 98,
+ "KRB5:ab"
+ "dataEncipherment,cRLSignc"
+ "clientAuth,emailProtection"
+ "d",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->subject);
+ assert_string_equal("d",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->val);
+ assert_string_equal("b",
+ ctx->prio_list->rule_list->parsed_match_rule->subject->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->issuer);
+ assert_string_equal("c",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->val);
+ assert_string_equal("a",
+ ctx->prio_list->rule_list->parsed_match_rule->issuer->next->val);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->ku);
+ assert_int_equal(SSS_KU_CRL_SIGN|SSS_KU_DATA_ENCIPHERMENT,
+ ctx->prio_list->rule_list->parsed_match_rule->ku->ku);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.4",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_null(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[2]);
+
+ ret = sss_certmap_add_rule(ctx, 97,
+ "KRB5:clientAuth,1.2.3,emailProtection",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.4",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_true(string_in_list("1.2.3",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_null(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[3]);
+
+ ret = sss_certmap_add_rule(ctx, 96,
+ "KRB5:1.2.3",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
+ assert_true(string_in_list("1.2.3",
+ discard_const(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+ true));
+ assert_null(
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[1]);
+
+ /* SAN tests */
+ ret = sss_certmap_add_rule(ctx, 89, "KRB5:abc", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->san);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->san->san_opt,
+ SAN_PRINCIPAL);
+ assert_string_equal(ctx->prio_list->rule_list->parsed_match_rule->san->val,
+ "abc");
+
+ ret = sss_certmap_add_rule(ctx, 88, "KRB5:def", NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->san);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->san->san_opt,
+ SAN_DNS_NAME);
+ assert_string_equal(ctx->prio_list->rule_list->parsed_match_rule->san->val,
+ "def");
+
+ ret = sss_certmap_add_rule(ctx, 87, "KRB5:aGlq",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->san);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->san->san_opt,
+ SAN_X400_ADDRESS);
+ assert_int_equal(
+ ctx->prio_list->rule_list->parsed_match_rule->san->bin_val_len,
+ 3);
+ assert_memory_equal(
+ ctx->prio_list->rule_list->parsed_match_rule->san->bin_val,
+ "hij", 3);
+
+ ret = sss_certmap_add_rule(ctx, 86, "KRB5:klm",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+ relation_and);
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->san);
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->san->san_opt,
+ SAN_STRING_OTHER_NAME);
+ assert_string_equal(ctx->prio_list->rule_list->parsed_match_rule->san->val,
+ "klm");
+ assert_string_equal("1.2.3.4",
+ ctx->prio_list->rule_list->parsed_match_rule->san->str_other_name_oid);
+
+ talloc_free(ctx);
+}
+
+static void test_check_ad_attr_name(void **state)
+{
+ char *res;
+
+ res = check_ad_attr_name(NULL, NULL);
+ assert_null(res);
+
+ res = check_ad_attr_name(NULL, "");
+ assert_null(res);
+
+ res = check_ad_attr_name(NULL, "dsddqwdas");
+ assert_null(res);
+
+ res = check_ad_attr_name(NULL, "dsddq=wdas");
+ assert_null(res);
+
+ res = check_ad_attr_name(NULL, "CN=abc");
+ assert_null(res);
+
+ res = check_ad_attr_name(NULL, "O=xyz");
+ assert_null(res);
+
+ res = check_ad_attr_name(NULL, "ST=def");
+ assert_non_null(res);
+ assert_string_equal(res, "S=def");
+ talloc_free(res);
+}
+
+const uint8_t test_cert_der[] = {
+0x30, 0x82, 0x04, 0x09, 0x30, 0x82, 0x02, 0xf1, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x09,
+0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30,
+0x34, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x49, 0x50, 0x41, 0x2e,
+0x44, 0x45, 0x56, 0x45, 0x4c, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x15,
+0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68,
+0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x30, 0x34, 0x32, 0x38,
0x31, +0x30, 0x32, 0x31, 0x31, 0x31, 0x5a, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x34, 0x32, 0x38, 0x31, 0x30, +0x32, 0x31, 0x31, 0x31, 0x5a, 0x30, 0x32, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, +0x0c, 0x09, 0x49, 0x50, 0x41, 0x2e, 0x44, 0x45, 0x56, 0x45, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, +0x03, 0x55, 0x04, 0x03, 0x0c, 0x13, 0x69, 0x70, 0x61, 0x2d, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2e, +0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, +0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, +0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb2, 0x32, 0x92, 0xab, 0x47, 0xb8, +0x0c, 0x13, 0x54, 0x4a, 0x1f, 0x1e, 0x29, 0x06, 0xff, 0xd0, 0x50, 0xcb, 0xf7, 0x5f, 0x79, 0x91, +0x65, 0xb1, 0x39, 0x01, 0x83, 0x6a, 0xad, 0x9e, 0x77, 0x3b, 0xf3, 0x0d, 0xd7, 0xb9, 0xf6, 0xdc, +0x9e, 0x4a, 0x49, 0xa7, 0xd0, 0x66, 0x72, 0xcc, 0xbf, 0x77, 0xd6, 0xde, 0xa9, 0xfe, 0x67, 0x96, +0xcc, 0x49, 0xf1, 0x37, 0x23, 0x2e, 0xc4, 0x50, 0xf4, 0xeb, 0xba, 0x62, 0xd4, 0x23, 0x4d, 0xf3, +0x37, 0x38, 0x82, 0xee, 0x3b, 0x3f, 0x2c, 0xd0, 0x80, 0x9b, 0x17, 0xaa, 0x9b, 0xeb, 0xa6, 0xdd, +0xf6, 0x15, 0xff, 0x06, 0xb2, 0xce, 0xff, 0xdf, 0x8a, 0x9e, 0x95, 0x85, 0x49, 0x1f, 0x84, 0xfd, +0x81, 0x26, 0xce, 0x06, 0x32, 0x0d, 0x36, 0xca, 0x7c, 0x15, 0x81, 0x68, 0x6b, 0x8f, 0x3e, 0xb3, +0xa2, 0xfc, 0xae, 0xaf, 0xc2, 0x44, 0x58, 0x15, 0x95, 0x40, 0xfc, 0x56, 0x19, 0x91, 0x80, 0xed, +0x42, 0x11, 0x66, 0x04, 0xef, 0x3c, 0xe0, 0x76, 0x33, 0x4b, 0x83, 0xfa, 0x7e, 0xb4, 0x47, 0xdc, +0xfb, 0xed, 0x46, 0xa5, 0x8d, 0x0a, 0x66, 0x87, 0xa5, 0xef, 0x7b, 0x74, 0x62, 0xac, 0xbe, 0x73, +0x36, 0xc9, 0xb4, 0xfe, 0x20, 0xc4, 0x81, 0xf3, 0xfe, 0x78, 0x19, 0xa8, 0xd0, 0xaf, 0x7f, 0x81, +0x72, 0x24, 0x61, 0xd9, 0x76, 0x93, 0xe3, 0x0b, 0xd2, 0x4f, 0x19, 0x17, 0x33, 0x57, 0xd4, 0x82, +0xb0, 0xf1, 0xa8, 0x03, 0xf6, 0x01, 0x99, 0xa9, 0xb8, 0x8c, 0x83, 0xc9, 0xba, 0x19, 0x87, 0xea, +0xd6, 0x3b, 0x06, 0xeb, 0x4c, 0xf7, 0xf1, 0xe5, 
0x28, 0xa9, 0x10, 0xb6, 0x46, 0xde, 0xe1, 0xe1, +0x3f, 0xc1, 0xcc, 0x72, 0xbe, 0x2a, 0x43, 0xc6, 0xf6, 0xd0, 0xb5, 0xa0, 0xc4, 0x24, 0x6e, 0x4f, +0xbd, 0xec, 0x22, 0x8a, 0x07, 0x11, 0x3d, 0xf9, 0xd3, 0x15, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, +0x82, 0x01, 0x26, 0x30, 0x82, 0x01, 0x22, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, +0x30, 0x16, 0x80, 0x14, 0xf2, 0x9d, 0x42, 0x4e, 0x0f, 0xc4, 0x48, 0x25, 0x58, 0x2f, 0x1c, 0xce, +0x0f, 0xa1, 0x3f, 0x22, 0xc8, 0x55, 0xc8, 0x91, 0x30, 0x3b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, +0x05, 0x07, 0x01, 0x01, 0x04, 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, +0x05, 0x07, 0x30, 0x01, 0x86, 0x1f, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x69, 0x70, 0x61, +0x2d, 0x63, 0x61, 0x2e, 0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2f, 0x63, 0x61, +0x2f, 0x6f, 0x63, 0x73, 0x70, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, +0x04, 0x03, 0x02, 0x04, 0xf0, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, +0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, +0x05, 0x07, 0x03, 0x02, 0x30, 0x74, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x6d, 0x30, 0x6b, 0x30, +0x69, 0xa0, 0x31, 0xa0, 0x2f, 0x86, 0x2d, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x69, 0x70, +0x61, 0x2d, 0x63, 0x61, 0x2e, 0x69, 0x70, 0x61, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x2f, 0x69, +0x70, 0x61, 0x2f, 0x63, 0x72, 0x6c, 0x2f, 0x4d, 0x61, 0x73, 0x74, 0x65, 0x72, 0x43, 0x52, 0x4c, +0x2e, 0x62, 0x69, 0x6e, 0xa2, 0x34, 0xa4, 0x32, 0x30, 0x30, 0x31, 0x0e, 0x30, 0x0c, 0x06, 0x03, +0x55, 0x04, 0x0a, 0x0c, 0x05, 0x69, 0x70, 0x61, 0x63, 0x61, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, +0x55, 0x04, 0x03, 0x0c, 0x15, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, +0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, +0x0e, 0x04, 0x16, 0x04, 0x14, 0x2d, 0x2b, 0x3f, 0xcb, 0xf5, 0xb2, 0xff, 0x32, 0x2c, 0xa8, 0xc2, +0x1c, 
0xdd, 0xbd, 0x8c, 0x80, 0x1e, 0xdd, 0x31, 0x82, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, +0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x9a, 0x47, 0x2e, +0x50, 0xa7, 0x4d, 0x1d, 0x53, 0x0f, 0xc9, 0x71, 0x42, 0x0c, 0xe5, 0xda, 0x7d, 0x49, 0x64, 0xe7, +0xab, 0xc8, 0xdf, 0xdf, 0x02, 0xc1, 0x87, 0xd1, 0x5b, 0xde, 0xda, 0x6f, 0x2b, 0xe4, 0xf0, 0xbe, +0xba, 0x09, 0xdf, 0x02, 0x85, 0x0b, 0x8a, 0xe6, 0x9b, 0x06, 0x7d, 0x69, 0x38, 0x6c, 0x72, 0xff, +0x4c, 0x7b, 0x2a, 0x0d, 0x3f, 0x23, 0x2f, 0x16, 0x46, 0xff, 0x05, 0x93, 0xb0, 0xea, 0x24, 0x28, +0xd7, 0x12, 0xa1, 0x57, 0xb8, 0x59, 0x19, 0x25, 0xf3, 0x43, 0x0a, 0xd3, 0xfd, 0x0f, 0x37, 0x8d, +0xb8, 0xca, 0x15, 0xe7, 0x48, 0x8a, 0xa0, 0xc7, 0xc7, 0x4b, 0x7f, 0x01, 0x3c, 0x58, 0xd7, 0x37, +0xe5, 0xff, 0x7d, 0x2b, 0x01, 0xac, 0x0d, 0x9f, 0x51, 0x6a, 0xe5, 0x40, 0x24, 0xe6, 0x5e, 0x55, +0x0d, 0xf7, 0xb8, 0x2f, 0x42, 0xac, 0x6d, 0xe5, 0x29, 0x6b, 0xc6, 0x0b, 0xa4, 0xbf, 0x19, 0xbd, +0x39, 0x27, 0xee, 0xfe, 0xc5, 0xb3, 0xdb, 0x62, 0xd4, 0xbe, 0xd2, 0x47, 0xba, 0x96, 0x30, 0x5a, +0xfd, 0x62, 0x00, 0xb8, 0x27, 0x5d, 0x2f, 0x3a, 0x94, 0x0b, 0x95, 0x35, 0x85, 0x40, 0x2c, 0xbc, +0x67, 0xdf, 0x8a, 0xf9, 0xf1, 0x7b, 0x19, 0x96, 0x3e, 0x42, 0x48, 0x13, 0x23, 0x04, 0x95, 0xa9, +0x6b, 0x11, 0x33, 0x81, 0x47, 0x5a, 0x83, 0x72, 0xf6, 0x20, 0xfa, 0x8e, 0x41, 0x7b, 0x8f, 0x77, +0x47, 0x7c, 0xc7, 0x5d, 0x46, 0xf4, 0x4f, 0xfd, 0x81, 0x0a, 0xae, 0x39, 0x27, 0xb6, 0x6a, 0x26, +0x63, 0xb1, 0xd3, 0xbf, 0x55, 0x83, 0x82, 0x9b, 0x36, 0x6c, 0x33, 0x64, 0x0f, 0x50, 0xc0, 0x55, +0x94, 0x13, 0xc3, 0x85, 0xf4, 0xd5, 0x71, 0x65, 0xd0, 0xc0, 0xdd, 0xfc, 0xe6, 0xec, 0x9c, 0x5b, +0xf0, 0x11, 0xb5, 0x2c, 0xf3, 0x48, 0xc1, 0x36, 0x8c, 0xa2, 0x96, 0x48, 0x84}; + +const uint8_t test_cert2_der[] = { +0x30, 0x82, 0x06, 0x98, 0x30, 0x82, 0x05, 0x80, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x0a, 0x61, +0x22, 0x88, 0xc2, 0x00, 0x00, 0x00, 0x00, 0x02, 0xa6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, +0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 
0x00, 0x30, 0x45, 0x31, 0x15, 0x30, 0x13, 0x06, 0x0a, +0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x05, 0x64, 0x65, 0x76, 0x65, +0x6c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, +0x19, 0x16, 0x02, 0x61, 0x64, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f, +0x61, 0x64, 0x2d, 0x41, 0x44, 0x2d, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, 0x2d, 0x43, 0x41, 0x30, +0x1e, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x31, 0x31, 0x31, 0x31, 0x33, 0x35, 0x31, 0x31, 0x31, 0x5a, +0x17, 0x0d, 0x31, 0x37, 0x31, 0x31, 0x31, 0x31, 0x31, 0x33, 0x35, 0x31, 0x31, 0x31, 0x5a, 0x30, +0x70, 0x31, 0x15, 0x30, 0x13, 0x06, 0x0a, 0x09, 0x92, 0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, +0x19, 0x16, 0x05, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x31, 0x12, 0x30, 0x10, 0x06, 0x0a, 0x09, 0x92, +0x26, 0x89, 0x93, 0xf2, 0x2c, 0x64, 0x01, 0x19, 0x16, 0x02, 0x61, 0x64, 0x31, 0x0e, 0x30, 0x0c, +0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x05, 0x55, 0x73, 0x65, 0x72, 0x73, 0x31, 0x0c, 0x30, 0x0a, +0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x03, 0x74, 0x20, 0x75, 0x31, 0x25, 0x30, 0x23, 0x06, 0x09, +0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x16, 0x74, 0x65, 0x73, 0x74, 0x2e, +0x75, 0x73, 0x65, 0x72, 0x40, 0x65, 0x6d, 0x61, 0x69, 0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x61, 0x69, +0x6e, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, +0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, +0x01, 0x00, 0x9c, 0xcf, 0x36, 0x99, 0xde, 0x63, 0x74, 0x2b, 0x77, 0x25, 0x9e, 0x24, 0xd9, 0x77, +0x4b, 0x5f, 0x98, 0xc0, 0x8c, 0xd7, 0x20, 0x91, 0xc0, 0x1c, 0xe8, 0x37, 0x45, 0xbf, 0x3c, 0xd9, +0x33, 0xbd, 0xe9, 0xde, 0xc9, 0x5d, 0xd4, 0xcd, 0x06, 0x0a, 0x0d, 0xd4, 0xf1, 0x7c, 0x74, 0x5b, +0x29, 0xd5, 0x66, 0x9c, 0x2c, 0x9f, 0x6b, 0x1a, 0x0f, 0x0d, 0xe6, 0x6c, 0x62, 0xa5, 0x41, 0x4f, +0xc3, 0xa4, 0x88, 0x27, 0x11, 0x5d, 0xb7, 0xb1, 0xfb, 0xf8, 0x8d, 0xee, 0x43, 0x8d, 0x93, 0xb5, 
+0x8c, 0xb4, 0x34, 0x06, 0xf5, 0xe9, 0x2f, 0x5a, 0x26, 0x68, 0xd7, 0x43, 0x60, 0x82, 0x5e, 0x22, +0xa7, 0xc6, 0x34, 0x40, 0x19, 0xa5, 0x8e, 0xf0, 0x58, 0x9f, 0x16, 0x2d, 0x43, 0x3f, 0x0c, 0xda, +0xe2, 0x23, 0xf6, 0x09, 0x2a, 0x5e, 0xbd, 0x84, 0x27, 0xc8, 0xab, 0xd5, 0x70, 0xf8, 0x3d, 0x9c, +0x14, 0xc2, 0xc2, 0xa2, 0x77, 0xe8, 0x44, 0x73, 0x10, 0x01, 0x34, 0x40, 0x1f, 0xc6, 0x2f, 0xa0, +0x70, 0xee, 0x2f, 0xd5, 0x4b, 0xbe, 0x4c, 0xc7, 0x45, 0xf7, 0xac, 0x9c, 0xc3, 0x68, 0x5b, 0x1d, +0x5a, 0x4b, 0x77, 0x65, 0x76, 0xe4, 0xb3, 0x92, 0xf4, 0x84, 0x0a, 0x9e, 0x6a, 0x9c, 0xc9, 0x53, +0x42, 0x9f, 0x6d, 0xfe, 0xf9, 0xf5, 0xf2, 0x9a, 0x15, 0x50, 0x47, 0xef, 0xf4, 0x06, 0x59, 0xc8, +0x50, 0x48, 0x4b, 0x46, 0x95, 0x68, 0x25, 0xc5, 0xbd, 0x4f, 0x65, 0x34, 0x00, 0xfc, 0x31, 0x69, +0xf8, 0x3e, 0xe0, 0x20, 0x83, 0x41, 0x27, 0x0b, 0x5c, 0x46, 0x98, 0x14, 0xf0, 0x07, 0xde, 0x02, +0x17, 0xb1, 0xd2, 0x9c, 0xbe, 0x1c, 0x0d, 0x56, 0x22, 0x1b, 0x02, 0xfe, 0xda, 0x69, 0xb9, 0xef, +0x91, 0x37, 0x39, 0x7f, 0x24, 0xda, 0xc4, 0x81, 0x5e, 0x82, 0x31, 0x2f, 0x98, 0x1d, 0xf7, 0x73, +0x5b, 0x23, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x03, 0x5d, 0x30, 0x82, 0x03, 0x59, 0x30, +0x3d, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x07, 0x04, 0x30, 0x30, 0x2e, +0x06, 0x26, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x08, 0x87, 0x85, 0xa1, 0x23, 0x84, +0xc8, 0xb2, 0x26, 0x83, 0x9d, 0x9d, 0x21, 0x82, 0xd4, 0xa6, 0x1b, 0x86, 0xa3, 0xba, 0x37, 0x81, +0x10, 0x85, 0x89, 0xd5, 0x02, 0xd6, 0x8f, 0x24, 0x02, 0x01, 0x64, 0x02, 0x01, 0x02, 0x30, 0x29, +0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x22, 0x30, 0x20, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, +0x07, 0x03, 0x02, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04, 0x06, 0x0a, 0x2b, +0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x04, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, +0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05, 0xa0, 0x30, 0x35, 0x06, 0x09, 0x2b, 0x06, 0x01, +0x04, 0x01, 0x82, 0x37, 0x15, 0x0a, 0x04, 0x28, 0x30, 
0x26, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, +0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, +0x03, 0x04, 0x30, 0x0c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x0a, 0x03, 0x04, +0x30, 0x81, 0x94, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x0f, 0x04, 0x81, +0x86, 0x30, 0x81, 0x83, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, +0x2a, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x2d, 0x30, 0x0b, +0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x16, 0x30, 0x0b, 0x06, 0x09, 0x60, +0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x01, 0x19, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, +0x65, 0x03, 0x04, 0x01, 0x02, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, +0x01, 0x05, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x03, 0x07, 0x30, 0x07, +0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x07, 0x30, 0x0e, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, +0x0d, 0x03, 0x02, 0x02, 0x02, 0x00, 0x80, 0x30, 0x0e, 0x06, 0x08, 0x2a, 0x86, 0x48, 0x86, 0xf7, +0x0d, 0x03, 0x04, 0x02, 0x02, 0x02, 0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, +0x04, 0x14, 0x49, 0xac, 0xad, 0xe0, 0x65, 0x30, 0xc4, 0xce, 0xa0, 0x09, 0x03, 0x5b, 0xad, 0x4a, +0x7b, 0x49, 0x5e, 0xc9, 0x6c, 0xb4, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, +0x16, 0x80, 0x14, 0x62, 0x50, 0xb6, 0x8d, 0xa1, 0xe6, 0x2d, 0x91, 0xbf, 0xb0, 0x54, 0x4d, 0x8f, +0xa8, 0xca, 0x10, 0xae, 0xb8, 0xdd, 0x54, 0x30, 0x81, 0xcc, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, +0x81, 0xc4, 0x30, 0x81, 0xc1, 0x30, 0x81, 0xbe, 0xa0, 0x81, 0xbb, 0xa0, 0x81, 0xb8, 0x86, 0x81, +0xb5, 0x6c, 0x64, 0x61, 0x70, 0x3a, 0x2f, 0x2f, 0x2f, 0x43, 0x4e, 0x3d, 0x61, 0x64, 0x2d, 0x41, +0x44, 0x2d, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, 0x2d, 0x43, 0x41, 0x2c, 0x43, 0x4e, 0x3d, 0x61, +0x64, 0x2d, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x44, 0x50, 0x2c, +0x43, 0x4e, 
0x3d, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x25, 0x32, 0x30, 0x4b, 0x65, 0x79, 0x25, +0x32, 0x30, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x53, 0x65, +0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, +0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2c, 0x44, 0x43, 0x3d, 0x61, 0x64, 0x2c, 0x44, 0x43, +0x3d, 0x64, 0x65, 0x76, 0x65, 0x6c, 0x3f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, +0x74, 0x65, 0x52, 0x65, 0x76, 0x6f, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4c, 0x69, 0x73, 0x74, +0x3f, 0x62, 0x61, 0x73, 0x65, 0x3f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6c, 0x61, 0x73, +0x73, 0x3d, 0x63, 0x52, 0x4c, 0x44, 0x69, 0x73, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, +0x6e, 0x50, 0x6f, 0x69, 0x6e, 0x74, 0x30, 0x81, 0xbe, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, +0x07, 0x01, 0x01, 0x04, 0x81, 0xb1, 0x30, 0x81, 0xae, 0x30, 0x81, 0xab, 0x06, 0x08, 0x2b, 0x06, +0x01, 0x05, 0x05, 0x07, 0x30, 0x02, 0x86, 0x81, 0x9e, 0x6c, 0x64, 0x61, 0x70, 0x3a, 0x2f, 0x2f, +0x2f, 0x43, 0x4e, 0x3d, 0x61, 0x64, 0x2d, 0x41, 0x44, 0x2d, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, +0x2d, 0x43, 0x41, 0x2c, 0x43, 0x4e, 0x3d, 0x41, 0x49, 0x41, 0x2c, 0x43, 0x4e, 0x3d, 0x50, 0x75, +0x62, 0x6c, 0x69, 0x63, 0x25, 0x32, 0x30, 0x4b, 0x65, 0x79, 0x25, 0x32, 0x30, 0x53, 0x65, 0x72, +0x76, 0x69, 0x63, 0x65, 0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, +0x73, 0x2c, 0x43, 0x4e, 0x3d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, +0x6f, 0x6e, 0x2c, 0x44, 0x43, 0x3d, 0x61, 0x64, 0x2c, 0x44, 0x43, 0x3d, 0x64, 0x65, 0x76, 0x65, +0x6c, 0x3f, 0x63, 0x41, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x3f, +0x62, 0x61, 0x73, 0x65, 0x3f, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x43, 0x6c, 0x61, 0x73, 0x73, +0x3d, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x75, +0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x3f, 0x06, 0x03, 0x55, 
0x1d, 0x11, 0x04, 0x38, +0x30, 0x36, 0xa0, 0x1c, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03, +0xa0, 0x0e, 0x0c, 0x0c, 0x74, 0x75, 0x31, 0x40, 0x61, 0x64, 0x2e, 0x64, 0x65, 0x76, 0x65, 0x6c, +0x81, 0x16, 0x74, 0x65, 0x73, 0x74, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x40, 0x65, 0x6d, 0x61, 0x69, +0x6c, 0x2e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, +0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x41, 0x45, 0x0a, 0x6d, +0xbb, 0x7f, 0x5c, 0x07, 0x0c, 0xc9, 0xb0, 0x39, 0x55, 0x6d, 0x7c, 0xb5, 0x02, 0xcd, 0xe8, 0xb2, +0xe5, 0x02, 0x94, 0x77, 0x60, 0xdb, 0xd1, 0xaf, 0x1d, 0xdb, 0x44, 0x5f, 0xce, 0x83, 0xdb, 0x80, +0x2e, 0xe2, 0xb2, 0x08, 0x25, 0x82, 0x14, 0xcb, 0x48, 0x95, 0x20, 0x13, 0x6c, 0xa9, 0xaa, 0xf8, +0x31, 0x56, 0xed, 0xc0, 0x3b, 0xd4, 0xae, 0x2e, 0xe3, 0x8f, 0x05, 0xfc, 0xab, 0x5f, 0x2a, 0x69, +0x23, 0xbc, 0xb8, 0x8c, 0xec, 0x2d, 0xa9, 0x0b, 0x86, 0x95, 0x73, 0x73, 0xdb, 0x17, 0xce, 0xc6, +0xae, 0xc5, 0xb4, 0xc1, 0x25, 0x87, 0x3b, 0x67, 0x43, 0x9e, 0x87, 0x5a, 0xe6, 0xb9, 0xa0, 0x28, +0x12, 0x3d, 0xa8, 0x2e, 0xd7, 0x5e, 0xef, 0x65, 0x2d, 0xe6, 0xa5, 0x67, 0x84, 0xac, 0xfd, 0x31, +0xc1, 0x78, 0xd8, 0x72, 0x51, 0xa2, 0x88, 0x55, 0x0f, 0x97, 0x47, 0x93, 0x07, 0xea, 0x8a, 0x53, +0x27, 0x4e, 0x34, 0x54, 0x34, 0x1f, 0xa0, 0x6a, 0x03, 0x44, 0xfb, 0x23, 0x61, 0x8e, 0x87, 0x8e, +0x3c, 0xd0, 0x8f, 0xae, 0xe4, 0xcf, 0xee, 0x65, 0xa8, 0xba, 0x96, 0x68, 0x08, 0x1c, 0x60, 0xe2, +0x4e, 0x11, 0xa3, 0x74, 0xb8, 0xa5, 0x4e, 0xea, 0x6a, 0x82, 0x4c, 0xc2, 0x4d, 0x63, 0x8e, 0x9f, +0x7c, 0x2f, 0xa8, 0xc0, 0x62, 0xf8, 0xf7, 0xd9, 0x25, 0xc4, 0x91, 0xab, 0x4d, 0x6a, 0x44, 0xaf, +0x75, 0x93, 0x53, 0x03, 0xa4, 0x99, 0xc8, 0xcd, 0x91, 0x89, 0x60, 0x75, 0x30, 0x99, 0x76, 0x05, +0x5a, 0xa0, 0x03, 0xa7, 0xa1, 0x2c, 0x03, 0x04, 0x8f, 0xd4, 0x5a, 0x31, 0x52, 0x28, 0x5a, 0xe6, +0xa2, 0xd3, 0x43, 0x21, 0x5b, 0xdc, 0xa2, 0x1d, 0x55, 0xa9, 0x48, 0xc5, 0xc4, 0xaa, 0xf3, 0x8b, +0xe6, 0x3e, 0x75, 0x96, 0xe4, 
0x3e, 0x64, 0xaf, 0xe8, 0xa7, 0x6a, 0xb6}; + +/* used to test SAN principal encoding according to RFC4556 */ +const uint8_t test_cert3_der[] = { +0x30, 0x82, 0x03, 0x70, 0x30, 0x82, 0x02, 0x58, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, +0xe5, 0x8f, 0x16, 0xfe, 0x23, 0x4d, 0xc5, 0xd6, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, +0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, +0x04, 0x03, 0x0c, 0x0f, 0x6b, 0x72, 0x62, 0x35, 0x5f, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x5f, 0x74, +0x65, 0x73, 0x74, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x37, 0x30, 0x37, 0x31, 0x32, 0x30, 0x39, 0x32, +0x34, 0x31, 0x38, 0x5a, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x34, 0x30, 0x37, 0x30, 0x39, 0x32, 0x34, +0x31, 0x38, 0x5a, 0x30, 0x1a, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, +0x6b, 0x72, 0x62, 0x35, 0x5f, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x5f, 0x74, 0x65, 0x73, 0x74, 0x30, +0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, +0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, +0xbf, 0x84, 0x34, 0x46, 0x37, 0x50, 0xb1, 0xca, 0x14, 0x4c, 0x6b, 0x0d, 0xe4, 0xab, 0xc1, 0xce, +0xf4, 0xd1, 0xde, 0xca, 0xf5, 0x50, 0x46, 0x3c, 0x63, 0x0f, 0x8e, 0xb8, 0xe9, 0xf9, 0x3e, 0xc4, +0xf3, 0x24, 0xc1, 0xe4, 0x78, 0xf6, 0xa4, 0x39, 0x6f, 0xc1, 0xd8, 0x9c, 0x1c, 0xa7, 0x47, 0xe4, +0xc8, 0x71, 0x32, 0x9a, 0x1d, 0x1d, 0xfb, 0x30, 0x0f, 0xf9, 0x85, 0x48, 0xf8, 0x1f, 0xa7, 0xbd, +0xda, 0x39, 0xd4, 0xc7, 0x27, 0x4f, 0xf5, 0x34, 0xee, 0x4a, 0x59, 0x0c, 0x7a, 0xec, 0x2b, 0xaf, +0x81, 0x8e, 0x41, 0x54, 0x6f, 0xcc, 0x91, 0x61, 0x4c, 0x61, 0x80, 0xca, 0x37, 0xab, 0x2c, 0x63, +0x8d, 0xce, 0x07, 0xcd, 0x61, 0x11, 0x10, 0xa0, 0xe4, 0x08, 0x7d, 0x1d, 0x10, 0x85, 0xb1, 0x64, +0x33, 0x6b, 0x4d, 0x8d, 0xd2, 0x9d, 0xd7, 0x0b, 0x21, 0xbc, 0x15, 0xcd, 0xed, 0xaa, 0xc0, 0x01, +0x67, 0xe1, 0x7c, 0xd4, 0xf7, 0xdd, 0xf8, 0x28, 0x92, 0xce, 0x8b, 0x7f, 0x08, 0x29, 0x76, 0x6e, +0xa5, 
0xe6, 0xcd, 0xeb, 0x9c, 0x13, 0x78, 0xa3, 0x08, 0xb5, 0xdc, 0x7f, 0xc2, 0x60, 0xc3, 0xac, +0x68, 0x30, 0x37, 0xe1, 0x54, 0x6a, 0xa9, 0x34, 0x3e, 0x43, 0x8d, 0x6f, 0x9b, 0xe5, 0x8a, 0xf9, +0xa4, 0x22, 0xab, 0x33, 0x01, 0x32, 0xaf, 0xc4, 0x9f, 0xb1, 0x27, 0xba, 0xae, 0x20, 0x60, 0xd7, +0x16, 0x48, 0x66, 0x2b, 0x36, 0x9c, 0x54, 0xd0, 0x6e, 0x45, 0xd3, 0x23, 0x3f, 0x17, 0x2e, 0xee, +0xd4, 0x55, 0xa7, 0x75, 0x2f, 0x28, 0xa9, 0x40, 0x3b, 0xbc, 0x79, 0x69, 0xea, 0x58, 0xc2, 0x3c, +0x4c, 0x70, 0x4b, 0x93, 0xd8, 0xa4, 0xb6, 0x59, 0x24, 0x77, 0x10, 0xb3, 0xc7, 0x34, 0x99, 0x6b, +0x28, 0xbd, 0x03, 0xdb, 0xda, 0xea, 0x23, 0x19, 0x10, 0x56, 0x7e, 0xa4, 0x28, 0x04, 0x5a, 0x53, +0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xb8, 0x30, 0x81, 0xb5, 0x30, 0x09, 0x06, 0x03, 0x55, +0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, +0x02, 0x03, 0xa8, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0b, 0x30, 0x09, 0x06, 0x07, +0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x04, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, +0x04, 0x14, 0xea, 0xd4, 0x30, 0xd7, 0x7d, 0x3b, 0xc7, 0xb4, 0x83, 0x53, 0x2c, 0xa5, 0xb9, 0xd8, +0x1a, 0x47, 0x6b, 0xb5, 0xe5, 0x9d, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, +0x16, 0x80, 0x14, 0xea, 0xd4, 0x30, 0xd7, 0x7d, 0x3b, 0xc7, 0xb4, 0x83, 0x53, 0x2c, 0xa5, 0xb9, +0xd8, 0x1a, 0x47, 0x6b, 0xb5, 0xe5, 0x9d, 0x30, 0x47, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x40, +0x30, 0x3e, 0xa0, 0x3c, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x02, 0x02, 0xa0, 0x32, 0x30, 0x30, +0xa0, 0x0b, 0x1b, 0x09, 0x53, 0x53, 0x53, 0x44, 0x2e, 0x54, 0x45, 0x53, 0x54, 0xa1, 0x21, 0x30, +0x1f, 0xa0, 0x03, 0x02, 0x01, 0x01, 0xa1, 0x18, 0x30, 0x16, 0x1b, 0x04, 0x74, 0x65, 0x73, 0x74, +0x1b, 0x05, 0x63, 0x6f, 0x6d, 0x70, 0x32, 0x1b, 0x07, 0x61, 0x6e, 0x6f, 0x74, 0x68, 0x65, 0x72, +0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, +0x82, 0x01, 0x01, 0x00, 0x08, 0x64, 0x63, 0x89, 0x6d, 0x3d, 0x66, 
0x77, 0xe3, 0xb6, 0x40, 0x54,
+0xd7, 0xe2, 0xc5, 0x99, 0xac, 0x98, 0x6e, 0xf8, 0xcd, 0x62, 0xa4, 0xf8, 0xd9, 0xaf, 0xdb, 0xef,
+0xb7, 0x10, 0x8e, 0x45, 0x42, 0x53, 0x5c, 0x3f, 0x6a, 0x8d, 0xa8, 0x8a, 0x6d, 0x76, 0x51, 0x1a,
+0xf4, 0x71, 0x54, 0x27, 0x27, 0xe2, 0x45, 0xe8, 0xa8, 0xd2, 0xa9, 0xcd, 0x62, 0x0d, 0xfc, 0x0d,
+0x28, 0x46, 0x9e, 0x4e, 0x5a, 0x57, 0x72, 0xb4, 0xf2, 0x35, 0x91, 0x57, 0x11, 0xae, 0x2b, 0x9c,
+0x6a, 0x80, 0x21, 0x8e, 0x4c, 0x19, 0x4a, 0x2d, 0xe0, 0xd2, 0xdf, 0x83, 0x9d, 0x65, 0x49, 0xd1,
+0x34, 0x34, 0x14, 0xa0, 0xbb, 0x1c, 0xa8, 0x12, 0xb0, 0xe3, 0x5e, 0x82, 0x36, 0x41, 0x4c, 0x87,
+0xd1, 0x1e, 0x1a, 0xe9, 0xff, 0x55, 0xef, 0xb5, 0x2d, 0x20, 0xc5, 0xa7, 0xe5, 0x5a, 0xf2, 0xfc,
+0xf7, 0xd2, 0x21, 0xc5, 0x32, 0xb4, 0x07, 0x8f, 0xc4, 0x94, 0x56, 0xa6, 0x21, 0x6a, 0xb6, 0x26,
+0x05, 0x48, 0x90, 0xe0, 0x6b, 0x22, 0x35, 0x00, 0x51, 0x2e, 0xd7, 0xe8, 0x3a, 0x56, 0xa8, 0x70,
+0x7d, 0x0f, 0x9a, 0x97, 0x5a, 0xb8, 0x7f, 0x33, 0xc1, 0xe0, 0x92, 0x0f, 0xb3, 0xfe, 0x36, 0xe6,
+0x8b, 0x97, 0x58, 0x42, 0x49, 0xcb, 0x74, 0xde, 0x19, 0x59, 0x90, 0xb6, 0x36, 0x38, 0x07, 0x48,
+0x5d, 0x5b, 0xab, 0x08, 0xf0, 0x69, 0x22, 0x42, 0x08, 0x29, 0xfe, 0x43, 0xab, 0x83, 0x73, 0x74,
+0x5a, 0x3f, 0x3b, 0x5d, 0x8e, 0xca, 0x6f, 0x2d, 0xad, 0xa1, 0x6e, 0x80, 0x80, 0xd2, 0xc8, 0x16,
+0xb7, 0x67, 0x1a, 0x2d, 0x37, 0x8c, 0x20, 0x3b, 0x15, 0xef, 0xb2, 0x94, 0x86, 0x5c, 0xaf, 0xa2,
+0x61, 0x8b, 0xc7, 0xc1, 0xe4, 0xbe, 0x60, 0x5a, 0x86, 0x5c, 0x86, 0xba, 0x59, 0x97, 0x83, 0x1b,
+0x79, 0x1c, 0x7c, 0x26};
+
+void test_sss_cert_get_content(void **state)
+{
+ int ret;
+ struct sss_cert_content *content;
+
+ ret = sss_cert_get_content(NULL, test_cert_der, sizeof(test_cert_der),
+ &content);
+ assert_int_equal(ret , 0);
+ assert_non_null(content);
+ assert_non_null(content->issuer_str);
+ assert_string_equal(content->issuer_str, "CN=Certificate Authority,O=IPA.DEVEL");
+ assert_non_null(content->subject_str);
+ assert_string_equal(content->subject_str, "CN=ipa-devel.ipa.devel,O=IPA.DEVEL");
+ assert_int_equal(content->key_usage, SSS_KU_DIGITAL_SIGNATURE
+ |SSS_KU_NON_REPUDIATION
+ |SSS_KU_KEY_ENCIPHERMENT
+ |SSS_KU_DATA_ENCIPHERMENT);
+ assert_non_null(content->extended_key_usage_oids);
+ assert_non_null(content->extended_key_usage_oids[0]);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.1",
+ discard_const(content->extended_key_usage_oids), true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(content->extended_key_usage_oids), true));
+ assert_null(content->extended_key_usage_oids[2]);
+ assert_int_equal(content->cert_der_size, sizeof(test_cert_der));
+ assert_memory_equal(content->cert_der, test_cert_der, sizeof(test_cert_der));
+
+ assert_non_null(content->issuer_rdn_list);
+ assert_string_equal(content->issuer_rdn_list[0], "O=IPA.DEVEL");
+ assert_string_equal(content->issuer_rdn_list[1], "CN=Certificate Authority");
+ assert_null(content->issuer_rdn_list[2]);
+
+ assert_non_null(content->subject_rdn_list);
+ assert_string_equal(content->subject_rdn_list[0], "O=IPA.DEVEL");
+ assert_string_equal(content->subject_rdn_list[1], "CN=ipa-devel.ipa.devel");
+ assert_null(content->subject_rdn_list[2]);
+
+
+ talloc_free(content);
+}
+
+void test_sss_cert_get_content_2(void **state)
+{
+ int ret;
+ struct sss_cert_content *content;
+ struct san_list *i;
+
+ ret = sss_cert_get_content(NULL, test_cert2_der, sizeof(test_cert2_der),
+ &content);
+ assert_int_equal(ret, 0);
+ assert_non_null(content);
+ assert_non_null(content->issuer_str);
+ assert_string_equal(content->issuer_str,
+ "CN=ad-AD-SERVER-CA,DC=ad,DC=devel");
+ assert_non_null(content->subject_str);
+#if 0
+FIXME:
+ assert_string_equal(content->subject_str,
+ "E=test.user@email.domain,CN=t u,CN=Users,DC=ad,DC=devel,DC=ad,DC=devel");
+ //"CN=t u/emailAddress=test.user@email.domain,DC=ad,DC=devel");
+#endif
+ assert_int_equal(content->key_usage, SSS_KU_DIGITAL_SIGNATURE
+ |SSS_KU_KEY_ENCIPHERMENT);
+ assert_non_null(content->extended_key_usage_oids);
+ assert_non_null(content->extended_key_usage_oids[0]);
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.2",
+ discard_const(content->extended_key_usage_oids), true));
+ assert_true(string_in_list("1.3.6.1.5.5.7.3.4",
+ discard_const(content->extended_key_usage_oids), true));
+ /* Can use Microsoft Encrypted File System OID */
+ assert_true(string_in_list("1.3.6.1.4.1.311.10.3.4",
+ discard_const(content->extended_key_usage_oids), true));
+ assert_null(content->extended_key_usage_oids[3]);
+ assert_int_equal(content->cert_der_size, sizeof(test_cert2_der));
+ assert_memory_equal(content->cert_der, test_cert2_der,
+ sizeof(test_cert2_der));
+
+ assert_non_null(content->issuer_rdn_list);
+ assert_string_equal(content->issuer_rdn_list[0], "DC=devel");
+ assert_string_equal(content->issuer_rdn_list[1], "DC=ad");
+ assert_string_equal(content->issuer_rdn_list[2], "CN=ad-AD-SERVER-CA");
+ assert_null(content->issuer_rdn_list[3]);
+
+ assert_non_null(content->subject_rdn_list);
+ assert_string_equal(content->subject_rdn_list[0], "DC=devel");
+ assert_string_equal(content->subject_rdn_list[1], "DC=ad");
+ assert_string_equal(content->subject_rdn_list[2], "CN=Users");
+ assert_string_equal(content->subject_rdn_list[3], "CN=t u");
+ assert_string_equal(content->subject_rdn_list[4],
+ "E=test.user@email.domain");
+ assert_null(content->subject_rdn_list[5]);
+
+ assert_non_null(content->san_list);
+
+ DLIST_FOR_EACH(i, content->san_list) {
+ switch (i->san_opt) {
+ case SAN_RFC822_NAME:
+ assert_string_equal(i->val, "test.user@email.domain");
+ assert_string_equal(i->short_name, "test.user");
+ break;
+ case SAN_STRING_OTHER_NAME:
+ assert_string_equal(i->other_name_oid, "1.3.6.1.4.1.311.20.2.3");
+ assert_int_equal(i->bin_val_len, 14);
+ assert_memory_equal(i->bin_val, "\f\ftu1@ad.devel", 14);
+ break;
+ case SAN_NT:
+ case SAN_PRINCIPAL:
+ assert_string_equal(i->val, "tu1@ad.devel");
+ assert_string_equal(i->short_name, "tu1");
+ break;
+ default:
+ assert_true(false);
+ }
+ }
+
+ talloc_free(content);
+}
+
+void test_sss_cert_get_content_test_cert_0003(void **state)
+{
+ int ret;
+ uint8_t *der;
+ size_t der_size;
+ struct sss_cert_content *content;
+
+ der = sss_base64_decode(NULL, SSSD_TEST_CERT_0003, &der_size);
+ assert_non_null(der);
+
+ ret = sss_cert_get_content(NULL, der, der_size, &content);
+ assert_int_equal(ret, 0);
+ assert_non_null(content);
+ assert_non_null(content->issuer_str);
+ assert_string_equal(content->issuer_str,
+ "CN=SSSD test CA,OU=SSSD test,O=SSSD");
+
+ assert_non_null(content->issuer_rdn_list);
+ assert_string_equal(content->issuer_rdn_list[0], "O=SSSD");
+ assert_string_equal(content->issuer_rdn_list[1], "OU=SSSD test");
+ assert_string_equal(content->issuer_rdn_list[2], "CN=SSSD test CA");
+ assert_null(content->issuer_rdn_list[3]);
+
+ assert_non_null(content->subject_str);
+ assert_string_equal(content->subject_str,
+ "CN=SSSD test cert 0003,OU=SSSD test,O=SSSD");
+
+ assert_non_null(content->subject_rdn_list);
+ assert_string_equal(content->issuer_rdn_list[0], "O=SSSD");
+ assert_string_equal(content->issuer_rdn_list[1], "OU=SSSD test");
+ assert_string_equal(content->subject_rdn_list[2], "CN=SSSD test cert 0003");
+ assert_null(content->subject_rdn_list[3]);
+
+ assert_int_equal(content->key_usage, SSS_KU_DIGITAL_SIGNATURE
+ |SSS_KU_KEY_ENCIPHERMENT);
+
+ assert_non_null(content->extended_key_usage_oids);
+ assert_null(content->extended_key_usage_oids[0]);
+
+ assert_null(content->san_list);
+
+ talloc_free(content);
+}
+
+
+static void test_sss_certmap_match_cert(void **state)
+{
+ struct sss_certmap_ctx *ctx;
+ int ret;
+ size_t c;
+
+ struct match_tests {
+ const char *rule;
+ int result;
+ } match_tests[] = {
+ {"KRB5:digitalSignature", 0},
+ {"KRB5:digitalSignature,nonRepudiation", 0},
+ {"KRB5:digitalSignature,cRLSign", ENOENT},
+ {"KRB5:clientAuth", 0},
+ {"KRB5:clientAuth,OCSPSigning", ENOENT},
+ {"KRB5:clientAuth,serverAuth", 0},
+ {NULL, 0}
+ };
+
+ struct match_tests match_tests_2[] = {
+ {"KRB5:digitalSignature", 0},
+ {"KRB5:keyEncipherment", 0},
+ {"KRB5:digitalSignature,keyEncipherment", 0},
+ {"KRB5:digitalSignature,keyEncipherment,cRLSign", ENOENT},
+ {"KRB5:clientAuth", 0},
+ {"KRB5:clientAuth,1.3.6.1.4.1.311.10.3.4", 0},
+ {"KRB5:clientAuth,1.3.6.1.4.1.311.10.3.41", ENOENT},
+ {"KRB5:tu1", 0},
+ {"KRB5:tu1", 0},
+ {"KRB5:tu1", 0},
+ {"KRB5:tu1", ENOENT},
+ {"KRB5:^tu1@ad.devel$", 0},
+ {"KRB5:tu", ENOENT},
+ {"KRB5:test.user", 0},
+ {"KRB5:test.usertu1", 0},
+ {"KRB5:||test.usertu1", 0},
+ {"KRB5:&&tu1tu1", ENOENT},
+ {"KRB5:||tu1tu1", 0},
+ {"KRB5:MTIz", ENOENT}, /* 123 */
+ {"KRB5:DAx0dTFAYWQuZGV2ZWw=", 0}, /* "\f\ftu1@ad.devel" */
+ {"KRB5:DAx0dTFAYWQuZGV2ZWx4", ENOENT}, /* "\f\ftu1@ad.develx" */
+ {"KRB5:dHUxQGFkLmRldmVs", 0}, /* "tu1@ad.devel" */
+ {"KRB5:test", ENOENT},
+ {"KRB5:tu1@ad", 0},
+ /* Fails because the NT principal SAN starts with binary values */
+ {"KRB5:^tu1@ad.devel$", ENOENT},
+ {NULL, 0}
+ };
+
+ struct match_tests match_tests_3[] = {
+ {"KRB5:digitalSignature", 0},
+ {"KRB5:keyEncipherment", 0},
+ {"KRB5:keyAgreement", 0},
+ {"KRB5:digitalSignature,keyAgreement,keyEncipherment", 0},
+ {"KRB5:test", 0},
+ {"KRB5:test", ENOENT},
+ {"KRB5:comp2", 0},
+ {"KRB5:another", 0},
+ {"KRB5:test/comp2/another@SSSD.TEST", 0},
+ {"KRB5:^test/comp2/another@SSSD.TEST$", 0},
+ {"KRB5:^test/comp2/another@SSSD.TEST$", 0},
+ {NULL, 0}
+ };
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, "KRB5:xyzxyz",
+ NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der));
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_certmap_add_rule(ctx, 1,
+ "KRB5:CN=Certificate Authority,O=IPA.DEVEL",
+ NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der));
+ assert_int_equal(ret, 0);
+
+ sss_certmap_free_ctx(ctx);
+
+ for (c = 0; match_tests[c].rule != NULL; c++) {
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, match_tests[c].rule, NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der));
+ assert_int_equal(ret, match_tests[c].result);
+
+ sss_certmap_free_ctx(ctx);
+ }
+
+ for (c = 0; match_tests_2[c].rule != NULL; c++) {
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ print_error("Checking matching rule [%s]\n", match_tests_2[c].rule);
+
+ ret = sss_certmap_add_rule(ctx, 1, match_tests_2[c].rule, NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der));
+ assert_int_equal(ret, match_tests_2[c].result);
+
+ sss_certmap_free_ctx(ctx);
+ }
+
+ for (c = 0; match_tests_3[c].rule != NULL; c++) {
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ print_error("Checking matching rule [%s]\n", match_tests_3[c].rule);
+
+ ret = sss_certmap_add_rule(ctx, 1, match_tests_3[c].rule, NULL, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_certmap_match_cert(ctx, discard_const(test_cert3_der),
+ sizeof(test_cert3_der));
+ assert_int_equal(ret, match_tests_3[c].result);
+
+ sss_certmap_free_ctx(ctx);
+ }
+}
+
+static void test_sss_certmap_add_mapping_rule(void **state)
+{
+ struct sss_certmap_ctx *ctx;
+ int ret;
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "FWEAWEF:fwefwe", NULL);
+ assert_int_equal(ret, ESRCH);
+
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "LDAP:abc", NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_string,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("abc",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "LDAP:abc{issuer_dn}", NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_string,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("abc",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->type);
+ assert_string_equal("issuer_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "{issuer_dn}a:b{{c}}", NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("issuer_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ assert_int_equal(comp_string,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->type);
+ assert_string_equal("a:b{c}",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->val);
+ talloc_free(ctx);
+
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_add_rule(ctx, 1, NULL, "LDAP:{issuer_dn}{subject_dn}",
+ NULL);
+ assert_int_equal(ret, 0);
+ assert_non_null(ctx->prio_list);
+ assert_non_null(ctx->prio_list->rule_list);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule);
+ assert_non_null(ctx->prio_list->rule_list->parsed_mapping_rule->list);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->type);
+ assert_string_equal("issuer_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->val);
+ assert_int_equal(comp_template,
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->type);
+ assert_string_equal("subject_dn",
+ ctx->prio_list->rule_list->parsed_mapping_rule->list->next->val);
+ talloc_free(ctx);
+}
+
+#define TEST_CERT_BIN \
+ "\\30\\82\\04\\09\\30\\82\\02\\f1\\a0\\03\\02\\01\\02\\02\\01\\09" \
+ "\\30\\0d\\06\\09\\2a\\86\\48\\86\\f7\\0d\\01\\01\\0b\\05\\00\\30" \
+ "\\34\\31\\12\\30\\10\\06\\03\\55\\04\\0a\\0c\\09\\49\\50\\41\\2e" \
+ "\\44\\45\\56\\45\\4c\\31\\1e\\30\\1c\\06\\03\\55\\04\\03\\0c\\15" \
+ "\\43\\65\\72\\74\\69\\66\\69\\63\\61\\74\\65\\20\\41\\75\\74\\68" \
+ "\\6f\\72\\69\\74\\79\\30\\1e\\17\\0d\\31\\35\\30\\34\\32\\38\\31" \
+ "\\30\\32\\31\\31\\31\\5a\\17\\0d\\31\\37\\30\\34\\32\\38\\31\\30" \
+ "\\32\\31\\31\\31\\5a\\30\\32\\31\\12\\30\\10\\06\\03\\55\\04\\0a" \
+ "\\0c\\09\\49\\50\\41\\2e\\44\\45\\56\\45\\4c\\31\\1c\\30\\1a\\06" \
+
"\\03\\55\\04\\03\\0c\\13\\69\\70\\61\\2d\\64\\65\\76\\65\\6c\\2e" \ + "\\69\\70\\61\\2e\\64\\65\\76\\65\\6c\\30\\82\\01\\22\\30\\0d\\06" \ + "\\09\\2a\\86\\48\\86\\f7\\0d\\01\\01\\01\\05\\00\\03\\82\\01\\0f" \ + "\\00\\30\\82\\01\\0a\\02\\82\\01\\01\\00\\b2\\32\\92\\ab\\47\\b8" \ + "\\0c\\13\\54\\4a\\1f\\1e\\29\\06\\ff\\d0\\50\\cb\\f7\\5f\\79\\91" \ + "\\65\\b1\\39\\01\\83\\6a\\ad\\9e\\77\\3b\\f3\\0d\\d7\\b9\\f6\\dc" \ + "\\9e\\4a\\49\\a7\\d0\\66\\72\\cc\\bf\\77\\d6\\de\\a9\\fe\\67\\96" \ + "\\cc\\49\\f1\\37\\23\\2e\\c4\\50\\f4\\eb\\ba\\62\\d4\\23\\4d\\f3" \ + "\\37\\38\\82\\ee\\3b\\3f\\2c\\d0\\80\\9b\\17\\aa\\9b\\eb\\a6\\dd" \ + "\\f6\\15\\ff\\06\\b2\\ce\\ff\\df\\8a\\9e\\95\\85\\49\\1f\\84\\fd" \ + "\\81\\26\\ce\\06\\32\\0d\\36\\ca\\7c\\15\\81\\68\\6b\\8f\\3e\\b3" \ + "\\a2\\fc\\ae\\af\\c2\\44\\58\\15\\95\\40\\fc\\56\\19\\91\\80\\ed" \ + "\\42\\11\\66\\04\\ef\\3c\\e0\\76\\33\\4b\\83\\fa\\7e\\b4\\47\\dc" \ + "\\fb\\ed\\46\\a5\\8d\\0a\\66\\87\\a5\\ef\\7b\\74\\62\\ac\\be\\73" \ + "\\36\\c9\\b4\\fe\\20\\c4\\81\\f3\\fe\\78\\19\\a8\\d0\\af\\7f\\81" \ + "\\72\\24\\61\\d9\\76\\93\\e3\\0b\\d2\\4f\\19\\17\\33\\57\\d4\\82" \ + "\\b0\\f1\\a8\\03\\f6\\01\\99\\a9\\b8\\8c\\83\\c9\\ba\\19\\87\\ea" \ + "\\d6\\3b\\06\\eb\\4c\\f7\\f1\\e5\\28\\a9\\10\\b6\\46\\de\\e1\\e1" \ + "\\3f\\c1\\cc\\72\\be\\2a\\43\\c6\\f6\\d0\\b5\\a0\\c4\\24\\6e\\4f" \ + "\\bd\\ec\\22\\8a\\07\\11\\3d\\f9\\d3\\15\\02\\03\\01\\00\\01\\a3" \ + "\\82\\01\\26\\30\\82\\01\\22\\30\\1f\\06\\03\\55\\1d\\23\\04\\18" \ + "\\30\\16\\80\\14\\f2\\9d\\42\\4e\\0f\\c4\\48\\25\\58\\2f\\1c\\ce" \ + "\\0f\\a1\\3f\\22\\c8\\55\\c8\\91\\30\\3b\\06\\08\\2b\\06\\01\\05" \ + "\\05\\07\\01\\01\\04\\2f\\30\\2d\\30\\2b\\06\\08\\2b\\06\\01\\05" \ + "\\05\\07\\30\\01\\86\\1f\\68\\74\\74\\70\\3a\\2f\\2f\\69\\70\\61" \ + "\\2d\\63\\61\\2e\\69\\70\\61\\2e\\64\\65\\76\\65\\6c\\2f\\63\\61" \ + "\\2f\\6f\\63\\73\\70\\30\\0e\\06\\03\\55\\1d\\0f\\01\\01\\ff\\04" \ + "\\04\\03\\02\\04\\f0\\30\\1d\\06\\03\\55\\1d\\25\\04\\16\\30\\14" \ + 
"\\06\\08\\2b\\06\\01\\05\\05\\07\\03\\01\\06\\08\\2b\\06\\01\\05" \ + "\\05\\07\\03\\02\\30\\74\\06\\03\\55\\1d\\1f\\04\\6d\\30\\6b\\30" \ + "\\69\\a0\\31\\a0\\2f\\86\\2d\\68\\74\\74\\70\\3a\\2f\\2f\\69\\70" \ + "\\61\\2d\\63\\61\\2e\\69\\70\\61\\2e\\64\\65\\76\\65\\6c\\2f\\69" \ + "\\70\\61\\2f\\63\\72\\6c\\2f\\4d\\61\\73\\74\\65\\72\\43\\52\\4c" \ + "\\2e\\62\\69\\6e\\a2\\34\\a4\\32\\30\\30\\31\\0e\\30\\0c\\06\\03" \ + "\\55\\04\\0a\\0c\\05\\69\\70\\61\\63\\61\\31\\1e\\30\\1c\\06\\03" \ + "\\55\\04\\03\\0c\\15\\43\\65\\72\\74\\69\\66\\69\\63\\61\\74\\65" \ + "\\20\\41\\75\\74\\68\\6f\\72\\69\\74\\79\\30\\1d\\06\\03\\55\\1d" \ + "\\0e\\04\\16\\04\\14\\2d\\2b\\3f\\cb\\f5\\b2\\ff\\32\\2c\\a8\\c2" \ + "\\1c\\dd\\bd\\8c\\80\\1e\\dd\\31\\82\\30\\0d\\06\\09\\2a\\86\\48" \ + "\\86\\f7\\0d\\01\\01\\0b\\05\\00\\03\\82\\01\\01\\00\\9a\\47\\2e" \ + "\\50\\a7\\4d\\1d\\53\\0f\\c9\\71\\42\\0c\\e5\\da\\7d\\49\\64\\e7" \ + "\\ab\\c8\\df\\df\\02\\c1\\87\\d1\\5b\\de\\da\\6f\\2b\\e4\\f0\\be" \ + "\\ba\\09\\df\\02\\85\\0b\\8a\\e6\\9b\\06\\7d\\69\\38\\6c\\72\\ff" \ + "\\4c\\7b\\2a\\0d\\3f\\23\\2f\\16\\46\\ff\\05\\93\\b0\\ea\\24\\28" \ + "\\d7\\12\\a1\\57\\b8\\59\\19\\25\\f3\\43\\0a\\d3\\fd\\0f\\37\\8d" \ + "\\b8\\ca\\15\\e7\\48\\8a\\a0\\c7\\c7\\4b\\7f\\01\\3c\\58\\d7\\37" \ + "\\e5\\ff\\7d\\2b\\01\\ac\\0d\\9f\\51\\6a\\e5\\40\\24\\e6\\5e\\55" \ + "\\0d\\f7\\b8\\2f\\42\\ac\\6d\\e5\\29\\6b\\c6\\0b\\a4\\bf\\19\\bd" \ + "\\39\\27\\ee\\fe\\c5\\b3\\db\\62\\d4\\be\\d2\\47\\ba\\96\\30\\5a" \ + "\\fd\\62\\00\\b8\\27\\5d\\2f\\3a\\94\\0b\\95\\35\\85\\40\\2c\\bc" \ + "\\67\\df\\8a\\f9\\f1\\7b\\19\\96\\3e\\42\\48\\13\\23\\04\\95\\a9" \ + "\\6b\\11\\33\\81\\47\\5a\\83\\72\\f6\\20\\fa\\8e\\41\\7b\\8f\\77" \ + "\\47\\7c\\c7\\5d\\46\\f4\\4f\\fd\\81\\0a\\ae\\39\\27\\b6\\6a\\26" \ + "\\63\\b1\\d3\\bf\\55\\83\\82\\9b\\36\\6c\\33\\64\\0f\\50\\c0\\55" \ + "\\94\\13\\c3\\85\\f4\\d5\\71\\65\\d0\\c0\\dd\\fc\\e6\\ec\\9c\\5b" \ + "\\f0\\11\\b5\\2c\\f3\\48\\c1\\36\\8c\\a2\\96\\48\\84" + +#define TEST_CERT2_BIN \ 
+ "\\30\\82\\06\\98\\30\\82\\05\\80\\a0\\03\\02\\01\\02\\02\\0a\\61" \ + "\\22\\88\\c2\\00\\00\\00\\00\\02\\a6\\30\\0d\\06\\09\\2a\\86\\48" \ + "\\86\\f7\\0d\\01\\01\\05\\05\\00\\30\\45\\31\\15\\30\\13\\06\\0a" \ + "\\09\\92\\26\\89\\93\\f2\\2c\\64\\01\\19\\16\\05\\64\\65\\76\\65" \ + "\\6c\\31\\12\\30\\10\\06\\0a\\09\\92\\26\\89\\93\\f2\\2c\\64\\01" \ + "\\19\\16\\02\\61\\64\\31\\18\\30\\16\\06\\03\\55\\04\\03\\13\\0f" \ + "\\61\\64\\2d\\41\\44\\2d\\53\\45\\52\\56\\45\\52\\2d\\43\\41\\30" \ + "\\1e\\17\\0d\\31\\36\\31\\31\\31\\31\\31\\33\\35\\31\\31\\31\\5a" \ + "\\17\\0d\\31\\37\\31\\31\\31\\31\\31\\33\\35\\31\\31\\31\\5a\\30" \ + "\\70\\31\\15\\30\\13\\06\\0a\\09\\92\\26\\89\\93\\f2\\2c\\64\\01" \ + "\\19\\16\\05\\64\\65\\76\\65\\6c\\31\\12\\30\\10\\06\\0a\\09\\92" \ + "\\26\\89\\93\\f2\\2c\\64\\01\\19\\16\\02\\61\\64\\31\\0e\\30\\0c" \ + "\\06\\03\\55\\04\\03\\13\\05\\55\\73\\65\\72\\73\\31\\0c\\30\\0a" \ + "\\06\\03\\55\\04\\03\\13\\03\\74\\20\\75\\31\\25\\30\\23\\06\\09" \ + "\\2a\\86\\48\\86\\f7\\0d\\01\\09\\01\\16\\16\\74\\65\\73\\74\\2e" \ + "\\75\\73\\65\\72\\40\\65\\6d\\61\\69\\6c\\2e\\64\\6f\\6d\\61\\69" \ + "\\6e\\30\\82\\01\\22\\30\\0d\\06\\09\\2a\\86\\48\\86\\f7\\0d\\01" \ + "\\01\\01\\05\\00\\03\\82\\01\\0f\\00\\30\\82\\01\\0a\\02\\82\\01" \ + "\\01\\00\\9c\\cf\\36\\99\\de\\63\\74\\2b\\77\\25\\9e\\24\\d9\\77" \ + "\\4b\\5f\\98\\c0\\8c\\d7\\20\\91\\c0\\1c\\e8\\37\\45\\bf\\3c\\d9" \ + "\\33\\bd\\e9\\de\\c9\\5d\\d4\\cd\\06\\0a\\0d\\d4\\f1\\7c\\74\\5b" \ + "\\29\\d5\\66\\9c\\2c\\9f\\6b\\1a\\0f\\0d\\e6\\6c\\62\\a5\\41\\4f" \ + "\\c3\\a4\\88\\27\\11\\5d\\b7\\b1\\fb\\f8\\8d\\ee\\43\\8d\\93\\b5" \ + "\\8c\\b4\\34\\06\\f5\\e9\\2f\\5a\\26\\68\\d7\\43\\60\\82\\5e\\22" \ + "\\a7\\c6\\34\\40\\19\\a5\\8e\\f0\\58\\9f\\16\\2d\\43\\3f\\0c\\da" \ + "\\e2\\23\\f6\\09\\2a\\5e\\bd\\84\\27\\c8\\ab\\d5\\70\\f8\\3d\\9c" \ + "\\14\\c2\\c2\\a2\\77\\e8\\44\\73\\10\\01\\34\\40\\1f\\c6\\2f\\a0" \ + "\\70\\ee\\2f\\d5\\4b\\be\\4c\\c7\\45\\f7\\ac\\9c\\c3\\68\\5b\\1d" \ + 
"\\5a\\4b\\77\\65\\76\\e4\\b3\\92\\f4\\84\\0a\\9e\\6a\\9c\\c9\\53" \ + "\\42\\9f\\6d\\fe\\f9\\f5\\f2\\9a\\15\\50\\47\\ef\\f4\\06\\59\\c8" \ + "\\50\\48\\4b\\46\\95\\68\\25\\c5\\bd\\4f\\65\\34\\00\\fc\\31\\69" \ + "\\f8\\3e\\e0\\20\\83\\41\\27\\0b\\5c\\46\\98\\14\\f0\\07\\de\\02" \ + "\\17\\b1\\d2\\9c\\be\\1c\\0d\\56\\22\\1b\\02\\fe\\da\\69\\b9\\ef" \ + "\\91\\37\\39\\7f\\24\\da\\c4\\81\\5e\\82\\31\\2f\\98\\1d\\f7\\73" \ + "\\5b\\23\\02\\03\\01\\00\\01\\a3\\82\\03\\5d\\30\\82\\03\\59\\30" \ + "\\3d\\06\\09\\2b\\06\\01\\04\\01\\82\\37\\15\\07\\04\\30\\30\\2e" \ + "\\06\\26\\2b\\06\\01\\04\\01\\82\\37\\15\\08\\87\\85\\a1\\23\\84" \ + "\\c8\\b2\\26\\83\\9d\\9d\\21\\82\\d4\\a6\\1b\\86\\a3\\ba\\37\\81" \ + "\\10\\85\\89\\d5\\02\\d6\\8f\\24\\02\\01\\64\\02\\01\\02\\30\\29" \ + "\\06\\03\\55\\1d\\25\\04\\22\\30\\20\\06\\08\\2b\\06\\01\\05\\05" \ + "\\07\\03\\02\\06\\08\\2b\\06\\01\\05\\05\\07\\03\\04\\06\\0a\\2b" \ + "\\06\\01\\04\\01\\82\\37\\0a\\03\\04\\30\\0e\\06\\03\\55\\1d\\0f" \ + "\\01\\01\\ff\\04\\04\\03\\02\\05\\a0\\30\\35\\06\\09\\2b\\06\\01" \ + "\\04\\01\\82\\37\\15\\0a\\04\\28\\30\\26\\30\\0a\\06\\08\\2b\\06" \ + "\\01\\05\\05\\07\\03\\02\\30\\0a\\06\\08\\2b\\06\\01\\05\\05\\07" \ + "\\03\\04\\30\\0c\\06\\0a\\2b\\06\\01\\04\\01\\82\\37\\0a\\03\\04" \ + "\\30\\81\\94\\06\\09\\2a\\86\\48\\86\\f7\\0d\\01\\09\\0f\\04\\81" \ + "\\86\\30\\81\\83\\30\\0b\\06\\09\\60\\86\\48\\01\\65\\03\\04\\01" \ + "\\2a\\30\\0b\\06\\09\\60\\86\\48\\01\\65\\03\\04\\01\\2d\\30\\0b" \ + "\\06\\09\\60\\86\\48\\01\\65\\03\\04\\01\\16\\30\\0b\\06\\09\\60" \ + "\\86\\48\\01\\65\\03\\04\\01\\19\\30\\0b\\06\\09\\60\\86\\48\\01" \ + "\\65\\03\\04\\01\\02\\30\\0b\\06\\09\\60\\86\\48\\01\\65\\03\\04" \ + "\\01\\05\\30\\0a\\06\\08\\2a\\86\\48\\86\\f7\\0d\\03\\07\\30\\07" \ + "\\06\\05\\2b\\0e\\03\\02\\07\\30\\0e\\06\\08\\2a\\86\\48\\86\\f7" \ + "\\0d\\03\\02\\02\\02\\00\\80\\30\\0e\\06\\08\\2a\\86\\48\\86\\f7" \ + "\\0d\\03\\04\\02\\02\\02\\00\\30\\1d\\06\\03\\55\\1d\\0e\\04\\16" \ + 
"\\04\\14\\49\\ac\\ad\\e0\\65\\30\\c4\\ce\\a0\\09\\03\\5b\\ad\\4a" \ + "\\7b\\49\\5e\\c9\\6c\\b4\\30\\1f\\06\\03\\55\\1d\\23\\04\\18\\30" \ + "\\16\\80\\14\\62\\50\\b6\\8d\\a1\\e6\\2d\\91\\bf\\b0\\54\\4d\\8f" \ + "\\a8\\ca\\10\\ae\\b8\\dd\\54\\30\\81\\cc\\06\\03\\55\\1d\\1f\\04" \ + "\\81\\c4\\30\\81\\c1\\30\\81\\be\\a0\\81\\bb\\a0\\81\\b8\\86\\81" \ + "\\b5\\6c\\64\\61\\70\\3a\\2f\\2f\\2f\\43\\4e\\3d\\61\\64\\2d\\41" \ + "\\44\\2d\\53\\45\\52\\56\\45\\52\\2d\\43\\41\\2c\\43\\4e\\3d\\61" \ + "\\64\\2d\\73\\65\\72\\76\\65\\72\\2c\\43\\4e\\3d\\43\\44\\50\\2c" \ + "\\43\\4e\\3d\\50\\75\\62\\6c\\69\\63\\25\\32\\30\\4b\\65\\79\\25" \ + "\\32\\30\\53\\65\\72\\76\\69\\63\\65\\73\\2c\\43\\4e\\3d\\53\\65" \ + "\\72\\76\\69\\63\\65\\73\\2c\\43\\4e\\3d\\43\\6f\\6e\\66\\69\\67" \ + "\\75\\72\\61\\74\\69\\6f\\6e\\2c\\44\\43\\3d\\61\\64\\2c\\44\\43" \ + "\\3d\\64\\65\\76\\65\\6c\\3f\\63\\65\\72\\74\\69\\66\\69\\63\\61" \ + "\\74\\65\\52\\65\\76\\6f\\63\\61\\74\\69\\6f\\6e\\4c\\69\\73\\74" \ + "\\3f\\62\\61\\73\\65\\3f\\6f\\62\\6a\\65\\63\\74\\43\\6c\\61\\73" \ + "\\73\\3d\\63\\52\\4c\\44\\69\\73\\74\\72\\69\\62\\75\\74\\69\\6f" \ + "\\6e\\50\\6f\\69\\6e\\74\\30\\81\\be\\06\\08\\2b\\06\\01\\05\\05" \ + "\\07\\01\\01\\04\\81\\b1\\30\\81\\ae\\30\\81\\ab\\06\\08\\2b\\06" \ + "\\01\\05\\05\\07\\30\\02\\86\\81\\9e\\6c\\64\\61\\70\\3a\\2f\\2f" \ + "\\2f\\43\\4e\\3d\\61\\64\\2d\\41\\44\\2d\\53\\45\\52\\56\\45\\52" \ + "\\2d\\43\\41\\2c\\43\\4e\\3d\\41\\49\\41\\2c\\43\\4e\\3d\\50\\75" \ + "\\62\\6c\\69\\63\\25\\32\\30\\4b\\65\\79\\25\\32\\30\\53\\65\\72" \ + "\\76\\69\\63\\65\\73\\2c\\43\\4e\\3d\\53\\65\\72\\76\\69\\63\\65" \ + "\\73\\2c\\43\\4e\\3d\\43\\6f\\6e\\66\\69\\67\\75\\72\\61\\74\\69" \ + "\\6f\\6e\\2c\\44\\43\\3d\\61\\64\\2c\\44\\43\\3d\\64\\65\\76\\65" \ + "\\6c\\3f\\63\\41\\43\\65\\72\\74\\69\\66\\69\\63\\61\\74\\65\\3f" \ + "\\62\\61\\73\\65\\3f\\6f\\62\\6a\\65\\63\\74\\43\\6c\\61\\73\\73" \ + "\\3d\\63\\65\\72\\74\\69\\66\\69\\63\\61\\74\\69\\6f\\6e\\41\\75" \ + 
"\\74\\68\\6f\\72\\69\\74\\79\\30\\3f\\06\\03\\55\\1d\\11\\04\\38" \ + "\\30\\36\\a0\\1c\\06\\0a\\2b\\06\\01\\04\\01\\82\\37\\14\\02\\03" \ + "\\a0\\0e\\0c\\0c\\74\\75\\31\\40\\61\\64\\2e\\64\\65\\76\\65\\6c" \ + "\\81\\16\\74\\65\\73\\74\\2e\\75\\73\\65\\72\\40\\65\\6d\\61\\69" \ + "\\6c\\2e\\64\\6f\\6d\\61\\69\\6e\\30\\0d\\06\\09\\2a\\86\\48\\86" \ + "\\f7\\0d\\01\\01\\05\\05\\00\\03\\82\\01\\01\\00\\41\\45\\0a\\6d" \ + "\\bb\\7f\\5c\\07\\0c\\c9\\b0\\39\\55\\6d\\7c\\b5\\02\\cd\\e8\\b2" \ + "\\e5\\02\\94\\77\\60\\db\\d1\\af\\1d\\db\\44\\5f\\ce\\83\\db\\80" \ + "\\2e\\e2\\b2\\08\\25\\82\\14\\cb\\48\\95\\20\\13\\6c\\a9\\aa\\f8" \ + "\\31\\56\\ed\\c0\\3b\\d4\\ae\\2e\\e3\\8f\\05\\fc\\ab\\5f\\2a\\69" \ + "\\23\\bc\\b8\\8c\\ec\\2d\\a9\\0b\\86\\95\\73\\73\\db\\17\\ce\\c6" \ + "\\ae\\c5\\b4\\c1\\25\\87\\3b\\67\\43\\9e\\87\\5a\\e6\\b9\\a0\\28" \ + "\\12\\3d\\a8\\2e\\d7\\5e\\ef\\65\\2d\\e6\\a5\\67\\84\\ac\\fd\\31" \ + "\\c1\\78\\d8\\72\\51\\a2\\88\\55\\0f\\97\\47\\93\\07\\ea\\8a\\53" \ + "\\27\\4e\\34\\54\\34\\1f\\a0\\6a\\03\\44\\fb\\23\\61\\8e\\87\\8e" \ + "\\3c\\d0\\8f\\ae\\e4\\cf\\ee\\65\\a8\\ba\\96\\68\\08\\1c\\60\\e2" \ + "\\4e\\11\\a3\\74\\b8\\a5\\4e\\ea\\6a\\82\\4c\\c2\\4d\\63\\8e\\9f" \ + "\\7c\\2f\\a8\\c0\\62\\f8\\f7\\d9\\25\\c4\\91\\ab\\4d\\6a\\44\\af" \ + "\\75\\93\\53\\03\\a4\\99\\c8\\cd\\91\\89\\60\\75\\30\\99\\76\\05" \ + "\\5a\\a0\\03\\a7\\a1\\2c\\03\\04\\8f\\d4\\5a\\31\\52\\28\\5a\\e6" \ + "\\a2\\d3\\43\\21\\5b\\dc\\a2\\1d\\55\\a9\\48\\c5\\c4\\aa\\f3\\8b" \ + "\\e6\\3e\\75\\96\\e4\\3e\\64\\af\\e8\\a7\\6a\\b6" + +static void test_sss_certmap_get_search_filter(void **state) +{ + int ret; + struct sss_certmap_ctx *ctx; + char *filter; + char **domains; + const char *dom_list[] = {"test.dom", NULL}; + + ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx); + assert_int_equal(ret, EOK); + assert_non_null(ctx); + assert_null(ctx->prio_list); + + ret = sss_certmap_add_rule(ctx, 100, + "KRB5:CN=Certificate Authority,O=IPA.DEVEL", + 
"LDAP:rule100={issuer_dn}{subject_dn}", NULL); + assert_int_equal(ret, 0); + + ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der), + sizeof(test_cert_der), + &filter, &domains); + assert_int_equal(ret, 0); + assert_non_null(filter); + assert_string_equal(filter, "rule100=CN=Certificate Authority,O=IPA.DEVEL" + "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); + assert_null(domains); + + ret = sss_certmap_add_rule(ctx, 99, + "KRB5:CN=Certificate Authority,O=IPA.DEVEL", + "LDAP:rule99={issuer_dn}{subject_dn}", + dom_list); + assert_int_equal(ret, 0); + ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der), + sizeof(test_cert_der), + &filter, &domains); + assert_int_equal(ret, 0); + assert_non_null(filter); + assert_string_equal(filter, "rule99=CN=Certificate Authority,O=IPA.DEVEL" + "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); + assert_non_null(domains); + assert_string_equal(domains[0], "test.dom"); + assert_null(domains[1]); + + ret = sss_certmap_add_rule(ctx, 98, + "KRB5:CN=Certificate Authority,O=IPA.DEVEL", + "LDAP:rule98=userCertificate;binary={cert!bin}", + dom_list); + assert_int_equal(ret, 0); + ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der), + sizeof(test_cert_der), + &filter, &domains); + assert_int_equal(ret, 0); + assert_non_null(filter); + assert_string_equal(filter, "rule98=userCertificate;binary=" TEST_CERT_BIN); + assert_non_null(domains); + assert_string_equal(domains[0], "test.dom"); + assert_null(domains[1]); + + ret = sss_certmap_add_rule(ctx, 97, + "KRB5:CN=Certificate Authority,O=IPA.DEVEL", + "LDAP:rule97={issuer_dn!nss_x500}{subject_dn}", + dom_list); + assert_int_equal(ret, 0); + ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der), + sizeof(test_cert_der), + &filter, &domains); + assert_int_equal(ret, 0); + assert_non_null(filter); + assert_string_equal(filter, "rule97=O=IPA.DEVEL,CN=Certificate Authority" + "CN=ipa-devel.ipa.devel,O=IPA.DEVEL"); + assert_non_null(domains); + 
assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 96,
+ "KRB5:CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:rule96={issuer_dn!nss_x500}{subject_dn!nss_x500}",
+ dom_list);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "rule96=O=IPA.DEVEL,CN=Certificate Authority"
+ "O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+ ret = sss_certmap_add_rule(ctx, 95,
+ "KRB5:CN=Certificate Authority,O=IPA.DEVEL",
+ NULL, NULL);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT_BIN ")");
+ assert_null(domains);
+
+ ret = sss_certmap_add_rule(ctx, 94,
+ "KRB5:CN=Certificate Authority,O=IPA.DEVEL",
+ "LDAP:rule94={issuer_dn!ad_x500}{subject_dn!ad_x500}",
+ dom_list);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert_der),
+ sizeof(test_cert_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "rule94=O=IPA.DEVEL,CN=Certificate Authority"
+ "O=IPA.DEVEL,CN=ipa-devel.ipa.devel");
+ assert_non_null(domains);
+ assert_string_equal(domains[0], "test.dom");
+ assert_null(domains[1]);
+
+
+ ret = sss_certmap_add_rule(ctx, 89, NULL,
+ "(rule89={subject_nt_principal})",
+ NULL);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "(rule89=tu1@ad.devel)");
+ assert_null(domains);
+
+ ret = sss_certmap_add_rule(ctx, 88, NULL,
+ "(rule88={subject_nt_principal.short_name})",
+ NULL);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "(rule88=tu1)");
+ assert_null(domains);
+
+ ret = sss_certmap_add_rule(ctx, 87, NULL,
+ "LDAP:rule87={issuer_dn!nss_x500}{subject_dn!nss_x500}",
+ NULL);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "rule87=DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
+ "DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
+ assert_null(domains);
+
+ ret = sss_certmap_add_rule(ctx, 86, NULL,
+ "LDAP:rule86={issuer_dn!ad_x500}{subject_dn!ad_x500}",
+ NULL);
+ assert_int_equal(ret, 0);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "rule86=DC=devel,DC=ad,CN=ad-AD-SERVER-CA"
+ "DC=devel,DC=ad,CN=Users,CN=t u,E=test.user@email.domain");
+ assert_null(domains);
+
+
+ sss_certmap_free_ctx(ctx);
+
+ /* check defaults when no rules are added yet */
+ ret = sss_certmap_init(NULL, ext_debug, NULL, &ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(ctx);
+ assert_null(ctx->prio_list);
+ ret = sss_certmap_get_search_filter(ctx, discard_const(test_cert2_der),
+ sizeof(test_cert2_der),
+ &filter, &domains);
+ assert_int_equal(ret, 0);
+ assert_non_null(filter);
+ assert_string_equal(filter, "(userCertificate;binary=" TEST_CERT2_BIN")");
+ assert_null(domains);
+
+ sss_certmap_free_ctx(ctx);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_sss_certmap_init),
+ cmocka_unit_test(test_sss_certmap_add_rule),
+ cmocka_unit_test(test_sss_certmap_add_matching_rule),
+ cmocka_unit_test(test_check_ad_attr_name),
+ cmocka_unit_test(test_sss_cert_get_content),
+ cmocka_unit_test(test_sss_cert_get_content_2),
+#ifdef HAVE_TEST_CA
+ cmocka_unit_test(test_sss_cert_get_content_test_cert_0003),
+#endif
+ cmocka_unit_test(test_sss_certmap_match_cert),
+ cmocka_unit_test(test_sss_certmap_add_mapping_rule),
+ cmocka_unit_test(test_sss_certmap_get_search_filter),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+#ifdef HAVE_NSS
+ nspr_nss_init();
+#endif
+
+ tests_set_cwd();
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+#ifdef HAVE_NSS
+ /* Cleanup NSS and NSPR to make Valgrind happy. */
+ nspr_nss_cleanup();
+#endif
+
+#ifdef HAVE_LIBCRYPTO
+ CRYPTO_cleanup_all_ex_data(); /* to make Valgrind happy */
+#endif
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_child_common.c b/src/tests/cmocka/test_child_common.c
new file mode 100644
index 0000000..5cf460b
--- /dev/null
+++ b/src/tests/cmocka/test_child_common.c
@@ -0,0 +1,560 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: Child handlers + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/child_common.h" +#include "tests/cmocka/common_mock.h" + +#define TEST_BIN "dummy-child" +#define ECHO_STR "Hello child" + +static int destructor_called; + +struct child_test_ctx { + int pipefd_to_child[2]; + int pipefd_from_child[2]; + + struct sss_test_ctx *test_ctx; + + int save_debug_timestamps; +}; + +static int child_test_setup(void **state) +{ + struct child_test_ctx *child_tctx; + errno_t ret; + + assert_true(leak_check_setup()); + + child_tctx = talloc(global_talloc_context, struct child_test_ctx); + assert_non_null(child_tctx); + + child_tctx->test_ctx = create_ev_test_ctx(child_tctx); + assert_non_null(child_tctx->test_ctx); + + ret = pipe(child_tctx->pipefd_from_child); + assert_int_not_equal(ret, -1); + DEBUG(SSSDBG_TRACE_LIBS, "from_child: %d:%d\n", + child_tctx->pipefd_from_child[0], + child_tctx->pipefd_from_child[1]); + + ret = pipe(child_tctx->pipefd_to_child); + assert_int_not_equal(ret, -1); + DEBUG(SSSDBG_TRACE_LIBS, "to_child: %d:%d\n", + child_tctx->pipefd_to_child[0], + child_tctx->pipefd_to_child[1]); + + *state = child_tctx; + return 0; +} + +static int child_test_teardown(void **state) +{ + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); 
+ + talloc_free(child_tctx); + + assert_true(leak_check_teardown()); + return 0; +} + +/* Just make sure the exec works. The child does nothing but exits */ +void test_exec_child(void **state) +{ + errno_t ret; + pid_t child_pid; + int status; + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + + child_pid = fork(); + assert_int_not_equal(child_pid, -1); + if (child_pid == 0) { + exec_child(child_tctx, + child_tctx->pipefd_to_child, + child_tctx->pipefd_from_child, + CHILD_DIR"/"TEST_BIN, 2); + } else { + do { + errno = 0; + ret = waitpid(child_pid, &status, 0); + } while (ret == -1 && errno == EINTR); + + if (ret > 0) { + ret = EIO; + if (WIFEXITED(status)) { + ret = WEXITSTATUS(status); + assert_int_equal(ret, 0); + } + } else { + DEBUG(SSSDBG_FUNC_DATA, + "Failed to wait for children %d\n", child_pid); + ret = EIO; + } + } +} + +static int only_extra_args_setup(void **state) +{ + struct child_test_ctx *child_tctx; + errno_t ret; + + ret = child_test_setup((void **) &child_tctx); + if (ret != 0) { + return ret; + } + + child_tctx->save_debug_timestamps = debug_timestamps; + *state = child_tctx; + + return 0; +} + +static int only_extra_args_teardown(void **state) +{ + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + errno_t ret; + + debug_timestamps = child_tctx->save_debug_timestamps; + ret = child_test_teardown((void **) &child_tctx); + if (ret != 0) { + return ret; + } + + return 0; +} + +static void extra_args_test(struct child_test_ctx *child_tctx, + bool extra_args_only) +{ + pid_t child_pid; + errno_t ret; + int status; + + const char *extra_args[] = { "--guitar=george", + "--drums=ringo", + NULL }; + + child_pid = fork(); + assert_int_not_equal(child_pid, -1); + if (child_pid == 0) { + debug_timestamps = 1; + + exec_child_ex(child_tctx, + child_tctx->pipefd_to_child, + child_tctx->pipefd_from_child, + CHILD_DIR"/"TEST_BIN, 2, extra_args, + extra_args_only, + STDIN_FILENO, 
STDOUT_FILENO); + } else { + do { + errno = 0; + ret = waitpid(child_pid, &status, 0); + } while (ret == -1 && errno == EINTR); + + if (ret > 0) { + ret = EIO; + if (WIFEXITED(status)) { + ret = WEXITSTATUS(status); + assert_int_equal(ret, 0); + } + } else { + DEBUG(SSSDBG_FUNC_DATA, + "Failed to wait for children %d\n", child_pid); + ret = EIO; + } + } +} + +/* Make sure extra arguments are passed correctly */ +void test_exec_child_extra_args(void **state) +{ + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + setenv("TEST_CHILD_ACTION", "check_extra_args", 1); + extra_args_test(child_tctx, false); +} + +/* Make sure extra arguments are passed correctly */ +void test_exec_child_only_extra_args(void **state) +{ + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + setenv("TEST_CHILD_ACTION", "check_only_extra_args", 1); + extra_args_test(child_tctx, true); +} + +void test_exec_child_only_extra_args_neg(void **state) +{ + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + setenv("TEST_CHILD_ACTION", "check_only_extra_args_neg", 1); + extra_args_test(child_tctx, false); +} + +struct tevent_req *echo_child_write_send(TALLOC_CTX *mem_ctx, + struct child_test_ctx *child_tctx, + struct child_io_fds *io_fds, + const char *input); +static void echo_child_write_done(struct tevent_req *subreq); +static void echo_child_read_done(struct tevent_req *subreq); + +int __real_child_io_destructor(void *ptr); + +int __wrap_child_io_destructor(void *ptr) +{ + destructor_called = 1; + return __real_child_io_destructor(ptr); +} + +/* Test that writing to the pipes works as expected */ +void test_exec_child_io_destruct(void **state) +{ + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + struct child_io_fds *io_fds; + + io_fds = talloc(child_tctx, struct child_io_fds); + io_fds->read_from_child_fd = -1; + io_fds->write_to_child_fd = -1; + 
assert_non_null(io_fds); + talloc_set_destructor((void *) io_fds, child_io_destructor); + + io_fds->read_from_child_fd = child_tctx->pipefd_from_child[0]; + io_fds->write_to_child_fd = child_tctx->pipefd_to_child[1]; + + destructor_called = 0; + talloc_free(io_fds); + assert_int_equal(destructor_called, 1); + + errno = 0; + close(child_tctx->pipefd_from_child[0]); + assert_int_equal(errno, EBADF); + + errno = 0; + close(child_tctx->pipefd_from_child[1]); + assert_int_equal(errno, 0); + + errno = 0; + close(child_tctx->pipefd_to_child[0]); + assert_int_equal(errno, 0); + + errno = 0; + close(child_tctx->pipefd_to_child[1]); + assert_int_equal(errno, EBADF); +} + +void test_child_cb(int child_status, + struct tevent_signal *sige, + void *pvt); + +/* Test that writing to the pipes works as expected */ +void test_exec_child_handler(void **state) +{ + errno_t ret; + pid_t child_pid; + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + struct sss_child_ctx_old *child_old_ctx; + + ret = unsetenv("TEST_CHILD_ACTION"); + assert_int_equal(ret, 0); + + child_pid = fork(); + assert_int_not_equal(child_pid, -1); + if (child_pid == 0) { + exec_child(child_tctx, + child_tctx->pipefd_to_child, + child_tctx->pipefd_from_child, + CHILD_DIR"/"TEST_BIN, 2); + } + + ret = child_handler_setup(child_tctx->test_ctx->ev, child_pid, + test_child_cb, child_tctx, &child_old_ctx); + assert_int_equal(ret, EOK); + + ret = test_ev_loop(child_tctx->test_ctx); + assert_int_equal(ret, EOK); + assert_int_equal(child_tctx->test_ctx->error, 0); +} + +void test_child_cb(int child_status, + struct tevent_signal *sige, + void *pvt) +{ + struct child_test_ctx *child_ctx = talloc_get_type(pvt, struct child_test_ctx); + + child_ctx->test_ctx->error = EIO; + if (WIFEXITED(child_status) && WEXITSTATUS(child_status) == 0) { + child_ctx->test_ctx->error = 0; + } + + child_ctx->test_ctx->done = true; +} + +/* Test that writing to the pipes works as expected */ +void 
test_exec_child_echo(void **state) +{ + errno_t ret; + pid_t child_pid; + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + struct tevent_req *req; + struct child_io_fds *io_fds; + + setenv("TEST_CHILD_ACTION", "echo", 1); + + io_fds = talloc(child_tctx, struct child_io_fds); + assert_non_null(io_fds); + io_fds->read_from_child_fd = -1; + io_fds->write_to_child_fd = -1; + talloc_set_destructor((void *) io_fds, child_io_destructor); + + child_pid = fork(); + assert_int_not_equal(child_pid, -1); + if (child_pid == 0) { + exec_child_ex(child_tctx, + child_tctx->pipefd_to_child, + child_tctx->pipefd_from_child, + CHILD_DIR"/"TEST_BIN, 2, NULL, false, + STDIN_FILENO, 3); + } + + DEBUG(SSSDBG_FUNC_DATA, "Forked into %d\n", child_pid); + + io_fds->read_from_child_fd = child_tctx->pipefd_from_child[0]; + close(child_tctx->pipefd_from_child[1]); + io_fds->write_to_child_fd = child_tctx->pipefd_to_child[1]; + close(child_tctx->pipefd_to_child[0]); + + sss_fd_nonblocking(io_fds->write_to_child_fd); + sss_fd_nonblocking(io_fds->read_from_child_fd); + + ret = child_handler_setup(child_tctx->test_ctx->ev, child_pid, + NULL, NULL, NULL); + assert_int_equal(ret, EOK); + + req = echo_child_write_send(child_tctx, child_tctx, io_fds, ECHO_STR); + assert_non_null(req); + + ret = test_ev_loop(child_tctx->test_ctx); + talloc_free(io_fds); + assert_int_equal(ret, EOK); +} + +struct test_exec_echo_state { + struct child_io_fds *io_fds; + struct io_buffer buf; + struct child_test_ctx *child_test_ctx; +}; + +struct tevent_req *echo_child_write_send(TALLOC_CTX *mem_ctx, + struct child_test_ctx *child_tctx, + struct child_io_fds *io_fds, + const char *input) +{ + struct tevent_req *req; + struct tevent_req *subreq; + struct test_exec_echo_state *echo_state; + + req = tevent_req_create(mem_ctx, &echo_state, struct test_exec_echo_state); + assert_non_null(req); + + echo_state->child_test_ctx = child_tctx; + + echo_state->buf.data = (unsigned char *) 
talloc_strdup(echo_state, input); + assert_non_null(echo_state->buf.data); + echo_state->buf.size = strlen(input) + 1; + echo_state->io_fds = io_fds; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Writing..\n"); + subreq = write_pipe_send(child_tctx, child_tctx->test_ctx->ev, + echo_state->buf.data, echo_state->buf.size, + echo_state->io_fds->write_to_child_fd); + assert_non_null(subreq); + tevent_req_set_callback(subreq, echo_child_write_done, req); + + return req; +} + +static void echo_child_write_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct test_exec_echo_state *echo_state; + errno_t ret; + + req = tevent_req_callback_data(subreq, struct tevent_req); + echo_state = tevent_req_data(req, struct test_exec_echo_state); + + ret = write_pipe_recv(subreq); + DEBUG(SSSDBG_TRACE_INTERNAL, "Writing OK\n"); + talloc_zfree(subreq); + assert_int_equal(ret, EOK); + + close(echo_state->io_fds->write_to_child_fd); + echo_state->io_fds->write_to_child_fd = -1; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Reading..\n"); + subreq = read_pipe_send(echo_state, + echo_state->child_test_ctx->test_ctx->ev, + echo_state->io_fds->read_from_child_fd); + assert_non_null(subreq); + tevent_req_set_callback(subreq, echo_child_read_done, req); +} + +static void echo_child_read_done(struct tevent_req *subreq) +{ + struct tevent_req *req; + struct test_exec_echo_state *echo_state; + errno_t ret; + ssize_t len; + uint8_t *buf; + + req = tevent_req_callback_data(subreq, struct tevent_req); + echo_state = tevent_req_data(req, struct test_exec_echo_state); + + ret = read_pipe_recv(subreq, echo_state, &buf, &len); + talloc_zfree(subreq); + DEBUG(SSSDBG_TRACE_INTERNAL, "Reading OK\n"); + assert_int_equal(ret, EOK); + + close(echo_state->io_fds->read_from_child_fd); + echo_state->io_fds->read_from_child_fd = -1; + + assert_string_equal(buf, echo_state->buf.data); + echo_state->child_test_ctx->test_ctx->done = true; +} + +void sss_child_cb(int pid, int wait_status, void *pvt); + +/* Just make sure the 
exec works. The child does nothing but exits */ +void test_sss_child(void **state) +{ + errno_t ret; + pid_t child_pid; + struct child_test_ctx *child_tctx = talloc_get_type(*state, + struct child_test_ctx); + struct sss_sigchild_ctx *sc_ctx; + struct sss_child_ctx *sss_child; + + ret = unsetenv("TEST_CHILD_ACTION"); + assert_int_equal(ret, 0); + + ret = sss_sigchld_init(child_tctx, child_tctx->test_ctx->ev, &sc_ctx); + assert_int_equal(ret, EOK); + + child_pid = fork(); + assert_int_not_equal(child_pid, -1); + if (child_pid == 0) { + exec_child(child_tctx, + child_tctx->pipefd_to_child, + child_tctx->pipefd_from_child, + CHILD_DIR"/"TEST_BIN, 2); + } + + ret = sss_child_register(child_tctx, sc_ctx, + child_pid, + sss_child_cb, + child_tctx, &sss_child); + assert_int_equal(ret, EOK); + + ret = test_ev_loop(child_tctx->test_ctx); + assert_int_equal(ret, EOK); + assert_int_equal(child_tctx->test_ctx->error, 0); +} + +void sss_child_cb(int pid, int wait_status, void *pvt) +{ + struct child_test_ctx *child_ctx = talloc_get_type(pvt, struct child_test_ctx); + + child_ctx->test_ctx->error = EIO; + if (WIFEXITED(wait_status) && WEXITSTATUS(wait_status) == 0) { + child_ctx->test_ctx->error = 0; + } + + child_ctx->test_ctx->done = true; +} + +int main(int argc, const char *argv[]) +{ + int rv; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_exec_child, + child_test_setup, + child_test_teardown), + cmocka_unit_test_setup_teardown(test_exec_child_extra_args, + child_test_setup, + child_test_teardown), + cmocka_unit_test_setup_teardown(test_exec_child_io_destruct, + child_test_setup, + child_test_teardown), + cmocka_unit_test_setup_teardown(test_exec_child_handler, + child_test_setup, + child_test_teardown), + cmocka_unit_test_setup_teardown(test_exec_child_echo, + child_test_setup, + child_test_teardown), + 
cmocka_unit_test_setup_teardown(test_sss_child, + child_test_setup, + child_test_teardown), + cmocka_unit_test_setup_teardown(test_exec_child_only_extra_args, + only_extra_args_setup, + only_extra_args_teardown), + cmocka_unit_test_setup_teardown(test_exec_child_only_extra_args_neg, + only_extra_args_setup, + only_extra_args_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + return rv; +} diff --git a/src/tests/cmocka/test_config_check.c b/src/tests/cmocka/test_config_check.c new file mode 100644 index 0000000..a2958de --- /dev/null +++ b/src/tests/cmocka/test_config_check.c 
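Review bot: In `test_exec_child_io_destruct` the result of `talloc()` is dereferenced before it is checked: both `io_fds->..._fd = -1;` assignments come ahead of `assert_non_null(io_fds);`, so an allocation failure crashes the test binary instead of failing the test. Move the check directly after the allocation, `io_fds = talloc(child_tctx, struct child_io_fds); assert_non_null(io_fds);`, which is the order `test_exec_child_echo` already uses. The comment above this test and above `test_exec_child_handler` is copied from the echo test ("Test that writing to the pipes works as expected") and describes neither; I would use `/* Test that freeing child_io_fds closes the two descriptors it owns */` and `/* Test that the child handler reports the child's exit status to the callback */`.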
@@ -0,0 +1,308 @@
+/*
+ Authors:
+ Michal Zidek
+
+ Copyright (C) 2017 Red Hat
+
+ Config file validators test
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/sss_ini.h"
+#include "tests/cmocka/common_mock.h"
+
+#ifdef HAVE_LIBINI_CONFIG_V1_3
+
+#define RULES_PATH ABS_SRC_DIR"/src/config/cfg_rules.ini"
+
+struct sss_ini_initdata {
+ char **error_list;
+ struct ref_array *ra_success_list;
+ struct ref_array *ra_error_list;
+ struct ini_cfgobj *sssd_config;
+ struct value_obj *obj;
+ const struct stat *cstat;
+ struct ini_cfgfile *file;
+};
+
+void config_check_test_common(const char *cfg_string,
+ size_t num_errors_expected,
+ const char **errors_expected)
+{
+ struct sss_ini_initdata *init_data;
+ size_t num_errors;
+ char **strs;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(tmp_ctx);
+
+ init_data = sss_ini_initdata_init(tmp_ctx);
+
+ ret = ini_config_file_from_mem(discard_const(cfg_string),
+ strlen(cfg_string),
+ &init_data->file);
+ assert_int_equal(ret, EOK);
+
+ ret = ini_config_create(&(init_data->sssd_config));
+ assert_int_equal(ret, EOK);
+
+ ret = ini_config_parse(init_data->file,
+ INI_STOP_ON_ANY,
+ INI_MV1S_OVERWRITE,
+ INI_PARSE_NOWRAP,
+ init_data->sssd_config);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ini_call_validators_strs(tmp_ctx, init_data,
+ RULES_PATH,
+ &strs, &num_errors);
+ assert_int_equal(ret, EOK);
+
+ /* Output from validators */
+ for (int i = 0; i < num_errors; i++) {
+ /* Keep this printf loop for faster debugging */
+ printf("%s\n", strs[i]);
+ }
+ assert_int_equal(num_errors, num_errors_expected);
+
+ for (int i = 0; i < num_errors && i <= num_errors_expected; i++) {
+ assert_string_equal(strs[i], errors_expected[i]);
+ }
+
+ /* Check if the number of errors is the same */
+ assert_int_equal(num_errors_expected, num_errors);
+
+ sss_ini_close_file(init_data);
+ sss_ini_config_destroy(init_data);
+ talloc_free(tmp_ctx);
+}
+
+void config_check_test_bad_section_name(void **state)
+{
+ char cfg_str[] = "[sssssssssssssd]";
+ const char *expected_errors[] = {
+ "[rule/allowed_sections]: Section [sssssssssssssd] is not allowed. "
+ "Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_too_many_subdomains(void **state)
+{
+ char cfg_str[] = "[domain/ad.test/b.test/c.test]";
+ const char *expected_errors[] = {
+ "[rule/allowed_sections]: Section [domain/ad.test/b.test/c.test] is not allowed. "
+ "Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_sssd_option_name(void **state)
+{
+ char cfg_str[] = "[sssd]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_sssd_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'sssd'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_pam_option_name(void **state)
+{
+ char cfg_str[] = "[pam]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_pam_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'pam'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_nss_option_name(void **state)
+{
+ char cfg_str[] = "[nss]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_nss_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'nss'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_pac_option_name(void **state)
+{
+ char cfg_str[] = "[pac]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_pac_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'pac'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_ifp_option_name(void **state)
+{
+ char cfg_str[] = "[ifp]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_ifp_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'ifp'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_domain_option_name(void **state)
+{
+ char cfg_str[] = "[domain/A.test]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_subdomain_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'domain/A.test'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_appdomain_option_name(void **state)
+{
+ char cfg_str[] = "[application/myapp]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_domain_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'application/myapp'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_bad_subdom_option_name(void **state)
+{
+ char cfg_str[] = "[domain/A.test/B.A.test]\n"
+ "debug_leTYPOvel = 10\n";
+ const char *expected_errors[] = {
+ "[rule/allowed_subdomain_options]: Attribute 'debug_leTYPOvel' is not "
+ "allowed in section 'domain/A.test/B.A.test'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_good_sections(void **state)
+{
+ char cfg_str[] = "[sssd]\n"
+ "[pam]\n"
+ "[nss]\n"
+ "[domain/testdom.test]\n"
+ "[domain/testdom.test/testsubdom.testdom.test]\n"
+ "[application/myapp]\n"
+ "[secrets]\n"
+ "[secrets/users/1000]\n"
+ "[ssh]\n"
+ "[ifp]\n"
+ "[pac]\n";
+ const char *expected_errors[] = { NULL };
+
+ config_check_test_common(cfg_str, 0, expected_errors);
+}
+
+void config_check_test_inherit_from_in_normal_dom(void **state)
+{
+ char cfg_str[] = "[domain/A.test]\n"
+ "inherit_from = domain\n";
+ const char *expected_errors[] = {
+ "[rule/sssd_checks]: Attribute 'inherit_from' is not allowed in "
+ "section 'domain/A.test'. Check for typos.",
+ };
+
+ config_check_test_common(cfg_str, 1, expected_errors);
+}
+
+void config_check_test_inherit_from_in_app_dom(void **state)
+{
+ char cfg_str[] = "[application/A.test]\n"
+ "inherit_from = domain\n";
+ const char *expected_errors[] = { NULL };
+
+ config_check_test_common(cfg_str, 0, expected_errors);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(config_check_test_bad_section_name),
+ cmocka_unit_test(config_check_test_too_many_subdomains),
+ cmocka_unit_test(config_check_test_bad_sssd_option_name),
+ cmocka_unit_test(config_check_test_bad_pam_option_name),
+ cmocka_unit_test(config_check_test_bad_nss_option_name),
+ cmocka_unit_test(config_check_test_bad_pac_option_name),
+ cmocka_unit_test(config_check_test_bad_ifp_option_name),
+ cmocka_unit_test(config_check_test_bad_appdomain_option_name),
+ cmocka_unit_test(config_check_test_bad_subdom_option_name),
+ cmocka_unit_test(config_check_test_good_sections),
+ cmocka_unit_test(config_check_test_inherit_from_in_normal_dom),
+ cmocka_unit_test(config_check_test_inherit_from_in_app_dom),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+ tests_set_cwd();
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
+
+#else /* !HAVE_LIBINI_CONFIG_V1_3 */
+
+int main(int argc, const char *argv[])
+{
+ fprintf(stderr, "%s requires newer version of libini\n", argv[0]);
+ return 0;
+}
+
+#endif /* HAVE_LIBINI_CONFIG_V1_3 */
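Review bot: `config_check_test_bad_domain_option_name` is defined but never listed in `tests[]` in `main`, so the validator's handling of a mistyped option in a plain `[domain/...]` section is not exercised; add `cmocka_unit_test(config_check_test_bad_domain_option_name),`. Its expected message names `rule/allowed_subdomain_options` for `domain/A.test` while the application-domain case expects `rule/allowed_domain_options`, which may be swapped and should be confirmed against `cfg_rules.ini` once the test actually runs. In `config_check_test_common` the loop bound `i <= num_errors_expected` permits an index one past the end of `errors_expected`; it should be `i < num_errors_expected`, with a `size_t` index to match `num_errors`. The return of `sss_ini_initdata_init()` is also used without an `assert_non_null(init_data);`.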
diff --git a/src/tests/cmocka/test_copy_ccache.c b/src/tests/cmocka/test_copy_ccache.c
new file mode 100644
index 0000000..84225b6
--- /dev/null
+++ b/src/tests/cmocka/test_copy_ccache.c
@@ -0,0 +1,240 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: Tests ccache utilities
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "util/sss_krb5.h"
+#include "providers/krb5/krb5_common.h"
+#include "providers/krb5/krb5_ccache.h"
+#include "tests/cmocka/common_mock.h"
+
+#define CCACHE_TEST_CLIENT_PRINC "test/client@TEST.CCACHE"
+#define CCACHE_TEST_SERVER_PRINC "test/server@TEST.CCACHE"
+#define CCACHE_PATH TEST_DIR "/ccache_test.ccache"
+
+struct ccache_test_ctx {
+ krb5_context kctx;
+ const char *ccache_file_name;
+ krb5_principal client_principal;
+ krb5_principal server_principal;
+};
+
+static int setup_ccache(void **state)
+{
+ struct ccache_test_ctx *test_ctx;
+ krb5_error_code kerr;
+ krb5_ccache ccache;
+ krb5_creds test_creds;
+ static krb5_address addr;
+ int add=0x12345;
+ krb5_authdata *a;
+
+ static krb5_address *addrs[] = {
+ &addr,
+ NULL,
+ };
+
+ assert_true(leak_check_setup());
+
+
+ test_ctx = talloc_zero(global_talloc_context, struct ccache_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = krb5_init_context(&test_ctx->kctx);
+ assert_int_equal(kerr, 0);
+
+ addr.magic = KV5M_ADDRESS;
+ addr.addrtype = ADDRTYPE_INET;
+ addr.length = 4;
+ addr.contents = (krb5_octet *) &add;
+
+ memset(&test_creds, 0, sizeof(test_creds));
+ test_creds.magic = KV5M_CREDS;
+ kerr = krb5_parse_name(test_ctx->kctx, CCACHE_TEST_CLIENT_PRINC,
+ &test_ctx->client_principal);
+ assert_int_equal(kerr, 0);
+ test_creds.client = test_ctx->client_principal;
+ kerr = krb5_parse_name(test_ctx->kctx, CCACHE_TEST_SERVER_PRINC,
+ &test_ctx->server_principal);
+ assert_int_equal(kerr, 0);
+ test_creds.server = test_ctx->server_principal;
+
+ test_creds.keyblock.magic = KV5M_KEYBLOCK;
+ test_creds.keyblock.contents = 0;
+ test_creds.keyblock.enctype = 1;
+ test_creds.keyblock.length = 1;
+ test_creds.keyblock.contents = (unsigned char *) discard_const("1");
+ test_creds.times.authtime = 1111;
+ test_creds.times.starttime = 2222;
+ test_creds.times.endtime = 3333;
+ test_creds.times.renew_till = 4444;
+ test_creds.is_skey = 1;
+ test_creds.ticket_flags = 5555;
+ test_creds.addresses = addrs;
+
+ test_creds.ticket.magic = KV5M_DATA;
+ test_creds.ticket.length = sizeof("Ticket");
+ test_creds.ticket.data = discard_const("Ticket");
+
+ test_creds.authdata = malloc (2 * sizeof(krb5_authdata *));
+ assert_non_null(test_creds.authdata);
+
+ a = (krb5_authdata *) malloc(sizeof(krb5_authdata));
+ assert_non_null(a);
+
+ a->magic = KV5M_AUTHDATA;
+ a->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+ a->contents = (krb5_octet * ) malloc(1);
+ assert_non_null(a->contents);
+ a->contents[0]=5;
+ a->length = 1;
+ test_creds.authdata[0] = a;
+ test_creds.authdata[1] = NULL;
+
+
+ test_ctx->ccache_file_name = "FILE:" CCACHE_PATH;
+
+ kerr = krb5_cc_resolve(test_ctx->kctx, test_ctx->ccache_file_name,
+ &ccache);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_cc_initialize(test_ctx->kctx, ccache, test_creds.client);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_cc_store_cred(test_ctx->kctx, ccache, &test_creds);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_cc_close(test_ctx->kctx, ccache);
+ assert_int_equal(kerr, 0);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+
+ krb5_free_authdata(test_ctx->kctx, test_creds.authdata);
+ return 0;
+}
+
+static int teardown_ccache(void **state)
+{
+ int ret;
+ struct ccache_test_ctx *test_ctx = talloc_get_type(*state,
+ struct ccache_test_ctx);
+ assert_non_null(test_ctx);
+
+ krb5_free_principal(test_ctx->kctx, test_ctx->client_principal);
+ krb5_free_principal(test_ctx->kctx, test_ctx->server_principal);
+ krb5_free_context(test_ctx->kctx);
+
+ ret = unlink(CCACHE_PATH);
+ assert_int_equal(ret, 0);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_copy_ccache(void **state)
+{
+ krb5_error_code kerr;
+ char *mem_ccache_name;
+ krb5_ccache ccache;
+ krb5_creds mcreds;
+ krb5_creds creds;
+ krb5_principal mem_principal;
+ struct ccache_test_ctx *test_ctx = talloc_get_type(*state,
+ struct ccache_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = copy_ccache_into_memory(test_ctx, test_ctx->kctx,
+ test_ctx->ccache_file_name,
+ &mem_ccache_name);
+ assert_int_equal(kerr, 0);
+ assert_non_null(mem_ccache_name);
+
+ kerr = krb5_cc_resolve(test_ctx->kctx, mem_ccache_name, &ccache);
+ assert_int_equal(kerr, 0);
+
+ talloc_free(mem_ccache_name);
+
+ kerr = krb5_cc_get_principal(test_ctx->kctx, ccache, &mem_principal);
+ assert_int_equal(kerr, 0);
+ assert_non_null(mem_principal);
+
+ assert_true(krb5_principal_compare(test_ctx->kctx, mem_principal,
+ test_ctx->client_principal));
+ krb5_free_principal(test_ctx->kctx, mem_principal);
+
+ memset(&mcreds, 0, sizeof(mcreds));
+ memset(&creds, 0, sizeof(mcreds));
+ mcreds.client = test_ctx->client_principal;
+ mcreds.server = test_ctx->server_principal;
+ kerr = krb5_cc_retrieve_cred(test_ctx->kctx, ccache, 0, &mcreds, &creds);
+ assert_int_equal(kerr, 0);
+ krb5_free_cred_contents(test_ctx->kctx, &creds);
+
+ kerr = krb5_cc_destroy(test_ctx->kctx, ccache);
+ assert_int_equal(kerr, 0);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_copy_ccache,
+ setup_ccache, teardown_ccache),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_copy_keytab.c b/src/tests/cmocka/test_copy_keytab.c
new file mode 100644
index 0000000..7d15929
--- /dev/null
+++ b/src/tests/cmocka/test_copy_keytab.c
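Review bot: `test_copy_ccache` asserts only that `krb5_cc_retrieve_cred()` succeeds and never compares the retrieved credential with what `setup_ccache` stored, so a copy that alters or truncates the ticket data would still pass. Before `krb5_free_cred_contents()` I would add `assert_int_equal(creds.ticket.length, sizeof("Ticket"));` and `assert_memory_equal(creds.ticket.data, "Ticket", creds.ticket.length);`. In the same function `memset(&creds, 0, sizeof(mcreds));` should take `sizeof(creds)`; both variables have the same type today, so this is a readability fix only. The comment in `main` says the old DB is removed, but the only call that follows is `tests_set_cwd()`, whose body is not visible here, so the comment should either be dropped or matched by an explicit cleanup of `CCACHE_PATH`.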
@@ -0,0 +1,310 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + SSSD tests: Tests keytab utilities + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/sss_krb5.h" +#include "providers/krb5/krb5_common.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_krb5.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define KEYTAB_TEST_PRINC "test/keytab@TEST.KEYTAB" +#define KEYTAB_PATH TESTS_PATH "/keytab_test.keytab" +#define EMPTY_KEYTAB_PATH TESTS_PATH "/empty_keytab_test.keytab" + +struct keytab_test_ctx { + krb5_context kctx; + const char *keytab_file_name; + krb5_principal principal; +}; + +static int setup_keytab(void **state) +{ + struct keytab_test_ctx *test_ctx; + krb5_error_code kerr; + size_t nkeys = 4; + krb5_keytab_entry keys[nkeys]; + + test_dom_suite_setup(TESTS_PATH); + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct keytab_test_ctx); + assert_non_null(test_ctx); + + kerr = krb5_init_context(&test_ctx->kctx); + assert_int_equal(kerr, 0); + + test_ctx->keytab_file_name = "FILE:" KEYTAB_PATH; + + kerr = krb5_parse_name(test_ctx->kctx, KEYTAB_TEST_PRINC, + &test_ctx->principal); + assert_int_equal(kerr, 0); + + memset(&keys, nkeys, nkeys * sizeof(krb5_keytab_entry)); + + mock_krb5_keytab_entry(&keys[0], test_ctx->principal, 12345, 1, 1, "11"); + mock_krb5_keytab_entry(&keys[1], 
test_ctx->principal, 12345, 1, 2, "12"); + mock_krb5_keytab_entry(&keys[2], test_ctx->principal, 12345, 2, 1, "21"); + mock_krb5_keytab_entry(&keys[3], test_ctx->principal, 12345, 2, 2, "22"); + + kerr = mock_keytab(test_ctx->kctx, test_ctx->keytab_file_name, keys, nkeys); + assert_int_equal(kerr, 0); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int teardown_keytab(void **state) +{ + int ret; + struct keytab_test_ctx *test_ctx = talloc_get_type(*state, + struct keytab_test_ctx); + assert_non_null(test_ctx); + + krb5_free_principal(test_ctx->kctx, test_ctx->principal); + krb5_free_context(test_ctx->kctx); + + ret = unlink(KEYTAB_PATH); + assert_int_equal(ret, 0); + + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + + ret = rmdir(TESTS_PATH); + assert_return_code(ret, errno); + + return 0; +} + +void test_copy_keytab(void **state) +{ + krb5_error_code kerr; + char *mem_keytab_name; + krb5_keytab mem_keytab; + krb5_keytab keytab; + krb5_keytab_entry kent; + struct keytab_test_ctx *test_ctx = talloc_get_type(*state, + struct keytab_test_ctx); + assert_non_null(test_ctx); + + kerr = copy_keytab_into_memory(test_ctx, test_ctx->kctx, + test_ctx->keytab_file_name, + &mem_keytab_name, &mem_keytab); + assert_int_equal(kerr, 0); + assert_non_null(mem_keytab_name); + + kerr = krb5_kt_resolve(test_ctx->kctx, mem_keytab_name, &keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 9, 9, + &kent); + assert_int_not_equal(kerr, 0); + + kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 1, 1, + &kent); + assert_int_equal(kerr, 0); + krb5_free_keytab_entry_contents(test_ctx->kctx, &kent); + + kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 1, 2, + &kent); + assert_int_equal(kerr, 0); + krb5_free_keytab_entry_contents(test_ctx->kctx, &kent); + + kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, 
test_ctx->principal, 2, 1, + &kent); + assert_int_equal(kerr, 0); + krb5_free_keytab_entry_contents(test_ctx->kctx, &kent); + + kerr = krb5_kt_get_entry(test_ctx->kctx, keytab, test_ctx->principal, 2, 2, + &kent); + assert_int_equal(kerr, 0); + krb5_free_keytab_entry_contents(test_ctx->kctx, &kent); + + talloc_free(mem_keytab_name); + + kerr = krb5_kt_close(test_ctx->kctx, keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_close(test_ctx->kctx, mem_keytab); + assert_int_equal(kerr, 0); +} + +void test_sss_krb5_kt_have_content(void **state) +{ + krb5_error_code kerr; + krb5_keytab keytab; + struct keytab_test_ctx *test_ctx = talloc_get_type(*state, + struct keytab_test_ctx); + assert_non_null(test_ctx); + + kerr = krb5_kt_resolve(test_ctx->kctx, test_ctx->keytab_file_name, &keytab); + assert_int_equal(kerr, 0); + + kerr = sss_krb5_kt_have_content(test_ctx->kctx, keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_close(test_ctx->kctx, keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_resolve(test_ctx->kctx, "FILE:" EMPTY_KEYTAB_PATH, &keytab); + assert_int_equal(kerr, 0); + + kerr = sss_krb5_kt_have_content(test_ctx->kctx, keytab); + assert_int_equal(kerr, KRB5_KT_NOTFOUND); + + kerr = krb5_kt_close(test_ctx->kctx, keytab); + assert_int_equal(kerr, 0); + + /* no need to remove EMPTY_KEYTAB_PATH because krb5_kt_close() does not + * create empty keytab files */ +} + +static bool keytab_entries_equal(krb5_keytab_entry kent1, + krb5_keytab_entry kent2) +{ + if (kent1.vno != kent2.vno + || kent1.key.enctype != kent2.key.enctype + || kent1.key.length != kent2.key.length + || memcmp(kent1.key.contents, kent2.key.contents, + kent1.key.length) != 0 ) { + return false; + } + + return true; +} + +void test_copy_keytab_order(void **state) +{ + krb5_error_code kerr; + krb5_error_code kerr_mem; + char *mem_keytab_name; + krb5_keytab mem_keytab; + krb5_kt_cursor mem_cursor; + krb5_keytab_entry mem_kent; + krb5_keytab keytab; + krb5_kt_cursor cursor; + 
krb5_keytab_entry kent; + struct keytab_test_ctx *test_ctx = talloc_get_type(*state, + struct keytab_test_ctx); + assert_non_null(test_ctx); + + kerr = copy_keytab_into_memory(test_ctx, test_ctx->kctx, + test_ctx->keytab_file_name, + &mem_keytab_name, &mem_keytab); + assert_int_equal(kerr, 0); + assert_non_null(mem_keytab_name); + + kerr = krb5_kt_resolve(test_ctx->kctx, mem_keytab_name, &mem_keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_resolve(test_ctx->kctx, test_ctx->keytab_file_name, &keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_start_seq_get(test_ctx->kctx, mem_keytab, &mem_cursor); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_start_seq_get(test_ctx->kctx, keytab, &cursor); + assert_int_equal(kerr, 0); + + while ((kerr = krb5_kt_next_entry(test_ctx->kctx, keytab, &kent, + &cursor)) == 0) { + kerr_mem = krb5_kt_next_entry(test_ctx->kctx, mem_keytab, &mem_kent, + &mem_cursor); + assert_int_equal(kerr_mem, 0); + + assert_true(keytab_entries_equal(kent, mem_kent)); + + krb5_free_keytab_entry_contents(test_ctx->kctx, &kent); + krb5_free_keytab_entry_contents(test_ctx->kctx, &mem_kent); + } + + assert_int_equal(kerr, KRB5_KT_END); + + kerr_mem = krb5_kt_next_entry(test_ctx->kctx, mem_keytab, &mem_kent, + &mem_cursor); + assert_int_equal(kerr_mem, KRB5_KT_END); + + kerr = krb5_kt_end_seq_get(test_ctx->kctx, mem_keytab, &mem_cursor); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_end_seq_get(test_ctx->kctx, keytab, &cursor); + assert_int_equal(kerr, 0); + + talloc_free(mem_keytab_name); + + kerr = krb5_kt_close(test_ctx->kctx, keytab); + assert_int_equal(kerr, 0); + + kerr = krb5_kt_close(test_ctx->kctx, mem_keytab); + assert_int_equal(kerr, 0); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_copy_keytab, + setup_keytab, 
teardown_keytab),
+ cmocka_unit_test_setup_teardown(test_sss_krb5_kt_have_content,
+ setup_keytab, teardown_keytab),
+ cmocka_unit_test_setup_teardown(test_copy_keytab_order,
+ setup_keytab, teardown_keytab),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_data_provider_be.c b/src/tests/cmocka/test_data_provider_be.c
new file mode 100644
index 0000000..a6d6ec8
--- /dev/null
+++ b/src/tests/cmocka/test_data_provider_be.c
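Review bot: In setup_keytab the call `memset(&keys, nkeys, nkeys * sizeof(krb5_keytab_entry));` passes `nkeys` as the fill byte, so the array is filled with 0x04 bytes instead of being zeroed, and any krb5_keytab_entry field that mock_krb5_keytab_entry() does not set keeps a non-zero, non-NULL pattern. The intended call looks like `memset(keys, 0, sizeof(keys));`. Separately, test_copy_keytab_order calls krb5_kt_resolve() into `mem_keytab` right after copy_keytab_into_memory() has already returned a handle in that same variable, so the first handle is overwritten and never closed. Resolving into a separate variable and closing both, as test_copy_keytab does, would keep the two tests consistent.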
@@ -0,0 +1,258 @@ +/* + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "providers/backend.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_be.h" +#include "tests/common.h" + +#define TESTS_PATH "tests_dp_be" +#define TEST_CONF_DB "test_dp_be_conf.ldb" +#define TEST_DOM_NAME "dp_be_test" +#define TEST_ID_PROVIDER "ldap" + +#define OFFLINE_TIMEOUT 2 +#define AS_STR(param) (#param) + +static TALLOC_CTX *global_mock_context = NULL; +static bool global_timer_added; + +struct tevent_timer *__real__tevent_add_timer(struct tevent_context *ev, + TALLOC_CTX *mem_ctx, + struct timeval next_event, + tevent_timer_handler_t handler, + void *private_data, + const char *handler_name, + const char *location); + +struct tevent_timer *__wrap__tevent_add_timer(struct tevent_context *ev, + TALLOC_CTX *mem_ctx, + struct timeval next_event, + tevent_timer_handler_t handler, + void *private_data, + const char *handler_name, + const char *location) +{ + global_timer_added = true; + + return __real__tevent_add_timer(ev, mem_ctx, next_event, + handler, private_data, handler_name, + location); +} + + +struct test_ctx { + struct sss_test_ctx *tctx; + struct be_ctx *be_ctx; +}; + +static int test_setup(void **state) +{ + struct test_ctx *test_ctx = NULL; + struct sss_test_conf_param params[] = { + { "offline_timeout", 
AS_STR(OFFLINE_TIMEOUT) }, + { NULL, NULL }, /* Sentinel */ + }; + + assert_true(leak_check_setup()); + global_mock_context = talloc_new(global_talloc_context); + assert_non_null(global_mock_context); + + test_ctx = talloc_zero(global_talloc_context, struct test_ctx); + assert_non_null(test_ctx); + + test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, + TEST_CONF_DB, TEST_DOM_NAME, + TEST_ID_PROVIDER, params); + assert_non_null(test_ctx->tctx); + + test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx); + assert_non_null(test_ctx->be_ctx); + + test_ctx->be_ctx->domain->subdomains = named_domain(test_ctx, + "subdomains", + test_ctx->be_ctx->domain); + assert_non_null(test_ctx->be_ctx->domain->subdomains); + + *state = test_ctx; + + return 0; +} + +static int test_teardown(void **state) +{ + talloc_zfree(*state); + assert_true(leak_check_teardown()); + return 0; +} + +static void assert_domain_state(struct sss_domain_info *dom, + enum sss_domain_state expected_state) +{ + enum sss_domain_state dom_state; + + dom_state = sss_domain_get_state(dom); + assert_int_equal(dom_state, expected_state); +} + +static void test_mark_subdom_offline_check(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *pvt) +{ + struct test_ctx *test_ctx = talloc_get_type(pvt, struct test_ctx); + + assert_domain_state(test_ctx->be_ctx->domain->subdomains, + DOM_ACTIVE); + + test_ctx->tctx->done = true; + test_ctx->tctx->error = EOK; +} + +static void test_mark_dom_offline(void **state) +{ + struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_domain_state(test_ctx->be_ctx->domain, DOM_ACTIVE); + assert_false(be_is_offline(test_ctx->be_ctx)); + + be_mark_dom_offline(test_ctx->be_ctx->domain, test_ctx->be_ctx); + + assert_true(be_is_offline(test_ctx->be_ctx)); + assert_domain_state(test_ctx->be_ctx->domain, DOM_ACTIVE); +} + +static void test_mark_subdom_offline(void **state) +{ + struct timeval tv; + struct 
tevent_timer *check_ev = NULL; + struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx); + errno_t ret; + + assert_domain_state(test_ctx->be_ctx->domain->subdomains, + DOM_ACTIVE); + assert_false(be_is_offline(test_ctx->be_ctx)); + + global_timer_added = false; + be_mark_dom_offline(test_ctx->be_ctx->domain->subdomains, test_ctx->be_ctx); + assert_domain_state(test_ctx->be_ctx->domain->subdomains, + DOM_INACTIVE); + + /* A timer must be added that resets the state back */ + assert_true(global_timer_added); + + /* Global offline state must not change */ + assert_false(be_is_offline(test_ctx->be_ctx)); + + /* Make sure we don't add a second timer */ + global_timer_added = false; + be_mark_dom_offline(test_ctx->be_ctx->domain->subdomains, test_ctx->be_ctx); + assert_domain_state(test_ctx->be_ctx->domain->subdomains, + DOM_INACTIVE); + assert_false(global_timer_added); + + /* Wait for the internal timer to reset our subdomain back */ + tv = tevent_timeval_current_ofs(OFFLINE_TIMEOUT + 1, 0); + + check_ev = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv, + test_mark_subdom_offline_check, + test_ctx); + if (check_ev == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot create timer\n"); + return; + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void test_mark_subdom_offline_disabled(void **state) +{ + struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx); + + sss_domain_set_state(test_ctx->be_ctx->domain->subdomains, DOM_DISABLED); + assert_domain_state(test_ctx->be_ctx->domain->subdomains, + DOM_DISABLED); + + be_mark_dom_offline(test_ctx->be_ctx->domain->subdomains, test_ctx->be_ctx); + assert_domain_state(test_ctx->be_ctx->domain->subdomains, + DOM_DISABLED); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + int no_cleanup = 0; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not 
delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_mark_dom_offline,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_mark_subdom_offline,
+ test_setup,
+ test_teardown),
+ cmocka_unit_test_setup_teardown(test_mark_subdom_offline_disabled,
+ test_setup,
+ test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+ return rv;
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_deskprofile_utils.c b/src/tests/cmocka/test_deskprofile_utils.c
new file mode 100644
index 0000000..f52741b
--- /dev/null
+++ b/src/tests/cmocka/test_deskprofile_utils.c
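Review bot: test_mark_subdom_offline returns early with only a DEBUG message when tevent_add_timer() yields NULL, so the test is reported as passed without ever checking that the subdomain returns to DOM_ACTIVE. Replace the `if (check_ev == NULL) { ... return; }` block with `assert_non_null(check_ev);` so a failed timer registration fails the test. In main(), the final `return cmocka_run_group_tests(tests, NULL, NULL);` follows an unconditional `return rv;` and is unreachable; it should be dropped.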
@@ -0,0 +1,162 @@ +/* + Authors: + Fabiano Fidêncio + + Copyright (C) 2018 Red Hat + + SSSD tests: Tests for desktop profile utilities functions + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#define _GNU_SOURCE +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "src/providers/ipa/ipa_deskprofile_rules_util.h" + +#define RULES_DIR "/var/lib/sss/deskprofile" +#define DOMAIN "domain.example" +#define USERNAME "user" +#define PRIO "000420" +#define RULE_NAME "rule" +#define EXTENSION "json" +#define USER "000420" +#define GROUP "000000" +#define HOST "000000" +#define HOSTGROUP "000420" + +void test_deskprofile_get_filename_path(void **state) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + char *result = NULL; + const char *results[24]; + + /* All the results are based as: + * user and hostgroup match the rules; + * group and host don't match the rules; + */ + + /* 1 = user, group, host, hostgroup */ + results[0] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"USER"_"GROUP"_"HOST"_"HOSTGROUP"_"RULE_NAME"."EXTENSION; + /* 2 = user, group, hostgroup, host */ + results[1] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"USER"_"GROUP"_"HOSTGROUP"_"HOST"_"RULE_NAME"."EXTENSION; + /* 3 = user, host, group, hostgroup */ + results[2] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"USER"_"HOST"_"GROUP"_"HOSTGROUP"_"RULE_NAME"."EXTENSION; + /* 4 = user, host, hostgroup, group */ + results[3] = 
RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"USER"_"HOST"_"HOSTGROUP"_"GROUP"_"RULE_NAME"."EXTENSION; + /* 5 = user, hostgroup, group, host */ + results[4] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"USER"_"HOSTGROUP"_"GROUP"_"HOST"_"RULE_NAME"."EXTENSION; + /* 6 = user, hostgroup, host, group */ + results[5] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"USER"_"HOSTGROUP"_"HOST"_"GROUP"_"RULE_NAME"."EXTENSION; + /* 7 = group, user, host, hostgroup */ + results[6] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"GROUP"_"USER"_"HOST"_"HOSTGROUP"_"RULE_NAME"."EXTENSION; + /* 8 = group, user, hostgroup, host */ + results[7] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"GROUP"_"USER"_"HOSTGROUP"_"HOST"_"RULE_NAME"."EXTENSION; + /* 9 = group, host, user, hostgroup */ + results[8] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"GROUP"_"HOST"_"USER"_"HOSTGROUP"_"RULE_NAME"."EXTENSION; + /* 10 = group, host, hostgroup, user */ + results[9] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"GROUP"_"HOST"_"HOSTGROUP"_"USER"_"RULE_NAME"."EXTENSION; + /* 11 = group, hostgroup, user, host */ + results[10] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"GROUP"_"HOSTGROUP"_"USER"_"HOST"_"RULE_NAME"."EXTENSION; + /* 12 = group, hostgroup, host, user */ + results[11] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"GROUP"_"HOSTGROUP"_"HOST"_"USER"_"RULE_NAME"."EXTENSION; + /* 13 = host, user, group, hostgroup */ + results[12] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOST"_"USER"_"GROUP"_"HOSTGROUP"_"RULE_NAME"."EXTENSION; + /* 14 = host, user, hostgroup, group */ + results[13] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOST"_"USER"_"HOSTGROUP"_"GROUP"_"RULE_NAME"."EXTENSION; + /* 15 = host, group, user, hostgroup */ + results[14] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOST"_"GROUP"_"USER"_"HOSTGROUP"_"RULE_NAME"."EXTENSION; + /* 16 = host, group, hostgroup, user */ + results[15] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOST"_"GROUP"_"HOSTGROUP"_"USER"_"RULE_NAME"."EXTENSION; + /* 17 = host, hostgroup, user, group */ + results[16] = 
RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOST"_"HOSTGROUP"_"USER"_"GROUP"_"RULE_NAME"."EXTENSION; + /* 18 = host, hostgroup, group, user */ + results[17] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOST"_"HOSTGROUP"_"GROUP"_"USER"_"RULE_NAME"."EXTENSION; + /* 19 = hostgroup, user, group, host */ + results[18] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOSTGROUP"_"USER"_"GROUP"_"HOST"_"RULE_NAME"."EXTENSION; + /* 20 = hostgroup, user, host, group */ + results[19] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOSTGROUP"_"USER"_"HOST"_"GROUP"_"RULE_NAME"."EXTENSION; + /* 21 = hostgroup, group, user, host */ + results[20] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOSTGROUP"_"GROUP"_"USER"_"HOST"_"RULE_NAME"."EXTENSION; + /* 22 = hostgroup, group, host, user */ + results[21] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOSTGROUP"_"GROUP"_"HOST"_"USER"_"RULE_NAME"."EXTENSION; + /* 23 = hostgroup, host, user, group */ + results[22] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOSTGROUP"_"HOST"_"USER"_"GROUP"_"RULE_NAME"."EXTENSION; + /* 24 = hostgroup, host, group, user */ + results[23] = RULES_DIR"/"DOMAIN"/"USERNAME"/"PRIO"_"HOSTGROUP"_"HOST"_"GROUP"_"USER"_"RULE_NAME"."EXTENSION; + + tmp_ctx = talloc_new(NULL); + assert_non_null(tmp_ctx); + + for (uint16_t i = 0; i < 24; i++) { + ret = ipa_deskprofile_get_filename_path(tmp_ctx, + i + 1, + RULES_DIR, + DOMAIN, + USERNAME, + PRIO, + USER, + GROUP, + HOST, + HOSTGROUP, + RULE_NAME, + EXTENSION, + &result); + assert_int_equal(ret, EOK); + assert_string_equal(results[i], result); + + talloc_zfree(result); + } + + talloc_free(tmp_ctx); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_deskprofile_get_filename_path), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ return rv;
+}
diff --git a/src/tests/cmocka/test_domain_resolution_order.c b/src/tests/cmocka/test_domain_resolution_order.c
new file mode 100644
index 0000000..fcbe08b
--- /dev/null
+++ b/src/tests/cmocka/test_domain_resolution_order.c
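Review bot: test_deskprofile_get_filename_path only passes ipa_deskprofile_get_filename_path() the 24 valid ordering selectors (`i + 1` for 1..24) together with fixed, well-formed name components, so nothing pins what the function does with an out-of-range selector such as 0 or 25. Because the result is a file path under RULES_DIR, a negative case is worth adding: call the function with selector 25 and `assert_int_not_equal(ret, EOK);` (the exact error code is not visible here, so confirm it against the implementation). The literal 24 is also repeated as the array size and the loop bound; using `sizeof(results) / sizeof(results[0])` for the bound keeps the two in step.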
@@ -0,0 +1,228 @@ +/* + Authors: + Fabiano Fidêncio + + Copyright (C) 2018 Red Hat + + SSSD tests: Tests for domain resolution order functions + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#define _GNU_SOURCE +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "responder/common/cache_req/cache_req_domain.h" + +#define DOM_COUNT 3 +#define DOMAIN_1 "one.domain.test" +#define DOMAIN_2 "two.domain.test" +#define DOMAIN_3 "three.domain.test" +#define DOMAIN_RESOLUTION_ORDER DOMAIN_2":"DOMAIN_1 +#define LDAP "ldap" +#define FILES "files" + +struct domain_resolution_order_test_ctx { + size_t dom_count; + struct sss_domain_info *dom_list; +}; + +static void test_domain_resolution_order(void **state) +{ + struct domain_resolution_order_test_ctx *test_ctx; + struct cache_req_domain *cr_domains = NULL; + struct cache_req_domain *cr_domain; + const char *expected_order[DOM_COUNT] = { DOMAIN_2, DOMAIN_1, DOMAIN_3 }; + errno_t ret; + size_t c; + + test_ctx = talloc_get_type(*state, + struct domain_resolution_order_test_ctx); + + cr_domains = talloc_zero(test_ctx, struct cache_req_domain); + ret = cache_req_domain_new_list_from_domain_resolution_order( + test_ctx, + test_ctx->dom_list, + DOMAIN_RESOLUTION_ORDER, + &cr_domains); + assert_int_equal(ret, EOK); + + for (c = 0, cr_domain = cr_domains; cr_domain != NULL; + cr_domain = cr_domain->next, c++) { + assert_string_equal(expected_order[c], 
cr_domain->domain->name); + } +} + +static void +test_domain_resolution_order_with_implicit_files_provider(void **state) +{ + struct domain_resolution_order_test_ctx *test_ctx; + struct cache_req_domain *cr_domains = NULL; + struct cache_req_domain *cr_domain; + const char *expected_order[DOM_COUNT] = { DOMAIN_3, DOMAIN_2, DOMAIN_1 }; + errno_t ret; + size_t c; + + test_ctx = talloc_get_type(*state, + struct domain_resolution_order_test_ctx); + + cr_domains = talloc_zero(test_ctx, struct cache_req_domain); + ret = cache_req_domain_new_list_from_domain_resolution_order( + test_ctx, + test_ctx->dom_list, + DOMAIN_RESOLUTION_ORDER, + &cr_domains); + assert_int_equal(ret, EOK); + + for (c = 0, cr_domain = cr_domains; cr_domain != NULL; + cr_domain = cr_domain->next, c++) { + assert_string_equal(expected_order[c], cr_domain->domain->name); + } +} + +static void test_domain_resolution_order_output_fqnames(void **state) +{ + struct domain_resolution_order_test_ctx *test_ctx; + struct cache_req_domain *cr_domains = NULL; + struct cache_req_domain *cr_domain; + errno_t ret; + + test_ctx = talloc_get_type(*state, + struct domain_resolution_order_test_ctx); + + cr_domains = talloc_zero(test_ctx, struct cache_req_domain); + ret = cache_req_domain_new_list_from_domain_resolution_order( + test_ctx, + test_ctx->dom_list, + DOMAIN_RESOLUTION_ORDER, + &cr_domains); + assert_int_equal(ret, EOK); + + for (cr_domain = cr_domains; cr_domain != NULL; + cr_domain = cr_domain->next) { + struct sss_domain_info *dom = cr_domain->domain; + bool expected = !is_files_provider(dom); + bool output_fqnames = sss_domain_info_get_output_fqnames(dom); + + assert_true(expected == output_fqnames); + } +} + +static int setup_domains_list_helper(void **state, bool with_files_provider) +{ + struct domain_resolution_order_test_ctx *test_ctx; + struct sss_domain_info *dom = NULL; + const char *domains[DOM_COUNT] = { DOMAIN_1, DOMAIN_2, DOMAIN_3 }; + const char *providers[DOM_COUNT] = { LDAP, LDAP, LDAP }; 
+ size_t c; + + if (with_files_provider) { + providers[DOM_COUNT - 1] = FILES; + } + + test_ctx = talloc_zero(global_talloc_context, + struct domain_resolution_order_test_ctx); + assert_non_null(test_ctx); + + test_ctx->dom_count = DOM_COUNT; + + for (c = 0; c < test_ctx->dom_count; c++) { + dom = talloc_zero(test_ctx, struct sss_domain_info); + assert_non_null(dom); + + dom->name = talloc_strdup(dom, domains[c]); + assert_non_null(dom->name); + + dom->provider = talloc_strdup(dom, providers[c]); + assert_non_null(dom->provider); + + DLIST_ADD(test_ctx->dom_list, dom); + } + + *state = test_ctx; + return 0; +} + +static int setup_domains_list(void **state) +{ + return setup_domains_list_helper(state, false); +} + +static int setup_domains_list_with_implicit_files_provider(void **state) +{ + return setup_domains_list_helper(state, true); +} + +static int teardown_domains_list(void **state) +{ + struct domain_resolution_order_test_ctx *test_ctx; + + test_ctx = talloc_get_type(*state, + struct domain_resolution_order_test_ctx); + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return 1; + } + + talloc_free(test_ctx); + return 0; +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_domain_resolution_order, + setup_domains_list, + teardown_domains_list), + cmocka_unit_test_setup_teardown( + test_domain_resolution_order_with_implicit_files_provider, + setup_domains_list_with_implicit_files_provider, + teardown_domains_list), + cmocka_unit_test_setup_teardown( + test_domain_resolution_order_output_fqnames, + setup_domains_list_with_implicit_files_provider, + teardown_domains_list), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ return rv;
+}
diff --git a/src/tests/cmocka/test_dp_opts.c b/src/tests/cmocka/test_dp_opts.c
new file mode 100644
index 0000000..8af2442
--- /dev/null
+++ b/src/tests/cmocka/test_dp_opts.c
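Review bot: The ordering loops in test_domain_resolution_order and test_domain_resolution_order_with_implicit_files_provider index `expected_order[c]` without bounding `c` and never check how many entries were walked, so an empty or short list passes vacuously and a list longer than DOM_COUNT reads past the array. Add `assert_true(c < DOM_COUNT);` as the first statement of each loop body and `assert_int_equal(c, DOM_COUNT);` after the loop. Each test also assigns `cr_domains = talloc_zero(test_ctx, struct cache_req_domain);` immediately before passing `&cr_domains` as the output argument; if the callee overwrites that pointer, as its name suggests, the allocation is redundant and can be removed.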
@@ -0,0 +1,528 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: Data Provider Option Tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "providers/data_provider.h" + +#include "tests/cmocka/common_mock.h" + +#define STRING_DEFAULT "stringval" +#define BLOB_DEFAULT "blobval" +#define INT_DEFAULT 123 + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_opt_conf.ldb" +#define TEST_DOM_NAME "opt_test" +#define TEST_ID_PROVIDER "ldap" + +enum test_opts { + OPT_STRING_NODEFAULT, + OPT_STRING_DEFAULT, + OPT_BLOB_NODEFAULT, + OPT_BLOB_DEFAULT, + OPT_INT_NODEFAULT, + OPT_INT_DEFAULT, + OPT_BOOL_TRUE, + OPT_BOOL_FALSE, + + OPT_NUM_OPTS +}; + +struct dp_option test_def_opts[] = { + { "string_nodefault", DP_OPT_STRING, NULL_STRING, NULL_STRING }, + { "string_default", DP_OPT_STRING, { STRING_DEFAULT }, NULL_STRING}, + { "blob_nodefault", DP_OPT_BLOB, NULL_BLOB, NULL_BLOB }, + { "blob_default", DP_OPT_BLOB, + { .blob = { discard_const(BLOB_DEFAULT), + sizeof(BLOB_DEFAULT) - 1 } }, + NULL_BLOB }, + { "int_nodefault", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }, + { "int_default", DP_OPT_NUMBER, { .number = INT_DEFAULT }, NULL_NUMBER }, + { "bool_true", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE }, + { "bool_false", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, + DP_OPTION_TERMINATOR +}; + +static void assert_defaults(struct dp_option *opts) +{ + char *s; + struct 
dp_opt_blob b; + int i; + bool bo; + + s = dp_opt_get_string(opts, OPT_STRING_NODEFAULT); + assert_null(s); + + s = dp_opt_get_string(opts, OPT_STRING_DEFAULT); + assert_non_null(s); + assert_string_equal(s, STRING_DEFAULT); + + b = dp_opt_get_blob(opts, OPT_BLOB_NODEFAULT); + assert_null(b.data); + assert_int_equal(b.length, 0); + + b = dp_opt_get_blob(opts, OPT_BLOB_DEFAULT); + assert_non_null(b.data); + assert_int_equal(b.length, strlen(BLOB_DEFAULT)); + assert_memory_equal(b.data, BLOB_DEFAULT, strlen(BLOB_DEFAULT)); + + i = dp_opt_get_int(opts, OPT_INT_NODEFAULT); + assert_int_equal(i, 0); + + i = dp_opt_get_int(opts, OPT_INT_DEFAULT); + assert_int_equal(i, INT_DEFAULT); + + bo = dp_opt_get_bool(opts, OPT_BOOL_TRUE); + assert_true(bo == true); + + bo = dp_opt_get_bool(opts, OPT_BOOL_FALSE); + assert_true(bo == false); +} + +void opt_test_copy_default(void **state) +{ + int ret; + TALLOC_CTX *mem_ctx; + struct dp_option *opts; + struct dp_opt_blob b; + + mem_ctx = talloc_new(global_talloc_context); + assert_non_null(mem_ctx); + + ret = dp_copy_defaults(mem_ctx, test_def_opts, OPT_NUM_OPTS, &opts); + assert_int_equal(ret, EOK); + assert_defaults(opts); + + /* Test that copy_defaults would still copy defaults even if we + * change the values + */ + ret = dp_opt_set_string(opts, OPT_STRING_NODEFAULT, "str1"); + assert_int_equal(ret, EOK); + ret = dp_opt_set_string(opts, OPT_STRING_DEFAULT, "str2"); + assert_int_equal(ret, EOK); + + b.data = discard_const_p(uint8_t, "blob1"); + b.length = strlen("blob1"); + ret = dp_opt_set_blob(opts, OPT_BLOB_NODEFAULT, b); + assert_int_equal(ret, EOK); + + ret = dp_opt_set_blob(opts, OPT_BLOB_DEFAULT, b); + b.data = discard_const_p(uint8_t, "blob2"); + b.length = strlen("blob2"); + assert_int_equal(ret, EOK); + + ret = dp_opt_set_int(opts, OPT_INT_NODEFAULT, 456); + assert_int_equal(ret, EOK); + ret = dp_opt_set_int(opts, OPT_INT_DEFAULT, 789); + assert_int_equal(ret, EOK); + + ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false); + 
assert_int_equal(ret, EOK);
+ ret = dp_opt_set_bool(opts, OPT_BOOL_FALSE, true);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(opts);
+ ret = dp_copy_defaults(mem_ctx, test_def_opts, OPT_NUM_OPTS, &opts);
+ assert_int_equal(ret, EOK);
+ assert_defaults(opts);
+}
+
+void opt_test_copy_options(void **state)
+{
+ int ret;
+ TALLOC_CTX *mem_ctx;
+ struct dp_option *opts;
+ char *s;
+ struct dp_opt_blob b;
+ int i;
+ bool bo;
+
+ mem_ctx = talloc_new(global_talloc_context);
+ assert_non_null(mem_ctx);
+
+ ret = dp_copy_options(mem_ctx, test_def_opts, OPT_NUM_OPTS, &opts);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(ret, EOK);
+
+ ret = dp_opt_set_string(opts, OPT_STRING_NODEFAULT, "str1");
+ assert_int_equal(ret, EOK);
+
+ b.data = discard_const_p(uint8_t, "blob1");
+ b.length = strlen("blob1");
+ ret = dp_opt_set_blob(opts, OPT_BLOB_NODEFAULT, b);
+ assert_int_equal(ret, EOK);
+
+ ret = dp_opt_set_int(opts, OPT_INT_NODEFAULT, 456);
+ assert_int_equal(ret, EOK);
+
+ ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
+ assert_int_equal(ret, EOK);
+
+ /* Test that options set to an explicit value retain
+ * the value and even options with default value
+ * do not return the default unless explicitly set
+ */
+ s = dp_opt_get_string(opts, OPT_STRING_NODEFAULT);
+ assert_string_equal(s, "str1");
+ s = dp_opt_get_string(opts, OPT_STRING_DEFAULT);
+ assert_null(s);
+
+ b = dp_opt_get_blob(opts, OPT_BLOB_NODEFAULT);
+ assert_non_null(b.data);
+ assert_int_equal(b.length, strlen("blob1"));
+ assert_memory_equal(b.data, "blob1", strlen("blob1"));
+ b = dp_opt_get_blob(opts, OPT_BLOB_DEFAULT);
+ assert_null(b.data);
+ assert_int_equal(b.length, 0);
+
+ i = dp_opt_get_int(opts, OPT_INT_NODEFAULT);
+ assert_int_equal(i, 456);
+ i = dp_opt_get_int(opts, OPT_INT_DEFAULT);
+ assert_int_equal(i, 0);
+
+ bo = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
+ assert_false(bo == true);
+}
+
+void opt_test_get(void **state)
+{
+ int ret;
+ struct sss_test_ctx *tctx;
+ struct dp_option *opts;
+ struct sss_test_conf_param params[] = {
+ { "string_nodefault", "stringval2" },
+ { "blob_nodefault", "blobval2" },
+ { "int_nodefault", "456" },
+ { "bool_true", "false" },
+ { NULL, NULL }, /* Sentinel */
+ };
+ char *s;
+ struct dp_opt_blob b;
+ int i;
+ bool bo;
+
+ tctx = create_dom_test_ctx(global_talloc_context, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tctx);
+
+ ret = dp_get_options(global_talloc_context, tctx->confdb, tctx->conf_dom_path,
+ test_def_opts, OPT_NUM_OPTS, &opts);
+ assert_int_equal(ret, EOK);
+
+ /* Options that were not specified explicitly should only have the default
+ * value, those that have been specified explicitly should carry that
+ * value
+ */
+ s = dp_opt_get_string(opts, OPT_STRING_NODEFAULT);
+ assert_non_null(s);
+ assert_string_equal(s, "stringval2");
+
+ s = dp_opt_get_string(opts, OPT_STRING_DEFAULT);
+ assert_non_null(s);
+ assert_string_equal(s, STRING_DEFAULT);
+
+ b = dp_opt_get_blob(opts, OPT_BLOB_NODEFAULT);
+ assert_non_null(b.data);
+ assert_int_equal(b.length, strlen("blobval2"));
+ assert_memory_equal(b.data, "blobval2", strlen("blobval2"));
+
+ b = dp_opt_get_blob(opts, OPT_BLOB_DEFAULT);
+ assert_non_null(b.data);
+ assert_int_equal(b.length, strlen(BLOB_DEFAULT));
+ assert_memory_equal(b.data, BLOB_DEFAULT, strlen(BLOB_DEFAULT));
+
+ i = dp_opt_get_int(opts, OPT_INT_NODEFAULT);
+ assert_int_equal(i, 456);
+
+ i = dp_opt_get_int(opts, OPT_INT_DEFAULT);
+ assert_int_equal(i, INT_DEFAULT);
+
+ bo = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
+ assert_true(bo == false);
+
+ bo = dp_opt_get_bool(opts, OPT_BOOL_FALSE);
+ assert_true(bo == false);
+}
+
+static int opt_test_getset_setup(void **state)
+{
+ int ret;
+ struct dp_option *opts;
+
+ ret = dp_copy_defaults(global_talloc_context,
+ test_def_opts, OPT_NUM_OPTS, &opts);
+ assert_int_equal(ret, EOK);
+ assert_defaults(opts);
+
+ *state = opts;
+ return 0;
+}
+
+static int opt_test_getset_teardown(void **state)
+{
+ struct dp_option *opts = talloc_get_type(*state, struct dp_option);
+ talloc_free(opts);
+ return 0;
+}
+
+static void assert_nondefault_string_empty(struct dp_option *opts)
+{
+ char *s;
+
+ s = dp_opt_get_string(opts, OPT_STRING_NODEFAULT);
+ assert_null(s);
+}
+
+static void set_nondefault_string(struct dp_option *opts)
+{
+ int ret;
+
+ ret = dp_opt_set_string(opts, OPT_STRING_NODEFAULT, "str1");
+ assert_int_equal(ret, EOK);
+}
+
+static void check_nondefault_string(struct dp_option *opts)
+{
+ char *s;
+
+ s = dp_opt_get_string(opts, OPT_STRING_NODEFAULT);
+ assert_non_null(s);
+ assert_string_equal(s, "str1");
+}
+
+void opt_test_getset_string(void **state)
+{
+ struct dp_option *opts = talloc_get_type(*state, struct dp_option);
+
+ assert_nondefault_string_empty(opts);
+ set_nondefault_string(opts);
+ check_nondefault_string(opts);
+}
+
+static void assert_nondefault_blob_empty(struct dp_option *opts)
+{
+ struct dp_opt_blob b;
+
+ b = dp_opt_get_blob(opts, OPT_BLOB_NODEFAULT);
+ assert_null(b.data);
+ assert_int_equal(b.length, 0);
+}
+
+static void set_nondefault_blob(struct dp_option *opts)
+{
+ struct dp_opt_blob b;
+ int ret;
+
+ b.data = discard_const_p(uint8_t, "blob2");
+ b.length = strlen("blob2");
+ ret = dp_opt_set_blob(opts, OPT_BLOB_NODEFAULT, b);
+ assert_int_equal(ret, EOK);
+}
+
+static void check_nondefault_blob(struct dp_option *opts)
+{
+ struct dp_opt_blob b;
+
+ b = dp_opt_get_blob(opts, OPT_BLOB_NODEFAULT);
+ assert_non_null(b.data);
+ assert_int_equal(b.length, strlen("blob2"));
+ assert_memory_equal(b.data, "blob2", strlen("blob2"));
+}
+
+void opt_test_getset_blob(void **state)
+{
+ struct dp_option *opts = talloc_get_type(*state, struct dp_option);
+
+ assert_nondefault_blob_empty(opts);
+ set_nondefault_blob(opts);
+ check_nondefault_blob(opts);
+}
+
+static void assert_nondefault_int_notset(struct dp_option *opts)
+{
+ int i;
+ i = dp_opt_get_int(opts, OPT_INT_NODEFAULT);
+ assert_int_equal(i, 0);
+}
+
+static void set_nondefault_int(struct dp_option *opts)
+{
+ int ret;
+ ret = dp_opt_set_int(opts, OPT_INT_NODEFAULT, 456);
+ assert_int_equal(ret, EOK);
+}
+
+static void assert_nondefault_int_set(struct dp_option *opts)
+{
+ int i;
+ i = dp_opt_get_int(opts, OPT_INT_NODEFAULT);
+ assert_int_equal(i, 456);
+}
+
+void opt_test_getset_int(void **state)
+{
+ struct dp_option *opts = talloc_get_type(*state, struct dp_option);
+
+ assert_nondefault_int_notset(opts);
+ set_nondefault_int(opts);
+ assert_nondefault_int_set(opts);
+}
+
+void opt_test_getset_bool(void **state)
+{
+ struct dp_option *opts = talloc_get_type(*state, struct dp_option);
+ int ret;
+ bool b;
+
+ b = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
+ assert_true(b == true);
+
+ ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
+ assert_int_equal(ret, EOK);
+
+ b = dp_opt_get_bool(opts, OPT_BOOL_TRUE);
+ assert_false(b == true);
+}
+
+void opt_test_inherit(void **state)
+{
+ struct dp_option *opts = talloc_get_type(*state, struct dp_option);
+ int ret;
+ struct dp_option *opts_copy;
+ const char *s;
+ const char *sd_inherit_match[] = { "string_nodefault",
+ "blob_nodefault",
+ "int_nodefault",
+ "bool_true",
+ NULL };
+
+ ret = dp_copy_defaults(opts, test_def_opts,
+ OPT_NUM_OPTS, &opts_copy);
+ assert_int_equal(ret, EOK);
+ assert_defaults(opts);
+
+ dp_option_inherit(NULL, OPT_STRING_NODEFAULT,
+ opts, opts_copy);
+ s = dp_opt_get_string(opts_copy, OPT_STRING_NODEFAULT);
+ assert_null(s);
+
+ /* string */
+ assert_nondefault_string_empty(opts_copy);
+ set_nondefault_string(opts);
+ dp_option_inherit(discard_const(sd_inherit_match),
+ OPT_STRING_NODEFAULT,
+ opts, opts_copy);
+ check_nondefault_string(opts_copy);
+
+ /* blob */
+ assert_nondefault_blob_empty(opts_copy);
+ set_nondefault_blob(opts);
+ dp_option_inherit(discard_const(sd_inherit_match),
+ OPT_BLOB_NODEFAULT,
+ opts, opts_copy);
+ check_nondefault_blob(opts_copy);
+
+ /* number */
+ assert_nondefault_int_notset(opts_copy);
+ set_nondefault_int(opts);
+ dp_option_inherit(discard_const(sd_inherit_match),
+ OPT_INT_NODEFAULT,
+ opts, opts_copy);
+ assert_nondefault_int_set(opts_copy);
+
+ /* bool */
+ assert_true(dp_opt_get_bool(opts_copy, OPT_BOOL_TRUE));
+
+ ret = dp_opt_set_bool(opts, OPT_BOOL_TRUE, false);
+ assert_int_equal(ret, EOK);
+
+ dp_option_inherit(discard_const(sd_inherit_match),
+ OPT_BOOL_TRUE,
+ opts, opts_copy);
+
+ assert_false(dp_opt_get_bool(opts_copy, OPT_BOOL_TRUE));
+}
+
+int main(int argc, const char *argv[])
+{
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ int ret;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(opt_test_getset_string,
+ opt_test_getset_setup,
+ opt_test_getset_teardown),
+ cmocka_unit_test_setup_teardown(opt_test_getset_int,
+ opt_test_getset_setup,
+ opt_test_getset_teardown),
+ cmocka_unit_test_setup_teardown(opt_test_getset_bool,
+ opt_test_getset_setup,
+ opt_test_getset_teardown),
+ cmocka_unit_test_setup_teardown(opt_test_getset_blob,
+ opt_test_getset_setup,
+ opt_test_getset_teardown),
+ cmocka_unit_test_setup_teardown(opt_test_inherit,
+ opt_test_getset_setup,
+ opt_test_getset_teardown),
+ cmocka_unit_test(opt_test_copy_default),
+ cmocka_unit_test(opt_test_copy_options),
+ cmocka_unit_test(opt_test_get)
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ ret = cmocka_run_group_tests(tests, NULL, NULL);
+ if (ret == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+ return ret;
+}
diff --git a/src/tests/cmocka/test_dyndns.c b/src/tests/cmocka/test_dyndns.c
new file mode 100644
index 0000000..8888b53
--- /dev/null
+++ b/src/tests/cmocka/test_dyndns.c
@@ -0,0 +1,1085 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ SSSD tests: Dynamic DNS tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/* In order to access opaque types */
+#include "providers/be_dyndns.c"
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_be.h"
+#include "src/providers/be_dyndns.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_dyndns_conf.ldb"
+#define TEST_DOM_NAME "dyndns_test"
+#define TEST_ID_PROVIDER "ldap"
+
+enum mock_nsupdate_states {
+ MOCK_NSUPDATE_OK,
+ MOCK_NSUPDATE_ERR,
+ MOCK_NSUPDATE_TIMEOUT,
+};
+
+static TALLOC_CTX *global_mock_context = NULL;
+
+struct dyndns_test_ctx {
+ struct sss_test_ctx *tctx;
+
+ struct be_ctx *be_ctx;
+ struct be_nsupdate_ctx *update_ctx;
+
+ enum mock_nsupdate_states state;
+ int child_status;
+ int child_retval;
+};
+
+static struct dyndns_test_ctx *dyndns_test_ctx;
+
+void __wrap_execv(const char *path, char *const argv[])
+{
+ int err;
+
+ switch (dyndns_test_ctx->state) {
+ case MOCK_NSUPDATE_OK:
+ DEBUG(SSSDBG_FUNC_DATA, "nsupdate success test case\n");
+ err = 0;
+ usleep(50000); /* 50 milliseconds */
+ break;
+ case MOCK_NSUPDATE_ERR:
+ DEBUG(SSSDBG_FUNC_DATA, "nsupdate error test case\n");
+ err = 1;
+ usleep(50000); /* 50 milliseconds */
+ break;
+ case MOCK_NSUPDATE_TIMEOUT:
+ DEBUG(SSSDBG_FUNC_DATA, "nsupdate timeout test case\n");
+ err = 2;
+ sleep(3);
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "unknown test case\n");
+ err = 255;
+ break;
+ }
+
+ DEBUG(SSSDBG_TRACE_LIBS, "Child exiting with status %d\n", err);
+ _exit(err);
+}
+
+int __wrap_getifaddrs(struct ifaddrs **_ifap)
+{
+ struct ifaddrs *ifap = NULL;
+ struct ifaddrs *ifap_prev = NULL;
+ struct ifaddrs *ifap_head = NULL;
+ char *name;
+ char *straddr;
+ int ad_family;
+ struct sockaddr_in *sa;
+ void *dst;
+
+ while ((name = sss_mock_ptr_type(char *)) != NULL) {
+ straddr = sss_mock_ptr_type(char *);
+ if (straddr == NULL) {
+ errno = EINVAL;
+ goto fail;
+ }
+ ad_family = sss_mock_type(int);
+
+ ifap = talloc_zero(global_mock_context, struct ifaddrs);
+ if (ifap == NULL) {
+ errno = ENOMEM; /* getifaddrs sets errno, too */
+ goto fail;
+ }
+
+ if (ifap_prev) {
+ ifap_prev->ifa_next = ifap;
+ } else {
+ ifap_head = ifap;
+ }
+ ifap_prev = ifap;
+
+ ifap->ifa_name = talloc_strdup(ifap, name);
+ if (ifap->ifa_name == NULL) {
+ errno = ENOMEM;
+ goto fail;
+ }
+
+ /* Do not allocate directly on ifap->ifa_addr to
+ * avoid alignment warnings */
+ if (ad_family == AF_INET) {
+ sa = talloc(ifap, struct sockaddr_in);
+ } else if (ad_family == AF_INET6) {
+ sa = (struct sockaddr_in *) talloc(ifap, struct sockaddr_in6);
+ } else {
+ errno = EINVAL;
+ goto fail;
+ }
+
+ if (sa == NULL) {
+ errno = ENOMEM;
+ goto fail;
+ }
+
+ sa->sin_family = ad_family;
+
+ if (ad_family == AF_INET) {
+ dst = &sa->sin_addr;
+ } else if (ad_family == AF_INET6) {
+ dst = &((struct sockaddr_in6 *)sa)->sin6_addr;
+ } else {
+ errno = EINVAL;
+ goto fail;
+ }
+
+ /* convert straddr into ifa_addr */
+ if (inet_pton(ad_family, straddr, dst) != 1) {
+ goto fail;
+ }
+
+ ifap->ifa_addr = (struct sockaddr *) sa;
+ }
+
+ *_ifap = ifap_head;
+ return 0;
+
+fail:
+ talloc_free(ifap);
+ return -1;
+}
+
+void __wrap_freeifaddrs(struct ifaddrs *ifap)
+{
+ talloc_free(ifap);
+}
+
+static void dyndns_test_done(struct tevent_req *req)
+{
+ struct dyndns_test_ctx *ctx =
+ tevent_req_callback_data(req, struct dyndns_test_ctx);
+
+ ctx->child_retval = -1;
+ ctx->tctx->error = be_nsupdate_recv(req, &ctx->child_status);
+ talloc_zfree(req);
+
+ ctx->tctx->done = true;
+}
+
+void will_return_getifaddrs(const char *ifname, const char *straddr,
+ int af_family)
+{
+ will_return(__wrap_getifaddrs, ifname);
+ if (ifname) {
+ will_return(__wrap_getifaddrs, straddr);
+ }
+ if (straddr) {
+ will_return(__wrap_getifaddrs, af_family);
+ }
+}
+
+void dyndns_test_sss_iface_addr_get_misc(void **state)
+{
+ struct sss_iface_addr addrs[3];
+ struct sockaddr_storage ss[3];
+
+ addrs[0].prev = NULL;
+ addrs[0].next = &addrs[1];
+ addrs[0].addr = &ss[0];
+ addrs[1].prev = &addrs[0];
+ addrs[1].next = &addrs[2];
+ addrs[1].addr = &ss[1];
+ addrs[2].prev = &addrs[1];
+ addrs[2].next = NULL;
+ addrs[2].addr = &ss[2];
+
+ assert_ptr_equal(sss_iface_addr_get_address(NULL), NULL);
+ assert_ptr_equal(sss_iface_addr_get_address(&addrs[0]), &ss[0]);
+ assert_ptr_equal(sss_iface_addr_get_address(&addrs[1]), &ss[1]);
+ assert_ptr_equal(sss_iface_addr_get_address(&addrs[2]), &ss[2]);
+
+ assert_ptr_equal(sss_iface_addr_get_next(NULL), NULL);
+ assert_ptr_equal(sss_iface_addr_get_next(&addrs[0]), &addrs[1]);
+ assert_ptr_equal(sss_iface_addr_get_next(&addrs[1]), &addrs[2]);
+ assert_ptr_equal(sss_iface_addr_get_next(&addrs[2]), NULL);
+}
+
+void dyndns_test_get_ifaddr(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist;
+ char straddr[128];
+
+ check_leaks_push(dyndns_test_ctx);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.2", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
+ assert_int_equal(ret, EOK);
+
+ /* There must be only one address with the correct value */
+ assert_non_null(addrlist);
+ assert_non_null(addrlist->addr);
+ assert_null(addrlist->next);
+ assert_null(addrlist->prev);
+
+ assert_non_null(inet_ntop(AF_INET,
+ &((struct sockaddr_in *) addrlist->addr)->sin_addr,
+ straddr, INET_ADDRSTRLEN));
+ assert_string_equal(straddr, "192.168.0.1");
+
+ talloc_free(addrlist);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_get_multi_ifaddr(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist;
+ struct sss_iface_addr *sss_if_addr;
+ char straddr[128];
+
+ check_leaks_push(dyndns_test_ctx);
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
+ assert_int_equal(ret, EOK);
+
+ sss_if_addr = addrlist;
+ assert_non_null(sss_if_addr);
+ assert_non_null(sss_if_addr->addr);
+ assert_non_null(sss_if_addr->next);
+ assert_null(sss_if_addr->prev);
+
+ assert_non_null(inet_ntop(AF_INET,
+ &((struct sockaddr_in *) sss_if_addr->addr)->sin_addr,
+ straddr, INET_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "192.168.0.1");
+
+ sss_if_addr = addrlist->next;
+ assert_non_null(sss_if_addr);
+ assert_non_null(sss_if_addr->addr);
+ assert_null(sss_if_addr->next);
+ assert_non_null(sss_if_addr->prev);
+
+ assert_non_null(inet_ntop(AF_INET,
+ &((struct sockaddr_in *) sss_if_addr->addr)->sin_addr,
+ straddr, INET_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "192.168.0.2");
+
+ talloc_free(addrlist);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_get_ifaddr_enoent(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist = NULL;
+
+ check_leaks_push(dyndns_test_ctx);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.2", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ ret = sss_iface_addr_list_get(dyndns_test_ctx, "non_existing_interface",
+ &addrlist);
+ assert_int_equal(ret, ENOENT);
+ talloc_free(addrlist);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_addr_list_as_str_list(void **state)
+{
+ int i;
+ char **output;
+ errno_t ret;
+ struct sss_iface_addr *addrlist;
+ struct {
+ const char* addr;
+ int af;
+ } input[] = {
+ {"2001:cdba::555", AF_INET6},
+ {"192.168.0.1", AF_INET},
+ {"192.168.0.2", AF_INET},
+ {"2001:cdba::444", AF_INET6}
+ };
+ int size = 4;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ for (i = 0; i < size; i++) {
+ will_return_getifaddrs("eth0", input[i].addr, input[i].af);
+ }
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+
+ ret = sss_iface_addr_list_get(dyndns_test_ctx, "eth0", &addrlist);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_iface_addr_list_as_str_list(dyndns_test_ctx, addrlist, &output);
+ assert_int_equal(ret, EOK);
+ for (i = 0; i < size; i++) {
+ /* addresses are returned in reversed order */
+ assert_int_equal(strcmp(input[i].addr, output[size - 1 - i]), 0);
+ }
+
+ talloc_free(addrlist);
+ talloc_free(output);
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_create_fwd_msg(void **state)
+{
+ errno_t ret;
+ char *msg;
+ struct sss_iface_addr *addrlist;
+ int i;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ /* getifaddrs is called twice in sss_get_dualstack_addresses() */
+ for (i = 0; i < 2; i++) {
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth0", "2001:cdba::555", AF_INET6);
+ will_return_getifaddrs("eth1", "2001:cdba::444", AF_INET6);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ }
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr ("192.168.0.2");
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, EOK);
+
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, NULL, "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "\nupdate delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ /* fallback case realm and server */
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, "North", "Winterfell",
+ "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "server Winterfell\n"
+#ifdef HAVE_NSUPDATE_REALM
+ "realm North\n"
+#else
+ "\n"
+#endif
+ "update delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ /* just realm */
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, "North", NULL,
+ "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+#ifdef HAVE_NSUPDATE_REALM
+ "realm North\n"
+#else
+ "\n"
+#endif
+ "update delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ /* just server */
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, "Winterfell",
+ "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "server Winterfell\n"
+ "\n"
+ "update delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ /* remove just A */
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, NULL, "bran_stark",
+ 1234, DYNDNS_REMOVE_A,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "\nupdate delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ /* remove just AAAA */
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, NULL, "bran_stark",
+ 1234, DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "\nupdate add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ talloc_free(addrlist);
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_create_fwd_msg_mult(void **state)
+{
+ errno_t ret;
+ char *msg;
+ struct sss_iface_addr *addrlist;
+ int i;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ /* getifaddrs is called twice in sss_get_dualstack_addresses() */
+ for (i = 0; i < 2; i++) {
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth0", "2001:cdba::555", AF_INET6);
+ will_return_getifaddrs("eth0", "2001:cdba::444", AF_INET6);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ }
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr ("192.168.0.2");
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, EOK);
+
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, NULL, "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "\nupdate delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.1\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::444\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ talloc_free(addrlist);
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_create_fwd_msg_A(void **state)
+{
+ errno_t ret;
+ char *msg;
+ struct sss_iface_addr *addrlist;
+ int i;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ /* getifaddrs is called twice in sss_get_dualstack_addresses() */
+ for (i = 0; i < 2; i++) {
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ }
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr ("192.168.0.2");
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, EOK);
+
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, NULL, "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "\nupdate delete bran_stark. in A\n"
+ "update add bran_stark. 1234 in A 192.168.0.1\n"
+ "update add bran_stark. 1234 in A 192.168.0.2\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ talloc_free(addrlist);
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_create_fwd_msg_AAAA(void **state)
+{
+ errno_t ret;
+ char *msg;
+ struct sss_iface_addr *addrlist;
+ int i;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ /* getifaddrs is called twice in sss_get_dualstack_addresses() */
+ for (i = 0; i < 2; i++) {
+ will_return_getifaddrs("eth0", "2001:cdba::555", AF_INET6);
+ will_return_getifaddrs("eth0", "2001:cdba::444", AF_INET6);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ }
+
+ struct sockaddr_in6 sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin6_family = AF_INET6;
+ ret = inet_pton(AF_INET6, "2001:cdba::555", &sin.sin6_addr.s6_addr);
+ assert_int_equal(ret, 1);
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, EOK);
+
+ ret = be_nsupdate_create_fwd_msg(dyndns_test_ctx, NULL, NULL, "bran_stark",
+ 1234, DYNDNS_REMOVE_A | DYNDNS_REMOVE_AAAA,
+ addrlist, &msg);
+ assert_int_equal(ret, EOK);
+
+ assert_string_equal(msg,
+ "\nupdate delete bran_stark. in A\n"
+ "send\n"
+ "update delete bran_stark. in AAAA\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::444\n"
+ "update add bran_stark. 1234 in AAAA 2001:cdba::555\n"
+ "send\n");
+ talloc_zfree(msg);
+
+ talloc_free(addrlist);
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_dualstack(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist;
+ struct sss_iface_addr *sss_if_addrs;
+ char straddr[128];
+ int i;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ /* getifaddrs is called twice in sss_get_dualstack_addresses() */
+ for (i = 0; i < 2; i++) {
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth0", "2001:cdba::555", AF_INET6);
+ will_return_getifaddrs("eth1", "2001:cdba::444", AF_INET6);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ }
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr ("192.168.0.2");
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, EOK);
+
+ sss_if_addrs = addrlist;
+ assert_non_null(sss_if_addrs);
+ assert_non_null(sss_if_addrs->addr);
+ assert_non_null(sss_if_addrs->next);
+ assert_null(sss_if_addrs->prev);
+
+ assert_non_null(inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) sss_if_addrs->addr)->sin6_addr,
+ straddr, INET6_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "2001:cdba::555");
+
+ sss_if_addrs = addrlist->next;
+ assert_non_null(sss_if_addrs);
+ assert_non_null(sss_if_addrs->addr);
+ assert_null(sss_if_addrs->next);
+ assert_non_null(sss_if_addrs->prev);
+
+ assert_non_null(inet_ntop(AF_INET,
+ &((struct sockaddr_in *) sss_if_addrs->addr)->sin_addr,
+ straddr, INET_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "192.168.0.2");
+
+ talloc_free(addrlist);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_dualstack_multiple_addresses(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist;
+ struct sss_iface_addr *sss_if_addrs;
+ char straddr[128];
+ int i;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ /* getifaddrs is called twice in sss_get_dualstack_addresses() */
+ for (i = 0; i < 2; i++) {
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth0", "192.168.0.1", AF_INET);
+ /* loopback - invalid for DNS (should be skipped) */
+ will_return_getifaddrs("eth0", "::1", AF_INET6);
+ /* linklocal - invalid for DNS (should be skipped) */
+ will_return_getifaddrs("eth0", "fe80::5054:ff:fe4a:65ae", AF_INET6);
+ will_return_getifaddrs("eth0", "2001:cdba::555", AF_INET6);
+ will_return_getifaddrs("eth0", "2001:cdba::444", AF_INET6);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+ }
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr ("192.168.0.2");
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, EOK);
+
+ sss_if_addrs = addrlist;
+ assert_non_null(sss_if_addrs);
+ assert_non_null(sss_if_addrs->addr);
+ assert_non_null(sss_if_addrs->next);
+ assert_null(sss_if_addrs->prev);
+
+ assert_non_null(inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) sss_if_addrs->addr)->sin6_addr,
+ straddr, INET6_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "2001:cdba::444");
+
+ sss_if_addrs = sss_if_addrs->next;
+ assert_non_null(sss_if_addrs);
+ assert_non_null(sss_if_addrs->addr);
+ assert_non_null(sss_if_addrs->prev);
+ assert_non_null(sss_if_addrs->next);
+
+ assert_non_null(inet_ntop(AF_INET6,
+ &((struct sockaddr_in6 *) sss_if_addrs->addr)->sin6_addr,
+ straddr, INET6_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "2001:cdba::555");
+
+ sss_if_addrs = sss_if_addrs->next;
+ assert_non_null(sss_if_addrs);
+ assert_non_null(sss_if_addrs->addr);
+ assert_non_null(sss_if_addrs->next);
+ assert_non_null(sss_if_addrs->prev);
+
+ assert_non_null(inet_ntop(AF_INET,
+ &((struct sockaddr_in *) sss_if_addrs->addr)->sin_addr,
+ straddr, INET_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "192.168.0.1");
+
+ sss_if_addrs = sss_if_addrs->next;
+ assert_non_null(sss_if_addrs);
+ assert_non_null(sss_if_addrs->addr);
+ assert_null(sss_if_addrs->next);
+ assert_non_null(sss_if_addrs->prev);
+
+ assert_non_null(inet_ntop(AF_INET,
+ &((struct sockaddr_in *) sss_if_addrs->addr)->sin_addr,
+ straddr, INET_ADDRSTRLEN));
+ /* ip addresses are returned in different order */
+ assert_string_equal(straddr, "192.168.0.2");
+
+ talloc_free(addrlist);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_dualstack_no_iface(void **state)
+{
+ errno_t ret;
+ struct sss_iface_addr *addrlist;
+
+ check_leaks_push(dyndns_test_ctx);
+
+ will_return_getifaddrs("eth0", "192.168.0.2", AF_INET);
+ will_return_getifaddrs("eth1", "192.168.0.1", AF_INET);
+ will_return_getifaddrs("eth0", "2001:cdba::555", AF_INET6);
+ will_return_getifaddrs("eth1", "2001:cdba::444", AF_INET6);
+ will_return_getifaddrs(NULL, NULL, 0); /* sentinel */
+
+ struct sockaddr_in sin;
+ memset(&sin, 0, sizeof (sin));
+ sin.sin_family = AF_INET;
+ sin.sin_addr.s_addr = inet_addr ("192.168.0.3");
+ ret = sss_get_dualstack_addresses(dyndns_test_ctx,
+ (struct sockaddr *) &sin,
+ &addrlist);
+ assert_int_equal(ret, ENOENT);
+
+ assert_true(check_leaks_pop(dyndns_test_ctx) == true);
+}
+
+void dyndns_test_ok(void **state)
+{
+ struct tevent_req *req;
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ dyndns_test_ctx->state = MOCK_NSUPDATE_OK;
+
+ req = be_nsupdate_send(tmp_ctx, dyndns_test_ctx->tctx->ev,
+ BE_NSUPDATE_AUTH_GSS_TSIG,
+ discard_const("test message"), false);
+ assert_non_null(req);
+ tevent_req_set_callback(req, dyndns_test_done, dyndns_test_ctx);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(dyndns_test_ctx->tctx);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Child request returned [%d]: %s\n", ret, strerror(ret));
+ assert_int_equal(ret, EOK);
+
+ assert_true(WIFEXITED(dyndns_test_ctx->child_status));
+ assert_int_equal(WEXITSTATUS(dyndns_test_ctx->child_status), 0);
+
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+void dyndns_test_error(void **state)
+{
+ struct tevent_req *req;
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ dyndns_test_ctx->state = MOCK_NSUPDATE_ERR;
+
+ req = be_nsupdate_send(tmp_ctx, dyndns_test_ctx->tctx->ev,
+ BE_NSUPDATE_AUTH_GSS_TSIG,
+ discard_const("test message"), false);
+ assert_non_null(req);
+ tevent_req_set_callback(req, dyndns_test_done, dyndns_test_ctx);
+
+ /* Wait until the test finishes with EIO (child error) */
+ ret = test_ev_loop(dyndns_test_ctx->tctx);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Child request returned [%d]: %s\n", ret, strerror(ret));
+ assert_int_equal(ret, ERR_DYNDNS_FAILED);
+
+ assert_true(WIFEXITED(dyndns_test_ctx->child_status));
+ assert_int_equal(WEXITSTATUS(dyndns_test_ctx->child_status), 1);
+
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+void dyndns_test_timeout(void **state)
+{
+ struct tevent_req *req;
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ dyndns_test_ctx->state = MOCK_NSUPDATE_TIMEOUT;
+
+ req = be_nsupdate_send(tmp_ctx, dyndns_test_ctx->tctx->ev,
+ BE_NSUPDATE_AUTH_GSS_TSIG,
+ discard_const("test message"), false);
+ assert_non_null(req);
+ tevent_req_set_callback(req, dyndns_test_done, dyndns_test_ctx);
+
+ /* Wait until the test finishes with EIO (child error) */
+ ret = test_ev_loop(dyndns_test_ctx->tctx);
+
+ /* The event queue may not be empty. We need to make sure that all events
+ * are processed. Unfortunately, tevent_loop_wait() contains a bug that
+ * prevents exiting the loop even if there are no remaining events, thus
+ * we have to use tevent_loop_once().
+ *
+ * FIXME: use tevent_loop_wait() when the bug is fixed
+ * https://bugzilla.samba.org/show_bug.cgi?id=10012
+ */
+ tevent_loop_once(dyndns_test_ctx->tctx->ev); /* SIGCHLD handler */
+ tevent_loop_once(dyndns_test_ctx->tctx->ev); /* nsupdate_child_handler */
+
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Child request returned [%d]: %s\n", ret, strerror(ret));
+ assert_int_equal(ret, ERR_DYNDNS_TIMEOUT);
+
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+void dyndns_test_timer(void *pvt)
+{
+ struct dyndns_test_ctx *ctx = talloc_get_type(pvt, struct dyndns_test_ctx);
+ static int ncalls = 0;
+
+ ncalls++;
+ if (ncalls == 1) {
+ be_nsupdate_timer_schedule(ctx->tctx->ev, ctx->update_ctx);
+ } else if (ncalls == 2) {
+ ctx->tctx->done = true;
+ }
+ ctx->tctx->error = ERR_OK;
+}
+
+void dyndns_test_interval(void **state)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+ check_leaks_push(tmp_ctx);
+
+ ret = be_nsupdate_init(tmp_ctx, dyndns_test_ctx->be_ctx, NULL,
+ &dyndns_test_ctx->update_ctx);
+ assert_int_equal(ret, EOK);
+
+ ret = be_nsupdate_init_timer(dyndns_test_ctx->update_ctx,
+ dyndns_test_ctx->be_ctx->ev,
+ dyndns_test_timer, dyndns_test_ctx);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the timer hits */
+ ret = test_ev_loop(dyndns_test_ctx->tctx);
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Child request returned [%d]: %s\n", ret, strerror(ret));
+ assert_int_equal(ret, ERR_OK);
+
+ talloc_free(dyndns_test_ctx->update_ctx);
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+ talloc_free(tmp_ctx);
+}
+
+/* Testsuite setup and teardown */
+static int dyndns_test_setup(void **state)
+{
+ struct sss_test_conf_param params[] = {
+ { "dyndns_update", "true" },
+ { "dyndns_refresh_interval", "2" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ assert_true(leak_check_setup());
+ global_mock_context = talloc_new(global_talloc_context);
+ assert_non_null(global_mock_context);
+
+ dyndns_test_ctx = talloc_zero(global_talloc_context, struct dyndns_test_ctx);
+ assert_non_null(dyndns_test_ctx);
+
+ dyndns_test_ctx->tctx = create_dom_test_ctx(dyndns_test_ctx, TESTS_PATH,
+ TEST_CONF_DB, TEST_DOM_NAME,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(dyndns_test_ctx->tctx);
+
+ dyndns_test_ctx->be_ctx = mock_be_ctx(dyndns_test_ctx, dyndns_test_ctx->tctx);
+ assert_non_null(dyndns_test_ctx->be_ctx);
+
+ return 0;
+}
+
+static int dyndns_test_simple_setup(void **state)
+{
+ assert_true(leak_check_setup());
+ global_mock_context = talloc_new(global_talloc_context);
+ assert_non_null(global_mock_context);
+
+ dyndns_test_ctx = talloc_zero(global_talloc_context, struct dyndns_test_ctx);
+ assert_non_null(dyndns_test_ctx);
+ return 0;
+}
+
+static int dyndns_test_teardown(void **state)
+{
+ talloc_free(dyndns_test_ctx);
+ talloc_free(global_mock_context);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ /* Utility functions unit test */
+ cmocka_unit_test_setup_teardown(dyndns_test_sss_iface_addr_get_misc,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_get_ifaddr,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_get_multi_ifaddr,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_get_ifaddr_enoent,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_addr_list_as_str_list,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+
+ /* Dynamic DNS update unit tests*/
+ cmocka_unit_test_setup_teardown(dyndns_test_ok,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_error,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_timeout,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_interval,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+
+ /* Dynamic DNS dualstack unit tests*/
+ cmocka_unit_test_setup_teardown(dyndns_test_dualstack,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_dualstack_multiple_addresses,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_dualstack_no_iface,
+ dyndns_test_simple_setup,
+ dyndns_test_teardown),
+
+ /* Messages for nsupdate */
+ cmocka_unit_test_setup_teardown(dyndns_test_create_fwd_msg,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_create_fwd_msg_mult,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_create_fwd_msg_A,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ cmocka_unit_test_setup_teardown(dyndns_test_create_fwd_msg_AAAA,
+ dyndns_test_setup,
+ dyndns_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used.
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + test_dom_suite_setup(TESTS_PATH); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + if (rv == 0 && !no_cleanup) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + } + return rv; +} diff --git a/src/tests/cmocka/test_expire_common.c b/src/tests/cmocka/test_expire_common.c new file mode 100644 index 0000000..5d3ea02 --- /dev/null +++ b/src/tests/cmocka/test_expire_common.c 
@@ -0,0 +1,131 @@ +/* + Authors: + Pavel Reichl + + Copyright (C) 2015 Red Hat + + SSSD tests - common code for password expiration tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tests/common_check.h" +#include "tests/cmocka/test_expire_common.h" + +#define MAX 100 + +static char *now_str(TALLOC_CTX *mem_ctx, const char* format, int s) +{ + time_t t = time(NULL) + s; + struct tm *tm; + size_t len; + char *timestr; + + timestr = talloc_array(mem_ctx, char, MAX); + + tm = gmtime(&t); + len = strftime(timestr, MAX, format, tm); + if (len == 0) { + return NULL; + } + + return timestr; +} + +int expire_test_setup(void **state) +{ + struct expire_test_ctx *exp_state; + TALLOC_CTX *mem_ctx; + char *past_time; + char *future_time; + char *invalid_format; + char *invalid_longer_format; + + mem_ctx = talloc_new(NULL); + assert_non_null(mem_ctx); + + exp_state = talloc(mem_ctx, struct expire_test_ctx); + assert_non_null(exp_state); + + *state = exp_state; + + /* testing data */ + invalid_format = now_str(exp_state, "%Y%m%d%H%M%S", -20); + assert_non_null(invalid_format); + + invalid_longer_format = (void*)now_str(exp_state, "%Y%m%d%H%M%SZA", -20); + assert_non_null(invalid_longer_format); + + past_time = (void*)now_str(exp_state, "%Y%m%d%H%M%SZ", -20); + assert_non_null(past_time); + + future_time = (void*)now_str(exp_state, 
"%Y%m%d%H%M%SZ", 20); + assert_non_null(future_time); + + exp_state->past_time = past_time; + exp_state->future_time = future_time; + exp_state->invalid_format = invalid_format; + exp_state->invalid_longer_format = invalid_longer_format; + + return 0; +} + +int expire_test_teardown(void **state) +{ + struct expire_test_ctx *test_ctx; + + test_ctx = talloc_get_type(*state, struct expire_test_ctx); + assert_non_null(test_ctx); + + talloc_free(test_ctx); + + return 0; +} + +void expire_test_tz(const char* tz, + void (*test_func)(void*, void*), + void *test_in, + void *_test_out) +{ + errno_t ret; + const char *orig_tz = NULL; + + orig_tz = getenv("TZ"); + if (orig_tz == NULL) { + orig_tz = ""; + } + + if (tz) { + ret = setenv("TZ", tz, 1); + + assert_return_code(ret, errno); + } + + test_func(test_in, _test_out); + + /* restore */ + if (orig_tz != NULL) { + ret = setenv("TZ", orig_tz, 1); + assert_return_code(ret, errno); + } +} diff --git a/src/tests/cmocka/test_expire_common.h b/src/tests/cmocka/test_expire_common.h new file mode 100644 index 0000000..0ccff14 --- /dev/null +++ b/src/tests/cmocka/test_expire_common.h 
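Review bot: In `expire_test_tz` the pointer returned by `getenv("TZ")` is kept across `setenv("TZ", tz, 1)`, and POSIX allows `setenv` to overwrite or invalidate that string, so the restore step may write back something other than the original value. The function also turns an unset TZ into `""`, which leaves TZ set to an empty string for every later test in the process and makes the `orig_tz != NULL` check always true. Copying the value before changing it, and calling `unsetenv` when there was nothing to restore, leaves the environment as it was found. Separately, `expire_test_setup` allocates `exp_state` under `mem_ctx` but `expire_test_teardown` frees only `exp_state`, so the parent context is never released.

```c
void expire_test_tz(const char* tz,
                    void (*test_func)(void*, void*),
                    void *test_in,
                    void *_test_out)
{
    errno_t ret;
    const char *cur_tz;
    char *saved_tz = NULL;

    /* Keep a private copy: setenv() may invalidate the getenv() pointer */
    cur_tz = getenv("TZ");
    if (cur_tz != NULL) {
        saved_tz = talloc_strdup(NULL, cur_tz);
        assert_non_null(saved_tz);
    }

    /* … unchanged: setenv("TZ", tz, 1) when tz is given, then test_func() … */

    /* restore the previous value, or remove TZ if it was not set before */
    if (saved_tz != NULL) {
        ret = setenv("TZ", saved_tz, 1);
    } else {
        ret = unsetenv("TZ");
    }
    assert_return_code(ret, errno);
    talloc_free(saved_tz);
}
```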
@@ -0,0 +1,39 @@
+/*
+ Authors:
+ Pavel Reichl
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests: Tests for password expiration related functionality
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __TEST_EXPIRE_COMMON_H
+#define __TEST_EXPIRE_COMMON_H
+
+struct expire_test_ctx
+{
+ char *past_time;
+ char *future_time;
+ char *invalid_format;
+ char *invalid_longer_format;
+};
+
+int expire_test_setup(void **state);
+int expire_test_teardown(void **state);
+void expire_test_tz(const char* tz, void (*f)(void*, void*), void *in,
+ void *_out);
+
+#endif /* __TEST_EXPIRE_COMMON_H */
diff --git a/src/tests/cmocka/test_find_uid.c b/src/tests/cmocka/test_find_uid.c
new file mode 100644
index 0000000..63a426a
--- /dev/null
+++ b/src/tests/cmocka/test_find_uid.c
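Review bot: The prototype of `expire_test_tz` has no comment, yet the header is the only place a caller learns that it rewrites the process-wide `TZ` variable around the callback. A short comment above the declaration would cover it: `/* Run f(in, _out) with TZ set to tz (left alone when tz is NULL); TZ is put back afterwards */`. The include guard `__TEST_EXPIRE_COMMON_H` also starts with a double underscore, which C reserves for the implementation; `TEST_EXPIRE_COMMON_H` avoids that, unless the project's other headers deliberately share the pattern.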
@@ -0,0 +1,105 @@ +/* + SSSD + + find_uid - Utilities tests + + Authors: + Abhishek Singh + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/find_uid.h" +#include "tests/common.h" + +void test_check_if_uid_is_active_success(void **state) +{ + int ret; + uid_t uid; + bool result; + + uid = getuid(); + + ret = check_if_uid_is_active(uid, &result); + assert_true(ret == EOK); + assert_true(result); +} + +void test_check_if_uid_is_active_fail(void **state) +{ + int ret; + uid_t uid; + bool result; + + uid = (uid_t) -7; + + ret = check_if_uid_is_active(uid, &result); + assert_true(ret == EOK); + assert_true(!result); +} + +void test_get_uid_table(void **state) +{ + int ret; + uid_t uid; + TALLOC_CTX *tmp_ctx; + hash_table_t *table; + hash_key_t key; + hash_value_t value; + + tmp_ctx = talloc_new(NULL); + assert_true(tmp_ctx != NULL); + + ret = get_uid_table(tmp_ctx, &table); + assert_true(ret == EOK); + + uid = getuid(); + key.type = HASH_KEY_ULONG; + key.ul = (unsigned long) uid; + + ret = hash_lookup(table, &key, &value); + assert_true(ret == HASH_SUCCESS); + assert_true(hash_delete(table, &key) == HASH_SUCCESS); + + uid = (uid_t) -7; + key.type = HASH_KEY_ULONG; + key.ul = (unsigned long) uid; + + ret = hash_lookup(table, &key, &value); + assert_true(ret == HASH_ERROR_KEY_NOT_FOUND); + + 
talloc_free(tmp_ctx); +} + +int main(void) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_check_if_uid_is_active_success), + cmocka_unit_test(test_check_if_uid_is_active_fail), + cmocka_unit_test(test_get_uid_table) + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_fo_srv.c b/src/tests/cmocka/test_fo_srv.c new file mode 100644 index 0000000..a11ebbb --- /dev/null +++ b/src/tests/cmocka/test_fo_srv.c 
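Review bot: `(uid_t) -7` appears in both `test_check_if_uid_is_active_fail` and `test_get_uid_table` as the uid expected to own no process, with nothing saying why that value was picked. A named constant with a comment would state the assumption once, e.g. `#define TEST_UNUSED_UID ((uid_t) -7) /* assumed to own no running process */`. In `test_get_uid_table` the `value` filled in by the first `hash_lookup` is never examined; if only presence of the key matters, a one-line comment saying so would help the next reader.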
@@ -0,0 +1,809 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: Resolver tests using a fake resolver library + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "providers/fail_over_srv.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_resp.h" + +#define TEST_RESOLV_TIMEOUT 5 +#define TEST_FO_TIMEOUT 3000 +#define TEST_SRV_TTL 500 +#define TEST_SRV_SHORT_TTL 2 + +static TALLOC_CTX *global_mock_context = NULL; + +enum host_database default_host_dbs[] = { DB_FILES, DB_DNS, DB_SENTINEL }; + +struct resolv_ctx { + int foo; +}; + +/* mock resolver interface. 
The resolver test is separate */ +int resolv_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, + int timeout, struct resolv_ctx **ctxp) +{ + *ctxp = talloc(mem_ctx, struct resolv_ctx); + return EOK; +} + +struct tevent_req * +resolv_gethostbyname_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, + struct resolv_ctx *ctx, const char *name, + enum restrict_family family_order, + enum host_database *db) +{ + return test_req_succeed_send(mem_ctx, ev); +} + +int resolv_gethostbyname_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + int *status, int *timeouts, + struct resolv_hostent **rhostent) +{ + return test_request_recv(req); +} + +const char *resolv_strerror(int ares_code) +{ + return NULL; +} + +struct tevent_req *resolv_discover_srv_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resolv_ctx *resolv_ctx, + const char *service, + const char *protocol, + const char **discovery_domains) +{ + return test_req_succeed_send(mem_ctx, ev); +} + +errno_t resolv_discover_srv_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct ares_srv_reply **_reply_list, + uint32_t *_ttl, + char **_dns_domain) +{ + struct ares_srv_reply *reply_list; + uint32_t ttl; + char *dns_domain; + + /* Need to always consume all mocked values */ + reply_list = sss_mock_ptr_type(struct ares_srv_reply *); + ttl = sss_mock_ptr_type(uint32_t); + dns_domain = sss_mock_ptr_type(char *); + + if (_reply_list != NULL) { + *_reply_list = reply_list; + } + + if (_ttl != NULL) { + *_ttl = ttl; + } + + if (_dns_domain != NULL) { + *_dns_domain = dns_domain; + } + + return test_request_recv(req); +} + +struct ares_srv_reply *pop_lowest_prio(struct ares_srv_reply **r) +{ + struct ares_srv_reply *lowest; + struct ares_srv_reply *iter; + struct ares_srv_reply *prev; + + lowest = *r; + iter = lowest; + while (iter != NULL) { + if (iter->priority < lowest->priority) { + lowest = iter; + } + + iter = iter->next; + } + + prev = NULL; + iter = *r; + while (iter != lowest) { + prev = 
iter; + iter = iter->next; + } + + /* iter points to the lowest prio. Prev points to the item before */ + if (prev) { + prev->next = lowest->next; + } else { + *r = lowest->next; + } + + return lowest; +} + +int resolv_sort_srv_reply(struct ares_srv_reply **reply) +{ + struct ares_srv_reply *r; + struct ares_srv_reply *lowest; + struct ares_srv_reply *sorted = NULL; + struct ares_srv_reply *sorted_head = NULL; + + r = *reply; + if (r == NULL || r->next == NULL) { + return EOK; + } + + do { + lowest = pop_lowest_prio(&r); + if (sorted) { + sorted->next = lowest; + sorted = sorted->next; + } else { + sorted = lowest; + sorted_head = sorted; + } + } while (r != NULL); + + *reply = sorted_head; + return EOK; +} + +struct tevent_req *resolv_get_domain_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct resolv_ctx *resolv_ctx, + const char *hostname, + enum host_database *host_dbs, + enum restrict_family family_order) +{ + return test_req_succeed_send(mem_ctx, ev); +} + +errno_t resolv_get_domain_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + char **_dns_domain) +{ + return test_request_recv(req); +} + +/* The unit test */ +struct test_fo_ctx { + struct resolv_ctx *resolv; + struct fo_ctx *fo_ctx; + struct fo_resolve_srv_dns_ctx *srv_ctx; + struct fo_service *fo_svc; + struct sss_test_ctx *ctx; + int ttl; + + struct fo_server *srv; + + int num_done; +}; + +int test_fo_srv_data_cmp(void *ud1, void *ud2) +{ + return strcasecmp((char*) ud1, (char*) ud2); +} + +static int test_fo_setup(void **state) +{ + struct test_fo_ctx *test_ctx; + errno_t ret; + struct fo_options fopts; + + assert_true(leak_check_setup()); + global_mock_context = talloc_new(global_talloc_context); + assert_non_null(global_mock_context); + + test_ctx = talloc_zero(global_mock_context, + struct test_fo_ctx); + assert_non_null(test_ctx); + + test_ctx->ctx = create_ev_test_ctx(test_ctx); + assert_non_null(test_ctx->ctx); + + ret = resolv_init(test_ctx, test_ctx->ctx->ev, + 
TEST_RESOLV_TIMEOUT, &test_ctx->resolv); + assert_non_null(test_ctx->resolv); + + memset(&fopts, 0, sizeof(fopts)); + fopts.retry_timeout = TEST_FO_TIMEOUT; + fopts.family_order = IPV4_FIRST; + + test_ctx->fo_ctx = fo_context_init(test_ctx, &fopts); + assert_non_null(test_ctx->fo_ctx); + + ret = fo_new_service(test_ctx->fo_ctx, "ldap", + test_fo_srv_data_cmp, + &test_ctx->fo_svc); + assert_int_equal(ret, ERR_OK); + + *state = test_ctx; + return 0; +} + +static int test_fo_teardown(void **state) +{ + struct test_fo_ctx *test_ctx = + talloc_get_type(*state, struct test_fo_ctx); + + talloc_free(test_ctx); + talloc_free(global_mock_context); + assert_true(leak_check_teardown()); + return 0; +} + +static int test_fo_srv_setup(void **state) +{ + struct test_fo_ctx *test_ctx; + bool ok; + + test_fo_setup(state); + test_ctx = *state; + + test_ctx->srv_ctx = fo_resolve_srv_dns_ctx_init(test_ctx, test_ctx->resolv, + IPV4_FIRST, default_host_dbs, + "client.sssd.com", "sssd.local"); + assert_non_null(test_ctx->srv_ctx); + + ok = fo_set_srv_lookup_plugin(test_ctx->fo_ctx, + fo_resolve_srv_dns_send, + fo_resolve_srv_dns_recv, + test_ctx->srv_ctx); + assert_true(ok); + + *state = test_ctx; + return 0; +} + +static int test_fo_srv_teardown(void **state) +{ + test_fo_teardown(state); + return 0; +} + +/* reply_list and dns_domain must be a talloc context so it can be used as + * talloc_steal argument later + */ +static void mock_srv_results(struct ares_srv_reply *reply_list, + uint32_t ttl, + char *dns_domain) +{ + will_return(resolv_discover_srv_recv, reply_list); + will_return(resolv_discover_srv_recv, ttl); + will_return(resolv_discover_srv_recv, dns_domain); +} + +static void check_server(struct test_fo_ctx *ctx, + struct fo_server *srv, + int port, + const char *name) +{ + assert_non_null(srv); + assert_int_equal(fo_get_server_port(srv), port); + assert_string_equal(fo_get_server_name(srv), name); + + + if (ctx->srv_ctx) { + assert_true(fo_is_srv_lookup(srv)); + } +} + +static 
void test_fo_srv_step1(struct test_fo_ctx *test_ctx); +static void test_fo_srv_done1(struct tevent_req *req); +static void test_fo_srv_done2(struct tevent_req *req); +static void test_fo_srv_done3(struct tevent_req *req); +static void test_fo_srv_done4(struct tevent_req *req); +static void test_fo_srv_done5(struct tevent_req *req); + + +struct ares_srv_reply * +mock_ares_reply(TALLOC_CTX *mem_ctx, const char *hostname, + int weight, int priority, int port) +{ + struct ares_srv_reply *s; + + s = talloc_zero(mem_ctx, struct ares_srv_reply); + if (s == NULL) { + return NULL; + } + + s->host = talloc_strdup(s, hostname); + if (s->host == NULL) { + talloc_free(s); + return NULL; + } + + s->weight = weight; + s->priority = priority; + s->port = port; + + return s; +} + +static void test_fo_srv_mock_dns(struct test_fo_ctx *test_ctx, + int ttl) +{ + struct ares_srv_reply *s1; + struct ares_srv_reply *s2; + char *dns_domain; + + s1 = mock_ares_reply(test_ctx, "ldap1.sssd.com", 100, 1, 389); + assert_non_null(s1); + + s2 = mock_ares_reply(test_ctx, "ldap2.sssd.com", 100, 2, 389); + assert_non_null(s2); + + s1->next = s2; + + dns_domain = talloc_strdup(test_ctx, "sssd.com"); + assert_non_null(dns_domain); + + mock_srv_results(s1, ttl, dns_domain); +} + +static void test_fo_srv(void **state) +{ + errno_t ret; + struct test_fo_ctx *test_ctx = + talloc_get_type(*state, struct test_fo_ctx); + + test_fo_srv_mock_dns(test_ctx, TEST_SRV_TTL); + + ret = fo_add_srv_server(test_ctx->fo_svc, "_ldap", "sssd.com", + "sssd.local", "tcp", test_ctx); + assert_int_equal(ret, ERR_OK); + + test_fo_srv_step1(test_ctx); + + ret = test_ev_loop(test_ctx->ctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_fo_srv_step1(struct test_fo_ctx *test_ctx) +{ + struct tevent_req *req; + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_done1, test_ctx); +} + 
+static void test_fo_srv_done1(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + assert_int_equal(ret, ERR_OK); + + /* ldap1.sssd.com has lower priority, it must always be first */ + check_server(test_ctx, srv, 389, "ldap1.sssd.com"); + + /* Mark the server as working and request the service again. The same server + * must be returned */ + fo_set_server_status(srv, SERVER_WORKING); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_done2, test_ctx); +} + +static void test_fo_srv_done2(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + assert_int_equal(ret, ERR_OK); + + /* Must be ldap1 again */ + check_server(test_ctx, srv, 389, "ldap1.sssd.com"); + + /* Mark it at wrong, next lookup should yield ldap2 */ + fo_set_server_status(srv, SERVER_NOT_WORKING); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_done3, test_ctx); +} + +static void test_fo_srv_done3(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + assert_int_equal(ret, ERR_OK); + + /* Must be ldap2 now */ + check_server(test_ctx, srv, 389, "ldap2.sssd.com"); + + /* Mark is at wrong, next lookup must reach the end of the server list */ + fo_set_server_status(srv, SERVER_NOT_WORKING); + + req = 
fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_done4, test_ctx); +} + +static void test_fo_srv_done4(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + /* No servers are left..*/ + assert_int_equal(ret, ENOENT); + + /* reset the server status and try again.. */ + fo_reset_servers(test_ctx->fo_svc); + if (test_ctx->srv_ctx) { + test_fo_srv_mock_dns(test_ctx, TEST_SRV_TTL); + } + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_done5, test_ctx); +} + +static void test_fo_srv_done5(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + + assert_int_equal(ret, ERR_OK); + + /* ldap1.sssd.com has lower priority, it must always be first */ + check_server(test_ctx, srv, 389, "ldap1.sssd.com"); + + /* OK, we made a full circle with the test, done */ + test_ctx->ctx->error = ERR_OK; + test_ctx->ctx->done = true; +} + +/* Make sure that two queries more than TTL seconds apart resolve + * into two different lists + */ +static void test_fo_srv_ttl_change_step(struct test_fo_ctx *test_ctx); +static void test_fo_srv_before(struct tevent_req *req); +static void test_fo_srv_after(struct tevent_req *req); + +void test_fo_srv_ttl_change(void **state) +{ + struct test_fo_ctx *test_ctx = + talloc_get_type(*state, struct test_fo_ctx); + + test_ctx->ttl = TEST_SRV_SHORT_TTL; + test_fo_srv_ttl_change_step(test_ctx); +} + +static void test_fo_srv_ttl_change_step(struct 
test_fo_ctx *test_ctx) +{ + errno_t ret; + struct tevent_req *req; + + test_fo_srv_mock_dns(test_ctx, test_ctx->ttl); + + ret = fo_add_srv_server(test_ctx->fo_svc, "_ldap", "sssd.com", + "sssd.local", "tcp", test_ctx); + assert_int_equal(ret, ERR_OK); + + ret = fo_add_server(test_ctx->fo_svc, "ldap1.sssd.com", + 389, (void *) discard_const("ldap://ldap1.sssd.com"), + true); + assert_int_equal(ret, ERR_OK); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_before, test_ctx); + + ret = test_ev_loop(test_ctx->ctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_fo_srv_before(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct ares_srv_reply *s1; + struct ares_srv_reply *s2; + char *dns_domain; + errno_t ret; + + ret = fo_resolve_service_recv(req, test_ctx, &test_ctx->srv); + talloc_zfree(req); + assert_int_equal(ret, ERR_OK); + + DEBUG(SSSDBG_TRACE_FUNC, "Before TTL change\n"); + + check_server(test_ctx, test_ctx->srv, 389, "ldap1.sssd.com"); + fo_set_server_status(test_ctx->srv, SERVER_WORKING); + + /* Simulate changing the DNS environment. 
Change the host names */ + s1 = mock_ares_reply(test_ctx, "ldap1.sssd.com", 100, 2, 389); + assert_non_null(s1); + + s2 = mock_ares_reply(test_ctx, "ldap2.sssd.com", 100, 1, 389); + assert_non_null(s2); + + s1->next = s2; + + dns_domain = talloc_strdup(test_ctx, "sssd.com"); + assert_non_null(dns_domain); + + mock_srv_results(s1, test_ctx->ttl, dns_domain); + sleep(test_ctx->ttl + 1); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_after, test_ctx); +} + +static void test_fo_srv_after2(struct tevent_req *req); + +static void test_fo_srv_after(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + struct ares_srv_reply *s1; + struct ares_srv_reply *s2; + char *dns_domain; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + assert_int_equal(ret, ERR_OK); + + /* Try accessing server from a previous iteration. The + * server should be collapsed, but at least we shouldn't crash + */ + fo_set_server_status(test_ctx->srv, SERVER_WORKING); + + sleep(test_ctx->ttl + 1); + + /* Must be a different server now */ + check_server(test_ctx, srv, 389, "ldap2.sssd.com"); + + /* Simulate changing the DNS environment. 
Change the host names */ + s1 = mock_ares_reply(test_ctx, "ldap1.sssd.com", 100, 1, 389); + assert_non_null(s1); + + s2 = mock_ares_reply(test_ctx, "ldap2.sssd.com", 100, 2, 389); + assert_non_null(s2); + + s1->next = s2; + + dns_domain = talloc_strdup(test_ctx, "sssd.com"); + assert_non_null(dns_domain); + + mock_srv_results(s1, test_ctx->ttl, dns_domain); + sleep(test_ctx->ttl + 1); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_after2, test_ctx); +} + +static void test_fo_srv_after2(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + struct fo_server *srv; + errno_t ret; + + ret = fo_resolve_service_recv(req, req, &srv); + talloc_zfree(req); + assert_int_equal(ret, ERR_OK); + + /* Must be a different server now */ + check_server(test_ctx, srv, 389, "ldap1.sssd.com"); + + test_ctx->ctx->error = ERR_OK; + test_ctx->ctx->done = true; +} + +void test_fo_srv_ttl_zero(void **state) +{ + struct test_fo_ctx *test_ctx = + talloc_get_type(*state, struct test_fo_ctx); + + test_ctx->ttl = 0; + test_fo_srv_ttl_change_step(test_ctx); +} + +static void test_fo_hostlist(void **state) +{ + errno_t ret; + struct test_fo_ctx *test_ctx = + talloc_get_type(*state, struct test_fo_ctx); + + ret = fo_add_server(test_ctx->fo_svc, + "ldap1.sssd.com", 389, test_ctx, true); + assert_int_equal(ret, ERR_OK); + + ret = fo_add_server(test_ctx->fo_svc, + "ldap2.sssd.com", 389, test_ctx, true); + assert_int_equal(ret, ERR_OK); + + test_fo_srv_step1(test_ctx); + + ret = test_ev_loop(test_ctx->ctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_fo_srv_dup_done(struct tevent_req *req); + +/* Test that running two parallel SRV queries doesn't return an error. 
+ * This is a regression test for https://fedorahosted.org/sssd/ticket/3131 + */ +void test_fo_srv_duplicates(void **state) +{ + errno_t ret; + struct tevent_req *req; + struct test_fo_ctx *test_ctx = + talloc_get_type(*state, struct test_fo_ctx); + + test_fo_srv_mock_dns(test_ctx, test_ctx->ttl); + test_fo_srv_mock_dns(test_ctx, test_ctx->ttl); + + ret = fo_add_srv_server(test_ctx->fo_svc, "_ldap", "sssd.com", + "sssd.local", "tcp", test_ctx); + assert_int_equal(ret, ERR_OK); + + ret = fo_add_server(test_ctx->fo_svc, "ldap1.sssd.com", + 389, (void *) discard_const("ldap://ldap1.sssd.com"), + true); + assert_int_equal(ret, ERR_OK); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx); + + req = fo_resolve_service_send(test_ctx, test_ctx->ctx->ev, + test_ctx->resolv, test_ctx->fo_ctx, + test_ctx->fo_svc); + assert_non_null(req); + tevent_req_set_callback(req, test_fo_srv_dup_done, test_ctx); + + ret = test_ev_loop(test_ctx->ctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_fo_srv_dup_done(struct tevent_req *req) +{ + struct test_fo_ctx *test_ctx = \ + tevent_req_callback_data(req, struct test_fo_ctx); + errno_t ret; + const char *name; + + ret = fo_resolve_service_recv(req, test_ctx, &test_ctx->srv); + talloc_zfree(req); + assert_int_equal(ret, EOK); + + name = fo_get_server_name(test_ctx->srv); + assert_string_equal(name, "ldap1.sssd.com"); + + test_ctx->num_done++; + if (test_ctx->num_done == 2) { + test_ctx->ctx->error = ERR_OK; + test_ctx->ctx->done = true; + } +} + +int main(int argc, const char *argv[]) +{ + int rv; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_fo_hostlist, + test_fo_setup, + test_fo_teardown), + 
cmocka_unit_test_setup_teardown(test_fo_srv, + test_fo_srv_setup, + test_fo_srv_teardown), + cmocka_unit_test_setup_teardown(test_fo_srv_ttl_change, + test_fo_srv_setup, + test_fo_srv_teardown), + cmocka_unit_test_setup_teardown(test_fo_srv_ttl_zero, + test_fo_srv_setup, + test_fo_srv_teardown), + cmocka_unit_test_setup_teardown(test_fo_srv_duplicates, + test_fo_srv_setup, + test_fo_srv_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + return rv; +} diff --git a/src/tests/cmocka/test_fqnames.c b/src/tests/cmocka/test_fqnames.c new file mode 100644 index 0000000..dda58f2 --- /dev/null +++ b/src/tests/cmocka/test_fqnames.c 
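Review bot: In `test_fo_srv_done1` through `test_fo_srv_done5`, `test_fo_srv_after` and `test_fo_srv_after2`, the call `fo_resolve_service_recv(req, req, &srv)` is followed directly by `talloc_zfree(req)`, and `srv` is used after that. If the second argument is the context the returned server is tied to, as the `test_ctx` passed in `test_fo_srv_before` and `test_fo_srv_dup_done` suggests, those callbacks use `srv` with nothing of their own keeping it alive; in `test_fo_srv_after` that use comes after a `sleep(test_ctx->ttl + 1)`. Passing a longer-lived context, `ret = fo_resolve_service_recv(req, test_ctx, &srv);`, or freeing `req` only once `srv` is no longer needed, would stop the test from depending on the failover code's internal ownership. Separately, `test_fo_setup` stores the result of `resolv_init` in `ret` without asserting on it, and `test_fo_srv_setup` ignores the return value of `test_fo_setup`.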
@@ -0,0 +1,528 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: Fully Qualified Names Tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "db/sysdb_private.h" +#include "tests/cmocka/common_mock.h" + +#define NAME "name" +#define DOMNAME "domname" +#define FLATNAME "flatname" +#define SPECIALNAME "[]{}();:'|\",<.>/?!#$%^&*_+~`" +#define PROVIDER "local" +#define CONNNAME "conn" + +#define DOMNAME2 "domname2" +#define FLATNAME2 "flatname2" + +#define SUBDOMNAME "subdomname" +#define SUBFLATNAME "subflatname" + +static struct sss_domain_info *create_test_domain(TALLOC_CTX *mem_ctx, + const char *name, + const char *flatname, + struct sss_domain_info *parent, + struct sss_names_ctx *nctx) +{ + struct sss_domain_info *dom; + + dom = talloc_zero(mem_ctx, struct sss_domain_info); + assert_non_null(dom); + + /* just to make new_subdomain happy */ + dom->sysdb = talloc_zero(dom, struct sysdb_ctx); + assert_non_null(dom->sysdb); + + dom->name = discard_const(name); + dom->flat_name = discard_const(flatname); + dom->parent = parent; + dom->names = nctx; + dom->provider = discard_const(PROVIDER); + dom->conn_name = discard_const(CONNNAME); + + return dom; +} + +struct fqdn_test_ctx { + struct sss_domain_info *dom; + + struct sss_names_ctx *nctx; +}; + +static int fqdn_test_setup(void **state) +{ + struct fqdn_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + 
test_ctx = talloc_zero(global_talloc_context, struct fqdn_test_ctx); + assert_non_null(test_ctx); + + test_ctx->dom = create_test_domain(test_ctx, DOMNAME, FLATNAME, + NULL, NULL); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int fqdn_test_teardown(void **state) +{ + struct fqdn_test_ctx *test_ctx = talloc_get_type(*state, + struct fqdn_test_ctx); + + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return 1; + } + + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +void test_default(void **state) +{ + struct fqdn_test_ctx *test_ctx = talloc_get_type(*state, + struct fqdn_test_ctx); + errno_t ret; + + char *fqdn; + const int fqdn_size = 255; + char fqdn_s[fqdn_size]; + + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return; + } + + ret = sss_names_init_from_args(test_ctx, + "(?P[^@]+)@?(?P[^@]*$)", + "%1$s@%2$s", &test_ctx->nctx); + assert_int_equal(ret, EOK); + + fqdn = sss_tc_fqname(test_ctx, test_ctx->nctx, test_ctx->dom, NAME); + assert_non_null(fqdn); + assert_string_equal(fqdn, NAME"@"DOMNAME); + talloc_free(fqdn); + + ret = sss_fqname(fqdn_s, fqdn_size, test_ctx->nctx, test_ctx->dom, NAME); + assert_int_equal(ret + 1, sizeof(NAME"@"DOMNAME)); + assert_string_equal(fqdn_s, NAME"@"DOMNAME); + + talloc_free(test_ctx->nctx); +} + +void test_all(void **state) +{ + struct fqdn_test_ctx *test_ctx = talloc_get_type(*state, + struct fqdn_test_ctx); + errno_t ret; + + char *fqdn; + const int fqdn_size = 255; + char fqdn_s[fqdn_size]; + + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return; + } + + ret = sss_names_init_from_args(test_ctx, + "(?P[^@]+)@?(?P[^@]*$)", + "%1$s@%2$s@%3$s", &test_ctx->nctx); + assert_int_equal(ret, EOK); + + fqdn = sss_tc_fqname(test_ctx, test_ctx->nctx, test_ctx->dom, NAME); + assert_non_null(fqdn); + assert_string_equal(fqdn, 
NAME"@"DOMNAME"@"FLATNAME); + talloc_free(fqdn); + + ret = sss_fqname(fqdn_s, fqdn_size, test_ctx->nctx, test_ctx->dom, NAME); + assert_int_equal(ret + 1, sizeof(NAME"@"DOMNAME"@"FLATNAME)); + assert_string_equal(fqdn_s, NAME"@"DOMNAME"@"FLATNAME); + + talloc_free(test_ctx->nctx); +} + +void test_flat(void **state) +{ + struct fqdn_test_ctx *test_ctx = talloc_get_type(*state, + struct fqdn_test_ctx); + errno_t ret; + + char *fqdn; + const int fqdn_size = 255; + char fqdn_s[fqdn_size]; + + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return; + } + + ret = sss_names_init_from_args(test_ctx, + "(?P[^@]+)@?(?P[^@]*$)", + "%1$s@%3$s", &test_ctx->nctx); + assert_int_equal(ret, EOK); + + fqdn = sss_tc_fqname(test_ctx, test_ctx->nctx, test_ctx->dom, NAME); + assert_non_null(fqdn); + assert_string_equal(fqdn, NAME"@"FLATNAME); + talloc_free(fqdn); + + ret = sss_fqname(fqdn_s, fqdn_size, test_ctx->nctx, test_ctx->dom, NAME); + assert_int_equal(ret + 1, sizeof(NAME"@"FLATNAME)); + assert_string_equal(fqdn_s, NAME"@"FLATNAME); + + talloc_free(test_ctx->nctx); +} + +void test_flat_fallback(void **state) +{ + struct fqdn_test_ctx *test_ctx = talloc_get_type(*state, + struct fqdn_test_ctx); + errno_t ret; + + char *fqdn; + const int fqdn_size = 255; + char fqdn_s[fqdn_size]; + + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return; + } + + ret = sss_names_init_from_args(test_ctx, + "(?P[^@]+)@?(?P[^@]*$)", + "%1$s@%3$s", &test_ctx->nctx); + assert_int_equal(ret, EOK); + + test_ctx->dom->flat_name = NULL; + + /* If flat name is requested but does not exist, the code falls back to domain + * name + */ + fqdn = sss_tc_fqname(test_ctx, test_ctx->nctx, test_ctx->dom, NAME); + assert_non_null(fqdn); + assert_string_equal(fqdn, NAME"@"DOMNAME); + talloc_free(fqdn); + + ret = sss_fqname(fqdn_s, fqdn_size, test_ctx->nctx, test_ctx->dom, NAME); + assert_int_equal(ret + 1, sizeof(NAME"@"DOMNAME)); + assert_string_equal(fqdn_s, 
NAME"@"DOMNAME); + + talloc_free(test_ctx->nctx); +} + +struct parse_name_test_ctx { + struct sss_domain_info *dom; + struct sss_domain_info *subdom; + struct sss_names_ctx *nctx; +}; + +void parse_name_check(struct parse_name_test_ctx *test_ctx, + const char *full_name, + const char *default_domain, + const char exp_ret, + const char *exp_name, + const char *exp_domain) +{ + errno_t ret; + char *domain = NULL; + char *name = NULL; + + check_leaks_push(test_ctx); + ret = sss_parse_name_for_domains(test_ctx, test_ctx->dom, default_domain, + full_name, &domain, &name); + assert_int_equal(ret, exp_ret); + + if (exp_name) { + assert_non_null(name); + assert_string_equal(name, exp_name); + } + + if (exp_domain) { + assert_non_null(domain); + assert_string_equal(domain, exp_domain); + } + + talloc_free(name); + talloc_free(domain); + assert_true(check_leaks_pop(test_ctx) == true); +} + +static int parse_name_test_setup(void **state) +{ + struct parse_name_test_ctx *test_ctx; + struct sss_domain_info *dom; + errno_t ret; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct parse_name_test_ctx); + assert_non_null(test_ctx); + + /* Init with an AD-style regex to be able to test flat name */ + ret = sss_names_init_from_args(test_ctx, + "(((?P[^\\\\]+)\\\\(?P.+$))|" \ + "((?P[^@]+)@(?P.+$))|" \ + "(^(?P[^@\\\\]+)$))", + "%1$s@%2$s", &test_ctx->nctx); + assert_int_equal(ret, EOK); + + /* The setup is two domains, first one with no subdomains, + * second one with a single subdomain + */ + dom = create_test_domain(test_ctx, DOMNAME, FLATNAME, + NULL, test_ctx->nctx); + assert_non_null(dom); + DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *); + + dom = create_test_domain(test_ctx, DOMNAME2, + FLATNAME2, NULL, test_ctx->nctx); + assert_non_null(dom); + DLIST_ADD_END(test_ctx->dom, dom, struct sss_domain_info *); + + /* Create the subdomain, but don't add it yet, we want to be able to + * test sss_parse_name_for_domains() 
signaling that domains must be + * discovered + */ + test_ctx->subdom = new_subdomain(dom, dom, SUBDOMNAME, NULL, SUBFLATNAME, + NULL, false, false, NULL, NULL, 0, NULL); + assert_non_null(test_ctx->subdom); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int parse_name_test_teardown(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +void sss_parse_name_check(struct parse_name_test_ctx *test_ctx, + const char *input_name, + const int exp_ret, + const char *exp_name, + const char *exp_domain) +{ + errno_t ret; + char *domain = NULL; + char *name = NULL; + + check_leaks_push(test_ctx); + ret = sss_parse_name(test_ctx, test_ctx->nctx, input_name, + &domain, &name); + assert_int_equal(ret, exp_ret); + + if (exp_name) { + assert_non_null(name); + assert_string_equal(name, exp_name); + } + + if (exp_domain) { + assert_non_null(domain); + assert_string_equal(domain, exp_domain); + } + + talloc_zfree(name); + talloc_zfree(domain); + + assert_true(check_leaks_pop(test_ctx) == true); +} + +void parse_name_plain(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + int ret; + + parse_name_check(test_ctx, NAME, NULL, EOK, NAME, NULL); + + ret = sss_parse_name(test_ctx, test_ctx->nctx, NAME, + NULL, NULL); + assert_int_equal(ret, EOK); + + sss_parse_name_check(test_ctx, NAME, EOK, NAME, NULL); + sss_parse_name_check(test_ctx, SPECIALNAME, EOK, SPECIALNAME, NULL); +} + +void parse_name_fqdn(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + parse_name_check(test_ctx, NAME"@"DOMNAME, NULL, EOK, NAME, DOMNAME); + parse_name_check(test_ctx, NAME"@"DOMNAME2, NULL, EOK, NAME, DOMNAME2); + + sss_parse_name_check(test_ctx, NAME"@"DOMNAME, 
EOK, NAME, DOMNAME); + sss_parse_name_check(test_ctx, NAME"@"DOMNAME2, EOK, NAME, DOMNAME2); + sss_parse_name_check(test_ctx, DOMNAME"\\"NAME, EOK, NAME, DOMNAME); + sss_parse_name_check(test_ctx, DOMNAME2"\\"NAME, EOK, NAME, DOMNAME2); +} + +void parse_name_sub(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + /* The subdomain name is valid, but not known */ + parse_name_check(test_ctx, NAME"@"SUBDOMNAME, NULL, EAGAIN, NULL, NULL); + + /* Link the subdomain (simulating subdom handler) and retry */ + test_ctx->dom->subdomains = test_ctx->subdom; + parse_name_check(test_ctx, NAME"@"SUBDOMNAME, NULL, EOK, NAME, SUBDOMNAME); +} + +void parse_name_flat(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + + /* Link the subdomain (simulating subdom handler) */ + parse_name_check(test_ctx, FLATNAME"\\"NAME, NULL, EOK, NAME, DOMNAME); + parse_name_check(test_ctx, FLATNAME2"\\"NAME, NULL, EOK, NAME, DOMNAME2); + + /* The subdomain name is valid, but not known */ + parse_name_check(test_ctx, SUBFLATNAME"\\"NAME, NULL, EAGAIN, NULL, NULL); + test_ctx->dom->subdomains = test_ctx->subdom; + parse_name_check(test_ctx, SUBFLATNAME"\\"NAME, NULL, EOK, NAME, SUBDOMNAME); +} + +void parse_name_default(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + struct sss_domain_info *dom2; + + parse_name_check(test_ctx, NAME, DOMNAME2, EOK, NAME, DOMNAME2); + dom2 = test_ctx->dom->next; + + /* Simulate unknown default domain */ + DLIST_REMOVE(test_ctx->dom, dom2); + parse_name_check(test_ctx, NAME, DOMNAME2, EAGAIN, NULL, NULL); +} + +void test_init_nouser(void **state) +{ + struct fqdn_test_ctx *test_ctx = talloc_get_type(*state, + struct fqdn_test_ctx); + errno_t ret; + + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n"); + return; + } + + ret = sss_names_init_from_args(test_ctx, 
+ "(?P[^@]+)@?(?P[^@]*$)", + "%2$s@%3$s", &test_ctx->nctx); + /* Initialization with no user name must fail */ + assert_int_not_equal(ret, EOK); +} + +void sss_parse_name_fail(void **state) +{ + struct parse_name_test_ctx *test_ctx = talloc_get_type(*state, + struct parse_name_test_ctx); + + sss_parse_name_check(test_ctx, "", ERR_REGEX_NOMATCH, NULL, NULL); + sss_parse_name_check(test_ctx, "@", ERR_REGEX_NOMATCH, NULL, NULL); + sss_parse_name_check(test_ctx, "\\", ERR_REGEX_NOMATCH, NULL, NULL); + sss_parse_name_check(test_ctx, "\\"NAME, ERR_REGEX_NOMATCH, NULL, NULL); + sss_parse_name_check(test_ctx, "@"NAME, ERR_REGEX_NOMATCH, NULL, NULL); + sss_parse_name_check(test_ctx, NAME"@", ERR_REGEX_NOMATCH, NULL, NULL); + sss_parse_name_check(test_ctx, NAME"\\", ERR_REGEX_NOMATCH, NULL, NULL); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_default, + fqdn_test_setup, fqdn_test_teardown), + cmocka_unit_test_setup_teardown(test_all, + fqdn_test_setup, fqdn_test_teardown), + cmocka_unit_test_setup_teardown(test_flat, + fqdn_test_setup, fqdn_test_teardown), + cmocka_unit_test_setup_teardown(test_flat_fallback, + fqdn_test_setup, fqdn_test_teardown), + cmocka_unit_test_setup_teardown(test_init_nouser, + fqdn_test_setup, fqdn_test_teardown), + + cmocka_unit_test_setup_teardown(parse_name_plain, + parse_name_test_setup, + parse_name_test_teardown), + cmocka_unit_test_setup_teardown(parse_name_fqdn, + parse_name_test_setup, + parse_name_test_teardown), + cmocka_unit_test_setup_teardown(parse_name_sub, + parse_name_test_setup, + parse_name_test_teardown), + cmocka_unit_test_setup_teardown(parse_name_flat, + parse_name_test_setup, + parse_name_test_teardown), + cmocka_unit_test_setup_teardown(parse_name_default, + parse_name_test_setup, + parse_name_test_teardown), + 
cmocka_unit_test_setup_teardown(sss_parse_name_fail, + parse_name_test_setup, + parse_name_test_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_ifp.c b/src/tests/cmocka/test_ifp.c new file mode 100644 index 0000000..ccaa1d0 --- /dev/null +++ b/src/tests/cmocka/test_ifp.c 
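Review bot: `parse_name_check` declares its expected return code as `const char exp_ret`, while the sibling helper `sss_parse_name_check` uses `const int exp_ret` and both compare it against an `errno_t`. The callers in this hunk pass only EOK and EAGAIN, so nothing is narrowed today. An SSSD-specific code such as the ERR_REGEX_NOMATCH used in `sss_parse_name_fail` would presumably not fit in a char, so the expectation would be silently converted before `assert_int_equal(ret, exp_ret)`. Because these tests guard the user/domain name parsing, I would declare the parameter as `errno_t exp_ret` (or `const int exp_ret`, to match the sibling helper).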
@@ -0,0 +1,448 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: InfoPipe responder + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "db/sysdb.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_resp.h" +#include "responder/ifp/ifp_private.h" +#include "sbus/sssd_dbus_private.h" + +/* dbus library checks for valid object paths when unit testing, we don't + * want that */ +#undef DBUS_TYPE_OBJECT_PATH +#define DBUS_TYPE_OBJECT_PATH ((int) 's') + +static struct ifp_ctx * +mock_ifp_ctx(TALLOC_CTX *mem_ctx) +{ + struct ifp_ctx *ifp_ctx; + + ifp_ctx = talloc_zero(mem_ctx, struct ifp_ctx); + assert_non_null(ifp_ctx); + + ifp_ctx->rctx = mock_rctx(ifp_ctx, NULL, NULL, NULL); + assert_non_null(ifp_ctx->rctx); + + ifp_ctx->rctx->allowed_uids = talloc_array(ifp_ctx->rctx, uint32_t, 1); + assert_non_null(ifp_ctx->rctx->allowed_uids); + ifp_ctx->rctx->allowed_uids[0] = geteuid(); + ifp_ctx->rctx->allowed_uids_count = 1; + + ifp_ctx->sysbus = talloc_zero(ifp_ctx, struct sysbus_ctx); + assert_non_null(ifp_ctx->sysbus); + + ifp_ctx->sysbus->conn = talloc_zero(ifp_ctx, struct sbus_connection); + assert_non_null(ifp_ctx->sysbus->conn); + + return ifp_ctx; +} + +static struct sbus_request * +mock_sbus_request(TALLOC_CTX *mem_ctx, uid_t client) +{ + struct sbus_request *sr; + + sr = talloc_zero(mem_ctx, struct sbus_request); + assert_non_null(sr); + + 
sr->conn = talloc_zero(sr, struct sbus_connection); + assert_non_null(sr->conn); + + sr->message = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_CALL); + assert_non_null(sr->message); + dbus_message_set_serial(sr->message, 1); + + sr->client = client; + + return sr; +} + +void ifp_test_req_create(void **state) +{ + struct ifp_req *ireq; + struct sbus_request *sr; + struct ifp_ctx *ifp_ctx; + errno_t ret; + + assert_true(leak_check_setup()); + + ifp_ctx = mock_ifp_ctx(global_talloc_context); + assert_non_null(ifp_ctx); + check_leaks_push(ifp_ctx); + + sr = mock_sbus_request(ifp_ctx, geteuid()); + assert_non_null(sr); + check_leaks_push(sr); + + ret = ifp_req_create(sr, ifp_ctx, &ireq); + assert_int_equal(ret, EOK); + talloc_free(ireq); + + assert_true(check_leaks_pop(sr) == true); + talloc_free(sr); + + assert_true(check_leaks_pop(ifp_ctx) == true); + talloc_free(ifp_ctx); + + assert_true(leak_check_teardown()); +} + +void ifp_test_req_wrong_uid(void **state) +{ + struct ifp_req *ireq; + struct sbus_request *sr; + struct ifp_ctx *ifp_ctx; + errno_t ret; + + assert_true(leak_check_setup()); + + ifp_ctx = mock_ifp_ctx(global_talloc_context); + assert_non_null(ifp_ctx); + check_leaks_push(ifp_ctx); + + sr = mock_sbus_request(ifp_ctx, geteuid()+1); + assert_non_null(sr); + + ret = ifp_req_create(sr, ifp_ctx, &ireq); + assert_int_equal(ret, EACCES); + talloc_free(sr); + + assert_true(check_leaks_pop(ifp_ctx) == true); + talloc_free(ifp_ctx); + + assert_true(leak_check_teardown()); +} + +void test_el_to_dict(void **state) +{ + static struct sbus_request *sr; + dbus_bool_t dbret; + DBusMessageIter iter; + DBusMessageIter iter_dict; + struct ldb_message_element *el; + errno_t ret; + char *attr_name; + char *attr_val; + + sr = mock_sbus_request(global_talloc_context, geteuid()); + assert_non_null(sr); + + el = talloc(sr, struct ldb_message_element); + assert_non_null(el); + el->name = "numbers"; + el->values = talloc_array(el, struct ldb_val, 2); + assert_non_null(el->values); + 
el->num_values = 2; + el->values[0].data = (uint8_t *) discard_const("one"); + el->values[0].length = strlen("one") + 1; + el->values[1].data = (uint8_t *) discard_const("two"); + el->values[1].length = strlen("two") + 1; + + dbus_message_iter_init_append(sr->message, &iter); + dbret = dbus_message_iter_open_container( + &iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &iter_dict); + assert_true(dbret == TRUE); + + ret = ifp_add_ldb_el_to_dict(&iter_dict, el); + assert_int_equal(ret, EOK); + + dbret = dbus_message_iter_close_container(&iter, &iter_dict); + assert_true(dbret == TRUE); + + /* Test the reply contains what we expect */ + dbus_message_iter_init(sr->message, &iter); + assert_int_equal(dbus_message_iter_get_arg_type(&iter), + DBUS_TYPE_ARRAY); + dbus_message_iter_recurse(&iter, &iter); + assert_int_equal(dbus_message_iter_get_arg_type(&iter), + DBUS_TYPE_DICT_ENTRY); + + dbus_message_iter_recurse(&iter, &iter_dict); + dbus_message_iter_get_basic(&iter_dict, &attr_name); + assert_string_equal(attr_name, "numbers"); + + dbus_message_iter_next(&iter_dict); + assert_int_equal(dbus_message_iter_get_arg_type(&iter_dict), + DBUS_TYPE_VARIANT); + dbus_message_iter_recurse(&iter_dict, &iter_dict); + assert_int_equal(dbus_message_iter_get_arg_type(&iter_dict), + DBUS_TYPE_ARRAY); + + dbus_message_iter_recurse(&iter_dict, &iter_dict); + dbus_message_iter_get_basic(&iter_dict, &attr_val); + assert_string_equal(attr_val, "one"); + assert_true(dbus_message_iter_next(&iter_dict)); + dbus_message_iter_get_basic(&iter_dict, &attr_val); + assert_string_equal(attr_val, "two"); + assert_false(dbus_message_iter_next(&iter_dict)); + + talloc_free(sr); +} + +static void assert_string_list_equal(const char **s1, + const char **s2) +{ + int i; + + for (i=0; s1[i]; i++) { + assert_non_null(s2[i]); + assert_string_equal(s1[i], s2[i]); + } + + assert_null(s2[i]); +} + 
+static void attr_parse_test(const char *expected[], const char *input) +{ + const char **res; + TALLOC_CTX *test_ctx; + + test_ctx = talloc_new(NULL); + assert_non_null(test_ctx); + + res = ifp_parse_user_attr_list(test_ctx, input); + + if (expected) { + /* Positive test */ + assert_non_null(res); + assert_string_list_equal(res, expected); + } else { + /* Negative test */ + assert_null(res); + } + + talloc_free(test_ctx); +} + +static void attr_parse_test_ex(const char *expected[], const char *input, + const char **defaults) +{ + const char **res; + TALLOC_CTX *test_ctx; + + test_ctx = talloc_new(NULL); + assert_non_null(test_ctx); + + res = parse_attr_list_ex(test_ctx, input, defaults); + + if (expected) { + /* Positive test */ + assert_non_null(res); + assert_string_list_equal(res, expected); + } else { + /* Negative test */ + assert_null(res); + } + + talloc_free(test_ctx); +} + +void test_attr_acl(void **state) +{ + /* Test defaults */ + const char *exp_defaults[] = { SYSDB_NAME, SYSDB_UIDNUM, + SYSDB_GIDNUM, SYSDB_GECOS, + SYSDB_HOMEDIR, SYSDB_SHELL, + "groups", "domain", "domainname", NULL }; + attr_parse_test(exp_defaults, NULL); + + /* Test adding some attributes to the defaults */ + const char *exp_add[] = { "telephoneNumber", "streetAddress", + SYSDB_NAME, SYSDB_UIDNUM, + SYSDB_GIDNUM, SYSDB_GECOS, + SYSDB_HOMEDIR, SYSDB_SHELL, + "groups", "domain", "domainname", NULL }; + attr_parse_test(exp_add, "+telephoneNumber, +streetAddress"); + + /* Test removing some attributes to the defaults */ + const char *exp_rm[] = { SYSDB_NAME, + SYSDB_GIDNUM, SYSDB_GECOS, + SYSDB_HOMEDIR, "groups", + "domain", "domainname", + NULL }; + attr_parse_test(exp_rm, "-"SYSDB_SHELL ",-"SYSDB_UIDNUM); + + /* Test both add and remove */ + const char *exp_add_rm[] = { "telephoneNumber", + SYSDB_NAME, SYSDB_UIDNUM, + SYSDB_GIDNUM, SYSDB_GECOS, + SYSDB_HOMEDIR, "groups", + "domain", "domainname", + NULL }; + attr_parse_test(exp_add_rm, "+telephoneNumber, -"SYSDB_SHELL); + + /* Test 
rm trumps add */ + const char *exp_add_rm_override[] = { SYSDB_NAME, SYSDB_UIDNUM, + SYSDB_GIDNUM, SYSDB_GECOS, + SYSDB_HOMEDIR, SYSDB_SHELL, + "groups", "domain", + "domainname", NULL }; + attr_parse_test(exp_add_rm_override, + "+telephoneNumber, -telephoneNumber, +telephoneNumber"); + + /* Remove all */ + const char *rm_all[] = { NULL }; + attr_parse_test(rm_all, "-"SYSDB_NAME ", -"SYSDB_UIDNUM + ", -"SYSDB_GIDNUM ", -"SYSDB_GECOS + ", -"SYSDB_HOMEDIR ", -"SYSDB_SHELL", -groups, " + "-domain, -domainname"); + + /* Malformed list */ + attr_parse_test(NULL, "missing_plus_or_minus"); +} + +void test_attr_acl_ex(void **state) +{ + /* Test defaults */ + const char *exp_defaults[] = { "abc", "123", "xyz", NULL }; + attr_parse_test_ex(exp_defaults, NULL, exp_defaults); + + /* Test adding some attributes to the defaults */ + const char *exp_add[] = { "telephoneNumber", "streetAddress", + "abc", "123", "xyz", + NULL }; + attr_parse_test_ex(exp_add, "+telephoneNumber, +streetAddress", + exp_defaults); + + /* Test removing some attributes to the defaults */ + const char *exp_rm[] = { "123", NULL }; + attr_parse_test_ex(exp_rm, "-abc, -xyz", exp_defaults); + + /* Test adding with empty defaults */ + const char *exp_add_empty[] = { "telephoneNumber", "streetAddress", + NULL }; + attr_parse_test_ex(exp_add_empty, "+telephoneNumber, +streetAddress", NULL); + + /* Test removing with empty defaults */ + const char *rm_all[] = { NULL }; + attr_parse_test_ex(rm_all, "-telephoneNumber, -streetAddress", NULL); +} + +void test_attr_allowed(void **state) +{ + const char *whitelist[] = { "name", "gecos", NULL }; + const char *emptylist[] = { NULL }; + + assert_true(ifp_attr_allowed(whitelist, "name")); + assert_true(ifp_attr_allowed(whitelist, "gecos")); + + assert_false(ifp_attr_allowed(whitelist, "password")); + + assert_false(ifp_attr_allowed(emptylist, "name")); + assert_false(ifp_attr_allowed(NULL, "name")); +} + +struct ifp_test_req_ctx { + struct ifp_req *ireq; + struct 
sbus_request *sr; + struct ifp_ctx *ifp_ctx; +}; + +static int ifp_test_req_setup(void **state) +{ + struct ifp_test_req_ctx *test_ctx; + errno_t ret; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct ifp_test_req_ctx); + assert_non_null(test_ctx); + test_ctx->ifp_ctx = mock_ifp_ctx(test_ctx); + assert_non_null(test_ctx->ifp_ctx); + + test_ctx->sr = mock_sbus_request(test_ctx, geteuid()); + assert_non_null(test_ctx->sr); + + ret = ifp_req_create(test_ctx->sr, test_ctx->ifp_ctx, &test_ctx->ireq); + assert_int_equal(ret, EOK); + assert_non_null(test_ctx->ireq); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int ifp_test_req_teardown(void **state) +{ + struct ifp_test_req_ctx *test_ctx = talloc_get_type_abort(*state, + struct ifp_test_req_ctx); + + assert_true(check_leaks_pop(test_ctx) == true); + + dbus_message_unref(test_ctx->sr->message); + talloc_free(test_ctx); + + assert_true(leak_check_teardown()); + return 0; +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(ifp_test_req_create), + cmocka_unit_test(ifp_test_req_wrong_uid), + cmocka_unit_test_setup_teardown(test_el_to_dict, + ifp_test_req_setup, + ifp_test_req_teardown), + cmocka_unit_test(test_attr_acl), + cmocka_unit_test(test_attr_acl_ex), + cmocka_unit_test(test_attr_allowed), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_inotify.c b/src/tests/cmocka/test_inotify.c new file mode 100644 index 0000000..cd507a3 --- /dev/null +++ b/src/tests/cmocka/test_inotify.c 
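Review bot: `test_el_to_dict` is registered with `ifp_test_req_setup`/`ifp_test_req_teardown` but never reads `*state`; it builds its own request with `mock_sbus_request(global_talloc_context, geteuid())` and ends with `talloc_free(sr)` only. `mock_sbus_request` takes `sr->message` from `dbus_message_new()`, and the teardown releases its copy with an explicit `dbus_message_unref(test_ctx->sr->message)`. The message created inside the test is therefore presumably never released, unless a destructor outside this hunk handles it. `ifp_test_req_create` and `ifp_test_req_wrong_uid` free their `sr` the same way. I would add `dbus_message_unref(sr->message);` before each `talloc_free(sr);` and drop the `static` from `static struct sbus_request *sr;`, since nothing visible needs the pointer to have static storage.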
@@ -0,0 +1,582 @@ +/* + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "limits.h" +#include "shared/io.h" +#include "util/inotify.h" +#include "util/util.h" +#include "tests/common.h" + +struct inotify_test_ctx { + char *filename; + char *dirname; + + int ncb; + int threshold; + /* if the cb receives flags not in this set, test fails */ + uint32_t exp_flags; + + struct sss_test_ctx *tctx; + struct tevent_timer *fail_te; +}; + +static void test_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + DEBUG(SSSDBG_FATAL_FAILURE, "The test timed out!\n"); + talloc_free(te); + fail(); +} + +static struct inotify_test_ctx *common_setup(TALLOC_CTX *mem_ctx) +{ + struct inotify_test_ctx *ctx; + struct timeval tv; + + ctx = talloc_zero(mem_ctx, struct inotify_test_ctx); + if (ctx == NULL) { + return NULL; + } + + ctx->tctx = create_ev_test_ctx(ctx); + if (ctx->tctx == NULL) { + talloc_free(ctx); + return NULL; + } + + gettimeofday(&tv, NULL); + tv.tv_sec += 5; + ctx->fail_te = tevent_add_timer(ctx->tctx->ev, ctx, + tv, test_timeout, ctx); + if (ctx->fail_te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue fallback timer!\n"); + talloc_free(ctx); + return NULL; + } + + return ctx; +} + +static int inotify_test_setup(void **state) +{ + struct 
inotify_test_ctx *ctx; + int fd; + + ctx = common_setup(NULL); + if (ctx == NULL) { + return 1; + } + + ctx->filename = talloc_strdup(ctx, "test_inotify.XXXXXX"); + if (ctx->filename == NULL) { + talloc_free(ctx); + return 1; + } + + fd = mkstemp(ctx->filename); + if (fd == -1) { + talloc_free(ctx); + return 1; + } + close(fd); + + *state = ctx; + return 0; +} + +static int inotify_test_dir_setup(void **state) +{ + struct inotify_test_ctx *ctx; + + ctx = common_setup(NULL); + if (ctx == NULL) { + return 1; + } + + ctx->dirname = talloc_strdup(ctx, "test_inotify_dir.XXXXXX"); + if (ctx->dirname == NULL) { + talloc_free(ctx); + return 1; + } + + ctx->dirname = mkdtemp(ctx->dirname); + if (ctx->dirname == NULL) { + talloc_free(ctx); + return 1; + } + + ctx->filename = talloc_asprintf(ctx, "%s/testfile", ctx->dirname); + if (ctx->filename == NULL) { + talloc_free(ctx); + return 1; + } + + *state = ctx; + return 0; +} + +static int inotify_test_teardown(void **state) +{ + struct inotify_test_ctx *ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + int ret; + + ret = unlink(ctx->filename); + if (ret == -1 && errno != ENOENT) { + return 1; + } + + talloc_free(ctx); + return 0; +} + +static int inotify_test_dir_teardown(void **state) +{ + struct inotify_test_ctx *ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + int ret; + + ret = unlink(ctx->filename); + if (ret == -1 && errno != ENOENT) { + return 1; + } + + ret = rmdir(ctx->dirname); + if (ret == -1 && errno != ENOENT) { + return 1; + } + + talloc_free(ctx); + return 0; +} + +static void file_mod_op(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(ptr, + struct inotify_test_ctx); + FILE *f; + + talloc_free(te); + + f = fopen(test_ctx->filename, "w"); + if (f == NULL) { + test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } + + fprintf(f, "%s\n", test_ctx->filename); + 
fflush(f); + fclose(f); +} + +static void check_and_set_threshold(struct inotify_test_ctx *test_ctx, + uint32_t flags) +{ + if (test_ctx->exp_flags != 0 && !(test_ctx->exp_flags & flags)) { + fail(); + } + + test_ctx->ncb++; +} + +static int inotify_set_threshold_cb(const char *filename, + uint32_t flags, + void *pvt) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(pvt, + struct inotify_test_ctx); + + check_and_set_threshold(test_ctx, flags); + return EOK; +} + +static int inotify_threshold_cb(const char *filename, + uint32_t flags, + void *pvt) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(pvt, + struct inotify_test_ctx); + + check_and_set_threshold(test_ctx, flags); + if (test_ctx->ncb == test_ctx->threshold) { + test_ctx->tctx->done = true; + return EOK; + } + + return EOK; +} + +/* Test that running two modifications fires the callback twice */ +static void test_inotify_mod(void **state) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + struct snotify_ctx *ctx; + struct timeval tv; + struct tevent_timer *te; + errno_t ret; + + ctx = snotify_create(test_ctx, test_ctx->tctx->ev, SNOTIFY_WATCH_DIR, + test_ctx->filename, NULL, IN_MODIFY, + inotify_threshold_cb, test_ctx); + assert_non_null(ctx); + + test_ctx->threshold = 2; + test_ctx->exp_flags = IN_MODIFY; + + gettimeofday(&tv, NULL); + tv.tv_usec += 500; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_mod_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + gettimeofday(&tv, NULL); + tv.tv_sec += 1; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_mod_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); + + talloc_free(ctx); +} + +static void file_mv_op(struct tevent_context *ev, + struct tevent_timer *te, 
+ struct timeval t, + void *ptr) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(ptr, + struct inotify_test_ctx); + FILE *f; + int fd; + char src_tmp_file[] = "test_inotify_src.XXXXXX"; + int ret; + + talloc_free(te); + + fd = mkstemp(src_tmp_file); + if (fd == -1) { + test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } + + f = fdopen(fd, "w"); + if (f == NULL) { + close(fd); + unlink(src_tmp_file); + test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } + + fprintf(f, "%s\n", test_ctx->filename); + fflush(f); + fclose(f); + + ret = rename(src_tmp_file, test_ctx->filename); + if (ret == -1) { + unlink(src_tmp_file); + test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } +} + +static void test_inotify_mv(void **state) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + struct snotify_ctx *ctx; + struct timeval tv; + struct tevent_timer *te; + errno_t ret; + + ctx = snotify_create(test_ctx, test_ctx->tctx->ev, SNOTIFY_WATCH_DIR, + test_ctx->filename, NULL, IN_MOVED_TO, + inotify_threshold_cb, test_ctx); + assert_non_null(ctx); + + test_ctx->threshold = 1; + test_ctx->exp_flags = IN_MOVED_TO; + + gettimeofday(&tv, NULL); + tv.tv_usec += 200; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_mv_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void file_del_add_op(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(ptr, + struct inotify_test_ctx); + FILE *f; + int ret; + + talloc_free(te); + + ret = unlink(test_ctx->filename); + if (ret == -1) { + test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } + + f = fopen(test_ctx->filename, "w"); + if (f == NULL) { + 
test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } + + fprintf(f, "%s\n", test_ctx->filename); + fflush(f); + fclose(f); +} + +static void test_inotify_del_add(void **state) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + struct snotify_ctx *ctx; + struct timeval tv; + struct tevent_timer *te; + errno_t ret; + + test_ctx->threshold = 1; + test_ctx->exp_flags = IN_CREATE; + + ctx = snotify_create(test_ctx, test_ctx->tctx->ev, SNOTIFY_WATCH_DIR, + test_ctx->filename, NULL, + IN_CREATE, + inotify_threshold_cb, test_ctx); + assert_non_null(ctx); + + gettimeofday(&tv, NULL); + tv.tv_usec += 200; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_del_add_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void test_inotify_file_moved_in(void **state) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + struct snotify_ctx *ctx; + struct timeval tv; + struct tevent_timer *te; + errno_t ret; + + test_ctx->threshold = 1; + test_ctx->exp_flags = IN_CREATE; + + ctx = snotify_create(test_ctx, test_ctx->tctx->ev, SNOTIFY_WATCH_DIR, + test_ctx->filename, NULL, + IN_CREATE | IN_CLOSE_WRITE, + inotify_threshold_cb, test_ctx); + assert_non_null(ctx); + + gettimeofday(&tv, NULL); + tv.tv_usec += 200; + + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_mod_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void file_del_op(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(ptr, + struct inotify_test_ctx); + int ret; + + talloc_free(te); + + ret = 
unlink(test_ctx->filename); + if (ret == -1) { + test_ctx->tctx->error = errno; + test_ctx->tctx->done = true; + return; + } +} + +static void check_threshold_cb(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, + void *ptr) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(ptr, + struct inotify_test_ctx); + + /* tests that no more callbacks were issued and exactly one + * was caught for both requests + */ + if (test_ctx->ncb == test_ctx->threshold) { + test_ctx->tctx->done = true; + return; + } + + fail(); +} + +static void test_inotify_delay(void **state) +{ + struct inotify_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct inotify_test_ctx); + struct snotify_ctx *ctx; + struct timeval tv; + struct tevent_timer *te; + errno_t ret; + struct timeval delay = { .tv_sec = 1, .tv_usec = 0 }; + + test_ctx->threshold = 1; + test_ctx->exp_flags = IN_CREATE | IN_DELETE; + + ctx = snotify_create(test_ctx, test_ctx->tctx->ev, SNOTIFY_WATCH_DIR, + test_ctx->filename, &delay, + IN_CREATE | IN_DELETE, + inotify_set_threshold_cb, test_ctx); + assert_non_null(ctx); + + gettimeofday(&tv, NULL); + tv.tv_usec += 100; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_mod_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + gettimeofday(&tv, NULL); + tv.tv_usec += 200; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, file_del_op, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + gettimeofday(&tv, NULL); + tv.tv_sec += 2; + te = tevent_add_timer(test_ctx->tctx->ev, test_ctx, + tv, check_threshold_cb, test_ctx); + if (te == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n"); + return; + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] 
= { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_inotify_mv, + inotify_test_setup, + inotify_test_teardown), + cmocka_unit_test_setup_teardown(test_inotify_mod, + inotify_test_setup, + inotify_test_teardown), + cmocka_unit_test_setup_teardown(test_inotify_del_add, + inotify_test_setup, + inotify_test_teardown), + cmocka_unit_test_setup_teardown(test_inotify_file_moved_in, + inotify_test_dir_setup, + inotify_test_dir_teardown), + cmocka_unit_test_setup_teardown(test_inotify_delay, + inotify_test_dir_setup, + inotify_test_dir_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_io.c b/src/tests/cmocka/test_io.c new file mode 100644 index 0000000..20475a0 --- /dev/null +++ b/src/tests/cmocka/test_io.c 
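Review bot: In test_inotify_mod, test_inotify_mv, test_inotify_del_add, test_inotify_file_moved_in and test_inotify_delay, a failed tevent_add_timer() only logs and returns, so cmocka records the test as passed although the watch was never exercised. Replace each `if (te == NULL) { ... return; }` block with `assert_non_null(te);` so that a setup failure is reported as a failure. Separately, main() in this file never calls tests_set_cwd(), unlike the test_io.c and test_ipa_dn.c mains in this patch. The relative mkstemp()/mkdtemp() templates and the later `fopen(test_ctx->filename, "w")` therefore land in whatever directory the binary is started from. Calling `tests_set_cwd();` before `cmocka_run_group_tests()` would keep those files in the test directory.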
@@ -0,0 +1,243 @@ +/* + SSSD + + find_uid - Utilities tests + + Authors: + Abhishek Singh + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "limits.h" +#include "shared/io.h" +#include "util/util.h" +#include "tests/common.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define FILE_TEMPLATE TESTS_PATH"/test_io.XXXXXX" +#define NON_EX_PATH TESTS_PATH"/non-existent-path" + +/* Creates a unique temporary file inside TEST_DIR and returns its path*/ +static char *get_random_filepath(const char *template) +{ + int ret; + char *path; + + path = strdup(template); + assert_non_null(path); + + ret = mkstemp(path); + if (ret == -1) { + int err = errno; + fprintf(stderr, "mkstemp failed with path:'%s' [%s]\n", + path, strerror(err)); + } + assert_int_not_equal(ret, -1); + + /* We do not need this file descriptor */ + close(ret); + + return path; +} + +static int test_file_setup(void **state) +{ + int ret; + char *file_path; + + ret = mkdir(TESTS_PATH, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH); + assert_int_equal(ret, EOK); + + file_path = get_random_filepath(FILE_TEMPLATE); + assert_non_null(file_path); + + ret = unlink(NON_EX_PATH); + ret = errno; + assert_int_equal(ret, ENOENT); + + *state = file_path; + return 0; +} + +static int test_file_teardown(void **state) +{ + 
int ret; + char *file_path = (char *)*state; + + ret = unlink(file_path); + assert_int_equal(ret, EOK); + free(file_path); + + ret = rmdir(TESTS_PATH); + assert_int_equal(ret, EOK); + return 0; +} + +struct dir_state { + int dir_fd; + char *basename; + + /* resources for cleanup*/ + DIR *dirp; + char *filename; +}; + +static int test_dir_setup(void **state) +{ + struct dir_state *data; + int ret; + + data = (struct dir_state *)calloc(1, sizeof(struct dir_state)); + assert_non_null(data); + + ret = mkdir(TESTS_PATH, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH); + assert_int_equal(ret, EOK); + + data->dirp = opendir(TESTS_PATH); + if (data->dirp == NULL) { + int err = errno; + fprintf(stderr, "Could not open directory:'%s' [%s]\n", + TESTS_PATH, strerror(err)); + } + assert_non_null(data->dirp); + + data->dir_fd = dirfd(data->dirp); + assert_int_not_equal(data->dir_fd, -1); + + data->filename = get_random_filepath(FILE_TEMPLATE); + assert_non_null(data->filename); + + data->basename = basename(data->filename); + + ret = unlink(NON_EX_PATH); + ret = errno; + assert_int_equal(ret, ENOENT); + + *state = data; + return 0; +} + +static int test_dir_teardown(void **state) +{ + int ret; + struct dir_state *data = (struct dir_state *) *state; + + ret = unlink(data->filename); + assert_int_equal(ret, EOK); + free(data->filename); + + ret = closedir(data->dirp); + assert_int_equal(ret, EOK); + + ret = rmdir(TESTS_PATH); + assert_int_equal(ret, EOK); + + free(data); + return 0; +} + +void test_sss_open_cloexec_success(void **state) +{ + int fd; + int ret; + int ret_flag; + int expec_flag; + int flags = O_RDWR; + char *file_path = (char *) *state; + + fd = sss_open_cloexec(file_path, flags, &ret); + assert_int_not_equal(fd, -1); + + ret_flag = fcntl(fd, F_GETFD, 0); + expec_flag = FD_CLOEXEC; + assert_true(ret_flag & expec_flag); + + close(fd); +} + +void test_sss_open_cloexec_fail(void **state) +{ + int fd; + int ret; + int flags = O_RDWR; + + fd = sss_open_cloexec(NON_EX_PATH, 
flags, &ret); + + assert_true(fd == -1); + assert_int_not_equal(ret, 0); +} + +void test_sss_openat_cloexec_success(void **state) +{ + int fd; + int ret; + int ret_flag; + int expec_flag; + const int flags = O_RDWR; + struct dir_state *data = (struct dir_state *) *state; + + fd = sss_openat_cloexec(data->dir_fd, data->basename, flags, &ret); + assert_int_not_equal(fd, -1); + + ret_flag = fcntl(fd, F_GETFD, 0); + expec_flag = FD_CLOEXEC; + assert_true(ret_flag & expec_flag); + + close(fd); +} + +void test_sss_openat_cloexec_fail(void **state) +{ + int fd; + int ret; + int flags = O_RDWR; + struct dir_state *data = (struct dir_state *) *state; + + fd = sss_openat_cloexec(data->dir_fd, NON_EX_PATH, flags, &ret); + assert_int_equal(fd, -1); + assert_int_equal(ret, ENOENT); +} + +int main(void) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_sss_open_cloexec_success, + test_file_setup, test_file_teardown), + cmocka_unit_test_setup_teardown(test_sss_open_cloexec_fail, + test_file_setup, test_file_teardown), + cmocka_unit_test_setup_teardown(test_sss_openat_cloexec_success, + test_dir_setup, test_dir_teardown), + cmocka_unit_test_setup_teardown(test_sss_openat_cloexec_fail, + test_dir_setup, test_dir_teardown) + }; + + tests_set_cwd(); + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_iobuf.c b/src/tests/cmocka/test_iobuf.c new file mode 100644 index 0000000..796db51 --- /dev/null +++ b/src/tests/cmocka/test_iobuf.c 
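Review bot: In test_sss_open_cloexec_success and test_sss_openat_cloexec_success, `assert_true(ret_flag & expec_flag)` also passes when fcntl() fails, because -1 has every bit set, so the close-on-exec property is not actually verified on that path. Add `assert_int_not_equal(ret_flag, -1);` before the mask test. The same unchecked-result pattern is in test_file_setup and test_dir_setup, where `ret = unlink(NON_EX_PATH); ret = errno;` reads errno even if unlink() succeeded. Asserting `assert_int_equal(unlink(NON_EX_PATH), -1);` first makes the following ENOENT check meaningful.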
@@ -0,0 +1,195 @@ +/* + SSSD + + test_iobuf - IO buffer tests + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/sss_iobuf.h" +#include "util/util.h" + +static void test_sss_iobuf_read(void **state) +{ + errno_t ret; + uint8_t buffer[] = { 'H', 'e', 'l', 'l', 'o', ' ', 'w', 'o', 'r', 'l', 'd', 0 }; + uint8_t readbuf[64] = { 0 }; + size_t nread; + struct sss_iobuf *rb; + + rb = sss_iobuf_init_readonly(NULL, buffer, sizeof(buffer)); + assert_non_null(rb); + + ret = sss_iobuf_read(rb, 5, readbuf, &nread); + assert_int_equal(ret, EOK); + /* There is enough data in the buffer */ + assert_int_equal(nread, 5); + /* The data matches beginning of the buffer */ + assert_int_equal(strncmp((const char *) readbuf, "Hello", 5), 0); + + memset(readbuf, 0, sizeof(readbuf)); + ret = sss_iobuf_read(rb, 3, readbuf, &nread); + assert_int_equal(ret, EOK); + /* There is enough data in the buffer */ + assert_int_equal(nread, 3); + /* The data matches beginning of the buffer */ + assert_int_equal(strncmp((const char *) readbuf, " wo", 3), 0); + + /* Try to read more than the buffer has */ + memset(readbuf, 0, sizeof(readbuf)); + ret = sss_iobuf_read(rb, 10, readbuf, &nread); + /* This is not a fatal error */ + assert_int_equal(ret, EOK); + /* We just see how much there was */ + assert_int_equal(nread, 4); 
+ /* And get the rest of the buffer back. readbuf includes trailing zero now */ + assert_int_equal(strcmp((const char *) readbuf, "rld"), 0); + + /* Reading a depleted buffer will just yield zero bytes read now */ + ret = sss_iobuf_read(rb, 10, readbuf, &nread); + assert_int_equal(ret, EOK); + assert_int_equal(nread, 0); + + /* Failure cases */ + ret = sss_iobuf_read(NULL, 10, readbuf, &nread); + assert_int_equal(ret, EINVAL); + ret = sss_iobuf_read(rb, 10, NULL, &nread); + assert_int_equal(ret, EINVAL); + + talloc_free(rb); +} + +static void test_sss_iobuf_write(void **state) +{ + struct sss_iobuf *wb; + struct sss_iobuf *rb; + size_t hwlen = sizeof("Hello world"); /* Includes trailing zero */ + uint8_t readbuf[64]; + size_t nread; + errno_t ret; + + /* Exactly fill the capacity */ + wb = sss_iobuf_init_empty(NULL, hwlen, hwlen); + assert_non_null(wb); + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("Hello world"), + sizeof("Hello world")); + assert_int_equal(ret, EOK); + + rb = sss_iobuf_init_readonly(NULL, + sss_iobuf_get_data(wb), + sss_iobuf_get_len(wb)); + talloc_free(wb); + assert_non_null(rb); + + ret = sss_iobuf_read(rb, sizeof(readbuf), readbuf, &nread); + assert_int_equal(ret, EOK); + assert_int_equal(nread, hwlen); + assert_int_equal(strcmp((const char *) readbuf, "Hello world"), 0); + talloc_zfree(rb); + + /* Overflow the capacity by one */ + wb = sss_iobuf_init_empty(NULL, hwlen, hwlen); + assert_non_null(wb); + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("Hello world!"), + sizeof("Hello world!")); + assert_int_not_equal(ret, EOK); + talloc_zfree(wb); + + /* Test resizing exactly up to capacity in several writes */ + wb = sss_iobuf_init_empty(NULL, 2, hwlen); + assert_non_null(wb); + + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("Hello "), + sizeof("Hello ")-1); /* Not the null byte now.. 
*/ + assert_int_equal(ret, EOK); + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("world"), + sizeof("world")); + assert_int_equal(ret, EOK); + + rb = sss_iobuf_init_readonly(NULL, + sss_iobuf_get_data(wb), + sss_iobuf_get_len(wb)); + talloc_free(wb); + assert_non_null(rb); + + ret = sss_iobuf_read(rb, sizeof(readbuf), readbuf, &nread); + assert_int_equal(ret, EOK); + assert_int_equal(nread, hwlen); + assert_int_equal(strcmp((const char *) readbuf, "Hello world"), 0); + talloc_zfree(rb); + + /* Overflow the capacity during a resize by one */ + wb = sss_iobuf_init_empty(NULL, 2, hwlen); + assert_non_null(wb); + + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("Hello "), + sizeof("Hello ")-1); /* Not the null byte now.. */ + assert_int_equal(ret, EOK); + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("world!"), + sizeof("world!")); + assert_int_not_equal(ret, EOK); + talloc_zfree(wb); + + /* Test allocating an unlimited buffer */ + wb = sss_iobuf_init_empty(NULL, 2, 0); + assert_non_null(wb); + + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("Hello "), + sizeof("Hello ")-1); /* Not the null byte now.. */ + assert_int_equal(ret, EOK); + ret = sss_iobuf_write_len(wb, + (uint8_t *) discard_const("world"), + sizeof("world")); + assert_int_equal(ret, EOK); + + rb = sss_iobuf_init_readonly(NULL, + sss_iobuf_get_data(wb), + sss_iobuf_get_len(wb)); + talloc_free(wb); + assert_non_null(rb); + + ret = sss_iobuf_read(rb, sizeof(readbuf), readbuf, &nread); + assert_int_equal(ret, EOK); + assert_int_equal(nread, hwlen); + assert_int_equal(strcmp((const char *) readbuf, "Hello world"), 0); + talloc_zfree(rb); +} + +int main(void) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_sss_iobuf_read), + cmocka_unit_test(test_sss_iobuf_write), + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_ipa_dn.c b/src/tests/cmocka/test_ipa_dn.c new file mode 100644 index 0000000..b39e05b 
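Review bot: test_sss_iobuf_write calls `talloc_free(wb)` right after passing `sss_iobuf_get_data(wb)` to sss_iobuf_init_readonly() and then reads through rb, in three places, which is only safe if the read-only buffer owns a copy of the bytes. sss_iobuf_init_readonly() is not part of this hunk, so that copy is an assumption here. If it is the contract, say so at the first occurrence with `/* rb holds its own copy of the data, so wb can be freed before the read */`. If it is not, the `talloc_free(wb)` has to move after the `sss_iobuf_read()` call to avoid reading freed memory.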
--- /dev/null +++ b/src/tests/cmocka/test_ipa_dn.c 
@@ -0,0 +1,235 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "providers/ipa/ipa_dn.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_ipa_dn_conf.ldb" +#define TEST_DOM_NAME "ipa_dn_test" +#define TEST_ID_PROVIDER "ipa" + +struct ipa_dn_test_ctx { + struct sss_test_ctx *tctx; + struct sysdb_ctx *sysdb; +}; + +static int ipa_dn_test_setup(void **state) +{ + struct ipa_dn_test_ctx *test_ctx = NULL; + + test_ctx = talloc_zero(NULL, struct ipa_dn_test_ctx); + assert_non_null(test_ctx); + *state = test_ctx; + + /* initialize domain */ + test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB, + TEST_DOM_NAME, + TEST_ID_PROVIDER, NULL); + assert_non_null(test_ctx->tctx); + + test_ctx->sysdb = test_ctx->tctx->sysdb; + + return 0; +} + +static int ipa_dn_test_teardown(void **state) +{ + talloc_zfree(*state); + return 0; +} + +static void ipa_check_rdn_test(void **state) +{ + struct ipa_dn_test_ctx *test_ctx = NULL; + errno_t ret; + + test_ctx = talloc_get_type_abort(*state, struct ipa_dn_test_ctx); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,dc=example,dc=com", "cn"); + assert_int_equal(ret, EOK); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", "cn", "attr1", "value1"); + assert_int_equal(ret, EOK); 
+ + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,attr1=value1,attr2=value2,dc=example,dc=com", "cn", "attr1", "value1", "attr2", "value2"); + assert_int_equal(ret, EOK); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,dc=example,dc=com", "nope"); + assert_int_equal(ret, ENOENT); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", "cn", "nope", "value1"); + assert_int_equal(ret, ENOENT); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,attr1=value1,attr2=value2,dc=example,dc=com", "cn", "attr1", "nope"); + assert_int_equal(ret, ENOENT); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", "cn", "attr1"); + assert_int_equal(ret, ENOENT); + + ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn,attr1=value1", "cn", "attr1", "value1"); + assert_int_equal(ret, ENOENT); +} + +static void ipa_check_rdn_bool_test(void **state) +{ + struct ipa_dn_test_ctx *test_ctx = NULL; + bool bret; + + test_ctx = talloc_get_type_abort(*state, struct ipa_dn_test_ctx); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,dc=example,dc=com", "cn"); + assert_true(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", "cn", "attr1", "value1"); + assert_true(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,attr1=value1,attr2=value2,dc=example,dc=com", "cn", "attr1", "value1", "attr2", "value2"); + assert_true(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,dc=example,dc=com", "nope"); + assert_false(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", "cn", "nope", "value1"); + assert_false(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,attr1=value1,attr2=value2,dc=example,dc=com", "cn", "attr1", "nope"); + assert_false(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", "cn", "attr1"); + assert_false(bret); + + bret = ipa_check_rdn_bool(test_ctx->sysdb, 
"cn=rdn,attr1=value1", "cn", "attr1", "value1"); + assert_false(bret); +} + +static void ipa_get_rdn_test(void **state) +{ + struct ipa_dn_test_ctx *test_ctx = NULL; + const char *exprdn = "rdn"; + char *rdn = NULL; + errno_t ret; + + test_ctx = talloc_get_type_abort(*state, struct ipa_dn_test_ctx); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,dc=example,dc=com", &rdn, "cn"); + assert_int_equal(ret, EOK); + assert_non_null(rdn); + assert_string_equal(exprdn, rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", &rdn, "cn", "attr1", "value1"); + assert_int_equal(ret, EOK); + assert_non_null(rdn); + assert_string_equal(exprdn, rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1,attr2=value2,dc=example,dc=com", &rdn, "cn", "attr1", "value1", "attr2", "value2"); + assert_int_equal(ret, EOK); + assert_non_null(rdn); + assert_string_equal(exprdn, rdn); + + rdn = NULL; + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,dc=example,dc=com", &rdn, "nope"); + assert_int_equal(ret, ENOENT); + assert_null(rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", &rdn, "cn", "nope", "value1"); + assert_int_equal(ret, ENOENT); + assert_null(rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1,attr2=value2,dc=example,dc=com", &rdn, "cn", "attr1", "nope"); + assert_int_equal(ret, ENOENT); + assert_null(rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1,dc=example,dc=com", &rdn, "cn", "attr1"); + assert_int_equal(ret, ENOENT); + assert_null(rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, "cn=rdn,attr1=value1", &rdn, "cn", "attr1", "value1"); + assert_int_equal(ret, ENOENT); + assert_null(rdn); + + ret = ipa_get_rdn(test_ctx, test_ctx->sysdb, + "cn=rdn+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c," + "attr1=value1,attr2=value2,dc=example,dc=com", + &rdn, "cn", "attr1", "value1", "attr2", "value2"); + 
assert_int_equal(ret, ENOENT); + assert_null(rdn); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(ipa_check_rdn_test, + ipa_dn_test_setup, + ipa_dn_test_teardown), + cmocka_unit_test_setup_teardown(ipa_check_rdn_bool_test, + ipa_dn_test_setup, + ipa_dn_test_teardown), + cmocka_unit_test_setup_teardown(ipa_get_rdn_test, + ipa_dn_test_setup, + ipa_dn_test_teardown) + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + test_dom_suite_setup(TESTS_PATH); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + if (rv == 0 && !no_cleanup) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + } + return rv; +} diff --git a/src/tests/cmocka/test_ipa_idmap.c b/src/tests/cmocka/test_ipa_idmap.c new file mode 100644 index 0000000..6b1a156 --- /dev/null +++ b/src/tests/cmocka/test_ipa_idmap.c 
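Review bot: The multi-valued RDN case (`cn=rdn+nsuniqueid=...`) is asserted only at the end of ipa_get_rdn_test; ipa_check_rdn_test and ipa_check_rdn_bool_test never see such a DN, so a regression that lets the check variants accept a replication-conflict style entry would go unnoticed. Add the same input to both, for example `ret = ipa_check_rdn(test_ctx->sysdb, "cn=rdn+nsuniqueid=9b1e3301-c32611e6-bdcae37a-ef905e7c,dc=example,dc=com", "cn");` followed by `assert_int_equal(ret, ENOENT);`, and the `assert_false(bret)` equivalent for ipa_check_rdn_bool. The expected ENOENT/false is inferred from the ipa_get_rdn case, since the implementation is not visible in this hunk, so confirm it against ipa_dn.c.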
@@ -0,0 +1,251 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + SSSD tests: Unit tests for id-mapping in the IPA provider + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "tests/cmocka/common_mock.h" +#include "lib/idmap/sss_idmap.h" +#include "providers/ipa/ipa_common.h" +#include "providers/ldap/sdap_idmap.h" + +#define RANGE_NAME discard_const("range1") +#define DOMAIN_SID discard_const("S-1-5-21-2-3-4") +#define DOMAIN_NAME discard_const("dom.test") +#define BASE_RID 111 +#define SECONDARY_BASE_RID 11223344 +#define BASE_ID 123456 +#define RANGE_SIZE 222222 +#define RANGE_MAX (BASE_ID + RANGE_SIZE - 1) + +void test_get_idmap_data_from_range(void **state) +{ + char *dom_name; + char *sid; + uint32_t rid; + struct sss_idmap_range range; + bool external_mapping; + size_t c; + errno_t ret; + + struct test_data { + struct range_info r; + errno_t exp_ret; + char *exp_dom_name; + char *exp_sid; + uint32_t exp_rid; + struct sss_idmap_range exp_range; + bool exp_external_mapping; + } d[] = { + /* working IPA_RANGE_LOCAL range */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, SECONDARY_BASE_RID, + NULL, discard_const(IPA_RANGE_LOCAL)}, + EOK, DOMAIN_NAME, NULL, 0, {BASE_ID, RANGE_MAX}, true}, + /* working old-style IPA_RANGE_LOCAL range without range type */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, SECONDARY_BASE_RID, + NULL, NULL}, + EOK, DOMAIN_NAME, NULL, 0, {BASE_ID, 
RANGE_MAX}, true}, + /* old-style IPA_RANGE_LOCAL without SID and secondary base rid */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, 0, NULL, NULL}, + EINVAL, NULL, NULL, 0, {0, 0}, false}, + /* old-style range with SID and secondary base rid */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, SECONDARY_BASE_RID, + DOMAIN_SID, NULL}, + EINVAL, NULL, NULL, 0, {0, 0}, false}, + /* working IPA_RANGE_AD_TRUST range */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, 0, DOMAIN_SID, + discard_const(IPA_RANGE_AD_TRUST)}, + EOK, DOMAIN_SID, DOMAIN_SID, BASE_RID, {BASE_ID, RANGE_MAX}, false}, + /* working old-style IPA_RANGE_AD_TRUST range without range type */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, 0, DOMAIN_SID, NULL}, + EOK, DOMAIN_SID, DOMAIN_SID, BASE_RID, {BASE_ID, RANGE_MAX}, false}, + /* working IPA_RANGE_AD_TRUST_POSIX range */ + {{RANGE_NAME, BASE_ID, RANGE_SIZE, BASE_RID, 0, DOMAIN_SID, + discard_const(IPA_RANGE_AD_TRUST_POSIX)}, + EOK, DOMAIN_SID, DOMAIN_SID, 0, {BASE_ID, RANGE_MAX}, true}, + {{0}, 0, NULL, NULL, 0, {0, 0}, false} + }; + + for (c = 0; d[c].exp_dom_name != NULL; c++) { + ret = get_idmap_data_from_range(&d[c].r, DOMAIN_NAME, &dom_name, &sid, + &rid, &range, &external_mapping); + assert_int_equal(ret, d[c].exp_ret); + assert_string_equal(dom_name, d[c].exp_dom_name); + if (d[c].exp_sid == NULL) { + assert_null(sid); + } else { + assert_string_equal(sid, d[c].exp_sid); + } + assert_int_equal(rid, d[c].exp_rid); + assert_int_equal(range.min, d[c].exp_range.min); + assert_int_equal(range.max, d[c].exp_range.max); + assert_true(external_mapping == d[c].exp_external_mapping); + } +} + +errno_t __wrap_sysdb_get_ranges(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, + size_t *range_count, + struct range_info ***range_list) +{ + + *range_count = sss_mock_type(size_t); + *range_list = talloc_steal(mem_ctx, + sss_mock_ptr_type(struct range_info **)); + return EOK; +} + +struct test_ctx { + struct sdap_idmap_ctx *idmap_ctx; + struct sdap_id_ctx 
*sdap_id_ctx; +}; + +static struct range_info **get_range_list(TALLOC_CTX *mem_ctx) +{ + struct range_info **range_list; + + range_list = talloc_array(mem_ctx, struct range_info *, 2); + assert_non_null(range_list); + + range_list[0] = talloc_zero(range_list, struct range_info); + assert_non_null(range_list[0]); + + range_list[0]->name = talloc_strdup(range_list[0], RANGE_NAME); + assert_non_null( range_list[0]->name); + range_list[0]->base_id = BASE_ID; + range_list[0]->id_range_size = RANGE_SIZE; + range_list[0]->base_rid = BASE_RID; + range_list[0]->secondary_base_rid = 0; + range_list[0]->trusted_dom_sid = talloc_strdup(range_list[0], DOMAIN_SID); + assert_non_null(range_list[0]->trusted_dom_sid); + range_list[0]->range_type = talloc_strdup(range_list[0], + IPA_RANGE_AD_TRUST); + assert_non_null(range_list[0]->range_type); + + return range_list; +} + +static int setup_idmap_ctx(void **state) +{ + int ret; + struct test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct test_ctx); + assert_non_null(test_ctx); + + test_ctx->sdap_id_ctx = talloc_zero(test_ctx, + struct sdap_id_ctx); + assert_non_null(test_ctx->sdap_id_ctx); + + test_ctx->sdap_id_ctx->be = talloc_zero(test_ctx->sdap_id_ctx, + struct be_ctx); + assert_non_null(test_ctx->sdap_id_ctx->be); + + test_ctx->sdap_id_ctx->be->domain = talloc_zero(test_ctx->sdap_id_ctx->be, + struct sss_domain_info); + assert_non_null(test_ctx->sdap_id_ctx->be->domain); + + test_ctx->sdap_id_ctx->be->domain->name = + talloc_strdup(test_ctx->sdap_id_ctx->be->domain, DOMAIN_NAME); + assert_non_null(test_ctx->sdap_id_ctx->be->domain->name); + + will_return(__wrap_sysdb_get_ranges, 1); + will_return(__wrap_sysdb_get_ranges, get_range_list(global_talloc_context)); + + ret = ipa_idmap_init(test_ctx, test_ctx->sdap_id_ctx, + &test_ctx->idmap_ctx); + assert_int_equal(ret, EOK); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int 
teardown_idmap_ctx(void **state) +{ + struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + assert_true(check_leaks_pop(test_ctx) == true); + + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +void test_ipa_idmap_get_ranges_from_sysdb(void **state) +{ + int ret; + struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx); + assert_non_null(test_ctx); + + will_return(__wrap_sysdb_get_ranges, 1); + will_return(__wrap_sysdb_get_ranges, get_range_list(test_ctx->idmap_ctx)); + ret = ipa_idmap_get_ranges_from_sysdb(test_ctx->idmap_ctx, + DOMAIN_NAME, DOMAIN_SID, true); + assert_int_equal(ret, EOK); + + will_return(__wrap_sysdb_get_ranges, 1); + will_return(__wrap_sysdb_get_ranges, get_range_list(global_talloc_context)); + ret = ipa_idmap_get_ranges_from_sysdb(test_ctx->idmap_ctx, + DOMAIN_NAME, DOMAIN_SID, false); + assert_int_equal(ret, EIO); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_get_idmap_data_from_range), + cmocka_unit_test_setup_teardown(test_ipa_idmap_get_ranges_from_sysdb, + setup_idmap_ctx, teardown_idmap_ctx), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_ipa_subdomains_server.c b/src/tests/cmocka/test_ipa_subdomains_server.c new file mode 100644 index 0000000..11cec67 
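Review bot: The loop in `test_get_idmap_data_from_range` stops at the first entry whose `exp_dom_name` is NULL, and both `EINVAL` entries have exactly that, so the table is abandoned at its third row: neither rejection case nor any of the three AD-trust rows is ever run. A regression that starts accepting a malformed ID range would therefore still pass this test. Terminate on the sentinel's zeroed input instead, `for (c = 0; d[c].r.name != NULL; c++) {`, and skip the output comparisons for rows that expect an error with `if (d[c].exp_ret != EOK) continue;` right after the `assert_int_equal(ret, d[c].exp_ret);` line. The skip is needed because `dom_name`, `sid`, `rid` and `range` are uninitialised locals, and nothing in this hunk shows the callee setting them on failure.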
--- /dev/null
+++ b/src/tests/cmocka/test_ipa_subdomains_server.c
@@ -0,0 +1,1005 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2015 Red Hat + + SSSD tests: IPA subdomain server utils tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define TESTS_PATH "tp_" BASE_FILE_STEM + +#include "providers/ipa/ipa_subdomains.h" +#include "providers/ipa/ipa_opts.h" +#include "providers/data_provider.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_resp.h" +#include "tests/cmocka/common_mock_krb5.h" +#include "tests/cmocka/common_mock_sdap.h" +#include "tests/cmocka/common_mock_be.h" + +#define DOM_REALM "DOM.MAIN" +#define HOSTNAME "ipaserver.dom.main" +#define DOM_FLAT "DOM" + +#define TEST_AUTHID "host/"HOSTNAME +#define KEYTAB_TEST_PRINC TEST_AUTHID"@"DOM_REALM +#define KEYTAB_PATH TEST_DIR"/"TESTS_PATH"/keytab_test.keytab" + +#define SUBDOM_NAME "twoway.subdom.test" +#define SUBDOM_REALM "TWOWAY.SUBDOM.TEST" +#define SUBDOM_FLAT "TWOWAY" +#define SUBDOM_SID "S-1-2-3" + +#define CHILD_NAME "child."SUBDOM_NAME +#define CHILD_REALM "CHILD."SUBDOM_REALM +#define CHILD_FLAT "CHILD" +#define CHILD_SID "S-1-2-3-4" + +#define TEST_CONF_DB "test_ipa_subdom_server.ldb" +#define TEST_DOM_NAME "ipa_subdom_server_test" +#define TEST_ID_PROVIDER "ipa" + +#define ONEWAY_KEYTAB TEST_DIR"/"TESTS_PATH"/"SUBDOM_REALM".keytab" +#define ONEWAY_PRINC DOM_FLAT"$" 
+#define ONEWAY_AUTHID ONEWAY_PRINC"@"SUBDOM_REALM + +static bool global_rename_called; + +#ifdef HAVE_SELINUX +/* Provide faster implementation of Kerberos function + * krb5int_labeled_[f]?open. Real functions take care also + * about SELinux context which is very expensive operation + * and cause failures due to timeout when executing with Valgrind. + * It's approximately 40 times slower with real function + */ +FILE * +krb5int_labeled_fopen(const char *path, const char *mode) +{ + return fopen(path, mode); +} + +int +krb5int_labeled_open(const char *path, int flags, mode_t mode) +{ + return open(path, flags, mode); +} +#endif /* HAVE_SELINUX */ + +krb5_error_code __wrap_krb5_kt_default(krb5_context context, krb5_keytab *id) +{ + return krb5_kt_resolve(context, KEYTAB_PATH, id); +} + +static void create_dummy_keytab(const char *dummy_kt) +{ + errno_t ret; + + assert_non_null(dummy_kt); + mock_keytab_with_contents(global_talloc_context, + dummy_kt, ONEWAY_AUTHID); + + ret = access(dummy_kt, R_OK); + assert_int_equal(ret, 0); +} + +static int wrap_exec(void) +{ + const char *test_kt; + const char *fail_creating_kt; + + test_kt = getenv("TEST_KT_ENV"); + if (test_kt == NULL) { + _exit(1); + } + unsetenv("TEST_KT_ENV"); + + fail_creating_kt = getenv("KT_CREATE_FAIL"); + if (fail_creating_kt != NULL) { + _exit(1); + } + + create_dummy_keytab(test_kt); + _exit(0); + + return 1; /* Should not happen */ +} + +int __wrap_execle(const char *path, const char *arg, ...) +{ + return wrap_exec(); +} + +int __wrap_execve(const char *path, const char *arg, ...) 
+{ + return wrap_exec(); +} + +errno_t __real_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl); + +errno_t __wrap_sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl) +{ + int ret; + int sret; + + ret = __real_sss_unique_filename(owner, path_tmpl); + if (ret == EOK) { + + sret = setenv("TEST_KT_ENV", path_tmpl, 1); + assert_int_equal(sret, 0); + } + return ret; +} + +int __real_rename(const char *old, const char *new); + +int __wrap_rename(const char *old, const char *new) +{ + global_rename_called = true; + return __real_rename(old, new); +} + +struct trust_test_ctx { + struct sss_test_ctx *tctx; + struct be_ctx *be_ctx; + + struct ipa_id_ctx *ipa_ctx; + bool expect_rename; +}; + +static struct ipa_id_ctx *mock_ipa_ctx(TALLOC_CTX *mem_ctx, + struct be_ctx *be_ctx, + struct sss_test_ctx *tctx, + const char *krb5_realm, + const char *hostname) +{ + struct ipa_id_ctx *ipa_ctx; + errno_t ret; + + ipa_ctx = talloc_zero(mem_ctx, struct ipa_id_ctx); + assert_non_null(ipa_ctx); + + ipa_ctx->ipa_options = talloc_zero(ipa_ctx, struct ipa_options); + assert_non_null(ipa_ctx->ipa_options); + + ipa_ctx->ipa_options->id = talloc_zero(ipa_ctx->ipa_options, + struct sdap_options); + assert_non_null(ipa_ctx->ipa_options->id); + + ret = sdap_copy_map(ipa_ctx->ipa_options->id, + ipa_user_map, + SDAP_OPTS_USER, + &ipa_ctx->ipa_options->id->user_map); + assert_int_equal(ret, ERR_OK); + + ret = dp_get_options(ipa_ctx->ipa_options->id, + tctx->confdb, + tctx->conf_dom_path, + ipa_def_ldap_opts, + SDAP_OPTS_BASIC, + &ipa_ctx->ipa_options->id->basic); + assert_int_equal(ret, EOK); + + ret = dp_get_options(ipa_ctx->ipa_options->basic, + tctx->confdb, + tctx->conf_dom_path, + ipa_basic_opts, + IPA_OPTS_BASIC, + &ipa_ctx->ipa_options->basic); + assert_int_equal(ret, EOK); + + ret = dp_opt_set_string(ipa_ctx->ipa_options->basic, + IPA_KRB5_REALM, krb5_realm); + assert_int_equal(ret, EOK); + + ret = dp_opt_set_string(ipa_ctx->ipa_options->basic, + IPA_HOSTNAME, hostname); + 
assert_int_equal(ret, EOK); + + ret = dp_opt_set_bool(ipa_ctx->ipa_options->basic, + IPA_SERVER_MODE, true); + assert_int_equal(ret, EOK); + + ipa_ctx->sdap_id_ctx = mock_sdap_id_ctx(ipa_ctx, be_ctx, + ipa_ctx->ipa_options->id); + assert_non_null(ipa_ctx->sdap_id_ctx); + + return ipa_ctx; +} + +static struct ipa_server_mode_ctx *mock_server_mode(TALLOC_CTX *mem_ctx) +{ + struct ipa_server_mode_ctx *server_mode; + + server_mode = talloc_zero(mem_ctx, struct ipa_server_mode_ctx); + assert_non_null(server_mode); + + server_mode->hostname = HOSTNAME; + server_mode->realm = DOM_REALM; + + return server_mode; +} + +static void add_test_subdomains(struct trust_test_ctx *test_ctx, + uint32_t direction) +{ + errno_t + + /* Add two subdomains */ + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + SUBDOM_NAME, SUBDOM_REALM, + NULL, SUBDOM_SID, + true, false, SUBDOM_REALM, + direction, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + CHILD_NAME, CHILD_REALM, + CHILD_FLAT, CHILD_SID, + true, false, SUBDOM_REALM, + direction, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + +} + +static void add_test_2way_subdomains(struct trust_test_ctx *test_ctx) +{ + return add_test_subdomains(test_ctx, 0x1 | 0x2); +} + +static void add_test_1way_subdomains(struct trust_test_ctx *test_ctx) +{ + return add_test_subdomains(test_ctx, 0x1); +} + +static int test_ipa_server_create_trusts_setup(void **state) +{ + errno_t ret; + struct trust_test_ctx *test_ctx; + struct sss_test_conf_param params[] = { + { NULL, NULL }, /* Sentinel */ + }; + + test_ctx = talloc_zero(NULL, + struct trust_test_ctx); + assert_non_null(test_ctx); + + test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, + TEST_CONF_DB, TEST_DOM_NAME, + TEST_ID_PROVIDER, params); + assert_non_null(test_ctx->tctx); + test_ctx->tctx->dom->flat_name = discard_const(DOM_FLAT); + 
test_ctx->tctx->dom->realm = discard_const(DOM_REALM); + + test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx); + assert_non_null(test_ctx->be_ctx); + + test_ctx->ipa_ctx = mock_ipa_ctx(test_ctx, test_ctx->be_ctx, test_ctx->tctx, + DOM_REALM, HOSTNAME); + assert_non_null(test_ctx->tctx); + + test_ctx->ipa_ctx->server_mode = mock_server_mode(test_ctx->ipa_ctx); + assert_non_null(test_ctx->ipa_ctx->server_mode); + + ret = be_init_failover(test_ctx->be_ctx); + assert_int_equal(ret, EOK); + + mock_keytab_with_contents(test_ctx, KEYTAB_PATH, KEYTAB_TEST_PRINC); + + global_rename_called = false; + + *state = test_ctx; + return 0; +} + +static int test_ipa_server_create_trusts_teardown(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + errno_t ret; + + ret = unlink(KEYTAB_PATH); + assert_int_equal(ret, 0); + + unlink(ONEWAY_KEYTAB); + /* Ignore failures */ + + /* If a test needs this variable, it should be set again in + * each test + */ + unsetenv("KT_CREATE_FAIL"); + + talloc_free(test_ctx); + return 0; +} + +static void test_ipa_server_create_trusts_none(struct tevent_req *req); +static void test_ipa_server_create_trusts_twoway(struct tevent_req *req); + +static void test_ipa_server_create_trusts(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + struct tevent_req *req; + errno_t ret; + + req = ipa_server_create_trusts_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->ipa_ctx, + test_ctx->be_ctx->domain); + assert_non_null(req); + + tevent_req_set_callback(req, test_ipa_server_create_trusts_none, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_ipa_server_create_trusts_none(struct tevent_req *req) +{ + struct trust_test_ctx *test_ctx = \ + tevent_req_callback_data(req, struct trust_test_ctx); + errno_t ret; + + ret = ipa_server_create_trusts_recv(req); + talloc_zfree(req); + 
assert_int_equal(ret, EOK); + + /* Add two subdomains */ + add_test_2way_subdomains(test_ctx); + + req = ipa_server_create_trusts_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->ipa_ctx, + test_ctx->be_ctx->domain); + assert_non_null(req); + + tevent_req_set_callback(req, test_ipa_server_create_trusts_twoway, test_ctx); + +} + +static void assert_trust_object(struct ipa_ad_server_ctx *trust, + const char *dom_name, + const char *dom_realm, + const char *sid, + const char *keytab, + const char *authid, + const char *sdap_realm) +{ + const char *s; + + assert_non_null(trust); + assert_non_null(trust->dom); + assert_string_equal(trust->dom->name, dom_name); + assert_string_equal(trust->dom->domain_id, sid); + + s = dp_opt_get_string(trust->ad_id_ctx->ad_options->basic, + AD_KRB5_REALM); + if (dom_realm != NULL) { + assert_non_null(s); + assert_string_equal(s, dom_realm); + } else { + assert_null(s); + } + + s = dp_opt_get_string(trust->ad_id_ctx->ad_options->basic, + AD_DOMAIN); + if (dom_name != NULL) { + assert_non_null(s); + assert_string_equal(s, dom_name); + } else { + assert_null(s); + } + + /* both one-way and two-way trust uses specialized keytab */ + s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic, + SDAP_KRB5_KEYTAB); + if (keytab != NULL) { + assert_non_null(s); + assert_string_equal(s, keytab); + } else { + assert_null(s); + } + + s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic, + SDAP_SASL_REALM); + if (sdap_realm != NULL) { + assert_non_null(s); + assert_string_equal(s, sdap_realm); + } else { + assert_null(s); + } + + s = dp_opt_get_string(trust->ad_id_ctx->ad_options->id->basic, + SDAP_SASL_AUTHID); + if (authid != NULL) { + assert_non_null(s); + assert_string_equal(s, authid); + } else { + assert_null(s); + } +} + +static void test_ipa_server_create_trusts_twoway(struct tevent_req *req) +{ + struct trust_test_ctx *test_ctx = \ + tevent_req_callback_data(req, struct trust_test_ctx); + errno_t ret; + 
struct sss_domain_info *child_dom; + struct ipa_ad_server_ctx *s_trust; + struct ipa_ad_server_ctx *c_trust; + + ret = ipa_server_create_trusts_recv(req); + talloc_zfree(req); + assert_int_equal(ret, EOK); + + /* Trust object should be around now */ + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts); + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next); + + if (strcmp(test_ctx->ipa_ctx->server_mode->trusts->dom->name, + SUBDOM_NAME) == 0) { + s_trust = test_ctx->ipa_ctx->server_mode->trusts; + c_trust = test_ctx->ipa_ctx->server_mode->trusts->next; + } else { + s_trust = test_ctx->ipa_ctx->server_mode->trusts->next; + c_trust = test_ctx->ipa_ctx->server_mode->trusts; + } + assert_trust_object(c_trust, + CHILD_NAME, + CHILD_REALM, + CHILD_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + + + assert_trust_object(s_trust, + SUBDOM_NAME, + SUBDOM_REALM, + SUBDOM_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + + /* No more trust objects */ + assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next); + + ret = sysdb_subdomain_delete(test_ctx->tctx->sysdb, CHILD_NAME); + assert_int_equal(ret, EOK); + + child_dom = find_domain_by_name(test_ctx->be_ctx->domain, CHILD_NAME, true); + assert_non_null(child_dom); + + ipa_ad_subdom_remove(test_ctx->be_ctx, test_ctx->ipa_ctx, child_dom); + + assert_trust_object(test_ctx->ipa_ctx->server_mode->trusts, + SUBDOM_NAME, + SUBDOM_REALM, + SUBDOM_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + assert_null(test_ctx->ipa_ctx->server_mode->trusts->next); + + test_ev_done(test_ctx->tctx, EOK); +} + +static void +ipa_server_init_done(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(pvt, struct trust_test_ctx); + + test_ctx->tctx->done = true; +} + +static void test_ipa_server_trust_init(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + errno_t 
ret; + struct tevent_timer *timeout_handler; + struct timeval tv; + struct ipa_ad_server_ctx *s_trust; + struct ipa_ad_server_ctx *c_trust; + + add_test_2way_subdomains(test_ctx); + + ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx); + assert_int_equal(ret, EOK); + + tv = tevent_timeval_current_ofs(1, 0); + timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv, + ipa_server_init_done, test_ctx); + assert_non_null(timeout_handler); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); + + /* Trust object should be around now */ + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts); + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next); + + if (strcmp(test_ctx->ipa_ctx->server_mode->trusts->dom->name, + SUBDOM_NAME) == 0) { + s_trust = test_ctx->ipa_ctx->server_mode->trusts; + c_trust = test_ctx->ipa_ctx->server_mode->trusts->next; + } else { + s_trust = test_ctx->ipa_ctx->server_mode->trusts->next; + c_trust = test_ctx->ipa_ctx->server_mode->trusts; + } + + assert_trust_object(c_trust, + CHILD_NAME, + CHILD_REALM, + CHILD_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + + assert_trust_object(s_trust, + SUBDOM_NAME, + SUBDOM_REALM, + SUBDOM_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + + /* No more trust objects */ + assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next); +} + +struct dir_test_ctx { + struct ldb_context *ldb; + struct sysdb_attrs *tdo; +}; + +static int test_get_trust_direction_setup(void **state) +{ + struct dir_test_ctx *test_ctx; + + test_ctx = talloc_zero(global_talloc_context, + struct dir_test_ctx); + assert_non_null(test_ctx); + + test_ctx->ldb = ldb_init(test_ctx, NULL); + assert_non_null(test_ctx->ldb); + + test_ctx->tdo = sysdb_new_attrs(test_ctx); + assert_non_null(test_ctx->tdo); + + *state = test_ctx; + return 0; +} + +static int test_get_trust_direction_teardown(void **state) +{ + struct dir_test_ctx *test_ctx = + talloc_get_type(*state, struct 
dir_test_ctx); + + talloc_free(test_ctx); + return 0; +} + +/* These are stupid tests, but test real data */ +static void test_trust_dir_getset(struct dir_test_ctx *test_ctx, + uint32_t dir_in) +{ + errno_t ret; + uint32_t dir; + + ret = sysdb_attrs_add_uint32(test_ctx->tdo, IPA_TRUST_DIRECTION, dir_in); + assert_int_equal(ret, EOK); + + ret = ipa_server_get_trust_direction(test_ctx->tdo, test_ctx->ldb, &dir); + assert_int_equal(ret, EOK); + assert_int_equal(dir, dir_in); +} + +static void test_get_trust_direction_inbound(void **state) +{ + struct dir_test_ctx *test_ctx = + talloc_get_type(*state, struct dir_test_ctx); + + test_trust_dir_getset(test_ctx, 0x1); +} + +static void test_get_trust_direction_outbound(void **state) +{ + struct dir_test_ctx *test_ctx = + talloc_get_type(*state, struct dir_test_ctx); + + test_trust_dir_getset(test_ctx, 0x2); +} + +static void test_get_trust_direction_twoway(void **state) +{ + struct dir_test_ctx *test_ctx = + talloc_get_type(*state, struct dir_test_ctx); + + test_trust_dir_getset(test_ctx, 0x1 | 0x2); +} + +static void test_get_trust_direction_notset_root(void **state) +{ + errno_t ret; + uint32_t dir; + struct dir_test_ctx *test_ctx = + talloc_get_type(*state, struct dir_test_ctx); + + ret = sysdb_attrs_add_string(test_ctx->tdo, SYSDB_ORIG_DN, + "cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com"); + assert_int_equal(ret, EOK); + + ret = ipa_server_get_trust_direction(test_ctx->tdo, test_ctx->ldb, &dir); + assert_int_equal(ret, EOK); + + /* With root domains we assume two-way trust */ + assert_int_equal(dir, 0x1 | 0x2); +} + +static void test_get_trust_direction_notset_member(void **state) +{ + errno_t ret; + uint32_t dir; + struct dir_test_ctx *test_ctx = + talloc_get_type(*state, struct dir_test_ctx); + + ret = sysdb_attrs_add_string(test_ctx->tdo, SYSDB_ORIG_DN, + "cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com"); + assert_int_equal(ret, EOK); + + ret = ipa_server_get_trust_direction(test_ctx->tdo, test_ctx->ldb, 
&dir); + assert_int_equal(ret, EOK); + + /* With members we set zero and take a look at the parent */ + assert_int_equal(dir, 0); +} + +static void test_ipa_server_create_trusts_oneway(struct tevent_req *req); + +static void test_ipa_server_create_oneway(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + struct tevent_req *req; + errno_t ret; + + add_test_1way_subdomains(test_ctx); + + ret = access(ONEWAY_KEYTAB, R_OK); + assert_int_not_equal(ret, 0); + + assert_null(test_ctx->ipa_ctx->server_mode->trusts); + + test_ctx->expect_rename = true; + + req = ipa_server_create_trusts_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->ipa_ctx, + test_ctx->be_ctx->domain); + assert_non_null(req); + + tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_ipa_server_create_trusts_oneway(struct tevent_req *req) +{ + struct trust_test_ctx *test_ctx = \ + tevent_req_callback_data(req, struct trust_test_ctx); + errno_t ret; + struct ipa_ad_server_ctx *s_trust; + struct ipa_ad_server_ctx *c_trust; + + ret = ipa_server_create_trusts_recv(req); + talloc_zfree(req); + assert_int_equal(ret, EOK); + + assert_true(test_ctx->expect_rename == global_rename_called); + + ret = access(ONEWAY_KEYTAB, R_OK); + assert_int_equal(ret, 0); + + /* Trust object should be around now */ + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts); + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts->next); + + if (strcmp(test_ctx->ipa_ctx->server_mode->trusts->dom->name, + SUBDOM_NAME) == 0) { + s_trust = test_ctx->ipa_ctx->server_mode->trusts; + c_trust = test_ctx->ipa_ctx->server_mode->trusts->next; + } else { + s_trust = test_ctx->ipa_ctx->server_mode->trusts->next; + c_trust = test_ctx->ipa_ctx->server_mode->trusts; + } + + assert_trust_object( + c_trust, + CHILD_NAME, /* AD domain name */ + CHILD_REALM, /* 
AD realm can be child if SDAP realm is parent's */ + CHILD_SID, + ONEWAY_KEYTAB, /* Keytab shared with parent AD dom */ + ONEWAY_PRINC, /* Principal shared with parent AD dom */ + SUBDOM_REALM); /* SDAP realm must be AD root domain */ + + /* Here all properties point to the AD domain */ + assert_trust_object(s_trust, + SUBDOM_NAME, + SUBDOM_REALM, + SUBDOM_SID, + ONEWAY_KEYTAB, + ONEWAY_PRINC, + SUBDOM_REALM); + + assert_null(test_ctx->ipa_ctx->server_mode->trusts->next->next); + test_ev_done(test_ctx->tctx, EOK); +} + +static void test_ipa_server_create_oneway_kt_exists(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + struct tevent_req *req; + errno_t ret; + + add_test_1way_subdomains(test_ctx); + + create_dummy_keytab(ONEWAY_KEYTAB); + ret = access(ONEWAY_KEYTAB, R_OK); + assert_int_equal(ret, 0); + + test_ctx->expect_rename = true; + + assert_null(test_ctx->ipa_ctx->server_mode->trusts); + + req = ipa_server_create_trusts_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->ipa_ctx, + test_ctx->be_ctx->domain); + assert_non_null(req); + + tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); +} + +/* Test scenario where a keytab already exists, but refresh fails. 
In this case, + * sssd should attempt to reuse the previous keytab + */ +static void test_ipa_server_create_oneway_kt_refresh_fallback(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + struct tevent_req *req; + errno_t ret; + + add_test_1way_subdomains(test_ctx); + + create_dummy_keytab(ONEWAY_KEYTAB); + ret = access(ONEWAY_KEYTAB, R_OK); + assert_int_equal(ret, 0); + + setenv("KT_CREATE_FAIL", "1", 1); + test_ctx->expect_rename = false; + + assert_null(test_ctx->ipa_ctx->server_mode->trusts); + + req = ipa_server_create_trusts_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->ipa_ctx, + test_ctx->be_ctx->domain); + assert_non_null(req); + + tevent_req_set_callback(req, test_ipa_server_create_trusts_oneway, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); +} + +/* Tests case where there's no keytab and retrieving fails. Just fail the + * request in that case + */ +static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req); + +static void test_ipa_server_create_oneway_kt_refresh_fail(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + struct tevent_req *req; + errno_t ret; + + add_test_1way_subdomains(test_ctx); + + setenv("KT_CREATE_FAIL", "1", 1); + test_ctx->expect_rename = false; + + assert_null(test_ctx->ipa_ctx->server_mode->trusts); + + req = ipa_server_create_trusts_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->ipa_ctx, + test_ctx->be_ctx->domain); + assert_non_null(req); + + tevent_req_set_callback(req, + test_ipa_server_create_trusts_oneway_fail, + test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); +} + +static void test_ipa_server_create_trusts_oneway_fail(struct tevent_req *req) +{ + struct trust_test_ctx *test_ctx = \ + tevent_req_callback_data(req, struct trust_test_ctx); + errno_t ret; + + ret = 
ipa_server_create_trusts_recv(req); + assert_int_not_equal(ret, EOK); + + assert_true(test_ctx->expect_rename == global_rename_called); + + test_ev_done(test_ctx->tctx, EOK); +} + +static void test_ipa_server_trust_oneway_init(void **state) +{ + struct trust_test_ctx *test_ctx = + talloc_get_type(*state, struct trust_test_ctx); + errno_t ret; + struct tevent_timer *timeout_handler; + struct timeval tv; + + add_test_1way_subdomains(test_ctx); + + ret = ipa_ad_subdom_init(test_ctx->be_ctx, test_ctx->ipa_ctx); + assert_int_equal(ret, EOK); + + tv = tevent_timeval_current_ofs(1, 0); + timeout_handler = tevent_add_timer(test_ctx->tctx->ev, test_ctx, tv, + ipa_server_init_done, test_ctx); + assert_non_null(timeout_handler); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, ERR_OK); + + assert_non_null(test_ctx->ipa_ctx->server_mode->trusts); +} + +static void test_ipa_trust_dir2str(void **state) +{ + /* Just make sure the caller can rely on getting a valid string.. */ + assert_non_null(ipa_trust_dir2str(0x00)); + assert_non_null(ipa_trust_dir2str(0x01)); + assert_non_null(ipa_trust_dir2str(0x02)); + assert_non_null(ipa_trust_dir2str(0x80)); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_ipa_trust_dir2str), + + cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway, + test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_exists, + test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fallback, + 
test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + cmocka_unit_test_setup_teardown(test_ipa_server_create_oneway_kt_refresh_fail, + test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + cmocka_unit_test_setup_teardown(test_ipa_server_trust_oneway_init, + test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + + cmocka_unit_test_setup_teardown(test_ipa_server_trust_init, + test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + cmocka_unit_test_setup_teardown(test_ipa_server_create_trusts, + test_ipa_server_create_trusts_setup, + test_ipa_server_create_trusts_teardown), + + cmocka_unit_test_setup_teardown(test_get_trust_direction_inbound, + test_get_trust_direction_setup, + test_get_trust_direction_teardown), + cmocka_unit_test_setup_teardown(test_get_trust_direction_outbound, + test_get_trust_direction_setup, + test_get_trust_direction_teardown), + cmocka_unit_test_setup_teardown(test_get_trust_direction_twoway, + test_get_trust_direction_setup, + test_get_trust_direction_teardown), + cmocka_unit_test_setup_teardown(test_get_trust_direction_notset_root, + test_get_trust_direction_setup, + test_get_trust_direction_teardown), + cmocka_unit_test_setup_teardown(test_get_trust_direction_notset_member, + test_get_trust_direction_setup, + test_get_trust_direction_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. 
Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + test_dom_suite_setup(TESTS_PATH); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + if (rv == 0 && !no_cleanup) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + } + + return rv; +} diff --git a/src/tests/cmocka/test_ipa_subdomains_utils.c b/src/tests/cmocka/test_ipa_subdomains_utils.c new file mode 100644 index 0000000..59cdafa --- /dev/null +++ b/src/tests/cmocka/test_ipa_subdomains_utils.c 
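Review bot: In `test_ipa_server_create_trusts_setup` the check after `mock_ipa_ctx()` tests `test_ctx->tctx` a second time instead of the pointer that was just assigned, so the `test_ctx->ipa_ctx->server_mode` store on the next line is not guarded by it; it should read `assert_non_null(test_ctx->ipa_ctx);`. In `mock_ipa_ctx` the second `dp_get_options()` call passes `ipa_ctx->ipa_options->basic` as its first argument while that field is still zero from `talloc_zero`. If that argument is the talloc parent, as the first call's use of `ipa_ctx->ipa_options->id` suggests, the basic options are allocated outside the `ipa_ctx` hierarchy and are not released by `talloc_free(test_ctx)` in the teardown; `ipa_ctx->ipa_options` looks like the intended parent.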
@@ -0,0 +1,227 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests: IPA subdomain util tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "providers/ipa/ipa_subdomains.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_resp.h"
+
+struct test_ipa_subdom_ctx {
+ struct ldb_context *ldb;
+};
+
+static int test_ipa_subdom_setup(void **state)
+{
+ struct test_ipa_subdom_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ipa_subdom_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->ldb = ldb_init(test_ctx, NULL);
+ assert_non_null(test_ctx->ldb);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_ipa_subdom_teardown(void **state)
+{
+ struct test_ipa_subdom_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_ipa_subdom_ctx);
+ assert_non_null(test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static struct sysdb_attrs *dn_attrs(TALLOC_CTX *mem_ctx, const char *dn)
+{
+ struct sysdb_attrs *attrs;
+ int rv;
+
+ attrs = sysdb_new_attrs(mem_ctx);
+ assert_non_null(attrs);
+
+ rv = sysdb_attrs_add_string(attrs, SYSDB_ORIG_DN, dn);
+ assert_int_equal(rv, EOK);
+
+ return attrs;
+}
+
+static void test_ipa_subdom_ldb_dn(void **state)
+{
+ struct ldb_dn *dn;
+ struct sysdb_attrs *attrs;
+ struct test_ipa_subdom_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_ipa_subdom_ctx);
+ assert_non_null(test_ctx);
+
+ attrs = dn_attrs(test_ctx, "dc=foo,dc=bar");
+ assert_non_null(attrs);
+
+ dn = ipa_subdom_ldb_dn(test_ctx, test_ctx->ldb, attrs);
+ assert_non_null(dn);
+ assert_string_equal(ldb_dn_get_linearized(dn), "dc=foo,dc=bar");
+
+ talloc_free(dn);
+ talloc_free(attrs);
+}
+
+static void test_ipa_subdom_ldb_dn_fail(void **state)
+{
+ struct ldb_dn *dn;
+ struct sysdb_attrs *attrs;
+ struct test_ipa_subdom_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_ipa_subdom_ctx);
+ assert_non_null(test_ctx);
+
+ attrs = dn_attrs(test_ctx, "notadn");
+ assert_non_null(attrs);
+
+ dn = ipa_subdom_ldb_dn(test_ctx, NULL, NULL);
+ assert_null(dn);
+
+ dn = ipa_subdom_ldb_dn(test_ctx, test_ctx->ldb, attrs);
+ assert_null(dn);
+ talloc_free(attrs);
+
+ attrs = sysdb_new_attrs(test_ctx);
+ assert_non_null(attrs);
+ dn = ipa_subdom_ldb_dn(test_ctx, test_ctx->ldb, attrs);
+ assert_null(dn);
+ talloc_free(attrs);
+}
+
+static struct ldb_dn *get_dn(TALLOC_CTX *mem_ctx,
+ struct ldb_context *ldb,
+ const char *strdn)
+{
+ struct ldb_dn *dn;
+ struct sysdb_attrs *attrs;
+
+ attrs = dn_attrs(mem_ctx, strdn);
+ assert_non_null(attrs);
+
+ dn = ipa_subdom_ldb_dn(mem_ctx, ldb, attrs);
+ talloc_free(attrs);
+ assert_non_null(dn);
+
+ return dn;
+}
+
+static void test_ipa_subdom_is_member_dom(void **state)
+{
+ struct ldb_dn *dn;
+ struct test_ipa_subdom_ctx *test_ctx;
+ bool is_member;
+
+ test_ctx = talloc_get_type(*state, struct test_ipa_subdom_ctx);
+
+ dn = get_dn(test_ctx, test_ctx->ldb,
+ "cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com");
+ is_member = ipa_subdom_is_member_dom(dn);
+ talloc_free(dn);
+ assert_true(is_member);
+
+ dn = get_dn(test_ctx, test_ctx->ldb,
+ "cn=AD.DOM,cn=ad,cn=trusts,dc=example,dc=com");
+ is_member = ipa_subdom_is_member_dom(dn);
+ talloc_free(dn);
+ assert_false(is_member);
+
+ dn = get_dn(test_ctx, test_ctx->ldb,
+ "cn=SUB.AD.DOM,cn=AD.DOM,cn=ad,cn=XXX,dc=example,dc=com");
+ is_member = ipa_subdom_is_member_dom(dn);
+ talloc_free(dn);
+ assert_false(is_member);
+
+ dn = get_dn(test_ctx, test_ctx->ldb,
+ "cn=SUB.AD.DOM,cn=AD.DOM,cn=YYY,cn=trusts,dc=example,dc=com");
+ is_member = ipa_subdom_is_member_dom(dn);
+ talloc_free(dn);
+ assert_false(is_member);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_ipa_subdom_ldb_dn,
+ test_ipa_subdom_setup,
+ test_ipa_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_ipa_subdom_ldb_dn_fail,
+ test_ipa_subdom_setup,
+ test_ipa_subdom_teardown),
+ cmocka_unit_test_setup_teardown(test_ipa_subdom_is_member_dom,
+ test_ipa_subdom_setup,
+ test_ipa_subdom_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ return rv;
+}
diff --git a/src/tests/cmocka/test_kcm_json_marshalling.c b/src/tests/cmocka/test_kcm_json_marshalling.c
new file mode 100644
index 0000000..760b8a5
--- /dev/null
+++ b/src/tests/cmocka/test_kcm_json_marshalling.c
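Review bot: `test_ipa_subdom_is_member_dom` dereferences `test_ctx->ldb` without checking the result of `talloc_get_type()`, unlike the other two tests in this file; adding `assert_non_null(test_ctx);` right after the assignment would make a wrong or missing state fail the test instead of crashing the runner. Separately, the comment in `main()` that says "Remove the old DB to be sure" is followed only by `tests_set_cwd();`, so it describes a cleanup that is not performed here. The same leftover comment appears in the `main()` of test_kcm_json_marshalling.c and test_kcm_queue.c and could be dropped in all three.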
@@ -0,0 +1,309 @@
+/*
+ Copyright (C) 2017 Red Hat
+
+ SSSD tests: Test KCM JSON marshalling
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+
+#include "util/util_creds.h"
+#include "responder/kcm/kcmsrv_ccache.h"
+#include "responder/kcm/kcmsrv_ccache_be.h"
+#include "tests/cmocka/common_mock.h"
+
+#define TEST_REALM "TESTREALM"
+#define TEST_PRINC_COMPONENT "PRINC_NAME"
+
+#define TEST_CREDS "TESTCREDS"
+
+#define TEST_UUID_STR "5f8f296b-02be-4e86-9235-500e82354186"
+#define TEST_SEC_KEY_ONEDIGIT TEST_UUID_STR"-0"
+#define TEST_SEC_KEY_MULTIDIGITS TEST_UUID_STR"-123456"
+
+#define TEST_SEC_KEY_NOSEP TEST_UUID_STR"+0"
+
+const struct kcm_ccdb_ops ccdb_mem_ops;
+const struct kcm_ccdb_ops ccdb_sec_ops;
+
+struct kcm_marshalling_test_ctx {
+ krb5_context kctx;
+ krb5_principal princ;
+};
+
+static int setup_kcm_marshalling(void **state)
+{
+ struct kcm_marshalling_test_ctx *test_ctx;
+ krb5_error_code kerr;
+
+ test_ctx = talloc_zero(NULL, struct kcm_marshalling_test_ctx);
+ assert_non_null(test_ctx);
+
+ kerr = krb5_init_context(&test_ctx->kctx);
+ assert_int_equal(kerr, 0);
+
+ kerr = krb5_build_principal(test_ctx->kctx,
+ &test_ctx->princ,
+ sizeof(TEST_REALM)-1, TEST_REALM,
+ TEST_PRINC_COMPONENT, NULL);
+ assert_int_equal(kerr, 0);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int teardown_kcm_marshalling(void **state)
+{
+ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state,
+ struct kcm_marshalling_test_ctx);
+ assert_non_null(test_ctx);
+
+ krb5_free_principal(test_ctx->kctx, test_ctx->princ);
+ krb5_free_context(test_ctx->kctx);
+ talloc_free(test_ctx);
+ return 0;
+}
+
+static void assert_cc_name_equal(struct kcm_ccache *cc1,
+ struct kcm_ccache *cc2)
+{
+ const char *name1, *name2;
+
+ name1 = kcm_cc_get_name(cc1);
+ name2 = kcm_cc_get_name(cc2);
+ assert_string_equal(name1, name2);
+}
+
+static void assert_cc_uuid_equal(struct kcm_ccache *cc1,
+ struct kcm_ccache *cc2)
+{
+ uuid_t u1, u2;
+ errno_t ret;
+
+ ret = kcm_cc_get_uuid(cc1, u1);
+ assert_int_equal(ret, EOK);
+ ret = kcm_cc_get_uuid(cc2, u2);
+ assert_int_equal(ret, EOK);
+ ret = uuid_compare(u1, u2);
+ assert_int_equal(ret, 0);
+}
+
+static void assert_cc_princ_equal(struct kcm_ccache *cc1,
+ struct kcm_ccache *cc2)
+{
+ krb5_principal p1;
+ krb5_principal p2;
+ char *name1;
+ char *name2;
+ krb5_error_code kerr;
+
+ p1 = kcm_cc_get_client_principal(cc1);
+ p2 = kcm_cc_get_client_principal(cc2);
+
+ kerr = krb5_unparse_name(NULL, p1, &name1);
+ assert_int_equal(kerr, 0);
+ kerr = krb5_unparse_name(NULL, p2, &name2);
+ assert_int_equal(kerr, 0);
+
+ assert_string_equal(name1, name2);
+ krb5_free_unparsed_name(NULL, name1);
+ krb5_free_unparsed_name(NULL, name2);
+}
+
+static void assert_cc_offset_equal(struct kcm_ccache *cc1,
+ struct kcm_ccache *cc2)
+{
+ int32_t off1;
+ int32_t off2;
+
+ off1 = kcm_cc_get_offset(cc1);
+ off2 = kcm_cc_get_offset(cc2);
+ assert_int_equal(off1, off2);
+}
+
+static void assert_cc_equal(struct kcm_ccache *cc1,
+ struct kcm_ccache *cc2)
+{
+ assert_cc_name_equal(cc1, cc2);
+ assert_cc_uuid_equal(cc1, cc2);
+ assert_cc_princ_equal(cc1, cc2);
+ assert_cc_offset_equal(cc1, cc2);
+}
+
+static void test_kcm_ccache_marshall_unmarshall(void **state)
+{
+ struct kcm_marshalling_test_ctx *test_ctx = talloc_get_type(*state,
+ struct kcm_marshalling_test_ctx);
+ errno_t ret;
+ struct cli_creds owner;
+ struct kcm_ccache *cc;
+ struct kcm_ccache *cc2;
+ const char *url;
+ struct sss_iobuf *payload;
+ const char *name;
+ const char *key;
+ uint8_t *data;
+
+ owner.ucred.uid = getuid();
+ owner.ucred.gid = getuid();
+
+ name = talloc_asprintf(test_ctx, "%"SPRIuid, getuid());
+ assert_non_null(name);
+
+ ret = kcm_cc_new(test_ctx,
+ test_ctx->kctx,
+ &owner,
+ name,
+ test_ctx->princ,
+ &cc);
+ assert_int_equal(ret, EOK);
+
+ ret = kcm_ccache_to_sec_input(test_ctx,
+ cc,
+ &owner,
+ &url,
+ &payload);
+ assert_int_equal(ret, EOK);
+
+ key = strrchr(url, '/') + 1;
+ assert_non_null(key);
+
+ data = sss_iobuf_get_data(payload);
+ assert_non_null(data);
+
+ ret = sec_kv_to_ccache(test_ctx,
+ key,
+ (const char *) data,
+ &owner,
+ &cc2);
+ assert_int_equal(ret, EOK);
+
+ assert_cc_equal(cc, cc2);
+
+ /* This key is exactly one byte shorter than it should be */
+ ret = sec_kv_to_ccache(test_ctx,
+ TEST_UUID_STR"-",
+ (const char *) data,
+ &owner,
+ &cc2);
+ assert_int_equal(ret, EINVAL);
+}
+
+void test_sec_key_get_uuid(void **state)
+{
+ errno_t ret;
+ uuid_t uuid;
+ char str_uuid[UUID_STR_SIZE];
+
+ uuid_clear(uuid);
+ ret = sec_key_get_uuid(TEST_SEC_KEY_ONEDIGIT, uuid);
+ assert_int_equal(ret, EOK);
+ uuid_unparse(uuid, str_uuid);
+ assert_string_equal(TEST_UUID_STR, str_uuid);
+
+ ret = sec_key_get_uuid(TEST_SEC_KEY_NOSEP, uuid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sec_key_get_uuid(TEST_UUID_STR, uuid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sec_key_get_uuid(NULL, uuid);
+ assert_int_equal(ret, EINVAL);
+}
+
+void test_sec_key_get_name(void **state)
+{
+ const char *name;
+
+ name = sec_key_get_name(TEST_SEC_KEY_ONEDIGIT);
+ assert_non_null(name);
+ assert_string_equal(name, "0");
+
+ name = sec_key_get_name(TEST_SEC_KEY_MULTIDIGITS);
+ assert_non_null(name);
+ assert_string_equal(name, "123456");
+
+ name = sec_key_get_name(TEST_UUID_STR);
+ assert_null(name);
+
+ name = sec_key_get_name(TEST_SEC_KEY_NOSEP);
+ assert_null(name);
+
+ name = sec_key_get_name(NULL);
+ assert_null(name);
+}
+
+void test_sec_key_match_name(void **state)
+{
+ assert_true(sec_key_match_name(TEST_SEC_KEY_ONEDIGIT, "0"));
+ assert_true(sec_key_match_name(TEST_SEC_KEY_MULTIDIGITS, "123456"));
+
+ assert_false(sec_key_match_name(TEST_SEC_KEY_MULTIDIGITS, "0"));
+ assert_false(sec_key_match_name(TEST_SEC_KEY_ONEDIGIT, "123456"));
+
+ assert_false(sec_key_match_name(TEST_UUID_STR, "0"));
+ assert_false(sec_key_match_name(TEST_SEC_KEY_NOSEP, "0"));
+ assert_false(sec_key_match_name(TEST_SEC_KEY_ONEDIGIT, NULL));
+ assert_false(sec_key_match_name(NULL, "0"));
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_kcm_ccache_marshall_unmarshall,
+ setup_kcm_marshalling,
+ teardown_kcm_marshalling),
+ cmocka_unit_test(test_sec_key_get_uuid),
+ cmocka_unit_test(test_sec_key_get_name),
+ cmocka_unit_test(test_sec_key_match_name),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_kcm_queue.c b/src/tests/cmocka/test_kcm_queue.c
new file mode 100644
index 0000000..1e51eb5
--- /dev/null
+++ b/src/tests/cmocka/test_kcm_queue.c
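Review bot: In `test_kcm_ccache_marshall_unmarshall` the check `assert_non_null(key)` cannot fail, because `key` is computed as `strrchr(url, '/') + 1` and is therefore non-NULL even when no `/` is found (and arithmetic on a NULL result is undefined). Check the separator before advancing: `const char *sep = strrchr(url, '/');`, `assert_non_null(sep);`, `key = sep + 1;`. The same function also sets `owner.ucred.gid = getuid();`, which looks like a slip for `getgid()` as used in test_kcm_queue.c.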
@@ -0,0 +1,365 @@
+/*
+ Copyright (C) 2017 Red Hat
+
+ SSSD tests: Test KCM wait queue
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+
+#include "util/util.h"
+#include "util/util_creds.h"
+#include "tests/cmocka/common_mock.h"
+#include "responder/kcm/kcmsrv_pvt.h"
+
+#define INVALID_ID -1
+#define FAST_REQ_ID 0
+#define SLOW_REQ_ID 1
+
+#define FAST_REQ_DELAY 1
+#define SLOW_REQ_DELAY 2
+
+struct timed_request_state {
+ struct tevent_context *ev;
+ struct kcm_ops_queue_ctx *qctx;
+ struct cli_creds *client;
+ int delay;
+ int req_id;
+
+ struct kcm_ops_queue_entry *queue_entry;
+};
+
+static void timed_request_start(struct tevent_req *subreq);
+static void timed_request_done(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *pvt);
+
+static struct tevent_req *timed_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct kcm_ops_queue_ctx *qctx,
+ struct cli_creds *client,
+ int delay,
+ int req_id)
+{
+ struct tevent_req *req;
+ struct tevent_req *subreq;
+ struct timed_request_state *state;
+
+ req = tevent_req_create(mem_ctx, &state, struct timed_request_state);
+ if (req == NULL) {
+ return NULL;
+ }
+ state->ev = ev;
+ state->qctx = qctx;
+ state->client = client;
+ state->delay = delay;
+ state->req_id = req_id;
+
+ DEBUG(SSSDBG_TRACE_ALL, "Request %p with delay %d\n", req, delay);
+
+ subreq = kcm_op_queue_send(state, ev, qctx, client);
+ if (subreq == NULL) {
+ return NULL;
+ }
+ tevent_req_set_callback(subreq, timed_request_start, req);
+
+ return req;
+}
+
+static void timed_request_start(struct tevent_req *subreq)
+{
+ struct timeval tv;
+ struct tevent_timer *timeout = NULL;
+ struct tevent_req *req = tevent_req_callback_data(subreq,
+ struct tevent_req);
+ struct timed_request_state *state = tevent_req_data(req,
+ struct timed_request_state);
+ errno_t ret;
+
+ ret = kcm_op_queue_recv(subreq, state, &state->queue_entry);
+ talloc_zfree(subreq);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
+ return;
+ }
+
+ tv = tevent_timeval_current_ofs(state->delay, 0);
+ timeout = tevent_add_timer(state->ev, state, tv, timed_request_done, req);
+ if (timeout == NULL) {
+ tevent_req_error(req, ENOMEM);
+ return;
+ }
+
+ return;
+}
+
+static void timed_request_done(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval current_time,
+ void *pvt)
+{
+ struct tevent_req *req = talloc_get_type(pvt, struct tevent_req);
+ DEBUG(SSSDBG_TRACE_ALL, "Request %p done\n", req);
+ tevent_req_done(req);
+}
+
+static errno_t timed_request_recv(struct tevent_req *req,
+ int *req_id)
+{
+ struct timed_request_state *state = tevent_req_data(req,
+ struct timed_request_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+ *req_id = state->req_id;
+ return EOK;
+}
+
+struct test_ctx {
+ struct kcm_ops_queue_ctx *qctx;
+ struct tevent_context *ev;
+
+ int *req_ids;
+
+ int num_requests;
+ int finished_requests;
+ bool done;
+ errno_t error;
+};
+
+static int setup_kcm_queue(void **state)
+{
+ struct test_ctx *tctx;
+
+ tctx = talloc_zero(NULL, struct test_ctx);
+ assert_non_null(tctx);
+
+ tctx->ev = tevent_context_init(tctx);
+ assert_non_null(tctx->ev);
+
+ tctx->qctx = kcm_ops_queue_create(tctx);
+ assert_non_null(tctx->qctx);
+
+ *state = tctx;
+ return 0;
+}
+
+static int teardown_kcm_queue(void **state)
+{
+ struct test_ctx *tctx = talloc_get_type(*state, struct test_ctx);
+ talloc_free(tctx);
+ return 0;
+}
+
+static void test_kcm_queue_done(struct tevent_req *req)
+{
+ struct test_ctx *test_ctx = tevent_req_callback_data(req,
+ struct test_ctx);
+ int req_id = INVALID_ID;
+
+ test_ctx->error = timed_request_recv(req, &req_id);
+ talloc_zfree(req);
+ if (test_ctx->error != EOK) {
+ test_ctx->done = true;
+ return;
+ }
+
+ if (test_ctx->req_ids[test_ctx->finished_requests] != req_id) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Request %d finished, expected %d\n",
+ req_id, test_ctx->req_ids[test_ctx->finished_requests]);
+ test_ctx->error = EIO;
+ test_ctx->done = true;
+ return;
+ }
+
+ test_ctx->finished_requests++;
+ if (test_ctx->finished_requests == test_ctx->num_requests) {
+ test_ctx->done = true;
+ return;
+ }
+}
+
+/*
+ * Just make sure that a single pass through the queue works
+ */
+static void test_kcm_queue_single(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct tevent_req *req;
+ struct cli_creds client;
+ static int req_ids[] = { 0 };
+
+ client.ucred.uid = getuid();
+ client.ucred.gid = getgid();
+
+ req = timed_request_send(test_ctx,
+ test_ctx->ev,
+ test_ctx->qctx,
+ &client, 1, 0);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_kcm_queue_done, test_ctx);
+
+ test_ctx->num_requests = 1;
+ test_ctx->req_ids = req_ids;
+
+ while (test_ctx->done == false) {
+ tevent_loop_once(test_ctx->ev);
+ }
+ assert_int_equal(test_ctx->error, EOK);
+}
+
+/*
+ * Test that multiple requests from the same ID wait for one another
+ */
+static void test_kcm_queue_multi_same_id(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct tevent_req *req;
+ struct cli_creds client;
+ /* The slow request will finish first because request from
+ * the same ID are serialized
+ */
+ static int req_ids[] = { SLOW_REQ_ID, FAST_REQ_ID };
+
+ client.ucred.uid = getuid();
+ client.ucred.gid = getgid();
+
+ req = timed_request_send(test_ctx,
+ test_ctx->ev,
+ test_ctx->qctx,
+ &client,
+ SLOW_REQ_DELAY,
+ SLOW_REQ_ID);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_kcm_queue_done, test_ctx);
+
+ req = timed_request_send(test_ctx,
+ test_ctx->ev,
+ test_ctx->qctx,
+ &client,
+ FAST_REQ_DELAY,
+ FAST_REQ_ID);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_kcm_queue_done, test_ctx);
+
+ test_ctx->num_requests = 2;
+ test_ctx->req_ids = req_ids;
+
+ while (test_ctx->done == false) {
+ tevent_loop_once(test_ctx->ev);
+ }
+ assert_int_equal(test_ctx->error, EOK);
+}
+
+/*
+ * Test that multiple requests from different IDs don't wait for one
+ * another and can run concurrently
+ */
+static void test_kcm_queue_multi_different_id(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct tevent_req *req;
+ struct cli_creds client;
+ /* In this test, the fast request will finish sooner because
+ * both requests are from different IDs, allowing them to run
+ * concurrently
+ */
+ static int req_ids[] = { FAST_REQ_ID, SLOW_REQ_ID };
+
+ client.ucred.uid = getuid();
+ client.ucred.gid = getgid();
+
+ req = timed_request_send(test_ctx,
+ test_ctx->ev,
+ test_ctx->qctx,
+ &client,
+ SLOW_REQ_DELAY,
+ SLOW_REQ_ID);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_kcm_queue_done, test_ctx);
+
+ client.ucred.uid = getuid() + 1;
+ client.ucred.gid = getgid() + 1;
+
+ req = timed_request_send(test_ctx,
+ test_ctx->ev,
+ test_ctx->qctx,
+ &client,
+ FAST_REQ_DELAY,
+ FAST_REQ_ID);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_kcm_queue_done, test_ctx);
+
+ test_ctx->num_requests = 2;
+ test_ctx->req_ids = req_ids;
+
+ while (test_ctx->done == false) {
+ tevent_loop_once(test_ctx->ev);
+ }
+ assert_int_equal(test_ctx->error, EOK);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ int rv;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_kcm_queue_single,
+ setup_kcm_queue,
+ teardown_kcm_queue),
+ cmocka_unit_test_setup_teardown(test_kcm_queue_multi_same_id,
+ setup_kcm_queue,
+ teardown_kcm_queue),
+ cmocka_unit_test_setup_teardown(test_kcm_queue_multi_different_id,
+ setup_kcm_queue,
+ teardown_kcm_queue),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_krb5_common.c b/src/tests/cmocka/test_krb5_common.c
new file mode 100644
index 0000000..8a9aa4e
--- /dev/null
+++ b/src/tests/cmocka/test_krb5_common.c
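Review bot: `test_kcm_queue_multi_different_id` reuses one stack `struct cli_creds client` for both requests and overwrites its uid and gid after the first `timed_request_send()`, while `timed_request_send` stores only the pointer (`state->client = client`). Whether `kcm_op_queue_send()` copies the uid at call time is not visible in this file; if it reads through the pointer later, both requests would carry the same ID and the test would no longer exercise the different-ID path. A second variable, e.g. `struct cli_creds other = { 0 };` passed as `&other` to the fast request, removes that dependency. Zero-initialising both structs would also avoid handing indeterminate values to the queue code for any members other than the uid and gid assigned here.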
@@ -0,0 +1,297 @@
+/*
+ SSSD
+
+ krb5_common - Test for some krb5 utility functions
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+
+#include "src/providers/krb5/krb5_common.h"
+
+#define TEST_REALM "MY.REALM"
+#define TEST_FAST_PRINC "fast_princ@" TEST_REALM
+#define TEST_FAST_STR "dummy"
+#define TEST_LIFE_STR "dummy-life"
+#define TEST_RLIFE_STR "dummy-rlife"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_krb5_common_conf.ldb"
+#define TEST_DOM_NAME "test.krb5.common"
+#define TEST_ID_PROVIDER "ldap"
+
+struct test_ctx {
+ struct sss_test_ctx *tctx;
+};
+
+static int test_setup(void **state)
+{
+ struct test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME,
+ TEST_ID_PROVIDER, NULL);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+
+ return 0;
+}
+
+static int test_teardown(void **state)
+{
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_set_extra_args(void **state)
+{
+ int ret;
+ struct krb5_ctx *krb5_ctx;
+ char *uid_opt;
+ char *gid_opt;
+ const char **krb5_child_extra_args;
+
+ ret = set_extra_args(NULL, NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ krb5_ctx = talloc_zero(global_talloc_context, struct krb5_ctx);
+ assert_non_null(krb5_ctx);
+ uid_opt = talloc_asprintf(krb5_ctx, "--fast-ccache-uid=%"SPRIuid, getuid());
+ assert_non_null(uid_opt);
+
+ gid_opt = talloc_asprintf(krb5_ctx, "--fast-ccache-gid=%"SPRIgid, getgid());
+ assert_non_null(gid_opt);
+
+ ret = set_extra_args(global_talloc_context, krb5_ctx,
+ &krb5_child_extra_args);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_child_extra_args[0], uid_opt);
+ assert_string_equal(krb5_child_extra_args[1], gid_opt);
+ assert_null(krb5_child_extra_args[2]);
+ talloc_free(krb5_child_extra_args);
+
+ krb5_ctx->canonicalize = true;
+ ret = set_extra_args(global_talloc_context, krb5_ctx,
+ &krb5_child_extra_args);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_child_extra_args[0], uid_opt);
+ assert_string_equal(krb5_child_extra_args[1], gid_opt);
+ assert_string_equal(krb5_child_extra_args[2], "--canonicalize");
+ assert_null(krb5_child_extra_args[3]);
+ talloc_free(krb5_child_extra_args);
+
+ krb5_ctx->realm = discard_const(TEST_REALM);
+ ret = set_extra_args(global_talloc_context, krb5_ctx,
+ &krb5_child_extra_args);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_child_extra_args[0], uid_opt);
+ assert_string_equal(krb5_child_extra_args[1], gid_opt);
+ assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM);
+ assert_string_equal(krb5_child_extra_args[3], "--canonicalize");
+ assert_null(krb5_child_extra_args[4]);
+ talloc_free(krb5_child_extra_args);
+
+ /* --fast-principal will be only set if FAST is used */
+ krb5_ctx->fast_principal = discard_const(TEST_FAST_PRINC);
+ ret = set_extra_args(global_talloc_context, krb5_ctx,
+ &krb5_child_extra_args);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_child_extra_args[0], uid_opt);
+ assert_string_equal(krb5_child_extra_args[1], gid_opt);
+ assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM);
+ assert_string_equal(krb5_child_extra_args[3], "--canonicalize");
+ assert_null(krb5_child_extra_args[4]);
+ talloc_free(krb5_child_extra_args);
+
+ krb5_ctx->use_fast_str = discard_const(TEST_FAST_STR);
+ ret = set_extra_args(global_talloc_context, krb5_ctx,
+ &krb5_child_extra_args);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_child_extra_args[0], uid_opt);
+ assert_string_equal(krb5_child_extra_args[1], gid_opt);
+ assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM);
+ assert_string_equal(krb5_child_extra_args[3], "--use-fast=" TEST_FAST_STR);
+ assert_string_equal(krb5_child_extra_args[4],
+ "--fast-principal=" TEST_FAST_PRINC);
+ assert_string_equal(krb5_child_extra_args[5], "--canonicalize");
+ assert_null(krb5_child_extra_args[6]);
+ talloc_free(krb5_child_extra_args);
+
+ krb5_ctx->lifetime_str = discard_const(TEST_LIFE_STR);
+ krb5_ctx->rlife_str = discard_const(TEST_RLIFE_STR);
+ ret = set_extra_args(global_talloc_context, krb5_ctx,
+ &krb5_child_extra_args);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_child_extra_args[0], uid_opt);
+ assert_string_equal(krb5_child_extra_args[1], gid_opt);
+ assert_string_equal(krb5_child_extra_args[2], "--realm=" TEST_REALM);
+ assert_string_equal(krb5_child_extra_args[3], "--lifetime=" TEST_LIFE_STR);
+ assert_string_equal(krb5_child_extra_args[4],
+ "--renewable-lifetime=" TEST_RLIFE_STR);
+ assert_string_equal(krb5_child_extra_args[5], "--use-fast=" TEST_FAST_STR);
+ assert_string_equal(krb5_child_extra_args[6],
+ "--fast-principal=" TEST_FAST_PRINC);
+ assert_string_equal(krb5_child_extra_args[7], "--canonicalize");
+ assert_null(krb5_child_extra_args[8]);
+ talloc_free(krb5_child_extra_args);
+
+ talloc_free(krb5_ctx);
+}
+
+void test_sss_krb5_check_options(void **state)
+{
+ int ret;
+ struct dp_option *opts;
+ struct test_ctx *test_ctx = talloc_get_type(*state, struct test_ctx);
+ struct krb5_ctx *krb5_ctx;
+
+ ret = sss_krb5_check_options(NULL, NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_krb5_get_options(test_ctx, test_ctx->tctx->confdb,
+ "[domain/" TEST_DOM_NAME "]", &opts);
+ assert_int_equal(ret, EOK);
+ assert_non_null(opts);
+
+ krb5_ctx = talloc_zero(test_ctx, struct krb5_ctx);
+ assert_non_null(krb5_ctx);
+
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_ctx->realm, TEST_DOM_NAME);
+
+ /* check check_lifetime() indirectly */
+ ret = dp_opt_set_string(opts, KRB5_LIFETIME, "123");
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_ctx->lifetime_str, "123s");
+
+ ret = dp_opt_set_string(opts, KRB5_LIFETIME, "abc");
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EINVAL);
+
+ ret = dp_opt_set_string(opts, KRB5_LIFETIME, "s");
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EINVAL);
+
+ ret = dp_opt_set_string(opts, KRB5_LIFETIME, "1d");
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_ctx->lifetime_str, "1d");
+
+ ret = dp_opt_set_string(opts, KRB5_LIFETIME, "7d 0h 0m 0s");
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(krb5_ctx->lifetime_str, "7d 0h 0m 0s");
+
+ /* check canonicalize */
+ assert_false(krb5_ctx->canonicalize);
+
+ ret = dp_opt_set_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL, true);
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EOK);
+ assert_true(krb5_ctx->canonicalize);
+
+ ret = dp_opt_set_bool(opts, KRB5_USE_ENTERPRISE_PRINCIPAL, false);
+ assert_int_equal(ret, EOK);
+ ret = dp_opt_set_bool(opts, KRB5_CANONICALIZE, true);
+ assert_int_equal(ret, EOK);
+ ret = sss_krb5_check_options(opts, test_ctx->tctx->dom, krb5_ctx);
+ assert_int_equal(ret, EOK);
+ assert_true(krb5_ctx->canonicalize);
+
+ talloc_free(krb5_ctx);
+ talloc_free(opts);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_set_extra_args,
+ test_setup, test_teardown),
+ cmocka_unit_test_setup_teardown(test_sss_krb5_check_options,
+ test_setup, test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_krb5_wait_queue.c b/src/tests/cmocka/test_krb5_wait_queue.c
new file mode 100644
index 0000000..9f8473b
--- /dev/null
+++ b/src/tests/cmocka/test_krb5_wait_queue.c
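Review bot: The lifetime cases in `test_sss_krb5_check_options` reject only `"abc"` and `"s"`, so nothing checks a value that starts valid and ends with garbage. `KRB5_RENEWABLE_LIFETIME` is also never set, although `test_set_extra_args` shows both strings being forwarded to the child as `--lifetime=` and `--renewable-lifetime=`. Consider adding a case such as `ret = dp_opt_set_string(opts, KRB5_LIFETIME, "1d abc");` followed by the expected-failure assertion (presumably `EINVAL`, to be confirmed against `check_lifetime()`), and mirroring the accepted and rejected cases for the renewable lifetime.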
@@ -0,0 +1,365 @@ +/* + Copyright (C) 2015 Red Hat + + SSSD tests: Kerberos wait queue tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_auth.h" +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_be.h" + +struct krb5_mocked_auth_state { + const char *user; + time_t us_delay; + int ret; + int pam_status; + int dp_err; +}; + +static void krb5_mocked_auth_done(struct tevent_context *ev, + struct tevent_timer *tt, + struct timeval tv, + void *pvt); + +struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct be_ctx *be_ctx, + struct pam_data *pd, + struct krb5_ctx *krb5_ctx) +{ + struct tevent_req *req; + struct krb5_mocked_auth_state *state; + struct tevent_timer *tt; + struct timeval tv; + + req = tevent_req_create(mem_ctx, &state, struct krb5_mocked_auth_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->user = sss_mock_ptr_type(const char *); + state->us_delay = sss_mock_type(time_t); + state->ret = sss_mock_type(int); + state->pam_status = sss_mock_type(int); + state->dp_err = sss_mock_type(int); + + tv = tevent_timeval_current_ofs(0, state->us_delay); + + tt = tevent_add_timer(ev, req, tv, krb5_mocked_auth_done, req); + if (tt 
== NULL) { + return NULL; + } + + return req; +} + +static void krb5_mocked_auth_done(struct tevent_context *ev, + struct tevent_timer *tt, + struct timeval tv, + void *pvt) +{ + struct tevent_req *req; + struct krb5_mocked_auth_state *state; + + req = talloc_get_type(pvt, struct tevent_req); + state = tevent_req_data(req, struct krb5_mocked_auth_state); + + DEBUG(SSSDBG_TRACE_LIBS, "Finished auth request of %s\n", state->user); + + if (state->ret == 0) { + tevent_req_done(req); + } else { + tevent_req_error(req, state->ret); + } +} + +int krb5_auth_recv(struct tevent_req *req, + int *_pam_status, + int *_dp_err) +{ + struct krb5_mocked_auth_state *state; + + state = tevent_req_data(req, struct krb5_mocked_auth_state); + + if (_pam_status != NULL) { + *_pam_status = state->pam_status; + } + + if (_dp_err != NULL) { + *_dp_err = state->dp_err; + } + + TEVENT_REQ_RETURN_ON_ERROR(req); + return EOK; +} + +struct test_krb5_wait_queue { + struct sss_test_ctx *tctx; + int num_auths; + int num_finished_auths; + + struct be_ctx *be_ctx; + struct pam_data *pd; + struct krb5_ctx *krb5_ctx; +}; + +static int test_krb5_wait_queue_setup(void **state) +{ + struct test_krb5_wait_queue *test_ctx; + + test_ctx = talloc_zero(global_talloc_context, + struct test_krb5_wait_queue); + assert_non_null(test_ctx); + + test_ctx->tctx = create_ev_test_ctx(test_ctx); + assert_non_null(test_ctx); + + test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx); + assert_non_null(test_ctx->be_ctx); + + test_ctx->pd = talloc_zero(test_ctx, struct pam_data); + assert_non_null(test_ctx->pd); + + test_ctx->krb5_ctx = talloc_zero(test_ctx, struct krb5_ctx); + assert_non_null(test_ctx->krb5_ctx); + + *state = test_ctx; + return 0; +} + +static int test_krb5_wait_queue_teardown(void **state) +{ + struct test_krb5_wait_queue *test_ctx = + talloc_get_type(*state, struct test_krb5_wait_queue); + + talloc_free(test_ctx); + return 0; +} + +static void test_krb5_wait_mock(struct test_krb5_wait_queue *test_ctx, 
+ const char *username, + time_t us_delay, + int ret, + int pam_status, + int dp_err) +{ + test_ctx->pd->user = discard_const(username); + + will_return(krb5_auth_send, username); + will_return(krb5_auth_send, us_delay); + will_return(krb5_auth_send, ret); + will_return(krb5_auth_send, pam_status); + will_return(krb5_auth_send, dp_err); +} + +static void test_krb5_wait_mock_success(struct test_krb5_wait_queue *test_ctx, + const char *username) +{ + return test_krb5_wait_mock(test_ctx, username, 200, 0, 0, 0); +} + +static void test_krb5_wait_queue_single_done(struct tevent_req *req); + +static void test_krb5_wait_queue_single(void **state) +{ + errno_t ret; + struct tevent_req *req; + struct test_krb5_wait_queue *test_ctx = + talloc_get_type(*state, struct test_krb5_wait_queue); + + test_krb5_wait_mock_success(test_ctx, "krb5_user"); + + req = krb5_auth_queue_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->pd, + test_ctx->krb5_ctx); + assert_non_null(req); + tevent_req_set_callback(req, test_krb5_wait_queue_single_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void test_krb5_wait_queue_single_done(struct tevent_req *req) +{ + struct test_krb5_wait_queue *test_ctx = \ + tevent_req_callback_data(req, struct test_krb5_wait_queue); + errno_t ret; + int pam_status; + int dp_err; + + ret = krb5_auth_queue_recv(req, &pam_status, &dp_err); + talloc_free(req); + assert_int_equal(ret, EOK); + + test_ev_done(test_ctx->tctx, EOK); +} + +static void test_krb5_wait_queue_multi_done(struct tevent_req *req); + +static void test_krb5_wait_queue_multi(void **state) +{ + int i; + errno_t ret; + struct tevent_req *req; + struct test_krb5_wait_queue *test_ctx = + talloc_get_type(*state, struct test_krb5_wait_queue); + + test_ctx->num_auths = 1000; + + for (i=0; i < test_ctx->num_auths; i++) { + test_krb5_wait_mock_success(test_ctx, "krb5_user"); + + req = krb5_auth_queue_send(test_ctx, + test_ctx->tctx->ev, + 
test_ctx->be_ctx, + test_ctx->pd, + test_ctx->krb5_ctx); + assert_non_null(req); + tevent_req_set_callback(req, test_krb5_wait_queue_multi_done, test_ctx); + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void test_krb5_wait_queue_multi_done(struct tevent_req *req) +{ + struct test_krb5_wait_queue *test_ctx = \ + tevent_req_callback_data(req, struct test_krb5_wait_queue); + errno_t ret; + int pam_status; + int dp_err; + + ret = krb5_auth_queue_recv(req, &pam_status, &dp_err); + talloc_free(req); + assert_int_equal(ret, EOK); + + test_ctx->num_finished_auths++; + + if (test_ctx->num_finished_auths == test_ctx->num_auths) { + test_ev_done(test_ctx->tctx, EOK); + } +} + +static void test_krb5_wait_queue_fail_odd_done(struct tevent_req *req); + +static void test_krb5_wait_queue_fail_odd(void **state) +{ + int i; + errno_t ret; + struct tevent_req *req; + struct test_krb5_wait_queue *test_ctx = + talloc_get_type(*state, struct test_krb5_wait_queue); + + test_ctx->num_auths = 10; + + for (i=0; i < test_ctx->num_auths; i++) { + test_krb5_wait_mock(test_ctx, "krb5_user", 0, i+1 % 2, PAM_SUCCESS, 0); + + req = krb5_auth_queue_send(test_ctx, + test_ctx->tctx->ev, + test_ctx->be_ctx, + test_ctx->pd, + test_ctx->krb5_ctx); + assert_non_null(req); + tevent_req_set_callback(req, test_krb5_wait_queue_fail_odd_done, test_ctx); + } + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void test_krb5_wait_queue_fail_odd_done(struct tevent_req *req) +{ + struct test_krb5_wait_queue *test_ctx = \ + tevent_req_callback_data(req, struct test_krb5_wait_queue); + errno_t ret; + int pam_status; + int dp_err; + + ret = krb5_auth_queue_recv(req, &pam_status, &dp_err); + talloc_free(req); + assert_int_equal(ret, test_ctx->num_finished_auths+1 % 2); + + test_ctx->num_finished_auths++; + + if (test_ctx->num_finished_auths == test_ctx->num_auths) { + test_ev_done(test_ctx->tctx, EOK); + } +} + +int main(int argc, const char 
*argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + /* Run a single auth request */ + cmocka_unit_test_setup_teardown(test_krb5_wait_queue_single, + test_krb5_wait_queue_setup, + test_krb5_wait_queue_teardown), + + /* Run multiple auth requests */ + cmocka_unit_test_setup_teardown(test_krb5_wait_queue_multi, + test_krb5_wait_queue_setup, + test_krb5_wait_queue_teardown), + + /* Make sure that all requests in queue run even if some fail */ + cmocka_unit_test_setup_teardown(test_krb5_wait_queue_fail_odd, + test_krb5_wait_queue_setup, + test_krb5_wait_queue_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_ldap_auth.c b/src/tests/cmocka/test_ldap_auth.c new file mode 100644 index 0000000..a2c3559 --- /dev/null +++ b/src/tests/cmocka/test_ldap_auth.c 
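Review bot: In test_krb5_wait_queue_fail_odd the mocked result `i+1 % 2` parses as `i + (1 % 2)`, so all ten requests are queued with a non-zero error and none succeeds; the done callback's `test_ctx->num_finished_auths+1 % 2` has the same precedence slip, which is why the assertion still passes. The case registered as "Make sure that all requests in queue run even if some fail" therefore never exercises a successful Kerberos auth request queued behind a failed one. Parenthesise both expressions: `(i + 1) % 2` in the mock setup and `(test_ctx->num_finished_auths + 1) % 2` in the callback. Separately, test_krb5_wait_queue_setup re-checks `assert_non_null(test_ctx)` after create_ev_test_ctx(), where `assert_non_null(test_ctx->tctx)` looks intended.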
@@ -0,0 +1,102 @@
+/*
+ Authors:
+ Pavel Reichl
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests - ldap auth
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/common_check.h"
+#include "providers/ldap/ldap_auth.h"
+#include "tests/cmocka/test_expire_common.h"
+
+struct check_pwexpire_policy_wrap_indata {
+ enum pwexpire type;
+ void *time_fmt;
+};
+
+static void check_pwexpire_policy_wrap(void *in, void *_out)
+{
+ errno_t ret;
+ struct check_pwexpire_policy_wrap_indata *data =
+ (struct check_pwexpire_policy_wrap_indata*) in;
+
+ ret = check_pwexpire_policy(data->type, data->time_fmt, NULL, 0);
+ *(errno_t*)_out = ret;
+}
+
+static void test_pwexpire_krb(void **state)
+{
+ struct expire_test_ctx *tc;
+ enum pwexpire type = PWEXPIRE_KERBEROS;
+ errno_t ret;
+
+ tc = talloc_get_type(*state, struct expire_test_ctx);
+ assert_non_null(tc);
+
+ ret = check_pwexpire_policy(type,
+ (void*) tc->invalid_longer_format, NULL, 0);
+ assert_int_equal(ret, ERR_TIMESPEC_NOT_SUPPORTED);
+
+ ret = check_pwexpire_policy(type, (void*) tc->invalid_format,
+ NULL, 0);
+ assert_int_equal(ret, ERR_TIMESPEC_NOT_SUPPORTED);
+
+ ret = check_pwexpire_policy(type, (void*) tc->past_time,
+ NULL, 0);
+ assert_int_equal(ret, ERR_PASSWORD_EXPIRED);
+
+ ret = check_pwexpire_policy(type, (void*) tc->future_time,
+ NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ /*
changing time zone has no effect as time of expiration is in UTC */
+ struct check_pwexpire_policy_wrap_indata data;
+ data.type = type;
+ data.time_fmt = (void*)tc->future_time;
+ expire_test_tz("GST-2",
+ check_pwexpire_policy_wrap,
+ (void*)&data,
+ (void*)&ret);
+ assert_int_equal(ret, EOK);
+
+ data.time_fmt = (void*)tc->past_time;
+ expire_test_tz("GST-2",
+ check_pwexpire_policy_wrap,
+ (void*)&data,
+ (void*)&ret);
+ assert_int_equal(ret, ERR_PASSWORD_EXPIRED);
+}
+
+int main(void)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_pwexpire_krb,
+ expire_test_setup,
+ expire_test_teardown),
+ };
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_ldap_id_cleanup.c b/src/tests/cmocka/test_ldap_id_cleanup.c
new file mode 100644
index 0000000..dc8398f
--- /dev/null
+++ b/src/tests/cmocka/test_ldap_id_cleanup.c
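Review bot: In test_pwexpire_krb the first `expire_test_tz("GST-2", ...)` check can pass without the wrapper ever running, because `ret` already holds EOK from the preceding `check_pwexpire_policy(type, (void*) tc->future_time, NULL, 0)` call and is only overwritten through the `(void*)&ret` out-pointer. expire_test_tz is defined outside this hunk, so whether it can return without invoking the callback is not visible here. Resetting the variable first, e.g. `ret = EINVAL;` before each expire_test_tz call, makes the assertion depend on the callback's result. A one-line comment on check_pwexpire_policy_wrap stating that `_out` must point to an `errno_t` would also help, since both of its arguments are untyped `void *`.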
@@ -0,0 +1,342 @@ +/* + Authors: + Pavel Reichl + + Copyright (C) 2015 Red Hat + + SSSD tests - id cleanup + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "providers/ldap/ldap_auth.h" +#include "tests/cmocka/test_expire_common.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/ldap_opts.h" +#include "providers/ipa/ipa_opts.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_FILE "tests_conf.ldb" + +struct sysdb_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; + struct tevent_context *ev; + struct sss_domain_info *domain; + struct sdap_options *opts; +}; + +static int _setup_sysdb_tests(struct sysdb_test_ctx **ctx, bool enumerate) +{ + struct sysdb_test_ctx *test_ctx; + char *conf_db; + int ret; + + const char *val[2]; + val[1] = NULL; + + /* Create tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + assert_true(ret == 0 || errno == EEXIST); + + test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx); + assert_non_null(test_ctx); + + /* Create an event context + * It will not be used except in confdb_init and sysdb_init + */ + test_ctx->ev = tevent_context_init(test_ctx); + assert_non_null(test_ctx->ev); + + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, 
TEST_CONF_FILE); + assert_non_null(conf_db); + DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db); + + /* Connect to the conf db */ + ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); + assert_int_equal(ret, EOK); + + val[0] = "LOCAL"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/sssd", "domains", val); + assert_int_equal(ret, EOK); + + val[0] = "local"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "id_provider", val); + assert_int_equal(ret, EOK); + + val[0] = enumerate ? "TRUE" : "FALSE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "enumerate", val); + assert_int_equal(ret, EOK); + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + assert_int_equal(ret, EOK); + + ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local", + TESTS_PATH, &test_ctx->domain); + assert_int_equal(ret, EOK); + + test_ctx->domain->has_views = true; + test_ctx->sysdb = test_ctx->domain->sysdb; + + *ctx = test_ctx; + return EOK; +} + +#define setup_sysdb_tests(ctx) _setup_sysdb_tests((ctx), false) + +static int test_sysdb_setup(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + ret = setup_sysdb_tests(&test_ctx); + assert_int_equal(ret, EOK); + + test_ctx->domain->mpg = false; + + /* set options */ + test_ctx->opts = talloc_zero(test_ctx, struct sdap_options); + assert_non_null(test_ctx->opts); + + ret = sdap_copy_map(test_ctx->opts, rfc2307_user_map, + SDAP_OPTS_USER, &test_ctx->opts->user_map); + assert_int_equal(ret, ERR_OK); + + ret = dp_copy_defaults(test_ctx->opts, default_basic_opts, + SDAP_OPTS_BASIC, &test_ctx->opts->basic); + assert_int_equal(ret, ERR_OK); + + dp_opt_set_int(test_ctx->opts->basic, SDAP_ACCOUNT_CACHE_EXPIRATION, 1); + + *state = (void *) test_ctx; + return 0; +} + +static int test_sysdb_teardown(void **state) +{ + struct sysdb_test_ctx *test_ctx = 
talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +static errno_t invalidate_group(TALLOC_CTX *ctx, + struct sss_domain_info *domain, + const char *name) +{ + struct sysdb_attrs *sys_attrs = NULL; + errno_t ret; + + sys_attrs = sysdb_new_attrs(ctx); + if (sys_attrs) { + ret = sysdb_attrs_add_time_t(sys_attrs, + SYSDB_CACHE_EXPIRE, 1); + if (ret == EOK) { + ret = sysdb_set_group_attr(domain, name, sys_attrs, + SYSDB_MOD_REP); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); + } + talloc_zfree(sys_attrs); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); + ret = ENOMEM; + } + return ret; +} + +static void test_id_cleanup_exp_group(void **state) +{ + errno_t ret; + struct ldb_message *msg; + struct sdap_domain sdom; + char *special_grp; + char *empty_special_grp; + char *empty_grp; + char *grp; + char *test_user; + char *test_user2; + /* This timeout can be bigger because we will call invalidate_group + * to expire entries without waiting. 
*/ + const uint64_t CACHE_TIMEOUT = 30; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + special_grp = sss_create_internal_fqname(test_ctx, + "special_gr*o/u\\p(2016)", + test_ctx->domain->name); + assert_non_null(special_grp); + + empty_special_grp = sss_create_internal_fqname(test_ctx, + "empty_gr*o/u\\p(2016)", + test_ctx->domain->name); + assert_non_null(empty_special_grp); + + empty_grp = sss_create_internal_fqname(test_ctx, "empty_grp", + test_ctx->domain->name); + assert_non_null(empty_grp); + + grp = sss_create_internal_fqname(test_ctx, "grp", test_ctx->domain->name); + assert_non_null(grp); + + test_user = sss_create_internal_fqname(test_ctx, "test_user", + test_ctx->domain->name); + assert_non_null(test_user); + test_user2 = sss_create_internal_fqname(test_ctx, "test_user2", + test_ctx->domain->name); + assert_non_null(test_user2); + + ret = sysdb_store_group(test_ctx->domain, special_grp, + 10002, NULL, CACHE_TIMEOUT, 0); + assert_int_equal(ret, EOK); + + ret = sysdb_store_group(test_ctx->domain, empty_special_grp, + 10003, NULL, CACHE_TIMEOUT, 0); + assert_int_equal(ret, EOK); + + ret = sysdb_store_group(test_ctx->domain, grp, + 10004, NULL, CACHE_TIMEOUT, 0); + assert_int_equal(ret, EOK); + + ret = sysdb_store_group(test_ctx->domain, empty_grp, + 10005, NULL, CACHE_TIMEOUT, 0); + assert_int_equal(ret, EOK); + + ret = sysdb_store_user(test_ctx->domain, test_user, NULL, + 10001, 10002, "Test user", + NULL, NULL, NULL, NULL, NULL, + 0, 0); + assert_int_equal(ret, EOK); + + ret = sysdb_store_user(test_ctx->domain, test_user2, NULL, + 10002, 10004, "Test user", + NULL, NULL, NULL, NULL, NULL, + 0, 0); + assert_int_equal(ret, EOK); + + sdom.dom = test_ctx->domain; + + /* not expired */ + ret = ldap_id_cleanup(test_ctx->opts, &sdom); + assert_int_equal(ret, EOK); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + special_grp, NULL, &msg); + assert_int_equal(ret, EOK); + + ret = 
sysdb_search_group_by_name(test_ctx, test_ctx->domain, + empty_special_grp, NULL, &msg); + assert_int_equal(ret, EOK); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + grp, NULL, &msg); + assert_int_equal(ret, EOK); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + empty_grp, NULL, &msg); + assert_int_equal(ret, EOK); + + /* let records to expire */ + invalidate_group(test_ctx, test_ctx->domain, special_grp); + invalidate_group(test_ctx, test_ctx->domain, empty_special_grp); + invalidate_group(test_ctx, test_ctx->domain, grp); + invalidate_group(test_ctx, test_ctx->domain, empty_grp); + + ret = ldap_id_cleanup(test_ctx->opts, &sdom); + assert_int_equal(ret, EOK); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + special_grp, NULL, &msg); + assert_int_equal(ret, EOK); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + empty_special_grp, NULL, &msg); + assert_int_equal(ret, ENOENT); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + grp, NULL, &msg); + assert_int_equal(ret, EOK); + + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + empty_grp, NULL, &msg); + assert_int_equal(ret, ENOENT); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_id_cleanup_exp_group, + test_sysdb_setup, test_sysdb_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE); + test_dom_suite_setup(TESTS_PATH); + rv = cmocka_run_group_tests(tests, NULL, NULL); + + if (rv == 0 && no_cleanup == 0) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE); + } + return rv; +} diff --git a/src/tests/cmocka/test_negcache.c b/src/tests/cmocka/test_negcache.c new file mode 100644 index 0000000..a021092 --- /dev/null +++ b/src/tests/cmocka/test_negcache.c 
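Review bot: In test_id_cleanup_exp_group `struct sdap_domain sdom;` is left uninitialised apart from `sdom.dom = test_ctx->domain;` and is then passed to ldap_id_cleanup(), so any other member that function reads is indeterminate. ldap_id_cleanup is not part of this hunk, so which members it touches cannot be confirmed here. Zero-initialise the struct at its declaration: `struct sdap_domain sdom = { 0 };`. The four `invalidate_group(...)` calls and the `dp_opt_set_int(...)` call in test_sysdb_setup also discard their return values; `ret = invalidate_group(test_ctx, test_ctx->domain, grp); assert_int_equal(ret, EOK);` would surface a failed expiry where it happens rather than in the later group lookups.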
@@ -0,0 +1,998 @@ +/* + SSSD + + NSS Responder + + Authors: + Pallavi Jha + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_resp.h" +#include "responder/nss/nss_private.h" +#include "sss_client/idmap/sss_nss_idmap.h" +#include "util/util_sss_idmap.h" +#include "lib/idmap/sss_idmap.h" +#include "util/util.h" +#include "util/util_sss_idmap.h" +#include "responder/common/responder.h" +#include "responder/common/negcache.h" + +#define PORT 21 +#define SID "S-1-2-3-4-5" +#define CERT "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" +#define PROTO "TCP" +#define SHORTSPAN 1 +#define NAME "foo_name" +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_nss_conf.ldb" +#define TEST_DOM_NAME "nss_test" +#define TEST_ID_PROVIDER "ldap" + +/* register_cli_protocol_version is required in test since it links with + * responder_common.c module + */ +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version responder_test_cli_protocol_version[] = { + {0, NULL, NULL} + }; + + return responder_test_cli_protocol_version; +} + +/* Mock NSS structure */ +static struct nss_ctx * +mock_nctx(TALLOC_CTX *mem_ctx) +{ + struct nss_ctx *nctx; + enum idmap_error_code err; + + nctx = 
talloc_zero(mem_ctx, struct nss_ctx); + if (!nctx) { + return NULL; + } + + nctx->pwfield = discard_const("*"); + + err = sss_idmap_init(sss_idmap_talloc, nctx, sss_idmap_talloc_free, + &nctx->idmap_ctx); + if (err != IDMAP_SUCCESS) { + DEBUG(SSSDBG_FATAL_FAILURE, "sss_idmap_init failed.\n"); + talloc_free(nctx); + return NULL; + } + return nctx; +} + +struct test_state { + struct sss_nc_ctx *ctx; + struct nss_ctx *nctx; + struct resp_ctx *rctx; +}; + +static int setup(void **state) +{ + int ret; + struct test_state *ts; + + ts = talloc(NULL, struct test_state); + assert_non_null(ts); + + ret = sss_ncache_init(ts, SHORTSPAN, 0, &ts->ctx); + assert_int_equal(ret, EOK); + assert_non_null(ts->ctx); + + *state = (void *)ts; + return 0; +} + +static int teardown(void **state) +{ + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + talloc_free(ts); + return 0; +} + +static void test_sss_ncache_init(void **state) +{ + int ret; + TALLOC_CTX *memctx; + struct sss_nc_ctx *ctx; + + memctx = talloc_new(NULL); + assert_non_null(memctx); + + ret = sss_ncache_init(memctx, SHORTSPAN, 0, &ctx); + assert_int_equal(ret, EOK); + assert_non_null(ctx); + + talloc_free(memctx); +} + +/* @test_sss_ncache_uid : test following functions + * sss_ncache_set_uid + * sss_ncache_check_uid + */ +static void test_sss_ncache_uid(void **state) +{ + uid_t uid; + int ret; + bool permanent; + struct test_state *ts; + + uid = getuid(); + + ts = talloc_get_type_abort(*state, struct test_state); + + /* test when uid not present in database */ + ret = sss_ncache_check_uid(ts->ctx, NULL, uid); + assert_int_equal(ret, ENOENT); + + /* test when uid is present in database */ + permanent = true; + + ret = sss_ncache_reset_permanent(ts->ctx); + assert_int_equal(ret, EOK); + + ret = sss_ncache_set_uid(ts->ctx, permanent, NULL, uid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_uid(ts->ctx, NULL, uid); + assert_int_equal(ret, EEXIST); + + ret = sss_ncache_set_uid(ts->ctx, 
permanent, NULL, uid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_uid(ts->ctx, NULL, uid); + assert_int_equal(ret, EEXIST); + + sleep(SHORTSPAN + 1); + + ret = sss_ncache_check_uid(ts->ctx, NULL, uid); + assert_int_equal(ret, EEXIST); + + permanent = false; + + ret = sss_ncache_set_uid(ts->ctx, permanent, NULL, uid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_uid(ts->ctx, NULL, uid); + assert_int_equal(ret, EEXIST); + + sleep(SHORTSPAN + 1); + + ret = sss_ncache_check_uid(ts->ctx, NULL, uid); + assert_int_equal(ret, ENOENT); + + ret = sss_ncache_set_uid(ts->ctx, permanent, NULL, uid); + assert_int_equal(ret, EOK); +} + +/* @test_sss_ncache_gid : test following functions + * sss_ncache_set_gid + * sss_ncache_check_gid + */ +static void test_sss_ncache_gid(void **state) +{ + gid_t gid; + int ret; + bool permanent; + struct test_state *ts; + + gid = getgid(); + ts = talloc_get_type_abort(*state, struct test_state); + + /* test when gid is not present in database */ + ret = sss_ncache_check_gid(ts->ctx, NULL, gid); + assert_int_equal(ret, ENOENT); + + /* test when gid is present in database */ + permanent = true; + ret = sss_ncache_set_gid(ts->ctx, permanent, NULL, gid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_gid(ts->ctx, NULL, gid); + assert_int_equal(ret, EEXIST); + + permanent = false; + ret = sss_ncache_set_gid(ts->ctx, permanent, NULL, gid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_gid(ts->ctx, NULL, gid); + assert_int_equal(ret, EEXIST); +} + + +/* @test_sss_ncache_sid : test following functions + * sss_ncache_set_sid + * sss_ncache_check_sid + */ +static void test_sss_ncache_sid(void **state) +{ + int ret; + bool permanent; + const char *sid = NULL; + struct test_state *ts; + + sid = SID; + ts = talloc_get_type_abort(*state, struct test_state); + + /*test when sid in not present in database */ + ret = sss_ncache_check_sid(ts->ctx, sid); + assert_int_equal(ret, ENOENT); + + /* test when sid is present 
in database */ + permanent = true; + ret = sss_ncache_set_sid(ts->ctx, permanent, sid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_sid(ts->ctx, sid); + assert_int_equal(ret, EEXIST); + + permanent = false; + ret = sss_ncache_set_sid(ts->ctx, permanent, sid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_sid(ts->ctx, sid); + assert_int_equal(ret, EEXIST); +} + +/* @test_sss_ncache_cert : test following functions + * sss_ncache_set_cert + * sss_ncache_check_cert_ + */ +static void test_sss_ncache_cert(void **state) +{ + int ret; + bool permanent; + const char *cert = NULL; + struct test_state *ts; + + cert = CERT; + ts = talloc_get_type_abort(*state, struct test_state); + + /*test when cert in not present in database */ + ret = sss_ncache_check_cert(ts->ctx, cert); + assert_int_equal(ret, ENOENT); + + /* test when cert is present in database */ + permanent = true; + ret = sss_ncache_set_cert(ts->ctx, permanent, cert); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_cert(ts->ctx, cert); + assert_int_equal(ret, EEXIST); + + permanent = false; + ret = sss_ncache_set_cert(ts->ctx, permanent, cert); + assert_int_equal(ret, EOK); + + ret = sss_ncache_check_cert(ts->ctx, cert); + assert_int_equal(ret, EEXIST); +} + +/* @test_sss_ncache_user : test following functions + * sss_ncache_check_user + * sss_ncache_set_user + */ +static void test_sss_ncache_user(void **state) +{ + int ret; + bool permanent; + char *name; + struct test_state *ts; + struct sss_domain_info *dom; + + ts = talloc_get_type_abort(*state, struct test_state); + dom = talloc(ts, struct sss_domain_info); + dom->name = discard_const_p(char, TEST_DOM_NAME); + + name = sss_create_internal_fqname(ts, NAME, dom->name); + assert_non_null(name); + + /* test when domain name is not present in database */ + dom->case_sensitive = false; + ret = sss_ncache_check_user(ts->ctx, dom, name); + assert_int_equal(ret, ENOENT); + + dom->case_sensitive = true; + ret = 
sss_ncache_check_user(ts->ctx, dom, name);
+ assert_int_equal(ret, ENOENT);
+
+ /* test when domain name is present in database */
+ permanent = true;
+ ret = sss_ncache_set_user(ts->ctx, permanent, dom, name);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_user(ts->ctx, dom, name);
+ assert_int_equal(ret, EEXIST);
+
+ permanent = false;
+ ret = sss_ncache_set_user(ts->ctx, permanent, dom, name);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_user(ts->ctx, dom, name);
+ assert_int_equal(ret, EEXIST);
+
+ talloc_free(name);
+}
+
+/* @test_sss_ncache_group : test following functions
+ * sss_ncache_check_group
+ * sss_ncache_set_group
+ */
+static void test_sss_ncache_group(void **state)
+{
+ int ret;
+ bool permanent;
+ char *name;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ dom = talloc(ts, struct sss_domain_info);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ name = sss_create_internal_fqname(ts, NAME, dom->name);
+ assert_non_null(name);
+
+ /* test when domain name is not present in database */
+ dom->case_sensitive = false;
+ ret = sss_ncache_check_group(ts->ctx, dom, name);
+ assert_int_equal(ret, ENOENT);
+
+ dom->case_sensitive = true;
+ ret = sss_ncache_check_group(ts->ctx, dom, name);
+ assert_int_equal(ret, ENOENT);
+
+ /* test when domain name is present in database */
+ permanent = true;
+ ret = sss_ncache_set_group(ts->ctx, permanent, dom, name);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_group(ts->ctx, dom, name);
+ assert_int_equal(ret, EEXIST);
+
+ permanent = false;
+ ret = sss_ncache_set_group(ts->ctx, permanent, dom, name);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_group(ts->ctx, dom, name);
+ assert_int_equal(ret, EEXIST);
+
+ talloc_free(name);
+}
+
+/* @test_sss_ncache_netgr : test following functions
+ * sss_ncache_check_netgr
+ * sss_ncache_set_netgr
+ */
+static void test_sss_ncache_netgr(void **state)
+{
+ int ret;
+ bool permanent;
+ const char *name = NAME;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ dom = talloc(ts, struct sss_domain_info);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ /* test when domain name is not present in database */
+ dom->case_sensitive = false;
+ ret = sss_ncache_check_netgr(ts->ctx, dom, name);
+ assert_int_equal(ret, ENOENT);
+
+ dom->case_sensitive = true;
+ ret = sss_ncache_check_netgr(ts->ctx, dom, name);
+ assert_int_equal(ret, ENOENT);
+
+ /* test when domain name is present in database */
+ permanent = true;
+ ret = sss_ncache_set_netgr(ts->ctx, permanent, dom, name);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_netgr(ts->ctx, dom, name);
+ assert_int_equal(ret, EEXIST);
+
+ permanent = false;
+ ret = sss_ncache_set_netgr(ts->ctx, permanent, dom, name);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_netgr(ts->ctx, dom, name);
+ assert_int_equal(ret, EEXIST);
+}
+
+/* @test_sss_ncache_service_name : test following functions
+ * sss_ncache_check_service
+ * sss_ncache_set_service_name
+ */
+static void test_sss_ncache_service_name(void **state)
+{
+ int ret;
+ bool permanent;
+ const char *name = NAME;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ dom = talloc(ts, struct sss_domain_info);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ /* test when domain name and protocol are not present in database */
+ dom->case_sensitive = false;
+ ret = sss_ncache_check_service(ts->ctx, dom, name, PROTO);
+ assert_int_equal(ret, ENOENT);
+
+ dom->case_sensitive = true;
+ ret = sss_ncache_check_service(ts->ctx, dom, name, PROTO);
+ assert_int_equal(ret, ENOENT);
+
+ /* test when domain name and protocol are present in database */
+ permanent = true;
+ ret = sss_ncache_set_service_name(ts->ctx, permanent, dom, name, PROTO);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_service(ts->ctx, dom, name, PROTO);
+ assert_int_equal(ret, EEXIST);
+
+ permanent = false;
+ ret = sss_ncache_set_service_name(ts->ctx, permanent, dom, name, PROTO);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_service(ts->ctx, dom, name, PROTO);
+ assert_int_equal(ret, EEXIST);
+}
+
+/* @test_sss_ncache_service_port : test following functions
+ * sss_ncache_check_service_port
+ * sss_ncache_set_service_port
+ */
+static void test_sss_ncache_service_port(void **state)
+{
+ int ret;
+ bool permanent;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ dom = talloc(ts, struct sss_domain_info);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ /* test when domain name, port and protocol are not present in database */
+ dom->case_sensitive = false;
+ ret = sss_ncache_check_service_port(ts->ctx, dom, (uint16_t)PORT,
+ PROTO);
+ assert_int_equal(ret, ENOENT);
+
+ dom->case_sensitive = true;
+ ret = sss_ncache_check_service_port(ts->ctx, dom, (uint16_t)PORT,
+ PROTO);
+ assert_int_equal(ret, ENOENT);
+
+ /* test when domain name, port and protocol are present in database */
+ permanent = true;
+ ret = sss_ncache_set_service_port(ts->ctx, permanent, dom, (uint16_t)PORT,
+ PROTO);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_service_port(ts->ctx, dom, (uint16_t)PORT,
+ PROTO);
+ assert_int_equal(ret, EEXIST);
+
+ permanent = false;
+ ret = sss_ncache_set_service_port(ts->ctx, permanent, dom, (uint16_t)PORT,
+ PROTO);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_service_port(ts->ctx, dom, (uint16_t)PORT,
+ PROTO);
+ assert_int_equal(ret, EEXIST);
+}
+
+
+static void test_sss_ncache_reset_permanent(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ const bool permanent = true;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ret = sss_ncache_set_uid(ts->ctx, permanent, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 0);
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_reset_permanent(ts->ctx);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 0);
+ assert_int_equal(ret, ENOENT);
+}
+
+static int check_user_in_ncache(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_check_user(ctx, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
+static int check_group_in_ncache(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom,
+ const char *name)
+{
+ char *fqdn;
+ int ret;
+
+ fqdn = sss_create_internal_fqname(ctx, name, dom->name);
+ ret = sss_ncache_check_group(ctx, dom, fqdn);
+ talloc_free(fqdn);
+ return ret;
+}
+
+static int check_uid_in_ncache(struct sss_nc_ctx *ctx,
+ uid_t uid)
+{
+ int ret;
+
+ ret = sss_ncache_check_uid(ctx, NULL, uid);
+ return ret;
+}
+
+static int check_gid_in_ncache(struct sss_nc_ctx *ctx,
+ gid_t gid)
+{
+ int ret;
+
+ ret = sss_ncache_check_gid(ctx, NULL, gid);
+ return ret;
+}
+
+static void test_sss_ncache_prepopulate(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" },
+ { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" },
+ { NULL, NULL },
+ };
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx);
+ assert_int_equal(ret, EOK);
+
+ sleep(SHORTSPAN);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser3");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup3");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup3@somedomain");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_user_in_ncache(ncache, dom, "root");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "root");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_uid_in_ncache(ncache, 0);
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_gid_in_ncache(ncache, 0);
+ assert_int_equal(ret, EEXIST);
+}
+
+static void test_sss_ncache_default_domain_suffix(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "testuser1, testuser2@"TEST_DOM_NAME", testuser3@somedomain" },
+ { "filter_groups", "testgroup1, testgroup2@"TEST_DOM_NAME", testgroup3@somedomain" },
+ { NULL, NULL },
+ };
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_prepopulate(ncache, tc->confdb, ts->rctx);
+ assert_int_equal(ret, EOK);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom, "testuser3");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup3");
+ assert_int_equal(ret, ENOENT);
+
+}
+
+static void test_sss_ncache_reset_prepopulate(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct tevent_context *ev;
+ struct sss_nc_ctx *ncache;
+ struct sss_test_ctx *tc;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *dom2;
+
+ struct sss_test_conf_param params[] = {
+ { "filter_users", "testuser1@"TEST_DOM_NAME", testuser2@"TEST_DOM_NAME"2" },
+ { "filter_groups", "testgroup1@"TEST_DOM_NAME", testgroup2@"TEST_DOM_NAME"2" },
+ { NULL, NULL },
+ };
+
+ const char *nss_filter_users[] = { params[0].value, NULL};
+ const char *nss_filter_groups[] = { params[1].value, NULL};
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ ev = tevent_context_init(ts);
+ assert_non_null(ev);
+
+ dom = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ ts->nctx = mock_nctx(ts);
+ assert_non_null(ts->nctx);
+
+ tc = create_dom_test_ctx(ts, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, TEST_ID_PROVIDER, params);
+ assert_non_null(tc);
+
+ ret = confdb_add_param(tc->confdb, true, "config/nss",
+ "filter_users", nss_filter_users);
+ assert_int_equal(ret, EOK);
+
+ ret = confdb_add_param(tc->confdb, true, "config/nss",
+ "filter_groups", nss_filter_groups);
+ assert_int_equal(ret, EOK);
+
+ ncache = ts->ctx;
+ ts->rctx = mock_rctx(ts, ev, dom, ts->nctx);
+ assert_non_null(ts->rctx);
+ ts->rctx->default_domain = discard_const(TEST_DOM_NAME);
+ ts->rctx->cdb = tc->confdb;
+
+ ret = sss_names_init(ts, tc->confdb, TEST_DOM_NAME, &dom->names);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ /* Add another domain */
+ dom2 = talloc_zero(ts, struct sss_domain_info);
+ assert_non_null(dom2);
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
+ dom->next = dom2;
+ dom2->names = dom->names;
+
+ /* First domain should not be known, the second not */
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom2, "testuser2");
+ assert_int_equal(ret, ENOENT);
+
+ ret = check_group_in_ncache(ncache, dom2, "testgroup2");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_reset_repopulate_permanent(ts->rctx, ncache);
+ assert_int_equal(ret, EOK);
+
+ /* First domain should not be known, the second not */
+ ret = check_user_in_ncache(ncache, dom, "testuser1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom, "testgroup1");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_user_in_ncache(ncache, dom2, "testuser2");
+ assert_int_equal(ret, EEXIST);
+
+ ret = check_group_in_ncache(ncache, dom2, "testgroup2");
+ assert_int_equal(ret, EEXIST);
+}
+
+static void test_sss_ncache_reset(void **state)
+{
+ errno_t ret;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+ dom = talloc(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->case_sensitive = true;
+
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ /* Set users */
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_uid(ts->ctx, false, NULL, 123);
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_user(ts->ctx, false, dom, "foo");
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
+ assert_int_equal(ret, EEXIST);
+
+ /* Set groups */
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_gid(ts->ctx, false, NULL, 456);
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_group(ts->ctx, false, dom, "bar");
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_reset_users(ts->ctx);
+ assert_int_equal(ret, EOK);
+
+ /* Users are no longer negatively cached */
+ ret = sss_ncache_check_user(ts->ctx, dom, "foo");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_uid(ts->ctx, NULL, 123);
+ assert_int_equal(ret, ENOENT);
+
+ /* Groups still are */
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_reset_groups(ts->ctx);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_gid(ts->ctx, NULL, 456);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_group(ts->ctx, dom, "bar");
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sss_ncache_locate_uid_gid(void **state)
+{
+ uid_t uid;
+ gid_t gid;
+ int ret;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *dom2;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ uid = getuid();
+ gid = getgid();
+
+ dom = talloc(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ dom2 = talloc(ts, struct sss_domain_info);
+ assert_non_null(dom2);
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
+
+ ret = sss_ncache_check_locate_gid(ts->ctx, dom, gid);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_locate_uid(ts->ctx, dom, uid);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sss_ncache_set_locate_gid(ts->ctx, dom, gid);
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_set_locate_uid(ts->ctx, dom, uid);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_check_locate_gid(ts->ctx, dom, gid);
+ assert_int_equal(ret, EEXIST);
+ ret = sss_ncache_check_locate_uid(ts->ctx, dom, uid);
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_locate_gid(ts->ctx, dom2, gid);
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_check_locate_uid(ts->ctx, dom2, uid);
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sss_ncache_domain_locate_type(void **state)
+{
+ int ret;
+ struct test_state *ts;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *dom2;
+
+ ts = talloc_get_type_abort(*state, struct test_state);
+
+ dom = talloc(ts, struct sss_domain_info);
+ assert_non_null(dom);
+ dom->name = discard_const_p(char, TEST_DOM_NAME);
+
+ dom2 = talloc(ts, struct sss_domain_info);
+ assert_non_null(dom2);
+ dom2->name = discard_const_p(char, TEST_DOM_NAME"2");
+
+ ret = sss_ncache_check_domain_locate_type(ts->ctx, dom, "foo");
+ assert_int_equal(ret, ENOENT);
+ ret = sss_ncache_set_domain_locate_type(ts->ctx, dom, "foo");
+ assert_int_equal(ret, EOK);
+ ret = sss_ncache_check_domain_locate_type(ts->ctx, dom, "foo");
+ assert_int_equal(ret, EEXIST);
+
+ ret = sss_ncache_check_domain_locate_type(ts->ctx, dom2, "foo");
+ assert_int_equal(ret, ENOENT);
+}
+
+int main(void)
+{
+ int rv;
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_sss_ncache_init),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_uid, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_gid, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_sid, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_cert, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_user, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_group, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_netgr, setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_service_name, setup,
+ teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_service_port,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset_permanent, setup,
+ teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_prepopulate,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_default_domain_suffix,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset_prepopulate,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_reset,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_locate_uid_gid,
+ setup, teardown),
+ cmocka_unit_test_setup_teardown(test_sss_ncache_domain_locate_type,
+ setup, teardown),
+ };
+
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+ return rv;
+}
diff --git a/src/tests/cmocka/test_nested_groups.c b/src/tests/cmocka/test_nested_groups.c
new file mode 100644
index 0000000..1d74d3d
--- /dev/null
+++ b/src/tests/cmocka/test_nested_groups.c
@@ -0,0 +1,1335 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_sdap.h" +#include "tests/cmocka/common_mock_be.h" +#include "tests/cmocka/common_mock_sysdb_objects.h" +#include "providers/ldap/ldap_common.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/sdap_idmap.h" +#include "providers/ldap/sdap_async_private.h" +#include "providers/ldap/ldap_opts.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_ldap_nested_groups_conf.ldb" +#define TEST_DOM_NAME "ldap_nested_groups_test" +#define TEST_ID_PROVIDER "ldap" +#define TEST_EXT_MEMBER "extMember" + +bool _dp_target_enabled(struct data_provider *provider, + const char *module_name, + ...) 
+{ + return true; +} + +#define new_test(test) \ + cmocka_unit_test_setup_teardown(nested_groups_test_ ## test, \ + nested_groups_test_setup, \ + nested_groups_test_teardown) + +/* put users and groups under the same container so we can easily run the + * same tests cases for several search base scenarios */ +#define OBJECT_BASE_DN "cn=objects,dc=test,dc=com" +#define GROUP_BASE_DN "cn=groups," OBJECT_BASE_DN +#define USER_BASE_DN "cn=users," OBJECT_BASE_DN + +struct nested_groups_test_ctx { + struct sss_test_ctx *tctx; + + struct be_ctx *be_ctx; + struct sdap_options *sdap_opts; + struct sdap_handle *sdap_handle; + struct sdap_domain *sdap_domain; + struct sdap_idmap_ctx *idmap_ctx; + struct sdap_id_ctx *sdap_id_ctx; + hash_table_t *missing_external; + + struct sysdb_attrs **users; + struct sysdb_attrs **groups; + unsigned long num_users; + unsigned long num_groups; + + /* External members tests */ + struct sdap_ext_member_ctx *ext_ctx; + enum sysdb_member_type ext_member_type; + struct sss_domain_info *ext_dom; + struct sysdb_attrs *ext_member; +}; + +errno_t krb5_try_kdcip(struct confdb_ctx *cdb, + const char *conf_path, + struct dp_option *opts, + int opt_id) +{ + return EOK; +} + +/* Both arrays must have the same length! */ +static void compare_sysdb_string_array_noorder(struct sysdb_attrs **sysdb_array, + const char **string_array, + size_t len) +{ + int i, ii; + errno_t ret; + const char *name; + + /* Check the returned groups. The order is irrelevant. 
*/ + for (i = 0; i < len; i++) { + ret = sysdb_attrs_get_string(sysdb_array[i], SYSDB_NAME, &name); + assert_int_equal(ret, ERR_OK); + + for (ii = 0; ii < len; ii++) { + if (string_array[ii] == NULL) { + continue; + } + if (strcmp(name, string_array[ii]) == 0) { + string_array[ii] = NULL; + break; + } + } + } + + for (i = 0; i < len; i++) { + assert_null(string_array[i]); + } +} + +static void nested_groups_test_done(struct tevent_req *req) +{ + struct nested_groups_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct nested_groups_test_ctx); + + ctx->tctx->error = sdap_nested_group_recv(ctx, req, + &ctx->num_users, &ctx->users, + &ctx->num_groups, &ctx->groups, + &ctx->missing_external); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void nested_groups_test_one_group_no_members(void **state) +{ + struct nested_groups_test_ctx *test_ctx = NULL; + struct sysdb_attrs *rootgroup = NULL; + struct tevent_req *req = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + errno_t ret; + + test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); + + rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, + "rootgroup", NULL); + + /* mock return values */ + sss_will_return_always(sdap_has_deref_support, false); + + /* run test, check for memory leaks */ + req_mem_ctx = talloc_new(global_talloc_context); + assert_non_null(req_mem_ctx); + check_leaks_push(req_mem_ctx); + + req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->sdap_domain, test_ctx->sdap_opts, + test_ctx->sdap_handle, rootgroup); + assert_non_null(req); + tevent_req_set_callback(req, nested_groups_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_true(check_leaks_pop(req_mem_ctx) == true); + talloc_zfree(req_mem_ctx); + /* check return code */ + assert_int_equal(ret, ERR_OK); + + /* check generated values */ + assert_int_equal(test_ctx->num_users, 0); + assert_null(test_ctx->users); + + 
assert_int_equal(test_ctx->num_groups, 1); + assert_non_null(test_ctx->groups); + assert_true(rootgroup == test_ctx->groups[0]); +} + +static void nested_groups_test_one_group_unique_members(void **state) +{ + struct nested_groups_test_ctx *test_ctx = NULL; + struct sysdb_attrs *rootgroup = NULL; + struct tevent_req *req = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + errno_t ret; + const char *users[] = { "cn=user1,"USER_BASE_DN, + "cn=user2,"USER_BASE_DN, + NULL }; + const struct sysdb_attrs *user1_reply[2] = { NULL }; + const struct sysdb_attrs *user2_reply[2] = { NULL }; + const char * expected[] = { "user1", + "user2" }; + + + test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); + + /* mock return values */ + rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, + "rootgroup", users); + + user1_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1"); + assert_non_null(user1_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, user1_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + user2_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2002, "user2"); + assert_non_null(user2_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, user2_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + sss_will_return_always(sdap_has_deref_support, false); + + /* run test, check for memory leaks */ + req_mem_ctx = talloc_new(global_talloc_context); + assert_non_null(req_mem_ctx); + check_leaks_push(req_mem_ctx); + + req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->sdap_domain, test_ctx->sdap_opts, + test_ctx->sdap_handle, rootgroup); + assert_non_null(req); + tevent_req_set_callback(req, nested_groups_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_true(check_leaks_pop(req_mem_ctx) == true); + talloc_zfree(req_mem_ctx); + + /* check return code */ + assert_int_equal(ret, ERR_OK); + + /* Check the users 
*/ + assert_int_equal(test_ctx->num_users, N_ELEMENTS(expected)); + assert_int_equal(test_ctx->num_groups, 1); + + compare_sysdb_string_array_noorder(test_ctx->users, + expected, N_ELEMENTS(expected)); +} + +static void nested_groups_test_one_group_dup_users(void **state) +{ + struct nested_groups_test_ctx *test_ctx = NULL; + struct sysdb_attrs *rootgroup = NULL; + struct tevent_req *req = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + errno_t ret; + const char *name; + const char *users[] = { "cn=user1,"USER_BASE_DN, + "cn=user1,"USER_BASE_DN, + NULL }; + const struct sysdb_attrs *user1_reply[2] = { NULL }; + const struct sysdb_attrs *user2_reply[2] = { NULL }; + + test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); + + /* mock return values */ + rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, + "rootgroup", users); + + user1_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1"); + assert_non_null(user1_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, user1_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + user2_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1"); + assert_non_null(user2_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, user2_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + sss_will_return_always(sdap_has_deref_support, false); + + /* run test, check for memory leaks */ + req_mem_ctx = talloc_new(global_talloc_context); + assert_non_null(req_mem_ctx); + check_leaks_push(req_mem_ctx); + + req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->sdap_domain, test_ctx->sdap_opts, + test_ctx->sdap_handle, rootgroup); + assert_non_null(req); + tevent_req_set_callback(req, nested_groups_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_true(check_leaks_pop(req_mem_ctx) == true); + talloc_zfree(req_mem_ctx); + + /* check return code */ + assert_int_equal(ret, 
ERR_OK); + + /* Check the users */ + assert_int_equal(test_ctx->num_users, 1); + assert_int_equal(test_ctx->num_groups, 1); + + ret = sysdb_attrs_get_string(test_ctx->users[0], SYSDB_NAME, &name); + assert_int_equal(ret, ERR_OK); + assert_string_equal(name, "user1"); +} + +static void nested_groups_test_one_group_unique_group_members(void **state) +{ + struct nested_groups_test_ctx *test_ctx = NULL; + struct sysdb_attrs *rootgroup = NULL; + struct tevent_req *req = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + errno_t ret; + const char *groups[] = { "cn=emptygroup1,"GROUP_BASE_DN, + "cn=emptygroup2,"GROUP_BASE_DN, + NULL }; + const struct sysdb_attrs *group1_reply[2] = { NULL }; + const struct sysdb_attrs *group2_reply[2] = { NULL }; + const char * expected[] = { "rootgroup", + "emptygroup1", + "emptygroup2" }; + + test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); + + /* mock return values */ + rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, + "rootgroup", groups); + + group1_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, + 1001, "emptygroup1", NULL); + assert_non_null(group1_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, group1_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + group2_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, + 1002, "emptygroup2", NULL); + assert_non_null(group2_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, group2_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + sss_will_return_always(sdap_has_deref_support, false); + + /* run test, check for memory leaks */ + req_mem_ctx = talloc_new(global_talloc_context); + assert_non_null(req_mem_ctx); + check_leaks_push(req_mem_ctx); + + req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->sdap_domain, test_ctx->sdap_opts, + test_ctx->sdap_handle, rootgroup); + assert_non_null(req); + 
tevent_req_set_callback(req, nested_groups_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_true(check_leaks_pop(req_mem_ctx) == true); + talloc_zfree(req_mem_ctx); + + /* check return code */ + assert_int_equal(ret, ERR_OK); + + /* Check the users */ + assert_int_equal(test_ctx->num_users, 0); + assert_int_equal(test_ctx->num_groups, N_ELEMENTS(expected)); + + compare_sysdb_string_array_noorder(test_ctx->groups, + expected, N_ELEMENTS(expected)); +} + +static void nested_groups_test_one_group_dup_group_members(void **state) +{ + struct nested_groups_test_ctx *test_ctx = NULL; + struct sysdb_attrs *rootgroup = NULL; + struct tevent_req *req = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + errno_t ret; + const char *groups[] = { "cn=emptygroup1,"GROUP_BASE_DN, + "cn=emptygroup1,"GROUP_BASE_DN, + NULL }; + const struct sysdb_attrs *group1_reply[2] = { NULL }; + const struct sysdb_attrs *group2_reply[2] = { NULL }; + const char * expected[] = { "rootgroup", + "emptygroup1" }; + + test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); + + /* mock return values */ + rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, + "rootgroup", groups); + + group1_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, + 1001, "emptygroup1", NULL); + assert_non_null(group1_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, group1_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + group2_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, + 1001, "emptygroup1", NULL); + assert_non_null(group2_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, group2_reply); + will_return(sdap_get_generic_recv, ERR_OK); + + sss_will_return_always(sdap_has_deref_support, false); + + /* run test, check for memory leaks */ + req_mem_ctx = talloc_new(global_talloc_context); + assert_non_null(req_mem_ctx); + check_leaks_push(req_mem_ctx); + + req = 
sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->sdap_domain, test_ctx->sdap_opts, + test_ctx->sdap_handle, rootgroup); + assert_non_null(req); + tevent_req_set_callback(req, nested_groups_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_true(check_leaks_pop(req_mem_ctx) == true); + talloc_zfree(req_mem_ctx); + + /* check return code */ + assert_int_equal(ret, ERR_OK); + + assert_int_equal(test_ctx->num_users, 0); + assert_int_equal(test_ctx->num_groups, N_ELEMENTS(expected)); + + compare_sysdb_string_array_noorder(test_ctx->groups, + expected, N_ELEMENTS(expected)); +} + +static void nested_groups_test_nested_chain(void **state) +{ + struct nested_groups_test_ctx *test_ctx = NULL; + struct tevent_req *req = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + errno_t ret; + const char *rootgroup_members[] = { "cn=user1,"USER_BASE_DN, + "cn=group1,"GROUP_BASE_DN, + NULL }; + const char *group1_members[] = { "cn=user2,"USER_BASE_DN, + "cn=group2,"GROUP_BASE_DN, + NULL }; + const char *group2_members[] = { "cn=user3,"USER_BASE_DN, + NULL }; + struct sysdb_attrs *rootgroup; + const struct sysdb_attrs *user1_reply[2] = { NULL }; + const struct sysdb_attrs *group1_reply[2] = { NULL }; + const struct sysdb_attrs *user2_reply[2] = { NULL }; + const struct sysdb_attrs *group2_reply[2] = { NULL }; + const struct sysdb_attrs *user3_reply[2] = { NULL }; + const char *expected_groups[] = { "rootgroup", "group1", "group2" }; + const char *expected_users[] = { "user1", "user2", "user3" }; + + test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx); + + /* mock return values */ + rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000, + "rootgroup", rootgroup_members); + assert_non_null(rootgroup); + + user1_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1"); + assert_non_null(user1_reply[0]); + will_return(sdap_get_generic_recv, 1); + will_return(sdap_get_generic_recv, user1_reply); + 
will_return(sdap_get_generic_recv, ERR_OK);
+
+ group1_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN,
+ 1001, "group1",
+ group1_members);
+ assert_non_null(group1_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, group1_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ user2_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2002, "user2");
+ assert_non_null(user2_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, user2_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ group2_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN,
+ 1002, "group2",
+ group2_members);
+ assert_non_null(group2_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, group2_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ user3_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2003, "user3");
+ assert_non_null(user3_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, user3_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ sss_will_return_always(sdap_has_deref_support, false);
+
+ /* run test, check for memory leaks */
+ req_mem_ctx = talloc_new(global_talloc_context);
+ assert_non_null(req_mem_ctx);
+ check_leaks_push(req_mem_ctx);
+
+ req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->sdap_domain, test_ctx->sdap_opts,
+ test_ctx->sdap_handle, rootgroup);
+ assert_non_null(req);
+ tevent_req_set_callback(req, nested_groups_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_true(check_leaks_pop(req_mem_ctx) == true);
+ talloc_zfree(req_mem_ctx);
+
+ /* check return code */
+ assert_int_equal(ret, ERR_OK);
+
+ /* Check the users */
+ assert_int_equal(test_ctx->num_users, N_ELEMENTS(expected_users));
+ assert_int_equal(test_ctx->num_groups, N_ELEMENTS(expected_groups));
+
+ compare_sysdb_string_array_noorder(test_ctx->groups,
+ 
expected_groups,
+ N_ELEMENTS(expected_groups));
+ compare_sysdb_string_array_noorder(test_ctx->users,
+ expected_users,
+ N_ELEMENTS(expected_users));
+}
+
+static void nested_groups_test_nested_chain_with_error(void **state)
+{
+ struct nested_groups_test_ctx *test_ctx = NULL;
+ struct tevent_req *req = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ errno_t ret;
+ const char *rootgroup_members[] = { "cn=group1,"GROUP_BASE_DN,
+ NULL };
+ const char *group1_members[] = { "cn=group2,"GROUP_BASE_DN,
+ NULL };
+ const char *group2_members[] = { "cn=user1,"USER_BASE_DN,
+ NULL };
+ struct sysdb_attrs *rootgroup;
+ const struct sysdb_attrs *user_reply[2] = { NULL };
+ const struct sysdb_attrs *group1_reply[2] = { NULL };
+ const struct sysdb_attrs *group2_reply[2] = { NULL };
+
+ test_ctx = talloc_get_type_abort(*state, struct nested_groups_test_ctx);
+
+ /* mock return values */
+ rootgroup = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN, 1000,
+ "rootgroup", rootgroup_members);
+ assert_non_null(rootgroup);
+
+ group1_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN,
+ 1001, "group1",
+ group1_members);
+ assert_non_null(group1_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, group1_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ group2_reply[0] = mock_sysdb_group_rfc2307bis(test_ctx, GROUP_BASE_DN,
+ 1002, "group2",
+ group2_members);
+ assert_non_null(group2_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, group2_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ user_reply[0] = mock_sysdb_user(test_ctx, USER_BASE_DN, 2001, "user1");
+ assert_non_null(user_reply[0]);
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, user_reply);
+ will_return(sdap_get_generic_recv, EIO);
+
+ sss_will_return_always(sdap_has_deref_support, false);
+
+ /* run test, check for memory leaks */
+ req_mem_ctx = talloc_new(global_talloc_context);
+ 
assert_non_null(req_mem_ctx);
+ check_leaks_push(req_mem_ctx);
+
+ req = sdap_nested_group_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->sdap_domain, test_ctx->sdap_opts,
+ test_ctx->sdap_handle, rootgroup);
+ assert_non_null(req);
+ tevent_req_set_callback(req, nested_groups_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_true(check_leaks_pop(req_mem_ctx) == true);
+ talloc_zfree(req_mem_ctx);
+
+ /* check return code */
+ assert_int_equal(ret, EIO);
+}
+
+static int nested_groups_test_setup(void **state)
+{
+ errno_t ret;
+ struct nested_groups_test_ctx *test_ctx = NULL;
+ static struct sss_test_conf_param params[] = {
+ { "ldap_schema", "rfc2307bis" }, /* enable nested groups */
+ { "ldap_search_base", OBJECT_BASE_DN },
+ { "ldap_user_search_base", USER_BASE_DN },
+ { "ldap_group_search_base", GROUP_BASE_DN },
+ { NULL, NULL }
+ };
+
+ test_ctx = talloc_zero(NULL, struct nested_groups_test_ctx);
+ assert_non_null(test_ctx);
+ *state = test_ctx;
+
+ /* initialize domain */
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(test_ctx->tctx);
+
+ /* mock SDAP */
+ test_ctx->sdap_opts = mock_sdap_options_ldap(test_ctx,
+ test_ctx->tctx->dom,
+ test_ctx->tctx->confdb,
+ test_ctx->tctx->conf_dom_path);
+ assert_non_null(test_ctx->sdap_opts);
+ test_ctx->sdap_domain = test_ctx->sdap_opts->sdom;
+ test_ctx->sdap_handle = mock_sdap_handle(test_ctx);
+ assert_non_null(test_ctx->sdap_handle);
+
+ test_ctx->be_ctx = mock_be_ctx(test_ctx, test_ctx->tctx);
+ assert_non_null(test_ctx->be_ctx);
+
+ test_ctx->sdap_id_ctx = mock_sdap_id_ctx(test_ctx,
+ test_ctx->be_ctx,
+ test_ctx->sdap_opts);
+ assert_non_null(test_ctx->sdap_id_ctx);
+
+ ret = sdap_idmap_init(test_ctx, test_ctx->sdap_id_ctx, &test_ctx->idmap_ctx);
+ assert_int_equal(ret, EOK);
+ test_ctx->sdap_opts->idmap_ctx = test_ctx->idmap_ctx;
+
+ test_ctx->ext_ctx = talloc_zero(test_ctx, struct 
sdap_ext_member_ctx);
+ assert_non_null(test_ctx->ext_ctx);
+
+ return 0;
+}
+
+static int nested_groups_test_teardown(void **state)
+{
+ talloc_zfree(*state);
+ return 0;
+}
+
+struct test_ext_pvt {
+ struct sss_domain_info *dom_head;
+};
+
+struct test_ext_member {
+ const char *sid;
+ const char *short_name;
+ id_t id;
+ enum sysdb_member_type member_type;
+} test_ext_member_table[] = {
+ { "S-1-5-21-3623811015-3361044348-30300820-10001",
+ "ext_user10001", 10001, SYSDB_MEMBER_USER },
+ { "S-1-5-21-3623811015-3361044348-30300820-20001",
+ "ext_group20001", 10001, SYSDB_MEMBER_GROUP },
+ { NULL, NULL, 0, 0 },
+};
+
+struct test_resolve_ext_state {
+ struct sss_domain_info *dom;
+ enum sysdb_member_type member_type;
+ struct sysdb_attrs *member;
+};
+
+static errno_t test_resolve_ext_save_obj(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ const char *name,
+ id_t id,
+ enum sysdb_member_type member_type,
+ struct sysdb_attrs **_member);
+
+struct tevent_req *test_resolve_ext_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const char *ext_member,
+ void *pvt)
+{
+ struct tevent_req *req;
+ struct test_resolve_ext_state *state;
+ errno_t ret;
+ struct test_ext_pvt *test_pvt = talloc_get_type(pvt, struct test_ext_pvt);
+ struct sysdb_attrs *member;
+
+ req = tevent_req_create(mem_ctx, &state, struct test_resolve_ext_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ for (size_t i = 0; test_ext_member_table[i].sid; i++) {
+ if (strcmp(ext_member, test_ext_member_table[i].sid) == 0) {
+ ret = test_resolve_ext_save_obj(state, test_pvt->dom_head,
+ test_ext_member_table[i].short_name,
+ test_ext_member_table[i].id,
+ test_ext_member_table[i].member_type,
+ &member);
+ if (ret != EOK) {
+ goto immediate;
+ }
+
+ state->dom = test_pvt->dom_head;
+ state->member_type = test_ext_member_table[i].member_type;
+ state->member = talloc_steal(state, member);
+
+ ret = EOK;
+ goto immediate;
+ }
+ }
+
+ ret = ENOENT;
+
+immediate:
+ if (ret != EOK) {
+ 
tevent_req_error(req, ret);
+ } else {
+ tevent_req_done(req);
+ }
+ tevent_req_post(req, ev);
+ return req;
+}
+
+static errno_t test_resolve_ext_save_obj(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *dom,
+ const char *name,
+ id_t id,
+ enum sysdb_member_type member_type,
+ struct sysdb_attrs **_member)
+{
+ errno_t ret;
+ struct ldb_result *res;
+ char *home;
+ struct sysdb_attrs **members;
+ TALLOC_CTX *tmp_ctx;
+ char *fqdn;
+
+ tmp_ctx = talloc_new(mem_ctx);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ fqdn = sss_create_internal_fqname(tmp_ctx, name, dom->name);
+ if (fqdn == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (member_type == SYSDB_MEMBER_USER) {
+ home = talloc_asprintf(tmp_ctx, "/home/%s", name);
+ if (home == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_store_user(dom, fqdn, "*", id, id,
+ name, home, "/bin/bash", NULL, NULL,
+ NULL, 1000, time(NULL));
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_getpwnam(tmp_ctx, dom, fqdn, &res);
+ if (ret != EOK) {
+ goto done;
+ }
+ } else if (member_type == SYSDB_MEMBER_GROUP) {
+ ret = sysdb_store_group(dom, fqdn, id, NULL, 1000, time(NULL));
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_getgrnam(tmp_ctx, dom, fqdn, &res);
+ if (ret != EOK) {
+ goto done;
+ }
+ } else {
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = sysdb_msg2attrs(tmp_ctx, 1, res->msgs, &members);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ *_member = talloc_steal(mem_ctx, members[0]);
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t test_resolve_ext_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ enum sysdb_member_type *_member_type,
+ struct sss_domain_info **_dom,
+ struct sysdb_attrs **_member)
+{
+ struct test_resolve_ext_state *state = tevent_req_data(req,
+ struct test_resolve_ext_state);
+
+ TEVENT_REQ_RETURN_ON_ERROR(req);
+
+ if (_member_type != NULL) {
+ *_member_type = state->member_type;
+ }
+
+ if (_dom) {
+ *_dom = state->dom;
+ }
+
+ if (_member != NULL) {
+ 
*_member = talloc_steal(mem_ctx, state->member);
+ }
+
+ return EOK;
+}
+
+static int nested_group_external_member_setup(void **state)
+{
+ struct nested_groups_test_ctx *test_ctx;
+ struct test_ext_pvt *ext_pvt;
+ int ret;
+
+ ret = nested_groups_test_setup((void **) &test_ctx);
+ assert_int_equal(ret, 0);
+
+ ext_pvt = talloc_zero(test_ctx->ext_ctx, struct test_ext_pvt);
+ assert_non_null(ext_pvt);
+ ext_pvt->dom_head = test_ctx->tctx->dom;
+
+ test_ctx->ext_ctx->ext_member_resolve_send = test_resolve_ext_send;
+ test_ctx->ext_ctx->ext_member_resolve_recv = test_resolve_ext_recv;
+ test_ctx->ext_ctx->pvt = ext_pvt;
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int nested_group_external_member_teardown(void **state)
+{
+ struct nested_groups_test_ctx *test_ctx = talloc_get_type(*state,
+ struct nested_groups_test_ctx);
+ errno_t ret;
+ char *fqdn;
+ int i;
+
+ ret = sysdb_delete_group(test_ctx->tctx->dom, "rootgroup", 0);
+ if (ret != EOK && ret != ENOENT) {
+ return 1;
+ }
+
+ for (i = 0; test_ext_member_table[i].sid != NULL; i++) {
+ fqdn = sss_create_internal_fqname(test_ctx,
+ test_ext_member_table[i].short_name,
+ test_ctx->tctx->dom->name);
+ if (fqdn == NULL) {
+ return 1;
+ }
+
+ switch (test_ext_member_table[i].member_type) {
+ case SYSDB_MEMBER_USER:
+ ret = sysdb_delete_user(test_ctx->tctx->dom,
+ fqdn, 0);
+ break;
+
+ case SYSDB_MEMBER_GROUP:
+ ret = sysdb_delete_group(test_ctx->tctx->dom,
+ fqdn, 0);
+ break;
+
+ default:
+ continue;
+ }
+
+ talloc_zfree(fqdn);
+
+ if (ret != EOK && ret != ENOENT) {
+ return 1;
+ }
+ }
+
+ talloc_free(test_ctx->ext_ctx);
+ return nested_groups_test_setup(*state);
+}
+
+static void nested_external_done(struct tevent_req *req)
+{
+ struct nested_groups_test_ctx *ctx = NULL;
+
+ ctx = tevent_req_callback_data(req, struct nested_groups_test_ctx);
+
+ ctx->tctx->error = sdap_nested_group_lookup_external_recv(ctx, req);
+ talloc_zfree(req);
+
+ ctx->tctx->done = true;
+}
+
+static struct sysdb_attrs * 
+mock_group_with_ext_members(struct nested_groups_test_ctx *test_ctx,
+ const char *name,
+ gid_t gid,
+ const char *ext_members[])
+{
+ struct sysdb_attrs *ext_group = NULL;
+ const struct sysdb_attrs **ext_group_reply;
+ int i;
+ errno_t ret;
+
+ ext_group_reply = talloc_zero_array(test_ctx,
+ const struct sysdb_attrs *,
+ 2);
+ if (ext_group_reply == NULL) {
+ return NULL;
+ }
+
+ ext_group = mock_sysdb_object(ext_group_reply, GROUP_BASE_DN, name,
+ SYSDB_GIDNUM, gid);
+ if (ext_group == NULL) {
+ talloc_free(ext_group_reply);
+ return NULL;
+ }
+
+ for (i = 0; ext_members[i] != NULL; i++) {
+ ret = sysdb_attrs_add_string(
+ ext_group,
+ test_ctx->sdap_opts->group_map[SDAP_AT_GROUP_EXT_MEMBER].sys_name,
+ ext_members[i]);
+ if (ret != EOK) {
+ talloc_free(ext_group_reply);
+ return NULL;
+ }
+ }
+
+ ext_group_reply[0] = ext_group;
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, ext_group_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ return ext_group;
+}
+
+static errno_t
+nested_group_test_save_group(struct nested_groups_test_ctx *test_ctx,
+ struct sysdb_attrs *ldap_attrs,
+ struct group *gr)
+{
+ errno_t ret;
+ struct sysdb_attrs *sysdb_grattrs = NULL;
+ const char *s;
+ char *fqdn_gr;
+
+ sysdb_grattrs = sysdb_new_attrs(test_ctx);
+ if (sysdb_grattrs == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_string(ldap_attrs, SYSDB_ORIG_DN, &s);
+ if (ret != EOK) {
+ talloc_free(sysdb_grattrs);
+ return ret;
+ }
+
+ ret = sysdb_attrs_add_string(sysdb_grattrs, SYSDB_ORIG_DN, s);
+ if (ret != EOK) {
+ talloc_free(sysdb_grattrs);
+ return ret;
+ }
+
+ fqdn_gr = sss_create_internal_fqname(test_ctx, gr->gr_name,
+ test_ctx->tctx->dom->name);
+ if (fqdn_gr == NULL) {
+ talloc_free(sysdb_grattrs);
+ return ENOMEM;
+ }
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ fqdn_gr, gr->gr_gid,
+ sysdb_grattrs, 0, time(NULL));
+ talloc_free(fqdn_gr);
+ talloc_free(sysdb_grattrs);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return 
EOK;
+}
+
+static errno_t
+nested_group_test_link_group(struct nested_groups_test_ctx *test_ctx,
+ const char *shortname_parent,
+ const char *shortname_child)
+{
+ errno_t ret;
+ char *fqdn_parent;
+ char *fqdn_child;
+
+ fqdn_parent = sss_create_internal_fqname(test_ctx, shortname_parent,
+ test_ctx->tctx->dom->name);
+ if (fqdn_parent == NULL) {
+ return ENOMEM;
+ }
+
+ fqdn_child = sss_create_internal_fqname(test_ctx, shortname_child,
+ test_ctx->tctx->dom->name);
+ if (fqdn_child == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_add_group_member(test_ctx->tctx->dom,
+ fqdn_parent,
+ fqdn_child,
+ SYSDB_MEMBER_GROUP, false);
+ talloc_free(fqdn_parent);
+ talloc_free(fqdn_child);
+ return ret;
+}
+
+static void assert_sysdb_name_equal(struct nested_groups_test_ctx *test_ctx,
+ struct ldb_message *msg,
+ const char *shortname)
+{
+ const char *s;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(test_ctx, shortname,
+ test_ctx->tctx->dom->name);
+ assert_non_null(fqname);
+
+ s = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ assert_string_equal(s, fqname);
+ talloc_free(fqname);
+}
+
+static void assert_member_dn(struct nested_groups_test_ctx *test_ctx,
+ const char *member_name,
+ const char *exp_member_name)
+{
+ const char *s;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(test_ctx, exp_member_name,
+ test_ctx->tctx->dom->name);
+ assert_non_null(fqname);
+
+ s = sysdb_group_strdn(test_ctx,
+ test_ctx->tctx->dom->name,
+ fqname);
+ talloc_free(fqname);
+ assert_non_null(s);
+
+ assert_string_equal(member_name, s);
+}
+
+static void nested_group_external_member_test(void **state)
+{
+ struct nested_groups_test_ctx *test_ctx = talloc_get_type(*state,
+ struct nested_groups_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+ struct sysdb_attrs *rootgroup_ldap_attrs = NULL;
+ struct sysdb_attrs *nested_group_ldap_attrs = NULL;
+ struct sysdb_attrs *ext_group_ldap_attrs = NULL;
+ struct sysdb_attrs *ext_group_nested_ldap_attrs = NULL;
+ 
struct ldb_result *res;
+ struct group rootgroup;
+ struct group nested_group;
+ struct group ext_group;
+ struct group ext_group_nested;
+ const char *rootgroup_members[] = {
+ "cn=nested_group,"GROUP_BASE_DN,
+ "cn=extgroup,"GROUP_BASE_DN,
+ NULL
+ };
+ const char *nestedgroup_members[] = {
+ "cn=extgroup_nested,"GROUP_BASE_DN,
+ NULL
+ };
+ const char *extgroup_members[] = {
+ "S-1-5-21-3623811015-3361044348-30300820-10001",
+ NULL
+ };
+ const char *extgroup_nested_members[] = {
+ "S-1-5-21-3623811015-3361044348-30300820-10001",
+ "S-1-5-21-3623811015-3361044348-30300820-20001",
+ NULL
+ };
+ const struct sysdb_attrs *nested_group_reply[2] = { NULL };
+ struct ldb_message *msg;
+ struct ldb_message_element *member;
+ const char *sysdb_gr_attrs[] = { SYSDB_MEMBEROF,
+ NULL
+ };
+ TALLOC_CTX *req_mem_ctx = NULL;
+ char *fqdn;
+
+ /* LDAP provider doesn't support external groups by default */
+ test_ctx->sdap_opts->group_map[SDAP_AT_GROUP_MEMBER].name = \
+ discard_const(TEST_EXT_MEMBER);
+ test_ctx->sdap_opts->ext_ctx = test_ctx->ext_ctx;
+
+ rootgroup.gr_name = discard_const("rootgroup");
+ rootgroup.gr_gid = 1000;
+ rootgroup_ldap_attrs = mock_sysdb_group_rfc2307bis(test_ctx,
+ GROUP_BASE_DN,
+ rootgroup.gr_gid,
+ rootgroup.gr_name,
+ rootgroup_members);
+ assert_non_null(rootgroup_ldap_attrs);
+
+ nested_group.gr_name = discard_const("nested_group");
+ nested_group.gr_gid = 1001;
+ nested_group_ldap_attrs = mock_sysdb_group_rfc2307bis(test_ctx,
+ GROUP_BASE_DN,
+ nested_group.gr_gid,
+ nested_group.gr_name,
+ nestedgroup_members);
+ assert_non_null(nested_group_ldap_attrs);
+ nested_group_reply[0] = nested_group_ldap_attrs;
+ will_return(sdap_get_generic_recv, 1);
+ will_return(sdap_get_generic_recv, nested_group_reply);
+ will_return(sdap_get_generic_recv, ERR_OK);
+
+ ext_group.gr_name = discard_const("extgroup");
+ ext_group.gr_gid = 2001;
+ ext_group_ldap_attrs = mock_group_with_ext_members(test_ctx,
+ ext_group.gr_name,
+ ext_group.gr_gid,
+ 
extgroup_members);
+ assert_non_null(ext_group_ldap_attrs);
+
+ ext_group_nested.gr_name = discard_const("extgroup_nested");
+ ext_group_nested.gr_gid = 2002;
+ ext_group_nested_ldap_attrs = mock_group_with_ext_members(test_ctx,
+ ext_group_nested.gr_name,
+ ext_group_nested.gr_gid,
+ extgroup_nested_members);
+ assert_non_null(ext_group_nested_ldap_attrs);
+
+ /* run test, check for memory leaks */
+ req_mem_ctx = talloc_new(global_talloc_context);
+ assert_non_null(req_mem_ctx);
+ check_leaks_push(req_mem_ctx);
+
+ sss_will_return_always(sdap_has_deref_support, false);
+ req = sdap_nested_group_send(test_ctx, test_ctx->tctx->ev,
+ test_ctx->sdap_domain, test_ctx->sdap_opts,
+ test_ctx->sdap_handle, rootgroup_ldap_attrs);
+ assert_non_null(req);
+ tevent_req_set_callback(req, nested_groups_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_true(check_leaks_pop(req_mem_ctx) == true);
+ talloc_zfree(req_mem_ctx);
+ assert_int_equal(ret, ERR_OK);
+
+ /* Save the groups to sysdb so that external membership code can link
+ * external members against this group
+ */
+ ret = nested_group_test_save_group(test_ctx,
+ rootgroup_ldap_attrs,
+ &rootgroup);
+ assert_int_equal(ret, EOK);
+
+ ret = nested_group_test_save_group(test_ctx,
+ ext_group_ldap_attrs,
+ &ext_group);
+ assert_int_equal(ret, EOK);
+
+ ret = nested_group_test_save_group(test_ctx,
+ nested_group_ldap_attrs,
+ &nested_group);
+ assert_int_equal(ret, EOK);
+
+ ret = nested_group_test_save_group(test_ctx,
+ ext_group_nested_ldap_attrs,
+ &ext_group_nested);
+ assert_int_equal(ret, EOK);
+
+ ret = nested_group_test_link_group(test_ctx,
+ rootgroup.gr_name,
+ ext_group.gr_name);
+ assert_int_equal(ret, EOK);
+
+ ret = nested_group_test_link_group(test_ctx,
+ rootgroup.gr_name,
+ nested_group.gr_name);
+ assert_int_equal(ret, EOK);
+
+ ret = nested_group_test_link_group(test_ctx,
+ nested_group.gr_name,
+ ext_group_nested.gr_name);
+ assert_int_equal(ret, EOK);
+
+ /* Resolve external members 
*/
+ req_mem_ctx = talloc_new(global_talloc_context);
+ assert_non_null(req_mem_ctx);
+ check_leaks_push(req_mem_ctx);
+
+ req = sdap_nested_group_lookup_external_send(test_ctx, test_ctx->tctx->ev,
+ test_ctx->tctx->dom,
+ test_ctx->ext_ctx,
+ test_ctx->missing_external);
+ assert_non_null(req);
+ tevent_req_set_callback(req, nested_external_done, test_ctx);
+
+ test_ctx->tctx->done = false;
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_true(check_leaks_pop(req_mem_ctx) == true);
+ talloc_zfree(req_mem_ctx);
+ assert_int_equal(ret, ERR_OK);
+
+ /* Make sure that extuser1001 is a member of rootgroup now */
+ fqdn = sss_create_internal_fqname(test_ctx, "ext_user10001",
+ test_ctx->tctx->dom->name);
+ assert_non_null(fqdn);
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->tctx->dom, fqdn, &res);
+ talloc_zfree(fqdn);
+ assert_int_equal(ret, EOK);
+ assert_sysdb_name_equal(test_ctx, res->msgs[1], rootgroup.gr_name);
+ assert_sysdb_name_equal(test_ctx, res->msgs[2], nested_group.gr_name);
+
+ fqdn = sss_create_internal_fqname(test_ctx, "ext_group20001",
+ test_ctx->tctx->dom->name);
+ assert_non_null(fqdn);
+
+ ret = sysdb_search_group_by_name(test_ctx,
+ test_ctx->tctx->dom,
+ fqdn,
+ sysdb_gr_attrs,
+ &msg);
+ assert_int_equal(ret, EOK);
+ member = ldb_msg_find_element(msg, SYSDB_MEMBEROF);
+ assert_int_equal(member->num_values, 2);
+
+ assert_member_dn(test_ctx,
+ (const char *) member->values[0].data,
+ rootgroup.gr_name);
+ assert_member_dn(test_ctx,
+ (const char *) member->values[1].data,
+ nested_group.gr_name);
+}
+
+static void test_get_enterprise_principal_string_filter(void **state)
+{
+ int ret;
+ char *ep_filter;
+ struct dp_option *no_krb5_realm_opt = default_basic_opts;
+
+ struct dp_option *krb5_realm_opt;
+
+ ret = dp_copy_defaults(NULL, default_basic_opts, SDAP_OPTS_BASIC,
+ &krb5_realm_opt);
+ assert_int_equal(ret, EOK);
+
+ ret = dp_opt_set_string(krb5_realm_opt, SDAP_KRB5_REALM, "TEST.DOM");
+ assert_int_equal(ret, EOK);
+
+ ep_filter = 
get_enterprise_principal_string_filter(NULL, NULL, NULL, NULL);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p@d.c",
+ no_krb5_realm_opt);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p",
+ krb5_realm_opt);
+ assert_null(ep_filter);
+
+ ep_filter = get_enterprise_principal_string_filter(NULL, "aBC", "p@d.c",
+ krb5_realm_opt);
+ assert_non_null(ep_filter);
+ assert_string_equal(ep_filter, "(aBC=p\\\\@d.c@TEST.DOM)");
+ talloc_free(ep_filter);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ new_test(one_group_no_members),
+ new_test(one_group_unique_members),
+ new_test(one_group_dup_users),
+ new_test(one_group_unique_group_members),
+ new_test(one_group_dup_group_members),
+ new_test(nested_chain),
+ new_test(nested_chain_with_error),
+ cmocka_unit_test_setup_teardown(nested_group_external_member_test,
+ nested_group_external_member_setup,
+ nested_group_external_member_teardown),
+ cmocka_unit_test(test_get_enterprise_principal_string_filter),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. 
Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+ return rv;
+}
diff --git a/src/tests/cmocka/test_nss_srv.c b/src/tests/cmocka/test_nss_srv.c
new file mode 100644
index 0000000..1f7de7b
--- /dev/null
+++ b/src/tests/cmocka/test_nss_srv.c 
@@ -0,0 +1,5161 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2013 Red Hat
+
+ SSSD tests: NSS responder tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_resp.h"
+#include "responder/common/negcache.h"
+#include "responder/nss/nss_private.h"
+#include "responder/nss/nss_protocol.h"
+#include "sss_client/idmap/sss_nss_idmap.h"
+#include "util/util_sss_idmap.h"
+#include "util/crypto/sss_crypto.h"
+#include "util/crypto/nss/nss_util.h"
+#include "db/sysdb_private.h" /* new_subdomain() */
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_nss_conf.ldb"
+#define TEST_DOM_NAME "nss_test"
+#define TEST_SUBDOM_NAME "test.subdomain"
+#define TEST_ID_PROVIDER "ldap"
+#define TEST_DOM_SID "S-1-5-21-444379608-1639770488-2995963434"
+
+struct nss_test_ctx {
+ struct sss_test_ctx *tctx;
+ struct sss_domain_info *subdom;
+
+ struct resp_ctx *rctx;
+ struct cli_ctx *cctx;
+ struct sss_cmd_table *nss_cmds;
+ struct nss_ctx *nctx;
+
+ int ncache_hits;
+};
+
+const char *global_extra_attrs[] = {"phone", "mobile", NULL};
+
+struct nss_test_ctx *nss_test_ctx;
+
+/* Mock NSS structure */
+struct nss_ctx *
+mock_nctx(TALLOC_CTX *mem_ctx)
+{
+ struct nss_ctx *nctx;
+ enum idmap_error_code err;
+
+ nctx = talloc_zero(mem_ctx, struct nss_ctx);
+ if (!nctx) {
+ return NULL;
+ }
+
+ nctx->pwfield 
= discard_const("*");
+
+ err = sss_idmap_init(sss_idmap_talloc, nctx, sss_idmap_talloc_free,
+ &nctx->idmap_ctx);
+ if (err != IDMAP_SUCCESS) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "sss_idmap_init failed.\n");
+ talloc_free(nctx);
+ return NULL;
+ }
+
+ return nctx;
+}
+
+/* Mock reading requests from a client. Use values passed from mock
+ * instead
+ */
+void __real_sss_packet_get_body(struct sss_packet *packet,
+ uint8_t **body, size_t *blen);
+
+void __wrap_sss_packet_get_body(struct sss_packet *packet,
+ uint8_t **body, size_t *blen)
+{
+ enum sss_test_wrapper_call wtype = sss_mock_type(enum sss_test_wrapper_call);
+ size_t len;
+
+ if (wtype == WRAP_CALL_REAL) {
+ return __real_sss_packet_get_body(packet, body, blen);
+ }
+
+ *body = sss_mock_ptr_type(uint8_t *);
+ len = sss_mock_type(size_t);
+ if (len == 0) {
+ len = strlen((const char *) *body)+1;
+ }
+ *blen = len;
+ return;
+}
+
+/* Mock returning result to client. Terminate the unit test instead. */
+typedef int (*cmd_cb_fn_t)(uint32_t, uint8_t *, size_t );
+
+static void set_cmd_cb(cmd_cb_fn_t fn)
+{
+ will_return(__wrap_sss_cmd_done, fn);
+}
+
+void __wrap_sss_cmd_done(struct cli_ctx *cctx, void *freectx)
+{
+ struct cli_protocol *pctx;
+ struct sss_packet *packet;
+ uint8_t *body;
+ size_t blen;
+ cmd_cb_fn_t check_cb;
+
+ check_cb = sss_mock_ptr_type(cmd_cb_fn_t);
+
+ if (check_cb == NULL) {
+ nss_test_ctx->tctx->error = ENOENT;
+ } else {
+ pctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol);
+ packet = pctx->creq->out;
+
+ __real_sss_packet_get_body(packet, &body, &blen);
+
+ nss_test_ctx->tctx->error = check_cb(sss_packet_get_status(packet),
+ body, blen);
+ }
+
+ nss_test_ctx->tctx->done = true;
+ talloc_free(freectx);
+}
+
+enum sss_cli_command __wrap_sss_packet_get_cmd(struct sss_packet *packet)
+{
+ return sss_mock_type(enum sss_cli_command);
+}
+
+int __wrap_sss_cmd_send_empty(struct cli_ctx *cctx, TALLOC_CTX *freectx)
+{
+ nss_test_ctx->tctx->done = true;
+ nss_test_ctx->tctx->error = 
ENOENT;
+ return EOK;
+}
+
+/* Intercept negative cache lookups */
+int __real_sss_ncache_check_user(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom, const char *name);
+
+int __wrap_sss_ncache_check_user(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom, const char *name)
+{
+ int ret;
+
+ ret = __real_sss_ncache_check_user(ctx, dom, name);
+ if (ret == EEXIST) {
+ nss_test_ctx->ncache_hits++;
+ }
+ return ret;
+}
+
+int __real_sss_ncache_check_upn(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom, const char *name);
+
+int __wrap_sss_ncache_check_upn(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom, const char *name)
+{
+ int ret;
+
+ ret = __real_sss_ncache_check_upn(ctx, dom, name);
+ if (ret == EEXIST) {
+ nss_test_ctx->ncache_hits++;
+ }
+ return ret;
+}
+
+int __real_sss_ncache_check_uid(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom, uid_t uid);
+
+int __wrap_sss_ncache_check_uid(struct sss_nc_ctx *ctx,
+ struct sss_domain_info *dom, uid_t uid)
+{
+ int ret;
+
+ ret = __real_sss_ncache_check_uid(ctx, dom, uid);
+ if (ret == EEXIST) {
+ nss_test_ctx->ncache_hits++;
+ }
+ return ret;
+}
+
+int __real_sss_ncache_check_sid(struct sss_nc_ctx *ctx, const char *sid);
+
+int __wrap_sss_ncache_check_sid(struct sss_nc_ctx *ctx, const char *sid)
+{
+ int ret;
+
+ ret = __real_sss_ncache_check_sid(ctx, sid);
+ if (ret == EEXIST) {
+ nss_test_ctx->ncache_hits++;
+ }
+ return ret;
+}
+
+int __real_sss_ncache_check_cert(struct sss_nc_ctx *ctx, const char *cert);
+
+int __wrap_sss_ncache_check_cert(struct sss_nc_ctx *ctx, const char *cert)
+{
+ int ret;
+
+ ret = __real_sss_ncache_check_cert(ctx, cert);
+ if (ret == EEXIST) {
+ nss_test_ctx->ncache_hits++;
+ }
+ return ret;
+}
+
+/* Mock input from the client library */
+static void mock_input_user_or_group(const char *input)
+{
+ const char *copy;
+ const char *shortname;
+ const char *domname;
+ char *separator;
+
+ copy = talloc_strdup(nss_test_ctx, input);
+ assert_non_null(copy);
+
+ 
separator = strrchr(copy, '@'); + if (separator == NULL) { + shortname = input; + domname = NULL; + } else { + *separator = '\0'; + shortname = copy; + domname = separator + 1; + } + + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, input); + will_return(__wrap_sss_packet_get_body, 0); + + mock_parse_inp(shortname, domname, EOK); +} + +static void mock_input_user_or_group_ex(bool do_parse_inp, const char *input, + uint32_t flags) +{ + const char *copy; + const char *shortname; + const char *domname; + char *separator; + uint8_t *data; + size_t len; + + len = strlen(input); + len++; + data = talloc_size(nss_test_ctx, len + sizeof(uint32_t)); + assert_non_null(data); + memcpy(data, input, len); + SAFEALIGN_COPY_UINT32(data + len, &flags, NULL); + + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, data); + will_return(__wrap_sss_packet_get_body, len + sizeof(uint32_t)); + + if (do_parse_inp) { + copy = talloc_strdup(nss_test_ctx, input); + assert_non_null(copy); + + separator = strrchr(copy, '@'); + if (separator == NULL) { + shortname = input; + domname = NULL; + } else { + *separator = '\0'; + shortname = copy; + domname = separator + 1; + } + + mock_parse_inp(shortname, domname, EOK); + } +} + +static void mock_input_upn(const char *upn) +{ + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, upn); + will_return(__wrap_sss_packet_get_body, 0); + + mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND); +} + +static void mock_input_sid(const char *sid) +{ + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, sid); + will_return(__wrap_sss_packet_get_body, 0); +} + +static void mock_input_cert(const char *cert) +{ + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, cert); + will_return(__wrap_sss_packet_get_body, 0); 
+}
+
+static void mock_input_id(TALLOC_CTX *mem_ctx, uint32_t id)
+{
+ uint8_t *body;
+
+ body = talloc_zero_array(mem_ctx, uint8_t, 4);
+ if (body == NULL) return;
+
+ SAFEALIGN_SETMEM_UINT32(body, id, NULL);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, body);
+ will_return(__wrap_sss_packet_get_body, sizeof(uint32_t));
+}
+
+static void mock_input_id_ex(TALLOC_CTX *mem_ctx, uint32_t id, uint32_t flags)
+{
+ uint8_t *body;
+
+ body = talloc_zero_array(mem_ctx, uint8_t, 8);
+ if (body == NULL) return;
+
+ SAFEALIGN_SETMEM_UINT32(body, id, NULL);
+ SAFEALIGN_SETMEM_UINT32(body + sizeof(uint32_t), flags, NULL);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, body);
+ will_return(__wrap_sss_packet_get_body, 2 * sizeof(uint32_t));
+}
+
+static void mock_fill_user(void)
+{
+ /* One packet for the entry and one for num entries */
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+}
+
+static void mock_fill_bysid(void)
+{
+ /* One packet for the entry and one for num entries */
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+}
+
+static int parse_user_packet(uint8_t *body, size_t blen, struct passwd *pwd)
+{
+ size_t rp = 2 * sizeof(uint32_t);
+
+ SAFEALIGN_COPY_UINT32(&pwd->pw_uid, body+rp, &rp);
+ SAFEALIGN_COPY_UINT32(&pwd->pw_gid, body+rp, &rp);
+
+ /* Sequence of null terminated strings (name, passwd, gecos, dir, shell) */
+ pwd->pw_name = (char *) body+rp;
+ rp += strlen(pwd->pw_name) + 1;
+ if (rp >= blen) return EINVAL;
+
+ pwd->pw_passwd = (char *) body+rp;
+ rp += strlen(pwd->pw_passwd) + 1;
+ if (rp >= blen) return EINVAL;
+
+ pwd->pw_gecos = (char *) body+rp;
+ rp += strlen(pwd->pw_gecos) + 1;
+ if (rp >= blen) return EINVAL;
+
+ pwd->pw_dir = (char *) body+rp;
+ rp += strlen(pwd->pw_dir) + 1;
+ if (rp >= blen) return EINVAL;
+
+ pwd->pw_shell = (char *) body+rp;
+ rp += strlen(pwd->pw_shell) + 1;
+ if (rp != blen) return EINVAL;
+
+ return EOK;
+}
+
+static int parse_group_packet(uint8_t *body, size_t blen, struct group *gr, uint32_t *nmem)
+{
+ size_t rp = 2 * sizeof(uint32_t); /* Len and reserved */
+ unsigned i;
+
+ SAFEALIGN_COPY_UINT32(&gr->gr_gid, body+rp, &rp);
+ SAFEALIGN_COPY_UINT32(nmem, body+rp, &rp);
+
+ gr->gr_name = (char *) body+rp;
+ rp += strlen(gr->gr_name) + 1;
+ if (rp >= blen) return EINVAL;
+
+ gr->gr_passwd = (char *) body+rp;
+ rp += strlen(gr->gr_passwd) + 1;
+
+ if (*nmem > 0) {
+ gr->gr_mem = talloc_zero_array(nss_test_ctx, char *, *nmem);
+ if (gr->gr_mem == NULL) return ENOMEM;
+
+ for (i = 0; i < *nmem; i++) {
+ if (rp >= blen) return EINVAL;
+
+ gr->gr_mem[i] = talloc_strdup(gr->gr_mem, (char *) body+rp);
+ rp += strlen(gr->gr_mem[i]) + 1;
+ }
+ }
+
+ /* Make sure we exactly matched the end of the packet */
+ if (rp != blen) return EINVAL;
+ return EOK;
+}
+
+static void check_initgr_packet(uint8_t *body, size_t blen,
+ gid_t *gids, size_t num_gids)
+{
+ size_t rp;
+ unsigned i;
+ gid_t cur_gid;
+ uint32_t num_ret;
+
+ rp = 0;
+ SAFEALIGN_COPY_UINT32(&num_ret, body, NULL);
+ assert_int_equal(num_ret, num_gids);
+
+ rp = 2 * sizeof(uint32_t); /* Len and reserved */
+
+ for (i = 0; i < num_gids; i++) {
+ SAFEALIGN_COPY_UINT32(&cur_gid, body + rp, &rp);
+ assert_int_equal(cur_gid, gids[i]);
+ }
+}
+
+static errno_t store_user(struct nss_test_ctx *ctx,
+ struct sss_domain_info *dom,
+ struct passwd *user,
+ struct sysdb_attrs *attrs,
+ time_t cache_update)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ user->pw_name,
+ dom->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ /* Prime the cache with a valid user */
+ ret = sysdb_store_user(dom,
+ fqname,
+ user->pw_passwd,
+ user->pw_uid,
+ user->pw_gid,
+ user->pw_gecos,
+ user->pw_dir,
+ user->pw_shell,
+ NULL, attrs,
+ NULL, 300, cache_update);
+ talloc_free(fqname);
+ return ret;
+}
+
+static errno_t delete_user(struct nss_test_ctx *ctx,
+ struct sss_domain_info *dom,
+ struct passwd *user)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ user->pw_name,
+ dom->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_delete_user(dom, fqname, user->pw_uid);
+
+ talloc_free(fqname);
+ return ret;
+}
+
+static errno_t set_user_attr(struct nss_test_ctx *ctx,
+ struct sss_domain_info *dom,
+ struct passwd *user,
+ struct sysdb_attrs *attrs)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ user->pw_name,
+ dom->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_set_user_attr(nss_test_ctx->tctx->dom,
+ fqname,
+ attrs, SYSDB_MOD_REP);
+ talloc_free(fqname);
+ return ret;
+}
+
+static int get_user(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *shortname,
+ struct ldb_result **_res)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(mem_ctx, shortname,
+ domain->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_getpwnam(mem_ctx, domain, fqname, _res);
+ talloc_free(fqname);
+ return ret;
+}
+
+static void assert_users_equal(struct passwd *a, struct passwd *b)
+{
+ assert_int_equal(a->pw_uid, b->pw_uid);
+ assert_int_equal(a->pw_gid, b->pw_gid);
+ assert_string_equal(a->pw_name, b->pw_name);
+ assert_string_equal(a->pw_shell, b->pw_shell);
+ assert_string_equal(a->pw_passwd, b->pw_passwd);
+}
+
+static errno_t store_group(struct nss_test_ctx *ctx,
+ struct sss_domain_info *dom,
+ struct group *group,
+ struct sysdb_attrs *attrs,
+ time_t cache_update)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ group->gr_name,
+ dom->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_store_group(dom,
+ fqname,
+ group->gr_gid,
+ attrs, 300, 0);
+ talloc_free(fqname);
+ return ret;
+}
+
+static errno_t delete_group(struct nss_test_ctx *ctx,
+ struct sss_domain_info *dom,
+ struct group *group)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ group->gr_name,
+ dom->name);
+
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_delete_group(dom, fqname, group->gr_gid);
+
+ talloc_free(fqname);
+ return ret;
+}
+
+static int cmp_func(const void *a, const void *b)
+{
+ char *str1 = *(char **)discard_const(a);
+ char *str2 = *(char **)discard_const(b);
+
+ return strcmp(str1, str2);
+}
+
+static void order_string_array(char **_list, int size)
+{
+ if (size < 2 || _list == NULL || *_list == NULL) {
+ /* Nothing to do */
+ return;
+ }
+
+ qsort(_list, size, sizeof(char *), cmp_func);
+ return;
+}
+
+static void assert_groups_equal(struct group *expected,
+ struct group *gr, const int nmem)
+{
+ int i;
+
+ assert_int_equal(gr->gr_gid, expected->gr_gid);
+ assert_string_equal(gr->gr_name, expected->gr_name);
+ assert_string_equal(gr->gr_passwd, expected->gr_passwd);
+
+ order_string_array(gr->gr_mem, nmem);
+ order_string_array(expected->gr_mem, nmem);
+
+ for (i = 0; i < nmem; i++) {
+ assert_string_equal(gr->gr_mem[i], expected->gr_mem[i]);
+ }
+}
+
+static errno_t store_group_member(struct nss_test_ctx *ctx,
+ const char *shortname_group,
+ struct sss_domain_info *group_dom,
+ const char *shortname_member,
+ struct sss_domain_info *member_dom,
+ enum sysdb_member_type type)
+{
+ errno_t ret;
+ char *group_fqname = NULL;
+ char *member_fqname = NULL;
+
+ group_fqname = sss_create_internal_fqname(ctx,
+ shortname_group,
+ group_dom->name);
+ if (group_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ member_fqname = sss_create_internal_fqname(ctx,
+ shortname_member,
+ member_dom->name);
+ if (member_fqname == NULL) {
+ talloc_free(group_fqname);
+ return ENOMEM;
+ }
+
+ ret = sysdb_add_group_member(group_dom,
+ group_fqname,
+ member_fqname,
+ SYSDB_MEMBER_USER, false);
+ talloc_free(group_fqname);
+ talloc_free(member_fqname);
+ return ret;
+}
+
+static errno_t remove_group_member(struct nss_test_ctx *ctx,
+ const char *shortname_group,
+ struct sss_domain_info *group_dom,
+ const char *shortname_member,
+ struct sss_domain_info *member_dom,
+ enum sysdb_member_type type)
+{
+ errno_t ret;
+ char *group_fqname = NULL;
+ char *member_fqname = NULL;
+
+ group_fqname = sss_create_internal_fqname(ctx,
+ shortname_group,
+ group_dom->name);
+ if (group_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ member_fqname = sss_create_internal_fqname(ctx,
+ shortname_member,
+ member_dom->name);
+ if (member_fqname == NULL) {
+ talloc_free(group_fqname);
+ return ENOMEM;
+ }
+
+ ret = sysdb_remove_group_member(group_dom,
+ group_fqname,
+ member_fqname,
+ type,
+ false);
+
+ talloc_free(group_fqname);
+ talloc_free(member_fqname);
+ return ret;
+}
+
+/* ====================== The tests =============================== */
+struct passwd getpwnam_usr = {
+ .pw_name = discard_const("testuser"),
+ .pw_uid = 123,
+ .pw_gid = 456,
+ .pw_dir = discard_const("/home/testuser"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+/* Check getting cached and valid user from cache. Account callback will
+ * not be called and test_nss_getpwnam_check will make sure the user is
+ * the same as the test entered before starting
+ */
+static int test_nss_getpwnam_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_users_equal(&pwd, &getpwnam_usr);
+ return EOK;
+}
+
+void test_nss_getpwnam(void **state)
+{
+ errno_t ret;
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &getpwnam_usr, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testuser");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwnam_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Test that searching for a nonexistent user yields ENOENT.
+ * Account callback will be called
+ */
+void test_nss_getpwnam_neg(void **state)
+{
+ errno_t ret;
+
+ mock_input_user_or_group("testuser_neg");
+ mock_account_recv_simple();
+
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ /* Test that subsequent search for a nonexistent user yields
+ * ENOENT and Account callback is not called, on the other hand
+ * the ncache functions will be called
+ */
+ nss_test_ctx->tctx->done = false;
+
+ mock_input_user_or_group("testuser_neg");
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ /* Negative cache was hit this time */
+ assert_int_equal(nss_test_ctx->ncache_hits, 1);
+}
+
+struct passwd getpwnam_search_usr = {
+ .pw_name = discard_const("testuser_search"),
+ .pw_uid = 567,
+ .pw_gid = 890,
+ .pw_dir = discard_const("/home/testuser_search"),
+ .pw_gecos = discard_const("test search user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwnam_search_acct_cb(void *pvt)
+{
+ struct nss_test_ctx *ctx = talloc_get_type(pvt, struct nss_test_ctx);
+
+ return store_user(ctx, ctx->tctx->dom, &getpwnam_search_usr, NULL, 0);
+}
+
+static int test_nss_getpwnam_search_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_users_equal(&pwd, &getpwnam_search_usr);
+ return EOK;
+}
+
+void test_nss_getpwnam_search(void **state)
+{
+ errno_t ret;
+ struct ldb_result *res;
+
+ mock_input_user_or_group("testuser_search");
+ mock_account_recv(0, 0, NULL, test_nss_getpwnam_search_acct_cb, nss_test_ctx);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+ set_cmd_cb(test_nss_getpwnam_search_check);
+
+ ret = get_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ "testuser_search", &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 0);
+
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+
+ /* test_nss_getpwnam_search_check will check the user attributes */
+ ret = get_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ "testuser_search", &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+}
+
+/* Test that searching for a user that is expired in the cache goes to the DP
+ * which updates the record and the NSS responder returns the updated record
+ *
+ * The user's shell attribute is updated.
+ */
+
+struct passwd getpwnam_update = {
+ .pw_name = discard_const("testuser_update"),
+ .pw_uid = 10,
+ .pw_gid = 11,
+ .pw_dir = discard_const("/home/testuser"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwnam_update_acct_cb(void *pvt)
+{
+ struct nss_test_ctx *ctx = talloc_get_type(pvt, struct nss_test_ctx);
+
+ getpwnam_update.pw_shell = discard_const("/bin/ksh");
+ return store_user(ctx, ctx->tctx->dom, &getpwnam_update, NULL, 0);
+}
+
+static int test_nss_getpwnam_update_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_users_equal(&pwd, &getpwnam_update);
+ return EOK;
+}
+
+void test_nss_getpwnam_update(void **state)
+{
+ errno_t ret;
+ struct ldb_result *res;
+ const char *shell;
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &getpwnam_update, NULL, 1);
+ assert_int_equal(ret, EOK);
+
+ /* Mock client input */
+ mock_input_user_or_group("testuser_update");
+ /* Mock client command */
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ /* Call this function when user is updated by the mock DP request */
+ mock_account_recv(0, 0, NULL, test_nss_getpwnam_update_acct_cb, nss_test_ctx);
+ /* Call this function to check what the responder returned to the client */
+ set_cmd_cb(test_nss_getpwnam_update_check);
+ /* Mock output buffer */
+ mock_fill_user();
+
+ /* Fire the command */
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+
+ /* Check the user was updated in the cache */
+ ret = get_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ "testuser_update" , &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+
+ shell = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, NULL);
+ assert_string_equal(shell, "/bin/ksh");
+}
+
+/* Check that a FQDN is returned if the domain is FQDN-only and a
+ * FQDN is requested
+ */
+struct passwd getpwnam_fqdn = {
+ .pw_name = discard_const("testuser_fqdn"),
+ .pw_uid = 124,
+ .pw_gid = 457,
+ .pw_dir = discard_const("/home/testuser"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwnam_check_fqdn(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ nss_test_ctx->cctx->rctx->domains[0].fqnames = false;
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ getpwnam_fqdn.pw_name = discard_const("testuser_fqdn@"TEST_DOM_NAME);
+ assert_users_equal(&pwd, &getpwnam_fqdn);
+ return EOK;
+}
+
+void test_nss_getpwnam_fqdn(void **state)
+{
+ errno_t ret;
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &getpwnam_fqdn, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testuser_fqdn@"TEST_DOM_NAME);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwnam_check_fqdn);
+ nss_test_ctx->cctx->rctx->domains[0].fqnames = true;
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Check that a user with a space in his username is returned fine.
+ */
+struct passwd getpwnam_space = {
+ .pw_name = discard_const("space user"),
+ .pw_uid = 225,
+ .pw_gid = 558,
+ .pw_dir = discard_const("/home/testuser"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwnam_check_space(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_users_equal(&pwd, &getpwnam_space);
+ return EOK;
+}
+
+void test_nss_getpwnam_space(void **state)
+{
+ errno_t ret;
+
+ /* Prime the cache with a valid user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &getpwnam_space, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("space user");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwnam_check_space);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+
+}
+
+static int test_nss_getpwnam_check_space_sub(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(pwd.pw_uid, 225);
+ assert_int_equal(pwd.pw_gid, 558);
+ assert_string_equal(pwd.pw_name, "space_user");
+ assert_string_equal(pwd.pw_shell, "/bin/sh");
+ return EOK;
+}
+
+void test_nss_getpwnam_space_sub(void **state)
+{
+ errno_t ret;
+
+ /* Set whitespace substitution */
+ nss_test_ctx->rctx->override_space = '_';
+
+ mock_input_user_or_group("space user");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwnam_check_space_sub);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ nss_test_ctx->rctx->override_space = '\0';
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_getpwnam_space_sub_query(void **state)
+{
+ errno_t ret;
+
+ /* Set whitespace substitution */
+ nss_test_ctx->rctx->override_space = '_';
+
+ mock_input_user_or_group("space_user");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwnam_check_space_sub);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ nss_test_ctx->rctx->override_space = '\0';
+ assert_int_equal(ret, EOK);
+}
+
+/*
+ * Check that FQDN processing is able to handle arbitrarily sized
+ * delimiter
+ */
+struct passwd getpwnam_fancy_fqdn = {
+ .pw_name = discard_const("testuser_fqdn_fancy"),
+ .pw_uid = 125,
+ .pw_gid = 458,
+ .pw_dir = discard_const("/home/testuser"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwnam_check_fancy_fqdn(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ nss_test_ctx->cctx->rctx->domains[0].fqnames = false;
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(pwd.pw_uid, 125);
+ assert_int_equal(pwd.pw_gid, 458);
+ assert_string_equal(pwd.pw_name, "testuser_fqdn_fancy@@@@@"TEST_DOM_NAME);
+ assert_string_equal(pwd.pw_shell, "/bin/sh");
+ return EOK;
+}
+
+void test_nss_getpwnam_fqdn_fancy(void **state)
+{
+ errno_t ret;
+
+ /* Prime the cache with a valid user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &getpwnam_fancy_fqdn, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testuser_fqdn_fancy@"TEST_DOM_NAME);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwnam_check_fancy_fqdn);
+ nss_test_ctx->cctx->rctx->domains[0].fqnames = true;
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Check getting cached and valid id from cache. Account callback will
+ * not be called and test_nss_getpwuid_check will make sure the id is
+ * the same as the test entered before starting
+ */
+struct passwd getpwuid_usr = {
+ .pw_name = discard_const("testuser1"),
+ .pw_uid = 101,
+ .pw_gid = 401,
+ .pw_dir = discard_const("/home/testuser1"),
+ .pw_gecos = discard_const("test user1"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwuid_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_users_equal(&pwd, &getpwuid_usr);
+ return EOK;
+}
+
+void test_nss_getpwuid(void **state)
+{
+ errno_t ret;
+ uint32_t id = 101;
+
+ /* Prime the cache with a valid user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &getpwuid_usr, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_id(nss_test_ctx, id);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID);
+ mock_fill_user();
+
+ /* Query for that id, call a callback when command finishes */
+ set_cmd_cb(test_nss_getpwuid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Test that searching for a nonexistent id yields ENOENT.
+ * Account callback will be called
+ */
+void test_nss_getpwuid_neg(void **state)
+{
+ errno_t ret;
+ uid_t uid_neg = 102;
+
+ mock_input_id(nss_test_ctx, uid_neg);
+ mock_account_recv_simple();
+
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ /* Test that subsequent search for a nonexistent id yields
+ * ENOENT and Account callback is not called, on the other hand
+ * the ncache functions will be called
+ */
+ nss_test_ctx->tctx->done = false;
+
+ mock_input_id(nss_test_ctx, uid_neg);
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ /* Negative cache was hit this time */
+ assert_int_equal(nss_test_ctx->ncache_hits, 1);
+}
+
+/* Test that lookup by UID for a user that does
+ * not exist in the cache fetches the user from DP
+ */
+struct passwd getpwuid_srch = {
+ .pw_name = discard_const("exampleuser_search"),
+ .pw_uid = 107,
+ .pw_gid = 987,
+ .pw_dir = discard_const("/home/examplesearch"),
+ .pw_gecos = discard_const("example search"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getpwuid_search_acct_cb(void *pvt)
+{
+ struct nss_test_ctx *ctx = talloc_get_type(pvt, struct nss_test_ctx);
+
+ return store_user(ctx, ctx->tctx->dom, &getpwuid_srch, NULL, 0);
+}
+
+static int test_nss_getpwuid_search_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ struct passwd pwd;
+ errno_t ret;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_user_packet(body, blen, &pwd);
+ assert_int_equal(ret, EOK);
+
+ assert_users_equal(&pwd, &getpwuid_srch);
+ return EOK;
+}
+
+void test_nss_getpwuid_search(void **state)
+{
+ errno_t ret;
+ struct ldb_result *res;
+
+ mock_input_id(nss_test_ctx, getpwuid_srch.pw_uid);
+ mock_account_recv(0, 0, NULL, test_nss_getpwuid_search_acct_cb, nss_test_ctx);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID);
+ mock_fill_user();
+ set_cmd_cb(test_nss_getpwuid_search_check);
+
+ ret = sysdb_getpwuid(nss_test_ctx, nss_test_ctx->tctx->dom,
+ getpwuid_srch.pw_uid, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 0);
+
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+
+ /* test_nss_getpwuid_search_check will check the id attributes */
+ ret = sysdb_getpwuid(nss_test_ctx, nss_test_ctx->tctx->dom,
+ getpwuid_srch.pw_uid, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+}
+
+/* Test that searching for an id that is expired in the cache goes to the DP
+ * which updates the record and the NSS responder returns the updated record
+ *
+ * The user's shell attribute is updated.
+ */ +struct passwd getpwuid_update = { + .pw_name = discard_const("exampleuser_update"), + .pw_uid = 109, + .pw_gid = 11000, + .pw_dir = discard_const("/home/exampleuser"), + .pw_gecos = discard_const("example user"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +static int test_nss_getpwuid_update_acct_cb(void *pvt) +{ + struct nss_test_ctx *ctx = talloc_get_type(pvt, struct nss_test_ctx); + + getpwuid_update.pw_shell = discard_const("/bin/ksh"); + return store_user(ctx, ctx->tctx->dom, &getpwuid_update, NULL, 0); +} + +static int test_nss_getpwuid_update_check(uint32_t status, + uint8_t *body, size_t blen) +{ + struct passwd pwd; + errno_t ret; + + assert_int_equal(status, EOK); + + ret = parse_user_packet(body, blen, &pwd); + assert_int_equal(ret, EOK); + + assert_users_equal(&pwd, &getpwuid_update); + return EOK; +} + +void test_nss_getpwuid_update(void **state) +{ + errno_t ret; + struct ldb_result *res; + const char *shell; + + /* Prime the cache with a valid but expired user */ + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &getpwuid_update, NULL, 1); + assert_int_equal(ret, EOK); + + /* Mock client input */ + mock_input_id(nss_test_ctx, getpwuid_update.pw_uid); + /* Mock client command */ + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID); + /* Call this function when id is updated by the mock DP request */ + mock_account_recv(0, 0, NULL, test_nss_getpwuid_update_acct_cb, nss_test_ctx); + /* Call this function to check what the responder returned to the client */ + set_cmd_cb(test_nss_getpwuid_update_check); + /* Mock output buffer */ + mock_fill_user(); + + /* Fire the command */ + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + + /* Check the user was updated in the cache */ + ret = sysdb_getpwuid(nss_test_ctx, 
nss_test_ctx->tctx->dom, + getpwuid_update.pw_uid, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + + shell = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, NULL); + assert_string_equal(shell, "/bin/ksh"); +} + +/* Testsuite setup and teardown */ +void test_nss_setup(struct sss_test_conf_param params[], + void **state) +{ + errno_t ret; + + nss_test_ctx = talloc_zero(NULL, struct nss_test_ctx); + assert_non_null(nss_test_ctx); + + nss_test_ctx->tctx = create_dom_test_ctx(nss_test_ctx, TESTS_PATH, + TEST_CONF_DB, TEST_DOM_NAME, + TEST_ID_PROVIDER, params); + assert_non_null(nss_test_ctx->tctx); + + nss_test_ctx->tctx->dom->domain_id = discard_const(TEST_DOM_SID); + + nss_test_ctx->nss_cmds = get_nss_cmds(); + assert_non_null(nss_test_ctx->nss_cmds); + + /* FIXME - perhaps this should be folded into sssd_domain_init or strictly + * used together + */ + ret = sss_names_init(nss_test_ctx, nss_test_ctx->tctx->confdb, + TEST_DOM_NAME, &nss_test_ctx->tctx->dom->names); + assert_int_equal(ret, EOK); + + /* Initialize the NSS responder */ + nss_test_ctx->nctx = mock_nctx(nss_test_ctx); + assert_non_null(nss_test_ctx->nctx); + + nss_test_ctx->rctx = mock_rctx(nss_test_ctx, nss_test_ctx->tctx->ev, + nss_test_ctx->tctx->dom, nss_test_ctx->nctx); + assert_non_null(nss_test_ctx->rctx); + nss_test_ctx->rctx->cdb = nss_test_ctx->tctx->confdb; + nss_test_ctx->nctx->rctx = nss_test_ctx->rctx; + + ret = sss_ad_default_names_ctx(nss_test_ctx->nctx, + &nss_test_ctx->nctx->rctx->global_names); + assert_int_equal(ret, EOK); + assert_non_null(nss_test_ctx->nctx->rctx->global_names); + + /* Create client context */ + nss_test_ctx->cctx = mock_cctx(nss_test_ctx, nss_test_ctx->rctx); + assert_non_null(nss_test_ctx->cctx); + + /* Add nss specific state_ctx */ + nss_connection_setup(nss_test_ctx->cctx); + assert_non_null(nss_test_ctx->cctx->state_ctx); + + /* do after previous setup as the former nulls protocol_ctx */ + nss_test_ctx->cctx->protocol_ctx = 
mock_prctx(nss_test_ctx->cctx); + assert_non_null(nss_test_ctx->cctx->protocol_ctx); +} + +struct group getgrnam_no_members = { + .gr_gid = 1123, + .gr_name = discard_const("testgroup"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +static int test_nss_getgrnam_no_members_check(uint32_t status, + uint8_t *body, size_t blen) +{ + int ret; + uint32_t nmem; + struct group gr; + + assert_int_equal(status, EOK); + + ret = parse_group_packet(body, blen, &gr, &nmem); + assert_int_equal(ret, EOK); + assert_int_equal(nmem, 0); + + assert_groups_equal(&getgrnam_no_members, &gr, nmem); + return EOK; +} + +/* Test that requesting a valid, cached group with no members returns a valid + * group structure + */ +void test_nss_getgrnam_no_members(void **state) +{ + errno_t ret; + + /* Prime the cache with a valid group */ + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &getgrnam_no_members, NULL, 0); + assert_int_equal(ret, EOK); + + mock_input_user_or_group(getgrnam_no_members.gr_name); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM); + will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + /* Query for that group, call a callback when command finishes */ + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +struct passwd testmember1 = { + .pw_name = discard_const("testmember1"), + .pw_uid = 2001, + .pw_gid = 456, + .pw_dir = discard_const("/home/testmember1"), + .pw_gecos = discard_const("test member1"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +struct passwd testmember2 = { + .pw_name = discard_const("testmember2"), + .pw_uid = 2002, + .pw_gid = 456, + .pw_dir = discard_const("/home/testmember2"), + .pw_gecos = discard_const("test member2"), + .pw_shell 
= discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+struct group testgroup_members = {
+ .gr_gid = 1124,
+ .gr_name = discard_const("testgroup_members"),
+ .gr_passwd = discard_const("*"),
+ .gr_mem = NULL,
+};
+
+static int test_nss_getgrnam_members_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+ const char *exp_members[] = { testmember1.pw_name,
+ testmember2.pw_name };
+ struct group expected = {
+ .gr_gid = testgroup_members.gr_gid,
+ .gr_name = testgroup_members.gr_name,
+ .gr_passwd = testgroup_members.gr_passwd,
+ .gr_mem = discard_const(exp_members)
+ };
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 2);
+
+ assert_groups_equal(&expected, &gr, nmem);
+ return EOK;
+}
+
+/* Test that requesting a valid, cached group with some members returns a valid
+ * group structure with those members present
+ */
+void test_nss_getgrnam_members(void **state)
+{
+ errno_t ret;
+
+ ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testgroup_members, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testmember1, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testmember2, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_group_member(nss_test_ctx,
+ testgroup_members.gr_name,
+ nss_test_ctx->tctx->dom,
+ testmember1.pw_name,
+ nss_test_ctx->tctx->dom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ ret = store_group_member(nss_test_ctx,
+ testgroup_members.gr_name,
+ nss_test_ctx->tctx->dom,
+ testmember2.pw_name,
+ nss_test_ctx->tctx->dom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testgroup_members");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /*
Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_members_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getgrnam_members_check_fqdn(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+ const char *exp_members[2];
+ struct group expected = {
+ .gr_gid = testgroup_members.gr_gid,
+ .gr_passwd = testgroup_members.gr_passwd,
+ .gr_mem = discard_const(exp_members)
+ };
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(nss_test_ctx);
+ assert_non_null(tmp_ctx);
+
+ exp_members[0] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom, testmember1.pw_name);
+ assert_non_null(exp_members[0]);
+ exp_members[1] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom, testmember2.pw_name);
+ assert_non_null(exp_members[1]);
+
+ expected.gr_name = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom,
+ testgroup_members.gr_name);
+ assert_non_null(expected.gr_name);
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 2);
+
+ assert_groups_equal(&expected, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ return EOK;
+}
+
+/* Test that requesting a valid, cached group with some members returns a valid
+ * group structure with those members present as fully qualified names
+ */
+void test_nss_getgrnam_members_fqdn(void **state)
+{
+ errno_t ret;
+
+ nss_test_ctx->tctx->dom->fqnames = true;
+
+ mock_input_user_or_group("testgroup_members@"TEST_DOM_NAME);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_members_check_fqdn);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+
+ /* Restore FQDN settings */
+ nss_test_ctx->tctx->dom->fqnames = false;
+ assert_int_equal(ret, EOK);
+}
+
+/* Test that requesting a valid, cached group with subdomain members returns
+ * a valid * group structure with those members present as fully
+ * qualified names
+ */
+struct passwd submember1 = {
+ .pw_name = discard_const("submember1"),
+ .pw_uid = 4001,
+ .pw_gid = 456,
+ .pw_dir = discard_const("/home/submember1"),
+ .pw_gecos = discard_const("sub member1"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+struct passwd submember2 = {
+ .pw_name = discard_const("submember2"),
+ .pw_uid = 4002,
+ .pw_gid = 456,
+ .pw_dir = discard_const("/home/submember2"),
+ .pw_gecos = discard_const("sub member2"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+struct group testsubdomgroup = {
+ .gr_gid = 2002,
+ .gr_name = discard_const("testsubdomgroup"),
+ .gr_passwd = discard_const("*"),
+ .gr_mem = NULL,
+};
+
+static int test_nss_getgrnam_members_check_subdom(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+ const char *exp_members[2];
+ struct group expected = {
+ .gr_gid = testsubdomgroup.gr_gid,
+ .gr_passwd = testsubdomgroup.gr_passwd,
+ .gr_mem = discard_const(exp_members)
+ };
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(nss_test_ctx);
+ assert_non_null(tmp_ctx);
+
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ submember1.pw_name);
+ assert_non_null(exp_members[0]);
+
+ exp_members[1] = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+
nss_test_ctx->subdom,
+ submember2.pw_name);
+ assert_non_null(exp_members[1]);
+
+ expected.gr_name = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ testsubdomgroup.gr_name);
+ assert_non_null(expected.gr_name);
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 2);
+
+ assert_groups_equal(&expected, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ return EOK;
+}
+
+void test_nss_getgrnam_members_subdom(void **state)
+{
+ errno_t ret;
+
+ mock_input_user_or_group("testsubdomgroup@"TEST_SUBDOM_NAME);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_members_check_subdom);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_getgrnam_members_subdom_nonfqnames(void **state)
+{
+ errno_t ret;
+
+ mock_input_user_or_group("testsubdomgroup");
+ mock_account_recv_simple();
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_members_check_subdom);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getgrnam_check_mix_dom(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+ const char *exp_members[3];
+ struct group
expected = {
+ .gr_name = testgroup_members.gr_name,
+ .gr_gid = testgroup_members.gr_gid,
+ .gr_passwd = testgroup_members.gr_passwd,
+ .gr_mem = discard_const(exp_members)
+ };
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(nss_test_ctx);
+ assert_non_null(tmp_ctx);
+
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ submember1.pw_name);
+ assert_non_null(exp_members[0]);
+ exp_members[1] = testmember1.pw_name;
+ exp_members[2] = testmember2.pw_name;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 3);
+
+ assert_groups_equal(&expected, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ return EOK;
+}
+
+void test_nss_getgrnam_mix_dom(void **state)
+{
+ errno_t ret;
+
+ ret = store_group_member(nss_test_ctx,
+ testgroup_members.gr_name,
+ nss_test_ctx->tctx->dom,
+ submember1.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testgroup_members");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_check_mix_dom);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_getgrnam_mix_dom_nonfqnames(void **state)
+{
+ errno_t ret;
+
+ ret = store_group_member(nss_test_ctx,
+ testgroup_members.gr_name,
+ nss_test_ctx->tctx->dom,
+ submember1.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testgroup_members");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+
will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_check_mix_dom);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getgrnam_check_mix_dom_fqdn(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+ const char *exp_members[3];
+ struct group expected = {
+ .gr_gid = testgroup_members.gr_gid,
+ .gr_passwd = testgroup_members.gr_passwd,
+ .gr_mem = discard_const(exp_members)
+ };
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(nss_test_ctx);
+ assert_non_null(tmp_ctx);
+
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ submember1.pw_name);
+ assert_non_null(exp_members[0]);
+
+ if (nss_test_ctx->tctx->dom->fqnames) {
+ exp_members[1] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom, testmember1.pw_name);
+ assert_non_null(exp_members[1]);
+ exp_members[2] = sss_tc_fqname(tmp_ctx, nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom, testmember2.pw_name);
+ assert_non_null(exp_members[2]);
+
+ expected.gr_name = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->tctx->dom->names,
+ nss_test_ctx->tctx->dom,
+ testgroup_members.gr_name);
+ assert_non_null(expected.gr_name);
+ } else {
+ exp_members[1] = testmember1.pw_name;
+ exp_members[2] = testmember2.pw_name;
+ expected.gr_name = testgroup_members.gr_name;
+ }
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 3);
+
+ assert_groups_equal(&expected, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ return EOK;
+}
+
+void test_nss_getgrnam_mix_dom_fqdn(void
**state)
+{
+ errno_t ret;
+
+ ret = store_group_member(nss_test_ctx,
+ testgroup_members.gr_name,
+ nss_test_ctx->tctx->dom,
+ submember1.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ nss_test_ctx->tctx->dom->fqnames = true;
+
+ mock_input_user_or_group("testgroup_members@"TEST_DOM_NAME);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_check_mix_dom_fqdn);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+
+ /* Restore FQDN settings */
+ nss_test_ctx->tctx->dom->fqnames = false;
+ assert_int_equal(ret, EOK);
+}
+
+
+void test_nss_getgrnam_mix_dom_fqdn_nonfqnames(void **state)
+{
+ errno_t ret;
+
+ ret = store_group_member(nss_test_ctx,
+ testgroup_members.gr_name,
+ nss_test_ctx->tctx->dom,
+ submember1.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testgroup_members");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_check_mix_dom_fqdn);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+
+ /* Restore FQDN settings */
+ nss_test_ctx->tctx->dom->fqnames = false;
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getgrnam_check_mix_subdom(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+ const char *exp_members[3];
+ struct group expected =
{
+ .gr_gid = testsubdomgroup.gr_gid,
+ .gr_passwd = testsubdomgroup.gr_passwd,
+ .gr_mem = discard_const(exp_members)
+ };
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(nss_test_ctx);
+ assert_non_null(tmp_ctx);
+
+ exp_members[0] = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ submember1.pw_name);
+ assert_non_null(exp_members[0]);
+
+ exp_members[1] = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ submember2.pw_name);
+ assert_non_null(exp_members[1]);
+
+ /* Important: this member is from a non-qualified domain, so his name will
+ * not be qualified either
+ */
+ exp_members[2] = testmember1.pw_name;
+
+ expected.gr_name = sss_tc_fqname(tmp_ctx,
+ nss_test_ctx->subdom->names,
+ nss_test_ctx->subdom,
+ testsubdomgroup.gr_name);
+ assert_non_null(expected.gr_name);
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 3);
+
+ assert_groups_equal(&expected, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(tmp_ctx);
+ return EOK;
+}
+
+void test_nss_getgrnam_mix_subdom(void **state)
+{
+ errno_t ret;
+
+ ret = store_group_member(nss_test_ctx,
+ testsubdomgroup.gr_name,
+ nss_test_ctx->subdom,
+ testmember1.pw_name,
+ nss_test_ctx->tctx->dom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testsubdomgroup@"TEST_SUBDOM_NAME);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_check_mix_subdom);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_getgrnam_mix_subdom_nonfqnames(void **state)
+{
+ errno_t ret;
+
+ ret = store_group_member(nss_test_ctx,
+ testsubdomgroup.gr_name,
+ nss_test_ctx->subdom,
+ testmember1.pw_name,
+ nss_test_ctx->tctx->dom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testsubdomgroup");
+ mock_account_recv_simple();
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_check_mix_subdom);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+struct group space_group = {
+ .gr_gid = 2123,
+ .gr_name = discard_const("space group"),
+ .gr_passwd = discard_const("*"),
+ .gr_mem = NULL,
+};
+
+static int test_nss_getgrnam_space_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 0);
+
+ assert_groups_equal(&space_group, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ return EOK;
+}
+
+/* Test that requesting a valid, cached group with space in its name returns a valid
+ * group structure
+ */
+void test_nss_getgrnam_space(void **state)
+{
+ errno_t ret;
+
+ /* Prime the cache with a valid group */
+ ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &space_group, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("space group");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_space_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getgrnam_space_sub_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ int ret;
+ uint32_t nmem;
+ struct group gr;
+
+ assert_int_equal(status, EOK);
+
+ ret = parse_group_packet(body, blen, &gr, &nmem);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(nmem, 0);
+
+ space_group.gr_name = discard_const("space_group");
+ assert_groups_equal(&space_group, &gr, nmem);
+ assert_int_equal(ret, EOK);
+
+ return EOK;
+}
+
+/* Test that requesting a valid, cached group with space in its name returns a valid
+ * group structure
+ */
+void test_nss_getgrnam_space_sub(void **state)
+{
+ errno_t ret;
+
+ /* Set whitespace substitution */
+ nss_test_ctx->rctx->override_space = '_';
+
+ mock_input_user_or_group("space group");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that group, call a callback when command finishes */
+ set_cmd_cb(test_nss_getgrnam_space_sub_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ nss_test_ctx->rctx->override_space = '\0';
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_well_known_sid_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ const char *name;
+ enum sss_id_type type;
+ size_t rp = 2 * sizeof(uint32_t);
+ char *expected_result = sss_mock_ptr_type(char *);
+
+ if (expected_result == NULL) {
+ assert_int_equal(status, EINVAL);
+ assert_int_equal(blen, 0);
+ } else {
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&type, body+rp, &rp);
+
+ name = (char *) body+rp;
+
+ assert_int_equal(type, SSS_ID_TYPE_GID);
+ assert_string_equal(name,
expected_result);
+ }
+
+ return EOK;
+}
+
+void test_nss_well_known_getnamebysid(void **state)
+{
+ errno_t ret;
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, "S-1-5-32-550");
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETNAMEBYSID);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "Print Operators@BUILTIN");
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_well_known_getnamebysid_special(void **state)
+{
+ errno_t ret;
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, "S-1-2-0");
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETNAMEBYSID);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "LOCAL@LOCAL AUTHORITY");
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_well_known_getnamebysid_non_existing(void **state)
+{
+ errno_t ret;
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, "S-1-5-32-123");
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETNAMEBYSID);
+ will_return(test_nss_well_known_sid_check, NULL);
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+
nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_well_known_getidbysid_failure(void **state)
+{
+ errno_t ret;
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, "S-1-5-32-550");
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return_always(__wrap_sss_packet_get_cmd, SSS_NSS_GETIDBYSID);
+ will_return(test_nss_well_known_sid_check, NULL);
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETIDBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_well_known_getsidbyname(void **state)
+{
+ errno_t ret;
+ const char *names[] = { "Cryptographic Operators@BUILTIN",
+ "BUILTIN\\Cryptographic Operators", NULL};
+ size_t c;
+
+ for (c = 0; names[c] != NULL; c++) {
+ nss_test_ctx->tctx->done = false;
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "S-1-5-32-569");
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
+}
+
+void test_nss_well_known_getsidbyname_nonexisting(void **state)
+{
+ errno_t ret;
+ const char *names[] = { "Abc@BUILTIN", "BUILTIN\\Abc", NULL };
+ size_t c;
+
+ for (c = 0; names[c] != NULL; c++) {
+ nss_test_ctx->tctx->done = false;
+
+
will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(test_nss_well_known_sid_check, NULL);
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
+}
+
+void test_nss_well_known_getsidbyname_special(void **state)
+{
+ errno_t ret;
+ const char *names[] = { "CREATOR OWNER@CREATOR AUTHORITY",
+ "CREATOR AUTHORITY\\CREATOR OWNER", NULL };
+ size_t c;
+
+ for (c = 0; names[c] != NULL; c++) {
+ nss_test_ctx->tctx->done = false;
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, names[c]);
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ will_return(test_nss_well_known_sid_check, "S-1-3-0");
+
+ set_cmd_cb(test_nss_well_known_sid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ }
+}
+
+static int test_nss_getorigbyname_check(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ const char *s;
+ enum sss_id_type id_type;
+ size_t rp = 2 * sizeof(uint32_t);
+
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body+rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ /* Sequence of null terminated strings */
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_SID_STR);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+
assert_string_equal(s, "S-1-2-3-4");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, ORIGINALAD_PREFIX SYSDB_NAME);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "orig_name");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, ORIGINALAD_PREFIX SYSDB_UIDNUM);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "1234");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_UPN);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "testuserorig@upndomain.test");
+ rp += strlen(s) + 1;
+ assert_int_equal(rp, blen);
+
+ return EOK;
+}
+
+struct passwd orig_name = {
+ .pw_name = discard_const("testuserorig"),
+ .pw_uid = 1234,
+ .pw_gid = 5678,
+ .pw_dir = discard_const("/home/testuserorig"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+void test_nss_getorigbyname(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ const char *test_upn = "testuserorig@upndomain.test";
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, "S-1-2-3-4");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, ORIGINALAD_PREFIX SYSDB_NAME,
+ "orig_name");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_uint32(attrs, ORIGINALAD_PREFIX SYSDB_UIDNUM, 1234);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, test_upn);
+ assert_int_equal(ret, EOK);
+
+ /* Prime the cache with a valid user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &orig_name, attrs, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testuserorig");
+ will_return(__wrap_sss_packet_get_cmd,
SSS_NSS_GETORIGBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getorigbyname_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETORIGBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+
+ /* Also test looking up the same stuff with UPN */
+ nss_test_ctx->tctx->done = false;
+
+ mock_input_upn(test_upn);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETORIGBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_getorigbyname_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETORIGBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getorigbyname_extra_check(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ const char *s;
+ enum sss_id_type id_type;
+ size_t rp = 2 * sizeof(uint32_t);
+
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body+rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ /* Sequence of null terminated strings */
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_SID_STR);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "S-1-2-3-4");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, ORIGINALAD_PREFIX SYSDB_NAME);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "orig_name");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, ORIGINALAD_PREFIX SYSDB_UIDNUM);
+ rp += strlen(s) + 1;
+ assert_true(rp
< blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "1234");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "phone");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "+12-34 56 78");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "mobile");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "+98-76 54 32");
+ rp += strlen(s) + 1;
+ assert_int_equal(rp, blen);
+
+ return EOK;
+}
+
+struct passwd orig_extra = {
+ .pw_name = discard_const("testuserorigextra"),
+ .pw_uid = 2345,
+ .pw_gid = 6789,
+ .pw_dir = discard_const("/home/testuserorigextra"),
+ .pw_gecos = discard_const("test user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+void test_nss_getorigbyname_extra_attrs(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, "S-1-2-3-4");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, ORIGINALAD_PREFIX SYSDB_NAME,
+ "orig_name");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_uint32(attrs, ORIGINALAD_PREFIX SYSDB_UIDNUM, 1234);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, "phone", "+12-34 56 78");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, "mobile", "+98-76 54 32");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, "not_extra", "abc");
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &orig_extra, attrs, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testuserorigextra");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETORIGBYNAME);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that user, call a
callback when command finishes */
+ set_cmd_cb(test_nss_getorigbyname_extra_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETORIGBYNAME,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int test_nss_getorigbyname_multi_check(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ const char *s;
+ enum sss_id_type id_type;
+ size_t rp = 2 * sizeof(uint32_t);
+
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body+rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ /* Sequence of null terminated strings */
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_SID_STR);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "S-1-2-3-4");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, ORIGINALAD_PREFIX SYSDB_NAME);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "orig_name");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, ORIGINALAD_PREFIX SYSDB_UIDNUM);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "1234");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_ORIG_MEMBEROF);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "cn=abc");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_ORIG_MEMBEROF);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, "cn=def");
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s = (char *) body+rp;
+ assert_string_equal(s, SYSDB_ORIG_MEMBEROF);
+ rp += strlen(s) + 1;
+ assert_true(rp < blen);
+
+ s =
(char *) body+rp; + assert_string_equal(s, "cn=123"); + rp += strlen(s) + 1; + assert_int_equal(rp, blen); + + return EOK; +} + +struct passwd orig_multi = { + .pw_name = discard_const("testuserorigmulti"), + .pw_uid = 3456, + .pw_gid = 7890, + .pw_dir = discard_const("/home/testuserorigmulti"), + .pw_gecos = discard_const("test user"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +void test_nss_getorigbyname_multi_value_attrs(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, "S-1-2-3-4"); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, ORIGINALAD_PREFIX SYSDB_NAME, + "orig_name"); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_uint32(attrs, ORIGINALAD_PREFIX SYSDB_UIDNUM, 1234); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_MEMBEROF, "cn=abc"); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_MEMBEROF, "cn=def"); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, SYSDB_ORIG_MEMBEROF, "cn=123"); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &orig_multi, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_user_or_group("testuserorigmulti"); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETORIGBYNAME); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getorigbyname_multi_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETORIGBYNAME, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +struct passwd upn_user = { + .pw_name = discard_const("upnuser"), + .pw_uid = 34567, + .pw_gid = 45678, + 
.pw_dir = discard_const("/home/testuserorig"), + .pw_gecos = discard_const("test user"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +static int test_nss_getpwnam_upn_check(uint32_t status, + uint8_t *body, + size_t blen) +{ + struct passwd pwd; + errno_t ret; + + assert_int_equal(status, EOK); + + ret = parse_user_packet(body, blen, &pwd); + assert_int_equal(ret, EOK); + + assert_users_equal(&pwd, &upn_user); + return EOK; +} + +void test_nss_getpwnam_upn(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upnuser@upndomain.test"); + assert_int_equal(ret, EOK); + + /* Prime the cache with a valid user */ + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &upn_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_upn("upnuser@upndomain.test"); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM); + mock_fill_user(); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getpwnam_upn_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getpwnam_upn_same_domain(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upnuser_upn@" TEST_DOM_NAME); + assert_int_equal(ret, EOK); + + /* Prime the cache with a valid user */ + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &upn_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_user_or_group("upnuser_upn@" TEST_DOM_NAME); + mock_account_recv_simple(); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM); + mock_fill_user(); + + /* Query for 
that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getpwnam_upn_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +/* Test that searching for a nonexistent user yields ENOENT. + * Account callback will be called + */ +void test_nss_getpwnam_upn_neg(void **state) +{ + errno_t ret; + + mock_input_upn("nosuchupnuser@upndomain.test"); + mock_account_recv_simple(); + + assert_int_equal(nss_test_ctx->ncache_hits, 0); + + set_cmd_cb(NULL); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); + assert_int_equal(nss_test_ctx->ncache_hits, 0); + + /* Test that subsequent search for a nonexistent user yields + * ENOENT and Account callback is not called, on the other hand + * the ncache functions will be called + */ + nss_test_ctx->tctx->done = false; + nss_test_ctx->ncache_hits = 0; + + mock_input_upn("nosuchupnuser@upndomain.test"); + set_cmd_cb(NULL); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); + /* Negative cache was hit this time */ + assert_int_equal(nss_test_ctx->ncache_hits, 1); +} + +static int test_nss_initgr_check(uint32_t status, uint8_t *body, size_t blen) +{ + gid_t expected_gids[] = { 3211, 3212 }; + + assert_int_equal(status, EOK); + check_initgr_packet(body, blen, expected_gids, N_ELEMENTS(expected_gids)); + return EOK; +} + +struct passwd testinitgr_usr = { + .pw_name = discard_const("testinitgr"), + .pw_uid = 321, + .pw_gid = 654, + .pw_dir = 
discard_const("/home/testinitgr"), + .pw_gecos = discard_const("test initgroups"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +struct group testinitgr_gr1 = { + .gr_gid = 3211, + .gr_name = discard_const("testinitgr_gr1"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +struct group testinitgr_gr2 = { + .gr_gid = 3212, + .gr_name = discard_const("testinitgr_gr2"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +void test_nss_initgroups(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, + time(NULL) + 300); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upninitgr@upndomain.test"); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_usr, attrs, 0); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_gr1, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_gr2, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_gr1.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_usr.pw_name, + nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_gr2.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_usr.pw_name, + nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + mock_input_user_or_group("testinitgr"); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR); + will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_initgr_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR, + nss_test_ctx->nss_cmds); + 
assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +/* Test that searching for a nonexistent user yields ENOENT. + * Account callback will be called + */ +void test_initgr_neg_by_name(const char *name, bool is_upn) +{ + errno_t ret; + + if (is_upn) { + mock_input_upn(name); + } else { + mock_input_user_or_group(name); + } + mock_account_recv_simple(); + + assert_int_equal(nss_test_ctx->ncache_hits, 0); + + set_cmd_cb(NULL); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); + assert_int_equal(nss_test_ctx->ncache_hits, 0); + + /* Test that subsequent search for a nonexistent user yields + * ENOENT and Account callback is not called, on the other hand + * the ncache functions will be called + */ + nss_test_ctx->tctx->done = false; + nss_test_ctx->ncache_hits = 0; + + if (is_upn) { + mock_input_upn(name); + } else { + mock_input_user_or_group(name); + } + set_cmd_cb(NULL); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); + /* Negative cache was hit this time */ + assert_int_equal(nss_test_ctx->ncache_hits, 1); +} + +void test_nss_initgr_neg(void **state) +{ + test_initgr_neg_by_name("testinitgr_neg", false); +} + +struct passwd testinitgr_srch_usr = { + .pw_name = discard_const("testinitgr_srch"), + .pw_uid = 421, + .pw_gid = 654, + .pw_dir = discard_const("/home/testinitgr_srch"), + .pw_gecos = discard_const("test initgroups"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +struct group testinitgr_srch_gr1 = { + .gr_gid = 4211, + .gr_name = 
discard_const("testinitgr_srch_gr1"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +struct group testinitgr_srch_gr2 = { + .gr_gid = 4212, + .gr_name = discard_const("testinitgr_srch_gr2"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +static int test_nss_initgr_search_acct_cb(void *pvt) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, + time(NULL) + 300); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_srch_usr, attrs, 0); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_srch_gr1, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_srch_gr2, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_srch_gr1.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_srch_usr.pw_name, + nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_srch_gr2.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_srch_usr.pw_name, + nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + return EOK; +} + +static int test_nss_initgr_search_check(uint32_t status, + uint8_t *body, size_t blen) +{ + gid_t expected_gids[] = { 4211, 4212 }; + + assert_int_equal(status, EOK); + check_initgr_packet(body, blen, expected_gids, N_ELEMENTS(expected_gids)); + return EOK; +} + +void test_nss_initgr_search(void **state) +{ + errno_t ret; + struct ldb_result *res; + + mock_input_user_or_group("testinitgr_srch"); + mock_account_recv(0, 0, NULL, test_nss_initgr_search_acct_cb, nss_test_ctx); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR); + will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + 
set_cmd_cb(test_nss_initgr_search_check); + + ret = get_user(nss_test_ctx, nss_test_ctx->tctx->dom, + "testinitgr_srch", &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + + /* test_nss_getpwnam_search_check will check the user attributes */ + ret = get_user(nss_test_ctx, nss_test_ctx->tctx->dom, + "testinitgr_srch", &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); +} + +struct passwd testinitgr_update_usr = { + .pw_name = discard_const("testinitgr_update"), + .pw_uid = 521, + .pw_gid = 654, + .pw_dir = discard_const("/home/testinitgr_update"), + .pw_gecos = discard_const("test initgroups"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +struct group testinitgr_update_gr1 = { + .gr_gid = 5211, + .gr_name = discard_const("testinitgr_update_gr1"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +struct group testinitgr_update_gr2 = { + .gr_gid = 5212, + .gr_name = discard_const("testinitgr_update_gr2"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +static int test_nss_initgr_update_acct_cb(void *pvt) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, + time(NULL) + 300); + assert_int_equal(ret, EOK); + + ret = set_user_attr(nss_test_ctx, + nss_test_ctx->tctx->dom, + &testinitgr_update_usr, + attrs); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_update_gr2, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_update_gr2.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_update_usr.pw_name, + 
nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + return EOK; +} + +static int test_nss_initgr_update_check(uint32_t status, uint8_t *body, size_t blen) +{ + gid_t expected_gids[] = { 5211, 5212 }; + + assert_int_equal(status, EOK); + check_initgr_packet(body, blen, expected_gids, N_ELEMENTS(expected_gids)); + return EOK; +} + +void test_nss_initgr_update(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, + time(NULL) - 1); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_update_usr, attrs, 0); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_update_gr1, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_update_gr1.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_update_usr.pw_name, + nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + mock_input_user_or_group("testinitgr_update"); + mock_account_recv(0, 0, NULL, test_nss_initgr_update_acct_cb, nss_test_ctx); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR); + will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + set_cmd_cb(test_nss_initgr_update_check); + + /* Query for that user, call a callback when command finishes */ + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +struct passwd testinitgr_2attr_usr = { + .pw_name = discard_const("testinitgr_2attr"), + .pw_uid = 521, + .pw_gid = 654, + .pw_dir = discard_const("/home/testinitgr_2attr"), + .pw_gecos = discard_const("test initgroups"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = 
discard_const("*"), +}; + +struct group testinitgr_2attr_gr1 = { + .gr_gid = 5221, + .gr_name = discard_const("testinitgr_2attr_gr11"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +struct group testinitgr_2attr_gr2 = { + .gr_gid = 5222, + .gr_name = discard_const("testinitgr_2attr_gr12"), + .gr_passwd = discard_const("*"), + .gr_mem = NULL, +}; + +static int test_nss_initgr_update_acct_2expire_attributes_cb(void *pvt) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE, + time(NULL) + 300); + assert_int_equal(ret, EOK); + + ret = set_user_attr(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_2attr_usr, attrs); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &testinitgr_2attr_gr2, NULL, 0); + assert_int_equal(ret, EOK); + + ret = store_group_member(nss_test_ctx, + testinitgr_2attr_gr2.gr_name, + nss_test_ctx->tctx->dom, + testinitgr_2attr_usr.pw_name, + nss_test_ctx->tctx->dom, + SYSDB_MEMBER_USER); + assert_int_equal(ret, EOK); + + return EOK; +} + +static int test_nss_initgr_update_2expire_attributes_check(uint32_t status, + uint8_t *body, + size_t blen) +{ + gid_t expected_gids[] = { 5221, 5222 }; + + assert_int_equal(status, EOK); + check_initgr_packet(body, blen, expected_gids, N_ELEMENTS(expected_gids)); + return EOK; +} + +/* + * SYSDB_INITGR_EXPIRE has default value 0 => initgroups was not finished. + * SYSDB_CACHE_EXPIRE has value from future => getpwnam finished successfully + * + * Test result: DP should be contacted for update. 
+ */
+void test_nss_initgr_update_two_expire_attributes(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE,
+ 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_CACHE_EXPIRE,
+ time(NULL) + 100);
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testinitgr_2attr_usr, attrs, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testinitgr_2attr_gr1, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_group_member(nss_test_ctx,
+ testinitgr_2attr_gr1.gr_name,
+ nss_test_ctx->tctx->dom,
+ testinitgr_2attr_usr.pw_name,
+ nss_test_ctx->tctx->dom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group("testinitgr_2attr");
+ mock_account_recv(0, 0, NULL,
+ test_nss_initgr_update_acct_2expire_attributes_cb,
+ nss_test_ctx);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+ set_cmd_cb(test_nss_initgr_update_2expire_attributes_check);
+
+ /* Query for that user, call a callback when command finishes */
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_initgroups_upn(void **state)
+{
+ errno_t ret;
+
+ mock_input_upn("upninitgr@upndomain.test");
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR);
+ will_return_always(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_initgr_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Test that searching for a nonexistent user yields ENOENT.
+ * Account callback will be called
+ */
+void test_nss_initgr_neg_upn(void **state)
+{
+ test_initgr_neg_by_name("upninitgr_neg@upndomain.test", true);
+}
+
+static int nss_test_setup(void **state)
+{
+ struct sss_test_conf_param params[] = {
+ { "enumerate", "false" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_nss_setup(params, state);
+ return 0;
+}
+
+static int nss_fqdn_test_setup(void **state)
+{
+ struct sss_test_conf_param params[] = {
+ { "enumerate", "false" },
+ { "full_name_format", "%1$s@%2$s" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_nss_setup(params, state);
+ return 0;
+}
+
+static int nss_test_setup_extra_attr(void **state)
+{
+ struct sss_test_conf_param params[] = {
+ { "enumerate", "false" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_nss_setup(params, state);
+
+ nss_test_ctx->nctx->extra_attributes = global_extra_attrs;
+ return 0;
+}
+
+static int nss_subdom_test_setup_common(void **state, bool nonfqnames)
+{
+ const char *const testdom[4] = { TEST_SUBDOM_NAME, "TEST.SUB", "test", "S-3" };
+ struct sss_domain_info *dom;
+
+ struct sss_domain_info *subdomain;
+ errno_t ret;
+
+ nss_test_setup(state);
+
+ subdomain = new_subdomain(nss_test_ctx, nss_test_ctx->tctx->dom,
+ testdom[0], testdom[1], testdom[2], testdom[3],
+ false, false, NULL, NULL, 0,
+ nss_test_ctx->tctx->confdb);
+ assert_non_null(subdomain);
+
+ ret = sysdb_subdomain_store(nss_test_ctx->tctx->sysdb,
+ testdom[0], testdom[1], testdom[2], testdom[3],
+ false, false, NULL, 0, NULL);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_update_subdomains(nss_test_ctx->tctx->dom,
+ nss_test_ctx->tctx->confdb);
+ assert_int_equal(ret, EOK);
+
+ if (nonfqnames) {
+ for (dom = nss_test_ctx->rctx->domains;
+ dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_ALL_DOMAINS)) {
+ if (strcmp(dom->name, subdomain->name) == 0) {
+ dom->fqnames = false;
+ break;
+ }
+ }
+ }
+
+ ret = sss_resp_populate_cr_domains(nss_test_ctx->rctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(nss_test_ctx->rctx->cr_domains);
+
+ nss_test_ctx->subdom = nss_test_ctx->tctx->dom->subdomains;
+
+ ret = store_group(nss_test_ctx, nss_test_ctx->subdom,
+ &testsubdomgroup, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->subdom,
+ &submember1, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->subdom,
+ &submember2, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = store_group_member(nss_test_ctx,
+ testsubdomgroup.gr_name,
+ nss_test_ctx->subdom,
+ submember1.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ ret = store_group_member(nss_test_ctx,
+ testsubdomgroup.gr_name,
+ nss_test_ctx->subdom,
+ submember2.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ return 0;
+
+}
+
+static int nss_subdom_test_setup(void **state)
+{
+ return nss_subdom_test_setup_common(state, false);
+}
+
+static int nss_subdom_test_setup_nonfqnames(void **state)
+{
+ return nss_subdom_test_setup_common(state, true);
+}
+
+static int nss_fqdn_fancy_test_setup(void **state)
+{
+ struct sss_test_conf_param params[] = {
+ { "enumerate", "false" },
+ { "full_name_format", "%1$s@@@@@%2$s" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_nss_setup(params, state);
+ return 0;
+}
+
+static int nss_test_teardown(void **state)
+{
+ talloc_free(nss_test_ctx);
+ return 0;
+}
+
+static int nss_subdom_test_teardown(void **state)
+{
+ errno_t ret;
+
+ ret = remove_group_member(nss_test_ctx,
+ testsubdomgroup.gr_name,
+ nss_test_ctx->subdom,
+ submember2.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ ret = remove_group_member(nss_test_ctx,
+ testsubdomgroup.gr_name,
+ nss_test_ctx->subdom,
+ submember1.pw_name,
+ nss_test_ctx->subdom,
+ SYSDB_MEMBER_USER);
+ assert_int_equal(ret, EOK);
+
+ ret = delete_user(nss_test_ctx, nss_test_ctx->subdom, &submember2);
+ assert_int_equal(ret, EOK);
+
+ ret = delete_user(nss_test_ctx, nss_test_ctx->subdom, &submember1);
+ assert_int_equal(ret, EOK);
+
+ ret = delete_group(nss_test_ctx, nss_test_ctx->subdom, &testsubdomgroup);
+ assert_int_equal(ret, EOK);
+
+ return nss_test_teardown(state);
+}
+
+struct passwd testbysid = {
+ .pw_name = discard_const("testsiduser"),
+ .pw_uid = 12345,
+ .pw_gid = 6890,
+ .pw_dir = discard_const("/home/testsiduser"),
+ .pw_gecos = discard_const("test bysid lookup"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getnamebysid_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ size_t rp = 2 * sizeof(uint32_t); /* num_results and reserved */
+ uint32_t id_type;
+ const char *name;
+
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body+rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ name = (const char *) body + rp;
+ assert_string_equal(name, testbysid.pw_name);
+
+ return EOK;
+}
+
+static void test_nss_getnamebysid(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ char *user_sid;
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ user_sid = talloc_asprintf(attrs, "%s-500",
+ nss_test_ctx->tctx->dom->domain_id);
+ assert_non_null(user_sid);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, user_sid);
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testbysid, attrs, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_sid(user_sid);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETNAMEBYSID);
+ mock_fill_bysid();
+
+ /* Query for that user, call a callback when command finishes */
+ /* Should go straight to back end, without contacting DP */
+ set_cmd_cb(test_nss_getnamebysid_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Test that searching for a nonexistent user yields ENOENT.
+ * Account callback will be called
+ */
+void test_nss_getnamebysid_neg(void **state)
+{
+ errno_t ret;
+ char *user_sid;
+
+ user_sid = talloc_asprintf(nss_test_ctx, "%s-499",
+ nss_test_ctx->tctx->dom->domain_id);
+ assert_non_null(user_sid);
+
+ mock_input_sid(user_sid);
+ mock_account_recv_simple();
+
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ /* Test that subsequent search for a nonexistent user yields
+ * ENOENT and Account callback is not called, on the other hand
+ * the ncache functions will be called
+ */
+ nss_test_ctx->tctx->done = false;
+
+ mock_input_sid(user_sid);
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ /* Negative cache was hit this time */
+ assert_int_equal(nss_test_ctx->ncache_hits, 1);
+}
+
+struct passwd testbysid_update = {
+ .pw_name = discard_const("testsidbyname_update"),
+ .pw_uid = 123456,
+ .pw_gid = 789,
+ .pw_dir = discard_const("/home/testsidbyname_update"),
+ .pw_gecos = discard_const("test bysid lookup"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+static int test_nss_getnamebysid_update_check(uint32_t status,
+ uint8_t *body,
+ size_t blen)
+{
+ size_t rp = 2 * sizeof(uint32_t); /* num_results and reserved */
+ uint32_t id_type;
+ const char *name;
+
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body+rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ name = (const char *) body + rp;
+ assert_string_equal(name, "testsidbyname_update");
+
+ return EOK;
+}
+
+static int test_nss_getnamebysid_update_acct_cb(void *pvt)
+{
+ errno_t ret;
+ struct nss_test_ctx *ctx = talloc_get_type(pvt, struct nss_test_ctx);
+
+ testbysid_update.pw_shell = discard_const("/bin/ksh");
+ ret = store_user(ctx, nss_test_ctx->tctx->dom,
+ &testbysid_update, NULL, 0);
+ assert_int_equal(ret, EOK);
+
+ return EOK;
+}
+
+void test_nss_getnamebysid_update(void **state)
+{
+ errno_t ret;
+ struct ldb_result *res;
+ struct sysdb_attrs *attrs;
+ const char *shell;
+ char *user_sid;
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ user_sid = talloc_asprintf(attrs, "%s-123456",
+ nss_test_ctx->tctx->dom->domain_id);
+ assert_non_null(user_sid);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, user_sid);
+ assert_int_equal(ret, EOK);
+
+ /* Prime the cache with a valid but expired user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testbysid_update, attrs, 1);
+ assert_int_equal(ret, EOK);
+
+ /* Mock client input */
+ mock_input_sid(user_sid);
+ /* Mock client command */
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETNAMEBYSID);
+ /* Call this function when user is updated by the mock DP request */
+ mock_account_recv(0, 0, NULL, test_nss_getnamebysid_update_acct_cb,
+ nss_test_ctx);
+ /* Call this function to check what the responder returned to the client */
+ set_cmd_cb(test_nss_getnamebysid_update_check);
+ /* Mock output buffer */
+ mock_fill_bysid();
+
+ /* Fire the command */
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYSID,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+
+ /* Check the user was updated in the cache */
+ ret = get_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ testbysid_update.pw_name, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+
+ shell = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, NULL);
+ assert_string_equal(shell, "/bin/ksh");
+}
+
+struct passwd testbycert = {
+ .pw_name = discard_const("testcertuser"),
+ .pw_uid = 23456,
+ .pw_gid = 6890,
+ .pw_dir = discard_const("/home/testcertuser"),
+ .pw_gecos = discard_const("test cert user"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+struct passwd testbycert2 = {
+ .pw_name = discard_const("testcertuser2"),
+ .pw_uid = 23457,
+ .pw_gid = 6890,
+ .pw_dir = discard_const("/home/testcertuser2"),
+ .pw_gecos = discard_const("test cert user2"),
+ .pw_shell = discard_const("/bin/sh"),
+ .pw_passwd = discard_const("*"),
+};
+
+#define TEST_TOKEN_CERT \
+"MIIECTCCAvGgAwIBAgIBCDANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlJUEEu" \
+"REVWRUwxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNTA2MjMx" \
+"NjMyMDdaFw0xNzA2MjMxNjMyMDdaMDIxEjAQBgNVBAoMCUlQQS5ERVZFTDEcMBoG" \
+"A1UEAwwTaXBhLWRldmVsLmlwYS5kZXZlbDCCASIwDQYJKoZIhvcNAQEBBQADggEP" \
+"ADCCAQoCggEBALXUq56VlY+Z0aWLLpFAjFfbElPBXGQsbZb85J3cGyPjaMHC9wS+" \
+"wjB6Ve4HmQyPLx8hbINdDmbawMHYQvTScLYfsqLtj0Lqw20sUUmedk+Es5Oh9VHo" \
+"nd8MavYx25Du2u+T0iSgNIDikXguiwCmtAj8VC49ebbgITcjJGzMmiiuJkV3o93Y" \
+"vvYF0VjLGDQbQWOy7IxzYJeNVJnZWKo67CHdok6qOrm9rxQt81rzwV/mGLbCMUbr" \
+"+N4M8URtd7EmzaYZQmNm//s2owFrCYMxpLiURPj+URZVuB72504/Ix7X0HCbA/AV" \
+"26J27fPY5nc8DMwfhUDCbTqPH/JEjd3mvY8CAwEAAaOCASYwggEiMB8GA1UdIwQY" \
+"MBaAFJOq+KAQmPEnNp8Wok23eGTdE7aDMDsGCCsGAQUFBwEBBC8wLTArBggrBgEF" \
+"BQcwAYYfaHR0cDovL2lwYS1jYS5pcGEuZGV2ZWwvY2Evb2NzcDAOBgNVHQ8BAf8E" \
+"BAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHQGA1UdHwRtMGsw" \
+"aaAxoC+GLWh0dHA6Ly9pcGEtY2EuaXBhLmRldmVsL2lwYS9jcmwvTWFzdGVyQ1JM" \
+"LmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRl" \
+"IEF1dGhvcml0eTAdBgNVHQ4EFgQUFaDNd5a53QGpaw5m63hnwXicMQ8wDQYJKoZI" \
+"hvcNAQELBQADggEBADH7Nj00qqGhGJeXJQAsepqSskz/wooqXh8vgVyb8SS4N0/c" \
+"0aQtVmY81xamlXE12ZFpwDX43d+EufBkwCUKFX/+8JFDd2doAyeJxv1xM22kKRpc" \
+"AqITPgMsa9ToGMWxjbVpc/X/5YfZixWPF0/eZUTotBj9oaR039UrhGfyN7OguF/G" \
+"rzmxtB5y4ZrMpcD/Oe90mkd9HY7sA/fB8OWOUgeRfQoh97HNS0UiDWsPtfxmjQG5" \
+"zotpoBIZmdH+ipYsu58HohHVlM9Wi5H4QmiiXl+Soldkq7eXYlafcmT7wv8+cKwz" \
+"Nz0Tm3+eYpFqRo3skr6QzXi525Jkg3r6r+kkhxU="
+
+static int test_nss_getnamebycert_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ size_t rp = 2 * sizeof(uint32_t); /* num_results and reserved */
+ uint32_t id_type;
+ const char *name;
+
+ assert_int_equal(status, EOK);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ name = (const char *)body + rp;
+ assert_string_equal(name, testbycert.pw_name);
+
+ return EOK;
+}
+
+static int test_nss_getlistbycert_check_exp(uint32_t status, uint8_t *body,
+ size_t blen, size_t exp)
+{
+ size_t rp = 0;
+ uint32_t id_type;
+ uint32_t num;
+ uint32_t reserved;
+ const char *name;
+ int found = 0;
+ const char *fq_name1 = "testcertuser@"TEST_DOM_NAME ;
+ const char *fq_name2 = "testcertuser2@"TEST_SUBDOM_NAME;
+
+ assert_int_equal(status, EOK);
+
+ /* num_results and reserved */
+ SAFEALIGN_COPY_UINT32(&num, body + rp, &rp);
+ assert_int_equal(num, exp);
+ SAFEALIGN_COPY_UINT32(&reserved, body + rp, &rp);
+ assert_int_equal(reserved, 0);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ name = (const char *)body + rp;
+ if (num == 1) {
+ assert_string_equal(name, fq_name1);
+ return EOK;
+ }
+
+ rp += strlen(name) + 1;
+ if (strcmp(name, fq_name1) == 0) {
+ found = 1;
+ } else if (strcmp(name, fq_name2) == 0) {
+ found = 2;
+ }
+ assert_in_range(found, 1, 2);
+
+ SAFEALIGN_COPY_UINT32(&id_type, body + rp, &rp);
+ assert_int_equal(id_type, SSS_ID_TYPE_UID);
+
+ name = (const char *)body + rp;
+ if (found == 1) {
+ assert_string_equal(name, fq_name2);
+ } else {
+ assert_string_equal(name, fq_name1);
+ }
+
+
+ return EOK;
+}
+
+static int test_nss_getlistbycert_check_one(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ return test_nss_getlistbycert_check_exp(status, body, blen, 1);
+}
+
+static int test_nss_getlistbycert_check_two(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ return test_nss_getlistbycert_check_exp(status, body, blen, 2);
+}
+
+static void test_nss_getnamebycert(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ unsigned char *der = NULL;
+ size_t der_size;
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
+ assert_non_null(der);
+
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
+ talloc_free(der);
+ assert_int_equal(ret, EOK);
+
+ /* Prime the cache with a valid user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testbycert, attrs, 0);
+ assert_int_equal(ret, EOK);
+ talloc_free(attrs);
+
+ mock_input_cert(TEST_TOKEN_CERT);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETNAMEBYCERT);
+ mock_fill_bysid();
+
+ /* Query for that user, call a callback when command finishes */
+ /* Should go straight to back end, without contacting DP */
+ set_cmd_cb(test_nss_getnamebycert_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYCERT,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_nss_getnamebycert_neg(void **state)
+{
+ errno_t ret;
+
+ mock_input_cert(TEST_TOKEN_CERT);
+ mock_account_recv_simple();
+
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYCERT,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_int_equal(nss_test_ctx->ncache_hits, 0);
+
+ /* Test that subsequent search for a nonexistent user yields
+ * ENOENT and Account callback is not called, on the other hand
+ * the ncache functions will be called
+ */
+ nss_test_ctx->tctx->done = false;
+
+ mock_input_cert(TEST_TOKEN_CERT);
+ set_cmd_cb(NULL);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETNAMEBYCERT,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with ENOENT */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ /* Negative cache was hit this time */
+ assert_int_equal(nss_test_ctx->ncache_hits, 1);
+}
+
+static void test_nss_getlistbycert(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ unsigned char *der = NULL;
+ size_t der_size;
+
+ attrs = sysdb_new_attrs(nss_test_ctx);
+ assert_non_null(attrs);
+
+ der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size);
+ assert_non_null(der);
+
+ ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size);
+ talloc_free(der);
+ assert_int_equal(ret, EOK);
+
+ /* Prime the cache with a valid user */
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testbycert, attrs, 0);
+ assert_int_equal(ret, EOK);
+ talloc_free(attrs);
+
+ mock_input_cert(TEST_TOKEN_CERT);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETLISTBYCERT);
+ mock_fill_bysid();
+
+ /* Query for that user, call a callback when command finishes */
+ /* Should go straight to back end, without contacting DP. */
+ /* If there is only a single user mapped the result will look like the */
+ /* result of getnamebycert.
*/ + set_cmd_cb(test_nss_getlistbycert_check_one); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETLISTBYCERT, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static void test_nss_getlistbycert_multi(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + unsigned char *der = NULL; + size_t der_size; + + der = sss_base64_decode(nss_test_ctx, TEST_TOKEN_CERT, &der_size); + assert_non_null(der); + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); + assert_int_equal(ret, EOK); + + /* Prime the cache with two valid user */ + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &testbycert, attrs, 0); + assert_int_equal(ret, EOK); + talloc_free(attrs); + + /* Looks like attrs is modified during store_user() makes sure we start + * with fresh data. */ + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); + talloc_free(der); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->subdom, + &testbycert2, attrs, 0); + assert_int_equal(ret, EOK); + talloc_free(attrs); + + mock_input_cert(TEST_TOKEN_CERT); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETLISTBYCERT); + mock_fill_bysid(); + + /* Query for that user, call a callback when command finishes */ + /* Should go straight to back end, without contacting DP */ + set_cmd_cb(test_nss_getlistbycert_check_two); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETLISTBYCERT, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +struct passwd sid_user = { + .pw_name = discard_const("testusersid"), + .pw_uid = 1234, + .pw_gid = 5678, + 
.pw_dir = discard_const("/home/testusersid"), + .pw_gecos = discard_const("test user"), + .pw_shell = discard_const("/bin/sh"), + .pw_passwd = discard_const("*"), +}; + +static int test_nss_getsidbyname_check(uint32_t status, + uint8_t *body, + size_t blen) +{ + const char *name; + enum sss_id_type type; + size_t rp = 2 * sizeof(uint32_t); + char *expected_result = sss_mock_ptr_type(char *); + + if (expected_result == NULL) { + assert_int_equal(status, EINVAL); + assert_int_equal(blen, 0); + } else { + assert_int_equal(status, EOK); + + SAFEALIGN_COPY_UINT32(&type, body+rp, &rp); + + name = (char *) body+rp; + + assert_int_equal(type, SSS_ID_TYPE_UID); + assert_string_equal(name, expected_result); + } + + return EOK; +} + +void test_nss_getsidbyname(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testuser_sid = "S-1-2-3-4"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testuser_sid); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_user_or_group("testusersid"); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_check, testuser_sid); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getsidbyname_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbyid(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testuser_sid = "S-1-2-3-4"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, 
testuser_sid); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_id(nss_test_ctx, 1234); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYID); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_check, testuser_sid); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getsidbyname_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbyuid(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testuser_sid = "S-1-2-3-4"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testuser_sid); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_id(nss_test_ctx, 1234); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYUID); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_check, testuser_sid); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getsidbyname_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYUID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbygid_no_group(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testuser_sid = "S-1-2-3-4"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, 
testuser_sid); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_id(nss_test_ctx, 1234); + mock_account_recv_simple(); + set_cmd_cb(NULL); + + /* Query for that user, call a callback when command finishes */ + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYGID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT (because there is no such + * group) */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); +} + +struct group sid_group = { + .gr_name = discard_const("testgroupsid"), + .gr_gid = 5555, +}; + +static int test_nss_getsidbyname_group_check(uint32_t status, + uint8_t *body, + size_t blen) +{ + const char *name; + enum sss_id_type type; + size_t rp = 2 * sizeof(uint32_t); + char *expected_result = sss_mock_ptr_type(char *); + + if (expected_result == NULL) { + assert_int_equal(status, EINVAL); + assert_int_equal(blen, 0); + } else { + assert_int_equal(status, EOK); + + SAFEALIGN_COPY_UINT32(&type, body+rp, &rp); + + name = (char *) body+rp; + + assert_int_equal(type, SSS_ID_TYPE_GID); + assert_string_equal(name, expected_result); + } + + return EOK; +} + +void test_nss_getsidbyname_group(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testgroup_sid = "S-1-2-3-5"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testgroup_sid); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_group, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_user_or_group("testgroupsid"); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_group_check, testgroup_sid); + + /* Query for that group, call a callback when command finishes 
*/ + set_cmd_cb(test_nss_getsidbyname_group_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbyid_group(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testgroup_sid = "S-1-2-3-5"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testgroup_sid); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_group, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_id(nss_test_ctx, 5555); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYID); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_group_check, testgroup_sid); + + /* Query for that group, call a callback when command finishes */ + set_cmd_cb(test_nss_getsidbyname_group_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbygid_group(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testgroup_sid = "S-1-2-3-5"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testgroup_sid); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_group, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_id(nss_test_ctx, 5555); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYGID); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_group_check, testgroup_sid); + + /* Query for that user, call a 
callback when command finishes */ + set_cmd_cb(test_nss_getsidbyname_group_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYGID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbyuid_no_user(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testgroup_sid = "S-1-2-3-5"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testgroup_sid); + assert_int_equal(ret, EOK); + + ret = store_group(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_group, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_id(nss_test_ctx, 5555); + mock_account_recv_simple(); + set_cmd_cb(NULL); + + /* Query for that user, call a callback when command finishes */ + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYUID, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT (because there is no such + * user) */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); +} + +void test_nss_getsidbyupn(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + const char *testuser_sid = "S-1-2-3-4"; + const char *testuser_upn = "testusersid@upndomain.test"; + + attrs = sysdb_new_attrs(nss_test_ctx); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, testuser_sid); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, testuser_upn); + assert_int_equal(ret, EOK); + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &sid_user, attrs, 0); + assert_int_equal(ret, EOK); + + mock_input_upn(testuser_upn); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETSIDBYNAME); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + will_return(test_nss_getsidbyname_check, testuser_sid); + + /* Query 
for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getsidbyname_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getsidbyname_neg(void **state) +{ + errno_t ret; + + mock_input_user_or_group("testnosuchsid"); + mock_account_recv_simple(); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(NULL); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETSIDBYNAME, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with ENOENT (because there is no such SID */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, ENOENT); +} + +static int test_nss_EINVAL_check(uint32_t status, uint8_t *body, size_t blen) +{ + assert_int_equal(status, EINVAL); + assert_int_equal(blen, 0); + + return EOK; +} + +#define RESET_TCTX do { \ + nss_test_ctx->tctx->done = false; \ + nss_test_ctx->tctx->error = EIO; \ +} while (0) + +void test_nss_getpwnam_ex(void **state) +{ + errno_t ret; + + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &getpwnam_usr, NULL, 0); + assert_int_equal(ret, EOK); + + mock_input_user_or_group_ex(true, "testuser", 0); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM_EX); + mock_fill_user(); + + /* Query for that user, call a callback when command finishes */ + set_cmd_cb(test_nss_getpwnam_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use old input format, expect EINVAL */ + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, "testuser"); + 
will_return(__wrap_sss_packet_get_body, 0); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use unsupported flag combination, expect EINVAL */ + mock_input_user_or_group_ex(false, "testuser", + SSS_NSS_EX_FLAG_NO_CACHE + |SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_NO_CACHE, + * will cause a backend lookup -> mock_account_recv_simple() */ + mock_input_user_or_group_ex(true, "testuser", SSS_NSS_EX_FLAG_NO_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM_EX); + mock_fill_user(); + mock_account_recv_simple(); + + set_cmd_cb(test_nss_getpwnam_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_INVALIDATE_CACHE */ + mock_input_user_or_group_ex(true, "testuser", + SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWNAM_EX); + mock_fill_user(); + + set_cmd_cb(test_nss_getpwnam_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void 
test_nss_getpwuid_ex(void **state) +{ + errno_t ret; + uint32_t id = 101; + + /* Prime the cache with a valid user */ + ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom, + &getpwuid_usr, NULL, 0); + assert_int_equal(ret, EOK); + + mock_input_id_ex(nss_test_ctx, id, 0); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID_EX); + mock_fill_user(); + + /* Query for that id, call a callback when command finishes */ + set_cmd_cb(test_nss_getpwuid_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use old input format, expect failure */ + mock_input_id(nss_test_ctx, id); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use unsupported flag combination, expect EINVAL */ + mock_input_id_ex(nss_test_ctx, id, SSS_NSS_EX_FLAG_NO_CACHE + |SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_NO_CACHE, + * will cause a backend lookup -> mock_account_recv_simple() */ + mock_input_id_ex(nss_test_ctx, id, SSS_NSS_EX_FLAG_NO_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID_EX); + mock_fill_user(); + mock_account_recv_simple(); + + 
set_cmd_cb(test_nss_getpwuid_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_INVALIDATE_CACHE */ + mock_input_id_ex(nss_test_ctx, id, SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETPWUID_EX); + mock_fill_user(); + + set_cmd_cb(test_nss_getpwuid_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETPWUID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getgrnam_ex_no_members(void **state) +{ + errno_t ret; + + /* Test group is still in the cache */ + + mock_input_user_or_group_ex(true, getgrnam_no_members.gr_name, 0); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM_EX); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + /* Query for that group, call a callback when command finishes */ + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use old input format, expect failure */ + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, "testgroup"); + will_return(__wrap_sss_packet_get_body, 0); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = 
sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use unsupported flag combination, expect EINVAL */ + mock_input_user_or_group_ex(false, getgrnam_no_members.gr_name, + SSS_NSS_EX_FLAG_NO_CACHE + |SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_NO_CACHE, + * will cause a backend lookup -> mock_account_recv_simple() */ + mock_input_user_or_group_ex(true, getgrnam_no_members.gr_name, + SSS_NSS_EX_FLAG_NO_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM_EX); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + mock_account_recv_simple(); + + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_INVALIDATE_CACHE */ + mock_input_user_or_group_ex(true, getgrnam_no_members.gr_name, + SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRNAM_EX); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + 
will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRNAM_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_getgrgid_ex_no_members(void **state) +{ + errno_t ret; + + /* Test group is still in the cache */ + + mock_input_id_ex(nss_test_ctx, getgrnam_no_members.gr_gid, 0); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRGID_EX); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + mock_account_recv_simple(); + + /* Query for that group, call a callback when command finishes */ + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRGID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use old input format, expect failure */ + mock_input_id(nss_test_ctx, getgrnam_no_members.gr_gid); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRGID_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRGID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use unsupported flag combination, expect EINVAL */ + mock_input_id_ex(nss_test_ctx, getgrnam_no_members.gr_gid, + SSS_NSS_EX_FLAG_NO_CACHE + |SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRGID_EX); + + set_cmd_cb(test_nss_EINVAL_check); + ret = 
sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRGID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_NO_CACHE, + * will cause a backend lookup -> mock_account_recv_simple() */ + mock_input_id_ex(nss_test_ctx, getgrnam_no_members.gr_gid, + SSS_NSS_EX_FLAG_NO_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRGID_EX); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + mock_account_recv_simple(); + mock_account_recv_simple(); + + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRGID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); + RESET_TCTX; + + /* Use flag SSS_NSS_EX_FLAG_INVALIDATE_CACHE */ + mock_input_id_ex(nss_test_ctx, getgrnam_no_members.gr_gid, + SSS_NSS_EX_FLAG_INVALIDATE_CACHE); + will_return(__wrap_sss_packet_get_cmd, SSS_NSS_GETGRGID_EX); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_nss_getgrnam_no_members_check); + ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_GETGRGID_EX, + nss_test_ctx->nss_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(nss_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_nss_initgroups_ex(void **state) +{ + errno_t ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(nss_test_ctx); + 
assert_non_null(attrs);
+
+ ret = sysdb_attrs_add_time_t(attrs, SYSDB_INITGR_EXPIRE,
+ time(NULL) + 300);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upninitgr@upndomain.test");
+ assert_int_equal(ret, EOK);
+
+ ret = store_user(nss_test_ctx, nss_test_ctx->tctx->dom,
+ &testinitgr_usr, attrs, 0);
+ assert_int_equal(ret, EOK);
+
+ mock_input_user_or_group_ex(true, "testinitgr", 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR_EX);
+ mock_fill_user();
+
+ /* Query for that user, call a callback when command finishes */
+ set_cmd_cb(test_nss_initgr_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR_EX,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ RESET_TCTX;
+
+ /* Use old input format, expect failure */
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, "testinitgr");
+ will_return(__wrap_sss_packet_get_body, 0);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR_EX);
+
+ set_cmd_cb(test_nss_EINVAL_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR_EX,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ RESET_TCTX;
+
+ /* Use unsupported flag combination, expect EINVAL */
+ mock_input_user_or_group_ex(false, "testinitgr",
+ SSS_NSS_EX_FLAG_NO_CACHE
+ |SSS_NSS_EX_FLAG_INVALIDATE_CACHE);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR_EX);
+
+ set_cmd_cb(test_nss_EINVAL_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR_EX,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ RESET_TCTX;
+
+ /* Use flag SSS_NSS_EX_FLAG_NO_CACHE,
+ * will cause a backend lookup -> mock_account_recv_simple() */
+ mock_input_user_or_group_ex(true, "testinitgr",
+ SSS_NSS_EX_FLAG_NO_CACHE);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR_EX);
+ mock_fill_user();
+ mock_account_recv_simple();
+
+ set_cmd_cb(test_nss_initgr_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR_EX,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ RESET_TCTX;
+
+ /* Use flag SSS_NSS_EX_FLAG_INVALIDATE_CACHE */
+ mock_input_user_or_group_ex(true, "testinitgr",
+ SSS_NSS_EX_FLAG_INVALIDATE_CACHE);
+ will_return(__wrap_sss_packet_get_cmd, SSS_NSS_INITGR_EX);
+ mock_fill_user();
+
+ set_cmd_cb(test_nss_initgr_check);
+ ret = sss_cmd_execute(nss_test_ctx->cctx, SSS_NSS_INITGR_EX,
+ nss_test_ctx->nss_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(nss_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwuid,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwuid_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_search,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwuid_search,
+ nss_test_setup,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_update,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwuid_update,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_fqdn,
+ nss_fqdn_test_setup,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_fqdn_fancy,
+ nss_fqdn_fancy_test_setup,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_space,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_space_sub,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_space_sub_query,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_no_members,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_members,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_members_fqdn,
+ nss_fqdn_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_members_subdom,
+ nss_subdom_test_setup,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_members_subdom_nonfqnames,
+ nss_subdom_test_setup_nonfqnames,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom,
+ nss_subdom_test_setup,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_nonfqnames,
+ nss_subdom_test_setup_nonfqnames,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_fqdn,
+ nss_subdom_test_setup,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_dom_fqdn_nonfqnames,
+ nss_subdom_test_setup_nonfqnames,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_subdom,
+ nss_subdom_test_setup,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_mix_subdom_nonfqnames,
+ nss_subdom_test_setup_nonfqnames,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_space,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_space_sub,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getnamebysid,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getnamebysid_special,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getnamebysid_non_existing,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getidbysid_failure,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getsidbyname,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getsidbyname_nonexisting,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_well_known_getsidbyname_special,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getorigbyname,
+ nss_test_setup,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getorigbyname_extra_attrs,
+ nss_test_setup_extra_attr,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getorigbyname_multi_value_attrs,
+ nss_test_setup_extra_attr,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getorigbyname,
+ nss_test_setup,
+ nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_upn,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_upn_same_domain,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_upn_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgroups,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgr_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgr_search,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgr_update,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgr_update_two_expire_attributes,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgroups_upn,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgr_neg_upn,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getnamebysid,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getnamebysid_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getnamebysid_update,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getnamebycert_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getnamebycert,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getlistbycert,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getlistbycert_multi,
+ nss_subdom_test_setup,
+ nss_subdom_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyname,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyid,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyuid,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbygid_no_group,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyname_group,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyid_group,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbygid_group,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyuid_no_user,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyupn,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getsidbyname_neg,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwnam_ex,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getpwuid_ex,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrnam_ex_no_members,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_getgrgid_ex_no_members,
+ nss_test_setup, nss_test_teardown),
+ cmocka_unit_test_setup_teardown(test_nss_initgroups_ex,
+ nss_test_setup, nss_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+
+#ifdef HAVE_NSS
+ /* Cleanup NSS and NSPR to make Valgrind happy. */
+ nspr_nss_cleanup();
+#endif
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_pam_srv.c b/src/tests/cmocka/test_pam_srv.c
new file mode 100644
index 0000000..446985d
--- /dev/null
+++ b/src/tests/cmocka/test_pam_srv.c
@@ -0,0 +1,2942 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests: PAM responder tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include /* putenv */
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_resp.h"
+#include "responder/common/responder_packet.h"
+#include "responder/common/negcache.h"
+#include "responder/pam/pamsrv.h"
+#include "responder/pam/pam_helpers.h"
+#include "sss_client/pam_message.h"
+#include "sss_client/sss_cli.h"
+#include "confdb/confdb.h"
+
+#include "util/crypto/sss_crypto.h"
+#ifdef HAVE_NSS
+#include "util/crypto/nss/nss_util.h"
+#endif
+
+#ifdef HAVE_TEST_CA
+#include "tests/test_CA/SSSD_test_cert_x509_0001.h"
+#include "tests/test_CA/SSSD_test_cert_x509_0002.h"
+#else
+#define SSSD_TEST_CERT_0001 ""
+#define SSSD_TEST_CERT_0002 ""
+#endif
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_pam_conf.ldb"
+#define TEST_DOM_NAME "pam_test"
+#define TEST_SUBDOM_NAME "test.subdomain"
+#define TEST_ID_PROVIDER "ldap"
+
+#define NSS_DB_PATH TESTS_PATH
+#define NSS_DB "sql:"NSS_DB_PATH
+
+#define NSS_DB_PATH_2CERTS TESTS_PATH "_2certs"
+#define NSS_DB_2CERTS "sql:"NSS_DB_PATH_2CERTS
+#ifdef HAVE_NSS
+#define CA_DB NSS_DB
+#else
+#define CA_DB ABS_BUILD_DIR"/src/tests/test_CA/SSSD_test_CA.pem"
+#endif
+
+#define TEST_TOKEN_NAME "SSSD Test Token"
+#define TEST_KEY_ID "C554C9F82C2A9D58B70921C143304153A8A42F17"
+#ifdef HAVE_NSS
+#define TEST_MODULE_NAME "NSS-Internal"
+#define TEST_PROMPT "SSSD test cert 0001 - SSSD\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
+#define TEST2_PROMPT "SSSD test cert 0002 - SSSD\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
+#else
+#define TEST_MODULE_NAME SOFTHSM2_PATH
+#define TEST_PROMPT "SSSD test cert 0001\nCN=SSSD test cert 0001,OU=SSSD test,O=SSSD"
+#define TEST2_PROMPT "SSSD test cert 0002\nCN=SSSD test cert 0002,OU=SSSD test,O=SSSD"
+#endif
+
+#define TEST2_KEY_ID "5405842D56CF31F0BB025A695C5F3E907051C5B9"
+
+static char CACHED_AUTH_TIMEOUT_STR[] = "4";
+static const int CACHED_AUTH_TIMEOUT = 4;
+
+struct pam_test_ctx {
+ struct sss_test_ctx *tctx;
+ struct sss_domain_info *subdom;
+
+ struct resp_ctx *rctx;
+ struct cli_ctx *cctx;
+ struct sss_cmd_table *pam_cmds;
+ struct pam_ctx *pctx;
+
+ int ncache_hits;
+ int exp_pam_status;
+ bool provider_contacted;
+
+ const char *pam_user_fqdn;
+ const char *wrong_user_fqdn;
+};
+
+/* Must be global because it is needed in some wrappers */
+struct pam_test_ctx *pam_test_ctx;
+
+static errno_t setup_nss_db(void)
+{
+ int ret;
+ FILE *fp;
+ int status;
+ pid_t child_pid;
+
+ ret = mkdir(NSS_DB_PATH, 0775);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create " NSS_DB_PATH ".\n");
+ return ret;
+ }
+
+ ret = mkdir(NSS_DB_PATH_2CERTS, 0775);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Failed to create " NSS_DB_PATH_2CERTS ".\n");
+ return ret;
+ }
+
+ child_pid = fork();
+ if (child_pid == 0) { /* child */
+ ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
+ NSS_DB, NULL);
+ if (ret == -1) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "execl() failed.\n");
+ exit(-1);
+ }
+ } else if (child_pid > 0) {
+ wait(&status);
+ } else {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE, "fork() failed\n");
+ return ret;
+ }
+
+ child_pid = fork();
+ if (child_pid == 0) { /* child */
+ ret = execlp("certutil", "certutil", "-N", "--empty-password", "-d",
+ NSS_DB_2CERTS, NULL);
+ if (ret == -1) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "execl() failed.\n");
+ exit(-1);
+ }
+ } else if (child_pid > 0) {
+ wait(&status);
+ } else {
+ ret = errno;
+ DEBUG(SSSDBG_FATAL_FAILURE, "fork() failed\n");
+ return ret;
+ }
+
+ fp = fopen(NSS_DB_PATH"/pkcs11.txt", "w");
+ if (fp == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
+ return ret;
+ }
+ ret = fprintf(fp, "library=libsoftokn3.so\nname=soft\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+ ret = fclose(fp);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fclose() failed.\n");
+ return ret;
+ }
+
+ fp = fopen(NSS_DB_PATH_2CERTS"/pkcs11.txt", "w");
+ if (fp == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fopen() failed.\n");
+ return ret;
+ }
+ ret = fprintf(fp, "library=libsoftokn3.so\nname=soft\n");
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+ ret = fprintf(fp, "parameters=configdir='sql:%s/src/tests/test_CA/p11_nssdb_2certs' dbSlotDescription='SSSD Test Slot' dbTokenDescription='SSSD Test Token' secmod='secmod.db' flags=readOnly \n\n", ABS_BUILD_DIR);
+ if (ret < 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fprintf() failed.\n");
+ return ret;
+ }
+ ret = fclose(fp);
+ if (ret != 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "fclose() failed.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static void cleanup_nss_db(void)
+{
+ int ret;
+
+ ret = unlink(NSS_DB_PATH"/cert9.db");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove cert9.db.\n");
+ }
+
+ ret = unlink(NSS_DB_PATH"/key4.db");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove key4.db.\n");
+ }
+
+ ret = unlink(NSS_DB_PATH"/pkcs11.txt");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.db.\n");
+ }
+
+ ret = rmdir(NSS_DB_PATH);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
+ }
+
+ ret = unlink(NSS_DB_PATH_2CERTS"/cert9.db");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove cert9.db.\n");
+ }
+
+ ret = unlink(NSS_DB_PATH_2CERTS"/key4.db");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove key4.db.\n");
+ }
+
+ ret = unlink(NSS_DB_PATH_2CERTS"/pkcs11.txt");
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove pkcs11.db.\n");
+ }
+
+ ret = rmdir(NSS_DB_PATH_2CERTS);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to remove " NSS_DB_PATH "\n");
+ }
+}
+
+struct pam_ctx *mock_pctx(TALLOC_CTX *mem_ctx)
+{
+ struct pam_ctx *pctx;
+ errno_t ret;
+
+ pctx = talloc_zero(mem_ctx, struct pam_ctx);
+ assert_non_null(pctx);
+
+ ret = sss_hash_create(pctx, 10, &pctx->id_table);
+ assert_int_equal(ret, EOK);
+
+ /* Two NULLs so that tests can just assign a const to the first slot
+ * should they need it. The code iterates until first NULL anyway
+ */
+ pctx->app_services = talloc_zero_array(pctx, char *, 2);
+ if (pctx->app_services == NULL) {
+ talloc_free(pctx);
+ return NULL;
+ }
+
+ ret = p11_refresh_certmap_ctx(pctx, NULL);
+ assert_int_equal(ret, 0);
+
+ return pctx;
+}
+
+static int add_confdb_params(struct sss_test_conf_param params[],
+ struct confdb_ctx *cdb, const char *section)
+{
+ const char *val[2];
+ int ret;
+
+ val[1] = NULL;
+
+ for (int i = 0; params[i].key; i++) {
+ val[0] = params[i].value;
+ ret = confdb_add_param(cdb, true, section, params[i].key, val);
+ assert_int_equal(ret, EOK);
+ }
+
+ return EOK;
+}
+
+static int add_pam_params(struct sss_test_conf_param pam_params[],
+ struct confdb_ctx *cdb)
+{
+ return add_confdb_params(pam_params, cdb, CONFDB_PAM_CONF_ENTRY);
+}
+
+static int add_monitor_params(struct sss_test_conf_param monitor_params[],
+ struct confdb_ctx *cdb)
+{
+ return add_confdb_params(monitor_params, cdb, CONFDB_MONITOR_CONF_ENTRY);
+}
+
+void test_pam_setup(struct sss_test_conf_param dom_params[],
+ struct sss_test_conf_param pam_params[],
+ struct sss_test_conf_param monitor_params[],
+ void **state)
+{
+ struct cli_protocol *prctx;
+ errno_t ret;
+
+ pam_test_ctx = talloc_zero(NULL, struct pam_test_ctx);
+ assert_non_null(pam_test_ctx);
+
+ pam_test_ctx->tctx = create_dom_test_ctx(pam_test_ctx, TESTS_PATH,
+ TEST_CONF_DB, TEST_DOM_NAME,
+ TEST_ID_PROVIDER, dom_params);
+ assert_non_null(pam_test_ctx->tctx);
+
+ pam_test_ctx->pam_cmds = get_pam_cmds();
+ assert_non_null(pam_test_ctx->pam_cmds);
+
+ /* FIXME - perhaps this should be folded into sssd_domain_init or strictly
+ * used together
+ */
+ ret = sss_names_init(pam_test_ctx, pam_test_ctx->tctx->confdb,
+ TEST_DOM_NAME, &pam_test_ctx->tctx->dom->names);
+ assert_int_equal(ret, EOK);
+
+ /* Initialize the PAM responder */
+ pam_test_ctx->pctx = mock_pctx(pam_test_ctx);
+ assert_non_null(pam_test_ctx->pctx);
+
+ pam_test_ctx->rctx = mock_rctx(pam_test_ctx, pam_test_ctx->tctx->ev,
+ pam_test_ctx->tctx->dom, pam_test_ctx->pctx);
+ assert_non_null(pam_test_ctx->rctx);
+ pam_test_ctx->rctx->cdb = pam_test_ctx->tctx->confdb;
+ pam_test_ctx->pctx->rctx = pam_test_ctx->rctx;
+
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = add_monitor_params(monitor_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ /* Create client context */
+ pam_test_ctx->cctx = mock_cctx(pam_test_ctx, pam_test_ctx->rctx);
+ assert_non_null(pam_test_ctx->cctx);
+ pam_test_ctx->cctx->ev = pam_test_ctx->tctx->ev;
+
+ prctx = mock_prctx(pam_test_ctx->cctx);
+ assert_non_null(prctx);
+ pam_test_ctx->cctx->protocol_ctx = prctx;
+ prctx->cli_protocol_version = register_cli_protocol_version();
+}
+
+static void pam_test_setup_common(void)
+{
+ errno_t ret;
+
+ pam_test_ctx->pam_user_fqdn = \
+ sss_create_internal_fqname(pam_test_ctx,
+ "pamuser",
+ pam_test_ctx->tctx->dom->name);
+ assert_non_null(pam_test_ctx->pam_user_fqdn);
+
+ pam_test_ctx->wrong_user_fqdn = \
+ sss_create_internal_fqname(pam_test_ctx,
+ "wronguser",
+ pam_test_ctx->tctx->dom->name);
+ assert_non_null(pam_test_ctx->wrong_user_fqdn);
+
+ /* integer values cannot be set by pam_params */
+ pam_test_ctx->pctx->id_timeout = 5;
+
+ /* Prime the cache with a valid user */
+ ret = sysdb_add_user(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ 123, 456, "pam user",
+ "/home/pamuser", "/bin/sh", NULL,
+ NULL, 300, 0);
+ assert_int_equal(ret, EOK);
+
+ /* Add entry to the initgr cache to make sure no initgr request is sent to
+ * the backend */
+ ret = pam_initgr_cache_set(pam_test_ctx->pctx->rctx->ev,
+ pam_test_ctx->pctx->id_table,
+ discard_const("pamuser"),
+ pam_test_ctx->pctx->id_timeout);
+ assert_int_equal(ret, EOK);
+
+ /* Prime the cache with a user for wrong matches */
+ ret = sysdb_add_user(pam_test_ctx->tctx->dom,
+ pam_test_ctx->wrong_user_fqdn,
+ 321, 654, "wrong user",
+ "/home/wronguser", "/bin/sh", NULL,
+ NULL, 300, 0);
+ assert_int_equal(ret, EOK);
+
+ /* Add entry to the initgr cache to make sure no initgr request is sent to
+ * the backend */
+ ret = pam_initgr_cache_set(pam_test_ctx->pctx->rctx->ev,
+ pam_test_ctx->pctx->id_table,
+ discard_const("wronguser"),
+ pam_test_ctx->pctx->id_timeout);
+ assert_int_equal(ret, EOK);
+}
+
+static int pam_test_setup(void **state)
+{
+ struct sss_test_conf_param dom_params[] = {
+ { "enumerate", "false" },
+ { "cache_credentials", "true" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ struct sss_test_conf_param pam_params[] = {
+ { "p11_child_timeout", "30" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ struct sss_test_conf_param monitor_params[] = {
+ { "certificate_verification", "no_ocsp"},
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_pam_setup(dom_params, pam_params, monitor_params, state);
+
+ pam_test_setup_common();
+ return 0;
+}
+
+#ifdef HAVE_TEST_CA
+static int pam_test_setup_no_verification(void **state)
+{
+ struct sss_test_conf_param dom_params[] = {
+ { "enumerate", "false" },
+ { "cache_credentials", "true" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ struct sss_test_conf_param pam_params[] = {
+ { "p11_child_timeout", "30" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ struct sss_test_conf_param monitor_params[] = {
+ { "certificate_verification", "no_verification" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_pam_setup(dom_params, pam_params, monitor_params, state);
+
+ pam_test_setup_common();
+ return 0;
+}
+#endif /* HAVE_TEST_CA */
+
+static int pam_cached_test_setup(void **state)
+{
+ struct sss_test_conf_param dom_params[] = {
+ { "enumerate", "false" },
+ { "cache_credentials", "true" },
+ { "cached_auth_timeout", CACHED_AUTH_TIMEOUT_STR },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ struct sss_test_conf_param pam_params[] = {
+ { "p11_child_timeout", "30" },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ struct sss_test_conf_param monitor_params[] = {
+ { "certificate_verification", "no_ocsp"},
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ test_pam_setup(dom_params, pam_params, monitor_params, state);
+
+ pam_test_setup_common();
+ return 0;
+}
+
+static int pam_test_teardown(void **state)
+{
+ int ret;
+
+ ret = sysdb_delete_user(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn, 0);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_delete_user(pam_test_ctx->tctx->dom,
+ pam_test_ctx->wrong_user_fqdn, 0);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(pam_test_ctx);
+ return 0;
+}
+
+typedef int (*cmd_cb_fn_t)(uint32_t, uint8_t *, size_t);
+
+
+int __real_read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint8_t **buf, ssize_t *len);
+
+void __real_sss_packet_get_body(struct sss_packet *packet,
+ uint8_t **body, size_t *blen);
+
+void __wrap_sss_packet_get_body(struct sss_packet *packet,
+ uint8_t **body, size_t *blen)
+{
+ enum sss_test_wrapper_call wtype = sss_mock_type(enum sss_test_wrapper_call);
+ size_t len;
+
+ if (wtype == WRAP_CALL_REAL) {
+ return __real_sss_packet_get_body(packet, body, blen);
+ }
+
+ *body = sss_mock_ptr_type(uint8_t *);
+ len = sss_mock_type(size_t);
+ if (len == 0) {
+ len = strlen((const char *) *body) + 1;
+ }
+ *blen = len;
+ return;
+}
+
+void __real_sss_packet_get_body(struct sss_packet *packet,
+ uint8_t **body, size_t *blen);
+
+void __wrap_sss_cmd_done(struct cli_ctx *cctx, void *freectx)
+{
+ struct cli_protocol *prctx;
+ struct sss_packet *packet;
+ uint8_t *body;
+ size_t blen;
+ cmd_cb_fn_t check_cb;
+
+ prctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol);
+ packet = prctx->creq->out;
+ assert_non_null(packet);
+
+ check_cb = sss_mock_ptr_type(cmd_cb_fn_t);
+
+ __real_sss_packet_get_body(packet, &body, &blen);
+
+ pam_test_ctx->tctx->error = check_cb(sss_packet_get_status(packet),
+ body, blen);
+ pam_test_ctx->tctx->done = true;
+}
+
+enum sss_cli_command __wrap_sss_packet_get_cmd(struct sss_packet *packet)
+{
+ return sss_mock_type(enum sss_cli_command);
+}
+
+int __wrap_sss_cmd_send_empty(struct cli_ctx *cctx, TALLOC_CTX *freectx)
+{
+ pam_test_ctx->tctx->done = true;
+ pam_test_ctx->tctx->error = ENOENT;
+ return EOK;
+}
+
+static void set_cmd_cb(cmd_cb_fn_t fn)
+{
+ will_return(__wrap_sss_cmd_done, fn);
+}
+
+int __wrap_pam_dp_send_req(struct pam_auth_req *preq, int timeout)
+{
+ pam_test_ctx->provider_contacted = true;
+
+ /* Set expected status */
+ preq->pd->pam_status = pam_test_ctx->exp_pam_status;
+
+ preq->callback(preq);
+
+ return EOK;
+}
+
+static void mock_input_pam_ex(TALLOC_CTX *mem_ctx,
+ const char *name,
+ const char *pwd,
+ const char *fa2,
+ const char *svc,
+ bool contact_dp)
+{
+ size_t buf_size;
+ uint8_t *m_buf;
+ uint8_t *buf;
+ struct pam_items pi = { 0 };
+ int ret;
+ size_t needed_size;
+ uint8_t *authtok;
+ char *s_name;
+ char *dom;
+
+ if (name != NULL) {
+ pi.pam_user = name;
+ pi.pam_user_size = strlen(pi.pam_user) + 1;
+ } else {
+ pi.pam_user = "";
+ pi.pam_user_size = 0;
+ }
+
+ if (pwd != NULL) {
+ if (fa2 != NULL) {
+ ret = sss_auth_pack_2fa_blob(pwd, 0, fa2, 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EAGAIN);
+
+ authtok = talloc_size(mem_ctx, needed_size);
+ assert_non_null(authtok);
+
+ ret = sss_auth_pack_2fa_blob(pwd, 0, fa2, 0, authtok,
+ needed_size, &needed_size);
+ assert_int_equal(ret, EOK);
+
+ pi.pam_authtok = (char *) authtok;
+ pi.pam_authtok_size = needed_size;
+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_2FA;
+ } else {
+ pi.pam_authtok = discard_const(pwd);
+ pi.pam_authtok_size = strlen(pi.pam_authtok) + 1;
+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ }
+ }
+
+ if (svc == NULL) {
+ svc = "pam_test_service";
+ }
+ pi.pam_service = svc;
+ pi.pam_service_size = strlen(pi.pam_service) + 1;
+ pi.pam_tty = "/dev/tty";
+ pi.pam_tty_size = strlen(pi.pam_tty) + 1;
+ pi.pam_ruser = "remuser";
+ pi.pam_ruser_size = strlen(pi.pam_ruser) + 1;
+ pi.pam_rhost = "remhost";
+ pi.pam_rhost_size = strlen(pi.pam_rhost) + 1;
+ pi.requested_domains = "";
+ pi.cli_pid = 12345;
+
+ ret = pack_message_v3(&pi, &buf_size, &m_buf);
+ assert_int_equal(ret, 0);
+
+ buf = talloc_memdup(mem_ctx, m_buf, buf_size);
+ free(m_buf);
+ assert_non_null(buf);
+
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_packet_get_body, buf);
+ will_return(__wrap_sss_packet_get_body, buf_size);
+
+ if (strrchr(name, '@') == NULL) {
+ mock_parse_inp(name, NULL, EOK);
+ } else {
+ ret = sss_parse_internal_fqname(mem_ctx, name, &s_name, &dom);
+ mock_parse_inp(s_name, dom, EOK);
+ }
+
+ if (contact_dp) {
+ mock_account_recv_simple();
+ }
+}
+
+static void mock_input_pam(TALLOC_CTX *mem_ctx,
+ const char *name,
+ const char *pwd,
+ const char *fa2)
+{
+ return mock_input_pam_ex(mem_ctx, name, pwd, fa2, NULL, true);
+}
+
+static void mock_input_pam_cert(TALLOC_CTX *mem_ctx, const char *name,
+ const char *pin, const char *token_name,
+ const char *module_name, const char *key_id,
+ const char *service,
+ acct_cb_t acct_cb, const char *cert,
+ bool only_one_provider_call)
+{
+ size_t buf_size;
+ uint8_t *m_buf;
+ uint8_t *buf;
+ struct pam_items pi = { 0 };
+ int ret;
+ bool already_mocked = false;
+ size_t needed_size;
+
+ if (name != NULL) {
+ pi.pam_user = name;
+ pi.pam_user_size = strlen(pi.pam_user) + 1;
+ } else {
+ pi.pam_user = "";
+ pi.pam_user_size = 0;
+ }
+
+ if (pin != NULL) {
+ ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0,
+ key_id, 0, NULL, 0, &needed_size);
+ assert_int_equal(ret, EAGAIN);
+
+ pi.pam_authtok = malloc(needed_size);
+ assert_non_null(pi.pam_authtok);
+
+ ret = sss_auth_pack_sc_blob(pin, 0, token_name, 0, module_name, 0,
+ key_id, 0,
+ (uint8_t *)pi.pam_authtok, needed_size,
+ &needed_size);
+ assert_int_equal(ret, EOK);
+
+ pi.pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
+ pi.pam_authtok_size = needed_size;
+ }
+
+ pi.pam_service = service == NULL ?
"login" : service; + pi.pam_service_size = strlen(pi.pam_service) + 1; + pi.pam_tty = "/dev/tty"; + pi.pam_tty_size = strlen(pi.pam_tty) + 1; + pi.pam_ruser = "remuser"; + pi.pam_ruser_size = strlen(pi.pam_ruser) + 1; + pi.pam_rhost = "remhost"; + pi.pam_rhost_size = strlen(pi.pam_rhost) + 1; + pi.requested_domains = ""; + pi.cli_pid = 12345; + + ret = pack_message_v3(&pi, &buf_size, &m_buf); + free(pi.pam_authtok); + assert_int_equal(ret, 0); + + buf = talloc_memdup(mem_ctx, m_buf, buf_size); + free(m_buf); + assert_non_null(buf); + + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, buf); + will_return(__wrap_sss_packet_get_body, buf_size); + + if (acct_cb != NULL) { + mock_account_recv(0, 0, NULL, acct_cb, discard_const(cert)); + already_mocked = true; + } + + if (name != NULL) { + mock_parse_inp(name, NULL, EOK); + if (!(only_one_provider_call && already_mocked)) { + mock_account_recv_simple(); + } + } +} + +static int test_pam_simple_check(uint32_t status, uint8_t *body, size_t blen) +{ + size_t rp = 0; + uint32_t val; + + assert_int_equal(status, 0); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, pam_test_ctx->exp_pam_status); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 1); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_DOMAIN_NAME); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 9); + + assert_int_equal(*(body + rp + val - 1), 0); + assert_string_equal(body + rp, TEST_DOM_NAME); + + return EOK; +} + +#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME" + +static int test_pam_cert_check_gdm_smartcard(uint32_t status, uint8_t *body, + size_t blen) +{ + size_t rp = 0; + uint32_t val; + + assert_int_equal(status, 0); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, pam_test_ctx->exp_pam_status); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + 
assert_int_equal(val, 3); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_DOMAIN_NAME); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 9); + + assert_int_equal(*(body + rp + val - 1), 0); + assert_string_equal(body + rp, TEST_DOM_NAME); + rp += val; + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_ENV_ITEM); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, (strlen(PKCS11_LOGIN_TOKEN_ENV_NAME "=") + + sizeof(TEST_TOKEN_NAME))); + assert_string_equal(body + rp, + PKCS11_LOGIN_TOKEN_ENV_NAME "=" TEST_TOKEN_NAME); + rp += val; + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_CERT_INFO); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, (sizeof("pamuser@"TEST_DOM_NAME) + + sizeof(TEST_TOKEN_NAME) + + sizeof(TEST_MODULE_NAME) + + sizeof(TEST_KEY_ID) + + sizeof(TEST_PROMPT))); + + assert_int_equal(*(body + rp + sizeof("pamuser@"TEST_DOM_NAME) - 1), 0); + assert_string_equal(body + rp, "pamuser@"TEST_DOM_NAME); + rp += sizeof("pamuser@"TEST_DOM_NAME); + + assert_int_equal(*(body + rp + sizeof(TEST_TOKEN_NAME) - 1), 0); + assert_string_equal(body + rp, TEST_TOKEN_NAME); + rp += sizeof(TEST_TOKEN_NAME); + + assert_int_equal(*(body + rp + sizeof(TEST_MODULE_NAME) - 1), 0); + assert_string_equal(body + rp, TEST_MODULE_NAME); + rp += sizeof(TEST_MODULE_NAME); + + assert_int_equal(*(body + rp + sizeof(TEST_KEY_ID) - 1), 0); + assert_string_equal(body + rp, TEST_KEY_ID); + rp += sizeof(TEST_KEY_ID); + + assert_int_equal(*(body + rp + sizeof(TEST_PROMPT) - 1), 0); + assert_string_equal(body + rp, TEST_PROMPT); + rp += sizeof(TEST_PROMPT); + + assert_int_equal(rp, blen); + return EOK; +} + +static void check_string_array(const char **strs, uint8_t *body, size_t *rp) +{ + size_t c; + + for (c = 0; strs[c] != NULL; c++) { + assert_int_equal(*(body + *rp + strlen(strs[c])), 0); + assert_string_equal(body + *rp, 
strs[c]); + *rp += strlen(strs[c]) + 1; + } +} + +static size_t check_string_array_len(const char **strs) +{ + size_t c; + size_t sum = 0; + + for (c = 0; strs[c] != NULL; c++) { + sum += strlen(strs[c]) + 1; + } + + return sum; +} + +static int test_pam_cert_check_ex(uint32_t status, uint8_t *body, size_t blen, + enum response_type type, const char *name, + const char *name2) +{ + size_t rp = 0; + uint32_t val; + bool test2_first = false; + + size_t check_len = 0; + char const *check_strings[] = { NULL, + TEST_TOKEN_NAME, + TEST_MODULE_NAME, + TEST_KEY_ID, + TEST_PROMPT, + NULL }; + + size_t check2_len = 0; + char const *check2_strings[] = { NULL, + TEST_TOKEN_NAME, + TEST_MODULE_NAME, + TEST2_KEY_ID, + TEST2_PROMPT, + NULL }; + + assert_int_equal(status, 0); + + check_strings[0] = name; + check_len = check_string_array_len(check_strings); + check2_strings[0] = name; + check2_len = check_string_array_len(check2_strings); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, pam_test_ctx->exp_pam_status); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + if (name == NULL || *name == '\0') { + assert_int_equal(val, 1); + } else { + if (name2 == NULL || *name2 == '\0') { + assert_int_equal(val, 2); + } else { + assert_int_equal(val, 3); + } + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, SSS_PAM_DOMAIN_NAME); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, 9); + + assert_int_equal(*(body + rp + val - 1), 0); + assert_string_equal(body + rp, TEST_DOM_NAME); + rp += val; + } + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + assert_int_equal(val, type); + + SAFEALIGN_COPY_UINT32(&val, body + rp, &rp); + + /* look ahead to check if the certificate #2 comes first */ + if (name2 != NULL && *name2 != '\0' + && val == check2_len + && strncmp((char *) body + rp + strlen(name) + 1 + + sizeof(TEST_TOKEN_NAME) + + sizeof(TEST_MODULE_NAME), + TEST2_KEY_ID, + sizeof(TEST2_KEY_ID)) == 0 ) { + test2_first = true; 
+
+ assert_int_equal(val, check2_len);
+
+ check_string_array(check2_strings, body, &rp);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, type);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ }
+
+ assert_int_equal(val, check_len);
+
+ check_string_array(check_strings, body, &rp);
+
+ if (name2 != NULL && *name2 != '\0' && !test2_first) {
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, type);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, check2_len);
+
+ check_string_array(check2_strings, body, &rp);
+ }
+
+ assert_int_equal(rp, blen);
+
+ return EOK;
+}
+
+static int test_pam_cert_check(uint32_t status, uint8_t *body, size_t blen)
+{
+ return test_pam_cert_check_ex(status, body, blen,
+ SSS_PAM_CERT_INFO, "pamuser@"TEST_DOM_NAME,
+ NULL);
+}
+
+static int test_pam_cert_check_auth_success(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ assert_int_equal(pam_test_ctx->exp_pam_status, PAM_BAD_ITEM);
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+ return test_pam_cert_check_ex(status, body, blen,
+ SSS_PAM_CERT_INFO, "pamuser@"TEST_DOM_NAME,
+ NULL);
+}
+
+static int test_pam_cert_check_with_hint(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ return test_pam_cert_check_ex(status, body, blen,
+ SSS_PAM_CERT_INFO_WITH_HINT,
+ "pamuser@"TEST_DOM_NAME, NULL);
+}
+
+static int test_pam_cert_check_with_hint_no_user(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ return test_pam_cert_check_ex(status, body, blen,
+ SSS_PAM_CERT_INFO_WITH_HINT, "", NULL);
+}
+
+static int test_pam_cert_check_2certs(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ return test_pam_cert_check_ex(status, body, blen,
+ SSS_PAM_CERT_INFO, "pamuser@"TEST_DOM_NAME,
+ "pamuser@"TEST_DOM_NAME);
+}
+
+static int test_pam_offline_chauthtok_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHTOK_ERR;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, pam_test_ctx->exp_pam_status);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 2);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_DOMAIN_NAME);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 9);
+
+ assert_int_equal(*(body + rp + val - 1), 0);
+ assert_string_equal(body + rp, TEST_DOM_NAME);
+ rp += val;
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_USER_INFO);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 4);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, SSS_PAM_USER_INFO_OFFLINE_CHPASS);
+
+ return EOK;
+}
+
+
+static int test_pam_failed_offline_auth_check(uint32_t status, uint8_t *body,
+ size_t blen)
+{
+ pam_test_ctx->exp_pam_status = PAM_PERM_DENIED;
+ return test_pam_simple_check(status, body, blen);
+}
+
+static int test_pam_successful_offline_auth_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+ return test_pam_simple_check(status, body, blen);
+}
+
+static int test_pam_successful_cached_auth_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+ return test_pam_simple_check(status, body, blen);
+}
+
+static int test_pam_wrong_pw_offline_auth_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ pam_test_ctx->exp_pam_status = PAM_AUTH_ERR;
+ return test_pam_simple_check(status, body, blen);
+}
+
+static int test_pam_simple_check_success(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+ return test_pam_simple_check(status, body, blen);
+}
+
+static int test_pam_creds_insufficient_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, PAM_CRED_INSUFFICIENT);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 0);
+
+ return EOK;
+}
+
+static int test_pam_user_unknown_check(uint32_t status,
+ uint8_t *body, size_t blen)
+{
+ size_t rp = 0;
+ uint32_t val;
+
+ assert_int_equal(status, 0);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, PAM_USER_UNKNOWN);
+
+ SAFEALIGN_COPY_UINT32(&val, body + rp, &rp);
+ assert_int_equal(val, 0);
+
+ return EOK;
+}
+
+void test_pam_authenticate(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_setcreds(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_SETCRED);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_SETCRED,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_acct_mgmt(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_ACCT_MGMT);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_ACCT_MGMT,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_open_session(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_OPEN_SESSION);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* make sure pam_status is not touched by setting it to a value which is
+ * not used by SSSD. */
+ pam_test_ctx->exp_pam_status = _PAM_RETURN_VALUES;
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_OPEN_SESSION,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_close_session(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CLOSE_SESSION);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CLOSE_SESSION,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_chauthtok(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_chauthtok_prelim(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK_PRELIM);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK_PRELIM,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Cached on-line authentication */
+
+static void common_test_pam_cached_auth(const char *pwd)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", pwd, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_SUCCESS;
+ set_cmd_cb(test_pam_successful_cached_auth_check);
+
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cached_auth_success(void **state)
+{
+ int ret;
+
+ common_test_pam_cached_auth("12345");
+
+ /* Back end should be contacted */
+ assert_true(pam_test_ctx->provider_contacted);
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ /* Reset before next call */
+ pam_test_ctx->provider_contacted = false;
+
+ pam_test_ctx->tctx->done = false;
+
+ common_test_pam_cached_auth("12345");
+
+ /* Back end should not be contacted */
+ assert_false(pam_test_ctx->provider_contacted);
+}
+
+void test_pam_cached_auth_wrong_pw(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ time(NULL));
+ assert_int_equal(ret, EOK);
+
+ common_test_pam_cached_auth("11111");
+
+ /* Back end should be contacted */
+ assert_true(pam_test_ctx->provider_contacted);
+}
+
+/* test cached_auth_timeout option */
+void test_pam_cached_auth_opt_timeout(void **state)
+{
+ int ret;
+ uint64_t last_online;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ last_online = time(NULL) - CACHED_AUTH_TIMEOUT - 1;
+ ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ last_online);
+ assert_int_equal(ret, EOK);
+
+ common_test_pam_cached_auth("12345");
+
+ /* Back end should be contacted */
+ assert_true(pam_test_ctx->provider_contacted);
+}
+
+/* too long since last on-line authentication */
+void test_pam_cached_auth_timeout(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ 0);
+ assert_int_equal(ret, EOK);
+
+ common_test_pam_cached_auth("12345");
+
+ /* Back end should be contacted */
+ assert_true(pam_test_ctx->provider_contacted);
+}
+
+void test_pam_cached_auth_success_combined_pw_with_cached_2fa(void **state)
+{
+ int ret;
+
+ common_test_pam_cached_auth("12345678");
+
+ assert_true(pam_test_ctx->provider_contacted);
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
+
+ assert_int_equal(ret, EOK);
+
+ /* Reset before next call */
+ pam_test_ctx->provider_contacted = false;
+
+ pam_test_ctx->tctx->done = false;
+
+ common_test_pam_cached_auth("12345678");
+
+ assert_false(pam_test_ctx->provider_contacted);
+}
+
+void test_pam_cached_auth_failed_combined_pw_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+ ret = pam_set_last_online_auth_with_curr_token(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ time(NULL));
+ assert_int_equal(ret, EOK);
+
+ common_test_pam_cached_auth("1111abcde");
+
+ assert_true(pam_test_ctx->provider_contacted);
+}
+
+/* Off-line authentication */
+
+void test_pam_offline_auth_no_hash(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_failed_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_success(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_successful_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_wrong_pw(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "11111", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_success_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345", "abcde");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_successful_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_failed_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "11111", "abcde");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_success_2fa_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345",
+ SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345", "abcde");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_successful_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_failed_2fa_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345",
+ SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "11111", "abcde");
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_success_pw_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345",
+ SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_successful_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_failed_pw_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345",
+ SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "11111", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_success_combined_pw_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345678abcde", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_successful_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_failed_combined_pw_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "11111111abcde", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_auth_failed_wrong_2fa_size_with_cached_2fa(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password_ex(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345678", SSS_AUTHTOK_TYPE_2FA, 5);
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam(pam_test_ctx, "pamuser", "12345678abcd", NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_wrong_pw_offline_auth_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_chauthtok_prelim(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK_PRELIM);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_offline_chauthtok_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK_PRELIM,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_offline_chauthtok(void **state)
+{
+ int ret;
+
+ mock_input_pam(pam_test_ctx, "pamuser", NULL, NULL);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_CHAUTHTOK);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ pam_test_ctx->exp_pam_status = PAM_AUTHINFO_UNAVAIL;
+
+ set_cmd_cb(test_pam_offline_chauthtok_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_CHAUTHTOK,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_no_logon_name(void **state)
+{
+ int ret;
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_creds_insufficient_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_auth_no_upn_logon_name(void **state)
+{
+ int ret;
+
+ ret = sysdb_cache_password(pam_test_ctx->tctx->dom,
+ pam_test_ctx->pam_user_fqdn,
+ "12345");
+ assert_int_equal(ret, EOK);
+
+ mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL,
+ true);
+ mock_account_recv_simple(); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN; + set_cmd_cb(test_pam_simple_check); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_pam_auth_upn_logon_name(void **state) +{ + int ret; + struct sysdb_attrs *attrs; + + ret = sysdb_cache_password(pam_test_ctx->tctx->dom, + pam_test_ctx->pam_user_fqdn, + "12345"); + assert_int_equal(ret, EOK); + attrs = sysdb_new_attrs(pam_test_ctx); + assert_non_null(attrs); + ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, "upn@"TEST_DOM_NAME); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, + pam_test_ctx->pam_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + assert_int_equal(ret, EOK); + + mock_input_pam_ex(pam_test_ctx, "upn@"TEST_DOM_NAME, "12345", NULL, NULL, + true); + mock_account_recv_simple(); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_successful_offline_auth_check); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + + +static void set_cert_auth_param(struct pam_ctx *pctx, const char *dbpath) +{ + pam_test_ctx->pctx->cert_auth = true; + pam_test_ctx->pctx->nss_db = discard_const(dbpath); +} + +void test_pam_preauth_cert_nocert(void **state) +{ + int ret; + +#ifdef HAVE_NSS + set_cert_auth_param(pam_test_ctx->pctx, "/no/path"); +#else + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); +#endif + + + mock_input_pam_cert(pam_test_ctx, 
"pamuser", NULL, NULL, NULL, NULL, NULL, + NULL, NULL, false); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_simple_check); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static int test_lookup_by_cert_cb(void *pvt) +{ + int ret; + struct sysdb_attrs *attrs; + unsigned char *der = NULL; + size_t der_size; + + if (pvt != NULL) { + + attrs = sysdb_new_attrs(pam_test_ctx); + assert_non_null(attrs); + + der = sss_base64_decode(pam_test_ctx, pvt, &der_size); + assert_non_null(der); + + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); + talloc_free(der); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, + pam_test_ctx->pam_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + assert_int_equal(ret, EOK); + } + + return EOK; +} + +static int test_lookup_by_cert_cb_2nd_cert_same_user(void *pvt) +{ + int ret; + struct sysdb_attrs *attrs; + unsigned char *der = NULL; + size_t der_size; + + test_lookup_by_cert_cb(pvt); + + attrs = sysdb_new_attrs(pam_test_ctx); + assert_non_null(attrs); + + der = sss_base64_decode(pam_test_ctx, SSSD_TEST_CERT_0002, &der_size); + assert_non_null(der); + + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); + talloc_free(der); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, + pam_test_ctx->pam_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + assert_int_equal(ret, EOK); + + return EOK; +} + +static int test_lookup_by_cert_double_cb(void *pvt) +{ + int ret; + struct sysdb_attrs *attrs; + unsigned char *der = NULL; + size_t der_size; + + if (pvt != NULL) { + + ret = test_lookup_by_cert_cb(pvt); + assert_int_equal(ret, EOK); + + attrs = 
sysdb_new_attrs(pam_test_ctx); + assert_non_null(attrs); + + der = sss_base64_decode(pam_test_ctx, pvt, &der_size); + assert_non_null(der); + + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); + talloc_free(der); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, + pam_test_ctx->wrong_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + assert_int_equal(ret, EOK); + } + + return EOK; +} + +static int test_lookup_by_cert_wrong_user_cb(void *pvt) +{ + int ret; + struct sysdb_attrs *attrs; + unsigned char *der = NULL; + size_t der_size; + + if (pvt != NULL) { + attrs = sysdb_new_attrs(pam_test_ctx); + assert_non_null(attrs); + + der = sss_base64_decode(pam_test_ctx, pvt, &der_size); + assert_non_null(der); + + ret = sysdb_attrs_add_mem(attrs, SYSDB_USER_MAPPED_CERT, der, der_size); + talloc_free(der); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(pam_test_ctx->tctx->dom, + pam_test_ctx->wrong_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + assert_int_equal(ret, EOK); + } + + return EOK; +} + + +void test_pam_preauth_cert_nomatch(void **state) +{ + int ret; + +#ifndef HAVE_NSS + putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_one.conf")); +#endif + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL, + test_lookup_by_cert_cb, NULL, false); + + will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_pam_simple_check); + ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH, + pam_test_ctx->pam_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(pam_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_pam_preauth_cert_match(void **state) +{ + int ret; + + set_cert_auth_param(pam_test_ctx->pctx, CA_DB); + + mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, 
NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+/* Test if PKCS11_LOGIN_TOKEN_NAME is added for the gdm-smartcard service */
+void test_pam_preauth_cert_match_gdm_smartcard(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL,
+ "gdm-smartcard", test_lookup_by_cert_cb,
+ SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check_gdm_smartcard);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_match_wrong_user(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_wrong_user_cb,
+ SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+
+void test_pam_preauth_cert_no_logon_name(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ /* If no logon name is given the user is looked by certificate first.
+ * Since there is a matching user the upcoming lookup by name will find
+ * the user entry. But since we force the lookup by name to go to the
+ * backend to make sure the group-membership data is up to date the
+ * backend response has to be mocked twice.
+ * Additionally sss_parse_inp_recv() must be mocked because the cache
+ * request will be done with the username found by the certificate
+ * lookup. */
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+ mock_account_recv_simple();
+ mock_parse_inp("pamuser", NULL, EOK);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_no_logon_name_with_hint(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ pam_test_ctx->rctx->domains->user_name_hint = true;
+
+ /* If no logon name is given the user is looked by certificate first.
+ * Since user name hint is enabled we do not have to search the user
+ * during pre-auth and there is no need for an extra mocked response as in
+ * test_pam_preauth_cert_no_logon_name. */
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check_with_hint);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_no_logon_name_double_cert(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_creds_insufficient_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_no_logon_name_double_cert_with_hint(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ pam_test_ctx->rctx->domains->user_name_hint = true;
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check_with_hint_no_user);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_no_cert_no_logon_name(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, "/no/path");
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
+ NULL, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_user_unknown_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_preauth_cert_no_logon_name_no_match(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ mock_input_pam_cert(pam_test_ctx, NULL, NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, NULL, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_user_unknown_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ /* Here the last option must be set to true because the backend is only
+ * connected once. During authentication the backend is connected first to
+ * see if it can handle Smartcard authentication, but before that the user
+ * is looked up. Since the first mocked reply already adds the certificate
+ * to the user entry the lookup by certificate will already find the user
+ * in the cache and no second request to the backend is needed. */
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_no_logon_name(void **state)
+{
+ int ret;
+
+#ifndef HAVE_NSS
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_one.conf"));
+#endif
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ /* Here the last option must be set to true because the backend is only
+ * connected once. During authentication the backend is connected first to
+ * see if it can handle Smartcard authentication, but before that the user
+ * is looked up. Since the first mocked reply already adds the certificate
+ * to the user entry the lookup by certificate will already find the user
+ * in the cache and no second request to the backend is needed. */
+ mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_cb, SSSD_TEST_CERT_0001, true);
+
+ mock_account_recv_simple();
+ mock_parse_inp("pamuser", NULL, EOK);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_cert_check_auth_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_no_logon_name_no_key_id(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ /* Here the last option must be set to true because the backend is only
+ * connected once. During authentication the backend is connected first to
+ * see if it can handle Smartcard authentication, but before that the user
+ * is looked up. Since the first mocked reply already adds the certificate
+ * to the user entry the lookup by certificate will already find the user
+ * in the cache and no second request to the backend is needed. */
+ mock_input_pam_cert(pam_test_ctx, NULL, "123456", "SSSD Test Token",
+ TEST_MODULE_NAME, NULL, NULL,
+ NULL, NULL, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_creds_insufficient_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_auth_double_cert(void **state)
+{
+ int ret;
+
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", "123456", "SSSD Test Token",
+ TEST_MODULE_NAME,
+ "C554C9F82C2A9D58B70921C143304153A8A42F17", NULL,
+ test_lookup_by_cert_double_cb, SSSD_TEST_CERT_0001,
+ true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ /* Assume backend cannot handle Smartcard credentials */
+ pam_test_ctx->exp_pam_status = PAM_BAD_ITEM;
+
+ set_cmd_cb(test_pam_simple_check_success);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_preauth_2certs_one_mapping(void **state)
+{
+ int ret;
+
+#ifdef HAVE_NSS
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
+#else
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
+#endif
+
+ ret = test_lookup_by_cert_cb(discard_const(SSSD_TEST_CERT_0001));
+ assert_int_equal(ret, EOK);
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb, NULL, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_pam_cert_preauth_2certs_two_mappings(void **state)
+{
+ int ret;
+
+#ifdef HAVE_NSS
+ set_cert_auth_param(pam_test_ctx->pctx, NSS_DB_2CERTS);
+#else
+ set_cert_auth_param(pam_test_ctx->pctx, CA_DB);
+ putenv(discard_const("SOFTHSM2_CONF=" ABS_BUILD_DIR "/src/tests/test_CA/softhsm2_two.conf"));
+#endif
+
+ mock_input_pam_cert(pam_test_ctx, "pamuser", NULL, NULL, NULL, NULL, NULL,
+ test_lookup_by_cert_cb_2nd_cert_same_user,
+ SSSD_TEST_CERT_0001, false);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_PREAUTH);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_cert_check_2certs);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_PREAUTH,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_filter_response(void **state)
+{
+ int ret;
+ struct pam_data *pd;
+ uint8_t offline_auth_data[(sizeof(uint32_t) + sizeof(int64_t))];
+ uint32_t info_type;
+ char *env;
+
+ struct sss_test_conf_param pam_params[] = {
+ { CONFDB_PAM_VERBOSITY, "1" },
+ { CONFDB_PAM_RESPONSE_FILTER, NULL },
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ pd = talloc_zero(pam_test_ctx, struct pam_data);
+ assert_non_null(pd);
+
+ pd->service = discard_const("MyService");
+
+ env = talloc_asprintf(pd, "%s=%s", "MyEnv", "abcdef");
+ assert_non_null(env);
+
+ ret = pam_add_response(pd, SSS_PAM_ENV_ITEM,
+ strlen(env) + 1, (uint8_t *) env);
+ assert_int_equal(ret, EOK);
+
+ info_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
+ memset(offline_auth_data, 0, sizeof(offline_auth_data));
+ memcpy(offline_auth_data, &info_type, sizeof(uint32_t));
+ ret = pam_add_response(pd, SSS_PAM_USER_INFO,
+ sizeof(offline_auth_data), offline_auth_data);
+ assert_int_equal(ret, EOK);
+
+ /* pd->resp_list points to the SSS_PAM_USER_INFO and pd->resp_list->next
+ * to the SSS_PAM_ENV_ITEM message. */
+
+
+ /* Test CONFDB_PAM_VERBOSITY option */
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ /* SSS_PAM_USER_INFO_OFFLINE_AUTH message will only be shown with
+ * pam_verbosity 2 or above if cache password never expires. */
+ pam_params[0].value = "2";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_false(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[0].value = "0";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ /* Test CONFDB_PAM_RESPONSE_FILTER option */
+ pam_params[1].value = "NoSuchOption";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV"; /* filter all environment variables */
+ /* for all services */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:"; /* filter all environment variables */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV::"; /* filter all environment variables */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:abc:"; /* variable name does not match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:abc:MyService"; /* variable name does not match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV::abc"; /* service name does not match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ /* service name does not match */
+ pam_params[1].value = "ENV:MyEnv:abc";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_false(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:MyEnv"; /* match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:MyEnv:"; /* match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ pam_params[1].value = "ENV:MyEnv:MyService"; /* match */
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ /* multiple rules with a match */
+ pam_params[1].value = "ENV:abc:def, "
+ "ENV:MyEnv:MyService, "
+ "ENV:stu:xyz";
+ ret = add_pam_params(pam_params, pam_test_ctx->rctx->cdb);
+ assert_int_equal(ret, EOK);
+
+ ret = filter_responses(pam_test_ctx->rctx->cdb, pd->resp_list, pd);
+ assert_int_equal(ret, EOK);
+ assert_true(pd->resp_list->do_not_send_to_client);
+ assert_true(pd->resp_list->next->do_not_send_to_client);
+
+ talloc_free(pd);
+}
+
+static int pam_test_setup_appsvc_posix_dom(void **state)
+{
+ int ret;
+
+ ret = pam_test_setup(state);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ /* This config option is only read on startup, which is not executed
+ * in test, so we can't just pass in a param
+ */
+ pam_test_ctx->pctx->app_services[0] = discard_const("app_svc");
+ return 0;
+}
+
+void test_appsvc_posix_dom(void **state)
+{
+ int ret;
+
+ /* The domain is POSIX, the request will skip over it */
+ mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", false);
+ pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_user_unknown_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_not_appsvc_posix_dom(void **state)
+{
+ int ret;
+
+ /* A different service than the app one can authenticate against a POSIX domain */
+ mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+static int pam_test_setup_appsvc_app_dom(void **state)
+{
+ struct sss_test_conf_param dom_params[] = {
+ { "domain_type", "application" },
+ { NULL, NULL }, /* Sentinel */
+ };
+ struct sss_test_conf_param pam_params[] = {
+ { NULL, NULL }, /* Sentinel */
+ };
+ struct sss_test_conf_param monitor_params[] = {
+ { NULL, NULL }, /* Sentinel */
+ };
+
+
+ test_pam_setup(dom_params, pam_params, monitor_params, state);
+ pam_test_setup_common();
+
+ /* This config option is only read on startup, which is not executed
+ * in test, so we can't just pass in a param
+ */
+ pam_test_ctx->pctx->app_services[0] = discard_const("app_svc");
+ return 0;
+}
+
+void test_appsvc_app_dom(void **state)
+{
+ int ret;
+
+ /* The domain is POSIX, the request will skip over it */
+ mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "app_svc", true);
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_simple_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ /* Wait until the test finishes with EOK */
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void test_not_appsvc_app_dom(void **state)
+{
+ int ret;
+
+ /* A different service than the app one can authenticate against a POSIX domain */
+ mock_input_pam_ex(pam_test_ctx, "pamuser", NULL, NULL, "not_app_svc", false);
+
+ pam_test_ctx->exp_pam_status = PAM_USER_UNKNOWN;
+
+ will_return(__wrap_sss_packet_get_cmd, SSS_PAM_AUTHENTICATE);
+ will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL);
+
+ set_cmd_cb(test_pam_user_unknown_check);
+ ret = sss_cmd_execute(pam_test_ctx->cctx, SSS_PAM_AUTHENTICATE,
+ pam_test_ctx->pam_cmds);
+ assert_int_equal(ret, EOK);
+
+ ret = test_ev_loop(pam_test_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_pam_authenticate,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_setcreds,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_acct_mgmt,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_open_session,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_close_session,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_chauthtok,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_chauthtok_prelim,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_no_hash,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_success,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_wrong_pw,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_success_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_auth_failed_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_success_2fa_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_failed_2fa_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_success_pw_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_failed_pw_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_success_combined_pw_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_failed_combined_pw_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_offline_auth_failed_wrong_2fa_size_with_cached_2fa,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok_prelim,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_offline_chauthtok,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_no_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_auth_no_upn_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_auth_upn_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_success,
+ pam_cached_test_setup,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_wrong_pw,
+ pam_cached_test_setup,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_opt_timeout,
+ pam_cached_test_setup,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_timeout,
+ pam_cached_test_setup,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_success_combined_pw_with_cached_2fa,
+ pam_cached_test_setup,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cached_auth_failed_combined_pw_with_cached_2fa,
+ pam_cached_test_setup,
+ pam_test_teardown),
+#ifdef HAVE_TEST_CA
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nocert,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_nomatch,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_gdm_smartcard,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_match_wrong_user,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_cert_no_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_preauth_cert_no_logon_name_with_hint,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_preauth_cert_no_logon_name_double_cert,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_preauth_cert_no_logon_name_double_cert_with_hint,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_preauth_no_cert_no_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(
+ test_pam_preauth_cert_no_logon_name_no_match,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth,
+ pam_test_setup_no_verification,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_double_cert,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_one_mapping,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_preauth_2certs_two_mappings,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_pam_cert_auth_no_logon_name_no_key_id,
+ pam_test_setup, pam_test_teardown),
+#endif /* HAVE_TEST_CA */
+
+ cmocka_unit_test_setup_teardown(test_filter_response,
+ pam_test_setup, pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_appsvc_posix_dom,
+ pam_test_setup_appsvc_posix_dom,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_not_appsvc_posix_dom,
+ pam_test_setup_appsvc_posix_dom,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_appsvc_app_dom,
+ pam_test_setup_appsvc_app_dom,
+ pam_test_teardown),
+ cmocka_unit_test_setup_teardown(test_not_appsvc_app_dom,
+ pam_test_setup_appsvc_posix_dom,
+ pam_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ cleanup_nss_db();
+ rv = setup_nss_db();
+ if (rv != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "setup_nss_db failed.\n");
+ exit(-1);
+ }
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ cleanup_nss_db();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+
+#ifdef HAVE_NSS
+ /* Cleanup NSS and NSPR to make Valgrind happy. */
+ nspr_nss_cleanup();
+#endif
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_resolv_fake.c b/src/tests/cmocka/test_resolv_fake.c
new file mode 100644
index 0000000..4cb3d40
--- /dev/null
+++ b/src/tests/cmocka/test_resolv_fake.c
@@ -0,0 +1,401 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: Resolver tests using a fake resolver library
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+#include "resolv/async_resolv.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_resp.h"
+
+#define TEST_BUFSIZE 1024
+#define TEST_DEFAULT_TIMEOUT 5
+#define TEST_SRV_QUERY "_ldap._tcp.sssd.com"
+
+static TALLOC_CTX *global_mock_context = NULL;
+
+struct srv_rrdata {
+ uint16_t port;
+ uint16_t prio;
+ uint16_t weight;
+ uint32_t ttl;
+ const char *hostname;
+};
+
+static ssize_t dns_header(unsigned char **buf, size_t ancount)
+{
+ uint8_t *hb;
+ HEADER h;
+
+ hb = *buf;
+ memset(hb, 0, NS_HFIXEDSZ);
+ memset(&h, 0, sizeof(h));
+
+ h.id = res_randomid(); /* random query ID */
+ h.qr = 1; /* response flag */
+ h.rd = 1; /* recursion desired */
+ h.ra = 1; /* recursion available */
+
+ h.qdcount = htons(1); /* no. of questions */
+ h.ancount = htons(ancount); /* no. of answers */
+ h.arcount = htons(0); /* no.
of add'tl records */
+ memcpy(hb, &h, sizeof(h));
+
+ hb += NS_HFIXEDSZ; /* move past the header */
+ *buf = hb;
+
+ return NS_HFIXEDSZ;
+}
+
+static ssize_t dns_question(const char *question,
+ uint16_t type,
+ uint8_t **question_ptr,
+ size_t remaining)
+{
+ unsigned char *qb = *question_ptr;
+ int n;
+
+ n = ns_name_compress(question, qb, remaining, NULL, NULL);
+ assert_true(n > 0);
+
+ qb += n;
+ remaining -= n;
+
+ NS_PUT16(type, qb);
+ NS_PUT16(ns_c_in, qb);
+
+ *question_ptr = qb;
+ return n + 2 * sizeof(uint16_t);
+}
+
+static ssize_t add_rr_common(uint16_t type,
+ uint32_t ttl,
+ size_t rdata_size,
+ const char *key,
+ size_t remaining,
+ uint8_t **rdata_ptr)
+{
+ uint8_t *rd = *rdata_ptr;
+ ssize_t written = 0;
+
+ written = ns_name_compress(key, rd, remaining, NULL, NULL);
+ assert_int_not_equal(written, -1);
+ rd += written;
+ remaining -= written;
+
+ assert_true(remaining > 3 * sizeof(uint16_t) + sizeof(uint32_t));
+ NS_PUT16(type, rd);
+ NS_PUT16(ns_c_in, rd);
+ NS_PUT32(ttl, rd);
+ NS_PUT16(rdata_size, rd);
+
+ assert_true(remaining > rdata_size);
+ *rdata_ptr = rd;
+ return written + 3 * sizeof(uint16_t) + sizeof(uint32_t) + rdata_size;
+}
+
+static ssize_t add_srv_rr(struct srv_rrdata *rr,
+ const char *question,
+ uint8_t *answer,
+ size_t anslen)
+{
+ uint8_t *a = answer;
+ ssize_t resp_size;
+ size_t rdata_size;
+ unsigned char hostname_compressed[MAXDNAME];
+ ssize_t compressed_len;
+
+ rdata_size = 3 * sizeof(uint16_t);
+
+ /* Prepare the data to write */
+ compressed_len = ns_name_compress(rr->hostname,
+ hostname_compressed, MAXDNAME,
+ NULL, NULL);
+ assert_int_not_equal(compressed_len, -1);
+ rdata_size += compressed_len;
+
+ resp_size = add_rr_common(ns_t_srv, rr->ttl, rdata_size,
+ question, anslen, &a);
+
+ NS_PUT16(rr->prio, a);
+ NS_PUT16(rr->weight, a);
+ NS_PUT16(rr->port, a);
+ memcpy(a, hostname_compressed, compressed_len);
+
+ return resp_size;
+}
+
+unsigned char *create_srv_buffer(TALLOC_CTX *mem_ctx,
+ const char *question,
+ struct srv_rrdata *rrs,
+ size_t n_rrs,
+ size_t *_buflen)
+{
+ unsigned char *buf;
+ unsigned char *buf_head;
+ ssize_t len;
+ ssize_t i;
+ ssize_t total = 0;
+
+ buf = talloc_zero_array(mem_ctx, unsigned char, TEST_BUFSIZE);
+ assert_non_null(buf);
+ buf_head = buf;
+
+ len = dns_header(&buf, n_rrs);
+ assert_true(len > 0);
+ total += len;
+
+ len = dns_question(question, ns_t_srv, &buf, TEST_BUFSIZE - total);
+ assert_true(len > 0);
+ total += len;
+
+ /* answer */
+ for (i = 0; i < n_rrs; i++) {
+ len = add_srv_rr(&rrs[i], question, buf, TEST_BUFSIZE - total);
+ assert_true(len > 0);
+ total += len;
+ buf += len;
+ }
+
+ *_buflen = total;
+ return buf_head;
+}
+
+struct fake_ares_query {
+ int status;
+ int timeouts;
+ unsigned char *abuf;
+ int alen;
+};
+
+void mock_ares_query(int status, int timeouts, unsigned char *abuf, int alen)
+{
+ will_return(__wrap_ares_query, status);
+ will_return(__wrap_ares_query, timeouts);
+ will_return(__wrap_ares_query, abuf);
+ will_return(__wrap_ares_query, alen);
+}
+
+void __wrap_ares_query(ares_channel channel, const char *name, int dnsclass,
+ int type, ares_callback callback, void *arg)
+{
+ struct fake_ares_query query;
+
+ query.status = sss_mock_type(int);
+ query.timeouts = sss_mock_type(int);
+ query.abuf = sss_mock_ptr_type(unsigned char *);
+ query.alen = sss_mock_type(int);
+
+ callback(arg, query.status, query.timeouts, query.abuf, query.alen);
+}
+
+/* The unit test */
+struct resolv_fake_ctx {
+ struct resolv_ctx *resolv;
+ struct sss_test_ctx *ctx;
+};
+
+static int test_resolv_fake_setup(void **state)
+{
+ struct resolv_fake_ctx *test_ctx;
+ int ret;
+
+ assert_true(leak_check_setup());
+ global_mock_context = talloc_new(global_talloc_context);
+ assert_non_null(global_mock_context);
+
+ test_ctx = talloc_zero(global_mock_context,
+ struct resolv_fake_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->ctx = create_ev_test_ctx(test_ctx);
+ assert_non_null(test_ctx->ctx);
+
+ ret = resolv_init(test_ctx,
test_ctx->ctx->ev,
+ TEST_DEFAULT_TIMEOUT, &test_ctx->resolv);
+ assert_int_equal(ret, EOK);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_resolv_fake_teardown(void **state)
+{
+ struct resolv_fake_ctx *test_ctx =
+ talloc_get_type(*state, struct resolv_fake_ctx);
+
+ talloc_free(test_ctx);
+ talloc_free(global_mock_context);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_resolv_fake_srv_done(struct tevent_req *req)
+{
+ errno_t ret;
+ TALLOC_CTX *tmp_ctx;
+ int status;
+ uint32_t ttl;
+ struct ares_srv_reply *srv_replies = NULL;
+ struct resolv_fake_ctx *test_ctx =
+ tevent_req_callback_data(req, struct resolv_fake_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ ret = resolv_getsrv_recv(tmp_ctx, req, &status, NULL,
+ &srv_replies, &ttl);
+ assert_int_equal(ret, EOK);
+
+ assert_non_null(srv_replies);
+ assert_int_equal(srv_replies->priority, 1);
+ assert_int_equal(srv_replies->weight, 40);
+ assert_int_equal(srv_replies->port, 389);
+ assert_string_equal(srv_replies->host, "ldap.sssd.com");
+
+ srv_replies = srv_replies->next;
+ assert_non_null(srv_replies);
+ assert_int_equal(srv_replies->priority, 1);
+ assert_int_equal(srv_replies->weight, 60);
+ assert_int_equal(srv_replies->port, 389);
+ assert_string_equal(srv_replies->host, "ldap2.sssd.com");
+
+ srv_replies = srv_replies->next;
+ assert_null(srv_replies);
+
+ assert_int_equal(ttl, 500);
+
+ talloc_free(tmp_ctx);
+ test_ev_done(test_ctx->ctx, EOK);
+}
+
+void test_resolv_fake_srv(void **state)
+{
+ int ret;
+ struct tevent_req *req;
+ struct resolv_fake_ctx *test_ctx =
+ talloc_get_type(*state, struct resolv_fake_ctx);
+
+ unsigned char *buf;
+ size_t buflen;
+
+ struct srv_rrdata rr[2];
+
+ rr[0].prio = 1;
+ rr[0].port = 389;
+ rr[0].weight = 40;
+ rr[0].ttl = 600;
+ rr[0].hostname = "ldap.sssd.com";
+
+ rr[1].prio = 1;
+ rr[1].port = 389;
+ rr[1].weight = 60;
+ rr[1].ttl = 500;
+ rr[1].hostname = "ldap2.sssd.com";
+
+ buf =
create_srv_buffer(test_ctx, TEST_SRV_QUERY, rr, 2, &buflen);
+ assert_non_null(buf);
+ mock_ares_query(0, 0, buf, buflen);
+
+ req = resolv_getsrv_send(test_ctx, test_ctx->ctx->ev,
+ test_ctx->resolv, TEST_SRV_QUERY);
+ assert_non_null(req);
+ tevent_req_set_callback(req, test_resolv_fake_srv_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->ctx);
+ assert_int_equal(ret, ERR_OK);
+}
+
+void test_resolv_is_address(void **state)
+{
+ bool ret;
+
+ ret = resolv_is_address("10.192.211.37");
+ assert_true(ret);
+
+ ret = resolv_is_address("127.0.0.1");
+ assert_true(ret);
+
+ ret = resolv_is_address("2001:0db8:85a3:0000:0000:8a2e:0370:7334");
+ assert_true(ret);
+
+ ret = resolv_is_address("sssd.ldap.com");
+ assert_false(ret);
+
+ ret = resolv_is_address("testhostname");
+ assert_false(ret);
+
+ ret = resolv_is_address("localhost");
+ assert_false(ret);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_resolv_fake_srv,
+ test_resolv_fake_setup,
+ test_resolv_fake_teardown),
+ cmocka_unit_test(test_resolv_is_address),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ return rv;
+}
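Review bot: In `add_rr_common` the second bounds check, `assert_true(remaining > rdata_size);`, runs after the type, class, TTL and length fields have been written, but `remaining` was never reduced by those ten bytes, so it can accept a record whose rdata ends up to ten bytes past the end of the buffer when `add_srv_rr` then writes priority, weight, port and the compressed host name. Subtract the fixed part before that assertion: `remaining -= 3 * sizeof(uint16_t) + sizeof(uint32_t);`. `dns_question` has a smaller version of the same gap, writing two 16-bit fields after `ns_name_compress` without checking that four bytes are left; `assert_true(remaining >= 2 * sizeof(uint16_t));` before the `NS_PUT16` calls would cover it. With the two fixed records in `test_resolv_fake_srv` and a 1024-byte `TEST_BUFSIZE` neither limit is reached, but the helpers would write past the talloc allocation without failing the test if longer or more records were added later.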
diff --git a/src/tests/cmocka/test_responder_cache_req.c b/src/tests/cmocka/test_responder_cache_req.c
new file mode 100644
index 0000000..45d71b8
--- /dev/null
+++ b/src/tests/cmocka/test_responder_cache_req.c
@@ -0,0 +1,4114 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_resp.h" +#include "db/sysdb.h" +#include "responder/common/cache_req/cache_req.h" +#include "db/sysdb_private.h" /* new_subdomain() */ + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_responder_cache_req_conf.ldb" +#define TEST_DOM_NAME "responder_cache_req_test" +#define TEST_ID_PROVIDER "ldap" + +#define TEST_USER_PREFIX "test*" + +struct test_user { + const char *short_name; + const char *upn; + const char *sid; + uid_t uid; + gid_t gid; +} users[] = {{"test-user1", "upn1@upndomain.com", + "S-1-5-21-3623811015-3361044348-30300820-1001", 1001, 1001}, + {"test-user2", "upn2@upndomain.com", + "S-1-5-21-3623811015-3361044348-30300820-1002", 1002, 1002}}; + +struct test_group { + const char *short_name; + const char *sid; + gid_t gid; +} groups[] = {{"test-group1", "S-1-5-21-3623811015-3361044348-30300820-2001", 2001}, + {"test-group2", "S-1-5-21-3623811015-3361044348-30300820-2002", 2002}}; + +#define new_single_domain_test(test) \ + cmocka_unit_test_setup_teardown(test_ ## test, \ + test_single_domain_setup, \ + test_single_domain_teardown) + +#define new_single_domain_id_limit_test(test) \ + cmocka_unit_test_setup_teardown(test_ ## test, \ + 
test_single_domain_id_limits_setup, \ + test_single_domain_teardown) + +#define new_multi_domain_test(test) \ + cmocka_unit_test_setup_teardown(test_ ## test, \ + test_multi_domain_setup, \ + test_multi_domain_teardown) + +#define new_subdomain_test(test) \ + cmocka_unit_test_setup_teardown(test_ ## test, \ + test_subdomain_setup, \ + test_subdomain_teardown) + +#define run_cache_req(ctx, send_fn, done_fn, dom, crp, lookup, expret) do { \ + TALLOC_CTX *req_mem_ctx; \ + struct tevent_req *req; \ + errno_t ret; \ + \ + req_mem_ctx = talloc_new(global_talloc_context); \ + check_leaks_push(req_mem_ctx); \ + \ + req = send_fn(req_mem_ctx, ctx->tctx->ev, ctx->rctx, \ + ctx->ncache, crp, \ + (dom == NULL ? NULL : dom->name), lookup); \ + assert_non_null(req); \ + tevent_req_set_callback(req, done_fn, ctx); \ + \ + ret = test_ev_loop(ctx->tctx); \ + assert_int_equal(ret, expret); \ + assert_true(check_leaks_pop(req_mem_ctx)); \ + \ + talloc_free(req_mem_ctx); \ +} while (0) + +#define run_cache_req_domtype(ctx, send_fn, done_fn, dom, crp, domtype, lookup, expret) do { \ + TALLOC_CTX *req_mem_ctx; \ + struct tevent_req *req; \ + errno_t ret; \ + \ + req_mem_ctx = talloc_new(global_talloc_context); \ + check_leaks_push(req_mem_ctx); \ + \ + req = send_fn(req_mem_ctx, ctx->tctx->ev, ctx->rctx, \ + ctx->ncache, crp, \ + domtype, \ + (dom == NULL ? NULL : dom->name), lookup); \ + assert_non_null(req); \ + tevent_req_set_callback(req, done_fn, ctx); \ + \ + ret = test_ev_loop(ctx->tctx); \ + assert_int_equal(ret, expret); \ + assert_true(check_leaks_pop(req_mem_ctx)); \ + \ + talloc_free(req_mem_ctx); \ +} while (0) + +struct cache_req_test_ctx { + struct sss_test_ctx *tctx; + struct resp_ctx *rctx; + struct sss_nc_ctx *ncache; + struct sss_domain_info *subdomain; + + struct cache_req_result *result; + bool dp_called; + + /* NOTE: Please, instead of adding new create_[user|group] bool, + * use bitshift. 
*/ + bool create_user1; + bool create_user2; + bool create_group1; + bool create_group2; + bool create_subgroup1; + bool create_subuser1; +}; + +const char *domains[] = {"responder_cache_req_test_a", + "responder_cache_req_test_b", + "responder_cache_req_test_c", + "responder_cache_req_test_d", + NULL}; + +const char *subdomain_name = "responder_cache_req_test_a_sub"; + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version version[] = { + { 0, NULL, NULL } + }; + + return version; +} + +static void cache_req_user_by_name_test_done(struct tevent_req *req) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct cache_req_test_ctx); + + ctx->tctx->error = cache_req_user_by_name_recv(ctx, req, &ctx->result); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void cache_req_user_by_id_test_done(struct tevent_req *req) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct cache_req_test_ctx); + + ctx->tctx->error = cache_req_user_by_id_recv(ctx, req, &ctx->result); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void cache_req_group_by_name_test_done(struct tevent_req *req) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct cache_req_test_ctx); + + ctx->tctx->error = cache_req_group_by_name_recv(ctx, req, &ctx->result); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void cache_req_group_by_id_test_done(struct tevent_req *req) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct cache_req_test_ctx); + + ctx->tctx->error = cache_req_group_by_id_recv(ctx, req, &ctx->result); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void cache_req_object_by_sid_test_done(struct tevent_req *req) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct cache_req_test_ctx); + + ctx->tctx->error = 
cache_req_object_by_sid_recv(ctx, req, &ctx->result); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void cache_req_object_by_id_test_done(struct tevent_req *req) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = tevent_req_callback_data(req, struct cache_req_test_ctx); + + ctx->tctx->error = cache_req_object_by_id_recv(ctx, req, &ctx->result); + talloc_zfree(req); + + ctx->tctx->done = true; +} + +static void prepare_user(struct sss_domain_info *domain, + struct test_user *user, + uint64_t timeout, + time_t transaction_time) +{ + struct sysdb_attrs *attrs; + errno_t ret; + char *fqname; + + attrs = sysdb_new_attrs(NULL); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, user->upn); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, user->sid); + assert_int_equal(ret, EOK); + + fqname = sss_create_internal_fqname(attrs, user->short_name, domain->name); + assert_non_null(fqname); + + ret = sysdb_store_user(domain, fqname, "pwd", + user->uid, user->gid, NULL, NULL, NULL, + "cn=origdn,dc=test", attrs, NULL, + timeout, transaction_time); + talloc_free(fqname); + assert_int_equal(ret, EOK); + + talloc_free(attrs); +} + +static void run_user_by_name(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + int cache_refresh_percent, + errno_t exp_ret) +{ + run_cache_req_domtype(test_ctx, cache_req_user_by_name_send, + cache_req_user_by_name_test_done, domain, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, + users[0].short_name, exp_ret); +} + +static void run_user_by_upn(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + int cache_refresh_percent, + errno_t exp_ret) +{ + run_cache_req_domtype(test_ctx, cache_req_user_by_name_send, + cache_req_user_by_name_test_done, domain, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, + users[0].upn, exp_ret); +} + +static void run_user_by_id(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + int 
cache_refresh_percent, + errno_t exp_ret) +{ + run_cache_req(test_ctx, cache_req_user_by_id_send, + cache_req_user_by_id_test_done, domain, + cache_refresh_percent, users[0].uid, exp_ret); +} + +static void assert_msg_has_shortname(struct cache_req_test_ctx *test_ctx, + struct ldb_message *msg, + const char *check_name) +{ + const char *ldbname; + char *shortname; + errno_t ret; + + ldbname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + assert_non_null(ldbname); + ret = sss_parse_internal_fqname(test_ctx, ldbname, &shortname, NULL); + assert_int_equal(ret, EOK); + assert_string_equal(shortname, check_name); + talloc_free(shortname); +} + +static void check_user(struct cache_req_test_ctx *test_ctx, + struct test_user *user, + struct sss_domain_info *exp_dom) +{ + const char *ldbupn; + const char *ldbsid; + uid_t ldbuid; + + assert_non_null(test_ctx->result); + assert_int_equal(test_ctx->result->count, 1); + assert_non_null(test_ctx->result->msgs); + assert_non_null(test_ctx->result->msgs[0]); + + assert_msg_has_shortname(test_ctx, + test_ctx->result->msgs[0], + user->short_name); + + ldbupn = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_UPN, NULL); + assert_non_null(ldbupn); + assert_string_equal(ldbupn, user->upn); + + ldbsid = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_SID_STR, NULL); + assert_non_null(ldbsid); + assert_string_equal(ldbsid, user->sid); + + ldbuid = ldb_msg_find_attr_as_uint(test_ctx->result->msgs[0], + SYSDB_UIDNUM, 0); + assert_int_equal(ldbuid, user->uid); + + assert_non_null(test_ctx->result->domain); + assert_string_equal(exp_dom->name, test_ctx->result->domain->name); +} + +static void prepare_group(struct sss_domain_info *domain, + struct test_group *group, + uint64_t timeout, + time_t transaction_time) +{ + struct sysdb_attrs *attrs; + char *fqname; + errno_t ret; + + attrs = sysdb_new_attrs(NULL); + assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, group->sid); + 
assert_int_equal(ret, EOK); + + fqname = sss_create_internal_fqname(attrs, group->short_name, domain->name); + assert_non_null(fqname); + + ret = sysdb_store_group(domain, fqname, group->gid, attrs, + timeout, transaction_time); + talloc_free(fqname); + assert_int_equal(ret, EOK); + + talloc_free(attrs); +} + +static void run_group_by_name(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + int cache_refresh_percent, + errno_t exp_ret) +{ + run_cache_req_domtype(test_ctx, cache_req_group_by_name_send, + cache_req_group_by_name_test_done, domain, + cache_refresh_percent, + CACHE_REQ_POSIX_DOM, + groups[0].short_name, exp_ret); +} + +static void run_group_by_id(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + int cache_refresh_percent, + errno_t exp_ret) +{ + run_cache_req(test_ctx, cache_req_group_by_id_send, + cache_req_group_by_id_test_done, domain, + cache_refresh_percent, groups[0].gid, exp_ret); +} + +static void check_group(struct cache_req_test_ctx *test_ctx, + struct test_group *group, + struct sss_domain_info *exp_dom) +{ + const char *ldbsid; + gid_t ldbgid; + + assert_non_null(test_ctx->result); + assert_int_equal(test_ctx->result->count, 1); + assert_non_null(test_ctx->result->msgs); + assert_non_null(test_ctx->result->msgs[0]); + + assert_msg_has_shortname(test_ctx, + test_ctx->result->msgs[0], + group->short_name); + + ldbsid = ldb_msg_find_attr_as_string(test_ctx->result->msgs[0], + SYSDB_SID_STR, NULL); + assert_non_null(ldbsid); + assert_string_equal(ldbsid, group->sid); + + ldbgid = ldb_msg_find_attr_as_uint(test_ctx->result->msgs[0], + SYSDB_GIDNUM, 0); + assert_int_equal(ldbgid, group->gid); + + assert_non_null(test_ctx->result->domain); + assert_string_equal(exp_dom->name, test_ctx->result->domain->name); +} + +static void run_object_by_sid(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + const char *sid, + const char **attrs, + int cache_refresh_percent, + errno_t exp_ret) +{ 
+ TALLOC_CTX *req_mem_ctx; + struct tevent_req *req; + errno_t ret; + + req_mem_ctx = talloc_new(global_talloc_context); + check_leaks_push(req_mem_ctx); + + req = cache_req_object_by_sid_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->rctx, test_ctx->ncache, cache_refresh_percent, + (domain == NULL ? NULL : domain->name), sid, attrs); + assert_non_null(req); + tevent_req_set_callback(req, cache_req_object_by_sid_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, exp_ret); + assert_true(check_leaks_pop(req_mem_ctx)); + + talloc_free(req_mem_ctx); +} + +static void run_object_by_id(struct cache_req_test_ctx *test_ctx, + struct sss_domain_info *domain, + id_t id, + const char **attrs, + int cache_refresh_percent, + errno_t exp_ret) +{ + TALLOC_CTX *req_mem_ctx; + struct tevent_req *req; + errno_t ret; + + req_mem_ctx = talloc_new(global_talloc_context); + check_leaks_push(req_mem_ctx); + + req = cache_req_object_by_id_send(req_mem_ctx, test_ctx->tctx->ev, + test_ctx->rctx, test_ctx->ncache, cache_refresh_percent, + (domain == NULL ? 
NULL : domain->name), id, attrs); + assert_non_null(req); + tevent_req_set_callback(req, cache_req_object_by_id_test_done, test_ctx); + + ret = test_ev_loop(test_ctx->tctx); + assert_int_equal(ret, exp_ret); + assert_true(check_leaks_pop(req_mem_ctx)); + + talloc_free(req_mem_ctx); +} + +struct tevent_req * +__wrap_sss_dp_get_account_send(TALLOC_CTX *mem_ctx, + struct resp_ctx *rctx, + struct sss_domain_info *dom, + bool fast_reply, + enum sss_dp_acct_type type, + const char *opt_name, + uint32_t opt_id, + const char *extra) +{ + struct cache_req_test_ctx *ctx = NULL; + + ctx = sss_mock_ptr_type(struct cache_req_test_ctx*); + ctx->dp_called = true; + + if (ctx->create_user1) { + prepare_user(ctx->tctx->dom, &users[0], 1000, time(NULL)); + } + + if (ctx->create_user2) { + prepare_user(ctx->tctx->dom, &users[1], 1000, time(NULL)); + } + + if (ctx->create_group1) { + prepare_group(ctx->tctx->dom, &groups[0], 1000, time(NULL)); + } + + if (ctx->create_group2) { + prepare_group(ctx->tctx->dom, &groups[1], 1000, time(NULL)); + } + + if (ctx->create_subgroup1) { + struct sss_domain_info *domain = NULL; + + domain = find_domain_by_name(ctx->tctx->dom, + subdomain_name, + true); + assert_non_null(domain); + prepare_group(domain, &groups[0], 1000, time(NULL)); + } + + if (ctx->create_subuser1) { + struct sss_domain_info *domain = NULL; + + domain = find_domain_by_name(ctx->tctx->dom, + subdomain_name, + true); + assert_non_null(domain); + prepare_user(domain, &users[0], 1000, time(NULL)); + } + + return test_req_succeed_send(mem_ctx, rctx->ev); +} + +static int test_single_domain_setup_common(void **state, + struct sss_test_conf_param *params) +{ + struct cache_req_test_ctx *test_ctx = NULL; + errno_t ret; + + assert_true(leak_check_setup()); + + test_dom_suite_setup(TESTS_PATH); + + test_ctx = talloc_zero(global_talloc_context, struct cache_req_test_ctx); + assert_non_null(test_ctx); + *state = test_ctx; + + test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, 
TEST_CONF_DB, + TEST_DOM_NAME, TEST_ID_PROVIDER, params); + assert_non_null(test_ctx->tctx); + + test_ctx->rctx = mock_rctx(test_ctx, test_ctx->tctx->ev, + test_ctx->tctx->dom, NULL); + assert_non_null(test_ctx->rctx); + + ret = sss_ncache_init(test_ctx, 10, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + check_leaks_push(test_ctx); + + return 0; +} + +static int test_single_domain_setup(void **state) +{ + return test_single_domain_setup_common(state, NULL); +} + +static int test_single_domain_teardown(void **state) +{ + struct cache_req_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + talloc_zfree(test_ctx->result); + + assert_true(check_leaks_pop(test_ctx)); + talloc_zfree(test_ctx); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + assert_true(leak_check_teardown()); + return 0; +} + +static int test_single_domain_id_limits_setup(void **state) +{ + struct sss_test_conf_param params[] = { + { "min_id", "100" }, + { "max_id", "10000" }, + { NULL, NULL }, /* Sentinel */ + }; + return test_single_domain_setup_common(state, params); +} + +static int test_multi_domain_setup(void **state) +{ + struct cache_req_test_ctx *test_ctx = NULL; + errno_t ret; + + assert_true(leak_check_setup()); + + test_dom_suite_setup(TESTS_PATH); + + test_ctx = talloc_zero(global_talloc_context, struct cache_req_test_ctx); + assert_non_null(test_ctx); + *state = test_ctx; + + test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH, + TEST_CONF_DB, domains, + TEST_ID_PROVIDER, NULL); + assert_non_null(test_ctx->tctx); + + test_ctx->rctx = mock_rctx(test_ctx, test_ctx->tctx->ev, + test_ctx->tctx->dom, NULL); + assert_non_null(test_ctx->rctx); + + ret = sss_ncache_init(test_ctx, 10, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + reset_ldb_errstrings(test_ctx->tctx->dom); + check_leaks_push(test_ctx); + + return 0; +} + +void test_user_by_id_below_id_range(void **state) +{ + struct cache_req_test_ctx 
*test_ctx = NULL; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + /* Test. */ + run_cache_req(test_ctx, cache_req_user_by_id_send, + cache_req_user_by_id_test_done, test_ctx->tctx->dom, + 0, 10, ENOENT); + assert_false(test_ctx->dp_called); +} + +void test_user_by_id_above_id_range(void **state) +{ + struct cache_req_test_ctx *test_ctx = NULL; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + /* Test. */ + run_cache_req(test_ctx, cache_req_user_by_id_send, + cache_req_user_by_id_test_done, test_ctx->tctx->dom, + 0, 100000, ENOENT); + assert_false(test_ctx->dp_called); +} + +static int test_multi_domain_teardown(void **state) +{ + struct cache_req_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + talloc_zfree(test_ctx->result); + + reset_ldb_errstrings(test_ctx->tctx->dom); + assert_true(check_leaks_pop(test_ctx)); + talloc_zfree(test_ctx); + test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains); + assert_true(leak_check_teardown()); + return 0; +} + +static int test_subdomain_setup(void **state) +{ + struct cache_req_test_ctx *test_ctx = NULL; + int ret; + const char *const testdom[4] = { subdomain_name, "TEST_A.SUB", "test_a", "S-3" }; + + assert_true(leak_check_setup()); + + test_dom_suite_setup(TESTS_PATH); + + test_ctx = talloc_zero(global_talloc_context, struct cache_req_test_ctx); + assert_non_null(test_ctx); + *state = test_ctx; + + test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB, + TEST_DOM_NAME, TEST_ID_PROVIDER, NULL); + assert_non_null(test_ctx->tctx); + + test_ctx->rctx = mock_rctx(test_ctx, test_ctx->tctx->ev, + test_ctx->tctx->dom, NULL); + assert_non_null(test_ctx->rctx); + + ret = sss_ncache_init(test_ctx, 10, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + test_ctx->subdomain = new_subdomain(test_ctx, test_ctx->tctx->dom, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, NULL, 0, + 
test_ctx->tctx->confdb); + assert_non_null(test_ctx->subdomain); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, + test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + *state = test_ctx; + check_leaks_push(test_ctx); + return 0; +} + +static int test_subdomain_teardown(void **state) +{ + struct cache_req_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + talloc_zfree(test_ctx->result); + talloc_zfree(test_ctx->rctx->cr_domains); + + assert_true(check_leaks_pop(test_ctx)); + talloc_zfree(test_ctx); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + assert_true(leak_check_teardown()); + return 0; +} + +void test_user_by_name_multiple_domains_found(void **state) +{ + struct cache_req_test_ctx *test_ctx = NULL; + struct sss_domain_info *domain = NULL; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + /* Setup user. */ + domain = find_domain_by_name(test_ctx->tctx->dom, + "responder_cache_req_test_d", true); + assert_non_null(domain); + + prepare_user(domain, &users[0], 1000, time(NULL)); + + /* Mock values. */ + will_return_always(__wrap_sss_dp_get_account_send, test_ctx); + will_return_always(sss_dp_req_recv, 0); + mock_parse_inp(users[0].short_name, NULL, ERR_OK); + + /* Test. */ + run_user_by_name(test_ctx, NULL, 0, ERR_OK); + assert_true(test_ctx->dp_called); + check_user(test_ctx, &users[0], domain); +} + +void test_user_by_name_multiple_domains_notfound(void **state) +{ + struct cache_req_test_ctx *test_ctx = NULL; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + /* Mock values. */ + will_return_always(__wrap_sss_dp_get_account_send, test_ctx); + will_return_always(sss_dp_req_recv, 0); + mock_parse_inp(users[0].short_name, NULL, ERR_OK); + + /* Test. 
*/ + run_user_by_name(test_ctx, NULL, 0, ENOENT); + assert_true(test_ctx->dp_called); +} + +void test_user_by_name_multiple_domains_parse(void **state) +{ + struct cache_req_test_ctx *test_ctx = NULL; + struct sss_domain_info *domain = NULL; + TALLOC_CTX *req_mem_ctx = NULL; + struct tevent_req *req = NULL; + char *input_fqn; + char *fqname; + errno_t ret; + + test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx); + + /* Add user to the first domain with different uid then test user. */ + domain = find_domain_by_name(test_ctx->tctx->dom, + "responder_cache_req_test_a", true); + assert_non_null(domain); + + fqname = sss_create_internal_fqname(test_ctx, users[0].short_name, domain->name); + assert_non_null(fqname); + + ret = sysdb_store_user(domain, fqname, "pwd", 2000, 1000, + NULL, NULL, NULL, "cn=test-user,dc=test", NULL, + NULL, 1000, time(NULL)); + talloc_zfree(fqname); + assert_int_equal(ret, EOK); + + /* Add test user to the last domain. */ + + domain = find_domain_by_name(test_ctx->tctx->dom, + "responder_cache_req_test_d", true); + assert_non_null(domain); + + prepare_user(domain, &users[0], 1000, time(NULL)); + + /* Append domain name to the username to form the qualified input. + * We don't use the internal fqname here on purpose, because this is + * the user's input. + */ + input_fqn = talloc_asprintf(test_ctx, "%s@%s", users[0].short_name, + "responder_cache_req_test_d"); + assert_non_null(input_fqn); + + /* Mock values. */ + mock_parse_inp(users[0].short_name, "responder_cache_req_test_d", ERR_OK); + + /* Test. 
*/
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ req = cache_req_user_by_name_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx, test_ctx->ncache,
+ CACHE_REQ_POSIX_DOM,
+ 0,
+ NULL, input_fqn);
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_user_by_name_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+ assert_false(test_ctx->dp_called);
+
+ check_user(test_ctx, &users[0], domain);
+
+ assert_non_null(test_ctx->result->lookup_name);
+ assert_string_equal(input_fqn, test_ctx->result->lookup_name);
+
+ talloc_free(input_fqn);
+}
+
+void test_user_by_name_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 1000, time(NULL));
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_name_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_name_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 50, time(NULL) - 26);
+
+ /* Mock values.
*/
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_name_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ errno_t ret;
+ char *fqname;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ fqname = sss_create_internal_fqname(test_ctx, users[0].short_name,
+ test_ctx->tctx->dom->name);
+ assert_non_null(fqname);
+
+ ret = sss_ncache_set_user(test_ctx->ncache, false,
+ test_ctx->tctx->dom, fqname);
+ talloc_free(fqname);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_user_by_name_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ /* Test. */
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_name_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test.
*/
+ run_user_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_user_by_upn_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+}
+
+void test_user_by_upn_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_user_by_upn_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 0, ERR_OK);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_upn_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user.
*/
+ prepare_user(test_ctx->tctx->dom, &users[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_upn_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_upn_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user's UPN. */
+ ret = sss_ncache_set_upn(test_ctx->ncache, false,
+ test_ctx->tctx->dom, users[0].upn);
+ assert_int_equal(ret, EOK);
+
+ /* Mock values. */
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_user_by_upn_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ /* Test.
*/
+ run_user_by_upn(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_upn_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+ mock_parse_inp(NULL, NULL, ERR_DOMAIN_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_upn(test_ctx, NULL, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_user_by_id_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+}
+
+void test_user_by_id_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_user_by_id(test_ctx, NULL, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_user_by_id_multiple_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ /* Test.
*/
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+ /* Even though the locator tells us to skip all domains except d, the domains
+ * are standalone and the result of the locator request is only valid within
+ * the subdomains
+ */
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_user_by_id_multiple_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], -1000, time(NULL));
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_user_by_id_sub_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ /* Even though the ID is present in the last domain,
+ * we're not calling sss_dp_get_account_send,
+ * because the locator will cause cache_req to skip
+ * all domains except _d
+ */
+ assert_false(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_user_by_id_sub_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user.
*/
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_user_by_id_sub_domains_locator_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], 50, time(NULL) - 26);
+
+ /* Note - DP will only be called once and we're not waiting
+ * for the results (so, we're not mocking _recv)
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_user_by_id(test_ctx, NULL, 50, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_user_by_id_sub_domains_locator_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ test_ctx->create_subuser1 = true;
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_below_id_range(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Test.
*/
+ run_cache_req(test_ctx, cache_req_group_by_id_send,
+ cache_req_group_by_id_test_done, test_ctx->tctx->dom,
+ 0, 10, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_group_by_id_above_id_range(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Test. */
+ run_cache_req(test_ctx, cache_req_group_by_id_send,
+ cache_req_group_by_id_test_done, test_ctx->tctx->dom,
+ 0, 100000, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_user_by_id_sub_domains_locator_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, ERR_NOT_FOUND);
+
+ /* Test. */
+ run_user_by_id(test_ctx, NULL, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_user_by_id_sub_domains_locator_cache_expired_two_calls(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ test_ctx->create_subuser1 = true;
+ prepare_user(domain, &users[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ /* Request the same user again */
+ test_ctx->tctx->done = false;
+ talloc_zfree(test_ctx->result);
+
+ run_user_by_id(test_ctx, NULL, 0, ERR_OK);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_user_by_id_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 1000, time(NULL));
+
+ /* Test. */
+ run_user_by_id(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_id_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_user_by_id(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_id_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test.
*/
+ run_user_by_id(test_ctx, test_ctx->tctx->dom, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_id_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ ret = sss_ncache_set_uid(test_ctx->ncache, false, NULL, users[0].uid);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_user_by_id(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_user_by_id_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ /* Test. */
+ run_user_by_id(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_user_by_id_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_user_by_id(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_group_by_name_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Mock values.
*/
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ mock_parse_inp(groups[0].short_name, NULL, ERR_OK);
+
+ /* Test. */
+ run_group_by_name(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+}
+
+void test_group_by_name_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ mock_parse_inp(groups[0].short_name, NULL, ERR_OK);
+
+ /* Test. */
+ run_group_by_name(test_ctx, NULL, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_group_by_name_multiple_domains_parse(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ char *input_fqn;
+ char *fqname;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Add group to the first domain. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_a", true);
+ assert_non_null(domain);
+
+ fqname = sss_create_internal_fqname(test_ctx, users[0].short_name, domain->name);
+ assert_non_null(fqname);
+
+ ret = sysdb_store_group(domain, fqname, 2000, NULL,
+ 1000, time(NULL));
+ talloc_zfree(fqname);
+ assert_int_equal(ret, EOK);
+
+ /* Add group to the last domain, with different gid. */
+
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Append domain name to the groupname.
+ * We don't use the internal fqname here on purpose, because this is
+ * the user's input.
+ */
+ input_fqn = talloc_asprintf(test_ctx, "%s@%s", groups[0].short_name,
+ "responder_cache_req_test_d");
+ assert_non_null(input_fqn);
+
+ /* Test. */
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ mock_parse_inp(groups[0].short_name, "responder_cache_req_test_d", ERR_OK);
+
+ req = cache_req_group_by_name_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx, test_ctx->ncache, 0,
+ CACHE_REQ_POSIX_DOM, NULL,
+ input_fqn);
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_group_by_name_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+ assert_false(test_ctx->dp_called);
+
+ check_group(test_ctx, &groups[0], domain);
+
+ assert_non_null(test_ctx->result->lookup_name);
+ assert_string_equal(input_fqn, test_ctx->result->lookup_name);
+
+ talloc_free(input_fqn);
+}
+
+void test_group_by_name_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
+
+ /* Test. */
+ run_group_by_name(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_name_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test.
*/
+ run_group_by_name(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_name_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. */
+ run_group_by_name(test_ctx, test_ctx->tctx->dom, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_name_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ errno_t ret;
+ char *fqname;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ fqname = sss_create_internal_fqname(test_ctx, groups[0].short_name,
+ test_ctx->tctx->dom->name);
+ assert_non_null(fqname);
+
+ ret = sss_ncache_set_group(test_ctx->ncache, false,
+ test_ctx->tctx->dom, fqname);
+ talloc_free(fqname);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_group_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_group_by_name_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_group1 = true;
+ test_ctx->create_group2 = false;
+
+ /* Test.
*/
+ run_group_by_name(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_name_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_group_by_name(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_group_by_id_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+}
+
+void test_group_by_id_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_group_by_id(test_ctx, NULL, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_group_by_id_multiple_domains_outside_id_range(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ struct sss_domain_info *domain_a = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ domain_a = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_a", true);
+ assert_non_null(domain_a);
+ domain_a->id_min = 1;
+ domain_a->id_max = 100;
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+}
+
+void test_group_by_id_multiple_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup group.
*/
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ /* Even though the locator tells us to skip all domains except d, the domains
+ * are standalone and the result of the locator request is only valid within
+ * the subdomains
+ */
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_multiple_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], -1000, time(NULL));
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_sub_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ /* Even though the ID is present in the last domain,
+ * we're not calling sss_dp_get_account_send,
+ * because the locator will cause cache_req to skip
+ * all domains except _d
+ */
+ assert_false(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_sub_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. 
*/
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_sub_domains_locator_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 50, time(NULL) - 26);
+
+ /* Note - DP will only be called once and we're not waiting
+ * for the results (so, we're not mocking _recv)
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. 
*/
+ run_group_by_id(test_ctx, NULL, 50, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_sub_domains_locator_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ test_ctx->create_subgroup1 = true;
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_sub_domains_locator_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, ERR_NOT_FOUND);
+
+ /* Test. 
*/
+ run_group_by_id(test_ctx, NULL, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_group_by_id_sub_domains_locator_cache_expired_two_calls(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ test_ctx->create_subgroup1 = true;
+ prepare_group(domain, &groups[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ /* Request the same group again */
+ test_ctx->tctx->done = false;
+ talloc_zfree(test_ctx->result);
+
+ run_group_by_id(test_ctx, NULL, 0, ERR_OK);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_group_by_id_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
+
+ /* Test. 
*/
+ run_group_by_id(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_id_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_group_by_id(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_id_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. */
+ run_group_by_id(test_ctx, test_ctx->tctx->dom, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_id_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. */
+ ret = sss_ncache_set_gid(test_ctx->ncache, false, NULL, groups[0].gid);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_group_by_id(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_group_by_id_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. 
*/
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_group1 = true;
+ test_ctx->create_group2 = false;
+
+ /* Test. */
+ run_group_by_id(test_ctx, test_ctx->tctx->dom, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_group_by_id_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_group_by_id(test_ctx, test_ctx->tctx->dom, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+static void cache_req_user_by_filter_test_done(struct tevent_req *req)
+{
+ struct cache_req_test_ctx *ctx = NULL;
+
+ ctx = tevent_req_callback_data(req, struct cache_req_test_ctx);
+
+ ctx->tctx->error = cache_req_user_by_filter_recv(ctx, req, &ctx->result);
+ talloc_zfree(req);
+ ctx->tctx->done = true;
+}
+
+void test_user_by_recent_filter_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ prepare_user(test_ctx->tctx->dom, &users[1], 1000, time(NULL) - 1);
+
+ req_mem_ctx = talloc_new(test_ctx->tctx);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* User TEST_USER is created with a DP callback. 
*/
+ req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ TEST_USER_PREFIX);
+ assert_non_null(req);
+
+ tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+
+ assert_non_null(test_ctx->result);
+ assert_int_equal(test_ctx->result->count, 1);
+
+ assert_msg_has_shortname(test_ctx,
+ test_ctx->result->msgs[0],
+ users[0].short_name);
+}
+
+void test_users_by_recent_filter_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ size_t num_users = 2;
+ const char **user_names;
+ const char *ldb_results[num_users];
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = true;
+
+ req_mem_ctx = talloc_new(test_ctx->tctx);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* User TEST_USER1 and TEST_USER2 are created with a DP callback. 
*/
+ req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ TEST_USER_PREFIX);
+ assert_non_null(req);
+
+ tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+
+ assert_non_null(test_ctx->result);
+ assert_int_equal(test_ctx->result->count, 2);
+
+ user_names = talloc_zero_array(test_ctx, const char *, num_users);
+ assert_non_null(user_names);
+ user_names[0] = sss_create_internal_fqname(user_names, users[0].short_name,
+ test_ctx->result->domain->name);
+ assert_non_null(user_names[0]);
+ user_names[1] = sss_create_internal_fqname(user_names, users[1].short_name,
+ test_ctx->result->domain->name);
+ assert_non_null(user_names[1]);
+
+ for (int i = 0; i < num_users; ++i) {
+ ldb_results[i] = ldb_msg_find_attr_as_string(test_ctx->result->msgs[i],
+ SYSDB_NAME, NULL);
+ assert_non_null(ldb_results[i]);
+ }
+
+ assert_string_not_equal(ldb_results[0], ldb_results[1]);
+
+ assert_true(are_values_in_array(user_names, num_users,
+ ldb_results, num_users));
+
+ talloc_free(req_mem_ctx);
+ talloc_free(user_names);
+}
+
+void test_users_by_filter_filter_old(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ /* This user was updated in distant past, so it won't be reported by
+ * the filter search */
+ prepare_user(test_ctx->tctx->dom, &users[1], 1000, 1);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ req = cache_req_user_by_filter_send(req_mem_ctx, 
test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ TEST_USER_PREFIX);
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+
+ assert_non_null(test_ctx->result);
+ assert_int_equal(test_ctx->result->count, 1);
+
+ assert_msg_has_shortname(test_ctx,
+ test_ctx->result->msgs[0],
+ users[0].short_name);
+}
+
+void test_users_by_filter_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ "nosuchuser*");
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_true(check_leaks_pop(req_mem_ctx));
+}
+
+static void test_users_by_filter_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx); + 
mock_account_recv_simple();
+
+ req = cache_req_user_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ domain->name,
+ "nosuchuser*");
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_user_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_true(check_leaks_pop(req_mem_ctx));
+}
+
+static void cache_req_group_by_filter_test_done(struct tevent_req *req)
+{
+ struct cache_req_test_ctx *ctx = NULL;
+
+ ctx = tevent_req_callback_data(req, struct cache_req_test_ctx);
+
+ ctx->tctx->error = cache_req_group_by_filter_recv(ctx, req, &ctx->result);
+ talloc_zfree(req);
+ ctx->tctx->done = true;
+}
+
+void test_group_by_recent_filter_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->create_group1 = true;
+ test_ctx->create_group2 = false;
+
+ prepare_group(test_ctx->tctx->dom, &groups[1], 1001, time(NULL) - 1);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Group TEST_GROUP is created with a DP callback. 
*/
+ req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ TEST_USER_PREFIX);
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+
+ assert_non_null(test_ctx->result);
+ assert_int_equal(test_ctx->result->count, 1);
+
+ assert_msg_has_shortname(test_ctx,
+ test_ctx->result->msgs[0],
+ groups[0].short_name);
+}
+
+void test_groups_by_recent_filter_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct tevent_req *req = NULL;
+ const char **group_names = NULL;
+ const char **ldb_results = NULL;
+ const char *ldbname = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ test_ctx->create_group1 = true;
+ test_ctx->create_group2 = true;
+
+ prepare_group(test_ctx->tctx->dom, &groups[1], 1001, time(NULL) - 1);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Group TEST_GROUP1 and TEST_GROUP2 are created with a DP callback. 
*/
+ req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ TEST_USER_PREFIX);
+ assert_non_null(req);
+
+ tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ERR_OK);
+ assert_true(check_leaks_pop(req_mem_ctx));
+
+ assert_non_null(test_ctx->result);
+ assert_int_equal(test_ctx->result->count, 2);
+
+ tmp_ctx = talloc_new(req_mem_ctx);
+
+ group_names = talloc_array(tmp_ctx, const char *, 2);
+ assert_non_null(group_names);
+ group_names[0] = sss_create_internal_fqname(group_names, groups[0].short_name,
+ test_ctx->result->domain->name);
+ assert_non_null(group_names[0]);
+ group_names[1] = sss_create_internal_fqname(group_names, groups[1].short_name,
+ test_ctx->result->domain->name);
+ assert_non_null(group_names[1]);
+
+ ldb_results = talloc_array(tmp_ctx, const char *, 2);
+ assert_non_null(ldb_results);
+ for (int i = 0; i < 2; ++i) {
+ ldbname = ldb_msg_find_attr_as_string(test_ctx->result->msgs[i],
+ SYSDB_NAME, NULL);
+ assert_non_null(ldbname);
+ ldb_results[i] = ldbname;
+ }
+
+ assert_string_not_equal(ldb_results[0], ldb_results[1]);
+
+ assert_true(tc_are_values_in_array(group_names, ldb_results));
+
+ talloc_zfree(tmp_ctx);
+}
+
+void test_groups_by_filter_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ test_ctx->tctx->dom->name,
+ "nosuchgroup*");
+ assert_non_null(req); + 
tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_true(check_leaks_pop(req_mem_ctx));
+}
+
+void test_groups_by_filter_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ TALLOC_CTX *req_mem_ctx = NULL;
+ struct tevent_req *req = NULL;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ req_mem_ctx = talloc_new(global_talloc_context);
+ check_leaks_push(req_mem_ctx);
+
+ /* Filters always go to DP */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ req = cache_req_group_by_filter_send(req_mem_ctx, test_ctx->tctx->ev,
+ test_ctx->rctx,
+ CACHE_REQ_POSIX_DOM,
+ domain->name,
+ "nosuchgroup*");
+ assert_non_null(req);
+ tevent_req_set_callback(req, cache_req_group_by_filter_test_done, test_ctx);
+
+ ret = test_ev_loop(test_ctx->tctx);
+ assert_int_equal(ret, ENOENT);
+ assert_true(check_leaks_pop(req_mem_ctx));
+}
+
+void test_object_by_sid_user_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 1000, time(NULL));
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ users[0].sid, attrs, 0, ERR_OK);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_user_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. 
*/
+ prepare_user(test_ctx->tctx->dom, &users[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ users[0].sid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_user_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ users[0].sid, attrs, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_user_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ ret = sss_ncache_set_sid(test_ctx->ncache, false, users[0].sid);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ users[0].sid, attrs, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_object_by_sid_user_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ /* Test. 
*/
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ users[0].sid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_user_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ users[0].sid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_sid_user_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ /* Test. */
+ run_object_by_sid(test_ctx, NULL, users[0].sid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+}
+
+void test_object_by_sid_user_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ /* Test. 
*/
+ run_object_by_sid(test_ctx, NULL, users[0].sid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_sid_group_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ groups[0].sid, attrs, 0, ERR_OK);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_group_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ groups[0].sid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_group_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. 
*/
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ groups[0].sid, attrs, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_group_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ ret = sss_ncache_set_sid(test_ctx->ncache, false, groups[0].sid);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ groups[0].sid, attrs, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_object_by_sid_group_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_group1 = true;
+ test_ctx->create_group2 = false;
+
+ /* Test. */
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ groups[0].sid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_sid_group_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. 
*/
+ run_object_by_sid(test_ctx, test_ctx->tctx->dom,
+ groups[0].sid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_sid_group_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ /* Test. */
+ run_object_by_sid(test_ctx, NULL, groups[0].sid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+}
+
+void test_object_by_sid_group_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ /* Test. */
+ run_object_by_sid(test_ctx, NULL, groups[0].sid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_id_user_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 1000, time(NULL));
+
+ /* Test. 
*/
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_user_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], -1000, time(NULL));
+
+ /* Mock values. */
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_user_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_user(test_ctx->tctx->dom, &users[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_user_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. 
We explicitly add the UID into BOTH UID and GID
+ * namespaces, because otherwise the cache_req plugin would
+ * search the Data Provider anyway, because it can't be sure
+ * the object can be of the other type or not
+ */
+ ret = sss_ncache_set_uid(test_ctx->ncache,
+ false,
+ test_ctx->tctx->dom,
+ users[0].uid);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_set_gid(test_ctx->ncache,
+ false,
+ test_ctx->tctx->dom,
+ users[0].uid);
+ assert_int_equal(ret, EOK);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_object_by_id_user_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_user1 = true;
+ test_ctx->create_user2 = false;
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_user_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_id_user_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user.
*/
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+}
+
+void test_object_by_id_user_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_id_group_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 1000, time(NULL));
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_group_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], -1000, time(NULL));
+
+ /* Mock values.
*/
+ /* DP should be contacted */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_group_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ prepare_group(test_ctx->tctx->dom, &groups[0], 50, time(NULL) - 26);
+
+ /* Mock values. */
+ /* DP should be contacted without callback */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 50, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_group_ncache(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ errno_t ret;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup group. We explicitly add the UID into BOTH UID and GID
+ * namespaces, because otherwise the cache_req plugin would
+ * search the Data Provider anyway, because it can't be sure
+ * the object can be of the other type or not
+ */
+ ret = sss_ncache_set_uid(test_ctx->ncache,
+ false,
+ test_ctx->tctx->dom,
+ groups[0].gid);
+ assert_int_equal(ret, EOK);
+
+ ret = sss_ncache_set_gid(test_ctx->ncache,
+ false,
+ test_ctx->tctx->dom,
+ groups[0].gid);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(ret, EOK);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_object_by_id_group_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ test_ctx->create_group1 = true;
+ test_ctx->create_group2 = false;
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], test_ctx->tctx->dom);
+}
+
+void test_object_by_id_group_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ mock_account_recv_simple();
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_id_group_multiple_domains_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+}
+
+void test_object_by_id_group_multiple_domains_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ /* Mock values. */
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ENOENT);
+ assert_true(test_ctx->dp_called);
+}
+
+void test_object_by_id_user_multiple_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+ /* Even though the locator tells us to skip all domains except d, the domains
+ * are standalone and the result of the locator request is only valid within
+ * the subdomains
+ */
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_user_multiple_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], -1000, time(NULL));
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_user_sub_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+
+ /* Even though the ID is present in the last domain,
+ * we're not calling sss_dp_get_account_send,
+ * because the locator will cause cache_req to skip
+ * all domains except _d
+ */
+ assert_false(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_user_sub_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_user_sub_domains_locator_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_user(domain, &users[0], 50, time(NULL) - 26);
+
+ /* Note - DP will only be called once and we're not waiting
+ * for the results (so, we're not mocking _recv)
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 50, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_user_sub_domains_locator_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ test_ctx->create_subuser1 = true;
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_user_sub_domains_locator_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, ERR_NOT_FOUND);
+
+ /* The test won't even ask the DP for the object, just iterate
+ * over the domains using the negative cache and quit
+ */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_object_by_id_user_sub_domains_locator_cache_expired_two_calls(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup user. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ test_ctx->create_subuser1 = true;
+ prepare_user(domain, &users[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, EOK);
+ assert_true(test_ctx->dp_called);
+ check_user(test_ctx, &users[0], domain);
+
+ /* Request the same user again */
+ test_ctx->tctx->done = false;
+ talloc_zfree(test_ctx->result);
+
+ run_object_by_id(test_ctx, NULL, users[0].uid, attrs, 0, EOK);
+ check_user(test_ctx, &users[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_multiple_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+ /* Even though the locator tells us to skip all domains except d, the domains
+ * are standalone and the result of the locator request is only valid within
+ * the subdomains
+ */
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_multiple_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, "responder_cache_req_test_d");
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ "responder_cache_req_test_d", true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], -1000, time(NULL));
+
+ will_return_always(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, EOK);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+ will_return_always(sss_dp_get_account_domain_recv, ERR_GET_ACCT_DOM_NOT_SUPPORTED);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_sub_domains_locator_cache_valid(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 1000, time(NULL));
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+
+ /* Even though the ID is present in the last domain,
+ * we're not calling sss_dp_get_account_send,
+ * because the locator will cause cache_req to skip
+ * all domains except _d
+ */
+ assert_false(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_sub_domains_locator_cache_expired(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_sub_domains_locator_cache_midpoint(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ prepare_group(domain, &groups[0], 50, time(NULL) - 26);
+
+ /* Note - DP will only be called once and we're not waiting
+ * for the results (so, we're not mocking _recv)
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 50, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_sub_domains_locator_missing_found(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test.
*/
+ test_ctx->create_subgroup1 = true;
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ERR_OK);
+
+ assert_true(test_ctx->dp_called);
+
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_object_by_id_group_sub_domains_locator_missing_notfound(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ will_return(sss_dp_get_account_domain_recv, ERR_NOT_FOUND);
+
+ /* The test won't even ask the DP for the object, just iterate
+ * over the domains using the negative cache and quit
+ */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, ENOENT);
+ assert_false(test_ctx->dp_called);
+}
+
+void test_object_by_id_group_sub_domains_locator_cache_expired_two_calls(void **state)
+{
+ struct cache_req_test_ctx *test_ctx = NULL;
+ struct sss_domain_info *domain = NULL;
+ const char *locator_domain;
+ TALLOC_CTX *tmp_ctx;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+
+ test_ctx = talloc_get_type_abort(*state, struct cache_req_test_ctx);
+
+ tmp_ctx = talloc_new(test_ctx);
+ assert_non_null(tmp_ctx);
+
+ /* Has to be a talloc ptr, not just const, so it's stealable inside cache_req */
+ locator_domain = talloc_strdup(tmp_ctx, subdomain_name);
+ assert_non_null(locator_domain);
+
+ /* Setup group. */
+ domain = find_domain_by_name(test_ctx->tctx->dom,
+ subdomain_name,
+ true);
+ assert_non_null(domain);
+ test_ctx->create_subgroup1 = true;
+ prepare_group(domain, &groups[0], -1000, time(NULL));
+
+ /* Note - DP will only be called once (so, we're not using will_return_always)
+ * because the locator will tell us which domain to look into. For the recv
+ * function, we use always b/c internally it mocks several values.
+ */
+ will_return(__wrap_sss_dp_get_account_send, test_ctx);
+ will_return_always(sss_dp_req_recv, 0);
+
+ will_return(sss_dp_get_account_domain_recv, EOK);
+ will_return(sss_dp_get_account_domain_recv, locator_domain);
+
+ /* Test. */
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, EOK);
+ assert_true(test_ctx->dp_called);
+ check_group(test_ctx, &groups[0], domain);
+
+ /* Request the same group again */
+ test_ctx->tctx->done = false;
+ talloc_zfree(test_ctx->result);
+
+ run_object_by_id(test_ctx, NULL, groups[0].gid, attrs, 0, EOK);
+ check_group(test_ctx, &groups[0], domain);
+
+ talloc_free(tmp_ctx);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ new_single_domain_test(user_by_name_cache_valid),
+ new_single_domain_test(user_by_name_cache_expired),
+ new_single_domain_test(user_by_name_cache_midpoint),
+ new_single_domain_test(user_by_name_ncache),
+ new_single_domain_test(user_by_name_missing_found),
+ new_single_domain_test(user_by_name_missing_notfound),
+ new_multi_domain_test(user_by_name_multiple_domains_found),
+ new_multi_domain_test(user_by_name_multiple_domains_notfound),
+ new_multi_domain_test(user_by_name_multiple_domains_parse),
+
+ new_single_domain_test(user_by_upn_cache_valid),
+ new_single_domain_test(user_by_upn_cache_expired),
+ new_single_domain_test(user_by_upn_cache_midpoint),
+ new_single_domain_test(user_by_upn_ncache),
+ new_single_domain_test(user_by_upn_missing_found),
+ new_single_domain_test(user_by_upn_missing_notfound),
+ new_multi_domain_test(user_by_upn_multiple_domains_found),
+ new_multi_domain_test(user_by_upn_multiple_domains_notfound),
+
+ new_single_domain_test(user_by_id_cache_valid),
+ new_single_domain_test(user_by_id_cache_expired),
+ new_single_domain_test(user_by_id_cache_midpoint),
+ new_single_domain_test(user_by_id_ncache),
+
new_single_domain_test(user_by_id_missing_found),
+ new_single_domain_test(user_by_id_missing_notfound),
+ new_multi_domain_test(user_by_id_multiple_domains_found),
+ new_multi_domain_test(user_by_id_multiple_domains_notfound),
+ new_single_domain_id_limit_test(user_by_id_below_id_range),
+ new_single_domain_id_limit_test(user_by_id_above_id_range),
+
+ new_single_domain_test(group_by_name_cache_valid),
+ new_single_domain_test(group_by_name_cache_expired),
+ new_single_domain_test(group_by_name_cache_midpoint),
+ new_single_domain_test(group_by_name_ncache),
+ new_single_domain_test(group_by_name_missing_found),
+ new_single_domain_test(group_by_name_missing_notfound),
+ new_multi_domain_test(group_by_name_multiple_domains_found),
+ new_multi_domain_test(group_by_name_multiple_domains_notfound),
+ new_multi_domain_test(group_by_name_multiple_domains_parse),
+ new_single_domain_id_limit_test(group_by_id_below_id_range),
+ new_single_domain_id_limit_test(group_by_id_above_id_range),
+
+ new_single_domain_test(group_by_id_cache_valid),
+ new_single_domain_test(group_by_id_cache_expired),
+ new_single_domain_test(group_by_id_cache_midpoint),
+ new_single_domain_test(group_by_id_ncache),
+ new_single_domain_test(group_by_id_missing_found),
+ new_single_domain_test(group_by_id_missing_notfound),
+ new_multi_domain_test(group_by_id_multiple_domains_found),
+ new_multi_domain_test(group_by_id_multiple_domains_notfound),
+ new_multi_domain_test(group_by_id_multiple_domains_outside_id_range),
+
+ new_multi_domain_test(group_by_id_multiple_domains_locator_cache_valid),
+ new_multi_domain_test(group_by_id_multiple_domains_locator_cache_expired),
+ new_subdomain_test(group_by_id_sub_domains_locator_cache_valid),
+ new_subdomain_test(group_by_id_sub_domains_locator_cache_expired),
+ new_subdomain_test(group_by_id_sub_domains_locator_cache_midpoint),
+ new_subdomain_test(group_by_id_sub_domains_locator_missing_found),
+
new_subdomain_test(group_by_id_sub_domains_locator_missing_notfound), + new_subdomain_test(group_by_id_sub_domains_locator_cache_expired_two_calls), + + new_multi_domain_test(user_by_id_multiple_domains_locator_cache_valid), + new_multi_domain_test(user_by_id_multiple_domains_locator_cache_expired), + new_subdomain_test(user_by_id_sub_domains_locator_cache_valid), + new_subdomain_test(user_by_id_sub_domains_locator_cache_expired), + new_subdomain_test(user_by_id_sub_domains_locator_cache_midpoint), + new_subdomain_test(user_by_id_sub_domains_locator_missing_found), + new_subdomain_test(user_by_id_sub_domains_locator_missing_notfound), + new_subdomain_test(user_by_id_sub_domains_locator_cache_expired_two_calls), + + new_single_domain_test(user_by_recent_filter_valid), + new_single_domain_test(users_by_recent_filter_valid), + new_single_domain_test(group_by_recent_filter_valid), + new_single_domain_test(groups_by_recent_filter_valid), + + new_single_domain_test(users_by_filter_filter_old), + new_single_domain_test(users_by_filter_notfound), + new_multi_domain_test(users_by_filter_multiple_domains_notfound), + new_single_domain_test(groups_by_filter_notfound), + new_multi_domain_test(groups_by_filter_multiple_domains_notfound), + + new_single_domain_test(object_by_sid_user_cache_valid), + new_single_domain_test(object_by_sid_user_cache_expired), + new_single_domain_test(object_by_sid_user_cache_midpoint), + new_single_domain_test(object_by_sid_user_ncache), + new_single_domain_test(object_by_sid_user_missing_found), + new_single_domain_test(object_by_sid_user_missing_notfound), + new_multi_domain_test(object_by_sid_user_multiple_domains_found), + new_multi_domain_test(object_by_sid_user_multiple_domains_notfound), + + new_single_domain_test(object_by_sid_group_cache_valid), + new_single_domain_test(object_by_sid_group_cache_expired), + new_single_domain_test(object_by_sid_group_cache_midpoint), + new_single_domain_test(object_by_sid_group_ncache), + 
new_single_domain_test(object_by_sid_group_missing_found), + new_single_domain_test(object_by_sid_group_missing_notfound), + new_multi_domain_test(object_by_sid_group_multiple_domains_found), + new_multi_domain_test(object_by_sid_group_multiple_domains_notfound), + + new_single_domain_test(object_by_id_user_cache_valid), + new_single_domain_test(object_by_id_user_cache_expired), + new_single_domain_test(object_by_id_user_cache_midpoint), + new_single_domain_test(object_by_id_user_ncache), + new_single_domain_test(object_by_id_user_missing_found), + new_single_domain_test(object_by_id_user_missing_notfound), + new_multi_domain_test(object_by_id_user_multiple_domains_found), + new_multi_domain_test(object_by_id_user_multiple_domains_notfound), + + new_single_domain_test(object_by_id_group_cache_valid), + new_single_domain_test(object_by_id_group_cache_expired), + new_single_domain_test(object_by_id_group_cache_midpoint), + new_single_domain_test(object_by_id_group_ncache), + new_single_domain_test(object_by_id_group_missing_found), + new_single_domain_test(object_by_id_group_missing_notfound), + new_multi_domain_test(object_by_id_group_multiple_domains_found), + new_multi_domain_test(object_by_id_group_multiple_domains_notfound), + + new_multi_domain_test(object_by_id_user_multiple_domains_locator_cache_valid), + new_multi_domain_test(object_by_id_user_multiple_domains_locator_cache_expired), + new_subdomain_test(object_by_id_user_sub_domains_locator_cache_valid), + new_subdomain_test(object_by_id_user_sub_domains_locator_cache_expired), + new_subdomain_test(object_by_id_user_sub_domains_locator_cache_midpoint), + new_subdomain_test(object_by_id_user_sub_domains_locator_missing_found), + new_subdomain_test(object_by_id_user_sub_domains_locator_missing_notfound), + new_subdomain_test(object_by_id_user_sub_domains_locator_cache_expired_two_calls), + + new_multi_domain_test(object_by_id_group_multiple_domains_locator_cache_valid), + 
new_multi_domain_test(object_by_id_group_multiple_domains_locator_cache_expired), + new_subdomain_test(object_by_id_group_sub_domains_locator_cache_valid), + new_subdomain_test(object_by_id_group_sub_domains_locator_cache_expired), + new_subdomain_test(object_by_id_group_sub_domains_locator_cache_midpoint), + new_subdomain_test(object_by_id_group_sub_domains_locator_missing_found), + new_subdomain_test(object_by_id_group_sub_domains_locator_missing_notfound), + new_subdomain_test(object_by_id_group_sub_domains_locator_cache_expired_two_calls), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_responder_common.c b/src/tests/cmocka/test_responder_common.c new file mode 100644 index 0000000..632f81b --- /dev/null +++ b/src/tests/cmocka/test_responder_common.c 
@@ -0,0 +1,399 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: Common responder code tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_resp.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_responder_conf.ldb"
+#define TEST_DOM_NAME "responder_test"
+#define TEST_ID_PROVIDER "ldap"
+
+#define NAME "username"
+
+/* register_cli_protocol_version is required in test since it links with
+ * responder_common.c module
+ */
+struct cli_protocol_version *register_cli_protocol_version(void)
+{
+ static struct cli_protocol_version responder_test_cli_protocol_version[] = {
+ { 0, NULL, NULL }
+ };
+
+ return responder_test_cli_protocol_version;
+}
+
+static void
+mock_sss_dp_done(struct tevent_context *ev,
+ struct tevent_immediate *imm,
+ void *pvt);
+
+errno_t
+__wrap_sss_dp_issue_request(TALLOC_CTX *mem_ctx, struct resp_ctx *rctx,
+ const char *strkey, struct sss_domain_info *dom,
+ dbus_msg_constructor msg_create, void *pvt,
+ struct tevent_req *nreq)
+{
+ struct tevent_immediate *imm;
+
+ imm = tevent_create_immediate(rctx->ev);
+ if (imm == NULL) {
+ return ENOMEM;
+ }
+ tevent_schedule_immediate(imm, rctx->ev, mock_sss_dp_done, nreq);
+ return EOK;
+}
+
+static void
+mock_sss_dp_done(struct tevent_context *ev,
+ struct tevent_immediate *imm,
+ void *pvt)
+{
+ struct tevent_req *req;
+
+ talloc_free(imm);
+ req = talloc_get_type(pvt, struct tevent_req);
+ tevent_req_done(req);
+}
+
+errno_t
+__wrap_sss_dp_req_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *sidereq,
+ dbus_uint16_t *dp_err,
+ dbus_uint32_t *dp_ret,
+ char **err_msg)
+{
+ return EOK;
+}
+
+struct parse_inp_test_ctx {
+ struct sss_test_ctx *tctx;
+ struct resp_ctx *rctx;
+};
+
+static int parse_inp_test_setup(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx;
+ int ret;
+
+ assert_true(leak_check_setup());
+ parse_inp_ctx = talloc_zero(global_talloc_context, struct parse_inp_test_ctx);
+ assert_non_null(parse_inp_ctx);
+
+ parse_inp_ctx->tctx = create_dom_test_ctx(parse_inp_ctx, TESTS_PATH,
+ TEST_CONF_DB, TEST_DOM_NAME,
+ TEST_ID_PROVIDER, NULL);
+ assert_non_null(parse_inp_ctx->tctx);
+
+ parse_inp_ctx->rctx = mock_rctx(parse_inp_ctx,
+ parse_inp_ctx->tctx->ev,
+ parse_inp_ctx->tctx->dom,
+ parse_inp_ctx);
+ assert_non_null(parse_inp_ctx->rctx);
+
+ /* Testing the request race condition should be a special case */
+ gettimeofday(&parse_inp_ctx->rctx->get_domains_last_call, NULL);
+
+ /* sysdb_master_domain_update sets the view name, if we do not call it
+ * here we get a leak check warning when sysdb_master_domain_update is
+ * called later while processing the tests. */
+ ret = sysdb_master_domain_update(parse_inp_ctx->tctx->dom);
+ assert_int_equal(ret, EOK);
+
+ check_leaks_push(parse_inp_ctx);
+ *state = parse_inp_ctx;
+ return 0;
+}
+
+static int parse_inp_test_teardown(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+
+ assert_true(check_leaks_pop(parse_inp_ctx) == true);
+
+ talloc_free(parse_inp_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+int __real_sss_parse_name_for_domains(TALLOC_CTX *memctx,
+ struct sss_domain_info *domains,
+ const char *default_domain,
+ const char *orig, char **domain, char **name);
+
+int __wrap_sss_parse_name_for_domains(TALLOC_CTX *memctx,
+ struct sss_domain_info *domains,
+ const char *default_domain,
+ const char *orig, char **domain, char **name)
+{
+ enum sss_test_wrapper_call wtype = sss_mock_type(enum sss_test_wrapper_call);
+ errno_t ret;
+
+ if (wtype == WRAP_CALL_REAL) {
+ return __real_sss_parse_name_for_domains(memctx, domains,
+ default_domain, orig,
+ domain, name);
+ }
+
+ ret = sss_mock_type(errno_t);
+ return ret;
+}
+
+void parse_inp_simple_done(struct tevent_req *req)
+{
+ errno_t ret;
+ struct parse_inp_test_ctx *parse_inp_ctx =
+ tevent_req_callback_data(req, struct parse_inp_test_ctx);
+ char *name = NULL;
+ char *domname = NULL;
+
+ ret = sss_parse_inp_recv(req, parse_inp_ctx, &name, &domname);
+ assert_int_equal(ret, EOK);
+
+ test_ev_done(parse_inp_ctx->tctx, EOK);
+ talloc_free(req);
+
+ assert_string_equal(name, NAME);
+ assert_null(domname);
+ talloc_free(name);
+}
+
+void parse_inp_simple(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+
+ will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
+
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
+ assert_non_null(req);
+ tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
+
+ ret = test_ev_loop(parse_inp_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void parse_inp_call_dp(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+
+ /* First call will indicate we need to go to DP */
+ will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_parse_name_for_domains, EAGAIN);
+ /* The second one will succeed as the domains are up-to-date */
+ will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
+
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
+ assert_non_null(req);
+ tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
+
+ ret = test_ev_loop(parse_inp_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void parse_inp_call_attach(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+
+ /* simulate responder startup */
+ parse_inp_ctx->rctx->get_domains_last_call.tv_sec = 0;
+
+ /* The first parse wouldn't be called, the second one will succeed
+ * as the domains are up-to-date */
+ will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_REAL);
+
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
+ assert_non_null(req);
+ tevent_req_set_callback(req, parse_inp_simple_done, parse_inp_ctx);
+
+ ret = test_ev_loop(parse_inp_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+void parse_inp_neg_done(struct tevent_req *req)
+{
+ errno_t ret;
+ struct parse_inp_test_ctx *parse_inp_ctx =
+ tevent_req_callback_data(req, struct parse_inp_test_ctx);
+ char *name = NULL;
+ char *domname = NULL;
+
+ ret = sss_parse_inp_recv(req, parse_inp_ctx, &name, &domname);
+ assert_int_equal(ret, ERR_INPUT_PARSE);
+ test_ev_done(parse_inp_ctx->tctx, EOK);
+ talloc_free(req);
+
+ assert_null(name);
+ assert_null(domname);
+}
+
+void parse_inp_call_neg(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ struct tevent_req *req;
+ errno_t ret;
+
+ /* Simulate an error */
+ will_return(__wrap_sss_parse_name_for_domains, WRAP_CALL_WRAPPER);
+ will_return(__wrap_sss_parse_name_for_domains, EINVAL);
+
+ req = sss_parse_inp_send(parse_inp_ctx, parse_inp_ctx->rctx,
+ parse_inp_ctx->rctx->default_domain, NAME);
+ assert_non_null(req);
+ tevent_req_set_callback(req, parse_inp_neg_done, parse_inp_ctx);
+
+ ret = test_ev_loop(parse_inp_ctx->tctx);
+ assert_int_equal(ret, EOK);
+}
+
+struct sss_nc_ctx {
+ struct parse_inp_test_ctx *pctx;
+};
+
+errno_t __wrap_sss_ncache_reset_repopulate_permanent(struct resp_ctx *rctx,
+ struct sss_nc_ctx *dummy_ncache_ptr)
+{
+ test_ev_done(dummy_ncache_ptr->pctx->tctx, EOK);
+ return EOK;
+}
+
+void test_schedule_get_domains_task(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ errno_t ret;
+ struct sss_nc_ctx *dummy_ncache_ptr;
+
+ dummy_ncache_ptr = talloc(parse_inp_ctx, struct sss_nc_ctx);
+ assert_non_null(dummy_ncache_ptr);
+ dummy_ncache_ptr->pctx = parse_inp_ctx;
+
+ ret = schedule_get_domains_task(dummy_ncache_ptr,
+ parse_inp_ctx->rctx->ev,
+ parse_inp_ctx->rctx,
+ dummy_ncache_ptr);
+ assert_int_equal(ret, EOK);
+
+ ret = test_ev_loop(parse_inp_ctx->tctx);
+ assert_int_equal(ret, EOK);
+ talloc_free(dummy_ncache_ptr);
+}
+
+void test_sss_output_fqname(void **state)
+{
+ struct parse_inp_test_ctx *parse_inp_ctx = talloc_get_type(*state,
+ struct parse_inp_test_ctx);
+ errno_t ret;
+ struct sized_string *res = NULL;
+
+ ret = sized_output_name(parse_inp_ctx, parse_inp_ctx->rctx, "dummy",
+ parse_inp_ctx->tctx->dom, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ assert_string_equal("dummy", res->str);
+ assert_int_equal(6, res->len);
+
+ talloc_zfree(res);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(parse_inp_simple,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
+ cmocka_unit_test_setup_teardown(parse_inp_call_dp,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
+ cmocka_unit_test_setup_teardown(parse_inp_call_attach,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
+ cmocka_unit_test_setup_teardown(parse_inp_call_neg,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
+ cmocka_unit_test_setup_teardown(test_schedule_get_domains_task,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
+ cmocka_unit_test_setup_teardown(test_sss_output_fqname,
+ parse_inp_test_setup,
+ parse_inp_test_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+ return rv;
+}
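Review bot: The file-local `struct sss_nc_ctx` defined just above `__wrap_sss_ncache_reset_repopulate_permanent` carries only a `pctx` back-pointer, yet `test_schedule_get_domains_task` hands it to `schedule_get_domains_task` as the negative-cache argument with nothing explaining why that is safe. The test holds only as long as the wrapper is the sole consumer of that pointer; if the scheduled task ever passed it to a non-wrapped ncache function, that code would read it under a different layout (presumably the responder's real negative-cache context, which is not visible here). I would add a comment on the struct such as `/* Test-only stand-in for the opaque ncache type; only the __wrap_ function below may dereference it */`.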
diff --git a/src/tests/cmocka/test_sbus_opath.c b/src/tests/cmocka/test_sbus_opath.c
new file mode 100644
index 0000000..51bb35b
--- /dev/null
+++ b/src/tests/cmocka/test_sbus_opath.c
@@ -0,0 +1,310 @@
+/*
+ Authors:
+ Jakub Hrozek
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "sbus/sssd_dbus.h"
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+
+#define BASE_PATH "/some/path"
+
+void test_sbus_opath_strip_prefix(void **state)
+{
+ const char *prefix = "/org/freedesktop/sssd/";
+ const char *path = "/org/freedesktop/sssd/infopipe";
+ const char *strip;
+
+ strip = sbus_opath_strip_prefix(path, prefix);
+ assert_non_null(prefix);
+ assert_string_equal(strip, "infopipe");
+
+ strip = sbus_opath_strip_prefix("/other/path", prefix);
+ assert_null(strip);
+}
+
+void test_sbus_opath_escape_unescape(void **state)
+{
+ char *escaped;
+ char *raw;
+ TALLOC_CTX *mem_ctx;
+
+ assert_true(leak_check_setup());
+ mem_ctx = talloc_new(global_talloc_context);
+
+ escaped = sbus_opath_escape_part(mem_ctx, "noescape");
+ assert_non_null(escaped);
+ assert_string_equal(escaped, "noescape");
+ raw = sbus_opath_unescape_part(mem_ctx, escaped);
+ talloc_free(escaped);
+ assert_non_null(raw);
+ assert_string_equal(raw, "noescape");
+ talloc_free(raw);
+
+ escaped = sbus_opath_escape_part(mem_ctx, "redhat.com");
+ assert_non_null(escaped);
+ assert_string_equal(escaped, "redhat_2ecom"); /* dot is 0x2E in ASCII */
+ raw = sbus_opath_unescape_part(mem_ctx, escaped);
+ talloc_free(escaped);
+ assert_non_null(raw);
+ assert_string_equal(raw, "redhat.com");
+ talloc_free(raw);
+
+ escaped = sbus_opath_escape_part(mem_ctx, "path_with_underscore");
+ assert_non_null(escaped);
+ /* underscore is 0x5F in ASCII */
+ assert_string_equal(escaped, "path_5fwith_5funderscore");
+ raw = sbus_opath_unescape_part(mem_ctx, escaped);
+ talloc_free(escaped);
+ assert_non_null(raw);
+ assert_string_equal(raw, "path_with_underscore");
+ talloc_free(raw);
+
+ /* empty string */
+ escaped = sbus_opath_escape_part(mem_ctx, "");
+ assert_non_null(escaped);
+ assert_string_equal(escaped, "_");
+ raw = sbus_opath_unescape_part(mem_ctx, escaped);
+ talloc_free(escaped);
+ assert_non_null(raw);
+ assert_string_equal(raw, "");
+ talloc_free(raw);
+
+ /* negative tests */
+ escaped = sbus_opath_escape_part(mem_ctx, NULL);
+ assert_null(escaped);
+ raw = sbus_opath_unescape_part(mem_ctx, "wrongpath_");
+ assert_null(raw);
+
+ assert_true(leak_check_teardown());
+}
+
+void test_sbus_opath_compose(void **state)
+{
+ char *path;
+
+ /* Doesn't need escaping */
+ path = sbus_opath_compose(NULL, BASE_PATH, "domname");
+ assert_non_null(path);
+ assert_string_equal(path, BASE_PATH "/domname");
+ talloc_free(path);
+}
+
+void test_sbus_opath_compose_escape(void **state)
+{
+ char *path;
+
+ /* A dot needs escaping */
+ path = sbus_opath_compose(NULL, BASE_PATH, "redhat.com", NULL);
+ assert_non_null(path);
+ assert_string_equal(path, BASE_PATH "/redhat_2ecom");
+ talloc_free(path);
+}
+
+static void check_opath_components(char **input,
+ const char **expected)
+{
+ int i;
+
+ assert_non_null(input);
+ assert_non_null(expected);
+
+ for (i = 0; input[i] != NULL; i++) {
+ assert_non_null(input[i]);
+ assert_non_null(expected[i]);
+ assert_string_equal(input[i], expected[i]);
+ }
+
+ assert_null(input[i]);
+ assert_null(expected[i]);
+}
+
+static void check_opath_components_and_length(char **input,
+ size_t input_len,
+ const char **expected,
+ size_t expected_len)
+{
+ assert_true(input_len == expected_len);
+ check_opath_components(input, expected);
+}
+
+void test_sbus_opath_decompose_noprefix(void **state)
+{
+ const char *path = "/object/path/parts";
+ const char *expected[] = {"object", "path", "parts", NULL};
+ size_t expected_len = sizeof(expected) / sizeof(char *) - 1;
+ char **components;
+ size_t len;
+ errno_t ret;
+
+ ret = sbus_opath_decompose(NULL, path, NULL, &components, &len);
+ assert_int_equal(ret, EOK);
+ check_opath_components_and_length(components, len, expected, expected_len);
+ talloc_free(components);
+}
+
+void test_sbus_opath_decompose_prefix(void **state)
+{
+ const char *path = "/object/path/parts";
+ const char *expected[] = {"parts", NULL};
+ size_t expected_len = sizeof(expected) / sizeof(char *) - 1;
+ char **components;
+ size_t len;
+ errno_t ret;
+
+ ret = sbus_opath_decompose(NULL, path, "/object/path", &components, &len);
+ assert_int_equal(ret, EOK);
+ check_opath_components_and_length(components, len, expected, expected_len);
+ talloc_free(components);
+}
+
+void test_sbus_opath_decompose_prefix_slash(void **state)
+{
+ const char *path = "/object/path/parts";
+ const char *expected[] = {"parts", NULL};
+ size_t expected_len = sizeof(expected) / sizeof(char *) - 1;
+ char **components;
+ size_t len;
+ errno_t ret;
+
+ ret = sbus_opath_decompose(NULL, path, "/object/path/", &components, &len);
+ assert_int_equal(ret, EOK);
+ check_opath_components_and_length(components, len, expected, expected_len);
+ talloc_free(components);
+}
+
+void test_sbus_opath_decompose_wrong_prefix(void **state)
+{
+ const char *path = "/object/path/parts";
+ char **components;
+ size_t len;
+ errno_t ret;
+
+ ret = sbus_opath_decompose(NULL, path, "/wrong/prefix", &components, &len);
+ assert_int_equal(ret, ERR_SBUS_INVALID_PATH);
+}
+
+void test_sbus_opath_decompose_escaped(void **state)
+{
+ const char *path = "/object/redhat_2ecom";
+ const char *expected[] = {"object", "redhat.com", NULL};
+ size_t expected_len = sizeof(expected) / sizeof(char *) - 1;
+ char **components;
+ size_t len;
+ errno_t ret;
+
+ ret = sbus_opath_decompose(NULL, path, NULL, &components, &len);
+ assert_int_equal(ret, EOK);
+ check_opath_components_and_length(components, len, expected, expected_len);
+ talloc_free(components);
+}
+
+void test_sbus_opath_decompose_exact_correct(void **state)
+{
+ const char *path = "/object/path/parts";
+ const char *expected[] = {"object", "path", "parts", NULL};
+ char **components;
+ errno_t ret;
+
+ ret = sbus_opath_decompose_exact(NULL, path, NULL, 3, &components);
+ assert_int_equal(ret, EOK);
+ check_opath_components(components, expected);
+ talloc_free(components);
+}
+
+void test_sbus_opath_decompose_exact_wrong(void **state)
+{
+ const char *path = "/object/path/parts";
+ char **components;
+ errno_t ret;
+
+ ret = sbus_opath_decompose_exact(NULL, path, NULL, 2, &components);
+ assert_int_equal(ret, ERR_SBUS_INVALID_PATH);
+}
+
+void test_sbus_opath_get_object_name(void **state)
+{
+ const char *path = BASE_PATH "/redhat_2ecom";
+ char *name;
+
+ name = sbus_opath_get_object_name(NULL, path, BASE_PATH);
+ assert_non_null(name);
+ assert_string_equal(name, "redhat.com");
+ talloc_free(name);
+
+ name = sbus_opath_get_object_name(NULL, path, BASE_PATH "/");
+ assert_non_null(name);
+ assert_string_equal(name, "redhat.com");
+ talloc_free(name);
+
+ name = sbus_opath_get_object_name(NULL, BASE_PATH, BASE_PATH);
+ assert_null(name);
+
+ name = sbus_opath_get_object_name(NULL, "invalid", BASE_PATH);
+ assert_null(name);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_sbus_opath_strip_prefix),
+ cmocka_unit_test(test_sbus_opath_escape_unescape),
+ cmocka_unit_test(test_sbus_opath_compose),
+ cmocka_unit_test(test_sbus_opath_compose_escape),
+ cmocka_unit_test(test_sbus_opath_decompose_noprefix),
+ cmocka_unit_test(test_sbus_opath_decompose_prefix),
+ cmocka_unit_test(test_sbus_opath_decompose_prefix_slash),
+ cmocka_unit_test(test_sbus_opath_decompose_wrong_prefix),
+ cmocka_unit_test(test_sbus_opath_decompose_escaped),
+ cmocka_unit_test(test_sbus_opath_decompose_exact_correct),
+ cmocka_unit_test(test_sbus_opath_decompose_exact_wrong),
+ cmocka_unit_test(test_sbus_opath_get_object_name)
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_sdap.c b/src/tests/cmocka/test_sdap.c
new file mode 100644
index 0000000..06e9f6d
--- /dev/null
+++ b/src/tests/cmocka/test_sdap.c
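Review bot: In `test_sbus_opath_strip_prefix` (test_sbus_opath.c) the check after the first `sbus_opath_strip_prefix` call is `assert_non_null(prefix);`, which tests the string literal passed in rather than the returned pointer, so it can never fail. If the function returned NULL for a matching prefix, the following `assert_string_equal(strip, "infopipe")` would receive a null pointer instead of the test failing cleanly at the intended check. The line should read `assert_non_null(strip);`.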
@@ -0,0 +1,1221 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "providers/ldap/ldap_opts.h" +#include "providers/ipa/ipa_opts.h" +#include "util/crypto/sss_crypto.h" + +/* mock an LDAP entry */ +struct mock_ldap_attr { + const char *name; + const char **values; +}; + +struct mock_ldap_entry { + const char *dn; + struct mock_ldap_attr *attrs; +}; + +struct mock_ldap_entry *global_ldap_entry; + +static int mock_ldap_entry_iter(void) +{ + return sss_mock_type(int); +} + +static struct mock_ldap_entry *mock_ldap_entry_get(void) +{ + return sss_mock_ptr_type(struct mock_ldap_entry *); +} + +void set_entry_parse(struct mock_ldap_entry *entry) +{ + will_return_always(mock_ldap_entry_get, entry); +} + +LDAPDerefRes *mock_deref_res(TALLOC_CTX *mem_ctx, + struct mock_ldap_entry *entry) +{ + LDAPDerefRes *dref; + LDAPDerefVal *dval, *dvaltail = NULL; + size_t nattr; + size_t nval; + + dref = talloc_zero(mem_ctx, LDAPDerefRes); + assert_non_null(dref); + + dref->derefVal.bv_val = talloc_strdup(dref, entry->dn); + assert_non_null(dref->derefVal.bv_val); + dref->derefVal.bv_len = strlen(entry->dn); + + if (entry->attrs == NULL) { + /* no attributes, done */ + return dref; + } + + for (nattr = 0; entry->attrs[nattr].name; nattr++) { + dval = talloc_zero(dref, LDAPDerefVal); + 
assert_non_null(dval); + + dval->type = talloc_strdup(dval, entry->attrs[nattr].name); + assert_non_null(dval->type); + + for (nval = 0; entry->attrs[nattr].values[nval]; nval++); + + dval->vals = talloc_zero_array(dval, struct berval, nval+1); + assert_non_null(dval->vals); + for (nval = 0; entry->attrs[nattr].values[nval]; nval++) { + dval->vals[nval].bv_val = talloc_strdup(dval->vals, + entry->attrs[nattr].values[nval]); + assert_non_null(dval->vals[nval].bv_val); + dval->vals[nval].bv_len = strlen(dval->vals[nval].bv_val); + } + + if (dvaltail != NULL) { + dvaltail->next = dval; + dvaltail = dvaltail->next; + } else { + dvaltail = dval; + dref->attrVals = dval; + } + } + + return dref; +} + +/* libldap wrappers */ +int __wrap_ldap_set_option(LDAP *ld, + int option, + void *invalue) +{ + return LDAP_OPT_SUCCESS; +} + +char *__wrap_ldap_get_dn(LDAP *ld, LDAPMessage *entry) +{ + struct mock_ldap_entry *ldap_entry = mock_ldap_entry_get(); + return discard_const(ldap_entry->dn); +} + +void __wrap_ldap_memfree(void *p) +{ + return; +} + +struct berval **__wrap_ldap_get_values_len(LDAP *ld, + LDAPMessage *entry, + LDAP_CONST char *target) +{ + size_t count, i; + struct berval **vals; + const char **attrvals; + struct mock_ldap_entry *ldap_entry = mock_ldap_entry_get(); + + if (target == NULL) return NULL; + if (ldap_entry == NULL) return NULL; + /* Should we return empty array here? 
*/ + if (ldap_entry->attrs == NULL) return NULL; + + attrvals = NULL; + for (i = 0; ldap_entry->attrs[i].name != NULL; i++) { + if (strcmp(ldap_entry->attrs[i].name, target) == 0) { + attrvals = ldap_entry->attrs[i].values; + break; + } + } + + if (attrvals == NULL) { + return NULL; + } + + count = 0; + for (i = 0; attrvals[i]; i++) { + count++; + } + + vals = talloc_zero_array(global_talloc_context, + struct berval *, + count + 1); + assert_non_null(vals); + + for (i = 0; attrvals[i]; i++) { + vals[i] = talloc_zero(vals, struct berval); + assert_non_null(vals[i]); + + vals[i]->bv_val = talloc_strdup(vals[i], attrvals[i]); + if (vals[i]->bv_val == NULL) { + talloc_free(vals); + return NULL; + } + vals[i]->bv_len = strlen(attrvals[i]); + } + + return vals; +} + +void __wrap_ldap_value_free_len(struct berval **vals) +{ + talloc_free(vals); /* Allocated on global_talloc_context */ +} + +char *__wrap_ldap_first_attribute(LDAP *ld, + LDAPMessage *entry, + BerElement **berout) +{ + struct mock_ldap_entry *ldap_entry = mock_ldap_entry_get(); + + if (ldap_entry == NULL) return NULL; + if (ldap_entry->attrs == NULL) return NULL; + + will_return(mock_ldap_entry_iter, 1); + return discard_const(ldap_entry->attrs[0].name); +} + +char *__wrap_ldap_next_attribute(LDAP *ld, + LDAPMessage *entry, + BerElement *ber) +{ + struct mock_ldap_entry *ldap_entry = mock_ldap_entry_get(); + + int idx = mock_ldap_entry_iter(); + char *val; + + val = discard_const(ldap_entry->attrs[idx].name); + if (val != NULL) { + will_return(mock_ldap_entry_iter, idx + 1); + } + return val; +} + +/* Mock parsing search base without overlinking the test */ +errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx, + struct dp_option *opts, int class, + struct sdap_search_base ***_search_bases) +{ + return EOK; +} + +/* Utility function */ +void assert_entry_has_attr(struct sysdb_attrs *attrs, + const char *attr, + const char *value) +{ + const char *v; + int ret; + + ret = sysdb_attrs_get_string(attrs, attr, &v); 
+ assert_int_equal(ret, ERR_OK); + assert_non_null(v); + assert_string_equal(v, value); +} + +void assert_entry_has_no_attr(struct sysdb_attrs *attrs, + const char *attr) +{ + int ret; + const char *v; + ret = sysdb_attrs_get_string(attrs, attr, &v); + assert_int_equal(ret, ENOENT); +} + +struct parse_test_ctx { + struct sdap_handle sh; + struct sdap_msg sm; +}; + +static int parse_entry_test_setup(void **state) +{ + struct parse_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct parse_test_ctx); + assert_non_null(test_ctx); + + check_leaks_push(test_ctx); + *state = test_ctx; + return 0; +} + +static int parse_entry_test_teardown(void **state) +{ + struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct parse_test_ctx); + + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +void test_parse_with_map(void **state) +{ + int ret; + struct sysdb_attrs *attrs; + struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct parse_test_ctx); + struct mock_ldap_entry test_ipa_user; + struct sdap_attr_map *map; + struct ldb_message_element *el; + uint8_t *decoded_key; + size_t key_len; + + const char *oc_values[] = { "posixAccount", NULL }; + const char *uid_values[] = { "tuser1", NULL }; + const char *extra_values[] = { "extra", NULL }; + const char *multi_values[] = { "svc1", "svc2", NULL }; + const char *ssh_values[] = { "1234", NULL }; + struct mock_ldap_attr test_ipa_user_attrs[] = { + { .name = "objectClass", .values = oc_values }, + { .name = "uid", .values = uid_values }, + { .name = "extra", .values = extra_values }, + { .name = "authorizedService", .values = multi_values }, + { .name = "ipaSshPubKey", .values = ssh_values }, + { NULL, NULL } + }; + + test_ipa_user.dn = "cn=testuser,dc=example,dc=com"; + test_ipa_user.attrs = test_ipa_user_attrs; + set_entry_parse(&test_ipa_user); + + ret = 
sdap_copy_map(test_ctx, ipa_user_map, SDAP_OPTS_USER, &map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_USER,
+ &attrs, false);
+ assert_int_equal(ret, ERR_OK);
+
+ assert_int_equal(attrs->num, 4);
+
+ /* Every entry has a DN */
+ assert_entry_has_attr(attrs, SYSDB_ORIG_DN,
+ "cn=testuser,dc=example,dc=com");
+ /* Test the single-valued attribute */
+ assert_entry_has_attr(attrs, SYSDB_NAME, "tuser1");
+
+ /* Multivalued attributes must return all values */
+ ret = sysdb_attrs_get_el_ext(attrs, SYSDB_AUTHORIZED_SERVICE, false, &el);
+ assert_int_equal(ret, ERR_OK);
+ assert_int_equal(el->num_values, 2);
+ assert_true((strcmp((const char *) el->values[0].data, "svc1") == 0 &&
+ strcmp((const char *) el->values[1].data, "svc2") == 0) ||
+ (strcmp((const char *) el->values[1].data, "svc1") == 0 &&
+ strcmp((const char *) el->values[0].data, "svc2") == 0));
+
+ /* The SSH attribute must be base64 encoded */
+ ret = sysdb_attrs_get_el_ext(attrs, SYSDB_SSH_PUBKEY, false, &el);
+ assert_int_equal(ret, ERR_OK);
+ assert_int_equal(el->num_values, 1);
+ decoded_key = sss_base64_decode(test_ctx,
+ (const char *)el->values[0].data,
+ &key_len);
+ assert_non_null(decoded_key);
+ assert_memory_equal(decoded_key, "1234", key_len);
+
+ /* The extra attribute must not be downloaded, it's not present in map */
+ assert_entry_has_no_attr(attrs, "extra");
+
+ talloc_free(decoded_key);
+ talloc_free(map);
+ talloc_free(attrs);
+}
+
+/* Some searches, like rootDSE search do not use any map */
+void test_parse_no_map(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_nomap_entry;
+ struct ldb_message_element *el;
+
+ const char *foo_values[] = { "fooval1", "fooval2", NULL };
+ const char *bar_values[] = { "barval1", NULL };
+ struct mock_ldap_attr test_nomap_entry_attrs[] = {
+ { .name =
"foo", .values = foo_values },
+ { .name = "bar", .values = bar_values },
+ { NULL, NULL }
+ };
+
+ test_nomap_entry.dn = "cn=testentry,dc=example,dc=com";
+ test_nomap_entry.attrs = test_nomap_entry_attrs;
+ set_entry_parse(&test_nomap_entry);
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ NULL, 0, &attrs, false);
+ assert_int_equal(ret, ERR_OK);
+
+ assert_int_equal(attrs->num, 3);
+ assert_entry_has_attr(attrs, SYSDB_ORIG_DN,
+ "cn=testentry,dc=example,dc=com");
+ assert_entry_has_attr(attrs, "bar", "barval1");
+ /* Multivalued attributes must return all values */
+ ret = sysdb_attrs_get_el_ext(attrs, "foo", false, &el);
+ assert_int_equal(ret, ERR_OK);
+ assert_int_equal(el->num_values, 2);
+ assert_true((strcmp((const char *) el->values[0].data, "fooval1") == 0 &&
+ strcmp((const char *) el->values[1].data, "fooval2") == 0) ||
+ (strcmp((const char *) el->values[1].data, "fooval1") == 0 &&
+ strcmp((const char *) el->values[0].data, "fooval2") == 0));
+
+
+ talloc_free(attrs);
+}
+
+/* Only DN and OC, no real attributes */
+void test_parse_no_attrs(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_rfc2307_user;
+ struct sdap_attr_map *map;
+
+ const char *oc_values[] = { "posixAccount", NULL };
+ struct mock_ldap_attr test_rfc2307_user_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { NULL, NULL }
+ };
+
+ test_rfc2307_user.dn = "cn=testuser,dc=example,dc=com";
+ test_rfc2307_user.attrs = test_rfc2307_user_attrs;
+ set_entry_parse(&test_rfc2307_user);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_USER,
+ &attrs, false);
+ assert_int_equal(ret, ERR_OK);
+
+ assert_int_equal(attrs->num, 1);
+ assert_entry_has_attr(attrs, SYSDB_ORIG_DN,
+
"cn=testuser,dc=example,dc=com");
+
+ talloc_free(map);
+ talloc_free(attrs);
+}
+
+void test_parse_dups(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_dupattr_user;
+ struct sdap_attr_map *map;
+ int i;
+
+ const char *oc_values[] = { "posixAccount", NULL };
+ const char *uid_values[] = { "1234", NULL };
+ struct mock_ldap_attr test_dupattr_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { .name = "idNumber", .values = uid_values },
+ { NULL, NULL }
+ };
+
+ test_dupattr_user.dn = "cn=dupuser,dc=example,dc=com";
+ test_dupattr_user.attrs = test_dupattr_attrs;
+ set_entry_parse(&test_dupattr_user);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &map);
+ assert_int_equal(ret, ERR_OK);
+ /* Set both uidNumber and gidNumber to idNumber */
+ for (i = 0; i < SDAP_OPTS_USER; i++) {
+ if (map[i].name == NULL) continue;
+
+ if (strcmp(map[i].name, "uidNumber") == 0
+ || strcmp(map[i].name, "gidNumber") == 0) {
+ map[i].name = discard_const("idNumber");
+ }
+ }
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_USER,
+ &attrs, false);
+ assert_int_equal(ret, ERR_OK);
+
+ assert_int_equal(attrs->num, 3);
+
+ /* Every entry has a DN */
+ assert_entry_has_attr(attrs, SYSDB_ORIG_DN,
+ "cn=dupuser,dc=example,dc=com");
+ /* Test the single-valued attribute */
+ assert_entry_has_attr(attrs, SYSDB_UIDNUM, "1234");
+ assert_entry_has_attr(attrs, SYSDB_GIDNUM, "1234");
+
+ talloc_free(map);
+ talloc_free(attrs);
+}
+
+void test_parse_deref(void **state)
+{
+ errno_t ret;
+ struct sdap_attr_map_info minfo;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct sdap_deref_attrs **res;
+ LDAPDerefRes *dref;
+
+ const char *oc_values[] = { "posixAccount", NULL };
+ const char *uid_values[] = { "tuser1", NULL };
+ const char *extra_values[] = {
"extra", NULL };
+ struct mock_ldap_attr test_ipa_user_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { .name = "uid", .values = uid_values },
+ { .name = "extra", .values = extra_values },
+ { NULL, NULL }
+ };
+ struct mock_ldap_entry test_ipa_user;
+ test_ipa_user.dn = "cn=testuser,dc=example,dc=com";
+ test_ipa_user.attrs = test_ipa_user_attrs;
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &minfo.map);
+ minfo.num_attrs = SDAP_OPTS_USER;
+ assert_int_equal(ret, ERR_OK);
+
+ dref = mock_deref_res(test_ctx, &test_ipa_user);
+ assert_non_null(dref);
+
+ ret = sdap_parse_deref(test_ctx, &minfo, 1, dref, &res);
+ talloc_free(dref);
+ talloc_free(minfo.map);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(res);
+
+ /* The extra attribute must not be downloaded, it's not present in map */
+ assert_non_null(res[0]);
+ assert_true(res[0]->map == minfo.map);
+
+ assert_entry_has_attr(res[0]->attrs, SYSDB_ORIG_DN,
+ "cn=testuser,dc=example,dc=com");
+ assert_entry_has_attr(res[0]->attrs, SYSDB_NAME, "tuser1");
+ assert_entry_has_no_attr(res[0]->attrs, "extra");
+ talloc_free(res);
+}
+
+void test_parse_deref_no_attrs(void **state)
+{
+ errno_t ret;
+ struct sdap_attr_map_info minfo;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct sdap_deref_attrs **res;
+ LDAPDerefRes *dref;
+
+ struct mock_ldap_entry test_ipa_user;
+ test_ipa_user.dn = "cn=testuser,dc=example,dc=com";
+ test_ipa_user.attrs = NULL;
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &minfo.map);
+ minfo.num_attrs = SDAP_OPTS_USER;
+ assert_int_equal(ret, ERR_OK);
+
+ dref = mock_deref_res(test_ctx, &test_ipa_user);
+ assert_non_null(dref);
+
+ ret = sdap_parse_deref(test_ctx, &minfo, 1, dref, &res);
+ talloc_free(dref);
+ talloc_free(minfo.map);
+ assert_int_equal(ret, ERR_OK);
+ assert_null(res); /* res must be NULL on receiving no attributes */
+}
+
+void test_parse_deref_map_mismatch(void
**state)
+{
+ errno_t ret;
+ struct sdap_attr_map_info minfo;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct sdap_deref_attrs **res;
+ LDAPDerefRes *dref;
+
+ const char *oc_values[] = { "posixAccount", NULL };
+ const char *uid_values[] = { "tuser1", NULL };
+ struct mock_ldap_attr test_ipa_user_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { .name = "uid", .values = uid_values },
+ { NULL, NULL }
+ };
+ struct mock_ldap_entry test_ipa_user;
+ test_ipa_user.dn = "cn=testuser,dc=example,dc=com";
+ test_ipa_user.attrs = test_ipa_user_attrs;
+
+ ret = sdap_copy_map(test_ctx, rfc2307_group_map, SDAP_OPTS_GROUP, &minfo.map);
+ minfo.num_attrs = SDAP_OPTS_GROUP;
+ assert_int_equal(ret, ERR_OK);
+
+ dref = mock_deref_res(test_ctx, &test_ipa_user);
+ assert_non_null(dref);
+
+ ret = sdap_parse_deref(test_ctx, &minfo, 1, dref, &res);
+ talloc_free(dref);
+ talloc_free(minfo.map);
+ assert_int_equal(ret, ERR_OK);
+ assert_non_null(res);
+ /* the group map didn't match, so no attrs will be parsed out of the map */
+ assert_null(res[0]->attrs);
+ talloc_free(res);
+}
+
+void test_parse_secondary_oc(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_rfc2307_group;
+ struct sdap_attr_map *map;
+
+ const char *oc_values[] = { "secondaryOC", NULL };
+ const char *uid_values[] = { "tgroup1", NULL };
+ struct mock_ldap_attr test_rfc2307_group_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { .name = "uid", .values = uid_values },
+ { NULL, NULL }
+ };
+
+ test_rfc2307_group.dn = "cn=testgroup,dc=example,dc=com";
+ test_rfc2307_group.attrs = test_rfc2307_group_attrs;
+ set_entry_parse(&test_rfc2307_group);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_group_map, SDAP_OPTS_GROUP, &map);
+ assert_int_equal(ret, ERR_OK);
+ map[SDAP_OC_GROUP_ALT].name =
discard_const("secondaryOC");
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_GROUP,
+ &attrs, false);
+ assert_int_equal(ret, ERR_OK);
+
+ talloc_free(map);
+ talloc_free(attrs);
+}
+
+/* Negative test - objectclass doesn't match the map */
+void test_parse_bad_oc(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_rfc2307_user;
+ struct sdap_attr_map *map;
+
+ const char *oc_values[] = { "someRandomValueWhoCaresItsAUnitTest", NULL };
+ const char *uid_values[] = { "tuser1", NULL };
+ struct mock_ldap_attr test_rfc2307_user_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { .name = "uid", .values = uid_values },
+ { NULL, NULL }
+ };
+
+ test_rfc2307_user.dn = "cn=testuser,dc=example,dc=com";
+ test_rfc2307_user.attrs = test_rfc2307_user_attrs;
+ set_entry_parse(&test_rfc2307_user);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_USER,
+ &attrs, false);
+ assert_int_not_equal(ret, ERR_OK);
+
+ talloc_free(map);
+}
+
+/* Negative test - the entry has no objectClass.
Just make sure
+ * we don't crash
+ */
+void test_parse_no_oc(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_rfc2307_user;
+ struct sdap_attr_map *map;
+
+ const char *uid_values[] = { "tuser1", NULL };
+ struct mock_ldap_attr test_rfc2307_user_attrs[] = {
+ { .name = "uid", .values = uid_values },
+ { NULL, NULL }
+ };
+
+ test_rfc2307_user.dn = "cn=testuser,dc=example,dc=com";
+ test_rfc2307_user.attrs = test_rfc2307_user_attrs;
+ set_entry_parse(&test_rfc2307_user);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_USER,
+ &attrs, false);
+ assert_int_not_equal(ret, ERR_OK);
+
+ talloc_free(map);
+}
+
+/* Negative test - the entry has no DN. Just make sure
+ * we don't crash and detect the failure.
+ */
+void test_parse_no_dn(void **state)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ struct parse_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct parse_test_ctx);
+ struct mock_ldap_entry test_rfc2307_user;
+ struct sdap_attr_map *map;
+
+ const char *oc_values[] = { "posixAccount", NULL };
+ const char *uid_values[] = { "tuser1", NULL };
+ struct mock_ldap_attr test_rfc2307_user_attrs[] = {
+ { .name = "objectClass", .values = oc_values },
+ { .name = "uid", .values = uid_values },
+ { NULL, NULL }
+ };
+
+ test_rfc2307_user.dn = NULL; /* Test */
+ test_rfc2307_user.attrs = test_rfc2307_user_attrs;
+ set_entry_parse(&test_rfc2307_user);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map, SDAP_OPTS_USER, &map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = sdap_parse_entry(test_ctx, &test_ctx->sh, &test_ctx->sm,
+ map, SDAP_OPTS_USER,
+ &attrs, false);
+ assert_int_not_equal(ret, ERR_OK);
+
+ talloc_free(map);
+}
+
+struct copy_map_entry_test_ctx {
+ struct sdap_attr_map *src_map;
+
struct sdap_attr_map *dst_map;
+};
+
+static int copy_map_entry_test_setup(void **state)
+{
+ int ret;
+ struct copy_map_entry_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context,
+ struct copy_map_entry_test_ctx);
+ assert_non_null(test_ctx);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map,
+ SDAP_OPTS_USER, &test_ctx->src_map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = sdap_copy_map(test_ctx, rfc2307_user_map,
+ SDAP_OPTS_USER, &test_ctx->dst_map);
+ assert_int_equal(ret, ERR_OK);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int copy_map_entry_test_teardown(void **state)
+{
+ struct copy_map_entry_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct copy_map_entry_test_ctx);
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static const char *copy_uuid(struct copy_map_entry_test_ctx *test_ctx)
+{
+ errno_t ret;
+
+ assert_null(test_ctx->dst_map[SDAP_AT_USER_UUID].name);
+ ret = sdap_copy_map_entry(test_ctx->src_map, test_ctx->dst_map,
+ SDAP_AT_USER_UUID);
+ assert_int_equal(ret, EOK);
+ return test_ctx->dst_map[SDAP_AT_USER_UUID].name;
+}
+
+static void test_sdap_copy_map_entry(void **state)
+{
+ struct copy_map_entry_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct copy_map_entry_test_ctx);
+ const char *uuid_set_val = "test_uuid_val";
+ const char *uuid_val = NULL;
+
+ test_ctx->src_map[SDAP_AT_USER_UUID].name = discard_const(uuid_set_val);
+
+ uuid_val = copy_uuid(test_ctx);
+ assert_non_null(uuid_val);
+ assert_string_equal(uuid_val, uuid_set_val);
+ talloc_free(test_ctx->dst_map[SDAP_AT_USER_UUID].name);
+}
+
+static void test_sdap_copy_map_entry_null_name(void **state)
+{
+ struct copy_map_entry_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct copy_map_entry_test_ctx);
+ const char *uuid_val = NULL;
+
+ uuid_val = copy_uuid(test_ctx);
+ assert_null(uuid_val);
+}
+
+struct test_sdap_inherit_ctx {
+ struct sdap_options *parent_sdap_opts;
+ struct sdap_options *child_sdap_opts;
+};
+
+struct sdap_options *mock_sdap_opts(TALLOC_CTX *mem_ctx)
+{
+ int ret;
+ struct sdap_options *opts;
+
+ opts = talloc_zero(mem_ctx, struct sdap_options);
+ assert_non_null(opts);
+
+ ret = sdap_copy_map(opts, rfc2307_user_map,
+ SDAP_OPTS_USER, &opts->user_map);
+ assert_int_equal(ret, ERR_OK);
+
+ ret = dp_copy_defaults(opts, default_basic_opts,
+ SDAP_OPTS_BASIC, &opts->basic);
+ assert_int_equal(ret, ERR_OK);
+
+ return opts;
+}
+
+static int test_sdap_inherit_option_setup(void **state)
+{
+ int ret;
+ struct test_sdap_inherit_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context,
+ struct test_sdap_inherit_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->child_sdap_opts = talloc_zero(test_ctx, struct sdap_options);
+
+ test_ctx->parent_sdap_opts = mock_sdap_opts(test_ctx);
+ assert_non_null(test_ctx->parent_sdap_opts);
+ test_ctx->child_sdap_opts = mock_sdap_opts(test_ctx);
+ assert_non_null(test_ctx->child_sdap_opts);
+
+ test_ctx->parent_sdap_opts->user_map[SDAP_AT_USER_PRINC].name = \
+ discard_const("test_princ");
+
+ ret = dp_opt_set_int(test_ctx->parent_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT, 123);
+ assert_int_equal(ret, EOK);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_inherit_option_teardown(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_sdap_inherit_option_null(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ int val;
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT);
+ assert_int_equal(val, 0);
+
+ sdap_inherit_options(NULL,
+ test_ctx->parent_sdap_opts,
+
test_ctx->child_sdap_opts);
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT);
+ assert_int_equal(val, 0);
+}
+
+static void test_sdap_inherit_option_notset(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ int val;
+ const char *inherit_options[] = { "ldap_use_tokengroups", NULL };
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT);
+ assert_int_equal(val, 0);
+
+ /* parent has nondefault, but it's not supposed to be inherited */
+ sdap_inherit_options(discard_const(inherit_options),
+ test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT);
+ assert_int_equal(val, 0);
+}
+
+static void test_sdap_inherit_option_basic(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ int val;
+ const char *inherit_options[] = { "ldap_purge_cache_timeout", NULL };
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT);
+ assert_int_equal(val, 0);
+
+ /* parent has nondefault, but it's not supposed to be inherited */
+ sdap_inherit_options(discard_const(inherit_options),
+ test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ val = dp_opt_get_int(test_ctx->child_sdap_opts->basic,
+ SDAP_PURGE_CACHE_TIMEOUT);
+ assert_int_equal(val, 123);
+}
+
+static void test_sdap_inherit_option_user(void **state)
+{
+ struct test_sdap_inherit_ctx *test_ctx = \
+ talloc_get_type_abort(*state, struct test_sdap_inherit_ctx);
+ const char *inherit_options[] = { "ldap_user_principal", NULL };
+
+ assert_string_equal(
+ test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name,
+ "krbPrincipalName");
+
+ /* parent has nondefault, but it's not supposed to be inherited */
+ sdap_inherit_options(discard_const(inherit_options),
+
test_ctx->parent_sdap_opts,
+ test_ctx->child_sdap_opts);
+
+ assert_string_equal(
+ test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name,
+ "test_princ");
+
+ talloc_free(test_ctx->child_sdap_opts->user_map[SDAP_AT_USER_PRINC].name);
+}
+
+struct copy_dom_obj_test_ctx {
+ struct sdap_options *opts;
+
+ struct sss_domain_info *parent;
+ struct sss_domain_info *child;
+
+ struct sdap_domain *parent_sd;
+ struct sdap_domain *child_sd;
+
+ struct sysdb_attrs **ldap_objects;
+ struct sysdb_attrs **dom_objects;
+};
+
+static struct sysdb_attrs *test_obj(TALLOC_CTX *mem_ctx,
+ const char *name,
+ const char *basedn)
+{
+ errno_t ret;
+ const char *orig_dn;
+ struct sysdb_attrs *obj;
+
+ obj = sysdb_new_attrs(mem_ctx);
+ assert_non_null(obj);
+
+ orig_dn = talloc_asprintf(obj, "CN=%s,%s", name, basedn);
+ assert_non_null(orig_dn);
+
+ ret = sysdb_attrs_add_string(obj, SYSDB_ORIG_DN, orig_dn);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(obj, SYSDB_NAME, name);
+ assert_int_equal(ret, EOK);
+
+ return obj;
+}
+
+static struct sdap_domain *create_sdap_domain(struct sdap_options *opts,
+ struct sss_domain_info *dom)
+{
+ errno_t ret;
+ struct sdap_domain *sdom;
+
+ ret = sdap_domain_add(opts, dom, &sdom);
+ assert_int_equal(ret, EOK);
+
+ sdom->search_bases = talloc_array(sdom, struct sdap_search_base *, 2);
+ assert_non_null(sdom->search_bases);
+ sdom->search_bases[1] = NULL;
+
+ ret = sdap_create_search_base(sdom, sdom->basedn,
+ LDAP_SCOPE_SUBTREE,
+ NULL,
+ &sdom->search_bases[0]);
+ assert_int_equal(ret, EOK);
+
+ return sdom;
+}
+
+static int sdap_copy_objects_in_dom_setup(void **state)
+{
+ struct copy_dom_obj_test_ctx *test_ctx;
+
+ test_ctx = talloc_zero(NULL,
+ struct copy_dom_obj_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->opts = talloc_zero(test_ctx, struct sdap_options);
+ assert_non_null(test_ctx->opts);
+
+ test_ctx->parent = named_domain(test_ctx, "win.trust.test", NULL);
+ assert_non_null(test_ctx->parent);
+
+
test_ctx->child = named_domain(test_ctx, "child.win.trust.test",
+ test_ctx->parent);
+ assert_non_null(test_ctx->child);
+
+ test_ctx->parent_sd = create_sdap_domain(test_ctx->opts,
+ test_ctx->parent);
+ assert_non_null(test_ctx->parent_sd);
+
+ test_ctx->child_sd = create_sdap_domain(test_ctx->opts,
+ test_ctx->child);
+ assert_non_null(test_ctx->child_sd);
+
+ /* These two objects were 'returned by LDAP' */
+ test_ctx->ldap_objects = talloc_zero_array(test_ctx,
+ struct sysdb_attrs *, 2);
+ assert_non_null(test_ctx->ldap_objects);
+
+ test_ctx->ldap_objects[0] = test_obj(test_ctx->ldap_objects, "parent",
+ test_ctx->parent_sd->basedn);
+ assert_non_null(test_ctx->ldap_objects[0]);
+
+ test_ctx->ldap_objects[1] = test_obj(test_ctx->ldap_objects, "child",
+ test_ctx->child_sd->basedn);
+ assert_non_null(test_ctx->ldap_objects[1]);
+
+ /* This is the array we'll filter to */
+ test_ctx->dom_objects = talloc_zero_array(test_ctx,
+ struct sysdb_attrs *, 2);
+ assert_non_null(test_ctx->dom_objects);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int sdap_copy_objects_in_dom_teardown(void **state)
+{
+ struct copy_dom_obj_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct copy_dom_obj_test_ctx);
+
+ talloc_free(test_ctx);
+ return 0;
+}
+
+static void test_sdap_copy_objects_in_dom(void **state)
+{
+ struct copy_dom_obj_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct copy_dom_obj_test_ctx);
+ size_t count;
+
+ assert_ptr_equal(talloc_parent(test_ctx->ldap_objects[0]),
+ test_ctx->ldap_objects);
+ assert_ptr_equal(talloc_parent(test_ctx->ldap_objects[1]),
+ test_ctx->ldap_objects);
+
+ assert_null(test_ctx->dom_objects[0]);
+ assert_null(test_ctx->dom_objects[1]);
+
+ count = sdap_steal_objects_in_dom(test_ctx->opts,
+ test_ctx->dom_objects,
+ 0,
+ test_ctx->parent,
+ test_ctx->ldap_objects,
+ 2, true);
+ assert_int_equal(count, 1);
+
+ assert_non_null(test_ctx->dom_objects[0]);
+ assert_non_null(test_ctx->dom_objects[0] ==
test_ctx->ldap_objects[0]);
+ assert_null(test_ctx->dom_objects[1]);
+
+ assert_ptr_equal(talloc_parent(test_ctx->ldap_objects[0]),
+ test_ctx->dom_objects);
+
+ count = sdap_steal_objects_in_dom(test_ctx->opts,
+ test_ctx->dom_objects,
+ 1,
+ test_ctx->child,
+ test_ctx->ldap_objects,
+ 2, true);
+ assert_int_equal(count, 1);
+
+ assert_non_null(test_ctx->dom_objects[1]);
+ assert_non_null(test_ctx->dom_objects[1] == test_ctx->ldap_objects[1]);
+ assert_ptr_equal(talloc_parent(test_ctx->ldap_objects[1]),
+ test_ctx->dom_objects);
+}
+
+static void test_sdap_copy_objects_in_dom_nofilter(void **state)
+{
+ struct copy_dom_obj_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct copy_dom_obj_test_ctx);
+ size_t count;
+
+ count = sdap_steal_objects_in_dom(test_ctx->opts,
+ test_ctx->dom_objects,
+ 0,
+ test_ctx->parent,
+ test_ctx->ldap_objects,
+ 2, false);
+ assert_int_equal(count, 2);
+
+ assert_ptr_equal(talloc_parent(test_ctx->ldap_objects[0]),
+ test_ctx->dom_objects);
+ assert_ptr_equal(talloc_parent(test_ctx->ldap_objects[1]),
+ test_ctx->dom_objects);
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_parse_with_map,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_no_map,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_no_attrs,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_dups,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_deref,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_deref_no_attrs,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+
cmocka_unit_test_setup_teardown(test_parse_secondary_oc,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ /* Negative tests */
+ cmocka_unit_test_setup_teardown(test_parse_no_oc,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_bad_oc,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_no_dn,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_parse_deref_map_mismatch,
+ parse_entry_test_setup,
+ parse_entry_test_teardown),
+
+ /* Map option tests */
+ cmocka_unit_test_setup_teardown(test_sdap_copy_map_entry,
+ copy_map_entry_test_setup,
+ copy_map_entry_test_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_copy_map_entry_null_name,
+ copy_map_entry_test_setup,
+ copy_map_entry_test_teardown),
+
+ /* Option inherit tests */
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_null,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_notset,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_basic,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_inherit_option_user,
+ test_sdap_inherit_option_setup,
+ test_sdap_inherit_option_teardown),
+
+ /* Per-domain object filter tests */
+ cmocka_unit_test_setup_teardown(test_sdap_copy_objects_in_dom,
+ sdap_copy_objects_in_dom_setup,
+ sdap_copy_objects_in_dom_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_copy_objects_in_dom_nofilter,
+ sdap_copy_objects_in_dom_setup,
+ sdap_copy_objects_in_dom_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used.
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_sdap_access.c b/src/tests/cmocka/test_sdap_access.c
new file mode 100644
index 0000000..900cfdb
--- /dev/null
+++ b/src/tests/cmocka/test_sdap_access.c
@@ -0,0 +1,264 @@
+/*
+ Authors:
+ Pavel Reichl
+
+ Copyright (C) 2015 Red Hat
+
+ SSSD tests - sdap access
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/common_check.h"
+#include "tests/cmocka/test_expire_common.h"
+#include "tests/cmocka/test_sdap_access.h"
+
+/* linking against function from sdap_access.c module */
+extern bool nds_check_expired(const char *exp_time_str);
+extern errno_t sdap_access_rhost(struct ldb_message *user_entry, char *pam_rhost);
+
+static void nds_check_expired_wrap(void *in, void *_out)
+{
+ *(bool*)_out = nds_check_expired((const char*)in);
+}
+
+void test_nds_check_expire(void **state)
+{
+ struct expire_test_ctx *tc;
+ bool res;
+
+ tc = talloc_get_type(*state, struct expire_test_ctx);
+ assert_non_null(tc);
+
+ assert_false(nds_check_expired(NULL));
+ assert_true(nds_check_expired(tc->invalid_longer_format));
+ assert_true(nds_check_expired(tc->invalid_format));
+ assert_true(nds_check_expired(tc->past_time));
+ assert_false(nds_check_expired(tc->future_time));
+
+ /* changing time zone has no effect as time of expiration is in UTC */
+ expire_test_tz("GST+2", nds_check_expired_wrap, (void*)tc->future_time,
+ (void*)&res);
+ assert_false(res);
+ expire_test_tz("GST-2", nds_check_expired_wrap, (void*)tc->future_time,
+ (void*)&res);
+ assert_false(res);
+}
+
+static int
test_sdap_access_rhost_setup(void **state)
+{
+ TALLOC_CTX *mem_ctx;
+ struct test_sdap_access_rhost_ctx *test_ctx;
+ struct ldb_message *user_no_rhost;
+ struct ldb_message *user_allow_somehost;
+ struct ldb_message *user_deny_somehost;
+ struct ldb_message *user_allow_all;
+ struct ldb_message *user_allow_all_deny_somehost;
+ struct ldb_message *user_allow_all_allow_somehost_deny_somehost;
+
+ mem_ctx = talloc_new(NULL);
+ assert_non_null(mem_ctx);
+
+ test_ctx = talloc(mem_ctx, struct test_sdap_access_rhost_ctx);
+ assert_non_null(test_ctx);
+
+ /* Setup empty user entry (with 0 entries for rhost) */
+ user_no_rhost = ldb_msg_new(test_ctx);
+ assert_non_null(user_no_rhost);
+ user_no_rhost->num_elements = 0;
+
+ /* Setup user entry with allow somehost */
+ user_allow_somehost = ldb_msg_new(test_ctx);
+ assert_non_null(user_allow_somehost);
+ ldb_msg_add_string(user_allow_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "somehost");
+
+ /* Setup user entry with deny somehost */
+ user_deny_somehost = ldb_msg_new(test_ctx);
+ assert_non_null(user_deny_somehost);
+ ldb_msg_add_string(user_deny_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "!somehost");
+
+ /* Setup user entry with allow all */
+ user_allow_all = ldb_msg_new(test_ctx);
+ assert_non_null(user_allow_all);
+ ldb_msg_add_string(user_allow_all,
+ SYSDB_AUTHORIZED_RHOST,
+ "*");
+
+ /* Setup user entry with allow all and deny somehost */
+ user_allow_all_deny_somehost = ldb_msg_new(test_ctx);
+ assert_non_null(user_allow_all_deny_somehost);
+ ldb_msg_add_string(user_allow_all_deny_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "*");
+ ldb_msg_add_string(user_allow_all_deny_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "!somehost");
+
+ /* Setup user entry with allow all, allow somehost and deny somehost */
+ user_allow_all_allow_somehost_deny_somehost = ldb_msg_new(test_ctx);
+ assert_non_null(user_allow_all_allow_somehost_deny_somehost);
+ ldb_msg_add_string(user_allow_all_allow_somehost_deny_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "*");
+
ldb_msg_add_string(user_allow_all_allow_somehost_deny_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "!somehost");
+ ldb_msg_add_string(user_allow_all_allow_somehost_deny_somehost,
+ SYSDB_AUTHORIZED_RHOST,
+ "somehost");
+
+ /* Setup test context */
+ test_ctx->user_no_rhost = user_no_rhost;
+ test_ctx->user_allow_somehost = user_allow_somehost;
+ test_ctx->user_deny_somehost = user_deny_somehost;
+ test_ctx->user_allow_all = user_allow_all;
+ test_ctx->user_allow_all_deny_somehost = user_allow_all_deny_somehost;
+ test_ctx->user_allow_all_allow_somehost_deny_somehost = \
+ user_allow_all_allow_somehost_deny_somehost;
+
+ *state = test_ctx;
+
+ return 0;
+}
+
+static int test_sdap_access_rhost_teardown(void **state)
+{
+ struct test_sdap_access_rhost_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_access_rhost_ctx);
+ assert_non_null(test_ctx);
+
+ talloc_free(test_ctx);
+
+ return 0;
+}
+
+static void test_sdap_access_rhost(void **state)
+{
+ struct test_sdap_access_rhost_ctx *test_ctx;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_access_rhost_ctx);
+ assert_non_null(test_ctx);
+
+ char pam_rhost_mock_empty[] = "";
+ char pam_rhost_mock_somehost[] = "somehost";
+ char pam_rhost_mock_someotherhost[] = "someotherhost";
+
+ /* Test both arguments as NULL */
+ ret = sdap_access_rhost(NULL, NULL);
+ assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access granted */
+
+ /* Test with user_entry == NULL and rhost == "somehost" */
+ ret = sdap_access_rhost(NULL, pam_rhost_mock_somehost);
+ assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */
+
+ /* Test with user_no_rhost and rhost == NULL */
+ ret = sdap_access_rhost(test_ctx->user_no_rhost, NULL);
+ assert_int_equal(EOK, ret); /* Expected access granted */
+
+ /* Test with user_no_rhost and rhost == "" (local access) */
+ ret = sdap_access_rhost(test_ctx->user_no_rhost, pam_rhost_mock_empty);
+ assert_int_equal(EOK, ret); /* Expected access granted */
+
+ /*
Test with user_no_rhost and rhost == "somehost" */ + ret = sdap_access_rhost(test_ctx->user_no_rhost, pam_rhost_mock_somehost); + assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */ + + /* Test with user_allow_somehost and rhost == "somehost" */ + ret = sdap_access_rhost(test_ctx->user_allow_somehost, + pam_rhost_mock_somehost); + assert_int_equal(EOK, ret); /* Expected access allowed */ + + /* Test with user_deny_somehost and rhost == "somehost" */ + ret = sdap_access_rhost(test_ctx->user_deny_somehost, + pam_rhost_mock_somehost); + assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */ + + /* Test with user_allow_all and rhost == "somehost" */ + ret = sdap_access_rhost(test_ctx->user_allow_all, + pam_rhost_mock_somehost); + assert_int_equal(EOK, ret); /* Expected access allowed */ + + /* Test with user_allow_all_deny_somehost and rhost == "somehost" */ + ret = sdap_access_rhost(test_ctx->user_allow_all_deny_somehost, + pam_rhost_mock_somehost); + assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */ + + /* Test with user_allow_all_allow_somehost_deny_somehost + * and rhost == "somehost" */ + ret = sdap_access_rhost( + test_ctx->user_allow_all_allow_somehost_deny_somehost, + pam_rhost_mock_somehost); + assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */ + + /* Test with user_no_rhost and rhost == "someotherhost" */ + ret = sdap_access_rhost(test_ctx->user_no_rhost, + pam_rhost_mock_someotherhost); + assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */ + + /* Test with user_allow_somehost and rhost == "someotherhost" */ + ret = sdap_access_rhost(test_ctx->user_allow_somehost, + pam_rhost_mock_someotherhost); + assert_int_equal(ERR_ACCESS_DENIED, ret); /* Expected access denied */ + + /* Test with user_deny_somehost and rhost == "someotherhost" */ + ret = sdap_access_rhost(test_ctx->user_deny_somehost, + pam_rhost_mock_someotherhost); + assert_int_equal(ERR_ACCESS_DENIED, ret); 
/* Expected access denied */ + + /* Test with user_allow_all and rhost == "someotherhost" */ + ret = sdap_access_rhost(test_ctx->user_allow_all, + pam_rhost_mock_someotherhost); + assert_int_equal(EOK, ret); /* Expected access allowed */ + + /* Test with user_allow_all_deny_somehost and rhost == "someotherhost" */ + ret = sdap_access_rhost(test_ctx->user_allow_all_deny_somehost, + pam_rhost_mock_someotherhost); + assert_int_equal(EOK, ret); /* Expected access allowed */ + + /* Test with user_allow_all_allow_somehost_deny_somehost + * and rhost == "someotherhost" */ + ret = sdap_access_rhost( + test_ctx->user_allow_all_allow_somehost_deny_somehost, + pam_rhost_mock_someotherhost); + assert_int_equal(EOK, ret); /* Expected access allowed */ +} + +int main(void) +{ + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_nds_check_expire, + expire_test_setup, + expire_test_teardown), + cmocka_unit_test_setup_teardown(test_sdap_access_rhost, + test_sdap_access_rhost_setup, + test_sdap_access_rhost_teardown), + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_sdap_access.h b/src/tests/cmocka/test_sdap_access.h new file mode 100644 index 0000000..cc49a82 --- /dev/null +++ b/src/tests/cmocka/test_sdap_access.h 
@@ -0,0 +1,36 @@
+/*
+ Authors:
+ Alexey Kamenskiy
+
+ SSSD tests - sdap access tests
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef TEST_SDAP_ACCESS_H
+#define TEST_SDAP_ACCESS_H
+
+struct test_sdap_access_rhost_ctx {
+ struct ldb_message *user_no_rhost;
+ struct ldb_message *user_allow_somehost;
+ struct ldb_message *user_deny_somehost;
+ struct ldb_message *user_allow_all;
+ struct ldb_message *user_allow_all_deny_somehost;
+ struct ldb_message *user_allow_all_allow_somehost_deny_somehost;
+};
+
+static int test_sdap_access_rhost_setup(void **state);
+static int test_sdap_access_rhost_teardown(void **state);
+
+#endif /* TEST_SDAP_ACCESS_H */
diff --git a/src/tests/cmocka/test_sdap_certmap.c b/src/tests/cmocka/test_sdap_certmap.c
new file mode 100644
index 0000000..aeb924e
--- /dev/null
+++ b/src/tests/cmocka/test_sdap_certmap.c
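Review bot: The two `static` prototypes at the end of this header, `test_sdap_access_rhost_setup` and `test_sdap_access_rhost_teardown`, give every includer an internal-linkage declaration that only the one test file defining them can satisfy, so any other includer gets a declared-but-never-defined static warning. I would move both prototypes into that test source and keep only `struct test_sdap_access_rhost_ctx` here. The struct also uses `struct ldb_message` without the header including or forward-declaring it; a `struct ldb_message;` line above the struct would make the header self-contained.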
@@ -0,0 +1,244 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2017 Red Hat
+
+ SSSD tests - sdap certmap
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "providers/ldap/ldap_common.h"
+#include "tests/common.h"
+#include "db/sysdb.h"
+
+#define TESTS_PATH "certmap_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_sysdb_certmap.ldb"
+#define TEST_ID_PROVIDER "ldap"
+#define TEST_DOM_NAME "certmap_test"
+
+struct certmap_info map_a = { discard_const("map_a"), 11,
+ NULL, discard_const("(abc=def)"),
+ NULL };
+struct certmap_info map_b = { discard_const("map_b"), UINT_MAX,
+ NULL, NULL, NULL };
+struct certmap_info *certmap[] = { &map_a, &map_b, NULL };
+
+struct certmap_test_ctx {
+ struct sss_test_ctx *tctx;
+ struct sdap_id_ctx *id_ctx;
+};
+
+static int test_sysdb_setup(void **state)
+{
+ int ret;
+ struct certmap_test_ctx *test_ctx;
+ struct sss_test_conf_param params[] = {
+ { NULL, NULL }, /* Sentinel */
+ };
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context,
+ struct certmap_test_ctx);
+ assert_non_null(test_ctx);
+ check_leaks_push(test_ctx);
+
+ test_dom_suite_setup(TESTS_PATH);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, TEST_DOM_NAME,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(test_ctx->tctx);
+
+ ret = sysdb_update_certmap(test_ctx->tctx->sysdb, certmap, false);
+ assert_int_equal(ret, EOK);
+
+ test_ctx->id_ctx = talloc_zero(test_ctx->tctx, struct sdap_id_ctx);
+ assert_non_null(test_ctx->id_ctx);
+
+ test_ctx->id_ctx->opts = talloc_zero(test_ctx->tctx, struct sdap_options);
+ assert_non_null(test_ctx->id_ctx->opts);
+
+ test_ctx->id_ctx->be = talloc_zero(test_ctx->tctx, struct be_ctx);
+ assert_non_null(test_ctx->id_ctx->be);
+ test_ctx->id_ctx->be->domain = test_ctx->tctx->dom;
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sysdb_teardown(void **state)
+{
+ struct certmap_test_ctx *test_ctx =
+ talloc_get_type(*state, struct certmap_test_ctx);
+
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ talloc_free(test_ctx->tctx);
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_sdap_certmap_init(void **state)
+{
+ int ret;
+ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
+ struct certmap_test_ctx);
+
+ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
+}
+
+static void test_sdap_get_sss_certmap(void **state)
+{
+ int ret;
+ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
+ struct certmap_test_ctx);
+ struct sss_certmap_ctx *sss_certmap_ctx;
+
+ sss_certmap_ctx = sdap_get_sss_certmap(NULL);
+ assert_null(sss_certmap_ctx);
+
+ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
+ assert_int_equal(ret, EOK);
+
+ sss_certmap_ctx = sdap_get_sss_certmap(
+ test_ctx->id_ctx->opts->sdap_certmap_ctx);
+ assert_non_null(sss_certmap_ctx);
+
+ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
+}
+
+static void test_sdap_certmap_init_twice(void **state)
+{
+ int ret;
+ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
+ struct certmap_test_ctx);
+ struct sdap_certmap_ctx *sdap_certmap_ref;
+ struct sss_certmap_ctx *sss_certmap_ref;
+
+ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
+ assert_int_equal(ret, EOK);
+
+ sdap_certmap_ref = test_ctx->id_ctx->opts->sdap_certmap_ctx;
+ sss_certmap_ref = sdap_get_sss_certmap(sdap_certmap_ref);
+
+ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
+ assert_int_equal(ret, EOK);
+
+ assert_ptr_equal(sdap_certmap_ref,
+ test_ctx->id_ctx->opts->sdap_certmap_ctx);
+ assert_ptr_not_equal(sss_certmap_ref,
+ sdap_get_sss_certmap(sdap_certmap_ref));
+
+ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
+}
+
+
+static void test_sdap_setup_certmap(void **state)
+{
+ int ret;
+ struct certmap_test_ctx *test_ctx = talloc_get_type(*state,
+ struct certmap_test_ctx);
+ struct sdap_certmap_ctx *sdap_certmap_ref;
+ struct sss_certmap_ctx *sss_certmap_ref;
+
+ ret = sdap_init_certmap(test_ctx, test_ctx->id_ctx);
+ assert_int_equal(ret, EOK);
+
+ sdap_certmap_ref = test_ctx->id_ctx->opts->sdap_certmap_ctx;
+ sss_certmap_ref = sdap_get_sss_certmap(sdap_certmap_ref);
+
+ ret = sdap_setup_certmap(NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+ assert_ptr_equal(sdap_certmap_ref,
+ test_ctx->id_ctx->opts->sdap_certmap_ctx);
+ assert_ptr_equal(sss_certmap_ref, sdap_get_sss_certmap(sdap_certmap_ref));
+
+ ret = sdap_setup_certmap(NULL, certmap);
+ assert_int_equal(ret, EINVAL);
+ assert_ptr_equal(sdap_certmap_ref,
+ test_ctx->id_ctx->opts->sdap_certmap_ctx);
+ assert_ptr_equal(sss_certmap_ref, sdap_get_sss_certmap(sdap_certmap_ref));
+
+ ret = sdap_setup_certmap(sdap_certmap_ref, certmap);
+ assert_int_equal(ret, EOK);
+ assert_ptr_equal(sdap_certmap_ref,
+ test_ctx->id_ctx->opts->sdap_certmap_ctx);
+ assert_ptr_not_equal(sss_certmap_ref,
+ sdap_get_sss_certmap(sdap_certmap_ref));
+
+ talloc_free(test_ctx->id_ctx->opts->sdap_certmap_ctx);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_sdap_certmap_init,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_get_sss_certmap,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_certmap_init_twice,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_sdap_setup_certmap,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_sdap_initgr.c b/src/tests/cmocka/test_sdap_initgr.c
new file mode 100644
index 0000000..66b8819
--- /dev/null
+++ b/src/tests/cmocka/test_sdap_initgr.c
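Review bot: `test_sysdb_teardown` and the four test functions dereference the result of `talloc_get_type(*state, struct certmap_test_ctx)` without checking it, so a wrong or missing state pointer crashes the test binary instead of failing the test. Add `assert_non_null(test_ctx);` right after each `talloc_get_type` call, as `test_sdap_access_rhost` does elsewhere in this patch. Separately, the invalid-option branch in `main` returns 1 without calling `poptFreeContext(pc)`; free the context before returning.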
@@ -0,0 +1,540 @@
+/*
+ Authors:
+ Petr Čech
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/cmocka/common_mock_sysdb_objects.h"
+#include "tests/cmocka/common_mock_sdap.h"
+#include "providers/ad/ad_common.h"
+
+#include "providers/ad/ad_opts.c"
+#include "providers/ldap/sdap_async_initgroups.c"
+
+/* Declarations from providers/ldap/sdap_async_initgroups.c */
+struct sdap_get_initgr_state;
+static int sdap_search_initgr_user_in_batch(struct sdap_get_initgr_state *state,
+ struct sysdb_attrs **users,
+ size_t count);
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_sdap_initgr_conf.ldb"
+#define TEST_ID_PROVIDER "ldap"
+
+#define TEST_DOM1_NAME "domain.test.com"
+#define TEST_DOM2_NAME "subdom1.domain.test.com"
+#define TEST_DOM3_NAME "another_domain.test.com"
+
+#define OBJECT_BASE_DN1 "dc=domain,dc=test,dc=com,cn=sysdb"
+#define OBJECT_BASE_DN2 "dc=subdom1,dc=domain,dc=test,dc=com,cn=sysdb"
+#define OBJECT_BASE_DN3 "dc=another_domain,dc=test,dc=com,cn=sysdb"
+
+#define TEST_USER_1 "test_user_1"
+#define TEST_USER_2 "test_user_2"
+#define TEST_USER_3 "test_user_3"
+
+const char *domains[] = { TEST_DOM1_NAME,
+ TEST_DOM2_NAME,
+ TEST_DOM3_NAME,
+ NULL };
+
+const char *object_bases[] = { OBJECT_BASE_DN1,
+ OBJECT_BASE_DN2,
+ OBJECT_BASE_DN3,
+ NULL };
+
+const char *test_users[] = { TEST_USER_1,
+ TEST_USER_2,
+ TEST_USER_3,
+ NULL };
+
+/* ====================== Utilities =============================== */
+
+struct test_sdap_initgr_ctx {
+ struct sss_test_ctx *tctx;
+};
+
+static struct passwd **get_users(TALLOC_CTX *ctx)
+{
+ struct passwd **passwds = NULL;
+ char *homedir = NULL;
+ size_t user_count = 0;
+
+ for (int i = 0; test_users[i] != NULL; i++) {
+ user_count++;
+ }
+ passwds = talloc_array(ctx, struct passwd *, user_count);
+ assert_non_null(passwds);
+
+ for (int i = 0; i < user_count; i++) {
+ passwds[i] = talloc(passwds, struct passwd);
+ assert_non_null(passwds[i]);
+
+ homedir = talloc_strdup_append(homedir, "/home/");
+ homedir = talloc_strdup_append(homedir, test_users[i]);
+
+ passwds[i]->pw_name = discard_const(test_users[i]);
+ passwds[i]->pw_uid = 567 + i;
+ passwds[i]->pw_gid = 890 + i;
+ passwds[i]->pw_dir = talloc_strdup(passwds[i], homedir);
+ passwds[i]->pw_gecos = discard_const(test_users[i]);
+ passwds[i]->pw_shell = discard_const("/bin/sh");
+ passwds[i]->pw_passwd = discard_const("*");
+
+ talloc_zfree(homedir);
+ }
+
+ return passwds;
+}
+
+static struct sss_test_conf_param **get_params(TALLOC_CTX *ctx)
+{
+ struct sss_test_conf_param **params;
+ char *user_base_dn = NULL;
+ char *group_base_dn = NULL;
+ size_t base_count = 0;
+
+ for (int i = 0; object_bases[i] != NULL; i++) {
+ base_count++;
+ }
+
+ params = talloc_array(ctx, struct sss_test_conf_param *, base_count + 1);
+ assert_non_null(params);
+
+ for (int i = 0; i < base_count; i++) {
+ params[i] = talloc(params, struct sss_test_conf_param);
+ assert_non_null(params[i]);
+
+ user_base_dn = talloc_strdup_append(user_base_dn, "cn=users,");
+ user_base_dn = talloc_strdup_append(user_base_dn, object_bases[i]);
+
+ group_base_dn = talloc_strdup_append(group_base_dn, "cn=groups,");
+ group_base_dn = talloc_strdup_append(group_base_dn, object_bases[i]);
+
+ params[i] = talloc_array(params[i], struct sss_test_conf_param, 5);
+ params[i][0].key = "ldap_schema";
+ params[i][0].value = "rfc2307bis";
+ params[i][1].key = "ldap_search_base";
+ params[i][1].value = talloc_strdup(params[i], object_bases[i]);
+ params[i][2].key = "ldap_user_search_base";
+ params[i][2].value = talloc_strdup(params[i], user_base_dn);
+ params[i][3].key = "ldap_group_search_base";
+ params[i][3].value = talloc_strdup(params[i], group_base_dn);
+ params[i][4].key = NULL;
+ params[i][4].value = NULL;
+
+ talloc_zfree(user_base_dn);
+ talloc_zfree(group_base_dn);
+ }
+
+ return params;
+}
+
+struct sss_domain_info *get_domain_info(struct sss_domain_info *domain,
+ const char *domain_name)
+{
+ struct sss_domain_info *dom = domain;
+
+ while(dom != NULL) {
+ if (strcmp(dom->name, domain_name) == 0) {
+ break;
+ }
+ dom = dom->next;
+ }
+
+ return dom;
+}
+
+struct sdap_get_initgr_state *prepare_state(struct test_sdap_initgr_ctx *ctx,
+ const char **domain_names)
+{
+ struct sdap_get_initgr_state *state;
+ struct sss_domain_info *dom_info = NULL;
+ struct sss_domain_info *recent_dom_info = NULL;
+
+ state = talloc_zero(ctx->tctx, struct sdap_get_initgr_state);
+ assert_non_null(state);
+
+ for (int i=0; domain_names[i] != NULL; i++) {
+ dom_info = get_domain_info(ctx->tctx->dom, domain_names[i]);
+ assert_non_null(dom_info);
+
+ if (i == 0) {
+ state->dom = dom_info;
+ recent_dom_info = state->dom;
+ } else {
+ recent_dom_info->next = dom_info;
+ recent_dom_info = recent_dom_info->next;
+ }
+ }
+ assert_non_null(state->dom);
+ assert_non_null(recent_dom_info);
+ recent_dom_info->next = NULL;
+
+ state->opts = mock_sdap_options_ldap(state, state->dom,
+ ctx->tctx->confdb,
+ ctx->tctx->conf_dom_path);
+ assert_non_null(state->opts);
+
+ return state;
+}
+
+/* TODO: This function is copied from test_nss_srv.c
+ * It could be fine move both to one place,
+ * for example src/tests/common_sysdb.c
+ */
+static errno_t store_user(TALLOC_CTX *ctx,
+ struct sss_domain_info *dom,
+ struct passwd *user,
+ struct sysdb_attrs *attrs,
+ time_t cache_update)
+{
+ errno_t ret;
+ char *fqname;
+
+ fqname = sss_create_internal_fqname(ctx,
+ user->pw_name,
+ dom->name);
+ if (fqname == NULL) {
+ return ENOMEM;
+ }
+
+ /* Prime the cache with a valid user */
+ ret = sysdb_store_user(dom,
+ fqname,
+ user->pw_passwd,
+ user->pw_uid,
+ user->pw_gid,
+ user->pw_gecos,
+ user->pw_dir,
+ user->pw_shell,
+ NULL, attrs,
+ NULL, 300, cache_update);
+ talloc_free(fqname);
+
+ return ret;
+}
+
+/* ====================== Setup =============================== */
+
+static int test_sdap_initgr_setup_one_domain(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sss_test_conf_param **params;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ params = get_params(test_ctx);
+ assert_non_null(params);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains[0],
+ TEST_ID_PROVIDER, params[0]);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_initgr_setup_multi_domains(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sss_test_conf_param **params;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ params = get_params(test_ctx);
+ assert_non_null(params);
+
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_initgr_setup_other_multi_domains(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sss_test_conf_param **params;
+ const char *domains_vith_other[] = { TEST_DOM1_NAME,
+ TEST_DOM3_NAME,
+ NULL };
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ params = get_params(test_ctx);
+ assert_non_null(params);
+
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains_vith_other,
+ TEST_ID_PROVIDER, params);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sdap_initgr_teardown(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+/* ====================== The tests =============================== */
+
+static void test_user_is_on_batch(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sdap_get_initgr_state *initgr_state;
+ const char *domains_set[] = { domains[0], NULL };
+ struct sss_domain_info *dom1_info = NULL;
+ struct sss_domain_info *dom2_info = NULL;
+ struct passwd **passwd_users;
+ struct sysdb_attrs **users;
+ const char *user_name;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ dom1_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
+ assert_non_null(dom1_info);
+ dom2_info = get_domain_info(test_ctx->tctx->dom, domains[1]);
+ assert_non_null(dom2_info);
+
+ initgr_state = prepare_state(test_ctx, domains_set);
+ assert_non_null(initgr_state);
+
+ passwd_users = get_users(test_ctx);
+ assert_non_null(passwd_users);
+
+ ret = store_user(test_ctx, dom1_info, passwd_users[0], NULL, 0);
+ assert_int_equal(ret, 0);
+ ret = store_user(test_ctx, dom2_info, passwd_users[1], NULL, 0);
+ assert_int_equal(ret, 0);
+
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 2);
+ users[0] = mock_sysdb_user(users, object_bases[0],
+ passwd_users[0]->pw_uid,
+ passwd_users[0]->pw_name);
+ users[1] = mock_sysdb_user(users, object_bases[1],
+ passwd_users[1]->pw_uid,
+ passwd_users[1]->pw_name);
+
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 2);
+ assert_int_equal(ret, 0);
+
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
+ assert_int_equal(ret, 0);
+ assert_string_equal(user_name, passwd_users[0]->pw_name);
+
+ talloc_zfree(initgr_state);
+ talloc_zfree(passwd_users);
+ talloc_zfree(users);
+}
+
+static void test_user_is_from_subdomain(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sdap_get_initgr_state *initgr_state;
+ const char *domains_set[] = { domains[0], NULL };
+ struct sss_domain_info *dom_info = NULL;
+ struct passwd **passwd_users;
+ struct sysdb_attrs **users;
+ const char *user_name;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
+ assert_non_null(dom_info);
+
+ initgr_state = prepare_state(test_ctx, domains_set);
+ assert_non_null(initgr_state);
+
+ passwd_users = get_users(test_ctx);
+ assert_non_null(passwd_users);
+
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
+ assert_int_equal(ret, 0);
+
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
+ users[0] = mock_sysdb_user(users, object_bases[1],
+ passwd_users[1]->pw_uid,
+ passwd_users[1]->pw_name);
+
+ const char *original_dn = NULL;
+ ret = sysdb_attrs_get_string(users[0], SYSDB_ORIG_DN, &original_dn);
+
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
+ assert_int_equal(ret, 0);
+
+ ret = sysdb_attrs_get_string(initgr_state->orig_user, "name", &user_name);
+ assert_int_equal(ret, 0);
+ assert_string_equal(user_name, passwd_users[1]->pw_name);
+
+ talloc_zfree(initgr_state);
+ talloc_zfree(passwd_users);
+ talloc_zfree(users);
+}
+
+static void test_user_is_from_another_domain(void **state)
+{
+ struct test_sdap_initgr_ctx *test_ctx;
+ struct sdap_get_initgr_state *initgr_state;
+ const char *domains_set[] = { domains[0], domains[2], NULL };
+ struct sss_domain_info *dom_info = NULL;
+ struct sss_domain_info *other_dom_info = NULL;
+ struct sdap_domain *other_sdom = NULL;
+ struct passwd **passwd_users;
+ struct sysdb_attrs **users;
+ errno_t ret;
+
+ test_ctx = talloc_get_type(*state, struct test_sdap_initgr_ctx);
+ assert_non_null(test_ctx);
+
+ dom_info = get_domain_info(test_ctx->tctx->dom, domains[0]);
+ assert_non_null(dom_info);
+
+ initgr_state = prepare_state(test_ctx, domains_set);
+ assert_non_null(initgr_state);
+
+ other_dom_info = get_domain_info(test_ctx->tctx->dom, domains[2]);
+ assert_non_null(other_dom_info);
+
+ ret = sdap_domain_add(initgr_state->opts, other_dom_info, &other_sdom);
+ assert_int_equal(ret, EOK);
+
+ talloc_zfree(other_sdom->search_bases);
+ other_sdom->search_bases = talloc_array(other_sdom,
+ struct sdap_search_base *, 2);
+ assert_non_null(other_sdom->search_bases);
+ other_sdom->search_bases[1] = NULL;
+
+ ret = sdap_create_search_base(other_sdom, object_bases[2],
+ LDAP_SCOPE_SUBTREE, NULL,
+ &other_sdom->search_bases[0]);
+ assert_int_equal(ret, EOK);
+
+ passwd_users = get_users(test_ctx);
+ assert_non_null(passwd_users);
+
+ ret = store_user(test_ctx, dom_info, passwd_users[0], NULL, 0);
+ assert_int_equal(ret, 0);
+
+ users = talloc_array(test_ctx, struct sysdb_attrs *, 1);
+ users[0] = mock_sysdb_user(users, object_bases[2],
+ passwd_users[2]->pw_uid,
+ passwd_users[2]->pw_name);
+
+ ret = sdap_search_initgr_user_in_batch(initgr_state, users, 1);
+ assert_int_equal(ret, EINVAL);
+
+ talloc_zfree(initgr_state);
+ talloc_zfree(passwd_users);
+ talloc_zfree(users);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_user_is_on_batch,
+ test_sdap_initgr_setup_multi_domains,
+ test_sdap_initgr_teardown),
+ cmocka_unit_test_setup_teardown(test_user_is_from_subdomain,
+ test_sdap_initgr_setup_one_domain,
+ test_sdap_initgr_teardown),
+ cmocka_unit_test_setup_teardown(test_user_is_from_another_domain,
+ test_sdap_initgr_setup_other_multi_domains,
+ test_sdap_initgr_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0) {
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
+ }
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_search_bases.c b/src/tests/cmocka/test_search_bases.c
new file mode 100644
index 0000000..4538eac
--- /dev/null
+++ b/src/tests/cmocka/test_search_bases.c
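Review bot: In `get_params` the outer array is allocated with `base_count + 1` slots, but the last slot is never written and `talloc_array` does not zero memory, so any consumer that walks `params` until NULL reads an uninitialized pointer. Add `params[base_count] = NULL;` before the return. In the same loop `params[i]` is first set from `talloc(params, struct sss_test_conf_param)` and then overwritten by `talloc_array(params[i], struct sss_test_conf_param, 5)`, whose result is not checked; allocate the five-element array directly on `params` and assert it is non-NULL. In `test_user_is_from_subdomain` the result of `sysdb_attrs_get_string(users[0], SYSDB_ORIG_DN, &original_dn)` is overwritten unchecked and `original_dn` is never used, so either assert on it or drop the call.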
@@ -0,0 +1,191 @@
+/*
+ Authors:
+ Pavel Reichl
+
+ Copyright (C) 2013 Red Hat
+
+ SSSD tests - Search bases
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/find_uid.h"
+#include "util/sss_ldap.h"
+#include "tests/common.h"
+#include "providers/ldap/ldap_common.h"
+#include "providers/ldap/sdap.h"
+#include "dhash.h"
+#include "tests/common_check.h"
+
+enum sss_test_get_by_dn {
+ DN_NOT_IN_DOMS, /* dn is not in any domain */
+ DN_IN_DOM1, /* dn is in the domain based on dns */
+ DN_IN_DOM2, /* dn is in the domain based on dns2 */
+};
+
+static struct sdap_search_base** generate_bases(TALLOC_CTX *mem_ctx,
+ const char** dns, size_t n)
+{
+ struct sdap_search_base **search_bases;
+ errno_t err;
+ int i;
+
+ search_bases = talloc_array(mem_ctx, struct sdap_search_base *, n + 1);
+ assert_non_null(search_bases);
+
+ for (i=0; i < n; ++i) {
+ err = sdap_create_search_base(mem_ctx, dns[i], LDAP_SCOPE_SUBTREE,
+ NULL, &search_bases[i]);
+ if (err != EOK) {
+ fprintf(stderr, "Failed to create search base\n");
+ }
+ assert_int_equal(err, EOK);
+ }
+ search_bases[n] = NULL;
+ return search_bases;
+}
+
+static bool do_test_search_bases(const char* dn, const char** dns, size_t n)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sdap_search_base **search_bases;
+ bool ret;
+
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(tmp_ctx);
+
+ search_bases = generate_bases(tmp_ctx, dns, n);
+ check_leaks_push(tmp_ctx);
+ ret = sss_ldap_dn_in_search_bases(tmp_ctx, dn, search_bases, NULL);
+ assert_true(check_leaks_pop(tmp_ctx) == true);
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+void test_search_bases_fail(void **state)
+{
+ const char *dn = "cn=user, dc=sub, dc=ad, dc=pb";
+ const char *dns[] = {"dc=example, dc=com", "dc=subdom, dc=ad, dc=pb"};
+ bool ret;
+
+ ret = do_test_search_bases(dn, dns, 2);
+ assert_false(ret);
+}
+
+void test_search_bases_success(void **state)
+{
+ const char *dn = "cn=user, dc=sub, dc=ad, dc=pb";
+ const char *dns[] = {"", "dc=ad, dc=pb", "dc=sub, dc=ad, dc=pb"};
+ bool ret;
+
+ ret = do_test_search_bases(dn, dns, 3);
+ assert_true(ret);
+}
+
+static void do_test_get_by_dn(const char *dn, const char **dns, size_t n,
+ const char **dns2, size_t n2, int expected_result)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sdap_options *opts;
+ struct sdap_domain *sdom;
+ struct sdap_domain *sdom2;
+ struct sdap_domain *res_sdom;
+ struct sdap_search_base **search_bases;
+ struct sdap_search_base **search_bases2;
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(tmp_ctx);
+
+ search_bases = generate_bases(tmp_ctx, dns, n);
+ search_bases2 = generate_bases(tmp_ctx, dns2, n2);
+ sdom = talloc_zero(tmp_ctx, struct sdap_domain);
+ assert_non_null(sdom);
+ sdom2 = talloc_zero(tmp_ctx, struct sdap_domain);
+ assert_non_null(sdom2);
+
+ sdom->search_bases = search_bases;
+ sdom->next = sdom2;
+ sdom->prev = NULL;
+ sdom2->search_bases = search_bases2;
+ sdom2->next = NULL;
+ sdom2->prev = sdom;
+
+ opts = talloc(tmp_ctx, struct sdap_options);
+ assert_non_null(opts);
+ opts->sdom = sdom;
+ res_sdom = sdap_domain_get_by_dn(opts, dn);
+
+ switch (expected_result) {
+ case DN_NOT_IN_DOMS:
+ assert_null(res_sdom);
+ break;
+ case DN_IN_DOM1:
+ assert_true(res_sdom == sdom);
+ break;
+ case DN_IN_DOM2:
+ assert_true(res_sdom == sdom2);
+ break;
+ }
+
+ talloc_free(tmp_ctx);
+}
+
+void test_get_by_dn(void **state)
+{
+ const char *dn = "cn=user, dc=sub, dc=ad, dc=pb";
+ const char *dns[] = {"dc=ad, dc=pb"};
+ const char *dns2[] = {"dc=sub, dc=ad, dc=pb"};
+
+ do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_IN_DOM2);
+}
+
+void test_get_by_dn2(void **state)
+{
+ const char *dn = "cn=user, dc=ad, dc=com";
+ const char *dns[] = {"dc=ad, dc=com"};
+ const char *dns2[] = {"dc=sub, dc=ad, dc=pb"};
+
+ do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_IN_DOM1);
+}
+
+void test_get_by_dn_fail(void **state)
+{
+ const char *dn = "cn=user, dc=sub, dc=example, dc=com";
+ const char *dns[] = {"dc=ad, dc=pb"};
+ const char *dns2[] = {"dc=sub, dc=ad, dc=pb"};
+
+ do_test_get_by_dn(dn, dns, 1, dns2, 1, DN_NOT_IN_DOMS);
+}
+
+int main(void)
+{
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_search_bases_fail),
+ cmocka_unit_test(test_search_bases_success),
+ cmocka_unit_test(test_get_by_dn_fail),
+ cmocka_unit_test(test_get_by_dn),
+ cmocka_unit_test(test_get_by_dn2)
+ };
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cmocka/test_simple_access.c b/src/tests/cmocka/test_simple_access.c
new file mode 100644
index 0000000..24d63b4
--- /dev/null
+++ b/src/tests/cmocka/test_simple_access.c
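Review bot: In `do_test_get_by_dn`, `opts` comes from `talloc(tmp_ctx, struct sdap_options)`, which leaves every field except the assigned `opts->sdom` uninitialized before the struct is passed to `sdap_domain_get_by_dn`. Use `opts = talloc_zero(tmp_ctx, struct sdap_options);` so the test does not depend on which fields that function reads. The `switch (expected_result)` below it has no `default`, so an unexpected value passes silently; add `default: fail();`.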
@@ -0,0 +1,836 @@ +/* + Copyright (C) 2015 Red Hat + + SSSD tests: Simple access provider tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_be.h" +#include "tests/cmocka/common_mock_resp.h" +#include "db/sysdb_private.h" /* new_subdomain() */ +#include "providers/simple/simple_access.h" +#include "providers/simple/simple_access_pvt.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_simple_conf.ldb" +#define TEST_DOM_NAME "simple_test" +#define TEST_SUBDOM_NAME "test.subdomain" +#define TEST_ID_PROVIDER "ldap" + +struct simple_test_ctx { + struct sss_test_ctx *tctx; + struct be_ctx *be_ctx; + struct sss_domain_info *subdom; + + bool access_granted; + struct simple_ctx *ctx; + struct pam_data *pd; + struct dp_req_params *params; +}; + +static int test_simple_setup(struct sss_test_conf_param params[], void **state) +{ + struct simple_test_ctx *simple_test_ctx; + int ret; + + simple_test_ctx = talloc_zero(NULL, struct simple_test_ctx); + if (simple_test_ctx == NULL) { + return ENOMEM; + } + + simple_test_ctx->tctx = create_dom_test_ctx(simple_test_ctx, TESTS_PATH, + TEST_CONF_DB, TEST_DOM_NAME, + TEST_ID_PROVIDER, params); + assert_non_null(simple_test_ctx->tctx); + if (simple_test_ctx->tctx == NULL) { + return ENOMEM; + } + + ret = sss_names_init(simple_test_ctx, 
simple_test_ctx->tctx->confdb, + TEST_DOM_NAME, &simple_test_ctx->tctx->dom->names); + if (ret != EOK) { + return ENOMEM; + } + + simple_test_ctx->be_ctx = mock_be_ctx(simple_test_ctx, + simple_test_ctx->tctx); + if (simple_test_ctx->be_ctx == NULL) { + return ENOMEM; + } + + simple_test_ctx->pd = talloc_zero(simple_test_ctx, struct pam_data); + if (simple_test_ctx->pd == NULL) { + return ENOMEM; + } + simple_test_ctx->pd->cmd = SSS_PAM_ACCT_MGMT; + + simple_test_ctx->params = talloc_zero(simple_test_ctx, + struct dp_req_params); + if (simple_test_ctx->params == NULL) { + return ENOMEM; + } + simple_test_ctx->params->ev = simple_test_ctx->tctx->ev; + + *state = simple_test_ctx; + return 0; +} + +static int set_simple_lists(struct simple_test_ctx *test_ctx, + struct sss_domain_info *dom, + struct sss_test_conf_param params[]) +{ + errno_t ret; + const char *val[2] = { NULL, NULL }; + char *cdb_path; + + cdb_path = talloc_asprintf(test_ctx, CONFDB_DOMAIN_PATH_TMPL, dom->name); + if (cdb_path == NULL) { + return ENOMEM; + } + + ret = EOK; + + if (params != NULL) { + for (int i = 0; params[i].key != NULL; i++) { + val[0] = params[i].value; + ret = confdb_add_param(test_ctx->tctx->confdb, + true, cdb_path, params[i].key, val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add parameter %s [%d]: " + "%s\n", params[i].key, ret, sss_strerror(ret)); + break; + } + } + } + + talloc_free(cdb_path); + return ret; +} + +static int setup_with_params(struct simple_test_ctx *test_ctx, + struct sss_domain_info *dom, + struct sss_test_conf_param params[]) +{ + errno_t ret; + + ret = set_simple_lists(test_ctx, dom, params); + if (ret != EOK) { + return ret; + } + + test_ctx->ctx = talloc_zero(test_ctx, struct simple_ctx); + if (test_ctx->ctx == NULL) { + return ENOMEM; + } + + test_ctx->ctx->be_ctx = test_ctx->be_ctx; + test_ctx->ctx->domain = test_ctx->tctx->dom; + + return EOK; +} + +static int simple_test_setup(void **state) +{ + test_dom_suite_setup(TESTS_PATH); + 
return test_simple_setup(NULL, state); +} + +static int simple_test_teardown(void **state) +{ + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + + /* make sure there are no leftovers from previous tests */ + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + talloc_free(simple_test_ctx); + return 0; +} + +static void simple_access_handler_done(struct tevent_req *req) +{ + struct simple_test_ctx *simple_test_ctx = + tevent_req_callback_data(req, struct simple_test_ctx); + + simple_test_ctx->tctx->error = simple_access_handler_recv(simple_test_ctx, + req, &simple_test_ctx->pd); + simple_test_ctx->access_granted = (simple_test_ctx->pd->pam_status == PAM_SUCCESS); + talloc_free(req); + simple_test_ctx->tctx->done = true; +} + +static void run_simple_access_check(struct simple_test_ctx *simple_test_ctx, + const char *username, + int expected_rv, + bool allow_access) +{ + int ret; + struct tevent_req *req; + + simple_test_ctx->tctx->done = false; + simple_test_ctx->pd->user = discard_const(username); + req = simple_access_handler_send(simple_test_ctx, + simple_test_ctx->ctx, + simple_test_ctx->pd, + simple_test_ctx->params); + assert_non_null(req); + tevent_req_set_callback(req, simple_access_handler_done, simple_test_ctx); + + ret = test_ev_loop(simple_test_ctx->tctx); + assert_int_equal(ret, expected_rv); + + /* otherwise the output is undefined */ + if (expected_rv == EOK) { + assert_true(simple_test_ctx->access_granted == allow_access); + } +} + +static void test_both_empty(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, NULL); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true); +} + +static void test_allow_empty(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + 
talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_deny_users", "u1, u2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); + run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, true); +} + +static void test_deny_empty(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", "u1, u2" }, + { NULL, NULL }, + }; + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true); + run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false); +} + +static void test_both_set(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", "u1, u2" }, + { "simple_deny_users", "u1, u2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); + run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false); +} + +static void test_deny_wrong_case(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", "u1, u2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "U1@simple_test", EOK, false); +} + +static void 
test_allow_case_insensitive(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", "u1, u2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + simple_test_ctx->tctx->dom->case_sensitive = false; + run_simple_access_check(simple_test_ctx, "U1@simple_test", EOK, true); +} + +static void test_unknown_user(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", "u1, u2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "foo@simple_test", EOK, false); +} + +static void test_space(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", "space user, another user@simple_test" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "space user@simple_test", EOK, true); + run_simple_access_check(simple_test_ctx, "another user@simple_test", EOK, true); + run_simple_access_check(simple_test_ctx, "not allowed@simple_test", EOK, false); +} + +static int simple_group_test_setup(void **state) +{ + int ret; + char *u1; + char *u2; + char *u3; + char *g1; + char *g2; + char *sp; + char *sp2; + char *pvt; + struct simple_test_ctx *test_ctx; + + ret = simple_test_setup((void **) &test_ctx); + if (ret != EOK) { + return 1; + } + + u1 = sss_create_internal_fqname(test_ctx, "u1", + test_ctx->be_ctx->domain->name); + u2 
= sss_create_internal_fqname(test_ctx, "u2", + test_ctx->be_ctx->domain->name); + u3 = sss_create_internal_fqname(test_ctx, "u3", + test_ctx->be_ctx->domain->name); + g1 = sss_create_internal_fqname(test_ctx, "g1", + test_ctx->be_ctx->domain->name); + g2 = sss_create_internal_fqname(test_ctx, "g2", + test_ctx->be_ctx->domain->name); + sp = sss_create_internal_fqname(test_ctx, "space group", + test_ctx->be_ctx->domain->name); + sp2 = sss_create_internal_fqname(test_ctx, "another space", + test_ctx->be_ctx->domain->name); + pvt = sss_create_internal_fqname(test_ctx, "pvt", + test_ctx->be_ctx->domain->name); + if (u1 == NULL || u2 == NULL || u3 == NULL + || g1 == NULL || g2 == NULL || pvt == NULL + || sp == NULL || sp2 == NULL) { + return 1; + } + + ret = sysdb_add_group(test_ctx->be_ctx->domain, pvt, 999, NULL, 0, 0); + if (ret != EOK) return 1; + + ret = sysdb_store_user(test_ctx->be_ctx->domain, + u1, NULL, 123, 999, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + if (ret != EOK) return 1; + + ret = sysdb_store_user(test_ctx->be_ctx->domain, + u2, NULL, 456, 999, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + if (ret != EOK) return 1; + + ret = sysdb_store_user(test_ctx->be_ctx->domain, + u3, NULL, 789, 999, "u1", "/home/u1", + "/bin/bash", NULL, NULL, NULL, -1, 0); + if (ret != EOK) return 1; + + ret = sysdb_add_group(test_ctx->be_ctx->domain, g1, 321, NULL, 0, 0); + if (ret != EOK) return 1; + + ret = sysdb_add_group(test_ctx->be_ctx->domain, g2, 654, NULL, 0, 0); + if (ret != EOK) return 1; + + ret = sysdb_add_group(test_ctx->be_ctx->domain, sp, 1234, NULL, 0, 0); + if (ret != EOK) return 1; + + ret = sysdb_add_group(test_ctx->be_ctx->domain, sp2, 5678, NULL, 0, 0); + if (ret != EOK) return 1; + + ret = sysdb_add_group_member(test_ctx->be_ctx->domain, + g1, u1, SYSDB_MEMBER_USER, false); + if (ret != EOK) return 1; + + ret = sysdb_add_group_member(test_ctx->be_ctx->domain, + sp, u1, SYSDB_MEMBER_USER, false); + if (ret != EOK) return 
1; + + ret = sysdb_add_group_member(test_ctx->be_ctx->domain, + g2, u2, SYSDB_MEMBER_USER, false); + if (ret != EOK) return 1; + + ret = sysdb_add_group_member(test_ctx->be_ctx->domain, + sp2, u2, SYSDB_MEMBER_USER, false); + if (ret != EOK) return 1; + + *state = test_ctx; + return 0; +} + +static int simple_group_test_teardown(void **state) +{ + int ret; + char *u1; + char *u2; + char *u3; + char *g1; + char *g2; + char *sp; + char *sp2; + char *pvt; + struct simple_test_ctx *test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + + u1 = sss_create_internal_fqname(test_ctx, "u1", + test_ctx->be_ctx->domain->name); + u2 = sss_create_internal_fqname(test_ctx, "u2", + test_ctx->be_ctx->domain->name); + u3 = sss_create_internal_fqname(test_ctx, "u3", + test_ctx->be_ctx->domain->name); + g1 = sss_create_internal_fqname(test_ctx, "g1", + test_ctx->be_ctx->domain->name); + g2 = sss_create_internal_fqname(test_ctx, "g2", + test_ctx->be_ctx->domain->name); + sp = sss_create_internal_fqname(test_ctx, "space group", + test_ctx->be_ctx->domain->name); + sp2 = sss_create_internal_fqname(test_ctx, "another space", + test_ctx->be_ctx->domain->name); + pvt = sss_create_internal_fqname(test_ctx, "pvt", + test_ctx->be_ctx->domain->name); + if (u1 == NULL || u2 == NULL || u3 == NULL + || g1 == NULL || g2 == NULL || pvt == NULL + || sp == NULL || sp2 == NULL) { + return 1; + } + + ret = sysdb_delete_user(test_ctx->be_ctx->domain, u1, 0); + if (ret != EOK) return 1; + ret = sysdb_delete_user(test_ctx->be_ctx->domain, u2, 0); + if (ret != EOK) return 1; + ret = sysdb_delete_user(test_ctx->be_ctx->domain, u3, 0); + if (ret != EOK) return 1; + ret = sysdb_delete_group(test_ctx->be_ctx->domain, g1, 0); + if (ret != EOK) return 1; + ret = sysdb_delete_group(test_ctx->be_ctx->domain, g2, 0); + if (ret != EOK) return 1; + ret = sysdb_delete_group(test_ctx->be_ctx->domain, sp, 0); + if (ret != EOK) return 1; + ret = sysdb_delete_group(test_ctx->be_ctx->domain, sp2, 0); + if (ret != 
EOK) return 1; + ret = sysdb_delete_group(test_ctx->be_ctx->domain, pvt, 0); + if (ret != EOK) return 1; + + /* make sure there are no leftovers from previous tests */ + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + talloc_free(test_ctx); + return 0; +} + +static void test_group_allow_empty(void **state) +{ + errno_t ret; + struct tevent_req *req; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_deny_groups", "g1, g2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + simple_test_ctx->pd->user = discard_const("u1@simple_test"); + req = simple_access_handler_send(simple_test_ctx, simple_test_ctx->ctx, + simple_test_ctx->pd, + simple_test_ctx->params); + assert_non_null(req); + tevent_req_set_callback(req, simple_access_handler_done, simple_test_ctx); + + ret = test_ev_loop(simple_test_ctx->tctx); + assert_int_equal(ret, EOK); + assert_false(simple_test_ctx->access_granted); + + simple_test_ctx->tctx->done = false; + simple_test_ctx->pd->user = discard_const("u3@simple_test"); + req = simple_access_handler_send(simple_test_ctx, simple_test_ctx->ctx, + simple_test_ctx->pd, + simple_test_ctx->params); + assert_non_null(req); + tevent_req_set_callback(req, simple_access_handler_done, simple_test_ctx); + + ret = test_ev_loop(simple_test_ctx->tctx); + assert_int_equal(ret, EOK); + assert_true(simple_test_ctx->access_granted); +} + +static void test_group_deny_empty(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_groups", "g1, g2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, 
"u1@simple_test", EOK, true); + run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false); +} + +static void test_group_both_set(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_groups", "g1, g2" }, + { "simple_deny_groups", "g1, g2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); + run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false); +} + +static void test_group_deny_wrong_case(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_groups", "G1, G2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); +} + +static void test_group_allow_case_insensitive(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_groups", "G1, G2" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + /* Case-sensitive domain, wrong case */ + simple_test_ctx->tctx->done = false; + simple_test_ctx->tctx->dom->case_sensitive = false; + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true); +} + +static void test_unparseable_allow_user(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_users", 
"u1, user@no.such.domain" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + /* Case-sensitive domain, wrong case */ + simple_test_ctx->tctx->done = false; + simple_test_ctx->tctx->dom->case_sensitive = false; + /* A user that would normally be denied access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u2@simple_test", EOK, false); + /* A user that would normally be allowed access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); +} + +static void test_unparseable_deny_user(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_deny_users", "u2, user@no.such.domain" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + /* Case-sensitive domain, wrong case */ + simple_test_ctx->tctx->done = false; + simple_test_ctx->tctx->dom->case_sensitive = false; + /* A user that would normally be denied access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u2@simple_test", EOK, false); + /* A user that would normally be allowed access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); +} + +static void test_unparseable_allow_group(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_groups", "g1, group@no.such.domain" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + 
assert_int_equal(ret, EOK); + + /* Case-sensitive domain, wrong case */ + simple_test_ctx->tctx->done = false; + simple_test_ctx->tctx->dom->case_sensitive = false; + /* A group that would normally be denied access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u2@simple_test", EOK, false); + /* A group that would normally be allowed access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); +} + +static void test_unparseable_deny_group(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_deny_groups", "g2, group@no.such.domain" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, + simple_test_ctx->tctx->dom, + params); + assert_int_equal(ret, EOK); + + /* Case-sensitive domain, wrong case */ + simple_test_ctx->tctx->done = false; + simple_test_ctx->tctx->dom->case_sensitive = false; + /* A group that would normally be denied access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u2@simple_test", EOK, false); + /* A group that would normally be allowed access will be denied because + * the access list can't be parsed + */ + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, false); +} + +static void test_group_space(void **state) +{ + errno_t ret; + struct simple_test_ctx *simple_test_ctx = \ + talloc_get_type(*state, struct simple_test_ctx); + struct sss_test_conf_param params[] = { + { "simple_allow_groups", "space group, another space@simple_test" }, + { NULL, NULL }, + }; + + ret = setup_with_params(simple_test_ctx, simple_test_ctx->tctx->dom, params); + assert_int_equal(ret, EOK); + + run_simple_access_check(simple_test_ctx, "u1@simple_test", EOK, true); + run_simple_access_check(simple_test_ctx, 
"u2@simple_test", EOK, true); + run_simple_access_check(simple_test_ctx, "u3@simple_test", EOK, false); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_both_empty, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_allow_empty, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_deny_empty, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_both_set, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_deny_wrong_case, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_allow_case_insensitive, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_unknown_user, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_space, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_group_allow_empty, + simple_group_test_setup, + simple_group_test_teardown), + cmocka_unit_test_setup_teardown(test_group_deny_empty, + simple_group_test_setup, + simple_group_test_teardown), + cmocka_unit_test_setup_teardown(test_group_both_set, + simple_group_test_setup, + simple_group_test_teardown), + cmocka_unit_test_setup_teardown(test_group_deny_wrong_case, + simple_group_test_setup, + simple_group_test_teardown), + cmocka_unit_test_setup_teardown(test_group_allow_case_insensitive, + simple_group_test_setup, + simple_group_test_teardown), + cmocka_unit_test_setup_teardown(test_group_space, + simple_group_test_setup, + simple_group_test_teardown), + 
cmocka_unit_test_setup_teardown(test_unparseable_allow_user, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_unparseable_deny_user, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_unparseable_allow_group, + simple_test_setup, + simple_test_teardown), + cmocka_unit_test_setup_teardown(test_unparseable_deny_group, + simple_test_setup, + simple_test_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + test_dom_suite_setup(TESTS_PATH); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + if (rv == 0 && !no_cleanup) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + } + return rv; +} diff --git a/src/tests/cmocka/test_ssh_srv.c b/src/tests/cmocka/test_ssh_srv.c new file mode 100644 index 0000000..93217a1 --- /dev/null +++ b/src/tests/cmocka/test_ssh_srv.c 
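Review bot: `test_unparseable_allow_group` and `test_unparseable_deny_group` are registered in `tests[]` with `simple_test_setup`/`simple_test_teardown`, so as far as this hunk shows the cache holds no u1, u2, g1 or g2 when they run, and the expected denial of `u1@simple_test` may come from a missing user or membership rather than from the unparseable list. These tests are what pins the deny-on-parse-error behaviour of the access provider, so they should run on the group fixture, where u1 is a member of g1 and u2 of g2: `cmocka_unit_test_setup_teardown(test_unparseable_allow_group, simple_group_test_setup, simple_group_test_teardown),` and the same for `test_unparseable_deny_group`. The four `test_unparseable_*` bodies also carry the copied comment `/* Case-sensitive domain, wrong case */` directly above `case_sensitive = false`; it would read correctly as `/* Case-insensitive domain */` or could be dropped. How `simple_access_handler_send` treats a user absent from the cache is outside this hunk, so the first point should be confirmed against the provider code.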
@@ -0,0 +1,658 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2015 Red Hat + + SSSD tests: PAM responder tests + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/cmocka/common_mock_resp.h" +#include "responder/common/responder_packet.h" +#include "responder/common/negcache.h" +#include "responder/ssh/ssh_private.h" +#include "confdb/confdb.h" + +#include "util/crypto/sss_crypto.h" +#ifdef HAVE_NSS +#include "util/crypto/nss/nss_util.h" +#endif + +#ifdef HAVE_TEST_CA +#include "tests/test_CA/SSSD_test_cert_x509_0001.h" +#include "tests/test_CA/SSSD_test_cert_pubsshkey_0001.h" +#include "tests/test_CA/SSSD_test_cert_x509_0002.h" +#include "tests/test_CA/SSSD_test_cert_pubsshkey_0002.h" +#else +#define SSSD_TEST_CERT_0001 "" +#define SSSD_TEST_CERT_SSH_KEY_0001 "" +#define SSSD_TEST_CERT_0002 "" +#define SSSD_TEST_CERT_SSH_KEY_0002 "" +#endif + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_ssh_conf.ldb" +#define TEST_DOM_NAME "ssh_test" +#define TEST_SUBDOM_NAME "test.subdomain" +#define TEST_ID_PROVIDER "ldap" + +#define TEST_SSH_PUBKEY \ +"AAAAB3NzaC1yc2EAAAADAQABAAABAQC1" \ +"OlYGkYw8JyhKQrlNBGbZC2az9TJhUWNn" \ +"/kS26OOI9hXCZgz4eHyZnCS1bY1/0ptG" \ +"ByQAk2qvF9uYV2plxULoiOUYAWCnnqx/" \ +"bnhQ4SxmCcA5RPy3h8FX2OrxMlQEadH6" \ +"wz3ZTnOvsw57/ZV8yXjzVexJeeO1A59g" \ +"pLD43f3v056zSF/Jo1NwAZUzCJuzpFAy" \ 
+"Ale6mZ/1rpGN+ah6rN70wz3brwEOi4f2" \ +"HQNbKAL4idVyRYbA7oU+htCLEd6YsSdy" \ +"murxDMAEEQbLeMbF1DXNt1OunoeprXrU" \ +"UE1U9Rxi6xvPt7s3h9NbZiaLRPJU6due" \ +"+nqwn8En7mesd7LnRQST" + +struct ssh_test_ctx { + struct sss_test_ctx *tctx; + struct sss_domain_info *subdom; + + struct resp_ctx *rctx; + struct cli_ctx *cctx; + struct sss_cmd_table *ssh_cmds; + struct ssh_ctx *ssh_ctx; + + int ncache_hits; + bool provider_contacted; + + const char *ssh_user_fqdn; + const char *wrong_user_fqdn; +}; + +/* Must be global because it is needed in some wrappers */ +struct ssh_test_ctx *ssh_test_ctx; + +struct ssh_ctx *mock_ssh_ctx(TALLOC_CTX *mem_ctx) +{ + struct ssh_ctx *ssh_ctx; + + ssh_ctx = talloc_zero(mem_ctx, struct ssh_ctx); + assert_non_null(ssh_ctx); + + return ssh_ctx; +} + +static int add_confdb_params(struct sss_test_conf_param params[], + struct confdb_ctx *cdb, const char *section) +{ + const char *val[2]; + int ret; + + val[1] = NULL; + + for (int i = 0; params[i].key; i++) { + val[0] = params[i].value; + ret = confdb_add_param(cdb, true, section, params[i].key, val); + assert_int_equal(ret, EOK); + } + + return EOK; +} + +static int add_ssh_params(struct sss_test_conf_param ssh_params[], + struct confdb_ctx *cdb) +{ + return add_confdb_params(ssh_params, cdb, CONFDB_SSH_CONF_ENTRY); +} + +static int add_monitor_params(struct sss_test_conf_param monitor_params[], + struct confdb_ctx *cdb) +{ + return add_confdb_params(monitor_params, cdb, CONFDB_MONITOR_CONF_ENTRY); +} + +void test_ssh_setup(struct sss_test_conf_param dom_params[], + struct sss_test_conf_param ssh_params[], + struct sss_test_conf_param monitor_params[], + void **state) +{ + struct cli_protocol *prctx; + errno_t ret; + + ssh_test_ctx = talloc_zero(NULL, struct ssh_test_ctx); + assert_non_null(ssh_test_ctx); + + ssh_test_ctx->tctx = create_dom_test_ctx(ssh_test_ctx, TESTS_PATH, + TEST_CONF_DB, TEST_DOM_NAME, + TEST_ID_PROVIDER, dom_params); + assert_non_null(ssh_test_ctx->tctx); + + 
ssh_test_ctx->ssh_cmds = get_ssh_cmds(); + assert_non_null(ssh_test_ctx->ssh_cmds); + + /* FIXME - perhaps this should be folded into sssd_domain_init or strictly + * used together + */ + ret = sss_names_init(ssh_test_ctx, ssh_test_ctx->tctx->confdb, + TEST_DOM_NAME, &ssh_test_ctx->tctx->dom->names); + assert_int_equal(ret, EOK); + + /* Initialize the SSH responder */ + ssh_test_ctx->ssh_ctx = mock_ssh_ctx(ssh_test_ctx); + assert_non_null(ssh_test_ctx->ssh_ctx); + + ssh_test_ctx->rctx = mock_rctx(ssh_test_ctx, ssh_test_ctx->tctx->ev, + ssh_test_ctx->tctx->dom, + ssh_test_ctx->ssh_ctx); + assert_non_null(ssh_test_ctx->rctx); + ssh_test_ctx->rctx->cdb = ssh_test_ctx->tctx->confdb; + ssh_test_ctx->ssh_ctx->rctx = ssh_test_ctx->rctx; + + ret = add_ssh_params(ssh_params, ssh_test_ctx->rctx->cdb); + assert_int_equal(ret, EOK); + + ret = add_monitor_params(monitor_params, ssh_test_ctx->rctx->cdb); + assert_int_equal(ret, EOK); + + /* Create client context */ + ssh_test_ctx->cctx = mock_cctx(ssh_test_ctx, ssh_test_ctx->rctx); + assert_non_null(ssh_test_ctx->cctx); + ssh_test_ctx->cctx->ev = ssh_test_ctx->tctx->ev; + + prctx = mock_prctx(ssh_test_ctx->cctx); + assert_non_null(prctx); + ssh_test_ctx->cctx->protocol_ctx = prctx; + prctx->cli_protocol_version = register_cli_protocol_version(); +} + +static void ssh_test_setup_common(void) +{ + errno_t ret; + + ssh_test_ctx->ssh_user_fqdn = \ + sss_create_internal_fqname(ssh_test_ctx, + "sshuser", + ssh_test_ctx->tctx->dom->name); + assert_non_null(ssh_test_ctx->ssh_user_fqdn); + + ssh_test_ctx->wrong_user_fqdn = \ + sss_create_internal_fqname(ssh_test_ctx, + "wrongsshuser", + ssh_test_ctx->tctx->dom->name); + assert_non_null(ssh_test_ctx->wrong_user_fqdn); + + /* Prime the cache with a valid user */ + ret = sysdb_add_user(ssh_test_ctx->tctx->dom, + ssh_test_ctx->ssh_user_fqdn, + 123, 456, "ssh user", + "/home/sshuser", "/bin/sh", NULL, + NULL, 300, 0); + assert_int_equal(ret, EOK); + + /* Prime the cache with a user for wrong 
matches */ + ret = sysdb_add_user(ssh_test_ctx->tctx->dom, + ssh_test_ctx->wrong_user_fqdn, + 321, 654, "wrong ssh user", + "/home/wrongsshuser", "/bin/sh", NULL, + NULL, 300, 0); + assert_int_equal(ret, EOK); +} + +static int ssh_test_setup(void **state) +{ + struct sss_test_conf_param dom_params[] = { + { "enumerate", "false" }, + { "cache_credentials", "true" }, + { NULL, NULL }, /* Sentinel */ + }; + + /* When run under valgrind with --trace-children=yes we have to increase + * the timeout not because p11_child needs much more time under valgrind + * but because of the way valgrind handles the children. */ + struct sss_test_conf_param ssh_params[] = { + { "p11_child_timeout", "40" }, + { NULL, NULL }, /* Sentinel */ + }; + + struct sss_test_conf_param monitor_params[] = { + { "certificate_verification", "no_ocsp"}, + { NULL, NULL }, /* Sentinel */ + }; + + test_ssh_setup(dom_params, ssh_params, monitor_params, state); + + ssh_test_setup_common(); + return 0; +} + +static int ssh_test_teardown(void **state) +{ + int ret; + + ret = sysdb_delete_user(ssh_test_ctx->tctx->dom, + ssh_test_ctx->ssh_user_fqdn, 0); + assert_int_equal(ret, EOK); + + ret = sysdb_delete_user(ssh_test_ctx->tctx->dom, + ssh_test_ctx->wrong_user_fqdn, 0); + assert_int_equal(ret, EOK); + + talloc_free(ssh_test_ctx); + return 0; +} + +typedef int (*cmd_cb_fn_t)(uint32_t, uint8_t *, size_t); + + +int __real_read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + uint8_t **buf, ssize_t *len); + +void __real_sss_packet_get_body(struct sss_packet *packet, + uint8_t **body, size_t *blen); + +void __wrap_sss_packet_get_body(struct sss_packet *packet, + uint8_t **body, size_t *blen) +{ + enum sss_test_wrapper_call wtype = sss_mock_type(enum sss_test_wrapper_call); + size_t len; + + if (wtype == WRAP_CALL_REAL) { + return __real_sss_packet_get_body(packet, body, blen); + } + + *body = sss_mock_ptr_type(uint8_t *); + len = sss_mock_type(size_t); + if (len == 0) { + len = strlen((const char *) 
*body) + 1; + } + *blen = len; + return; +} + +void __real_sss_packet_get_body(struct sss_packet *packet, + uint8_t **body, size_t *blen); + +void __wrap_sss_cmd_done(struct cli_ctx *cctx, void *freectx) +{ + struct cli_protocol *prctx; + struct sss_packet *packet; + uint8_t *body; + size_t blen; + cmd_cb_fn_t check_cb; + + prctx = talloc_get_type(cctx->protocol_ctx, struct cli_protocol); + packet = prctx->creq->out; + assert_non_null(packet); + + check_cb = sss_mock_ptr_type(cmd_cb_fn_t); + + __real_sss_packet_get_body(packet, &body, &blen); + + ssh_test_ctx->tctx->error = check_cb(sss_packet_get_status(packet), + body, blen); + ssh_test_ctx->tctx->done = true; +} + +enum sss_cli_command __wrap_sss_packet_get_cmd(struct sss_packet *packet) +{ + return sss_mock_type(enum sss_cli_command); +} + +int __wrap_sss_cmd_send_empty(struct cli_ctx *cctx, TALLOC_CTX *freectx) +{ + ssh_test_ctx->tctx->done = true; + ssh_test_ctx->tctx->error = ENOENT; + return EOK; +} + +static void set_cmd_cb(cmd_cb_fn_t fn) +{ + will_return(__wrap_sss_cmd_done, fn); +} + +static void mock_input_user(TALLOC_CTX *mem_ctx, const char *username) +{ + uint8_t *buf; + size_t len = strlen(username); + size_t buf_len = len + 1 + 2 * sizeof(uint32_t); + + buf = talloc_size(mem_ctx, buf_len); + SAFEALIGN_SET_UINT32(&buf[0], 0, NULL); + SAFEALIGN_SET_UINT32(&buf[4], len + 1, NULL); + memcpy(&buf[8], username, len + 1); + + will_return(__wrap_sss_packet_get_body, WRAP_CALL_WRAPPER); + will_return(__wrap_sss_packet_get_body, buf); + will_return(__wrap_sss_packet_get_body, buf_len); + mock_parse_inp("sshuser", TEST_DOM_NAME, EOK); +} + +static int test_ssh_user_no_pubkeys_check(uint32_t status, + uint8_t *body, size_t blen) +{ + uint32_t val; + + assert_int_equal(status, EOK); + assert_int_equal(blen, 8); + + SAFEALIGN_COPY_UINT32(&val, &body[0], NULL); + assert_int_equal(val, 0); + + SAFEALIGN_COPY_UINT32(&val, &body[4], NULL); + assert_int_equal(val, 0); + + return EOK; +} + +void 
test_ssh_user_no_pubkeys(void **state) { + int ret; + + mock_input_user(ssh_test_ctx, ssh_test_ctx->ssh_user_fqdn); + will_return(__wrap_sss_packet_get_cmd, SSS_SSH_GET_USER_PUBKEYS); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_ssh_user_no_pubkeys_check); + ret = sss_cmd_execute(ssh_test_ctx->cctx, SSS_SSH_GET_USER_PUBKEYS, + ssh_test_ctx->ssh_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(ssh_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static int test_ssh_user_one_pubkey_check(uint32_t status, + uint8_t *body, size_t blen) +{ + uint32_t val; + size_t exp_len; + size_t name_len; + size_t key_len; + uint8_t *key; + size_t rp = 0; + + key = sss_base64_decode(ssh_test_ctx, TEST_SSH_PUBKEY, &key_len); + name_len = strlen(ssh_test_ctx->ssh_user_fqdn) + 1; + + exp_len = 5 * sizeof(uint32_t) + name_len + key_len; + + assert_int_equal(status, EOK); + assert_int_equal(blen, exp_len); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, 1); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, 0); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, 0); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, name_len); + + assert_memory_equal(body + rp, ssh_test_ctx->ssh_user_fqdn, name_len); + rp += name_len; + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, key_len); + + assert_memory_equal(body + rp, key, key_len); + rp += key_len; + + assert_int_equal(rp, blen); + + return EOK; +} + +void test_ssh_user_pubkey(void **state) +{ + int ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(ssh_test_ctx); + assert_non_null(attrs); + ret = sysdb_attrs_add_string(attrs, SYSDB_SSH_PUBKEY, TEST_SSH_PUBKEY); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(ssh_test_ctx->tctx->dom, + ssh_test_ctx->ssh_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + talloc_free(attrs); + 
assert_int_equal(ret, EOK); + + mock_input_user(ssh_test_ctx, ssh_test_ctx->ssh_user_fqdn); + will_return(__wrap_sss_packet_get_cmd, SSS_SSH_GET_USER_PUBKEYS); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_ssh_user_one_pubkey_check); + ret = sss_cmd_execute(ssh_test_ctx->cctx, SSS_SSH_GET_USER_PUBKEYS, + ssh_test_ctx->ssh_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(ssh_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +void test_ssh_user_pubkey_cert_disabled(void **state) +{ + int ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(ssh_test_ctx); + assert_non_null(attrs); + ret = sysdb_attrs_add_string(attrs, SYSDB_SSH_PUBKEY, TEST_SSH_PUBKEY); + assert_int_equal(ret, EOK); + ret = sysdb_attrs_add_string(attrs, SYSDB_USER_CERT, SSSD_TEST_CERT_0001); + assert_int_equal(ret, EOK); + ret = sysdb_attrs_add_string(attrs, SYSDB_USER_CERT, SSSD_TEST_CERT_0002); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(ssh_test_ctx->tctx->dom, + ssh_test_ctx->ssh_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + talloc_free(attrs); + assert_int_equal(ret, EOK); + + mock_input_user(ssh_test_ctx, ssh_test_ctx->ssh_user_fqdn); + will_return(__wrap_sss_packet_get_cmd, SSS_SSH_GET_USER_PUBKEYS); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + set_cmd_cb(test_ssh_user_one_pubkey_check); + ret = sss_cmd_execute(ssh_test_ctx->cctx, SSS_SSH_GET_USER_PUBKEYS, + ssh_test_ctx->ssh_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(ssh_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +static int test_ssh_user_pubkey_cert_check(uint32_t status, + uint8_t *body, size_t blen) +{ + uint32_t val; + size_t exp_len; + size_t name_len; + size_t key_len[3]; + uint8_t *key[3]; + size_t rp = 0; + size_t c; + 
+ key[0] = sss_base64_decode(ssh_test_ctx, TEST_SSH_PUBKEY, &key_len[0]); + assert_non_null(key[0]); + + key[1] = sss_base64_decode(ssh_test_ctx, SSSD_TEST_CERT_SSH_KEY_0001, + &key_len[1]); + assert_non_null(key[1]); + + key[2] = sss_base64_decode(ssh_test_ctx, SSSD_TEST_CERT_SSH_KEY_0002, + &key_len[2]); + assert_non_null(key[2]); + + name_len = strlen(ssh_test_ctx->ssh_user_fqdn) + 1; + + exp_len = 2 * sizeof(uint32_t) + 3* 3* sizeof(uint32_t) + 3 * name_len + + key_len[0] + key_len[1] + key_len[2]; + + assert_int_equal(status, EOK); + assert_int_equal(blen, exp_len); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, 3); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, 0); + + for (c = 0; c < 3; c++) { + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, 0); + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, name_len); + + assert_memory_equal(body + rp, ssh_test_ctx->ssh_user_fqdn, name_len); + rp += name_len; + + SAFEALIGN_COPY_UINT32(&val, &body[rp], &rp); + assert_int_equal(val, key_len[c]); + + assert_memory_equal(body + rp, key[c], key_len[c]); + rp += key_len[c]; + } + + assert_int_equal(rp, blen); + + return EOK; +} + +void test_ssh_user_pubkey_cert(void **state) +{ + int ret; + struct sysdb_attrs *attrs; + + attrs = sysdb_new_attrs(ssh_test_ctx); + assert_non_null(attrs); + ret = sysdb_attrs_add_string(attrs, SYSDB_SSH_PUBKEY, TEST_SSH_PUBKEY); + assert_int_equal(ret, EOK); + ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_CERT, + SSSD_TEST_CERT_0001); + assert_int_equal(ret, EOK); + ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_CERT, + SSSD_TEST_CERT_0002); + assert_int_equal(ret, EOK); + + ret = sysdb_set_user_attr(ssh_test_ctx->tctx->dom, + ssh_test_ctx->ssh_user_fqdn, + attrs, + LDB_FLAG_MOD_ADD); + talloc_free(attrs); + assert_int_equal(ret, EOK); + + mock_input_user(ssh_test_ctx, ssh_test_ctx->ssh_user_fqdn); + will_return(__wrap_sss_packet_get_cmd, 
SSS_SSH_GET_USER_PUBKEYS); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + will_return(__wrap_sss_packet_get_body, WRAP_CALL_REAL); + + /* Enable certificate support */ + ssh_test_ctx->ssh_ctx->use_cert_keys = true; +#ifdef HAVE_NSS + ssh_test_ctx->ssh_ctx->ca_db = discard_const("sql:" ABS_BUILD_DIR + "/src/tests/test_CA/p11_nssdb"); +#else + ssh_test_ctx->ssh_ctx->ca_db = discard_const(ABS_BUILD_DIR + "/src/tests/test_CA/SSSD_test_CA.pem"); +#endif + + set_cmd_cb(test_ssh_user_pubkey_cert_check); + ret = sss_cmd_execute(ssh_test_ctx->cctx, SSS_SSH_GET_USER_PUBKEYS, + ssh_test_ctx->ssh_cmds); + assert_int_equal(ret, EOK); + + /* Wait until the test finishes with EOK */ + ret = test_ev_loop(ssh_test_ctx->tctx); + assert_int_equal(ret, EOK); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + { "no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_ssh_user_no_pubkeys, + ssh_test_setup, ssh_test_teardown), + cmocka_unit_test_setup_teardown(test_ssh_user_pubkey, + ssh_test_setup, ssh_test_teardown), +#ifdef HAVE_TEST_CA + cmocka_unit_test_setup_teardown(test_ssh_user_pubkey_cert_disabled, + ssh_test_setup, ssh_test_teardown), + cmocka_unit_test_setup_teardown(test_ssh_user_pubkey_cert, + ssh_test_setup, ssh_test_teardown), +#endif + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ test_dom_suite_setup(TESTS_PATH);
+
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+ if (rv == 0 && !no_cleanup) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ }
+
+#ifdef HAVE_NSS
+ /* Cleanup NSS and NSPR to make Valgrind happy. */
+ nspr_nss_cleanup();
+#endif
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_sss_idmap.c b/src/tests/cmocka/test_sss_idmap.c
new file mode 100644
index 0000000..e557019
--- /dev/null
+++ b/src/tests/cmocka/test_sss_idmap.c
@@ -0,0 +1,781 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + SSSD tests: Unit tests for libsss_idmap + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "tests/cmocka/common_mock.h" + +#include "lib/idmap/sss_idmap.h" + +#define TEST_RANGE_MIN 200000 +#define TEST_RANGE_MAX 399999 +#define TEST_DOM_NAME "test.dom" +#define TEST_DOM_SID "S-1-5-21-123-456-789" +#define TEST_FIRST_RID 0 +#define TEST_EXT_MAPPING true + +#define TEST_2_RANGE_MIN 600000 +#define TEST_2_RANGE_MAX 799999 +#define TEST_2_DOM_NAME "test2.dom" +#define TEST_2_DOM_SID "S-1-5-21-987-654-321" +#define TEST_2_FIRST_RID 1000000 +#define TEST_2_EXT_MAPPING true + +#define TEST_OFFSET 1000000 +#define TEST_OFFSET_STR "1000000" + +const int TEST_2922_MIN_ID = 1842600000; +const int TEST_2922_MAX_ID = 1842799999; + +struct test_ctx { + TALLOC_CTX *mem_idmap; + struct sss_idmap_ctx *idmap_ctx; +}; + +static void *idmap_talloc(size_t size, void *pvt) +{ + return talloc_size(pvt, size); +} + +static void idmap_free(void *ptr, void *pvt) +{ + talloc_free(ptr); +} + +static int test_sss_idmap_setup(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct test_ctx); + assert_non_null(test_ctx); + + check_leaks_push(test_ctx); + + test_ctx->mem_idmap = talloc_new(test_ctx); + 
assert_non_null(test_ctx->mem_idmap); + + err = sss_idmap_init(idmap_talloc, test_ctx->mem_idmap, idmap_free, + &test_ctx->idmap_ctx); + assert_int_equal(err, IDMAP_SUCCESS); + + *state = test_ctx; + return 0; +} + +static int setup_ranges(struct test_ctx *test_ctx, bool external_mapping, + bool second_domain, bool sec_slices) +{ + struct sss_idmap_range range; + enum idmap_error_code err; + const char *name; + const char *sid; + + assert_non_null(test_ctx); + + if (second_domain) { + range.min = TEST_2_RANGE_MIN; + range.max = TEST_2_RANGE_MAX; + name = TEST_2_DOM_NAME; + sid = TEST_2_DOM_SID; + } else { + range.min = TEST_RANGE_MIN; + range.max = TEST_RANGE_MAX; + name = TEST_DOM_NAME; + sid = TEST_DOM_SID; + } + + if (sec_slices) { + err = sss_idmap_add_auto_domain_ex(test_ctx->idmap_ctx, name, sid, + &range, NULL, 0, external_mapping, + NULL, NULL); + } else { + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, name, sid, &range, + NULL, 0, external_mapping); + } + assert_int_equal(err, IDMAP_SUCCESS); + + range.min += TEST_OFFSET; + range.max += TEST_OFFSET; + + if (sec_slices) { + err = sss_idmap_add_auto_domain_ex(test_ctx->idmap_ctx, name, sid, + &range, NULL, TEST_OFFSET, + external_mapping, NULL, NULL); + } else { + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, name, sid, &range, + NULL, TEST_OFFSET, external_mapping); + } + assert_int_equal(err, IDMAP_SUCCESS); + return 0; +} + +static int setup_ranges_2922(struct test_ctx *test_ctx) +{ + const int TEST_2922_DFL_SLIDE = 9212; + struct sss_idmap_range range; + enum idmap_error_code err; + const char *name; + const char *sid; + /* Pick a new slice. */ + id_t slice_num = -1; + + assert_non_null(test_ctx); + + name = TEST_DOM_NAME; + sid = TEST_DOM_SID; + + err = sss_idmap_calculate_range(test_ctx->idmap_ctx, sid, &slice_num, + &range); + assert_int_equal(err, IDMAP_SUCCESS); + /* Range computation should be deterministic. Lets validate that. 
*/ + assert_int_equal(range.min, TEST_2922_MIN_ID); + assert_int_equal(range.max, TEST_2922_MAX_ID); + assert_int_equal(slice_num, TEST_2922_DFL_SLIDE); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, name, sid, &range, + NULL, 0, false /* No external mapping */); + assert_int_equal(err, IDMAP_SUCCESS); + + return 0; +} + +static int test_sss_idmap_setup_with_domains(void **state) +{ + struct test_ctx *test_ctx; + + test_sss_idmap_setup(state); + + test_ctx = talloc_get_type(*state, struct test_ctx); + assert_non_null(test_ctx); + + setup_ranges(test_ctx, false, false, false); + return 0; +} + +static int test_sss_idmap_setup_with_domains_2922(void **state) +{ + struct test_ctx *test_ctx; + + test_sss_idmap_setup(state); + + test_ctx = talloc_get_type(*state, struct test_ctx); + assert_non_null(test_ctx); + + setup_ranges_2922(test_ctx); + return 0; +} + +static int test_sss_idmap_setup_with_domains_sec_slices(void **state) +{ + struct test_ctx *test_ctx; + + test_sss_idmap_setup(state); + + test_ctx = talloc_get_type(*state, struct test_ctx); + assert_non_null(test_ctx); + + setup_ranges(test_ctx, false, false, true); + return 0; +} + +static int test_sss_idmap_setup_with_external_mappings(void **state) +{ + struct test_ctx *test_ctx; + + test_sss_idmap_setup(state); + + test_ctx = talloc_get_type(*state, struct test_ctx); + assert_non_null(test_ctx); + + setup_ranges(test_ctx, true, false, false); + return 0; +} + +static int test_sss_idmap_setup_with_both(void **state) +{ + struct test_ctx *test_ctx; + + test_sss_idmap_setup(state); + + test_ctx = talloc_get_type(*state, struct test_ctx); + assert_non_null(test_ctx); + + setup_ranges(test_ctx, false, false, false); + setup_ranges(test_ctx, true, true, false); + return 0; +} + +static int test_sss_idmap_teardown(void **state) +{ + struct test_ctx *test_ctx; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + talloc_free(test_ctx->idmap_ctx); + 
talloc_free(test_ctx->mem_idmap); + assert_true(check_leaks_pop(test_ctx) == true); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +void test_add_domain(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + struct sss_idmap_range range; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + range.min = TEST_RANGE_MIN; + range.max = TEST_RANGE_MAX; + + err = sss_idmap_add_domain(test_ctx->idmap_ctx, TEST_DOM_NAME, TEST_DOM_SID, + &range); + assert_int_equal(err, IDMAP_SUCCESS); + + err = sss_idmap_add_domain(test_ctx->idmap_ctx, TEST_DOM_NAME, TEST_DOM_SID, + &range); + assert_int_equal(err, IDMAP_COLLISION); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME, + TEST_DOM_SID, &range, NULL, 0, false); + assert_int_equal(err, IDMAP_COLLISION); + + range.min = TEST_RANGE_MIN + TEST_OFFSET; + range.max = TEST_RANGE_MAX + TEST_OFFSET; + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME, + TEST_DOM_SID, &range, NULL, 0, false); + assert_int_equal(err, IDMAP_COLLISION); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME"X", + TEST_DOM_SID, &range, NULL, TEST_OFFSET, + false); + assert_int_equal(err, IDMAP_COLLISION); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME, + TEST_DOM_SID"1", &range, NULL, TEST_OFFSET, + false); + assert_int_equal(err, IDMAP_COLLISION); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME, + TEST_DOM_SID, &range, NULL, TEST_OFFSET, + true); + assert_int_equal(err, IDMAP_COLLISION); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME, + TEST_DOM_SID, &range, NULL, TEST_OFFSET, + false); + assert_int_equal(err, IDMAP_SUCCESS); + + range.min = TEST_RANGE_MIN + 2 * TEST_OFFSET; + range.max = TEST_RANGE_MAX + 2 * TEST_OFFSET; + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME"-nosid", + NULL, &range, NULL, TEST_OFFSET, + false); + 
assert_int_equal(err, IDMAP_SID_INVALID); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME"-nosid", + NULL, &range, NULL, TEST_OFFSET, + true); + assert_int_equal(err, IDMAP_SUCCESS); +} + +void test_map_id(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + uint32_t id; + char *sid = NULL; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"1-1", &id); + assert_int_equal(err, IDMAP_NO_DOMAIN); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-400000", + &id); + assert_int_equal(err, IDMAP_NO_RANGE); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_OFFSET - 1, &sid); + assert_int_equal(err, IDMAP_NO_DOMAIN); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-0", &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, TEST_RANGE_MIN); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, id, &sid); + assert_int_equal(err, IDMAP_SUCCESS); + assert_string_equal(sid, TEST_DOM_SID"-0"); + sss_idmap_free_sid(test_ctx->idmap_ctx, sid); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, + TEST_DOM_SID"-"TEST_OFFSET_STR, &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, TEST_RANGE_MIN+TEST_OFFSET); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, id, &sid); + assert_int_equal(err, IDMAP_SUCCESS); + assert_string_equal(sid, TEST_DOM_SID"-"TEST_OFFSET_STR); + sss_idmap_free_sid(test_ctx->idmap_ctx, sid); +} + +/* https://fedorahosted.org/sssd/ticket/2922 */ +/* ID mapping - bug in computing max id for slice range */ +void test_map_id_2922(void **state) +{ + const char* TEST_2922_FIRST_SID = TEST_DOM_SID"-0"; + /* Last SID = first SID + (default) rangesize -1 */ + const char* TEST_2922_LAST_SID = TEST_DOM_SID"-199999"; + /* Last SID = first SID + rangesize */ + const char* TEST_2922_LAST_SID_PLUS_ONE = TEST_DOM_SID"-200000"; + struct test_ctx *test_ctx; + 
enum idmap_error_code err; + uint32_t id; + char *sid = NULL; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + /* Min UNIX ID to SID */ + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_2922_MIN_ID, &sid); + assert_int_equal(err, IDMAP_SUCCESS); + assert_string_equal(sid, TEST_2922_FIRST_SID); + sss_idmap_free_sid(test_ctx->idmap_ctx, sid); + + /* First SID to UNIX ID */ + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_2922_FIRST_SID, &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, TEST_2922_MIN_ID); + + /* Max UNIX ID to SID */ + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_2922_MAX_ID, &sid); + assert_int_equal(err, IDMAP_SUCCESS); + assert_string_equal(sid, TEST_2922_LAST_SID); + sss_idmap_free_sid(test_ctx->idmap_ctx, sid); + + /* Last SID to UNIX ID */ + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_2922_LAST_SID, &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, TEST_2922_MAX_ID); + + /* Max UNIX ID + 1 to SID */ + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_2922_MAX_ID + 1, + &sid); + assert_int_equal(err, IDMAP_NO_DOMAIN); + + /* Last SID + 1 to UNIX ID */ + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, + TEST_2922_LAST_SID_PLUS_ONE, &id); + /* Auto adding new ranges is disable in this test. 
*/ + assert_int_equal(err, IDMAP_NO_RANGE); +} + +void test_map_id_sec_slices(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + uint32_t id; + char *sid = NULL; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"1-1", &id); + assert_int_equal(err, IDMAP_NO_DOMAIN); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-4000000", + &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, 575600000); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_OFFSET - 1, &sid); + assert_int_equal(err, IDMAP_NO_DOMAIN); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-0", &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, TEST_RANGE_MIN); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, id, &sid); + assert_int_equal(err, IDMAP_SUCCESS); + assert_string_equal(sid, TEST_DOM_SID"-0"); + sss_idmap_free_sid(test_ctx->idmap_ctx, sid); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, + TEST_DOM_SID"-"TEST_OFFSET_STR, &id); + assert_int_equal(err, IDMAP_SUCCESS); + assert_int_equal(id, TEST_RANGE_MIN+TEST_OFFSET); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, id, &sid); + assert_int_equal(err, IDMAP_SUCCESS); + assert_string_equal(sid, TEST_DOM_SID"-"TEST_OFFSET_STR); + sss_idmap_free_sid(test_ctx->idmap_ctx, sid); +} + +void test_map_id_external(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + uint32_t id; + char *sid = NULL; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"1-1", &id); + assert_int_equal(err, IDMAP_NO_DOMAIN); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-400000", + &id); + assert_int_equal(err, IDMAP_EXTERNAL); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_OFFSET - 1, &sid); + 
assert_int_equal(err, IDMAP_NO_DOMAIN); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-0", &id); + assert_int_equal(err, IDMAP_EXTERNAL); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, TEST_RANGE_MIN, &sid); + assert_int_equal(err, IDMAP_EXTERNAL); + + err = sss_idmap_sid_to_unix(test_ctx->idmap_ctx, + TEST_DOM_SID"-"TEST_OFFSET_STR, &id); + assert_int_equal(err, IDMAP_EXTERNAL); + + err = sss_idmap_unix_to_sid(test_ctx->idmap_ctx, + TEST_RANGE_MIN + TEST_OFFSET, &sid); + assert_int_equal(err, IDMAP_EXTERNAL); +} + +void test_check_sid_id(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_check_sid_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-400000", + TEST_RANGE_MIN-1); + assert_int_equal(err, IDMAP_NO_RANGE); + + err = sss_idmap_check_sid_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-400000", + TEST_RANGE_MIN); + assert_int_equal(err, IDMAP_SUCCESS); + + err = sss_idmap_check_sid_unix(test_ctx->idmap_ctx, TEST_DOM_SID"1-400000", + TEST_RANGE_MIN); + assert_int_equal(err, IDMAP_SID_UNKNOWN); + + err = sss_idmap_check_sid_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-400000", + TEST_RANGE_MAX + TEST_OFFSET); + assert_int_equal(err, IDMAP_SUCCESS); + + err = sss_idmap_check_sid_unix(test_ctx->idmap_ctx, TEST_DOM_SID"-400000", + TEST_RANGE_MAX + TEST_OFFSET + 1); + assert_int_equal(err, IDMAP_NO_RANGE); +} + +void test_has_algorithmic(void **state) +{ + struct test_ctx *test_ctx; + bool use_id_mapping; + enum idmap_error_code err; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_domain_has_algorithmic_mapping(NULL, NULL, &use_id_mapping); + assert_int_equal(err, IDMAP_SID_INVALID); + + err = sss_idmap_domain_has_algorithmic_mapping(NULL, TEST_DOM_SID, + &use_id_mapping); + assert_int_equal(err, IDMAP_CONTEXT_INVALID); + + err = 
sss_idmap_domain_has_algorithmic_mapping(test_ctx->idmap_ctx, NULL, + &use_id_mapping); + assert_int_equal(err, IDMAP_SID_INVALID); + + err = sss_idmap_domain_has_algorithmic_mapping(test_ctx->idmap_ctx, + TEST_DOM_SID"1", + &use_id_mapping); + assert_int_equal(err, IDMAP_SID_UNKNOWN); + + err = sss_idmap_domain_has_algorithmic_mapping(test_ctx->idmap_ctx, + TEST_DOM_SID, + &use_id_mapping); + assert_int_equal(err, IDMAP_SUCCESS); + assert_true(use_id_mapping); + + err = sss_idmap_domain_has_algorithmic_mapping(test_ctx->idmap_ctx, + TEST_2_DOM_SID, + &use_id_mapping); + assert_int_equal(err, IDMAP_SUCCESS); + assert_false(use_id_mapping); +} + +void test_has_algorithmic_by_name(void **state) +{ + struct test_ctx *test_ctx; + bool use_id_mapping; + enum idmap_error_code err; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(NULL, NULL, &use_id_mapping); + assert_int_equal(err, IDMAP_ERROR); + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(NULL, TEST_DOM_SID, + &use_id_mapping); + assert_int_equal(err, IDMAP_CONTEXT_INVALID); + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(test_ctx->idmap_ctx, NULL, + &use_id_mapping); + assert_int_equal(err, IDMAP_ERROR); + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(test_ctx->idmap_ctx, + TEST_DOM_NAME"1", + &use_id_mapping); + assert_int_equal(err, IDMAP_NAME_UNKNOWN); + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(test_ctx->idmap_ctx, + TEST_DOM_NAME, + &use_id_mapping); + assert_int_equal(err, IDMAP_SUCCESS); + assert_true(use_id_mapping); + + err = sss_idmap_domain_by_name_has_algorithmic_mapping(test_ctx->idmap_ctx, + TEST_2_DOM_NAME, + &use_id_mapping); + assert_int_equal(err, IDMAP_SUCCESS); + assert_false(use_id_mapping); +} + +void test_sss_idmap_check_collision_ex(void **state) +{ + enum idmap_error_code err; + struct sss_idmap_range r1 = {TEST_RANGE_MIN, TEST_RANGE_MAX}; + struct 
sss_idmap_range r2 = {TEST_2_RANGE_MIN, TEST_2_RANGE_MAX}; + + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + TEST_EXT_MAPPING, + TEST_2_DOM_NAME, TEST_2_DOM_SID, &r2, + TEST_2_FIRST_RID, NULL, + TEST_2_EXT_MAPPING); + assert_int_equal(err, IDMAP_SUCCESS); + + /* Same name, different SID */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + TEST_EXT_MAPPING, + TEST_DOM_NAME, TEST_2_DOM_SID, &r2, + TEST_2_FIRST_RID, NULL, + TEST_2_EXT_MAPPING); + assert_int_equal(err, IDMAP_COLLISION); + + /* Same SID, different name */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + TEST_EXT_MAPPING, + TEST_2_DOM_NAME, TEST_DOM_SID, &r2, + TEST_2_FIRST_RID, NULL, + TEST_2_EXT_MAPPING); + assert_int_equal(err, IDMAP_COLLISION); + + /* Same SID and name, no overlaps */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + TEST_EXT_MAPPING, + TEST_DOM_NAME, TEST_DOM_SID, &r2, + TEST_2_FIRST_RID, NULL, + TEST_2_EXT_MAPPING); + assert_int_equal(err, IDMAP_SUCCESS); + + /* Same SID and name, different mappings */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + TEST_EXT_MAPPING, + TEST_DOM_NAME, TEST_DOM_SID, &r2, + TEST_2_FIRST_RID, NULL, + !TEST_EXT_MAPPING); + assert_int_equal(err, IDMAP_COLLISION); + + /* Same SID and name, Overlapping RID range */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + false, + TEST_DOM_NAME, TEST_DOM_SID, &r2, + TEST_FIRST_RID, NULL, + false); + assert_int_equal(err, IDMAP_COLLISION); + + /* Different SID and name, Overlapping RID range */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + false, + TEST_2_DOM_NAME, TEST_2_DOM_SID, &r2, + TEST_FIRST_RID, NULL, + false); + assert_int_equal(err, IDMAP_SUCCESS); + + + /* Overlapping 
ranges with no external mapping */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + false, + TEST_2_DOM_NAME, TEST_2_DOM_SID, &r1, + TEST_2_FIRST_RID, NULL, + false); + assert_int_equal(err, IDMAP_COLLISION); + + /* Overlapping ranges with external mapping */ + err = sss_idmap_check_collision_ex(TEST_DOM_NAME, TEST_DOM_SID, &r1, + TEST_FIRST_RID, NULL, + true, + TEST_2_DOM_NAME, TEST_2_DOM_SID, &r1, + TEST_2_FIRST_RID, NULL, + true); + assert_int_equal(err, IDMAP_SUCCESS); +} + +void test_sss_idmap_error_string(void **state) +{ + size_t c; + + for (c = IDMAP_SUCCESS; c < IDMAP_ERR_LAST; c++) { + assert_string_not_equal(idmap_error_string(c), + idmap_error_string(IDMAP_ERR_LAST)); + } +} + +void test_sss_idmap_calculate_range_slice_collision(void **state) +{ + struct test_ctx *test_ctx; + enum idmap_error_code err; + struct sss_idmap_range range; + id_t slice_num = 123; + + test_ctx = talloc_get_type(*state, struct test_ctx); + + assert_non_null(test_ctx); + + err = sss_idmap_calculate_range(test_ctx->idmap_ctx, NULL, &slice_num, + &range); + assert_int_equal(err, IDMAP_SUCCESS); + + err = sss_idmap_add_domain_ex(test_ctx->idmap_ctx, TEST_DOM_NAME, + TEST_DOM_SID, &range, NULL, 0, false); + assert_int_equal(err, IDMAP_SUCCESS); + + err = sss_idmap_calculate_range(test_ctx->idmap_ctx, NULL, &slice_num, + &range); + assert_int_equal(err, IDMAP_COLLISION); + + slice_num++; + err = sss_idmap_calculate_range(test_ctx->idmap_ctx, NULL, &slice_num, + &range); + assert_int_equal(err, IDMAP_SUCCESS); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_add_domain, + test_sss_idmap_setup, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_map_id, + test_sss_idmap_setup_with_domains, + test_sss_idmap_teardown), + 
cmocka_unit_test_setup_teardown(test_map_id_2922, + test_sss_idmap_setup_with_domains_2922, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_map_id_sec_slices, + test_sss_idmap_setup_with_domains_sec_slices, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_map_id_external, + test_sss_idmap_setup_with_external_mappings, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_check_sid_id, + test_sss_idmap_setup_with_domains, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_check_sid_id, + test_sss_idmap_setup_with_external_mappings, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_has_algorithmic, + test_sss_idmap_setup_with_both, + test_sss_idmap_teardown), + cmocka_unit_test_setup_teardown(test_has_algorithmic_by_name, + test_sss_idmap_setup_with_both, + test_sss_idmap_teardown), + cmocka_unit_test(test_sss_idmap_check_collision_ex), + cmocka_unit_test(test_sss_idmap_error_string), + cmocka_unit_test_setup_teardown(test_sss_idmap_calculate_range_slice_collision, + test_sss_idmap_setup, + test_sss_idmap_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_sss_sifp.c b/src/tests/cmocka/test_sss_sifp.c new file mode 100644 index 0000000..31d23ec --- /dev/null +++ b/src/tests/cmocka/test_sss_sifp.c 
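Review bot: In `test_map_id_2922`, `sid` still holds the pointer already released by `sss_idmap_free_sid()` when it is passed to the `TEST_2922_MAX_ID + 1` lookup that is expected to return `IDMAP_NO_DOMAIN`. The test therefore cannot tell whether the failing path leaves the output untouched, and any assertion or free on `sid` added after that call would act on freed memory. Resetting the variable after each release with `sid = NULL;` and adding `assert_null(sid);` after the failing call would pin the error-path contract; this presumes the library does not write the output on failure, which is not visible in this hunk. `test_map_id` and `test_map_id_sec_slices` reuse `sid` after freeing it in the same way, though there only for calls that are expected to succeed and overwrite it.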
@@ -0,0 +1,2250 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "lib/sifp/sss_sifp.h"
+#include "lib/sifp/sss_sifp_dbus.h"
+#include "lib/sifp/sss_sifp_private.h"
+#include "responder/ifp/ifp_iface.h"
+
+struct {
+ sss_sifp_ctx *dbus_ctx;
+ DBusMessage *reply;
+} test_ctx;
+
+DBusConnection *
+__wrap_dbus_bus_get(DBusBusType type, DBusError *error)
+{
+ /* we won't use the connection anywhere, so we can just return NULL */
+ return NULL;
+}
+
+DBusMessage *
+__wrap_dbus_connection_send_with_reply_and_block(DBusConnection *connection,
+ DBusMessage *message,
+ int timeout_milliseconds,
+ DBusError *error)
+{
+ if (message == NULL || error == NULL) {
+ return NULL;
+ }
+
+ return sss_mock_ptr_type(DBusMessage *);
+}
+
+static void reply_variant_basic(DBusMessage *reply,
+ const char *type,
+ const void *val)
+{
+ DBusMessageIter iter;
+ DBusMessageIter variant_iter;
+ dbus_bool_t bret;
+
+ dbus_message_iter_init_append(reply, &iter);
+
+
+ bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT,
+ type, &variant_iter);
+ assert_true(bret);
+
+ /* Now add the value */
+ bret = dbus_message_iter_append_basic(&variant_iter, type[0], val);
+ assert_true(bret);
+
+ bret = dbus_message_iter_close_container(&iter, &variant_iter);
+ assert_true(bret);
+}
+
+static void
reply_variant_array(DBusMessage *reply,
+ const char *type,
+ int num_vals,
+ uint8_t *vals,
+ unsigned int item_size)
+{
+ DBusMessageIter iter;
+ DBusMessageIter variant_iter;
+ DBusMessageIter array_iter;
+ dbus_bool_t bret;
+ char array_type[3];
+ int i;
+ void *addr;
+
+ array_type[0] = DBUS_TYPE_ARRAY;
+ array_type[1] = type[0];
+ array_type[2] = '\0';
+
+ dbus_message_iter_init_append(reply, &iter);
+
+
+ bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT,
+ array_type, &variant_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_open_container(&variant_iter, DBUS_TYPE_ARRAY,
+ type, &array_iter);
+ assert_true(bret);
+
+ for (i = 0; i < num_vals; i++) {
+ addr = vals + i*item_size;
+ bret = dbus_message_iter_append_basic(&array_iter, type[0], addr);
+ assert_true(bret);
+ }
+
+ bret = dbus_message_iter_close_container(&iter, &array_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_close_container(&iter, &variant_iter);
+ assert_true(bret);
+}
+
+static int test_setup(void **state)
+{
+ sss_sifp_error ret;
+
+ ret = sss_sifp_init(&test_ctx.dbus_ctx);
+ assert_int_equal(ret, SSS_SIFP_OK);
+
+ test_ctx.reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
+ assert_non_null(test_ctx.reply);
+ return 0;
+}
+
+static int test_teardown_parser(void **state)
+{
+ sss_sifp_free(&test_ctx.dbus_ctx);
+ assert_null(test_ctx.dbus_ctx);
+
+ dbus_message_unref(test_ctx.reply);
+ test_ctx.reply = NULL;
+ return 0;
+}
+
+static int test_teardown_api(void **state)
+{
+ sss_sifp_free(&test_ctx.dbus_ctx);
+ assert_null(test_ctx.dbus_ctx);
+
+ /* sss_sifp is responsible for freeing the reply */
+ return 0;
+}
+
+void test_sss_sifp_strdup_valid(void **state)
+{
+ const char *str = "test_string";
+ char *dup_str = sss_sifp_strdup(test_ctx.dbus_ctx, str);
+ assert_non_null(dup_str);
+ assert_string_equal(str, dup_str);
+
+ sss_sifp_free_string(test_ctx.dbus_ctx, &dup_str);
+ assert_null(dup_str);
+}
+
+void test_sss_sifp_strdup_null(void **state)
+{
+
char *dup_str = sss_sifp_strdup(test_ctx.dbus_ctx, NULL);
+ assert_null(dup_str);
+}
+
+void test_sss_sifp_strcat_valid(void **state)
+{
+ char *cat = sss_sifp_strcat(test_ctx.dbus_ctx, "hello ", "world");
+ assert_non_null(cat);
+ assert_string_equal("hello world", cat);
+
+ sss_sifp_free_string(test_ctx.dbus_ctx, &cat);
+ assert_null(cat);
+}
+
+void test_sss_sifp_strcat_left_null(void **state)
+{
+ char *cat = sss_sifp_strcat(test_ctx.dbus_ctx, NULL, "world");
+ assert_non_null(cat);
+ assert_string_equal("world", cat);
+
+ sss_sifp_free_string(test_ctx.dbus_ctx, &cat);
+ assert_null(cat);
+}
+
+void test_sss_sifp_strcat_right_null(void **state)
+{
+ char *cat = sss_sifp_strcat(test_ctx.dbus_ctx, "hello ", NULL);
+ assert_non_null(cat);
+ assert_string_equal("hello ", cat);
+
+ sss_sifp_free_string(test_ctx.dbus_ctx, &cat);
+ assert_null(cat);
+}
+
+void test_sss_sifp_strcat_both_null(void **state)
+{
+ char *cat = sss_sifp_strcat(test_ctx.dbus_ctx, NULL, NULL);
+ assert_null(cat);
+}
+
+void test_sss_sifp_parse_object_path_valid(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+ const char *path_in = "/object/path";
+ char *path_out = NULL;
+
+ /* prepare message */
+ bret = dbus_message_append_args(reply, DBUS_TYPE_OBJECT_PATH, &path_in,
+ DBUS_TYPE_INVALID);
+ assert_true(bret);
+
+ /* test */
+ ret = sss_sifp_parse_object_path(ctx, reply, &path_out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(path_out);
+ assert_string_equal(path_in, path_out);
+
+ sss_sifp_free_string(ctx, &path_out);
+ assert_null(path_out);
+}
+
+void test_sss_sifp_parse_object_path_invalid(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+ uint16_t path_in = 10;
+ char *path_out = NULL;
+
+ /* prepare message */
+ bret = dbus_message_append_args(reply, DBUS_TYPE_UINT16, &path_in,
+
DBUS_TYPE_INVALID);
+ assert_true(bret);
+
+ /* test */
+ ret = sss_sifp_parse_object_path(ctx, reply, &path_out);
+ assert_int_not_equal(ret, SSS_SIFP_OK);
+ assert_null(path_out);
+}
+
+void test_sss_sifp_parse_object_path_list_valid(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+ char **path_out = NULL;
+ const char *path_in[] = {"/object/path1", "/object/path2"};
+ const char **paths = path_in;
+ int path_in_len = 2;
+ int i;
+
+ /* prepare message */
+ bret = dbus_message_append_args(reply, DBUS_TYPE_ARRAY,
+ DBUS_TYPE_OBJECT_PATH,
+ &paths, path_in_len,
+ DBUS_TYPE_INVALID);
+ assert_true(bret);
+
+ /* test */
+ ret = sss_sifp_parse_object_path_list(ctx, reply, &path_out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(path_out);
+
+ for (i = 0; path_out[i] != NULL; i++) {
+ assert_true(i < path_in_len);
+ assert_non_null(path_out[i]);
+ assert_string_equal(path_in[i], path_out[i]);
+ }
+
+ sss_sifp_free_string_array(ctx, &path_out);
+ assert_null(path_out);
+}
+
+void test_sss_sifp_parse_object_path_list_invalid(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+ char **path_out = NULL;
+ const char *path_in = "/object/path";
+
+ /* prepare message */
+ bret = dbus_message_append_args(reply, DBUS_TYPE_OBJECT_PATH, &path_in,
+ DBUS_TYPE_INVALID);
+ assert_true(bret);
+
+ /* test */
+ ret = sss_sifp_parse_object_path_list(ctx, reply, &path_out);
+ assert_int_not_equal(ret, SSS_SIFP_OK);
+ assert_null(path_out);
+}
+
+void test_sss_sifp_parse_attr_bool(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ dbus_bool_t in = 1;
+ bool out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_BOOLEAN_AS_STRING, &in);
+
+ /* test */
+
ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_BOOL);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_bool(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_true(in == out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int16(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ int16_t in = INT16_MIN;
+ int16_t out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_INT16_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT16);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int16(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint16(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ uint16_t in = UINT16_MAX;
+ uint16_t out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_UINT16_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+
assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT16);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint16(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int32(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ int32_t in = INT32_MIN;
+ int32_t out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_INT32_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT32);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int32(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint32(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ uint32_t in = UINT32_MAX;
+ uint32_t out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_UINT32_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT32);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint32(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+
assert_int_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int64(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ int64_t in = INT64_MIN;
+ int64_t out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_INT64_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT64);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int64(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint64(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ uint64_t in = UINT64_MAX;
+ uint64_t out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_UINT64_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT64);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint64(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_string(void **state)
+{
+ sss_sifp_ctx
*ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ const char *in = "test value";
+ const char *out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_STRING_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_string(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_string_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_object_path(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ const char *in = "/object/path";
+ const char *out;
+
+ /* prepare message */
+ reply_variant_basic(reply, DBUS_TYPE_OBJECT_PATH_AS_STRING, &in);
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_string(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_string_equal(in, out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_string_dict(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ DBusMessageIter iter;
+ DBusMessageIter var_iter;
+ DBusMessageIter array_iter;
+ DBusMessageIter dict_iter;
+ dbus_bool_t bret;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ struct {
+ const char *key;
+ const char *value;
+ } data = {"key", "value"};
+ hash_table_t *out;
+ hash_key_t key;
+ hash_value_t value;
+ char **values;
+ int hret;
+
+ /* prepare message */
+ dbus_message_iter_init_append(reply, &iter);
+
+ bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT,
+ DBUS_TYPE_ARRAY_AS_STRING
+ DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING
+ DBUS_TYPE_STRING_AS_STRING
+ DBUS_TYPE_STRING_AS_STRING
+ DBUS_DICT_ENTRY_END_CHAR_AS_STRING,
+ &var_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_open_container(&var_iter, DBUS_TYPE_ARRAY,
+ DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING
+ DBUS_TYPE_STRING_AS_STRING
+ DBUS_TYPE_STRING_AS_STRING
+ DBUS_DICT_ENTRY_END_CHAR_AS_STRING,
+ &array_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_open_container(&array_iter,
+ DBUS_TYPE_DICT_ENTRY,
+ NULL, &dict_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING,
+ &data.key);
+ assert_true(bret);
+
+ bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING,
+ &data.value);
+ assert_true(bret);
+
+ bret = dbus_message_iter_close_container(&array_iter, &dict_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_close_container(&var_iter, &array_iter);
+ assert_true(bret);
+
+ bret = dbus_message_iter_close_container(&iter, &var_iter);
+ assert_true(bret);
+
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, 1);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING_DICT);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_string_dict(attrs, name, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(hash_count(out), 1);
+
+ key.type = HASH_KEY_STRING;
+ key.str =
discard_const(data.key);
+ hret = hash_lookup(out, &key, &value);
+ assert_int_equal(hret, HASH_SUCCESS);
+ assert_int_equal(value.type, HASH_VALUE_PTR);
+ assert_non_null(value.ptr);
+ values = value.ptr;
+ assert_non_null(values[0]);
+ assert_string_equal(values[0], data.value);
+ assert_null(values[1]);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_bool_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ dbus_bool_t in_array[] = {1, 1, 0, 0, 1};
+ dbus_bool_t *in = in_array;
+ unsigned int out_num;
+ bool *out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_BOOLEAN_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(dbus_bool_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_BOOL);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_bool_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_true(in[i] == out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_bool_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 0;
+ unsigned int out_num;
+ bool *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_BOOLEAN_AS_STRING, num_values,
+ NULL, sizeof(dbus_bool_t));
+
+ /* test */
+ ret =
sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_BOOL);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_bool_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int16_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ int16_t in_array[] = {10, 15, -10, -15, 5559};
+ int16_t *in = in_array;
+ unsigned int out_num;
+ int16_t *out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_INT16_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(int16_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT16);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int16_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_int_equal(in[i], out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int16_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int
num_values = 0;
+ unsigned int out_num;
+ int16_t *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_INT16_AS_STRING, num_values,
+ NULL, sizeof(int16_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT16);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int16_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint16_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ uint16_t in_array[] = {10, 15, 8885, 3224, 5559};
+ uint16_t *in = in_array;
+ unsigned int out_num;
+ uint16_t *out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_UINT16_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(uint16_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT16);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint16_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_int_equal(in[i], out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void
test_sss_sifp_parse_attr_uint16_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 0;
+ unsigned int out_num;
+ uint16_t *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_UINT16_AS_STRING, num_values,
+ NULL, sizeof(uint16_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT16);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint16_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int32_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ int32_t in_array[] = {10, 15, -10, -15, 5559};
+ int32_t *in = in_array;
+ unsigned int out_num;
+ int32_t *out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_INT32_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(int32_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT32);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int32_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret,
SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_int_equal(in[i], out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int32_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 0;
+ unsigned int out_num;
+ int32_t *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_INT32_AS_STRING, num_values,
+ NULL, sizeof(int32_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT32);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int32_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint32_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ uint32_t in_array[] = {10, 15, 8885, 3224, 5559};
+ uint32_t *in = in_array;
+ unsigned int out_num;
+ uint32_t *out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_UINT32_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(uint32_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+
assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT32);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint32_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_int_equal(in[i], out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint32_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 0;
+ unsigned int out_num;
+ uint32_t *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_UINT32_AS_STRING, num_values,
+ NULL, sizeof(uint32_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT32);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint32_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int64_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ int64_t in_array[] = {10, 15, -10, -15, 5559};
+ int64_t *in = in_array;
+ unsigned int out_num;
+ int64_t *out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_INT64_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(int64_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx,
name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT64);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int64_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_int_equal(in[i], out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_int64_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 0;
+ unsigned int out_num;
+ int64_t *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_INT64_AS_STRING, num_values,
+ NULL, sizeof(int64_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_INT64);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_int64_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint64_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 5;
+ uint64_t in_array[] = {10, 15, 8885, 3224, 5559};
+ uint64_t *in = in_array;
+ unsigned int out_num;
+ uint64_t
*out;
+ unsigned int i;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_UINT64_AS_STRING, num_values,
+ (uint8_t*)in, sizeof(uint64_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT64);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint64_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_int_equal(num_values, out_num);
+
+ for (i = 0; i < num_values; i++) {
+ assert_int_equal(in[i], out[i]);
+ }
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_uint64_array_empty(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+ sss_sifp_attr **attrs = NULL;
+ const char *name = "test-attr";
+ unsigned int num_values = 0;
+ unsigned int out_num;
+ uint64_t *out;
+
+ /* prepare message */
+ reply_variant_array(reply, DBUS_TYPE_UINT64_AS_STRING, num_values,
+ NULL, sizeof(uint64_t));
+
+ /* test */
+ ret = sss_sifp_parse_attr(ctx, name, reply, &attrs);
+
+ assert_int_equal(ret, SSS_SIFP_OK);
+ assert_non_null(attrs);
+ assert_non_null(attrs[0]);
+ assert_null(attrs[1]);
+
+ assert_int_equal(attrs[0]->num_values, num_values);
+ assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT64);
+ assert_string_equal(attrs[0]->name, name);
+
+ ret = sss_sifp_find_attr_as_uint64_array(attrs, name, &out_num, &out);
+ assert_int_equal(ret, SSS_SIFP_ATTR_NULL);
+ assert_int_equal(num_values, out_num);
+ assert_null(out);
+
+ sss_sifp_free_attrs(ctx, &attrs);
+ assert_null(attrs);
+}
+
+void test_sss_sifp_parse_attr_string_array(void **state)
+{
+ sss_sifp_ctx *ctx = test_ctx.dbus_ctx;
+ DBusMessage *reply = test_ctx.reply;
+ sss_sifp_error ret;
+
sss_sifp_attr **attrs = NULL; + const char *name = "test-attr"; + unsigned int num_values = 6; + const char *in_array[] = {"I", "don't", "like", "writing", "unit", "tests"}; + const char **in = in_array; + unsigned int out_num; + const char * const *out; + unsigned int i; + + /* prepare message */ + reply_variant_array(reply, DBUS_TYPE_STRING_AS_STRING, num_values, + (uint8_t*)in, sizeof(const char*)); + + /* test */ + ret = sss_sifp_parse_attr(ctx, name, reply, &attrs); + + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_non_null(attrs[0]); + assert_null(attrs[1]); + + assert_int_equal(attrs[0]->num_values, num_values); + assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING); + assert_string_equal(attrs[0]->name, name); + + ret = sss_sifp_find_attr_as_string_array(attrs, name, &out_num, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_int_equal(num_values, out_num); + + for (i = 0; i < num_values; i++) { + assert_string_equal(in[i], out[i]); + } + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_parse_attr_string_array_empty(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + const char *name = "test-attr"; + unsigned int num_values = 0; + unsigned int out_num; + const char * const *out; + + /* prepare message */ + reply_variant_array(reply, DBUS_TYPE_STRING_AS_STRING, num_values, + NULL, sizeof(const char*)); + + /* test */ + ret = sss_sifp_parse_attr(ctx, name, reply, &attrs); + + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_non_null(attrs[0]); + assert_null(attrs[1]); + + assert_int_equal(attrs[0]->num_values, num_values); + assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING); + assert_string_equal(attrs[0]->name, name); + + ret = sss_sifp_find_attr_as_string_array(attrs, name, &out_num, &out); + assert_int_equal(ret, SSS_SIFP_ATTR_NULL); + 
assert_int_equal(num_values, out_num); + assert_null(out); + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_parse_attr_object_path_array(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + const char *name = "test-attr"; + unsigned int num_values = 2; + const char *in_array[] = {"/object/path1", "/object/path2"}; + const char **in = in_array; + unsigned int out_num; + const char * const *out; + unsigned int i; + + /* prepare message */ + reply_variant_array(reply, DBUS_TYPE_OBJECT_PATH_AS_STRING, num_values, + (uint8_t*)in, sizeof(const char*)); + + /* test */ + ret = sss_sifp_parse_attr(ctx, name, reply, &attrs); + + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_non_null(attrs[0]); + assert_null(attrs[1]); + + assert_int_equal(attrs[0]->num_values, num_values); + assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING); + assert_string_equal(attrs[0]->name, name); + + ret = sss_sifp_find_attr_as_string_array(attrs, name, &out_num, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_int_equal(num_values, out_num); + + for (i = 0; i < num_values; i++) { + assert_string_equal(in[i], out[i]); + } + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_parse_attr_object_path_array_empty(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + const char *name = "test-attr"; + unsigned int num_values = 0; + unsigned int out_num; + const char * const *out; + + /* prepare message */ + reply_variant_array(reply, DBUS_TYPE_OBJECT_PATH_AS_STRING, num_values, + NULL, sizeof(const char*)); + + /* test */ + ret = sss_sifp_parse_attr(ctx, name, reply, &attrs); + + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_non_null(attrs[0]); + assert_null(attrs[1]); + + 
assert_int_equal(attrs[0]->num_values, num_values); + assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING); + assert_string_equal(attrs[0]->name, name); + + ret = sss_sifp_find_attr_as_string_array(attrs, name, &out_num, &out); + assert_int_equal(ret, SSS_SIFP_ATTR_NULL); + assert_int_equal(num_values, out_num); + assert_null(out); + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_parse_attr_string_dict_array(void **state) +{ + return; + + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + DBusMessageIter iter; + DBusMessageIter var_iter; + DBusMessageIter array_iter; + DBusMessageIter dict_iter; + DBusMessageIter val_iter; + dbus_bool_t bret; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + const char *name = "test-attr"; + static struct { + const char *key; + const char *values[]; + } data = {"key", {"value1", "value2", "value3"}}; + unsigned int num_values = 3; + hash_table_t *out; + hash_key_t key; + hash_value_t value; + char **values; + unsigned int i; + int hret; + + /* prepare message */ + dbus_message_iter_init_append(reply, &iter); + + bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_VARIANT, + DBUS_TYPE_ARRAY_AS_STRING + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_ARRAY_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &var_iter); + assert_true(bret); + + bret = dbus_message_iter_open_container(&var_iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_ARRAY_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array_iter); + assert_true(bret); + + bret = dbus_message_iter_open_container(&array_iter, + DBUS_TYPE_DICT_ENTRY, + NULL, &dict_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING, + &data.key); + assert_true(bret); + + bret = dbus_message_iter_open_container(&dict_iter, 
DBUS_TYPE_ARRAY, + DBUS_TYPE_STRING_AS_STRING, + &val_iter); + assert_true(bret); + + for (i = 0; i < num_values; i++) { + bret = dbus_message_iter_append_basic(&val_iter, DBUS_TYPE_STRING, + &data.values[i]); + assert_true(bret); + } + + bret = dbus_message_iter_close_container(&dict_iter, &val_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&array_iter, &dict_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&var_iter, &array_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&iter, &var_iter); + assert_true(bret); + + ret = sss_sifp_parse_attr(ctx, name, reply, &attrs); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_non_null(attrs[0]); + assert_null(attrs[1]); + + assert_int_equal(attrs[0]->num_values, 1); + assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_STRING_DICT); + assert_string_equal(attrs[0]->name, name); + + ret = sss_sifp_find_attr_as_string_dict(attrs, name, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_int_equal(hash_count(out), 1); + + key.type = HASH_KEY_STRING; + key.str = discard_const(data.key); + hret = hash_lookup(out, &key, &value); + assert_int_equal(hret, HASH_SUCCESS); + assert_int_equal(value.type, HASH_VALUE_PTR); + assert_non_null(value.ptr); + values = value.ptr; + + for (i = 0; i < num_values; i++) { + assert_non_null(values[i]); + assert_string_equal(values[i], data.values[i]); + } + assert_null(values[i]); + + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_parse_attr_list(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + DBusMessageIter iter; + DBusMessageIter array_iter; + DBusMessageIter dict_iter; + DBusMessageIter var_iter; + dbus_bool_t bret; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + struct { + const char *name; + uint32_t value; + } data[] = {{"attr1", 1}, {"attr2", 2}, {"attr3", 3}, {NULL, 0}}; + uint32_t out; + int i; + + 
/* prepare message */ + dbus_message_iter_init_append(reply, &iter); + + bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array_iter); + assert_true(bret); + + for (i = 0; data[i].name != NULL; i++) { + bret = dbus_message_iter_open_container(&array_iter, + DBUS_TYPE_DICT_ENTRY, + NULL, &dict_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING, + &data[i].name); + assert_true(bret); + + bret = dbus_message_iter_open_container(&dict_iter, DBUS_TYPE_VARIANT, + DBUS_TYPE_UINT32_AS_STRING, + &var_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&var_iter, DBUS_TYPE_UINT32, + &data[i].value); + assert_true(bret); + + bret = dbus_message_iter_close_container(&dict_iter, &var_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&array_iter, &dict_iter); + assert_true(bret); + } + + bret = dbus_message_iter_close_container(&iter, &array_iter); + assert_true(bret); + + ret = sss_sifp_parse_attr_list(ctx, reply, &attrs); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + + for (i = 0; data[i].name != NULL; i++) { + assert_non_null(attrs[i]); + assert_int_equal(attrs[i]->num_values, 1); + assert_int_equal(attrs[i]->type, SSS_SIFP_ATTR_TYPE_UINT32); + assert_string_equal(attrs[i]->name, data[i].name); + + ret = sss_sifp_find_attr_as_uint32(attrs, data[i].name, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_int_equal(data[i].value, out); + } + + assert_null(attrs[i]); + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_parse_attr_list_empty(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + DBusMessageIter iter; + DBusMessageIter array_iter; + dbus_bool_t bret; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + + /* prepare message */ 
+ dbus_message_iter_init_append(reply, &iter); + + bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&iter, &array_iter); + assert_true(bret); + + ret = sss_sifp_parse_attr_list(ctx, reply, &attrs); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_null(attrs[0]); + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_fetch_attr(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + const char *name = "test-attr"; + uint32_t in = UINT32_MAX; + uint32_t out; + + /* prepare message */ + reply_variant_basic(reply, DBUS_TYPE_UINT32_AS_STRING, &in); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + /* test */ + ret = sss_sifp_fetch_attr(ctx, "/test/object", "test.com", name, &attrs); + + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + assert_non_null(attrs[0]); + assert_null(attrs[1]); + + assert_int_equal(attrs[0]->num_values, 1); + assert_int_equal(attrs[0]->type, SSS_SIFP_ATTR_TYPE_UINT32); + assert_string_equal(attrs[0]->name, name); + + ret = sss_sifp_find_attr_as_uint32(attrs, name, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_int_equal(in, out); + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_fetch_all_attrs(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + DBusMessageIter iter; + DBusMessageIter array_iter; + DBusMessageIter dict_iter; + DBusMessageIter var_iter; + dbus_bool_t bret; + sss_sifp_error ret; + sss_sifp_attr **attrs = NULL; + struct { + const char *name; + uint32_t value; + } data[] = {{"attr1", 1}, {"attr2", 2}, {"attr3", 3}, {NULL, 0}}; + 
uint32_t out; + int i; + + /* prepare message */ + dbus_message_iter_init_append(reply, &iter); + + bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array_iter); + assert_true(bret); + + for (i = 0; data[i].name != NULL; i++) { + bret = dbus_message_iter_open_container(&array_iter, + DBUS_TYPE_DICT_ENTRY, + NULL, &dict_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING, + &data[i].name); + assert_true(bret); + + bret = dbus_message_iter_open_container(&dict_iter, DBUS_TYPE_VARIANT, + DBUS_TYPE_UINT32_AS_STRING, + &var_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&var_iter, DBUS_TYPE_UINT32, + &data[i].value); + assert_true(bret); + + bret = dbus_message_iter_close_container(&dict_iter, &var_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&array_iter, &dict_iter); + assert_true(bret); + } + + bret = dbus_message_iter_close_container(&iter, &array_iter); + assert_true(bret); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + ret = sss_sifp_fetch_all_attrs(ctx, "/test/object", "test.com", &attrs); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(attrs); + + for (i = 0; data[i].name != NULL; i++) { + assert_non_null(attrs[i]); + assert_int_equal(attrs[i]->num_values, 1); + assert_int_equal(attrs[i]->type, SSS_SIFP_ATTR_TYPE_UINT32); + assert_string_equal(attrs[i]->name, data[i].name); + + ret = sss_sifp_find_attr_as_uint32(attrs, data[i].name, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_int_equal(data[i].value, out); + } + + assert_null(attrs[i]); + + sss_sifp_free_attrs(ctx, &attrs); + assert_null(attrs); +} + +void test_sss_sifp_fetch_object(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + DBusMessageIter iter; + DBusMessageIter 
array_iter; + DBusMessageIter dict_iter; + DBusMessageIter var_iter; + const char *path = "/test/object"; + const char *iface = "test.com"; + dbus_bool_t bret; + sss_sifp_error ret; + sss_sifp_object *object = NULL; + struct { + const char *name; + const char *value; + } data[] = {{"name", "test-object"}, {"a1", "a"}, {"a2", "b"}, {NULL, 0}}; + const char *out; + int i; + + /* prepare message */ + dbus_message_iter_init_append(reply, &iter); + + bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array_iter); + assert_true(bret); + + for (i = 0; data[i].name != NULL; i++) { + bret = dbus_message_iter_open_container(&array_iter, + DBUS_TYPE_DICT_ENTRY, + NULL, &dict_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING, + &data[i].name); + assert_true(bret); + + bret = dbus_message_iter_open_container(&dict_iter, DBUS_TYPE_VARIANT, + DBUS_TYPE_STRING_AS_STRING, + &var_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&var_iter, DBUS_TYPE_STRING, + &data[i].value); + assert_true(bret); + + bret = dbus_message_iter_close_container(&dict_iter, &var_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&array_iter, &dict_iter); + assert_true(bret); + } + + bret = dbus_message_iter_close_container(&iter, &array_iter); + assert_true(bret); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + ret = sss_sifp_fetch_object(ctx, path, iface, &object); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(object); + assert_non_null(object->attrs); + assert_non_null(object->name); + assert_non_null(object->object_path); + assert_non_null(object->interface); + + assert_string_equal(object->name, "test-object"); + assert_string_equal(object->object_path, path); + assert_string_equal(object->interface, iface); + + for (i = 0; 
data[i].name != NULL; i++) { + assert_non_null(object->attrs[i]); + assert_int_equal(object->attrs[i]->num_values, 1); + assert_int_equal(object->attrs[i]->type, SSS_SIFP_ATTR_TYPE_STRING); + assert_string_equal(object->attrs[i]->name, data[i].name); + + ret = sss_sifp_find_attr_as_string(object->attrs, data[i].name, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_string_equal(data[i].value, out); + } + + assert_null(object->attrs[i]); + + sss_sifp_free_object(ctx, &object); + assert_null(object); +} + +void test_sss_sifp_invoke_list_zeroargs(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + dbus_bool_t bret; + sss_sifp_error ret; + char **path_out = NULL; + const char *path_in[] = {"/object/path1", "/object/path2"}; + const char **paths = path_in; + int path_in_len = 2; + int i; + + /* prepare message */ + bret = dbus_message_append_args(reply, DBUS_TYPE_ARRAY, + DBUS_TYPE_OBJECT_PATH, + &paths, path_in_len, + DBUS_TYPE_INVALID); + assert_true(bret); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + /* test */ + ret = sss_sifp_invoke_list_ex(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, + "MyMethod", &path_out, DBUS_TYPE_INVALID); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(path_out); + + for (i = 0; path_out[i] != NULL; i++) { + assert_true(i < path_in_len); + assert_non_null(path_out[i]); + assert_string_equal(path_in[i], path_out[i]); + } + + sss_sifp_free_string_array(ctx, &path_out); + assert_null(path_out); +} + +void test_sss_sifp_invoke_list_withargs(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + dbus_bool_t bret; + sss_sifp_error ret; + char **path_out = NULL; + const char *path_in[] = {"/object/path1", "/object/path2"}; + const char **paths = path_in; + const char *arg = "first-arg"; + int path_in_len = 2; + int i; + + /* prepare message */ + bret = dbus_message_append_args(reply, DBUS_TYPE_ARRAY, + DBUS_TYPE_OBJECT_PATH, 
+ &paths, path_in_len, + DBUS_TYPE_INVALID); + assert_true(bret); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + /* test */ + ret = sss_sifp_invoke_list_ex(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, + "MyMethod", &path_out, + DBUS_TYPE_STRING, &arg, + DBUS_TYPE_INVALID); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(path_out); + + for (i = 0; path_out[i] != NULL; i++) { + assert_true(i < path_in_len); + assert_non_null(path_out[i]); + assert_string_equal(path_in[i], path_out[i]); + } + + sss_sifp_free_string_array(ctx, &path_out); + assert_null(path_out); +} + +void test_sss_sifp_invoke_find_zeroargs(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + dbus_bool_t bret; + sss_sifp_error ret; + const char *path_in = "/object/path"; + char *path_out = NULL; + + /* prepare message */ + bret = dbus_message_append_args(reply, DBUS_TYPE_OBJECT_PATH, &path_in, + DBUS_TYPE_INVALID); + assert_true(bret); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + /* test */ + ret = sss_sifp_invoke_find_ex(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, + "MyMethod", &path_out, DBUS_TYPE_INVALID); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(path_out); + assert_string_equal(path_in, path_out); + + sss_sifp_free_string(ctx, &path_out); + assert_null(path_out); +} + +void test_sss_sifp_invoke_find_withargs(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *reply = test_ctx.reply; + dbus_bool_t bret; + sss_sifp_error ret; + const char *path_in = "/object/path"; + char *path_out = NULL; + const char *arg = "first-arg"; + + /* prepare message */ + bret = dbus_message_append_args(reply, DBUS_TYPE_OBJECT_PATH, &path_in, + DBUS_TYPE_INVALID); + assert_true(bret); + will_return(__wrap_dbus_connection_send_with_reply_and_block, reply); + + /* test */ + ret = sss_sifp_invoke_find_ex(ctx, SSS_SIFP_PATH, SSS_SIFP_IFACE, + "MyMethod", &path_out, + DBUS_TYPE_STRING, &arg, + 
DBUS_TYPE_INVALID); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(path_out); + assert_string_equal(path_in, path_out); + + sss_sifp_free_string(ctx, &path_out); + assert_null(path_out); +} + +void test_sss_sifp_list_domains(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *msg_paths = NULL; + DBusMessage *msg_ldap = NULL; + DBusMessage *msg_ipa = NULL; + dbus_bool_t bret; + sss_sifp_error ret; + const char *in[] = {SSS_SIFP_PATH "/Domains/LDAP", + SSS_SIFP_PATH "/Domains/IPA"}; + const char **paths = in; + const char *names[] = {"LDAP", "IPA"}; + char **out = NULL; + int in_len = 2; + int i; + + msg_paths = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN); + assert_non_null(msg_paths); + + msg_ldap = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN); + assert_non_null(msg_ldap); + + msg_ipa = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN); + assert_non_null(msg_ipa); + + /* prepare message */ + bret = dbus_message_append_args(msg_paths, DBUS_TYPE_ARRAY, + DBUS_TYPE_OBJECT_PATH, + &paths, in_len, + DBUS_TYPE_INVALID); + assert_true(bret); + + reply_variant_basic(msg_ldap, DBUS_TYPE_STRING_AS_STRING, &names[0]); + reply_variant_basic(msg_ipa, DBUS_TYPE_STRING_AS_STRING, &names[1]); + + will_return(__wrap_dbus_connection_send_with_reply_and_block, msg_paths); + will_return(__wrap_dbus_connection_send_with_reply_and_block, msg_ldap); + will_return(__wrap_dbus_connection_send_with_reply_and_block, msg_ipa); + + /* test */ + ret = sss_sifp_list_domains(ctx, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(out); + + for (i = 0; i < in_len; i++) { + assert_non_null(out[i]); + assert_string_equal(out[i], names[i]); + } + + assert_null(out[i]); + + sss_sifp_free_string_array(ctx, &out); + assert_null(out); + + /* messages are unreferenced in the library */ +} + +void test_sss_sifp_fetch_domain_by_name(void **state) +{ + sss_sifp_ctx *ctx = test_ctx.dbus_ctx; + DBusMessage *msg_path = NULL; + DBusMessage *msg_props = NULL; + 
DBusMessageIter iter; + DBusMessageIter array_iter; + DBusMessageIter dict_iter; + DBusMessageIter var_iter; + dbus_bool_t bret; + sss_sifp_error ret; + const char *in =SSS_SIFP_PATH "/Domains/LDAP"; + const char *name = "LDAP"; + const char *prop = NULL; + sss_sifp_object *out = NULL; + struct { + const char *name; + const char *value; + } props[] = {{"name", name}, {"a1", "a"}, {"a2", "b"}, {NULL, 0}}; + int i; + + + msg_path = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN); + assert_non_null(msg_path); + + msg_props = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN); + assert_non_null(msg_props); + + /* prepare message */ + bret = dbus_message_append_args(msg_path, DBUS_TYPE_OBJECT_PATH, &in, + DBUS_TYPE_INVALID); + assert_true(bret); + + dbus_message_iter_init_append(msg_props, &iter); + + bret = dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, + DBUS_DICT_ENTRY_BEGIN_CHAR_AS_STRING + DBUS_TYPE_STRING_AS_STRING + DBUS_TYPE_VARIANT_AS_STRING + DBUS_DICT_ENTRY_END_CHAR_AS_STRING, + &array_iter); + assert_true(bret); + + for (i = 0; props[i].name != NULL; i++) { + bret = dbus_message_iter_open_container(&array_iter, + DBUS_TYPE_DICT_ENTRY, + NULL, &dict_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&dict_iter, DBUS_TYPE_STRING, + &props[i].name); + assert_true(bret); + + bret = dbus_message_iter_open_container(&dict_iter, DBUS_TYPE_VARIANT, + DBUS_TYPE_STRING_AS_STRING, + &var_iter); + assert_true(bret); + + bret = dbus_message_iter_append_basic(&var_iter, DBUS_TYPE_STRING, + &props[i].value); + assert_true(bret); + + bret = dbus_message_iter_close_container(&dict_iter, &var_iter); + assert_true(bret); + + bret = dbus_message_iter_close_container(&array_iter, &dict_iter); + assert_true(bret); + } + + bret = dbus_message_iter_close_container(&iter, &array_iter); + assert_true(bret); + + will_return(__wrap_dbus_connection_send_with_reply_and_block, msg_path); + will_return(__wrap_dbus_connection_send_with_reply_and_block, 
msg_props); + + /* test */ + ret = sss_sifp_fetch_domain_by_name(ctx, name, &out); + assert_int_equal(ret, SSS_SIFP_OK); + assert_non_null(out); + assert_non_null(out->attrs); + assert_non_null(out->name); + assert_non_null(out->object_path); + assert_non_null(out->interface); + + assert_string_equal(out->name, name); + assert_string_equal(out->object_path, in); + assert_string_equal(out->interface, IFACE_IFP_DOMAINS); + + for (i = 0; props[i].name != NULL; i++) { + assert_non_null(out->attrs[i]); + assert_int_equal(out->attrs[i]->num_values, 1); + assert_int_equal(out->attrs[i]->type, SSS_SIFP_ATTR_TYPE_STRING); + assert_string_equal(out->attrs[i]->name, props[i].name); + + ret = sss_sifp_find_attr_as_string(out->attrs, props[i].name, &prop); + assert_int_equal(ret, SSS_SIFP_OK); + assert_string_equal(props[i].value, prop); + } + + assert_null(out->attrs[i]); + + sss_sifp_free_object(ctx, &out); + assert_null(out); + + /* messages are unreferenced in the library */ +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_sss_sifp_strdup_valid, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_strdup_null, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_strcat_valid, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_strcat_left_null, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_strcat_right_null, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_strcat_both_null, + test_setup, test_teardown_parser), + 
cmocka_unit_test_setup_teardown(test_sss_sifp_parse_object_path_valid, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_object_path_invalid, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_object_path_list_valid, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_object_path_list_invalid, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_bool, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int16, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint16, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int32, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint32, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int64, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint64, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_string, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_object_path, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_string_dict, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_bool_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_bool_array_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int32_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int32_array_empty, + test_setup, test_teardown_parser), + 
cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint32_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint32_array_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int64_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_int64_array_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint64_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_uint64_array_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_string_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_string_array_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_object_path_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_object_path_array_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_string_dict_array, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_list, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_parse_attr_list_empty, + test_setup, test_teardown_parser), + cmocka_unit_test_setup_teardown(test_sss_sifp_fetch_attr, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_fetch_all_attrs, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_fetch_object, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_invoke_list_zeroargs, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_invoke_list_withargs, + test_setup, test_teardown_api), + 
cmocka_unit_test_setup_teardown(test_sss_sifp_invoke_find_zeroargs, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_invoke_find_withargs, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_list_domains, + test_setup, test_teardown_api), + cmocka_unit_test_setup_teardown(test_sss_sifp_fetch_domain_by_name, + test_setup, test_teardown_api), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + + return rv; +} diff --git a/src/tests/cmocka/test_sss_ssh.c b/src/tests/cmocka/test_sss_ssh.c new file mode 100644 index 0000000..10e1af7 --- /dev/null +++ b/src/tests/cmocka/test_sss_ssh.c 
@@ -0,0 +1,100 @@ +/* + Authors: + Pavel Reichl + + Copyright (C) 2014 Red Hat + + Test for the NSS Responder ID-SID mapping interface + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/sss_ssh.h" +#include "tests/cmocka/common_mock.h" +#include "test_utils.h" + +uint8_t key_data_noLF[] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfymad64oZkWa6q3xLXmCt/LfCRnd6yZSDp7UK6Irx5/Dv69dEKK2kBGL9Wfn+3ZDa6ov2XZrBmUthh8KOJvTw72+axox3kcJ5HwOYZCMeKbcr10RNScGuHErA1HhjTY6M9L8d0atVH2QIxw7ZHoVVnTHC4U4+541YfJkNUiOUIj65cFFZm9ULp32ZPrK+j2wW+XZkHhrZeFMlg4x4fe5FocO6ik1eqLxBejo7tMy+1m3R2a795AIguf6vNWeE5aNMd4pcmPcZHb3JOq3ItzE/3lepXD/3wqMt36EqNykBVE7aJj+LVkcEgjP9CDDsg9j9NB+AuWYmIYqrHW/Rg/vJ developer@sssd.dev.work"; + +uint8_t key_data_LF[] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfymad64oZkWa6q3xLXmCt/LfCRnd6yZSDp7UK6Irx5/Dv69dEKK2kBGL9Wfn+3ZDa6ov2XZrBmUthh8KOJvTw72+axox3kcJ5HwOYZCMeKbcr10RNScGuHErA1HhjTY6M9L8d0atVH2QIxw7ZHoVVnTHC4U4+541YfJkNUiOUIj65cFFZm9ULp32ZPrK+j2wW+XZkHhrZeFMlg4x4fe5FocO6ik1eqLxBejo7tMy+1m3R2a795AIguf6vNWeE5aNMd4pcmPcZHb3JOq3ItzE/3lepXD/3wqMt36EqNykBVE7aJj+LVkcEgjP9CDDsg9j9NB+AuWYmIYqrHW/Rg/vJ developer@sssd.dev.work\n"; + +uint8_t key_data_LFLF[] = "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDfymad64oZkWa6q3xLXmCt/LfCRnd6yZSDp7UK6Irx5/Dv69dEKK2kBGL9Wfn+3ZDa6ov2XZrBmUthh8KOJvTw72+axox3kcJ5HwOYZCMeKbcr10RNScGuHErA1HhjTY6M9L8d0atVH2QIxw7ZHoVVnTHC4U4+541YfJkNUiOUIj65cFFZm9ULp32ZPrK+j2wW+XZkHhrZeFMlg4x4fe5FocO6ik1eqLxBejo7tMy+1m3R2a795AIguf6vNWeE5aNMd4pcmPcZHb3JOq3ItzE/3lepXD/3wqMt36EqNykBVE7aJj+LVkcEgjP9CDDsg9j9NB+AuWYmIYqrHW/Rg/vJ developer@sssd.dev.work\n\n"; + +uint8_t key_data_CRLF[] = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfymad64oZkWa6q3xLXmCt/LfCRnd6yZSDp7UK6Irx5/Dv69dEKK2kBGL9Wfn+3ZDa6ov2XZrBmUthh8KOJvTw72+axox3kcJ5HwOYZCMeKbcr10RNScGuHErA1HhjTY6M9L8d0atVH2QIxw7ZHoVVnTHC4U4+541YfJkNUiOUIj65cFFZm9ULp32ZPrK+j2wW+XZkHhrZeFMlg4x4fe5FocO6ik1eqLxBejo7tMy+1m3R2a795AIguf6vNWeE5aNMd4pcmPcZHb3JOq3ItzE/3lepXD/3wqMt36EqNykBVE7aJj+LVkcEgjP9CDDsg9j9NB+AuWYmIYqrHW/Rg/vJ developer@sssd.dev.work\r\n"; + +uint8_t key_data_CR_somewhere[] = "ssh-rsa AA\rAAB3NzaC1yc2EAAAADAQABAAABAQDfymad64oZkWa6q3xLXmCt/LfCRnd6yZSDp7UK6Irx5/Dv69dEKK2kBGL9Wf+3ZDa6ov2XZrBmUthh8KOJvTw72+axox3kcJ5HwOYZCMeKbcr10RNScGuHErA1HhjTY6M9L8d0atVH2QIxw7ZHoVVnTHC4U4+541YfJkNUiOUIj65cFFZm9ULp32ZPrK+j2wW+XZkHhrZeFMlg4x4fe5FocO6ik1eqLxBejo7tMy+1m3R2a795AIguf6vNWeE5aNMd4pcmPcZHb3JOq3ItzE/3lepXD/3wqMt36EqNykBVE7aJj+LVkcEgjP9CDDsg9j9NB+AuWYmIYqrHW/Rg/vJ developer@sssd.dev.work\n"; + +void test_textual_public_key(void **state) +{ + TALLOC_CTX *mem_ctx; + errno_t ret; + char *res; + + struct sss_ssh_pubkey pkey_null_terminated = { + .data = key_data_noLF, + .data_len = sizeof(key_data_noLF) + }; + + struct sss_ssh_pubkey pkey = { + .data = key_data_noLF, + .data_len = sizeof(key_data_noLF) - 1 /* ignore trailling '\0' */ + }; + + struct sss_ssh_pubkey pkey_LF = { + .data = key_data_LF, + .data_len = sizeof(key_data_LF) - 1 /* ignore trailling '\0' */ + }; + + struct sss_ssh_pubkey pkey_LFLF = { + .data = key_data_LFLF, + .data_len = sizeof(key_data_LFLF) - 1 /* ignore trailling '\0' */ + }; + + struct sss_ssh_pubkey pkey_CRLF = { + .data = key_data_CRLF, + .data_len = 
sizeof(key_data_CRLF) - 1 /* ignore trailling '\0' */ + }; + + struct sss_ssh_pubkey pkey_CR_somewhere = { + .data = key_data_CR_somewhere, + .data_len = sizeof(key_data_CR_somewhere) - 1 /* ignore traill. '\0' */ + }; + + mem_ctx = talloc_new(NULL); + assert_non_null(mem_ctx); + check_leaks_push(mem_ctx); + + ret = sss_ssh_format_pubkey(mem_ctx, &pkey, &res); + assert_int_equal(ret, EOK); + talloc_free(res); + + ret = sss_ssh_format_pubkey(mem_ctx, &pkey_LF, &res); + assert_int_equal(ret, EOK); + talloc_free(res); + + ret = sss_ssh_format_pubkey(mem_ctx, &pkey_LFLF, &res); + assert_int_equal(ret, EINVAL); + + ret = sss_ssh_format_pubkey(mem_ctx, &pkey_null_terminated, &res); + assert_int_equal(ret, EINVAL); + + ret = sss_ssh_format_pubkey(mem_ctx, &pkey_CRLF, &res); + assert_int_equal(ret, EINVAL); + + ret = sss_ssh_format_pubkey(mem_ctx, &pkey_CR_somewhere, &res); + assert_int_equal(ret, EINVAL); + + assert_true(check_leaks_pop(mem_ctx) == true); + talloc_free(mem_ctx); +} diff --git a/src/tests/cmocka/test_sssd_krb5_localauth_plugin.c b/src/tests/cmocka/test_sssd_krb5_localauth_plugin.c new file mode 100644 index 0000000..d75bef3 --- /dev/null +++ b/src/tests/cmocka/test_sssd_krb5_localauth_plugin.c 
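Review bot: The two success cases in test_textual_public_key only assert `ret == EOK` and free `res` without inspecting it, so the test would still pass if the formatted key kept the trailing line feed from `pkey_LF`. The CR, CRLF and double-LF inputs are rejected here, so the accepted output should be pinned too, for example `assert_null(strchr(res, '\n'));` before each `talloc_free(res);`. That assumes sss_ssh_format_pubkey is meant to strip the single trailing LF; if it is meant to keep it, assert that instead. The file header comment still reads "Test for the NSS Responder ID-SID mapping interface", which does not describe this test.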
@@ -0,0 +1,197 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2017 Red Hat + + Test for the MIT Kerberos localauth plugin + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "tests/cmocka/common_mock.h" + +struct _nss_sss_getpwnam_r_test_data { + uid_t uid; + const char *name; + enum nss_status status; +}; + +enum nss_status _nss_sss_getpwnam_r(const char *name, struct passwd *result, + char *buffer, size_t buflen, int *errnop) +{ + struct _nss_sss_getpwnam_r_test_data *test_data; + + assert_non_null(name); + assert_non_null(result); + assert_non_null(buffer); + assert_int_not_equal(buflen, 0); + assert_non_null(errnop); + + test_data = sss_mock_ptr_type(struct _nss_sss_getpwnam_r_test_data *); + + result->pw_uid = test_data->uid; + if (test_data->name != NULL) { + assert_true(buflen > strlen(test_data->name)); + strncpy(buffer, test_data->name, buflen); + result->pw_name = buffer; + } + + return test_data->status; +} + +krb5_error_code +localauth_sssd_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +void test_localauth_sssd_initvt(void **state) +{ + krb5_error_code kerr; + struct krb5_localauth_vtable_st vtable = { 0 }; + + kerr = localauth_sssd_initvt(NULL, 0, 0, (krb5_plugin_vtable) &vtable); + assert_int_equal(kerr, KRB5_PLUGIN_VER_NOTSUPP); + + kerr = 
localauth_sssd_initvt(NULL, 1, 1, (krb5_plugin_vtable) &vtable); + assert_int_equal(kerr, 0); + assert_string_equal(vtable.name, "sssd"); + assert_null(vtable.init); + assert_null(vtable.fini); + assert_non_null(vtable.an2ln); + assert_non_null(vtable.userok); + assert_non_null(vtable.free_string); +} + +void test_sss_userok(void **state) +{ + krb5_error_code kerr; + struct krb5_localauth_vtable_st vtable = { 0 }; + krb5_context krb5_ctx; + krb5_principal princ; + size_t c; + + struct test_data { + struct _nss_sss_getpwnam_r_test_data d1; + struct _nss_sss_getpwnam_r_test_data d2; + krb5_error_code kerr; + } test_data[] = { + {{ 1234, NULL, NSS_STATUS_SUCCESS}, { 1234, NULL, NSS_STATUS_SUCCESS}, + 0}, + /* second _nss_sss_getpwnam_r() is never called because the first one + * already returned an error */ + {{ 1234, NULL, NSS_STATUS_NOTFOUND}, { 0, NULL, 0}, + KRB5_PLUGIN_NO_HANDLE}, + {{ 1234, NULL, NSS_STATUS_SUCCESS}, { 1234, NULL, NSS_STATUS_NOTFOUND}, + KRB5_PLUGIN_NO_HANDLE}, + {{ 1234, NULL, NSS_STATUS_SUCCESS}, { 4321, NULL, NSS_STATUS_SUCCESS}, + KRB5_PLUGIN_NO_HANDLE}, + /* second _nss_sss_getpwnam_r() is never called because the first one + * already returned an error */ + {{ 1234, NULL, NSS_STATUS_UNAVAIL}, { 0, NULL, 0}, + KRB5_PLUGIN_NO_HANDLE}, + {{ 1234, NULL, NSS_STATUS_SUCCESS}, { 1234, NULL, NSS_STATUS_TRYAGAIN}, + KRB5_PLUGIN_NO_HANDLE}, + {{ 0, NULL, 0 }, {0 , NULL, 0}, 0} + }; + + kerr = krb5_init_context(&krb5_ctx); + assert_int_equal(kerr, 0); + + kerr = localauth_sssd_initvt(krb5_ctx, 1, 1, (krb5_plugin_vtable) &vtable); + assert_int_equal(kerr, 0); + + kerr = krb5_parse_name(krb5_ctx, "name@REALM", &princ); + assert_int_equal(kerr, 0); + + + for (c = 0; test_data[c].d1.uid != 0; c++) { + will_return(_nss_sss_getpwnam_r, &test_data[c].d1); + if (test_data[c].d2.uid != 0) { + will_return(_nss_sss_getpwnam_r, &test_data[c].d2); + } + kerr = vtable.userok(krb5_ctx, NULL, princ, "name"); + assert_int_equal(kerr, test_data[c].kerr); + } + + 
krb5_free_principal(krb5_ctx, princ); + krb5_free_context(krb5_ctx); +} + +void test_sss_an2ln(void **state) +{ + krb5_error_code kerr; + struct krb5_localauth_vtable_st vtable = { 0 }; + krb5_context krb5_ctx; + krb5_principal princ; + size_t c; + char *lname; + + struct test_data { + struct _nss_sss_getpwnam_r_test_data d; + krb5_error_code kerr; + } test_data[] = { + { { 0, "my_name", NSS_STATUS_SUCCESS}, 0}, + { { 0, "my_name", NSS_STATUS_NOTFOUND}, KRB5_LNAME_NOTRANS}, + { { 0, "my_name", NSS_STATUS_UNAVAIL}, EIO}, + { { 0, NULL, 0 } , 0} + }; + + kerr = krb5_init_context(&krb5_ctx); + assert_int_equal(kerr, 0); + + kerr = localauth_sssd_initvt(krb5_ctx, 1, 1, (krb5_plugin_vtable) &vtable); + assert_int_equal(kerr, 0); + + kerr = krb5_parse_name(krb5_ctx, "name@REALM", &princ); + assert_int_equal(kerr, 0); + + + for (c = 0; test_data[c].d.name != NULL; c++) { + will_return(_nss_sss_getpwnam_r, &test_data[c].d); + kerr = vtable.an2ln(krb5_ctx, NULL, NULL, NULL, princ, &lname); + assert_int_equal(kerr, test_data[c].kerr); + if (kerr == 0) { + assert_string_equal(lname, test_data[c].d.name); + vtable.free_string(krb5_ctx, NULL, lname); + } + } + + krb5_free_principal(krb5_ctx, princ); + krb5_free_context(krb5_ctx); +} + +int main(int argc, const char *argv[]) +{ + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_localauth_sssd_initvt), + cmocka_unit_test(test_sss_userok), + cmocka_unit_test(test_sss_an2ln), + }; + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_sssd_krb5_locator_plugin.c b/src/tests/cmocka/test_sssd_krb5_locator_plugin.c new file mode 100644 index 0000000..3e7d006 --- /dev/null +++ b/src/tests/cmocka/test_sssd_krb5_locator_plugin.c 
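Review bot: In test_sss_userok, uid 0 serves both as the table terminator (`test_data[c].d1.uid != 0`) and as the marker for "second lookup not queued" (`test_data[c].d2.uid != 0`), so no row can cover a lookup that resolves to uid 0. A row with `d1.uid == 0` would also silently end the loop early. Bounding the loop by the array size and keying the second `will_return` on the first status would remove that overloading: `for (c = 0; c < sizeof(test_data) / sizeof(test_data[0]); c++) {` and `if (test_data[c].d1.status == NSS_STATUS_SUCCESS) {`, with the all-zero terminator row dropped. This matches the existing comment that the second `_nss_sss_getpwnam_r()` is skipped only when the first call returned an error.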
@@ -0,0 +1,631 @@ +/* + SSSD + + Unit test for SSSD's MIT Kerberos locator plugin + + Authors: + Sumit Bose + + Copyright (C) 2018 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" + +#define TEST_REALM "TEST.REALM" +#define TEST_IP_1 "123.231.132.213" +#define TEST_IPV6_1_PURE "7025:4d2d:2b06:e321:d971:16c0:6eeb:cc41" +#define TEST_IPV6_1 "["TEST_IPV6_1_PURE"]" +#define TEST_SERVICE_1 "22334" +#define TEST_SERVICE_2 "54321" +#define TEST_IP_1_WITH_SERVICE TEST_IP_1":"TEST_SERVICE_1 +#define TEST_IPV6_1_WITH_SERVICE TEST_IPV6_1":"TEST_SERVICE_2 + +struct test_state { + void *dummy; +}; + +static int setup(void **state) +{ + struct test_state *ts = NULL; + + assert_true(leak_check_setup()); + + ts = talloc(global_talloc_context, struct test_state); + assert_non_null(ts); + + check_leaks_push(ts); + *state = (void *)ts; + + unlink(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM); + rmdir(TEST_PUBCONF_PATH); + + return 0; +} + +static int teardown(void **state) +{ + struct test_state *ts = talloc_get_type_abort(*state, struct test_state); + + assert_non_null(ts); + + assert_true(check_leaks_pop(ts)); + talloc_free(ts); + assert_true(leak_check_teardown()); + return 0; +} + +/* Taken from MIT Kerberos src/lib/krb5/os/locate_kdc.c and + * lib/krb5/os/os-proto.h */ + 
+typedef enum { + TCP_OR_UDP = 0, + TCP, + UDP, + HTTPS, +} k5_transport; + +/* A single server hostname or address. */ +struct server_entry { + char *hostname; /* NULL -> use addrlen/addr instead */ + int port; /* Used only if hostname set */ + k5_transport transport; /* May be 0 for UDP/TCP if hostname set */ + char *uri_path; /* Used only if transport is HTTPS */ + int family; /* May be 0 (aka AF_UNSPEC) if hostname set */ + int master; /* True, false, or -1 for unknown. */ + size_t addrlen; + struct sockaddr_storage addr; +}; + +/* A list of server hostnames/addresses. */ +struct serverlist { + struct server_entry *servers; + size_t nservers; +}; +#define SERVERLIST_INIT { NULL, 0 } + +/* Free up everything pointed to by the serverlist structure, but don't + * * free the structure itself. */ +void +k5_free_serverlist (struct serverlist *list) +{ + size_t i; + + for (i = 0; i < list->nservers; i++) { + free(list->servers[i].hostname); + free(list->servers[i].uri_path); + } + free(list->servers); + list->servers = NULL; + list->nservers = 0; +} + +/* Make room for a new server entry in list and return a pointer to the new + * entry. (Do not increment list->nservers.) */ +static struct server_entry * +new_server_entry(struct serverlist *list) +{ + struct server_entry *newservers, *entry; + size_t newspace = (list->nservers + 1) * sizeof(struct server_entry); + + newservers = realloc(list->servers, newspace); + if (newservers == NULL) + return NULL; + list->servers = newservers; + entry = &newservers[list->nservers]; + memset(entry, 0, sizeof(*entry)); + entry->master = -1; + return entry; +} + +/* Add an address entry to list. 
*/ +static int +add_addr_to_list(struct serverlist *list, k5_transport transport, int family, + size_t addrlen, struct sockaddr *addr) +{ + struct server_entry *entry; + + entry = new_server_entry(list); + if (entry == NULL) + return ENOMEM; + entry->transport = transport; + entry->family = family; + entry->hostname = NULL; + entry->uri_path = NULL; + entry->addrlen = addrlen; + memcpy(&entry->addr, addr, addrlen); + list->nservers++; + return 0; +} + +struct module_callback_data { + int out_of_mem; + struct serverlist *list; +}; + +static int +module_callback(void *cbdata, int socktype, struct sockaddr *sa) +{ + struct module_callback_data *d = cbdata; + size_t addrlen; + k5_transport transport; + + if (socktype != SOCK_STREAM && socktype != SOCK_DGRAM) + return 0; + if (sa->sa_family == AF_INET) + addrlen = sizeof(struct sockaddr_in); + else if (sa->sa_family == AF_INET6) + addrlen = sizeof(struct sockaddr_in6); + else + return 0; + transport = (socktype == SOCK_STREAM) ? TCP : UDP; + if (add_addr_to_list(d->list, transport, sa->sa_family, addrlen, + sa) != 0) { + /* Assumes only error is ENOMEM. 
*/ + d->out_of_mem = 1; + return 1; + } + return 0; +} + +krb5_error_code sssd_krb5_locator_init(krb5_context context, + void **private_data); +void sssd_krb5_locator_close(void *private_data); + +krb5_error_code sssd_krb5_locator_lookup(void *private_data, + enum locate_service_type svc, + const char *realm, + int socktype, + int family, + int (*cbfunc)(void *, int, struct sockaddr *), + void *cbdata); + +void test_init(void **state) +{ + krb5_context ctx; + krb5_error_code kerr; + void *priv; + + kerr = krb5_init_context (&ctx); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_init(ctx, &priv); + assert_int_equal(kerr, 0); + + sssd_krb5_locator_close(priv); + + krb5_free_context(ctx); +} + +void test_failed_lookup(void **state) +{ + krb5_context ctx; + krb5_error_code kerr; + void *priv; + struct module_callback_data cbdata = { 0 }; + + + kerr = krb5_init_context (&ctx); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_init(ctx, &priv); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_lookup(NULL, -1, NULL, -1, -1, NULL, NULL); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, -1, NULL, -1, -1, NULL, NULL); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , NULL, -1, -1, + NULL, NULL); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, -1, + -1, NULL, NULL); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, -1, NULL, NULL); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, NULL, NULL); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, module_callback, + NULL); + assert_int_equal(kerr, 
KRB5_PLUGIN_NO_HANDLE); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, module_callback, + &cbdata); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + + sssd_krb5_locator_close(priv); + + krb5_free_context(ctx); +} + +void test_empty(void **state) +{ + krb5_context ctx; + krb5_error_code kerr; + void *priv; + int fd; + struct module_callback_data cbdata = { 0 }; + + kerr = krb5_init_context (&ctx); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_init(ctx, &priv); + assert_int_equal(kerr, 0); + + mkdir(TEST_PUBCONF_PATH, 0777); + fd = open(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM, O_CREAT, 0777); + assert_int_not_equal(fd, -1); + close(fd); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, module_callback, + &cbdata); + assert_int_equal(kerr, KRB5_PLUGIN_NO_HANDLE); + unlink(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM); + rmdir(TEST_PUBCONF_PATH); + + sssd_krb5_locator_close(priv); + + krb5_free_context(ctx); +} + +void test_single(void **state) +{ + krb5_context ctx; + krb5_error_code kerr; + void *priv; + int fd; + struct serverlist list = SERVERLIST_INIT; + struct module_callback_data cbdata = { 0 }; + ssize_t s; + int ret; + char host[NI_MAXHOST]; + char service[NI_MAXSERV]; + + cbdata.list = &list; + + kerr = krb5_init_context (&ctx); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_init(ctx, &priv); + assert_int_equal(kerr, 0); + + mkdir(TEST_PUBCONF_PATH, 0777); + fd = open(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM, O_CREAT|O_RDWR, 0777); + assert_int_not_equal(fd, -1); + s = write(fd, TEST_IP_1, sizeof(TEST_IP_1)); + assert_int_equal(s, sizeof(TEST_IP_1)); + close(fd); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + + /* We asked for AF_INET6, but TEST_IP_1 is IPv4 */ + assert_int_equal(list.nservers, 0); + assert_null(list.servers); + + 
kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + assert_int_equal(list.nservers, 1); + assert_non_null(list.servers); + assert_int_equal(list.servers[0].addrlen, 16); + ret = getnameinfo((struct sockaddr *) &list.servers[0].addr, + list.servers[0].addrlen, + host, sizeof(host), service, sizeof(service), + NI_NUMERICHOST|NI_NUMERICSERV); + assert_int_equal(ret, 0); + assert_string_equal(TEST_IP_1, host); + assert_string_equal("88", service); + + k5_free_serverlist(&list); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_UNSPEC, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + assert_int_equal(list.nservers, 1); + assert_non_null(list.servers); + assert_int_equal(list.servers[0].addrlen, 16); + ret = getnameinfo((struct sockaddr *) &list.servers[0].addr, + list.servers[0].addrlen, + host, sizeof(host), service, sizeof(service), + NI_NUMERICHOST|NI_NUMERICSERV); + assert_int_equal(ret, 0); + assert_string_equal(TEST_IP_1, host); + assert_string_equal("88", service); + + k5_free_serverlist(&list); + + unlink(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM); + rmdir(TEST_PUBCONF_PATH); + sssd_krb5_locator_close(priv); + + krb5_free_context(ctx); +} + +struct test_data { + const char *ip; + bool found; +}; + +void test_multi_check_results(struct test_data *test_data, + struct serverlist *list, + const char *exp_service) +{ + int ret; + char host[NI_MAXHOST]; + char service[NI_MAXSERV]; + size_t c; + size_t d; + + /* To make sure each result from list has a matching entry in test_data we + * use a flag to mark found entries, this way we can properly detect is + * the same address is used multiple times. 
*/ + for (d = 0; test_data[d].ip != NULL; d++) { + test_data[d].found = false; + } + + for (c = 0; c < list->nservers; c++) { + ret = getnameinfo((struct sockaddr *) &list->servers[c].addr, + list->servers[c].addrlen, + host, sizeof(host), service, sizeof(service), + NI_NUMERICHOST|NI_NUMERICSERV); + assert_int_equal(ret, 0); + assert_string_equal(exp_service, service); + for (d = 0; test_data[d].ip != NULL; d++) { + /* Compare result with test_data, be aware that the test_data has + * '[]' around IPv& addresses */ + if (strncmp(host, + test_data[d].ip + (test_data[d].ip[0] == '[' ? 1 : 0), + strlen(host)) == 0 && !test_data[d].found) { + test_data[d].found = true; + break; + } + } + /* Make sure we found the result in the list */ + assert_non_null(test_data[d].ip); + } +} + +void test_multi(void **state) +{ + krb5_context ctx; + krb5_error_code kerr; + void *priv; + int fd; + struct serverlist list = SERVERLIST_INIT; + struct module_callback_data cbdata = { 0 }; + ssize_t s; + size_t c; + struct test_data test_data[] = { + {TEST_IP_1, false}, + {TEST_IPV6_1, false}, + {"[c89a:565b:4510:5b9f:41fe:ea81:87a0:f21b]", false}, + {"155.42.66.53", false}, + {"[f812:5941:ba69:2bae:e806:3b68:770d:d75e]", false}, + {"[3ad3:9dda:50e4:3c82:548f:eaa1:e120:6dd]", false}, + {"55.116.79.183", false}, + {"[ce8a:ee99:98cd:d8cd:218d:393e:d5a9:dc52]", false}, + /* the following address is added twice to check if + * an address can be added more than once. 
*/ + {"37.230.88.162", false}, + {"37.230.88.162", false}, + {NULL, false} }; + + cbdata.list = &list; + + kerr = krb5_init_context (&ctx); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_init(ctx, &priv); + assert_int_equal(kerr, 0); + + mkdir(TEST_PUBCONF_PATH, 0777); + fd = open(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM, O_CREAT|O_RDWR, 0777); + assert_int_not_equal(fd, -1); + for (c = 0; test_data[c].ip != NULL; c++) { + s = write(fd, test_data[c].ip, strlen(test_data[c].ip)); + assert_int_equal(s, strlen(test_data[c].ip)); + s = write(fd, "\n", 1); + assert_int_equal(s, 1); + } + close(fd); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + + assert_int_equal(list.nservers, 5); + assert_non_null(list.servers); + test_multi_check_results(test_data, &list, "88"); + + k5_free_serverlist(&list); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + + assert_int_equal(list.nservers, 5); + assert_non_null(list.servers); + test_multi_check_results(test_data, &list, "88"); + + + k5_free_serverlist(&list); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_UNSPEC, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + + assert_int_equal(list.nservers, 10); + assert_non_null(list.servers); + test_multi_check_results(test_data, &list, "88"); + + k5_free_serverlist(&list); + + unlink(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM); + rmdir(TEST_PUBCONF_PATH); + sssd_krb5_locator_close(priv); + + krb5_free_context(ctx); +} + +void test_service(void **state) +{ + krb5_context ctx; + krb5_error_code kerr; + void *priv; + int fd; + struct serverlist list = SERVERLIST_INIT; + struct module_callback_data cbdata = { 0 }; + ssize_t s; + int ret; + char host[NI_MAXHOST]; + char service[NI_MAXSERV]; + + cbdata.list = &list; + + 
kerr = krb5_init_context (&ctx); + assert_int_equal(kerr, 0); + + kerr = sssd_krb5_locator_init(ctx, &priv); + assert_int_equal(kerr, 0); + + mkdir(TEST_PUBCONF_PATH, 0777); + fd = open(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM, O_CREAT|O_RDWR, 0777); + assert_int_not_equal(fd, -1); + s = write(fd, TEST_IP_1_WITH_SERVICE, sizeof(TEST_IP_1_WITH_SERVICE)); + assert_int_equal(s, sizeof(TEST_IP_1_WITH_SERVICE)); + s = write(fd, "\n", 1); + assert_int_equal(s, 1); + s = write(fd, TEST_IPV6_1_WITH_SERVICE, sizeof(TEST_IPV6_1_WITH_SERVICE)); + assert_int_equal(s, sizeof(TEST_IPV6_1_WITH_SERVICE)); + close(fd); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET6, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + + assert_int_equal(list.nservers, 1); + assert_non_null(list.servers); + ret = getnameinfo((struct sockaddr *) &list.servers[0].addr, + list.servers[0].addrlen, + host, sizeof(host), service, sizeof(service), + NI_NUMERICHOST|NI_NUMERICSERV); + assert_int_equal(ret, 0); + assert_string_equal(TEST_IPV6_1_PURE, host); + assert_string_equal(TEST_SERVICE_2, service); + + k5_free_serverlist(&list); + + kerr = sssd_krb5_locator_lookup(priv, locate_service_kdc , TEST_REALM, + SOCK_DGRAM, AF_INET, module_callback, + &cbdata); + assert_int_equal(kerr, 0); + assert_int_equal(list.nservers, 1); + assert_non_null(list.servers); + ret = getnameinfo((struct sockaddr *) &list.servers[0].addr, + list.servers[0].addrlen, + host, sizeof(host), service, sizeof(service), + NI_NUMERICHOST|NI_NUMERICSERV); + assert_int_equal(ret, 0); + assert_string_equal(TEST_IP_1, host); + assert_string_equal(TEST_SERVICE_1, service); + + k5_free_serverlist(&list); + + + unlink(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM); + rmdir(TEST_PUBCONF_PATH); + sssd_krb5_locator_close(priv); + + krb5_free_context(ctx); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int ret; + struct poptOption long_options[] = { + POPT_AUTOHELP + 
SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_init, + setup, teardown), + cmocka_unit_test_setup_teardown(test_failed_lookup, + setup, teardown), + cmocka_unit_test_setup_teardown(test_empty, + setup, teardown), + cmocka_unit_test_setup_teardown(test_single, + setup, teardown), + cmocka_unit_test_setup_teardown(test_multi, + setup, teardown), + cmocka_unit_test_setup_teardown(test_service, + setup, teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + ret = cmocka_run_group_tests(tests, NULL, NULL); + + return ret; +} diff --git a/src/tests/cmocka/test_string_utils.c b/src/tests/cmocka/test_string_utils.c new file mode 100644 index 0000000..57e6f26 --- /dev/null +++ b/src/tests/cmocka/test_string_utils.c 
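Review bot: The kdcinfo fixture in test_empty, test_single, test_multi and test_service is created with `mkdir(TEST_PUBCONF_PATH, 0777)`, whose return value is ignored, and `open(..., O_CREAT|O_RDWR, 0777)` (plain `O_CREAT` in test_empty), so the tests silently reuse a directory or file that already exists and leave the effective mode to the umask. The lookups in these tests return the addresses written to that file, so the fixture should be private and freshly created: `assert_int_equal(mkdir(TEST_PUBCONF_PATH, 0700), 0);` and `fd = open(TEST_PUBCONF_PATH"/kdcinfo."TEST_REALM, O_CREAT|O_EXCL|O_RDWR, 0600);`. Separately, test_single and test_service pass `sizeof(TEST_IP_1)` and `sizeof(TEST_IP_1_WITH_SERVICE)` to write(), which also writes the terminating NUL into the file, whereas test_multi uses strlen(). If the embedded NUL is deliberate it deserves a comment; otherwise use `strlen()` there too.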
@@ -0,0 +1,271 @@ +/* + Authors: + Lukas Slebodnik + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "tests/cmocka/common_mock.h" + +void test_replace_whitespaces(void **state) +{ + TALLOC_CTX *mem_ctx; + const char *input_str = "Lorem ipsum dolor sit amet"; + const char *res; + size_t i; + + struct { + const char *input; + const char *output; + const char replace_char; + } data_set[] = { + { "", "", '-' }, + { " ", "-", '-' }, + { "abcd", "abcd", '-' }, + { "a b c d", "a-b-c-d", '-' }, + { " a b c d ", "-a-b-c-d-", '-' }, + { " ", "^", '^' }, + { "abcd", "abcd", '^' }, + { "a b c d", "a^b^c^d", '^' }, + { " a b c d ", "^a^b^c^d^", '^' }, + { " ", "^", '^' }, + { " ", " ", ' ' }, + { " ", " ", ' ' }, + { "abcd", "abcd", ' ' }, + { "a b c d", "a b c d", ' ' }, + { "a b^c d", "a b^c d", '^' }, + { NULL, NULL, '\0' }, + }; + + mem_ctx = talloc_new(NULL); + assert_non_null(mem_ctx); + check_leaks_push(mem_ctx); + + res = sss_replace_space(mem_ctx, input_str, '\0'); + assert_string_equal(res, input_str); + talloc_zfree(res); + + res = sss_replace_space(mem_ctx, input_str, '\0'); + assert_string_equal(res, input_str); + talloc_zfree(res); + + for (i=0; data_set[i].input != NULL; ++i) { + res = sss_replace_space(mem_ctx, data_set[i].input, + data_set[i].replace_char); + assert_non_null(res); + assert_string_equal(res, data_set[i].output); + talloc_zfree(res); 
+ } + + assert_true(check_leaks_pop(mem_ctx) == true); + talloc_free(mem_ctx); +} + +void test_reverse_replace_whitespaces(void **state) +{ + TALLOC_CTX *mem_ctx; + char *input_str = discard_const_p(char, "Lorem ipsum dolor sit amet"); + char *res; + size_t i; + + struct { + const char *input; + const char *output; + const char replace_char; + } data_set[] = { + { "", "", '-' }, + { "-", " ", '-' }, + { "----", " ", '-' }, + { "abcd", "abcd", '-' }, + { "a-b-c-d", "a b c d", '-' }, + { "-a-b-c-d-", " a b c d ", '-' }, + { "a b c d", "a b c d", '-' }, + { " a b c d ", " a b c d ", '-' }, + { "^", " ", '^' }, + { "^^^^", " ", '^' }, + { "abcd", "abcd", '^' }, + { "a^b^c^d", "a b c d", '^' }, + { "^a^b^c^d^", " a b c d ", '^' }, + { " ", " ", ' ' }, + { " ", " ", ' ' }, + { "abcd", "abcd", ' ' }, + { "a b c d", "a b c d", ' ' }, + { " a b c d ", " a b c d ", ' ' }, + { "a b^c d", "a b^c d", '^' }, + { NULL, NULL, '\0' }, + }; + + mem_ctx = talloc_new(NULL); + assert_non_null(mem_ctx); + check_leaks_push(mem_ctx); + + res = sss_reverse_replace_space(mem_ctx, input_str, '\0'); + assert_string_equal(res, input_str); + talloc_free(res); + + res = sss_reverse_replace_space(mem_ctx, input_str, '\0'); + assert_string_equal(res, input_str); + talloc_free(res); + + for (i=0; data_set[i].input != NULL; ++i) { + input_str = discard_const_p(char, data_set[i].input); + res = sss_reverse_replace_space(mem_ctx, input_str, + data_set[i].replace_char); + assert_non_null(res); + assert_string_equal(res, data_set[i].output); + talloc_zfree(res); + } + + assert_true(check_leaks_pop(mem_ctx) == true); + talloc_free(mem_ctx); +} + +void test_guid_blob_to_string_buf(void **state) +{ + int ret; + char str_buf[GUID_STR_BUF_SIZE]; + size_t c; + + /* How to get test data: + * The objectGUID attribute contains a 16byte long binary value + * representing the GUID of the object. 
This data can be converted + * manually to the string representation but it might be easier to use + * LDAP_SERVER_EXTENDED_DN_OID as described in [MS-ADST] section + * 3.1.1.3.4.1.5. This is an LDAP extended control which adds the GUID and + * the SID to the DN of an object. This can be activate with the -E + * ldapsearch option like: + * + * ldapsearch -E 1.2.840.113556.1.4.529=::MAMCAQE= .... + * + * where 'MAMCAQE=' is the base64 encoded BER sequence with the integer + * value 1 (see [MS-ADTS] for details about possible values). + * + * Btw, if you want to use the string representation of a GUID to search + * for an object in AD you have to use the GUID as the search base in the + * following form: + * + * ldapsearch b '' ... + * + * (please note that the '<' and '>' are really needed). + */ + struct test_data { + uint8_t blob[16]; + const char *guid_str; + } test_data[] = { + {{0x8d, 0x0d, 0xa8, 0xfe, 0xd5, 0xdb, 0x84, 0x4f, + 0x85, 0x74, 0x7d, 0xb0, 0x47, 0x7f, 0x96, 0x2e}, + "fea80d8d-dbd5-4f84-8574-7db0477f962e"}, + {{0x91, 0x7e, 0x2e, 0xf8, 0x4e, 0x44, 0xfa, 0x4e, + 0xb1, 0x13, 0x08, 0x98, 0x63, 0x49, 0x6c, 0xc6}, + "f82e7e91-444e-4efa-b113-089863496cc6"}, + {{0}, NULL} + }; + + ret = guid_blob_to_string_buf(NULL, str_buf, GUID_STR_BUF_SIZE); + assert_int_equal(ret, EINVAL); + + ret = guid_blob_to_string_buf((const uint8_t *) "1234567812345678", NULL, + GUID_STR_BUF_SIZE); + assert_int_equal(ret, EINVAL); + + ret = guid_blob_to_string_buf((const uint8_t *) "1234567812345678", str_buf, 0); + assert_int_equal(ret, EINVAL); + + for (c = 0; test_data[c].guid_str != NULL; c++) { + ret = guid_blob_to_string_buf(test_data[c].blob, str_buf, + sizeof(str_buf)); + assert_int_equal(ret, EOK); + assert_string_equal(test_data[c].guid_str, str_buf); + } +} + +void test_get_last_x_chars(void **state) +{ + const char *s; + + s = get_last_x_chars(NULL, 0); + assert_null(s); + + s = get_last_x_chars("abc", 0); + assert_non_null(s); + assert_string_equal(s, ""); + + s = 
get_last_x_chars("abc", 1); + assert_non_null(s); + assert_string_equal(s, "c"); + + s = get_last_x_chars("abc", 2); + assert_non_null(s); + assert_string_equal(s, "bc"); + + s = get_last_x_chars("abc", 3); + assert_non_null(s); + assert_string_equal(s, "abc"); + + s = get_last_x_chars("abc", 4); + assert_non_null(s); + assert_string_equal(s, "abc"); +} + +void test_concatenate_string_array(void **state) +{ + TALLOC_CTX *mem_ctx; + char **a1; + size_t a1_len = 2; + char **a2; + size_t a2_len = 3; + char **res; + size_t c; + + mem_ctx = talloc_new(NULL); + assert_non_null(mem_ctx); + check_leaks_push(mem_ctx); + + res = concatenate_string_array(mem_ctx, NULL, 0, NULL, 0); + assert_non_null(res); + assert_null(res[0]); + talloc_free(res); + + a1 = talloc_array(mem_ctx, char *, a1_len); + assert_non_null(a1); + for (c = 0; c < a1_len; c++) { + a1[c] = talloc_asprintf(a1, "%zu", c); + assert_non_null(a1[c]); + } + + a2 = talloc_array(mem_ctx, char *, a2_len); + assert_non_null(a2); + for (c = 0; c < a2_len; c++) { + a2[c] = talloc_asprintf(a2, "%zu", c + a1_len); + assert_non_null(a2[c]); + } + + res = concatenate_string_array(mem_ctx, a1, a1_len, a2, a2_len); + assert_non_null(res); + assert_null(res[a1_len + a2_len]); + for (c = 0; c < (a1_len + a2_len); c++) { + assert_string_equal(res[c], talloc_asprintf(res, "%zu", c)); + } + + talloc_free(res); + /* Since concatenate_string_array() uses talloc_realloc on a1 it should + * not be needed to free a1 explicitly. */ + talloc_free(a2); + + assert_true(check_leaks_pop(mem_ctx) == true); + talloc_free(mem_ctx); +} diff --git a/src/tests/cmocka/test_sysdb_certmap.c b/src/tests/cmocka/test_sysdb_certmap.c new file mode 100644 index 0000000..e78ea85 --- /dev/null +++ b/src/tests/cmocka/test_sysdb_certmap.c 
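Review bot: test_guid_blob_to_string_buf checks a NULL blob, a NULL buffer and a zero length, but never a buffer that is non-zero yet too small, which is the case where a missing bounds check would write past `str_buf`. Adding `ret = guid_blob_to_string_buf(test_data[0].blob, str_buf, GUID_STR_BUF_SIZE - 1);` followed by `assert_int_equal(ret, EINVAL);` would cover that boundary. The expected code is assumed to be EINVAL, as in the other rejected calls, and should be confirmed against the implementation. In test_replace_whitespaces and test_reverse_replace_whitespaces the call with `'\0'` as the replacement character is made twice with identical arguments; if a second variant was intended it is missing, otherwise one of each pair can go.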
@@ -0,0 +1,261 @@ +/* + SSSD + + sysdb_certmap - Tests for sysdb certmap related calls + + Authors: + Jakub Hrozek + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/common.h" + +#define TESTS_PATH "certmap_" BASE_FILE_STEM +#define TEST_CONF_DB "test_sysdb_certmap.ldb" +#define TEST_ID_PROVIDER "ldap" +#define TEST_DOM_NAME "certmap_test" + +struct certmap_test_ctx { + struct sss_test_ctx *tctx; +}; + +static int test_sysdb_setup(void **state) +{ + struct certmap_test_ctx *test_ctx; + struct sss_test_conf_param params[] = { + { NULL, NULL }, /* Sentinel */ + }; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, + struct certmap_test_ctx); + assert_non_null(test_ctx); + check_leaks_push(test_ctx); + + test_dom_suite_setup(TESTS_PATH); + + test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, + TEST_CONF_DB, TEST_DOM_NAME, + TEST_ID_PROVIDER, params); + assert_non_null(test_ctx->tctx); + + *state = test_ctx; + return 0; +} + +static int test_sysdb_teardown(void **state) +{ + struct certmap_test_ctx *test_ctx = + talloc_get_type(*state, struct certmap_test_ctx); + + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + talloc_free(test_ctx->tctx); + assert_true(check_leaks_pop(test_ctx)); + talloc_free(test_ctx); + 
assert_true(leak_check_teardown()); + return 0; +} + +static void test_sysdb_get_certmap_not_exists(void **state) +{ + int ret; + struct certmap_info **certmap; + bool user_name_hint; + struct certmap_test_ctx *ctctx = talloc_get_type(*state, + struct certmap_test_ctx); + + ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap, + &user_name_hint); + assert_int_equal(ret, EOK); + assert_null(certmap); +} + +static void check_certmap(struct certmap_info *m, struct certmap_info *r, + size_t exp_domains) +{ + size_t d; + + assert_non_null(r); + assert_non_null(m); + assert_string_equal(m->name, r->name); + + if (r->map_rule == NULL) { + assert_null(m->map_rule); + } else { + assert_string_equal(m->map_rule, r->map_rule); + } + + if (r->match_rule == NULL) { + assert_null(m->match_rule); + } else { + assert_string_equal(m->match_rule, r->match_rule); + } + + assert_int_equal(m->priority, r->priority); + assert_non_null(m->domains); + if (r->domains == NULL) { + assert_null(m->domains[0]); + } else { + for (d = 0; r->domains[d]; d++) { + assert_non_null(m->domains[d]); + assert_true(string_in_list(m->domains[d], discard_const(r->domains), + true)); + } + + assert_int_equal(d, exp_domains); + } + +} + +static void test_sysdb_update_certmap(void **state) +{ + int ret; + const char *domains[] = { "dom1.test", "dom2.test", "dom3.test", NULL }; + struct certmap_info map_a = { discard_const("map_a"), 11, discard_const("abc"), discard_const("def"), NULL }; + struct certmap_info map_b = { discard_const("map_b"), UINT_MAX, discard_const("abc"), NULL, domains }; + struct certmap_info *certmap_empty[] = { NULL }; + struct certmap_info *certmap_a[] = { &map_a, NULL }; + struct certmap_info *certmap_b[] = { &map_b, NULL }; + struct certmap_info *certmap_ab[] = { &map_a, &map_b, NULL }; + struct certmap_info **certmap; + struct certmap_test_ctx *ctctx = talloc_get_type(*state, + struct certmap_test_ctx); + bool user_name_hint; + + ret = sysdb_update_certmap(ctctx->tctx->sysdb, 
NULL, false); + assert_int_equal(ret, EINVAL); + + ret = sysdb_update_certmap(ctctx->tctx->sysdb, certmap_empty, false); + assert_int_equal(ret, EOK); + + ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap, + &user_name_hint); + assert_int_equal(ret, EOK); + assert_null(certmap); + + ret = sysdb_update_certmap(ctctx->tctx->sysdb, certmap_a, false); + assert_int_equal(ret, EOK); + + ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap, + &user_name_hint); + assert_int_equal(ret, EOK); + assert_false(user_name_hint); + assert_non_null(certmap); + assert_non_null(certmap[0]); + assert_string_equal(certmap[0]->name, map_a.name); + assert_string_equal(certmap[0]->map_rule, map_a.map_rule); + assert_string_equal(certmap[0]->match_rule, map_a.match_rule); + assert_int_equal(certmap[0]->priority, map_a.priority); + assert_non_null(certmap[0]->domains); + assert_null(certmap[0]->domains[0]); + assert_null(certmap[1]); + check_certmap(certmap[0], &map_a, 0); + talloc_free(certmap); + + ret = sysdb_update_certmap(ctctx->tctx->sysdb, certmap_b, true); + assert_int_equal(ret, EOK); + + ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap, + &user_name_hint); + assert_int_equal(ret, EOK); + assert_true(user_name_hint); + assert_non_null(certmap); + assert_non_null(certmap[0]); + + check_certmap(certmap[0], &map_b, 3); + assert_null(certmap[1]); + talloc_free(certmap); + + ret = sysdb_update_certmap(ctctx->tctx->sysdb, certmap_ab, false); + assert_int_equal(ret, EOK); + + ret = sysdb_get_certmap(ctctx, ctctx->tctx->sysdb, &certmap, + &user_name_hint); + assert_int_equal(ret, EOK); + assert_false(user_name_hint); + assert_non_null(certmap); + assert_non_null(certmap[0]); + assert_non_null(certmap[1]); + assert_null(certmap[2]); + if (strcmp(certmap[0]->name, "map_a") == 0) { + check_certmap(certmap[0], &map_a, 0); + check_certmap(certmap[1], &map_b, 3); + } else { + check_certmap(certmap[0], &map_b, 3); + check_certmap(certmap[1], &map_a, 0); + } + 
talloc_free(certmap); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_sysdb_get_certmap_not_exists, + test_sysdb_setup, + test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_update_certmap, + test_sysdb_setup, + test_sysdb_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, LOCAL_SYSDB_FILE); + test_dom_suite_setup(TESTS_PATH); + rv = cmocka_run_group_tests(tests, NULL, NULL); + + if (rv == 0 && no_cleanup == 0) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, LOCAL_SYSDB_FILE); + } + return rv; +} diff --git a/src/tests/cmocka/test_sysdb_domain_resolution_order.c b/src/tests/cmocka/test_sysdb_domain_resolution_order.c new file mode 100644 index 0000000..c8b22a4 --- /dev/null +++ b/src/tests/cmocka/test_sysdb_domain_resolution_order.c 
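Review bot: `check_certmap()` never verifies that the stored domain list ends where the expected one does. The loop walks `r->domains`, asserts each `m->domains[d]` is non-NULL and present in `r->domains`, then compares `d` with `exp_domains`, so a map read back from sysdb with extra trailing domains, or with one expected domain repeated, still passes. Since the domain list limits where a certificate mapping rule applies, the test should pin it exactly: add `assert_null(m->domains[d]);` right after the loop, and consider checking membership in the other direction too (each `r->domains[d]` present in `m->domains`).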
@@ -0,0 +1,190 @@
+/*
+ SSSD
+
+ sysdb_domain_resolution_order - Tests for domain resolution order calls
+
+ Authors:
+ Fabiano Fidêncio
+
+ Copyright (C) 2017 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "tests/common.h"
+#include "db/sysdb_domain_resolution_order.h"
+#include "db/sysdb_private.h" /* for sysdb->ldb member */
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_sysdb_domain_resolution_order.ldb"
+
+#define TEST_DOM_NAME "test_sysdb_domain_resolution_order"
+
+#define TEST_ID_PROVIDER "ldap"
+
+struct domain_resolution_order_test_ctx {
+ struct sss_test_ctx *tctx;
+};
+
+static int test_sysdb_domain_resolution_order_setup(void **state)
+{
+ struct domain_resolution_order_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context,
+ struct domain_resolution_order_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_dom_suite_setup(TESTS_PATH);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, TEST_DOM_NAME,
+ TEST_ID_PROVIDER, NULL);
+ assert_non_null(test_ctx->tctx);
+
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sysdb_domain_resolution_order_teardown(void **state)
+{
+ struct domain_resolution_order_test_ctx *test_ctx =
+ talloc_get_type(*state, struct domain_resolution_order_test_ctx);
+
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_sysdb_domain_resolution_order_ops(void **state)
+{
+ errno_t ret;
+ struct domain_resolution_order_test_ctx *test_ctx =
+ talloc_get_type(*state, struct domain_resolution_order_test_ctx);
+ const char *domains_in = NULL;
+ const char *domains_out = NULL;
+ struct ldb_dn *dn;
+
+ dn = sysdb_domain_dn(test_ctx, test_ctx->tctx->dom);
+ assert_non_null(dn);
+
+ /* Adding domainResolutionOrder for the first time */
+ domains_in = "foo:bar:foobar";
+ ret = sysdb_update_domain_resolution_order(test_ctx->tctx->dom->sysdb,
+ dn, domains_in);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_get_domain_resolution_order(test_ctx,
+ test_ctx->tctx->dom->sysdb, dn,
+ &domains_out);
+ assert_int_equal(ret, EOK);
+ assert_true(strcmp(domains_in, domains_out) == 0);
+
+ /* Setting the domainResolutionOrder to ":" ...
+ *
+ * It means, the domainResolutionOrder is set, but if there's another
+ * domainResolutionOrder with lower precedence those must be ignored.
+ */
+ domains_in = ":";
+ ret = sysdb_update_domain_resolution_order(test_ctx->tctx->dom->sysdb,
+ dn, domains_in);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_get_domain_resolution_order(test_ctx,
+ test_ctx->tctx->dom->sysdb, dn,
+ &domains_out);
+ assert_int_equal(ret, EOK);
+ assert_true(strcmp(domains_in, domains_out) == 0);
+
+ /* Changing the domainResolutionOrder */
+ domains_in = "bar:foobar:foo";
+ ret = sysdb_update_domain_resolution_order(test_ctx->tctx->dom->sysdb,
+ dn, domains_in);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_get_domain_resolution_order(test_ctx,
+ test_ctx->tctx->dom->sysdb, dn,
+ &domains_out);
+ assert_int_equal(ret, EOK);
+ assert_true(strcmp(domains_in, domains_out) == 0);
+
+ /* Removing the domainResolutionOrder attribute */
+ domains_in = NULL;
+ ret = sysdb_update_domain_resolution_order(test_ctx->tctx->dom->sysdb,
+ dn, domains_in);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_get_domain_resolution_order(test_ctx,
+ test_ctx->tctx->dom->sysdb, dn,
+ &domains_out);
+ assert_int_equal(ret, ENOENT);
+ assert_true(domains_out == NULL);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ int no_cleanup = 0;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0,
+ _("Do not delete the test database after a test run"), NULL },
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test_setup_teardown(test_sysdb_domain_resolution_order_ops,
+ test_sysdb_domain_resolution_order_setup,
+ test_sysdb_domain_resolution_order_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, LOCAL_SYSDB_FILE);
+ test_dom_suite_setup(TESTS_PATH);
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ if (rv == 0 && no_cleanup == 0) {
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, LOCAL_SYSDB_FILE);
+ }
+ return rv;
+}
diff --git a/src/tests/cmocka/test_sysdb_subdomains.c b/src/tests/cmocka/test_sysdb_subdomains.c
new file mode 100644
index 0000000..4f154b8
--- /dev/null
+++ b/src/tests/cmocka/test_sysdb_subdomains.c
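Review bot: In `test_sysdb_domain_resolution_order_ops()` each successful read is checked with `assert_true(strcmp(domains_in, domains_out) == 0);`, which hands `domains_out` to `strcmp()` without first establishing that it is non-NULL and reports only a boolean on mismatch. Prefer `assert_non_null(domains_out);` followed by `assert_string_equal(domains_in, domains_out);` at all three places. A getter that returns EOK without a value then fails the test cleanly instead of crashing it, and the differing strings are printed. The setup/teardown pair also has no `check_leaks_push()`/`check_leaks_pop()` around `test_ctx`, unlike the certmap test added in the same commit, so whatever the getter attaches to `test_ctx` is presumably not leak-checked.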
@@ -0,0 +1,605 @@ +/* + SSSD + + sysdb_subdomains - Tests for subdomains and related calls + + Authors: + Jakub Hrozek + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "tests/common.h" +#include "db/sysdb_private.h" /* for sysdb->ldb member */ + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_DB "test_sysdb_subdomains.ldb" + +#define TEST_DOM1_NAME "test_sysdb_subdomains_1" + +#define TEST_FLAT_NAME "TEST_1" +#define TEST_SID "S-1" +#define TEST_REALM "TEST_SYSDB_SUBDOMAINS" +#define TEST_FOREST TEST_REALM +#define TEST_ID_PROVIDER "ldap" + +#define TEST_DOM2_NAME "child2.test_sysdb_subdomains_2" +#define TEST_FLAT_NAME2 "CHILD2" +#define TEST_SID2 "S-2" +#define TEST_REALM2 "TEST_SYSDB_SUBDOMAINS2" +#define TEST_FOREST2 TEST_REALM2 + +const char *domains[] = { TEST_DOM1_NAME, + TEST_DOM2_NAME, + NULL }; + +struct subdom_test_ctx { + struct sss_test_ctx *tctx; +}; + +static int test_sysdb_subdom_setup(void **state) +{ + struct subdom_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, + struct subdom_test_ctx); + assert_non_null(test_ctx); + + test_dom_suite_setup(TESTS_PATH); + + test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH, + TEST_CONF_DB, domains, + TEST_ID_PROVIDER, NULL); + 
assert_non_null(test_ctx->tctx); + + *state = test_ctx; + return 0; +} + +static int test_sysdb_subdom_teardown(void **state) +{ + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + + test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains); + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +static void test_sysdb_subdomain_create(void **state) +{ + errno_t ret; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + + const char *const dom1[4] = { "dom1.sub", "DOM1.SUB", "dom1", "S-1" }; + const char *const dom2[4] = { "dom2.sub", "DOM2.SUB", "dom2", "S-2" }; + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + dom1[0], dom1[1], dom1[2], dom1[3], + false, false, NULL, 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + assert_non_null(test_ctx->tctx->dom->subdomains); + assert_string_equal(test_ctx->tctx->dom->subdomains->name, dom1[0]); + assert_int_equal(test_ctx->tctx->dom->subdomains->trust_direction, 0); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + dom2[0], dom2[1], dom2[2], dom2[3], + false, false, NULL, 1, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + assert_non_null(test_ctx->tctx->dom->subdomains->next); + assert_string_equal(test_ctx->tctx->dom->subdomains->next->name, dom2[0]); + assert_int_equal(test_ctx->tctx->dom->subdomains->next->trust_direction, 1); + + /* Reverse the trust directions */ + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + dom1[0], dom1[1], dom1[2], dom1[3], + false, false, NULL, 1, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + dom2[0], dom2[1], dom2[2], dom2[3], + false, false, NULL, 0, NULL); + assert_int_equal(ret, EOK); + + ret = 
sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + assert_int_equal(test_ctx->tctx->dom->subdomains->trust_direction, 1); + assert_int_equal(test_ctx->tctx->dom->subdomains->next->trust_direction, 0); + + ret = sysdb_subdomain_delete(test_ctx->tctx->sysdb, dom2[0]); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_delete(test_ctx->tctx->sysdb, dom1[0]); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + assert_int_equal(sss_domain_get_state(test_ctx->tctx->dom->subdomains), + DOM_DISABLED); + assert_int_equal( + sss_domain_get_state(test_ctx->tctx->dom->subdomains->next), + DOM_DISABLED); +} + +static void test_sysdb_master_domain_ops(void **state) +{ + errno_t ret; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + + ret = sysdb_master_domain_add_info(test_ctx->tctx->dom, + "realm1", "flat1", "id1", "forest1", + NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_master_domain_update(test_ctx->tctx->dom); + assert_int_equal(ret, EOK); + + assert_string_equal(test_ctx->tctx->dom->realm, "realm1"); + assert_string_equal(test_ctx->tctx->dom->flat_name, "flat1"); + assert_string_equal(test_ctx->tctx->dom->domain_id, "id1"); + assert_string_equal(test_ctx->tctx->dom->forest, "forest1"); + + ret = sysdb_master_domain_add_info(test_ctx->tctx->dom, + "realm2", "flat2", "id2", "forest2", + NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_master_domain_update(test_ctx->tctx->dom); + assert_int_equal(ret, EOK); + + assert_string_equal(test_ctx->tctx->dom->realm, "realm2"); + assert_string_equal(test_ctx->tctx->dom->flat_name, "flat2"); + assert_string_equal(test_ctx->tctx->dom->domain_id, "id2"); + assert_string_equal(test_ctx->tctx->dom->forest, "forest2"); +} + +/* Parent domain totally separate from subdomains that imitate + * IPA domain and two forests + */ +static void 
test_sysdb_link_forest_root_ipa(void **state) +{ + errno_t ret; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + struct sss_domain_info *main_dom; + struct sss_domain_info *sub; + struct sss_domain_info *child; + + /* name, realm, flat, SID, forest */ + const char *const dom1[5] = { "dom1.sub", "DOM1.SUB", + "DOM1", "S-1", "DOM1.SUB" }; + const char *const child_dom1[5] = { "child1.dom1.sub", "CHILD1.DOM1.SUB", + "CHILD1.DOM1", "S-1-2", "DOM1.SUB" }; + const char *const dom2[5] = { "dom2.sub", "DOM2.SUB", + "DOM2", "S-2", "DOM2.SUB" }; + const char *const child_dom2[5] = { "child2.dom2.sub", "CHILD2.DOM1.SUB", + "CHILD2.DOM1", "S-2-2", "DOM2.SUB" }; + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + dom1[0], dom1[1], dom1[2], dom1[3], + false, false, dom1[4], 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + child_dom1[0], child_dom1[1], + child_dom1[2], child_dom1[3], + false, false, child_dom1[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + dom2[0], dom2[1], dom2[2], dom2[3], + false, false, dom2[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + child_dom2[0], child_dom2[1], + child_dom2[2], child_dom2[3], + false, false, child_dom2[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + /* Also update dom2 */ + ret = sysdb_update_subdomains(test_ctx->tctx->dom->next, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + sub = find_domain_by_name(test_ctx->tctx->dom, dom1[0], true); + assert_non_null(sub->forest_root); + assert_ptr_equal(sub->forest_root, sub); + + child = find_domain_by_name(test_ctx->tctx->dom, child_dom1[0], true); + assert_non_null(child->forest_root); + assert_ptr_equal(child->forest_root, sub); + + sub = 
find_domain_by_name(test_ctx->tctx->dom, dom2[0], true); + assert_non_null(sub->forest_root); + assert_ptr_equal(sub->forest_root, sub); + + child = find_domain_by_name(test_ctx->tctx->dom, child_dom2[0], true); + assert_non_null(child->forest_root); + assert_ptr_equal(child->forest_root, sub); + + main_dom = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM1_NAME, true); + assert_non_null(main_dom); + assert_non_null(main_dom->forest_root); + assert_true(main_dom->forest_root == main_dom); + + main_dom = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM2_NAME, true); + assert_non_null(main_dom); + assert_non_null(main_dom->forest_root); + assert_true(main_dom->forest_root == main_dom); +} + +/* Parent domain is an AD forest root and there are two subdomains + * child and parallel + */ +static void test_sysdb_link_forest_root_ad(void **state) +{ + errno_t ret; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + struct sss_domain_info *main_dom; + struct sss_domain_info *sub; + struct sss_domain_info *child; + + const char *const child_dom[5] = { "child.test_sysdb_subdomains",/* name */ + "CHILD.TEST_SYSDB_SUBDOMAINS",/* realm */ + "CHILD", /* flat */ + "S-1-2", /* sid */ + TEST_FOREST }; /* forest */ + + const char *const sub_dom[5] = { "another.subdomain", /* name */ + "ANOTHER.SUBDOMAIN", /* realm */ + "ANOTHER", /* flat */ + "S-1-3", /* sid */ + TEST_FOREST }; /* forest */ + + ret = sysdb_master_domain_add_info(test_ctx->tctx->dom, + TEST_REALM, + TEST_FLAT_NAME, + TEST_SID, + TEST_FOREST, + NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + child_dom[0], child_dom[1], + child_dom[2], child_dom[3], + false, false, child_dom[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + sub_dom[0], sub_dom[1], + sub_dom[2], sub_dom[3], + false, false, sub_dom[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = 
sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + /* Also update dom2 */ + ret = sysdb_update_subdomains(test_ctx->tctx->dom->next, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + assert_non_null(test_ctx->tctx->dom->forest_root); + assert_true(test_ctx->tctx->dom->forest_root == test_ctx->tctx->dom); + assert_string_equal(test_ctx->tctx->dom->name, TEST_DOM1_NAME); + + child = find_domain_by_name(test_ctx->tctx->dom, child_dom[0], true); + assert_non_null(child->forest_root); + assert_ptr_equal(child->forest_root, test_ctx->tctx->dom); + + sub = find_domain_by_name(test_ctx->tctx->dom, sub_dom[0], true); + assert_non_null(sub->forest_root); + assert_ptr_equal(sub->forest_root, test_ctx->tctx->dom); + + /* Another separate domain is a forest of its own */ + main_dom = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM2_NAME, true); + assert_non_null(main_dom); + assert_non_null(main_dom->forest_root); + assert_true(main_dom->forest_root == main_dom); +} + +/* Parent domain is an AD member domain connected to a root domain + */ +static void test_sysdb_link_forest_member_ad(void **state) +{ + errno_t ret; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + struct sss_domain_info *main_dom; + struct sss_domain_info *sub; + struct sss_domain_info *root; + + const char *const forest_root[5] = { test_ctx->tctx->dom->name, /* name */ + TEST_FOREST, /* realm */ + TEST_FLAT_NAME, /* flat */ + TEST_SID, /* sid */ + TEST_FOREST }; /* forest */ + + const char *const child_dom[5] = { "child.test_sysdb_subdomains",/* name */ + "CHILD.TEST_SYSDB_SUBDOMAINS",/* realm */ + "CHILD", /* flat */ + "S-1-2", /* sid */ + TEST_FOREST }; /* forest */ + + const char *const sub_dom[5] = { "another.subdomain", /* name */ + "ANOTHER.SUBDOMAIN", /* realm */ + "ANOTHER", /* flat */ + "S-1-3", /* sid */ + TEST_FOREST }; /* forest */ + + ret = sysdb_master_domain_add_info(test_ctx->tctx->dom, + 
child_dom[1], + child_dom[2], + child_dom[3], + TEST_FOREST, + NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + sub_dom[0], sub_dom[1], + sub_dom[2], sub_dom[3], + false, false, sub_dom[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(test_ctx->tctx->sysdb, + forest_root[0], forest_root[1], + forest_root[2], forest_root[3], + false, false, forest_root[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_master_domain_update(test_ctx->tctx->dom); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom, test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + /* Also update dom2 */ + ret = sysdb_master_domain_update(test_ctx->tctx->dom->next); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(test_ctx->tctx->dom->next, + test_ctx->tctx->confdb); + assert_int_equal(ret, EOK); + + /* Checks */ + root = find_domain_by_name(test_ctx->tctx->dom, forest_root[0], true); + assert_non_null(root->forest_root); + assert_ptr_equal(root->forest_root, root); + + assert_non_null(test_ctx->tctx->dom->forest_root); + assert_true(test_ctx->tctx->dom->forest_root == root); + + sub = find_domain_by_name(test_ctx->tctx->dom, sub_dom[0], true); + assert_non_null(sub->forest_root); + assert_ptr_equal(sub->forest_root, root); + + /* Another separate domain is a forest of its own */ + main_dom = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM2_NAME, true); + assert_non_null(main_dom); + assert_non_null(main_dom->forest_root); + assert_true(main_dom->forest_root == main_dom); +} + + +/* Each parent domain has a subdomain. One parent domain is a root domain, + * the other is not. 
+ */ +static void test_sysdb_link_ad_multidom(void **state) +{ + errno_t ret; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + struct sss_domain_info *main_dom1; + struct sss_domain_info *main_dom2; + struct sss_domain_info *root; + + const char *const child_dom[5] = { "child.test_sysdb_subdomains",/* name */ + "CHILD.TEST_SYSDB_SUBDOMAINS",/* realm */ + "CHILD", /* flat */ + "S-1-2", /* sid */ + TEST_FOREST }; /* forest */ + + const char *const dom2_forest_root[5] = \ + { "test_sysdb_subdomains_2", /* name */ + TEST_FOREST2, /* realm */ + "TEST2", /* flat */ + TEST_SID2, /* sid */ + TEST_FOREST2 }; /* forest */ + + + main_dom1 = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM1_NAME, true); + main_dom2 = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM2_NAME, true); + + ret = sysdb_master_domain_add_info(main_dom1, + TEST_REALM, + TEST_FLAT_NAME, + TEST_SID, + TEST_FOREST, + NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(main_dom1->sysdb, + child_dom[0], child_dom[1], + child_dom[2], child_dom[3], + false, false, child_dom[4], + 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_master_domain_update(main_dom1); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(main_dom1, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_master_domain_add_info(main_dom2, + TEST_REALM2, + TEST_FLAT_NAME2, + TEST_SID2, + TEST_FOREST2, + NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_subdomain_store(main_dom2->sysdb, + dom2_forest_root[0], dom2_forest_root[1], + dom2_forest_root[2], dom2_forest_root[3], + false, false, dom2_forest_root[4], 0, NULL); + assert_int_equal(ret, EOK); + + ret = sysdb_master_domain_update(main_dom2); + assert_int_equal(ret, EOK); + + ret = sysdb_update_subdomains(main_dom2, NULL); + assert_int_equal(ret, EOK); + + main_dom1 = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM1_NAME, true); + assert_non_null(main_dom1); + assert_non_null(main_dom1->forest_root); + 
assert_true(main_dom1->forest_root == main_dom1); + + main_dom2 = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM2_NAME, true); + assert_non_null(main_dom1); + assert_non_null(main_dom1->forest_root); + assert_true(main_dom1->forest_root == main_dom1); + + root = find_domain_by_name(test_ctx->tctx->dom, dom2_forest_root[0], true); + assert_non_null(root); + assert_non_null(root->forest_root); + assert_ptr_equal(root->forest_root, main_dom2); + +} + +static void test_sysdb_set_and_get_site(void **state) +{ + TALLOC_CTX *tmp_ctx; + struct subdom_test_ctx *test_ctx = + talloc_get_type(*state, struct subdom_test_ctx); + const char *site; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + assert_non_null(test_ctx); + + ret = sysdb_get_site(test_ctx, test_ctx->tctx->dom, &site); + assert_int_equal(ret, EOK); + assert_null(site); + + ret = sysdb_set_site(test_ctx->tctx->dom, "TestSite"); + assert_int_equal(ret, EOK); + + ret = sysdb_get_site(tmp_ctx, test_ctx->tctx->dom, &site); + assert_int_equal(ret, EOK); + assert_string_equal(site, "TestSite"); + + talloc_free(tmp_ctx); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_sysdb_master_domain_ops, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_subdomain_create, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_link_forest_root_ipa, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_link_forest_root_ad, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + 
cmocka_unit_test_setup_teardown(test_sysdb_link_forest_member_ad, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_link_ad_multidom, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_set_and_get_site, + test_sysdb_subdom_setup, + test_sysdb_subdom_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, LOCAL_SYSDB_FILE); + test_dom_suite_setup(TESTS_PATH); + rv = cmocka_run_group_tests(tests, NULL, NULL); + + if (rv == 0 && no_cleanup == 0) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, LOCAL_SYSDB_FILE); + } + return rv; +} diff --git a/src/tests/cmocka/test_sysdb_sudo.c b/src/tests/cmocka/test_sysdb_sudo.c new file mode 100644 index 0000000..fc6a47a --- /dev/null +++ b/src/tests/cmocka/test_sysdb_sudo.c 
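Review bot: In `test_sysdb_link_ad_multidom()` the three assertions after the second lookup, `main_dom2 = find_domain_by_name(test_ctx->tctx->dom, TEST_DOM2_NAME, true);`, re-check `main_dom1` instead of `main_dom2`. The second parent domain's forest root is therefore never verified, and `main_dom2` is never NULL-checked even though it is dereferenced earlier (`main_dom2->sysdb`). They should read `assert_non_null(main_dom2);` and `assert_non_null(main_dom2->forest_root);`, plus a forest-root comparison for `main_dom2` whose expected value the author should confirm against the "one parent domain is a root domain, the other is not" comment. The same copy-paste pattern is in `test_sysdb_set_and_get_site()`, where `assert_non_null(test_ctx);` follows `tmp_ctx = talloc_new(NULL);` and should be `assert_non_null(tmp_ctx);`. In the other forest-link tests the `find_domain_by_name()` results `sub`, `child` and `root` are dereferenced without a preceding `assert_non_null()`.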
@@ -0,0 +1,1056 @@
+/*
+ Authors:
+ Petr Čech
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "src/db/sysdb_sudo.h"
+#include "src/db/sysdb_private.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_sysdb_sudorules.ldb"
+#define TEST_DOM_NAME "test_domain.test"
+
+#define TEST_CACHE_SUDO_TIMEOUT "20"
+
+#define TEST_USER_NON_EXIST "no_user"
+
+#define TEST_GROUP_NAME "test_sudo_group"
+#define TEST_GID 10001
+
+#define OVERRIDE_USER_NAME "user_test"
+#define OVERRIDE_GROUP_NAME "group_sudo_test"
+#define OVERRIDE_UID 2112
+
+struct test_user {
+ const char *name;
+ uid_t uid;
+ gid_t gid;
+} users[] = { { "test_USER1", 1001, 1001 },
+ { "test_user2", 1002, 1002 },
+ { "test_user3", 1003, 1003 } };
+
+struct test_rule {
+ const char *name;
+ const char *host;
+ const char *as_user;
+} rules[] = { { "test_rule1", "test_host1.test_domain.test", "root" },
+ { "test_rule2", "test_host2.test_domain.test", "root" },
+ { "test_rule3", "test_host3.test_domain.test", "root" } };
+
+struct sysdb_test_ctx {
+ struct sss_test_ctx *tctx;
+};
+
+static void create_groups(struct sss_domain_info *domain)
+{
+ errno_t ret;
+
+ ret = sysdb_add_group(domain, TEST_GROUP_NAME, TEST_GID,
+ NULL, 30, time(NULL));
+ assert_int_equal(ret, EOK);
+}
+
+static void create_users(struct sss_domain_info *domain)
+{
+ errno_t ret;
+ int gid;
+
+ for (int i = 0; i < 3; i++) {
+ gid = (i == 0) ? 0 : TEST_GID;
+ ret = sysdb_add_user(domain, users[i].name, users[i].uid, gid,
+ users[i].name, NULL, "/bin/bash", domain->name,
+ NULL, 30, time(NULL));
+ assert_int_equal(ret, EOK);
+ }
+}
+
+static void create_rule_attrs(struct sysdb_attrs *rule, int i)
+{
+ errno_t ret;
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_CN,
+ rules[i].name);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_HOST,
+ rules[i].host);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ rules[i].as_user);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_USER,
+ users[i].name);
+ assert_int_equal(ret, EOK);
+}
+
+static void create_rule_attrs_multiple_sudoUser(struct sysdb_attrs *rule)
+{
+ errno_t ret;
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_CN,
+ rules[0].name);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_HOST,
+ rules[0].host);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ rules[0].as_user);
+ assert_int_equal(ret, EOK);
+
+ for (int i = 0; i < 3; i++ ) {
+ ret = sysdb_attrs_add_string_safe(rule, SYSDB_SUDO_CACHE_AT_USER,
+ users[i].name);
+ assert_int_equal(ret, EOK);
+ }
+}
+
+static int get_stored_rules_count(struct sysdb_test_ctx *test_ctx)
+{
+ errno_t ret;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, NULL };
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom,
+ "(objectClass=sudoRule)",
+ attrs, &msgs_count, &msgs);
+ if (!(ret == EOK || ret == ENOENT)) {
+ msgs_count = -1;
+ }
+ talloc_zfree(msgs);
+
+ return msgs_count;
+}
+
+static int test_sysdb_setup(void **state)
+{
+ struct sysdb_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_dom_suite_setup(TESTS_PATH);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, "ipa", NULL);
+ assert_non_null(test_ctx->tctx);
+
+ create_groups(test_ctx->tctx->dom);
+ create_users(test_ctx->tctx->dom);
+
+ reset_ldb_errstrings(test_ctx->tctx->dom);
+ check_leaks_push(test_ctx);
+
+ *state = (void *)test_ctx;
+ return 0;
+}
+
+static int test_sysdb_teardown(void **state)
+{
+ struct sysdb_test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct sysdb_test_ctx);
+
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+
+ reset_ldb_errstrings(test_ctx->tctx->dom);
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+ assert_true(leak_check_teardown());
+
+ return 0;
+}
+
+static int test_sysdb_views_setup(void **state)
+{
+ struct sysdb_test_ctx *test_ctx;
+ errno_t ret;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct sysdb_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_dom_suite_setup(TESTS_PATH);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, "ipa", NULL);
+ assert_non_null(test_ctx->tctx);
+
+ create_groups(test_ctx->tctx->dom);
+ create_users(test_ctx->tctx->dom);
+
+ ret = sysdb_update_view_name(test_ctx->tctx->dom->sysdb, SYSDB_LOCAL_VIEW_NAME);
+ assert_int_equal(ret, EOK);
+ sysdb_master_domain_update(test_ctx->tctx->dom);
+
+ reset_ldb_errstrings(test_ctx->tctx->dom);
+ check_leaks_push(test_ctx);
+
+ *state = (void *)test_ctx;
+ return 0;
+}
+
+static int test_sysdb_views_teardown(void **state)
+{
+ struct sysdb_test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct sysdb_test_ctx);
+
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+
+ reset_ldb_errstrings(test_ctx->tctx->dom);
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+ assert_true(leak_check_teardown());
+
+ return 0;
+}
+
+void test_store_sudo(void **state)
+{
+ errno_t ret;
+ char *filter;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
+ SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ SYSDB_SUDO_CACHE_AT_USER, NULL };
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ const char *result;
+ struct sysdb_attrs *rule;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs(rule, 0);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(msgs_count, 1);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].name);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].host);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].as_user);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, users[0].name);
+
+ talloc_zfree(rule);
+ talloc_zfree(filter);
+ talloc_zfree(msgs);
+}
+
+void test_store_sudo_case_sensitive(void **state)
+{
+ errno_t ret;
+ char *filter;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
+ SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ SYSDB_SUDO_CACHE_AT_USER, NULL };
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ const char *result;
+ struct ldb_message_element *element;
+ struct sysdb_attrs *rule;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs_multiple_sudoUser(rule);
+
+ test_ctx->tctx->dom->case_sensitive = true;
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(msgs_count, 1);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].name);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].host);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].as_user);
+
+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
+ users[0].name);
+ assert_int_equal(ret, 1);
+
+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
+ lowered_name);
+ assert_int_equal(ret, 0);
+
+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
+ users[1].name);
+ assert_int_equal(ret, 1);
+
+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
+ users[2].name);
+ assert_int_equal(ret, 1);
+
+ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER);
+ assert_int_equal(element->num_values, 3);
+
+ talloc_zfree(lowered_name);
+ talloc_zfree(rule);
+ talloc_zfree(filter);
+ talloc_zfree(msgs);
+}
+
+void test_store_sudo_case_insensitive(void **state)
+{
+ errno_t ret;
+ char *filter;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
+ SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ SYSDB_SUDO_CACHE_AT_USER, NULL };
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ const char *result;
+ struct ldb_message_element *element;
+ struct sysdb_attrs *rule;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+ const char *lowered_name = sss_tc_utf8_str_tolower(test_ctx, users[0].name);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs_multiple_sudoUser(rule);
+
+ test_ctx->tctx->dom->case_sensitive = false;
+
+ ret = sysdb_attrs_add_lower_case_string(rule, false,
+ SYSDB_SUDO_CACHE_AT_USER,
+ users[0].name);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(msgs_count, 1);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].name);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].host);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].as_user);
+
+ for (int i = 0; i < 3; i++) {
+ ret = ldb_msg_check_string_attribute(msgs[0], SYSDB_SUDO_CACHE_AT_USER,
+ users[i].name);
+ assert_int_equal(ret, 1);
+ }
+
+ /* test there is no duplication of lowercase forms */
+ element = ldb_msg_find_element(msgs[0], SYSDB_SUDO_CACHE_AT_USER);
+ assert_int_equal(element->num_values, 4);
+
+ talloc_zfree(lowered_name);
+ talloc_zfree(rule);
+ talloc_zfree(filter);
+ talloc_zfree(msgs);
+}
+
+void test_sudo_purge_by_filter(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *rule;
+ char *delete_filter;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs(rule, 0);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 1);
+
+ delete_filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(delete_filter);
+
+ ret = sysdb_sudo_purge(test_ctx->tctx->dom, delete_filter, NULL, 0);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 0);
+
+ talloc_zfree(rule);
+ talloc_zfree(delete_filter);
+}
+
+void test_sudo_purge_by_rules(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *rule;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs(rule, 0);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 1);
+
+ ret = sysdb_sudo_purge(test_ctx->tctx->dom, NULL, &rule, 1);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 0);
+
+ talloc_zfree(rule);
+}
+
+void test_sudo_set_get_last_full_refresh(void **state)
+{
+ errno_t ret;
+ time_t now;
+ time_t loaded_time;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ now = time(NULL);
+ ret = sysdb_sudo_set_last_full_refresh(test_ctx->tctx->dom, now);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_sudo_get_last_full_refresh(test_ctx->tctx->dom, &loaded_time);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(now, loaded_time);
+}
+
+void test_get_sudo_user_info(void **state)
+{
+ errno_t ret;
+ char **groupnames = NULL;
+ const char *orig_username;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ /* User 1 has group. */
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, users[1].name,
+ &orig_username, NULL, &groupnames);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(groupnames[0], TEST_GROUP_NAME);
+ assert_string_equal(orig_username, users[1].name);
+
+ talloc_zfree(groupnames);
+ talloc_zfree(orig_username);
+}
+
+void test_get_overriden_sudo_user_info(void **state)
+{
+ errno_t ret;
+ char **groupnames = NULL;
+ const char *orig_username;
+ uid_t orig_uid;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ char *strdn;
+ char *safe_dn;
+ char *anchor;
+ char *group_fqname;
+ char *user_fqname;
+ struct sysdb_attrs *attrs;
+ struct ldb_dn *ldb_dn;
+
+ attrs = sysdb_new_attrs(test_ctx);
+ assert_non_null(attrs);
+
+ /* Override user's name and primary UID */
+ user_fqname = sss_create_internal_fqname(test_ctx,
+ OVERRIDE_USER_NAME,
+ test_ctx->tctx->dom->name);
+ assert_non_null(user_fqname);
+
+ ldb_dn = sysdb_user_dn(attrs, test_ctx->tctx->dom, users[1].name);
+ assert_non_null(ldb_dn);
+ strdn = sysdb_user_strdn(attrs, test_ctx->tctx->dom->name, users[1].name);
+ assert_non_null(strdn);
+ ret = sysdb_dn_sanitize(attrs, strdn, &safe_dn);
+ assert_int_equal(ret, EOK);
+ anchor = talloc_asprintf(attrs, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, safe_dn);
+ assert_non_null(anchor);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+ assert_int_equal(ret, EOK);
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, user_fqname);
+ assert_int_equal(ret, EOK);
+ ret = sysdb_attrs_add_uint32(attrs, SYSDB_UIDNUM, OVERRIDE_UID);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_override(test_ctx->tctx->dom, SYSDB_LOCAL_VIEW_NAME,
+ SYSDB_MEMBER_USER, attrs, ldb_dn);
+ assert_int_equal(ret, EOK);
+ talloc_zfree(attrs);
+
+ /* Override user's secondary group name */
+ attrs = sysdb_new_attrs(test_ctx);
+ assert_non_null(attrs);
+
+ group_fqname = sss_create_internal_fqname(test_ctx,
+ OVERRIDE_GROUP_NAME,
+ test_ctx->tctx->dom->name);
+ assert_non_null(group_fqname);
+
+ ldb_dn = sysdb_group_dn(attrs, test_ctx->tctx->dom, TEST_GROUP_NAME);
+ assert_non_null(ldb_dn);
+ strdn = sysdb_group_strdn(attrs, test_ctx->tctx->dom->name, TEST_GROUP_NAME);
+ assert_non_null(strdn);
+ ret = sysdb_dn_sanitize(attrs, strdn, &safe_dn);
+ assert_int_equal(ret, EOK);
+ anchor = talloc_asprintf(attrs, ":%s:%s", SYSDB_LOCAL_VIEW_NAME, safe_dn);
+ assert_non_null(anchor);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+ assert_int_equal(ret, EOK);
+ ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, group_fqname);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_override(test_ctx->tctx->dom, SYSDB_LOCAL_VIEW_NAME,
+ SYSDB_MEMBER_GROUP, attrs, ldb_dn);
+ assert_int_equal(ret, EOK);
+
+ /* User must be searchable by their overriden name */
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, user_fqname,
+ &orig_username, &orig_uid, &groupnames);
+ assert_int_equal(ret, EOK);
+
+ /* sysdb_get_sudo_user_info must return the original values, not the
+ * overriden one */
+ assert_string_equal(groupnames[0], TEST_GROUP_NAME);
+ assert_string_equal(orig_username, users[1].name);
+ assert_int_equal(orig_uid, users[1].uid);
+
+ talloc_zfree(groupnames);
+ talloc_zfree(orig_username);
+ talloc_zfree(attrs);
+ talloc_zfree(user_fqname);
+ talloc_zfree(group_fqname);
+}
+
+void test_get_sudo_user_info_nogroup(void **state)
+{
+ errno_t ret;
+ char **groupnames = NULL;
+ const char *orig_username;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ /* User 0 hasn't group. */
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom, users[0].name,
+ &orig_username, NULL, &groupnames);
+ assert_int_equal(ret, EOK);
+ assert_null(groupnames);
+ assert_string_equal(orig_username, users[0].name);
+
+ talloc_zfree(groupnames);
+ talloc_zfree(orig_username);
+}
+
+void test_get_sudo_nouser(void **state)
+{
+ errno_t ret;
+ char **groupnames = NULL;
+ const char *orig_username = NULL;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ ret = sysdb_get_sudo_user_info(test_ctx, test_ctx->tctx->dom,
+ TEST_USER_NON_EXIST,
+ &orig_username, NULL, &groupnames);
+ assert_int_equal(ret, ENOENT);
+ assert_null(orig_username);
+ assert_null(groupnames);
+}
+
+void test_set_sudo_rule_attr_add(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *rule;
+ struct sysdb_attrs *new_rule;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_COMMAND,
+ NULL };
+ char *filter;
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ const char *result;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs(rule, 0);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 1);
+
+ new_rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(new_rule);
+ ret = sysdb_attrs_add_string(new_rule, SYSDB_SUDO_CACHE_AT_COMMAND,
+ "test_command");
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_sudo_rule_attr(test_ctx->tctx->dom, rules[0].name,
+ new_rule, SYSDB_MOD_ADD);
+ assert_int_equal(ret, EOK);
+
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(msgs_count, 1);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].name);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_COMMAND,
+ NULL);
+ assert_non_null(result);
+ assert_string_equal(result, "test_command");
+
+ talloc_zfree(rule);
+ talloc_zfree(new_rule);
+ talloc_zfree(filter);
+ talloc_zfree(msgs);
+}
+
+void test_set_sudo_rule_attr_replace(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *rule;
+ struct sysdb_attrs *new_rule;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_CACHE_EXPIRE, NULL };
+ char *filter;
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ const char *result;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs(rule, 0);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 1);
+
+ new_rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(new_rule);
+ ret = sysdb_attrs_add_time_t(new_rule, SYSDB_CACHE_EXPIRE, 10);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_sudo_rule_attr(test_ctx->tctx->dom, rules[0].name,
+ new_rule, SYSDB_MOD_REP);
+ assert_int_equal(ret, EOK);
+
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(msgs_count, 1);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].name);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_CACHE_EXPIRE, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, "10");
+
+ talloc_zfree(rule);
+ talloc_zfree(new_rule);
+ talloc_zfree(filter);
+ talloc_zfree(msgs);
+}
+
+void test_set_sudo_rule_attr_delete(void **state)
+{
+ errno_t ret;
+ struct sysdb_attrs *rule;
+ struct sysdb_attrs *new_rule;
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
+ NULL };
+ char *filter;
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ const char *result;
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(rule);
+ create_rule_attrs(rule, 0);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, &rule, 1);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 1);
+
+ new_rule = sysdb_new_attrs(test_ctx);
+ assert_non_null(new_rule);
+ ret = sysdb_attrs_add_string(new_rule, SYSDB_SUDO_CACHE_AT_HOST,
+ rules[0].host);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_set_sudo_rule_attr(test_ctx->tctx->dom, rules[0].name,
+ new_rule, LDB_FLAG_MOD_DELETE);
+ assert_int_equal(ret, EOK);
+
+ filter = sysdb_sudo_filter_user(test_ctx, users[0].name, NULL, 0);
+ assert_non_null(filter);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(msgs_count, 1);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_CN, NULL);
+ assert_non_null(result);
+ assert_string_equal(result, rules[0].name);
+
+ result = ldb_msg_find_attr_as_string(msgs[0], SYSDB_SUDO_CACHE_AT_HOST,
+ "deleted");
+ assert_non_null(result);
+ assert_string_equal(result, "deleted");
+
+ talloc_zfree(rule);
+ talloc_zfree(new_rule);
+ talloc_zfree(filter);
+ talloc_zfree(msgs);
+}
+
+void test_search_sudo_rules(void **state)
+{
+ errno_t ret;
+ const char *filter;
+ const char *attrs[] = { SYSDB_NAME, NULL };
+ struct ldb_message **msgs = NULL;
+ size_t msgs_count;
+ size_t num_rules = 2;
+ struct sysdb_attrs *tmp_rules[num_rules];
+ const char *rule_names[num_rules];
+ const char *db_results[num_rules];
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ tmp_rules[0] = sysdb_new_attrs(test_ctx);
+ assert_non_null(tmp_rules[0]);
+ create_rule_attrs(tmp_rules[0], 0);
+
+ tmp_rules[1] = sysdb_new_attrs(test_ctx);
+ assert_non_null(tmp_rules[1]);
+ create_rule_attrs(tmp_rules[1], 1);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, tmp_rules, 2);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 2);
+
+ filter = "(objectClass=" SYSDB_SUDO_CACHE_OC ")";
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom, filter,
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(msgs_count, 2);
+
+ rule_names[0] = rules[0].name;
+ rule_names[1] = rules[1].name;
+
+ for (int i = 0; i < num_rules; ++i) {
+ db_results[i] = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
+ assert_non_null(db_results[i]);
+ }
+
+ assert_string_not_equal(db_results[0], db_results[1]);
+ assert_true(are_values_in_array(rule_names, num_rules,
+ db_results, num_rules));
+
+ talloc_zfree(tmp_rules[0]);
+ talloc_zfree(tmp_rules[1]);
+ talloc_zfree(msgs);
+}
+
+void test_filter_rules_by_time(void **state)
+{
+ errno_t ret;
+ time_t cur_time;
+ struct sysdb_attrs *tmp_attr;
+ uint32_t _num_rules;
+ struct sysdb_attrs *tmp_rules[2];
+ struct sysdb_attrs **_rules;
+ struct sysdb_attrs **loaded_rules;
+ size_t msgs_count;
+ struct ldb_message **msgs = NULL;
+ char buff[20];
+ const char *attrs[] = { SYSDB_SUDO_CACHE_AT_CN, SYSDB_SUDO_CACHE_AT_HOST,
+ SYSDB_SUDO_CACHE_AT_RUNASUSER,
+ SYSDB_SUDO_CACHE_AT_USER,
+ SYSDB_IPA_SUDORULE_NOTBEFORE,
+ SYSDB_IPA_SUDORULE_NOTAFTER, NULL };
+ struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_test_ctx);
+
+ tmp_rules[0] = sysdb_new_attrs(test_ctx);
+ assert_non_null(tmp_rules[0]);
+ create_rule_attrs(tmp_rules[0], 0);
+
+ tmp_rules[1] = sysdb_new_attrs(test_ctx);
+ assert_non_null(tmp_rules[1]);
+ create_rule_attrs(tmp_rules[1], 1);
+
+ ret = sysdb_sudo_store(test_ctx->tctx->dom, tmp_rules, 2);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(get_stored_rules_count(test_ctx), 2);
+
+ /*
+ * We hit DST issue of time functions,
+ * so we use big time shift to avoid this.
+ */
+
+ tmp_attr = sysdb_new_attrs(test_ctx);
+ assert_non_null(tmp_attr);
+ cur_time = time(NULL) + 10000;
+ strftime(buff, 20, "%Y%m%d%H%M%S%z", localtime(&cur_time));
+ ret = sysdb_attrs_add_string(tmp_attr, SYSDB_SUDO_CACHE_AT_NOTBEFORE, buff);
+ assert_int_equal(ret, EOK);
+ cur_time = time(NULL) + 20000;
+ strftime(buff, 20, "%Y%m%d%H%M%S%z", localtime(&cur_time));
+ ret = sysdb_attrs_add_string(tmp_attr, SYSDB_SUDO_CACHE_AT_NOTAFTER, buff);
+ assert_int_equal(ret, EOK);
+ ret = sysdb_set_sudo_rule_attr(test_ctx->tctx->dom, rules[0].name,
+ tmp_attr, SYSDB_MOD_ADD);
+ assert_int_equal(ret, EOK);
+ talloc_zfree(tmp_attr);
+
+ tmp_attr = sysdb_new_attrs(test_ctx);
+ assert_non_null(tmp_attr);
+ cur_time = time(NULL) - 10000;
+ strftime(buff, 20, "%Y%m%d%H%M%S%z", localtime(&cur_time));
+ ret = sysdb_attrs_add_string(tmp_attr, SYSDB_SUDO_CACHE_AT_NOTBEFORE, buff);
+ assert_int_equal(ret, EOK);
+ cur_time = time(NULL) + 10000;
+ strftime(buff, 20, "%Y%m%d%H%M%S%z", localtime(&cur_time));
+ ret = sysdb_attrs_add_string(tmp_attr, SYSDB_SUDO_CACHE_AT_NOTAFTER, buff);
+ assert_int_equal(ret, EOK);
+ ret = sysdb_set_sudo_rule_attr(test_ctx->tctx->dom, rules[1].name,
+ tmp_attr, SYSDB_MOD_ADD);
+ assert_int_equal(ret, EOK);
+ talloc_zfree(tmp_attr);
+
+ assert_int_equal(get_stored_rules_count(test_ctx), 2);
+
+ ret = sysdb_search_sudo_rules(test_ctx, test_ctx->tctx->dom,
+ "(objectClass=sudoRule)",
+ attrs, &msgs_count, &msgs);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(msgs_count, 2);
+
+ ret = sysdb_msg2attrs(test_ctx, 2, msgs, &loaded_rules);
+ assert_int_equal(ret, EOK);
+
+ talloc_zfree(msgs);
+
+ ret = sysdb_sudo_filter_rules_by_time(test_ctx, 2, loaded_rules, 0,
+ &_num_rules, &_rules);
+
+ assert_int_equal(ret, EOK);
+ assert_int_equal(_num_rules, 1);
+
+ talloc_zfree(tmp_rules[0]);
+ talloc_zfree(tmp_rules[1]);
+ talloc_zfree(loaded_rules);
+ talloc_zfree(_rules);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ /* sysdb_sudo_store() */
+ cmocka_unit_test_setup_teardown(test_store_sudo,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_store_sudo_case_sensitive,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_store_sudo_case_insensitive,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ /* sysdb_sudo_purge() */
+ cmocka_unit_test_setup_teardown(test_sudo_purge_by_filter,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ cmocka_unit_test_setup_teardown(test_sudo_purge_by_rules,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ /*
+ * sysdb_sudo_set_last_full_refresh()
+ * sysdb_sudo_get_last_full_refresh()
+ */
+ cmocka_unit_test_setup_teardown(test_sudo_set_get_last_full_refresh,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ /* sysdb_get_sudo_user_info() */
+ cmocka_unit_test_setup_teardown(test_get_sudo_user_info,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_get_sudo_user_info_nogroup,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ cmocka_unit_test_setup_teardown(test_get_sudo_nouser,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ /* The override tests use a different setup/teardown because loading
+ * the view allocates some data on the confdb and domain pointers,
+ * which would confuse the leak check
+ */
+ cmocka_unit_test_setup_teardown(test_get_overriden_sudo_user_info,
+ test_sysdb_views_setup,
+ test_sysdb_views_teardown),
+
+ /* sysdb_set_sudo_rule_attr() */
+ cmocka_unit_test_setup_teardown(test_set_sudo_rule_attr_add,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_set_sudo_rule_attr_replace,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ cmocka_unit_test_setup_teardown(test_set_sudo_rule_attr_delete,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ /* sysdb_search_sudo_rules() */
+ cmocka_unit_test_setup_teardown(test_search_sudo_rules,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+
+ /* sysdb_sudo_filter_rules_by_time() */
+ cmocka_unit_test_setup_teardown(test_filter_rules_by_time,
+ test_sysdb_setup,
+ test_sysdb_teardown),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_sysdb_ts_cache.c b/src/tests/cmocka/test_sysdb_ts_cache.c
new file mode 100644
index 0000000..fdf9935
--- /dev/null
+++ b/src/tests/cmocka/test_sysdb_ts_cache.c
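Review bot: In test_sysdb_sudo.c, test_filter_rules_by_time checks only `assert_int_equal(_num_rules, 1)` after sysdb_sudo_filter_rules_by_time(), so a filter that kept rules[0] (whose notBefore lies in the future) and dropped the currently valid rules[1] would still pass. Because the notBefore/notAfter attributes bound when a sudo grant is usable, the test should also pin which rule survives, for example with a `const char *name` local and `ret = sysdb_attrs_get_string(_rules[0], SYSDB_SUDO_CACHE_AT_CN, &name);`, `assert_int_equal(ret, EOK);`, `assert_string_equal(name, rules[1].name);`. In the same test, the `strftime(buff, 20, ...)` calls leave no spare byte for the `%Y%m%d%H%M%S%z` output, and neither their return value nor the `localtime()` result is checked. Asserting a non-zero return would stop a truncated timestamp from silently reaching the cache. Separately, get_stored_rules_count() assigns `-1` to a `size_t` and reads `msgs_count` on the ENOENT path without initialising it (presumably the callee sets it); `size_t msgs_count = 0;` would make that explicit.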
@@ -0,0 +1,1493 @@
+/*
+ SSSD
+
+ sysdb_ts - Test for sysdb timestamp cache
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "db/sysdb_private.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "tests_conf.ldb"
+#define TEST_ID_PROVIDER "ldap"
+
+#define TEST_DOM1_NAME "test_sysdb_ts_1"
+
+#define TEST_GROUP_NAME "test_group"
+#define TEST_GROUP_NAME_2 "test_group_2"
+#define TEST_GROUP_NAME_3 "test_group_3"
+#define TEST_GROUP_NAME_OLD "test_group_old"
+#define TEST_GROUP_GID 1234
+#define TEST_GROUP_GID_2 1235
+#define TEST_GROUP_GID_3 1236
+#define TEST_GROUP_SID "S-1-5-21-123-456-789-111"
+
+#define TEST_USER_NAME "test_user"
+#define TEST_USER_UID 4321
+#define TEST_USER_GID 4322
+#define TEST_USER_SID "S-1-5-21-123-456-789-222"
+#define TEST_USER_UPN "test_user@TEST_REALM"
+
+#define TEST_MODSTAMP_1 "20160408132553Z"
+#define TEST_MODSTAMP_2 "20160408142553Z"
+#define TEST_MODSTAMP_3 "20160408152553Z"
+
+#define TEST_CACHE_TIMEOUT 5
+
+#define TEST_NOW_1 100
+#define TEST_NOW_2 200
+#define TEST_NOW_3 300
+#define TEST_NOW_4 400
+#define TEST_NOW_5 500
+#define TEST_NOW_6 600
+
+#define TS_FILTER_ALL "("SYSDB_CACHE_EXPIRE"=*)"
+
+struct sysdb_ts_test_ctx {
+ struct sss_test_ctx *tctx;
+};
+
+const char *domains[] = { TEST_DOM1_NAME,
+ NULL };
+
+static int test_sysdb_ts_setup(void **state)
+{
+ struct sysdb_ts_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context,
+ struct sysdb_ts_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_dom_suite_setup(TESTS_PATH);
+
+ test_ctx->tctx = create_multidom_test_ctx(test_ctx, TESTS_PATH,
+ TEST_CONF_DB, domains,
+ TEST_ID_PROVIDER, NULL);
+ assert_non_null(test_ctx->tctx);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int test_sysdb_ts_teardown(void **state)
+{
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+
+ //assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM1_NAME);
+ return 0;
+}
+
+static struct sysdb_attrs *create_modstamp_attrs(TALLOC_CTX *mem_ctx,
+ const char *modstamp)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(mem_ctx);
+ if (attrs == NULL) {
+ return NULL;
+ }
+
+ ret = sysdb_attrs_add_string(attrs,
+ SYSDB_ORIG_MODSTAMP,
+ modstamp);
+ if (ret != EOK) {
+ talloc_free(attrs);
+ return NULL;
+ }
+
+ return attrs;
+}
+
+static struct sysdb_attrs *create_str_attrs(TALLOC_CTX *mem_ctx,
+ const char *key,
+ const char *value)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(mem_ctx);
+ if (attrs == NULL) {
+ return NULL;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, key, value);
+ if (ret != EOK) {
+ talloc_free(attrs);
+ return NULL;
+ }
+
+ return attrs;
+}
+
+static struct sysdb_attrs *create_sidstr_attrs(TALLOC_CTX *mem_ctx,
+ const char *sid_str)
+{
+ return create_str_attrs(mem_ctx, SYSDB_SID_STR, sid_str);
+}
+
+static struct sysdb_attrs *create_upnstr_attrs(TALLOC_CTX *mem_ctx,
+ const char *upn_str)
+{
+ return create_str_attrs(mem_ctx, SYSDB_UPN, upn_str);
+}
+
+static struct sysdb_attrs *create_ts_attrs(TALLOC_CTX *mem_ctx,
+ time_t expiration,
+ time_t last_update)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+
+ attrs = sysdb_new_attrs(mem_ctx);
+ if (attrs == NULL) {
+ return NULL;
+ }
+
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_CACHE_EXPIRE,
+ expiration);
+ if (ret != EOK) {
+ talloc_free(attrs);
+ return NULL;
+ }
+
+ ret = sysdb_attrs_add_time_t(attrs,
+ SYSDB_LAST_UPDATE,
+ last_update);
+ if (ret != EOK) {
+ talloc_free(attrs);
+ return NULL;
+ }
+
+ return attrs;
+}
+
+static struct ldb_result *sysdb_getgrnam_res(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *name)
+{
+ int ret;
+ struct ldb_result *res = NULL;
+
+ ret = sysdb_getgrnam(mem_ctx, domain, name, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+
+ return res;
+}
+
+static struct ldb_result *sysdb_getpwnam_res(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *name)
+{
+ int ret;
+ struct ldb_result *res = NULL;
+
+ ret = sysdb_getpwnam(mem_ctx, domain, name, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+
+ return res;
+}
+
+static uint64_t get_dn_cache_timestamp(struct sysdb_ts_test_ctx *test_ctx,
+ struct ldb_dn *dn)
+{
+ int ret;
+ uint64_t cache_expire_sysdb;
+ struct ldb_result *res;
+
+ const char *attrs[] = { SYSDB_CACHE_EXPIRE,
+ NULL,
+ };
+
+ ret = ldb_search(test_ctx->tctx->sysdb->ldb, test_ctx, &res,
+ dn, LDB_SCOPE_BASE, attrs, NULL);
+ if (ret != EOK || res == NULL || res->count != 1) {
+ talloc_free(res);
+ return 0;
+ }
+
+ cache_expire_sysdb = ldb_msg_find_attr_as_uint64(res->msgs[0],
+ SYSDB_CACHE_EXPIRE,
+ 0);
+ talloc_free(res);
+ return cache_expire_sysdb;
+}
+
+static uint64_t get_gr_cache_timestamp(struct sysdb_ts_test_ctx *test_ctx,
+ const char *name)
+{
+ struct ldb_dn *dn;
+ uint64_t cache_expire_sysdb;
+
+ dn = sysdb_group_dn(test_ctx, test_ctx->tctx->dom, name);
+ if (dn == NULL) {
+ return 0;
+ }
+
+ cache_expire_sysdb = get_dn_cache_timestamp(test_ctx, dn);
+ talloc_free(dn);
+ return cache_expire_sysdb;
+}
+
+static uint64_t get_pw_cache_timestamp(struct sysdb_ts_test_ctx *test_ctx,
+ const char *name)
+{
+ struct ldb_dn *dn;
+ uint64_t cache_expire_sysdb;
+
+ dn = sysdb_user_dn(test_ctx, test_ctx->tctx->dom, name);
+ if (dn == NULL) {
+ return 0;
+ }
+
+ cache_expire_sysdb = get_dn_cache_timestamp(test_ctx, dn);
+ talloc_free(dn);
+ return cache_expire_sysdb;
+}
+
+static uint64_t get_dn_ts_cache_timestamp(struct sysdb_ts_test_ctx *test_ctx,
+ struct ldb_dn *dn)
+{
+ size_t msg_count;
+ struct ldb_message **msgs;
+ uint64_t cache_expire_ts;
+ const char *attrs[] = { SYSDB_CACHE_EXPIRE,
+ NULL,
+ };
+ int ret;
+
+ ret = sysdb_search_ts_entry(test_ctx, test_ctx->tctx->sysdb,
+ dn, LDB_SCOPE_BASE, NULL, attrs,
+ &msg_count, &msgs);
+ if (ret != EOK) {
+ return 0;
+ }
+
+ if (msg_count != 1) {
+ return 0;
+ }
+
+ cache_expire_ts = ldb_msg_find_attr_as_uint64(msgs[0],
+ SYSDB_CACHE_EXPIRE, 0);
+ talloc_free(msgs);
+ return cache_expire_ts;
+}
+
+static uint64_t get_gr_ts_cache_timestamp(struct sysdb_ts_test_ctx *test_ctx,
+ const char *name)
+{
+ struct ldb_dn *dn;
+ uint64_t cache_expire_ts;
+
+ dn = sysdb_group_dn(test_ctx, test_ctx->tctx->dom, name);
+ if (dn == NULL) {
+ return 0;
+ }
+
+ cache_expire_ts = get_dn_ts_cache_timestamp(test_ctx, dn);
+ talloc_free(dn);
+ return cache_expire_ts;
+}
+
+static uint64_t get_pw_ts_cache_timestamp(struct sysdb_ts_test_ctx *test_ctx,
+ const char *name)
+{
+ struct ldb_dn *dn;
+ uint64_t cache_expire_ts;
+
+ dn = sysdb_user_dn(test_ctx, test_ctx->tctx->dom, name);
+ if (dn == NULL) {
+ return 0;
+ }
+
+ cache_expire_ts = get_dn_ts_cache_timestamp(test_ctx, dn);
+ talloc_free(dn);
+ return cache_expire_ts;
+}
+
+static void get_gr_timestamp_attrs(struct sysdb_ts_test_ctx *test_ctx,
+ const char *name,
+ uint64_t *cache_expire_sysdb,
+ uint64_t *cache_expire_ts)
+{
+ *cache_expire_sysdb = get_gr_cache_timestamp(test_ctx, name);
+ *cache_expire_ts = get_gr_ts_cache_timestamp(test_ctx, name);
+}
+
+static void get_pw_timestamp_attrs(struct sysdb_ts_test_ctx *test_ctx,
+ const char *name,
+ uint64_t *cache_expire_sysdb,
+ uint64_t *cache_expire_ts)
+{
+ *cache_expire_sysdb = get_pw_cache_timestamp(test_ctx, name);
+ *cache_expire_ts = get_pw_ts_cache_timestamp(test_ctx, name);
+}
+
+static void test_sysdb_group_update(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct ldb_result *res = NULL;
+ struct sysdb_attrs *group_attrs = NULL;
+ uint64_t cache_expire_sysdb;
+ uint64_t cache_expire_ts;
+ char *test_user_member = NULL;
+
+ /* Nothing must be stored in either cache at the beginning of the test */
+ res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ /* Store a group without a modifyTimestamp. Must not throw an error. This
+ * tests that the sysdb timestamp code is able to cope with absence of an
+ * attribute it operates on gracefully.
+ */
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ /* Store a group and add a modifyTimestamp this time.
+ * Since we want to write the timestamp attributes if they are not present,
+ * both caches will be bumped.
+ */
+ group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
+ assert_non_null(group_attrs);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+
+ /* Update the same attrs and the same modifyTimestamp.
+ * Only the timestamp cache must be bumped */
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_3);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_3);
+
+ /* Update with different modifyTimestamp but same attrs as previously
+ * saved to the timestamp cache. We should detect the 'real' attributes
+ * are the same and only bump the timestamp cache
+ */
+ talloc_free(group_attrs);
+ group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2);
+ assert_non_null(group_attrs);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_4);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4);
+
+ /* Update with different modifyTimestamp and different attrs (add a
+ * member as a real-world example). Both caches must be updated. */
+ ret = sysdb_store_user(test_ctx->tctx->dom,
+ TEST_USER_NAME,
+ NULL,
+ TEST_USER_UID,
+ TEST_USER_GID,
+ NULL, NULL, NULL, NULL, NULL, NULL,
+ TEST_CACHE_TIMEOUT, TEST_NOW_5);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(group_attrs);
+ group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_3);
+ assert_non_null(group_attrs);
+
+ test_user_member = sysdb_user_strdn(group_attrs,
+ test_ctx->tctx->dom->name,
+ TEST_USER_NAME);
+ assert_non_null(test_user_member);
+
+ ret = sysdb_attrs_add_string(group_attrs, SYSDB_MEMBER, test_user_member);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_5);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_5);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_5);
+
+ /* Try to save the same member again, while it's already saved. Only the
+ * timestamps cache must be bumped now
+ */
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_6);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_5);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_6);
+ talloc_free(group_attrs);
+}
+
+static void test_sysdb_group_delete(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct ldb_result *res = NULL;
+ struct sysdb_attrs *group_attrs = NULL;
+ uint64_t cache_expire_sysdb;
+ uint64_t cache_expire_ts;
+ struct ldb_result *ts_res;
+
+ ts_res = talloc_zero(test_ctx, struct ldb_result);
+ assert_non_null(ts_res);
+
+ /* Nothing must be stored in either cache at the beginning of the test */
+ res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ ret = sysdb_search_ts_groups(ts_res,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, ENOENT);
+
+ group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
+ assert_non_null(group_attrs);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+ talloc_free(group_attrs);
+
+ ret = sysdb_search_ts_groups(ts_res,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(ts_res->count, 1);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ ret = sysdb_delete_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID);
+ assert_int_equal(ret, EOK);
+
+ /* Nothing must be stored in either cache at the end of the test */
+ ret = sysdb_search_ts_groups(ts_res,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, ENOENT);
+
+ res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, 0);
+ assert_int_equal(cache_expire_ts, 0);
+
+ talloc_free(ts_res);
+}
+
+static void test_sysdb_group_rename(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct ldb_result *res = NULL;
+ uint64_t cache_expire_sysdb;
+ uint64_t cache_expire_ts;
+ struct ldb_result *ts_res;
+ char *filter;
+
+ ts_res = talloc_zero(test_ctx, struct ldb_result);
+ assert_non_null(ts_res);
+
+ /* Nothing must be stored in either cache at the beginning of the test */
+ res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+ res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom,
+ TEST_GROUP_NAME_OLD);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ filter = talloc_asprintf(ts_res, "(|(%s=%s)(%s=%s))",
+ SYSDB_NAME, TEST_GROUP_NAME_OLD,
+ SYSDB_NAME, TEST_GROUP_NAME);
+ assert_non_null(filter);
+
+ ret = sysdb_search_ts_groups(ts_res,
+ test_ctx->tctx->dom,
+ filter,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, ENOENT);
+ talloc_free(filter);
+
+ /* Store an old group */
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME_OLD,
+ TEST_GROUP_GID,
+ NULL,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME_OLD,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ /* Replace with a new one */
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ NULL,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+
+ /* The old entry must be gone from both caches */
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME_OLD,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, 0);
+ assert_int_equal(cache_expire_ts, 0);
+
+ get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom,
+ TEST_GROUP_NAME_OLD);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ talloc_free(ts_res);
+}
+
+static void assert_ts_attrs_msg(struct ldb_message *msg,
+ uint64_t exp_expiration,
+ uint64_t exp_last_update)
+{
+ uint64_t expiration;
+ uint64_t last_update;
+ const char *modstamp;
+
+ /* Attributes normally requested with getgrnam are merged */
+ expiration = ldb_msg_find_attr_as_uint64(msg, SYSDB_CACHE_EXPIRE, 0);
+ assert_int_equal(expiration, exp_expiration);
+ last_update = ldb_msg_find_attr_as_uint64(msg, SYSDB_LAST_UPDATE, 0);
+ assert_int_equal(last_update, exp_last_update);
+
+ /* Attributes not requested are not */
+ modstamp = ldb_msg_find_attr_as_string(msg, SYSDB_ORIG_MODSTAMP, NULL);
+ assert_null(modstamp);
+}
+
+static void assert_ts_attrs_res(struct ldb_result *res,
+ uint64_t exp_expiration,
+ uint64_t exp_last_update)
+{
+ return assert_ts_attrs_msg(res->msgs[0], exp_expiration, exp_last_update);
+}
+
+static void assert_ts_attrs_msgs_list(size_t msgs_count,
+ struct ldb_message **msgs,
+ uint64_t exp_expiration,
+ uint64_t exp_last_update)
+{
+ struct ldb_result res;
+
+ res.count = msgs_count;
+ res.msgs = msgs;
+ return assert_ts_attrs_res(&res, exp_expiration, exp_last_update);
+}
+
+static void test_sysdb_getgr_merges(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct sysdb_attrs *group_attrs = NULL;
+ const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ char *filter = NULL;
+ struct ldb_result *res = NULL;
+ size_t msgs_count;
+ struct ldb_message **msgs = NULL;
+ struct ldb_message *msg = NULL;
+
+ group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
+ assert_non_null(group_attrs);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ talloc_free(group_attrs);
+ assert_int_equal(ret, EOK);
+
+ group_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2);
+ assert_non_null(group_attrs);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ talloc_free(group_attrs);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_getgrnam(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(res);
+
+ ret = sysdb_getgrgid(test_ctx, test_ctx->tctx->dom, TEST_GROUP_GID, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(res);
+
+ filter = talloc_asprintf(test_ctx, "(%s=%s)",
+ SYSDB_NAME, TEST_GROUP_NAME);
+ assert_non_null(filter);
+ ret = sysdb_search_groups(test_ctx, test_ctx->tctx->dom,
+ filter, gr_fetch_attrs,
+ &msgs_count, &msgs);
+ talloc_free(filter);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(msgs_count, 1);
+ assert_ts_attrs_msgs_list(msgs_count, msgs,
+ TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(msgs);
+
+ group_attrs = create_ts_attrs(test_ctx, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ assert_non_null(group_attrs);
+ ret = sysdb_set_group_attr(test_ctx->tctx->dom, TEST_GROUP_NAME,
+ group_attrs, SYSDB_MOD_REP);
+ talloc_free(group_attrs);
+
+ ret = sysdb_getgrnam(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(res);
+
+ /* Make sure sysdb_search_group_by_name includes timestamp attributes */
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->tctx->dom,
+ TEST_GROUP_NAME, gr_fetch_attrs, &msg);
+ assert_int_equal(ret, EOK);
+ assert_non_null(msg);
+ assert_ts_attrs_msg(msg, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(msg);
+
+ ret = sysdb_search_group_by_gid(test_ctx, test_ctx->tctx->dom,
+ TEST_GROUP_GID, gr_fetch_attrs, &msg);
+ assert_int_equal(ret, EOK);
+ assert_non_null(msg);
+ assert_ts_attrs_msg(msg, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(msg);
+}
+
+static void test_merge_ldb_results(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ char *filter;
+ struct ldb_result *res;
+ struct ldb_result *res1;
+ struct ldb_result *res2;
+ size_t msgs_count;
+
+ res1 = talloc_zero(test_ctx, struct ldb_result);
+ assert_non_null(res1);
+ res2 = talloc_zero(test_ctx, struct ldb_result);
+ assert_non_null(res2);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ NULL,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME_2,
+ TEST_GROUP_GID_2,
+ NULL,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME_3,
+ TEST_GROUP_GID_3,
+ NULL,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_3);
+ assert_int_equal(ret, EOK);
+
+ filter = talloc_asprintf(test_ctx, "(|(%s=%s)(%s=%s))",
+ SYSDB_NAME, TEST_GROUP_NAME,
+ SYSDB_NAME, TEST_GROUP_NAME_2);
+ assert_non_null(filter);
+ ret = sysdb_search_groups(res1, test_ctx->tctx->dom,
+ filter, gr_fetch_attrs,
+ &msgs_count, &res1->msgs);
+ res1->count = (unsigned)msgs_count;
+ talloc_free(filter);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res1->count, 2);
+
+ filter = talloc_asprintf(test_ctx, "(|(%s=%s)(%s=%s))",
+ SYSDB_NAME, TEST_GROUP_NAME_2,
+ SYSDB_NAME, TEST_GROUP_NAME_3);
+ assert_non_null(filter);
+ ret = sysdb_search_groups(res2, test_ctx->tctx->dom,
+ filter, gr_fetch_attrs,
+ &msgs_count, &res2->msgs);
+ res2->count = (unsigned)msgs_count;
+ talloc_free(filter);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res2->count, 2);
+
+ res = sss_merge_ldb_results(res1, res2);
+ assert_non_null(res);
+ assert_int_equal(res->count, 3);
+
+ talloc_free(res1);
+ talloc_free(res2);
+}
+
+static void test_group_bysid(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ const char *gr_fetch_attrs[] = SYSDB_GRSRC_ATTRS;
+ struct sysdb_attrs *group_attrs = NULL;
+ struct ldb_result *res;
+ struct ldb_message *msg = NULL;
+ struct ldb_result ts_res;
+
+ group_attrs = create_sidstr_attrs(test_ctx, TEST_GROUP_SID);
+ assert_non_null(group_attrs);
+
+ ret = sysdb_search_object_by_sid(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_GROUP_SID,
+ gr_fetch_attrs,
+ &res);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ group_attrs,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ talloc_free(group_attrs);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_group(test_ctx->tctx->dom,
+ TEST_GROUP_NAME,
+ TEST_GROUP_GID,
+ NULL,
+ TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_object_by_sid(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_GROUP_SID,
+ gr_fetch_attrs,
+ &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(res);
+
+ ret = sysdb_search_group_by_sid_str(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_GROUP_SID,
+ gr_fetch_attrs,
+ &msg);
+ assert_int_equal(ret, EOK);
+ assert_ts_attrs_msg(msg, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+
+ ret = sysdb_delete_by_sid(test_ctx->tctx->dom->sysdb,
+ test_ctx->tctx->dom,
+ TEST_GROUP_SID);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_object_by_sid(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_GROUP_SID,
+ gr_fetch_attrs,
+ &res);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_search_ts_groups(test_ctx,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ &ts_res);
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_sysdb_user_update(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct ldb_result *res = NULL;
+ struct sysdb_attrs *user_attrs = NULL;
+ uint64_t cache_expire_sysdb;
+ uint64_t cache_expire_ts;
+
+ /* Nothing must be stored in either cache at the beginning of the test */
+ res = sysdb_getpwnam_res(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ /* Store a user without a modifyTimestamp. Must not throw an error. This
+ * tests that the sysdb timestamp code is able to cope with absence of an
+ * attribute it operates on gracefully.
+ */
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ /* Store a user and add a modifyTimestamp this time.
+ * Since we want to write the timestamp attributes if they are not present,
+ * both caches will be bumped.
+ */
+ user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
+ assert_non_null(user_attrs);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ assert_int_equal(ret, EOK);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+
+ /* Update with different modifyTimestamp but same attrs as previously
+ * saved to the timestamp cache. We should detect the 'real' attributes
+ * are the same and only bump the timestamp cache
+ */
+ talloc_free(user_attrs);
+ user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2);
+ assert_non_null(user_attrs);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_4);
+ assert_int_equal(ret, EOK);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_2);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_4);
+
+ /* Update with different modifyTimestamp and different attrs (change
+ * the shell as a real-world example). Both caches must be updated. */
+ talloc_free(user_attrs);
+ user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_3);
+ assert_non_null(user_attrs);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/zsh", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_5);
+ assert_int_equal(ret, EOK);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_5);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_5);
+}
+
+static void test_sysdb_user_delete(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct ldb_result *res = NULL;
+ struct sysdb_attrs *user_attrs = NULL;
+ uint64_t cache_expire_sysdb;
+ uint64_t cache_expire_ts;
+ struct ldb_result *ts_res;
+
+ ts_res = talloc_zero(test_ctx, struct ldb_result);
+ assert_non_null(ts_res);
+
+ /* Nothing must be stored in either cache at the beginning of the test */
+ res = sysdb_getpwnam_res(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ ret = sysdb_search_ts_users(ts_res,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, ENOENT);
+
+ user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
+ assert_non_null(user_attrs);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ assert_int_equal(ret, EOK);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ ret = sysdb_search_ts_users(ts_res,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(ts_res->count, 1);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+ assert_int_equal(cache_expire_ts, TEST_CACHE_TIMEOUT + TEST_NOW_1);
+
+ ret = sysdb_delete_user(test_ctx->tctx->dom,
+ TEST_USER_NAME,
+ TEST_USER_UID);
+ assert_int_equal(ret, EOK);
+
+ /* Nothing must be stored in either cache at the end of the test */
+ res = sysdb_getpwnam_res(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME);
+ assert_int_equal(res->count, 0);
+ talloc_free(res);
+
+ ret = sysdb_search_ts_users(ts_res,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ ts_res);
+ assert_int_equal(ret, ENOENT);
+
+ get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME,
+ &cache_expire_sysdb, &cache_expire_ts);
+ assert_int_equal(cache_expire_sysdb, 0);
+ assert_int_equal(cache_expire_ts, 0);
+
+ talloc_free(ts_res);
+}
+
+static void test_sysdb_getpw_merges(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ struct sysdb_attrs *user_attrs = NULL;
+ const char *pw_fetch_attrs[] = SYSDB_PW_ATTRS;
+ char *filter = NULL;
+ struct ldb_result *res = NULL;
+ size_t msgs_count;
+ struct ldb_message **msgs = NULL;
+ struct ldb_message *msg = NULL;
+
+ user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1);
+ assert_non_null(user_attrs);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ talloc_free(user_attrs);
+ assert_int_equal(ret, EOK);
+
+ user_attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_2);
+ assert_non_null(user_attrs);
+
+ /* sysdb cache will have test_now1 and ts cache test_now2 at this point */
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ talloc_free(user_attrs);
+ assert_int_equal(ret, EOK);
+
+ /* getpwnam must return the timestamp from the ts cache */
+ ret = sysdb_getpwnam(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(res);
+
+ /* getpwuid must return the timestamp from the ts cache */
+ ret = sysdb_getpwuid(test_ctx, test_ctx->tctx->dom, TEST_USER_UID, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(res);
+
+ filter = talloc_asprintf(test_ctx, "(%s=%s)",
+ SYSDB_NAME, TEST_USER_NAME);
+ assert_non_null(filter);
+ ret = sysdb_search_users(test_ctx, test_ctx->tctx->dom,
+ filter, pw_fetch_attrs,
+ &msgs_count, &msgs);
+ talloc_free(filter);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(msgs_count, 1);
+ assert_ts_attrs_msgs_list(msgs_count, msgs,
+ TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(msgs);
+
+ /* set_user_attrs must bump the ts cache */
+ user_attrs = create_ts_attrs(test_ctx, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ assert_non_null(user_attrs);
+ ret = sysdb_set_user_attr(test_ctx->tctx->dom, TEST_USER_NAME,
+ user_attrs, SYSDB_MOD_REP);
+ talloc_free(user_attrs);
+
+ /* getpwnam must return the timestamp from the ts cache */
+ ret = sysdb_getpwnam(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(res);
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(res);
+
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->tctx->dom,
+ TEST_USER_NAME, pw_fetch_attrs, &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(res);
+
+ /* Make sure sysdb_search_user_by_name includes timestamp attributes */
+ ret = sysdb_search_user_by_name(test_ctx, test_ctx->tctx->dom,
+ TEST_USER_NAME, pw_fetch_attrs, &msg);
+ assert_int_equal(ret, EOK);
+ assert_non_null(msg);
+ assert_ts_attrs_msg(msg, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(msg);
+
+ ret = sysdb_search_user_by_uid(test_ctx, test_ctx->tctx->dom,
+ TEST_USER_UID, pw_fetch_attrs, &msg);
+ assert_int_equal(ret, EOK);
+ assert_non_null(msg);
+ assert_ts_attrs_msg(msg, TEST_NOW_3 + TEST_CACHE_TIMEOUT, TEST_NOW_3);
+ talloc_free(msg);
+}
+
+static void test_user_bysid(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state,
+ struct sysdb_ts_test_ctx);
+ const char *pw_fetch_attrs[] = SYSDB_PW_ATTRS;
+ struct sysdb_attrs *user_attrs = NULL;
+ struct ldb_result *res;
+ struct ldb_message *msg = NULL;
+ struct ldb_result ts_res;
+
+ user_attrs = create_sidstr_attrs(test_ctx, TEST_USER_SID);
+ assert_non_null(user_attrs);
+
+ ret = sysdb_search_object_by_sid(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_USER_SID,
+ pw_fetch_attrs,
+ &res);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_1);
+ talloc_zfree(user_attrs);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL,
+ TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME,
+ "/home/"TEST_USER_NAME, "/bin/bash", NULL,
+ user_attrs, NULL, TEST_CACHE_TIMEOUT,
+ TEST_NOW_2);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_object_by_sid(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_USER_SID,
+ pw_fetch_attrs,
+ &res);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(res->count, 1);
+ assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+ talloc_free(res);
+
+ ret = sysdb_search_user_by_sid_str(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_USER_SID,
+ pw_fetch_attrs,
+ &msg);
+ assert_int_equal(ret, EOK);
+ assert_ts_attrs_msg(msg, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2);
+
+ ret = sysdb_delete_by_sid(test_ctx->tctx->dom->sysdb,
+ test_ctx->tctx->dom,
+ TEST_USER_SID);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_search_object_by_sid(test_ctx,
+ test_ctx->tctx->dom,
+ TEST_USER_SID,
+ pw_fetch_attrs,
+ &res);
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_search_ts_users(test_ctx,
+ test_ctx->tctx->dom,
+ TS_FILTER_ALL,
+ sysdb_ts_cache_attrs,
+ &ts_res);
+ assert_int_equal(ret, ENOENT);
+}
+
+static void test_user_byupn(void **state)
+{
+ int ret;
+ struct sysdb_ts_test_ctx *test_ctx = 
talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); + const char *pw_fetch_attrs[] = SYSDB_PW_ATTRS; + struct sysdb_attrs *user_attrs = NULL; + struct ldb_result *res; + struct ldb_message *msg = NULL; + + user_attrs = create_upnstr_attrs(test_ctx, TEST_USER_UPN); + assert_non_null(user_attrs); + + ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME, + "/home/"TEST_USER_NAME, "/bin/bash", NULL, + user_attrs, NULL, TEST_CACHE_TIMEOUT, + TEST_NOW_1); + talloc_zfree(user_attrs); + assert_int_equal(ret, EOK); + + ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME, + "/home/"TEST_USER_NAME, "/bin/bash", NULL, + user_attrs, NULL, TEST_CACHE_TIMEOUT, + TEST_NOW_2); + assert_int_equal(ret, EOK); + + ret = sysdb_getpwupn(test_ctx, test_ctx->tctx->dom, false, TEST_USER_UPN, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2); + talloc_free(res); + + ret = sysdb_search_user_by_upn_res(test_ctx, test_ctx->tctx->dom, + false, TEST_USER_UPN, pw_fetch_attrs, + &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2); + talloc_free(res); + + ret = sysdb_search_user_by_upn(test_ctx, test_ctx->tctx->dom, + false, TEST_USER_UPN, pw_fetch_attrs, + &msg); + assert_int_equal(ret, EOK); + assert_ts_attrs_msg(msg, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2); + + ret = sysdb_initgroups_by_upn(test_ctx, test_ctx->tctx->dom, + TEST_USER_UPN, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_ts_attrs_res(res, TEST_NOW_2 + TEST_CACHE_TIMEOUT, TEST_NOW_2); + talloc_free(res); +} + +static void test_sysdb_zero_now(void **state) +{ + int ret; + struct sysdb_ts_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_ts_test_ctx); + struct ldb_result 
*res = NULL; + uint64_t cache_expire_sysdb; + uint64_t cache_expire_ts; + struct sysdb_attrs *attrs = NULL; + + /* Nothing must be stored in either cache at the beginning of the test */ + res = sysdb_getpwnam_res(test_ctx, test_ctx->tctx->dom, TEST_USER_NAME); + assert_int_equal(res->count, 0); + talloc_free(res); + + res = sysdb_getgrnam_res(test_ctx, test_ctx->tctx->dom, TEST_GROUP_NAME); + assert_int_equal(res->count, 0); + talloc_free(res); + + attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1); + assert_non_null(attrs); + + ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME, + "/home/"TEST_USER_NAME, "/bin/bash", NULL, + attrs, NULL, TEST_CACHE_TIMEOUT, + 0); + talloc_zfree(attrs); + assert_int_equal(ret, EOK); + + attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1); + assert_non_null(attrs); + + ret = sysdb_store_group(test_ctx->tctx->dom, + TEST_GROUP_NAME, + TEST_GROUP_GID, + attrs, + TEST_CACHE_TIMEOUT, + 0); + talloc_zfree(attrs); + assert_int_equal(ret, EOK); + talloc_zfree(attrs); + + attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1); + assert_non_null(attrs); + + ret = sysdb_store_user(test_ctx->tctx->dom, TEST_USER_NAME, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_NAME, + "/home/"TEST_USER_NAME, "/bin/bash", NULL, + attrs, NULL, TEST_CACHE_TIMEOUT, + 0); + talloc_zfree(attrs); + assert_int_equal(ret, EOK); + + attrs = create_modstamp_attrs(test_ctx, TEST_MODSTAMP_1); + assert_non_null(attrs); + + ret = sysdb_store_group(test_ctx->tctx->dom, + TEST_GROUP_NAME, + TEST_GROUP_GID, + attrs, + TEST_CACHE_TIMEOUT, + 0); + talloc_zfree(attrs); + assert_int_equal(ret, EOK); + + /* Even though we passed zero as the timestamp, the timestamp cache should + * have used the current time instead + */ + get_pw_timestamp_attrs(test_ctx, TEST_USER_NAME, + &cache_expire_sysdb, &cache_expire_ts); + assert_true(cache_expire_sysdb > TEST_CACHE_TIMEOUT); + assert_true(cache_expire_ts > 
TEST_CACHE_TIMEOUT); + + get_gr_timestamp_attrs(test_ctx, TEST_GROUP_NAME, + &cache_expire_sysdb, &cache_expire_ts); + assert_true(cache_expire_sysdb > TEST_CACHE_TIMEOUT); + assert_true(cache_expire_ts > TEST_CACHE_TIMEOUT); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_sysdb_group_update, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_group_delete, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_group_rename, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_getgr_merges, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_group_bysid, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_merge_ldb_results, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_user_update, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_user_delete, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_getpw_merges, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_user_bysid, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_user_byupn, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_zero_now, + test_sysdb_ts_setup, + test_sysdb_ts_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
+ test_dom_suite_setup(TESTS_PATH);
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ if (rv == 0 && no_cleanup == 0) {
+ test_multidom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, domains);
+ }
+ return rv;
+}
diff --git a/src/tests/cmocka/test_sysdb_utils.c b/src/tests/cmocka/test_sysdb_utils.c
new file mode 100644
index 0000000..b52127b
--- /dev/null
+++ b/src/tests/cmocka/test_sysdb_utils.c
@@ -0,0 +1,178 @@
+/*
+ SSSD
+
+ sysdb_utils - Tests for various sysdb calls
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+
+#define IPA_UUID "bcae7c40-97eb-11e4-88ca-525400e96a6b"
+
+#define AD_GUID_BIN {0x8d, 0x0d, 0xa8, 0xfe, 0xd5, 0xdb, 0x84, 0x4f, \
+ 0x85, 0x74, 0x7d, 0xb0, 0x47, 0x7f, 0x96, 0x2e};
+#define AD_GUID "fea80d8d-dbd5-4f84-8574-7db0477f962e"
+static void test_sysdb_handle_original_uuid(void **state)
+{
+ int ret;
+ struct sysdb_attrs *src_attrs;
+ struct sysdb_attrs *dest_attrs;
+ const char *guid;
+ uint8_t bin_guid[] = AD_GUID_BIN;
+ struct ldb_val guid_val = {bin_guid, 16};
+
+ ret = sysdb_handle_original_uuid(NULL, NULL, NULL, NULL, NULL);
+ assert_int_equal(ret, ENOENT);
+
+ src_attrs = sysdb_new_attrs(NULL);
+ assert_non_null(src_attrs);
+
+ dest_attrs = sysdb_new_attrs(NULL);
+ assert_non_null(dest_attrs);
+
+ ret = sysdb_handle_original_uuid("xyz", src_attrs, "abc", dest_attrs,
+ "def");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_attrs_add_val(src_attrs, "GUID", &guid_val);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_string(src_attrs, "UUID", IPA_UUID);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_handle_original_uuid(NULL, src_attrs, "GUID",
+ dest_attrs, "def");
+ assert_int_equal(ret, ENOENT);
+
+ ret = sysdb_handle_original_uuid("objectGUID", NULL, "GUID",
+ dest_attrs, "def");
+ assert_int_equal(ret, EINVAL);
+
+ ret = sysdb_handle_original_uuid("objectGUID", src_attrs, "GUID",
+ dest_attrs, "def");
+ assert_int_equal(ret, EOK);
+ ret = sysdb_attrs_get_string(dest_attrs, "def", &guid);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(guid, AD_GUID);
+
+ ret = sysdb_handle_original_uuid("ipaUniqueID", src_attrs, "UUID",
+ dest_attrs, "ghi");
+ assert_int_equal(ret, EOK);
+ ret = sysdb_attrs_get_string(dest_attrs, "ghi", &guid);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(guid, IPA_UUID);
+
+ talloc_free(src_attrs);
+ src_attrs = sysdb_new_attrs(NULL);
+ assert_non_null(src_attrs);
+
+ /* check objectGUID with length other than 16 */
+ ret = sysdb_attrs_add_string(src_attrs, "GUID", IPA_UUID);
+ assert_int_equal(ret, EOK);
+ ret = sysdb_handle_original_uuid("objectGUID", src_attrs, "GUID",
+ dest_attrs, "jkl");
+ assert_int_equal(ret, EOK);
+ ret = sysdb_attrs_get_string(dest_attrs, "jkl", &guid);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(guid, IPA_UUID);
+
+ talloc_free(src_attrs);
+ talloc_free(dest_attrs);
+}
+
+#define TEST_BASE64_ABC "YWJj"
+#define TEST_BASE64_123 "AQID"
+static void test_sysdb_attrs_add_base64_blob(void **state)
+{
+ struct sysdb_attrs *attrs;
+ struct ldb_message_element *el;
+ char zero[] = { '\1', '\2', '\3' };
+ int ret;
+
+ attrs = sysdb_new_attrs(NULL);
+ assert_non_null(attrs);
+
+ ret = sysdb_attrs_add_base64_blob(attrs, "testAttrABC", TEST_BASE64_ABC);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_add_base64_blob(attrs, "testAttr000", TEST_BASE64_123);
+ assert_int_equal(ret, EOK);
+
+ ret = sysdb_attrs_get_el(attrs, "testAttrABC", &el);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(el->num_values, 1);
+ assert_non_null(el->values);
+ assert_non_null(el->values[0].data);
+ assert_int_equal(el->values[0].length, 3);
+ assert_memory_equal(el->values[0].data, "abc", 3);
+
+ ret = sysdb_attrs_get_el(attrs, "testAttr000", &el);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(el->num_values, 1);
+ assert_non_null(el->values);
+ assert_non_null(el->values[0].data);
+ assert_int_equal(el->values[0].length, 3);
+ assert_memory_equal(el->values[0].data, zero, 3);
+}
+
+int main(int argc, const char *argv[])
+{
+ int rv;
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_sysdb_handle_original_uuid),
+ cmocka_unit_test(test_sysdb_attrs_add_base64_blob),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+ rv = cmocka_run_group_tests(tests, NULL, NULL);
+
+ return rv;
+}
diff --git a/src/tests/cmocka/test_sysdb_views.c b/src/tests/cmocka/test_sysdb_views.c
new file mode 100644
index 0000000..a0f57c8
--- /dev/null
+++ b/src/tests/cmocka/test_sysdb_views.c
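Review bot: In `test_sysdb_handle_original_uuid` of test_sysdb_utils.c the binary GUID length is hard-coded in `struct ldb_val guid_val = {bin_guid, 16};`, so the length and the array can drift apart if `AD_GUID_BIN` is ever edited; `struct ldb_val guid_val = {bin_guid, sizeof(bin_guid)};` keeps them tied. The `AD_GUID_BIN` macro also ends in a `;`, which leaves an empty statement between the two declarations once it is expanded, and dropping the semicolon from the macro avoids that. The only non-16-byte objectGUID the test exercises is a well-formed 36-character UUID string, so a case with a short or non-textual value would pin down what `sysdb_handle_original_uuid` does with malformed directory data (that behaviour is not visible from this file). `test_sysdb_attrs_add_base64_blob` never releases `attrs`, unlike the first test, and a closing `talloc_free(attrs);` would make the two consistent.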
@@ -0,0 +1,1129 @@ +/* + SSSD + + sysdb_views - Tests for view and override related sysdb calls + + Authors: + Sumit Bose + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "providers/ipa/ipa_id.h" +#include "db/sysdb_private.h" /* for sysdb->ldb member */ + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_FILE "tests_conf.ldb" + +#define TEST_ANCHOR_PREFIX ":ANCHOR:" +#define TEST_VIEW_NAME "test view" +#define TEST_VIEW_CONTAINER "cn=" TEST_VIEW_NAME ",cn=views,cn=sysdb" +#define TEST_USER_NAME "test_user" +#define TEST_USER_UID 1234 +#define TEST_USER_GID 5678 +#define TEST_USER_GECOS "Gecos field" +#define TEST_USER_HOMEDIR "/home/home" +#define TEST_USER_SHELL "/bin/shell" +#define TEST_USER_SID "S-1-2-3-4" +#define TEST_GID_OVERRIDE_BASE 100 + +struct sysdb_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; + struct tevent_context *ev; + struct sss_domain_info *domain; +}; + +static int _setup_sysdb_tests(struct sysdb_test_ctx **ctx, bool enumerate) +{ + struct sysdb_test_ctx *test_ctx; + char *conf_db; + int ret; + + const char *val[2]; + val[1] = NULL; + + /* Create tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + assert_true(ret == 0 || errno == EEXIST); + + test_ctx = 
talloc_zero(global_talloc_context, struct sysdb_test_ctx); + assert_non_null(test_ctx); + + /* Create an event context + * It will not be used except in confdb_init and sysdb_init + */ + test_ctx->ev = tevent_context_init(test_ctx); + assert_non_null(test_ctx->ev); + + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); + assert_non_null(conf_db); + DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db); + + /* Connect to the conf db */ + ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); + assert_int_equal(ret, EOK); + + val[0] = "LOCAL"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/sssd", "domains", val); + assert_int_equal(ret, EOK); + + val[0] = "local"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "id_provider", val); + assert_int_equal(ret, EOK); + + val[0] = enumerate ? "TRUE" : "FALSE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "enumerate", val); + assert_int_equal(ret, EOK); + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + assert_int_equal(ret, EOK); + + ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local", + TESTS_PATH, &test_ctx->domain); + assert_int_equal(ret, EOK); + + test_ctx->domain->has_views = true; + test_ctx->sysdb = test_ctx->domain->sysdb; + + *ctx = test_ctx; + return EOK; +} + +#define setup_sysdb_tests(ctx) _setup_sysdb_tests((ctx), false) +#define setup_sysdb_enum_tests(ctx) _setup_sysdb_tests((ctx), true) + +static int test_sysdb_setup(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + ret = setup_sysdb_tests(&test_ctx); + assert_int_equal(ret, EOK); + + *state = (void *) test_ctx; + return 0; +} + +static int test_sysdb_teardown(void **state) +{ + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + 
return 0; +} + +static void test_sysdb_store_override(void **state) +{ + int ret; + struct ldb_message *msg; + struct ldb_message **msgs; + struct sysdb_attrs *attrs; + size_t count; + char *name; + const char override_dn_str[] = SYSDB_OVERRIDE_ANCHOR_UUID "=" \ + TEST_ANCHOR_PREFIX TEST_USER_SID "," TEST_VIEW_CONTAINER; + + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + test_ctx->domain->mpg = false; + name = sss_create_internal_fqname(test_ctx, TEST_USER_NAME, + test_ctx->domain->name); + assert_non_null(name); + + ret = sysdb_store_user(test_ctx->domain, name, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_GECOS, + TEST_USER_HOMEDIR, TEST_USER_SHELL, NULL, NULL, NULL, + 0,0); + assert_int_equal(ret, EOK); + + ret = sysdb_search_user_by_name(test_ctx, test_ctx->domain, name, + NULL, &msg); + assert_int_equal(ret, EOK); + assert_non_null(msg); + + /* No override exists */ + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_USER, NULL, msg->dn); + assert_int_equal(ret, EOK); + + ret = sysdb_search_entry(test_ctx, test_ctx->domain->sysdb,msg->dn, + LDB_SCOPE_BASE, NULL, NULL, &count, &msgs); + assert_int_equal(ret, EOK); + assert_int_equal(count, 1); + assert_string_equal(ldb_dn_get_linearized(msg->dn), + ldb_msg_find_attr_as_string(msgs[0], + SYSDB_OVERRIDE_DN, NULL)); + + ret = sysdb_invalidate_overrides(test_ctx->domain->sysdb); + assert_int_equal(ret, EOK); + + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + /* Missing anchor attribute */ + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_USER, attrs, msg->dn); + assert_int_equal(ret, EINVAL); + + /* With anchor */ + ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, + TEST_ANCHOR_PREFIX TEST_USER_SID); + assert_int_equal(ret, EOK); + + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_USER, attrs, msg->dn); + assert_int_equal(ret, EOK); + + ret = 
sysdb_search_entry(test_ctx, test_ctx->domain->sysdb,msg->dn, + LDB_SCOPE_BASE, NULL, NULL, &count, &msgs); + assert_int_equal(ret, EOK); + assert_int_equal(count, 1); + assert_string_equal(override_dn_str, ldb_msg_find_attr_as_string(msgs[0], + SYSDB_OVERRIDE_DN, NULL)); + +} + +void test_sysdb_add_overrides_to_object(void **state) +{ + int ret; + struct ldb_message *orig; + struct ldb_message *override; + struct ldb_message_element *el; + char *tmp_str; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + orig = ldb_msg_new(test_ctx); + assert_non_null(orig); + + tmp_str = talloc_strdup(orig, "ORIGNAME"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(orig, SYSDB_NAME, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(orig, "ORIGGECOS"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(orig, SYSDB_GECOS, tmp_str); + assert_int_equal(ret, EOK); + + override = ldb_msg_new(test_ctx); + assert_non_null(override); + + tmp_str = talloc_strdup(override, "OVERRIDENAME"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(override, SYSDB_NAME, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(override, "OVERRIDEGECOS"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(override, SYSDB_GECOS, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(override, "OVERRIDEKEY1"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(override, SYSDB_SSH_PUBKEY, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(override, "OVERRIDEKEY2"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(override, SYSDB_SSH_PUBKEY, tmp_str); + assert_int_equal(ret, EOK); + + + ret = sysdb_add_overrides_to_object(test_ctx->domain, orig, override, NULL); + assert_int_equal(ret, EOK); + + assert_string_equal(ldb_msg_find_attr_as_string(orig, SYSDB_NAME, NULL), + "ORIGNAME"); + assert_string_equal(ldb_msg_find_attr_as_string(orig, SYSDB_GECOS, NULL), + "ORIGGECOS"); 
+ assert_string_equal(ldb_msg_find_attr_as_string(orig, + OVERRIDE_PREFIX SYSDB_NAME, + NULL), + "OVERRIDENAME"); + assert_string_equal(ldb_msg_find_attr_as_string(orig, + OVERRIDE_PREFIX SYSDB_GECOS, + NULL), + "OVERRIDEGECOS"); + + el = ldb_msg_find_element(orig, OVERRIDE_PREFIX SYSDB_SSH_PUBKEY); + assert_non_null(el); + assert_int_equal(el->num_values, 2); + assert_int_equal(ldb_val_string_cmp(&el->values[0], "OVERRIDEKEY1"), 0); + assert_int_equal(ldb_val_string_cmp(&el->values[1], "OVERRIDEKEY2"), 0); +} + +void test_sysdb_add_overrides_to_object_local(void **state) +{ + int ret; + struct ldb_message *orig; + char *tmp_str; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + orig = ldb_msg_new(test_ctx); + assert_non_null(orig); + + tmp_str = talloc_strdup(orig, "ORIGNAME"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(orig, SYSDB_NAME, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(orig, "ORIGGECOS"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(orig, SYSDB_GECOS, tmp_str); + assert_int_equal(ret, EOK); + + test_ctx->domain->has_views = true; + test_ctx->domain->view_name = "LOCAL"; + + ret = sysdb_add_overrides_to_object(test_ctx->domain, orig, NULL, NULL); + assert_int_equal(ret, EOK); +} + +void test_sysdb_add_overrides_to_object_missing_overridedn(void **state) +{ + int ret; + struct ldb_message *orig; + char *tmp_str; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + orig = ldb_msg_new(test_ctx); + assert_non_null(orig); + + orig->dn = ldb_dn_new(orig, test_ctx->domain->sysdb->ldb, + "cn=somedn,dc=example,dc=com"); + assert_non_null(orig->dn); + + tmp_str = talloc_strdup(orig, "ORIGNAME"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(orig, SYSDB_NAME, tmp_str); + assert_int_equal(ret, EOK); + + tmp_str = talloc_strdup(orig, "ORIGGECOS"); + assert_non_null(tmp_str); + ret = ldb_msg_add_string(orig, SYSDB_GECOS, 
tmp_str); + assert_int_equal(ret, EOK); + + test_ctx->domain->has_views = true; + test_ctx->domain->view_name = "NON-LOCAL"; + + ret = sysdb_add_overrides_to_object(test_ctx->domain, orig, NULL, NULL); + assert_int_equal(ret, ENOENT); +} + +void test_split_ipa_anchor(void **state) +{ + int ret; + char *dom; + char *uuid; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + ret = split_ipa_anchor(test_ctx, NULL, &dom, &uuid); + assert_int_equal(ret, EINVAL); + + ret = split_ipa_anchor(test_ctx, "fwfkwjfkw", &dom, &uuid); + assert_int_equal(ret, ENOMSG); + + ret = split_ipa_anchor(test_ctx, ":IPA:", &dom, &uuid); + assert_int_equal(ret, EINVAL); + + ret = split_ipa_anchor(test_ctx, ":IPA:abc", &dom, &uuid); + assert_int_equal(ret, EINVAL); + + ret = split_ipa_anchor(test_ctx, ":IPA:abc:", &dom, &uuid); + assert_int_equal(ret, EINVAL); + + ret = split_ipa_anchor(test_ctx, ":IPA:abc:def", &dom, &uuid); + assert_int_equal(ret, EOK); + assert_string_equal(dom, "abc"); + assert_string_equal(uuid, "def"); +} + +void test_sysdb_delete_view_tree(void **state) +{ + int ret; + struct ldb_message *msg; + struct ldb_message **msgs = NULL; + struct sysdb_attrs *attrs; + size_t count; + struct ldb_dn *views_dn; + char *name; + + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + test_ctx->domain->mpg = false; + + ret = sysdb_update_view_name(test_ctx->domain->sysdb, TEST_VIEW_NAME); + assert_int_equal(ret, EOK); + + name = sss_create_internal_fqname(test_ctx, TEST_USER_NAME, + test_ctx->domain->name); + assert_non_null(name); + + ret = sysdb_store_user(test_ctx->domain, name, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_GECOS, + TEST_USER_HOMEDIR, TEST_USER_SHELL, NULL, NULL, NULL, + 0,0); + assert_int_equal(ret, EOK); + + ret = sysdb_search_user_by_name(test_ctx, test_ctx->domain, name, + NULL, &msg); + assert_int_equal(ret, EOK); + assert_non_null(msg); + + attrs = sysdb_new_attrs(test_ctx); 
+ assert_non_null(attrs); + + ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, + TEST_ANCHOR_PREFIX TEST_USER_SID); + assert_int_equal(ret, EOK); + + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_USER, attrs, msg->dn); + assert_int_equal(ret, EOK); + + views_dn = ldb_dn_new(test_ctx, test_ctx->domain->sysdb->ldb, + SYSDB_TMPL_VIEW_BASE); + assert_non_null(views_dn); + + ret = sysdb_search_entry(test_ctx, test_ctx->domain->sysdb, views_dn, + LDB_SCOPE_SUBTREE, NULL, NULL, &count, &msgs); + assert_int_equal(ret, EOK); + assert_true(count > 1); + assert_non_null(msgs); + + ret = sysdb_delete_view_tree(test_ctx->domain->sysdb, TEST_VIEW_NAME); + assert_int_equal(ret, EOK); + + ret = sysdb_search_entry(test_ctx, test_ctx->domain->sysdb, views_dn, + LDB_SCOPE_SUBTREE, NULL, NULL, &count, &msgs); + assert_int_equal(ret, EOK); + assert_int_equal(count, 1); + assert_true(ldb_dn_compare(views_dn, msgs[0]->dn) == 0); + +} + +void test_sysdb_invalidate_overrides(void **state) +{ + int ret; + struct ldb_message *msg; + struct sysdb_attrs *attrs; + struct ldb_dn *views_dn; + char *name; + const char *user_attrs[] = { SYSDB_NAME, + SYSDB_CACHE_EXPIRE, + SYSDB_OVERRIDE_DN, + NULL}; + + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + test_ctx->domain->mpg = false; + name = sss_create_internal_fqname(test_ctx, TEST_USER_NAME, + test_ctx->domain->name); + assert_non_null(name); + + + ret = sysdb_update_view_name(test_ctx->domain->sysdb, TEST_VIEW_NAME); + assert_int_equal(ret, EOK); + + ret = sysdb_store_user(test_ctx->domain, name, NULL, + TEST_USER_UID, TEST_USER_GID, TEST_USER_GECOS, + TEST_USER_HOMEDIR, TEST_USER_SHELL, NULL, NULL, NULL, + 10,0); + assert_int_equal(ret, EOK); + + ret = sysdb_search_user_by_name(test_ctx, test_ctx->domain, name, + NULL, &msg); + assert_int_equal(ret, EOK); + assert_non_null(msg); + + attrs = sysdb_new_attrs(test_ctx); + assert_non_null(attrs); + + ret = 
sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, + TEST_ANCHOR_PREFIX TEST_USER_SID); + assert_int_equal(ret, EOK); + + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_USER, attrs, msg->dn); + assert_int_equal(ret, EOK); + + views_dn = ldb_dn_new(test_ctx, test_ctx->domain->sysdb->ldb, + SYSDB_TMPL_VIEW_BASE); + assert_non_null(views_dn); + + ret = sysdb_delete_view_tree(test_ctx->domain->sysdb, TEST_VIEW_NAME); + assert_int_equal(ret, EOK); + + ret = sysdb_search_user_by_name(test_ctx, test_ctx->domain, name, + user_attrs, &msg); + assert_int_equal(ret, EOK); + assert_non_null(msg); + assert_true(ldb_msg_find_attr_as_uint64(msg, SYSDB_CACHE_EXPIRE, 0) > 1); + assert_non_null(ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN, NULL)); + + ret = sysdb_invalidate_overrides(test_ctx->domain->sysdb); + assert_int_equal(ret, EOK); + + ret = sysdb_search_user_by_name(test_ctx, test_ctx->domain, name, + user_attrs, &msg); + assert_int_equal(ret, EOK); + assert_non_null(msg); + assert_int_equal(ldb_msg_find_attr_as_uint64(msg, SYSDB_CACHE_EXPIRE, 0), + 1); + assert_null(ldb_msg_find_attr_as_string(msg, SYSDB_OVERRIDE_DN, NULL)); + + ret = sysdb_delete_user(test_ctx->domain, name, 0); + assert_int_equal(ret, EOK); +} + +static const char *users[] = { "alice", "bob", "barney", NULL }; + +static void enum_test_user_override(struct sysdb_test_ctx *test_ctx, + const char *name) +{ + int ret; + struct sysdb_attrs *attrs; + struct ldb_dn *dn; + TALLOC_CTX *tmp_ctx; + const char *anchor; + const char *override_gecos; + + tmp_ctx = talloc_new(test_ctx); + assert_non_null(tmp_ctx); + + attrs = sysdb_new_attrs(tmp_ctx); + assert_non_null(attrs); + + dn = sysdb_user_dn(tmp_ctx, test_ctx->domain, name); + assert_non_null(dn); + + anchor = talloc_asprintf(tmp_ctx, "%s%s", TEST_ANCHOR_PREFIX, name); + ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor); + assert_int_equal(ret, EOK); + + override_gecos = talloc_asprintf(attrs, 
"%s_GECOS_OVERRIDE", name); + ret = sysdb_attrs_add_string(attrs, SYSDB_GECOS, override_gecos); + assert_int_equal(ret, EOK); + + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_USER, attrs, dn); + assert_int_equal(ret, EOK); + + talloc_free(tmp_ctx); +} + +static void enum_test_add_users(struct sysdb_test_ctx *test_ctx, + const char *usernames[]) +{ + int i; + int ret; + struct sysdb_attrs *attrs; + char *fqname = NULL; + + for (i = 0; usernames[i] != NULL; i++) { + attrs = talloc(test_ctx, struct sysdb_attrs); + assert_non_null(attrs); + fqname = sss_create_internal_fqname(test_ctx, usernames[i], + test_ctx->domain->name); + assert_non_null(fqname); + ret = sysdb_store_user(test_ctx->domain, fqname, + NULL, 0, 0, fqname, "/", "/bin/sh", + NULL, NULL, NULL, 1, 1234 + i); + assert_int_equal(ret, EOK); + + enum_test_user_override(test_ctx, fqname); + + talloc_free(attrs); + talloc_free(fqname); + } +} + +static void enum_test_del_users(struct sysdb_test_ctx *test_ctx, + const char *usernames[]) +{ + int i; + int ret; + char *fqname = NULL; + + for (i = 0; usernames[i] != NULL; i++) { + fqname = sss_create_internal_fqname(test_ctx, usernames[i], + test_ctx->domain->name); + assert_non_null(fqname); + + ret = sysdb_delete_user(test_ctx->domain, fqname, 0); + talloc_free(fqname); + if (ret != EOK && ret != ENOENT) { + fail(); + } + } +} + +static int test_enum_users_setup(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + ret = setup_sysdb_enum_tests(&test_ctx); + assert_int_equal(ret, EOK); + + enum_test_add_users(test_ctx, users); + + *state = (void *) test_ctx; + return 0; +} + +static int cmp_func(const void *a, const void *b) +{ + const char *str1; + const char *str2; + struct ldb_message *msg1 = *(struct ldb_message **)discard_const(a); + struct ldb_message *msg2 = *(struct ldb_message **)discard_const(b); + + str1 = ldb_msg_find_attr_as_string(msg1, SYSDB_NAME, NULL); + str2 = 
ldb_msg_find_attr_as_string(msg2, SYSDB_NAME, NULL); + + return strcmp(str1, str2); +} + +/* Make the order of ldb results deterministic */ +static void order_ldb_res_msgs(struct ldb_result *res) +{ + if (res == NULL || res->count < 2) { + /* Nothing to do */ + return; + } + + qsort(res->msgs, res->count, sizeof(struct ldb_message *), cmp_func); + return; +} + +static void assert_user_attrs(struct ldb_message *msg, + struct sss_domain_info *dom, + const char *shortname, + bool has_views) +{ + const char *str; + char *fqname; + + fqname = sss_create_internal_fqname(msg, shortname, dom->name); + assert_non_null(fqname); + + str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + assert_string_equal(str, fqname); + str = ldb_msg_find_attr_as_string(msg, SYSDB_GECOS, NULL); + assert_string_equal(str, fqname); + + str = ldb_msg_find_attr_as_string(msg, OVERRIDE_PREFIX SYSDB_GECOS, NULL); + if (has_views) { + char *override; + + assert_non_null(str); + override = talloc_asprintf(msg, "%s_GECOS_OVERRIDE", fqname); + assert_non_null(override); + + assert_string_equal(str, override); + talloc_free(override); + } else { + assert_null(str); + } + + talloc_free(fqname); +} + +static int test_enum_users_teardown(void **state) +{ + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + enum_test_del_users(test_ctx, users); + return test_sysdb_teardown(state); +} + +static void check_enumpwent(int ret, struct sss_domain_info *dom, + struct ldb_result *res, bool views) +{ + assert_int_equal(ret, EOK); + assert_int_equal(res->count, N_ELEMENTS(users)-1); + + order_ldb_res_msgs(res); + assert_user_attrs(res->msgs[0], dom, "alice", views); + assert_user_attrs(res->msgs[1], dom, "barney", views); + assert_user_attrs(res->msgs[2], dom, "bob", views); +} + +static void test_sysdb_enumpwent(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + + ret = 
sysdb_enumpwent(test_ctx, test_ctx->domain, &res); + check_enumpwent(ret, test_ctx->domain, res, false); +} + +static void test_sysdb_enumpwent_views(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + + ret = sysdb_enumpwent_with_views(test_ctx, test_ctx->domain, &res); + check_enumpwent(ret, test_ctx->domain, res, true); +} + +static void test_sysdb_enumpwent_filter(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + char *addtl_filter; + + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "a*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_user_attrs(res->msgs[0], test_ctx->domain, "alice", false); + + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "b*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 2); + order_ldb_res_msgs(res); + assert_user_attrs(res->msgs[0], test_ctx->domain, "barney", false); + assert_user_attrs(res->msgs[1], test_ctx->domain, "bob", false); + + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "c*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, N_ELEMENTS(users)-1); + + /* Test searching based on time as well */ + addtl_filter = talloc_asprintf(test_ctx, "(%s<=%d)", + SYSDB_LAST_UPDATE, 1233); + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "a*", addtl_filter, &res); + talloc_free(addtl_filter); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + addtl_filter = talloc_asprintf(test_ctx, "(%s<=%d)", + SYSDB_LAST_UPDATE, 1234); + ret = sysdb_enumpwent_filter(test_ctx, test_ctx->domain, "a*", addtl_filter, &res); + talloc_free(addtl_filter); + assert_int_equal(ret, EOK); + 
assert_int_equal(res->count, 1); + assert_user_attrs(res->msgs[0], test_ctx->domain, "alice", false); +} + +static void test_sysdb_enumpwent_filter_views(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + char *addtl_filter; + + ret = sysdb_enumpwent_filter_with_views(test_ctx, test_ctx->domain, + "a*", NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_user_attrs(res->msgs[0], test_ctx->domain, "alice", true); + + ret = sysdb_enumpwent_filter_with_views(test_ctx, test_ctx->domain, + "b*", NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 2); + order_ldb_res_msgs(res); + assert_user_attrs(res->msgs[0], test_ctx->domain, "barney", true); + assert_user_attrs(res->msgs[1], test_ctx->domain, "bob", true); + + addtl_filter = talloc_asprintf(test_ctx, "(%s<=%d)", + SYSDB_LAST_UPDATE, 1235); + ret = sysdb_enumpwent_filter_with_views(test_ctx, test_ctx->domain, + "b*", addtl_filter, &res); + talloc_free(addtl_filter); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_user_attrs(res->msgs[0], test_ctx->domain, "bob", true); + + ret = sysdb_enumpwent_filter_with_views(test_ctx, + test_ctx->domain, "c*", NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + ret = sysdb_enumpwent_filter_with_views(test_ctx, + test_ctx->domain, "*", NULL, &res); + check_enumpwent(ret, test_ctx->domain, res, true); +} + +static const char *groups[] = { "one", "two", "three", NULL }; + +static void enum_test_group_override(struct sysdb_test_ctx *test_ctx, + const char *name, + unsigned override_gid) +{ + int ret; + struct sysdb_attrs *attrs; + struct ldb_dn *dn; + TALLOC_CTX *tmp_ctx; + const char *anchor; + + tmp_ctx = talloc_new(test_ctx); + assert_non_null(tmp_ctx); + + attrs = sysdb_new_attrs(tmp_ctx); + assert_non_null(attrs); + + dn = sysdb_group_dn(tmp_ctx, test_ctx->domain, name); + 
assert_non_null(dn); + + anchor = talloc_asprintf(tmp_ctx, "%s%s", TEST_ANCHOR_PREFIX, name); + ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor); + assert_int_equal(ret, EOK); + + ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, override_gid); + assert_int_equal(ret, EOK); + + ret = sysdb_store_override(test_ctx->domain, TEST_VIEW_NAME, + SYSDB_MEMBER_GROUP, attrs, dn); + assert_int_equal(ret, EOK); + + talloc_free(tmp_ctx); +} + +static void enum_test_add_groups(struct sysdb_test_ctx *test_ctx, + const char *groupnames[]) +{ + int i; + int ret; + struct sysdb_attrs *attrs; + char *gr_name; + + for (i = 0; groupnames[i] != NULL; i++) { + attrs = talloc(test_ctx, struct sysdb_attrs); + assert_non_null(attrs); + + gr_name = sss_create_internal_fqname(test_ctx, groupnames[i], + test_ctx->domain->name); + ret = sysdb_store_group(test_ctx->domain, gr_name, + 0, NULL, 1, 1234 + i); + assert_int_equal(ret, EOK); + + enum_test_group_override(test_ctx, gr_name, + TEST_GID_OVERRIDE_BASE + i); + talloc_free(attrs); + } +} + +static void enum_test_del_groups(struct sss_domain_info *dom, + const char *groupnames[]) +{ + int i; + int ret; + + for (i = 0; groupnames[i] != NULL; i++) { + ret = sysdb_delete_group(dom, groupnames[i], 0); + if (ret != EOK && ret != ENOENT) { + fail(); + } + } +} + +static int test_enum_groups_setup(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + ret = setup_sysdb_enum_tests(&test_ctx); + assert_int_equal(ret, EOK); + + enum_test_add_groups(test_ctx, groups); + + *state = (void *) test_ctx; + return 0; +} + +static int test_enum_groups_teardown(void **state) +{ + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + + enum_test_del_groups(test_ctx->domain, groups); + return test_sysdb_teardown(state); +} + +static void assert_group_attrs(struct ldb_message *msg, + struct sss_domain_info *dom, + const char *shortname, + unsigned 
expected_override_gid) +{ + const char *str; + unsigned gid; + char *fqname; + + fqname = sss_create_internal_fqname(msg, shortname, dom->name); + assert_non_null(fqname); + + str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + assert_string_equal(str, fqname); + + if (expected_override_gid) { + gid = ldb_msg_find_attr_as_uint64(msg, + OVERRIDE_PREFIX SYSDB_GIDNUM, 0); + assert_int_equal(gid, expected_override_gid); + } +} + +static void check_enumgrent(int ret, struct sss_domain_info *dom, + struct ldb_result *res, bool views) +{ + assert_int_equal(ret, EOK); + assert_int_equal(res->count, N_ELEMENTS(groups)-1); + order_ldb_res_msgs(res); + assert_group_attrs(res->msgs[0], dom, "one", + views ? TEST_GID_OVERRIDE_BASE : 0); + assert_group_attrs(res->msgs[1], dom, "three", + views ? TEST_GID_OVERRIDE_BASE + 2 : 0); + assert_group_attrs(res->msgs[2], dom, "two", + views ? TEST_GID_OVERRIDE_BASE + 1 : 0); +} + +static void test_sysdb_enumgrent(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + + ret = sysdb_enumgrent(test_ctx, test_ctx->domain, &res); + check_enumgrent(ret, test_ctx->domain, res, false); +} + +static void test_sysdb_enumgrent_views(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + + ret = sysdb_enumgrent_with_views(test_ctx, test_ctx->domain, &res); + check_enumgrent(ret, test_ctx->domain, res, true); +} + +static void test_sysdb_enumgrent_filter(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + char *addtl_filter; + + ret = sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "o*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_group_attrs(res->msgs[0], test_ctx->domain, "one", 0); + + ret = 
sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "t*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 2); + order_ldb_res_msgs(res); + assert_group_attrs(res->msgs[0], test_ctx->domain, "three", 0); + assert_group_attrs(res->msgs[1], test_ctx->domain, "two", 0); + + ret = sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "x*", 0, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + ret = sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "*", 0, &res); + check_enumgrent(ret, test_ctx->domain, res, false); + + addtl_filter = talloc_asprintf(test_ctx, "(%s<=%d)", + SYSDB_LAST_UPDATE, 1233); + ret = sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "o*", addtl_filter, &res); + talloc_free(addtl_filter); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + addtl_filter = talloc_asprintf(test_ctx, "(%s<=%d)", + SYSDB_LAST_UPDATE, 1234); + ret = sysdb_enumgrent_filter(test_ctx, test_ctx->domain, "o*", addtl_filter, &res); + talloc_free(addtl_filter); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_group_attrs(res->msgs[0], test_ctx->domain, "one", 0); + +} + +static void test_sysdb_enumgrent_filter_views(void **state) +{ + int ret; + struct sysdb_test_ctx *test_ctx = talloc_get_type_abort(*state, + struct sysdb_test_ctx); + struct ldb_result *res; + char *addtl_filter; + + ret = sysdb_enumgrent_filter_with_views(test_ctx, test_ctx->domain, + "o*", NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_group_attrs(res->msgs[0], test_ctx->domain, + "one", TEST_GID_OVERRIDE_BASE); + + ret = sysdb_enumgrent_filter_with_views(test_ctx, test_ctx->domain, + "t*", NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 2); + order_ldb_res_msgs(res); + assert_group_attrs(res->msgs[0], test_ctx->domain, + "three", TEST_GID_OVERRIDE_BASE + 2); + assert_group_attrs(res->msgs[1], test_ctx->domain, "two", + TEST_GID_OVERRIDE_BASE + 1); + + 
addtl_filter = talloc_asprintf(test_ctx, "(%s<=%d)", + SYSDB_LAST_UPDATE, 1235); + ret = sysdb_enumgrent_filter_with_views(test_ctx, test_ctx->domain, + "t*", addtl_filter, &res); + talloc_free(addtl_filter); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 1); + assert_group_attrs(res->msgs[0], test_ctx->domain, "two", + TEST_GID_OVERRIDE_BASE + 1); + + ret = sysdb_enumgrent_filter_with_views(test_ctx, test_ctx->domain, + "x*", NULL, &res); + assert_int_equal(ret, EOK); + assert_int_equal(res->count, 0); + + ret = sysdb_enumgrent_filter_with_views(test_ctx, test_ctx->domain, + "*", NULL, &res); + check_enumgrent(ret, test_ctx->domain, res, true); +} + +int main(int argc, const char *argv[]) +{ + int rv; + int no_cleanup = 0; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_sysdb_store_override, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_add_overrides_to_object, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_add_overrides_to_object_local, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_add_overrides_to_object_missing_overridedn, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_split_ipa_anchor, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_delete_view_tree, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_invalidate_overrides, + test_sysdb_setup, test_sysdb_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumpwent, + test_enum_users_setup, + test_enum_users_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumpwent_views, + 
test_enum_users_setup, + test_enum_users_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumpwent_filter, + test_enum_users_setup, + test_enum_users_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumpwent_filter_views, + test_enum_users_setup, + test_enum_users_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumgrent, + test_enum_groups_setup, + test_enum_groups_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumgrent_views, + test_enum_groups_setup, + test_enum_groups_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumgrent_filter, + test_enum_groups_setup, + test_enum_groups_teardown), + cmocka_unit_test_setup_teardown(test_sysdb_enumgrent_filter_views, + test_enum_groups_setup, + test_enum_groups_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE); + test_dom_suite_setup(TESTS_PATH); + rv = cmocka_run_group_tests(tests, NULL, NULL); + + if (rv == 0 && no_cleanup == 0) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE); + } + return rv; +} diff --git a/src/tests/cmocka/test_tools_colondb.c b/src/tests/cmocka/test_tools_colondb.c new file mode 100644 index 0000000..279b0a5 --- /dev/null +++ b/src/tests/cmocka/test_tools_colondb.c 
@@ -0,0 +1,417 @@ +/* + Authors: + Petr Čech + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "tests/cmocka/common_mock.h" +#include "src/tools/common/sss_colondb.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TESTS_FILE "test_colondb.ldb" + +const char *TEST_STRING1 = "white"; +const int TEST_INT1 = 12; + +const char *TEST_STRING2 = "black"; +const int TEST_INT2 = 34; + +static void create_dir(const char *path) +{ + errno_t ret; + + errno = 0; + ret = mkdir(path, 0775); + assert_return_code(ret, errno); +} + +static void create_empty_file(TALLOC_CTX *test_ctx, const char *path, + const char *name) +{ + TALLOC_CTX *tmp_ctx = NULL; + char *file_name = NULL; + FILE *fp = NULL; + + tmp_ctx = talloc_new(test_ctx); + assert_non_null(tmp_ctx); + + create_dir(path); + + file_name = talloc_asprintf(tmp_ctx, "%s/%s", path, name); + assert_non_null(file_name); + + fp = fopen(file_name, "w"); + assert_non_null(fp); + fclose(fp); + + talloc_free(tmp_ctx); +} + +static void create_nonempty_file(TALLOC_CTX *test_ctx, + const char *path, const char *name) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sss_colondb *db = NULL; + errno_t ret; + struct sss_colondb_write_field table[] = { + { SSS_COLONDB_STRING, { .str = TEST_STRING2 } }, + { SSS_COLONDB_UINT32, { .uint32 = TEST_INT2 } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + + tmp_ctx = 
talloc_new(test_ctx); + assert_non_null(tmp_ctx); + + create_empty_file(test_ctx, TESTS_PATH, TESTS_FILE); + + db = sss_colondb_open(tmp_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_writeline(db, table); + assert_int_equal(ret, EOK); + + talloc_free(db); + talloc_free(tmp_ctx); +} + +static int setup(void **state, int file_state) +{ + TALLOC_CTX *test_ctx = NULL; + + assert_true(leak_check_setup()); + + test_ctx = talloc_new(global_talloc_context); + assert_non_null(test_ctx); + + switch (file_state) { + case 0: + break; + case 1: + create_empty_file(test_ctx, TESTS_PATH, TESTS_FILE); + break; + case 2: + create_nonempty_file(test_ctx, TESTS_PATH, TESTS_FILE); + break; + default: + break; + } + + check_leaks_push(test_ctx); + *state = test_ctx; + + return 0; +} + +static int without_file_setup(void **state) +{ + return setup(state, 0); +} + +static int with_empty_file_setup(void **state) +{ + return setup(state, 1); +} + +static int with_nonempty_file_setup(void **state) +{ + return setup(state, 2); +} + +static int teardown(void **state) +{ + errno_t ret; + + errno = 0; + ret = unlink(TESTS_PATH "/" TESTS_FILE); + if (ret != 0) { + assert_int_equal(errno, ENOENT); + } + + assert_true(check_leaks_pop(*state)); + talloc_zfree(*state); + + test_dom_suite_cleanup(TESTS_PATH, NULL, NULL); + assert_true(leak_check_teardown()); + + return 0; +} + +void test_open_nonexist_for_read(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_READ, + TESTS_PATH "/" TESTS_FILE); + assert_null(db); + talloc_free(db); +} + +void test_open_nonexist_for_write(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_null(db); + talloc_free(db); +} + +void test_open_exist_for_read(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct 
sss_colondb *db = NULL; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_READ, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + talloc_free(db); +} + +void test_open_exist_for_write(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + talloc_free(db); +} + +void test_open_nonempty_for_read(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_READ, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + talloc_free(db); +} + +void test_open_nonempty_for_write(void **state) +{ + + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + talloc_free(db); +} + +void test_write_to_empty(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + struct sss_colondb_write_field table[] = { + { SSS_COLONDB_STRING, { .str = TEST_STRING1 } }, + { SSS_COLONDB_UINT32, { .uint32 = TEST_INT1 } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + errno_t ret; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_writeline(db, table); + assert_int_equal(ret, 0); + + talloc_free(db); +} + +void test_write_to_nonempty(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + struct sss_colondb_write_field table[] = { + { SSS_COLONDB_STRING, { .str = TEST_STRING1 } }, + { SSS_COLONDB_UINT32, { .uint32 = TEST_INT1 } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + errno_t ret; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_writeline(db, table); + assert_int_equal(ret, 0); + + talloc_free(db); +} + +void test_read_from_nonempty(void **state) +{ + TALLOC_CTX 
*test_ctx = *state; + struct sss_colondb *db = NULL; + errno_t ret; + const char *string = NULL; + uint32_t number; + struct sss_colondb_read_field table[] = { + { SSS_COLONDB_STRING, { .str = &string } }, + { SSS_COLONDB_UINT32, { .uint32 = &number } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_READ, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_readline(test_ctx, db, table); + assert_int_equal(ret, 0); + assert_string_equal(string, TEST_STRING2); + assert_int_equal(number, TEST_INT2); + + talloc_zfree(string); + talloc_free(db); +} + +void test_read_from_empty(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + errno_t ret; + const char *string; + uint32_t number; + struct sss_colondb_read_field table[] = { + { SSS_COLONDB_STRING, { .str = &string } }, + { SSS_COLONDB_UINT32, { .uint32 = &number } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_READ, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_readline(test_ctx, db, table); + assert_int_equal(ret, EOF); + + talloc_free(db); +} + +void test_write_read(void **state) +{ + TALLOC_CTX *test_ctx = *state; + struct sss_colondb *db = NULL; + errno_t ret; + const char *string = NULL; + uint32_t number; + struct sss_colondb_write_field table_in[] = { + { SSS_COLONDB_STRING, { .str = TEST_STRING2 } }, + { SSS_COLONDB_UINT32, { .uint32 = TEST_INT2 } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + struct sss_colondb_read_field table_out[] = { + { SSS_COLONDB_STRING, { .str = &string } }, + { SSS_COLONDB_UINT32, { .uint32 = &number } }, + { SSS_COLONDB_SENTINEL, { 0 } } + }; + + db = sss_colondb_open(test_ctx, SSS_COLONDB_WRITE, + TESTS_PATH "/" TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_writeline(db, table_in); + assert_int_equal(ret, 0); + + talloc_free(db); + + db = sss_colondb_open(test_ctx, SSS_COLONDB_READ, + TESTS_PATH "/" 
TESTS_FILE); + assert_non_null(db); + + ret = sss_colondb_readline(test_ctx, db, table_out); + assert_int_equal(ret, 0); + assert_string_equal(string, TEST_STRING2); + assert_int_equal(number, TEST_INT2); + + talloc_zfree(string); + talloc_free(db); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_open_nonexist_for_read, + without_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_open_nonexist_for_write, + without_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_open_exist_for_read, + with_empty_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_open_exist_for_write, + with_empty_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_open_nonempty_for_read, + with_nonempty_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_open_nonempty_for_write, + with_nonempty_file_setup, teardown), + + cmocka_unit_test_setup_teardown(test_write_to_empty, + with_empty_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_write_to_nonempty, + with_nonempty_file_setup, teardown), + + cmocka_unit_test_setup_teardown(test_read_from_empty, + with_empty_file_setup, teardown), + cmocka_unit_test_setup_teardown(test_read_from_nonempty, + with_nonempty_file_setup, teardown), + + cmocka_unit_test_setup_teardown(test_write_read, + with_empty_file_setup, teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", poptBadOption(pc, 0), + poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, NULL, NULL); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cmocka/test_utils.c b/src/tests/cmocka/test_utils.c new file mode 100644 index 0000000..1a8699a --- /dev/null +++ b/src/tests/cmocka/test_utils.c 
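Review bot: In src/tests/cmocka/test_tools_colondb.c, create_dir() makes the fixture directory with `mkdir(path, 0775)`, so it is group-writable unless the umask narrows it, and create_empty_file() then opens a fixed name inside it with `fopen(file_name, "w")`. Nothing in this file needs group access, so `ret = mkdir(path, 0700);` is the safer default when the suite runs in a shared build or scratch directory (where tests_set_cwd() points is not visible in this hunk). create_nonempty_file() also takes `path` and `name` but ignores them and hard-codes `TESTS_PATH`/`TESTS_FILE`; either pass them through to create_empty_file() and sss_colondb_open() or drop the parameters. test_write_to_nonempty() checks only the return value of sss_colondb_writeline() and never reads the file back, so it would not notice whether the existing record was kept or overwritten.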
@@ -0,0 +1,1978 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2013 Red Hat
+
+ SSSD tests: Tests for utility functions
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#define _GNU_SOURCE
+#include
+#include
+
+#include "tests/cmocka/common_mock.h"
+#include "util/sss_nss.h"
+#include "test_utils.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_utils_conf.ldb"
+#define TEST_DOM_NAME "utils_test.ldb"
+
+#define DOM_COUNT 10
+#define DOMNAME_TMPL "name_%zu.dom"
+#define FLATNAME_TMPL "name_%zu"
+#define SID_TMPL "S-1-5-21-1-2-%zu"
+
+#define MACRO_EXPAND(tok) #tok
+#define STR(tok) MACRO_EXPAND(tok)
+
+#define USERNAME "sssduser"
+#define FIRST_LETTER "s"
+#define UID 1234
+#define DOMAIN "sssddomain"
+#define ORIGINAL_HOME "/home/user"
+#define FLATNAME "flatname"
+#define HOMEDIR_SUBSTR "/mnt/home"
+
+#define DUMMY "dummy"
+#define DUMMY2 "dummy2"
+
+struct dom_list_test_ctx {
+ size_t dom_count;
+ struct sss_domain_info *dom_list;
+};
+
+static int setup_dom_list_with_subdomains(void **state)
+{
+ struct dom_list_test_ctx *test_ctx;
+ struct sss_domain_info *dom = NULL;
+ struct sss_domain_info *c = NULL;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct dom_list_test_ctx);
+ assert_non_null(test_ctx);
+
+ dom = talloc_zero(test_ctx, struct sss_domain_info);
+ assert_non_null(dom);
+
+ dom->name = talloc_asprintf(dom, "configured.dom");
+ assert_non_null(dom->name);
+
+ dom->realm = talloc_asprintf(dom, "CONFIGURED.DOM");
+ assert_non_null(dom->realm);
+
+ dom->flat_name = talloc_asprintf(dom, "CONFIGURED");
+ assert_non_null(dom->flat_name);
+
+ dom->domain_id = talloc_asprintf(dom, "S-1-5-21-1-2-1");
+ assert_non_null(dom->domain_id);
+
+ DLIST_ADD(test_ctx->dom_list, dom);
+
+ c = talloc_zero(test_ctx, struct sss_domain_info);
+ assert_non_null(c);
+
+ c->name = talloc_asprintf(c, "subdom1.dom");
+ assert_non_null(c->name);
+
+ c->realm = talloc_asprintf(c, "SUBDOM1.DOM");
+ assert_non_null(c->realm);
+
+ c->flat_name = talloc_asprintf(c, "subdom1");
+ assert_non_null(c->flat_name);
+
+ c->domain_id = talloc_asprintf(c, "S-1-5-21-1-2-2");
+ assert_non_null(c->domain_id);
+
+ c->parent = dom;
+
+ DLIST_ADD_END(test_ctx->dom_list, c, struct sss_domain_info *);
+
+ c = talloc_zero(test_ctx, struct sss_domain_info);
+ assert_non_null(c);
+
+ c->name = talloc_asprintf(c, "subdom2.dom");
+ assert_non_null(c->name);
+
+ c->realm = talloc_asprintf(c, "SUBDOM2.DOM");
+ assert_non_null(c->realm);
+
+ c->flat_name = talloc_asprintf(c, "subdom2");
+ assert_non_null(c->flat_name);
+
+ c->domain_id = talloc_asprintf(c, "S-1-5-21-1-2-3");
+ assert_non_null(c->domain_id);
+
+ c->parent = dom;
+
+ DLIST_ADD_END(test_ctx->dom_list, c, struct sss_domain_info *);
+
+ c = talloc_zero(test_ctx, struct sss_domain_info);
+ assert_non_null(c);
+
+ c->name = talloc_asprintf(c, "subdom3.dom");
+ assert_non_null(c->name);
+
+ c->realm = talloc_asprintf(c, "SUBDOM3.DOM");
+ assert_non_null(c->realm);
+
+ c->flat_name = talloc_asprintf(c, "subdom3");
+ assert_non_null(c->flat_name);
+
+ c->domain_id = talloc_asprintf(c, "S-1-5-21-1-2-4");
+ assert_non_null(c->domain_id);
+
+ c->parent = dom;
+
+ DLIST_ADD_END(test_ctx->dom_list, c, struct sss_domain_info *);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int setup_dom_list(void **state)
+{
+ struct dom_list_test_ctx *test_ctx;
+ struct sss_domain_info *dom = NULL;
+ size_t c;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct dom_list_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_ctx->dom_count = DOM_COUNT;
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ dom = talloc_zero(test_ctx, struct sss_domain_info);
+ assert_non_null(dom);
+
+ dom->name = talloc_asprintf(dom, DOMNAME_TMPL, c);
+ assert_non_null(dom->name);
+
+ dom->flat_name = talloc_asprintf(dom, FLATNAME_TMPL, c);
+ assert_non_null(dom->flat_name);
+
+ dom->domain_id = talloc_asprintf(dom, SID_TMPL, c);
+ assert_non_null(dom->domain_id);
+
+ DLIST_ADD(test_ctx->dom_list, dom);
+ }
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int teardown_dom_list(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ if (test_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n");
+ return 1;
+ }
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_find_domain_by_name_null(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+
+ dom = find_domain_by_name(NULL, NULL, false);
+ assert_null(dom);
+
+ dom = find_domain_by_name(test_ctx->dom_list, NULL, false);
+ assert_null(dom);
+
+ dom = find_domain_by_name(NULL, "test", false);
+ assert_null(dom);
+}
+
+void test_find_domain_by_name(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+ size_t c;
+ char *name;
+ char *flat_name;
+ char *sid;
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ name = talloc_asprintf(global_talloc_context, DOMNAME_TMPL, c);
+ assert_non_null(name);
+
+ flat_name = talloc_asprintf(global_talloc_context, FLATNAME_TMPL, c);
+ assert_non_null(flat_name);
+
+ sid = talloc_asprintf(global_talloc_context, SID_TMPL, c);
+ assert_non_null(sid);
+
+ dom = find_domain_by_name(test_ctx->dom_list, name, false);
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+
+ dom = find_domain_by_name(test_ctx->dom_list, name, true);
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+
+ dom = find_domain_by_name(test_ctx->dom_list, flat_name, true);
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+
+ dom = find_domain_by_name(test_ctx->dom_list, flat_name, false);
+ assert_null(dom);
+
+ talloc_free(name);
+ talloc_free(flat_name);
+ talloc_free(sid);
+ }
+}
+
+void test_find_domain_by_name_missing_flat_name(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+ size_t c;
+ char *name;
+ char *flat_name;
+ char *sid;
+ size_t mis;
+
+ mis = test_ctx->dom_count/2;
+ assert_true((mis >= 1 && mis < test_ctx->dom_count));
+
+ dom = test_ctx->dom_list;
+ for (c = 0; c < mis; c++) {
+ assert_non_null(dom);
+ dom = dom->next;
+ }
+ assert_non_null(dom);
+ dom->flat_name = NULL;
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ name = talloc_asprintf(global_talloc_context, DOMNAME_TMPL, c);
+ assert_non_null(name);
+
+ flat_name = talloc_asprintf(global_talloc_context, FLATNAME_TMPL, c);
+ assert_non_null(flat_name);
+
+ sid = talloc_asprintf(global_talloc_context, SID_TMPL, c);
+ assert_non_null(sid);
+
+ dom = find_domain_by_name(test_ctx->dom_list, name, true);
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ if (c == mis - 1) {
+ assert_null(dom->flat_name);
+ } else {
+ assert_string_equal(flat_name, dom->flat_name);
+ }
+ assert_string_equal(sid, dom->domain_id);
+
+ dom = find_domain_by_name(test_ctx->dom_list, name, false);
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ if (c == mis - 1) {
+ assert_null(dom->flat_name);
+ } else {
+ assert_string_equal(flat_name, dom->flat_name);
+ }
+ assert_string_equal(sid, dom->domain_id);
+
+ dom = find_domain_by_name(test_ctx->dom_list, flat_name, true);
+ if (c == mis - 1) {
+ assert_null(dom);
+ } else {
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+ }
+
+ dom = find_domain_by_name(test_ctx->dom_list, flat_name, false);
+ assert_null(dom);
+
+ talloc_free(name);
+ talloc_free(flat_name);
+ talloc_free(sid);
+ }
+}
+
+void test_find_domain_by_name_disabled(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+ size_t c;
+ char *name;
+ char *flat_name;
+ char *sid;
+ size_t mis;
+
+ mis = test_ctx->dom_count/2;
+ assert_true((mis >= 1 && mis < test_ctx->dom_count));
+
+ dom = test_ctx->dom_list;
+ for (c = 0; c < mis; c++) {
+ assert_non_null(dom);
+ dom = dom->next;
+ }
+ assert_non_null(dom);
+ sss_domain_set_state(dom, DOM_DISABLED);
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ name = talloc_asprintf(global_talloc_context, DOMNAME_TMPL, c);
+ assert_non_null(name);
+
+ flat_name = talloc_asprintf(global_talloc_context, FLATNAME_TMPL, c);
+ assert_non_null(flat_name);
+
+ sid = talloc_asprintf(global_talloc_context, SID_TMPL, c);
+ assert_non_null(sid);
+
+ dom = find_domain_by_name(test_ctx->dom_list, name, true);
+ if (c == mis - 1) {
+ assert_null(dom);
+ } else {
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+ }
+
+ dom = find_domain_by_name(test_ctx->dom_list, name, false);
+ if (c == mis - 1) {
+ assert_null(dom);
+ } else {
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+ }
+
+ dom = find_domain_by_name(test_ctx->dom_list, flat_name, true);
+ if (c == mis - 1) {
+ assert_null(dom);
+ } else {
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+ }
+
+ dom = find_domain_by_name(test_ctx->dom_list, flat_name, false);
+ assert_null(dom);
+
+ talloc_free(name);
+ talloc_free(flat_name);
+ talloc_free(sid);
+ }
+}
+
+void test_find_domain_by_sid_null(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+
+ dom = find_domain_by_sid(NULL, NULL);
+ assert_null(dom);
+
+ dom = find_domain_by_sid(test_ctx->dom_list, NULL);
+ assert_null(dom);
+
+ dom = find_domain_by_sid(NULL, "S-1-5-21-1-2-3");
+ assert_null(dom);
+}
+
+void test_find_domain_by_sid(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+ size_t c;
+ char *name;
+ char *flat_name;
+ char *sid;
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ name = talloc_asprintf(global_talloc_context, DOMNAME_TMPL, c);
+ assert_non_null(name);
+
+ flat_name = talloc_asprintf(global_talloc_context, FLATNAME_TMPL, c);
+ assert_non_null(flat_name);
+
+ sid = talloc_asprintf(global_talloc_context, SID_TMPL, c);
+ assert_non_null(sid);
+
+ dom = find_domain_by_sid(test_ctx->dom_list, sid);
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+
+ talloc_free(name);
+ talloc_free(flat_name);
+ talloc_free(sid);
+ }
+}
+
+void test_find_domain_by_sid_missing_sid(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+ size_t c;
+ char *name;
+ char *flat_name;
+ char *sid;
+ size_t mis;
+
+ mis = test_ctx->dom_count/2;
+ assert_true((mis >= 1 && mis < test_ctx->dom_count));
+
+ dom = test_ctx->dom_list;
+ for (c = 0; c < mis; c++) {
+ assert_non_null(dom);
+ dom = dom->next;
+ }
+ assert_non_null(dom);
+ dom->domain_id = NULL;
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ name = talloc_asprintf(global_talloc_context, DOMNAME_TMPL, c);
+ assert_non_null(name);
+
+ flat_name = talloc_asprintf(global_talloc_context, FLATNAME_TMPL, c);
+ assert_non_null(flat_name);
+
+ sid = talloc_asprintf(global_talloc_context, SID_TMPL, c);
+ assert_non_null(sid);
+
+ dom = find_domain_by_sid(test_ctx->dom_list, sid);
+ if (c == mis - 1) {
+ assert_null(dom);
+ } else {
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+ }
+
+ talloc_free(name);
+ talloc_free(flat_name);
+ talloc_free(sid);
+ }
+}
+
+void test_find_domain_by_sid_disabled(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom;
+ size_t c;
+ char *name;
+ char *flat_name;
+ char *sid;
+ size_t mis;
+
+ mis = test_ctx->dom_count/2;
+ assert_true((mis >= 1 && mis < test_ctx->dom_count));
+
+ dom = test_ctx->dom_list;
+ for (c = 0; c < mis; c++) {
+ assert_non_null(dom);
+ dom = dom->next;
+ }
+ assert_non_null(dom);
+ sss_domain_set_state(dom, DOM_DISABLED);
+
+ for (c = 0; c < test_ctx->dom_count; c++) {
+ name = talloc_asprintf(global_talloc_context, DOMNAME_TMPL, c);
+ assert_non_null(name);
+
+ flat_name = talloc_asprintf(global_talloc_context, FLATNAME_TMPL, c);
+ assert_non_null(flat_name);
+
+ sid = talloc_asprintf(global_talloc_context, SID_TMPL, c);
+ assert_non_null(sid);
+
+ dom = find_domain_by_sid(test_ctx->dom_list, sid);
+ if (c == mis - 1) {
+ assert_null(dom);
+ } else {
+ assert_non_null(dom);
+ assert_string_equal(name, dom->name);
+ assert_string_equal(flat_name, dom->flat_name);
+ assert_string_equal(sid, dom->domain_id);
+ }
+
+ talloc_free(name);
+ talloc_free(flat_name);
+ talloc_free(sid);
+ }
+}
+
+/*
+ * dom1 -> sub1a
+ * |
+ * dom2 -> sub2a -> sub2b
+ *
+ */
+static int setup_dom_tree(void **state)
+{
+ struct dom_list_test_ctx *test_ctx;
+ struct sss_domain_info *head = NULL;
+ struct sss_domain_info *dom = NULL;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct dom_list_test_ctx);
+ assert_non_null(test_ctx);
+
+ dom = named_domain(test_ctx, "dom1", NULL);
+ assert_non_null(dom);
+ head = dom;
+
+ dom = named_domain(test_ctx, "sub1a", head);
+ assert_non_null(dom);
+ head->subdomains = dom;
+
+ dom = named_domain(test_ctx, "dom2", NULL);
+ assert_non_null(dom);
+ head->next = dom;
+
+ dom = named_domain(test_ctx, "sub2a", head->next);
+ assert_non_null(dom);
+ head->next->subdomains = dom;
+
+ dom = named_domain(test_ctx, "sub2b", head->next);
+ assert_non_null(dom);
+ head->next->subdomains->next = dom;
+
+ test_ctx->dom_count = 2;
+ test_ctx->dom_list = head;
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int teardown_dom_tree(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ if (test_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n");
+ return 1;
+ }
+
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+static void test_get_next_domain(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom = NULL;
+
+ dom = get_next_domain(test_ctx->dom_list, 0);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, 0);
+ assert_null(dom);
+}
+
+static void test_get_next_domain_descend(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom = NULL;
+
+ dom = get_next_domain(test_ctx->dom_list, SSS_GND_DESCEND);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2a");
+
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, 0);
+ assert_null(dom);
+}
+
+static void test_get_next_domain_disabled(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom = NULL;
+
+ for (dom = test_ctx->dom_list; dom;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ sss_domain_set_state(dom, DOM_DISABLED);
+ }
+
+ dom = get_next_domain(test_ctx->dom_list, SSS_GND_DESCEND);
+ assert_null(dom);
+}
+
+static void test_get_next_domain_flags(void **state)
+{
+ struct dom_list_test_ctx *test_ctx = talloc_get_type(*state,
+ struct dom_list_test_ctx);
+ struct sss_domain_info *dom = NULL;
+ uint32_t gnd_flags;
+
+ /* No flags; all doms enabled */
+ gnd_flags = 0;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Descend flag only; all doms enabled */
+ gnd_flags = SSS_GND_DESCEND;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Incl. disabled flag only; all doms enabled */
+ gnd_flags = SSS_GND_INCLUDE_DISABLED;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Descend and include disabled; all doms enabled */
+ gnd_flags = SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Now disable dom2 and sub2a */
+ dom = find_domain_by_name(test_ctx->dom_list, "dom2", false);
+ assert_non_null(dom);
+ sss_domain_set_state(dom, DOM_DISABLED);
+
+ dom = find_domain_by_name(test_ctx->dom_list, "sub2a", false);
+ assert_non_null(dom);
+ sss_domain_set_state(dom, DOM_DISABLED);
+
+ /* No flags; dom2 and sub2a disabled */
+ gnd_flags = 0;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_null(dom);
+
+ /* Descend flag only; dom2 and sub2a disabled */
+ gnd_flags = SSS_GND_DESCEND;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Incl. disabled flag only; dom2 and sub2a disabled */
+ gnd_flags = SSS_GND_INCLUDE_DISABLED;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+
+ /* Descend and include disabled; dom2 and sub2a disabled */
+ gnd_flags = SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED;
+
+ dom = get_next_domain(test_ctx->dom_list, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub1a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "dom2");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2a");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_non_null(dom);
+ assert_string_equal(dom->name, "sub2b");
+
+ dom = get_next_domain(dom, gnd_flags);
+ assert_null(dom);
+}
+
+struct name_init_test_ctx {
+ struct confdb_ctx *confdb;
+};
+
+#define GLOBAL_FULL_NAME_FORMAT "%1$s@%2$s"
+#define GLOBAL_RE_EXPRESSION "(?P[^@]+)@?(?P[^@]*$)"
+
+#define TEST_DOMAIN_NAME "test.dom"
+#define DOMAIN_FULL_NAME_FORMAT "%3$s\\%1$s"
+#define DOMAIN_RE_EXPRESSION "(((?P[^\\\\]+)\\\\(?P.+$))|" \
+ "((?P[^@]+)@(?P.+$))|" \
+ "(^(?P[^@\\\\]+)$))"
+
+static int confdb_test_setup(void **state)
+{
+ struct name_init_test_ctx *test_ctx;
+ char *conf_db = NULL;
+ char *dompath = NULL;
+ int ret;
+ const char *val[2];
+ val[1] = NULL;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct name_init_test_ctx);
+ assert_non_null(test_ctx);
+
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_DB);
+ assert_non_null(conf_db);
+
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(conf_db);
+
+ val[0] = TEST_DOMAIN_NAME;
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "domains", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = GLOBAL_FULL_NAME_FORMAT;
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "full_name_format", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = GLOBAL_RE_EXPRESSION;
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "re_expression", val);
+ assert_int_equal(ret, EOK);
+
+ dompath = talloc_asprintf(test_ctx, "config/domain/%s", TEST_DOMAIN_NAME);
+ assert_non_null(dompath);
+
+ val[0] = "ldap";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ dompath, "id_provider", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = DOMAIN_FULL_NAME_FORMAT;
+ ret = confdb_add_param(test_ctx->confdb, true,
+ dompath, "full_name_format", val);
+ assert_int_equal(ret, EOK);
+
+ val[0] = DOMAIN_RE_EXPRESSION;
+ ret = confdb_add_param(test_ctx->confdb, true,
+ dompath, "re_expression", val);
+ assert_int_equal(ret, EOK);
+
+ talloc_free(dompath);
+
+ check_leaks_push(test_ctx);
+ *state = test_ctx;
+ return 0;
+}
+
+static int confdb_test_teardown(void **state)
+{
+ struct name_init_test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type(*state, struct name_init_test_ctx);
+
+ assert_true(check_leaks_pop(test_ctx) == true);
+ talloc_free(test_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_sss_names_init(void **state)
+{
+ struct name_init_test_ctx *test_ctx;
+ struct sss_names_ctx *names_ctx;
+ int ret;
+
+ test_ctx = talloc_get_type(*state, struct name_init_test_ctx);
+
+ ret = sss_names_init(test_ctx, test_ctx->confdb, NULL, &names_ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(names_ctx);
+ assert_string_equal(names_ctx->re_pattern, GLOBAL_RE_EXPRESSION);
+ assert_string_equal(names_ctx->fq_fmt, GLOBAL_FULL_NAME_FORMAT);
+
+ talloc_free(names_ctx);
+
+ ret = sss_names_init(test_ctx, test_ctx->confdb, TEST_DOMAIN_NAME,
+ &names_ctx);
+ assert_int_equal(ret, EOK);
+ assert_non_null(names_ctx);
+ assert_string_equal(names_ctx->re_pattern, DOMAIN_RE_EXPRESSION);
+ assert_string_equal(names_ctx->fq_fmt, DOMAIN_FULL_NAME_FORMAT);
+
+ talloc_free(names_ctx);
+}
+
+void test_well_known_sid_to_name(void **state)
+{
+ int ret;
+ const char *name;
+ const char *dom;
+
+ ret = well_known_sid_to_name(NULL, NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("abc", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-0", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-0-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-0-0", &dom, &name);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(dom, "NULL AUTHORITY");
+ assert_string_equal(name, "NULL SID");
+
+ ret = well_known_sid_to_name("S-1-0-0-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5-6", &dom, &name);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(dom, "NT AUTHORITY");
+ assert_string_equal(name, "SERVICE");
+
+ ret = well_known_sid_to_name("S-1-5-6-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5-21", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5-21-", &dom, &name);
+ assert_int_equal(ret, ENOENT);
+
+ ret = well_known_sid_to_name("S-1-5-21-abc", &dom, &name);
+ assert_int_equal(ret, ENOENT);
+
+ ret = well_known_sid_to_name("S-1-5-32", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5-32-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+ ret = well_known_sid_to_name("S-1-5-32-551", &dom, &name);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(dom, "BUILTIN");
+ assert_string_equal(name, "Backup Operators");
+
+ ret = well_known_sid_to_name("S-1-5-32-551-", &dom, &name);
+ assert_int_equal(ret, EINVAL);
+
+}
+
+void test_name_to_well_known_sid(void **state)
+{
+ int ret;
+ const char *sid;
+
+ ret = name_to_well_known_sid(NULL, NULL, NULL);
+ assert_int_equal(ret, EINVAL);
+
+ ret = name_to_well_known_sid("abc", "def", &sid);
+ assert_int_equal(ret, ENOENT);
+
+ ret = name_to_well_known_sid("", "def", &sid);
+ assert_int_equal(ret, ENOENT);
+
+ ret = name_to_well_known_sid("BUILTIN", "def", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = name_to_well_known_sid("NT AUTHORITY", "def", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = name_to_well_known_sid("LOCAL AUTHORITY", "LOCAL", &sid);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sid, "S-1-2-0");
+
+ ret = name_to_well_known_sid(NULL, "LOCAL", &sid);
+ assert_int_equal(ret, EINVAL);
+
+ ret = name_to_well_known_sid("BUILTIN", "Cryptographic Operators", &sid);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sid, "S-1-5-32-569");
+
+ ret = name_to_well_known_sid("NT AUTHORITY", "DIALUP", &sid);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sid, "S-1-5-1");
+}
+
+#define TEST_SANITIZE_INPUT "TestUser@Test.Domain"
+#define TEST_SANITIZE_LC_INPUT "testuser@test.domain"
+
+void test_sss_filter_sanitize_for_dom(void **state)
+{
+ struct dom_list_test_ctx *test_ctx;
+ int ret;
+ char *sanitized;
+ char *lc_sanitized;
+ struct sss_domain_info *dom;
+
+ test_ctx = talloc_get_type(*state, struct dom_list_test_ctx);
+ dom = test_ctx->dom_list;
+
+ dom->case_sensitive = true;
+
+ ret = sss_filter_sanitize_for_dom(test_ctx, TEST_SANITIZE_INPUT, dom,
+ &sanitized, &lc_sanitized);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sanitized, TEST_SANITIZE_INPUT);
+ assert_string_equal(lc_sanitized, TEST_SANITIZE_INPUT);
+ talloc_free(sanitized);
+ talloc_free(lc_sanitized);
+
+ dom->case_sensitive = false;
+
+ ret = sss_filter_sanitize_for_dom(test_ctx, TEST_SANITIZE_INPUT, dom,
+ &sanitized, &lc_sanitized);
+ assert_int_equal(ret, EOK);
+ assert_string_equal(sanitized, TEST_SANITIZE_INPUT);
+ assert_string_equal(lc_sanitized, TEST_SANITIZE_LC_INPUT);
+ talloc_free(sanitized);
+ talloc_free(lc_sanitized);
+}
+
+void check_expanded_value(TALLOC_CTX *tmp_ctx,
+ struct sss_nss_homedir_ctx *homedir_ctx,
+ const char *template, const char *exp_val)
+{
+ char *homedir;
+
+ homedir = expand_homedir_template(tmp_ctx, template, false, homedir_ctx);
+ if (exp_val != NULL) {
+ assert_string_equal(homedir, exp_val);
+ } else {
+ assert_null(homedir);
+ }
+
+ talloc_free(homedir);
+}
+
+static int setup_homedir_ctx(void **state)
+{
+ struct sss_nss_homedir_ctx *homedir_ctx;
+
+ assert_true(leak_check_setup());
+
+ homedir_ctx= talloc_zero(global_talloc_context,
+ struct sss_nss_homedir_ctx);
+ assert_non_null(homedir_ctx);
+
+ homedir_ctx->username = sss_create_internal_fqname(homedir_ctx,
+ USERNAME, DOMAIN);
+ if (homedir_ctx->username == NULL) {
+ talloc_free(homedir_ctx);
+ return 1;
+ }
+
+ homedir_ctx->uid = UID;
+ homedir_ctx->original = ORIGINAL_HOME;
+ homedir_ctx->domain = DOMAIN;
+ homedir_ctx->flatname = FLATNAME;
+ homedir_ctx->config_homedir_substr = HOMEDIR_SUBSTR;
+
+ check_leaks_push(homedir_ctx);
+ *state = homedir_ctx;
+ return 0;
+}
+
+static int teardown_homedir_ctx(void **state)
+{
+ struct sss_nss_homedir_ctx *homedir_ctx = talloc_get_type(*state,
+ struct sss_nss_homedir_ctx);
+ if (homedir_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Type mismatch\n");
+ return 1;
+ }
+
+ assert_true(check_leaks_pop(homedir_ctx) == true);
+ talloc_free(homedir_ctx);
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_expand_homedir_template_NULL(void **state)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *homedir;
+ struct sss_nss_homedir_ctx *homedir_ctx;
+
+ /* following format strings requires data in homedir_ctx */
+ const char *format_strings[] = { "%u", "%U", "%d", "%f", "%F", "%H",
+ NULL };
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(tmp_ctx);
+
+ homedir_ctx = talloc_zero(tmp_ctx, struct sss_nss_homedir_ctx);
+ assert_non_null(homedir_ctx);
+
+ homedir = expand_homedir_template(tmp_ctx, NULL, false, NULL);
+ assert_null(homedir);
+
+ homedir = expand_homedir_template(tmp_ctx, "template", false, NULL);
+ assert_null(homedir);
+
+ /* missing data in homedir_ctx */
+ check_expanded_value(tmp_ctx, homedir_ctx, "%%", "%");
+ check_expanded_value(tmp_ctx, homedir_ctx, "%o", "");
+
+ for (i = 0; format_strings[i] != NULL; ++i) {
+ check_expanded_value(tmp_ctx, homedir_ctx, format_strings[i], NULL);
+ }
+
+ /* flatname requires domain and username */
+ homedir_ctx->username = DUMMY;
+ check_expanded_value(tmp_ctx, homedir_ctx, "%f", NULL);
+
+ homedir_ctx->username = NULL;
+ homedir_ctx->domain = DUMMY;
+ check_expanded_value(tmp_ctx, homedir_ctx, "%f", NULL);
+
+ /* test unknown format string */
+ check_expanded_value(tmp_ctx, homedir_ctx, "%x", NULL);
+
+ /* test malformed format string */
+ check_expanded_value(tmp_ctx, homedir_ctx, "%", NULL);
+
+ talloc_free(tmp_ctx);
+}
+
+void test_expand_homedir_template(void **state)
+{
+ struct sss_nss_homedir_ctx *homedir_ctx = talloc_get_type(*state,
+ struct sss_nss_homedir_ctx);
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ assert_non_null(tmp_ctx);
+
+ /* string without template */
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY, DUMMY);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%u", USERNAME);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%u", DUMMY USERNAME);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%u"DUMMY, USERNAME DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%u"DUMMY2,
+ DUMMY USERNAME DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%U", STR(UID));
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%U", DUMMY STR(UID));
+ check_expanded_value(tmp_ctx, homedir_ctx, "%U"DUMMY, STR(UID) DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%U"DUMMY2,
+ DUMMY STR(UID) DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%d", DOMAIN);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%d", DUMMY DOMAIN);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%d"DUMMY, DOMAIN DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%d"DUMMY2,
+ DUMMY DOMAIN DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%f", USERNAME"@"DOMAIN);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%f",
+ DUMMY USERNAME"@"DOMAIN);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%f"DUMMY,
+ USERNAME"@"DOMAIN DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%f"DUMMY2,
+ DUMMY USERNAME"@"DOMAIN DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%o", ORIGINAL_HOME);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%o", DUMMY ORIGINAL_HOME);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%o"DUMMY, ORIGINAL_HOME DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%o"DUMMY2,
+ DUMMY ORIGINAL_HOME DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%F", FLATNAME);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%F", DUMMY FLATNAME);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%F"DUMMY, FLATNAME DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%F"DUMMY2,
+ DUMMY FLATNAME DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%H", HOMEDIR_SUBSTR);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%H",
+ DUMMY HOMEDIR_SUBSTR);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%H"DUMMY,
+ HOMEDIR_SUBSTR DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%H"DUMMY2,
+ DUMMY HOMEDIR_SUBSTR DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%%", "%");
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%%", DUMMY"%");
+ check_expanded_value(tmp_ctx, homedir_ctx, "%%"DUMMY, "%"DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%%"DUMMY2,
+ DUMMY"%"DUMMY2);
+
+ check_expanded_value(tmp_ctx, homedir_ctx, "%l", FIRST_LETTER);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%l", DUMMY FIRST_LETTER);
+ check_expanded_value(tmp_ctx, homedir_ctx, "%l"DUMMY, FIRST_LETTER DUMMY);
+ check_expanded_value(tmp_ctx, homedir_ctx, DUMMY"%l"DUMMY2,
+ DUMMY FIRST_LETTER DUMMY2);
+
+ /* test all format strings */
+ check_expanded_value(tmp_ctx, homedir_ctx,
+ DUMMY"/%u/%U/%d/%f/%o/%F/%%/%H/%l/"DUMMY2,
+ DUMMY"/"USERNAME"/" STR(UID) "/"DOMAIN"/"
+ USERNAME"@"DOMAIN"/"ORIGINAL_HOME"/"FLATNAME"/%/"
+ HOMEDIR_SUBSTR"/"FIRST_LETTER"/"DUMMY2);
+ talloc_free(tmp_ctx);
+}
+
+static int setup_leak_tests(void **state)
+{
+ assert_true(leak_check_setup());
+
+ return 0;
+}
+
+static int teardown_leak_tests(void **state)
+{
+ assert_true(leak_check_teardown());
+ return 0;
+}
+
+void test_add_strings_lists(void **state)
+{
+ const char *l1[] = {"a", "b", "c", NULL};
+ const char *l2[] = {"1", "2", "3", NULL};
+ char **res;
+ int ret;
+ size_t c;
+ size_t d;
+
+ ret = add_strings_lists(global_talloc_context, NULL, NULL, true, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ assert_null(res[0]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, NULL, NULL, false, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ assert_null(res[0]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, l1, NULL, false, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ for (c = 0; l1[c] != NULL; c++) {
+ /* 'copy_strings' is 'false', pointers must be equal */
+ assert_int_equal(memcmp(&l1[c], &res[c], sizeof(char *)), 0);
+ }
+ assert_null(res[c]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, l1, NULL, true, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ for (c = 0; l1[c] != NULL; c++) {
+ /* 'copy_strings' is 'true', pointers must be different, but strings
+ * must be equal */
+ assert_int_not_equal(memcmp(&l1[c], &res[c], sizeof(char *)), 0);
+ assert_string_equal(l1[c], res[c]);
+ }
+ assert_null(res[c]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, NULL, l1, false, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ for (c = 0; l1[c] != NULL; c++) {
+ /* 'copy_strings' is 'false', pointers must be equal */
+ assert_int_equal(memcmp(&l1[c], &res[c], sizeof(char *)), 0);
+ }
+ assert_null(res[c]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, NULL, l1, true, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ for (c = 0; l1[c] != NULL; c++) {
+ /* 'copy_strings' is 'true', pointers must be different, but strings
+ * must be equal */
+ assert_int_not_equal(memcmp(&l1[c], &res[c], sizeof(char *)), 0);
+ assert_string_equal(l1[c], res[c]);
+ }
+ assert_null(res[c]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, l1, l2, false, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ for (c = 0; l1[c] != NULL; c++) {
+ /* 'copy_strings' is 'false', pointers must be equal */
+ assert_int_equal(memcmp(&l1[c], &res[c], sizeof(char *)), 0);
+ }
+ for (d = 0; l2[d] != NULL; d++) {
+ assert_int_equal(memcmp(&l2[d], &res[c+d], sizeof(char *)), 0);
+ }
+ assert_null(res[c+d]);
+ talloc_free(res);
+
+ ret = add_strings_lists(global_talloc_context, l1, l2, true, &res);
+ assert_int_equal(ret, EOK);
+ assert_non_null(res);
+ for (c = 0; l1[c] != NULL; c++) {
+ /* 'copy_strings' is 'true', pointers must be different, but strings
+ * must be equal */
+ assert_int_not_equal(memcmp(&l1[c], &res[c], sizeof(char *)), 0);
+ assert_string_equal(l1[c], res[c]);
+ }
+ for (d = 0; l2[d] != NULL; d++) {
+ assert_int_not_equal(memcmp(&l2[d], &res[c+d], sizeof(char *)), 0);
+ assert_string_equal(l2[d], res[c+d]);
+ }
+ assert_null(res[c+d]);
+ talloc_free(res);
+}
+
+void test_sss_write_krb5_conf_snippet(void **state)
+{
+ int ret;
+ char buf[PATH_MAX];
+ char *cwd;
+ char *path;
+ char *file;
+ char *file_krb5_libdefaults;
+
+ ret = sss_write_krb5_conf_snippet(NULL, false, false);
+ assert_int_equal(ret, EINVAL);
+
+ ret = sss_write_krb5_conf_snippet("abc", false, false);
+ assert_int_equal(ret, EINVAL); + + ret = sss_write_krb5_conf_snippet("", false, false); + assert_int_equal(ret, EOK); + + ret = sss_write_krb5_conf_snippet("none", false, false); + assert_int_equal(ret, EOK); + + cwd = getcwd(buf, PATH_MAX); + assert_non_null(cwd); + + ret = asprintf(&path, "%s/%s", cwd, TESTS_PATH); + assert_true(ret > 0); + + ret = asprintf(&file, "%s/%s/localauth_plugin", cwd, TESTS_PATH); + assert_true(ret > 0); + + ret = asprintf(&file_krb5_libdefaults, + "%s/%s/krb5_libdefaults", cwd, TESTS_PATH); + assert_true(ret > 0); + + ret = sss_write_krb5_conf_snippet(path, true, true); + assert_int_equal(ret, EOK); + + /* Check if writing a second time will work as well */ + ret = sss_write_krb5_conf_snippet(path, true, true); + assert_int_equal(ret, EOK); + +#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN + ret = unlink(file); + assert_int_equal(ret, EOK); +#endif + + ret = unlink(file_krb5_libdefaults); + assert_int_equal(ret, EOK); + + free(file); + free(file_krb5_libdefaults); + free(path); +} + + +struct unique_file_test_ctx { + char *filename; +}; + +static int unique_file_test_setup(void **state) +{ + struct unique_file_test_ctx *test_ctx; + + assert_true(leak_check_setup()); + + test_ctx = talloc_zero(global_talloc_context, struct unique_file_test_ctx); + assert_non_null(test_ctx); + + test_ctx->filename = talloc_strdup(test_ctx, "test_unique_file_XXXXXX"); + assert_non_null(test_ctx); + + *state = test_ctx; + return 0; +} + +static int unique_file_test_teardown(void **state) +{ + struct unique_file_test_ctx *test_ctx; + errno_t ret; + + test_ctx = talloc_get_type(*state, struct unique_file_test_ctx); + + errno = 0; + ret = unlink(test_ctx->filename); + if (ret != 0 && errno != ENOENT) { + fail(); + } + + talloc_free(test_ctx); + assert_true(leak_check_teardown()); + return 0; +} + +static void assert_destructor(TALLOC_CTX *owner, + struct unique_file_test_ctx *test_ctx) +{ + int fd; + errno_t ret; + char *check_filename; + + /* Test that the destructor 
works */ + if (owner == NULL) { + return; + } + + check_filename = talloc_strdup(test_ctx, test_ctx->filename); + assert_non_null(check_filename); + + talloc_free(owner); + + ret = check_and_open_readonly(test_ctx->filename, &fd, + geteuid(), getegid(), + (S_IRUSR | S_IWUSR | S_IFREG), 0); + close(fd); + assert_int_not_equal(ret, EOK); +} + +static void sss_unique_file_test(struct unique_file_test_ctx *test_ctx, + bool test_destructor) +{ + int fd; + errno_t ret; + struct stat sb; + TALLOC_CTX *owner = NULL; + + if (test_destructor) { + owner = talloc_new(test_ctx); + assert_non_null(owner); + } + + fd = sss_unique_file(owner, test_ctx->filename, &ret); + assert_int_not_equal(fd, -1); + assert_int_equal(ret, EOK); + + ret = check_fd(fd, geteuid(), getegid(), + (S_IRUSR | S_IWUSR | S_IFREG), 0, &sb); + close(fd); + assert_int_equal(ret, EOK); + + assert_destructor(owner, test_ctx); +} + +static void test_sss_unique_file(void **state) +{ + struct unique_file_test_ctx *test_ctx; + test_ctx = talloc_get_type(*state, struct unique_file_test_ctx); + sss_unique_file_test(test_ctx, false); +} + +static void test_sss_unique_file_destruct(void **state) +{ + struct unique_file_test_ctx *test_ctx; + test_ctx = talloc_get_type(*state, struct unique_file_test_ctx); + sss_unique_file_test(test_ctx, true); +} + +static void test_sss_unique_file_neg(void **state) +{ + int fd; + errno_t ret; + + fd = sss_unique_file(NULL, discard_const("badpattern"), &ret); + assert_int_equal(fd, -1); + assert_int_equal(ret, EINVAL); +} + +static void sss_unique_filename_test(struct unique_file_test_ctx *test_ctx, + bool test_destructor) +{ + int fd; + errno_t ret; + char *tmp_filename; + TALLOC_CTX *owner = NULL; + + tmp_filename = talloc_strdup(test_ctx, test_ctx->filename); + assert_non_null(tmp_filename); + + if (test_destructor) { + owner = talloc_new(test_ctx); + assert_non_null(owner); + } + + ret = sss_unique_filename(owner, test_ctx->filename); + assert_int_equal(ret, EOK); + + 
assert_int_equal(strncmp(test_ctx->filename, + tmp_filename, + strlen(tmp_filename) - sizeof("XXXXXX")), + 0); + + ret = check_and_open_readonly(test_ctx->filename, &fd, + geteuid(), getegid(), + (S_IRUSR | S_IWUSR | S_IFREG), 0); + close(fd); + assert_int_equal(ret, EOK); + + assert_destructor(owner, test_ctx); +} + +static void test_sss_unique_filename(void **state) +{ + struct unique_file_test_ctx *test_ctx; + + test_ctx = talloc_get_type(*state, struct unique_file_test_ctx); + sss_unique_filename_test(test_ctx, false); +} + +static void test_sss_unique_filename_destruct(void **state) +{ + struct unique_file_test_ctx *test_ctx; + + test_ctx = talloc_get_type(*state, struct unique_file_test_ctx); + sss_unique_filename_test(test_ctx, true); +} + +static void test_parse_cert_verify_opts(void **state) +{ + int ret; + struct cert_verify_opts *cv_opts; + + ret = parse_cert_verify_opts(global_talloc_context, NULL, &cv_opts); + assert_int_equal(ret, EOK); + assert_true(cv_opts->do_verification); + assert_true(cv_opts->do_ocsp); + assert_null(cv_opts->ocsp_default_responder); + assert_null(cv_opts->ocsp_default_responder_signing_cert); + talloc_free(cv_opts); + + ret = parse_cert_verify_opts(global_talloc_context, "wedfkwefjk", &cv_opts); + assert_int_equal(ret, EOK); + assert_true(cv_opts->do_verification); + assert_true(cv_opts->do_ocsp); + assert_null(cv_opts->ocsp_default_responder); + assert_null(cv_opts->ocsp_default_responder_signing_cert); + talloc_free(cv_opts); + + ret = parse_cert_verify_opts(global_talloc_context, "no_ocsp", &cv_opts); + assert_int_equal(ret, EOK); + assert_true(cv_opts->do_verification); + assert_false(cv_opts->do_ocsp); + assert_null(cv_opts->ocsp_default_responder); + assert_null(cv_opts->ocsp_default_responder_signing_cert); + talloc_free(cv_opts); + + ret = parse_cert_verify_opts(global_talloc_context, "no_verification", + &cv_opts); + assert_int_equal(ret, EOK); + assert_false(cv_opts->do_verification); + assert_true(cv_opts->do_ocsp); 
+ assert_null(cv_opts->ocsp_default_responder); + assert_null(cv_opts->ocsp_default_responder_signing_cert); + talloc_free(cv_opts); + + ret = parse_cert_verify_opts(global_talloc_context, + "no_ocsp,no_verification", &cv_opts); + assert_int_equal(ret, EOK); + assert_false(cv_opts->do_verification); + assert_false(cv_opts->do_ocsp); + assert_null(cv_opts->ocsp_default_responder); + assert_null(cv_opts->ocsp_default_responder_signing_cert); + talloc_free(cv_opts); + + ret = parse_cert_verify_opts(global_talloc_context, + "ocsp_default_responder=", &cv_opts); + assert_int_equal(ret, EINVAL); + + ret = parse_cert_verify_opts(global_talloc_context, + "ocsp_default_responder_signing_cert=", + &cv_opts); + assert_int_equal(ret, EINVAL); + + ret = parse_cert_verify_opts(global_talloc_context, + "ocsp_default_responder=abc", &cv_opts); + assert_int_equal(ret, EINVAL); + + ret = parse_cert_verify_opts(global_talloc_context, + "ocsp_default_responder_signing_cert=def", + &cv_opts); + assert_int_equal(ret, EINVAL); + + ret = parse_cert_verify_opts(global_talloc_context, + "ocsp_default_responder=abc," + "ocsp_default_responder_signing_cert=def", + &cv_opts); + assert_int_equal(ret, EOK); + assert_true(cv_opts->do_verification); + assert_true(cv_opts->do_ocsp); + assert_string_equal(cv_opts->ocsp_default_responder, "abc"); + assert_string_equal(cv_opts->ocsp_default_responder_signing_cert, "def"); + talloc_free(cv_opts); +} + +static void assert_parse_fqname(const char *fqname, + const char *exp_shortname, + const char *exp_domname) +{ + errno_t ret; + char *shortname = NULL; + char *domname = NULL; + + check_leaks_push(global_talloc_context); + + ret = sss_parse_internal_fqname(global_talloc_context, fqname, + exp_shortname ? &shortname : NULL, + exp_domname ? 
&domname : NULL); + assert_int_equal(ret, EOK); + + if (exp_shortname) { + assert_string_equal(shortname, exp_shortname); + } + if (exp_domname) { + assert_string_equal(domname, exp_domname); + } + + talloc_free(shortname); + talloc_free(domname); + + assert_true(check_leaks_pop(global_talloc_context) == true); +} + +static void assert_fqname_unparseable(const char *fqname, errno_t retval) +{ + errno_t ret; + char *shortname = NULL; + char *domname = NULL; + + check_leaks_push(global_talloc_context); + + ret = sss_parse_internal_fqname(global_talloc_context, fqname, + &shortname, &domname); + assert_int_equal(ret, retval); + assert_null(shortname); + assert_null(domname); + + assert_true(check_leaks_pop(global_talloc_context) == true); +} + +static void test_sss_parse_internal_fqname(void **state) +{ + assert_parse_fqname("foo@bar", "foo", "bar"); + assert_parse_fqname("foo@bar", NULL, "bar"); + assert_parse_fqname("foo@bar", "foo", NULL); + assert_parse_fqname("foo@bar", NULL, NULL); + assert_parse_fqname("foo@bar@baz", "foo@bar", "baz"); + + assert_fqname_unparseable("foo", ERR_WRONG_NAME_FORMAT); + assert_fqname_unparseable("foo@", ERR_WRONG_NAME_FORMAT); + assert_fqname_unparseable("@", ERR_WRONG_NAME_FORMAT); + assert_fqname_unparseable("@bar", ERR_WRONG_NAME_FORMAT); + assert_fqname_unparseable(NULL, EINVAL); +} + +static void test_sss_create_internal_fqname(void **state) +{ + char *fqname = NULL; + + check_leaks_push(global_talloc_context); + + fqname = sss_create_internal_fqname(global_talloc_context, "foo", "bar"); + assert_string_equal(fqname, "foo@bar"); + talloc_zfree(fqname); + + fqname = sss_create_internal_fqname(global_talloc_context, "foo", "BAR"); + assert_string_equal(fqname, "foo@bar"); + talloc_zfree(fqname); + + fqname = sss_create_internal_fqname(global_talloc_context, "foo", NULL); + assert_null(fqname); + + fqname = sss_create_internal_fqname(global_talloc_context, NULL, "bar"); + assert_null(fqname); + + fqname = 
sss_create_internal_fqname(global_talloc_context, NULL, NULL); + assert_null(fqname); + + assert_true(check_leaks_pop(global_talloc_context) == true); +} + +static void test_sss_create_internal_fqname_list(void **state) +{ + char **fqlist = NULL; + const char *in_list1[] = { "aaa", "bbb", NULL }; + + check_leaks_push(global_talloc_context); + + fqlist = sss_create_internal_fqname_list(global_talloc_context, + in_list1, "DOM"); + assert_string_equal(fqlist[0], "aaa@dom"); + assert_string_equal(fqlist[1], "bbb@dom"); + assert_null(fqlist[2]); + talloc_zfree(fqlist); + + fqlist = sss_create_internal_fqname_list(global_talloc_context, + in_list1, NULL); + assert_null(fqlist); + + fqlist = sss_create_internal_fqname_list(global_talloc_context, + NULL, "DOM"); + assert_null(fqlist); + + fqlist = sss_create_internal_fqname_list(global_talloc_context, + NULL, NULL); + assert_null(fqlist); + + assert_true(check_leaks_pop(global_talloc_context) == true); +} + +static void test_sss_output_name(void **state) +{ + char *outname; + char *fqname; + + check_leaks_push(global_talloc_context); + + fqname = sss_create_internal_fqname(global_talloc_context, + "Foo Bar", "DOM"); + assert_non_null(fqname); + + outname = sss_output_name(global_talloc_context, fqname, true, 0); + assert_non_null(outname); + assert_string_equal(outname, "Foo Bar"); + talloc_zfree(outname); + + outname = sss_output_name(global_talloc_context, fqname, false, 0); + assert_non_null(outname); + assert_string_equal(outname, "foo bar"); + talloc_zfree(outname); + + outname = sss_output_name(global_talloc_context, fqname, false, '-'); + assert_non_null(outname); + assert_string_equal(outname, "foo-bar"); + talloc_zfree(outname); + + talloc_free(fqname); + assert_true(check_leaks_pop(global_talloc_context) == true); +} + +static void test_sss_get_domain_mappings_content(void **state) +{ + struct dom_list_test_ctx *test_ctx; + int ret; + struct sss_domain_info *dom; + char *content; + struct sss_domain_info *c; + + 
ret = sss_get_domain_mappings_content(NULL, NULL, NULL); + assert_int_equal(ret, EINVAL); + + test_ctx = talloc_get_type(*state, struct dom_list_test_ctx); + assert_non_null(test_ctx); + + dom = get_domains_head(test_ctx->dom_list); + assert_non_null(dom); + + /* no forest */ + ret = sss_get_domain_mappings_content(test_ctx, dom, &content); + assert_int_equal(ret, EOK); + assert_string_equal(content, + "[domain_realm]\n" + ".subdom1.dom = SUBDOM1.DOM\n" + "subdom1.dom = SUBDOM1.DOM\n" + ".subdom2.dom = SUBDOM2.DOM\n" + "subdom2.dom = SUBDOM2.DOM\n" + ".subdom3.dom = SUBDOM3.DOM\n" + "subdom3.dom = SUBDOM3.DOM\n"); + talloc_free(content); + + /* IPA with forest */ + c = find_domain_by_name(dom, "subdom2.dom", true); + assert_non_null(c); + c->forest_root = find_domain_by_name(dom, "subdom1.dom", true); + assert_non_null(c->forest_root); + c->forest = discard_const_p(char, "subdom1.dom"); + + c = find_domain_by_name(dom, "subdom3.dom", true); + assert_non_null(c); + c->forest_root = find_domain_by_name(dom, "subdom1.dom", true); + assert_non_null(c->forest_root); + c->forest = discard_const_p(char, "subdom1.dom"); + + ret = sss_get_domain_mappings_content(test_ctx, dom, &content); + assert_int_equal(ret, EOK); + assert_string_equal(content, + "[domain_realm]\n" + ".subdom1.dom = SUBDOM1.DOM\n" + "subdom1.dom = SUBDOM1.DOM\n" + ".subdom2.dom = SUBDOM2.DOM\n" + "subdom2.dom = SUBDOM2.DOM\n" + ".subdom3.dom = SUBDOM3.DOM\n" + "subdom3.dom = SUBDOM3.DOM\n" + "[capaths]\n" + "SUBDOM2.DOM = {\n" + " CONFIGURED.DOM = SUBDOM1.DOM\n" + "}\n" + "SUBDOM3.DOM = {\n" + " CONFIGURED.DOM = SUBDOM1.DOM\n" + "}\n" + "CONFIGURED.DOM = {\n" + " SUBDOM2.DOM = SUBDOM1.DOM\n" + " SUBDOM3.DOM = SUBDOM1.DOM\n" + "}\n"); + talloc_free(content); + + /* Next steps, test AD domain setup. If we join a child domain we have a + * similar case as with IPA but if we join the forest root the generate + * capaths might not be as expected. 
*/ +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test_setup_teardown(test_find_domain_by_sid_null, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_sid, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_sid_missing_sid, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_sid_disabled, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_name_null, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_name, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_name_missing_flat_name, + setup_dom_list, teardown_dom_list), + cmocka_unit_test_setup_teardown(test_find_domain_by_name_disabled, + setup_dom_list, teardown_dom_list), + + cmocka_unit_test_setup_teardown(test_sss_names_init, + confdb_test_setup, + confdb_test_teardown), + + cmocka_unit_test_setup_teardown(test_get_next_domain, + setup_dom_tree, teardown_dom_tree), + cmocka_unit_test_setup_teardown(test_get_next_domain_descend, + setup_dom_tree, teardown_dom_tree), + cmocka_unit_test_setup_teardown(test_get_next_domain_disabled, + setup_dom_tree, teardown_dom_tree), + cmocka_unit_test_setup_teardown(test_get_next_domain_flags, + setup_dom_tree, teardown_dom_tree), + + cmocka_unit_test(test_well_known_sid_to_name), + cmocka_unit_test(test_name_to_well_known_sid), + + cmocka_unit_test_setup_teardown(test_sss_filter_sanitize_for_dom, + setup_dom_list, + teardown_dom_list), + + cmocka_unit_test(test_expand_homedir_template_NULL), + cmocka_unit_test_setup_teardown(test_expand_homedir_template, + setup_homedir_ctx, + teardown_homedir_ctx), +#ifdef BUILD_SSH + 
cmocka_unit_test(test_textual_public_key), +#endif + cmocka_unit_test(test_replace_whitespaces), + cmocka_unit_test(test_reverse_replace_whitespaces), + cmocka_unit_test(test_guid_blob_to_string_buf), + cmocka_unit_test(test_get_last_x_chars), + cmocka_unit_test(test_concatenate_string_array), + cmocka_unit_test_setup_teardown(test_add_strings_lists, + setup_leak_tests, + teardown_leak_tests), + cmocka_unit_test(test_sss_write_krb5_conf_snippet), + cmocka_unit_test_setup_teardown(test_sss_unique_file, + unique_file_test_setup, + unique_file_test_teardown), + cmocka_unit_test_setup_teardown(test_sss_unique_file_destruct, + unique_file_test_setup, + unique_file_test_teardown), + cmocka_unit_test(test_sss_unique_file_neg), + cmocka_unit_test_setup_teardown(test_sss_unique_filename, + unique_file_test_setup, + unique_file_test_teardown), + cmocka_unit_test_setup_teardown(test_sss_unique_filename_destruct, + unique_file_test_setup, + unique_file_test_teardown), + cmocka_unit_test_setup_teardown(test_parse_cert_verify_opts, + setup_leak_tests, + teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_parse_internal_fqname, + setup_leak_tests, + teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_create_internal_fqname, + setup_leak_tests, + teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_create_internal_fqname_list, + setup_leak_tests, + teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_output_name, + setup_leak_tests, + teardown_leak_tests), + cmocka_unit_test_setup_teardown(test_sss_get_domain_mappings_content, + setup_dom_list_with_subdomains, + teardown_dom_list), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + test_dom_suite_setup(TESTS_PATH); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + if (rv == 0) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + } + return rv; +} diff --git a/src/tests/cmocka/test_utils.h b/src/tests/cmocka/test_utils.h new file mode 100644 index 0000000..e93e0da --- /dev/null +++ b/src/tests/cmocka/test_utils.h 
@@ -0,0 +1,36 @@
+/*
+ Authors:
+ Lukas Slebodnik
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: Tests for utility functions
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __TESTS__CMOCKA__TEST_UTILS_H__
+#define __TESTS__CMOCKA__TEST_UTILS_H__
+
+/* from src/tests/cmocka/test_sss_ssh.c */
+void test_textual_public_key(void **state);
+
+/* from src/tests/cmocka/test_string_utils.c */
+void test_replace_whitespaces(void **state);
+void test_reverse_replace_whitespaces(void **state);
+void test_guid_blob_to_string_buf(void **state);
+void test_get_last_x_chars(void **state);
+void test_concatenate_string_array(void **state);
+
+#endif /* __TESTS__CMOCKA__TEST_UTILS_H__ */
diff --git a/src/tests/cmocka/test_wbc_calls.c b/src/tests/cmocka/test_wbc_calls.c
new file mode 100644
index 0000000..9f55354
--- /dev/null
+++ b/src/tests/cmocka/test_wbc_calls.c
@@ -0,0 +1,122 @@ +/* + SSSD + + wbc-calls - Tests for selected libwbclient calls + + Authors: + Sumit Bose + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "tests/cmocka/common_mock.h" + +#include "sss_client/libwbclient/wbclient_sssd.h" +#include "sss_client/idmap/sss_nss_idmap.h" + +struct wbcDomainSid test_sid = {1, 5, {0, 0, 0, 0, 0, 5}, + {21, 2127521184, 1604012920, 1887927527, 72713, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + +int __wrap_sss_nss_getnamebysid(const char *sid, char **fq_name, + enum sss_id_type *type) +{ + *fq_name = strdup("name@domain"); + assert_non_null(*fq_name); + *type = SSS_ID_TYPE_UID; + + return EOK; +} + +void test_wbcLookupSid(void **state) +{ + wbcErr wbc_status; + char *pdomain; + char *pname; + enum wbcSidType pname_type; + + wbc_status = wbcLookupSid(NULL, NULL, NULL, NULL); + assert_int_equal(wbc_status, WBC_ERR_INVALID_SID); + + wbc_status = wbcLookupSid(&test_sid, NULL, NULL, NULL); + assert_int_equal(wbc_status, WBC_ERR_SUCCESS); + + wbc_status = wbcLookupSid(&test_sid, &pdomain, NULL, NULL); + assert_int_equal(wbc_status, WBC_ERR_SUCCESS); + assert_string_equal(pdomain, "domain"); + wbcFreeMemory(pdomain); + + wbc_status = wbcLookupSid(&test_sid, NULL, &pname, NULL); + assert_int_equal(wbc_status, WBC_ERR_SUCCESS); + assert_string_equal(pname, "name"); + wbcFreeMemory(pname); + + 
wbc_status = wbcLookupSid(&test_sid, NULL, NULL, &pname_type); + assert_int_equal(wbc_status, WBC_ERR_SUCCESS); + assert_int_equal(pname_type, WBC_SID_NAME_USER); + + wbc_status = wbcLookupSid(&test_sid, &pdomain, &pname, &pname_type); + assert_int_equal(wbc_status, WBC_ERR_SUCCESS); + assert_string_equal(pdomain, "domain"); + assert_string_equal(pname, "name"); + assert_int_equal(pname_type, WBC_SID_NAME_USER); + wbcFreeMemory(pdomain); + wbcFreeMemory(pname); +} + +int main(int argc, const char *argv[]) +{ + int rv; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_wbcLookupSid), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + rv = cmocka_run_group_tests(tests, NULL, NULL); + + return rv; +} diff --git a/src/tests/cmocka/wrap_sss_nss_make_request_timeout.c b/src/tests/cmocka/wrap_sss_nss_make_request_timeout.c new file mode 100644 index 0000000..6d2a957 --- /dev/null +++ b/src/tests/cmocka/wrap_sss_nss_make_request_timeout.c 
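Review bot: The `__wrap_sss_nss_getnamebysid` mock never looks at its `sid` argument, so `test_wbcLookupSid` would still pass if `wbcLookupSid` turned `test_sid` into the wrong string before the lookup. Checking the input in the wrapper closes that gap, for example `assert_string_equal(sid, "S-1-5-21-2127521184-1604012920-1887927527-72713");` as its first statement. That value is constructed from the fields of `test_sid` and assumes the usual `S-<revision>-<authority>-<sub-authorities>` rendering, which this hunk does not show. The wrapper also returns a `strdup` buffer and the test runs without the leak-check setup, so it is worth confirming that `wbcLookupSid` frees `fq_name` on every path.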
@@ -0,0 +1,37 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2018 Red Hat
+
+ Helper to make dlopen-tests pass for libsss_nss_idmap_tests.so.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "sss_client/sss_cli.h"
+
+enum nss_status __wrap_sss_nss_make_request_timeout(enum sss_cli_command cmd,
+ struct sss_cli_req_data *rd,
+ int timeout,
+ uint8_t **repbuf,
+ size_t *replen,
+ int *errnop)
+{
+ return NSS_STATUS_SUCCESS;
+}
diff --git a/src/tests/common.c b/src/tests/common.c
new file mode 100644
index 0000000..8ba73a2
--- /dev/null
+++ b/src/tests/common.c
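Review bot: `__wrap_sss_nss_make_request_timeout` returns `NSS_STATUS_SUCCESS` without writing `*repbuf`, `*replen` or `*errnop`, so a caller that actually runs it would go on to parse an uninitialised reply pointer and length. The header comment says the stub exists only so the dlopen test can resolve the symbol; if that is its only use, failing closed is safer: `return NSS_STATUS_UNAVAIL;`. If success has to be kept, the outputs should at least be defined first, `if (repbuf != NULL) *repbuf = NULL;` and `if (replen != NULL) *replen = 0;`. A short comment above the function, `/* Link-time stub only; never expected to serve a real request. */`, would keep later tests from relying on it.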
@@ -0,0 +1,141 @@
+/*
+ SSSD
+
+ Common utilities for check-based tests using talloc.
+
+ Authors:
+ Martin Nagy
+
+ Copyright (C) Red Hat, Inc 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include "tests/common.h"
+#include "util/util.h"
+
+void
+tests_set_cwd(void)
+{
+ int ret;
+
+ ret = chdir(TEST_DIR);
+ if (ret == -1) {
+ fprintf(stderr, "Could not chdir to [%s].\n"
+ "Attempting to continue with current dir\n", TEST_DIR);
+ }
+}
+
+void test_dom_suite_setup(const char *tests_path)
+{
+ errno_t ret;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(tests_path, 0775);
+ if (ret != 0 && errno != EEXIST) {
+ fprintf(stderr, "Could not create test directory\n");
+ }
+}
+
+/* Check that the option names of the two maps are the same
+ * and appear in the same order.
+ */ +errno_t +compare_dp_options(struct dp_option *map1, size_t size1, + struct dp_option *map2) +{ + size_t i; + + for (i = 0; i < size1; i++) { + /* Check for a valid option */ + if (map1[i].opt_name == NULL) return EINVAL; + + /* Check whether we've gone past the end of map2 */ + if (map2[i].opt_name == NULL) return ERANGE; + + /* Ensure that the option names are the same */ + if(strcmp(map1[i].opt_name, map2[i].opt_name) != 0) { + fprintf(stderr, "Expected [%s], got [%s]\n", + map1[i].opt_name, map2[i].opt_name); + return EINVAL; + } + } + + /* Leftover options in map2 */ + if (map2[i].opt_name != NULL) return ERANGE; + + return EOK; +} + +/* Check that the option names of the two maps are the same + * and appear in the same order. + */ +errno_t +compare_sdap_attr_maps(struct sdap_attr_map *map1, size_t size1, + struct sdap_attr_map *map2) +{ + size_t i; + + for (i = 0; i < size1; i++) { + /* Check for a valid option */ + if (map1[i].opt_name == NULL) return EINVAL; + + /* Check whether we've gone past the end of map2 */ + if (map2[i].opt_name == NULL) return ERANGE; + + /* Ensure that the option names are the same */ + if(strcmp(map1[i].opt_name, map2[i].opt_name) != 0) { + fprintf(stderr, "Expected [%s], got [%s]\n", + map1[i].opt_name, map2[i].opt_name); + return EINVAL; + } + } + + /* Leftover options in map2 */ + if (map2[i].opt_name != NULL) return ERANGE; + + return EOK; +} + +bool ldb_modules_path_is_set(void) +{ + if (getenv("LDB_MODULES_PATH")) { + return true; + } + + return false; +} + +/* Returns true if all values are in array (else returns false) */ +bool are_values_in_array(const char **values, size_t values_len, + const char **array, size_t array_len) +{ + bool is_value_in_element = false; + bool is_value_in_array = false; + bool ret = true; + + for (size_t i = 0; i < values_len; i++) { + is_value_in_array = false; + for (size_t j = 0; j < array_len; j++) { + is_value_in_element = strcmp(values[i], array[j]) == 0 ? 
\ + true : false; + is_value_in_array = is_value_in_array || is_value_in_element; + } + ret = ret && is_value_in_array; + } + + return ret; +} diff --git a/src/tests/common.h b/src/tests/common.h new file mode 100644 index 0000000..c06568d --- /dev/null +++ b/src/tests/common.h 
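Review bot: `compare_dp_options` and `compare_sdap_attr_maps` take a length for `map1` only, yet read `map2[i]` for every `i < size1` and then `map2[size1]` after the loop. They stay in bounds only when `map2` ends with an entry whose `opt_name` is NULL. Neither function's comment states that contract; add `/* map2 must be terminated by an entry with opt_name == NULL; it is read up to index size1. */` to both. If callers can supply it, an explicit `size2` bound would remove the dependency on the sentinel, though that changes the prototypes in `common.h`.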
@@ -0,0 +1,156 @@ +/* + SSSD + + Common utilities for check-based tests using talloc. + + Authors: + Martin Nagy + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __TESTS_COMMON_H__ +#define __TESTS_COMMON_H__ + +#include "config.h" + +#include +#include "util/util.h" +#include "providers/data_provider.h" +#include "providers/ldap/sdap.h" + + +#ifdef HAVE_FUNCTION_ATTRIBUTE_WARN_UNUSED_RESULT +#define SSS_ATTRIBUTE_WARN_UNUSED_RESULT __attribute__((warn_unused_result)) +#else +#define SSS_ATTRIBUTE_WARN_UNUSED_RESULT +#endif + +#define N_ELEMENTS(arr) (sizeof(arr) / sizeof(arr[0])) + +extern TALLOC_CTX *global_talloc_context; + +void check_leaks_push(TALLOC_CTX *ctx); + +#define check_leaks_pop(ctx) _check_leaks_pop((ctx), __location__) +bool _check_leaks_pop(TALLOC_CTX *ctx, const char *location) + SSS_ATTRIBUTE_WARN_UNUSED_RESULT; + +bool leak_check_setup(void) SSS_ATTRIBUTE_WARN_UNUSED_RESULT; +bool leak_check_teardown(void) SSS_ATTRIBUTE_WARN_UNUSED_RESULT; +const char *check_leaks_err_msg(void); + +void tests_set_cwd(void); + +errno_t +compare_dp_options(struct dp_option *map1, size_t size1, + struct dp_option *map2); + +errno_t +compare_sdap_attr_maps(struct sdap_attr_map *map1, size_t size1, + struct sdap_attr_map *map2); + +/* A common test structure for tests that require a domain to be set up. 
*/ +struct sss_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; + struct tevent_context *ev; + struct sss_domain_info *dom; + struct sss_names_ctx *nctx; + char *confdb_path; + char *conf_dom_path; + + bool done; + int error; +}; + +struct sss_test_conf_param { + const char *key; + const char *value; +}; + +struct sss_test_ctx *create_ev_test_ctx(TALLOC_CTX *mem_ctx); + +void reset_ldb_errstrings(struct sss_domain_info *dom); + +struct sss_test_ctx * +create_multidom_test_ctx(TALLOC_CTX *mem_ctx, + const char *tests_path, + const char *cdb_file, + const char **domains, + const char *id_provider, + struct sss_test_conf_param **params); + +struct sss_test_ctx * +create_dom_test_ctx(TALLOC_CTX *mem_ctx, + const char *tests_path, + const char *confdb_path, + const char *domain_name, + const char *id_provider, + struct sss_test_conf_param *params); + +void test_dom_suite_setup(const char *tests_path); + +void test_multidom_suite_cleanup(const char *tests_path, + const char *cdb_file, + const char **domains); + +void test_dom_suite_cleanup(const char *tests_path, + const char *cdb_file, + const char *domain); + +struct tevent_req * +test_request_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, errno_t err); + +#define test_req_succeed_send(mem_ctx, ev) test_request_send(mem_ctx, ev, 0) + +errno_t test_request_recv(struct tevent_req *req); + +int test_ev_loop(struct sss_test_ctx *tctx); + +/* Mark the test as done with an error code */ +void test_ev_done(struct sss_test_ctx *tctx, errno_t ret); + +bool ldb_modules_path_is_set(void); + +DBusConnection * +test_dbus_setup_mock(TALLOC_CTX *mem_ctx, + struct tevent_context *loop, + sbus_server_conn_init_fn init_fn, + void *init_pvt_data); + +DBusMessage * +test_dbus_call_sync(DBusConnection *conn, + const char *object_path, + const char *interface, + const char *method, + DBusError *error, + int first_arg_type, + ...); + +struct sss_domain_info *named_domain(TALLOC_CTX *mem_ctx, + const char *name, + 
struct sss_domain_info *parent); + +/* Returns true if all values are in array (else returns false) */ +bool are_values_in_array(const char **values, size_t values_len, + const char **array, size_t array_len); + +#define tc_are_values_in_array(values, array) \ + are_values_in_array(values, talloc_array_length(values), \ + array, talloc_array_length(array)) + +#endif /* !__TESTS_COMMON_H__ */ diff --git a/src/tests/common_check.c b/src/tests/common_check.c new file mode 100644 index 0000000..d1b9d6c --- /dev/null +++ b/src/tests/common_check.c @@ -0,0 +1,40 @@ +/* + SSSD + + Memory leak/growth checks for check-based tests using talloc. + + Authors: + Martin Nagy + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "tests/common.h" +#include "tests/common_check.h" + +void ck_leak_check_setup(void) +{ + fail_unless(leak_check_setup() == true, + "Cannot set up leaks test: %s\n", check_leaks_err_msg()); +} + +void ck_leak_check_teardown(void) +{ + fail_unless(leak_check_teardown() == true, + "Cannot tear down leaks test: %s\n", check_leaks_err_msg()); +} diff --git a/src/tests/common_check.h b/src/tests/common_check.h new file mode 100644 index 0000000..51c3c3f --- /dev/null +++ b/src/tests/common_check.h 
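Review bot: The two helper macros in this header are not hygienic: `N_ELEMENTS(arr)` uses its argument unparenthesised inside `sizeof(arr[0])`, and `tc_are_values_in_array(values, array)` expands each argument twice, also without parentheses. I would write `#define N_ELEMENTS(arr) (sizeof(arr) / sizeof((arr)[0]))` and wrap `(values)` and `(array)` in the second macro, with a comment that its arguments must be free of side effects. `N_ELEMENTS` also yields a wrong count when it is given a pointer instead of an array, which deserves a one-line comment such as `/* arr must be a true array, not a pointer */`.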
@@ -0,0 +1,36 @@
+/*
+ SSSD
+
+ Memory leak/growth checks for check-based tests using talloc.
+
+ Authors:
+ Martin Nagy
+
+ Copyright (C) Red Hat, Inc 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __TESTS_COMMON_CHECK_H__
+#define __TESTS_COMMON_CHECK_H__
+
+#include "tests/common.h"
+
+void ck_leak_check_setup(void);
+void ck_leak_check_teardown(void);
+
+#define ck_leaks_push(ctx) check_leaks_push(ctx)
+#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, check_leaks_err_msg())
+
+#endif /* __TESTS_COMMON_CHECK_H__ */
diff --git a/src/tests/common_dbus.c b/src/tests/common_dbus.c
new file mode 100644
index 0000000..103512d
--- /dev/null
+++ b/src/tests/common_dbus.c
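Review bot: The `ck_leaks_pop` macro passes the return value of `check_leaks_err_msg()` to `fail_unless` as the format string, so any `%` in that message would be read as a conversion specifier. What the message can contain is not visible here, but common_check.c in this same patch already uses the safer form with an explicit `"%s"`. I would change the macro to `#define ck_leaks_pop(ctx) fail_unless(check_leaks_pop(ctx) == true, "%s", check_leaks_err_msg())`.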
@@ -0,0 +1,199 @@ +/* + SSSD + + Common utilities for dbus based tests. + + Authors: + Stef Walter + + Copyright (C) Red Hat, Inc 2014 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include "tests/common.h" + +struct mock_server { + char *temp_dir; + char *dbus_address; + pid_t pid; + DBusConnection *client; + + /* Used for synchronization */ + int sync_fds[2]; + + /* Only used during init */ + sbus_server_conn_init_fn init_fn; + void *init_pvt_data; +}; + +/* + * If you think we're going to do full error propagation during tests ... 
+ * you're going to have a bad time (reading this code) + */ +#define verify_eq(x, y) \ + do { if ((x) != (y)) { fprintf(stderr, "failed: %s == %s\n", #x, #y); abort(); } } while (0) +#define verify_neq(x, y) \ + do { if ((x) == (y)) { fprintf(stderr, "failed: %s != %s\n", #x, #y); abort(); } } while (0) + +static int +mock_server_cleanup(struct mock_server *mock) +{ + int child_status; + const char *file; + struct stat sb; + + dbus_connection_close(mock->client); + dbus_connection_unref(mock->client); + + /* Tell the server thread to quit */ + verify_eq (write(mock->sync_fds[0], "X", 1), 1); + + /* Wait for the server child, it always returns mock */ + verify_eq (waitpid(mock->pid, &child_status, 0), mock->pid); + verify_eq (child_status, 0); + + file = strchr(mock->dbus_address, '/'); + if (stat(file, &sb) == 0) { + verify_eq (unlink(file), 0); + } + verify_eq (rmdir(mock->temp_dir), 0); + + return EOK; +} + +static int +on_accept_connection(struct sbus_connection *conn, + void *data) +{ + struct mock_server *mock = data; + + verify_eq (mock->init_fn(conn, mock->init_pvt_data), EOK); + + /* Synchronization point: test_dbus_setup_mock() should return */ + verify_eq (write(mock->sync_fds[1], "X", 1), 1); + + return EOK; +} + +static void +on_sync_fd_written(struct tevent_context *loop, + struct tevent_fd *fde, + uint16_t flags, + void *data) +{ + bool *stop_server = data; + *stop_server = true; +} + +static void +mock_server_child(void *data) +{ + struct mock_server *mock = data; + struct tevent_context *loop; + struct sbus_connection *server; + bool stop_server = false; + TALLOC_CTX *ctx; + + ctx = talloc_new(NULL); + loop = tevent_context_init(ctx); + + verify_eq (sbus_new_server(ctx, loop, mock->dbus_address, geteuid(), getegid(), + false, &server, on_accept_connection, mock, + NULL), EOK); + + tevent_add_fd(loop, ctx, mock->sync_fds[1], TEVENT_FD_READ, + on_sync_fd_written, &stop_server); + + /* Synchronization point: test_dbus_setup_mock() should connect */ + 
verify_eq (write(mock->sync_fds[1], "X", 1), 1); + + /* Do the loop */ + while(!stop_server) { + verify_eq (tevent_loop_once(loop), 0); + } + + /* TODO: sbus doesn't support cleanup of a server */ + + talloc_free(ctx); +} + +struct DBusConnection * +test_dbus_setup_mock(TALLOC_CTX *mem_ctx, + struct tevent_context *loop, + sbus_server_conn_init_fn init_fn, + void *init_pvt_data) +{ + struct mock_server *mock; + char dummy; + + mock = talloc_zero(mem_ctx, struct mock_server); + talloc_set_destructor(mock, mock_server_cleanup); + mock->init_fn = init_fn; + mock->init_pvt_data = init_pvt_data; + + mock->temp_dir = mkdtemp(talloc_strdup(mock, "/tmp/sssd-dbus-tests.XXXXXX")); + verify_neq (mock->temp_dir, NULL); + mock->dbus_address = talloc_asprintf(mock, "unix:path=%s/sbus", mock->temp_dir); + verify_neq (mock->dbus_address, NULL); + + /* We use an fd pair as a synchronization device, integrates with tevent well */ + verify_eq (socketpair(PF_LOCAL, SOCK_STREAM, 0, mock->sync_fds), 0); + + /* Run the dbus server in a child process */ + mock->pid = fork(); + if (mock->pid == 0) { + mock_server_child(mock); + _exit(0); + } + + verify_neq (mock->pid, -1); + + /* Synchronization point: wait for sync point in mock_server_child */ + verify_eq (read(mock->sync_fds[0], &dummy, 1), 1); + + /* Open a shared D-BUS connection to the address */ + mock->client = dbus_connection_open_private(mock->dbus_address, NULL); + verify_neq (mock->client, NULL); + + /* Synchronization point: wait for sync point in on_accept_connection */ + verify_eq (read(mock->sync_fds[0], &dummy, 1), 1); + + return mock->client; +} + +DBusMessage * +test_dbus_call_sync(DBusConnection *conn, const char *object_path, + const char *interface, const char *method, + DBusError *error, int first_arg_type, ...) 
+{ + DBusMessage *message; + DBusMessage *reply; + va_list va; + + message = dbus_message_new_method_call(NULL, object_path, interface, method); + verify_neq(message, NULL); + + va_start(va, first_arg_type); + verify_eq(dbus_message_append_args_valist(message, first_arg_type, va), TRUE); + va_end(va); + + reply = dbus_connection_send_with_reply_and_block(conn, message, -1, error); + dbus_message_unref(message); + + return reply; +} diff --git a/src/tests/common_dom.c b/src/tests/common_dom.c new file mode 100644 index 0000000..def28d5 --- /dev/null +++ b/src/tests/common_dom.c 
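Review bot: `mock_server_cleanup` never closes the two `sync_fds` descriptors that `test_dbus_setup_mock` creates with `socketpair()`, so each mock server set up in a test process leaks a socket pair. Adding `close(mock->sync_fds[0]);` and `close(mock->sync_fds[1]);` after the `waitpid` check in the destructor would release them. The forked child could likewise close `sync_fds[0]`, which it never uses. In the same destructor the result of `strchr(mock->dbus_address, '/')` goes to `stat()` without a NULL check; with the address built in this file it always contains a slash, so a short comment stating that assumption is enough.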
@@ -0,0 +1,429 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: Common utilities for tests that exercise domains + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +/* Including private header makes sure we can initialize test domains. */ +#include "db/sysdb_private.h" +#include "tests/common.h" + +static errno_t +mock_confdb(TALLOC_CTX *mem_ctx, + const char *tests_path, + const char *cdb_file, + struct confdb_ctx **_cdb) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct confdb_ctx *cdb = NULL; + char *cdb_path = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + cdb_path = talloc_asprintf(tmp_ctx, "%s/%s", tests_path, cdb_file); + if (cdb_path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed\n"); + ret = ENOMEM; + goto done; + } + + /* connect to the confdb */ + ret = confdb_init(tmp_ctx, &cdb, cdb_path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "confdb_init failed: %d\n", ret); + goto done; + } + + *_cdb = talloc_steal(mem_ctx, cdb); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t +mock_confdb_domain(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *db_path, + const char *name, + const char *id_provider, + struct sss_test_conf_param *params, + char **_cdb_path) +{ + TALLOC_CTX *tmp_ctx = 
NULL; + const char *val[2] = {NULL, NULL}; + char *cdb_path = NULL; + char **array = NULL; + char *list = NULL; + bool exists = false; + errno_t ret; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + /* get current domain list */ + ret = confdb_get_string(cdb, tmp_ctx, "config/sssd", "domains", + NULL, &list); + if (ret != EOK) { + goto done; + } + + /* check if the domain is already in */ + if (list != NULL) { + ret = split_on_separator(tmp_ctx, list, ',', true, true, &array, NULL); + if (ret != EOK) { + goto done; + } + + for (i = 0; array[i] != NULL; i++) { + if (strcmp(array[i], name) == 0) { + exists = true; + break; + } + } + } + + /* add domain to the list of enabled domains */ + if (!exists) { + if (list == NULL) { + list = talloc_strdup(tmp_ctx, name); + } else { + list = talloc_asprintf_append(list, ", %s", name); + } + + if (list == NULL) { + ret = ENOMEM; + goto done; + } + + val[0] = list; + ret = confdb_add_param(cdb, true, "config/sssd", "domains", val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to change domain list [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + } + + /* create domain section */ + cdb_path = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL, name); + if (cdb_path == NULL) { + ret = ENOMEM; + goto done; + } + + val[0] = id_provider; + ret = confdb_add_param(cdb, true, cdb_path, "id_provider", val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add id_provider [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + if (params != NULL) { + for (i = 0; params[i].key != NULL; i++) { + val[0] = params[i].value; + ret = confdb_add_param(cdb, true, cdb_path, params[i].key, val); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add parameter %s [%d]: " + "%s\n", params[i].key, ret, sss_strerror(ret)); + goto done; + } + } + } + + if (_cdb_path != NULL) { + *_cdb_path = talloc_steal(mem_ctx, 
cdb_path); + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +void reset_ldb_errstrings(struct sss_domain_info *dom) +{ + ldb_reset_err_string(sysdb_ctx_get_ldb(dom->sysdb)); + if (dom->sysdb->ldb_ts) { + ldb_reset_err_string(dom->sysdb->ldb_ts); + } +} + +static errno_t +mock_domain(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *db_path, + const char *name, + struct sss_domain_info **_domain) +{ + struct sss_domain_info *domain = NULL; + errno_t ret; + + /* initialize sysdb */ + ret = sssd_domain_init(mem_ctx, cdb, name, db_path, &domain); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sssd_domain_init() of %s failed " + "[%d]: %s\n", name, ret, sss_strerror(ret)); + goto done; + } + + reset_ldb_errstrings(domain); + + /* init with an AD-style regex to be able to test flat name */ + ret = sss_names_init_from_args(domain, + "(((?P[^\\\\]+)\\\\(?P.+$))|" \ + "((?P[^@]+)@(?P.+$))|" \ + "(^(?P[^@\\\\]+)$))", + "%1$s@%2$s", &domain->names); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "cannot create names context\n"); + goto done; + } + + if (_domain != NULL) { + *_domain = domain; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(domain); + } + return ret; +} + +struct sss_test_ctx * +create_multidom_test_ctx(TALLOC_CTX *mem_ctx, + const char *tests_path, + const char *cdb_file, + const char **domains, + const char *id_provider, + struct sss_test_conf_param **params) +{ + struct sss_domain_info *domain = NULL; + struct sss_test_ctx *test_ctx = NULL; + char *cdb_path = NULL; + errno_t ret; + int i; + + test_ctx = create_ev_test_ctx(mem_ctx); + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "create_ev_test_ctx() failed\n"); + goto fail; + } + + ret = mock_confdb(test_ctx, tests_path, cdb_file, &test_ctx->confdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize confdb [%d]: %s\n", + ret, sss_strerror(ret)); + goto fail; + } + + /* create confdb objects for the domains */ + for (i = 0; 
domains[i] != NULL; i++) { + ret = mock_confdb_domain(test_ctx, test_ctx->confdb, tests_path, + domains[i], id_provider, params != NULL ? params[i] : NULL, + (cdb_path == NULL ? &cdb_path : NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize confdb domain " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto fail; + } + } + + /* initialize domain list and sysdb of the domains */ + for (i = 0; domains[i] != NULL; i++) { + ret = mock_domain(test_ctx, test_ctx->confdb, tests_path, domains[i], + (domain == NULL ? &domain : NULL)); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add new domain [%d]: %s\n", + ret, sss_strerror(ret)); + goto fail; + } + } + + /* the first domain we obtained is already head of the complete list */ + test_ctx->dom = domain; + + /* set data from the first domain */ + test_ctx->sysdb = test_ctx->dom->sysdb; + test_ctx->nctx = test_ctx->dom->names; + test_ctx->conf_dom_path = cdb_path; + + return test_ctx; + +fail: + talloc_free(test_ctx); + return NULL; +} + + +struct sss_test_ctx * +create_dom_test_ctx(TALLOC_CTX *mem_ctx, + const char *tests_path, + const char *confdb_path, + const char *domain_name, + const char *id_provider, + struct sss_test_conf_param *params) +{ + const char *domains[] = {domain_name, NULL}; + + return create_multidom_test_ctx(mem_ctx, tests_path, confdb_path, domains, + id_provider, ¶ms); +} + +void test_multidom_suite_cleanup(const char *tests_path, + const char *cdb_file, + const char **domains) +{ + TALLOC_CTX *tmp_ctx = NULL; + char *cdb_path = NULL; + char *sysdb_path = NULL; + char *sysdb_ts_path = NULL; + errno_t ret; + int i; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return; + } + + if (cdb_file != NULL) { + cdb_path = talloc_asprintf(tmp_ctx, "%s/%s", tests_path, cdb_file); + if (cdb_path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not contruct cdb path\n"); + goto done; + } + + errno = 0; + ret = 
unlink(cdb_path); + if (ret != 0 && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Could not delete the test config " + "ldb file [%d]: (%s)\n", ret, sss_strerror(ret)); + } + } + + if (domains != NULL) { + for (i = 0; domains[i] != NULL; i++) { + if (strcmp(domains[i], LOCAL_SYSDB_FILE) == 0) { + /* local domain */ + ret = sysdb_get_db_file(tmp_ctx, "local", domains[i], tests_path, + &sysdb_path, &sysdb_ts_path); + if (ret != EOK) { + goto done; + } + } else { + /* The mocked database doesn't really care about its provider type, just + * distinguishes between a local and non-local databases + */ + ret = sysdb_get_db_file(tmp_ctx, "fake_nonlocal", domains[i], tests_path, + &sysdb_path, &sysdb_ts_path); + if (ret != EOK) { + goto done; + } + } + if (sysdb_path == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct sysdb path\n"); + goto done; + } + + errno = 0; + ret = unlink(sysdb_path); + if (ret != 0 && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Could not delete the test domain " + "ldb file [%d]: (%s)\n", ret, sss_strerror(ret)); + } + + if (sysdb_ts_path) { + errno = 0; + ret = unlink(sysdb_ts_path); + if (ret != 0 && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Could not delete the test domain " + "ldb timestamp file [%d]: (%s)\n", ret, sss_strerror(ret)); + } + } + + talloc_zfree(sysdb_path); + + } + } + + errno = 0; + ret = rmdir(tests_path); + if (ret != 0 && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Could not delete the test dir (%d) (%s)\n", + ret, sss_strerror(ret)); + } + +done: + talloc_free(tmp_ctx); +} + +void test_dom_suite_cleanup(const char *tests_path, + const char *cdb_file, + const char *domain) +{ + const char *domains[] = {domain, NULL}; + + test_multidom_suite_cleanup(tests_path, cdb_file, domains); +} + +struct sss_domain_info *named_domain(TALLOC_CTX *mem_ctx, + const char *name, + struct sss_domain_info *parent) +{ + struct sss_domain_info *dom = NULL; + 
+ dom = talloc_zero(mem_ctx, struct sss_domain_info); + if (dom == NULL) { + return NULL; + } + + dom->name = talloc_strdup(dom, name); + if (dom->name == NULL) { + talloc_free(dom); + return NULL; + } + + dom->parent = parent; + + return dom; +} diff --git a/src/tests/common_tev.c b/src/tests/common_tev.c new file mode 100644 index 0000000..808efd4 --- /dev/null +++ b/src/tests/common_tev.c 
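Review bot: `create_multidom_test_ctx` dereferences `test_ctx->dom` right after the second loop, but `domain` is still NULL when the `domains` array has no entries, so `test_ctx->sysdb = test_ctx->dom->sysdb;` would crash. A guard before that assignment, `if (domain == NULL) goto fail;` preceded by a DEBUG message, turns this into the NULL return that the function already uses for errors. Separately, `test_multidom_suite_cleanup` resets `sysdb_path` with `talloc_zfree` on each iteration but not `sysdb_ts_path`. Whether a stale value can survive into the next `unlink` depends on `sysdb_get_db_file`, which is not visible here, so adding `talloc_zfree(sysdb_ts_path);` next to it would be the defensive choice.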
@@ -0,0 +1,91 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2013 Red Hat + + SSSD tests: Common utilities for tests that exercise domains + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "tests/common.h" + +struct sss_test_ctx * +create_ev_test_ctx(TALLOC_CTX *mem_ctx) +{ + struct sss_test_ctx *test_ctx; + + test_ctx = talloc_zero(mem_ctx, struct sss_test_ctx); + if (test_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed\n"); + goto fail; + } + + /* Create an event context */ + test_ctx->ev = tevent_context_init(test_ctx); + if (test_ctx->ev == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_context_init failed\n"); + goto fail; + } + + return test_ctx; + +fail: + talloc_free(test_ctx); + return NULL; +} + +struct tevent_req * +test_request_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, errno_t err) +{ + struct tevent_req *req; + int *state; + + req = tevent_req_create(mem_ctx, &state, int); + if (!req) return NULL; + + if (err == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, err); + } + tevent_req_post(req, ev); + return req; +} + +errno_t test_request_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +int test_ev_loop(struct sss_test_ctx *tctx) +{ + while (!tctx->done) + tevent_loop_once(tctx->ev); + + return tctx->error; +} + +void test_ev_done(struct sss_test_ctx *tctx, errno_t ret) +{ + 
tctx->error = ret; + tctx->done = true; +} diff --git a/src/tests/crypto-tests.c b/src/tests/crypto-tests.c new file mode 100644 index 0000000..6f5e22a --- /dev/null +++ b/src/tests/crypto-tests.c 
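Review bot: `test_ev_loop` ignores the return value of `tevent_loop_once()`, so if the event loop fails, the `while (!tctx->done)` loop keeps spinning and the test hangs instead of failing. Checking the result inside the loop, for example `if (tevent_loop_once(tctx->ev) != 0) return EIO;`, would surface the failure to the caller; the exact error code is a suggestion. The loop body is also unbraced, which is worth fixing in the same change.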
@@ -0,0 +1,296 @@ +/* + SSSD + + Crypto tests + + Author: Jakub Hrozek + + Copyright (C) Red Hat, Inc 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "tests/common_check.h" + +/* interfaces under test */ +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" + +static TALLOC_CTX *test_ctx = NULL; + +#ifdef HAVE_NSS +START_TEST(test_nss_init) +{ + int ret; + + ret = nspr_nss_init(); + fail_if(ret != EOK); + + ret = nspr_nss_cleanup(); + fail_if(ret != EOK); +} +END_TEST +#endif + +START_TEST(test_sss_password_encrypt_decrypt) +{ + const char *password[] = { "test123", /* general */ + "12345678901234567", /* just above blocksize */ + "", /* empty */ + NULL}; /* sentinel */ + int i; + char *obfpwd = NULL; + char *ctpwd = NULL; + int ret; + int expected; + +#if defined(HAVE_NSS) || defined(HAVE_LIBCRYPTO) + expected = EOK; +#else +#error Unknown crypto back end +#endif + + test_ctx = talloc_new(NULL); + fail_if(test_ctx == NULL); + ck_leaks_push(test_ctx); + + for (i=0; password[i]; i++) { + ret = sss_password_encrypt(test_ctx, password[i], strlen(password[i])+1, + AES_256, &obfpwd); + fail_if(ret != expected); + + ret = sss_password_decrypt(test_ctx, obfpwd, &ctpwd); + fail_if(ret != expected); + + fail_if(ctpwd && strcmp(password[i], ctpwd) != 0); + + talloc_free(obfpwd); + talloc_free(ctpwd); + } + + ck_leaks_pop(test_ctx); 
+ talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_hmac_sha1) +{ + const char *message = "test message"; + const char *keys[] = { + "short", + "proper6789012345678901234567890123456789012345678901234567890123", + "longlonglonglonglonglonglonglonglonglonglonglonglonglonglonglonglong", + NULL }; + const char *results[] = { + "\x2b\x27\x53\x07\x17\xd8\xc0\x8f\x97\x27\xdd\xb3\xec\x41\xd8\xa3\x94\x97\xaa\x35", + "\x37\xe7\x0a\x6f\x71\x0b\xa9\x93\x81\x53\x8f\x5c\x06\x83\x44\x2f\xc9\x41\xe3\xed", + "\xbd\x99\xa7\x7f\xfc\x5e\xde\x04\x32\x7f\x7b\x71\x4d\xc0\x3f\x51\x2d\x25\x01\x28", + NULL }; + unsigned char out[SSS_SHA1_LENGTH]; + int ret, expected; + int i; + +#if defined(HAVE_NSS) || defined(HAVE_LIBCRYPTO) + expected = EOK; +#else +#error Unknown crypto back end +#endif + + for (i = 0; keys[i]; i++) { + ret = sss_hmac_sha1((const unsigned char *)keys[i], strlen(keys[i]), + (const unsigned char *)message, strlen(message), + out); + fail_if(ret != expected); + fail_if(ret == EOK && memcmp(out, results[i], SSS_SHA1_LENGTH) != 0); + } +} +END_TEST + +START_TEST(test_base64_encode) +{ + const unsigned char obfbuf[] = "test"; + const char expected[] = "dGVzdA=="; + char *obfpwd = NULL; + + test_ctx = talloc_new(NULL); + fail_if(test_ctx == NULL); + /* Base64 encode the buffer */ + obfpwd = sss_base64_encode(test_ctx, obfbuf, strlen((const char*)obfbuf)); + fail_if(obfpwd == NULL); + fail_if(strcmp(obfpwd,expected) != 0); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_base64_decode) +{ + unsigned char *obfbuf = NULL; + size_t obflen; + const char b64encoded[] = "dGVzdA=="; + const unsigned char expected[] = "test"; + + test_ctx = talloc_new(NULL); + fail_if(test_ctx == NULL); + /* Base64 decode the buffer */ + obfbuf = sss_base64_decode(test_ctx, b64encoded, &obflen); + fail_if(!obfbuf); + fail_if(obflen != strlen((const char*)expected)); + fail_if(memcmp(obfbuf, expected, obflen) != 0); + + talloc_free(test_ctx); +} +END_TEST + 
+START_TEST(test_sss_encrypt_decrypt) +{ + uint8_t key[] = { + 0x0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, + 0x8, 0x9, 0xa, 0xb, 0xc, 0xd, 0xe, 0xf, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f + }; + size_t key_len = sizeof(key); /* need to be 32 */ + const char input_text[] = "Secret text"; + const size_t input_text_len = sizeof(input_text) - 1; + uint8_t *cipher_text; + size_t cipher_text_len; + uint8_t *plain_text; + size_t plain_text_len; + int ret; + + test_ctx = talloc_new(NULL); + fail_if(test_ctx == NULL); + + ret = sss_encrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, + (const uint8_t *)input_text, input_text_len, + &cipher_text, &cipher_text_len); + + fail_if(ret != 0); + fail_if(cipher_text_len == 0); + + ret = memcmp(input_text, cipher_text, input_text_len); + fail_if(ret == 0, "Input and encrypted text has common prefix"); + + ret = sss_decrypt(test_ctx, AES256CBC_HMAC_SHA256, key, key_len, + cipher_text, cipher_text_len, + &plain_text, &plain_text_len); + fail_if(ret != 0); + fail_if(plain_text_len != input_text_len); + + ret = memcmp(plain_text, input_text, input_text_len); + fail_if(ret != 0, "input text is not the same as de-encrypted text"); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_s3crypt_sha512) +{ + int ret; + char *salt; + char *userhash; + char *comphash; + const char *password = "password123"; + const char *expected_hash = "$6$tU67Q/9h3tm5WJ.U$aL9gjCfiSZQewHTI6A4/MHCVWrMCiJZ.gNXEIw6HO39XGbg.s2nTyGlYXeoQyQtDll3XSbIZN41fJEC3v7ELy0"; + + test_ctx = talloc_new(NULL); + fail_if(test_ctx == NULL); + + ret = s3crypt_gen_salt(test_ctx, &salt); + fail_if(ret != 0); + + ret = s3crypt_sha512(test_ctx, password, salt, &userhash); + fail_if(ret != 0); + + ret = s3crypt_sha512(test_ctx, password, userhash, &comphash); + fail_if(ret != 0); + ck_assert_str_eq(userhash, comphash); + talloc_free(comphash); + + ret = s3crypt_sha512(test_ctx, password, expected_hash, &comphash); + 
fail_if(ret != 0); + ck_assert_str_eq(expected_hash, comphash); + + talloc_free(test_ctx); +} +END_TEST + +Suite *crypto_suite(void) +{ + Suite *s = suite_create("sss_crypto"); + + TCase *tc = tcase_create("sss crypto tests"); + tcase_add_checked_fixture(tc, ck_leak_check_setup, ck_leak_check_teardown); + /* Do some testing */ +#ifdef HAVE_NSS + tcase_add_test(tc, test_nss_init); +#endif + tcase_add_test(tc, test_sss_password_encrypt_decrypt); + tcase_add_test(tc, test_hmac_sha1); + tcase_add_test(tc, test_base64_encode); + tcase_add_test(tc, test_base64_decode); + tcase_add_test(tc, test_sss_encrypt_decrypt); + tcase_add_test(tc, test_s3crypt_sha512); + /* Add all test cases to the test suite */ + suite_add_tcase(s, tc); + + return s; +} + + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int number_failed; + + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug-level", 'd', POPT_ARG_INT, &debug_level, 0, "Set debug level", NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + Suite *s = crypto_suite(); + SRunner *sr = srunner_create(s); + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed(sr); + srunner_free(sr); + + return (number_failed == 0 ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/tests/cwrap/Makefile.am b/src/tests/cwrap/Makefile.am new file mode 100644 index 0000000..a559abe --- /dev/null +++ b/src/tests/cwrap/Makefile.am 
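Review bot: In `test_sss_password_encrypt_decrypt` the round-trip assertion `fail_if(ctpwd && strcmp(password[i], ctpwd) != 0);` passes when `ctpwd` is NULL. Because `obfpwd` and `ctpwd` keep their freed values across iterations, a decrypt that returns EOK without writing its output would either go unnoticed or be compared against freed memory. I would assert `fail_if(ctpwd == NULL || strcmp(password[i], ctpwd) != 0);` and set both pointers back to NULL after each `talloc_free`. `test_sss_encrypt_decrypt` covers only the success path of `AES256CBC_HMAC_SHA256`. A negative case that changes one byte of `cipher_text` and expects `sss_decrypt` to return an error would confirm that the integrity check is enforced.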
@@ -0,0 +1,219 @@
+AM_CPPFLAGS = \
+ -std=gnu99 \
+ -Wall \
+ -I$(top_srcdir)/src \
+ -I. \
+ -DLOCALEDIR=\"$(localedir)\" \
+ -DLIBDIR=\"$(libdir)\" \
+ -DVARDIR=\"$(localstatedir)\" \
+ -DSSS_STATEDIR=\"$(localstatedir)/lib/sss\" \
+ -DSYSCONFDIR=\"$(sysconfdir)\" \
+ $(DBUS_CFLAGS) \
+ $(GLIB2_CFLAGS) \
+ $(NULL)
+
+TESTS_ENVIRONMENT = \
+ CWRAP_TEST_SRCDIR=$(abs_srcdir) \
+ ABS_TOP_BUILDDIR=$(abs_top_builddir) \
+ . $(srcdir)/cwrap_test_setup.sh; \
+ $(AUX_TESTS_ENVIRONMENT) \
+ $(NULL)
+
+dist_noinst_SCRIPTS = \
+ cwrap_test_setup.sh \
+ $(NULL)
+
+SSSD_LIBS = \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(POPT_LIBS) \
+ $(LDB_LIBS) \
+ $(DBUS_LIBS) \
+ $(PCRE_LIBS) \
+ $(INI_CONFIG_LIBS) \
+ $(COLLECTION_LIBS) \
+ $(DHASH_LIBS) \
+ $(OPENLDAP_LIBS) \
+ $(TDB_LIBS)
+
+SSSD_CACHE_REQ_OBJ = \
+ ../../../src/responder/common/cache_req/cache_req.c \
+ ../../../src/responder/common/cache_req/cache_req_result.c \
+ ../../../src/responder/common/cache_req/cache_req_search.c \
+ ../../../src/responder/common/cache_req/cache_req_data.c \
+ ../../../src/responder/common/cache_req/cache_req_domain.c \
+ ../../../src/responder/common/cache_req/cache_req_sr_overlay.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_common.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \
+ ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \
+ $(NULL)
+
+SSSD_RESPONDER_IFACE_OBJ = \
+ ../../../src/responder/common/iface/responder_iface.c \
+ ../../../src/responder/common/iface/responder_domain.c \
+ ../../../src/responder/common/iface/responder_ncache.c \
+ ../../../src/responder/common/iface/responder_iface_generated.c \
+ $(NULL)
+
+SSSD_RESPONDER_OBJ = \
+ ../../../src/responder/common/negcache_files.c \
+ ../../../src/responder/common/negcache.c \
+ ../../../src/responder/common/responder_cmd.c \
+ ../../../src/responder/common/responder_common.c \
+ ../../../src/responder/common/responder_dp.c \
+ ../../../src/responder/common/responder_dp_ssh.c \
+ ../../../src/responder/common/responder_packet.c \
+ ../../../src/responder/common/responder_get_domains.c \
+ ../../../src/responder/common/responder_utils.c \
+ ../../../src/responder/common/data_provider/rdp_message.c \
+ ../../../src/responder/common/data_provider/rdp_client.c \
+ ../../../src/monitor/monitor_iface_generated.c \
+ ../../../src/providers/data_provider_req.c \
+ ../../../src/util/session_recording.c \
+ $(SSSD_RESPONDER_IFACE_OBJ) \
+ $(SSSD_CACHE_REQ_OBJ) \
+ $(NULL)
+
+dist_noinst_DATA = \
+ group \
+ passwd \
+ $(NULL)
+
+check_PROGRAMS =
+if HAVE_CMOCKA
+if HAVE_NSS_WRAPPER
+if HAVE_UID_WRAPPER
+check_PROGRAMS += \
+ become_user-tests \
+ server-tests \
+ usertools-tests \
+ responder_common-tests \
+ negcache-tests \
+ $(NULL)
+endif # HAVE_UID_WRAPPER
+endif # HAVE_NSS_WRAPPER
+endif # HAVE_CMOCKA
+
+TESTS = $(check_PROGRAMS)
+
+become_user_tests_SOURCES = \
+ test_become_user.c \
+ $(NULL)
+become_user_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+become_user_tests_LDADD = \
+ $(POPT_LIBS) \
+ $(CMOCKA_LIBS) \
+ $(abs_top_builddir)/libsss_debug.la \
+ $(abs_top_builddir)/libsss_test_common.la \
+ $(NULL)
+
+server_tests_SOURCES = \
+ test_server.c \
+ ../../../src/util/server.c \
+ $(NULL)
+server_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DTEST_DB_PATH=\"server_tests\" \
+ -DTEST_PID_PATH=\"server_tests\" \
+ -DUNIT_TESTING \
+ $(NULL)
+server_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(TEVENT_LIBS) \
+ $(abs_top_builddir)/libsss_util.la \
+ $(abs_top_builddir)/libsss_debug.la \
+ $(abs_top_builddir)/libsss_test_common.la \
+ $(NULL)
+if BUILD_SYSTEMTAP
+server_tests_LDADD += $(abs_top_builddir)/stap_generated_probes.lo
+endif
+
+usertools_tests_SOURCES = \
+ test_usertools.c \
+ $(NULL)
+usertools_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+usertools_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(POPT_LIBS) \
+ $(TALLOC_LIBS) \
+ $(abs_top_builddir)/libsss_util.la \
+ $(abs_top_builddir)/libsss_debug.la \
+ $(abs_top_builddir)/libsss_test_common.la \
+ $(NULL)
+if BUILD_SYSTEMTAP
+usertools_tests_LDADD += $(abs_top_builddir)/stap_generated_probes.lo
+endif
+
+responder_common_tests_SOURCES =\
+ test_responder_common.c \
+ ../../../src/responder/common/iface/responder_iface.c \
+ ../../../src/responder/common/iface/responder_domain.c \
+ ../../../src/responder/common/iface/responder_ncache.c \
+ ../../../src/responder/common/iface/responder_iface_generated.c \
+ ../../../src/responder/common/negcache_files.c \
+ ../../../src/responder/common/negcache.c \
+ ../../../src/responder/common/data_provider/rdp_message.c \
+ ../../../src/responder/common/data_provider/rdp_client.c \
+ ../../../src/responder/common/responder_common.c \
+ ../../../src/responder/common/responder_packet.c \
+ ../../../src/responder/common/responder_cmd.c \
+ ../../../src/tests/cmocka/common_mock_resp_dp.c \
+ ../../../src/util/session_recording.c \
+ $(SSSD_CACHE_REQ_OBJ) \
+ $(NULL)
+responder_common_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(NULL)
+responder_common_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SELINUX_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(abs_top_builddir)/libsss_util.la \
+ $(abs_top_builddir)/libsss_debug.la \
+ $(abs_top_builddir)/libsss_test_common.la \
+ $(NULL)
+
+negcache_tests_SOURCES =\
+ $(SSSD_RESPONDER_OBJ) \
+ test_negcache.c \
+ $(NULL)
+negcache_tests_CFLAGS = \
+ $(AM_CFLAGS) \
+ -DBASE_FILE_STEM=\"$(*F)\" \
+ $(NULL)
+negcache_tests_LDADD = \
+ $(CMOCKA_LIBS) \
+ $(SSSD_LIBS) \
+ $(SELINUX_LIBS) \
+ $(SYSTEMD_DAEMON_LIBS) \
+ $(abs_top_builddir)/libsss_util.la \
+ $(abs_top_builddir)/libsss_debug.la \
+ $(abs_top_builddir)/libsss_test_common.la \
+ $(NULL)
+
+tests: $(check_PROGRAMS)
diff --git a/src/tests/cwrap/Makefile.in b/src/tests/cwrap/Makefile.in
new file mode 100644
index 0000000..03af085
--- /dev/null
+++ b/src/tests/cwrap/Makefile.in
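Review bot: `responder_common_tests_SOURCES` in src/tests/cwrap/Makefile.am spells out the four `responder/common/iface/*.c` files by hand, although `SSSD_RESPONDER_IFACE_OBJ`, defined earlier in the same hunk, holds exactly that list, so the two can drift apart when an iface source is added or renamed. Replacing those four entries with `$(SSSD_RESPONDER_IFACE_OBJ) \` keeps this test binary in step with `negcache_tests`, which already receives them through `$(SSSD_RESPONDER_OBJ)`. The `*_OBJ` variables hold `.c` sources rather than objects; a one-line comment above them, such as `# source lists compiled per test target, not prebuilt objects`, would spare the next reader the guess.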
@@ -0,0 +1,3293 @@ +# Makefile.in generated by automake 1.15.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2017 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +check_PROGRAMS = $(am__EXEEXT_1) +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@am__append_1 = \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ become_user-tests \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ server-tests \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ usertools-tests \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ responder_common-tests \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ negcache-tests \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ $(NULL) + +@BUILD_SYSTEMTAP_TRUE@am__append_2 = $(abs_top_builddir)/stap_generated_probes.lo +@BUILD_SYSTEMTAP_TRUE@am__append_3 = $(abs_top_builddir)/stap_generated_probes.lo +subdir = src/tests/cwrap +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/version.m4 
$(top_srcdir)/src/build_macros.m4 \ + $(top_srcdir)/src/external/platform.m4 \ + $(top_srcdir)/src/conf_macros.m4 \ + $(top_srcdir)/src/external/pkg.m4 \ + $(top_srcdir)/src/external/libpopt.m4 \ + $(top_srcdir)/src/external/libtalloc.m4 \ + $(top_srcdir)/src/external/libtdb.m4 \ + $(top_srcdir)/src/external/libtevent.m4 \ + $(top_srcdir)/src/external/libldb.m4 \ + $(top_srcdir)/src/external/libdhash.m4 \ + $(top_srcdir)/src/external/libcollection.m4 \ + $(top_srcdir)/src/external/libini_config.m4 \ + $(top_srcdir)/src/external/pam.m4 \ + $(top_srcdir)/src/external/ldap.m4 \ + $(top_srcdir)/src/external/libpcre.m4 \ + $(top_srcdir)/src/external/krb5.m4 \ + $(top_srcdir)/src/external/libcares.m4 \ + $(top_srcdir)/src/external/libcmocka.m4 \ + $(top_srcdir)/src/external/docbook.m4 \ + $(top_srcdir)/src/external/sizes.m4 \ + $(top_srcdir)/src/external/python.m4 \ + $(top_srcdir)/src/external/selinux.m4 \ + $(top_srcdir)/src/external/crypto.m4 \ + $(top_srcdir)/src/external/nscd.m4 \ + $(top_srcdir)/src/external/nsupdate.m4 \ + $(top_srcdir)/src/external/libkeyutils.m4 \ + $(top_srcdir)/src/external/libnl.m4 \ + $(top_srcdir)/src/external/systemd.m4 \ + $(top_srcdir)/src/external/pac_responder.m4 \ + $(top_srcdir)/src/external/cifsidmap.m4 \ + $(top_srcdir)/src/external/signal.m4 \ + $(top_srcdir)/src/external/inotify.m4 \ + $(top_srcdir)/src/external/samba.m4 \ + $(top_srcdir)/src/external/sasl.m4 \ + $(top_srcdir)/src/external/libnfsidmap.m4 \ + $(top_srcdir)/src/external/cwrap.m4 \ + $(top_srcdir)/src/external/libresolv.m4 \ + $(top_srcdir)/src/external/intgcheck.m4 \ + $(top_srcdir)/src/external/systemtap.m4 \ + $(top_srcdir)/src/external/service.m4 \ + $(top_srcdir)/src/external/test_ca.m4 \ + $(top_srcdir)/src/external/libhttp_parser.m4 \ + $(top_srcdir)/src/external/libuuid.m4 \ + $(top_srcdir)/src/external/libcurl.m4 \ + $(top_srcdir)/src/external/libjansson.m4 \ + $(top_srcdir)/src/external/libunistring.m4 \ + $(top_srcdir)/src/external/glib.m4 \ + 
$(top_srcdir)/src/external/p11-kit.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_SCRIPTS) \ + $(dist_noinst_DATA) $(am__DIST_COMMON) +mkinstalldirs = $(SHELL) $(top_srcdir)/build/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@am__EXEEXT_1 = become_user-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ server-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ usertools-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ responder_common-tests$(EXEEXT) \ +@HAVE_CMOCKA_TRUE@@HAVE_NSS_WRAPPER_TRUE@@HAVE_UID_WRAPPER_TRUE@ negcache-tests$(EXEEXT) +am_become_user_tests_OBJECTS = \ + become_user_tests-test_become_user.$(OBJEXT) +become_user_tests_OBJECTS = $(am_become_user_tests_OBJECTS) +am__DEPENDENCIES_1 = +become_user_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +become_user_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(become_user_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +am__dirstamp = $(am__leading_dot)dirstamp +am__objects_1 = ../../../src/responder/common/iface/negcache_tests-responder_iface.$(OBJEXT) \ + ../../../src/responder/common/iface/negcache_tests-responder_domain.$(OBJEXT) \ + ../../../src/responder/common/iface/negcache_tests-responder_ncache.$(OBJEXT) \ + ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.$(OBJEXT) +am__objects_2 = 
../../../src/responder/common/cache_req/negcache_tests-cache_req.$(OBJEXT) \ + ../../../src/responder/common/cache_req/negcache_tests-cache_req_result.$(OBJEXT) \ + ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.$(OBJEXT) \ + ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.$(OBJEXT) \ + ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.$(OBJEXT) \ + ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.$(OBJEXT) +am__objects_3 = ../../../src/responder/common/negcache_tests-negcache_files.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-negcache.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_cmd.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_common.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_dp.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_dp_ssh.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_packet.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_get_domains.$(OBJEXT) \ + ../../../src/responder/common/negcache_tests-responder_utils.$(OBJEXT) \ + ../../../src/responder/common/data_provider/negcache_tests-rdp_message.$(OBJEXT) \ + ../../../src/responder/common/data_provider/negcache_tests-rdp_client.$(OBJEXT) \ + ../../../src/monitor/negcache_tests-monitor_iface_generated.$(OBJEXT) \ + ../../../src/providers/negcache_tests-data_provider_req.$(OBJEXT) \ + ../../../src/util/negcache_tests-session_recording.$(OBJEXT) \ + $(am__objects_1) $(am__objects_2) +am_negcache_tests_OBJECTS = $(am__objects_3) \ + negcache_tests-test_negcache.$(OBJEXT) +negcache_tests_OBJECTS = $(am_negcache_tests_OBJECTS) +am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) 
$(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) +negcache_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la +negcache_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(negcache_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o \ + $@ +am__objects_4 = ../../../src/responder/common/cache_req/responder_common_tests-cache_req.$(OBJEXT) \ + ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.$(OBJEXT) \ + ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.$(OBJEXT) \ + ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.$(OBJEXT) \ + ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.$(OBJEXT) \ + ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.$(OBJEXT) \ + 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.$(OBJEXT) \ + ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.$(OBJEXT) +am_responder_common_tests_OBJECTS = \ + responder_common_tests-test_responder_common.$(OBJEXT) \ + ../../../src/responder/common/iface/responder_common_tests-responder_iface.$(OBJEXT) \ + ../../../src/responder/common/iface/responder_common_tests-responder_domain.$(OBJEXT) \ + ../../../src/responder/common/iface/responder_common_tests-responder_ncache.$(OBJEXT) \ + ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.$(OBJEXT) \ + 
../../../src/responder/common/responder_common_tests-negcache_files.$(OBJEXT) \ + ../../../src/responder/common/responder_common_tests-negcache.$(OBJEXT) \ + ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.$(OBJEXT) \ + ../../../src/responder/common/data_provider/responder_common_tests-rdp_client.$(OBJEXT) \ + ../../../src/responder/common/responder_common_tests-responder_common.$(OBJEXT) \ + ../../../src/responder/common/responder_common_tests-responder_packet.$(OBJEXT) \ + ../../../src/responder/common/responder_common_tests-responder_cmd.$(OBJEXT) \ + ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.$(OBJEXT) \ + ../../../src/util/responder_common_tests-session_recording.$(OBJEXT) \ + $(am__objects_4) +responder_common_tests_OBJECTS = $(am_responder_common_tests_OBJECTS) +responder_common_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la +responder_common_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(responder_common_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +am_server_tests_OBJECTS = server_tests-test_server.$(OBJEXT) \ + ../../../src/util/server_tests-server.$(OBJEXT) +server_tests_OBJECTS = $(am_server_tests_OBJECTS) +server_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la $(am__append_2) +server_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(server_tests_CFLAGS) \ + $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ +am_usertools_tests_OBJECTS = usertools_tests-test_usertools.$(OBJEXT) +usertools_tests_OBJECTS = 
$(am_usertools_tests_OBJECTS) +usertools_tests_DEPENDENCIES = $(am__DEPENDENCIES_1) \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ + $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la $(am__append_3) +usertools_tests_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(usertools_tests_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) \ + -o $@ +SCRIPTS = $(dist_noinst_SCRIPTS) +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(become_user_tests_SOURCES) $(negcache_tests_SOURCES) \ + $(responder_common_tests_SOURCES) $(server_tests_SOURCES) \ + $(usertools_tests_SOURCES) +DIST_SOURCES = $(become_user_tests_SOURCES) $(negcache_tests_SOURCES) \ + $(responder_common_tests_SOURCES) $(server_tests_SOURCES) \ + 
$(usertools_tests_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +DATA = $(dist_noinst_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red=''; \ + grn=''; \ + lgn=''; \ + blu=''; \ + mgn=''; \ + brg=''; \ + std=''; \ + fi; \ +} +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p 
in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__recheck_rx = ^[ ]*:recheck:[ ]* +am__global_test_result_rx = ^[ ]*:global-test-result:[ ]* +am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]* +# A command that, given a newline-separated list of test names on the +# standard input, print the name of the tests that are to be re-run +# upon "make recheck". +am__list_recheck_tests = $(AWK) '{ \ + recheck = 1; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + { \ + if ((getline line2 < ($$0 ".log")) < 0) \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \ + { \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \ + { \ + break; \ + } \ + }; \ + if (recheck) \ + print $$0; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# A command that, given a newline-separated list of test names on the +# standard input, create the global log from their .trs and .log files. 
+am__create_global_log = $(AWK) ' \ +function fatal(msg) \ +{ \ + print "fatal: making $@: " msg | "cat >&2"; \ + exit 1; \ +} \ +function rst_section(header) \ +{ \ + print header; \ + len = length(header); \ + for (i = 1; i <= len; i = i + 1) \ + printf "="; \ + printf "\n\n"; \ +} \ +{ \ + copy_in_global_log = 1; \ + global_test_result = "RUN"; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".trs"); \ + if (line ~ /$(am__global_test_result_rx)/) \ + { \ + sub("$(am__global_test_result_rx)", "", line); \ + sub("[ ]*$$", "", line); \ + global_test_result = line; \ + } \ + else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \ + copy_in_global_log = 0; \ + }; \ + if (copy_in_global_log) \ + { \ + rst_section(global_test_result ": " $$0); \ + while ((rc = (getline line < ($$0 ".log"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".log"); \ + print line; \ + }; \ + printf "\n"; \ + }; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# Restructured Text title. +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +# Solaris 10 'make', and several other traditional 'make' implementations, +# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it +# by disabling -e (using the XSI extension "set +e") if it's set. +am__sh_e_setup = case $$- in *e*) set +e;; esac +# Default flags passed to test drivers. +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +# To be inserted before the command running the test. Creates the +# directory for the log if needed. Stores in $dir the directory +# containing $f, in $tst the test, in $log the log. Executes the +# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and +# passes TESTS_ENVIRONMENT. 
Set up options for the wrapper that +# will run the test scripts (or their associated LOG_COMPILER, if +# thy have one). +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." || test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; \ +case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \ + am__expect_failure=yes;; \ + *) \ + am__expect_failure=no;; \ +esac; \ +$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT) +# A shell command to get the names of the tests scripts with any registered +# extension removed (i.e., equivalently, the names of the test logs, with +# the '.log' extension removed). The result is saved in the shell variable +# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly, +# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)", +# since that might cause problem with VPATH rewrites for suffix-less tests. +# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'. 
+am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ + bases=`echo $$bases` +RECHECK_LOGS = $(TEST_LOGS) +AM_RECURSIVE_TARGETS = check recheck +TEST_SUITE_LOG = test-suite.log +TEST_EXTENSIONS = @EXEEXT@ .test +LOG_DRIVER = $(SHELL) $(top_srcdir)/build/test-driver +LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS) +am__set_b = \ + case '$@' in \ + */*) \ + case '$*' in \ + */*) b='$*';; \ + *) b=`echo '$@' | sed 's/\.log$$//'`; \ + esac;; \ + *) \ + b='$*';; \ + esac +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log) +TEST_LOGS = $(am__test_logs2:.test.log=.log) +TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build/test-driver +TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ + $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/depcomp \ + $(top_srcdir)/build/mkinstalldirs \ + $(top_srcdir)/build/test-driver +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CARES_CFLAGS = @CARES_CFLAGS@ +CARES_LIBS = @CARES_LIBS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CERTUTIL = @CERTUTIL@ +CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +CMOCKA_CFLAGS = @CMOCKA_CFLAGS@ +CMOCKA_LIBS = @CMOCKA_LIBS@ +COLLECTION_CFLAGS = @COLLECTION_CFLAGS@ +COLLECTION_LIBS = @COLLECTION_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CURL_CFLAGS = @CURL_CFLAGS@ +CURL_LIBS = @CURL_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DBUS_CFLAGS = @DBUS_CFLAGS@ +DBUS_LIBS = @DBUS_LIBS@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DHASH_CFLAGS = @DHASH_CFLAGS@ +DHASH_LIBS = @DHASH_LIBS@ +DLLTOOL = @DLLTOOL@ +DOCBOOK_XSLT = @DOCBOOK_XSLT@ +DOXYGEN = @DOXYGEN@ +DSYMUTIL = @DSYMUTIL@ +DTRACE = @DTRACE@ 
+DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GDM_PAM_EXTENSIONS_CFLAGS = @GDM_PAM_EXTENSIONS_CFLAGS@ +GDM_PAM_EXTENSIONS_LIBS = @GDM_PAM_EXTENSIONS_LIBS@ +GLIB2_CFLAGS = @GLIB2_CFLAGS@ +GLIB2_LIBS = @GLIB2_LIBS@ +GMSGFMT = @GMSGFMT@ +GPO_DEFAULT = @GPO_DEFAULT@ +GREP = @GREP@ +HAVE_FAKEROOT = @HAVE_FAKEROOT@ +HAVE_LDAPMODIFY = @HAVE_LDAPMODIFY@ +HAVE_MANPAGES = @HAVE_MANPAGES@ +HAVE_NSS_WRAPPER = @HAVE_NSS_WRAPPER@ +HAVE_PYTHON2 = @HAVE_PYTHON2@ +HAVE_PYTHON2_BINDINGS = @HAVE_PYTHON2_BINDINGS@ +HAVE_PYTHON3 = @HAVE_PYTHON3@ +HAVE_PYTHON3_BINDINGS = @HAVE_PYTHON3_BINDINGS@ +HAVE_SELINUX = @HAVE_SELINUX@ +HAVE_SEMANAGE = @HAVE_SEMANAGE@ +HAVE_UID_WRAPPER = @HAVE_UID_WRAPPER@ +HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@ +HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@ +INI_CONFIG_CFLAGS = @INI_CONFIG_CFLAGS@ +INI_CONFIG_LIBS = @INI_CONFIG_LIBS@ +INI_CONFIG_V0_CFLAGS = @INI_CONFIG_V0_CFLAGS@ +INI_CONFIG_V0_LIBS = @INI_CONFIG_V0_LIBS@ +INI_CONFIG_V1_1_CFLAGS = @INI_CONFIG_V1_1_CFLAGS@ +INI_CONFIG_V1_1_LIBS = @INI_CONFIG_V1_1_LIBS@ +INI_CONFIG_V1_3_CFLAGS = @INI_CONFIG_V1_3_CFLAGS@ +INI_CONFIG_V1_3_LIBS = @INI_CONFIG_V1_3_LIBS@ +INI_CONFIG_V1_CFLAGS = @INI_CONFIG_V1_CFLAGS@ +INI_CONFIG_V1_LIBS = @INI_CONFIG_V1_LIBS@ +INOTIFY_LIBS = @INOTIFY_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +JANSSON_CFLAGS = @JANSSON_CFLAGS@ +JANSSON_LIBS = @JANSSON_LIBS@ +JOURNALD_CFLAGS = @JOURNALD_CFLAGS@ +JOURNALD_LIBS = @JOURNALD_LIBS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_CONFIG = @KRB5_CONFIG@ +KRB5_LIBS = @KRB5_LIBS@ +LD = @LD@ +LDB_CFLAGS = @LDB_CFLAGS@ +LDB_LIBS = @LDB_LIBS@ +LDFLAGS = @LDFLAGS@ +LIBADD_DL = @LIBADD_DL@ +LIBADD_DLD_LINK = @LIBADD_DLD_LINK@ +LIBADD_DLOPEN = @LIBADD_DLOPEN@ 
+LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@ +LIBADD_TIMER = @LIBADD_TIMER@ +LIBCLOCK_GETTIME = @LIBCLOCK_GETTIME@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNL1_CFLAGS = @LIBNL1_CFLAGS@ +LIBNL1_LIBS = @LIBNL1_LIBS@ +LIBNL3_CFLAGS = @LIBNL3_CFLAGS@ +LIBNL3_LIBS = @LIBNL3_LIBS@ +LIBNL_CFLAGS = @LIBNL_CFLAGS@ +LIBNL_LIBS = @LIBNL_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_DLLOADERS = @LT_DLLOADERS@ +LT_DLPREOPEN = @LT_DLPREOPEN@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGMERGE = @MSGMERGE@ +NDR_KRB5PAC_CFLAGS = @NDR_KRB5PAC_CFLAGS@ +NDR_KRB5PAC_LIBS = @NDR_KRB5PAC_LIBS@ +NDR_NBT_CFLAGS = @NDR_NBT_CFLAGS@ +NDR_NBT_LIBS = @NDR_NBT_LIBS@ +NFSIDMAP_CFLAGS = @NFSIDMAP_CFLAGS@ +NFSIDMAP_LIBS = @NFSIDMAP_LIBS@ +NFSIDMAP_OBJ = @NFSIDMAP_OBJ@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSCD = @NSCD@ +NSCD_PATH = @NSCD_PATH@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +NSUPDATE = @NSUPDATE@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENLDAP_CFLAGS = @OPENLDAP_CFLAGS@ +OPENLDAP_LIBS = @OPENLDAP_LIBS@ +OPENSSL = @OPENSSL@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +P11TOOL = @P11TOOL@ +P11_KIT_CFLAGS = @P11_KIT_CFLAGS@ +P11_KIT_LIBS = @P11_KIT_LIBS@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_LIBS = @PAM_LIBS@ +PAM_MISC_LIBS = @PAM_MISC_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PCRE_CFLAGS = @PCRE_CFLAGS@ +PCRE_LIBS = @PCRE_LIBS@ +PK12UTIL = @PK12UTIL@ +PKG_CONFIG = @PKG_CONFIG@ +PO4A = @PO4A@ +POPT_CFLAGS = @POPT_CFLAGS@ +POPT_LIBS = @POPT_LIBS@ +POSUB = @POSUB@ +PRERELEASE_VERSION = @PRERELEASE_VERSION@ +PYTEST = @PYTEST@ +PYTHON = @PYTHON@ 
+PYTHON2 = @PYTHON2@ +PYTHON2_CFLAGS = @PYTHON2_CFLAGS@ +PYTHON2_EXEC_PREFIX = @PYTHON2_EXEC_PREFIX@ +PYTHON2_INCLUDES = @PYTHON2_INCLUDES@ +PYTHON2_LIBS = @PYTHON2_LIBS@ +PYTHON2_PREFIX = @PYTHON2_PREFIX@ +PYTHON2_VERSION = @PYTHON2_VERSION@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON3_VERSION = @PYTHON3_VERSION@ +PYTHON_CONFIG = @PYTHON_CONFIG@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RESOLV_CFLAGS = @RESOLV_CFLAGS@ +RESOLV_LIBS = @RESOLV_LIBS@ +SASL_CFLAGS = @SASL_CFLAGS@ +SASL_LIBS = @SASL_LIBS@ +SED = @SED@ +SELINUX_LIBS = @SELINUX_LIBS@ +SEMANAGE_LIBS = @SEMANAGE_LIBS@ +SERVICE = @SERVICE@ +SET_MAKE = @SET_MAKE@ +SGML_CATALOG_FILES = @SGML_CATALOG_FILES@ +SHELL = @SHELL@ +SLAPD = @SLAPD@ +SMBCLIENT_CFLAGS = @SMBCLIENT_CFLAGS@ +SMBCLIENT_LIBS = @SMBCLIENT_LIBS@ +SOFTHSM2_PATH = @SOFTHSM2_PATH@ +SOFTHSM2_UTIL = @SOFTHSM2_UTIL@ +SSH_KEYGEN = @SSH_KEYGEN@ +SSL_CFLAGS = @SSL_CFLAGS@ +SSL_LIBS = @SSL_LIBS@ +SSSD_USER = @SSSD_USER@ +STRIP = @STRIP@ +SYSTEMD_DAEMON_CFLAGS = @SYSTEMD_DAEMON_CFLAGS@ +SYSTEMD_DAEMON_LIBS = @SYSTEMD_DAEMON_LIBS@ +SYSTEMD_LOGIN_CFLAGS = @SYSTEMD_LOGIN_CFLAGS@ +SYSTEMD_LOGIN_LIBS = @SYSTEMD_LOGIN_LIBS@ +TALLOC_CFLAGS = @TALLOC_CFLAGS@ +TALLOC_LIBS = @TALLOC_LIBS@ +TDB_CFLAGS = @TDB_CFLAGS@ +TDB_LIBS = @TDB_LIBS@ +TEST_DIR = @TEST_DIR@ +TEVENT_CFLAGS = @TEVENT_CFLAGS@ +TEVENT_LIBS = @TEVENT_LIBS@ +UNICODE_LIBS = @UNICODE_LIBS@ +USE_NLS = @USE_NLS@ +UUID_CFLAGS = @UUID_CFLAGS@ +UUID_LIBS = @UUID_LIBS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XMLLINT = @XMLLINT@ +XSLTPROC = @XSLTPROC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC 
= @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +appmodpath = @appmodpath@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cifspluginpath = @cifspluginpath@ +config_def_ccache_dir = @config_def_ccache_dir@ +config_def_ccname_template = @config_def_ccname_template@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbpath = @dbpath@ +docdir = @docdir@ +dvidir = @dvidir@ +environment_file = @environment_file@ +exec_prefix = @exec_prefix@ +gpocachepath = @gpocachepath@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +initdir = @initdir@ +install_sh = @install_sh@ +krb5authdatapluginpath = @krb5authdatapluginpath@ +krb5pluginpath = @krb5pluginpath@ +krb5rcachedir = @krb5rcachedir@ +ldblibdir = @ldblibdir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libwbclient_version = @libwbclient_version@ +libwbclient_version_info = @libwbclient_version_info@ +localedir = @localedir@ +localstatedir = @localstatedir@ +logpath = @logpath@ +mandir = @mandir@ +mcpath = @mcpath@ +mkdir_p = @mkdir_p@ +nfsidmaplibdir = @nfsidmaplibdir@ +nfslibpath = @nfslibpath@ +nsslibdir = @nsslibdir@ +oldincludedir = @oldincludedir@ +pammoddir = @pammoddir@ +pdfdir = @pdfdir@ +pidpath = @pidpath@ +pipepath = @pipepath@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pluginpath = @pluginpath@ +polkitdir = @polkitdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pubconfpath = @pubconfpath@ +py2execdir = @py2execdir@ +py3execdir = @py3execdir@ +pyexecdir = @pyexecdir@ +python2dir = @python2dir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = 
@runstatedir@ +sbindir = @sbindir@ +secdbpath = @secdbpath@ +session_recording_shell = @session_recording_shell@ +sharedbuilddir = @sharedbuilddir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sudolibpath = @sudolibpath@ +sysconfdir = @sysconfdir@ +systemdconfdir = @systemdconfdir@ +systemdunitdir = @systemdunitdir@ +tapset_dir = @tapset_dir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +winbindpluginpath = @winbindpluginpath@ +AM_CPPFLAGS = \ + -std=gnu99 \ + -Wall \ + -I$(top_srcdir)/src \ + -I. \ + -DLOCALEDIR=\"$(localedir)\" \ + -DLIBDIR=\"$(libdir)\" \ + -DVARDIR=\"$(localstatedir)\" \ + -DSSS_STATEDIR=\"$(localstatedir)/lib/sss\" \ + -DSYSCONFDIR=\"$(sysconfdir)\" \ + $(DBUS_CFLAGS) \ + $(GLIB2_CFLAGS) \ + $(NULL) + +TESTS_ENVIRONMENT = \ + CWRAP_TEST_SRCDIR=$(abs_srcdir) \ + ABS_TOP_BUILDDIR=$(abs_top_builddir) \ + . $(srcdir)/cwrap_test_setup.sh; \ + $(AUX_TESTS_ENVIRONMENT) \ + $(NULL) + +dist_noinst_SCRIPTS = \ + cwrap_test_setup.sh \ + $(NULL) + +SSSD_LIBS = \ + $(TALLOC_LIBS) \ + $(TEVENT_LIBS) \ + $(POPT_LIBS) \ + $(LDB_LIBS) \ + $(DBUS_LIBS) \ + $(PCRE_LIBS) \ + $(INI_CONFIG_LIBS) \ + $(COLLECTION_LIBS) \ + $(DHASH_LIBS) \ + $(OPENLDAP_LIBS) \ + $(TDB_LIBS) + +SSSD_CACHE_REQ_OBJ = \ + ../../../src/responder/common/cache_req/cache_req.c \ + ../../../src/responder/common/cache_req/cache_req_result.c \ + ../../../src/responder/common/cache_req/cache_req_search.c \ + ../../../src/responder/common/cache_req/cache_req_data.c \ + ../../../src/responder/common/cache_req/cache_req_domain.c \ + ../../../src/responder/common/cache_req/cache_req_sr_overlay.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_common.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c \ + 
../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c \ + ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c \ + $(NULL) + +SSSD_RESPONDER_IFACE_OBJ = \ + ../../../src/responder/common/iface/responder_iface.c \ + ../../../src/responder/common/iface/responder_domain.c \ + ../../../src/responder/common/iface/responder_ncache.c \ + ../../../src/responder/common/iface/responder_iface_generated.c \ + $(NULL) + +SSSD_RESPONDER_OBJ = \ + ../../../src/responder/common/negcache_files.c \ + ../../../src/responder/common/negcache.c \ + ../../../src/responder/common/responder_cmd.c \ + ../../../src/responder/common/responder_common.c \ + ../../../src/responder/common/responder_dp.c \ + ../../../src/responder/common/responder_dp_ssh.c \ + ../../../src/responder/common/responder_packet.c 
\ + ../../../src/responder/common/responder_get_domains.c \ + ../../../src/responder/common/responder_utils.c \ + ../../../src/responder/common/data_provider/rdp_message.c \ + ../../../src/responder/common/data_provider/rdp_client.c \ + ../../../src/monitor/monitor_iface_generated.c \ + ../../../src/providers/data_provider_req.c \ + ../../../src/util/session_recording.c \ + $(SSSD_RESPONDER_IFACE_OBJ) \ + $(SSSD_CACHE_REQ_OBJ) \ + $(NULL) + +dist_noinst_DATA = \ + group \ + passwd \ + $(NULL) + +TESTS = $(check_PROGRAMS) +become_user_tests_SOURCES = \ + test_become_user.c \ + $(NULL) + +become_user_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +become_user_tests_LDADD = \ + $(POPT_LIBS) \ + $(CMOCKA_LIBS) \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la \ + $(NULL) + +server_tests_SOURCES = \ + test_server.c \ + ../../../src/util/server.c \ + $(NULL) + +server_tests_CFLAGS = \ + $(AM_CFLAGS) \ + -DTEST_DB_PATH=\"server_tests\" \ + -DTEST_PID_PATH=\"server_tests\" \ + -DUNIT_TESTING \ + $(NULL) + +server_tests_LDADD = $(CMOCKA_LIBS) $(POPT_LIBS) $(TALLOC_LIBS) \ + $(TEVENT_LIBS) $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la $(NULL) \ + $(am__append_2) +usertools_tests_SOURCES = \ + test_usertools.c \ + $(NULL) + +usertools_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +usertools_tests_LDADD = $(CMOCKA_LIBS) $(POPT_LIBS) $(TALLOC_LIBS) \ + $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la $(NULL) \ + $(am__append_3) +responder_common_tests_SOURCES = \ + test_responder_common.c \ + ../../../src/responder/common/iface/responder_iface.c \ + ../../../src/responder/common/iface/responder_domain.c \ + ../../../src/responder/common/iface/responder_ncache.c \ + ../../../src/responder/common/iface/responder_iface_generated.c \ + ../../../src/responder/common/negcache_files.c \ + 
../../../src/responder/common/negcache.c \ + ../../../src/responder/common/data_provider/rdp_message.c \ + ../../../src/responder/common/data_provider/rdp_client.c \ + ../../../src/responder/common/responder_common.c \ + ../../../src/responder/common/responder_packet.c \ + ../../../src/responder/common/responder_cmd.c \ + ../../../src/tests/cmocka/common_mock_resp_dp.c \ + ../../../src/util/session_recording.c \ + $(SSSD_CACHE_REQ_OBJ) \ + $(NULL) + +responder_common_tests_CFLAGS = \ + $(AM_CFLAGS) \ + $(NULL) + +responder_common_tests_LDADD = \ + $(CMOCKA_LIBS) \ + $(SSSD_LIBS) \ + $(SELINUX_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ + $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la \ + $(NULL) + +negcache_tests_SOURCES = \ + $(SSSD_RESPONDER_OBJ) \ + test_negcache.c \ + $(NULL) + +negcache_tests_CFLAGS = \ + $(AM_CFLAGS) \ + -DBASE_FILE_STEM=\"$(*F)\" \ + $(NULL) + +negcache_tests_LDADD = \ + $(CMOCKA_LIBS) \ + $(SSSD_LIBS) \ + $(SELINUX_LIBS) \ + $(SYSTEMD_DAEMON_LIBS) \ + $(abs_top_builddir)/libsss_util.la \ + $(abs_top_builddir)/libsss_debug.la \ + $(abs_top_builddir)/libsss_test_common.la \ + $(NULL) + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/tests/cwrap/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/tests/cwrap/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +become_user-tests$(EXEEXT): $(become_user_tests_OBJECTS) $(become_user_tests_DEPENDENCIES) $(EXTRA_become_user_tests_DEPENDENCIES) + @rm -f become_user-tests$(EXEEXT) + $(AM_V_CCLD)$(become_user_tests_LINK) $(become_user_tests_OBJECTS) $(become_user_tests_LDADD) $(LIBS) +../../../src/responder/common/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common + @: > ../../../src/responder/common/$(am__dirstamp) +../../../src/responder/common/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/$(DEPDIR) + @: > ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-negcache_files.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-negcache.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_cmd.$(OBJEXT): \ + 
../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_common.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_dp.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_dp_ssh.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_packet.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_get_domains.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/negcache_tests-responder_utils.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/data_provider/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/data_provider + @: > ../../../src/responder/common/data_provider/$(am__dirstamp) +../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/data_provider/$(DEPDIR) + @: > ../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/data_provider/negcache_tests-rdp_message.$(OBJEXT): \ + ../../../src/responder/common/data_provider/$(am__dirstamp) \ + ../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/data_provider/negcache_tests-rdp_client.$(OBJEXT): \ + ../../../src/responder/common/data_provider/$(am__dirstamp) \ + 
../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +../../../src/monitor/$(am__dirstamp): + @$(MKDIR_P) ../../../src/monitor + @: > ../../../src/monitor/$(am__dirstamp) +../../../src/monitor/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/monitor/$(DEPDIR) + @: > ../../../src/monitor/$(DEPDIR)/$(am__dirstamp) +../../../src/monitor/negcache_tests-monitor_iface_generated.$(OBJEXT): \ + ../../../src/monitor/$(am__dirstamp) \ + ../../../src/monitor/$(DEPDIR)/$(am__dirstamp) +../../../src/providers/$(am__dirstamp): + @$(MKDIR_P) ../../../src/providers + @: > ../../../src/providers/$(am__dirstamp) +../../../src/providers/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/providers/$(DEPDIR) + @: > ../../../src/providers/$(DEPDIR)/$(am__dirstamp) +../../../src/providers/negcache_tests-data_provider_req.$(OBJEXT): \ + ../../../src/providers/$(am__dirstamp) \ + ../../../src/providers/$(DEPDIR)/$(am__dirstamp) +../../../src/util/$(am__dirstamp): + @$(MKDIR_P) ../../../src/util + @: > ../../../src/util/$(am__dirstamp) +../../../src/util/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/util/$(DEPDIR) + @: > ../../../src/util/$(DEPDIR)/$(am__dirstamp) +../../../src/util/negcache_tests-session_recording.$(OBJEXT): \ + ../../../src/util/$(am__dirstamp) \ + ../../../src/util/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/iface + @: > ../../../src/responder/common/iface/$(am__dirstamp) +../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/iface/$(DEPDIR) + @: > ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/negcache_tests-responder_iface.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/negcache_tests-responder_domain.$(OBJEXT): \ + 
../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/negcache_tests-responder_ncache.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/negcache_tests-responder_iface_generated.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/cache_req + @: > ../../../src/responder/common/cache_req/$(am__dirstamp) +../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/cache_req/$(DEPDIR) + @: > ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/negcache_tests-cache_req.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/negcache_tests-cache_req_result.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/negcache_tests-cache_req_search.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/negcache_tests-cache_req_data.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) 
+../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/cache_req/plugins + @: > ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/responder/common/cache_req/plugins/$(DEPDIR) + @: > ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + +negcache-tests$(EXEEXT): $(negcache_tests_OBJECTS) $(negcache_tests_DEPENDENCIES) $(EXTRA_negcache_tests_DEPENDENCIES) + @rm -f negcache-tests$(EXEEXT) + $(AM_V_CCLD)$(negcache_tests_LINK) $(negcache_tests_OBJECTS) 
$(negcache_tests_LDADD) $(LIBS) +../../../src/responder/common/iface/responder_common_tests-responder_iface.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/responder_common_tests-responder_domain.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/responder_common_tests-responder_ncache.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.$(OBJEXT): \ + ../../../src/responder/common/iface/$(am__dirstamp) \ + ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/responder_common_tests-negcache_files.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/responder_common_tests-negcache.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/data_provider/responder_common_tests-rdp_message.$(OBJEXT): \ + ../../../src/responder/common/data_provider/$(am__dirstamp) \ + ../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/data_provider/responder_common_tests-rdp_client.$(OBJEXT): \ + ../../../src/responder/common/data_provider/$(am__dirstamp) \ + ../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/responder_common_tests-responder_common.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/responder_common_tests-responder_packet.$(OBJEXT): \ + 
../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/responder_common_tests-responder_cmd.$(OBJEXT): \ + ../../../src/responder/common/$(am__dirstamp) \ + ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) +../../../src/tests/cmocka/$(am__dirstamp): + @$(MKDIR_P) ../../../src/tests/cmocka + @: > ../../../src/tests/cmocka/$(am__dirstamp) +../../../src/tests/cmocka/$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../../../src/tests/cmocka/$(DEPDIR) + @: > ../../../src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.$(OBJEXT): \ + ../../../src/tests/cmocka/$(am__dirstamp) \ + ../../../src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) +../../../src/util/responder_common_tests-session_recording.$(OBJEXT): \ + ../../../src/util/$(am__dirstamp) \ + ../../../src/util/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/responder_common_tests-cache_req.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + 
../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.$(OBJEXT): \ + ../../../src/responder/common/cache_req/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ 
+ ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.$(OBJEXT): ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) \ + ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + +responder_common-tests$(EXEEXT): $(responder_common_tests_OBJECTS) $(responder_common_tests_DEPENDENCIES) $(EXTRA_responder_common_tests_DEPENDENCIES) + @rm -f responder_common-tests$(EXEEXT) + $(AM_V_CCLD)$(responder_common_tests_LINK) $(responder_common_tests_OBJECTS) $(responder_common_tests_LDADD) $(LIBS) +../../../src/util/server_tests-server.$(OBJEXT): \ + ../../../src/util/$(am__dirstamp) \ + 
../../../src/util/$(DEPDIR)/$(am__dirstamp) + +server-tests$(EXEEXT): $(server_tests_OBJECTS) $(server_tests_DEPENDENCIES) $(EXTRA_server_tests_DEPENDENCIES) + @rm -f server-tests$(EXEEXT) + $(AM_V_CCLD)$(server_tests_LINK) $(server_tests_OBJECTS) $(server_tests_LDADD) $(LIBS) + +usertools-tests$(EXEEXT): $(usertools_tests_OBJECTS) $(usertools_tests_DEPENDENCIES) $(EXTRA_usertools_tests_DEPENDENCIES) + @rm -f usertools-tests$(EXEEXT) + $(AM_V_CCLD)$(usertools_tests_LINK) $(usertools_tests_OBJECTS) $(usertools_tests_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + -rm -f ../../../src/monitor/*.$(OBJEXT) + -rm -f ../../../src/providers/*.$(OBJEXT) + -rm -f ../../../src/responder/common/*.$(OBJEXT) + -rm -f ../../../src/responder/common/cache_req/*.$(OBJEXT) + -rm -f ../../../src/responder/common/cache_req/plugins/*.$(OBJEXT) + -rm -f ../../../src/responder/common/data_provider/*.$(OBJEXT) + -rm -f ../../../src/responder/common/iface/*.$(OBJEXT) + -rm -f ../../../src/tests/cmocka/*.$(OBJEXT) + -rm -f ../../../src/util/*.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@../../../src/util/$(DEPDIR)/server_tests-server.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/become_user_tests-test_become_user.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/negcache_tests-test_negcache.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/responder_common_tests-test_responder_common.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server_tests-test_server.Po@am__quote@ +@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/usertools_tests-test_usertools.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +become_user_tests-test_become_user.o: test_become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(become_user_tests_CFLAGS) $(CFLAGS) -MT become_user_tests-test_become_user.o -MD -MP -MF $(DEPDIR)/become_user_tests-test_become_user.Tpo -c -o become_user_tests-test_become_user.o `test -f 'test_become_user.c' || echo 
'$(srcdir)/'`test_become_user.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/become_user_tests-test_become_user.Tpo $(DEPDIR)/become_user_tests-test_become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_become_user.c' object='become_user_tests-test_become_user.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(become_user_tests_CFLAGS) $(CFLAGS) -c -o become_user_tests-test_become_user.o `test -f 'test_become_user.c' || echo '$(srcdir)/'`test_become_user.c + +become_user_tests-test_become_user.obj: test_become_user.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(become_user_tests_CFLAGS) $(CFLAGS) -MT become_user_tests-test_become_user.obj -MD -MP -MF $(DEPDIR)/become_user_tests-test_become_user.Tpo -c -o become_user_tests-test_become_user.obj `if test -f 'test_become_user.c'; then $(CYGPATH_W) 'test_become_user.c'; else $(CYGPATH_W) '$(srcdir)/test_become_user.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/become_user_tests-test_become_user.Tpo $(DEPDIR)/become_user_tests-test_become_user.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_become_user.c' object='become_user_tests-test_become_user.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(become_user_tests_CFLAGS) $(CFLAGS) -c -o become_user_tests-test_become_user.obj `if test -f 'test_become_user.c'; then $(CYGPATH_W) 'test_become_user.c'; else $(CYGPATH_W) '$(srcdir)/test_become_user.c'; fi` + +../../../src/responder/common/negcache_tests-negcache_files.o: ../../../src/responder/common/negcache_files.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-negcache_files.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Tpo -c -o ../../../src/responder/common/negcache_tests-negcache_files.o `test -f '../../../src/responder/common/negcache_files.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache_files.c' object='../../../src/responder/common/negcache_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-negcache_files.o `test -f '../../../src/responder/common/negcache_files.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache_files.c + +../../../src/responder/common/negcache_tests-negcache_files.obj: ../../../src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-negcache_files.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Tpo -c -o ../../../src/responder/common/negcache_tests-negcache_files.obj `if test -f '../../../src/responder/common/negcache_files.c'; then $(CYGPATH_W) '../../../src/responder/common/negcache_files.c'; else $(CYGPATH_W) 
'$(srcdir)/../../../src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache_files.c' object='../../../src/responder/common/negcache_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-negcache_files.obj `if test -f '../../../src/responder/common/negcache_files.c'; then $(CYGPATH_W) '../../../src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache_files.c'; fi` + +../../../src/responder/common/negcache_tests-negcache.o: ../../../src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-negcache.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Tpo -c -o ../../../src/responder/common/negcache_tests-negcache.o `test -f '../../../src/responder/common/negcache.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache.c' object='../../../src/responder/common/negcache_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-negcache.o `test -f '../../../src/responder/common/negcache.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache.c + +../../../src/responder/common/negcache_tests-negcache.obj: ../../../src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-negcache.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Tpo -c -o ../../../src/responder/common/negcache_tests-negcache.obj `if test -f '../../../src/responder/common/negcache.c'; then $(CYGPATH_W) '../../../src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache.c' object='../../../src/responder/common/negcache_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-negcache.obj `if test -f '../../../src/responder/common/negcache.c'; then $(CYGPATH_W) '../../../src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache.c'; fi` + +../../../src/responder/common/negcache_tests-responder_cmd.o: ../../../src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_cmd.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_cmd.o `test -f '../../../src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_cmd.c' object='../../../src/responder/common/negcache_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_cmd.o `test -f '../../../src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_cmd.c + +../../../src/responder/common/negcache_tests-responder_cmd.obj: ../../../src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_cmd.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_cmd.obj `if test -f '../../../src/responder/common/responder_cmd.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_cmd.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_cmd.c' object='../../../src/responder/common/negcache_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_cmd.obj `if test -f '../../../src/responder/common/responder_cmd.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_cmd.c'; fi` + +../../../src/responder/common/negcache_tests-responder_common.o: ../../../src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_common.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_common.o `test -f '../../../src/responder/common/responder_common.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_common.c' object='../../../src/responder/common/negcache_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_common.o `test -f '../../../src/responder/common/responder_common.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_common.c + +../../../src/responder/common/negcache_tests-responder_common.obj: ../../../src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_common.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_common.obj `if test -f '../../../src/responder/common/responder_common.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_common.c' object='../../../src/responder/common/negcache_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_common.obj `if test -f '../../../src/responder/common/responder_common.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_common.c'; fi` + 
+../../../src/responder/common/negcache_tests-responder_dp.o: ../../../src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_dp.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_dp.o `test -f '../../../src/responder/common/responder_dp.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_dp.c' object='../../../src/responder/common/negcache_tests-responder_dp.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_dp.o `test -f '../../../src/responder/common/responder_dp.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_dp.c + +../../../src/responder/common/negcache_tests-responder_dp.obj: ../../../src/responder/common/responder_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_dp.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_dp.obj `if test -f '../../../src/responder/common/responder_dp.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_dp.c'; else 
$(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_dp.c' object='../../../src/responder/common/negcache_tests-responder_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_dp.obj `if test -f '../../../src/responder/common/responder_dp.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_dp.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_dp.c'; fi` + +../../../src/responder/common/negcache_tests-responder_dp_ssh.o: ../../../src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_dp_ssh.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_dp_ssh.o `test -f '../../../src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_dp_ssh.c' object='../../../src/responder/common/negcache_tests-responder_dp_ssh.o' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_dp_ssh.o `test -f '../../../src/responder/common/responder_dp_ssh.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_dp_ssh.c + +../../../src/responder/common/negcache_tests-responder_dp_ssh.obj: ../../../src/responder/common/responder_dp_ssh.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_dp_ssh.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_dp_ssh.obj `if test -f '../../../src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_dp_ssh.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_dp_ssh.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_dp_ssh.c' object='../../../src/responder/common/negcache_tests-responder_dp_ssh.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_dp_ssh.obj `if test -f '../../../src/responder/common/responder_dp_ssh.c'; then $(CYGPATH_W) 
'../../../src/responder/common/responder_dp_ssh.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_dp_ssh.c'; fi` + +../../../src/responder/common/negcache_tests-responder_packet.o: ../../../src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_packet.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_packet.o `test -f '../../../src/responder/common/responder_packet.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_packet.c' object='../../../src/responder/common/negcache_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_packet.o `test -f '../../../src/responder/common/responder_packet.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_packet.c + +../../../src/responder/common/negcache_tests-responder_packet.obj: ../../../src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_packet.obj -MD -MP -MF 
../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_packet.obj `if test -f '../../../src/responder/common/responder_packet.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_packet.c' object='../../../src/responder/common/negcache_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_packet.obj `if test -f '../../../src/responder/common/responder_packet.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_packet.c'; fi` + +../../../src/responder/common/negcache_tests-responder_get_domains.o: ../../../src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_get_domains.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_get_domains.o `test -f '../../../src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_get_domains.c' object='../../../src/responder/common/negcache_tests-responder_get_domains.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_get_domains.o `test -f '../../../src/responder/common/responder_get_domains.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_get_domains.c + +../../../src/responder/common/negcache_tests-responder_get_domains.obj: ../../../src/responder/common/responder_get_domains.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_get_domains.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_get_domains.obj `if test -f '../../../src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_get_domains.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_get_domains.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_get_domains.c' object='../../../src/responder/common/negcache_tests-responder_get_domains.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_get_domains.obj `if test -f '../../../src/responder/common/responder_get_domains.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_get_domains.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_get_domains.c'; fi` + +../../../src/responder/common/negcache_tests-responder_utils.o: ../../../src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_utils.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_utils.o `test -f '../../../src/responder/common/responder_utils.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_utils.c' object='../../../src/responder/common/negcache_tests-responder_utils.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_utils.o `test -f '../../../src/responder/common/responder_utils.c' || echo 
'$(srcdir)/'`../../../src/responder/common/responder_utils.c + +../../../src/responder/common/negcache_tests-responder_utils.obj: ../../../src/responder/common/responder_utils.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/negcache_tests-responder_utils.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Tpo -c -o ../../../src/responder/common/negcache_tests-responder_utils.obj `if test -f '../../../src/responder/common/responder_utils.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_utils.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Tpo ../../../src/responder/common/$(DEPDIR)/negcache_tests-responder_utils.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_utils.c' object='../../../src/responder/common/negcache_tests-responder_utils.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/negcache_tests-responder_utils.obj `if test -f '../../../src/responder/common/responder_utils.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_utils.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_utils.c'; fi` + +../../../src/responder/common/data_provider/negcache_tests-rdp_message.o: ../../../src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT 
../../../src/responder/common/data_provider/negcache_tests-rdp_message.o -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Tpo -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_message.o `test -f '../../../src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_message.c' object='../../../src/responder/common/data_provider/negcache_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_message.o `test -f '../../../src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_message.c + +../../../src/responder/common/data_provider/negcache_tests-rdp_message.obj: ../../../src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/data_provider/negcache_tests-rdp_message.obj -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Tpo -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_message.obj `if test -f '../../../src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_message.c'; else 
$(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_message.c' object='../../../src/responder/common/data_provider/negcache_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_message.obj `if test -f '../../../src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_message.c'; fi` + +../../../src/responder/common/data_provider/negcache_tests-rdp_client.o: ../../../src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/data_provider/negcache_tests-rdp_client.o -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Tpo -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_client.o `test -f '../../../src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_client.c' object='../../../src/responder/common/data_provider/negcache_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_client.o `test -f '../../../src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_client.c + +../../../src/responder/common/data_provider/negcache_tests-rdp_client.obj: ../../../src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/data_provider/negcache_tests-rdp_client.obj -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Tpo -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_client.obj `if test -f '../../../src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/negcache_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_client.c' object='../../../src/responder/common/data_provider/negcache_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/negcache_tests-rdp_client.obj `if test -f '../../../src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_client.c'; fi` + +../../../src/monitor/negcache_tests-monitor_iface_generated.o: ../../../src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/monitor/negcache_tests-monitor_iface_generated.o -MD -MP -MF ../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Tpo -c -o ../../../src/monitor/negcache_tests-monitor_iface_generated.o `test -f '../../../src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`../../../src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Tpo ../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/monitor/monitor_iface_generated.c' object='../../../src/monitor/negcache_tests-monitor_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/monitor/negcache_tests-monitor_iface_generated.o `test -f '../../../src/monitor/monitor_iface_generated.c' || echo '$(srcdir)/'`../../../src/monitor/monitor_iface_generated.c + +../../../src/monitor/negcache_tests-monitor_iface_generated.obj: 
../../../src/monitor/monitor_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/monitor/negcache_tests-monitor_iface_generated.obj -MD -MP -MF ../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Tpo -c -o ../../../src/monitor/negcache_tests-monitor_iface_generated.obj `if test -f '../../../src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) '../../../src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/monitor/monitor_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Tpo ../../../src/monitor/$(DEPDIR)/negcache_tests-monitor_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/monitor/monitor_iface_generated.c' object='../../../src/monitor/negcache_tests-monitor_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/monitor/negcache_tests-monitor_iface_generated.obj `if test -f '../../../src/monitor/monitor_iface_generated.c'; then $(CYGPATH_W) '../../../src/monitor/monitor_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/monitor/monitor_iface_generated.c'; fi` + +../../../src/providers/negcache_tests-data_provider_req.o: ../../../src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/providers/negcache_tests-data_provider_req.o -MD -MP -MF ../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Tpo -c -o ../../../src/providers/negcache_tests-data_provider_req.o `test 
-f '../../../src/providers/data_provider_req.c' || echo '$(srcdir)/'`../../../src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Tpo ../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/providers/data_provider_req.c' object='../../../src/providers/negcache_tests-data_provider_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/providers/negcache_tests-data_provider_req.o `test -f '../../../src/providers/data_provider_req.c' || echo '$(srcdir)/'`../../../src/providers/data_provider_req.c + +../../../src/providers/negcache_tests-data_provider_req.obj: ../../../src/providers/data_provider_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/providers/negcache_tests-data_provider_req.obj -MD -MP -MF ../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Tpo -c -o ../../../src/providers/negcache_tests-data_provider_req.obj `if test -f '../../../src/providers/data_provider_req.c'; then $(CYGPATH_W) '../../../src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/providers/data_provider_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Tpo ../../../src/providers/$(DEPDIR)/negcache_tests-data_provider_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/providers/data_provider_req.c' object='../../../src/providers/negcache_tests-data_provider_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/providers/negcache_tests-data_provider_req.obj `if test -f '../../../src/providers/data_provider_req.c'; then $(CYGPATH_W) '../../../src/providers/data_provider_req.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/providers/data_provider_req.c'; fi` + +../../../src/util/negcache_tests-session_recording.o: ../../../src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/util/negcache_tests-session_recording.o -MD -MP -MF ../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Tpo -c -o ../../../src/util/negcache_tests-session_recording.o `test -f '../../../src/util/session_recording.c' || echo '$(srcdir)/'`../../../src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Tpo ../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/util/session_recording.c' object='../../../src/util/negcache_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/util/negcache_tests-session_recording.o `test -f '../../../src/util/session_recording.c' || echo '$(srcdir)/'`../../../src/util/session_recording.c + +../../../src/util/negcache_tests-session_recording.obj: ../../../src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) 
-MT ../../../src/util/negcache_tests-session_recording.obj -MD -MP -MF ../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Tpo -c -o ../../../src/util/negcache_tests-session_recording.obj `if test -f '../../../src/util/session_recording.c'; then $(CYGPATH_W) '../../../src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Tpo ../../../src/util/$(DEPDIR)/negcache_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/util/session_recording.c' object='../../../src/util/negcache_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/util/negcache_tests-session_recording.obj `if test -f '../../../src/util/session_recording.c'; then $(CYGPATH_W) '../../../src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/util/session_recording.c'; fi` + +../../../src/responder/common/iface/negcache_tests-responder_iface.o: ../../../src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_iface.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface.o `test -f '../../../src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Tpo 
../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface.c' object='../../../src/responder/common/iface/negcache_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface.o `test -f '../../../src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface.c + +../../../src/responder/common/iface/negcache_tests-responder_iface.obj: ../../../src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_iface.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface.obj `if test -f '../../../src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Tpo ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface.c' object='../../../src/responder/common/iface/negcache_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface.obj `if test -f '../../../src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface.c'; fi` + +../../../src/responder/common/iface/negcache_tests-responder_domain.o: ../../../src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_domain.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_domain.o `test -f '../../../src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Tpo ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_domain.c' object='../../../src/responder/common/iface/negcache_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_domain.o `test -f '../../../src/responder/common/iface/responder_domain.c' || echo 
'$(srcdir)/'`../../../src/responder/common/iface/responder_domain.c + +../../../src/responder/common/iface/negcache_tests-responder_domain.obj: ../../../src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_domain.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_domain.obj `if test -f '../../../src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Tpo ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_domain.c' object='../../../src/responder/common/iface/negcache_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_domain.obj `if test -f '../../../src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_domain.c'; fi` + +../../../src/responder/common/iface/negcache_tests-responder_ncache.o: ../../../src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_ncache.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_ncache.o `test -f '../../../src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Tpo ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_ncache.c' object='../../../src/responder/common/iface/negcache_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_ncache.o `test -f '../../../src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_ncache.c + +../../../src/responder/common/iface/negcache_tests-responder_ncache.obj: ../../../src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_ncache.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_ncache.obj `if test -f '../../../src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 
'../../../src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Tpo ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_ncache.c' object='../../../src/responder/common/iface/negcache_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_ncache.obj `if test -f '../../../src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_ncache.c'; fi` + +../../../src/responder/common/iface/negcache_tests-responder_iface_generated.o: ../../../src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.o `test -f '../../../src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Tpo 
../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface_generated.c' object='../../../src/responder/common/iface/negcache_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.o `test -f '../../../src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface_generated.c + +../../../src/responder/common/iface/negcache_tests-responder_iface_generated.obj: ../../../src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Tpo -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.obj `if test -f '../../../src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Tpo ../../../src/responder/common/iface/$(DEPDIR)/negcache_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface_generated.c' 
object='../../../src/responder/common/iface/negcache_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/negcache_tests-responder_iface_generated.obj `if test -f '../../../src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface_generated.c'; fi` + +../../../src/responder/common/cache_req/negcache_tests-cache_req.o: ../../../src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req.o `test -f '../../../src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) 
$(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req.o `test -f '../../../src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req.c + +../../../src/responder/common/cache_req/negcache_tests-cache_req.obj: ../../../src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req.obj `if test -f '../../../src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req.obj `if test -f '../../../src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req.c'; fi` + +../../../src/responder/common/cache_req/negcache_tests-cache_req_result.o: 
../../../src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_result.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_result.o `test -f '../../../src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_result.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_result.o `test -f '../../../src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_result.c + +../../../src/responder/common/cache_req/negcache_tests-cache_req_result.obj: ../../../src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_result.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Tpo -c -o 
../../../src/responder/common/cache_req/negcache_tests-cache_req_result.obj `if test -f '../../../src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_result.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_result.obj `if test -f '../../../src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_result.c'; fi` + +../../../src/responder/common/cache_req/negcache_tests-cache_req_search.o: ../../../src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.o `test -f '../../../src/responder/common/cache_req/cache_req_search.c' || echo 
'$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_search.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.o `test -f '../../../src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_search.c + +../../../src/responder/common/cache_req/negcache_tests-cache_req_search.obj: ../../../src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.obj `if test -f '../../../src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_search.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_search.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_search.obj `if test -f '../../../src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_search.c'; fi` + +../../../src/responder/common/cache_req/negcache_tests-cache_req_data.o: ../../../src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.o `test -f '../../../src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_data.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.o `test -f '../../../src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_data.c + +../../../src/responder/common/cache_req/negcache_tests-cache_req_data.obj: ../../../src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.obj `if test -f '../../../src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_data.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_data.obj `if test -f '../../../src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) 
'../../../src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_data.c'; fi` + +../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.o: ../../../src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.o `test -f '../../../src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_domain.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.o `test -f '../../../src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_domain.c + +../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.obj: ../../../src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.obj `if test -f '../../../src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_domain.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_domain.obj `if test -f '../../../src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_domain.c'; fi` + +../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.o: ../../../src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.o -MD -MP -MF 
../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.o `test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_sr_overlay.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.o `test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_sr_overlay.c + +../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.obj: ../../../src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Tpo -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.obj `if test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; else 
$(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/negcache_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_sr_overlay.c' object='../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/negcache_tests-cache_req_sr_overlay.obj `if test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.o: ../../../src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_common.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_common.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.obj: ../../../src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Tpo 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_common.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_common.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.o: ../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.obj: ../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' 
object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_users.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.o: ../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.obj: ../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_groups.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.o: ../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.obj: ../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_enum_svc.obj `if test -f 
'../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo 
'$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) 
'../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + 
+../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) 
'$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.obj: 
../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.o: 
../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.obj -MD -MP 
-MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_user_by_cert.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.obj -MD -MP -MF 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.o: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.obj: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.o: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.o -MD -MP -MF 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.obj: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_group_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.o -MD -MP -MF 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.o: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.o -MD -MP 
-MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.obj: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_initgroups_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.o: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.o -MD -MP -MF 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.obj: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_sid.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.o -MD -MP -MF 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.o: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.o -MD -MP -MF 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.obj: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.obj `if test 
-f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_object_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Tpo -c -o 
../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) 
'../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.o: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo 
'$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.obj: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_svc_by_port.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_netgroup_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/negcache_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/negcache_tests-cache_req_host_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +negcache_tests-test_negcache.o: test_negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT negcache_tests-test_negcache.o -MD -MP -MF $(DEPDIR)/negcache_tests-test_negcache.Tpo -c -o negcache_tests-test_negcache.o `test -f 'test_negcache.c' || echo '$(srcdir)/'`test_negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/negcache_tests-test_negcache.Tpo $(DEPDIR)/negcache_tests-test_negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_negcache.c' object='negcache_tests-test_negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o 
negcache_tests-test_negcache.o `test -f 'test_negcache.c' || echo '$(srcdir)/'`test_negcache.c + +negcache_tests-test_negcache.obj: test_negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -MT negcache_tests-test_negcache.obj -MD -MP -MF $(DEPDIR)/negcache_tests-test_negcache.Tpo -c -o negcache_tests-test_negcache.obj `if test -f 'test_negcache.c'; then $(CYGPATH_W) 'test_negcache.c'; else $(CYGPATH_W) '$(srcdir)/test_negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/negcache_tests-test_negcache.Tpo $(DEPDIR)/negcache_tests-test_negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_negcache.c' object='negcache_tests-test_negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(negcache_tests_CFLAGS) $(CFLAGS) -c -o negcache_tests-test_negcache.obj `if test -f 'test_negcache.c'; then $(CYGPATH_W) 'test_negcache.c'; else $(CYGPATH_W) '$(srcdir)/test_negcache.c'; fi` + +responder_common_tests-test_responder_common.o: test_responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT responder_common_tests-test_responder_common.o -MD -MP -MF $(DEPDIR)/responder_common_tests-test_responder_common.Tpo -c -o responder_common_tests-test_responder_common.o `test -f 'test_responder_common.c' || echo '$(srcdir)/'`test_responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/responder_common_tests-test_responder_common.Tpo $(DEPDIR)/responder_common_tests-test_responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_responder_common.c' object='responder_common_tests-test_responder_common.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o responder_common_tests-test_responder_common.o `test -f 'test_responder_common.c' || echo '$(srcdir)/'`test_responder_common.c + +responder_common_tests-test_responder_common.obj: test_responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT responder_common_tests-test_responder_common.obj -MD -MP -MF $(DEPDIR)/responder_common_tests-test_responder_common.Tpo -c -o responder_common_tests-test_responder_common.obj `if test -f 'test_responder_common.c'; then $(CYGPATH_W) 'test_responder_common.c'; else $(CYGPATH_W) '$(srcdir)/test_responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/responder_common_tests-test_responder_common.Tpo $(DEPDIR)/responder_common_tests-test_responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_responder_common.c' object='responder_common_tests-test_responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o responder_common_tests-test_responder_common.obj `if test -f 'test_responder_common.c'; then $(CYGPATH_W) 'test_responder_common.c'; else $(CYGPATH_W) '$(srcdir)/test_responder_common.c'; fi` + +../../../src/responder/common/iface/responder_common_tests-responder_iface.o: ../../../src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) 
$(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_iface.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface.o `test -f '../../../src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface.c' object='../../../src/responder/common/iface/responder_common_tests-responder_iface.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface.o `test -f '../../../src/responder/common/iface/responder_iface.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface.c + +../../../src/responder/common/iface/responder_common_tests-responder_iface.obj: ../../../src/responder/common/iface/responder_iface.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_iface.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface.obj `if test -f '../../../src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) 
'../../../src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface.c' object='../../../src/responder/common/iface/responder_common_tests-responder_iface.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface.obj `if test -f '../../../src/responder/common/iface/responder_iface.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface.c'; fi` + +../../../src/responder/common/iface/responder_common_tests-responder_domain.o: ../../../src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_domain.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_domain.o `test -f '../../../src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Tpo 
../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_domain.c' object='../../../src/responder/common/iface/responder_common_tests-responder_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_domain.o `test -f '../../../src/responder/common/iface/responder_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_domain.c + +../../../src/responder/common/iface/responder_common_tests-responder_domain.obj: ../../../src/responder/common/iface/responder_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_domain.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_domain.obj `if test -f '../../../src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_domain.c' 
object='../../../src/responder/common/iface/responder_common_tests-responder_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_domain.obj `if test -f '../../../src/responder/common/iface/responder_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_domain.c'; fi` + +../../../src/responder/common/iface/responder_common_tests-responder_ncache.o: ../../../src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_ncache.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_ncache.o `test -f '../../../src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_ncache.c' object='../../../src/responder/common/iface/responder_common_tests-responder_ncache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_ncache.o `test -f '../../../src/responder/common/iface/responder_ncache.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_ncache.c + +../../../src/responder/common/iface/responder_common_tests-responder_ncache.obj: ../../../src/responder/common/iface/responder_ncache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_ncache.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_ncache.obj `if test -f '../../../src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_ncache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_ncache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_ncache.c' object='../../../src/responder/common/iface/responder_common_tests-responder_ncache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_ncache.obj `if test -f '../../../src/responder/common/iface/responder_ncache.c'; then $(CYGPATH_W) 
'../../../src/responder/common/iface/responder_ncache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_ncache.c'; fi` + +../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.o: ../../../src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.o -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.o `test -f '../../../src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface_generated.c' object='../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.o `test -f '../../../src/responder/common/iface/responder_iface_generated.c' || echo '$(srcdir)/'`../../../src/responder/common/iface/responder_iface_generated.c + +../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.obj: 
../../../src/responder/common/iface/responder_iface_generated.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.obj -MD -MP -MF ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Tpo -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.obj `if test -f '../../../src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface_generated.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Tpo ../../../src/responder/common/iface/$(DEPDIR)/responder_common_tests-responder_iface_generated.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/iface/responder_iface_generated.c' object='../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/iface/responder_common_tests-responder_iface_generated.obj `if test -f '../../../src/responder/common/iface/responder_iface_generated.c'; then $(CYGPATH_W) '../../../src/responder/common/iface/responder_iface_generated.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/iface/responder_iface_generated.c'; fi` + +../../../src/responder/common/responder_common_tests-negcache_files.o: ../../../src/responder/common/negcache_files.c 
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-negcache_files.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Tpo -c -o ../../../src/responder/common/responder_common_tests-negcache_files.o `test -f '../../../src/responder/common/negcache_files.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache_files.c' object='../../../src/responder/common/responder_common_tests-negcache_files.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-negcache_files.o `test -f '../../../src/responder/common/negcache_files.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache_files.c + +../../../src/responder/common/responder_common_tests-negcache_files.obj: ../../../src/responder/common/negcache_files.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-negcache_files.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Tpo -c -o ../../../src/responder/common/responder_common_tests-negcache_files.obj `if test -f '../../../src/responder/common/negcache_files.c'; then $(CYGPATH_W) 
'../../../src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache_files.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache_files.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache_files.c' object='../../../src/responder/common/responder_common_tests-negcache_files.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-negcache_files.obj `if test -f '../../../src/responder/common/negcache_files.c'; then $(CYGPATH_W) '../../../src/responder/common/negcache_files.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache_files.c'; fi` + +../../../src/responder/common/responder_common_tests-negcache.o: ../../../src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-negcache.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Tpo -c -o ../../../src/responder/common/responder_common_tests-negcache.o `test -f '../../../src/responder/common/negcache.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache.c' 
object='../../../src/responder/common/responder_common_tests-negcache.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-negcache.o `test -f '../../../src/responder/common/negcache.c' || echo '$(srcdir)/'`../../../src/responder/common/negcache.c + +../../../src/responder/common/responder_common_tests-negcache.obj: ../../../src/responder/common/negcache.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-negcache.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Tpo -c -o ../../../src/responder/common/responder_common_tests-negcache.obj `if test -f '../../../src/responder/common/negcache.c'; then $(CYGPATH_W) '../../../src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-negcache.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/negcache.c' object='../../../src/responder/common/responder_common_tests-negcache.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-negcache.obj `if test -f '../../../src/responder/common/negcache.c'; then 
$(CYGPATH_W) '../../../src/responder/common/negcache.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/negcache.c'; fi` + +../../../src/responder/common/data_provider/responder_common_tests-rdp_message.o: ../../../src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.o -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Tpo -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.o `test -f '../../../src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_message.c' object='../../../src/responder/common/data_provider/responder_common_tests-rdp_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.o `test -f '../../../src/responder/common/data_provider/rdp_message.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_message.c + +../../../src/responder/common/data_provider/responder_common_tests-rdp_message.obj: ../../../src/responder/common/data_provider/rdp_message.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.obj -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Tpo -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.obj `if test -f '../../../src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_message.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_message.c' object='../../../src/responder/common/data_provider/responder_common_tests-rdp_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_message.obj `if test -f '../../../src/responder/common/data_provider/rdp_message.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_message.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_message.c'; fi` + +../../../src/responder/common/data_provider/responder_common_tests-rdp_client.o: ../../../src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT 
../../../src/responder/common/data_provider/responder_common_tests-rdp_client.o -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Tpo -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_client.o `test -f '../../../src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_client.c' object='../../../src/responder/common/data_provider/responder_common_tests-rdp_client.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_client.o `test -f '../../../src/responder/common/data_provider/rdp_client.c' || echo '$(srcdir)/'`../../../src/responder/common/data_provider/rdp_client.c + +../../../src/responder/common/data_provider/responder_common_tests-rdp_client.obj: ../../../src/responder/common/data_provider/rdp_client.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/data_provider/responder_common_tests-rdp_client.obj -MD -MP -MF ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Tpo -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_client.obj `if test -f '../../../src/responder/common/data_provider/rdp_client.c'; then 
$(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_client.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Tpo ../../../src/responder/common/data_provider/$(DEPDIR)/responder_common_tests-rdp_client.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/data_provider/rdp_client.c' object='../../../src/responder/common/data_provider/responder_common_tests-rdp_client.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/data_provider/responder_common_tests-rdp_client.obj `if test -f '../../../src/responder/common/data_provider/rdp_client.c'; then $(CYGPATH_W) '../../../src/responder/common/data_provider/rdp_client.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/data_provider/rdp_client.c'; fi` + +../../../src/responder/common/responder_common_tests-responder_common.o: ../../../src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-responder_common.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Tpo -c -o ../../../src/responder/common/responder_common_tests-responder_common.o `test -f '../../../src/responder/common/responder_common.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Tpo 
../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_common.c' object='../../../src/responder/common/responder_common_tests-responder_common.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-responder_common.o `test -f '../../../src/responder/common/responder_common.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_common.c + +../../../src/responder/common/responder_common_tests-responder_common.obj: ../../../src/responder/common/responder_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-responder_common.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Tpo -c -o ../../../src/responder/common/responder_common_tests-responder_common.obj `if test -f '../../../src/responder/common/responder_common.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_common.c' object='../../../src/responder/common/responder_common_tests-responder_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-responder_common.obj `if test -f '../../../src/responder/common/responder_common.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_common.c'; fi` + +../../../src/responder/common/responder_common_tests-responder_packet.o: ../../../src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-responder_packet.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Tpo -c -o ../../../src/responder/common/responder_common_tests-responder_packet.o `test -f '../../../src/responder/common/responder_packet.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_packet.c' object='../../../src/responder/common/responder_common_tests-responder_packet.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-responder_packet.o `test -f '../../../src/responder/common/responder_packet.c' || echo 
'$(srcdir)/'`../../../src/responder/common/responder_packet.c + +../../../src/responder/common/responder_common_tests-responder_packet.obj: ../../../src/responder/common/responder_packet.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-responder_packet.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Tpo -c -o ../../../src/responder/common/responder_common_tests-responder_packet.obj `if test -f '../../../src/responder/common/responder_packet.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_packet.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_packet.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_packet.c' object='../../../src/responder/common/responder_common_tests-responder_packet.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-responder_packet.obj `if test -f '../../../src/responder/common/responder_packet.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_packet.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_packet.c'; fi` + +../../../src/responder/common/responder_common_tests-responder_cmd.o: ../../../src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-responder_cmd.o -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Tpo -c -o ../../../src/responder/common/responder_common_tests-responder_cmd.o `test -f '../../../src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_cmd.c' object='../../../src/responder/common/responder_common_tests-responder_cmd.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-responder_cmd.o `test -f '../../../src/responder/common/responder_cmd.c' || echo '$(srcdir)/'`../../../src/responder/common/responder_cmd.c + +../../../src/responder/common/responder_common_tests-responder_cmd.obj: ../../../src/responder/common/responder_cmd.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/responder_common_tests-responder_cmd.obj -MD -MP -MF ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Tpo -c -o ../../../src/responder/common/responder_common_tests-responder_cmd.obj `if test -f '../../../src/responder/common/responder_cmd.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_cmd.c'; 
fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Tpo ../../../src/responder/common/$(DEPDIR)/responder_common_tests-responder_cmd.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/responder_cmd.c' object='../../../src/responder/common/responder_common_tests-responder_cmd.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/responder_common_tests-responder_cmd.obj `if test -f '../../../src/responder/common/responder_cmd.c'; then $(CYGPATH_W) '../../../src/responder/common/responder_cmd.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/responder_cmd.c'; fi` + +../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.o: ../../../src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.o -MD -MP -MF ../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Tpo -c -o ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.o `test -f '../../../src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`../../../src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Tpo ../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/tests/cmocka/common_mock_resp_dp.c' object='../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.o `test -f '../../../src/tests/cmocka/common_mock_resp_dp.c' || echo '$(srcdir)/'`../../../src/tests/cmocka/common_mock_resp_dp.c + +../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.obj: ../../../src/tests/cmocka/common_mock_resp_dp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.obj -MD -MP -MF ../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Tpo -c -o ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.obj `if test -f '../../../src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) '../../../src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/tests/cmocka/common_mock_resp_dp.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Tpo ../../../src/tests/cmocka/$(DEPDIR)/responder_common_tests-common_mock_resp_dp.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/tests/cmocka/common_mock_resp_dp.c' object='../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/tests/cmocka/responder_common_tests-common_mock_resp_dp.obj `if test -f 
'../../../src/tests/cmocka/common_mock_resp_dp.c'; then $(CYGPATH_W) '../../../src/tests/cmocka/common_mock_resp_dp.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/tests/cmocka/common_mock_resp_dp.c'; fi` + +../../../src/util/responder_common_tests-session_recording.o: ../../../src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/util/responder_common_tests-session_recording.o -MD -MP -MF ../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Tpo -c -o ../../../src/util/responder_common_tests-session_recording.o `test -f '../../../src/util/session_recording.c' || echo '$(srcdir)/'`../../../src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Tpo ../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/util/session_recording.c' object='../../../src/util/responder_common_tests-session_recording.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/util/responder_common_tests-session_recording.o `test -f '../../../src/util/session_recording.c' || echo '$(srcdir)/'`../../../src/util/session_recording.c + +../../../src/util/responder_common_tests-session_recording.obj: ../../../src/util/session_recording.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/util/responder_common_tests-session_recording.obj -MD -MP -MF ../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Tpo -c -o 
../../../src/util/responder_common_tests-session_recording.obj `if test -f '../../../src/util/session_recording.c'; then $(CYGPATH_W) '../../../src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/util/session_recording.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Tpo ../../../src/util/$(DEPDIR)/responder_common_tests-session_recording.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/util/session_recording.c' object='../../../src/util/responder_common_tests-session_recording.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/util/responder_common_tests-session_recording.obj `if test -f '../../../src/util/session_recording.c'; then $(CYGPATH_W) '../../../src/util/session_recording.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/util/session_recording.c'; fi` + +../../../src/responder/common/cache_req/responder_common_tests-cache_req.o: ../../../src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req.o `test -f '../../../src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Tpo 
../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req.o `test -f '../../../src/responder/common/cache_req/cache_req.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req.c + +../../../src/responder/common/cache_req/responder_common_tests-cache_req.obj: ../../../src/responder/common/cache_req/cache_req.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req.obj `if test -f '../../../src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req.obj' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req.obj `if test -f '../../../src/responder/common/cache_req/cache_req.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req.c'; fi` + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.o: ../../../src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.o `test -f '../../../src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_result.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) 
-c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.o `test -f '../../../src/responder/common/cache_req/cache_req_result.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_result.c + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.obj: ../../../src/responder/common/cache_req/cache_req_result.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.obj `if test -f '../../../src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_result.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_result.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_result.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_result.obj `if test -f '../../../src/responder/common/cache_req/cache_req_result.c'; then $(CYGPATH_W) 
'../../../src/responder/common/cache_req/cache_req_result.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_result.c'; fi` + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.o: ../../../src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.o `test -f '../../../src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_search.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.o `test -f '../../../src/responder/common/cache_req/cache_req_search.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_search.c + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.obj: ../../../src/responder/common/cache_req/cache_req_search.c +@am__fastdepCC_TRUE@ 
$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.obj `if test -f '../../../src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_search.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_search.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_search.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_search.obj `if test -f '../../../src/responder/common/cache_req/cache_req_search.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_search.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_search.c'; fi` + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.o: ../../../src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) 
$(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.o `test -f '../../../src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_data.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.o `test -f '../../../src/responder/common/cache_req/cache_req_data.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_data.c + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.obj: ../../../src/responder/common/cache_req/cache_req_data.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.obj `if test -f 
'../../../src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_data.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_data.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_data.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_data.obj `if test -f '../../../src/responder/common/cache_req/cache_req_data.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_data.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_data.c'; fi` + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.o: ../../../src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.o `test -f '../../../src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_domain.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_domain.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.o `test -f '../../../src/responder/common/cache_req/cache_req_domain.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_domain.c + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.obj: ../../../src/responder/common/cache_req/cache_req_domain.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.obj `if test -f '../../../src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_domain.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Tpo 
../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_domain.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_domain.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_domain.obj `if test -f '../../../src/responder/common/cache_req/cache_req_domain.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_domain.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_domain.c'; fi` + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.o: ../../../src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.o -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.o `test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_sr_overlay.c' object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.o `test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/cache_req_sr_overlay.c + +../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.obj: ../../../src/responder/common/cache_req/cache_req_sr_overlay.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.obj -MD -MP -MF ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Tpo -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.obj `if test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Tpo ../../../src/responder/common/cache_req/$(DEPDIR)/responder_common_tests-cache_req_sr_overlay.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/cache_req_sr_overlay.c' 
object='../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/responder_common_tests-cache_req_sr_overlay.obj `if test -f '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/cache_req_sr_overlay.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.o: ../../../src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_common.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.o' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_common.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.obj: ../../../src/responder/common/cache_req/plugins/cache_req_common.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_common.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_common.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_common.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_common.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_common.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_common.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.o: ../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.obj: ../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_users.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_users.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_users.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.o: ../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.obj: ../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_groups.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_groups.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_groups.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.o: ../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.obj: ../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_enum_svc.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_enum_svc.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_enum_svc.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_upn.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_id.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o 
../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_filter.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.o: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.obj: ../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_user_by_cert.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_user_by_cert.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_user_by_cert.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.o: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.obj: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_id.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.o: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.obj: ../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_group_by_filter.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_group_by_filter.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_group_by_filter.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.obj' libtool=no 
@AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.o: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' 
object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.obj: ../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_initgroups_by_upn.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_initgroups_by_upn.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_initgroups_by_upn.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.o: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Po 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.obj: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Tpo 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_sid.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_sid.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_sid.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.o: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.obj: ../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_object_by_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_object_by_id.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_object_by_id.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c 
+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.o: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.obj: ../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) 
../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_svc_by_port.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_svc_by_port.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_svc_by_port.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ 
$(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) 
'$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_netgroup_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_netgroup_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_netgroup_by_name.c'; fi` + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.o: ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.o -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.o `test -f 
'../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.o `test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' || echo '$(srcdir)/'`../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c + +../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.obj: ../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -MT ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.obj -MD -MP -MF ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Tpo -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) 
'../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Tpo ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/responder_common_tests-cache_req_host_by_name.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c' object='../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(responder_common_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/responder/common/cache_req/plugins/responder_common_tests-cache_req_host_by_name.obj `if test -f '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; then $(CYGPATH_W) '../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/responder/common/cache_req/plugins/cache_req_host_by_name.c'; fi` + +server_tests-test_server.o: test_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -MT server_tests-test_server.o -MD -MP -MF $(DEPDIR)/server_tests-test_server.Tpo -c -o server_tests-test_server.o `test -f 'test_server.c' || echo '$(srcdir)/'`test_server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/server_tests-test_server.Tpo $(DEPDIR)/server_tests-test_server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_server.c' object='server_tests-test_server.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -c -o server_tests-test_server.o `test -f 'test_server.c' || echo '$(srcdir)/'`test_server.c + +server_tests-test_server.obj: test_server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -MT server_tests-test_server.obj -MD -MP -MF $(DEPDIR)/server_tests-test_server.Tpo -c -o server_tests-test_server.obj `if test -f 'test_server.c'; then $(CYGPATH_W) 'test_server.c'; else $(CYGPATH_W) '$(srcdir)/test_server.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/server_tests-test_server.Tpo $(DEPDIR)/server_tests-test_server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_server.c' object='server_tests-test_server.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -c -o server_tests-test_server.obj `if test -f 'test_server.c'; then $(CYGPATH_W) 'test_server.c'; else $(CYGPATH_W) '$(srcdir)/test_server.c'; fi` + +../../../src/util/server_tests-server.o: ../../../src/util/server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -MT ../../../src/util/server_tests-server.o -MD -MP -MF ../../../src/util/$(DEPDIR)/server_tests-server.Tpo -c -o ../../../src/util/server_tests-server.o `test -f '../../../src/util/server.c' || echo '$(srcdir)/'`../../../src/util/server.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/util/$(DEPDIR)/server_tests-server.Tpo ../../../src/util/$(DEPDIR)/server_tests-server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
$(AM_V_CC)source='../../../src/util/server.c' object='../../../src/util/server_tests-server.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/util/server_tests-server.o `test -f '../../../src/util/server.c' || echo '$(srcdir)/'`../../../src/util/server.c + +../../../src/util/server_tests-server.obj: ../../../src/util/server.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -MT ../../../src/util/server_tests-server.obj -MD -MP -MF ../../../src/util/$(DEPDIR)/server_tests-server.Tpo -c -o ../../../src/util/server_tests-server.obj `if test -f '../../../src/util/server.c'; then $(CYGPATH_W) '../../../src/util/server.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/util/server.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../../../src/util/$(DEPDIR)/server_tests-server.Tpo ../../../src/util/$(DEPDIR)/server_tests-server.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../../../src/util/server.c' object='../../../src/util/server_tests-server.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(server_tests_CFLAGS) $(CFLAGS) -c -o ../../../src/util/server_tests-server.obj `if test -f '../../../src/util/server.c'; then $(CYGPATH_W) '../../../src/util/server.c'; else $(CYGPATH_W) '$(srcdir)/../../../src/util/server.c'; fi` + +usertools_tests-test_usertools.o: test_usertools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(usertools_tests_CFLAGS) $(CFLAGS) -MT usertools_tests-test_usertools.o 
-MD -MP -MF $(DEPDIR)/usertools_tests-test_usertools.Tpo -c -o usertools_tests-test_usertools.o `test -f 'test_usertools.c' || echo '$(srcdir)/'`test_usertools.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/usertools_tests-test_usertools.Tpo $(DEPDIR)/usertools_tests-test_usertools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_usertools.c' object='usertools_tests-test_usertools.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(usertools_tests_CFLAGS) $(CFLAGS) -c -o usertools_tests-test_usertools.o `test -f 'test_usertools.c' || echo '$(srcdir)/'`test_usertools.c + +usertools_tests-test_usertools.obj: test_usertools.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(usertools_tests_CFLAGS) $(CFLAGS) -MT usertools_tests-test_usertools.obj -MD -MP -MF $(DEPDIR)/usertools_tests-test_usertools.Tpo -c -o usertools_tests-test_usertools.obj `if test -f 'test_usertools.c'; then $(CYGPATH_W) 'test_usertools.c'; else $(CYGPATH_W) '$(srcdir)/test_usertools.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/usertools_tests-test_usertools.Tpo $(DEPDIR)/usertools_tests-test_usertools.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='test_usertools.c' object='usertools_tests-test_usertools.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(usertools_tests_CFLAGS) $(CFLAGS) -c -o usertools_tests-test_usertools.obj `if test -f 'test_usertools.c'; then $(CYGPATH_W) 'test_usertools.c'; else $(CYGPATH_W) '$(srcdir)/test_usertools.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs 
_libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +# Recover from deleted '.trs' file; this should ensure that +# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create +# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells +# to avoid problems with "make -n". +.log.trs: + rm -f $< $@ + $(MAKE) $(AM_MAKEFLAGS) $< + +# Leading 'am--fnord' is there to ensure the list of targets does not +# expand to empty, as could happen e.g. with make check TESTS=''. 
+am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck) +am--force-recheck: + @: + +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + if test -n "$$redo_bases"; then \ + redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \ + redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \ + if $(am__make_dryrun); then :; else \ + rm -f $$redo_logs && rm -f $$redo_results || exit 1; \ + fi; \ + fi; \ + if test -n "$$am__remaking_logs"; then \ + echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ + "recursion detected" >&2; \ + elif test -n "$$redo_logs"; then \ + am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ + fi; \ + if $(am__make_dryrun); then :; else \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; \ + fi + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws='[ ]'; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; 
\ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done \ + | $(am__create_global_log); \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + if test -n "$(PACKAGE_BUGREPORT)"; then \ + echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \ + fi; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 + +check-TESTS: + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; 
$(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + trs_list=`for i in $$bases; do echo $$i.trs; done`; \ + log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +recheck: all $(check_PROGRAMS) + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + bases=`for i in $$bases; do echo $$i; done \ + | $(am__list_recheck_tests)` || exit 1; \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \ + am__force_recheck=am--force-recheck \ + TEST_LOGS="$$log_list"; \ + exit $$? +become_user-tests.log: become_user-tests$(EXEEXT) + @p='become_user-tests$(EXEEXT)'; \ + b='become_user-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +server-tests.log: server-tests$(EXEEXT) + @p='server-tests$(EXEEXT)'; \ + b='server-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +usertools-tests.log: usertools-tests$(EXEEXT) + @p='usertools-tests$(EXEEXT)'; \ + b='usertools-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +responder_common-tests.log: responder_common-tests$(EXEEXT) + @p='responder_common-tests$(EXEEXT)'; \ + b='responder_common-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- 
$(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +negcache-tests.log: negcache-tests$(EXEEXT) + @p='negcache-tests$(EXEEXT)'; \ + b='negcache-tests'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +.test.log: + @p='$<'; \ + $(am__set_b); \ + $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +@am__EXEEXT_TRUE@.test$(EXEEXT).log: +@am__EXEEXT_TRUE@ @p='$<'; \ +@am__EXEEXT_TRUE@ $(am__set_b); \ +@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ +@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ +@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ +@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(SCRIPTS) $(DATA) +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS) + -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs) + -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f ../../../src/monitor/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/monitor/$(am__dirstamp) + -rm -f ../../../src/providers/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/providers/$(am__dirstamp) + -rm -f ../../../src/responder/common/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/responder/common/$(am__dirstamp) + -rm -f ../../../src/responder/common/cache_req/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/responder/common/cache_req/$(am__dirstamp) + -rm -f ../../../src/responder/common/cache_req/plugins/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/responder/common/cache_req/plugins/$(am__dirstamp) + -rm -f ../../../src/responder/common/data_provider/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/responder/common/data_provider/$(am__dirstamp) + -rm -f ../../../src/responder/common/iface/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/responder/common/iface/$(am__dirstamp) + -rm -f ../../../src/tests/cmocka/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/tests/cmocka/$(am__dirstamp) + -rm -f ../../../src/util/$(DEPDIR)/$(am__dirstamp) + -rm -f ../../../src/util/$(am__dirstamp) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ../../../src/monitor/$(DEPDIR) ../../../src/providers/$(DEPDIR) ../../../src/responder/common/$(DEPDIR) ../../../src/responder/common/cache_req/$(DEPDIR) ../../../src/responder/common/cache_req/plugins/$(DEPDIR) ../../../src/responder/common/data_provider/$(DEPDIR) ../../../src/responder/common/iface/$(DEPDIR) ../../../src/tests/cmocka/$(DEPDIR) ../../../src/util/$(DEPDIR) ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ../../../src/monitor/$(DEPDIR) ../../../src/providers/$(DEPDIR) ../../../src/responder/common/$(DEPDIR) ../../../src/responder/common/cache_req/$(DEPDIR) ../../../src/responder/common/cache_req/plugins/$(DEPDIR) ../../../src/responder/common/data_provider/$(DEPDIR) ../../../src/responder/common/iface/$(DEPDIR) ../../../src/tests/cmocka/$(DEPDIR) ../../../src/util/$(DEPDIR) ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-checkPROGRAMS clean-generic clean-libtool cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool 
distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + recheck tags tags-am uninstall uninstall-am + +.PRECIOUS: Makefile + + +tests: $(check_PROGRAMS) + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/tests/cwrap/cwrap_test_setup.sh b/src/tests/cwrap/cwrap_test_setup.sh new file mode 100755 index 0000000..e2f78e9 --- /dev/null +++ b/src/tests/cwrap/cwrap_test_setup.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +pkg-config --exists nss_wrapper || exit 1 +pkg-config --exists uid_wrapper || exit 1 + +nss_wrapper=$(pkg-config --libs nss_wrapper) +uid_wrapper=$(pkg-config --libs uid_wrapper) +if [ -z $nss_wrapper -o -z $uid_wrapper ]; then + echo "Cannot locate cwrap libraries" + exit 2 +fi + +export LD_PRELOAD="$nss_wrapper $uid_wrapper" +export NSS_WRAPPER_PASSWD=$CWRAP_TEST_SRCDIR/passwd +export NSS_WRAPPER_GROUP=$CWRAP_TEST_SRCDIR/group +export UID_WRAPPER=1 +export UID_WRAPPER_ROOT=1 + +export LDB_MODULES_PATH=$ABS_TOP_BUILDDIR/ldb_mod_test_dir diff --git a/src/tests/cwrap/group b/src/tests/cwrap/group new file mode 100644 index 0000000..d0cea65 --- /dev/null +++ b/src/tests/cwrap/group @@ -0,0 +1,2 @@ +sssd:x:123: +foogroup:x:10001: diff --git a/src/tests/cwrap/passwd b/src/tests/cwrap/passwd new file mode 100644 index 0000000..862ccfe --- /dev/null +++ b/src/tests/cwrap/passwd @@ -0,0 +1,2 @@ +sssd:x:123:456:sssd unprivileged user:/:/sbin/nologin +foobar:x:10001:10001:User for SSSD testing:/home/foobar:/bin/bash 
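Review bot: In src/tests/cwrap/cwrap_test_setup.sh the guard `[ -z $nss_wrapper -o -z $uid_wrapper ]` expands both variables unquoted, so an empty value or a `pkg-config --libs` result of more than one word changes the argument list that `[` sees and the check no longer tests what it reads as; `if [ -z "$nss_wrapper" ] || [ -z "$uid_wrapper" ]; then` keeps it well-defined. The exports that follow build `NSS_WRAPPER_PASSWD`, `NSS_WRAPPER_GROUP` and `LDB_MODULES_PATH` from `$CWRAP_TEST_SRCDIR` and `$ABS_TOP_BUILDDIR` without checking that either is set, so an empty `CWRAP_TEST_SRCDIR` would point the wrapper at `/passwd` and `/group`; a guard such as `: "${CWRAP_TEST_SRCDIR:?}" "${ABS_TOP_BUILDDIR:?}"` before the exports would fail early instead. Since the script sets `LD_PRELOAD` and `UID_WRAPPER_ROOT=1` for the environment that picks it up (presumably by being sourced, as the exports suggest), a header comment like `# Test harness only: preloads nss_wrapper/uid_wrapper and fakes root via UID_WRAPPER_ROOT.` would make the intended scope explicit.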
diff --git a/src/tests/cwrap/test_become_user.c b/src/tests/cwrap/test_become_user.c
new file mode 100644
index 0000000..e63cde9
--- /dev/null
+++ b/src/tests/cwrap/test_become_user.c
@@ -0,0 +1,165 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2014 Red Hat
+
+ SSSD tests: User switching
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/* Yes, a .c file. We need to call static functions during the test */
+#include "../../../src/util/become_user.c"
+
+#include
+#include "util/util.h"
+#include "tests/cmocka/common_mock.h"
+
+void test_become_user(void **state)
+{
+ struct passwd *sssd;
+ errno_t ret;
+ pid_t pid, wpid;
+ int status;
+
+ /* Must root as root, real or fake */
+ assert_int_equal(geteuid(), 0);
+
+ sssd = getpwnam("sssd");
+ assert_non_null(sssd);
+
+ pid = fork();
+ if (pid == 0) {
+ /* Change the UID in a child */
+ ret = become_user(sssd->pw_uid, sssd->pw_gid);
+ assert_int_equal(ret, EOK);
+
+ /* Make sure we have the requested UID and GID now and there
+ * are no supplementary groups
+ */
+ assert_int_equal(geteuid(), sssd->pw_uid);
+ assert_int_equal(getegid(), sssd->pw_gid);
+ assert_int_equal(getuid(), sssd->pw_uid);
+ assert_int_equal(getgid(), sssd->pw_gid);
+
+ /* Another become_user is a no-op */
+ ret = become_user(sssd->pw_uid, sssd->pw_gid);
+ assert_int_equal(ret, EOK);
+
+ assert_int_equal(getgroups(0, NULL), 0);
+ exit(0);
+ }
+
+ assert_int_not_equal(pid, -1);
+
+ wpid = waitpid(pid, &status, 0);
+ assert_int_equal(wpid, pid);
+ assert_true(WIFEXITED(status));
+ assert_int_equal(WEXITSTATUS(status), 0);
+}
+
+void test_switch_user(void **state)
+{
+ errno_t ret;
+ struct passwd *sssd;
+ TALLOC_CTX *tmp_ctx;
+ struct sss_creds *saved_creds;
+ struct sss_creds *saved_creds2 = NULL;
+
+ assert_true(leak_check_setup());
+
+ tmp_ctx = talloc_new(global_talloc_context);
+ assert_non_null(tmp_ctx);
+
+ /* Must root as root, real or fake */
+ assert_int_equal(geteuid(), 0);
+
+ sssd = getpwnam("sssd");
+ assert_non_null(sssd);
+
+ check_leaks_push(tmp_ctx);
+
+ ret = switch_creds(tmp_ctx, sssd->pw_uid, sssd->pw_gid,
+ 0, NULL, &saved_creds);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(geteuid(), sssd->pw_uid);
+ assert_int_equal(getegid(), sssd->pw_gid);
+ /* Only effective UID is changed.. */
+ assert_int_equal(getuid(), 0);
+ assert_int_equal(getgid(), 0);
+
+ assert_non_null(saved_creds);
+ assert_int_equal(saved_creds->uid, 0);
+ assert_int_equal(saved_creds->gid, 0);
+
+ /* Attempt to restore creds again */
+ ret = switch_creds(tmp_ctx, sssd->pw_uid, sssd->pw_gid,
+ 0, NULL, &saved_creds2);
+ assert_int_equal(ret, EOK);
+ assert_null(saved_creds2);
+
+ /* restore root */
+ ret = restore_creds(saved_creds);
+ assert_int_equal(ret, EOK);
+ assert_int_equal(geteuid(), 0);
+ assert_int_equal(getegid(), 0);
+ assert_int_equal(getuid(), 0);
+ assert_int_equal(getgid(), 0);
+
+ talloc_free(saved_creds);
+ assert_true(check_leaks_pop(tmp_ctx));
+ talloc_free(tmp_ctx);
+
+ assert_true(leak_check_teardown());
+}
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+
+ const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_become_user),
+ cmocka_unit_test(test_switch_user),
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ /* Even though normally the tests should clean up after themselves
+ * they might not after a failed run. Remove the old DB to be sure */
+ tests_set_cwd();
+
+ return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/src/tests/cwrap/test_negcache.c b/src/tests/cwrap/test_negcache.c
new file mode 100644
index 0000000..c4f601b
--- /dev/null
+++ b/src/tests/cwrap/test_negcache.c
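Review bot: test_switch_user in src/tests/cwrap/test_become_user.c never checks the supplementary group list: `switch_creds()` is called with `0, NULL` for the groups, but only the uid/gid getters are asserted afterwards, so a regression that left the caller's supplementary groups in place across the switch would still pass. test_become_user already uses `assert_int_equal(getgroups(0, NULL), 0);`, and the same assertion after the first `switch_creds()` block would cover it, assuming uid_wrapper reports the group list the way the first test relies on. The comment `/* Attempt to restore creds again */` sits above a second `switch_creds()` call rather than a restore; `/* Switching to the same user again is a no-op and saves nothing */` matches what `assert_null(saved_creds2)` checks. Both `/* Must root as root, real or fake */` comments presumably mean `Must run as root`.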
@@ -0,0 +1,741 @@
+/*
+ Authors:
+ Petr Čech
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "tests/common.h"
+#include "responder/common/negcache.h"
+#include "responder/common/negcache_files.h"
+#include "responder/common/responder.h"
+
+#define TIMEOUT 10000
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_DB "test_negcache_confdb.ldb"
+#define TEST_DOM_NAME "test_domain.test"
+
+#define TEST_LOCAL_USER_NAME_1 "foobar"
+#define TEST_LOCAL_USER_NAME_2 "sssd"
+
+#define TEST_LOCAL_USER_UID_1 10001
+#define TEST_LOCAL_USER_UID_2 123
+
+#define TEST_LOCAL_GROUP_NAME_1 "foogroup"
+#define TEST_LOCAL_GROUP_NAME_2 "sssd"
+
+#define TEST_LOCAL_GID_1 10001
+#define TEST_LOCAL_GID_2 123
+
+struct test_user {
+ const char *name;
+ uid_t uid;
+ gid_t gid;
+} users[] = { { "test_user1", 1001, 50001 },
+ { "test_user2", 1002, 50002 } };
+
+static void create_users(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain)
+{
+ errno_t ret;
+ char *fqname;
+
+ for (int i = 0; i < 2; i++) {
+ fqname = sss_create_internal_fqname(mem_ctx,
+ users[i].name,
+ domain->name);
+ assert_non_null(fqname);
+
+ ret = sysdb_add_user(domain, users[i].name, users[i].uid, users[i].gid,
+ fqname, NULL, "/bin/bash", domain->name,
+ NULL, 30, time(NULL));
+ talloc_free(fqname);
+ assert_int_equal(ret, EOK);
+ }
+}
+
+struct test_group {
+ const char *name;
+ gid_t gid;
+} groups[] = { { "test_group1", 50001 },
+ { "test_group2", 50002 } };
+
+struct ncache_test_ctx {
+ struct sss_test_ctx *tctx;
+ struct sss_nc_ctx *ncache;
+};
+
+static void create_groups(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain)
+{
+ errno_t ret;
+ char *fqname;
+
+ for (int i = 0; i < 2; i++) {
+ fqname = sss_create_internal_fqname(mem_ctx,
+ groups[i].name,
+ domain->name);
+ assert_non_null(fqname);
+
+ ret = sysdb_add_group(domain, fqname, groups[i].gid,
+ NULL, 30, time(NULL));
+ talloc_free(fqname);
+ assert_int_equal(ret, EOK);
+ }
+}
+
+/* register_cli_protocol_version is required in test since it links with
+ * responder_common.c module
+ */
+struct cli_protocol_version *register_cli_protocol_version(void)
+{
+ static struct cli_protocol_version responder_test_cli_protocol_version[] = {
+ { 0, NULL, NULL }
+ };
+
+ return responder_test_cli_protocol_version;
+}
+
+static int test_ncache_setup(void **state)
+{
+ struct ncache_test_ctx *test_ctx;
+
+ assert_true(leak_check_setup());
+
+ test_ctx = talloc_zero(global_talloc_context, struct ncache_test_ctx);
+ assert_non_null(test_ctx);
+
+ test_dom_suite_setup(TESTS_PATH);
+
+ test_ctx->tctx = create_dom_test_ctx(test_ctx, TESTS_PATH, TEST_CONF_DB,
+ TEST_DOM_NAME, "ipa", NULL);
+ assert_non_null(test_ctx->tctx);
+
+ create_groups(test_ctx, test_ctx->tctx->dom);
+ create_users(test_ctx, test_ctx->tctx->dom);
+
+ check_leaks_push(test_ctx);
+
+ *state = (void *)test_ctx;
+
+ return 0;
+}
+
+static int test_ncache_teardown(void **state)
+{
+ struct ncache_test_ctx *test_ctx;
+
+ test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx);
+
+ test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME);
+
+ assert_true(check_leaks_pop(test_ctx));
+ talloc_zfree(test_ctx);
+ assert_true(leak_check_teardown());
+
+ return 0;
+}
+
+static int set_user_in_ncache(struct sss_nc_ctx *ctx, bool permanent,
+ struct sss_domain_info *dom, const char *name)
+{
+ char *fqdn;
+ int ret; + + fqdn = sss_create_internal_fqname(ctx, name, dom->name); + ret = sss_ncache_set_user(ctx, permanent, dom, fqdn); + talloc_free(fqdn); + return ret; +} + +static int set_group_in_ncache(struct sss_nc_ctx *ctx, bool permanent, + struct sss_domain_info *dom, const char *name) +{ + char *fqdn; + int ret; + + fqdn = sss_create_internal_fqname(ctx, name, dom->name); + ret = sss_ncache_set_group(ctx, permanent, dom, fqdn); + talloc_free(fqdn); + return ret; +} + +static int check_user_in_ncache(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + const char *name) +{ + char *fqdn; + int ret; + + fqdn = sss_create_internal_fqname(ctx, name, dom->name); + ret = sss_ncache_check_user(ctx, dom, fqdn); + talloc_free(fqdn); + return ret; +} + +static int check_group_in_ncache(struct sss_nc_ctx *ctx, + struct sss_domain_info *dom, + const char *name) +{ + char *fqdn; + int ret; + + fqdn = sss_create_internal_fqname(ctx, name, dom->name); + ret = sss_ncache_check_group(ctx, dom, fqdn); + talloc_free(fqdn); + return ret; +} + +/* user utils */ + +static void set_users(struct ncache_test_ctx *test_ctx) +{ + int ret; + + ret = set_user_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom, + users[0].name); + assert_int_equal(ret, EOK); + + ret = set_user_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom, + TEST_LOCAL_USER_NAME_1); + assert_int_equal(ret, EOK); +} + +static void check_users(struct ncache_test_ctx *test_ctx, + int case_a, int case_b, int case_c, int case_d) +{ + int ret; + + ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + users[0].name); + assert_int_equal(ret, case_a); + + ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + users[1].name); + assert_int_equal(ret, case_b); + + ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_USER_NAME_1); + assert_int_equal(ret, case_c); + + ret = check_user_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_USER_NAME_2); + 
assert_int_equal(ret, case_d); +} + +/* user tests */ + +void test_ncache_nocache_user(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_users(test_ctx); + + check_users(test_ctx, ENOENT, ENOENT, ENOENT, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_local_user(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_users(test_ctx); + + check_users(test_ctx, ENOENT, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_domain_user(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_users(test_ctx); + + check_users(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_both_user(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_users(test_ctx); + + check_users(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +/* uid utils */ + +static void set_uids(struct ncache_test_ctx *test_ctx) +{ + int ret; + + ret = sss_ncache_set_uid(test_ctx->ncache, false, test_ctx->tctx->dom, + users[0].uid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_set_uid(test_ctx->ncache, false, 
test_ctx->tctx->dom, + TEST_LOCAL_USER_UID_1); + assert_int_equal(ret, EOK); +} + +static void check_uids(struct ncache_test_ctx *test_ctx, + int case_a, int case_b, int case_c, int case_d) +{ + int ret; + + ret = sss_ncache_check_uid(test_ctx->ncache, test_ctx->tctx->dom, + users[0].uid); + assert_int_equal(ret, case_a); + + ret = sss_ncache_check_uid(test_ctx->ncache, test_ctx->tctx->dom, + users[1].uid); + assert_int_equal(ret, case_b); + + ret = sss_ncache_check_uid(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_USER_UID_1); + assert_int_equal(ret, case_c); + + ret = sss_ncache_check_uid(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_USER_UID_2); + assert_int_equal(ret, case_d); +} + +/* uid tests */ + +void test_ncache_nocache_uid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_uids(test_ctx); + + check_uids(test_ctx, ENOENT, ENOENT, ENOENT, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_local_uid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_uids(test_ctx); + + check_uids(test_ctx, ENOENT, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_domain_uid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_uids(test_ctx); + + check_uids(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void 
test_ncache_both_uid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_uids(test_ctx); + + check_uids(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +/* group utils */ + +static void set_groups(struct ncache_test_ctx *test_ctx) +{ + int ret; + + ret = set_group_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom, + groups[0].name); + assert_int_equal(ret, EOK); + + ret = set_group_in_ncache(test_ctx->ncache, false, test_ctx->tctx->dom, + TEST_LOCAL_GROUP_NAME_1); + assert_int_equal(ret, EOK); +} + +static void check_groups(struct ncache_test_ctx *test_ctx, + int case_a, int case_b, int case_c, int case_d) +{ + int ret; + + ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + groups[0].name); + assert_int_equal(ret, case_a); + + ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + groups[1].name); + assert_int_equal(ret, case_b); + + ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_GROUP_NAME_1); + assert_int_equal(ret, case_c); + + ret = check_group_in_ncache(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_GROUP_NAME_2); + assert_int_equal(ret, case_d); +} + +/* group tests */ + +void test_ncache_nocache_group(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_groups(test_ctx); + + check_groups(test_ctx, ENOENT, ENOENT, ENOENT, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_local_group(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct 
ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_groups(test_ctx); + + check_groups(test_ctx, ENOENT, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_domain_group(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_groups(test_ctx); + + check_groups(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_both_group(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_groups(test_ctx); + + check_groups(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +/* gid utils */ + +static void set_gids(struct ncache_test_ctx *test_ctx) +{ + int ret; + + ret = sss_ncache_set_gid(test_ctx->ncache, false, test_ctx->tctx->dom, + users[0].gid); + assert_int_equal(ret, EOK); + + ret = sss_ncache_set_gid(test_ctx->ncache, false, test_ctx->tctx->dom, + TEST_LOCAL_GID_1); + assert_int_equal(ret, EOK); +} + +static void check_gids(struct ncache_test_ctx *test_ctx, + int case_a, int case_b, int case_c, int case_d) +{ + int ret; + + ret = sss_ncache_check_gid(test_ctx->ncache, test_ctx->tctx->dom, + users[0].gid); + assert_int_equal(ret, case_a); + + ret = sss_ncache_check_gid(test_ctx->ncache, test_ctx->tctx->dom, + users[1].gid); + assert_int_equal(ret, case_b); + + ret = sss_ncache_check_gid(test_ctx->ncache, test_ctx->tctx->dom, + TEST_LOCAL_GID_1); + assert_int_equal(ret, case_c); + + ret = sss_ncache_check_gid(test_ctx->ncache, 
test_ctx->tctx->dom, + TEST_LOCAL_GID_2); + assert_int_equal(ret, case_d); +} + +/* uid tests */ + +void test_ncache_nocache_gid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_gids(test_ctx); + + check_gids(test_ctx, ENOENT, ENOENT, ENOENT, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_local_gid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, 0, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_gids(test_ctx); + + check_gids(test_ctx, ENOENT, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_domain_gid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, 0, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_gids(test_ctx); + + check_gids(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +void test_ncache_both_gid(void **state) +{ + errno_t ret; + struct ncache_test_ctx *test_ctx; + + test_ctx = talloc_get_type_abort(*state, struct ncache_test_ctx); + assert_non_null(test_ctx); + + ret = sss_ncache_init(test_ctx, TIMEOUT, TIMEOUT, &test_ctx->ncache); + assert_int_equal(ret, EOK); + + set_gids(test_ctx); + + check_gids(test_ctx, EEXIST, ENOENT, EEXIST, ENOENT); + + talloc_zfree(test_ctx->ncache); +} + +int main(int argc, const char *argv[]) +{ + int rv; + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + /* user */ + 
cmocka_unit_test_setup_teardown(test_ncache_nocache_user, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_local_user, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_domain_user, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_both_user, + test_ncache_setup, + test_ncache_teardown), + /* uid */ + cmocka_unit_test_setup_teardown(test_ncache_nocache_uid, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_local_uid, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_domain_uid, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_both_uid, + test_ncache_setup, + test_ncache_teardown), + /* group */ + cmocka_unit_test_setup_teardown(test_ncache_nocache_group, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_local_group, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_domain_group, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_both_group, + test_ncache_setup, + test_ncache_teardown), + /* gid */ + cmocka_unit_test_setup_teardown(test_ncache_nocache_gid, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_local_gid, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_domain_gid, + test_ncache_setup, + test_ncache_teardown), + cmocka_unit_test_setup_teardown(test_ncache_both_gid, + test_ncache_setup, + test_ncache_teardown), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_DB, TEST_DOM_NAME); + rv = cmocka_run_group_tests(tests, NULL, NULL); + + return rv; +} diff --git a/src/tests/cwrap/test_responder_common.c b/src/tests/cwrap/test_responder_common.c new file mode 100644 index 0000000..11cc3ab --- /dev/null +++ b/src/tests/cwrap/test_responder_common.c 
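Review bot: The wrappers `set_user_in_ncache`, `set_group_in_ncache`, `check_user_in_ncache` and `check_group_in_ncache` pass the result of `sss_create_internal_fqname()` straight to the negative-cache call without checking it, although `create_users` and `create_groups` in the same file assert it. How `sss_ncache_set_user()` and its siblings handle a NULL name is not visible here, so an allocation failure would show up as a misleading return code or a crash rather than at its cause. Adding `assert_non_null(fqdn);` after each allocation fixes that. Separately, the `/* uid tests */` comment before `test_ncache_nocache_gid` should read `/* gid tests */`. Also, `set_gids` and `check_gids` take their values from `users[].gid` rather than `groups[].gid`, which only works because both tables hold the same numbers.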
@@ -0,0 +1,237 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: User utilities + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include +#include "util/util.h" +#include "responder/common/responder.h" +#include "tests/cmocka/common_mock.h" + +/* Just to satisfy dependencies */ +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version responder_test_cli_protocol_version[] = { + {0, NULL, NULL} + }; + + return responder_test_cli_protocol_version; +} + +void test_uid_csv_to_uid_list(void **state) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + size_t count; + uid_t *list; + + tmp_ctx = talloc_new(global_talloc_context); + assert_non_null(tmp_ctx); + + check_leaks_push(tmp_ctx); + + ret = csv_string_to_uid_array(tmp_ctx, "1, 2, 3", false, &count, &list); + assert_int_equal(ret, EOK); + assert_int_equal(count, 3); + assert_int_equal(list[0], 1); + assert_int_equal(list[1], 2); + assert_int_equal(list[2], 3); + + talloc_free(list); + assert_true(check_leaks_pop(tmp_ctx)); + talloc_free(tmp_ctx); +} + +void test_name_csv_to_uid_list(void **state) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + size_t count; + uid_t *list; + + tmp_ctx = talloc_new(global_talloc_context); + assert_non_null(tmp_ctx); + + check_leaks_push(tmp_ctx); + + ret = csv_string_to_uid_array(tmp_ctx, "sssd, foobar", true, &count, &list); + 
assert_int_equal(ret, EOK); + assert_int_equal(count, 2); + assert_int_equal(list[0], 123); + assert_int_equal(list[1], 10001); + + talloc_free(list); + assert_true(check_leaks_pop(tmp_ctx)); + talloc_free(tmp_ctx); +} + +void test_csv_to_uid_list_neg(void **state) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + size_t count; + uid_t *list = NULL; + + tmp_ctx = talloc_new(global_talloc_context); + assert_non_null(tmp_ctx); + + check_leaks_push(tmp_ctx); + + ret = csv_string_to_uid_array(tmp_ctx, "nosuchuser", true, &count, &list); + assert_int_not_equal(ret, EOK); + + assert_true(check_leaks_pop(tmp_ctx)); + talloc_free(tmp_ctx); +} + +struct create_pipe_ctx { + int fd; + const char *sock_name; +}; + +static int test_create_pipe_fd_setup(void **state) +{ + struct create_pipe_ctx *ctx; + + ctx = talloc(global_talloc_context, struct create_pipe_ctx); + assert_non_null(ctx); + ctx->fd = -1; + + *state = ctx; + return 0; +} + +void check_sock_properties(struct create_pipe_ctx *ctx, mode_t mode) +{ + int ret; + int optval; + socklen_t optlen; + struct stat sbuf; + + /* Check existence of the file and the permissions */ + ret = stat(ctx->sock_name, &sbuf); + assert_int_equal(ret, 0); + assert_true(S_ISSOCK(sbuf.st_mode)); + assert_true((sbuf.st_mode & ~S_IFMT) == mode); + + /* Check it's a UNIX socket */ + optlen = sizeof(optval); + ret = getsockopt(ctx->fd, SOL_SOCKET, SO_DOMAIN, &optval, &optlen); + assert_int_equal(ret, 0); + assert_int_equal(optval, AF_UNIX); + + optlen = sizeof(optval); + ret = getsockopt(ctx->fd, SOL_SOCKET, SO_TYPE, &optval, &optlen); + assert_int_equal(ret, 0); + assert_int_equal(optval, SOCK_STREAM); + + /* Make sure this is a listening socket */ + optlen = sizeof(optval); + ret = getsockopt(ctx->fd, SOL_SOCKET, SO_ACCEPTCONN, &optval, &optlen); + assert_int_equal(ret, 0); + assert_int_equal(optval, 1); + + /* Check the right protocol */ + optlen = sizeof(optval); + ret = getsockopt(ctx->fd, SOL_SOCKET, SO_PROTOCOL, &optval, &optlen); + 
assert_int_equal(ret, 0); + assert_int_equal(optval, 0); + +} + +void test_create_pipe_fd(void **state) +{ + int ret; + struct create_pipe_ctx *ctx; + + ctx = talloc_get_type(*state, struct create_pipe_ctx); + + ctx->sock_name = __FUNCTION__; + + ret = create_pipe_fd(ctx->sock_name, &ctx->fd, 0111); + assert_int_equal(ret, EOK); + assert_int_not_equal(ctx->fd, -1); + check_sock_properties(ctx, 0666); + + /* Make sure we can overwrite an existing socket */ + ret = create_pipe_fd(ctx->sock_name, &ctx->fd, 0000); + assert_int_equal(ret, EOK); + assert_int_not_equal(ctx->fd, -1); + check_sock_properties(ctx, 0777); +} + +static int test_create_pipe_fd_teardown(void **state) +{ + struct create_pipe_ctx *ctx; + + ctx = talloc_get_type(*state, struct create_pipe_ctx); + + if (ctx->fd != -1) { + unlink(ctx->sock_name); + close(ctx->fd); + } + return 0; +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_uid_csv_to_uid_list), + cmocka_unit_test(test_name_csv_to_uid_list), + cmocka_unit_test(test_csv_to_uid_list_neg), + cmocka_unit_test_setup_teardown(test_create_pipe_fd, + test_create_pipe_fd_setup, + test_create_pipe_fd_teardown) + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/cwrap/test_server.c b/src/tests/cwrap/test_server.c new file mode 100644 index 0000000..85ecb7f --- /dev/null 
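Review bot: In `test_create_pipe_fd` the second `create_pipe_fd()` call writes into `ctx->fd` while the descriptor from the first call is still open. Unless `create_pipe_fd()` closes the value it is handed (its body is not in this hunk), the first listening socket leaks, because `test_create_pipe_fd_teardown` closes only the last one. Putting `close(ctx->fd); ctx->fd = -1;` before the "overwrite an existing socket" call keeps the descriptor accounting exact. The teardown also never frees `ctx`, and both functions dereference the result of `talloc_get_type()` unchecked; `talloc_get_type_abort()` as used in the negcache test, plus `talloc_free(ctx);`, would close that gap. The third argument appears to be a umask, so a comment such as `/* umask 0111 -> mode 0666, umask 0000 -> mode 0777 */` would make clear that the world-accessible socket modes are deliberate test values.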
+++ b/src/tests/cwrap/test_server.c 
@@ -0,0 +1,210 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: Server instantiation + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include +#include "util/util.h" +#include "util/strtonum.h" +#include "tests/cmocka/common_mock.h" + +static void wait_for_fg_server(pid_t pid) +{ + pid_t wpid; + int status; + + assert_int_not_equal(pid, -1); + + wpid = waitpid(pid, &status, 0); + assert_int_equal(wpid, pid); + assert_true(WIFEXITED(status)); + assert_int_equal(WEXITSTATUS(status), 0); +} + +static void wait_for_bg_server(const char *pidfile) +{ + int fd; + uint32_t tmp; + char buf[16]; + pid_t pid; + int ret; + int count; + + count = 0; + do { + struct stat sb; + + count++; + if (count > 200) { + fail(); + break; + } + + ret = stat(pidfile, &sb); + usleep(50000); + } while (ret != 0); + + /* read the pidfile */ + fd = open(pidfile, O_RDONLY); + assert_false(fd < 0); + + ret = read(fd, buf, sizeof(buf)); + close(fd); + assert_false(ret <= 0); + + buf[sizeof(buf) - 1] = '\0'; + + errno = 0; + tmp = strtouint32(buf, NULL, 10); + assert_int_not_equal(tmp, 0); + assert_int_equal(errno, 0); + + pid = (pid_t) (tmp); + + /* Make sure the daemon goes away! 
*/ + ret = kill(pid, SIGTERM); + fprintf(stderr, "killing %u\n", pid); + assert_true(ret == 0); + + unlink(pidfile); +} + +void test_run_as_root_fg(void **state) +{ + int ret; + struct main_context *main_ctx; + pid_t pid; + + /* Must root as root, real or fake */ + assert_int_equal(geteuid(), 0); + + pid = fork(); + if (pid == 0) { + ret = server_setup(__FUNCTION__, 0, 0, 0, + __FUNCTION__, &main_ctx); + assert_int_equal(ret, 0); + exit(0); + } + wait_for_fg_server(pid); +} + +void test_run_as_sssd_fg(void **state) +{ + int ret; + struct main_context *main_ctx; + struct passwd *sssd; + pid_t pid; + + /* Must root as root, real or fake */ + assert_int_equal(geteuid(), 0); + + sssd = getpwnam("sssd"); + assert_non_null(sssd); + + pid = fork(); + if (pid == 0) { + ret = server_setup(__FUNCTION__, 0, sssd->pw_uid, sssd->pw_gid, + __FUNCTION__, &main_ctx); + assert_int_equal(ret, 0); + exit(0); + } + wait_for_fg_server(pid); +} + +void test_run_as_root_daemon(void **state) +{ + int ret; + struct main_context *main_ctx; + pid_t pid; + char *pidfile; + + /* Must root as root, real or fake */ + assert_int_equal(geteuid(), 0); + + pidfile = talloc_asprintf(NULL, "%s/%s.pid", TEST_PID_PATH, __FUNCTION__); + + /* Make sure there are no leftovers */ + unlink(pidfile); + + pid = fork(); + if (pid == 0) { + ret = server_setup(__FUNCTION__, FLAGS_PID_FILE, + 0, 0, __FUNCTION__, &main_ctx); + assert_int_equal(ret, 0); + + server_loop(main_ctx); + exit(0); + } + + wait_for_bg_server(pidfile); + talloc_free(pidfile); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + int rv; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_run_as_root_fg), + cmocka_unit_test(test_run_as_sssd_fg), + cmocka_unit_test(test_run_as_root_daemon), + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + /* Even though normally the tests should clean up after themselves + * they might not after a failed run. Remove the old DB to be sure */ + tests_set_cwd(); + test_dom_suite_cleanup(TEST_DB_PATH, CONFDB_FILE, NULL); + test_dom_suite_setup(TEST_DB_PATH); + + rv = cmocka_run_group_tests(tests, NULL, NULL); + if (rv == 0) { + test_dom_suite_cleanup(TEST_DB_PATH, CONFDB_FILE, NULL); + } + + return rv; +} diff --git a/src/tests/cwrap/test_usertools.c b/src/tests/cwrap/test_usertools.c new file mode 100644 index 0000000..f61ae83 --- /dev/null +++ b/src/tests/cwrap/test_usertools.c 
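Review bot: `wait_for_bg_server` terminates `buf` only at its last index, so when `read()` returns fewer than 16 bytes the bytes between the data and `buf[15]` are uninitialized stack and `strtouint32()` may continue parsing into them. The parsed value is then passed to `kill(pid, SIGTERM)` in a test that asserts it runs as root (real or fake), so a misparsed pidfile could signal an unrelated process. The fix is to read one byte less with `ret = read(fd, buf, sizeof(buf) - 1);` and, after the `assert_false(ret <= 0)` check, terminate at the length actually read with `buf[ret] = '\0';`. The child forked in `test_run_as_root_daemon` is also never reaped with `waitpid()`, so the test cannot confirm that SIGTERM actually ended the daemon.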
@@ -0,0 +1,106 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2014 Red Hat + + SSSD tests: User utilities + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include +#include "util/util.h" +#include "tests/cmocka/common_mock.h" + +void test_get_user_num(void **state) +{ + uid_t uid; + gid_t gid; + errno_t ret; + + ret = sss_user_by_name_or_uid("123", &uid, &gid); + assert_int_equal(ret, EOK); + assert_int_equal(uid, 123); + assert_int_equal(gid, 456); +} + +void test_get_user_str(void **state) +{ + uid_t uid; + gid_t gid; + errno_t ret; + + ret = sss_user_by_name_or_uid("sssd", &uid, &gid); + assert_int_equal(ret, EOK); + assert_int_equal(uid, 123); + assert_int_equal(gid, 456); +} + +void test_get_user_nullparm(void **state) +{ + uid_t uid; + gid_t gid; + errno_t ret; + + ret = sss_user_by_name_or_uid("sssd", &uid, NULL); + assert_int_equal(ret, EOK); + assert_int_equal(uid, 123); + + ret = sss_user_by_name_or_uid("sssd", NULL, &gid); + assert_int_equal(ret, EOK); + assert_int_equal(gid, 456); +} + +int main(int argc, const char *argv[]) +{ + poptContext pc; + int opt; + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_DEBUG_OPTS + POPT_TABLEEND + }; + + const struct CMUnitTest tests[] = { + cmocka_unit_test(test_get_user_num), + cmocka_unit_test(test_get_user_str), + cmocka_unit_test(test_get_user_nullparm), + }; + + /* Set debug level to invalid value so we can 
decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + return cmocka_run_group_tests(tests, NULL, NULL); +} diff --git a/src/tests/debug-tests.c b/src/tests/debug-tests.c new file mode 100644 index 0000000..1446ec0 --- /dev/null +++ b/src/tests/debug-tests.c 
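Review bot: All three tests cover only successful lookups, so nothing here checks that `sss_user_by_name_or_uid()` refuses an unknown name. A negative case such as `ret = sss_user_by_name_or_uid("nosuchuser", &uid, &gid); assert_int_not_equal(ret, EOK);` would mirror `test_csv_to_uid_list_neg` in test_responder_common.c and pin the failure path of a function that resolves the identity a service runs as. The expected values 123 and 456 come from a passwd fixture that is not part of this hunk (presumably the cwrap passwd file). A comment such as `/* uid/gid of "sssd" in the test passwd fixture */` above the first assertion would tell the reader where they originate.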
@@ -0,0 +1,704 @@
+/*
+ SSSD
+
+ debug-tests.c
+
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2011 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include "util/util.h"
+#include "tests/common.h"
+
+#define DEBUG_TEST_ERROR -1
+#define DEBUG_TEST_NOK 1
+#define DEBUG_TEST_NOK_TS 2
+
+START_TEST(test_debug_convert_old_level_old_format)
+{
+ int expected_level = 0x0000;
+ int old_level;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL | SSSDBG_BE_FO
+ };
+
+ for (old_level = 0; old_level <= 9; old_level++) {
+ expected_level |= levels[old_level];
+
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL, "Invalid conversion of %d", old_level);
+ fail_unless(debug_convert_old_level(old_level) == expected_level, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_convert_old_level_new_format)
+{
+ fail_unless(
+ debug_convert_old_level(SSSDBG_UNRESOLVED) == SSSDBG_FATAL_FAILURE,
+ "Invalid conversion of SSSDBG_UNRESOLVED"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_FATAL_FAILURE) == SSSDBG_FATAL_FAILURE,
+ "Invalid conversion of SSSDBG_FATAL_FAILURE"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_CRIT_FAILURE) == SSSDBG_CRIT_FAILURE,
+ "Invalid
conversion of SSSDBG_CRIT_FAILURE"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_OP_FAILURE) == SSSDBG_OP_FAILURE,
+ "Invalid conversion of SSSDBG_OP_FAILURE"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_MINOR_FAILURE) == SSSDBG_MINOR_FAILURE,
+ "Invalid conversion of SSSDBG_MINOR_FAILURE"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_CONF_SETTINGS) == SSSDBG_CONF_SETTINGS,
+ "Invalid conversion of SSSDBG_CONF_SETTINGS"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_FUNC_DATA) == SSSDBG_FUNC_DATA,
+ "Invalid conversion of SSSDBG_FUNC_DATA"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_TRACE_FUNC) == SSSDBG_TRACE_FUNC,
+ "Invalid conversion of SSSDBG_TRACE_FUNC"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_TRACE_LIBS) == SSSDBG_TRACE_LIBS,
+ "Invalid conversion of SSSDBG_TRACE_LIBS"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_TRACE_INTERNAL) == SSSDBG_TRACE_INTERNAL,
+ "Invalid conversion of SSSDBG_TRACE_INTERNAL"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_TRACE_ALL) == SSSDBG_TRACE_ALL,
+ "Invalid conversion of SSSDBG_TRACE_ALL"
+ );
+ fail_unless(
+ debug_convert_old_level(SSSDBG_MASK_ALL) == SSSDBG_MASK_ALL,
+ "Invalid conversion of SSSDBG_MASK_ALL"
+ );
+}
+END_TEST
+
+int test_helper_debug_check_message(int level)
+{
+ TALLOC_CTX *ctx = talloc_new(NULL);
+ char filename[24] = {'\0'};
+ char *msg = NULL;
+ char *compare_to = NULL;
+ const char *function = __FUNCTION__;
+ const char *body = "some error";
+ int filesize;
+ int fsize;
+ int fd;
+ int ret;
+ int _errno = 0;
+ mode_t old_umask;
+ FILE *file = NULL;
+
+ strncpy(filename, "sssd_debug_tests.XXXXXX", 24);
+
+ old_umask = umask(SSS_DFL_UMASK);
+ fd = mkstemp(filename);
+ umask(old_umask);
+ if (fd == -1) {
+ _errno = errno;
+ talloc_free(ctx);
+ errno = _errno;
+ return DEBUG_TEST_ERROR;
+ }
+
+ file = fdopen(fd, "r");
+ if (file == NULL) {
+ _errno = errno;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ ret = set_debug_file_from_fd(fd);
+ if
(ret != EOK) {
+ _errno = ret;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ DEBUG(level, "%s\n", body);
+
+ ret = fseek(file, 0, SEEK_END);
+ if (ret == -1) {
+ _errno = errno;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ filesize = ftell(file);
+ if (filesize == -1) {
+ _errno = errno;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ rewind(file);
+
+ msg = talloc_array(ctx, char, filesize+1);
+ if (msg == NULL) {
+ _errno = ENOMEM;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+ fsize = fread(msg, sizeof(char), filesize, file);
+ if (fsize != filesize) {
+ _errno = EIO;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+ msg[fsize] = '\0';
+
+ if (debug_timestamps == 1) {
+ char time_day[4] = {'\0', '\0', '\0', '\0'};
+ char time_month[4] = {'\0', '\0', '\0', '\0'};
+ int time_day_num = 0;
+ int time_hour = 0;
+ int time_min = 0;
+ int time_sec = 0;
+ int time_usec = 0;
+ int time_year = 0;
+ int scan_return = 0;
+
+ if (debug_microseconds == 0) {
+ scan_return = sscanf(msg, "(%s %s %d %d:%d:%d %d)", time_day, time_month,
+ &time_day_num, &time_hour, &time_min, &time_sec, &time_year);
+
+ if (scan_return != 7) {
+ ret = DEBUG_TEST_NOK_TS;
+ goto done;
+ }
+ compare_to = talloc_asprintf(ctx,
+ "(%s %s %2d %.2d:%.2d:%.2d %.4d) "
+ "[%s] [%s] (%#.4x): %s\n",
+ time_day, time_month, time_day_num,
+ time_hour, time_min, time_sec, time_year,
+ debug_prg_name, function, level, body);
+ if (compare_to == NULL) {
+ _errno = ENOMEM;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+ } else {
+ scan_return = sscanf(msg, "(%s %s %d %d:%d:%d:%d %d)", time_day, time_month,
+ &time_day_num, &time_hour, &time_min, &time_sec,
+ &time_usec, &time_year);
+
+ if (scan_return != 8) {
+ ret = DEBUG_TEST_NOK_TS;
+ goto done;
+ }
+ compare_to = talloc_asprintf(ctx,
+ "(%s %s %2d %.2d:%.2d:%.2d:%.6d %.4d) "
+ "[%s] [%s] (%#.4x): %s\n",
+ time_day, time_month, time_day_num,
+ time_hour, time_min, time_sec, time_usec,
+ time_year, debug_prg_name, function, level, body);
+ if (compare_to == NULL) {
+
_errno = ENOMEM;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+ }
+ } else {
+ compare_to = talloc_asprintf(ctx, "[%s] [%s] (%#.4x): %s\n",
+ debug_prg_name, function, level, body);
+ if (compare_to == NULL) {
+ _errno = ENOMEM;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+ }
+ ret = strncmp(msg, compare_to, filesize) == 0 ? EOK : DEBUG_TEST_NOK;
+
+done:
+ talloc_free(ctx);
+ if (file != NULL) {
+ fclose(file);
+ }
+ remove(filename);
+ errno = _errno;
+ return ret;
+}
+
+int test_helper_debug_is_empty_message(int level)
+{
+ char filename[24] = {'\0'};
+ int fd;
+ int filesize;
+ int ret;
+ int _errno = 0;
+ mode_t old_umask;
+ FILE *file;
+
+ strncpy(filename, "sssd_debug_tests.XXXXXX", 24);
+
+ old_umask = umask(SSS_DFL_UMASK);
+ fd = mkstemp(filename);
+ umask(old_umask);
+ if (fd == -1) {
+ return DEBUG_TEST_ERROR;
+ }
+
+ file = fdopen(fd, "r");
+ if (file == NULL) {
+ _errno = errno;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ ret = set_debug_file_from_fd(fd);
+ if (ret != EOK) {
+ _errno = ret;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ DEBUG(level, "some error\n");
+
+ ret = fseek(file, 0, SEEK_END);
+ if (ret == -1) {
+ _errno = errno;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ filesize = ftell(file);
+ if (filesize == -1) {
+ _errno = errno;
+ ret = DEBUG_TEST_ERROR;
+ goto done;
+ }
+
+ ret = filesize == 0 ?
EOK : DEBUG_TEST_NOK;
+
+done:
+ if (file != NULL) {
+ fclose(file);
+ }
+ remove(filename);
+ errno = _errno;
+ return ret;
+}
+
+START_TEST(test_debug_is_set_single_no_timestamp)
+{
+ int i;
+ int result;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+ char *error_msg;
+
+ debug_timestamps = 0;
+ debug_microseconds = 0;
+ debug_to_file = 1;
+ debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = levels[i];
+
+ errno = 0;
+ result = test_helper_debug_check_message(levels[i]);
+
+ if (result == DEBUG_TEST_ERROR) {
+ error_msg = strerror(errno);
+ fail(error_msg);
+ }
+
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
+ fail_unless(result == EOK, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_set_single_timestamp)
+{
+ int i;
+ int result;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+ char *error_msg;
+
+ debug_timestamps = 1;
+ debug_microseconds = 0;
+ debug_to_file = 1;
+ debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = levels[i];
+
+ errno = 0;
+ result = test_helper_debug_check_message(levels[i]);
+
+ if (result == DEBUG_TEST_ERROR) {
+ error_msg = strerror(errno);
+ fail(error_msg);
+ }
+
+ char *msg = NULL;
+
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
+ fail_if(result == DEBUG_TEST_NOK_TS, msg);
+ talloc_free(msg);
+
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't
match", levels[i]);
+ fail_unless(result == EOK, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_set_single_timestamp_microseconds)
+{
+ int i;
+ int result;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+ char *error_msg;
+
+ debug_timestamps = 1;
+ debug_microseconds = 1;
+ debug_to_file = 1;
+ debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = levels[i];
+
+ errno = 0;
+ result = test_helper_debug_check_message(levels[i]);
+
+ if (result == DEBUG_TEST_ERROR) {
+ error_msg = strerror(errno);
+ fail(error_msg);
+ }
+
+ char *msg = NULL;
+
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - invalid timestamp", levels[i]);
+ fail_if(result == DEBUG_TEST_NOK_TS, msg);
+ talloc_free(msg);
+
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - message don't match", levels[i]);
+ fail_unless(result == EOK, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_notset_no_timestamp)
+{
+ int i;
+ int result;
+ int all_set = SSSDBG_MASK_ALL;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+ char *error_msg;
+
+ debug_timestamps = 0;
+ debug_microseconds = 0;
+ debug_to_file = 1;
+ debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = all_set & ~levels[i];
+
+ errno = 0;
+ result = test_helper_debug_is_empty_message(levels[i]);
+
+ if (result == DEBUG_TEST_ERROR) {
+ error_msg = strerror(errno);
+ fail(error_msg);
+ }
+
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL,
+ "Test of level %#.4x
failed - message has been written",
+ levels[i]);
+ fail_unless(result == EOK, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_notset_timestamp)
+{
+ int i;
+ int result;
+ int all_set = SSSDBG_MASK_ALL;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+ char *error_msg;
+
+ debug_timestamps = 0;
+ debug_microseconds = 0;
+ debug_to_file = 1;
+ debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = all_set & ~levels[i];
+
+ errno = 0;
+ result = test_helper_debug_is_empty_message(levels[i]);
+
+ if (result == DEBUG_TEST_ERROR) {
+ error_msg = strerror(errno);
+ fail(error_msg);
+ }
+
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL,
+ "Test of level %#.4x failed - message has been written",
+ levels[i]);
+ fail_unless(result == EOK, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_notset_timestamp_microseconds)
+{
+ int i;
+ int result;
+ int all_set = SSSDBG_MASK_ALL;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+ char *error_msg;
+
+ debug_timestamps = 0;
+ debug_microseconds = 1;
+ debug_to_file = 1;
+ debug_prg_name = "sssd";
+ sss_set_logger(sss_logger_str[FILES_LOGGER]);
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = all_set & ~levels[i];
+
+ errno = 0;
+ result = test_helper_debug_is_empty_message(levels[i]);
+
+ if (result == DEBUG_TEST_ERROR) {
+ error_msg = strerror(errno);
+ fail(error_msg);
+ }
+
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL,
+ "Test of level %#.4x failed - message has been written",
+ levels[i]);
+ fail_unless(result == EOK, msg);
+
talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_set_true)
+{
+ int i;
+ int result;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+
+ debug_level = SSSDBG_MASK_ALL;
+
+ for (i = 0; i <= 9; i++) {
+ result = DEBUG_IS_SET(levels[i]);
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
+ fail_unless(result > 0, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+START_TEST(test_debug_is_set_false)
+{
+ int i;
+ int result;
+ int all_set = SSSDBG_MASK_ALL;
+ int levels[] = {
+ SSSDBG_FATAL_FAILURE,
+ SSSDBG_CRIT_FAILURE,
+ SSSDBG_OP_FAILURE,
+ SSSDBG_MINOR_FAILURE,
+ SSSDBG_CONF_SETTINGS,
+ SSSDBG_FUNC_DATA,
+ SSSDBG_TRACE_FUNC,
+ SSSDBG_TRACE_LIBS,
+ SSSDBG_TRACE_INTERNAL,
+ SSSDBG_TRACE_ALL
+ };
+
+ for (i = 0; i <= 9; i++) {
+ debug_level = all_set & ~levels[i];
+
+ result = DEBUG_IS_SET(levels[i]);
+ char *msg = NULL;
+ msg = talloc_asprintf(NULL, "Test of level %#.4x failed - result is 0x%.4x", levels[i], result);
+ fail_unless(result == 0, msg);
+ talloc_free(msg);
+ }
+}
+END_TEST
+
+Suite *debug_suite(void)
+{
+ Suite *s = suite_create("debug");
+
+ TCase *tc_debug = tcase_create("debug");
+
+ tcase_add_test(tc_debug, test_debug_convert_old_level_old_format);
+ tcase_add_test(tc_debug, test_debug_convert_old_level_new_format);
+ tcase_add_test(tc_debug, test_debug_is_set_single_no_timestamp);
+ tcase_add_test(tc_debug, test_debug_is_set_single_timestamp);
+ tcase_add_test(tc_debug, test_debug_is_set_single_timestamp_microseconds);
+ tcase_add_test(tc_debug, test_debug_is_notset_no_timestamp);
+ tcase_add_test(tc_debug, test_debug_is_notset_timestamp);
+ tcase_add_test(tc_debug, test_debug_is_notset_timestamp_microseconds);
+ tcase_add_test(tc_debug, test_debug_is_set_true);
+
tcase_add_test(tc_debug, test_debug_is_set_false);
+ tcase_set_timeout(tc_debug, 60);
+
+ suite_add_tcase(s, tc_debug);
+
+ return s;
+}
+
+int main(int argc, const char *argv[])
+{
+ int number_failed;
+
+ tests_set_cwd();
+
+ Suite *s = debug_suite();
+ SRunner *sr = srunner_create(s);
+
+ srunner_run_all(sr, CK_NORMAL);
+ number_failed = srunner_ntests_failed(sr);
+ srunner_free(sr);
+
+ if (number_failed == 0)
+ return EXIT_SUCCESS;
+
+ return EXIT_FAILURE;
+}
diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c
new file mode 100644
index 0000000..9a5d359
--- /dev/null
+++ b/src/tests/dlopen-tests.c
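Review bot: In test_helper_debug_check_message both `sscanf` calls read `%s` into `char time_day[4]` and `char time_month[4]` with no field width, so a leading token longer than three characters in the log file writes past the end of the stack arrays. Bound the conversions, `sscanf(msg, "(%3s %3s %d %d:%d:%d %d)", ...)` and the same `%3s %3s` in the microseconds variant; an over-long token then fails the existing `scan_return` check and is reported as DEBUG_TEST_NOK_TS. Separately, test_debug_is_notset_timestamp and test_debug_is_notset_timestamp_microseconds both set `debug_timestamps = 0`, the same as the no_timestamp case, which looks like a copy-paste slip if they are meant to cover timestamped output.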
@@ -0,0 +1,270 @@
+/*
+ SSSD
+
+ debug-tests.c
+
+ Authors:
+ Simo Sorce
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "tests/common.h"
+
+#define LIBPFX ABS_BUILD_DIR "/" LT_OBJDIR
+
+struct so {
+ const char *name;
+ const char *libs[6];
+} so[] = {
+ { "libsss_debug.so", { LIBPFX"libsss_debug.so", NULL } },
+ { "libsss_semanage.so", { LIBPFX"libsss_semanage.so", NULL } },
+ { "libipa_hbac.so", { LIBPFX"libipa_hbac.so", NULL } },
+ { "libsss_idmap.so", { LIBPFX"libsss_idmap.so", NULL } },
+ { "libsss_nss_idmap.so", { LIBPFX"libsss_nss_idmap.so", NULL } },
+ { "libnss_sss.so", { LIBPFX"libnss_sss.so", NULL } },
+ { "libsss_certmap.so", { LIBPFX"libsss_certmap.so", NULL } },
+ { "pam_sss.so", { LIBPFX"pam_sss.so", NULL } },
+#ifdef BUILD_LIBWBCLIENT
+ { "libwbclient.so", { LIBPFX"libwbclient.so", NULL } },
+#endif /* BUILD_LIBWBCLIENT */
+#ifdef BUILD_IFP
+ { "libsss_simpleifp.so", { LIBPFX"libsss_simpleifp.so", NULL } },
+#endif /* BUILD_IFP */
+#ifdef BUILD_SUDO
+ { "libsss_sudo.so", { LIBPFX"libsss_sudo.so", NULL } },
+#endif
+#ifdef BUILD_AUTOFS
+ { "libsss_autofs.so", { LIBPFX"libsss_autofs.so", NULL } },
+#endif
+#ifdef HAVE_KRB5_LOCATOR_PLUGIN
+ { "sssd_krb5_locator_plugin.so", { LIBPFX"sssd_krb5_locator_plugin.so",
+ NULL } },
+#endif
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+ {
"sssd_krb5_localauth_plugin.so", { LIBPFX"sssd_krb5_localauth_plugin.so",
+ NULL } },
+#endif
+#ifdef HAVE_PAC_RESPONDER
+ { "sssd_pac_plugin.so", { LIBPFX"sssd_pac_plugin.so", NULL } },
+#endif
+#ifdef HAVE_CIFS_IDMAP_PLUGIN
+ { "cifs_idmap_sss.so", { LIBPFX"cifs_idmap_sss.so", NULL } },
+#endif
+ { "memberof.so", { LIBPFX"memberof.so", NULL } },
+ { "libsss_child.so", { LIBPFX"libsss_util.so",
+ LIBPFX"libsss_child.so", NULL } },
+ { "libsss_crypt.so", { LIBPFX"libsss_crypt.so", NULL } },
+ { "libsss_cert.so", { LIBPFX"libsss_util.so",
+ LIBPFX"libsss_cert.so", NULL } },
+ { "libsss_util.so", { LIBPFX"libsss_util.so", NULL } },
+ { "libsss_simple.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_simple.so", NULL } },
+ { "libsss_files.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_files.so", NULL } },
+#ifdef BUILD_SAMBA
+ { "libsss_ad.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_ad.so", NULL } },
+ { "libsss_ipa.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_ipa.so", NULL } },
+ { "winbind_idmap_sss.so", { LIBPFX"libdlopen_test_winbind_idmap.so",
+ LIBPFX"winbind_idmap_sss.so", NULL } },
+#endif /* BUILD_SAMBA */
+ { "libsss_krb5.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_krb5.so", NULL } },
+ { "libsss_krb5_common.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_krb5_common.so", NULL } },
+ { "libsss_ldap.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_ldap.so", NULL } },
+ { "libsss_ldap_common.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_ldap_common.so", NULL } },
+ { "libsss_proxy.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_proxy.so", NULL } },
+#ifdef HAVE_PYTHON2_BINDINGS
+ { "_py2hbac.so", { LIBPFX"_py2hbac.so", NULL } },
+ { "_py2sss.so", { LIBPFX"_py2sss.so", NULL } },
+ { "_py2sss_murmur.so", { LIBPFX"_py2sss_murmur.so", NULL } },
+ { "_py2sss_nss_idmap.so", { LIBPFX"_py2sss_nss_idmap.so", NULL } },
+#endif
+#ifdef
HAVE_PYTHON3_BINDINGS
+ { "_py3hbac.so", { LIBPFX"_py3hbac.so", NULL } },
+ { "_py3sss.so", { LIBPFX"_py3sss.so", NULL } },
+ { "_py3sss_murmur.so", { LIBPFX"_py3sss_murmur.so", NULL } },
+ { "_py3sss_nss_idmap.so", { LIBPFX"_py3sss_nss_idmap.so", NULL } },
+#endif
+#ifdef BUILD_NFS_IDMAP
+ { "sss.so", { LIBPFX"sss.so", NULL } },
+#endif
+ /* for testing purposes */
+ { "libdlopen_test_providers.so", { LIBPFX"libdlopen_test_providers.so",
+ NULL } },
+ { "libsss_nss_idmap_tests.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_nss_idmap_tests.so",
+ NULL } },
+#ifdef BUILD_SAMBA
+ { "libdlopen_test_winbind_idmap.so",
+ { LIBPFX"libdlopen_test_winbind_idmap.so", NULL } },
+ { "libsss_ad_tests.so", { LIBPFX"libdlopen_test_providers.so",
+ LIBPFX"libsss_ad_tests.so", NULL } },
+#endif
+ { NULL }
+};
+
+static bool recursive_dlopen(const char **name, int round, char **errmsg)
+{
+ void *handle;
+ bool ok;
+
+ *errmsg = NULL;
+
+ handle = dlopen(name[round], RTLD_GLOBAL|RTLD_NOW);
+ if (!handle) {
+ if (asprintf(errmsg, "dlopen() failed: %s", dlerror()) == -1)
+ *errmsg = NULL;
+ return false;
+ }
+
+ round++;
+ if (name[round]) {
+ ok = recursive_dlopen(name, round, errmsg);
+ } else {
+ ok = true;
+ }
+
+ dlclose(handle);
+ return ok;
+}
+
+static int file_so_filter(const struct dirent *ent)
+{
+ char *suffix;
+
+ suffix = rindex(ent->d_name, '.');
+ if (suffix != NULL
+ && strcmp(suffix, ".so") == 0
+ && suffix[3] == '\0') {
+ return 1;
+ }
+
+ return 0;
+}
+
+static char **get_so_files(size_t *_list_size)
+{
+ int n;
+ struct dirent **namelist;
+ char **libraries;
+
+ n = scandir(LIBPFX, &namelist, file_so_filter, alphasort);
+ fail_unless(n > 0);
+
+ libraries = calloc(n + 1, sizeof(char *));
+
+ for (int i = 0; i < n; ++i) {
+ libraries[i] = strdup(namelist[i]->d_name);
+ fail_if(libraries[i] == NULL);
+
+ free(namelist[i]);
+ }
+ free(namelist);
+
+ *_list_size = (size_t)n;
+ return libraries;
+}
+
+static void remove_library_from_list(const char
*library, char **list,
+ size_t list_size)
+{
+ for (size_t i = 0; i < list_size; ++i) {
+ if (list[i] != NULL && strcmp(library, list[i]) == 0) {
+ /* found library need to be removed from list */
+ free(list[i]);
+ list[i] = NULL;
+ return;
+ }
+ }
+
+ ck_abort_msg("Cannot find expected library: %s", library);
+}
+
+START_TEST(test_dlopen_base)
+{
+ char *errmsg;
+ bool ok;
+ int i;
+ size_t found_libraries_size;
+ char **found_libraries = get_so_files(&found_libraries_size);
+ bool unchecked_library = false;
+
+ for (i = 0; so[i].name != NULL; i++) {
+ ok = recursive_dlopen(so[i].libs, 0, &errmsg);
+ fail_unless(ok, "Error opening %s: [%s]", so[i].name, errmsg);
+
+ remove_library_from_list(so[i].name, found_libraries,
+ found_libraries_size);
+ }
+
+ for (i = 0; i < found_libraries_size; ++i) {
+ if (found_libraries[i] != NULL) {
+ printf("Unchecked library found: %s\n", found_libraries[i]);
+ unchecked_library = true;
+ }
+ }
+ free(found_libraries);
+
+ fail_if(unchecked_library);
+}
+END_TEST
+
+Suite *dlopen_suite(void)
+{
+ Suite *s = suite_create("dlopen");
+
+ TCase *tc_dlopen = tcase_create("dlopen");
+
+ tcase_add_test(tc_dlopen, test_dlopen_base);
+ tcase_set_timeout(tc_dlopen, 10);
+
+ suite_add_tcase(s, tc_dlopen);
+
+ return s;
+}
+
+int main(int argc, const char *argv[])
+{
+ int number_failed;
+
+ Suite *s = dlopen_suite();
+ SRunner *sr = srunner_create(s);
+
+ srunner_run_all(sr, CK_NORMAL);
+ number_failed = srunner_ntests_failed(sr);
+ srunner_free(sr);
+
+ if (number_failed == 0)
+ return EXIT_SUCCESS;
+
+ return EXIT_FAILURE;
+}
diff --git a/src/tests/double_semicolon_test b/src/tests/double_semicolon_test
new file mode 100755
index 0000000..bbc05fa
--- /dev/null
+++ b/src/tests/double_semicolon_test
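Review bot: get_so_files() stores into `libraries[i]` without checking the `calloc` result, so an allocation failure becomes a NULL dereference instead of a reported test failure; add `fail_if(libraries == NULL);` directly after the `calloc` line, matching the `strdup` check below it. In test_dlopen_base the `errmsg` set by recursive_dlopen() is NULL when `asprintf` fails and is still handed to `%s` in the `fail_unless` message, and it is never freed; `errmsg ? errmsg : "unknown"` covers the first. The second loop, `for (i = 0; i < found_libraries_size; ++i)`, also compares an `int` with a `size_t`, and the strings left in `found_libraries` are not freed before `free(found_libraries)`.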
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -e -u -o pipefail
+
+# An AWK regex matching tracked file paths to be included for the search.
+# Example: '.*\.po|README'
+PATH_INCLUDE_REGEX='.*\.c|.*\.h'
+
+export GIT_DIR="$ABS_TOP_SRCDIR/.git"
+export GIT_WORK_TREE="$ABS_TOP_SRCDIR"
+
+if [ ! -d "$GIT_DIR" ]; then
+ echo "Git repository is required for this test!" 1>&2
+ exit 77
+fi
+
+{
+ # Look for lines with double semicolon at the end of line
+ # in all files tracked by Git
+ git grep -n -I ';\s*;$' -- "$(git rev-parse --show-toplevel)" ||
+ # Don't fail if no such lines were found anywhere
+ [[ $? == 1 ]]
+} |
+ awk -- "
+ BEGIN {
+ found = 0
+ }
+ /^($PATH_INCLUDE_REGEX):/ {
+ if (!found) {
+ print \"Double semicolon found:\"
+ found = 1
+ }
+ print
+ }
+ END {
+ exit found
+ }
+ "
diff --git a/src/tests/fail_over-tests.c b/src/tests/fail_over-tests.c
new file mode 100644
index 0000000..5312b27
--- /dev/null
+++ b/src/tests/fail_over-tests.c
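Review bot: `export GIT_DIR="$ABS_TOP_SRCDIR/.git"` is expanded under `set -u`, so when the harness has not exported ABS_TOP_SRCDIR the script aborts with an unbound-variable error before it can reach the `exit 77` skip branch. If a skip is the intended outcome outside the build system, test the variable first, for example `[ -n "${ABS_TOP_SRCDIR:-}" ] || exit 77`. The comment above `PATH_INCLUDE_REGEX` could also say that the value is pasted into the awk program text inside double quotes, so it has to remain a fixed, trusted pattern.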
@@ -0,0 +1,336 @@
+/*
+ SSSD
+
+ Fail over tests.
+
+ Authors:
+ Martin Nagy
+
+ Copyright (C) Red Hat, Inc 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "resolv/async_resolv.h"
+#include "tests/common_check.h"
+#include "util/util.h"
+
+/* Interface under test */
+#include "providers/fail_over.h"
+
+int use_net_test;
+
+struct test_ctx {
+ struct tevent_context *ev;
+ struct resolv_ctx *resolv;
+ struct fo_ctx *fo_ctx;
+ int tasks;
+};
+
+struct task {
+ struct test_ctx *test_ctx;
+ const char *location;
+ struct fo_service *service;
+ int recv;
+ int port;
+ int new_server_status;
+ int new_port_status;
+};
+
+static struct test_ctx *
+setup_test(void)
+{
+ struct test_ctx *ctx;
+ struct fo_options fopts;
+ int ret;
+
+ ctx = talloc_zero(global_talloc_context, struct test_ctx);
+ fail_if(ctx == NULL, "Could not allocate memory for test context");
+
+ ctx->ev = tevent_context_init(ctx);
+ if (ctx->ev == NULL) {
+ talloc_free(ctx);
+ fail("Could not init tevent context");
+ }
+
+ ret = resolv_init(ctx, ctx->ev, 5, &ctx->resolv);
+ if (ret != EOK) {
+ talloc_free(ctx);
+ fail("Could not init resolv context");
+ }
+
+ memset(&fopts, 0, sizeof(fopts));
+ fopts.retry_timeout = 30;
+ fopts.family_order = IPV4_FIRST;
+
+ ctx->fo_ctx = fo_context_init(ctx, &fopts);
+ if (ctx->fo_ctx == NULL) {
+ talloc_free(ctx);
+ fail("Could not
init fail over context");
+ }
+
+ return ctx;
+}
+
+static void
+test_loop(struct test_ctx *data)
+{
+ while (data->tasks != 0)
+ tevent_loop_once(data->ev);
+}
+
+START_TEST(test_fo_new_service)
+{
+ int i;
+ int ret;
+ struct test_ctx *ctx;
+ struct fo_service *service;
+ struct fo_service *services[10];
+
+ ctx = setup_test();
+ ck_leaks_push(ctx);
+
+ for (i = 0; i < 10; i++) {
+ char buf[16];
+ sprintf(buf, "service_%d", i);
+
+ ck_leaks_push(ctx);
+ ret = fo_new_service(ctx->fo_ctx, buf, NULL, &services[i]);
+ fail_if(ret != EOK);
+ }
+
+ ret = fo_new_service(ctx->fo_ctx, "service_3", NULL, &service);
+ fail_if(ret != EEXIST);
+
+ for (i = 9; i >= 0; i--) {
+ char buf[16];
+ sprintf(buf, "service_%d", i);
+
+ ret = fo_get_service(ctx->fo_ctx, buf, &service);
+ fail_if(ret != EOK);
+ fail_if(service != services[i]);
+ talloc_free(service);
+ ck_leaks_pop(ctx);
+
+ ret = fo_get_service(ctx->fo_ctx, buf, &service);
+ fail_if(ret != ENOENT);
+ }
+
+ ck_leaks_pop(ctx);
+ talloc_free(ctx);
+}
+END_TEST
+
+static void
+test_resolve_service_callback(struct tevent_req *req)
+{
+ uint64_t recv_status;
+ int port;
+ struct task *task;
+ struct fo_server *server = NULL;
+ struct fo_server *active_server = NULL;
+ struct resolv_hostent *he;
+ int i;
+
+ task = tevent_req_callback_data(req, struct task);
+
+ task->test_ctx->tasks--;
+
+ recv_status = fo_resolve_service_recv(req, req, &server);
+ talloc_free(req);
+ fail_if(recv_status != task->recv, "%s: Expected return of %d, got %d",
+ task->location, task->recv, recv_status);
+ if (recv_status != EOK)
+ return;
+ fail_if(server == NULL);
+ port = fo_get_server_port(server);
+ fail_if(port != task->port, "%s: Expected port %d, got %d", task->location,
+ task->port, port);
+
+ if (task->new_port_status >= 0)
+ fo_set_port_status(server, task->new_port_status);
+ if (task->new_server_status >= 0)
+ fo_set_server_status(server, task->new_server_status);
+
+ if (fo_get_server_name(server) != NULL) {
+ he =
fo_get_server_hostent(server);
+ fail_if(he == NULL, "fo_get_server_hostent() returned NULL");
+ for (i = 0; he->addr_list[i]; i++) {
+ char buf[256];
+
+ inet_ntop(he->family, he->addr_list[i]->ipaddr, buf, sizeof(buf));
+ fail_if(strcmp(buf, "127.0.0.1") != 0 && strcmp(buf, "::1") != 0);
+ }
+ }
+
+ if (task->new_port_status == PORT_WORKING
+ && task->new_server_status == SERVER_WORKING) {
+ active_server = fo_get_active_server(task->service);
+ fail_if(active_server == NULL, "Missing active server");
+ fail_if(server != active_server, "Current server is not active server");
+ }
+
+}
+
+#define get_request(a, b, c, d, e, f) \
+ _get_request(a, b, c, d, e, f, __location__)
+
+static void
+_get_request(struct test_ctx *test_ctx, struct fo_service *service,
+ int expected_recv, int expected_port, int new_port_status,
+ int new_server_status, const char *location)
+{
+ struct tevent_req *req;
+ struct task *task;
+
+ task = talloc(test_ctx, struct task);
+ fail_if(task == NULL);
+
+ task->test_ctx = test_ctx;
+ task->recv = expected_recv;
+ task->port = expected_port;
+ task->new_port_status = new_port_status;
+ task->new_server_status = new_server_status;
+ task->location = location;
+ task->service = service;
+ test_ctx->tasks++;
+
+ req = fo_resolve_service_send(test_ctx, test_ctx->ev,
+ test_ctx->resolv,
+ test_ctx->fo_ctx, service);
+ fail_if(req == NULL, "%s: fo_resolve_service_send() failed", location);
+
+ tevent_req_set_callback(req, test_resolve_service_callback, task);
+ test_loop(test_ctx);
+}
+
+START_TEST(test_fo_resolve_service)
+{
+ struct test_ctx *ctx;
+ struct fo_service *service[3];
+
+ ctx = setup_test();
+ fail_if(ctx == NULL);
+
+ /* Add service. */
+ fail_if(fo_new_service(ctx->fo_ctx, "http", NULL, &service[0]) != EOK);
+
+ fail_if(fo_new_service(ctx->fo_ctx, "ldap", NULL, &service[1]) != EOK);
+
+ fail_if(fo_new_service(ctx->fo_ctx, "ntp", NULL, &service[2]) != EOK);
+
+ /* Add servers.
*/
+ fail_if(fo_add_server(service[0], "localhost", 20, NULL, true) != EOK);
+ fail_if(fo_add_server(service[0], "127.0.0.1", 80, NULL, false) != EOK);
+
+ fail_if(fo_add_server(service[1], "localhost", 30, NULL, false) != EOK);
+ fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, true) != EOK);
+ fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, true) != EEXIST);
+ fail_if(fo_add_server(service[1], "127.0.0.1", 389, NULL, false) != EEXIST);
+
+ fail_if(fo_add_server(service[2], NULL, 123, NULL, true) != EOK);
+
+ /* Make requests. */
+ get_request(ctx, service[0], EOK, 20, PORT_WORKING, -1);
+ get_request(ctx, service[0], EOK, 20, PORT_WORKING, SERVER_WORKING);
+ get_request(ctx, service[0], EOK, 20, -1, SERVER_NOT_WORKING);
+ get_request(ctx, service[0], EOK, 80, PORT_WORKING, -1);
+ get_request(ctx, service[0], EOK, 80, PORT_NOT_WORKING, -1);
+ get_request(ctx, service[0], ENOENT, 0, -1, -1);
+
+ get_request(ctx, service[1], EOK, 389, PORT_WORKING, -1);
+ get_request(ctx, service[1], EOK, 389, -1, SERVER_NOT_WORKING);
+ get_request(ctx, service[1], ENOENT, 0, -1, -1);
+
+ get_request(ctx, service[2], EOK, 123, -1, -1);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+Suite *
+create_suite(void)
+{
+ Suite *s = suite_create("fail_over");
+
+ TCase *tc = tcase_create("FAIL_OVER Tests");
+
+ tcase_add_checked_fixture(tc, ck_leak_check_setup, ck_leak_check_teardown);
+ /* Do some testing */
+ tcase_add_test(tc, test_fo_new_service);
+ tcase_add_test(tc, test_fo_resolve_service);
+ if (use_net_test) {
+ }
+ /* Add all test cases to the test suite */
+ suite_add_tcase(s, tc);
+
+ return s;
+}
+
+int
+main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ int failure_count;
+ Suite *suite;
+ SRunner *sr;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ { "debug-level", 'd', POPT_ARG_INT, &debug_level, 0, "Set debug level", NULL },
+ { "use-net-test", 'n', POPT_ARG_NONE, 0, 'n', "Run tests that need an active internet connection", NULL },
+
POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ case 'n':
+ use_net_test = 1;
+ break;
+
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+
+ suite = create_suite();
+ sr = srunner_create(suite);
+ /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */
+ srunner_run_all(sr, CK_ENV);
+ failure_count = srunner_ntests_failed(sr);
+ srunner_free(sr);
+ return (failure_count == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
+}
diff --git a/src/tests/files-tests.c b/src/tests/files-tests.c
new file mode 100644
index 0000000..d0fcd6c
--- /dev/null
+++ b/src/tests/files-tests.c
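Review bot: In test_resolve_service_callback `recv_status` is declared `uint64_t` but is passed to a `%d` conversion in `fail_if(recv_status != task->recv, "%s: Expected return of %d, got %d", ...)`, an argument/format mismatch that is undefined behaviour in a variadic call. Since it is only compared with the `int` field `task->recv` and with `EOK`, declaring it `int recv_status;` is the smallest fix; otherwise print it with `PRIu64` from `<inttypes.h>`. In test_fo_new_service the two `sprintf(buf, "service_%d", i)` calls fit `char buf[16]` only because `i` stays below 10; `snprintf(buf, sizeof(buf), "service_%d", i)` keeps the write bounded if the loop limit changes.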
@@ -0,0 +1,475 @@ +/* + * Authors: + * Jakub Hrozek + * + * Copyright (C) 2008 Red Hat + * see file 'COPYING' for use and warranty information + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; version 3 or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "config.h" +#include "util/util.h" +#include "tests/common.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM + +static char tpl_dir[] = "file-tests-dir-XXXXXX"; +static char *dir_path; +static char *dst_path; +static uid_t uid; +static gid_t gid; +static TALLOC_CTX *test_ctx = NULL; + +static void setup_files_test(void) +{ + /* create a temporary directory that we fill with stuff later on */ + test_ctx = talloc_new(NULL); + mkdir(TESTS_PATH, 0700); + dir_path = mkdtemp(talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, tpl_dir)); + dst_path = mkdtemp(talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, tpl_dir)); + + uid = getuid(); + gid = getgid(); +} + +static void teardown_files_test(void) +{ + char *cmd = NULL; + int ret; + + /* OK this is crude but since the functions to remove tree are under test.. 
*/ + if (dir_path && test_ctx) { + cmd = talloc_asprintf(test_ctx, "/bin/rm -rf %s\n", dir_path); + ret = system(cmd); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Removing [%s] failed.\n", dir_path); + } + } + if (dst_path && test_ctx) { + cmd = talloc_asprintf(test_ctx, "/bin/rm -rf %s\n", dst_path); + ret = system(cmd); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Removing [%s] failed.\n", dst_path); + } + } + + rmdir(TESTS_PATH); + /* clean up */ + talloc_zfree(test_ctx); +} + +static int create_simple_file(const char *name, const char *content) +{ + int fd; + ssize_t size; + int ret; + + fd = open(name, O_WRONLY | O_CREAT | O_TRUNC, 0700); + fail_if(fd == -1, "Cannot create simple file\n"); + + size = write(fd, "abc", 3); + fail_if(size == -1, "Cannot write to file\n"); + + ret = fsync(fd); + fail_if(ret == -1, "Cannot sync file\n"); + + ret = close(fd); + fail_if(ret == -1, "Cannot close file\n"); + + return ret; +} + +START_TEST(test_remove_tree) +{ + int ret; + char origpath[PATH_MAX+1]; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + DEBUG(SSSDBG_FUNC_DATA, "About to delete %s\n", dir_path); + + /* create a file */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir1\n"); + + ret = create_simple_file("bar", "bar"); + fail_if(ret == -1, "Cannot create file1\n"); + + /* create a subdir and file inside it */ + ret = mkdir("subdir", 0700); + fail_if(ret == -1, "Cannot create subdir\n"); + + ret = chdir("subdir"); + fail_if(ret == -1, "Cannot chdir\n"); + + ret = create_simple_file("foo", "foo"); + fail_if(ret == -1, "Cannot create file\n"); + + /* create another subdir, empty this time */ + ret = mkdir("subdir2", 0700); + fail_if(ret == -1, "Cannot create subdir\n"); + + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir2\n"); + + /* go back */ + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir\n"); + + /* and finally wipe it out.. 
*/ + ret = sss_remove_tree(dir_path); + fail_unless(ret == EOK, "remove_tree failed\n"); + + /* check if really gone */ + ret = access(dir_path, F_OK); + fail_unless(ret == -1, "directory still there after remove_tree\n"); +} +END_TEST + +START_TEST(test_remove_subtree) +{ + int ret; + char origpath[PATH_MAX+1]; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + DEBUG(SSSDBG_FUNC_DATA, "About to delete %s\n", dir_path); + + /* create a file */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir1\n"); + + ret = create_simple_file("bar", "bar"); + fail_if(ret == -1, "Cannot create file1\n"); + + /* create a subdir and file inside it */ + ret = mkdir("subdir", 0700); + fail_if(ret == -1, "Cannot create subdir\n"); + + ret = chdir("subdir"); + fail_if(ret == -1, "Cannot chdir\n"); + + ret = create_simple_file("foo", "foo"); + fail_if(ret == -1, "Cannot create file\n"); + + /* create another subdir, empty this time */ + ret = mkdir("subdir2", 0700); + fail_if(ret == -1, "Cannot create subdir\n"); + + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir2\n"); + + /* go back */ + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir\n"); + + /* and finally wipe it out.. 
*/ + ret = sss_remove_subtree(dir_path); + fail_unless(ret == EOK, "remove_subtree failed\n"); + + /* check if really gone */ + ret = access(dir_path, F_OK); + fail_unless(ret == 0, "directory was deleted\n"); + + ret = rmdir(dir_path); + fail_unless(ret == 0, "unable to delete root directory\n"); +} +END_TEST + +START_TEST(test_simple_copy) +{ + int ret; + char origpath[PATH_MAX+1]; + char *tmp; + int fd = -1; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + /* create a file */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir1\n"); + + ret = create_simple_file("bar", "bar"); + fail_if(ret == -1, "Cannot create file1\n"); + + /* create a subdir and file inside it */ + ret = mkdir("subdir", 0700); + fail_if(ret == -1, "Cannot create subdir\n"); + + ret = chdir("subdir"); + fail_if(ret == -1, "Cannot chdir\n"); + + ret = create_simple_file("foo", "foo"); + fail_if(ret == -1, "Cannot create file\n"); + + /* go back */ + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir\n"); + + /* and finally copy.. 
*/ + DEBUG(SSSDBG_FUNC_DATA, + "Will copy from '%s' to '%s'\n", dir_path, dst_path); + ret = sss_copy_tree(dir_path, dst_path, 0700, uid, gid); + fail_unless(ret == EOK, "copy_tree failed\n"); + + /* check if really copied */ + ret = access(dst_path, F_OK); + fail_unless(ret == 0, "destination directory not there\n"); + + tmp = talloc_asprintf(test_ctx, "%s/bar", dst_path); + ret = check_and_open_readonly(tmp, &fd, uid, gid, S_IFREG|S_IRWXU, 0); + fail_unless(ret == EOK, "Cannot open %s\n", tmp); + close(fd); + talloc_free(tmp); +} +END_TEST + +START_TEST(test_copy_file) +{ + TALLOC_CTX *tmp_ctx = talloc_new(test_ctx); + int ret; + char origpath[PATH_MAX+1]; + char *foo_path; + char *bar_path; + int fd = -1; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + /* create a file */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir1\n"); + + ret = create_simple_file("foo", "foo"); + fail_if(ret == -1, "Cannot create foo\n"); + foo_path = talloc_asprintf(tmp_ctx, "%s/foo", dir_path); + bar_path = talloc_asprintf(tmp_ctx, "%s/bar", dst_path); + + /* create a file */ + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir1\n"); + + /* Copy this file to a new file */ + DEBUG(SSSDBG_FUNC_DATA, + "Will copy from 'foo' to 'bar'\n"); + ret = sss_copy_file_secure(foo_path, bar_path, 0700, uid, gid, 0); + fail_unless(ret == EOK, "copy_file_secure failed\n"); + + /* check if really copied */ + ret = access(bar_path, F_OK); + fail_unless(ret == 0, "destination file 'bar' not there\n"); + + ret = check_and_open_readonly(bar_path, &fd, uid, gid, S_IFREG|S_IRWXU, 0); + fail_unless(ret == EOK, "Cannot open %s\n", bar_path); + close(fd); + talloc_free(tmp_ctx); +} +END_TEST + +START_TEST(test_copy_symlink) +{ + int ret; + char origpath[PATH_MAX+1]; + char *tmp; + struct stat statbuf; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + 
fail_unless(errno == 0, "Cannot getcwd\n"); + + /* create a subdir */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir\n"); + + ret = create_simple_file("footarget", "foo"); + fail_if(ret == -1, "Cannot create file\n"); + + ret = symlink("footarget", "foolink"); + fail_if(ret == -1, "Cannot create symlink\n"); + + /* go back */ + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir\n"); + + /* and finally copy.. */ + DEBUG(SSSDBG_FUNC_DATA, + "Will copy from '%s' to '%s'\n", dir_path, dst_path); + ret = sss_copy_tree(dir_path, dst_path, 0700, uid, gid); + fail_unless(ret == EOK, "copy_tree failed\n"); + + /* check if really copied */ + ret = access(dst_path, F_OK); + fail_unless(ret == 0, "destination directory not there\n"); + + tmp = talloc_asprintf(test_ctx, "%s/foolink", dst_path); + ret = lstat(tmp, &statbuf); + fail_unless(ret == 0, "cannot stat the symlink %s\n", tmp); + fail_unless(S_ISLNK(statbuf.st_mode), "%s not a symlink?\n", tmp); + talloc_free(tmp); +} +END_TEST + +START_TEST(test_copy_node) +{ + int ret; + char origpath[PATH_MAX+1]; + char *tmp; + + errno = 0; + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + /* create a node */ + ret = chdir(dir_path); + fail_if(ret == -1, "Cannot chdir\n"); + + ret = mknod("testnode", S_IFIFO | S_IWUSR | S_IRUSR | S_IRGRP | S_IROTH, 0); + fail_unless(ret == 0, "cannot stat /dev/null: %s", strerror(errno)); + + /* go back */ + ret = chdir(origpath); + fail_if(ret == -1, "Cannot chdir\n"); + + /* and finally copy.. 
*/ + DEBUG(SSSDBG_FUNC_DATA, + "Will copy from '%s' to '%s'\n", dir_path, dst_path); + ret = sss_copy_tree(dir_path, dst_path, 0700, uid, gid); + fail_unless(ret == EOK, "copy_tree failed\n"); + + /* check if really copied and without special files */ + ret = access(dst_path, F_OK); + fail_unless(ret == 0, "destination directory not there\n"); + + tmp = talloc_asprintf(test_ctx, "%s/testnode", dst_path); + ret = access(tmp, F_OK); + fail_unless(ret == -1, "special file %s exists, it shouldn't\n", tmp); + talloc_free(tmp); +} +END_TEST + +START_TEST(test_create_dir) +{ + int ret; + char origpath[PATH_MAX+1]; + char *new_dir; + struct stat info; + + errno = 0; + + fail_unless(getcwd(origpath, PATH_MAX) == origpath, "Cannot getcwd\n"); + fail_unless(errno == 0, "Cannot getcwd\n"); + + /* create a dir */ + ret = sss_create_dir(dir_path, "testdir", S_IRUSR | S_IXUSR, uid, gid); + fail_unless(ret == EOK, "cannot create dir: %s", strerror(ret)); + + new_dir = talloc_asprintf(NULL, "%s/testdir", dir_path); + ret = stat(new_dir, &info); + fail_unless(ret == EOK, "failed to stat '%s'\n", new_dir); + + /* check the dir has been created */ + fail_unless(S_ISDIR(info.st_mode) != 0, "'%s' is not a dir.\n", new_dir); + + /* check the permissions are okay */ + fail_unless((info.st_mode & S_IRUSR) != 0, "Read permission is not set\n"); + fail_unless((info.st_mode & S_IWUSR) == 0, "Write permission is set\n"); + fail_unless((info.st_mode & S_IXUSR) != 0, "Exec permission is not set\n"); + + /* check the owner is okay */ + fail_unless(info.st_uid == uid, "Dir created with the wrong uid\n"); + fail_unless(info.st_gid == gid, "Dir created with the wrong gid\n"); + + talloc_free(new_dir); +} +END_TEST + +static Suite *files_suite(void) +{ + Suite *s = suite_create("files_suite"); + + TCase *tc_files = tcase_create("files"); + tcase_add_checked_fixture(tc_files, + setup_files_test, + teardown_files_test); + + tcase_add_test(tc_files, test_remove_tree); + tcase_add_test(tc_files, 
test_remove_subtree); + tcase_add_test(tc_files, test_simple_copy); + tcase_add_test(tc_files, test_copy_file); + tcase_add_test(tc_files, test_copy_symlink); + tcase_add_test(tc_files, test_copy_node); + tcase_add_test(tc_files, test_create_dir); + suite_add_tcase(s, tc_files); + + return s; +} + +int main(int argc, const char *argv[]) +{ + int number_failed; + int opt; + poptContext pc; + int debug = 0; + + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug-level", 'd', POPT_ARG_INT, &debug, 0, "Set debug level", NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, (const char **) argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug); + + tests_set_cwd(); + + Suite *s = files_suite(); + SRunner *sr = srunner_create(s); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed(sr); + srunner_free(sr); + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} + diff --git a/src/tests/find_uid-tests.c b/src/tests/find_uid-tests.c new file mode 100644 index 0000000..a8f7405 --- /dev/null +++ b/src/tests/find_uid-tests.c 
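Review bot: setup_files_test() feeds the result of talloc_asprintf() straight into mkdtemp() and checks neither call nor the preceding mkdir(), so a failed setup shows up only later as an unrelated "Cannot chdir1", or as a crash inside mkdtemp() if the allocation failed. Because this is a checked fixture it can stop at the source with `fail_if(dir_path == NULL || dst_path == NULL, "mkdtemp failed\n");`. teardown_files_test() hands an unquoted `/bin/rm -rf %s\n` string to system() without checking `cmd` for NULL, and `ret == -1` reports only a failure to start the shell, not a non-zero exit from rm; `if (cmd == NULL || system(cmd) != 0)` covers both cases. Separately, create_simple_file() ignores its `content` argument and always writes the three bytes "abc", so the "foo"/"bar" arguments at the call sites have no effect.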
@@ -0,0 +1,129 @@
+/*
+ SSSD
+
+ find_uid - Utilities tests
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include
+
+#include "util/find_uid.h"
+#include "tests/common.h"
+
+
+START_TEST(test_check_if_uid_is_active_success)
+{
+ uid_t uid;
+ bool result;
+ int ret;
+
+ uid = getuid();
+
+ ret = check_if_uid_is_active(uid, &result);
+ fail_unless(ret == EOK, "check_if_uid_is_active failed.");
+ fail_unless(result, "check_if_uid_is_active did not found my uid [%d]",
+ uid);
+}
+END_TEST
+
+START_TEST(test_check_if_uid_is_active_fail)
+{
+ uid_t uid;
+ bool result;
+ int ret;
+
+ uid = (uid_t) -4;
+
+ ret = check_if_uid_is_active(uid, &result);
+ fail_unless(ret == EOK, "check_if_uid_is_active failed.");
+ fail_unless(!result, "check_if_uid_is_active found (hopefully not active) "
+ "uid [%d]", uid);
+}
+END_TEST
+
+START_TEST(test_get_uid_table)
+{
+ uid_t uid;
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ hash_table_t *table;
+ hash_key_t key;
+ hash_value_t value;
+
+ tmp_ctx = talloc_new(NULL);
+ fail_unless(tmp_ctx != NULL, "talloc_new failed.");
+
+ ret = get_uid_table(tmp_ctx, &table);
+ fail_unless(ret == EOK, "get_uid_table failed.");
+
+ uid = getuid();
+ key.type = HASH_KEY_ULONG;
+ key.ul = (unsigned long) uid;
+
+ ret = hash_lookup(table, &key, &value);
+
+ fail_unless(ret == HASH_SUCCESS, "Cannot find my uid [%d] in the table", uid);
+
+ uid = (uid_t) -4;
+ key.type = HASH_KEY_ULONG;
+ key.ul = (unsigned long) uid;
+
+ ret = hash_lookup(table, &key, &value);
+
+ fail_unless(ret == HASH_ERROR_KEY_NOT_FOUND, "Found (hopefully not active) "
+ "uid [%d] in the table", uid);
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+Suite *find_uid_suite (void)
+{
+ Suite *s = suite_create ("find_uid");
+
+ TCase *tc_find_uid = tcase_create ("find_uid");
+
+ tcase_add_test (tc_find_uid, test_check_if_uid_is_active_success);
+ tcase_add_test (tc_find_uid, test_check_if_uid_is_active_fail);
+ tcase_add_test (tc_find_uid, test_get_uid_table);
+ suite_add_tcase (s, tc_find_uid);
+
+ return s;
+}
+
+int main(void)
+{
+ debug_level = SSSDBG_MASK_ALL;
+ int number_failed;
+
+ tests_set_cwd();
+
+ Suite *s = find_uid_suite ();
+ SRunner *sr = srunner_create (s);
+ /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */
+ srunner_run_all(sr, CK_ENV);
+ number_failed = srunner_ntests_failed (sr);
+ srunner_free (sr);
+ return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/src/tests/intg/Makefile.am b/src/tests/intg/Makefile.am
new file mode 100644
index 0000000..65da9ca
--- /dev/null
+++ b/src/tests/intg/Makefile.am
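Review bot: The failure messages in all three tests print `uid` with `%d`, but `uid_t` is normally an unsigned type and `(uid_t) -4` does not fit in an int, so the conversion does not match the argument. Casting at the call site, `"uid [%llu]", (unsigned long long) uid`, prints the real value and keeps `-Wformat` quiet. The two negative cases also depend on `(uid_t) -4` owning no process on the build host, which the messages only describe as "hopefully not active". A one-line comment such as `/* (uid_t) -4: assumed unused; -1 and -2 are commonly reserved */` would help whoever sees this fail inside a container or user namespace.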
@@ -0,0 +1,144 @@
+dist_noinst_DATA = \
+ __init__.py \
+ config.py.m4 \
+ util.py \
+ sssd_nss.py \
+ sssd_id.py \
+ sssd_ldb.py \
+ sssd_netgroup.py \
+ sssd_passwd.py \
+ sssd_group.py \
+ ds.py \
+ ds_openldap.py \
+ ent.py \
+ ent_test.py \
+ ldap_ent.py \
+ ldap_local_override_test.py \
+ test_local_domain.py \
+ util.py \
+ test_enumeration.py \
+ test_ldap.py \
+ test_memory_cache.py \
+ test_session_recording.py \
+ test_ts_cache.py \
+ test_netgroup.py \
+ secrets.py \
+ test_secrets.py \
+ test_sssctl.py \
+ files_ops.py \
+ test_files_ops.py \
+ test_files_provider.py \
+ kdc.py \
+ krb5utils.py \
+ test_kcm.py \
+ test_pac_responder.py \
+ data/ad_data.ldif \
+ data/ad_schema.ldif \
+ data/sudo_schema.ldif \
+ test_pysss_nss_idmap.py \
+ test_infopipe.py \
+ test_ssh_pubkey.py \
+ test_pam_responder.py \
+ test_sudo.py \
+ $(NULL)
+
+EXTRA_DIST = data/cwrap-dbus-system.conf.in
+
+dbussysconfdir = $(sysconfdir)/dbus-1
+dbusservicedir = $(datadir)/dbus-1/system-services
+
+if INTG_BUILD
+lib_LTLIBRARIES = getsockopt_wrapper.la
+
+getsockopt_wrapper_la_SOURCES = \
+ getsockopt_wrapper.c
+getsockopt_wrapper_la_CFLAGS = \
+ $(AM_CFLAGS)
+getsockopt_wrapper_la_LIBADD = \
+ $(LIBADD_DL) \
+ $(NULL)
+getsockopt_wrapper_la_LDFLAGS = \
+ -avoid-version \
+ -module
+
+dist_dbussysconf_DATA = cwrap-dbus-system.conf
+
+install-data-hook:
+ $(MKDIR_P) $(DESTDIR)$(runstatedir)/dbus
+ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/session.d
+
+endif
+
+cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile
+ $(SED) -e "s!@runstatedir[@]!$(runstatedir)!" \
+ -e "s!@dbusservicedir[@]!$(dbusservicedir)!" \
+ $< > $@
+
+config.py: config.py.m4
+ m4 -D "prefix=\`$(prefix)'" \
+ -D "sysconfdir=\`$(sysconfdir)'" \
+ -D "nsslibdir=\`$(nsslibdir)'" \
+ -D "dbpath=\`$(dbpath)'" \
+ -D "pubconfpath=\`$(pubconfpath)'" \
+ -D "pidpath=\`$(pidpath)'" \
+ -D "logpath=\`$(logpath)'" \
+ -D "mcpath=\`$(mcpath)'" \
+ -D "secdbpath=\`$(secdbpath)'" \
+ -D "libexecpath=\`$(libexecdir)'" \
+ -D "runstatedir=\`$(runstatedir)'" \
+ -D "abs_builddir=\`$(abs_builddir)'" \
+ -D "session_recording_shell=\`$(session_recording_shell)'" \
+ -D "py2execdir=\`$(py2execdir)'" \
+ -D "py3execdir=\`$(py3execdir)'" \
+ -D "python2dir=\`$(python2dir)'" \
+ -D "python3dir=\`$(python3dir)'" \
+ $< > $@
+
+root:
+ : "Create directory for emulated root's D-Bus cookies."
+ : "See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms"
+ $(MKDIR_P) -m 0700 root/.dbus-keyrings
+
+passwd: root
+ echo "root:x:0:0:root:$(abs_builddir)/root:/bin/bash" > $@
+
+group:
+ echo "root:x:0:" > $@
+
+CLEANFILES=config.py config.pyc passwd group
+
+clean-local:
+ rm -Rf root
+ rm -f $(builddir)/cwrap-dbus-system.conf
+
+intgcheck-installed: config.py passwd group
+ pipepath="$(DESTDIR)$(pipepath)"; \
+ if test $${#pipepath} -gt 80; then \
+ echo "error: Pipe directory path too long," \
+ "D-Bus won't be able to open sockets" >&2; \
+ exit 1; \
+ fi
+ set -e; \
+ cd "$(abs_srcdir)"; \
+ nss_wrapper=$$(pkg-config --libs nss_wrapper); \
+ uid_wrapper=$$(pkg-config --libs uid_wrapper); \
+ unset HOME; \
+ PATH="$$(dirname -- $(SLAPD)):$$PATH" \
+ PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \
+ PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \
+ PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \
+ LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \
+ NON_WRAPPED_UID=$$(id -u) \
+ LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \
+ NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \
+ NSS_WRAPPER_GROUP="$(abs_builddir)/group" \
+ NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \
+ NSS_WRAPPER_MODULE_FN_PREFIX="sss" \
+ UID_WRAPPER=1 \
+ UID_WRAPPER_ROOT=1 \
+ DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \
+ DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \
+ DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \
+ DBUS_SYSTEM_BUS_DEFAULT_ADDRESS="$$DBUS_SYSTEM_BUS_ADDRESS" \
+ fakeroot $(PYTHON2) $(PYTEST) -v --tb=native $(INTGCHECK_PYTEST_ARGS) .
+ rm -f $(DESTDIR)$(logpath)/*
diff --git a/src/tests/intg/Makefile.in b/src/tests/intg/Makefile.in
new file mode 100644
index 0000000..cc4b264
--- /dev/null
+++ b/src/tests/intg/Makefile.in
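Review bot: In intgcheck-installed the `LD_PRELOAD` entry loads `$(libdir)/getsockopt_wrapper.so` without the `$(DESTDIR)` prefix that the other installed paths in the rule carry (`sbindir`, `bindir`, `ldblibdir`, `nsslibdir`, `runstatedir`). With a staged install the run would therefore preload whatever wrapper happens to sit in the real libdir, or none at all. `LD_PRELOAD="$(DESTDIR)$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \` keeps the rule consistent. The closing `rm -f $(DESTDIR)$(logpath)/*` would expand to `rm -f /*` if both variables were empty; `logpath` is set outside this file, so wrapping it in `if test -n "$(logpath)"; then ...; fi` is cheap insurance. `util.py` is also listed twice in `dist_noinst_DATA`.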
@@ -0,0 +1,1087 @@ +# Makefile.in generated by automake 1.15.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2017 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/tests/intg +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/version.m4 $(top_srcdir)/src/build_macros.m4 \ + $(top_srcdir)/src/external/platform.m4 \ + $(top_srcdir)/src/conf_macros.m4 \ + $(top_srcdir)/src/external/pkg.m4 \ + $(top_srcdir)/src/external/libpopt.m4 \ + $(top_srcdir)/src/external/libtalloc.m4 \ + $(top_srcdir)/src/external/libtdb.m4 \ + $(top_srcdir)/src/external/libtevent.m4 \ + $(top_srcdir)/src/external/libldb.m4 \ + $(top_srcdir)/src/external/libdhash.m4 \ + $(top_srcdir)/src/external/libcollection.m4 \ + $(top_srcdir)/src/external/libini_config.m4 \ + $(top_srcdir)/src/external/pam.m4 \ + $(top_srcdir)/src/external/ldap.m4 \ + $(top_srcdir)/src/external/libpcre.m4 \ + $(top_srcdir)/src/external/krb5.m4 \ + $(top_srcdir)/src/external/libcares.m4 \ + $(top_srcdir)/src/external/libcmocka.m4 \ + 
$(top_srcdir)/src/external/docbook.m4 \ + $(top_srcdir)/src/external/sizes.m4 \ + $(top_srcdir)/src/external/python.m4 \ + $(top_srcdir)/src/external/selinux.m4 \ + $(top_srcdir)/src/external/crypto.m4 \ + $(top_srcdir)/src/external/nscd.m4 \ + $(top_srcdir)/src/external/nsupdate.m4 \ + $(top_srcdir)/src/external/libkeyutils.m4 \ + $(top_srcdir)/src/external/libnl.m4 \ + $(top_srcdir)/src/external/systemd.m4 \ + $(top_srcdir)/src/external/pac_responder.m4 \ + $(top_srcdir)/src/external/cifsidmap.m4 \ + $(top_srcdir)/src/external/signal.m4 \ + $(top_srcdir)/src/external/inotify.m4 \ + $(top_srcdir)/src/external/samba.m4 \ + $(top_srcdir)/src/external/sasl.m4 \ + $(top_srcdir)/src/external/libnfsidmap.m4 \ + $(top_srcdir)/src/external/cwrap.m4 \ + $(top_srcdir)/src/external/libresolv.m4 \ + $(top_srcdir)/src/external/intgcheck.m4 \ + $(top_srcdir)/src/external/systemtap.m4 \ + $(top_srcdir)/src/external/service.m4 \ + $(top_srcdir)/src/external/test_ca.m4 \ + $(top_srcdir)/src/external/libhttp_parser.m4 \ + $(top_srcdir)/src/external/libuuid.m4 \ + $(top_srcdir)/src/external/libcurl.m4 \ + $(top_srcdir)/src/external/libjansson.m4 \ + $(top_srcdir)/src/external/libunistring.m4 \ + $(top_srcdir)/src/external/glib.m4 \ + $(top_srcdir)/src/external/p11-kit.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__dist_dbussysconf_DATA_DIST) \ + $(dist_noinst_DATA) $(am__DIST_COMMON) +mkinstalldirs = $(SHELL) $(top_srcdir)/build/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 
's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(dbussysconfdir)" +LTLIBRARIES = $(lib_LTLIBRARIES) +am__DEPENDENCIES_1 = +@INTG_BUILD_TRUE@getsockopt_wrapper_la_DEPENDENCIES = \ +@INTG_BUILD_TRUE@ $(am__DEPENDENCIES_1) +am__getsockopt_wrapper_la_SOURCES_DIST = getsockopt_wrapper.c +@INTG_BUILD_TRUE@am_getsockopt_wrapper_la_OBJECTS = \ +@INTG_BUILD_TRUE@ getsockopt_wrapper_la-getsockopt_wrapper.lo +getsockopt_wrapper_la_OBJECTS = $(am_getsockopt_wrapper_la_OBJECTS) +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +getsockopt_wrapper_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(getsockopt_wrapper_la_CFLAGS) $(CFLAGS) \ + $(getsockopt_wrapper_la_LDFLAGS) $(LDFLAGS) -o $@ +@INTG_BUILD_TRUE@am_getsockopt_wrapper_la_rpath = -rpath $(libdir) +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = 
$(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(getsockopt_wrapper_la_SOURCES) +DIST_SOURCES = $(am__getsockopt_wrapper_la_SOURCES_DIST) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__dist_dbussysconf_DATA_DIST = cwrap-dbus-system.conf +DATA = $(dist_dbussysconf_DATA) $(dist_noinst_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. 
+am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/depcomp \ + $(top_srcdir)/build/mkinstalldirs +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CARES_CFLAGS = @CARES_CFLAGS@ +CARES_LIBS = @CARES_LIBS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CERTUTIL = @CERTUTIL@ +CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +CMOCKA_CFLAGS = @CMOCKA_CFLAGS@ +CMOCKA_LIBS = @CMOCKA_LIBS@ +COLLECTION_CFLAGS = @COLLECTION_CFLAGS@ +COLLECTION_LIBS = @COLLECTION_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CURL_CFLAGS = @CURL_CFLAGS@ +CURL_LIBS = @CURL_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DBUS_CFLAGS = @DBUS_CFLAGS@ +DBUS_LIBS = @DBUS_LIBS@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DHASH_CFLAGS = @DHASH_CFLAGS@ +DHASH_LIBS = @DHASH_LIBS@ +DLLTOOL = @DLLTOOL@ +DOCBOOK_XSLT = @DOCBOOK_XSLT@ +DOXYGEN = @DOXYGEN@ +DSYMUTIL = @DSYMUTIL@ +DTRACE = @DTRACE@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GDM_PAM_EXTENSIONS_CFLAGS = @GDM_PAM_EXTENSIONS_CFLAGS@ +GDM_PAM_EXTENSIONS_LIBS = @GDM_PAM_EXTENSIONS_LIBS@ +GLIB2_CFLAGS = @GLIB2_CFLAGS@ +GLIB2_LIBS = @GLIB2_LIBS@ +GMSGFMT = @GMSGFMT@ +GPO_DEFAULT = @GPO_DEFAULT@ +GREP = @GREP@ +HAVE_FAKEROOT = @HAVE_FAKEROOT@ +HAVE_LDAPMODIFY = @HAVE_LDAPMODIFY@ +HAVE_MANPAGES = @HAVE_MANPAGES@ +HAVE_NSS_WRAPPER = @HAVE_NSS_WRAPPER@ +HAVE_PYTHON2 = @HAVE_PYTHON2@ +HAVE_PYTHON2_BINDINGS = @HAVE_PYTHON2_BINDINGS@ +HAVE_PYTHON3 = @HAVE_PYTHON3@ +HAVE_PYTHON3_BINDINGS = 
@HAVE_PYTHON3_BINDINGS@ +HAVE_SELINUX = @HAVE_SELINUX@ +HAVE_SEMANAGE = @HAVE_SEMANAGE@ +HAVE_UID_WRAPPER = @HAVE_UID_WRAPPER@ +HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@ +HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@ +INI_CONFIG_CFLAGS = @INI_CONFIG_CFLAGS@ +INI_CONFIG_LIBS = @INI_CONFIG_LIBS@ +INI_CONFIG_V0_CFLAGS = @INI_CONFIG_V0_CFLAGS@ +INI_CONFIG_V0_LIBS = @INI_CONFIG_V0_LIBS@ +INI_CONFIG_V1_1_CFLAGS = @INI_CONFIG_V1_1_CFLAGS@ +INI_CONFIG_V1_1_LIBS = @INI_CONFIG_V1_1_LIBS@ +INI_CONFIG_V1_3_CFLAGS = @INI_CONFIG_V1_3_CFLAGS@ +INI_CONFIG_V1_3_LIBS = @INI_CONFIG_V1_3_LIBS@ +INI_CONFIG_V1_CFLAGS = @INI_CONFIG_V1_CFLAGS@ +INI_CONFIG_V1_LIBS = @INI_CONFIG_V1_LIBS@ +INOTIFY_LIBS = @INOTIFY_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +JANSSON_CFLAGS = @JANSSON_CFLAGS@ +JANSSON_LIBS = @JANSSON_LIBS@ +JOURNALD_CFLAGS = @JOURNALD_CFLAGS@ +JOURNALD_LIBS = @JOURNALD_LIBS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_CONFIG = @KRB5_CONFIG@ +KRB5_LIBS = @KRB5_LIBS@ +LD = @LD@ +LDB_CFLAGS = @LDB_CFLAGS@ +LDB_LIBS = @LDB_LIBS@ +LDFLAGS = @LDFLAGS@ +LIBADD_DL = @LIBADD_DL@ +LIBADD_DLD_LINK = @LIBADD_DLD_LINK@ +LIBADD_DLOPEN = @LIBADD_DLOPEN@ +LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@ +LIBADD_TIMER = @LIBADD_TIMER@ +LIBCLOCK_GETTIME = @LIBCLOCK_GETTIME@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNL1_CFLAGS = @LIBNL1_CFLAGS@ +LIBNL1_LIBS = @LIBNL1_LIBS@ +LIBNL3_CFLAGS = @LIBNL3_CFLAGS@ +LIBNL3_LIBS = @LIBNL3_LIBS@ +LIBNL_CFLAGS = @LIBNL_CFLAGS@ +LIBNL_LIBS = @LIBNL_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_DLLOADERS = @LT_DLLOADERS@ +LT_DLPREOPEN = @LT_DLPREOPEN@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL 
= @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGMERGE = @MSGMERGE@ +NDR_KRB5PAC_CFLAGS = @NDR_KRB5PAC_CFLAGS@ +NDR_KRB5PAC_LIBS = @NDR_KRB5PAC_LIBS@ +NDR_NBT_CFLAGS = @NDR_NBT_CFLAGS@ +NDR_NBT_LIBS = @NDR_NBT_LIBS@ +NFSIDMAP_CFLAGS = @NFSIDMAP_CFLAGS@ +NFSIDMAP_LIBS = @NFSIDMAP_LIBS@ +NFSIDMAP_OBJ = @NFSIDMAP_OBJ@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSCD = @NSCD@ +NSCD_PATH = @NSCD_PATH@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +NSUPDATE = @NSUPDATE@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENLDAP_CFLAGS = @OPENLDAP_CFLAGS@ +OPENLDAP_LIBS = @OPENLDAP_LIBS@ +OPENSSL = @OPENSSL@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +P11TOOL = @P11TOOL@ +P11_KIT_CFLAGS = @P11_KIT_CFLAGS@ +P11_KIT_LIBS = @P11_KIT_LIBS@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_LIBS = @PAM_LIBS@ +PAM_MISC_LIBS = @PAM_MISC_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PCRE_CFLAGS = @PCRE_CFLAGS@ +PCRE_LIBS = @PCRE_LIBS@ +PK12UTIL = @PK12UTIL@ +PKG_CONFIG = @PKG_CONFIG@ +PO4A = @PO4A@ +POPT_CFLAGS = @POPT_CFLAGS@ +POPT_LIBS = @POPT_LIBS@ +POSUB = @POSUB@ +PRERELEASE_VERSION = @PRERELEASE_VERSION@ +PYTEST = @PYTEST@ +PYTHON = @PYTHON@ +PYTHON2 = @PYTHON2@ +PYTHON2_CFLAGS = @PYTHON2_CFLAGS@ +PYTHON2_EXEC_PREFIX = @PYTHON2_EXEC_PREFIX@ +PYTHON2_INCLUDES = @PYTHON2_INCLUDES@ +PYTHON2_LIBS = @PYTHON2_LIBS@ +PYTHON2_PREFIX = @PYTHON2_PREFIX@ +PYTHON2_VERSION = @PYTHON2_VERSION@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON3_VERSION = @PYTHON3_VERSION@ +PYTHON_CONFIG = @PYTHON_CONFIG@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ 
+PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +RESOLV_CFLAGS = @RESOLV_CFLAGS@ +RESOLV_LIBS = @RESOLV_LIBS@ +SASL_CFLAGS = @SASL_CFLAGS@ +SASL_LIBS = @SASL_LIBS@ +SED = @SED@ +SELINUX_LIBS = @SELINUX_LIBS@ +SEMANAGE_LIBS = @SEMANAGE_LIBS@ +SERVICE = @SERVICE@ +SET_MAKE = @SET_MAKE@ +SGML_CATALOG_FILES = @SGML_CATALOG_FILES@ +SHELL = @SHELL@ +SLAPD = @SLAPD@ +SMBCLIENT_CFLAGS = @SMBCLIENT_CFLAGS@ +SMBCLIENT_LIBS = @SMBCLIENT_LIBS@ +SOFTHSM2_PATH = @SOFTHSM2_PATH@ +SOFTHSM2_UTIL = @SOFTHSM2_UTIL@ +SSH_KEYGEN = @SSH_KEYGEN@ +SSL_CFLAGS = @SSL_CFLAGS@ +SSL_LIBS = @SSL_LIBS@ +SSSD_USER = @SSSD_USER@ +STRIP = @STRIP@ +SYSTEMD_DAEMON_CFLAGS = @SYSTEMD_DAEMON_CFLAGS@ +SYSTEMD_DAEMON_LIBS = @SYSTEMD_DAEMON_LIBS@ +SYSTEMD_LOGIN_CFLAGS = @SYSTEMD_LOGIN_CFLAGS@ +SYSTEMD_LOGIN_LIBS = @SYSTEMD_LOGIN_LIBS@ +TALLOC_CFLAGS = @TALLOC_CFLAGS@ +TALLOC_LIBS = @TALLOC_LIBS@ +TDB_CFLAGS = @TDB_CFLAGS@ +TDB_LIBS = @TDB_LIBS@ +TEST_DIR = @TEST_DIR@ +TEVENT_CFLAGS = @TEVENT_CFLAGS@ +TEVENT_LIBS = @TEVENT_LIBS@ +UNICODE_LIBS = @UNICODE_LIBS@ +USE_NLS = @USE_NLS@ +UUID_CFLAGS = @UUID_CFLAGS@ +UUID_LIBS = @UUID_LIBS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XMLLINT = @XMLLINT@ +XSLTPROC = @XSLTPROC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +appmodpath = @appmodpath@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cifspluginpath = @cifspluginpath@ +config_def_ccache_dir = @config_def_ccache_dir@ +config_def_ccname_template = @config_def_ccname_template@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbpath = @dbpath@ +docdir = @docdir@ +dvidir = @dvidir@ 
+environment_file = @environment_file@ +exec_prefix = @exec_prefix@ +gpocachepath = @gpocachepath@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +initdir = @initdir@ +install_sh = @install_sh@ +krb5authdatapluginpath = @krb5authdatapluginpath@ +krb5pluginpath = @krb5pluginpath@ +krb5rcachedir = @krb5rcachedir@ +ldblibdir = @ldblibdir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libwbclient_version = @libwbclient_version@ +libwbclient_version_info = @libwbclient_version_info@ +localedir = @localedir@ +localstatedir = @localstatedir@ +logpath = @logpath@ +mandir = @mandir@ +mcpath = @mcpath@ +mkdir_p = @mkdir_p@ +nfsidmaplibdir = @nfsidmaplibdir@ +nfslibpath = @nfslibpath@ +nsslibdir = @nsslibdir@ +oldincludedir = @oldincludedir@ +pammoddir = @pammoddir@ +pdfdir = @pdfdir@ +pidpath = @pidpath@ +pipepath = @pipepath@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pluginpath = @pluginpath@ +polkitdir = @polkitdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pubconfpath = @pubconfpath@ +py2execdir = @py2execdir@ +py3execdir = @py3execdir@ +pyexecdir = @pyexecdir@ +python2dir = @python2dir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +secdbpath = @secdbpath@ +session_recording_shell = @session_recording_shell@ +sharedbuilddir = @sharedbuilddir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sudolibpath = @sudolibpath@ +sysconfdir = @sysconfdir@ +systemdconfdir = @systemdconfdir@ +systemdunitdir = @systemdunitdir@ +tapset_dir = @tapset_dir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +winbindpluginpath = @winbindpluginpath@ +dist_noinst_DATA = \ + __init__.py \ + config.py.m4 \ + util.py \ + sssd_nss.py \ + sssd_id.py \ + 
sssd_ldb.py \ + sssd_netgroup.py \ + sssd_passwd.py \ + sssd_group.py \ + ds.py \ + ds_openldap.py \ + ent.py \ + ent_test.py \ + ldap_ent.py \ + ldap_local_override_test.py \ + test_local_domain.py \ + util.py \ + test_enumeration.py \ + test_ldap.py \ + test_memory_cache.py \ + test_session_recording.py \ + test_ts_cache.py \ + test_netgroup.py \ + secrets.py \ + test_secrets.py \ + test_sssctl.py \ + files_ops.py \ + test_files_ops.py \ + test_files_provider.py \ + kdc.py \ + krb5utils.py \ + test_kcm.py \ + test_pac_responder.py \ + data/ad_data.ldif \ + data/ad_schema.ldif \ + data/sudo_schema.ldif \ + test_pysss_nss_idmap.py \ + test_infopipe.py \ + test_ssh_pubkey.py \ + test_pam_responder.py \ + test_sudo.py \ + $(NULL) + +EXTRA_DIST = data/cwrap-dbus-system.conf.in +dbussysconfdir = $(sysconfdir)/dbus-1 +dbusservicedir = $(datadir)/dbus-1/system-services +@INTG_BUILD_TRUE@lib_LTLIBRARIES = getsockopt_wrapper.la +@INTG_BUILD_TRUE@getsockopt_wrapper_la_SOURCES = \ +@INTG_BUILD_TRUE@ getsockopt_wrapper.c + +@INTG_BUILD_TRUE@getsockopt_wrapper_la_CFLAGS = \ +@INTG_BUILD_TRUE@ $(AM_CFLAGS) + +@INTG_BUILD_TRUE@getsockopt_wrapper_la_LIBADD = \ +@INTG_BUILD_TRUE@ $(LIBADD_DL) \ +@INTG_BUILD_TRUE@ $(NULL) + +@INTG_BUILD_TRUE@getsockopt_wrapper_la_LDFLAGS = \ +@INTG_BUILD_TRUE@ -avoid-version \ +@INTG_BUILD_TRUE@ -module + +@INTG_BUILD_TRUE@dist_dbussysconf_DATA = cwrap-dbus-system.conf +CLEANFILES = config.py config.pyc passwd group +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/tests/intg/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/tests/intg/Makefile +Makefile: $(srcdir)/Makefile.in 
$(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-libLTLIBRARIES: $(lib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ + } + +uninstall-libLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$f"; \ + done + +clean-libLTLIBRARIES: + -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) + @list='$(lib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f 
$${locs}; \ + rm -f $${locs}; \ + } + +getsockopt_wrapper.la: $(getsockopt_wrapper_la_OBJECTS) $(getsockopt_wrapper_la_DEPENDENCIES) $(EXTRA_getsockopt_wrapper_la_DEPENDENCIES) + $(AM_V_CCLD)$(getsockopt_wrapper_la_LINK) $(am_getsockopt_wrapper_la_rpath) $(getsockopt_wrapper_la_OBJECTS) $(getsockopt_wrapper_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getsockopt_wrapper_la-getsockopt_wrapper.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +getsockopt_wrapper_la-getsockopt_wrapper.lo: getsockopt_wrapper.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(getsockopt_wrapper_la_CFLAGS) $(CFLAGS) -MT getsockopt_wrapper_la-getsockopt_wrapper.lo -MD -MP -MF $(DEPDIR)/getsockopt_wrapper_la-getsockopt_wrapper.Tpo -c -o getsockopt_wrapper_la-getsockopt_wrapper.lo `test -f 'getsockopt_wrapper.c' || echo '$(srcdir)/'`getsockopt_wrapper.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/getsockopt_wrapper_la-getsockopt_wrapper.Tpo $(DEPDIR)/getsockopt_wrapper_la-getsockopt_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='getsockopt_wrapper.c' object='getsockopt_wrapper_la-getsockopt_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(getsockopt_wrapper_la_CFLAGS) $(CFLAGS) -c -o getsockopt_wrapper_la-getsockopt_wrapper.lo `test -f 'getsockopt_wrapper.c' || echo '$(srcdir)/'`getsockopt_wrapper.c + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dist_dbussysconfDATA: $(dist_dbussysconf_DATA) + @$(NORMAL_INSTALL) + @list='$(dist_dbussysconf_DATA)'; test -n "$(dbussysconfdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(dbussysconfdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(dbussysconfdir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dbussysconfdir)'"; \ + $(INSTALL_DATA) $$files 
"$(DESTDIR)$(dbussysconfdir)" || exit $$?; \ + done + +uninstall-dist_dbussysconfDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_dbussysconf_DATA)'; test -n "$(dbussysconfdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(dbussysconfdir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files 
in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(dbussysconfdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +@INTG_BUILD_FALSE@install-data-hook: +clean: clean-am + +clean-am: clean-generic clean-libLTLIBRARIES clean-libtool clean-local \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-dist_dbussysconfDATA + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-libLTLIBRARIES + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dist_dbussysconfDATA uninstall-libLTLIBRARIES + +.MAKE: install-am install-data-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libLTLIBRARIES clean-libtool clean-local cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-hook install-dist_dbussysconfDATA \ + install-dvi install-dvi-am install-exec install-exec-am \ + install-html install-html-am install-info 
install-info-am \ + install-libLTLIBRARIES install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am \ + uninstall-dist_dbussysconfDATA uninstall-libLTLIBRARIES + +.PRECIOUS: Makefile + + +@INTG_BUILD_TRUE@install-data-hook: +@INTG_BUILD_TRUE@ $(MKDIR_P) $(DESTDIR)$(runstatedir)/dbus +@INTG_BUILD_TRUE@ $(MKDIR_P) $(DESTDIR)$(sysconfdir)/session.d + +cwrap-dbus-system.conf: data/cwrap-dbus-system.conf.in Makefile + $(SED) -e "s!@runstatedir[@]!$(runstatedir)!" \ + -e "s!@dbusservicedir[@]!$(dbusservicedir)!" \ + $< > $@ + +config.py: config.py.m4 + m4 -D "prefix=\`$(prefix)'" \ + -D "sysconfdir=\`$(sysconfdir)'" \ + -D "nsslibdir=\`$(nsslibdir)'" \ + -D "dbpath=\`$(dbpath)'" \ + -D "pubconfpath=\`$(pubconfpath)'" \ + -D "pidpath=\`$(pidpath)'" \ + -D "logpath=\`$(logpath)'" \ + -D "mcpath=\`$(mcpath)'" \ + -D "secdbpath=\`$(secdbpath)'" \ + -D "libexecpath=\`$(libexecdir)'" \ + -D "runstatedir=\`$(runstatedir)'" \ + -D "abs_builddir=\`$(abs_builddir)'" \ + -D "session_recording_shell=\`$(session_recording_shell)'" \ + -D "py2execdir=\`$(py2execdir)'" \ + -D "py3execdir=\`$(py3execdir)'" \ + -D "python2dir=\`$(python2dir)'" \ + -D "python3dir=\`$(python3dir)'" \ + $< > $@ + +root: + : "Create directory for emulated root's D-Bus cookies." 
+ : "See http://dbus.freedesktop.org/doc/dbus-specification.html#auth-mechanisms" + $(MKDIR_P) -m 0700 root/.dbus-keyrings + +passwd: root + echo "root:x:0:0:root:$(abs_builddir)/root:/bin/bash" > $@ + +group: + echo "root:x:0:" > $@ + +clean-local: + rm -Rf root + rm -f $(builddir)/cwrap-dbus-system.conf + +intgcheck-installed: config.py passwd group + pipepath="$(DESTDIR)$(pipepath)"; \ + if test $${#pipepath} -gt 80; then \ + echo "error: Pipe directory path too long," \ + "D-Bus won't be able to open sockets" >&2; \ + exit 1; \ + fi + set -e; \ + cd "$(abs_srcdir)"; \ + nss_wrapper=$$(pkg-config --libs nss_wrapper); \ + uid_wrapper=$$(pkg-config --libs uid_wrapper); \ + unset HOME; \ + PATH="$$(dirname -- $(SLAPD)):$$PATH" \ + PATH="$(DESTDIR)$(sbindir):$(DESTDIR)$(bindir):$$PATH" \ + PATH="$$PATH:$(abs_builddir):$(abs_srcdir)" \ + PYTHONPATH="$(abs_builddir):$(abs_srcdir)" \ + LDB_MODULES_PATH="$(DESTDIR)$(ldblibdir)" \ + NON_WRAPPED_UID=$$(id -u) \ + LD_PRELOAD="$(libdir)/getsockopt_wrapper.so:$$nss_wrapper:$$uid_wrapper" \ + NSS_WRAPPER_PASSWD="$(abs_builddir)/passwd" \ + NSS_WRAPPER_GROUP="$(abs_builddir)/group" \ + NSS_WRAPPER_MODULE_SO_PATH="$(DESTDIR)$(nsslibdir)/libnss_sss.so.2" \ + NSS_WRAPPER_MODULE_FN_PREFIX="sss" \ + UID_WRAPPER=1 \ + UID_WRAPPER_ROOT=1 \ + DBUS_SOCK_DIR="$(DESTDIR)$(runstatedir)/dbus/" \ + DBUS_SESSION_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/fake_socket" \ + DBUS_SYSTEM_BUS_ADDRESS="unix:path=$$DBUS_SOCK_DIR/system_bus_socket" \ + DBUS_SYSTEM_BUS_DEFAULT_ADDRESS="$$DBUS_SYSTEM_BUS_ADDRESS" \ + fakeroot $(PYTHON2) $(PYTEST) -v --tb=native $(INTGCHECK_PYTEST_ARGS) . + rm -f $(DESTDIR)$(logpath)/* + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/tests/intg/__init__.py b/src/tests/intg/__init__.py new file mode 100644 index 0000000..542f4d1 --- /dev/null +++ b/src/tests/intg/__init__.py 
@@ -0,0 +1,13 @@ +import sys +import config + +if sys.version_info[0] > 2: + LOCAL_PYEXECDIR = config.PY3EXECDIR + LOCAL_PYDIR = config.PY3DIR +else: + LOCAL_PYEXECDIR = config.PY2EXECDIR + LOCAL_PYDIR = config.PY2DIR + +for path in [LOCAL_PYEXECDIR, LOCAL_PYDIR]: + if path not in sys.path: + sys.path.insert(0, path) diff --git a/src/tests/intg/config.py.m4 b/src/tests/intg/config.py.m4 new file mode 100644 index 0000000..aed8128 --- /dev/null +++ b/src/tests/intg/config.py.m4 @@ -0,0 +1,24 @@ +""" +Build configuration variables. +""" + +PREFIX = "prefix" +SYSCONFDIR = "sysconfdir" +NSS_MODULE_DIR = "nsslibdir" +SSSDCONFDIR = SYSCONFDIR + "/sssd" +CONF_PATH = SSSDCONFDIR + "/sssd.conf" +DB_PATH = "dbpath" +PID_PATH = "pidpath" +PUBCONF_PATH = "pubconfpath" +PIDFILE_PATH = PID_PATH + "/sssd.pid" +LOG_PATH = "logpath" +MCACHE_PATH = "mcpath" +SECDB_PATH = "secdbpath" +LIBEXEC_PATH = "libexecpath" +RUNSTATEDIR = "runstatedir" +ABS_BUILDDIR = "abs_builddir" +SESSION_RECORDING_SHELL = "session_recording_shell" +PY2EXECDIR = "py2execdir" +PY2DIR = "python2dir" +PY3EXECDIR = "py3execdir" +PY3DIR = "python3dir" diff --git a/src/tests/intg/cwrap-dbus-system.conf b/src/tests/intg/cwrap-dbus-system.conf new file mode 100644 index 0000000..1410491 --- /dev/null +++ b/src/tests/intg/cwrap-dbus-system.conf @@ -0,0 +1,83 @@ + + + + + + + + + system + + + + + + + + + + + /usr/local/share/dbus-1/system-services + + + + /usr/local/var/run/dbus/messagebus.pid + + + EXTERNAL + + + unix:path=/usr/local/var/run/dbus/system_bus_socket + + + + + + + + + + + system.d + + + + + /etc/dbus-1/system-local.conf + + contexts/dbus_contexts + + + + + + + diff --git a/src/tests/intg/data/ad_data.ldif b/src/tests/intg/data/ad_data.ldif new file mode 100644 index 0000000..0d2ec44 --- /dev/null +++ b/src/tests/intg/data/ad_data.ldif 
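Review bot: The closing loop in `__init__.py` prepends `LOCAL_PYEXECDIR` and `LOCAL_PYDIR` with `sys.path.insert(0, path)`, so any module in those install directories takes precedence over the standard library and the test helpers for the whole pytest run. Nothing in the file says this ordering is intended. If the aim is only to make the freshly installed SSSD bindings win over a system-wide copy (inferred from the variable names, not shown in the hunk), a comment above the loop would record it: `# Put the just-installed bindings ahead of any system-wide copy.` The bare `import config` also resolves only because the `intgcheck-installed` rule puts the build directory on `PYTHONPATH`, so a one-line comment naming the m4-generated `config.py` as the module being imported would help.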
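Review bot: Each configured value is pasted by m4 straight into a double-quoted Python literal (`PREFIX = "prefix"` and the lines after it), so a path containing `"` or a backslash yields a different string, or a syntax error, in the generated `config.py`. As far as the `config.py` make rule on this page shows, m4 runs without prefixed builtins. The bare words `prefix`, `dbpath`, `logpath` and the rest are therefore replaced wherever they occur outside a `#` comment, and a later addition such as `len(...)` or `index(...)` would be expanded as an m4 builtin. A header comment would make this visible to editors: `# Processed by m4: the quoted names below are macros set by the config.py make rule; avoid m4 builtin names in this file.`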
@@ -0,0 +1,815 @@ +dn: cn=Users,dc=example,dc=com +objectClass: top +objectClass: container +cn: Users +description: Default container for upgraded user accounts +distinguishedName: cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923233930.0Z +whenChanged: 20140923233930.0Z +uSNCreated: 5696 +uSNChanged: 5696 +showInAdvancedViewOnly: FALSE +name: Users +objectGUID:: 6Gd2SrsmeEiT3Hmh/5hTqw== +systemFlags: -1946157056 +objectCategory: cn=Container,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=CHILD1$,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: CHILD1$ +distinguishedName: cn=CHILD1$,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923224256.0Z +whenChanged: 20160423221800.0Z +uSNCreated: 20732 +uSNChanged: 2181674 +name: CHILD1$ +objectGUID:: ACE60RcYu0iZv4CMYPK+eg== +userAccountControl: 2080 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 131059234804699243 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EUAQAAA== +accountExpires: 9223372036854775807 +logonCount: 0 +sAMAccountName: CHILD1$ +sAMAccountType: 805306370 +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=krbtgt,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: krbtgt +description: Key Distribution Center Service Account +distinguishedName: cn=krbtgt,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923185530.0Z +uSNCreated: 12324 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +uSNChanged: 12723 +showInAdvancedViewOnly: TRUE +name: krbtgt +objectGUID:: F/Yrx8X81ESM6t14mMxcxA== 
+userAccountControl: 514 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 130559892182968750 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8E9gEAAA== +adminCount: 1 +accountExpires: 9223372036854775807 +logonCount: 0 +sAMAccountName: krbtgt +sAMAccountType: 805306368 +servicePrincipalName: kadmin/changepw +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Domain Computers,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Domain Computers +description: All workstations and servers joined to the domain +distinguishedName: cn=Domain Computers,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12330 +uSNChanged: 12332 +name: Domain Computers +objectGUID:: 09VIVs7CDkOMTnLtMkZMUA== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EAwIAAA== +sAMAccountName: Domain Computers +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Domain Controllers,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Domain Controllers +description: All domain controllers in the domain +distinguishedName: cn=Domain Controllers,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923185530.0Z +uSNCreated: 12333 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +uSNChanged: 12726 +name: Domain Controllers +objectGUID:: a6OG+FLmnECf3fAe0a8o6w== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EBAIAAA== +adminCount: 1 +sAMAccountName: Domain Controllers +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: 
cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Schema Admins,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Schema Admins +description: Designated administrators of the schema +member: cn=Administrator,cn=Users,dc=example,dc=com +distinguishedName: cn=Schema Admins,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923185530.0Z +uSNCreated: 12336 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +uSNChanged: 12708 +name: Schema Admins +objectGUID:: ONs7cn0OF0uEip0yMnLv2Q== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EBgIAAA== +adminCount: 1 +sAMAccountName: Schema Admins +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Enterprise Admins,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Enterprise Admins +description: Designated administrators of the enterprise +member: cn=Administrator,cn=Users,dc=example,dc=com +distinguishedName: cn=Enterprise Admins,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923185530.0Z +uSNCreated: 12339 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +memberOf: cn=Administrators,cn=Builtin,dc=example,dc=com +uSNChanged: 12712 +name: Enterprise Admins +objectGUID:: rD6jEoiL8U6huv7c/OJPwg== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EBwIAAA== +adminCount: 1 +sAMAccountName: Enterprise Admins +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z + 
+dn: cn=Cert Publishers,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Cert Publishers +description: Members of this group are permitted to publish certificates to the directory +member: cn=PLUTO,OU=Domain Controllers,dc=example,dc=com +distinguishedName: cn=Cert Publishers,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923191508.0Z +uSNCreated: 12342 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +uSNChanged: 12749 +name: Cert Publishers +objectGUID:: zWTUMdl6tEWA1J0QnPLkRQ== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EBQIAAA== +sAMAccountName: Cert Publishers +sAMAccountType: 536870912 +groupType: -2147483644 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Domain Admins,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Domain Admins +description: Designated administrators of the domain +member: cn=Administrator,cn=Users,dc=example,dc=com +distinguishedName: cn=Domain Admins,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923185530.0Z +uSNCreated: 12345 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +memberOf: cn=Administrators,cn=Builtin,dc=example,dc=com +uSNChanged: 12711 +name: Domain Admins +objectGUID:: YxI+YLrC3UeNNsmMnXGTlg== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EAAIAAA== +adminCount: 1 +sAMAccountName: Domain Admins +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Domain Users,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Domain Users +description: All domain users +distinguishedName: cn=Domain Users,cn=Users,dc=example,dc=com 
+instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20150202222731.0Z +uSNCreated: 12348 +memberOf: cn=Users,cn=Builtin,dc=example,dc=com +uSNChanged: 213433 +name: Domain Users +objectGUID:: JRHvlJXoU0+LOYXs3vESow== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EAQIAAA== +sAMAccountName: Domain Users +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z +msSFU30NisDomain: example +gidNumber: 100000 + +dn: cn=Domain Guests,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Domain Guests +description: All domain guests +distinguishedName: cn=Domain Guests,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12351 +memberOf: cn=Guests,cn=Builtin,dc=example,dc=com +uSNChanged: 12353 +name: Domain Guests +objectGUID:: Rx/t/vuPwUGOMoprY1KFog== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EAgIAAA== +sAMAccountName: Domain Guests +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Group Policy Creator Owners,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Group Policy Creator Owners +description: Members in this group can modify group policy for the domain +member: cn=Administrator,cn=Users,dc=example,dc=com +distinguishedName: cn=Group Policy Creator Owners,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12354 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +uSNChanged: 12391 +name: Group Policy Creator Owners +objectGUID:: V3HfwcWfZ0yv1br3tRP6bA== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ECAIAAA== +sAMAccountName: Group Policy Creator Owners +sAMAccountType: 
268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=RAS and IAS Servers,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: RAS and IAS Servers +description: Servers in this group can access remote access properties of users +distinguishedName: cn=RAS and IAS Servers,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12357 +uSNChanged: 12359 +name: RAS and IAS Servers +objectGUID:: PHyDebZK7UKVG9HG+mT8ng== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EKQIAAA== +sAMAccountName: RAS and IAS Servers +sAMAccountType: 536870912 +groupType: -2147483644 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Allowed ROdc Password Replication Group,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Allowed ROdc Password Replication Group +description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain +distinguishedName: cn=Allowed ROdc Password Replication Group,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12402 +uSNChanged: 12404 +name: Allowed ROdc Password Replication Group +objectGUID:: pKN3Txn0SUenHm8Z58ZQYA== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EOwIAAA== +sAMAccountName: Allowed ROdc Password Replication Group +sAMAccountType: 536870912 +groupType: -2147483644 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Denied ROdc Password Replication Group +description: Members in this group 
cannot have their passwords replicated to any read-only domain controllers in the domain +member: cn=Read-only Domain Controllers,cn=Users,dc=example,dc=com +member: cn=Group Policy Creator Owners,cn=Users,dc=example,dc=com +member: cn=Domain Admins,cn=Users,dc=example,dc=com +member: cn=Cert Publishers,cn=Users,dc=example,dc=com +member: cn=Enterprise Admins,cn=Users,dc=example,dc=com +member: cn=Schema Admins,cn=Users,dc=example,dc=com +member: cn=Domain Controllers,cn=Users,dc=example,dc=com +member: cn=krbtgt,cn=Users,dc=example,dc=com +distinguishedName: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12405 +uSNChanged: 12433 +name: Denied ROdc Password Replication Group +objectGUID:: OoOtLxLbXUSdCGKeGvzc7Q== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EPAIAAA== +sAMAccountName: Denied ROdc Password Replication Group +sAMAccountType: 536870912 +groupType: -2147483644 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Read-only Domain Controllers,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Read-only Domain Controllers +description: Members of this group are Read-Only Domain Controllers in the domain +distinguishedName: cn=Read-only Domain Controllers,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923185530.0Z +uSNCreated: 12419 +memberOf: cn=Denied ROdc Password Replication Group,cn=Users,dc=example,dc=com +uSNChanged: 12725 +name: Read-only Domain Controllers +objectGUID:: GoeeiCJ87UqBN3C9MhqQ3w== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ECQIAAA== +adminCount: 1 +sAMAccountName: Read-only Domain Controllers +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE 
+dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Enterprise Read-only Domain Controllers,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: Enterprise Read-only Domain Controllers +description: Members of this group are Read-Only Domain Controllers in the enterprise +distinguishedName: cn=Enterprise Read-only Domain Controllers,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234018.0Z +whenChanged: 20140923234018.0Z +uSNCreated: 12429 +uSNChanged: 12431 +name: Enterprise Read-only Domain Controllers +objectGUID:: qHRH+tAgFUy7660VnrFpTA== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8E8gEAAA== +sAMAccountName: Enterprise Read-only Domain Controllers +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=DnsAdmins,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: DnsAdmins +description: DNS Administrators Group +distinguishedName: cn=DnsAdmins,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234058.0Z +whenChanged: 20140923234058.0Z +uSNCreated: 12459 +uSNChanged: 12461 +name: DnsAdmins +objectGUID:: w4cyv6dWNEGQao3mL5RpTA== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ETQQAAA== +sAMAccountName: DnsAdmins +sAMAccountType: 536870912 +groupType: -2147483644 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=DnsUpdateProxy,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: DnsUpdateProxy +description: DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers). 
+distinguishedName: cn=DnsUpdateProxy,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923234058.0Z +whenChanged: 20140923234058.0Z +uSNCreated: 12464 +uSNChanged: 12464 +name: DnsUpdateProxy +objectGUID:: LMyHGT2RuEG+IGrGL80qMg== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ETgQAAA== +sAMAccountName: DnsUpdateProxy +sAMAccountType: 268435456 +groupType: -2147483646 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=user1_dom1-19661,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: user1_dom1-19661 +givenName: user1_dom1-19661 +distinguishedName: cn=user1_dom1-19661,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517121016.0Z +whenChanged: 20160517121017.0Z +displayName: user1_dom1-19661 +uSNCreated: 2223663 +memberOf: cn=group1_dom1-19661,cn=Users,dc=example,dc=com +uSNChanged: 2223667 +name: user1_dom1-19661 +objectGUID:: qyJVkvQrRUyig6rpPsXNUw== +userAccountControl: 512 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 131079606172284326 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EeUMBAA== +accountExpires: 0 +logonCount: 0 +sAMAccountName: user1_dom1-19661 +sAMAccountType: 805306368 +userPrincipalName: user1_dom1-19661@example.com +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z +uid: user1_dom1-19661 +msSFU30Name: user1_dom1-19661 + +dn: cn=group1_dom1-19661,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: group1_dom1-19661 +member: cn=user1_dom1-19661,cn=Users,dc=example,dc=com +distinguishedName: cn=group1_dom1-19661,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517121017.0Z +whenChanged: 20160517121018.0Z +uSNCreated: 2223669 +uSNChanged: 2223673 +name: group1_dom1-19661 +objectGUID:: 
8BulXIrOCkmlc6HgV+PAvw== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EekMBAA== +sAMAccountName: group1_dom1-19661 +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=user2_dom1-19661,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: user2_dom1-19661 +givenName: user2_dom1-19661 +distinguishedName: cn=user2_dom1-19661,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517121018.0Z +whenChanged: 20160517121019.0Z +displayName: user2_dom1-19661 +uSNCreated: 2223676 +memberOf: cn=group2_dom2-19661,cn=Users,dc=example_tree,dc=com +uSNChanged: 2223680 +name: user2_dom1-19661 +objectGUID:: YSnhUKGpFUC+SqxUvvXugA== +userAccountControl: 512 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 131079606188221826 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8Ee0MBAA== +accountExpires: 0 +logonCount: 0 +sAMAccountName: user2_dom1-19661 +sAMAccountType: 805306368 +userPrincipalName: user2_dom1-19661@example.com +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z +uid: user2_dom1-19661 +msSFU30Name: user2_dom1-19661 + +dn: cn=group3_dom1-19661,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: group3_dom1-19661 +member: cn=user3_dom3-19661,cn=Users,dc=child1,dc=example,dc=com +distinguishedName: cn=group3_dom1-19661,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517121145.0Z +whenChanged: 20160517121146.0Z +uSNCreated: 2223750 +uSNChanged: 2223754 +name: group3_dom1-19661 +objectGUID:: 7bIPzON/JEKmGsVlRmhU3g== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EfEMBAA== +sAMAccountName: group3_dom1-19661 +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: 
cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=TelnetClients,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: TelnetClients +distinguishedName: cn=TelnetClients,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923184913.0Z +whenChanged: 20140923184913.0Z +uSNCreated: 12704 +uSNChanged: 12706 +name: TelnetClients +objectGUID:: pen22ZTevU2Rb+8+krexQA== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ETwQAAA== +sAMAccountName: TelnetClients +sAMAccountType: 536870912 +groupType: -2147483644 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=SSSDAD_TREE$,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: SSSDAD_TREE$ +distinguishedName: cn=SSSDAD_TREE$,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20141002150546.0Z +whenChanged: 20160504032042.0Z +uSNCreated: 31148 +uSNChanged: 2196300 +name: SSSDAD_TREE$ +objectGUID:: SYm5qEjtH0SySg5aQw6XNA== +userAccountControl: 2080 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 131068056421414345 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8EUQQAAA== +accountExpires: 9223372036854775807 +logonCount: 0 +sAMAccountName: SSSDAD_TREE$ +sAMAccountType: 805306370 +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z + +dn: cn=user1_dom1-17775,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: user1_dom1-17775 +givenName: user1_dom1-17775 +distinguishedName: cn=user1_dom1-17775,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517104141.0Z +whenChanged: 20160517105245.0Z +displayName: user1_dom1-17775 +uSNCreated: 2220148 +memberOf: 
cn=group1_dom1-17775,cn=Users,dc=example,dc=com +uSNChanged: 2220869 +name: user1_dom1-17775 +objectGUID:: dCwgefPZTEaA5Gq7fuH9eQ== +userAccountControl: 512 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 131079562057827406 +pwdLastSet: 131079557906733656 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ESUMBAA== +accountExpires: 0 +logonCount: 46 +sAMAccountName: user1_dom1-17775 +sAMAccountType: 805306368 +userPrincipalName: user1_dom1-17775@example.com +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z +lastLogonTimestamp: 131079557817046156 +uid: user1_dom1-17775 +msSFU30Name: user1_dom1-17775 + +dn: cn=group1_dom1-17775,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: group1_dom1-17775 +member: cn=user1_dom1-17775,cn=Users,dc=example,dc=com +distinguishedName: cn=group1_dom1-17775,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517104143.0Z +whenChanged: 20160517104143.0Z +uSNCreated: 2220154 +uSNChanged: 2220158 +name: group1_dom1-17775 +objectGUID:: UfJpBGL6gE2d5hqzqNlRGQ== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ESkMBAA== +sAMAccountName: group1_dom1-17775 +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=user2_dom1-17775,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: user2_dom1-17775 +givenName: user2_dom1-17775 +distinguishedName: cn=user2_dom1-17775,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517104143.0Z +whenChanged: 20160517105302.0Z +displayName: user2_dom1-17775 +uSNCreated: 2220161 +memberOf: cn=group2_dom2-17775,cn=Users,dc=example_tree,dc=com +uSNChanged: 2220886 +name: user2_dom1-17775 +objectGUID:: r22lHyI8Y0eMVzeTH2dzoQ== +userAccountControl: 512 +badPwdCount: 0 
+codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 131079561237671156 +pwdLastSet: 131079553041264906 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ES0MBAA== +accountExpires: 0 +logonCount: 14 +sAMAccountName: user2_dom1-17775 +sAMAccountType: 805306368 +userPrincipalName: user2_dom1-17775@example.com +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z +lastLogonTimestamp: 131079559824702406 +uid: user2_dom1-17775 +msSFU30Name: user2_dom1-17775 + +dn: cn=group3_dom1-17775,cn=Users,dc=example,dc=com +objectClass: top +objectClass: group +cn: group3_dom1-17775 +member: cn=user3_dom3-17775,cn=Users,dc=child1,dc=example,dc=com +distinguishedName: cn=group3_dom1-17775,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20160517104312.0Z +whenChanged: 20160517104312.0Z +uSNCreated: 2220239 +uSNChanged: 2220243 +name: group3_dom1-17775 +objectGUID:: jkkwGJCVb0K4OCjHZVDmdQ== +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8ETEMBAA== +sAMAccountName: group3_dom1-17775 +sAMAccountType: 268435456 +groupType: -2147483640 +objectCategory: cn=Group,cn=Schema,cn=Configuration,dc=example,dc=com +dSCorePropagationData: 16010101000000.0Z + +dn: cn=Administrator,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: Administrator +description: Built-in account for administering the computer/domain +distinguishedName: cn=Administrator,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923233931.0Z +whenChanged: 20160510092815.0Z +uSNCreated: 8196 +memberOf: cn=Group Policy Creator Owners,cn=Users,dc=example,dc=com +memberOf: cn=Domain Admins,cn=Users,dc=example,dc=com +memberOf: cn=Enterprise Admins,cn=Users,dc=example,dc=com +memberOf: cn=Schema Admins,cn=Users,dc=example,dc=com +memberOf: cn=Administrators,cn=Builtin,dc=example,dc=com +uSNChanged: 2204950 +name: Administrator +objectGUID:: 
QeHMqu/QPEyjJ+KQEqcKFw== +userAccountControl: 66048 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 131074379403763791 +lastLogoff: 0 +lastLogon: 131079606125409326 +logonHours:: //////////////////////////// +pwdLastSet: 130553133586093750 +primaryGroupID: 513 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8E9AEAAA== +adminCount: 1 +accountExpires: 0 +logonCount: 7477 +sAMAccountName: Administrator +sAMAccountType: 805306368 +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 20140923185530.0Z +dSCorePropagationData: 16010101000000.0Z +lastLogonTimestamp: 131073460951421705 + +dn: cn=Guest,cn=Users,dc=example,dc=com +objectClass: top +objectClass: person +objectClass: organizationalPerson +objectClass: user +cn: Guest +description: Built-in account for guest access to the computer/domain +distinguishedName: cn=Guest,cn=Users,dc=example,dc=com +instanceType: 4 +whenCreated: 20140923233931.0Z +whenChanged: 20140923233931.0Z +uSNCreated: 8197 +memberOf: cn=Guests,cn=Builtin,dc=example,dc=com +uSNChanged: 8197 +name: Guest +objectGUID:: pZVy9Q6Eh02XuYDEXDE9Cg== +userAccountControl: 66082 +badPwdCount: 0 +codePage: 0 +countryCode: 0 +badPasswordTime: 0 +lastLogoff: 0 +lastLogon: 0 +pwdLastSet: 0 +primaryGroupID: 514 +objectSid:: AQUAAAAAAAUVAAAADcfLTVzC66zo0l8E9QEAAA== +accountExpires: 9223372036854775807 +logonCount: 0 +sAMAccountName: Guest +sAMAccountType: 805306368 +objectCategory: cn=Person,cn=Schema,cn=Configuration,dc=example,dc=com +isCriticalSystemObject: TRUE +dSCorePropagationData: 16010101000000.0Z diff --git a/src/tests/intg/data/ad_schema.ldif b/src/tests/intg/data/ad_schema.ldif new file mode 100644 index 0000000..1e4b777 --- /dev/null +++ b/src/tests/intg/data/ad_schema.ldif 
@@ -0,0 +1,42 @@ +dn: cn=ad,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: ad +structuralObjectClass: olcSchemaConfig +olcAttributeTypes: {0}( 1.2.840.113556.1.4.750 NAME 'groupType' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {1}( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {2}( 1.2.840.113556.1.4.35 NAME 'employeeID' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {3}( 1.2.840.113556.1.2.1 NAME 'instanceType' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {4}( 1.2.840.113556.1.4.782 NAME 'objectCategory' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {5}( 1.2.840.113556.1.2.2 NAME 'whenCreated' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {6}( 1.2.840.113556.1.2.3 NAME 'whenChanged' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {7}( 1.2.840.113556.1.2.19 NAME 'uSNCreated' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {8}( 1.2.840.113556.1.2.120 NAME 'uSNChanged' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {9}( 1.2.840.113556.1.2.169 NAME 'showInAdvancedViewOnly' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {10}( 1.2.840.113556.1.4.2 NAME 'objectGUID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE) +olcAttributeTypes: {11}( 1.2.840.113556.1.4.375 NAME 'systemFlags' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {12}( 1.2.840.113556.1.4.868 NAME 'isCriticalSystemObject' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {13}( 
1.2.840.113556.1.4.1357 NAME 'dSCorePropagationData' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' ) +olcAttributeTypes: {14}( 1.2.840.113556.1.4.8 NAME 'userAccountControl' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {15}( 1.2.840.113556.1.4.12 NAME 'badPwdCount' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {16}( 1.2.840.113556.1.4.146 NAME 'objectSid' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE) +olcAttributeTypes: {17}( 1.2.840.113556.1.2.102 NAME 'memberOf' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {18}( 1.2.840.113556.1.4.16 NAME 'codePage' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {19}( 1.2.840.113556.1.4.302 NAME 'sAMAccountType' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {20}( 1.2.840.113556.1.4.150 NAME 'adminCount' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {21}( 1.2.840.113556.1.4.25 NAME 'countryCode' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {22}( 1.2.840.113556.1.4.49 NAME 'badPasswordTime' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {23}( 1.2.840.113556.1.6.18.1.339 NAME 'msSFU30NisDomain' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {24}( 1.2.840.113556.1.4.51 NAME 'lastLogoff' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {25}( 1.2.840.113556.1.4.52 NAME 'lastLogon' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {26}( 1.2.840.113556.1.4.96 NAME 'pwdLastSet' EQUALITY numericStringMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' SINGLE-VALUE ) +olcAttributeTypes: {27}( 
1.2.840.113556.1.4.64 NAME 'logonHours' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE) +olcAttributeTypes: {28}( 1.2.840.113556.1.4.98 NAME 'primaryGroupID' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {29}( 1.2.840.113556.1.4.159 NAME 'accountExpires' EQUALITY numericStringMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' SINGLE-VALUE ) +olcAttributeTypes: {30}( 1.2.840.113556.1.4.169 NAME 'logonCount' EQUALITY integerMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE ) +olcAttributeTypes: {31}( 1.2.840.113556.1.4.771 NAME 'servicePrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {31}( 1.2.840.113556.1.4.656 NAME 'userPrincipalName' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {32}( 1.2.840.113556.1.6.18.1.309 NAME 'msSFU30Name' EQUALITY caseExactMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE ) +olcAttributeTypes: {33}( 1.2.840.113556.1.4.1696 NAME 'lastLogonTimestamp' EQUALITY numericStringMatch SYNTAX '1.3.6.1.4.1.1466.115.121.1.36' SINGLE-VALUE ) +olcObjectClasses: {1}( 1.2.840.113556.1.5.9 NAME 'user' DESC 'a user' SUP organizationalPerson STRUCTURAL MUST ( cn $ objectSid $ instanceType $ sAMAccountName $ objectCategory ) MAY ( userPassword $ description $ distinguishedName $ name $ userAccountControl $ badPwdCount $ memberOf $ codePage $ sAMAccountType $ adminCount $ countryCode $ dSCorePropagationData $ whenCreated $ whenChanged $ uSNCreated $ uSNChanged $ badPasswordTime $ msSFU30NisDomain $ lastLogoff $ lastLogon $ objectGUID $ pwdLastSet $ logonCount $ logonHours $ primaryGroupID $ accountExpires $ isCriticalSystemObject $ servicePrincipalName $ userPrincipalName $ msSFU30Name $ lastLogonTimestamp $ showInAdvancedViewOnly $ givenName $ displayName $ uid ) ) +olcObjectClasses: {2}( 1.2.840.113556.1.5.8 NAME 'group' DESC 'a group of users' SUP top STRUCTURAL MUST ( groupType $ 
cn $ objectSid $ instanceType $ sAMAccountName $ objectCategory ) MAY ( member $ description $ distinguishedName $ name $ memberOf $ sAMAccountType $ adminCount $ dSCorePropagationData $ whenCreated $ whenChanged $ uSNCreated $ uSNChanged $ msSFU30NisDomain $ objectGUID $ isCriticalSystemObject $ gidNumber ) ) +olcObjectClasses: {3}( 1.2.840.113556.1.3.23 NAME 'container' DESC 'asdasd' SUP top STRUCTURAL MUST ( cn $ instanceType $ objectCategory ) MAY ( whenCreated $ whenChanged $ uSNCreated $ uSNChanged $ showInAdvancedViewOnly $ objectGUID $ systemFlags $ isCriticalSystemObject $ dSCorePropagationData $ description $ distinguishedName $ name ) ) diff --git a/src/tests/intg/data/cwrap-dbus-system.conf.in b/src/tests/intg/data/cwrap-dbus-system.conf.in new file mode 100644 index 0000000..7369054 --- /dev/null +++ b/src/tests/intg/data/cwrap-dbus-system.conf.in @@ -0,0 +1,83 @@ + + + + + + + + + system + + + + + + + + + + + @dbusservicedir@ + + + + @runstatedir@/dbus/messagebus.pid + + + EXTERNAL + + + unix:path=@runstatedir@/dbus/system_bus_socket + + + + + + + + + + + system.d + + + + + /etc/dbus-1/system-local.conf + + contexts/dbus_contexts + + + + + + + diff --git a/src/tests/intg/data/sudo_schema.ldif b/src/tests/intg/data/sudo_schema.ldif new file mode 100644 index 0000000..8c1f4e3 --- /dev/null +++ b/src/tests/intg/data/sudo_schema.ldif 
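Review bot: In `src/tests/intg/data/ad_schema.ldif` the ordering prefix `{31}` is used twice in the `olcAttributeTypes` list, on `servicePrincipalName` and again on `userPrincipalName`, so the entries from `userPrincipalName` onward are numbered one too low; they should read `{32}`, `{33}` and `{34}`. `servicePrincipalName` is also declared `SINGLE-VALUE`, whereas the Active Directory attribute it models is multi-valued; the fixture data in this patch only sets one value (on `krbtgt`), but a `#` comment saying the restriction is a test simplification would keep later fixtures from tripping over it. The `container` object class still carries the placeholder `DESC 'asdasd'`, which I would replace with `DESC 'a container'`.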
@@ -0,0 +1,11 @@
+dn: cn=sudo,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudo
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
diff --git a/src/tests/intg/ds.py b/src/tests/intg/ds.py
new file mode 100644
index 0000000..faf664c
--- /dev/null
+++ b/src/tests/intg/ds.py
@@ -0,0 +1,58 @@
+#
+# Abstract directory server instance class
+#
+# Copyright (c) 2015 Red Hat, Inc.
+# Author: Nikolai Kondrashov
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import ldap
+
+
+class DS(object):
+ """Abstract directory server instance."""
+
+ def __init__(self, dir, port, base_dn, admin_rdn, admin_pw):
+ """
+ Initialize the instance.
+
+ Arguments:
+ dir Path to the root of the filesystem hierarchy to create
+ the instance under.
+ port TCP port on localhost to bind the server to.
+ base_dn Base DN.
+ admin_rdn Administrator DN, relative to BASE_DN.
+ admin_pw Administrator password.
+ """
+ self.dir = dir
+ self.port = port
+ self.ldap_url = "ldap://localhost:" + str(self.port)
+ self.base_dn = base_dn
+ self.admin_rdn = admin_rdn
+ self.admin_dn = admin_rdn + "," + base_dn
+ self.admin_pw = admin_pw
+
+ def setup(self):
+ """Setup the instance"""
+ raise NotImplementedError()
+
+ def teardown(self):
+ """Teardown the instance"""
+ raise NotImplementedError()
+
+ def bind(self):
+ """Connect to the server and bind as admin, return connection."""
+ conn = ldap.initialize(self.ldap_url)
+ conn.simple_bind_s(self.admin_dn, self.admin_pw)
+ return conn
diff --git a/src/tests/intg/ds_openldap.py b/src/tests/intg/ds_openldap.py
new file mode 100644
index 0000000..466db05
--- /dev/null
+++ b/src/tests/intg/ds_openldap.py
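Review bot: `DS.bind()` at the end of this hunk returns a live, admin-bound connection without saying who closes it, and it does a simple bind against `ldap://localhost:<port>`, so the admin password crosses that socket unencrypted. That is reasonable for a throwaway test server bound to localhost, but the docstring should state it, e.g. `"""Simple-bind as admin over plain ldap:// on localhost (test use only) and return the connection; the caller must unbind_s() it."""`. The `__init__` docstring could also note under `admin_pw` that the password is kept in clear text on the instance for later binds.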
@@ -0,0 +1,390 @@ +# +# OpenLDAP directory server instance class +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Nikolai Kondrashov +# Author: Lukas Slebodnik +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import hashlib +import base64 +import time +import ldap +import os +import errno +import signal +import shutil +import sys +from util import * +from ds import DS + +try: + from urllib import quote as url_quote +except ImportError: + from urllib.parse import quote as url_quote + + +def hash_password(password): + """Generate userPassword value for a password.""" + salt = os.urandom(4) + hash = hashlib.sha1(password.encode('utf-8')) + hash.update(salt) + hash_base64 = base64.standard_b64encode(hash.digest() + salt) + return "{SSHA}" + hash_base64.decode('utf-8') + + +class DSOpenLDAP(DS): + """OpenLDAP directory server instance.""" + + def __init__(self, dir, port, base_dn, admin_rdn, admin_pw): + """ + Initialize the instance. + + Arguments: + dir Path to the root of the filesystem hierarchy to create + the instance under. + port TCP port on localhost to bind the server to. + base_dn Base DN. + admin_rdn Administrator DN, relative to BASE_DN. + admin_pw Administrator password. 
+ """ + DS.__init__(self, dir, port, base_dn, admin_rdn, admin_pw) + self.run_dir = self.dir + "/var/run/ldap" + self.pid_path = self.run_dir + "/slapd.pid" + self.conf_dir = self.dir + "/etc/ldap" + self.conf_slapd_d_dir = self.conf_dir + "/slapd.d" + self.data_dir = self.dir + "/var/lib/ldap" + + def _setup_config(self): + """Setup the instance initial configuration.""" + dist_lib_dir = first_dir("/usr/lib64/openldap", + "/usr/lib/openldap", + "/usr/lib/ldap") + dist_conf_dir = first_dir("/etc/ldap", + "/etc/openldap") + args_file = self.run_dir + "/slapd.args" + admin_pw_hash = hash_password(self.admin_pw) + uid = os.geteuid() + gid = os.getegid() + + # + # Add configuration + # + config = unindent(""" + dn: cn=config + objectClass: olcGlobal + cn: config + olcPidFile: {self.pid_path} + olcArgsFile: {args_file} + # Read slapd.conf(5) for possible values + olcLogLevel: none + + # Frontend settings + dn: olcDatabase={{-1}}frontend,cn=config + objectClass: olcDatabaseConfig + objectClass: olcFrontendConfig + olcDatabase: {{-1}}frontend + # The maximum number of entries that is returned for + # a search operation + olcSizeLimit: 500 + # Allow unlimited access to local connection from the local root + olcAccess: {{0}}to * by dn.exact=gidNumber={gid}+uidNumber={uid}, + cn=peercred,cn=external,cn=auth manage by * break + # Allow unauthenticated read access for schema and + # base DN autodiscovery + olcAccess: {{1}}to dn.exact="" by * read + olcAccess: {{2}}to dn.base="cn=Subschema" by * read + + # Config db settings + dn: olcDatabase=config,cn=config + objectClass: olcDatabaseConfig + olcDatabase: config + # Allow unlimited access to local connection from the local root + olcAccess: to * by dn.exact=gidNumber={gid}+uidNumber={uid}, + cn=peercred,cn=external,cn=auth manage by * break + olcRootDN: {self.admin_rdn},cn=config + olcRootPW: {admin_pw_hash} + + # Load schemas + dn: cn=schema,cn=config + objectClass: olcSchemaConfig + cn: schema + + include: 
file://{dist_conf_dir}/schema/core.ldif + include: file://{dist_conf_dir}/schema/cosine.ldif + include: file://{dist_conf_dir}/schema/nis.ldif + include: file://{dist_conf_dir}/schema/inetorgperson.ldif + + # Load module + dn: cn=module{{0}},cn=config + objectClass: olcModuleList + cn: module{{0}} + olcModulePath: {dist_lib_dir} + olcModuleLoad: back_hdb + + # Set defaults for the backend + dn: olcBackend=hdb,cn=config + objectClass: olcBackendConfig + olcBackend: hdb + + # The database definition. + dn: olcDatabase=hdb,cn=config + objectClass: olcDatabaseConfig + objectClass: olcHdbConfig + olcDatabase: hdb + olcDbCheckpoint: 512 30 + olcLastMod: TRUE + olcSuffix: {self.base_dn} + olcDbDirectory: {self.data_dir} + olcRootDN: {self.admin_dn} + olcRootPW: {admin_pw_hash} + olcDbIndex: objectClass eq + olcDbIndex: cn,uid eq + olcDbIndex: uidNumber,gidNumber eq + olcDbIndex: member,memberUid eq + olcAccess: to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by * none + olcAccess: to dn.base="" by * read + olcAccess: to * + by * read + """).format(**locals()) + + slapadd = subprocess.Popen( + ["slapadd", "-F", self.conf_slapd_d_dir, "-b", "cn=config"], + stdin=subprocess.PIPE, close_fds=True + ) + slapadd.communicate(config.encode('utf-8')) + if slapadd.returncode != 0: + raise Exception("Failed to add configuration with slapadd") + + # + # Add database config (example from distribution) + # + db_config = unindent(""" + # One 0.25 GB cache + set_cachesize 0 268435456 1 + + # Transaction Log settings + set_lg_regionmax 262144 + set_lg_bsize 2097152 + """) + db_config_file = open(self.data_dir + "/DB_CONFIG", "w") + db_config_file.write(db_config) + db_config_file.close() + + # Import ad schema + subprocess.check_call( + ["slapadd", "-F", self.conf_slapd_d_dir, "-b", "cn=config", + "-l", "data/ssh_schema.ldif"], + ) + + # Import sudo schema + subprocess.check_call( + ["slapadd", "-F", self.conf_slapd_d_dir, "-b", "cn=config", + "-l", 
"data/sudo_schema.ldif"], + ) + + def _start_daemon(self): + """Start the instance.""" + if subprocess.call(["slapd", "-F", self.conf_slapd_d_dir, + "-h", self.url_list]) != 0: + raise Exception("Failed to start slapd") + + # + # Wait until it is available + # + attempt = 0 + while True: + try: + ldap_conn = ldap.initialize(self.ldapi_url) + ldap_conn.simple_bind_s(self.admin_rdn + ",cn=config", + self.admin_pw) + ldap_conn.unbind_s() + ldap_conn = ldap.initialize(self.ldap_url) + ldap_conn.simple_bind_s(self.admin_dn, self.admin_pw) + ldap_conn.unbind_s() + break + except ldap.SERVER_DOWN: + pass + attempt = attempt + 1 + if attempt > 30: + raise Exception("Failed to start slapd") + time.sleep(1) + + def setup(self): + """Setup the instance.""" + ldapi_socket = self.run_dir + "/ldapi" + self.ldapi_url = "ldapi://" + url_quote(ldapi_socket, "") + self.url_list = self.ldapi_url + " " + self.ldap_url + + os.makedirs(self.conf_slapd_d_dir) + os.makedirs(self.run_dir) + os.makedirs(self.data_dir) + + # + # Setup initial configuration + # + self._setup_config() + + self._start_daemon() + + # + # Relax requirement of member attribute presence in groupOfNames + # + modlist = [ + (ldap.MOD_DELETE, "olcObjectClasses", + b"{7}( 2.5.6.9 NAME 'groupOfNames' " + b"DESC 'RFC2256: a group of names (DNs)' SUP top " + b"STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ " + b"seeAlso $ owner $ ou $ o $ description ) )"), + (ldap.MOD_ADD, "olcObjectClasses", + b"{7}( 2.5.6.9 NAME 'groupOfNames' " + b"DESC 'RFC2256: a group of names (DNs)' SUP top " + b"STRUCTURAL MUST ( cn ) MAY ( member $ businessCategory $ " + b"seeAlso $ owner $ ou $ o $ description ) )"), + ] + ldap_conn = ldap.initialize(self.ldapi_url) + ldap_conn.simple_bind_s(self.admin_rdn + ",cn=config", self.admin_pw) + ldap_conn.modify_s("cn={0}core,cn=schema,cn=config", modlist) + ldap_conn.unbind_s() + + # + # Add data + # + ldap_conn = ldap.initialize(self.ldap_url) + ldap_conn.simple_bind_s(self.admin_dn, 
self.admin_pw) + ldap_conn.add_s(self.base_dn, [ + ("objectClass", [b"dcObject", b"organization"]), + ("o", b"Example Company"), + ]) + ldap_conn.add_s("cn=Manager," + self.base_dn, [ + ("objectClass", b"organizationalRole"), + ]) + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + ldap_conn.add_s("ou=" + ou + "," + self.base_dn, [ + ("objectClass", [b"top", b"organizationalUnit"]), + ]) + ldap_conn.add_s("ou=sudoers," + self.base_dn, [ + ("objectClass", [b"top", b"organizationalUnit"]), + ]) + ldap_conn.add_s("cn=testrule,ou=sudoers," + self.base_dn, [ + ("objectClass", [b"top", b"sudoRole"]), + ("sudoUser", [b"tuser"]), + ]) + ldap_conn.unbind_s() + + def _stop_daemon(self): + """Stop the instance.""" + # Wait for slapd to stop + try: + pid_file = open(self.pid_path, "r") + try: + os.kill(int(pid_file.read()), signal.SIGTERM) + finally: + pid_file.close() + attempt = 0 + while os.path.isfile(self.pid_path): + attempt = attempt + 1 + if attempt > 30: + raise Exception("Failed to stop slapd") + time.sleep(1) + except IOError as e: + if e.errno != errno.ENOENT: + raise + + def teardown(self): + """Teardown the instance.""" + self._stop_daemon() + + for path in (self.conf_slapd_d_dir, self.run_dir, self.data_dir): + shutil.rmtree(path, True) + + +class FakeAD(DSOpenLDAP): + """Fake Active Directory based on OpenLDAP directory server.""" + + def _setup_config(self): + """Setup the instance initial configuration.""" + + # Import ad schema + subprocess.check_call( + ["slapadd", "-F", self.conf_slapd_d_dir, "-b", "cn=config", + "-l", "data/ad_schema.ldif"], + ) + + def setup(self): + """Setup the instance.""" + ldapi_socket = self.run_dir + "/ldapi" + self.ldapi_url = "ldapi://" + url_quote(ldapi_socket, "") + self.url_list = self.ldapi_url + " " + self.ldap_url + + os.makedirs(self.conf_slapd_d_dir) + os.makedirs(self.run_dir) + os.makedirs(self.data_dir) + + super(FakeAD, self)._setup_config() + self._setup_config() + + # Start the daemon + 
super(FakeAD, self)._start_daemon() + + # Relax requirement of surname attribute presence in person + modlist = [ + (ldap.MOD_DELETE, "olcObjectClasses", + b"{4}( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top " + b"STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ " + b"telephoneNumber $ seeAlso $ description ) )"), + (ldap.MOD_ADD, "olcObjectClasses", + b"{4}( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top " + b"STRUCTURAL MUST ( cn ) MAY ( sn $ userPassword $ " + b"telephoneNumber $ seeAlso $ description ) )"), + ] + ldap_conn = ldap.initialize(self.ldapi_url) + ldap_conn.simple_bind_s(self.admin_rdn + ",cn=config", self.admin_pw) + ldap_conn.modify_s("cn={0}core,cn=schema,cn=config", modlist) + ldap_conn.unbind_s() + + # restart daemon for reloading schema + super(FakeAD, self)._stop_daemon() + super(FakeAD, self)._start_daemon() + + # Add data + ldap_conn = ldap.initialize(self.ldap_url) + ldap_conn.simple_bind_s(self.admin_dn, self.admin_pw) + ldap_conn.add_s(self.base_dn, [ + ("objectClass", [b"dcObject", b"organization"]), + ("o", b"Example Company"), + ]) + ldap_conn.add_s("cn=Manager," + self.base_dn, [ + ("objectClass", b"organizationalRole"), + ]) + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + ldap_conn.add_s("ou=" + ou + "," + self.base_dn, [ + ("objectClass", [b"top", b"organizationalUnit"]), + ]) + ldap_conn.unbind_s() + + # import data from real AD + subprocess.check_call( + ["ldapadd", "-x", "-w", self.admin_pw, "-D", + self.admin_dn, "-H", self.ldap_url, + "-f", "data/ad_data.ldif"], + ) + + def teardown(self): + """Teardown the instance.""" + super(FakeAD, self).teardown() diff --git a/src/tests/intg/ent.py b/src/tests/intg/ent.py new file mode 100644 index 0000000..23236ee --- /dev/null +++ b/src/tests/intg/ent.py 
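Review bot: `FakeAD.setup()` runs `ldapadd` with `-w self.admin_pw`, which puts the directory admin password into the child's argument list, where it is typically readable by other local users through the process table for as long as the import runs. ldapadd can take the password from a file with `-y`, so the call can pass it through a 0600 file under `self.run_dir` and remove the file afterwards, as sketched below; the other binds in this class go through python-ldap and do not have this exposure. Separately, the comment `# Import ad schema` in `DSOpenLDAP._setup_config()` sits above the load of `data/ssh_schema.ldif` and should read `# Import ssh schema`.

```python
        # … unchanged: schema relaxation, daemon restart, base entries …

        # import data from real AD
        # Hand the bind password to ldapadd through a 0600 file (-y) so it
        # never appears in the process argument list.
        pw_path = self.run_dir + "/admin_pw"
        pw_fd = os.open(pw_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.write(pw_fd, self.admin_pw.encode('utf-8'))
        finally:
            os.close(pw_fd)
        try:
            subprocess.check_call(
                ["ldapadd", "-x", "-y", pw_path, "-D",
                 self.admin_dn, "-H", self.ldap_url,
                 "-f", "data/ad_data.ldif"],
            )
        finally:
            os.remove(pw_path)
```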
@@ -0,0 +1,505 @@ +# +# Abstract passwd/group entry management +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from pprint import pformat +import pwd +import grp + +_PASSWD_LIST_DESC = {None: ("user", {})} +_GROUP_DESC = {"mem": ("member list", {None: ("member", {})})} +_GROUP_LIST_DESC = {None: ("group", _GROUP_DESC)} + + +def _get_desc(desc_map, key): + """ + Get an item description from a container description map. + + Arguments: + desc_map Container description map. + key Item key, None for wildcard description. + """ + assert isinstance(desc_map, dict) + if key in desc_map: + return desc_map[key] + if None in desc_map: + desc = desc_map[None] + if key is not None: + desc = (desc[0] + " " + pformat(key), desc[1]) + return desc + elif key is None: + return ("item", {}) + else: + return (pformat(key), {}) + + +def _diff(ent, pattern, desc_map={}): + """ + Describe difference between an entry and a pattern. + Return None, if none. + + Arguments: + ent Entry. + pattern Pattern. + desc_map Container pattern description map. + + An entry is a value, a list of entries, or a dictionary of entries. + Entries are used to store passwd and group database entries as + dictionaries, in lists and dictionaries. + + A pattern is a value, a tuple, a list, or a dictionary of patterns. + + E.g. 
123, "abc", [ 123, "abc" ], { "abc": 123 }, { "abc": ( 123 ) } + + A pattern can be matched against a value, a list, or a dictionary entry. + + A value is considered matching, if it's equal to the pattern. + + E.g. 123 == 123, 123 != 456, "abc" == "abc", "abc" != "def", 123 != "abc" + + A list is considered matching a pattern, if the pattern is a list or a + tuple, where each of pattern list items matches an entry list item and + vice versa, or where each pattern tuple item matches an entry list item, + but not necessarily the other way around. + + E.g. [] != "abc", [] == [], [ "abc", 123 ] == [ 123, "abc" ], + [ "abc" ] != [ 123 ], [ 123 ] != [], + [] == (), [ "abc", 123 ] == ( 123, "abc" ), + [ "abc" ] != ( 123 ), [ 123 ] == (), [ 123, "abc" ] == ( 123 ) + + NOTE: For the sake of readability, it is recommended to use + "contains_only" function to create patterns matching all entry list + items (list patterns), and "contains" function to create patterns + matching a subset of entry list items (tuple patterns). + + A dictionary is considered matching a pattern, if it is also a dictionary, + and all of pattern values match identically-keyed values of the + dictionary. + + E.g. {} == {}, {} != "abc", { "abc": 123, "def": 456 } == { "abc": 123 }, + { "abc": 123 } == {} + + Container pattern description map is a dictionary with keys being item + keys/indices and values being (name, description map) tuples. None key + points to a wildcard description, others to specific item descriptions. + The description map argument is optional, and is used to generate more + readable difference explanations. 
+ """ + assert isinstance(desc_map, dict) + + if isinstance(pattern, dict): + if not isinstance(ent, dict): + return "not a dict, " + str(type(ent)) + + for key, value in pattern.items(): + item_name, item_map = _get_desc(desc_map, key) + d = _diff(ent[key], value, item_map) + if d: + return item_name + " mismatch: " + d + elif isinstance(pattern, tuple): + if not isinstance(ent, list): + return "not a list, " + str(type(ent)) + + pattern_matches = [0 for pv in pattern] + + for ei, ev in enumerate(ent): + for pi, pv in enumerate(pattern): + d = _diff(ev, pv) + if not d: + pattern_matches[pi] += 1 + + unmatched_pattern = [pattern[pi] for pi in range(0, len(pattern)) + if pattern_matches[pi] == 0] + + items = _get_desc(desc_map, None)[0] + "s" + if len(unmatched_pattern) > 0: + return "\nexpected " + items + " not found:\n" + \ + pformat(unmatched_pattern) + elif isinstance(pattern, list): + if not isinstance(ent, list): + return "not a list, " + str(type(ent)) + + pattern_matches = [0 for pv in pattern] + ent_matches = [0 for ev in ent] + + for ei, ev in enumerate(ent): + for pi, pv in enumerate(pattern): + d = _diff(ev, pv) + if not d: + pattern_matches[pi] += 1 + ent_matches[ei] += 1 + + unmatched_pattern = [pattern[pi] for pi in range(0, len(pattern)) + if pattern_matches[pi] == 0] + unmatched_ent = [ent[pi] for pi in range(0, len(ent)) + if ent_matches[pi] == 0] + + items = _get_desc(desc_map, None)[0] + "s" + d = "" + if len(unmatched_pattern) > 0: + d += "\nexpected " + items + " not found:\n" + \ + pformat(unmatched_pattern) + if len(unmatched_ent) != 0: + d += "\nunexpected " + items + " found:\n" + \ + pformat(unmatched_ent) + if len(d) > 0: + return d + else: + if pattern != ent: + return pformat(pattern) + " != " + pformat(ent) + + return None + + +def contains_only(*args): + """ + Produce a pattern matching all list items against arguments. + Use this function instead of constructing bare lists, for readability. 
+ """ + return list(args) + + +def contains(*args): + """ + Produce a pattern matching a subset of list items against arguments. + Use this function instead of constructing bare tuples, for readability. + """ + return args + + +def _convert_passwd(passwd): + """ + Convert a passwd entry returned by pwd module to an entry dictionary. + """ + return dict( + name=passwd.pw_name, + passwd=passwd.pw_passwd, + uid=passwd.pw_uid, + gid=passwd.pw_gid, + gecos=passwd.pw_gecos, + dir=passwd.pw_dir, + shell=passwd.pw_shell + ) + + +def get_passwd_by_name(name): + """Get a passwd database entry by name.""" + return _convert_passwd(pwd.getpwnam(name)) + + +def get_passwd_by_uid(uid): + """Get a passwd database entry by UID.""" + return _convert_passwd(pwd.getpwuid(uid)) + + +def assert_passwd_by_name(name, pattern): + """Assert a passwd entry, retrieved by name, matches a pattern.""" + try: + ent = get_passwd_by_name(name) + except KeyError as err: + assert False, err + d = _diff(ent, pattern) + assert not d, d + + +def assert_passwd_by_uid(uid, pattern): + """Assert a passwd entry, retrieved by UID, matches a pattern.""" + try: + ent = get_passwd_by_uid(uid) + except KeyError as err: + assert False, err + d = _diff(ent, pattern) + assert not d, d + + +def get_passwd_list(): + """Get passwd database entry list with root user removed.""" + passwd_list = pwd.getpwall() + for i, v in enumerate(passwd_list): + if v.pw_name == "root" and v.pw_uid == 0 and v.pw_gid == 0: + del passwd_list[i] + return list(map(_convert_passwd, passwd_list)) + raise Exception("no root user found") + + +def assert_passwd_list(pattern): + """Assert retrieved passwd list matches a pattern.""" + d = _diff(get_passwd_list(), pattern, _PASSWD_LIST_DESC) + assert not d, d + + +def _diff_each_passwd_by_name(pattern_dict): + """ + Describe difference between each pattern_dict value and a passwd entry + retrieved by name being the corresponding key. 
+ """ + try: + ent = dict((k, get_passwd_by_name(k)) for k in pattern_dict.keys()) + except KeyError as err: + return str(err) + return _diff(ent, pattern_dict, _PASSWD_LIST_DESC) + + +def _diff_each_passwd_by_uid(pattern_dict): + """ + Describe difference between each pattern_dict value and a passwd entry + retrieved by UID being the corresponding key. + """ + try: + ent = dict((k, get_passwd_by_uid(k)) for k in pattern_dict.keys()) + except KeyError as err: + return str(err) + return _diff(ent, pattern_dict, _PASSWD_LIST_DESC) + + +def _diff_each_passwd_with_name(pattern_seq): + """ + Describe difference between each pattern in pattern_seq sequence and a + passwd entry retrieved by name being the pattern's "name" value. + """ + return _diff_each_passwd_by_name(dict((p["name"], p) for p in pattern_seq)) + + +def _diff_each_passwd_with_uid(pattern_seq): + """ + Describe difference between each pattern in pattern_seq sequence and a + passwd entry retrieved by UID being the pattern's "uid" value. + """ + return _diff_each_passwd_by_uid(dict((p["uid"], p) for p in pattern_seq)) + + +def assert_each_passwd_by_name(pattern_dict): + """ + Assert each pattern_dict value matches a passwd entry retrieved by + name being the corresponding key. + """ + d = _diff_each_passwd_by_name(pattern_dict) + assert not d, d + + +def assert_each_passwd_by_uid(pattern_dict): + """ + Assert each pattern_dict value matches a passwd entry retrieved by + UID being the corresponding key. + """ + d = _diff_each_passwd_by_uid(pattern_dict) + assert not d, d + + +def assert_each_passwd_with_name(pattern_seq): + """ + Assert each pattern in pattern_seq sequence matches a passwd entry + retrieved by name being the pattern's "name" value. + """ + d = _diff_each_passwd_with_name(pattern_seq) + assert not d, d + + +def assert_each_passwd_with_uid(pattern_seq): + """ + Assert each pattern in pattern_seq sequence matches a passwd entry + retrieved by UID being the pattern's "uid" value. 
+ """ + d = _diff_each_passwd_with_uid(pattern_seq) + assert not d, d + + +def _diff_passwd(pattern): + """ + Describe difference between passwd database and a pattern. + Each pattern entry must have "name" and "uid" attribute. + """ + d = _diff(get_passwd_list(), pattern, _PASSWD_LIST_DESC) + if d: + return "list mismatch: " + d + d = _diff_each_passwd_with_name(pattern) + if d: + return "name retrieval mismatch: " + d + d = _diff_each_passwd_with_uid(pattern) + if d: + return "UID retrieval mismatch: " + d + return None + + +def assert_passwd(pattern): + """ + Assert passwd database matches a pattern. + Each pattern entry must have "name" and "uid" attribute. + """ + d = _diff_passwd(pattern) + assert not d, d + + +def _convert_group(group): + """ + Convert a group entry returned by grp module to an entry dictionary. + """ + return dict( + name=group.gr_name, + passwd=group.gr_passwd, + gid=group.gr_gid, + mem=group.gr_mem + ) + + +def get_group_by_name(name): + """Get a group database entry by name.""" + return _convert_group(grp.getgrnam(name)) + + +def get_group_by_gid(gid): + """Get a group database entry by GID.""" + return _convert_group(grp.getgrgid(gid)) + + +def assert_group_by_name(name, pattern): + """Assert a group entry, retrieved by name, matches a pattern.""" + try: + ent = get_group_by_name(name) + except KeyError as err: + assert False, err + d = _diff(ent, pattern, _GROUP_DESC) + assert not d, d + + +def assert_group_by_gid(gid, pattern): + """Assert a group entry, retrieved by GID, matches a pattern.""" + try: + ent = get_group_by_gid(gid) + except KeyError as err: + assert False, err + d = _diff(ent, pattern, _GROUP_DESC) + assert not d, d + + +def get_group_list(): + """Get group database entry list with root group removed.""" + group_list = grp.getgrall() + for i, v in enumerate(group_list): + if v.gr_name == "root" and v.gr_gid == 0: + del group_list[i] + return list(map(_convert_group, group_list)) + raise Exception("no root group found") 
+ + +def assert_group_list(pattern): + """Assert retrieved group list matches a pattern.""" + d = _diff(get_group_list(), pattern, _GROUP_LIST_DESC) + assert not d, d + + +def _diff_each_group_by_name(pattern_dict): + """ + Describe difference between each pattern_dict value and a group entry + retrieved by name being the corresponding key. + """ + try: + ent = dict((k, get_group_by_name(k)) for k in pattern_dict.keys()) + except KeyError as err: + return str(err) + return _diff(ent, pattern_dict, _GROUP_LIST_DESC) + + +def _diff_each_group_by_gid(pattern_dict): + """ + Describe difference between each pattern_dict value and a group entry + retrieved by GID being the corresponding key. + """ + try: + ent = dict((k, get_group_by_gid(k)) for k in pattern_dict.keys()) + except KeyError as err: + return str(err) + return _diff(ent, pattern_dict, _GROUP_LIST_DESC) + + +def _diff_each_group_with_name(pattern_seq): + """ + Describe difference between each pattern in pattern_seq sequence and a + group entry retrieved name being the pattern's "name" value. + """ + return _diff_each_group_by_name(dict((p["name"], p) for p in pattern_seq)) + + +def _diff_each_group_with_gid(pattern_seq): + """ + Describe difference between each pattern in pattern_seq sequence and a + group entry retrieved by GID being the pattern's "gid" value. + """ + return _diff_each_group_by_gid(dict((p["gid"], p) for p in pattern_seq)) + + +def assert_each_group_by_name(pattern_dict): + """ + Assert each pattern_dict value matches a group entry retrieved by + name being the corresponding key. + """ + d = _diff_each_group_by_name(pattern_dict) + assert not d, d + + +def assert_each_group_by_gid(pattern_dict): + """ + Assert each pattern_dict value matches a group entry retrieved by + GID being the corresponding key. 
+ """ + d = _diff_each_group_by_gid(pattern_dict) + assert not d, d + + +def assert_each_group_with_name(pattern_seq): + """ + Assert each pattern in pattern_seq sequence matches a group entry + retrieved by name being the pattern's "name" value. + """ + d = _diff_each_group_with_name(pattern_seq) + assert not d, d + + +def assert_each_group_with_gid(pattern_seq): + """ + Assert each pattern in pattern_seq sequence matches a group entry + retrieved by GID being the pattern's "gid" value. + """ + d = _diff_each_group_with_gid(pattern_seq) + assert not d, d + + +def _diff_group(pattern): + """ + Describe difference between group database and a pattern. + Each pattern entry must have "name" and "gid" attribute. + """ + d = _diff(get_group_list(), pattern, _GROUP_LIST_DESC) + if d: + return "list mismatch: " + d + d = _diff_each_group_with_name(pattern) + if d: + return "name retrieval mismatch: " + d + d = _diff_each_group_with_gid(pattern) + if d: + return "GID retrieval mismatch: " + d + return None + + +def assert_group(pattern): + """ + Assert group database matches a pattern. + Each pattern entry must have "name" and "gid" attribute. + """ + d = _diff_group(pattern) + assert not d, d diff --git a/src/tests/intg/ent_test.py b/src/tests/intg/ent_test.py new file mode 100644 index 0000000..6b240ae --- /dev/null +++ b/src/tests/intg/ent_test.py 
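Review bot: In the dict branch of `_diff()`, `ent[key]` is indexed without checking that the key exists, so a pattern naming a field the entry lacks raises `KeyError` instead of returning a difference description, which is what the docstring promises and what the `assert_*` helpers expect. A guard before the recursive call keeps the contract: `if key not in ent: return item_name + " missing"`. The `_diff_each_*` helpers build `ent` from the pattern's own keys, so only direct callers passing hand-written patterns would hit this.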
@@ -0,0 +1,424 @@ +# +# ent.py module tests +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import re +import os +import io +import pytest +import ent +from util import * + + +@pytest.fixture(scope="module") +def passwd_path(request): + name = "NSS_WRAPPER_PASSWD" + request.addfinalizer(lambda: restore_envvar_file(name)) + return backup_envvar_file(name) + + +@pytest.fixture(scope="module") +def group_path(request): + name = "NSS_WRAPPER_GROUP" + request.addfinalizer(lambda: restore_envvar_file(name)) + return backup_envvar_file(name) + + +USER1 = dict(name="user1", passwd="x", uid=1001, gid=2001, + gecos="User 1", dir="/home/user1", shell="/bin/bash") +USER2 = dict(name="user2", passwd="x", uid=1002, gid=2002, + gecos="User 2", dir="/home/user2", shell="/bin/bash") +USER_LIST = [USER1, USER2] +USER_NAME_DICT = dict((u["name"], u) for u in USER_LIST) +USER_UID_DICT = dict((u["uid"], u) for u in USER_LIST) + + +EMPTY_GROUP = dict(name="empty_group", passwd="x", gid=2000, + mem=ent.contains_only()) +GROUP1 = dict(name="group1", passwd="x", gid=2001, + mem=ent.contains_only()) +GROUP2 = dict(name="group2", passwd="x", gid=2002, + mem=ent.contains_only()) +ONE_USER_GROUP1 = dict(name="one_user_group1", passwd="x", gid=2011, + mem=ent.contains_only("user1")) +ONE_USER_GROUP2 = dict(name="one_user_group2", passwd="x", gid=2012, + mem=ent.contains_only("user2")) +TWO_USER_GROUP = dict(name="two_user_group", 
passwd="x", gid=2020, + mem=ent.contains_only("user1", "user2")) +GROUP_LIST = [EMPTY_GROUP, + GROUP1, + GROUP2, + ONE_USER_GROUP1, + ONE_USER_GROUP2, + TWO_USER_GROUP] +GROUP_NAME_DICT = dict((g["name"], g) for g in GROUP_LIST) +GROUP_GID_DICT = dict((g["gid"], g) for g in GROUP_LIST) + + +@pytest.fixture(scope="module") +def users_and_groups(request, passwd_path, group_path): + passwd_contents = "".join([ + "{name}:{passwd}:{uid}:{gid}:{gecos}:{dir}:{shell}\n".format(**u) + for u in USER_LIST + ]) + group_contents = "".join([ + "%s:%s:%s:%s\n" % (g["name"], g["passwd"], g["gid"], + ",".join(g["mem"])) + for g in GROUP_LIST + ]) + + with open(passwd_path, "a") as f: + f.write(passwd_contents) + with open(group_path, "a") as f: + f.write(group_contents) + + +def test_assert_passwd_by_name(users_and_groups): + ent.assert_passwd_by_name("user1", {}) + ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001)) + ent.assert_passwd_by_name("user1", USER1) + + try: + ent.assert_passwd_by_name("user3", {}) + assert False + except AssertionError as e: + assert str(e) == "'getpwnam(): name not found: user3'" + + try: + ent.assert_passwd_by_name("user2", dict(name="user1")) + assert False + except AssertionError as e: + assert str(e) == "'name' mismatch: 'user1' != 'user2'" + + +def test_assert_passwd_by_uid(users_and_groups): + ent.assert_passwd_by_uid(1001, {}) + ent.assert_passwd_by_uid(1001, dict(name="user1", uid=1001)) + ent.assert_passwd_by_uid(1001, USER1) + + try: + ent.assert_passwd_by_uid(1003, {}) + assert False + except AssertionError as e: + assert str(e) == "'getpwuid(): uid not found: 1003'" + + try: + ent.assert_passwd_by_uid(1002, dict(name="user1")) + assert False + except AssertionError as e: + assert str(e) == "'name' mismatch: 'user1' != 'user2'" + + +def test_assert_passwd_list(users_and_groups): + ent.assert_passwd_list(ent.contains()) + ent.assert_passwd_list(ent.contains(USER1)) + ent.assert_passwd_list(ent.contains_only(*USER_LIST)) + try: + 
ent.assert_passwd_list(ent.contains_only()) + assert False + except AssertionError as e: + assert not re.search("expected users not found:", str(e)) + assert re.search("unexpected users found:", str(e)) + try: + ent.assert_passwd_list(ent.contains(dict(name="non_existent"))) + assert False + except AssertionError as e: + assert re.search("expected users not found:", str(e)) + assert not re.search("unexpected users found:", str(e)) + + +def test_assert_each_passwd_by_name(users_and_groups): + ent.assert_each_passwd_by_name({}) + ent.assert_each_passwd_by_name(dict(user1=USER1)) + ent.assert_each_passwd_by_name(USER_NAME_DICT) + try: + ent.assert_each_passwd_by_name(dict(user3={})) + assert False + except AssertionError as e: + assert str(e) == "'getpwnam(): name not found: user3'" + try: + ent.assert_each_passwd_by_name(dict(user1=dict(name="user2"))) + assert False + except AssertionError as e: + assert str(e) == \ + "user 'user1' mismatch: 'name' mismatch: 'user2' != 'user1'" + + +def test_assert_each_passwd_by_uid(users_and_groups): + ent.assert_each_passwd_by_uid({}) + ent.assert_each_passwd_by_uid({1001: USER1}) + ent.assert_each_passwd_by_uid(USER_UID_DICT) + try: + ent.assert_each_passwd_by_uid({1003: {}}) + assert False + except AssertionError as e: + assert str(e) == "'getpwuid(): uid not found: 1003'" + try: + ent.assert_each_passwd_by_uid({1001: dict(uid=1002)}) + assert False + except AssertionError as e: + assert str(e) == \ + "user 1001 mismatch: 'uid' mismatch: 1002 != 1001" + + +def test_assert_each_passwd_with_name(users_and_groups): + ent.assert_each_passwd_with_name([]) + ent.assert_each_passwd_with_name([USER1]) + ent.assert_each_passwd_with_name(USER_LIST) + try: + ent.assert_each_passwd_with_name([dict(name="user3")]) + assert False + except AssertionError as e: + assert str(e) == "'getpwnam(): name not found: user3'" + try: + ent.assert_each_passwd_with_name([dict(name="user1", uid=1002)]) + assert False + except AssertionError as e: + assert 
str(e) == \ + "user 'user1' mismatch: 'uid' mismatch: 1002 != 1001" + + +def test_assert_each_passwd_with_uid(users_and_groups): + ent.assert_each_passwd_with_uid([]) + ent.assert_each_passwd_with_uid([USER1]) + ent.assert_each_passwd_with_uid(USER_LIST) + try: + ent.assert_each_passwd_with_uid([dict(uid=1003)]) + assert False + except AssertionError as e: + assert str(e) == "'getpwuid(): uid not found: 1003'" + try: + ent.assert_each_passwd_with_uid([dict(name="user2", uid=1001)]) + assert False + except AssertionError as e: + assert str(e) == \ + "user 1001 mismatch: 'name' mismatch: 'user2' != 'user1'" + + +def test_assert_passwd(users_and_groups): + ent.assert_passwd(ent.contains()) + ent.assert_passwd(ent.contains(USER1)) + ent.assert_passwd(ent.contains_only(*USER_LIST)) + try: + ent.assert_passwd(ent.contains(dict(name="user3", uid=1003))) + assert False + except AssertionError as e: + assert re.search("list mismatch:", str(e)) + assert re.search("expected users not found:", str(e)) + assert not re.search("unexpected users found:", str(e)) + try: + ent.assert_passwd(ent.contains_only(USER1)) + assert False + except AssertionError as e: + assert re.search("list mismatch:", str(e)) + assert not re.search("expected users not found:", str(e)) + assert re.search("unexpected users found:", str(e)) + + +def test_group_member_matching(users_and_groups): + ent.assert_group_by_name("empty_group", dict(mem=ent.contains())) + ent.assert_group_by_name("empty_group", dict(mem=ent.contains_only())) + try: + ent.assert_group_by_name("empty_group", + dict(mem=ent.contains("user1"))) + except AssertionError as e: + assert re.search("member list mismatch:", str(e)) + assert re.search("expected members not found:", str(e)) + + ent.assert_group_by_name("one_user_group1", dict(mem=ent.contains())) + ent.assert_group_by_name("one_user_group1", + dict(mem=ent.contains("user1"))) + ent.assert_group_by_name("one_user_group1", + dict(mem=ent.contains_only("user1"))) + try: + 
ent.assert_group_by_name("one_user_group1", + dict(mem=ent.contains_only())) + except AssertionError as e: + assert re.search("member list mismatch:", str(e)) + assert re.search("unexpected members found:", str(e)) + assert not re.search("expected members not found:", str(e)) + try: + ent.assert_group_by_name("one_user_group1", + dict(mem=ent.contains_only("user3"))) + except AssertionError as e: + assert re.search("member list mismatch:", str(e)) + assert re.search("unexpected members found:", str(e)) + assert re.search("expected members not found:", str(e)) + try: + ent.assert_group_by_name("one_user_group1", + dict(mem=ent.contains("user3"))) + except AssertionError as e: + assert re.search("member list mismatch:", str(e)) + assert not re.search("unexpected members found:", str(e)) + assert re.search("expected members not found:", str(e)) + + ent.assert_group_by_name("two_user_group", dict(mem=ent.contains())) + ent.assert_group_by_name("two_user_group", + dict(mem=ent.contains("user1"))) + ent.assert_group_by_name("two_user_group", + dict(mem=ent.contains("user1", "user2"))) + ent.assert_group_by_name("two_user_group", + dict(mem=ent.contains_only("user1", "user2"))) + try: + ent.assert_group_by_name("two_user_group", + dict(mem=ent.contains_only("user1"))) + except AssertionError as e: + assert re.search("member list mismatch:", str(e)) + assert re.search("unexpected members found:", str(e)) + assert not re.search("expected members not found:", str(e)) + + +def test_assert_group_by_name(users_and_groups): + ent.assert_group_by_name("group1", {}) + ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) + ent.assert_group_by_name("group1", GROUP1) + + try: + ent.assert_group_by_name("group3", {}) + assert False + except AssertionError as e: + assert str(e) == "'getgrnam(): name not found: group3'" + + try: + ent.assert_group_by_name("group2", dict(name="group1")) + assert False + except AssertionError as e: + assert str(e) == "'name' mismatch: 
'group1' != 'group2'" + + +def test_assert_group_by_gid(users_and_groups): + ent.assert_group_by_gid(2001, {}) + ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) + ent.assert_group_by_gid(2001, GROUP1) + + try: + ent.assert_group_by_gid(2003, {}) + assert False + except AssertionError as e: + assert str(e) == "'getgrgid(): gid not found: 2003'" + + try: + ent.assert_group_by_gid(2002, dict(name="group1")) + assert False + except AssertionError as e: + assert str(e) == "'name' mismatch: 'group1' != 'group2'" + + +def test_assert_group_list(users_and_groups): + ent.assert_group_list(ent.contains()) + ent.assert_group_list(ent.contains(GROUP1)) + ent.assert_group_list(ent.contains_only(*GROUP_LIST)) + try: + ent.assert_group_list(ent.contains_only()) + assert False + except AssertionError as e: + assert not re.search("expected groups not found:", str(e)) + assert re.search("unexpected groups found:", str(e)) + try: + ent.assert_group_list(ent.contains(dict(name="non_existent"))) + assert False + except AssertionError as e: + assert re.search("expected groups not found:", str(e)) + assert not re.search("unexpected groups found:", str(e)) + + +def test_assert_each_group_by_name(users_and_groups): + ent.assert_each_group_by_name({}) + ent.assert_each_group_by_name(dict(group1=GROUP1)) + ent.assert_each_group_by_name(GROUP_NAME_DICT) + try: + ent.assert_each_group_by_name(dict(group3={})) + assert False + except AssertionError as e: + assert str(e) == "'getgrnam(): name not found: group3'" + try: + ent.assert_each_group_by_name(dict(group1=dict(name="group2"))) + assert False + except AssertionError as e: + assert str(e) == "group 'group1' mismatch: " + \ + "'name' mismatch: 'group2' != 'group1'" + + +def test_assert_each_group_by_gid(users_and_groups): + ent.assert_each_group_by_gid({}) + ent.assert_each_group_by_gid({2001: GROUP1}) + ent.assert_each_group_by_gid(GROUP_GID_DICT) + try: + ent.assert_each_group_by_gid({2003: {}}) + assert False + except 
AssertionError as e: + assert str(e) == "'getgrgid(): gid not found: 2003'" + try: + ent.assert_each_group_by_gid({2001: dict(gid=2002)}) + assert False + except AssertionError as e: + assert str(e) == \ + "group 2001 mismatch: 'gid' mismatch: 2002 != 2001" + + +def test_assert_each_group_with_name(users_and_groups): + ent.assert_each_group_with_name([]) + ent.assert_each_group_with_name([GROUP1]) + ent.assert_each_group_with_name(GROUP_LIST) + try: + ent.assert_each_group_with_name([dict(name="group3")]) + assert False + except AssertionError as e: + assert str(e) == "'getgrnam(): name not found: group3'" + try: + ent.assert_each_group_with_name([dict(name="group1", gid=2002)]) + assert False + except AssertionError as e: + assert str(e) == \ + "group 'group1' mismatch: 'gid' mismatch: 2002 != 2001" + + +def test_assert_each_group_with_gid(users_and_groups): + ent.assert_each_group_with_gid([]) + ent.assert_each_group_with_gid([GROUP1]) + ent.assert_each_group_with_gid(GROUP_LIST) + try: + ent.assert_each_group_with_gid([dict(gid=2003)]) + assert False + except AssertionError as e: + assert str(e) == "'getgrgid(): gid not found: 2003'" + try: + ent.assert_each_group_with_gid([dict(name="group2", gid=2001)]) + assert False + except AssertionError as e: + assert str(e) == \ + "group 2001 mismatch: 'name' mismatch: 'group2' != 'group1'" + + +def test_assert_group(users_and_groups): + ent.assert_group(ent.contains()) + ent.assert_group(ent.contains(GROUP1)) + ent.assert_group(ent.contains_only(*GROUP_LIST)) + try: + ent.assert_group(ent.contains(dict(name="group3", gid=2003))) + assert False + except AssertionError as e: + assert re.search("list mismatch:", str(e)) + assert re.search("expected groups not found:", str(e)) + assert not re.search("unexpected groups found:", str(e)) + try: + ent.assert_group(ent.contains_only(GROUP1)) + assert False + except AssertionError as e: + assert re.search("list mismatch:", str(e)) + assert not re.search("expected groups not 
found:", str(e)) + assert re.search("unexpected groups found:", str(e)) diff --git a/src/tests/intg/files_ops.py b/src/tests/intg/files_ops.py new file mode 100644 index 0000000..62f5651 --- /dev/null +++ b/src/tests/intg/files_ops.py 
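Review bot: In `test_group_member_matching` the five expected-failure calls to `ent.assert_group_by_name(...)` sit inside `try` with no `assert False` after them, so if the helper stops raising, the `except AssertionError` branch is never entered and the test still passes. Every other test in this file puts `assert False` directly after the call that must fail, and the same line belongs after each of these calls. Since pytest is already imported, `with pytest.raises(AssertionError) as excinfo:` followed by the `re.search(..., str(excinfo.value))` checks would state the expectation more directly.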
@@ -0,0 +1,159 @@ +# +# SSSD integration test - operations on UNIX user and group database +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import os.path +import tempfile +import pytest + +import ent +from util import backup_envvar_file, restore_envvar_file + + +@pytest.fixture +def passwd_ops_setup(request): + pwd_file = os.environ["NSS_WRAPPER_PASSWD"] + backup_envvar_file("NSS_WRAPPER_PASSWD") + request.addfinalizer(lambda: restore_envvar_file("NSS_WRAPPER_PASSWD")) + pwd_ops = PasswdOps(pwd_file) + return pwd_ops + + +@pytest.fixture +def group_ops_setup(request): + grp_file = os.environ["NSS_WRAPPER_GROUP"] + backup_envvar_file("NSS_WRAPPER_GROUP") + request.addfinalizer(lambda: restore_envvar_file("NSS_WRAPPER_GROUP")) + grp_ops = GroupOps(grp_file) + return grp_ops + + +@pytest.fixture +def group_db_setup(request): + group = request.param + grp_ops = group_ops_setup(request) + grp_ops.groupadd(**group) + ent.assert_group_by_name(group['name'], group) + return grp_ops + + +class FilesOps(object): + """ + A naive implementation of operations as a basis for user or group + operations. Uses rename to (hopefully) trigger the same fs-level + notifications as shadow-utils would. 
+ """ + def __init__(self, file_name): + self.file_name = file_name + self.tmp_dir = os.path.dirname(self.file_name) + + @staticmethod + def _get_named_line(name, contents): + for num, line in enumerate(contents, 0): + pname = line.split(':')[0] + if name == pname: + return num + raise KeyError("%s not found" % name) + + def _read_contents(self): + with open(self.file_name, "r") as pfile: + contents = pfile.readlines() + return contents + + def _write_contents(self, contents): + tmp_file = tempfile.NamedTemporaryFile(mode='w', dir=self.tmp_dir, + delete=False) + tmp_file.writelines(contents) + tmp_file.flush() + + os.rename(tmp_file.name, self.file_name) + + def _append_line(self, new_line): + contents = self._read_contents() + contents.extend(new_line) + self._write_contents(contents) + + def _subst_line(self, key, line): + contents = self._read_contents() + kindex = self._get_named_line(key, contents) + contents[kindex] = line + self._write_contents(contents) + + def _del_line(self, key): + contents = self._read_contents() + kindex = self._get_named_line(key, contents) + contents.pop(kindex) + self._write_contents(contents) + + contents = self._read_contents() + + +class PasswdOps(FilesOps): + """ + A naive implementation of user operations + """ + def __init__(self, file_name): + super(PasswdOps, self).__init__(file_name) + + def _pwd2line(self, name, uid, gid, passwd, gecos, homedir, shell): + pwd_fmt = "{name}:{passwd}:{uid}:{gid}:{gecos}:{homedir}:{shell}\n" + return pwd_fmt.format(name=name, + passwd=passwd, + uid=uid, + gid=gid, + gecos=gecos, + homedir=homedir, + shell=shell) + + def useradd(self, name, uid, gid, passwd='', gecos='', dir='', shell=''): + pwd_line = self._pwd2line(name, uid, gid, passwd, gecos, dir, shell) + self._append_line(pwd_line) + + def usermod(self, name, uid, gid, passwd='', gecos='', dir='', shell=''): + pwd_line = self._pwd2line(name, uid, gid, passwd, gecos, dir, shell) + self._subst_line(name, pwd_line) + + def userdel(self, 
name): + self._del_line(name) + + +class GroupOps(FilesOps): + """ + A naive implementation of group operations + """ + def __init__(self, file_name): + super(GroupOps, self).__init__(file_name) + + def _grp2line(self, name, gid, mem, passwd): + member_list = ",".join(m for m in mem) + grp_fmt = "{name}:{passwd}:{gid}:{member_list}\n" + return grp_fmt.format(name=name, + passwd=passwd, + gid=gid, + member_list=member_list) + + def groupadd(self, name, gid, mem, passwd="*"): + grp_line = self._grp2line(name, gid, mem, passwd) + self._append_line(grp_line) + + def groupmod(self, old_name, name, gid, mem, passwd="*"): + grp_line = self._grp2line(name, gid, mem, passwd) + self._subst_line(old_name, grp_line) + + def groupdel(self, name): + self._del_line(name) diff --git a/src/tests/intg/getsockopt_wrapper.c b/src/tests/intg/getsockopt_wrapper.c new file mode 100644 index 0000000..77c8323 --- /dev/null +++ b/src/tests/intg/getsockopt_wrapper.c 
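Review bot: `FilesOps._write_contents` never closes the `NamedTemporaryFile` it creates with `delete=False`, so every add, modify or delete leaks a file descriptor and the rename happens while the handle is still open. Writing inside `with tempfile.NamedTemporaryFile(mode='w', dir=self.tmp_dir, delete=False) as tmp_file:` and calling `os.rename(tmp_file.name, self.file_name)` after the block closes the file before the swap. The temporary file presumably keeps the owner-only mode that the tempfile module assigns, so the replaced passwd or group file may end up with different permissions than the original; a comment should say whether that is intended. Separately, `_append_line` uses `contents.extend(new_line)`, which adds the string one character at a time; `contents.append(new_line)` states the intent.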
@@ -0,0 +1,59 @@
+/* gcc -Wall -fPIC -shared -o getsockopt_wrapper.so getsockopt_wrapper.c -ldl */
+
+/* for RTLD_NEXT */
+#define _GNU_SOURCE 1
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+static bool is_dbus_socket(int fd)
+{
+ int ret;
+ struct sockaddr_storage addr = { 0 };
+ socklen_t addrlen = sizeof(addr);
+ struct sockaddr_un *unix_socket;
+
+ ret = getsockname(fd, (struct sockaddr *)&addr, &addrlen);
+ if (ret != 0) return false;
+
+ if (addr.ss_family != AF_UNIX) return false;
+
+ unix_socket = (struct sockaddr_un *)&addr;
+
+ return NULL != strstr(unix_socket->sun_path, "system_bus_socket");
+}
+
+typedef typeof(getsockopt) getsockopt_fn_t;
+
+static getsockopt_fn_t *orig_getsockopt = NULL;
+
+int getsockopt(int sockfd, int level, int optname,
+ void *optval, socklen_t *optlen)
+{
+ int ret;
+#ifdef __OpenBSD__
+ struct sockpeercred *cr;
+#else
+ struct ucred *cr;
+#endif
+
+ if (orig_getsockopt == NULL) {
+ orig_getsockopt = (getsockopt_fn_t *)dlsym(RTLD_NEXT, "getsockopt");
+ }
+
+ ret = orig_getsockopt(sockfd, level, optname, optval, optlen);
+
+ if (ret == 0 && level == SOL_SOCKET && optname == SO_PEERCRED
+ && *optlen == sizeof(*cr)) {
+ cr = optval;
+ if (cr->uid != 0 && is_dbus_socket(sockfd)) {
+ cr->uid = 0;
+ }
+ }
+
+ return ret;
+}
diff --git a/src/tests/intg/kdc.py b/src/tests/intg/kdc.py
new file mode 100644
index 0000000..dec33a9
--- /dev/null
+++ b/src/tests/intg/kdc.py
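Review bot: In `getsockopt()` the result of `dlsym(RTLD_NEXT, "getsockopt")` is not checked, so a failed lookup makes the next statement call through a NULL `orig_getsockopt`. A guard right after the lookup, `if (orig_getsockopt == NULL) { errno = ENOSYS; return -1; }`, turns that into an ordinary error return; it needs `<errno.h>` if that is not already among the includes, which are not legible here. The file also lacks a header comment stating what the shim does: it rewrites the `SO_PEERCRED` uid to 0 for any socket whose path contains `system_bus_socket`, which is acceptable only as a preloaded test helper and must never be built into or installed with the product. The substring test in `is_dbus_socket()` is loose, and comparing against the exact path of the test bus would narrow it if the build knows that path.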
@@ -0,0 +1,175 @@ +# +# MIT Kerberos server class +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import signal +import shutil +import subprocess + +from util import * + + +class KDC(object): + """ + MIT Kerberos KDC instance + """ + + def __init__(self, basedir, realm, + includedir=None, + kdc_port=10088, + kadmin_port=10749, + master_key='master'): + self.basedir = basedir + self.realm = realm + self.kdc_port = kdc_port + self.kadmin_port = kadmin_port + self.master_key = master_key + + self.kdc_basedir = self.basedir + "/var/krb5kdc" + self.includedir = includedir or (self.kdc_basedir + "/include") + self.kdc_logdir = self.kdc_basedir + "/log" + self.kdc_conf_path = self.kdc_basedir + "/kdc.conf" + self.krb5_conf_path = self.kdc_basedir + "/krb5.conf" + + self.kdc_pid_file = self.kdc_basedir + "/kdc.pid" + + self.acl_file = self.kdc_basedir + "/kadm5.acl" + + self.admin_princ = "admin/admin@" + self.realm + + def start_kdc(self, extra_args=[]): + args = ["krb5kdc", '-P', self.kdc_pid_file] + extra_args + return self._run_in_env(args, self.get_krb5_env()) + + def stop_kdc(self): + try: + with open(self.kdc_pid_file, "r") as pid_file: + os.kill(int(pid_file.read()), signal.SIGTERM) + except IOError as ioex: + if ioex.errno == 2: + pass + else: + raise ioex + + def teardown(self): + self.stop_kdc() + shutil.rmtree(self.kdc_basedir) + + def set_up(self): + self._create_config() + self._create_acl() + self._create_kdb() + 
+ def get_krb5_env(self): + my_env = os.environ + my_env['KRB5_CONFIG'] = self.krb5_conf_path + my_env['KRB5_KDC_PROFILE'] = self.kdc_conf_path + return my_env + + def add_config(self, include_files): + for name, contents in include_files.items(): + include_fpath = os.path.join(self.includedir, name) + with open(include_fpath, 'w') as include_file: + include_file.write(contents) + + def add_principal(self, princ, password=None): + args = ["kadmin.local", "-q"] + if password is None: + args += ["addprinc -randkey %s" % (princ)] + else: + args += ["addprinc -pw %s %s" % (password, princ)] + return self._run_in_env(args, self.get_krb5_env()) + + def _run_in_env(self, args, env): + cmd = subprocess.Popen(args, env=env) + out, err = cmd.communicate() + return cmd.returncode, out, err + + def _create_config(self): + try: + os.makedirs(self.kdc_basedir) + os.makedirs(self.kdc_logdir) + os.makedirs(self.includedir) + except OSError as osex: + if osex.errno == 17: + pass + + kdc_conf = self._format_kdc_conf() + with open(self.kdc_conf_path, 'w') as kdc_conf_file: + kdc_conf_file.write(kdc_conf) + + krb5_conf = self._format_krb5_conf() + with open(self.krb5_conf_path, 'w') as krb5_conf_file: + krb5_conf_file.write(krb5_conf) + + def _create_acl(self): + with open(self.acl_file, 'w') as acl_fobject: + acl_fobject.write(self.admin_princ) + + def _create_kdb(self): + self._run_in_env( + ['kdb5_util', 'create', '-W', '-s', '-P', self.master_key], + self.get_krb5_env() + ) + + def _format_kdc_conf(self): + database_path = self.kdc_basedir + "/principal" + key_stash = self.kdc_basedir + "/stash." 
+ self.realm + + kdc_logfile = "FILE:" + self.kdc_logdir + "/krb5kdc.log" + kadmin_logfile = "FILE:" + self.kdc_logdir + "/kadmin.log" + libkrb5_logfile = "FILE:" + self.kdc_logdir + "/libkrb5.log" + + kdc_conf = unindent(""" + [kdcdefaults] + kdc_ports = {self.kdc_port} + kdc_tcp_ports = {self.kdc_port} + + [realms] + {self.realm} = {{ + kadmind_port = {self.kadmin_port} + database_name = {database_path} + key_stash_file = {key_stash} + acl_file = {self.acl_file} + }} + + [logging] + kdc = {kdc_logfile} + admin_server = {kadmin_logfile} + default = {libkrb5_logfile} + """).format(**locals()) + return kdc_conf + + def _format_krb5_conf(self): + kdc_uri = "localhost:%d" % self.kdc_port + kadmin_uri = "localhost:%d" % self.kadmin_port + + krb5_conf = unindent(""" + includedir {self.includedir} + + [libdefaults] + default_realm = {self.realm} + dns_lookup_kdc = false + dns_lookup_realm = false + + [realms] + {self.realm} = {{ + kdc = {kdc_uri} + admin_server = {kadmin_uri} + }} + """).format(**locals()) + return krb5_conf diff --git a/src/tests/intg/krb5utils.py b/src/tests/intg/krb5utils.py new file mode 100644 index 0000000..0349ff3 --- /dev/null +++ b/src/tests/intg/krb5utils.py 
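Review bot: `get_krb5_env()` assigns `my_env = os.environ` and then writes `KRB5_CONFIG` and `KRB5_KDC_PROFILE` into it, which changes the test process's own environment rather than a private copy, so the settings persist for everything that runs afterwards. `my_env = os.environ.copy()` keeps the change local to the spawned command. `Krb5Utils.spawn_in_env()` in krb5utils.py has the same aliasing, and it also deletes `KRB5CCNAME` from the real environment and merges `extra_env` into it. In `_create_config()` the three `os.makedirs` calls share one `try`, so an existing `kdc_basedir` skips creation of the other two directories, and any `OSError` other than errno 17 is silently dropped; one call per directory with `else: raise` fixes both.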
@@ -0,0 +1,160 @@ +# +# MIT Kerberos server class +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import subprocess + + +class NoPrincipals(Exception): + def __init__(self): + Exception.__init__(self, 'No principals in the collection') + + +class PrincNotFound(Exception): + def __init__(self, principal): + Exception.__init__(self, 'Principal %s not found' % principal) + + +class Krb5Utils(object): + """ + Helper class to test Kerberos command line utilities + """ + def __init__(self, krb5_conf_path): + self.krb5_conf_path = krb5_conf_path + + def spawn_in_env(self, args, stdin=None, extra_env=None): + my_env = os.environ + my_env['KRB5_CONFIG'] = self.krb5_conf_path + + if 'KRB5CCNAME' in my_env: + del my_env['KRB5CCNAME'] + if extra_env is not None: + my_env.update(extra_env) + + cmd = subprocess.Popen(args, + env=my_env, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + return cmd + + def _run_in_env(self, args, stdin=None, extra_env=None): + cmd = self.spawn_in_env(args, stdin, extra_env) + out, err = cmd.communicate(stdin) + return cmd.returncode, out.decode('utf-8'), err.decode('utf-8') + + def kinit(self, principal, password, env=None): + args = ["kinit", principal] + return self._run_in_env(args, password.encode('utf-8'), env) + + def kvno(self, principal, env=None): + args = ["kvno", principal] + return self._run_in_env(args, env) + + def kdestroy(self, all_ccaches=False, env=None): + 
args = ["kdestroy"] + if all_ccaches is True: + args += ["-A"] + retval, _, _ = self._run_in_env(args, env) + return retval + + def kswitch(self, principal, env=None): + args = ["kswitch", '-p', principal] + retval, _, _ = self._run_in_env(args, env) + return retval + + def _check_klist_l(self, line, exp_principal, exp_cache): + try: + princ, cache = line.split() + except ValueError: + return False + + if exp_cache is not None and cache != exp_cache: + return False + + if exp_principal != princ: + return False + + return True + + def num_princs(self, env=None): + args = ["klist", "-l"] + retval, out, err = self._run_in_env(args, extra_env=env) + if retval != 0: + return 0 + + outlines = [l for l in out.split('\n') if len(l) > 1] + return len(outlines) - 2 + + def list_princs(self, env=None): + args = ["klist", "-l"] + retval, out, err = self._run_in_env(args, extra_env=env) + if retval == 1: + raise NoPrincipals + elif retval != 0: + raise Exception("klist failed: %d: %s\n", retval, err) + + outlines = out.split('\n') + if len(outlines) < 2: + raise Exception("Not enough output from klist -l") + + return [l for l in outlines[2:] if len(l) > 0] + + def has_principal(self, exp_principal, exp_cache=None, env=None): + try: + princlist = self.list_princs(env) + except NoPrincipals: + return False + + for line in princlist: + matches = self._check_klist_l(line, exp_principal, exp_cache) + if matches is True: + return True + + return False + + def default_principal(self, env=None): + principals = self.list_princs(env) + return principals[0].split()[0] + + def _parse_klist_a(self, out): + dflprinc = None + thisrealm = None + ccache_dict = dict() + + for line in [l for l in out.split('\n') if len(l) > 0]: + if line.startswith("Default principal"): + dflprinc = line.split()[2] + thisrealm = '@' + dflprinc.split('@')[1] + elif thisrealm is not None and line.endswith(thisrealm): + svc = line.split()[-1] + if dflprinc in ccache_dict: + ccache_dict[dflprinc].append(svc) + else: 
+ ccache_dict[dflprinc] = [svc] + + return ccache_dict + + def list_all_princs(self, env=None): + args = ["klist", "-A"] + retval, out, err = self._run_in_env(args, extra_env=env) + if retval == 1: + raise NoPrincipals + elif retval != 0: + raise Exception("klist -A failed: %d: %s\n", retval, err) + + return self._parse_klist_a(out) diff --git a/src/tests/intg/ldap_ent.py b/src/tests/intg/ldap_ent.py new file mode 100644 index 0000000..80e7698 --- /dev/null +++ b/src/tests/intg/ldap_ent.py 
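Review bot: `kvno()`, `kdestroy()` and `kswitch()` call `self._run_in_env(args, env)`, which binds `env` to the `stdin` parameter, so the caller's environment is never applied and a non-None dict is handed to `communicate()` as input. These calls should read `self._run_in_env(args, extra_env=env)`, as `num_princs()` and `list_princs()` already do. The two `raise Exception("klist ... failed: %d: %s\n", retval, err)` statements pass the values as extra constructor arguments instead of formatting them, so the message is never interpolated; apply `%` with `(retval, err)`. `num_princs()` returns `len(outlines) - 2`, which goes negative when klist prints fewer than two lines; `max(0, len(outlines) - 2)` avoids that.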
@@ -0,0 +1,188 @@ +# +# LDAP modlist generation +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + + +def user(base_dn, uid, uidNumber, gidNumber, + userPassword=None, + gecos=None, + homeDirectory=None, + loginShell=None, + cn=None, + sn=None, + sshPubKey=(), + mail=None): + """ + Generate an RFC2307(bis) user add-modlist for passing to ldap.add* + """ + uidNumber = str(uidNumber).encode('utf-8') + gidNumber = str(gidNumber).encode('utf-8') + user = ( + "uid=" + uid + ",ou=Users," + base_dn, + [ + ('objectClass', [b'top', b'inetOrgPerson', + b'posixAccount', b'ldapPublicKey']), + ('cn', [uidNumber if cn is None else cn.encode('utf-8')]), + ('sn', [b'User' if sn is None else sn.encode('utf-8')]), + ('uidNumber', [uidNumber]), + ('gidNumber', [gidNumber]), + ('userPassword', [b'Password' + uidNumber + if userPassword is None + else userPassword.encode('utf-8')]), + ('homeDirectory', [b'/home/' + uid.encode('utf-8') + if homeDirectory is None + else homeDirectory.encode('utf-8')]), + ('loginShell', [b'/bin/bash' + if loginShell is None + else loginShell.encode('utf-8')]), + ] + ) + if gecos is not None: + user[1].append(('gecos', [gecos.encode('utf-8')])) + if len(sshPubKey) > 0: + pubkeys = [key.encode('utf-8') for key in sshPubKey] + user[1].append(('sshPublicKey', pubkeys)) + if mail is not None: + user[1].append(('mail', [mail.encode('utf-8')])) + return user + + +def group(base_dn, cn, gidNumber, 
member_uids=()): + """ + Generate an RFC2307 group add-modlist for passing to ldap.add*. + """ + gidNumber = str(gidNumber).encode('utf-8') + attr_list = [ + ('objectClass', [b'top', b'posixGroup']), + ('gidNumber', [gidNumber]) + ] + if len(member_uids) > 0: + mem_uids = [member.encode('utf-8') for member in member_uids] + attr_list.append(('memberUid', mem_uids)) + return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list) + + +def group_bis(base_dn, cn, gidNumber, member_uids=(), member_gids=()): + """ + Generate an RFC2307bis group add-modlist for passing to ldap.add*. + """ + gidNumber = str(gidNumber).encode('utf-8') + attr_list = [ + ('objectClass', [b'top', b'extensibleObject', b'groupOfNames']), + ('gidNumber', [gidNumber]) + ] + member_list = [] + for uid in member_uids: + member_list.append("uid=" + uid + ",ou=Users," + base_dn) + for gid in member_gids: + member_list.append("cn=" + gid + ",ou=Groups," + base_dn) + if len(member_list) > 0: + mem_list = [member.encode('utf-8') for member in member_list] + attr_list.append(('member', mem_list)) + return ("cn=" + cn + ",ou=Groups," + base_dn, attr_list) + + +def netgroup(base_dn, cn, triples=(), members=()): + """ + Generate an RFC2307bis netgroup add-modlist for passing to ldap.add*. 
+ """ + attr_list = [ + ('objectClass', [b'top', b'nisNetgroup']) + ] + if triples: + triples = [triple.encode('utf-8') for triple in triples] + attr_list.append(('nisNetgroupTriple', triples)) + if members: + members = [member.encode('utf-8') for member in members] + attr_list.append(('memberNisNetgroup', members)) + return ("cn=" + cn + ",ou=Netgroups," + base_dn, attr_list) + + +def sudo_rule(base_dn, name, users=(), hosts=(), commands=()): + """ + Generate a sudo rule for passing to ldap.add* + """ + attr_list = [ + ('objectClass', [b'top', b'sudoRole']), + ('cn', [name.encode('utf-8')]) + ] + + if len(users) > 0: + sudo_user_list = [u.encode('utf-8') for u in users] + attr_list.append(('sudoUser', sudo_user_list)) + if len(hosts) > 0: + sudo_host_list = [h.encode('utf-8') for h in hosts] + attr_list.append(('sudoHost', sudo_host_list)) + if len(commands) > 0: + sudo_command_list = [cmd.encode('utf-8') for cmd in commands] + attr_list.append(('sudoCommand', sudo_command_list)) + return ("cn=" + name + ",ou=sudoers," + base_dn, attr_list) + + +class List(list): + """LDAP add-modlist list""" + + def __init__(self, base_dn): + self.base_dn = base_dn + + def add_user(self, uid, uidNumber, gidNumber, + base_dn=None, + userPassword=None, + gecos=None, + homeDirectory=None, + loginShell=None, + cn=None, + sn=None, + sshPubKey=(), + mail=None): + """Add an RFC2307(bis) user add-modlist.""" + self.append(user(base_dn or self.base_dn, + uid, uidNumber, gidNumber, + userPassword=userPassword, + gecos=gecos, + homeDirectory=homeDirectory, + loginShell=loginShell, + cn=cn, + sn=sn, + sshPubKey=sshPubKey, + mail=mail)) + + def add_group(self, cn, gidNumber, member_uids=[], + base_dn=None): + """Add an RFC2307 group add-modlist.""" + self.append(group(base_dn or self.base_dn, + cn, gidNumber, member_uids)) + + def add_group_bis(self, cn, gidNumber, + member_uids=[], member_gids=[], + base_dn=None): + """Add an RFC2307bis group add-modlist.""" + self.append(group_bis(base_dn 
or self.base_dn, + cn, gidNumber, + member_uids, member_gids)) + + def add_netgroup(self, cn, triples=(), members=(), base_dn=None): + """Add an RFC2307bis netgroup add-modlist.""" + self.append(netgroup(base_dn or self.base_dn, + cn, triples, members)) + + def add_sudo_rule(self, name, + users=(), hosts=(), commands=(), + base_dn=None): + self.append(sudo_rule(base_dn or self.base_dn, + name, users, hosts, commands)) diff --git a/src/tests/intg/ldap_local_override_test.py b/src/tests/intg/ldap_local_override_test.py new file mode 100644 index 0000000..249c07a --- /dev/null +++ b/src/tests/intg/ldap_local_override_test.py 
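Review bot: The DNs in `user`, `group`, `group_bis`, `netgroup` and `sudo_rule` are built by plain concatenation (for example `"uid=" + uid + ",ou=Users," + base_dn`), so a name containing `,`, `+`, `=` or a leading `#` alters the DN structure instead of being treated as an attribute value. The inputs are test-controlled, so this mainly limits fixtures with unusual names, but the same applies to the member DNs that `group_bis` stores in `member`. If python-ldap is importable from this module (the docstrings say the result is passed to `ldap.add*`), escaping the RDN value would close the gap: `"uid=" + ldap.dn.escape_dn_chars(uid) + ",ou=Users," + base_dn`, with `import ldap.dn` at the top of the file. Separately, `List.add_group` and `List.add_group_bis` use `member_uids=[]` / `member_gids=[]` defaults where the module-level functions use `()`; tuples would be consistent and avoid shared mutable defaults.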
@@ -0,0 +1,1120 @@ +# +# integration test for sss_override tool +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Pavel Reichl +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import ent +import grp +import pwd +import config +import signal +import subprocess +import time +import pytest +import ds_openldap +import ldap_ent +import sssd_id +from util import unindent + +try: + from subprocess import check_output +except ImportError: + # In Python 2.6, the module subprocess does not have the function + # check_output. This is a fallback implementation. 
+ def check_output(*popenargs, **kwargs): + if 'stdout' in kwargs: + raise ValueError('stdout argument not allowed, it will be ' + 'overridden.') + process = subprocess.Popen(stdout=subprocess.PIPE, *popenargs, + **kwargs) + output, _ = process.communicate() + retcode = process.poll() + if retcode: + cmd = kwargs.get("args") + if cmd is None: + cmd = popenargs[0] + raise subprocess.CalledProcessError(retcode, cmd, output=output) + return output + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, 'dc=example,dc=com', + "cn=admin", "Secret123") + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_fixture(request, ldap_conn, ent_list): + """Add LDAP entries and add teardown for removing them""" + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + def teardown(): + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + request.addfinalizer(teardown) + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def stop_sssd(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def start_sssd(): + """Start sssd""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def restart_sssd(): + 
stop_sssd() + start_sssd() + + +def create_sssd_fixture(request): + """Start sssd and add teardown for stopping it and removing state""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +OVERRIDE_FILENAME = "export_file" + + +def prepare_sssd(request, ldap_conn, use_fully_qualified_names=False, + case_sensitive=True): + """Prepare SSSD with defaults""" + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + memcache_timeout = 1 + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + use_fully_qualified_names = {use_fully_qualified_names} + case_sensitive = {case_sensitive} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + def teardown(): + # remove user export file + try: + os.unlink(OVERRIDE_FILENAME) + except: + pass + request.addfinalizer(teardown) + + +# +# Common asserts for users +# + +def assert_user_default(): + + # Assert entries are not overriden + with pytest.raises(KeyError): + pwd.getpwnam('ov_user1') + with pytest.raises(KeyError): + pwd.getpwnam('ov_user1@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('ov_user2') + with pytest.raises(KeyError): + pwd.getpwnam('ov_user2@LDAP') + + user1 = dict(name='user1', passwd='*', uid=10001, gid=20001, + gecos='User Number 1', + dir='/home/user1', + shell='/bin/user1_shell') + user2 = dict(name='user2', passwd='*', uid=10002, gid=20001, + gecos='User Number 2', + dir='/home/user2', + shell='/bin/user2_shell') + + 
ent.assert_passwd_by_name('user1', user1) + ent.assert_passwd_by_name('user1@LDAP', user1) + + ent.assert_passwd_by_name('user2', user2) + ent.assert_passwd_by_name('user2@LDAP', user2) + + +def assert_user_overriden(override_name=True): + + if override_name: + name1 = "ov_user1" + name2 = "ov_user2" + else: + name1 = "user1" + name2 = "user2" + + user1 = dict(name=name1, passwd='*', uid=10010, gid=20010, + gecos='Overriden User 1', + dir='/home/ov/user1', + shell='/bin/ov_user1_shell') + + user2 = dict(name=name2, passwd='*', uid=10020, gid=20020, + gecos='Overriden User 2', + dir='/home/ov/user2', + shell='/bin/ov_user2_shell') + + ent.assert_passwd_by_name('user1', user1) + ent.assert_passwd_by_name('user1@LDAP', user1) + + if override_name: + ent.assert_passwd_by_name('ov_user1', user1) + ent.assert_passwd_by_name('ov_user1@LDAP', user1) + + ent.assert_passwd_by_name('user2', user2) + ent.assert_passwd_by_name('user2@LDAP', user2) + + if override_name: + ent.assert_passwd_by_name('ov_user2', user2) + ent.assert_passwd_by_name('ov_user2@LDAP', user2) + + +# +# Common fixtures for users +# + + +@pytest.fixture +def env_two_users_and_group(request, ldap_conn): + + prepare_sssd(request, ldap_conn) + + # Add entries + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 10001, 20001, + gecos='User Number 1', + loginShell='/bin/user1_shell', + homeDirectory='/home/user1') + + ent_list.add_user("user2", 10002, 20001, + gecos='User Number 2', + loginShell='/bin/user2_shell', + homeDirectory='/home/user2') + + ent_list.add_group("group", 2001, + ["user2", "user1"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + + # Assert entries are not overriden + assert_user_default() + + +@pytest.fixture +def env_two_users_and_group_overriden(request, ldap_conn, + env_two_users_and_group): + + # Override + subprocess.check_call(["sss_override", "user-add", "user1", + "-u", "10010", + "-g", "20010", + "-n", "ov_user1", + "-c", "Overriden User 1", 
+ "-h", "/home/ov/user1", + "-s", "/bin/ov_user1_shell"]) + + subprocess.check_call(["sss_override", "user-add", "user2@LDAP", + "-u", "10020", + "-g", "20020", + "-n", "ov_user2", + "-c", "Overriden User 2", + "-h", "/home/ov/user2", + "-s", "/bin/ov_user2_shell"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + # Assert entries are overriden + assert_user_overriden() + + +# +# Simple user override +# + + +@pytest.fixture +def env_simple_user_override(request, ldap_conn, env_two_users_and_group): + + # Override + subprocess.check_call(["sss_override", "user-add", "user1", + "-u", "10010", + "-g", "20010", + "-n", "ov_user1", + "-c", "Overriden User 1", + "-h", "/home/ov/user1", + "-s", "/bin/ov_user1_shell"]) + + subprocess.check_call(["sss_override", "user-add", "user2@LDAP", + "-u", "10020", + "-g", "20020", + "-n", "ov_user2", + "-c", "Overriden User 2", + "-h", "/home/ov/user2", + "-s", "/bin/ov_user2_shell"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + +def test_simple_user_override(ldap_conn, env_simple_user_override): + """Test entries are overriden""" + + assert_user_overriden() + + +# +# Root user override +# + + +@pytest.fixture +def env_root_user_override(request, ldap_conn, env_two_users_and_group): + + # Assert entries are not overriden + ent.assert_passwd_by_name( + 'root', + dict(name='root', uid=0, gid=0)) + + ent.assert_passwd_by_uid(0, dict(name="root")) + + # Override + subprocess.check_call(["sss_override", "user-add", "user1", + "-u", "0", + "-g", "0", + "-n", "ov_user1", + "-c", "Overriden User 1", + "-h", "/home/ov/user1", + "-s", "/bin/ov_user1_shell"]) + + subprocess.check_call(["sss_override", "user-add", "user2", + "-u", "10020", + "-g", "20020", + "-n", "root", + "-c", "Overriden User 2", + "-h", "/home/ov/user2", + "-s", "/bin/ov_user2_shell"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + +def test_root_user_override(ldap_conn, env_root_user_override): 
+ """Test entries are not overriden to root""" + + # Override does not have to happen completly, trying to set uid or gid + # to 0 is simply ignored. + ent.assert_passwd_by_name( + 'ov_user1', + dict(name='ov_user1', passwd='*', uid=10001, gid=20001, + gecos='Overriden User 1', + dir='/home/ov/user1', + shell='/bin/ov_user1_shell')) + + # We can create override with name root. This test is just for tracking + # that this particular behavior won't change. + ent.assert_passwd_by_name( + 'user2', + dict(name='root', passwd='*', uid=10020, gid=20020, + gecos='Overriden User 2', + dir='/home/ov/user2', + shell='/bin/ov_user2_shell')) + + ent.assert_passwd_by_uid(0, dict(name="root")) + + +# +# Override replaces previous override +# + + +@pytest.fixture +def env_replace_user_override(request, ldap_conn): + + prepare_sssd(request, ldap_conn) + + # Add entries + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 10001, 20001, + gecos='User Number 1', + loginShell='/bin/user1_shell', + homeDirectory='/home/user1') + + create_ldap_fixture(request, ldap_conn, ent_list) + + # Assert entries are not overriden + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=10001, gid=20001, + gecos='User Number 1', + dir='/home/user1', + shell='/bin/user1_shell')) + + # Override + subprocess.check_call(["sss_override", "user-add", "user1", + "-u", "10010", + "-g", "20010", + "-n", "ov_user1", + "-c", "Overriden User 1", + "-h", "/home/ov/user1", + "-s", "/bin/ov_user1_shell"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + # Assert entries are overriden + ent.assert_passwd_by_name( + 'user1', + dict(name='ov_user1', passwd='*', uid=10010, gid=20010, + gecos='Overriden User 1', + dir='/home/ov/user1', + shell='/bin/ov_user1_shell')) + + # Override of override + subprocess.check_call(["sss_override", "user-add", "user1", + "-u", "10100", + "-g", "20100", + "-n", "ov2_user1", + "-c", "Overriden2 User 1", + "-h", 
"/home/ov2/user1", + "-s", "/bin/ov2_user1_shell"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + +def test_replace_user_override(ldap_conn, env_replace_user_override): + + user = dict(name='ov2_user1', passwd='*', uid=10100, gid=20100, + gecos='Overriden2 User 1', + dir='/home/ov2/user1', + shell='/bin/ov2_user1_shell') + + ent.assert_passwd_by_name('ov2_user1', user) + ent.assert_passwd_by_name('ov2_user1@LDAP', user) + + with pytest.raises(KeyError): + pwd.getpwnam('ov_user1') + with pytest.raises(KeyError): + pwd.getpwnam('ov_user1@LDAP') + + +# +# Override removal +# + + +@pytest.fixture +def env_remove_user_override(request, ldap_conn, + env_two_users_and_group_overriden): + + # Drop all overrides + subprocess.check_call(["sss_override", "user-del", "user1"]) + subprocess.check_call(["sss_override", "user-del", "user2@LDAP"]) + + # Avoid hitting memory cache + time.sleep(2) + + +def test_remove_user_override(ldap_conn, env_remove_user_override): + + # Test entries are not overriden + assert_user_default() + + +# +# Override import/export +# + + +@pytest.fixture +def env_imp_exp_user_override(request, ldap_conn, + env_two_users_and_group_overriden): + + # Export overrides + subprocess.check_call(["sss_override", "user-export", OVERRIDE_FILENAME]) + + # Drop all overrides + subprocess.check_call(["sss_override", "user-del", "user1"]) + subprocess.check_call(["sss_override", "user-del", "user2@LDAP"]) + + # Avoid hitting memory cache + time.sleep(2) + + # Assert entries are not overridden + assert_user_default() + + # Import overrides + subprocess.check_call(["sss_override", "user-import", + OVERRIDE_FILENAME]) + restart_sssd() + + +def test_imp_exp_user_override(ldap_conn, env_imp_exp_user_override): + + assert_user_overriden() + + +# Regression test for bug 3179 + + +def test_imp_exp_user_overrride_noname(ldap_conn, + env_two_users_and_group): + + # Override + subprocess.check_call(["sss_override", "user-add", "user1", + "-u", 
"10010", + "-g", "20010", + "-c", "Overriden User 1", + "-h", "/home/ov/user1", + "-s", "/bin/ov_user1_shell"]) + + subprocess.check_call(["sss_override", "user-add", "user2@LDAP", + "-u", "10020", + "-g", "20020", + "-c", "Overriden User 2", + "-h", "/home/ov/user2", + "-s", "/bin/ov_user2_shell"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + # Assert entries are overriden + assert_user_overriden(override_name=False) + + # Export overrides + subprocess.check_call(["sss_override", "user-export", OVERRIDE_FILENAME]) + + # Drop all overrides + subprocess.check_call(["sss_override", "user-del", "user1"]) + subprocess.check_call(["sss_override", "user-del", "user2@LDAP"]) + + # Avoid hitting memory cache + time.sleep(2) + + # Assert entries are not overridden + assert_user_default() + + # Import overrides + subprocess.check_call(["sss_override", "user-import", + OVERRIDE_FILENAME]) + restart_sssd() + + assert_user_overriden(override_name=False) + + +# +# Override user-show +# + + +@pytest.fixture +def env_show_user_override(request, ldap_conn, + env_two_users_and_group_overriden): + pass + + +def test_show_user_override(ldap_conn, env_show_user_override): + + out = check_output(['sss_override', 'user-show', 'user1']).decode('utf-8') + assert out == "user1@LDAP:ov_user1:10010:20010:Overriden User 1:"\ + "/home/ov/user1:/bin/ov_user1_shell:\n" + + out = check_output(['sss_override', 'user-show', + 'user2@LDAP']).decode('utf-8') + assert out == "user2@LDAP:ov_user2:10020:20020:Overriden User 2:"\ + "/home/ov/user2:/bin/ov_user2_shell:\n" + + # Return error on non-existing user + ret = subprocess.call(['sss_override', 'user-show', 'nonexisting_user']) + assert ret == 1 + + +# +# Override user-find +# + + +@pytest.fixture +def env_find_user_override(request, ldap_conn, + env_two_users_and_group_overriden): + pass + + +def test_find_user_override(ldap_conn, env_find_user_override): + + out = check_output(['sss_override', 
'user-find']).decode('utf-8') + + # Expected override of users + exp_usr_ovrd = ['user1@LDAP:ov_user1:10010:20010:Overriden User 1:' + '/home/ov/user1:/bin/ov_user1_shell:', + 'user2@LDAP:ov_user2:10020:20020:Overriden User 2:' + '/home/ov/user2:/bin/ov_user2_shell:'] + + assert set(out.splitlines()) == set(exp_usr_ovrd) + + out = check_output(['sss_override', 'user-find', '--domain=LDAP']) + + assert set(out.decode('utf-8').splitlines()) == set(exp_usr_ovrd) + + # Unexpected parameter is reported + ret = subprocess.call(['sss_override', 'user-find', 'PARAM']) + assert ret == 1 + + +# +# Group tests +# + + +# +# Common group asserts +# + +def assert_group_overriden(override_name=True): + + # Assert entries are overridden + empty_group = dict(gid=3002, mem=ent.contains_only()) + group = dict(gid=3001, mem=ent.contains_only("user1", "user2")) + + ent.assert_group_by_name("group", group) + ent.assert_group_by_name("group@LDAP", group) + + if override_name: + ent.assert_group_by_name("ov_group", group) + ent.assert_group_by_name("ov_group@LDAP", group) + + ent.assert_group_by_name("empty_group", empty_group) + ent.assert_group_by_name("empty_group@LDAP", empty_group) + + if override_name: + ent.assert_group_by_name("ov_empty_group", empty_group) + ent.assert_group_by_name("ov_empty_group@LDAP", empty_group) + + +def assert_group_default(): + + # Assert entries are not overridden + with pytest.raises(KeyError): + pwd.getpwnam('ov_group') + with pytest.raises(KeyError): + pwd.getpwnam('ov_group@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('ov_empty_group') + with pytest.raises(KeyError): + pwd.getpwnam('ov_empty_group@LDAP') + + empty_group = dict(gid=2002, mem=ent.contains_only()) + group = dict(gid=2001, mem=ent.contains_only("user1", "user2")) + + ent.assert_group_by_name("group", group) + ent.assert_group_by_name("group@LDAP", group) + ent.assert_group_by_name("empty_group", empty_group) + ent.assert_group_by_name("empty_group@LDAP", empty_group) + + +# +# 
Common fixtures for groups +# + + +@pytest.fixture +def env_group_basic(request, ldap_conn): + prepare_sssd(request, ldap_conn) + + # Add entries + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 10001, 20001, + gecos='User Number 1', + loginShell='/bin/user1_shell', + homeDirectory='/home/user1') + + ent_list.add_user("user2", 10002, 20001, + gecos='User Number 2', + loginShell='/bin/user2_shell', + homeDirectory='/home/user2') + + ent_list.add_group("group", 2001, + ["user2", "user1"]) + ent_list.add_group("empty_group", 2002, []) + + create_ldap_fixture(request, ldap_conn, ent_list) + + # Assert entries are not overriden + with pytest.raises(KeyError): + pwd.getpwnam('ov_group') + with pytest.raises(KeyError): + pwd.getpwnam('ov_group@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('ov_empty_group') + with pytest.raises(KeyError): + pwd.getpwnam('ov_empty_group@LDAP') + + +@pytest.fixture +def env_group_override(request, ldap_conn, env_group_basic): + + # Override + subprocess.check_call(["sss_override", "group-add", "group", + "-n", "ov_group", + "-g", "3001"]) + + subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP", + "--name", "ov_empty_group", + "--gid", "3002"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + # Assert entries are overridden + assert_group_overriden() + + +# +# Simple group override +# + + +@pytest.fixture +def env_simple_group_override(request, ldap_conn, env_group_basic): + + # Override + subprocess.check_call(["sss_override", "group-add", "group", + "-n", "ov_group", + "-g", "3001"]) + + subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP", + "--name", "ov_empty_group", + "--gid", "3002"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + +def test_simple_group_override(ldap_conn, env_simple_group_override): + """Test entries are overriden""" + + assert_group_overriden() + + +# +# Root group override +# + + 
+@pytest.fixture +def env_root_group_override(request, ldap_conn, env_group_basic): + + # Override + subprocess.check_call(["sss_override", "group-add", "group", + "-n", "ov_group", + "-g", "0"]) + + subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP", + "--name", "ov_empty_group", + "--gid", "0"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + +def test_root_group_override(ldap_conn, env_root_group_override): + """Test entries are overriden""" + + group = dict(gid=2001, mem=ent.contains_only("user1", "user2")) + empty_group = dict(gid=2002, mem=ent.contains_only()) + + ent.assert_group_by_name("group", group) + ent.assert_group_by_name("ov_group", group) + ent.assert_group_by_name("group@LDAP", group) + ent.assert_group_by_name("ov_group@LDAP", group) + ent.assert_group_by_name("empty_group", empty_group) + ent.assert_group_by_name("ov_empty_group", empty_group) + ent.assert_group_by_name("empty_group@LDAP", empty_group) + ent.assert_group_by_name("ov_empty_group@LDAP", empty_group) + + +# +# Replace group override +# + + +@pytest.fixture +def env_replace_group_override(request, ldap_conn, env_group_override): + + # Override of override + subprocess.check_call(["sss_override", "group-add", "group", + "-n", "ov2_group", + "-g", "4001"]) + + subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP", + "--name", "ov2_empty_group", + "--gid", "4002"]) + + # Restart SSSD so the override might take effect + restart_sssd() + + +def test_replace_group_override(ldap_conn, env_replace_group_override): + + # Test overrides are overridden + with pytest.raises(KeyError): + pwd.getpwnam('ov_group') + with pytest.raises(KeyError): + pwd.getpwnam('ov_group@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('ov_empty_group') + with pytest.raises(KeyError): + pwd.getpwnam('ov_empty_group@LDAP') + + group = dict(gid=4001, mem=ent.contains_only("user1", "user2")) + empty_group = dict(gid=4002, mem=ent.contains_only()) + + 
ent.assert_group_by_name("group", group) + ent.assert_group_by_name("ov2_group", group) + ent.assert_group_by_name("group@LDAP", group) + ent.assert_group_by_name("ov2_group@LDAP", group) + + ent.assert_group_by_name("empty_group", empty_group) + ent.assert_group_by_name("empty_group@LDAP", empty_group) + ent.assert_group_by_name("ov2_empty_group", empty_group) + ent.assert_group_by_name("ov2_empty_group@LDAP", empty_group) + + +# +# Remove group override +# + + +@pytest.fixture +def env_remove_group_override(request, ldap_conn, env_group_override): + + # Drop all overrides + subprocess.check_call(["sss_override", "group-del", "group"]) + subprocess.check_call(["sss_override", "group-del", "empty_group@LDAP"]) + + # Avoid hitting memory cache + time.sleep(2) + + +def test_remove_group_override(ldap_conn, env_remove_group_override): + + # Test overrides were dropped + assert_group_default() + + +# +# Overridde group import/export +# + + +@pytest.fixture +def env_imp_exp_group_override(request, ldap_conn, env_group_override): + + # Export overrides + subprocess.check_call(["sss_override", "group-export", + OVERRIDE_FILENAME]) + + # Drop all overrides + subprocess.check_call(["sss_override", "group-del", "group"]) + subprocess.check_call(["sss_override", "group-del", "empty_group@LDAP"]) + + # Avoid hitting memory cache + time.sleep(2) + + assert_group_default() + + # Import overrides + subprocess.check_call(["sss_override", "group-import", + OVERRIDE_FILENAME]) + restart_sssd() + + +def test_imp_exp_group_override(ldap_conn, env_imp_exp_group_override): + + assert_group_overriden() + + +# Regression test for bug 3179 + + +def test_imp_exp_group_override_noname(ldap_conn, env_group_basic): + + # Override - do not use -n here) + subprocess.check_call(["sss_override", "group-add", "group", + "-g", "3001"]) + + subprocess.check_call(["sss_override", "group-add", "empty_group@LDAP", + "--gid", "3002"]) + + # Restart SSSD so the override might take effect + restart_sssd() 
+ + # Assert entries are overridden + assert_group_overriden(override_name=False) + + # Export overrides + subprocess.check_call(["sss_override", "group-export", + OVERRIDE_FILENAME]) + + # Drop all overrides + subprocess.check_call(["sss_override", "group-del", "group"]) + subprocess.check_call(["sss_override", "group-del", "empty_group@LDAP"]) + + # Avoid hitting memory cache + time.sleep(2) + + assert_group_default() + + # Import overrides + subprocess.check_call(["sss_override", "group-import", + OVERRIDE_FILENAME]) + restart_sssd() + + assert_group_overriden(override_name=False) + + +# Regression test for bug #2802 +# sss_override segfaults when accidentally adding --help flag to some commands + + +@pytest.fixture +def env_regr_2802_override(request, ldap_conn): + + prepare_sssd(request, ldap_conn) + + +def test_regr_2802_override(ldap_conn, env_regr_2802_override): + + subprocess.check_call(["sss_override", "user-del", "--help"]) + + +# Regression test for bug #2757 +# sss_override does not work correctly when 'use_fully_qualified_names = True' + + +@pytest.fixture +def env_regr_2757_override(request, ldap_conn): + + prepare_sssd(request, ldap_conn, use_fully_qualified_names=True) + + # Add entries + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 10001, 20001) + + create_ldap_fixture(request, ldap_conn, ent_list) + + # Assert entries are not overridden + ent.assert_passwd_by_name( + 'user1@LDAP', + dict(name='user1@LDAP', passwd='*', uid=10001, gid=20001)) + with pytest.raises(KeyError): + pwd.getpwnam('alias1') + with pytest.raises(KeyError): + pwd.getpwnam('alias1@LDAP') + + # Override + subprocess.check_call(["sss_override", "user-add", "user1@LDAP", + "-n", "alias1"]) + restart_sssd() + + +def test_regr_2757_override(ldap_conn, env_regr_2757_override): + + # Assert entries are overridden + ent.assert_passwd_by_name( + 'user1@LDAP', + dict(name='alias1@LDAP', passwd='*', uid=10001, gid=20001)) + ent.assert_passwd_by_name( 
+ 'alias1@LDAP', + dict(name='alias1@LDAP', passwd='*', uid=10001, gid=20001)) + + with pytest.raises(KeyError): + pwd.getpwnam('user1') + with pytest.raises(KeyError): + pwd.getpwnam('alias1') + + +# Regression test for bug #2790 +# sss_override --name doesn't work with RFC2307 and ghost users + + +@pytest.fixture +def env_regr_2790_override(request, ldap_conn): + + prepare_sssd(request, ldap_conn) + + # Add entries + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 10001, 20001) + ent_list.add_user("user2", 10002, 20002) + ent_list.add_group("group1", 2001, + ["user1", "user2"]) + ent_list.add_group("group2", 2002, + ["user2"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + + # Assert entries are not overridden + with pytest.raises(KeyError): + pwd.getpwnam('alias1') + with pytest.raises(KeyError): + pwd.getpwnam('alias1@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('alias2') + with pytest.raises(KeyError): + pwd.getpwnam('alias2@LDAP') + + # Override + subprocess.check_call(["sss_override", "user-add", "user1", + "-n", "alias1"]) + subprocess.check_call(["sss_override", "user-add", "user2", + "-n", "alias2"]) + + restart_sssd() + + +def test_regr_2790_override(ldap_conn, env_regr_2790_override): + + # Assert entries are overridden + (res, errno, grp_list) = sssd_id.get_user_groups("alias1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1 %d" % errno + assert sorted(grp_list) == sorted(["20001", "group1"]) + + (res, errno, grp_list) = sssd_id.get_user_groups("alias2") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user2 %d" % errno + assert sorted(grp_list) == sorted(["20002", "group1", "group2"]) + + +# Test fully qualified and case-insensitive names +@pytest.fixture +def env_mix_cased_name_override(request, ldap_conn): + """Setup test for mixed case names""" + + prepare_sssd(request, ldap_conn, True, False) + + # Add entries + ent_list = 
ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 10001, 20001) + ent_list.add_user("uSeR2", 10002, 20002) + + create_ldap_fixture(request, ldap_conn, ent_list) + + pwd.getpwnam('user1@LDAP') + pwd.getpwnam('user2@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('ov_user1@LDAP') + with pytest.raises(KeyError): + pwd.getpwnam('ov_user2@LDAP') + + # Override + subprocess.check_call(["sss_override", "user-add", "user1@LDAP", + "-u", "10010", + "-g", "20010", + "-n", "ov_user1", + "-c", "Overriden User 1", + "-h", "/home/ov/user1", + "-s", "/bin/ov_user1_shell"]) + + subprocess.check_call(["sss_override", "user-add", "user2@LDAP", + "-u", "10020", + "-g", "20020", + "-n", "ov_user2", + "-c", "Overriden User 2", + "-h", "/home/ov/user2", + "-s", "/bin/ov_user2_shell"]) + + restart_sssd() + + +def test_mix_cased_name_override(ldap_conn, env_mix_cased_name_override): + """Test if names with upper and lower case letter are overridden""" + + # Assert entries are overridden + user1 = dict(name='ov_user1@LDAP', passwd='*', uid=10010, gid=20010, + gecos='Overriden User 1', + dir='/home/ov/user1', + shell='/bin/ov_user1_shell') + + user2 = dict(name='ov_user2@LDAP', passwd='*', uid=10020, gid=20020, + gecos='Overriden User 2', + dir='/home/ov/user2', + shell='/bin/ov_user2_shell') + + ent.assert_passwd_by_name('user1@LDAP', user1) + ent.assert_passwd_by_name('ov_user1@LDAP', user1) + + ent.assert_passwd_by_name('user2@LDAP', user2) + ent.assert_passwd_by_name('ov_user2@LDAP', user2) diff --git a/src/tests/intg/secrets.py b/src/tests/intg/secrets.py new file mode 100644 index 0000000..5d4c0e2 --- /dev/null +++ b/src/tests/intg/secrets.py 
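Review bot: The negative checks for group overrides call `pwd.getpwnam(...)` on group names (`ov_group`, `ov_empty_group` and their `@LDAP` forms) in `assert_group_default`, `env_group_basic` and `test_replace_group_override`, so the expected `KeyError` is raised whether or not the group override still resolves. These lookups go to the passwd database, and no user with those names is created in the visible fixtures; the group database is never queried, and the imported `grp` module appears unused in this file. Each block should read `with pytest.raises(KeyError):` followed by `grp.getgrnam('ov_group')`, so that a stale override after `group-del`, or a replaced override that still answers, fails the test. Separately, `create_conf_fixture` writes the contents before `os.chmod` narrows the file to owner-only. Opening it with `os.open(config.CONF_PATH, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` and wrapping the descriptor with `os.fdopen` would ensure a newly created file is never readable by others.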
@@ -0,0 +1,137 @@ +# +# Secrets responder test client +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import socket +import requests + +from requests.adapters import HTTPAdapter +from requests.packages.urllib3.connection import HTTPConnection +from requests.packages.urllib3.connectionpool import HTTPConnectionPool +from requests.compat import quote, unquote, urlparse + + +class HTTPUnixConnection(HTTPConnection): + def __init__(self, host, timeout=60, **kwargs): + super(HTTPUnixConnection, self).__init__('localhost') + self.unix_socket = host + self.timeout = timeout + + def connect(self): + sock = socket.socket(family=socket.AF_UNIX) + sock.settimeout(self.timeout) + sock.connect(self.unix_socket) + self.sock = sock + + +class HTTPUnixConnectionPool(HTTPConnectionPool): + scheme = 'http+unix' + ConnectionCls = HTTPUnixConnection + + +class HTTPUnixAdapter(HTTPAdapter): + def get_connection(self, url, proxies=None): + # proxies, silently ignored + path = unquote(urlparse(url).netloc) + return HTTPUnixConnectionPool(path) + + +class SecretsHttpClient(object): + secrets_sock_path = '/var/run/secrets.socket' + secrets_container = 'secrets' + + def __init__(self, content_type='application/json', sock_path=None): + if sock_path is None: + sock_path = self.secrets_sock_path + + self.content_type = content_type + self.session = requests.Session() + self.session.mount('http+unix://', HTTPUnixAdapter()) + self.headers = 
dict({'Content-Type': content_type}) + self.url = 'http+unix://' + \ + quote(sock_path, safe='') + \ + '/' + \ + self.secrets_container + self._last_response = None + + def _join_url(self, resource): + path = self.url.rstrip('/') + '/' + if resource is not None: + path = path + resource.lstrip('/') + return path + + def _add_headers(self, **kwargs): + headers = kwargs.get('headers', None) + if headers is None: + headers = dict() + headers.update(self.headers) + return headers + + def _request(self, cmd, path, **kwargs): + self._last_response = None + url = self._join_url(path) + kwargs['headers'] = self._add_headers(**kwargs) + self._last_response = cmd(url, **kwargs) + return self._last_response + + @property + def last_response(self): + return self._last_response + + def get(self, path, **kwargs): + return self._request(self.session.get, path, **kwargs) + + def list(self, **kwargs): + return self._request(self.session.get, None, **kwargs) + + def put(self, name, **kwargs): + return self._request(self.session.put, name, **kwargs) + + def delete(self, name, **kwargs): + return self._request(self.session.delete, name, **kwargs) + + def post(self, name, **kwargs): + return self._request(self.session.post, name, **kwargs) + + +class SecretsLocalClient(SecretsHttpClient): + def list_secrets(self): + res = self.list() + res.raise_for_status() + simple = res.json() + return simple + + def get_secret(self, name): + res = self.get(name) + res.raise_for_status() + simple = res.json() + ktype = simple.get("type", None) + if ktype != "simple": + raise TypeError("Invalid key type: %s" % ktype) + return simple["value"] + + def set_secret(self, name, value): + res = self.put(name, json={"type": "simple", "value": value}) + res.raise_for_status() + + def del_secret(self, name): + res = self.delete(name) + res.raise_for_status() + + def create_container(self, name): + res = self.post(name) + res.raise_for_status() 
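Review bot: In `_add_headers`, `headers.update(self.headers)` writes into the dict the caller passed and lets the client default win, so a per-call `Content-Type` is silently replaced and the caller's dict is mutated. Copying first and applying the caller's values last keeps both intact: `headers = dict(self.headers)` followed by `headers.update(kwargs.get('headers') or {})`. `HTTPUnixAdapter.get_connection` also builds a new `HTTPUnixConnectionPool` on every call, so connections are presumably never reused; a short comment saying this is intentional for the test client would help.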
diff --git a/src/tests/intg/sssd_group.py b/src/tests/intg/sssd_group.py
new file mode 100644
index 0000000..adfdc67
--- /dev/null
+++ b/src/tests/intg/sssd_group.py
@@ -0,0 +1,131 @@ +# +# Module for simulation of utility "getent group -s sss" from coreutils +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from ctypes import (c_int, c_char_p, c_ulong, POINTER, Structure, + create_string_buffer) +from sssd_nss import NssReturnCode, SssdNssError, nss_sss_ctypes_loader + +GROUP_BUFLEN = 1024 + + +class Group(Structure): + _fields_ = [("gr_name", c_char_p), + ("gr_passwd", c_char_p), + ("gr_gid", c_int), + ("gr_mem", POINTER(c_char_p))] + + +def getgrnam_r(name, result_p, buffer_p, buflen): + """ + ctypes wrapper for: + enum nss_status _nss_sss_getgrnam_r(const char *name, + struct group *result, + char *buffer, + size_t buflen, + int *errnop) + """ + func = nss_sss_ctypes_loader("_nss_sss_getgrnam_r") + func.restype = c_int + func.argtypes = [c_char_p, POINTER(Group), + c_char_p, c_ulong, POINTER(c_int)] + + errno = POINTER(c_int)(c_int(0)) + + name = name.encode('utf-8') + res = func(c_char_p(name), result_p, buffer_p, buflen, errno) + + return (int(res), int(errno[0]), result_p) + + +def getgrgid_r(gid, result_p, buffer_p, buflen): + """ + ctypes wrapper for: + enum nss_status _nss_sss_getgrgid_r(gid_t gid, + struct passwd *result, + char *buffer, + size_t buflen, + int *errnop) + """ + func = nss_sss_ctypes_loader("_nss_sss_getgrgid_r") + func.restype = c_int + func.argtypes = [c_ulong, POINTER(Group), + c_char_p, c_ulong, POINTER(c_int)] + + errno = POINTER(c_int)(c_int(0)) + + res = 
func(gid, result_p, buffer_p, buflen, errno) + + return (int(res), int(errno[0]), result_p) + + +def set_group_dict(res, result_p): + if res != NssReturnCode.SUCCESS: + return dict() + + group_dict = dict() + group_dict['name'] = result_p[0].gr_name.decode('utf-8') + group_dict['gid'] = result_p[0].gr_gid + group_dict['mem'] = list() + + i = 0 + while result_p[0].gr_mem[i] is not None: + grp_name = result_p[0].gr_mem[i].decode('utf-8') + group_dict['mem'].append(grp_name) + i = i+1 + + return group_dict + + +def call_sssd_getgrnam(name): + """ + A Python wrapper to retrieve a group by name. Returns: + (res, group_dict) + if res is NssReturnCode.SUCCESS, then group_dict contains the keys + corresponding to the C passwd structure fields. Otherwise, the dictionary + is empty and errno indicates the error code + """ + result = Group() + result_p = POINTER(Group)(result) + buff = create_string_buffer(GROUP_BUFLEN) + + res, errno, result_p = getgrnam_r(name, result_p, buff, GROUP_BUFLEN) + if errno != 0: + raise SssdNssError(errno, "getgrnam_r") + + group_dict = set_group_dict(res, result_p) + return res, group_dict + + +def call_sssd_getgrgid(gid): + """ + A Python wrapper to retrieve a group by GID. Returns: + (res, group_dict) + if res is NssReturnCode.SUCCESS, then group_dict contains the keys + corresponding to the C passwd structure fields. Otherwise, the dictionary + is empty and errno indicates the error code + """ + result = Group() + result_p = POINTER(Group)(result) + buff = create_string_buffer(GROUP_BUFLEN) + + res, errno, result_p = getgrgid_r(gid, result_p, buff, GROUP_BUFLEN) + if errno != 0: + raise SssdNssError(errno, "getgrgid_r") + + group_dict = set_group_dict(res, result_p) + return res, group_dict diff --git a/src/tests/intg/sssd_id.py b/src/tests/intg/sssd_id.py new file mode 100644 index 0000000..f4ab9cf --- /dev/null +++ b/src/tests/intg/sssd_id.py 
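Review bot: The ctypes declarations do not match the C types they wrap: `Group.gr_gid` is `c_int` and `getgrgid_r` passes the gid as `c_ulong`, while `gid_t` is an unsigned 32-bit value on Linux (sssd_id.py in this same patch uses `c_uint32` for it). A GID above 2^31 would come back negative from `set_group_dict`, and the `c_ulong` argument only works where the calling convention tolerates the width mismatch. Suggest `("gr_gid", c_uint32)` and `c_uint32` as the first entry of `func.argtypes` in `getgrgid_r`, with `c_uint32` added to the ctypes import. The same applies to `Passwd.pw_uid`/`pw_gid` and `getpwuid_r` in sssd_passwd.py. The `getgrgid_r` docstring also says `struct passwd *result` where the wrapped function takes a `struct group *`.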
@@ -0,0 +1,129 @@ +# +# Module for simulation of utility "id" from coreutils +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Lukas Slebodnik +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import config +import pwd +import grp +from ctypes import (cdll, c_int, c_char, c_uint32, c_long, c_char_p, + POINTER, pointer) +from sssd_nss import NssReturnCode, nss_sss_ctypes_loader + + +def call_sssd_initgroups(user, gid): + """ + Function will initialize the supplementary group access list + for given user. It will gather groups only provided by sssd. + + Arguments are the same as for C function initgroups + @param string user name of user + @param int gid the additional gid will be also added to the list. + + @return (int, int, List[int]) (err, errno, gids) + gids should contain user group IDs if err is NssReturnCode.SUCCESS + otherwise errno will contain non-zero value. 
+ """ + func = nss_sss_ctypes_loader('_nss_sss_initgroups_dyn') + + func.restype = c_int + func.argtypes = [POINTER(c_char), c_uint32, POINTER(c_long), + POINTER(c_long), POINTER(POINTER(c_uint32)), c_long, + POINTER(c_int)] + + start = POINTER(c_long)(c_long(0)) + size = POINTER(c_long)(c_long(0)) + groups = POINTER(c_uint32)() + p_groups = pointer(groups) + limit = c_long(-1) + errno = POINTER(c_int)(c_int(0)) + + res = func(c_char_p(user.encode('utf-8)')), c_uint32(gid), start, size, + p_groups, limit, errno) + + gids = [] + if res == NssReturnCode.SUCCESS: + gids_count = size[0] + assert gids_count > 0, "_nss_sss_initgroups_dyn should return " \ + "one gid" + + for i in range(0, gids_count): + gids.append(int(p_groups.contents[i])) + + # add primary group if missing + if gid not in gids: + gids.append(gid) + + return (int(res), errno[0], gids) + + +def get_user_gids(user): + """ + Function will initialize the supplementary group access list + for given user. It will gather groups only provided by sssd. + + Arguments are the same as for C function initgroups + @param string user name of user + + @return (int, int, List[int]) (err, errno, gids) + gids should contain user group IDs if err is NssReturnCode.SUCCESS + otherwise errno will contain non-zero value. + """ + pwd_user = pwd.getpwnam(user) + uid = pwd_user.pw_uid + gid = pwd_user.pw_gid + + user = pwd.getpwuid(uid).pw_name + + return call_sssd_initgroups(user, gid) + + +def gid_to_str(gid): + """ + Function will map numeric GID into names. + If there isn't a group for GID (getgrgid failed) + then the function will return decimal representation of ID. + + @param int gid ID of groups which should be converted to string. + @return string name of group with requested ID or decimal + representation of ID + """ + try: + return grp.getgrgid(gid).gr_name + except KeyError: + return str(gid) + + +def get_user_groups(user): + """ + Function will initialize the supplementary group access list + for given user. 
It will gather groups only provided by sssd. + + Arguments are the same as for C function initgroups + @param string user name of user + + @return (int, int, List[string]) (err, errno, groups) + groups should contain names of user groups + if err is NssReturnCode.SUCCESS + otherwise errno will contain non-zero value. + """ + (res, errno, gids) = get_user_gids(user) + groups = [] + + if res == NssReturnCode.SUCCESS: + groups = [gid_to_str(gid) for gid in gids] + + return (res, errno, groups) diff --git a/src/tests/intg/sssd_ldb.py b/src/tests/intg/sssd_ldb.py new file mode 100644 index 0000000..7c6a5f4 --- /dev/null +++ b/src/tests/intg/sssd_ldb.py 
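Review bot: `call_sssd_initgroups` takes the number of returned groups from `size[0]`, but in the glibc `initgroups_dyn` interface `*size` is the allocated capacity of the array and `*start` is the count of entries filled in. The two coincide only if the module grows the array by exactly the number of results, which nothing in this file guarantees; otherwise reading `p_groups.contents[i]` up to `size[0]` could return uninitialized entries. Suggest `gids_count = start[0]`. Separately, `user.encode('utf-8)')` has a stray `)` inside the codec name and should be `user.encode('utf-8')`.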
@@ -0,0 +1,96 @@ +# +# SSSD integration test - access the ldb cache +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import ldb +import config +import subprocess + + +class CacheType(object): + sysdb = 1 + timestamps = 2 + + +class TsCacheEntry(object): + user = 1 + group = 2 + + +class SssdLdb(object): + def __init__(self, domain_name): + self._domain_name = domain_name + self._sysdb = self._create_dbconn(CacheType.sysdb, + domain_name) + self._timestamps = self._create_dbconn(CacheType.timestamps, + domain_name) + + def _create_dbconn(self, cache_type, domain_name): + if cache_type == CacheType.sysdb: + db_path = os.path.join(config.DB_PATH, + "cache_%s.ldb" % domain_name) + elif cache_type == CacheType.timestamps: + db_path = os.path.join(config.DB_PATH, + "timestamps_%s.ldb" % domain_name) + else: + raise ValueError("Unknown cache type\n") + + pyldb = ldb.Ldb() + pyldb.connect(db_path) + return pyldb + + def _get_dbconn(self, cache_type): + dbconn = None + if cache_type == CacheType.sysdb: + dbconn = self._sysdb + elif cache_type == CacheType.timestamps: + dbconn = self._timestamps + return dbconn + + def _entry_basedn(self, entry_type): + if entry_type == TsCacheEntry.user: + rdn = "users" + elif entry_type == TsCacheEntry.group: + rdn = "groups" + else: + raise ValueError("Unknown entry type\n") + return "cn=%s,cn=%s,cn=sysdb" % (rdn, self._domain_name) + + def _basedn(self, name, domain, entry_type): + return 
"name=%s@%s,%s" % (name, domain.lower(), + self._entry_basedn(entry_type)) + + def get_entry_attr(self, cache_type, entry_type, name, domain, attr): + dbconn = self._get_dbconn(cache_type) + basedn = self._basedn(name, domain, entry_type) + + res = dbconn.search(base=basedn, scope=ldb.SCOPE_BASE, attrs=[attr]) + if res.count != 1: + return None + + return res.msgs[0].get(attr).get(0) + + def invalidate_entry(self, name, entry_type, domain): + dbconn = self._get_dbconn(CacheType.timestamps) + + m = ldb.Message() + m.dn = ldb.Dn(dbconn, self._basedn(name, domain, entry_type)) + m["dataExpireTimestamp"] = ldb.MessageElement(str(1), + ldb.FLAG_MOD_REPLACE, + "dataExpireTimestamp") + dbconn.modify(m) diff --git a/src/tests/intg/sssd_netgroup.py b/src/tests/intg/sssd_netgroup.py new file mode 100644 index 0000000..571de96 --- /dev/null +++ b/src/tests/intg/sssd_netgroup.py 
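Review bot: `_get_dbconn` returns `None` for an unrecognised `cache_type`, unlike `_create_dbconn` and `_entry_basedn`, which raise `ValueError`; the caller then fails later with an `AttributeError` on `dbconn.search` or `ldb.Dn`. Adding `else: raise ValueError("Unknown cache type\n")` keeps the three helpers consistent. `get_entry_attr` has a similar gap: when the entry exists but lacks `attr`, `res.msgs[0].get(attr)` is presumably `None` and the chained `.get(0)` raises instead of returning `None`. `_basedn` also interpolates `name` into the DN unescaped, so a name containing `,` or `=` would address a different entry; a comment that callers must pass plain names would make that assumption explicit.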
@@ -0,0 +1,247 @@ +# +# Module for simulation of utility "getent netgroup -s sss" from coreutils +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Lukas Slebodnik +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +from ctypes import (cdll, c_int, c_char, c_char_p, c_size_t, c_void_p, c_ulong, + POINTER, Structure, Union, create_string_buffer, get_errno) +import config +from sssd_nss import NssReturnCode, nss_sss_ctypes_loader + + +class NetgroupType(object): + """ 'enum' class for type of netgroup """ + TRIPLE_VAL = 0 + GROUP_VAL = 1 + + +class Triple(Structure): + _fields_ = [("host", c_char_p), + ("user", c_char_p), + ("domain", c_char_p)] + + +class Val(Union): + _fields_ = [("triple", Triple), + ("group", c_char_p)] + + +class Idx(Union): + _fields_ = [("cursor", POINTER(c_char)), + ("position", c_ulong)] + + +class NameList(Structure): + pass + + +NameList._fields_ = [("next", POINTER(NameList)), + ("name", POINTER(c_char))] + + +class Netgrent(Structure): + _fields_ = [("type", c_int), + ("val", Val), + ("data", POINTER(c_char)), + ("data_size", c_size_t), + ("idx", Idx), + ("first", c_int), + ("known_groups", POINTER(NameList)), + ("needed_groups", POINTER(NameList)), + ("nip", c_void_p)] + + +class NetgroupRetriever(object): + def __init__(self, name): + self.name = name.encode('utf-8') + self.needed_groups = [] + self.known_groups = [] + self.netgroups = [] + + @staticmethod + def _setnetgrent(netgroup): + """ + This private method is ctypes wrapper for + enum 
nss_status _nss_sss_setnetgrent(const char *netgroup, + struct __netgrent *result) + + @param string name name of netgroup + + @return (int, POINTER(Netgrent)) (err, result_p) + err is a constant from class NssReturnCode and in case of SUCCESS + result_p will contain POINTER(Netgrent) which can be used in + _getnetgrent_r or _getnetgrent_r. + """ + func = nss_sss_ctypes_loader('_nss_sss_setnetgrent') + func.restype = c_int + func.argtypes = [c_char_p, POINTER(Netgrent)] + + result = Netgrent() + result_p = POINTER(Netgrent)(result) + + res = func(c_char_p(netgroup), result_p) + + return (int(res), result_p) + + @staticmethod + def _getnetgrent_r(result_p, buff, buff_len): + """ + This private method is ctypes wrapper for + enum nss_status _nss_sss_getnetgrent_r(struct __netgrent *result, + char *buffer, size_t buflen, + int *errnop) + @param POINTER(Netgrent) result_p pointer to initialized C structure + struct __netgrent + @param ctypes.c_char_Array buff buffer used by C functions + @param int buff_len size of c_char_Array passed as a paramere buff + + @return (int, int, List[(string, string, string]) + (err, errno, netgroups) + if err is NssReturnCode.SUCCESS netgroups will contain list of + touples. 
Each touple will consist of 3 elements either string or + """ + func = nss_sss_ctypes_loader('_nss_sss_getnetgrent_r') + func.restype = c_int + func.argtypes = [POINTER(Netgrent), POINTER(c_char), c_size_t, + POINTER(c_int)] + + errno = POINTER(c_int)(c_int(0)) + + res = func(result_p, buff, buff_len, errno) + + return (int(res), int(errno[0]), result_p) + + @staticmethod + def _endnetgrent(result_p): + """ + This private method is ctypes wrapper for + enum nss_status _nss_sss_endnetgrent(struct __netgrent *result) + + @param POINTER(Netgrent) result_p pointer to initialized C structure + struct __netgrent + + @return int a constant from class NssReturnCode + """ + func = nss_sss_ctypes_loader('_nss_sss_endnetgrent') + func.restype = c_int + func.argtypes = [POINTER(Netgrent)] + + res = func(result_p) + + return int(res) + + def get_netgroups(self): + """ + Function will return netgroup triplets for given user. All nested + netgroups will be retieved as part of executions and will content + will be merged with direct triplets. + Missing nested netgroups will not cause failure and are considered + as an empty netgroup without triplets. + + @param string name name of netgroup + + @return (int, int, List[(string, string, string]) + (err, errno, netgroups) + if err is NssReturnCode.SUCCESS netgroups will contain list of + touples. Each touple will consist of 3 elements either string or + None (host, user, domain). 
+ """ + res, errno, result = self._flat_fetch_netgroups(self.name) + if res != NssReturnCode.SUCCESS: + return (res, errno, self.netgroups) + + self.netgroups += result + + while self.needed_groups: + name = self.needed_groups.pop(0) + + nest_res, nest_errno, result = self._flat_fetch_netgroups(name) + # do not fail for missing nested netgroup + if nest_res not in (NssReturnCode.SUCCESS, NssReturnCode.NOTFOUND): + return (nest_res, nest_errno, self.netgroups) + + self.netgroups = result + self.netgroups + + return (res, errno, self.netgroups) + + def _flat_fetch_netgroups(self, name): + """ + Function will return netgroup triplets for given user. The nested + netgroups will not be returned. Missing nested netgroups will be + appended to the array needed_groups + + @param string name name of netgroup + + @return (int, int, List[(string, string, string]) + (err, errno, netgroups) + if err is NssReturnCode.SUCCESS netgroups will contain list of + touples. Each touple will consist of 3 elements either string or + None (host, user, domain). 
+ """ + buff_len = 1024 * 1024 + buff = create_string_buffer(buff_len) + + result = [] + + res, result_p = self._setnetgrent(name) + if res != NssReturnCode.SUCCESS: + return (res, get_errno(), result) + + res, errno, result_p = self._getnetgrent_r(result_p, buff, buff_len) + while res == NssReturnCode.SUCCESS: + if result_p[0].type == NetgroupType.GROUP_VAL: + nested_netgroup = result_p[0].val.group + if nested_netgroup not in self.known_groups: + self.needed_groups.append(nested_netgroup) + self.known_groups.append(nested_netgroup) + + if result_p[0].type == NetgroupType.TRIPLE_VAL: + triple = result_p[0].val.triple + result.append((triple.host and triple.host.decode('utf-8') + or "", + triple.user and triple.user.decode('utf-8') + or "", + triple.domain and triple.domain.decode('utf-8') + or "")) + + res, errno, result_p = self._getnetgrent_r(result_p, buff, + buff_len) + + if res != NssReturnCode.RETURN: + return (res, errno, result) + + res = self._endnetgrent(result_p) + + return (res, errno, result) + + +def get_sssd_netgroups(name): + """ + Function will return netgroup triplets for given user. It will gather + netgroups only provided by sssd. + The equivalent of "getent netgroup -s sss user" + + @param string name name of netgroup + + @return (int, int, List[(string, string, string]) (err, errno, netgroups) + if err is NssReturnCode.SUCCESS netgroups will contain list of touples. + Each touple will consist of 3 elements either string or None + (host, user, domain). + """ + + retriever = NetgroupRetriever(name) + + return retriever.get_netgroups() diff --git a/src/tests/intg/sssd_nss.py b/src/tests/intg/sssd_nss.py new file mode 100644 index 0000000..1e84631 --- /dev/null +++ b/src/tests/intg/sssd_nss.py 
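Review bot: In `_flat_fetch_netgroups`, the early `return (res, errno, result)` taken when the loop ends with anything other than `NssReturnCode.RETURN` skips `_endnetgrent`, so whatever a successful `_setnetgrent` set up is not released on the error path. Calling `self._endnetgrent(result_p)` before that return, or wrapping the loop in `try`/`finally`, would close it in both cases. The `_getnetgrent_r` docstring is also cut off mid-sentence and describes a list of tuples, while the method returns `(res, errno, result_p)`.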
@@ -0,0 +1,46 @@ +# +# Shared module for integration tests that need to access the sssd_nss +# module directly +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import config +import ctypes + + +class NssReturnCode(object): + """ 'enum' class for name service switch return code """ + TRYAGAIN = -2, + UNAVAIL = -1 + NOTFOUND = 0 + SUCCESS = 1 + RETURN = 2 + + +class SssdNssError(Exception): + """ Raised when one of the NSS operations fail """ + def __init__(self, errno, nssop): + self.errno = errno + self.nssop = nssop + + def __str__(self): + return "NSS operation %s failed %d" % (nssop, errno) + + +def nss_sss_ctypes_loader(func_name): + libnss_sss_path = config.NSS_MODULE_DIR + "/libnss_sss.so.2" + libnss_sss = ctypes.cdll.LoadLibrary(libnss_sss_path) + func = getattr(libnss_sss, func_name) + return func diff --git a/src/tests/intg/sssd_passwd.py b/src/tests/intg/sssd_passwd.py new file mode 100644 index 0000000..e97b0c1 --- /dev/null +++ b/src/tests/intg/sssd_passwd.py 
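Review bot: `SssdNssError.__str__` formats the bare names `nssop` and `errno`, which are not defined in that scope, so printing the exception raises `NameError` and hides the NSS failure it was meant to report; it should read `return "NSS operation %s failed %d" % (self.nssop, self.errno)`. In `NssReturnCode`, `TRYAGAIN = -2,` has a trailing comma that makes the constant the tuple `(-2,)`, so a comparison with an integer status never matches; it should be `TRYAGAIN = -2`.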
@@ -0,0 +1,209 @@ +# +# Module for simulation of utility "getent passwd -s sss" from coreutils +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from ctypes import (c_int, c_char_p, c_ulong, POINTER, + Structure, create_string_buffer, get_errno) +from sssd_nss import NssReturnCode, SssdNssError, nss_sss_ctypes_loader + +PASSWD_BUFLEN = 1024 + + +class Passwd(Structure): + _fields_ = [("pw_name", c_char_p), + ("pw_passwd", c_char_p), + ("pw_uid", c_int), + ("pw_gid", c_int), + ("pw_gecos", c_char_p), + ("pw_dir", c_char_p), + ("pw_shell", c_char_p)] + + +def set_user_dict(res, result_p): + if res != NssReturnCode.SUCCESS: + return dict() + + user_dict = dict() + user_dict['name'] = result_p[0].pw_name.decode('utf-8') + user_dict['passwd'] = result_p[0].pw_passwd.decode('utf-8') + user_dict['uid'] = result_p[0].pw_uid + user_dict['gid'] = result_p[0].pw_gid + user_dict['gecos'] = result_p[0].pw_gecos.decode('utf-8') + user_dict['dir'] = result_p[0].pw_dir.decode('utf-8') + user_dict['shell'] = result_p[0].pw_shell.decode('utf-8') + return user_dict + + +def getpwnam_r(name, result_p, buffer_p, buflen): + """ + ctypes wrapper for: + enum nss_status _nss_sss_getpwnam_r(const char *name, + struct passwd *result, + char *buffer, + size_t buflen, + int *errnop) + """ + func = nss_sss_ctypes_loader("_nss_sss_getpwnam_r") + func.restype = c_int + func.argtypes = [c_char_p, POINTER(Passwd), + c_char_p, c_ulong, POINTER(c_int)] + + errno = 
POINTER(c_int)(c_int(0)) + + name = name.encode('utf-8') + res = func(c_char_p(name), result_p, buffer_p, buflen, errno) + + return (int(res), int(errno[0]), result_p) + + +def getpwuid_r(uid, result_p, buffer_p, buflen): + """ + ctypes wrapper for: + enum nss_status _nss_sss_getpwuid_r(uid_t uid, + struct passwd *result, + char *buffer, + size_t buflen, + int *errnop) + """ + func = nss_sss_ctypes_loader("_nss_sss_getpwuid_r") + func.restype = c_int + func.argtypes = [c_ulong, POINTER(Passwd), + c_char_p, c_ulong, POINTER(c_int)] + + errno = POINTER(c_int)(c_int(0)) + + res = func(uid, result_p, buffer_p, buflen, errno) + + return (int(res), int(errno[0]), result_p) + + +def setpwent(): + """ + ctypes wrapper for: + void setpwent(void) + """ + func = nss_sss_ctypes_loader("_nss_sss_setpwent") + func.argtypes = [] + + res = func() + assert res == NssReturnCode.SUCCESS + + errno = get_errno() + if errno != 0: + raise SssdNssError(errno, "setpwent") + + +def endpwent(): + """ + ctypes wrapper for: + void endpwent(void) + """ + func = nss_sss_ctypes_loader("_nss_sss_endpwent") + func.argtypes = [] + + res = func() + assert res == NssReturnCode.SUCCESS + + errno = get_errno() + if errno != 0: + raise SssdNssError(errno, "endpwent") + + +def getpwent_r(result_p, buffer_p, buflen): + """ + ctypes wrapper for: + enum nss_status _nss_sss_getpwent_r(struct passwd *result, + char *buffer, size_t buflen, + int *errnop) + """ + func = nss_sss_ctypes_loader("_nss_sss_getpwent_r") + func.restype = c_int + func.argtypes = [POINTER(Passwd), c_char_p, c_ulong, POINTER(c_int)] + + errno = POINTER(c_int)(c_int(0)) + + res = func(result_p, buffer_p, buflen, errno) + return (int(res), int(errno[0]), result_p) + + +def getpwent(): + result = Passwd() + result_p = POINTER(Passwd)(result) + buff = create_string_buffer(PASSWD_BUFLEN) + + res, errno, result_p = getpwent_r(result_p, buff, PASSWD_BUFLEN) + if errno != 0: + raise SssdNssError(errno, "getpwent_r") + + user_dict = 
set_user_dict(res, result_p) + return res, user_dict + + +def call_sssd_getpwnam(name): + """ + A Python wrapper to retrieve a user by name. Returns: + (res, user_dict) + if res is NssReturnCode.SUCCESS, then user_dict contains the keys + corresponding to the C passwd structure fields. Otherwise, the dictionary + is empty and errno indicates the error code + """ + result = Passwd() + result_p = POINTER(Passwd)(result) + buff = create_string_buffer(PASSWD_BUFLEN) + + res, errno, result_p = getpwnam_r(name, result_p, buff, PASSWD_BUFLEN) + if errno != 0: + raise SssdNssError(errno, "getpwnam_r") + + user_dict = set_user_dict(res, result_p) + return res, user_dict + + +def call_sssd_getpwuid(uid): + """ + A Python wrapper to retrieve a user by UID. Returns: + (res, user_dict) + if res is NssReturnCode.SUCCESS, then user_dict contains the keys + corresponding to the C passwd structure fields. Otherwise, the dictionary + is empty and errno indicates the error code + """ + result = Passwd() + result_p = POINTER(Passwd)(result) + buff = create_string_buffer(PASSWD_BUFLEN) + + res, errno, result_p = getpwuid_r(uid, result_p, buff, PASSWD_BUFLEN) + if errno != 0: + raise SssdNssError(errno, "getpwuid_r") + + user_dict = set_user_dict(res, result_p) + return res, user_dict + + +def call_sssd_enumeration(): + """ + enumerate users from sssd module only + """ + setpwent() + user_list = [] + + res, user = getpwent() + while res == NssReturnCode.SUCCESS: + user_list.append(user) + res, user = getpwent() + + endpwent() + return user_list diff --git a/src/tests/intg/test_enumeration.py b/src/tests/intg/test_enumeration.py new file mode 100644 index 0000000..1a4c0b3 --- /dev/null +++ b/src/tests/intg/test_enumeration.py 
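Review bot: The `get_errno()` checks in `setpwent` and `endpwent` cannot observe a failure: ctypes only maintains that value for libraries loaded with `use_errno=True`, and `nss_sss_ctypes_loader` in sssd_nss.py uses `ctypes.cdll.LoadLibrary`. Either load the module with `ctypes.CDLL(libnss_sss_path, use_errno=True)` or drop the errno branch and rely on the returned status. The `get_errno()` call in sssd_netgroup.py's `_flat_fetch_netgroups` is affected the same way. The docstrings also describe `void setpwent(void)` and `void endpwent(void)`, while the code wraps `_nss_sss_setpwent` and `_nss_sss_endpwent` and asserts on their return value.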
@@ -0,0 +1,771 @@ +# +# LDAP integration test +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import pwd +import grp +import ent +import config +import signal +import subprocess +import time +import ldap +import pytest +import ds_openldap +import ldap_ent +from util import * + +LDAP_BASE_DN = "dc=example,dc=com" +INTERACTIVE_TIMEOUT = 4 + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP entries from ent_list""" + if ent_list is not None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + 
ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307 = "rfc2307" +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """ + Format a basic SSSD configuration + + The files domain is defined but not enabled in order to avoid enumerating + users from the files domain that would otherwise by implicitly enabled + """ + schema_conf = "ldap_schema = " + schema + "\n" + if schema == SCHEMA_RFC2307_BIS: + schema_conf += "ldap_group_object_class = groupOfNames\n" + return unindent("""\ + [sssd] + debug_level = 0xffff + domains = LDAP + services = nss, pam + + [nss] + debug_level = 0xffff + memcache_timeout = 0 + + [pam] + debug_level = 0xffff + + [domain/files] + id_provider = files + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + debug_level = 0xffff + enumerate = true + {schema_conf} + id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + + +def format_interactive_conf(ldap_conn, schema): + """Format an SSSD configuration with all caches refreshing in 4 seconds""" + return \ + format_basic_conf(ldap_conn, schema) + \ + unindent(""" + [nss] + memcache_timeout = 0 + enum_cache_timeout = {0} + entry_negative_timeout = 0 + + [domain/LDAP] + ldap_enumeration_refresh_timeout = {0} + ldap_purge_cache_timeout = 1 + entry_cache_timeout = {0} + """).format(INTERACTIVE_TIMEOUT) + + +def 
create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +@pytest.fixture +def sanity_rfc2307(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + + ent_list.add_group("group1", 2001) + ent_list.add_group("group2", 2002) + ent_list.add_group("group3", 2003) + + ent_list.add_group("empty_group", 
2010) + + ent_list.add_group("two_user_group", 2012, ["user1", "user2"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def populate_rfc2307bis(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + ent_list.add_group_bis("group3", 2003) + + ent_list.add_group_bis("empty_group1", 2010) + ent_list.add_group_bis("empty_group2", 2011) + + ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"]) + ent_list.add_group_bis("group_empty_group", 2013, [], ["empty_group1"]) + ent_list.add_group_bis("group_two_empty_groups", 2014, + [], ["empty_group1", "empty_group2"]) + ent_list.add_group_bis("one_user_group1", 2015, ["user1"]) + ent_list.add_group_bis("one_user_group2", 2016, ["user2"]) + ent_list.add_group_bis("group_one_user_group", 2017, + [], ["one_user_group1"]) + ent_list.add_group_bis("group_two_user_group", 2018, + [], ["two_user_group"]) + ent_list.add_group_bis("group_two_one_user_groups", 2019, + [], ["one_user_group1", "one_user_group2"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + + +@pytest.fixture +def sanity_rfc2307_bis(request, ldap_conn): + populate_rfc2307bis(request, ldap_conn) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_sanity_rfc2307(ldap_conn, sanity_rfc2307): + passwd_pattern = ent.contains_only( + dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', + dir='/home/user1', shell='/bin/bash'), + dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002', + dir='/home/user2', shell='/bin/bash'), + dict(name='user3', passwd='*', uid=1003, 
gid=2003, gecos='1003', + dir='/home/user3', shell='/bin/bash') + ) + ent.assert_passwd(passwd_pattern) + + group_pattern = ent.contains_only( + dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), + dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()), + dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), + dict(name='empty_group', passwd='*', gid=2010, + mem=ent.contains_only()), + dict(name='two_user_group', passwd='*', gid=2012, + mem=ent.contains_only("user1", "user2")) + ) + ent.assert_group(group_pattern) + + with pytest.raises(KeyError): + pwd.getpwnam("non_existent_user") + with pytest.raises(KeyError): + pwd.getpwuid(1) + with pytest.raises(KeyError): + grp.getgrnam("non_existent_group") + with pytest.raises(KeyError): + grp.getgrgid(1) + + +def test_sanity_rfc2307_bis(ldap_conn, sanity_rfc2307_bis): + passwd_pattern = ent.contains_only( + dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', + dir='/home/user1', shell='/bin/bash'), + dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002', + dir='/home/user2', shell='/bin/bash'), + dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003', + dir='/home/user3', shell='/bin/bash') + ) + ent.assert_passwd(passwd_pattern) + + group_pattern = ent.contains_only( + dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), + dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()), + dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), + dict(name='empty_group1', passwd='*', gid=2010, + mem=ent.contains_only()), + dict(name='empty_group2', passwd='*', gid=2011, + mem=ent.contains_only()), + dict(name='two_user_group', passwd='*', gid=2012, + mem=ent.contains_only("user1", "user2")), + dict(name='group_empty_group', passwd='*', gid=2013, + mem=ent.contains_only()), + dict(name='group_two_empty_groups', passwd='*', gid=2014, + mem=ent.contains_only()), + dict(name='one_user_group1', passwd='*', gid=2015, + 
mem=ent.contains_only("user1")), + dict(name='one_user_group2', passwd='*', gid=2016, + mem=ent.contains_only("user2")), + dict(name='group_one_user_group', passwd='*', gid=2017, + mem=ent.contains_only("user1")), + dict(name='group_two_user_group', passwd='*', gid=2018, + mem=ent.contains_only("user1", "user2")), + dict(name='group_two_one_user_groups', passwd='*', gid=2019, + mem=ent.contains_only("user1", "user2")) + ) + ent.assert_group(group_pattern) + + with pytest.raises(KeyError): + pwd.getpwnam("non_existent_user") + with pytest.raises(KeyError): + pwd.getpwuid(1) + with pytest.raises(KeyError): + grp.getgrnam("non_existent_group") + with pytest.raises(KeyError): + grp.getgrgid(1) + + +@pytest.fixture +def blank_rfc2307(request, ldap_conn): + """Create blank RFC2307 directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307)) + create_sssd_fixture(request) + + +@pytest.fixture +def blank_rfc2307_bis(request, ldap_conn): + """Create blank RFC2307bis directory fixture with interactive SSSD conf""" + create_ldap_cleanup(request, ldap_conn) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307_BIS)) + create_sssd_fixture(request) + + +@pytest.fixture +def user_and_group_rfc2307(request, ldap_conn): + """ + Create an RFC2307 directory fixture with interactive SSSD conf, + one user and one group + """ + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group("group", 2001) + create_ldap_fixture(request, ldap_conn, ent_list) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307)) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def user_and_groups_rfc2307_bis(request, ldap_conn): + """ + Create an RFC2307bis directory fixture with interactive SSSD conf, + one user and two groups + """ + ent_list = 
ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + create_ldap_fixture(request, ldap_conn, ent_list) + create_conf_fixture(request, + format_interactive_conf(ldap_conn, SCHEMA_RFC2307_BIS)) + create_sssd_fixture(request) + return None + + +def test_add_remove_user(ldap_conn, blank_rfc2307): + """Test user addition and removal are reflected by SSSD""" + e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user", 2001, 2000) + time.sleep(INTERACTIVE_TIMEOUT/2) + # Add the user + ent.assert_passwd(ent.contains_only()) + ldap_conn.add_s(*e) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_passwd(ent.contains_only(dict(name="user", uid=2001))) + # Remove the user + ldap_conn.delete_s(e[0]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_passwd(ent.contains_only()) + + +def test_add_remove_group_rfc2307(ldap_conn, blank_rfc2307): + """Test RFC2307 group addition and removal are reflected by SSSD""" + e = ldap_ent.group(ldap_conn.ds_inst.base_dn, "group", 2001) + time.sleep(INTERACTIVE_TIMEOUT/2) + # Add the group + ent.assert_group(ent.contains_only()) + ldap_conn.add_s(*e) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group(ent.contains_only(dict(name="group", gid=2001))) + # Remove the group + ldap_conn.delete_s(e[0]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group(ent.contains_only()) + + +def test_add_remove_group_rfc2307_bis(ldap_conn, blank_rfc2307_bis): + """Test RFC2307bis group addition and removal are reflected by SSSD""" + e = ldap_ent.group_bis(ldap_conn.ds_inst.base_dn, "group", 2001) + time.sleep(INTERACTIVE_TIMEOUT/2) + # Add the group + ent.assert_group(ent.contains_only()) + ldap_conn.add_s(*e) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group(ent.contains_only(dict(name="group", gid=2001))) + # Remove the group + ldap_conn.delete_s(e[0]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group(ent.contains_only()) + + +def 
test_add_remove_membership_rfc2307(ldap_conn, user_and_group_rfc2307): + """Test user membership addition and removal are reflected by SSSD""" + time.sleep(INTERACTIVE_TIMEOUT/2) + # Add user to group + ent.assert_group_by_name("group", dict(mem=ent.contains_only())) + ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "memberUid", b"user")]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group_by_name("group", dict(mem=ent.contains_only("user"))) + # Remove user from group + ldap_conn.modify_s("cn=group,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "memberUid", None)]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group_by_name("group", dict(mem=ent.contains_only())) + + +def test_add_remove_membership_rfc2307_bis(ldap_conn, + user_and_groups_rfc2307_bis): + """ + Test user and group membership addition and removal are reflected by SSSD, + with RFC2307bis schema + """ + base_dn_bytes = ldap_conn.ds_inst.base_dn.encode('utf-8') + + time.sleep(INTERACTIVE_TIMEOUT/2) + # Add user to group1 + ent.assert_group_by_name("group1", dict(mem=ent.contains_only())) + ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "member", + b"uid=user,ou=Users," + base_dn_bytes)]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user"))) + + # Add group1 to group2 + ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "member", + b"cn=group1,ou=Groups," + base_dn_bytes)]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group_by_name("group2", dict(mem=ent.contains_only("user"))) + + # Remove group1 from group2 + ldap_conn.modify_s("cn=group2,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "member", None)]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group_by_name("group2", dict(mem=ent.contains_only())) + + # Remove user from group1 + ldap_conn.modify_s("cn=group1,ou=Groups," + 
ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "member", None)]) + time.sleep(INTERACTIVE_TIMEOUT) + ent.assert_group_by_name("group1", dict(mem=ent.contains_only())) + + +@pytest.fixture +def override_homedir(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_homedir_A", 1001, 2001, + homeDirectory="/home/A") + ent_list.add_user("user_with_homedir_B", 1002, 2002, + homeDirectory="/home/B") + ent_list.add_user("user_with_empty_homedir", 1003, 2003, + homeDirectory="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [nss] + override_homedir = /home/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_override_homedir(override_homedir): + """Test the effect of the "override_homedir" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_homedir_A", uid=1001, dir="/home/B"), + dict(name="user_with_homedir_B", uid=1002, dir="/home/B"), + dict(name="user_with_empty_homedir", uid=1003, dir="/home/B") + ) + ) + + +@pytest.fixture +def fallback_homedir(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_homedir_A", 1001, 2001, + homeDirectory="/home/A") + ent_list.add_user("user_with_homedir_B", 1002, 2002, + homeDirectory="/home/B") + ent_list.add_user("user_with_empty_homedir", 1003, 2003, + homeDirectory="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [nss] + fallback_homedir = /home/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_fallback_homedir(fallback_homedir): + """Test the effect of the "fallback_homedir" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_homedir_A", uid=1001, dir="/home/A"), + dict(name="user_with_homedir_B", 
uid=1002, dir="/home/B"), + dict(name="user_with_empty_homedir", uid=1003, dir="/home/B") + ) + ) + + +@pytest.fixture +def override_shell(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_shell_A", 1001, 2001, + loginShell="/bin/A") + ent_list.add_user("user_with_shell_B", 1002, 2002, + loginShell="/bin/B") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [nss] + override_shell = /bin/B + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_override_shell(override_shell): + """Test the effect of the "override_shell" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_shell_A", uid=1001, shell="/bin/B"), + dict(name="user_with_shell_B", uid=1002, shell="/bin/B"), + dict(name="user_with_empty_shell", uid=1003, shell="/bin/B") + ) + ) + + +@pytest.fixture +def shell_fallback(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell="/bin/sh") + ent_list.add_user("user_with_not_installed_shell", 1002, 2002, + loginShell="/bin/not_installed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [nss] + shell_fallback = /bin/fallback + allowed_shells = /bin/not_installed + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_shell_fallback(shell_fallback): + """Test the effect of the "shell_fallback" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_not_installed_shell", uid=1002, + shell="/bin/fallback"), + 
dict(name="user_with_empty_shell", uid=1003, shell="") + ) + ) + + +@pytest.fixture +def default_shell(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell="/bin/sh") + ent_list.add_user("user_with_not_installed_shell", 1002, 2002, + loginShell="/bin/not_installed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [nss] + default_shell = /bin/default + allowed_shells = /bin/default, /bin/not_installed + shell_fallback = /bin/fallback + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_default_shell(default_shell): + """Test the effect of the "default_shell" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"), + dict(name="user_with_not_installed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, + shell="/bin/default") + ) + ) + + +@pytest.fixture +def vetoed_shells(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user_with_sh_shell", 1001, 2001, + loginShell="/bin/sh") + ent_list.add_user("user_with_vetoed_shell", 1002, 2002, + loginShell="/bin/vetoed") + ent_list.add_user("user_with_empty_shell", 1003, 2003, + loginShell="") + create_ldap_fixture(request, ldap_conn, ent_list) + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [nss] + default_shell = /bin/default + vetoed_shells = /bin/vetoed + shell_fallback = /bin/fallback + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_vetoed_shells(vetoed_shells): + """Test the effect of the "vetoed_shells" option""" + ent.assert_passwd( + ent.contains_only( + dict(name="user_with_sh_shell", 
uid=1001, shell="/bin/sh"), + dict(name="user_with_vetoed_shell", uid=1002, + shell="/bin/fallback"), + dict(name="user_with_empty_shell", uid=1003, + shell="/bin/default") + ) + ) + + +@pytest.fixture +def sanity_rfc2307_bis_mpg(request, ldap_conn): + populate_rfc2307bis(request, ldap_conn) + + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_group_bis("conflict1", 1001) + ent_list.add_group_bis("conflict2", 1002) + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [domain/LDAP] + auto_private_groups = True + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ldap_auto_private_groups_enumerate(ldap_conn, + sanity_rfc2307_bis_mpg): + """ + Test the auto_private_groups together with enumeration + """ + passwd_pattern = ent.contains_only( + dict(name='user1', passwd='*', uid=1001, gid=1001, gecos='1001', + dir='/home/user1', shell='/bin/bash'), + dict(name='user2', passwd='*', uid=1002, gid=1002, gecos='1002', + dir='/home/user2', shell='/bin/bash'), + dict(name='user3', passwd='*', uid=1003, gid=1003, gecos='1003', + dir='/home/user3', shell='/bin/bash') + ) + ent.assert_passwd(passwd_pattern) + + group_pattern = ent.contains_only( + dict(name='user1', passwd='*', gid=1001, mem=ent.contains_only()), + dict(name='user2', passwd='*', gid=1002, mem=ent.contains_only()), + dict(name='user3', passwd='*', gid=1003, mem=ent.contains_only()), + dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), + dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()), + dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), + dict(name='empty_group1', passwd='*', gid=2010, + mem=ent.contains_only()), + dict(name='empty_group2', passwd='*', gid=2011, + mem=ent.contains_only()), + dict(name='two_user_group', passwd='*', gid=2012, + mem=ent.contains_only("user1", "user2")), + 
dict(name='group_empty_group', passwd='*', gid=2013, + mem=ent.contains_only()), + dict(name='group_two_empty_groups', passwd='*', gid=2014, + mem=ent.contains_only()), + dict(name='one_user_group1', passwd='*', gid=2015, + mem=ent.contains_only("user1")), + dict(name='one_user_group2', passwd='*', gid=2016, + mem=ent.contains_only("user2")), + dict(name='group_one_user_group', passwd='*', gid=2017, + mem=ent.contains_only("user1")), + dict(name='group_two_user_group', passwd='*', gid=2018, + mem=ent.contains_only("user1", "user2")), + dict(name='group_two_one_user_groups', passwd='*', gid=2019, + mem=ent.contains_only("user1", "user2")) + ) + ent.assert_group(group_pattern) + + with pytest.raises(KeyError): + grp.getgrnam("conflict1") + ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only())) diff --git a/src/tests/intg/test_files_ops.py b/src/tests/intg/test_files_ops.py new file mode 100644 index 0000000..63816ac --- /dev/null +++ b/src/tests/intg/test_files_ops.py 
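Review bot: In `cleanup_sssd_process` the outer bare `except: pass` hides every failure to read the pid file or signal the daemon, and the `while True` probe loop has no upper bound, so teardown either hangs on a daemon that does not exit after SIGTERM or goes on to unlink the files under `config.DB_PATH` and `config.MCACHE_PATH` while sssd may still be running. The pid is taken from `config.PIDFILE_PATH` with no check that it still belongs to sssd, so a stale file would make the fixture signal an unrelated process with whatever privileges the test run has. Catching only the expected errors and bounding the wait keeps those cases visible; the 60-iteration limit below is a constructed value. `stop_sssd` in `test_files_provider.py` appears to repeat the same unbounded loop with a bare `except:`.

```python
def cleanup_sssd_process():
    """Stop the SSSD process and remove its state"""
    try:
        with open(config.PIDFILE_PATH, "r") as pid_file:
            pid = int(pid_file.read())
        os.kill(pid, signal.SIGTERM)
        for _ in range(60):
            os.kill(pid, signal.SIGCONT)
            time.sleep(1)
        raise Exception("sssd did not stop")
    except (IOError, OSError, ValueError):
        # pid file missing or unparsable, or the process is gone
        pass
    # … unchanged: removal of config.DB_PATH and config.MCACHE_PATH contents …
```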
@@ -0,0 +1,84 @@
+#
+# SSSD integration test - operations on UNIX user and group database
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+import pwd
+import grp
+import pytest
+
+import ent
+from files_ops import passwd_ops_setup, group_ops_setup
+
+USER1 = dict(name='user1', passwd='*', uid=10001, gid=20001,
+ gecos='User for tests',
+ dir='/home/user1',
+ shell='/bin/bash')
+
+GROUP1 = dict(name='group1',
+ gid=30001,
+ mem=['user1'])
+
+
+def test_useradd(passwd_ops_setup):
+ with pytest.raises(KeyError):
+ pwd.getpwnam("user1")
+ passwd_ops_setup.useradd(**USER1)
+ ent.assert_passwd_by_name("user1", USER1)
+
+
+def test_usermod(passwd_ops_setup):
+ passwd_ops_setup.useradd(**USER1)
+ ent.assert_passwd_by_name("user1", USER1)
+
+ USER1['shell'] = '/bin/zsh'
+ passwd_ops_setup.usermod(**USER1)
+ ent.assert_passwd_by_name("user1", USER1)
+
+
+def test_userdel(passwd_ops_setup):
+ passwd_ops_setup.useradd(**USER1)
+ ent.assert_passwd_by_name("user1", USER1)
+
+ passwd_ops_setup.userdel("user1")
+ with pytest.raises(KeyError):
+ pwd.getpwnam("user1")
+
+
+def test_groupadd(group_ops_setup):
+ with pytest.raises(KeyError):
+ grp.getgrnam("group1")
+ group_ops_setup.groupadd(**GROUP1)
+ ent.assert_group_by_name("group1", GROUP1)
+
+
+def test_groupmod(group_ops_setup):
+ group_ops_setup.groupadd(**GROUP1)
+ ent.assert_group_by_name("group1", GROUP1)
+
+ modgroup = dict(GROUP1)
+ modgroup['mem'] = []
+
+ group_ops_setup.groupmod(old_name=GROUP1["name"], **modgroup)
+ ent.assert_group_by_name("group1", modgroup)
+
+
+def test_groupdel(group_ops_setup):
+ group_ops_setup.groupadd(**GROUP1)
+ ent.assert_group_by_name("group1", GROUP1)
+
+ group_ops_setup.groupdel("group1")
+ with pytest.raises(KeyError):
+ grp.getgrnam("group1")
diff --git a/src/tests/intg/test_files_provider.py b/src/tests/intg/test_files_provider.py
new file mode 100644
index 0000000..ab790a7
--- /dev/null
+++ b/src/tests/intg/test_files_provider.py
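Review bot: `test_usermod` writes `USER1['shell'] = '/bin/zsh'` into the module-level `USER1` dict, so every test that runs after it (here `test_userdel`) creates and checks the user with the modified shell, and what the suite exercises depends on test order. `test_groupmod` in the same hunk already avoids this by working on a copy made with `dict(GROUP1)`. The same shape fits here: `moduser = dict(USER1)`, `moduser['shell'] = '/bin/zsh'`, then pass `**moduser` to `usermod` and `moduser` to `assert_passwd_by_name`.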
@@ -0,0 +1,1235 @@ +# +# SSSD files domain tests +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import stat +import time +import config +import signal +import subprocess +import pwd +import grp +import pytest +import tempfile + +import ent +import sssd_id +from sssd_nss import NssReturnCode +from sssd_passwd import (call_sssd_getpwnam, + call_sssd_enumeration, + call_sssd_getpwuid) +from sssd_group import call_sssd_getgrnam, call_sssd_getgrgid +from files_ops import passwd_ops_setup, group_ops_setup, PasswdOps, GroupOps +from util import unindent + +# Sync this with files_ops.c +FILES_REALLOC_CHUNK = 64 + +CANARY = dict(name='canary', passwd='x', uid=100001, gid=200001, + gecos='Used to check if passwd is resolvable', + dir='/home/canary', + shell='/bin/bash') + +USER1 = dict(name='user1', passwd='x', uid=10001, gid=20001, + gecos='User for tests', + dir='/home/user1', + shell='/bin/bash') + +USER2 = dict(name='user2', passwd='x', uid=10002, gid=20001, + gecos='User2 for tests', + dir='/home/user2', + shell='/bin/bash') + +OV_USER1 = dict(name='ov_user1', passwd='x', uid=10010, gid=20010, + gecos='Overriden User 1', + dir='/home/ov/user1', + shell='/bin/ov_user1_shell') + +ALT_USER1 = dict(name='altuser1', passwd='x', uid=60001, gid=70001, + gecos='User for tests from alt files', + dir='/home/altuser1', + shell='/bin/bash') + +CANARY_GR = dict(name='canary', + gid=300001, + mem=[]) + +GROUP1 = dict(name='group1', + 
gid=30001, + mem=['user1']) + +OV_GROUP1 = dict(name='ov_group1', + gid=30002, + mem=['user1']) + +GROUP12 = dict(name='group12', + gid=30012, + mem=['user1', 'user2']) + +GROUP_NOMEM = dict(name='group_nomem', + gid=40000, + mem=[]) + +ALT_GROUP1 = dict(name='alt_group1', + gid=80001, + mem=['alt_user1']) + + +def start_sssd(): + """Start sssd and add teardown for stopping it and removing state""" + os.environ["SSS_FILES_PASSWD"] = os.environ["NSS_WRAPPER_PASSWD"] + os.environ["SSS_FILES_GROUP"] = os.environ["NSS_WRAPPER_GROUP"] + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def stop_sssd(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def restart_sssd(): + stop_sssd() + start_sssd() + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def create_sssd_fixture(request): + start_sssd() + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +# Fixtures +@pytest.fixture +def files_domain_only(request): + conf = unindent("""\ + [sssd] + domains = files + services = nss + + [domain/files] + id_provider = files + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def files_multiple_sources(request): + _, alt_passwd_path = tempfile.mkstemp(prefix='altpasswd') + request.addfinalizer(lambda: os.unlink(alt_passwd_path)) + alt_pwops = 
PasswdOps(alt_passwd_path) + + _, alt_group_path = tempfile.mkstemp(prefix='altgroup') + request.addfinalizer(lambda: os.unlink(alt_group_path)) + alt_grops = GroupOps(alt_group_path) + + passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path]) + group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path]) + + conf = unindent("""\ + [sssd] + domains = files + services = nss + + [nss] + debug_level = 10 + + [domain/files] + id_provider = files + passwd_files = {passwd_list} + group_files = {group_list} + debug_level = 10 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return alt_pwops, alt_grops + + +@pytest.fixture +def files_multiple_sources_nocreate(request): + """ + Sets up SSSD with multiple sources, but does not actually create + the files. + """ + alt_passwd_path = tempfile.mktemp(prefix='altpasswd') + request.addfinalizer(lambda: os.unlink(alt_passwd_path)) + + alt_group_path = tempfile.mktemp(prefix='altgroup') + request.addfinalizer(lambda: os.unlink(alt_group_path)) + + passwd_list = ",".join([os.environ["NSS_WRAPPER_PASSWD"], alt_passwd_path]) + group_list = ",".join([os.environ["NSS_WRAPPER_GROUP"], alt_group_path]) + + conf = unindent("""\ + [sssd] + domains = files + services = nss + + [nss] + debug_level = 10 + + [domain/files] + id_provider = files + passwd_files = {passwd_list} + group_files = {group_list} + debug_level = 10 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return alt_passwd_path, alt_group_path + + +@pytest.fixture +def proxy_to_files_domain_only(request): + conf = unindent("""\ + [sssd] + domains = proxy, local + services = nss + + [domain/local] + id_provider = local + + [domain/proxy] + id_provider = proxy + proxy_lib_name = files + auth_provider = none + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def 
no_sssd_domain(request): + conf = unindent("""\ + [sssd] + services = nss + enable_files_domain = true + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def no_files_domain(request): + conf = unindent("""\ + [sssd] + domains = local + services = nss + enable_files_domain = true + + [domain/local] + id_provider = local + + [domain/disabled.files] + id_provider = files + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def disabled_files_domain(request): + conf = unindent("""\ + [sssd] + domains = local + services = nss + enable_files_domain = false + + [domain/local] + id_provider = local + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def no_sssd_conf(request): + create_sssd_fixture(request) + return None + + +@pytest.fixture +def domain_resolution_order(request): + conf = unindent("""\ + [sssd] + domains = files + services = nss + domain_resolution_order = foo + + [domain/files] + id_provider = files + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def override_homedir_and_shell(request): + conf = unindent("""\ + [sssd] + domains = files + services = nss + + [domain/files] + id_provider = files + override_homedir = /test/bar + override_shell = /bin/bar + + [nss] + override_homedir = /test/foo + override_shell = /bin/foo + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def setup_pw_with_list(request, user_list): + pwd_ops = passwd_ops_setup(request) + for user in user_list: + pwd_ops.useradd(**user) + ent.assert_passwd_by_name(CANARY['name'], CANARY) + return pwd_ops + + +@pytest.fixture +def add_user_with_canary(request): + return setup_pw_with_list(request, [CANARY, USER1]) + + 
+@pytest.fixture +def setup_pw_with_canary(request): + return setup_pw_with_list(request, [CANARY]) + + +def setup_gr_with_list(request, group_list): + grp_ops = group_ops_setup(request) + for group in group_list: + grp_ops.groupadd(**group) + ent.assert_group_by_name(CANARY_GR['name'], CANARY_GR) + return grp_ops + + +@pytest.fixture +def add_group_with_canary(request): + return setup_gr_with_list(request, [GROUP1, CANARY_GR]) + + +@pytest.fixture +def setup_gr_with_canary(request): + return setup_gr_with_list(request, [CANARY_GR]) + + +def poll_canary(fn, name, threshold=20): + """ + If we query SSSD while it's updating its cache, it would return NOTFOUND + rather than a result from potentially outdated or incomplete cache. In + reality this doesn't hurt because the order of the modules is normally + "sss files" so the user lookup would fall back to files. But in tests + we use this loop to wait until the canary user who is always there is + resolved. + """ + for _ in range(0, threshold): + res, _ = fn(name) + if res == NssReturnCode.SUCCESS: + return True + elif res == NssReturnCode.NOTFOUND: + time.sleep(0.1) + continue + else: + return False + return False + + +def sssd_getpwnam_sync(name): + ret = poll_canary(call_sssd_getpwnam, CANARY["name"]) + if ret is False: + return NssReturnCode.NOTFOUND, None + + return call_sssd_getpwnam(name) + + +def sssd_getpwuid_sync(uid): + ret = poll_canary(call_sssd_getpwnam, CANARY["name"]) + if ret is False: + return NssReturnCode.NOTFOUND, None + + return call_sssd_getpwuid(uid) + + +def sssd_getgrnam_sync(name): + ret = poll_canary(call_sssd_getgrnam, CANARY_GR["name"]) + if ret is False: + return NssReturnCode.NOTFOUND, None + + return call_sssd_getgrnam(name) + + +def sssd_getgrgid_sync(name): + ret = poll_canary(call_sssd_getgrnam, CANARY_GR["name"]) + if ret is False: + return NssReturnCode.NOTFOUND, None + + return call_sssd_getgrgid(name) + + +def sssd_id_sync(name): + sssd_getpwnam_sync(CANARY["name"]) + res, _, 
groups = sssd_id.get_user_groups(name) + return res, groups + + +# Helper functions +def user_generator(seqnum): + return dict(name='user%d' % seqnum, + passwd='x', + uid=10000 + seqnum, + gid=20000 + seqnum, + gecos='User for tests', + dir='/home/user%d' % seqnum, + shell='/bin/bash') + + +def check_user(exp_user, delay=1.0): + if delay > 0: + time.sleep(delay) + + res, found_user = sssd_getpwnam_sync(exp_user["name"]) + assert res == NssReturnCode.SUCCESS + assert found_user == exp_user + + +def group_generator(seqnum): + return dict(name='group%d' % seqnum, + gid=30000 + seqnum, + mem=[]) + + +def check_group(exp_group, delay=1.0): + if delay > 0: + time.sleep(delay) + + res, found_group = sssd_getgrnam_sync(exp_group["name"]) + assert res == NssReturnCode.SUCCESS + assert found_group == exp_group + + +def check_group_by_gid(exp_group, delay=1.0): + if delay > 0: + time.sleep(delay) + + res, found_group = sssd_getgrgid_sync(exp_group["gid"]) + assert res == NssReturnCode.SUCCESS + assert found_group == exp_group + + +def check_group_list(exp_groups_list): + for exp_group in exp_groups_list: + check_group(exp_group) + + +def assert_user_overriden(): + # There is an issue in nss_wrapper [0] and nss_wrapper always looks into + # the files first before using the NSS module. This lets this check fail + # because the user is found in the file and hence will be returned + # without overridden values. + # In order to work this around while there's no fix for nss_wrapper, let's + # use the fully-qualified name when looking up the USER1 + # + # https://bugzilla.samba.org/show_bug.cgi?id=12883) + ent.assert_passwd_by_name(USER1["name"]+"@files", OV_USER1) + ent.assert_passwd_by_name(OV_USER1["name"], OV_USER1) + + +def assert_group_overriden(): + # There is an issue in nss_wrapper [0] and nss_wrapper always looks into + # the files first before using the NSS module. 
This lets this check fail + # because the user is found in the file and hence will be returned + # without overridden values. + # In order to work this around while there's no fix for nss_wrapper, let's + # use the fully-qualified name when looking up the GROUP1 + # + # https://bugzilla.samba.org/show_bug.cgi?id=12883) + ent.assert_group_by_name(GROUP1["name"]+"@files", OV_GROUP1) + ent.assert_group_by_name(OV_GROUP1["name"], OV_GROUP1) + + +# User tests +def test_getpwnam_after_start(add_user_with_canary, files_domain_only): + """ + Test that after startup without any additional operations, a user + can be resolved through sssd + """ + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user == USER1 + + +def test_getpwuid_after_start(add_user_with_canary, files_domain_only): + """ + Test that after startup without any additional operations, a user + can be resolved through sssd + """ + res, user = sssd_getpwuid_sync(USER1["uid"]) + assert res == NssReturnCode.SUCCESS + assert user == USER1 + + +def test_user_overriden(add_user_with_canary, files_domain_only): + """ + Test that user override works with files domain only + """ + # Override + subprocess.check_call(["sss_override", "user-add", USER1["name"], + "-u", str(OV_USER1["uid"]), + "-g", str(OV_USER1["gid"]), + "-n", OV_USER1["name"], + "-c", OV_USER1["gecos"], + "-h", OV_USER1["dir"], + "-s", OV_USER1["shell"]]) + + restart_sssd() + + assert_user_overriden() + + +def test_group_overriden(add_group_with_canary, files_domain_only): + """ + Test that user override works with files domain only + """ + # Override + subprocess.check_call(["sss_override", "group-add", GROUP1["name"], + "-n", OV_GROUP1["name"], + "-g", str(OV_GROUP1["gid"])]) + + restart_sssd() + + assert_group_overriden() + + +def test_getpwnam_neg(files_domain_only): + """ + Test that a nonexistent user cannot be resolved by name + """ + res, _ = call_sssd_getpwnam("nosuchuser") + assert res == 
NssReturnCode.NOTFOUND + + +def test_getpwuid_neg(files_domain_only): + """ + Test that a nonexistent user cannot be resolved by UID + """ + res, _ = call_sssd_getpwuid(12345) + assert res == NssReturnCode.NOTFOUND + + +def test_root_does_not_resolve(files_domain_only): + """ + SSSD currently does not resolve the root user even though it can + be resolved through the NSS interface + """ + nss_root = pwd.getpwnam("root") + assert nss_root is not None + + res, _ = call_sssd_getpwnam("root") + assert res == NssReturnCode.NOTFOUND + + +def test_uid_zero_does_not_resolve(files_domain_only): + """ + SSSD currently does not resolve the UID 0 even though it can + be resolved through the NSS interface + """ + nss_root = pwd.getpwuid(0) + assert nss_root is not None + + res, _ = call_sssd_getpwuid(0) + assert res == NssReturnCode.NOTFOUND + + +def test_add_remove_add_file_user(setup_pw_with_canary, files_domain_only): + """ + Test that removing a user is detected and the user + is removed from the sssd database. Similarly, an add + should be detected. Do this several times to test retaining + the inotify watch for moved and unlinked files. 
+ """ + res, _ = call_sssd_getpwnam(USER1["name"]) + assert res == NssReturnCode.NOTFOUND + + setup_pw_with_canary.useradd(**USER1) + check_user(USER1) + + setup_pw_with_canary.userdel(USER1["name"]) + time.sleep(1.0) + res, _ = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.NOTFOUND + + setup_pw_with_canary.useradd(**USER1) + check_user(USER1) + + +def test_mod_user_shell(add_user_with_canary, files_domain_only): + """ + Test that modifying a user shell is detected and the user + is modified in the sssd database + """ + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user == USER1 + + moduser = dict(USER1) + moduser['shell'] = '/bin/zsh' + add_user_with_canary.usermod(**moduser) + + check_user(moduser) + + +def test_enum_users(setup_pw_with_canary, files_domain_only): + """ + Test that enumerating all users works with the default configuration. Also + test that removing all entries and then enumerating again returns an empty + set + """ + num_users = 10 + for i in range(1, num_users+1): + user = user_generator(i) + setup_pw_with_canary.useradd(**user) + + sssd_getpwnam_sync(CANARY["name"]) + user_list = call_sssd_enumeration() + # +1 because the canary is added + assert len(user_list) == num_users+1 + + +def incomplete_user_setup(pwd_ops, del_field, exp_field): + adduser = dict(USER1) + del adduser[del_field] + exp_user = dict(USER1) + exp_user[del_field] = exp_field + + pwd_ops.useradd(**adduser) + + return exp_user + + +def test_user_no_shell(setup_pw_with_canary, files_domain_only): + """ + Test that resolving a user without a shell defined works and returns + a fallback value + """ + check_user(incomplete_user_setup(setup_pw_with_canary, 'shell', '')) + + +def test_user_no_dir(setup_pw_with_canary, files_domain_only): + """ + Test that resolving a user without a homedir defined works and returns + a fallback value + """ + check_user(incomplete_user_setup(setup_pw_with_canary, 'dir', '/')) + + +def 
test_user_no_gecos(setup_pw_with_canary, files_domain_only): + """ + Test that resolving a user without a gecos defined works and returns + a fallback value + """ + check_user(incomplete_user_setup(setup_pw_with_canary, 'gecos', '')) + + +def test_user_no_passwd(setup_pw_with_canary, files_domain_only): + """ + Test that resolving a user without a password defined works and returns + a fallback value + """ + check_user(incomplete_user_setup(setup_pw_with_canary, 'passwd', 'x')) + + +def bad_incomplete_user_setup(pwd_ops, del_field): + adduser = dict(USER1) + adduser[del_field] = '' + + pwd_ops.useradd(**adduser) + + +def test_incomplete_user_fail(setup_pw_with_canary, files_domain_only): + """ + Test resolving an incomplete user where the missing field is required + to be present in the user record and thus the user shouldn't resolve. + + We cannot test UID and GID missing because nss_wrapper doesn't even + load the malformed passwd file, then. + """ + bad_incomplete_user_setup(setup_pw_with_canary, 'name') + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.NOTFOUND + + +def test_getgrnam_after_start(add_group_with_canary, files_domain_only): + """ + Test that after startup without any additional operations, a group + can be resolved through sssd by name + """ + check_group(GROUP1) + + +def test_getgrgid_after_start(add_group_with_canary, files_domain_only): + """ + Test that after startup without any additional operations, a group + can be resolved through sssd by GID + """ + check_group_by_gid(GROUP1) + + +def test_getgrnam_neg(files_domain_only): + """ + Test that a nonexistent group cannot be resolved + """ + res, user = sssd_getgrnam_sync("nosuchgroup") + assert res == NssReturnCode.NOTFOUND + + +def test_getgrgid_neg(files_domain_only): + """ + Test that a nonexistent group cannot be resolved + """ + res, user = sssd_getgrgid_sync(123456) + assert res == NssReturnCode.NOTFOUND + + +def 
test_root_group_does_not_resolve(files_domain_only): + """ + SSSD currently does not resolve the root group even though it can + be resolved through the NSS interface + """ + nss_root = grp.getgrnam("root") + assert nss_root is not None + + res, user = call_sssd_getgrnam("root") + assert res == NssReturnCode.NOTFOUND + + +def test_gid_zero_does_not_resolve(files_domain_only): + """ + SSSD currently does not resolve the group with GID 0 even though it + can be resolved through the NSS interface + """ + nss_root = grp.getgrgid(0) + assert nss_root is not None + + res, user = call_sssd_getgrgid(0) + assert res == NssReturnCode.NOTFOUND + + +def test_add_remove_add_file_group(setup_gr_with_canary, files_domain_only): + """ + Test that removing a group is detected and the group + is removed from the sssd database. Similarly, an add + should be detected. Do this several times to test retaining + the inotify watch for moved and unlinked files. + """ + res, group = call_sssd_getgrnam(GROUP1["name"]) + assert res == NssReturnCode.NOTFOUND + + setup_gr_with_canary.groupadd(**GROUP1) + check_group(GROUP1) + + setup_gr_with_canary.groupdel(GROUP1["name"]) + time.sleep(1) + res, group = call_sssd_getgrnam(GROUP1["name"]) + assert res == NssReturnCode.NOTFOUND + + setup_gr_with_canary.groupadd(**GROUP1) + check_group(GROUP1) + + +def test_mod_group_name(add_group_with_canary, files_domain_only): + """ + Test that modifying a group name is detected and the group + is modified in the sssd database + """ + check_group(GROUP1) + + modgroup = dict(GROUP1) + modgroup['name'] = 'group1_mod' + add_group_with_canary.groupmod(old_name=GROUP1["name"], **modgroup) + + check_group(modgroup) + + +def test_mod_group_gid(add_group_with_canary, files_domain_only): + """ + Test that modifying a group name is detected and the group + is modified in the sssd database + """ + check_group(GROUP1) + + modgroup = dict(GROUP1) + modgroup['gid'] = 30002 + 
add_group_with_canary.groupmod(old_name=GROUP1["name"], **modgroup) + + check_group(modgroup) + + +@pytest.fixture +def add_group_nomem_with_canary(request): + return setup_gr_with_list(request, [GROUP_NOMEM, CANARY_GR]) + + +def test_getgrnam_no_members(add_group_nomem_with_canary, files_domain_only): + """ + Test that after startup without any additional operations, a group + can be resolved through sssd + """ + check_group(GROUP_NOMEM) + + +def groupadd_list(grp_ops, groups): + for grp in groups: + grp_ops.groupadd(**grp) + + +def useradd_list(pwd_ops, users): + for usr in users: + pwd_ops.useradd(**usr) + + +def user_and_group_setup(pwd_ops, grp_ops, users, groups, reverse): + """ + The reverse is added so that we test cases where a group is added first, + then a user for this group is created -- in that case, we need to properly + link the group after the user is added. + """ + if reverse is False: + useradd_list(pwd_ops, users) + groupadd_list(grp_ops, groups) + else: + groupadd_list(grp_ops, groups) + useradd_list(pwd_ops, users) + + +def members_check(added_groups): + # Test that users are members as per getgrnam + check_group_list(added_groups) + + # Test that users are members as per initgroups + for group in added_groups: + for member in group['mem']: + res, groups = sssd_id_sync(member) + assert res == sssd_id.NssReturnCode.SUCCESS + assert group['name'] in groups + + +def test_getgrnam_members_users_first(setup_pw_with_canary, + setup_gr_with_canary, + files_domain_only): + """ + A user is linked with a group + """ + user_and_group_setup(setup_pw_with_canary, + setup_gr_with_canary, + [USER1], + [GROUP1], + False) + members_check([GROUP1]) + + +def test_getgrnam_members_users_multiple(setup_pw_with_canary, + setup_gr_with_canary, + files_domain_only): + """ + Multiple users are linked with a group + """ + user_and_group_setup(setup_pw_with_canary, + setup_gr_with_canary, + [USER1, USER2], + [GROUP12], + False) + members_check([GROUP12]) + + +def 
test_getgrnam_members_groups_first(setup_pw_with_canary, + setup_gr_with_canary, + files_domain_only): + """ + A group is linked with a user + """ + user_and_group_setup(setup_pw_with_canary, + setup_gr_with_canary, + [USER1], + [GROUP1], + True) + members_check([GROUP1]) + + +def test_getgrnam_ghost(setup_pw_with_canary, + setup_gr_with_canary, + files_domain_only): + """ + Test that a group with members while the members are not present + are added as ghosts. This is also what nss_files does, getgrnam would + return group members that do not exist as well. + """ + user_and_group_setup(setup_pw_with_canary, + setup_gr_with_canary, + [], + [GROUP12], + False) + check_group(GROUP12) + for member in GROUP12['mem']: + res, _ = call_sssd_getpwnam(member) + assert res == NssReturnCode.NOTFOUND + + +def ghost_and_member_test(pw_ops, grp_ops, reverse): + user_and_group_setup(pw_ops, + grp_ops, + [USER1], + [GROUP12], + reverse) + check_group(GROUP12) + + # We checked that the group added has the same members as group12, + # so both user1 and user2. Now check that user1 is a member of + # group12 and its own primary GID but user2 doesn't exist, it's + # just a ghost entry + res, groups = sssd_id_sync('user1') + assert res == sssd_id.NssReturnCode.SUCCESS + assert len(groups) == 2 + assert 'group12' in groups + + res, _ = call_sssd_getpwnam('user2') + assert res == NssReturnCode.NOTFOUND + + +def test_getgrnam_user_ghost_and_member(setup_pw_with_canary, + setup_gr_with_canary, + files_domain_only): + """ + Test that a group with one member and one ghost. 
+ """ + ghost_and_member_test(setup_pw_with_canary, + setup_gr_with_canary, + False) + + +def test_getgrnam_user_member_and_ghost(setup_pw_with_canary, + setup_gr_with_canary, + files_domain_only): + """ + Test that a group with one member and one ghost, adding the group + first and then linking the member + """ + ghost_and_member_test(setup_pw_with_canary, + setup_gr_with_canary, + True) + + +def test_getgrnam_add_remove_members(setup_pw_with_canary, + add_group_nomem_with_canary, + files_domain_only): + """ + Test that a user is linked with a group + """ + pwd_ops = setup_pw_with_canary + + check_group(GROUP_NOMEM) + + for usr in [USER1, USER2]: + pwd_ops.useradd(**usr) + + modgroup = dict(GROUP_NOMEM) + modgroup['mem'] = ['user1', 'user2'] + add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup) + check_group(modgroup) + + res, groups = sssd_id_sync('user1') + assert res == sssd_id.NssReturnCode.SUCCESS + assert len(groups) == 2 + assert 'group_nomem' in groups + + res, groups = sssd_id_sync('user2') + assert res == sssd_id.NssReturnCode.SUCCESS + assert 'group_nomem' in groups + + modgroup['mem'] = ['user2'] + add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup) + check_group(modgroup) + + # User1 exists, but is not a member of any supplementary group anymore + res, _ = call_sssd_getpwnam('user1') + assert res == sssd_id.NssReturnCode.SUCCESS + res, groups = sssd_id_sync('user1') + assert res == sssd_id.NssReturnCode.NOTFOUND + + # user2 still is + res, groups = sssd_id_sync('user2') + assert res == sssd_id.NssReturnCode.SUCCESS + assert len(groups) == 2 + assert 'group_nomem' in groups + + +def test_getgrnam_add_remove_ghosts(setup_pw_with_canary, + add_group_nomem_with_canary, + files_domain_only): + """ + Test that a user is linked with a group + """ + pwd_ops = setup_pw_with_canary + + check_group(GROUP_NOMEM) + + modgroup = dict(GROUP_NOMEM) + modgroup['mem'] = ['user1', 'user2'] + 
add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup) + check_group(modgroup) + + modgroup['mem'] = ['user2'] + add_group_nomem_with_canary.groupmod(old_name=modgroup['name'], **modgroup) + check_group(modgroup) + + res, _ = call_sssd_getpwnam('user1') + assert res == NssReturnCode.NOTFOUND + res, _ = call_sssd_getpwnam('user2') + assert res == NssReturnCode.NOTFOUND + + # Add this user and verify it's been added as a member + pwd_ops.useradd(**USER2) + res, groups = sssd_id_sync('user2') + assert res == sssd_id.NssReturnCode.SUCCESS + assert len(groups) == 2 + assert 'group_nomem' in groups + + +def realloc_users(pwd_ops, num): + # Intentionally not including the the last one because + # canary is added first + for i in range(1, num): + user = user_generator(i) + pwd_ops.useradd(**user) + + user = user_generator(num-1) + check_user(user) + + +def test_realloc_users_exact(setup_pw_with_canary, files_domain_only): + """ + Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c) + works fine to test reallocation logic. Test exact number of users to + check for off-by-one errors. + """ + realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK) + + +def test_realloc_users(setup_pw_with_canary, files_domain_only): + """ + Test that returning exactly FILES_REALLOC_CHUNK users (see files_ops.c) + works fine to test reallocation logic. + """ + realloc_users(setup_pw_with_canary, FILES_REALLOC_CHUNK*3) + + +def realloc_groups(grp_ops, num): + for i in range(1, num): + group = group_generator(i) + grp_ops.groupadd(**group) + + group = group_generator(num-1) + check_group(group) + + +def test_realloc_groups_exact(setup_gr_with_canary, files_domain_only): + """ + Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c) + works fine to test reallocation logic. Test exact number of groups to + check for off-by-one errors. 
+ """ + realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3) + + +def test_realloc_groups(setup_gr_with_canary, files_domain_only): + """ + Test that returning exactly FILES_REALLOC_CHUNK groups (see files_ops.c) + works fine to test reallocation logic. Test exact number of groups to + check for off-by-one errors. + """ + realloc_groups(setup_gr_with_canary, FILES_REALLOC_CHUNK*3) + + +# Files domain autoconfiguration tests +def test_no_sssd_domain(add_user_with_canary, no_sssd_domain): + """ + Test that if no sssd domain is configured, sssd will add the implicit one + """ + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user == USER1 + + +def test_proxy_to_files_domain_only(add_user_with_canary, + proxy_to_files_domain_only): + """ + Test that implicit_files domain is not started together with proxy to files + """ + local_user1 = dict(name='user1', passwd='*', uid=10009, gid=10009, + gecos='user1', dir='/home/user1', shell='/bin/bash') + + # Add a user with a different UID than the one in files + subprocess.check_call( + ["sss_useradd", "-u", "10009", "-M", USER1["name"]]) + + res, user = call_sssd_getpwnam(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user == local_user1 + + res, _ = call_sssd_getpwnam("{0}@implicit_files".format(USER1["name"])) + assert res == NssReturnCode.NOTFOUND + + +def test_no_files_domain(add_user_with_canary, no_files_domain): + """ + Test that if no files domain is configured, sssd will add the implicit one + before any explicitly configured domains + """ + # Add a user with a different UID than the one in files + subprocess.check_call( + ["sss_useradd", "-u", "10009", "-M", USER1["name"]]) + + # Even though the local domain is the only one configured, + # files will be resolved first + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user == USER1 + + +def test_disable_files_domain(add_user_with_canary, 
disabled_files_domain): + """ + Test that if no files domain is configured, sssd will add the implicit one + before any explicitly configured domains + """ + # The local user will not be resolvable through nss_sss now + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res != NssReturnCode.SUCCESS + + +def test_no_sssd_conf(add_user_with_canary, no_sssd_conf): + """ + Test that running without sssd.conf implicitly configures one with + id_provider=files + """ + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user == USER1 + + +def test_multiple_passwd_group_files(add_user_with_canary, + add_group_with_canary, + files_multiple_sources): + """ + Test that users and groups can be mirrored from multiple files + """ + alt_pwops, alt_grops = files_multiple_sources + alt_pwops.useradd(**ALT_USER1) + alt_grops.groupadd(**ALT_GROUP1) + + check_user(USER1) + check_user(ALT_USER1) + + check_group(GROUP1) + check_group(ALT_GROUP1) + + +def test_multiple_files_created_after_startup(add_user_with_canary, + add_group_with_canary, + files_multiple_sources_nocreate): + """ + Test that users and groups can be mirrored from multiple files, + but those files are not created when SSSD starts, only afterwards. + """ + alt_passwd_path, alt_group_path = files_multiple_sources_nocreate + + check_user(USER1) + check_group(GROUP1) + + # touch the files + for fpath in (alt_passwd_path, alt_group_path): + with open(fpath, "w") as f: + pass + + alt_pwops = PasswdOps(alt_passwd_path) + alt_grops = GroupOps(alt_group_path) + alt_pwops.useradd(**ALT_USER1) + alt_grops.groupadd(**ALT_GROUP1) + + check_user(ALT_USER1) + check_group(ALT_GROUP1) + + +def test_files_with_domain_resolution_order(add_user_with_canary, + domain_resolution_order): + """ + Test that when using domain_resolution_order the user won't be using + its fully-qualified name. 
+ """ + check_user(USER1) + + +def test_files_with_override_homedir(add_user_with_canary, + override_homedir_and_shell): + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user["dir"] == USER1["dir"] + + +def test_files_with_override_shell(add_user_with_canary, + override_homedir_and_shell): + res, user = sssd_getpwnam_sync(USER1["name"]) + assert res == NssReturnCode.SUCCESS + assert user["shell"] == USER1["shell"] diff --git a/src/tests/intg/test_infopipe.py b/src/tests/intg/test_infopipe.py new file mode 100644 index 0000000..b851bbd --- /dev/null +++ b/src/tests/intg/test_infopipe.py 
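Review bot: `files_multiple_sources_nocreate` takes both alternate paths from `tempfile.mktemp`, which only reserves a name in the shared temporary directory; `test_multiple_files_created_after_startup` later creates those names with `open(fpath, "w")`, and the fixture lists them as `passwd_files`/`group_files` in sssd.conf. Between name generation and creation another local user can pre-create the name or leave a symlink there, so the suite would write passwd and group records through a path it does not control, and SSSD would read identity data from it. Creating a private directory with `tempfile.mkdtemp` and placing the two not-yet-existing files inside it keeps the "file appears after startup" scenario while removing the race; this needs `import shutil` at the top of the file and assumes the provider's watch on a missing file behaves the same inside a fresh directory (to be confirmed). The single directory finalizer also replaces the two `os.unlink` finalizers, which raise when a test never creates the files.

```python
def files_multiple_sources_nocreate(request):
    # … unchanged: docstring …
    alt_dir = tempfile.mkdtemp(prefix='altfiles')
    request.addfinalizer(lambda: shutil.rmtree(alt_dir, ignore_errors=True))
    alt_passwd_path = os.path.join(alt_dir, 'passwd')
    alt_group_path = os.path.join(alt_dir, 'group')
    # … unchanged: passwd_list/group_list, sssd.conf text, fixture setup, return …
```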
@@ -0,0 +1,547 @@ +# +# Infopipe integration test +# +# Copyright (c) 2017 Red Hat, Inc. +# Author: Lukas Slebodnik +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from __future__ import print_function + +import os +import stat +import pwd +import signal +import subprocess +import errno +import time +import ldap +import ldap.modlist +import pytest +import dbus + +import config +import ds_openldap +import ldap_ent +from util import unindent, get_call_output + +LDAP_BASE_DN = "dc=example,dc=com" +INTERACTIVE_TIMEOUT = 4 + + +class DbusDaemon(object): + def __init__(self): + self.pid = 0 + + def start(self): + """Start the SSSD process""" + assert self.pid == 0 + + dbus_config_path = config.SYSCONFDIR + "/dbus-1/cwrap-dbus-system.conf" + dbus_commands = [ + ["dbus-daemon", "--config-file", dbus_config_path, + "--nosyslog", "--fork"], + ["dbus-daemon", "--config-file", dbus_config_path, "--fork"], + ] + dbus_started = False + for dbus_command in dbus_commands: + try: + if subprocess.call(dbus_command) == 0: + dbus_started = True + break + else: + print("start failed for %s" % " ".join(dbus_command)) + except OSError as ex: + if ex.errno == errno.ENOENT: + print("%s does not exist" % (dbus_command[0])) + pass + + if not dbus_started: + raise Exception("dbus-daemon start failed") + dbus_pid_path = config.RUNSTATEDIR + "/dbus/messagebus.pid" + # wait 10 seconds for pidfile + wait_time = 10 + for _ in range(wait_time * 10): + if os.path.isfile(dbus_pid_path): + break + 
time.sleep(.1) + + assert os.path.isfile(dbus_pid_path) + with open(dbus_pid_path, "r") as pid_file: + self.pid = int(pid_file.read()) + + def stop(self): + """Stop the SSSD process and remove its state""" + + # stop process only if running + if self.pid != 0: + try: + os.kill(self.pid, signal.SIGTERM) + while True: + try: + os.kill(self.pid, signal.SIGCONT) + except: + break + time.sleep(.1) + except: + pass + + # clean pid so we can start service one more time + self.pid = 0 + + # dbus-daemon 1.2.24 does not clean pid file after itself + try: + os.unlink(config.RUNSTATEDIR + "/dbus/messagebus.pid") + except OSError as ex: + if ex.errno != errno.ENOENT: + raise + + +@pytest.fixture(scope="module") +def dbus_system_bus(request): + dbus_daemon = DbusDaemon() + dbus_daemon.start() + + def cleanup_dbus_process(): + dbus_daemon.stop() + request.addfinalizer(cleanup_dbus_process) + + return dbus.SystemBus() + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(ds_inst.teardown) + + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(ldap_conn.unbind_s) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP entries from ent_list""" + if ent_list is not None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + 
ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307 = "rfc2307" +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """Format a basic SSSD configuration""" + schema_conf = "ldap_schema = " + schema + "\n" + if schema == SCHEMA_RFC2307_BIS: + schema_conf += "ldap_group_object_class = groupOfNames\n" + + valgrind_cmd = "valgrind --log-file=%s/valgrind_ifp.log" % config.LOG_PATH + ifp_command = "%s %s/sssd/sssd_ifp " % (valgrind_cmd, config.LIBEXEC_PATH) + return unindent("""\ + [sssd] + debug_level = 0xffff + domains = LDAP, app + services = nss, ifp + enable_files_domain = false + + [nss] + memcache_timeout = 0 + + [ifp] + # it need to be executed with valgrind because there is a problem + # problem with "ifp" + client regristration in monitor + # There is not such problem in 1st test. Just in following tests. 
+ command = {ifp_command} --uid 0 --gid 0 --debug-to-files + + [domain/LDAP] + {schema_conf} + id_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + + [application/app] + inherit_from = LDAP + """).format(**locals()) + + +def format_interactive_conf(ldap_conn, schema): + """Format an SSSD configuration with all caches refreshing in 4 seconds""" + return \ + format_basic_conf(ldap_conn, schema) + \ + unindent(""" + [nss] + memcache_timeout = 0 + entry_negative_timeout = 0 + + [domain/LDAP] + ldap_purge_cache_timeout = 1 + entry_cache_timeout = {0} + """).format(INTERACTIVE_TIMEOUT) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + with open(config.CONF_PATH, "w") as conf: + conf.write(contents) + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + with open(config.PIDFILE_PATH, "r") as pid_file: + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_cleanup(request): + """Add 
teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +@pytest.fixture +def sanity_rfc2307(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + + ent_list.add_group("group1", 2001) + ent_list.add_group("group2", 2002) + ent_list.add_group("group3", 2003) + + ent_list.add_group("empty_group", 2010) + + ent_list.add_group("single_user_group", 2011, ["user1"]) + ent_list.add_group("two_user_group", 2012, ["user1", "user2"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def simple_rfc2307(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user('usr\\\\001', 181818, 181818) + ent_list.add_group("group1", 181818) + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ping_raw(dbus_system_bus, ldap_conn, simple_rfc2307): + # test with disabled introspection + sssd_obj = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe', + '/org/freedesktop/sssd/infopipe', + introspect=False) + sssd_interface = dbus.Interface(sssd_obj, 'org.freedesktop.sssd.infopipe') + + # test missing parameter + with pytest.raises(dbus.exceptions.DBusException) as exc_info: + sssd_interface.Ping() + assert exc_info.errisinstance(dbus.exceptions.DBusException) + + ex = exc_info.value + assert ex.get_dbus_name() == 'org.freedesktop.DBus.Error.InvalidArgs' + assert ex.get_dbus_message() == 
'Argument 0 is specified to be of type ' \ + '"string", but is actually of type ' \ + '"invalid"\n' + + # test wrong parameter type + with pytest.raises(dbus.exceptions.DBusException) as exc_info: + sssd_interface.Ping(1) + assert exc_info.errisinstance(dbus.exceptions.DBusException) + + ex = exc_info.value + assert ex.get_dbus_name() == 'org.freedesktop.DBus.Error.InvalidArgs' + assert ex.get_dbus_message() == 'Argument 0 is specified to be of type ' \ + '"string", but is actually of type ' \ + '"int32"\n' + + # test wrong parameter value + with pytest.raises(dbus.exceptions.DBusException) as exc_info: + sssd_interface.Ping('test') + assert exc_info.errisinstance(dbus.exceptions.DBusException) + + ex = exc_info.value + assert ex.get_dbus_name() == 'org.freedesktop.DBus.Error.InvalidArgs' + assert ex.get_dbus_message() == 'Ping() only accepts "ping" as a param\n' + + # positive test + ret = sssd_interface.Ping('ping') + assert ret == "PONG" + + # test case insensitive input + ret = sssd_interface.Ping('PinG') + assert ret == "PONG" + + ret = sssd_interface.Ping('PING') + assert ret == "PONG" + + +def test_ping_introspection(dbus_system_bus, ldap_conn, simple_rfc2307): + sssd_obj = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe', + '/org/freedesktop/sssd/infopipe') + sssd_interface = dbus.Interface(sssd_obj, 'org.freedesktop.sssd.infopipe') + + # test missing parameter + with pytest.raises(TypeError) as exc_info: + sssd_interface.Ping() + assert exc_info.errisinstance(TypeError) + + ex = exc_info.value + assert str(ex) == 'More items found in D-Bus signature than in Python ' \ + 'arguments' + + # test wrong parameter type + with pytest.raises(TypeError) as exc_info: + sssd_interface.Ping(1) + assert exc_info.errisinstance(TypeError) + + ex = exc_info.value + assert str(ex) == 'Expected a string or unicode object' + + # test wrong parameter value + with pytest.raises(dbus.exceptions.DBusException) as exc_info: + sssd_interface.Ping('test') + assert 
exc_info.errisinstance(dbus.exceptions.DBusException) + + ex = exc_info.value + assert ex.get_dbus_name() == 'org.freedesktop.DBus.Error.InvalidArgs' + assert ex.get_dbus_message() == 'Ping() only accepts "ping" as a param\n' + + # positive test + ret = sssd_interface.Ping('ping') + assert ret == "PONG" + + # test case insensitive input + ret = sssd_interface.Ping('PinG') + assert ret == "PONG" + + ret = sssd_interface.Ping('PING') + assert ret == "PONG" + + +def test_special_characters(dbus_system_bus, ldap_conn, simple_rfc2307): + sssd_obj = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe', + '/org/freedesktop/sssd/infopipe') + sssd_interface = dbus.Interface(sssd_obj, 'org.freedesktop.sssd.infopipe') + + attributes = ['name', 'uidNumber', 'gidNumber', 'gecos', 'homeDirectory', + 'loginShell'] + expected = dict(name='usr\\001', uidNumber='181818', gidNumber='181818', + gecos='181818', homeDirectory='/home/usr\\\\001', + loginShell='/bin/bash') + + user_attrs = sssd_interface.GetUserAttr('usr\\001', attributes) + assert user_attrs.signature == 'sv' + assert user_attrs.variant_level == 0 + + assert len(attributes) == len(user_attrs) + assert sorted(attributes) == sorted(user_attrs.keys()) + + # check values of attributes + for attr in user_attrs: + assert user_attrs[attr].signature == 's' + assert user_attrs[attr].variant_level == 1 + assert user_attrs[attr][0] == expected[attr] + + +def test_get_user_attr(dbus_system_bus, ldap_conn, sanity_rfc2307): + sssd_obj = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe', + '/org/freedesktop/sssd/infopipe') + sssd_interface = dbus.Interface(sssd_obj, 'org.freedesktop.sssd.infopipe') + + # negative test + with pytest.raises(dbus.exceptions.DBusException) as exc_info: + sssd_interface.GetUserAttr('non_existent_user', ['name']) + assert exc_info.errisinstance(dbus.exceptions.DBusException) + + ex = exc_info.value + assert ex.get_dbus_name() == 'org.freedesktop.DBus.Error.Failed' + assert 
ex.get_dbus_message() == 'No such user\n' + + # test 0 attributes + user_attrs = sssd_interface.GetUserAttr('user1', []) + + assert user_attrs.signature == 'sv' + assert user_attrs.variant_level == 0 + + # expect empty sequence; len(user_attrs) == 0 + assert not user_attrs + + # positive test + attributes = ['name', 'uidNumber', 'gidNumber', 'gecos', 'homeDirectory', + 'loginShell'] + expected = dict(name='user1', uidNumber='1001', gidNumber='2001', + gecos='1001', homeDirectory='/home/user1', + loginShell='/bin/bash') + user_attrs = sssd_interface.GetUserAttr('user1', attributes) + + assert user_attrs.signature == 'sv' + assert user_attrs.variant_level == 0 + + assert len(attributes) == len(user_attrs) + assert sorted(attributes) == sorted(user_attrs.keys()) + + # check values of attributes + for attr in user_attrs: + assert user_attrs[attr].signature == 's' + assert user_attrs[attr].variant_level == 1 + assert user_attrs[attr][0] == expected[attr] + + +def test_get_user_groups(dbus_system_bus, ldap_conn, sanity_rfc2307): + sssd_obj = dbus_system_bus.get_object('org.freedesktop.sssd.infopipe', + '/org/freedesktop/sssd/infopipe') + sssd_interface = dbus.Interface(sssd_obj, 'org.freedesktop.sssd.infopipe') + + # negative test + with pytest.raises(dbus.exceptions.DBusException) as exc_info: + sssd_interface.GetUserGroups('non_existent_user') + assert exc_info.errisinstance(dbus.exceptions.DBusException) + + ex = exc_info.value + assert ex.get_dbus_name() == 'org.freedesktop.DBus.Error.Failed' + assert ex.get_dbus_message() == 'No such user\n' + + # the same test via nss responder + with pytest.raises(KeyError): + pwd.getpwnam("non_existent_user") + + # 0 groups + res = sssd_interface.GetUserGroups('user3') + assert res.signature == 's' + assert res.variant_level == 0 + + # expect empty sequence; len(res) == 0 + assert not res + + # single group + res = sssd_interface.GetUserGroups('user2') + assert res.signature == 's' + assert res.variant_level == 0 + + assert 
len(res) == 1 + assert res[0] == 'two_user_group' + + # more groups + res = sssd_interface.GetUserGroups('user1') + assert res.signature == 's' + assert res.variant_level == 0 + + assert len(res) == 2 + assert sorted(res) == ['single_user_group', 'two_user_group'] + + +def test_sssctl_domain_list_app_domain(dbus_system_bus, + ldap_conn, + sanity_rfc2307): + output = get_call_output(["sssctl", "domain-list"], subprocess.STDOUT) + + assert "Error" not in output + assert output.find("LDAP") != -1 + assert output.find("app") != -1 diff --git a/src/tests/intg/test_kcm.py b/src/tests/intg/test_kcm.py new file mode 100644 index 0000000..5bacc6f --- /dev/null +++ b/src/tests/intg/test_kcm.py 
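Review bot: `DbusDaemon.stop()` and `cleanup_sssd_process()` wait for the daemon to exit by sending `SIGCONT` in a `while True` loop under bare `except:` clauses, so any exception at all ends the wait and there is no deadline. An `EPERM` from `os.kill`, or a failure to read or parse the pidfile in `cleanup_sssd_process()`, is treated the same as "process gone", after which the files under `config.DB_PATH` and `config.MCACHE_PATH` are unlinked while sssd may still be running; a daemon that ignores `SIGTERM` hangs the teardown instead. I would catch `OSError` only, treat `errno.ESRCH` as the exit signal and bound the poll, as sketched below for `stop()`; the same shape applies to `cleanup_sssd_process()`. The docstrings on `DbusDaemon.start()` and `stop()` also still say "the SSSD process" and should name dbus-daemon.

```python
    def stop(self):
        # ... unchanged: docstring ...
        if self.pid != 0:
            try:
                os.kill(self.pid, signal.SIGTERM)
                # poll for exit, but give up after roughly 10 seconds
                for _ in range(100):
                    os.kill(self.pid, signal.SIGCONT)
                    time.sleep(.1)
                else:
                    raise Exception("dbus-daemon did not exit")
            except OSError as ex:
                # ESRCH means the process is gone; anything else is a real error
                if ex.errno != errno.ESRCH:
                    raise
        # ... unchanged: pid reset and pidfile removal ...
```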
@@ -0,0 +1,516 @@ +# +# KCM responder integration tests +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import os.path +import stat +import subprocess +import pytest +import socket +import time +import signal +from requests import HTTPError + +import kdc +import krb5utils +import config +from util import unindent +from test_secrets import create_sssd_secrets_fixture +from secrets import SecretsLocalClient + +MAX_SECRETS = 10 + + +class KcmTestEnv(object): + def __init__(self, k5kdc, k5util): + self.k5kdc = k5kdc + self.k5util = k5util + self.counter = 0 + + def my_uid(self): + s_myuid = os.environ['NON_WRAPPED_UID'] + return int(s_myuid) + + def ccname(self, my_uid=None): + if my_uid is None: + my_uid = self.my_uid() + + return "KCM:%d" % my_uid + + +@pytest.fixture(scope="module") +def kdc_instance(request): + """Kerberos server instance fixture""" + kdc_instance = kdc.KDC(config.PREFIX, "KCMTEST") + try: + kdc_instance.set_up() + kdc_instance.start_kdc() + except: + kdc_instance.teardown() + raise + request.addfinalizer(kdc_instance.teardown) + return kdc_instance + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + with open(config.CONF_PATH, "w") as conf: + conf.write(contents) + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def create_sssd_kcm_fixture(sock_path, request): + if 
subprocess.call(['sssd', "--genconf"]) != 0: + raise Exception("failed to regenerate confdb") + + resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_kcm") + if not os.access(resp_path, os.X_OK): + # It would be cleaner to use pytest.mark.skipif on the package level + # but upstream insists on supporting RHEL-6.. + pytest.skip("No KCM responder, skipping") + + kcm_pid = os.fork() + assert kcm_pid >= 0 + + if kcm_pid == 0: + if subprocess.call([resp_path, "--uid=0", "--gid=0"]) != 0: + print("sssd_kcm failed to start") + sys.exit(99) + else: + abs_sock_path = os.path.join(config.RUNSTATEDIR, sock_path) + sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + for _ in range(1, 100): + try: + sck.connect(abs_sock_path) + except: + time.sleep(0.1) + else: + break + sck.close() + assert os.path.exists(abs_sock_path) + + def kcm_teardown(): + if kcm_pid == 0: + return + os.kill(kcm_pid, signal.SIGTERM) + + request.addfinalizer(kcm_teardown) + return kcm_pid + + +def create_sssd_conf(kcm_path, ccache_storage, max_secrets=MAX_SECRETS): + return unindent("""\ + [sssd] + domains = local + services = nss + + [domain/local] + id_provider = local + + [kcm] + socket_path = {kcm_path} + ccache_storage = {ccache_storage} + + [secrets] + max_secrets = {max_secrets} + """).format(**locals()) + + +def common_setup_for_kcm_mem(request, kdc_instance, kcm_path, sssd_conf): + kcm_socket_include = unindent(""" + [libdefaults] + default_ccache_name = KCM: + kcm_socket = {kcm_path} + """).format(**locals()) + kdc_instance.add_config({'kcm_socket': kcm_socket_include}) + + create_conf_fixture(request, sssd_conf) + create_sssd_kcm_fixture(kcm_path, request) + + k5util = krb5utils.Krb5Utils(kdc_instance.krb5_conf_path) + + return KcmTestEnv(kdc_instance, k5util) + + +@pytest.fixture +def setup_for_kcm_mem(request, kdc_instance): + """ + Just set up the local provider for tests and enable the KCM + responder + """ + kcm_path = os.path.join(config.RUNSTATEDIR, "kcm.socket") + 
sssd_conf = create_sssd_conf(kcm_path, "memory") + return common_setup_for_kcm_mem(request, kdc_instance, kcm_path, sssd_conf) + + +@pytest.fixture +def setup_secrets(request): + create_sssd_secrets_fixture(request) + + +@pytest.fixture +def setup_for_kcm_sec(request, kdc_instance): + """ + Just set up the local provider for tests and enable the KCM + responder + """ + kcm_path = os.path.join(config.RUNSTATEDIR, "kcm.socket") + sssd_conf = create_sssd_conf(kcm_path, "secrets") + return common_setup_for_kcm_mem(request, kdc_instance, kcm_path, sssd_conf) + + +def kcm_init_list_destroy(testenv): + """ + Test that kinit, kdestroy and klist work with KCM + """ + testenv.k5kdc.add_principal("kcmtest", "Secret123") + + ok = testenv.k5util.has_principal("kcmtest@KCMTEST") + assert ok is False + nprincs = testenv.k5util.num_princs() + assert nprincs == 0 + + out, _, _ = testenv.k5util.kinit("kcmtest", "Secret123") + assert out == 0 + nprincs = testenv.k5util.num_princs() + assert nprincs == 1 + + exp_ccname = testenv.ccname() + ok = testenv.k5util.has_principal("kcmtest@KCMTEST", exp_ccname) + assert ok is True + + out = testenv.k5util.kdestroy() + assert out == 0 + + ok = testenv.k5util.has_principal("kcmtest@KCMTEST") + assert ok is False + nprincs = testenv.k5util.num_princs() + assert nprincs == 0 + + +def test_kcm_mem_init_list_destroy(setup_for_kcm_mem): + testenv = setup_for_kcm_mem + kcm_init_list_destroy(testenv) + + +def test_kcm_sec_init_list_destroy(setup_for_kcm_sec, + setup_secrets): + testenv = setup_for_kcm_sec + kcm_init_list_destroy(testenv) + + +def kcm_overwrite(testenv): + """ + Test that reusing a ccache reinitializes the cache and doesn't + add the same principal twice + """ + testenv.k5kdc.add_principal("kcmtest", "Secret123") + exp_ccache = {'kcmtest@KCMTEST': ['krbtgt/KCMTEST@KCMTEST']} + + assert testenv.k5util.num_princs() == 0 + + out, _, _ = testenv.k5util.kinit("kcmtest", "Secret123") + assert out == 0 + assert exp_ccache == 
testenv.k5util.list_all_princs() + + out, _, _ = testenv.k5util.kinit("kcmtest", "Secret123") + assert out == 0 + assert exp_ccache == testenv.k5util.list_all_princs() + + +def test_kcm_mem_overwrite(setup_for_kcm_mem): + testenv = setup_for_kcm_mem + kcm_overwrite(testenv) + + +def test_kcm_sec_overwrite(setup_for_kcm_sec, + setup_secrets): + testenv = setup_for_kcm_sec + kcm_overwrite(testenv) + + +def collection_init_list_destroy(testenv): + """ + Test that multiple principals and service tickets can be stored + in a collection. + """ + testenv.k5kdc.add_principal("alice", "alicepw") + testenv.k5kdc.add_principal("bob", "bobpw") + testenv.k5kdc.add_principal("carol", "carolpw") + testenv.k5kdc.add_principal("host/somehostname") + + assert testenv.k5util.num_princs() == 0 + + out, _, _ = testenv.k5util.kinit("alice", "alicepw") + assert out == 0 + assert testenv.k5util.default_principal() == 'alice@KCMTEST' + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 1 + assert cc_coll['alice@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert 'bob@KCMTEST' not in cc_coll + assert 'carol@KCMTEST' not in cc_coll + + out, _, _ = testenv.k5util.kinit("bob", "bobpw") + assert out == 0 + assert testenv.k5util.default_principal() == 'bob@KCMTEST' + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 2 + assert cc_coll['alice@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert cc_coll['bob@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert 'carol@KCMTEST' not in cc_coll + + out, _, _ = testenv.k5util.kinit("carol", "carolpw") + assert out == 0 + assert testenv.k5util.default_principal() == 'carol@KCMTEST' + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 3 + assert cc_coll['alice@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert cc_coll['bob@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert cc_coll['carol@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + + out, _, _ = testenv.k5util.kvno('host/somehostname') + assert out == 0 + cc_coll = 
testenv.k5util.list_all_princs() + assert len(cc_coll) == 3 + assert set(cc_coll['carol@KCMTEST']) == set(['krbtgt/KCMTEST@KCMTEST', + 'host/somehostname@KCMTEST']) + + out = testenv.k5util.kdestroy() + assert out == 0 + # If the default is removed, KCM just uses whetever is the first entry + # in the collection as the default. And sine the KCM back ends don't + # guarantee if they are FIFO or LIFO, just check for either alice or bob + assert testenv.k5util.default_principal() in \ + ['alice@KCMTEST', 'bob@KCMTEST'] + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 2 + assert cc_coll['alice@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert cc_coll['bob@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert 'carol@KCMTEST' not in cc_coll + + +def test_kcm_mem_collection_init_list_destroy(setup_for_kcm_mem): + testenv = setup_for_kcm_mem + collection_init_list_destroy(testenv) + + +def test_kcm_sec_collection_init_list_destroy(setup_for_kcm_sec, + setup_secrets): + testenv = setup_for_kcm_sec + collection_init_list_destroy(testenv) + + +def exercise_kswitch(testenv): + """ + Test switching between principals + """ + testenv.k5kdc.add_principal("alice", "alicepw") + testenv.k5kdc.add_principal("bob", "bobpw") + testenv.k5kdc.add_principal("host/somehostname") + testenv.k5kdc.add_principal("host/differenthostname") + + out, _, _ = testenv.k5util.kinit("alice", "alicepw") + assert out == 0 + assert testenv.k5util.default_principal() == 'alice@KCMTEST' + + out, _, _ = testenv.k5util.kinit("bob", "bobpw") + assert out == 0 + assert testenv.k5util.default_principal() == 'bob@KCMTEST' + + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 2 + assert cc_coll['alice@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + assert cc_coll['bob@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + + out = testenv.k5util.kswitch("alice@KCMTEST") + assert testenv.k5util.default_principal() == 'alice@KCMTEST' + out, _, _ = testenv.k5util.kvno('host/somehostname') + assert out == 
0 + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 2 + assert set(cc_coll['alice@KCMTEST']) == set(['krbtgt/KCMTEST@KCMTEST', + 'host/somehostname@KCMTEST']) + assert cc_coll['bob@KCMTEST'] == ['krbtgt/KCMTEST@KCMTEST'] + + out = testenv.k5util.kswitch("bob@KCMTEST") + assert testenv.k5util.default_principal() == 'bob@KCMTEST' + out, _, _ = testenv.k5util.kvno('host/differenthostname') + assert out == 0 + cc_coll = testenv.k5util.list_all_princs() + assert len(cc_coll) == 2 + assert set(cc_coll['alice@KCMTEST']) == set(['krbtgt/KCMTEST@KCMTEST', + 'host/somehostname@KCMTEST']) + assert set(cc_coll['bob@KCMTEST']) == set([ + 'krbtgt/KCMTEST@KCMTEST', + 'host/differenthostname@KCMTEST']) + + +def test_kcm_mem_kswitch(setup_for_kcm_mem): + testenv = setup_for_kcm_mem + exercise_kswitch(testenv) + + +def test_kcm_sec_kswitch(setup_for_kcm_sec, + setup_secrets): + testenv = setup_for_kcm_sec + exercise_kswitch(testenv) + + +def exercise_subsidiaries(testenv): + """ + Test that subsidiary caches are usable and KCM: without specifying UID + can be used to identify the collection + """ + testenv.k5kdc.add_principal("alice", "alicepw") + testenv.k5kdc.add_principal("bob", "bobpw") + testenv.k5kdc.add_principal("host/somehostname") + testenv.k5kdc.add_principal("host/differenthostname") + + out, _, _ = testenv.k5util.kinit("alice", "alicepw") + assert out == 0 + out, _, _ = testenv.k5util.kvno('host/somehostname') + + out, _, _ = testenv.k5util.kinit("bob", "bobpw") + assert out == 0 + out, _, _ = testenv.k5util.kvno('host/differenthostname') + + exp_cc_coll = dict() + exp_cc_coll['alice@KCMTEST'] = 'host/somehostname@KCMTEST' + exp_cc_coll['bob@KCMTEST'] = 'host/differenthostname@KCMTEST' + + klist_l = testenv.k5util.list_princs() + princ_ccache = dict() + for line in klist_l: + princ, subsidiary = line.split() + princ_ccache[princ] = subsidiary + + for princ, subsidiary in princ_ccache.items(): + env = {'KRB5CCNAME': subsidiary} + cc_coll = 
testenv.k5util.list_all_princs(env=env) + assert len(cc_coll) == 1 + assert princ in cc_coll + assert exp_cc_coll[princ] in cc_coll[princ] + + cc_coll = testenv.k5util.list_all_princs(env={'KRB5CCNAME': 'KCM:'}) + assert len(cc_coll) == 2 + assert set(cc_coll['alice@KCMTEST']) == set(['krbtgt/KCMTEST@KCMTEST', + 'host/somehostname@KCMTEST']) + assert set(cc_coll['bob@KCMTEST']) == set([ + 'krbtgt/KCMTEST@KCMTEST', + 'host/differenthostname@KCMTEST']) + + +def test_kcm_mem_subsidiaries(setup_for_kcm_mem): + testenv = setup_for_kcm_mem + exercise_subsidiaries(testenv) + + +def test_kcm_sec_subsidiaries(setup_for_kcm_sec, + setup_secrets): + testenv = setup_for_kcm_sec + exercise_subsidiaries(testenv) + + +def kdestroy_nocache(testenv): + """ + Destroying a non-existing ccache should not throw an error + """ + testenv.k5kdc.add_principal("alice", "alicepw") + out, _, _ = testenv.k5util.kinit("alice", "alicepw") + assert out == 0 + + testenv.k5util.kdestroy() + assert out == 0 + out = testenv.k5util.kdestroy() + assert out == 0 + + +def test_kcm_mem_kdestroy_nocache(setup_for_kcm_mem): + testenv = setup_for_kcm_mem + exercise_subsidiaries(testenv) + + +def test_kcm_sec_kdestroy_nocache(setup_for_kcm_sec, + setup_secrets): + testenv = setup_for_kcm_sec + exercise_subsidiaries(testenv) + + +def test_kcm_sec_parallel_klist(setup_for_kcm_sec, + setup_secrets): + """ + Test that parallel operations from a single UID are handled well. 
+ Regression test for https://pagure.io/SSSD/sssd/issue/3372 + """ + testenv = setup_for_kcm_sec + + testenv.k5kdc.add_principal("alice", "alicepw") + out, _, _ = testenv.k5util.kinit("alice", "alicepw") + assert out == 0 + + processes = [] + for i in range(0, 10): + p = testenv.k5util.spawn_in_env(['klist', '-A']) + processes.append(p) + + for p in processes: + rc = p.wait() + assert rc == 0 + + +def get_secrets_socket(): + return os.path.join(config.RUNSTATEDIR, "secrets.socket") + + +@pytest.fixture +def secrets_cli(request): + sock_path = get_secrets_socket() + cli = SecretsLocalClient(sock_path=sock_path) + return cli + + +def test_kcm_secrets_quota(setup_for_kcm_sec, + setup_secrets, + secrets_cli): + testenv = setup_for_kcm_sec + cli = secrets_cli + + # Make sure the secrets store is depleted first + sec_value = "value" + for i in range(MAX_SECRETS): + cli.set_secret(str(i), sec_value) + + with pytest.raises(HTTPError) as err507: + cli.set_secret(str(MAX_SECRETS), sec_value) + assert str(err507.value).startswith("507") + + # We should still be able to store KCM ccaches, but no more + # than MAX_SECRETS + for i in range(MAX_SECRETS): + princ = "%s%d" % ("kcmtest", i) + testenv.k5kdc.add_principal(princ, princ) + + for i in range(MAX_SECRETS-1): + princ = "%s%d" % ("kcmtest", i) + out, _, _ = testenv.k5util.kinit(princ, princ) + assert out == 0 + + # we stored 0 to MAX_SECRETS-1, storing another one must fail + princ = "%s%d" % ("kcmtest", MAX_SECRETS) + out, _, _ = testenv.k5util.kinit(princ, princ) + assert out != 0 diff --git a/src/tests/intg/test_ldap.py b/src/tests/intg/test_ldap.py new file mode 100644 index 0000000..d70ae39 --- /dev/null +++ b/src/tests/intg/test_ldap.py 
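Review bot: `test_kcm_secrets_quota` ends by running `kinit` for `kcmtest10` (`"%s%d" % ("kcmtest", MAX_SECRETS)`), but the `add_principal` loop above it only registers `kcmtest0` to `kcmtest9`, so `assert out != 0` holds whether or not the quota is enforced. Registering one more principal, `for i in range(MAX_SECRETS + 1):` in the `add_principal` loop, would leave the quota as the only reason for that failure; the `kinit` loop also runs over `range(MAX_SECRETS-1)` while the comment says entries 0 to MAX_SECRETS-1 were stored, which is worth confirming. Separately, `test_kcm_mem_kdestroy_nocache` and `test_kcm_sec_kdestroy_nocache` call `exercise_subsidiaries(testenv)` instead of `kdestroy_nocache(testenv)`, so the double-destroy case never runs, and inside `kdestroy_nocache` the first `kdestroy()` result is discarded, so the following `assert out == 0` re-checks the `kinit` status (it should read `out = testenv.k5util.kdestroy()`). `create_sssd_kcm_fixture` calls `sys.exit(99)` in the forked child, but the import block in this hunk has no `import sys`, so that path would raise `NameError` instead of exiting with 99.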
@@ -0,0 +1,1802 @@
+#
+# LDAP integration test
+#
+# Copyright (c) 2015 Red Hat, Inc.
+# Author: Nikolai Kondrashov
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+import os
+import stat
+import pwd
+import grp
+import signal
+import subprocess
+import time
+import ldap
+import ldap.modlist
+import pytest
+
+import config
+import ds_openldap
+import ent
+import ldap_ent
+import sssd_id
+import sssd_ldb
+from util import unindent
+from sssd_nss import NssReturnCode
+from sssd_passwd import call_sssd_getpwnam, call_sssd_getpwuid
+from sssd_group import call_sssd_getgrnam, call_sssd_getgrgid
+from files_ops import passwd_ops_setup, group_ops_setup
+
+LDAP_BASE_DN = "dc=example,dc=com"
+INTERACTIVE_TIMEOUT = 4
+
+PASSWD_USER = dict(name='passwduser', passwd='x', uid=100000, gid=2000,
+ gecos='User for tests',
+ dir='/home/passwduser',
+ shell='/bin/bash')
+
+PASSWD_GROUP = dict(name='passwdgroup',
+ gid=200000,
+ mem=['passwduser'])
+
+
+@pytest.fixture(scope="module")
+def ds_inst(request):
+ """LDAP server instance fixture"""
+ ds_inst = ds_openldap.DSOpenLDAP(
+ config.PREFIX, 10389, LDAP_BASE_DN,
+ "cn=admin", "Secret123"
+ )
+
+ try:
+ ds_inst.setup()
+ except:
+ ds_inst.teardown()
+ raise
+ request.addfinalizer(ds_inst.teardown)
+ return ds_inst
+
+
+@pytest.fixture(scope="module")
+def ldap_conn(request, ds_inst):
+ """LDAP server connection fixture"""
+ ldap_conn = ds_inst.bind()
+ ldap_conn.ds_inst = ds_inst
+ request.addfinalizer(ldap_conn.unbind_s)
+ return
ldap_conn
+
+
+def create_ldap_entries(ldap_conn, ent_list=None):
+ """Add LDAP entries from ent_list"""
+ if ent_list is not None:
+ for entry in ent_list:
+ ldap_conn.add_s(entry[0], entry[1])
+
+
+def cleanup_ldap_entries(ldap_conn, ent_list=None):
+ """Remove LDAP entries added by create_ldap_entries"""
+ if ent_list is None:
+ for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"):
+ for entry in ldap_conn.search_s("ou=" + ou + "," +
+ ldap_conn.ds_inst.base_dn,
+ ldap.SCOPE_ONELEVEL,
+ attrlist=[]):
+ ldap_conn.delete_s(entry[0])
+ else:
+ for entry in ent_list:
+ ldap_conn.delete_s(entry[0])
+
+
+def create_ldap_cleanup(request, ldap_conn, ent_list=None):
+ """Add teardown for removing all user/group LDAP entries"""
+ request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list))
+
+
+def create_ldap_fixture(request, ldap_conn, ent_list=None, cleanup=True):
+ """Add LDAP entries and add teardown for removing them"""
+ create_ldap_entries(ldap_conn, ent_list)
+ if cleanup:
+ create_ldap_cleanup(request, ldap_conn, ent_list)
+
+
+SCHEMA_RFC2307 = "rfc2307"
+SCHEMA_RFC2307_BIS = "rfc2307bis"
+
+
+def format_basic_conf(ldap_conn, schema):
+ """Format a basic SSSD configuration"""
+ schema_conf = "ldap_schema = " + schema + "\n"
+ if schema == SCHEMA_RFC2307_BIS:
+ schema_conf += "ldap_group_object_class = groupOfNames\n"
+ return unindent("""\
+ [sssd]
+ debug_level = 0xffff
+ domains = LDAP
+ services = nss, pam
+
+ [nss]
+ debug_level = 0xffff
+ memcache_timeout = 0
+ entry_negative_timeout = 1
+
+ [pam]
+ debug_level = 0xffff
+
+ [domain/LDAP]
+ ldap_auth_disable_tls_never_use_in_production = true
+ debug_level = 0xffff
+ {schema_conf}
+ id_provider = ldap
+ auth_provider = ldap
+ ldap_uri = {ldap_conn.ds_inst.ldap_url}
+ ldap_search_base = {ldap_conn.ds_inst.base_dn}
+ """).format(**locals())
+
+
+def format_interactive_conf(ldap_conn, schema):
+ """Format an SSSD configuration with all caches refreshing in 4 seconds"""
+ return \
+
format_basic_conf(ldap_conn, schema) + \
+ unindent("""
+ [nss]
+ memcache_timeout = 0
+ entry_negative_timeout = 0
+
+ [domain/LDAP]
+ ldap_purge_cache_timeout = 1
+ entry_cache_timeout = {0}
+ """).format(INTERACTIVE_TIMEOUT)
+
+
+def format_rfc2307bis_deref_conf(ldap_conn, schema):
+ """Format an SSSD configuration with all caches refreshing in 4 seconds"""
+ return \
+ format_basic_conf(ldap_conn, schema) + \
+ unindent("""
+ [nss]
+ memcache_timeout = 0
+ entry_negative_timeout = 0
+
+ [domain/LDAP]
+ entry_cache_timeout = {0}
+ ldap_deref_threshold = 1
+ """).format(INTERACTIVE_TIMEOUT)
+
+
+def create_conf_file(contents):
+ """Create sssd.conf with specified contents"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+
+
+def cleanup_conf_file():
+ """Remove sssd.conf, if it exists"""
+ if os.path.lexists(config.CONF_PATH):
+ os.unlink(config.CONF_PATH)
+
+
+def create_conf_cleanup(request):
+ """Add teardown for removing sssd.conf"""
+ request.addfinalizer(cleanup_conf_file)
+
+
+def create_conf_fixture(request, contents):
+ """
+ Create sssd.conf with specified contents and add teardown for removing it
+ """
+ create_conf_file(contents)
+ create_conf_cleanup(request)
+
+
+def create_sssd_process():
+ """Start the SSSD process"""
+ if subprocess.call(["sssd", "-D", "-f"]) != 0:
+ raise Exception("sssd start failed")
+
+
+def cleanup_sssd_process():
+ """Stop the SSSD process and remove its state"""
+ try:
+ pid_file = open(config.PIDFILE_PATH, "r")
+ pid = int(pid_file.read())
+ os.kill(pid, signal.SIGTERM)
+ while True:
+ try:
+ os.kill(pid, signal.SIGCONT)
+ except:
+ break
+ time.sleep(1)
+ except:
+ pass
+ for path in os.listdir(config.DB_PATH):
+ os.unlink(config.DB_PATH + "/" + path)
+ for path in os.listdir(config.MCACHE_PATH):
+ os.unlink(config.MCACHE_PATH + "/" + path)
+
+
+def create_sssd_cleanup(request):
+ """Add teardown for stopping SSSD and removing its
state"""
+ request.addfinalizer(cleanup_sssd_process)
+
+
+def create_sssd_fixture(request):
+ """Start SSSD and add teardown for stopping it and removing its state"""
+ create_sssd_process()
+ create_sssd_cleanup(request)
+
+
+@pytest.fixture
+def sanity_rfc2307(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_user("user3", 1003, 2003)
+
+ ent_list.add_group("group1", 2001)
+ ent_list.add_group("group2", 2002)
+ ent_list.add_group("group3", 2003)
+
+ ent_list.add_group("empty_group", 2010)
+
+ ent_list.add_group("two_user_group", 2012, ["user1", "user2"])
+
+ ent_list.add_user("t(u)ser", 5000, 5001)
+ ent_list.add_group("group(_u)ser1", 5001, ["t(u)ser"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def simple_rfc2307(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user('usr\\\\001', 181818, 181818)
+ ent_list.add_group("group1", 181818)
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def sanity_rfc2307_bis(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_user("user3", 1003, 2003)
+
+ ent_list.add_group_bis("group1", 2001)
+ ent_list.add_group_bis("group2", 2002)
+ ent_list.add_group_bis("group3", 2003)
+
+ ent_list.add_group_bis("empty_group1", 2010)
+ ent_list.add_group_bis("empty_group2", 2011)
+
+ ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"])
+ ent_list.add_group_bis("group_empty_group", 2013, [], ["empty_group1"])
+
ent_list.add_group_bis("group_two_empty_groups", 2014,
+ [], ["empty_group1", "empty_group2"])
+ ent_list.add_group_bis("one_user_group1", 2015, ["user1"])
+ ent_list.add_group_bis("one_user_group2", 2016, ["user2"])
+ ent_list.add_group_bis("group_one_user_group", 2017,
+ [], ["one_user_group1"])
+ ent_list.add_group_bis("group_two_user_group", 2018,
+ [], ["two_user_group"])
+ ent_list.add_group_bis("group_two_one_user_groups", 2019,
+ [], ["one_user_group1", "one_user_group2"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS)
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def expected_list_to_name_dict(entries):
+ return dict((u["name"], u) for u in entries)
+
+
+def test_regression_ticket2163(ldap_conn, simple_rfc2307):
+ ent.assert_passwd_by_name(
+ 'usr\\001',
+ dict(name='usr\\001', passwd='*', uid=181818, gid=181818,
+ gecos='181818', shell='/bin/bash'))
+
+
+def test_sanity_rfc2307(ldap_conn, sanity_rfc2307):
+ passwd_pattern = expected_list_to_name_dict([
+ dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
+ dir='/home/user1', shell='/bin/bash'),
+ dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002',
+ dir='/home/user2', shell='/bin/bash'),
+ dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
+ dir='/home/user3', shell='/bin/bash')
+ ])
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+ group_pattern = expected_list_to_name_dict([
+ dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
+ dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
+ dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
+ dict(name='empty_group', passwd='*', gid=2010,
+ mem=ent.contains_only()),
+ dict(name='two_user_group', passwd='*', gid=2012,
+ mem=ent.contains_only("user1", "user2"))
+ ])
+ ent.assert_each_group_by_name(group_pattern)
+
+ with pytest.raises(KeyError):
+
pwd.getpwnam("non_existent_user")
+ with pytest.raises(KeyError):
+ pwd.getpwuid(1)
+ with pytest.raises(KeyError):
+ grp.getgrnam("non_existent_group")
+ with pytest.raises(KeyError):
+ grp.getgrgid(1)
+
+
+def test_sanity_rfc2307_bis(ldap_conn, sanity_rfc2307_bis):
+ passwd_pattern = expected_list_to_name_dict([
+ dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001',
+ dir='/home/user1', shell='/bin/bash'),
+ dict(name='user2', passwd='*', uid=1002, gid=2002, gecos='1002',
+ dir='/home/user2', shell='/bin/bash'),
+ dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003',
+ dir='/home/user3', shell='/bin/bash')
+ ])
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+ group_pattern = expected_list_to_name_dict([
+ dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()),
+ dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()),
+ dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()),
+ dict(name='empty_group1', passwd='*', gid=2010,
+ mem=ent.contains_only()),
+ dict(name='empty_group2', passwd='*', gid=2011,
+ mem=ent.contains_only()),
+ dict(name='two_user_group', passwd='*', gid=2012,
+ mem=ent.contains_only("user1", "user2")),
+ dict(name='group_empty_group', passwd='*', gid=2013,
+ mem=ent.contains_only()),
+ dict(name='group_two_empty_groups', passwd='*', gid=2014,
+ mem=ent.contains_only()),
+ dict(name='one_user_group1', passwd='*', gid=2015,
+ mem=ent.contains_only("user1")),
+ dict(name='one_user_group2', passwd='*', gid=2016,
+ mem=ent.contains_only("user2")),
+ dict(name='group_one_user_group', passwd='*', gid=2017,
+ mem=ent.contains_only("user1")),
+ dict(name='group_two_user_group', passwd='*', gid=2018,
+ mem=ent.contains_only("user1", "user2")),
+ dict(name='group_two_one_user_groups', passwd='*', gid=2019,
+ mem=ent.contains_only("user1", "user2"))
+ ])
+ ent.assert_each_group_by_name(group_pattern)
+
+ with pytest.raises(KeyError):
+ pwd.getpwnam("non_existent_user")
+ with
pytest.raises(KeyError):
+ pwd.getpwuid(1)
+ with pytest.raises(KeyError):
+ grp.getgrnam("non_existent_group")
+ with pytest.raises(KeyError):
+ grp.getgrgid(1)
+
+
+@pytest.fixture
+def refresh_after_cleanup_task(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+
+ ent_list.add_group_bis("group1", 2001, ["user1"])
+ ent_list.add_group_bis("group2", 2002, [], ["group1"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ entry_cache_user_timeout = 1
+ entry_cache_group_timeout = 5000
+ ldap_purge_cache_timeout = 3
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_refresh_after_cleanup_task(ldap_conn, refresh_after_cleanup_task):
+ """
+ Regression test for ticket:
+ https://fedorahosted.org/sssd/ticket/2676
+ """
+ ent.assert_group_by_name(
+ "group2",
+ dict(mem=ent.contains_only("user1")))
+
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ time.sleep(15)
+
+ ent.assert_group_by_name(
+ "group2",
+ dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def update_ts_after_cleanup_task(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2001)
+
+ ent_list.add_group_bis("group1", 2001, ["user1", "user2"])
+
+ create_ldap_fixture(request, ldap_conn, ent_list)
+
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \
+ unindent("""
+ [domain/LDAP]
+ ldap_purge_cache_timeout = 3
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+ return None
+
+
+def test_update_ts_cache_after_cleanup_task(ldap_conn,
+ update_ts_after_cleanup_task):
+ """
+ Regression test for ticket:
+
https://fedorahosted.org/sssd/ticket/2676
+ """
+ ent.assert_group_by_name(
+ "group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+ ent.assert_passwd_by_name(
+ 'user1',
+ dict(name='user1', passwd='*', uid=1001, gid=2001,
+ gecos='1001', shell='/bin/bash'))
+
+ ent.assert_passwd_by_name(
+ 'user2',
+ dict(name='user2', passwd='*', uid=1002, gid=2001,
+ gecos='1002', shell='/bin/bash'))
+
+ if subprocess.call(["sss_cache", "-u", "user1"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ # The cleanup task runs every 3 seconds, so sleep for 6
+ # so that we know the cleanup task ran at least once
+ # even if we start sleeping during the first one
+ time.sleep(6)
+
+ ent.assert_group_by_name(
+ "group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+
+@pytest.fixture
+def blank_rfc2307(request, ldap_conn):
+ """Create blank RFC2307 directory fixture with interactive SSSD conf"""
+ create_ldap_cleanup(request, ldap_conn)
+ create_conf_fixture(request,
+ format_interactive_conf(ldap_conn, SCHEMA_RFC2307))
+ create_sssd_fixture(request)
+
+
+@pytest.fixture
+def blank_rfc2307_bis(request, ldap_conn):
+ """Create blank RFC2307bis directory fixture with interactive SSSD conf"""
+ create_ldap_cleanup(request, ldap_conn)
+ create_conf_fixture(request,
+ format_interactive_conf(ldap_conn, SCHEMA_RFC2307_BIS))
+ create_sssd_fixture(request)
+
+
+@pytest.fixture
+def user_and_group_rfc2307(request, ldap_conn):
+ """
+ Create an RFC2307 directory fixture with interactive SSSD conf,
+ one user and one group
+ """
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user", 1001, 2000)
+ ent_list.add_group("group", 2001)
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ format_interactive_conf(ldap_conn, SCHEMA_RFC2307))
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def user_and_groups_rfc2307_bis(request, ldap_conn):
+ """
+ Create an RFC2307bis directory fixture with interactive SSSD
conf,
+ one user and two groups
+ """
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user", 1001, 2000)
+ ent_list.add_group_bis("group1", 2001)
+ ent_list.add_group_bis("group2", 2002)
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ format_interactive_conf(ldap_conn, SCHEMA_RFC2307_BIS))
+ create_sssd_fixture(request)
+ return None
+
+
+@pytest.fixture
+def rfc2307bis_deref_group_with_users(request, ldap_conn):
+ """
+ Create an RFC2307bis directory fixture with interactive SSSD conf,
+ one user and two groups
+ """
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2000)
+ ent_list.add_user("user2", 1001, 2000)
+ ent_list.add_user("user3", 1001, 2000)
+ ent_list.add_group_bis("group1", 20000, member_uids=("user1", "user2"))
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ format_rfc2307bis_deref_conf(
+ ldap_conn,
+ SCHEMA_RFC2307_BIS))
+ create_sssd_fixture(request)
+ return None
+
+
+def test_ldap_group_dereference(ldap_conn, rfc2307bis_deref_group_with_users):
+ ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+
+@pytest.fixture
+def override_homedir(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user_with_homedir_A", 1001, 2001,
+ homeDirectory="/home/A")
+ ent_list.add_user("user_with_homedir_B", 1002, 2002,
+ homeDirectory="/home/B")
+ ent_list.add_user("user_with_empty_homedir", 1003, 2003,
+ homeDirectory="")
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [nss]
+ override_homedir = /home/B
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_override_homedir(override_homedir):
+ """Test the effect of the "override_homedir" option"""
+ passwd_pattern = expected_list_to_name_dict([
+
dict(name="user_with_homedir_A", uid=1001, dir="/home/B"),
+ dict(name="user_with_homedir_B", uid=1002, dir="/home/B"),
+ dict(name="user_with_empty_homedir", uid=1003, dir="/home/B")
+ ])
+
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+
+@pytest.fixture
+def fallback_homedir(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user_with_homedir_A", 1001, 2001,
+ homeDirectory="/home/A")
+ ent_list.add_user("user_with_homedir_B", 1002, 2002,
+ homeDirectory="/home/B")
+ ent_list.add_user("user_with_empty_homedir", 1003, 2003,
+ homeDirectory="")
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [nss]
+ fallback_homedir = /home/B
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_fallback_homedir(fallback_homedir):
+ """Test the effect of the "fallback_homedir" option"""
+ passwd_pattern = expected_list_to_name_dict([
+ dict(name="user_with_homedir_A", uid=1001, dir="/home/A"),
+ dict(name="user_with_homedir_B", uid=1002, dir="/home/B"),
+ dict(name="user_with_empty_homedir", uid=1003, dir="/home/B")
+ ])
+
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+
+@pytest.fixture
+def override_shell(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user_with_shell_A", 1001, 2001,
+ loginShell="/bin/A")
+ ent_list.add_user("user_with_shell_B", 1002, 2002,
+ loginShell="/bin/B")
+ ent_list.add_user("user_with_empty_shell", 1003, 2003,
+ loginShell="")
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [nss]
+ override_shell = /bin/B
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_override_shell(override_shell):
+ """Test the effect of the "override_shell" option"""
+ passwd_pattern =
expected_list_to_name_dict([
+ dict(name="user_with_shell_A", uid=1001, shell="/bin/B"),
+ dict(name="user_with_shell_B", uid=1002, shell="/bin/B"),
+ dict(name="user_with_empty_shell", uid=1003, shell="/bin/B")
+ ])
+
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+
+@pytest.fixture
+def shell_fallback(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user_with_sh_shell", 1001, 2001,
+ loginShell="/bin/sh")
+ ent_list.add_user("user_with_not_installed_shell", 1002, 2002,
+ loginShell="/bin/not_installed")
+ ent_list.add_user("user_with_empty_shell", 1003, 2003,
+ loginShell="")
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [nss]
+ shell_fallback = /bin/fallback
+ allowed_shells = /bin/not_installed
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_shell_fallback(shell_fallback):
+ """Test the effect of the "shell_fallback" option"""
+ passwd_pattern = expected_list_to_name_dict([
+ dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
+ dict(name="user_with_not_installed_shell", uid=1002,
+ shell="/bin/fallback"),
+ dict(name="user_with_empty_shell", uid=1003, shell="")
+ ])
+
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+
+@pytest.fixture
+def default_shell(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user_with_sh_shell", 1001, 2001,
+ loginShell="/bin/sh")
+ ent_list.add_user("user_with_not_installed_shell", 1002, 2002,
+ loginShell="/bin/not_installed")
+ ent_list.add_user("user_with_empty_shell", 1003, 2003,
+ loginShell="")
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [nss]
+ default_shell = /bin/default
+ allowed_shells = /bin/default, /bin/not_installed
+ shell_fallback = /bin/fallback
+ """).format(**locals())
+
create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_default_shell(default_shell):
+ """Test the effect of the "default_shell" option"""
+ passwd_pattern = expected_list_to_name_dict([
+ dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
+ dict(name="user_with_not_installed_shell", uid=1002,
+ shell="/bin/fallback"),
+ dict(name="user_with_empty_shell", uid=1003,
+ shell="/bin/default")
+ ])
+
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+
+@pytest.fixture
+def vetoed_shells(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user_with_sh_shell", 1001, 2001,
+ loginShell="/bin/sh")
+ ent_list.add_user("user_with_vetoed_shell", 1002, 2002,
+ loginShell="/bin/vetoed")
+ ent_list.add_user("user_with_empty_shell", 1003, 2003,
+ loginShell="")
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [nss]
+ default_shell = /bin/default
+ vetoed_shells = /bin/vetoed
+ shell_fallback = /bin/fallback
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_vetoed_shells(vetoed_shells):
+ """Test the effect of the "vetoed_shells" option"""
+ passwd_pattern = expected_list_to_name_dict([
+ dict(name="user_with_sh_shell", uid=1001, shell="/bin/sh"),
+ dict(name="user_with_vetoed_shell", uid=1002,
+ shell="/bin/fallback"),
+ dict(name="user_with_empty_shell", uid=1003,
+ shell="/bin/default")
+ ])
+
+ ent.assert_each_passwd_by_name(passwd_pattern)
+
+
+def test_user_2307bis_nested_groups(ldap_conn,
+ sanity_rfc2307_bis):
+ """
+ Test nested groups.
+
+ Regression test for ticket:
+ https://fedorahosted.org/sssd/ticket/3093
+ """
+ primary_gid = 2001
+ # group1, two_user_group, one_user_group1, group_one_user_group,
+ # group_two_user_group, group_two_one_user_groups
+ expected_gids = [2001, 2012, 2015, 2017, 2018, 2019]
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001,
+ gid=primary_gid))
+
+ (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", primary_gid)
+ assert res == sssd_id.NssReturnCode.SUCCESS
+
+ assert sorted(gids) == sorted(expected_gids), \
+ "result: %s\n expected %s" % (
+ ", ".join(["%s" % s for s in sorted(gids)]),
+ ", ".join(["%s" % s for s in sorted(expected_gids)])
+ )
+
+
+def test_special_characters_in_names(ldap_conn, sanity_rfc2307):
+ """
+ Test special characters which could cause malformed filter
+ in ldb_seach.
+
+ Regression test for ticket:
+ https://fedorahosted.org/sssd/ticket/3121
+ """
+ ent.assert_passwd_by_name(
+ "t(u)ser",
+ dict(name="t(u)ser", passwd="*", uid=5000, gid=5001,
+ gecos="5000", shell="/bin/bash"))
+
+ ent.assert_group_by_name(
+ "group(_u)ser1",
+ dict(name="group(_u)ser1", passwd="*", gid=5001,
+ mem=ent.contains_only("t(u)ser")))
+
+
+@pytest.fixture
+def extra_attributes(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user", 2001, 2000)
+ ent_list.add_group("group", 2000)
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ conf = \
+ format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \
+ unindent("""\
+ [domain/LDAP]
+ ldap_user_extra_attrs = mail, name:uid, givenName
+ """).format(**locals())
+ create_conf_fixture(request, conf)
+ create_sssd_fixture(request)
+
+
+def test_extra_attribute_already_exists(ldap_conn, extra_attributes):
+ """Test the effect of the "vetoed_shells" option"""
+
+ user = 'user'
+ extra_attribute = 'givenName'
+ given_name = b'unix_user'
+
+ user_dn = "uid=" + user + ",ou=Users," +
ldap_conn.ds_inst.base_dn
+
+ old = {'objectClass': [b'top', b'inetOrgPerson', b'posixAccount']}
+ new = {'objectClass': [b'top', b'inetOrgPerson', b'posixAccount',
+ b'extensibleObject']}
+ ldif = ldap.modlist.modifyModlist(old, new)
+
+ ldap_conn.modify_s(user_dn, ldif)
+ ldap_conn.modify_s(user_dn, [(ldap.MOD_ADD, extra_attribute, given_name)])
+
+ ent.assert_passwd_by_name(
+ user,
+ dict(name="user", uid=2001, gid=2000, shell="/bin/bash"),
+ )
+
+ domain = 'LDAP'
+ ldb_conn = sssd_ldb.SssdLdb('LDAP')
+ val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb,
+ sssd_ldb.TsCacheEntry.user,
+ user, domain, extra_attribute)
+
+ assert val == given_name
+
+
+@pytest.fixture
+def add_user_to_group(request, ldap_conn):
+ """
+ Adding user to group
+ """
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_group_bis("group1", 20001, member_uids=["user1"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ format_rfc2307bis_deref_conf(
+ ldap_conn,
+ SCHEMA_RFC2307_BIS))
+ create_sssd_fixture(request)
+ return None
+
+
+def test_add_user_to_group(ldap_conn, add_user_to_group):
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
+
+
+@pytest.fixture
+def remove_user_from_group(request, ldap_conn):
+ """
+ Adding user to group
+ """
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_group_bis("group1", 20001, member_uids=["user1", "user2"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ format_rfc2307bis_deref_conf(
+ ldap_conn,
+ SCHEMA_RFC2307_BIS))
+ create_sssd_fixture(request)
+ return None
+
+
+def test_remove_user_from_group(ldap_conn, remove_user_from_group):
+ """
+ Removing two users from group, step by step
+ """
+ group1_dn =
'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+ ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1", "user2")))
+
+ # removing of user2 from group1
+ old = {'member': [b"uid=user1,ou=Users,dc=example,dc=com",
+ b"uid=user2,ou=Users,dc=example,dc=com"]}
+ new = {'member': [b"uid=user1,ou=Users,dc=example,dc=com"]}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(group1_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-GU"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+ ent.assert_group_by_name("group1", dict(mem=ent.contains_only("user1")))
+
+ # removing of user1 from group1
+ old = {'member': [b"uid=user1,ou=Users,dc=example,dc=com"]}
+ new = {'member': []}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(group1_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-GU"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+ ent.assert_group_by_name("group1", dict(mem=ent.contains_only()))
+
+
+@pytest.fixture
+def remove_user_from_nested_group(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_user("user2", 1002, 2002)
+ ent_list.add_group_bis("group1", 20001, member_uids=["user1"])
+ ent_list.add_group_bis("group2", 20002, member_uids=["user2"])
+ ent_list.add_group_bis("group3", 20003, member_gids=["group1", "group2"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ format_rfc2307bis_deref_conf(
+ ldap_conn,
+ SCHEMA_RFC2307_BIS))
+
create_sssd_fixture(request)
+ return None
+
+
+def test_remove_user_from_nested_group(ldap_conn,
+ remove_user_from_nested_group):
+
+ group3_dn = 'cn=group3,ou=Groups,' + ldap_conn.ds_inst.base_dn
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+
+ ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1")))
+ ent.assert_group_by_name("group2",
+ dict(mem=ent.contains_only("user2")))
+
+ ent.assert_group_by_name("group3",
+ dict(mem=ent.contains_only("user1",
+ "user2")))
+
+ # removing of group2 from group3
+ old = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com",
+ b"cn=group2,ou=Groups,dc=example,dc=com"]}
+ new = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com"]}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(group3_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-GU"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+
+ ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1")))
+ ent.assert_group_by_name("group2",
+ dict(mem=ent.contains_only("user2")))
+ ent.assert_group_by_name("group3",
+ dict(mem=ent.contains_only("user1")))
+
+ # removing of group1 from group3
+ old = {'member': [b"cn=group1,ou=Groups,dc=example,dc=com"]}
+ new = {'member': []}
+
+ ldif = ldap.modlist.modifyModlist(old, new)
+ ldap_conn.modify_s(group3_dn, ldif)
+
+ if subprocess.call(["sss_cache", "-GU"]) != 0:
+ raise Exception("sssd_cache failed")
+
+ ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=2001))
+ ent.assert_passwd_by_name("user2", dict(name="user2", uid=1002, gid=2002))
+
+ ent.assert_group_by_name("group1",
+ dict(mem=ent.contains_only("user1")))
+ ent.assert_group_by_name("group2",
+ dict(mem=ent.contains_only("user2")))
+
ent.assert_group_by_name("group3",
+ dict(mem=ent.contains_only()))
+
+
+def zero_nesting_sssd_conf(ldap_conn, schema):
+ """Format an SSSD configuration with group nesting disabled"""
+ return \
+ format_basic_conf(ldap_conn, schema) + \
+ unindent("""
+ [domain/LDAP]
+ ldap_group_nesting_level = 0
+ """).format(INTERACTIVE_TIMEOUT)
+
+
+@pytest.fixture
+def rfc2307bis_no_nesting(request, ldap_conn):
+ ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn)
+ ent_list.add_user("user1", 1001, 2001)
+ ent_list.add_group_bis("primarygroup", 2001)
+ ent_list.add_group_bis("parentgroup", 2010, member_uids=["user1"])
+ ent_list.add_group_bis("nestedgroup", 2011, member_gids=["parentgroup"])
+ create_ldap_fixture(request, ldap_conn, ent_list)
+ create_conf_fixture(request,
+ zero_nesting_sssd_conf(
+ ldap_conn,
+ SCHEMA_RFC2307_BIS))
+ create_sssd_fixture(request)
+ return None
+
+
+def test_zero_nesting_level(ldap_conn, rfc2307bis_no_nesting):
+ """
+ Test initgroups operation with rfc2307bis schema asserting
+ only primary group and parent groups are included in group
+ list. No parent groups of groups should be returned with zero
+ group nesting level.
+ """ + ent.assert_group_by_name("parentgroup", + dict(mem=ent.contains_only("user1"))) + ent.assert_group_by_name("nestedgroup", + dict(mem=ent.contains_only())) + + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + # test nestedgroup is not returned in group list + assert sorted(grp_list) == sorted(["primarygroup", "parentgroup"]) + + +@pytest.fixture +def sanity_nss_filter(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + ent_list.add_group_bis("group3", 2003) + + ent_list.add_group_bis("empty_group1", 2010) + ent_list.add_group_bis("empty_group2", 2011) + + ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"]) + ent_list.add_group_bis("group_empty_group", 2013, [], ["empty_group1"]) + ent_list.add_group_bis("group_two_empty_groups", 2014, + [], ["empty_group1", "empty_group2"]) + ent_list.add_group_bis("one_user_group1", 2015, ["user1"]) + ent_list.add_group_bis("one_user_group2", 2016, ["user2"]) + ent_list.add_group_bis("group_one_user_group", 2017, + [], ["one_user_group1"]) + ent_list.add_group_bis("group_two_user_group", 2018, + [], ["two_user_group"]) + ent_list.add_group_bis("group_two_one_user_groups", 2019, + [], ["one_user_group1", "one_user_group2"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [nss] + filter_users = user2 + filter_groups = group_two_one_user_groups + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_nss_filters(ldap_conn, sanity_nss_filter): + passwd_pattern = expected_list_to_name_dict([ + dict(name='user1', passwd='*', 
uid=1001, gid=2001, gecos='1001', + dir='/home/user1', shell='/bin/bash'), + dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003', + dir='/home/user3', shell='/bin/bash') + ]) + + # test filtered user + ent.assert_each_passwd_by_name(passwd_pattern) + with pytest.raises(KeyError): + pwd.getpwnam("user2") + with pytest.raises(KeyError): + pwd.getpwuid(1002) + + group_pattern = expected_list_to_name_dict([ + dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), + dict(name='group2', passwd='*', gid=2002, mem=ent.contains_only()), + dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), + dict(name='empty_group1', passwd='*', gid=2010, + mem=ent.contains_only()), + dict(name='empty_group2', passwd='*', gid=2011, + mem=ent.contains_only()), + dict(name='two_user_group', passwd='*', gid=2012, + mem=ent.contains_only("user1")), + dict(name='group_empty_group', passwd='*', gid=2013, + mem=ent.contains_only()), + dict(name='group_two_empty_groups', passwd='*', gid=2014, + mem=ent.contains_only()), + dict(name='one_user_group1', passwd='*', gid=2015, + mem=ent.contains_only("user1")), + dict(name='one_user_group2', passwd='*', gid=2016, + mem=ent.contains_only()), + dict(name='group_one_user_group', passwd='*', gid=2017, + mem=ent.contains_only("user1")), + dict(name='group_two_user_group', passwd='*', gid=2018, + mem=ent.contains_only("user1")), + ]) + + # test filtered group + ent.assert_each_group_by_name(group_pattern) + with pytest.raises(KeyError): + grp.getgrnam("group_two_one_user_groups") + with pytest.raises(KeyError): + grp.getgrgid(2019) + + # test non-existing user/group + with pytest.raises(KeyError): + pwd.getpwnam("non_existent_user") + with pytest.raises(KeyError): + pwd.getpwuid(9) + with pytest.raises(KeyError): + grp.getgrnam("non_existent_group") + with pytest.raises(KeyError): + grp.getgrgid(14) + + +@pytest.fixture +def sanity_nss_filter_cached(request, ldap_conn): + ent_list = 
ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + ent_list.add_user("root", 1004, 2004) + ent_list.add_user("zerouid", 0, 0) + + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + ent_list.add_group_bis("group3", 2003) + ent_list.add_group_bis("root", 2004) + ent_list.add_group_bis("zerogid", 0) + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [nss] + filter_users = user2 + filter_groups = group2 + entry_negative_timeout = 1 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_nss_filters_cached(ldap_conn, sanity_nss_filter_cached): + passwd_pattern = expected_list_to_name_dict([ + dict(name='user1', passwd='*', uid=1001, gid=2001, gecos='1001', + dir='/home/user1', shell='/bin/bash'), + dict(name='user3', passwd='*', uid=1003, gid=2003, gecos='1003', + dir='/home/user3', shell='/bin/bash') + ]) + ent.assert_each_passwd_by_name(passwd_pattern) + + # test filtered user + with pytest.raises(KeyError): + pwd.getpwuid(1002) + time.sleep(2) + with pytest.raises(KeyError): + pwd.getpwuid(1002) + + group_pattern = expected_list_to_name_dict([ + dict(name='group1', passwd='*', gid=2001, mem=ent.contains_only()), + dict(name='group3', passwd='*', gid=2003, mem=ent.contains_only()), + ]) + ent.assert_each_group_by_name(group_pattern) + + # test filtered group + with pytest.raises(KeyError): + grp.getgrgid(2002) + time.sleep(2) + with pytest.raises(KeyError): + grp.getgrgid(2002) + + # test that root is always filtered even if filter_users contains other + # entries. 
This is a regression test for upstream ticket #3460 + res, _ = call_sssd_getpwnam("root") + assert res == NssReturnCode.NOTFOUND + + res, _ = call_sssd_getgrnam("root") + assert res == NssReturnCode.NOTFOUND + + res, _ = call_sssd_getpwuid(0) + assert res == NssReturnCode.NOTFOUND + + res, _ = call_sssd_getgrgid(0) + assert res == NssReturnCode.NOTFOUND + + +@pytest.fixture +def mpg_setup(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("group2", 2002) + ent_list.add_group_bis("group3", 2003) + + ent_list.add_group_bis("two_user_group", 2012, ["user1", "user2"]) + ent_list.add_group_bis("one_user_group1", 2015, ["user1"]) + ent_list.add_group_bis("one_user_group2", 2016, ["user2"]) + + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, None) + + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [domain/LDAP] + auto_private_groups = True + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ldap_auto_private_groups_direct(ldap_conn, mpg_setup): + """ + Integration test for auto_private_groups + + See also ticket https://pagure.io/SSSD/sssd/issue/1872 + """ + # Make sure the user's GID is taken from their uidNumber + ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) + # Make sure the private group is resolvable by name and by GID + ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) + ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) + + # The group referenced in user's gidNumber attribute should be still + # visible, but it's fine that it doesn't contain the user as a member + # as the group is currently added during the initgroups operation only + 
ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) + ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) + + # The user's secondary groups list must be correct as well + # Note that the original GID is listed as well -- this is correct and + # expected because we save the original GID in the + # SYSDB_PRIMARY_GROUP_GIDNUM attribute + user1_expected_gids = [1001, 2001, 2012, 2015] + (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) + assert res == sssd_id.NssReturnCode.SUCCESS + + assert sorted(gids) == sorted(user1_expected_gids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) + ) + + # Request user2's private group by GID without resolving the user first. + # This must trigger user resolution through by-GID resolution, since the + # GID doesn't exist on its own in LDAP + ent.assert_group_by_gid(1002, dict(name="user2", mem=ent.contains_only())) + + # Test supplementary groups for user2 as well + user1_expected_gids = [1002, 2002, 2012, 2016] + (res, errno, gids) = sssd_id.call_sssd_initgroups("user2", 1002) + assert res == sssd_id.NssReturnCode.SUCCESS + + assert sorted(gids) == sorted(user1_expected_gids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) + ) + + # Request user3's private group by name without resolving the user first + # This must trigger user resolution through by-name resolution, since the + # name doesn't exist on its own in LDAP + ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only())) + + # Remove entries and request them again to make sure they are not + # resolvable anymore + cleanup_ldap_entries(ldap_conn, None) + + if subprocess.call(["sss_cache", "-GU"]) != 0: + raise Exception("sssd_cache failed") + + with pytest.raises(KeyError): + pwd.getpwnam("user1") + with 
pytest.raises(KeyError): + grp.getgrnam("user1") + with pytest.raises(KeyError): + grp.getgrgid(1002) + with pytest.raises(KeyError): + grp.getgrnam("user3") + + +@pytest.fixture +def mpg_setup_conflict(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 1003) + ent_list.add_group_bis("group1", 1001) + ent_list.add_group_bis("group2", 1002) + ent_list.add_group_bis("group3", 1003) + ent_list.add_group_bis("supp_group", 2015, ["user3"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [domain/LDAP] + auto_private_groups = True + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ldap_auto_private_groups_conflict(ldap_conn, mpg_setup_conflict): + """ + Make sure that conflicts between groups that are auto-created with the + help of the auto_private_groups option and between 'real' LDAP groups + are handled in a predictable manner. + """ + # Make sure the user's GID is taken from their uidNumber + ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) + # Make sure the private group is resolvable by name and by GID + ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) + ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) + + # Let's request the group with the same ID as user2's private group + # The request should match the 'real' group + ent.assert_group_by_gid(1002, dict(name="group2", mem=ent.contains_only())) + # But because of the GID conflict, the user cannot be resolved + with pytest.raises(KeyError): + pwd.getpwnam("user2") + + # This user's GID is the same as the UID in this entry. 
The most important + # thing here is that the supplementary groups are correct and the GID + # resolves to the private group (as long as the user was requested first) + user3_expected_gids = [1003, 2015] + ent.assert_passwd_by_name("user3", dict(name="user3", uid=1003, gid=1003)) + (res, errno, gids) = sssd_id.call_sssd_initgroups("user3", 1003) + assert res == sssd_id.NssReturnCode.SUCCESS + + assert sorted(gids) == sorted(user3_expected_gids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(user3_expected_gids)]) + ) + # Make sure the private group is resolvable by name and by GID + ent.assert_group_by_gid(1003, dict(name="user3", mem=ent.contains_only())) + ent.assert_group_by_name("user3", dict(gid=1003, mem=ent.contains_only())) + + +@pytest.fixture +def mpg_setup_no_gid(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + + ent_list.add_group_bis("group1", 2001) + ent_list.add_group_bis("one_user_group1", 2015, ["user1"]) + + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, None) + + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [domain/LDAP] + auto_private_groups = True + ldap_user_gid_number = no_such_attribute + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ldap_auto_private_groups_direct_no_gid(ldap_conn, mpg_setup_no_gid): + """ + Integration test for auto_private_groups - test that even a user with + no GID assigned at all can be resolved including their autogenerated + primary group. 
+ + See also ticket https://pagure.io/SSSD/sssd/issue/1872 + """ + # Make sure the user's GID is taken from their uidNumber + ent.assert_passwd_by_name("user1", dict(name="user1", uid=1001, gid=1001)) + # Make sure the private group is resolvable by name and by GID + ent.assert_group_by_name("user1", dict(gid=1001, mem=ent.contains_only())) + ent.assert_group_by_gid(1001, dict(name="user1", mem=ent.contains_only())) + + # The group referenced in user's gidNumber attribute should be still + # visible, but shouldn't have any relation to the user + ent.assert_group_by_name("group1", dict(gid=2001, mem=ent.contains_only())) + ent.assert_group_by_gid(2001, dict(name="group1", mem=ent.contains_only())) + + # The user's secondary groups list must be correct as well. This time only + # the generated group and the explicit secondary group are added, since + # there is no original GID + user1_expected_gids = [1001, 2015] + (res, errno, gids) = sssd_id.call_sssd_initgroups("user1", 1001) + assert res == sssd_id.NssReturnCode.SUCCESS + + assert sorted(gids) == sorted(user1_expected_gids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(user1_expected_gids)]) + ) + + +def rename_setup_no_cleanup(request, ldap_conn, cleanup_ent=None): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_group_bis("user1_private", 2001) + + ent_list.add_user("user2", 1002, 2002) + ent_list.add_group_bis("user2_private", 2002) + + ent_list.add_group_bis("group1", 2015, ["user1", "user2"]) + + if cleanup_ent is None: + create_ldap_fixture(request, ldap_conn, ent_list) + else: + # Since the entries were renamed, we need to clean up + # the renamed entries.. 
+ create_ldap_fixture(request, ldap_conn, ent_list, cleanup=False) + create_ldap_cleanup(request, ldap_conn, None) + + +@pytest.fixture +def rename_setup_cleanup(request, ldap_conn): + cleanup_ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + cleanup_ent_list.add_user("user1", 1001, 2001) + cleanup_ent_list.add_group_bis("new_user1_private", 2001) + + cleanup_ent_list.add_user("user2", 1002, 2002) + cleanup_ent_list.add_group_bis("new_user2_private", 2002) + + cleanup_ent_list.add_group_bis("new_group1", 2015, ["user1", "user2"]) + + rename_setup_no_cleanup(request, ldap_conn, cleanup_ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def rename_setup_with_name(request, ldap_conn): + rename_setup_no_cleanup(request, ldap_conn) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + \ + unindent(""" + [nss] + [domain/LDAP] + ldap_group_name = name + timeout = 3000 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_rename_incomplete_group_same_dn(ldap_conn, rename_setup_with_name): + """ + Test that if a group's name attribute changes, but the DN stays the same, + the incomplete group object will be renamed. 
+ + Because the RDN attribute must be present in the entry, we add another + attribute "name" that is purposefully different from the CN and make + sure the group names are reflected in name + + Regression test for https://pagure.io/SSSD/sssd/issue/3282 + """ + pvt_dn1 = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn + pvt_dn2 = 'cn=user2_private,ou=Groups,' + ldap_conn.ds_inst.base_dn + group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn + + # Add the name we want for both private and secondary group + old = {'name': []} + new = {'name': [b"user1_group1"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(group1_dn, ldif) + + new = {'name': [b"pvt_user1"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(pvt_dn1, ldif) + + new = {'name': [b"pvt_user2"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(pvt_dn2, ldif) + + # Make sure the old name shows up in the id output + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + assert sorted(grp_list) == sorted(["pvt_user1", "user1_group1"]) + + # Rename the group by changing the cn attribute, but keep the DN the same + old = {'name': [b"user1_group1"]} + new = {'name': [b"new_user1_group1"]} + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(group1_dn, ldif) + + (res, errno, grp_list) = sssd_id.get_user_groups("user2") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user2, %d" % errno + + assert sorted(grp_list) == sorted(["pvt_user2", "new_user1_group1"]) + + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + assert sorted(grp_list) == sorted(["pvt_user1", "new_user1_group1"]) + + +def test_rename_incomplete_group_rdn_changed(ldap_conn, rename_setup_cleanup): + """ + Test that if a 
group's name attribute changes, and the DN changes with + the RDN. Then adding the second group will fail because we can't tell if + there are two duplicate groups in LDAP when saving the group or if the + group was renamed. + + Please note that with many directories (AD, IPA), the code can rely on + other heuristics (SID, UUID) to find out the group is in fact the same. + + Regression test for https://pagure.io/SSSD/sssd/issue/3282 + """ + pvt_dn = 'cn=user1_private,ou=Groups,' + ldap_conn.ds_inst.base_dn + group1_dn = 'cn=group1,ou=Groups,' + ldap_conn.ds_inst.base_dn + + # Make sure the old name shows up in the id output + (res, errno, grp_list) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + + assert sorted(grp_list) == sorted(["user1_private", "group1"]) + + # Rename the groups, changing the RDN + ldap_conn.rename_s(group1_dn, "cn=new_group1") + ldap_conn.rename_s(pvt_dn, "cn=new_user1_private") + + (res, errno, grp_list) = sssd_id.get_user_groups("user2") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user2, %d" % errno + + # The initgroups succeeds, but because saving the new group fails, + # SSSD will revert to the cache contents and return what's in the cache + assert sorted(grp_list) == sorted(["user2_private", "group1"]) + + +@pytest.fixture +def user_and_group_rfc2307_lcl(request, ldap_conn): + pwd_ops = passwd_ops_setup(request) + pwd_ops.useradd(**PASSWD_USER) + grp_ops = group_ops_setup(request) + grp_ops.groupadd(**PASSWD_GROUP) + + return user_and_group_rfc2307(request, ldap_conn) + + +def test_local_negative_timeout_enabled_by_default(ldap_conn, + user_and_group_rfc2307_lcl): + """ + Test that with the default local_negative_timeout value, a user who can't + be resolved through SSSD but can be resolved in LDAP is negatively cached + """ + # sanity check - try resolving an LDAP user + ent.assert_passwd_by_name("user", 
dict(name="user", uid=1001, gid=2000)) + + # resolve a user who is not in LDAP, but exists locally + res, _ = call_sssd_getpwnam("passwduser") + assert res == NssReturnCode.NOTFOUND + res = pwd.getpwnam("passwduser") + assert res is not None + # Do the same by UID + res, _ = call_sssd_getpwuid(100000) + assert res == NssReturnCode.NOTFOUND + res = pwd.getpwuid(100000) + assert res is not None + + # Do the same for a group both by name and by ID + res, _ = call_sssd_getgrnam("passwdgroup") + assert res == NssReturnCode.NOTFOUND + res = grp.getgrnam("passwdgroup") + assert res is not None + res, _ = call_sssd_getgrgid(200000) + assert res == NssReturnCode.NOTFOUND + res = grp.getgrgid(200000) + assert res is not None + + # add the user and the group to LDAP + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("passwduser", 100000, 2000) + ent_list.add_group("passwdgroup", 200000) + create_ldap_entries(ldap_conn, ent_list) + + # Make sure the negative cache expired + time.sleep(2) + + # The user is now negatively cached and can't be resolved by either + # name or UID + res, _ = call_sssd_getpwnam("passwduser") + assert res == NssReturnCode.NOTFOUND + res, _ = call_sssd_getpwuid(100000) + assert res == NssReturnCode.NOTFOUND + + res, _ = call_sssd_getgrnam("passwdgroup") + assert res == NssReturnCode.NOTFOUND + res, _ = call_sssd_getgrgid(200000) + assert res == NssReturnCode.NOTFOUND + + cleanup_ldap_entries(ldap_conn, ent_list) + + +@pytest.fixture +def usr_and_grp_rfc2307_no_local_ncache(request, ldap_conn): + """ + Create an RFC2307 directory fixture with interactive SSSD conf, + one user and one group but with the local negative timeout + disabled + """ + pwd_ops = passwd_ops_setup(request) + pwd_ops.useradd(**PASSWD_USER) + grp_ops = group_ops_setup(request) + grp_ops.groupadd(**PASSWD_GROUP) + + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user", 1001, 2000) + ent_list.add_group("group", 2001) + 
create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_interactive_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent(""" + [nss] + local_negative_timeout = 0 + """) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_local_negative_timeout_disabled(ldap_conn, + usr_and_grp_rfc2307_no_local_ncache): + """ + Test that with the local negative cache disabled, a user who is in both + LDAP and files can be resolved once the negative cache expires + """ + # sanity check - try resolving an LDAP user + ent.assert_passwd_by_name("user", dict(name="user", uid=1001, gid=2000)) + + # resolve a user who is not in LDAP, but exists locally + res, _ = call_sssd_getpwnam("passwduser") + assert res == NssReturnCode.NOTFOUND + res = pwd.getpwnam("passwduser") + assert res is not None + # Do the same by UID + res, _ = call_sssd_getpwuid(100000) + assert res == NssReturnCode.NOTFOUND + res = pwd.getpwuid(100000) + assert res is not None + + # Do the same for a group both by name and by ID + res, _ = call_sssd_getgrnam("passwdgroup") + assert res == NssReturnCode.NOTFOUND + res = grp.getgrnam("passwdgroup") + assert res is not None + res, _ = call_sssd_getgrgid(200000) + assert res == NssReturnCode.NOTFOUND + res = grp.getgrgid(200000) + assert res is not None + + # add the user and the group to LDAP + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("passwduser", 100000, 2000) + ent_list.add_group("passwdgroup", 200000) + create_ldap_entries(ldap_conn, ent_list) + + # Make sure the negative cache expired + time.sleep(2) + + # The user can now be resolved + res, _ = call_sssd_getpwnam("passwduser") + assert res == NssReturnCode.SUCCESS + # Do the same by UID + res, _ = call_sssd_getpwuid(100000) + assert res == NssReturnCode.SUCCESS + + res, _ = call_sssd_getgrnam("passwdgroup") + assert res == NssReturnCode.SUCCESS + res, _ = call_sssd_getgrgid(200000) + assert res == NssReturnCode.SUCCESS + + 
cleanup_ldap_entries(ldap_conn, ent_list) + + +@pytest.fixture +def users_with_email_setup(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001, mail="user1.email@LDAP") + + ent_list.add_user("emailuser", 1002, 2002) + ent_list.add_user("emailuser2", 1003, 2003, mail="emailuser@LDAP") + + ent_list.add_user("userx", 1004, 2004, mail="userxy@LDAP") + ent_list.add_user("usery", 1005, 2005, mail="userxy@LDAP") + + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_lookup_by_email(ldap_conn, users_with_email_setup): + """ + Test the simple case of looking up a user by e-mail + """ + ent.assert_passwd_by_name("user1.email@LDAP", + dict(name="user1", uid=1001, gid=2001)) + + +def test_conflicting_mail_addresses_and_fqdn(ldap_conn, + users_with_email_setup): + """ + Test that we handle the case where one user's mail address is the + same as another user's FQDN + + This is a regression test for https://pagure.io/SSSD/sssd/issue/3607 + """ + # With #3607 unfixed, these two lookups would prime the cache with + # nameAlias: emailuser@LDAP for both entries.. + ent.assert_passwd_by_name("emailuser@LDAP", + dict(name="emailuser", uid=1002, gid=2002)) + ent.assert_passwd_by_name("emailuser2@LDAP", + dict(name="emailuser2", uid=1003, gid=2003)) + + # ..and subsequently, emailuser would not be returned because the cache + # lookup would have had returned two entries which is an error + ent.assert_passwd_by_name("emailuser@LDAP", + dict(name="emailuser", uid=1002, gid=2002)) + ent.assert_passwd_by_name("emailuser2@LDAP", + dict(name="emailuser2", uid=1003, gid=2003)) + + +def test_conflicting_mail_addresses(ldap_conn, + users_with_email_setup): + """ + Negative test: looking up a user by e-mail which belongs to more than + one account fails in the back end. 
+ """ + with pytest.raises(KeyError): + pwd.getpwnam("userxy@LDAP") + + # However resolving the users on their own must work + ent.assert_passwd_by_name("userx", dict(name="userx", uid=1004, gid=2004)) + ent.assert_passwd_by_name("usery", dict(name="usery", uid=1005, gid=2005)) diff --git a/src/tests/intg/test_local_domain.py b/src/tests/intg/test_local_domain.py new file mode 100644 index 0000000..8e1d6fb --- /dev/null +++ b/src/tests/intg/test_local_domain.py 
@@ -0,0 +1,276 @@ +# +# SSSD LOCAL domain tests +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Michal Zidek +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import pwd +import grp +import time +import config +import signal +import subprocess +import pytest +import ent +from util import unindent + + +def stop_sssd(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def create_sssd_fixture(request): + """Start sssd and add teardown for stopping it and removing state""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +@pytest.fixture +def local_domain_only(request): + conf = unindent("""\ + [sssd] + domains = LOCAL + services = nss + + [nss] + memcache_timeout = 0 + + [domain/LOCAL] + id_provider = local 
+ min_id = 10000 + max_id = 20000 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def local_domain_only_fqdn(request): + conf = unindent("""\ + [sssd] + domains = LOCAL + services = nss + + [nss] + memcache_timeout = 0 + + [domain/LOCAL] + id_provider = local + min_id = 10000 + max_id = 20000 + use_fully_qualified_names = True + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def assert_nonexistent_user(name): + with pytest.raises(KeyError): + pwd.getpwnam(name) + + +def assert_nonexistent_group(name): + with pytest.raises(KeyError): + grp.getgrnam(name) + + +def test_groupshow_mpg(local_domain_only): + """ + Regression test for ticket + https://fedorahosted.org/sssd/ticket/3184 + """ + subprocess.check_call(["sss_useradd", "foo", "-M"]) + + # The user's mpg has to be found (should return 0) + subprocess.check_call(["sss_groupshow", "foo"]) + + +def test_groupshow_mpg_fqdn(local_domain_only_fqdn): + """ + Regression test for ticket (fq variant) + https://fedorahosted.org/sssd/ticket/3184 + """ + subprocess.check_call(["sss_useradd", "foo@LOCAL", "-M"]) + + # The user's mpg has to be found (should return 0) + subprocess.check_call(["sss_groupshow", "foo@LOCAL"]) + + +def test_wrong_LC_ALL(local_domain_only): + """ + Regression test for ticket + https://fedorahosted.org/sssd/ticket/2785 + + """ + subprocess.check_call(["sss_useradd", "foo", "-M"]) + pwd.getpwnam("foo") + + # Change the LC_ALL variable to nonexistent locale + oldvalue = os.environ.get("LC_ALL", "") + os.environ["LC_ALL"] = "nonexistent_locale" + + # sss_userdel must remove the user despite wrong LC_ALL + subprocess.check_call(["sss_userdel", "foo", "-R"]) + assert_nonexistent_user("foo") + os.environ["LC_ALL"] = oldvalue + + +def test_sss_group_add_show_del(local_domain_only): + """ + Regression test for tickets + https://fedorahosted.org/sssd/ticket/3173 + 
https://fedorahosted.org/sssd/ticket/3175 + """ + + subprocess.check_call(["sss_groupadd", "foo", "-g", "10001"]) + + "This should not raise KeyError" + ent.assert_group_by_name("foo", dict(name="foo", gid=10001)) + + "sss_grupshow should return 0 with existing group name" + subprocess.check_call(["sss_groupshow", "foo"]) + + subprocess.check_call(["sss_groupdel", "foo"]) + assert_nonexistent_group("foo") + + +def test_add_local_user_to_local_group(local_domain_only): + """ + Regression test for ticket + https://fedorahosted.org/sssd/ticket/3178 + """ + subprocess.check_call(["sss_groupadd", "-g", "10009", "group10009"]) + subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user10009"]) + subprocess.check_call(["sss_usermod", "-a", "group10009", "user10009"]) + + ent.assert_group_by_name( + "group10009", + dict(name="group10009", passwd="*", gid=10009, + mem=ent.contains_only("user10009"))) + + +def test_add_local_group_to_local_group(local_domain_only): + """ + Regression test for tickets + https://fedorahosted.org/sssd/ticket/3178 + """ + subprocess.check_call(["sss_groupadd", "-g", "10009", "group_child"]) + subprocess.check_call(["sss_useradd", "-u", "10009", "-M", "user_child"]) + subprocess.check_call(["sss_usermod", "-a", "group_child", "user_child"]) + + subprocess.check_call(["sss_groupadd", "-g", "10008", "group_parent"]) + subprocess.check_call( + ["sss_groupmod", "-a", "group_parent", "group_child"]) + + # User from child_group is member of parent_group, so child_group's + # member must be also parent_group's member + ent.assert_group_by_name( + "group_parent", + dict(name="group_parent", passwd="*", gid=10008, + mem=ent.contains_only("user_child"))) + + +def test_sss_group_add_show_del_fqdn(local_domain_only_fqdn): + """ + Regression test for tickets + https://fedorahosted.org/sssd/ticket/3173 + https://fedorahosted.org/sssd/ticket/3175 + """ + + subprocess.check_call(["sss_groupadd", "foo@LOCAL", "-g", "10001"]) + + "This should not raise 
KeyError" + ent.assert_group_by_name("foo@LOCAL", dict(name="foo@LOCAL", gid=10001)) + + "sss_grupshow should return 0 with existing group name" + subprocess.check_call(["sss_groupshow", "foo@LOCAL"]) + + subprocess.check_call(["sss_groupdel", "foo@LOCAL"]) + assert_nonexistent_group("foo@LOCAL") + + +def test_add_local_user_to_local_group_fqdn(local_domain_only_fqdn): + """ + Regression test for ticket + https://fedorahosted.org/sssd/ticket/3178 + """ + subprocess.check_call( + ["sss_groupadd", "-g", "10009", "group10009@LOCAL"]) + subprocess.check_call( + ["sss_useradd", "-u", "10009", "-M", "user10009@LOCAL"]) + subprocess.check_call( + ["sss_usermod", "-a", "group10009@LOCAL", "user10009@LOCAL"]) + + ent.assert_group_by_name( + "group10009@LOCAL", + dict(name="group10009@LOCAL", passwd="*", gid=10009, + mem=ent.contains_only("user10009@LOCAL"))) + + +def test_add_local_group_to_local_group_fqdn(local_domain_only_fqdn): + """ + Regression test for tickets + https://fedorahosted.org/sssd/ticket/3178 + """ + subprocess.check_call( + ["sss_groupadd", "-g", "10009", "group_child@LOCAL"]) + subprocess.check_call( + ["sss_useradd", "-u", "10009", "-M", "user_child@LOCAL"]) + subprocess.check_call( + ["sss_usermod", "-a", "group_child@LOCAL", "user_child@LOCAL"]) + + subprocess.check_call( + ["sss_groupadd", "-g", "10008", "group_parent@LOCAL"]) + subprocess.check_call( + ["sss_groupmod", "-a", "group_parent@LOCAL", "group_child@LOCAL"]) + + # User from child_group is member of parent_group, so child_group's + # member must be also parent_group's member + ent.assert_group_by_name( + "group_parent@LOCAL", + dict(name="group_parent@LOCAL", passwd="*", gid=10008, + mem=ent.contains_only("user_child@LOCAL"))) diff --git a/src/tests/intg/test_memory_cache.py b/src/tests/intg/test_memory_cache.py new file mode 100644 index 0000000..0d13273 --- /dev/null +++ b/src/tests/intg/test_memory_cache.py 
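Review bot: In `stop_sssd()` the bare `except:` around `os.kill(pid, signal.SIGCONT)` treats every failure, not only "no such process", as the daemon having exited, and the wait loop has no upper bound, so a daemon that ignores SIGTERM hangs the run. The teardown in `create_sssd_fixture` wraps the call in `except: pass` and then unlinks everything under `config.DB_PATH` and `config.MCACHE_PATH`, so a failed stop is silent and the cache files can be removed under a live process. I would accept only `ESRCH` as "gone", probe with signal 0 instead of `SIGCONT` (presumably used here only as a liveness check), close the pid file, and give up after a deadline, as sketched below. The sketch needs `import errno`, and its 60-second bound is a constructed value. The same two helpers are repeated verbatim in the test_memory_cache.py section that follows.

```python
def stop_sssd():
    with open(config.PIDFILE_PATH, "r") as pid_file:
        pid = int(pid_file.read())
    os.kill(pid, signal.SIGTERM)
    deadline = time.time() + 60  # constructed bound; pick what CI tolerates
    while time.time() < deadline:
        try:
            os.kill(pid, 0)  # existence probe, delivers no signal
        except OSError as err:
            if err.errno == errno.ESRCH:
                return
            raise
        time.sleep(1)
    raise Exception("sssd did not exit after SIGTERM")
```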
@@ -0,0 +1,920 @@ +# +# LDAP integration test +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Lukas Slebodnik +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import ent +import grp +import pwd +import config +import random +import signal +import string +import struct +import subprocess +import time +import pytest +import pysss_murmur + +import ds_openldap +import ldap_ent +import sssd_id +from util import unindent + +LDAP_BASE_DN = "dc=example,dc=com" + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123") + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_fixture(request, ldap_conn, ent_list): + """Add LDAP entries and add teardown for removing them""" + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + def teardown(): + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + request.addfinalizer(teardown) + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + 
conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def stop_sssd(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def create_sssd_fixture(request): + """Start sssd and add teardown for stopping it and removing state""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +def load_data_to_ldap(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2002) + ent_list.add_user("user3", 1003, 2003) + ent_list.add_user("user11", 1011, 2001) + ent_list.add_user("user12", 1012, 2002) + ent_list.add_user("user13", 1013, 2003) + ent_list.add_user("user21", 1021, 2001) + ent_list.add_user("user22", 1022, 2002) + ent_list.add_user("user23", 1023, 2003) + + ent_list.add_group("group1", 2001, ["user1", "user11", "user21"]) + ent_list.add_group("group2", 2002, ["user2", "user12", "user22"]) + ent_list.add_group("group3", 2003, ["user3", "user13", "user23"]) + + ent_list.add_group("group0x", 2000, ["user1", "user2", "user3"]) + ent_list.add_group("group1x", 2010, ["user11", "user12", "user13"]) + ent_list.add_group("group2x", 2020, ["user21", "user22", "user23"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + +@pytest.fixture +def sanity_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + + [domain/LDAP] + 
ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def fqname_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + use_fully_qualified_names = true + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def fqname_case_insensitive_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + use_fully_qualified_names = true + case_sensitive = false + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def zero_timeout_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + memcache_timeout = 0 + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = 
{ldap_conn.ds_inst.base_dn} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_getpwnam(ldap_conn, sanity_rfc2307): + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user2', + dict(name='user2', passwd='*', uid=1002, gid=2002, + gecos='1002', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1002, + dict(name='user2', passwd='*', uid=1002, gid=2002, + gecos='1002', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user3', + dict(name='user3', passwd='*', uid=1003, gid=2003, + gecos='1003', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1003, + dict(name='user3', passwd='*', uid=1003, gid=2003, + gecos='1003', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user11', + dict(name='user11', passwd='*', uid=1011, gid=2001, + gecos='1011', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1011, + dict(name='user11', passwd='*', uid=1011, gid=2001, + gecos='1011', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user12', + dict(name='user12', passwd='*', uid=1012, gid=2002, + gecos='1012', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1012, + dict(name='user12', passwd='*', uid=1012, gid=2002, + gecos='1012', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user13', + dict(name='user13', passwd='*', uid=1013, gid=2003, + gecos='1013', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1013, + dict(name='user13', passwd='*', uid=1013, gid=2003, + gecos='1013', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user21', + dict(name='user21', passwd='*', uid=1021, gid=2001, + gecos='1021', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1021, + dict(name='user21', passwd='*', uid=1021, gid=2001, + gecos='1021', shell='/bin/bash')) + + 
ent.assert_passwd_by_name( + 'user22', + dict(name='user22', passwd='*', uid=1022, gid=2002, + gecos='1022', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1022, + dict(name='user22', passwd='*', uid=1022, gid=2002, + gecos='1022', shell='/bin/bash')) + + ent.assert_passwd_by_name( + 'user23', + dict(name='user23', passwd='*', uid=1023, gid=2003, + gecos='1023', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1023, + dict(name='user23', passwd='*', uid=1023, gid=2003, + gecos='1023', shell='/bin/bash')) + + +def test_getpwnam_with_mc(ldap_conn, sanity_rfc2307): + test_getpwnam(ldap_conn, sanity_rfc2307) + stop_sssd() + test_getpwnam(ldap_conn, sanity_rfc2307) + + +def test_getgrnam_simple(ldap_conn, sanity_rfc2307): + ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) + ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) + + ent.assert_group_by_name("group2", dict(name="group2", gid=2002)) + ent.assert_group_by_gid(2002, dict(name="group2", gid=2002)) + + ent.assert_group_by_name("group3", dict(name="group3", gid=2003)) + ent.assert_group_by_gid(2003, dict(name="group3", gid=2003)) + + ent.assert_group_by_name("group0x", dict(name="group0x", gid=2000)) + ent.assert_group_by_gid(2000, dict(name="group0x", gid=2000)) + + ent.assert_group_by_name("group1x", dict(name="group1x", gid=2010)) + ent.assert_group_by_gid(2010, dict(name="group1x", gid=2010)) + + ent.assert_group_by_name("group2x", dict(name="group2x", gid=2020)) + ent.assert_group_by_gid(2020, dict(name="group2x", gid=2020)) + + +def test_getgrnam_simple_with_mc(ldap_conn, sanity_rfc2307): + test_getgrnam_simple(ldap_conn, sanity_rfc2307) + stop_sssd() + test_getgrnam_simple(ldap_conn, sanity_rfc2307) + + +def test_getgrnam_membership(ldap_conn, sanity_rfc2307): + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + ent.assert_group_by_gid( + 2001, + dict(mem=ent.contains_only("user1", "user11", "user21"))) + + 
ent.assert_group_by_name( + "group2", + dict(mem=ent.contains_only("user2", "user12", "user22"))) + ent.assert_group_by_gid( + 2002, + dict(mem=ent.contains_only("user2", "user12", "user22"))) + + ent.assert_group_by_name( + "group3", + dict(mem=ent.contains_only("user3", "user13", "user23"))) + ent.assert_group_by_gid( + 2003, + dict(mem=ent.contains_only("user3", "user13", "user23"))) + + ent.assert_group_by_name( + "group0x", + dict(mem=ent.contains_only("user1", "user2", "user3"))) + ent.assert_group_by_gid( + 2000, + dict(mem=ent.contains_only("user1", "user2", "user3"))) + + ent.assert_group_by_name( + "group1x", + dict(mem=ent.contains_only("user11", "user12", "user13"))) + ent.assert_group_by_gid( + 2010, + dict(mem=ent.contains_only("user11", "user12", "user13"))) + + ent.assert_group_by_name( + "group2x", + dict(mem=ent.contains_only("user21", "user22", "user23"))) + ent.assert_group_by_gid( + 2020, + dict(mem=ent.contains_only("user21", "user22", "user23"))) + + +def test_getgrnam_membership_with_mc(ldap_conn, sanity_rfc2307): + test_getgrnam_membership(ldap_conn, sanity_rfc2307) + stop_sssd() + test_getgrnam_membership(ldap_conn, sanity_rfc2307) + + +def assert_user_gids_equal(user, expected_gids): + (res, errno, gids) = sssd_id.get_user_gids(user) + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user %s, %d" % (user, errno) + + assert sorted(gids) == sorted(expected_gids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(expected_gids)]) + ) + + +def test_initgroups(ldap_conn, sanity_rfc2307): + assert_user_gids_equal('user1', [2000, 2001]) + assert_user_gids_equal('user2', [2000, 2002]) + assert_user_gids_equal('user3', [2000, 2003]) + + assert_user_gids_equal('user11', [2010, 2001]) + assert_user_gids_equal('user12', [2010, 2002]) + assert_user_gids_equal('user13', [2010, 2003]) + + assert_user_gids_equal('user21', [2020, 2001]) + 
assert_user_gids_equal('user22', [2020, 2002]) + assert_user_gids_equal('user23', [2020, 2003]) + + +def test_initgroups_with_mc(ldap_conn, sanity_rfc2307): + test_initgroups(ldap_conn, sanity_rfc2307) + stop_sssd() + test_initgroups(ldap_conn, sanity_rfc2307) + + +def test_initgroups_fqname_with_mc(ldap_conn, fqname_rfc2307): + assert_user_gids_equal('user1@LDAP', [2000, 2001]) + stop_sssd() + assert_user_gids_equal('user1@LDAP', [2000, 2001]) + + +def assert_initgroups_equal(user, primary_gid, expected_gids): + (res, errno, gids) = sssd_id.call_sssd_initgroups(user, primary_gid) + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user %s, %d" % (user, errno) + + assert sorted(gids) == sorted(expected_gids), \ + "result: %s\n expected %s" % ( + ", ".join(["%s" % s for s in sorted(gids)]), + ", ".join(["%s" % s for s in sorted(expected_gids)]) + ) + + +def assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, + primary_gid, expected_gids): + + assert_initgroups_equal(user1_case1, primary_gid, expected_gids) + assert_initgroups_equal(user1_case2, primary_gid, expected_gids) + assert_initgroups_equal(user1_case_last, primary_gid, expected_gids) + stop_sssd() + + user = user1_case1 + (res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid) + assert res == sssd_id.NssReturnCode.UNAVAIL, \ + "Initgroups for user shoudl fail user %s, %d, %d" % (user, res, errno) + + user = user1_case2 + (res, errno, _) = sssd_id.call_sssd_initgroups(user, primary_gid) + assert res == sssd_id.NssReturnCode.UNAVAIL, \ + "Initgroups for user shoudl fail user %s, %d, %d" % (user, res, errno) + + # Just last invocation of initgroups shoudl PASS + # Otherwise, we would not be able to invalidate it + assert_initgroups_equal(user1_case_last, primary_gid, expected_gids) + + +def test_initgroups_case_insensitive_with_mc1(ldap_conn, + fqname_case_insensitive_rfc2307): + user1_case1 = 'User1@LDAP' + user1_case2 = 'uSer1@LDAP' + user1_case_last = 
'usEr1@LDAP' + primary_gid = 2001 + expected_gids = [2000, 2001] + + assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, + primary_gid, expected_gids) + + +def test_initgroups_case_insensitive_with_mc2(ldap_conn, + fqname_case_insensitive_rfc2307): + user1_case1 = 'usEr1@LDAP' + user1_case2 = 'User1@LDAP' + user1_case_last = 'uSer1@LDAP' + primary_gid = 2001 + expected_gids = [2000, 2001] + + assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, + primary_gid, expected_gids) + + +def test_initgroups_case_insensitive_with_mc3(ldap_conn, + fqname_case_insensitive_rfc2307): + user1_case1 = 'uSer1@LDAP' + user1_case2 = 'usEr1@LDAP' + user1_case_last = 'User1@LDAP' + primary_gid = 2001 + expected_gids = [2000, 2001] + + assert_stored_last_initgroups(user1_case1, user1_case2, user1_case_last, + primary_gid, expected_gids) + + +def run_simple_test_with_initgroups(): + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + ent.assert_group_by_gid( + 2001, + dict(mem=ent.contains_only("user1", "user11", "user21"))) + + # unrelated group to user1 + ent.assert_group_by_name( + "group2", + dict(mem=ent.contains_only("user2", "user12", "user22"))) + ent.assert_group_by_gid( + 2002, + dict(mem=ent.contains_only("user2", "user12", "user22"))) + + assert_initgroups_equal("user1", 2001, [2000, 2001]) + + +def test_invalidation_of_gids_after_initgroups(ldap_conn, sanity_rfc2307): + + # the sssd cache was empty and not all user's group were + # resolved with getgr{nm,gid}. 
Therefore there is a change in + # group membership => user groups should be invalidated + run_simple_test_with_initgroups() + assert_initgroups_equal("user1", 2001, [2000, 2001]) + + stop_sssd() + + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + # unrelated group to user1 must be returned + ent.assert_group_by_name( + "group2", + dict(mem=ent.contains_only("user2", "user12", "user22"))) + ent.assert_group_by_gid( + 2002, + dict(mem=ent.contains_only("user2", "user12", "user22"))) + + assert_initgroups_equal("user1", 2001, [2000, 2001]) + + # user groups must be invalidated + for group in ["group1", "group0x"]: + with pytest.raises(KeyError): + grp.getgrnam(group) + + for gid in [2000, 2001]: + with pytest.raises(KeyError): + grp.getgrgid(gid) + + +def test_initgroups_without_change_in_membership(ldap_conn, sanity_rfc2307): + + # the sssd cache was empty and not all user's group were + # resolved with getgr{nm,gid}. 
Therefore there is a change in + # group membership => user groups should be invalidated + run_simple_test_with_initgroups() + + # invalidate cache + subprocess.call(["sss_cache", "-E"]) + + # all users and groups will be just refreshed from LDAP + # but there will not be a change in group membership + # user groups should not be invlaidated + run_simple_test_with_initgroups() + + stop_sssd() + + # everything should be in memory cache + run_simple_test_with_initgroups() + + +def assert_mc_records_for_user1(): + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + ent.assert_group_by_gid( + 2001, + dict(mem=ent.contains_only("user1", "user11", "user21"))) + ent.assert_group_by_name( + "group0x", + dict(mem=ent.contains_only("user1", "user2", "user3"))) + ent.assert_group_by_gid( + 2000, + dict(mem=ent.contains_only("user1", "user2", "user3"))) + + assert_initgroups_equal("user1", 2001, [2000, 2001]) + + +def assert_missing_mc_records_for_user1(): + with pytest.raises(KeyError): + pwd.getpwnam("user1") + with pytest.raises(KeyError): + pwd.getpwuid(1001) + + for gid in [2000, 2001]: + with pytest.raises(KeyError): + grp.getgrgid(gid) + for group in ["group0x", "group1"]: + with pytest.raises(KeyError): + grp.getgrnam(group) + + (res, err, _) = sssd_id.call_sssd_initgroups("user1", 2001) + assert res == sssd_id.NssReturnCode.UNAVAIL, \ + "Initgroups should not find anything after invalidation of mc.\n" \ + "User user1, errno:%d" % err + + +def test_invalidate_user_before_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for 
user1, %d" % errno + assert_mc_records_for_user1() + + subprocess.call(["sss_cache", "-u", "user1"]) + stop_sssd() + + assert_missing_mc_records_for_user1() + + +def test_invalidate_user_after_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + stop_sssd() + subprocess.call(["sss_cache", "-u", "user1"]) + + assert_missing_mc_records_for_user1() + + +def test_invalidate_users_before_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + subprocess.call(["sss_cache", "-U"]) + stop_sssd() + + assert_missing_mc_records_for_user1() + + +def test_invalidate_users_after_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + stop_sssd() + subprocess.call(["sss_cache", "-U"]) + + assert_missing_mc_records_for_user1() + + +def test_invalidate_group_before_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + subprocess.call(["sss_cache", "-g", "group1"]) + stop_sssd() + + assert_missing_mc_records_for_user1() + + +def test_invalidate_group_after_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + 
stop_sssd() + subprocess.call(["sss_cache", "-g", "group1"]) + + assert_missing_mc_records_for_user1() + + +def test_invalidate_groups_before_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + subprocess.call(["sss_cache", "-G"]) + stop_sssd() + + assert_missing_mc_records_for_user1() + + +def test_invalidate_groups_after_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + stop_sssd() + subprocess.call(["sss_cache", "-G"]) + + assert_missing_mc_records_for_user1() + + +def test_invalidate_everything_before_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + subprocess.call(["sss_cache", "-E"]) + stop_sssd() + + assert_missing_mc_records_for_user1() + + +def test_invalidate_everything_after_stop(ldap_conn, sanity_rfc2307): + # initialize cache with full ID + (res, errno, _) = sssd_id.get_user_groups("user1") + assert res == sssd_id.NssReturnCode.SUCCESS, \ + "Could not find groups for user1, %d" % errno + assert_mc_records_for_user1() + + stop_sssd() + subprocess.call(["sss_cache", "-E"]) + + assert_missing_mc_records_for_user1() + + +def get_random_string(length): + return ''.join([random.choice(string.ascii_letters + string.digits) + for n in range(length)]) + + +class MemoryCache(object): + SIZEOF_UINT32_T = 4 + + def __init__(self, path): + with open(path, "rb") as fin: + fin.seek(4 * self.SIZEOF_UINT32_T) + self.seed = struct.unpack('i', fin.read(4))[0] + 
self.data_size = struct.unpack('i', fin.read(4))[0] + self.ft_size = struct.unpack('i', fin.read(4))[0] + hash_len = struct.unpack('i', fin.read(4))[0] + self.hash_size = hash_len / self.SIZEOF_UINT32_T + + def sss_nss_mc_hash(self, key): + input_key = key + '\0' + input_len = len(key) + 1 + + murmur_hash = pysss_murmur.murmurhash3(input_key, input_len, self.seed) + return murmur_hash % self.hash_size + + +def test_colliding_hashes(ldap_conn, sanity_rfc2307): + """ + Regression test for ticket: + https://pagure.io/SSSD/sssd/issue/3571 + """ + + first_user = 'user1' + + # initialize data in memcache + ent.assert_passwd_by_name( + first_user, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + mem_cache = MemoryCache(config.MCACHE_PATH + '/passwd') + + colliding_hash = mem_cache.sss_nss_mc_hash(first_user) + + while True: + # string for colliding hash need to be longer then data for user1 + # stored in memory cache (almost equivalent to: + # `getent passwd user1 | wc -c` ==> 45 + second_user = get_random_string(80) + val = mem_cache.sss_nss_mc_hash(second_user) + if val == colliding_hash: + break + + # add new user to LDAP + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user(second_user, 5001, 5001) + ldap_conn.add_s(ent_list[0][0], ent_list[0][1]) + + ent.assert_passwd_by_name( + second_user, + dict(name=second_user, passwd='*', uid=5001, gid=5001, + gecos='5001', shell='/bin/bash')) + + stop_sssd() + + # check that both users are stored in cache + ent.assert_passwd_by_name( + first_user, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_passwd_by_name( + second_user, + dict(name=second_user, passwd='*', uid=5001, gid=5001, + gecos='5001', shell='/bin/bash')) + + +def test_removed_mc(ldap_conn, sanity_rfc2307): + """ + Regression test for ticket: + https://fedorahosted.org/sssd/ticket/2726 + """ + + ent.assert_passwd_by_name( + 'user1', + 
dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) + ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) + stop_sssd() + + # remove cache without invalidation + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + # sssd is stopped; so the memory cache should not be used + # in long living clients (py.test in this case) + with pytest.raises(KeyError): + pwd.getpwnam('user1') + with pytest.raises(KeyError): + pwd.getpwuid(1001) + + with pytest.raises(KeyError): + grp.getgrnam('group1') + with pytest.raises(KeyError): + grp.getgrgid(2001) + + +def test_mc_zero_timeout(ldap_conn, zero_timeout_rfc2307): + """ + Test that the memory cache is not created at all with memcache_timeout=0 + """ + # No memory cache files must be created + assert len(os.listdir(config.MCACHE_PATH)) == 0 + + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_uid( + 1001, + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + + ent.assert_group_by_name("group1", dict(name="group1", gid=2001)) + ent.assert_group_by_gid(2001, dict(name="group1", gid=2001)) + stop_sssd() + + # sssd is stopped; so the memory cache should not be used + # in long living clients (py.test in this case) + with pytest.raises(KeyError): + pwd.getpwnam('user1') + with pytest.raises(KeyError): + pwd.getpwuid(1001) + + with pytest.raises(KeyError): + grp.getgrnam('group1') + with pytest.raises(KeyError): + grp.getgrgid(2001) diff --git a/src/tests/intg/test_netgroup.py b/src/tests/intg/test_netgroup.py new file mode 100644 index 0000000..d0e2c6a --- /dev/null +++ b/src/tests/intg/test_netgroup.py 
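Review bot: `stop_sssd()` polls for the daemon in a `while True` loop with no deadline and a bare `except:`, so an sssd that does not exit on SIGTERM hangs the whole test run, and the bare clause treats KeyboardInterrupt or any unrelated error as "process gone". The PID file is also opened without ever being closed. I would read it in a `with` block, catch only `OSError` from the probe, and raise once a bounded wait expires, as sketched below; the 60-second bound is a constructed value, not one taken from the project. The teardown in `create_sssd_fixture` wraps this call in `except: pass` and then unlinks the DB and memory-cache files, so a failed stop there would be silent while the daemon may still be running; that is worth at least a comment.

```python
def stop_sssd():
    """Send SIGTERM to sssd and wait, for a bounded time, until its PID is gone"""
    with open(config.PIDFILE_PATH, "r") as pid_file:
        pid = int(pid_file.read())
    os.kill(pid, signal.SIGTERM)
    deadline = time.time() + 60  # constructed bound; tune for the CI host
    while time.time() < deadline:
        try:
            # probe only: the signal fails once the PID no longer exists
            os.kill(pid, signal.SIGCONT)
        except OSError:
            return
        time.sleep(1)
    raise Exception("sssd (pid %d) did not exit after SIGTERM" % pid)
```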
@@ -0,0 +1,511 @@ +# +# Netgroup integration test +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Petr Cech +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import stat +import signal +import subprocess +import time +import ldap +import ldap.modlist +import pytest + +import config +import ds_openldap +import ldap_ent +from util import unindent +from sssd_nss import NssReturnCode +from sssd_netgroup import get_sssd_netgroups + +LDAP_BASE_DN = "dc=example,dc=com" + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(ds_inst.teardown) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(ldap_conn.unbind_s) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP entries from ent_list""" + if ent_list is not None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + 
ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """Format a basic SSSD configuration""" + schema_conf = "ldap_schema = " + schema + "\n" + schema_conf += "ldap_group_object_class = groupOfNames\n" + return unindent("""\ + [sssd] + domains = LDAP + services = nss + disable_netlink = true + + [nss] + + [domain/LDAP] + {schema_conf} + id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn} + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise 
Exception("sssd start failed") + + +def get_sssd_pid(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + return pid + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid = get_sssd_pid() + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +def simulate_offline(): + pid = get_sssd_pid() + os.kill(pid, signal.SIGUSR1) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +@pytest.fixture +def add_empty_netgroup(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + + ent_list.add_netgroup("empty_netgroup") + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_add_empty_netgroup(add_empty_netgroup): + """ + Adding empty netgroup. 
+ """ + + res, _, netgroups = get_sssd_netgroups("empty_netgroup") + assert res == NssReturnCode.SUCCESS + assert netgroups == [] + + +@pytest.fixture +def add_tripled_netgroup(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + + ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"]) + + ent_list.add_netgroup("adv_tripled_netgroup", ["(host1,user1,domain1)", + "(host2,user2,domain2)"]) + + ent_list.add_netgroup("tripled_netgroup_no_domain", ["(host,user,)"]) + + ent_list.add_netgroup("tripled_netgroup_no_user", ["(host,,domain)"]) + + ent_list.add_netgroup("tripled_netgroup_no_host", ["(,user,domain)"]) + + ent_list.add_netgroup("tripled_netgroup_none", ["(,,)"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_add_tripled_netgroup(add_tripled_netgroup): + """ + Adding netgroup with triplet. + """ + + res, _, netgrps = get_sssd_netgroups("tripled_netgroup") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("host", "user", "domain")] + + res, _, netgrps = get_sssd_netgroups("adv_tripled_netgroup") + assert res == NssReturnCode.SUCCESS + assert sorted(netgrps) == sorted([("host1", "user1", "domain1"), + ("host2", "user2", "domain2")]) + + res, _, netgrps = get_sssd_netgroups("tripled_netgroup_no_domain") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("host", "user", "")] + + res, _, netgrps = get_sssd_netgroups("tripled_netgroup_no_user") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("host", "", "domain")] + + res, _, netgrps = get_sssd_netgroups("tripled_netgroup_no_host") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("", "user", "domain")] + + res, _, netgrps = get_sssd_netgroups("tripled_netgroup_none") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("", "", "")] + + +@pytest.fixture +def 
add_mixed_netgroup(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + + ent_list.add_netgroup("mixed_netgroup1") + ent_list.add_netgroup("mixed_netgroup2", members=["mixed_netgroup1"]) + + ent_list.add_netgroup("mixed_netgroup3", ["(host1,user1,domain1)"]) + ent_list.add_netgroup("mixed_netgroup4", + ["(host2,user2,domain2)", "(host3,user3,domain3)"]) + + ent_list.add_netgroup("mixed_netgroup5", + ["(host4,user4,domain4)"], + ["mixed_netgroup1"]) + ent_list.add_netgroup("mixed_netgroup6", + ["(host5,user5,domain5)"], + ["mixed_netgroup2"]) + + ent_list.add_netgroup("mixed_netgroup7", members=["mixed_netgroup3"]) + ent_list.add_netgroup("mixed_netgroup8", + members=["mixed_netgroup3", "mixed_netgroup4"]) + + ent_list.add_netgroup("mixed_netgroup9", + ["(host6,user6,domain6)"], + ["mixed_netgroup3", "mixed_netgroup4"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_add_mixed_netgroup(add_mixed_netgroup): + """ + Adding many netgroups of different type. 
+ """ + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup1") + assert res == NssReturnCode.SUCCESS + assert netgroups == [] + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup2") + assert res == NssReturnCode.SUCCESS + assert netgroups == [] + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup3") + assert res == NssReturnCode.SUCCESS + assert netgroups == [("host1", "user1", "domain1")] + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup4") + assert res == NssReturnCode.SUCCESS + assert sorted(netgroups) == sorted([("host2", "user2", "domain2"), + ("host3", "user3", "domain3")]) + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup5") + assert res == NssReturnCode.SUCCESS + assert netgroups == [("host4", "user4", "domain4")] + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup6") + assert res == NssReturnCode.SUCCESS + assert netgroups == [("host5", "user5", "domain5")] + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup7") + assert res == NssReturnCode.SUCCESS + assert netgroups == [("host1", "user1", "domain1")] + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup8") + assert res == NssReturnCode.SUCCESS + assert sorted(netgroups) == sorted([("host1", "user1", "domain1"), + ("host2", "user2", "domain2"), + ("host3", "user3", "domain3")]) + + res, _, netgroups = get_sssd_netgroups("mixed_netgroup9") + assert res == NssReturnCode.SUCCESS + assert sorted(netgroups) == sorted([("host1", "user1", "domain1"), + ("host2", "user2", "domain2"), + ("host3", "user3", "domain3"), + ("host6", "user6", "domain6")]) + + +@pytest.fixture +def remove_step_by_step(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + + ent_list.add_netgroup("rm_empty_netgroup1", ["(host1,user1,domain1)"]) + ent_list.add_netgroup("rm_empty_netgroup2", + ["(host2,user2,domain2)"], + ["rm_empty_netgroup1"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + 
create_conf_fixture(request, conf) + create_sssd_fixture(request) + return ent_list + + +def test_remove_step_by_step(remove_step_by_step, ldap_conn): + """ + Removing netgroups step by step. + """ + + ent_list = remove_step_by_step + + res, _, netgroups = get_sssd_netgroups("rm_empty_netgroup1") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host1', 'user1', 'domain1')] + + res, _, netgroups = get_sssd_netgroups("rm_empty_netgroup2") + assert res == NssReturnCode.SUCCESS + assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'), + ('host2', 'user2', 'domain2')]) + + # removing of rm_empty_netgroup1 + ldap_conn.delete_s(ent_list[0][0]) + ent_list.remove(ent_list[0]) + + if subprocess.call(["sss_cache", "-N"]) != 0: + raise Exception("sssd_cache failed") + + res, _, netgroups = get_sssd_netgroups("rm_empty_netgroup1") + assert res == NssReturnCode.NOTFOUND + assert netgroups == [] + + res, _, netgroups = get_sssd_netgroups("rm_empty_netgroup2") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host2', 'user2', 'domain2')] + + # removing of rm_empty_netgroup2 + ldap_conn.delete_s(ent_list[0][0]) + ent_list.remove(ent_list[0]) + + if subprocess.call(["sss_cache", "-N"]) != 0: + raise Exception("sssd_cache failed") + + res, _, netgroups = get_sssd_netgroups("rm_empty_netgroup1") + assert res == NssReturnCode.NOTFOUND + assert netgroups == [] + + res, _, netgroups = get_sssd_netgroups("rm_empty_netgroup2") + assert res == NssReturnCode.NOTFOUND + assert netgroups == [] + + +@pytest.fixture +def removing_nested_netgroups(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + + ent_list.add_netgroup("t2841_netgroup1", ["(host1,user1,domain1)"]) + ent_list.add_netgroup("t2841_netgroup2", ["(host2,user2,domain2)"]) + ent_list.add_netgroup("t2841_netgroup3", + members=["t2841_netgroup1", "t2841_netgroup2"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, 
SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_removing_nested_netgroups(removing_nested_netgroups, ldap_conn): + """ + Regression test for ticket 2841. + https://fedorahosted.org/sssd/ticket/2841 + """ + + netgrp_dn = 'cn=t2841_netgroup3,ou=Netgroups,' + ldap_conn.ds_inst.base_dn + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup1") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host1', 'user1', 'domain1')] + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup2") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host2', 'user2', 'domain2')] + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup3") + assert res == NssReturnCode.SUCCESS + assert sorted(netgroups) == sorted([('host1', 'user1', 'domain1'), + ('host2', 'user2', 'domain2')]) + + # removing of t2841_netgroup1 from t2841_netgroup3 + old = {'memberNisNetgroup': [b"t2841_netgroup1", b"t2841_netgroup2"]} + new = {'memberNisNetgroup': [b"t2841_netgroup2"]} + + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(netgrp_dn, ldif) + + if subprocess.call(["sss_cache", "-N"]) != 0: + raise Exception("sssd_cache failed") + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup1") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host1', 'user1', 'domain1')] + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup2") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host2', 'user2', 'domain2')] + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup3") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host2', 'user2', 'domain2')] + + # removing of t2841_netgroup2 from t2841_netgroup3 + old = {'memberNisNetgroup': [b"t2841_netgroup2"]} + new = {'memberNisNetgroup': []} + + ldif = ldap.modlist.modifyModlist(old, new) + ldap_conn.modify_s(netgrp_dn, ldif) + + if subprocess.call(["sss_cache", "-N"]) != 0: + raise Exception("sssd_cache failed") + + 
res, _, netgroups = get_sssd_netgroups("t2841_netgroup1") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host1', 'user1', 'domain1')] + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup2") + assert res == NssReturnCode.SUCCESS + assert netgroups == [('host2', 'user2', 'domain2')] + + res, _, netgroups = get_sssd_netgroups("t2841_netgroup3") + assert res == NssReturnCode.SUCCESS + assert netgroups == [] + + +def test_offline_netgroups(add_tripled_netgroup): + res, _, netgrps = get_sssd_netgroups("tripled_netgroup") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("host", "user", "domain")] + + subprocess.check_call(["sss_cache", "-N"]) + + simulate_offline() + + res, _, netgrps = get_sssd_netgroups("tripled_netgroup") + assert res == NssReturnCode.SUCCESS + assert netgrps == [("host", "user", "domain")] diff --git a/src/tests/intg/test_pac_responder.py b/src/tests/intg/test_pac_responder.py new file mode 100644 index 0000000..4354a5d --- /dev/null +++ b/src/tests/intg/test_pac_responder.py 
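Review bot: The wait loop in `cleanup_sssd_process` has no upper bound and sits inside bare `except:` clauses, so an sssd that ignores SIGTERM hangs the teardown forever, and a KeyboardInterrupt or any programming error in the block is treated as "process has exited". The probe `os.kill(pid, signal.SIGCONT)` also delivers a real signal that resumes a stopped process; signal 0 performs the same existence check without delivering anything. I would bound the wait, probe with signal 0, catch only the expected exception types, and escalate to SIGKILL before the cache files are unlinked (the 60-second bound below is a constructed value). `get_sssd_pid` also leaves the pid file open, which `with open(config.PIDFILE_PATH, "r") as pid_file:` would fix. The same unbounded loop appears in `stop_sssd` in test_pac_responder.py and in `cleanup_sssd_process` in test_pam_responder.py and test_pysss_nss_idmap.py.

```python
        os.kill(pid, signal.SIGTERM)
        deadline = time.time() + 60  # constructed bound
        while time.time() < deadline:
            try:
                os.kill(pid, 0)  # existence probe, delivers no signal
            except OSError:
                break
            time.sleep(1)
        else:
            os.kill(pid, signal.SIGKILL)  # still alive after the bound
    except (IOError, OSError, ValueError):
        pass
    # … unchanged: unlink of DB_PATH and MCACHE_PATH entries …
```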
@@ -0,0 +1,120 @@ +# +# SSSD PAC responder tests +# +# Copyright (c) 2017 Red Hat, Inc. +# Author: Sumit Bose +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import time +import config +import signal +import subprocess +import pytest +from util import unindent + + +def stop_sssd(): + with open(config.PIDFILE_PATH, "r") as pid_file: + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def create_sssd_fixture(request): + """Start sssd and add teardown for stopping it and removing state""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +@pytest.fixture +def local_domain_only(request): + conf = unindent("""\ + [sssd] + domains = LOCAL + services = nss, pac + + [nss] + memcache_timeout = 0 + + [domain/LOCAL] + id_provider = local + min_id = 10000 + max_id 
= 20000 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def sssd_pac_test_client(request): + path = os.path.join(config.ABS_BUILDDIR, + "..", "..", "..", "sssd_pac_test_client") + if os.access(path, os.X_OK): + return path + + return None + + +def timeout_handler(signum, frame): + raise Exception("Timeout") + + +def test_multithreaded_pac_client(local_domain_only, sssd_pac_test_client): + """ + Test for ticket + https://pagure.io/SSSD/sssd/issue/3518 + """ + + if not sssd_pac_test_client: + pytest.skip("The sssd_pac_test_client is not available, skipping test") + + signal.signal(signal.SIGALRM, timeout_handler) + signal.alarm(10) + + try: + subprocess.check_call(sssd_pac_test_client) + except: + # cancel alarm + signal.alarm(0) + raise Exception("sssd_pac_test_client failed") + + signal.alarm(0) diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py new file mode 100644 index 0000000..09aedd7 --- /dev/null +++ b/src/tests/intg/test_pam_responder.py 
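Review bot: The bare `except:` in `test_multithreaded_pac_client` replaces both the `Exception("Timeout")` raised by `timeout_handler` and the `CalledProcessError` from `check_call` with a generic `Exception("sssd_pac_test_client failed")`, so the test log cannot distinguish a hang from a non-zero exit. Cancelling the alarm in a `finally:` and letting the original exception propagate keeps that information: `try: subprocess.check_call(sssd_pac_test_client)` followed by `finally: signal.alarm(0)`. The previous SIGALRM handler is never restored either; saving the return value of `signal.signal(signal.SIGALRM, timeout_handler)` and reinstalling it in the same `finally` keeps the handler from leaking into later tests. Whether the client process is terminated when the alarm fires depends on the `subprocess` implementation of the Python version in use, so an explicit kill on timeout may be worth adding.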
@@ -0,0 +1,130 @@ +# +# Test for the PAM responder +# +# Copyright (c) 2018 Red Hat, Inc. +# Author: Sumit Bose +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +""" +Tests for the PAM responder +""" +import os +import stat +import signal +import errno +import subprocess +import time +import pytest + +import config + +from util import unindent + + +def format_pam_cert_auth_conf(): + """Format a basic SSSD configuration""" + return unindent("""\ + [sssd] + domains = auth_only + services = pam + + [nss] + + [pam] + pam_cert_auth = True + debug_level = 10 + + [domain/auth_only] + id_provider = ldap + auth_provider = ldap + chpass_provider = ldap + access_provider = ldap + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + + def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + request.addfinalizer(cleanup_conf_file) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its 
state""" + try: + with open(config.PIDFILE_PATH, "r") as pid_file: + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except OSError as ex: + break + time.sleep(1) + except OSError as ex: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + # make sure that the indicator file is removed during shutdown + try: + assert not os.stat(config.PUBCONF_PATH + "/pam_preauth_available") + except OSError as ex: + if ex.errno != errno.ENOENT: + raise ex + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + request.addfinalizer(cleanup_sssd_process) + + +@pytest.fixture +def simple_pam_cert_auth(request): + """Setup SSSD with pam_cert_auth=True""" + conf = format_pam_cert_auth_conf() + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_preauth_indicator(simple_pam_cert_auth): + """Check if preauth indicator file is created""" + statinfo = os.stat(config.PUBCONF_PATH + "/pam_preauth_available") + assert stat.S_ISREG(statinfo.st_mode) diff --git a/src/tests/intg/test_pysss_nss_idmap.py b/src/tests/intg/test_pysss_nss_idmap.py new file mode 100644 index 0000000..8d0d9b7 --- /dev/null +++ b/src/tests/intg/test_pysss_nss_idmap.py 
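Review bot: In `cleanup_sssd_process`, `int(pid_file.read())` raises ValueError on an empty or truncated pid file, and the enclosing `except OSError as ex:` does not cover it, so the finalizer aborts before the DB_PATH and MCACHE_PATH files are unlinked and before the `pam_preauth_available` check runs. On Python 2 a missing pid file raises IOError, which that handler does not cover either. Widening it to `except (IOError, OSError, ValueError):` keeps the cleanup best-effort, as the bare handlers in the other test modules of this patch do. The indicator check `assert not os.stat(...)` works only because a stat result is always truthy; `assert not os.path.exists(config.PUBCONF_PATH + "/pam_preauth_available")` states the intent directly and makes the errno handling unnecessary.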
@@ -0,0 +1,290 @@ +# +# LDAP integration test +# +# Copyright (c) 2017 Red Hat, Inc. +# Author: Lukas Slebodnik +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import pwd +import grp +import signal +import subprocess +import time +import pytest +import ldb +import pysss_nss_idmap + +import config +import ds_openldap + +from .util import unindent + +LDAP_BASE_DN = "dc=example,dc=com" + + +@pytest.fixture(scope="module") +def ad_inst(request): + """Fake AD server instance fixture""" + instance = ds_openldap.FakeAD( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + instance.setup() + except: + instance.teardown() + raise + request.addfinalizer(instance.teardown) + return instance + + +@pytest.fixture(scope="module") +def ldap_conn(request, ad_inst): + """LDAP server connection fixture""" + ldap_conn = ad_inst.bind() + ldap_conn.ad_inst = ad_inst + request.addfinalizer(ldap_conn.unbind_s) + return ldap_conn + + +def format_basic_conf(ldap_conn): + """Format a basic SSSD configuration""" + return unindent("""\ + [sssd] + domains = FakeAD + services = nss + + [nss] + + [pam] + + [domain/FakeAD] + ldap_search_base = {ldap_conn.ad_inst.base_dn} + ldap_referrals = false + + id_provider = ldap + auth_provider = ldap + chpass_provider = ldap + access_provider = ldap + + ldap_uri = {ldap_conn.ad_inst.ldap_url} + ldap_default_bind_dn = {ldap_conn.ad_inst.admin_dn} + ldap_default_authtok_type = password + ldap_default_authtok = 
{ldap_conn.ad_inst.admin_pw} + + ldap_schema = ad + ldap_id_mapping = true + ldap_idmap_default_domain_sid = S-1-5-21-1305200397-2901131868-73388776 + case_sensitive = False + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + + def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + request.addfinalizer(cleanup_conf_file) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + with open(config.PIDFILE_PATH, "r") as pid_file: + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + request.addfinalizer(cleanup_sssd_process) + + +def sysdb_sed_domainid(domain_name, doamin_id): + sssd_cache = "{0}/cache_{1}.ldb".format(config.DB_PATH, domain_name) + domain_ldb = ldb.Ldb(sssd_cache) + + msg = ldb.Message() + msg.dn = ldb.Dn(domain_ldb, "cn=sysdb") + msg["cn"] = "sysdb" + msg["description"] = "base object" + msg["version"] = "0.17" + domain_ldb.add(msg) + + # Set domainID for fake AD domain + msg = ldb.Message() + msg.dn = 
ldb.Dn(domain_ldb, "cn={0},cn=sysdb".format(domain_name)) + msg["cn"] = domain_name + msg["domainID"] = doamin_id + msg["distinguishedName"] = "cn={0},cn=sysdb".format(domain_name) + domain_ldb.add(msg) + + msg = ldb.Message() + msg.dn = ldb.Dn(domain_ldb, "@ATTRIBUTES") + msg["distinguishedName"] = "@ATTRIBUTES" + for attr in ['cn', 'dc', 'dn', 'objectclass', 'originalDN', + 'userPrincipalName']: + msg[attr] = "CASE_INSENSITIVE" + domain_ldb.add(msg) + + msg = ldb.Message() + msg.dn = ldb.Dn(domain_ldb, "@INDEXLIST") + msg["distinguishedName"] = "@INDEXLIST" + msg["@IDXONE"] = "1" + for attr in ['cn', 'objectclass', 'member', 'memberof', 'name', + 'uidNumber', 'gidNumber', 'lastUpdate', 'dataExpireTimestamp', + 'originalDN', 'nameAlias', 'servicePort', 'serviceProtocol', + 'sudoUser', 'sshKnownHostsExpire', 'objectSIDString']: + msg["@IDXATTR"] = attr + domain_ldb.add(msg) + + msg = ldb.Message() + msg.dn = ldb.Dn(domain_ldb, "@MODULES") + msg["distinguishedName"] = "@MODULES" + msg["@LIST"] = "asq,memberof" + domain_ldb.add(msg) + + +@pytest.fixture +def simple_ad(request, ldap_conn): + conf = format_basic_conf(ldap_conn) + sysdb_sed_domainid("FakeAD", "S-1-5-21-1305200397-2901131868-73388776") + + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_user_operations(ldap_conn, simple_ad): + user = 'user1_dom1-19661' + user_id = pwd.getpwnam(user).pw_uid + user_sid = 'S-1-5-21-1305200397-2901131868-73388776-82809' + + output = pysss_nss_idmap.getsidbyname(user)[user] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER + assert output[pysss_nss_idmap.SID_KEY] == user_sid + + output = pysss_nss_idmap.getsidbyid(user_id)[user_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER + assert output[pysss_nss_idmap.SID_KEY] == user_sid + + output = pysss_nss_idmap.getsidbyuid(user_id)[user_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER + assert 
output[pysss_nss_idmap.SID_KEY] == user_sid + + output = pysss_nss_idmap.getsidbygid(user_id) + assert len(output) == 0 + + output = pysss_nss_idmap.getidbysid(user_sid)[user_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER + assert output[pysss_nss_idmap.ID_KEY] == user_id + + output = pysss_nss_idmap.getnamebysid(user_sid)[user_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_USER + assert output[pysss_nss_idmap.NAME_KEY] == user + + +def test_group_operations(ldap_conn, simple_ad): + group = 'group3_dom1-17775' + group_id = grp.getgrnam(group).gr_gid + group_sid = 'S-1-5-21-1305200397-2901131868-73388776-82764' + + output = pysss_nss_idmap.getsidbyname(group)[group] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbygid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyuid(group_id) + assert len(output) == 0 + + output = pysss_nss_idmap.getidbysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.ID_KEY] == group_id + + output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.NAME_KEY] == group + + +def test_case_insensitive(ldap_conn, simple_ad): + # resolve group and also member of this group + group = 'Domain Users' + group_id = grp.getgrnam(group).gr_gid + group_sid = 'S-1-5-21-1305200397-2901131868-73388776-513' + + output = pysss_nss_idmap.getsidbyname(group)[group] + assert output[pysss_nss_idmap.TYPE_KEY] == 
pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbygid(group_id)[group_id] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.SID_KEY] == group_sid + + output = pysss_nss_idmap.getsidbyuid(group_id) + assert len(output) == 0 + + output = pysss_nss_idmap.getidbysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.ID_KEY] == group_id + + output = pysss_nss_idmap.getnamebysid(group_sid)[group_sid] + assert output[pysss_nss_idmap.TYPE_KEY] == pysss_nss_idmap.ID_GROUP + assert output[pysss_nss_idmap.NAME_KEY] == group.lower() diff --git a/src/tests/intg/test_secrets.py b/src/tests/intg/test_secrets.py new file mode 100644 index 0000000..7979cd3 --- /dev/null +++ b/src/tests/intg/test_secrets.py 
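Review bot: `create_conf_file` creates sssd.conf with `open(config.CONF_PATH, "w")` and restricts it to owner read/write only after the contents are written, while `format_basic_conf` in this file puts the bind password into it via `ldap_default_authtok = {ldap_conn.ad_inst.admin_pw}`. Until the `os.chmod` runs, the file has whatever mode the process umask allows. Creating it with the final mode closes that window: `fd = os.open(config.CONF_PATH, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)` followed by `with os.fdopen(fd, "w") as conf: conf.write(contents)`, keeping the `os.chmod` for the case where the file already exists. The same create-then-chmod sequence is in test_netgroup.py, test_pac_responder.py and test_pam_responder.py, although the configurations visible there hold no password.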
@@ -0,0 +1,688 @@
+#
+# Secrets responder integration tests
+#
+# Copyright (c) 2016 Red Hat, Inc.
+#
+# This is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+from __future__ import print_function
+import os
+import stat
+import sys
+import config
+import signal
+import subprocess
+import time
+import socket
+import pytest
+import psutil
+from requests import HTTPError
+
+from util import unindent
+from secrets import SecretsLocalClient
+
+
+def create_conf_fixture(request, contents):
+ """Generate sssd.conf and add teardown for removing it"""
+ conf = open(config.CONF_PATH, "w")
+ conf.write(contents)
+ conf.close()
+ os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR)
+ request.addfinalizer(lambda: os.unlink(config.CONF_PATH))
+
+
+def create_sssd_secrets_fixture(request, teardown=True):
+ if subprocess.call(['sssd', "--genconf"]) != 0:
+ raise Exception("failed to regenerate confdb")
+
+ resp_path = os.path.join(config.LIBEXEC_PATH, "sssd", "sssd_secrets")
+ if not os.access(resp_path, os.X_OK):
+ # It would be cleaner to use pytest.mark.skipif on the package level
+ # but upstream insists on supporting RHEL-6.
+ pytest.skip("No Secrets responder, skipping") + + secpid = os.fork() + assert secpid >= 0 + + if secpid == 0: + os.execv(resp_path, ("--uid=0", "--gid=0")) + print("sssd_secrets failed to start") + sys.exit(99) + else: + sock_path = os.path.join(config.RUNSTATEDIR, "secrets.socket") + sck = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + for _ in range(1, 100): + try: + sck.connect(sock_path) + except: + time.sleep(0.1) + else: + break + sck.close() + + assert os.path.exists(sock_path) + + def unlink_secdb(): + for secdb_file in os.listdir(config.SECDB_PATH): + os.unlink(config.SECDB_PATH + "/" + secdb_file) + + def sec_teardown(): + if teardown is False: + unlink_secdb() + return + + if secpid == 0: + return + + os.kill(secpid, signal.SIGTERM) + unlink_secdb() + + request.addfinalizer(sec_teardown) + return secpid + + +def generate_sec_config(): + return unindent("""\ + [sssd] + domains = local + services = nss + + [domain/local] + id_provider = local + + [secrets] + max_secrets = 10 + max_payload_size = 2 + """) + + +@pytest.fixture +def setup_for_secrets(request): + """ + Just set up the local provider for tests and enable the secrets + responder + """ + conf = generate_sec_config() + + create_conf_fixture(request, conf) + return create_sssd_secrets_fixture(request) + + +def get_secrets_socket(): + return os.path.join(config.RUNSTATEDIR, "secrets.socket") + + +@pytest.fixture +def secrets_cli(request): + sock_path = get_secrets_socket() + cli = SecretsLocalClient(sock_path=sock_path) + return cli + + +@pytest.fixture +def curlwrap_tool(request): + curlwrap_path = os.path.join(config.ABS_BUILDDIR, + "..", "..", "..", "tcurl-test-tool") + if os.access(curlwrap_path, os.X_OK): + return curlwrap_path + + return None + + +def test_crd_ops(setup_for_secrets, secrets_cli): + """ + Test that the basic Create, Retrieve, Delete operations work + """ + cli = secrets_cli + + # Listing a totally empty database yields a 404 error, no secrets are there + with 
pytest.raises(HTTPError) as err404: + secrets = cli.list_secrets() + assert str(err404.value).startswith("404") + + # Set some value, should succeed + cli.set_secret("foo", "bar") + + fooval = cli.get_secret("foo") + assert fooval == "bar" + + # Listing secrets should work now as well + secrets = cli.list_secrets() + assert len(secrets) == 1 + assert "foo" in secrets + + # Overwriting a secret is an error + with pytest.raises(HTTPError) as err409: + cli.set_secret("foo", "baz") + assert str(err409.value).startswith("409") + + # Delete a secret + cli.del_secret("foo") + with pytest.raises(HTTPError) as err404: + fooval = cli.get_secret("foo") + assert str(err404.value).startswith("404") + + # Delete a non-existent secret must yield a 404 + with pytest.raises(HTTPError) as err404: + cli.del_secret("foo") + assert str(err404.value).startswith("404") + + +def run_curlwrap_tool(args, exp_http_code): + cmd = subprocess.Popen(args, + stdin=subprocess.PIPE, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + out, _ = cmd.communicate() + + assert cmd.returncode == 0 + + out = out.decode('utf-8') + exp_http_code_str = "Request HTTP code: %d" % exp_http_code + assert exp_http_code_str in out + + return out + + +def test_curlwrap_crd_ops(setup_for_secrets, + curlwrap_tool): + """ + Test that the basic Create, Retrieve, Delete operations work using our + tevent libcurl code + """ + if not curlwrap_tool: + pytest.skip("The tcurl tool is not available, skipping test") + sock_path = get_secrets_socket() + + # listing an empty DB yields a 404 + run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/'], + 404) + + # listing a non-existent secret yields a 404 + run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/foo'], + 404) + + # set a secret foo:bar + run_curlwrap_tool([curlwrap_tool, '-p', + '-v', '-s', sock_path, + 'http://localhost/secrets/foo', + 'bar'], + 200) + + # list secrets + output = 
run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/'], + 200) + assert "foo" in output + + # get the foo secret + output = run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/foo'], + 200) + assert "bar" in output + + # Overwriting a secret is an error + run_curlwrap_tool([curlwrap_tool, '-p', + '-v', '-s', sock_path, + 'http://localhost/secrets/foo', + 'baz'], + 409) + + # Delete a secret + run_curlwrap_tool([curlwrap_tool, '-d', + '-v', '-s', sock_path, + 'http://localhost/secrets/foo'], + 200) + + # Delete a non-existent secret must yield a 404 + run_curlwrap_tool([curlwrap_tool, '-d', + '-v', '-s', sock_path, + 'http://localhost/secrets/foo'], + 404) + + # Create a container + run_curlwrap_tool([curlwrap_tool, '-o', + '-v', '-s', sock_path, + 'http://localhost/secrets/cont/'], + 200) + + # set a secret foo:bar + run_curlwrap_tool([curlwrap_tool, '-p', + '-v', '-s', sock_path, + 'http://localhost/secrets/cont/cfoo', + 'foo_under_cont'], + 200) + + # list secrets + output = run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/cont/'], + 200) + assert "cfoo" in output + + # get the foo secret + output = run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/cont/cfoo'], + 200) + assert "foo_under_cont" in output + + +def test_curlwrap_parallel(setup_for_secrets, + curlwrap_tool): + """ + The tevent libcurl wrapper is meant to be non-blocking. Test + its operation in parallel. 
+ """ + if not curlwrap_tool: + pytest.skip("The tcurl tool is not available, skipping test") + sock_path = get_secrets_socket() + + secrets = dict() + nsecrets = 10 + + for i in range(0, nsecrets): + secrets["key" + str(i)] = "value" + str(i) + + args = [curlwrap_tool, '-p', '-v', '-s', sock_path] + for skey, svalue in secrets.items(): + args.extend(['http://localhost/secrets/%s' % skey, svalue]) + run_curlwrap_tool(args, 200) + + output = run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/'], + 200) + for skey in secrets: + assert skey in output + + args = [curlwrap_tool, '-g', '-v', '-s', sock_path] + for skey in secrets: + args.extend(['http://localhost/secrets/%s' % skey]) + output = run_curlwrap_tool(args, 200) + + for svalue in secrets.values(): + assert svalue in output + + args = [curlwrap_tool, '-d', '-v', '-s', sock_path] + for skey in secrets: + args.extend(['http://localhost/secrets/%s' % skey]) + output = run_curlwrap_tool(args, 200) + + run_curlwrap_tool([curlwrap_tool, + '-v', '-s', sock_path, + 'http://localhost/secrets/'], + 404) + + +def test_containers(setup_for_secrets, secrets_cli): + """ + Test that storing secrets inside containers works + """ + cli = secrets_cli + + # No trailing slash, no game.. 
+ with pytest.raises(HTTPError) as err400: + cli.create_container("mycontainer") + assert str(err400.value).startswith("400") + + cli.create_container("mycontainer/") + cli.set_secret("mycontainer/foo", "containedfooval") + assert cli.get_secret("mycontainer/foo") == "containedfooval" + + # Removing a non-empty container should not succeed + with pytest.raises(HTTPError) as err409: + cli.del_secret("mycontainer/") + assert str(err409.value).startswith("409") + + # Try removing the secret first, then the container + cli.del_secret("mycontainer/foo") + cli.del_secret("mycontainer/") + + # Don't allow creating a container after reaching the max nested level + DEFAULT_CONTAINERS_NEST_LEVEL = 4 + container = "mycontainer" + for x in range(DEFAULT_CONTAINERS_NEST_LEVEL): + container += "%s/" % str(x) + cli.create_container(container) + + container += "%s/" % str(DEFAULT_CONTAINERS_NEST_LEVEL) + with pytest.raises(HTTPError) as err406: + cli.create_container(container) + assert str(err406.value).startswith("406") + + +def get_fds(pid): + procpath = os.path.join("/proc/", str(pid), "fd") + return os.listdir(procpath) + + +@pytest.fixture +def setup_for_cli_timeout_test(request): + """ + Same as the generic setup, except a short client_idle_timeout so that + the test_cli_idle_timeout() test closes the fd towards the client. 
+ """ + conf = generate_sec_config() + \ + unindent(""" + client_idle_timeout = 10 + """).format() + + create_conf_fixture(request, conf) + return create_sssd_secrets_fixture(request) + + +def test_cli_idle_timeout(setup_for_cli_timeout_test): + """ + Test that idle file descriptors are reaped after the idle timeout + passes + """ + secpid = setup_for_cli_timeout_test + sock_path = get_secrets_socket() + + nfds_pre = get_fds(secpid) + + sock = socket.socket(family=socket.AF_UNIX) + sock.connect(sock_path) + time.sleep(1) + nfds_conn = get_fds(secpid) + if len(nfds_pre) + 1 < len(nfds_conn): + raise Exception("FD difference %s\n", set(nfds_pre) - set(nfds_conn)) + # With the idle timeout set to 10 seconds, we need to sleep at least 15, + # because the internal timer ticks every timeout/2 seconds, so it would + # tick at 5, 10 and 15 seconds and the client timeout check uses a + # greater-than comparison, so the 10-seconds tick wouldn't yet trigger + # disconnect + time.sleep(15) + + nfds_post = get_fds(secpid) + if len(nfds_pre) != len(nfds_post): + raise Exception("FD difference %s\n", set(nfds_pre) - set(nfds_post)) + + +def run_quota_test(cli, max_secrets, max_payload_size): + sec_value = "value" + for x in range(max_secrets): + cli.set_secret(str(x), sec_value) + + with pytest.raises(HTTPError) as err507: + cli.set_secret(str(max_secrets), sec_value) + assert str(err507.value).startswith("507") + + # Delete all stored secrets used for max secrets tests + for x in range(max_secrets): + cli.del_secret(str(x)) + + # Don't allow storing a secrets which has a payload larger + # than max_payload_size + KILOBYTE = 1024 + kb_payload_size = max_payload_size * KILOBYTE + + sec_value = "x" * kb_payload_size + + cli.set_secret("foo", sec_value) + + sec_value += "x" + with pytest.raises(HTTPError) as err413: + cli.set_secret("bar", sec_value) + assert str(err413.value).startswith("413") + + +@pytest.fixture +def setup_for_global_quota(request): + conf = unindent("""\ + 
[sssd] + domains = local + services = nss + + [domain/local] + id_provider = local + + [secrets] + max_secrets = 10 + max_payload_size = 2 + """).format(**locals()) + + create_conf_fixture(request, conf) + create_sssd_secrets_fixture(request) + return None + + +def test_global_quota(setup_for_global_quota, secrets_cli): + """ + Test that the deprecated configuration of quotas in the global + secrets section is still supported + """ + cli = secrets_cli + + # Don't allow storing more secrets after reaching the max + # number of entries. + run_quota_test(cli, 10, 2) + + +@pytest.fixture +def setup_for_secrets_quota(request): + conf = unindent("""\ + [sssd] + domains = local + services = nss + + [domain/local] + id_provider = local + + [secrets] + max_secrets = 5 + max_payload_size = 1 + + [secrets/secrets] + max_secrets = 10 + max_payload_size = 2 + """).format(**locals()) + + create_conf_fixture(request, conf) + create_sssd_secrets_fixture(request) + return None + + +def test_sec_quota(setup_for_secrets_quota, secrets_cli): + """ + Test that the new secrets/secrets section takes precedence. + """ + cli = secrets_cli + + # Don't allow storing more secrets after reaching the max + # number of entries. + run_quota_test(cli, 10, 2) + + +@pytest.fixture +def setup_for_uid_limit(request): + conf = unindent("""\ + [sssd] + domains = local + services = nss + + [domain/local] + id_provider = local + + [secrets] + + [secrets/secrets] + max_secrets = 10 + max_uid_secrets = 5 + """).format(**locals()) + + create_conf_fixture(request, conf) + create_sssd_secrets_fixture(request) + return None + + +def test_per_uid_limit(setup_for_uid_limit, secrets_cli): + """ + Test that per-UID limits are enforced even if the global limit would still + allow to store more secrets + """ + cli = secrets_cli + + # Don't allow storing more secrets after reaching the max + # number of entries. 
+ MAX_UID_SECRETS = 5 + + sec_value = "value" + for i in range(MAX_UID_SECRETS): + cli.set_secret(str(i), sec_value) + + with pytest.raises(HTTPError) as err507: + cli.set_secret(str(MAX_UID_SECRETS), sec_value) + assert str(err507.value).startswith("507") + + # FIXME - at this point, it would be nice to test that another UID can + # still store secrets, but sadly socket_wrapper doesn't allow us to fake + # UIDs yet + + +@pytest.fixture +def setup_for_unlimited_quotas(request): + conf = unindent("""\ + [sssd] + domains = local + services = nss + + [domain/local] + id_provider = local + + [secrets] + debug_level = 10 + + [secrets/secrets] + max_secrets = 0 + max_uid_secrets = 0 + max_payload_size = 0 + containers_nest_level = 0 + """).format(**locals()) + + create_conf_fixture(request, conf) + create_sssd_secrets_fixture(request) + return None + + +def test_unlimited_quotas(setup_for_unlimited_quotas, secrets_cli): + """ + Test that setting quotas to zero disabled any checks and lets + store whatever. + """ + cli = secrets_cli + + # test much larger amount of secrets that we allow by default + sec_value = "value" + for i in range(2048): + cli.set_secret(str(i), sec_value) + + # test a much larger secret size than the default one + KILOBYTE = 1024 + payload_size = 32 * KILOBYTE + + sec_value = "x" * payload_size + cli.set_secret("foo", sec_value) + + fooval = cli.get_secret("foo") + assert fooval == sec_value + + # test a deep secret nesting structure + DEFAULT_CONTAINERS_NEST_LEVEL = 128 + container = "mycontainer" + for i in range(DEFAULT_CONTAINERS_NEST_LEVEL): + container += "%s/" % str(i) + cli.create_container(container) + + +@pytest.fixture +def setup_for_resp_timeout_test(request): + """ + Same as the generic setup, except a short responder_idle_timeout + so that the test_responder_idle_timeout() test verifies that the + responder has been shot down. 
+ """ + conf = generate_sec_config() + \ + unindent(""" + responder_idle_timeout = 60 + """).format() + + create_conf_fixture(request, conf) + return create_sssd_secrets_fixture(request, False) + + +@pytest.mark.slow +def test_resp_idle_timeout_shutdown_slow(setup_for_resp_timeout_test): + """ + Test that the responder is shutdown after the respoder_idle_timeout is + over + """ + secpid = setup_for_resp_timeout_test + p = psutil.Process(secpid) + + # With the responder_idle_timeout set to 60 seconds, we need to wait at + # least 90, because the internal timer ticks every timeout/2 seconds, so + # so it would tick at 30, 60 and 90 seconds and the responder_idle_timeout + # uses a greater-than comparison, so the 60-seconds tick wouldn't yet + # trigger the process' shutdown. + # 100s has been chosen in order to take a safer path when running our CI + # tests. + p.wait(timeout=100) + assert p.is_running() is False + + +@pytest.mark.slow +def test_resp_idle_timeout_postpone_shutdown_slow(setup_for_resp_timeout_test, + secrets_cli): + """ + Test that the responder's shutdown is postponed in case an activity + happens, but it's still shutdown after the responder_idle_timeout is + over + """ + cli = secrets_cli + + secpid = setup_for_resp_timeout_test + p = psutil.Process(secpid) + + # Wait for 65 seconds and then fire a request to the responder, so its + # last_request_time gets updated and the process doesn't get shutdown. + time.sleep(65) + cli.set_secret("foo", "bar") + try: + # Wait for the process to finish for more 25 seconds, which is the + # time it'd be shutdown in case the last_request_time is not updated. + p.wait(timeout=25) + except psutil.TimeoutExpired: + # In case the timeout expired, we're fine, it just means that the + # last_request_time has been updated properly. + pass + + # Assert that the process is still running after the 60s idle timeout has + # expired but some activity happened (thus,the last_request_time has been + # updated). 
+ assert p.is_running() is True + + # Wait at least 60s in order to be sure that the process actually is + # shutdown when it should be. + # 70s has been chosen in order to take a safer path when running our CI + # tests. + p.wait(timeout=70) + assert p.is_running() is False diff --git a/src/tests/intg/test_session_recording.py b/src/tests/intg/test_session_recording.py new file mode 100644 index 0000000..0ed824f --- /dev/null +++ b/src/tests/intg/test_session_recording.py 
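Review bot: In create_sssd_secrets_fixture the child calls `os.execv(resp_path, ("--uid=0", "--gid=0"))`, but the first element of the argument sequence becomes argv[0], so `--uid=0` is consumed as the program name and the responder only parses `--gid=0`. Pass the path first: `os.execv(resp_path, (resp_path, "--uid=0", "--gid=0"))`. os.execv also raises OSError on failure instead of returning, so the `print`/`sys.exit(99)` lines after it never run and a failed exec leaves a forked copy of the pytest process unwinding through the test. Wrapping the call in `try`/`except OSError` and leaving the child with `os._exit(99)` would keep that failure contained in the child.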
@@ -0,0 +1,1001 @@ +# +# Session Recording tests +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import stat +import ent +import config +import signal +import subprocess +import time +import ldap +import pytest +import ds_openldap +import ldap_ent +from util import * + +LDAP_BASE_DN = "dc=example,dc=com" +INTERACTIVE_TIMEOUT = 4 + + +def stop_sssd(): + """Stop sssd""" + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def start_sssd(): + """Start sssd""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def restart_sssd(): + """Restart sssd""" + stop_sssd() + start_sssd() + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP 
entries from ent_list""" + if ent_list is not None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307 = "rfc2307" +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """ + Format a basic SSSD configuration. + + The files domain is defined but not enabled in order to avoid enumerating + users from the files domain that would otherwise by implicitly enabled. 
+ """ + schema_conf = "ldap_schema = " + schema + "\n" + if schema == SCHEMA_RFC2307_BIS: + schema_conf += "ldap_group_object_class = groupOfNames\n" + return unindent("""\ + [sssd] + debug_level = 0xffff + domains = LDAP + services = nss, pam + + [nss] + debug_level = 0xffff + memcache_timeout = 0 + + [pam] + debug_level = 0xffff + + [domain/files] + id_provider = files + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + debug_level = 0xffff + enumerate = true + {schema_conf} + id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it. 
+ """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +@pytest.fixture +def users_and_groups(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001, loginShell="/bin/sh1") + ent_list.add_user("user2", 1002, 2002, loginShell="/bin/sh2") + ent_list.add_user("user3", 1003, 2003, loginShell="/bin/sh3") + # User without primary group + ent_list.add_user("user4", 1004, 2004, loginShell="/bin/sh4") + ent_list.add_group("group1", 2001) + ent_list.add_group("group2", 2002) + ent_list.add_group("group3", 2003) + ent_list.add_group("empty_group", 2010) + ent_list.add_group("one_user_group", 2011, ["user1"]) + ent_list.add_group("two_user_group", 2012, ["user1", "user2"]) + ent_list.add_group("three_user_group", 2013, ["user1", "user2", "user3"]) + # Supplementary group for a user without primary group + ent_list.add_group("groupless_user_group", 2014, ["user4"]) + create_ldap_fixture(request, ldap_conn, ent_list) + + +@pytest.fixture +def none(request, ldap_conn, users_and_groups): 
+ """ + Fixture with scope "none". + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = none + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_none(none): + """Test "none" scope""" + ent.assert_passwd( + ent.contains_only( + dict(name="user1", uid=1001, shell="/bin/sh1"), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def all(request, ldap_conn, users_and_groups): + """ + Fixture with scope "all". + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = all + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_all_nam(all): + """Test "all" scope with getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, + shell=config.SESSION_RECORDING_SHELL), + )) + + +def test_all_uid(all): + """Test "all" scope with getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + 1003: dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + 1004: dict(name="user4", uid=1004, + shell=config.SESSION_RECORDING_SHELL), + }) + + +def test_all_ent(all): + """Test "all" scope with getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, 
shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + ) + ) + + +@pytest.fixture +def some_empty(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", but no users or groups listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_empty(some_empty): + """Test "some" scope with no users or groups""" + ent.assert_passwd( + ent.contains_only( + dict(name="user1", uid=1001, shell="/bin/sh1"), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_users(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", and some users listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + users = user1, user2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_users_nam(some_users): + """Test "some" scope with user list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_users_uid(some_users): + """Test "some" scope with user list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + 
+def test_some_users_ent(some_users): + """Test "some" scope with user list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_users_overridden(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two users with + overridden names, but one listed with the original name. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + users = overridden_user1, user2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "user-add", "user1", + "-n", "overridden_user1"]) + subprocess.check_call(["sss_override", "user-add", "user2", + "-n", "overridden_user2"]) + restart_sssd() + + +def test_some_users_overridden_nam(some_users_overridden): + """ + Test "some" scope with user list containing some + overridden users, requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + overridden_user1=dict(name="overridden_user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + overridden_user2=dict(name="overridden_user2", uid=1002, + shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_users_overridden_uid(some_users_overridden): + """ + Test "some" scope with user list containing some + overridden users, requested with getpwuid. 
+ """ + ent.assert_each_passwd_by_uid({ + 1001: dict(name="overridden_user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="overridden_user2", uid=1002, + shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_users_overridden_ent(some_users_overridden): + """ + Test "some" scope with user list containing some + overridden users, requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="overridden_user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + dict(name="overridden_user2", uid=1002, + shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups1(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying a single-user supplementary group, + and a two-user supplementary group intersecting with the first one. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = one_user_group, two_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +@pytest.fixture +def some_groups2(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying a three-user supplementary group. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = three_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +@pytest.fixture +def some_groups3(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying a group with a user with + non-existent primary group. 
+ """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = groupless_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +@pytest.fixture +def some_groups4(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two primary groups. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = group1, group3 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_groups1_nam(some_groups1): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups1_uid(some_groups1): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups1_ent(some_groups1): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +def test_some_groups2_nam(some_groups2): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + 
user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + user3=dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups2_uid(some_groups2): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, + shell=config.SESSION_RECORDING_SHELL), + 1003: dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups2_ent(some_groups2): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell=config.SESSION_RECORDING_SHELL), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +def test_some_groups3_nam(some_groups3): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, shell="/bin/sh1"), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, + shell=config.SESSION_RECORDING_SHELL), + )) + + +def test_some_groups3_uid(some_groups3): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, shell="/bin/sh1"), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, + shell=config.SESSION_RECORDING_SHELL), + }) + + +def test_some_groups3_ent(some_groups3): + """Test "some" scope with group 
list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell="/bin/sh1"), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell=config.SESSION_RECORDING_SHELL), + ) + ) + + +def test_some_groups4_nam(some_groups4): + """Test "some" scope with group list and getpwnam""" + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups4_uid(some_groups4): + """Test "some" scope with group list and getpwuid""" + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups4_ent(some_groups4): + """Test "some" scope with group list and getpwent""" + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden1(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two primary groups with + overridden names, but one listed with the original name. 
+ """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = overridden_group1, group2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "group-add", "group1", + "-n", "overridden_group1"]) + subprocess.check_call(["sss_override", "group-add", "group2", + "-n", "overridden_group2"]) + restart_sssd() + + +def test_some_groups_overridden1_nam(some_groups_overridden1): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden1_uid(some_groups_overridden1): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden1_ent(some_groups_overridden1): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwent. 
+ """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden2(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", specifying two supplementary groups with + overridden names, but one listed with the original name. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = one_user_group_overridden, two_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "group-add", "one_user_group", + "-n", "one_user_group_overridden"]) + subprocess.check_call(["sss_override", "group-add", "two_user_group", + "-n", "two_user_group_overridden"]) + restart_sssd() + + +def test_some_groups_overridden2_nam(some_groups_overridden2): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden2_uid(some_groups_overridden2): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwuid. 
+ """ + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden2_ent(some_groups_overridden2): + """ + Test "some" scope with group list containing some + overridden groups, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden3(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", having two primary groups with + IDs swapped via overriding, but only one of them listed. + """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = group2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "group-add", "group1", + "-g", "2002"]) + subprocess.check_call(["sss_override", "group-add", "group2", + "-g", "2001"]) + restart_sssd() + + +def test_some_groups_overridden3_nam(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwnam. 
+ """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden3_uid(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden3_ent(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_groups_overridden4(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", two users with GIDs swapped via overridding, + and one of their primary groups listed. 
+ """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + groups = group2 + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + subprocess.check_call(["sss_override", "user-add", "user1", + "-g", "2002"]) + subprocess.check_call(["sss_override", "user-add", "user2", + "-g", "2001"]) + restart_sssd() + + +def test_some_groups_overridden4_nam(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, shell="/bin/sh3"), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_groups_overridden4_uid(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, shell="/bin/sh3"), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_groups_overridden4_ent(some_groups_overridden3): + """ + Test "some" scope with group list containing some + overridden group, and users requested with getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell="/bin/sh3"), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) + + +@pytest.fixture +def some_users_and_groups(request, ldap_conn, users_and_groups): + """ + Fixture with scope "some", listing some users and groups. 
+ """ + conf = \ + format_basic_conf(ldap_conn, SCHEMA_RFC2307) + \ + unindent("""\ + [session_recording] + scope = some + users = user3 + groups = one_user_group + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + + +def test_some_users_and_groups_nam(some_users_and_groups): + """ + Test "some" scope with user and group lists and getpwnam. + """ + ent.assert_each_passwd_by_name(dict( + user1=dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + user2=dict(name="user2", uid=1002, shell="/bin/sh2"), + user3=dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + user4=dict(name="user4", uid=1004, shell="/bin/sh4"), + )) + + +def test_some_users_and_groups_uid(some_users_and_groups): + """ + Test "some" scope with user and group lists and getpwuid. + """ + ent.assert_each_passwd_by_uid({ + 1001: dict(name="user1", uid=1001, + shell=config.SESSION_RECORDING_SHELL), + 1002: dict(name="user2", uid=1002, shell="/bin/sh2"), + 1003: dict(name="user3", uid=1003, + shell=config.SESSION_RECORDING_SHELL), + 1004: dict(name="user4", uid=1004, shell="/bin/sh4"), + }) + + +def test_some_users_and_groups_ent(some_users_and_groups): + """ + Test "some" scope with user and group lists and getpwent. + """ + ent.assert_passwd_list( + ent.contains_only( + dict(name="user1", uid=1001, shell=config.SESSION_RECORDING_SHELL), + dict(name="user2", uid=1002, shell="/bin/sh2"), + dict(name="user3", uid=1003, shell=config.SESSION_RECORDING_SHELL), + dict(name="user4", uid=1004, shell="/bin/sh4"), + ) + ) diff --git a/src/tests/intg/test_ssh_pubkey.py b/src/tests/intg/test_ssh_pubkey.py new file mode 100644 index 0000000..8fb41c6 --- /dev/null +++ b/src/tests/intg/test_ssh_pubkey.py 
@@ -0,0 +1,290 @@ +# +# ssh public key integration test +# +# Copyright (c) 2018 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import stat +import signal +import subprocess +import time +import ldap +import ldap.modlist +import pytest +import string +import random + +import config +import ds_openldap +import ent +import ldap_ent +from util import unindent, get_call_output + +LDAP_BASE_DN = "dc=example,dc=com" + +USER1_PUBKEY1 = "ssh-dss AAAAB3NzaC1kc3MAAACBAPMkvcU53RVhBtjwiC3IqeRIWR9Qwdv8\ +DmZzEsDD3Csd6jYxMsPZoXcPrHqwYcEj1s5MVqhdSFS0Cjz13e7gO6OMLInO3xMBSSFHjfp9RE1H\ +pgc4WisazzyJaW9EMkQo/DqvkFkKh31oqAmxcSbLAFJRg4TTIqm18qu8IRKS6m/RAAAAFQC97TA5\ +JSsMsaX1bRszC7y4PhMBvQAAAIEAt9Yo9v/h9W4nDbzUdkGwNRszlPEK+T12bJv0O9Fk6subD3Do\ +6A4Qru/Nr6voXoq8b018Wb7iFWvKOoz5uT/plWBKLXL2NN7ovTR+dUJIzvwurQZroukmU1EghNey\ +lkSHmDlxSoMK6Nh21uGu6l+b6x5pXNaZHMpsywG4kY8SoC0AAACAAWLHneEGvqkYA8La4Eob+Hjj\ +mAKilx8byxm3Kfb1XO+ZrR6XxadofZOaUYRMpPKgFjKAKPxJftPLiDjWM7lSe6h8df0dUMLVXt6m\ +eA83kE0uK5JOOGJfJDqmRed2YnfxUDNNFQGT4xFWGrNtYNbGyw9BWKbkooAsLqaO04zP3Rs= \ +user1@LDAP" + +USER1_PUBKEY2 = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwHUUF3HPH+DkU6j8k7Q1wHG\ +RJY9NeLqSav3h95mTSCQYPSC7I9RTJ4OORgqCbEzrP/DYrrn4TtQ9dhRJar3ZY+F36SH5yFIXORb\ +lAIbFU+/anahBuFS9vHi1MqFPckGmwJ4QCpjQhdYxo1ro0e1RuGSaQNp/w9N6S/fDz4Cj4I99xDz\ +SeQeGHxYv0e60plQ8dUajmnaGmYRJHF9a6Ban7IWySActCja7eQP2zIRXEZMpuhl1E0U4y+gHTFI\ +gD3zQai3QrXm8RUrQURIJ0u6BlGS910OPbHqLpLTFWG08L8sNUcYzC+DY6yoCSO0n/Df3pVRS4C9\ 
+5Krf3FqppMTjdfQ== user1@LDAP" + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(ds_inst.teardown) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(ldap_conn.unbind_s) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP entries from ent_list""" + if ent_list is not None: + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """Format a basic SSSD configuration""" + schema_conf = "ldap_schema = " + schema + "\n" + schema_conf += "ldap_group_object_class = groupOfNames\n" + return unindent("""\ + [sssd] + domains = LDAP + services = nss, ssh + + [nss] + + [ssh] + debug_level=10 + + [domain/LDAP] + {schema_conf} + 
id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_sudo_use_host_filter = false + debug_level=10 + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def get_sssd_pid(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + return pid + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid = get_sssd_pid() + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +@pytest.fixture +def add_user_with_ssh_key(request, ldap_conn): + ent_list = 
ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001, + sshPubKey=(USER1_PUBKEY1, USER1_PUBKEY2)) + ent_list.add_user("user2", 1002, 2001) + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ssh_pubkey_retrieve(add_user_with_ssh_key): + """ + Test that we can retrieve an SSH public key for a user who has one + and can't retrieve a key for a user who does not have one. + """ + sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user1"]) + assert sshpubkey == USER1_PUBKEY1 + '\n' + USER1_PUBKEY2 + '\n' + + sshpubkey = get_call_output(["sss_ssh_authorizedkeys", "user2"]) + assert len(sshpubkey) == 0 + + +@pytest.fixture() +def sighup_client(request): + test_ssh_cli_path = os.path.join(config.ABS_BUILDDIR, + "..", "..", "..", "test_ssh_client") + assert os.access(test_ssh_cli_path, os.X_OK) + return test_ssh_cli_path + + +@pytest.fixture +def add_user_with_many_keys(request, ldap_conn): + # Generate a large list of unique ssh pubkeys + pubkey_list = [] + while len(pubkey_list) < 50: + new_pubkey = list(USER1_PUBKEY1) + new_pubkey[10] = random.choice(string.ascii_uppercase) + new_pubkey[11] = random.choice(string.ascii_uppercase) + new_pubkey[12] = random.choice(string.ascii_uppercase) + str_new_pubkey = ''.join(c for c in new_pubkey) + if str_new_pubkey in pubkey_list: + continue + pubkey_list.append(str_new_pubkey) + + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001, sshPubKey=pubkey_list) + create_ldap_fixture(request, ldap_conn, ent_list) + + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_ssh_sighup(add_user_with_many_keys, sighup_client): + """ + A regression test for https://pagure.io/SSSD/sssd/issue/3747 + + OpenSSH can close its 
end of the pipe towards sss_ssh_authorizedkeys + before all of the output is read. In that case, older versions + of sss_ssh_authorizedkeys were receiving a SIGPIPE + """ + cli_path = sighup_client + + # python actually does the sensible, but unexpected (for a C programmer) + # thing and handles SIGPIPE. In order to reproduce the bug, we need + # to unset the SIGPIPE handler + signal.signal(signal.SIGPIPE, signal.SIG_DFL) + + process = subprocess.Popen([cli_path, "user1"], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE) + _, _ = process.communicate() + # If the test tool detects that sss_ssh_authorizedkeys was killed with a + # signal, it would have returned 1 + assert process.returncode == 0 diff --git a/src/tests/intg/test_sssctl.py b/src/tests/intg/test_sssctl.py new file mode 100644 index 0000000..e8861dd --- /dev/null +++ b/src/tests/intg/test_sssctl.py 
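Review bot: In `test_ssh_sighup`, `signal.signal(signal.SIGPIPE, signal.SIG_DFL)` changes the disposition for the whole pytest process and is never undone, so every test that runs later in the same process inherits default SIGPIPE handling and can be killed by a write to a closed pipe instead of getting an exception. Keep the previous handler and put it back once the child has finished: `old_handler = signal.signal(signal.SIGPIPE, signal.SIG_DFL)` before the `Popen`, and `signal.signal(signal.SIGPIPE, old_handler)` in a `finally:` around `process.communicate()`. The existing comment explains why the default disposition is needed; it should also say that the change is scoped to this one child process.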
@@ -0,0 +1,381 @@ +# +# sssctl tool integration test +# +# Copyright (c) 2016 Red Hat, Inc. +# Author: Michal Zidek +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +import os +import ent +import grp +import pwd +import subprocess +import pytest +import stat +import time +import signal +import ds_openldap +import ldap_ent +import config +from util import unindent, get_call_output +import sssd_netgroup + +LDAP_BASE_DN = "dc=example,dc=com" + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123") + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_fixture(request, ldap_conn, ent_list): + """Add LDAP entries and add teardown for removing them""" + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + def teardown(): + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + request.addfinalizer(teardown) + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + 
os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def stop_sssd(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def create_sssd_fixture(request): + """Start sssd and add teardown for stopping it and removing state""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +@pytest.fixture +def portable_LC_ALL(request): + os.environ["LC_ALL"] = "C" + return None + + +def load_data_to_ldap(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("CamelCaseUser1", 1002, 2002) + + ent_list.add_group("group1", 2001, ["user1"]) + ent_list.add_group("CamelCaseGroup1", 2002, ["CamelCaseUser1"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + + +@pytest.fixture +def sanity_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_netgroup_search_base = ou=Netgroups,{ldap_conn.ds_inst.base_dn} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def fqname_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] 
+ domains = LDAP + services = nss + + [nss] + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + use_fully_qualified_names = true + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def fqname_case_insensitive_rfc2307(request, ldap_conn): + load_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + + [domain/LDAP] + ldap_auth_disable_tls_never_use_in_production = true + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + use_fully_qualified_names = true + case_sensitive = false + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_user_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL): + # Fill the cache first + ent.assert_passwd_by_name( + 'user1', + dict(name='user1', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_name( + 'CamelCaseUser1', + dict(name='CamelCaseUser1', passwd='*', uid=1002, gid=2002, + gecos='1002', shell='/bin/bash')) + + output = get_call_output(["sssctl", "user-show", "user1"]) + assert output.find("Name: user1") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "user-show", + "CamelCaseUser1"]) + assert output.find("Name: CamelCaseUser1") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = 
get_call_output(["sssctl", "user-show", "camelcaseuser1"]) + assert output.find("User camelcaseuser1 is not present in cache.") != -1 + + +def test_user_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL): + # Fill the cache first + ent.assert_passwd_by_name( + 'user1@LDAP', + dict(name='user1@LDAP', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_name( + 'CamelCaseUser1@LDAP', + dict(name='CamelCaseUser1@LDAP', passwd='*', uid=1002, gid=2002, + gecos='1002', shell='/bin/bash')) + + output = get_call_output(["sssctl", "user-show", "user1@LDAP"]) + assert output.find("Name: user1@LDAP") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "user-show", "CamelCaseUser1@LDAP"]) + assert output.find("Name: CamelCaseUser1@LDAP") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "user-show", "camelcaseuser1@LDAP"]) + assert output.find("User camelcaseuser1 is not present in cache.") != -1 + + +def test_user_show_basic_fqname_insensitive(ldap_conn, + fqname_case_insensitive_rfc2307, + portable_LC_ALL): + # Fill the cache first + ent.assert_passwd_by_name( + 'user1@LDAP', + dict(name='user1@LDAP', passwd='*', uid=1001, gid=2001, + gecos='1001', shell='/bin/bash')) + ent.assert_passwd_by_name( + 'CamelCaseUser1@LDAP', + dict(name='camelcaseuser1@LDAP', passwd='*', uid=1002, gid=2002, + gecos='1002', shell='/bin/bash')) + + output = get_call_output(["sssctl", "user-show", "user1@LDAP"]) + assert output.find("Name: user1@LDAP") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "user-show", 
"CamelCaseUser1@LDAP"]) + assert output.find("Name: camelcaseuser1@LDAP") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "user-show", "camelcaseuser1@LDAP"]) + assert output.find("Name: camelcaseuser1@LDAP") != -1 + assert output.find("Initgroups expiration time: Initgroups were not yet " + "performed") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + +def test_group_show_basic_sanity(ldap_conn, sanity_rfc2307, portable_LC_ALL): + # Fill the cache first + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1"))) + ent.assert_group_by_name( + "CamelCaseGroup1", + dict(mem=ent.contains_only("CamelCaseUser1"))) + + output = get_call_output(["sssctl", "group-show", "group1"]) + assert output.find("Name: group1") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1"]) + assert output.find("Name: CamelCaseGroup1") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "group-show", "camelcasegroup1"]) + assert output.find("Group camelcasegroup1 is not present in cache.") != -1 + + +def test_group_show_basic_fqname(ldap_conn, fqname_rfc2307, portable_LC_ALL): + # Fill the cache first + ent.assert_group_by_name( + "group1@LDAP", + dict(mem=ent.contains_only("user1@LDAP"))) + ent.assert_group_by_name( + "CamelCaseGroup1@LDAP", + dict(mem=ent.contains_only("CamelCaseUser1@LDAP"))) + + output = get_call_output(["sssctl", "group-show", "group1@LDAP"]) + assert output.find("Name: group1@LDAP") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"]) + assert output.find("Name: CamelCaseGroup1@LDAP") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", 
"group-show", "camelcasegroup1@LDAP"]) + assert output.find("Group camelcasegroup1 is not present in cache.") != -1 + + +def test_group_show_basic_fqname_insensitive(ldap_conn, + fqname_case_insensitive_rfc2307, + portable_LC_ALL): + # Fill the cache first + ent.assert_group_by_name( + "group1@LDAP", + dict(mem=ent.contains_only("user1@LDAP"))) + ent.assert_group_by_name( + "camelcasegroup1@LDAP", + dict(mem=ent.contains_only("camelcaseuser1@LDAP"))) + + output = get_call_output(["sssctl", "group-show", "group1@LDAP"]) + assert output.find("Name: group1@LDAP") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "group-show", "CamelCaseGroup1@LDAP"]) + assert output.find("Name: camelcasegroup1@LDAP") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + output = get_call_output(["sssctl", "group-show", "camelcasegroup1@LDAP"]) + assert output.find("Name: camelcasegroup1@LDAP") != -1 + assert output.find("Cached in InfoPipe: No") != -1 + + +@pytest.fixture +def add_tripled_netgroup(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + + ent_list.add_netgroup("tripled_netgroup", ["(host,user,domain)"]) + + create_ldap_fixture(request, ldap_conn, ent_list) + return None + + +def test_netgroup_show(ldap_conn, + sanity_rfc2307, + portable_LC_ALL, + add_tripled_netgroup): + output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"]) + assert "Name: tripled_netgroup" not in output + + res, _, netgrps = sssd_netgroup.get_sssd_netgroups("tripled_netgroup") + assert res == sssd_netgroup.NssReturnCode.SUCCESS + assert netgrps == [("host", "user", "domain")] + + output = get_call_output(["sssctl", "netgroup-show", "tripled_netgroup"]) + assert "Name: tripled_netgroup" in output diff --git a/src/tests/intg/test_sudo.py b/src/tests/intg/test_sudo.py new file mode 100644 index 0000000..8f3d8be --- /dev/null +++ b/src/tests/intg/test_sudo.py 
@@ -0,0 +1,280 @@ +# +# Sudo integration test +# +# Copyright (c) 2018 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import stat +import signal +import subprocess +import time +import ldap +import pytest +import json + +import config +import ds_openldap +import ldap_ent +from util import unindent, get_call_output + +LDAP_BASE_DN = "dc=example,dc=com" + + +class SudoReplyElement: + def __init__(self, retval, rules): + self.retval = retval + self.rules = rules + + +class SudoReply: + def __init__(self, json_string): + self.jres = json.loads(json_string) + for reply_elem in self.jres: + el = SudoReplyElement(reply_elem['retval'], + reply_elem['result']['rules']) + if reply_elem['type'] == 'default': + self.defaults = el + if reply_elem['type'] == 'rules': + self.sudo_rules = el + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123" + ) + + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(ds_inst.teardown) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(ldap_conn.unbind_s) + return ldap_conn + + +def create_ldap_entries(ldap_conn, ent_list=None): + """Add LDAP entries from ent_list""" + if ent_list is not None: + 
for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + +def cleanup_ldap_entries(ldap_conn, ent_list=None): + """Remove LDAP entries added by create_ldap_entries""" + if ent_list is None: + for ou in ("Users", "Groups", "Netgroups", "Services", "Policies"): + for entry in ldap_conn.search_s("ou=" + ou + "," + + ldap_conn.ds_inst.base_dn, + ldap.SCOPE_ONELEVEL, + attrlist=[]): + ldap_conn.delete_s(entry[0]) + else: + for entry in ent_list: + ldap_conn.delete_s(entry[0]) + + +def create_ldap_cleanup(request, ldap_conn, ent_list=None): + """Add teardown for removing all user/group LDAP entries""" + request.addfinalizer(lambda: cleanup_ldap_entries(ldap_conn, ent_list)) + + +def create_ldap_fixture(request, ldap_conn, ent_list=None): + """Add LDAP entries and add teardown for removing them""" + create_ldap_entries(ldap_conn, ent_list) + create_ldap_cleanup(request, ldap_conn, ent_list) + + +SCHEMA_RFC2307_BIS = "rfc2307bis" + + +def format_basic_conf(ldap_conn, schema): + """Format a basic SSSD configuration""" + schema_conf = "ldap_schema = " + schema + "\n" + schema_conf += "ldap_group_object_class = groupOfNames\n" + return unindent("""\ + [sssd] + domains = LDAP + services = nss, sudo + + [nss] + + [sudo] + debug_level=10 + + [domain/LDAP] + {schema_conf} + id_provider = ldap + auth_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + ldap_sudo_use_host_filter = false + debug_level=10 + """).format(**locals()) + + +def create_conf_file(contents): + """Create sssd.conf with specified contents""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + + +def cleanup_conf_file(): + """Remove sssd.conf, if it exists""" + if os.path.lexists(config.CONF_PATH): + os.unlink(config.CONF_PATH) + + +def create_conf_cleanup(request): + """Add teardown for removing sssd.conf""" + request.addfinalizer(cleanup_conf_file) + + +def 
create_conf_fixture(request, contents): + """ + Create sssd.conf with specified contents and add teardown for removing it + """ + create_conf_file(contents) + create_conf_cleanup(request) + + +def create_sssd_process(): + """Start the SSSD process""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + +def get_sssd_pid(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + return pid + + +def cleanup_sssd_process(): + """Stop the SSSD process and remove its state""" + try: + pid = get_sssd_pid() + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + + +def create_sssd_fixture(request): + """Start SSSD and add teardown for stopping it and removing its state""" + create_sssd_process() + create_sssd_cleanup(request) + + +def create_sssd_cleanup(request): + """Add teardown for stopping SSSD and removing its state""" + request.addfinalizer(cleanup_sssd_process) + + +@pytest.fixture() +def sudocli_tool(request): + sudocli_path = os.path.join(config.ABS_BUILDDIR, + "..", "..", "..", "sss_sudo_cli") + assert os.access(sudocli_path, os.X_OK) + return sudocli_path + + +@pytest.fixture +def add_common_rules(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1001, 2001) + ent_list.add_sudo_rule("user1_allow_less_shadow", + users=("user1",), + hosts=("ALL",), + commands=("/usr/bin/less /etc/shadow", "/bin/ls")) + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_sudo_rule_for_user(add_common_rules, sudocli_tool): + """ + 
Test that user1 is allowed in the rule but user2 is not + """ + user1_rules = get_call_output([sudocli_tool, "user1"]) + reply = SudoReply(user1_rules) + assert len(reply.sudo_rules.rules) == 1 + assert reply.sudo_rules.rules[0]['cn'] == 'user1_allow_less_shadow' + + user2_rules = get_call_output([sudocli_tool, "user2"]) + reply = SudoReply(user2_rules) + assert len(reply.sudo_rules.rules) == 0 + + +@pytest.fixture +def add_double_qualified_rules(request, ldap_conn): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user2", 1002, 2001) + ent_list.add_user("user3", 1003, 2001) + ent_list.add_user("user4", 1004, 2001) + ent_list.add_sudo_rule("user1_allow_less_shadow", + users=("user1", "user2", "user2@LDAP", "user3"), + hosts=("ALL",), + commands=("/usr/bin/less /etc/shadow", "/bin/ls")) + create_ldap_fixture(request, ldap_conn, ent_list) + conf = format_basic_conf(ldap_conn, SCHEMA_RFC2307_BIS) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +def test_sudo_rule_duplicate_sudo_user(add_double_qualified_rules, + sudocli_tool): + """ + Test that despite user1 and user1@LDAP meaning the same user, + the rule is still usable + """ + # Try several users to make sure we don't mangle the list + for u in ["user1", "user2", "user3"]: + user_rules = get_call_output([sudocli_tool, u]) + reply = SudoReply(user_rules) + assert len(reply.sudo_rules.rules) == 1 + assert reply.sudo_rules.rules[0]['cn'] == 'user1_allow_less_shadow' + + user4_rules = get_call_output([sudocli_tool, "user4"]) + reply = SudoReply(user4_rules) + assert len(reply.sudo_rules.rules) == 0 diff --git a/src/tests/intg/test_ts_cache.py b/src/tests/intg/test_ts_cache.py new file mode 100644 index 0000000..c3819e2 --- /dev/null +++ b/src/tests/intg/test_ts_cache.py 
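Review bot: In `add_common_rules`, `user1` and `user2` are both created with 1001 as the second argument to `add_user`, which looks like the uid; the sibling fixture `add_double_qualified_rules` gives user2 1002. `test_sudo_rule_for_user` then asserts that user2 receives no rules, so sharing a uid with the one user the rule allows makes that negative authorization check depend on how two names for one uid are resolved rather than on the sudoUser match alone. I would change the line to `ent_list.add_user("user2", 1002, 2001)`. `ldap_ent.List.add_user` is defined outside this hunk, so the argument order is inferred from the other call sites and from the `uid=1001, gid=2001` assertions elsewhere in the patch.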
@@ -0,0 +1,678 @@ +# +# LDAP integration test - test updating the sysdb and timestamp +# cache +# +# Copyright (c) 2016 Red Hat, Inc. +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import os +import stat +import ent +import grp +import pwd +import config +import signal +import subprocess +import time +import ldap +import pytest +import ds_openldap +import ldap_ent +import sssd_ldb +import sssd_id +from util import unindent + +LDAP_BASE_DN = "dc=example,dc=com" +SSSD_DOMAIN = "LDAP" + +SCHEMA_RFC2307 = "rfc2307" +SCHEMA_RFC2307_BIS = "rfc2307bis" + +TS_ATTRLIST = ("dataExpireTimestamp", "originalModifyTimestamp") + + +@pytest.fixture(scope="module") +def ds_inst(request): + """LDAP server instance fixture""" + ds_inst = ds_openldap.DSOpenLDAP( + config.PREFIX, 10389, LDAP_BASE_DN, + "cn=admin", "Secret123") + try: + ds_inst.setup() + except: + ds_inst.teardown() + raise + request.addfinalizer(lambda: ds_inst.teardown()) + return ds_inst + + +@pytest.fixture(scope="module") +def ldap_conn(request, ds_inst): + """LDAP server connection fixture""" + ldap_conn = ds_inst.bind() + ldap_conn.ds_inst = ds_inst + request.addfinalizer(lambda: ldap_conn.unbind_s()) + return ldap_conn + + +def create_ldap_fixture(request, ldap_conn, ent_list): + """Add LDAP entries and add teardown for removing them""" + for entry in ent_list: + ldap_conn.add_s(entry[0], entry[1]) + + def teardown(): + for entry in ent_list: + try: + ldap_conn.delete_s(entry[0]) + except ldap.NO_SUCH_OBJECT: + # 
if the test already removed an object, it's fine + # to not care in the teardown + pass + request.addfinalizer(teardown) + + +def create_conf_fixture(request, contents): + """Generate sssd.conf and add teardown for removing it""" + conf = open(config.CONF_PATH, "w") + conf.write(contents) + conf.close() + os.chmod(config.CONF_PATH, stat.S_IRUSR | stat.S_IWUSR) + request.addfinalizer(lambda: os.unlink(config.CONF_PATH)) + + +def stop_sssd(): + pid_file = open(config.PIDFILE_PATH, "r") + pid = int(pid_file.read()) + os.kill(pid, signal.SIGTERM) + while True: + try: + os.kill(pid, signal.SIGCONT) + except: + break + time.sleep(1) + + +def create_sssd_fixture(request): + """Start sssd and add teardown for stopping it and removing state""" + if subprocess.call(["sssd", "-D", "-f"]) != 0: + raise Exception("sssd start failed") + + def teardown(): + try: + stop_sssd() + except: + pass + for path in os.listdir(config.DB_PATH): + os.unlink(config.DB_PATH + "/" + path) + for path in os.listdir(config.MCACHE_PATH): + os.unlink(config.MCACHE_PATH + "/" + path) + request.addfinalizer(teardown) + + +def load_data_to_ldap(request, ldap_conn, schema): + ent_list = ldap_ent.List(ldap_conn.ds_inst.base_dn) + ent_list.add_user("user1", 1001, 2001) + ent_list.add_user("user11", 1011, 2001) + ent_list.add_user("user21", 1021, 2001) + + if schema == SCHEMA_RFC2307_BIS: + ent_list.add_group_bis("group1", 2001, ("user1", "user11", "user21")) + elif schema == SCHEMA_RFC2307: + ent_list.add_group("group1", 2001, ("user1", "user11", "user21")) + create_ldap_fixture(request, ldap_conn, ent_list) + + +def load_2307bis_data_to_ldap(request, ldap_conn): + return load_data_to_ldap(request, ldap_conn, SCHEMA_RFC2307_BIS) + + +def load_2307_data_to_ldap(request, ldap_conn): + return load_data_to_ldap(request, ldap_conn, SCHEMA_RFC2307) + + +@pytest.fixture +def setup_rfc2307bis(request, ldap_conn): + load_2307bis_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + 
services = nss + + [nss] + memcache_timeout = 1 + + [domain/LDAP] + ldap_schema = rfc2307bis + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_group_object_class = groupOfNames + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def setup_rfc2307(request, ldap_conn): + load_2307_data_to_ldap(request, ldap_conn) + + conf = unindent("""\ + [sssd] + domains = LDAP + services = nss + + [nss] + memcache_timeout = 1 + + [domain/LDAP] + ldap_schema = rfc2307 + id_provider = ldap + auth_provider = ldap + sudo_provider = ldap + ldap_uri = {ldap_conn.ds_inst.ldap_url} + ldap_search_base = {ldap_conn.ds_inst.base_dn} + """).format(**locals()) + create_conf_fixture(request, conf) + create_sssd_fixture(request) + return None + + +@pytest.fixture +def ldb_examine(request): + ldb_conn = sssd_ldb.SssdLdb('LDAP') + return ldb_conn + + +def invalidate_group(ldb_conn, name): + ldb_conn.invalidate_entry(name, sssd_ldb.TsCacheEntry.group, SSSD_DOMAIN) + + +def invalidate_user(ldb_conn, name): + ldb_conn.invalidate_entry(name, sssd_ldb.TsCacheEntry.user, SSSD_DOMAIN) + + +def get_attrs(ldb_conn, type, name, domain, attr_list): + sysdb_attrs = dict() + ts_attrs = dict() + + for attr in attr_list: + val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.sysdb, + type, name, domain, attr) + if val: + val = val.decode('utf-8') + sysdb_attrs[attr] = val + + val = ldb_conn.get_entry_attr(sssd_ldb.CacheType.timestamps, + type, name, domain, attr) + if val: + val = val.decode('utf-8') + ts_attrs[attr] = val + return (sysdb_attrs, ts_attrs) + + +def get_group_attrs(ldb_conn, name, domain, attr_list): + return get_attrs(ldb_conn, sssd_ldb.TsCacheEntry.group, + name, domain, attr_list) + + +def get_user_attrs(ldb_conn, name, domain, attr_list): + return get_attrs(ldb_conn, sssd_ldb.TsCacheEntry.user, + name, 
domain, attr_list) + + +def assert_same_attrval(adict1, adict2, attr_name): + assert adict1.get(attr_name) is not None and \ + adict1.get(attr_name) == adict2.get(attr_name) + + +def assert_diff_attrval(adict1, adict2, attr_name): + assert adict1.get(attr_name) is not None and \ + adict1.get(attr_name) != adict2.get(attr_name) + + +def prime_cache_group(ldb_conn, name, members): + ent.assert_group_by_name( + name, + dict(mem=ent.contains_only(*members))) + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, name, + SSSD_DOMAIN, TS_ATTRLIST) + assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp") + + # just to force different stamps and make sure memcache is gone + time.sleep(1) + invalidate_group(ldb_conn, name) + + return sysdb_attrs, ts_attrs + + +def prime_cache_user(ldb_conn, name, primary_gid): + # calling initgroups would add the initgExpire timestamp attribute and + # make sure that sss_cache doesn't add it with a value of 1, + # triggering a sysdb update + (res, errno, gids) = sssd_id.call_sssd_initgroups(name, primary_gid) + assert res == sssd_id.NssReturnCode.SUCCESS + + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, name, + SSSD_DOMAIN, TS_ATTRLIST) + assert_same_attrval(sysdb_attrs, ts_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, ts_attrs, "originalModifyTimestamp") + + # just to force different stamps and make sure memcache is gone + time.sleep(1) + invalidate_user(ldb_conn, name) + + return sysdb_attrs, ts_attrs + + +def test_group_2307bis_update_same_modstamp(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that a group update with the same modifyTimestamp does not trigger + sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + 
sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_same_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_group_2307bis_update_same_attrs(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that a group update with a different modifyTimestamp but the same + attrs does not trigger sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + # modify an argument we don't save to the cache. This will bump the + # modifyTimestamp attribute, but the attributes themselves will be the same + # from sssd's point of view + ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_ADD, "description", b"group one")]) + # wait for slapd to change its database + time.sleep(1) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_group_2307bis_update_diff_attrs(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that a group update with different attribute triggers cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + user_dn = "uid=user1,ou=Users," + ldap_conn.ds_inst.base_dn + 
ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "member", user_dn.encode('utf-8'))]) + # wait for slapd to change its database + time.sleep(1) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user11", "user21"))) + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_group_2307bis_delete_group(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that deleting a group removes it from both caches + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + e = ldap_ent.group_bis(ldap_conn.ds_inst.base_dn, "group1", 2001) + ldap_conn.delete_s(e[0]) + # wait for slapd to change its database + time.sleep(1) + + with pytest.raises(KeyError): + grp.getgrnam("group1") + + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + assert sysdb_attrs.get("dataExpireTimestamp") is None + assert sysdb_attrs.get("originalModifyTimestamp") is None + assert ts_attrs.get("dataExpireTimestamp") is None + assert ts_attrs.get("originalModifyTimestamp") is None + + +def test_group_2307_update_same_modstamp(ldap_conn, + ldb_examine, + setup_rfc2307): + """ + Test that a group update with the same modifyTimestamp does not trigger + sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + 
SSSD_DOMAIN, TS_ATTRLIST) + + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_same_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_group_2307_update_same_attrs(ldap_conn, + ldb_examine, + setup_rfc2307): + """ + Test that a group update with a different modifyTimestamp but the same + attrs does not trigger sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + # modify an argument we don't save to the cache. This will bump the + # modifyTimestamp attribute, but the attributes themselves will be the same + # from sssd's point of view + ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_ADD, "description", b"group one")]) + # wait for slapd to change its database + time.sleep(1) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user1", "user11", "user21"))) + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_group_2307_update_diff_attrs(ldap_conn, + ldb_examine, + setup_rfc2307): + """ + Test that a group update with different attribute triggers cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + ldap_conn.modify_s("cn=group1,ou=Groups," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_DELETE, "memberUid", b"user1")]) + # wait for slapd to change its database 
+ time.sleep(1) + + ent.assert_group_by_name( + "group1", + dict(mem=ent.contains_only("user11", "user21"))) + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_group_2307_delete_group(ldap_conn, + ldb_examine, + setup_rfc2307): + """ + Test that deleting a group removes it from both caches + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + e = ldap_ent.group_bis(ldap_conn.ds_inst.base_dn, "group1", 2001) + ldap_conn.delete_s(e[0]) + # wait for slapd to change its database + time.sleep(1) + + with pytest.raises(KeyError): + grp.getgrnam("group1") + + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + assert sysdb_attrs.get("dataExpireTimestamp") is None + assert sysdb_attrs.get("originalModifyTimestamp") is None + assert ts_attrs.get("dataExpireTimestamp") is None + assert ts_attrs.get("originalModifyTimestamp") is None + + +def test_user_update_same_modstamp(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that a user update with the same modifyTimestamp does not trigger + sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) + + ent.assert_passwd_by_name("user1", dict(name="user1")) + + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", + SSSD_DOMAIN, TS_ATTRLIST) + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + 
assert_same_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_user_update_same_attrs(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that a user update with the same modifyTimestamp does not trigger + sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) + + # modify an argument we don't save to the cache. This will bump the + # modifyTimestamp attribute, but the attributes themselves will be the same + # from sssd's point of view + ldap_conn.modify_s("uid=user1,ou=Users," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_ADD, "description", b"user one")]) + # wait for slapd to change its database + time.sleep(1) + + ent.assert_passwd_by_name("user1", dict(name="user1")) + + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", + SSSD_DOMAIN, TS_ATTRLIST) + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_same_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_user_update_diff_attrs(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that a user update with the same modifyTimestamp does not trigger + sysdb cache update + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) + + # modify an argument we don't save to the cache. 
This will bump the + # modifyTimestamp attribute, but the attributes themselves will be the same + # from sssd's point of view + ldap_conn.modify_s("uid=user1,ou=Users," + ldap_conn.ds_inst.base_dn, + [(ldap.MOD_REPLACE, "loginShell", b"/bin/zsh")]) + # wait for slapd to change its database + time.sleep(1) + + ent.assert_passwd_by_name("user1", dict(name="user1")) + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", + SSSD_DOMAIN, TS_ATTRLIST) + assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, "dataExpireTimestamp") + assert_diff_attrval(sysdb_attrs, old_sysdb_attrs, + "originalModifyTimestamp") + + assert_diff_attrval(ts_attrs, old_ts_attrs, "dataExpireTimestamp") + assert_diff_attrval(ts_attrs, old_ts_attrs, "originalModifyTimestamp") + + +def test_user_2307bis_delete_user(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that deleting a user removes it from both caches + """ + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) + + e = ldap_ent.user(ldap_conn.ds_inst.base_dn, "user1", 1001, 2001) + + ldap_conn.delete_s(e[0]) + # wait for slapd to change its database + time.sleep(1) + + with pytest.raises(KeyError): + pwd.getpwnam("user1") + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", + SSSD_DOMAIN, TS_ATTRLIST) + assert sysdb_attrs.get("dataExpireTimestamp") is None + assert sysdb_attrs.get("originalModifyTimestamp") is None + assert ts_attrs.get("dataExpireTimestamp") is None + assert ts_attrs.get("originalModifyTimestamp") is None + + +def test_sss_cache_invalidate_user(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that sss_cache invalidate user in both caches + """ + + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_user(ldb_conn, "user1", 2001) + + subprocess.call(["sss_cache", "-u", "user1"]) + + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert sysdb_attrs.get("dataExpireTimestamp") == '1' + assert 
ts_attrs.get("dataExpireTimestamp") == '1' + + time.sleep(1) + pwd.getpwnam("user1") + sysdb_attrs, ts_attrs = get_user_attrs(ldb_conn, "user1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert sysdb_attrs.get("dataExpireTimestamp") == '1' + assert_diff_attrval(ts_attrs, sysdb_attrs, "dataExpireTimestamp") + + +def test_sss_cache_invalidate_group(ldap_conn, + ldb_examine, + setup_rfc2307bis): + """ + Test that sss_cache invalidate group in both caches + """ + + ldb_conn = ldb_examine + old_sysdb_attrs, old_ts_attrs = prime_cache_group( + ldb_conn, "group1", + ("user1", "user11", "user21")) + + subprocess.call(["sss_cache", "-g", "group1"]) + + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert sysdb_attrs.get("dataExpireTimestamp") == '1' + assert ts_attrs.get("dataExpireTimestamp") == '1' + + time.sleep(1) + grp.getgrnam("group1") + sysdb_attrs, ts_attrs = get_group_attrs(ldb_conn, "group1", + SSSD_DOMAIN, TS_ATTRLIST) + + assert sysdb_attrs.get("dataExpireTimestamp") == '1' + assert_diff_attrval(ts_attrs, sysdb_attrs, "dataExpireTimestamp") diff --git a/src/tests/intg/util.py b/src/tests/intg/util.py new file mode 100644 index 0000000..bfebbfb --- /dev/null +++ b/src/tests/intg/util.py 
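Review bot: `test_sss_cache_invalidate_user` and `test_sss_cache_invalidate_group` discard the exit status of `subprocess.call(["sss_cache", ...])`, while `prime_cache_user` and `prime_cache_group` have already called `invalidate_entry` on the same object just before. If `invalidate_entry` also sets `dataExpireTimestamp` to 1 (it lives in `sssd_ldb`, outside this hunk, so this is an assumption), the `== '1'` assertions can pass even when `sss_cache` exits with an error, and the test no longer proves that the tool invalidates anything. Use `subprocess.check_call(["sss_cache", "-u", "user1"])` and `subprocess.check_call(["sss_cache", "-g", "group1"])` so a failing invalidation fails the test.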
@@ -0,0 +1,87 @@ +# +# Various functions +# +# Copyright (c) 2015 Red Hat, Inc. +# Author: Nikolai Kondrashov +# +# This is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import re +import os +import subprocess +import config +import shutil + +UNINDENT_RE = re.compile("^ +", re.MULTILINE) + + +def unindent(text): + """ + Unindent text by removing at most the number of spaces present in + the first non-empty line from the beginning of every line. + """ + indent_ref = [0] + + def replace(match): + if indent_ref[0] == 0: + indent_ref[0] = len(match.group()) + return match.group()[indent_ref[0]:] + return UNINDENT_RE.sub(replace, text) + + +def run_shell(): + """ + Execute an interactive shell under "screen", preserving environment. + For use as a breakpoint for debugging. + """ + my_env = os.environ.copy() + my_env["ROOT_DIR"] = config.PREFIX + + # screen filter out LD_* evniroment varibles. 
+ # Back-up them and set them later in screenrc + my_env["_LD_LIBRARY_PATH"] = os.getenv("LD_LIBRARY_PATH", "") + my_env["_LD_PRELOAD"] = os.getenv("LD_PRELOAD", "") + + subprocess.call([ + "screen", "-DAm", "-S", "sssd_cwrap_session", "-c", + ".config/screenrc"], + env=my_env + ) + + +def first_dir(*args): + """Return first argument that points to an existing directory.""" + for arg in args: + if os.path.isdir(arg): + return arg + + +def backup_envvar_file(name): + path = os.environ[name] + backup_path = path + ".bak" + shutil.copyfile(path, backup_path) + return path + + +def restore_envvar_file(name): + path = os.environ[name] + backup_path = path + ".bak" + os.rename(backup_path, path) + + +def get_call_output(cmd, stderr_output=subprocess.PIPE): + process = subprocess.Popen(cmd, stdout=subprocess.PIPE, + stderr=stderr_output) + output, ret = process.communicate() + return output.decode('utf-8') diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c new file mode 100644 index 0000000..c8ef7fe --- /dev/null +++ b/src/tests/ipa_hbac-tests.c 
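Review bot: In `get_call_output` (src/tests/intg/util.py) the second value returned by `process.communicate()` is bound to `ret`, but it is the captured stderr, not an exit status, and `process.returncode` is never inspected. A command that fails therefore hands its partial or empty stdout back to the test as if it had succeeded. Bind it as `output, _ = process.communicate()` and either check the status with `if process.returncode != 0: raise subprocess.CalledProcessError(process.returncode, cmd)` or state in a docstring that the exit status is deliberately ignored. `backup_envvar_file` and `restore_envvar_file` have no docstrings; a one-line description such as `"""Copy the file named by environment variable name to <path>.bak and return the original path."""` would help, and the comment in `run_shell` has typos ("evniroment varibles").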
@@ -0,0 +1,884 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include +#include +#include +#include +#include + +#include "tests/common_check.h" +#include "lib/ipa_hbac/ipa_hbac.h" + +#define HBAC_TEST_USER "testuser" +#define HBAC_TEST_INVALID_USER "nosuchuser" + +#define HBAC_TEST_GROUP1 "testgroup1" +#define HBAC_TEST_GROUP2 "testgroup2" +#define HBAC_TEST_INVALID_GROUP "nosuchgroup" + +#define HBAC_TEST_SERVICE "testservice" +#define HBAC_TEST_INVALID_SERVICE "nosuchservice" + +#define HBAC_TEST_SERVICEGROUP1 "login_services" +#define HBAC_TEST_SERVICEGROUP2 "all_services" +#define HBAC_TEST_INVALID_SERVICEGROUP "nosuchservicegroup" + +#define HBAC_TEST_SRCHOST "client.example.com" +#define HBAC_TEST_INVALID_SRCHOST "nosuchsrchost" + +#define HBAC_TEST_SRCHOSTGROUP1 "site_hosts" +#define HBAC_TEST_SRCHOSTGROUP2 "corp_hosts" +#define HBAC_TEST_INVALID_SRCHOSTGROUP "nosuchsrchostgroup" + + +/* These don't make sense for a user/group/service but they do the job and + * every one is from a different codepage */ +/* Latin Extended A - "Czech" */ +const uint8_t user_utf8_lowcase[] = { 0xC4, 0x8D, 'e', 'c', 'h', 0x0 }; +const uint8_t user_utf8_upcase[] = { 0xC4, 0x8C, 'e', 'c', 'h', 0x0 }; +const uint8_t user_utf8_lowcase_neg[] = { 0xC4, 0x8E, 'e', 'c', 'h', 0x0 }; +/* Latin 1 Supplement - "Munchen" */ +const uint8_t 
service_utf8_lowcase[] = { 'm', 0xC3, 0xBC, 'n', 'c', 'h', 'e', 'n', 0x0 }; +const uint8_t service_utf8_upcase[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 }; +/* Greek - "AlphaBetaGamma" */ +const uint8_t srchost_utf8_lowcase[] = { 0xCE, 0xB1, 0xCE, 0xB2, 0xCE, 0xB3, 0x0 }; +const uint8_t srchost_utf8_upcase[] = { 0xCE, 0x91, 0xCE, 0x92, 0xCE, 0x93, 0x0 }; +/* Turkish "capital I" and "dotless i" */ +const uint8_t user_lowcase_tr[] = { 0xC4, 0xB1, 0x0 }; +const uint8_t user_upcase_tr[] = { 0x49, 0x0 }; + +static void get_allow_all_rule(TALLOC_CTX *mem_ctx, + struct hbac_rule **allow_rule) +{ + struct hbac_rule *rule; + /* Create a rule that ALLOWs all services, users and + * remote hosts. + */ + rule = talloc_zero(mem_ctx, struct hbac_rule); + fail_if (rule == NULL); + + rule->enabled = true; + + rule->services = talloc_zero(rule, struct hbac_rule_element); + fail_if (rule->services == NULL); + rule->services->category = HBAC_CATEGORY_ALL; + rule->services->names = NULL; + rule->services->groups = NULL; + + rule->users = talloc_zero(rule, struct hbac_rule_element); + fail_if (rule->users == NULL); + rule->users->category = HBAC_CATEGORY_ALL; + rule->users->names = NULL; + rule->users->groups = NULL; + + rule->targethosts = talloc_zero(rule, struct hbac_rule_element); + fail_if (rule->targethosts == NULL); + rule->targethosts->category = HBAC_CATEGORY_ALL; + rule->targethosts->names = NULL; + rule->targethosts->groups = NULL; + + rule->srchosts = talloc_zero(rule, struct hbac_rule_element); + fail_if (rule->srchosts == NULL); + rule->srchosts->category = HBAC_CATEGORY_ALL; + rule->srchosts->names = NULL; + rule->srchosts->groups = NULL; + + *allow_rule = rule; +} + +static void get_test_user(TALLOC_CTX *mem_ctx, + struct hbac_request_element **user) +{ + struct hbac_request_element *new_user; + + new_user = talloc_zero(mem_ctx, struct hbac_request_element); + fail_if (new_user == NULL); + + new_user->name = talloc_strdup(new_user, HBAC_TEST_USER); + 
fail_if(new_user->name == NULL); + + new_user->groups = talloc_array(new_user, const char *, 3); + fail_if(new_user->groups == NULL); + + new_user->groups[0] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP1); + fail_if(new_user->groups[0] == NULL); + + new_user->groups[1] = talloc_strdup(new_user->groups, HBAC_TEST_GROUP2); + fail_if(new_user->groups[1] == NULL); + + new_user->groups[2] = NULL; + + *user = new_user; +} + +static void get_test_service(TALLOC_CTX *mem_ctx, + struct hbac_request_element **service) +{ + struct hbac_request_element *new_service; + + new_service = talloc_zero(mem_ctx, struct hbac_request_element); + fail_if (new_service == NULL); + + new_service->name = talloc_strdup(new_service, HBAC_TEST_SERVICE); + fail_if(new_service->name == NULL); + + new_service->groups = talloc_array(new_service, const char *, 3); + fail_if(new_service->groups == NULL); + + new_service->groups[0] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP1); + fail_if(new_service->groups[0] == NULL); + + new_service->groups[1] = talloc_strdup(new_service->groups, HBAC_TEST_SERVICEGROUP2); + fail_if(new_service->groups[1] == NULL); + + new_service->groups[2] = NULL; + + *service = new_service; +} + +static void get_test_srchost(TALLOC_CTX *mem_ctx, + struct hbac_request_element **srchost) +{ + struct hbac_request_element *new_srchost; + + new_srchost = talloc_zero(mem_ctx, struct hbac_request_element); + fail_if (new_srchost == NULL); + + new_srchost->name = talloc_strdup(new_srchost, HBAC_TEST_SRCHOST); + fail_if(new_srchost->name == NULL); + + new_srchost->groups = talloc_array(new_srchost, const char *, 3); + fail_if(new_srchost->groups == NULL); + + new_srchost->groups[0] = talloc_strdup(new_srchost->groups, + HBAC_TEST_SRCHOSTGROUP1); + fail_if(new_srchost->groups[0] == NULL); + + new_srchost->groups[1] = talloc_strdup(new_srchost->groups, + HBAC_TEST_SRCHOSTGROUP2); + fail_if(new_srchost->groups[1] == NULL); + + new_srchost->groups[2] = NULL; + + *srchost 
= new_srchost; +} + +START_TEST(ipa_hbac_test_allow_all) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + rules[0]->name = talloc_strdup(rules[0], "Allow All"); + fail_if(rules[0]->name == NULL); + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? 
hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_user) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + /* Modify the rule to allow only a specific user */ + rules[0]->name = talloc_strdup(rules[0], "Allow user"); + fail_if(rules[0]->name == NULL); + rules[0]->users->category = HBAC_CATEGORY_NULL; + + rules[0]->users->names = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->users->names == NULL); + + rules[0]->users->names[0] = HBAC_TEST_USER; + rules[0]->users->names[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? 
hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test */ + rules[0]->users->names[0] = HBAC_TEST_INVALID_USER; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_utf8) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Override the with UTF8 values */ + eval_req->user->name = (const char *) &user_utf8_lowcase; + eval_req->srchost->name = (const char *) &srchost_utf8_lowcase; + eval_req->service->name = (const char *) &service_utf8_lowcase; + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + rules[0]->name = talloc_strdup(rules[0], "Allow user"); + fail_if(rules[0]->name == NULL); + rules[0]->users->category = HBAC_CATEGORY_NULL; + + /* Modify the rule to allow only a specific user */ + rules[0]->users->names = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->users->names == NULL); + + rules[0]->users->names[0] = (const char *) 
&user_utf8_upcase; + rules[0]->users->names[1] = NULL; + + /* Modify the rule to allow only a specific service */ + rules[0]->services->category = HBAC_CATEGORY_NULL; + + rules[0]->services->names = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->services->names == NULL); + + rules[0]->services->names[0] = (const char *) &service_utf8_upcase; + rules[0]->services->names[1] = NULL; + + /* Modify the rule to allow only a specific service */ + rules[0]->srchosts->category = HBAC_CATEGORY_NULL; + + rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->services->names == NULL); + + rules[0]->srchosts->names[0] = (const char *) &srchost_utf8_upcase; + rules[0]->srchosts->names[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + + /* Negative test - a different letter */ + rules[0]->users->names[0] = (const char *) &user_utf8_lowcase_neg; + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test - Turkish dotless i. 
We cannot know that capital I + * casefolds into dotless i unless we know the language is Turkish */ + eval_req->user->name = (const char *) &user_lowcase_tr; + rules[0]->users->names[0] = (const char *) &user_upcase_tr; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_group) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + /* Modify the rule to allow only a group of users */ + rules[0]->name = talloc_strdup(rules[0], "Allow group"); + fail_if(rules[0]->name == NULL); + rules[0]->users->category = HBAC_CATEGORY_NULL; + + rules[0]->users->names = NULL; + rules[0]->users->groups = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->users->groups == NULL); + + rules[0]->users->groups[0] = HBAC_TEST_GROUP1; + rules[0]->users->groups[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], 
&missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test */ + rules[0]->users->groups[0] = HBAC_TEST_INVALID_GROUP; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_svc) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + /* Modify the rule to allow only a specific service */ + rules[0]->name = talloc_strdup(rules[0], "Allow service"); + fail_if(rules[0]->name == NULL); + rules[0]->services->category = HBAC_CATEGORY_NULL; + + rules[0]->services->names = talloc_array(rules[0], const char *, 2); 
+ fail_if(rules[0]->services->names == NULL); + + rules[0]->services->names[0] = HBAC_TEST_SERVICE; + rules[0]->services->names[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test */ + rules[0]->services->names[0] = HBAC_TEST_INVALID_SERVICE; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? 
hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_svcgroup) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + /* Modify the rule to allow only a group of users */ + rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup"); + fail_if(rules[0]->name == NULL); + rules[0]->services->category = HBAC_CATEGORY_NULL; + + rules[0]->services->names = NULL; + rules[0]->services->groups = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->services->groups == NULL); + + rules[0]->services->groups[0] = HBAC_TEST_SERVICEGROUP1; + rules[0]->services->groups[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? 
hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test */ + rules[0]->services->groups[0] = HBAC_TEST_INVALID_SERVICEGROUP; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_srchost) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + /* Modify the rule to allow only a specific service */ + rules[0]->name = talloc_strdup(rules[0], "Allow srchost"); + fail_if(rules[0]->name == NULL); + rules[0]->srchosts->category = HBAC_CATEGORY_NULL; + + rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2); + fail_if(rules[0]->srchosts->names == NULL); + + rules[0]->srchosts->names[0] = HBAC_TEST_SRCHOST; + rules[0]->srchosts->names[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 
0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test */ + rules[0]->srchosts->names[0] = HBAC_TEST_INVALID_SRCHOST; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_allow_srchostgroup) +{ + enum hbac_eval_result result; + TALLOC_CTX *test_ctx; + struct hbac_rule **rules; + struct hbac_eval_req *eval_req; + struct hbac_info *info = NULL; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + /* Create a request */ + eval_req = talloc_zero(test_ctx, struct hbac_eval_req); + fail_if (eval_req == NULL); + + get_test_user(eval_req, &eval_req->user); + get_test_service(eval_req, &eval_req->service); + get_test_srchost(eval_req, &eval_req->srchost); + + /* Create the rules to evaluate against */ + rules = talloc_array(test_ctx, struct hbac_rule *, 2); + fail_if (rules == NULL); + + get_allow_all_rule(rules, &rules[0]); + + /* Modify the rule to allow only a group of users */ + rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup"); + fail_if(rules[0]->name == NULL); + rules[0]->srchosts->category = HBAC_CATEGORY_NULL; + + rules[0]->srchosts->names = NULL; + rules[0]->srchosts->groups = talloc_array(rules[0], const char *, 2); + 
fail_if(rules[0]->srchosts->groups == NULL); + + rules[0]->srchosts->groups[0] = HBAC_TEST_SRCHOSTGROUP1; + rules[0]->srchosts->groups[1] = NULL; + + rules[1] = NULL; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_ALLOW, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_ALLOW), + hbac_result_string(result), + info ? hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + /* Negative test */ + rules[0]->srchosts->groups[0] = HBAC_TEST_INVALID_SRCHOSTGROUP; + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rules[0], &missing_attrs); + fail_unless(is_valid); + fail_unless(missing_attrs == 0); + + /* Evaluate the rules */ + result = hbac_evaluate(rules, eval_req, &info); + fail_unless(result == HBAC_EVAL_DENY, + "Expected [%s], got [%s]; " + "Error: [%s]", + hbac_result_string(HBAC_EVAL_DENY), + hbac_result_string(result), + info ? 
hbac_error_string(info->code):"Unknown"); + hbac_free_info(info); + info = NULL; + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(ipa_hbac_test_incomplete) +{ + TALLOC_CTX *test_ctx; + struct hbac_rule *rule; + bool is_valid; + uint32_t missing_attrs; + + test_ctx = talloc_new(global_talloc_context); + + rule = talloc_zero(test_ctx, struct hbac_rule); + + /* Validate this rule */ + is_valid = hbac_rule_is_complete(rule, &missing_attrs); + fail_if(is_valid); + fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS); + fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SERVICES); + fail_unless(missing_attrs | HBAC_RULE_ELEMENT_TARGETHOSTS); + fail_unless(missing_attrs | HBAC_RULE_ELEMENT_SOURCEHOSTS); + + talloc_free(test_ctx); +} +END_TEST + +Suite *hbac_test_suite (void) +{ + Suite *s = suite_create ("HBAC"); + + TCase *tc_hbac = tcase_create("HBAC_rules"); + tcase_add_checked_fixture(tc_hbac, + ck_leak_check_setup, + ck_leak_check_teardown); + + tcase_add_test(tc_hbac, ipa_hbac_test_allow_all); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_user); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_group); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_svc); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_svcgroup); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_srchost); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_srchostgroup); + tcase_add_test(tc_hbac, ipa_hbac_test_allow_utf8); + tcase_add_test(tc_hbac, ipa_hbac_test_incomplete); + + suite_add_tcase(s, tc_hbac); + return s; +} + +int main(int argc, const char *argv[]) +{ + int number_failed; + + tests_set_cwd(); + + Suite *s = hbac_test_suite(); + SRunner *sr = srunner_create(s); + + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} 
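Review bot: The four assertions in `ipa_hbac_test_incomplete` use bitwise OR, `fail_unless(missing_attrs | HBAC_RULE_ELEMENT_USERS);`, which is non-zero whatever `hbac_rule_is_complete()` reported (assuming the HBAC_RULE_ELEMENT_* values are non-zero flag bits), so the test cannot catch a validator that fails to flag a missing element of an access-control rule. They should test the bit instead, `fail_unless(missing_attrs & HBAC_RULE_ELEMENT_USERS);`, and likewise for SERVICES, TARGETHOSTS and SOURCEHOSTS. In `ipa_hbac_test_allow_utf8`, the allocation of `rules[0]->srchosts->names` is followed by `fail_if(rules[0]->services->names == NULL);`, which checks the wrong pointer; it should read `fail_if(rules[0]->srchosts->names == NULL);`. The `talloc_zero` result in `ipa_hbac_test_incomplete` is also passed to the validator without a NULL check, unlike the other tests.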
diff --git a/src/tests/ipa_ldap_opt-tests.c b/src/tests/ipa_ldap_opt-tests.c
new file mode 100644
index 0000000..8c7c81f
--- /dev/null
+++ b/src/tests/ipa_ldap_opt-tests.c
@@ -0,0 +1,553 @@ +/* + SSSD + + Tests if IPA and LDAP backend options are in sync + + Authors: + Jakub Hrozek + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "providers/ipa/ipa_common.h" +#include "providers/ipa/ipa_opts.h" +#include "providers/ldap/sdap.h" +#include "providers/ldap/ldap_opts.h" +#include "providers/krb5/krb5_opts.h" +#include "providers/krb5/krb5_common.h" +#include "providers/ad/ad_opts.h" +#include "providers/be_dyndns.h" +#include "tests/common.h" + +struct test_domain { + const char *domain; + const char *basedn; +}; + +struct test_domain test_domains[] = { + { "abc", "dc=abc"}, + { "a.b.c", "dc=a,dc=b,dc=c"}, + { "A.B.C", "dc=a,dc=b,dc=c"}, + { NULL, NULL} +}; + +/* Mock parsing search base without overlinking the test */ +errno_t sdap_parse_search_base(TALLOC_CTX *mem_ctx, + struct dp_option *opts, int class, + struct sdap_search_base ***_search_bases) +{ + return EOK; +} + +START_TEST(test_domain_to_basedn) +{ + int ret; + int i; + TALLOC_CTX *tmp_ctx; + char *basedn; + + tmp_ctx = talloc_new(NULL); + fail_unless(tmp_ctx != NULL, "talloc_new failed"); + + ret = domain_to_basedn(tmp_ctx, NULL, &basedn); + fail_unless(ret == EINVAL, + "domain_to_basedn does not fail with EINVAL if domain is NULL"); + + ret = domain_to_basedn(tmp_ctx, "abc", NULL); + fail_unless(ret == EINVAL, + "domain_to_basedn does not fail with 
EINVAL if basedn is NULL"); + + for(i=0; test_domains[i].domain != NULL; i++) { + ret = domain_to_basedn(tmp_ctx, test_domains[i].domain, &basedn); + fail_unless(ret == EOK, "domain_to_basedn failed"); + fail_unless(strcmp(basedn, test_domains[i].basedn) == 0, + "domain_to_basedn returned wrong basedn, " + "get [%s], expected [%s]", basedn, test_domains[i].basedn); + talloc_free(basedn); + } + + talloc_free(tmp_ctx); +} +END_TEST + +START_TEST(test_compare_opts) +{ + errno_t ret; + + ret = compare_dp_options(default_basic_opts, SDAP_OPTS_BASIC, + ipa_def_ldap_opts); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = compare_dp_options(default_krb5_opts, KRB5_OPTS, + ipa_def_krb5_opts); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = compare_dp_options(ipa_dyndns_opts, DP_OPT_DYNDNS, + ad_dyndns_opts); + fail_unless(ret == EOK, "[%s]", strerror(ret)); +} +END_TEST + +START_TEST(test_compare_sdap_attrs) +{ + errno_t ret; + + /* General Attributes */ + ret = compare_sdap_attr_maps(generic_attr_map, SDAP_AT_GENERAL, + ipa_attr_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* User Attributes */ + ret = compare_sdap_attr_maps(rfc2307_user_map, SDAP_OPTS_USER, + ipa_user_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Group Attributes */ + ret = compare_sdap_attr_maps(rfc2307_group_map, SDAP_OPTS_GROUP, + ipa_group_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Service Attributes */ + ret = compare_sdap_attr_maps(service_map, SDAP_OPTS_SERVICES, + ipa_service_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* AutoFS Attributes */ + ret = compare_sdap_attr_maps(rfc2307_autofs_mobject_map, + SDAP_OPTS_AUTOFS_MAP, + ipa_autofs_mobject_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = compare_sdap_attr_maps(rfc2307_autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, + ipa_autofs_entry_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); +} +END_TEST + 
+START_TEST(test_compare_2307_with_2307bis) +{ + errno_t ret; + + /* User Attributes */ + ret = compare_sdap_attr_maps(rfc2307_user_map, SDAP_OPTS_USER, + rfc2307bis_user_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Group Attributes */ + ret = compare_sdap_attr_maps(rfc2307_group_map, SDAP_OPTS_GROUP, + rfc2307bis_group_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* AutoFS Attributes */ + ret = compare_sdap_attr_maps(rfc2307_autofs_mobject_map, + SDAP_OPTS_AUTOFS_MAP, + rfc2307bis_autofs_mobject_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = compare_sdap_attr_maps(rfc2307_autofs_entry_map, + SDAP_OPTS_AUTOFS_ENTRY, + rfc2307bis_autofs_entry_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); +} +END_TEST + +static void fail_unless_dp_opt_is_terminator(struct dp_option *o) +{ + fail_unless(o->opt_name == NULL); + fail_unless(o->type == 0); + fail_unless(o->def_val.string == NULL); + fail_unless(o->val.string == NULL); +} + +static void fail_unless_sdap_opt_is_terminator(struct sdap_attr_map *m) +{ + fail_unless(m->name == NULL); + fail_unless(m->def_name == NULL); + fail_unless(m->sys_name == NULL); + fail_unless(m->opt_name == NULL); +} + +START_TEST(test_dp_opt_sentinel) +{ + fail_unless_dp_opt_is_terminator(&default_basic_opts[SDAP_OPTS_BASIC]); + + fail_unless_dp_opt_is_terminator(&default_krb5_opts[KRB5_OPTS]); + + fail_unless_dp_opt_is_terminator(&ad_basic_opts[AD_OPTS_BASIC]); + fail_unless_dp_opt_is_terminator(&ad_def_ldap_opts[SDAP_OPTS_BASIC]); + fail_unless_dp_opt_is_terminator(&ad_def_krb5_opts[KRB5_OPTS]); + + fail_unless_dp_opt_is_terminator(&ipa_basic_opts[IPA_OPTS_BASIC]); + fail_unless_dp_opt_is_terminator(&ipa_def_ldap_opts[SDAP_OPTS_BASIC]); + fail_unless_dp_opt_is_terminator(&ipa_def_krb5_opts[KRB5_OPTS]); + + fail_unless_dp_opt_is_terminator(&ad_dyndns_opts[DP_OPT_DYNDNS]); + fail_unless_dp_opt_is_terminator(&ipa_dyndns_opts[DP_OPT_DYNDNS]); +} +END_TEST + 
+START_TEST(test_sdap_opt_sentinel) +{ + fail_unless_sdap_opt_is_terminator(&generic_attr_map[SDAP_AT_GENERAL]); + fail_unless_sdap_opt_is_terminator(&gen_ipa_attr_map[SDAP_AT_GENERAL]); + fail_unless_sdap_opt_is_terminator(&gen_ad_attr_map[SDAP_AT_GENERAL]); + fail_unless_sdap_opt_is_terminator(&ad_2008r2_attr_map[SDAP_AT_GENERAL]); + fail_unless_sdap_opt_is_terminator(&ipa_attr_map[SDAP_AT_GENERAL]); + + fail_unless_sdap_opt_is_terminator(&rfc2307_user_map[SDAP_OPTS_USER]); + fail_unless_sdap_opt_is_terminator(&rfc2307bis_user_map[SDAP_OPTS_USER]); + fail_unless_sdap_opt_is_terminator(&gen_ad2008r2_user_map[SDAP_OPTS_USER]); + fail_unless_sdap_opt_is_terminator(&ad_2008r2_user_map[SDAP_OPTS_USER]); + fail_unless_sdap_opt_is_terminator(&ipa_user_map[SDAP_OPTS_USER]); + + fail_unless_sdap_opt_is_terminator(&rfc2307_group_map[SDAP_OPTS_GROUP]); + fail_unless_sdap_opt_is_terminator(&rfc2307bis_group_map[SDAP_OPTS_GROUP]); + fail_unless_sdap_opt_is_terminator(&gen_ad2008r2_group_map[SDAP_OPTS_GROUP]); + fail_unless_sdap_opt_is_terminator(&ad_2008r2_group_map[SDAP_OPTS_GROUP]); + fail_unless_sdap_opt_is_terminator(&ipa_group_map[SDAP_OPTS_GROUP]); + + fail_unless_sdap_opt_is_terminator(&native_sudorule_map[SDAP_OPTS_SUDO]); + + fail_unless_sdap_opt_is_terminator(&netgroup_map[SDAP_OPTS_NETGROUP]); + fail_unless_sdap_opt_is_terminator(&ad_netgroup_map[SDAP_OPTS_NETGROUP]); + fail_unless_sdap_opt_is_terminator(&ipa_netgroup_map[IPA_OPTS_NETGROUP]); + + fail_unless_sdap_opt_is_terminator(&ipa_host_map[SDAP_OPTS_HOST]); + fail_unless_sdap_opt_is_terminator(&ipa_hostgroup_map[IPA_OPTS_HOSTGROUP]); + fail_unless_sdap_opt_is_terminator(&ipa_selinux_user_map[IPA_OPTS_SELINUX_USERMAP]); + fail_unless_sdap_opt_is_terminator(&ipa_view_map[IPA_OPTS_VIEW]); + fail_unless_sdap_opt_is_terminator(&ipa_override_map[IPA_OPTS_OVERRIDE]); + + fail_unless_sdap_opt_is_terminator(&service_map[SDAP_OPTS_SERVICES]); + fail_unless_sdap_opt_is_terminator(&ad_service_map[SDAP_OPTS_SERVICES]); + 
fail_unless_sdap_opt_is_terminator(&ipa_service_map[SDAP_OPTS_SERVICES]); + + fail_unless_sdap_opt_is_terminator(&rfc2307_autofs_mobject_map[SDAP_OPTS_AUTOFS_MAP]); + fail_unless_sdap_opt_is_terminator(&rfc2307bis_autofs_mobject_map[SDAP_OPTS_AUTOFS_MAP]); + fail_unless_sdap_opt_is_terminator(&ad_autofs_mobject_map[SDAP_OPTS_AUTOFS_MAP]); + fail_unless_sdap_opt_is_terminator(&ipa_autofs_mobject_map[SDAP_OPTS_AUTOFS_MAP]); + + fail_unless_sdap_opt_is_terminator(&rfc2307_autofs_entry_map[SDAP_OPTS_AUTOFS_ENTRY]); + fail_unless_sdap_opt_is_terminator(&rfc2307bis_autofs_entry_map[SDAP_OPTS_AUTOFS_ENTRY]); + fail_unless_sdap_opt_is_terminator(&ad_autofs_entry_map[SDAP_OPTS_AUTOFS_ENTRY]); + fail_unless_sdap_opt_is_terminator(&ipa_autofs_entry_map[SDAP_OPTS_AUTOFS_ENTRY]); +} +END_TEST + +START_TEST(test_copy_opts) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct dp_option *opts; + + tmp_ctx = talloc_new(NULL); + fail_unless(tmp_ctx != NULL, "talloc_new failed"); + + ret = dp_copy_defaults(tmp_ctx, ad_def_ldap_opts, SDAP_OPTS_BASIC, &opts); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + for (int i=0; i < SDAP_OPTS_BASIC; i++) { + char *s1, *s2; + bool b1, b2; + int i1, i2; + struct dp_opt_blob bl1, bl2; + + switch (opts[i].type) { + case DP_OPT_STRING: + s1 = dp_opt_get_string(opts, i); + s2 = opts[i].def_val.string; + + if (s1 != NULL || s2 != NULL) { + fail_unless(strcmp(s1, s2) == 0, + "Option %s does not have default value after copy\n", + opts[i].opt_name); + } + break; + + case DP_OPT_NUMBER: + i1 = dp_opt_get_int(opts, i); + i2 = opts[i].def_val.number; + + fail_unless(i1 == i2, + "Option %s does not have default value after copy\n", + opts[i].opt_name); + break; + + case DP_OPT_BOOL: + b1 = dp_opt_get_bool(opts, i); + b2 = opts[i].def_val.boolean; + + fail_unless(b1 == b2, + "Option %s does not have default value after copy\n", + opts[i].opt_name); + break; + + case DP_OPT_BLOB: + bl1 = dp_opt_get_blob(opts, i); + bl2 = opts[i].def_val.blob; + + 
fail_unless(bl1.length == bl2.length, + "Blobs differ in size for option %s\n", + opts[i].opt_name); + fail_unless(memcmp(bl1.data, bl2.data, bl1.length) == 0, + "Blobs differ in value for option %s\n", + opts[i].opt_name); + } + } + + talloc_free(tmp_ctx); +} +END_TEST + +START_TEST(test_copy_sdap_map) +{ + errno_t ret; + struct sdap_attr_map *out_map; + + ret = sdap_copy_map(global_talloc_context, + rfc2307_user_map, SDAP_OPTS_USER, &out_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + fail_unless(out_map[SDAP_OPTS_USER].name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); + talloc_free(out_map); + + ret = sdap_copy_map(global_talloc_context, + rfc2307bis_user_map, SDAP_OPTS_USER, &out_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + fail_unless(out_map[SDAP_OPTS_USER].name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); + talloc_free(out_map); + + ret = sdap_copy_map(global_talloc_context, + ipa_user_map, SDAP_OPTS_USER, &out_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + fail_unless(out_map[SDAP_OPTS_USER].name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); + talloc_free(out_map); + + ret = sdap_copy_map(global_talloc_context, + gen_ad2008r2_user_map, SDAP_OPTS_USER, &out_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + fail_unless(out_map[SDAP_OPTS_USER].name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].def_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].sys_name == NULL); + fail_unless(out_map[SDAP_OPTS_USER].opt_name == NULL); + talloc_free(out_map); +} +END_TEST + +START_TEST(test_extra_opts) +{ + errno_t ret; + char 
*extra_attrs[] = { discard_const("foo"), + discard_const("baz:bar"), + NULL }; + struct sdap_attr_map *in_map; + struct sdap_attr_map *out_map; + size_t new_size; + + ret = sdap_copy_map(global_talloc_context, rfc2307_user_map, + SDAP_OPTS_USER, &in_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = sdap_extend_map(global_talloc_context, + in_map, + SDAP_OPTS_USER, + extra_attrs, + &out_map, &new_size); + fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); + + /* Two extra and sentinel */ + fail_unless(new_size != SDAP_OPTS_USER + 3); + /* Foo would be saved to sysdb verbatim */ + ck_assert_str_eq(out_map[SDAP_OPTS_USER].name, "foo"); + ck_assert_str_eq(out_map[SDAP_OPTS_USER].sys_name, "foo"); + /* Bar would be saved to sysdb as baz */ + ck_assert_str_eq(out_map[SDAP_OPTS_USER+1].name, "bar"); + ck_assert_str_eq(out_map[SDAP_OPTS_USER+1].sys_name, "baz"); + fail_unless(out_map[SDAP_OPTS_USER+2].name == NULL); + + talloc_free(out_map); +} +END_TEST + +START_TEST(test_no_extra_opts) +{ + errno_t ret; + struct sdap_attr_map *in_map; + struct sdap_attr_map *out_map; + size_t new_size; + + ret = sdap_copy_map(global_talloc_context, rfc2307_user_map, + SDAP_OPTS_USER, &in_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = sdap_extend_map(global_talloc_context, + in_map, + SDAP_OPTS_USER, + NULL, + &out_map, &new_size); + fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); + /* Attributes and sentinel */ + fail_unless(new_size != SDAP_OPTS_USER + 1); + fail_unless(out_map[SDAP_OPTS_USER].name == NULL); + + talloc_free(out_map); +} +END_TEST + +START_TEST(test_extra_opts_neg) +{ + errno_t ret; + char *extra_attrs[] = { discard_const(":foo"), + discard_const("bar:"), + NULL }; + struct sdap_attr_map *in_map; + struct sdap_attr_map *out_map; + size_t new_size; + + ret = sdap_copy_map(global_talloc_context, rfc2307_user_map, + SDAP_OPTS_USER, &in_map); + fail_unless(ret == EOK, "[%s]", sss_strerror(ret)); + + ret = 
sdap_extend_map(global_talloc_context, + in_map, + SDAP_OPTS_USER, + extra_attrs, + &out_map, &new_size); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + /* The faulty attributes would be just skipped */ + fail_unless(new_size != SDAP_OPTS_USER + 1); + fail_unless(out_map[SDAP_OPTS_USER].name == NULL); + + talloc_free(out_map); +} +END_TEST + +START_TEST(test_extra_opts_dup) +{ + errno_t ret; + char *extra_attrs[] = { discard_const("name:foo"), + NULL }; + struct sdap_attr_map *in_map; + struct sdap_attr_map *out_map; + size_t new_size; + + ret = sdap_copy_map(global_talloc_context, rfc2307_user_map, + SDAP_OPTS_USER, &in_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + ret = sdap_extend_map(global_talloc_context, + in_map, + SDAP_OPTS_USER, + extra_attrs, + &out_map, &new_size); + fail_unless(ret == ERR_DUP_EXTRA_ATTR, "[%s]", sss_strerror(ret)); + + talloc_free(out_map); +} +END_TEST + +START_TEST(test_extra_opts_empty_name) +{ + errno_t ret; + char *extra_attrs[] = { discard_const(SYSDB_UUID":bar"), + NULL }; + struct sdap_attr_map *in_map; + struct sdap_attr_map *out_map; + size_t new_size; + + ret = sdap_copy_map(global_talloc_context, rfc2307_user_map, + SDAP_OPTS_USER, &in_map); + fail_unless(ret == EOK, "[%s]", strerror(ret)); + + /* Make sure the name if really NULL */ + fail_unless(rfc2307_user_map[SDAP_AT_USER_UUID].name == NULL, + "The reference name is not NULL anymore, " + "please choose a different attribute."); + + ret = sdap_extend_map(global_talloc_context, + in_map, + SDAP_OPTS_USER, + extra_attrs, + &out_map, &new_size); + fail_unless(ret == ERR_DUP_EXTRA_ATTR, "[%s]", sss_strerror(ret)); + + talloc_free(out_map); +} +END_TEST + +Suite *ipa_ldap_opt_suite (void) +{ + Suite *s = suite_create ("ipa_ldap_opt"); + + TCase *tc_ipa_ldap_opt = tcase_create ("ipa_ldap_opt"); + + tcase_add_test (tc_ipa_ldap_opt, test_compare_opts); + tcase_add_test (tc_ipa_ldap_opt, test_compare_sdap_attrs); + tcase_add_test (tc_ipa_ldap_opt, 
test_compare_2307_with_2307bis); + tcase_add_test (tc_ipa_ldap_opt, test_dp_opt_sentinel); + tcase_add_test (tc_ipa_ldap_opt, test_sdap_opt_sentinel); + suite_add_tcase (s, tc_ipa_ldap_opt); + + TCase *tc_ipa_utils = tcase_create ("ipa_utils"); + tcase_add_test (tc_ipa_utils, test_domain_to_basedn); + suite_add_tcase (s, tc_ipa_utils); + + TCase *tc_dp_opts = tcase_create ("dp_opts"); + tcase_add_test (tc_dp_opts, test_copy_opts); + suite_add_tcase (s, tc_dp_opts); + + TCase *tc_sdap_opts = tcase_create ("sdap_opts"); + tcase_add_test (tc_sdap_opts, test_copy_sdap_map); + suite_add_tcase (s, tc_sdap_opts); + + TCase *tc_extra_opts = tcase_create ("extra_opts"); + tcase_add_test (tc_extra_opts, test_extra_opts); + tcase_add_test (tc_extra_opts, test_no_extra_opts); + tcase_add_test (tc_extra_opts, test_extra_opts_neg); + tcase_add_test (tc_extra_opts, test_extra_opts_dup); + tcase_add_test (tc_extra_opts, test_extra_opts_empty_name); + suite_add_tcase (s, tc_extra_opts); + + return s; +} + +int main(void) +{ + int number_failed; + + tests_set_cwd(); + + Suite *s = ipa_ldap_opt_suite (); + SRunner *sr = srunner_create (s); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/src/tests/krb5_child-test.c b/src/tests/krb5_child-test.c new file mode 100644 index 0000000..ec81826 --- /dev/null +++ b/src/tests/krb5_child-test.c 
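Review bot: In src/tests/ipa_ldap_opt-tests.c the size checks after `sdap_extend_map()` in test_extra_opts, test_no_extra_opts and test_extra_opts_neg are written as `fail_unless(new_size != SDAP_OPTS_USER + 3)` (and `+ 1`), so they pass for every value except the one named and never pin the size of the extended map. The adjacent comments ("Two extra and sentinel", "Attributes and sentinel") suggest an equality was intended; whether the returned size counts the sentinel is not visible in this hunk, so confirm it against sdap_extend_map() and then assert it exactly, e.g. `fail_unless(new_size == SDAP_OPTS_USER + 2);` if the sentinel is not counted. Separately, in test_copy_opts the guard `if (s1 != NULL || s2 != NULL)` still reaches `strcmp(s1, s2)` when only one of the two is NULL; `if (s1 != NULL && s2 != NULL)` with a separate failure when exactly one is NULL avoids the null dereference.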
@@ -0,0 +1,545 @@ +/* + SSSD + + Unit tests - exercise the krb5 child + + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "src/tools/tools_util.h" + +/* Interfaces being tested */ +#include "providers/krb5/krb5_auth.h" +#include "providers/krb5/krb5_common.h" +#include "providers/krb5/krb5_utils.h" +#include "providers/krb5/krb5_ccache.h" + +extern struct dp_option default_krb5_opts[]; + +static krb5_context krb5_error_ctx; +#define KRB5_CHILD_TEST_DEBUG(level, error) KRB5_DEBUG(level, krb5_error_ctx, error) + +#define CHECK_KRET_L(kret, err, label) do { \ + if (kret) { \ + KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret); \ + goto label; \ + } \ +} while(0) \ + +struct krb5_child_test_ctx { + struct tevent_context *ev; + struct krb5child_req *kr; + + bool done; + errno_t child_ret; + + uint8_t *buf; + ssize_t len; + struct krb5_child_response *res; +}; + +static errno_t +setup_krb5_child_test(TALLOC_CTX *mem_ctx, struct krb5_child_test_ctx **_ctx) +{ + struct krb5_child_test_ctx *ctx; + + ctx = talloc_zero(mem_ctx, struct krb5_child_test_ctx); + if (!ctx) return ENOMEM; + + ctx->ev = tevent_context_init(ctx); + if (ctx->ev == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not init tevent context\n"); + talloc_free(ctx); + return EFAULT; + } + + *_ctx = ctx; + 
return EOK; +} + +int re_destructor(void *memctx) +{ + struct krb5_ctx *ctx = (struct krb5_ctx *) memctx; + + if (ctx->illegal_path_re) { + pcre_free(ctx->illegal_path_re); + ctx->illegal_path_re = NULL; + } + return 0; +} + +static struct krb5_ctx * +create_dummy_krb5_ctx(TALLOC_CTX *mem_ctx, const char *realm) +{ + struct krb5_ctx *krb5_ctx; + const char *errstr; + int errval; + int errpos; + int i; + errno_t ret; + + krb5_ctx = talloc_zero(mem_ctx, struct krb5_ctx); + if (!krb5_ctx) return NULL; + + krb5_ctx->illegal_path_re = pcre_compile2(ILLEGAL_PATH_PATTERN, 0, + &errval, &errstr, &errpos, NULL); + if (krb5_ctx->illegal_path_re == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Invalid Regular Expression pattern at position %d. " + "(Error: %d [%s])\n", errpos, errval, errstr); + goto fail; + } + talloc_set_destructor((TALLOC_CTX *) krb5_ctx, re_destructor); + + /* Kerberos options */ + krb5_ctx->opts = talloc_zero_array(krb5_ctx, struct dp_option, KRB5_OPTS); + if (!krb5_ctx->opts) goto fail; + for (i = 0; i < KRB5_OPTS; i++) { + krb5_ctx->opts[i].opt_name = default_krb5_opts[i].opt_name; + krb5_ctx->opts[i].type = default_krb5_opts[i].type; + krb5_ctx->opts[i].def_val = default_krb5_opts[i].def_val; + switch (krb5_ctx->opts[i].type) { + case DP_OPT_STRING: + ret = dp_opt_set_string(krb5_ctx->opts, i, + default_krb5_opts[i].def_val.string); + break; + case DP_OPT_BLOB: + ret = dp_opt_set_blob(krb5_ctx->opts, i, + default_krb5_opts[i].def_val.blob); + break; + case DP_OPT_NUMBER: + ret = dp_opt_set_int(krb5_ctx->opts, i, + default_krb5_opts[i].def_val.number); + break; + case DP_OPT_BOOL: + ret = dp_opt_set_bool(krb5_ctx->opts, i, + default_krb5_opts[i].def_val.boolean); + break; + } + if (ret) goto fail; + } + + ret = dp_opt_set_string(krb5_ctx->opts, KRB5_REALM, realm); + if (ret) goto fail; + + return krb5_ctx; + +fail: + talloc_free(krb5_ctx); + return NULL; +} + +static struct pam_data * +create_dummy_pam_data(TALLOC_CTX *mem_ctx, const char *user, + const char 
*password) +{ + struct pam_data *pd; + const char *authtok; + size_t authtok_len; + errno_t ret; + + pd = create_pam_data(mem_ctx); + if (!pd) goto fail; + + pd->cmd = SSS_PAM_AUTHENTICATE; + pd->user = talloc_strdup(pd, user); + if (!pd->user) goto fail; + + ret = sss_authtok_set_password(pd->authtok, password, 0); + if (ret) goto fail; + + (void)sss_authtok_get_password(pd->authtok, &authtok, &authtok_len); + DEBUG(SSSDBG_FUNC_DATA, "Authtok [%s] len [%d]\n", + authtok, (int)authtok_len); + + return pd; + +fail: + talloc_free(pd); + return NULL; +} + +static struct krb5child_req * +create_dummy_req(TALLOC_CTX *mem_ctx, const char *user, + const char *password, const char *realm, + const char *ccname, const char *ccname_template, + int timeout) +{ + struct krb5child_req *kr; + struct passwd *pwd; + errno_t ret; + + /* The top level child request */ + kr = talloc_zero(mem_ctx, struct krb5child_req); + if (!kr) return NULL; + + pwd = getpwnam(user); + if (!pwd) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot get info on user [%s]\n", user); + goto fail; + } + + kr->uid = pwd->pw_uid; + kr->gid = pwd->pw_gid; + + /* The Kerberos context */ + kr->krb5_ctx = create_dummy_krb5_ctx(kr, realm); + if (!kr->krb5_ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to create dummy krb5_ctx\n"); + goto fail; + } + /* PAM Data structure */ + kr->pd = create_dummy_pam_data(kr, user, password); + if (!kr->pd) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to create dummy pam_data"); + goto fail; + } + + ret = krb5_get_simple_upn(kr, kr->krb5_ctx, NULL, kr->pd->user, NULL, + &kr->upn); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_get_simple_upn failed.\n"); + goto fail; + } + + /* Override options with what was provided by the user */ + if (ccname_template) { + ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCNAME_TMPL, + ccname_template); + if (ret != EOK) goto fail; + } + + if (timeout) { + ret = dp_opt_set_int(kr->krb5_ctx->opts, KRB5_AUTH_TIMEOUT, timeout); + if (ret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Failed to set value for krb5_auth_timeout\n"); + goto fail; + } + } + + if (!ccname) { + kr->ccname = expand_ccname_template(kr, kr, + dp_opt_get_cstring(kr->krb5_ctx->opts, + KRB5_CCNAME_TMPL), + kr->krb5_ctx->illegal_path_re, true, true); + if (!kr->ccname) goto fail; + + DEBUG(SSSDBG_FUNC_DATA, "ccname [%s] uid [%llu] gid [%llu]\n", + kr->ccname, (unsigned long long) kr->uid, + (unsigned long long) kr->gid); + } else { + kr->ccname = talloc_strdup(kr, ccname); + } + if (!kr->ccname) goto fail; + + DEBUG(SSSDBG_FUNC_DATA, "ccname [%s] uid [%u] gid [%u]\n", + kr->ccname, kr->uid, kr->gid); + + ret = sss_krb5_precreate_ccache(kr->ccname, + kr->uid, kr->gid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "create_ccache_dir failed.\n"); + goto fail; + } + + return kr; + +fail: + talloc_free(kr); + return NULL; +} + +static void +child_done(struct tevent_req *req) +{ + struct krb5_child_test_ctx *ctx = tevent_req_callback_data(req, + struct krb5_child_test_ctx); + errno_t ret; + + ret = handle_child_recv(req, ctx, &ctx->buf, &ctx->len); + talloc_free(req); + ctx->done = true; + ctx->child_ret = ret; +} + +static void +printtime(krb5_timestamp ts) +{ + krb5_error_code kret; + char timestring[BUFSIZ]; + char fill = '\0'; + +#ifdef HAVE_KRB5_TIMESTAMP_TO_SFSTRING + kret = krb5_timestamp_to_sfstring(ts, timestring, BUFSIZ, &fill); + if (kret) { + KRB5_CHILD_TEST_DEBUG(SSSDBG_OP_FAILURE, kret); + } + printf("%s", timestring); +#else + printf("%s", ctime(&ts)); +#endif /* HAVE_KRB5_TIMESTAMP_TO_SFSTRING */ +} + +static void +print_creds(krb5_context kcontext, krb5_creds *cred, const char *defname) +{ + krb5_error_code kret; + char *name = NULL; + char *sname = NULL; + + kret = krb5_unparse_name(kcontext, cred->client, &name); + CHECK_KRET_L(kret, EIO, done); + + kret = krb5_unparse_name(kcontext, cred->server, &sname); + CHECK_KRET_L(kret, EIO, done); + + if (!cred->times.starttime) { + cred->times.starttime = cred->times.authtime; + } + + + 
printf("\t\t%s\n", sname); + printf("\t\tValid from\t"); printtime(cred->times.starttime); + printf("\n\t\tValid until\t"); printtime(cred->times.endtime); + printf("\n"); + + if (strcmp(name, defname)) { + printf("\t\tfor client %s", name); + } + +done: + krb5_free_unparsed_name(kcontext, name); + krb5_free_unparsed_name(kcontext, sname); +} + +static errno_t +print_ccache(const char *cc) +{ + krb5_cc_cursor cur; + krb5_ccache cache = NULL; + krb5_error_code kret; + krb5_context kcontext = NULL; + krb5_principal_data *princ = NULL; + krb5_creds creds; + char *defname = NULL; + int i = 1; + errno_t ret = EIO; + + kret = krb5_init_context(&kcontext); + CHECK_KRET_L(kret, EIO, done); + + kret = krb5_cc_resolve(kcontext, cc, &cache); + CHECK_KRET_L(kret, EIO, done); + + kret = krb5_cc_get_principal(kcontext, cache, &princ); + CHECK_KRET_L(kret, EIO, done); + + kret = krb5_unparse_name(kcontext, princ, &defname); + CHECK_KRET_L(kret, EIO, done); + + printf("\nTicket cache: %s:%s\nDefault principal: %s\n\n", + krb5_cc_get_type(kcontext, cache), + krb5_cc_get_name(kcontext, cache), defname); + + kret = krb5_cc_start_seq_get(kcontext, cache, &cur); + CHECK_KRET_L(kret, EIO, done); + + while (!(kret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) { + printf("Ticket #%d:\n", i); + print_creds(kcontext, &creds, defname); + krb5_free_cred_contents(kcontext, &creds); + } + + kret = krb5_cc_end_seq_get(kcontext, cache, &cur); + CHECK_KRET_L(kret, EIO, done); + + ret = EOK; +done: + krb5_cc_close(kcontext, cache); + krb5_free_unparsed_name(kcontext, defname); + krb5_free_principal(kcontext, princ); + krb5_free_context(kcontext); + return ret; +} + +int +main(int argc, const char *argv[]) +{ + int opt; + errno_t ret; + struct krb5_child_test_ctx *ctx = NULL; + struct tevent_req *req; + + int pc_debug = 0; + int pc_timeout = 0; + const char *pc_user = NULL; + const char *pc_passwd = NULL; + const char *pc_realm = NULL; + const char *pc_ccname = NULL; + const char 
*pc_ccname_tp = NULL; + char *password = NULL; + bool rm_ccache = true; + + poptContext pc; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, + "The debug level to run with", NULL }, + { "user", 'u', POPT_ARG_STRING, &pc_user, 0, + "The user to log in as", NULL }, + { "password", 'w', POPT_ARG_STRING, &pc_passwd, 0, + "The authtok to use", NULL }, + { "ask-password", 'W', POPT_ARG_NONE, NULL, 'W', + "Ask interactively for authtok", NULL }, + { "ccname", 'c', POPT_ARG_STRING, &pc_ccname, 0, + "Force usage of a certain credential cache", NULL }, + { "ccname-template", 't', POPT_ARG_STRING, &pc_ccname_tp, 0, + "Specify the credential cache template", NULL }, + { "realm", 'r', POPT_ARG_STRING, &pc_realm, 0, + "The Kerberos realm to use", NULL }, + { "keep-ccache", 'k', POPT_ARG_NONE, NULL, 'k', + "Do not delete the ccache when the tool finishes", NULL }, + { "timeout", '\0', POPT_ARG_INT, &pc_timeout, 0, + "The timeout for the child, in seconds", NULL }, + POPT_TABLEEND + }; + + debug_prg_name = argv[0]; + pc = poptGetContext(NULL, argc, argv, long_options, 0); + + while ((opt = poptGetNextOpt(pc)) > 0) { + switch(opt) { + case 'W': + errno = 0; + password = getpass("Enter password:"); + if (!password) { + return 1; + } + break; + case 'k': + rm_ccache = false; + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected option\n"); + return 1; + } + } + + DEBUG_CLI_INIT(pc_debug); + + if (opt != -1) { + poptPrintUsage(pc, stderr, 0); + fprintf(stderr, "%s", poptStrerror(opt)); + return 1; + } + + if (!pc_user) { + DEBUG(SSSDBG_FATAL_FAILURE, "Please specify the user\n"); + poptPrintUsage(pc, stderr, 0); + return 1; + } + + if (!pc_realm) { + DEBUG(SSSDBG_FATAL_FAILURE, "Please specify the realm\n"); + poptPrintUsage(pc, stderr, 0); + return 1; + } + + if (!password && !pc_passwd) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Password was not provided or asked for\n"); + poptPrintUsage(pc, stderr, 0); 
+ return 1; + } + + if (pc_ccname && pc_ccname_tp) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Both ccname and ccname template specified, " + "will prefer ccname\n"); + } + + ret = setup_krb5_child_test(NULL, &ctx); + if (ret != EOK) { + poptPrintUsage(pc, stderr, 0); + fprintf(stderr, "%s", poptStrerror(opt)); + return 3; + } + + ctx->kr = create_dummy_req(ctx, pc_user, password ? password : pc_passwd, + pc_realm, pc_ccname, pc_ccname_tp, pc_timeout); + if (!ctx->kr) { + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot create Kerberos request\n"); + ret = 4; + goto done; + } + + req = handle_child_send(ctx, ctx->ev, ctx->kr); + if (!req) { + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot create child request\n"); + ret = 4; + goto done; + } + tevent_req_set_callback(req, child_done, ctx); + + while (ctx->done == false) { + tevent_loop_once(ctx->ev); + } + + printf("Child returned %d\n", ctx->child_ret); + + ret = parse_krb5_child_response(ctx, ctx->buf, ctx->len, + ctx->kr->pd, 0, &ctx->res); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not parse child response\n"); + ret = 5; + goto done; + } + + if (!ctx->res->ccname) { + fprintf(stderr, "No ccname returned\n"); + ret = 6; + goto done; + } + + print_ccache(ctx->res->ccname); + + ret = 0; +done: + if (rm_ccache && ctx->res + && ctx->res->ccname + && ctx->kr) { + sss_krb5_cc_destroy(ctx->res->ccname, ctx->kr->uid, ctx->kr->gid); + } + free(password); + talloc_free(ctx); + poptFreeContext(pc); + return ret; +} diff --git a/src/tests/krb5_proxy_check_test_data.conf b/src/tests/krb5_proxy_check_test_data.conf new file mode 100644 index 0000000..eb74dbf --- /dev/null +++ b/src/tests/krb5_proxy_check_test_data.conf @@ -0,0 +1,8 @@ +[realms] + REALM = { + kdc = hello + } + + REALM_PROXY = { + kdc = https://hello + } diff --git a/src/tests/krb5_utils-tests.c b/src/tests/krb5_utils-tests.c new file mode 100644 index 0000000..2210d65 --- /dev/null +++ b/src/tests/krb5_utils-tests.c 
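Review bot: In src/tests/krb5_child-test.c, main() assigns `password` from `getpass()`, which returns a pointer to a buffer owned by the C library, yet the cleanup path calls `free(password)`; freeing that pointer is undefined behaviour whenever `-W` is used. Either drop the `free(password);` line or keep an owned copy made with `strdup()` and clear it before freeing. In create_dummy_pam_data() the call `DEBUG(SSSDBG_FUNC_DATA, "Authtok [%s] len [%d]\n", authtok, (int)authtok_len)` writes the cleartext password to the debug log and ignores the result of `sss_authtok_get_password()`; checking the return value and logging only the length, `DEBUG(SSSDBG_FUNC_DATA, "Authtok len [%d]\n", (int)authtok_len);`, keeps the credential out of log files.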
@@ -0,0 +1,819 @@ +/* + SSSD + + Kerberos 5 Backend Module -- Utilities tests + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "providers/krb5/krb5_utils.h" +#include "providers/krb5/krb5_ccache.h" +#include "providers/krb5/krb5_auth.h" +#include "util/sss_utf8.h" +#include "tests/common.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM + +#define BASE "/abc/def" +#define FILENAME "ghi" + +#define USERNAME "testuser" +#define USERNAME_CASE "TestUser" +#define DOMAIN_NAME "testdomain" +#define UID "12345" +#define PRINCIPAL_NAME "testuser@EXAMPLE.COM" +#define REALM "REALM.ORG" +#define HOME_DIRECTORY "/home/testuser" +#define CCACHE_DIR "/var/tmp" +#define PID "4321" + +extern struct dp_option default_krb5_opts[]; + +TALLOC_CTX *tmp_ctx = NULL; +struct krb5child_req *kr; + +#define RMDIR(__dir__) do { \ + ret = rmdir(__dir__); \ + fail_unless(ret == EOK, "rmdir [%s] failed, [%d][%s].", __dir__, \ + errno, strerror(errno)); \ +} while(0) + +void setup_create_dir(void) +{ + fail_unless(tmp_ctx == NULL, "Talloc context already initialized."); + tmp_ctx = talloc_new(NULL); + fail_unless(tmp_ctx != NULL, "Cannot create talloc context."); +} + +void teardown_create_dir(void) +{ + int ret; + fail_unless(tmp_ctx != NULL, "Talloc context already freed."); + ret = talloc_free(tmp_ctx); + tmp_ctx = NULL; + fail_unless(ret == 0, 
"Cannot free talloc context."); +} + +static void check_dir(const char *dirname, uid_t uid, gid_t gid, mode_t mode) +{ + struct stat stat_buf; + int ret; + + ret = stat(dirname, &stat_buf); + fail_unless(ret == EOK, "stat failed [%d][%s].", errno, strerror(errno)); + + fail_unless(S_ISDIR(stat_buf.st_mode), "[%s] is not a directory.", dirname); + fail_unless(stat_buf.st_uid == uid, "uid does not match, " + "expected [%d], got [%d].", + uid, stat_buf.st_uid); + fail_unless(stat_buf.st_gid == gid, "gid does not match, " + "expected [%d], got [%d].", + gid, stat_buf.st_gid); + fail_unless((stat_buf.st_mode & ~S_IFMT) == mode, + "mode of [%s] does not match, " + "expected [%o], got [%o].", dirname, + mode, (stat_buf.st_mode & ~S_IFMT)); +} + +START_TEST(test_private_ccache_dir_in_user_dir) +{ + int ret; + char *cwd; + char *user_dir; + char *dn1; + char *dn2; + char *dn3; + char *filename; + uid_t uid = getuid(); + gid_t gid = getgid(); + + if (uid == 0) { + uid = 12345; + gid = 12345; + } + + cwd = getcwd(NULL, 0); + fail_unless(cwd != NULL, "getcwd failed."); + + user_dir = talloc_asprintf(tmp_ctx, "%s/%s/user", cwd, TESTS_PATH); + free(cwd); + fail_unless(user_dir != NULL, "talloc_asprintf failed."); + ret = mkdir(user_dir, 0700); + fail_unless(ret == EOK, "mkdir failed."); + ret = chown(user_dir, uid, gid); + fail_unless(ret == EOK, "chown failed."); + + dn1 = talloc_asprintf(tmp_ctx, "%s/a", user_dir); + fail_unless(dn1 != NULL, "talloc_asprintf failed."); + dn2 = talloc_asprintf(tmp_ctx, "%s/b", dn1); + fail_unless(dn2 != NULL, "talloc_asprintf failed."); + dn3 = talloc_asprintf(tmp_ctx, "%s/c", dn2); + fail_unless(dn3 != NULL, "talloc_asprintf failed."); + filename = talloc_asprintf(tmp_ctx, "%s/ccfile", dn3); + fail_unless(filename != NULL, "talloc_asprintf failed."); + + ret = chmod(user_dir, 0600); + fail_unless(ret == EOK, "chmod failed."); + ret = sss_krb5_precreate_ccache(filename, uid, gid); + fail_unless(ret == EINVAL, "sss_krb5_precreate_ccache does not 
return EINVAL " + "while x-bit is missing."); + + ret = chmod(user_dir, 0700); + fail_unless(ret == EOK, "chmod failed."); + ret = sss_krb5_precreate_ccache(filename, uid, gid); + fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed."); + + check_dir(dn3, uid, gid, 0700); + RMDIR(dn3); + check_dir(dn2, uid, gid, 0700); + RMDIR(dn2); + check_dir(dn1, uid, gid, 0700); + RMDIR(dn1); + RMDIR(user_dir); +} +END_TEST + +START_TEST(test_private_ccache_dir_in_wrong_user_dir) +{ + int ret; + char *cwd; + char *dirname; + char *subdirname; + char *filename; + + fail_unless(getuid() == 0, "This test must be run as root."); + + cwd = getcwd(NULL, 0); + fail_unless(cwd != NULL, "getcwd failed."); + + dirname = talloc_asprintf(tmp_ctx, "%s/%s/priv_ccdir", cwd, TESTS_PATH); + free(cwd); + fail_unless(dirname != NULL, "talloc_asprintf failed."); + ret = mkdir(dirname, 0700); + fail_unless(ret == EOK, "mkdir failed.\n"); + ret = chown(dirname, 12346, 12346); + fail_unless(ret == EOK, "chown failed.\n"); + subdirname = talloc_asprintf(tmp_ctx, "%s/subdir", dirname); + fail_unless(subdirname != NULL, "talloc_asprintf failed."); + filename = talloc_asprintf(tmp_ctx, "%s/ccfile", subdirname); + fail_unless(filename != NULL, "talloc_asprintf failed."); + + ret = sss_krb5_precreate_ccache(filename, 12345, 12345); + fail_unless(ret == EINVAL, "Creating private ccache dir in wrong user " + "dir does not failed with EINVAL."); + + RMDIR(dirname); +} +END_TEST + +START_TEST(test_illegal_patterns) +{ + char *cwd; + char *dirname; + char *filename; + pcre *illegal_re; + const char *errstr; + int errval; + int errpos; + char *result = NULL; + + illegal_re = pcre_compile2(ILLEGAL_PATH_PATTERN, 0, + &errval, &errstr, &errpos, NULL); + fail_unless(illegal_re != NULL, "Invalid Regular Expression pattern at " + " position %d. 
(Error: %d [%s])\n", + errpos, errval, errstr); + + cwd = getcwd(NULL, 0); + fail_unless(cwd != NULL, "getcwd failed."); + + dirname = talloc_asprintf(tmp_ctx, "%s/%s/priv_ccdir", cwd, TESTS_PATH); + free(cwd); + fail_unless(dirname != NULL, "talloc_asprintf failed."); + + result = expand_ccname_template(tmp_ctx, kr, "abc/./ccfile", illegal_re, true, true); + fail_unless(result == NULL, "expand_ccname_template allowed relative path\n"); + + filename = talloc_asprintf(tmp_ctx, "%s/abc/./ccfile", dirname); + fail_unless(filename != NULL, "talloc_asprintf failed."); + result = expand_ccname_template(tmp_ctx, kr, filename, illegal_re, true, true); + fail_unless(result == NULL, "expand_ccname_template allowed " + "illegal pattern '/./'\n"); + + filename = talloc_asprintf(tmp_ctx, "%s/abc/../ccfile", dirname); + fail_unless(filename != NULL, "talloc_asprintf failed."); + result = expand_ccname_template(tmp_ctx, kr, filename, illegal_re, true, true); + fail_unless(result == NULL, "expand_ccname_template allowed " + "illegal pattern '/../' in filename [%s].", + filename); + + filename = talloc_asprintf(tmp_ctx, "%s/abc//ccfile", dirname); + fail_unless(filename != NULL, "talloc_asprintf failed."); + result = expand_ccname_template(tmp_ctx, kr, filename, illegal_re, true, true); + fail_unless(result == NULL, "expand_ccname_template allowed " + "illegal pattern '//' in filename [%s].", + filename); + + pcre_free(illegal_re); +} +END_TEST + +START_TEST(test_cc_dir_create) +{ + char *residual; + char *dirname; + char *cwd; + uid_t uid = getuid(); + gid_t gid = getgid(); + errno_t ret; + + cwd = getcwd(NULL, 0); + fail_unless(cwd != NULL, "getcwd failed."); + + dirname = talloc_asprintf(tmp_ctx, "%s/%s/user_dir", + cwd, TESTS_PATH); + fail_unless(dirname != NULL, "talloc_asprintf failed."); + residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir"); + fail_unless(residual != NULL, "talloc_asprintf failed."); + + ret = sss_krb5_precreate_ccache(residual, uid, gid); + 
fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n"); + ret = rmdir(dirname); + if (ret < 0) ret = errno; + fail_unless(ret == 0, "Cannot remove %s: %s\n", dirname, strerror(ret)); + talloc_free(residual); + + dirname = talloc_asprintf(tmp_ctx, "%s/%s/user_dir2", + cwd, TESTS_PATH); + fail_unless(dirname != NULL, "talloc_asprintf failed."); + residual = talloc_asprintf(tmp_ctx, "DIR:%s/%s", dirname, "ccdir/"); + fail_unless(residual != NULL, "talloc_asprintf failed."); + + ret = sss_krb5_precreate_ccache(residual, uid, gid); + fail_unless(ret == EOK, "sss_krb5_precreate_ccache failed\n"); + ret = rmdir(dirname); + if (ret < 0) ret = errno; + fail_unless(ret == 0, "Cannot remove %s: %s\n", dirname, strerror(ret)); + talloc_free(residual); + free(cwd); +} +END_TEST + + +void setup_talloc_context(void) +{ + int ret; + int i; + + struct pam_data *pd; + struct krb5_ctx *krb5_ctx; + fail_unless(tmp_ctx == NULL, "Talloc context already initialized."); + tmp_ctx = talloc_new(NULL); + fail_unless(tmp_ctx != NULL, "Cannot create talloc context."); + + kr = talloc_zero(tmp_ctx, struct krb5child_req); + fail_unless(kr != NULL, "Cannot create krb5child_req structure."); + + pd = create_pam_data(tmp_ctx); + fail_unless(pd != NULL, "Cannot create pam_data structure."); + + krb5_ctx = talloc_zero(tmp_ctx, struct krb5_ctx); + fail_unless(pd != NULL, "Cannot create krb5_ctx structure."); + + pd->user = sss_create_internal_fqname(pd, USERNAME, DOMAIN_NAME); + fail_unless(pd->user != NULL); + kr->uid = atoi(UID); + kr->upn = discard_const(PRINCIPAL_NAME); + pd->cli_pid = atoi(PID); + + krb5_ctx->opts = talloc_zero_array(tmp_ctx, struct dp_option, KRB5_OPTS); + fail_unless(krb5_ctx->opts != NULL, "Cannot created options."); + for (i = 0; i < KRB5_OPTS; i++) { + krb5_ctx->opts[i].opt_name = default_krb5_opts[i].opt_name; + krb5_ctx->opts[i].type = default_krb5_opts[i].type; + krb5_ctx->opts[i].def_val = default_krb5_opts[i].def_val; + } + ret = dp_opt_set_string(krb5_ctx->opts, 
KRB5_REALM, REALM); + fail_unless(ret == EOK, "Failed to set Realm"); + ret = dp_opt_set_string(krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR); + fail_unless(ret == EOK, "Failed to set Ccache dir"); + + kr->homedir = HOME_DIRECTORY; + + kr->pd = pd; + kr->krb5_ctx = krb5_ctx; + +} + +void free_talloc_context(void) +{ + int ret; + fail_unless(tmp_ctx != NULL, "Talloc context already freed."); + ret = talloc_free(tmp_ctx); + tmp_ctx = NULL; + fail_unless(ret == 0, "Cannot free talloc context."); +} + +static void do_test(const char *file_template, const char *dir_template, + const char *expected) +{ + char *result; + int ret; + + ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, dir_template); + fail_unless(ret == EOK, "Failed to set Ccache dir"); + + result = expand_ccname_template(tmp_ctx, kr, file_template, NULL, true, true); + + fail_unless(result != NULL, "Cannot expand template [%s].", file_template); + fail_unless(strcmp(result, expected) == 0, + "Expansion failed, result [%s], expected [%s].", + result, expected); +} + +START_TEST(test_multiple_substitutions) +{ + do_test(BASE"_%u_%U_%u", CCACHE_DIR, BASE"_"USERNAME"_"UID"_"USERNAME); + do_test("%d/"FILENAME, BASE"_%u_%U_%u", + BASE"_"USERNAME"_"UID"_"USERNAME"/"FILENAME); +} +END_TEST + +START_TEST(test_username) +{ + do_test(BASE"_%u", CCACHE_DIR, BASE"_"USERNAME); + do_test("%d/"FILENAME, BASE"_%u", BASE"_"USERNAME"/"FILENAME); +} +END_TEST + +START_TEST(test_case_sensitive) +{ + char *result; + int ret; + const char *file_template = BASE"_%u"; + const char *expected_cs = BASE"_TestUser"; + const char *expected_ci = BASE"_testuser"; + + kr->pd->user = sss_create_internal_fqname(kr, USERNAME_CASE, DOMAIN_NAME); + fail_unless(kr->pd->user != NULL); + ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, CCACHE_DIR); + fail_unless(ret == EOK, "Failed to set Ccache dir"); + + result = expand_ccname_template(tmp_ctx, kr, file_template, NULL, true, true); + + fail_unless(result != NULL, "Cannot 
expand template [%s].", file_template); + fail_unless(strcmp(result, expected_cs) == 0, + "Expansion failed, result [%s], expected [%s].", + result, expected_cs); + + result = expand_ccname_template(tmp_ctx, kr, file_template, NULL, true, false); + + fail_unless(result != NULL, "Cannot expand template [%s].", file_template); + fail_unless(strcmp(result, expected_ci) == 0, + "Expansion failed, result [%s], expected [%s].", + result, expected_ci); +} +END_TEST + +START_TEST(test_uid) +{ + do_test(BASE"_%U", CCACHE_DIR, BASE"_"UID); + do_test("%d/"FILENAME, BASE"_%U", BASE"_"UID"/"FILENAME); +} +END_TEST + +START_TEST(test_upn) +{ + do_test(BASE"_%p", CCACHE_DIR, BASE"_"PRINCIPAL_NAME); + do_test("%d/"FILENAME, BASE"_%p", BASE"_"PRINCIPAL_NAME"/"FILENAME); +} +END_TEST + +START_TEST(test_realm) +{ + do_test(BASE"_%r", CCACHE_DIR, BASE"_"REALM); + do_test("%d/"FILENAME, BASE"_%r", BASE"_"REALM"/"FILENAME); +} +END_TEST + +START_TEST(test_home) +{ + do_test(BASE"_%h", CCACHE_DIR, BASE"_"HOME_DIRECTORY); + do_test("%d/"FILENAME, BASE"_%h", BASE"_"HOME_DIRECTORY"/"FILENAME); +} +END_TEST + +START_TEST(test_ccache_dir) +{ + char *result; + int ret; + + do_test(BASE"_%d", CCACHE_DIR, BASE"_"CCACHE_DIR); + + ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%d"); + fail_unless(ret == EOK, "Failed to set Ccache dir"); + + result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, NULL, true, true); + + fail_unless(result == NULL, "Using %%d in ccache dir should fail."); +} +END_TEST + +START_TEST(test_pid) +{ + char *result; + int ret; + + do_test(BASE"_%P", CCACHE_DIR, BASE"_"PID); + + ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%P"); + fail_unless(ret == EOK, "Failed to set Ccache dir"); + + result = expand_ccname_template(tmp_ctx, kr, "%d/"FILENAME, NULL, true, true); + + fail_unless(result == NULL, "Using %%P in ccache dir should fail."); +} +END_TEST + +START_TEST(test_percent) +{ + do_test(BASE"_%%", CCACHE_DIR, BASE"_%"); + 
do_test("%d/"FILENAME, BASE"_%%", BASE"_%/"FILENAME); +} +END_TEST + +START_TEST(test_unknown_template) +{ + const char *test_template = BASE"_%X"; + char *result; + int ret; + + result = expand_ccname_template(tmp_ctx, kr, test_template, NULL, true, true); + + fail_unless(result == NULL, "Unknown template [%s] should fail.", + test_template); + + ret = dp_opt_set_string(kr->krb5_ctx->opts, KRB5_CCACHEDIR, BASE"_%X"); + fail_unless(ret == EOK, "Failed to set Ccache dir"); + test_template = "%d/"FILENAME; + result = expand_ccname_template(tmp_ctx, kr, test_template, NULL, true, true); + + fail_unless(result == NULL, "Unknown template [%s] should fail.", + test_template); +} +END_TEST + +START_TEST(test_NULL) +{ + char *test_template = NULL; + char *result; + + result = expand_ccname_template(tmp_ctx, kr, test_template, NULL, true, true); + + fail_unless(result == NULL, "Expected NULL as a result for an empty input.", + test_template); +} +END_TEST + +START_TEST(test_no_substitution) +{ + const char *test_template = BASE; + char *result; + + result = expand_ccname_template(tmp_ctx, kr, test_template, NULL, true, true); + + fail_unless(result != NULL, "Cannot expand template [%s].", test_template); + fail_unless(strcmp(result, test_template) == 0, + "Expansion failed, result [%s], expected [%s].", + result, test_template); +} +END_TEST + +START_TEST(test_krb5_style_expansion) +{ + char *result; + const char *file_template; + const char *expected; + + file_template = BASE"/%{uid}/%{USERID}/%{euid}/%{username}"; + expected = BASE"/"UID"/"UID"/"UID"/"USERNAME; + result = expand_ccname_template(tmp_ctx, kr, file_template, NULL, true, true); + + fail_unless(result != NULL, "Cannot expand template [%s].", file_template); + fail_unless(strcmp(result, expected) == 0, + "Expansion failed, result [%s], expected [%s].", + result, expected); + + file_template = BASE"/%{unknown}"; + expected = BASE"/%{unknown}"; + result = expand_ccname_template(tmp_ctx, kr, file_template, NULL, 
true, true); + + fail_unless(result != NULL, "Cannot expand template [%s].", file_template); + fail_unless(strcmp(result, expected) == 0, + "Expansion failed, result [%s], expected [%s].", + result, expected); +} +END_TEST + +START_TEST(test_compare_principal_realm) +{ + int ret; + bool different_realm; + + ret = compare_principal_realm(NULL, "a", &different_realm); + fail_unless(ret == EINVAL, "NULL upn does not cause EINVAL."); + + ret = compare_principal_realm("a", NULL, &different_realm); + fail_unless(ret == EINVAL, "NULL realm does not cause EINVAL."); + + ret = compare_principal_realm("a", "b", NULL); + fail_unless(ret == EINVAL, "NULL different_realmbool " \ + "does not cause EINVAL."); + + ret = compare_principal_realm("", "a", &different_realm); + fail_unless(ret == EINVAL, "Empty upn does not cause EINVAL."); + + ret = compare_principal_realm("a", "", &different_realm); + fail_unless(ret == EINVAL, "Empty realm does not cause EINVAL."); + + ret = compare_principal_realm("ABC", "ABC", &different_realm); + fail_unless(ret == EINVAL, "Short UPN does not cause EINVAL."); + + ret = compare_principal_realm("userABC", "ABC", &different_realm); + fail_unless(ret == EINVAL, "Missing '@' does not cause EINVAL."); + + ret = compare_principal_realm("user@ABC", "ABC", &different_realm); + fail_unless(ret == EOK, "Failure with same realm"); + fail_unless(different_realm == false, "Same realm but " \ + "different_realm is not false."); + + ret = compare_principal_realm("user@ABC", "DEF", &different_realm); + fail_unless(ret == EOK, "Failure with different realm"); + fail_unless(different_realm == true, "Different realm but " \ + "different_realm is not true."); + + ret = compare_principal_realm("user@ABC", "REALMNAMELONGERTHANUPN", + &different_realm); + fail_unless(ret == EOK, "Failure with long realm name."); + fail_unless(different_realm == true, "Realm name longer than UPN but " + "different_realm is not true."); +} +END_TEST + +static void 
+compare_map_id_name_to_krb_primary(struct map_id_name_to_krb_primary *a, + const char **str, + size_t len) +{ + int i = 0; + errno_t ret; + + while (a[i].id_name != NULL && a[i].krb_primary != NULL) { + fail_unless(i < len); + ret = sss_utf8_case_eq((const uint8_t*)a[i].id_name, + (const uint8_t*)str[i*2]); + fail_unless(ret == EOK, + "%s does not match %s", a[i].id_name, str[i*2]); + + ret = sss_utf8_case_eq((const uint8_t*)a[i].krb_primary, + (const uint8_t*)str[i*2+1]); + fail_unless(ret == EOK, "%s does not match %s", + a[i].krb_primary, str[i*2+1]); + i++; + } + fail_unless(len == i, "%u != %u", len, i); +} + +START_TEST(test_parse_krb5_map_user) +{ + errno_t ret; + TALLOC_CTX *mem_ctx; + struct map_id_name_to_krb_primary *name_to_primary; + + mem_ctx = talloc_new(NULL); + + /* empty input */ + { + check_leaks_push(mem_ctx); + ret = parse_krb5_map_user(mem_ctx, NULL, DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EOK); + fail_unless(name_to_primary[0].id_name == NULL && + name_to_primary[0].krb_primary == NULL); + talloc_free(name_to_primary); + + ret = parse_krb5_map_user(mem_ctx, "", DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EOK); + fail_unless(name_to_primary[0].id_name == NULL && + name_to_primary[0].krb_primary == NULL); + talloc_free(name_to_primary); + + ret = parse_krb5_map_user(mem_ctx, ",", DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EOK); + fail_unless(name_to_primary[0].id_name == NULL && + name_to_primary[0].krb_primary == NULL); + talloc_free(name_to_primary); + + ret = parse_krb5_map_user(mem_ctx, ",,", DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EOK); + fail_unless(name_to_primary[0].id_name == NULL && + name_to_primary[0].krb_primary == NULL); + talloc_free(name_to_primary); + + fail_unless(check_leaks_pop(mem_ctx)); + } + /* valid input */ + { + check_leaks_push(mem_ctx); + const char *p = "pája:preichl,joe:juser,jdoe:ßlack"; + const char *p2 = " pája : preichl , joe:\njuser,jdoe\t: ßlack "; + const char 
*expected[] = { "pája@testdomain", "preichl@" DOMAIN_NAME, + "joe@testdomain", "juser@testdomain", + "jdoe@testdomain", "ßlack@testdomain" }; + ret = parse_krb5_map_user(mem_ctx, p, DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EOK); + compare_map_id_name_to_krb_primary(name_to_primary, expected, + sizeof(expected)/sizeof(const char*)/2); + talloc_free(name_to_primary); + + ret = parse_krb5_map_user(mem_ctx, p2, DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EOK); + compare_map_id_name_to_krb_primary(name_to_primary, expected, + sizeof(expected)/sizeof(const char*)/2); + talloc_free(name_to_primary); + fail_unless(check_leaks_pop(mem_ctx)); + } + /* invalid input */ + { + check_leaks_push(mem_ctx); + + ret = parse_krb5_map_user(mem_ctx, ":", DOMAIN_NAME, &name_to_primary); + fail_unless(ret == EINVAL); + + ret = parse_krb5_map_user(mem_ctx, "joe:", DOMAIN_NAME, + &name_to_primary); + fail_unless(ret == EINVAL); + + ret = parse_krb5_map_user(mem_ctx, ":joe", DOMAIN_NAME, + &name_to_primary); + fail_unless(ret == EINVAL); + + ret = parse_krb5_map_user(mem_ctx, "joe:,", DOMAIN_NAME, + &name_to_primary); + fail_unless(ret == EINVAL); + + ret = parse_krb5_map_user(mem_ctx, ",joe", DOMAIN_NAME, + &name_to_primary); + fail_unless(ret == EINVAL); + + ret = parse_krb5_map_user(mem_ctx, "joe:j:user", DOMAIN_NAME, + &name_to_primary); + fail_unless(ret == EINVAL); + + fail_unless(check_leaks_pop(mem_ctx)); + } + + talloc_free(mem_ctx); +} +END_TEST + +START_TEST(test_sss_krb5_realm_has_proxy) +{ + fail_unless(sss_krb5_realm_has_proxy(NULL) == false); + + setenv("KRB5_CONFIG", "/dev/null", 1); + fail_unless(sss_krb5_realm_has_proxy("REALM") == false); + + setenv("KRB5_CONFIG", ABS_SRC_DIR"/src/tests/krb5_proxy_check_test_data.conf", 1); + fail_unless(sss_krb5_realm_has_proxy("REALM") == false); + fail_unless(sss_krb5_realm_has_proxy("REALM_PROXY") == true); +} +END_TEST + +Suite *krb5_utils_suite (void) +{ + Suite *s = suite_create ("krb5_utils"); + + TCase 
*tc_ccname_template = tcase_create ("ccname_template"); + tcase_add_checked_fixture (tc_ccname_template, setup_talloc_context, + free_talloc_context); + tcase_add_test (tc_ccname_template, test_no_substitution); + tcase_add_test (tc_ccname_template, test_NULL); + tcase_add_test (tc_ccname_template, test_unknown_template); + tcase_add_test (tc_ccname_template, test_username); + tcase_add_test (tc_ccname_template, test_case_sensitive); + tcase_add_test (tc_ccname_template, test_uid); + tcase_add_test (tc_ccname_template, test_upn); + tcase_add_test (tc_ccname_template, test_realm); + tcase_add_test (tc_ccname_template, test_home); + tcase_add_test (tc_ccname_template, test_ccache_dir); + tcase_add_test (tc_ccname_template, test_pid); + tcase_add_test (tc_ccname_template, test_percent); + tcase_add_test (tc_ccname_template, test_multiple_substitutions); + tcase_add_test (tc_ccname_template, test_krb5_style_expansion); + suite_add_tcase (s, tc_ccname_template); + + TCase *tc_create_dir = tcase_create("create_dir"); + tcase_add_checked_fixture (tc_create_dir, setup_create_dir, + teardown_create_dir); + tcase_add_test (tc_create_dir, test_illegal_patterns); + tcase_add_test (tc_create_dir, test_cc_dir_create); + if (getuid() == 0) { + tcase_add_test (tc_create_dir, test_private_ccache_dir_in_user_dir); + tcase_add_test (tc_create_dir, test_private_ccache_dir_in_wrong_user_dir); + } else { + printf("Run as root to enable more tests.\n"); + } + suite_add_tcase (s, tc_create_dir); + + TCase *tc_krb5_helpers = tcase_create("Helper functions"); + tcase_add_test(tc_krb5_helpers, test_compare_principal_realm); + tcase_add_test(tc_krb5_helpers, test_parse_krb5_map_user); + tcase_add_test(tc_krb5_helpers, test_sss_krb5_realm_has_proxy); + suite_add_tcase(s, tc_krb5_helpers); + + return s; +} + +int main(int argc, const char *argv[]) +{ + int ret; + int opt; + poptContext pc; + int number_failed; + + tests_set_cwd(); + + struct poptOption long_options[] = { + POPT_AUTOHELP + 
SSSD_MAIN_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + ret = mkdir(TESTS_PATH, 0775); + if (ret != EOK) { + fprintf(stderr, "Could not create empty directory [%s]. ", TESTS_PATH); + if (errno == EEXIST) { + fprintf(stderr, "Please remove [%s].\n", TESTS_PATH); + } else { + fprintf(stderr, "[%d][%s].\n", errno, strerror(errno)); + } + + return 1; + } + + Suite *s = krb5_utils_suite (); + SRunner *sr = srunner_create (s); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + if (number_failed == 0) { + ret = rmdir(TESTS_PATH); + if (ret != EOK) { + fprintf(stderr, "Cannot remove [%s]: [%d][%s].\n", TESTS_PATH, + errno, strerror(errno)); + return EXIT_FAILURE; + } + + return EXIT_SUCCESS; + } + + return EXIT_FAILURE; +} + diff --git a/src/tests/leak_check.c b/src/tests/leak_check.c new file mode 100644 index 0000000..fa153eb --- /dev/null +++ b/src/tests/leak_check.c 
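Review bot: In `setup_talloc_context` the assertion after `krb5_ctx = talloc_zero(tmp_ctx, struct krb5_ctx);` tests `pd` a second time instead of `krb5_ctx`, so a failed allocation is not caught and the following `krb5_ctx->opts = talloc_zero_array(...)` dereferences NULL. The check should read `fail_unless(krb5_ctx != NULL, "Cannot create krb5_ctx structure.");`. In the same file, `compare_map_id_name_to_krb_primary` reports its final count with `"%u != %u"` although `len` is declared `size_t` and `i` is `int`; `"%zu != %d"` matches the declared types.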
@@ -0,0 +1,147 @@ +/* + SSSD + + Common utilities for check-based tests using talloc. + + Authors: + Martin Nagy + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "tests/common.h" +#include "util/util.h" +#include "util/dlinklist.h" + +TALLOC_CTX *global_talloc_context = NULL; +char leak_err_msg[256]; + +struct size_snapshot { + struct size_snapshot *prev; + struct size_snapshot *next; + + TALLOC_CTX *ctx; + size_t bytes_allocated; +}; + +static struct size_snapshot *snapshot_stack; + +#define _set_leak_err_msg(fmt, ...) 
do { \ + snprintf(leak_err_msg, sizeof(leak_err_msg), \ + fmt, ##__VA_ARGS__); \ +} while(0); + +const char *check_leaks_err_msg(void) +{ + return leak_err_msg; +} + +static bool +check_leaks(TALLOC_CTX *ctx, size_t bytes, const char *location) +{ + size_t bytes_allocated; + + if (ctx == NULL) { + return false; + } + + bytes_allocated = talloc_total_size(ctx); + if (bytes_allocated != bytes) { + fprintf(stderr, "Leak report for %s:\n", location); + talloc_report_full(ctx, stderr); + _set_leak_err_msg("%s: memory leaks detected, %zd bytes still allocated", + location, bytes_allocated - bytes); + return false; + } + + return true; +} + +void +check_leaks_push(TALLOC_CTX *ctx) +{ + struct size_snapshot *snapshot; + + snapshot = talloc(NULL, struct size_snapshot); + snapshot->ctx = ctx; + snapshot->bytes_allocated = talloc_total_size(ctx); + DLIST_ADD(snapshot_stack, snapshot); +} + +bool +_check_leaks_pop(TALLOC_CTX *ctx, const char *location) +{ + struct size_snapshot *snapshot; + TALLOC_CTX *old_ctx; + size_t bytes_allocated; + + if (ctx == NULL) { + return false; + } + + if (snapshot_stack == NULL) { + _set_leak_err_msg("%s: trying to pop an empty stack", location); + return false; + } + + snapshot = snapshot_stack; + DLIST_REMOVE(snapshot_stack, snapshot); + + old_ctx = snapshot->ctx; + bytes_allocated = snapshot->bytes_allocated; + + if (old_ctx != ctx) { + _set_leak_err_msg("Bad push/pop order"); + return false; + } + + talloc_zfree(snapshot); + return check_leaks(old_ctx, bytes_allocated, location); +} + +bool +leak_check_setup(void) +{ + talloc_enable_null_tracking(); + global_talloc_context = talloc_new(NULL); + if (global_talloc_context == NULL) { + _set_leak_err_msg("talloc_new failed"); + return false; + } + + check_leaks_push(global_talloc_context); + return true; +} + +bool +leak_check_teardown(void) +{ + bool res; + res = check_leaks_pop(global_talloc_context); + if (!res) { + _set_leak_err_msg("check_leaks_pop failed in leak_check_teardown"); + } + + 
if (snapshot_stack != NULL) { + _set_leak_err_msg("Exiting with a non-empty stack"); + return false; + } + res = check_leaks(global_talloc_context, 0, __location__); + talloc_disable_null_tracking(); + talloc_free(global_talloc_context); + return res; +} diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py new file mode 100755 index 0000000..393fb2d --- /dev/null +++ b/src/tests/pyhbac-test.py 
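Review bot: `check_leaks_push` assigns `snapshot->ctx` without checking the result of `talloc(NULL, struct size_snapshot)`, so an allocation failure becomes a NULL dereference inside the helper instead of a reported error. A guard such as `if (snapshot == NULL) { _set_leak_err_msg("talloc failed"); return; }` before the first assignment keeps the failure visible through `check_leaks_err_msg()`. In `_check_leaks_pop`, the `old_ctx != ctx` branch returns after `DLIST_REMOVE` without freeing `snapshot`; since `old_ctx` and `bytes_allocated` are already copied out, moving `talloc_zfree(snapshot);` above that comparison releases it on both paths. The `_set_leak_err_msg` macro also ends in `while(0);`, and the trailing semicolon should be dropped so the macro stays safe in an unbraced `if`/`else`.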
@@ -0,0 +1,567 @@ +#!/usr/bin/env python +from __future__ import print_function + +import unittest +import sys +import os +import copy +import tempfile + +BUILD_DIR = os.getenv('builddir') or "." +TEST_DIR = os.getenv('SSS_TEST_DIR') or "." +MODPATH = tempfile.mkdtemp(prefix="tp_pyhbac_", dir=TEST_DIR) + + +if sys.version_info[0] > 2: + unicode = str + + +def compat_assertIsInstance(this, obj, cls, msg=None): + return this.assertTrue(isinstance(obj, cls)) + + +def compat_assertItemsEqual(this, expected_seq, actual_seq, msg=None): + return this.assertEqual(sorted(expected_seq), sorted(actual_seq)) + + +# add compat assertIsInstance for old unittest.TestCase versions +# (python < 2.7, RHEL6 for instance) +if not hasattr(unittest.TestCase, "assertIsInstance"): + setattr(unittest.TestCase, "assertIsInstance", compat_assertIsInstance) + +# Python3 renamed assertItemsEqual to assertCountEqual but at the same time +# Python2 doesn't have assertCountEqual, see http://bugs.python.org/issue17866 +if not hasattr(unittest.TestCase, "assertCountEqual"): + if not hasattr(unittest.TestCase, "assertItemsEqual"): + # This is RHEL-6 + setattr(unittest.TestCase, "assertItemsEqual", compat_assertItemsEqual) + + setattr(unittest.TestCase, + "assertCountEqual", + unittest.TestCase.assertItemsEqual) + + +class PyHbacImport(unittest.TestCase): + def setUp(self): + " Make sure we load the in-tree module " + self.system_path = sys.path[:] + sys.path = [MODPATH] + + def tearDown(self): + " Restore the system path " + sys.path = self.system_path + + def testImport(self): + " Import the module and assert it comes from tree " + try: + dest_module_path = MODPATH + "/pyhbac.so" + + if sys.version_info[0] > 2: + src_module_path = BUILD_DIR + "/.libs/_py3hbac.so" + else: + src_module_path = BUILD_DIR + "/.libs/_py2hbac.so" + + src_module_path = os.path.abspath(src_module_path) + os.symlink(src_module_path, dest_module_path) + + import pyhbac + except ImportError as e: + print("Could not load the 
pyhbac module. Please check if it is " + "compiled", file=sys.stderr) + raise e + self.assertEqual(pyhbac.__file__, MODPATH + "/pyhbac.so") + + +class PyHbacRuleElementTest(unittest.TestCase): + def testInstantiateEmpty(self): + el = pyhbac.HbacRuleElement() + self.assertCountEqual(el.names, []) + self.assertCountEqual(el.groups, []) + self.assertCountEqual(el.category, set([pyhbac.HBAC_CATEGORY_NULL])) + + def testInit(self): + names = ["foo", "bar"] + el = pyhbac.HbacRuleElement(names=names) + self.assertCountEqual(el.names, names) + + groups = ["abc", "def"] + el = pyhbac.HbacRuleElement(groups=groups) + self.assertCountEqual(el.groups, groups) + + def testGetSet(self): + names = ["foo", "bar"] + el = pyhbac.HbacRuleElement() + self.assertCountEqual(el.names, []) + el.names = names + self.assertCountEqual(el.names, names) + + groups = ["abc", "def"] + el = pyhbac.HbacRuleElement() + self.assertCountEqual(el.groups, []) + el.groups = groups + self.assertCountEqual(el.groups, groups) + + # Test other iterables than list + groups = ("abc", "def") + el = pyhbac.HbacRuleElement() + self.assertCountEqual(el.groups, []) + el.groups = groups + self.assertCountEqual(el.groups, groups) + + def testCategory(self): + el = pyhbac.HbacRuleElement() + assert pyhbac.HBAC_CATEGORY_NULL in el.category + assert pyhbac.HBAC_CATEGORY_ALL not in el.category + + el.category.add(pyhbac.HBAC_CATEGORY_ALL) + assert pyhbac.HBAC_CATEGORY_ALL in el.category + + el.category = set([pyhbac.HBAC_CATEGORY_ALL]) + assert pyhbac.HBAC_CATEGORY_ALL in el.category + + # negative tests + self.assertRaises(TypeError, el.__setattr__, "category", + [pyhbac.HBAC_CATEGORY_ALL]) + self.assertRaises(TypeError, el.__setattr__, "category", None) + self.assertRaises(TypeError, el.__setattr__, "category", 1) + + def testNotIterable(self): + self.assertRaises(TypeError, pyhbac.HbacRuleElement, names=123) + self.assertRaises(TypeError, pyhbac.HbacRuleElement, names=None) + + def testRuleElementReference(self): + 
def _get_rule(): + users = ["foo", "bar"] + user_groups = ["abc", "def"] + return pyhbac.HbacRuleElement(names=users, groups=user_groups) + + el = _get_rule() + self.assertCountEqual(el.names, ["foo", "bar"]) + self.assertCountEqual(el.groups, ["abc", "def"]) + + def testRepr(self): + el = pyhbac.HbacRuleElement() + self.assertEquals(el.__repr__(), u'') + + el.category.add(pyhbac.HBAC_CATEGORY_ALL) + el.names = ['foo'] + el.groups = ['bar, baz'] + self.assertEquals(el.__repr__(), + u'') + + +class PyHbacRuleTest(unittest.TestCase): + def testRuleGetSetName(self): + name = "testGetRule" + new_name = "testGetNewRule" + + rule = pyhbac.HbacRule(name) + self.assertEqual(rule.name, unicode(name)) + + rule.name = new_name + self.assertEqual(rule.name, unicode(new_name)) + + def testRuleGetSetEnabled(self): + rule = pyhbac.HbacRule("testRuleGetSetEnabled") + + rule.enabled = True + self.assertEqual(rule.enabled, True) + rule.enabled = False + self.assertEqual(rule.enabled, False) + + rule.enabled = "TRUE" + self.assertEqual(rule.enabled, True) + rule.enabled = "FALSE" + self.assertEqual(rule.enabled, False) + + rule.enabled = "true" + self.assertEqual(rule.enabled, True) + rule.enabled = "false" + self.assertEqual(rule.enabled, False) + + rule.enabled = "True" + self.assertEqual(rule.enabled, True) + rule.enabled = "False" + self.assertEqual(rule.enabled, False) + + rule.enabled = 1 + self.assertEqual(rule.enabled, True) + rule.enabled = 0 + self.assertEqual(rule.enabled, False) + + # negative test + self.assertRaises(TypeError, rule.__setattr__, "enabled", None) + self.assertRaises(TypeError, rule.__setattr__, "enabled", []) + self.assertRaises(ValueError, rule.__setattr__, "enabled", "foo") + self.assertRaises(ValueError, rule.__setattr__, "enabled", 5) + + def testRuleElementInRule(self): + users = ["foo", "bar"] + user_groups = ["abc", "def"] + + # rule should contain empty elements after instantiation + rule = pyhbac.HbacRule("testRuleElement") + 
self.assertIsInstance(rule.users, pyhbac.HbacRuleElement) + self.assertIsInstance(rule.services, pyhbac.HbacRuleElement) + self.assertIsInstance(rule.targethosts, pyhbac.HbacRuleElement) + self.assertIsInstance(rule.srchosts, pyhbac.HbacRuleElement) + + self.assertIsInstance(rule.users.names, list) + self.assertIsInstance(rule.users.groups, list) + self.assertCountEqual(rule.users.names, []) + self.assertCountEqual(rule.users.groups, []) + + # Assign by copying a HbacRuleElement + user_el = pyhbac.HbacRuleElement(names=users, groups=user_groups) + rule = pyhbac.HbacRule("testRuleElement") + rule.users = user_el + self.assertCountEqual(rule.users.names, users) + self.assertCountEqual(rule.users.groups, user_groups) + + # Assign directly + rule = pyhbac.HbacRule("testRuleElement") + rule.users.names = users + rule.users.groups = user_groups + self.assertCountEqual(rule.users.names, users) + self.assertCountEqual(rule.users.groups, user_groups) + + def testRuleElementInRuleReference(self): + " Test that references to RuleElement are kept even if element goes" + " out of scope " + def _get_rule(): + users = ["foo", "bar"] + user_groups = ["abc", "def"] + el = pyhbac.HbacRuleElement(names=users, groups=user_groups) + rule = pyhbac.HbacRule("testRuleElement") + rule.users = el + return rule + + rule = _get_rule() + self.assertCountEqual(rule.users.names, ["foo", "bar"]) + self.assertCountEqual(rule.users.groups, ["abc", "def"]) + + def testRepr(self): + r = pyhbac.HbacRule('foo') + self.assertEqual(r.__repr__(), + u" " + "services " + "targethosts " + "srchosts >") + + name = "someuser" + service = "ssh" + srchost = "host1" + targethost = "host2" + + r.users.names = [name] + r.services.names = [service] + r.srchosts.names = [srchost] + r.targethosts.names = [targethost] + + self.assertEqual(r.__repr__(), + u" " + "services " + "targethosts " + "srchosts >" % + (name, service, targethost, srchost)) + + def testValidate(self): + r = pyhbac.HbacRule('valid_rule') + + valid, 
missing = r.validate() + self.assertEqual(valid, False) + self.assertCountEqual(missing, (pyhbac.HBAC_RULE_ELEMENT_USERS, + pyhbac.HBAC_RULE_ELEMENT_SERVICES, + pyhbac.HBAC_RULE_ELEMENT_TARGETHOSTS, + pyhbac.HBAC_RULE_ELEMENT_SOURCEHOSTS)) + + r.users.names = ["someuser"] + r.services.names = ["ssh"] + + valid, missing = r.validate() + self.assertEqual(valid, False) + self.assertCountEqual(missing, (pyhbac.HBAC_RULE_ELEMENT_TARGETHOSTS, + pyhbac.HBAC_RULE_ELEMENT_SOURCEHOSTS)) + + r.srchosts.names = ["host1"] + r.targethosts.names = ["host2"] + + valid, missing = r.validate() + self.assertEqual(valid, True) + + +class PyHbacRequestElementTest(unittest.TestCase): + def testInstantiateEmpty(self): + el = pyhbac.HbacRequestElement() + self.assertCountEqual(el.name, "") + self.assertCountEqual(el.groups, []) + + def testInit(self): + name = "foo" + el = pyhbac.HbacRequestElement(name=name) + self.assertCountEqual(el.name, name) + + groups = ["abc", "def"] + el = pyhbac.HbacRequestElement(groups=groups) + self.assertCountEqual(el.groups, groups) + + def testGetSet(self): + name = "foo" + el = pyhbac.HbacRequestElement() + self.assertCountEqual(el.name, "") + el.name = name + self.assertCountEqual(el.name, name) + + groups = ["abc", "def"] + el = pyhbac.HbacRequestElement() + self.assertCountEqual(el.groups, []) + el.groups = groups + self.assertCountEqual(el.groups, groups) + + # Test other iterables than list + groups = ("abc", "def") + el = pyhbac.HbacRequestElement() + self.assertCountEqual(el.groups, []) + el.groups = groups + self.assertCountEqual(el.groups, groups) + + def testGroupsNotIterable(self): + self.assertRaises(TypeError, pyhbac.HbacRequestElement, groups=None) + self.assertRaises(TypeError, pyhbac.HbacRequestElement, groups=123) + + def testRepr(self): + r = pyhbac.HbacRequestElement() + self.assertEqual(r.__repr__(), u"") + + r.name = 'foo' + r.groups = ['bar', 'baz'] + self.assertEqual(r.__repr__(), u"") + + +class 
PyHbacRequestTest(unittest.TestCase): + def testRequestElementHandling(self): + name = "req_name" + groups = ["g1", "g2"] + + # The request should be empty after instantiation + req = pyhbac.HbacRequest() + self.assertIsInstance(req.user, pyhbac.HbacRequestElement) + self.assertIsInstance(req.service, pyhbac.HbacRequestElement) + self.assertIsInstance(req.targethost, pyhbac.HbacRequestElement) + self.assertIsInstance(req.srchost, pyhbac.HbacRequestElement) + + self.assertEqual(req.user.name, "") + self.assertIsInstance(req.user.groups, list) + self.assertCountEqual(req.user.groups, []) + + # Assign by copying a HbacRequestElement + user_el = pyhbac.HbacRequestElement(name=name, groups=groups) + req = pyhbac.HbacRequest() + req.user = user_el + self.assertCountEqual(req.user.name, name) + self.assertCountEqual(req.user.groups, groups) + + # Assign directly + req = pyhbac.HbacRequest() + req.user.name = name + req.user.groups = groups + self.assertCountEqual(req.user.name, name) + self.assertCountEqual(req.user.groups, groups) + + def testRuleName(self): + req = pyhbac.HbacRequest() + self.assertEqual(req.rule_name, None) + # python 2.4 raises TypError, 2.7 raises AttributeError + self.assertRaises((TypeError, AttributeError), req.__setattr__, + "rule_name", "foo") + + def testEvaluate(self): + name = "someuser" + service = "ssh" + srchost = "host1" + targethost = "host2" + + allow_rule = pyhbac.HbacRule("allowRule", enabled=True) + allow_rule.users.names = [name] + allow_rule.services.names = [service] + allow_rule.srchosts.names = [srchost] + allow_rule.targethosts.names = [targethost] + + req = pyhbac.HbacRequest() + req.user.name = name + req.service.name = service + req.srchost.name = srchost + req.targethost.name = targethost + + # Test that an allow rule on its own allows access + res = req.evaluate((allow_rule,)) + self.assertEqual(res, pyhbac.HBAC_EVAL_ALLOW) + self.assertEqual(req.rule_name, "allowRule") + + # Test that a user not in the rule is not allowed 
+ savename = req.user.name + req.user.name = "someotheruser" + res = req.evaluate((allow_rule, )) + self.assertEqual(res, pyhbac.HBAC_EVAL_DENY) + self.assertEqual(req.rule_name, None) + + # But allows if the rule is an ALL rule + allow_rule.users.category.add(pyhbac.HBAC_CATEGORY_ALL) + res = req.evaluate((allow_rule, )) + self.assertEqual(res, pyhbac.HBAC_EVAL_ALLOW) + + def testRepr(self): + name = "someuser" + service = "ssh" + srchost = "host1" + targethost = "host2" + + req = pyhbac.HbacRequest() + + self.assertEqual(req.__repr__(), " " + "service " + "targethost " + "srchost >") + + req.user.name = name + req.service.name = service + req.srchost.name = srchost + req.targethost.name = targethost + + self.assertEqual(req.__repr__(), " " + "service " + "targethost " + "srchost >" % + (name, service, targethost, srchost)) + + def testEvaluateNegative(self): + name = "someuser" + service = "ssh" + srchost = "host1" + targethost = "host2" + + allow_rule = pyhbac.HbacRule("allowRule", enabled=True) + allow_rule.users.names = [name] + allow_rule.services.names = [service] + allow_rule.srchosts.names = [srchost] + allow_rule.targethosts.names = [targethost] + + req = pyhbac.HbacRequest() + req.service.name = service + req.srchost.name = srchost + req.targethost.name = targethost + req.user.name = name + + saveuser = req.user + req.user = None # need to catch this + + # catch invalid category value + savecat = copy.copy(allow_rule.users.category) + allow_rule.users.category.add(pyhbac.HBAC_EVAL_ERROR) + self.assertRaises(ValueError, req.evaluate, (allow_rule,)) + allow_rule.users.category = savecat + + # Test that invalid type is raised + self.assertRaises(TypeError, req.evaluate, (allow_rule,)) + + req.user = saveuser + allow_rule.users = None # need to catch this + self.assertRaises(TypeError, req.evaluate, (allow_rule,)) + + # catch invalid rule type + self.assertRaises(TypeError, req.evaluate, (allow_rule, None)) + + +class PyHbacModuleTest(unittest.TestCase): + 
@classmethod + def tearDownClass(cls): + os.unlink(MODPATH + "/pyhbac.so") + os.rmdir(MODPATH) + + def testHasResultTypes(self): + assert hasattr(pyhbac, "HBAC_EVAL_ALLOW") + assert hasattr(pyhbac, "HBAC_EVAL_DENY") + assert hasattr(pyhbac, "HBAC_EVAL_ERROR") + + def testHasErrorTypes(self): + assert hasattr(pyhbac, "HBAC_ERROR_UNKNOWN") + assert hasattr(pyhbac, "HBAC_SUCCESS") + assert hasattr(pyhbac, "HBAC_ERROR_NOT_IMPLEMENTED") + assert hasattr(pyhbac, "HBAC_ERROR_OUT_OF_MEMORY") + assert hasattr(pyhbac, "HBAC_ERROR_UNPARSEABLE_RULE") + + def testHasCategories(self): + assert hasattr(pyhbac, "HBAC_CATEGORY_NULL") + assert hasattr(pyhbac, "HBAC_CATEGORY_ALL") + + def testHasRuleElementTypes(self): + assert hasattr(pyhbac, "HBAC_RULE_ELEMENT_USERS") + assert hasattr(pyhbac, "HBAC_RULE_ELEMENT_SERVICES") + assert hasattr(pyhbac, "HBAC_RULE_ELEMENT_TARGETHOSTS") + assert hasattr(pyhbac, "HBAC_RULE_ELEMENT_SOURCEHOSTS") + + def testHbacResultString(self): + results = [pyhbac.HBAC_EVAL_ALLOW, pyhbac.HBAC_EVAL_DENY, + pyhbac.HBAC_EVAL_ERROR] + for r in results: + s = pyhbac.hbac_result_string(r) + self.assertIsInstance(s, unicode) + assert len(s) > 0 + + def testHbacErrorString(self): + errors = [pyhbac.HBAC_ERROR_UNKNOWN, + pyhbac.HBAC_SUCCESS, + pyhbac.HBAC_ERROR_NOT_IMPLEMENTED, + pyhbac.HBAC_ERROR_OUT_OF_MEMORY, + pyhbac.HBAC_ERROR_UNPARSEABLE_RULE] + for e in errors: + s = pyhbac.hbac_error_string(e) + self.assertIsInstance(s, unicode) + assert len(s) > 0 + + +if __name__ == "__main__": + error = 0 + + suite = unittest.TestLoader().loadTestsFromTestCase(PyHbacImport) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x1 + # need to bail out here because pyhbac could not be imported + sys.exit(error) + + # import the pyhbac module into the global namespace, but make sure it's + # the one in tree + sys.path.insert(0, MODPATH) + import pyhbac + + loadTestsFromTestCase = unittest.TestLoader().loadTestsFromTestCase + + suite = 
loadTestsFromTestCase(PyHbacRuleElementTest) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x2 + + suite = loadTestsFromTestCase(PyHbacRuleTest) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x3 + + suite = loadTestsFromTestCase(PyHbacRequestElementTest) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x4 + + suite = loadTestsFromTestCase(PyHbacRequestTest) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x5 + + suite = loadTestsFromTestCase(PyHbacModuleTest) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x6 + + sys.exit(error) diff --git a/src/tests/pyhbac-test.py2.sh b/src/tests/pyhbac-test.py2.sh new file mode 100755 index 0000000..48cd169 --- /dev/null +++ b/src/tests/pyhbac-test.py2.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +SCRIPT=$(readlink -f "$0") +SCRIPT_PATH=$(dirname "$SCRIPT") +exec python2 $SCRIPT_PATH/pyhbac-test.py diff --git a/src/tests/pyhbac-test.py3.sh b/src/tests/pyhbac-test.py3.sh new file mode 100755 index 0000000..862c7b2 --- /dev/null +++ b/src/tests/pyhbac-test.py3.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +SCRIPT=$(readlink -f "$0") +SCRIPT_PATH=$(dirname "$SCRIPT") +exec python3 $SCRIPT_PATH/pyhbac-test.py diff --git a/src/tests/pysss_murmur-test.py b/src/tests/pysss_murmur-test.py new file mode 100755 index 0000000..531f8b5 --- /dev/null +++ b/src/tests/pysss_murmur-test.py 
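Review bot: The exit-status values in the `__main__` block are not distinct bits: `error |= 0x3`, `0x5` and `0x6` are combinations of `0x1`, `0x2` and `0x4`, so a failure in `PyHbacRuleTest` alone yields 3 and the caller cannot tell which suites failed. If the status is meant as a bitmask, as the `0x1`/`0x2`/`0x4` values in the pysss_murmur test later in this patch suggest, give each suite its own bit, e.g. `error |= 0x4` for `PyHbacRuleTest`, `0x8` for `PyHbacRequestElementTest`, `0x10` for `PyHbacRequestTest` and `0x20` for `PyHbacModuleTest`. A short comment above the block listing the bit assigned to each suite would document the exit code.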
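Review bot: `$SCRIPT_PATH` is expanded unquoted on the `exec` line, so a checkout path containing whitespace or glob characters is word-split and the interpreter receives the wrong script argument; quote it, `exec python2 "$SCRIPT_PATH/pyhbac-test.py"`. The same applies to `pyhbac-test.py3.sh` and to the `pysss_murmur-test.py2.sh` and `pysss_murmur-test.py3.sh` wrappers added later in this patch.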
@@ -0,0 +1,138 @@ +#!/usr/bin/env python +# SSSD +# +# Unit tests for pysss_murmur +# +# Copyright (C) Sumit Bose 2012 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +from __future__ import print_function + +import unittest +import sys +import os +import tempfile + +BUILD_DIR = os.getenv('builddir') or "." +TEST_DIR = os.getenv('SSS_TEST_DIR') or "." +MODPATH = tempfile.mkdtemp(prefix="tp_pysss_murmur_", dir=TEST_DIR) + + +class PySssMurmurImport(unittest.TestCase): + def setUp(self): + " Make sure we load the in-tree module " + self.system_path = sys.path[:] + sys.path = [MODPATH] + print(os.getcwd()) + print(MODPATH) + + def tearDown(self): + " Restore the system path " + sys.path = self.system_path + + def testImport(self): + " Import the module and assert it comes from tree " + try: + dest_module_path = MODPATH + "/pysss_murmur.so" + + if sys.version_info[0] > 2: + src_module_path = BUILD_DIR + "/.libs/_py3sss_murmur.so" + else: + src_module_path = BUILD_DIR + "/.libs/_py2sss_murmur.so" + + src_module_path = os.path.abspath(src_module_path) + os.symlink(src_module_path, dest_module_path) + + import pysss_murmur + except ImportError as e: + print("Could not load the pysss_murmur module. 
" + "Please check if it is compiled", file=sys.stderr) + raise e + self.assertEqual(pysss_murmur.__file__, MODPATH + "/pysss_murmur.so") + + +class PySssMurmurTestNeg(unittest.TestCase): + def test_invalid_arguments(self): + self.assertRaises(ValueError, pysss_murmur.murmurhash3, 1, 2, 3) + self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 2) + self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test") + self.assertRaises(ValueError, pysss_murmur.murmurhash3) + + def test_invalid_length(self): + seed = 12345 + + self.assertRaises(ValueError, pysss_murmur.murmurhash3, "t", -1, seed) + # length is off by one + self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", 5, + seed) + self.assertRaises(ValueError, pysss_murmur.murmurhash3, "test", + 0xffffffffff, seed) + + +class PySssMurmurTestPos(unittest.TestCase): + @classmethod + def tearDownClass(cls): + os.unlink(MODPATH + "/pysss_murmur.so") + os.rmdir(MODPATH) + + def testExpectedHash(self): + sid_str = "S-1-5-21-2153326666-2176343378-3404031434" + seed = 0xdeadbeef + + hash_val = pysss_murmur.murmurhash3(sid_str, 0, seed) + self.assertEqual(hash_val, 233162409) + + hash_val = pysss_murmur.murmurhash3(sid_str, len(sid_str), seed) + self.assertEqual(hash_val, 93103853) + + def test_memory_cache_usage(self): + seed = 0xbeefdead + input_str = "test_user1" + input_len = len(input_str) + + val_bin = pysss_murmur.murmurhash3(input_str + '\0', + input_len + 1, seed) + self.assertEqual(val_bin, 1198610880) + + val_bin = pysss_murmur.murmurhash3(input_str + '\0' * 5, + input_len + 5, seed) + self.assertEqual(val_bin, 2917868047) + + +if __name__ == "__main__": + error = 0 + + suite = unittest.TestLoader().loadTestsFromTestCase(PySssMurmurImport) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x1 + # need to bail out here because pysss_murmur could not be imported + sys.exit(error) + + # import the pysss_murmur module into the global namespace, but make sure + 
# it's the one in tree + sys.path.insert(0, MODPATH) + import pysss_murmur + + suite = unittest.TestLoader().loadTestsFromTestCase(PySssMurmurTestNeg) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x2 + + suite = unittest.TestLoader().loadTestsFromTestCase(PySssMurmurTestPos) + res = unittest.TextTestRunner().run(suite) + if not res.wasSuccessful(): + error |= 0x4 + + sys.exit(error) diff --git a/src/tests/pysss_murmur-test.py2.sh b/src/tests/pysss_murmur-test.py2.sh new file mode 100755 index 0000000..7144597 --- /dev/null +++ b/src/tests/pysss_murmur-test.py2.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +SCRIPT=$(readlink -f "$0") +SCRIPT_PATH=$(dirname "$SCRIPT") +exec python2 $SCRIPT_PATH/pysss_murmur-test.py diff --git a/src/tests/pysss_murmur-test.py3.sh b/src/tests/pysss_murmur-test.py3.sh new file mode 100755 index 0000000..00b352a --- /dev/null +++ b/src/tests/pysss_murmur-test.py3.sh @@ -0,0 +1,5 @@ +#!/bin/sh + +SCRIPT=$(readlink -f "$0") +SCRIPT_PATH=$(dirname "$SCRIPT") +exec python3 $SCRIPT_PATH/pysss_murmur-test.py diff --git a/src/tests/python-test.py b/src/tests/python-test.py new file mode 100644 index 0000000..c0494db --- /dev/null +++ b/src/tests/python-test.py 
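Review bot: The temporary directory created by `tempfile.mkdtemp()` at import time is only removed in `PySssMurmurTestPos.tearDownClass`, so when the import suite fails and the `__main__` block calls `sys.exit(error)` early, `MODPATH` and any symlink in it are left behind under `SSS_TEST_DIR` (or the current directory). Registering the cleanup once, right after the directory is created, covers every exit path: `atexit.register(shutil.rmtree, MODPATH, True)`, with `atexit` and `shutil` imported. The pyhbac test file earlier in this patch uses the same pattern. The `print(os.getcwd())` and `print(MODPATH)` calls in `setUp` look like leftover debugging output and could be dropped.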
@@ -0,0 +1,469 @@ +#!/usr/bin/env python +# coding=utf-8 + +# Authors: +# Jakub Hrozek +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +import os +import tempfile +import shutil +import unittest +import subprocess +import errno + +# module under test +import pysss + + +class LocalTest(unittest.TestCase): + local_path = "/var/lib/sss/db/sssd.ldb" + + def setUp(self): + self.local = pysss.local() + + def _run_and_check(self, runme): + (status, output) = subprocess.call(runme, shell=True) + self.failUnlessEqual(status, 0, output) + + def _get_object_info(self, name, subtree, domain): + search_dn = "dn=name=%s,cn=%s,cn=%s,cn=sysdb" % (name, subtree, domain) + try: + cmd = "ldbsearch -H %s %s" % (self.local_path, search_dn) + output = subprocess.check_call(cmd, shell=True) + output = output.decode('utf-8') + except subprocess.CalledProcessError: + return {} + + kw = {} + for key, value in \ + [l.split(':') for l in output.split('\n') if ":" in l]: + kw[key] = value.strip() + + del kw['asq'] + return kw + + def get_user_info(self, name, domain="LOCAL"): + return self._get_object_info(name, "users", domain) + + def get_group_info(self, name, domain="LOCAL"): + return self._get_object_info(name, "groups", domain) + + def _validate_object(self, kw, name, **kwargs): + if kw == {}: + 
self.fail("Could not get %s info" % name) + for key in kwargs.keys(): + self.assert_(str(kwargs[key]) == str(kw[key]), + "%s %s != %s %s" % (key, kwargs[key], key, kw[key])) + + def validate_user(self, username, **kwargs): + return self._validate_object(self.get_user_info(username), "user", + **kwargs) + + def validate_group(self, groupname, **kwargs): + return self._validate_object(self.get_group_info(groupname), "group", + **kwargs) + + def _validate_no_object(self, kw, name): + if kw != {}: + self.fail("Got %s info" % name) + + def validate_no_user(self, username): + return self._validate_no_object(self.get_user_info(username), "user") + + def validate_no_group(self, groupname): + return self._validate_no_object(self.get_group_info(groupname), + "group") + + def _get_object_membership(self, name, subtree, domain): + search_dn = "dn=name=%s,cn=%s,cn=%s,cn=sysdb" % (name, subtree, domain) + try: + cmd = "ldbsearch -H %s %s" % (self.local_path, search_dn) + output = subprocess.check_call(cmd, shell=True) + output = output.decode('utf-8') + except subprocess.CalledProcessError: + return [] + + members = [value.strip() for key, value in + [l.split(':') for l in output.split('\n') if ":" in l] + if key == "memberof"] + return members + + def _assertMembership(self, name, group_list, subtree, domain): + members = self._get_object_membership(name, subtree, domain) + for group in group_list: + group_dn = "name=%s,cn=groups,cn=%s,cn=sysdb" % (group, domain) + if group_dn in members: + members.remove(group_dn) + else: + self.fail("Cannot find required group %s" % group_dn) + + if len(members) > 0: + self.fail("More groups than selected") + + def assertUserMembership(self, name, group_list, domain="LOCAL"): + return self._assertMembership(name, group_list, "users", domain) + + def assertGroupMembership(self, name, group_list, domain="LOCAL"): + return self._assertMembership(name, group_list, "groups", domain) + + def get_user_membership(self, name, domain="LOCAL"): + return 
self._get_object_membership(name, "users", domain) + + def get_group_membership(self, name, domain="LOCAL"): + return self._get_object_membership(name, "groups", domain) + + def add_group(self, groupname): + self._run_and_check("sss_groupadd %s" % (groupname)) + + def remove_group(self, groupname): + self._run_and_check("sss_groupdel %s" % (groupname)) + + def add_user(self, username): + self._run_and_check("sss_useradd %s" % (username)) + + def add_user_not_home(self, username): + self._run_and_check("sss_useradd -M %s" % (username)) + + def remove_user(self, username): + self._run_and_check("sss_userdel %s" % (username)) + + def remove_user_not_home(self, username): + self._run_and_check("sss_userdel -R %s" % (username)) + + +class SanityTest(unittest.TestCase): + def testInstantiate(self): + "Test that the local backed binding can be instantiated" + local = pysss.local() + self.assert_(local.__class__, "") + + +class UseraddTest(LocalTest): + def tearDown(self): + if self.username: + self.remove_user(self.username) + + def testUseradd(self): + "Test adding a local user" + self.username = "testUseradd" + self.local.useradd(self.username) + self.validate_user(self.username) + # check home directory was created with default name + self.assertEquals(os.access("/home/%s" % self.username, os.F_OK), True) + + def testUseraddWithParams(self): + "Test adding a local user with modified parameters" + self.username = "testUseraddWithParams" + self.local.useradd(self.username, + gecos="foo bar", + homedir="/home/foobar", + shell="/bin/zsh") + self.validate_user(self.username, + gecos="foo bar", + homeDirectory="/home/foobar", + loginShell="/bin/zsh") + # check home directory was created with nondefault name + self.assertEquals(os.access("/home/foobar", os.F_OK), True) + + def testUseraddNoHomedir(self): + "Test adding a local user without creating his home dir" + self.username = "testUseraddNoHomedir" + self.local.useradd(self.username, create_home=False) + 
self.validate_user(self.username) + # check home directory was not created + username_path = "/home/%s" % self.username + self.assertEquals(os.access(username_path, os.F_OK), False) + self.local.userdel(self.username, remove=False) + self.username = None # fool tearDown into not removing the user + + def testUseraddAlternateSkeldir(self): + "Test adding a local user and init his homedir from a custom location" + self.username = "testUseraddAlternateSkeldir" + + skeldir = tempfile.mkdtemp() + fd, path = tempfile.mkstemp(dir=skeldir) + fdo = os.fdopen(fd) + fdo.flush() + fdo.close + self.assertEquals(os.access(path, os.F_OK), True) + filename = os.path.basename(path) + + try: + self.local.useradd(self.username, skel=skeldir) + self.validate_user(self.username) + path = "/home/%s/%s" % (self.username, filename) + self.assertEquals(os.access(path, os.F_OK), True) + finally: + shutil.rmtree(skeldir) + + def testUseraddToGroups(self): + "Test adding a local user with group membership" + self.username = "testUseraddToGroups" + self.add_group("gr1") + self.add_group("gr2") + try: + self.local.useradd(self.username, + groups=["gr1", "gr2"]) + self.assertUserMembership(self.username, + ["gr1", "gr2"]) + finally: + self.remove_group("gr1") + self.remove_group("gr2") + + def testUseraddWithUID(self): + "Test adding a local user with a custom UID" + self.username = "testUseraddWithUID" + self.local.useradd(self.username, + uid=1024) + self.validate_user(self.username, + uidNumber=1024) + + +class UseraddTestNegative(LocalTest): + def testUseraddNoParams(self): + "Test that local.useradd() requires the username parameter" + self.assertRaises(TypeError, self.local.useradd) + + def testUseraddUserAlreadyExists(self): + "Test adding a local with a duplicate name" + self.username = "testUseraddUserAlreadyExists" + self.local.useradd(self.username) + try: + self.local.useradd(self.username) + except IOError as e: + self.assertEquals(e.errno, errno.EEXIST) + else: + self.fail("Was 
expecting exception") + finally: + self.remove_user(self.username) + + def testUseraddUIDAlreadyExists(self): + "Test adding a local with a duplicate user ID" + self.username = "testUseraddUIDAlreadyExists1" + self.local.useradd(self.username, uid=1025) + try: + self.local.useradd("testUseraddUIDAlreadyExists2", uid=1025) + except IOError as e: + self.assertEquals(e.errno, errno.EEXIST) + else: + self.fail("Was expecting exception") + finally: + self.remove_user(self.username) + + +class UserdelTest(LocalTest): + def testUserdel(self): + self.add_user("testUserdel") + self.assertEquals(os.access("/home/testUserdel", os.F_OK), True) + self.validate_user("testUserdel") + self.local.userdel("testUserdel") + self.validate_no_user("testUserdel") + self.assertEquals(os.access("/home/testUserdel", os.F_OK), False) + + def testUserdelNotHomedir(self): + self.add_user("testUserdel") + self.assertEquals(os.access("/home/testUserdel", os.F_OK), True) + self.validate_user("testUserdel") + self.local.userdel("testUserdel", remove=False) + self.validate_no_user("testUserdel") + self.assertEquals(os.access("/home/testUserdel", os.F_OK), True) + shutil.rmtree("/home/testUserdel") + os.remove("/var/mail/testUserdel") + + def testUserdelNegative(self): + self.validate_no_user("testUserdelNegative") + try: + self.local.userdel("testUserdelNegative") + except IOError as e: + self.assertEquals(e.errno, errno.ENOENT) + else: + fail("Was expecting exception") + + +class UsermodTest(LocalTest): + def setUp(self): + self.local = pysss.local() + self.username = "UsermodTest" + self.add_user_not_home(self.username) + + def tearDown(self): + self.remove_user_not_home(self.username) + + def testUsermod(self): + "Test modifying user attributes" + self.local.usermod(self.username, + gecos="foo bar", + homedir="/home/foobar", + shell="/bin/zsh") + self.validate_user(self.username, + gecos="foo bar", + homeDirectory="/home/foobar", + loginShell="/bin/zsh") + + def testUsermodUID(self): + "Test 
modifying UID" + self.local.usermod(self.username, + uid=1024) + self.validate_user(self.username, + uidNumber=1024) + + def testUsermodGroupMembership(self): + "Test adding to and removing from groups" + self.add_group("gr1") + self.add_group("gr2") + + try: + self.local.usermod(self.username, + addgroups=["gr1", "gr2"]) + self.assertUserMembership(self.username, + ["gr1", "gr2"]) + self.local.usermod(self.username, + rmgroups=["gr2"]) + self.assertUserMembership(self.username, + ["gr1"]) + self.local.usermod(self.username, + rmgroups=["gr1"]) + self.assertUserMembership(self.username, + []) + finally: + self.remove_group("gr1") + self.remove_group("gr2") + + def testUsermodLockUnlock(self): + "Test locking and unlocking user" + self.local.usermod(self.username, + lock=self.local.lock) + self.validate_user(self.username, + disabled="true") + self.local.usermod(self.username, + lock=self.local.unlock) + self.validate_user(self.username, + disabled="false") + + +class GroupaddTest(LocalTest): + def tearDown(self): + if self.groupname: + self.remove_group(self.groupname) + + def testGroupadd(self): + "Test adding a local group" + self.groupname = "testGroupadd" + self.local.groupadd(self.groupname) + self.validate_group(self.groupname) + + def testGroupaddWithGID(self): + "Test adding a local group with a custom GID" + self.groupname = "testUseraddWithGID" + self.local.groupadd(self.groupname, + gid=1024) + self.validate_group(self.groupname, + gidNumber=1024) + + +class GroupaddTestNegative(LocalTest): + def testGroupaddNoParams(self): + "Test that local.groupadd() requires the groupname parameter" + self.assertRaises(TypeError, self.local.groupadd) + + def testGroupaddUserAlreadyExists(self): + "Test adding a local with a duplicate name" + self.groupname = "testGroupaddUserAlreadyExists" + self.local.groupadd(self.groupname) + try: + self.local.groupadd(self.groupname) + except IOError as e: + self.assertEquals(e.errno, errno.EEXIST) + else: + self.fail("Was 
expecting exception") + finally: + self.remove_group(self.groupname) + + def testGroupaddGIDAlreadyExists(self): + "Test adding a local with a duplicate group ID" + self.groupname = "testGroupaddGIDAlreadyExists1" + self.local.groupadd(self.groupname, gid=1025) + try: + self.local.groupadd("testGroupaddGIDAlreadyExists2", gid=1025) + except IOError as e: + self.assertEquals(e.errno, errno.EEXIST) + else: + self.fail("Was expecting exception") + finally: + self.remove_group(self.groupname) + + +class GroupdelTest(LocalTest): + def testGroupdel(self): + self.add_group("testGroupdel") + self.validate_group("testGroupdel") + self.local.groupdel("testGroupdel") + self.validate_no_group("testGroupdel") + + def testGroupdelNegative(self): + self.validate_no_group("testGroupdelNegative") + try: + self.local.groupdel("testGroupdelNegative") + except IOError as e: + self.assertEquals(e.errno, errno.ENOENT) + else: + fail("Was expecting exception") + + +class GroupmodTest(LocalTest): + def setUp(self): + self.local = pysss.local() + self.groupname = "GroupmodTest" + self.add_group(self.groupname) + + def tearDown(self): + self.remove_group(self.groupname) + + def testGroupmodGID(self): + "Test modifying UID" + self.local.groupmod(self.groupname, + gid=1024) + self.validate_group(self.groupname, + gidNumber=1024) + + def testGroupmodGroupMembership(self): + "Test adding to groups" + self.add_group("gr1") + self.add_group("gr2") + try: + self.local.groupmod(self.groupname, + addgroups=["gr1", "gr2"]) + self.assertGroupMembership(self.groupname, + ["gr1", "gr2"]) + self.local.groupmod(self.groupname, + rmgroups=["gr2"]) + self.assertGroupMembership(self.groupname, + ["gr1"]) + self.local.groupmod(self.groupname, + rmgroups=["gr1"]) + self.assertGroupMembership(self.groupname, + []) + finally: + self.remove_group("gr1") + self.remove_group("gr2") + + +# -------------- run the test suite -------------- # +if __name__ == "__main__": + unittest.main() 
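Review bot: The helper methods in `LocalTest` cannot work as written: `subprocess.call()` returns only the exit status, so `(status, output) = subprocess.call(runme, shell=True)` in `_run_and_check` raises TypeError, and `subprocess.check_call()` returns 0, so `output.decode('utf-8')` in `_get_object_info` and `_get_object_membership` raises AttributeError. Capturing the output needs `output = subprocess.check_output(["ldbsearch", "-H", self.local_path, search_dn])`; passing an argv list also removes `shell=True`, so the interpolated user, group and domain names are never parsed by a shell. The same hunk has `fdo.close` without the call parentheses in `testUseraddAlternateSkeldir`, and a bare `fail(...)` instead of `self.fail(...)` in `testUserdelNegative` and `testGroupdelNegative`, which would raise NameError rather than report the failure.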
diff --git a/src/tests/refcount-tests.c b/src/tests/refcount-tests.c
new file mode 100644
index 0000000..232302f
--- /dev/null
+++ b/src/tests/refcount-tests.c
@@ -0,0 +1,237 @@ +/* + SSSD + + Reference counting tests. + + Authors: + Martin Nagy + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "tests/common_check.h" +#include "util/util.h" + +/* Interface under test */ +#include "util/refcount.h" + +/* Fail the test if object 'obj' does not have 'num' references. */ +#define REF_ASSERT(obj, num) \ + fail_unless(((obj)->DO_NOT_TOUCH_THIS_MEMBER_refcount == (num)), \ + "Reference count of " #obj " should be %d but is %d", \ + (num), (obj)->DO_NOT_TOUCH_THIS_MEMBER_refcount) + +#define FILLER_SIZE 32 + +struct foo { + REFCOUNT_COMMON; + char a[FILLER_SIZE]; + char b[FILLER_SIZE]; +}; + +struct bar { + char a[FILLER_SIZE]; + REFCOUNT_COMMON; + char b[FILLER_SIZE]; +}; + +struct baz { + char a[FILLER_SIZE]; + char b[FILLER_SIZE]; + REFCOUNT_COMMON; +}; + +#define SET_FILLER(target) do { \ + memset((target)->a, 'a', FILLER_SIZE); \ + memset((target)->b, 'b', FILLER_SIZE); \ +} while (0) + +#define CHECK_FILLER(target) do { \ + int _counter; \ + for (_counter = 0; _counter < FILLER_SIZE; _counter++) { \ + fail_unless((target)->a[_counter] == 'a', "Corrupted memory in " \ + #target "->a[%d] of size %d", _counter, FILLER_SIZE); \ + fail_unless((target)->b[_counter] == 'b', "Corrupted memory in " \ + #target "->b[%d] of size %d", _counter, FILLER_SIZE); \ + } \ +} while (0) + +struct 
container { + struct foo *foo; + struct bar *bar; + struct baz *baz; +}; + +static struct container *global; + +START_TEST(test_refcount_basic) +{ + struct container *containers; + int i; + + /* First allocate our global storage place. */ + global = talloc(NULL, struct container); + fail_if(global == NULL); + + /* Allocate foo. */ + global->foo = rc_alloc(global, struct foo); + fail_if(global->foo == NULL); + SET_FILLER(global->foo); + REF_ASSERT(global->foo, 1); + + /* Allocate bar. */ + global->bar = rc_alloc(global, struct bar); + fail_if(global->bar == NULL); + SET_FILLER(global->bar); + REF_ASSERT(global->bar, 1); + + /* Allocate baz. */ + global->baz = rc_alloc(global, struct baz); + fail_if(global->baz == NULL); + SET_FILLER(global->baz); + REF_ASSERT(global->baz, 1); + + /* Try multiple attaches. */ + containers = talloc_array(NULL, struct container, 100); + fail_if(containers == NULL); + for (i = 0; i < 100; i++) { + containers[i].foo = rc_reference(containers, struct foo, global->foo); + containers[i].bar = rc_reference(containers, struct bar, global->bar); + containers[i].baz = rc_reference(containers, struct baz, global->baz); + REF_ASSERT(containers[i].foo, i + 2); + REF_ASSERT(global->foo, i + 2); + REF_ASSERT(containers[i].bar, i + 2); + REF_ASSERT(global->bar, i + 2); + REF_ASSERT(containers[i].baz, i + 2); + REF_ASSERT(global->baz, i + 2); + } + talloc_free(containers); + + CHECK_FILLER(global->foo); + CHECK_FILLER(global->bar); + CHECK_FILLER(global->baz); + + REF_ASSERT(global->foo, 1); + REF_ASSERT(global->bar, 1); + REF_ASSERT(global->baz, 1); + + talloc_free(global); +} +END_TEST + +START_TEST(test_refcount_swap) +{ + void *tmp_ctx; + struct container *container1; + struct container *container2; + + tmp_ctx = talloc_new(NULL); + + ck_leaks_push(tmp_ctx); + + container1 = talloc(tmp_ctx, struct container); + container2 = talloc(tmp_ctx, struct container); + + /* Allocate. 
*/ + container1->foo = rc_alloc(container1, struct foo); + fail_if(container1->foo == NULL); + SET_FILLER(container1->foo); + + /* Reference. */ + container2->foo = rc_reference(container2, struct foo, container1->foo); + fail_if(container2->foo == NULL); + + /* Make sure everything is as it should be. */ + fail_unless(container1->foo == container2->foo); + REF_ASSERT(container1->foo, 2); + + /* Free in reverse order. */ + talloc_free(container1); + REF_ASSERT(container2->foo, 1); + CHECK_FILLER(container2->foo); + talloc_free(container2); + + ck_leaks_pop(tmp_ctx); + talloc_free(tmp_ctx); +} +END_TEST + +Suite *create_suite(void) +{ + Suite *s = suite_create("refcount"); + + TCase *tc = tcase_create("REFCOUNT Tests"); + + /* Do some testing */ + tcase_add_checked_fixture(tc, ck_leak_check_setup, ck_leak_check_teardown); + tcase_add_test(tc, test_refcount_basic); + tcase_add_test(tc, test_refcount_swap); + + /* Add all test cases to the test suite */ + suite_add_tcase(s, tc); + + return s; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int failure_count; + Suite *suite; + SRunner *sr; + int debug = 0; + + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug-level", 'd', POPT_ARG_INT, &debug, 0, "Set debug level", NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug); + + tests_set_cwd(); + + suite = create_suite(); + sr = srunner_create(suite); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed(sr); + srunner_free(sr); + return (failure_count == 0 ? EXIT_SUCCESS : EXIT_FAILURE); +} + diff --git a/src/tests/resolv-tests.c b/src/tests/resolv-tests.c new file mode 100644 index 0000000..4a2b3b9 --- /dev/null +++ b/src/tests/resolv-tests.c 
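Review bot: In test_refcount_swap the results of `talloc_new(NULL)` and the two `talloc(tmp_ctx, struct container)` calls are used without a NULL check, so an allocation failure reaches `container1->foo = rc_alloc(...)` as a NULL dereference instead of a reported test failure. test_refcount_basic in the same file guards every allocation with `fail_if(... == NULL)`, and the swap test should do the same: `fail_if(tmp_ctx == NULL);` after talloc_new and `fail_if(container1 == NULL || container2 == NULL);` before the first use. Crashing rather than failing also hides which allocation was at fault when the suite runs under a memory-constrained or fault-injecting harness.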
@@ -0,0 +1,1051 @@ +/* + SSSD + + Async resolver tests + + Authors: + Martin Nagy + Jakub Hrozek + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include + +#include "tests/common.h" +#include "util/util.h" +#include "tests/common_check.h" + +/* Interface under test */ +#include "resolv/async_resolv.h" + +#define RESOLV_DEFAULT_TIMEOUT 6 + +static int use_net_test; +static char *txt_host; +static char *srv_host; + +struct resolv_test_ctx { + struct tevent_context *ev; + struct resolv_ctx *resolv; + + enum { + TESTING_HOSTNAME, + TESTING_TXT, + TESTING_SRV, + } tested_function; + + int error; + bool done; +}; + +static int setup_resolv_test(int timeout, struct resolv_test_ctx **ctx) +{ + struct resolv_test_ctx *test_ctx; + int ret; + + test_ctx = talloc_zero(global_talloc_context, struct resolv_test_ctx); + if (test_ctx == NULL) { + fail("Could not allocate memory for test context"); + return ENOMEM; + } + + test_ctx->ev = tevent_context_init(test_ctx); + if (test_ctx->ev == NULL) { + fail("Could not init tevent context"); + talloc_free(test_ctx); + return EFAULT; + } + + ret = resolv_init(test_ctx, test_ctx->ev, timeout, &test_ctx->resolv); + if (ret != EOK) { + fail("Could not init resolv context"); + talloc_free(test_ctx); + return ret; + } + + *ctx = test_ctx; + return EOK; +} + +static int test_loop(struct 
resolv_test_ctx *data) +{ + while (!data->done) + tevent_loop_once(data->ev); + + return data->error; +} + +struct resolv_hostent * +test_create_rhostent(TALLOC_CTX *mem_ctx, + const char *hostname, const char *address) +{ + struct resolv_hostent *rhostent; + int ret; + int family; + + rhostent = talloc_zero(mem_ctx, struct resolv_hostent); + if (!rhostent) { + return NULL; + } + + rhostent->name = talloc_strdup(rhostent, hostname); + rhostent->addr_list = talloc_array(rhostent, struct resolv_addr *, 2); + if (!rhostent->name || + !rhostent->addr_list) { + goto fail; + } + + rhostent->addr_list[0] = talloc_zero(rhostent->addr_list, + struct resolv_addr); + if (!rhostent->addr_list[0]) { + goto fail; + } + rhostent->addr_list[0]->ipaddr = talloc_array(rhostent->addr_list[0], + uint8_t, + sizeof(struct in6_addr)); + if (!rhostent->addr_list[0]->ipaddr) { + goto fail; + } + + family = AF_INET; + ret = inet_pton(family, address, + rhostent->addr_list[0]->ipaddr); + if (ret != 1) { + family = AF_INET6; + ret = inet_pton(family, address, + rhostent->addr_list[0]->ipaddr); + if (ret != 1) { + goto fail; + } + } + + rhostent->addr_list[0]->ttl = RESOLV_DEFAULT_TTL; + rhostent->addr_list[1] = NULL; + rhostent->family = family; + rhostent->aliases = NULL; + + return rhostent; + +fail: + talloc_free(rhostent); + return NULL; +} + +START_TEST(test_copy_hostent) +{ + void *ctx; + struct resolv_hostent *rhe; + + char name[] = "foo.example.com"; + char alias_1[] = "bar.example.com"; + char alias_2[] = "baz.example.com"; + char *aliases[] = { alias_1, alias_2, NULL }; + struct in_addr addr_1 = { 1234 }; + struct in_addr addr_2 = { 5678 }; + int ttl_1 = 12; + int ttl_2 = 34; + char *addr_list[] = { (char *) &addr_2, (char *) &addr_1, NULL }; + struct hostent he = { + name, aliases, AF_INET, + sizeof(addr_1), addr_list + }; + struct ares_addrttl attl[] = { { addr_1, ttl_1 }, { addr_2, ttl_2 } }; + + ctx = talloc_new(global_talloc_context); + fail_if(ctx == NULL); + + 
ck_leaks_push(ctx); + + rhe = resolv_copy_hostent_ares(ctx, &he, AF_INET, &attl, 2); + + fail_if(rhe == NULL); + fail_if(strcmp(rhe->name, name)); + fail_if(strcmp(rhe->aliases[0], alias_1)); + fail_if(strcmp(rhe->aliases[1], alias_2)); + fail_if(rhe->aliases[2] != NULL); + fail_if(rhe->family != AF_INET); + fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_1, sizeof(addr_1))); + fail_if(rhe->addr_list[0]->ttl != ttl_1); + fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_2, sizeof(addr_2))); + fail_if(rhe->addr_list[1]->ttl != ttl_2); + fail_if(rhe->addr_list[2] != NULL); + + talloc_zfree(rhe); + + rhe = resolv_copy_hostent(ctx, &he); + fail_if(rhe == NULL); + fail_if(strcmp(rhe->name, name)); + fail_if(strcmp(rhe->aliases[0], alias_1)); + fail_if(strcmp(rhe->aliases[1], alias_2)); + fail_if(rhe->aliases[2] != NULL); + fail_if(rhe->family != AF_INET); + fail_if(memcmp(rhe->addr_list[0]->ipaddr, &addr_2, sizeof(addr_1))); + fail_if(rhe->addr_list[0]->ttl != RESOLV_DEFAULT_TTL); + fail_if(memcmp(rhe->addr_list[1]->ipaddr, &addr_1, sizeof(addr_2))); + fail_if(rhe->addr_list[1]->ttl != RESOLV_DEFAULT_TTL); + fail_if(rhe->addr_list[2] != NULL); + + talloc_free(rhe); + + ck_leaks_pop(ctx); +} +END_TEST + +START_TEST(test_address_to_string) +{ + void *ctx; + struct resolv_hostent *rhe; + char *str_addr; + char *ptr_addr; + + ctx = talloc_new(global_talloc_context); + fail_if(ctx == NULL); + ck_leaks_push(ctx); + + rhe = test_create_rhostent(ctx, "www.example.com", "1.2.3.4"); + fail_if(rhe == NULL); + + str_addr = resolv_get_string_address_index(ctx, rhe, 0); + fail_if(str_addr == NULL); + fail_unless(strcmp(str_addr, "1.2.3.4") == 0, "Unexpected address\n"); + talloc_free(str_addr); + + ptr_addr = resolv_get_string_ptr_address(ctx, rhe->family, + rhe->addr_list[0]->ipaddr); + fail_if(ptr_addr == NULL); + fail_unless(strcmp(ptr_addr, "4.3.2.1.in-addr.arpa.") == 0, "Unexpected PTR address\n"); + talloc_free(ptr_addr); + + talloc_free(rhe); + + rhe = test_create_rhostent(ctx, 
"www6.example.com", "2607:f8b0:400c:c03::6a"); + fail_if(rhe == NULL); + + str_addr = resolv_get_string_address_index(ctx, rhe, 0); + fail_if(str_addr == NULL); + fail_unless(strcmp(str_addr, "2607:f8b0:400c:c03::6a") == 0, "Unexpected address\n"); + talloc_free(str_addr); + + ptr_addr = resolv_get_string_ptr_address(ctx, rhe->family, + rhe->addr_list[0]->ipaddr); + fail_if(ptr_addr == NULL); + fail_unless(strcmp(ptr_addr, + "a.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.c.0.c.0.0.4.0.b.8.f.7.0.6.2.ip6.arpa.") == 0, "Unexpected PTR address\n"); + talloc_free(ptr_addr); + + talloc_free(rhe); + ck_leaks_pop(ctx); +} +END_TEST + +static void test_ip_addr(struct tevent_req *req) +{ + int recv_status; + int status; + struct resolv_hostent *rhostent; + int i; + struct resolv_test_ctx *test_ctx = tevent_req_callback_data(req, + struct resolv_test_ctx); + + test_ctx->done = true; + + recv_status = resolv_gethostbyname_recv(req, test_ctx, + &status, NULL, &rhostent); + talloc_zfree(req); + if (recv_status != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "resolv_gethostbyname_recv failed: %d\n", recv_status); + test_ctx->error = recv_status; + return; + } + DEBUG(SSSDBG_TRACE_LIBS, "resolv_gethostbyname_recv status: %d\n", status); + + test_ctx->error = ENOENT; + for (i = 0; rhostent->addr_list[i]; i++) { + char addr_buf[256]; + inet_ntop(rhostent->family, + rhostent->addr_list[i]->ipaddr, + addr_buf, sizeof(addr_buf)); + + if (strcmp(addr_buf, "127.0.0.1") == 0) { + test_ctx->error = EOK; + } + } + talloc_free(rhostent); +} + +START_TEST(test_resolv_ip_addr) +{ + struct resolv_test_ctx *test_ctx; + int ret = EOK; + struct tevent_req *req; + const char *hostname = "127.0.0.1"; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + ck_leaks_push(test_ctx); + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, IPV4_ONLY, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent 
resolv_gethostbyname\n"); + if (req == NULL) { + ret = ENOMEM; + } + + if (ret == EOK) { + tevent_req_set_callback(req, test_ip_addr, test_ctx); + ret = test_loop(test_ctx); + } + + ck_leaks_pop(test_ctx); + fail_unless(ret == EOK); + + talloc_zfree(test_ctx); +} +END_TEST + +static void test_localhost(struct tevent_req *req) +{ + int recv_status; + int status; + struct resolv_hostent *rhostent; + int i; + struct resolv_test_ctx *test_ctx = tevent_req_callback_data(req, + struct resolv_test_ctx); + + test_ctx->done = true; + + recv_status = resolv_gethostbyname_recv(req, test_ctx, + &status, NULL, &rhostent); + talloc_zfree(req); + if (recv_status != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "resolv_gethostbyname_recv failed: %d\n", recv_status); + test_ctx->error = recv_status; + return; + } + DEBUG(SSSDBG_TRACE_LIBS, "resolv_gethostbyname_recv status: %d\n", status); + + test_ctx->error = ENOENT; + for (i = 0; rhostent->addr_list[i]; i++) { + char addr_buf[256]; + inet_ntop(rhostent->family, rhostent->addr_list[i]->ipaddr, + addr_buf, sizeof(addr_buf)); + + /* test that localhost resolves to 127.0.0.1 or ::1 */ + if (strcmp(addr_buf, "127.0.0.1") == 0 || strcmp(addr_buf, "::1") == 0) { + test_ctx->error = EOK; + } + } + talloc_free(rhostent); +} + +START_TEST(test_resolv_localhost) +{ + struct resolv_test_ctx *test_ctx; + int ret = EOK; + struct tevent_req *req; + const char *hostname = "localhost.localdomain"; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + ck_leaks_push(test_ctx); + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, IPV4_FIRST, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent resolv_gethostbyname\n"); + if (req == NULL) { + ret = ENOMEM; + } + + if (ret == EOK) { + tevent_req_set_callback(req, test_localhost, test_ctx); + ret = test_loop(test_ctx); + } + + ck_leaks_pop(test_ctx); + fail_unless(ret == EOK); + + 
talloc_zfree(test_ctx); +} +END_TEST + +static void test_negative(struct tevent_req *req) +{ + int recv_status; + int status; + struct resolv_hostent *hostent; + struct resolv_test_ctx *test_ctx; + + test_ctx = tevent_req_callback_data(req, struct resolv_test_ctx); + test_ctx->done = true; + + recv_status = resolv_gethostbyname_recv(req, test_ctx, + &status, NULL, &hostent); + talloc_zfree(req); + if (recv_status == EOK) { + DEBUG(SSSDBG_TRACE_LIBS, + "resolv_gethostbyname_recv succeeded in a negative test\n"); + return; + } + + test_ctx->error = status; + DEBUG(SSSDBG_OP_FAILURE, + "resolv_gethostbyname_recv status: %d: %s\n", status, resolv_strerror(status)); +} + +START_TEST(test_resolv_negative) +{ + int ret = EOK; + struct tevent_req *req; + const char *hostname = "sssd.foo"; + struct resolv_test_ctx *test_ctx; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + ck_leaks_push(test_ctx); + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, IPV4_FIRST, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent resolv_gethostbyname\n"); + if (req == NULL) { + ret = ENOMEM; + } + + if (ret == EOK) { + tevent_req_set_callback(req, test_negative, test_ctx); + ret = test_loop(test_ctx); + } + + ck_leaks_pop(test_ctx); + + fail_unless(ret != EOK); + fail_unless(test_ctx->error == ARES_ENOTFOUND); + talloc_zfree(test_ctx); +} +END_TEST + +static void test_internet(struct tevent_req *req) +{ + int recv_status; + int status; + struct resolv_test_ctx *test_ctx; + void *tmp_ctx; + struct resolv_hostent *rhostent = NULL; + struct ares_txt_reply *txt_replies = NULL, *txtptr; + struct ares_srv_reply *srv_replies = NULL, *srvptr; + int i; + + test_ctx = tevent_req_callback_data(req, struct resolv_test_ctx); + + test_ctx->done = true; + + tmp_ctx = talloc_new(test_ctx); + ck_leaks_push(tmp_ctx); + + switch (test_ctx->tested_function) { + case TESTING_HOSTNAME: + 
recv_status = resolv_gethostbyname_recv(req, tmp_ctx, + &status, NULL, &rhostent); + test_ctx->error = (rhostent->name == NULL) ? ENOENT : EOK; + if (test_ctx->error == EOK) { + char addr_buf[256]; + for (i=0; rhostent->addr_list[i]; i++) { + inet_ntop(rhostent->family, + rhostent->addr_list[i]->ipaddr, + addr_buf, sizeof(addr_buf)); + DEBUG(SSSDBG_OP_FAILURE, "Found address %s with TTL %d\n", + addr_buf, rhostent->addr_list[i]->ttl); + } + } + break; + case TESTING_TXT: + recv_status = resolv_gettxt_recv(tmp_ctx, req, &status, NULL, + &txt_replies); + test_ctx->error = (txt_replies == NULL) ? ENOENT : EOK; + for (txtptr = txt_replies; txtptr != NULL; txtptr = txtptr->next) { + DEBUG(SSSDBG_OP_FAILURE, "TXT Record: %s\n", txtptr->txt); + } + break; + case TESTING_SRV: + recv_status = resolv_getsrv_recv(tmp_ctx, req, &status, NULL, + &srv_replies, NULL); + test_ctx->error = (srv_replies == NULL) ? ENOENT : EOK; + for (srvptr = srv_replies; srvptr != NULL; srvptr = srvptr->next) { + DEBUG(SSSDBG_OP_FAILURE, + "SRV Record: %d %d %d %s\n", srvptr->weight, + srvptr->priority, srvptr->port, + srvptr->host); + } + break; + default: + recv_status = EINVAL; + break; + } + talloc_zfree(req); + fail_if(recv_status != EOK, "The recv function failed: %d", recv_status); + DEBUG(SSSDBG_TRACE_LIBS, "recv status: %d\n", status); + + if (rhostent != NULL) { + talloc_free(rhostent); + } else if (txt_replies != NULL) { + talloc_free(txt_replies); + } else if (srv_replies != NULL) { + talloc_free(srv_replies); + } + ck_leaks_pop(tmp_ctx); +} + +START_TEST(test_resolv_internet) +{ + int ret = EOK; + struct tevent_req *req; + const char *hostname = "redhat.com"; + struct resolv_test_ctx *test_ctx; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + test_ctx->tested_function = TESTING_HOSTNAME; + + ck_leaks_push(test_ctx); + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, 
IPV4_FIRST, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent resolv_gethostbyname\n"); + if (req == NULL) { + ret = ENOMEM; + } + + if (ret == EOK) { + tevent_req_set_callback(req, test_internet, test_ctx); + ret = test_loop(test_ctx); + } + + fail_unless(ret == EOK); + ck_leaks_pop(test_ctx); + talloc_zfree(test_ctx); +} +END_TEST + +START_TEST(test_resolv_internet_txt) +{ + int ret; + struct tevent_req *req; + struct resolv_test_ctx *test_ctx; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + fail_if(ret != EOK, "Could not set up test"); + test_ctx->tested_function = TESTING_TXT; + + ck_leaks_push(test_ctx); + + req = resolv_gettxt_send(test_ctx, test_ctx->ev, test_ctx->resolv, txt_host); + fail_if(req == NULL, "Function resolv_gettxt_send failed"); + + tevent_req_set_callback(req, test_internet, test_ctx); + ret = test_loop(test_ctx); + fail_unless(ret == EOK); + + ck_leaks_pop(test_ctx); + + talloc_zfree(test_ctx); +} +END_TEST + +START_TEST(test_resolv_internet_srv) +{ + int ret; + struct tevent_req *req; + struct resolv_test_ctx *test_ctx; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + fail_if(ret != EOK, "Could not set up test"); + test_ctx->tested_function = TESTING_SRV; + + ck_leaks_push(test_ctx); + + req = resolv_getsrv_send(test_ctx, test_ctx->ev, test_ctx->resolv, srv_host); + fail_if(req == NULL, "Function resolv_getsrv_send failed"); + + tevent_req_set_callback(req, test_internet, test_ctx); + ret = test_loop(test_ctx); + fail_unless(ret == EOK); + + ck_leaks_pop(test_ctx); + + talloc_zfree(test_ctx); +} +END_TEST + +static void resolv_free_context(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) +{ + struct resolv_ctx *rctx = talloc_get_type(ptr, struct resolv_ctx); + DEBUG(SSSDBG_TRACE_LIBS, "freeing the context\n"); + + talloc_free(rctx); +} + +static void resolv_free_done(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) +{ + struct 
resolv_test_ctx *tctx = talloc_get_type(ptr, struct resolv_test_ctx); + DEBUG(SSSDBG_TRACE_LIBS, "marking test as done\n"); + + tctx->error = EOK; + tctx->done = true; +} + +START_TEST(test_resolv_free_context) +{ + int ret = EOK; + struct tevent_req *req; + const char *hostname = "redhat.com"; + struct resolv_test_ctx *test_ctx; + struct tevent_timer *free_timer, *terminate_timer; + struct timeval free_tv, terminate_tv; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, IPV4_FIRST, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent resolv_gethostbyname\n"); + if (req == NULL) { + fail("Error calling resolv_gethostbyname_send"); + goto done; + } + + gettimeofday(&free_tv, NULL); + free_tv.tv_sec += 1; + free_tv.tv_usec = 0; + terminate_tv.tv_sec = free_tv.tv_sec + 1; + terminate_tv.tv_usec = 0; + + free_timer = tevent_add_timer(test_ctx->ev, test_ctx, free_tv, resolv_free_context, test_ctx->resolv); + if (free_timer == NULL) { + fail("Error calling tevent_add_timer"); + goto done; + } + + terminate_timer = tevent_add_timer(test_ctx->ev, test_ctx, terminate_tv, resolv_free_done, test_ctx); + if (terminate_timer == NULL) { + fail("Error calling tevent_add_timer"); + goto done; + } + + ret = test_loop(test_ctx); + fail_unless(ret == EOK); + +done: + talloc_zfree(test_ctx); +} +END_TEST + +static void resolv_free_req(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval t, void *ptr) +{ + struct tevent_req *req = talloc_get_type(ptr, struct tevent_req); + DEBUG(SSSDBG_TRACE_LIBS, "freeing the request\n"); + + talloc_free(req); +} + +START_TEST(test_resolv_sort_srv_reply) +{ + int ret; + struct ares_srv_reply *replies = NULL; + struct ares_srv_reply *r, *prev = NULL; + struct resolv_test_ctx *test_ctx; + int num_replies = 3; + int i; + + ret = 
setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + ck_leaks_push(test_ctx); + + /* prepare linked list with reversed values */ + for (i = 0; ipriority = num_replies-i; + r->weight = i; + + if (!replies) { + replies = r; + prev = r; + } else { + prev->next = r; + prev = prev->next; + } + } + + /* do the sort */ + ret = resolv_sort_srv_reply(&replies); + fail_if(ret != EOK); + + /* check if the list is sorted */ + prev = NULL; + for (i = 1, r = replies; r; r=r->next, i++) { + talloc_zfree(prev); + prev = r; + fail_unless(r->priority == i); + } + talloc_zfree(prev); + + /* check if the list is complete */ + fail_unless(i-1 == num_replies); + + /* test if the weighting algorithm runs..not much do + * deterministically test here since it is based on + * random weight-selection */ + replies = NULL; + for (i = 0; ipriority = i % 2 + 1; + r->weight = i; + + if (!replies) { + replies = r; + prev = r; + } else { + prev->next = r; + prev = prev->next; + } + } + + /* do the sort */ + ret = resolv_sort_srv_reply(&replies); + fail_if(ret != EOK); + + /* clean up */ + prev = NULL; + for (r = replies; r; r=r->next) { + talloc_zfree(prev); + prev = r; + } + talloc_zfree(prev); + + + /* check for leaks */ + ck_leaks_pop(test_ctx); + talloc_zfree(test_ctx); +} +END_TEST + +START_TEST(test_resolv_sort_srv_reply_zero_weight) +{ + int ret; + struct ares_srv_reply *replies = NULL; + struct ares_srv_reply *r, *prev = NULL; + struct resolv_test_ctx *test_ctx; + int num_replies = 6; + int i; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + ck_leaks_push(test_ctx); + + /* prepare linked list */ + for (i = 0; i < num_replies; i++) { + r = talloc_zero(test_ctx, struct ares_srv_reply); + fail_if(r == NULL); + + r->priority = 20; + r->priority = i <= 3 ? 10 : r->priority; + r->priority = i <= 1 ? 
0 : r->priority; + r->weight = 0; + + if (replies == NULL) { + replies = r; + prev = r; + } else { + prev->next = r; + prev = prev->next; + } + } + + /* do the sort */ + ret = resolv_sort_srv_reply(&replies); + fail_if(ret != EOK); + + /* check if the list contains all values and is sorted */ + for (i = 0, r = replies; r != NULL; r = r->next, i++) { + if (r->next != NULL) { + fail_unless(r->priority <= r->next->priority); + } + } + fail_unless(i == num_replies); + + /* clean up */ + prev = NULL; + for (r = replies; r != NULL; r=r->next) { + talloc_zfree(prev); + prev = r; + } + talloc_zfree(prev); + + + /* check for leaks */ + ck_leaks_pop(test_ctx); + talloc_zfree(test_ctx); +} +END_TEST + +START_TEST(test_resolv_free_req) +{ + int ret = EOK; + struct tevent_req *req; + const char *hostname = "redhat.com"; + struct resolv_test_ctx *test_ctx; + struct tevent_timer *free_timer, *terminate_timer; + struct timeval free_tv, terminate_tv; + + ret = setup_resolv_test(RESOLV_DEFAULT_TIMEOUT, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + ck_leaks_push(test_ctx); + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, IPV4_FIRST, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent resolv_gethostbyname\n"); + if (req == NULL) { + fail("Error calling resolv_gethostbyname_send"); + goto done; + } + + gettimeofday(&free_tv, NULL); + free_tv.tv_sec += 1; + free_tv.tv_usec = 0; + /* Give enough time for c-ares request to terminate */ + terminate_tv.tv_sec = free_tv.tv_sec + 6; + terminate_tv.tv_usec = 0; + + free_timer = tevent_add_timer(test_ctx->ev, test_ctx, free_tv, resolv_free_req, req); + if (free_timer == NULL) { + fail("Error calling tevent_add_timer"); + goto done; + } + + terminate_timer = tevent_add_timer(test_ctx->ev, test_ctx, terminate_tv, resolv_free_done, test_ctx); + if (terminate_timer == NULL) { + fail("Error calling tevent_add_timer"); + goto done; + } + + ret = test_loop(test_ctx); + 
ck_leaks_pop(test_ctx); + fail_unless(ret == EOK); + +done: + talloc_zfree(test_ctx); +} +END_TEST + +static void test_timeout(struct tevent_req *req) +{ + int recv_status; + int status; + struct resolv_test_ctx *test_ctx; + TALLOC_CTX *tmp_ctx; + struct resolv_hostent *rhostent = NULL; + + test_ctx = tevent_req_callback_data(req, struct resolv_test_ctx); + + test_ctx->done = true; + + tmp_ctx = talloc_new(test_ctx); + ck_leaks_push(tmp_ctx); + + fail_unless(test_ctx->tested_function == TESTING_HOSTNAME); + recv_status = resolv_gethostbyname_recv(req, tmp_ctx, + &status, NULL, &rhostent); + talloc_zfree(req); + fail_unless(recv_status == ETIMEDOUT); + fail_unless(status == ARES_ETIMEOUT); + ck_leaks_pop(tmp_ctx); + talloc_free(tmp_ctx); +} + +START_TEST(test_resolv_timeout) +{ + struct resolv_test_ctx *test_ctx; + errno_t ret; + struct tevent_req *req; + const char *hostname = "redhat.com"; + + ret = setup_resolv_test(0, &test_ctx); + if (ret != EOK) { + fail("Could not set up test"); + return; + } + + test_ctx->tested_function = TESTING_HOSTNAME; + + req = resolv_gethostbyname_send(test_ctx, test_ctx->ev, + test_ctx->resolv, hostname, IPV4_FIRST, + default_host_dbs); + DEBUG(SSSDBG_TRACE_LIBS, "Sent resolv_gethostbyname\n"); + if (req == NULL) { + ret = ENOMEM; + } + + if (ret == EOK) { + tevent_req_set_callback(req, test_timeout, test_ctx); + ret = test_loop(test_ctx); + } + + fail_unless(ret == EOK); + talloc_zfree(test_ctx); +} +END_TEST + +Suite *create_resolv_suite(void) +{ + Suite *s = suite_create("resolv"); + + TCase *tc_resolv = tcase_create("RESOLV Tests"); + tcase_set_timeout(tc_resolv, 8); + + tcase_add_checked_fixture(tc_resolv, ck_leak_check_setup, ck_leak_check_teardown); + /* Do some testing */ + tcase_add_test(tc_resolv, test_copy_hostent); + tcase_add_test(tc_resolv, test_address_to_string); + tcase_add_test(tc_resolv, test_resolv_ip_addr); + tcase_add_test(tc_resolv, test_resolv_sort_srv_reply); + tcase_add_test(tc_resolv, 
test_resolv_sort_srv_reply_zero_weight); + if (use_net_test) { + tcase_add_test(tc_resolv, test_resolv_internet); + tcase_add_test(tc_resolv, test_resolv_negative); + tcase_add_test(tc_resolv, test_resolv_localhost); + tcase_add_test(tc_resolv, test_resolv_timeout); + if (txt_host != NULL) { + tcase_add_test(tc_resolv, test_resolv_internet_txt); + } + if (srv_host != NULL) { + tcase_add_test(tc_resolv, test_resolv_internet_srv); + } + } + tcase_add_test(tc_resolv, test_resolv_free_context); + tcase_add_test(tc_resolv, test_resolv_free_req); + + /* Add all test cases to the test suite */ + suite_add_tcase(s, tc_resolv); + + return s; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int failure_count; + Suite *resolv_suite; + SRunner *sr; + int debug = 0; + + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug-level", 'd', POPT_ARG_INT, &debug, 0, "Set debug level", NULL }, + { "use-net-test", 'n', POPT_ARG_NONE, 0, 'n', "Run tests that need an active internet connection", NULL }, + { "txt-host", 't', POPT_ARG_STRING, 0, 't', "Specify the host used for TXT record testing", NULL }, + { "srv-host", 's', POPT_ARG_STRING, 0, 's', "Specify the host used for SRV record testing", NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + case 'n': + use_net_test = 1; + break; + case 't': + txt_host = poptGetOptArg(pc); + break; + case 's': + srv_host = poptGetOptArg(pc); + break; + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug); + + if (!use_net_test) { + printf("Network tests disabled. 
Rerun with the \"-n\" " + "option to run the full suite of tests\n"); + } + + tests_set_cwd(); + + resolv_suite = create_resolv_suite(); + sr = srunner_create(resolv_suite); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed(sr); + srunner_free(sr); + return (failure_count==0 ? EXIT_SUCCESS : EXIT_FAILURE); +} + diff --git a/src/tests/responder_socket_access-tests.c b/src/tests/responder_socket_access-tests.c new file mode 100644 index 0000000..8bb72e7 --- /dev/null +++ b/src/tests/responder_socket_access-tests.c 
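Review bot: In test_internet the TESTING_HOSTNAME case reads `rhostent->name` immediately after resolv_gethostbyname_recv, before recv_status is examined; rhostent is initialised to NULL, so if the recv call fails and leaves the output untouched (its implementation is not part of this hunk) the callback dereferences NULL and the later `fail_if(recv_status != EOK, ...)` is never reached. Fold the status into the assignment, `test_ctx->error = (recv_status != EOK || rhostent == NULL || rhostent->name == NULL) ? ENOENT : EOK;`, so a failed lookup is reported as a test failure. Separately, create_resolv_suite registers test_resolv_free_context and test_resolv_free_req outside the `if (use_net_test)` block although both send a lookup for "redhat.com", so a default run without `-n` still emits DNS queries from the build host; moving them under the gate, or pointing them at a name that resolves locally, would keep the default suite hermetic.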
@@ -0,0 +1,178 @@ +/* + SSSD - Test for routine to check to access to responder sockets + + Authors: + Sumit Bose + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "tests/common.h" +#include "responder/common/responder.h" + +struct cli_protocol_version *register_cli_protocol_version(void) +{ + static struct cli_protocol_version responder_test_cli_protocol_version[] = { + {0, NULL, NULL} + }; + + return responder_test_cli_protocol_version; +} + +struct s2a_data { + const char *inp; + int exp_ret; + size_t exp_count; + uid_t *exp_uids; +}; + +struct s2a_data s2a_data[] = { + {"1,2,3", 0, 3, (uid_t []){1, 2, 3}}, + {"1,2,3, 4,5 , 6 , 7 ", 0, 7, (uid_t []){1, 2, 3, 4, 5, 6, 7}}, + {"1", 0, 1, (uid_t []){1}}, + {"1, +2,3", 0, 3, (uid_t []){1, 2, 3}}, + {"1, -2,3", ERANGE, 0, NULL}, + {"1, 2ab, 3, 4", EINVAL, 0, NULL}, + {"1,", EINVAL, 0, NULL}, + {"", EINVAL, 0, NULL}, + {"1, 2, 4294967295", 0, 3, (uid_t []){1, 2, 4294967295U}}, + {"1, 2, 4294967296", ERANGE, 0, NULL}, + {"1, 2, root, 4, 5", 0, 5, (uid_t []){1, 2, 0, 4, 5}}, + {NULL, EINVAL, 0, NULL}, + {NULL, -1, 0, NULL} +}; + +START_TEST(resp_str_to_array_test) +{ + int ret; + size_t uid_count; + uid_t *uids = NULL; + size_t c; + size_t d; + + for (c = 0; s2a_data[c].exp_ret != -1; c++) { + ret = csv_string_to_uid_array(global_talloc_context, s2a_data[c].inp, + true, &uid_count, &uids); + 
fail_unless(ret == s2a_data[c].exp_ret, + "csv_string_to_uid_array failed [%d][%s].", ret, + strerror(ret)); + if (ret == 0) { + fail_unless(uid_count == s2a_data[c].exp_count, + "Wrong number of values, expected [%d], got [%d].", + s2a_data[c].exp_count, uid_count); + for (d = 0; d < s2a_data[c].exp_count; d++) { + fail_unless(uids[d] == s2a_data[c].exp_uids[d], + "Wrong value, expected [%d], got [%d].\n", + s2a_data[c].exp_uids[d], uids[d]); + } + } + + talloc_free(uids); + uids = NULL; + } + +} +END_TEST + +struct uid_check_data { + uid_t uid; + size_t allowed_uids_count; + uid_t *allowed_uids; + int exp_ret; +}; + +struct uid_check_data uid_check_data[] = { + {1, 3, (uid_t []){1, 2, 3}, 0}, + {2, 3, (uid_t []){1, 2, 3}, 0}, + {3, 3, (uid_t []){1, 2, 3}, 0}, + {4, 3, (uid_t []){1, 2, 3}, EACCES}, + {4, 0, NULL, EINVAL}, + {0, 0, NULL, -1} +}; + +START_TEST(check_allowed_uids_test) +{ + int ret; + size_t c; + + for (c = 0; uid_check_data[c].exp_ret != -1; c++) { + ret = check_allowed_uids(uid_check_data[c].uid, + uid_check_data[c].allowed_uids_count, + uid_check_data[c].allowed_uids); + fail_unless(ret == uid_check_data[c].exp_ret, + "check_allowed_uids failed [%d][%s].", ret, strerror(ret)); + } +} +END_TEST + +Suite *responder_test_suite(void) +{ + Suite *s = suite_create ("Responder socket access"); + + TCase *tc_utils = tcase_create("Utility test"); + + tcase_add_test(tc_utils, resp_str_to_array_test); + tcase_add_test(tc_utils, check_allowed_uids_test); + + suite_add_tcase(s, tc_utils); + + return s; +} + +int main(int argc, const char *argv[]) +{ + int opt; + int number_failed; + poptContext pc; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + tests_set_cwd(); + + Suite *s = responder_test_suite(); + SRunner *sr = srunner_create(s); + + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE; +} diff --git a/src/tests/safe-format-tests.c b/src/tests/safe-format-tests.c new file mode 100644 index 0000000..0fe813e --- /dev/null +++ b/src/tests/safe-format-tests.c 
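Review bot: The `fail_unless` messages in `resp_str_to_array_test` pass `size_t` and `uid_t` values to `%d`, a format/argument mismatch that is undefined where `size_t` is wider than `int` and that would print the 4294967295 fixture as a negative number when the assertion fires. Use `"Wrong number of values, expected [%zu], got [%zu]."` for the counts, and cast the UIDs, e.g. `(unsigned long)uids[d]` with `%lu`. Because these helpers decide which UIDs may reach a responder socket, `uid_check_data` would also benefit from a row for UID 0 against a list that does not contain it, such as `{0, 3, (uid_t []){1, 2, 3}, EACCES}`, with the expected value confirmed against check_allowed_uids. The existing `{0, 0, NULL, -1}` row is only the loop terminator and is never checked.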
@@ -0,0 +1,252 @@ +/* + * This file originated in realmd + * + * Copyright 2012 Red Hat Inc + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; either version 2 of the licence or (at + * your option) any later version. + * + * See the included COPYING file for more information. + * + * Author: Stef Walter + */ + +#include "config.h" + +#include "src/util/safe-format-string.h" + +#include +#include +#include +#include + +#ifndef ck_assert_int_ge +#define ck_assert_int_ge(X, Y) _ck_assert_int(X, >=, Y) +#endif + +#ifndef ck_assert_int_lt +#define ck_assert_int_lt(X, Y) _ck_assert_int(X, <, Y) +#endif + +typedef struct { + const char *format; + const char *args[8]; + const char *result; +} Fixture; + +static const Fixture fixtures[] = { + { + /* Just a bog standard string */ + "%s", { "blah", NULL, }, + "blah" + }, + { + /* Empty to print */ + "%s", { "", NULL, }, + "" + }, + { + /* Nothing to print */ + "", { "blah", NULL, }, + "" + }, + { + /* Width right aligned */ + "%8s", { "blah", NULL, }, + " blah" + }, + { + /* Width left aligned */ + "whoop %-8s doo", { "dee", NULL, }, + "whoop dee doo" + }, + { + /* Width space aligned (ignored) */ + "whoop % 8s doo", { "dee", NULL, }, + "whoop dee doo" + }, + { + /* Width left space aligned (ignored) */ + "whoop % -8s doo", { "dee", NULL, }, + "whoop dee doo" + }, + { + /* Precision 1 digit */ + "whoop %.3s doo", { "deedle-dee", NULL, }, + "whoop dee doo" + }, + { + /* Precision, N digits */ + "whoop %.10s doo", { "deedle-dee-deedle-do-deedle-dum", NULL, }, + "whoop deedle-dee doo" + }, + { + /* Precision, zero digits */ + "whoop %.s doo", { "deedle", NULL, }, + "whoop doo" + }, + { + /* Multiple simple arguments */ + "space %s %s", { "man", "dances", NULL, }, + "space man dances" + }, + { + /* Literal percent */ + "100%% of space folk dance", { NULL, }, + "100% of space folk dance" + }, 
+ { + /* Multiple simple arguments */ + "space %2$s %1$s", { "dances", "man", NULL, }, + "space man dances" + }, + { + /* Skipping an argument (not supported by standard printf) */ + "space %2$s dances", { "dances", "man", NULL, }, + "space man dances" + }, + + /* Failures start here */ + + { + /* Unsupported conversion */ + "%x", { "blah", NULL, }, + NULL + }, + { + /* Bad positional argument */ + "space %55$s dances", { "dances", "man", NULL, }, + NULL + }, + { + /* Zero positional argument */ + "space %0$s dances", { "dances", "man", NULL, }, + NULL + }, + { + /* Too many args used */ + "%s %s dances", { "space", NULL, }, + NULL + }, + { + /* Too many digits used */ + "%1234567890s dances", { "space", NULL, }, + NULL + }, +}; + + +static void +callback(void *data, const char *piece, size_t len) +{ + char **str = data; + *str = talloc_strndup_append(*str, piece, len); +} + +START_TEST(test_safe_format_string_cb) +{ + const Fixture *fixture; + char *out; + int num_args; + int ret; + void *mem_ctx; + + fixture = &fixtures[_i]; + mem_ctx = talloc_init("safe-printf"); + + for (num_args = 0; fixture->args[num_args] != NULL; ) + num_args++; + + out = talloc_strdup(mem_ctx, ""); + ret = safe_format_string_cb(callback, &out, fixture->format, + (const char * const*)fixture->args, num_args); + if (fixture->result) { + ck_assert_int_ge(ret, 0); + ck_assert_str_eq(out, fixture->result); + ck_assert_int_eq(ret, strlen(out)); + } else { + ck_assert_int_lt(ret, 0); + } + + talloc_free(mem_ctx); +} +END_TEST + +START_TEST(test_safe_format_string) +{ + char buffer[8]; + int ret; + + ret = safe_format_string(buffer, 8, "%s", "space", "man", NULL); + ck_assert_int_eq(ret, 5); + ck_assert_str_eq(buffer, "space"); + + ret = safe_format_string(buffer, 8, "", "space", "man", NULL); + ck_assert_int_eq(ret, 0); + ck_assert_str_eq(buffer, ""); + + ret = safe_format_string(buffer, 8, "the %s %s dances away", "space", "man", NULL); + ck_assert_int_eq(ret, 25); + ck_assert_str_eq(buffer, 
"the spa"); + + ret = safe_format_string(NULL, 0, "the %s %s dances away", "space", "man", NULL); + ck_assert_int_eq(ret, 25); + + ret = safe_format_string(buffer, 8, "%5$s", NULL); + ck_assert_int_lt(ret, 0); +} +END_TEST + +static Suite * +create_safe_format_suite(void) +{ + Suite *s = suite_create("safe-format"); + TCase *tc_format = tcase_create("safe-format-string"); + + /* One for each fixture */ + tcase_add_loop_test(tc_format, test_safe_format_string_cb, 0, + (sizeof (fixtures) / sizeof (fixtures[0]))); + + tcase_add_test(tc_format, test_safe_format_string); + + suite_add_tcase(s, tc_format); + + return s; +} + +int +main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int failure_count; + Suite *suite; + SRunner *sr; + + struct poptOption long_options[] = { + POPT_AUTOHELP + POPT_TABLEEND + }; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + suite = create_safe_format_suite(); + sr = srunner_create(suite); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed(sr); + srunner_free(sr); + return (failure_count==0 ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/tests/sbus_codegen_tests.c b/src/tests/sbus_codegen_tests.c new file mode 100644 index 0000000..2eae78a --- /dev/null +++ b/src/tests/sbus_codegen_tests.c 
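Review bot: The failure fixtures cover `%x`, bad positional indexes, too few arguments and an oversized width, but there is no case for `%n` or for a `*` width/precision, which are the conversions a restricted formatter most needs to refuse. Rows such as `{ "%n", { "blah", NULL, }, NULL },` and `{ "%*s", { "blah", NULL, }, NULL },` would pin that behaviour, assuming safe_format_string_cb rejects them the way it rejects `%x`; its implementation is not part of this hunk. Separately, `callback` stores the result of `talloc_strndup_append` without a NULL check, so an allocation failure reaches `ck_assert_str_eq(out, fixture->result)` as a NULL pointer. Adding `ck_assert(*str != NULL);` after the append would make that failure explicit.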
@@ -0,0 +1,1563 @@ +/* + SSSD + + sbus_codegen tests. + + Authors: + Stef Walter + + Copyright (C) Red Hat, Inc 2014 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "sbus/sssd_dbus_meta.h" +#include "tests/common.h" +#include "tests/sbus_codegen_tests_generated.h" +#include "util/util_errors.h" + +/* The following 2 macros were taken from check's project source files (0.9.10) + * http://check.sourceforge.net/ + */ +#ifndef _ck_assert_uint +#define _ck_assert_uint(X, OP, Y) do { \ + uintmax_t _ck_x = (X); \ + uintmax_t _ck_y = (Y); \ + ck_assert_msg(_ck_x OP _ck_y, "Assertion '"#X#OP#Y"' failed: "#X"==%ju, "#Y"==%ju", _ck_x, _ck_y); \ +} while (0) +#endif /* _ck_assert_uint */ + +#ifndef ck_assert_uint_eq +#define ck_assert_uint_eq(X, Y) _ck_assert_uint(X, ==, Y) +#endif /* ck_assert_uint_eq */ + +static const struct sbus_arg_meta * +find_arg(const struct sbus_arg_meta *args, + const char *name) +{ + const struct sbus_arg_meta *arg; + for (arg = args; arg->name != NULL; arg++) { + if (strcmp (arg->name, name) == 0) + return arg; + } + + return NULL; +} + +START_TEST(test_interfaces) +{ + ck_assert_str_eq(com_planetexpress_Ship_meta.name, "com.planetexpress.Ship"); + ck_assert(com_planetexpress_Ship_meta.methods != NULL); + ck_assert(com_planetexpress_Ship_meta.signals != NULL); + ck_assert(com_planetexpress_Ship_meta.properties != NULL); + + /* 
Explicit C Symbol */ + ck_assert_str_eq(test_pilot_meta.name, "com.planetexpress.Pilot"); + ck_assert(test_pilot_meta.methods != NULL); + ck_assert(test_pilot_meta.signals == NULL); /* no signals */ + ck_assert(test_pilot_meta.properties != NULL); + +} +END_TEST + +START_TEST(test_methods) +{ + const struct sbus_method_meta *method; + const struct sbus_arg_meta *arg; + + method = sbus_meta_find_method(&com_planetexpress_Ship_meta, "MoveUniverse"); + ck_assert(method != NULL); + ck_assert_str_eq(method->name, "MoveUniverse"); + ck_assert(method->in_args != NULL); + ck_assert(method->out_args != NULL); + + arg = find_arg(method->in_args, "smoothly"); + ck_assert(arg != NULL); + ck_assert_str_eq(arg->name, "smoothly"); + ck_assert_str_eq(arg->type, "b"); + + arg = find_arg(method->out_args, "where_we_crashed"); + ck_assert(arg != NULL); + ck_assert_str_eq(arg->name, "where_we_crashed"); + ck_assert_str_eq(arg->type, "s"); +} +END_TEST + +START_TEST(test_properties) +{ + const struct sbus_property_meta *prop; + + prop = sbus_meta_find_property(&com_planetexpress_Ship_meta, "Color"); + ck_assert(prop != NULL); + ck_assert_str_eq(prop->name, "Color"); + ck_assert_str_eq(prop->type, "s"); + ck_assert_int_eq(prop->flags, SBUS_PROPERTY_READABLE); +} +END_TEST + +START_TEST(test_signals) +{ + const struct sbus_signal_meta *sig; + const struct sbus_arg_meta *arg; + + sig = sbus_meta_find_signal(&com_planetexpress_Ship_meta, "BecameSentient"); + ck_assert(sig != NULL); + ck_assert_str_eq(sig->name, "BecameSentient"); + ck_assert(sig->args != NULL); + + arg = find_arg(sig->args, "gender"); + ck_assert(arg != NULL); + ck_assert_str_eq(arg->name, "gender"); + ck_assert_str_eq(arg->type, "s"); +} +END_TEST + +static int +mock_move_universe(struct sbus_request *dbus_req, void *data, + bool arg_smoothly, uint32_t arg_speed_factor) +{ + /* + * The above arguments should match the handler signature, + * and the below finish function should have the right signature. 
+ * + * Not called, just testing compilation + */ + ck_assert(FALSE); + return com_planetexpress_Ship_MoveUniverse_finish(dbus_req, "here"); +} + +static int +mock_crash_now(struct sbus_request *dbus_req, void *data, + const char *where) +{ + /* + * One argument, no return value, yet a finish function should + * have been generated. + * + * Not called, just testing compilation + */ + ck_assert(FALSE); + return com_planetexpress_Ship_crash_now_finish(dbus_req); +} + +static int +mock_land(struct sbus_request *req, void *data) +{ + /* + * Raw handler, no finish function, no special arguments. + * + * Not called, just testing compilation + */ + ck_assert(FALSE); + return 0; +} + +START_TEST(test_vtable) +{ + struct com_planetexpress_Ship vtable = { + { &com_planetexpress_Ship_meta, 0 }, + mock_move_universe, + mock_crash_now, + mock_land, + NULL, + }; + + /* + * These are not silly tests: + * - Will fail compilation if c-symbol name was not respected + * - Will fail if method order was not respected + */ + ck_assert(vtable.crash_now == mock_crash_now); + ck_assert(vtable.MoveUniverse == mock_move_universe); + ck_assert(vtable.Land == mock_land); +} +END_TEST + +START_TEST(test_constants) +{ + ck_assert_str_eq(COM_PLANETEXPRESS_SHIP, "com.planetexpress.Ship"); + ck_assert_str_eq(COM_PLANETEXPRESS_SHIP_MOVEUNIVERSE, "MoveUniverse"); + ck_assert_str_eq(COM_PLANETEXPRESS_SHIP_CRASH_NOW, "Crash"); + ck_assert_str_eq(COM_PLANETEXPRESS_SHIP_BECAMESENTIENT, "BecameSentient"); + ck_assert_str_eq(COM_PLANETEXPRESS_SHIP_COLOR, "Color"); + + /* constants for com.planetexpress.Pilot */ + ck_assert_str_eq(TEST_PILOT, "com.planetexpress.Pilot"); + ck_assert_str_eq(TEST_PILOT_FULLNAME, "FullName"); +} +END_TEST + +TCase *create_defs_tests(void) +{ + TCase *tc = tcase_create("defs"); + + /* Do some testing */ + tcase_add_test(tc, test_interfaces); + tcase_add_test(tc, test_methods); + tcase_add_test(tc, test_properties); + tcase_add_test(tc, test_signals); + tcase_add_test(tc, 
test_vtable); + tcase_add_test(tc, test_constants); + + return tc; +} + +/* This is a handler which has all the basic arguments types */ +static int eject_handler(struct sbus_request *req, void *instance_data, + uint8_t arg_byte, bool arg_boolean, + int16_t arg_int16, uint16_t arg_uint16, int32_t arg_int32, + uint32_t arg_uint32, int64_t arg_int64, uint64_t arg_uint64, + double arg_double, const char *arg_string, const char *arg_object_path, + uint8_t arg_byte_array[], int len_byte_array, + int16_t arg_int16_array[], int len_int16_array, + uint16_t arg_uint16_array[], int len_uint16_array, + int32_t arg_int32_array[], int len_int32_array, + uint32_t arg_uint32_array[], int len_uint32_array, + int64_t arg_int64_array[], int len_int64_array, + uint64_t arg_uint64_array[], int len_uint64_array, + double arg_double_array[], int len_double_array, + const char *arg_string_array[], int len_string_array, + const char *arg_object_path_array[], int len_object_path_array) +{ + int i; + + /* Only called for leela, so double check here */ + ck_assert_str_eq(instance_data, "Crash into the billboard"); + + /* Murge the various values for test case */ + ck_assert_uint_eq(arg_byte, 11); + arg_byte++; + ck_assert(arg_boolean == TRUE); + arg_boolean = !arg_boolean; + ck_assert_int_eq(arg_int16, -2222); + arg_int16++; + ck_assert_uint_eq(arg_uint16, 3333); + arg_uint16++; + ck_assert_int_eq(arg_int32, -44444444); + arg_int32++; + ck_assert_uint_eq(arg_uint32, 55555555); + arg_uint32++; + ck_assert(arg_int64 == INT64_C(-6666666666666666)); + arg_int64++; + ck_assert(arg_uint64 == UINT64_C(7777777777777777)); + arg_uint64++; + ck_assert(arg_double == 1.1); + arg_double++; + + ck_assert_str_eq(arg_string, "hello"); + arg_string = "bears, beets, battlestar galactica"; + ck_assert_str_eq(arg_object_path, "/original/object/path"); + arg_object_path = "/another/object/path"; + + arg_byte_array = talloc_memdup(req, arg_byte_array, sizeof(uint8_t) * len_byte_array); + for (i = 0; i < 
len_byte_array; i++) + arg_byte_array[i]++; + + arg_int16_array = talloc_memdup(req, arg_int16_array, sizeof(int16_t) * len_int16_array); + for (i = 0; i < len_int16_array; i++) + arg_int16_array[i]++; + len_int16_array--; + + arg_uint16_array = talloc_memdup(req, arg_uint16_array, sizeof(uint16_t) * len_uint16_array); + for (i = 0; i < len_uint16_array; i++) + arg_uint16_array[i]++; + + arg_int32_array = talloc_memdup(req, arg_int32_array, sizeof(int32_t) * len_int32_array); + for (i = 0; i < len_int32_array; i++) + arg_int32_array[i]++; + len_int32_array--; + + arg_uint32_array = talloc_memdup(req, arg_uint32_array, sizeof(uint32_t) * len_uint32_array); + for (i = 0; i < len_uint32_array; i++) + arg_uint32_array[i]++; + + arg_int64_array = talloc_memdup(req, arg_int64_array, sizeof(int64_t) * len_int64_array); + for (i = 0; i < len_int64_array; i++) + arg_int64_array[i]++; + + arg_uint64_array = talloc_memdup(req, arg_uint64_array, sizeof(uint64_t) * len_uint64_array); + for (i = 0; i < len_uint64_array; i++) + arg_uint64_array[i]++; + + arg_double_array = talloc_memdup(req, arg_double_array, sizeof(double) * len_double_array); + for (i = 0; i < len_double_array; i++) + arg_double_array[i]++; + + arg_string_array = talloc_memdup(req, arg_string_array, sizeof(char *) * len_string_array); + for (i = 0; i < len_double_array; i++) { + ck_assert_str_eq(arg_string_array[i], "bears"); + arg_string_array[i] = "beets"; + } + len_string_array--; + + arg_object_path_array = talloc_memdup(req, arg_object_path_array, sizeof(char *) * len_object_path_array); + for (i = 0; i < len_object_path_array; i++) { + ck_assert_str_eq(arg_object_path_array[i], "/original"); + arg_object_path_array[i] = "/changed"; + } + + /* And reply with those values */ + return test_pilot_Eject_finish(req, arg_byte, arg_boolean, arg_int16, + arg_uint16, arg_int32, arg_uint32, + arg_int64, arg_uint64, arg_double, + arg_string, arg_object_path, + arg_byte_array, len_byte_array, + arg_int16_array, 
len_int16_array, + arg_uint16_array, len_uint16_array, + arg_int32_array, len_int32_array, + arg_uint32_array, len_uint32_array, + arg_int64_array, len_int64_array, + arg_uint64_array, len_uint64_array, + arg_double_array, len_double_array, + arg_string_array, len_string_array, + arg_object_path_array, len_object_path_array); +} + +#define getter_body(in, out) do { \ + ck_assert(dbus_req != NULL); \ + ck_assert(out != NULL); \ + *out = in; \ +} while(0); + +static const bool pilot_bool = true; +void pilot_get_boolean_handler(struct sbus_request *dbus_req, + void *instance_data, + bool *val) +{ + getter_body(pilot_bool, val); +} + +static const char *pilot_full_name = "Turanga Leela"; +void pilot_get_full_name_handler(struct sbus_request *dbus_req, + void *instance_data, + const char **name) +{ + getter_body(pilot_full_name, name); +} + +static const uint8_t pilot_byte = 42; +void pilot_get_byte_handler(struct sbus_request *dbus_req, + void *instance_data, + uint8_t *byte) +{ + getter_body(pilot_byte, byte); +} + +static const int16_t pilot_int16 = -123; +void pilot_get_int16_handler(struct sbus_request *dbus_req, + void *instance_data, + int16_t *int16) +{ + getter_body(pilot_int16, int16); +} + +static const uint16_t pilot_uint16 = 123; +void pilot_get_uint16_handler(struct sbus_request *dbus_req, + void *instance_data, + uint16_t *uint16) +{ + getter_body(pilot_uint16, uint16); +} + +static const int32_t pilot_int32 = -456; +void pilot_get_int32_handler(struct sbus_request *dbus_req, + void *instance_data, + int32_t *int32) +{ + getter_body(pilot_int32, int32); +} + +static const uint32_t pilot_uint32 = 456; +void pilot_get_uint32_handler(struct sbus_request *dbus_req, + void *instance_data, + uint32_t *uint32) +{ + getter_body(pilot_uint32, uint32); +} + +static const int64_t pilot_int64 = -456; +void pilot_get_int64_handler(struct sbus_request *dbus_req, + void *instance_data, + int64_t *int64) +{ + getter_body(pilot_int64, int64); +} + +static const uint64_t 
pilot_uint64 = 456; +void pilot_get_uint64_handler(struct sbus_request *dbus_req, + void *instance_data, + uint64_t *uint64) +{ + getter_body(pilot_uint64, uint64); +} + +static const double pilot_double = 3.14; +void pilot_get_double_handler(struct sbus_request *dbus_req, + void *instance_data, + double *double_val) +{ + getter_body(pilot_double, double_val); +} + +static const char *pilot_string = "leela"; +void pilot_get_string_handler(struct sbus_request *dbus_req, + void *instance_data, + const char **string_val) +{ + *string_val = pilot_string; +} + +static const char *pilot_path = "/path/leela"; +void pilot_get_objpath_handler(struct sbus_request *dbus_req, + void *instance_data, + const char **path_val) +{ + *path_val = pilot_path; +} + +void pilot_get_null_string_handler(struct sbus_request *dbus_req, + void *instance_data, + const char **string_val) +{ + *string_val = NULL; +} + +void pilot_get_null_path_handler(struct sbus_request *dbus_req, + void *instance_data, + const char **path_val) +{ + *path_val = NULL; +} + +#define array_getter_body(in, out, outlen) do { \ + ck_assert(dbus_req != NULL); \ + ck_assert(out != NULL); \ + ck_assert(outlen != NULL); \ + *out = in; \ + *outlen = N_ELEMENTS(in); \ +} while(0); + +static uint8_t pilot_byte_array[] = { 42, 0 }; +void pilot_get_byte_array_handler(struct sbus_request *dbus_req, + void *instance_data, + uint8_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_byte_array, arr_out, arr_len); +} + +static int16_t pilot_int16_array[] = { -123, 0 }; +void pilot_get_int16_array_handler(struct sbus_request *dbus_req, + void *instance_data, + int16_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_int16_array, arr_out, arr_len); +} + +static uint16_t pilot_uint16_array[] = { 123, 0 }; +void pilot_get_uint16_array_handler(struct sbus_request *dbus_req, + void *instance_data, + uint16_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_uint16_array, arr_out, arr_len); +} + +static int32_t 
pilot_int32_array[] = { -456, 0 }; +void pilot_get_int32_array_handler(struct sbus_request *dbus_req, + void *instance_data, + int32_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_int32_array, arr_out, arr_len); +} + +static uint32_t pilot_uint32_array[] = { 456, 0 }; +void pilot_get_uint32_array_handler(struct sbus_request *dbus_req, + void *instance_data, + uint32_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_uint32_array, arr_out, arr_len); +} + +static int64_t pilot_int64_array[] = { -789, 0 }; +void pilot_get_int64_array_handler(struct sbus_request *dbus_req, + void *instance_data, + int64_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_int64_array, arr_out, arr_len); +} + +static uint64_t pilot_uint64_array[] = { 789, 0 }; +void pilot_get_uint64_array_handler(struct sbus_request *dbus_req, + void *instance_data, + uint64_t **arr_out, int *arr_len) +{ + array_getter_body(pilot_uint64_array, arr_out, arr_len); +} + +static double pilot_double_array[] = { 3.14, 0 }; +void pilot_get_double_array_handler(struct sbus_request *dbus_req, + void *instance_data, + double **arr_out, int *arr_len) +{ + array_getter_body(pilot_double_array, arr_out, arr_len); +} + +static const char *pilot_string_array[] = { "Turanga", "Leela" }; +void pilot_get_string_array_handler(struct sbus_request *dbus_req, + void *data, + const char ***arr_out, + int *arr_len) +{ + array_getter_body(pilot_string_array, arr_out, arr_len); +} + +static const char *pilot_path_array[] = { "/some/path", "/another/path" }; +void pilot_get_path_array_handler(struct sbus_request *dbus_req, + void *data, + const char ***arr_out, + int *arr_len) +{ + array_getter_body(pilot_path_array, arr_out, arr_len); +} + +void special_get_array_dict_sas(struct sbus_request *sbus_req, + void *data, + hash_table_t **_out) +{ + hash_table_t *table; + hash_key_t key; + hash_value_t value; + char **values; + errno_t ret; + int hret; + + *_out = NULL; + + ret = sss_hash_create(sbus_req, 10, &table); 
+ ck_assert_int_eq(ret, EOK);
+
+ values = talloc_zero_array(table, char *, 3);
+ ck_assert(values != NULL);
+
+ values[0] = talloc_strdup(values, "hello1");
+ values[1] = talloc_strdup(values, "world1");
+
+ ck_assert(values[0] != NULL);
+ ck_assert(values[1] != NULL);
+
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(table, "key1");
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = values;
+
+ hret = hash_enter(table, &key, &value);
+ ck_assert_int_eq(hret, HASH_SUCCESS);
+
+ values = talloc_zero_array(table, char *, 3);
+ ck_assert(values != NULL);
+
+ values[0] = talloc_strdup(values, "hello2");
+ values[1] = talloc_strdup(values, "world2");
+
+ ck_assert(values[0] != NULL);
+ ck_assert(values[1] != NULL);
+
+ key.type = HASH_KEY_STRING;
+ key.str = talloc_strdup(table, "key2");
+ ck_assert(key.str != NULL);
+
+ value.type = HASH_VALUE_PTR;
+ value.ptr = values;
+
+ hash_enter(table, &key, &value);
+ ck_assert_int_eq(hret, HASH_SUCCESS);
+
+ *_out = table;
+}
+
+struct test_pilot pilot_iface = {
+ { &test_pilot_meta, 0 },
+ .Eject = eject_handler,
+
+ .get_FullName = pilot_get_full_name_handler,
+ .get_byte = pilot_get_byte_handler,
+ .get_boolean = pilot_get_boolean_handler,
+ .get_int16 = pilot_get_int16_handler,
+ .get_uint16 = pilot_get_uint16_handler,
+ .get_int32 = pilot_get_int32_handler,
+ .get_uint32 = pilot_get_uint32_handler,
+ .get_int64 = pilot_get_int64_handler,
+ .get_uint64 = pilot_get_uint64_handler,
+ .get_double = pilot_get_double_handler,
+ .get_string = pilot_get_string_handler,
+ .get_object_path = pilot_get_objpath_handler,
+ .get_null_string = pilot_get_null_string_handler,
+ .get_null_path = pilot_get_null_path_handler,
+
+ .get_byte_array = pilot_get_byte_array_handler,
+ .get_int16_array = pilot_get_int16_array_handler,
+ .get_uint16_array = pilot_get_uint16_array_handler,
+ .get_int32_array = pilot_get_int32_array_handler,
+ .get_uint32_array = pilot_get_uint32_array_handler,
+ .get_int64_array = pilot_get_int64_array_handler,
+ .get_uint64_array = pilot_get_uint64_array_handler,
+ .get_double_array = pilot_get_double_array_handler,
+ .get_string_array = pilot_get_string_array_handler,
+ .get_object_path_array = pilot_get_path_array_handler,
+};
+
+struct test_special special_iface = {
+ { &test_special_meta, 0},
+ .get_array_dict_sas = special_get_array_dict_sas
+};
+
+static int pilot_test_server_init(struct sbus_connection *server, void *unused)
+{
+ int ret;
+
+ ret = sbus_conn_register_iface(server, &pilot_iface.vtable, "/test/leela",
+ discard_const("Crash into the billboard"));
+ ck_assert_int_eq(ret, EOK);
+
+ return EOK;
+}
+
+static int special_test_server_init(struct sbus_connection *server, void *unused)
+{
+ int ret;
+
+ ret = sbus_conn_register_iface(server, &special_iface.vtable,
+ "/test/special",
+ discard_const("Crash into the billboard"));
+ ck_assert_int_eq(ret, EOK);
+
+ return EOK;
+}
+
+START_TEST(test_marshal_basic_types)
+{
+ unsigned char arg_byte = 11;
+ dbus_bool_t arg_boolean = TRUE;
+ dbus_int16_t arg_int16 = -2222;
+ dbus_uint16_t arg_uint16 = 3333;
+ dbus_int32_t arg_int32 = -44444444;
+ dbus_uint32_t arg_uint32 = 55555555;
+ dbus_int64_t arg_int64 = INT64_C(-6666666666666666);
+ dbus_uint64_t arg_uint64 = UINT64_C(7777777777777777);
+ double arg_double = 1.1;
+ const char *arg_string = "hello";
+ const char *arg_object_path = "/original/object/path";
+
+ unsigned char v_byte[] = { 11, 12 };
+ dbus_int16_t v_int16[] = { 1, -22, 333, -4444 };
+ dbus_uint16_t v_uint16[] = { 1, 2, 3, 4, 5 };
+ dbus_int32_t v_int32[] = { -1, -23, 34, -56, -90000000, 78 };
+ dbus_uint32_t v_uint32[] = { 11111111, 22222222, 33333333 };
+ dbus_int64_t v_int64[] = { INT64_C(-6666666666666666), INT64_C(7777777777777777) };
+ dbus_uint64_t v_uint64[] = { UINT64_C(7777777777777777), INT64_C(888888888888888888) };
+ double v_double[] = { 1.1, 2.2, 3.3 };
+ const char *v_string[] = { "bears", "bears", "bears" };
+ const char *v_object_path[] = { "/original", "/original" };
+
+ unsigned char *arr_byte = v_byte;
+ dbus_int16_t *arr_int16 = v_int16;
+ dbus_uint16_t *arr_uint16 = v_uint16;
+ dbus_int32_t *arr_int32 = v_int32;
+ dbus_uint32_t *arr_uint32 = v_uint32;
+ dbus_int64_t *arr_int64 = v_int64;
+ dbus_uint64_t *arr_uint64 = v_uint64;
+ double *arr_double = v_double;
+ char **arr_string = discard_const(v_string);
+ char **arr_object_path = discard_const(v_object_path);
+
+ int len_byte = N_ELEMENTS(v_byte);
+ int len_int16 = N_ELEMENTS(v_int16);
+ int len_uint16 = N_ELEMENTS(v_uint16);
+ int len_int32 = N_ELEMENTS(v_int32);
+ int len_uint32 = N_ELEMENTS(v_uint32);
+ int len_int64 = N_ELEMENTS(v_int64);
+ int len_uint64 = N_ELEMENTS(v_uint64);
+ int len_double = N_ELEMENTS(v_double);
+ int len_string = N_ELEMENTS(v_string);
+ int len_object_path = N_ELEMENTS(v_object_path);
+
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusError error = DBUS_ERROR_INIT;
+ DBusMessage *reply;
+
+ ctx = talloc_new(NULL);
+ ck_assert(ctx != NULL);
+
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+ ck_assert(client != NULL);
+
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ TEST_PILOT,
+ TEST_PILOT_EJECT,
+ &error,
+ DBUS_TYPE_BYTE, &arg_byte,
+ DBUS_TYPE_BOOLEAN, &arg_boolean,
+ DBUS_TYPE_INT16, &arg_int16,
+ DBUS_TYPE_UINT16, &arg_uint16,
+ DBUS_TYPE_INT32, &arg_int32,
+ DBUS_TYPE_UINT32, &arg_uint32,
+ DBUS_TYPE_INT64, &arg_int64,
+ DBUS_TYPE_UINT64, &arg_uint64,
+ DBUS_TYPE_DOUBLE, &arg_double,
+ DBUS_TYPE_STRING, &arg_string,
+ DBUS_TYPE_OBJECT_PATH, &arg_object_path,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &arr_byte, len_byte,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_INT16, &arr_int16, len_int16,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT16, &arr_uint16, len_uint16,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_INT32, &arr_int32, len_int32,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &arr_uint32, len_uint32,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_INT64, &arr_int64, len_int64,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT64, &arr_uint64, len_uint64,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_DOUBLE, &arr_double, len_double,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arr_string, len_string,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arr_object_path, len_object_path,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+ ck_assert(!dbus_error_is_set(&error));
+ ck_assert(dbus_message_get_args(reply, NULL,
+ DBUS_TYPE_BYTE, &arg_byte,
+ DBUS_TYPE_BOOLEAN, &arg_boolean,
+ DBUS_TYPE_INT16, &arg_int16,
+ DBUS_TYPE_UINT16, &arg_uint16,
+ DBUS_TYPE_INT32, &arg_int32,
+ DBUS_TYPE_UINT32, &arg_uint32,
+ DBUS_TYPE_INT64, &arg_int64,
+ DBUS_TYPE_UINT64, &arg_uint64,
+ DBUS_TYPE_DOUBLE, &arg_double,
+ DBUS_TYPE_STRING, &arg_string,
+ DBUS_TYPE_OBJECT_PATH, &arg_object_path,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &arr_byte, &len_byte,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_INT16, &arr_int16, &len_int16,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT16, &arr_uint16, &len_uint16,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_INT32, &arr_int32, &len_int32,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &arr_uint32, &len_uint32,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_INT64, &arr_int64, &len_int64,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_UINT64, &arr_uint64, &len_uint64,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_DOUBLE, &arr_double, &len_double,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arr_string, &len_string,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arr_object_path, &len_object_path,
+ DBUS_TYPE_INVALID));
+
+ ck_assert_uint_eq(arg_byte, 12);
+ ck_assert(arg_boolean == FALSE);
+ ck_assert_int_eq(arg_int16, -2221);
+ ck_assert_uint_eq(arg_uint16, 3334);
+ ck_assert_int_eq(arg_int32, -44444443);
+ ck_assert_uint_eq(arg_uint32, 55555556);
+ ck_assert(arg_int64 == INT64_C(-6666666666666665));
+ ck_assert(arg_uint64 == UINT64_C(7777777777777778));
+ ck_assert(arg_double == 2.1);
+ ck_assert_str_eq(arg_string, "bears, beets, battlestar galactica");
+ ck_assert_str_eq(arg_object_path, "/another/object/path");
+
+ ck_assert_int_eq(len_byte, 2);
+ ck_assert_int_eq(arr_byte[0], 12);
+ ck_assert_int_eq(arr_byte[1], 13);
+
+ ck_assert_int_eq(len_int16, 3);
+ ck_assert_int_eq(arr_int16[0], 2);
+ ck_assert_int_eq(arr_int16[1], -21);
+ ck_assert_int_eq(arr_int16[2], 334);
+
+ ck_assert_int_eq(len_uint16, 5);
+ ck_assert_uint_eq(arr_uint16[0], 2);
+ ck_assert_uint_eq(arr_uint16[1], 3);
+ ck_assert_uint_eq(arr_uint16[2], 4);
+ ck_assert_uint_eq(arr_uint16[3], 5);
+ ck_assert_uint_eq(arr_uint16[4], 6);
+
+ ck_assert_int_eq(len_int32, 5);
+ ck_assert_int_eq(arr_int32[0], 0);
+ ck_assert_int_eq(arr_int32[1], -22);
+ ck_assert_int_eq(arr_int32[2], 35);
+ ck_assert_int_eq(arr_int32[3], -55);
+ ck_assert_int_eq(arr_int32[4], -89999999);
+
+ ck_assert_int_eq(len_uint32, 3);
+ ck_assert_uint_eq(arr_uint32[0], 11111112);
+ ck_assert_uint_eq(arr_uint32[1], 22222223);
+ ck_assert_uint_eq(arr_uint32[2], 33333334);
+
+ ck_assert_int_eq(len_int64, 2);
+ ck_assert(arr_int64[0] == INT64_C(-6666666666666665));
+ ck_assert(arr_int64[1] == INT64_C(7777777777777778));
+
+ ck_assert_int_eq(len_uint64, 2);
+ ck_assert(arr_uint64[0] == UINT64_C(7777777777777778));
+ ck_assert(arr_uint64[1] == UINT64_C(888888888888888889));
+
+ ck_assert_int_eq(len_double, 3);
+ ck_assert(arr_double[0] == 2.1);
+ ck_assert(arr_double[1] == 3.2);
+ ck_assert(arr_double[2] == 4.3);
+
+ ck_assert_int_eq(len_string, 2);
+ ck_assert_str_eq(arr_string[0], "beets");
+ ck_assert_str_eq(arr_string[1], "beets");
+ dbus_free_string_array(arr_string);
+
+ ck_assert_int_eq(len_object_path, 2);
+ ck_assert_str_eq(arr_object_path[0], "/changed");
+ ck_assert_str_eq(arr_object_path[1], "/changed");
+ dbus_free_string_array(arr_object_path);
+
+ dbus_message_unref (reply);
+ talloc_free(ctx);
+}
+END_TEST
+
+static void parse_get_reply(DBusMessage *reply, const int type, void *val)
+{
+ DBusMessageIter iter;
+ DBusMessageIter variter;
+ dbus_bool_t dbret;
+
+ dbret = dbus_message_iter_init(reply, &iter);
+ ck_assert(dbret == TRUE);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&iter), DBUS_TYPE_VARIANT);
+ dbus_message_iter_recurse(&iter, &variter);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&variter), type);
+ dbus_message_iter_get_basic(&variter, val);
+}
+
+static void call_get(DBusConnection *client,
+ const char *object_path,
+ const char *iface,
+ const char *prop,
+ int type,
+ void *val)
+{
+ DBusMessage *reply;
+ DBusError error = DBUS_ERROR_INIT;
+
+ reply = test_dbus_call_sync(client,
+ object_path,
+ DBUS_PROPERTIES_INTERFACE,
+ "Get",
+ &error,
+ DBUS_TYPE_STRING, &iface,
+ DBUS_TYPE_STRING, &prop,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+ parse_get_reply(reply, type, val);
+}
+
+START_TEST(test_get_basic_types)
+{
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ dbus_bool_t bool_val;
+ const char *string_val;
+ const char *path_val;
+ uint8_t byte_val;
+ int16_t int16_val;
+ uint16_t uint16_val;
+ int32_t int32_val;
+ uint32_t uint32_val;
+ int64_t int64_val;
+ uint64_t uint64_val;
+ double double_val;
+
+ ctx = talloc_new(NULL);
+ ck_assert(ctx != NULL);
+
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+ ck_assert(client != NULL);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "boolean",
+ DBUS_TYPE_BOOLEAN, &bool_val);
+ ck_assert(bool_val == pilot_bool);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "FullName",
+ DBUS_TYPE_STRING, &string_val);
+ ck_assert_str_eq(string_val, pilot_full_name);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "byte",
+ DBUS_TYPE_BYTE, &byte_val);
+ ck_assert_int_eq(byte_val, pilot_byte);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "int16",
+ DBUS_TYPE_INT16, &int16_val);
+ ck_assert_int_eq(int16_val, pilot_int16);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "uint16",
+ DBUS_TYPE_UINT16, &uint16_val);
+ ck_assert_int_eq(uint16_val, pilot_uint16);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "int32",
+ DBUS_TYPE_INT32, &int32_val);
+ ck_assert_int_eq(int32_val, pilot_int32);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "uint32",
+ DBUS_TYPE_UINT32, &uint32_val);
+ ck_assert_int_eq(uint32_val, pilot_uint32);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "int64",
+ DBUS_TYPE_INT64, &int64_val);
+ ck_assert_int_eq(int64_val, pilot_int64);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "uint64",
+ DBUS_TYPE_UINT64, &uint64_val);
+ ck_assert_int_eq(uint64_val, pilot_uint64);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "double",
+ DBUS_TYPE_DOUBLE, &double_val);
+ ck_assert_int_eq(double_val, pilot_double);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "string",
+ DBUS_TYPE_STRING, &string_val);
+ ck_assert_str_eq(string_val, pilot_string);
+
+ call_get(client, "/test/leela", test_pilot_meta.name, "object_path",
+ DBUS_TYPE_OBJECT_PATH, &path_val);
+ ck_assert_str_eq(path_val, pilot_path);
+
+ /* If a string getter returns NULL, the caller should receive "" */
+ call_get(client, "/test/leela", test_pilot_meta.name, "null_string",
+ DBUS_TYPE_STRING, &string_val);
+ ck_assert_str_eq(string_val, "");
+
+ /* If a string getter returns NULL, the caller should receive "/" */
+ call_get(client, "/test/leela", test_pilot_meta.name, "null_path",
+ DBUS_TYPE_OBJECT_PATH, &path_val);
+ ck_assert_str_eq(path_val, "/");
+
+ talloc_free(ctx);
+}
+END_TEST
+
+static void parse_get_array_reply(DBusMessage *reply, const int type,
+ void **values, int *nels)
+{
+ DBusMessageIter iter;
+ DBusMessageIter variter;
+ DBusMessageIter arriter;
+ dbus_bool_t dbret;
+
+ dbret = dbus_message_iter_init(reply, &iter);
+ ck_assert(dbret == TRUE);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&iter), DBUS_TYPE_VARIANT);
+ dbus_message_iter_recurse(&iter, &variter);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&variter), DBUS_TYPE_ARRAY);
+ ck_assert_int_eq(dbus_message_iter_get_element_type(&variter), type);
+ dbus_message_iter_recurse(&variter, &arriter);
+ if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
+ int n = 0, i = 0;
+ const char **strings;
+ const char *s;
+
+ do {
+ n++;
+ } while (dbus_message_iter_next(&arriter));
+
+ /* Allocating on NULL is bad, but this is unit test */
+ strings = talloc_array(NULL, const char *, n);
+ ck_assert(strings != NULL);
+
+ dbus_message_iter_recurse(&variter, &arriter);
+ do {
+ dbus_message_iter_get_basic(&arriter, &s);
+ strings[i] = talloc_strdup(strings, s);
+ ck_assert(strings[i] != NULL);
+ i++;
+ } while (dbus_message_iter_next(&arriter));
+
+ *nels = n;
+ *values = strings;
+ } else {
+ /* Fixed types are easy */
+ dbus_message_iter_get_fixed_array(&arriter, values, nels);
+ }
+}
+
+static void call_get_array(DBusConnection *client,
+ const char *object_path,
+ const char *iface,
+ const char *prop,
+ int type,
+ void **values,
+ int *nels)
+{
+ DBusMessage *reply;
+ DBusError error = DBUS_ERROR_INIT;
+
+ reply = test_dbus_call_sync(client,
+ object_path,
+ DBUS_PROPERTIES_INTERFACE,
+ "Get",
+ &error,
+ DBUS_TYPE_STRING, &iface,
+ DBUS_TYPE_STRING, &prop,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+ parse_get_array_reply(reply, type, values, nels);
+}
+
+#define _check_array(reply, len, known, fn) do { \
+ fn(len, 2); \
+ fn(reply[0], known[0]); \
+ fn(reply[1], known[1]); \
+} while(0); \
+
+#define check_int_array(reply, len, known) \
+ _check_array(reply, len, known, ck_assert_int_eq)
+#define check_uint_array(reply, len, known) \
+ _check_array(reply, len, known, ck_assert_uint_eq)
+
+START_TEST(test_get_basic_array_types)
+{
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ const char **string_arr_val;
+ int string_arr_len;
+ const char **path_arr_val;
+ int path_arr_len;
+ uint8_t *byte_arr_val;
+ int byte_arr_len;
+ int16_t *int16_arr_val;
+ int int16_arr_len;
+ uint16_t *uint16_arr_val;
+ int uint16_arr_len;
+ int32_t *int32_arr_val;
+ int int32_arr_len;
+ uint32_t *uint32_arr_val;
+ int uint32_arr_len;
+ int64_t *int64_arr_val;
+ int int64_arr_len;
+ uint64_t *uint64_arr_val;
+ int uint64_arr_len;
+ double *double_arr_val;
+ int double_arr_len;
+
+ ctx = talloc_new(NULL);
+ ck_assert(ctx != NULL);
+
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+ ck_assert(client != NULL);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "byte_array",
+ DBUS_TYPE_BYTE, (void **) &byte_arr_val, &byte_arr_len);
+ check_uint_array(byte_arr_val, byte_arr_len, pilot_byte_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "int16_array",
+ DBUS_TYPE_INT16, (void **) &int16_arr_val, &int16_arr_len);
+ check_int_array(int16_arr_val, int16_arr_len, pilot_int16_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "uint16_array",
+ DBUS_TYPE_UINT16, (void **) &uint16_arr_val, &uint16_arr_len);
+ check_uint_array(uint16_arr_val, uint16_arr_len, pilot_uint16_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "int32_array",
+ DBUS_TYPE_INT32, (void **) &int32_arr_val, &int32_arr_len);
+ check_int_array(int32_arr_val, int32_arr_len, pilot_int32_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "uint32_array",
+ DBUS_TYPE_UINT32, (void **) &uint32_arr_val, &uint32_arr_len);
+ check_uint_array(uint32_arr_val, uint32_arr_len, pilot_uint32_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "int64_array",
+ DBUS_TYPE_INT64, (void **) &int64_arr_val, &int64_arr_len);
+ check_int_array(int64_arr_val, int64_arr_len, pilot_int64_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "uint64_array",
+ DBUS_TYPE_UINT64, (void **) &uint64_arr_val, &uint64_arr_len);
+ check_uint_array(uint64_arr_val, uint64_arr_len, pilot_uint64_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "double_array",
+ DBUS_TYPE_DOUBLE, (void **) &double_arr_val, &double_arr_len);
+ check_int_array(double_arr_val, double_arr_len, pilot_double_array);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "string_array",
+ DBUS_TYPE_STRING, (void **) &string_arr_val, &string_arr_len);
+ ck_assert_int_eq(string_arr_len, 2);
+ ck_assert_str_eq(string_arr_val[0], pilot_string_array[0]);
+ ck_assert_str_eq(string_arr_val[1], pilot_string_array[1]);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "string_array",
+ DBUS_TYPE_STRING, (void **) &string_arr_val, &string_arr_len);
+ ck_assert_int_eq(string_arr_len, 2);
+ ck_assert_str_eq(string_arr_val[0], pilot_string_array[0]);
+ ck_assert_str_eq(string_arr_val[1], pilot_string_array[1]);
+
+ call_get_array(client, "/test/leela", test_pilot_meta.name, "object_path_array",
+ DBUS_TYPE_OBJECT_PATH, (void **) &path_arr_val, &path_arr_len);
+ ck_assert_int_eq(path_arr_len, 2);
+ ck_assert_str_eq(path_arr_val[0], pilot_path_array[0]);
+ ck_assert_str_eq(path_arr_val[1], pilot_path_array[1]);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+START_TEST(test_get_array_dict_sas)
+{
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusMessage *reply;
+ DBusMessageIter it_variant;
+ DBusMessageIter it_array;
+ DBusMessageIter it_dict;
+ DBusMessageIter it_dict_entry;
+ DBusMessageIter it_values;
+ DBusError error = DBUS_ERROR_INIT;
+ const char *prop = "array_dict_sas";
+ dbus_bool_t dbret;
+ const char *value;
+ const char *hash_content[2][2] = {{"hello1", "world1"},
+ {"hello2", "world2"}};
+ const char **exp_values = NULL;
+ int i;
+
+ ctx = talloc_new(NULL);
+ ck_assert(ctx != NULL);
+
+ client = test_dbus_setup_mock(ctx, NULL, special_test_server_init, NULL);
+ ck_assert(client != NULL);
+
+ reply = test_dbus_call_sync(client,
+ "/test/special",
+ DBUS_PROPERTIES_INTERFACE,
+ "Get",
+ &error,
+ DBUS_TYPE_STRING, &test_special_meta.name,
+ DBUS_TYPE_STRING, &prop,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+
+ dbret = dbus_message_iter_init(reply, &it_variant);
+ ck_assert(dbret == TRUE);
+
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&it_variant), DBUS_TYPE_VARIANT);
+ dbus_message_iter_recurse(&it_variant, &it_array);
+
+ /* array */
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&it_array), DBUS_TYPE_ARRAY);
+ ck_assert_int_eq(dbus_message_iter_get_element_type(&it_array), DBUS_TYPE_DICT_ENTRY);
+
+ /* dict entry */
+
+ /* first item */
+ dbus_message_iter_recurse(&it_array, &it_dict);
+ for (i = 0; i < 2; i++) {
+ dbus_message_iter_recurse(&it_dict, &it_dict_entry);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&it_dict_entry), DBUS_TYPE_STRING);
+
+ dbus_message_iter_get_basic(&it_dict_entry, &value);
+ ck_assert(value != NULL);
+ if (strcmp(value, "key1") == 0) {
+ exp_values = hash_content[0];
+ } else if (strcmp(value, "key2") == 0) {
+ exp_values = hash_content[1];
+ } else {
+ ck_abort_msg("Invalid key! %s", value);
+ }
+
+ dbret = dbus_message_iter_next(&it_dict_entry);
+ ck_assert(dbret == TRUE);
+
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&it_dict_entry), DBUS_TYPE_ARRAY);
+ ck_assert_int_eq(dbus_message_iter_get_element_type(&it_dict_entry), DBUS_TYPE_STRING);
+
+ dbus_message_iter_recurse(&it_dict_entry, &it_values);
+
+ dbus_message_iter_get_basic(&it_values, &value);
+ ck_assert(value != NULL);
+ ck_assert_str_eq(value, exp_values[0]);
+
+ dbret = dbus_message_iter_next(&it_values);
+ dbus_message_iter_get_basic(&it_values, &value);
+ ck_assert(value != NULL);
+ ck_assert_str_eq(value, exp_values[1]);
+ dbus_message_iter_next(&it_dict);
+ }
+
+ talloc_free(ctx);
+}
+END_TEST
+
+struct prop_test {
+ const char *name;
+ bool handled;
+ int length;
+ int type;
+ union prop_value {
+ bool bool_val;
+ const char *string_val;
+ const char *path_val;
+ uint8_t byte_val;
+ int16_t int16_val;
+ uint16_t uint16_val;
+ int32_t int32_val;
+ uint32_t uint32_val;
+ int64_t int64_val;
+ uint64_t uint64_val;
+ double double_val;
+
+ const char **string_arr_val;
+ const char **path_arr_val;
+ uint8_t *byte_arr_val;
+ int16_t *int16_arr_val;
+ uint16_t *uint16_arr_val;
+ int32_t *int32_arr_val;
+ uint32_t *uint32_arr_val;
+ int64_t *int64_arr_val;
+ uint64_t *uint64_arr_val;
+ double *double_arr_val;
+ } value;
+};
+
+void check_prop(DBusMessageIter *variter, struct prop_test *p)
+{
+ dbus_bool_t bool_val;
+ const char *string_val;
+ const char *path_val;
+ uint8_t byte_val;
+ int16_t int16_val;
+ uint16_t uint16_val;
+ int32_t int32_val;
+ uint32_t uint32_val;
+ int64_t int64_val;
+ uint64_t uint64_val;
+ double double_val;
+ int type;
+
+ type = dbus_message_iter_get_arg_type(variter);
+
+ /* No property should be returned twice */
+ ck_assert(p->handled == false);
+ ck_assert(p->type == type);
+ switch (p->type) {
+ case DBUS_TYPE_BOOLEAN:
+ dbus_message_iter_get_basic(variter, &bool_val);
+ ck_assert(bool_val == p->value.bool_val);
+ break;
+ case DBUS_TYPE_STRING:
+ dbus_message_iter_get_basic(variter, &string_val);
+ ck_assert_str_eq(string_val, p->value.string_val);
+ break;
+ case DBUS_TYPE_BYTE:
+ dbus_message_iter_get_basic(variter, &byte_val);
+ ck_assert_int_eq(byte_val, p->value.byte_val);
+ break;
+ case DBUS_TYPE_INT16:
+ dbus_message_iter_get_basic(variter, &int16_val);
+ ck_assert_int_eq(int16_val, p->value.int16_val);
+ break;
+ case DBUS_TYPE_UINT16:
+ dbus_message_iter_get_basic(variter, &uint16_val);
+ ck_assert_int_eq(uint16_val, p->value.uint16_val);
+ break;
+ case DBUS_TYPE_INT32:
+ dbus_message_iter_get_basic(variter, &int32_val);
+ ck_assert_int_eq(int32_val, p->value.int32_val);
+ break;
+ case DBUS_TYPE_UINT32:
+ dbus_message_iter_get_basic(variter, &uint32_val);
+ ck_assert_int_eq(uint32_val, p->value.uint32_val);
+ break;
+ case DBUS_TYPE_INT64:
+ dbus_message_iter_get_basic(variter, &int64_val);
+ ck_assert_int_eq(int64_val, p->value.int64_val);
+ break;
+ case DBUS_TYPE_UINT64:
+ dbus_message_iter_get_basic(variter, &uint64_val);
+ ck_assert_int_eq(uint64_val, p->value.uint64_val);
+ break;
+ case DBUS_TYPE_DOUBLE:
+ dbus_message_iter_get_basic(variter, &double_val);
+ ck_assert_int_eq(double_val, p->value.double_val);
+ break;
+ case DBUS_TYPE_OBJECT_PATH:
+ dbus_message_iter_get_basic(variter, &path_val);
+ ck_assert_str_eq(path_val, p->value.path_val);
+ break;
+ default:
+ /* Not handled */
+ return;
+ }
+
+ /* This attribute was handled, get the next one */
+ p->handled = true;
+}
+
+void check_arr_prop(DBusMessageIter *variter, struct prop_test *p)
+{
+ DBusMessageIter arriter;
+ const char **strings = NULL;
+ uint8_t *byte_arr_val;
+ int16_t *int16_arr_val;
+ uint16_t *uint16_arr_val;
+ int32_t *int32_arr_val;
+ uint32_t *uint32_arr_val;
+ int64_t *int64_arr_val;
+ uint64_t *uint64_arr_val;
+ double *double_arr_val;
+ int len;
+ int type;
+
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(variter), DBUS_TYPE_ARRAY);
+ type = dbus_message_iter_get_element_type(variter);
+ ck_assert_int_eq(type, p->type);
+
+ dbus_message_iter_recurse(variter, &arriter);
+ if (type == DBUS_TYPE_STRING || type == DBUS_TYPE_OBJECT_PATH) {
+ int n = 0, i = 0;
+ const char *s;
+
+ do {
+ n++;
+ } while (dbus_message_iter_next(&arriter));
+
+ /* Allocating on NULL is bad, but this is unit test */
+ strings = talloc_array(NULL, const char *, n);
+ ck_assert(strings != NULL);
+
+ dbus_message_iter_recurse(variter, &arriter);
+ do {
+ dbus_message_iter_get_basic(&arriter, &s);
+ strings[i] = talloc_strdup(strings, s);
+ ck_assert(strings[i] != NULL);
+ i++;
+ } while (dbus_message_iter_next(&arriter));
+
+ len = n;
+ }
+
+ switch (p->type) {
+ case DBUS_TYPE_STRING:
+ ck_assert_int_eq(len, 2);
+ ck_assert(strings != NULL);
+ ck_assert_str_eq(strings[0], pilot_string_array[0]);
+ ck_assert_str_eq(strings[1], pilot_string_array[1]);
+ break;
+ case DBUS_TYPE_BYTE:
+ dbus_message_iter_get_fixed_array(&arriter, &byte_arr_val, &len);
+ check_uint_array(byte_arr_val, len, p->value.byte_arr_val);
+ break;
+ case DBUS_TYPE_INT16:
+ dbus_message_iter_get_fixed_array(&arriter, &int16_arr_val, &len);
+ check_int_array(int16_arr_val, len, p->value.int16_arr_val);
+ break;
+ case DBUS_TYPE_UINT16:
+ dbus_message_iter_get_fixed_array(&arriter, &uint16_arr_val, &len);
+ check_uint_array(uint16_arr_val, len, p->value.uint16_arr_val);
+ break;
+ case DBUS_TYPE_INT32:
+ dbus_message_iter_get_fixed_array(&arriter, &int32_arr_val, &len);
+ check_int_array(int32_arr_val, len, p->value.int32_arr_val);
+ break;
+ case DBUS_TYPE_UINT32:
+ dbus_message_iter_get_fixed_array(&arriter, &uint32_arr_val, &len);
+ check_uint_array(uint32_arr_val, len, p->value.uint32_arr_val);
+ break;
+ case DBUS_TYPE_INT64:
+ dbus_message_iter_get_fixed_array(&arriter, &int64_arr_val, &len);
+ check_int_array(int64_arr_val, len, p->value.int64_arr_val);
+ break;
+ case DBUS_TYPE_UINT64:
+ dbus_message_iter_get_fixed_array(&arriter, &uint64_arr_val, &len);
+ check_uint_array(uint64_arr_val, len, p->value.uint64_arr_val);
+ break;
+ case DBUS_TYPE_DOUBLE:
+ dbus_message_iter_get_fixed_array(&arriter, &double_arr_val, &len);
+ check_int_array(double_arr_val, len, p->value.double_arr_val);
+ break;
+ case DBUS_TYPE_OBJECT_PATH:
+ ck_assert_int_eq(len, 2);
+ ck_assert(strings != NULL);
+ ck_assert_str_eq(strings[0], pilot_path_array[0]);
+ ck_assert_str_eq(strings[1], pilot_path_array[1]);
+ break;
+ default:
+ /* Not handled */
+ return;
+ }
+
+
+ p->handled = true;
+}
+
+START_TEST(test_getall_basic_types)
+{
+ DBusMessage *reply;
+ DBusMessageIter iter;
+ DBusMessageIter arriter;
+ DBusMessageIter dictiter;
+ DBusMessageIter variter;
+ dbus_bool_t dbret;
+ DBusError error = DBUS_ERROR_INIT;
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ char *attr_name;
+ int i;
+ int num_prop;
+
+ struct prop_test pilot_properties[] = {
+ { "boolean", false, 0, DBUS_TYPE_BOOLEAN, { .bool_val = pilot_bool } },
+ { "FullName", false, 0, DBUS_TYPE_STRING, { .string_val = pilot_full_name } },
+ { "byte", false, 0, DBUS_TYPE_BYTE, { .byte_val = pilot_byte } },
+ { "int16", false, 0, DBUS_TYPE_INT16, { .int16_val = pilot_int16 } },
+ { "uint16", false, 0, DBUS_TYPE_UINT16, { .uint16_val = pilot_uint16 } },
+ { "int32", false, 0, DBUS_TYPE_INT32, { .int32_val = pilot_int32 } },
+ { "uint32", false, 0, DBUS_TYPE_UINT32, { .uint32_val = pilot_uint32 } },
+ { "int64", false, 0, DBUS_TYPE_INT64, { .int64_val = pilot_int64 } },
+ { "uint64", false, 0, DBUS_TYPE_UINT64, { .uint64_val = pilot_uint64 } },
+ { "double", false, 0, DBUS_TYPE_DOUBLE, { .double_val = pilot_double } },
+ { "string", false, 0, DBUS_TYPE_STRING, { .string_val = pilot_string } },
+ { "object_path", false, 0, DBUS_TYPE_OBJECT_PATH, { .path_val = pilot_path } },
+ { "null_string", false, 0, DBUS_TYPE_STRING, { .string_val = "" } },
+ { "null_path", false, 0, DBUS_TYPE_OBJECT_PATH, { .path_val = "/" } },
+
+ { "byte_array", false, N_ELEMENTS(pilot_byte_array), DBUS_TYPE_BYTE, { .byte_arr_val = pilot_byte_array } },
+ { "int16_array", false, N_ELEMENTS(pilot_int16_array), DBUS_TYPE_INT16, { .int16_arr_val = pilot_int16_array } },
+ { "uint16_array", false, N_ELEMENTS(pilot_uint16_array), DBUS_TYPE_UINT16, { .uint16_arr_val = pilot_uint16_array } },
+ { "int32_array", false, N_ELEMENTS(pilot_int32_array), DBUS_TYPE_INT32, { .int32_arr_val = pilot_int32_array } },
+ { "uint32_array", false, N_ELEMENTS(pilot_uint32_array), DBUS_TYPE_UINT32, { .uint32_arr_val = pilot_uint32_array } },
+ { "int64_array", false, N_ELEMENTS(pilot_int64_array), DBUS_TYPE_INT64, { .int64_arr_val = pilot_int64_array } },
+ { "uint64_array", false, N_ELEMENTS(pilot_uint64_array), DBUS_TYPE_UINT64, { .uint64_arr_val = pilot_uint64_array } },
+ { "double_array", false, N_ELEMENTS(pilot_double_array), DBUS_TYPE_DOUBLE, { .double_arr_val = pilot_double_array } },
+ { "string_array", false, N_ELEMENTS(pilot_string_array), DBUS_TYPE_STRING, { .string_arr_val = pilot_string_array } },
+ { "object_path_array", false, N_ELEMENTS(pilot_path_array), DBUS_TYPE_OBJECT_PATH, { .path_arr_val = pilot_path_array } },
+
+ { NULL, false, 0, 0, { .bool_val = false } }};
+
+ ctx = talloc_new(NULL);
+ ck_assert(ctx != NULL);
+
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+ ck_assert(client != NULL);
+
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ DBUS_PROPERTIES_INTERFACE,
+ "GetAll",
+ &error,
+ DBUS_TYPE_STRING,
+ &test_pilot_meta.name,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+
+ /* GetAll reply is an array of dictionaries */
+ dbret = dbus_message_iter_init(reply, &iter);
+ ck_assert(dbret == TRUE);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&iter), DBUS_TYPE_ARRAY);
+
+ dbus_message_iter_recurse(&iter, &arriter);
+ num_prop = 0;
+ do {
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&arriter),
+ DBUS_TYPE_DICT_ENTRY);
+ dbus_message_iter_recurse(&arriter, &dictiter);
+ dbus_message_iter_get_basic(&dictiter, &attr_name);
+ ck_assert(dbus_message_iter_next(&dictiter) == TRUE);
+ ck_assert_int_eq(dbus_message_iter_get_arg_type(&dictiter),
+ DBUS_TYPE_VARIANT);
+
+ dbus_message_iter_recurse(&dictiter, &variter);
+
+ for (i=0; pilot_properties[i].name; i++) {
+ if (strcmp(attr_name, pilot_properties[i].name) == 0) {
+ if (dbus_message_iter_get_arg_type(&variter) == DBUS_TYPE_ARRAY) {
+ check_arr_prop(&variter, &pilot_properties[i]);
+ } else {
+ check_prop(&variter, &pilot_properties[i]);
+ }
+ break;
+ }
+ }
+
+ num_prop++;
+ } while(dbus_message_iter_next(&arriter));
+
+ /* All known properties must be handled now */
+ for (i=0; pilot_properties[i].name; i++) {
+ ck_assert(pilot_properties[i].handled == true);
+ }
+ /* Also all properties returned from the bus must be accounted for */
+ ck_assert_uint_eq(num_prop, N_ELEMENTS(pilot_properties)-1);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+TCase *create_handler_tests(void)
+{
+ TCase *tc = tcase_create("handler");
+
+ tcase_add_test(tc, test_marshal_basic_types);
+ tcase_add_test(tc, test_get_basic_types);
+ tcase_add_test(tc, test_getall_basic_types);
+ tcase_add_test(tc, test_get_basic_array_types);
+ tcase_add_test(tc, test_get_array_dict_sas);
+
+ return tc;
+}
+
+Suite *create_suite(void)
+{
+ Suite *s = suite_create("sbus_codegen");
+
+ suite_add_tcase(s, create_defs_tests ());
+ suite_add_tcase(s, create_handler_tests
()); + + return s; +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + int failure_count; + Suite *suite; + SRunner *sr; + + struct poptOption long_options[] = { + POPT_AUTOHELP + POPT_TABLEEND + }; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + suite = create_suite(); + sr = srunner_create(suite); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed(sr); + srunner_free(sr); + return (failure_count == 0 ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/tests/sbus_codegen_tests.xml b/src/tests/sbus_codegen_tests.xml new file mode 100755 index 0000000..4813dcc --- /dev/null +++ b/src/tests/sbus_codegen_tests.xml @@ -0,0 +1,150 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/src/tests/sbus_codegen_tests_generated.c b/src/tests/sbus_codegen_tests_generated.c new file mode 100644 index 0000000..8941f13 --- /dev/null +++ b/src/tests/sbus_codegen_tests_generated.c 
@@ -0,0 +1,637 @@ +/* The following definitions are auto-generated from sbus_codegen_tests.xml */ + +#include + +#include "dbus/dbus-protocol.h" +#include "util/util_errors.h" +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" +#include "sbus/sssd_dbus_invokers.h" +#include "sbus_codegen_tests_generated.h" + +/* invokes a handler with a 'bu' DBus signature */ +static int invoke_bu_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr); + +/* invokes a handler with a 'ybnqiuxtdsoayanaqaiauaxatadasao' DBus signature */ +static int invoke_ybnqiuxtdsoayanaqaiauaxatadasao_method(struct sbus_request *dbus_req, void *function_ptr); + +/* arguments for com.planetexpress.Ship.MoveUniverse */ +const struct sbus_arg_meta com_planetexpress_Ship_MoveUniverse__in[] = { + { "smoothly", "b" }, + { "speed_factor", "u" }, + { NULL, } +}; + +/* arguments for com.planetexpress.Ship.MoveUniverse */ +const struct sbus_arg_meta com_planetexpress_Ship_MoveUniverse__out[] = { + { "where_we_crashed", "s" }, + { NULL, } +}; + +int com_planetexpress_Ship_MoveUniverse_finish(struct sbus_request *req, const char *arg_where_we_crashed) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_STRING, &arg_where_we_crashed, + DBUS_TYPE_INVALID); +} + +/* arguments for com.planetexpress.Ship.Crash */ +const struct sbus_arg_meta com_planetexpress_Ship_crash_now__in[] = { + { "where", "s" }, + { NULL, } +}; + +int com_planetexpress_Ship_crash_now_finish(struct sbus_request *req) +{ + return sbus_request_return_and_finish(req, + DBUS_TYPE_INVALID); +} + +/* methods for com.planetexpress.Ship */ +const struct sbus_method_meta com_planetexpress_Ship__methods[] = { + { + "MoveUniverse", /* name */ + 
com_planetexpress_Ship_MoveUniverse__in, + com_planetexpress_Ship_MoveUniverse__out, + offsetof(struct com_planetexpress_Ship, MoveUniverse), + invoke_bu_method, + }, + { + "Crash", /* name */ + com_planetexpress_Ship_crash_now__in, + NULL, /* no out_args */ + offsetof(struct com_planetexpress_Ship, crash_now), + invoke_s_method, + }, + { + "Land", /* name */ + NULL, /* no in_args */ + NULL, /* no out_args */ + offsetof(struct com_planetexpress_Ship, Land), + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* arguments for com.planetexpress.Ship.BecameSentient */ +const struct sbus_arg_meta com_planetexpress_Ship_BecameSentient__args[] = { + { "gender", "s" }, + { NULL, } +}; + +/* signals for com.planetexpress.Ship */ +const struct sbus_signal_meta com_planetexpress_Ship__signals[] = { + { + "BecameSentient", /* name */ + com_planetexpress_Ship_BecameSentient__args + }, + { NULL, } +}; + +/* property info for com.planetexpress.Ship */ +const struct sbus_property_meta com_planetexpress_Ship__properties[] = { + { + "Color", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct com_planetexpress_Ship, get_Color), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for com.planetexpress.Ship */ +const struct sbus_interface_meta com_planetexpress_Ship_meta = { + "com.planetexpress.Ship", /* name */ + com_planetexpress_Ship__methods, + com_planetexpress_Ship__signals, + com_planetexpress_Ship__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* arguments for com.planetexpress.Pilot.Blink */ +const struct sbus_arg_meta test_pilot_Blink__in[] = { + { "duration", "u" }, + { NULL, } +}; + +/* arguments for com.planetexpress.Pilot.Blink */ +const struct sbus_arg_meta test_pilot_Blink__out[] = { + { "crashed", "b" }, + { NULL, } +}; + +int test_pilot_Blink_finish(struct sbus_request *req, bool arg_crashed) +{ + dbus_bool_t cast_crashed = arg_crashed; + return 
sbus_request_return_and_finish(req, + DBUS_TYPE_BOOLEAN, &cast_crashed, + DBUS_TYPE_INVALID); +} + +/* arguments for com.planetexpress.Pilot.Eject */ +const struct sbus_arg_meta test_pilot_Eject__in[] = { + { "byte", "y" }, + { "boolean", "b" }, + { "int16", "n" }, + { "uint16", "q" }, + { "int32", "i" }, + { "uint32", "u" }, + { "int64", "x" }, + { "uint64", "t" }, + { "double", "d" }, + { "string", "s" }, + { "object_path", "o" }, + { "byte_array", "ay" }, + { "int16_array", "an" }, + { "uint16_array", "aq" }, + { "int32_array", "ai" }, + { "uint32_array", "au" }, + { "int64_array", "ax" }, + { "uint64_array", "at" }, + { "double_array", "ad" }, + { "string_array", "as" }, + { "object_path_array", "ao" }, + { NULL, } +}; + +/* arguments for com.planetexpress.Pilot.Eject */ +const struct sbus_arg_meta test_pilot_Eject__out[] = { + { "byte", "y" }, + { "boolean", "b" }, + { "int16", "n" }, + { "uint16", "q" }, + { "int32", "i" }, + { "uint32", "u" }, + { "int64", "x" }, + { "uint64", "t" }, + { "double", "d" }, + { "string", "s" }, + { "object_path", "o" }, + { "byte_array", "ay" }, + { "int16_array", "an" }, + { "uint16_array", "aq" }, + { "int32_array", "ai" }, + { "uint32_array", "au" }, + { "int64_array", "ax" }, + { "uint64_array", "at" }, + { "double_array", "ad" }, + { "string_array", "as" }, + { "object_path_array", "ao" }, + { NULL, } +}; + +int test_pilot_Eject_finish(struct sbus_request *req, uint8_t arg_byte, bool arg_boolean, int16_t arg_int16, uint16_t arg_uint16, int32_t arg_int32, uint32_t arg_uint32, int64_t arg_int64, uint64_t arg_uint64, double arg_double, const char *arg_string, const char *arg_object_path, uint8_t arg_byte_array[], int len_byte_array, int16_t arg_int16_array[], int len_int16_array, uint16_t arg_uint16_array[], int len_uint16_array, int32_t arg_int32_array[], int len_int32_array, uint32_t arg_uint32_array[], int len_uint32_array, int64_t arg_int64_array[], int len_int64_array, uint64_t arg_uint64_array[], int len_uint64_array, 
double arg_double_array[], int len_double_array, const char *arg_string_array[], int len_string_array, const char *arg_object_path_array[], int len_object_path_array) +{ + dbus_bool_t cast_boolean = arg_boolean; + return sbus_request_return_and_finish(req, + DBUS_TYPE_BYTE, &arg_byte, + DBUS_TYPE_BOOLEAN, &cast_boolean, + DBUS_TYPE_INT16, &arg_int16, + DBUS_TYPE_UINT16, &arg_uint16, + DBUS_TYPE_INT32, &arg_int32, + DBUS_TYPE_UINT32, &arg_uint32, + DBUS_TYPE_INT64, &arg_int64, + DBUS_TYPE_UINT64, &arg_uint64, + DBUS_TYPE_DOUBLE, &arg_double, + DBUS_TYPE_STRING, &arg_string, + DBUS_TYPE_OBJECT_PATH, &arg_object_path, + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &arg_byte_array, len_byte_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_INT16, &arg_int16_array, len_int16_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT16, &arg_uint16_array, len_uint16_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_INT32, &arg_int32_array, len_int32_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &arg_uint32_array, len_uint32_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_INT64, &arg_int64_array, len_int64_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT64, &arg_uint64_array, len_uint64_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_DOUBLE, &arg_double_array, len_double_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_string_array, len_string_array, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_object_path_array, len_object_path_array, + DBUS_TYPE_INVALID); +} + +/* methods for com.planetexpress.Pilot */ +const struct sbus_method_meta test_pilot__methods[] = { + { + "Blink", /* name */ + test_pilot_Blink__in, + test_pilot_Blink__out, + offsetof(struct test_pilot, Blink), + invoke_u_method, + }, + { + "Eject", /* name */ + test_pilot_Eject__in, + test_pilot_Eject__out, + offsetof(struct test_pilot, Eject), + invoke_ybnqiuxtdsoayanaqaiauaxatadasao_method, + }, + { NULL, } +}; + +/* property info for com.planetexpress.Pilot */ +const struct sbus_property_meta test_pilot__properties[] = { + { + "FullName", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE | 
SBUS_PROPERTY_WRITABLE, + offsetof(struct test_pilot, get_FullName), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "byte", /* name */ + "y", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_byte), + sbus_invoke_get_y, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "boolean", /* name */ + "b", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_boolean), + sbus_invoke_get_b, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "int16", /* name */ + "n", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_int16), + sbus_invoke_get_n, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uint16", /* name */ + "q", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_uint16), + sbus_invoke_get_q, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "int32", /* name */ + "i", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_int32), + sbus_invoke_get_i, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uint32", /* name */ + "u", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_uint32), + sbus_invoke_get_u, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "int64", /* name */ + "x", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_int64), + sbus_invoke_get_x, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uint64", /* name */ + "t", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_uint64), + sbus_invoke_get_t, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "double", /* name */ + "d", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_double), + sbus_invoke_get_d, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "string", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_string), + sbus_invoke_get_s, + 0, /* not writable */ + 
NULL, /* no invoker */ + }, + { + "object_path", /* name */ + "o", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_object_path), + sbus_invoke_get_o, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "null_string", /* name */ + "s", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_null_string), + sbus_invoke_get_s, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "null_path", /* name */ + "o", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_null_path), + sbus_invoke_get_o, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "byte_array", /* name */ + "ay", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_byte_array), + sbus_invoke_get_ay, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "int16_array", /* name */ + "an", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_int16_array), + sbus_invoke_get_an, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uint16_array", /* name */ + "aq", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_uint16_array), + sbus_invoke_get_aq, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "int32_array", /* name */ + "ai", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_int32_array), + sbus_invoke_get_ai, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uint32_array", /* name */ + "au", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_uint32_array), + sbus_invoke_get_au, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "int64_array", /* name */ + "ax", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_int64_array), + sbus_invoke_get_ax, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "uint64_array", /* name */ + "at", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_uint64_array), + sbus_invoke_get_at, + 0, /* not writable 
*/ + NULL, /* no invoker */ + }, + { + "double_array", /* name */ + "ad", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_double_array), + sbus_invoke_get_ad, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "string_array", /* name */ + "as", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_string_array), + sbus_invoke_get_as, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { + "object_path_array", /* name */ + "ao", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_pilot, get_object_path_array), + sbus_invoke_get_ao, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for com.planetexpress.Pilot */ +const struct sbus_interface_meta test_pilot_meta = { + "com.planetexpress.Pilot", /* name */ + test_pilot__methods, + NULL, /* no signals */ + test_pilot__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* property info for com.planetexpress.Special */ +const struct sbus_property_meta test_special__properties[] = { + { + "array_dict_sas", /* name */ + "a{sas}", /* type */ + SBUS_PROPERTY_READABLE, + offsetof(struct test_special, get_array_dict_sas), + sbus_invoke_get_aDOsasDE, + 0, /* not writable */ + NULL, /* no invoker */ + }, + { NULL, } +}; + +/* interface info for com.planetexpress.Special */ +const struct sbus_interface_meta test_special_meta = { + "com.planetexpress.Special", /* name */ + NULL, /* no methods */ + NULL, /* no signals */ + test_special__properties, + sbus_invoke_get_all, /* GetAll invoker */ +}; + +/* invokes a handler with a 'bu' DBus signature */ +static int invoke_bu_method(struct sbus_request *dbus_req, void *function_ptr) +{ + dbus_bool_t arg_0; + uint32_t arg_1; + int (*handler)(struct sbus_request *, void *, bool, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_BOOLEAN, &arg_0, + DBUS_TYPE_UINT32, &arg_1, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + 
return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1); +} + +/* invokes a handler with a 's' DBus signature */ +static int invoke_s_method(struct sbus_request *dbus_req, void *function_ptr) +{ + const char * arg_0; + int (*handler)(struct sbus_request *, void *, const char *) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_STRING, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} + +/* invokes a handler with a 'u' DBus signature */ +static int invoke_u_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint32_t arg_0; + int (*handler)(struct sbus_request *, void *, uint32_t) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_UINT32, &arg_0, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0); +} + +/* invokes a handler with a 'ybnqiuxtdsoayanaqaiauaxatadasao' DBus signature */ +static int invoke_ybnqiuxtdsoayanaqaiauaxatadasao_method(struct sbus_request *dbus_req, void *function_ptr) +{ + uint8_t arg_0; + dbus_bool_t arg_1; + int16_t arg_2; + uint16_t arg_3; + int32_t arg_4; + uint32_t arg_5; + int64_t arg_6; + uint64_t arg_7; + double arg_8; + const char * arg_9; + const char * arg_10; + uint8_t *arg_11; + int len_11; + int16_t *arg_12; + int len_12; + uint16_t *arg_13; + int len_13; + int32_t *arg_14; + int len_14; + uint32_t *arg_15; + int len_15; + int64_t *arg_16; + int len_16; + uint64_t *arg_17; + int len_17; + double *arg_18; + int len_18; + const char * *arg_19; + int len_19; + const char * *arg_20; + int len_20; + int (*handler)(struct sbus_request *, void *, uint8_t, bool, int16_t, uint16_t, int32_t, uint32_t, int64_t, uint64_t, double, const char *, const char *, uint8_t[], int, int16_t[], int, uint16_t[], int, int32_t[], int, uint32_t[], int, int64_t[], int, uint64_t[], int, double[], int, 
const char *[], int, const char *[], int) = function_ptr; + + if (!sbus_request_parse_or_finish(dbus_req, + DBUS_TYPE_BYTE, &arg_0, + DBUS_TYPE_BOOLEAN, &arg_1, + DBUS_TYPE_INT16, &arg_2, + DBUS_TYPE_UINT16, &arg_3, + DBUS_TYPE_INT32, &arg_4, + DBUS_TYPE_UINT32, &arg_5, + DBUS_TYPE_INT64, &arg_6, + DBUS_TYPE_UINT64, &arg_7, + DBUS_TYPE_DOUBLE, &arg_8, + DBUS_TYPE_STRING, &arg_9, + DBUS_TYPE_OBJECT_PATH, &arg_10, + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, &arg_11, &len_11, + DBUS_TYPE_ARRAY, DBUS_TYPE_INT16, &arg_12, &len_12, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT16, &arg_13, &len_13, + DBUS_TYPE_ARRAY, DBUS_TYPE_INT32, &arg_14, &len_14, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT32, &arg_15, &len_15, + DBUS_TYPE_ARRAY, DBUS_TYPE_INT64, &arg_16, &len_16, + DBUS_TYPE_ARRAY, DBUS_TYPE_UINT64, &arg_17, &len_17, + DBUS_TYPE_ARRAY, DBUS_TYPE_DOUBLE, &arg_18, &len_18, + DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &arg_19, &len_19, + DBUS_TYPE_ARRAY, DBUS_TYPE_OBJECT_PATH, &arg_20, &len_20, + DBUS_TYPE_INVALID)) { + return EOK; /* request handled */ + } + + return (handler)(dbus_req, dbus_req->intf->handler_data, + arg_0, + arg_1, + arg_2, + arg_3, + arg_4, + arg_5, + arg_6, + arg_7, + arg_8, + arg_9, + arg_10, + arg_11, + len_11, + arg_12, + len_12, + arg_13, + len_13, + arg_14, + len_14, + arg_15, + len_15, + arg_16, + len_16, + arg_17, + len_17, + arg_18, + len_18, + arg_19, + len_19, + arg_20, + len_20); +} diff --git a/src/tests/sbus_codegen_tests_generated.h b/src/tests/sbus_codegen_tests_generated.h new file mode 100644 index 0000000..62486cc --- /dev/null +++ b/src/tests/sbus_codegen_tests_generated.h 
@@ -0,0 +1,151 @@ +/* The following declarations are auto-generated from sbus_codegen_tests.xml */ + +#ifndef __SBUS_CODEGEN_TESTS_XML__ +#define __SBUS_CODEGEN_TESTS_XML__ + +#include "sbus/sssd_dbus.h" +#include "sbus/sssd_dbus_meta.h" + +/* ------------------------------------------------------------------------ + * DBus Constants + * + * Various constants of interface and method names mostly for use by clients + */ + +/* constants for com.planetexpress.Ship */ +#define COM_PLANETEXPRESS_SHIP "com.planetexpress.Ship" +#define COM_PLANETEXPRESS_SHIP_MOVEUNIVERSE "MoveUniverse" +#define COM_PLANETEXPRESS_SHIP_CRASH_NOW "Crash" +#define COM_PLANETEXPRESS_SHIP_LAND "Land" +#define COM_PLANETEXPRESS_SHIP_BECAMESENTIENT "BecameSentient" +#define COM_PLANETEXPRESS_SHIP_COLOR "Color" + +/* constants for com.planetexpress.Pilot */ +#define TEST_PILOT "com.planetexpress.Pilot" +#define TEST_PILOT_BLINK "Blink" +#define TEST_PILOT_EJECT "Eject" +#define TEST_PILOT_FULLNAME "FullName" +#define TEST_PILOT_BYTE "byte" +#define TEST_PILOT_BOOLEAN "boolean" +#define TEST_PILOT_INT16 "int16" +#define TEST_PILOT_UINT16 "uint16" +#define TEST_PILOT_INT32 "int32" +#define TEST_PILOT_UINT32 "uint32" +#define TEST_PILOT_INT64 "int64" +#define TEST_PILOT_UINT64 "uint64" +#define TEST_PILOT_DOUBLE "double" +#define TEST_PILOT_STRING "string" +#define TEST_PILOT_OBJECT_PATH "object_path" +#define TEST_PILOT_NULL_STRING "null_string" +#define TEST_PILOT_NULL_PATH "null_path" +#define TEST_PILOT_BYTE_ARRAY "byte_array" +#define TEST_PILOT_INT16_ARRAY "int16_array" +#define TEST_PILOT_UINT16_ARRAY "uint16_array" +#define TEST_PILOT_INT32_ARRAY "int32_array" +#define TEST_PILOT_UINT32_ARRAY "uint32_array" +#define TEST_PILOT_INT64_ARRAY "int64_array" +#define TEST_PILOT_UINT64_ARRAY "uint64_array" +#define TEST_PILOT_DOUBLE_ARRAY "double_array" +#define TEST_PILOT_STRING_ARRAY "string_array" +#define TEST_PILOT_OBJECT_PATH_ARRAY "object_path_array" + +/* constants for 
com.planetexpress.Special */ +#define TEST_SPECIAL "com.planetexpress.Special" +#define TEST_SPECIAL_ARRAY_DICT_SAS "array_dict_sas" + +/* ------------------------------------------------------------------------ + * DBus handlers + * + * These structures are filled in by implementors of the different + * dbus interfaces to handle method calls. + * + * Handler functions of type sbus_msg_handler_fn accept raw messages, + * other handlers are typed appropriately. If a handler that is + * set to NULL is invoked it will result in a + * org.freedesktop.DBus.Error.NotSupported error for the caller. + * + * Handlers have a matching xxx_finish() function (unless the method has + * accepts raw messages). These finish functions the + * sbus_request_return_and_finish() with the appropriate arguments to + * construct a valid reply. Once a finish function has been called, the + * @dbus_req it was called with is freed and no longer valid. + */ + +/* vtable for com.planetexpress.Ship */ +struct com_planetexpress_Ship { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*MoveUniverse)(struct sbus_request *req, void *data, bool arg_smoothly, uint32_t arg_speed_factor); + int (*crash_now)(struct sbus_request *req, void *data, const char *arg_where); + sbus_msg_handler_fn Land; + void (*get_Color)(struct sbus_request *, void *data, const char **); +}; + +/* finish function for MoveUniverse */ +int com_planetexpress_Ship_MoveUniverse_finish(struct sbus_request *req, const char *arg_where_we_crashed); + +/* finish function for Crash */ +int com_planetexpress_Ship_crash_now_finish(struct sbus_request *req); + +/* vtable for com.planetexpress.Pilot */ +struct test_pilot { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + int (*Blink)(struct sbus_request *req, void *data, uint32_t arg_duration); + int (*Eject)(struct sbus_request *req, void *data, uint8_t arg_byte, bool arg_boolean, int16_t arg_int16, uint16_t arg_uint16, int32_t arg_int32, uint32_t arg_uint32, 
int64_t arg_int64, uint64_t arg_uint64, double arg_double, const char *arg_string, const char *arg_object_path, uint8_t arg_byte_array[], int len_byte_array, int16_t arg_int16_array[], int len_int16_array, uint16_t arg_uint16_array[], int len_uint16_array, int32_t arg_int32_array[], int len_int32_array, uint32_t arg_uint32_array[], int len_uint32_array, int64_t arg_int64_array[], int len_int64_array, uint64_t arg_uint64_array[], int len_uint64_array, double arg_double_array[], int len_double_array, const char *arg_string_array[], int len_string_array, const char *arg_object_path_array[], int len_object_path_array); + void (*get_FullName)(struct sbus_request *, void *data, const char **); + void (*get_byte)(struct sbus_request *, void *data, uint8_t*); + void (*get_boolean)(struct sbus_request *, void *data, bool*); + void (*get_int16)(struct sbus_request *, void *data, int16_t*); + void (*get_uint16)(struct sbus_request *, void *data, uint16_t*); + void (*get_int32)(struct sbus_request *, void *data, int32_t*); + void (*get_uint32)(struct sbus_request *, void *data, uint32_t*); + void (*get_int64)(struct sbus_request *, void *data, int64_t*); + void (*get_uint64)(struct sbus_request *, void *data, uint64_t*); + void (*get_double)(struct sbus_request *, void *data, double*); + void (*get_string)(struct sbus_request *, void *data, const char **); + void (*get_object_path)(struct sbus_request *, void *data, const char **); + void (*get_null_string)(struct sbus_request *, void *data, const char **); + void (*get_null_path)(struct sbus_request *, void *data, const char **); + void (*get_byte_array)(struct sbus_request *, void *data, uint8_t**, int *); + void (*get_int16_array)(struct sbus_request *, void *data, int16_t**, int *); + void (*get_uint16_array)(struct sbus_request *, void *data, uint16_t**, int *); + void (*get_int32_array)(struct sbus_request *, void *data, int32_t**, int *); + void (*get_uint32_array)(struct sbus_request *, void *data, uint32_t**, int *); 
+ void (*get_int64_array)(struct sbus_request *, void *data, int64_t**, int *); + void (*get_uint64_array)(struct sbus_request *, void *data, uint64_t**, int *); + void (*get_double_array)(struct sbus_request *, void *data, double**, int *); + void (*get_string_array)(struct sbus_request *, void *data, const char ***, int *); + void (*get_object_path_array)(struct sbus_request *, void *data, const char ***, int *); +}; + +/* finish function for Blink */ +int test_pilot_Blink_finish(struct sbus_request *req, bool arg_crashed); + +/* finish function for Eject */ +int test_pilot_Eject_finish(struct sbus_request *req, uint8_t arg_byte, bool arg_boolean, int16_t arg_int16, uint16_t arg_uint16, int32_t arg_int32, uint32_t arg_uint32, int64_t arg_int64, uint64_t arg_uint64, double arg_double, const char *arg_string, const char *arg_object_path, uint8_t arg_byte_array[], int len_byte_array, int16_t arg_int16_array[], int len_int16_array, uint16_t arg_uint16_array[], int len_uint16_array, int32_t arg_int32_array[], int len_int32_array, uint32_t arg_uint32_array[], int len_uint32_array, int64_t arg_int64_array[], int len_int64_array, uint64_t arg_uint64_array[], int len_uint64_array, double arg_double_array[], int len_double_array, const char *arg_string_array[], int len_string_array, const char *arg_object_path_array[], int len_object_path_array); + +/* vtable for com.planetexpress.Special */ +struct test_special { + struct sbus_vtable vtable; /* derive from sbus_vtable */ + void (*get_array_dict_sas)(struct sbus_request *, void *data, hash_table_t **); +}; + +/* ------------------------------------------------------------------------ + * DBus Interface Metadata + * + * These structure definitions are filled in with the information about + * the interfaces, methods, properties and so on. + * + * The actual definitions are found in the accompanying C file next + * to this header. 
+ */ + +/* interface info for com.planetexpress.Ship */ +extern const struct sbus_interface_meta com_planetexpress_Ship_meta; + +/* interface info for com.planetexpress.Pilot */ +extern const struct sbus_interface_meta test_pilot_meta; + +/* interface info for com.planetexpress.Special */ +extern const struct sbus_interface_meta test_special_meta; + +#endif /* __SBUS_CODEGEN_TESTS_XML__ */ diff --git a/src/tests/sbus_tests.c b/src/tests/sbus_tests.c new file mode 100644 index 0000000..6bf71dc --- /dev/null +++ b/src/tests/sbus_tests.c 
@@ -0,0 +1,470 @@
+/*
+ SSSD
+
+ sbus_codegen tests.
+
+ Authors:
+ Stef Walter
+
+ Copyright (C) Red Hat, Inc 2014
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "common.h"
+
+#include "sbus/sssd_dbus.h"
+#include "sbus/sssd_dbus_meta.h"
+#include "util/util_errors.h"
+
+/*
+ * Although one would normally rely on the codegen to generate these
+ * structures, we want to test this functionality *before* we test
+ * the codegen in sbus_codegen_tests ... so these are hand rolled.
+ */ + +#define PILOT_IFACE "test.Pilot" +#define PILOT_BLINK "Blink" +#define PILOT_EAT "Eat" +#define PILOT_CRASH "Crash" + +#define PILOT_IFACE_INTROSPECT \ + "\n" \ + "\n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + " \n" \ + "\n" + +/* our vtable */ +struct pilot_vtable { + struct sbus_vtable vtable; + sbus_msg_handler_fn Blink; + sbus_msg_handler_fn Eat; + sbus_msg_handler_fn Crash; +}; + +const struct sbus_method_meta pilot_methods[] = { + { + PILOT_BLINK, /* method name */ + NULL, /* in args: manually parsed */ + NULL, /* out args: manually parsed */ + offsetof(struct pilot_vtable, Blink), + NULL + }, + { + PILOT_EAT, /* method name */ + NULL, /* in args: manually parsed */ + NULL, /* out args: manually parsed */ + offsetof(struct pilot_vtable, Eat), + NULL + }, + { + PILOT_CRASH, /* method name */ + NULL, /* in args: manually parsed */ + NULL, /* out args: manually parsed */ + offsetof(struct pilot_vtable, Crash), + NULL + }, + { NULL, } +}; + +const struct sbus_interface_meta pilot_meta = { + PILOT_IFACE, /* name */ + pilot_methods, + NULL, /* no signals */ + NULL, /* no properties */ + NULL, /* no GetAll invoker */ +}; + +static int blink_handler(struct sbus_request *req, void *data) +{ + DBusError error = DBUS_ERROR_INIT; + dbus_int32_t duration = 0; + dbus_bool_t crashed; + + ck_assert(req->intf->vtable->meta == &pilot_meta); + ck_assert(data != NULL); + ck_assert(data == req->intf->handler_data); + + ck_assert_str_eq(req->intf->path, req->path); + + if (strcmp(req->path, "/test/fry") == 0) { + ck_assert_str_eq(data, "Don't crash"); + } else if (strcmp(req->path, "/test/leela") == 0) { + ck_assert_str_eq(data, "Crash into the billboard"); + } else { + ck_abort(); + } + + if (!dbus_message_get_args (req->message, &error, + DBUS_TYPE_INT32, 
&duration,
+ DBUS_TYPE_INVALID)) {
+ sbus_request_fail_and_finish(req, &error);
+ dbus_error_free(&error);
+ return EOK;
+ }
+
+ /* Pilot crashes when eyes closed too long */
+ crashed = (duration > 5);
+
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_BOOLEAN, &crashed,
+ DBUS_TYPE_INVALID);
+}
+
+static int eat_handler(struct sbus_request *req, void *data)
+{
+ dbus_int32_t integer;
+ dbus_bool_t boolean;
+ const char **array;
+ int count;
+
+ if (!sbus_request_parse_or_finish (req,
+ DBUS_TYPE_INT32, &integer,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &array, &count,
+ DBUS_TYPE_BOOLEAN, &boolean,
+ DBUS_TYPE_INVALID)) {
+ return EOK; /* handled */
+ }
+
+ ck_assert_int_eq(integer, 5);
+ ck_assert(boolean == TRUE);
+ ck_assert_int_eq(count, 3);
+ ck_assert_str_eq(array[0], "one");
+ ck_assert_str_eq(array[1], "two");
+ ck_assert_str_eq(array[2], "three");
+
+ return sbus_request_return_and_finish(req, DBUS_TYPE_INVALID);
+}
+
+static int crash_handler(struct sbus_request *req, void *data)
+{
+ /* Pilot crashes by returning a malformed UTF-8 string */
+ const char *invalid = "ad\351la\357d";
+
+ return sbus_request_return_and_finish(req,
+ DBUS_TYPE_STRING, &invalid,
+ DBUS_TYPE_INVALID);
+}
+
+struct pilot_vtable pilot_impl = {
+ { &pilot_meta, 0 },
+ .Blink = blink_handler,
+ .Eat = eat_handler,
+ .Crash = crash_handler,
+};
+
+static int pilot_test_server_init(struct sbus_connection *server, void *unused)
+{
+ int ret;
+
+ ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/leela",
+ discard_const("Crash into the billboard"));
+ ck_assert_int_eq(ret, EOK);
+
+
+ ret = sbus_conn_register_iface(server, &pilot_impl.vtable, "/test/fry",
+ discard_const("Don't crash"));
+ ck_assert_int_eq(ret, EOK);
+
+ return EOK;
+}
+
+START_TEST(test_raw_handler)
+{
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusError error = DBUS_ERROR_INIT;
+ DBusMessage *reply;
+ dbus_bool_t crashed;
+ dbus_int32_t duration;
+
+ ctx = talloc_new(NULL);
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+
+ /* Leela crashes with a duration higher than 5 */
+ duration = 10;
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ PILOT_IFACE,
+ PILOT_BLINK,
+ &error,
+ DBUS_TYPE_INT32, &duration,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+ ck_assert(!dbus_error_is_set(&error));
+ ck_assert(dbus_message_get_args(reply, NULL,
+ DBUS_TYPE_BOOLEAN, &crashed,
+ DBUS_TYPE_INVALID));
+ dbus_message_unref (reply);
+ ck_assert(crashed == true);
+
+ /* Fry daesn't crash with a duration lower than 5 */
+ duration = 1;
+ reply = test_dbus_call_sync(client,
+ "/test/fry",
+ PILOT_IFACE,
+ PILOT_BLINK,
+ &error,
+ DBUS_TYPE_INT32, &duration,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+ ck_assert(!dbus_error_is_set(&error));
+ ck_assert(dbus_message_get_args(reply, NULL,
+ DBUS_TYPE_BOOLEAN, &crashed,
+ DBUS_TYPE_INVALID));
+ dbus_message_unref (reply);
+ ck_assert(crashed == FALSE);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+START_TEST(test_request_parse_ok)
+{
+ const char *args[] = { "one", "two", "three" };
+ const char **array;
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusError error = DBUS_ERROR_INIT;
+ DBusMessage *reply;
+ dbus_bool_t boolean;
+ dbus_int32_t integer;
+ int count;
+
+ ctx = talloc_new(NULL);
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+
+ boolean = TRUE;
+ integer = 5;
+ count = 3;
+ array = args;
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ PILOT_IFACE,
+ PILOT_EAT,
+ &error,
+ DBUS_TYPE_INT32, &integer,
+ DBUS_TYPE_ARRAY, DBUS_TYPE_STRING, &array, count,
+ DBUS_TYPE_BOOLEAN, &boolean,
+ DBUS_TYPE_INVALID);
+ ck_assert(reply != NULL);
+ ck_assert(!dbus_error_is_set(&error));
+ ck_assert(dbus_message_get_args(reply, NULL,
+ DBUS_TYPE_INVALID));
+ dbus_message_unref (reply);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+START_TEST(test_request_parse_bad_args)
+{
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusError error = DBUS_ERROR_INIT;
+ DBusMessage *reply;
+
+ ctx = talloc_new(NULL);
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ PILOT_IFACE,
+ PILOT_EAT,
+ &error,
+ DBUS_TYPE_INVALID); /* bad agruments */
+ ck_assert(reply == NULL);
+ ck_assert(dbus_error_is_set(&error));
+ ck_assert(dbus_error_has_name(&error, DBUS_ERROR_INVALID_ARGS));
+ dbus_error_free(&error);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+START_TEST(test_request_dontcrash)
+{
+#ifdef HAVE_DBUSBASICVALUE
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusError error = DBUS_ERROR_INIT;
+ DBusMessage *reply;
+
+ ctx = talloc_new(NULL);
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ PILOT_IFACE,
+ PILOT_CRASH,
+ &error,
+ DBUS_TYPE_INVALID); /* bad agruments */
+ ck_assert(reply == NULL);
+ ck_assert(dbus_error_is_set(&error));
+ ck_assert(dbus_error_has_name(&error, DBUS_ERROR_INVALID_ARGS));
+ dbus_error_free(&error);
+
+ talloc_free(ctx);
+#endif /* HAVE_DBUSBASICVALUE */
+}
+END_TEST
+
+START_TEST(test_introspection)
+{
+ TALLOC_CTX *ctx;
+ DBusConnection *client;
+ DBusError error = DBUS_ERROR_INIT;
+ DBusMessage *reply;
+ char *xml;
+
+ ctx = talloc_new(NULL);
+ client = test_dbus_setup_mock(ctx, NULL, pilot_test_server_init, NULL);
+
+ reply = test_dbus_call_sync(client,
+ "/test/leela",
+ DBUS_INTROSPECT_INTERFACE,
+ DBUS_INTROSPECT_METHOD,
+ &error,
+ DBUS_TYPE_INVALID); /* bad agruments */
+
+ ck_assert(reply != NULL);
+ ck_assert(!dbus_error_is_set(&error));
+ ck_assert(dbus_message_get_args(reply, NULL,
+ DBUS_TYPE_STRING, &xml,
+ DBUS_TYPE_INVALID));
+ ck_assert_str_eq(PILOT_IFACE_INTROSPECT, xml);
+
+ dbus_message_unref(reply);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+START_TEST(test_sbus_new_error)
+{
+ TALLOC_CTX *ctx;
+ DBusError *error;
+
+ ctx = talloc_new(NULL);
+
+ error = sbus_error_new(ctx, DBUS_ERROR_IO_ERROR, "Input-output error");
+ ck_assert(error != NULL);
+ ck_assert(dbus_error_is_set(error));
+ ck_assert(dbus_error_has_name(error, DBUS_ERROR_IO_ERROR));
+ talloc_free(error);
+
+ error = sbus_error_new(ctx, DBUS_ERROR_IO_ERROR,
+ "The answer should have been %d", 42);
+ ck_assert(error != NULL);
+ ck_assert(dbus_error_is_set(error));
+ ck_assert(dbus_error_has_name(error, DBUS_ERROR_IO_ERROR));
+ talloc_free(error);
+
+ /* NULL message must also work */
+ error = sbus_error_new(ctx, DBUS_ERROR_IO_ERROR, NULL);
+ ck_assert(error != NULL);
+ ck_assert(dbus_error_is_set(error));
+ ck_assert(dbus_error_has_name(error, DBUS_ERROR_IO_ERROR));
+ talloc_free(error);
+
+ talloc_free(ctx);
+}
+END_TEST
+
+TCase *create_sbus_tests(void)
+{
+ TCase *tc = tcase_create("tests");
+
+ tcase_add_test(tc, test_raw_handler);
+ tcase_add_test(tc, test_request_parse_ok);
+ tcase_add_test(tc, test_request_parse_bad_args);
+ tcase_add_test(tc, test_request_dontcrash);
+ tcase_add_test(tc, test_introspection);
+ tcase_add_test(tc, test_sbus_new_error);
+
+ return tc;
+}
+
+Suite *create_suite(void)
+{
+ Suite *s = suite_create("sbus");
+ suite_add_tcase(s, create_sbus_tests());
+ return s;
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ poptContext pc;
+ int failure_count;
+ Suite *suite;
+ SRunner *sr;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ switch (opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ suite = create_suite();
+ sr = srunner_create(suite);
+ /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */
+ srunner_run_all(sr, CK_ENV);
+ failure_count = srunner_ntests_failed(sr);
+ srunner_free(sr);
+ return (failure_count == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
+}
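Review bot: test_request_dontcrash is wrapped in `#ifdef HAVE_DBUSBASICVALUE`, so on builds without that macro the test body is empty and the suite reports a pass without ever exercising crash_handler's malformed UTF-8 reply. Within this file it appears to be the only check that an invalid string returned by a handler comes back as an error, so I would move the guard to the registration in create_sbus_tests, around `tcase_add_test(tc, test_request_dontcrash);`, which makes the test absent from the report instead of silently green. The `/* bad agruments */` comment on the PILOT_CRASH and Introspect calls is copied from test_request_parse_bad_args and does not describe them; for the crash case something like `/* no in args; the invalid UTF-8 reply must be rejected */` would state what is expected.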
diff --git a/src/tests/sss_idmap-tests.c b/src/tests/sss_idmap-tests.c
new file mode 100644
index 0000000..8859136
--- /dev/null
+++ b/src/tests/sss_idmap-tests.c
@@ -0,0 +1,970 @@ +/* + SSSD - Test for idmap library + + Authors: + Sumit Bose + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "lib/idmap/sss_idmap.h" +#include "lib/idmap/sss_idmap_private.h" +#include "tests/common_check.h" + +#define IDMAP_RANGE_MIN 1234 +#define IDMAP_RANGE_MAX 9876 + +#define IDMAP_RANGE_MIN2 11234 +#define IDMAP_RANGE_MAX2 19876 + +const char test_sid[] = "S-1-5-21-2127521184-1604012920-1887927527-72713"; +uint8_t test_bin_sid[] = {0x01, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x15, + 0x00, 0x00, 0x00, 0xA0, 0x65, 0xCF, 0x7E, 0x78, 0x4B, + 0x9B, 0x5F, 0xE7, 0x7C, 0x87, 0x70, 0x09, 0x1C, 0x01, + 0x00}; +size_t test_bin_sid_length = sizeof(test_bin_sid); + +struct dom_sid test_smb_sid = {1, 5, {0, 0, 0, 0, 0, 5}, {21, 2127521184, 1604012920, 1887927527, 72713, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}}; + +const char large_sid[] = "S-1-5-21-1-2-4294967295-1000"; +const char too_large_sid[] = "S-1-5-21-1-2-4294967296-1000"; + +struct sss_idmap_ctx *idmap_ctx; + +static void *idmap_talloc(size_t size, void *pvt) +{ + return talloc_size(pvt, size); +} + +static void idmap_talloc_free(void *ptr, void *pvt) +{ + talloc_free(ptr); +} + + +void idmap_ctx_setup(void) +{ + enum idmap_error_code err; + + err = sss_idmap_init(idmap_talloc, global_talloc_context, idmap_talloc_free, + &idmap_ctx); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_init failed."); + 
fail_unless(idmap_ctx != NULL, "sss_idmap_init returned NULL."); +} + +void idmap_ctx_setup_additional_seconary_slices(void) +{ + enum idmap_error_code err; + + err = sss_idmap_init(idmap_talloc, global_talloc_context, idmap_talloc_free, + &idmap_ctx); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_init failed."); + fail_unless(idmap_ctx != NULL, "sss_idmap_init returned NULL."); + + idmap_ctx->idmap_opts.rangesize = 10; + idmap_ctx->idmap_opts.extra_slice_init = 5; +} + +void idmap_ctx_teardown(void) +{ + enum idmap_error_code err; + + err = sss_idmap_free(idmap_ctx); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_free failed."); +} + +void idmap_add_domain_setup(void) +{ + enum idmap_error_code err; + struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX}; + + err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", &range); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed."); +} + +void idmap_add_domain_with_sec_slices_setup(void) +{ + enum idmap_error_code err; + struct sss_idmap_range range = { + IDMAP_RANGE_MIN, + IDMAP_RANGE_MIN + idmap_ctx->idmap_opts.rangesize - 1, + }; + + err = sss_idmap_add_auto_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", + &range, NULL, 0, false, NULL, NULL); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_auto_domain_ex failed."); +} + + +enum idmap_error_code cb(const char *dom_name, + const char *dom_sid, + const char *range_id, + uint32_t min_id, + uint32_t max_id, + uint32_t first_rid, + void *pvt) +{ + return IDMAP_ERROR; +} + +void idmap_add_domain_with_sec_slices_setup_cb_fail(void) +{ + enum idmap_error_code err; + struct sss_idmap_range range = { + IDMAP_RANGE_MIN, + IDMAP_RANGE_MIN + idmap_ctx->idmap_opts.rangesize - 1, + }; + + err = sss_idmap_add_auto_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", + &range, NULL, 0, false, cb, NULL); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_auto_domain_ex failed."); +} + + +#define MAX 1000 +char data[MAX]; + +enum 
idmap_error_code cb2(const char *dom_name, + const char *dom_sid, + const char *range_id, + uint32_t min_id, + uint32_t max_id, + uint32_t first_rid, + void *pvt) +{ + char *p = (char*)pvt; + size_t len; + + len = snprintf(p, MAX, "%s, %s %s, %"PRIu32", %"PRIu32", %" PRIu32, + dom_name, dom_sid, range_id, min_id, max_id, first_rid); + + if (len >= MAX) { + return IDMAP_OUT_OF_MEMORY; + } + return IDMAP_SUCCESS; +} + +void idmap_add_domain_with_sec_slices_setup_cb_ok(void) +{ + enum idmap_error_code err; + struct sss_idmap_range range = { + IDMAP_RANGE_MIN, + IDMAP_RANGE_MIN + idmap_ctx->idmap_opts.rangesize - 1, + }; + + void *pvt = (void*) data; + + err = sss_idmap_add_auto_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", + &range, NULL, 0, false, cb2, pvt); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_auto_domain_ex failed."); +} + +START_TEST(idmap_test_is_domain_sid) +{ + size_t c; + const char *invalid[] = { "abc", + "S-1-2-3-4-5-6", + "S-1-5-21-1", + "S-1-5-21-1-2-123456789012345678", + "S-1-5-21-1+2+3", + "S-1-5-21-a-b-c", + "S-1-5-21-1-2-3-4", + NULL }; + + fail_if(is_domain_sid(NULL), "is_domain_sid() returned true for [NULL]"); + for (c = 0; invalid[c] != NULL; c++) { + fail_if(is_domain_sid(invalid[c]), + "is_domain_sid() returned true for [%s]", invalid[c]); + } + + fail_unless(is_domain_sid("S-1-5-21-1-2-3"), + "is_domain_sid() returned true for [S-1-5-21-1-2-3]"); +} +END_TEST + +START_TEST(idmap_test_init_malloc) +{ + enum idmap_error_code err; + struct sss_idmap_ctx *ctx = NULL; + + err = sss_idmap_init(NULL, NULL, NULL, &ctx); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_init failed."); + fail_unless(ctx != NULL, "sss_idmap_init returned NULL."); + + err = sss_idmap_free(ctx); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_free failed."); +} +END_TEST + +START_TEST(idmap_test_init_talloc) +{ + enum idmap_error_code err; + struct sss_idmap_ctx *ctx = NULL; + + err = sss_idmap_init(idmap_talloc, global_talloc_context, idmap_talloc_free, 
+ &ctx); + + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_init failed."); + fail_unless(ctx != NULL, "sss_idmap_init returned NULL."); + + err = sss_idmap_free(ctx); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_free failed."); +} +END_TEST + +START_TEST(idmap_test_add_domain) +{ + idmap_add_domain_setup(); +} +END_TEST + +START_TEST(idmap_test_add_domain_collisions) +{ + enum idmap_error_code err; + struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX}; + struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2}; + + err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", &range); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom", "S-1-5-21-1-2-4", + &range2); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same name."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3", + &range2); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same SID."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4", + &range); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same range."); + + err = sss_idmap_add_domain(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4", + &range2); + fail_unless(err == IDMAP_SUCCESS, + "sss_idmap_add_domain failed to add second domain."); +} +END_TEST + +START_TEST(idmap_test_add_domain_collisions_ext_mapping) +{ + enum idmap_error_code err; + struct sss_idmap_range range = {IDMAP_RANGE_MIN, IDMAP_RANGE_MAX}; + struct sss_idmap_range range2 = {IDMAP_RANGE_MIN2, IDMAP_RANGE_MAX2}; + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-3", + &range, NULL, 0, true); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_add_domain failed."); + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom", "S-1-5-21-1-2-4", + &range2, NULL, 0, true); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain 
added domain with the same name."); + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-3", + &range2, NULL, 0, true); + fail_unless(err == IDMAP_COLLISION, + "sss_idmap_add_domain added domain with the same SID."); + + err = sss_idmap_add_domain_ex(idmap_ctx, "test.dom2", "S-1-5-21-1-2-4", + &range, NULL, 0, true); + fail_unless(err == IDMAP_SUCCESS, + "sss_idmap_add_domain failed to add second domain with " \ + "external mapping and the same range."); +} +END_TEST + +START_TEST(idmap_test_sid2uid) +{ + enum idmap_error_code err; + uint32_t id; + + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3333-1000", &id); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_sid_to_unix did not detect " + "unknown domain"); + + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-10000", &id); + fail_unless(err == IDMAP_NO_RANGE, "sss_idmap_sid_to_unix did not detect " + "RID out of range"); + + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-1000", &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + fail_unless(id == (1000 + IDMAP_RANGE_MIN), + "sss_idmap_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, 1000 + IDMAP_RANGE_MIN); +} +END_TEST + +START_TEST(idmap_test_sid2uid_ss) +{ + enum idmap_error_code err; + uint32_t id; + const uint32_t exp_id = 351800000; + const uint32_t exp_id2 = 832610000; + + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3333-1000", &id); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_sid_to_unix did not detect " + "unknown domain"); + + /* RID out of primary and secondary range */ + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-4000000", &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + fail_unless(id == exp_id, + "sss_idmap_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, exp_id); + + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-1000", &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix 
failed."); + fail_unless(id == (1000 + IDMAP_RANGE_MIN), + "sss_idmap_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, 1000 + IDMAP_RANGE_MIN); + + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-210000", &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + fail_unless(id == exp_id2, + "sss_idmap_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, exp_id2); +} +END_TEST + +START_TEST(idmap_test_sid2uid_ext_sec_slices) +{ + enum idmap_error_code err; + uint32_t id; + char *sid; + const uint32_t exp_id = 351800000; + + err = sss_idmap_unix_to_sid(idmap_ctx, exp_id, &sid); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_sid did not detect " + "id out of range"); + + /* RID out of primary and secondary range */ + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-4000000", &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + fail_unless(id == exp_id, + "sss_idmap_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, exp_id); + + /* Secondary ranges were expanded by sid_to_unix call */ + err = sss_idmap_unix_to_sid(idmap_ctx, exp_id, &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_unix_to_sid failed."); + fail_unless(strcmp(sid, "S-1-5-21-1-2-3-4000000") == 0, + "sss_idmap_unix_to_sid returned wrong SID, " + "expected [%s], got [%s].", "S-1-5-21-1-2-3-4000000", sid); + sss_idmap_free_sid(idmap_ctx, sid); +} +END_TEST + + +START_TEST(idmap_test_dyn_dom_store_cb_fail) +{ + enum idmap_error_code err; + uint32_t id; + char *sid; + const uint32_t exp_id = 351800000; + + err = sss_idmap_unix_to_sid(idmap_ctx, exp_id, &sid); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_sid did not detect " + "id out of range"); + + /* RID out of primary and secondary range */ + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-4000000", &id); + fail_unless(err == IDMAP_ERROR, "sss_idmap_sid_to_unix failed."); +} +END_TEST + 
+START_TEST(idmap_test_dyn_dom_store_cb_ok) +{ + enum idmap_error_code err; + uint32_t id; + char *sid; + const uint32_t exp_id = 351800000; + const char *exp_stored_data = "test.dom, S-1-5-21-1-2-3 S-1-5-21-1-2-3-4000000, 351800000, 351999999, 4000000"; + + err = sss_idmap_unix_to_sid(idmap_ctx, exp_id, &sid); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_sid did not detect " + "id out of range"); + + /* RID out of primary and secondary range */ + err = sss_idmap_sid_to_unix(idmap_ctx, "S-1-5-21-1-2-3-4000000", &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + + fail_unless(strcmp(data, + exp_stored_data) == 0, + "Storing dynamic domains idmapping failed: " + "expected [%s] but got [%s].", exp_stored_data, data); +} +END_TEST + + +START_TEST(idmap_test_sid2uid_additional_secondary_slices) +{ + enum idmap_error_code err; + struct TALLOC_CTX *tmp_ctx; + const char *dom_prefix = "S-1-5-21-1-2-3"; + const int max_rid = 80; + const char *sids[max_rid + 1]; + unsigned int ids[max_rid + 1]; + + tmp_ctx = talloc_new(NULL); + fail_unless(tmp_ctx != NULL, "Out of memory."); + + for (unsigned int i = 0; i < max_rid + 1; i++) { + sids[i] = talloc_asprintf(tmp_ctx, "%s-%u", dom_prefix, i); + + fail_unless(sids[i] != NULL, "Out of memory"); + + err = sss_idmap_sid_to_unix(idmap_ctx, sids[i], &ids[i]); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + } + + for (unsigned int i = 0; i < max_rid + 1; i++) { + char *sid; + + err = sss_idmap_unix_to_sid(idmap_ctx, ids[i], &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_sid_to_unix failed."); + + fail_unless(strcmp(sid, sids[i]) == 0, + "sss_idmap_unix_to_sid returned wrong sid, " + "got [%s], expected [%s].", sid, sids[i]); + talloc_free(sid); + } + + talloc_free(tmp_ctx); +} +END_TEST + +START_TEST(idmap_test_bin_sid2uid) +{ + enum idmap_error_code err; + uint32_t id; + uint8_t *bin_sid = NULL; + size_t length; + + err = sss_idmap_sid_to_bin_sid(idmap_ctx, 
"S-1-5-21-1-2-3-1000", + &bin_sid, &length); + fail_unless(err == IDMAP_SUCCESS, "Failed to convert SID to binary SID"); + + err = sss_idmap_bin_sid_to_unix(idmap_ctx, bin_sid, length , &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_bin_sid_to_unix failed."); + fail_unless(id == (1000 + IDMAP_RANGE_MIN), + "sss_idmap_bin_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, 1000 + IDMAP_RANGE_MIN); + + sss_idmap_free_bin_sid(idmap_ctx, bin_sid); +} +END_TEST + +START_TEST(idmap_test_dom_sid2uid) +{ + enum idmap_error_code err; + uint32_t id; + struct sss_dom_sid *dom_sid = NULL; + + err = sss_idmap_sid_to_dom_sid(idmap_ctx, "S-1-5-21-1-2-3-1000", &dom_sid); + fail_unless(err == IDMAP_SUCCESS, "Failed to convert SID to SID structure"); + + err = sss_idmap_dom_sid_to_unix(idmap_ctx, dom_sid, &id); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_dom_sid_to_unix failed."); + fail_unless(id == (1000 + IDMAP_RANGE_MIN), + "sss_idmap_dom_sid_to_unix returned wrong id, " + "got [%d], expected [%d].", id, 1000 + IDMAP_RANGE_MIN); + + sss_idmap_free_dom_sid(idmap_ctx, dom_sid); +} +END_TEST + +START_TEST(idmap_test_uid2sid) +{ + enum idmap_error_code err; + char *sid; + + err = sss_idmap_unix_to_sid(idmap_ctx, 10000, &sid); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_sid did not detect " + "id out of range"); + + err = sss_idmap_unix_to_sid(idmap_ctx, 2234, &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_unix_to_sid failed."); + fail_unless(strcmp(sid, "S-1-5-21-1-2-3-1000") == 0, + "sss_idmap_unix_to_sid returned wrong SID, " + "expected [%s], got [%s].", "S-1-5-21-1-2-3-1000", sid); + + sss_idmap_free_sid(idmap_ctx, sid); +} +END_TEST + +START_TEST(idmap_test_uid2sid_ss) +{ + enum idmap_error_code err; + char *sid; + + err = sss_idmap_unix_to_sid(idmap_ctx, + IDMAP_RANGE_MIN + idmap_ctx->idmap_opts.rangesize + 1, + &sid); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_sid did not detect " + "id out of range"); + + err = 
sss_idmap_unix_to_sid(idmap_ctx, 2234, &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_unix_to_sid failed."); + fail_unless(strcmp(sid, "S-1-5-21-1-2-3-1000") == 0, + "sss_idmap_unix_to_sid returned wrong SID, " + "expected [%s], got [%s].", "S-1-5-21-1-2-3-1000", sid); + + sss_idmap_free_sid(idmap_ctx, sid); + + /* Secondary ranges */ + err = sss_idmap_unix_to_sid(idmap_ctx, + 313800000, + &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_unix_to_sid failed."); + fail_unless(strcmp(sid, "S-1-5-21-1-2-3-400000") == 0, + "sss_idmap_unix_to_sid returned wrong SID, " + "expected [%s], got [%s].", "S-1-5-21-1-2-3-400000", sid); + + sss_idmap_free_sid(idmap_ctx, sid); +} +END_TEST + +START_TEST(idmap_test_uid2dom_sid) +{ + enum idmap_error_code err; + struct sss_dom_sid *dom_sid = NULL; + char *sid = NULL; + + err = sss_idmap_unix_to_dom_sid(idmap_ctx, 10000, &dom_sid); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_dom_sid did not detect " + "id out of range"); + + err = sss_idmap_unix_to_dom_sid(idmap_ctx, 2234, &dom_sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_unix_to_dom_sid failed."); + + err = sss_idmap_dom_sid_to_sid(idmap_ctx, dom_sid, &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_dom_sid_to_sid failed."); + + fail_unless(strcmp(sid, "S-1-5-21-1-2-3-1000") == 0, + "sss_idmap_unix_to_dom_sid returned wrong SID, " + "expected [%s], got [%s].", "S-1-5-21-1-2-3-1000", sid); + + sss_idmap_free_sid(idmap_ctx, sid); + sss_idmap_free_dom_sid(idmap_ctx, dom_sid); +} +END_TEST + +START_TEST(idmap_test_uid2bin_sid) +{ + enum idmap_error_code err; + uint8_t *bin_sid = NULL; + size_t length; + char *sid = NULL; + + err = sss_idmap_unix_to_bin_sid(idmap_ctx, 10000, &bin_sid, &length); + fail_unless(err == IDMAP_NO_DOMAIN, "sss_idmap_unix_to_bin_sid did not detect " + "id out of range"); + + err = sss_idmap_unix_to_bin_sid(idmap_ctx, 2234, &bin_sid, &length); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_unix_to_bin_sid failed."); + + err = 
sss_idmap_bin_sid_to_sid(idmap_ctx, bin_sid, length, &sid); + fail_unless(err == IDMAP_SUCCESS, "sss_idmap_bin_sid_to_sid failed."); + + fail_unless(strcmp(sid, "S-1-5-21-1-2-3-1000") == 0, + "sss_idmap_unix_to_bin_sid returned wrong SID, " + "expected [%s], got [%s].", "S-1-5-21-1-2-3-1000", sid); + + sss_idmap_free_sid(idmap_ctx, sid); + sss_idmap_free_bin_sid(idmap_ctx, bin_sid); +} +END_TEST + +START_TEST(idmap_test_bin_sid2dom_sid) +{ + struct sss_dom_sid *dom_sid = NULL; + enum idmap_error_code err; + uint8_t *new_bin_sid = NULL; + size_t new_bin_sid_length; + + err = sss_idmap_bin_sid_to_dom_sid(idmap_ctx, test_bin_sid, + test_bin_sid_length, &dom_sid); + + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert binary SID to struct sss_dom_sid."); + + err = sss_idmap_dom_sid_to_bin_sid(idmap_ctx, dom_sid, &new_bin_sid, + &new_bin_sid_length); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert struct sss_dom_sid to binary SID."); + + fail_unless(new_bin_sid_length == test_bin_sid_length, + "Length of binary SIDs do not match."); + fail_unless(memcmp(test_bin_sid, new_bin_sid, test_bin_sid_length) == 0, + "Binary SIDs do not match."); + + sss_idmap_free_dom_sid(idmap_ctx, dom_sid); + sss_idmap_free_bin_sid(idmap_ctx, new_bin_sid); +} +END_TEST + +START_TEST(idmap_test_sid2dom_sid) +{ + struct sss_dom_sid *dom_sid = NULL; + enum idmap_error_code err; + char *new_sid = NULL; + + err = sss_idmap_sid_to_dom_sid(idmap_ctx, "S-1-5-21-1-2-3-1000", &dom_sid); + + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert SID string to struct sss_dom_sid."); + + err = sss_idmap_dom_sid_to_sid(idmap_ctx, dom_sid, &new_sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert struct sss_dom_sid to SID string."); + + fail_unless(new_sid != NULL, "SID string not set"); + fail_unless(strlen("S-1-5-21-1-2-3-1000") == strlen(new_sid), + "Length of SID strings do not match."); + fail_unless(strcmp("S-1-5-21-1-2-3-1000", new_sid) == 0, + "SID strings do not match."); + + 
sss_idmap_free_dom_sid(idmap_ctx, dom_sid); + sss_idmap_free_sid(idmap_ctx, new_sid); +} +END_TEST + +START_TEST(idmap_test_large_and_too_large_sid) +{ + struct sss_dom_sid *dom_sid = NULL; + enum idmap_error_code err; + char *new_sid = NULL; + + err = sss_idmap_sid_to_dom_sid(idmap_ctx, large_sid, &dom_sid); + + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert SID string with a UINT32_MAX component " + "to struct sss_dom_sid."); + + err = sss_idmap_dom_sid_to_sid(idmap_ctx, dom_sid, &new_sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert struct sss_dom_sid to SID string."); + + fail_unless(new_sid != NULL, "SID string not set"); + fail_unless(strlen(large_sid) == strlen(new_sid), + "Length of SID strings do not match."); + fail_unless(strcmp(large_sid, new_sid) == 0, + "SID strings do not match, expected [%s], got [%s]", + large_sid, new_sid); + + err = sss_idmap_sid_to_dom_sid(idmap_ctx, too_large_sid, &dom_sid); + fail_unless(err == IDMAP_SID_INVALID, + "Trying to convert a SID with a too large component " + "did not return IDMAP_SID_INVALID"); + + sss_idmap_free_dom_sid(idmap_ctx, dom_sid); + sss_idmap_free_sid(idmap_ctx, new_sid); +} +END_TEST + +START_TEST(idmap_test_sid2bin_sid) +{ + enum idmap_error_code err; + size_t length; + uint8_t *bin_sid = NULL; + + err = sss_idmap_sid_to_bin_sid(idmap_ctx, test_sid, &bin_sid, &length); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert SID string to binary sid."); + fail_unless(length == test_bin_sid_length, + "Size of binary SIDs do not match, got [%d], expected [%d]", + length, test_bin_sid_length); + fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0, + "Binary SIDs do not match"); + + sss_idmap_free_bin_sid(idmap_ctx, bin_sid); +} +END_TEST + +START_TEST(idmap_test_bin_sid2sid) +{ + enum idmap_error_code err; + char *sid = NULL; + + err = sss_idmap_bin_sid_to_sid(idmap_ctx, test_bin_sid, test_bin_sid_length, + &sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to 
convert binary SID to SID string."); + fail_unless(strcmp(sid, test_sid) == 0, "SID strings do not match, " + "expected [%s], get [%s]", + test_sid, sid); + + sss_idmap_free_sid(idmap_ctx, sid); +} +END_TEST + +START_TEST(idmap_test_smb_sid2dom_sid) +{ + struct sss_dom_sid *dom_sid = NULL; + enum idmap_error_code err; + struct dom_sid *new_smb_sid = NULL; + + err = sss_idmap_smb_sid_to_dom_sid(idmap_ctx, &test_smb_sid, &dom_sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert samba dom_sid to struct sss_dom_sid."); + + err = sss_idmap_dom_sid_to_smb_sid(idmap_ctx, dom_sid, &new_smb_sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert struct sss_dom_sid to samba dom_sid."); + + fail_unless(memcmp(&test_smb_sid, new_smb_sid, sizeof(struct dom_sid)) == 0, + "Samba dom_sid-s do not match."); + + sss_idmap_free_dom_sid(idmap_ctx, dom_sid); + sss_idmap_free_smb_sid(idmap_ctx, new_smb_sid); +} +END_TEST + +START_TEST(idmap_test_smb_sid2bin_sid) +{ + enum idmap_error_code err; + size_t length; + uint8_t *bin_sid = NULL; + + err = sss_idmap_smb_sid_to_bin_sid(idmap_ctx, &test_smb_sid, + &bin_sid, &length); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert samba dom_sid to binary sid."); + fail_unless(length == test_bin_sid_length, + "Size of binary SIDs do not match, got [%d], expected [%d]", + length, test_bin_sid_length); + fail_unless(memcmp(bin_sid, test_bin_sid, test_bin_sid_length) == 0, + "Binary SIDs do not match."); + + sss_idmap_free_bin_sid(idmap_ctx, bin_sid); +} +END_TEST + +START_TEST(idmap_test_bin_sid2smb_sid) +{ + enum idmap_error_code err; + struct dom_sid *smb_sid = NULL; + + err = sss_idmap_bin_sid_to_smb_sid(idmap_ctx, test_bin_sid, + test_bin_sid_length, &smb_sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert binary sid to samba dom_sid."); + fail_unless(memcmp(&test_smb_sid, smb_sid, sizeof(struct dom_sid)) == 0, + "Samba dom_sid structs do not match."); + + sss_idmap_free_smb_sid(idmap_ctx, smb_sid); +} 
+END_TEST + +START_TEST(idmap_test_smb_sid2sid) +{ + enum idmap_error_code err; + char *sid = NULL; + + err = sss_idmap_smb_sid_to_sid(idmap_ctx, &test_smb_sid, &sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert samba dom_sid to sid string."); + fail_unless(strcmp(sid, test_sid) == 0, "SID strings do not match, " + "expected [%s], get [%s]", + test_sid, sid); + + sss_idmap_free_sid(idmap_ctx, sid); +} +END_TEST + +START_TEST(idmap_test_sid2smb_sid) +{ + enum idmap_error_code err; + struct dom_sid *smb_sid = NULL; + + err = sss_idmap_sid_to_smb_sid(idmap_ctx, test_sid, &smb_sid); + fail_unless(err == IDMAP_SUCCESS, + "Failed to convert binary sid to samba dom_sid."); + fail_unless(memcmp(&test_smb_sid, smb_sid, sizeof(struct dom_sid)) == 0, + "Samba dom_sid structs do not match."); + + sss_idmap_free_smb_sid(idmap_ctx, smb_sid); +} +END_TEST + + +Suite *idmap_test_suite (void) +{ + Suite *s = suite_create ("IDMAP"); + + TCase *tc_init = tcase_create("IDMAP init tests"); + tcase_add_checked_fixture(tc_init, + ck_leak_check_setup, + ck_leak_check_teardown); + + tcase_add_test(tc_init, idmap_test_init_malloc); + tcase_add_test(tc_init, idmap_test_init_talloc); + tcase_add_test(tc_init, idmap_test_is_domain_sid); + + suite_add_tcase(s, tc_init); + + TCase *tc_dom = tcase_create("IDMAP domain tests"); + tcase_add_checked_fixture(tc_dom, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_dom, + idmap_ctx_setup, + idmap_ctx_teardown); + + tcase_add_test(tc_dom, idmap_test_add_domain); + tcase_add_test(tc_dom, idmap_test_add_domain_collisions); + tcase_add_test(tc_dom, idmap_test_add_domain_collisions_ext_mapping); + + suite_add_tcase(s, tc_dom); + + TCase *tc_conv = tcase_create("IDMAP SID conversion tests"); + tcase_add_checked_fixture(tc_conv, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_conv, + idmap_ctx_setup, + idmap_ctx_teardown); + + tcase_add_test(tc_conv, idmap_test_bin_sid2dom_sid); + 
tcase_add_test(tc_conv, idmap_test_sid2dom_sid); + tcase_add_test(tc_conv, idmap_test_sid2bin_sid); + tcase_add_test(tc_conv, idmap_test_bin_sid2sid); + tcase_add_test(tc_conv, idmap_test_smb_sid2dom_sid); + tcase_add_test(tc_conv, idmap_test_smb_sid2bin_sid); + tcase_add_test(tc_conv, idmap_test_bin_sid2smb_sid); + tcase_add_test(tc_conv, idmap_test_smb_sid2sid); + tcase_add_test(tc_conv, idmap_test_sid2smb_sid); + tcase_add_test(tc_conv, idmap_test_large_and_too_large_sid); + + suite_add_tcase(s, tc_conv); + + TCase *tc_map = tcase_create("IDMAP mapping tests"); + tcase_add_checked_fixture(tc_map, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_map, + idmap_ctx_setup, + idmap_ctx_teardown); + tcase_add_checked_fixture(tc_map, + idmap_add_domain_setup, + NULL); + + tcase_add_test(tc_map, idmap_test_sid2uid); + tcase_add_test(tc_map, idmap_test_bin_sid2uid); + tcase_add_test(tc_map, idmap_test_dom_sid2uid); + tcase_add_test(tc_map, idmap_test_uid2sid); + tcase_add_test(tc_map, idmap_test_uid2dom_sid); + tcase_add_test(tc_map, idmap_test_uid2bin_sid); + + suite_add_tcase(s, tc_map); + + /* Test secondary slices */ + TCase *tc_map_ss = tcase_create("IDMAP mapping tests"); + tcase_add_checked_fixture(tc_map_ss, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_map_ss, + idmap_ctx_setup, + idmap_ctx_teardown); + tcase_add_checked_fixture(tc_map_ss, + idmap_add_domain_with_sec_slices_setup, + NULL); + + tcase_add_test(tc_map_ss, idmap_test_sid2uid_ss); + tcase_add_test(tc_map_ss, idmap_test_uid2sid_ss); + tcase_add_test(tc_map_ss, idmap_test_sid2uid_ext_sec_slices); + + suite_add_tcase(s, tc_map_ss); + + /* Test secondary slices - callback to store failed. 
*/ + TCase *tc_map_cb_fail = tcase_create("IDMAP mapping tests - store fail"); + tcase_add_checked_fixture(tc_map_cb_fail, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_map_cb_fail, + idmap_ctx_setup, + idmap_ctx_teardown); + tcase_add_checked_fixture(tc_map_cb_fail, + idmap_add_domain_with_sec_slices_setup_cb_fail, + NULL); + + tcase_add_test(tc_map_cb_fail, idmap_test_dyn_dom_store_cb_fail); + suite_add_tcase(s, tc_map_cb_fail); + + /* Test secondary slices - callback to store passed. */ + TCase *tc_map_cb_ok = tcase_create("IDMAP mapping tests"); + tcase_add_checked_fixture(tc_map_cb_ok, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_map_cb_ok, + idmap_ctx_setup, + idmap_ctx_teardown); + tcase_add_checked_fixture(tc_map_cb_ok, + idmap_add_domain_with_sec_slices_setup_cb_ok, + NULL); + + tcase_add_test(tc_map_cb_ok, idmap_test_dyn_dom_store_cb_ok); + suite_add_tcase(s, tc_map_cb_ok); + + /* Test additional secondary slices */ + TCase *tc_map_additional_secondary_slices = \ + tcase_create("IDMAP additional secondary slices"); + + tcase_add_checked_fixture(tc_map_additional_secondary_slices, + ck_leak_check_setup, + ck_leak_check_teardown); + tcase_add_checked_fixture(tc_map_additional_secondary_slices, + idmap_ctx_setup_additional_seconary_slices, + idmap_ctx_teardown); + tcase_add_checked_fixture(tc_map_additional_secondary_slices, + idmap_add_domain_with_sec_slices_setup, + NULL); + + tcase_add_test(tc_map_additional_secondary_slices, + idmap_test_sid2uid_additional_secondary_slices); + + suite_add_tcase(s, tc_map_additional_secondary_slices); + + return s; +} +int main(int argc, const char *argv[]) +{ + int number_failed; + + tests_set_cwd(); + + Suite *s = idmap_test_suite(); + SRunner *sr = srunner_create(s); + + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + number_failed = srunner_ntests_failed (sr); + srunner_free (sr); + + 
 return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}
diff --git a/src/tests/stress-tests.c b/src/tests/stress-tests.c
new file mode 100644
index 0000000..e34f910
--- /dev/null
+++ b/src/tests/stress-tests.c
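Review bot: In idmap_test_sid2bin_sid and idmap_test_smb_sid2bin_sid the failure message prints `length` and `test_bin_sid_length`, both `size_t`, with `%d`, which is a format/argument mismatch and undefined behaviour where `size_t` is wider than `int`. The message matters only when the size comparison fails, and that is when the mismatch would show misleading values. Use `"Size of binary SIDs do not match, got [%zu], expected [%zu]"` in both tests. The `uint32_t id` values printed with `[%d]` in the sid2uid tests are a milder case of the same problem and could use `PRIu32`, which cb2 in this file already does.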
@@ -0,0 +1,332 @@ +/* + SSSD + + Stress tests + + Copyright (C) Jakub Hrozek 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "tests/common.h" + +#define DEFAULT_START 10 +#define DEFAULT_STOP 20 + +#define NAME_SIZE 255 +#define CHUNK 64 + + +/* How many tests failed */ +int failure_count; + +/* Be chatty */ +int verbose; + +/* + * Look up one user. If the user is not found using getpwnam, the success + * or failure depends on enoent_fail being set. + */ +int test_lookup_user(const char *name, int enoent_fail) +{ + struct passwd *pwd = NULL; + int ret = 0; + int error; + + errno = 0; + pwd = getpwnam(name); + error = errno; + if (pwd == NULL) { + if (error == 0 || error == ENOENT) { + ret = (enoent_fail == 1) ? ENOENT : 0; + } + } + + if (ret != 0 && verbose) { + fprintf(stderr, + "getpwnam failed (name: %s): errno = %d, error = %s\n", + name, ret, strerror(ret)); + } + + return ret; +} + +/* + * Look up one group. If the user is not found using getgrnam, the success + * or failure depends on enoent_fail being set. + */ +int test_lookup_group(const char *name, int enoent_fail) +{ + struct group *grp = NULL; + int ret = 0; + + errno = 0; + grp = getgrnam(name); + if (grp == NULL) { + if (errno == 0 || errno == ENOENT) { + ret = enoent_fail ? 
ENOENT : 0; + } + } + + if (ret != 0 && verbose) { + fprintf(stderr, + "getgrnam failed (name %s): errno = %d, error = %s\n", + name, ret, strerror(ret)); + } + + return ret; +} + +int run_one_testcase(const char *name, int group, int enoent_fail) +{ + if (group) { + return test_lookup_group(name, enoent_fail); + } else { + return test_lookup_user(name, enoent_fail); + } +} + +/* + * Beware, has side-effects: changes global variable failure_count + */ +void child_handler(int signum) +{ + int status, ret; + + while ((ret = wait(&status)) > 0) { + if (ret == -1) { + perror("wait"); + exit(EXIT_FAILURE); + } + + if (WIFEXITED(status)) { + ret = WEXITSTATUS(status); + if (ret) { + if (verbose) { + fprintf(stderr, + "A child exited with error code %d\n", + WEXITSTATUS(status)); + } + ++failure_count; + } + } else ++failure_count; + } +} + +int generate_names(TALLOC_CTX *mem_ctx, const char *prefix, + int start, int stop, char ***_out) +{ + char **out; + int num_names = stop-start+1; + int idx = 0; + + out = talloc_array(mem_ctx, char *, num_names+1); + if (out == NULL) { + return ENOMEM; + } + + for (idx = 0; idx < num_names; ++idx) { + out[idx] = talloc_asprintf(mem_ctx, "%s%d", prefix, idx); + if (out[idx] == NULL) { + return ENOMEM; + } + } + out[idx] = NULL; + + *_out = out; + return EOK; +} + +int read_names(TALLOC_CTX *mem_ctx, FILE *stream, char ***_out) +{ + char one_name[NAME_SIZE]; + int n = 0; + int array_size = CHUNK; + int ret; + char **out; + + out = talloc_array(mem_ctx, char *, CHUNK+1); + if (out == NULL) { + return ENOMEM; + } + while (fgets(one_name, NAME_SIZE, stream)) { + out[n] = talloc_strdup(mem_ctx, one_name); + if (out[n] == NULL) { + return ENOMEM; + } + if ((n++ % CHUNK) == 0) { + array_size += CHUNK; + out = talloc_realloc(mem_ctx, out, char *, array_size); + if (out == NULL) { + return ENOMEM; + } + } + } + + if ((ret = ferror(stream))) { + return ret; + } + out[n] = NULL; + + *_out = out; + return EOK; +} + +int main(int argc, const char 
*argv[]) +{ + int opt; + poptContext pc; + int pc_start=DEFAULT_START; + int pc_stop=DEFAULT_STOP; + int pc_enoent_fail=0; + int pc_groups=0; + int pc_verbosity = 0; + char *pc_prefix = NULL; + TALLOC_CTX *ctx = NULL; + char **names = NULL; + + int status, idx, ret; + pid_t pid; + struct sigaction action, old_action; + + struct poptOption long_options[] = { + POPT_AUTOHELP + { "groups", 'g', POPT_ARG_NONE, &pc_groups, 0, + "Lookup in groups instead of users", NULL }, + { "prefix", '\0', POPT_ARG_STRING, &pc_prefix, 0, + "The username prefix", NULL }, + { "start", '\0', POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT, + &pc_start, 0, + "Start value to append to prefix", NULL }, + { "stop", '\0', POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT, + &pc_stop, 0, + "End value to append to prefix", NULL }, + { "enoent-fail", '\0', POPT_ARG_NONE, &pc_enoent_fail, 0, + "Fail on not getting the requested NSS data (default: No)", + NULL }, + { "verbose", 'v', POPT_ARG_NONE, 0, 'v', + "Be verbose", NULL }, + POPT_TABLEEND + }; + + /* parse the params */ + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + case 'v': + pc_verbosity = 1; + break; + + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + tests_set_cwd(); + + verbose = pc_verbosity; + + if (pc_prefix) { + ret = generate_names(ctx, pc_prefix, pc_start, pc_stop, &names); + if (ret != EOK) { + if (verbose) { + errno = ret; + perror("generate_names"); + } + exit(EXIT_FAILURE); + } + } else { + ret = read_names(ctx, stdin, &names); + if (ret != EOK) { + if (verbose) { + errno = ret; + perror("read_names"); + } + exit(EXIT_FAILURE); + } + } + + /* Reap the children in a handler asynchronously so we can + * somehow protect against too many processes */ + memset(&action, 0, sizeof(action)); + action.sa_handler = child_handler; + 
sigemptyset(&action.sa_mask); + sigaddset(&action.sa_mask, SIGCHLD); + action.sa_flags = SA_NOCLDSTOP; + + sigaction(SIGCHLD, &action, &old_action); + + /* Fire up the child processes */ + idx = 0; + for (idx=0; names[idx]; idx++) { + pid = fork(); + if (pid == -1) { + /* Try again in hope that some child has exited */ + if (errno == EAGAIN) { + continue; + } + perror("fork"); + exit(EXIT_FAILURE); + } else if ( pid == 0 ) { + /* child */ + ret = run_one_testcase(names[idx], pc_groups, pc_enoent_fail); + exit(ret); + } + } + + /* Process the rest of the children here in main */ + sigaction(SIGCHLD, &old_action, NULL); + while ((ret = wait(&status)) > 0) { + if (ret == -1) { + perror("wait"); + exit(EXIT_FAILURE); + } + + if (WIFEXITED(status)) { + ret = WEXITSTATUS(status); + if (ret) { + if (verbose) { + fprintf(stderr, + "A child exited with error code %d\n", + WEXITSTATUS(status)); + } + ++failure_count; + } + } else ++failure_count; + } + + if (pc_verbosity) { + fprintf(stderr, + "Total tests run: %d\nPassed: %d\nFailed: %d\n", + idx, + idx - failure_count, + failure_count); + } + return (failure_count==0 ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/tests/strtonum-tests.c b/src/tests/strtonum-tests.c new file mode 100644 index 0000000..eb7f1b5 --- /dev/null +++ b/src/tests/strtonum-tests.c 
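Review bot: `child_handler` is installed as the SIGCHLD handler, yet it loops on a blocking `wait()` and calls `fprintf`, `perror` and `exit`, none of which are async-signal-safe. The handler can therefore hold up the fork loop in `main` until every running child has exited, and it can deadlock or corrupt stdio state if the signal arrives while the main flow is inside another stdio call. Reap with `waitpid(-1, &status, WNOHANG)`, keep the handler to counting failures, and declare the counter as `volatile sig_atomic_t failure_count;`. The `if (ret == -1)` branch inside `while ((ret = wait(&status)) > 0)` can never be taken; the same dead branch sits in the reaping loop at the end of `main`. The sketch below drops the verbose per-child message from the handler because it cannot be printed safely there.

```c
/* Reap every child that has already exited, without blocking.
 * Only async-signal-safe calls are made here. */
void child_handler(int signum)
{
    int status;
    int saved_errno = errno;   /* waitpid() may overwrite errno of the interrupted code */

    (void)signum;
    while (waitpid(-1, &status, WNOHANG) > 0) {
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
            ++failure_count;
        }
    }
    errno = saved_errno;
}
```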
@@ -0,0 +1,615 @@ +/* + SSSD + + InfoPipe + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include "util/util.h" +#include "util/strtonum.h" +#include "tests/common.h" + +/******************** + * Utility routines * + ********************/ +#define EXPECT_UNSET_ERRNO(error) \ + do { \ + fail_unless(error == 0, "errno unexpectedly set to %d[%s]", \ + error, strerror(error)); \ + } while(0) + +#define CHECK_RESULT(expected, actual) \ + do { \ + fail_unless(actual == expected, "Expected %ld, got %ld", \ + expected, actual); \ + } while(0) + +#define CHECK_ERRNO(expected, actual) \ + do { \ + fail_unless(actual == expected, "Expected errno %d[%s], got %d[%s]", \ + expected, strerror(expected), \ + actual, strerror(actual)); \ + } while(0) + +#define CHECK_ENDPTR(expected, actual) \ + do { \ + fail_unless(actual == expected, "Expected endptr %p, got %p", \ + expected, actual); \ + } while(0) + +#define CHECK_ZERO_ENDPTR(endptr) \ + do { \ + fail_unless(endptr && *endptr == '\0', "Invalid endptr"); \ + } while(0) + +/****************** + * strtoint tests * + ******************/ + +/* Base-10 */ +START_TEST (test_strtoint32_pos_integer_base_10) +{ + int32_t result; + const char *input = "123"; + int32_t expected = 123; + char *endptr; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + 
EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_neg_integer_base_10) +{ + int32_t result; + const char *input = "-123"; + int32_t expected = -123; + char *endptr; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_pos_integer_intmax_base_10) +{ + int32_t result; + const char *input = "2147483647"; + int32_t expected = INT32_MAX; + char *endptr; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_neg_integer_intmin_base_10) +{ + int32_t result; + const char *input = "-2147483648"; + int32_t expected = INT32_MIN; + char *endptr; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_pos_integer_overflow_base_10) +{ + int32_t result; + const char *input = "8589934592"; + int32_t expected = INT32_MAX; + char *endptr; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + CHECK_ERRNO(ERANGE, error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_pos_integer_underflow_base_10) +{ + int32_t result; + const char *input = "-8589934592"; + int32_t expected = INT32_MIN; + char *endptr; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + CHECK_ERRNO(ERANGE, error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_mixed_alphanumeric_base_10) +{ + int32_t result; + const char *input = "12b13"; + int32_t expected = 12; + char *endptr; + 
const char *expected_endptr = input+2; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_alphaonly_base_10) +{ + int32_t result; + const char *input = "alpha"; + int32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_alphastart_base_10) +{ + int32_t result; + const char *input = "alpha12345"; + int32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtoint32_emptystring_base_10) +{ + int32_t result; + const char *input = ""; + int32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtoint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +/******************* + * strtouint tests * + *******************/ + +/* Base-10 */ +START_TEST (test_strtouint32_pos_integer_base_10) +{ + uint32_t result; + const char *input = "123"; + uint32_t expected = 123; + char *endptr; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint32_neg_integer_base_10) +{ + uint32_t result; + const char *input = "-123"; + uint32_t expected = UINT32_MAX; + char *endptr; + errno_t error; + + result = strtouint32(input, 
&endptr, 10); + error = errno; + + CHECK_ERRNO(ERANGE, error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint32_pos_integer_uintmax_base_10) +{ + uint32_t result; + const char *input = "4294967295"; + uint32_t expected = UINT32_MAX; + char *endptr; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + + +START_TEST (test_strtouint32_pos_integer_overflow_base_10) +{ + uint32_t result; + const char *input = "8589934592"; + uint32_t expected = UINT32_MAX; + char *endptr; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + CHECK_ERRNO(ERANGE, error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint32_mixed_alphanumeric_base_10) +{ + uint32_t result; + const char *input = "12b13"; + uint32_t expected = 12; + char *endptr; + const char *expected_endptr = input+2; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint32_alphaonly_base_10) +{ + uint32_t result; + const char *input = "alpha"; + uint32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint32_alphastart_base_10) +{ + uint32_t result; + const char *input = "alpha12345"; + uint32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, 
result); +} +END_TEST + +START_TEST (test_strtouint32_emptystring_base_10) +{ + uint32_t result; + const char *input = ""; + uint32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtouint32(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +/* Base-10 */ +START_TEST (test_strtouint16_pos_integer_base_10) +{ + uint16_t result; + const char *input = "123"; + uint16_t expected = 123; + char *endptr; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint16_neg_integer_base_10) +{ + uint32_t result; + const char *input = "-123"; + uint32_t expected = UINT16_MAX; + char *endptr; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + CHECK_ERRNO(ERANGE, error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint16_pos_integer_uintmax_base_10) +{ + uint32_t result; + const char *input = "65535"; + uint32_t expected = UINT16_MAX; + char *endptr; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + + +START_TEST (test_strtouint16_pos_integer_overflow_base_10) +{ + uint32_t result; + const char *input = "131072"; + uint32_t expected = UINT16_MAX; + char *endptr; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + CHECK_ERRNO(ERANGE, error); + CHECK_ZERO_ENDPTR(endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint16_mixed_alphanumeric_base_10) +{ + uint32_t result; + const char *input = "12b13"; + uint32_t expected = 12; + char *endptr; + const char *expected_endptr = input+2; + 
errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint16_alphaonly_base_10) +{ + uint32_t result; + const char *input = "alpha"; + uint32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint16_alphastart_base_10) +{ + uint32_t result; + const char *input = "alpha12345"; + uint32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + +START_TEST (test_strtouint16_emptystring_base_10) +{ + uint32_t result; + const char *input = ""; + uint32_t expected = 0; + char *endptr; + const char *expected_endptr = input; + errno_t error; + + result = strtouint16(input, &endptr, 10); + error = errno; + + EXPECT_UNSET_ERRNO(error); + CHECK_ENDPTR(expected_endptr, endptr); + CHECK_RESULT(expected, result); +} +END_TEST + + +Suite *create_strtonum_suite(void) +{ + Suite *s = suite_create("strtonum"); + + TCase *tc_strtoint32 = tcase_create("strtoint32 Tests"); + tcase_add_test(tc_strtoint32, test_strtoint32_pos_integer_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_neg_integer_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_pos_integer_intmax_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_neg_integer_intmin_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_pos_integer_overflow_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_pos_integer_underflow_base_10); + tcase_add_test(tc_strtoint32, 
test_strtoint32_mixed_alphanumeric_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_alphaonly_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_alphastart_base_10); + tcase_add_test(tc_strtoint32, test_strtoint32_emptystring_base_10); + + TCase *tc_strtouint32 = tcase_create("strtouint32 Tests"); + tcase_add_test(tc_strtouint32, test_strtouint32_pos_integer_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_neg_integer_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_pos_integer_uintmax_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_pos_integer_overflow_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_mixed_alphanumeric_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_alphaonly_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_alphastart_base_10); + tcase_add_test(tc_strtouint32, test_strtouint32_emptystring_base_10); + + TCase *tc_strtouint16 = tcase_create("strtouint16 Tests"); + tcase_add_test(tc_strtouint16, test_strtouint16_pos_integer_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_neg_integer_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_pos_integer_uintmax_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_pos_integer_overflow_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_mixed_alphanumeric_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_alphaonly_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_alphastart_base_10); + tcase_add_test(tc_strtouint16, test_strtouint16_emptystring_base_10); + + /* Add all test cases to the suite */ + suite_add_tcase(s, tc_strtoint32); + suite_add_tcase(s, tc_strtouint32); + suite_add_tcase(s, tc_strtouint16); + + return s; +} + + +int main(int argc, const char *argv[]) { + int opt; + poptContext pc; + int failure_count; + Suite *strtonum_suite; + SRunner *sr; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + POPT_TABLEEND + }; + + /* Set debug level 
to invalid value so we can decide if -d 0 was used. */ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + tests_set_cwd(); + + strtonum_suite = create_strtonum_suite(); + sr = srunner_create(strtonum_suite); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed(sr); + srunner_free(sr); + return (failure_count==0 ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/tests/sysdb-tests.c b/src/tests/sysdb-tests.c new file mode 100644 index 0000000..7baf894 --- /dev/null +++ b/src/tests/sysdb-tests.c 
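Review bot: `CHECK_RESULT` formats both values with `%ld`, but every caller in this file passes `int32_t`, `uint32_t` or `uint16_t`, so on LP64 targets the variadic call receives arguments narrower than `long` and the failure message is undefined exactly when a test needs it. Cast inside the macro and parenthesize its parameters: `fail_unless((actual) == (expected), "Expected %lld, got %lld", (long long)(expected), (long long)(actual));`. The `strtouint16` tests add to the confusion by declaring `result` and `expected` as `uint16_t` in the first test and `uint32_t` in the rest; using `uint16_t` throughout would keep the compared type equal to the type under test.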
@@ -0,0 +1,7683 @@ +/* + SSSD + + System Database + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "db/sysdb_private.h" +#include "db/sysdb_services.h" +#include "db/sysdb_autofs.h" +#include "tests/common.h" + +#define TESTS_PATH "tp_" BASE_FILE_STEM +#define TEST_CONF_FILE "tests_conf.ldb" + +#define TEST_ATTR_NAME "test_attr_name" +#define TEST_ATTR_VALUE "test_attr_value" +#define TEST_ATTR_UPDATE_VALUE "test_attr_update_value" +#define TEST_ATTR_ADD_NAME "test_attr_add_name" +#define TEST_ATTR_ADD_VALUE "test_attr_add_value" +#define CUSTOM_TEST_CONTAINER "custom_test_container" +#define CUSTOM_TEST_OBJECT "custom_test_object" +#define TEST_DOM_NAME "local" + +#define ASQ_TEST_USER "testuser27010" +#define ASQ_TEST_USER_UID 27010 + +#define MBO_USER_BASE 27500 +#define MBO_GROUP_BASE 28500 +#define NUM_GHOSTS 10 + +#define TEST_AUTOFS_MAP_BASE 29500 + +struct sysdb_test_ctx { + struct sysdb_ctx *sysdb; + struct confdb_ctx *confdb; + struct tevent_context *ev; + struct sss_domain_info *domain; + + size_t null_pointer_size; +}; + +static int _setup_sysdb_tests(struct sysdb_test_ctx **ctx, bool enumerate) +{ + struct sysdb_test_ctx *test_ctx; + char *conf_db; + int ret; + + const char *val[2]; + val[1] = NULL; + + /* Create 
tests directory if it doesn't exist */ + /* (relative to current dir) */ + ret = mkdir(TESTS_PATH, 0775); + if (ret == -1 && errno != EEXIST) { + fail("Could not create %s directory", TESTS_PATH); + return EFAULT; + } + + test_ctx = talloc_zero(NULL, struct sysdb_test_ctx); + if (test_ctx == NULL) { + fail("Could not allocate memory for test context"); + return ENOMEM; + } + + /* Create an event context + * It will not be used except in confdb_init and sysdb_init + */ + test_ctx->ev = tevent_context_init(test_ctx); + if (test_ctx->ev == NULL) { + fail("Could not create event context"); + talloc_free(test_ctx); + return EIO; + } + + conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE); + if (conf_db == NULL) { + fail("Out of memory, aborting!"); + talloc_free(test_ctx); + return ENOMEM; + } + DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db); + + /* Connect to the conf db */ + ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db); + if (ret != EOK) { + fail("Could not initialize connection to the confdb"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "LOCAL"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/sssd", "domains", val); + if (ret != EOK) { + fail("Could not initialize domains placeholder"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "local"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "id_provider", val); + if (ret != EOK) { + fail("Could not initialize provider"); + talloc_free(test_ctx); + return ret; + } + + val[0] = enumerate ? 
"TRUE" : "FALSE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "enumerate", val); + if (ret != EOK) { + fail("Could not initialize LOCAL domain"); + talloc_free(test_ctx); + return ret; + } + + val[0] = "TRUE"; + ret = confdb_add_param(test_ctx->confdb, true, + "config/domain/LOCAL", "cache_credentials", val); + if (ret != EOK) { + fail("Could not initialize LOCAL domain"); + talloc_free(test_ctx); + return ret; + } + + ret = sssd_domain_init(test_ctx, test_ctx->confdb, TEST_DOM_NAME, + TESTS_PATH, &test_ctx->domain); + if (ret != EOK) { + fail("Could not initialize connection to the sysdb (%d)", ret); + talloc_free(test_ctx); + return ret; + } + test_ctx->sysdb = test_ctx->domain->sysdb; + + test_ctx->null_pointer_size = talloc_total_size(NULL); + + *ctx = test_ctx; + return EOK; +} + +static void null_ctx_get_size(struct sysdb_test_ctx *ctx) +{ + ctx->null_pointer_size = talloc_total_size(NULL); +} + +static void fail_if_null_ctx_leaks(struct sysdb_test_ctx *ctx) +{ + size_t new_null_pointer_size; + + new_null_pointer_size = talloc_total_size(NULL); + if(new_null_pointer_size != ctx->null_pointer_size) { + fail("NULL pointer leaked memory, was %zu, is %zu\n", + ctx->null_pointer_size, new_null_pointer_size); + } +} + +#define setup_sysdb_tests(ctx) _setup_sysdb_tests((ctx), false) + +struct test_data { + struct tevent_context *ev; + struct sysdb_test_ctx *ctx; + + const char *username; /* fqname */ + const char *groupname; /* fqname */ + const char *netgrname; + const char *autofsmapname; + uid_t uid; + gid_t gid; + const char *shell; + const char *orig_dn; + const char *sid_str; + + bool finished; + int error; + + struct sysdb_attrs *attrs; + const char **attrlist; + char **ghostlist; + struct ldb_message *msg; + + size_t msgs_count; + struct ldb_message **msgs; +}; + +static struct test_data *test_data_new(struct sysdb_test_ctx *test_ctx) +{ + struct test_data *data; + + data = talloc_zero(test_ctx, struct test_data); + if (data == 
NULL) { + return NULL; + } + + data->attrs = sysdb_new_attrs(data); + if (data->attrs == NULL) { + talloc_free(data); + return NULL; + } + + data->ctx = test_ctx; + data->ev = test_ctx->ev; + + return data; +} + +static char *test_asprintf_fqname(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + const char *fmt, + ...) +{ + char *shortname; + char *fqname; + va_list ap; + + va_start(ap, fmt); + shortname = talloc_vasprintf(mem_ctx, fmt, ap); + va_end(ap); + if (shortname == NULL) { + return NULL; + } + + fqname = sss_create_internal_fqname(mem_ctx, shortname, dom->name); + talloc_free(shortname); + if (fqname == NULL) { + return NULL; + } + + return fqname; +} + +static struct test_data *test_data_new_user(struct sysdb_test_ctx *test_ctx, + uid_t uid) +{ + struct test_data *data; + + data = test_data_new(test_ctx); + if (data == NULL) { + return NULL; + } + + data->uid = uid; + data->gid = uid; + data->username = test_asprintf_fqname(data, test_ctx->domain, + "testuser%d", uid); + if (data->username == NULL) { + talloc_free(data); + return NULL; + } + + return data; +} + +static struct test_data *test_data_new_group(struct sysdb_test_ctx *test_ctx, + gid_t gid) +{ + struct test_data *data; + + data = test_data_new(test_ctx); + if (data == NULL) { + return NULL; + } + + data->gid = gid; + data->groupname = test_asprintf_fqname(data, test_ctx->domain, + "testgroup%d", gid); + if (data->groupname == NULL) { + talloc_free(data); + return NULL; + } + + return data; +} + +static int test_add_user(struct test_data *data) +{ + char *homedir; + char *gecos; + int ret; + + homedir = talloc_asprintf(data, "/home/testuser%d", data->uid); + if (homedir == NULL) { + return ENOMEM; + } + + gecos = talloc_asprintf(data, "Test User %d", data->uid); + if (gecos == NULL) { + return ENOMEM; + } + + ret = sysdb_add_user(data->ctx->domain, data->username, + data->uid, 0, gecos, homedir, "/bin/bash", + data->orig_dn, data->attrs, 0, 0); + return ret; +} + +static int 
test_store_user(struct test_data *data) +{ + char *homedir; + char *gecos; + int ret; + + homedir = talloc_asprintf(data, "/home/testuser%d", data->uid); + fail_if(homedir == NULL, "OOM"); + gecos = talloc_asprintf(data, "Test User %d", data->uid); + fail_if(gecos == NULL, "OOM"); + + ret = sysdb_store_user(data->ctx->domain, + data->username, "x", + data->uid, 0, gecos, homedir, + data->shell ? data->shell : "/bin/bash", + NULL, NULL, NULL, -1, 0); + return ret; +} + +static int test_remove_user(struct test_data *data) +{ + struct ldb_dn *user_dn; + int ret; + struct ldb_result *res; + + user_dn = sysdb_user_dn(data, data->ctx->domain, data->username); + if (!user_dn) return ENOMEM; + + ret = sysdb_delete_entry(data->ctx->sysdb, user_dn, false); + if (ret != EOK) return ret; + + ret = sysdb_getpwnam(data, data->ctx->domain, data->username, &res); + if (ret != EOK) return ret; + + if (res->count != 0) return E2BIG; + + return EOK; +} + +static int test_remove_user_by_uid(struct test_data *data) +{ + int ret; + + ret = sysdb_delete_user(data->ctx->domain, NULL, data->uid); + return ret; +} + +static int test_add_group(struct test_data *data) +{ + int ret; + + ret = sysdb_add_group(data->ctx->domain, data->groupname, data->gid, + data->attrs, 0, 0); + return ret; +} + +static int test_add_incomplete_group(struct test_data *data) +{ + int ret; + + ret = sysdb_add_incomplete_group(data->ctx->domain, data->groupname, + data->gid, data->orig_dn, + data->sid_str, NULL, true, 0); + return ret; +} + +static int test_store_group(struct test_data *data) +{ + int ret; + + ret = sysdb_store_group(data->ctx->domain, + data->groupname, data->gid, data->attrs, -1, 0); + return ret; +} + +static int test_remove_group(struct test_data *data) +{ + struct ldb_dn *group_dn; + int ret; + struct ldb_result *res; + + group_dn = sysdb_group_dn(data, data->ctx->domain, data->groupname); + if (!group_dn) return ENOMEM; + + ret = sysdb_delete_entry(data->ctx->sysdb, group_dn, true); + if (ret 
!= EOK) return ret; + + ret = sysdb_getgrnam(data, data->ctx->domain, data->groupname, &res); + if (ret != EOK) return ret; + + if (res->count != 0) return E2BIG; + + return EOK; +} + +static int test_remove_group_by_gid(struct test_data *data) +{ + int ret; + + ret = sysdb_delete_group(data->ctx->domain, NULL, data->gid); + return ret; +} + +static int test_set_user_attr(struct test_data *data) +{ + int ret; + + ret = sysdb_set_user_attr(data->ctx->domain, data->username, + data->attrs, SYSDB_MOD_REP); + return ret; +} + +static int test_add_group_member(struct test_data *data) +{ + int ret; + + ret = sysdb_add_group_member(data->ctx->domain, + data->groupname, + data->username, + SYSDB_MEMBER_USER, false); + return ret; +} + +static int test_remove_group_member(struct test_data *data) +{ + int ret; + struct ldb_result *res_pre; + struct ldb_result *res_post; + + ret = sysdb_initgroups(data, data->ctx->domain, data->username, &res_pre); + if (ret) return ret; + + ret = sysdb_remove_group_member(data->ctx->domain, + data->groupname, + data->username, + SYSDB_MEMBER_USER, false); + + ret = sysdb_initgroups(data, data->ctx->domain, data->username, &res_post); + if (ret) return ret; + + /* assert the member was removed */ + if (res_post->count + 1 != res_pre->count) { + return E2BIG; + } + + return ret; +} + +static int test_store_custom(struct test_data *data) +{ + char *object_name; + int ret; + + object_name = talloc_asprintf(data, "%s_%d", CUSTOM_TEST_OBJECT, data->uid); + if (!object_name) { + return ENOMEM; + } + + ret = sysdb_store_custom(data->ctx->domain, object_name, + CUSTOM_TEST_CONTAINER, data->attrs); + return ret; +} + +static int test_delete_custom(struct test_data *data) +{ + int ret; + + ret = sysdb_delete_custom(data->ctx->domain, CUSTOM_TEST_OBJECT, + CUSTOM_TEST_CONTAINER); + return ret; +} + +static int test_search_all_users(struct test_data *data) +{ + struct ldb_dn *base_dn; + int ret; + + base_dn = ldb_dn_new_fmt(data, data->ctx->sysdb->ldb, 
SYSDB_TMPL_USER_BASE,
+ "LOCAL");
+ if (base_dn == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_search_entry(data, data->ctx->sysdb, base_dn,
+ LDB_SCOPE_SUBTREE, SYSDB_UC,
+ data->attrlist, &data->msgs_count, &data->msgs);
+ return ret;
+}
+
+static int test_delete_recursive(struct test_data *data)
+{
+ struct ldb_dn *dn;
+ int ret;
+
+ dn = ldb_dn_new_fmt(data, data->ctx->sysdb->ldb, SYSDB_DOM_BASE,
+ "LOCAL");
+ if (!dn) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_delete_recursive(data->ctx->sysdb, dn, false);
+ fail_unless(ret == EOK, "sysdb_delete_recursive returned [%d]", ret);
+ return ret;
+}
+
+static int test_memberof_store_group(struct test_data *data)
+{
+ int ret;
+ char *member;
+ int i;
+
+ for (i = 0; data->attrlist && data->attrlist[i]; i++) {
+ member = sysdb_group_strdn(data, data->ctx->domain->name,
+ data->attrlist[i]);
+ if (!member) {
+ return ENOMEM;
+ }
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_MEMBER, member);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ return test_store_group(data);
+}
+
+static int test_memberof_store_group_with_ghosts(struct test_data *data)
+{
+ int ret;
+ struct sysdb_attrs *attrs = NULL;
+ char *member;
+ int i;
+
+ attrs = sysdb_new_attrs(data);
+ if (!attrs) {
+ return ENOMEM;
+ }
+
+ for (i = 0; data->attrlist && data->attrlist[i]; i++) {
+ member = sysdb_group_strdn(data, data->ctx->domain->name,
+ data->attrlist[i]);
+ if (!member) {
+ return ENOMEM;
+ }
+ ret = sysdb_attrs_steal_string(attrs, SYSDB_MEMBER, member);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ for (i = 0; data->ghostlist && data->ghostlist[i]; i++) {
+ ret = sysdb_attrs_steal_string(attrs, SYSDB_GHOST,
+ data->ghostlist[i]);
+ if (ret != EOK) {
+ return ret;
+ }
+ }
+
+ ret = sysdb_store_group(data->ctx->domain,
+ data->groupname, data->gid, attrs, -1, 0);
+ return ret;
+}
+
+static int test_add_basic_netgroup(struct test_data *data)
+{
+ const char *description;
+ int ret;
+
+ description = talloc_asprintf(data, "Test Netgroup %d",
data->uid);
+ if (description == NULL) return ENOMEM;
+
+ ret = sysdb_add_basic_netgroup(data->ctx->domain, data->netgrname,
+ description);
+ return ret;
+}
+
+static int test_remove_netgroup_entry(struct test_data *data)
+{
+ struct ldb_dn *netgroup_dn;
+ int ret;
+
+ netgroup_dn = sysdb_netgroup_dn(data, data->ctx->domain, data->netgrname);
+ if (!netgroup_dn) return ENOMEM;
+
+ ret = sysdb_delete_entry(data->ctx->sysdb, netgroup_dn, true);
+ return ret;
+}
+
+static int test_remove_netgroup_by_name(struct test_data *data)
+{
+ int ret;
+
+ ret = sysdb_delete_netgroup(data->ctx->domain, data->netgrname);
+ return ret;
+}
+
+static int test_set_netgroup_attr(struct test_data *data)
+{
+ int ret;
+ const char *description;
+ struct sysdb_attrs *attrs = NULL;
+
+ description = talloc_asprintf(data, "Sysdb Netgroup %d", data->uid);
+ if (description == NULL) return ENOMEM;
+
+ attrs = sysdb_new_attrs(data);
+ if (!attrs) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_DESCRIPTION, description);
+ if (ret) {
+ return ret;
+ }
+
+ ret = sysdb_set_netgroup_attr(data->ctx->domain, data->netgrname,
+ attrs, SYSDB_MOD_REP);
+ return ret;
+}
+
+static struct ldb_result *test_getpwnam(struct test_data *data)
+{
+ int ret;
+ struct ldb_result *res;
+
+ ret = sysdb_getpwnam(data,
+ data->ctx->domain,
+ data->username, &res);
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return res;
+}
+
+static struct ldb_result *test_getgrnam(struct test_data *data)
+{
+ int ret;
+ struct ldb_result *res;
+
+ ret = sysdb_getgrnam(data,
+ data->ctx->domain,
+ data->groupname, &res);
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return res;
+}
+
+START_TEST (test_sysdb_user_new_id)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ const char *fqname;
+ struct sysdb_attrs *attrs = NULL;
+ struct ldb_message *msg;
+ const char *get_attrs[] = { SYSDB_DESCRIPTION, NULL };
+ const char *desc;
+ const char *desc_in = "testuser_new_id_desc";
+ const char *username = "testuser_newid";
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ fqname = sss_create_internal_fqname(test_ctx,
+ username,
+ test_ctx->domain->name);
+ fail_if(fqname == NULL);
+
+ attrs = sysdb_new_attrs(test_ctx);
+ fail_if(attrs == NULL);
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_DESCRIPTION, desc_in);
+ fail_if(ret != EOK);
+
+ ret = sysdb_add_user(test_ctx->domain, fqname,
+ 0, 0, fqname, "/", "/bin/bash",
+ NULL, attrs, 0, 0);
+ fail_if(ret != EOK, "Could not store user %s", fqname);
+
+ ret = sysdb_search_user_by_name(test_ctx,
+ test_ctx->domain,
+ fqname, get_attrs, &msg);
+ fail_if(ret != EOK, "Could not retrieve user %s", fqname);
+
+ desc = ldb_msg_find_attr_as_string(msg, SYSDB_DESCRIPTION, NULL);
+ fail_unless(desc != NULL);
+ ck_assert_str_eq(desc, desc_in);
+
+ ret = sysdb_delete_user(test_ctx->domain, fqname, 0);
+ fail_unless(ret == EOK, "sysdb_delete_user error [%d][%s]",
+ ret, strerror(ret));
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_store_user)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = test_store_user(data);
+
+ fail_if(ret != EOK, "Could not store user %s", data->username);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_store_user_existing)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+ data->shell = "/bin/ksh";
+
+ ret = test_store_user(data);
+
+ fail_if(ret != EOK, "Could not store user %s", data->username);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST
(test_sysdb_store_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL, "OOM");
+
+ ret = test_store_group(data);
+
+ fail_if(ret != EOK, "Could not store POSIX group #%d", _i);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_local_user)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL, "OOM");
+
+ ret = test_remove_user(data);
+
+ fail_if(ret != EOK, "Could not remove user %s", data->username);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_local_user_by_uid)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_if(data == NULL);
+ data->uid = _i;
+
+ ret = test_remove_user_by_uid(data);
+
+ fail_if(ret != EOK, "Could not remove user with uid %d", _i);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_local_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = test_remove_group(data);
+
+ fail_if(ret != EOK, "Could not remove group %s", data->groupname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_local_group_by_gid)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret =
setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ null_ctx_get_size(data->ctx);
+ ret = test_remove_group_by_gid(data);
+ fail_if_null_ctx_leaks(test_ctx);
+
+ fail_if(ret != EOK, "Could not remove group with gid %d", _i);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_user)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = test_add_user(data);
+
+ fail_if(ret != EOK, "Could not add user %s", data->username);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = test_add_group(data);
+
+ fail_if(ret != EOK, "Could not add group %s", data->groupname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_group_with_ghosts)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ char *member_fqname;
+ int j;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ for (j = MBO_GROUP_BASE; j < _i; j++) {
+ member_fqname = test_asprintf_fqname(data, data->ctx->domain,
+ "testghost%d", j);
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, member_fqname);
+ if (ret != EOK) {
+ fail_unless(ret == EOK, "Cannot add attr\n");
+ }
+ }
+
+ ret = test_store_group(data);
+
+ fail_if(ret != EOK, "Could not add group %s",
data->groupname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_incomplete_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = test_add_incomplete_group(data);
+
+ fail_if(ret != EOK, "Could not add incomplete group %s", data->groupname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_incomplete_group_rename)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group",
+ 20000, NULL,
+ "S-1-5-21-123-456-789-111",
+ NULL, true, 0);
+ fail_unless(ret == EOK,
+ "sysdb_add_incomplete_group error [%d][%s]",
+ ret, strerror(ret));
+
+ /* Adding a group with the same GID and all the other characteristics uknown should fail */
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
+ 20000, NULL, NULL, NULL, true, 0);
+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
+
+ /* A different SID should also trigger a failure */
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
+ 20000, NULL,
+ "S-1-5-21-123-456-789-222",
+ NULL, true, 0);
+ fail_unless(ret == EEXIST, "Did not caught a duplicate\n");
+
+ /* But if we know based on a SID that the group is in fact the same,
+ * let's just change its name
+ */
+ ret = sysdb_add_incomplete_group(test_ctx->domain, "incomplete_group_new",
+ 20000, NULL,
+ "S-1-5-21-123-456-789-111",
+ NULL, true, 0);
+ fail_unless(ret == ERR_GID_DUPLICATED,
+ "Did not catch a legitimate rename",
+ ret, strerror(ret));
+}
+END_TEST
+
+START_TEST (test_sysdb_getpwnam)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_result
*res;
+ uid_t uid;
+ int ret;
+ const char *username;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ res = test_getpwnam(data);
+ fail_if(res->count != 1,
+ "Invalid number of replies. Expected 1, got %d", res->count);
+
+ /* Check the user was found with the expected FQDN and UID */
+ uid = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_UIDNUM, 0);
+ fail_unless(uid == _i, "Did not find the expected UID");
+ username = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ ck_assert_str_eq(username, data->username);
+
+ /* Search for the user with the wrong case */
+ data->username = test_asprintf_fqname(data, test_ctx->domain,
+ "TESTUSER%d", _i);
+ fail_if(data->username == NULL, "OOM");
+ fail_if(ret != EOK);
+
+ res = test_getpwnam(data);
+ fail_if(res->count != 0,
+ "Invalid number of replies. Expected 0, got %d", res->count);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_user_group_by_name)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_message *msg;
+ int ret;
+ const char *groupname;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ /* setup_sysdb_tests creates local provider and we need to handle
+ * ldap provider differently with auto_private_groups.
+ */
+ test_ctx->domain->provider = discard_const_p(char, "ldap");
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = sysdb_search_group_by_name(data,
+ data->ctx->domain,
+ data->username, /* we're searching for the private group */
+ NULL,
+ &msg);
+ fail_if(ret != EOK);
+ fail_if(msg == NULL);
+
+ groupname = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ ck_assert_str_eq(groupname, data->username);
+}
+END_TEST
+
+START_TEST(test_user_group_by_name_local)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_message *msg;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = sysdb_search_group_by_name(data,
+ data->ctx->domain,
+ data->username, /* we're searching for the private group */
+ NULL,
+ &msg);
+ fail_if(ret != ENOENT);
+}
+END_TEST
+
+START_TEST (test_sysdb_getgrnam)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_result *res;
+ const char *groupname;
+ gid_t gid;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ res = test_getgrnam(data);
+ fail_if(res->count != 1,
+ "Invalid number of replies.
Expected 1, got %d", res->count);
+
+ gid = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_GIDNUM, 0);
+ fail_unless(gid == _i,
+ "Did not find the expected GID (found %d expected %d)",
+ gid, _i);
+ groupname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ ck_assert_str_eq(groupname, data->groupname);
+
+ /* Search for the group with the wrong case */
+ data->groupname = test_asprintf_fqname(data, test_ctx->domain,
+ "TESTGROUP%d", _i);
+ fail_if(data->groupname == NULL, "OOM");
+ fail_if(ret != EOK);
+
+ res = test_getgrnam(data);
+ fail_if(res->count != 0,
+ "Invalid number of replies. Expected 1, got %d", res->count);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_getgrgid)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_result *res;
+ const char *fqname;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL, "OOM");
+
+ ret = sysdb_getgrgid(test_ctx,
+ test_ctx->domain,
+ data->gid, &res);
+ if (ret) {
+ fail("sysdb_getgrgid failed for gid %d (%d: %s)",
+ data->gid, ret, strerror(ret));
+ goto done;
+ }
+
+ fqname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, 0);
+ fail_unless(fqname != NULL, "No group name?\n");
+
+ fail_unless(strcmp(fqname, data->groupname) == 0,
+ "Did not find the expected groupname (found %s expected %s)",
+ fqname, data->groupname);
+done:
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_getgrgid_attrs)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_result *res;
+ int ret;
+ const char *attrs[] = { SYSDB_CREATE_TIME, NULL };
+ uint64_t ctime;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL, "OOM");
+
+ ret =
sysdb_getgrgid_attrs(test_ctx,
+ test_ctx->domain,
+ data->gid, attrs, &res);
+ if (ret) {
+ fail("sysdb_getgrgid_attrs failed for gid %d (%d: %s)",
+ data->gid, ret, strerror(ret));
+ goto done;
+ }
+
+ ctime = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_CREATE_TIME, 0);
+ fail_unless(ctime != 0, "Missing create time");
+
+done:
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_search_groups)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ const char *attrs[] = { SYSDB_NAME, NULL };
+ char *filter;
+ size_t count;
+ struct ldb_message **msgs;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ filter = talloc_asprintf(test_ctx, "("SYSDB_GIDNUM"=%d)", _i);
+ fail_if(filter == NULL, "OOM");
+
+ ret = sysdb_search_groups(test_ctx, test_ctx->domain,
+ filter, attrs, &count, &msgs);
+ talloc_free(filter);
+ fail_if(ret != EOK, "Search failed: %d", ret);
+ fail_if(count != 1, "Did not find the expected group\n");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_getpwuid)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ struct ldb_result *res;
+ const char *fqname;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = sysdb_getpwuid(test_ctx,
+ test_ctx->domain,
+ _i, &res);
+ if (ret) {
+ fail("sysdb_getpwuid failed for uid %d (%d: %s)",
+ _i, ret, strerror(ret));
+ goto done;
+ }
+
+ fail_unless(res->count == 1, "Expected 1 user entry, found %d\n",
+ res->count);
+
+ fqname = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, 0);
+ fail_unless(fqname != NULL, "No name?\n");
+
+ fail_unless(strcmp(fqname, data->username) == 0,
+ "Did not find the expected username (found %s expected %s)",
+ fqname, data->username);
+done:
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_enumgrent)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct ldb_result *res;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_enumgrent(test_ctx,
+ test_ctx->domain,
+ &res);
+ fail_unless(ret == EOK,
+ "sysdb_enumgrent failed (%d: %s)",
+ ret, strerror(ret));
+
+ /* 10 groups + 10 users (we're MPG) */
+ fail_if(res->count != 20, "Expected 20 users, got %d", res->count);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_enumpwent)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct ldb_result *res;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_enumpwent(test_ctx,
+ test_ctx->domain,
+ &res);
+ fail_unless(ret == EOK,
+ "sysdb_enumpwent failed (%d: %s)",
+ ret, strerror(ret));
+
+ fail_if(res->count != 10, "Expected 10 users, got %d", res->count);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+
+START_TEST (test_sysdb_set_user_attr)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ data->attrs = sysdb_new_attrs(test_ctx);
+ if (ret != EOK) {
+ fail("Could not create the changeset");
+ return;
+ }
+
+ ret = sysdb_attrs_add_string(data->attrs,
+ SYSDB_SHELL,
+ "/bin/ksh");
+ if (ret != EOK) {
+ fail("Could not create the changeset");
+ return;
+ }
+
+ ret = test_set_user_attr(data);
+
+ fail_if(ret != EOK, "Could not modify user %s", data->username);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_search_users)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ const char *attrs[] = { SYSDB_NAME, NULL };
+ char *filter;
+ size_t count;
+ struct ldb_message **msgs;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret
!= EOK, "Could not set up the test");
+
+ filter = talloc_asprintf(test_ctx,
+ "(&("SYSDB_UIDNUM"=%d)("SYSDB_SHELL"=/bin/ksh))",
+ _i);
+ fail_if(filter == NULL, "OOM");
+
+ ret = sysdb_search_users(test_ctx, test_ctx->domain,
+ filter, attrs, &count, &msgs);
+ talloc_free(filter);
+ fail_if(ret != EOK, "Search failed: %d", ret);
+ fail_if(count != 1, "Did not find the expected user\n");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_attrs)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ char *rmattrs[2];
+ struct ldb_result *res;
+ const char *shell;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL, "OOM");
+
+ ret = sysdb_getpwnam(test_ctx,
+ test_ctx->domain,
+ data->username, &res);
+ fail_if(ret != EOK, "sysdb_getpwnam failed for fqname %s (%d: %s)",
+ data->username, ret, strerror(ret));
+ shell = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, NULL);
+ fail_unless(shell != NULL, "Did not find user shell before removal");
+
+ rmattrs[0] = discard_const(SYSDB_SHELL);
+ rmattrs[1] = NULL;
+
+ ret = sysdb_remove_attrs(test_ctx->domain, data->username,
+ SYSDB_MEMBER_USER, rmattrs);
+ fail_if(ret != EOK, "Removing attributes failed: %d", ret);
+
+ ret = sysdb_getpwnam(test_ctx,
+ test_ctx->domain,
+ data->username, &res);
+ fail_if(ret != EOK, "sysdb_getpwnam failed for fqname %s (%d: %s)",
+ data->username, ret, strerror(ret));
+ shell = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, NULL);
+ fail_unless(shell == NULL, "Found user shell after removal");
+}
+END_TEST
+
+START_TEST (test_sysdb_get_user_attr)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ const char *attrs[] = { SYSDB_SHELL, NULL };
+ struct ldb_result *res;
+ const char *attrval;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, attrs,
+ &res);
+ if (ret) {
+ fail("Could not get attributes for user %s", data->username);
+ goto done;
+ }
+
+ fail_if(res->count != 1,
+ "Invalid number of entries, expected 1, got %d", res->count);
+
+ attrval = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, 0);
+ fail_if(strcmp(attrval, "/bin/ksh"),
+ "Got bad attribute value for user %s", data->username);
+done:
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_get_user_attr_subdomain)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct sss_domain_info *subdomain = NULL;
+ const char *attrs[] = { SYSDB_SHELL, NULL };
+ struct ldb_result *res;
+ const char *attrval;
+ const char *username = "test_sysdb_get_user_attr_subdomain";
+ const char *fq_name;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ /* Create subdomain */
+ subdomain = new_subdomain(test_ctx, test_ctx->domain,
+ "test.sub", "TEST.SUB", "test", "S-3",
+ false, false, NULL, NULL, 0, NULL);
+ fail_if(subdomain == NULL, "Failed to create new subdomain.");
+
+ ret = sss_names_init_from_args(test_ctx,
+ "(((?P[^\\\\]+)\\\\(?P.+$))|" \
+ "((?P[^@]+)@(?P.+$))|" \
+ "(^(?P[^@\\\\]+)$))",
+ "%1$s@%2$s", &subdomain->names);
+ fail_if(ret != EOK, "Failed to init names.");
+
+ /* Create user */
+ fq_name = sss_create_internal_fqname(test_ctx, username, subdomain->name);
+ fail_if(fq_name == NULL, "Failed to create fq name.");
+
+ ret = sysdb_store_user(subdomain, fq_name, NULL, 12345, 0, "Gecos",
+ "/home/userhome", "/bin/bash", NULL, NULL, NULL,
+ -1, 0);
+ fail_if(ret != EOK, "sysdb_store_user failed.");
+
+ /* Test */
+ ret = sysdb_get_user_attr(test_ctx, subdomain, fq_name,
+ attrs, &res);
+ fail_if(ret != EOK, "Could not get user attributes.");
+ fail_if(res->count != 1, "Invalid number of entries, expected 1,
got %d",
+ res->count);
+
+ attrval = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, 0);
+ fail_if(strcmp(attrval, "/bin/bash") != 0, "Got bad attribute value.");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_nonposix_user)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *get_attrs[] = { SYSDB_GIDNUM,
+ SYSDB_UIDNUM,
+ SYSDB_POSIX,
+ NULL };
+ struct ldb_result *res;
+ const char *attrval;
+ const char *username = "test_sysdb_add_nonposix_user";
+ const char *fq_name;
+ struct sysdb_attrs *user_attrs;
+ int ret;
+ uint64_t id;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ /* Create user */
+ fq_name = sss_create_internal_fqname(test_ctx, username, test_ctx->domain->name);
+ fail_if(fq_name == NULL, "Failed to create fq name.");
+
+ user_attrs = sysdb_new_attrs(test_ctx);
+ fail_if(user_attrs == NULL);
+
+ ret = sysdb_attrs_add_bool(user_attrs, SYSDB_POSIX, false);
+ fail_if(ret != EOK, "Could not add attribute");
+
+ ret = sysdb_add_user(test_ctx->domain, fq_name, 0, 0, "Gecos",
+ "/home/userhome", "/bin/bash", NULL, user_attrs, 0, 0);
+ fail_if(ret != EOK, "sysdb_add_user failed.");
+
+ /* Test */
+ ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, fq_name,
+ get_attrs, &res);
+ fail_if(ret != EOK, "Could not get user attributes.");
+ fail_if(res->count != 1, "Invalid number of entries, expected 1, got %d",
+ res->count);
+
+ attrval = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_POSIX, NULL);
+ fail_if(strcasecmp(attrval, "false") != 0, "Got bad attribute value.");
+
+ id = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 123);
+ fail_unless(id == 0, "Wrong UID value");
+
+ id = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 123);
+ fail_unless(id == 0, "Wrong GID value");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+static void add_nonposix_incomplete_group(struct sysdb_test_ctx *test_ctx,
+ const char *groupname)
+{
+ const char *get_attrs[] =
{ SYSDB_GIDNUM,
+ SYSDB_POSIX,
+ NULL };
+ struct ldb_message *msg;
+ const char *attrval;
+ const char *fq_name;
+ int ret;
+ uint64_t id;
+
+ /* Create group */
+ fq_name = sss_create_internal_fqname(test_ctx, groupname, test_ctx->domain->name);
+ fail_if(fq_name == NULL, "Failed to create fq name.");
+
+ ret = sysdb_add_incomplete_group(test_ctx->domain, fq_name, 0,
+ NULL, NULL, NULL, false, 0);
+ fail_if(ret != EOK, "sysdb_add_group failed.");
+
+ /* Test */
+ ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, fq_name, get_attrs, &msg);
+ fail_if(ret != EOK, "sysdb_search_group_by_name failed.");
+
+ attrval = ldb_msg_find_attr_as_string(msg, SYSDB_POSIX, NULL);
+ fail_if(strcasecmp(attrval, "false") != 0, "Got bad attribute value.");
+
+ id = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 123);
+ fail_unless(id == 0, "Wrong GID value");
+}
+
+START_TEST (test_sysdb_add_nonposix_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ add_nonposix_incomplete_group(test_ctx, "nonposix1");
+ add_nonposix_incomplete_group(test_ctx, "nonposix2");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_group_member)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ data->uid = _i - 1000; /* the UID of user to add */
+ data->username = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", data->uid);
+ fail_if(data->username == NULL);
+
+ ret = test_add_group_member(data);
+
+ fail_if(ret != EOK, "Could not modify group %s", data->groupname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_initgroups)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ struct
ldb_result *res;
+ struct ldb_message *user;
+ struct ldb_message *group;
+ gid_t gid;
+ uid_t uid;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i);
+ fail_if(data == NULL, "OOM\n");
+
+ ret = sysdb_initgroups(test_ctx,
+ test_ctx->domain,
+ data->username,
+ &res);
+ fail_if(ret != EOK, "sysdb_initgroups failed\n");
+
+ /* result should contain 2 messages - user and his group */
+ fail_if(res->count != 2, "expected 2 groups, got %d\n", res->count);
+
+ /* check if it's the expected user and expected group */
+ user = res->msgs[0];
+ group = res->msgs[1];
+
+ uid = ldb_msg_find_attr_as_uint(user, SYSDB_UIDNUM, 0);
+ fail_unless(uid == _i,
+ "Did not find the expected UID (found %d expected %d)",
+ uid, _i);
+
+ fail_unless(strcmp(ldb_msg_find_attr_as_string(user, SYSDB_NAME, NULL),
+ data->username) == 0,
+ "Wrong username\n");
+
+ gid = ldb_msg_find_attr_as_uint(group, SYSDB_GIDNUM, 0);
+ fail_unless(gid == _i + 1000,
+ "Did not find the expected GID (found %d expected %d)",
+ gid, _i);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_group_member)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ data->uid = _i - 1000; /* the UID of user to remove */
+ data->username = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", data->uid);
+ fail_if(data->username == NULL);
+
+ ret = test_remove_group_member(data);
+ fail_if(ret != EOK, "Remove group member failed: %d", ret);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_nonexistent_user)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if
(ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_if(data == NULL);
+ data->uid = 12345;
+
+ ret = test_remove_user_by_uid(data);
+
+ fail_if(ret != ENOENT, "Unexpected return code %d, expected ENOENT", ret);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_remove_nonexistent_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_if(data == NULL);
+ data->gid = 12345;
+
+ ret = test_remove_group_by_gid(data);
+
+ fail_if(ret != ENOENT, "Unexpected return code %d, expected ENOENT", ret);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_get_new_id)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ uint32_t id;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Cannot setup sysdb tests\n");
+
+ ret = sysdb_get_new_id(test_ctx->domain, &id);
+ fail_if(ret != EOK, "Cannot get new ID\n");
+ fail_if(id != test_ctx->domain->id_min);
+}
+END_TEST
+
+START_TEST (test_sysdb_store_custom)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_if(data == NULL);
+
+ data->uid = _i;
+ data->attrs = sysdb_new_attrs(test_ctx);
+ if (ret != EOK) {
+ fail("Could not create attribute list");
+ return;
+ }
+
+ ret = sysdb_attrs_add_string(data->attrs,
+ TEST_ATTR_NAME,
+ TEST_ATTR_VALUE);
+ if (ret != EOK) {
+ fail("Could not add attribute");
+ return;
+ }
+
+ ret = test_store_custom(data);
+
+ fail_if(ret != EOK, "Could not add custom object");
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_search_custom_by_name)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
int ret; + char *object_name; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + + data->attrlist = talloc_array(test_ctx, const char *, 2); + fail_unless(data->attrlist != NULL, "talloc_array failed"); + data->attrlist[0] = TEST_ATTR_NAME; + data->attrlist[1] = NULL; + + object_name = talloc_asprintf(data, "%s_%d", CUSTOM_TEST_OBJECT, 29010); + fail_unless(object_name != NULL, "talloc_asprintf failed"); + + ret = sysdb_search_custom_by_name(data, + data->ctx->domain, + object_name, + CUSTOM_TEST_CONTAINER, + data->attrlist, + &data->msgs_count, + &data->msgs); + + fail_if(ret != EOK, "Could not search custom object"); + + fail_unless(data->msgs_count == 1, + "Wrong number of objects, expected [1] got [%d]", + data->msgs_count); + fail_unless(data->msgs[0]->num_elements == 1, + "Wrong number of results, expected [1] got [%d]", + data->msgs[0]->num_elements); + fail_unless(strcmp(data->msgs[0]->elements[0].name, TEST_ATTR_NAME) == 0, + "Wrong attribute name"); + fail_unless(data->msgs[0]->elements[0].num_values == 1, + "Wrong number of attribute values"); + fail_unless(strncmp((const char *)data->msgs[0]->elements[0].values[0].data, + TEST_ATTR_VALUE, + data->msgs[0]->elements[0].values[0].length) == 0, + "Wrong attribute value"); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_update_custom) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + + data->uid = 29010; + data->attrs = sysdb_new_attrs(test_ctx); + if (ret != EOK) { + fail("Could not create attribute list"); + return; + } + + ret = sysdb_attrs_add_string(data->attrs, + TEST_ATTR_NAME, + TEST_ATTR_UPDATE_VALUE); + if (ret != EOK) { + fail("Could 
not add attribute"); + return; + } + + ret = sysdb_attrs_add_string(data->attrs, + TEST_ATTR_ADD_NAME, + TEST_ATTR_ADD_VALUE); + if (ret != EOK) { + fail("Could not add attribute"); + return; + } + + ret = test_store_custom(data); + + fail_if(ret != EOK, "Could not add custom object"); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_search_custom_update) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + char *object_name; + struct ldb_message_element *el; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + + data->attrlist = talloc_array(test_ctx, const char *, 3); + fail_unless(data->attrlist != NULL, "talloc_array failed"); + data->attrlist[0] = TEST_ATTR_NAME; + data->attrlist[1] = TEST_ATTR_ADD_NAME; + data->attrlist[2] = NULL; + + object_name = talloc_asprintf(data, "%s_%d", CUSTOM_TEST_OBJECT, 29010); + fail_unless(object_name != NULL, "talloc_asprintf failed"); + + ret = sysdb_search_custom_by_name(data, + data->ctx->domain, + object_name, + CUSTOM_TEST_CONTAINER, + data->attrlist, + &data->msgs_count, + &data->msgs); + + fail_if(ret != EOK, "Could not search custom object"); + + fail_unless(data->msgs_count == 1, + "Wrong number of objects, expected [1] got [%d]", + data->msgs_count); + fail_unless(data->msgs[0]->num_elements == 2, + "Wrong number of results, expected [2] got [%d]", + data->msgs[0]->num_elements); + + el = ldb_msg_find_element(data->msgs[0], TEST_ATTR_NAME); + fail_unless(el != NULL, "Attribute [%s] not found", TEST_ATTR_NAME); + fail_unless(el->num_values == 1, "Wrong number ([%d] instead of 1) " + "of attribute values for [%s]", el->num_values, + TEST_ATTR_NAME); + fail_unless(strncmp((const char *) el->values[0].data, + TEST_ATTR_UPDATE_VALUE, + el->values[0].length) == 0, + "Wrong attribute value"); + + el = ldb_msg_find_element(data->msgs[0], 
TEST_ATTR_ADD_NAME); + fail_unless(el != NULL, "Attribute [%s] not found", TEST_ATTR_ADD_NAME); + fail_unless(el->num_values == 1, "Wrong number ([%d] instead of 1) " + "of attribute values for [%s]", el->num_values, + TEST_ATTR_ADD_NAME); + fail_unless(strncmp((const char *) el->values[0].data, + TEST_ATTR_ADD_VALUE, + el->values[0].length) == 0, + "Wrong attribute value"); + + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_search_custom) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + const char *filter = "(distinguishedName=*)"; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + + data->attrlist = talloc_array(test_ctx, const char *, 3); + fail_unless(data->attrlist != NULL, "talloc_array failed"); + data->attrlist[0] = TEST_ATTR_NAME; + data->attrlist[1] = TEST_ATTR_ADD_NAME; + data->attrlist[2] = NULL; + + ret = sysdb_search_custom(data, data->ctx->domain, filter, + CUSTOM_TEST_CONTAINER, + data->attrlist, + &data->msgs_count, + &data->msgs); + + fail_if(ret != EOK, "Could not search custom object"); + + fail_unless(data->msgs_count == 10, + "Wrong number of objects, expected [10] got [%d]", + data->msgs_count); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_delete_custom) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + + ret = test_delete_custom(data); + + fail_if(ret != EOK, "Could not delete custom object"); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_cache_password) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_unless(ret == EOK, "Could 
not set up the test"); + + data = test_data_new_user(test_ctx, _i); + fail_if(data == NULL, "OOM\n"); + + ret = sysdb_cache_password(test_ctx->domain, + data->username, + data->username); + fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_cache_password_ex) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + struct ldb_result *res; + const char *attrs[] = { SYSDB_CACHEDPWD_TYPE, SYSDB_CACHEDPWD_FA2_LEN, + NULL }; + int val; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_unless(ret == EOK, "Could not set up the test"); + + data = test_data_new_user(test_ctx, _i); + fail_if(data == NULL, "OOM\n"); + + ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, + attrs, &res); + fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret); + + val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0); + fail_unless(val == SSS_AUTHTOK_TYPE_PASSWORD, + "Unexpected authtok type, found [%d], expected [%d].", + val, SSS_AUTHTOK_TYPE_PASSWORD); + + ret = sysdb_cache_password_ex(test_ctx->domain, data->username, + data->username, SSS_AUTHTOK_TYPE_2FA, 12); + + fail_unless(ret == EOK, "sysdb_cache_password request failed [%d].", ret); + + ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, data->username, + attrs, &res); + fail_unless(ret == EOK, "sysdb_get_user_attr request failed [%d].", ret); + + val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_TYPE, 0); + fail_unless(val == SSS_AUTHTOK_TYPE_2FA, + "Unexpected authtok type, found [%d], expected [%d].", + val, SSS_AUTHTOK_TYPE_2FA); + + val = ldb_msg_find_attr_as_int(res->msgs[0], SYSDB_CACHEDPWD_FA2_LEN, 0); + fail_unless(val == 12, + "Unexpected second factor length, found [%d], expected [%d].", + val, 12); + + talloc_free(test_ctx); +} +END_TEST + +static void cached_authentication_without_expiration(uid_t uid, + const char *password, + int 
expected_result) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + time_t expire_date = -1; + time_t delayed_until = -1; + const char *val[2]; + val[1] = NULL; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_unless(ret == EOK, "Could not set up the test"); + + data = test_data_new_user(test_ctx, uid); + fail_if(data == NULL); + + val[0] = "0"; + ret = confdb_add_param(test_ctx->confdb, true, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_CRED_TIMEOUT, val); + if (ret != EOK) { + fail("Could not initialize provider"); + talloc_free(test_ctx); + return; + } + + ret = sysdb_cache_auth(test_ctx->domain, data->username, + password ? password : data->username, + test_ctx->confdb, false, + &expire_date, &delayed_until); + + fail_unless(ret == expected_result, "sysdb_cache_auth request does not " + "return expected result [%d].", + expected_result); + + fail_unless(expire_date == 0, "Wrong expire date, expected [%d], got [%d]", + 0, expire_date); + + fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%d]", + -1, delayed_until); + + talloc_free(test_ctx); +} + +static void cached_authentication_with_expiration(uid_t uid, + const char *password, + int expected_result) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + time_t expire_date = -1; + const char *val[2]; + val[1] = NULL; + time_t now; + time_t expected_expire_date; + time_t delayed_until = -1; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_unless(ret == EOK, "Could not set up the test"); + + data = test_data_new_user(test_ctx, uid); + fail_if(data == NULL); + + val[0] = "1"; + ret = confdb_add_param(test_ctx->confdb, true, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_CRED_TIMEOUT, val); + if (ret != EOK) { + fail("Could not initialize provider"); + talloc_free(test_ctx); + return; + } + + now = time(NULL); + expected_expire_date = now + (24 * 60 * 60); + DEBUG(SSSDBG_TRACE_ALL, + "Setting SYSDB_LAST_ONLINE_AUTH to [%lld].\n", (long long) 
now); + + data->attrs = sysdb_new_attrs(data); + ret = sysdb_attrs_add_time_t(data->attrs, SYSDB_LAST_ONLINE_AUTH, now); + fail_unless(ret == EOK, "Could not add attribute "SYSDB_LAST_ONLINE_AUTH + ": %s", sss_strerror(ret)); + + ret = sysdb_set_user_attr(data->ctx->domain, data->username, data->attrs, + SYSDB_MOD_REP); + fail_unless(ret == EOK, "Could not modify user %s", data->username); + + ret = sysdb_cache_auth(data->ctx->domain, data->username, + password ? password : data->username, + test_ctx->confdb, false, + &expire_date, &delayed_until); + + fail_unless(ret == expected_result, + "sysdb_cache_auth request does not return expected " + "result [%d], got [%d].", expected_result, ret); + + fail_unless(expire_date == expected_expire_date, + "Wrong expire date, expected [%d], got [%d]", + expected_expire_date, expire_date); + + fail_unless(delayed_until == -1, "Wrong delay, expected [%d], got [%d]", + -1, delayed_until); + + talloc_free(test_ctx); +} + +START_TEST (test_sysdb_cached_authentication_missing_password) +{ + cached_authentication_without_expiration(_i, "abc", ERR_NO_CACHED_CREDS); + cached_authentication_with_expiration(_i, "abc", ERR_NO_CACHED_CREDS); +} +END_TEST + +START_TEST (test_sysdb_cached_authentication_wrong_password) +{ + cached_authentication_without_expiration(_i, "abc", ERR_AUTH_FAILED); + cached_authentication_with_expiration(_i, "abc", ERR_AUTH_FAILED); +} +END_TEST + +START_TEST (test_sysdb_cached_authentication) +{ + cached_authentication_without_expiration(_i, NULL, EOK); + cached_authentication_with_expiration(_i, NULL, EOK); +} +END_TEST + +START_TEST (test_sysdb_prepare_asq_test_user) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, _i); + fail_if(data == NULL); + + data->uid = ASQ_TEST_USER_UID; + data->username = 
test_asprintf_fqname(data, test_ctx->domain, + "testuser%u", data->uid); + fail_if(data->username == NULL); + + ret = test_add_group_member(data); + + fail_if(ret != EOK, "Could not modify group %s", data->groupname); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_asq_search) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + struct ldb_dn *user_dn; + int ret; + size_t msgs_count; + struct ldb_message **msgs; + int i; + char *gid_str; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_user(test_ctx, ASQ_TEST_USER_UID); + fail_if(data == NULL); + + data->attrlist = talloc_array(data, const char *, 2); + fail_unless(data->attrlist != NULL, "talloc_array failed"); + data->attrlist[0] = "gidNumber"; + data->attrlist[1] = NULL; + + user_dn = sysdb_user_dn(data, data->ctx->domain, data->username); + fail_unless(user_dn != NULL, "sysdb_user_dn failed"); + + ret = sysdb_asq_search(data, test_ctx->domain, + user_dn, NULL, "memberof", + data->attrlist, &msgs_count, &msgs); + + fail_if(ret != EOK, "Failed to send ASQ search request.\n"); + + fail_unless(msgs_count == 10, "wrong number of results, " + "found [%d] expected [10]", msgs_count); + + for (i = 0; i < msgs_count; i++) { + fail_unless(msgs[i]->num_elements == 1, "wrong number of elements, " + "found [%d] expected [1]", + msgs[i]->num_elements); + + fail_unless(msgs[i]->elements[0].num_values == 1, + "wrong number of values, found [%d] expected [1]", + msgs[i]->elements[0].num_values); + + gid_str = talloc_asprintf(data, "%d", 28010 + i); + fail_unless(gid_str != NULL, "talloc_asprintf failed."); + fail_unless(strncmp(gid_str, + (const char *) msgs[i]->elements[0].values[0].data, + msgs[i]->elements[0].values[0].length) == 0, + "wrong value, found [%.*s] expected [%s]", + msgs[i]->elements[0].values[0].length, + msgs[i]->elements[0].values[0].data, gid_str); + } + + talloc_free(test_ctx); 
+}
+END_TEST
+
+START_TEST (test_sysdb_search_all_users)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ int i;
+ int j;
+ char *uid_str = NULL;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_unless(data != NULL);
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed");
+ data->attrlist[0] = "uidNumber";
+ data->attrlist[1] = NULL;
+
+ ret = test_search_all_users(data);
+
+ fail_if(ret != EOK, "Search failed");
+
+ fail_unless(data->msgs_count == 10,
+ "wrong number of results, found [%d] expected [10]",
+ data->msgs_count);
+
+ for (i = 0; i < data->msgs_count; i++) {
+ fail_unless(data->msgs[i]->num_elements == 1,
+ "wrong number of elements, found [%d] expected [1]",
+ data->msgs[i]->num_elements);
+
+ fail_unless(data->msgs[i]->elements[0].num_values == 1,
+ "wrong number of values, found [%d] expected [1]",
+ data->msgs[i]->elements[0].num_values);
+
+ for (j = 0; j < data->msgs_count; j++) {
+ uid_str = talloc_asprintf(data, "%d", 27010 + j);
+ fail_unless(uid_str != NULL, "talloc_asprintf failed.");
+ if (strncmp(uid_str,
+ (char *) data->msgs[i]->elements[0].values[0].data,
+ data->msgs[i]->elements[0].values[0].length) == 0) {
+ break;
+ }
+ }
+ fail_unless(strncmp(uid_str,
+ (char *) data->msgs[i]->elements[0].values[0].data,
+ data->msgs[i]->elements[0].values[0].length) == 0,
+ "wrong value, found [%.*s] expected [%s]",
+ data->msgs[i]->elements[0].values[0].length,
+ data->msgs[i]->elements[0].values[0].data, uid_str);
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_delete_recursive)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_unless(data != NULL);
+
+ ret = test_delete_recursive(data);
+
+ fail_if(ret != EOK, "Recursive delete failed");
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_attrs_replace_name)
+{
+ struct sysdb_attrs *attrs;
+ struct ldb_message_element *el;
+ int ret;
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_string(attrs, "foo", "bar");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed");
+
+ ret = sysdb_attrs_add_string(attrs, "fool", "bool");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed");
+
+ ret = sysdb_attrs_add_string(attrs, "foot", "boot");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed");
+
+ ret = sysdb_attrs_replace_name(attrs, "foo", "foot");
+ fail_unless(ret == EEXIST,
+ "sysdb_attrs_replace overwrites existing attribute");
+
+ ret = sysdb_attrs_replace_name(attrs, "foo", "oof");
+ fail_unless(ret == EOK, "sysdb_attrs_replace failed");
+
+ ret = sysdb_attrs_get_el(attrs, "foo", &el);
+ fail_unless(ret == EOK, "sysdb_attrs_get_el failed");
+ fail_unless(el->num_values == 0, "Attribute foo is not empty.");
+
+ ret = sysdb_attrs_get_el(attrs, "oof", &el);
+ fail_unless(ret == EOK, "sysdb_attrs_get_el failed");
+ fail_unless(el->num_values == 1,
+ "Wrong number of values for attribute oof, "
+ "expected [1] got [%d].", el->num_values);
+ fail_unless(strncmp("bar", (char *) el->values[0].data,
+ el->values[0].length) == 0,
+ "Wrong value, expected [bar] got [%.*s]", el->values[0].length,
+ el->values[0].data);
+
+ talloc_free(attrs);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_store_group)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i);
+ fail_if(data == NULL);
+
+ if (_i == 0) {
+ data->attrlist = NULL;
+ } else {
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain,
+ "testgroup%d", data->gid - 1);
+ data->attrlist[1] = NULL;
+ fail_if(data->attrlist[0] == NULL);
+ }
+
+ ret = test_memberof_store_group(data);
+
+ fail_if(ret != EOK, "Could not store POSIX group #%d", data->gid);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_store_group_with_ghosts)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ if (_i == 0 || _i == MBO_GROUP_BASE) {
+ data->attrlist = NULL;
+ } else {
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain,
+ "testgroup%d", data->gid - 1);
+ data->attrlist[1] = NULL;
+ fail_if(data->attrlist[0] == NULL);
+ }
+
+ data->ghostlist = talloc_array(data, char *, 2);
+ fail_unless(data->ghostlist != NULL, "talloc_array failed.");
+ data->ghostlist[0] = test_asprintf_fqname(data, data->ctx->domain,
+ "testuser%d", data->gid);
+ data->ghostlist[1] = NULL;
+ fail_if(data->ghostlist[0] == NULL);
+
+ ret = test_memberof_store_group_with_ghosts(data);
+
+ fail_if(ret != EOK, "Could not store POSIX group #%d", data->gid);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_store_group_with_double_ghosts)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ if (_i == 0) {
+ data->attrlist = NULL;
+ } else {
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = test_asprintf_fqname(data, data->ctx->domain,
+ "testgroup%d", data->gid - 1);
+ data->attrlist[1] = NULL;
+ }
+
+ data->ghostlist = talloc_array(data, char *, 3);
+ fail_unless(data->ghostlist != NULL, "talloc_array failed.");
+ data->ghostlist[0] = test_asprintf_fqname(data, data->ctx->domain,
+ "testusera%d", data->gid);
+ data->ghostlist[1] = test_asprintf_fqname(data, data->ctx->domain,
+ "testuserb%d", data->gid);
+ data->ghostlist[2] = NULL;
+
+ ret = test_memberof_store_group_with_ghosts(data);
+
+ fail_if(ret != EOK, "Could not store POSIX group #%d", data->gid);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_mod_add)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ char *ghostname;
+ int ret;
+ struct ldb_message_element *el;
+ struct ldb_val gv, *test_gv;
+ gid_t itergid;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ghostname = test_asprintf_fqname(data, test_ctx->domain,
+ "testghost%d", _i);
+ fail_unless(ghostname != NULL, "Out of memory\n");
+
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, ghostname);
+ fail_unless(ret == EOK, "Cannot add attr\n");
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ /* Before the add, the groups should not contain the ghost attribute */
+ for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) {
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname;
+ gv.length = strlen(ghostname);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ if (data->gid > MBO_GROUP_BASE) {
+ /* The first group would have the ghost attribute gone completely */
+ fail_if(el == NULL, "Cannot find ghost element\n");
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_unless(test_gv == NULL,
+ "Ghost user %s unexpectedly found\n", ghostname);
+ } else {
+ fail_unless(el == NULL, "Stray values in ghost element?\n");
+ }
+ }
+
+ /* Perform the add operation */
+ ret = sysdb_set_group_attr(test_ctx->domain,
+ data->groupname, data->attrs, SYSDB_MOD_ADD);
+ fail_unless(ret == EOK, "Cannot set group attrs\n");
+
+ /* Before the delete, all groups with gid >= _i have the testuser%_i
+ * as a member
+ */
+ for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) {
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname;
+ gv.length = strlen(ghostname);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname);
+ }
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_mod_replace)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ char *ghostname_del;
+ char *ghostname_add;
+ int ret;
+ struct ldb_message_element *el;
+ struct ldb_val gv, *test_gv;
+ gid_t itergid;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ /* The test replaces the testuser%i attribute with testghost%i */
+ ghostname_del = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", _i);
+ fail_unless(ghostname_del != NULL, "Out of memory\n");
+
+ ghostname_add = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", _i);
+ fail_unless(ghostname_add != NULL, "Out of memory\n");
+
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, ghostname_add);
+ fail_unless(ret == EOK, "Cannot add attr\n");
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ /* Before the replace, all groups with gid >= _i have the testuser%_i
+ * as a member
+ */
+ for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) {
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname_del;
+ gv.length = strlen(ghostname_del);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_del);
+ }
+
+ /* Perform the replace operation */
+ ret = sysdb_set_group_attr(test_ctx->domain,
+ data->groupname, data->attrs, SYSDB_MOD_REP);
+ fail_unless(ret == EOK, "Cannot set group attrs\n");
+
+ /* After the replace, all groups with gid >= _i have the testghost%_i
+ * as a member
+ */
+ for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) {
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname_add;
+ gv.length = strlen(ghostname_add);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_add);
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+ +START_TEST (test_sysdb_memberof_mod_replace_keep) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + char *ghostname_rep; + char *ghostname_del; + char *ghostname_check; + int ret; + struct ldb_message_element *el; + struct ldb_val gv, *test_gv; + gid_t itergid; + uid_t iteruid; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, MBO_GROUP_BASE + 10 - _i); + fail_if(data == NULL); + + /* The test replaces the attributes (testusera$gid, testuserb$gid) with + * just testusera$gid. The result should be not only testusera, but also + * all ghost users inherited from child groups + */ + ghostname_rep = test_asprintf_fqname(data, data->ctx->domain, + "testusera%d", data->gid); + fail_unless(ghostname_rep != NULL, "Out of memory\n"); + + ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, ghostname_rep); + fail_unless(ret == EOK, "Cannot add attr\n"); + + ghostname_del = test_asprintf_fqname(data, data->ctx->domain, + "testuserb%d", data->gid); + fail_unless(ghostname_del != NULL, "Out of memory\n"); + + data->attrlist = talloc_array(data, const char *, 2); + fail_unless(data->attrlist != NULL, "talloc_array failed."); + data->attrlist[0] = SYSDB_GHOST; + data->attrlist[1] = NULL; + + /* Before the replace, all groups with gid >= _i have both testuser a + * and testuserb as a member + */ + for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) { + ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid, + data->attrlist, &data->msg); + fail_if(ret != EOK, "Cannot retrieve group %llu\n", + (unsigned long long) data->gid); + + gv.data = (uint8_t *) ghostname_rep; + gv.length = strlen(ghostname_rep); + + el = ldb_msg_find_element(data->msg, SYSDB_GHOST); + fail_if(el == NULL, "Cannot find ghost element\n"); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, "Cannot find ghost user %s\n", 
ghostname_rep); + + gv.data = (uint8_t *) ghostname_del; + gv.length = strlen(ghostname_rep); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_del); + + /* inherited users must be there */ + for (iteruid = MBO_GROUP_BASE ; iteruid < itergid ; iteruid++) { + ghostname_check = test_asprintf_fqname(data, data->ctx->domain, + "testusera%d", iteruid); + fail_unless(ghostname_rep != NULL, "Out of memory\n"); + + gv.data = (uint8_t *) ghostname_check; + gv.length = strlen(ghostname_check); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, "Cannot find inherited ghost user %s\n", + ghostname_check); + + if (iteruid < data->gid) { + /* Also check the B user if it hasn't been deleted yet */ + ghostname_check = test_asprintf_fqname(data, data->ctx->domain, + "testuserb%d", iteruid); + gv.data = (uint8_t *) ghostname_check; + gv.length = strlen(ghostname_check); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, "Cannot find inherited ghost user %s\n", + ghostname_check); + } + talloc_zfree(ghostname_check); + } + } + + /* Perform the replace operation */ + ret = sysdb_set_group_attr(test_ctx->domain, + data->groupname, data->attrs, SYSDB_MOD_REP); + fail_unless(ret == EOK, "Cannot set group attrs\n"); + + /* After the replace, testusera should still be there, but we also need + * to keep ghost users inherited from other groups + */ + for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) { + ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid, + data->attrlist, &data->msg); + fail_if(ret != EOK, "Cannot retrieve group %llu\n", + (unsigned long long) data->gid); + + gv.data = (uint8_t *) ghostname_rep; + gv.length = strlen(ghostname_rep); + + /* testusera must still be there */ + el = ldb_msg_find_element(data->msg, SYSDB_GHOST); + fail_if(el == NULL, "Cannot find ghost element\n"); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, 
"Cannot find ghost user %s\n", ghostname_rep); + + /* testuserb must be gone */ + gv.data = (uint8_t *) ghostname_del; + gv.length = strlen(ghostname_rep); + + test_gv = ldb_msg_find_val(el, &gv); + fail_unless(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_del); + + /* inherited users must still be there */ + for (iteruid = MBO_GROUP_BASE ; iteruid < itergid ; iteruid++) { + ghostname_check = test_asprintf_fqname(data, data->ctx->domain, + "testusera%d", iteruid); + gv.data = (uint8_t *) ghostname_check; + gv.length = strlen(ghostname_check); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, "Cannot find inherited ghost user %s\n", + ghostname_check); + + if (iteruid < data->gid) { + /* Also check the B user if it hasn't been deleted yet */ + ghostname_check = test_asprintf_fqname(data, data->ctx->domain, + "testuserb%d", iteruid); + gv.data = (uint8_t *) ghostname_check; + gv.length = strlen(ghostname_check); + + test_gv = ldb_msg_find_val(el, &gv); + fail_if(test_gv == NULL, "Cannot find inherited ghost user %s\n", + ghostname_check); + } + talloc_zfree(ghostname_check); + } + } + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_memberof_close_loop) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, MBO_GROUP_BASE); + fail_if(data == NULL, "OOM"); + + data->attrlist = talloc_array(data, const char *, 2); + fail_unless(data->attrlist != NULL, "talloc_array failed."); + data->attrlist[0] = test_asprintf_fqname(data, test_ctx->domain, + "testgroup%d", data->gid + 9); + fail_unless(data->attrlist[0] != NULL, "talloc_array failed."); + data->attrlist[1] = NULL; + + ret = test_memberof_store_group(data); + + fail_if(ret != EOK, "Could not store POSIX group #%d", data->gid); + talloc_free(test_ctx); +} +END_TEST + +START_TEST 
(test_sysdb_memberof_store_user) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_user(test_ctx, MBO_USER_BASE + _i); + fail_if(data == NULL); + + ret = test_store_user(data); + fail_if(ret != EOK, "Could not store user %s", data->username); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_memberof_add_group_member) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); + fail_if(data == NULL); + + data->uid = MBO_USER_BASE + _i; + data->username = test_asprintf_fqname(data, test_ctx->domain, + "testuser%d", data->uid); + fail_if(data->username == NULL); + + ret = test_add_group_member(data); + fail_if(ret != EOK, "Could not modify group %s", data->groupname); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_memberof_check_memberuid_without_group_5) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); + fail_if(data == NULL); + + data->attrlist = talloc_array(data, const char *, 2); + fail_unless(data->attrlist != NULL, "tallo_array failed."); + data->attrlist[0] = "memberuid"; + data->attrlist[1] = NULL; + + ret = sysdb_search_group_by_gid(data, test_ctx->domain, + data->gid, data->attrlist, + &data->msg); + if (_i == 5) { + fail_unless(ret == ENOENT, + "sysdb_search_group_by_gid found " + "already deleted group"); + if (ret == ENOENT) ret = EOK; + + fail_if(ret != EOK, "Could not check group %d", data->gid); + } else { + fail_if(ret != EOK, "Could 
not check group %d", data->gid); + + fail_unless(data->msg->num_elements == 1, + "Wrong number of results, expected [1] got [%d]", + data->msg->num_elements); + fail_unless(strcmp(data->msg->elements[0].name, "memberuid") == 0, + "Wrong attribute name"); + fail_unless(data->msg->elements[0].num_values == ((_i + 1) % 6), + "Wrong number of attribute values, " + "expected [%d] got [%d]", ((_i + 1) % 6), + data->msg->elements[0].num_values); + } + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_memberof_check_memberuid) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, MBO_GROUP_BASE + _i); + fail_if(data == NULL); + + data->attrlist = talloc_array(data, const char *, 2); + fail_unless(data->attrlist != NULL, "talloc_array failed."); + data->attrlist[0] = "memberuid"; + data->attrlist[1] = NULL; + + ret = sysdb_search_group_by_gid(data, test_ctx->domain, + data->gid, data->attrlist, + &data->msg); + + fail_if(ret != EOK, "Could not check group %d", data->gid); + + fail_unless(data->msg->num_elements == 1, + "Wrong number of results, expected [1] got [%d]", + data->msg->num_elements); + fail_unless(strcmp(data->msg->elements[0].name, "memberuid") == 0, + "Wrong attribute name"); + fail_unless(data->msg->elements[0].num_values == _i + 1, + "Wrong number of attribute values, expected [%d] got [%d]", + _i + 1, data->msg->elements[0].num_values); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_memberof_check_memberuid_loop) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new_group(test_ctx, _i + MBO_GROUP_BASE); + fail_if(data == NULL); + + data->attrlist = talloc_array(data, const 
char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = "memberuid";
+ data->attrlist[1] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain,
+ data->gid, data->attrlist,
+ &data->msg);
+
+ fail_if(ret != EOK, "Could not check group %d", data->gid);
+
+ fail_unless(data->msg->num_elements == 1,
+ "Wrong number of results, expected [1] got [%d]",
+ data->msg->num_elements);
+ fail_unless(strcmp(data->msg->elements[0].name, "memberuid") == 0,
+ "Wrong attribute name");
+ fail_unless(data->msg->elements[0].num_values == 10,
+ "Wrong number of attribute values, expected [%d] got [%d]",
+ 10, data->msg->elements[0].num_values);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_check_memberuid_loop_without_group_5)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i + MBO_GROUP_BASE);
+ fail_if(data == NULL);
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "tallo_array failed.");
+ data->attrlist[0] = "memberuid";
+ data->attrlist[1] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain,
+ data->gid, data->attrlist,
+ &data->msg);
+
+ if (_i == 5) {
+ fail_unless(ret == ENOENT,
+ "sysdb_search_group_by_gid_send found "
+ "already deleted group");
+ if (ret == ENOENT) ret = EOK;
+
+ fail_if(ret != EOK, "Could not check group %d", data->gid);
+ } else {
+ fail_if(ret != EOK, "Could not check group %d", data->gid);
+
+ fail_unless(data->msg->num_elements == 1,
+ "Wrong number of results, expected [1] got [%d]",
+ data->msg->num_elements);
+ fail_unless(strcmp(data->msg->elements[0].name, "memberuid") == 0,
+ "Wrong attribute name");
+ fail_unless(data->msg->elements[0].num_values == ((_i + 5) % 10),
+ "Wrong number of attribute values, expected 
[%d] got [%d]",
+ ((_i + 5) % 10), data->msg->elements[0].num_values);
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_check_nested_ghosts)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n", (unsigned long long) data->gid);
+
+ fail_unless(strcmp(data->msg->elements[0].name, SYSDB_GHOST) == 0,
+ "Wrong attribute name");
+ fail_unless(data->msg->elements[0].num_values == _i - MBO_GROUP_BASE + 1,
+ "Wrong number of attribute values, expected [%d] got [%d]",
+ _i - MBO_GROUP_BASE + 1, data->msg->elements[0].num_values);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_check_nested_double_ghosts)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n", (unsigned long long) data->gid);
+
+ fail_unless(strcmp(data->msg->elements[0].name, SYSDB_GHOST) == 0,
+ "Wrong attribute name");
+ 
fail_unless(data->msg->elements[0].num_values == (_i - MBO_GROUP_BASE + 1)*2,
+ "Wrong number of attribute values, expected [%d] got [%d]",
+ (_i - MBO_GROUP_BASE + 1)*2,
+ data->msg->elements[0].num_values);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_remove_child_group_and_check_ghost)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ gid_t delgid;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+ delgid = data->gid - 1;
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n", (unsigned long long) data->gid);
+
+ fail_unless(strcmp(data->msg->elements[0].name, SYSDB_GHOST) == 0,
+ "Wrong attribute name");
+
+ /* Expect our own and our parent's */
+ fail_unless(data->msg->elements[0].num_values == 2,
+ "Wrong number of attribute values, expected [%d] got [%d]",
+ 2, data->msg->elements[0].num_values);
+
+ /* Remove the parent */
+ ret = sysdb_delete_group(data->ctx->domain, NULL, delgid);
+ fail_if(ret != EOK, "Cannot delete group %llu [%d]: %s\n",
+ (unsigned long long) data->gid, ret, strerror(ret));
+
+ talloc_free(data->msg);
+
+ /* Check the parent again. The inherited ghost user should be gone. 
*/
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n", (unsigned long long) data->gid);
+
+ fail_unless(strcmp(data->msg->elements[0].name, SYSDB_GHOST) == 0,
+ "Wrong attribute name");
+
+ /* Expect our own now only */
+ fail_unless(data->msg->elements[0].num_values == 1,
+ "Wrong number of attribute values, expected [%d] got [%d]",
+ 1, data->msg->elements[0].num_values);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_mod_del)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ char *ghostname;
+ int ret;
+ struct ldb_message_element *el;
+ struct ldb_val gv, *test_gv;
+ gid_t itergid;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ ghostname = test_asprintf_fqname(data, test_ctx->domain, "testuser%d", _i);
+ fail_unless(ghostname != NULL, "Out of memory\n");
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, ghostname);
+ fail_unless(ret == EOK, "Cannot add attr\n");
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ /* Before the delete, all groups with gid >= _i have the testuser%_i
+ * as a member
+ */
+ for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) {
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname;
+ gv.length = strlen(ghostname);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost 
user %s\n", ghostname);
+ }
+
+ /* Delete the attribute */
+ null_ctx_get_size(test_ctx);
+ ret = sysdb_set_group_attr(test_ctx->domain,
+ data->groupname, data->attrs, SYSDB_MOD_DEL);
+ fail_if_null_ctx_leaks(test_ctx);
+ fail_unless(ret == EOK, "Cannot set group attrs\n");
+
+ /* After the delete, we shouldn't be able to find the ghost attribute */
+ for (itergid = data->gid ; itergid < MBO_GROUP_BASE + NUM_GHOSTS; itergid++) {
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, itergid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname;
+ gv.length = strlen(ghostname);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ if (itergid > data->gid) {
+ /* The first group would have the ghost attribute gone completely */
+ fail_if(el == NULL, "Cannot find ghost element\n");
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_unless(test_gv == NULL,
+ "Ghost user %s unexpectedly found\n", ghostname);
+ } else {
+ fail_unless(el == NULL, "Stray values in ghost element?\n");
+ }
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_check_ghost)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret, j;
+ char *expected;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+
+ fail_if(ret != EOK, "Could not check group %d", data->gid);
+
+ if (_i > MBO_GROUP_BASE) {
+ /* After the previous test, the first group (gid == MBO_GROUP_BASE)
+ * has no ghost users. 
That's a legitimate test case we need to account
+ * for now.
+ */
+ fail_unless(data->msg->num_elements == 1,
+ "Wrong number of results, expected [1] got [%d] for %d",
+ data->msg->num_elements, data->gid);
+ }
+
+ if (data->msg->num_elements == 0) {
+ talloc_free(test_ctx);
+ return;
+ }
+
+ fail_unless(strcmp(data->msg->elements[0].name, SYSDB_GHOST) == 0,
+ "Wrong attribute name");
+ fail_unless(data->msg->elements[0].num_values == _i - MBO_GROUP_BASE,
+ "Wrong number of attribute values, expected [%d] got [%d]",
+ _i + 1, data->msg->elements[0].num_values);
+
+ for (j = MBO_GROUP_BASE; j < _i; j++) {
+ expected = test_asprintf_fqname(data, test_ctx->domain, "testghost%d", j);
+ fail_if(expected == NULL, "OOM\n");
+ fail_unless(strcmp(expected,
+ (const char *) data->msg->elements[0].values[j-MBO_GROUP_BASE].data) == 0);
+ talloc_free(expected);
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_convert_to_real_users)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i * 2);
+ fail_if(data == NULL);
+ data->username = test_asprintf_fqname(data, test_ctx->domain,
+ "testghost%d", _i);
+ fail_if(data->username == NULL);
+
+ ret = test_store_user(data);
+ fail_if(ret != EOK, "Cannot add user %s\n", data->username);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_check_convert)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ struct ldb_message_element *ghosts;
+ struct ldb_message_element *members;
+ int exp_mem, exp_gh;
+
+ /* Explicitly disable enumeration during setup as converting the ghost
+ * users into real ones works only when enumeration is disabled
+ */
+ ret = _setup_sysdb_tests(&test_ctx, false);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, 
_i);
+ fail_if(data == NULL);
+
+ data->attrlist = talloc_array(data, const char *, 3);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = SYSDB_MEMBER;
+ data->attrlist[2] = NULL;
+
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+
+ fail_if(ret != EOK, "Could not check group %d", data->gid);
+
+ fail_unless(data->msg->num_elements == (_i == MBO_GROUP_BASE) ? 0 : 1,
+ "Wrong number of results, expected [1] got [%d] for %d",
+ data->msg->num_elements, data->gid);
+
+ if (data->msg->num_elements == 0) {
+ talloc_free(test_ctx);
+ return;
+ }
+
+ members = ldb_msg_find_element(data->msg, SYSDB_MEMBER);
+ exp_mem = _i - MBO_GROUP_BASE;
+ if (exp_mem > NUM_GHOSTS/2) {
+ exp_mem = NUM_GHOSTS/2;
+ }
+
+ ghosts = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ exp_gh = _i - MBO_GROUP_BASE - 5;
+ if (exp_gh < 0) {
+ exp_gh = 0;
+ }
+
+ fail_if(exp_mem != members->num_values,
+ "Expected %d members, found %d\n", exp_mem, members->num_values);
+ if (exp_gh) {
+ fail_if(exp_gh != ghosts->num_values,
+ "Expected %d members, found %d\n", exp_gh, ghosts->num_values);
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_ghost_replace)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ char *ghostname_del;
+ char *ghostname_add;
+ int ret;
+ struct ldb_message_element *el;
+ struct ldb_val gv, *test_gv;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ /* The test replaces the testghost%i attribute with testuser%i */
+ ghostname_del = test_asprintf_fqname(data, test_ctx->domain,
+ "testghost%d", data->gid - 1);
+ fail_unless(ghostname_del != NULL, "Out of memory\n");
+
+ ghostname_add = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", data->gid - 1);
+ 
fail_unless(ghostname_add != NULL, "Out of memory\n");
+
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, ghostname_add);
+ fail_unless(ret == EOK, "Cannot add attr\n");
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ /* Before the replace, the group has the testghost%_i as a member */
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname_del;
+ gv.length = strlen(ghostname_del);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_del);
+
+ /* Perform the replace operation */
+ ret = sysdb_set_group_attr(test_ctx->domain,
+ data->groupname, data->attrs, SYSDB_MOD_REP);
+ fail_unless(ret == EOK, "Cannot set group attrs\n");
+
+ /* After the replace, the group has the testghost%_i as a member */
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname_add;
+ gv.length = strlen(ghostname_add);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_add);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_ghost_replace_noop)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ char *ghostname_del;
+ char *ghostname_add;
+ int ret;
+ struct ldb_message_element *el;
+ struct ldb_val gv, *test_gv;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret 
!= EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ /* The test replaces the testghost%i attribute with testuser%i */
+ ghostname_del = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", data->gid - 1);
+ fail_unless(ghostname_del != NULL, "Out of memory\n");
+
+ ghostname_add = test_asprintf_fqname(data, test_ctx->domain,
+ "testuser%d", data->gid - 1);
+ fail_unless(ghostname_add != NULL, "Out of memory\n");
+
+ ret = sysdb_attrs_steal_string(data->attrs, SYSDB_GHOST, ghostname_add);
+ fail_unless(ret == EOK, "Cannot add attr\n");
+
+ data->attrlist = talloc_array(data, const char *, 2);
+ fail_unless(data->attrlist != NULL, "talloc_array failed.");
+ data->attrlist[0] = SYSDB_GHOST;
+ data->attrlist[1] = NULL;
+
+ /* Before the replace, the group has the testghost%_i as a member */
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname_del;
+ gv.length = strlen(ghostname_del);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_del);
+
+ /* Perform the replace operation */
+ ret = sysdb_set_group_attr(test_ctx->domain,
+ data->groupname, data->attrs, SYSDB_MOD_REP);
+ fail_unless(ret == EOK, "Cannot set group attrs\n");
+
+ /* After the replace, the group has the testghost%_i as a member */
+ ret = sysdb_search_group_by_gid(data, test_ctx->domain, data->gid,
+ data->attrlist, &data->msg);
+ fail_if(ret != EOK, "Cannot retrieve group %llu\n",
+ (unsigned long long) data->gid);
+
+ gv.data = (uint8_t *) ghostname_add;
+ gv.length = strlen(ghostname_add);
+
+ el = ldb_msg_find_element(data->msg, SYSDB_GHOST);
+ fail_if(el == NULL, "Cannot find 
ghost element\n");
+
+ test_gv = ldb_msg_find_val(el, &gv);
+ fail_if(test_gv == NULL, "Cannot find ghost user %s\n", ghostname_add);
+}
+END_TEST
+
+START_TEST (test_sysdb_memberof_user_cleanup)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_user(test_ctx, _i * 2);
+ fail_if(data == NULL);
+
+ ret = test_remove_user_by_uid(data);
+
+ fail_if(ret != EOK, "Could not remove user with uid %d", _i);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_set_get_bool)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct ldb_dn *dn, *ne_dn;
+ bool value;
+ int ret;
+ const char *attr_val = "BOOL_VALUE";
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ dn = sysdb_domain_dn(test_ctx, test_ctx->domain);
+ fail_unless(dn != NULL);
+
+ /* attribute is not created yet */
+ ret = sysdb_get_bool(test_ctx->sysdb, dn, attr_val,
+ &value);
+ fail_unless(ret == ENOENT,
+ "sysdb_get_bool returned %d:[%s], but ENOENT is expected",
+ ret, sss_strerror(ret));
+
+ /* add attribute */
+ ret = sysdb_set_bool(test_ctx->sysdb, dn, test_ctx->domain->name,
+ attr_val, true);
+ fail_unless(ret == EOK);
+
+ /* successfully obtain attribute */
+ ret = sysdb_get_bool(test_ctx->sysdb, dn, attr_val,
+ &value);
+ fail_unless(ret == EOK, "sysdb_get_bool failed %d:[%s]",
+ ret, sss_strerror(ret));
+ fail_unless(value == true);
+
+ /* use non-existing DN */
+ ne_dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb, SYSDB_DOM_BASE,
+ "non-existing domain");
+ fail_unless(ne_dn != NULL);
+ ret = sysdb_get_bool(test_ctx->sysdb, ne_dn, attr_val,
+ &value);
+ fail_unless(ret == ENOENT,
+ "sysdb_get_bool returned %d:[%s], but ENOENT is expected",
+ ret, sss_strerror(ret));
+
+ /* free ctx */
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST 
(test_sysdb_attrs_to_list)
+{
+ struct sysdb_attrs *attrs_list[3];
+ char **list;
+ errno_t ret;
+
+ TALLOC_CTX *test_ctx = talloc_new(NULL);
+
+ attrs_list[0] = sysdb_new_attrs(test_ctx);
+ ret = sysdb_attrs_add_string(attrs_list[0], "test_attr", "attr1");
+ fail_if(ret, "Add string failed");
+ attrs_list[1] = sysdb_new_attrs(test_ctx);
+ ret = sysdb_attrs_add_string(attrs_list[1], "test_attr", "attr2");
+ fail_if(ret, "Add string failed");
+ attrs_list[2] = sysdb_new_attrs(test_ctx);
+ ret = sysdb_attrs_add_string(attrs_list[2], "nottest_attr", "attr3");
+ fail_if(ret, "Add string failed");
+
+ ret = sysdb_attrs_to_list(test_ctx, attrs_list, 3,
+ "test_attr", &list);
+ fail_unless(ret == EOK, "sysdb_attrs_to_list failed with code %d", ret);
+
+ fail_unless(strcmp(list[0],"attr1") == 0, "Expected [attr1], got [%s]",
+ list[0]);
+ fail_unless(strcmp(list[1],"attr2") == 0, "Expected [attr2], got [%s]",
+ list[1]);
+ fail_unless(list[2] == NULL, "List should be NULL-terminated");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_get_real_name)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ struct sysdb_attrs *user_attrs;
+ const char *str;
+ char *fq_alias;
+ char *realname;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ fq_alias = sss_create_internal_fqname(test_ctx, "alias",
+ test_ctx->domain->name);
+ realname = sss_create_internal_fqname(test_ctx, "RealName",
+ test_ctx->domain->name);
+ fail_if(fq_alias == NULL, "sss_create_internal_fqname failed");
+ fail_if(realname == NULL, "sss_create_internal_fqname failed");
+
+ user_attrs = sysdb_new_attrs(test_ctx);
+ fail_unless(user_attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_NAME_ALIAS, fq_alias);
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_UPN, "foo@bar");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = 
sysdb_attrs_add_string(user_attrs, SYSDB_SID_STR,
+ "S-1-5-21-123-456-789-111");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_attrs_add_string(user_attrs, SYSDB_UUID,
+ "12345678-9012-3456-7890-123456789012");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_store_user(test_ctx->domain, realname,
+ NULL, 22345, 0, "gecos",
+ "/home/realname", "/bin/bash",
+ NULL, user_attrs, NULL, -1, 0);
+ fail_unless(ret == EOK, "sysdb_store_user failed.");
+
+ /* Get real, uncanonicalized name as string */
+ ret = sysdb_get_real_name(test_ctx, test_ctx->domain, fq_alias, &str);
+ fail_unless(ret == EOK, "sysdb_get_real_name failed.");
+ fail_unless(strcmp(str, realname) == 0, "Expected [%s], got [%s].",
+ realname, str);
+
+ ret = sysdb_get_real_name(test_ctx, test_ctx->domain, "foo@bar", &str);
+ fail_unless(ret == EOK, "sysdb_get_real_name failed.");
+ fail_unless(strcmp(str, realname) == 0, "Expected [%s], got [%s].",
+ realname, str);
+
+ ret = sysdb_get_real_name(test_ctx, test_ctx->domain,
+ "S-1-5-21-123-456-789-111", &str);
+ fail_unless(ret == EOK, "sysdb_get_real_name failed.");
+ fail_unless(strcmp(str, realname) == 0, "Expected [%s], got [%s].",
+ realname, str);
+
+ ret = sysdb_get_real_name(test_ctx, test_ctx->domain,
+ "12345678-9012-3456-7890-123456789012", &str);
+ fail_unless(ret == EOK, "sysdb_get_real_name failed.");
+ fail_unless(strcmp(str, realname) == 0, "Expected [%s], got [%s].",
+ realname, str);
+}
+END_TEST
+
+START_TEST(test_group_rename)
+{
+ struct sysdb_test_ctx *test_ctx;
+ errno_t ret;
+ gid_t gid;
+ const gid_t grgid = 38001;
+ const char *name;
+ char *fromname;
+ char *toname;
+ struct ldb_result *res;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_unless(ret == EOK, "Could not set up the test");
+
+ fromname = sss_create_internal_fqname(test_ctx, "fromgroup",
+ test_ctx->domain->name);
+ fail_if(fromname == NULL, "sss_create_internal_fqname failed");
+ toname = 
sss_create_internal_fqname(test_ctx, "togroup",
+ test_ctx->domain->name);
+ fail_if(toname == NULL, "sss_create_internal_fqname failed");
+
+ /* Store and verify the first group */
+ ret = sysdb_store_group(test_ctx->domain,
+ fromname, grgid, NULL, 0, 0);
+ fail_unless(ret == EOK, "Could not add first group");
+
+ ret = sysdb_getgrnam(test_ctx, test_ctx->domain, fromname, &res);
+ fail_unless(ret == EOK, "Could not retrieve the group from cache\n");
+ if (res->count != 1) {
+ fail("Invalid number of replies. Expected 1, got %d", res->count);
+ goto done;
+ }
+
+ gid = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_GIDNUM, 0);
+ fail_unless(gid == grgid,
+ "Did not find the expected GID (found %llu expected %llu)",
+ (unsigned long long) gid, (unsigned long long) grgid);
+ name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ fail_unless(strcmp(fromname, name) == 0,
+ "Did not find the expected name (found %s expected %s)",
+ name, fromname);
+
+ /* Perform rename and check that GID is the same, but name changed */
+ ret = sysdb_add_group(test_ctx->domain, toname, grgid, NULL, 0, 0);
+ fail_unless(ret == EEXIST, "Group renamed with a low level call?");
+
+ ret = sysdb_store_group(test_ctx->domain,
+ toname, grgid, NULL, 0, 0);
+ fail_unless(ret == EOK, "Could not add first group");
+
+ ret = sysdb_getgrnam(test_ctx, test_ctx->domain, toname, &res);
+ fail_unless(ret == EOK, "Could not retrieve the group from cache\n");
+ if (res->count != 1) {
+ fail("Invalid number of replies. 
Expected 1, got %d", res->count);
+ goto done;
+ }
+
+ gid = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_GIDNUM, 0);
+ fail_unless(gid == grgid,
+ "Did not find the expected GID (found %llu expected %llu)",
+ (unsigned long long) gid, (unsigned long long) grgid);
+ name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ fail_unless(strcmp(toname, name) == 0,
+ "Did not find the expected GID (found %s expected %s)",
+ name, toname);
+
+ /* Verify the first name is gone */
+ ret = sysdb_getgrnam(test_ctx, test_ctx->domain, fromname, &res);
+ fail_unless(ret == EOK, "Could not retrieve the group from cache\n");
+ fail_unless(res->count == 0, "Unexpectedly found the original user\n");
+
+done:
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_user_rename)
+{
+ struct sysdb_test_ctx *test_ctx;
+ errno_t ret;
+ uid_t uid;
+ const uid_t userid = 38002;
+ const char *name;
+ char *fromname;
+ char *toname;
+ struct ldb_result *res;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_unless(ret == EOK, "Could not set up the test");
+
+ fromname = sss_create_internal_fqname(test_ctx, "fromname", test_ctx->domain->name);
+ toname = sss_create_internal_fqname(test_ctx, "toname", test_ctx->domain->name);
+ fail_if(fromname == NULL, "sss_create_internal_fqname failed");
+ fail_if(toname == NULL, "sss_create_internal_fqname failed");
+
+ /* Store and verify the first user */
+ ret = sysdb_store_user(test_ctx->domain,
+ fromname, NULL, userid, 0,
+ fromname, "/", "/bin/sh",
+ NULL, NULL, NULL, 0, 0);
+ fail_unless(ret == EOK, "Could not add first user");
+
+ ret = sysdb_getpwnam(test_ctx, test_ctx->domain, fromname, &res);
+ fail_unless(ret == EOK, "Could not retrieve the user from cache\n");
+ if (res->count != 1) {
+ fail("Invalid number of replies. 
Expected 1, got %d", res->count);
+ goto done;
+ }
+
+ uid = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_UIDNUM, 0);
+ fail_unless(uid == userid,
+ "Did not find the expected UID (found %llu expected %llu)",
+ (unsigned long long) uid, (unsigned long long) userid);
+ name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ fail_unless(strcmp(fromname, name) == 0,
+ "Did not find the expected name (found %s expected %s)",
+ name, fromname);
+
+ /* Perform rename and check that GID is the same, but name changed */
+ ret = sysdb_add_user(test_ctx->domain, toname, userid, 0,
+ fromname, "/", "/bin/sh", NULL, NULL, 0, 0);
+ fail_unless(ret == EEXIST, "A second user added with low level call?");
+
+ ret = sysdb_store_user(test_ctx->domain, toname, NULL,
+ userid, 0, fromname, "/", "/bin/sh",
+ NULL, NULL, NULL, 0, 0);
+ fail_unless(ret == EOK, "Could not add second user");
+
+ ret = sysdb_getpwnam(test_ctx, test_ctx->domain, toname, &res);
+ fail_unless(ret == EOK, "Could not retrieve the user from cache\n");
+ if (res->count != 1) {
+ fail("Invalid number of replies. 
Expected 1, got %d", res->count);
+ goto done;
+ }
+
+ uid = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_UIDNUM, 0);
+ fail_unless(uid == userid,
+ "Did not find the expected UID (found %llu expected %llu)",
+ (unsigned long long) uid, (unsigned long long) userid);
+ name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ fail_unless(strcmp(toname, name) == 0,
+ "Did not find the expected name (found %s expected %s)",
+ name, fromname);
+
+ /* Verify the first name is gone */
+ ret = sysdb_getpwnam(test_ctx, test_ctx->domain, fromname, &res);
+ fail_unless(ret == EOK, "Could not retrieve the user from cache\n");
+ fail_unless(res->count == 0, "Unexpectedly found the original user\n");
+
+done:
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_update_members)
+{
+ struct sysdb_test_ctx *test_ctx;
+ char **add_groups;
+ char **del_groups;
+ const char *user = "testuser27000";
+ char *user_fqname;
+ const char *group_fqname;
+ const char *check_fqname;
+ errno_t ret;
+ struct ldb_result *res;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_unless(ret == EOK, "Could not set up the test");
+
+ user_fqname = sss_create_internal_fqname(test_ctx, user,
+ test_ctx->domain->name);
+ fail_if(user_fqname == NULL, "user_fqname returned NULL");
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res);
+ fail_if(ret != EOK);
+ fail_unless(res->count == 1); /* only the user itself */
+
+ /* Add a user to two groups */
+ add_groups = talloc_array(test_ctx, char *, 3);
+ add_groups[0] = sss_create_internal_fqname(add_groups, "testgroup28001",
+ test_ctx->domain->name);
+ fail_if(add_groups[0] == NULL);
+ add_groups[1] = sss_create_internal_fqname(add_groups, "testgroup28002",
+ test_ctx->domain->name);
+ fail_if(add_groups[1] == NULL);
+ add_groups[2] = NULL;
+
+ /* For later check */
+ group_fqname = talloc_strdup(test_ctx, add_groups[1]);
+ fail_if(group_fqname == NULL);
+
+ ret = sysdb_update_members(test_ctx->domain, 
user_fqname,
+ SYSDB_MEMBER_USER,
+ (const char *const *)add_groups, NULL);
+ fail_unless(ret == EOK, "Could not add groups");
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res);
+ fail_if(ret != EOK);
+ fail_unless(res->count == 3);
+
+ check_fqname = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, NULL);
+ ck_assert_str_eq(check_fqname, add_groups[0]);
+ check_fqname = ldb_msg_find_attr_as_string(res->msgs[2], SYSDB_NAME, NULL);
+ ck_assert_str_eq(check_fqname, add_groups[1]);
+
+ talloc_zfree(add_groups);
+
+ /* Remove a user from one group and add to another */
+ del_groups = talloc_array(test_ctx, char *, 2);
+ del_groups[0] = sss_create_internal_fqname(del_groups, "testgroup28001",
+ test_ctx->domain->name);
+ del_groups[1] = NULL;
+ add_groups = talloc_array(test_ctx, char *, 2);
+ add_groups[0] = sss_create_internal_fqname(add_groups, "testgroup28003",
+ test_ctx->domain->name);
+ add_groups[1] = NULL;
+
+ ret = sysdb_update_members(test_ctx->domain, user_fqname, SYSDB_MEMBER_USER,
+ (const char *const *)add_groups,
+ (const char *const *)del_groups);
+ fail_unless(ret == EOK, "Group replace failed");
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res);
+ fail_if(ret != EOK);
+ fail_unless(res->count == 3);
+
+ check_fqname = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, NULL);
+ ck_assert_str_eq(check_fqname, group_fqname);
+ check_fqname = ldb_msg_find_attr_as_string(res->msgs[2], SYSDB_NAME, NULL);
+ ck_assert_str_eq(check_fqname, add_groups[0]);
+
+ talloc_zfree(add_groups);
+ talloc_zfree(del_groups);
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res);
+ fail_if(ret != EOK);
+ fail_unless(res->count == 3);
+
+ /* Remove a user from two groups */
+ del_groups = talloc_array(test_ctx, char *, 3);
+ del_groups[0] = sss_create_internal_fqname(del_groups, "testgroup28002",
+ test_ctx->domain->name);
+ del_groups[1] = sss_create_internal_fqname(del_groups, "testgroup28003",
+ 
test_ctx->domain->name);
+ del_groups[2] = NULL;
+
+ ret = sysdb_update_members(test_ctx->domain, user_fqname, SYSDB_MEMBER_USER,
+ NULL, (const char *const *)del_groups);
+ fail_unless(ret == EOK, "Could not remove groups");
+
+ ret = sysdb_initgroups(test_ctx, test_ctx->domain, user_fqname, &res);
+ fail_if(ret != EOK);
+ fail_unless(res->count == 1); /* only the user itself */
+
+ talloc_zfree(test_ctx);
+}
+END_TEST
+
+
+START_TEST (test_sysdb_group_dn_name)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+ struct ldb_dn *group_dn;
+ char *parsed;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new_group(test_ctx, _i);
+ fail_if(data == NULL);
+
+ group_dn = sysdb_group_dn(test_ctx, test_ctx->domain, data->groupname);
+ fail_if(group_dn == NULL, "OOM");
+
+ ret = sysdb_group_dn_name(test_ctx->sysdb, test_ctx,
+ ldb_dn_get_linearized(group_dn), &parsed);
+ fail_if(ret != EOK, "Cannot get the group name from DN");
+
+ fail_if(strcmp(data->groupname, parsed) != 0,
+ "Names don't match (got %s)", parsed);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_add_basic_netgroup)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = test_data_new(test_ctx);
+ fail_if(data == NULL);
+ data->uid = _i; /* This is kinda abuse of uid, though */
+ data->netgrname = talloc_asprintf(data, "testnetgr%d", _i);
+
+ ret = test_add_basic_netgroup(data);
+
+ fail_if(ret != EOK, "Could not add netgroup %s", data->netgrname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_search_netgroup_by_name)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ const char *netgrname;
+ struct ldb_message *msg;
+ struct ldb_dn *netgroup_dn;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ 
if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + netgrname = talloc_asprintf(test_ctx, "testnetgr%d", _i); + + ret = sysdb_search_netgroup_by_name(test_ctx, test_ctx->domain, + netgrname, NULL, &msg); + fail_if(ret != EOK, "Could not find netgroup with name %s", netgrname); + + netgroup_dn = sysdb_netgroup_dn(test_ctx, test_ctx->domain, netgrname); + fail_if(netgroup_dn == NULL); + fail_if(ldb_dn_compare(msg->dn, netgroup_dn) != 0, "Found wrong netgroup!\n"); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_remove_netgroup_entry) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); + + ret = test_remove_netgroup_entry(data); + + fail_if(ret != EOK, "Could not remove netgroup %s", data->netgrname); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_remove_netgroup_by_name) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + data->netgrname = talloc_asprintf(data, "testnetgr%d", _i); + + ret = test_remove_netgroup_by_name(data); + + fail_if(ret != EOK, "Could not remove netgroup with name %s", data->netgrname); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_set_netgroup_attr) +{ + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + int ret; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + data = test_data_new(test_ctx); + fail_if(data == NULL); + data->uid = _i; /* This is kinda abuse of uid, though */ + data->netgrname = 
talloc_asprintf(data, "testnetgr%d", _i); + + ret = test_set_netgroup_attr(data); + + fail_if(ret != EOK, "Could not set netgroup attribute %s", data->netgrname); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_sysdb_get_netgroup_attr) +{ + struct sysdb_test_ctx *test_ctx; + int ret; + const char *description; + const char *netgrname; + struct ldb_result *res; + const char *attrs[] = { SYSDB_DESCRIPTION, NULL }; + const char *attrval; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + description = talloc_asprintf(test_ctx, "Sysdb Netgroup %d", _i); + netgrname = talloc_asprintf(test_ctx, "testnetgr%d", _i); + + ret = sysdb_get_netgroup_attr(test_ctx, test_ctx->domain, netgrname, + attrs, &res); + + fail_if(ret != EOK, "Could not get netgroup attributes"); + fail_if(res->count != 1, + "Invalid number of entries, expected 1, got %d", res->count); + + attrval = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_DESCRIPTION, 0); + fail_if(strcmp(attrval, description), + "Got bad attribute value for netgroup %s", netgrname); + talloc_free(test_ctx); +} +END_TEST + +START_TEST (test_netgroup_base_dn) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_dn *base_dn; + const char *strdn; + + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + base_dn = sysdb_netgroup_base_dn(test_ctx, test_ctx->domain); + fail_if(base_dn == NULL, "Could not get netgroup base DN"); + + strdn = ldb_dn_get_linearized(base_dn); + fail_if(strdn == NULL, "Could not get string netgroup base DN"); + + fail_if(strstr(strdn, SYSDB_NETGROUP_CONTAINER) != strdn, + "Malformed netgroup baseDN"); +} +END_TEST + +START_TEST(test_odd_characters) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_result *res; + struct ldb_message *msg; + const struct ldb_val *val; + char *odd_username; + const char odd_username_orig_dn[] = + 
"\\2a\\28odd\\29\\5cuser,name,cn=users,dc=example,dc=com"; + char *odd_groupname; + const char odd_netgroupname[] = "*(odd\\*)\\netgroup,name"; + const char *received_user; + const char *received_group; + static const char *user_attrs[] = SYSDB_PW_ATTRS; + static const char *netgr_attrs[] = SYSDB_NETGR_ATTRS; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + odd_groupname = sss_create_internal_fqname(test_ctx, + "*(odd\\*)\\group,name", + test_ctx->domain->name); + odd_username = sss_create_internal_fqname(test_ctx, "*(odd)\\user,name", + test_ctx->domain->name); + fail_if(odd_groupname == NULL, "sss_create_internal_fqname failed"); + fail_if(odd_username == NULL, "sss_create_internal_fqname failed"); + + /* ===== Groups ===== */ + + /* Add */ + ret = sysdb_add_incomplete_group(test_ctx->domain, odd_groupname, + 20000, NULL, NULL, NULL, true, 0); + fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", + ret, strerror(ret)); + + /* Retrieve */ + ret = sysdb_search_group_by_name(test_ctx, test_ctx->domain, + odd_groupname, NULL, &msg); + fail_unless(ret == EOK, "sysdb_search_group_by_name error [%d][%s]", + ret, strerror(ret)); + talloc_zfree(msg); + + ret = sysdb_getgrnam(test_ctx, test_ctx->domain, odd_groupname, &res); + fail_unless(ret == EOK, "sysdb_getgrnam error [%d][%s]", + ret, strerror(ret)); + fail_unless(res->count == 1, "Received [%d] responses", + res->count); + received_group = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL); + fail_unless(strcmp(received_group, odd_groupname) == 0, + "Expected [%s], got [%s]", + odd_groupname, received_group); + talloc_free(res); + + + /* ===== Users ===== */ + + /* Add */ + ret = sysdb_add_basic_user(test_ctx->domain, + odd_username, + 10000, 10000, + "","",""); + fail_unless(ret == EOK, "sysdb_add_basic_user error [%d][%s]", + ret, strerror(ret)); + + /* Retrieve */ + ret = sysdb_search_user_by_name(test_ctx, + 
test_ctx->domain, + odd_username, NULL, &msg); + fail_unless(ret == EOK, "sysdb_search_user_by_name error [%d][%s]", + ret, strerror(ret)); + val = ldb_dn_get_component_val(msg->dn, 0); + fail_unless(strcmp((char *)val->data, odd_username)==0, + "Expected [%s] got [%s]\n", + odd_username, (char *)val->data); + talloc_zfree(msg); + + /* Add to the group */ + ret = sysdb_add_group_member(test_ctx->domain, + odd_groupname, odd_username, + SYSDB_MEMBER_USER, false); + fail_unless(ret == EOK, "sysdb_add_group_member error [%d][%s]", + ret, strerror(ret)); + + ret = sysdb_getpwnam(test_ctx, test_ctx->domain, odd_username, &res); + fail_unless(ret == EOK, "sysdb_getpwnam error [%d][%s]", + ret, strerror(ret)); + fail_unless(res->count == 1, "Received [%d] responses", + res->count); + received_user = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL); + fail_unless(strcmp(received_user, odd_username) == 0, + "Expected [%s], got [%s]", + odd_username, received_user); + talloc_zfree(res); + + /* Attributes */ + ret = sysdb_get_user_attr(test_ctx, test_ctx->domain, odd_username, + user_attrs, &res); + fail_unless(ret == EOK, "sysdb_get_user_attr error [%d][%s]", + ret, strerror(ret)); + talloc_free(res); + + /* Delete User */ + ret = sysdb_delete_user(test_ctx->domain, odd_username, 10000); + fail_unless(ret == EOK, "sysdb_delete_user error [%d][%s]", + ret, strerror(ret)); + + /* Delete non existing User */ + ret = sysdb_delete_user(test_ctx->domain, odd_username, 10000); + fail_unless(ret == ENOENT, "sysdb_delete_user error [%d][%s]", + ret, strerror(ret)); + + /* Delete Group */ + ret = sysdb_delete_group(test_ctx->domain, odd_groupname, 20000); + fail_unless(ret == EOK, "sysdb_delete_group error [%d][%s]", + ret, strerror(ret)); + + /* Add */ + ret = sysdb_add_user(test_ctx->domain, + odd_username, + 10000, 0, + "","","", + odd_username_orig_dn, + NULL, 5400, 0); + fail_unless(ret == EOK, "sysdb_add_user error [%d][%s]", + ret, strerror(ret)); + + /* Delete User 
*/ + ret = sysdb_delete_user(test_ctx->domain, odd_username, 10000); + fail_unless(ret == EOK, "sysdb_delete_user error [%d][%s]", + ret, strerror(ret)); + + /* ===== Netgroups ===== */ + /* Add */ + ret = sysdb_add_netgroup(test_ctx->domain, + odd_netgroupname, "No description", + NULL, NULL, 30, 0); + fail_unless(ret == EOK, "sysdb_add_netgroup error [%d][%s]", + ret, strerror(ret)); + + /* Retrieve */ + ret = sysdb_getnetgr(test_ctx, test_ctx->domain, odd_netgroupname, &res); + fail_unless(ret == EOK, "sysdb_getnetgr error [%d][%s]", + ret, strerror(ret)); + fail_unless(res->count == 1, "Received [%d] responses", + res->count); + talloc_zfree(res); + + ret = sysdb_get_netgroup_attr(test_ctx, test_ctx->domain, + odd_netgroupname, netgr_attrs, &res); + fail_unless(ret == EOK, "sysdb_get_netgroup_attr error [%d][%s]", + ret, strerror(ret)); + fail_unless(res->count == 1, "Received [%d] responses", + res->count); + talloc_zfree(res); + + /* ===== Arbitrary Entries ===== */ + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_SSS_LDB_SEARCH) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_dn *group_dn, *nonexist_dn; + struct ldb_result *res; + const char *groupname; + const char *groupname_neg; + const char *received_group; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + if (ret != EOK) { + fail("Could not set up the test"); + return; + } + + check_leaks_push(test_ctx); + + groupname = test_asprintf_fqname(test_ctx, test_ctx->domain, + "test_group"); + fail_if(groupname == NULL); + groupname_neg = test_asprintf_fqname(test_ctx, test_ctx->domain, + "non_existing_test_group"); + fail_if(groupname_neg == NULL); + + group_dn = sysdb_group_dn(test_ctx, test_ctx->domain, groupname); + fail_if(group_dn == NULL, "sysdb_group_dn failed"); + + nonexist_dn = sysdb_group_dn(test_ctx, test_ctx->domain, + groupname_neg); + fail_if(nonexist_dn == NULL, "sysdb_group_dn failed"); + + /* Add */ + ret = sysdb_add_incomplete_group(test_ctx->domain, 
groupname, + 20000, NULL, NULL, NULL, true, 0); + fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", + ret, strerror(ret)); + + /* Retrieve */ + + /* Empty filter */ + SSS_LDB_SEARCH(ret, test_ctx->sysdb->ldb, test_ctx, &res, group_dn, + LDB_SCOPE_BASE, NULL, NULL); + + fail_unless(ret == EOK, "SSS_LDB_SEARCH error [%d][%s]", + ret, strerror(ret)); + + fail_unless(res->count == 1, "Received [%d] responses", + res->count); + + received_group = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, + NULL); + fail_unless(strcmp(received_group, groupname) == 0, + "Expected [%s], got [%s]", groupname, received_group); + + talloc_zfree(res); + + /* Non-empty filter */ + SSS_LDB_SEARCH(ret, test_ctx->sysdb->ldb, test_ctx, &res, group_dn, + LDB_SCOPE_BASE, NULL, SYSDB_GC); + + fail_unless(ret == EOK, "SSS_LDB_SEARCH error [%d][%s]", + ret, strerror(ret)); + talloc_zfree(res); + + /* Filter yielding no results */ + SSS_LDB_SEARCH(ret, test_ctx->sysdb->ldb, test_ctx, &res, group_dn, + LDB_SCOPE_BASE, NULL, + "objectClass=nonExistingObjectClass"); + + fail_unless(ret == ENOENT, "sss_ldb_search error [%d][%s]", + ret, strerror(ret)); + talloc_zfree(res); + + /* Non-existing dn */ + SSS_LDB_SEARCH(ret, test_ctx->sysdb->ldb, test_ctx, &res, nonexist_dn, + LDB_SCOPE_BASE, NULL, NULL); + + fail_unless(ret == ENOENT, "SSS_LDB_SEARCH error [%d][%s]", + ret, strerror(ret)); + talloc_zfree(res); + + talloc_zfree(nonexist_dn); + talloc_zfree(group_dn); + talloc_zfree(groupname); + talloc_zfree(groupname_neg); + fail_unless(check_leaks_pop(test_ctx) == true, "Memory leak"); +} +END_TEST + +/* == SERVICE TESTS == */ +void services_check_match(struct sysdb_test_ctx *test_ctx, + bool by_name, + const char *primary_name, + int port, + const char **aliases, + const char **protocols) +{ + errno_t ret; + unsigned int i, j; + bool matched; + const char *ret_name; + int ret_port; + struct ldb_result *res; + struct ldb_message *msg; + struct ldb_message_element *el; + + if 
(by_name) { + /* Look up the service by name */ + ret = sysdb_getservbyname(test_ctx, test_ctx->domain, primary_name, + NULL, &res); + fail_if(ret != EOK, "sysdb_getservbyname error [%s]\n", + strerror(ret)); + } else { + /* Look up the newly-added service by port */ + ret = sysdb_getservbyport(test_ctx, test_ctx->domain, port, NULL, + &res); + fail_if(ret != EOK, "sysdb_getservbyport error [%s]\n", + strerror(ret)); + } + fail_if(res == NULL, "ENOMEM"); + fail_if(res->count != 1); + + /* Make sure the returned entry matches */ + msg = res->msgs[0]; + ret_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + fail_if(ret_name == NULL); + fail_unless(strcmp(ret_name, primary_name) == 0); + + ret_port = ldb_msg_find_attr_as_int(msg, SYSDB_SVC_PORT, 0); + fail_if (ret_port != port); + + el = ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); + for (i = 0; i < el->num_values; i++) { + matched = false; + for (j = 0; aliases[j]; j++) { + if (strcmp(aliases[j], (const char *)el->values[i].data) == 0) { + matched = true; + } + } + fail_if(!matched, "Unexpected value in LDB entry: [%s]", + (const char *)el->values[i].data); + } + + el = ldb_msg_find_element(msg, SYSDB_SVC_PROTO); + for (i = 0; i < el->num_values; i++) { + matched = false; + for (j = 0; protocols[j]; j++) { + if (strcmp(protocols[j], (const char *)el->values[i].data) == 0) { + matched = true; + } + } + fail_if(!matched, "Unexpected value in LDB entry: [%s]", + (const char *)el->values[i].data); + } +} + +#define services_check_match_name(test_ctx, primary_name, port, aliases, protocols) \ + do { \ + services_check_match(test_ctx, true, primary_name, port, aliases, protocols); \ + } while(0); + +#define services_check_match_port(test_ctx, primary_name, port, aliases, protocols) \ + do { \ + services_check_match(test_ctx, false, primary_name, port, aliases, protocols); \ + } while(0); + +START_TEST(test_sysdb_add_services) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + char *primary_name; + const char 
**aliases; + const char **protocols; + int port = 3890; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + primary_name = talloc_asprintf(test_ctx, "test_service"); + fail_if(primary_name == NULL); + + aliases = talloc_array(test_ctx, const char *, 3); + fail_if(aliases == NULL); + + aliases[0] = talloc_asprintf(aliases, "test_service_alias1"); + fail_if(aliases[0] == NULL); + + aliases[1] = talloc_asprintf(aliases, "test_service_alias2"); + fail_if(aliases[1] == NULL); + + aliases[2] = NULL; + + protocols = talloc_array(test_ctx, const char *, 3); + fail_if(protocols == NULL); + + protocols[0] = talloc_asprintf(protocols, "tcp"); + fail_if(protocols[0] == NULL); + + protocols[1] = talloc_asprintf(protocols, "udp"); + fail_if(protocols[1] == NULL); + + protocols[2] = NULL; + + ret = sysdb_transaction_start(test_ctx->sysdb); + fail_if(ret != EOK, "[%s]", strerror(ret)); + + ret = sysdb_svc_add(NULL, test_ctx->domain, + primary_name, port, + aliases, protocols, + NULL); + fail_unless(ret == EOK, "sysdb_svc_add error [%s]\n", strerror(ret)); + + /* Search by name and make sure the results match */ + services_check_match_name(test_ctx, + primary_name, port, + aliases, protocols); + + /* Search by port and make sure the results match */ + services_check_match_port(test_ctx, + primary_name, port, + aliases, protocols); + + ret = sysdb_transaction_commit(test_ctx->sysdb); + fail_if(ret != EOK, "[%s]", strerror(ret)); + + /* Clean up after ourselves (and test deleting by name) + * + * We have to do this after the transaction, because LDB + * doesn't like adding and deleting the same entry in a + * single transaction. 
+ */
+ ret = sysdb_svc_delete(test_ctx->domain, primary_name, 0, NULL);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_store_services)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ const char *primary_name = "test_store_service";
+ const char *alt_primary_name = "alt_test_store_service";
+ const char **aliases;
+ const char **protocols;
+ int port = 3890;
+ int altport = 3891;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ aliases = talloc_array(test_ctx, const char *, 3);
+ fail_if(aliases == NULL);
+
+ aliases[0] = talloc_asprintf(aliases, "test_service_alias1");
+ fail_if(aliases[0] == NULL);
+
+ aliases[1] = talloc_asprintf(aliases, "test_service_alias2");
+ fail_if(aliases[1] == NULL);
+
+ aliases[2] = NULL;
+
+ protocols = talloc_array(test_ctx, const char *, 3);
+ fail_if(protocols == NULL);
+
+ protocols[0] = talloc_asprintf(protocols, "tcp");
+ fail_if(protocols[0] == NULL);
+
+ protocols[1] = talloc_asprintf(protocols, "udp");
+ fail_if(protocols[1] == NULL);
+
+ protocols[2] = NULL;
+
+ ret = sysdb_transaction_start(test_ctx->sysdb);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ /* Store this group (which will add it) */
+ ret = sysdb_store_service(test_ctx->domain,
+ primary_name, port,
+ aliases, protocols,
+ NULL, NULL, 1, 1);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ /* Search by name and make sure the results match */
+ services_check_match_name(test_ctx,
+ primary_name, port,
+ aliases, protocols);
+
+ /* Search by port and make sure the results match */
+ services_check_match_port(test_ctx,
+ primary_name, port,
+ aliases, protocols);
+
+ /* Change the service name */
+ ret = sysdb_store_service(test_ctx->domain,
+ alt_primary_name, port,
+ aliases, protocols,
+ NULL, NULL, 1, 1);
+ fail_if (ret != EOK, "[%s]", strerror(ret));
+
+ services_check_match_name(test_ctx,
+ alt_primary_name, port,
+ aliases, protocols);
+
+ /* Search by port and make sure the results match */
+ services_check_match_port(test_ctx,
+ alt_primary_name, port,
+ aliases, protocols);
+
+
+ /* Change it back */
+ ret = sysdb_store_service(test_ctx->domain,
+ primary_name, port,
+ aliases, protocols,
+ NULL, NULL, 1, 1);
+ fail_if (ret != EOK, "[%s]", strerror(ret));
+
+ /* Change the port number */
+ ret = sysdb_store_service(test_ctx->domain,
+ primary_name, altport,
+ aliases, protocols,
+ NULL, NULL, 1, 1);
+ fail_if (ret != EOK, "[%s]", strerror(ret));
+
+ /* Search by name and make sure the results match */
+ services_check_match_name(test_ctx,
+ primary_name, altport,
+ aliases, protocols);
+
+ /* Search by port and make sure the results match */
+ services_check_match_port(test_ctx,
+ primary_name, altport,
+ aliases, protocols);
+
+ /* TODO: Test changing aliases and protocols */
+
+ ret = sysdb_transaction_commit(test_ctx->sysdb);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ /* Clean up after ourselves (and test deleting by port)
+ *
+ * We have to do this after the transaction, because LDB
+ * doesn't like adding and deleting the same entry in a
+ * single transaction.
+ */
+ ret = sysdb_svc_delete(test_ctx->domain, NULL, altport, NULL);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+errno_t
+sysdb_svc_remove_alias(struct sysdb_ctx *sysdb,
+ struct ldb_dn *dn,
+ const char *alias);
+
+START_TEST(test_sysdb_svc_remove_alias)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ const char *primary_name = "remove_alias_test";
+ const char **aliases;
+ const char **protocols;
+ int port = 3990;
+ struct ldb_dn *dn;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ aliases = talloc_array(test_ctx, const char *, 3);
+ fail_if(aliases == NULL);
+
+ aliases[0] = talloc_asprintf(aliases, "remove_alias_alias1");
+ fail_if(aliases[0] == NULL);
+
+ aliases[1] = talloc_asprintf(aliases, "remove_alias_alias2");
+ fail_if(aliases[1] == NULL);
+
+ aliases[2] = NULL;
+
+ protocols = talloc_array(test_ctx, const char *, 3);
+ fail_if(protocols == NULL);
+
+ protocols[0] = talloc_asprintf(protocols, "tcp");
+ fail_if(protocols[0] == NULL);
+
+ protocols[1] = talloc_asprintf(protocols, "udp");
+ fail_if(protocols[1] == NULL);
+
+ protocols[2] = NULL;
+
+ ret = sysdb_transaction_start(test_ctx->sysdb);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ ret = sysdb_svc_add(NULL, test_ctx->domain,
+ primary_name, port,
+ aliases, protocols,
+ NULL);
+ fail_unless(ret == EOK, "sysdb_svc_add error [%s]\n", strerror(ret));
+
+ /* Search by name and make sure the results match */
+ services_check_match_name(test_ctx,
+ primary_name, port,
+ aliases, protocols);
+
+ /* Search by port and make sure the results match */
+ services_check_match_port(test_ctx,
+ primary_name, port,
+ aliases, protocols);
+
+ /* Now remove an alias */
+ dn = sysdb_svc_dn(test_ctx->sysdb, test_ctx, test_ctx->domain->name, primary_name);
+ fail_if (dn == NULL);
+
+ ret = sysdb_svc_remove_alias(test_ctx->sysdb, dn, aliases[1]);
+ fail_if (ret != EOK, "[%s]", strerror(ret));
+
+ ret = sysdb_transaction_commit(test_ctx->sysdb);
+ fail_if(ret != EOK);
+
+ ret = sysdb_transaction_start(test_ctx->sysdb);
+ fail_if(ret != EOK);
+
+ /* Set aliases[1] to NULL to perform validation checks */
+ aliases[1] = NULL;
+
+ /* Search by name and make sure the results match */
+ services_check_match_name(test_ctx,
+ primary_name, port,
+ aliases, protocols);
+
+ /* Search by port and make sure the results match */
+ services_check_match_port(test_ctx,
+ primary_name, port,
+ aliases, protocols);
+
+ ret = sysdb_transaction_commit(test_ctx->sysdb);
+ fail_if(ret != EOK, "[%s]", strerror(ret));
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+#define LC_NAME_ALIAS_TEST_VAL "TeSt VaLuE"
+#define LC_NAME_ALIAS_CHECK_VAL "test value"
+START_TEST(test_sysdb_attrs_add_lc_name_alias)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ const char *str;
+ const char **list = NULL;
+
+ ret = sysdb_attrs_add_lc_name_alias(NULL, NULL);
+ fail_unless(ret == EINVAL, "EINVAL not returned for NULL input");
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_lc_name_alias(attrs, LC_NAME_ALIAS_TEST_VAL);
+ fail_unless(ret == EOK, "sysdb_attrs_add_lc_name_alias failed");
+
+ ret = sysdb_attrs_get_string(attrs, SYSDB_NAME_ALIAS, &str);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string failed");
+ fail_unless(strcmp(str, LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ LC_NAME_ALIAS_CHECK_VAL, str);
+
+ /* Add the same value a second time, it is not recommended to do this on
+ * purpose but the test should illustrate the different to
+ * sysdb_attrs_add_lc_name_alias_safe(). */
+ ret = sysdb_attrs_add_lc_name_alias(attrs, LC_NAME_ALIAS_TEST_VAL);
+ fail_unless(ret == EOK, "sysdb_attrs_add_lc_name_alias failed");
+
+ ret = sysdb_attrs_get_string_array(attrs, SYSDB_NAME_ALIAS, attrs, &list);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string_array failed");
+ fail_unless(list != NULL, "No list returned");
+ fail_unless(list[0] != NULL, "Missing first list element");
+ fail_unless(strcmp(list[0], LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ LC_NAME_ALIAS_CHECK_VAL, list[0]);
+ fail_unless(list[1] != NULL, "Missing second list element");
+ fail_unless(strcmp(list[1], LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ LC_NAME_ALIAS_CHECK_VAL, list[1]);
+ fail_unless(list[2] == NULL, "Missing list terminator");
+
+ talloc_free(attrs);
+}
+END_TEST
+
+START_TEST(test_sysdb_attrs_add_lc_name_alias_safe)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ const char *str;
+ const char **list = NULL;
+
+ ret = sysdb_attrs_add_lc_name_alias_safe(NULL, NULL);
+ fail_unless(ret == EINVAL, "EINVAL not returned for NULL input");
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_lc_name_alias_safe(attrs, LC_NAME_ALIAS_TEST_VAL);
+ fail_unless(ret == EOK, "sysdb_attrs_add_lc_name_alias failed");
+
+ ret = sysdb_attrs_get_string(attrs, SYSDB_NAME_ALIAS, &str);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string failed");
+ fail_unless(strcmp(str, LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ LC_NAME_ALIAS_CHECK_VAL, str);
+
+ /* Adding the same value a second time should be ignored */
+ ret = sysdb_attrs_add_lc_name_alias_safe(attrs, LC_NAME_ALIAS_TEST_VAL);
+ fail_unless(ret == EOK, "sysdb_attrs_add_lc_name_alias failed");
+
+ ret = sysdb_attrs_get_string_array(attrs, SYSDB_NAME_ALIAS, attrs, &list);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string_array failed");
+ fail_unless(list != NULL, "No list returned");
+ fail_unless(list[0] != NULL, "Missing first list element");
+ fail_unless(strcmp(list[0], LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ LC_NAME_ALIAS_CHECK_VAL, list[0]);
+ fail_unless(list[1] == NULL, "Missing list terminator");
+
+ /* Adding different value */
+ ret = sysdb_attrs_add_lc_name_alias_safe(attrs,
+ "2nd_" LC_NAME_ALIAS_TEST_VAL);
+ fail_unless(ret == EOK, "sysdb_attrs_add_lc_name_alias failed");
+
+ ret = sysdb_attrs_get_string_array(attrs, SYSDB_NAME_ALIAS, attrs, &list);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string_array failed");
+ fail_unless(list != NULL, "No list returned");
+ fail_unless(list[0] != NULL, "Missing first list element");
+ fail_unless(strcmp(list[0], LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ LC_NAME_ALIAS_CHECK_VAL, list[0]);
+ fail_unless(list[1] != NULL, "Missing first list element");
+ fail_unless(strcmp(list[1], "2nd_" LC_NAME_ALIAS_CHECK_VAL) == 0,
+ "Unexpected value, expected [%s], got [%s]",
+ "2nd_" LC_NAME_ALIAS_CHECK_VAL, list[1]);
+ fail_unless(list[2] == NULL, "Missing list terminator");
+
+ talloc_free(attrs);
+}
+END_TEST
+
+START_TEST(test_sysdb_attrs_get_string_array)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ const char **list;
+ const char *attrname = "test_attr";
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_message_element *el = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ fail_unless(tmp_ctx != NULL, "talloc_new failed");
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_string(attrs, attrname, "val1");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed");
+ ret = sysdb_attrs_add_string(attrs, attrname, "val2");
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed");
+
+ ret = sysdb_attrs_get_el_ext(attrs, attrname, false, &el);
+ fail_unless(ret == EOK, "sysdb_attrs_get_el_ext failed");
+
+ list = sss_ldb_el_to_string_list(tmp_ctx, el);
+ fail_if(list == NULL, ("sss_ldb_el_to_string_list failed\n"));
+
+ ck_assert_str_eq(list[0], "val1");
+ ck_assert_str_eq(list[1], "val2");
+ fail_unless(list[2] == NULL, "Expected terminated list");
+
+ talloc_free(list);
+
+ ret = sysdb_attrs_get_string_array(attrs, attrname, tmp_ctx, &list);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string_array failed");
+
+ /* This test relies on values keeping the same order. It is the case
+ * with LDB, but if we ever switch from LDB, we need to amend the test
+ */
+ ck_assert_str_eq(list[0], "val1");
+ ck_assert_str_eq(list[1], "val2");
+ fail_unless(list[2] == NULL, "Expected terminated list");
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_attrs_add_val)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_val val = {discard_const(TEST_ATTR_VALUE),
+ sizeof(TEST_ATTR_VALUE) - 1};
+
+ tmp_ctx = talloc_new(NULL);
+ fail_unless(tmp_ctx != NULL, "talloc_new failed");
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_val(attrs, TEST_ATTR_NAME, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ ret = sysdb_attrs_add_val(attrs, TEST_ATTR_NAME, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ fail_unless(attrs->num == 1, "Unexpected number of attributes.");
+ fail_unless(strcmp(attrs->a[0].name, TEST_ATTR_NAME) == 0,
+ "Unexpected attribute name.");
+ fail_unless(attrs->a[0].num_values == 2,
+ "Unexpected number of attribute values.");
+ fail_unless(ldb_val_string_cmp(&attrs->a[0].values[0],
+ TEST_ATTR_VALUE) == 0,
+ "Unexpected attribute value.");
+ fail_unless(ldb_val_string_cmp(&attrs->a[0].values[1],
+ TEST_ATTR_VALUE) == 0,
+ "Unexpected attribute value.");
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_attrs_add_val_safe)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_val val = {discard_const(TEST_ATTR_VALUE),
+ sizeof(TEST_ATTR_VALUE) - 1};
+
+ tmp_ctx = talloc_new(NULL);
+ fail_unless(tmp_ctx != NULL, "talloc_new failed");
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_val(attrs, TEST_ATTR_NAME, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ ret = sysdb_attrs_add_val_safe(attrs, TEST_ATTR_NAME, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ fail_unless(attrs->num == 1, "Unexpected number of attributes.");
+ fail_unless(strcmp(attrs->a[0].name, TEST_ATTR_NAME) == 0,
+ "Unexpected attribute name.");
+ fail_unless(attrs->a[0].num_values == 1,
+ "Unexpected number of attribute values.");
+ fail_unless(ldb_val_string_cmp(&attrs->a[0].values[0],
+ TEST_ATTR_VALUE) == 0,
+ "Unexpected attribute value.");
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_attrs_add_string_safe)
+{
+ int ret;
+ struct sysdb_attrs *attrs;
+ TALLOC_CTX *tmp_ctx;
+
+ tmp_ctx = talloc_new(NULL);
+ fail_unless(tmp_ctx != NULL, "talloc_new failed");
+
+ attrs = sysdb_new_attrs(NULL);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_add_string(attrs, TEST_ATTR_NAME, TEST_ATTR_VALUE);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ ret = sysdb_attrs_add_string_safe(attrs, TEST_ATTR_NAME, TEST_ATTR_VALUE);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ fail_unless(attrs->num == 1, "Unexpected number of attributes.");
+ fail_unless(strcmp(attrs->a[0].name, TEST_ATTR_NAME) == 0,
+ "Unexpected attribute name.");
+ fail_unless(attrs->a[0].num_values == 1,
+ "Unexpected number of attribute values.");
+ fail_unless(ldb_val_string_cmp(&attrs->a[0].values[0],
+ TEST_ATTR_VALUE) == 0,
+ "Unexpected attribute value.");
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_attrs_copy)
+{
+ int ret;
+ struct sysdb_attrs *src;
+ struct sysdb_attrs *dst;
+ TALLOC_CTX *tmp_ctx;
+ const char *val;
+ const char **array;
+
+ ret = sysdb_attrs_copy(NULL, NULL);
+ fail_unless(ret == EINVAL, "Wrong return code");
+
+ tmp_ctx = talloc_new(NULL);
+ fail_unless(tmp_ctx != NULL, "talloc_new failed");
+
+ src = sysdb_new_attrs(tmp_ctx);
+ fail_unless(src != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_copy(src, NULL);
+ fail_unless(ret == EINVAL, "Wrong return code");
+
+ dst = sysdb_new_attrs(tmp_ctx);
+ fail_unless(dst != NULL, "sysdb_new_attrs failed");
+
+ ret = sysdb_attrs_copy(NULL, dst);
+ fail_unless(ret == EINVAL, "Wrong return code");
+
+ ret = sysdb_attrs_copy(src, dst);
+ fail_unless(ret == EOK, "sysdb_attrs_copy failed");
+ fail_unless(dst->num == 0, "Wrong number of elements");
+
+ ret = sysdb_attrs_add_string(src, TEST_ATTR_NAME, TEST_ATTR_VALUE);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ ret = sysdb_attrs_copy(src, dst);
+ fail_unless(ret == EOK, "sysdb_attrs_copy failed");
+ fail_unless(dst->num == 1, "Wrong number of elements");
+ ret = sysdb_attrs_get_string(dst, TEST_ATTR_NAME, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string failed.\n");
+ fail_unless(strcmp(val, TEST_ATTR_VALUE) == 0, "Wrong attribute value.");
+
+ /* Make sure the same entry is not copied twice */
+ ret = sysdb_attrs_copy(src, dst);
+ fail_unless(ret == EOK, "sysdb_attrs_copy failed");
+ fail_unless(dst->num == 1, "Wrong number of elements");
+ ret = sysdb_attrs_get_string(dst, TEST_ATTR_NAME, &val);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string failed.\n");
+ fail_unless(strcmp(val, TEST_ATTR_VALUE) == 0, "Wrong attribute value.");
+
+ /* Add new value to existing attribute */
+ ret = sysdb_attrs_add_string(src, TEST_ATTR_NAME, TEST_ATTR_VALUE"_2nd");
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ ret = sysdb_attrs_copy(src, dst);
+ fail_unless(ret == EOK, "sysdb_attrs_copy failed");
+ fail_unless(dst->num == 1, "Wrong number of elements");
+ ret = sysdb_attrs_get_string_array(dst, TEST_ATTR_NAME, tmp_ctx, &array);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string_array failed.\n");
+ fail_unless(strcmp(array[0], TEST_ATTR_VALUE) == 0,
+ "Wrong attribute value.");
+ fail_unless(strcmp(array[1], TEST_ATTR_VALUE"_2nd") == 0,
+ "Wrong attribute value.");
+ fail_unless(array[2] == NULL, "Wrong number of values.");
+
+ /* Add new attribute */
+ ret = sysdb_attrs_add_string(src, TEST_ATTR_NAME"_2nd", TEST_ATTR_VALUE);
+ fail_unless(ret == EOK, "sysdb_attrs_add_val failed.");
+
+ ret = sysdb_attrs_copy(src, dst);
+ fail_unless(ret == EOK, "sysdb_attrs_copy failed");
+ fail_unless(dst->num == 2, "Wrong number of elements");
+ ret = sysdb_attrs_get_string_array(dst, TEST_ATTR_NAME, tmp_ctx, &array);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string_array failed.\n");
+ fail_unless(strcmp(array[0], TEST_ATTR_VALUE) == 0,
+ "Wrong attribute value.");
+ fail_unless(strcmp(array[1], TEST_ATTR_VALUE"_2nd") == 0,
+ "Wrong attribute value.");
+ fail_unless(array[2] == NULL, "Wrong number of values.");
+ ret = sysdb_attrs_get_string(dst, TEST_ATTR_NAME"_2nd", &val);
+ fail_unless(ret == EOK, "sysdb_attrs_get_string failed.\n");
+ fail_unless(strcmp(val, TEST_ATTR_VALUE) == 0, "Wrong attribute value.");
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST (test_sysdb_search_return_ENOENT)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ struct ldb_dn *user_dn = NULL;
+ struct ldb_message *msg = NULL;
+ struct ldb_message **msgs = NULL;
+ struct ldb_result *res = NULL;
+ size_t count;
+ const char *str = NULL;
+ struct test_data *data;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+ check_leaks_push(test_ctx);
+
+ /* id mapping */
+ ret = sysdb_idmap_get_mappings(test_ctx, test_ctx->domain, &res);
+ fail_unless(ret == ENOENT, "sysdb_idmap_get_mappings error [%d][%s].",
+ ret, strerror(ret));
+ talloc_zfree(res);
+
+ data = test_data_new_user(test_ctx, 1234);
+ fail_if(data == NULL);
+ data->sid_str = "S-5-4-3-2-1";
+
+ /* Search user */
+ ret = sysdb_search_user_by_name(test_ctx, test_ctx->domain,
+ data->username,
+ NULL, &msg);
+ fail_unless(ret == ENOENT, "sysdb_search_user_by_name error [%d][%s].",
+ ret, strerror(ret));
+ talloc_zfree(msg);
+
+ ret = sysdb_get_real_name(test_ctx, test_ctx->domain,
+ data->username, &str);
+ fail_unless(ret == ENOENT, "sysdb_get_real_name error [%d][%s].",
+ ret, strerror(ret));
+ talloc_zfree(str);
+
+ ret = sysdb_search_user_by_uid(test_ctx, test_ctx->domain,
+ data->uid, NULL, &msg);
+ fail_unless(ret == ENOENT, "sysdb_search_user_by_uid error [%d][%s].",
+ ret, strerror(ret));
+ talloc_zfree(msg);
+
+ ret = sysdb_search_user_by_sid_str(test_ctx, test_ctx->domain,
+ data->sid_str, NULL, &msg);
+ fail_unless(ret == ENOENT, "sysdb_search_user_by_sid_str failed with "
+ "[%d][%s].", ret, strerror(ret));
+
+ /* General search */
+ user_dn = sysdb_user_dn(test_ctx, test_ctx->domain,
+ data->username);
+ fail_if(user_dn == NULL, "sysdb_user_dn failed");
+
+ ret = sysdb_asq_search(test_ctx, test_ctx->domain,
+ user_dn, NULL, "memberof", NULL,
+ &count, &msgs);
+ fail_unless(ret == ENOENT, "sysdb_asq_search failed: %d, %s",
+ ret, strerror(ret));
+ talloc_zfree(msgs);
+
+ ret = sysdb_search_entry(test_ctx, test_ctx->sysdb,
+ user_dn, LDB_SCOPE_SUBTREE,
+ SYSDB_UC, NULL,
+ &count, &msgs);
+ fail_unless(ret == ENOENT, "sysdb_search_entry failed: %d, %s",
+ ret, strerror(ret));
+ talloc_zfree(msgs);
+ talloc_zfree(user_dn);
+
+ /* SSS_LDB_SEARCH */
+ user_dn = sysdb_user_dn(test_ctx, test_ctx->domain,
+ data->username);
+ fail_if(user_dn == NULL, "sysdb_user_dn failed");
+ SSS_LDB_SEARCH(ret, test_ctx->sysdb->ldb, test_ctx, &res, user_dn,
+ LDB_SCOPE_BASE, NULL, SYSDB_UC);
+
+ fail_unless(ret == ENOENT, "SSS_LDB_SEARCH failed: %d, %s",
+ ret, strerror(ret));
+
+ talloc_zfree(res);
+ talloc_zfree(user_dn);
+
+ /* Search group */
+ talloc_zfree(data);
+ data = test_data_new_group(test_ctx, 1234);
+ fail_if(data == NULL);
+ data->sid_str = "S-5-4-3-2-1";
+
+ ret = 
sysdb_search_group_by_name(test_ctx, test_ctx->domain, + data->groupname, NULL, &msg); + fail_unless(ret == ENOENT, "sysdb_search_group_by_name error [%d][%s].", + ret, strerror(ret)); + talloc_zfree(msg); + + ret = sysdb_search_group_by_gid(test_ctx, test_ctx->domain, + data->gid, NULL, &msg); + fail_unless(ret == ENOENT, "sysdb_search_group_by_gid error [%d][%s].", + ret, strerror(ret)); + talloc_zfree(msg); + + ret = sysdb_search_group_by_sid_str(test_ctx, test_ctx->domain, + data->sid_str, NULL, &msg); + fail_unless(ret == ENOENT, "sysdb_search_group_by_sid_str failed with " + "[%d][%s].", ret, strerror(ret)); + talloc_zfree(msg); + talloc_zfree(data); + + /* Search netgroup */ + ret = sysdb_search_netgroup_by_name(test_ctx, test_ctx->domain, + "nonexisting_netgroup", NULL, &msg); + fail_unless(ret == ENOENT, "sysdb_search_netgroup_by_name error [%d][%s].", + ret, strerror(ret)); + talloc_zfree(msg); + + ret = sysdb_getnetgr(test_ctx, test_ctx->domain, "nonexisting_netgroup", + &res); + fail_unless(ret == ENOENT, "sysdb_getnetgr error [%d][%s]", + ret, strerror(ret)); + talloc_zfree(res); + + /* Search object */ + ret = sysdb_search_object_by_sid(test_ctx, test_ctx->domain, + "S-5-4-3-2-1", NULL, &res); + fail_unless(ret == ENOENT, "sysdb_search_object_by_sid failed with " + "[%d][%s].", ret, strerror(ret)); + talloc_zfree(res); + + /* Search can return more results */ + ret = sysdb_search_users(test_ctx, test_ctx->domain, + "("SYSDB_SHELL"=/bin/nologin)", NULL, + &count, &msgs); + fail_unless(ret == ENOENT, "sysdb_search_users failed: %d, %s", + ret, strerror(ret)); + talloc_zfree(msgs); + + ret = sysdb_search_groups(test_ctx, test_ctx->domain, + "("SYSDB_GIDNUM"=1234)", NULL, + &count, &msgs); + fail_unless(ret == ENOENT, "sysdb_search_groups failed: %d, %s", + ret, strerror(ret)); + talloc_zfree(msgs); + + ret = sysdb_search_netgroups(test_ctx, test_ctx->domain, + "("SYSDB_NAME"=nonexisting)", NULL, + &count, &msgs); + fail_unless(ret == ENOENT, 
"sysdb_search_netgroups failed: %d, %s", + ret, strerror(ret)); + talloc_zfree(msgs); + + /* Search custom */ + ret = sysdb_search_custom(test_ctx, test_ctx->domain, + "(distinguishedName=nonexisting)", + CUSTOM_TEST_CONTAINER, NULL, + &count, &msgs); + fail_unless(ret == ENOENT, "sysdb_search_custom failed: %d, %s", + ret, strerror(ret)); + talloc_zfree(msgs); + + ret = sysdb_search_custom_by_name(test_ctx, test_ctx->domain, + "nonexisting", + CUSTOM_TEST_CONTAINER, NULL, + &count, &msgs); + fail_unless(ret == ENOENT, "sysdb_search_custom_by_name failed: %d, %s", + ret, strerror(ret)); + talloc_zfree(msgs); + + /* TODO: test sysdb_search_selinux_config */ + + fail_unless(check_leaks_pop(test_ctx) == true, "Memory leak"); + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_sysdb_has_enumerated) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + bool enumerated; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + ret = sysdb_has_enumerated(test_ctx->domain, &enumerated); + fail_if(ret != ENOENT, + "Error [%d][%s] checking enumeration ENOENT is expected", + ret, strerror(ret)); + + ret = sysdb_set_enumerated(test_ctx->domain, true); + fail_if(ret != EOK, "Error [%d][%s] setting enumeration", + ret, strerror(ret)); + + /* Recheck enumeration status */ + ret = sysdb_has_enumerated(test_ctx->domain, &enumerated); + fail_if(ret != EOK, "Error [%d][%s] checking enumeration", + ret, strerror(ret)); + + fail_unless(enumerated, "Enumeration should have been set to true"); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_sysdb_original_dn_case_insensitive) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + const char *filter; + struct ldb_dn *base_dn; + const char *no_attrs[] = { NULL }; + struct ldb_message **msgs; + size_t num_msgs; + char *c; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + data = 
test_data_new(test_ctx); + fail_if(data == NULL); + data->gid = 2900; + + data->groupname = test_asprintf_fqname(data, test_ctx->domain, + "case_sensitive_group1"); + fail_if(data->groupname == NULL); + + data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->groupname); + fail_if(data->orig_dn == NULL); + + ret = test_add_incomplete_group(data); + fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", + ret, strerror(ret)); + + /* different name and GID, original DN differs only by case */ + data->gid = 2901; + data->groupname = test_asprintf_fqname(data, test_ctx->domain, + "case_sensitive_group2"); + fail_if(data->groupname == NULL); + c = discard_const(data->orig_dn); + while(*c != '\0') { + *c = toupper(*c); + c++; + } + + ret = test_add_incomplete_group(data); + fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", + ret, strerror(ret)); + + /* Search by originalDN should yield 2 entries */ + filter = talloc_asprintf(test_ctx, "%s=%s", + SYSDB_ORIG_DN, data->orig_dn); + fail_if(filter == NULL, "Cannot construct filter\n"); + + base_dn = sysdb_domain_dn(test_ctx, test_ctx->domain); + fail_if(base_dn == NULL, "Cannot construct basedn\n"); + + ret = sysdb_search_entry(test_ctx, test_ctx->sysdb, + base_dn, LDB_SCOPE_SUBTREE, filter, no_attrs, + &num_msgs, &msgs); + fail_unless(ret == EOK, "cache search error [%d][%s]", + ret, strerror(ret)); + fail_unless(num_msgs == 2, "Did not find the expected number of entries using " + "case insensitive originalDN search"); +} +END_TEST + +START_TEST(test_sysdb_search_groups_by_orig_dn) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + const char *no_attrs[] = { NULL }; + struct ldb_message **msgs; + size_t num_msgs; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + data = test_data_new_group(test_ctx, 456789); + fail_if(data == NULL); + + data->orig_dn = talloc_asprintf(data, 
"cn=%s,cn=example,cn=com", data->groupname); + fail_if(data->orig_dn == NULL); + + ret = test_add_incomplete_group(data); + fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", + ret, strerror(ret)); + + ret = sysdb_search_groups_by_orig_dn(test_ctx, data->ctx->domain, data->orig_dn, + no_attrs, &num_msgs, &msgs); + fail_unless(ret == EOK, "cache search error [%d][%s]", + ret, strerror(ret)); + fail_unless(num_msgs == 1, "Did not find the expected number of entries using " + "sysdb_search_groups_by_orign_dn search"); +} +END_TEST + +START_TEST(test_sysdb_search_users_by_orig_dn) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + const char *no_attrs[] = { NULL }; + struct ldb_message **msgs; + size_t num_msgs; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + data = test_data_new_user(test_ctx, 456789); + fail_if(data == NULL); + + data->orig_dn = talloc_asprintf(data, "cn=%s,cn=example,cn=com", data->username); + fail_if(data->orig_dn == NULL); + + ret = sysdb_attrs_add_string(data->attrs, SYSDB_ORIG_DN, data->orig_dn); + fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", + ret, strerror(ret)); + + ret = test_add_user(data); + fail_unless(ret == EOK, "sysdb_add_user error [%d][%s]", + ret, strerror(ret)); + + ret = sysdb_search_users_by_orig_dn(test_ctx, data->ctx->domain, data->orig_dn, + no_attrs, &num_msgs, &msgs); + fail_unless(ret == EOK, "cache search error [%d][%s]", + ret, strerror(ret)); + fail_unless(num_msgs == 1, "Did not find the expected number of entries using " + "sysdb_search_users_by_orign_dn search"); +} +END_TEST + +START_TEST(test_sysdb_search_sid_str) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct test_data *data; + struct ldb_message *msg; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + data = test_data_new_group(test_ctx, 2902); + 
fail_if(data == NULL); + data->sid_str = "S-1-2-3-4"; + + ret = test_add_incomplete_group(data); + fail_unless(ret == EOK, "sysdb_add_incomplete_group error [%d][%s]", + ret, strerror(ret)); + + ret = sysdb_search_group_by_sid_str(test_ctx, test_ctx->domain, + data->sid_str, NULL, &msg); + fail_unless(ret == EOK, "sysdb_search_group_by_sid_str failed with [%d][%s].", + ret, strerror(ret)); + + /* Delete the group by SID */ + ret = sysdb_delete_by_sid(test_ctx->sysdb, test_ctx->domain, data->sid_str); + fail_unless(ret == EOK, "sysdb_delete_by_sid failed with [%d][%s].", + ret, strerror(ret)); + + /* Verify it's gone */ + ret = sysdb_search_group_by_sid_str(test_ctx, test_ctx->domain, + data->sid_str, NULL, &msg); + fail_unless(ret == ENOENT, + "sysdb_search_group_by_sid_str failed with [%d][%s].", + ret, strerror(ret)); + + talloc_free(msg); + msg = NULL; + + talloc_zfree(data); + + data = test_data_new_user(test_ctx, 12345); + fail_if(data == NULL); + data->sid_str = "S-1-2-3-4-5"; + fail_if(data->sid_str == NULL); + + ret = sysdb_attrs_add_string(data->attrs, SYSDB_SID_STR, data->sid_str); + fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", + ret, strerror(ret)); + + ret = test_add_user(data); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_user_by_sid_str(test_ctx, test_ctx->domain, + data->sid_str, NULL, &msg); + fail_unless(ret == EOK, "sysdb_search_user_by_sid_str failed with [%d][%s].", + ret, strerror(ret)); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_sysdb_search_object_by_id) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_result *res; + struct test_data *data; + const uint32_t id = 23456; + uint32_t returned_id; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + /* test for missing entry */ + ret = sysdb_search_object_by_id(test_ctx, test_ctx->domain, 111, NULL, + &res); + 
fail_unless(ret == ENOENT, "sysdb_search_object_by_name failed with " + "[%d][%s].", ret, strerror(ret)); + + /* test user search */ + data = test_data_new_user(test_ctx, id); + fail_if(data == NULL); + + ret = test_add_user(data); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_object_by_id(test_ctx, test_ctx->domain, id, NULL, + &res); + fail_unless(ret == EOK, + "sysdb_search_object_by_id failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " + "expected [%u], get [%u].", 1, res->count); + + returned_id = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_UIDNUM, 0); + fail_unless(id == returned_id, + "Unexpected object found, expected UID [%"PRIu32"], " + "got [%"PRIu32"].", id, returned_id); + talloc_free(res); + + ret = test_remove_user(data); + fail_unless(ret == EOK, + "test_remove_user failed with [%d][%s].", ret, strerror(ret)); + + /* test group search */ + data = test_data_new_group(test_ctx, id); + fail_if(data == NULL); + + ret = test_add_group(data); + fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_object_by_id(test_ctx, test_ctx->domain, id, NULL, + &res); + fail_unless(ret == EOK, + "sysdb_search_object_by_id failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " + "expected [%u], get [%u].", 1, res->count); + + returned_id = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_GIDNUM, 0); + fail_unless(id == returned_id, + "Unexpected object found, expected GID [%"PRIu32"], " + "got [%"PRIu32"].", id, returned_id); + talloc_free(res); + + ret = test_remove_group(data); + fail_unless(ret == EOK, + "test_remove_group failed with [%d][%s].", ret, strerror(ret)); + + /* test for bad search filter bug #3283 */ + data = test_data_new_group(test_ctx, id); + fail_if(data == NULL); + + ret = test_add_group(data); + fail_unless(ret 
== EOK, "sysdb_add_group failed with [%d][%s].", + ret, strerror(ret)); + + test_ctx->domain->mpg = false; + ret = sysdb_add_user(test_ctx->domain, "user1", 4001, id, + "User 1", "/home/user1", "/bin/bash", + NULL, NULL, 0, 0); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_add_user(test_ctx->domain, "user2", 4002, id, + "User 2", "/home/user2", "/bin/bash", + NULL, NULL, 0, 0); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_object_by_id(test_ctx, test_ctx->domain, id, NULL, + &res); + fail_unless(ret == EOK, + "sysdb_search_object_by_id failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " + "expected [%u], get [%u].", 1, res->count); + + returned_id = ldb_msg_find_attr_as_uint(res->msgs[0], SYSDB_GIDNUM, 0); + fail_unless(id == returned_id, + "Unexpected object found, expected GID [%"PRIu32"], " + "got [%"PRIu32"].", id, returned_id); + talloc_free(res); + + data->uid = 4001; + ret = test_remove_user_by_uid(data); + fail_unless(ret == EOK); + + data->uid = 4002; + ret = test_remove_user_by_uid(data); + fail_unless(ret == EOK); + + ret = test_remove_group(data); + fail_unless(ret == EOK); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_sysdb_search_object_by_uuid) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_result *res; + const char *uuid; + struct test_data *data; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + data = test_data_new_user(test_ctx, 123456); + fail_if(data == NULL); + + uuid = "11111111-2222-3333-4444-555555555555"; + + ret = sysdb_attrs_add_string(data->attrs, SYSDB_UUID, uuid); + fail_unless(ret == EOK, "sysdb_attrs_add_string failed with [%d][%s].", + ret, strerror(ret)); + + ret = test_add_user(data); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, 
strerror(ret)); + + ret = sysdb_search_object_by_uuid(test_ctx, test_ctx->domain, + "11111111-2222-3333-4444-555555555556", + NULL, &res); + fail_unless(ret == ENOENT, + "Unexpected return code from sysdb_search_object_by_uuid for " + "missing object, expected [%d], got [%d].", ENOENT, ret); + + ret = sysdb_search_object_by_uuid(test_ctx, test_ctx->domain, + uuid, NULL, &res); + fail_unless(ret == EOK, "sysdb_search_object_by_uuid failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " \ + "expected [%u], get [%u].", 1, res->count); + fail_unless(strcmp(ldb_msg_find_attr_as_string(res->msgs[0], + SYSDB_NAME, ""), + data->username) == 0, "Unexpected object found, " \ + "expected [%s], got [%s].", "UUIDuser", + ldb_msg_find_attr_as_string(res->msgs[0],SYSDB_NAME, "")); + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_sysdb_search_object_by_name) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_result *res; + struct test_data *data; + const char *user_name = "John Doe"; + const char *group_name = "Domain Users"; + const char *lc_group_name = "domain users"; + const char *returned_name; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + /* test for missing entry */ + ret = sysdb_search_object_by_name(test_ctx, test_ctx->domain, + "nonexisting_name", NULL, &res); + fail_unless(ret == ENOENT, "sysdb_search_object_by_name failed with " + "[%d][%s].", ret, strerror(ret)); + + /* test user search */ + data = test_data_new_user(test_ctx, 23456); + fail_if(data == NULL); + + data->username = user_name; + + ret = test_add_user(data); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_object_by_name(test_ctx, test_ctx->domain, + user_name, NULL, &res); + fail_unless(ret == EOK, + "sysdb_search_object_by_name failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 
1, "Unexpected number of results, " + "expected [%u], get [%u].", 1, res->count); + + returned_name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, ""), + fail_unless(strcmp(returned_name, data->username) == 0, + "Unexpected object found, expected [%s], got [%s].", + user_name, returned_name); + talloc_free(res); + + ret = test_remove_user(data); + fail_unless(ret == EOK, + "test_remove_user failed with [%d][%s].", ret, strerror(ret)); + + /* test group search */ + data = test_data_new_group(test_ctx, 23456); + fail_if(data == NULL); + + data->groupname = group_name; + + ret = test_add_group(data); + fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_object_by_name(test_ctx, test_ctx->domain, + group_name, NULL, &res); + fail_unless(ret == EOK, + "sysdb_search_object_by_name failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " + "expected [%u], get [%u].", 1, res->count); + + returned_name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, ""), + fail_unless(strcmp(returned_name, data->groupname) == 0, + "Unexpected object found, expected [%s], got [%s].", + group_name, returned_name); + talloc_free(res); + + ret = test_remove_group(data); + fail_unless(ret == EOK, + "test_remove_group failed with [%d][%s].", ret, strerror(ret)); + + /* test case insensitive search */ + data = test_data_new_group(test_ctx, 23456); + fail_if(data == NULL); + + data->groupname = group_name; + test_ctx->domain->case_sensitive = false; + + data->attrs = sysdb_new_attrs(test_ctx); + fail_if(data->attrs == NULL); + + ret = sysdb_attrs_add_lc_name_alias(data->attrs, group_name); + fail_unless(ret == EOK); + + ret = test_add_group(data); + fail_unless(ret == EOK, "sysdb_add_group failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_object_by_name(test_ctx, test_ctx->domain, + lc_group_name, NULL, &res); + fail_unless(ret == EOK, + 
"sysdb_search_object_by_name failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " + "expected [%u], get [%u].", 1, res->count); + + returned_name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, ""), + fail_unless(strcmp(returned_name, data->groupname) == 0, + "Unexpected object found, expected [%s], got [%s].", + group_name, returned_name); + + talloc_free(res); + + talloc_free(test_ctx); +} +END_TEST + +/* For simple searches the content of the certificate does not matter */ +#define TEST_USER_CERT_DERB64 "gJznJT7L0aETU5CMk+n+1Q==" +START_TEST(test_sysdb_search_user_by_cert) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + struct ldb_result *res; + struct ldb_val val; + struct test_data *data; + struct test_data *data2; + const char *name; + const char *name2; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + data = test_data_new_user(test_ctx, 234567); + fail_if(data == NULL); + + val.data = sss_base64_decode(test_ctx, TEST_USER_CERT_DERB64, &val.length); + fail_unless(val.data != NULL, "sss_base64_decode failed."); + + ret = sysdb_attrs_add_val(data->attrs, SYSDB_USER_MAPPED_CERT, &val); + fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", + ret, strerror(ret)); + + ret = test_add_user(data); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain, "ABA=", &res); + fail_unless(ret == ENOENT, + "Unexpected return code from sysdb_search_user_by_cert for " + "missing object, expected [%d], got [%d].", ENOENT, ret); + + ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain, + TEST_USER_CERT_DERB64, &res); + fail_unless(ret == EOK, "sysdb_search_user_by_cert failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 1, "Unexpected number of results, " \ + "expected [%u], get [%u].", 1, res->count); + 
fail_unless(strcmp(ldb_msg_find_attr_as_string(res->msgs[0], + SYSDB_NAME, ""), + data->username) == 0, "Unexpected object found, " \ + "expected [%s], got [%s].", data->username, + ldb_msg_find_attr_as_string(res->msgs[0],SYSDB_NAME, "")); + + /* Add a second user with the same certificate */ + data2 = test_data_new_user(test_ctx, 2345671); + fail_if(data2 == NULL); + + ret = sysdb_attrs_add_val(data2->attrs, SYSDB_USER_MAPPED_CERT, &val); + fail_unless(ret == EOK, "sysdb_attrs_add_val failed with [%d][%s].", + ret, strerror(ret)); + + ret = test_add_user(data2); + fail_unless(ret == EOK, "sysdb_add_user failed with [%d][%s].", + ret, strerror(ret)); + + ret = sysdb_search_user_by_cert(test_ctx, test_ctx->domain, + TEST_USER_CERT_DERB64, &res); + fail_unless(ret == EOK, "sysdb_search_user_by_cert failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(res->count == 2, "Unexpected number of results, " + "expected [%u], get [%u].", 2, res->count); + name = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, ""); + fail_unless(name != NULL); + name2 = ldb_msg_find_attr_as_string(res->msgs[1], SYSDB_NAME, ""); + fail_unless(name2 != NULL); + fail_unless(((strcmp(name, data->username) == 0 + && strcmp(name2, data2->username) == 0) + || (strcmp(name, data2->username) == 0 + && strcmp(name2, data->username) == 0)), + "Unexpected names found, expected [%s,%s], got [%s,%s].", + data->username, data2->username, name, name2); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_sysdb_delete_by_sid) +{ + errno_t ret; + struct sysdb_test_ctx *test_ctx; + + /* Setup */ + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + check_leaks_push(test_ctx); + + /* Delete the group by SID */ + ret = sysdb_delete_by_sid(test_ctx->sysdb, test_ctx->domain, + "S-1-2-3-4-NON_EXISTING_SID"); + fail_unless(ret == EOK, "sysdb_delete_by_sid failed with [%d][%s].", + ret, strerror(ret)); + + fail_unless(check_leaks_pop(test_ctx) == true, 
"Memory leak"); + talloc_free(test_ctx); +} +END_TEST + +const char *const testdom[4] = { "test.sub", "TEST.SUB", "test", "S-3" }; + +START_TEST(test_sysdb_subdomain_store_user) +{ + struct sysdb_test_ctx *test_ctx; + errno_t ret; + struct sss_domain_info *subdomain = NULL; + struct ldb_result *results = NULL; + struct ldb_dn *base_dn = NULL; + struct ldb_dn *check_dn = NULL; + const char *attrs[] = { SYSDB_NAME, SYSDB_NAME_ALIAS, NULL }; + struct ldb_message *msg; + struct test_data *data; + char *alias; + + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + subdomain = new_subdomain(test_ctx, test_ctx->domain, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, NULL, 0, NULL); + fail_unless(subdomain != NULL, "Failed to create new subdomain."); + ret = sysdb_subdomain_store(test_ctx->sysdb, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, 0, NULL); + fail_if(ret != EOK, "Could not set up the test (test subdom)"); + + ret = sysdb_update_subdomains(test_ctx->domain, NULL); + fail_unless(ret == EOK, "sysdb_update_subdomains failed with [%d][%s]", + ret, strerror(ret)); + + data = test_data_new_user(test_ctx, 12345); + fail_if(data == NULL); + data->username = test_asprintf_fqname(data, subdomain, "SubDomUser"); + + alias = test_asprintf_fqname(data, subdomain, "subdomuser"); + fail_if(alias == NULL); + + ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias); + fail_unless(ret == EOK, "sysdb_store_user failed."); + + ret = sysdb_store_user(subdomain, data->username, + NULL, data->uid, 0, "Sub Domain User", + "/home/subdomuser", "/bin/bash", + NULL, data->attrs, NULL, -1, 0); + fail_unless(ret == EOK, "sysdb_store_user failed."); + + base_dn =ldb_dn_new(test_ctx, test_ctx->sysdb->ldb, "cn=sysdb"); + fail_unless(base_dn != NULL); + + check_dn = sysdb_user_dn(data, subdomain, data->username); + fail_unless(check_dn != NULL); + + ret = ldb_search(test_ctx->sysdb->ldb, 
test_ctx, &results, base_dn, + LDB_SCOPE_SUBTREE, NULL, "name=%s", data->username); + fail_unless(ret == EOK, "ldb_search failed."); + fail_unless(results->count == 1, "Unexpected number of results, " + "expected [%d], got [%d]", + 1, results->count); + fail_unless(ldb_dn_compare(results->msgs[0]->dn, check_dn) == 0, + "Unexpected DN returned"); + + /* Subdomains are case-insensitive. Test that the lowercased name + * can be found, too */ + ret = sysdb_search_user_by_name(test_ctx, subdomain, alias, + attrs, &msg); + fail_unless(ret == EOK, "sysdb_search_user_by_name failed."); + + ret = sysdb_delete_user(subdomain, alias, 0); + fail_unless(ret == EOK, "sysdb_delete_user failed [%d][%s].", + ret, strerror(ret)); + + ret = ldb_search(test_ctx->sysdb->ldb, test_ctx, &results, base_dn, + LDB_SCOPE_SUBTREE, NULL, "name=%s", alias); + fail_unless(ret == EOK, "ldb_search failed."); + fail_unless(results->count == 0, "Unexpected number of results, " + "expected [%d], got [%d]", + 0, results->count); +} +END_TEST + +START_TEST(test_sysdb_subdomain_user_ops) +{ + struct sysdb_test_ctx *test_ctx; + errno_t ret; + struct sss_domain_info *subdomain = NULL; + struct ldb_message *msg = NULL; + struct ldb_dn *check_dn = NULL; + struct test_data *data; + const char *name; + const char *shortname = "subdomuser"; + char *short_check; + char *dom_check; + + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + subdomain = new_subdomain(test_ctx, test_ctx->domain, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, NULL, 0, NULL); + fail_unless(subdomain != NULL, "Failed to create new subdomain."); + ret = sysdb_subdomain_store(test_ctx->sysdb, + testdom[0], testdom[1], testdom[2], testdom[3], + false, false, NULL, 0, NULL); + fail_if(ret != EOK, "Could not set up the test (test subdom)"); + + ret = sysdb_update_subdomains(test_ctx->domain, NULL); + fail_unless(ret == EOK, "sysdb_update_subdomains failed with [%d][%s]", + ret, 
strerror(ret)); + + data = test_data_new_user(test_ctx, 12345); + fail_if(data == NULL); + + data->username = test_asprintf_fqname(data, subdomain, shortname); + fail_if(data->username == NULL); + + ret = sysdb_store_user(subdomain, data->username, + NULL, data->uid, 0, "Sub Domain User", + "/home/subdomuser", "/bin/bash", + NULL, NULL, NULL, -1, 0); + fail_unless(ret == EOK, "sysdb_store_domuser failed."); + + check_dn = sysdb_user_dn(data, subdomain, data->username); + fail_unless(check_dn != NULL); + + ret = sysdb_search_user_by_name(test_ctx, subdomain, + data->username, NULL, + &msg); + fail_unless(ret == EOK, "sysdb_search_user_by_name failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(ldb_dn_compare(msg->dn, check_dn) == 0, + "Unexpected DN returned"); + + name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + fail_if(name == NULL); + + ret = sss_parse_internal_fqname(data, name, &short_check, &dom_check); + fail_if(ret != EOK); + ck_assert_str_eq(short_check, shortname); + ck_assert_str_eq(dom_check, subdomain->name); + + ret = sysdb_search_user_by_uid(test_ctx, subdomain, data->uid, NULL, &msg); + fail_unless(ret == EOK, "sysdb_search_domuser_by_uid failed with [%d][%s].", + ret, strerror(ret)); + fail_unless(ldb_dn_compare(msg->dn, check_dn) == 0, + "Unexpected DN returned"); + + ret = sysdb_delete_user(subdomain, data->username, data->uid); + fail_unless(ret == EOK, "sysdb_delete_domuser failed with [%d][%s].", + ret, strerror(ret)); +} +END_TEST + +START_TEST(test_sysdb_subdomain_group_ops) +{ + struct sysdb_test_ctx *test_ctx; + errno_t ret; + struct sss_domain_info *subdomain = NULL; + struct ldb_message *msg = NULL; + struct ldb_dn *check_dn = NULL; + struct test_data *data; + char *alias; + const char *name; + const char *shortname = "subDomGroup"; + char *short_check; + char *dom_check; + + ret = setup_sysdb_tests(&test_ctx); + fail_if(ret != EOK, "Could not set up the test"); + + subdomain = new_subdomain(test_ctx, 
test_ctx->domain,
+ testdom[0], testdom[1], testdom[2], testdom[3],
+ false, false, NULL, NULL, 0, NULL);
+ fail_unless(subdomain != NULL, "Failed to create new subdomain.");
+ ret = sysdb_subdomain_store(test_ctx->sysdb,
+ testdom[0], testdom[1], testdom[2], testdom[3],
+ false, false, NULL, 0, NULL);
+ fail_if(ret != EOK, "Could not set up the test (test subdom)");
+
+ ret = sysdb_update_subdomains(test_ctx->domain, NULL);
+ fail_unless(ret == EOK, "sysdb_update_subdomains failed with [%d][%s]",
+ ret, strerror(ret));
+
+ data = test_data_new_group(test_ctx, 12345);
+ fail_if(data == NULL);
+ data->groupname = test_asprintf_fqname(data, subdomain, shortname);
+
+ alias = test_asprintf_fqname(data, subdomain, "subdomgroup");
+ fail_if(alias == NULL);
+
+ ret = sysdb_attrs_add_string(data->attrs, SYSDB_NAME_ALIAS, alias);
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_store_group(subdomain,
+ data->groupname, data->gid, data->attrs, -1, 0);
+ fail_unless(ret == EOK, "sysdb_store_group failed.");
+
+ check_dn = sysdb_group_dn(data, subdomain, data->groupname);
+ fail_unless(check_dn != NULL);
+
+ ret = sysdb_search_group_by_name(test_ctx, subdomain, data->groupname, NULL,
+ &msg);
+ fail_unless(ret == EOK, "sysdb_search_group_by_name failed with [%d][%s].",
+ ret, strerror(ret));
+ fail_unless(ldb_dn_compare(msg->dn, check_dn) == 0,
+ "Unexpected DN returned");
+
+ /* subdomains are case insensitive, so it should be possible to search
+ the group with a lowercase name version, too */
+ /* Fixme - lowercase this */
+ ret = sysdb_search_group_by_name(test_ctx, subdomain, data->groupname, NULL,
+ &msg);
+ fail_unless(ret == EOK, "case-insensitive group search failed with [%d][%s].",
+ ret, strerror(ret));
+ fail_unless(ldb_dn_compare(msg->dn, check_dn) == 0,
+ "Unexpected DN returned");
+
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ fail_if(name == NULL);
+
+ ret = sss_parse_internal_fqname(data, name, &short_check, &dom_check);
+ fail_if(ret != EOK);
+ ck_assert_str_eq(short_check, shortname);
+ ck_assert_str_eq(dom_check, subdomain->name);
+
+ ret = sysdb_search_group_by_gid(test_ctx, subdomain, data->gid, NULL, &msg);
+ fail_unless(ret == EOK, "sysdb_search_group_by_gid failed with [%d][%s].",
+ ret, strerror(ret));
+ fail_unless(ldb_dn_compare(msg->dn, check_dn) == 0,
+ "Unexpected DN returned");
+
+ ret = sysdb_delete_group(subdomain, data->groupname, data->gid);
+ fail_unless(ret == EOK, "sysdb_delete_group failed with [%d][%s].",
+ ret, strerror(ret));
+}
+END_TEST
+
+#ifdef BUILD_AUTOFS
+START_TEST(test_autofs_create_map)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ errno_t ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ ret = sysdb_save_autofsmap(test_ctx->domain, autofsmapname,
+ autofsmapname, NULL, 0, 0);
+ fail_if(ret != EOK, "Could not store autofs map %s", autofsmapname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_retrieve_map)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ errno_t ret;
+ struct ldb_message *map = NULL;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ ret = sysdb_get_map_byname(test_ctx, test_ctx->domain,
+ autofsmapname, &map);
+ fail_if(ret != EOK, "Could not retrieve autofs map %s", autofsmapname);
+ fail_if(map == NULL, "No map retrieved?\n");
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_delete_map)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ errno_t ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d",
_i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ ret = sysdb_delete_autofsmap(test_ctx->domain, autofsmapname);
+ fail_if(ret != EOK, "Could not retrieve autofs map %s", autofsmapname);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_retrieve_map_neg)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ errno_t ret;
+ struct ldb_message *map = NULL;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ ret = sysdb_get_map_byname(test_ctx, test_ctx->domain,
+ autofsmapname, &map);
+ fail_if(ret != ENOENT, "Expected ENOENT, got %d instead\n", ret);
+ fail_if(map != NULL, "Unexpected map found\n");
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_store_entry_in_map)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ const char *autofskey;
+ const char *autofsval;
+ errno_t ret;
+ int ii;
+ const int limit = 10;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ for (ii=0; ii < limit; ii++) {
+ autofskey = talloc_asprintf(test_ctx, "%s_testkey%d",
+ autofsmapname, ii);
+ fail_if(autofskey == NULL, "Out of memory\n");
+
+ autofsval = talloc_asprintf(test_ctx, "testserver:/testval%d", ii);
+ fail_if(autofsval == NULL, "Out of memory\n");
+
+ ret = sysdb_save_autofsentry(test_ctx->domain,
+ autofsmapname, autofskey,
+ autofsval, NULL);
+ fail_if(ret != EOK, "Could not save autofs entry %s", autofskey);
+ }
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_retrieve_keys_by_map)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ errno_t ret;
+ size_t count;
+ struct ldb_message **entries;
+ const int expected = 10;
+
+ ret =
setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ ret = sysdb_autofs_entries_by_map(test_ctx, test_ctx->domain,
+ autofsmapname, &count, &entries);
+ fail_if(ret != EOK, "Cannot get autofs entries for map %s\n",
+ autofsmapname);
+ fail_if(count != expected, "Expected to find %d entries, got %d\n",
+ expected, count);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_key_duplicate)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofsmapname;
+ const char *autofskey;
+ const char *autofsval;
+ errno_t ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofsmapname = talloc_asprintf(test_ctx, "testmap%d", _i);
+ fail_if(autofsmapname == NULL, "Out of memory\n");
+
+ autofskey = talloc_asprintf(test_ctx, "testkey");
+ fail_if(autofskey == NULL, "Out of memory\n");
+
+ autofsval = talloc_asprintf(test_ctx, "testserver:/testval%d", _i);
+ fail_if(autofsval == NULL, "Out of memory\n");
+
+ ret = sysdb_save_autofsentry(test_ctx->domain,
+ autofsmapname, autofskey,
+ autofsval, NULL);
+ fail_if(ret != EOK, "Could not save autofs entry %s", autofskey);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_autofs_get_duplicate_keys)
+{
+ struct sysdb_test_ctx *test_ctx;
+ const char *autofskey;
+ errno_t ret;
+ const char *attrs[] = { SYSDB_AUTOFS_ENTRY_KEY,
+ SYSDB_AUTOFS_ENTRY_VALUE,
+ NULL };
+ size_t count;
+ struct ldb_message **msgs;
+ struct ldb_dn *dn;
+ const char *filter;
+ const int expected = 10;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ autofskey = talloc_asprintf(test_ctx, "testkey");
+ fail_if(autofskey == NULL, "Out of memory\n");
+
+ filter = talloc_asprintf(test_ctx, "(&(objectclass=%s)(%s=%s))",
+ SYSDB_AUTOFS_ENTRY_OC, SYSDB_AUTOFS_ENTRY_KEY, autofskey);
+ fail_if(filter == NULL, "Out of memory\n");
+
+ dn = ldb_dn_new_fmt(test_ctx, test_ctx->sysdb->ldb, SYSDB_TMPL_CUSTOM_SUBTREE,
+ AUTOFS_MAP_SUBDIR, test_ctx->domain->name);
+ fail_if(dn == NULL, "Out of memory\n");
+
+ ret = sysdb_search_entry(test_ctx, test_ctx->sysdb, dn, LDB_SCOPE_SUBTREE,
+ filter, attrs, &count, &msgs);
+ fail_unless(ret == EOK, "sysdb_search_entry returned [%d]", ret);
+ fail_if(count != expected, "Found %d entries with name %s, expected %d\n",
+ count, autofskey, expected);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+#endif /* BUILD_AUTOFS */
+
+static struct confdb_ctx *test_cdb_domains_prep(TALLOC_CTX *mem_ctx)
+{
+ char *conf_db;
+ int ret;
+ struct confdb_ctx *confdb;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(TESTS_PATH, 0775);
+ if (ret == -1 && errno != EEXIST) {
+ fail("Could not create %s directory", TESTS_PATH);
+ return NULL;
+ }
+
+ conf_db = talloc_asprintf(mem_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
+ ck_assert(conf_db != NULL);
+
+ /* Make sure the test domain does not interfere with our testing */
+ ret = unlink(TESTS_PATH"/"TEST_CONF_FILE);
+ if (ret != EOK && errno != ENOENT) {
+ fail("Could not remove confdb %s\n", TESTS_PATH"/"TEST_CONF_FILE);
+ return NULL;
+ }
+
+ /* Connect to the conf db */
+ ret = confdb_init(mem_ctx, &confdb, conf_db);
+ ck_assert_int_eq(ret, EOK);
+
+ return confdb;
+}
+
+START_TEST(test_confdb_list_all_domain_names_no_dom)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ struct confdb_ctx *confdb;
+ char **names;
+
+ tmp_ctx = talloc_new(NULL);
+ ck_assert(tmp_ctx != NULL);
+
+ confdb = test_cdb_domains_prep(tmp_ctx);
+ ck_assert(confdb != NULL);
+
+ /* No domain */
+ ret = confdb_list_all_domain_names(tmp_ctx, confdb, &names);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert(names != NULL);
+ ck_assert(names[0] == NULL);
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST(test_confdb_list_all_domain_names_single_dom)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ struct confdb_ctx
*confdb;
+ char **names;
+
+ const char *val[2];
+ val[1] = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ ck_assert(tmp_ctx != NULL);
+
+ confdb = test_cdb_domains_prep(tmp_ctx);
+ ck_assert(confdb != NULL);
+
+ /* One domain */
+ val[0] = "LOCAL";
+ ret = confdb_add_param(confdb, true,
+ "config/sssd", "domains", val);
+ ck_assert_int_eq(ret, EOK);
+
+ val[0] = "local";
+ ret = confdb_add_param(confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = confdb_list_all_domain_names(tmp_ctx, confdb, &names);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert(names != NULL);
+ ck_assert_str_eq(names[0], "LOCAL");
+ ck_assert(names[1] == NULL);
+
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+#define UPN_USER_NAME "upn_user"
+#define UPN_PRINC "upn_user@UPN.TEST"
+#define UPN_PRINC_WRONG_CASE "UpN_uSeR@uPn.TeSt"
+#define UPN_CANON_PRINC "upn_user@UPN.CANON"
+#define UPN_CANON_PRINC_WRONG_CASE "uPn_UsEr@UpN.CaNoN"
+
+START_TEST(test_upn_basic)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct sysdb_attrs *attrs;
+ int ret;
+ struct ldb_message *msg;
+ const char *str;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ attrs = sysdb_new_attrs(test_ctx);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed.\n");
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, UPN_PRINC);
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_CANONICAL_UPN, UPN_CANON_PRINC);
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_store_user(test_ctx->domain,
+ UPN_USER_NAME, "x",
+ 12345, 0, "UPN USER", "/home/upn_user",
+ "/bin/bash", NULL,
+ attrs, NULL, -1, 0);
+ fail_unless(ret == EOK, "Could not store user.");
+
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ "abc@def.ghi", NULL, &msg);
+ fail_unless(ret == ENOENT,
+ "sysdb_search_user_by_upn failed with non-existing UPN.");
+
+ ret =
sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ UPN_PRINC, NULL, &msg);
+ fail_unless(ret == EOK, "sysdb_search_user_by_upn failed.");
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_USER_NAME) == 0, "Expected [%s], got [%s].",
+ UPN_USER_NAME, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
+ /* check if input is sanitized */
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ "abc@def.ghi)(name="UPN_USER_NAME")(abc=xyz",
+ NULL, &msg);
+ fail_unless(ret == ENOENT,
+ "sysdb_search_user_by_upn failed with un-sanitized input.");
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_upn_basic_case)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ struct ldb_message *msg;
+ const char *str;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ UPN_PRINC_WRONG_CASE, NULL, &msg);
+ fail_unless(ret == EOK, "sysdb_search_user_by_upn failed.");
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_USER_NAME) == 0, "Expected [%s], got [%s].",
+ UPN_USER_NAME, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_upn_canon)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ struct ldb_message *msg;
+ const char *str;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret !=
EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ UPN_CANON_PRINC, NULL, &msg);
+ fail_unless(ret == EOK, "sysdb_search_user_by_upn failed.");
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_USER_NAME) == 0, "Expected [%s], got [%s].",
+ UPN_USER_NAME, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_CANONICAL_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_CANON_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_CANON_PRINC, str);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_upn_canon_case)
+{
+ struct sysdb_test_ctx *test_ctx;
+ int ret;
+ struct ldb_message *msg;
+ const char *str;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ UPN_CANON_PRINC_WRONG_CASE, NULL, &msg);
+ fail_unless(ret == EOK, "sysdb_search_user_by_upn failed.");
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_USER_NAME) == 0, "Expected [%s], got [%s].",
+ UPN_USER_NAME, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_CANONICAL_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str,
UPN_CANON_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_CANON_PRINC, str);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_upn_dup)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct sysdb_attrs *attrs;
+ int ret;
+ struct ldb_message *msg;
+ const char *str;
+
+ /* Setup */
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ attrs = sysdb_new_attrs(test_ctx);
+ fail_unless(attrs != NULL, "sysdb_new_attrs failed.\n");
+
+ ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, UPN_CANON_PRINC);
+ fail_unless(ret == EOK, "sysdb_attrs_add_string failed.");
+
+ ret = sysdb_store_user(test_ctx->domain,
+ UPN_USER_NAME"_dup", "x",
+ 23456, 0, "UPN USER DUP", "/home/upn_user_dup",
+ "/bin/bash", NULL,
+ attrs, NULL, -1, 0);
+ fail_unless(ret == EOK, "Could not store user.");
+
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ UPN_CANON_PRINC, NULL, &msg);
+ fail_unless(ret == EINVAL,
+ "sysdb_search_user_by_upn failed for duplicated UPN.");
+
+ ret = sysdb_search_user_by_upn(test_ctx, test_ctx->domain, false,
+ UPN_PRINC, NULL, &msg);
+ fail_unless(ret == EOK, "sysdb_search_user_by_upn failed.");
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_USER_NAME) == 0, "Expected [%s], got [%s].",
+ UPN_USER_NAME, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_PRINC, str);
+
+ str = ldb_msg_find_attr_as_string(msg, SYSDB_CANONICAL_UPN, NULL);
+ fail_unless(str != NULL, "ldb_msg_find_attr_as_string failed.");
+ fail_unless(strcmp(str, UPN_CANON_PRINC) == 0,
+ "Expected [%s], got [%s].", UPN_CANON_PRINC, str);
+
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_gpo_store_retrieve)
+{
+ struct sysdb_test_ctx *test_ctx;
+ errno_t
ret;
+ struct ldb_result *result = NULL;
+ const char *guid;
+ int version;
+ static const char *test_guid = "3610EDA5-77EF-11D2-8DC5-00C04FA31A66";
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not set up the test");
+
+ ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain,
+ test_guid,
+ &result);
+ fail_if(ret != ENOENT, "GPO present in cache before store op");
+
+ ret = sysdb_gpo_get_gpos(test_ctx, test_ctx->domain, &result);
+ fail_if(ret != ENOENT, "GPO present in cache before store op");
+
+ ret = sysdb_gpo_store_gpo(test_ctx->domain,
+ test_guid, 1, 5, 0);
+ fail_if(ret != EOK, "Could not store a test GPO");
+
+ ret = sysdb_gpo_get_gpos(test_ctx, test_ctx->domain, &result);
+ fail_if(ret != EOK, "GPOs not in cache after store op");
+ fail_if(result == NULL);
+ fail_if(result->count != 1);
+
+ result = NULL;
+ ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain,
+ test_guid, &result);
+ fail_if(ret != EOK, "GPO not in cache after store op");
+ fail_if(result == NULL);
+ fail_if(result->count != 1);
+
+ guid = ldb_msg_find_attr_as_string(result->msgs[0],
+ SYSDB_GPO_GUID_ATTR, NULL);
+ ck_assert_str_eq(guid, test_guid);
+
+ version = ldb_msg_find_attr_as_uint(result->msgs[0],
+ SYSDB_GPO_VERSION_ATTR, 0);
+ ck_assert_int_eq(version, 1);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_gpo_replace)
+{
+ struct sysdb_test_ctx *test_ctx;
+ errno_t ret;
+ struct ldb_result *result = NULL;
+ const char *guid;
+ int version;
+ static const char *test_guid = "3610EDA5-77EF-11D2-8DC5-00C04FA31A66";
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not setup the test");
+
+ ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain,
+ test_guid, &result);
+ fail_if(ret != EOK, "GPO not in cache after store op");
+ fail_if(result == NULL);
+ fail_if(result->count != 1);
+
+ guid = ldb_msg_find_attr_as_string(result->msgs[0],
+ SYSDB_GPO_GUID_ATTR, NULL);
+ ck_assert_str_eq(guid, test_guid);
+
+ version =
ldb_msg_find_attr_as_uint(result->msgs[0],
+ SYSDB_GPO_VERSION_ATTR, 0);
+ ck_assert_int_eq(version, 1);
+
+ /* Modify the version */
+ ret = sysdb_gpo_store_gpo(test_ctx->domain,
+ test_guid, 2, 5, 0);
+ fail_if(ret != EOK, "Could not store a test GPO");
+
+ ret = sysdb_gpo_get_gpo_by_guid(test_ctx, test_ctx->domain,
+ test_guid, &result);
+ fail_if(ret != EOK, "GPO not in cache after modify op");
+ fail_if(result == NULL);
+ fail_if(result->count != 1);
+
+ guid = ldb_msg_find_attr_as_string(result->msgs[0],
+ SYSDB_GPO_GUID_ATTR, NULL);
+ ck_assert_str_eq(guid, test_guid);
+
+ version = ldb_msg_find_attr_as_uint(result->msgs[0],
+ SYSDB_GPO_VERSION_ATTR, 0);
+ ck_assert_int_eq(version, 2);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_gpo_result)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ const char *allow_key = "SeRemoteInteractiveLogonRight";
+ const char *deny_key = "SeDenyRemoteInteractiveLogonRight";
+ const char *value = NULL;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not setup the test");
+
+ /* No result in cache */
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ allow_key, &value);
+ ck_assert_int_eq(ret, ENOENT);
+
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ deny_key, &value);
+ ck_assert_int_eq(ret, ENOENT);
+
+ /* Delete with no result object is a noop */
+ ret = sysdb_gpo_delete_gpo_result_object(test_ctx, test_ctx->domain);
+ ck_assert_int_eq(ret, EOK);
+
+ /* Store an allow value, triggering a new result object */
+ ret = sysdb_gpo_store_gpo_result_setting(test_ctx->domain,
+ allow_key, "allow_val1");
+ ck_assert_int_eq(ret, EOK);
+
+ /* Now both searches should succeed, but only allow_key should return
+ * a valid value
+ */
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ allow_key, &value);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert_str_eq(value, "allow_val1");
+
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx,
test_ctx->domain,
+ deny_key, &value);
+ ck_assert_int_eq(ret, EOK);
+ fail_unless(value == NULL);
+
+ /* Updating replaces the original value */
+ ret = sysdb_gpo_store_gpo_result_setting(test_ctx->domain,
+ allow_key, "allow_val2");
+ ck_assert_int_eq(ret, EOK);
+
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ allow_key, &value);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert_str_eq(value, "allow_val2");
+
+ /* NULL removes the value completely */
+ ret = sysdb_gpo_store_gpo_result_setting(test_ctx->domain,
+ allow_key, NULL);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ allow_key, &value);
+ ck_assert_int_eq(ret, EOK);
+ fail_unless(value == NULL);
+
+ /* Delete the result */
+ ret = sysdb_gpo_delete_gpo_result_object(test_ctx, test_ctx->domain);
+ ck_assert_int_eq(ret, EOK);
+
+ /* No result in cache */
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ allow_key, &value);
+ ck_assert_int_eq(ret, ENOENT);
+
+ ret = sysdb_gpo_get_gpo_result_setting(test_ctx, test_ctx->domain,
+ deny_key, &value);
+ ck_assert_int_eq(ret, ENOENT);
+}
+END_TEST
+
+START_TEST(test_confdb_list_all_domain_names_multi_dom)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ struct confdb_ctx *confdb;
+ char **names;
+
+ const char *val[2];
+ val[1] = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ ck_assert(tmp_ctx != NULL);
+
+ confdb = test_cdb_domains_prep(tmp_ctx);
+ ck_assert(confdb != NULL);
+
+ /* Two domains */
+ val[0] = "LOCAL";
+ ret = confdb_add_param(confdb, true,
+ "config/sssd", "domains", val);
+ ck_assert_int_eq(ret, EOK);
+
+ val[0] = "local";
+ ret = confdb_add_param(confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ ck_assert_int_eq(ret, EOK);
+
+ val[0] = "REMOTE";
+ ret = confdb_add_param(confdb, true,
+ "config/sssd", "domains", val);
+ ck_assert_int_eq(ret, EOK);
+
+ val[0] = "local";
+ ret = confdb_add_param(confdb, true,
+ "config/domain/REMOTE", "id_provider", val);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = confdb_list_all_domain_names(tmp_ctx, confdb, &names);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert(names != NULL);
+ ck_assert_str_eq(names[0], "LOCAL");
+ ck_assert_str_eq(names[1], "REMOTE");
+ ck_assert(names[2] == NULL);
+ talloc_free(tmp_ctx);
+}
+END_TEST
+
+START_TEST(test_sysdb_mark_entry_as_expired_ldb_dn)
+{
+ errno_t ret;
+ struct sysdb_test_ctx *test_ctx;
+ const char *attrs[] = { SYSDB_CACHE_EXPIRE, NULL };
+ size_t count;
+ struct ldb_message **msgs;
+ uint64_t expire;
+ struct ldb_dn *userdn;
+ struct test_data *data;
+ char *filter;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ fail_if(ret != EOK, "Could not setup the test");
+
+ /* Add something to database to test against */
+ data = test_data_new_user(test_ctx, 2000);
+ fail_if(data == NULL);
+
+ ret = sysdb_transaction_start(test_ctx->sysdb);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = test_add_user(data);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = sysdb_transaction_commit(test_ctx->sysdb);
+ ck_assert_int_eq(ret, EOK);
+
+ filter = talloc_asprintf(data,
+ "("SYSDB_UIDNUM"=%llu)",
+ (unsigned long long) data->uid);
+ fail_if(filter == NULL);
+
+ ret = sysdb_search_users(test_ctx, test_ctx->domain,
+ filter, attrs, &count, &msgs);
+ talloc_zfree(filter);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert_int_eq(count, 1);
+
+ expire = ldb_msg_find_attr_as_uint64(msgs[0], SYSDB_CACHE_EXPIRE, 0);
+ ck_assert(expire != 1);
+
+ userdn = sysdb_user_dn(test_ctx, test_ctx->domain,
+ data->username);
+ ck_assert(userdn != NULL);
+
+ ret = sysdb_transaction_start(test_ctx->sysdb);
+ ck_assert_int_eq(ret, EOK);
+
+ /* Expire entry */
+ ret = sysdb_mark_entry_as_expired_ldb_dn(test_ctx->domain, userdn);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = sysdb_transaction_commit(test_ctx->sysdb);
+ ck_assert_int_eq(ret, EOK);
+
+ filter = talloc_asprintf(data,
+ "("SYSDB_UIDNUM"=%llu)",
+ (unsigned long long) data->uid);
+ fail_if(filter == NULL);
+
+ ret = sysdb_search_users(test_ctx, test_ctx->domain,
+ filter, attrs, &count, &msgs);
+ talloc_zfree(filter);
+ ck_assert_int_eq(ret, EOK);
+ ck_assert_int_eq(count, 1);
+
+ expire = ldb_msg_find_attr_as_uint64(msgs[0], SYSDB_CACHE_EXPIRE, 0);
+ ck_assert_int_eq(expire, 1);
+
+ /* Try to expire already expired entry. Should return EOK. */
+ ret = sysdb_transaction_start(test_ctx->sysdb);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = sysdb_mark_entry_as_expired_ldb_dn(test_ctx->domain, userdn);
+ ck_assert_int_eq(ret, EOK);
+
+ ret = sysdb_transaction_commit(test_ctx->sysdb);
+ ck_assert_int_eq(ret, EOK);
+}
+END_TEST
+
+Suite *create_sysdb_suite(void)
+{
+ Suite *s = suite_create("sysdb");
+
+ TCase *tc_sysdb = tcase_create("SYSDB Tests");
+
+ /* test getting next id works */
+ tcase_add_test(tc_sysdb, test_sysdb_get_new_id);
+
+ /* Add a user with an automatic ID */
+ tcase_add_test(tc_sysdb, test_sysdb_user_new_id);
+
+ /* Create a new user */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_add_user, 27000, 27010);
+
+ /* Verify the users were added */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_getpwnam, 27000, 27010);
+
+ /* Since this is a local (mpg) domain, verify the user groups
+ * can be found.
Regression test for ticket #3615
+ */
+ tcase_add_loop_test(tc_sysdb, test_user_group_by_name, 27000, 27010);
+ tcase_add_loop_test(tc_sysdb, test_user_group_by_name_local, 27000, 27010);
+
+ /* Create a new group */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_add_group, 28000, 28010);
+
+ /* Verify the groups were added */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_getgrnam, 28000, 28010);
+
+ /* sysdb_group_dn_name returns the name of the group in question */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_group_dn_name, 28000, 28010);
+
+ /* sysdb_store_user allows setting attributes for existing users */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_store_user_existing, 27000, 27010);
+
+ /* test the change */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_get_user_attr, 27000, 27010);
+
+ /* Add and remove users in a group with sysdb_update_members */
+ tcase_add_test(tc_sysdb, test_sysdb_update_members);
+
+ /* Remove the other half by gid */
+ tcase_add_loop_test(tc_sysdb,
+ test_sysdb_remove_local_group_by_gid,
+ 28000, 28010);
+
+ /* Remove the other half by uid */
+ tcase_add_loop_test(tc_sysdb,
+ test_sysdb_remove_local_user_by_uid,
+ 27000, 27010);
+
+ /* Create a new user */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_store_user, 27010, 27020);
+
+ /* Verify the users were added */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_getpwnam, 27010, 27020);
+
+ /* Verify the users can be queried by UID */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_getpwuid, 27010, 27020);
+
+ /* Enumerate the users */
+ tcase_add_test(tc_sysdb, test_sysdb_enumpwent);
+
+ /* Change their attribute */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_set_user_attr, 27010, 27020);
+
+ /* Find the users by their new attribute */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_search_users, 27010, 27020);
+
+ /* Verify the change */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_get_user_attr, 27010, 27020);
+
+ /* Remove the attribute */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_remove_attrs, 27010, 27020);
+
+ /* Create a new group */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_store_group, 28010, 28020);
+
+ /* Verify the groups were added */
+
+ /* Verify the groups can be queried by GID */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_getgrgid, 28010, 28020);
+ tcase_add_loop_test(tc_sysdb, test_sysdb_getgrgid_attrs, 28010, 28020);
+
+ /* Find the users by GID using a filter */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_search_groups, 28010, 28020);
+
+ /* Enumerate the groups */
+ tcase_add_test(tc_sysdb, test_sysdb_enumgrent);
+
+ /* Add some members to the groups */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_add_group_member, 28010, 28020);
+
+ /* Test that sysdb_initgroups() works */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_initgroups, 27010, 27020);
+
+ /* Authenticate with missing cached password */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication_missing_password,
+ 27010, 27011);
+
+ /* Add a cached password */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cache_password, 27010, 27011);
+
+ /* Authenticate against cached password */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication_wrong_password,
+ 27010, 27011);
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cached_authentication, 27010, 27011);
+
+ tcase_add_loop_test(tc_sysdb, test_sysdb_cache_password_ex, 27010, 27011);
+
+ /* ASQ search test */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_prepare_asq_test_user, 28011, 28020);
+ tcase_add_test(tc_sysdb, test_sysdb_asq_search);
+
+ /* Test search with more than one result */
+ tcase_add_test(tc_sysdb, test_sysdb_search_all_users);
+
+ /* Remove the members from the groups */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_remove_group_member, 28010, 28020);
+
+ /* Remove the users by name */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_remove_local_user, 27010, 27020);
+
+ /* Remove the groups by name */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_remove_local_group, 28010, 28020);
+
+ /* test the ignore_not_found parameter for users */
+
tcase_add_test(tc_sysdb, test_sysdb_remove_nonexistent_user);
+
+ /* test the ignore_not_found parameter for groups */
+ tcase_add_test(tc_sysdb, test_sysdb_remove_nonexistent_group);
+
+ /* Create incomplete groups - remove will fail if the LDB objects
+ * don't exist
+ */
+ tcase_add_loop_test(tc_sysdb,
+ test_sysdb_add_incomplete_group,
+ 28000, 28010);
+ tcase_add_loop_test(tc_sysdb,
+ test_sysdb_remove_local_group_by_gid,
+ 28000, 28010);
+ tcase_add_test(tc_sysdb, test_sysdb_incomplete_group_rename);
+
+ /* test custom operations */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_store_custom, 29010, 29020);
+ tcase_add_test(tc_sysdb, test_sysdb_search_custom_by_name);
+ tcase_add_test(tc_sysdb, test_sysdb_update_custom);
+ tcase_add_test(tc_sysdb, test_sysdb_search_custom_update);
+ tcase_add_test(tc_sysdb, test_sysdb_search_custom);
+ tcase_add_test(tc_sysdb, test_sysdb_delete_custom);
+ tcase_add_test(tc_sysdb, test_sysdb_delete_by_sid);
+
+ /* test recursive delete */
+ tcase_add_test(tc_sysdb, test_sysdb_delete_recursive);
+
+ tcase_add_test(tc_sysdb, test_sysdb_attrs_replace_name);
+
+ tcase_add_test(tc_sysdb, test_sysdb_attrs_to_list);
+
+ /* Test unusual characters */
+ tcase_add_test(tc_sysdb, test_odd_characters);
+
+ /* Test sysdb enumerated flag */
+ tcase_add_test(tc_sysdb, test_sysdb_has_enumerated);
+
+ /* Test originalDN searches */
+ tcase_add_test(tc_sysdb, test_sysdb_original_dn_case_insensitive);
+
+ /* Test sysdb_search_groups_by_orig_dn */
+ tcase_add_test(tc_sysdb, test_sysdb_search_groups_by_orig_dn);
+
+ /* Test sysdb_search_users_by_orig_dn */
+ tcase_add_test(tc_sysdb, test_sysdb_search_users_by_orig_dn);
+
+ /* Test SID string searches */
+ tcase_add_test(tc_sysdb, test_sysdb_search_sid_str);
+
+ /* Test object by ID searches */
+ tcase_add_test(tc_sysdb, test_sysdb_search_object_by_id);
+
+ /* Test UUID string searches */
+ tcase_add_test(tc_sysdb, test_sysdb_search_object_by_uuid);
+
+ /* Test object by name */
+
tcase_add_test(tc_sysdb, test_sysdb_search_object_by_name);
+
+ /* Test user by certificate searches */
+ tcase_add_test(tc_sysdb, test_sysdb_search_user_by_cert);
+
+ /* Test canonicalizing names */
+ tcase_add_test(tc_sysdb, test_sysdb_get_real_name);
+
+ /* Test user and group renames */
+ tcase_add_test(tc_sysdb, test_group_rename);
+ tcase_add_test(tc_sysdb, test_user_rename);
+
+ /* Test GetUserAttr with subdomain user */
+ tcase_add_test(tc_sysdb, test_sysdb_get_user_attr_subdomain);
+
+ /* Test adding a non-POSIX user and group */
+ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_user);
+ tcase_add_test(tc_sysdb, test_sysdb_add_nonposix_group);
+
+/* ===== NETGROUP TESTS ===== */
+
+ /* Create a new netgroup */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_add_basic_netgroup, 27000, 27010);
+
+ /* Verify the netgroups were added */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_search_netgroup_by_name, 27000, 27010);
+
+ /* Test setting attributes */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_set_netgroup_attr, 27000, 27010);
+
+ /* Verify they have been changed */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_get_netgroup_attr, 27000, 27010);
+
+ /* Remove half of them by name */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_remove_netgroup_by_name, 27000, 27005);
+
+ /* Remove the other half by DN */
+ tcase_add_loop_test(tc_sysdb, test_sysdb_remove_netgroup_entry, 27005, 27010);
+
+ tcase_add_test(tc_sysdb, test_netgroup_base_dn);
+
+/* ===== SERVICE TESTS ===== */
+
+ /* Create a new service */
+ tcase_add_test(tc_sysdb, test_sysdb_add_services);
+ tcase_add_test(tc_sysdb, test_sysdb_store_services);
+ tcase_add_test(tc_sysdb, test_sysdb_svc_remove_alias);
+
+ tcase_add_test(tc_sysdb, test_sysdb_attrs_add_lc_name_alias);
+ tcase_add_test(tc_sysdb, test_sysdb_attrs_add_lc_name_alias_safe);
+
+/* ===== UTIL TESTS ===== */
+ tcase_add_test(tc_sysdb, test_sysdb_attrs_get_string_array);
+ tcase_add_test(tc_sysdb, test_sysdb_attrs_add_val);
+ tcase_add_test(tc_sysdb,
test_sysdb_attrs_add_val_safe); + tcase_add_test(tc_sysdb, test_sysdb_attrs_add_string_safe); + tcase_add_test(tc_sysdb, test_sysdb_attrs_copy); + +/* ===== Test search return empty result ===== */ + tcase_add_test(tc_sysdb, test_sysdb_search_return_ENOENT); + +/* ===== Misc ===== */ + tcase_add_test(tc_sysdb, test_sysdb_set_get_bool); + tcase_add_test(tc_sysdb, test_sysdb_mark_entry_as_expired_ldb_dn); + +/* Add all test cases to the test suite */ + suite_add_tcase(s, tc_sysdb); + + TCase *tc_memberof = tcase_create("SYSDB member/memberof/memberuid Tests"); + + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group, 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_user, 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_add_group_member, + 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_memberuid, + 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE + 5, MBO_GROUP_BASE + 6); + tcase_add_loop_test(tc_memberof, + test_sysdb_memberof_check_memberuid_without_group_5, + 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + 5); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE+6 , MBO_GROUP_BASE + 10); + + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group, 0, 10); + tcase_add_test(tc_memberof, test_sysdb_memberof_close_loop); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_user, 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_add_group_member, + 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_memberuid_loop, + 0, 10); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE + 5, MBO_GROUP_BASE + 6); + tcase_add_loop_test(tc_memberof, + test_sysdb_memberof_check_memberuid_loop_without_group_5, + 0, 10); + tcase_add_loop_test(tc_memberof, 
test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + 5); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE+6 , MBO_GROUP_BASE + 10); + + /* Ghost users tests */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group_with_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_nested_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_remove_child_group_and_check_ghost, + MBO_GROUP_BASE + 1, MBO_GROUP_BASE + 10); + /* Only one group should be left now */ + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE + 9 , MBO_GROUP_BASE + 10); + + /* ghost users - RFC2307 */ + /* Add groups with ghost users */ + tcase_add_loop_test(tc_memberof, test_sysdb_add_group_with_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + /* Check the ghost user attribute */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_ghost, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + /* Add user entries, converting the ghost attributes to member attributes */ + /* We only convert half of the users and keep the ghost attributes for the + * other half as we also want to test if we don't delete any ghost users + * by accident + */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_convert_to_real_users, + MBO_GROUP_BASE , MBO_GROUP_BASE + NUM_GHOSTS/2); + /* Check the members and ghosts are there as appropriate */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_convert, + MBO_GROUP_BASE , MBO_GROUP_BASE + NUM_GHOSTS); + /* Rename the other half */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_ghost_replace, + MBO_GROUP_BASE + NUM_GHOSTS/2 + 1, + MBO_GROUP_BASE + NUM_GHOSTS); + /* Attempt to replace with the same data to check if noop works correctly */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_ghost_replace_noop, + MBO_GROUP_BASE + NUM_GHOSTS/2 + 
1, + MBO_GROUP_BASE + NUM_GHOSTS); + + /* Remove the real users */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_user_cleanup, + MBO_GROUP_BASE , MBO_GROUP_BASE + NUM_GHOSTS/2); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + NUM_GHOSTS); + + /* ghost users - memberof mod_del */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group_with_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_nested_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_mod_del, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + NUM_GHOSTS); + + /* ghost users - memberof mod_add */ + /* Add groups without ghosts first */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group, 0, 10); + /* Add ghosts to groups so that they propagate */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_mod_add, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + /* Check if the ghosts in fact propagated */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_nested_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + /* Clean up */ + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + + /* ghost users - replace */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group_with_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_nested_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_mod_replace, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + + /* ghost users - replace but retain inherited */ + 
tcase_add_loop_test(tc_memberof, test_sysdb_memberof_store_group_with_double_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_check_nested_double_ghosts, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + + /* SSS_LDB_SEARCH */ + tcase_add_test(tc_sysdb, test_SSS_LDB_SEARCH); + + /* This loop counts backwards so the indexing is a little odd */ + tcase_add_loop_test(tc_memberof, test_sysdb_memberof_mod_replace_keep, + 1 , 11); + tcase_add_loop_test(tc_memberof, test_sysdb_remove_local_group_by_gid, + MBO_GROUP_BASE , MBO_GROUP_BASE + 10); + suite_add_tcase(s, tc_memberof); + + TCase *tc_subdomain = tcase_create("SYSDB sub-domain Tests"); + + tcase_add_test(tc_subdomain, test_sysdb_subdomain_store_user); + tcase_add_test(tc_subdomain, test_sysdb_subdomain_user_ops); + tcase_add_test(tc_subdomain, test_sysdb_subdomain_group_ops); + + suite_add_tcase(s, tc_subdomain); + +#ifdef BUILD_AUTOFS + TCase *tc_autofs = tcase_create("SYSDB autofs Tests"); + + tcase_add_loop_test(tc_autofs, test_autofs_create_map, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_loop_test(tc_autofs, test_autofs_retrieve_map, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_loop_test(tc_autofs, test_autofs_store_entry_in_map, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_loop_test(tc_autofs, test_autofs_retrieve_keys_by_map, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_loop_test(tc_autofs, test_autofs_delete_map, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_loop_test(tc_autofs, test_autofs_retrieve_map_neg, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_loop_test(tc_autofs, test_autofs_key_duplicate, + TEST_AUTOFS_MAP_BASE, TEST_AUTOFS_MAP_BASE+10); + + tcase_add_test(tc_autofs, test_autofs_get_duplicate_keys); + + suite_add_tcase(s, tc_autofs); +#endif + + TCase *tc_upn = tcase_create("SYSDB UPN tests"); + tcase_add_test(tc_upn, test_upn_basic); + 
tcase_add_test(tc_upn, test_upn_basic_case); + tcase_add_test(tc_upn, test_upn_canon); + tcase_add_test(tc_upn, test_upn_canon_case); + tcase_add_test(tc_upn, test_upn_dup); + + suite_add_tcase(s, tc_upn); + + TCase *tc_gpo = tcase_create("SYSDB GPO tests"); + tcase_add_test(tc_gpo, test_gpo_store_retrieve); + tcase_add_test(tc_gpo, test_gpo_replace); + tcase_add_test(tc_gpo, test_gpo_result); + suite_add_tcase(s, tc_gpo); + + /* ConfDB tests -- modify confdb, must always be last!! */ + TCase *tc_confdb = tcase_create("confDB tests"); + + tcase_add_test(tc_confdb, test_confdb_list_all_domain_names_no_dom); + tcase_add_test(tc_confdb, test_confdb_list_all_domain_names_single_dom); + tcase_add_test(tc_confdb, test_confdb_list_all_domain_names_multi_dom); + suite_add_tcase(s, tc_confdb); + + return s; +} + +int main(int argc, const char *argv[]) { + int opt; + poptContext pc; + int failure_count; + int no_cleanup = 0; + Suite *sysdb_suite; + SRunner *sr; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + {"no-cleanup", 'n', POPT_ARG_NONE, &no_cleanup, 0, + _("Do not delete the test database after a test run"), NULL }, + POPT_TABLEEND + }; + + /* Set debug level to invalid value so we can decide if -d 0 was used. 
*/ + debug_level = SSSDBG_INVALID; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + poptFreeContext(pc); + + DEBUG_CLI_INIT(debug_level); + + if (!ldb_modules_path_is_set()) { + fprintf(stderr, "Warning: LDB_MODULES_PATH is not set, " + "will use LDB plugins installed in system paths.\n"); + } + + tests_set_cwd(); + talloc_enable_null_tracking(); + + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE); + + sysdb_suite = create_sysdb_suite(); + sr = srunner_create(sysdb_suite); + /* If CK_VERBOSITY is set, use that, otherwise it defaults to CK_NORMAL */ + srunner_run_all(sr, CK_ENV); + failure_count = srunner_ntests_failed(sr); + srunner_free(sr); + if (failure_count == 0 && !no_cleanup) { + test_dom_suite_cleanup(TESTS_PATH, TEST_CONF_FILE, LOCAL_SYSDB_FILE); + } + return (failure_count==0 ? EXIT_SUCCESS : EXIT_FAILURE); +} diff --git a/src/tests/sysdb_ssh-tests.c b/src/tests/sysdb_ssh-tests.c new file mode 100644 index 0000000..c621e45 --- /dev/null +++ b/src/tests/sysdb_ssh-tests.c 
@@ -0,0 +1,425 @@
+/*
+ Authors:
+ Michal Zidek
+ Stephen Gallagher
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#include "config.h"
+#include "tests/common.h"
+#include "util/util.h"
+#include "confdb/confdb.h"
+#include "db/sysdb.h"
+#include "db/sysdb_services.h"
+#include "db/sysdb_ssh.h"
+
+#define TESTS_PATH "tp_" BASE_FILE_STEM
+#define TEST_CONF_FILE "tests_conf.ldb"
+#define TEST_HOSTNAME "testhost"
+
+struct sysdb_test_ctx {
+ struct sysdb_ctx *sysdb;
+ struct confdb_ctx *confdb;
+ struct tevent_context *ev;
+ struct sss_domain_info *domain;
+};
+
+static int setup_sysdb_tests(struct sysdb_test_ctx **ctx)
+{
+ struct sysdb_test_ctx *test_ctx;
+ char *conf_db;
+ int ret;
+
+ const char *val[2];
+ val[1] = NULL;
+
+ /* Create tests directory if it doesn't exist */
+ /* (relative to current dir) */
+ ret = mkdir(TESTS_PATH, 0775);
+ if (ret == -1 && errno != EEXIST) {
+ fail("Could not create %s directory", TESTS_PATH);
+ return EFAULT;
+ }
+
+ test_ctx = talloc_zero(NULL, struct sysdb_test_ctx);
+ if (test_ctx == NULL) {
+ fail("Could not allocate memory for test context");
+ return ENOMEM;
+ }
+
+ /* Create an event context
+ * It will not be used except in confdb_init and sysdb_init
+ */
+ test_ctx->ev = tevent_context_init(test_ctx);
+ if (test_ctx->ev == NULL) {
+ fail("Could not create event context");
+ talloc_free(test_ctx);
+ return EIO;
+ }
+
+ conf_db = talloc_asprintf(test_ctx, "%s/%s", TESTS_PATH, TEST_CONF_FILE);
+ if (conf_db == NULL) {
+ fail("Out of memory, aborting!");
+ talloc_free(test_ctx);
+ return ENOMEM;
+ }
+ DEBUG(SSSDBG_MINOR_FAILURE, "CONFDB: %s\n", conf_db);
+
+ /* Connect to the conf db */
+ ret = confdb_init(test_ctx, &test_ctx->confdb, conf_db);
+ if (ret != EOK) {
+ fail("Could not initialize connection to the confdb");
+ talloc_free(test_ctx);
+ return ret;
+ }
+
+ val[0] = "LOCAL";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/sssd", "domains", val);
+ if (ret != EOK) {
+ fail("Could not initialize domains placeholder");
+ talloc_free(test_ctx);
+ return ret;
+ }
+
+ val[0] = "local";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "id_provider", val);
+ if (ret != EOK) {
+ fail("Could not initialize provider");
+ talloc_free(test_ctx);
+ return ret;
+ }
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "enumerate", val);
+ if (ret != EOK) {
+ fail("Could not initialize LOCAL domain");
+ talloc_free(test_ctx);
+ return ret;
+ }
+
+ val[0] = "TRUE";
+ ret = confdb_add_param(test_ctx->confdb, true,
+ "config/domain/LOCAL", "cache_credentials", val);
+ if (ret != EOK) {
+ fail("Could not initialize LOCAL domain");
+ talloc_free(test_ctx);
+ return ret;
+ }
+
+ ret = sssd_domain_init(test_ctx, test_ctx->confdb, "local",
+ TESTS_PATH, &test_ctx->domain);
+ if (ret != EOK) {
+ fail("Could not initialize connection to the sysdb (%d)", ret);
+ talloc_free(test_ctx);
+ return ret;
+ }
+ test_ctx->sysdb = test_ctx->domain->sysdb;
+
+ *ctx = test_ctx;
+ return EOK;
+}
+
+static void clean_up(void)
+{
+ int ret = 0;
+
+ ret += unlink(TESTS_PATH"/"TEST_CONF_FILE);
+ ret += unlink(TESTS_PATH"/sssd.ldb");
+ ret += rmdir(TESTS_PATH);
+
+ if (ret != 0) {
+ fprintf(stderr, "Unable to remove all test files from %s\n",TESTS_PATH);
+ }
+}
+
+struct test_data {
+ struct tevent_context *ev;
+ struct sysdb_test_ctx *ctx;
+
+ const char *hostname;
+ const char *alias;
+
+ struct ldb_message *host;
+ struct sysdb_attrs *attrs;
+};
+
+static int test_sysdb_store_ssh_host(struct test_data *data)
+{
+ int ret;
+ time_t now = time(NULL);
+
+ ret = sysdb_store_ssh_host(data->ctx->domain,
+ data->hostname,
+ data->alias,
+ data->ctx->domain->ssh_host_timeout,
+ now,
+ data->attrs);
+ return ret;
+}
+
+static int test_sysdb_delete_ssh_host(struct test_data *data)
+{
+ int ret;
+
+ ret = sysdb_delete_ssh_host(data->ctx->domain, data->hostname);
+ return ret;
+}
+
+static int test_sysdb_get_ssh_host(struct test_data *data)
+{
+ int ret;
+ const char *attrs[] = { SYSDB_NAME, NULL };
+
+ ret = sysdb_get_ssh_host(data->ctx, data->ctx->domain, data->hostname,
+ attrs, &data->host);
+
+ return ret;
+}
+
+START_TEST (store_one_host_test)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = talloc_zero(test_ctx, struct test_data);
+ if (data == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ data->ctx = test_ctx;
+ data->ev = test_ctx->ev;
+ data->hostname = talloc_strdup(test_ctx, TEST_HOSTNAME);
+ if (data->hostname == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ data->attrs = sysdb_new_attrs(test_ctx);
+ if (data->attrs == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ ret = test_sysdb_store_ssh_host(data);
+
+ fail_if(ret != EOK, "Could not store host into database");
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (delete_existing_host_test)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = talloc_zero(test_ctx, struct test_data);
+ if (data == NULL) {
+ fail("Out of memory!");
+ return;
+ }
+
+ data->ctx = test_ctx;
+ data->ev = test_ctx->ev;
+ data->hostname = talloc_strdup(test_ctx, TEST_HOSTNAME);
+ if (data->hostname == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ ret = test_sysdb_delete_ssh_host(data);
+
+ fail_if(ret != EOK, "Could not delete host from database");
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST (delete_nonexistent_host_test)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up the test");
+ return;
+ }
+
+ data = talloc_zero(test_ctx, struct test_data);
+ if (data == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ data->ctx = test_ctx;
+ data->ev = test_ctx->ev;
+ data->hostname = talloc_strdup(test_ctx, "nonexistent_host");
+ if (data->hostname == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ ret = test_sysdb_delete_ssh_host(data);
+
+ fail_if(ret != EOK, "Deletion of nonexistent host returned code %d", ret);
+ talloc_free(test_ctx);
+
+}
+END_TEST
+
+START_TEST (sysdb_get_ssh_host_test)
+{
+ struct sysdb_test_ctx *test_ctx;
+ struct test_data *data;
+ int ret;
+
+ ret = setup_sysdb_tests(&test_ctx);
+ if (ret != EOK) {
+ fail("Could not set up test");
+ return;
+ }
+
+ data = talloc_zero(test_ctx, struct test_data);
+ if (data == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ data->ctx = test_ctx;
+ data->ev = test_ctx->ev;
+ data->hostname = talloc_strdup(test_ctx, TEST_HOSTNAME);
+ if (data->hostname == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ data->attrs = sysdb_new_attrs(test_ctx);
+ if (data->attrs == NULL) {
+ fail("Out of memory!");
+ talloc_free(test_ctx);
+ return;
+ }
+
+ ret = test_sysdb_store_ssh_host(data);
+ if (ret != EOK) {
+ fail("Could not store host '%s' to database", TEST_HOSTNAME);
+ talloc_free(test_ctx);
+ return;
+ }
+
+ ret = test_sysdb_get_ssh_host(data);
+
+ fail_if(ret != EOK, "Could not find host '%s'",TEST_HOSTNAME);
+ talloc_free(test_ctx);
+}
+END_TEST
+
+
+Suite *create_sysdb_ssh_suite(void)
+{
+ Suite *s = suite_create("sysdb_ssh");
+ TCase *tc_sysdb_ssh = tcase_create("SYSDB_SSH Tests");
+
+ tcase_add_test(tc_sysdb_ssh, store_one_host_test);
+ tcase_add_test(tc_sysdb_ssh, delete_existing_host_test);
+ tcase_add_test(tc_sysdb_ssh, delete_nonexistent_host_test);
+ tcase_add_test(tc_sysdb_ssh, sysdb_get_ssh_host_test);
+ suite_add_tcase(s, tc_sysdb_ssh);
+ return s;
+}
+
+int main(int argc, const char *argv[])
+{
+ int failcount;
+ int opt;
+ poptContext pc;
+ Suite* s;
+ SRunner *sr;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, (const char **) argv, long_options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ if (!ldb_modules_path_is_set()) {
+ fprintf(stderr, "Warning: LDB_MODULES_PATH is not set, "
+ "will use LDB plugins installed in system paths.\n");
+ }
+
+ tests_set_cwd();
+
+ s = create_sysdb_ssh_suite();
+
+ sr = srunner_create(s);
+ srunner_run_all(sr, CK_ENV);
+ failcount = srunner_ntests_failed(sr);
+ srunner_free(sr);
+
+ clean_up();
+ if (failcount != 0) {
+ return EXIT_FAILURE;
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/src/tests/tcurl_test_tool.c b/src/tests/tcurl_test_tool.c
new file mode 100644
index 0000000..fbc2790
--- /dev/null
+++ b/src/tests/tcurl_test_tool.c
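Review bot: delete_existing_host_test cannot tell a real deletion from a no-op, because delete_nonexistent_host_test in the same file expects sysdb_delete_ssh_host to return EOK for a host that was never stored. After the delete, look the host up again and fail if it is still found, e.g. `ret = test_sysdb_get_ssh_host(data);` followed by `fail_if(ret == EOK, "Host still present after delete");`. The test also relies on store_one_host_test having run first against the same database, which deserves a comment above it such as `/* relies on the host stored by store_one_host_test */`. Its `data == NULL` branch is the only allocation-failure path in the file that returns without `talloc_free(test_ctx)`.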
@@ -0,0 +1,382 @@
+/*
+ SSSD
+
+ libcurl tevent integration test tool
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+#include "util/tev_curl.h"
+
+#define MAXREQ 64
+
+struct tool_ctx {
+ bool verbose;
+ bool done;
+
+ size_t nreqs;
+};
+
+struct tool_options {
+ int debug;
+ int verbose;
+ int raw;
+ int tls;
+ int verify_peer;
+ int verify_host;
+ const char **headers;
+
+ enum tcurl_http_method method;
+ const char *socket_path;
+ const char *capath;
+ const char *cacert;
+
+ const char *clientcert;
+ const char *clientkey;
+
+ const char *username;
+ const char *password;
+};
+
+static void request_done(struct tevent_req *req)
+{
+ struct tool_ctx *tool_ctx;
+ struct sss_iobuf *outbuf;
+ int http_code;
+ errno_t ret;
+
+ tool_ctx = tevent_req_callback_data(req, struct tool_ctx);
+
+ ret = tcurl_request_recv(tool_ctx, req, &outbuf, &http_code);
+ talloc_zfree(req);
+
+ tool_ctx->nreqs--;
+ if (tool_ctx->nreqs == 0) {
+ tool_ctx->done = true;
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "HTTP request failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return;
+ } else if (tool_ctx->verbose) {
+ printf("Request HTTP code: %d\n", http_code);
+ printf("Request HTTP body: \n%s\n",
+ (const char *) sss_iobuf_get_data(outbuf));
+ talloc_zfree(outbuf);
+ }
+}
+
+static errno_t
+parse_options(poptContext pc, struct tool_options *opts)
+{
+ int opt;
+
+ while ((opt = poptGetNextOpt(pc)) > 0) {
+ switch (opt) {
+ case 'g':
+ opts->method = TCURL_HTTP_GET;
+ break;
+ case 'p':
+ opts->method = TCURL_HTTP_PUT;
+ break;
+ case 'o':
+ opts->method = TCURL_HTTP_POST;
+ break;
+ case 'd':
+ opts->method = TCURL_HTTP_DELETE;
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unexpected option\n");
+ return EINVAL;
+ }
+ }
+
+ if (opt != -1) {
+ poptPrintUsage(pc, stderr, 0);
+ fprintf(stderr, "%s", poptStrerror(opt));
+ return EINVAL;
+ }
+
+ return EOK;
+}
+
+static errno_t
+prepare_requests(TALLOC_CTX *mem_ctx,
+ poptContext pc,
+ struct tool_options *opts,
+ struct tcurl_request ***_requests,
+ size_t *_num_requests)
+{
+ struct tcurl_request **requests;
+ struct sss_iobuf *body;
+ const char **headers;
+ const char *arg;
+ const char *url;
+ errno_t ret;
+ size_t i;
+
+ static const char *default_headers[] = {
+ "Content-type: application/octet-stream",
+ NULL,
+ };
+
+ requests = talloc_zero_array(mem_ctx, struct tcurl_request *, MAXREQ + 1);
+ if (requests == NULL) {
+ return ENOMEM;
+ }
+
+ headers = opts->headers == NULL ? default_headers : opts->headers;
+
+ i = 0;
+ while ((arg = poptGetArg(pc)) != NULL) {
+ if (i >= MAXREQ) {
+ fprintf(stderr, _("Too many requests!\n"));
+ ret = EINVAL;
+ goto done;
+ }
+
+ switch (opts->method) {
+ case TCURL_HTTP_GET:
+ case TCURL_HTTP_DELETE:
+ url = arg;
+ body = NULL;
+ break;
+ case TCURL_HTTP_PUT:
+ case TCURL_HTTP_POST:
+ url = arg;
+
+ arg = poptGetArg(pc);
+ if (arg == NULL) {
+ body = NULL;
+ break;
+ }
+
+ body = sss_iobuf_init_readonly(requests,
+ discard_const_p(uint8_t, arg),
+ strlen(arg));
+ if (body == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ break;
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid method!\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ requests[i] = tcurl_http(requests, opts->method, opts->socket_path,
+ url, headers, body);
+ if (requests[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (opts->raw) {
+ ret = tcurl_req_enable_rawoutput(requests[i]);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ if (opts->tls) {
+ ret = tcurl_req_verify_peer(requests[i], opts->capath, opts->cacert,
+ opts->verify_peer, opts->verify_host);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ if (opts->clientcert != NULL) {
+ ret = tcurl_req_set_client_cert(requests[i], opts->clientcert,
+ opts->clientkey);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ if (opts->username != NULL && opts->password != NULL) {
+ ret = tcurl_req_http_basic_auth(requests[i], opts->username,
+ opts->password);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ i++;
+ }
+
+ *_requests = requests;
+ *_num_requests = i;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(requests);
+ }
+
+ return ret;
+}
+
+static errno_t
+run_requests(struct tool_ctx *tool_ctx,
+ struct tcurl_request **requests)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct tcurl_ctx *tcurl_ctx;
+ struct tevent_context *ev;
+ struct tevent_req *req;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory!\n");
+ return ENOMEM;
+ }
+
+ if (requests == NULL || requests[0] == NULL) {
+ ret = EOK;
+ goto done;
+ }
+
+ ev = tevent_context_init(tmp_ctx);
+ if (ev == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not init tevent context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tcurl_ctx = tcurl_init(tmp_ctx, ev);
+ if (tcurl_ctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not init tcurl context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; requests[i] != NULL; i++) {
+ req = tcurl_request_send(tmp_ctx, ev, tcurl_ctx, requests[i], 5);
+ if (req == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create tevent request\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ tevent_req_set_callback(req, request_done, tool_ctx);
+ }
+
+ while (tool_ctx->done == false) {
+ tevent_loop_once(ev);
+ }
+
+ if (tool_ctx->nreqs > 0) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "The tool finished with some pending requests, fail!\n");
+ ret = EEXIST;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int main(int argc, const char *argv[])
+{
+ struct tool_options opts = { 0 };
+ struct tool_ctx *tool_ctx;
+ struct tcurl_request **requests;
+ poptContext pc;
+ errno_t ret;
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ { "debug", '\0', POPT_ARG_INT, &opts.debug, 0, "The debug level to run with", NULL },
+ { "socket-path", 's', POPT_ARG_STRING, &opts.socket_path, 0, "The path to the HTTP server socket", NULL },
+ { "get", 'g', POPT_ARG_NONE, NULL, 'g', "Perform a HTTP GET (default)", NULL },
+ { "put", 'p', POPT_ARG_NONE, NULL, 'p', "Perform a HTTP PUT", NULL },
+ { "post", 'o', POPT_ARG_NONE, NULL, 'o', "Perform a HTTP POST", NULL },
+ { "del", 'd', POPT_ARG_NONE, NULL, 'd', "Perform a HTTP DELETE", NULL },
+#ifdef POPT_ARG_ARGV
+ { "header", 'h', POPT_ARG_ARGV, &opts.headers, '\0', "Add HTTP header", NULL },
+#endif
+ { "raw", 'r', POPT_ARG_NONE, &opts.raw, '\0', "Print raw protocol output", NULL },
+ { "verbose", 'v', POPT_ARG_NONE, &opts.verbose, '\0', "Print response code and body", NULL },
+ /* TLS */
+ { "tls", '\0', POPT_ARG_NONE, &opts.tls, '\0', "Enable TLS", NULL },
+ { "verify-peer", '\0', POPT_ARG_NONE, &opts.verify_peer, '\0', "Verify peer when TLS is enabled", NULL },
+ { "verify-host", '\0', POPT_ARG_NONE, &opts.verify_host, '\0', "Verify host when TLS is enabled", NULL },
+ { "capath", '\0', POPT_ARG_STRING, &opts.capath, '\0', "Path to CA directory where peer certificate is stored", NULL },
+ { "cacert", '\0', POPT_ARG_STRING, &opts.cacert, '\0', "Path to CA certificate", NULL },
+ { "clientcert", '\0', POPT_ARG_STRING, &opts.clientcert, '\0', "Path to client's certificate", NULL },
+ { "clientkey", '\0', POPT_ARG_STRING, &opts.clientkey, '\0', "Path to client's private key", NULL },
+ /* BASIC AUTH */
+ { "username", '\0', POPT_ARG_STRING, &opts.username, '\0', "Username for basic authentication", NULL },
+ { "password", '\0', POPT_ARG_STRING, &opts.password, '\0', "Password for basic authentication", NULL },
+ POPT_TABLEEND
+ };
+
+ pc = poptGetContext(NULL, argc, argv, long_options, 0);
+ poptSetOtherOptionHelp(pc, "[URL HTTPDATA]*");
+
+ tool_ctx = talloc_zero(NULL, struct tool_ctx);
+ if (tool_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not init tool context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = parse_options(pc, &opts);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to parse options [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ DEBUG_CLI_INIT(opts.debug);
+ tool_ctx->verbose = opts.verbose;
+
+ ret = prepare_requests(tool_ctx, pc, &opts, &requests, &tool_ctx->nreqs);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to prepare requests [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = run_requests(tool_ctx, requests);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to issue requests [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ talloc_free(tool_ctx);
+ poptFreeContext(pc);
+
+ if (ret != EOK) {
+ return EXIT_FAILURE;
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/src/tests/test_CA/Makefile.am b/src/tests/test_CA/Makefile.am
new file mode 100644
index 0000000..0c70993
--- /dev/null
+++ b/src/tests/test_CA/Makefile.am
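Review bot: In request_done the response body is printed with `%s` straight from `sss_iobuf_get_data(outbuf)`, which treats server-supplied bytes as a NUL-terminated string. Nothing in this file shows that the buffer is terminated, so a body without a trailing zero could be over-read, and one with embedded zeros would be cut short. Printing by length avoids relying on that, for example `fwrite(sss_iobuf_get_data(outbuf), 1, sss_iobuf_get_len(outbuf), stdout);`. Separately, `talloc_zfree(outbuf)` runs only in the verbose branch, so without `--verbose` each response stays attached to tool_ctx until exit; moving the free out of the `else if` would keep the two paths alike.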
@@ -0,0 +1,136 @@ +dist_noinst_DATA = \ + SSSD_test_CA.config \ + SSSD_test_CA_key.pem \ + SSSD_test_cert_0001.config \ + SSSD_test_cert_0002.config \ + SSSD_test_cert_0003.config \ + SSSD_test_cert_key_0001.pem \ + SSSD_test_cert_key_0002.pem \ + SSSD_test_cert_key_0003.pem \ + $(NULL) + +openssl_ca_config = $(srcdir)/SSSD_test_CA.config +openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem +pwdfile = pwdfile + +configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config)) +ids := $(subst SSSD_test_cert_,,$(basename $(configs))) +certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids))) +certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids))) +pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) +pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) +pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) + +if HAVE_NSS +extra = p11_nssdb p11_nssdb_2certs +else +extra = softhsm2_none softhsm2_one softhsm2_two +endif + +# If openssl is run in parallel there might be conflicts with the serial +.NOTPARALLEL: + +ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra) + +$(pwdfile): + @echo "12345678" > $@ + +SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial + $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 -extensions v3_ca -out $@ + + +SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config + $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@ + +SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem + $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@ + +SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) + $(OPENSSL) 
pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ + +SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem + $(OPENSSL) x509 -in $< -pubkey -noout > $@ + +SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem + $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@ + +SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem + @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@ + +SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub + @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@ + +# This nss db is used in +# - src/tests/cmocka/test_cert_utils.c (validation only) +# - src/tests/cmocka/test_pam_srv.c +p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile) + mkdir $@ + $(CERTUTIL) -d sql:./$@ -N --empty-password + $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem + $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) + +# This nss db is used in +# - src/tests/cmocka/test_pam_srv.c +p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile) + mkdir $@ + $(CERTUTIL) -d sql:./$@ -N --empty-password + $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem + $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) + $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) + +# The softhsm2 PKCS#11 setups are used in +# - src/tests/cmocka/test_pam_srv.c +# if SSSD is build with OpenSSL/libcrypto +softhsm2_none: softhsm2_none.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + +softhsm2_none.conf: + @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_none" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" 
>> $@ + +softhsm2_one: softhsm2_one.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + +softhsm2_one.conf: + @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_one" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + +softhsm2_two: softhsm2_two.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + +softhsm2_two.conf: + @echo "directories.tokendir = 
"$(abs_top_builddir)"/src/tests/test_CA/softhsm2_two" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + +CLEANFILES = \ + index.txt index.txt.attr \ + index.txt.attr.old index.txt.old \ + serial serial.old \ + SSSD_test_CA.pem $(pwdfile) \ + $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \ + softhsm2_*.conf \ + $(NULL) + +clean-local: + rm -rf newcerts + rm -rf p11_nssdb + rm -rf p11_nssdb_2certs + rm -rf softhsm* + +serial: clean + touch index.txt + touch index.txt.attr + mkdir newcerts + echo -n 01 > serial diff --git a/src/tests/test_CA/Makefile.in b/src/tests/test_CA/Makefile.in new file mode 100644 index 0000000..f1e1a3c --- /dev/null +++ b/src/tests/test_CA/Makefile.in 
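Review bot: In the `p11_nssdb_2certs` rule both `$(PK12UTIL)` lines carry a stray `p11_nssdb` word between `-d sql:./$@` and `-i`, which looks like a copy-paste leftover from the single-certificate rule; the intended form is presumably `$(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile)` (and likewise for 0002). Separately, the `SSSD_test_cert_x509_%.h` rule calls a bare `openssl` inside `$(shell ...)` while every other rule uses `$(OPENSSL)`, so the header can be produced by a different binary than the one configure selected; `$(shell $(OPENSSL) x509 -in $< -outform der | base64 -w 0)` keeps them consistent. Since `SSSD_test_CA_key.pem` ships in `dist_noinst_DATA` and the PKCS#12 password and token PINs are fixed literals, a comment at the top such as `# Test-only CA: key and PINs are public, never add SSSD_test_CA.pem to a real trust store` would make that boundary explicit.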
@@ -0,0 +1,831 @@ +# Makefile.in generated by automake 1.15.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2017 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes 
+am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/tests/test_CA +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/version.m4 $(top_srcdir)/src/build_macros.m4 \ + $(top_srcdir)/src/external/platform.m4 \ + $(top_srcdir)/src/conf_macros.m4 \ + $(top_srcdir)/src/external/pkg.m4 \ + $(top_srcdir)/src/external/libpopt.m4 \ + $(top_srcdir)/src/external/libtalloc.m4 \ + $(top_srcdir)/src/external/libtdb.m4 \ + $(top_srcdir)/src/external/libtevent.m4 \ + $(top_srcdir)/src/external/libldb.m4 \ + $(top_srcdir)/src/external/libdhash.m4 \ + $(top_srcdir)/src/external/libcollection.m4 \ + $(top_srcdir)/src/external/libini_config.m4 \ + $(top_srcdir)/src/external/pam.m4 \ + $(top_srcdir)/src/external/ldap.m4 \ + $(top_srcdir)/src/external/libpcre.m4 \ + $(top_srcdir)/src/external/krb5.m4 \ + $(top_srcdir)/src/external/libcares.m4 \ + $(top_srcdir)/src/external/libcmocka.m4 \ + 
$(top_srcdir)/src/external/docbook.m4 \ + $(top_srcdir)/src/external/sizes.m4 \ + $(top_srcdir)/src/external/python.m4 \ + $(top_srcdir)/src/external/selinux.m4 \ + $(top_srcdir)/src/external/crypto.m4 \ + $(top_srcdir)/src/external/nscd.m4 \ + $(top_srcdir)/src/external/nsupdate.m4 \ + $(top_srcdir)/src/external/libkeyutils.m4 \ + $(top_srcdir)/src/external/libnl.m4 \ + $(top_srcdir)/src/external/systemd.m4 \ + $(top_srcdir)/src/external/pac_responder.m4 \ + $(top_srcdir)/src/external/cifsidmap.m4 \ + $(top_srcdir)/src/external/signal.m4 \ + $(top_srcdir)/src/external/inotify.m4 \ + $(top_srcdir)/src/external/samba.m4 \ + $(top_srcdir)/src/external/sasl.m4 \ + $(top_srcdir)/src/external/libnfsidmap.m4 \ + $(top_srcdir)/src/external/cwrap.m4 \ + $(top_srcdir)/src/external/libresolv.m4 \ + $(top_srcdir)/src/external/intgcheck.m4 \ + $(top_srcdir)/src/external/systemtap.m4 \ + $(top_srcdir)/src/external/service.m4 \ + $(top_srcdir)/src/external/test_ca.m4 \ + $(top_srcdir)/src/external/libhttp_parser.m4 \ + $(top_srcdir)/src/external/libuuid.m4 \ + $(top_srcdir)/src/external/libcurl.m4 \ + $(top_srcdir)/src/external/libjansson.m4 \ + $(top_srcdir)/src/external/libunistring.m4 \ + $(top_srcdir)/src/external/glib.m4 \ + $(top_srcdir)/src/external/p11-kit.m4 \ + $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_noinst_DATA) \ + $(am__DIST_COMMON) +mkinstalldirs = $(SHELL) $(top_srcdir)/build/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo 
= \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +DATA = $(dist_noinst_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +am__DIST_COMMON = $(srcdir)/Makefile.in \ + $(top_srcdir)/build/mkinstalldirs README +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CARES_CFLAGS = @CARES_CFLAGS@ +CARES_LIBS = @CARES_LIBS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CERTUTIL = @CERTUTIL@ +CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +CMOCKA_CFLAGS = @CMOCKA_CFLAGS@ +CMOCKA_LIBS = @CMOCKA_LIBS@ +COLLECTION_CFLAGS = @COLLECTION_CFLAGS@ +COLLECTION_LIBS = @COLLECTION_LIBS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CRYPTO_CFLAGS = @CRYPTO_CFLAGS@ +CRYPTO_LIBS = @CRYPTO_LIBS@ +CURL_CFLAGS = @CURL_CFLAGS@ +CURL_LIBS = @CURL_LIBS@ +CYGPATH_W = @CYGPATH_W@ +DBUS_CFLAGS = @DBUS_CFLAGS@ +DBUS_LIBS = @DBUS_LIBS@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DHASH_CFLAGS = @DHASH_CFLAGS@ +DHASH_LIBS = @DHASH_LIBS@ +DLLTOOL = @DLLTOOL@ +DOCBOOK_XSLT = @DOCBOOK_XSLT@ +DOXYGEN = @DOXYGEN@ +DSYMUTIL = @DSYMUTIL@ +DTRACE = @DTRACE@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GDM_PAM_EXTENSIONS_CFLAGS = @GDM_PAM_EXTENSIONS_CFLAGS@ +GDM_PAM_EXTENSIONS_LIBS = @GDM_PAM_EXTENSIONS_LIBS@ +GLIB2_CFLAGS = @GLIB2_CFLAGS@ +GLIB2_LIBS = @GLIB2_LIBS@ +GMSGFMT = @GMSGFMT@ +GPO_DEFAULT = @GPO_DEFAULT@ +GREP = @GREP@ +HAVE_FAKEROOT = @HAVE_FAKEROOT@ +HAVE_LDAPMODIFY = @HAVE_LDAPMODIFY@ +HAVE_MANPAGES = @HAVE_MANPAGES@ +HAVE_NSS_WRAPPER = @HAVE_NSS_WRAPPER@ +HAVE_PYTHON2 = @HAVE_PYTHON2@ +HAVE_PYTHON2_BINDINGS = @HAVE_PYTHON2_BINDINGS@ +HAVE_PYTHON3 = @HAVE_PYTHON3@ +HAVE_PYTHON3_BINDINGS = @HAVE_PYTHON3_BINDINGS@ +HAVE_SELINUX = 
@HAVE_SELINUX@ +HAVE_SEMANAGE = @HAVE_SEMANAGE@ +HAVE_UID_WRAPPER = @HAVE_UID_WRAPPER@ +HTTP_PARSER_CFLAGS = @HTTP_PARSER_CFLAGS@ +HTTP_PARSER_LIBS = @HTTP_PARSER_LIBS@ +INI_CONFIG_CFLAGS = @INI_CONFIG_CFLAGS@ +INI_CONFIG_LIBS = @INI_CONFIG_LIBS@ +INI_CONFIG_V0_CFLAGS = @INI_CONFIG_V0_CFLAGS@ +INI_CONFIG_V0_LIBS = @INI_CONFIG_V0_LIBS@ +INI_CONFIG_V1_1_CFLAGS = @INI_CONFIG_V1_1_CFLAGS@ +INI_CONFIG_V1_1_LIBS = @INI_CONFIG_V1_1_LIBS@ +INI_CONFIG_V1_3_CFLAGS = @INI_CONFIG_V1_3_CFLAGS@ +INI_CONFIG_V1_3_LIBS = @INI_CONFIG_V1_3_LIBS@ +INI_CONFIG_V1_CFLAGS = @INI_CONFIG_V1_CFLAGS@ +INI_CONFIG_V1_LIBS = @INI_CONFIG_V1_LIBS@ +INOTIFY_LIBS = @INOTIFY_LIBS@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +JANSSON_CFLAGS = @JANSSON_CFLAGS@ +JANSSON_LIBS = @JANSSON_LIBS@ +JOURNALD_CFLAGS = @JOURNALD_CFLAGS@ +JOURNALD_LIBS = @JOURNALD_LIBS@ +KEYUTILS_LIBS = @KEYUTILS_LIBS@ +KRB5_CFLAGS = @KRB5_CFLAGS@ +KRB5_CONFIG = @KRB5_CONFIG@ +KRB5_LIBS = @KRB5_LIBS@ +LD = @LD@ +LDB_CFLAGS = @LDB_CFLAGS@ +LDB_LIBS = @LDB_LIBS@ +LDFLAGS = @LDFLAGS@ +LIBADD_DL = @LIBADD_DL@ +LIBADD_DLD_LINK = @LIBADD_DLD_LINK@ +LIBADD_DLOPEN = @LIBADD_DLOPEN@ +LIBADD_SHL_LOAD = @LIBADD_SHL_LOAD@ +LIBADD_TIMER = @LIBADD_TIMER@ +LIBCLOCK_GETTIME = @LIBCLOCK_GETTIME@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNL1_CFLAGS = @LIBNL1_CFLAGS@ +LIBNL1_LIBS = @LIBNL1_LIBS@ +LIBNL3_CFLAGS = @LIBNL3_CFLAGS@ +LIBNL3_LIBS = @LIBNL3_LIBS@ +LIBNL_CFLAGS = @LIBNL_CFLAGS@ +LIBNL_LIBS = @LIBNL_LIBS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +LT_DLLOADERS = @LT_DLLOADERS@ +LT_DLPREOPEN = @LT_DLPREOPEN@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ 
+MKINSTALLDIRS = @MKINSTALLDIRS@ +MSGFMT = @MSGFMT@ +MSGMERGE = @MSGMERGE@ +NDR_KRB5PAC_CFLAGS = @NDR_KRB5PAC_CFLAGS@ +NDR_KRB5PAC_LIBS = @NDR_KRB5PAC_LIBS@ +NDR_NBT_CFLAGS = @NDR_NBT_CFLAGS@ +NDR_NBT_LIBS = @NDR_NBT_LIBS@ +NFSIDMAP_CFLAGS = @NFSIDMAP_CFLAGS@ +NFSIDMAP_LIBS = @NFSIDMAP_LIBS@ +NFSIDMAP_OBJ = @NFSIDMAP_OBJ@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSCD = @NSCD@ +NSCD_PATH = @NSCD_PATH@ +NSS_CFLAGS = @NSS_CFLAGS@ +NSS_LIBS = @NSS_LIBS@ +NSUPDATE = @NSUPDATE@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENLDAP_CFLAGS = @OPENLDAP_CFLAGS@ +OPENLDAP_LIBS = @OPENLDAP_LIBS@ +OPENSSL = @OPENSSL@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +P11TOOL = @P11TOOL@ +P11_KIT_CFLAGS = @P11_KIT_CFLAGS@ +P11_KIT_LIBS = @P11_KIT_LIBS@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PAM_LIBS = @PAM_LIBS@ +PAM_MISC_LIBS = @PAM_MISC_LIBS@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PCRE_CFLAGS = @PCRE_CFLAGS@ +PCRE_LIBS = @PCRE_LIBS@ +PK12UTIL = @PK12UTIL@ +PKG_CONFIG = @PKG_CONFIG@ +PO4A = @PO4A@ +POPT_CFLAGS = @POPT_CFLAGS@ +POPT_LIBS = @POPT_LIBS@ +POSUB = @POSUB@ +PRERELEASE_VERSION = @PRERELEASE_VERSION@ +PYTEST = @PYTEST@ +PYTHON = @PYTHON@ +PYTHON2 = @PYTHON2@ +PYTHON2_CFLAGS = @PYTHON2_CFLAGS@ +PYTHON2_EXEC_PREFIX = @PYTHON2_EXEC_PREFIX@ +PYTHON2_INCLUDES = @PYTHON2_INCLUDES@ +PYTHON2_LIBS = @PYTHON2_LIBS@ +PYTHON2_PREFIX = @PYTHON2_PREFIX@ +PYTHON2_VERSION = @PYTHON2_VERSION@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON3_VERSION = @PYTHON3_VERSION@ +PYTHON_CONFIG = @PYTHON_CONFIG@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = 
@RANLIB@ +RESOLV_CFLAGS = @RESOLV_CFLAGS@ +RESOLV_LIBS = @RESOLV_LIBS@ +SASL_CFLAGS = @SASL_CFLAGS@ +SASL_LIBS = @SASL_LIBS@ +SED = @SED@ +SELINUX_LIBS = @SELINUX_LIBS@ +SEMANAGE_LIBS = @SEMANAGE_LIBS@ +SERVICE = @SERVICE@ +SET_MAKE = @SET_MAKE@ +SGML_CATALOG_FILES = @SGML_CATALOG_FILES@ +SHELL = @SHELL@ +SLAPD = @SLAPD@ +SMBCLIENT_CFLAGS = @SMBCLIENT_CFLAGS@ +SMBCLIENT_LIBS = @SMBCLIENT_LIBS@ +SOFTHSM2_PATH = @SOFTHSM2_PATH@ +SOFTHSM2_UTIL = @SOFTHSM2_UTIL@ +SSH_KEYGEN = @SSH_KEYGEN@ +SSL_CFLAGS = @SSL_CFLAGS@ +SSL_LIBS = @SSL_LIBS@ +SSSD_USER = @SSSD_USER@ +STRIP = @STRIP@ +SYSTEMD_DAEMON_CFLAGS = @SYSTEMD_DAEMON_CFLAGS@ +SYSTEMD_DAEMON_LIBS = @SYSTEMD_DAEMON_LIBS@ +SYSTEMD_LOGIN_CFLAGS = @SYSTEMD_LOGIN_CFLAGS@ +SYSTEMD_LOGIN_LIBS = @SYSTEMD_LOGIN_LIBS@ +TALLOC_CFLAGS = @TALLOC_CFLAGS@ +TALLOC_LIBS = @TALLOC_LIBS@ +TDB_CFLAGS = @TDB_CFLAGS@ +TDB_LIBS = @TDB_LIBS@ +TEST_DIR = @TEST_DIR@ +TEVENT_CFLAGS = @TEVENT_CFLAGS@ +TEVENT_LIBS = @TEVENT_LIBS@ +UNICODE_LIBS = @UNICODE_LIBS@ +USE_NLS = @USE_NLS@ +UUID_CFLAGS = @UUID_CFLAGS@ +UUID_LIBS = @UUID_LIBS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XMLLINT = @XMLLINT@ +XSLTPROC = @XSLTPROC@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +appmodpath = @appmodpath@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cifspluginpath = @cifspluginpath@ +config_def_ccache_dir = @config_def_ccache_dir@ +config_def_ccname_template = @config_def_ccname_template@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbpath = @dbpath@ +docdir = @docdir@ +dvidir = @dvidir@ +environment_file = @environment_file@ 
+exec_prefix = @exec_prefix@ +gpocachepath = @gpocachepath@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +initdir = @initdir@ +install_sh = @install_sh@ +krb5authdatapluginpath = @krb5authdatapluginpath@ +krb5pluginpath = @krb5pluginpath@ +krb5rcachedir = @krb5rcachedir@ +ldblibdir = @ldblibdir@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libwbclient_version = @libwbclient_version@ +libwbclient_version_info = @libwbclient_version_info@ +localedir = @localedir@ +localstatedir = @localstatedir@ +logpath = @logpath@ +mandir = @mandir@ +mcpath = @mcpath@ +mkdir_p = @mkdir_p@ +nfsidmaplibdir = @nfsidmaplibdir@ +nfslibpath = @nfslibpath@ +nsslibdir = @nsslibdir@ +oldincludedir = @oldincludedir@ +pammoddir = @pammoddir@ +pdfdir = @pdfdir@ +pidpath = @pidpath@ +pipepath = @pipepath@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +pluginpath = @pluginpath@ +polkitdir = @polkitdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pubconfpath = @pubconfpath@ +py2execdir = @py2execdir@ +py3execdir = @py3execdir@ +pyexecdir = @pyexecdir@ +python2dir = @python2dir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +secdbpath = @secdbpath@ +session_recording_shell = @session_recording_shell@ +sharedbuilddir = @sharedbuilddir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sudolibpath = @sudolibpath@ +sysconfdir = @sysconfdir@ +systemdconfdir = @systemdconfdir@ +systemdunitdir = @systemdunitdir@ +tapset_dir = @tapset_dir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +winbindpluginpath = @winbindpluginpath@ +dist_noinst_DATA = \ + SSSD_test_CA.config \ + SSSD_test_CA_key.pem \ + SSSD_test_cert_0001.config \ + SSSD_test_cert_0002.config \ + 
SSSD_test_cert_0003.config \ + SSSD_test_cert_key_0001.pem \ + SSSD_test_cert_key_0002.pem \ + SSSD_test_cert_key_0003.pem \ + $(NULL) + +openssl_ca_config = $(srcdir)/SSSD_test_CA.config +openssl_ca_key = $(srcdir)/SSSD_test_CA_key.pem +pwdfile = pwdfile +configs := $(notdir $(wildcard $(srcdir)/SSSD_test_cert_*.config)) +ids := $(subst SSSD_test_cert_,,$(basename $(configs))) +certs = $(addprefix SSSD_test_cert_x509_,$(addsuffix .pem,$(ids))) +certs_h = $(addprefix SSSD_test_cert_x509_,$(addsuffix .h,$(ids))) +pubkeys = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .pub,$(ids))) +pubkeys_h = $(addprefix SSSD_test_cert_pubsshkey_,$(addsuffix .h,$(ids))) +pkcs12 = $(addprefix SSSD_test_cert_pkcs12_,$(addsuffix .pem,$(ids))) +@HAVE_NSS_FALSE@extra = softhsm2_none softhsm2_one softhsm2_two +@HAVE_NSS_TRUE@extra = p11_nssdb p11_nssdb_2certs +CLEANFILES = \ + index.txt index.txt.attr \ + index.txt.attr.old index.txt.old \ + serial serial.old \ + SSSD_test_CA.pem $(pwdfile) \ + $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) \ + softhsm2_*.conf \ + $(NULL) + +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/tests/test_CA/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign src/tests/test_CA/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +tags TAGS: + +ctags CTAGS: + +cscope cscopelist: + + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(DATA) +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-local mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + +.MAKE: install-am install-strip + +.PHONY: all all-am check check-am clean clean-generic clean-libtool \ + clean-local cscopelist-am ctags-am distclean distclean-generic \ + distclean-libtool distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags-am uninstall uninstall-am + +.PRECIOUS: Makefile + + +# If openssl is run in parallel there might be conflicts with the serial +.NOTPARALLEL: + +ca_all: clean serial SSSD_test_CA.pem $(certs) $(certs_h) $(pubkeys) $(pubkeys_h) $(pkcs12) $(extra) + +$(pwdfile): + @echo "12345678" > $@ + +SSSD_test_CA.pem: $(openssl_ca_key) $(openssl_ca_config) serial + $(OPENSSL) req -batch -config ${openssl_ca_config} -x509 -new -nodes -key $< -sha256 -days 1024 -set_serial 0 
-extensions v3_ca -out $@ + +SSSD_test_cert_req_%.pem: $(srcdir)/SSSD_test_cert_key_%.pem $(srcdir)/SSSD_test_cert_%.config + $(OPENSSL) req -new -nodes -key $< -reqexts req_exts -config $(srcdir)/SSSD_test_cert_$*.config -out $@ + +SSSD_test_cert_x509_%.pem: SSSD_test_cert_req_%.pem $(openssl_ca_config) SSSD_test_CA.pem + $(OPENSSL) ca -config ${openssl_ca_config} -batch -notext -keyfile $(openssl_ca_key) -in $< -days 200 -extensions usr_cert -out $@ + +SSSD_test_cert_pkcs12_%.pem: SSSD_test_cert_x509_%.pem $(srcdir)/SSSD_test_cert_key_%.pem $(pwdfile) + $(OPENSSL) pkcs12 -export -in SSSD_test_cert_x509_$*.pem -inkey $(srcdir)/SSSD_test_cert_key_$*.pem -nodes -passout file:$(pwdfile) -out $@ + +SSSD_test_cert_pubkey_%.pem: SSSD_test_cert_x509_%.pem + $(OPENSSL) x509 -in $< -pubkey -noout > $@ + +SSSD_test_cert_pubsshkey_%.pub: SSSD_test_cert_pubkey_%.pem + $(SSH_KEYGEN) -i -m PKCS8 -f $< > $@ + +SSSD_test_cert_x509_%.h: SSSD_test_cert_x509_%.pem + @echo "#define SSSD_TEST_CERT_$* \""$(shell cat $< |openssl x509 -outform der | base64 -w 0)"\"" > $@ + +SSSD_test_cert_pubsshkey_%.h: SSSD_test_cert_pubsshkey_%.pub + @echo "#define SSSD_TEST_CERT_SSH_KEY_$* \""$(shell cut -d' ' -f2 $<)"\"" > $@ + +# This nss db is used in +# - src/tests/cmocka/test_cert_utils.c (validation only) +# - src/tests/cmocka/test_pam_srv.c +p11_nssdb: SSSD_test_cert_pkcs12_0001.pem SSSD_test_CA.pem $(pwdfile) + mkdir $@ + $(CERTUTIL) -d sql:./$@ -N --empty-password + $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem + $(PK12UTIL) -d sql:./$@ -i SSSD_test_cert_pkcs12_0001.pem -w $(pwdfile) + +# This nss db is used in +# - src/tests/cmocka/test_pam_srv.c +p11_nssdb_2certs: SSSD_test_cert_pkcs12_0001.pem SSSD_test_cert_pkcs12_0002.pem SSSD_test_CA.pem $(pwdfile) + mkdir $@ + $(CERTUTIL) -d sql:./$@ -N --empty-password + $(CERTUTIL) -d sql:./$@ -A -n 'SSSD test CA' -t CT,CT,CT -a -i SSSD_test_CA.pem + $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0001.pem 
-w $(pwdfile) + $(PK12UTIL) -d sql:./$@ p11_nssdb -i SSSD_test_cert_pkcs12_0002.pem -w $(pwdfile) + +# The softhsm2 PKCS#11 setups are used in +# - src/tests/cmocka/test_pam_srv.c +# if SSSD is build with OpenSSL/libcrypto +softhsm2_none: softhsm2_none.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + +softhsm2_none.conf: + @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_none" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + +softhsm2_one: softhsm2_one.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + +softhsm2_one.conf: + @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_one" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + +softhsm2_two: softhsm2_two.conf + mkdir $@ + SOFTHSM2_CONF=./$< $(SOFTHSM2_UTIL) --init-token --label "SSSD Test Token" --pin 123456 --so-pin 123456 --free + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0002.pem --login --label 'SSSD test cert 0002' --id '5405842D56CF31F0BB025A695C5F3E907051C5B9' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0002.pem --login --label 'SSSD test cert 0002' --id 
'5405842D56CF31F0BB025A695C5F3E907051C5B9' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --no-mark-private --load-certificate=SSSD_test_cert_x509_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + GNUTLS_PIN=123456 SOFTHSM2_CONF=./$< $(P11TOOL) --provider=$(SOFTHSM2_PATH) --write --load-privkey=$(srcdir)/SSSD_test_cert_key_0001.pem --login --label 'SSSD test cert 0001' --id 'C554C9F82C2A9D58B70921C143304153A8A42F17' + +softhsm2_two.conf: + @echo "directories.tokendir = "$(abs_top_builddir)"/src/tests/test_CA/softhsm2_two" > $@ + @echo "objectstore.backend = file" >> $@ + @echo "slots.removable = true" >> $@ + +clean-local: + rm -rf newcerts + rm -rf p11_nssdb + rm -rf p11_nssdb_2certs + rm -rf softhsm* + +serial: clean + touch index.txt + touch index.txt.attr + mkdir newcerts + echo -n 01 > serial + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/tests/test_CA/README b/src/tests/test_CA/README new file mode 100644 index 0000000..342fd58 --- /dev/null +++ b/src/tests/test_CA/README 
@@ -0,0 +1,26 @@
+Simple CA for SSSD tests
+
+To avoid issues with certificate lifetimes during tests certificates can be
+generated with a simple OpenSSL based CA.
+
+To create a new certificate add a suitable and valid OpenSSL config file with a
+[req] section for a certificate signing request (CSR) which must use the name
+pattern SSSD_test_cert_*.config. Additionally a matching key file
+SSSD_test_cert_key_%.pem should be added e.g. with
+
+ openssl genpkey -algorithm RSA -out SSSD_test_cert_key_XYZ.pem -pkeyopt rsa_keygen_bits:2048
+
+It would be possible to generate the keys automatically as well but
+pre-created keys will safe some resources on the hosts running the tests,
+allow more flexibility with algorithms and key lengths and make the tests
+more reproducible.
+
+The Makefile will pick up the config and the keys and generate a X.509
+certificate. For usage in C-code it will generate a header file
+SSSD_test_cert_x509_*.h where the base64 encoded binary certificate is made
+available in a macro called SSSD_TEST_CERT_*. To run test with derived ssh-keys
+the ssh key is available in SSSD_test_cert_pubsshkey_*.h as
+SSSD_TEST_CERT_SSH_KEY_*.
+
+Other targets for other types of tests can be added to the Makefile and should
+be documented here.
diff --git a/src/tests/test_CA/SSSD_test_CA.config b/src/tests/test_CA/SSSD_test_CA.config
new file mode 100644
index 0000000..90ae223
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_CA.config
@@ -0,0 +1,47 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir = .
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+
+certificate = $dir/SSSD_test_CA.pem
+serial = $dir/serial
+private_key = $dir/SSSD_test_CA_key.pem
+RANDFILE = $dir/rand
+
+default_days = 365
+default_crl_days = 30
+default_md = sha256
+
+policy = policy_any
+email_in_dn = no
+
+name_opt = ca_default
+cert_opt = ca_default
+copy_extensions = copy
+
+[ usr_cert ]
+authorityKeyIdentifier = keyid, issuer
+
+[ v3_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ policy_any ]
+organizationName = supplied
+organizationalUnitName = supplied
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test CA
diff --git a/src/tests/test_CA/SSSD_test_CA_key.pem b/src/tests/test_CA/SSSD_test_CA_key.pem
new file mode 100644
index 0000000..4838d03
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_CA_key.pem
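Review bot: `copy_extensions = copy` in `[ CA_default ]` makes the CA copy into the certificate any extension the request carries that the CA does not set itself, and `policy_any` only requires O, OU and CN to be supplied. A request asking for `basicConstraints = CA:TRUE` would therefore be signed as a CA certificate. That is workable for generating test fixtures, but the file gives no reason for the setting; I would add a comment above it such as `# copy_extensions = copy: request extensions are signed as-is; acceptable only because this CA issues test fixtures`.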
@@ -0,0 +1,52 @@ +-----BEGIN PRIVATE KEY----- +MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkKj9R0/ato8Qq +8iww/4BZc14oTk4e94pGssERG2b8wkcnq9gjn7rDaW0j7sqcEnEtR4nbn4dtjZz5 +pObXDRPebsZKf+jPac+PiIKwGMdEQFcrt/hZGlpxDrJKUt144ZmMH69CkBC1MREx +8GHl3oQ9hnLCE82j4D6i+iVRAFhD6dsmL8YWvzMtjklAiyF6yboD1Vjkxwv06wcZ +xgJptyFOcIM4RfRu212SQUmOZvfxIl9zmu6h4Vaz4Vm/e9qmRHJZ5cOJPC6wyhLn +iPyEiuRg7DAI226GO04Kl/Frus5fFrih/hq/GyqYVLHQHBdOZ0MgY/zcwD+eEVOX +KDFYKAbOwN9rDZC6UW3fPLHMnc0f/6q75s4Qvs3MyP0jtJaqjEe+DpW14u9kivUm +f6L/nFHgDMoYHavsUOXKHZu0NRAKAxj+IvAnHRlInPQktIzZQ2abYWix//bb7aDx +WhtOFN/rUXA1mqPahRxSgEst4QnSMxU0hPVET0TQO0A/XwozpkrM80NXOoq8m4kH +83vknwVurg3VaupctX5fsSZvSYunK4bJ/8+Om7c3pyrxqbV0Y/nwGzjMYIU/iQSM +XkDzs5MQfdWTmzQMsFUY7huQo0VA4s2mY96LmbABVCFnZTFSf+li3dNMadPpuTO+ +w5jhoR1tcYiWtIDPBuwIFMCwdN1N6QIDAQABAoICAC7SgKYBMokVp2cMxYbUl/lD +VJo+34c5U1YIztf84JiUIdgBStycpc3+L5iFI2z9193r5V19kmQoAIO2lGyjUWV/ +JBAbyaHu29pfsDoFC7d04K6nFT7ryo2S74GTGcH5wfHgeq3VNKiKRjYSV3S9wjOC +CMDNIZE0roXxgYDq6jIdpoxil2sJl64Mmfm104wII7Uvrgtc0ZZUOOPQH6SkISCg +tDzzFiM9vykJXtfrR4xjemUV8UylGo7Vev5xo0AlobXTEdpy0D4VaeW71d45Rn6h +WYYnybmgJ/bCkZeDAWDAH+mWZNS89XPHRaooaZv8Uuktu7FtfmCou5e0dtPZevPF +qSCExRRnEvBHxqR71e7NDZt8mHR5H9S+4Io6OMFEfTwFC13TNBEiNspg9XovAjfX +4u6wSYPKKLH88R5LAuLoBiD6dO+3SiimbaTeD/a+URCfIWUNycExS/3SnWCS2oxW +h8uS18DwbCbW0b5N8VYldfZ8QK3+GH2B4vV7ZGOFtUW43HUUPlxqL9lpakbAgPba +enrO2+YqzAIM5NWCvL1+fnaPVGc9deDi63sgq75VkJwBMoiBqIpwSUMUwOmL3RiC +NdixXJR/HgjP85UrZHQRlcCfSFMduNNjof0WgamXu2TLA4K2clbdiz1DwAgCBpLP +INKo4fiZZkjiEs3VS9iBAoIBAQD2DjnFAZ0USGpmRqecHhFOL9nZX/we/DCUrkRv +noiEP9lIz/ITmAzCvvUuyFQcDp3LBplB+T74nvfyMJ6AzbV1Kuw7CluIje5i3wKs +zYSc49EKxG3PvNlkpbrQkY2/FrBuwakZro/ByzrcCf783cey36IXc5s0EdXiqyB8 +Gn2yQQvyYShAmE1HjBjcURSC8bCn1OKQNR04gbnIIUbe5kn8IIM2SD8cUPIuvBTf +PAzAMT//6bKwi2v6Y9QK0qOIYEFLTEzonKeLlnErXxytb0wbwCbDWQLprYdSQR/3 +ctVykylPYuTXdCW5qLL5TGuxHKzJodOI0RF8A07CYj7dcQf5AoIBAQDtYuuKp+AT +ro7Oe4J1bUx/8YlAPDU4UgWbIQjAPUvdiRLZxVRecomNjDMvnz2G/lE8P3CPD0fD 
+DZSPhUqUnqanTYLAoVyQh8Zo8NjKJ1wlE9F5CZECeGz1RGZcQBUwK7tZr3EGNw/K +IShV8/6RVs+I3jjTll2oAoquJ4el0V7sitI6O3Bsh1AoVgZYmJV3qMdODcDJQjNj +SVetxExhsd2SJztjp5U0uTMf6fXH41CVKo3seRPvaxAhIDpG1He1XEKeeeq3l6Uu +vzpKmXvNmmzjCZLLY6APvLYv1o65UTn3N/MLIXjgEs07e2JNzhLhAuz5h6sPH0aM +bx+vOhugy1FxAoIBAQCvFcxRvSYzCpx7jocx9ctGoZIYtc5HlhhTk/Wqn1pxEKXi +w+Vzv9xEr3D0CySeml/52gYwBdWjQCsasTH4YWhfqV1TXbloX+ZjgGD86XkV0p4r +VT72dWET10Ipq4j7kn+VMETNu4Mb2StW693/vSiexbcnjOHBmXdixXZmGMucjeCc +ZjooTLeg07XU//TigGy94CQfjUvvq4+xMsylS6UVvWTguWP/GDJcwwTvHGHOWL07 +suWt7me1UlfOI7iuECAmHnMTinVGRJTe0d0sJGg5zu9GTg5ejVYfV6wRfisYTlM0 +5CAGl+VISRyhfJmc+9SP3ZESaAJTBl+CvjoRhJ6xAoIBAQC3Blq2mAJzClX+q0mF +ghTGXJLG3OTnnI3H8mtN1LTGhKXtE3CeNU8KvHrGj88fYrt9aSg+lLhukezlzw4W +kk/JlEBohsDYimaWiIONMVWhHKuX16FfNzxCyk7ld18euckEN/k7on5hCLmRs8Kl +ijoOu88yi6+AFx2XctDqLwgx9kJqNWPTuWw6/UB9VH+BN7ca3g2y3oDCX0zjpAKE +HF/KDMeEaTPn55acV4VxbTi3GY09MokFQhW4hKGJ9MyrHwwaJcOrc5ce+L9Xvwiu +GA816S6t9Az3tTb+oT1/cjnv+so/3bnVgYmM/+9mL6lspRXSuiBQU3vQUOkr7/BX +RAtxAoIBAQC2AQjrhdjyIhuzDGpL7A/IUfV9Fr37ytRY1r7pOwIVthGK3SmLbV2t +byT4LeS1XMkpuwfiM/w4uAbRz3QhMGfgv9wUjNCpR9fBd4VZqU9HPk6TasQhxxLU +q4O+XpvylEqPPzHkvpJUiVEfh7bXSoqbvTP7fUnJ/YzqMyq+NNkJzKccz8+I2BfN +/WXp6HmKAKhvF2mkFbo+2IXzJoCzHRorBvj/HzMc349cvHtYErJvHZQ2wgfY5CFC +y2/x/t1pQ6BhrJiNyC1s8jYtboY7mc1yAp6cvtWraOYYk6LCTLbRLPLNqEOKPUFH +xHflFSh7K6rCRfJGMKKFYtdA09/CAqh+ +-----END PRIVATE KEY----- diff --git a/src/tests/test_CA/SSSD_test_cert_0001.config b/src/tests/test_CA/SSSD_test_cert_0001.config new file mode 100644 index 0000000..b6c52a1 --- /dev/null +++ b/src/tests/test_CA/SSSD_test_cert_0001.config 
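Review bot: The CA signing key is committed unencrypted, as are the leaf keys in SSSD_test_cert_key_0001.pem, SSSD_test_cert_key_0002.pem and SSSD_test_cert_key_0003.pem later in this patch, so anyone with the source tree can sign certificates that chain to this CA. That is acceptable for fixtures, but the README added in the same directory justifies the pre-created keys only by saved resources and reproducibility. I would add a sentence there, for example `The keys in this directory are public test material; never trust SSSD_test_CA.pem or certificates issued by it outside the test suite.` Recording these paths as known test keys in whatever secret scanning the project runs would also keep real findings visible.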
@@ -0,0 +1,20 @@
+# This certificate is used in
+# - src/tests/cmocka/test_cert_utils.c
+# - src/tests/cmocka/test_pam_srv.c
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0001
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
diff --git a/src/tests/test_CA/SSSD_test_cert_0002.config b/src/tests/test_CA/SSSD_test_cert_0002.config
new file mode 100644
index 0000000..8722ffa
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0002.config
@@ -0,0 +1,19 @@
+# This certificate is used in
+# - src/tests/cmocka/test_pam_srv.c
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0002
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+subjectAltName = email:sssd-devel@lists.fedorahosted.org,URI:https://pagure.io/SSSD/sssd//
diff --git a/src/tests/test_CA/SSSD_test_cert_0003.config b/src/tests/test_CA/SSSD_test_cert_0003.config
new file mode 100644
index 0000000..b141fc0
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_0003.config
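Review bot: `[ req_exts ]` is defined but the `[ req ]` section has no `req_extensions = req_exts` line, so nothing in this file selects it; the same holds for SSSD_test_cert_0002.config and SSSD_test_cert_0003.config. Presumably the Makefile names the section on the `openssl req` command line, which is not visible in this hunk. If that coupling is ever lost, the request carries no extensions and the tests that depend on EKU, SAN or key usage would run against certificates that lack them. Either add `req_extensions = req_exts` under `[ req ]` or add a comment `# [ req_exts ] is selected by the Makefile` so the dependency is explicit.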
@@ -0,0 +1,18 @@
+# This certificate is used in
+# - src/tests/cmocka/test_certmap.c
+# as an example for a simple certificate without EKU and SAN extensions
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+O = SSSD
+OU = SSSD test
+CN = SSSD test cert 0003
+
+[ req_exts ]
+basicConstraints = CA:FALSE
+nsCertType = client
+nsComment = "SSSD test Certificate"
+subjectKeyIdentifier = hash
+keyUsage = digitalSignature, keyEncipherment
diff --git a/src/tests/test_CA/SSSD_test_cert_key_0001.pem b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
new file mode 100644
index 0000000..365c989
--- /dev/null
+++ b/src/tests/test_CA/SSSD_test_cert_key_0001.pem
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDX8xglLP+D54dG +V/lndmQ7YRg1GDuaZilzh/jfAva3psSYDnn1f9wmygNx0HUjlpG72pBOaYthdp1D +ZGayTlpSUY/3y7+pvokFlY0v9Xhg3yhUyRK95uS/LuY4L8uaoZxMXPW2iP3kzv2v +BQQlMuBCjL+ji/tX2Zl8CHUldY7QPtSLZcklXmRvu5jHPK5W/eh8E66UNeb/dueq +ZAzLBZb5g8Blv9dMjf/eSlM/R//au40ZBBa3CRpddaf/gOa9sNGVd6RmzwejZ47k +hPwkx6t23ZQ7bZkk0NI3H8+/sKkM6aWZaywmLvnyClIgjgZh5zKJgv0ZFAaQ/nST +a6ke3OetAgMBAAECggEAIHaO3qfREYcwssZu27rUfoiuFu05qJBLEu8R3pSXeiw7 +yZADjYBXHA2qTuXDdkIgTlkg8Gi1Z0VphsQFHDDjKxTPy7R5b48REiHVQ6xnGEjz +yysfAiU/pe3q9e9ZcDlzQZeH6JTXdhoX0MO0R9NKGzcFaBSXCDHR/O9YjPULLwq8 +K9wZpHV6DPajoPGmZgw1qQr7Lc35nVi9AeNyTGnSrUf4hdjKiA2WA0aC3fkeKQxp +8z6FJWKot84dGbhYK0fyM0uIMb4wS8gvTmvhjE5pltEstOY3bFebxJ5DtBJPqE5K +FL6k2tfcctuhiwDsRWar39H5SvXzxHbyaz0nwpI9AQKBgQD2Z+vpncVGZgnV0rwK +0dcdEMSCOj7i91OVS8IGAvwfpI6n8Hs6upO1PtqvWtnwt8lOMwF3omA5/25ZF1+K +Y6iPxnqcg4nApG1DVDXMrV1cWUa6Sc95afJE224sZA+yKiyTZsWdxfV5y5rc5V3L +ZOzXjHOW40W/ZuuNwKR5D9fyUQKBgQDgW5h+9NwyPg+01I9qQgsnlHPA9ndKamcH +QgnAhdM75wadPnVZTNsOa46pfg0Uy/yqYSo2NZz5CmN6W3baVanyUMMmhDWHmCuV +6nHmzwlJDiJz7S0ieEUi62NConZbU3YE6zjmKkMU0K8pZEisvX/Hb3K8Py4Jxyhy +JdX5FRmMnQKBgQCzK2GpX6VgyTWBm1hMbcUDR3v8TaoIk1rdhlaw1F7MC3YHu59/ +Vses1OVi+KbcmGbyS7hXa2SZB5kPgyVflZOt596kDCmQQH+Ko6LzD2SBkBETyDPq +zxTw6LW15ZRcMrpy/BnZ3WXfiCM1WDrZeKuXGHO8VcoToRzK2DdAKDsX4QKBgQCv +NHhrNHa8uaB0W8Y/eaHSX+jhWNehgmRA075f3WIvFmQg6cSkXxN2OGJpVCmNAxum +Rki7mrSh+w3iYIj5Sgp0U8OCUZ6n7BqlcTdPwoCCz4nyM9aaY4fCFEYopEx/VzcD +8lk1zO0j1S/kyA7E7xtZOFxGS6R9OE0KjyeA44xXNQKBgFRbzhYNerXwepfYi0bR +plJ8Jg4q4DI+m5QlKGjQLsX4e0sdyOgD8mV3iYofzrull5KZeRQy5qbO9EypFXQ5 ++16FbR7VTYgKcwHNtC+8EcsSVwgk57ox4jDY6A/X1DBKUT+m/XyJYE79ZCsFVvl+ +O8zzsFaOeoxTVyVxjHmuhZ6U +-----END PRIVATE KEY----- diff --git a/src/tests/test_CA/SSSD_test_cert_key_0002.pem b/src/tests/test_CA/SSSD_test_cert_key_0002.pem new file mode 100644 index 0000000..d80349f --- /dev/null +++ b/src/tests/test_CA/SSSD_test_cert_key_0002.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCvhgVEGejE4Gcr +b2lXw2scPpvXa2BaJ2DtFNgofEKhPlBoS7E913YXIG+kSE2i7YezAzHyd0hVEBqR +QVlhGg5LCeOrQTRASSNUCgWzEXnRbPrvQbeZc7T6k1QIAmTNlpIc7mrO5bjOkR6Y +DVNTDmW90aCo4IyarJAru1xQTjS+TDtJNvIgqI1BtnpH67JXt/2UsQYAD4lQQmAf +gEj3a2bD+EuJVVFt4rar+QE3EUZi265cK3IfV6OkzDP/ZuN9sxr5adk0QE/2jC+b +1sB0VxLxWhGszuOtdhkO/bxcfjWj/EWGa0nezukDeob3k+b4f6Z5kfW9GJCdCOOQ +Rr1Mv6oZAgMBAAECggEAUICdZbCka7eoWemNXS1JsPieLV0YIgExmUsYIOls/dtA +sbUVo5FwngbIbYaj5PggZuAuRlCjIjBynvBj9/8lUxFEFEWhm2JwC5lVJ936Cy16 +ocV4Wa8R8GMmBU5jwU8v0Ikg/6eo7UTtzTs/XjaaP0cn8oyasE45CXWzTzmvQx+d +FwfcTkhc6KALf+CHTk7mE8QT3vMgVQMRiisF998fnJDkW9U4pPygcg1BAq8wjix8 +YwVAlk/Vq6MxmOViqTNEmnBd5dfZ/f9SYGkR7AvZgENEDNtkd7fE37YXdTSYfBWd +lhHm4UkTUSsHl+Xx5w5r/e9xcK/z/49WUJnK2mVcAQKBgQDUv+szGloLyy0OT9SK +qqqiL7AtUtfCRPH9Gk/UYBGLzktuioac9m1tDo5RsiInFjSmBe4wTGrkhrAJP1Vh +DOpXGqMe0cV/QqOL/XnsJi6ySHzGhiR+F+iBQLk13ya1TIiGIG65mxVU7ZceBWzH +AoAjkwV9c/lUGX3yhJ8zUPPYQQKBgQDTNL/WNNHx5PD8XV9voupVFh5nLA9CqCYR +/07O8pMKve/DjswT40mz/Bwd8xKPFIjTtPMuRd1mORnkF/Q/1WuO5dZG6UUTQT5V +KdtI8VwhQlTz7/DjXm4O+mkwY9vfhTQylUsqh2rX6WkIedj1b6rT5Jg6fHMn34N2 +/9UGEp6b2QKBgQCIJ4MIo3a5UYA2RpTJYcvuHALuHrSCWclcp/gq/Ih+JrpTtkfM +MFF7l/MxCYWd6jIrhmQXePB37FLAuE2V3MQklqGKWcnBVg6Ayum6Xf1Ij+d6zeKQ +6BAemCNv/K4zHRXKcPsrwbp3Lc6moeYpvsnu+mprDUulrOLT0FhqaQaFgQKBgQDG +dqfZUlMBub8VdWwri+wkvh8dldJVMYpsmPrmDh1MF8TIf1OXUJm+TiXhorqKxqH4 +Re3JSo9L8lY49qVmolZqteCPS73D5Sf8gNN1DJAlFJ6dhpdWIDLNUlMrzHoc5J9y +9MToFs24S7WN6GmN4Dum1wSQ2Mag7jArzyTOiwqNqQKBgFh12/YF4tiePqG1aOaB ++L5GgA/ux+6SNj5TkqeiKqPaptg1tnM/T/ChiWmwZzee1ZeMEBbDWtbEMf15In7/ +OM5OSMU+SIgWposXDTDKM9ZMQZW6h9IQy/IxwvF8BrroS0vF9vOXKOz4Aw+5Kugq +JxM2HRDRdC23CGRuGjv+hO4d +-----END PRIVATE KEY----- diff --git a/src/tests/test_CA/SSSD_test_cert_key_0003.pem b/src/tests/test_CA/SSSD_test_cert_key_0003.pem new file mode 100644 index 0000000..603e760 --- /dev/null +++ b/src/tests/test_CA/SSSD_test_cert_key_0003.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDb6pvC57nKEY/y +k6PXmcbIHz3lmUXqL1OPdJrBXFgs57AxIPvbXqWNJi4/c82+nsdmzKunrU1B+ZkU +poNd9eT/c3y7RaZ7UeGBqUhUBRXd/zllQmGnDfwPLIirhK7+UTjOnez6WSPHzKWS +36ZZG6aZXj//lc9X/8xOb5kr/Upn4AFTHkhirOpzMJY2T9pEDj/gx8o+FUgHnw5o +WlarnPCod3xpn2RtNsugpTLdtDMhhPabaySUJdNeHYRfP5UUqjEr9yvWDuwfjW2y +5TMoqZreEg6RSmya6BDm9nuwqk07NAK581AvFpSNvy1H8PL1BckXe6oxskPUM2rD +XscGCuOnAgMBAAECggEBAJuoFDXBdMRs59lH3Pk2s/dj/Zisg0r90oRAgWUJarPm +DdTIRtv/wugENUneOquIkRTXG0ykooFnHI38ShFQgZS59nhLFUpGK3puCm7F5rNp ++gMNGDd484b9+4KDeKUzciT0rQ6J14SM+kjaGlEJ/EKj7mKGc+sSeFawMNdtAaRB +HeLpqZnmSGTLmyj5JMH7ZFvSNtyWIKBZPmaIY13KG3W9MqW3JZBhMnxqFnOxh7Hk +zuZbrns6q3AYSjVnSG8fOQdVKfPKTEnXSuIl+3sIZu3hH1X2DeDaG1rjBnMv/DrT +42z/hT6Ek3Lz10Jz6OtTb386Zy9qf5JRofTh1oyDZBECgYEA+wbL0+SLkAPMakBY +HWqVTKF0yJFm1/rXG6bFDqXhJ3AmebKYuqbnIbr6U5vmzGLXOT/NUoHRHf07T4vP +2VzRECUb4w9q7/Mf4AENo8iB323rzpelD+nN43ETQB3Wftu9pyg9OY7Ey6+2eLao +jofiAPQX4ZZzKB2bcjA4VwJ6OI8CgYEA4EYFqe78D6qJQLETNMh5SPKLMIZNxmOD +2Qo0veLbkqasCQ0N1J6fEwEs6uRQboj3kM3E91tmGDL8QNvLcgSdy7KfTIunhaxi +Ivsh3I5Gv3tXWtnpJ98738iZ4tucvMTdJ52ujGLMCXkMtI4K1WwVbxVbJmNgRU3J +A9MkQVhZv2kCgYEAtd/PsD9HatmFsnnaHb4KXBIi5eqLQ/LHBY7H+Xvv7L4R8lyW +0a15ivPIyOkMyIrYeu8iGSRbWcoOveyDdG4OPw9T7ChQh3d0Yb0Bn+f3SOWAUxeG +DUiN1rsngm3b6d/VwhWifmBVb2po338gEtyav6wa3WQ/HRKOfKY5O7lcyjsCgYBb +ssWmEZzmGug7lysvLbjJZsIaeQ9bylyiZVXjPdphP9yfZsL86E5KSvS+pdNtHnt6 +rWeXa7t2sYIKUtQALnsGSmZvubopIa6OdvgFYfbzW87/ypFWSCQG/9JLu1d+p091 +Xzd7Fvot9VyIhntPf/3TiXvXWlKGg6No+O+d+C3Z4QKBgQDb47BR+gthjtdTdFvh +YPuIHEjH5eiw427KPCAKlpc1+auT0HBe0jxLg7zlFw/uTHukguifHlK9if7Gsjq9 +CZ4RRghvAkvDIzlhHBPw+tXA/xYHBthQxOcK9KHSiIwbLM3v+1xhimKAZfsUEo04 +r1ThfBkpGpW1JUp6ysH6Q4+H6w== +-----END PRIVATE KEY----- diff --git a/src/tests/test_ssh_client.c b/src/tests/test_ssh_client.c new file mode 100644 index 0000000..8901ef6 --- /dev/null +++ b/src/tests/test_ssh_client.c 
@@ -0,0 +1,138 @@
+/*
+ Copyright (C) 2018 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include "util/util.h"
+
+#ifdef SSH_CLIENT_DIR
+#define SSH_AK_CLIENT_PATH SSH_CLIENT_DIR"/sss_ssh_authorizedkeys"
+#else
+#error "The path to the ssh authorizedkeys helper is not defined"
+#endif /* SSH_CLIENT_DIR */
+
+int main(int argc, const char *argv[])
+{
+ poptContext pc;
+ int opt;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_DEBUG_OPTS
+ POPT_TABLEEND
+ };
+ struct stat sb;
+ int ret;
+ int status;
+ int p[2];
+ pid_t pid;
+ const char *pc_user = NULL;
+ char *av[3];
+ char buf[5]; /* Ridiculously small buffer by design */
+ ssize_t len;
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used. */
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ poptSetOtherOptionHelp(pc, "USER");
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 3;
+ }
+ }
+
+ pc_user = poptGetArg(pc);
+ if (pc_user == NULL) {
+ fprintf(stderr, "No user specified\n");
+ return 3;
+ }
+
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ ret = stat(SSH_AK_CLIENT_PATH, &sb);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not stat %s [%d]: %s\n",
+ SSH_AK_CLIENT_PATH, ret, strerror(ret));
+ return 3;
+ }
+
+ ret = pipe(p);
+ if (ret != 0) {
+ perror("pipe");
+ return 3;
+ }
+
+ switch (pid = fork()) {
+ case -1:
+ ret = errno;
+ close(p[0]);
+ close(p[1]);
+ DEBUG(SSSDBG_CRIT_FAILURE, "fork failed: %d\n", ret);
+ return 3;
+ case 0:
+ /* child */
+ av[0] = discard_const(SSH_AK_CLIENT_PATH);
+ av[1] = discard_const(pc_user);
+ av[2] = NULL;
+
+ close(p[0]);
+ ret = dup2(p[1], STDOUT_FILENO);
+ if (ret == -1) {
+ perror("dup2");
+ return 3;
+ }
+
+ execv(av[0], av);
+ return 3;
+ default:
+ /* parent */
+ break;
+ }
+
+ close(p[1]);
+ len = read(p[0], buf, sizeof(buf));
+ close(p[0]);
+ if (len == -1) {
+ perror("waitpid");
+ return 3;
+ }
+
+ pid = waitpid(pid, &status, 0);
+ if (pid == -1) {
+ perror("waitpid");
+ return 3;
+ }
+
+ if (WIFEXITED(status)) {
+ printf("sss_ssh_authorizedkeys exited with return code %d\n", WEXITSTATUS(status));
+ return 0;
+ } else if (WIFSIGNALED(status)) {
+ printf("sss_ssh_authorizedkeys exited with signal %d\n", WTERMSIG(status));
+ return 1;
+ }
+
+ printf("sss_ssh_authorizedkeys exited for another reason\n");
+ return 2;
+}
diff --git a/src/tests/util-tests.c b/src/tests/util-tests.c
new file mode 100644
index 0000000..e331f82
--- /dev/null
+++ b/src/tests/util-tests.c
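Review bot: The failure branch after `read(p[0], buf, sizeof(buf))` reports `perror("waitpid")`, which names the wrong call when the read fails; it should be `perror("read");`. In the child branch a failed `execv()` falls through to a bare `return 3;` with no message, so a missing or non-executable helper cannot be told apart from other failures; `perror("execv"); _exit(3);` would report it and keep the forked child from running the parent's exit handlers. `pc_user` is also handed to the child after `poptFreeContext(pc)`; if popt owns that string this is a use after free, so freeing the context after the fork or copying the argument first looks safer, though that depends on the popt version in use.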
@@ -0,0 +1,1237 @@ +/* + SSSD + + util-tests.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_utf8.h" +#include "shared/murmurhash3.h" +#include "tests/common_check.h" + +#define FILENAME_TEMPLATE "tests-atomicio-XXXXXX" +char *filename; +int atio_fd; + +START_TEST(test_add_string_to_list) +{ + int ret; + + char **list = NULL; + + ret = add_string_to_list(NULL, NULL, NULL); + fail_unless(ret == EINVAL, "NULL input accepted"); + + ret = add_string_to_list(global_talloc_context, "ABC", &list); + fail_unless(ret == EOK, "Adding string to non-existing list failed."); + fail_unless(list != NULL, "No new list created."); + fail_unless(list[0] != NULL, "String not added to new list."); + fail_unless(strcmp(list[0], "ABC") == 0, + "Wrong string added to newly created list."); + fail_unless(list[1] == NULL, + "Missing terminating NULL in newly created list."); + + ret = add_string_to_list(global_talloc_context, "DEF", &list); + fail_unless(ret == EOK, "Adding string to list failed."); + fail_unless(list != NULL, "No list returned."); + fail_unless(strcmp(list[0], "ABC") == 0, "Wrong first string in new list."); + fail_unless(strcmp(list[1], "DEF") == 0, "Wrong string added to list."); + fail_unless(list[2] == NULL, "Missing 
terminating NULL."); + + list[0] = NULL; + ret = add_string_to_list(global_talloc_context, "ABC", &list); + fail_unless(ret == EOK, "Adding string to empty list failed."); + fail_unless(list != NULL, "No list returned."); + fail_unless(list[0] != NULL, "String not added to empty list."); + fail_unless(strcmp(list[0], "ABC") == 0, + "Wrong string added to empty list."); + fail_unless(list[1] == NULL, + "Missing terminating NULL in newly created list."); + + talloc_free(list); +} +END_TEST + +START_TEST(test_string_in_list) +{ + bool is_in; + char *empty_list[] = {NULL}; + char *list[] = {discard_const("ABC"), + discard_const("DEF"), + discard_const("GHI"), + NULL}; + + is_in = string_in_list(NULL, NULL, false); + fail_unless(!is_in, "NULL string is in NULL list."); + + is_in = string_in_list(NULL, empty_list, false); + fail_unless(!is_in, "NULL string is in empty list."); + + is_in = string_in_list(NULL, list, false); + fail_unless(!is_in, "NULL string is in list."); + + is_in = string_in_list("ABC", NULL, false); + fail_unless(!is_in, "String is in NULL list."); + + is_in = string_in_list("ABC", empty_list, false); + fail_unless(!is_in, "String is in empty list."); + + is_in = string_in_list("ABC", list, false); + fail_unless(is_in, "String is not list."); + + is_in = string_in_list("abc", list, false); + fail_unless(is_in, "String is not case in-sensitive list."); + + is_in = string_in_list("abc", list, true); + fail_unless(!is_in, "Wrong string found in case sensitive list."); + + is_in = string_in_list("123", list, false); + fail_unless(!is_in, "Wrong string found in list."); + +} +END_TEST + +START_TEST(test_parse_args) +{ + struct pa_testcase { + const char *argstr; + const char **parsed; + }; + + TALLOC_CTX *test_ctx; + int i, ii; + int ret; + char **parsed; + char **only_ret; + char **only_exp; + char **both; + + test_ctx = talloc_new(NULL); + + /* Positive tests */ + const char *parsed1[] = { "foo", NULL }; + const char *parsed2[] = { "foo", "a", NULL }; + 
const char *parsed3[] = { "foo", "b", NULL }; + const char *parsed4[] = { "foo", "a c", NULL }; + const char *parsed5[] = { "foo", "a", "d", NULL }; + const char *parsed6[] = { "foo", "a", "e", NULL }; + const char *parsed7[] = { "foo", "a", "f", NULL }; + const char *parsed8[] = { "foo", "a\tg", NULL }; + const char *parsed9[] = { "foo", NULL }; + const char *parsed10[] = { " ", "foo", "\t", "\\'", NULL }; + const char *parsed11[] = { "a", NULL }; + struct pa_testcase tc[] = { + { "foo", parsed1 }, + { "foo a", parsed2 }, + { "foo b", parsed3 }, + { "foo a\\ c", parsed4 }, + { "foo a d ", parsed5 }, + { "foo a e ", parsed6 }, + { "foo\ta\t \tf \t", parsed7 }, + { "foo a\\\tg", parsed8 }, + { " foo ", parsed9 }, + { "\\ foo \\\t \\' ", parsed10 }, + { "a", parsed11 }, + { " ", NULL }, + { "", NULL }, + { " \t ", NULL }, + { NULL, NULL } + }; + + for (i=0; tc[i].argstr != NULL; i++) { + parsed = parse_args(tc[i].argstr); + fail_if(parsed == NULL && tc[i].parsed != NULL, + "Could not parse correct %d argument string '%s'\n", + i, tc[i].argstr); + + ret = diff_string_lists(test_ctx, parsed, discard_const(tc[i].parsed), + &only_ret, &only_exp, &both); + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(only_ret[0] == NULL, "The parser returned more data than expected\n"); + fail_unless(only_exp[0] == NULL, "The parser returned less data than expected\n"); + + if (parsed) { + int parsed_len; + int expected_len; + + for (parsed_len=0; parsed[parsed_len]; ++parsed_len); + for (expected_len=0; tc[i].parsed[expected_len]; ++expected_len); + + fail_unless(parsed_len == expected_len, + "Test %d: length of 1st array [%d] != length of 2nd " + "array[%d]\n", i, parsed_len, expected_len); + + for (ii = 0; parsed[ii]; ii++) free(parsed[ii]); + free(parsed); + } + } + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_diff_string_lists) +{ + TALLOC_CTX *test_ctx; + char **l1; + char **l2; + char **l3; + char **only_l1; + char **only_l2; + 
char **both; + int ret; + + test_ctx = talloc_new(NULL); + + /* Test with all values returned */ + l1 = talloc_array(test_ctx, char *, 4); + l1[0] = talloc_strdup(l1, "a"); + l1[1] = talloc_strdup(l1, "b"); + l1[2] = talloc_strdup(l1, "c"); + l1[3] = NULL; + + l2 = talloc_array(test_ctx, char *, 4); + l2[0] = talloc_strdup(l1, "d"); + l2[1] = talloc_strdup(l1, "c"); + l2[2] = talloc_strdup(l1, "b"); + l2[3] = NULL; + + ret = diff_string_lists(test_ctx, + l1, l2, + &only_l1, &only_l2, &both); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(strcmp(only_l1[0], "a") == 0, "Missing \"a\" from only_l1"); + fail_unless(only_l1[1] == NULL, "only_l1 not NULL-terminated"); + fail_unless(strcmp(only_l2[0], "d") == 0, "Missing \"d\" from only_l2"); + fail_unless(only_l2[1] == NULL, "only_l2 not NULL-terminated"); + fail_unless(strcmp(both[0], "c") == 0, "Missing \"c\" from both"); + fail_unless(strcmp(both[1], "b") == 0, "Missing \"b\" from both"); + fail_unless(both[2] == NULL, "both not NULL-terminated"); + + talloc_zfree(only_l1); + talloc_zfree(only_l2); + talloc_zfree(both); + + /* Test with restricted return values */ + ret = diff_string_lists(test_ctx, + l1, l2, + &only_l1, &only_l2, NULL); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(strcmp(only_l1[0], "a") == 0, "Missing \"a\" from only_l1"); + fail_unless(only_l1[1] == NULL, "only_l1 not NULL-terminated"); + fail_unless(strcmp(only_l2[0], "d") == 0, "Missing \"d\" from only_l2"); + fail_unless(only_l2[1] == NULL, "only_l2 not NULL-terminated"); + fail_unless(both == NULL, "Nothing returned to both"); + + talloc_zfree(only_l1); + talloc_zfree(only_l2); + talloc_zfree(both); + + ret = diff_string_lists(test_ctx, + l1, l2, + &only_l1, NULL, NULL); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(strcmp(only_l1[0], "a") == 0, "Missing \"a\" from only_l1"); + fail_unless(only_l1[1] == NULL, "only_l1 
not NULL-terminated"); + fail_unless(only_l2 == NULL, "Nothing returned to only_l2"); + fail_unless(both == NULL, "Nothing returned to both"); + + talloc_zfree(only_l1); + talloc_zfree(only_l2); + talloc_zfree(both); + + ret = diff_string_lists(test_ctx, + l1, l2, + NULL, &only_l2, NULL); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(strcmp(only_l2[0], "d") == 0, "Missing \"d\" from only_l2"); + fail_unless(only_l2[1] == NULL, "only_l2 not NULL-terminated"); + fail_unless(only_l1 == NULL, "Nothing returned to only_l1"); + fail_unless(both == NULL, "Nothing returned to both"); + + talloc_zfree(only_l1); + talloc_zfree(only_l2); + talloc_zfree(both); + + /* Test with no overlap */ + l3 = talloc_array(test_ctx, char *, 4); + l3[0] = talloc_strdup(l1, "d"); + l3[1] = talloc_strdup(l1, "e"); + l3[2] = talloc_strdup(l1, "f"); + l3[3] = NULL; + + ret = diff_string_lists(test_ctx, + l1, l3, + &only_l1, &only_l2, &both); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(strcmp(only_l1[0], "a") == 0, "Missing \"a\" from only_l1"); + fail_unless(strcmp(only_l1[1], "b") == 0, "Missing \"b\" from only_l1"); + fail_unless(strcmp(only_l1[2], "c") == 0, "Missing \"c\" from only_l1"); + fail_unless(only_l1[3] == NULL, "only_l1 not NULL-terminated"); + fail_unless(strcmp(only_l2[0], "d") == 0, "Missing \"f\" from only_l2"); + fail_unless(strcmp(only_l2[1], "e") == 0, "Missing \"e\" from only_l2"); + fail_unless(strcmp(only_l2[2], "f") == 0, "Missing \"d\" from only_l2"); + fail_unless(only_l2[3] == NULL, "only_l2 not NULL-terminated"); + fail_unless(both[0] == NULL, "both should have zero entries"); + + talloc_zfree(only_l1); + talloc_zfree(only_l2); + talloc_zfree(both); + + /* Test with 100% overlap */ + ret = diff_string_lists(test_ctx, + l1, l1, + &only_l1, &only_l2, &both); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(only_l1[0] == NULL, "only_l1 should 
have zero entries"); + fail_unless(only_l2[0] == NULL, "only_l2 should have zero entries"); + fail_unless(strcmp(both[0], "a") == 0, "Missing \"a\" from both"); + fail_unless(strcmp(both[1], "b") == 0, "Missing \"b\" from both"); + fail_unless(strcmp(both[2], "c") == 0, "Missing \"c\" from both"); + fail_unless(both[3] == NULL, "both is not NULL-terminated"); + + talloc_zfree(only_l1); + talloc_zfree(only_l2); + talloc_zfree(both); + + /* Test with no second list */ + ret = diff_string_lists(test_ctx, + l1, NULL, + &only_l1, &only_l2, &both); + + fail_unless(ret == EOK, "diff_string_lists returned error [%d]", ret); + fail_unless(strcmp(only_l1[0], "a") == 0, "Missing \"a\" from only_l1"); + fail_unless(strcmp(only_l1[1], "b") == 0, "Missing \"b\" from only_l1"); + fail_unless(strcmp(only_l1[2], "c") == 0, "Missing \"c\" from only_l1"); + fail_unless(only_l1[3] == NULL, "only_l1 not NULL-terminated"); + fail_unless(only_l2[0] == NULL, "only_l2 should have zero entries"); + fail_unless(both[0] == NULL, "both should have zero entries"); + + talloc_free(test_ctx); +} +END_TEST + + +START_TEST(test_sss_filter_sanitize) +{ + errno_t ret; + char *sanitized = NULL; + + TALLOC_CTX *test_ctx = talloc_new(NULL); + fail_if (test_ctx == NULL, "Out of memory"); + + const char no_specials[] = "username"; + ret = sss_filter_sanitize(test_ctx, no_specials, &sanitized); + fail_unless(ret == EOK, "no_specials error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(no_specials, sanitized)==0, + "Expected [%s], got [%s]", + no_specials, sanitized); + + const char has_asterisk[] = "*username"; + const char has_asterisk_expected[] = "\\2ausername"; + ret = sss_filter_sanitize(test_ctx, has_asterisk, &sanitized); + fail_unless(ret == EOK, "has_asterisk error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_asterisk_expected, sanitized)==0, + "Expected [%s], got [%s]", + has_asterisk_expected, sanitized); + + const char has_lparen[] = "user(name"; + const char 
has_lparen_expected[] = "user\\28name"; + ret = sss_filter_sanitize(test_ctx, has_lparen, &sanitized); + fail_unless(ret == EOK, "has_lparen error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_lparen_expected, sanitized)==0, + "Expected [%s], got [%s]", + has_lparen_expected, sanitized); + + const char has_rparen[] = "user)name"; + const char has_rparen_expected[] = "user\\29name"; + ret = sss_filter_sanitize(test_ctx, has_rparen, &sanitized); + fail_unless(ret == EOK, "has_rparen error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_rparen_expected, sanitized)==0, + "Expected [%s], got [%s]", + has_rparen_expected, sanitized); + + const char has_backslash[] = "username\\"; + const char has_backslash_expected[] = "username\\5c"; + ret = sss_filter_sanitize(test_ctx, has_backslash, &sanitized); + fail_unless(ret == EOK, "has_backslash error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_backslash_expected, sanitized)==0, + "Expected [%s], got [%s]", + has_backslash_expected, sanitized); + + const char has_all[] = "\\(user)*name"; + const char has_all_expected[] = "\\5c\\28user\\29\\2aname"; + ret = sss_filter_sanitize(test_ctx, has_all, &sanitized); + fail_unless(ret == EOK, "has_all error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_all_expected, sanitized)==0, + "Expected [%s], got [%s]", + has_all_expected, sanitized); + + /* Input is reused from previous test - "\\(user)*name" */ + const char has_all_allow_asterisk_expected[] = "\\5c\\28user\\29*name"; + ret = sss_filter_sanitize_ex(test_ctx, has_all, &sanitized, "*"); + fail_unless(ret == EOK, "has_all error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_all_allow_asterisk_expected, sanitized)==0, + "Expected [%s], got [%s]", + has_all_expected, sanitized); + + const char has_new_line[] = "user\nname"; + const char has_new_line_expected[] = "user\\0aname"; + ret = sss_filter_sanitize(test_ctx, has_new_line, &sanitized); + fail_unless(ret == EOK, 
"has_new_line error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_new_line_expected, sanitized) == 0, + "Expected [%s], got [%s]", + has_new_line_expected, sanitized); + + const char has_carriage_ret[] = "user\rname"; + const char has_carriage_ret_expected[] = "user\\0dname"; + ret = sss_filter_sanitize(test_ctx, has_carriage_ret, &sanitized); + fail_unless(ret == EOK, "has_carriage_ret error [%d][%s]", + ret, strerror(ret)); + fail_unless(strcmp(has_carriage_ret_expected, sanitized) == 0, + "Expected [%s], got [%s]", + has_carriage_ret_expected, sanitized); + + talloc_free(test_ctx); +} +END_TEST + +START_TEST(test_fd_nonblocking) +{ + int fd; + int flags; + errno_t ret; + + fd = open("/dev/null", O_RDONLY); + fail_unless(fd > 0); + + flags = fcntl(fd, F_GETFL, 0); + fail_if(flags & O_NONBLOCK); + + ret = sss_fd_nonblocking(fd); + fail_unless(ret == EOK); + flags = fcntl(fd, F_GETFL, 0); + fail_unless(flags & O_NONBLOCK); + close(fd); +} +END_TEST + +START_TEST(test_size_t_overflow) +{ + fail_unless(!SIZE_T_OVERFLOW(1, 1), "unexpected overflow"); + fail_unless(!SIZE_T_OVERFLOW(SIZE_MAX, 0), "unexpected overflow"); + fail_unless(!SIZE_T_OVERFLOW(SIZE_MAX-10, 10), "unexpected overflow"); + fail_unless(SIZE_T_OVERFLOW(SIZE_MAX, 1), "overflow not detected"); + fail_unless(SIZE_T_OVERFLOW(SIZE_MAX, SIZE_MAX), + "overflow not detected"); + fail_unless(SIZE_T_OVERFLOW(SIZE_MAX, ULLONG_MAX), + "overflow not detected"); + fail_unless(SIZE_T_OVERFLOW(SIZE_MAX, -10), "overflow not detected"); +} +END_TEST + +START_TEST(test_utf8_lowercase) +{ + const uint8_t munchen_utf8_upcase[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 }; + const uint8_t munchen_utf8_lowcase[] = { 'm', 0xC3, 0xBC, 'n', 'c', 'h', 'e', 'n', 0x0 }; + uint8_t *lcase; + size_t nlen; + + lcase = sss_utf8_tolower(munchen_utf8_upcase, + strlen((const char *)munchen_utf8_upcase), + &nlen); + fail_if(strlen((const char *) munchen_utf8_upcase) != nlen); /* This is not true for utf8 strings in 
general */
+ fail_if(memcmp(lcase, munchen_utf8_lowcase, nlen));
+ sss_utf8_free(lcase);
+}
+END_TEST
+
+START_TEST(test_utf8_talloc_lowercase)
+{
+ const uint8_t munchen_utf8_upcase[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 };
+ const uint8_t munchen_utf8_lowcase[] = { 'm', 0xC3, 0xBC, 'n', 'c', 'h', 'e', 'n', 0x0 };
+ uint8_t *lcase;
+ size_t nsize;
+
+ TALLOC_CTX *test_ctx;
+ test_ctx = talloc_new(NULL);
+ fail_if(test_ctx == NULL);
+
+ lcase = sss_tc_utf8_tolower(test_ctx, munchen_utf8_upcase,
+ strlen((const char *) munchen_utf8_upcase),
+ &nsize);
+ fail_if(memcmp(lcase, munchen_utf8_lowcase, nsize));
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_utf8_talloc_str_lowercase)
+{
+ const uint8_t munchen_utf8_upcase[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 };
+ const uint8_t munchen_utf8_lowcase[] = { 'm', 0xC3, 0xBC, 'n', 'c', 'h', 'e', 'n', 0x0 };
+ char *lcase;
+
+ TALLOC_CTX *test_ctx;
+ test_ctx = talloc_new(NULL);
+ fail_if(test_ctx == NULL);
+
+ lcase = sss_tc_utf8_str_tolower(test_ctx, (const char *) munchen_utf8_upcase);
+ fail_if(memcmp(lcase, munchen_utf8_lowcase, strlen(lcase)));
+ talloc_free(test_ctx);
+}
+END_TEST
+
+START_TEST(test_utf8_caseeq)
+{
+ const uint8_t munchen_utf8_upcase[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 };
+ const uint8_t munchen_utf8_lowcase[] = { 'm', 0xC3, 0xBC, 'n', 'c', 'h', 'e', 'n', 0x0 };
+ const uint8_t czech_utf8_lowcase[] = { 0xC4, 0x8D, 'e', 'c', 'h', 0x0 };
+ const uint8_t czech_utf8_upcase[] = { 0xC4, 0x8C, 'e', 'c', 'h', 0x0 };
+ const uint8_t czech_utf8_lowcase_neg[] = { 0xC4, 0x8E, 'e', 'c', 'h', 0x0 };
+ errno_t ret;
+
+ ret = sss_utf8_case_eq(munchen_utf8_upcase, munchen_utf8_lowcase);
+ fail_unless(ret == EOK, "Latin 1 Supplement comparison failed\n");
+
+ ret = sss_utf8_case_eq(czech_utf8_upcase, czech_utf8_lowcase);
+ fail_unless(ret == EOK, "Latin Extended A comparison failed\n");
+
+ ret = sss_utf8_case_eq(czech_utf8_upcase, czech_utf8_lowcase_neg);
+ fail_if(ret
== EOK, "Negative test succeeded\n");
+}
+END_TEST
+
+START_TEST(test_utf8_check)
+{
+ const char *invalid = "ad\351la\357d";
+ const uint8_t valid[] = { 'M', 0xC3, 0x9C, 'N', 'C', 'H', 'E', 'N', 0x0 };
+ bool ret;
+
+ ret = sss_utf8_check(valid, strlen((const char *) valid));
+ fail_unless(ret == true, "Positive test failed\n");
+
+ ret = sss_utf8_check((const uint8_t *) invalid, strlen(invalid));
+ fail_unless(ret == false, "Negative test succeeded\n");
+}
+END_TEST
+
+START_TEST(test_murmurhash3_check)
+{
+ const char *tests[6] = { "1052800007", "1052800008", "1052800000",
+ "abcdefghijk", "abcdefghili", "abcdefgh000" };
+ uint32_t results[6];
+ int i, j;
+
+ for (i = 0; i< 6; i++) {
+ results[i] = murmurhash3(tests[i],
+ strlen(tests[i]),
+ 0xdeadbeef);
+ for (j = 0; j < i; j++) {
+ fail_if(results[i] == results[j]);
+ }
+ }
+}
+END_TEST
+
+START_TEST(test_murmurhash3_random)
+{
+ char test[16];
+ uint32_t result1;
+ uint32_t result2;
+ unsigned int init_seed;
+ unsigned int seed;
+ size_t len;
+ int i;
+
+ /* generate a random string so each time we test with different values */
+ init_seed = time(0);
+ seed = init_seed;
+ /* use also random length (min len = 1) */
+ len = 1 + rand_r(&seed) % 14;
+ for (i = 0; i < len; i++) {
+ test[i] = 1 + rand_r(&seed) % 254;
+ }
+ test[len] = '\0'; /* null terminate */
+
+ fprintf(stdout, "test_murmurhash3_random seed: %u\n", init_seed);
+
+ result1 = murmurhash3(test, len + 1, init_seed);
+ result2 = murmurhash3(test, len + 1, init_seed);
+ fail_if(result1 != result2);
+}
+END_TEST
+
+void setup_atomicio(void)
+{
+ int ret;
+ mode_t old_umask;
+
+ filename = strdup(FILENAME_TEMPLATE);
+ fail_unless(filename != NULL, "strdup failed");
+
+ atio_fd = -1;
+ old_umask = umask(SSS_DFL_UMASK);
+ ret = mkstemp(filename);
+ umask(old_umask);
+ fail_unless(ret != -1, "mkstemp failed [%d][%s]", errno, strerror(errno));
+ atio_fd = ret;
+}
+
+void teardown_atomicio(void)
+{
+ int ret;
+
+ if (atio_fd != -1) {
+ ret = close(atio_fd);
+ fail_unless(ret == 0, "close failed [%d][%s]", errno, strerror(errno));
+ }
+
+ fail_unless(filename != NULL, "unknown filename");
+ ret = unlink(filename);
+ free(filename);
+ fail_unless(ret == 0, "unlink failed [%d][%s]", errno, strerror(errno));
+}
+
+START_TEST(test_atomicio_read_from_file)
+{
+ const ssize_t bufsize = 64;
+ char buf[64];
+ int fd;
+ ssize_t numread;
+ errno_t ret;
+
+ fd = open("/dev/zero", O_RDONLY);
+ fail_if(fd == -1, "Cannot open /dev/zero");
+
+ errno = 0;
+ numread = sss_atomic_read_s(fd, buf, bufsize);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while reading\n", ret);
+ fail_unless(numread == bufsize,
+ "Read %d bytes expected %d\n", numread, bufsize);
+ close(fd);
+}
+END_TEST
+
+START_TEST(test_atomicio_read_from_small_file)
+{
+ char wbuf[] = "foobar";
+ ssize_t wsize = strlen(wbuf)+1;
+ ssize_t numwritten;
+ char rbuf[64];
+ ssize_t numread;
+ errno_t ret;
+
+ fail_if(atio_fd < 0, "No fd to test?\n");
+
+ errno = 0;
+ numwritten = sss_atomic_write_s(atio_fd, wbuf, wsize);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while writing\n", ret);
+ fail_unless(numwritten == wsize,
+ "Wrote %d bytes expected %d\n", numwritten, wsize);
+
+ fsync(atio_fd);
+ lseek(atio_fd, 0, SEEK_SET);
+
+ errno = 0;
+ numread = sss_atomic_read_s(atio_fd, rbuf, 64);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while reading\n", ret);
+ fail_unless(numread == numwritten,
+ "Read %d bytes expected %d\n", numread, numwritten);
+}
+END_TEST
+
+START_TEST(test_atomicio_read_from_large_file)
+{
+ char wbuf[] = "123456781234567812345678";
+ ssize_t wsize = strlen(wbuf)+1;
+ ssize_t numwritten;
+ char rbuf[8];
+ ssize_t numread;
+ ssize_t total;
+ errno_t ret;
+
+ fail_if(atio_fd < 0, "No fd to test?\n");
+
+ errno = 0;
+ numwritten = sss_atomic_write_s(atio_fd, wbuf, wsize);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while writing\n", ret);
+ fail_unless(numwritten == wsize,
+ "Wrote %d bytes expected %d\n", numwritten, wsize);
+
+
fsync(atio_fd);
+ lseek(atio_fd, 0, SEEK_SET);
+
+ total = 0;
+ do {
+ errno = 0;
+ numread = sss_atomic_read_s(atio_fd, rbuf, 8);
+ ret = errno;
+
+ fail_if(numread == -1, "Read error %d: %s\n", ret, strerror(ret));
+ total += numread;
+ } while (numread != 0);
+
+ fail_unless(ret == 0, "Error %d while reading\n", ret);
+ fail_unless(total == numwritten,
+ "Read %d bytes expected %d\n", numread, numwritten);
+}
+END_TEST
+
+START_TEST(test_atomicio_read_exact_sized_file)
+{
+ char wbuf[] = "12345678";
+ ssize_t wsize = strlen(wbuf)+1;
+ ssize_t numwritten;
+ char rbuf[9];
+ ssize_t numread;
+ errno_t ret;
+
+ fail_if(atio_fd < 0, "No fd to test?\n");
+
+ errno = 0;
+ numwritten = sss_atomic_write_s(atio_fd, wbuf, wsize);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while writing\n", ret);
+ fail_unless(numwritten == wsize,
+ "Wrote %d bytes expected %d\n", numwritten, wsize);
+
+ fsync(atio_fd);
+ lseek(atio_fd, 0, SEEK_SET);
+
+ errno = 0;
+ numread = sss_atomic_read_s(atio_fd, rbuf, 9);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while reading\n", ret);
+ fail_unless(numread == numwritten,
+ "Read %d bytes expected %d\n", numread, numwritten);
+
+ fail_unless(rbuf[8] == '\0', "String not NULL terminated?");
+ fail_unless(strcmp(wbuf, rbuf) == 0, "Read something else than wrote?");
+
+ /* We've reached end-of-file, next read must return 0 */
+ errno = 0;
+ numread = sss_atomic_read_s(atio_fd, rbuf, 9);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while reading\n", ret);
+ fail_unless(numread == 0, "More data to read?");
+}
+END_TEST
+
+START_TEST(test_atomicio_read_from_empty_file)
+{
+ char buf[64];
+ int fd;
+ ssize_t numread;
+ errno_t ret;
+
+ fd = open("/dev/null", O_RDONLY);
+ fail_if(fd == -1, "Cannot open /dev/null");
+
+ errno = 0;
+ numread = sss_atomic_read_s(fd, buf, 64);
+ ret = errno;
+
+ fail_unless(ret == 0, "Error %d while reading\n", ret);
+ fail_unless(numread == 0,
+ "Read %d bytes expected 0\n", numread);
+ close(fd);
+}
+END_TEST
+
+struct split_data {
+ const char *input;
+ const char **expected_list;
+ bool trim;
+ bool skip_empty;
+ int expected_size;
+ int expected_ret;
+};
+
+START_TEST(test_split_on_separator)
+{
+ TALLOC_CTX *mem = global_talloc_context;
+ errno_t ret;
+ char **list = NULL;
+ int size;
+ const char *str_ref;
+ const char *str_out;
+ int i;
+ int a;
+ int num_of_tests;
+ struct split_data sts[] = {
+ {
+ "one,two,three", /* input string */
+ (const char *[]){"one", "two", "three", NULL}, /* expec. output list */
+ false, false, /* trim, skip_empty */
+ 3, 0 /* expec. size, expec. retval */
+ },
+ {
+ "one,two,three",
+ (const char *[]){"one", "two", "three", NULL},
+ true, true,
+ 3, 0
+ },
+ {
+ " one, two ,three ",
+ (const char*[]){"one", "two", "three", NULL},
+ true, true,
+ 3, 0
+ },
+ {
+ /* If skip empty is false, single comma means "empty,empty" */
+ ",",
+ (const char*[]){"", "", NULL, NULL},
+ false, false,
+ 2, 0
+ },
+ {
+ "one, ,",
+ (const char*[]){"one", " ", "NULL", "NULL"},
+ false, true,
+ 2, 0
+ },
+ {
+ ", ,,",
+ (const char*[]){NULL},
+ true, true,
+ 0, 0
+ },
+ {
+ NULL,
+ NULL,
+ false, false,
+ 0, EINVAL
+ },
+ };
+ num_of_tests = sizeof(sts) / sizeof(struct split_data);
+
+ for (a = 0; a < num_of_tests; a++) {
+ ret = split_on_separator(mem, sts[a].input, ',', sts[a].trim,
+ sts[a].skip_empty, &list, &size);
+
+ fail_unless(ret == sts[a].expected_ret,
+ "split_on_separator failed [%d]: %s\n", ret,
+ strerror(ret));
+ if (ret) {
+ continue;
+ }
+ fail_unless(size == sts[a].expected_size, "Returned wrong size %d "
+ "(expected %d).\n", size, sts[a].expected_size);
+
+ for (i = 0; str_ref = sts[a].expected_list[i], str_out = list[i]; i++) {
+ fail_unless(strcmp(str_ref, str_out) == 0,
+ "Expected:%s Got:%s\n", str_ref, str_out);
+ }
+ talloc_free(list);
+ list = NULL;
+ }
+}
+END_TEST
+
+struct check_ip_test_data {
+ const char *str_ipaddr;
+ uint8_t flags;
+ bool expected_ret;
+};
+
+START_TEST(test_check_ipv4_addr)
+{
+ int a;
+ int
num_of_tests;
+ int ret;
+ bool bret;
+ struct in_addr addr;
+ struct check_ip_test_data tst_data[] = {
+ {
+ "192.168.100.1", /* input IPv4 address */
+ 0, /* flags value */
+ true /* Expected return value */
+ },
+ {
+ "224.0.0.22", /* multicast address */
+ SSS_NO_MULTICAST,
+ false
+ },
+ {
+ "192.186.0.224",
+ SSS_NO_MULTICAST,
+ true
+ },
+ {
+ "127.0.0.1",
+ SSS_NO_LOOPBACK,
+ false
+ },
+ {
+ "169.254.0.11",
+ SSS_NO_LINKLOCAL,
+ false
+ },
+ {
+ "255.255.255.255",
+ SSS_NO_BROADCAST,
+ false
+ },
+ {
+ "255.255.255.255",
+ SSS_NO_SPECIAL,
+ false
+ },
+ {
+ "192.168.254.169",
+ SSS_NO_SPECIAL,
+ true
+ },
+ };
+
+ num_of_tests = sizeof(tst_data) / sizeof(struct check_ip_test_data);
+
+ for (a = 0; a < num_of_tests; a++) {
+ /* fill sockaddr_in structure */
+
+ ret = inet_pton(AF_INET, tst_data[a].str_ipaddr, &addr);
+ fail_if(ret != 1, "inet_pton failed.");
+
+ bret = check_ipv4_addr(&addr, tst_data[a].flags);
+ fail_unless(bret == tst_data[a].expected_ret,
+ "check_ipv4_addr failed (iteration %d)", a);
+ }
+}
+END_TEST
+
+START_TEST(test_check_ipv6_addr)
+{
+ int a;
+ int num_of_tests;
+ int ret;
+ bool bret;
+ struct in6_addr addr;
+ struct check_ip_test_data tst_data[] = {
+ {
+ "fde9:7e3f:1ed3:24a5::4", /* input IPv6 address */
+ 0, /* flags value */
+ true /* Expected return value */
+ },
+ {
+ "fe80::f2de:f1ff:fefa:67f0",
+ SSS_NO_LINKLOCAL,
+ false
+ },
+ {
+ "::1",
+ SSS_NO_LOOPBACK,
+ false
+ },
+ {
+ "ff00::123",
+ SSS_NO_MULTICAST,
+ false
+ },
+ {
+ "ff00::321",
+ SSS_NO_SPECIAL,
+ false
+ },
+ };
+
+ num_of_tests = sizeof(tst_data) / sizeof(struct check_ip_test_data);
+
+ for (a = 0; a < num_of_tests; a++) {
+ /* fill sockaddr_in structure */
+
+ ret = inet_pton(AF_INET6, tst_data[a].str_ipaddr, &addr);
+ fail_if(ret != 1, "inet_pton failed.");
+
+ bret = check_ipv6_addr(&addr, tst_data[a].flags);
+ fail_unless(bret == tst_data[a].expected_ret,
+ "check_ipv6_addr failed (iteration %d)", a);
+
+ }
+}
+END_TEST
+
+START_TEST(test_is_host_in_domain)
+{
+ struct {
+ const char *host;
+ const char *domain;
+ bool expected;
+ } data[] = {{"example.com", "example.com", true},
+ {"client.example.com", "example.com", true},
+ {"client.child.example.com", "example.com", true},
+ {"example.com", "child.example.com", false},
+ {"client.example.com", "child.example.com", false},
+ {"client.child.example.com", "child.example.com", true},
+ {"my.com", "example.com", false},
+ {"myexample.com", "example.com", false},
+ {NULL, NULL, false}};
+ bool ret;
+ int i;
+
+ for (i = 0; data[i].host != NULL; i++) {
+ ret = is_host_in_domain(data[i].host, data[i].domain);
+ fail_if(ret != data[i].expected, "Host: %s, Domain: %s, Expected: %d, "
+ "Got: %d\n", data[i].host, data[i].domain,
+ data[i].expected, ret);
+ }
+}
+END_TEST
+
+START_TEST(test_known_service)
+{
+ const char * const * svcs;
+ bool found_nss = false;
+ int i;
+
+ /* Just make sure we can't find a bogus service and nss
+ * is always available
+ */
+ svcs = get_known_services();
+ for (i = 0; svcs[i]; i++) {
+ ck_assert_str_ne(svcs[i], "nosuchservice");
+ if (strcmp(svcs[i], "nss") == 0) {
+ found_nss = true;
+ }
+ }
+
+ ck_assert(found_nss == true);
+}
+END_TEST
+
+static void convert_time_tz(const char* tz)
+{
+ errno_t ret, ret2;
+ time_t unix_time;
+ const char *orig_tz = NULL;
+
+ orig_tz = getenv("TZ");
+ if (orig_tz == NULL) {
+ orig_tz = "";
+ }
+
+ if (tz) {
+ ret = setenv("TZ", tz, 1);
+ fail_if(ret == -1);
+ }
+
+ ret = sss_utc_to_time_t("20140801115742Z", "%Y%m%d%H%M%SZ", &unix_time);
+
+ /* restore */
+ if (orig_tz != NULL) {
+ ret2 = setenv("TZ", orig_tz, 1);
+ fail_if(ret2 == -1);
+ }
+ fail_unless(ret == EOK && difftime(1406894262, unix_time) == 0);
+}
+
+START_TEST(test_convert_time)
+{
+ const char *format = "%Y%m%d%H%M%SZ";
+ time_t unix_time;
+ errno_t ret;
+
+ ret = sss_utc_to_time_t("20150127133540P", format, &unix_time);
+ fail_unless(ret == ERR_TIMESPEC_NOT_SUPPORTED);
+ ret = sss_utc_to_time_t("0Z",
format, &unix_time);
+ fail_unless(ret == EINVAL);
+ ret = sss_utc_to_time_t("000001010000Z", format, &unix_time);
+ fail_unless(ret == EINVAL);
+
+ /* test that results are still same no matter what timezone is set */
+ convert_time_tz(NULL);
+
+ convert_time_tz("GST-1");
+
+ convert_time_tz("GST-2");
+}
+END_TEST
+
+START_TEST(test_sss_strerror_err_last)
+{
+ ck_assert_str_eq(sss_strerror(ERR_LAST), "ERR_LAST");
+}
+END_TEST
+
+START_TEST(test_sss_strerror_string_validation)
+{
+ enum sssd_errors idx;
+ const char *error;
+ size_t len;
+ char last_character;
+
+ for (idx = ERR_BASE; idx < ERR_LAST; ++idx) {
+ error = sss_strerror(idx);
+ fail_if(error == NULL, "sss_strerror returned NULL for valid index");
+
+ len = strlen(error);
+ fail_if(len == 0, "sss_strerror returned empty string");
+
+ last_character = error[len - 1];
+ fail_if(isalpha(last_character) == 0 && last_character != ')',
+ "Error string [%s] must finish with alphabetic character\n",
+ error);
+ }
+}
+END_TEST
+
+Suite *util_suite(void)
+{
+ Suite *s = suite_create("util");
+
+ TCase *tc_util = tcase_create("util");
+
+ tcase_add_checked_fixture(tc_util,
+ ck_leak_check_setup,
+ ck_leak_check_teardown);
+ tcase_add_test (tc_util, test_diff_string_lists);
+ tcase_add_test (tc_util, test_sss_filter_sanitize);
+ tcase_add_test (tc_util, test_size_t_overflow);
+ tcase_add_test (tc_util, test_parse_args);
+ tcase_add_test (tc_util, test_add_string_to_list);
+ tcase_add_test (tc_util, test_string_in_list);
+ tcase_add_test (tc_util, test_split_on_separator);
+ tcase_add_test (tc_util, test_check_ipv4_addr);
+ tcase_add_test (tc_util, test_check_ipv6_addr);
+ tcase_add_test (tc_util, test_is_host_in_domain);
+ tcase_add_test (tc_util, test_known_service);
+ tcase_add_test (tc_util, test_fd_nonblocking);
+ tcase_set_timeout(tc_util, 60);
+
+ TCase *tc_utf8 = tcase_create("utf8");
+ tcase_add_test (tc_utf8, test_utf8_lowercase);
+ tcase_add_test (tc_utf8, test_utf8_talloc_lowercase);
+ tcase_add_test
(tc_utf8, test_utf8_talloc_str_lowercase);
+ tcase_add_test (tc_utf8, test_utf8_caseeq);
+ tcase_add_test (tc_utf8, test_utf8_check);
+
+ tcase_set_timeout(tc_utf8, 60);
+
+ TCase *tc_mh3 = tcase_create("murmurhash3");
+ tcase_add_test (tc_mh3, test_murmurhash3_check);
+ tcase_add_test (tc_mh3, test_murmurhash3_random);
+ tcase_set_timeout(tc_mh3, 60);
+
+ TCase *tc_atomicio = tcase_create("atomicio");
+ tcase_add_checked_fixture (tc_atomicio,
+ setup_atomicio,
+ teardown_atomicio);
+ tcase_add_test(tc_atomicio, test_atomicio_read_from_file);
+ tcase_add_test(tc_atomicio, test_atomicio_read_from_small_file);
+ tcase_add_test(tc_atomicio, test_atomicio_read_from_large_file);
+ tcase_add_test(tc_atomicio, test_atomicio_read_exact_sized_file);
+ tcase_add_test(tc_atomicio, test_atomicio_read_from_empty_file);
+
+ TCase *tc_convert_time = tcase_create("convert_time");
+ tcase_add_checked_fixture(tc_convert_time,
+ ck_leak_check_setup,
+ ck_leak_check_teardown);
+ tcase_add_test(tc_convert_time, test_convert_time);
+
+ TCase *tc_sss_strerror = tcase_create("sss_strerror");
+ tcase_add_test(tc_sss_strerror, test_sss_strerror_err_last);
+ tcase_add_test(tc_sss_strerror, test_sss_strerror_string_validation);
+
+ suite_add_tcase (s, tc_util);
+ suite_add_tcase (s, tc_utf8);
+ suite_add_tcase (s, tc_mh3);
+ suite_add_tcase (s, tc_atomicio);
+ suite_add_tcase (s, tc_convert_time);
+ suite_add_tcase (s, tc_sss_strerror);
+
+ return s;
+}
+
+int main(int argc, const char *argv[])
+{
+ int opt;
+ int failure_count;
+ poptContext pc;
+ Suite *s = util_suite();
+ SRunner *sr = srunner_create (s);
+
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ SSSD_MAIN_OPTS
+ POPT_TABLEEND
+ };
+
+ /* Set debug level to invalid value so we can decide if -d 0 was used.
*/
+ debug_level = SSSDBG_INVALID;
+
+ pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+ while((opt = poptGetNextOpt(pc)) != -1) {
+ switch(opt) {
+ default:
+ fprintf(stderr, "\nInvalid option %s: %s\n\n",
+ poptBadOption(pc, 0), poptStrerror(opt));
+ poptPrintUsage(pc, stderr, 0);
+ return 1;
+ }
+ }
+ poptFreeContext(pc);
+
+ DEBUG_CLI_INIT(debug_level);
+
+ tests_set_cwd();
+
+ srunner_run_all(sr, CK_ENV);
+ failure_count = srunner_ntests_failed (sr);
+ srunner_free (sr);
+ if (failure_count == 0) {
+ return EXIT_SUCCESS;
+ }
+ return EXIT_FAILURE;
+}
diff --git a/src/tests/whitespace_test b/src/tests/whitespace_test
new file mode 100755
index 0000000..f055ed4
--- /dev/null
+++ b/src/tests/whitespace_test
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e -u -o pipefail
+
+# An AWK regex matching tracked file paths to be excluded from the search.
+# Example: '.*\.po|README'
+PATH_EXCLUDE_REGEX='.*\.po|.*\.patch|.*\.diff|\/debian\/.*'
+
+export GIT_DIR="$ABS_TOP_SRCDIR/.git"
+export GIT_WORK_TREE="$ABS_TOP_SRCDIR"
+
+if [ ! -d "$GIT_DIR" ]; then
+ echo "Git repository is required for this test!" 1>&2
+ exit 77
+fi
+
+{
+ # Look for lines with trailing whitespace in all files tracked by Git
+ git grep -n -I '\s\+$' -- "$(git rev-parse --show-toplevel)" ||
+ # Don't fail if no such lines were found anywhere
+ [[ $? == 1 ]]
+} |
+ awk -- "
+ BEGIN {
+ found = 0
+ }
+ ! /^($PATH_EXCLUDE_REGEX):/ {
+ if (!found) {
+ print \"Trailing whitespace found:\"
+ found = 1
+ }
+ print
+ }
+ END {
+ exit found
+ }
+ "
+
+declare found_file=false
+while read file; do
+ [[ $file == "src/config/testconfigs/noparse.api.conf" ]] && continue
+ [[ $file =~ ^src/tests/cmocka/p11_nssdb.*/.*db ]] && continue
+ test `tail -c 1 $ABS_TOP_SRCDIR/$file` && \
+ echo "Missing new line at the eof: $file" && \
+ found_file=true
+done < <(git ls-files)
+
+if $found_file; then
+ exit 1
+fi
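Review bot: The end-of-file check inside the `while read file` loop expands `$ABS_TOP_SRCDIR/$file` and the backtick substitution unquoted, so a tracked path containing whitespace or glob characters is word-split before `tail` sees it, and a final byte such as `*` is glob-expanded before `test` evaluates it. `read` without `-r` also consumes backslashes in file names. I would write the loop head as `while IFS= read -r file; do` and the check as `test -n "$(tail -c 1 "$ABS_TOP_SRCDIR/$file")" && \`, which keeps the result the same for ordinary paths.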
diff --git a/src/tools/common/sss_colondb.c b/src/tools/common/sss_colondb.c
new file mode 100644
index 0000000..e8aeb31
--- /dev/null
+++ b/src/tools/common/sss_colondb.c
@@ -0,0 +1,316 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+#include "util/strtonum.h"
+#include "tools/common/sss_colondb.h"
+
+#define IS_STD_FILE(db) ((db)->file == stdin || (db)->file == stdout)
+
+static char *read_field_as_string(char *line,
+ const char **_value)
+{
+ char *rest;
+ char *value;
+
+ if (line == NULL || *line == '\n' || *line == '\0') {
+ /* There is nothing else to read. */
+ rest = NULL;
+ value = NULL;
+ goto done;
+ }
+
+ if (*line == ':') {
+ /* Special case for empty value. */
+ *line = '\0';
+ rest = line + 1;
+ value = NULL;
+ goto done;
+ }
+
+ /* Value starts at current position. */
+ value = line;
+
+ /* Find next field delimiter. */
+ rest = strchr(line, ':');
+ if (rest == NULL) {
+ /* There is no more field. Remove \n from the end. */
+ rest = strchr(line, '\n');
+ if (rest != NULL) {
+ *rest = '\0';
+ rest = NULL;
+ }
+ goto done;
+ }
+
+ /* Remove it and step one character further.
*/
+ *rest = '\0';
+ rest++;
+
+done:
+ *_value = value;
+
+ return rest;
+}
+
+static char *read_field_as_uint32(char *line,
+ uint32_t *_value)
+{
+ const char *str;
+ char *rest;
+ errno_t ret;
+
+ rest = read_field_as_string(line, &str);
+ if (str == NULL) {
+ *_value = 0;
+ return rest;
+ }
+
+ *_value = strtouint32(str, NULL, 10);
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse number [%d]: %s\n",
+ ret, sss_strerror(ret));
+
+ *_value = 0;
+ }
+
+ return rest;
+}
+
+struct sss_colondb {
+ FILE *file;
+ enum sss_colondb_mode mode;
+};
+
+errno_t sss_colondb_readline(TALLOC_CTX *mem_ctx,
+ struct sss_colondb *db,
+ struct sss_colondb_read_field *table)
+{
+ int readchars;
+ size_t linelen = 0;
+ char *line = NULL;
+ char *tcline;
+ char *rest;
+ errno_t ret;
+ int i;
+
+ if (db->mode != SSS_COLONDB_READ) {
+ return ERR_INTERNAL;
+ }
+
+ readchars = getline(&line, &linelen, db->file);
+ if (readchars == -1) {
+ /* Nothing was read. */
+
+ free(line);
+ line = NULL;
+
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read line [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ return EOF;
+ }
+
+ /* Copy line to mem_ctx.
*/
+ tcline = talloc_strdup(mem_ctx, line);
+
+ free(line);
+ line = NULL;
+
+ if (tcline == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+ return ENOMEM;
+ }
+
+ rest = tcline;
+ for (i = 0; table[i].type != SSS_COLONDB_SENTINEL; i++) {
+ switch (table[i].type) {
+ case SSS_COLONDB_UINT32:
+ rest = read_field_as_uint32(rest, table[i].data.uint32);
+ break;
+ case SSS_COLONDB_STRING:
+ rest = read_field_as_string(rest, table[i].data.str);
+ break;
+ case SSS_COLONDB_SENTINEL:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Trying to process sentinel?!\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ if (rest == NULL && table[i + 1].type != SSS_COLONDB_SENTINEL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Line contains less values than expected!\n");
+ ret = EINVAL;
+ goto done;
+ } else if (rest != NULL && table[i + 1].type == SSS_COLONDB_SENTINEL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Line contains more values than expected!\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(tcline);
+ }
+
+ return ret;
+}
+
+errno_t sss_colondb_writeline(struct sss_colondb *db,
+ struct sss_colondb_write_field *table)
+{
+ TALLOC_CTX *tmp_ctx;
+ char *line = NULL;
+ errno_t ret;
+ int i;
+
+ if (db->mode != SSS_COLONDB_WRITE) {
+ return ERR_INTERNAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return ENOMEM;
+ }
+
+ line = talloc_strdup(tmp_ctx, "");
+ if (line == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; table[i].type != SSS_COLONDB_SENTINEL; i++) {
+ switch (table[i].type) {
+ case SSS_COLONDB_UINT32:
+ if (table[i].data.uint32 == 0) {
+ line = talloc_asprintf_append(line, ":");
+ } else {
+ line = talloc_asprintf_append(line, ":%u", table[i].data.uint32);
+ }
+ break;
+ case SSS_COLONDB_STRING:
+ if (table[i].data.str == NULL) {
+ line = talloc_asprintf_append(line, ":");
+ } else {
+ line =
talloc_asprintf_append(line, ":%s", table[i].data.str);
+ }
+ break;
+ case SSS_COLONDB_SENTINEL:
+ DEBUG(SSSDBG_CRIT_FAILURE, "Trying to process sentinel?!\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ if (line == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ /* Remove starting : */
+ line++;
+
+ fprintf(db->file, "%s\n", line);
+ fflush(db->file);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static int sss_colondb_close(void *pvt)
+{
+ struct sss_colondb *db = talloc_get_type(pvt, struct sss_colondb);
+
+ if (db->file == NULL || IS_STD_FILE(db)) {
+ return 0;
+ }
+
+ fclose(db->file);
+ db->file = NULL;
+
+ return 0;
+}
+
+static FILE *open_db(const char *filename, enum sss_colondb_mode mode)
+{
+ FILE *fp = NULL;
+ errno_t ret;
+
+ errno = 0;
+
+ switch (mode) {
+ case SSS_COLONDB_READ:
+ fp = filename == NULL ? stdin : fopen(filename, "r");
+ break;
+ case SSS_COLONDB_WRITE:
+ fp = filename == NULL ? stdout : fopen(filename, "w");
+ break;
+ }
+
+ if (fp == NULL && filename != NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to open file %s [%d]: %s\n",
+ filename, ret, sss_strerror(ret));
+ }
+
+ return fp;
+}
+
+struct sss_colondb *sss_colondb_open(TALLOC_CTX *mem_ctx,
+ enum sss_colondb_mode mode,
+ const char *filename)
+{
+ struct sss_colondb *db;
+
+ db = talloc_zero(mem_ctx, struct sss_colondb);
+ if (db == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");
+ return NULL;
+ }
+
+ db->file = open_db(filename, mode);
+ db->mode = mode;
+
+ if (db->file == NULL) {
+ talloc_free(db);
+ return NULL;
+ }
+
+ talloc_set_destructor((TALLOC_CTX *)db, sss_colondb_close);
+
+ return db;
+}
diff --git a/src/tools/common/sss_colondb.h b/src/tools/common/sss_colondb.h
new file mode 100644
index 0000000..cb90400
--- /dev/null
+++ b/src/tools/common/sss_colondb.h
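Review bot: `read_field_as_uint32` in sss_colondb.c accepts malformed numbers: it calls `strtouint32(str, NULL, 10)` with no end pointer, so (assuming strtoul-like semantics) a field such as `12abc` is taken as 12, and when `errno` is set it only logs and stores 0, so `sss_colondb_readline` still returns EOK for the line. Because `sss_colondb_writeline` writes 0 as an empty field, a bad numeric field in an input file becomes indistinguishable from an unset one. I would pass an end pointer and test it, `*_value = strtouint32(str, &endptr, 10);` with `if (errno != 0 || endptr == str || *endptr != '\0')`, and report the failure to the caller (for example through an extra out-parameter) so the line is rejected with EINVAL. In the same hunk, `sss_colondb_readline` tests `errno` after `getline()` returns -1 without an `errno = 0;` before the call, so a stale value can turn end of input into an error. `sss_colondb_writeline` also emits string fields with `:%s` without rejecting `:` or newline characters in the value, which would shift the fields when the line is read back.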
@@ -0,0 +1,96 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SSS_COLONDB_H_
+#define _SSS_COLONDB_H_
+
+#include
+#include
+#include
+#include
+
+struct sss_colondb;
+
+enum sss_colondb_mode {
+ SSS_COLONDB_READ,
+ SSS_COLONDB_WRITE
+};
+
+enum sss_colondb_type {
+ SSS_COLONDB_UINT32,
+ SSS_COLONDB_STRING,
+ SSS_COLONDB_SENTINEL
+};
+
+union sss_colondb_write_data {
+ uint32_t uint32;
+ const char *str;
+};
+
+union sss_colondb_read_data {
+ uint32_t *uint32;
+ const char **str;
+};
+
+struct sss_colondb_write_field {
+ enum sss_colondb_type type;
+ union sss_colondb_write_data data;
+};
+
+struct sss_colondb_read_field {
+ enum sss_colondb_type type;
+ union sss_colondb_read_data data;
+};
+
+/**
+ * Open colon DB and return connection.
+ * @param[in|out] mem_ctx Memory context. Internal sss_colondb_close() is set
+ * on destructor of this memory context.
+ * @param[in] mode Open mode of db: SSS_COLONDB_READ or SSS_COLONDB_WRITE.
+ * @param[in] filename Name of file.
+ * @return Pointer to structure holding DB connection, or NULL if fail.
+ */
+struct sss_colondb *sss_colondb_open(TALLOC_CTX *mem_ctx,
+ enum sss_colondb_mode mode,
+ const char *filename);
+
+/**
+ * Read line from colon DB.
+ * @param[in|out] mem_ctx Memory context.
+ * @param[in] db Pointer to structure holding DB connection.
+ * @param[in|out] table Array of expected structure of line. It is expected
+ * that last item has SSS_COLONDB_SENTINEL type.
+ * @return EOK if success, else error code.
+ */
+errno_t sss_colondb_readline(TALLOC_CTX *mem_ctx,
+ struct sss_colondb *db,
+ struct sss_colondb_read_field *table);
+
+/**
+ * Write line to colon DB.
+ * @param[in] db Pointer to structure holding DB connection.
+ * @param[in] table Array with data. It is expected that last item has
+ * SSS_COLONDB_SENTINEL type.
+ * @return EOK if success, else error code.
+ */
+errno_t sss_colondb_writeline(struct sss_colondb *db,
+ struct sss_colondb_write_field *table);
+
+#endif /* _SSS_COLONDB_H_ */
diff --git a/src/tools/common/sss_process.c b/src/tools/common/sss_process.c
new file mode 100644
index 0000000..fc710a5
--- /dev/null
+++ b/src/tools/common/sss_process.c
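Review bot: The doc comment for `sss_colondb_readline` in sss_colondb.h says `@return EOK if success, else error code`, but the implementation in sss_colondb.c returns `EOF` when `getline()` reaches the end of input, which callers have to tell apart from a failure. I would change the line to `@return EOK on success, EOF when there are no more lines, else error code.` The comment should also say that string fields point into a copy of the line allocated on `mem_ctx`, so they stay valid only as long as that context does.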
@@ -0,0 +1,124 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "tools/common/sss_process.h"
+
+static pid_t parse_pid(const char *strpid)
+{
+ long value;
+ char *endptr;
+
+ errno = 0;
+ value = strtol(strpid, &endptr, 10);
+ if ((errno != 0) || (endptr == strpid)
+ || ((*endptr != '\0') && (*endptr != '\n'))) {
+ return 0;
+ }
+
+ return value;
+}
+
+static errno_t sss_pid(pid_t *out_pid)
+{
+ int ret;
+ size_t fsize;
+ FILE *pid_file;
+ char pid_str[MAX_PID_LENGTH] = {'\0'};
+
+ *out_pid = 0;
+
+ errno = 0;
+ pid_file = fopen(SSSD_PIDFILE, "r");
+ if (pid_file == NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to open pid file \"%s\": %s\n",
+ SSSD_PIDFILE, strerror(ret));
+ goto done;
+ }
+
+ fsize = fread(pid_str, sizeof(char), MAX_PID_LENGTH * sizeof(char),
+ pid_file);
+ if (!feof(pid_file)) {
+ /* eof not reached */
+ ret = ferror(pid_file);
+ if (ret != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to read from file \"%s\": %s\n",
+ SSSD_PIDFILE, strerror(ret));
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "File \"%s\" contains invalid pid.\n",
+ SSSD_PIDFILE);
+ }
+ goto done;
+ }
+ if (fsize == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "File \"%s\" contains no pid.\n",
+ SSSD_PIDFILE);
+ ret = EINVAL;
+ goto done;
+ }
+
+ pid_str[MAX_PID_LENGTH-1] = '\0';
+ *out_pid =
parse_pid(pid_str);
+ if (*out_pid == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "File \"%s\" contains invalid pid.\n", SSSD_PIDFILE);
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (pid_file != NULL) {
+ fclose(pid_file);
+ }
+ return ret;
+}
+
+bool sss_daemon_running(void)
+{
+ return sss_signal(0) == EOK;
+}
+
+errno_t sss_signal(int signum)
+{
+ int ret;
+ pid_t pid;
+
+ ret = sss_pid(&pid);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (kill(pid, signum) != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not send signal %d to process %d: %s\n",
+ signum, pid, strerror(errno));
+ return ret;
+ }
+
+ return EOK;
+}
diff --git a/src/tools/common/sss_process.h b/src/tools/common/sss_process.h
new file mode 100644
index 0000000..6bbb094
--- /dev/null
+++ b/src/tools/common/sss_process.h
@@ -0,0 +1,29 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SSS_PROCESS_H_
+#define _SSS_PROCESS_H_
+
+#include "util/util.h"
+
+bool sss_daemon_running(void);
+errno_t sss_signal(int signum);
+
+#endif /* _SSS_PROCESS_H_ */
diff --git a/src/tools/common/sss_tools.c b/src/tools/common/sss_tools.c
new file mode 100644
index 0000000..701db2d
--- /dev/null
+++ b/src/tools/common/sss_tools.c
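Review bot: `sss_pid` in sss_process.c can return success with a pid of 0: when `fread` fills the buffer without reaching end of file and `ferror()` reports no error, the `else` branch logs "contains invalid pid" but leaves `ret` at 0 and jumps to `done`, so (assuming EOK is 0) `sss_signal` goes on to call `kill(0, signum)`, which addresses the caller's own process group rather than the daemon. That branch needs `ret = EINVAL;`, and the error branch should not pass the `ferror()` flag to `strerror()` or return it as an errno (`ret = EIO;` would do). `parse_pid` also returns negative values unchanged, and a negative pid has process-group or broadcast meaning for `kill()`, so I would add `if (value <= 0) return 0;` before `return value;`.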
@@ -0,0 +1,574 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+
+#include "config.h"
+#include "util/util.h"
+#include "confdb/confdb.h"
+#include "confdb/confdb_setup.h"
+#include "db/sysdb.h"
+#include "tools/common/sss_tools.h"
+
+static void sss_tool_print_common_opts(int min_len)
+{
+ fprintf(stderr, _("Help options:\n"));
+ fprintf(stderr, " %-*s\t %s\n", min_len, "-?, --help",
+ _("Show this for a command"));
+ fprintf(stderr, " %-*s\t %s\n", min_len, "--usage",
+ _("Show brief usage message for a command"));
+}
+
+static struct poptOption *sss_tool_common_opts_table(void)
+{
+ static struct poptOption common_opts[] = {
+ {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, NULL,
+ 0, NULL, NULL },
+ POPT_TABLEEND
+ };
+
+ common_opts[0].descrip = _("The debug level to run with");
+
+ return common_opts;
+}
+
+static void sss_tool_common_opts(struct sss_tool_ctx *tool_ctx,
+ int *argc, const char **argv)
+{
+ poptContext pc;
+ int debug = SSSDBG_DEFAULT;
+ int orig_argc = *argc;
+ int help = 0;
+ int opt;
+
+ struct poptOption options[] = {
+ {"debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_STRIP, &debug,
+ 0, _("The debug level to run with"), NULL },
+ {"help", '?', POPT_ARG_VAL | POPT_ARGFLAG_DOC_HIDDEN, &help,
+ 1, NULL, NULL },
+ POPT_TABLEEND
+ };
+
+ pc = poptGetContext(argv[0], orig_argc, argv, options, 0);
+ while ((opt = poptGetNextOpt(pc)) != -1) {
+ /* do nothing */
+ }
+
+ /* Strip common options from arguments. We will discard_const here,
+ * since it is not worth the trouble to convert it back and forth. */
+ *argc = poptStrippedArgv(pc, orig_argc, discard_const_p(char *, argv));
+ tool_ctx->print_help = help;
+
+ DEBUG_CLI_INIT(debug);
+
+ poptFreeContext(pc);
+}
+
+static errno_t sss_tool_confdb_init(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx **_confdb)
+{
+ struct confdb_ctx *confdb;
+ char *path;
+ errno_t ret;
+
+ path = talloc_asprintf(mem_ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+ if (path == NULL) {
+ return ENOMEM;
+ }
+
+ ret = confdb_setup(mem_ctx, path,
+ SSSD_CONFIG_FILE, CONFDB_DEFAULT_CONFIG_DIR,
+ &confdb);
+ talloc_zfree(path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to setup ConfDB [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (_confdb != NULL) {
+ *_confdb = confdb;
+ }
+
+ return EOK;
+}
+
+static errno_t sss_tool_domains_init(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *confdb,
+ struct sss_domain_info **_domains)
+{
+ struct sss_domain_info *domains;
+ struct sss_domain_info *dom;
+ errno_t ret;
+
+ ret = confdb_expand_app_domains(confdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unable to expand application domains [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = confdb_get_domains(confdb, &domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ ret = sysdb_init(mem_ctx, domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not initialize connection to the sysdb\n");
+ return ret;
+ }
+
+ for (dom = domains; dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ if (!IS_SUBDOMAIN(dom)) {
+ /* Get flat name and domain ID (SID) from the cache
+ * if available */
+ ret = sysdb_master_domain_update(dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to update domain %s.\n",
+ dom->name);
+ }
+
+ /* Update list of subdomains for this domain */
+ ret = sysdb_update_subdomains(dom, confdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to update subdomains for domain %s.\n",
+ dom->name);
+ }
+ }
+ }
+
+ for (dom = domains; dom != NULL;
+ dom = get_next_domain(dom, SSS_GND_DESCEND)) {
+ ret = sss_names_init(mem_ctx, confdb, dom->name, &dom->names);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_names_init() failed\n");
+ return ret;
+ }
+ }
+
+ *_domains = domains;
+
+ return ret;
+}
+
+errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
+ int *argc, const char **argv,
+ struct sss_tool_ctx **_tool_ctx)
+{
+ struct sss_tool_ctx *tool_ctx;
+
+ tool_ctx = talloc_zero(mem_ctx, struct sss_tool_ctx);
+ if (tool_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero() failed\n");
+ return ENOMEM;
+ }
+
+ sss_tool_common_opts(tool_ctx, argc, argv);
+ *_tool_ctx = tool_ctx;
+
+ return EOK;
+}
+
+static bool sss_tool_is_delimiter(struct sss_route_cmd *command)
+{
+ if (command->command != NULL && command->command[0] == '\0') {
+ return true;
+ }
+
+ return false;
+}
+
+static bool sss_tools_handles_init_error(struct sss_route_cmd *command,
+ errno_t init_err)
+{
+ if (init_err == EOK) {
+ return true;
+ }
+
+ return command->handles_init_err == init_err;
+}
+
+static size_t sss_tool_max_length(struct sss_route_cmd *commands)
+{
+ size_t max = 0;
+ size_t len;
+ int i;
+
+ for (i = 0; commands[i].command != NULL; i++) {
+ if (sss_tool_is_delimiter(&commands[i])) {
+ continue;
+ }
+
+ len = strlen(commands[i].command);
+ if (max < len) {
+ max = len;
+ }
+ }
+
+ return max;
+}
+
+void sss_tool_usage(const char *tool_name, struct sss_route_cmd *commands)
+{
+ int min_len;
+ int i;
+
+ fprintf(stderr, _("Usage:\n%s COMMAND COMMAND-ARGS\n\n"), tool_name);
+ fprintf(stderr, _("Available commands:\n"));
+
+ min_len = sss_tool_max_length(commands);
+
+ for (i = 0; commands[i].command != NULL; i++) {
+ if (sss_tool_is_delimiter(&commands[i])) {
+ fprintf(stderr, "\n%s\n", commands[i].description);
+ continue;
+ }
+
+ if (commands[i].description == NULL) {
+ fprintf(stderr, "* %40s\n", commands[i].command);
+ } else {
+ fprintf(stderr, "* %-*s\t %s\n",
+ min_len, commands[i].command, commands[i].description);
+ }
+ }
+
+ fprintf(stderr, _("\n"));
+ sss_tool_print_common_opts(min_len);
+}
+
+static int tool_cmd_init(struct sss_tool_ctx *tool_ctx,
+ struct sss_route_cmd *command)
+{
+ int ret;
+
+ if (command->flags & SSS_TOOL_FLAG_SKIP_CMD_INIT) {
+ return EOK;
+ }
+
+ /* Connect to confdb. */
+ ret = sss_tool_confdb_init(tool_ctx, &tool_ctx->confdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to open confdb [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* Setup domains. */
+ ret = sss_tool_domains_init(tool_ctx, tool_ctx->confdb, &tool_ctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to setup domains [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ ret = confdb_get_string(tool_ctx->confdb, tool_ctx,
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_MONITOR_DEFAULT_DOMAIN,
+ NULL, &tool_ctx->default_domain);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot get the default domain [%d]: %s\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+errno_t sss_tool_route(int argc, const char **argv,
+ struct sss_tool_ctx *tool_ctx,
+ struct sss_route_cmd *commands,
+ void *pvt)
+{
+ struct sss_cmdline cmdline;
+ const char *cmd;
+ int i;
+ int ret;
+
+ if (commands == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Bug: commands can't be NULL!\n");
+ return EINVAL;
+ }
+
+ if (argc < 2) {
+ sss_tool_usage(argv[0], commands);
+ return EINVAL;
+ }
+
+ cmd = argv[1];
+ for (i = 0; commands[i].command != NULL; i++) {
+ if (sss_tool_is_delimiter(&commands[i])) {
+ continue;
+ }
+
+ if (strcmp(commands[i].command, cmd) == 0) {
+ cmdline.exec = argv[0];
+ cmdline.command = argv[1];
+ cmdline.argc = argc - 2;
+ cmdline.argv = argv + 2;
+
+ if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err)) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Command %s does not handle initialization error [%d] %s\n",
+ cmdline.command, tool_ctx->init_err,
+ sss_strerror(tool_ctx->init_err));
+ return tool_ctx->init_err;
+ }
+
+ if (!tool_ctx->print_help) {
+ ret = tool_cmd_init(tool_ctx, &commands[i]);
+ if (ret == ERR_SYSDB_VERSION_TOO_OLD) {
+ tool_ctx->init_err = ret;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Command initialization failed [%d] %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+ }
+
+ return commands[i].fn(&cmdline, tool_ctx, pvt);
+ }
+ }
+
+ sss_tool_usage(argv[0], commands);
+ return EINVAL;
+}
+
+static struct poptOption *nonnull_popt_table(struct poptOption *options)
+{
+ static struct poptOption empty[] = {
+ POPT_TABLEEND
+ };
+
+ if (options == NULL) {
+ return empty;
+ }
+
+ return options;
+}
+
+errno_t sss_tool_popt_ex(struct sss_cmdline *cmdline,
+ struct poptOption *options,
+ enum sss_tool_opt require_option,
+ sss_popt_fn popt_fn,
+ void *popt_fn_pvt,
+ const char *fopt_name,
+ const char *fopt_help,
+ const char **_fopt,
+ bool *_opt_set)
+{
+ struct poptOption opts_table[] = {
+ {NULL, '\0', POPT_ARG_INCLUDE_TABLE, nonnull_popt_table(options), \
+ 0, _("Command options:"), NULL },
+ {NULL, '\0', POPT_ARG_INCLUDE_TABLE, sss_tool_common_opts_table(), \
+ 0, NULL, NULL },
+ POPT_AUTOHELP
+ POPT_TABLEEND
+ };
+ const char *fopt;
+ char *help;
+ poptContext pc;
+ bool opt_set;
+ int ret;
+
+ /* Create help option string. We always need to append command name since
+ * we use POPT_CONTEXT_KEEP_FIRST. */
+ if (fopt_name == NULL) {
+ help = talloc_asprintf(NULL, "%s %s %s", cmdline->exec,
+ cmdline->command, _("[OPTIONS...]"));
+ } else {
+ help = talloc_asprintf(NULL, "%s %s %s %s", cmdline->exec,
+ cmdline->command, fopt_name, _("[OPTIONS...]"));
+ }
+ if (help == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ return ENOMEM;
+ }
+
+ /* Create popt context. This function is supposed to be called on
+ * command argv which does not contain executable (argv[0]), therefore
+ * we need to use KEEP_FIRST that ensures argv[0] is also processed. */
+ pc = poptGetContext(cmdline->exec, cmdline->argc, cmdline->argv,
+ opts_table, POPT_CONTEXT_KEEP_FIRST);
+
+ poptSetOtherOptionHelp(pc, help);
+
+ /* Parse options. Invoke custom function if provided. If no parsing
+ * function is provided, print error on unknown option. */
+ while ((ret = poptGetNextOpt(pc)) != -1) {
+ if (popt_fn != NULL) {
+ ret = popt_fn(pc, ret, popt_fn_pvt);
+ if (ret != EOK) {
+ goto done;
+ }
+ } else {
+ fprintf(stderr, _("Invalid option %s: %s\n\n"),
+ poptBadOption(pc, 0), poptStrerror(ret));
+ poptPrintHelp(pc, stderr, 0);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ /* Parse free option which is always required if requested. */
+ fopt = poptGetArg(pc);
+ if (_fopt != NULL) {
+ if (fopt == NULL) {
+ fprintf(stderr, _("Missing option: %s\n\n"), fopt_help);
+ poptPrintHelp(pc, stderr, 0);
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* No more arguments expected. If something follows it is an error. */
+ if (poptGetArg(pc)) {
+ fprintf(stderr, _("Only one free argument is expected!\n\n"));
+ poptPrintHelp(pc, stderr, 0);
+ ret = EINVAL;
+ goto done;
+ }
+
+ *_fopt = fopt;
+ } else if (_fopt == NULL && fopt != NULL) {
+ /* Unexpected free argument. */
+ fprintf(stderr, _("Unexpected parameter: %s\n\n"), fopt);
+ poptPrintHelp(pc, stderr, 0);
+ ret = EINVAL;
+ goto done;
+ }
+
+ opt_set = true;
+ if ((_fopt != NULL && cmdline->argc < 2) || cmdline->argc < 1) {
+ opt_set = false;
+
+ /* If at least one option is required and not provided, print error. */
+ if (require_option == SSS_TOOL_OPT_REQUIRED) {
+ fprintf(stderr, _("At least one option is required!\n\n"));
+ poptPrintHelp(pc, stderr, 0);
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ if (_opt_set != NULL) {
+ *_opt_set = opt_set;
+ }
+
+ ret = EOK;
+
+done:
+ poptFreeContext(pc);
+ talloc_free(help);
+ return ret;
+}
+
+errno_t sss_tool_popt(struct sss_cmdline *cmdline,
+ struct poptOption *options,
+ enum sss_tool_opt require_option,
+ sss_popt_fn popt_fn,
+ void *popt_fn_pvt)
+{
+ return sss_tool_popt_ex(cmdline, options, require_option,
+ popt_fn, popt_fn_pvt, NULL, NULL, NULL, NULL);
+}
+
+int sss_tool_main(int argc, const char **argv,
+ struct sss_route_cmd *commands,
+ void *pvt)
+{
+ struct sss_tool_ctx *tool_ctx;
+ uid_t uid;
+ errno_t ret;
+
+ uid = getuid();
+ if (uid != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", uid);
+ ERROR("%1$s must be run as root\n", argv[0]);
+ return EXIT_FAILURE;
+ }
+
+ ret = sss_tool_init(NULL, &argc, argv, &tool_ctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tool context\n");
+ return EXIT_FAILURE;
+ }
+
+ ret = sss_tool_route(argc, argv, tool_ctx, commands, pvt);
+ SYSDB_VERSION_ERROR(ret);
+ talloc_free(tool_ctx);
+ if (ret != EOK) {
+ return EXIT_FAILURE;
+ }
+
+ return EXIT_SUCCESS;
+}
+
+errno_t sss_tool_parse_name(TALLOC_CTX *mem_ctx,
+ struct sss_tool_ctx *tool_ctx,
+ const char *input,
+ const char **_username,
+ struct sss_domain_info **_domain)
+{
+ char *username = NULL;
+ char *domname = NULL;
+ struct sss_domain_info *domain;
+ int ret;
+
+ ret = sss_parse_name_for_domains(mem_ctx, tool_ctx->domains,
+ tool_ctx->default_domain, input,
+ &domname, &username);
+ if (ret == EAGAIN) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find domain. The domain name may "
+ "be a subdomain that was not yet found.\n");
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ domain = find_domain_by_name(tool_ctx->domains, domname, true);
+
+ *_username = username;
+ *_domain = domain;
+
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_zfree(username);
+ talloc_zfree(domname);
+ }
+
+ return ret;
+}
diff --git a/src/tools/common/sss_tools.h b/src/tools/common/sss_tools.h
new file mode 100644
index 0000000..0e4308e
--- /dev/null
+++ b/src/tools/common/sss_tools.h
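Review bot: In sss_tools.c, `sss_tool_route()` calls `sss_tools_handles_init_error()` before `tool_cmd_init()` has run, so the gate only sees whatever `tool_ctx->init_err` held on entry. On the `sss_tool_main()` path that is zero, because the context comes from `talloc_zero()`. When `tool_cmd_init()` then returns `ERR_SYSDB_VERSION_TOO_OLD`, the error is stored and `commands[i].fn` is still invoked, even for a command whose `handles_init_err` does not match, and possibly with `tool_ctx->domains` and `default_domain` left unset. Moving the `if (!sss_tools_handles_init_error(&commands[i], tool_ctx->init_err))` block to just after the `if (!tool_ctx->print_help) { ... }` block would make the check apply to the error this call produced.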
@@ -0,0 +1,113 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2015 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SSS_TOOLS_H_
+#define _SSS_TOOLS_H_
+
+#include
+#include
+
+#include "confdb/confdb.h"
+
+struct sss_tool_ctx {
+ struct confdb_ctx *confdb;
+
+ bool print_help;
+ errno_t init_err;
+ char *default_domain;
+ struct sss_domain_info *domains;
+};
+
+errno_t sss_tool_init(TALLOC_CTX *mem_ctx,
+ int *argc, const char **argv,
+ struct sss_tool_ctx **_tool_ctx);
+
+struct sss_cmdline {
+ const char *exec; /* argv[0] */
+ const char *command; /* command name */
+ int argc; /* rest of arguments */
+ const char **argv;
+};
+
+typedef errno_t
+(*sss_route_fn)(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+#define SSS_TOOL_COMMAND_FLAGS(cmd, msg, err, fn, flags) \
+ {cmd, _(msg), err, fn, flags}
+#define SSS_TOOL_COMMAND(cmd, msg, err, fn) \
+ {cmd, _(msg), err, fn, 0}
+#define SSS_TOOL_COMMAND_NOMSG(cmd, err, fn) {cmd, NULL, err, fn, 0}
+#define SSS_TOOL_DELIMITER(message) {"", _(message), 0, NULL, 0}
+#define SSS_TOOL_LAST {NULL, NULL, 0, NULL, 0}
+
+#define SSS_TOOL_FLAG_SKIP_CMD_INIT 0x01
+
+struct sss_route_cmd {
+ const char *command;
+ const char *description;
+ errno_t handles_init_err;
+ sss_route_fn fn;
+ int flags;
+};
+
+void sss_tool_usage(const char *tool_name,
+ struct sss_route_cmd *commands);
+
+errno_t sss_tool_route(int argc, const char **argv,
+ struct sss_tool_ctx *tool_ctx,
+ struct sss_route_cmd *commands,
+ void *pvt);
+
+typedef errno_t (*sss_popt_fn)(poptContext pc, char option, void *pvt);
+
+enum sss_tool_opt {
+ SSS_TOOL_OPT_REQUIRED,
+ SSS_TOOL_OPT_OPTIONAL
+};
+
+errno_t sss_tool_popt_ex(struct sss_cmdline *cmdline,
+ struct poptOption *options,
+ enum sss_tool_opt require_option,
+ sss_popt_fn popt_fn,
+ void *popt_fn_pvt,
+ const char *fopt_name,
+ const char *fopt_help,
+ const char **_fopt,
+ bool *_opt_set);
+
+errno_t sss_tool_popt(struct sss_cmdline *cmdline,
+ struct poptOption *options,
+ enum sss_tool_opt require_option,
+ sss_popt_fn popt_fn,
+ void *popt_fn_pvt);
+
+int sss_tool_main(int argc, const char **argv,
+ struct sss_route_cmd *commands,
+ void *pvt);
+
+errno_t sss_tool_parse_name(TALLOC_CTX *mem_ctx,
+ struct sss_tool_ctx *tool_ctx,
+ const char *input,
+ const char **_username,
+ struct sss_domain_info **_domain);
+
+#endif /* SRC_TOOLS_COMMON_SSS_TOOLS_H_ */
diff --git a/src/tools/sss_cache.c b/src/tools/sss_cache.c
new file mode 100644
index 0000000..8a40b38
--- /dev/null
+++ b/src/tools/sss_cache.c
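Review bot: In sss_tools.h, `sss_popt_fn` declares its second parameter as `char option`, but `sss_tool_popt_ex()` in sss_tools.c passes it the `int` returned by `poptGetNextOpt()`. That narrows the value, and because the signedness of plain `char` is implementation-defined, a negative popt error code reaches the callback as a positive number on targets where `char` is unsigned. I would declare it as `typedef errno_t (*sss_popt_fn)(poptContext pc, int option, void *pvt);`. The closing guard comment `/* SRC_TOOLS_COMMON_SSS_TOOLS_H_ */` also does not match the `_SSS_TOOLS_H_` guard that the file opens.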
@@ -0,0 +1,962 @@ +/* + SSSD + + sss_cache + + Copyright (C) Jan Zeleny 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "tools/sss_sync_ops.h" +#include "db/sysdb.h" +#include "db/sysdb_services.h" +#include "db/sysdb_autofs.h" +#include "db/sysdb_ssh.h" +#include "db/sysdb_sudo.h" + +#define INVALIDATE_NONE 0 +#define INVALIDATE_USERS 1 +#define INVALIDATE_GROUPS 2 +#define INVALIDATE_NETGROUPS 4 +#define INVALIDATE_SERVICES 8 +#define INVALIDATE_AUTOFSMAPS 16 +#define INVALIDATE_SSH_HOSTS 32 +#define INVALIDATE_SUDO_RULES 64 + +#ifdef BUILD_AUTOFS +#ifdef BUILD_SSH +#define INVALIDATE_EVERYTHING (INVALIDATE_USERS | INVALIDATE_GROUPS | \ + INVALIDATE_NETGROUPS | INVALIDATE_SERVICES | \ + INVALIDATE_AUTOFSMAPS | INVALIDATE_SSH_HOSTS ) +#else /* BUILD_SSH */ +#define INVALIDATE_EVERYTHING (INVALIDATE_USERS | INVALIDATE_GROUPS | \ + INVALIDATE_NETGROUPS | INVALIDATE_SERVICES | \ + INVALIDATE_AUTOFSMAPS ) +#endif /* BUILD_SSH */ +#else /* BUILD_AUTOFS */ +#ifdef BUILD_SSH +#define INVALIDATE_EVERYTHING (INVALIDATE_USERS | INVALIDATE_GROUPS | \ + INVALIDATE_NETGROUPS | INVALIDATE_SERVICES | \ + INVALIDATE_SSH_HOSTS ) +#else /* BUILD_SSH */ +#define INVALIDATE_EVERYTHING (INVALIDATE_USERS | INVALIDATE_GROUPS | \ + INVALIDATE_NETGROUPS | INVALIDATE_SERVICES ) +#endif /* BUILD_SSH */ +#endif /* BUILD_AUTOFS */ + +enum 
sss_cache_entry { + TYPE_USER=0, + TYPE_GROUP, + TYPE_NETGROUP, + TYPE_SERVICE, + TYPE_AUTOFSMAP, + TYPE_SSH_HOST, + TYPE_SUDO_RULE +}; + +static errno_t search_autofsmaps(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *sub_filter, const char **attrs, + size_t *msgs_count, struct ldb_message ***msgs); + +struct input_values { + char *domain; + char *group; + char *map; + char *netgroup; + char *service; + char *ssh_host; + char *sudo_rule; + char *user; +}; + +struct cache_tool_ctx { + struct confdb_ctx *confdb; + struct sss_domain_info *domains; + + char *user_filter; + char *group_filter; + char *netgroup_filter; + char *service_filter; + char *autofs_filter; + char *ssh_host_filter; + char *sudo_rule_filter; + + char *user_name; + char *group_name; + char *netgroup_name; + char *service_name; + char *autofs_name; + char *ssh_host_name; + char *sudo_rule_name; + + bool update_user_filter; + bool update_group_filter; + bool update_netgroup_filter; + bool update_service_filter; + bool update_autofs_filter; + bool update_ssh_host_filter; + bool update_sudo_rule_filter; +}; + +static void free_input_values(struct input_values *values); +static bool is_filter_valid(struct cache_tool_ctx *ctx, + struct input_values *values, int idb); +static errno_t init_domains(struct cache_tool_ctx *ctx, + const char *domain); +static errno_t init_context(int argc, const char *argv[], + struct cache_tool_ctx **tctx); +static errno_t invalidate_entry(TALLOC_CTX *ctx, + struct sss_domain_info *domain, + const char *name, int entry_type); +static bool invalidate_entries(TALLOC_CTX *ctx, + struct sss_domain_info *dinfo, + enum sss_cache_entry entry_type, + const char *filter, const char *name); +static errno_t update_all_filters(struct cache_tool_ctx *tctx, + struct sss_domain_info *dinfo); +static int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain, + const char *name); +static int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain, + 
const char *name); + +int main(int argc, const char *argv[]) +{ + errno_t ret; + struct cache_tool_ctx *tctx = NULL; + struct sysdb_ctx *sysdb; + bool skipped = true; + struct sss_domain_info *dinfo; + + ret = init_context(argc, argv, &tctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error initializing context for the application\n"); + goto done; + } + + for (dinfo = tctx->domains; dinfo; + dinfo = get_next_domain(dinfo, SSS_GND_DESCEND)) { + if (!IS_SUBDOMAIN(dinfo)) { + /* Update list of subdomains for this domain */ + ret = sysdb_update_subdomains(dinfo, tctx->confdb); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to update subdomains for domain %s.\n", dinfo->name); + } + } + + sysdb = dinfo->sysdb; + /* Update filters for each domain */ + ret = update_all_filters(tctx, dinfo); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to update filters.\n"); + goto done; + } + + ret = sysdb_transaction_start(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not start the transaction!\n"); + goto done; + } + + skipped &= !invalidate_entries(tctx, dinfo, TYPE_USER, + tctx->user_filter, + tctx->user_name); + skipped &= !invalidate_entries(tctx, dinfo, TYPE_GROUP, + tctx->group_filter, + tctx->group_name); + skipped &= !invalidate_entries(tctx, dinfo, TYPE_NETGROUP, + tctx->netgroup_filter, + tctx->netgroup_name); + skipped &= !invalidate_entries(tctx, dinfo, TYPE_SERVICE, + tctx->service_filter, + tctx->service_name); + skipped &= !invalidate_entries(tctx, dinfo, TYPE_AUTOFSMAP, + tctx->autofs_filter, + tctx->autofs_name); + skipped &= !invalidate_entries(tctx, dinfo, TYPE_SSH_HOST, + tctx->ssh_host_filter, + tctx->ssh_host_name); + skipped &= !invalidate_entries(tctx, dinfo, TYPE_SUDO_RULE, + tctx->sudo_rule_filter, + tctx->sudo_rule_name); + + ret = sysdb_transaction_commit(sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not commit the transaction!\n"); + ret = sysdb_transaction_cancel(sysdb); + if (ret 
!= EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to cancel transaction\n"); + } + } + } + + if (skipped == true) { + ERROR("No cache object matched the specified search\n"); + ret = ENOENT; + goto done; + } else { + ret = sss_memcache_clear_all(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to clear memory cache.\n"); + goto done; + } + } + + ret = EOK; +done: + if (tctx) talloc_free(tctx); + return ret; +} + +static void free_input_values(struct input_values *values) +{ + free(values->domain); + free(values->group); + free(values->map); + free(values->netgroup); + free(values->service); + free(values->ssh_host); + free(values->sudo_rule); + free(values->user); +} + +static errno_t update_filter(struct cache_tool_ctx *tctx, + struct sss_domain_info *dinfo, + char *name, bool update, const char *fmt, + enum sss_cache_entry entry_type, + bool force_case_sensitivity, + char **_filter) +{ + errno_t ret; + char *parsed_domain = NULL; + char *parsed_name = NULL; + TALLOC_CTX *tmp_ctx = NULL; + char *use_name = NULL; + char *filter; + char *sanitized; + char *lc_sanitized; + + if (!name || !update) { + /* Nothing to do */ + return EOK; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory.\n"); + return ENOMEM; + } + + ret = sss_parse_name(tmp_ctx, dinfo->names, name, + &parsed_domain, &parsed_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_name failed\n"); + goto done; + } + + if (parsed_domain != NULL && strcasecmp(dinfo->name, parsed_domain) != 0) { + /* We were able to parse the domain from given fqdn, but it + * does not match with currently processed domain. 
*/ + filter = NULL; + ret = EOK; + goto done; + } + + if (!dinfo->case_sensitive && !force_case_sensitivity) { + use_name = sss_tc_utf8_str_tolower(tmp_ctx, parsed_name); + if (!use_name) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); + ret = ENOMEM; + goto done; + } + } else { + use_name = parsed_name; + } + + switch (entry_type) { + case TYPE_USER: + case TYPE_GROUP: + use_name = sss_create_internal_fqname(tmp_ctx, use_name, dinfo->name); + default: + break; + } + if (!use_name) { + ret = ENOMEM; + goto done; + } + + ret = sss_filter_sanitize_for_dom(tmp_ctx, use_name, dinfo, + &sanitized, &lc_sanitized); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to sanitize the given name.\n"); + goto done; + } + + if (fmt) { + if (!dinfo->case_sensitive && !force_case_sensitivity) { + filter = talloc_asprintf(tmp_ctx, "(|(%s=%s)(%s=%s))", + SYSDB_NAME_ALIAS, lc_sanitized, + SYSDB_NAME_ALIAS, sanitized); + } else { + filter = talloc_asprintf(tmp_ctx, fmt, SYSDB_NAME, sanitized); + } + } else { + filter = talloc_strdup(tmp_ctx, sanitized); + } + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory\n"); + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + if (ret == EOK) { + talloc_free(*_filter); + *_filter = talloc_steal(tctx, filter); + } + + talloc_free(tmp_ctx); + return ret; + +} + +/* This function updates all filters for specified domain using this + * domains regex to parse string into domain and name (if exists). 
*/ +static errno_t update_all_filters(struct cache_tool_ctx *tctx, + struct sss_domain_info *dinfo) +{ + errno_t ret; + + /* Update user filter */ + ret = update_filter(tctx, dinfo, tctx->user_name, + tctx->update_user_filter, "(%s=%s)", + TYPE_USER, false, + &tctx->user_filter); + if (ret != EOK) { + return ret; + } + + /* Update group filter */ + ret = update_filter(tctx, dinfo, tctx->group_name, + tctx->update_group_filter, "(%s=%s)", + TYPE_GROUP, false, + &tctx->group_filter); + if (ret != EOK) { + return ret; + } + + /* Update netgroup filter */ + ret = update_filter(tctx, dinfo, tctx->netgroup_name, + tctx->update_netgroup_filter, "(%s=%s)", + TYPE_NETGROUP, false, + &tctx->netgroup_filter); + if (ret != EOK) { + return ret; + } + + /* Update service filter */ + ret = update_filter(tctx, dinfo, tctx->service_name, + tctx->update_service_filter, "(%s=%s)", + TYPE_SERVICE, false, + &tctx->service_filter); + if (ret != EOK) { + return ret; + } + + /* Update autofs filter */ + ret = update_filter(tctx, dinfo, tctx->autofs_name, + tctx->update_autofs_filter, + "(&(objectclass="SYSDB_AUTOFS_MAP_OC")(%s=%s))", + TYPE_AUTOFSMAP, true, + &tctx->autofs_filter); + if (ret != EOK) { + return ret; + } + + /* Update ssh host filter */ + ret = update_filter(tctx, dinfo, tctx->ssh_host_name, + tctx->update_ssh_host_filter, "(%s=%s)", + TYPE_SSH_HOST, false, + &tctx->ssh_host_filter); + if (ret != EOK) { + return ret; + } + + /* Update sudo rule filter */ + ret = update_filter(tctx, dinfo, tctx->sudo_rule_name, + tctx->update_sudo_rule_filter, + "(%s=%s)", TYPE_SUDO_RULE, false, + &tctx->sudo_rule_filter); + if (ret != EOK) { + return ret; + } + + return EOK; +} + +static bool invalidate_entries(TALLOC_CTX *ctx, + struct sss_domain_info *dinfo, + enum sss_cache_entry entry_type, + const char *filter, const char *name) +{ + const char *attrs[] = {SYSDB_NAME, NULL}; + size_t msg_count; + struct ldb_message **msgs; + const char *type_string = "unknown"; + errno_t ret = EINVAL; 
+ int i; + const char *c_name; + bool iret; + + if (!filter) return false; + switch (entry_type) { + case TYPE_USER: + type_string = "user"; + ret = sysdb_search_users(ctx, dinfo, + filter, attrs, &msg_count, &msgs); + break; + case TYPE_GROUP: + type_string = "group"; + ret = sysdb_search_groups(ctx, dinfo, + filter, attrs, &msg_count, &msgs); + break; + case TYPE_NETGROUP: + type_string = "netgroup"; + ret = sysdb_search_netgroups(ctx, dinfo, + filter, attrs, &msg_count, &msgs); + break; + case TYPE_SERVICE: + type_string = "service"; + ret = sysdb_search_services(ctx, dinfo, + filter, attrs, &msg_count, &msgs); + break; + case TYPE_AUTOFSMAP: + type_string = "autofs map"; + ret = search_autofsmaps(ctx, dinfo, filter, attrs, &msg_count, &msgs); + break; + case TYPE_SSH_HOST: + type_string = "ssh_host"; +#ifdef BUILD_SSH + ret = sysdb_search_ssh_hosts(ctx, dinfo, + filter, attrs, &msg_count, &msgs); +#else /* BUILD_SSH */ + ret = ENOSYS; +#endif /* BUILD_SSH */ + break; + case TYPE_SUDO_RULE: + type_string = "sudo_rule"; +#ifdef BUILD_SUDO + ret = sysdb_search_sudo_rules(ctx, dinfo, + filter, attrs, &msg_count, &msgs); +#else /* BUILD_SUDO */ + ret = ENOSYS; +#endif /* BUILD_SUDO */ + break; + } + + if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "'%s' %s: Not found in domain '%s'\n", + type_string, name ? 
name : "", dinfo->name); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "Searching for %s in domain %s with filter %s failed\n", + type_string, dinfo->name, filter); + } + return false; + } + + iret = true; + for (i = 0; i < msg_count; i++) { + c_name = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL); + if (c_name == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Something bad happened, can't find attribute %s\n", + SYSDB_NAME); + ERROR("Couldn't invalidate %1$s\n", type_string); + iret = false; + } else { + ret = invalidate_entry(ctx, dinfo, c_name, entry_type); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Couldn't invalidate %s %s\n", type_string, c_name); + ERROR("Couldn't invalidate %1$s %2$s\n", type_string, c_name); + iret = false; + } + } + } + talloc_zfree(msgs); + return iret; +} + +static errno_t invalidate_entry(TALLOC_CTX *ctx, + struct sss_domain_info *domain, + const char *name, int entry_type) +{ + struct sysdb_attrs *sys_attrs = NULL; + errno_t ret; + + sys_attrs = sysdb_new_attrs(ctx); + if (sys_attrs) { + ret = sysdb_attrs_add_time_t(sys_attrs, + SYSDB_CACHE_EXPIRE, 1); + if (ret == EOK) { + switch (entry_type) { + case TYPE_USER: + /* For users, we also need to reset the initgroups + * cache expiry */ + ret = sysdb_attrs_add_time_t(sys_attrs, + SYSDB_INITGR_EXPIRE, 1); + if (ret != EOK) return ret; + + ret = sysdb_set_user_attr(domain, name, sys_attrs, + SYSDB_MOD_REP); + if (ret != EOK) break; + + /* WARNING: Direct writing to persistent cache!! */ + ret = sysdb_invalidate_user_cache_entry(domain, name); + break; + case TYPE_GROUP: + ret = sysdb_set_group_attr(domain, name, sys_attrs, + SYSDB_MOD_REP); + if (ret != EOK) break; + + /* WARNING: Direct writing to persistent cache!! 
*/ + ret = sysdb_invalidate_group_cache_entry(domain, name); + break; + case TYPE_NETGROUP: + ret = sysdb_set_netgroup_attr(domain, name, sys_attrs, + SYSDB_MOD_REP); + break; + case TYPE_SERVICE: + ret = sysdb_set_service_attr(domain, name, + sys_attrs, SYSDB_MOD_REP); + break; + case TYPE_AUTOFSMAP: + ret = sysdb_set_autofsmap_attr(domain, name, + sys_attrs, SYSDB_MOD_REP); + break; + case TYPE_SSH_HOST: +#ifdef BUILD_SSH + ret = sysdb_set_ssh_host_attr(domain, name, + sys_attrs, SYSDB_MOD_REP); +#else /* BUILD_SSH */ + ret = ENOSYS; +#endif /* BUILD_SSH */ + break; + case TYPE_SUDO_RULE: +#ifdef BUILD_SUDO + ret = sysdb_set_sudo_rule_attr(domain, name, + sys_attrs, SYSDB_MOD_REP); +#else /* BUILD_SUDO */ + ret = ENOSYS; +#endif /* BUILD_SUDO */ + break; + default: + return EINVAL; + } + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not set entry attributes\n"); + } + } else { + DEBUG(SSSDBG_MINOR_FAILURE, + "Could not add expiration time to attributes\n"); + } + talloc_zfree(sys_attrs); + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "Could not create sysdb attributes\n"); + ret = ENOMEM; + } + return ret; +} + +static errno_t init_domains(struct cache_tool_ctx *ctx, + const char *domain) +{ + char *confdb_path; + int ret; + struct sss_domain_info *dinfo; + + confdb_path = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE); + if (confdb_path == NULL) { + return ENOMEM; + } + + /* Connect to the conf db */ + ret = confdb_init(ctx, &ctx->confdb, confdb_path); + talloc_free(confdb_path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the confdb\n"); + return ret; + } + + if (domain) { + ret = sssd_domain_init(ctx, ctx->confdb, + domain, DB_PATH, &ctx->domains); + if (ret != EOK) { + SYSDB_VERSION_ERROR(ret); + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the sysdb\n"); + return ret; + } + + } else { + ret = confdb_get_domains(ctx->confdb, &ctx->domains); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"Could not initialize domains\n"); + return ret; + } + + ret = sysdb_init(ctx, ctx->domains); + SYSDB_VERSION_ERROR(ret); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the sysdb\n"); + return ret; + } + } + + for (dinfo = ctx->domains; dinfo; dinfo = get_next_domain(dinfo, 0)) { + ret = sss_names_init(ctx, ctx->confdb, dinfo->name, &dinfo->names); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_names_init() failed\n"); + return ret; + } + } + + return EOK; +} + +static errno_t init_context(int argc, const char *argv[], + struct cache_tool_ctx **tctx) +{ + struct cache_tool_ctx *ctx = NULL; + int idb = INVALIDATE_NONE; + struct input_values values = { 0 }; + int debug = SSSDBG_DEFAULT; + errno_t ret = EOK; + + poptContext pc = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &debug, + 0, _("The debug level to run with"), NULL }, + { "everything", 'E', POPT_ARG_NONE, NULL, 'e', + _("Invalidate all cached entries"), NULL }, + { "user", 'u', POPT_ARG_STRING, &(values.user), 0, + _("Invalidate particular user"), NULL }, + { "users", 'U', POPT_ARG_NONE, NULL, 'u', + _("Invalidate all users"), NULL }, + { "group", 'g', POPT_ARG_STRING, &(values.group), 0, + _("Invalidate particular group"), NULL }, + { "groups", 'G', POPT_ARG_NONE, NULL, 'g', + _("Invalidate all groups"), NULL }, + { "netgroup", 'n', POPT_ARG_STRING, &(values.netgroup), 0, + _("Invalidate particular netgroup"), NULL }, + { "netgroups", 'N', POPT_ARG_NONE, NULL, 'n', + _("Invalidate all netgroups"), NULL }, + { "service", 's', POPT_ARG_STRING, &(values.service), 0, + _("Invalidate particular service"), NULL }, + { "services", 'S', POPT_ARG_NONE, NULL, 's', + _("Invalidate all services"), NULL }, +#ifdef BUILD_AUTOFS + { "autofs-map", 'a', POPT_ARG_STRING, &(values.map), 0, + _("Invalidate particular autofs map"), NULL }, + { "autofs-maps", 'A', POPT_ARG_NONE, NULL, 'a', + _("Invalidate all 
autofs maps"), NULL }, +#endif /* BUILD_AUTOFS */ +#ifdef BUILD_SSH + { "ssh-host", 'h', POPT_ARG_STRING, &(values.ssh_host), 0, + _("Invalidate particular SSH host"), NULL }, + { "ssh-hosts", 'H', POPT_ARG_NONE, NULL, 'h', + _("Invalidate all SSH hosts"), NULL }, +#endif /* BUILD_SSH */ +#ifdef BUILD_SUDO + { "sudo-rule", 'r', POPT_ARG_STRING, &(values.sudo_rule), 0, + _("Invalidate particular sudo rule"), NULL }, + { "sudo-rules", 'R', POPT_ARG_NONE, NULL, 'r', + _("Invalidate all cached sudo rules"), NULL }, +#endif /* BUILD_SUDO */ + { "domain", 'd', POPT_ARG_STRING, &(values.domain), 0, + _("Only invalidate entries from a particular domain"), NULL }, + POPT_TABLEEND + }; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale failed (%d): %s\n", ret, strerror(ret)); + ERROR("Error setting the locale\n"); + goto fini; + } + + pc = poptGetContext(NULL, argc, argv, long_options, 0); + while ((ret = poptGetNextOpt(pc)) > 0) { + switch (ret) { + case 'u': + idb |= INVALIDATE_USERS; + break; + case 'g': + idb |= INVALIDATE_GROUPS; + break; + case 'n': + idb |= INVALIDATE_NETGROUPS; + break; + case 's': + idb |= INVALIDATE_SERVICES; + break; + case 'a': + idb |= INVALIDATE_AUTOFSMAPS; + break; + case 'h': + idb |= INVALIDATE_SSH_HOSTS; + break; + case 'r': + idb |= INVALIDATE_SUDO_RULES; + break; + case 'e': + idb = INVALIDATE_EVERYTHING; +#ifdef BUILD_SUDO + idb |= INVALIDATE_SUDO_RULES; +#endif /* BUILD_SUDO */ + break; + } + } + + DEBUG_CLI_INIT(debug); + debug_prg_name = argv[0]; + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + if (poptGetArg(pc)) { + BAD_POPT_PARAMS(pc, + _("Unexpected argument(s) provided, options that " + "invalidate a single object only accept a single " + "provided argument.\n"), + ret, fini); + } + + if (idb == INVALIDATE_NONE && !values.user && !values.group && + !values.netgroup && !values.service && !values.map && + !values.ssh_host && !values.sudo_rule) { + 
BAD_POPT_PARAMS(pc, + _("Please select at least one object to invalidate\n"), + ret, fini); + } + + CHECK_ROOT(ret, debug_prg_name); + + ctx = talloc_zero(NULL, struct cache_tool_ctx); + if (ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not allocate memory for tools context\n"); + ret = ENOMEM; + goto fini; + } + + if (idb & INVALIDATE_USERS) { + ctx->user_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME); + ctx->update_user_filter = false; + } else if (values.user) { + ctx->user_name = talloc_strdup(ctx, values.user); + ctx->update_user_filter = true; + } + + if (idb & INVALIDATE_GROUPS) { + ctx->group_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME); + ctx->update_group_filter = false; + } else if (values.group) { + ctx->group_name = talloc_strdup(ctx, values.group); + ctx->update_group_filter = true; + } + + if (idb & INVALIDATE_NETGROUPS) { + ctx->netgroup_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME); + ctx->update_netgroup_filter = false; + } else if (values.netgroup) { + ctx->netgroup_name = talloc_strdup(ctx, values.netgroup); + ctx->update_netgroup_filter = true; + } + + if (idb & INVALIDATE_SERVICES) { + ctx->service_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME); + ctx->update_service_filter = false; + } else if (values.service) { + ctx->service_name = talloc_strdup(ctx, values.service); + ctx->update_service_filter = true; + } + + if (idb & INVALIDATE_AUTOFSMAPS) { + ctx->autofs_filter = talloc_asprintf(ctx, "(&(objectclass=%s)(%s=*))", + SYSDB_AUTOFS_MAP_OC, SYSDB_NAME); + ctx->update_autofs_filter = false; + } else if (values.map) { + ctx->autofs_name = talloc_strdup(ctx, values.map); + ctx->update_autofs_filter = true; + } + + if (idb & INVALIDATE_SSH_HOSTS) { + ctx->ssh_host_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME); + ctx->update_ssh_host_filter = false; + } else if (values.ssh_host) { + ctx->ssh_host_name = talloc_strdup(ctx, values.ssh_host); + ctx->update_ssh_host_filter = true; + } + + if (idb & 
INVALIDATE_SUDO_RULES) { + ctx->sudo_rule_filter = talloc_asprintf(ctx, "(%s=*)", SYSDB_NAME); + ctx->update_sudo_rule_filter = false; + } else if (values.sudo_rule) { + ctx->sudo_rule_name = talloc_strdup(ctx, values.sudo_rule); + ctx->update_sudo_rule_filter = true; + } + + if (is_filter_valid(ctx, &values, idb) == false) { + DEBUG(SSSDBG_CRIT_FAILURE, "Construction of filters failed\n"); + ret = ENOMEM; + goto fini; + } + + ret = init_domains(ctx, values.domain); + if (ret != EOK) { + if (values.domain) { + ERROR("Could not open domain %1$s. If the domain is a subdomain " + "(trusted domain), use fully qualified name instead of " + "--domain/-d parameter.\n", values.domain); + } else { + ERROR("Could not open available domains\n"); + } + DEBUG(SSSDBG_OP_FAILURE, + "Initialization of sysdb connections failed\n"); + goto fini; + } + + ret = EOK; + +fini: + poptFreeContext(pc); + free_input_values(&values); + if (ret != EOK && ctx) { + talloc_zfree(ctx); + } + if (ret == EOK) { + *tctx = ctx; + } + return ret; +} + +static bool is_filter_valid(struct cache_tool_ctx *ctx, + struct input_values *values, int idb) +{ + if ((idb & INVALIDATE_USERS) && ctx->user_filter == NULL) { + return false; + } + + if ((idb & INVALIDATE_GROUPS) && ctx->group_filter == NULL) { + return false; + } + + if ((idb & INVALIDATE_NETGROUPS) && ctx->netgroup_filter == NULL) { + return false; + } + + if ((idb & INVALIDATE_SERVICES) && ctx->service_filter == NULL) { + return false; + } + + if ((idb & INVALIDATE_AUTOFSMAPS) && ctx->autofs_filter == NULL) { + return false; + } + + if ((idb & INVALIDATE_SSH_HOSTS) && ctx->ssh_host_filter == NULL) { + return false; + } + + if (values->user && ctx->user_name == NULL) { + return false; + } + + if (values->group && ctx->group_name == NULL) { + return false; + } + + if (values->netgroup && ctx->netgroup_name == NULL) { + return false; + } + + if (values->service && ctx->service_name == NULL) { + return false; + } + + if (values->map && ctx->autofs_name 
== NULL) {
+ return false;
+ }
+
+ if (values->ssh_host && ctx->ssh_host_name == NULL) {
+ return false;
+ }
+
+ if (values->sudo_rule && ctx->sudo_rule_name == NULL) {
+ return false;
+ }
+
+ return true;
+}
+
+static errno_t
+search_autofsmaps(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *sub_filter, const char **attrs,
+ size_t *msgs_count, struct ldb_message ***msgs)
+{
+#ifdef BUILD_AUTOFS
+ return sysdb_search_custom(mem_ctx, domain, sub_filter,
+ AUTOFS_MAP_SUBDIR, attrs,
+ msgs_count, msgs);
+#else
+ return ENOSYS;
+#endif /* BUILD_AUTOFS */
+}
+
+/* WARNING: Direct writing to persistent cache!! */
+static int sysdb_invalidate_user_cache_entry(struct sss_domain_info *domain,
+ const char *name)
+{
+ return sysdb_invalidate_cache_entry(domain, name, true);
+}
+
+/* WARNING: Direct writing to persistent cache!! */
+static int sysdb_invalidate_group_cache_entry(struct sss_domain_info *domain,
+ const char *name)
+{
+ return sysdb_invalidate_cache_entry(domain, name, false);
+}
diff --git a/src/tools/sss_groupadd.c b/src/tools/sss_groupadd.c
new file mode 100644
index 0000000..f71d6dd
--- /dev/null
+++ b/src/tools/sss_groupadd.c
@@ -0,0 +1,166 @@
+/*
+ SSSD
+
+ sss_groupadd
+
+ Copyright (C) Jakub Hrozek 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "tools/tools_util.h"
+#include "tools/sss_sync_ops.h"
+
+int main(int argc, const char **argv)
+{
+ gid_t pc_gid = 0;
+ int pc_debug = SSSDBG_DEFAULT;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ { "debug",'\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
+ 0, _("The debug level to run with"), NULL },
+ { "gid", 'g', POPT_ARG_INT, &pc_gid,
+ 0, _("The GID of the group"), NULL },
+ POPT_TABLEEND
+ };
+ poptContext pc = NULL;
+ struct tools_ctx *tctx = NULL;
+ int ret = EXIT_SUCCESS;
+ errno_t sret;
+ const char *pc_groupname = NULL;
+ bool in_transaction = false;
+
+ debug_prg_name = argv[0];
+
+ ret = set_locale();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "set_locale failed (%d): %s\n", ret, strerror(ret));
+ ERROR("Error setting the locale\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* parse params */
+ pc = poptGetContext(NULL, argc, argv, long_options, 0);
+ poptSetOtherOptionHelp(pc, "GROUPNAME");
+ if ((ret = poptGetNextOpt(pc)) < -1) {
+ BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+ }
+
+ DEBUG_CLI_INIT(pc_debug);
+
+ /* groupname is an argument, not option */
+ pc_groupname = poptGetArg(pc);
+ if (pc_groupname == NULL) {
+
BAD_POPT_PARAMS(pc, _("Specify group to add\n"), ret, fini);
+ }
+
+ CHECK_ROOT(ret, debug_prg_name);
+
+ ret = init_sss_tools(&tctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "init_sss_tools failed (%d): %s\n", ret, strerror(ret));
+ if (ret == ENOENT) {
+ ERROR("Error initializing the tools - no local domain\n");
+ } else {
+ ERROR("Error initializing the tools\n");
+ }
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* if the domain was not given as part of FQDN, default to local domain */
+ ret = parse_name_domain(tctx, pc_groupname);
+ if (ret != EOK) {
+ ERROR("Invalid domain specified in FQDN\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ tctx->octx->gid = pc_gid;
+
+ /* arguments processed, go on to actual work */
+ if (id_in_range(tctx->octx->gid, tctx->octx->domain) != EOK) {
+ ERROR("The selected GID is outside the allowed range\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ tctx->error = sysdb_transaction_start(tctx->sysdb);
+ if (tctx->error != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ /* groupadd */
+ tctx->error = groupadd(tctx->octx);
+ if (tctx->error) {
+ goto done;
+ }
+
+ tctx->error = sysdb_transaction_commit(tctx->sysdb);
+ if (tctx->error != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(tctx->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+
+ if (tctx->error) {
+ ret = tctx->error;
+ switch (ret) {
+ case ERANGE:
+ ERROR("Could not allocate ID for the group - domain full?\n");
+ break;
+
+ case EEXIST:
+ ERROR("A group with the same name or GID already exists\n");
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb operation failed (%d)[%s]\n", ret, strerror(ret));
+ ERROR("Transaction error. 
Could not add group.\n");
+ break;
+ }
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = EXIT_SUCCESS;
+fini:
+ talloc_free(tctx);
+ poptFreeContext(pc);
+ exit(ret);
+}
+
diff --git a/src/tools/sss_groupdel.c b/src/tools/sss_groupdel.c
new file mode 100644
index 0000000..5dcc205
--- /dev/null
+++ b/src/tools/sss_groupdel.c
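Review bot: The `--gid` entry stores through `POPT_ARG_INT` into `pc_gid`, which is declared `gid_t`, so popt writes a signed `int` into an unsigned ID and a negative argument reaches `tctx->octx->gid = pc_gid;` as a very large GID. The only guard afterwards is `id_in_range()`, whose body is not in this hunk; if it treats an `id_max` of 0 as unbounded, the way the explicit range check in sss_groupdel.c does, the wrapped value would be accepted. I would parse into a signed variable and reject negatives before the assignment: declare `int pc_gid = 0;` and add `if (pc_gid < 0) { ERROR("The selected GID is outside the allowed range\n"); ret = EXIT_FAILURE; goto fini; }`. The same `gid_t` target for `POPT_ARG_INT` appears in sss_groupmod.c.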
@@ -0,0 +1,151 @@
+/*
+ SSSD
+
+ sss_groupdel
+
+ Copyright (C) Jakub Hrozek 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+
+#include "db/sysdb.h"
+#include "util/util.h"
+#include "tools/tools_util.h"
+#include "tools/sss_sync_ops.h"
+
+int main(int argc, const char **argv)
+{
+ int ret = EXIT_SUCCESS;
+ int pc_debug = SSSDBG_DEFAULT;
+ const char *pc_groupname = NULL;
+ struct tools_ctx *tctx = NULL;
+
+ poptContext pc = NULL;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
+ 0, _("The debug level to run with"), NULL },
+ POPT_TABLEEND
+ };
+
+ debug_prg_name = argv[0];
+
+ ret = set_locale();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "set_locale failed (%d): %s\n", ret, strerror(ret));
+ ERROR("Error setting the locale\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* parse ops_ctx */
+ pc = poptGetContext(NULL, argc, argv, long_options, 0);
+ poptSetOtherOptionHelp(pc, "GROUPNAME");
+ if ((ret = poptGetNextOpt(pc)) < -1) {
+ BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+ }
+
+ DEBUG_CLI_INIT(pc_debug);
+
+ pc_groupname = poptGetArg(pc);
+ if (pc_groupname == NULL) {
+ BAD_POPT_PARAMS(pc, _("Specify group to delete\n"), ret, fini);
+ }
+
+ CHECK_ROOT(ret, debug_prg_name);
+
+ ret = init_sss_tools(&tctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+
"init_sss_tools failed (%d): %s\n", ret, strerror(ret));
+ if (ret == ENOENT) {
+ ERROR("Error initializing the tools - no local domain\n");
+ } else {
+ ERROR("Error initializing the tools\n");
+ }
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* if the domain was not given as part of FQDN, default to local domain */
+ ret = parse_name_domain(tctx, pc_groupname);
+ if (ret != EOK) {
+ ERROR("Invalid domain specified in FQDN\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = sysdb_getgrnam_sync(tctx, tctx->octx->name, tctx->octx);
+ if (ret != EOK) {
+ /* Error message will be printed in the switch */
+ goto done;
+ }
+
+ if ((tctx->octx->gid < tctx->local->id_min) ||
+ (tctx->local->id_max && tctx->octx->gid > tctx->local->id_max)) {
+ ERROR("Group %1$s is outside the defined ID range for domain\n",
+ tctx->octx->name);
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* groupdel */
+ ret = groupdel(tctx, tctx->sysdb, tctx->octx);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ /* Delete group from memory cache */
+ ret = sss_mc_refresh_group(pc_groupname);
+ if (ret != EOK) {
+ ERROR("NSS request failed (%1$d). Entry might remain in memory "
+ "cache.\n", ret);
+ /* Nothing we can do about it */
+ }
+
+ ret = EOK;
+
+done:
+ if (ret) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb operation failed (%d)[%s]\n", ret, strerror(ret));
+ switch (ret) {
+ case ENOENT:
+ ERROR("No such group in local domain. "
+ "Removing groups only allowed in local domain.\n");
+ break;
+
+ default:
+ ERROR("Internal error. Could not remove group.\n");
+ break;
+ }
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = EXIT_SUCCESS;
+
+fini:
+ talloc_free(tctx);
+ poptFreeContext(pc);
+ exit(ret);
+}
+
diff --git a/src/tools/sss_groupmod.c b/src/tools/sss_groupmod.c
new file mode 100644
index 0000000..eddc703
--- /dev/null
+++ b/src/tools/sss_groupmod.c
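Review bot: A failed `sss_mc_refresh_group(pc_groupname)` after the delete is reported on stderr only: the next statement sets `ret = EOK` and the tool exits with `EXIT_SUCCESS`, so a script that checks the exit status cannot tell that the removed group may still be answered from the memory cache. The existing `/* Nothing we can do about it */` does not say that; I would replace it with `/* Best effort: groupdel() has already succeeded; a failure here is only printed and the exit status stays EXIT_SUCCESS */`. sss_groupmod.c repeats the pattern after its commit. The refresh is also keyed on the raw command-line string `pc_groupname`, while the lookup and the delete use the parsed `tctx->octx->name`; whether the two can differ for a fully qualified name depends on `parse_name_domain()`, which is outside this hunk.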
@@ -0,0 +1,281 @@
+/*
+ SSSD
+
+ sss_groupmod
+
+ Copyright (C) Jakub Hrozek 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "tools/tools_util.h"
+#include "tools/sss_sync_ops.h"
+
+int main(int argc, const char **argv)
+{
+ gid_t pc_gid = 0;
+ int pc_debug = SSSDBG_DEFAULT;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP
+ { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug,
+ 0, _("The debug level to run with"), NULL },
+ { "append-group", 'a', POPT_ARG_STRING, NULL,
+ 'a', _("Groups to add this group to"), NULL },
+ { "remove-group", 'r', POPT_ARG_STRING, NULL,
+ 'r', _("Groups to remove this group from"), NULL },
+ { "gid", 'g', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_gid,
+ 0, _("The GID of the group"), NULL },
+ POPT_TABLEEND
+ };
+ poptContext pc = NULL;
+ struct tools_ctx *tctx = NULL;
+ char *addgroups = NULL, *rmgroups = NULL;
+ int ret;
+ errno_t sret;
+ const char *pc_groupname = NULL;
+ char *badgroup = NULL;
+ bool in_transaction = false;
+
+ debug_prg_name = argv[0];
+
+ ret = set_locale();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "set_locale failed (%d): %s\n", ret, strerror(ret));
+ ERROR("Error setting the locale\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* parse parameters */
+ pc = poptGetContext(NULL, argc, argv, 
long_options, 0);
+ poptSetOtherOptionHelp(pc, "GROUPNAME");
+ while ((ret = poptGetNextOpt(pc)) > 0) {
+ switch (ret) {
+ case 'a':
+ addgroups = poptGetOptArg(pc);
+ if (addgroups == NULL) {
+ BAD_POPT_PARAMS(pc, _("Specify group to add to\n"),
+ ret, fini);
+ }
+ break;
+
+ case 'r':
+ rmgroups = poptGetOptArg(pc);
+ if (rmgroups == NULL) {
+ BAD_POPT_PARAMS(pc, _("Specify group to remove from\n"),
+ ret, fini);
+ }
+ break;
+ }
+ }
+
+ if (ret != -1) {
+ BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+ }
+
+ /* groupname is an argument without --option */
+ pc_groupname = poptGetArg(pc);
+ if (pc_groupname == NULL) {
+ BAD_POPT_PARAMS(pc, _("Specify group to modify\n"), ret, fini);
+ }
+
+ DEBUG_CLI_INIT(pc_debug);
+
+ CHECK_ROOT(ret, debug_prg_name);
+
+ ret = init_sss_tools(&tctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "init_sss_tools failed (%d): %s\n", ret, strerror(ret));
+ if (ret == ENOENT) {
+ ERROR("Error initializing the tools - no local domain\n");
+ } else {
+ ERROR("Error initializing the tools\n");
+ }
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = parse_name_domain(tctx, pc_groupname);
+ if (ret != EOK) {
+ ERROR("Invalid domain specified in FQDN\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+ /* check the username to be able to give sensible error message */
+ ret = sysdb_getgrnam_sync(tctx, tctx->octx->name, tctx->octx);
+ if (ret != EOK) {
+ ERROR("Cannot find group in local domain, "
+ "modifying groups is allowed only in local domain\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+
+ tctx->octx->gid = pc_gid;
+
+ if (addgroups) {
+ ret = parse_groups(tctx, addgroups, &tctx->octx->addgroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse groups to add the group to\n");
+ ERROR("Internal error while parsing parameters\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = parse_group_name_domain(tctx, tctx->octx->addgroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse FQDN groups to add 
the group to\n");
+ ERROR("Member groups must be in the same domain as parent group\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* Check group names in the LOCAL domain */
+ ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup);
+ if (ret != EOK) {
+ ERROR("Cannot find group %1$s in local domain, "
+ "only groups in local domain are allowed\n", badgroup);
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+ }
+
+ if (rmgroups) {
+ ret = parse_groups(tctx, rmgroups, &tctx->octx->rmgroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse groups to remove the group from\n");
+ ERROR("Internal error while parsing parameters\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = parse_group_name_domain(tctx, tctx->octx->rmgroups);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot parse FQDN groups to remove the group from\n");
+ ERROR("Member groups must be in the same domain as parent group\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ /* Check group names in the LOCAL domain */
+ ret = check_group_names(tctx, tctx->octx->rmgroups, &badgroup);
+ if (ret != EOK) {
+ ERROR("Cannot find group %1$s in local domain, "
+ "only groups in local domain are allowed\n", badgroup);
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+ }
+
+ if (id_in_range(tctx->octx->gid, tctx->octx->domain) != EOK) {
+ ERROR("The selected GID is outside the allowed range\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ tctx->error = sysdb_transaction_start(tctx->sysdb);
+ if (tctx->error != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n");
+ goto done;
+ }
+ in_transaction = true;
+
+ /* groupmod */
+ tctx->error = groupmod(tctx, tctx->octx);
+ if (tctx->error) {
+ goto done;
+ }
+
+ tctx->error = sysdb_transaction_commit(tctx->sysdb);
+ if (tctx->error != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n");
+ goto done;
+ }
+ in_transaction = false;
+
+ ret = sss_mc_refresh_group(pc_groupname);
+ if (ret != EOK) {
+ ERROR("NSS request failed 
(%1$d). Entry might remain in memory "
+ "cache.\n", ret);
+ /* Nothing we can do about it */
+ }
+
+ ret = sss_mc_refresh_grouplist(tctx, tctx->octx->addgroups);
+ if (ret != EOK) {
+ ERROR("NSS request failed (%1$d). Entry might remain in memory "
+ "cache.\n", ret);
+ /* Nothing we can do about it */
+ }
+
+ ret = sss_mc_refresh_grouplist(tctx, tctx->octx->rmgroups);
+ if (ret != EOK) {
+ ERROR("NSS request failed (%1$d). Entry might remain in memory "
+ "cache.\n", ret);
+ /* Nothing we can do about it */
+ }
+
+done:
+ if (in_transaction) {
+ sret = sysdb_transaction_cancel(tctx->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+ if (tctx->error) {
+ ret = tctx->error;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sysdb operation failed (%d)[%s]\n", ret, strerror(ret));
+ switch (ret) {
+ case ENOENT:
+ ERROR("Could not modify group - check if member group names are correct\n");
+ break;
+
+ case EFAULT:
+ ERROR("Could not modify group - check if groupname is correct\n");
+ break;
+
+ default:
+ ERROR("Transaction error. Could not modify group.\n");
+ break;
+ }
+
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
+ ret = EXIT_SUCCESS;
+
+fini:
+ free(addgroups);
+ free(rmgroups);
+ poptFreeContext(pc);
+ talloc_free(tctx);
+ exit(ret);
+}
diff --git a/src/tools/sss_groupshow.c b/src/tools/sss_groupshow.c
new file mode 100644
index 0000000..ac4c3dc
--- /dev/null
+++ b/src/tools/sss_groupshow.c
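Review bot: `badgroup` starts as NULL and is passed to `%1$s` whenever `check_group_names()` returns non-EOK, in both the `addgroups` and the `rmgroups` branch. That helper is not in this hunk, so it may always set the pointer, but if it can fail before doing so (an allocation failure, for instance) the message formats a NULL pointer and reports a missing group for an unrelated error. Passing `badgroup ? badgroup : "?"` in both `ERROR()` calls would keep the output defined. Separately, a repeated `-a` or `-r` overwrites `addgroups`/`rmgroups` from `poptGetOptArg()` without freeing the earlier string, so only the last list is applied and the earlier one is dropped without a message.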
@@ -0,0 +1,775 @@ +/* + SSSD + + sss_groupshow + + Copyright (C) Jakub Hrozek 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "tools/tools_util.h" +#include "tools/sss_sync_ops.h" + +#define PADDING_SPACES 4 +#define GROUP_SHOW_ATTRS { SYSDB_MEMBEROF, SYSDB_GIDNUM, \ + SYSDB_MEMBER, SYSDB_GHOST, SYSDB_NAME, \ + NULL } +#define GROUP_SHOW_MPG_ATTRS { SYSDB_MEMBEROF, SYSDB_UIDNUM, \ + SYSDB_NAME, NULL } + +struct group_info { + const char *name; + gid_t gid; + bool mpg; + + const char **user_members; + const char **memberofs; + + struct group_info **group_members; +}; + +/*==================Helper routines to process results================= */ +const char *rdn_as_string(TALLOC_CTX *mem_ctx, + struct ldb_dn *dn) +{ + const struct ldb_val *val; + + val = ldb_dn_get_rdn_val(dn); + if (val == NULL) { + return NULL; + } + + return ldb_dn_escape_value(mem_ctx, *val); +} + +static int parse_memberofs(struct ldb_context *ldb, + struct ldb_message_element *el, + struct group_info *gi) +{ + int i; + struct ldb_dn *dn = NULL; + + gi->memberofs = talloc_array(gi, const char *, el->num_values+1); + if (gi->memberofs == NULL) { + return ENOMEM; + } + + for (i = 0; i< el->num_values; ++i) { + dn = ldb_dn_from_ldb_val(gi, ldb, &(el->values[i])); + gi->memberofs[i] = talloc_strdup(gi, rdn_as_string(gi, dn)); + talloc_zfree(dn); + 
if (gi->memberofs[i] == NULL) { + return ENOMEM; + } + DEBUG(SSSDBG_TRACE_FUNC, "memberof value: %s\n", gi->memberofs[i]); + } + gi->memberofs[el->num_values] = NULL; + + return EOK; +} + +static int parse_members(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + struct sss_domain_info *domain, + struct ldb_message_element *el, + const char *parent_name, + const char ***user_members, + const char ***group_members, + int *num_group_members) +{ + struct ldb_dn *user_basedn = NULL, *group_basedn = NULL; + struct ldb_dn *parent_dn = NULL; + struct ldb_dn *dn = NULL; + const char **um = NULL, **gm = NULL; + unsigned int um_index = 0, gm_index = 0; + TALLOC_CTX *tmp_ctx = NULL; + int ret; + int i; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + ret = ENOMEM; + goto fail; + } + + user_basedn = sysdb_user_base_dn(tmp_ctx, domain); + group_basedn = sysdb_group_base_dn(tmp_ctx, domain); + if (!user_basedn || !group_basedn) { + ret = ENOMEM; + goto fail; + } + + um = talloc_array(mem_ctx, const char *, el->num_values+1); + gm = talloc_array(mem_ctx, const char *, el->num_values+1); + if (!um || !gm) { + ret = ENOMEM; + goto fail; + } + + for (i = 0; i< el->num_values; ++i) { + dn = ldb_dn_from_ldb_val(tmp_ctx, ldb, &(el->values[i])); + + /* user member or group member? 
*/ + parent_dn = ldb_dn_get_parent(tmp_ctx, dn); + if (ldb_dn_compare_base(parent_dn, user_basedn) == 0) { + um[um_index] = rdn_as_string(mem_ctx, dn); + if (um[um_index] == NULL) { + ret = ENOMEM; + goto fail; + } + DEBUG(SSSDBG_TRACE_FUNC, "User member %s\n", um[um_index]); + um_index++; + } else if (ldb_dn_compare_base(parent_dn, group_basedn) == 0) { + gm[gm_index] = rdn_as_string(mem_ctx, dn); + if (gm[gm_index] == NULL) { + ret = ENOMEM; + goto fail; + } + if (parent_name && strcmp(gm[gm_index], parent_name) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Skipping circular nesting for group %s\n", + gm[gm_index]); + continue; + } + DEBUG(SSSDBG_TRACE_FUNC, "Group member %s\n", gm[gm_index]); + gm_index++; + } else { + DEBUG(SSSDBG_OP_FAILURE, "Group member not a user nor group: %s\n", + ldb_dn_get_linearized(dn)); + ret = EIO; + goto fail; + } + + talloc_zfree(dn); + talloc_zfree(parent_dn); + } + um[um_index] = NULL; + gm[gm_index] = NULL; + + if (um_index > 0) { + um = talloc_realloc(mem_ctx, um, const char *, um_index+1); + if (!um) { + ret = ENOMEM; + goto fail; + } + } else { + talloc_zfree(um); + } + + if (gm_index > 0) { + gm = talloc_realloc(mem_ctx, gm, const char *, gm_index+1); + if (!gm) { + ret = ENOMEM; + goto fail; + } + } else { + talloc_zfree(gm); + } + + *user_members = um; + if (group_members) *group_members = gm; + if (num_group_members) *num_group_members = gm_index; + talloc_zfree(tmp_ctx); + return EOK; + +fail: + talloc_zfree(um); + talloc_zfree(gm); + talloc_zfree(tmp_ctx); + return ret; +} + +static int process_group(TALLOC_CTX *mem_ctx, + struct ldb_context *ldb, + struct ldb_message *msg, + struct sss_domain_info *domain, + const char *parent_name, + struct group_info **info, + const char ***group_members, + int *num_group_members) +{ + struct ldb_message_element *el; + int ret, i, j; + int count = 0; + struct group_info *gi = NULL; + const char **user_members; + + DEBUG(SSSDBG_TRACE_FUNC, + "Found entry %s\n", 
ldb_dn_get_linearized(msg->dn)); + + gi = talloc_zero(mem_ctx, struct group_info); + if (!gi) { + ret = ENOMEM; + goto done; + } + + /* mandatory data - name and gid */ + gi->name = talloc_strdup(gi, + ldb_msg_find_attr_as_string(msg, + SYSDB_NAME, + NULL)); + gi->gid = ldb_msg_find_attr_as_uint64(msg, + SYSDB_GIDNUM, 0); + if (gi->gid == 0 || gi->name == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No name or no GID?\n"); + ret = EIO; + goto done; + } + + /* list members */ + el = ldb_msg_find_element(msg, SYSDB_MEMBER); + if (el) { + ret = parse_members(gi, ldb, domain, el, + parent_name, + &gi->user_members, + group_members, num_group_members); + if (ret != EOK) { + goto done; + } + if (gi->user_members == NULL) { + count = 0; + } else { + for (count = 0; gi->user_members[count]; count++) ; + } + } + el = ldb_msg_find_element(msg, SYSDB_GHOST); + if (el) { + ret = parse_members(gi, ldb, domain, el, + parent_name, + &user_members, + NULL, NULL); + if (ret != EOK) { + goto done; + } + + if (user_members != NULL) { + i = count; + for (count = 0; user_members[count]; count++) ; + gi->user_members = talloc_realloc(gi, gi->user_members, + const char *, + i + count + 1); + if (gi->user_members == NULL) { + ret = ENOMEM; + goto done; + } + for (j = 0; j < count; j++, i++) { + gi->user_members[i] = talloc_steal(gi->user_members, + user_members[j]); + } + gi->user_members[i] = NULL; + + talloc_zfree(user_members); + } + } + + /* list memberofs */ + el = ldb_msg_find_element(msg, SYSDB_MEMBEROF); + if (el) { + ret = parse_memberofs(ldb, el, gi); + if (ret != EOK) { + goto done; + } + } + + *info = gi; + return EOK; +done: + talloc_zfree(gi); + return ret; +} + +/*========Find info about a group and recursively about subgroups====== */ + +int group_show_recurse(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct group_info *root, + struct group_info *parent, + const char **group_members, + const int nmembers, + struct group_info 
***up_members); + +static int group_show_trim_memberof(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *name, + const char **memberofs, + const char ***_direct); + +int group_show(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + bool recursive, + const char *shortname, + struct group_info **res) +{ + struct group_info *root; + static const char *attrs[] = GROUP_SHOW_ATTRS; + struct ldb_message *msg = NULL; + const char **group_members = NULL; + int nmembers = 0; + char *sysdb_fqname = NULL; + int ret; + int i; + + sysdb_fqname = sss_create_internal_fqname(mem_ctx, + shortname, + domain->name); + if (sysdb_fqname == NULL) { + return ENOMEM; + } + + /* First, search for the root group */ + ret = sysdb_search_group_by_name(mem_ctx, domain, sysdb_fqname, attrs, + &msg); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Search failed: %s (%d)\n", strerror(ret), ret); + goto done; + } + + ret = process_group(mem_ctx, sysdb_ctx_get_ldb(sysdb), + msg, domain, NULL, &root, + &group_members, &nmembers); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Group processing failed: %s (%d)\n", + strerror(ret), ret); + goto done; + } + + if (!recursive) { + if (group_members) { + root->group_members = talloc_array(root, + struct group_info *, + nmembers+1); + if (!root->group_members) { + ret = ENOMEM; + goto done; + } + for (i = 0; i < nmembers; i++) { + root->group_members[i] = talloc_zero(root, struct group_info); + if (!root->group_members[i]) { + ret = ENOMEM; + goto done; + } + root->group_members[i]->name = talloc_strdup(root, + group_members[i]); + if (!root->group_members[i]->name) { + ret = ENOMEM; + goto done; + } + } + root->group_members[nmembers] = NULL; + } + + if (root->memberofs == NULL) { + ret = EOK; + goto done; + } + + /* if not recursive, only show the direct parent */ + ret = group_show_trim_memberof(mem_ctx, domain, root->name, + root->memberofs, &root->memberofs); + goto done; + } + + if (group_members == NULL) 
{ + ret = EOK; + goto done; + } + + ret = group_show_recurse(root, sysdb, domain, root, root, + group_members, nmembers, + &root->group_members); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Recursive search failed: %s (%d)\n", strerror(ret), ret); + goto done; + } + + ret = EOK; +done: + if (ret == EOK) { + *res = root; + } + return ret; +} + +/*=========Nonrecursive search should only show direct parent========== */ + +static int group_show_trim_memberof(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *name, + const char **memberofs, + const char ***_direct) +{ + struct ldb_dn *dn; + char *filter; + struct ldb_message **msgs; + size_t count; + const char **direct = NULL; + int ndirect = 0; + int ret; + int i; + + dn = sysdb_group_dn(mem_ctx, domain, name); + if (!dn) { + return ENOMEM; + } + + for (i = 0; memberofs[i]; i++) { + + filter = talloc_asprintf(mem_ctx, "(&(%s=%s)(%s=%s))", + SYSDB_NAME, memberofs[i], + SYSDB_MEMBER, ldb_dn_get_linearized(dn)); + if (!filter) { + return ENOMEM; + } + + ret = sysdb_search_groups(mem_ctx, domain, + filter, NULL, &count, &msgs); + /* ENOENT is OK, the group is just not a direct parent */ + if (ret != EOK && ret != ENOENT) { + return ret; + } + + if (count > 0) { + name = ldb_msg_find_attr_as_string(msgs[0], + SYSDB_NAME, NULL); + if (!name) { + DEBUG(SSSDBG_OP_FAILURE, "Entry %s has no Name Attribute ?!?\n", + ldb_dn_get_linearized(msgs[0]->dn)); + return EFAULT; + } + + direct = talloc_realloc(mem_ctx, direct, + const char *, ndirect + 2); + if (!direct) { + return ENOMEM; + } + + direct[ndirect] = talloc_strdup(direct, name); + if (!direct[ndirect]) { + return ENOMEM; + } + + direct[ndirect + 1] = NULL; + ndirect++; + } + } + + *_direct = direct; + return EOK; +} + +/*==================Recursive search for nested groups================= */ + +int group_show_recurse(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct sss_domain_info *domain, + struct group_info *root, + struct group_info *parent, + 
const char **group_members, + const int nmembers, + struct group_info ***up_members) +{ + struct group_info **groups; + static const char *attrs[] = GROUP_SHOW_ATTRS; + struct ldb_message *msg; + const char **new_group_members = NULL; + int new_nmembers = 0; + int ret; + int i; + + groups = talloc_zero_array(root, + struct group_info *, + nmembers+1); /* trailing NULL */ + + if (!group_members || !group_members[0]) { + return ENOENT; + } + + for (i = 0; i < nmembers; i++) { + /* Skip circular groups */ + if (strcmp(group_members[i], parent->name) == 0) { + continue; + } + + ret = sysdb_search_group_by_name(mem_ctx, domain, group_members[i], + attrs, &msg); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Search failed: %s (%d)\n", strerror(ret), ret); + return EIO; + } + + ret = process_group(root, sysdb_ctx_get_ldb(sysdb), + msg, domain, parent->name, + &groups[i], &new_group_members, &new_nmembers); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Group processing failed: %s (%d)\n", + strerror(ret), ret); + return ret; + } + + /* descend to another level */ + if (new_nmembers > 0) { + ret = group_show_recurse(mem_ctx, sysdb, domain, + root, groups[i], + new_group_members, new_nmembers, + &parent->group_members); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Recursive search failed: %s (%d)\n", + strerror(ret), ret); + return ret; + } + talloc_zfree(new_group_members); + } + } + + *up_members = groups; + return EOK; +} + +/*==================Get info about MPG================================= */ + +static int group_show_mpg(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *shortname, + struct group_info **res) +{ + const char *attrs[] = GROUP_SHOW_MPG_ATTRS; + struct ldb_message *msg; + struct group_info *info; + int ret; + char *sysdb_fqname; + + info = talloc_zero(mem_ctx, struct group_info); + if (!info) { + ret = ENOMEM; + goto fail; + } + + sysdb_fqname = sss_create_internal_fqname(mem_ctx, + shortname, + domain->name); + if (sysdb_fqname == 
NULL) { + return ENOMEM; + } + + ret = sysdb_search_user_by_name(info, domain, sysdb_fqname, attrs, &msg); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Search failed: %s (%d)\n", strerror(ret), ret); + goto fail; + } + + info->name = talloc_strdup(info, + ldb_msg_find_attr_as_string(msg, + SYSDB_NAME, NULL)); + info->gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0); + if (info->gid == 0 || info->name == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "No name or no GID?\n"); + ret = EIO; + goto fail; + } + info->mpg = true; + + *res = info; + return EOK; + +fail: + talloc_zfree(info); + return ret; +} + +/*==================The main program=================================== */ + +static void print_group_info(struct group_info *g, unsigned level) +{ + int i; + char padding[512]; + char fmt[8]; + + snprintf(fmt, 8, "%%%ds", level*PADDING_SPACES); + snprintf(padding, 512, fmt, ""); + + printf(_("%1$s%2$sGroup: %3$s\n"), padding, + g->mpg ? _("Magic Private ") : "", + g->name); + printf(_("%1$sGID number: %2$d\n"), padding, g->gid); + + printf(_("%1$sMember users: "), padding); + if (g->user_members) { + for (i=0; g->user_members[i]; ++i) { + printf("%s%s", i>0 ? "," : "", + g->user_members[i]); + } + } + printf(_("\n%1$sIs a member of: "), padding); + if (g->memberofs) { + for (i=0; g->memberofs[i]; ++i) { + printf("%s%s", i>0 ? 
"," : "", + g->memberofs[i]); + } + } + printf(_("\n%1$sMember groups: "), padding); +} + +static void print_recursive(struct group_info **group_members, unsigned level) +{ + int i; + + if (group_members == NULL) { + return; + } + + level++; + for (i=0; group_members[i]; ++i) { + printf("\n"); + print_group_info(group_members[i], level); + printf("\n"); + print_recursive(group_members[i]->group_members, level); + } +} + +int main(int argc, const char **argv) +{ + int ret = EXIT_SUCCESS; + int pc_debug = SSSDBG_DEFAULT; + bool pc_recursive = false; + const char *pc_groupname = NULL; + struct tools_ctx *tctx = NULL; + struct group_info *root = NULL; + int i; + + poptContext pc = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, + 0, _("The debug level to run with"), NULL }, + { "recursive", 'R', POPT_ARG_NONE, NULL, 'r', + _("Print indirect group members recursively"), NULL }, + POPT_TABLEEND + }; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale failed (%d): %s\n", ret, strerror(ret)); + ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse ops_ctx */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "GROUPNAME"); + while ((ret = poptGetNextOpt(pc)) > 0) { + switch (ret) { + case 'r': + pc_recursive = true; + break; + } + } + + DEBUG_CLI_INIT(pc_debug); + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + pc_groupname = poptGetArg(pc); + if (pc_groupname == NULL) { + BAD_POPT_PARAMS(pc, _("Specify group to show\n"), ret, fini); + } + + CHECK_ROOT(ret, debug_prg_name); + + ret = init_sss_tools(&tctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "init_sss_tools failed (%d): %s\n", ret, strerror(ret)); + if (ret == ENOENT) { + ERROR("Error initializing the tools - no local domain\n"); + } else { + ERROR("Error 
initializing the tools\n"); + } + ret = EXIT_FAILURE; + goto fini; + } + + /* if the domain was not given as part of FQDN, default to local domain */ + ret = parse_name_domain(tctx, pc_groupname); + if (ret != EOK) { + ERROR("Invalid domain specified in FQDN\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* The search itself */ + ret = group_show(tctx, tctx->sysdb, + tctx->local, pc_recursive, tctx->octx->name, &root); + /* Also show MPGs */ + if (ret == ENOENT) { + ret = group_show_mpg(tctx, tctx->local, tctx->octx->name, &root); + } + + /* Process result */ + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb operation failed (%d)[%s]\n", ret, strerror(ret)); + switch (ret) { + case ENOENT: + ERROR("No such group in local domain. " + "Printing groups only allowed in local domain.\n"); + break; + + default: + ERROR("Internal error. Could not print group.\n"); + break; + } + ret = EXIT_FAILURE; + goto fini; + } + + /* print the results */ + print_group_info(root, 0); + if (pc_recursive) { + printf("\n"); + print_recursive(root->group_members, 0); + } else { + if (root->group_members) { + for (i=0; root->group_members[i]; ++i) { + printf("%s%s", i>0 ? "," : "", + root->group_members[i]->name); + } + } + printf("\n"); + } + +fini: + talloc_free(tctx); + poptFreeContext(pc); + exit(ret); +} diff --git a/src/tools/sss_obfuscate b/src/tools/sss_obfuscate new file mode 100644 index 0000000..5981e81 --- /dev/null +++ b/src/tools/sss_obfuscate 
@@ -0,0 +1,123 @@ +#!/usr/bin/python + +from __future__ import print_function + +import sys +from optparse import OptionParser + +import pysss +import SSSDConfig +import getpass + + +def parse_options(): + parser = OptionParser() + parser.set_description("sss_obfuscate converts a given password into \ + human-unreadable format and places it into \ + appropriate domain section of the SSSD config \ + file. The password can be passed in by stdin, \ + specified on the command-line or entered \ + interactively") + parser.add_option("-s", "--stdin", action="store_true", + dest="stdin", default=False, + help="Read the password from stdin.") + parser.add_option("-d", "--domain", + dest="domain", default=None, + help="The domain to use the password in (mandatory)", + metavar="DOMNAME") + parser.add_option("-f", "--file", + dest="filename", default=None, + help="Set input file to FILE (default: Use system " + "default, usually /etc/sssd/sssd.conf)", + metavar="FILE") + (options, args) = parser.parse_args() + + return options, args + + +def main(): + options, args = parse_options() + if not options: + print("Cannot parse options", file=sys.stderr) + return 1 + + if not options.domain: + print("No domain specified", file=sys.stderr) + return 1 + + if not options.stdin: + try: + pprompt = lambda: (getpass.getpass("Enter password: "), + getpass.getpass("Re-enter password: ")) + p1, p2 = pprompt() + + # Work around bug in Python 2.6 + if '\x03' in p1 or '\x03' in p2: + raise KeyboardInterrupt + + while p1 != p2: + print('Passwords do not match. Try again') + p1, p2 = pprompt() + + # Work around bug in Python 2.6 + if '\x03' in p1 or '\x03' in p2: + raise KeyboardInterrupt + password = p1 + + except EOFError: + print('\nUnexpected end-of-file. 
Password change aborted', + file=sys.stderr) + return 1 + except KeyboardInterrupt: + return 1 + + else: + try: + password = sys.stdin.read() + except KeyboardInterrupt: + return 1 + + # Obfuscate the password + obfobj = pysss.password() + obfpwd = obfobj.encrypt(password, obfobj.AES_256) + + # Save the obfuscated password into the domain + try: + sssdconfig = SSSDConfig.SSSDConfig() + except IOError: + print("Cannot read internal configuration files.") + return 1 + try: + sssdconfig.import_config(options.filename) + except IOError: + print("Permissions error reading config file") + return 1 + + try: + domain = sssdconfig.get_domain(options.domain) + except SSSDConfig.NoDomainError: + print("No such domain %s" % options.domain) + return 1 + + try: + domain.set_option('ldap_default_authtok_type', 'obfuscated_password') + domain.set_option('ldap_default_authtok', obfpwd) + except SSSDConfig.NoOptionError: + print("The domain %s does not seem to support the required options" + % options.domain) + return 1 + + sssdconfig.save_domain(domain) + try: + sssdconfig.write() + except IOError: + # File could not be written + print("Could not write to config file. Check that you have the " + "appropriate permissions to edit this file.", file=sys.stderr) + return 1 + + return 0 + +if __name__ == "__main__": + ret = main() + sys.exit(ret) diff --git a/src/tools/sss_override.c b/src/tools/sss_override.c new file mode 100644 index 0000000..21fe62d --- /dev/null +++ b/src/tools/sss_override.c 
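Review bot: In `main()`, the `--stdin` branch hands `sys.stdin.read()` straight to `obfobj.encrypt()`, so a password piped in with a trailing newline is presumably obfuscated with that newline included, and the stored `ldap_default_authtok` would then not match the real password. If one line of input is the intended contract, strip the line ending before encrypting, e.g. `password = sys.stdin.read().rstrip('\r\n')`. Separately, the text passed to `parser.set_description()` says the password can be "specified on the command-line", but `parse_options()` defines only `-s`, `-d` and `-f`; dropping that phrase keeps the help accurate and avoids steering users toward putting a secret in argv. The description could also say that the value written with `ldap_default_authtok_type = obfuscated_password` is obfuscated rather than protected, so the config file's permissions still matter.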
@@ -0,0 +1,1936 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "db/sysdb.h" +#include "tools/common/sss_tools.h" +#include "tools/common/sss_colondb.h" + +#define LOCALVIEW SYSDB_LOCAL_VIEW_NAME +#define ORIGNAME "originalName" + +struct override_user { + const char *input_name; + const char *orig_name; + const char *sysdb_name; + struct sss_domain_info *domain; + + const char *name; + uid_t uid; + gid_t gid; + const char *home; + const char *shell; + const char *gecos; + const char *cert; +}; + +struct override_group { + const char *input_name; + const char *orig_name; + const char *sysdb_name; + struct sss_domain_info *domain; + + const char *name; + gid_t gid; +}; + +static errno_t parse_cmdline(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct poptOption *options, + const char **_input_name, + const char **_orig_name, + struct sss_domain_info **_domain) +{ + enum sss_tool_opt require; + const char *input_name; + const char *orig_name; + struct sss_domain_info *domain; + errno_t ret; + + require = options == NULL ? 
SSS_TOOL_OPT_OPTIONAL : SSS_TOOL_OPT_REQUIRED; + + ret = sss_tool_popt_ex(cmdline, options, require, + NULL, NULL, "NAME", _("Specify name."), + &input_name, NULL); + if (ret != EXIT_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + ret = sss_tool_parse_name(tool_ctx, tool_ctx, input_name, + &orig_name, &domain); + if (ret != EOK) { + fprintf(stderr, _("Unable to parse name %s.\n"), input_name); + return ret; + } + + *_input_name = input_name; + *_orig_name = orig_name; + *_domain = domain; + + return EXIT_SUCCESS; +} + +static errno_t parse_cmdline_user_add(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_user *user) +{ + struct poptOption options[] = { + {"name", 'n', POPT_ARG_STRING, &user->name, 0, _("Override name"), NULL }, + {"uid", 'u', POPT_ARG_INT, &user->uid, 0, _("Override uid (non-zero value)"), NULL }, + {"gid", 'g', POPT_ARG_INT, &user->gid, 0, _("Override gid (non-zero value)"), NULL }, + {"home", 'h', POPT_ARG_STRING, &user->home, 0, _("Override home directory"), NULL }, + {"shell", 's', POPT_ARG_STRING, &user->shell, 0, _("Override shell"), NULL }, + {"gecos", 'c', POPT_ARG_STRING, &user->gecos, 0, _("Override gecos"), NULL }, + {"certificate", 'x', POPT_ARG_STRING, &user->cert, 0, _("Override certificate"), NULL }, + POPT_TABLEEND + }; + + return parse_cmdline(cmdline, tool_ctx, options, &user->input_name, + &user->orig_name, &user->domain); +} + +static errno_t parse_cmdline_user_del(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_user *user) +{ + return parse_cmdline(cmdline, tool_ctx, NULL, &user->input_name, + &user->orig_name, &user->domain); +} + +static errno_t parse_cmdline_user_show(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_user *user) +{ + return parse_cmdline(cmdline, tool_ctx, NULL, &user->input_name, + &user->orig_name, &user->domain); +} + +static errno_t 
parse_cmdline_group_add(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_group *group) +{ + struct poptOption options[] = { + {"name", 'n', POPT_ARG_STRING, &group->name, 0, _("Override name"), NULL }, + {"gid", 'g', POPT_ARG_INT, &group->gid, 0, _("Override gid"), NULL }, + POPT_TABLEEND + }; + + return parse_cmdline(cmdline, tool_ctx, options, &group->input_name, + &group->orig_name, &group->domain); +} + +static errno_t parse_cmdline_group_del(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_group *group) +{ + return parse_cmdline(cmdline, tool_ctx, NULL, &group->input_name, + &group->orig_name, &group->domain); +} + +static errno_t parse_cmdline_group_show(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct override_group *group) +{ + return parse_cmdline(cmdline, tool_ctx, NULL, &group->input_name, + &group->orig_name, &group->domain); +} + +static errno_t parse_cmdline_find(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct sss_domain_info **_dom) +{ + struct sss_domain_info *dom; + const char *domname = NULL; + errno_t ret; + struct poptOption options[] = { + {"domain", 'd', POPT_ARG_STRING | POPT_ARGFLAG_OPTIONAL, + &domname, 0, _("Domain name"), NULL }, + POPT_TABLEEND + }; + + ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL, + NULL, NULL, NULL, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + if (domname == NULL) { + *_dom = NULL; + return EOK; + } + + dom = find_domain_by_name(tool_ctx->domains, domname, true); + if (dom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find domain %s\n", domname); + fprintf(stderr, _("Unable to find domain %s\n"), domname); + return EINVAL; + } + + *_dom = dom; + + return EOK; +} + +static errno_t parse_cmdline_import(struct sss_cmdline *cmdline, + const char **_file) +{ + errno_t ret; + + ret = sss_tool_popt_ex(cmdline, 
NULL, SSS_TOOL_OPT_OPTIONAL, + NULL, NULL, "FILE", "File to import the data from.", + _file, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + return EOK; +} + +static errno_t parse_cmdline_export(struct sss_cmdline *cmdline, + const char **_file) +{ + errno_t ret; + + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, + NULL, NULL, "FILE", "File to export the data to.", + _file, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + return EOK; +} + +static errno_t prepare_view(struct sss_domain_info *domain) +{ + char *viewname = NULL; + errno_t ret; + + ret = sysdb_get_view_name(NULL, domain->sysdb, &viewname); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_get_view_name() failed.\n"); + return ret; + } + + if (ret == EOK) { + if (is_local_view(viewname)) { + DEBUG(SSSDBG_TRACE_FUNC, "%s view is already present.\n", viewname); + ret = EOK; + goto done; + } else if (viewname != NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "There already exists view %s. " + "Only one view is supported. 
Nothing to do.\n", viewname); + ret = EEXIST; + goto done; + } + } + + DEBUG(SSSDBG_TRACE_FUNC, "Creating %s view.\n", LOCALVIEW); + + ret = sysdb_update_view_name(domain->sysdb, LOCALVIEW); + if (ret == EOK) { + printf("SSSD needs to be restarted for the changes to take effect.\n"); + } + +done: + talloc_free(viewname); + return ret; +} + +errno_t prepare_view_msg(struct sss_domain_info *domain) +{ + errno_t ret; + + ret = prepare_view(domain); + if (ret == EEXIST) { + fprintf(stderr, _("Other than " LOCALVIEW " view already exists " + "in domain %s.\n"), domain->name); + } else if (ret != EOK) { + fprintf(stderr, _("Unable to prepare " LOCALVIEW + " view in domain %s.\n"), domain->name); + } + + return ret; +} + +static char *build_anchor(TALLOC_CTX *mem_ctx, const char *obj_dn) +{ + char *anchor; + char *safe_dn; + errno_t ret; + + ret = sysdb_dn_sanitize(mem_ctx, obj_dn, &safe_dn); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_dn_sanitize() failed\n"); + return NULL; + } + + anchor = talloc_asprintf(mem_ctx, ":%s:%s", LOCALVIEW, safe_dn); + + talloc_free(safe_dn); + + return anchor; +} + +static struct sysdb_attrs *build_attrs(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + const char *name, + uid_t uid, + gid_t gid, + const char *home, + const char *shell, + const char *gecos, + const char *cert) +{ + struct sysdb_attrs *attrs; + errno_t ret; + char *fqname; + + attrs = sysdb_new_attrs(mem_ctx); + if (attrs == NULL) { + return NULL; + } + + if (name != NULL) { + fqname = sss_create_internal_fqname(attrs, name, dom->name); + if (fqname == NULL) { + return NULL; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_NAME, fqname); + talloc_free(fqname); + if (ret != EOK) { + goto done; + } + } + + if (uid != 0) { + ret = sysdb_attrs_add_uint32(attrs, SYSDB_UIDNUM, uid); + if (ret != EOK) { + goto done; + } + } + + if (gid != 0) { + ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, gid); + if (ret != EOK) { + goto done; + } + } + + if (home != NULL) { 
+ ret = sysdb_attrs_add_string(attrs, SYSDB_HOMEDIR, home); + if (ret != EOK) { + goto done; + } + } + + if (shell != NULL) { + ret = sysdb_attrs_add_string(attrs, SYSDB_SHELL, shell); + if (ret != EOK) { + goto done; + } + } + + if (gecos != NULL) { + ret = sysdb_attrs_add_string(attrs, SYSDB_GECOS, gecos); + if (ret != EOK) { + goto done; + } + } + + if (cert != NULL) { + ret = sysdb_attrs_add_base64_blob(attrs, SYSDB_USER_CERT, cert); + if (ret != EOK) { + goto done; + } + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(attrs); + return NULL; + } + + return attrs; +} + +static struct sysdb_attrs *build_user_attrs(TALLOC_CTX *mem_ctx, + struct override_user *user) +{ + return build_attrs(mem_ctx, user->domain, user->name, user->uid, user->gid, + user->home, user->shell, user->gecos, user->cert); +} + +static struct sysdb_attrs *build_group_attrs(TALLOC_CTX *mem_ctx, + struct override_group *group) +{ + return build_attrs(mem_ctx, group->domain, group->name, 0, group->gid, + 0, NULL, NULL, NULL); +} + +static char *get_fqname(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *name) +{ + char *fqname = NULL; + char *dummy_domain = NULL; + errno_t ret; + TALLOC_CTX *tmp_ctx; + char *shortname; + struct sss_domain_info *dom; + + if (domain == NULL || domain->names == NULL) { + return NULL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + /* the name stored in sysdb already contains the lowercased domain */ + ret = sss_parse_internal_fqname(tmp_ctx, name, &shortname, &dummy_domain); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_FUNC, + "sss_parse_internal_fqname failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + dom = find_domain_by_name(get_domains_head(domain), dummy_domain, true); + if (dom == NULL) { + goto done; + } + + /* Get length. 
*/ + fqname = sss_tc_fqname(mem_ctx, dom->names, dom, shortname); +done: + talloc_free(tmp_ctx); + return fqname; +} + +static char *get_sysname(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *name) +{ + if (domain == NULL || !domain->fqnames) { + return talloc_strdup(mem_ctx, name); + } + + return sss_tc_fqname(mem_ctx, domain->names, domain, name); +} + +static struct sss_domain_info * +get_object_domain(enum sysdb_member_type type, + const char *name, + struct sss_domain_info *domain, + struct sss_domain_info *domains) +{ + TALLOC_CTX *tmp_ctx; + struct sss_domain_info *dom; + struct ldb_result *res; + const char *strtype; + char *sysname; + char *fqname = NULL; + bool check_next; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return NULL; + } + + sysname = get_sysname(tmp_ctx, domain, name); + if (sysname == NULL) { + ret = ENOMEM; + goto done; + } + + /* Ensure that the object is in cache. */ + switch (type) { + case SYSDB_MEMBER_USER: + if (getpwnam(sysname) == NULL) { + ret = ENOENT; + goto done; + } + break; + case SYSDB_MEMBER_GROUP: + if (getgrnam(sysname) == NULL) { + ret = ENOENT; + goto done; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type); + ret = ERR_INTERNAL; + goto done; + } + + /* Find domain if it is unknown. 
*/ + if (domain == NULL) { + check_next = true; + dom = domains; + } else { + check_next = false; + dom = domain; + } + + do { + talloc_zfree(fqname); + fqname = sss_create_internal_fqname(tmp_ctx, name, dom->name); + if (fqname == NULL) { + ret = ENOMEM; + goto done; + } + + switch (type) { + case SYSDB_MEMBER_USER: + DEBUG(SSSDBG_TRACE_FUNC, "Trying to find user %s@%s\n", + name, dom->name); + ret = sysdb_getpwnam(tmp_ctx, dom, fqname, &res); + strtype = "user"; + break; + case SYSDB_MEMBER_GROUP: + DEBUG(SSSDBG_TRACE_FUNC, "Trying to find group %s@%s\n", + name, dom->name); + ret = sysdb_getgrnam(tmp_ctx, dom, fqname, &res); + strtype = "group"; + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type); + ret = ERR_INTERNAL; + goto done; + } + + if (ret == EOK && res->count == 0) { + ret = ENOENT; + + if (check_next) { + dom = dom->next; + continue; + } + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find %s %s@%s [%d]: %s\n", + strtype, name, dom->name, ret, sss_strerror(ret)); + goto done; + } else if (res->count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More than one %s found?\n", strtype); + ret = ERR_INTERNAL; + goto done; + } + + check_next = false; + } while (check_next && dom != NULL); + + if (dom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "No domain match for %s\n", name); + ret = ENOENT; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Domain of %s %s is %s\n", + strtype, name, dom->name); + +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + return NULL; + } + + return dom; +} + +static errno_t get_user_domain_msg(struct sss_tool_ctx *tool_ctx, + struct override_user *user) +{ + struct sss_domain_info *newdom; + const char *domname; + + newdom = get_object_domain(SYSDB_MEMBER_USER, user->orig_name, + user->domain, tool_ctx->domains); + if (newdom == NULL) { + domname = user->domain == NULL ? 
"[unknown]" : user->domain->name; + fprintf(stderr, _("Unable to find user %s@%s.\n"), + user->orig_name, domname); + return ENOENT; + } + + user->sysdb_name = sss_create_internal_fqname(tool_ctx, user->orig_name, + newdom->name); + if (user->sysdb_name == NULL) { + return ENOMEM; + } + + user->domain = newdom; + return EOK; +} + +static errno_t get_group_domain_msg(struct sss_tool_ctx *tool_ctx, + struct override_group *group) +{ + struct sss_domain_info *newdom; + const char *domname; + + newdom = get_object_domain(SYSDB_MEMBER_GROUP, group->orig_name, + group->domain, tool_ctx->domains); + if (newdom == NULL) { + domname = group->domain == NULL ? "[unknown]" : group->domain->name; + fprintf(stderr, _("Unable to find group %s@%s.\n"), + group->orig_name, domname); + return ENOENT; + } + + group->sysdb_name = sss_create_internal_fqname(tool_ctx, group->orig_name, + newdom->name); + if (group->sysdb_name == NULL) { + return ENOMEM; + } + + group->domain = newdom; + return EOK; +} + +static errno_t get_object_dn(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + enum sysdb_member_type type, + const char *name, + struct ldb_dn **_ldb_dn, + const char **_str_dn) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_dn *ldb_dn; + const char *str_dn; + errno_t ret; + struct ldb_result *res; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + switch (type) { + case SYSDB_MEMBER_USER: + ret = sysdb_getpwnam(tmp_ctx, domain, name, &res); + break; + case SYSDB_MEMBER_GROUP: + ret = sysdb_getgrnam(tmp_ctx, domain, name, &res); + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported member type %d\n", type); + ret = ERR_INTERNAL; + goto done; + } + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to look up original object in cache.\n"); + goto done; + } + + if (res->count == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "Original object not found in cache.\n"); + ret = ENOENT; + goto done; + } 
else if (res->count > 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "There are multiple object with name [%s] in the cache.\n", name); + ret = EINVAL; + goto done; + } + + ldb_dn = res->msgs[0]->dn; + + if (ldb_dn == NULL) { + ret = ENOMEM; + goto done; + } + + if (_str_dn != NULL) { + str_dn = talloc_strdup(tmp_ctx, ldb_dn_get_linearized(ldb_dn)); + if (str_dn == NULL) { + ret = ENOMEM; + goto done; + } + + *_str_dn = talloc_steal(mem_ctx, str_dn); + } + + if (_ldb_dn != NULL) { + *_ldb_dn = talloc_steal(mem_ctx, ldb_dn); + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t override_object_add(struct sss_domain_info *domain, + enum sysdb_member_type type, + struct sysdb_attrs *attrs, + const char *name) +{ + TALLOC_CTX *tmp_ctx; + const char *anchor; + struct ldb_dn *ldb_dn; + const char *str_dn; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = get_object_dn(tmp_ctx, domain, type, name, &ldb_dn, &str_dn); + if (ret != EOK) { + goto done; + } + + anchor = build_anchor(tmp_ctx, str_dn); + if (anchor == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_attrs_add_string(attrs, SYSDB_OVERRIDE_ANCHOR_UUID, anchor); + if (ret != EOK) { + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Creating override for %s\n", str_dn); + + ret = sysdb_store_override(domain, LOCALVIEW, type, attrs, ldb_dn); + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t override_fqn(TALLOC_CTX *mem_ctx, + struct sss_tool_ctx *tool_ctx, + struct sss_domain_info *domain, + const char *input, + const char **_name) +{ + struct sss_domain_info *dom; + errno_t ret; + + if (input == NULL) { + return EOK; + } + + ret = sss_tool_parse_name(mem_ctx, tool_ctx, input, _name, &dom); + if (ret == EAGAIN) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to find domain from " + "fqn %s\n", input); + fprintf(stderr, _("Changing domain is not allowed!\n")); + ret = EINVAL; + } else if (ret == EOK && dom != NULL && dom != domain) 
{ + DEBUG(SSSDBG_OP_FAILURE, "Trying to change domain from " + "%s to %s, not allowed!\n", domain->name, dom->name); + fprintf(stderr, _("Changing domain is not allowed!\n")); + ret = EINVAL; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name %s [%d]: %s\n", + input, ret, sss_strerror(ret)); + } + + return ret; +} + +static errno_t override_user(struct sss_tool_ctx *tool_ctx, + struct override_user *input_user) +{ + TALLOC_CTX *tmp_ctx; + struct override_user user; + struct sysdb_attrs *attrs; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + user = *input_user; + + /* We need to parse the name and ensure that domain did not change. */ + ret = override_fqn(tmp_ctx, tool_ctx, user.domain, user.name, &user.name); + if (ret != EOK) { + goto done; + } + + ret = prepare_view_msg(user.domain); + if (ret != EOK) { + goto done; + } + + attrs = build_user_attrs(tool_ctx, &user); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build sysdb attrs.\n"); + ret = ENOMEM; + goto done; + } + + ret = override_object_add(user.domain, SYSDB_MEMBER_USER, attrs, + user.sysdb_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t override_group(struct sss_tool_ctx *tool_ctx, + struct override_group *input_group) +{ + TALLOC_CTX *tmp_ctx; + struct override_group group; + struct sysdb_attrs *attrs; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + group = *input_group; + + /* We need to parse the name and ensure that domain did not change. 
*/ + ret = override_fqn(tmp_ctx, tool_ctx, group.domain, group.name, + &group.name); + if (ret != EOK) { + goto done; + } + + ret = prepare_view_msg(group.domain); + if (ret != EOK) { + goto done; + } + + attrs = build_group_attrs(tool_ctx, &group); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to build sysdb attrs.\n"); + ret = ENOMEM; + goto done; + } + + ret = override_object_add(group.domain, SYSDB_MEMBER_GROUP, attrs, + group.sysdb_name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add override object.\n"); + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t override_object_del(struct sss_domain_info *domain, + enum sysdb_member_type type, + const char *name) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_message *msg; + struct ldb_dn *override_dn; + struct ldb_dn *ldb_dn; + const char *str_dn; + const char *anchor; + errno_t ret; + int sret; + bool in_transaction = false; + struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb); + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = get_object_dn(tmp_ctx, domain, type, name, &ldb_dn, &str_dn); + if (ret != EOK) { + goto done; + } + + anchor = build_anchor(tmp_ctx, str_dn); + if (anchor == NULL) { + ret = ENOMEM; + goto done; + } + + override_dn = ldb_dn_new_fmt(tmp_ctx, ldb, + SYSDB_TMPL_OVERRIDE, anchor, LOCALVIEW); + if (override_dn == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Removing override for %s\n", str_dn); + + ret = sysdb_transaction_start(domain->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_start() failed.\n"); + goto done; + } + in_transaction = true; + + ret = sysdb_delete_entry(domain->sysdb, override_dn, true); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_delete_entry() failed.\n"); + goto done; + } + + msg = ldb_msg_new(tmp_ctx); + if (msg == NULL) { + ret = ENOMEM; + goto done; + } + + msg->dn = talloc_steal(msg, ldb_dn); 
+ if (msg->dn == NULL) { + ret = ENOMEM; + goto done; + } + + ret = ldb_msg_add_empty(msg, SYSDB_OVERRIDE_DN, LDB_FLAG_MOD_DELETE, NULL); + if (ret != LDB_SUCCESS) { + DEBUG(SSSDBG_OP_FAILURE, "ldb_msg_add_empty() failed\n"); + ret = sysdb_error_to_errno(ret); + goto done; + } + + ret = ldb_modify(ldb, msg); + if (ret != LDB_SUCCESS && ret != LDB_ERR_NO_SUCH_ATTRIBUTE) { + DEBUG(SSSDBG_OP_FAILURE, + "ldb_modify() failed: [%s](%d)[%s]\n", + ldb_strerror(ret), ret, ldb_errstring(ldb)); + ret = sysdb_error_to_errno(ret); + goto done; + } + + ret = sysdb_transaction_commit(domain->sysdb); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + ret = EOK; + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(domain->sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not cancel transaction\n"); + } + } + + talloc_free(tmp_ctx); + return ret; +} + +static errno_t append_name(struct sss_domain_info *domain, + struct ldb_message *override) +{ + TALLOC_CTX *tmp_ctx; + struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb); + struct ldb_dn *dn; + struct ldb_message **msgs; + const char *attrs[] = {SYSDB_NAME, NULL}; + const char *name; + const char *fqname; + size_t count; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n"); + return ENOMEM; + } + + dn = ldb_msg_find_attr_as_dn(ldb, tmp_ctx, override, + SYSDB_OVERRIDE_OBJECT_DN); + if (dn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing overrideObjectDN?\n"); + ret = ERR_INTERNAL; + goto done; + } + + ret = sysdb_search_entry(tmp_ctx, domain->sysdb, dn, LDB_SCOPE_BASE, + NULL, attrs, &count, &msgs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry() failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } else if (count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "More than one user found?\n"); + ret = ERR_INTERNAL; + goto done; 
+ }
+
+ name = ldb_msg_find_attr_as_string(msgs[0], SYSDB_NAME, NULL);
+ if (name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Object with no name?\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ fqname = get_fqname(tmp_ctx, domain, name);
+ if (fqname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get fqname\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = ldb_msg_add_string(override, ORIGNAME, fqname);
+ if (ret != LDB_SUCCESS) {
+ ret = sysdb_error_to_errno(ret);
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add attribute to msg\n");
+ goto done;
+ }
+
+ talloc_steal(override, fqname);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static errno_t list_overrides(TALLOC_CTX *mem_ctx,
+ const char *base_filter,
+ const char *ext_filter,
+ const char **attrs,
+ struct sss_domain_info *domain,
+ size_t *_count,
+ struct ldb_message ***_msgs)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct ldb_dn *dn;
+ struct ldb_context *ldb = sysdb_ctx_get_ldb(domain->sysdb);
+ size_t count;
+ struct ldb_message **msgs;
+ const char *filter;
+ size_t i;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return ENOMEM;
+ }
+
+ filter = base_filter;
+ if (ext_filter != NULL) {
+ filter = talloc_asprintf(tmp_ctx, "(&%s%s)", filter, ext_filter);
+ if (filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ /* Acquire list of override objects. 
*/
+ dn = ldb_dn_new_fmt(tmp_ctx, ldb, SYSDB_TMPL_VIEW_SEARCH_BASE, LOCALVIEW);
+ if (dn == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_new_fmt() failed.\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sysdb_search_entry(tmp_ctx, domain->sysdb, dn, LDB_SCOPE_SUBTREE,
+ filter, attrs, &count, &msgs);
+ if (ret == ENOENT) {
+ *_msgs = NULL;
+ *_count = 0;
+ ret = EOK;
+ goto done;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_search_entry() failed [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+
+ /* Amend messages with original name. */
+ for (i = 0; i < count; i++) {
+ ret = append_name(domain, msgs[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to append name [%d]: %s\n",
+ ret, sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ *_msgs = talloc_steal(mem_ctx, msgs);
+ *_count = count;
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static struct override_user *
+list_user_overrides(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *filter)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct override_user *objs;
+ struct ldb_message **msgs;
+ size_t count;
+ size_t i;
+ errno_t ret;
+ const char *attrs[] = SYSDB_PW_ATTRS;
+ struct ldb_message_element *el;
+ const char *fqname;
+ char *name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return NULL;
+ }
+
+ ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_USER_CLASS ")",
+ filter, attrs, domain, &count, &msgs);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ objs = talloc_zero_array(tmp_ctx, struct override_user, count + 1);
+ if (objs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < count; i++) {
+ objs[i].orig_name = ldb_msg_find_attr_as_string(msgs[i], ORIGNAME,
+ NULL);
+ if (objs[i].orig_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing name?!\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+
+ fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
+ if 
(fqname != NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
+ if (ret != EOK) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+ objs[i].name = talloc_steal(objs, name);
+ }
+
+ objs[i].uid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_UIDNUM, 0);
+ objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
+ objs[i].home = ldb_msg_find_attr_as_string(msgs[i], SYSDB_HOMEDIR, NULL);
+ objs[i].shell = ldb_msg_find_attr_as_string(msgs[i], SYSDB_SHELL, NULL);
+ objs[i].gecos = ldb_msg_find_attr_as_string(msgs[i], SYSDB_GECOS, NULL);
+
+ el = ldb_msg_find_element(msgs[i], SYSDB_USER_CERT);
+ if (el != NULL && el->num_values > 0) {
+ /* Currently we support only 1 certificate override */
+ objs[i].cert = sss_base64_encode(objs, el->values[0].data,
+ el->values[0].length);
+ if (objs[i].cert == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_base64_encode failed.\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+ } else {
+ objs[i].cert = NULL;
+ }
+
+ talloc_steal(objs, objs[i].orig_name);
+ talloc_steal(objs, objs[i].home);
+ talloc_steal(objs, objs[i].shell);
+ talloc_steal(objs, objs[i].gecos);
+ }
+
+ talloc_steal(mem_ctx, objs);
+
+done:
+ talloc_free(tmp_ctx);
+
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return objs;
+}
+
+static struct override_group *
+list_group_overrides(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *filter)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct override_group *objs;
+ struct ldb_message **msgs;
+ size_t count;
+ size_t i;
+ errno_t ret;
+ const char *attrs[] = SYSDB_GRSRC_ATTRS;
+ const char *fqname;
+ char *name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return NULL;
+ }
+
+ ret = list_overrides(tmp_ctx, "(objectClass=" SYSDB_OVERRIDE_GROUP_CLASS ")",
+ filter, attrs, domain, &count, &msgs);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ objs = talloc_zero_array(tmp_ctx, struct override_group, count + 1);
+ if (objs == NULL) {
+ ret = 
ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < count; i++) {
+ objs[i].orig_name = ldb_msg_find_attr_as_string(msgs[i], ORIGNAME,
+ NULL);
+ if (objs[i].orig_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing name?!\n");
+ ret = ERR_INTERNAL;
+ goto done;
+ }
+ talloc_steal(objs, objs[i].orig_name);
+
+ fqname = ldb_msg_find_attr_as_string(msgs[i], SYSDB_NAME, NULL);
+ if (fqname != NULL) {
+ ret = sss_parse_internal_fqname(tmp_ctx, fqname, &name, NULL);
+ if (ret != EOK) {
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+ objs[i].name = talloc_steal(objs, name);
+ }
+
+ objs[i].gid = ldb_msg_find_attr_as_uint(msgs[i], SYSDB_GIDNUM, 0);
+ }
+
+ talloc_steal(mem_ctx, objs);
+
+done:
+ talloc_free(tmp_ctx);
+
+ if (ret != EOK) {
+ return NULL;
+ }
+
+ return objs;
+}
+
+static errno_t user_export(const char *filename,
+ struct sss_domain_info *dom,
+ bool iterate,
+ const char *filter)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sss_colondb *db;
+ struct override_user *objs;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ db = sss_colondb_open(tmp_ctx, SSS_COLONDB_WRITE, filename);
+ if (db == NULL) {
+ fprintf(stderr, _("Unable to open %s.\n"),
+ filename == NULL ? 
"stdout" : filename);
+ ret = EIO;
+ goto done;
+ }
+
+ do {
+ objs = list_user_overrides(tmp_ctx, dom, filter);
+ if (objs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; objs[i].orig_name != NULL; i++) {
+ /**
+ * Format: orig_name:name:uid:gid:gecos:home:shell:certificate
+ */
+ struct sss_colondb_write_field table[] = {
+ {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
+ {SSS_COLONDB_STRING, {.str = objs[i].name}},
+ {SSS_COLONDB_UINT32, {.uint32 = objs[i].uid}},
+ {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
+ {SSS_COLONDB_STRING, {.str = objs[i].gecos}},
+ {SSS_COLONDB_STRING, {.str = objs[i].home}},
+ {SSS_COLONDB_STRING, {.str = objs[i].shell}},
+ {SSS_COLONDB_STRING, {.str = objs[i].cert}},
+ {SSS_COLONDB_SENTINEL, {0}}
+ };
+
+ ret = sss_colondb_writeline(db, table);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
+ goto done;
+ }
+ }
+
+ /* All overrides are under the same subtree, so we don't want to
+ * descent into subdomains. */
+ dom = get_next_domain(dom, false);
+ } while (dom != NULL && iterate);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static errno_t group_export(const char *filename,
+ struct sss_domain_info *dom,
+ bool iterate,
+ const char *filter)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sss_colondb *db;
+ struct override_group *objs;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+
+ db = sss_colondb_open(tmp_ctx, SSS_COLONDB_WRITE, filename);
+ if (db == NULL) {
+ fprintf(stderr, _("Unable to open %s.\n"),
+ filename == NULL ? 
"stdout" : filename);
+ ret = EIO;
+ goto done;
+ }
+
+ do {
+ objs = list_group_overrides(tmp_ctx, dom, filter);
+ if (objs == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get override objects\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; objs[i].orig_name != NULL; i++) {
+ /**
+ * Format: orig_name:name:gid
+ */
+ struct sss_colondb_write_field table[] = {
+ {SSS_COLONDB_STRING, {.str = objs[i].orig_name}},
+ {SSS_COLONDB_STRING, {.str = objs[i].name}},
+ {SSS_COLONDB_UINT32, {.uint32 = objs[i].gid}},
+ {SSS_COLONDB_SENTINEL, {0}}
+ };
+
+ ret = sss_colondb_writeline(db, table);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to write line to db\n");
+ goto done;
+ }
+ }
+
+ /* All overrides are under the same subtree, so we don't want to
+ * descent into subdomains. */
+ dom = get_next_domain(dom, false);
+ } while (dom != NULL && iterate);
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+static int override_user_add(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct override_user user = {NULL};
+ errno_t ret;
+
+ ret = parse_cmdline_user_add(cmdline, tool_ctx, &user);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ ret = get_user_domain_msg(tool_ctx, &user);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = override_user(tool_ctx, &user);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_user_del(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct override_user user = {NULL};
+ errno_t ret;
+
+ ret = parse_cmdline_user_del(cmdline, tool_ctx, &user);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ ret = get_user_domain_msg(tool_ctx, &user);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = override_object_del(user.domain, SYSDB_MEMBER_USER, user.sysdb_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, 
"Unable to delete override object.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_user_find(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sss_domain_info *dom;
+ bool iterate;
+ errno_t ret;
+
+ ret = parse_cmdline_find(cmdline, tool_ctx, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ if (dom == NULL) {
+ dom = tool_ctx->domains;
+ iterate = true;
+ } else {
+ iterate = false;
+ }
+
+ ret = user_export(NULL, dom, iterate, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_user_show(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct override_user input = {NULL};
+ const char *dn;
+ char *anchor;
+ const char *filter;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return ENOMEM;
+ }
+
+ ret = parse_cmdline_user_show(cmdline, tool_ctx, &input);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ goto done;
+ }
+
+ ret = get_user_domain_msg(tool_ctx, &input);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object domain\n");
+ goto done;
+ }
+
+ ret = get_object_dn(tmp_ctx, input.domain, SYSDB_MEMBER_USER,
+ input.sysdb_name, NULL, &dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object dn\n");
+ goto done;
+ }
+
+ anchor = build_anchor(tmp_ctx, dn);
+ if (anchor == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(tmp_ctx, anchor, &anchor);
+ if (ret != EOK) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
+ SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+ if (filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = user_export(NULL, 
input.domain, false, filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int override_user_import(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sss_colondb *db;
+ const char *filename;
+ struct override_user obj;
+ int linenum = 1;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return EXIT_FAILURE;
+ }
+
+ /**
+ * Format: orig_name:name:uid:gid:gecos:home:shell:certificate
+ */
+ struct sss_colondb_read_field table[] = {
+ {SSS_COLONDB_STRING, {.str = &obj.input_name}},
+ {SSS_COLONDB_STRING, {.str = &obj.name}},
+ {SSS_COLONDB_UINT32, {.uint32 = &obj.uid}},
+ {SSS_COLONDB_UINT32, {.uint32 = &obj.gid}},
+ {SSS_COLONDB_STRING, {.str = &obj.gecos}},
+ {SSS_COLONDB_STRING, {.str = &obj.home}},
+ {SSS_COLONDB_STRING, {.str = &obj.shell}},
+ {SSS_COLONDB_STRING, {.str = &obj.cert}},
+ {SSS_COLONDB_SENTINEL, {0}}
+ };
+
+ ret = parse_cmdline_import(cmdline, &filename);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ goto done;
+ }
+
+ db = sss_colondb_open(tool_ctx, SSS_COLONDB_READ, filename);
+ if (db == NULL) {
+ fprintf(stderr, _("Unable to open %s.\n"), filename);
+ ret = EIO;
+ goto done;
+ }
+
+ while ((ret = sss_colondb_readline(tmp_ctx, db, table)) == EOK) {
+ linenum++;
+
+ ret = sss_tool_parse_name(tool_ctx, tool_ctx, obj.input_name,
+ &obj.orig_name, &obj.domain);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to parse name %s.\n"), obj.input_name);
+ goto done;
+ }
+
+ ret = get_user_domain_msg(tool_ctx, &obj);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = override_user(tool_ctx, &obj);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ talloc_free_children(tmp_ctx);
+ }
+
+ if (ret != EOF) {
+ fprintf(stderr, _("Invalid format on line %d. 
"
+ "Use --debug option for more information.\n"), linenum);
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int override_user_export(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ const char *filename;
+ errno_t ret;
+
+ ret = parse_cmdline_export(cmdline, &filename);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ ret = user_export(filename, tool_ctx->domains, true, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export users\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_group_add(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct override_group group = {NULL};
+ errno_t ret;
+
+ ret = parse_cmdline_group_add(cmdline, tool_ctx, &group);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ ret = get_group_domain_msg(tool_ctx, &group);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = override_group(tool_ctx, &group);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_group_del(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct override_group group = {NULL};
+ errno_t ret;
+
+ ret = parse_cmdline_group_del(cmdline, tool_ctx, &group);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ ret = get_group_domain_msg(tool_ctx, &group);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = override_object_del(group.domain, SYSDB_MEMBER_GROUP,
+ group.sysdb_name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to delete override object.\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_group_find(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sss_domain_info *dom;
+ bool iterate;
+ errno_t ret;
+
+ ret = parse_cmdline_find(cmdline, 
tool_ctx, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ if (dom == NULL) {
+ dom = tool_ctx->domains;
+ iterate = true;
+ } else {
+ iterate = false;
+ }
+
+ ret = group_export(NULL, dom, iterate, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+static int override_group_show(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct override_group input = {NULL};
+ const char *dn;
+ char *anchor;
+ const char *filter;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return ENOMEM;
+ }
+
+ ret = parse_cmdline_group_show(cmdline, tool_ctx, &input);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ goto done;
+ }
+
+ ret = get_group_domain_msg(tool_ctx, &input);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object domain\n");
+ goto done;
+ }
+
+ ret = get_object_dn(tmp_ctx, input.domain, SYSDB_MEMBER_GROUP,
+ input.sysdb_name, NULL, &dn);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get object dn\n");
+ goto done;
+ }
+
+ anchor = build_anchor(tmp_ctx, dn);
+ if (anchor == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sss_filter_sanitize(tmp_ctx, anchor, &anchor);
+ if (ret != EOK) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ filter = talloc_asprintf(tmp_ctx, "(%s=%s)",
+ SYSDB_OVERRIDE_ANCHOR_UUID, anchor);
+ if (filter == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = group_export(NULL, input.domain, false, filter);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int override_group_import(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx 
*tool_ctx,
+ void *pvt)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sss_colondb *db;
+ const char *filename;
+ struct override_group obj;
+ int linenum = 1;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed.\n");
+ return ENOMEM;
+ }
+
+ /**
+ * Format: orig_name:name:gid
+ */
+ struct sss_colondb_read_field table[] = {
+ {SSS_COLONDB_STRING, {.str = &obj.input_name}},
+ {SSS_COLONDB_STRING, {.str = &obj.name}},
+ {SSS_COLONDB_UINT32, {.uint32 = &obj.gid}},
+ {SSS_COLONDB_SENTINEL, {0}}
+ };
+
+ ret = parse_cmdline_import(cmdline, &filename);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ goto done;
+ }
+
+ db = sss_colondb_open(tool_ctx, SSS_COLONDB_READ, filename);
+ if (db == NULL) {
+ fprintf(stderr, _("Unable to open %s.\n"), filename);
+ ret = EIO;
+ goto done;
+ }
+
+ while ((ret = sss_colondb_readline(tmp_ctx, db, table)) == EOK) {
+ linenum++;
+
+ ret = sss_tool_parse_name(tool_ctx, tool_ctx, obj.input_name,
+ &obj.orig_name, &obj.domain);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to parse name %s.\n"), obj.input_name);
+ goto done;
+ }
+
+ ret = get_group_domain_msg(tool_ctx, &obj);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = override_group(tool_ctx, &obj);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ talloc_free_children(tmp_ctx);
+ }
+
+ if (ret != EOF) {
+ fprintf(stderr, _("Invalid format on line %d. 
"
+ "Use --debug option for more information.\n"), linenum);
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int override_group_export(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ const char *filename;
+ errno_t ret;
+
+ ret = parse_cmdline_export(cmdline, &filename);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command line.\n");
+ return ret;
+ }
+
+ ret = group_export(filename, tool_ctx->domains, true, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to export groups\n");
+ return ret;
+ }
+
+ return EOK;
+}
+
+int main(int argc, const char **argv)
+{
+ struct sss_route_cmd commands[] = {
+ SSS_TOOL_COMMAND_NOMSG("user-add", 0, override_user_add),
+ SSS_TOOL_COMMAND_NOMSG("user-del", 0, override_user_del),
+ SSS_TOOL_COMMAND_NOMSG("user-find", 0, override_user_find),
+ SSS_TOOL_COMMAND_NOMSG("user-show", 0, override_user_show),
+ SSS_TOOL_COMMAND_NOMSG("user-import", 0, override_user_import),
+ SSS_TOOL_COMMAND_NOMSG("user-export", 0, override_user_export),
+ SSS_TOOL_COMMAND_NOMSG("group-add", 0, override_group_add),
+ SSS_TOOL_COMMAND_NOMSG("group-del", 0, override_group_del),
+ SSS_TOOL_COMMAND_NOMSG("group-find", 0, override_group_find),
+ SSS_TOOL_COMMAND_NOMSG("group-show", 0, override_group_show),
+ SSS_TOOL_COMMAND_NOMSG("group-import", 0, override_group_import),
+ SSS_TOOL_COMMAND_NOMSG("group-export", 0, override_group_export),
+ SSS_TOOL_LAST
+ };
+
+ return sss_tool_main(argc, argv, commands, NULL);
+}
diff --git a/src/tools/sss_seed.c b/src/tools/sss_seed.c
new file mode 100644
index 0000000..c11500b
--- /dev/null
+++ b/src/tools/sss_seed.c
@@ -0,0 +1,873 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "tools/tools_util.h"
+#include "tools/sss_sync_ops.h"
+#include "confdb/confdb.h"
+
+#ifndef BUFSIZE
+#define BUFSIZE 1024
+#endif
+
+#ifndef PASS_MAX
+#define PASS_MAX 64
+#endif
+
+enum seed_pass_method {
+ PASS_PROMPT,
+ PASS_FILE
+};
+
+struct user_ctx {
+ char *domain_name;
+
+ char *name;
+ uid_t uid;
+ gid_t gid;
+ char *gecos;
+ char *home;
+ char *shell;
+
+ char *password;
+};
+
+struct seed_ctx {
+ struct confdb_ctx *confdb;
+ struct sss_domain_info *domain;
+ struct sysdb_ctx *sysdb;
+
+ struct user_ctx *uctx;
+
+ char *password_file;
+ enum seed_pass_method password_method;
+
+ bool interact;
+ bool user_cached;
+};
+
+
+static int seed_prompt(const char *req)
+{
+ ssize_t len = 0;
+ size_t i = 0;
+ char *prompt = NULL;
+ int ret = EOK;
+
+ prompt = talloc_asprintf(NULL, _("Enter %s:"), req);
+ if (prompt == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ while (prompt[i] != '\0') {
+ errno = 0;
+ len = sss_atomic_write_s(STDOUT_FILENO, &prompt[i++], 1);
+ if (len == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "write failed [%d][%s].\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ }
+
+done:
+ talloc_free(prompt);
+ return ret;
+}
+
+static int seed_str_input(TALLOC_CTX *mem_ctx,
+ const char *req,
+ char **_input)
+{
+ char buf[BUFSIZE+1];
+ size_t len = 0;
+ size_t bytes_read = 0;
+ int ret = EOK;
+
+ ret = seed_prompt(req);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ errno = 0;
+ while ((bytes_read = sss_atomic_read_s(STDIN_FILENO, buf+len, 1)) != 0) {
+ if (bytes_read == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n",
+ ret, strerror(ret));
+ return ret;
+ }
+ if (buf[len] == '\n' || len == BUFSIZE) {
+ buf[len] = '\0';
+ break;
+ }
+ len += bytes_read;
+ }
+
+ *_input = talloc_strdup(mem_ctx, buf);
+ if 
(*_input == NULL) {
+ ret = ENOMEM;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate input\n");
+ }
+
+ return ret;
+}
+
+static int seed_id_input(const char *req,
+ uid_t *_id_input)
+{
+ char buf[BUFSIZE+1];
+ size_t len = 0;
+ size_t bytes_read = 0;
+ char *endptr = NULL;
+ int ret = EOK;
+
+ ret = seed_prompt(req);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ errno = 0;
+ while ((bytes_read = sss_atomic_read_s(STDIN_FILENO, buf+len, 1)) != 0) {
+ if (bytes_read == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n",
+ ret, strerror(ret));
+ return ret;
+ }
+ if (buf[len] == '\n' || len == BUFSIZE) {
+ buf[len] = '\0';
+ break;
+ }
+ len += bytes_read;
+ }
+
+ if (isdigit(*buf)) {
+ errno = 0;
+ *_id_input = (uid_t)strtoll(buf, &endptr, 10);
+ if (errno != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE, "strtoll failed on [%s]: [%d][%s].\n",
+ (char *)buf, ret, strerror(ret));
+ return ret;
+ }
+ if (*endptr != '\0') {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "extra characters [%s] after ID [%"SPRIuid"]\n",
+ endptr, *_id_input);
+ }
+ } else {
+ ret = EINVAL;
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get %s input.\n", req);
+ }
+
+ return ret;
+}
+
+static int seed_password_input_prompt(TALLOC_CTX *mem_ctx, char **_password)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *password = NULL;
+ char *temp = NULL;
+ int ret = EOK;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate temp context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ temp = getpass("Enter temporary password:");
+ if (temp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get prompted password\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* Do not allow empty passwords */
+ if (strlen(temp) == 0) {
+ ERROR("Empty passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ password = talloc_strdup(tmp_ctx, temp);
+ if (password == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
+
+ temp = getpass("Enter temporary password again:");
+ if (temp == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to get prompted password\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (strncmp(temp,password,strlen(password)) != 0) {
+ ERROR("Passwords do not match\n");
+ DEBUG(SSSDBG_MINOR_FAILURE, "Provided passwords do not match\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ *_password = talloc_steal(mem_ctx, password);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int seed_password_input_file(TALLOC_CTX *mem_ctx,
+ char *filename,
+ char **_password)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *password = NULL;
+ int len = 0;
+ uint8_t buf[PASS_MAX+1];
+ int fd = -1;
+ int ret = EOK;
+ int valid_i;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate temp context\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ fd = open(filename, O_RDONLY);
+ if (fd == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to open password file "
+ "[%s] [%d][%s]\n",
+ filename, errno, strerror(errno));
+ ret = EINVAL;
+ goto done;
+ }
+
+ errno = 0;
+ len = sss_atomic_read_s(fd, buf, PASS_MAX + 1);
+ if (len == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to read password from file "
+ "[%s] [%d][%s]\n",
+ filename, ret, strerror(ret));
+ close(fd);
+ goto done;
+ }
+
+ close(fd);
+
+ if (len > PASS_MAX) {
+ ERROR("Password file too big.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ buf[len] = '\0';
+
+ /* Only the first line is valid (without '\n'). */
+ for (valid_i = -1; valid_i + 1 < len; valid_i++) {
+ if (buf[valid_i + 1] == '\n') {
+ buf[valid_i + 1] = '\0';
+ break;
+ }
+ }
+
+ /* Do not allow empty passwords. */
+ if (valid_i < 0) {
+ ERROR("Empty passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ /* valid_i is the last valid index of the password followed by \0.
+ * If characters other than \n occur int the rest of the file, it
+ * is an error. 
*/
+ for (i = valid_i + 2; i < len; i++) {
+ if (buf[i] != '\n') {
+ ERROR("Multi-line passwords are not allowed.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ password = talloc_strdup(tmp_ctx, (char *)buf);
+ if (password == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_password = talloc_steal(mem_ctx, password);
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int seed_interactive_input(TALLOC_CTX *mem_ctx,
+ struct user_ctx *uctx,
+ struct user_ctx **_uctx)
+{
+ struct user_ctx *input_uctx = NULL;
+ int ret = EOK;
+
+ input_uctx = talloc_zero(NULL, struct user_ctx);
+ if (input_uctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (uctx->name == NULL) {
+ ret = seed_str_input(input_uctx, _("username"), &input_uctx->name);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Username interactive input failed.\n");
+ goto done;
+ }
+ } else {
+ input_uctx->name = talloc_strdup(input_uctx, uctx->name);
+ if (input_uctx->name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (uctx->uid == 0) {
+ ret = seed_id_input(_("UID"), &input_uctx->uid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "UID interactive input failed.\n");
+ goto done;
+ }
+ } else {
+ input_uctx->uid = uctx->uid;
+ }
+
+ if (uctx->gid == 0) {
+ ret = seed_id_input(_("GID"), &input_uctx->gid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "GID interactive input failed.\n");
+ goto done;
+ }
+ } else {
+ input_uctx->gid = uctx->gid;
+ }
+
+ if (uctx->gecos == NULL) {
+ ret = seed_str_input(input_uctx, _("user comment (gecos)"),
+ &input_uctx->gecos);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Gecos interactive input failed.\n");
+ goto done;
+ }
+ } else {
+ input_uctx->gecos = talloc_strdup(input_uctx, uctx->gecos);
+ if (input_uctx->gecos == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (uctx->home == NULL) {
+ ret = seed_str_input(input_uctx, _("home directory"),
+ &input_uctx->home);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Home directory 
interactive input fialed.\n");
+ goto done;
+ }
+ } else {
+ input_uctx->home = talloc_strdup(input_uctx, uctx->home);
+ if (input_uctx->home == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (uctx->shell == NULL) {
+ ret = seed_str_input(input_uctx, _("user login shell"),
+ &input_uctx->shell);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Shell interactive input failed\n");
+ goto done;
+ }
+ } else {
+ input_uctx->shell = talloc_strdup(input_uctx, uctx->shell);
+ if (input_uctx->shell == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+done:
+ if (ret == EOK) {
+ *_uctx = talloc_steal(mem_ctx, input_uctx);
+ } else {
+ ERROR("Interactive input failed.\n");
+ talloc_zfree(input_uctx);
+ }
+ return ret;
+}
+
+static int seed_init(TALLOC_CTX *mem_ctx,
+ const int argc,
+ const char **argv,
+ struct seed_ctx **_sctx)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ int pc_debug = SSSDBG_DEFAULT;
+ const char *pc_domain = NULL;
+ const char *pc_name = NULL;
+ uid_t pc_uid = 0;
+ gid_t pc_gid = 0;
+ const char *pc_gecos = NULL;
+ const char *pc_home = NULL;
+ const char *pc_shell = NULL;
+ const char *pc_password_file = NULL;
+
+ struct seed_ctx *sctx = NULL;
+
+ int ret = EOK;
+
+ poptContext pc = NULL;
+ struct poptOption options[] = {
+ POPT_AUTOHELP
+ { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0,
+ _("The debug level to run with"), NULL },
+ { "domain", 'D', POPT_ARG_STRING, &pc_domain, 0, _("Domain"), NULL },
+ { "username", 'n', POPT_ARG_STRING, &pc_name, 0, _("Username"), NULL},
+ { "uid", 'u', POPT_ARG_INT, &pc_uid, 0, _("User UID"), NULL },
+ { "gid", 'g', POPT_ARG_INT, &pc_gid, 0, _("User GID"), NULL },
+ { "gecos", 'c', POPT_ARG_STRING, &pc_gecos, 0,
+ _("Comment string"), NULL},
+ { "home", 'h', POPT_ARG_STRING, &pc_home, 0,
+ _("Home directory"), NULL },
+ { "shell", 's', POPT_ARG_STRING, &pc_shell, 0, _("Login Shell"), NULL },
+ { "interactive", 'i', POPT_ARG_NONE, NULL, 'i',
+ _("Use interactive mode to enter user data"), NULL },
+ { 
"password-file", 'p', POPT_ARG_STRING, &pc_password_file, 0,
+ _("File from which user's password is read "
+ "(default is to prompt for password)"),NULL },
+ POPT_TABLEEND
+ };
+
+ /* init contexts */
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ sctx = talloc_zero(tmp_ctx, struct seed_ctx);
+ if (sctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate tools context\n");
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ sctx->uctx = talloc_zero(sctx, struct user_ctx);
+ if (sctx->uctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate user data context\n");
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ debug_prg_name = argv[0];
+ ret = set_locale();
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "set_locale failed (%d): %s\n",
+ ret, strerror(ret));
+ ERROR("Error setting the locale\n");
+ ret = EINVAL;
+ goto fini;
+ }
+
+ /* parse arguments */
+ pc = poptGetContext(NULL, argc, argv, options, 0);
+ if (argc < 2) {
+ poptPrintUsage(pc,stderr,0);
+ ret = EINVAL;
+ goto fini;
+ }
+
+ poptSetOtherOptionHelp(pc, "[OPTIONS] -D -n ");
+ while ((ret = poptGetNextOpt(pc)) > 0) {
+ switch (ret) {
+ case 'i':
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Interactive mode selected\n");
+ sctx->interact = true;
+ break;
+ }
+ }
+
+ if (ret != -1) {
+ BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini);
+ }
+
+ DEBUG_CLI_INIT(pc_debug);
+
+ CHECK_ROOT(ret, argv[0]);
+
+ /* check username provided */
+ if (pc_name == NULL) {
+ BAD_POPT_PARAMS(pc, _("Username must be specified\n"), ret, fini);
+ }
+
+ /* check domain is provided */
+ if (pc_domain == NULL) {
+ BAD_POPT_PARAMS(pc, _("Domain must be specified.\n"), ret, fini);
+ }
+
+ sctx->uctx->domain_name = talloc_strdup(sctx->uctx, pc_domain);
+ if (sctx->uctx->domain_name == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ sctx->uctx->name = sss_create_internal_fqname(sctx->uctx,
+ pc_name, pc_domain);
+ if (sctx->uctx->name == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ poptFreeContext(pc);
+
+ ret = 
EOK;
+
+ /* copy all information provided from popt */
+ sctx->uctx->uid = pc_uid;
+ sctx->uctx->gid = pc_gid;
+ if (pc_gecos != NULL) {
+ sctx->uctx->gecos = talloc_strdup(sctx->uctx, pc_gecos);
+ if (sctx->uctx->gecos == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+ }
+ if (pc_home != NULL) {
+ sctx->uctx->home = talloc_strdup(sctx->uctx, pc_home);
+ if (sctx->uctx->home == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+ }
+ if (pc_shell != NULL) {
+ sctx->uctx->shell = talloc_strdup(sctx->uctx, pc_shell);
+ if (sctx->uctx->shell == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+ }
+
+ /* check if password file provided */
+ if (pc_password_file != NULL) {
+ sctx->password_file = talloc_strdup(sctx, pc_password_file);
+ if (sctx->password_file == NULL) {
+ ret = ENOMEM;
+ goto fini;
+ }
+ sctx->password_method = PASS_FILE;
+ } else {
+ sctx->password_method = PASS_PROMPT;
+ }
+
+ *_sctx = talloc_steal(mem_ctx, sctx);
+
+fini:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int seed_init_db(TALLOC_CTX *mem_ctx,
+ const char *domain_name,
+ struct confdb_ctx **_confdb,
+ struct sss_domain_info **_domain,
+ struct sysdb_ctx **_sysdb)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *confdb_path = NULL;
+ struct confdb_ctx *confdb = NULL;
+ struct sss_domain_info *domain = NULL;
+ int ret = EOK;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* setup confdb */
+ confdb_path = talloc_asprintf(tmp_ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+ if (confdb_path == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = confdb_init(tmp_ctx, &confdb, confdb_path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not initialize connection to the confdb\n");
+ ERROR("Could not initialize connection to the confdb\n");
+ goto done;
+ }
+
+ ret = sssd_domain_init(tmp_ctx, confdb, domain_name, DB_PATH, &domain);
+ if (ret != EOK) {
+ SYSDB_VERSION_ERROR(ret);
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not initialize connection to domain '%s' in sysdb.%s\n",
+ domain_name, ret == ENOENT ? " Domain not found." : "");
+ ERROR("Could not initialize connection to domain '%1$s' in sysdb.%2$s\n",
+ domain_name, ret == ENOENT ? " Domain not found." : "");
+
+ goto done;
+ }
+
+ *_confdb = talloc_steal(mem_ctx, confdb);
+ *_domain = domain;
+ *_sysdb = domain->sysdb;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int seed_domain_user_info(const char *name,
+ struct sss_domain_info *domain,
+ bool *is_cached)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ struct passwd *passwd = NULL;
+ struct ldb_result *res = NULL;
+ int ret = EOK;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ errno = 0;
+ passwd = getpwnam(name);
+ if (passwd == NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "getpwnam failed [%d] [%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* look for user in cache */
+ ret = sysdb_getpwnam(tmp_ctx, domain, name, &res);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Couldn't lookup user (%s) in the cache\n", name);
+ goto done;
+ }
+
+ if (res->count == 0) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "User (%s) wasn't found in the cache\n", name);
+ *is_cached = false;
+ ret = ENOENT;
+ goto done;
+ } else if (res->count > 1) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Multiple user (%s) entries were found in the cache\n", name);
+ ret = EINVAL;
+ goto done;
+ } else {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "User found in cache\n");
+ *is_cached = true;
+
+ errno = 0;
+ ret = initgroups(name, passwd->pw_gid);
+ if (ret != EOK) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "initgroups failed [%d] [%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+ }
+
+done:
+ if (ret == ENOMEM) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate user information\n");
+ }
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
+static int seed_cache_user(struct seed_ctx *sctx)
+{
+ bool in_transaction = false;
+ int ret = EOK;
+ errno_t sret;
+
+ ret = sysdb_transaction_start(sctx->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb transaction start failure\n");
+ goto done;
+ }
+
+ in_transaction = true;
+
+ if (sctx->user_cached == false) {
+ ret = sysdb_add_user(sctx->domain, sctx->uctx->name,
+ sctx->uctx->uid, sctx->uctx->gid,
+ sctx->uctx->gecos, sctx->uctx->home,
+ sctx->uctx->shell, NULL, NULL, 0, 0);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Failed to add user to the cache. (%d)[%s]\n",
+ ret, strerror(ret));
+ ERROR("Failed to create user cache entry\n");
+ goto done;
+ }
+ }
+
+ ret = sysdb_cache_password(sctx->domain, sctx->uctx->name,
+ sctx->uctx->password);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to cache password. (%d)[%s]\n",
+ ret, strerror(ret));
+ ERROR("Failed to cache password\n");
+ goto done;
+ }
+
+ ret = sysdb_transaction_commit(sctx->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sysdb transaction commit failure\n");
+ goto done;
+ }
+
+ in_transaction = false;
+
+done:
+ if (in_transaction == true) {
+ sret = sysdb_transaction_cancel(sctx->sysdb);
+ if (sret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed to cancel transaction\n");
+ }
+ }
+
+ return ret;
+}
+
+int main(int argc, const char **argv)
+{
+ struct seed_ctx *sctx = NULL;
+ struct user_ctx *input_uctx = NULL;
+ int ret = EOK;
+
+ /* initialize seed context and parse options */
+ ret = seed_init(sctx, argc, argv, &sctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,"Seed init failed [%d][%s]\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ /* set up confdb,sysdb and domain */
+ ret = seed_init_db(sctx, sctx->uctx->domain_name, &sctx->confdb,
+ &sctx->domain, &sctx->sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to initialize db and domain\n");
+ goto done;
+ }
+
+ /* get user info from domain */
+ ret = seed_domain_user_info(sctx->uctx->name,
+ sctx->domain, &sctx->user_cached);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Failed lookup of user [%s] in domain [%s]\n",
+ sctx->uctx->name, sctx->uctx->domain_name);
+ }
+
+ /* interactive mode to fill in user information */
+ if (sctx->interact == true) {
+ if (sctx->user_cached == true) {
+ ERROR(_("User entry already exists in the cache.\n"));
+ ret = EEXIST;
+ goto done;
+ } else {
+ ret = seed_interactive_input(sctx, sctx->uctx, &input_uctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to get seed input.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ talloc_zfree(sctx->uctx);
+ sctx->uctx = input_uctx;
+ }
+ }
+
+ if (sctx->user_cached == false) {
+ if (sctx->uctx->uid == 0 || sctx->uctx->gid == 0) {
+ /* require username, UID, and GID to continue */
+ DEBUG(SSSDBG_MINOR_FAILURE, "Not enough information provided\n");
+ ERROR("UID and primary GID not provided.\n");
+ ret = EINVAL;
+ goto done;
+ }
+ }
+
+ /* password input */
+ if (sctx->password_method == PASS_FILE) {
+ ret = seed_password_input_file(sctx->uctx, sctx->password_file,
+ &sctx->uctx->password);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Password input failure\n");
+ goto done;
+ }
+ } else {
+ ret = seed_password_input_prompt(sctx->uctx, &sctx->uctx->password);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Password input failure\n");
+ goto done;
+ }
+ }
+
+ /* Add user info and password to sysdb cache */
+ ret = seed_cache_user(sctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Failed to modify cache.\n");
+ goto done;
+ } else {
+ if (sctx->user_cached == false) {
+ printf(_("User cache entry created for %1$s\n"), sctx->uctx->name);
+ }
+ printf(_("Temporary password added to cache entry for %1$s\n"),
+ sctx->uctx->name);
+ }
+
+done:
+ talloc_zfree(sctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Exit error: [%d] [%s]\n",
+ ret, strerror(ret));
+ ret = EXIT_FAILURE;
+ } else {
+ ret = EXIT_SUCCESS;
+ }
+ exit(ret);
+}
diff --git a/src/tools/sss_signal.c b/src/tools/sss_signal.c
new file mode 100644
index 0000000..c4d07f9
--- /dev/null
+++ b/src/tools/sss_signal.c
@@ -0,0 +1,38 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2014 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "config.h"
+#include "tools/common/sss_process.h"
+
+int main(int argc, const char **argv)
+{
+ int ret;
+
+ ret = sss_signal(SIGUSR2);
+ if (ret != EOK) {
+ ERROR("Could not signal SSSD. Is SSSD running?\n");
+ return EXIT_FAILURE;
+ }
+
+ return EXIT_SUCCESS;
+}
diff --git a/src/tools/sss_sync_ops.c b/src/tools/sss_sync_ops.c
new file mode 100644
index 0000000..a0291ba
--- /dev/null
+++ b/src/tools/sss_sync_ops.c
@@ -0,0 +1,844 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "tools/sss_sync_ops.h"
+
+/* Default settings for user attributes */
+#define DFL_SHELL_VAL "/bin/bash"
+#define DFL_BASEDIR_VAL "/home"
+#define DFL_CREATE_HOMEDIR true
+#define DFL_REMOVE_HOMEDIR true
+#define DFL_SKEL_DIR "/etc/skel"
+#define DFL_MAIL_DIR "/var/spool/mail"
+
+#define ATTR_NAME_SEP '='
+#define ATTR_VAL_SEP ','
+
+static int attr_name_val_split(TALLOC_CTX *mem_ctx, const char *nameval,
+ char **_name, char ***_values, int *_nvals)
+{
+ char *name;
+ char **values;
+ const char *vals;
+ int nvals;
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) return ENOMEM;
+
+ vals = strchr(nameval, ATTR_NAME_SEP);
+ if (vals == NULL) {
+ ret = EINVAL;
+ goto done;
+ }
+
+ name = talloc_strndup(tmp_ctx, nameval, vals-nameval);
+ if (name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ vals++;
+
+ ret = split_on_separator(tmp_ctx, vals, ATTR_VAL_SEP, true, true,
+ &values, &nvals);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ *_name = talloc_steal(mem_ctx, name);
+ *_values = talloc_steal(mem_ctx, values);
+ *_nvals = nvals;
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static int attr_op(struct ops_ctx *octx, const char *nameval, int op)
+{
+ TALLOC_CTX *tmp_ctx;
+ errno_t ret;
+ struct sysdb_attrs *attrs;
+ char *name;
+ char **vals;
+ int nvals;
+ int i;
+
+ switch(op) {
+ case SYSDB_MOD_ADD:
+ case SYSDB_MOD_DEL:
+ case SYSDB_MOD_REP:
+ break;
+ default:
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) return ENOMEM;
+
+ attrs = sysdb_new_attrs(tmp_ctx);
+ if (attrs == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = attr_name_val_split(tmp_ctx, nameval, &name, &vals, &nvals);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ for (i=0; i < nvals; i++) {
+ ret = sysdb_attrs_add_string(attrs, name, vals[i]);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not add %s to %s\n", vals[i], name);
+ continue;
+ }
+ }
+
+ ret = sysdb_set_user_attr(octx->domain, octx->name, attrs, op);
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+/*
+ * Generic modify groups member
+ */
+static int mod_groups_member(struct sss_domain_info *dom,
+ char **grouplist,
+ struct ldb_dn *member_dn,
+ int optype)
+{
+ TALLOC_CTX *tmpctx;
+ struct ldb_dn *parent_dn;
+ int ret;
+ int i;
+ char *grp_sysdb_fqname = NULL;
+
+ tmpctx = talloc_new(NULL);
+ if (!tmpctx) {
+ return ENOMEM;
+ }
+
+/* FIXME: add transaction around loop */
+ for (i = 0; grouplist[i]; i++) {
+ grp_sysdb_fqname = sss_create_internal_fqname(tmpctx, grouplist[i],
+ dom->name);
+ if (grp_sysdb_fqname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ parent_dn = sysdb_group_dn(tmpctx, dom, grp_sysdb_fqname);
+ if (!parent_dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ talloc_free(grp_sysdb_fqname);
+
+ ret = sysdb_mod_group_member(dom, member_dn, parent_dn, optype);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_zfree(tmpctx);
+ return ret;
+}
+
+#define add_to_groups(data, member_dn) \
+ mod_groups_member(data->domain, data->addgroups, member_dn, \
+ LDB_FLAG_MOD_ADD)
+#define remove_from_groups(data, member_dn) \
+ mod_groups_member(data->domain, data->rmgroups, member_dn, \
+ LDB_FLAG_MOD_DELETE)
+
+/*
+ * Modify a user
+ */
+struct user_mod_state {
+ struct sysdb_ctx *sysdb;
+
+ struct sysdb_attrs *attrs;
+ struct ldb_dn *member_dn;
+
+ struct ops_ctx *data;
+};
+
+static int usermod_build_attrs(TALLOC_CTX *mem_ctx,
+ const char *gecos,
+ const char *home,
+ const char *shell,
+ uid_t uid,
+ gid_t gid,
+ int lock,
+ struct sysdb_attrs **_attrs)
+{
+ int ret = EOK;
+ struct sysdb_attrs *attrs;
+ const char *attr_name = NULL;
+
+ attrs = sysdb_new_attrs(mem_ctx);
+ if (attrs == NULL) {
+ return ENOMEM;
+ }
+
+ if (shell) {
+ attr_name = SYSDB_SHELL;
+ ret = sysdb_attrs_add_string(attrs,
+ attr_name,
+ shell);
+ }
+
+ if (ret == EOK && home) {
+ attr_name = SYSDB_HOMEDIR;
+ ret = sysdb_attrs_add_string(attrs,
+ attr_name,
+ home);
+ }
+
+ if (ret == EOK && gecos) {
+ attr_name = SYSDB_GECOS;
+ ret = sysdb_attrs_add_string(attrs,
+ attr_name,
+ gecos);
+ }
+
+ if (ret == EOK && uid) {
+ attr_name = SYSDB_UIDNUM;
+ ret = sysdb_attrs_add_long(attrs,
+ attr_name,
+ uid);
+ }
+
+ if (ret == EOK && gid) {
+ attr_name = SYSDB_GIDNUM;
+ ret = sysdb_attrs_add_long(attrs,
+ attr_name,
+ gid);
+ }
+
+ if (ret == EOK && lock == DO_LOCK) {
+ attr_name = SYSDB_DISABLED;
+ ret = sysdb_attrs_add_string(attrs,
+ attr_name,
+ "true");
+ }
+
+ if (ret == EOK && lock == DO_UNLOCK) {
+ attr_name = SYSDB_DISABLED;
+ /* PAM code checks for 'false' value in SYSDB_DISABLED attribute */
+ ret = sysdb_attrs_add_string(attrs,
+ attr_name,
+ "false");
+ }
+
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not add attribute [%s] to changeset.\n", attr_name);
+ return ret;
+ }
+
+ *_attrs = attrs;
+ return EOK;
+}
+
+/*
+ * Public interface for modifying users
+ */
+int usermod(TALLOC_CTX *mem_ctx,
+ struct ops_ctx *data)
+{
+ struct sysdb_attrs *attrs = NULL;
+ struct ldb_dn *member_dn = NULL;
+ int ret;
+
+ data->sysdb_fqname = sss_create_internal_fqname(data,
+ data->name,
+ data->domain->name);
+ if (data->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ if (data->addgroups || data->rmgroups) {
+ member_dn = sysdb_user_dn(mem_ctx, data->domain, data->sysdb_fqname);
+ if (!member_dn) {
+ return ENOMEM;
+ }
+ }
+
+ ret = usermod_build_attrs(mem_ctx,
+ data->gecos,
+ data->home,
+ data->shell,
+ data->uid,
+ data->gid,
+ data->lock,
+ &attrs);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (attrs->num != 0) {
+ ret = sysdb_set_user_attr(data->domain, data->sysdb_fqname,
+ attrs, SYSDB_MOD_REP);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (data->rmgroups != NULL) {
+ ret = remove_from_groups(data, member_dn);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (data->addgroups != NULL) {
+ ret = add_to_groups(data, member_dn);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (data->addattr) {
+ ret = attr_op(data, data->addattr, SYSDB_MOD_ADD);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (data->setattr) {
+ ret = attr_op(data, data->setattr, SYSDB_MOD_REP);
+ if (ret) {
+ return ret;
+ }
+
+ }
+
+ if (data->delattr) {
+ ret = attr_op(data, data->delattr, SYSDB_MOD_DEL);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ flush_nscd_cache(NSCD_DB_PASSWD);
+ flush_nscd_cache(NSCD_DB_GROUP);
+
+ return EOK;
+}
+
+/*
+ * Public interface for modifying groups
+ */
+int groupmod(TALLOC_CTX *mem_ctx,
+ struct ops_ctx *data)
+{
+ struct sysdb_attrs *attrs = NULL;
+ struct ldb_dn *member_dn = NULL;
+ int ret;
+
+ data->sysdb_fqname = sss_create_internal_fqname(data,
+ data->name,
+ data->domain->name);
+ if (data->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ if (data->addgroups || data->rmgroups) {
+ member_dn = sysdb_group_dn(mem_ctx, data->domain, data->sysdb_fqname);
+ if (!member_dn) {
+ return ENOMEM;
+ }
+ }
+
+ if (data->gid != 0) {
+ attrs = sysdb_new_attrs(mem_ctx);
+ if (!attrs) {
+ return ENOMEM;
+ }
+ ret = sysdb_attrs_add_uint32(attrs, SYSDB_GIDNUM, data->gid);
+ if (ret) {
+ return ret;
+ }
+
+ ret = sysdb_set_group_attr(data->domain, data->sysdb_fqname,
+ attrs, SYSDB_MOD_REP);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (data->rmgroups != NULL) {
+ ret = remove_from_groups(data, member_dn);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (data->addgroups != NULL) {
+ ret = add_to_groups(data, member_dn);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ flush_nscd_cache(NSCD_DB_GROUP);
+
+ return EOK;
+}
+
+int userdel_defaults(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *confdb,
+ struct ops_ctx *data,
+ int remove_home)
+{
+ int ret;
+ char *conf_path;
+ bool dfl_remove_home;
+
+ conf_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, data->domain->name);
+ if (!conf_path) {
+ return ENOMEM;
+ }
+
+ /* remove homedir on user creation? */
+ if (!remove_home) {
+ ret = confdb_get_bool(confdb,
+ conf_path, CONFDB_LOCAL_REMOVE_HOMEDIR,
+ DFL_REMOVE_HOMEDIR, &dfl_remove_home);
+ if (ret != EOK) {
+ goto done;
+ }
+ data->remove_homedir = dfl_remove_home;
+ } else {
+ data->remove_homedir = (remove_home == DO_REMOVE_HOME);
+ }
+
+ /* a directory to remove mail spools from */
+ ret = confdb_get_string(confdb, mem_ctx,
+ conf_path, CONFDB_LOCAL_MAIL_DIR,
+ DFL_MAIL_DIR, &data->maildir);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ talloc_free(conf_path);
+ return ret;
+}
+
+/*
+ * Default values for add operations
+ */
+int useradd_defaults(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *confdb,
+ struct ops_ctx *data,
+ const char *gecos,
+ const char *homedir,
+ const char *shell,
+ int create_home,
+ const char *skeldir)
+{
+ int ret;
+ char *basedir = NULL;
+ char *conf_path = NULL;
+
+ conf_path = talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL, data->domain->name);
+ if (!conf_path) {
+ return ENOMEM;
+ }
+
+ /* gecos */
+ data->gecos = talloc_strdup(mem_ctx, gecos ? gecos : data->name);
+ if (!data->gecos) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Gecos: %s\n", data->gecos);
+
+ /* homedir */
+ if (homedir) {
+ data->home = talloc_strdup(data, homedir);
+ } else {
+ ret = confdb_get_string(confdb, mem_ctx,
+ conf_path, CONFDB_LOCAL_DEFAULT_BASEDIR,
+ DFL_BASEDIR_VAL, &basedir);
+ if (ret != EOK) {
+ goto done;
+ }
+ data->home = talloc_asprintf(mem_ctx, "%s/%s", basedir, data->name);
+ }
+ if (!data->home) {
+ ret = ENOMEM;
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Homedir: %s\n", data->home);
+
+ /* default shell */
+ if (!shell) {
+ ret = confdb_get_string(confdb, mem_ctx,
+ conf_path, CONFDB_LOCAL_DEFAULT_SHELL,
+ DFL_SHELL_VAL, &data->shell);
+ if (ret != EOK) {
+ goto done;
+ }
+ } else {
+ data->shell = talloc_strdup(mem_ctx, shell);
+ if (!data->shell) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Shell: %s\n", data->shell);
+
+ /* create homedir on user creation? */
+ if (!create_home) {
+ ret = confdb_get_bool(confdb,
+ conf_path, CONFDB_LOCAL_CREATE_HOMEDIR,
+ DFL_CREATE_HOMEDIR, &data->create_homedir);
+ if (ret != EOK) {
+ goto done;
+ }
+ } else {
+ data->create_homedir = (create_home == DO_CREATE_HOME);
+ }
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Auto create homedir: %s\n", data->create_homedir?"True":"False");
+
+ /* umask to create homedirs */
+ ret = confdb_get_int(confdb,
+ conf_path, CONFDB_LOCAL_UMASK,
+ SSS_DFL_UMASK, (int *) &data->umask);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Umask: %o\n", data->umask);
+
+ /* a directory to create mail spools in */
+ ret = confdb_get_string(confdb, mem_ctx,
+ conf_path, CONFDB_LOCAL_MAIL_DIR,
+ DFL_MAIL_DIR, &data->maildir);
+ if (ret != EOK) {
+ goto done;
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Mail dir: %s\n", data->maildir);
+
+ /* skeleton dir */
+ if (!skeldir) {
+ ret = confdb_get_string(confdb, mem_ctx,
+ conf_path, CONFDB_LOCAL_SKEL_DIR,
+ DFL_SKEL_DIR, &data->skeldir);
+ if (ret != EOK) {
+ goto done;
+ }
+ } else {
+ data->skeldir = talloc_strdup(mem_ctx, skeldir);
+ if (!data->skeldir) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Skeleton dir: %s\n", data->skeldir);
+
+ ret = EOK;
+done:
+ talloc_free(basedir);
+ talloc_free(conf_path);
+ return ret;
+}
+
+/*
+ * Public interface for adding users
+ */
+int useradd(TALLOC_CTX *mem_ctx,
+ struct ops_ctx *data)
+{
+ int ret;
+
+ data->sysdb_fqname = sss_create_internal_fqname(data,
+ data->name,
+ data->domain->name);
+ if (data->sysdb_fqname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sysdb_add_user(data->domain, data->sysdb_fqname, data->uid, data->gid,
+ data->gecos, data->home, data->shell,
+ NULL, NULL, 0, 0);
+ if (ret) {
+ goto done;
+ }
+
+ if (data->addgroups) {
+ struct ldb_dn *member_dn;
+
+ member_dn = sysdb_user_dn(mem_ctx, data->domain, data->sysdb_fqname);
+ if (!member_dn) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = add_to_groups(data, member_dn);
+ if (ret) {
+ goto done;
+ }
+ }
+
+ flush_nscd_cache(NSCD_DB_PASSWD);
+ flush_nscd_cache(NSCD_DB_GROUP);
+
+done:
+ return ret;
+}
+
+/*
+ * Public interface for deleting users
+ */
+int userdel(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct ops_ctx *data)
+{
+ struct ldb_dn *user_dn;
+ int ret;
+
+ data->sysdb_fqname = sss_create_internal_fqname(data,
+ data->name,
+ data->domain->name);
+ if (data->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ user_dn = sysdb_user_dn(mem_ctx, data->domain, data->sysdb_fqname);
+ if (!user_dn) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct a user DN\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_delete_entry(sysdb, user_dn, false);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Removing user failed: %s (%d)\n", strerror(ret), ret);
+ }
+
+ flush_nscd_cache(NSCD_DB_PASSWD);
+ flush_nscd_cache(NSCD_DB_GROUP);
+
+ return ret;
+}
+
+/*
+ * Public interface for adding groups
+ */
+int groupadd(struct ops_ctx *data)
+{
+ int ret;
+
+ data->sysdb_fqname = sss_create_internal_fqname(data,
+ data->name,
+ data->domain->name);
+ if (data->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_add_group(data->domain, data->sysdb_fqname, data->gid, NULL, 0, 0);
+ if (ret == EOK) {
+ flush_nscd_cache(NSCD_DB_GROUP);
+ }
+ return ret;
+}
+
+/*
+ * Public interface for deleting groups
+ */
+int groupdel(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct ops_ctx *data)
+{
+ struct ldb_dn *group_dn;
+ int ret;
+
+ data->sysdb_fqname = sss_create_internal_fqname(data,
+ data->name,
+ data->domain->name);
+ if (data->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ group_dn = sysdb_group_dn(mem_ctx, data->domain, data->sysdb_fqname);
+ if (group_dn == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Could not construct a group DN\n");
+ return ENOMEM;
+ }
+
+ ret = sysdb_delete_entry(sysdb, group_dn, false);
+ if (ret) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Removing group failed: %s (%d)\n", strerror(ret), ret);
+ }
+
+ flush_nscd_cache(NSCD_DB_GROUP);
+
+ return ret;
+}
+
+/*
+ * getpwnam, getgrnam and friends
+ */
+int sysdb_getpwnam_sync(TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct ops_ctx *out)
+{
+ struct ldb_result *res;
+ const char *str;
+ int ret;
+
+ out->sysdb_fqname = sss_create_internal_fqname(out, name,
+ out->domain->name);
+ if (out->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_getpwnam(mem_ctx, out->domain, out->sysdb_fqname, &res);
+ if (ret) {
+ return ret;
+ }
+
+ switch (res->count) {
+ case 0:
+ DEBUG(SSSDBG_CRIT_FAILURE, "No result for sysdb_getpwnam call\n");
+ return ENOENT;
+
+ case 1:
+ /* fill ops_ctx */
+ out->uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0);
+
+ out->gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
+
+ str = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ ret = sss_parse_internal_fqname(out, str, &out->name, NULL);
+ if (ret != EOK) {
+ return ENOMEM;
+ }
+
+ str = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_GECOS, NULL);
+ out->gecos = talloc_strdup(out, str);
+ if (out->gecos == NULL) {
+ return ENOMEM;
+ }
+
+ str = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR, NULL);
+ out->home = talloc_strdup(out, str);
+ if (out->home == NULL) {
+ return ENOMEM;
+ }
+
+ str = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_SHELL, NULL);
+ out->shell = talloc_strdup(out, str);
+ if (out->shell == NULL) {
+ return ENOMEM;
+ }
+
+ str = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_DISABLED, NULL);
+ if (str == NULL) {
+ out->lock = DO_UNLOCK;
+ } else {
+ if (strcasecmp(str, "true") == 0) {
+ out->lock = DO_LOCK;
+ } else if (strcasecmp(str, "false") == 0) {
+ out->lock = DO_UNLOCK;
+ } else { /* Invalid value */
+ DEBUG(SSSDBG_OP_FAILURE, "Invalid value for %s attribute: %s\n",
+ SYSDB_DISABLED, str ? str : "NULL");
+ return EIO;
+ }
+ }
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More than one result for sysdb_getpwnam call\n");
+ return EIO;
+ }
+
+ return EOK;
+}
+
+int sysdb_getgrnam_sync(TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct ops_ctx *out)
+{
+ struct ldb_result *res;
+ const char *str;
+ int ret;
+
+ out->sysdb_fqname = sss_create_internal_fqname(out, name,
+ out->domain->name);
+ if (out->sysdb_fqname == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_getgrnam(mem_ctx, out->domain, out->sysdb_fqname, &res);
+ if (ret) {
+ return ret;
+ }
+
+ switch (res->count) {
+ case 0:
+ DEBUG(SSSDBG_CRIT_FAILURE, "No result for sysdb_getgrnam call\n");
+ return ENOENT;
+
+ case 1:
+ /* fill ops_ctx */
+ out->gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0);
+ str = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_NAME, NULL);
+ ret = sss_parse_internal_fqname(out, str, &out->name, NULL);
+ if (ret != EOK) {
+ return ENOMEM;
+ }
+
+ if (out->name == NULL) {
+ return ENOMEM;
+ }
+ break;
+
+ default:
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "More than one result for sysdb_getgrnam call\n");
+ return EIO;
+ }
+
+ return EOK;
+}
+
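Review bot: `mod_groups_member` applies each `sysdb_mod_group_member` call on its own and stops at the first failure, so an error part-way through `grouplist` leaves the member removed from (or added to) only the groups already processed; the `FIXME: add transaction around loop` comment in the new code already admits this. `usermod` and `groupmod` have the same shape across their attribute, remove-groups and add-groups steps, so a failed run can leave an account with its new attributes written while the group memberships that were meant to be revoked are still in place. Unless every caller already wraps these functions in a sysdb transaction (not visible in this hunk), I would open one here the way `seed_cache_user` in sss_seed.c does and cancel it on the error path. The fence shows the change for `mod_groups_member`, using `dom->sysdb` as the handle.

```c
static int mod_groups_member(struct sss_domain_info *dom,
                             char **grouplist,
                             struct ldb_dn *member_dn,
                             int optype)
{
    /* … unchanged: declarations and tmpctx allocation … */
    bool in_transaction = false;
    errno_t sret;

    /* Make the whole membership change all-or-nothing. */
    ret = sysdb_transaction_start(dom->sysdb);
    if (ret != EOK) {
        goto done;
    }
    in_transaction = true;

    /* … unchanged: per-group loop calling sysdb_mod_group_member … */

    ret = sysdb_transaction_commit(dom->sysdb);
    if (ret != EOK) {
        goto done;
    }
    in_transaction = false;

done:
    if (in_transaction) {
        sret = sysdb_transaction_cancel(dom->sysdb);
        if (sret != EOK) {
            DEBUG(SSSDBG_OP_FAILURE, "Failed to cancel transaction\n");
        }
    }
    talloc_zfree(tmpctx);
    return ret;
}
```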
diff --git a/src/tools/sss_sync_ops.h b/src/tools/sss_sync_ops.h
new file mode 100644
index 0000000..ac83bec
--- /dev/null
+++ b/src/tools/sss_sync_ops.h
@@ -0,0 +1,105 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __SSS_OPS_H__
+#define __SSS_OPS_H__
+
+#include "tools/tools_util.h"
+#include
+
+#define DO_LOCK 1
+#define DO_UNLOCK 2
+
+/* 0 = not set, pick default */
+#define DO_CREATE_HOME 1
+#define DO_NOT_CREATE_HOME 2
+#define DO_REMOVE_HOME 1
+#define DO_NOT_REMOVE_HOME 2
+#define DO_FORCE_REMOVAL 1
+
+struct ops_ctx {
+ struct sss_domain_info *domain;
+
+ char *name;
+ uid_t uid;
+ gid_t gid;
+ char *gecos;
+ char *home;
+ char *shell;
+ int lock;
+
+ bool create_homedir;
+ bool remove_homedir;
+ mode_t umask;
+ char *skeldir;
+ char *maildir;
+
+ char **addgroups;
+ char **rmgroups;
+
+ char *addattr;
+ char *setattr;
+ char *delattr;
+
+ char *sysdb_fqname;
+};
+
+/* default values for add operations */
+int useradd_defaults(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *confdb,
+ struct ops_ctx *data,
+ const char *gecos,
+ const char *homedir,
+ const char *shell,
+ int create_home,
+ const char *skeldir);
+
+/* default values for remove operations */
+int userdel_defaults(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *confdb,
+ struct ops_ctx *data,
+ int remove_home);
+
+/* synchronous operations */
+int useradd(TALLOC_CTX *mem_ctx,
+ struct ops_ctx *data);
+int userdel(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct ops_ctx *data);
+int usermod(TALLOC_CTX *mem_ctx,
+ struct ops_ctx *data);
+
+int groupadd(struct ops_ctx *data);
+int groupdel(TALLOC_CTX *mem_ctx,
+ struct sysdb_ctx *sysdb,
+ struct ops_ctx *data);
+int groupmod(TALLOC_CTX *mem_ctx,
+ struct ops_ctx *data);
+
+int sysdb_getpwnam_sync(TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct ops_ctx *out);
+
+int sysdb_getgrnam_sync(TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct ops_ctx *out);
+
+#endif /* __SSS_OPS_H__ */
+
diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
new file mode 100644
index 0000000..ca2cbd6
--- /dev/null
+++ b/src/tools/sss_useradd.c
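Review bot: `struct ops_ctx` carries no comment on its `lock` field, and the `/* 0 = not set, pick default */` comment sits only above the home-directory constants, so a reader cannot tell from the header that `lock` is tri-state as well. In sss_sync_ops.c from this same patch, `usermod_build_attrs` writes SYSDB_DISABLED only for DO_LOCK and DO_UNLOCK and leaves it alone for any other value, so a zeroed context means the lock state is not changed. I would add `/* 0 = leave unchanged, DO_LOCK or DO_UNLOCK */` next to `int lock;`. The guard name `__SSS_OPS_H__` also uses an identifier reserved for the implementation; a name such as `SSS_SYNC_OPS_H` avoids that.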
@@ -0,0 +1,294 @@ +/* + SSSD + + sss_useradd + + Copyright (C) Jakub Hrozek 2009 + Copyright (C) Simo Sorce 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "tools/tools_util.h" +#include "tools/sss_sync_ops.h" + +int main(int argc, const char **argv) +{ + uid_t pc_uid = 0; + const char *pc_gecos = NULL; + const char *pc_home = NULL; + char *pc_shell = NULL; + int pc_debug = SSSDBG_DEFAULT; + int pc_create_home = 0; + const char *pc_username = NULL; + const char *pc_skeldir = NULL; + const char *pc_selinux_user = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, _("The debug level to run with"), NULL }, + { "uid", 'u', POPT_ARG_INT, &pc_uid, 0, _("The UID of the user"), NULL }, + { "gecos", 'c', POPT_ARG_STRING, &pc_gecos, 0, _("The comment string"), NULL }, + { "home", 'h', POPT_ARG_STRING, &pc_home, 0, _("Home directory"), NULL }, + { "shell", 's', POPT_ARG_STRING, &pc_shell, 0, _("Login shell"), NULL }, + { "groups", 'G', POPT_ARG_STRING, NULL, 'G', _("Groups"), NULL }, + { "create-home", 'm', POPT_ARG_NONE, NULL, 'm', _("Create user's directory if it does not exist"), NULL }, + { "no-create-home", 'M', POPT_ARG_NONE, NULL, 'M', _("Never create user's directory, overrides config"), NULL }, + { "skel", 'k', 
POPT_ARG_STRING, &pc_skeldir, 0, _("Specify an alternative skeleton directory"), NULL }, + { "selinux-user", 'Z', POPT_ARG_STRING, &pc_selinux_user, 0, _("The SELinux user for user's login"), NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; + struct tools_ctx *tctx = NULL; + char *groups = NULL; + char *badgroup = NULL; + int ret; + errno_t sret; + bool in_transaction = false; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale failed (%d): %s\n", ret, strerror(ret)); + ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse parameters */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "USERNAME"); + while ((ret = poptGetNextOpt(pc)) > 0) { + switch (ret) { + case 'G': + groups = poptGetOptArg(pc); + if (!groups) { + BAD_POPT_PARAMS(pc, _("Specify group to add to\n"), + ret, fini); + } + break; + + case 'm': + pc_create_home = DO_CREATE_HOME; + break; + + case 'M': + pc_create_home = DO_NOT_CREATE_HOME; + break; + } + } + + DEBUG_CLI_INIT(pc_debug); + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + /* username is an argument without --option */ + pc_username = poptGetArg(pc); + if (pc_username == NULL) { + BAD_POPT_PARAMS(pc, _("Specify user to add\n"), ret, fini); + } + + CHECK_ROOT(ret, debug_prg_name); + + ret = init_sss_tools(&tctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "init_sss_tools failed (%d): %s\n", ret, strerror(ret)); + if (ret == ENOENT) { + ERROR("Error initializing the tools - no local domain\n"); + } else { + ERROR("Error initializing the tools\n"); + } + ret = EXIT_FAILURE; + goto fini; + } + + /* if the domain was not given as part of FQDN, default to local domain */ + ret = parse_name_domain(tctx, pc_username); + if (ret != EOK) { + ERROR("Invalid domain specified in FQDN\n"); + ret = EXIT_FAILURE; + goto fini; + } + + if (groups) { + ret = parse_groups(tctx, 
groups, &tctx->octx->addgroups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse groups to add the user to\n"); + ERROR("Internal error while parsing parameters\n"); + ret = EXIT_FAILURE; + goto fini; + } + + ret = parse_group_name_domain(tctx, tctx->octx->addgroups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse FQDN groups to add the user to\n"); + ERROR("Groups must be in the same domain as user\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* Check group names in the LOCAL domain */ + ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup); + if (ret != EOK) { + ERROR("Cannot find group %1$s in local domain\n", badgroup); + ret = EXIT_FAILURE; + goto fini; + } + } + + tctx->octx->uid = pc_uid; + + /* + * Fills in defaults for ops_ctx user did not specify. + */ + ret = useradd_defaults(tctx, tctx->confdb, tctx->octx, + pc_gecos, pc_home, pc_shell, + pc_create_home, pc_skeldir); + if (ret != EOK) { + ERROR("Cannot set default values\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* arguments processed, go on to actual work */ + if (id_in_range(tctx->octx->uid, tctx->octx->domain) != EOK) { + ERROR("The selected UID is outside the allowed range\n"); + ret = EXIT_FAILURE; + goto fini; + } + + tctx->error = sysdb_transaction_start(tctx->sysdb); + if (tctx->error != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + /* useradd */ + tctx->error = useradd(tctx, tctx->octx); + if (tctx->error) { + goto done; + } + + tctx->error = sysdb_transaction_commit(tctx->sysdb); + if (tctx->error) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + goto done; + } + in_transaction = false; + + /* Set SELinux login context - must be done after transaction is done + * b/c libselinux calls getpwnam */ + ret = sss_set_seuser(tctx->octx->name, pc_selinux_user, NULL); + if (ret != EOK) { + ERROR("Cannot set SELinux login context\n"); + ret = EXIT_FAILURE; + goto 
fini; + } + + /* Create user's home directory and/or mail spool */ + if (tctx->octx->create_homedir) { + /* We need to know the UID of the user, if + * sysdb did assign it automatically, do a lookup */ + if (tctx->octx->uid == 0) { + ret = sysdb_getpwnam_sync(tctx, + tctx->octx->name, + tctx->octx); + if (ret != EOK) { + ERROR("Cannot get info about the user\n"); + ret = EXIT_FAILURE; + goto fini; + } + } + + ret = create_homedir(tctx->octx->skeldir, + tctx->octx->home, + tctx->octx->uid, + tctx->octx->gid, + tctx->octx->umask); + if (ret == EEXIST) { + ERROR("User's home directory already exists, not copying " + "data from skeldir\n"); + } else if (ret != EOK) { + ERROR("Cannot create user's home directory: %1$s\n", strerror(ret)); + ret = EXIT_FAILURE; + goto fini; + } + + ret = create_mail_spool(tctx, + tctx->octx->name, + tctx->octx->maildir, + tctx->octx->uid, + tctx->octx->gid); + if (ret != EOK) { + ERROR("Cannot create user's mail spool: %1$s\n", strerror(ret)); + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create user's mail spool: [%d][%s].\n", + ret, strerror(ret)); + ret = EXIT_FAILURE; + goto fini; + } + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(tctx->sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + + if (tctx->error) { + switch (tctx->error) { + case ERANGE: + ERROR("Could not allocate ID for the user - domain full?\n"); + break; + + case EEXIST: + ERROR("A user or group with the same name or ID already exists\n"); + break; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, "sysdb operation failed (%d)[%s]\n", + tctx->error, strerror(tctx->error)); + ERROR("Transaction error. Could not add user.\n"); + break; + } + ret = EXIT_FAILURE; + goto fini; + } + + ret = EXIT_SUCCESS; + +fini: + poptFreeContext(pc); + talloc_free(tctx); + free(groups); + exit(ret); +} diff --git a/src/tools/sss_userdel.c b/src/tools/sss_userdel.c new file mode 100644 index 0000000..fb0f2c2 --- /dev/null 
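Review bot: When `sss_set_seuser()` fails in main, the sysdb transaction has already been committed, so the tool exits with `EXIT_FAILURE` and only `Cannot set SELinux login context` while the new account stays in the database without the mapping requested through `--selinux-user`. The `create_homedir()` and `create_mail_spool()` failure paths that follow behave the same way. Nothing on these paths removes the entry or tells the administrator that the user now exists, and which SELinux mapping applies to such an account by default is not visible here. Either undo the add on these paths or make the state explicit, for example `ERROR("User was added, but the SELinux login context could not be set\n");`.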
+++ b/src/tools/sss_userdel.c 
@@ -0,0 +1,343 @@ +/* + SSSD + + sss_userdel + + Copyright (C) Jakub Hrozek 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "util/find_uid.h" +#include "tools/tools_util.h" +#include "tools/sss_sync_ops.h" + +#ifndef KILL_CMD +#define KILL_CMD "killall" +#endif + +#ifndef KILL_CMD_USER_FLAG +#define KILL_CMD_USER_FLAG "-u" +#endif + +#ifndef KILL_CMD_SIGNAL_FLAG +#define KILL_CMD_SIGNAL_FLAG "-s" +#endif + +#ifndef KILL_CMD_SIGNAL +#define KILL_CMD_SIGNAL "SIGKILL" +#endif + +static int is_logged_in(TALLOC_CTX *mem_ctx, uid_t uid) +{ + int ret; + hash_key_t key; + hash_value_t value; + hash_table_t *uid_table; + + ret = get_uid_table(mem_ctx, &uid_table); + if (ret == ENOSYS) return ret; + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize hash table.\n"); + return ret; + } + + key.type = HASH_KEY_ULONG; + key.ul = (unsigned long) uid; + + ret = hash_lookup(uid_table, &key, &value); + talloc_zfree(uid_table); + return ret == HASH_SUCCESS ? 
EOK : ENOENT; +} + +static int kick_user(struct tools_ctx *tctx) +{ + int ret; + int status; + pid_t pid, child_pid; + + tctx->octx->lock = 1; + + ret = usermod(tctx, tctx->octx); + if (ret != EOK) { + return ret; + } + + errno = 0; + pid = fork(); + if (pid == 0) { + /* child */ + execlp(KILL_CMD, KILL_CMD, + KILL_CMD_USER_FLAG, tctx->octx->name, + KILL_CMD_SIGNAL_FLAG, KILL_CMD_SIGNAL, + (char *) NULL); + exit(errno); + } else { + /* parent */ + if (pid == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d]: %s\n", ret, strerror(ret)); + return ret; + } + + while((child_pid = waitpid(pid, &status, 0)) > 0) { + + if (WIFEXITED(status)) { + break; + } + } + if (child_pid == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "waitpid failed\n"); + return errno; + } + } + + return EOK; +} + +int main(int argc, const char **argv) +{ + int ret = EXIT_SUCCESS; + struct tools_ctx *tctx = NULL; + const char *pc_username = NULL; + + int pc_debug = SSSDBG_DEFAULT; + int pc_remove = 0; + int pc_force = 0; + int pc_kick = 0; + poptContext pc = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, + 0, _("The debug level to run with"), NULL }, + { "remove", 'r', POPT_ARG_NONE, NULL, 'r', + _("Remove home directory and mail spool"), NULL }, + { "no-remove", 'R', POPT_ARG_NONE, NULL, 'R', + _("Do not remove home directory and mail spool"), NULL }, + { "force", 'f', POPT_ARG_NONE, NULL, 'f', + _("Force removal of files not owned by the user"), NULL }, + { "kick", 'k', POPT_ARG_NONE, NULL, 'k', + _("Kill users' processes before removing him"), NULL }, + POPT_TABLEEND + }; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale failed (%d): %s\n", ret, strerror(ret)); + ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse parameters */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + 
poptSetOtherOptionHelp(pc, "USERNAME"); + while ((ret = poptGetNextOpt(pc)) > 0) { + switch (ret) { + case 'r': + pc_remove = DO_REMOVE_HOME; + break; + + case 'R': + pc_remove = DO_NOT_REMOVE_HOME; + break; + + case 'f': + pc_force = DO_FORCE_REMOVAL; + break; + + case 'k': + pc_kick = 1; + break; + } + } + + DEBUG_CLI_INIT(pc_debug); + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + pc_username = poptGetArg(pc); + if (pc_username == NULL) { + BAD_POPT_PARAMS(pc, _("Specify user to delete\n"), ret, fini); + } + + CHECK_ROOT(ret, debug_prg_name); + + ret = init_sss_tools(&tctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "init_sss_tools failed (%d): %s\n", ret, strerror(ret)); + if (ret == ENOENT) { + ERROR("Error initializing the tools - no local domain\n"); + } else { + ERROR("Error initializing the tools\n"); + } + ret = EXIT_FAILURE; + goto fini; + } + + /* if the domain was not given as part of FQDN, default to local domain */ + ret = parse_name_domain(tctx, pc_username); + if (ret != EOK) { + ERROR("Invalid domain specified in FQDN\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* + * Fills in defaults for ops_ctx user did not specify. 
+ */ + ret = userdel_defaults(tctx, tctx->confdb, tctx->octx, pc_remove); + if (ret != EOK) { + ERROR("Cannot set default values\n"); + ret = EXIT_FAILURE; + goto fini; + } + + ret = sysdb_getpwnam_sync(tctx, + tctx->octx->name, + tctx->octx); + if (ret != EOK) { + /* Error message will be printed in the switch */ + goto done; + } + + if ((tctx->octx->uid < tctx->local->id_min) || + (tctx->local->id_max && tctx->octx->uid > tctx->local->id_max)) { + ERROR("User %1$s is outside the defined ID range for domain\n", + tctx->octx->name); + ret = EXIT_FAILURE; + goto fini; + } + + if (pc_kick) { + ret = kick_user(tctx); + if (ret != EOK) { + tctx->error = ret; + + goto done; + } + } + + /* userdel */ + ret = userdel(tctx, tctx->sysdb, tctx->octx); + if (ret != EOK) { + goto done; + } + + /* Set SELinux login context - must be done after transaction is done + * b/c libselinux calls getpwnam */ + ret = sss_del_seuser(tctx->octx->name); + if (ret != EOK) { + ERROR("Cannot reset SELinux login context\n"); + ret = EXIT_FAILURE; + goto fini; + } + + if (!pc_kick) { + ret = is_logged_in(tctx, tctx->octx->uid); + switch(ret) { + case ENOENT: + break; + + case EOK: + ERROR("WARNING: The user (uid %1$lu) was still logged in when " + "deleted.\n", (unsigned long) tctx->octx->uid); + break; + + case ENOSYS: + ERROR("Cannot determine if the user was logged in on this " + "platform"); + break; + + default: + ERROR("Error while checking if the user was logged in\n"); + break; + } + } + + ret = run_userdel_cmd(tctx); + if (ret != EOK) { + ERROR("The post-delete command failed: %1$s\n", strerror(ret)); + goto fini; + } + + /* Delete user from memory cache */ + ret = sss_mc_refresh_user(pc_username); + if (ret != EOK) { + ERROR("NSS request failed (%1$d). 
Entry might remain in memory " + "cache.\n", ret); + /* Nothing we can do about it */ + } + + if (tctx->octx->remove_homedir) { + ret = remove_homedir(tctx, + tctx->octx->home, + tctx->octx->maildir, + tctx->octx->name, + tctx->octx->uid, + pc_force); + if (ret == EPERM) { + ERROR("Not removing home dir - not owned by user\n"); + } else if (ret != EOK) { + ERROR("Cannot remove homedir: %1$s\n", strerror(ret)); + ret = EXIT_FAILURE; + goto fini; + } + } + + ret = EOK; + +done: + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sysdb operation failed (%d)[%s]\n", ret, strerror(ret)); + switch (ret) { + case ENOENT: + ERROR("No such user in local domain. " + "Removing users only allowed in local domain.\n"); + break; + + default: + ERROR("Internal error. Could not remove user.\n"); + break; + } + ret = EXIT_FAILURE; + goto fini; + } + + ret = EXIT_SUCCESS; + +fini: + talloc_free(tctx); + poptFreeContext(pc); + exit(ret); +} + diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c new file mode 100644 index 0000000..6a818f1 --- /dev/null +++ b/src/tools/sss_usermod.c 
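Review bot: `kick_user()` returns `EOK` whatever the `killall` child did, because the wait loop only tests `WIFEXITED(status)` and never reads the exit code; a failed `execlp` (the child leaves with `exit(errno)`) is indistinguishable from a successful kill. main then skips the `is_logged_in()` warning because `pc_kick` is set, so with `--kick` the account can be deleted while its processes keep running and no message is printed. What `killall` returns when nothing matched is not interpreted anywhere in the hunk, so the lower-risk change is to log `WEXITSTATUS(status)` at `SSSDBG_CRIT_FAILURE` when it is non-zero and to drop the `if (!pc_kick)` guard so the logged-in check always runs after `userdel()`. Separately, `execlp` resolves `KILL_CMD` through `PATH` in a tool that `CHECK_ROOT` presumably limits to root; an absolute path fixed at build time would remove the dependence on the caller's environment, and the child should end with `_exit(errno);` rather than `exit(errno);`.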
@@ -0,0 +1,346 @@ +/* + SSSD + + sss_usermod + + Copyright (C) Jakub Hrozek 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "tools/tools_util.h" +#include "tools/sss_sync_ops.h" + +int main(int argc, const char **argv) +{ + int pc_lock = 0; + uid_t pc_uid = 0; + gid_t pc_gid = 0; + char *pc_gecos = NULL; + char *pc_home = NULL; + char *pc_shell = NULL; + int pc_debug = SSSDBG_DEFAULT; + const char *pc_selinux_user = NULL; + struct poptOption long_options[] = { + POPT_AUTOHELP + { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, _("The debug level to run with"), NULL }, + { "uid", 'u', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_uid, 0, _("The UID of the user"), NULL }, + { "gid", 'g', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_gid, 0, _("The GID of the user"), NULL }, + { "gecos", 'c', POPT_ARG_STRING, &pc_gecos, 0, _("The comment string"), NULL }, + { "home", 'h', POPT_ARG_STRING, &pc_home, 0, _("Home directory"), NULL }, + { "shell", 's', POPT_ARG_STRING, &pc_shell, 0, _("Login shell"), NULL }, + { "append-group", 'a', POPT_ARG_STRING, NULL, 'a', _("Groups to add this user to"), NULL }, + { "remove-group", 'r', POPT_ARG_STRING, NULL, 'r', _("Groups to remove this user from"), NULL }, + { "lock", 'L', POPT_ARG_NONE, NULL, 'L', _("Lock the account"), NULL }, + { 
"unlock", 'U', POPT_ARG_NONE, NULL, 'U', _("Unlock the account"), NULL }, + { "addattr", '\0', POPT_ARG_STRING, NULL, 't' , _("Add an attribute/value pair. The format is attrname=value."), NULL }, + { "delattr", '\0', POPT_ARG_STRING, NULL, 'd' , _("Delete an attribute/value pair. The format is attrname=value."), NULL }, + { "setattr", '\0', POPT_ARG_STRING, NULL, 's' , _("Set an attribute to a name/value pair. The format is attrname=value. For multi-valued attributes, the command replaces the values already present"), NULL }, + { "selinux-user", 'Z', POPT_ARG_STRING, &pc_selinux_user, 0, _("The SELinux user for user's login"), NULL }, + POPT_TABLEEND + }; + poptContext pc = NULL; + char *addgroups = NULL, *rmgroups = NULL; + char *addattr = NULL, *delattr = NULL, *setattr = NULL; + int ret; + errno_t sret; + const char *pc_username = NULL; + struct tools_ctx *tctx = NULL; + char *badgroup = NULL; + bool in_transaction = false; + + debug_prg_name = argv[0]; + + ret = set_locale(); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "set_locale failed (%d): %s\n", ret, strerror(ret)); + ERROR("Error setting the locale\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* parse parameters */ + pc = poptGetContext(NULL, argc, argv, long_options, 0); + poptSetOtherOptionHelp(pc, "USERNAME"); + while ((ret = poptGetNextOpt(pc)) > 0) { + switch (ret) { + case 'a': + addgroups = poptGetOptArg(pc); + if (addgroups == NULL) { + BAD_POPT_PARAMS(pc, _("Specify group to add to\n"), + ret, fini); + } + break; + + case 'r': + rmgroups = poptGetOptArg(pc); + if (rmgroups == NULL) { + BAD_POPT_PARAMS(pc, _("Specify group to remove from\n"), + ret, fini); + } + break; + + case 'L': + pc_lock = DO_LOCK; + break; + + case 'U': + pc_lock = DO_UNLOCK; + break; + + case 't': + addattr = poptGetOptArg(pc); + if (addattr == NULL) { + BAD_POPT_PARAMS(pc, + _("Specify the attribute name/value pair(s)\n"), + ret, fini); + } + break; + + case 'd': + delattr = poptGetOptArg(pc); + if (delattr == 
NULL) { + BAD_POPT_PARAMS(pc, + _("Specify the attribute name/value pair(s)\n"), + ret, fini); + } + break; + + case 's': + setattr = poptGetOptArg(pc); + if (setattr == NULL) { + BAD_POPT_PARAMS(pc, + _("Specify the attribute name/value pair(s)\n"), + ret, fini); + } + break; + + } + } + + if (ret != -1) { + BAD_POPT_PARAMS(pc, poptStrerror(ret), ret, fini); + } + + DEBUG_CLI_INIT(pc_debug); + + /* username is an argument without --option */ + pc_username = poptGetArg(pc); + if (pc_username == NULL) { + BAD_POPT_PARAMS(pc, _("Specify user to modify\n"), ret, fini); + } + + CHECK_ROOT(ret, debug_prg_name); + + ret = init_sss_tools(&tctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "init_sss_tools failed (%d): %s\n", ret, strerror(ret)); + if (ret == ENOENT) { + ERROR("Error initializing the tools - no local domain\n"); + } else { + ERROR("Error initializing the tools\n"); + } + ret = EXIT_FAILURE; + goto fini; + } + + /* if the domain was not given as part of FQDN, default to local domain */ + ret = parse_name_domain(tctx, pc_username); + if (ret != EOK) { + ERROR("Invalid domain specified in FQDN\n"); + ret = EXIT_FAILURE; + goto fini; + } + /* check the username to be able to give sensible error message */ + ret = sysdb_getpwnam_sync(tctx, tctx->octx->name, tctx->octx); + if (ret != EOK) { + ERROR("Cannot find user in local domain, " + "modifying users is allowed only in local domain\n"); + ret = EXIT_FAILURE; + goto fini; + } + + if (id_in_range(tctx->octx->uid, tctx->octx->domain) != EOK) { + ERROR("The selected UID is outside the allowed range\n"); + ret = EXIT_FAILURE; + goto fini; + } + + if (addgroups) { + ret = parse_groups(tctx, addgroups, &tctx->octx->addgroups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse groups to add the user to\n"); + ERROR("Internal error while parsing parameters\n"); + ret = EXIT_FAILURE; + goto fini; + } + + ret = parse_group_name_domain(tctx, tctx->octx->addgroups); + if (ret != EOK) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse FQDN groups to add the user to\n"); + ERROR("Groups must be in the same domain as user\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* Check group names in the LOCAL domain */ + ret = check_group_names(tctx, tctx->octx->addgroups, &badgroup); + if (ret != EOK) { + ERROR("Cannot find group %1$s in local domain, " + "only groups in local domain are allowed\n", badgroup); + ret = EXIT_FAILURE; + goto fini; + } + } + + if (rmgroups) { + ret = parse_groups(tctx, rmgroups, &tctx->octx->rmgroups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse groups to remove the user from\n"); + ERROR("Internal error while parsing parameters\n"); + ret = EXIT_FAILURE; + goto fini; + } + + ret = parse_group_name_domain(tctx, tctx->octx->rmgroups); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse FQDN groups to remove the user from\n"); + ERROR("Groups must be in the same domain as user\n"); + ret = EXIT_FAILURE; + goto fini; + } + + /* Check group names in the LOCAL domain */ + ret = check_group_names(tctx, tctx->octx->rmgroups, &badgroup); + if (ret != EOK) { + ERROR("Cannot find group %1$s in local domain, " + "only groups in local domain are allowed\n", badgroup); + ret = EXIT_FAILURE; + goto fini; + } + } + + tctx->octx->gecos = pc_gecos; + tctx->octx->home = pc_home; + tctx->octx->shell = pc_shell; + tctx->octx->uid = pc_uid; + tctx->octx->gid = pc_gid; + tctx->octx->lock = pc_lock; + tctx->octx->addattr = addattr; + tctx->octx->delattr = delattr; + tctx->octx->setattr = setattr; + + tctx->error = sysdb_transaction_start(tctx->sysdb); + if (tctx->error != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to start transaction\n"); + goto done; + } + in_transaction = true; + + /* usermod */ + tctx->error = usermod(tctx, tctx->octx); + if (tctx->error) { + goto done; + } + + tctx->error = sysdb_transaction_commit(tctx->sysdb); + if (tctx->error) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to commit transaction\n"); + 
goto done; + } + in_transaction = false; + + ret = sss_mc_refresh_user(pc_username); + if (ret != EOK) { + ERROR("NSS request failed (%1$d). Entry might remain in memory " + "cache.\n", ret); + /* Nothing we can do about it */ + } + + ret = sss_mc_refresh_grouplist(tctx, tctx->octx->addgroups); + if (ret != EOK) { + ERROR("NSS request failed (%1$d). Entry might remain in memory " + "cache.\n", ret); + /* Nothing we can do about it */ + } + + ret = sss_mc_refresh_grouplist(tctx, tctx->octx->rmgroups); + if (ret != EOK) { + ERROR("NSS request failed (%1$d). Entry might remain in memory " + "cache.\n", ret); + /* Nothing we can do about it */ + } + + /* Set SELinux login context - must be done after transaction is done + * b/c libselinux calls getpwnam */ + ret = sss_set_seuser(tctx->octx->name, pc_selinux_user, NULL); + if (ret != EOK) { + ERROR("Cannot set SELinux login context\n"); + ret = EXIT_FAILURE; + goto fini; + } + +done: + if (in_transaction) { + sret = sysdb_transaction_cancel(tctx->sysdb); + if (sret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to cancel transaction\n"); + } + } + + if (tctx->error) { + ret = tctx->error; + switch (ret) { + case ENOENT: + ERROR("Could not modify user - check if group names are correct\n"); + break; + + case EFAULT: + ERROR("Could not modify user - user already member of groups?\n"); + break; + + default: + ERROR("Transaction error. Could not modify user.\n"); + break; + } + + ret = EXIT_FAILURE; + goto fini; + } + + ret = EXIT_SUCCESS; + +fini: + free(addgroups); + free(rmgroups); + poptFreeContext(pc); + talloc_free(tctx); + exit(ret); +} diff --git a/src/tools/sssctl/sssctl.c b/src/tools/sssctl/sssctl.c new file mode 100644 index 0000000..afaa84b --- /dev/null +++ b/src/tools/sssctl/sssctl.c 
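Review bot: The `id_in_range()` call in main checks the UID that `sysdb_getpwnam_sync()` has just loaded for the existing account, not the value given with `--uid`; `pc_uid` and `pc_gid` are copied into `tctx->octx` afterwards with no range check, although the message reads `The selected UID is outside the allowed range`. sss_useradd.c in this same patch does validate the requested UID against the domain range, so the two tools disagree. If `usermod()` (defined outside this hunk) applies these fields, the hidden `--uid`/`--gid` options can move a local account to an ID outside the domain's range; a check before the assignments such as `if (pc_uid != 0 && id_in_range(pc_uid, tctx->octx->domain) != EOK)` with the existing error path would close that. Both variables are declared `uid_t`/`gid_t` but filled through `POPT_ARG_INT`, which stores an `int`, so on platforms where these types are unsigned a negative argument becomes a very large ID; `pc_uid` in sss_useradd.c is declared the same way.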
@@ -0,0 +1,290 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "tools/sssctl/sssctl.h" +#include "tools/common/sss_tools.h" +#include "tools/common/sss_process.h" + +static const char * +sssctl_prompt_str(enum sssctl_prompt_result result) +{ + switch (result) { + case SSSCTL_PROMPT_YES: + return _("yes"); + case SSSCTL_PROMPT_NO: + return _("no"); + case SSSCTL_PROMPT_ERROR: + return _("error"); + } + + return _("Invalid result."); +} + +enum sssctl_prompt_result +sssctl_prompt(const char *message, + enum sssctl_prompt_result defval) +{ + char answer[255] = {0}; + int c; + const char *yes = sssctl_prompt_str(SSSCTL_PROMPT_YES); + const char *no = sssctl_prompt_str(SSSCTL_PROMPT_NO); + int attempts = 0; + int ret; + + do { + if (defval != SSSCTL_PROMPT_ERROR) { + printf("%s (%s/%s) [%s] ", message, yes, no, + sssctl_prompt_str(defval)); + + /* Detect empty line. */ + c = getchar(); + if (c == '\n') { + return defval; + } else { + ungetc(c, stdin); + } + } else { + printf("%s (%s/%s)", message, yes, no); + } + + ret = scanf("%254s", answer); + + /* Clear stdin. 
*/ + while ((c = getchar()) != '\n' && c != EOF); + + if (ret != 1) { + fprintf(stderr, _("Unable to read user input\n")); + return SSSCTL_PROMPT_ERROR; + } + + + if (strcasecmp(yes, answer) == 0) { + return SSSCTL_PROMPT_YES; + } + + if (strcasecmp(no, answer) == 0) { + return SSSCTL_PROMPT_NO; + } + + fprintf(stderr, _("Invalid input, please provide either " + "'%s' or '%s'.\n"), yes, no); + + attempts++; + } while (attempts < 3); + + return SSSCTL_PROMPT_ERROR; +} + +errno_t sssctl_run_command(const char *command) +{ + int ret; + + DEBUG(SSSDBG_TRACE_FUNC, "Running %s\n", command); + + ret = system(command); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to execute %s\n", command); + fprintf(stderr, _("Error while executing external command\n")); + return EFAULT; + } else if (WEXITSTATUS(ret) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Command %s failed with [%d]\n", + command, WEXITSTATUS(ret)); + fprintf(stderr, _("Error while executing external command\n")); + return EIO; + } + + return EOK; +} + +static errno_t sssctl_manage_service(enum sssctl_svc_action action) +{ +#ifdef HAVE_SYSTEMD + switch (action) { + case SSSCTL_SVC_START: + return sssctl_systemd_start(); + case SSSCTL_SVC_STOP: + return sssctl_systemd_stop(); + case SSSCTL_SVC_RESTART: + return sssctl_systemd_restart(); + } +#elif defined(HAVE_SERVICE) + switch (action) { + case SSSCTL_SVC_START: + return sssctl_run_command(SERVICE_PATH" sssd start"); + case SSSCTL_SVC_STOP: + return sssctl_run_command(SERVICE_PATH" sssd stop"); + case SSSCTL_SVC_RESTART: + return sssctl_run_command(SERVICE_PATH" sssd restart"); + } +#endif + + return ENOSYS; +} + +bool sssctl_start_sssd(bool force) +{ + enum sssctl_prompt_result prompt; + errno_t ret; + + if (sss_daemon_running()) { + return true; + } + + if (!force) { + prompt = sssctl_prompt(_("SSSD needs to be running. 
Start SSSD now?"), + SSSCTL_PROMPT_YES); + switch (prompt) { + case SSSCTL_PROMPT_YES: + /* continue */ + break; + case SSSCTL_PROMPT_NO: + case SSSCTL_PROMPT_ERROR: + return false; + } + } + + ret = sssctl_manage_service(SSSCTL_SVC_START); + switch(ret) { + case EOK: + return true; + case ENOSYS: + fprintf(stderr, "Starting SSSD automatically is not supported " + "on this platform, please start the service " + "manually\n"); + return false; + default: + fprintf(stderr, "Unable to start SSSD!\n"); + return false; + } + + return true; +} + +bool sssctl_stop_sssd(bool force) +{ + enum sssctl_prompt_result prompt; + errno_t ret; + + if (!sss_daemon_running()) { + return true; + } + + if (!force) { + prompt = sssctl_prompt(_("SSSD must not be running. Stop SSSD now?"), + SSSCTL_PROMPT_YES); + switch (prompt) { + case SSSCTL_PROMPT_YES: + /* continue */ + break; + case SSSCTL_PROMPT_NO: + case SSSCTL_PROMPT_ERROR: + return false; + } + } + + ret = sssctl_manage_service(SSSCTL_SVC_STOP); + switch(ret) { + case EOK: + return true; + case ENOSYS: + fprintf(stderr, "Stopping SSSD automatically is not supported " + "on this platform, please stop the service " + "manually\n"); + return false; + default: + fprintf(stderr, "Unable to stop SSSD!\n"); + return false; + } + + + return true; +} + +bool sssctl_restart_sssd(bool force) +{ + enum sssctl_prompt_result prompt; + errno_t ret; + + if (!force) { + prompt = sssctl_prompt(_("SSSD needs to be restarted. 
Restart SSSD now?"), + SSSCTL_PROMPT_YES); + switch (prompt) { + case SSSCTL_PROMPT_YES: + /* continue */ + break; + case SSSCTL_PROMPT_NO: + case SSSCTL_PROMPT_ERROR: + return false; + } + } + + ret = sssctl_manage_service(SSSCTL_SVC_RESTART); + switch(ret) { + case EOK: + return true; + case ENOSYS: + fprintf(stderr, "Restarting SSSD automatically is not supported " + "on this platform, please restart the service " + "manually\n"); + return false; + default: + fprintf(stderr, "Unable to restart SSSD!\n"); + return false; + } + + return true; +} + +int main(int argc, const char **argv) +{ + struct sss_route_cmd commands[] = { + SSS_TOOL_DELIMITER("SSSD Status:"), + SSS_TOOL_COMMAND("domain-list", "List available domains", 0, sssctl_domain_list), + SSS_TOOL_COMMAND("domain-status", "Print information about domain", 0, sssctl_domain_status), + SSS_TOOL_COMMAND("user-checks", "Print information about a user and check authentication", 0, sssctl_user_checks), + SSS_TOOL_COMMAND("access-report", "Generate access report for a domain", 0, sssctl_access_report), + SSS_TOOL_DELIMITER("Information about cached content:"), + SSS_TOOL_COMMAND("user-show", "Information about cached user", 0, sssctl_user_show), + SSS_TOOL_COMMAND("group-show", "Information about cached group", 0, sssctl_group_show), + SSS_TOOL_COMMAND("netgroup-show", "Information about cached netgroup", 0, sssctl_netgroup_show), + SSS_TOOL_DELIMITER("Local data tools:"), + SSS_TOOL_COMMAND("client-data-backup", "Backup local data", 0, sssctl_client_data_backup), + SSS_TOOL_COMMAND("client-data-restore", "Restore local data from backup", 0, sssctl_client_data_restore), + SSS_TOOL_COMMAND("cache-remove", "Backup local data and remove cached content", 0, sssctl_cache_remove), + SSS_TOOL_COMMAND("cache-upgrade", "Perform cache upgrade", ERR_SYSDB_VERSION_TOO_OLD, sssctl_cache_upgrade), + SSS_TOOL_COMMAND("cache-expire", "Invalidate cached objects", 0, sssctl_cache_expire), + SSS_TOOL_DELIMITER("Log files tools:"), 
+ SSS_TOOL_COMMAND("logs-remove", "Remove existing SSSD log files", 0, sssctl_logs_remove), + SSS_TOOL_COMMAND("logs-fetch", "Archive SSSD log files in tarball", 0, sssctl_logs_fetch), + SSS_TOOL_COMMAND("debug-level", "Change SSSD debug level", 0, sssctl_debug_level), +#ifdef HAVE_LIBINI_CONFIG_V1_3 + SSS_TOOL_DELIMITER("Configuration files tools:"), + SSS_TOOL_COMMAND_FLAGS("config-check", "Perform static analysis of SSSD configuration", 0, sssctl_config_check, SSS_TOOL_FLAG_SKIP_CMD_INIT), +#endif + SSS_TOOL_LAST + }; + + return sss_tool_main(argc, argv, commands, NULL); +} diff --git a/src/tools/sssctl/sssctl.h b/src/tools/sssctl/sssctl.h new file mode 100644 index 0000000..70fc19e --- /dev/null +++ b/src/tools/sssctl/sssctl.h 
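Review bot: `sssctl_run_command()` reads `WEXITSTATUS(ret)` without first checking `WIFEXITED(ret)`, so a shell that was terminated by a signal can be reported as `EOK`; the second branch should be `} else if (!WIFEXITED(ret) || WEXITSTATUS(ret) != 0) {`. The function passes its argument to `system()`, that is to a shell, and it is exported through sssctl.h. The calls in this hunk pass only literals of the form `SERVICE_PATH" sssd start"`, but callers outside this hunk are not visible here. A comment on the function such as `/* command is interpreted by the shell: pass fixed strings only, never text derived from user input or configuration */` would record that contract for later callers.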
@@ -0,0 +1,141 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SSSCTL_H_
+#define _SSSCTL_H_
+
+#include "lib/sifp/sss_sifp.h"
+#include "lib/sifp/sss_sifp_dbus.h"
+#include "tools/common/sss_tools.h"
+#include "sbus/sssd_dbus.h"
+
+enum sssctl_prompt_result {
+ SSSCTL_PROMPT_YES,
+ SSSCTL_PROMPT_NO,
+ SSSCTL_PROMPT_ERROR
+};
+
+enum sssctl_svc_action {
+ SSSCTL_SVC_START,
+ SSSCTL_SVC_STOP,
+ SSSCTL_SVC_RESTART
+};
+
+enum sssctl_prompt_result
+sssctl_prompt(const char *message,
+ enum sssctl_prompt_result defval);
+
+errno_t sssctl_run_command(const char *command);
+bool sssctl_start_sssd(bool force);
+bool sssctl_stop_sssd(bool force);
+bool sssctl_restart_sssd(bool force);
+
+sss_sifp_error sssctl_sifp_init(struct sss_tool_ctx *tool_ctx,
+ sss_sifp_ctx **_sifp);
+
+void _sssctl_sifp_error(sss_sifp_ctx *sifp,
+ sss_sifp_error error,
+ const char *message);
+
+#define sssctl_sifp_error(sifp, error, message) \
+ _sssctl_sifp_error(sifp, error, _(message))
+
+sss_sifp_error _sssctl_sifp_send(TALLOC_CTX *mem_ctx,
+ sss_sifp_ctx *sifp,
+ DBusMessage **_reply,
+ const char *path,
+ const char *iface,
+ const char *method,
+ int first_arg_type,
+ ...);
+
+#define sssctl_sifp_send(mem_ctx, sifp, reply, path, iface, method, ...) \
+ _sssctl_sifp_send(mem_ctx, sifp, reply, path, iface, method, \
+ ##__VA_ARGS__, DBUS_TYPE_INVALID);
+
+errno_t sssctl_systemd_start(void);
+errno_t sssctl_systemd_stop(void);
+errno_t sssctl_systemd_restart(void);
+
+errno_t sssctl_domain_list(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_domain_status(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_cache_remove(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_cache_upgrade(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_debug_level(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_user_show(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_group_show(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_netgroup_show(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_config_check(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_user_checks(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+errno_t sssctl_access_report(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt);
+
+#endif /* _SSSCTL_H_ */
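Review bot: The `sssctl_sifp_send` macro ends its expansion with a semicolon (`##__VA_ARGS__, DBUS_TYPE_INVALID);`), so a call written as `sssctl_sifp_send(...);` expands to two statements and breaks as the unbraced body of an `if`/`else` or inside a larger expression. The last line of the macro should read `##__VA_ARGS__, DBUS_TYPE_INVALID)` with the semicolon left to the caller. Separately, the include guard `_SSSCTL_H_` starts with an underscore followed by an uppercase letter, which is a name reserved for the implementation; `SSSCTL_H` would avoid that. `sssctl_run_command(const char *command)` takes a single command string, so a comment on the declaration stating that callers must pass only fixed, trusted strings would help, since its implementation is not part of this header.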
diff --git a/src/tools/sssctl/sssctl_access_report.c b/src/tools/sssctl/sssctl_access_report.c
new file mode 100644
index 0000000..8cf1a8a
--- /dev/null
+++ b/src/tools/sssctl/sssctl_access_report.c
@@ -0,0 +1,424 @@ +/* + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "tools/common/sss_tools.h" +#include "tools/sssctl/sssctl.h" +#include "sbus/sssd_dbus.h" +#include "responder/ifp/ifp_iface.h" + +/* + * We're searching the cache directly.. + */ +#include "providers/ipa/ipa_hbac_private.h" +#include "providers/ipa/ipa_rules_common.h" + +typedef errno_t (*sssctl_dom_access_reporter_fn)(struct sss_tool_ctx *tool_ctx, + struct sss_domain_info *domain); + +static errno_t get_rdn_value(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + const char *dn_attr, + const char **_rdn_value) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx; + struct ldb_dn *dn = NULL; + const struct ldb_val *rdn_val; + const char *rdn_str; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + dn = ldb_dn_new(tmp_ctx, sysdb_ctx_get_ldb(dom->sysdb), dn_attr); + if (dn == NULL) { + ret = ENOMEM; + goto done; + } + + rdn_val = ldb_dn_get_rdn_val(dn); + if (rdn_val == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "No RDN value?\n"); + ret = ENOMEM; + goto done; + } + + rdn_str = talloc_strndup(tmp_ctx, + (const char *)rdn_val->data, + rdn_val->length); + if (rdn_str == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + *_rdn_value = talloc_steal(mem_ctx, rdn_str); +done: + talloc_zfree(tmp_ctx); + return ret; +} + +static errno_t 
is_member_group(struct sss_domain_info *dom, + const char *dn_attr, + const char *group_rdn, + bool *_is_group) +{ + const char *comp_name; + const struct ldb_val *comp_val; + TALLOC_CTX *tmp_ctx; + bool is_group = false; + errno_t ret; + struct ldb_dn *dn = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + dn = ldb_dn_new(tmp_ctx, sysdb_ctx_get_ldb(dom->sysdb), dn_attr); + if (dn == NULL) { + ret = ENOMEM; + goto done; + } + + comp_name = ldb_dn_get_component_name(dn, 1); + comp_val = ldb_dn_get_component_val(dn, 1); + if (strcasecmp("cn", comp_name) == 0 + && strncasecmp(group_rdn, + (const char *) comp_val->data, + comp_val->length) == 0) { + is_group = true; + } + + ret = EOK; +done: + *_is_group = is_group; + talloc_zfree(tmp_ctx); + return ret; +} + +static void print_category(struct sss_domain_info *domain, + struct ldb_message *rule_msg, + const char *category_attr_name, + const char *category_label) +{ + struct ldb_message_element *category_attr; + + category_attr = ldb_msg_find_element(rule_msg, category_attr_name); + if (category_attr == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find %s\n", category_attr_name); + return; + } + + if (category_attr->num_values > 0) { + PRINT("\t%s: ", category_label); + for (unsigned i = 0; i < category_attr->num_values; i++) { + PRINT("%s%s", + i > 0 ? 
", " : "", + (const char *) category_attr->values[i].data); + } + PRINT("\n"); + } +} + +static void print_member_attr(struct sss_domain_info *domain, + struct ldb_message *rule_msg, + const char *member_attr_name, + const char *group_rdn, + const char *object_label, + const char *group_label) +{ + errno_t ret; + TALLOC_CTX *tmp_ctx = NULL; + const char **member_names = NULL; + size_t name_count = 0; + const char **member_group_names = NULL; + size_t group_count = 0; + struct ldb_message_element *member_attr = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return; + } + + member_attr = ldb_msg_find_element(rule_msg, member_attr_name); + if (member_attr == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot find %s\n", member_attr_name); + goto done; + } + + member_names = talloc_zero_array(tmp_ctx, + const char *, + member_attr->num_values + 1); + member_group_names = talloc_zero_array(tmp_ctx, + const char *, + member_attr->num_values + 1); + if (member_names == NULL || member_group_names == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "OOM?\n"); + goto done; + } + + for (size_t i = 0; i < member_attr->num_values; i++) { + bool is_group; + const char *rdn_string; + const char *dn_attr; + + dn_attr = (const char *) member_attr->values[i].data; + + ret = is_member_group(domain, dn_attr, group_rdn, &is_group); + if (ret != EOK) { + continue; + } + + ret = get_rdn_value(tmp_ctx, domain, dn_attr, &rdn_string); + if (ret != EOK) { + continue; + } + + if (is_group == false) { + member_names[name_count] = talloc_steal(member_names, + rdn_string); + if (member_names[name_count] == NULL) { + goto done; + } + name_count++; + } else { + member_group_names[group_count] = talloc_strdup(member_group_names, + rdn_string); + if (member_group_names[group_count] == NULL) { + goto done; + } + group_count++; + } + } + + if (member_names[0] != NULL) { + PRINT("\t%s: ", object_label); + for (int i = 0; member_names[i]; i++) { + PRINT("%s%s", i > 0 ? 
", " : "", member_names[i]); + } + PRINT("\n"); + } + + if (member_group_names[0] != NULL) { + PRINT("\t%s: ", group_label); + for (int i = 0; member_group_names[i]; i++) { + PRINT("%s%s", i > 0 ? ", " : "", member_group_names[i]); + } + PRINT("\n"); + } + +done: + talloc_free(tmp_ctx); +} + +static void print_ipa_hbac_rule(struct sss_domain_info *domain, + struct ldb_message *rule_msg) +{ + struct ldb_message_element *el; + + el = ldb_msg_find_element(rule_msg, IPA_CN); + if (el == NULL || el->num_values < 1) { + DEBUG(SSSDBG_MINOR_FAILURE, "A rule with no name\n"); + return; + } + + PRINT("Rule name: %1$s\n", el->values[0].data); + + print_member_attr(domain, + rule_msg, + IPA_MEMBER_USER, + "groups", + _("Member users"), + _("Member groups")); + print_category(domain, + rule_msg, + IPA_USER_CATEGORY, + _("User category")); + + print_member_attr(domain, + rule_msg, + IPA_MEMBER_SERVICE, + "hbacservicegroups", + _("Member services"), + _("Member service groups")); + print_category(domain, + rule_msg, + IPA_SERVICE_CATEGORY, + _("Service category")); + + PRINT("\n"); +} + +static errno_t refresh_hbac_rules(struct sss_tool_ctx *tool_ctx, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx; + sss_sifp_error error; + sss_sifp_ctx *sifp; + DBusMessage *reply; + const char *path; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + path = sbus_opath_compose(tmp_ctx, IFP_PATH_DOMAINS, domain->name); + if (path == NULL) { + printf(_("Out of memory!\n")); + ret = ENOMEM; + goto done; + } + + error = sssctl_sifp_init(tool_ctx, &sifp); + if (error != SSS_SIFP_OK) { + sssctl_sifp_error(sifp, error, "Unable to connect to the InfoPipe"); + ret = EIO; + goto done; + } + + error = sssctl_sifp_send(tmp_ctx, sifp, &reply, path, + IFACE_IFP_DOMAINS_DOMAIN, + IFACE_IFP_DOMAINS_DOMAIN_REFRESHACCESSRULES); + if (error != SSS_SIFP_OK) { + sssctl_sifp_error(sifp, error, "Unable to 
refresh HBAC rules"); + ret = EIO; + goto done; + } + + ret = sbus_parse_reply(reply); + if (ret != EOK) { + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +static errno_t sssctl_ipa_access_report(struct sss_tool_ctx *tool_ctx, + struct sss_domain_info *domain) +{ + TALLOC_CTX *tmp_ctx = NULL; + const char *filter = NULL; + errno_t ret; + const char *attrs[] = { + OBJECTCLASS, + IPA_CN, + IPA_MEMBER_USER, + IPA_USER_CATEGORY, + IPA_MEMBER_SERVICE, + IPA_SERVICE_CATEGORY, + IPA_MEMBER_HOST, + IPA_HOST_CATEGORY, + NULL, + }; + size_t rule_count; + struct ldb_message **msgs = NULL; + + /* Run the pam account phase to make sure the rules are fetched by SSSD */ + ret = refresh_hbac_rules(tool_ctx, domain); + if (ret != EOK) { + ERROR("Unable to refresh HBAC rules, using cached content\n"); + /* Non-fatal */ + } + + tmp_ctx = talloc_new(tool_ctx); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + filter = talloc_asprintf(tmp_ctx, "(objectClass=%s)", IPA_HBAC_RULE); + if (filter == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sysdb_search_custom(tmp_ctx, domain, filter, + HBAC_RULES_SUBDIR, attrs, + &rule_count, &msgs); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up HBAC rules\n"); + goto done; + } + + if (ret == ENOENT) { + PRINT("No cached rules. 
All users will be denied access\n"); + ret = EOK; + goto done; + } + + PRINT("%1$zu rules cached\n\n", rule_count); + + for (size_t i = 0; i < rule_count; i++) { + print_ipa_hbac_rule(domain, msgs[i]); + } + + ret = EOK; +done: + talloc_zfree(tmp_ctx); + return ret; +} + +sssctl_dom_access_reporter_fn get_report_fn(const char *provider) +{ + if (strcmp(provider, "ipa") == 0) { + return sssctl_ipa_access_report; + } + + return NULL; +} + +errno_t sssctl_access_report(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + errno_t ret; + const char *domname = NULL; + sssctl_dom_access_reporter_fn reporter; + struct sss_domain_info *dom; + + ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, + NULL, NULL, "DOMAIN", _("Specify domain name."), + &domname, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + dom = find_domain_by_name(tool_ctx->domains, domname, true); + if (dom == NULL) { + ERROR("Cannot find domain %1$s\n", domname); + return ERR_DOMAIN_NOT_FOUND; + } + + reporter = get_report_fn(dom->provider); + if (reporter == NULL) { + ERROR("Access report not implemented for domains of type %1$s\n", + dom->provider); + return ret; + } + + return reporter(tool_ctx, dom); +} diff --git a/src/tools/sssctl/sssctl_cache.c b/src/tools/sssctl/sssctl_cache.c new file mode 100644 index 0000000..42a2a60 --- /dev/null +++ b/src/tools/sssctl/sssctl_cache.c 
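Review bot: `is_member_group()` passes the results of `ldb_dn_get_component_name(dn, 1)` and `ldb_dn_get_component_val(dn, 1)` straight into `strcasecmp()`/`strncasecmp()` with no NULL check, so a member DN with fewer than two components in a cached rule would dereference NULL. A guard before the comparison, `if (comp_name == NULL || comp_val == NULL) { ret = EINVAL; goto done; }`, avoids that. The `strncasecmp()` is bounded only by `comp_val->length`, so a component value that is merely a prefix of `group_rdn` is also classified as a group; checking `strlen(group_rdn) == comp_val->length` first would make the match exact. In `sssctl_access_report()` the `reporter == NULL` branch does `return ret;` while `ret` is still `EOK` from option parsing, so an unsupported provider exits with success; returning an error code there would let scripts detect it. In the same function `domname` stays NULL when the optional argument is omitted and is then passed to `find_domain_by_name()` and to the `%1$s` of the error message.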
@@ -0,0 +1,705 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/util.h" +#include "db/sysdb.h" +#include "tools/common/sss_tools.h" +#include "tools/sssctl/sssctl.h" + +#define NOT_FOUND_MSG(obj) _(obj " %s is not present in cache.\n") + +#define SSSCTL_CACHE_NAME {_("Name"), SYSDB_NAME, get_attr_name} +#define SSSCTL_CACHE_CREATE {_("Cache entry creation date"), SYSDB_CREATE_TIME, get_attr_time} +#define SSSCTL_CACHE_UPDATE {_("Cache entry last update time"), SYSDB_LAST_UPDATE, get_attr_time} +#define SSSCTL_CACHE_EXPIRE {_("Cache entry expiration time"), SYSDB_CACHE_EXPIRE, get_attr_expire} +#define SSSCTL_CACHE_IFP {_("Cached in InfoPipe"), SYSDB_IFP_CACHED, get_attr_yesno} +#define SSSCTL_CACHE_NULL {NULL, NULL, NULL} + +enum cache_object { + CACHED_USER, + CACHED_GROUP, + CACHED_NETGROUP, +}; + +typedef errno_t (*sssctl_attr_fn)(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *entry, + struct sss_domain_info *dom, + const char *attr, + const char **_value); + +typedef struct ldb_dn *(*sssctl_basedn_fn)(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain); + +struct sssctl_object_info { + const char *msg; + const char *attr; + sssctl_attr_fn attr_fn; +}; + +static errno_t time_to_string(TALLOC_CTX *mem_ctx, + time_t timestamp, + const char **_value) +{ + const char *value; + struct tm *tm; + 
char str[255]; + size_t ret; + + tm = localtime(×tamp); + if (tm == NULL) { + return ENOMEM; + } + + ret = strftime(str, 255, "%x %X", tm); + if (ret == 0) { + return ERANGE; + } + + value = talloc_strdup(mem_ctx, str); + if (value == NULL) { + return ENOMEM; + } + + *_value = value; + + return EOK; +} + +static errno_t get_attr_name(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *entry, + struct sss_domain_info *dom, + const char *attr, + const char **_value) +{ + errno_t ret; + const char *orig_name; + char *tmp_name; + char *outname; + + ret = sysdb_attrs_get_string(entry, attr, &orig_name); + if (ret != EOK) { + return ret; + } + + tmp_name = sss_output_name(mem_ctx, orig_name, dom->case_preserve, 0); + if (tmp_name == NULL) { + return ENOMEM; + } + + if (dom->fqnames) { + outname = sss_tc_fqname(mem_ctx, dom->names, dom, tmp_name); + talloc_free(tmp_name); + if (outname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n"); + return ENOMEM; + } + } else { + outname = tmp_name; + } + + *_value = outname; + return EOK; +} + +static errno_t get_attr_time(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *entry, + struct sss_domain_info *dom, + const char *attr, + const char **_value) +{ + uint32_t value; + errno_t ret; + + ret = sysdb_attrs_get_uint32_t(entry, attr, &value); + if (ret != EOK) { + return ret; + } + + return time_to_string(mem_ctx, value, _value); +} + +static errno_t get_attr_expire(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *entry, + struct sss_domain_info *dom, + const char *attr, + const char **_value) +{ + uint32_t value; + errno_t ret; + + ret = sysdb_attrs_get_uint32_t(entry, attr, &value); + if (ret != EOK) { + return ret; + } + + if (value < time(NULL)) { + *_value = "Expired"; + return EOK; + } + + return time_to_string(mem_ctx, value, _value); +} + +static errno_t attr_initgr(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *entry, + struct sss_domain_info *dom, + const char *attr, + const char **_value) +{ + uint32_t value; + errno_t ret; + 
+ ret = sysdb_attrs_get_uint32_t(entry, attr, &value); + if (ret == ENOENT) { + *_value = "Initgroups were not yet performed"; + return EOK; + } else if (ret != EOK) { + return ret; + } + + if (value < time(NULL)) { + *_value = "Expired"; + return EOK; + } + + return time_to_string(mem_ctx, value, _value); +} + +static errno_t get_attr_yesno(TALLOC_CTX *mem_ctx, + struct sysdb_attrs *entry, + struct sss_domain_info *dom, + const char *attr, + const char **_value) +{ + errno_t ret; + bool val; + + ret = sysdb_attrs_get_bool(entry, attr, &val); + if (ret == ENOENT) { + val = 0; + } else if (ret != EOK) { + return ret; + } + + *_value = val ? "Yes" : "No"; + + return EOK; +} + +static const char **sssctl_build_attrs(TALLOC_CTX *mem_ctx, + struct sssctl_object_info *info) +{ + const char **attrs; + size_t count; + int i; + + for (count = 0; info[count].attr != NULL; count++) { + /* no op */ + } + + attrs = talloc_zero_array(mem_ctx, const char *, count + 1); + if (attrs == NULL) { + return NULL; + } + + for (i = 0; i < count; i++) { + attrs[i] = talloc_strdup(attrs, info[i].attr); + if (attrs[i] == NULL) { + talloc_free(attrs); + return NULL; + } + } + + return attrs; +} + +static errno_t sssctl_query_cache(TALLOC_CTX *mem_ctx, + struct sysdb_ctx *sysdb, + struct ldb_dn *base_dn, + const char *filter, + const char **attrs, + struct sysdb_attrs **_entry) +{ + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs **sysdb_attrs; + struct ldb_message **msgs; + size_t count; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + return ENOMEM; + } + + ret = sysdb_search_entry(tmp_ctx, sysdb, base_dn, LDB_SCOPE_SUBTREE, + filter, attrs, &count, &msgs); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "No result\n"); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search sysdb " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + if (count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, 
"Search returned more than one result!\n"); + ret = ERR_INTERNAL; + goto done; + } + + ret = sysdb_msg2attrs(tmp_ctx, count, msgs, &sysdb_attrs); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to convert message to sysdb attrs " + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + *_entry = talloc_steal(mem_ctx, sysdb_attrs[0]); + +done: + talloc_free(tmp_ctx); + return ret; +} + +static const char *sssctl_create_filter(TALLOC_CTX *mem_ctx, + struct sss_domain_info *dom, + enum cache_object obj_type, + const char *attr_name, + const char *attr_value) +{ + const char *class; + const char *filter; + char *filter_value; + bool qualify_attr = false; + + if (strcmp(attr_name, SYSDB_NAME) == 0) { + if (obj_type == CACHED_USER || obj_type == CACHED_GROUP) { + qualify_attr = true; + } + } + + switch (obj_type) { + case CACHED_USER: + class = SYSDB_USER_CLASS; + break; + case CACHED_GROUP: + class = SYSDB_GROUP_CLASS; + break; + case CACHED_NETGROUP: + class = SYSDB_NETGROUP_CLASS; + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "sssctl doesn't handle this object type (type=%d)\n", obj_type); + return NULL; + } + + if (qualify_attr) { + filter_value = sss_create_internal_fqname(NULL, attr_value, dom->name); + } else { + filter_value = talloc_strdup(NULL, attr_value); + } + if (filter_value == NULL) { + return NULL; + } + + if (dom->case_sensitive == false) { + char *filter_value_old; + + filter_value_old = filter_value; + filter_value = sss_tc_utf8_str_tolower(mem_ctx, filter_value_old); + talloc_free(filter_value_old); + } + + filter = talloc_asprintf(mem_ctx, "(&(%s=%s)(|(%s=%s)(%s=%s)))", + obj_type == CACHED_NETGROUP ? 
SYSDB_OBJECTCLASS : SYSDB_OBJECTCATEGORY, + class, attr_name, filter_value, + SYSDB_NAME_ALIAS, filter_value); + + talloc_free(filter_value); + + return filter; +} + +static errno_t sssctl_find_object(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domains, + struct sss_domain_info *domain, + sssctl_basedn_fn basedn_fn, + enum cache_object obj_type, + const char *attr_name, + const char *attr_value, + const char **attrs, + struct sysdb_attrs **_entry, + struct sss_domain_info **_dom) +{ + TALLOC_CTX *tmp_ctx; + struct sss_domain_info *dom; + struct sysdb_attrs *entry = NULL; + struct ldb_dn *base_dn; + bool fqn_provided; + const char *filter; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + dom = domain == NULL ? domains : domain; + fqn_provided = domain == NULL ? false : true; + while (dom != NULL) { + if (!fqn_provided && dom->fqnames) { + dom = get_next_domain(dom, 0); + continue; + } + + base_dn = basedn_fn(tmp_ctx, dom); + if (base_dn == NULL) { + ret = ENOMEM; + goto done; + } + + filter = sssctl_create_filter(tmp_ctx, dom, obj_type, + attr_name, attr_value); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create filter\n"); + ret = ENOMEM; + goto done; + } + + ret = sssctl_query_cache(tmp_ctx, dom->sysdb, base_dn, filter, + attrs, &entry); + switch(ret) { + case EOK: + /* Entry was found. */ + *_entry = talloc_steal(mem_ctx, entry); + *_dom = dom; + goto done; + case ENOENT: + if (fqn_provided) { + /* Not found but a domain was provided in input. We're done. 
*/ + goto done; + } + break; + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to query cache [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + dom = get_next_domain(dom, 0); + } + + ret = ENOENT; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t sssctl_fetch_object(TALLOC_CTX *mem_ctx, + struct sssctl_object_info *info, + struct sss_domain_info *domains, + struct sss_domain_info *domain, + sssctl_basedn_fn basedn_fn, + enum cache_object obj_type, + const char *attr_name, + const char *attr_value, + struct sysdb_attrs **_entry, + struct sss_domain_info **_dom) +{ + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs *entry = NULL; + struct sss_domain_info *dom = NULL; + const char **attrs; + char *sanitized; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = sss_filter_sanitize(tmp_ctx, attr_value, &sanitized); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to sanitize input [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + attrs = sssctl_build_attrs(tmp_ctx, info); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get attribute list!\n"); + ret = ENOMEM; + goto done; + } + + ret = sssctl_find_object(tmp_ctx, domains, domain, basedn_fn, + obj_type, attr_name, sanitized, attrs, + &entry, &dom); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to query cache [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + *_entry = talloc_steal(mem_ctx, entry); + *_dom = dom; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t sssctl_print_object(struct sssctl_object_info *info, + struct sss_domain_info *domains, + struct sss_domain_info *domain, + sssctl_basedn_fn basedn_fn, + const char *noent_fmt, + enum cache_object obj_type, + const char *attr_name, + const char *attr_value) +{ + TALLOC_CTX *tmp_ctx; + struct sysdb_attrs *entry = NULL; + const char *value; + errno_t ret; + int i; + 
struct sss_domain_info *dom = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n"); + return ENOMEM; + } + + ret = sssctl_fetch_object(tmp_ctx, info, domains, domain, basedn_fn, + obj_type, attr_name, attr_value, + &entry, &dom); + if (ret == ENOENT) { + printf(noent_fmt, attr_value); + ret = EOK; + goto done; + } else if (ret != EOK) { + fprintf(stderr, _("Error: Unable to get object [%d]: %s\n"), + ret, sss_strerror(ret)); + goto done; + } + + if (dom == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not determine object domain\n"); + ret = ERR_DOMAIN_NOT_FOUND; + goto done; + } + + for (i = 0; info[i].attr != NULL; i++) { + ret = info[i].attr_fn(tmp_ctx, entry, dom, info[i].attr, &value); + if (ret == ENOENT) { + continue; + } else if (ret != EOK) { + fprintf(stderr, _("%s: Unable to read value [%d]: %s\n"), + info[i].msg, ret, sss_strerror(ret)); + continue; + } + + printf("%s: %s\n", info[i].msg, value); + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t parse_cmdline(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + struct poptOption *options, + const char **_orig_name, + struct sss_domain_info **_domain) +{ + const char *input_name; + const char *orig_name; + struct sss_domain_info *domain; + int ret; + + ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL, + NULL, NULL, "NAME", _("Specify name."), + &input_name, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + ret = sss_tool_parse_name(tool_ctx, tool_ctx, input_name, + &orig_name, &domain); + if (ret != EOK) { + fprintf(stderr, _("Unable to parse name %s.\n"), input_name); + return ret; + } + + *_orig_name = orig_name; + *_domain = domain; + + return EOK; +} + +struct sssctl_cache_opts { + struct sss_domain_info *domain; + const char *value; + int sid; + int id; +}; + +errno_t sssctl_user_show(struct sss_cmdline 
*cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct sssctl_cache_opts opts = {0}; + const char *attr; + errno_t ret; + + struct poptOption options[] = { + {"sid", 's', POPT_ARG_NONE , &opts.sid, 0, _("Search by SID"), NULL }, + {"uid", 'u', POPT_ARG_NONE, &opts.id, 0, _("Search by user ID"), NULL }, + POPT_TABLEEND + }; + + struct sssctl_object_info info[] = { + SSSCTL_CACHE_NAME, + SSSCTL_CACHE_CREATE, + SSSCTL_CACHE_UPDATE, + SSSCTL_CACHE_EXPIRE, + {_("Initgroups expiration time"), SYSDB_INITGR_EXPIRE, attr_initgr}, + SSSCTL_CACHE_IFP, + SSSCTL_CACHE_NULL + }; + + ret = parse_cmdline(cmdline, tool_ctx, options, &opts.value, &opts.domain); + if (ret != EOK) { + return ret; + } + + attr = SYSDB_NAME; + if (opts.sid) { + attr = SYSDB_SID; + } else if (opts.id) { + attr = SYSDB_UIDNUM; + } + + ret = sssctl_print_object(info, tool_ctx->domains, opts.domain, + sysdb_user_base_dn, NOT_FOUND_MSG("User"), + CACHED_USER, attr, opts.value); + if (ret != EOK) { + return ret; + } + + + return EOK; +} + +errno_t sssctl_group_show(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct sssctl_cache_opts opts = {0}; + const char *attr; + errno_t ret; + + struct poptOption options[] = { + {"sid", 's', POPT_ARG_NONE , &opts.sid, 0, _("Search by SID"), NULL }, + {"gid", 'g', POPT_ARG_NONE, &opts.id, 0, _("Search by group ID"), NULL }, + POPT_TABLEEND + }; + + struct sssctl_object_info info[] = { + SSSCTL_CACHE_NAME, + SSSCTL_CACHE_CREATE, + SSSCTL_CACHE_UPDATE, + SSSCTL_CACHE_EXPIRE, + SSSCTL_CACHE_IFP, + SSSCTL_CACHE_NULL + }; + + ret = parse_cmdline(cmdline, tool_ctx, options, &opts.value, &opts.domain); + if (ret != EOK) { + return ret; + } + + attr = SYSDB_NAME; + if (opts.sid) { + attr = SYSDB_SID; + } else if (opts.id) { + attr = SYSDB_GIDNUM; + } + + ret = sssctl_print_object(info, tool_ctx->domains, opts.domain, + sysdb_group_base_dn, NOT_FOUND_MSG("Group"), + CACHED_GROUP, attr, opts.value); + if (ret != EOK) { + return ret; + 
} + + + return EOK; +} + +errno_t sssctl_netgroup_show(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + struct sssctl_cache_opts opts = {0}; + errno_t ret; + + struct sssctl_object_info info[] = { + SSSCTL_CACHE_NAME, + SSSCTL_CACHE_CREATE, + SSSCTL_CACHE_UPDATE, + SSSCTL_CACHE_EXPIRE, + SSSCTL_CACHE_NULL + }; + + ret = parse_cmdline(cmdline, tool_ctx, NULL, &opts.value, &opts.domain); + if (ret != EOK) { + return ret; + } + + ret = sssctl_print_object(info, tool_ctx->domains, opts.domain, + sysdb_netgroup_base_dn, NOT_FOUND_MSG("Netgroup"), + CACHED_NETGROUP, SYSDB_NAME, opts.value); + if (ret != EOK) { + return ret; + } + + + return EOK; +} diff --git a/src/tools/sssctl/sssctl_config.c b/src/tools/sssctl/sssctl_config.c new file mode 100644 index 0000000..ff38219 --- /dev/null +++ b/src/tools/sssctl/sssctl_config.c 
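Review bot: In `sssctl_create_filter()` the result of `sss_tc_utf8_str_tolower()` is not checked before it is formatted into the filter with `%s`, so a failure in the case-insensitive branch (presumably allocation or UTF-8 conversion) reaches `talloc_asprintf()` as a NULL argument. Adding `if (filter_value == NULL) { return NULL; }` right after `talloc_free(filter_value_old);` keeps the failure explicit. The function interpolates `attr_value` into the search filter as-is and relies on `sssctl_fetch_object()` having called `sss_filter_sanitize()` first; a comment on `sssctl_create_filter()` such as `/* attr_value must already be filter-sanitized by the caller */` would keep a future caller from skipping that step. In `get_attr_name()` the debug message says `sss_replace_space failed` although the failing call is `sss_tc_fqname()`.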
@@ -0,0 +1,147 @@
+/*
+ Authors:
+ Michal Židek
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/sss_ini.h"
+#include "tools/common/sss_tools.h"
+#include "tools/common/sss_process.h"
+#include "tools/sssctl/sssctl.h"
+#include "confdb/confdb.h"
+
+#ifdef HAVE_LIBINI_CONFIG_V1_3
+errno_t sssctl_config_check(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ errno_t ret;
+ struct ini_errobj *errobj = NULL;
+ struct sss_ini_initdata *init_data;
+ struct ref_array *ra;
+ char *msg;
+ uint32_t i = 0;
+ size_t num_errors;
+ size_t num_ra_error;
+ char **strs = NULL;
+ TALLOC_CTX *tmp_ctx = NULL;
+
+ ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ init_data = sss_ini_initdata_init(tmp_ctx);
+ if (!init_data) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* Open config file */
+ ret = sss_ini_config_file_open(init_data, SSSD_CONFIG_FILE);
+ if (ret == ENOENT) {
+ PRINT("File %1$s does not exist. SSSD will use default "
+ "configuration with files provider.\n", SSSD_CONFIG_FILE);
+ ret = EOK;
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "sss_ini_config_file_open failed: %s [%d]\n",
+ sss_strerror(ret),
+ ret);
+ goto done;
+ }
+
+ /* Check the file permissions */
+ ret = sss_ini_config_access_check(init_data);
+ if (ret != EOK) {
+ printf(_("File ownership and permissions check failed. "
+ "Expected root:root and 0600.\n"));
+ ret = EPERM;
+ goto done;
+ }
+
+ ret = sss_ini_get_config(init_data,
+ SSSD_CONFIG_FILE,
+ CONFDB_DEFAULT_CONFIG_DIR);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to load configuration\n");
+ goto done;
+ }
+
+ /* Read rules */
+ ret = sss_ini_call_validators_strs(tmp_ctx, init_data,
+ SSSDDATADIR"/cfg_rules.ini",
+ &strs, &num_errors);
+ if (ret) {
+ goto done;
+ }
+
+ /* Output from validators */
+ printf(_("Issues identified by validators: %zu\n"), num_errors);
+ for (i = 0; i < num_errors; i++) {
+ printf("%s\n", strs[i]);
+ }
+
+ /* Merging issues */
+ ra = sss_ini_get_ra_error_list(init_data);
+ num_ra_error = ref_array_len(ra);
+
+ printf("\n");
+ printf(_("Messages generated during configuration merging: %zu\n"),
+ num_ra_error);
+
+ i = 0;
+ while (ref_array_get(ra, i, &msg) != NULL) {
+ printf("%s\n", msg);
+ i++;
+ }
+
+ /* Used snippet files */
+ ra = sss_ini_get_ra_success_list(init_data);
+
+ printf("\n");
+ printf(_("Used configuration snippet files: %u\n"),
+ ref_array_len(ra));
+
+ i = 0;
+ while (ref_array_get(ra, i, &msg) != NULL) {
+ printf("%s\n", msg);
+ i++;
+ }
+
+ if (num_errors != 0 || num_ra_error != 0) {
+ ret = EINVAL;
+ } else {
+ ret = EOK;
+ }
+
+done:
+ ini_errobj_destroy(&errobj);
+ sss_ini_config_destroy(init_data);
+ return ret;
+}
+#endif /* HAVE_LIBINI_CONFIG_V1_3 */
diff --git a/src/tools/sssctl/sssctl_data.c b/src/tools/sssctl/sssctl_data.c
new file mode 100644
index 0000000..cc46caf
--- /dev/null
+++ b/src/tools/sssctl/sssctl_data.c
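Review bot: `tmp_ctx` created by `talloc_new(NULL)` in `sssctl_config_check` is never released: the `done:` label destroys `errobj` and `init_data` but has no `talloc_free(tmp_ctx);`, so the context (and presumably the `strs` array allocated on it) leaks on every path. The allocation is also passed to `sss_ini_initdata_init` without a NULL check; adding `if (tmp_ctx == NULL) return ENOMEM;` after it and `talloc_free(tmp_ctx);` before `return ret;` covers both. The `!init_data` branch jumps to `done:` and calls `sss_ini_config_destroy(init_data)` with NULL; that helper is defined outside this hunk, so confirm it tolerates a NULL argument.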
@@ -0,0 +1,335 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "util/util.h"
+#include "db/sysdb.h"
+#include "tools/common/sss_process.h"
+#include "tools/sssctl/sssctl.h"
+#include "tools/tools_util.h"
+
+#define SSS_BACKUP_DIR SSS_STATEDIR "/backup"
+#define SSS_BACKUP_USER_OVERRIDES SSS_BACKUP_DIR "/sssd_user_overrides.bak"
+#define SSS_BACKUP_GROUP_OVERRIDES SSS_BACKUP_DIR "/sssd_group_overrides.bak"
+#define SSS_CACHE "sss_cache"
+
+struct sssctl_data_opts {
+ int override;
+ int restore;
+ int start;
+ int stop;
+ int restart;
+};
+
+static errno_t sssctl_create_backup_dir(const char *path)
+{
+ mode_t old_umask;
+ errno_t ret;
+
+ old_umask = umask(SSS_DFL_X_UMASK);
+ ret = mkdir(path, 0700);
+ umask(old_umask);
+ if (ret != EOK && errno != EEXIST) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to create backup directory "
+ "[%d]: %s\n", ret, sss_strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+static bool sssctl_backup_file_exists(const char *file)
+{
+ return access(file, F_OK) == 0;
+}
+
+static bool sssctl_backup_exist(const char **files)
+{
+ int i;
+
+ for (i = 0; files[i] != NULL; i++) {
+ if (sssctl_backup_file_exists(files[i])) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static errno_t sssctl_backup(bool force)
+{
+ const char *files[] = {SSS_BACKUP_USER_OVERRIDES,
+ SSS_BACKUP_GROUP_OVERRIDES,
+ NULL};
+ enum sssctl_prompt_result prompt;
+ errno_t ret;
+
+ ret = sssctl_create_backup_dir(SSS_BACKUP_DIR);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to create backup directory [%d]: %s"),
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ if (sssctl_backup_exist(files) && !force) {
+ prompt = sssctl_prompt(_("SSSD backup of local data already exists, "
+ "override?"), SSSCTL_PROMPT_NO);
+ switch (prompt) {
+ case SSSCTL_PROMPT_YES:
+ /* continue */
+ break;
+ case SSSCTL_PROMPT_NO:
+ return EEXIST;
+ case SSSCTL_PROMPT_ERROR:
+ return EIO;
+ }
+ }
+
+ ret = sssctl_run_command("sss_override user-export "
+ SSS_BACKUP_USER_OVERRIDES);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to export user overrides\n"));
+ return ret;
+ }
+
+ ret = sssctl_run_command("sss_override group-export "
+ SSS_BACKUP_GROUP_OVERRIDES);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to export group overrides\n"));
+ return ret;
+ }
+
+ return ret;
+}
+
+errno_t sssctl_client_data_backup(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sssctl_data_opts opts = {0};
+ errno_t ret;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+ {"override", 'o', POPT_ARG_NONE, &opts.override, 0, _("Override existing backup"), NULL },
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt(cmdline, options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ ret = sssctl_backup(opts.override);
+ if (ret == EEXIST) {
+ return EOK;
+ }
+
+ return ret;
+}
+
+static errno_t sssctl_restore(bool force_start, bool force_restart)
+{
+ errno_t ret;
+
+ if (!sssctl_start_sssd(force_start)) {
+ return ERR_SSSD_NOT_RUNNING;
+ }
+
+ if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+ ret = sssctl_run_command("sss_override user-import "
+ SSS_BACKUP_USER_OVERRIDES);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to import user overrides\n"));
+ return ret;
+ }
+ }
+
+ if (sssctl_backup_file_exists(SSS_BACKUP_USER_OVERRIDES)) {
+ ret = sssctl_run_command("sss_override group-import "
+ SSS_BACKUP_GROUP_OVERRIDES);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to import group overrides\n"));
+ return ret;
+ }
+ }
+
+ sssctl_restart_sssd(force_restart);
+
+ ret = EOK;
+
+ return ret;
+}
+
+errno_t sssctl_client_data_restore(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sssctl_data_opts opts = {0};
+ errno_t ret;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+ {"start", 's', POPT_ARG_NONE, &opts.start, 0, _("Start SSSD if it is not running"), NULL },
+ {"restart", 'r', POPT_ARG_NONE, &opts.restart, 0, _("Restart SSSD after data import"), NULL },
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt(cmdline, options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ return sssctl_restore(opts.start, opts.restart);
+}
+
+errno_t sssctl_cache_remove(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sssctl_data_opts opts = {0};
+ errno_t ret;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+ {"override", 'o', POPT_ARG_NONE, &opts.override, 0, _("Override existing backup"), NULL },
+ {"restore", 'r', POPT_ARG_NONE, &opts.restore, 0, _("Create clean cache files and import local data"), NULL },
+ {"stop", 'p', POPT_ARG_NONE, &opts.stop, 0, _("Stop SSSD before removing the cache"), NULL },
+ {"start", 's', POPT_ARG_NONE, &opts.start, 0, _("Start SSSD when the cache is removed"), NULL },
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt(cmdline, options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ if (!sssctl_stop_sssd(opts.stop)) {
+ fprintf(stderr, "Unable to remove the cache unless SSSD is stopped.\n");
+ return ERR_SSSD_RUNNING;
+ }
+
+ printf(_("Creating backup of local data...\n"));
+ ret = sssctl_backup(opts.override);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to create backup of local data,"
+ " can not remove the cache.\n"));
+ return ret;
+ }
+
+ printf(_("Removing cache files...\n"));
+ ret = sss_remove_subtree(DB_PATH);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to remove cache files\n"));
+ return ret;
+ }
+
+ if (opts.restore) {
+ printf(_("Restoring local data...\n"));
+ sssctl_restore(opts.start, opts.start);
+ } else {
+ sssctl_start_sssd(opts.start);
+ }
+
+ return EOK;
+}
+
+errno_t sssctl_cache_upgrade(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sysdb_upgrade_ctx db_up_ctx;
+ errno_t ret;
+
+ ret = sss_tool_popt(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ if (sss_daemon_running()) {
+ return ERR_SSSD_RUNNING;
+ }
+
+ ret = confdb_get_domains(tool_ctx->confdb, &tool_ctx->domains);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "No domains configured.\n");
+ return ret;
+ }
+
+ db_up_ctx.cdb = tool_ctx->confdb;
+ ret = sysdb_init_ext(tool_ctx, tool_ctx->domains, &db_up_ctx,
+ true, 0, 0);
+ if (ret != EOK) {
+ SYSDB_VERSION_ERROR_DAEMON(ret);
+ return ret;
+ }
+
+ return EOK;
+}
+
+errno_t sssctl_cache_expire(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ errno_t ret;
+ char *cmd_args = NULL;
+ const char *cachecmd = SSS_CACHE;
+ char *cmd = NULL;
+ int i;
+
+ if (cmdline->argc == 0) {
+ ret = sssctl_run_command(cachecmd);
+ goto done;
+ }
+
+ cmd_args = talloc_strdup(tool_ctx, "");
+ if (cmd_args == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < cmdline->argc; i++) {
+ cmd_args = talloc_strdup_append(cmd_args, cmdline->argv[i]);
+ if (i != cmdline->argc - 1) {
+ cmd_args = talloc_strdup_append(cmd_args, " ");
+ }
+ }
+
+ cmd = talloc_asprintf(tool_ctx, "%s %s", cachecmd, cmd_args);
+ if (cmd == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ ret = sssctl_run_command(cmd);
+
+done:
+ talloc_free(cmd_args);
+ talloc_free(cmd);
+
+ return ret;
+}
diff --git a/src/tools/sssctl/sssctl_domains.c b/src/tools/sssctl/sssctl_domains.c
new file mode 100644
index 0000000..f3ec436
--- /dev/null
+++ b/src/tools/sssctl/sssctl_domains.c
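Review bot: `sssctl_cache_expire` joins every `cmdline->argv[i]` with single spaces into one string and passes it to `sssctl_run_command()`, so the argument boundaries supplied by the caller are lost and nothing is quoted or validated. `sssctl_run_command` is defined outside this hunk; if it hands the string to a shell, shell metacharacters in an argument would be interpreted instead of reaching `sss_cache` as data, and the same applies to `sssctl_logs_fetch` in the sssctl_logs.c hunk, which formats the user-supplied `file` into `"tar -czf %s %s"`. Building an argv array and running it through an exec-style helper that does not involve a shell would remove the problem, and the `talloc_strdup_append` results should be checked for NULL while there. Separately, in `sssctl_restore` the guard before `group-import` tests the user file; it should read `if (sssctl_backup_file_exists(SSS_BACKUP_GROUP_OVERRIDES)) {`.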
@@ -0,0 +1,403 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "util/util.h"
+#include "tools/common/sss_tools.h"
+#include "tools/sssctl/sssctl.h"
+#include "sbus/sssd_dbus.h"
+#include "responder/ifp/ifp_iface.h"
+
+#define SSS_SIFP_ATTR_SUBDOMAIN "subdomain"
+
+errno_t domain_is_subdomain_check(sss_sifp_ctx *sifp_ctx,
+ char *domain,
+ bool *_is_subdom)
+{
+ bool is_subdom;
+ sss_sifp_error error;
+ sss_sifp_object *domain_obj;
+
+ error = sss_sifp_fetch_domain_by_name(sifp_ctx, domain, &domain_obj);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp_ctx, error, "Unable to fetch domain by name");
+ return EIO;
+ }
+
+ error = sss_sifp_find_attr_as_bool(domain_obj->attrs,
+ SSS_SIFP_ATTR_SUBDOMAIN,
+ &is_subdom);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp_ctx, error, "Unable to find subdomain attr");
+ return EIO;
+ }
+
+ *_is_subdom = is_subdom;
+
+ return EOK;
+}
+
+errno_t sssctl_domain_list(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ sss_sifp_ctx *sifp;
+ sss_sifp_error error;
+ bool is_subdom;
+ char **domains;
+ int start = 0;
+ int verbose = 0;
+ errno_t ret;
+ int i;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+ {"start", 's', POPT_ARG_NONE, &start, 0, _("Start SSSD if it is not running"), NULL },
+ {"verbose", 'v', POPT_ARG_NONE, &verbose, 0, _("Show domain list including primary or trusted domain type"), NULL },
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt(cmdline, options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ if (!sssctl_start_sssd(start)) {
+ return ERR_SSSD_NOT_RUNNING;
+ }
+
+ error = sssctl_sifp_init(tool_ctx, &sifp);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to connect to the InfoPipe");
+ return EFAULT;
+ }
+
+ error = sss_sifp_list_domains(sifp, &domains);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to get domains list");
+ return EIO;
+ }
+
+ if (verbose) {
+ for (i = 0; domains[i] != NULL; i++) {
+ ret = domain_is_subdomain_check(sifp, domains[i], &is_subdom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Subdomain check failed\n");
+ return ret;
+ }
+
+ if (is_subdom) {
+ printf("Trusted domain: %s\n", domains[i]);
+ } else {
+ printf("Primary domain: %s\n", domains[i]);
+ }
+ }
+
+ return EOK;
+ }
+
+ for (i = 0; domains[i] != NULL; i++) {
+ puts(domains[i]);
+ }
+
+ return EOK;
+}
+
+static errno_t sssctl_domain_status_online(struct sss_tool_ctx *tool_ctx,
+ sss_sifp_ctx *sifp,
+ const char *domain_path)
+{
+ TALLOC_CTX *tmp_ctx;
+ sss_sifp_error error;
+ DBusMessage *reply;
+ bool is_online;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ error = sssctl_sifp_send(tmp_ctx, sifp, &reply, domain_path,
+ IFACE_IFP_DOMAINS_DOMAIN,
+ IFACE_IFP_DOMAINS_DOMAIN_ISONLINE);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to get online status");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_parse_reply(reply, DBUS_TYPE_BOOLEAN, &is_online);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ printf(_("Online status: %s\n"), is_online ? _("Online") : _("Offline"));
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static const char *proper_service_name(const char *service)
+{
+ if (strcasecmp(service, "AD_GC") == 0) {
+ return "AD Global Catalog";
+ } else if (strcasecmp(service, "AD") == 0) {
+ return "AD Domain Controller";
+ } else if (strncasecmp(service, "sd_gc_", strlen("sd_gc_")) == 0) {
+ return "AD Global Catalog";
+ } else if (strncasecmp(service, "sd_", strlen("sd_")) == 0) {
+ return "AD Domain Controller";
+ }
+
+ return service;
+}
+
+static errno_t sssctl_domain_status_active_server(struct sss_tool_ctx *tool_ctx,
+ sss_sifp_ctx *sifp,
+ const char *domain_path)
+{
+ TALLOC_CTX *tmp_ctx;
+ sss_sifp_error error;
+ DBusMessage *reply;
+ const char *server;
+ const char **services;
+ int num_services;
+ errno_t ret;
+ int i;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ error = sssctl_sifp_send(tmp_ctx, sifp, &reply, domain_path,
+ IFACE_IFP_DOMAINS_DOMAIN,
+ IFACE_IFP_DOMAINS_DOMAIN_LISTSERVICES);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to list services");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_parse_reply(reply, DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &services, &num_services);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ printf(_("Active servers:\n"));
+ for (i = 0; i < num_services; i++) {
+ error = sssctl_sifp_send(tmp_ctx, sifp, &reply, domain_path,
+ IFACE_IFP_DOMAINS_DOMAIN,
+ IFACE_IFP_DOMAINS_DOMAIN_ACTIVESERVER,
+ DBUS_TYPE_STRING, &services[i]);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to get active server");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_parse_reply(reply, DBUS_TYPE_STRING, &server);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ server = SBUS_IS_STRING_EMPTY(server) ? _("not connected") : server;
+ printf("%s: %s\n", proper_service_name(services[i]), server);
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t sssctl_domain_status_server_list(struct sss_tool_ctx *tool_ctx,
+ sss_sifp_ctx *sifp,
+ const char *domain_path)
+{
+ TALLOC_CTX *tmp_ctx;
+ sss_sifp_error error;
+ DBusMessage *reply;
+ const char **servers;
+ int num_servers;
+ const char **services;
+ int num_services;
+ errno_t ret;
+ int i, j;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ error = sssctl_sifp_send(tmp_ctx, sifp, &reply, domain_path,
+ IFACE_IFP_DOMAINS_DOMAIN,
+ IFACE_IFP_DOMAINS_DOMAIN_LISTSERVICES);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to list services");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_parse_reply(reply, DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &services, &num_services);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ for (i = 0; i < num_services; i++) {
+ printf(_("Discovered %s servers:\n"), proper_service_name(services[i]));
+ error = sssctl_sifp_send(tmp_ctx, sifp, &reply, domain_path,
+ IFACE_IFP_DOMAINS_DOMAIN,
+ IFACE_IFP_DOMAINS_DOMAIN_LISTSERVERS,
+ DBUS_TYPE_STRING, &services[i]);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to get active server");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = sbus_parse_reply(reply, DBUS_TYPE_ARRAY, DBUS_TYPE_STRING,
+ &servers, &num_servers);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ if (num_servers == 0) {
+ puts(_("None so far.\n"));
+ continue;
+ }
+
+ for (j = 0; j < num_servers; j++) {
+ printf("- %s\n", servers[j]);
+ }
+
+ printf("\n");
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+struct sssctl_domain_status_opts {
+ const char *domain;
+ int online;
+ int last;
+ int active;
+ int servers;
+ int force_start;
+};
+
+errno_t sssctl_domain_status(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sssctl_domain_status_opts opts = {0};
+ sss_sifp_ctx *sifp;
+ sss_sifp_error error;
+ const char *path;
+ bool opt_set;
+ errno_t ret;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+ {"online", 'o', POPT_ARG_NONE , &opts.online, 0, _("Show online status"), NULL },
+ {"active-server", 'a', POPT_ARG_NONE, &opts.active, 0, _("Show information about active server"), NULL },
+ {"servers", 'r', POPT_ARG_NONE, &opts.servers, 0, _("Show list of discovered servers"), NULL },
+ {"start", 's', POPT_ARG_NONE, &opts.force_start, 0, _("Start SSSD if it is not running"), NULL },
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL,
+ NULL, NULL, "DOMAIN", _("Specify domain name."),
+ &opts.domain, &opt_set);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ if (opt_set == false) {
+ opts.online = true;
+ opts.last = true;
+ opts.active = true;
+ opts.servers = true;
+ }
+
+ path = sbus_opath_compose(tool_ctx, IFP_PATH_DOMAINS, opts.domain);
+ if (path == NULL) {
+ printf(_("Out of memory!\n"));
+ return ENOMEM;
+ }
+
+ if (!sssctl_start_sssd(opts.force_start)) {
+ return ERR_SSSD_NOT_RUNNING;
+ }
+
+ error = sssctl_sifp_init(tool_ctx, &sifp);
+ if (error != SSS_SIFP_OK) {
+ sssctl_sifp_error(sifp, error, "Unable to connect to the InfoPipe");
+ return EFAULT;
+ }
+
+ if (opts.online) {
+ ret = sssctl_domain_status_online(tool_ctx, sifp, path);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to get online status\n"));
+ return ret;
+ }
+
+ printf("\n");
+ }
+
+ if (opts.active) {
+ ret = sssctl_domain_status_active_server(tool_ctx, sifp, path);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to get online status\n"));
+ return ret;
+ }
+
+ printf("\n");
+ }
+
+ if (opts.servers) {
+ ret = sssctl_domain_status_server_list(tool_ctx, sifp, path);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to get server list\n"));
+ return ret;
+ }
+ }
+
+ return EOK;
+}
diff --git a/src/tools/sssctl/sssctl_logs.c b/src/tools/sssctl/sssctl_logs.c
new file mode 100644
index 0000000..aca988c
--- /dev/null
+++ b/src/tools/sssctl/sssctl_logs.c
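Review bot: In `sssctl_domain_status_online`, `is_online` is declared `bool` but its address is passed as the out-parameter of `sbus_parse_reply(reply, DBUS_TYPE_BOOLEAN, &is_online)`. libdbus stores a `DBUS_TYPE_BOOLEAN` value into a `dbus_bool_t`, which is 32 bits wide, so if `sbus_parse_reply` (defined outside this hunk) forwards the pointer to `dbus_message_get_args`, the store writes past a typically one-byte `bool` on the stack. Declaring it as `dbus_bool_t is_online;` matches the out-parameter type and leaves the `printf` ternary unchanged. A smaller point in `sssctl_domain_status`: the failure branch after `sssctl_domain_status_active_server` prints `Unable to get online status`, which looks copied from the branch above it.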
@@ -0,0 +1,371 @@
+/*
+ Authors:
+ Pavel Březina
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "tools/common/sss_process.h"
+#include "tools/sssctl/sssctl.h"
+#include "tools/tools_util.h"
+#include "confdb/confdb.h"
+
+#define LOG_FILE(file) " " LOG_PATH "/" file
+#define LOG_FILES LOG_FILE("*.log")
+
+#define CHECK(expr, done, msg) do { \
+ if (expr) { \
+ ERROR(msg "\n"); \
+ goto done; \
+ } \
+} while(0)
+
+struct debuglevel_tool_ctx {
+ struct confdb_ctx *confdb;
+ char **sections;
+};
+
+struct sssctl_logs_opts {
+ int delete;
+ int archived;
+};
+
+errno_t set_debug_level(struct debuglevel_tool_ctx *tool_ctx,
+ int debug_to_set, const char *config_file)
+{
+ int ret;
+ int err;
+ const char *values[2];
+ char **section = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ /* convert debug_to_set to string */
+ values[0] = talloc_asprintf(tmp_ctx, "0x%.4x", debug_to_set);
+ if (values[0] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ values[1] = NULL;
+
+ /* write to confdb */
+ for (section = tool_ctx->sections; *section != NULL; section++) {
+ ret = confdb_add_param(tool_ctx->confdb, 1, *section,
+ CONFDB_SERVICE_DEBUG_LEVEL, values);
+ if (ret != EOK) {
+ goto done;
+ }
+ }
+
+ /*
+ * Change atime and mtime of sssd.conf,
+ * so the configuration can be restored on next start.
+ */
+ errno = 0;
+ if (utime(config_file, NULL) == -1) {
+ err = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE, "Unable to change mtime of \"%s\": %s\n",
+ config_file, strerror(err));
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t connect_to_confdb(TALLOC_CTX *ctx, struct confdb_ctx **cdb_ctx)
+{
+ int ret;
+ char *confdb_path = NULL;
+
+ confdb_path = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE);
+ if (confdb_path == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not allocate memory for confdb path\n");
+ return ENOMEM;
+ }
+
+ ret = confdb_init(ctx, cdb_ctx, confdb_path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not initialize connection to the confdb\n");
+ }
+
+ talloc_free(confdb_path);
+ return ret;
+}
+
+errno_t get_confdb_sections(TALLOC_CTX *ctx, struct confdb_ctx *confdb,
+ char ***output_sections)
+{
+ int ret;
+ int domain_count = 0;
+ int i = 0;
+ struct sss_domain_info *domain = NULL;
+ struct sss_domain_info *domain_list = NULL;
+ char **sections;
+ const char *known_services[] = {
+ CONFDB_MONITOR_CONF_ENTRY,
+ CONFDB_NSS_CONF_ENTRY,
+ CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAC_CONF_ENTRY,
+ CONFDB_SSH_CONF_ENTRY,
+ CONFDB_SUDO_CONF_ENTRY,
+ CONFDB_AUTOFS_CONF_ENTRY,
+ CONFDB_IFP_CONF_ENTRY,
+ };
+ static const int known_services_count = sizeof(known_services)
+ / sizeof(*known_services);
+ TALLOC_CTX *tmp_ctx = talloc_new(NULL);
+
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return ENOMEM;
+ }
+
+ /* get domains */
+ ret = confdb_get_domains(confdb, &domain_list);
+ if (ret != EOK)
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get domain list\n");
+
+ for (domain = domain_list;
+ domain;
+ domain = get_next_domain(domain, 0)) {
+ domain_count++;
+ }
+
+ /* allocate output space */
+ sections = talloc_array(ctx, char *,
+ domain_count + known_services_count + 1);
+ if (sections == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not allocate memory for sections\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+
+ for (i = 0; i < known_services_count; i++) {
+ sections[i] = talloc_strdup(tmp_ctx, known_services[i]);
+ if (sections[i] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ }
+
+ for (domain = domain_list;
+ domain;
+ domain = get_next_domain(domain, 0), i++) {
+ sections[i] = talloc_asprintf(tmp_ctx, CONFDB_DOMAIN_PATH_TMPL,
+ domain->name);
+ if (sections[i] == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf() failed\n");
+ ret = ENOMEM;
+ goto fail;
+ }
+ }
+
+ /* add NULL to the end */
+ sections[i] = NULL;
+
+ *output_sections = talloc_steal(ctx, sections);
+
+ return EOK;
+fail:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int parse_debug_level(const char *strlevel)
+{
+ long value;
+ char *endptr;
+
+ errno = 0;
+ value = strtol(strlevel, &endptr, 0);
+ if ((errno != 0) || (endptr == strlevel) || (*endptr != '\0')) {
+ return SSSDBG_INVALID;
+ }
+
+ return debug_convert_old_level(value);
+}
+
+errno_t sssctl_logs_remove(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ struct sssctl_logs_opts opts = {0};
+ errno_t ret;
+
+ /* Parse command line. */
+ struct poptOption options[] = {
+ {"delete", 'd', POPT_ARG_NONE, &opts.delete, 0, _("Delete log files instead of truncating"), NULL },
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt(cmdline, options, SSS_TOOL_OPT_OPTIONAL, NULL, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ if (opts.delete) {
+ printf(_("Deleting log files...\n"));
+ ret = sss_remove_subtree(LOG_PATH);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to remove log files\n"));
+ return ret;
+ }
+
+ sss_signal(SIGHUP);
+ } else {
+ printf(_("Truncating log files...\n"));
+ ret = sssctl_run_command("truncate --size 0 " LOG_FILES);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to truncate log files\n"));
+ return ret;
+ }
+ }
+
+ return EOK;
+}
+
+errno_t sssctl_logs_fetch(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ const char *file;
+ const char *cmd;
+ errno_t ret;
+
+ /* Parse command line. */
+ ret = sss_tool_popt_ex(cmdline, NULL, SSS_TOOL_OPT_OPTIONAL, NULL, NULL,
+ "FILE", "Output file", &file, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ cmd = talloc_asprintf(tool_ctx, "tar -czf %s %s", file, LOG_FILES);
+ if (cmd == NULL) {
+ fprintf(stderr, _("Out of memory!"));
+ }
+
+ printf(_("Archiving log files into %s...\n"), file);
+ ret = sssctl_run_command(cmd);
+ if (ret != EOK) {
+ fprintf(stderr, _("Unable to archive log files\n"));
+ return ret;
+ }
+
+ return EOK;
+}
+
+errno_t sssctl_debug_level(struct sss_cmdline *cmdline,
+ struct sss_tool_ctx *tool_ctx,
+ void *pvt)
+{
+ int ret;
+ int debug_to_set = SSSDBG_INVALID;
+ const char *debug_as_string = NULL;
+ const char *config_file = NULL;
+ const char *pc_config_file = NULL;
+ struct debuglevel_tool_ctx *ctx = NULL;
+ struct poptOption long_options[] = {
+ {"config", 'c', POPT_ARG_STRING, &pc_config_file,
+ 0, _("Specify a non-default config file"), NULL},
+ POPT_TABLEEND
+ };
+
+ ret = sss_tool_popt_ex(cmdline, long_options, SSS_TOOL_OPT_OPTIONAL, NULL,
+ NULL, "DEBUG_LEVEL_TO_SET",
+ _("Specify debug level you want to set"),
+ &debug_as_string, NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n");
+ return ret;
+ }
+
+ /* get config file */
+ if (pc_config_file) {
+ config_file = talloc_strdup(ctx, pc_config_file);
+ } else {
+ config_file = talloc_strdup(ctx, SSSD_CONFIG_FILE);
+ }
+
+ if (config_file == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ CHECK_ROOT(ret, debug_prg_name);
+
+ /* free pc_config_file? */
+ /* free debug_as_string? */
+
+ debug_to_set = parse_debug_level(debug_as_string);
+ CHECK(debug_to_set == SSSDBG_INVALID, fini, "Invalid debug level.");
+
+ /* allocate context */
+ ctx = talloc_zero(NULL, struct debuglevel_tool_ctx);
+ if (ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Could not allocate memory for tools context\n");
+ ret = ENOMEM;
+ goto fini;
+ }
+
+ ret = connect_to_confdb(ctx, &ctx->confdb);
+ CHECK(ret != EOK, fini, "Could not connect to configuration database.");
+
+ ret = get_confdb_sections(ctx, ctx->confdb, &ctx->sections);
+ CHECK(ret != EOK, fini, "Could not get all configuration sections.");
+
+ ret = set_debug_level(ctx, debug_to_set, config_file);
+ CHECK(ret != EOK, fini, "Could not set debug level.");
+
+ ret = sss_signal(SIGHUP);
+ CHECK(ret != EOK, fini,
+ "Could not force sssd processes to reload configuration. "
+ "Is sssd running?");
+
+fini:
+ talloc_free(ctx);
+ return ret;
+}
diff --git a/src/tools/sssctl/sssctl_sifp.c b/src/tools/sssctl/sssctl_sifp.c
new file mode 100644
index 0000000..c53119b
--- /dev/null
+++ b/src/tools/sssctl/sssctl_sifp.c
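Review bot: In `sssctl_logs_fetch` the `cmd == NULL` branch only prints `Out of memory!` and then falls through, so `sssctl_run_command(cmd)` is reached with a NULL command; the branch should end with `return ENOMEM;`. In `sssctl_debug_level`, `CHECK(debug_to_set == SSSDBG_INVALID, fini, "Invalid debug level.");` jumps to `fini` without assigning `ret`, because the `CHECK` macro only prints and does `goto`; the function then appears to return whatever `ret` held after `CHECK_ROOT` (defined outside this hunk), which is likely success. Setting `ret = EINVAL;` before that jump, for example with an explicit `if` instead of the macro, would let callers see the failure. `config_file` is also duplicated onto `ctx` while `ctx` is still NULL, so it is never freed by `talloc_free(ctx)` at `fini`.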
@@ -0,0 +1,166 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "tools/sssctl/sssctl.h" + +#define ERR_SSSD _("Check that SSSD is running and " \ + "the InfoPipe responder is enabled. " \ + "Make sure 'ifp' is listed in the " \ + "'services' option in sssd.conf.\n") + +struct sssctl_sifp_data { + sss_sifp_ctx *sifp; +}; + +static int sssctl_sifp_data_destructor(struct sssctl_sifp_data *ctx) +{ + if (ctx->sifp != NULL) { + sss_sifp_free(&ctx->sifp); + } + + return 0; +} + +static void *sssctl_sifp_talloc(size_t size, void *pvt) +{ + return talloc_size(pvt, size); +} + +static void sssctl_sifp_talloc_free(void *ptr, void *pvt) +{ + talloc_free(ptr); +} + +sss_sifp_error sssctl_sifp_init(struct sss_tool_ctx *tool_ctx, + sss_sifp_ctx **_sifp) +{ + struct sssctl_sifp_data *sifp_data; + sss_sifp_error error; + + sifp_data = talloc_zero(tool_ctx, struct sssctl_sifp_data); + if (sifp_data == NULL) { + return SSS_SIFP_OUT_OF_MEMORY; + } + + error = sss_sifp_init_ex(sifp_data, sssctl_sifp_talloc, + sssctl_sifp_talloc_free, &sifp_data->sifp); + if (error != SSS_SIFP_OK) { + *_sifp = sifp_data->sifp; + return error; + } + + talloc_set_destructor(sifp_data, sssctl_sifp_data_destructor); + *_sifp = sifp_data->sifp; + + return SSS_SIFP_OK; +} + +void _sssctl_sifp_error(sss_sifp_ctx *sifp, + 
sss_sifp_error error, + const char *message) +{ + const char *dbus_code; + const char *dbus_msg; + const char *sifp_msg; + + sifp_msg = sss_sifp_strerr(error); + + switch (error) { + case SSS_SIFP_OK: + break; + case SSS_SIFP_IO_ERROR: + dbus_code = sss_sifp_get_last_io_error_name(sifp); + dbus_msg = sss_sifp_get_last_io_error_message(sifp); + + fprintf(stderr, "%s [%d]: %s\n", message, error, sifp_msg); + fprintf(stderr, "%s: %s\n", dbus_code, dbus_msg); + + if (strcmp(dbus_code, DBUS_ERROR_SERVICE_UNKNOWN) == 0) { + fprintf(stderr, ERR_SSSD); + break; + } + + if (strcmp(dbus_code, DBUS_ERROR_SPAWN_CHILD_EXITED) == 0) { + fprintf(stderr, ERR_SSSD); + break; + } + + if (strcmp(dbus_code, DBUS_ERROR_NO_REPLY) == 0) { + fprintf(stderr, ERR_SSSD); + break; + } + + break; + default: + fprintf(stderr, "%s [%d]: %s\n", message, error, sifp_msg); + break; + } +} + +sss_sifp_error _sssctl_sifp_send(TALLOC_CTX *mem_ctx, + sss_sifp_ctx *sifp, + DBusMessage **_reply, + const char *path, + const char *iface, + const char *method, + int first_arg_type, + ...) +{ + sss_sifp_error error; + DBusMessage *msg; + dbus_bool_t bret; + errno_t ret; + va_list va; + + msg = sss_sifp_create_message(path, iface, method); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create D-Bus message\n"); + return SSS_SIFP_OUT_OF_MEMORY; + } + + va_start(va, first_arg_type); + bret = dbus_message_append_args_valist(msg, first_arg_type, va); + va_end(va); + if (!bret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to build message\n"); + error = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + + error = sss_sifp_send_message(sifp, msg, _reply); + if (error != SSS_SIFP_OK) { + goto done; + } + + ret = sbus_talloc_bound_message(mem_ctx, *_reply); + if (ret != EOK) { + error = SSS_SIFP_OUT_OF_MEMORY; + goto done; + } + +done: + dbus_message_unref(msg); + return error; +} diff --git a/src/tools/sssctl/sssctl_systemd.c b/src/tools/sssctl/sssctl_systemd.c new file mode 100644 index 0000000..d5ce3b6 
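Review bot: In `_sssctl_sifp_error`, the `SSS_SIFP_IO_ERROR` branch hands `dbus_code` to `fprintf` with `%s` and to three `strcmp()` calls without checking it for NULL. Whether `sss_sifp_get_last_io_error_name()` can return NULL is not visible in this file, so that is worth confirming; if it can, a guard such as `if (dbus_code == NULL) break;` right after the first `fprintf` keeps the error path from crashing. Separately, `fprintf(stderr, ERR_SSSD)` uses a translated string as the format argument; `fputs(ERR_SSSD, stderr)` prints the same text without depending on the message catalog being free of conversion specifiers.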
--- /dev/null
+++ b/src/tools/sssctl/sssctl_systemd.c
@@ -0,0 +1,136 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "tools/sssctl/sssctl.h" + +#define SSS_SYSTEMD_BUS "org.freedesktop.systemd1" +#define SSS_SYSTEMD_PATH "/org/freedesktop/systemd1" +#define SSS_SYSTEMD_IFACE "org.freedesktop.systemd1.Manager" +#define SSS_SYSTEMD_UNIT "sssd.service" +#define SSS_SYSTEMD_MODE "replace" /* replace queued job if present */ + +static DBusConnection * +sssctl_systemd_connect(void) +{ + DBusConnection *conn; + DBusError error; + + dbus_error_init(&error); + + conn = dbus_bus_get(DBUS_BUS_SYSTEM, &error); + if (dbus_error_is_set(&error)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to connect to systemd D-Bus " + "[%s]: %s\n", error.name, error.message); + conn = NULL; + goto done; + } + +done: + dbus_error_free(&error); + return conn; +} + +static errno_t sssctl_systemd_call(const char *method) +{ + DBusConnection *conn = NULL; + DBusMessage *reply = NULL; + DBusMessage *msg = NULL; + DBusError error; + const char *unit = SSS_SYSTEMD_UNIT; + const char *mode = SSS_SYSTEMD_MODE; + const char *job; + errno_t ret; + + dbus_error_init(&error); + + conn = sssctl_systemd_connect(); + if (conn == NULL) { + ret = EIO; + goto done; + } + + msg = sbus_create_message(NULL, SSS_SYSTEMD_BUS, SSS_SYSTEMD_PATH, + SSS_SYSTEMD_IFACE, method, + DBUS_TYPE_STRING, 
&unit, + DBUS_TYPE_STRING, &mode); + if (msg == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create D-Bus Message!\n"); + ret = ENOMEM; + goto done; + } + + reply = dbus_connection_send_with_reply_and_block(conn, msg, 5000, &error); + if (dbus_error_is_set(&error)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to send D-Bus message " + "[%s]: %s\n", error.name, error.message); + ret = EIO; + goto done; + } + + ret = sbus_parse_message(reply, DBUS_TYPE_OBJECT_PATH, &job); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get D-Bus reply [%d]: %s!\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "New systemd job created: %s\n", job); + +done: + if (msg != NULL) { + dbus_message_unref(msg); + } + + if (reply != NULL) { + dbus_message_unref(reply); + } + + if (conn != NULL) { + dbus_connection_unref(conn); + } + + return ret; +} + +errno_t sssctl_systemd_start(void) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Starting SSSD via systemd...\n"); + + return sssctl_systemd_call("StartUnit"); +} + +errno_t sssctl_systemd_stop(void) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Stopping SSSD via systemd...\n"); + + return sssctl_systemd_call("StopUnit"); +} + +errno_t sssctl_systemd_restart(void) +{ + DEBUG(SSSDBG_TRACE_FUNC, "Restarting SSSD via systemd...\n"); + + return sssctl_systemd_call("RestartUnit"); +} diff --git a/src/tools/sssctl/sssctl_user_checks.c b/src/tools/sssctl/sssctl_user_checks.c new file mode 100644 index 0000000..8e2acad --- /dev/null +++ b/src/tools/sssctl/sssctl_user_checks.c 
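Review bot: `sssctl_systemd_call` initialises `error` with `dbus_error_init()` but never releases it, so when `dbus_connection_send_with_reply_and_block()` sets the error, its name and message are leaked. `sssctl_systemd_connect` in the same file already frees its error at `done:`; the same `dbus_error_free(&error);` belongs at the `done:` label here. The 5000 ms reply timeout would also read better as a named constant next to the `SSS_SYSTEMD_*` defines.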
@@ -0,0 +1,299 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with this program. If not, see . +*/ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "lib/sifp/sss_sifp.h" +#include "util/util.h" +#include "tools/common/sss_tools.h" +#include "tools/sssctl/sssctl.h" + +#ifdef HAVE_SECURITY_PAM_MISC_H +# include +#elif defined(HAVE_SECURITY_OPENPAM_H) +# include +#endif + +#ifdef HAVE_SECURITY_PAM_MISC_H +static struct pam_conv conv = { + misc_conv, + NULL +}; +#elif defined(HAVE_SECURITY_OPENPAM_H) +static struct pam_conv conv = { + openpam_ttyconv, + NULL +}; +#else +# error "Missing text based pam conversation function" +#endif + +#define DEFAULT_ACTION "acct" +#define DEFAULT_SERVICE "system-auth" + +#define DEFAULT_BUFSIZE 4096 + +static int get_ifp_user(const char *user) +{ + sss_sifp_ctx *sifp; + sss_sifp_error error; + sss_sifp_object *user_obj; + const char *tmp_str; + uint32_t tmp_uint32; + size_t c; + + struct ifp_user_attr { + const char *name; + bool is_string; + } ifp_user_attr[] = { + { "name", true }, + { "uidNumber", false }, + { "gidNumber", false }, + { "gecos", true }, + { "homeDirectory", true }, + { "loginShell", true }, + { NULL, false } + }; + + error = sss_sifp_init(&sifp); + if (error != SSS_SIFP_OK) { + fprintf(stderr, _("Unable to connect 
to the InfoPipe")); + return EFAULT; + } + + error = sss_sifp_fetch_user_by_name(sifp, user, &user_obj); + if (error != SSS_SIFP_OK) { + fprintf(stderr, _("Unable to get user object")); + return EIO; + } + + fprintf(stdout, _("SSSD InfoPipe user lookup result:\n")); + for (c = 0; ifp_user_attr[c].name != NULL; c++) { + if (ifp_user_attr[c].is_string) { + error = sss_sifp_find_attr_as_string(user_obj->attrs, + ifp_user_attr[c].name, + &tmp_str); + } else { + error = sss_sifp_find_attr_as_uint32(user_obj->attrs, + ifp_user_attr[c].name, + &tmp_uint32); + } + if (error != SSS_SIFP_OK) { + fprintf(stderr, _("Unable to get user name attr")); + return EIO; + } + + if (ifp_user_attr[c].is_string) { + fprintf(stdout, " - %s: %s\n", ifp_user_attr[c].name, tmp_str); + } else { + fprintf(stdout, " - %s: %"PRIu32"\n", ifp_user_attr[c].name, + tmp_uint32); + } + } + fprintf(stdout, "\n"); + + sss_sifp_free_object(sifp, &user_obj); + sss_sifp_free(&sifp); + return 0; +} + +static int sss_getpwnam_check(const char *user) +{ + void *dl_handle = NULL; + enum nss_status (*sss_getpwnam_r)(const char *name, struct passwd *result, + char *buffer, size_t buflen, + int *errnop); + struct passwd pwd = { 0 }; + enum nss_status status; + char *buffer = NULL; + size_t buflen; + int nss_errno; + int ret; + + dl_handle = dlopen("libnss_sss.so.2", RTLD_NOW); + if (dl_handle == NULL) { + fprintf(stderr, _("dlopen failed with [%s].\n"), dlerror()); + ret = EIO; + goto done; + } + + sss_getpwnam_r = dlsym(dl_handle, "_nss_sss_getpwnam_r"); + if (sss_getpwnam_r == NULL) { + fprintf(stderr, _("dlsym failed with [%s].\n"), dlerror()); + ret = EIO; + goto done; + } + + buflen = DEFAULT_BUFSIZE; + buffer = malloc(buflen); + if (buffer == NULL) { + fprintf(stderr, _("malloc failed.\n")); + ret = ENOMEM; + goto done; + } + + status = sss_getpwnam_r(user, &pwd, buffer, buflen, &nss_errno); + if (status != NSS_STATUS_SUCCESS) { + fprintf(stderr, _("sss_getpwnam_r failed with [%d].\n"), status); + ret = 
EIO; + goto done; + } + + fprintf(stdout, _("SSSD nss user lookup result:\n")); + fprintf(stdout, _(" - user name: %s\n"), pwd.pw_name); + fprintf(stdout, _(" - user id: %d\n"), pwd.pw_uid); + fprintf(stdout, _(" - group id: %d\n"), pwd.pw_gid); + fprintf(stdout, _(" - gecos: %s\n"), pwd.pw_gecos); + fprintf(stdout, _(" - home directory: %s\n"), pwd.pw_dir); + fprintf(stdout, _(" - shell: %s\n\n"), pwd.pw_shell); + + ret = 0; + +done: + if (dl_handle != NULL) { + dlclose(dl_handle); + } + + free(buffer); + + return ret; +} + +errno_t sssctl_user_checks(struct sss_cmdline *cmdline, + struct sss_tool_ctx *tool_ctx, + void *pvt) +{ + + pam_handle_t *pamh; + const char *user = NULL; + const char *action = DEFAULT_ACTION; + const char *service = DEFAULT_SERVICE; + int ret; + int pret; + const char *pam_user = NULL; + size_t c; + char **pam_env; + + /* Parse command line. */ + struct poptOption options[] = { + { "action", 'a', POPT_ARG_STRING, &action, 0, + _("PAM action [auth|acct|setc|chau|open|clos], default: " + DEFAULT_ACTION), NULL }, + { "service", 's', POPT_ARG_STRING, &service, 0, + _("PAM service, default: " DEFAULT_SERVICE), NULL }, + POPT_TABLEEND + }; + + ret = sss_tool_popt_ex(cmdline, options, SSS_TOOL_OPT_OPTIONAL, + NULL, NULL, "USERNAME", _("Specify user name."), + &user, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse command arguments\n"); + return ret; + } + + fprintf(stdout, _("user: %s\naction: %s\nservice: %s\n\n"), + user, action, service); + + if (*user != '\0') { + ret = sss_getpwnam_check(user); + if (ret != 0) { + fprintf(stderr, _("User name lookup with [%s] failed.\n"), user); + } + + ret = get_ifp_user(user); + if (ret != 0) { + fprintf(stderr, _("InfoPipe User lookup with [%s] failed.\n"), + user); + } + } + + ret = pam_start(service, user, &conv, &pamh); + if (ret != PAM_SUCCESS) { + fprintf(stderr, _("pam_start failed: %s\n"), pam_strerror(pamh, ret)); + return 1; + } + + if ( strncmp(action, "auth", 4)== 0 ) { 
+ fprintf(stdout, _("testing pam_authenticate\n\n")); + ret = pam_authenticate(pamh, 0); + pret = pam_get_item(pamh, PAM_USER, (const void **) &pam_user); + if (pret != PAM_SUCCESS) { + fprintf(stderr, _("pam_get_item failed: %s\n"), pam_strerror(pamh, + pret)); + pam_user = "- not available -"; + } + fprintf(stderr, _("pam_authenticate for user [%s]: %s\n\n"), pam_user, + pam_strerror(pamh, ret)); + } else if ( strncmp(action, "chau", 4)== 0 ) { + fprintf(stdout, _("testing pam_chauthtok\n\n")); + ret = pam_chauthtok(pamh, 0); + fprintf(stderr, _("pam_chauthtok: %s\n\n"), pam_strerror(pamh, ret)); + } else if ( strncmp(action, "acct", 4)== 0 ) { + fprintf(stdout, _("testing pam_acct_mgmt\n\n")); + ret = pam_acct_mgmt(pamh, 0); + fprintf(stderr, _("pam_acct_mgmt: %s\n\n"), pam_strerror(pamh, ret)); + } else if ( strncmp(action, "setc", 4)== 0 ) { + fprintf(stdout, _("testing pam_setcred\n\n")); + ret = pam_setcred(pamh, 0); + fprintf(stderr, _("pam_setcred: [%s]\n\n"), pam_strerror(pamh, ret)); + } else if ( strncmp(action, "open", 4)== 0 ) { + fprintf(stdout, _("testing pam_open_session\n\n")); + ret = pam_open_session(pamh, 0); + fprintf(stderr, _("pam_open_session: %s\n\n"), pam_strerror(pamh, ret)); + } else if ( strncmp(action, "clos", 4)== 0 ) { + fprintf(stdout, _("testing pam_close_session\n\n")); + ret = pam_close_session(pamh, 0); + fprintf(stderr, _("pam_close_session: %s\n\n"), + pam_strerror(pamh, ret)); + } else { + fprintf(stderr, _("unknown action\n")); + } + + fprintf(stderr, _("PAM Environment:\n")); + pam_env = pam_getenvlist(pamh); + if (pam_env != NULL && pam_env[0] != NULL) { + for (c = 0; pam_env[c] != NULL; c++) { + fprintf(stderr, " - %s\n", pam_env[c]); + free(pam_env[c]); + } + } else { + fprintf(stderr, _(" - no env -\n")); + } + free(pam_env); + + pam_end(pamh, ret); + + return 0; +} 
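Review bot: In `sssctl_user_checks`, `pamh` is declared without an initialiser and is passed to `pam_strerror(pamh, ret)` when `pam_start()` fails, at which point nothing in this code guarantees it has been set; declaring it as `pam_handle_t *pamh = NULL;` makes that path well defined. In `get_ifp_user`, both `return EIO` paths after a successful `sss_sifp_init()` skip `sss_sifp_free()` (and `sss_sifp_free_object()` inside the loop), so a `goto done` cleanup like the one in `sss_getpwnam_check` would be more consistent. The action dispatch uses `strncmp(action, "auth", 4)` and similar, so any argument that merely starts with a known action name is accepted; `strcmp` would reject a mistyped action instead of running a PAM call for it.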
diff --git a/src/tools/sssd_check_socket_activated_responders.c b/src/tools/sssd_check_socket_activated_responders.c
new file mode 100644
index 0000000..fb9df39
--- /dev/null
+++ b/src/tools/sssd_check_socket_activated_responders.c
@@ -0,0 +1,197 @@ +/* + Authors: + Fabiano Fidêncio + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include + +#include "util/util.h" +#include "confdb/confdb.h" + +static errno_t check_socket_activated_responder(const char *responder) +{ + errno_t ret; + struct ini_cfgfile *file_ctx = NULL; + struct ini_cfgobj *ini_config = NULL; + struct ini_cfgobj *modified_ini_config = NULL; + struct value_obj *vobj = NULL; + struct access_check snip_check; + const char *services; + const char *patterns[] = { "^[^\\.].*\\.conf$", NULL }; + const char *sections[] = { "sssd", NULL }; + const char *str; + TALLOC_CTX *tmp_ctx; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = ini_config_create(&ini_config); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_create() failed [%d][%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + ret = ini_config_file_open(SSSD_CONFIG_FILE, 0, &file_ctx); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_file_open() failed [%d][%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + /* Using the same flags used by sss_ini_get_config(), which is used to + * load the config file ... 
*/ + ret = ini_config_parse(file_ctx, + INI_STOP_ON_ANY, + INI_MV1S_OVERWRITE, + INI_PARSE_NOWRAP, + ini_config); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_parse() failed [%d][%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + /* And also check the snippets ... */ + snip_check.flags = INI_ACCESS_CHECK_MODE | + INI_ACCESS_CHECK_UID | + INI_ACCESS_CHECK_GID; + snip_check.uid = 0; /* owned by root */ + snip_check.gid = 0; /* owned by root */ + snip_check.mode = S_IRUSR; /* r**------ */ + snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); + + ret = ini_config_augment(ini_config, + CONFDB_DEFAULT_CONFIG_DIR, + patterns, + sections, + &snip_check, + INI_STOP_ON_ANY, + INI_MV1S_OVERWRITE, + INI_PARSE_NOWRAP, + INI_MV2S_OVERWRITE, + &modified_ini_config, + NULL, + NULL); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "ini_config_augment failed [%d][%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + if (modified_ini_config != NULL) { + ini_config_destroy(ini_config); + ini_config = modified_ini_config; + } + + ret = ini_get_config_valueobj("sssd", "services", ini_config, + INI_GET_FIRST_VALUE, &vobj); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_get_config_valueobj() failed [%d][%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + /* In case there's no services' line at all, just return EOK. 
*/ + if (vobj == NULL) { + ret = EOK; + goto done; + } + + services = ini_get_string_config_value(vobj, &ret); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_get_string_config_value() failed [%d][%s]\n", + ret, sss_strerror(ret)); + goto done; + } + + str = strstr(services, responder); + if (str != NULL) { + ret = EEXIST; + goto done; + } + + ret = EOK; + +done: + ini_config_file_destroy(file_ctx); + ini_config_destroy(ini_config); + talloc_free(tmp_ctx); + + return ret; +} + +int main(int argc, const char *argv[]) +{ + int ret; + int opt; + poptContext pc; + char *responder = NULL; + + struct poptOption long_options[] = { + POPT_AUTOHELP + {"responders", 'r', POPT_ARG_STRING, &responder, 0, + _("The name of the responder to be checked"), NULL}, + POPT_TABLEEND + }; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while ((opt = poptGetNextOpt(pc)) != -1) { + switch (opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + ret = 1; + goto done; + } + } + + if (responder == NULL) { + poptPrintUsage(pc, stderr, 0); + ret = 1; + goto done; + } + + ret = check_socket_activated_responder(responder); + if (ret != EOK) { + DEBUG(SSSDBG_DEFAULT, + "Misconfiguration found for the %s responder.\n" + "The %s responder has been configured to be socket-activated " + "but it's still mentioned in the services' line in %s.\n" + "Please, consider either adjusting your services' line in %s " + "or disabling the %s's socket by calling:\n" + "\"systemctl disable sssd-%s.socket\"", + responder, responder, SSSD_CONFIG_FILE, SSSD_CONFIG_FILE, + responder, responder); + goto done; + } + + ret = EOK; +done: + poptFreeContext(pc); + return ret; +} diff --git a/src/tools/tools_mc_util.c b/src/tools/tools_mc_util.c new file mode 100644 index 0000000..08503a5 --- /dev/null +++ b/src/tools/tools_mc_util.c 
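Review bot: `main` prints the "Misconfiguration found" text for every non-EOK result of `check_socket_activated_responder`, but only `EEXIST` means the responder is listed in the services line; a config file that cannot be opened or parsed, or a snippet that fails the ownership and mode check, is reported as the same misconfiguration. Testing `if (ret == EEXIST)` for that message and logging other errors separately would keep the diagnosis accurate. The match itself is `strstr(services, responder)`, a substring test, so a responder name contained in another entry of the list would also match; comparing against the individual comma-separated entries avoids that. `tmp_ctx` is allocated and freed but never used.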
@@ -0,0 +1,404 @@ +/* + SSSD + + tools_mc_util - interface to the memcache for userspace tools + + Copyright (C) Red Hat 2013 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "tools/tools_util.h" +#include "util/mmap_cache.h" +#include "util/sss_cli_cmd.h" +#include "sss_client/sss_cli.h" +#include "tools/common/sss_process.h" + +/* This is a copy of sss_mc_set_recycled present in + * src/responder/nss/nsssrv_mmap_cache.c. If you modify this function, + * you should modify the original function too. */ +static errno_t sss_mc_set_recycled(int fd) +{ + uint32_t w = SSS_MC_HEADER_RECYCLED; + struct sss_mc_header h; + off_t offset; + off_t pos; + ssize_t written; + + offset = MC_PTR_DIFF(&h.status, &h); + + pos = lseek(fd, offset, SEEK_SET); + if (pos == -1) { + /* What do we do now? 
*/ + return errno; + } + + errno = 0; + written = sss_atomic_write_s(fd, (uint8_t *)&w, sizeof(h.status)); + if (written == -1) { + return errno; + } + + if (written != sizeof(h.status)) { + /* Write error */ + return EIO; + } + + return EOK; +} + +errno_t sss_memcache_invalidate(const char *mc_filename) +{ + int mc_fd = -1; + errno_t ret; + errno_t pret; + useconds_t t = 50000; + int retries = 2; + + if (!mc_filename) { + return EINVAL; + } + + mc_fd = open(mc_filename, O_RDWR); + if (mc_fd == -1) { + ret = errno; + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC,"Memory cache file %s " + "does not exist.\n", mc_filename); + return EOK; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to open file %s: %s\n", + mc_filename, strerror(ret)); + return ret; + } + } + + ret = sss_br_lock_file(mc_fd, 0, 1, retries, t); + if (ret == EACCES) { + DEBUG(SSSDBG_TRACE_FUNC, + "File %s already locked by someone else.\n", mc_filename); + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to lock file %s.\n", mc_filename); + goto done; + } + /* Mark the mc file as recycled. */ + ret = sss_mc_set_recycled(mc_fd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to mark memory cache file %s " + "as recycled.\n", mc_filename); + goto done; + } + + ret = EOK; +done: + if (mc_fd != -1) { + /* Closing the file also releases the lock */ + close(mc_fd); + + /* Only unlink the file if invalidation was successful */ + if (ret == EOK) { + pret = unlink(mc_filename); + if (pret == -1) { + pret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to unlink file %s, %d [%s]. 
" + "Will be unlinked later by sssd_nss.\n", + mc_filename, pret, strerror(pret)); + } + } + } + return ret; +} + +static int clear_fastcache(bool *sssd_nss_is_off) +{ + int ret; + ret = sss_memcache_invalidate(SSS_NSS_MCACHE_DIR"/passwd"); + if (ret != EOK) { + if (ret == EACCES) { + *sssd_nss_is_off = false; + return EOK; + } else { + return ret; + } + } + + ret = sss_memcache_invalidate(SSS_NSS_MCACHE_DIR"/group"); + if (ret != EOK) { + if (ret == EACCES) { + *sssd_nss_is_off = false; + return EOK; + } else { + return ret; + } + } + + ret = sss_memcache_invalidate(SSS_NSS_MCACHE_DIR"/initgroups"); + if (ret != EOK) { + if (ret == EACCES) { + *sssd_nss_is_off = false; + return EOK; + } else { + return ret; + } + } + + *sssd_nss_is_off = true; + return EOK; +} + +static errno_t wait_till_nss_responder_invalidate_cache(void) +{ + struct stat stat_buf = { 0 }; + const time_t max_wait = 1000000; /* 1 second */ + const time_t step_time = 5000; /* 5 milliseconds */ + const size_t steps_count = max_wait / step_time; + int ret; + + for (size_t i = 0; i < steps_count; ++i) { + ret = stat(SSS_NSS_MCACHE_DIR "/" CLEAR_MC_FLAG, &stat_buf); + if (ret == -1) { + ret = errno; + if (ret == ENOENT) { + /* nss responder has already invalidated memory caches */ + return EOK; + } + + DEBUG(SSSDBG_CRIT_FAILURE, + "stat failed: %s (%d)\n", sss_strerror(ret), ret); + } + + usleep(step_time); + } + + return EAGAIN; +} + +errno_t sss_memcache_clear_all(void) +{ + errno_t ret; + bool sssd_nss_is_off = false; + FILE *clear_mc_flag; + + ret = clear_fastcache(&sssd_nss_is_off); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to clear caches.\n"); + return EIO; + } + if (!sssd_nss_is_off) { + /* sssd_nss is running -> signal monitor to invalidate fastcache */ + clear_mc_flag = fopen(SSS_NSS_MCACHE_DIR"/"CLEAR_MC_FLAG, "w"); + if (clear_mc_flag == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to create clear_mc_flag file. 
" + "Memory cache will not be cleared.\n"); + return EIO; + } + ret = fclose(clear_mc_flag); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to close file descriptor: %s\n", + strerror(ret)); + return EIO; + } + DEBUG(SSSDBG_TRACE_FUNC, "Sending SIGHUP to monitor.\n"); + ret = sss_signal(SIGHUP); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to send SIGHUP to monitor.\n"); + return EIO; + } + + ret = wait_till_nss_responder_invalidate_cache(); + if (ret != EOK) { + ERROR("The fast memory caches was not invalidated by NSS " + "responder.\n"); + } + } + + return EOK; +} + +enum sss_tools_ent { + SSS_TOOLS_USER, + SSS_TOOLS_GROUP +}; + +static errno_t sss_mc_refresh_ent(const char *name, enum sss_tools_ent ent) +{ + enum sss_cli_command cmd; + struct sss_cli_req_data rd; + uint8_t *repbuf = NULL; + size_t replen; + enum nss_status nret; + errno_t ret; + + cmd = SSS_CLI_NULL; + switch (ent) { + case SSS_TOOLS_USER: + cmd = SSS_NSS_GETPWNAM; + break; + case SSS_TOOLS_GROUP: + cmd = SSS_NSS_GETGRNAM; + break; + } + + if (cmd == SSS_CLI_NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Unknown object [%d][%s] to refresh\n", + cmd, sss_cmd2str(cmd)); + return EINVAL; + } + + rd.data = name; + rd.len = strlen(name) + 1; + + sss_nss_lock(); + nret = sss_nss_make_request(cmd, &rd, &repbuf, &replen, &ret); + sss_nss_unlock(); + + free(repbuf); + if (nret != NSS_STATUS_SUCCESS && nret != NSS_STATUS_NOTFOUND) { + return EIO; + } + + return EOK; +} + +errno_t sss_mc_refresh_user(const char *username) +{ + return sss_mc_refresh_ent(username, SSS_TOOLS_USER); +} + +errno_t sss_mc_refresh_group(const char *groupname) +{ + return sss_mc_refresh_ent(groupname, SSS_TOOLS_GROUP); +} + +static errno_t sss_mc_refresh_nested_group(struct tools_ctx *tctx, + const char *shortname) +{ + errno_t ret; + struct ldb_message *msg = NULL; + struct ldb_message_element *el; + const char *attrs[] = { SYSDB_MEMBEROF, + SYSDB_NAME, + NULL }; + size_t i; + char 
*parent_internal_name; + char *parent_outname; + char *internal_name; + TALLOC_CTX *tmpctx; + + tmpctx = talloc_new(tctx); + if (tmpctx == NULL) { + return ENOMEM; + } + + internal_name = sss_create_internal_fqname(tmpctx, shortname, + tctx->local->name); + if (internal_name == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sss_mc_refresh_group(shortname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot refresh group %s from memory cache\n", shortname); + /* try to carry on */ + } + + ret = sysdb_search_group_by_name(tmpctx, tctx->local, internal_name, attrs, + &msg); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, + "Search failed: %s (%d)\n", strerror(ret), ret); + goto done; + } + + el = ldb_msg_find_element(msg, SYSDB_MEMBEROF); + if (!el || el->num_values == 0) { + DEBUG(SSSDBG_TRACE_INTERNAL, "Group %s has no parents\n", + internal_name); + ret = EOK; + goto done; + } + + /* This group is nested. We need to invalidate all its parents, too */ + for (i=0; i < el->num_values; i++) { + ret = sysdb_group_dn_name(tctx->sysdb, tmpctx, + (const char *) el->values[i].data, + &parent_internal_name); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Malformed DN [%s]? 
Skipping\n", + (const char *) el->values[i].data); + talloc_free(parent_internal_name); + continue; + } + + parent_outname = sss_output_name(tmpctx, parent_internal_name, + tctx->local->case_preserve, 0); + if (parent_outname == NULL) { + ret = ENOMEM; + goto done; + } + + ret = sss_mc_refresh_group(parent_outname); + talloc_free(parent_internal_name); + talloc_free(parent_outname); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot refresh group %s from memory cache\n", parent_outname); + /* try to carry on */ + } + } + + ret = EOK; + +done: + talloc_free(tmpctx); + return ret; +} + +errno_t sss_mc_refresh_grouplist(struct tools_ctx *tctx, + char **groupnames) +{ + int i; + errno_t ret; + bool failed = false; + + if (!groupnames) return EOK; + + for (i = 0; groupnames[i]; i++) { + ret = sss_mc_refresh_nested_group(tctx, groupnames[i]); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot refresh group %s from memory cache\n", + groupnames[i]); + failed = true; + continue; + } + } + + return failed ? EIO : EOK; +} diff --git a/src/tools/tools_util.c b/src/tools/tools_util.c new file mode 100644 index 0000000..146f78a --- /dev/null +++ b/src/tools/tools_util.c 
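Review bot: In `sss_mc_refresh_nested_group`, `parent_outname` is released with `talloc_free(parent_outname)` and then passed to the `DEBUG` call that logs "Cannot refresh group %s from memory cache" when the refresh fails, which reads freed memory. Moving the two `talloc_free()` calls below the `if (ret != EOK) { ... }` block fixes it. On the `sysdb_group_dn_name()` failure path the loop also calls `talloc_free(parent_internal_name)` on a pointer that has no initialiser; unless the callee is known to set it on error, declare it as `char *parent_internal_name = NULL;` and reset it each iteration.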
@@ -0,0 +1,592 @@ +/* + SSSD + + tools_utils.c + + Copyright (C) Jakub Hrozek 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include + +#include "config.h" + +#include "util/util.h" +#include "confdb/confdb.h" +#include "db/sysdb.h" +#include "tools/sss_sync_ops.h" + +static int setup_db(struct tools_ctx *ctx) +{ + char *confdb_path; + int ret; + + confdb_path = talloc_asprintf(ctx, "%s/%s", DB_PATH, CONFDB_FILE); + if (confdb_path == NULL) { + return ENOMEM; + } + + /* Connect to the conf db */ + ret = confdb_init(ctx, &ctx->confdb, confdb_path); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the confdb\n"); + return ret; + } + + ret = sssd_domain_init(ctx, ctx->confdb, "local", DB_PATH, &ctx->local); + if (ret != EOK) { + SYSDB_VERSION_ERROR(ret); + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not initialize connection to the sysdb\n"); + return ret; + } + ctx->sysdb = ctx->local->sysdb; + + talloc_free(confdb_path); + return EOK; +} + +/* + * Print poptUsage as well as our error message + */ +void usage(poptContext pc, const char *error) +{ + size_t lentmp; + + poptPrintUsage(pc, stderr, 0); + + if (error) { + lentmp = strlen(error); + if ((lentmp > 0) && (error[lentmp - 1] != '\n')) { + fprintf(stderr, "%s\n", error); + return; + } + + fprintf(stderr, "%s", error); + } +} + +int parse_groups(TALLOC_CTX 
*mem_ctx, const char *optstr, char ***_out) +{ + char **out; + char *orig, *n, *o; + char delim = ','; + unsigned int tokens = 1; + unsigned int i; + + orig = talloc_strdup(mem_ctx, optstr); + if (!orig) return ENOMEM; + + n = orig; + tokens = 1; + while ((n = strchr(n, delim))) { + n++; + tokens++; + } + + out = talloc_array(mem_ctx, char *, tokens+1); + if (!out) { + talloc_free(orig); + return ENOMEM; + } + + n = o = orig; + for (i = 0; i < tokens; i++) { + o = n; + n = strchr(n, delim); + if (!n) { + break; + } + *n = '\0'; + n++; + out[i] = talloc_strdup(out, o); + } + out[tokens-1] = talloc_strdup(out, o); + out[tokens] = NULL; + + talloc_free(orig); + *_out = out; + return EOK; +} + +int parse_group_name_domain(struct tools_ctx *tctx, + char **groups) +{ + int i; + int ret; + char *name = NULL; + char *domain = NULL; + + if (!groups) { + return EOK; + } + + for (i = 0; groups[i]; ++i) { + ret = sss_parse_name(tctx, tctx->snctx, groups[i], &domain, &name); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid name in group list, skipping: [%s] (%d)\n", + groups[i], ret); + continue; + } + + /* If FQDN is specified, it must be within the same domain as user */ + if (domain) { + if (strcmp(domain, tctx->octx->domain->name) != 0) { + return EINVAL; + } + + /* Use only groupname */ + talloc_zfree(groups[i]); + groups[i] = talloc_strdup(tctx, name); + if (groups[i] == NULL) { + return ENOMEM; + } + } + + talloc_zfree(name); + talloc_zfree(domain); + } + + talloc_zfree(name); + talloc_zfree(domain); + return EOK; +} + +int parse_name_domain(struct tools_ctx *tctx, + const char *fullname) +{ + int ret; + char *domain = NULL; + + ret = sss_parse_name(tctx, tctx->snctx, fullname, &domain, &tctx->octx->name); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot parse full name\n"); + return ret; + } + DEBUG(SSSDBG_FUNC_DATA, "Parsed username: %s\n", tctx->octx->name); + + if (domain) { + DEBUG(SSSDBG_FUNC_DATA, "Parsed domain: %s\n", domain); + /* only the 
local domain, whatever named is allowed in tools */ + if (strcasecmp(domain, tctx->local->name) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid domain %s specified in FQDN\n", domain); + return EINVAL; + } + } else { + if (tctx->local->fqnames) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Name '%s' does not seem to be FQDN " + "('%s = TRUE' is set)\n", fullname, CONFDB_DOMAIN_FQ); + ERROR("Name '%1$s' does not seem to be FQDN " + "('%2$s = TRUE' is set)\n", fullname, CONFDB_DOMAIN_FQ); + return EINVAL; + } + } + + return EOK; +} + +int check_group_names(struct tools_ctx *tctx, + char **grouplist, + char **badgroup) +{ + int ret; + int i; + struct ops_ctx *groupinfo; + + groupinfo = talloc_zero(tctx, struct ops_ctx); + if (!groupinfo) { + return ENOMEM; + } + groupinfo->domain = tctx->local; + + ret = EOK; + for (i=0; grouplist[i]; ++i) { + ret = sysdb_getgrnam_sync(tctx, + grouplist[i], + groupinfo); + if (ret) { + DEBUG(SSSDBG_TRACE_FUNC, + "Cannot find group %s, ret: %d\n", grouplist[i], ret); + break; + } + } + + talloc_zfree(groupinfo); + *badgroup = grouplist[i]; + return ret; +} + +int id_in_range(uint32_t id, + struct sss_domain_info *dom) +{ + if (id && + ((id < dom->id_min) || + (dom->id_max && id > dom->id_max))) { + return ERANGE; + } + + return EOK; +} + +int set_locale(void) +{ + char *c; + + c = setlocale(LC_ALL, ""); + if (c == NULL) { + /* If setlocale fails, continue with the default + * locale. 
*/ + DEBUG(SSSDBG_MINOR_FAILURE, "Unable to set locale\n"); + } + + errno = 0; + c = bindtextdomain(PACKAGE, LOCALEDIR); + if (c == NULL) { + return errno; + } + + errno = 0; + c = textdomain(PACKAGE); + if (c == NULL) { + return errno; + } + + return EOK; +} + +int init_sss_tools(struct tools_ctx **_tctx) +{ + int ret; + struct tools_ctx *tctx; + + tctx = talloc_zero(NULL, struct tools_ctx); + if (tctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not allocate memory for tools context\n"); + return ENOMEM; + } + + /* Connect to the database */ + ret = setup_db(tctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up database\n"); + goto fini; + } + + ret = sss_names_init(tctx, tctx->confdb, tctx->local->name, &tctx->snctx); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set up parsing\n"); + goto fini; + } + + tctx->octx = talloc_zero(tctx, struct ops_ctx); + if (!tctx->octx) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not allocate memory for data context\n"); + ERROR("Out of memory\n"); + ret = ENOMEM; + goto fini; + } + tctx->octx->domain = tctx->local; + + *_tctx = tctx; + ret = EOK; + +fini: + if (ret != EOK) talloc_free(tctx); + return ret; +} + +/* + * Check is path is owned by uid + * returns 0 - owns + * -1 - does not own + * >0 - an error occurred, error code + */ +static int is_owner(uid_t uid, const char *path) +{ + struct stat statres; + int ret; + + ret = stat(path, &statres); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot stat %s: [%d][%s]\n", path, ret, strerror(ret)); + return ret; + } + + if (statres.st_uid == uid) { + return EOK; + } + return -1; +} + +static int remove_mail_spool(TALLOC_CTX *mem_ctx, + const char *maildir, + const char *username, + uid_t uid, + bool force) +{ + int ret; + char *spool_file; + + spool_file = talloc_asprintf(mem_ctx, "%s/%s", maildir, username); + if (spool_file == NULL) { + ret = ENOMEM; + goto fail; + } + + if (force == false) { + /* Check the owner of the 
mail spool */ + ret = is_owner(uid, spool_file); + switch (ret) { + case 0: + break; + case -1: + DEBUG(SSSDBG_MINOR_FAILURE, + "%s not owned by %"SPRIuid", not removing\n", + spool_file, uid); + ret = EACCES; + /* FALLTHROUGH */ + default: + goto fail; + } + } + + ret = unlink(spool_file); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot remove() the spool file %s: [%d][%s]\n", + spool_file, ret, strerror(ret)); + goto fail; + } + +fail: + talloc_free(spool_file); + return ret; +} + +int remove_homedir(TALLOC_CTX *mem_ctx, + const char *homedir, + const char *maildir, + const char *username, + uid_t uid, bool force) +{ + int ret; + + ret = remove_mail_spool(mem_ctx, maildir, username, uid, force); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot remove user's mail spool\n"); + /* Should this be fatal? I don't think so. Maybe convert to ERROR? */ + } + + if (force == false && is_owner(uid, homedir) == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Not removing home dir - not owned by user\n"); + return EPERM; + } + + /* Remove the tree */ + ret = sss_remove_tree(homedir); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot remove homedir %s: %d\n", + homedir, ret); + return ret; + } + + return EOK; +} + +/* The reason for not putting this into create_homedir + * is better granularity when it comes to reporting error + * messages and tracebacks in pysss + */ +int create_mail_spool(TALLOC_CTX *mem_ctx, + const char *username, + const char *maildir, + uid_t uid, gid_t gid) +{ + char *spool_file = NULL; + int fd = -1; + int ret; + + spool_file = talloc_asprintf(mem_ctx, "%s/%s", maildir, username); + if (spool_file == NULL) { + ret = ENOMEM; + goto fail; + } + + selinux_file_context(spool_file); + + fd = open(spool_file, O_CREAT | O_WRONLY | O_EXCL, 0); + if (fd < 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot open() the spool file: [%d][%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = fchmod(fd, 0600); + if (ret != 0) { + 
ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot fchmod() the spool file: [%d][%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = fchown(fd, uid, gid); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot fchown() the spool file: [%d][%s]\n", + ret, strerror(ret)); + goto fail; + } + + ret = fsync(fd); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot fsync() the spool file: [%d][%s]\n", + ret, strerror(ret)); + } + +fail: + if (fd >= 0) { + ret = close(fd); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot close() the spool file: [%d][%s]\n", + ret, strerror(ret)); + } + } + + reset_selinux_file_context(); + talloc_free(spool_file); + return ret; +} + +int create_homedir(const char *skeldir, + const char *homedir, + uid_t uid, + gid_t gid, + mode_t default_umask) +{ + int ret; + + selinux_file_context(homedir); + + ret = sss_copy_tree(skeldir, homedir, 0777 & ~default_umask, uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot populate user's home directory: [%d][%s].\n", + ret, strerror(ret)); + goto done; + } + +done: + reset_selinux_file_context(); + return ret; +} + +int run_userdel_cmd(struct tools_ctx *tctx) +{ + int ret, status; + char *userdel_cmd = NULL; + char *conf_path = NULL; + pid_t pid, child_pid; + + conf_path = talloc_asprintf(tctx, CONFDB_DOMAIN_PATH_TMPL, + tctx->local->name); + if (!conf_path) { + ret = ENOMEM; + goto done; + } + + ret = confdb_get_string(tctx->confdb, tctx, + conf_path, CONFDB_LOCAL_USERDEL_CMD, + NULL, &userdel_cmd); + if (ret != EOK || !userdel_cmd) { + goto done; + } + + errno = 0; + pid = fork(); + if (pid == 0) { + /* child */ + execl(userdel_cmd, userdel_cmd, + tctx->octx->name, (char *) NULL); + exit(errno); + } else { + /* parent */ + if (pid == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fork failed [%d]: %s\n", ret, strerror(ret)); + goto done; + } + + while((child_pid = waitpid(pid, &status, 0)) > 0) { + if 
(WIFEXITED(status)) { + ret = WEXITSTATUS(status); + if (ret != 0) { + DEBUG(SSSDBG_FUNC_DATA, + "command [%s] returned nonzero status %d.\n", + userdel_cmd, ret); + ret = EOK; /* Ignore return code of the command */ + goto done; + } + } else if (WIFSIGNALED(status)) { + DEBUG(SSSDBG_FUNC_DATA, + "command [%s] was terminated by signal %d.\n", + userdel_cmd, WTERMSIG(status)); + ret = EIO; + goto done; + } else if (WIFSTOPPED(status)) { + DEBUG(SSSDBG_FUNC_DATA, + "command [%s] was stopped by signal %d.\n", + userdel_cmd, WSTOPSIG(status)); + continue; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown status from WAITPID\n"); + ret = EIO; + goto done; + } + } + if (child_pid == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "waitpid failed\n"); + ret = errno; + goto done; + } + } + + ret = EOK; +done: + talloc_free(userdel_cmd); + talloc_free(conf_path); + return ret; +} diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h new file mode 100644 index 0000000..fcfd8a6 --- /dev/null +++ b/src/tools/tools_util.h 
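Review bot: In create_mail_spool the `fail:` path assigns `ret = close(fd)`, so an earlier fchmod(), fchown() or fsync() failure is overwritten and the function returns 0 whenever close() succeeds. The caller then treats a spool file that was opened with mode 0, and whose ownership change may have failed, as correctly provisioned. Keep the close result separate, e.g. `int cret = close(fd);` followed by `if (cret != 0 && ret == EOK) ret = errno;`. Separately, remove_homedir refuses only when `is_owner(uid, homedir) == -1`, so a positive errno from stat() falls through to sss_remove_tree() without the ownership check having passed; testing `is_owner(uid, homedir) != EOK` would make the non-force path fail closed.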
@@ -0,0 +1,114 @@ +/* + Authors: + Jakub Hrozek + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#ifndef __TOOLS_UTIL_H__ +#define __TOOLS_UTIL_H__ + +#include + +#include "util/util.h" + +#define BAD_POPT_PARAMS(pc, msg, val, label) do { \ + usage(pc, msg); \ + val = EXIT_FAILURE; \ + goto label; \ +} while(0) + +#define CHECK_ROOT(val, prg_name) do { \ + val = getuid(); \ + if (val != 0) { \ + DEBUG(SSSDBG_CRIT_FAILURE, "Running under %d, must be root\n", val); \ + ERROR("%1$s must be run as root\n", prg_name); \ + val = EXIT_FAILURE; \ + goto fini; \ + } \ +} while(0) + +struct tools_ctx { + struct confdb_ctx *confdb; + struct sysdb_ctx *sysdb; + + struct sss_names_ctx *snctx; + struct sss_domain_info *local; + + struct ops_ctx *octx; + + bool transaction_done; + int error; +}; + +int init_sss_tools(struct tools_ctx **_tctx); + +void usage(poptContext pc, const char *error); + +int set_locale(void); + + +int parse_name_domain(struct tools_ctx *tctx, + const char *fullname); + +int id_in_range(uint32_t id, + struct sss_domain_info *dom); + +int parse_groups(TALLOC_CTX *mem_ctx, + const char *optstr, + char ***_out); + +int parse_group_name_domain(struct tools_ctx *tctx, + char **groups); + +int check_group_names(struct tools_ctx *tctx, + char **grouplist, + char **badgroup); + +int create_homedir(const char *skeldir, + const char *homedir, + uid_t uid, + gid_t gid, + 
mode_t default_umask); + +int create_mail_spool(TALLOC_CTX *mem_ctx, + const char *username, + const char *maildir, + uid_t uid, gid_t gid); + +int remove_homedir(TALLOC_CTX *mem_ctx, + const char *homedir, + const char *maildir, + const char *username, + uid_t uid, bool force); + +int run_userdel_cmd(struct tools_ctx *tctx); + +errno_t sss_signal(int signum); + +/* tools_mc_util.c */ +errno_t sss_memcache_invalidate(const char *mc_filename); + +errno_t sss_memcache_clear_all(void); + +errno_t sss_mc_refresh_user(const char *username); +errno_t sss_mc_refresh_group(const char *groupname); +errno_t sss_mc_refresh_grouplist(struct tools_ctx *tctx, + char **groupnames); + +#endif /* __TOOLS_UTIL_H__ */ diff --git a/src/tools/wrappers/sss_debuglevel.in b/src/tools/wrappers/sss_debuglevel.in new file mode 100644 index 0000000..a55afcd --- /dev/null +++ b/src/tools/wrappers/sss_debuglevel.in @@ -0,0 +1,4 @@ +#!/bin/sh +sbindir=@sbindir@ +echo "Redirecting to $sbindir/sssctl debug-level" >&2 +exec $sbindir/sssctl debug-level "$@" diff --git a/src/util/atomic_io.c b/src/util/atomic_io.c new file mode 100644 index 0000000..1543af9 --- /dev/null +++ b/src/util/atomic_io.c 
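Review bot: CHECK_ROOT in tools_util.h jumps to a hard-coded `fini` label, whereas BAD_POPT_PARAMS just above it takes the label as a parameter, so every caller must happen to define `fini` and the hidden control flow is easy to miss. Taking the label explicitly, `#define CHECK_ROOT(val, prg_name, label)` with `goto label;`, would make the two macros consistent. The macro also reuses `val` for both the getuid() result and the exit status and prints it with `%d`; a one-line comment noting that `val` is overwritten would spare readers the surprise.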
@@ -0,0 +1,60 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/atomic_io.h" + +/* based on code from libssh */ +ssize_t sss_atomic_io_s(int fd, void *buf, size_t n, bool do_read) +{ + char *b = buf; + size_t pos = 0; + ssize_t res; + struct pollfd pfd; + + pfd.fd = fd; + pfd.events = do_read ? POLLIN : POLLOUT; + + while (n > pos) { + if (do_read) { + res = read(fd, b + pos, n - pos); + } else { + res = write(fd, b + pos, n - pos); + } + switch (res) { + case -1: + if (errno == EINTR) { + continue; + } + if (errno == EAGAIN || errno == EWOULDBLOCK) { + (void) poll(&pfd, 1, -1); + continue; + } + return -1; + case 0: + /* read returns 0 on end-of-file */ + errno = do_read ? 0 : EPIPE; + return pos; + default: + pos += (size_t) res; + } + } + + return pos; +} diff --git a/src/util/atomic_io.h b/src/util/atomic_io.h new file mode 100644 index 0000000..ffae31d --- /dev/null +++ b/src/util/atomic_io.h 
@@ -0,0 +1,40 @@
+/*
+ Authors:
+ Jan Cholasta
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __SSSD_ATOMIC_IO_H__
+#define __SSSD_ATOMIC_IO_H__
+
+#include
+#include
+#include
+#include
+
+/* Performs a read or write operation in an manner that is seemingly atomic
+ * to the caller.
+ *
+ * Please note that the function does not perform any asynchronous operation
+ * so the operation might potentially block
+ */
+ssize_t sss_atomic_io_s(int fd, void *buf, size_t n, bool do_read);
+
+#define sss_atomic_read_s(fd, buf, n) sss_atomic_io_s(fd, buf, n, true)
+#define sss_atomic_write_s(fd, buf, n) sss_atomic_io_s(fd, buf, n, false)
+
+#endif /* __SSSD_ATOMIC_IO_H__ */
diff --git a/src/util/auth_utils.h b/src/util/auth_utils.h
new file mode 100644
index 0000000..8883c5c
--- /dev/null
+++ b/src/util/auth_utils.h
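Review bot: The comment above sss_atomic_io_s does not state the return contract, which callers need in order to detect short transfers. Going by the implementation in atomic_io.c in this same patch, it returns -1 with errno set on error, and otherwise the number of bytes transferred, which is below `n` when read() reaches end-of-file (errno set to 0) or write() returns 0 (errno set to EPIPE). I would add a line such as `* Returns -1 on error (errno set), else the byte count; a count below n means EOF on read or EPIPE on write.` so that callers compare the result against `n` instead of only testing for -1.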
@@ -0,0 +1,44 @@
+/*
+ SSSD
+
+ Authentication utility functions
+
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+static inline int cached_login_pam_status(int auth_res)
+{
+ switch (auth_res) {
+ case EOK:
+ return PAM_SUCCESS;
+ case ERR_ACCOUNT_UNKNOWN:
+ return PAM_AUTHINFO_UNAVAIL;
+ case ERR_NO_CACHED_CREDS:
+ case ERR_CACHED_CREDS_EXPIRED:
+ case ERR_AUTH_DENIED:
+ return PAM_PERM_DENIED;
+ case ERR_AUTH_FAILED:
+ return PAM_AUTH_ERR;
+ default:
+ return PAM_SYSTEM_ERR;
+ }
+}
diff --git a/src/util/authtok-utils.c b/src/util/authtok-utils.c
new file mode 100644
index 0000000..e7123df
--- /dev/null
+++ b/src/util/authtok-utils.c
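Review bot: This header defines the `static inline` function cached_login_pam_status() but has no include guard, unlike atomic_io.h and authtok-utils.h in the same patch, so a translation unit that reaches it twice gets a redefinition error. Wrap the contents in `#ifndef __AUTH_UTILS_H__` / `#define __AUTH_UTILS_H__` and a closing `#endif /* __AUTH_UTILS_H__ */`. The `default:` branch mapping unknown codes to PAM_SYSTEM_ERR is the right fail-closed choice; a short comment such as `/* unknown results must never map to PAM_SUCCESS */` would help keep it that way when new error codes are added.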
@@ -0,0 +1,165 @@ +/* + SSSD - auth utils helpers + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* This file is use by SSSD clients and the main daemons. Please do not add + * code which is specific to only one of them. */ + +#include + +#include "sss_client/sss_cli.h" + +errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len, + uint8_t *buf, size_t buf_len, + size_t *_2fa_blob_len) +{ + size_t c; + uint32_t tmp_uint32_t; + + if (fa1 == NULL || *fa1 == '\0' || fa1_len > UINT32_MAX + || fa2 == NULL || *fa2 == '\0' || fa2_len > UINT32_MAX + || (buf == NULL && buf_len != 0)) { + return EINVAL; + } + + if (fa1_len == 0) { + fa1_len = strlen(fa1); + } else { + if (fa1[fa1_len] != '\0') { + return EINVAL; + } + } + + if (fa2_len == 0) { + fa2_len = strlen(fa2); + } else { + if (fa2[fa2_len] != '\0') { + return EINVAL; + } + } + + *_2fa_blob_len = fa1_len + fa2_len + 2 + 2 * sizeof(uint32_t); + if (buf == NULL || buf_len < *_2fa_blob_len) { + return EAGAIN; + } + + c = 0; + tmp_uint32_t = (uint32_t) fa1_len + 1; + SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c); + tmp_uint32_t = (uint32_t) fa2_len + 1; + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + + memcpy(buf + c, fa1, fa1_len + 1); + c += fa1_len + 1; + + memcpy(buf + c, fa2, fa2_len + 1); + + return 0; +} + +errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + const char 
*token_name, size_t token_name_len, + const char *module_name, size_t module_name_len, + const char *key_id, size_t key_id_len, + uint8_t *buf, size_t buf_len, + size_t *_sc_blob_len) +{ + size_t c; + uint32_t tmp_uint32_t; + + if (pin_len > UINT32_MAX || token_name_len > UINT32_MAX + || module_name_len > UINT32_MAX + || (pin_len != 0 && pin == NULL) + || (token_name_len != 0 && token_name == NULL) + || (module_name_len != 0 && module_name == NULL) + || (key_id_len != 0 && key_id == NULL)) { + return EINVAL; + } + + /* A missing pin is ok in the case of a reader with a keyboard */ + if (pin == NULL) { + pin = ""; + pin_len = 0; + } + + if (token_name == NULL) { + token_name = ""; + token_name_len = 0; + } + + if (module_name == NULL) { + module_name = ""; + module_name_len = 0; + } + + if (key_id == NULL) { + key_id = ""; + key_id_len = 0; + } + + /* len should not include the trailing \0 */ + if (pin_len == 0 || pin[pin_len - 1] == '\0') { + pin_len = strlen(pin); + } + + if (token_name_len == 0 || token_name[token_name_len - 1] == '\0') { + token_name_len = strlen(token_name); + } + + if (module_name_len == 0 || module_name[module_name_len - 1] == '\0') { + module_name_len = strlen(module_name); + } + + if (key_id_len == 0 || key_id[key_id_len - 1] == '\0') { + key_id_len = strlen(key_id); + } + + *_sc_blob_len = pin_len + token_name_len + module_name_len + key_id_len + 4 + + 4 * sizeof(uint32_t); + if (buf == NULL || buf_len < *_sc_blob_len) { + return EAGAIN; + } + + c = 0; + tmp_uint32_t = (uint32_t) pin_len + 1; + SAFEALIGN_COPY_UINT32(buf, &tmp_uint32_t, &c); + tmp_uint32_t = (uint32_t) token_name_len + 1; + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + tmp_uint32_t = (uint32_t) module_name_len + 1; + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + tmp_uint32_t = (uint32_t) key_id_len + 1; + SAFEALIGN_COPY_UINT32(buf + c, &tmp_uint32_t, &c); + + memcpy(buf + c, pin, pin_len); + buf[c + pin_len] = '\0'; + c += pin_len + 1; + + memcpy(buf + c, 
token_name, token_name_len); + buf[c + token_name_len] = '\0'; + c += token_name_len + 1; + + memcpy(buf + c, module_name, module_name_len); + buf[c + module_name_len] = '\0'; + c += module_name_len + 1; + + memcpy(buf + c, key_id, key_id_len); + buf[c + key_id_len] = '\0'; + + return 0; +} diff --git a/src/util/authtok-utils.h b/src/util/authtok-utils.h new file mode 100644 index 0000000..c5aace3 --- /dev/null +++ b/src/util/authtok-utils.h 
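Review bot: The opening check in sss_auth_pack_sc_blob rejects `pin_len`, `token_name_len` and `module_name_len` above UINT32_MAX but not `key_id_len`, which is later narrowed with `(uint32_t) key_id_len + 1`. An oversized key id would therefore store a truncated length field while memcpy() still copies the full size_t length, leaving the blob internally inconsistent for whoever unpacks it. Add `|| key_id_len > UINT32_MAX` to that condition. In both pack functions the stored value is the length plus one, so a length of exactly UINT32_MAX wraps to 0; testing `>= UINT32_MAX` instead of `> UINT32_MAX` closes that edge too.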
@@ -0,0 +1,126 @@ +/* + SSSD - auth utils helpers + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __AUTHTOK_UTILS_H__ +#define __AUTHTOK_UTILS_H__ + +#include + +#include "sss_client/sss_cli.h" + +/** + * @brief Fill memory buffer with Smartcard authentication blob + * + * @param[in] pin PIN, null terminated + * @param[in] pin_len Length of the PIN, if 0 + * strlen() will be called internally + * @param[in] token_name Token name, null terminated + * @param[in] token_name_len Length of the token name, if 0 + * strlen() will be called internally + * @param[in] module_name Name of PKCS#11 module, null terminated + * @param[in] module_name_len Length of the module name, if 0 + * strlen() will be called internally + * @param[in] key_id Key ID of the certificate + * @param[in] key_id_len Length of the key id of the certificate, if 0 + * strlen() will be called internally + * @param[in] buf memory buffer of size buf_len, may be NULL + * @param[in] buf_len size of memory buffer buf + * + * @param[out] _sc_blob len size of the Smartcard authentication blob + * + * @return EOK on success + * EINVAL if input data is not consistent + * EAGAIN if provided buffer is too small, _sc_blob_len + * contains the size needed to store the SC blob + */ +errno_t sss_auth_pack_sc_blob(const char *pin, size_t pin_len, + const char *token_name, size_t token_name_len, + const char *module_name, 
size_t module_name_len, + const char *key_id, size_t key_id_len, + uint8_t *buf, size_t buf_len, + size_t *_sc_blob_len); +/** + * @brief Fill memory buffer with 2FA blob + * + * @param[in] fa1 First authentication factor, null terminated + * @param[in] fa1_len Length of the first authentication factor, if 0 + * strlen() will be called internally + * @param[in] fa2 Second authentication factor, null terminated + * @param[in] fa2_len Length of the second authentication factor, if 0 + * strlen() will be called internally + * @param[in] buf memory buffer of size buf_len + * @param[in] buf_len size of memory buffer buf + * + * @param[out] _2fa_blob_len size of the 2FA blob + * + * @return EOK on success + * EINVAL if input data is not consistent + * EAGAIN if provided buffer is too small, _2fa_blob_len + * contains the size needed to store the 2FA blob + */ +errno_t sss_auth_pack_2fa_blob(const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len, + uint8_t *buf, size_t buf_len, + size_t *_2fa_blob_len); + +/** + * @brief Extract 2FA data from memory buffer + * + * @param[in] mem_ctx Talloc memory context to allocate the 2FA data on + * @param[in] blob Memory buffer containing the 2FA data + * @param[in] blob_len Size of the memory buffer + * @param[out] _fa1 First authentication factor, null terminated + * @param[out] _fa1_len Length of the first authentication factor + * @param[out] _fa2 Second authentication factor, null terminated + * @param[out] _fa2_len Length of the second authentication factor + * + * @return EOK on success + * EINVAL if input data is not consistent + * EINVAL if no memory can be allocated + */ +errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_len, + char **fa1, size_t *_fa1_len, + char **fa2, size_t *_fa2_len); + +/** + * @brief Extract SC data from memory buffer + * + * @param[in] mem_ctx Talloc memory context to allocate the 2FA + * data on + * @param[in] blob Memory buffer containing the 2FA 
data + * @param[in] blob_len Size of the memory buffer + * @param[out] _pin PIN, null terminated + * @param[out] _pin_len Length of the PIN + * @param[out] _token_name Token name, null terminated + * @param[out] _token_name_len Length of the token name + * @param[out] _module_name Name of PKCS#11 module, null terminated + * @param[out] _module_name_len Length of the module name + * + * @return EOK on success + * EINVAL if input data is not consistent + * EINVAL if no memory can be allocated + */ +errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_len, + char **pin, size_t *_pin_len, + char **token_name, size_t *_token_name_len, + char **module_name, size_t *_module_name_len, + char **key_id, size_t *_key_id_len); +#endif /* __AUTHTOK_UTILS_H__ */ diff --git a/src/util/authtok.c b/src/util/authtok.c new file mode 100644 index 0000000..c2f78be --- /dev/null +++ b/src/util/authtok.c 
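Review bot: The doc comment for sss_auth_unpack_sc_blob does not describe the `key_id` and `_key_id_len` output parameters that the prototype takes, and it still says "2FA data" for `mem_ctx` and `blob`. Both unpack comments list EINVAL for "no memory can be allocated"; the implementation is not in this hunk, but that is presumably meant to be ENOMEM and should be checked against it. Smaller fixes in the same comments: `_sc_blob len` should read `_sc_blob_len`, `buf` is written to and so is not purely `[in]`, and the documented names `_fa1`, `_pin`, `_token_name`, `_module_name` do not match the prototypes' `fa1`, `pin`, `token_name`, `module_name`.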
@@ -0,0 +1,775 @@ +/* + SSSD - auth utils + + Copyright (C) Simo Sorce 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "authtok.h" + +struct sss_auth_token { + enum sss_authtok_type type; + uint8_t *data; + size_t length; +}; + +enum sss_authtok_type sss_authtok_get_type(struct sss_auth_token *tok) +{ + return tok->type; +} + +size_t sss_authtok_get_size(struct sss_auth_token *tok) +{ + if (!tok) { + return 0; + } + switch (tok->type) { + case SSS_AUTHTOK_TYPE_PASSWORD: + case SSS_AUTHTOK_TYPE_CCFILE: + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + return tok->length; + case SSS_AUTHTOK_TYPE_EMPTY: + return 0; + } + + return EINVAL; +} + +uint8_t *sss_authtok_get_data(struct sss_auth_token *tok) +{ + if (!tok) { + return NULL; + } + return tok->data; +} + +errno_t sss_authtok_get_password(struct sss_auth_token *tok, + const char **pwd, size_t *len) +{ + if (!tok) { + return EFAULT; + } + switch (tok->type) { + case SSS_AUTHTOK_TYPE_EMPTY: + return ENOENT; + case SSS_AUTHTOK_TYPE_PASSWORD: + *pwd = (const char *)tok->data; + if (len) { + *len = tok->length - 1; + } + return EOK; + case SSS_AUTHTOK_TYPE_CCFILE: + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + return EACCES; + } + + return EINVAL; +} + +errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok, + const char **ccfile, size_t *len) +{ + if 
(!tok) { + return EINVAL; + } + switch (tok->type) { + case SSS_AUTHTOK_TYPE_EMPTY: + return ENOENT; + case SSS_AUTHTOK_TYPE_CCFILE: + *ccfile = (const char *)tok->data; + if (len) { + *len = tok->length - 1; + } + return EOK; + case SSS_AUTHTOK_TYPE_PASSWORD: + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + return EACCES; + } + + return EINVAL; +} + +static errno_t sss_authtok_set_string(struct sss_auth_token *tok, + enum sss_authtok_type type, + const char *context_name, + const char *str, size_t len) +{ + size_t size; + + if (len == 0) { + len = strlen(str); + } else { + while (len > 0 && str[len - 1] == '\0') len--; + } + + if (len == 0) { + /* we do not allow zero length typed tokens */ + return EINVAL; + } + + size = len + 1; + + tok->data = talloc_named(tok, size, "%s", context_name); + if (!tok->data) { + return ENOMEM; + } + memcpy(tok->data, str, len); + tok->data[len] = '\0'; + tok->type = type; + tok->length = size; + + return EOK; + +} + +void sss_authtok_set_empty(struct sss_auth_token *tok) +{ + if (!tok) { + return; + } + switch (tok->type) { + case SSS_AUTHTOK_TYPE_EMPTY: + return; + case SSS_AUTHTOK_TYPE_PASSWORD: + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_PIN: + safezero(tok->data, tok->length); + break; + case SSS_AUTHTOK_TYPE_CCFILE: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + break; + } + + tok->type = SSS_AUTHTOK_TYPE_EMPTY; + talloc_zfree(tok->data); + tok->length = 0; +} + +errno_t sss_authtok_set_password(struct sss_auth_token *tok, + const char *password, size_t len) +{ + sss_authtok_set_empty(tok); + + return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_PASSWORD, + "password", password, len); +} + +errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok, + const char *ccfile, size_t len) +{ + sss_authtok_set_empty(tok); + + return sss_authtok_set_string(tok, SSS_AUTHTOK_TYPE_CCFILE, + "ccfile", ccfile, len); +} + +static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token 
*tok, + const uint8_t *data, size_t len); + +errno_t sss_authtok_set(struct sss_auth_token *tok, + enum sss_authtok_type type, + const uint8_t *data, size_t len) +{ + switch (type) { + case SSS_AUTHTOK_TYPE_PASSWORD: + return sss_authtok_set_password(tok, (const char *)data, len); + case SSS_AUTHTOK_TYPE_CCFILE: + return sss_authtok_set_ccfile(tok, (const char *)data, len); + case SSS_AUTHTOK_TYPE_2FA: + return sss_authtok_set_2fa_from_blob(tok, data, len); + case SSS_AUTHTOK_TYPE_SC_PIN: + return sss_authtok_set_sc_from_blob(tok, data, len); + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + return sss_authtok_set_sc_from_blob(tok, data, len); + case SSS_AUTHTOK_TYPE_EMPTY: + sss_authtok_set_empty(tok); + return EOK; + } + + return EINVAL; +} + +errno_t sss_authtok_copy(struct sss_auth_token *src, + struct sss_auth_token *dst) +{ + if (!src || !dst) { + return EINVAL; + } + sss_authtok_set_empty(dst); + + if (src->type == SSS_AUTHTOK_TYPE_EMPTY) { + return EOK; + } + + dst->data = talloc_memdup(dst, src->data, src->length); + if (!dst->data) { + return ENOMEM; + } + dst->length = src->length; + dst->type = src->type; + + return EOK; +} + +struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx) +{ + struct sss_auth_token *token; + + token = talloc_zero(mem_ctx, struct sss_auth_token); + if (token == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n"); + } + + return token; +} + + +void sss_authtok_wipe_password(struct sss_auth_token *tok) +{ + if (!tok || tok->type != SSS_AUTHTOK_TYPE_PASSWORD) { + return; + } + + safezero(tok->data, tok->length); +} + +errno_t sss_auth_unpack_2fa_blob(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_len, + char **fa1, size_t *_fa1_len, + char **fa2, size_t *_fa2_len) +{ + size_t c; + uint32_t fa1_len; + uint32_t fa2_len; + + if (blob_len < 2 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } + + c = 0; + SAFEALIGN_COPY_UINT32(&fa1_len, blob, &c); + SAFEALIGN_COPY_UINT32(&fa2_len, 
blob + c, &c); + + if (blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } + + if (fa1_len != 0) { + *fa1 = talloc_strndup(mem_ctx, (const char *) blob + c, fa1_len); + if (*fa1 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + return ENOMEM; + } + } else { + *fa1 = NULL; + } + + if (fa2_len != 0) { + *fa2 = talloc_strndup(mem_ctx, (const char *) blob + c + fa1_len, + fa2_len); + if (*fa2 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + talloc_free(*fa1); + return ENOMEM; + } + } else { + *fa2 = NULL; + } + + /* Re-calculate length for the case where \0 was missing in the blob */ + *_fa1_len = (*fa1 == NULL) ? 0 : strlen(*fa1); + *_fa2_len = (*fa2 == NULL) ? 0 : strlen(*fa2); + + return EOK; +} + +static errno_t sss_authtok_set_2fa_from_blob(struct sss_auth_token *tok, + const uint8_t *data, size_t len) +{ + TALLOC_CTX *tmp_ctx; + int ret; + char *fa1; + size_t fa1_len; + char *fa2; + size_t fa2_len; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sss_auth_unpack_2fa_blob(tmp_ctx, data, len, &fa1, &fa1_len, + &fa2, &fa2_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_2fa_blob failed.\n"); + goto done; + } + + ret = sss_authtok_set_2fa(tok, fa1, fa1_len, fa2, fa2_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_set_2fa failed.\n"); + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + + if (ret != EOK) { + sss_authtok_set_empty(tok); + } + + return ret; +} + +errno_t sss_authtok_get_2fa(struct sss_auth_token *tok, + const char **fa1, size_t *fa1_len, + const char **fa2, size_t *fa2_len) +{ + size_t c; + uint32_t tmp_uint32_t; + + if (tok->type != SSS_AUTHTOK_TYPE_2FA) { + return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? 
ENOENT : EACCES; + } + + if (tok->length < 2 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } + + c = 0; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c); + *fa1_len = tmp_uint32_t - 1; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); + *fa2_len = tmp_uint32_t - 1; + + if (*fa1_len == 0 || *fa2_len == 0 + || tok->length != 2 * sizeof(uint32_t) + *fa1_len + *fa2_len + 2) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } + + if (tok->data[c + *fa1_len] != '\0' + || tok->data[c + *fa1_len + 1 + *fa2_len] != '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing terminating null character.\n"); + return EINVAL; + } + + *fa1 = (const char *) tok->data + c; + *fa2 = (const char *) tok->data + c + *fa1_len + 1; + + return EOK; +} + +errno_t sss_authtok_set_2fa(struct sss_auth_token *tok, + const char *fa1, size_t fa1_len, + const char *fa2, size_t fa2_len) +{ + int ret; + size_t needed_size; + + if (tok == NULL) { + return EINVAL; + } + + sss_authtok_set_empty(tok); + + ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, NULL, 0, + &needed_size); + if (ret != EAGAIN) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_auth_pack_2fa_blob unexpectedly returned [%d].\n", ret); + return EINVAL; + } + + tok->data = talloc_size(tok, needed_size); + if (tok->data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + ret = sss_auth_pack_2fa_blob(fa1, fa1_len, fa2, fa2_len, tok->data, + needed_size, &needed_size); + if (ret != EOK) { + talloc_free(tok->data); + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_2fa_blob failed.\n"); + return ret; + } + tok->length = needed_size; + tok->type = SSS_AUTHTOK_TYPE_2FA; + + return EOK; +} + +errno_t sss_authtok_set_sc(struct sss_auth_token *tok, + enum sss_authtok_type type, + const char *pin, size_t pin_len, + const char *token_name, size_t token_name_len, + const char *module_name, size_t module_name_len, + const char *key_id, size_t 
key_id_len) +{ + int ret; + size_t needed_size; + + if (type != SSS_AUTHTOK_TYPE_SC_PIN + && type != SSS_AUTHTOK_TYPE_SC_KEYPAD) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid type [%d].\n", type); + return EINVAL; + } + + sss_authtok_set_empty(tok); + + ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len, + module_name, module_name_len, + key_id, key_id_len, NULL, 0, + &needed_size); + if (ret != EAGAIN) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n"); + return ret; + } + + tok->data = talloc_size(tok, needed_size); + if (tok->data == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + + ret = sss_auth_pack_sc_blob(pin, pin_len, token_name, token_name_len, + module_name, module_name_len, + key_id, key_id_len, tok->data, + needed_size, &needed_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_pack_sc_blob failed.\n"); + talloc_free(tok->data); + return ret; + } + + tok->length = needed_size; + tok->type = type; + + return EOK; +} + +errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok, + const uint8_t *data, + size_t len) +{ + int ret; + char *pin = NULL; + size_t pin_len; + char *token_name = NULL; + size_t token_name_len; + char *module_name = NULL; + size_t module_name_len; + char *key_id = NULL; + size_t key_id_len; + TALLOC_CTX *tmp_ctx; + + if (tok == NULL) { + return EFAULT; + } + if (data == NULL || len == 0) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = sss_auth_unpack_sc_blob(tmp_ctx, data, len, &pin, &pin_len, + &token_name, &token_name_len, + &module_name, &module_name_len, + &key_id, &key_id_len); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_auth_unpack_sc_blob failed.\n"); + goto done; + } + + ret = sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, pin_len, + token_name, token_name_len, + module_name, module_name_len, + key_id, 
key_id_len); + +done: + talloc_free(tmp_ctx); + + return ret; +} + +errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin, + size_t len) +{ + if (tok == NULL) { + return EFAULT; + } + if (pin == NULL) { + return EINVAL; + } + + return sss_authtok_set_sc(tok, SSS_AUTHTOK_TYPE_SC_PIN, pin, len, + NULL, 0, NULL, 0, NULL, 0); +} + +errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **_pin, + size_t *len) +{ + int ret; + const char *pin = NULL; + size_t pin_len; + + if (!tok) { + return EFAULT; + } + switch (tok->type) { + case SSS_AUTHTOK_TYPE_EMPTY: + return ENOENT; + case SSS_AUTHTOK_TYPE_SC_PIN: + ret = sss_authtok_get_sc(tok, &pin, &pin_len, + NULL, NULL, NULL, NULL, NULL, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_authtok_get_sc failed.\n"); + return ret; + } + + *_pin = pin; + if (len) { + *len = pin_len; + } + return EOK; + case SSS_AUTHTOK_TYPE_PASSWORD: + case SSS_AUTHTOK_TYPE_CCFILE: + case SSS_AUTHTOK_TYPE_2FA: + case SSS_AUTHTOK_TYPE_SC_KEYPAD: + return EACCES; + } + + return EINVAL; +} + +void sss_authtok_set_sc_keypad(struct sss_auth_token *tok) +{ + if (tok == NULL) { + return; + } + + sss_authtok_set_empty(tok); + + tok->type = SSS_AUTHTOK_TYPE_SC_KEYPAD; +} + +errno_t sss_auth_unpack_sc_blob(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_len, + char **pin, size_t *_pin_len, + char **token_name, size_t *_token_name_len, + char **module_name, size_t *_module_name_len, + char **key_id, size_t *_key_id_len) +{ + size_t c; + uint32_t pin_len; + uint32_t token_name_len; + uint32_t module_name_len; + uint32_t key_id_len; + + c = 0; + + if (blob == NULL || blob_len == 0) { + pin_len = 0; + token_name_len = 0; + module_name_len = 0; + key_id_len = 0; + } else if (blob_len > 0 + && strnlen((const char *) blob, blob_len) == blob_len - 1) { + pin_len = blob_len; + token_name_len = 0; + module_name_len = 0; + key_id_len = 0; + } else { + if (blob_len < 4 * sizeof(uint32_t)) { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&pin_len, blob, &c); + SAFEALIGN_COPY_UINT32(&token_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&module_name_len, blob + c, &c); + SAFEALIGN_COPY_UINT32(&key_id_len, blob + c, &c); + + if (blob_len != 4 * sizeof(uint32_t) + pin_len + token_name_len + + module_name_len + key_id_len) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } + } + + if (pin_len != 0) { + *pin = talloc_strndup(mem_ctx, (const char *) blob + c, pin_len); + if (*pin == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + return ENOMEM; + } + } else { + *pin = NULL; + } + + if (token_name_len != 0) { + *token_name = talloc_strndup(mem_ctx, (const char *) blob + c + pin_len, + token_name_len); + if (*token_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + talloc_free(*pin); + return ENOMEM; + } + } else { + *token_name = NULL; + } + + if (module_name_len != 0) { + *module_name = talloc_strndup(mem_ctx, + (const char *) blob + c + pin_len + + token_name_len, + module_name_len); + if (*module_name == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + talloc_free(*pin); + talloc_free(*token_name); + return ENOMEM; + } + } else { + *module_name = NULL; + } + + if (key_id_len != 0) { + *key_id = talloc_strndup(mem_ctx, + (const char *) blob + c + pin_len + + token_name_len + + module_name_len, + key_id_len); + if (*key_id == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + talloc_free(*pin); + talloc_free(*token_name); + talloc_free(*module_name); + return ENOMEM; + } + } else { + *key_id = NULL; + } + + /* Re-calculate length for the case where \0 was missing in the blob */ + if (_pin_len != NULL) { + *_pin_len = (*pin == NULL) ? 0 : strlen(*pin); + } + if (_token_name_len != NULL) { + *_token_name_len = (*token_name == NULL) ? 
0 : strlen(*token_name); + } + if (_module_name_len != NULL) { + *_module_name_len = (*module_name == NULL) ? 0 : strlen(*module_name); + } + + if (_key_id_len != NULL) { + *_key_id_len = (*key_id == NULL) ? 0 : strlen(*key_id); + } + + return EOK; +} + +errno_t sss_authtok_get_sc(struct sss_auth_token *tok, + const char **_pin, size_t *_pin_len, + const char **_token_name, size_t *_token_name_len, + const char **_module_name, size_t *_module_name_len, + const char **_key_id, size_t *_key_id_len) +{ + size_t c = 0; + size_t pin_len; + size_t token_name_len; + size_t module_name_len; + size_t key_id_len; + uint32_t tmp_uint32_t; + + if (!tok) { + return EFAULT; + } + + if (tok->type != SSS_AUTHTOK_TYPE_SC_PIN + && tok->type != SSS_AUTHTOK_TYPE_SC_KEYPAD) { + return (tok->type == SSS_AUTHTOK_TYPE_EMPTY) ? ENOENT : EACCES; + } + + if (tok->length < 4 * sizeof(uint32_t)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob too small.\n"); + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data, &c); + pin_len = tmp_uint32_t - 1; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); + token_name_len = tmp_uint32_t - 1; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); + module_name_len = tmp_uint32_t -1; + SAFEALIGN_COPY_UINT32(&tmp_uint32_t, tok->data + c, &c); + key_id_len = tmp_uint32_t -1; + + if (tok->length != 4 * sizeof(uint32_t) + 4 + pin_len + token_name_len + + module_name_len + key_id_len) { + DEBUG(SSSDBG_CRIT_FAILURE, "Blob size mismatch.\n"); + return EINVAL; + } + + if (_pin != NULL) { + *_pin = (const char *) tok->data + c; + } + if (_pin_len != NULL) { + *_pin_len = pin_len; + } + + if (_token_name != NULL) { + *_token_name = (const char *) tok->data + c + pin_len + 1; + } + if (_token_name_len != NULL) { + *_token_name_len = token_name_len; + } + + if (_module_name != NULL) { + *_module_name = (const char *) tok->data + c + pin_len + 1 + + token_name_len + 1; + } + if (_module_name_len != NULL) { + *_module_name_len = module_name_len; + } 
+ + if (_key_id != NULL) { + *_key_id = (const char *) tok->data + c + pin_len + 1 + + token_name_len + 1 + module_name_len + 1; + } + if (_key_id_len != NULL) { + *_key_id_len = key_id_len; + } + + return EOK; +} diff --git a/src/util/authtok.h b/src/util/authtok.h new file mode 100644 index 0000000..a55e89f --- /dev/null +++ b/src/util/authtok.h 
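Review bot: The length check in sss_auth_unpack_2fa_blob, `blob_len != 2 * sizeof(uint32_t) + fa1_len + fa2_len`, sums two lengths read from the blob itself, and on a build where size_t is 32 bits that sum can wrap, so a blob with oversized length fields could pass the check and talloc_strndup() would then look for a terminator past the end of the buffer. Comparing each field with the bytes that remain avoids the wrap: `if (fa1_len > blob_len - c || fa2_len != blob_len - c - fa1_len)` (this assumes c equals the two-field header size at that point, which the earlier "Blob too small" check covers). sss_auth_unpack_sc_blob validates its four lengths with the same kind of sum and would need the same treatment. Separately, sss_authtok_set_sc_from_blob always passes `SSS_AUTHTOK_TYPE_SC_PIN` to sss_authtok_set_sc, so sss_authtok_set() called with SSS_AUTHTOK_TYPE_SC_KEYPAD stores a PIN-typed token; if that is intended it deserves a comment.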
@@ -0,0 +1,351 @@
+/*
+ SSSD - auth utils
+
+ Copyright (C) Simo Sorce 2012
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __AUTHTOK_H__
+#define __AUTHTOK_H__
+
+#include "util/util.h"
+#include "util/authtok-utils.h"
+#include "sss_client/sss_cli.h"
+
+/* Use sss_authtok_* accessor functions instead of struct sss_auth_token
+ */
+struct sss_auth_token;
+
+/**
+ * @brief Returns the token type
+ *
+ * @param tok A pointer to an sss_auth_token
+ *
+ * @return An sss_authtok_type (empty, password, ...)
+ */
+enum sss_authtok_type sss_authtok_get_type(struct sss_auth_token *tok);
+
+/**
+ * @brief Returns the token size
+ *
+ * @param tok A pointer to an sss_auth_token
+ *
+ * @return The current size of the token payload
+ */
+size_t sss_authtok_get_size(struct sss_auth_token *tok);
+
+/**
+ * @brief Get the data buffer
+ *
+ * @param tok A pointer to an sss_auth_token
+ *
+ * @return A pointer to the token payload
+ */
+uint8_t *sss_authtok_get_data(struct sss_auth_token *tok);
+
+/**
+ * @brief Returns a const string if the auth token is of type
+ SSS_AUTHTOK_TYPE_PASSWORD, otherwise it returns an error
+ *
+ * @param tok A pointer to an sss_auth_token
+ * @param pwd A pointer to a const char *, that will point to a null
+ * terminated string
+ * @param len The length of the password string
+ *
+ * @return EOK on success
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a password token
+ */
+errno_t sss_authtok_get_password(struct sss_auth_token *tok,
+ const char **pwd, size_t *len);
+
+/**
+ * @brief Set a password into an auth token, replacing any previous data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param password A string
+ * @param len The length of the string or, if 0 is passed,
+ * then strlen(password) will be used internally.
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_set_password(struct sss_auth_token *tok,
+ const char *password, size_t len);
+
+/**
+ * @brief Returns a const string if the auth token is of type
+ SSS_AUTHTOK_TYPE_CCFILE, otherwise it returns an error
+ *
+ * @param tok A pointer to an sss_auth_token
+ * @param ccfile A pointer to a const char *, that will point to a null
+ * terminated string, also used as a memory context use to allocate the internal data
+ * @param len The length of the string
+ *
+ * @return EOK on success
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a password token
+ */
+errno_t sss_authtok_get_ccfile(struct sss_auth_token *tok,
+ const char **ccfile, size_t *len);
+
+/**
+ * @brief Set a cc file name into an auth token, replacing any previous data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param ccfile A null terminated string
+ * @param len The length of the string
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_set_ccfile(struct sss_auth_token *tok,
+ const char *ccfile, size_t len);
+
+/**
+ * @brief Resets an auth token to the empty status
+ *
+ * @param tok A pointer to an sss_auth_token structure to reset
+ *
+ * NOTE: This function uses safezero() on the payload if the type
+ * is SSS_AUTHTOK_TYPE_PASSWORD
+ */
+void sss_authtok_set_empty(struct sss_auth_token *tok);
+
+/**
+ * @brief Set an auth token by type, replacing any previous data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param type A valid authtok type
+ * @param data A data pointer
+ * @param len The length of the data
+ *
+ * @return EOK on success
+ * ENOMEM or EINVAL on error
+ */
+errno_t sss_authtok_set(struct sss_auth_token *tok,
+ enum sss_authtok_type type,
+ const uint8_t *data, size_t len);
+
+/**
+ * @brief Copy an auth token from source to destination
+ *
+ * @param src The source auth token
+ * @param dst The destination auth token, also used as a memory context
+ * to allocate dst internal data.
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_copy(struct sss_auth_token *src,
+ struct sss_auth_token *dst);
+
+/**
+ * @brief Uses safezero to wipe the password from memory if the
+ * authtoken contains a password, otherwise does nothing.
+ *
+ * @param tok A pointer to an sss_auth_token structure to change
+ *
+ * NOTE: This function should only be used in destructors or similar
+ * functions where freeing the actual string is unsafe and where it can
+ * be guaranteed that the auth token will not be used anymore.
+ * Use sss_authtok_set_empty() in normal circumstances.
+ */
+void sss_authtok_wipe_password(struct sss_auth_token *tok);
+
+/**
+ * @brief Create new empty struct sss_auth_token.
+ *
+ * @param mem_ctx A memory context use to allocate the internal data
+ * @return A pointer to new empty struct sss_auth_token
+ * NULL in case of failure
+ *
+ * NOTE: This function is the only way, how to create new empty
+ * struct sss_auth_token.
+ */
+struct sss_auth_token *sss_authtok_new(TALLOC_CTX *mem_ctx);
+
+/**
+ * @brief Set authtoken with 2FA data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param[in] fa1 First authentication factor, null terminated
+ * @param[in] fa1_len Length of the first authentication factor, if 0
+ * strlen() will be called internally
+ * @param[in] fa2 Second authentication factor, null terminated
+ * @param[in] fa2_len Length of the second authentication factor, if 0
+ * strlen() will be called internally
+ *
+ * @return EOK on success
+ * ENOMEM if memory allocation failed
+ * EINVAL if input data is not consistent
+ */
+errno_t sss_authtok_set_2fa(struct sss_auth_token *tok,
+ const char *fa1, size_t fa1_len,
+ const char *fa2, size_t fa2_len);
+
+/**
+ * @brief Get 2FA factors from authtoken
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param[out] fa1 A pointer to a const char *, that will point to a
+ * null terminated string holding the first
+ * authentication factor, may not be modified or freed
+ * @param[out] fa1_len Length of the first authentication factor
+ * @param[out] fa2 A pointer to a const char *, that will point to a
+ * null terminated string holding the second
+ * authentication factor, may not be modified or freed
+ * @param[out] fa2_len Length of the second authentication factor
+ *
+ * @return EOK on success
+ * ENOMEM if memory allocation failed
+ * EINVAL if input data is not consistent
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a 2FA token
+ */
+errno_t sss_authtok_get_2fa(struct sss_auth_token *tok,
+ const char **fa1, size_t *fa1_len,
+ const char **fa2, size_t *fa2_len);
+
+/**
+ * @brief Set a Smart Card PIN into an auth token, replacing any previous data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param pin A string
+ * @param len The length of the string or, if 0 is passed,
+ * then strlen(password) will be used internally.
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_set_sc_pin(struct sss_auth_token *tok, const char *pin,
+ size_t len);
+
+/**
+ * @brief Returns a Smart Card PIN as const string if the auth token is of
+ * type SSS_AUTHTOK_TYPE_SC_PIN, otherwise it returns an error
+ *
+ * @param tok A pointer to an sss_auth_token
+ * @param pin A pointer to a const char *, that will point to a null
+ * terminated string
+ * @param len The length of the pin string
+ *
+ * @return EOK on success
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a Smart Card PIN token
+ */
+errno_t sss_authtok_get_sc_pin(struct sss_auth_token *tok, const char **pin,
+ size_t *len);
+
+/**
+ * @brief Sets an auth token to type SSS_AUTHTOK_TYPE_SC_KEYPAD, replacing any
+ * previous data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ */
+void sss_authtok_set_sc_keypad(struct sss_auth_token *tok);
+
+/**
+ * @brief Set complete Smart Card authentication blob including PKCS#11 token
+ * name, module name and key id.
+ *
+ * @param tok A pointer to an sss_auth_token
+ * @param type Authentication token type, may be
+ * SSS_AUTHTOK_TYPE_SC_PIN or SSS_AUTHTOK_TYPE_SC_KEYPAD
+ * @param pin A pointer to a const char *, that will point to a null
+ * terminated string containing the PIN
+ * @param pin_len The length of the pin string, if set to 0 it will be
+ * calculated
+ * @param token_name A pointer to a const char *, that will point to a null
+ * terminated string containing the PKCS#11 token name
+ * @param token_name_len The length of the token name string, if set to 0 it
+ * will be calculated
+ * @param module_name A pointer to a const char *, that will point to a null
+ * terminated string containing the PKCS#11 module name
+ * @param module_name_len The length of the module name string, if set to 0 it
+ * will be calculated
+ * @param key_id A pointer to a const char *, that will point to a null
+ * terminated string containing the PKCS#11 key id
+ * @param key_id_len The length of the key id string, if set to 0 it will be
+ * calculated
+ *
+ * @return EOK on success
+ * EINVAL unexpected or inval input
+ * ENOMEM memory allocation error
+ */
+errno_t sss_authtok_set_sc(struct sss_auth_token *tok,
+ enum sss_authtok_type type,
+ const char *pin, size_t pin_len,
+ const char *token_name, size_t token_name_len,
+ const char *module_name, size_t module_name_len,
+ const char *key_id, size_t key_id_len);
+/**
+ * @brief Set a Smart Card authentication data, replacing any previous data
+ *
+ * @param tok A pointer to an sss_auth_token structure to change, also
+ * used as a memory context to allocate the internal data.
+ * @param data Smart Card authentication data blob
+ * @param len The length of the blob
+ *
+ * @return EOK on success
+ * ENOMEM on error
+ */
+errno_t sss_authtok_set_sc_from_blob(struct sss_auth_token *tok,
+ const uint8_t *data,
+ size_t len);
+
+/**
+ * @brief Get complete Smart Card authtoken data
+ *
+ * @param tok A pointer to an sss_auth_token structure
+ * @param[out] _pin A pointer to a const char *, that will point to
+ * a null terminated string holding the PIN,
+ * may not be modified or freed
+ * @param[out] _pin__len Length of the PIN
+ * @param[out] _token_name A pointer to a const char *, that will point to
+ * a null terminated string holding the PKCS#11
+ * token name, may not be modified or freed
+ * @param[out] _token_name_len Length of the PKCS#11 token name
+ * @param[out] _module_name A pointer to a const char *, that will point to
+ * a null terminated string holding the PKCS#11
+ * module name, may not be modified or freed
+ * @param[out] _module_name_len Length of the PKCS#11 module name
+ * @param[out] _key_id A pointer to a const char *, that will point to
+ * a null terminated string holding the PKCS#11
+ * key id, may not be modified or freed
+ * @param[out] _key_id_len Length of the PKCS#11 key id
+ *
+ * Any of the output pointers may be NULL if the caller does not need the
+ * specific item.
+ *
+ * @return EOK on success
+ * EFAULT missing token
+ * EINVAL if input data is not consistent
+ * ENOENT if the token is empty
+ * EACCESS if the token is not a Smart Card token
+ */
+errno_t sss_authtok_get_sc(struct sss_auth_token *tok,
+ const char **_pin, size_t *_pin_len,
+ const char **_token_name, size_t *_token_name_len,
+ const char **_module_name, size_t *_module_name_len,
+ const char **_key_id, size_t *_key_id_len);
+#endif /* __AUTHTOK_H__ */
diff --git a/src/util/backup_file.c b/src/util/backup_file.c
new file mode 100644
index 0000000..a164a86
--- /dev/null
+++ b/src/util/backup_file.c
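Review bot: The NOTE on sss_authtok_set_empty says safezero() is applied only when the type is SSS_AUTHTOK_TYPE_PASSWORD, but the implementation in authtok.c in this same patch also wipes SSS_AUTHTOK_TYPE_2FA and SSS_AUTHTOK_TYPE_SC_PIN payloads, so the header understates which secrets get cleared; I would write `NOTE: This function uses safezero() on the payload of password, 2FA and Smart Card PIN tokens`. The return lists spell the code `EACCESS` while the functions return `EACCES`, and the list for sss_authtok_get_ccfile says "not a password token" where a ccfile token is meant. sss_authtok_get_password and sss_authtok_get_sc_pin also return EFAULT for a NULL token (sss_authtok_get_ccfile returns EINVAL), which the header documents only for sss_authtok_get_sc.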
@@ -0,0 +1,120 @@ +/* + SSSD + + Backup files + + Copyright (C) Simo Sorce 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include +#include +#include + +#define BUFFER_SIZE 65536 + +int backup_file(const char *src_file, int dbglvl) +{ + TALLOC_CTX *tmp_ctx = NULL; + char buf[BUFFER_SIZE]; + int src_fd = -1; + int dst_fd = -1; + char *dst_file; + ssize_t numread; + ssize_t written; + int ret, i; + + src_fd = open(src_file, O_RDONLY); + if (src_fd < 0) { + ret = errno; + DEBUG(dbglvl, "Error (%d [%s]) opening source file %s\n", + ret, strerror(ret), src_file); + goto done; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + ret = ENOMEM; + goto done; + } + + /* try a few times to come up with a new backup file, then give up */ + for (i = 0; i < 10; i++) { + if (i == 0) { + dst_file = talloc_asprintf(tmp_ctx, "%s.bak", src_file); + } else { + dst_file = talloc_asprintf(tmp_ctx, "%s.bak%d", src_file, i); + } + if (!dst_file) { + ret = ENOMEM; + goto done; + } + + errno = 0; + dst_fd = open(dst_file, O_CREAT|O_EXCL|O_WRONLY, 0600); + ret = errno; + + if (dst_fd >= 0) break; + + if (ret != EEXIST) { + DEBUG(dbglvl, "Error (%d [%s]) opening destination file %s\n", + ret, strerror(ret), dst_file); + goto done; + } + } + if (ret != 0) { + DEBUG(dbglvl, "Error (%d [%s]) opening destination file %s\n", + ret, strerror(ret), dst_file); + goto done; + } + + /* copy file contents */ + while 
(1) { + errno = 0; + numread = sss_atomic_read_s(src_fd, buf, BUFFER_SIZE); + if (numread < 0) { + ret = errno; + DEBUG(dbglvl, "Error (%d [%s]) reading from source %s\n", + ret, strerror(ret), src_file); + goto done; + } + if (numread == 0) break; + + errno = 0; + written = sss_atomic_write_s(dst_fd, buf, numread); + if (written == -1) { + ret = errno; + DEBUG(dbglvl, "Error (%d [%s]) writing to destination %s\n", + ret, strerror(ret), dst_file); + goto done; + } + + if (written != numread) { + DEBUG(dbglvl, "Wrote %zd bytes expected %zd bytes\n", + written, numread); + ret = EIO; + goto done; + } + } + + ret = EOK; + +done: + if (src_fd != -1) close(src_fd); + if (dst_fd != -1) close(dst_fd); + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/util/become_user.c b/src/util/become_user.c new file mode 100644 index 0000000..c3f726d --- /dev/null +++ b/src/util/become_user.c 
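Review bot: On every failure after the destination has been created (the read-error, write-error and short-write branches of the copy loop), `backup_file` jumps to `done:` and leaves a partially written backup file in place. A truncated backup cannot be told from a complete one by name, and later calls will step past it to the next `.bakN` suffix, so the error path should remove it: `if (ret != EOK && dst_fd != -1) unlink(dst_file);` placed in `done:` before `talloc_free(tmp_ctx)`, because `dst_file` is allocated on that context. A short comment on the `open(dst_file, O_CREAT|O_EXCL|O_WRONLY, 0600)` line saying that `O_EXCL` and the 0600 mode are deliberate would also keep a later edit from relaxing them.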
@@ -0,0 +1,212 @@ +/* + SSSD + + Kerberos 5 Backend Module -- Utilities + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include + +errno_t become_user(uid_t uid, gid_t gid) +{ + uid_t cuid; + int ret; + + DEBUG(SSSDBG_FUNC_DATA, + "Trying to become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid); + + /* skip call if we already are the requested user */ + cuid = geteuid(); + if (uid == cuid) { + DEBUG(SSSDBG_FUNC_DATA, "Already user [%"SPRIuid"].\n", uid); + return EOK; + } + + /* drop supplementary groups first */ + ret = setgroups(0, NULL); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setgroups failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + + /* change GID so that root cannot be regained (changes saved GID too) */ + ret = setresgid(gid, gid, gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setresgid failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + + /* change UID so that root cannot be regained (changes saved UID too) */ + /* this call also takes care of dropping CAP_SETUID, so this is a PNR */ + ret = setresuid(uid, uid, uid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setresuid failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + + return EOK; +} + +struct sss_creds { + uid_t uid; + gid_t gid; + int num_gids; + gid_t gids[]; +}; + 
+errno_t restore_creds(struct sss_creds *saved_creds); + +/* This is a reversible version of become_user, and returns the saved + * credentials so that creds can be switched back calling restore_creds */ +errno_t switch_creds(TALLOC_CTX *mem_ctx, + uid_t uid, gid_t gid, + int num_gids, gid_t *gids, + struct sss_creds **saved_creds) +{ + struct sss_creds *ssc = NULL; + int size; + int ret; + uid_t myuid; + uid_t mygid; + + DEBUG(SSSDBG_FUNC_DATA, "Switch user to [%d][%d].\n", uid, gid); + + myuid = geteuid(); + mygid = getegid(); + + if (saved_creds) { + /* save current user credentials */ + size = getgroups(0, NULL); + if (size == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Getgroups failed! (%d, %s)\n", + ret, strerror(ret)); + goto done; + } + + ssc = talloc_size(mem_ctx, + (sizeof(struct sss_creds) + size * sizeof(gid_t))); + if (!ssc) { + DEBUG(SSSDBG_CRIT_FAILURE, "Allocation failed!\n"); + ret = ENOMEM; + goto done; + } + ssc->num_gids = size; + + size = getgroups(ssc->num_gids, ssc->gids); + if (size == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "Getgroups failed! (%d, %s)\n", + ret, strerror(ret)); + /* free ssc immediately otherwise the code will try to restore + * wrong creds */ + talloc_zfree(ssc); + goto done; + } + + /* we care only about effective ids */ + ssc->uid = myuid; + ssc->gid = mygid; + } + + /* if we are regaining root, set EUID first so that we have CAP_SETUID back, + * and the other calls work too, otherwise call it last so that we can + * change groups before we loose CAP_SETUID */ + if (uid == 0) { + ret = setresuid(0, 0, 0); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setresuid failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + } + + /* TODO: use libcap-ng if we need to get/set capabilities too? 
*/ + + if (myuid == uid && mygid == gid) { + DEBUG(SSSDBG_FUNC_DATA, "Already user [%"SPRIuid"].\n", uid); + talloc_zfree(ssc); + return EOK; + } + + /* try to setgroups first should always work if CAP_SETUID is set, + * otherwise it will always fail, failure is not critical though as + * generally we only really care about UID and at most primary GID */ + ret = setgroups(num_gids, gids); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_TRACE_FUNC, + "setgroups failed [%d][%s].\n", ret, strerror(ret)); + } + + /* change GID now, (leaves saved GID to current, so we can restore) */ + ret = setresgid(-1, gid, -1); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setresgid failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + if (uid != 0) { + /* change UID, (leaves saved UID to current, so we can restore) */ + ret = setresuid(-1, uid, -1); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "setresuid failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + } + + ret = 0; + +done: + if (ret) { + /* attempt to restore creds first */ + restore_creds(ssc); + talloc_free(ssc); + } else if (saved_creds) { + *saved_creds = ssc; + } + return ret; +} + +errno_t restore_creds(struct sss_creds *saved_creds) +{ + if (saved_creds == NULL) { + /* In case save_creds was saved with the UID already dropped */ + return EOK; + } + + return switch_creds(saved_creds, + saved_creds->uid, + saved_creds->gid, + saved_creds->num_gids, + saved_creds->gids, NULL); +} diff --git a/src/util/cert.h b/src/util/cert.h new file mode 100644 index 0000000..d528029 --- /dev/null +++ b/src/util/cert.h 
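Review bot: The early return in `become_user` compares only `geteuid()` with `uid`, so when the effective UID already matches it reports EOK without touching the real and saved UID, the GID or the supplementary groups. `switch_creds` in this same file changes just the effective IDs (`setresuid(-1, uid, -1)`) so that they can be restored, which means a process in that state would pass through `become_user` with its privilege drop still reversible. The shortcut should confirm all three IDs, for example with `getresuid(&ruid, &euid, &suid)` and `getresgid()`, and skip the calls only when every one already equals the target. Separately, `mygid` in `switch_creds` is declared `uid_t` and should be `gid_t`, and the first `DEBUG` there prints `uid` and `gid` with `%d` where the rest of the file uses `SPRIuid`/`SPRIgid`.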
@@ -0,0 +1,70 @@ +/* + SSSD - certificate handling utils - openssl version + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "lib/certmap/sss_certmap.h" + +#ifndef __CERT_H__ +#define __CERT_H__ + +errno_t sss_cert_der_to_pem(TALLOC_CTX *mem_ctx, const uint8_t *der_blob, + size_t der_size, char **pem, size_t *pem_size); + +errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, + uint8_t **der_blob, size_t *der_size); + +errno_t sss_cert_derb64_to_pem(TALLOC_CTX *mem_ctx, const char *derb64, + char **pem, size_t *pem_size); + +errno_t sss_cert_pem_to_derb64(TALLOC_CTX *mem_ctx, const char *pem, + char **derb64); + +errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, + const char *attr_name, + struct sss_certmap_ctx *certmap_ctx, + struct sss_domain_info *dom, + char **ldap_filter); + +errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, + const uint8_t *blob, size_t blob_size, + char **_str); + +errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db, + const uint8_t *der_blob, size_t der_size, + struct cert_verify_opts *cert_verify_opts, + uint8_t **key, size_t *key_size); + +errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx, + uint8_t *der_blob, size_t der_size, + uint8_t **key_blob, size_t *key_size); + +struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, + struct 
tevent_context *ev,
+ int child_debug_fd, time_t timeout,
+ const char *ca_db,
+ size_t cert_count,
+ struct ldb_val *bin_certs,
+ const char *verify_opts);
+
+errno_t cert_to_ssh_key_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ struct ldb_val **keys, size_t *valid_keys);
+#endif /* __CERT_H__ */
diff --git a/src/util/cert/cert_common.c b/src/util/cert/cert_common.c
new file mode 100644
index 0000000..7668770
--- /dev/null
+++ b/src/util/cert/cert_common.c
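Review bot: The prototype of `get_ssh_key_from_cert` in this header takes `uint8_t *der_blob`, while the definition added in `src/util/cert/libcrypto/cert.c` by the same patch takes `const uint8_t *der_blob`. The quoted includes visible in that file are only `util/util.h` and `util/sss_endian.h`, so unless `util/cert.h` arrives indirectly the compiler never compares the two declarations. Declaring the parameter as `const uint8_t *der_blob, size_t der_size,` here and including `util/cert.h` from the libcrypto implementation would keep them in step. The `#include` lines also sit above the `#ifndef __CERT_H__` guard; moving them inside it is the usual layout.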
@@ -0,0 +1,208 @@ +/* + SSSD - certificate handling utils + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/cert.h" +#include "util/crypto/sss_crypto.h" + +errno_t sss_cert_derb64_to_pem(TALLOC_CTX *mem_ctx, const char *derb64, + char **pem, size_t *pem_size) +{ + int ret; + unsigned char *der; + size_t der_size; + + if (derb64 == NULL) { + return EINVAL; + } + + der = sss_base64_decode(mem_ctx, derb64, &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + return EINVAL; + } + + ret = sss_cert_der_to_pem(mem_ctx, der, der_size, pem, pem_size); + talloc_free(der); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_cert_der_to_pem failed.\n"); + } + + return ret; +} + +errno_t sss_cert_pem_to_derb64(TALLOC_CTX *mem_ctx, const char *pem, + char **derb64) +{ + int ret; + uint8_t *der; + size_t der_size; + + ret = sss_cert_pem_to_der(mem_ctx, pem, &der, &der_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_cert_pem_to_der failed.\n"); + return ret; + } + + *derb64 = sss_base64_encode(mem_ctx, der, der_size); + talloc_free(der); + if (*derb64 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_encode failed.\n"); + return EINVAL; + } + + return EOK; +} + +errno_t sss_cert_derb64_to_ldap_filter(TALLOC_CTX *mem_ctx, const char *derb64, + const char *attr_name, + struct sss_certmap_ctx *certmap_ctx, + 
struct sss_domain_info *dom, + char **ldap_filter) +{ + int ret; + unsigned char *der; + size_t der_size; + char *val; + char *filter = NULL; + char **domains = NULL; + size_t c; + + if (derb64 == NULL || attr_name == NULL) { + return EINVAL; + } + + der = sss_base64_decode(mem_ctx, derb64, &der_size); + if (der == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_decode failed.\n"); + return EINVAL; + } + + if (certmap_ctx == NULL) { + ret = bin_to_ldap_filter_value(mem_ctx, der, der_size, &val); + talloc_free(der); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "bin_to_ldap_filter_value failed.\n"); + return ret; + } + + *ldap_filter = talloc_asprintf(mem_ctx, "(%s=%s)", attr_name, val); + talloc_free(val); + if (*ldap_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + } else { + ret = sss_certmap_get_search_filter(certmap_ctx, der, der_size, + &filter, &domains); + talloc_free(der); + if (ret != 0) { + if (ret == ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + "Certificate does not match matching-rules.\n"); + } else { + DEBUG(SSSDBG_OP_FAILURE, + "sss_certmap_get_search_filter failed.\n"); + } + } else { + if (domains == NULL) { + if (IS_SUBDOMAIN(dom)) { + DEBUG(SSSDBG_TRACE_FUNC, + "Rule applies only to local domain.\n"); + ret = ENOENT; + } + } else { + for (c = 0; domains[c] != NULL; c++) { + if (strcasecmp(dom->name, domains[c]) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "Rule applies to current domain [%s].\n", + dom->name); + ret = EOK; + break; + } + } + if (domains[c] == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Rule does not apply to current domain [%s].\n", + dom->name); + ret = ENOENT; + } + } + } + + if (ret == EOK) { + *ldap_filter = talloc_strdup(mem_ctx, filter); + if (*ldap_filter == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + } + } + sss_certmap_free_filter_and_domains(filter, domains); + return ret; + } + + return EOK; +} + +errno_t bin_to_ldap_filter_value(TALLOC_CTX *mem_ctx, + 
const uint8_t *blob, size_t blob_size, + char **_str) +{ + int ret; + size_t c; + size_t len; + char *str = NULL; + char *p; + + if (blob == NULL || blob_size == 0 || _str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "Missing input parameter.\n"); + return EINVAL; + } + + len = (blob_size * 3) + 1; + str = talloc_size(mem_ctx, len); + if (str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + return ENOMEM; + } + str[len - 1] = '\0'; + + p = str; + for (c = 0; c < blob_size; c++) { + ret = snprintf(p, 4, "\\%02x", blob[c]); + if (ret != 3) { + DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); + ret = EIO; + goto done; + } + + p += 3; + } + + ret = EOK; + +done: + if (ret == EOK) { + *_str = str; + } else { + talloc_free(str); + } + + return ret; +} diff --git a/src/util/cert/cert_common_p11_child.c b/src/util/cert/cert_common_p11_child.c new file mode 100644 index 0000000..aacdb5c --- /dev/null +++ b/src/util/cert/cert_common_p11_child.c 
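Review bot: `sss_cert_derb64_to_ldap_filter` validates `derb64` and `attr_name` but not `ldap_filter` or `dom`, yet both branches write `*ldap_filter` and the certmap branch reads `dom->name` and passes `dom` to `IS_SUBDOMAIN`. Extending the guard to `if (derb64 == NULL || attr_name == NULL || ldap_filter == NULL)` and returning EINVAL when `certmap_ctx != NULL && dom == NULL` closes that gap. In the non-certmap branch the certificate bytes are escaped by `bin_to_ldap_filter_value`, but `attr_name` is placed into `"(%s=%s)"` unchanged, so a comment stating that it must come from trusted configuration would document the assumption. `bin_to_ldap_filter_value` also computes `(blob_size * 3) + 1` without an overflow check, which `if (blob_size > (SIZE_MAX - 1) / 3) return EINVAL;` would cover.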
@@ -0,0 +1,331 @@ +/* + SSSD - certificate handling utils + + Copyright (C) Sumit Bose 2018 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/cert.h" +#include "util/crypto/sss_crypto.h" +#include "util/child_common.h" + +struct cert_to_ssh_key_state { + struct tevent_context *ev; + int child_debug_fd; + time_t timeout; + const char **extra_args; + const char **certs; + struct ldb_val *bin_certs; + struct ldb_val *keys; + size_t cert_count; + size_t iter; + size_t valid_keys; + + struct sss_child_ctx_old *child_ctx; + struct tevent_timer *timeout_handler; + struct child_io_fds *io; +}; + +static errno_t cert_to_ssh_key_step(struct tevent_req *req); +static void cert_to_ssh_key_done(int child_status, + struct tevent_signal *sige, + void *pvt); + +struct tevent_req *cert_to_ssh_key_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + int child_debug_fd, time_t timeout, + const char *ca_db, + size_t cert_count, + struct ldb_val *bin_certs, + const char *verify_opts) +{ + struct tevent_req *req; + struct cert_to_ssh_key_state *state; + size_t arg_c; + size_t c; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct cert_to_ssh_key_state); + if (req == NULL) { + return NULL; + } + + if (ca_db == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing NSS DB.\n"); + ret = EINVAL; + goto done; + } + + state->ev = ev; + state->child_debug_fd = (child_debug_fd == -1) ? 
STDERR_FILENO + : child_debug_fd; + state->timeout = timeout; + state->bin_certs = bin_certs; + state->io = talloc(state, struct child_io_fds); + if (state->io == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc failed.\n"); + ret = ENOMEM; + goto done; + } + state->io->write_to_child_fd = -1; + state->io->read_from_child_fd = -1; + talloc_set_destructor((void *) state->io, child_io_destructor); + + state->keys = talloc_zero_array(state, struct ldb_val, cert_count); + if (state->keys == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); + ret = ENOMEM; + goto done; + } + state->valid_keys = 0; + + state->extra_args = talloc_zero_array(state, const char *, 8); + if (state->extra_args == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); + ret = ENOMEM; + goto done; + } + /* extra_args are added in revers order, base64 encoded certificate is + * added at 0 */ + arg_c = 1; + state->extra_args[arg_c++] = "--certificate"; + state->extra_args[arg_c++] = ca_db; + state->extra_args[arg_c++] = "--nssdb"; + if (verify_opts != NULL) { + state->extra_args[arg_c++] = verify_opts; + state->extra_args[arg_c++] = "--verify"; + } + state->extra_args[arg_c++] = "--verification"; + + state->certs = talloc_zero_array(state, const char *, cert_count); + if (state->certs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_array failed.\n"); + ret = ENOMEM; + goto done; + } + + for (c = 0; c < cert_count; c++) { + state->certs[c] = sss_base64_encode(state->certs, bin_certs[c].data, + bin_certs[c].length); + if (state->certs[c] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sss_base64_encode failed.\n"); + ret = EINVAL; + goto done; + } + } + + state->cert_count = cert_count; + state->iter = 0; + + ret = cert_to_ssh_key_step(req); + +done: + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + tevent_req_post(req, ev); + } + + return req; +} + +static void p11_child_timeout(struct tevent_context *ev, + struct 
tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct cert_to_ssh_key_state *state = + tevent_req_data(req, struct cert_to_ssh_key_state); + + DEBUG(SSSDBG_CRIT_FAILURE, "Timeout reached for p11_child.\n"); + child_handler_destroy(state->child_ctx); + state->child_ctx = NULL; + tevent_req_error(req, ERR_P11_CHILD); +} + +static errno_t cert_to_ssh_key_step(struct tevent_req *req) +{ + struct cert_to_ssh_key_state *state = tevent_req_data(req, + struct cert_to_ssh_key_state); + int ret; + int pipefd_from_child[2] = PIPE_INIT; + int pipefd_to_child[2] = PIPE_INIT; + pid_t child_pid; + struct timeval tv; + + if (state->iter >= state->cert_count) { + return EOK; + } + + state->extra_args[0] = state->certs[state->iter]; + + ret = pipe(pipefd_from_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + ret = pipe(pipefd_to_child); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "pipe failed [%d][%s].\n", ret, strerror(ret)); + goto done; + } + + child_pid = fork(); + if (child_pid == 0) { /* child */ + exec_child_ex(state, pipefd_to_child, pipefd_from_child, P11_CHILD_PATH, + state->child_debug_fd, state->extra_args, false, + STDIN_FILENO, STDOUT_FILENO); + /* We should never get here */ + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Could not exec p11 child\n"); + } else if (child_pid > 0) { /* parent */ + + state->io->read_from_child_fd = pipefd_from_child[0]; + PIPE_FD_CLOSE(pipefd_from_child[1]); + sss_fd_nonblocking(state->io->read_from_child_fd); + + state->io->write_to_child_fd = pipefd_to_child[1]; + PIPE_FD_CLOSE(pipefd_to_child[0]); + sss_fd_nonblocking(state->io->write_to_child_fd); + + /* Set up SIGCHLD handler */ + ret = child_handler_setup(state->ev, child_pid, cert_to_ssh_key_done, + req, &state->child_ctx); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not set up child handlers [%d]: 
%s\n", + ret, sss_strerror(ret)); + ret = ERR_P11_CHILD; + goto done; + } + + /* Set up timeout handler */ + tv = tevent_timeval_current_ofs(state->timeout, 0); + state->timeout_handler = tevent_add_timer(state->ev, req, tv, + p11_child_timeout, + req); + if (state->timeout_handler == NULL) { + ret = ERR_P11_CHILD; + goto done; + } + /* Now either wait for the timeout to fire or the child to finish */ + } else { /* error */ + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "fork failed [%d][%s].\n", + ret, sss_strerror(ret)); + goto done; + } + + return EAGAIN; + +done: + if (ret != EOK) { + PIPE_CLOSE(pipefd_from_child); + PIPE_CLOSE(pipefd_to_child); + } + + return ret; +} + +static void cert_to_ssh_key_done(int child_status, + struct tevent_signal *sige, + void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct cert_to_ssh_key_state *state = tevent_req_data(req, + struct cert_to_ssh_key_state); + int ret; + bool valid = false; + + PIPE_FD_CLOSE(state->io->read_from_child_fd); + PIPE_FD_CLOSE(state->io->write_to_child_fd); + + if (WIFEXITED(child_status)) { + if (WEXITSTATUS(child_status) != 0) { + DEBUG(SSSDBG_OP_FAILURE, + P11_CHILD_PATH " failed with status [%d]\n", child_status); + } else { + valid = true; + } + } + + if (WIFSIGNALED(child_status)) { + DEBUG(SSSDBG_OP_FAILURE, + P11_CHILD_PATH " was terminated by signal [%d]\n", + WTERMSIG(child_status)); + } + + if (valid) { + DEBUG(SSSDBG_TRACE_LIBS, "Certificate [%s] is valid.\n", + state->certs[state->iter]); + ret = get_ssh_key_from_cert(state->keys, + state->bin_certs[state->iter].data, + state->bin_certs[state->iter].length, + &state->keys[state->iter].data, + &state->keys[state->iter].length); + if (ret == EOK) { + state->valid_keys++; + } else { + DEBUG(SSSDBG_OP_FAILURE, "get_ssh_key_from_cert failed, " + "skipping certificate [%s].\n", + state->certs[state->iter]); + state->keys[state->iter].data = NULL; + state->keys[state->iter].length = 0; + } + } else { + 
DEBUG(SSSDBG_MINOR_FAILURE, "Certificate [%s] is not valid.\n", + state->certs[state->iter]); + state->keys[state->iter].data = NULL; + state->keys[state->iter].length = 0; + } + + state->iter++; + ret = cert_to_ssh_key_step(req); + + if (ret != EAGAIN) { + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + } + + return; +} + +errno_t cert_to_ssh_key_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + struct ldb_val **keys, size_t *valid_keys) +{ + struct cert_to_ssh_key_state *state = tevent_req_data(req, + struct cert_to_ssh_key_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (keys != NULL) { + *keys = talloc_steal(mem_ctx, state->keys); + } + + if (valid_keys != NULL) { + *valid_keys = state->valid_keys; + } + + return EOK; +} diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c new file mode 100644 index 0000000..c8e0783 --- /dev/null +++ b/src/util/cert/libcrypto/cert.c 
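Review bot: `cert_to_ssh_key_done` never releases `state->timeout_handler` before it calls `cert_to_ssh_key_step` for the next certificate, and each step adds a new timer on `req`. The timer armed for an earlier child therefore still fires at its original deadline, and `p11_child_timeout` then destroys the handler of whichever child is current and fails the whole request. Adding `talloc_zfree(state->timeout_handler);` at the top of `cert_to_ssh_key_done` gives each child its own deadline. In the child branch of `cert_to_ssh_key_step` nothing follows the "BUG: Could not exec p11 child" message, so if `exec_child_ex` can return (it is not shown here) the child would continue to `return EAGAIN` as a copy of the parent, and an `_exit()` after the message would rule that out. The failed-exit log line also prints the raw `child_status` where `WEXITSTATUS(child_status)` is what a reader needs.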
@@ -0,0 +1,275 @@ +/* + SSSD - certificate handling utils - OpenSSL version + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "util/sss_endian.h" + +errno_t sss_cert_der_to_pem(TALLOC_CTX *mem_ctx, const uint8_t *der_blob, + size_t der_size, char **pem, size_t *pem_size) +{ + X509 *x509 = NULL; + BIO *bio_mem = NULL; + const unsigned char *d; + int ret; + long p_size; + char *p; + + if (der_blob == NULL || der_size == 0) { + return EINVAL; + } + + d = (const unsigned char *) der_blob; + + x509 = d2i_X509(NULL, &d, (int) der_size); + if (x509 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n"); + return EINVAL; + } + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "BIO_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = PEM_write_bio_X509(bio_mem, x509); + if (ret != 1) { + DEBUG(SSSDBG_OP_FAILURE, "PEM_write_bio_X509 failed.\n"); + ret = EIO; + goto done; + } + + p_size = BIO_get_mem_data(bio_mem, &p); + if (p_size == 0) { + DEBUG(SSSDBG_OP_FAILURE, "Unexpected PEM size [%ld].\n", p_size); + ret = EINVAL; + goto done; + } + + if (pem != NULL) { + *pem = talloc_strndup(mem_ctx, p, p_size); + if (*pem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (pem_size != NULL) { + *pem_size = p_size; + } + + ret = 
EOK; + +done: + X509_free(x509); + BIO_free_all(bio_mem); + + return ret; +} + +errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, + uint8_t **_der_blob, size_t *_der_size) +{ + X509 *x509 = NULL; + BIO *bio_mem = NULL; + int ret; + unsigned char *buf; + int buf_size; + uint8_t *der_blob; + size_t der_size; + + if (pem == NULL) { + return EINVAL; + } + + bio_mem = BIO_new(BIO_s_mem()); + if (bio_mem == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "BIO_new failed.\n"); + ret = ENOMEM; + goto done; + } + + ret = BIO_puts(bio_mem, pem); + if (ret <= 0) { + DEBUG(SSSDBG_OP_FAILURE, "BIO_puts failed.\n"); + ret = EIO; + goto done; + } + + x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL); + if (x509 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "PEM_read_bio_X509 failed.\n"); + ret = EIO; + goto done; + } + + buf_size = i2d_X509(x509, NULL); + if (buf_size <= 0) { + DEBUG(SSSDBG_OP_FAILURE, "i2d_X509 failed.\n"); + ret = EIO; + goto done; + } + + if (_der_blob != NULL) { + buf = talloc_size(mem_ctx, buf_size); + if (buf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + ret = ENOMEM; + goto done; + } + + der_blob = buf; + + der_size = i2d_X509(x509, &buf); + if (der_size != buf_size) { + talloc_free(der_blob); + DEBUG(SSSDBG_CRIT_FAILURE, + "i2d_X509 size mismatch between two calls.\n"); + ret = EIO; + goto done; + } + + *_der_blob = der_blob; + } + + if (_der_size != NULL) { + *_der_size = buf_size; + } + + ret = EOK; + +done: + X509_free(x509); + BIO_free_all(bio_mem); + + return ret; + +} + +#define SSH_RSA_HEADER "ssh-rsa" +#define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1) + +errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx, + const uint8_t *der_blob, size_t der_size, + uint8_t **key_blob, size_t *key_size) +{ + int ret; + size_t size; + const unsigned char *d; + uint8_t *buf = NULL; + size_t c; + X509 *cert = NULL; + EVP_PKEY *cert_pub_key = NULL; + const BIGNUM *n; + const BIGNUM *e; + int modulus_len; + unsigned char 
modulus[OPENSSL_RSA_MAX_MODULUS_BITS/8]; + int exponent_len; + unsigned char exponent[OPENSSL_RSA_MAX_PUBEXP_BITS/8]; + + if (der_blob == NULL || der_size == 0) { + return EINVAL; + } + + d = (const unsigned char *) der_blob; + + cert = d2i_X509(NULL, &d, (int) der_size); + if (cert == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "d2i_X509 failed.\n"); + return EINVAL; + } + + cert_pub_key = X509_get_pubkey(cert); + if (cert_pub_key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "X509_get_pubkey failed.\n"); + ret = EIO; + goto done; + } + + if (EVP_PKEY_base_id(cert_pub_key) != EVP_PKEY_RSA) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected RSA public key, found unsupported [%d].\n", + EVP_PKEY_base_id(cert_pub_key)); + ret = EINVAL; + goto done; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RSA *rsa_pub_key = NULL; + rsa_pub_key = EVP_PKEY_get0_RSA(cert_pub_key); + if (rsa_pub_key == NULL) { + ret = ENOMEM; + goto done; + } + + RSA_get0_key(rsa_pub_key, &n, &e, NULL); +#else + n = cert_pub_key->pkey.rsa->n; + e = cert_pub_key->pkey.rsa->e; +#endif + modulus_len = BN_bn2bin(n, modulus); + exponent_len = BN_bn2bin(e, exponent); + + size = SSH_RSA_HEADER_LEN + 3 * sizeof(uint32_t) + + modulus_len + + exponent_len + + 1; /* see comment about missing 00 below */ + + buf = talloc_size(mem_ctx, size); + if (buf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + ret = ENOMEM; + goto done; + } + + c = 0; + + SAFEALIGN_SET_UINT32(buf, htobe32(SSH_RSA_HEADER_LEN), &c); + safealign_memcpy(&buf[c], SSH_RSA_HEADER, SSH_RSA_HEADER_LEN, &c); + SAFEALIGN_SET_UINT32(&buf[c], htobe32(exponent_len), &c); + safealign_memcpy(&buf[c], exponent, exponent_len, &c); + + /* Adding missing 00 which AFAIK is added to make sure + * the bigint is handled as positive number */ + /* TODO: make a better check if 00 must be added or not, e.g. ... 
& 0x80) + */ + SAFEALIGN_SET_UINT32(&buf[c], htobe32(modulus_len + 1), &c); + SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c); + safealign_memcpy(&buf[c], modulus, modulus_len, &c); + + *key_blob = buf; + *key_size = size; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(buf); + } + EVP_PKEY_free(cert_pub_key); + X509_free(cert); + + return ret; +} diff --git a/src/util/cert/nss/cert.c b/src/util/cert/nss/cert.c new file mode 100644 index 0000000..a8efef8 --- /dev/null +++ b/src/util/cert/nss/cert.c 
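Review bot: In `get_ssh_key_from_cert`, `BN_bn2bin(n, modulus)` and `BN_bn2bin(e, exponent)` write into fixed stack arrays of `OPENSSL_RSA_MAX_MODULUS_BITS/8` and `OPENSSL_RSA_MAX_PUBEXP_BITS/8` bytes without first checking the size of the numbers taken from the certificate. Nothing visible in this function bounds the key, so a certificate whose modulus or public exponent exceeds those limits would be written past the end of the arrays. A guard before the two calls, `if (BN_num_bytes(n) > (int) sizeof(modulus) || BN_num_bytes(e) > (int) sizeof(exponent)) { ret = EINVAL; goto done; }`, rejects such keys. The `(int) der_size` cast passed to `d2i_X509` here and in `sss_cert_der_to_pem` should likewise be preceded by a `der_size > INT_MAX` check.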
@@ -0,0 +1,337 @@ + +/* + SSSD - certificate handling utils - NSS version + + Copyright (C) Sumit Bose 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include + +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" +#include "util/cert.h" +#include "util/sss_endian.h" + +#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----" +#define NS_CERT_TRAILER "-----END CERTIFICATE-----" +#define NS_CERT_HEADER_LEN ((sizeof NS_CERT_HEADER) - 1) +#define NS_CERT_TRAILER_LEN ((sizeof NS_CERT_TRAILER) - 1) + +errno_t sss_cert_der_to_pem(TALLOC_CTX *mem_ctx, const uint8_t *der_blob, + size_t der_size, char **pem, size_t *pem_size) +{ + + CERTCertDBHandle *handle; + CERTCertificate *cert = NULL; + SECItem der_item; + char *ascii_crlf = NULL; + size_t ascii_crlf_len; + char *ascii_lf = NULL; + char *pem_cert_str = NULL; + int ret; + size_t c; + size_t d; + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "nspr_nss_init failed.\n"); + return ret; + } + + handle = CERT_GetDefaultCertDB(); + + der_item.len = der_size; + der_item.data = discard_const(der_blob); + + cert = CERT_NewTempCertificate(handle, &der_item, NULL, PR_FALSE, PR_TRUE); + if (cert == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_NewTempCertificate failed.\n"); + return EINVAL; + } + + ascii_crlf = 
BTOA_DataToAscii(cert->derCert.data, cert->derCert.len); + if (ascii_crlf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "BTOA_DataToAscii failed.\n"); + ret = EIO; + goto done; + } + + ascii_crlf_len = strlen(ascii_crlf) + 1; + ascii_lf = talloc_size(mem_ctx, ascii_crlf_len * sizeof(char)); + if (ascii_lf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "malloc failed.\n"); + ret = ENOMEM; + goto done; + } + + d = 0; + for (c = 0; c < ascii_crlf_len; c++) { + if (ascii_crlf[c] != '\r') { + ascii_lf[d++] = ascii_crlf[c]; + } + } + + pem_cert_str = talloc_asprintf(mem_ctx, "%s\n%s\n%s\n", NS_CERT_HEADER, + ascii_lf, + NS_CERT_TRAILER); + if (pem_cert_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + if (pem_size != NULL) { + *pem_size = strlen(pem_cert_str); + } + + if (pem != NULL) { + *pem = pem_cert_str; + pem_cert_str = NULL; + } + + ret = EOK; +done: + talloc_free(pem_cert_str); + talloc_free(ascii_lf); + PORT_Free(ascii_crlf); + CERT_DestroyCertificate(cert); + + return ret; +} + +errno_t sss_cert_pem_to_der(TALLOC_CTX *mem_ctx, const char *pem, + uint8_t **_der_blob, size_t *_der_size) +{ + const char *ps; + const char *pe; + size_t pem_len; + uint8_t *der_blob = NULL; + unsigned int der_size; /* unsigned int to match 2nd parameter of + ATOB_AsciiToData */ + CERTCertDBHandle *handle; + CERTCertificate *cert = NULL; + SECItem der_item; + int ret; + char *b64 = NULL; + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "nspr_nss_init failed.\n"); + return ret; + } + + if (pem == NULL || *pem == '\0') { + return EINVAL; + } + + if ((pem = strstr(pem, NS_CERT_HEADER)) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing PEM header."); + return EINVAL; + } + + pem_len = strlen(pem); + if (pem_len <= NS_CERT_HEADER_LEN + NS_CERT_TRAILER_LEN) { + DEBUG(SSSDBG_CRIT_FAILURE, "PEM data too short.\n"); + return EINVAL; + } + + if (pem[NS_CERT_HEADER_LEN] != '\n') { + 
DEBUG(SSSDBG_CRIT_FAILURE, "Missing newline in PEM data.\n"); + return EINVAL; + } + + pe = pem + pem_len - NS_CERT_TRAILER_LEN; + if (pem[pem_len - 1] == '\n') { + pe--; + } + if (strncmp(pe, NS_CERT_TRAILER, NS_CERT_TRAILER_LEN) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Wrong PEM trailer.\n"); + return EINVAL; + } + + ps = pem + NS_CERT_HEADER_LEN + 1; + + b64 = talloc_strndup(mem_ctx, ps, pe - ps); + if(b64 == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strndup failed.\n"); + ret = ENOMEM; + goto done; + } + + der_blob = ATOB_AsciiToData(b64, &der_size); + if (der_blob == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "ATOB_AsciiToData failed.\n"); + return EIO; + } + + handle = CERT_GetDefaultCertDB(); + + der_item.len = der_size; + der_item.data = der_blob; + + cert = CERT_NewTempCertificate(handle, &der_item, NULL, PR_FALSE, PR_TRUE); + if (cert == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_NewTempCertificate failed.\n"); + ret = EINVAL; + goto done; + } + + if (_der_blob != NULL) { + *_der_blob = talloc_memdup(mem_ctx, cert->derCert.data, + cert->derCert.len); + if (*_der_blob == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_memdup failed.\n"); + ret = ENOMEM; + goto done; + } + } + + if (_der_size != NULL) { + *_der_size = cert->derCert.len; + } +done: + PORT_Free(der_blob); + talloc_free(b64); + CERT_DestroyCertificate(cert); + + return ret; +} + +#define SSH_RSA_HEADER "ssh-rsa" +#define SSH_RSA_HEADER_LEN (sizeof(SSH_RSA_HEADER) - 1) + +errno_t get_ssh_key_from_cert(TALLOC_CTX *mem_ctx, + uint8_t *der_blob, size_t der_size, + uint8_t **key_blob, size_t *key_size) +{ + CERTCertDBHandle *handle; + CERTCertificate *cert = NULL; + SECItem der_item; + SECKEYPublicKey *cert_pub_key = NULL; + int ret; + size_t size; + uint8_t *buf = NULL; + size_t c; + size_t exponent_prefix_len; + size_t modulus_prefix_len; + + if (der_blob == NULL || der_size == 0) { + return EINVAL; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EIO; + goto done; + } + 
+ handle = CERT_GetDefaultCertDB(); + + der_item.len = der_size; + der_item.data = discard_const(der_blob); + + cert = CERT_NewTempCertificate(handle, &der_item, NULL, PR_FALSE, PR_TRUE); + if (cert == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_NewTempCertificate failed.\n"); + ret = EINVAL; + goto done; + } + + cert_pub_key = CERT_ExtractPublicKey(cert); + if (cert_pub_key == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "CERT_ExtractPublicKey failed.\n"); + ret = EIO; + goto done; + } + + if (cert_pub_key->keyType != rsaKey) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected RSA public key, found unsupported [%d].\n", + cert_pub_key->keyType); + ret = EINVAL; + goto done; + } + + /* Looks like nss drops the leading 00 which AFAIK is added to make sure + * the bigint is handled as positive number if the leading bit is set. */ + exponent_prefix_len = 0; + if (cert_pub_key->u.rsa.publicExponent.data[0] & 0x80) { + exponent_prefix_len = 1; + } + + modulus_prefix_len = 0; + if (cert_pub_key->u.rsa.modulus.data[0] & 0x80) { + modulus_prefix_len = 1; + } + size = SSH_RSA_HEADER_LEN + 3 * sizeof(uint32_t) + + cert_pub_key->u.rsa.modulus.len + + cert_pub_key->u.rsa.publicExponent.len + + exponent_prefix_len + modulus_prefix_len; + + buf = talloc_size(mem_ctx, size); + if (buf == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_size failed.\n"); + ret = ENOMEM; + goto done; + } + + c = 0; + + SAFEALIGN_SET_UINT32(buf, htobe32(SSH_RSA_HEADER_LEN), &c); + safealign_memcpy(&buf[c], SSH_RSA_HEADER, SSH_RSA_HEADER_LEN, &c); + SAFEALIGN_SET_UINT32(&buf[c], + htobe32(cert_pub_key->u.rsa.publicExponent.len + + exponent_prefix_len), &c); + if (exponent_prefix_len == 1) { + SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c); + } + safealign_memcpy(&buf[c], cert_pub_key->u.rsa.publicExponent.data, + cert_pub_key->u.rsa.publicExponent.len, &c); + + SAFEALIGN_SET_UINT32(&buf[c], + htobe32(cert_pub_key->u.rsa.modulus.len + + modulus_prefix_len ), &c); + if (modulus_prefix_len == 1) { + 
SAFEALIGN_SETMEM_VALUE(&buf[c], '\0', unsigned char, &c); + } + safealign_memcpy(&buf[c], cert_pub_key->u.rsa.modulus.data, + cert_pub_key->u.rsa.modulus.len, &c); + + *key_blob = buf; + *key_size = size; + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(buf); + } + SECKEY_DestroyPublicKey(cert_pub_key); + CERT_DestroyCertificate(cert); + + return ret; +} diff --git a/src/util/check_and_open.c b/src/util/check_and_open.c new file mode 100644 index 0000000..b40ae20 --- /dev/null +++ b/src/util/check_and_open.c 
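Review bot: In sss_cert_pem_to_der() the failure branch after `ATOB_AsciiToData()` does `return EIO;`, which skips the `done:` label and leaks `b64` on `mem_ctx`; the other failures after `talloc_strndup()` use `goto done`. I would change it to `ret = EIO; goto done;`, since the cleanup at `done:` is already reached with `der_blob` and `cert` still NULL from the `b64 == NULL` branch. Separately, get_ssh_key_from_cert() reads `publicExponent.data[0]` and `modulus.data[0]` without checking the matching `len`. Because the DER comes from a certificate, a guard such as `if (cert_pub_key->u.rsa.modulus.len == 0 || cert_pub_key->u.rsa.publicExponent.len == 0) { ret = EINVAL; goto done; }` before those reads would be cheap, assuming NSS can hand back an empty item here.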
@@ -0,0 +1,152 @@ +/* + SSSD + + Check file permissions and open file + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include + +#include "util/util.h" + +static errno_t perform_checks(struct stat *stat_buf, + uid_t uid, gid_t gid, + mode_t mode, mode_t mask); + +errno_t check_file(const char *filename, + uid_t uid, uid_t gid, mode_t mode, mode_t mask, + struct stat *caller_stat_buf, bool follow_symlink) +{ + int ret; + struct stat local_stat_buf; + struct stat *stat_buf; + + if (caller_stat_buf == NULL) { + stat_buf = &local_stat_buf; + } else { + stat_buf = caller_stat_buf; + } + + if (follow_symlink) { + ret = stat(filename, stat_buf); + } else { + ret = lstat(filename, stat_buf); + } + if (ret == -1) { + DEBUG(SSSDBG_TRACE_FUNC, "lstat for [%s] failed: [%d][%s].\n", + filename, errno, strerror(errno)); + return errno; + } + + return perform_checks(stat_buf, uid, gid, mode, mask); +} + +errno_t check_fd(int fd, uid_t uid, gid_t gid, + mode_t mode, mode_t mask, + struct stat *caller_stat_buf) +{ + int ret; + struct stat local_stat_buf; + struct stat *stat_buf; + + if (caller_stat_buf == NULL) { + stat_buf = &local_stat_buf; + } else { + stat_buf = caller_stat_buf; + } + + ret = fstat(fd, stat_buf); + if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "fstat for [%d] failed: [%d][%s].\n", fd, errno, + strerror(errno)); + return 
errno; + } + + return perform_checks(stat_buf, uid, gid, mode, mask); +} + +static errno_t perform_checks(struct stat *stat_buf, + uid_t uid, gid_t gid, + mode_t mode, mode_t mask) +{ + mode_t st_mode; + + if (mask) { + st_mode = stat_buf->st_mode & mask; + } else { + st_mode = stat_buf->st_mode & (S_IFMT|ALLPERMS); + } + + if ((mode & S_IFMT) != (st_mode & S_IFMT)) { + DEBUG(SSSDBG_TRACE_LIBS, "File is not the right type.\n"); + return EINVAL; + } + + if ((st_mode & ALLPERMS) != (mode & ALLPERMS)) { + DEBUG(SSSDBG_TRACE_LIBS, + "File has the wrong (bit masked) mode [%.7o], " + "expected [%.7o].\n", + (st_mode & ALLPERMS), (mode & ALLPERMS)); + return EINVAL; + } + + if (uid != (uid_t)(-1) && stat_buf->st_uid != uid) { + DEBUG(SSSDBG_TRACE_LIBS, "File must be owned by uid [%d].\n", uid); + return EINVAL; + } + + if (gid != (gid_t)(-1) && stat_buf->st_gid != gid) { + DEBUG(SSSDBG_TRACE_LIBS, "File must be owned by gid [%d].\n", gid); + return EINVAL; + } + + return EOK; +} + +errno_t check_and_open_readonly(const char *filename, int *fd, + uid_t uid, gid_t gid, + mode_t mode, mode_t mask) +{ + int ret; + struct stat stat_buf; + + *fd = open(filename, O_RDONLY); + if (*fd == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "open [%s] failed: [%d][%s].\n", filename, errno, + strerror(errno)); + return errno; + } + + ret = check_fd(*fd, uid, gid, mode, mask, &stat_buf); + if (ret != EOK) { + close(*fd); + *fd = -1; + DEBUG(SSSDBG_CRIT_FAILURE, "check_fd failed.\n"); + return ret; + } + + return EOK; +} + diff --git a/src/util/child_common.c b/src/util/child_common.c new file mode 100644 index 0000000..203c115 --- /dev/null +++ b/src/util/child_common.c 
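Review bot: check_file(), check_fd() and check_and_open_readonly() all `return errno;` after the DEBUG() call that formats `strerror(errno)`, so the value returned is whatever errno holds once logging has finished. If the logging path changes errno (not visible in this hunk), these permission checks can return the wrong code, and a 0 would read as EOK to the caller. child_common.c in this same patch saves the value first; doing the same here, `ret = errno;` before DEBUG() and `return ret;` after, keeps the result tied to the failed stat/fstat/open. Also, check_file() declares `uid_t gid` where the other functions use `gid_t gid`, and its message says `lstat` even on the stat() path.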
@@ -0,0 +1,833 @@ +/* + SSSD + + Common helper functions to be used in child processes + + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/find_uid.h" +#include "db/sysdb.h" +#include "util/child_common.h" + +struct sss_sigchild_ctx { + struct tevent_context *ev; + hash_table_t *children; + int options; +}; + +struct sss_child_ctx { + pid_t pid; + sss_child_fn_t cb; + void *pvt; + struct sss_sigchild_ctx *sigchld_ctx; +}; + +static void sss_child_handler(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data); + +errno_t sss_sigchld_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct sss_sigchild_ctx **child_ctx) +{ + errno_t ret; + struct sss_sigchild_ctx *sigchld_ctx; + struct tevent_signal *tes; + + sigchld_ctx = talloc_zero(mem_ctx, struct sss_sigchild_ctx); + if (!sigchld_ctx) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fatal error initializing sss_sigchild_ctx\n"); + return ENOMEM; + } + sigchld_ctx->ev = ev; + + ret = sss_hash_create(sigchld_ctx, 10, &sigchld_ctx->children); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fatal error initializing children hash table: [%s]\n", + strerror(ret)); + talloc_free(sigchld_ctx); + return ret; + } + + BlockSignals(false, SIGCHLD); + tes = 
tevent_add_signal(ev, sigchld_ctx, SIGCHLD, SA_SIGINFO, + sss_child_handler, sigchld_ctx); + if (tes == NULL) { + talloc_free(sigchld_ctx); + return EIO; + } + + *child_ctx = sigchld_ctx; + return EOK; +} + +static int sss_child_destructor(void *ptr) +{ + struct sss_child_ctx *child_ctx; + hash_key_t key; + int error; + + child_ctx = talloc_get_type(ptr, struct sss_child_ctx); + key.type = HASH_KEY_ULONG; + key.ul = child_ctx->pid; + + error = hash_delete(child_ctx->sigchld_ctx->children, &key); + if (error != HASH_SUCCESS && error != HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "failed to delete child_ctx from hash table [%d]: %s\n", + error, hash_error_string(error)); + } + + return 0; +} + +errno_t sss_child_register(TALLOC_CTX *mem_ctx, + struct sss_sigchild_ctx *sigchld_ctx, + pid_t pid, + sss_child_fn_t cb, + void *pvt, + struct sss_child_ctx **child_ctx) +{ + struct sss_child_ctx *child; + hash_key_t key; + hash_value_t value; + int error; + + child = talloc_zero(mem_ctx, struct sss_child_ctx); + if (child == NULL) { + return ENOMEM; + } + + child->pid = pid; + child->cb = cb; + child->pvt = pvt; + child->sigchld_ctx = sigchld_ctx; + + key.type = HASH_KEY_ULONG; + key.ul = pid; + + value.type = HASH_VALUE_PTR; + value.ptr = child; + + error = hash_enter(sigchld_ctx->children, &key, &value); + if (error != HASH_SUCCESS) { + talloc_free(child); + return ENOMEM; + } + + talloc_set_destructor((TALLOC_CTX *) child, sss_child_destructor); + + *child_ctx = child; + return EOK; +} + +struct sss_child_cb_pvt { + struct sss_child_ctx *child_ctx; + int wait_status; +}; + +static void sss_child_invoke_cb(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + struct sss_child_cb_pvt *cb_pvt; + struct sss_child_ctx *child_ctx; + hash_key_t key; + int error; + + cb_pvt = talloc_get_type(pvt, struct sss_child_cb_pvt); + child_ctx = cb_pvt->child_ctx; + + key.type = HASH_KEY_ULONG; + key.ul = child_ctx->pid; + + error = 
hash_delete(child_ctx->sigchld_ctx->children, &key); + if (error != HASH_SUCCESS && error != HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_OP_FAILURE, + "failed to delete child_ctx from hash table [%d]: %s\n", + error, hash_error_string(error)); + } + + if (child_ctx->cb) { + child_ctx->cb(child_ctx->pid, cb_pvt->wait_status, child_ctx->pvt); + } + + talloc_free(imm); +} + +static void sss_child_handler(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + struct sss_sigchild_ctx *sigchld_ctx; + struct tevent_immediate *imm; + struct sss_child_cb_pvt *invoke_pvt; + struct sss_child_ctx *child_ctx; + hash_key_t key; + hash_value_t value; + int error; + int wait_status; + pid_t pid; + + sigchld_ctx = talloc_get_type(private_data, struct sss_sigchild_ctx); + key.type = HASH_KEY_ULONG; + + do { + do { + errno = 0; + pid = waitpid(-1, &wait_status, WNOHANG | sigchld_ctx->options); + } while (pid == -1 && errno == EINTR); + + if (pid == -1) { + DEBUG(SSSDBG_TRACE_INTERNAL, + "waitpid failed [%d]: %s\n", errno, strerror(errno)); + return; + } else if (pid == 0) continue; + + key.ul = pid; + error = hash_lookup(sigchld_ctx->children, &key, &value); + if (error == HASH_SUCCESS) { + child_ctx = talloc_get_type(value.ptr, struct sss_child_ctx); + + imm = tevent_create_immediate(child_ctx); + if (imm == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Out of memory invoking SIGCHLD callback\n"); + return; + } + + invoke_pvt = talloc_zero(child_ctx, struct sss_child_cb_pvt); + if (invoke_pvt == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "out of memory invoking SIGCHLD callback\n"); + return; + } + invoke_pvt->child_ctx = child_ctx; + invoke_pvt->wait_status = wait_status; + + tevent_schedule_immediate(imm, sigchld_ctx->ev, + sss_child_invoke_cb, invoke_pvt); + } else if (error == HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_TRACE_LIBS, + "BUG: waitpid() returned [%d] but it was not in the table. 
" + "This could be due to a linked library creating processes " + "without registering them with the sigchld handler\n", + pid); + /* We will simply ignore this and return to the loop + * This will prevent a zombie, but may cause unexpected + * behavior in the code that was trying to handle this + * pid. + */ + } else { + DEBUG(SSSDBG_OP_FAILURE, + "SIGCHLD hash table error [%d]: %s\n", + error, hash_error_string(error)); + /* This is bad, but we should try to check for other + * children anyway, to avoid potential zombies. + */ + } + } while (pid != 0); +} + +struct sss_child_ctx_old { + struct tevent_signal *sige; + pid_t pid; + int child_status; + sss_child_callback_t cb; + void *pvt; +}; + +static void child_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt); + +int child_handler_setup(struct tevent_context *ev, int pid, + sss_child_callback_t cb, void *pvt, + struct sss_child_ctx_old **_child_ctx) +{ + struct sss_child_ctx_old *child_ctx; + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Setting up signal handler up for pid [%d]\n", pid); + + child_ctx = talloc_zero(ev, struct sss_child_ctx_old); + if (child_ctx == NULL) { + return ENOMEM; + } + + child_ctx->sige = tevent_add_signal(ev, child_ctx, SIGCHLD, SA_SIGINFO, + child_sig_handler, child_ctx); + if(!child_ctx->sige) { + /* Error setting up signal handler */ + talloc_free(child_ctx); + return ENOMEM; + } + + child_ctx->pid = pid; + child_ctx->cb = cb; + child_ctx->pvt = pvt; + + DEBUG(SSSDBG_TRACE_INTERNAL, "Signal handler set up for pid [%d]\n", pid); + + if (_child_ctx != NULL) { + *_child_ctx = child_ctx; + } + + return EOK; +} + +void child_handler_destroy(struct sss_child_ctx_old *ctx) +{ + errno_t ret; + + /* We still want to wait for the child to finish, but the caller is not + * interested in the result anymore (e.g. timeout was reached). 
*/ + ctx->cb = NULL; + ctx->pvt = NULL; + + ret = kill(ctx->pid, SIGKILL); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, "kill failed [%d][%s].\n", ret, strerror(ret)); + } +} + +/* Async communication with the child process via a pipe */ + +struct write_pipe_state { + int fd; + uint8_t *buf; + size_t len; + ssize_t written; +}; + +static void write_pipe_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *pvt); + +struct tevent_req *write_pipe_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + uint8_t *buf, size_t len, int fd) +{ + struct tevent_req *req; + struct write_pipe_state *state; + struct tevent_fd *fde; + + req = tevent_req_create(mem_ctx, &state, struct write_pipe_state); + if (req == NULL) return NULL; + + state->fd = fd; + state->buf = buf; + state->len = len; + state->written = 0; + + fde = tevent_add_fd(ev, state, fd, TEVENT_FD_WRITE, + write_pipe_handler, req); + if (fde == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd failed.\n"); + goto fail; + } + + return req; + +fail: + talloc_zfree(req); + return NULL; +} + +static void write_pipe_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct write_pipe_state *state = tevent_req_data(req, + struct write_pipe_state); + errno_t ret; + + if (flags & TEVENT_FD_READ) { + DEBUG(SSSDBG_CRIT_FAILURE, + "write_pipe_done called with TEVENT_FD_READ," + " this should not happen.\n"); + tevent_req_error(req, EINVAL); + return; + } + + errno = 0; + state->written = sss_atomic_write_s(state->fd, state->buf, state->len); + if (state->written == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "write failed [%d][%s].\n", ret, strerror(ret)); + tevent_req_error(req, ret); + return; + } + + if (state->len != state->written) { + DEBUG(SSSDBG_CRIT_FAILURE, "Wrote %zd bytes, expected %zu\n", + state->written, state->len); + tevent_req_error(req, 
EIO); + return; + } + + DEBUG(SSSDBG_TRACE_FUNC, "All data has been sent!\n"); + tevent_req_done(req); + return; +} + +int write_pipe_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + +struct read_pipe_state { + int fd; + uint8_t *buf; + size_t len; +}; + +static void read_pipe_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *pvt); + +struct tevent_req *read_pipe_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, int fd) +{ + struct tevent_req *req; + struct read_pipe_state *state; + struct tevent_fd *fde; + + req = tevent_req_create(mem_ctx, &state, struct read_pipe_state); + if (req == NULL) return NULL; + + state->fd = fd; + state->buf = NULL; + state->len = 0; + + fde = tevent_add_fd(ev, state, fd, TEVENT_FD_READ, + read_pipe_handler, req); + if (fde == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd failed.\n"); + goto fail; + } + + return req; + +fail: + talloc_zfree(req); + return NULL; +} + +static void read_pipe_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, void *pvt) +{ + struct tevent_req *req = talloc_get_type(pvt, struct tevent_req); + struct read_pipe_state *state = tevent_req_data(req, + struct read_pipe_state); + ssize_t size; + errno_t err; + uint8_t buf[CHILD_MSG_CHUNK]; + + if (flags & TEVENT_FD_WRITE) { + DEBUG(SSSDBG_CRIT_FAILURE, "read_pipe_done called with TEVENT_FD_WRITE," + " this should not happen.\n"); + tevent_req_error(req, EINVAL); + return; + } + + size = sss_atomic_read_s(state->fd, + buf, + CHILD_MSG_CHUNK); + if (size == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "read failed [%d][%s].\n", err, strerror(err)); + tevent_req_error(req, err); + return; + + } else if (size > 0) { + state->buf = talloc_realloc(state, state->buf, uint8_t, + state->len + size); + if(!state->buf) { + tevent_req_error(req, ENOMEM); + return; + } + + safealign_memcpy(&state->buf[state->len], buf, + size, &state->len); + return; + + } else 
if (size == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "EOF received, client finished\n"); + tevent_req_done(req); + return; + + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "unexpected return value of read [%zd].\n", size); + tevent_req_error(req, EINVAL); + return; + } +} + +int read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + uint8_t **buf, ssize_t *len) +{ + struct read_pipe_state *state; + state = tevent_req_data(req, struct read_pipe_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + *buf = talloc_steal(mem_ctx, state->buf); + *len = state->len; + + return EOK; +} + +static void child_invoke_callback(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt); +static void child_sig_handler(struct tevent_context *ev, + struct tevent_signal *sige, int signum, + int count, void *__siginfo, void *pvt) +{ + int ret, err; + struct sss_child_ctx_old *child_ctx; + struct tevent_immediate *imm; + + if (count <= 0) { + DEBUG(SSSDBG_FATAL_FAILURE, + "SIGCHLD handler called with invalid child count\n"); + return; + } + + child_ctx = talloc_get_type(pvt, struct sss_child_ctx_old); + DEBUG(SSSDBG_TRACE_LIBS, "Waiting for child [%d].\n", child_ctx->pid); + + errno = 0; + ret = waitpid(child_ctx->pid, &child_ctx->child_status, WNOHANG); + + if (ret == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "waitpid failed [%d][%s].\n", err, strerror(err)); + } else if (ret == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "waitpid did not found a child with changed status.\n"); + } else { + if (WIFEXITED(child_ctx->child_status)) { + if (WEXITSTATUS(child_ctx->child_status) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child [%d] failed with status [%d].\n", ret, + WEXITSTATUS(child_ctx->child_status)); + } else { + DEBUG(SSSDBG_CONF_SETTINGS, + "child [%d] finished successfully.\n", ret); + } + } else if (WIFSIGNALED(child_ctx->child_status)) { + DEBUG(SSSDBG_CRIT_FAILURE, + "child [%d] was terminated by signal [%d].\n", ret, + WTERMSIG(child_ctx->child_status)); + } else { + if 
(WIFSTOPPED(child_ctx->child_status)) { + DEBUG(SSSDBG_TRACE_LIBS, + "child [%d] was stopped by signal [%d].\n", ret, + WSTOPSIG(child_ctx->child_status)); + } + if (WIFCONTINUED(child_ctx->child_status) == true) { + DEBUG(SSSDBG_TRACE_LIBS, + "child [%d] was resumed by delivery of SIGCONT.\n", + ret); + } + + return; + } + + /* Invoke the callback in a tevent_immediate handler + * so that it is safe to free the tevent_signal * + */ + imm = tevent_create_immediate(child_ctx); + if (imm == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Out of memory invoking sig handler callback\n"); + return; + } + + tevent_schedule_immediate(imm, ev, child_invoke_callback, + child_ctx); + } + + return; +} + +static void child_invoke_callback(struct tevent_context *ev, + struct tevent_immediate *imm, + void *pvt) +{ + struct sss_child_ctx_old *child_ctx = + talloc_get_type(pvt, struct sss_child_ctx_old); + if (child_ctx->cb) { + child_ctx->cb(child_ctx->child_status, child_ctx->sige, child_ctx->pvt); + } + + /* Stop monitoring for this child */ + talloc_free(child_ctx); +} + +static errno_t prepare_child_argv(TALLOC_CTX *mem_ctx, + int child_debug_fd, + const char *binary, + const char *extra_argv[], + bool extra_args_only, + char ***_argv) +{ + /* + * program name, debug_level, debug_timestamps, + * debug_microseconds and NULL + */ + uint_t argc = 5; + char ** argv = NULL; + errno_t ret = EINVAL; + size_t i; + + if (extra_args_only) { + argc = 2; /* program name and NULL */ + } + + /* Save the current state in case an interrupt changes it */ + bool child_debug_timestamps = debug_timestamps; + bool child_debug_microseconds = debug_microseconds; + + if (!extra_args_only) { + argc++; + } + + if (extra_argv) { + for (i = 0; extra_argv[i]; i++) argc++; + } + + /* + * program name, debug_level, debug_to_file, debug_timestamps, + * debug_microseconds and NULL + */ + argv = talloc_array(mem_ctx, char *, argc); + if (argv == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); + 
return ENOMEM; + } + + argv[--argc] = NULL; + + /* Add extra_attrs first */ + if (extra_argv) { + for (i = 0; extra_argv[i]; i++) { + argv[--argc] = talloc_strdup(argv, extra_argv[i]); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + } + } + + if (!extra_args_only) { + argv[--argc] = talloc_asprintf(argv, "--debug-level=%#.4x", + debug_level); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + + if (sss_logger == FILES_LOGGER) { + argv[--argc] = talloc_asprintf(argv, "--debug-fd=%d", + child_debug_fd); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + } else { + argv[--argc] = talloc_asprintf(argv, "--logger=%s", + sss_logger_str[sss_logger]); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + } + + argv[--argc] = talloc_asprintf(argv, "--debug-timestamps=%d", + child_debug_timestamps); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + + argv[--argc] = talloc_asprintf(argv, "--debug-microseconds=%d", + child_debug_microseconds); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + } + + argv[--argc] = talloc_strdup(argv, binary); + if (argv[argc] == NULL) { + ret = ENOMEM; + goto fail; + } + + if (argc != 0) { + ret = EINVAL; + goto fail; + } + + *_argv = argv; + + return EOK; + +fail: + talloc_free(argv); + return ret; +} + +void exec_child_ex(TALLOC_CTX *mem_ctx, + int *pipefd_to_child, int *pipefd_from_child, + const char *binary, int debug_fd, + const char *extra_argv[], bool extra_args_only, + int child_in_fd, int child_out_fd) +{ + int ret; + errno_t err; + char **argv; + + close(pipefd_to_child[1]); + ret = dup2(pipefd_to_child[0], child_in_fd); + if (ret == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "dup2 failed [%d][%s].\n", err, strerror(err)); + exit(EXIT_FAILURE); + } + + close(pipefd_from_child[0]); + ret = dup2(pipefd_from_child[1], child_out_fd); + if (ret == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "dup2 failed [%d][%s].\n", err, strerror(err)); + 
exit(EXIT_FAILURE); + } + + ret = prepare_child_argv(mem_ctx, debug_fd, + binary, extra_argv, extra_args_only, + &argv); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "prepare_child_argv.\n"); + exit(EXIT_FAILURE); + } + + execv(binary, argv); + err = errno; + DEBUG(SSSDBG_OP_FAILURE, "execv failed [%d][%s].\n", err, strerror(err)); + exit(EXIT_FAILURE); +} + +void exec_child(TALLOC_CTX *mem_ctx, + int *pipefd_to_child, int *pipefd_from_child, + const char *binary, int debug_fd) +{ + exec_child_ex(mem_ctx, pipefd_to_child, pipefd_from_child, + binary, debug_fd, NULL, false, + STDIN_FILENO, STDOUT_FILENO); +} + +int child_io_destructor(void *ptr) +{ + int ret; + struct child_io_fds *io = talloc_get_type(ptr, struct child_io_fds); + if (io == NULL) return EOK; + + if (io->write_to_child_fd != -1) { + ret = close(io->write_to_child_fd); + io->write_to_child_fd = -1; + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "close failed [%d][%s].\n", ret, strerror(ret)); + } + } + + if (io->read_from_child_fd != -1) { + ret = close(io->read_from_child_fd); + io->read_from_child_fd = -1; + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "close failed [%d][%s].\n", ret, strerror(ret)); + } + } + + return EOK; +} + +errno_t child_debug_init(const char *logfile, int *debug_fd) +{ + int ret; + FILE *debug_filep; + + if (debug_fd == NULL) { + return EOK; + } + + if (sss_logger == FILES_LOGGER && *debug_fd == -1) { + ret = open_debug_file_ex(logfile, &debug_filep, false); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) [%s]\n", + ret, sss_strerror(ret)); + return ret; + } + + *debug_fd = fileno(debug_filep); + if (*debug_fd == -1) { + DEBUG(SSSDBG_FATAL_FAILURE, + "fileno failed [%d][%s]\n", errno, strerror(errno)); + ret = errno; + return ret; + } + } + + return EOK; +} diff --git a/src/util/child_common.h b/src/util/child_common.h new file mode 100644 index 0000000..37116e2 --- /dev/null 
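Review bot: exec_child_ex() leaves the original pipe descriptors open after each dup2(): `pipefd_to_child[0]` and `pipefd_from_child[1]` are duplicated onto `child_in_fd`/`child_out_fd` but never closed, so the executed helper inherits them in addition to the two it is meant to have. Closing them when they differ from the target, `if (pipefd_to_child[0] != child_in_fd) close(pipefd_to_child[0]);` and `if (pipefd_from_child[1] != child_out_fd) close(pipefd_from_child[1]);`, keeps the helper's descriptor set to what the caller asked for. Whether the pipes or other parent descriptors are opened close-on-exec is not visible here, so that is worth confirming at the call sites. A comment on prepare_child_argv() would also help: it fills argv from the end, so `extra_argv` entries land in reverse order.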
+++ b/src/util/child_common.h 
@@ -0,0 +1,124 @@
+/*
+ SSSD
+
+ Common helper functions to be used in child processes
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __CHILD_COMMON_H__
+#define __CHILD_COMMON_H__
+
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+
+#define IN_BUF_SIZE 512
+#define CHILD_MSG_CHUNK 256
+
+#define SIGTERM_TO_SIGKILL_TIME 2
+#define CHILD_TIMEOUT_EXIT_CODE 7
+
+struct response {
+ uint8_t *buf;
+ size_t size;
+};
+
+struct io_buffer {
+ uint8_t *data;
+ size_t size;
+};
+
+struct child_io_fds {
+ int read_from_child_fd;
+ int write_to_child_fd;
+};
+
+/* COMMON SIGCHLD HANDLING */
+typedef void (*sss_child_fn_t)(int pid, int wait_status, void *pvt);
+
+struct sss_sigchild_ctx;
+struct sss_child_ctx;
+
+/* Create a new child context to manage callbacks */
+errno_t sss_sigchld_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sss_sigchild_ctx **child_ctx);
+
+errno_t sss_child_register(TALLOC_CTX *mem_ctx,
+ struct sss_sigchild_ctx *sigchld_ctx,
+ pid_t pid,
+ sss_child_fn_t cb,
+ void *pvt,
+ struct sss_child_ctx **child_ctx);
+
+/* Callback to be invoked when a sigchld handler is called.
+ * The tevent_signal * associated with the handler will be
+ * freed automatically when this function returns.
+ */
+typedef void (*sss_child_callback_t)(int child_status,
+ struct tevent_signal *sige,
+ void *pvt);
+
+struct sss_child_ctx_old;
+
+/* Set up child termination signal handler */
+int child_handler_setup(struct tevent_context *ev, int pid,
+ sss_child_callback_t cb, void *pvt,
+ struct sss_child_ctx_old **_child_ctx);
+
+/* Destroy child termination signal handler */
+void child_handler_destroy(struct sss_child_ctx_old *ctx);
+
+/* Async communication with the child process via a pipe */
+struct tevent_req *write_pipe_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ uint8_t *buf, size_t len, int fd);
+int write_pipe_recv(struct tevent_req *req);
+
+struct tevent_req *read_pipe_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev, int fd);
+int read_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ uint8_t **buf, ssize_t *len);
+
+/* The pipes to communicate with the child must be nonblocking */
+void fd_nonblocking(int fd);
+
+/* Never returns EOK, ether returns an error, or doesn't return on success */
+void exec_child_ex(TALLOC_CTX *mem_ctx,
+ int *pipefd_to_child, int *pipefd_from_child,
+ const char *binary, int debug_fd,
+ const char *extra_argv[], bool extra_args_only,
+ int child_in_fd, int child_out_fd);
+
+/* Same as exec_child_ex() except child_in_fd is set to STDIN_FILENO and
+ * child_out_fd is set to STDOUT_FILENO and extra_argv is always NULL.
+ */
+void exec_child(TALLOC_CTX *mem_ctx,
+ int *pipefd_to_child, int *pipefd_from_child,
+ const char *binary, int debug_fd);
+
+int child_io_destructor(void *ptr);
+
+errno_t child_debug_init(const char *logfile, int *debug_fd);
+
+#endif /* __CHILD_COMMON_H__ */
diff --git a/src/util/crypto/libcrypto/crypto_base64.c b/src/util/crypto/libcrypto/crypto_base64.c
new file mode 100644
index 0000000..11a0648
--- /dev/null
+++ b/src/util/crypto/libcrypto/crypto_base64.c
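Review bot: The comment on `exec_child_ex` says it "Never returns EOK, ether returns an error", but the prototype is `void`, so no error can reach the caller. The tail of the function visible in child_common.c ends in `exit(EXIT_FAILURE)` after a failed `execv()`, which suggests every failure path terminates the child (the start of that body is outside this view). I would reword the comment to `/* Does not return: on success execv() replaces the process image, on failure the child calls exit(EXIT_FAILURE). */` so callers do not write unreachable error handling after the call.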
@@ -0,0 +1,133 @@ +/* + Authors: + Jan Cholasta + George McCollister + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +#include +#include + +char *sss_base64_encode(TALLOC_CTX *mem_ctx, + const unsigned char *in, + size_t insize) +{ + char *b64encoded = NULL, *outbuf = NULL; + int i, j, b64size; + BIO *bmem, *b64; + + b64 = BIO_new(BIO_f_base64()); + if (!b64) return NULL; + + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + bmem = BIO_new(BIO_s_mem()); + if (!bmem) goto done; + + b64 = BIO_push(b64, bmem); + + BIO_write(b64, in, insize); + + (void) BIO_flush(b64); + + b64size = BIO_get_mem_data(bmem, &b64encoded); + if (b64encoded) { + outbuf = talloc_array(mem_ctx, char, b64size+1); + if (outbuf == NULL) goto done; + + for (i=0, j=0; i < b64size; i++) { + if (b64encoded[i] == '\n' || b64encoded[i] == '\r') { + continue; + } + outbuf[j++] = b64encoded[i]; + } + outbuf[j++] = '\0'; + } + +done: + BIO_free_all(b64); + return outbuf; +} + +unsigned char *sss_base64_decode(TALLOC_CTX *mem_ctx, + const char *in, + size_t *outsize) +{ + unsigned char *outbuf = NULL; + unsigned char *b64decoded = NULL; + unsigned char inbuf[512]; + char * in_dup; + int size, inlen = strlen(in); + BIO *bmem, *b64, *bmem_out; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return NULL; + } + + in_dup = 
talloc_size(tmp_ctx, inlen+1); + if (!in_dup) goto done; + memcpy(in_dup, in, inlen+1); + + b64 = BIO_new(BIO_f_base64()); + if (!b64) goto done; + + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + + bmem = BIO_new_mem_buf(in_dup, -1); + if (!bmem) { + BIO_free(b64); + goto done; + } + + b64 = BIO_push(b64, bmem); + + bmem_out = BIO_new(BIO_s_mem()); + if (!bmem_out) { + BIO_free_all(b64); + goto done; + } + + while((inlen = BIO_read(b64, inbuf, 512)) > 0) + BIO_write(bmem_out, inbuf, inlen); + + (void) BIO_flush(bmem_out); + + size = BIO_get_mem_data(bmem_out, &b64decoded); + + if (b64decoded) { + outbuf = talloc_memdup(mem_ctx, b64decoded, size); + if (!outbuf) { + BIO_free_all(b64); + BIO_free(bmem_out); + goto done; + } + + *outsize = size; + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get decoded data\n"); + } + BIO_free_all(b64); + BIO_free(bmem_out); + +done: + talloc_free(tmp_ctx); + return outbuf; +} diff --git a/src/util/crypto/libcrypto/crypto_hmac_sha1.c b/src/util/crypto/libcrypto/crypto_hmac_sha1.c new file mode 100644 index 0000000..1499ace --- /dev/null +++ b/src/util/crypto/libcrypto/crypto_hmac_sha1.c 
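Review bot: `sss_base64_decode` cannot tell a decode error from end of input: the loop `while((inlen = BIO_read(b64, inbuf, 512)) > 0)` stops on any non-positive return, and whatever was gathered so far is returned as a successful result. The `BIO_write` calls in both functions are unchecked as well, and `int inlen = strlen(in)` and `BIO_write(b64, in, insize)` narrow a `size_t` to `int`. I would reject oversized input up front with `if (insize > INT_MAX) return NULL;` (and the equivalent test on `strlen(in)`), and check each write with `if (BIO_write(bmem_out, inbuf, inlen) != inlen)` before continuing. A silently short buffer matters to callers that parse length-prefixed data out of the result, as `sss_password_decrypt` in this same commit does.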
@@ -0,0 +1,94 @@ +/* + Authors: + Jan Cholasta + George McCollister + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +#include + +#include "sss_openssl.h" + +#define HMAC_SHA1_BLOCKSIZE 64 + +int sss_hmac_sha1(const unsigned char *key, + size_t key_len, + const unsigned char *in, + size_t in_len, + unsigned char *out) +{ + int ret; + EVP_MD_CTX *ctx; + unsigned char ikey[HMAC_SHA1_BLOCKSIZE], okey[HMAC_SHA1_BLOCKSIZE]; + size_t i; + unsigned char hash[SSS_SHA1_LENGTH]; + unsigned int res_len; + + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) { + return ENOMEM; + } + + if (key_len > HMAC_SHA1_BLOCKSIZE) { + /* keys longer than blocksize are shortened */ + if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { + ret = EIO; + goto done; + } + + EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len); + EVP_DigestFinal_ex(ctx, ikey, &res_len); + memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH); + } else { + /* keys shorter than blocksize are zero-padded */ + memcpy(ikey, key, key_len); + if (key_len < HMAC_SHA1_BLOCKSIZE) { + memset(ikey + key_len, 0, HMAC_SHA1_BLOCKSIZE - key_len); + } + } + + /* HMAC(key, msg) = HASH(key XOR opad, HASH(key XOR ipad, msg)) */ + for (i = 0; i < HMAC_SHA1_BLOCKSIZE; i++) { + okey[i] = ikey[i] ^ 0x5c; + ikey[i] ^= 0x36; + } + + if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { + 
ret = EIO; + goto done; + } + + EVP_DigestUpdate(ctx, (const unsigned char *)ikey, HMAC_SHA1_BLOCKSIZE); + EVP_DigestUpdate(ctx, (const unsigned char *)in, in_len); + EVP_DigestFinal_ex(ctx, hash, &res_len); + + if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) { + ret = EIO; + goto done; + } + + EVP_DigestUpdate(ctx, (const unsigned char *)okey, HMAC_SHA1_BLOCKSIZE); + EVP_DigestUpdate(ctx, (const unsigned char *)hash, SSS_SHA1_LENGTH); + EVP_DigestFinal_ex(ctx, out, &res_len); + ret = EOK; +done: + EVP_MD_CTX_free(ctx); + return ret; +} diff --git a/src/util/crypto/libcrypto/crypto_nite.c b/src/util/crypto/libcrypto/crypto_nite.c new file mode 100644 index 0000000..e863d3f --- /dev/null +++ b/src/util/crypto/libcrypto/crypto_nite.c 
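Review bot: The key-derived pads `ikey` and `okey` and the inner digest `hash` stay on the stack when `sss_hmac_sha1` returns; nothing at `done:` wipes them. I would add `OPENSSL_cleanse(ikey, sizeof(ikey)); OPENSSL_cleanse(okey, sizeof(okey)); OPENSSL_cleanse(hash, sizeof(hash));` before `EVP_MD_CTX_free(ctx)`, since a plain `memset` at that point may be removed by the optimizer. The `EVP_DigestUpdate` and `EVP_DigestFinal_ex` return values are also ignored, so a failed digest step still ends in `ret = EOK` with `out` possibly unwritten; each should set `ret = EIO` and `goto done`, the way the `EVP_DigestInit_ex` checks already do.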
@@ -0,0 +1,288 @@ +/* + SSSD + + Encryption/Decryption primitives + + Authors: + Simo Sorce + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +#include +#include +#include + +#include "sss_openssl.h" + +struct cipher_mech { + const EVP_CIPHER * (*cipher)(void); + const EVP_MD * (*digest)(void); +} mechs[] = { + { EVP_aes_256_cbc, EVP_sha256 } +}; + +int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *plaintext, size_t plainlen, + uint8_t **ciphertext, size_t *cipherlen) +{ + const EVP_CIPHER *cipher; + const EVP_MD *digest; + EVP_PKEY *hmackey = NULL; + EVP_CIPHER_CTX *ctx; + EVP_MD_CTX *mdctx = NULL; + uint8_t *out = NULL; + int evpkeylen; + int evpivlen; + int hmaclen; + int outlen, tmplen; + size_t slen; + int ret; + + if (!plaintext || !plainlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + cipher = mechs[AES256CBC_HMAC_SHA256].cipher(); + digest = mechs[AES256CBC_HMAC_SHA256].digest(); + + evpkeylen = EVP_CIPHER_key_length(cipher); + if (!key || keylen != evpkeylen) return EINVAL; + + hmackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, keylen); + if (!hmackey) return ENOMEM; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just 
truncate to the key size should the hmac be bigger + * (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + evpivlen = EVP_CIPHER_iv_length(cipher); + outlen = plainlen + (2 * EVP_CIPHER_block_size(cipher)) + + evpivlen + hmaclen; + out = talloc_zero_size(mem_ctx, outlen); + + /* First Encrypt */ + + if (evpivlen != 0) { + RAND_bytes(out, evpivlen); + } + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EVP_EncryptInit_ex(ctx, cipher, 0, key, evpivlen ? out : NULL); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen = evpivlen; + tmplen = 0; + ret = EVP_EncryptUpdate(ctx, out + outlen, &tmplen, plaintext, plainlen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + ret = EVP_EncryptFinal_ex(ctx, out + outlen, &tmplen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + /* Then HMAC */ + + mdctx = EVP_MD_CTX_new(); + if (mdctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EVP_DigestInit_ex(mdctx, digest, NULL); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignInit(mdctx, NULL, digest, NULL, hmackey); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignUpdate(mdctx, out, outlen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + slen = hmaclen; + ret = EVP_DigestSignFinal(mdctx, &out[outlen], &slen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += hmaclen; + + *ciphertext = out; + *cipherlen = outlen; + ret = EOK; + +done: + EVP_MD_CTX_free(mdctx); + EVP_CIPHER_CTX_free(ctx); + EVP_PKEY_free(hmackey); + return ret; +} + +int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *ciphertext, size_t cipherlen, + uint8_t **plaintext, size_t *plainlen) +{ + const EVP_CIPHER *cipher; + const EVP_MD *digest; + EVP_PKEY *hmackey = NULL; + EVP_CIPHER_CTX *ctx = NULL; + EVP_MD_CTX *mdctx; + const uint8_t *iv = NULL; + 
uint8_t *out; + int evpkeylen; + int evpivlen; + int hmaclen; + int outlen, tmplen; + size_t slen; + int ret; + + if (!ciphertext || !cipherlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + cipher = mechs[AES256CBC_HMAC_SHA256].cipher(); + digest = mechs[AES256CBC_HMAC_SHA256].digest(); + + evpkeylen = EVP_CIPHER_key_length(cipher); + if (!key || keylen != evpkeylen) return EINVAL; + + hmackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, keylen); + if (!hmackey) return ENOMEM; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just assume it was truncated to the key size should + * the hmac be bigger (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + evpivlen = EVP_CIPHER_iv_length(cipher); + out = talloc_zero_size(mem_ctx, cipherlen); + + /* First check HMAC */ + + mdctx = EVP_MD_CTX_new(); + if (mdctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EVP_DigestInit_ex(mdctx, digest, NULL); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignInit(mdctx, NULL, digest, NULL, hmackey); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DigestSignUpdate(mdctx, ciphertext, cipherlen - hmaclen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + slen = hmaclen; + ret = EVP_DigestSignFinal(mdctx, out, &slen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = CRYPTO_memcmp(&ciphertext[cipherlen - hmaclen], out, hmaclen); + if (ret != 0) { + ret = EFAULT; + goto done; + } + + /* Then Decrypt */ + + if (evpivlen != 0) { + iv = ciphertext; + } + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EVP_DecryptInit_ex(ctx, cipher, 0, key, iv); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = EVP_DecryptUpdate(ctx, out, &outlen, + ciphertext + evpivlen, + cipherlen - evpivlen - hmaclen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + ret = 
EVP_DecryptFinal_ex(ctx, out + outlen, &tmplen); + if (ret != 1) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + *plaintext = out; + *plainlen = outlen; + ret = EOK; + +done: + EVP_MD_CTX_free(mdctx); + EVP_CIPHER_CTX_free(ctx); + EVP_PKEY_free(hmackey); + return ret; +} diff --git a/src/util/crypto/libcrypto/crypto_obfuscate.c b/src/util/crypto/libcrypto/crypto_obfuscate.c new file mode 100644 index 0000000..69b622e --- /dev/null +++ b/src/util/crypto/libcrypto/crypto_obfuscate.c 
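Review bot: `sss_decrypt` never checks that `cipherlen` is at least `evpivlen + hmaclen`, so a short input makes `cipherlen - hmaclen` wrap around as `size_t` and `EVP_DigestSignUpdate` is told to read far past `ciphertext`, while `EVP_DigestSignFinal` writes `hmaclen` bytes into an `out` buffer of only `cipherlen` bytes. The result of `talloc_zero_size` is not checked either (the same holds in `sss_encrypt`), and `mdctx` is declared without an initializer, so a guard placed before `EVP_MD_CTX_new()` needs `mdctx = NULL` for the `done:` path to be safe. The fence below shows the guard I would add right after `evpivlen` is computed. Separately, `sss_encrypt` ignores the return of `RAND_bytes(out, evpivlen)`, which leaves the zero-filled buffer as the IV on failure; `if (RAND_bytes(out, evpivlen) != 1) { ret = EIO; goto done; }` with `ctx` initialised to NULL would close that.

```c
    EVP_MD_CTX *mdctx = NULL;
    /* … unchanged: other declarations, enctype and key checks, hmackey setup … */
    evpivlen = EVP_CIPHER_iv_length(cipher);
    if (cipherlen < (size_t)evpivlen + (size_t)hmaclen) {
        ret = EINVAL;
        goto done;
    }
    out = talloc_zero_size(mem_ctx, cipherlen);
    if (out == NULL) {
        ret = ENOMEM;
        goto done;
    }
    /* … unchanged: HMAC verification and decryption … */
```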
@@ -0,0 +1,309 @@ +/* + SSSD + + Password obfuscation logic + + Authors: + George McCollister + + Copyright (C) George McCollister 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* + * READ ME: + * + * Please note that password obfuscation does not improve security in any + * way. It is just a mechanism to make the password human-unreadable. If you + * need to secure passwords in your application, you should probably take a + * look at storing passwords in NSS-backed database. 
+ */ + +#include "config.h" +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +#include +#include + +#define OBF_BUFFER_SENTINEL "\0\1\2\3" +#define OBF_BUFFER_SENTINEL_SIZE 4 + +struct crypto_mech_data { + const EVP_CIPHER * (*cipher)(void); + uint16_t keylen; + uint16_t bsize; +}; + +static struct crypto_mech_data cmdata[] = { + /* AES with automatic padding, 256b key, 128b block */ + { EVP_aes_256_cbc, 32, 16 }, + /* sentinel */ + { 0, 0, 0 } +}; + +static struct crypto_mech_data *get_crypto_mech_data(enum obfmethod meth) +{ + if (meth >= NUM_OBFMETHODS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported cipher type\n"); + return NULL; + } + return &cmdata[meth]; +} + +int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, + enum obfmethod meth, char **obfpwd) +{ + int ret; + EVP_CIPHER_CTX *ctx; + struct crypto_mech_data *mech_props; + TALLOC_CTX *tmp_ctx = NULL; + unsigned char *keybuf; + unsigned char *ivbuf; + unsigned char *cryptotext; + int ct_maxsize; + int ctlen = 0; + int digestlen = 0; + int result_len; + + unsigned char *obfbuf; + size_t obufsize = 0; + size_t p = 0; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ret = ENOMEM; + goto done; + } + + mech_props = get_crypto_mech_data(meth); + if (mech_props == NULL) { + ret = EINVAL; + goto done; + } + + keybuf = talloc_array(tmp_ctx, unsigned char, mech_props->keylen); + if (keybuf == NULL) { + ret = ENOMEM; + goto done; + } + + ivbuf = talloc_array(tmp_ctx, unsigned char, mech_props->bsize); + if (ivbuf == NULL) { + ret = ENOMEM; + goto done; + } + + RAND_bytes(keybuf, mech_props->keylen); + RAND_bytes(ivbuf, mech_props->bsize); + + /* cryptotext buffer must be at least len(plaintext)+blocksize */ + ct_maxsize = plen + (mech_props->bsize); + cryptotext = talloc_array(tmp_ctx, unsigned char, ct_maxsize); + if (!cryptotext) { + ret = ENOMEM; + goto done; + } + + if 
(!EVP_EncryptInit_ex(ctx, mech_props->cipher(), 0, keybuf, ivbuf)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to initialize cipher contex\n"); + ret = EIO; + goto done; + } + + /* sample data we'll encrypt and decrypt */ + if (!EVP_EncryptUpdate(ctx, cryptotext, &ctlen, (const unsigned char *)password, plen)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the encryption operation\n"); + ret = EIO; + goto done; + } + + if (!EVP_EncryptFinal_ex(ctx, cryptotext + ctlen, &digestlen)) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot finialize the encryption operation\n"); + ret = EIO; + goto done; + } + + result_len = ctlen + digestlen; + if (result_len < 0 || result_len > UINT16_MAX) { + ret = ERANGE; + goto done; + } + + /* Pack the obfuscation buffer */ + /* The buffer consists of: + * uint16_t the type of the cipher + * uint16_t length of the cryptotext in bytes (clen) + * uint8_t[klen] key + * uint8_t[blen] IV + * uint8_t[clen] cryptotext + * 4 bytes of "sentinel" denoting end of the buffer + */ + obufsize = sizeof(uint16_t) + sizeof(uint16_t) + + mech_props->keylen + mech_props->bsize + + result_len + OBF_BUFFER_SENTINEL_SIZE; + obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize); + if (!obfbuf) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Writing method: %d\n", meth); + SAFEALIGN_SET_UINT16(&obfbuf[p], meth, &p); + DEBUG(SSSDBG_TRACE_FUNC, "Writing bufsize: %d\n", result_len); + SAFEALIGN_SET_UINT16(&obfbuf[p], result_len, &p); + safealign_memcpy(&obfbuf[p], keybuf, mech_props->keylen, &p); + safealign_memcpy(&obfbuf[p], ivbuf, mech_props->bsize, &p); + safealign_memcpy(&obfbuf[p], cryptotext, result_len, &p); + safealign_memcpy(&obfbuf[p], OBF_BUFFER_SENTINEL, + OBF_BUFFER_SENTINEL_SIZE, &p); + + /* Base64 encode the resulting buffer */ + *obfpwd = sss_base64_encode(mem_ctx, obfbuf, obufsize); + if (*obfpwd == NULL) { + ret = ENOMEM; + goto done; + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + EVP_CIPHER_CTX_free(ctx); + return ret; +} + +int 
sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, + char **password) +{ + int ret; + EVP_CIPHER_CTX *ctx; + TALLOC_CTX *tmp_ctx = NULL; + struct crypto_mech_data *mech_props; + + int plainlen; + int digestlen; + unsigned char *obfbuf = NULL; + size_t obflen; + char *pwdbuf; + + /* for unmarshaling data */ + uint16_t meth; + uint16_t ctsize; + size_t p = 0; + unsigned char *cryptotext; + unsigned char *keybuf; + unsigned char *ivbuf; + unsigned char sentinel_check[OBF_BUFFER_SENTINEL_SIZE]; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ret = ENOMEM; + goto done; + } + + /* Base64 decode the incoming buffer */ + obfbuf = sss_base64_decode(tmp_ctx, b64encoded, &obflen); + if (!obfbuf) { + ret = ENOMEM; + goto done; + } + + /* unpack obfuscation buffer */ + SAFEALIGN_COPY_UINT16_CHECK(&meth, obfbuf+p, obflen, &p); + DEBUG(SSSDBG_TRACE_FUNC, "Read method: %d\n", meth); + SAFEALIGN_COPY_UINT16_CHECK(&ctsize, obfbuf+p, obflen, &p); + DEBUG(SSSDBG_TRACE_FUNC, "Read bufsize: %d\n", ctsize); + + mech_props = get_crypto_mech_data(meth); + if (mech_props == NULL) { + ret = EINVAL; + goto done; + } + + /* check that we got sane mechanism properties and cryptotext size */ + memcpy(sentinel_check, + obfbuf + p + mech_props->keylen + mech_props->bsize + ctsize, + OBF_BUFFER_SENTINEL_SIZE); + if (memcmp(sentinel_check, OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE) != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Obfuscation buffer seems corrupt, aborting\n"); + ret = EFAULT; + goto done; + } + + /* copy out key, ivbuf and cryptotext */ + keybuf = talloc_array(tmp_ctx, unsigned char, mech_props->keylen); + if (keybuf == NULL) { + ret = ENOMEM; + goto done; + } + safealign_memcpy(keybuf, obfbuf+p, mech_props->keylen, &p); + + ivbuf = talloc_array(tmp_ctx, unsigned char, mech_props->bsize); + if (ivbuf == NULL) { + ret = ENOMEM; + goto done; + } + safealign_memcpy(ivbuf, obfbuf+p, mech_props->bsize, &p); + 
+ cryptotext = talloc_array(tmp_ctx, unsigned char, ctsize); + if (cryptotext == NULL) { + ret = ENOMEM; + goto done; + } + safealign_memcpy(cryptotext, obfbuf+p, ctsize, &p); + + pwdbuf = talloc_array(tmp_ctx, char, ctsize); + if (!pwdbuf) { + ret = ENOMEM; + goto done; + } + + if (!EVP_DecryptInit_ex(ctx, mech_props->cipher(), 0, keybuf, ivbuf)) { + ret = EIO; + goto done; + } + + /* sample data we'll encrypt and decrypt */ + if (!EVP_DecryptUpdate(ctx, (unsigned char *)pwdbuf, &plainlen, cryptotext, ctsize)) { + ret = EIO; + goto done; + } + + if (!EVP_DecryptFinal_ex(ctx, (unsigned char *)pwdbuf + plainlen, &digestlen)) { + ret = EIO; + goto done; + } + + *password = talloc_move(mem_ctx, &pwdbuf); + ret = EOK; +done: + talloc_free(tmp_ctx); + EVP_CIPHER_CTX_free(ctx); + return ret; +} diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c new file mode 100644 index 0000000..2275ccd --- /dev/null +++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c 
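Review bot: `sss_password_decrypt` trusts the `ctsize` it reads from the decoded buffer: the sentinel `memcpy` reads at `obfbuf + p + keylen + bsize + ctsize`, and the three `safealign_memcpy` calls copy `keylen`, `bsize` and `ctsize` bytes, without comparing any of it to `obflen`. A truncated or altered obfuscated string therefore causes reads past the decoded allocation before the sentinel comparison can reject it. I would add, right after `mech_props` is validated, `if (obflen - p < (size_t)mech_props->keylen + mech_props->bsize + ctsize + OBF_BUFFER_SENTINEL_SIZE) { ret = EFAULT; goto done; }` (the `_CHECK` macros appear to guarantee `p <= obflen` at that point; worth confirming against their definition). `sss_password_encrypt` also ignores the return of both `RAND_bytes` calls, and neither function wipes `keybuf` before `talloc_free(tmp_ctx)`.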
@@ -0,0 +1,393 @@ +/* This file is based on nss_sha512crypt.c which is based on the work of + * Ulrich Drepper (http://people.redhat.com/drepper/SHA-crypt.txt). + * + * libcrypto is used to provide SHA512 and random number generation. + * (http://www.openssl.org/docs/crypto/crypto.html). + * + * Sumit Bose + * George McCollister + */ +/* SHA512-based UNIX crypt implementation. + Released into the Public Domain by Ulrich Drepper . */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_endian.h" + +#include +#include + +#include "sss_openssl.h" + + +/* Define our magic string to mark salt for SHA512 "encryption" replacement. */ +const char sha512_salt_prefix[] = "$6$"; +#define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1) + +/* Prefix for optional rounds specification. */ +const char sha512_rounds_prefix[] = "rounds="; +#define ROUNDS_SIZE (sizeof(sha512_rounds_prefix) - 1) + +#define SALT_LEN_MAX 16 +#define ROUNDS_DEFAULT 5000 +#define ROUNDS_MIN 1000 +#define ROUNDS_MAX 999999999 + +/* Table with characters for base64 transformation. 
*/ +const char b64t[64] = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +/* base64 conversion function */ +static inline void b64_from_24bit(char **dest, size_t *len, size_t n, + uint8_t b2, uint8_t b1, uint8_t b0) +{ + uint32_t w; + size_t i; + + if (*len < n) n = *len; + + w = (b2 << 16) | (b1 << 8) | b0; + for (i = 0; i < n; i++) { + (*dest)[i] = b64t[w & 0x3f]; + w >>= 6; + } + + *len -= i; + *dest += i; +} + +#define PTR_2_INT(x) ((x) - ((__typeof__ (x)) NULL)) +#define ALIGN64 __alignof__(uint64_t) + +static int sha512_crypt_r(const char *key, + const char *salt, + char *buffer, size_t buflen) +{ + unsigned char temp_result[64] __attribute__((__aligned__(ALIGN64))); + unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64))); + size_t rounds = ROUNDS_DEFAULT; + bool rounds_custom = false; + EVP_MD_CTX *alt_ctx = NULL; + EVP_MD_CTX *ctx; + size_t salt_len; + size_t key_len; + size_t cnt; + char *copied_salt = NULL; + char *copied_key = NULL; + char *p_bytes = NULL; + char *s_bytes = NULL; + int p1, p2, p3, pt, n; + unsigned int part; + char *cp, *tmp; + int ret; + + /* Find beginning of salt string. The prefix should normally always be + * present. Just in case it is not. */ + if (strncmp(salt, sha512_salt_prefix, SALT_PREF_SIZE) == 0) { + /* Skip salt prefix. 
*/ + salt += SALT_PREF_SIZE; + } + + if (strncmp(salt, sha512_rounds_prefix, ROUNDS_SIZE) == 0) { + unsigned long int srounds; + const char *num; + char *endp; + + num = salt + ROUNDS_SIZE; + srounds = strtoul(num, &endp, 10); + if (*endp == '$') { + salt = endp + 1; + if (srounds < ROUNDS_MIN) srounds = ROUNDS_MIN; + if (srounds > ROUNDS_MAX) srounds = ROUNDS_MAX; + rounds = srounds; + rounds_custom = true; + } + } + + salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); + key_len = strlen(key); + + if ((PTR_2_INT(key) % ALIGN64) != 0) { + tmp = (char *)alloca(key_len + ALIGN64); + key = copied_key = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, key, key_len); + } + + if (PTR_2_INT(salt) % ALIGN64 != 0) { + tmp = (char *)alloca(salt_len + ALIGN64); + salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len); + } + + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) { + ret = ENOMEM; + goto done; + } + + alt_ctx = EVP_MD_CTX_new(); + if (alt_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + /* Prepare for the real work. */ + if (!EVP_DigestInit_ex(ctx, EVP_sha512(), NULL)) { + ret = EIO; + goto done; + } + + /* Add the key string. */ + EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len); + + /* The last part is the salt string. This must be at most 16 + * characters and it ends at the first `$' character (for + * compatibility with existing implementations). */ + EVP_DigestUpdate(ctx, (const unsigned char *)salt, salt_len); + + /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. + * The final result will be added to the first context. */ + if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) { + ret = EIO; + goto done; + } + + /* Add key. */ + EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len); + + /* Add salt. */ + EVP_DigestUpdate(alt_ctx, (const unsigned char *)salt, salt_len); + + /* Add key again. 
*/ + EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len); + + /* Now get result of this (64 bytes) and add it to the other context. */ + EVP_DigestFinal_ex(alt_ctx, alt_result, &part); + + /* Add for any character in the key one byte of the alternate sum. */ + for (cnt = key_len; cnt > 64; cnt -= 64) { + EVP_DigestUpdate(ctx, alt_result, 64); + } + EVP_DigestUpdate(ctx, alt_result, cnt); + + /* Take the binary representation of the length of the key and for every + * 1 add the alternate sum, for every 0 the key. */ + for (cnt = key_len; cnt > 0; cnt >>= 1) { + if ((cnt & 1) != 0) { + EVP_DigestUpdate(ctx, alt_result, 64); + } else { + EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len); + } + } + + /* Create intermediate result. */ + EVP_DigestFinal_ex(ctx, alt_result, &part); + + /* Start computation of P byte sequence. */ + if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) { + ret = EIO; + goto done; + } + + /* For every character in the password add the entire password. */ + for (cnt = 0; cnt < key_len; cnt++) { + EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len); + } + + /* Finish the digest. */ + EVP_DigestFinal_ex(alt_ctx, temp_result, &part); + + /* Create byte sequence P. */ + cp = p_bytes = alloca(key_len); + for (cnt = key_len; cnt >= 64; cnt -= 64) { + cp = mempcpy(cp, temp_result, 64); + } + memcpy(cp, temp_result, cnt); + + /* Start computation of S byte sequence. */ + if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) { + ret = EIO; + goto done; + } + + /* For every character in the password add the entire salt. */ + for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) { + EVP_DigestUpdate(alt_ctx, (const unsigned char *)salt, salt_len); + } + + /* Finish the digest. */ + EVP_DigestFinal_ex(alt_ctx, temp_result, &part); + + /* Create byte sequence S. 
*/ + cp = s_bytes = alloca(salt_len); + for (cnt = salt_len; cnt >= 64; cnt -= 64) { + cp = mempcpy(cp, temp_result, 64); + } + memcpy(cp, temp_result, cnt); + + /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. */ + for (cnt = 0; cnt < rounds; cnt++) { + + if (!EVP_DigestInit_ex(ctx, EVP_sha512(), NULL)) { + ret = EIO; + goto done; + } + + /* Add key or last result. */ + if ((cnt & 1) != 0) { + EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len); + } else { + EVP_DigestUpdate(ctx, alt_result, 64); + } + + /* Add salt for numbers not divisible by 3. */ + if (cnt % 3 != 0) { + EVP_DigestUpdate(ctx, (const unsigned char *)s_bytes, salt_len); + } + + /* Add key for numbers not divisible by 7. */ + if (cnt % 7 != 0) { + EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len); + } + + /* Add key or last result. */ + if ((cnt & 1) != 0) { + EVP_DigestUpdate(ctx, alt_result, 64); + } else { + EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len); + } + + /* Create intermediate result. */ + EVP_DigestFinal_ex(ctx, alt_result, &part); + } + + /* Now we can construct the result string. + * It consists of three parts. 
*/ + if (buflen <= SALT_PREF_SIZE) { + ret = ERANGE; + goto done; + } + + cp = memcpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); + cp += SALT_PREF_SIZE; + buflen -= SALT_PREF_SIZE; + + if (rounds_custom) { + n = snprintf(cp, buflen, "%s%zu$", + sha512_rounds_prefix, rounds); + if (n < 0 || n >= buflen) { + ret = ERANGE; + goto done; + } + cp += n; + buflen -= n; + } + + if (buflen <= salt_len + 1) { + ret = ERANGE; + goto done; + } + cp = stpncpy(cp, salt, salt_len); + *cp++ = '$'; + buflen -= salt_len + 1; + + /* fuzzyfill the base 64 string */ + p1 = 0; + p2 = 21; + p3 = 42; + for (n = 0; n < 21; n++) { + b64_from_24bit(&cp, &buflen, 4, alt_result[p1], alt_result[p2], alt_result[p3]); + if (buflen == 0) { + ret = ERANGE; + goto done; + } + pt = p1; + p1 = p2 + 1; + p2 = p3 + 1; + p3 = pt + 1; + } + /* 64th and last byte */ + b64_from_24bit(&cp, &buflen, 2, 0, 0, alt_result[p3]); + if (buflen == 0) { + ret = ERANGE; + goto done; + } + + *cp = '\0'; + ret = EOK; + +done: + /* Clear the buffer for the intermediate result so that people attaching + * to processes or reading core dumps cannot get any information. We do it + * in this way to clear correct_words[] inside the SHA512 implementation + * as well. 
*/ + EVP_MD_CTX_free(ctx); + EVP_MD_CTX_free(alt_ctx); + if (p_bytes) memset(p_bytes, '\0', key_len); + if (s_bytes) memset(s_bytes, '\0', salt_len); + if (copied_key) memset(copied_key, '\0', key_len); + if (copied_salt) memset(copied_salt, '\0', salt_len); + memset(temp_result, '\0', sizeof(temp_result)); + + return ret; +} + +int s3crypt_sha512(TALLOC_CTX *memctx, + const char *key, const char *salt, char **_hash) +{ + char *hash; + int hlen = (sizeof (sha512_salt_prefix) - 1 + + sizeof (sha512_rounds_prefix) + 9 + 1 + + strlen (salt) + 1 + 86 + 1); + int ret; + + hash = talloc_size(memctx, hlen); + if (!hash) return ENOMEM; + + ret = sha512_crypt_r(key, salt, hash, hlen); + if (ret) return ret; + + *_hash = hash; + return ret; +} + +#define SALT_RAND_LEN 12 + +int s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt) +{ + uint8_t rb[SALT_RAND_LEN]; + char *salt, *cp; + size_t slen; + int ret; + + salt = talloc_size(memctx, SALT_LEN_MAX + 1); + if (!salt) { + return ENOMEM; + } + + ret = RAND_bytes(rb, SALT_RAND_LEN); + if (ret == 0) { + return EIO; + } + + slen = SALT_LEN_MAX; + cp = salt; + b64_from_24bit(&cp, &slen, 4, rb[0], rb[1], rb[2]); + b64_from_24bit(&cp, &slen, 4, rb[3], rb[4], rb[5]); + b64_from_24bit(&cp, &slen, 4, rb[6], rb[7], rb[8]); + b64_from_24bit(&cp, &slen, 4, rb[9], rb[10], rb[11]); + *cp = '\0'; + + *_salt = salt; + + return EOK; +} diff --git a/src/util/crypto/libcrypto/sss_openssl.h b/src/util/crypto/libcrypto/sss_openssl.h new file mode 100644 index 0000000..a2e2d85 --- /dev/null +++ b/src/util/crypto/libcrypto/sss_openssl.h 
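Review bot: The cleanup at `done:` in `sha512_crypt_r` clears `temp_result` but not `alt_result`, which holds the intermediate and final digest, and it uses plain `memset`, which a compiler may drop for buffers that are not read again. I would use `OPENSSL_cleanse(alt_result, sizeof(alt_result));` and the same call for `temp_result`, `p_bytes`, `s_bytes` and the copied key and salt, assuming the file's OpenSSL headers already declare it. `key_len` comes straight from `strlen(key)` and sizes two `alloca()` calls, so an over-long password is bounded only by the stack; a length cap returning `ERANGE`, or talloc allocations, would remove that. In `s3crypt_gen_salt`, `if (ret == 0)` misses the `-1` that `RAND_bytes` can return and leaks `salt`; `if (ret != 1) { talloc_free(salt); return EIO; }` covers both, and `s3crypt_sha512` likewise leaks `hash` when `sha512_crypt_r` fails.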
@@ -0,0 +1,39 @@
+/*
+ Authors:
+ Lukas Slebodnik
+
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SSS_LIBCRYTPO_SSS_OPENSSL_H_
+#define _SSS_LIBCRYTPO_SSS_OPENSSL_H_
+
+#include
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+/* EVP_MD_CTX_create and EVP_MD_CTX_destroy are deprecated macros
+ * in openssl-1.1 but openssl-1.0 does not know anything about
+ * newly added functions EVP_MD_CTX_new, EVP_MD_CTX_free in 1.1
+ */
+
+# define EVP_MD_CTX_new() EVP_MD_CTX_create()
+# define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy((ctx))
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+
+#endif /* _SSS_LIBCRYTPO_SSS_OPENSSL_H_ */
diff --git a/src/util/crypto/nss/nss_base64.c b/src/util/crypto/nss/nss_base64.c
new file mode 100644
index 0000000..2062bfe
--- /dev/null
+++ b/src/util/crypto/nss/nss_base64.c
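Review bot: The include guard `_SSS_LIBCRYTPO_SSS_OPENSSL_H_` starts with an underscore followed by an uppercase letter, a form C reserves for the implementation, and it misspells LIBCRYPTO. Renaming it to `SSS_LIBCRYPTO_SSS_OPENSSL_H` in the `#ifndef`, the `#define` and the closing `#endif` comment fixes both without changing what the header provides.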
@@ -0,0 +1,92 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" +#include "util/crypto/nss/nss_util.h" +#include "util/crypto/sss_crypto.h" + +#include + +/* NSS wraps b64 encoded buffers with CRLF automatically after 64 chars. This + * function strips the CRLF double-chars. The buffer can be decoded with plain + * NSS calls */ +char *sss_base64_encode(TALLOC_CTX *mem_ctx, + const unsigned char *inbuf, + size_t inbufsize) +{ + int ret; + char *b64encoded = NULL; + int i, j, b64size; + char *outbuf; + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + return NULL; + } + + b64encoded = BTOA_DataToAscii(inbuf, inbufsize); + if (!b64encoded) return NULL; + + b64size = strlen(b64encoded) + 1; + outbuf = talloc_array(mem_ctx, char, b64size); + if (outbuf == NULL) { + PORT_Free(b64encoded); + return NULL; + } + + for (i=0, j=0; i < b64size; i++) { + if (b64encoded[i] == '\n' || b64encoded[i] == '\r') { + continue; + } + outbuf[j++] = b64encoded[i]; /* will also copy the trailing \0 char */ + } + + PORT_Free(b64encoded); + return outbuf; +} + +unsigned char *sss_base64_decode(TALLOC_CTX *mem_ctx, + const char *inbuf, + size_t *outbufsize) +{ + int ret; + unsigned char *b64decoded = NULL; + unsigned int size; + unsigned char *outbuf; + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if 
(ret != EOK) { + return NULL; + } + + b64decoded = ATOB_AsciiToData(inbuf, &size); + if (!b64decoded) return NULL; + + outbuf = talloc_memdup(mem_ctx, b64decoded, size); + PORT_Free(b64decoded); + if (!outbuf) return NULL; + + *outbufsize = size; + return outbuf; +} diff --git a/src/util/crypto/nss/nss_crypto.h b/src/util/crypto/nss/nss_crypto.h new file mode 100644 index 0000000..5ecb544 --- /dev/null +++ b/src/util/crypto/nss/nss_crypto.h @@ -0,0 +1,66 @@ +/* + SSSD + + NSS crypto wrappers + + Authors: + Jakub Hrozek + + Copyright (C) Red Hat, Inc 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include + +#define MAKE_SECITEM(sdata, slen, sitem) do { \ + (sitem)->type = (siBuffer); \ + (sitem)->data = (sdata); \ + (sitem)->len = (slen); \ +} while(0) + +struct sss_nss_crypto_ctx { + PK11SlotInfo *slot; + PK11Context *ectx; + PK11SymKey *keyobj; + SECItem *sparam; + + SECItem *iv; + SECItem *key; +}; + +struct crypto_mech_data { + CK_MECHANISM_TYPE cipher; + uint16_t keylen; + uint16_t bsize; +}; + +enum crypto_mech_op { + op_encrypt, + op_decrypt, + op_sign +}; + +int nss_ctx_init(TALLOC_CTX *mem_ctx, + struct crypto_mech_data *mech_props, + uint8_t *key, int keylen, + uint8_t *iv, int ivlen, + struct sss_nss_crypto_ctx **_cctx); +int nss_crypto_init(struct crypto_mech_data *mech_props, + enum crypto_mech_op crypto_op, + struct sss_nss_crypto_ctx *cctx); 
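Review bot: In sss_base64_encode the lengths are carried in narrower types than the input allows: `inbufsize` is a `size_t` but is handed straight to `BTOA_DataToAscii`, whose length parameter is `unsigned int`, and the `strlen()` result is stored in `int b64size` and used as both the allocation size and the loop bound. An oversized input would be silently truncated or wrap the allocation size. I would reject it up front with `if (inbufsize > INT_MAX / 2) return NULL;` and declare `i`, `j` and `b64size` as `size_t`. sss_base64_decode also deserves a short comment saying that the returned buffer is owned by `mem_ctx` and is not NUL-terminated.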
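Review bot: nss_crypto.h has no include guard, yet it defines `struct sss_nss_crypto_ctx`, `struct crypto_mech_data` and `enum crypto_mech_op`, so a translation unit that reaches it twice (directly and through another header) fails with redefinition errors. Wrapping the body in `#ifndef SSS_NSS_CRYPTO_H` / `#define SSS_NSS_CRYPTO_H` … `#endif` is enough. The two prototypes would also benefit from a comment stating what a NULL `key` or `iv` with a non-zero length means, since nss_obfuscate.c calls `nss_ctx_init(tmp_ctx, mech_props, NULL, 1, NULL, 1, &cctx)` and relies on that convention.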
diff --git a/src/util/crypto/nss/nss_hmac_sha1.c b/src/util/crypto/nss/nss_hmac_sha1.c
new file mode 100644
index 0000000..f30bbfc
--- /dev/null
+++ b/src/util/crypto/nss/nss_hmac_sha1.c
@@ -0,0 +1,90 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +/* + NSS does not provide public API for HMAC, so we implement it ourselves. + + See RFC 2104 for details on the algorithm. +*/ + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" + +#include + +#define HMAC_SHA1_BLOCKSIZE 64 + +int sss_hmac_sha1(const unsigned char *key, + size_t key_len, + const unsigned char *in, + size_t in_len, + unsigned char *out) +{ + int ret; + unsigned char ikey[HMAC_SHA1_BLOCKSIZE], okey[HMAC_SHA1_BLOCKSIZE]; + size_t i; + HASHContext *sha1; + unsigned char hash[SSS_SHA1_LENGTH]; + unsigned int res_len; + + ret = nspr_nss_init(); + if (ret != EOK) { + return ret; + } + + sha1 = HASH_Create(HASH_AlgSHA1); + if (!sha1) { + return ENOMEM; + } + + if (key_len > HMAC_SHA1_BLOCKSIZE) { + /* keys longer than blocksize are shortened */ + HASH_Begin(sha1); + HASH_Update(sha1, key, key_len); + HASH_End(sha1, ikey, &res_len, SSS_SHA1_LENGTH); + memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH); + } else { + /* keys shorter than blocksize are zero-padded */ + memcpy(ikey, key, key_len); + if (key_len < HMAC_SHA1_BLOCKSIZE) { + memset(ikey + key_len, 0, HMAC_SHA1_BLOCKSIZE - key_len); + } + } + + /* HMAC(key, msg) = HASH(key XOR opad, HASH(key XOR ipad, msg)) */ + for (i = 0; i < HMAC_SHA1_BLOCKSIZE; i++) 
{ + okey[i] = ikey[i] ^ 0x5c; + ikey[i] ^= 0x36; + } + + HASH_Begin(sha1); + HASH_Update(sha1, ikey, HMAC_SHA1_BLOCKSIZE); + HASH_Update(sha1, in, in_len); + HASH_End(sha1, hash, &res_len, SSS_SHA1_LENGTH); + + HASH_Begin(sha1); + HASH_Update(sha1, okey, HMAC_SHA1_BLOCKSIZE); + HASH_Update(sha1, hash, SSS_SHA1_LENGTH); + HASH_End(sha1, out, &res_len, SSS_SHA1_LENGTH); + + HASH_Destroy(sha1); + + return EOK; +} diff --git a/src/util/crypto/nss/nss_nite.c b/src/util/crypto/nss/nss_nite.c new file mode 100644 index 0000000..db3cefa --- /dev/null +++ b/src/util/crypto/nss/nss_nite.c 
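Review bot: sss_hmac_sha1 leaves key-derived material on the stack when it returns: `ikey` and `okey` are the key XORed with fixed pads, `hash` is the inner digest, and none of them is cleared before `return EOK`. Anyone who can read the process memory or a core dump can recover the key from either pad. Before `HASH_Destroy(sha1)` I would wipe all three with a clear the optimiser cannot drop, for example `explicit_bzero(ikey, sizeof(ikey));` where available, since a plain `memset` on locals that are never read again may be eliminated. The `memcpy(ikey, key, key_len)` branch also runs for `key_len == 0`, so a NULL `key` should either be rejected or documented as invalid.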
@@ -0,0 +1,303 @@ +/* + SSSD + + Encryption/Decryption primitives + + Authors: + Simo Sorce + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" +#include "util/crypto/nss/nss_crypto.h" + +struct cipher_mech { + struct crypto_mech_data enc; + struct crypto_mech_data hmac; +} mechs[] = { + { { CKM_AES_CBC_PAD, 32, 16 }, { CKM_SHA256_HMAC, 32, 16 } } +}; + +int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *plaintext, size_t plainlen, + uint8_t **ciphertext, size_t *cipherlen) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sss_nss_crypto_ctx *cctx; + struct sss_nss_crypto_ctx *hctx; + struct crypto_mech_data *enc; + struct crypto_mech_data *hmac; + SECStatus sret; + uint8_t *out = NULL; + int ivlen; + int hmaclen; + int outlen; + int clen; + union { + unsigned int u; + int s; + } tmplen; + unsigned int digestlen; + int ret; + + if (!plaintext || !plainlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + enc = &mechs[AES256CBC_HMAC_SHA256].enc; + hmac = &mechs[AES256CBC_HMAC_SHA256].hmac; + ivlen = enc->bsize; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just truncate to the key size should the hmac be bigger + * (or pad with zeros 
should the HMAC be smaller) */ + hmaclen = keylen; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return ENOMEM; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + outlen = plainlen + (2 * enc->bsize) + ivlen + hmaclen; + out = talloc_zero_size(tmp_ctx, outlen); + + /* First Encrypt */ + + if (ivlen != 0) { + ret = generate_csprng_buffer(out, ivlen); + if (ret) return ret; + } + + ret = nss_ctx_init(tmp_ctx, enc, key, keylen, out, ivlen, &cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(enc, op_encrypt, cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + clen = ivlen; + + sret = PK11_CipherOp(cctx->ectx, out + clen, &tmplen.s, + outlen - clen, plaintext, plainlen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + clen += tmplen.s; + + sret = PK11_DigestFinal(cctx->ectx, out + clen, &tmplen.u, outlen - clen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + clen += tmplen.u; + if (clen < 0 || clen > UINT16_MAX) { + ret = ERANGE; + goto done; + } + + /* Then HMAC */ + + ret = nss_ctx_init(tmp_ctx, hmac, key, keylen, NULL, 0, &hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(hmac, op_sign, hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestBegin(hctx->ectx); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestOp(hctx->ectx, out, clen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestFinal(hctx->ectx, out + clen, &digestlen, + outlen - clen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + *ciphertext = talloc_move(mem_ctx, &out); + *cipherlen = clen + hmaclen; + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *ciphertext, size_t cipherlen, + 
uint8_t **plaintext, size_t *plainlen) +{ + TALLOC_CTX *tmp_ctx = NULL; + struct sss_nss_crypto_ctx *cctx; + struct sss_nss_crypto_ctx *hctx; + struct crypto_mech_data *enc; + struct crypto_mech_data *hmac; + SECStatus sret; + uint8_t *out = NULL; + uint8_t *ivbuf = NULL; + int ivlen; + int hmaclen; + int outlen; + unsigned int tmplen; + unsigned int digestlen; + int ret; + + if (!plaintext || !plainlen) return EINVAL; + + if (enctype != AES256CBC_HMAC_SHA256) return EINVAL; + enc = &mechs[AES256CBC_HMAC_SHA256].enc; + hmac = &mechs[AES256CBC_HMAC_SHA256].hmac; + ivlen = enc->bsize; + + /* We have no function to return the size of the output for arbitray HMAC + * algorithms so we just truncate to the key size should the hmac be bigger + * (or pad with zeros should the HMAC be smaller) */ + hmaclen = keylen; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return ENOMEM; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + out = talloc_zero_size(tmp_ctx, cipherlen); + + /* First check HMAC */ + + ret = nss_ctx_init(tmp_ctx, hmac, key, keylen, NULL, 0, &hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(hmac, op_sign, hctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestBegin(hctx->ectx); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestOp(hctx->ectx, ciphertext, cipherlen - hmaclen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestFinal(hctx->ectx, out, &digestlen, hmaclen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + ret = NSS_SecureMemcmp(&ciphertext[cipherlen - hmaclen], out, hmaclen); + if (ret != 0) { + ret = EFAULT; + goto done; + } + + /* Then Decrypt */ + + if (ivlen != 0) { + ivbuf = talloc_size(tmp_ctx, ivlen); + if (!ivbuf) { + ret = ENOMEM; + goto done; + } + memcpy(ivbuf, ciphertext, ivlen); + } + + ret = nss_ctx_init(tmp_ctx, 
enc, key, keylen, ivbuf, ivlen, &cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + ret = nss_crypto_init(enc, op_decrypt, cctx); + if (ret != EOK) { + ret = EFAULT; + goto done; + } + + sret = PK11_CipherOp(cctx->ectx, out, &outlen, cipherlen, + ciphertext + ivlen, cipherlen - ivlen - hmaclen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + sret = PK11_DigestFinal(cctx->ectx, out + outlen, &tmplen, + cipherlen - outlen); + if (sret != SECSuccess) { + ret = EFAULT; + goto done; + } + + outlen += tmplen; + + *plaintext = talloc_move(mem_ctx, &out); + *plainlen = outlen; + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/util/crypto/nss/nss_obfuscate.c b/src/util/crypto/nss/nss_obfuscate.c new file mode 100644 index 0000000..df9c41b --- /dev/null +++ b/src/util/crypto/nss/nss_obfuscate.c 
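Review bot: sss_decrypt never checks that the input is long enough before doing length arithmetic on it: `cipherlen - hmaclen` and `cipherlen - ivlen - hmaclen` are computed on a `size_t`, and `&ciphertext[cipherlen - hmaclen]` is read for the MAC comparison. A buffer shorter than IV plus MAC makes those wrap and the digest and compare calls read out of bounds. The entry check only tests the output pointers `plaintext` and `plainlen`, so I would add `if (!ciphertext || cipherlen < (size_t)ivlen + keylen) return EINVAL;` right after `ivlen = enc->bsize;`. In sss_encrypt, `if (ret) return ret;` after `generate_csprng_buffer` skips `done:` and leaks `tmp_ctx`; it should be `if (ret) goto done;`. In both functions the result of `talloc_zero_size` is used without a NULL check.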
@@ -0,0 +1,328 @@
+/*
+ SSSD
+
+ Password obfuscation logic
+
+ Author: Jakub Hrozek
+
+ Copyright (C) Red Hat, Inc 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/*
+ * READ ME:
+ *
+ * Please note that password obfuscation does not improve security in any
+ * way. It is just a mechanism to make the password human-unreadable. If you
+ * need to secure passwords in your application, you should probably take a
+ * look at storing passwords in NSS-backed database.
+ */ + +#include "config.h" +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/crypto/nss/nss_util.h" +#include "util/crypto/nss/nss_crypto.h" + +#define OBF_BUFFER_SENTINEL "\0\1\2\3" +#define OBF_BUFFER_SENTINEL_SIZE 4 + +static struct crypto_mech_data cmdata[] = { + /* AES with automatic padding, 256b key, 128b block */ + { CKM_AES_CBC_PAD, 32, 16 }, + /* sentinel */ + { 0, 0, 0 } +}; + +static struct crypto_mech_data *get_crypto_mech_data(enum obfmethod meth) +{ + if (meth >= NUM_OBFMETHODS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unsupported cipher type\n"); + return NULL; + } + return &cmdata[meth]; +} + +int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, + enum obfmethod meth, char **obfpwd) +{ + SECStatus sret; + int ret; + TALLOC_CTX *tmp_ctx = NULL; + struct crypto_mech_data *mech_props; + struct sss_nss_crypto_ctx *cctx; + + unsigned char *plaintext; + + unsigned char *cryptotext; + int ct_maxsize; + int ctlen; + unsigned int digestlen; + int result_len; + + unsigned char *obfbuf; + size_t obufsize = 0; + size_t p = 0; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return ENOMEM; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EIO; + goto done; + } + + mech_props = get_crypto_mech_data(meth); + if (mech_props == NULL) { + ret = EINVAL; + goto done; + } + + /* Initiualize ctx and generate random encryption and IV key */ + ret = nss_ctx_init(tmp_ctx, mech_props, NULL, 1, NULL, 1, &cctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n"); + goto done; + } + + ret = nss_crypto_init(mech_props, op_encrypt, cctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot initialize NSS context properties\n"); + goto done; + } + + plaintext = (unsigned char *) talloc_strndup(tmp_ctx, password, plen); + if (!plaintext) { + ret = ENOMEM; + goto done; + } + + /* cryptotext buffer must be at least len(plaintext)+blocksize */ + 
ct_maxsize = plen + (mech_props->bsize); + cryptotext = talloc_array(tmp_ctx, unsigned char, ct_maxsize); + if (!cryptotext) { + ret = ENOMEM; + goto done; + } + + /* sample data we'll encrypt and decrypt */ + sret = PK11_CipherOp(cctx->ectx, cryptotext, &ctlen, ct_maxsize, + plaintext, plen); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot execute the encryption operation (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + sret = PK11_DigestFinal(cctx->ectx, cryptotext+ctlen, &digestlen, + ct_maxsize-ctlen); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot execute the digest operation (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + result_len = ctlen + digestlen; + if (result_len < 0 || result_len > UINT16_MAX) { + ret = ERANGE; + goto done; + } + + /* Pack the obfuscation buffer */ + /* The buffer consists of: + * uint16_t the type of the cipher + * uint16_t length of the cryptotext in bytes (clen) + * uint8_t[klen] key + * uint8_t[blen] IV + * uint8_t[clen] cryptotext + * 4 bytes of "sentinel" denoting end of the buffer + */ + obufsize = sizeof(uint16_t) + sizeof(uint16_t) + + mech_props->keylen + mech_props->bsize + + result_len + OBF_BUFFER_SENTINEL_SIZE; + obfbuf = talloc_array(tmp_ctx, unsigned char, obufsize); + if (!obfbuf) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, "Writing method: %d\n", meth); + SAFEALIGN_SET_UINT16(&obfbuf[p], meth, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "Writing bufsize: %d\n", result_len); + SAFEALIGN_SET_UINT16(&obfbuf[p], result_len, &p); + safealign_memcpy(&obfbuf[p], cctx->key->data, mech_props->keylen, &p); + safealign_memcpy(&obfbuf[p], cctx->iv->data, mech_props->bsize, &p); + safealign_memcpy(&obfbuf[p], cryptotext, result_len, &p); + safealign_memcpy(&obfbuf[p], OBF_BUFFER_SENTINEL, + OBF_BUFFER_SENTINEL_SIZE, &p); + + /* Base64 encode the resulting buffer */ + *obfpwd = sss_base64_encode(mem_ctx, obfbuf, obufsize); + if (*obfpwd == NULL) 
{ + ret = ENOMEM; + goto done; + } + + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, + char **password) +{ + SECStatus sret; + int ret; + TALLOC_CTX *tmp_ctx = NULL; + struct crypto_mech_data *mech_props; + struct sss_nss_crypto_ctx *cctx; + + int plainlen; + unsigned int digestlen; + unsigned char *obfbuf = NULL; + size_t obflen; + char *pwdbuf; + + /* for unmarshaling data */ + uint16_t meth; + uint16_t ctsize; + size_t p = 0; + unsigned char *cryptotext; + unsigned char *keybuf; + unsigned char *ivbuf; + unsigned char sentinel_check[OBF_BUFFER_SENTINEL_SIZE]; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return ENOMEM; + } + + /* initialize NSS if needed */ + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EIO; + goto done; + } + + /* Base64 decode the incoming buffer */ + obfbuf = sss_base64_decode(tmp_ctx, b64encoded, &obflen); + if (!obfbuf) { + ret = ENOMEM; + goto done; + } + + /* unpack obfuscation buffer */ + SAFEALIGN_COPY_UINT16_CHECK(&meth, obfbuf+p, obflen, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "Read method: %d\n", meth); + SAFEALIGN_COPY_UINT16_CHECK(&ctsize, obfbuf+p, obflen, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "Read bufsize: %d\n", ctsize); + + mech_props = get_crypto_mech_data(meth); + if (mech_props == NULL) { + ret = EINVAL; + goto done; + } + + /* check that we got sane mechanism properties and cryptotext size */ + memcpy(sentinel_check, + obfbuf + p + mech_props->keylen + mech_props->bsize + ctsize, + OBF_BUFFER_SENTINEL_SIZE); + if (memcmp(sentinel_check, + OBF_BUFFER_SENTINEL, OBF_BUFFER_SENTINEL_SIZE) != 0) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Obfuscation buffer seems corrupt, aborting\n"); + ret = EFAULT; + goto done; + } + + /* copy out key, ivbuf and cryptotext */ + keybuf = talloc_array(tmp_ctx, unsigned char, mech_props->keylen); + if (keybuf == NULL) { + ret = ENOMEM; + goto done; + } + safealign_memcpy(keybuf, obfbuf+p, mech_props->keylen, &p); + 
+ ivbuf = talloc_array(tmp_ctx, unsigned char, mech_props->bsize); + if (ivbuf == NULL) { + ret = ENOMEM; + goto done; + } + safealign_memcpy(ivbuf, obfbuf+p, mech_props->bsize, &p); + + cryptotext = talloc_array(tmp_ctx, unsigned char, ctsize); + if (cryptotext == NULL) { + ret = ENOMEM; + goto done; + } + safealign_memcpy(cryptotext, obfbuf+p, ctsize, &p); + + ret = nss_ctx_init(tmp_ctx, mech_props, + keybuf, mech_props->keylen, + ivbuf, mech_props->bsize, &cctx); + if (ret) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot initialize NSS context\n"); + goto done; + } + + ret = nss_crypto_init(mech_props, op_decrypt, cctx); + if (ret) { + goto done; + } + + pwdbuf = talloc_array(tmp_ctx, char, ctsize); + if (!pwdbuf) { + ret = ENOMEM; + goto done; + } + + sret = PK11_CipherOp(cctx->ectx, (unsigned char *) pwdbuf, &plainlen, + ctsize, cryptotext, ctsize); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot execute the encryption operation (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + sret = PK11_DigestFinal(cctx->ectx, (unsigned char *) pwdbuf+plainlen, + &digestlen, ctsize - plainlen); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot execute the encryption operation (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + *password = talloc_move(mem_ctx, &pwdbuf); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/util/crypto/nss/nss_sha512crypt.c b/src/util/crypto/nss/nss_sha512crypt.c new file mode 100644 index 0000000..4d0594d --- /dev/null +++ b/src/util/crypto/nss/nss_sha512crypt.c 
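Review bot: sss_password_decrypt reads the sentinel from `obfbuf + p + mech_props->keylen + mech_props->bsize + ctsize` without comparing that offset against `obflen`, and `ctsize` comes from the decoded blob itself. A truncated or corrupted obfuscated string therefore makes the `memcpy` into `sentinel_check`, and the later `safealign_memcpy` calls for key, IV and cryptotext, read past the allocation returned by `sss_base64_decode`. I would add, before the sentinel copy, `if (obflen < p + mech_props->keylen + mech_props->bsize + ctsize + OBF_BUFFER_SENTINEL_SIZE) { ret = EINVAL; goto done; }`. The definition of `SAFEALIGN_COPY_UINT16_CHECK` is not visible here; if it returns directly on a short buffer, that path skips `done:` and leaks `tmp_ctx`, which is worth confirming.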
@@ -0,0 +1,388 @@ +/* This file is based on the work of Ulrich Drepper + * (http://people.redhat.com/drepper/SHA-crypt.txt). I have replaced the + * included SHA512 implementation by calls to NSS + * (http://www.mozilla.org/projects/security/pki/nss/). + * + * Sumit Bose + */ +/* SHA512-based UNIX crypt implementation. + Released into the Public Domain by Ulrich Drepper . */ + +#include "config.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "util/sss_endian.h" +#include "util/crypto/nss/nss_util.h" + +#include +#include +#include +#include + +/* Define our magic string to mark salt for SHA512 "encryption" replacement. */ +const char sha512_salt_prefix[] = "$6$"; +#define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1) + +/* Prefix for optional rounds specification. */ +const char sha512_rounds_prefix[] = "rounds="; +#define ROUNDS_SIZE (sizeof(sha512_rounds_prefix) - 1) + +#define SALT_LEN_MAX 16 +#define ROUNDS_DEFAULT 5000 +#define ROUNDS_MIN 1000 +#define ROUNDS_MAX 999999999 + +/* Table with characters for base64 transformation. 
*/ +const char b64t[64] = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +/* base64 conversion function */ +static inline void b64_from_24bit(char **dest, size_t *len, size_t n, + uint8_t b2, uint8_t b1, uint8_t b0) +{ + uint32_t w; + size_t i; + + if (*len < n) n = *len; + + w = (b2 << 16) | (b1 << 8) | b0; + for (i = 0; i < n; i++) { + (*dest)[i] = b64t[w & 0x3f]; + w >>= 6; + } + + *len -= i; + *dest += i; +} + +#define PTR_2_INT(x) ((x) - ((__typeof__ (x)) NULL)) +#define ALIGN64 __alignof__(uint64_t) + +static int sha512_crypt_r(const char *key, + const char *salt, + char *buffer, size_t buflen) +{ + unsigned char temp_result[64] __attribute__((__aligned__(ALIGN64))); + unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64))); + size_t rounds = ROUNDS_DEFAULT; + bool rounds_custom = false; + HASHContext *alt_ctx = NULL; + HASHContext *ctx = NULL; + size_t salt_len; + size_t key_len; + size_t cnt; + char *copied_salt = NULL; + char *copied_key = NULL; + char *p_bytes = NULL; + char *s_bytes = NULL; + int p1, p2, p3, pt, n; + unsigned int part; + char *cp, *tmp; + int ret; + + /* Find beginning of salt string. The prefix should normally always be + * present. Just in case it is not. */ + if (strncmp(salt, sha512_salt_prefix, SALT_PREF_SIZE) == 0) { + /* Skip salt prefix. 
*/ + salt += SALT_PREF_SIZE; + } + + if (strncmp(salt, sha512_rounds_prefix, ROUNDS_SIZE) == 0) { + unsigned long int srounds; + const char *num; + char *endp; + + num = salt + ROUNDS_SIZE; + srounds = strtoul(num, &endp, 10); + if (*endp == '$') { + salt = endp + 1; + if (srounds < ROUNDS_MIN) srounds = ROUNDS_MIN; + if (srounds > ROUNDS_MAX) srounds = ROUNDS_MAX; + rounds = srounds; + rounds_custom = true; + } + } + + salt_len = MIN(strcspn(salt, "$"), SALT_LEN_MAX); + key_len = strlen(key); + + if ((PTR_2_INT(key) % ALIGN64) != 0) { + tmp = (char *)alloca(key_len + ALIGN64); + key = copied_key = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, key, key_len); + } + + if (PTR_2_INT(salt) % ALIGN64 != 0) { + tmp = (char *)alloca(salt_len + ALIGN64); + salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len); + } + + ret = nspr_nss_init(); + if (ret != EOK) { + ret = EIO; + goto done; + } + + ctx = HASH_Create(HASH_AlgSHA512); + if (!ctx) { + ret = EIO; + goto done; + } + + alt_ctx = HASH_Create(HASH_AlgSHA512); + if (!alt_ctx) { + ret = EIO; + goto done; + } + + /* Prepare for the real work. */ + HASH_Begin(ctx); + + /* Add the key string. */ + HASH_Update(ctx, (const unsigned char *)key, key_len); + + /* The last part is the salt string. This must be at most 16 + * characters and it ends at the first `$' character (for + * compatibility with existing implementations). */ + HASH_Update(ctx, (const unsigned char *)salt, salt_len); + + + /* Compute alternate SHA512 sum with input KEY, SALT, and KEY. + * The final result will be added to the first context. */ + HASH_Begin(alt_ctx); + + /* Add key. */ + HASH_Update(alt_ctx, (const unsigned char *)key, key_len); + + /* Add salt. */ + HASH_Update(alt_ctx, (const unsigned char *)salt, salt_len); + + /* Add key again. */ + HASH_Update(alt_ctx, (const unsigned char *)key, key_len); + + /* Now get result of this (64 bytes) and add it to the other context. 
*/ + HASH_End(alt_ctx, alt_result, &part, HASH_ResultLenContext(alt_ctx)); + + /* Add for any character in the key one byte of the alternate sum. */ + for (cnt = key_len; cnt > 64; cnt -= 64) { + HASH_Update(ctx, alt_result, 64); + } + HASH_Update(ctx, alt_result, cnt); + + /* Take the binary representation of the length of the key and for every + * 1 add the alternate sum, for every 0 the key. */ + for (cnt = key_len; cnt > 0; cnt >>= 1) { + if ((cnt & 1) != 0) { + HASH_Update(ctx, alt_result, 64); + } else { + HASH_Update(ctx, (const unsigned char *)key, key_len); + } + } + + /* Create intermediate result. */ + HASH_End(ctx, alt_result, &part, HASH_ResultLenContext(ctx)); + + /* Start computation of P byte sequence. */ + HASH_Begin(alt_ctx); + + /* For every character in the password add the entire password. */ + for (cnt = 0; cnt < key_len; cnt++) { + HASH_Update(alt_ctx, (const unsigned char *)key, key_len); + } + + /* Finish the digest. */ + HASH_End(alt_ctx, temp_result, &part, HASH_ResultLenContext(alt_ctx)); + + /* Create byte sequence P. */ + cp = p_bytes = alloca(key_len); + for (cnt = key_len; cnt >= 64; cnt -= 64) { + cp = mempcpy(cp, temp_result, 64); + } + memcpy(cp, temp_result, cnt); + + /* Start computation of S byte sequence. */ + HASH_Begin(alt_ctx); + + /* For every character in the password add the entire salt. */ + for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) { + HASH_Update(alt_ctx, (const unsigned char *)salt, salt_len); + } + + /* Finish the digest. */ + HASH_End(alt_ctx, temp_result, &part, HASH_ResultLenContext(alt_ctx)); + + /* Create byte sequence S. */ + cp = s_bytes = alloca(salt_len); + for (cnt = salt_len; cnt >= 64; cnt -= 64) { + cp = mempcpy(cp, temp_result, 64); + } + memcpy(cp, temp_result, cnt); + + /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. */ + for (cnt = 0; cnt < rounds; cnt++) { + + HASH_Begin(ctx); + + /* Add key or last result. 
*/ + if ((cnt & 1) != 0) { + HASH_Update(ctx, (const unsigned char *)p_bytes, key_len); + } else { + HASH_Update(ctx, alt_result, 64); + } + + /* Add salt for numbers not divisible by 3. */ + if (cnt % 3 != 0) { + HASH_Update(ctx, (const unsigned char *)s_bytes, salt_len); + } + + /* Add key for numbers not divisible by 7. */ + if (cnt % 7 != 0) { + HASH_Update(ctx, (const unsigned char *)p_bytes, key_len); + } + + /* Add key or last result. */ + if ((cnt & 1) != 0) { + HASH_Update(ctx, alt_result, 64); + } else { + HASH_Update(ctx, (const unsigned char *)p_bytes, key_len); + } + + /* Create intermediate result. */ + HASH_End(ctx, alt_result, &part, HASH_ResultLenContext(ctx)); + } + + /* Now we can construct the result string. + * It consists of three parts. */ + if (buflen <= SALT_PREF_SIZE) { + ret = ERANGE; + goto done; + } + + cp = memcpy(buffer, sha512_salt_prefix, SALT_PREF_SIZE); + cp += SALT_PREF_SIZE; + buflen -= SALT_PREF_SIZE; + + if (rounds_custom) { + n = snprintf(cp, buflen, "%s%zu$", + sha512_rounds_prefix, rounds); + if (n < 0 || n >= buflen) { + ret = ERANGE; + goto done; + } + cp += n; + buflen -= n; + } + + if (buflen <= salt_len + 1) { + ret = ERANGE; + goto done; + } + cp = stpncpy(cp, salt, salt_len); + *cp++ = '$'; + buflen -= salt_len + 1; + + /* fuzzyfill the base 64 string */ + p1 = 0; + p2 = 21; + p3 = 42; + for (n = 0; n < 21; n++) { + b64_from_24bit(&cp, &buflen, 4, alt_result[p1], alt_result[p2], alt_result[p3]); + if (buflen == 0) { + ret = ERANGE; + goto done; + } + pt = p1; + p1 = p2 + 1; + p2 = p3 + 1; + p3 = pt + 1; + } + /* 64th and last byte */ + b64_from_24bit(&cp, &buflen, 2, 0, 0, alt_result[p3]); + if (buflen == 0) { + ret = ERANGE; + goto done; + } + + *cp = '\0'; + ret = EOK; + +done: + /* Clear the buffer for the intermediate result so that people attaching + * to processes or reading core dumps cannot get any information. We do it + * in this way to clear correct_words[] inside the SHA512 implementation + * as well. 
*/ + if (ctx) HASH_Destroy(ctx); + if (alt_ctx) HASH_Destroy(alt_ctx); + if (p_bytes) memset(p_bytes, '\0', key_len); + if (s_bytes) memset(s_bytes, '\0', salt_len); + if (copied_key) memset(copied_key, '\0', key_len); + if (copied_salt) memset(copied_salt, '\0', salt_len); + memset(temp_result, '\0', sizeof(temp_result)); + + return ret; +} + +int s3crypt_sha512(TALLOC_CTX *memctx, + const char *key, const char *salt, char **_hash) +{ + char *hash; + int hlen = (sizeof (sha512_salt_prefix) - 1 + + sizeof (sha512_rounds_prefix) + 9 + 1 + + strlen (salt) + 1 + 86 + 1); + int ret; + + hash = talloc_size(memctx, hlen); + if (!hash) return ENOMEM; + + ret = sha512_crypt_r(key, salt, hash, hlen); + if (ret) return ret; + + *_hash = hash; + return ret; +} + +#define SALT_RAND_LEN 12 + +int s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt) +{ + uint8_t rb[SALT_RAND_LEN]; + char *salt, *cp; + size_t slen; + int ret; + + ret = nspr_nss_init(); + if (ret != EOK) { + return EIO; + } + + salt = talloc_size(memctx, SALT_LEN_MAX + 1); + if (!salt) { + return ENOMEM; + } + + ret = PK11_GenerateRandom(rb, SALT_RAND_LEN); + if (ret != SECSuccess) { + return EIO; + } + + slen = SALT_LEN_MAX; + cp = salt; + b64_from_24bit(&cp, &slen, 4, rb[0], rb[1], rb[2]); + b64_from_24bit(&cp, &slen, 4, rb[3], rb[4], rb[5]); + b64_from_24bit(&cp, &slen, 4, rb[6], rb[7], rb[8]); + b64_from_24bit(&cp, &slen, 4, rb[9], rb[10], rb[11]); + *cp = '\0'; + + *_salt = salt; + + return EOK; +} diff --git a/src/util/crypto/nss/nss_util.c b/src/util/crypto/nss/nss_util.c new file mode 100644 index 0000000..4683505 --- /dev/null +++ b/src/util/crypto/nss/nss_util.c 
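Review bot: The wipe at `done:` in sha512_crypt_r uses plain `memset` on `p_bytes`, `s_bytes`, the copied key and salt, and `temp_result`, all of which are never read again, so an optimising compiler is free to drop the stores. It also never clears `alt_result`, which holds the final digest and every intermediate round result. I would add `explicit_bzero(alt_result, sizeof(alt_result));` and use the same non-elidable clear for the other buffers, where available. The libcrypto variant whose tail is visible at the top of this chunk has the same cleanup sequence. Separately, `alloca(key_len + ALIGN64)` and `alloca(key_len)` are sized from `strlen(key)` with no upper bound, so a very long password can exhaust the stack. `s3crypt_gen_salt` leaves `salt` allocated on `memctx` when `PK11_GenerateRandom` fails, and `s3crypt_sha512` does the same with `hash` when `sha512_crypt_r` fails.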
@@ -0,0 +1,284 @@ +/* + SSSD + + NSS crypto wrappers + + Authors: + Sumit Bose + Jakub Hrozek + + Copyright (C) Red Hat, Inc 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "util/crypto/nss/nss_util.h" +#include "util/crypto/nss/nss_crypto.h" + +static int nspr_nss_init_done = 0; + +int nspr_nss_init(void) +{ + SECStatus sret; + + /* nothing to do */ + if (nspr_nss_init_done == 1) return SECSuccess; + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + sret = NSS_NoDB_Init(NULL); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error initializing connection to NSS [%d]\n", + PR_GetError()); + return EIO; + } + + nspr_nss_init_done = 1; + return EOK; +} + +int nspr_nss_cleanup(void) +{ + SECStatus sret; + + /* nothing to do */ + if (nspr_nss_init_done == 0) return SECSuccess; + + sret = NSS_Shutdown(); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error shutting down connection to NSS [%d]\n", + PR_GetError()); + return EIO; + } + + PR_Cleanup(); + nspr_nss_init_done = 0; + return EOK; +} + +static int sss_nss_crypto_ctx_destructor(struct sss_nss_crypto_ctx *cctx) +{ + if (cctx->ectx) PK11_DestroyContext(cctx->ectx, PR_TRUE); + if (cctx->sparam) SECITEM_FreeItem(cctx->sparam, PR_TRUE); + if (cctx->slot) PK11_FreeSlot(cctx->slot); + if (cctx->keyobj) PK11_FreeSymKey(cctx->keyobj); + + return EOK; +} + 
+static int generate_random_key(TALLOC_CTX *mem_ctx, + PK11SlotInfo *slot, + struct crypto_mech_data *mech_props, + SECItem **_key) +{ + SECStatus sret; + SECItem *randkeydata; + SECItem *key = NULL; + PK11SymKey *randkey; + int ret; + + randkey = PK11_KeyGen(slot, mech_props->cipher, + NULL, mech_props->keylen, NULL); + if (randkey == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to generate key (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + sret = PK11_ExtractKeyValue(randkey); + if (sret != SECSuccess) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to extract key value (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + randkeydata = PK11_GetKeyData(randkey); + if (randkeydata == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to get key data (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + /* randkeydata is valid until randkey is. Copy with talloc to + * get a nice memory hierarchy symmetrical in encrypt + * and decrypt case */ + key = talloc_zero(mem_ctx, SECItem); + if (!key) { + ret = ENOMEM; + goto done; + } + + key->data = talloc_memdup(key, randkeydata->data, randkeydata->len); + if (!key->data) { + ret = ENOMEM; + goto done; + } + key->len = randkeydata->len; + + *_key = key; + ret = EOK; +done: + if (ret != EOK) talloc_zfree(key); + PK11_FreeSymKey(randkey); + return ret; +} + +int nss_ctx_init(TALLOC_CTX *mem_ctx, + struct crypto_mech_data *mech_props, + uint8_t *key, int keylen, + uint8_t *iv, int ivlen, + struct sss_nss_crypto_ctx **_cctx) +{ + struct sss_nss_crypto_ctx *cctx; + int ret; + + cctx = talloc_zero(mem_ctx, struct sss_nss_crypto_ctx); + if (!cctx) { + return ENOMEM; + } + talloc_set_destructor(cctx, sss_nss_crypto_ctx_destructor); + + cctx->slot = PK11_GetBestSlot(mech_props->cipher, NULL); + if (cctx->slot == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to find security device (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + if (keylen > 0) { + cctx->key = talloc(cctx, SECItem); + if 
(cctx->key == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to allocate Key buffer\n"); + ret = ENOMEM; + goto done; + } + if (key) { + MAKE_SECITEM(key, keylen, cctx->key); + } else { + ret = generate_random_key(cctx, cctx->slot, + mech_props, &cctx->key); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not generate encryption key\n"); + goto done; + } + } + + } + + if (ivlen > 0) { + cctx->iv = talloc(cctx, SECItem); + if (cctx->iv == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to allocate IV buffer\n"); + ret = ENOMEM; + goto done; + } + if (iv) { + MAKE_SECITEM(iv, ivlen, cctx->iv); + } else { + ret = generate_random_key(cctx, cctx->slot, + mech_props, &cctx->iv); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not generate initialization vector\n"); + goto done; + } + } + } + + ret = EOK; + *_cctx = cctx; +done: + if (ret) talloc_zfree(cctx); + return ret; +} + +int nss_crypto_init(struct crypto_mech_data *mech_props, + enum crypto_mech_op crypto_op, + struct sss_nss_crypto_ctx *cctx) +{ + CK_ATTRIBUTE_TYPE op; + int ret; + + switch (crypto_op) { + case op_encrypt: + op = CKA_ENCRYPT; + break; + case op_decrypt: + op = CKA_DECRYPT; + break; + case op_sign: + op = CKA_SIGN; + break; + default: + return EFAULT; + } + + /* turn the raw key into a key object */ + cctx->keyobj = PK11_ImportSymKey(cctx->slot, mech_props->cipher, + PK11_OriginUnwrap, op, cctx->key, NULL); + if (cctx->keyobj == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failure to import key into NSS (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + + if (crypto_op == op_encrypt || crypto_op == op_decrypt) { + /* turn the raw IV into a initialization vector object */ + cctx->sparam = PK11_ParamFromIV(mech_props->cipher, cctx->iv); + if (cctx->sparam == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failure to set up PKCS11 param (err %d)\n", + PR_GetError()); + ret = EIO; + goto done; + } + } else { + cctx->sparam = SECITEM_AllocItem(NULL, NULL, 0); + if (cctx->sparam == NULL) { 
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failure to allocate SECItem\n"); + ret = EIO; + goto done; + } + MAKE_SECITEM(NULL, 0, cctx->sparam); + } + + /* Create cipher context */ + cctx->ectx = PK11_CreateContextBySymKey(mech_props->cipher, op, + cctx->keyobj, cctx->sparam); + if (cctx->ectx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create cipher context (err %d)\n", + PORT_GetError()); + ret = EIO; + goto done; + } + + ret = EOK; +done: + return ret; +} diff --git a/src/util/crypto/nss/nss_util.h b/src/util/crypto/nss/nss_util.h new file mode 100644 index 0000000..08ab58d --- /dev/null +++ b/src/util/crypto/nss/nss_util.h @@ -0,0 +1,28 @@ +/* + SSSD + + NSS crypto wrappers + + Authors: + Jakub Hrozek + + Copyright (C) Red Hat, Inc 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +int nspr_nss_init(void); +int nspr_nss_cleanup(void); diff --git a/src/util/crypto/sss_crypto.c b/src/util/crypto/sss_crypto.c new file mode 100644 index 0000000..5958155 --- /dev/null +++ b/src/util/crypto/sss_crypto.c 
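Review bot: In nss_ctx_init() (src/util/crypto/nss/nss_util.c) the `iv == NULL` branch calls `generate_random_key(cctx, cctx->slot, mech_props, &cctx->iv)`, and that helper sizes its output from `mech_props->keylen`, so the generated IV has the key's length while the caller's `ivlen` is only tested for `> 0`. If the mechanism's IV size differs from its key size, nss_crypto_init() hands `PK11_ParamFromIV()` an item of the wrong length. Giving the helper a length argument, `generate_random_key(cctx, cctx->slot, mech_props, ivlen, &cctx->iv)` feeding `PK11_KeyGen(slot, mech_props->cipher, NULL, len, NULL)`, would keep the two in step. As far as this hunk shows, the copied key bytes are also released through talloc without being zeroed, since `sss_nss_crypto_ctx_destructor()` frees only the NSS objects. A scrub of `cctx->key->data` there is worth considering.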
@@ -0,0 +1,51 @@ +/* + Authors: + Simo Sorce + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#include "util/util.h" +#include "util/crypto/sss_crypto.h" + +int generate_csprng_buffer(uint8_t *buf, size_t size) +{ + ssize_t rsize; + int ret; + int fd; + + fd = open("/dev/urandom", O_RDONLY); + if (fd == -1) return errno; + + rsize = sss_atomic_read_s(fd, buf, size); + if (rsize == -1) { + ret = errno; + goto done; + } else if (rsize != size) { + ret = EFAULT; + goto done; + } + + ret = EOK; +done: + close(fd); + return ret; +} diff --git a/src/util/crypto/sss_crypto.h b/src/util/crypto/sss_crypto.h new file mode 100644 index 0000000..f8778cd --- /dev/null +++ b/src/util/crypto/sss_crypto.h 
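Review bot: generate_csprng_buffer() in src/util/crypto/sss_crypto.c opens the random device with `O_RDONLY` only, so the descriptor could be inherited if another thread forks and execs before the `close(fd)`; `fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);` closes that window. The test `rsize != size` compares `ssize_t` with `size_t`. It is safe here because `-1` is handled first, but `(size_t)rsize != size` makes that explicit. A header comment saying that `buf` must hold at least `size` bytes, and that a short read is reported as `EFAULT`, would document the contract for callers that use the output as key material.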
@@ -0,0 +1,74 @@ +/* + Copyright (C) 2009-2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSS_CRYPTO_H_ +#define _SSS_CRYPTO_H_ + +#include +#include + +int generate_csprng_buffer(uint8_t *buf, size_t size); + +int s3crypt_sha512(TALLOC_CTX *mmectx, + const char *key, const char *salt, char **_hash); +int s3crypt_gen_salt(TALLOC_CTX *memctx, char **_salt); + +/* Methods of obfuscation. */ +enum obfmethod { + AES_256, + NUM_OBFMETHODS +}; + +int test2(void); + +char *sss_base64_encode(TALLOC_CTX *mem_ctx, + const unsigned char *in, + size_t insize); + +unsigned char *sss_base64_decode(TALLOC_CTX *mem_ctx, + const char *in, + size_t *outsize); + +#define SSS_SHA1_LENGTH 20 + +int sss_hmac_sha1(const unsigned char *key, + size_t key_len, + const unsigned char *in, + size_t in_len, + unsigned char *out); + +int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen, + enum obfmethod meth, char **obfpwd); + +int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded, + char **password); + +enum encmethod { + AES256CBC_HMAC_SHA256, + NUM_ENCMETHODS +}; + +int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *plaintext, size_t plainlen, + uint8_t **ciphertext, size_t *cipherlen); +int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype, + uint8_t *key, size_t keylen, + const uint8_t *ciphertext, size_t cipherlen, + 
uint8_t **plaintext, size_t *plainlen); + +#endif /* _SSS_CRYPTO_H_ */ diff --git a/src/util/debug.c b/src/util/debug.c new file mode 100644 index 0000000..30801fc --- /dev/null +++ b/src/util/debug.c 
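Review bot: sss_hmac_sha1() in src/util/crypto/sss_crypto.h takes `unsigned char *out` with no length parameter and no comment, so the buffer size a caller must provide is not stated. Presumably it is `SSS_SHA1_LENGTH`, defined just above, and a line such as `/* out must point to at least SSS_SHA1_LENGTH bytes */` would record that. The header's own comment describes `enum obfmethod` as obfuscation, so the `sss_password_encrypt()`/`sss_password_decrypt()` prototypes deserve a sentence saying what protection they do and do not provide. `int test2(void);` looks like a leftover, and the first parameter of s3crypt_sha512() is spelled `mmectx`.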
@@ -0,0 +1,510 @@ +/* + Authors: + Simo Sorce + Stephen Gallagher + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include + +#include +#include +#include + +#ifdef WITH_JOURNALD +#include +#endif + +#include "util/util.h" + +const char *debug_prg_name = "sssd"; + +int debug_level = SSSDBG_UNRESOLVED; +int debug_timestamps = SSSDBG_TIMESTAMP_UNRESOLVED; +int debug_microseconds = SSSDBG_MICROSECONDS_UNRESOLVED; +int debug_to_file = 0; +int debug_to_stderr = 0; +enum sss_logger_t sss_logger; +const char *debug_log_file = "sssd"; +FILE *debug_file = NULL; + +const char *sss_logger_str[] = { + [STDERR_LOGGER] = "stderr", + [FILES_LOGGER] = "files", +#ifdef WITH_JOURNALD + [JOURNALD_LOGGER] = "journald", +#endif + NULL, +}; + +#ifdef WITH_JOURNALD +#define JOURNALD_STR " journald," +#else +#define JOURNALD_STR "" +#endif + +void sss_set_logger(const char *logger) +{ + /* use old flags */ + if (logger == NULL) { + if (debug_to_stderr != 0) { + sss_logger = STDERR_LOGGER; + } + /* It is never described what should be used in case of + * debug_to_stderr == 1 && debug_to_file == 1. Because neither + * of binaries provide both command line arguments. + * Let files have higher priority. 
+ */ + if (debug_to_file != 0) { + sss_logger = FILES_LOGGER; + } +#ifdef WITH_JOURNALD + if (debug_to_file == 0 && debug_to_stderr == 0) { + sss_logger = JOURNALD_LOGGER; + } +#endif + } else { + if (strcmp(logger, "stderr") == 0) { + sss_logger = STDERR_LOGGER; + } else if (strcmp(logger, "files") == 0) { + sss_logger = FILES_LOGGER; +#ifdef WITH_JOURNALD + } else if (strcmp(logger, "journald") == 0) { + sss_logger = JOURNALD_LOGGER; +#endif + } else { + /* unexpected value */ + fprintf(stderr, "Unexpected logger: %s\nExpected:%s stderr, " + "files\n", logger, JOURNALD_STR); + sss_logger = STDERR_LOGGER; + } + } +} + +errno_t set_debug_file_from_fd(const int fd) +{ + FILE *dummy; + errno_t ret; + + errno = 0; + dummy = fdopen(fd, "a"); + if (dummy == NULL) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fdopen failed [%d][%s].\n", ret, strerror(ret)); + sss_log(SSS_LOG_ERR, + "Could not open debug file descriptor [%d]. " + "Debug messages will not be written to the file " + "for this child process [%s][%s]\n", + fd, debug_prg_name, strerror(ret)); + return ret; + } + + debug_file = dummy; + + return EOK; +} + +int get_fd_from_debug_file(void) +{ + if (debug_file == NULL) { + return STDERR_FILENO; + } + + return fileno(debug_file); +} + +int debug_convert_old_level(int old_level) +{ + if ((old_level != 0) && !(old_level & 0x000F)) + return old_level; + + int new_level = SSSDBG_FATAL_FAILURE; + + if (old_level <= 0) + return new_level; + + if (old_level >= 1) + new_level |= SSSDBG_CRIT_FAILURE; + + if (old_level >= 2) + new_level |= SSSDBG_OP_FAILURE; + + if (old_level >= 3) + new_level |= SSSDBG_MINOR_FAILURE; + + if (old_level >= 4) + new_level |= SSSDBG_CONF_SETTINGS; + + if (old_level >= 5) + new_level |= SSSDBG_FUNC_DATA; + + if (old_level >= 6) + new_level |= SSSDBG_TRACE_FUNC; + + if (old_level >= 7) + new_level |= SSSDBG_TRACE_LIBS; + + if (old_level >= 8) + new_level |= SSSDBG_TRACE_INTERNAL; + + if (old_level >= 9) + new_level |= SSSDBG_TRACE_ALL | 
SSSDBG_BE_FO; + + return new_level; +} + +static void debug_fflush(void) +{ + fflush(debug_file ? debug_file : stderr); +} + +static void debug_vprintf(const char *format, va_list ap) +{ + vfprintf(debug_file ? debug_file : stderr, format, ap); +} + +static void debug_printf(const char *format, ...) + SSS_ATTRIBUTE_PRINTF(1, 2); + +static void debug_printf(const char *format, ...) +{ + va_list ap; + + va_start(ap, format); + + debug_vprintf(format, ap); + + va_end(ap); +} + +#ifdef WITH_JOURNALD +errno_t journal_send(const char *file, + long line, + const char *function, + int level, + const char *format, + va_list ap) +{ + errno_t ret; + int res; + char *message = NULL; + char *code_file = NULL; + char *code_line = NULL; + const char *domain; + + /* First, evaluate the message to be sent */ + ret = vasprintf(&message, format, ap); + if (ret == -1) { + /* ENOMEM, just return */ + return ENOMEM; + } + + res = asprintf(&code_file, "CODE_FILE=%s", file); + if (res == -1) { + ret = ENOMEM; + goto journal_done; + } + + res = asprintf(&code_line, "CODE_LINE=%ld", line); + if (res == -1) { + ret = ENOMEM; + goto journal_done; + } + + /* If this log message was sent from a provider, + * track the domain. + */ + domain = getenv(SSS_DOM_ENV); + if (domain == NULL) { + domain = ""; + } + + /* Send the log message to journald, specifying the + * source code location and other tracking data. 
+ */ + res = sd_journal_send_with_location( + code_file, code_line, function, + "MESSAGE=%s", message, + "PRIORITY=%i", LOG_DEBUG, + "SSSD_DOMAIN=%s", domain, + "SSSD_PRG_NAME=%s", debug_prg_name, + "SSSD_DEBUG_LEVEL=%x", level, + NULL); + ret = -res; + +journal_done: + free(code_line); + free(code_file); + free(message); + return ret; +} +#endif /* WiTH_JOURNALD */ + +void sss_vdebug_fn(const char *file, + long line, + const char *function, + int level, + int flags, + const char *format, + va_list ap) +{ + struct timeval tv; + struct tm *tm; + char datetime[20]; + int year; + +#ifdef WITH_JOURNALD + errno_t ret; + va_list ap_fallback; + + if (sss_logger == JOURNALD_LOGGER) { + /* If we are not outputting logs to files, we should be sending them + * to journald. + * NOTE: on modern systems, this is where stdout/stderr will end up + * from system services anyway. The only difference here is that we + * can also provide extra structuring data to make it more easily + * searchable. + */ + va_copy(ap_fallback, ap); + ret = journal_send(file, line, function, level, format, ap); + if (ret != EOK) { + /* Emergency fallback, send to STDERR */ + debug_vprintf(format, ap_fallback); + debug_fflush(); + } + va_end(ap_fallback); + return; + } +#endif + + if (debug_timestamps) { + gettimeofday(&tv, NULL); + tm = localtime(&tv.tv_sec); + year = tm->tm_year + 1900; + /* get date time without year */ + memcpy(datetime, ctime(&tv.tv_sec), 19); + datetime[19] = '\0'; + if (debug_microseconds) { + debug_printf("(%s:%.6ld %d) [%s] [%s] (%#.4x): ", + datetime, tv.tv_usec, + year, debug_prg_name, + function, level); + } else { + debug_printf("(%s %d) [%s] [%s] (%#.4x): ", + datetime, year, + debug_prg_name, function, level); + } + } else { + debug_printf("[%s] [%s] (%#.4x): ", + debug_prg_name, function, level); + } + + debug_vprintf(format, ap); + if (flags & APPEND_LINE_FEED) { + debug_printf("\n"); + } + debug_fflush(); +} + +void sss_debug_fn(const char *file, + long line, + const 
char *function, + int level, + const char *format, ...) +{ + va_list ap; + + va_start(ap, format); + sss_vdebug_fn(file, line, function, level, 0, format, ap); + va_end(ap); +} + +void ldb_debug_messages(void *context, enum ldb_debug_level level, + const char *fmt, va_list ap) +{ + int loglevel = SSSDBG_UNRESOLVED; + + switch(level) { + case LDB_DEBUG_FATAL: + loglevel = SSSDBG_FATAL_FAILURE; + break; + case LDB_DEBUG_ERROR: + loglevel = SSSDBG_CRIT_FAILURE; + break; + case LDB_DEBUG_WARNING: + loglevel = SSSDBG_TRACE_FUNC; + break; + case LDB_DEBUG_TRACE: + loglevel = SSSDBG_TRACE_ALL; + break; + } + + if (DEBUG_IS_SET(loglevel)) { + sss_vdebug_fn(__FILE__, __LINE__, "ldb", loglevel, APPEND_LINE_FEED, + fmt, ap); + } +} + +/* In cases SSSD used to run as the root user, but runs as the SSSD user now, + * we need to chown the log files + */ +int chown_debug_file(const char *filename, + uid_t uid, gid_t gid) +{ + char *logpath; + const char *log_file; + errno_t ret; + + if (filename == NULL) { + log_file = debug_log_file; + } else { + log_file = filename; + } + + ret = asprintf(&logpath, "%s/%s.log", LOG_PATH, log_file); + if (ret == -1) { + return ENOMEM; + } + + ret = chown(logpath, uid, gid); + free(logpath); + if (ret != 0) { + ret = errno; + if (ret == ENOENT) { + /* Log does not exist. We might log to journald + * or starting for first time. + * It's not a failure. 
*/ + return EOK; + } + + DEBUG(SSSDBG_FATAL_FAILURE, "chown failed for [%s]: [%d]\n", + log_file, ret); + return ret; + } + + return EOK; +} + +int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec) +{ + FILE *f = NULL; + char *logpath; + const char *log_file; + mode_t old_umask; + int ret; + int debug_fd; + int flags; + + if (filename == NULL) { + log_file = debug_log_file; + } else { + log_file = filename; + } + + ret = asprintf(&logpath, "%s/%s.log", LOG_PATH, log_file); + if (ret == -1) { + return ENOMEM; + } + + if (debug_file && !filep) fclose(debug_file); + + old_umask = umask(SSS_DFL_UMASK); + errno = 0; + f = fopen(logpath, "a"); + if (f == NULL) { + sss_log(SSS_LOG_EMERG, "Could not open file [%s]. Error: [%d][%s]\n", + logpath, errno, strerror(errno)); + free(logpath); + return EIO; + } + umask(old_umask); + + debug_fd = fileno(f); + if (debug_fd == -1) { + fclose(f); + free(logpath); + return EIO; + } + + if(want_cloexec) { + flags = fcntl(debug_fd, F_GETFD, 0); + (void) fcntl(debug_fd, F_SETFD, flags | FD_CLOEXEC); + } + + if (filep == NULL) { + debug_file = f; + } else { + *filep = f; + } + free(logpath); + return EOK; +} + +int open_debug_file(void) +{ + return open_debug_file_ex(NULL, NULL, true); +} + +int rotate_debug_files(void) +{ + int ret; + errno_t error; + + if (sss_logger != FILES_LOGGER) return EOK; + + do { + error = 0; + ret = fclose(debug_file); + if (ret != 0) { + error = errno; + } + + /* Check for EINTR, which means we should retry + * because the system call was interrupted by a + * signal + */ + } while (error == EINTR); + + if (error != 0) { + /* Even if we were unable to close the debug log, we need to make + * sure that we open up a new one. Log rotation will remove the + * current file, so all debug messages will be disappearing. + * + * We should write an error to the syslog warning of the resource + * leak and then proceed with opening the new file. 
+ */ + sss_log(SSS_LOG_ALERT, "Could not close debug file [%s]. [%d][%s]\n", + debug_log_file, error, strerror(error)); + sss_log(SSS_LOG_ALERT, "Attempting to open new file anyway. " + "Be aware that this is a resource leak\n"); + } + + debug_file = NULL; + + return open_debug_file(); +} + +void talloc_log_fn(const char *message) +{ + DEBUG(SSSDBG_FATAL_FAILURE, "%s\n", message); +} diff --git a/src/util/debug.h b/src/util/debug.h new file mode 100644 index 0000000..09f50cc --- /dev/null +++ b/src/util/debug.h 
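Review bot: In open_debug_file_ex() (src/util/debug.c) the `fopen()` failure path returns before `umask(old_umask)` runs, so the process keeps `SSS_DFL_UMASK` from then on. `debug_file` has also already been passed to `fclose()` without being cleared, so later debug output would go to a closed stream. Restoring the mask directly after `fopen()` (saving `errno` first for the log message) and adding `debug_file = NULL;` after the `fclose()` addresses both. rotate_debug_files() has a related problem: it calls `fclose(debug_file)` again when the first call fails with `EINTR`, but a stream must not be used after `fclose()` returns, even on error, so the retry loop should be a single call. It also calls `fclose()` without checking that `debug_file` is non-NULL.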
@@ -0,0 +1,161 @@ +/* + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSSD_DEBUG_H__ +#define __SSSD_DEBUG_H__ + +#include "config.h" + +#ifdef HAVE_FUNCTION_ATTRIBUTE_FORMAT +#define SSS_ATTRIBUTE_PRINTF(a1, a2) __attribute__((format (printf, a1, a2))) +#else +#define SSS_ATTRIBUTE_PRINTF(a1, a2) +#endif + +#define APPEND_LINE_FEED 0x1 + +enum sss_logger_t { + STDERR_LOGGER = 0, + FILES_LOGGER, +#ifdef WITH_JOURNALD + JOURNALD_LOGGER, +#endif +}; + +extern const char *sss_logger_str[]; +extern const char *debug_prg_name; +extern int debug_level; +extern int debug_timestamps; +extern int debug_microseconds; +extern int debug_to_file; +extern int debug_to_stderr; +extern enum sss_logger_t sss_logger; +extern const char *debug_log_file; + +void sss_set_logger(const char *logger); + +void sss_vdebug_fn(const char *file, + long line, + const char *function, + int level, + int flags, + const char *format, + va_list ap); +void sss_debug_fn(const char *file, + long line, + const char *function, + int level, + const char *format, ...) 
SSS_ATTRIBUTE_PRINTF(5, 6); +int debug_convert_old_level(int old_level); +errno_t set_debug_file_from_fd(const int fd); +int get_fd_from_debug_file(void); + +#define SSS_DOM_ENV "_SSS_DOM" + +#define SSSDBG_FATAL_FAILURE 0x0010 /* level 0 */ +#define SSSDBG_CRIT_FAILURE 0x0020 /* level 1 */ +#define SSSDBG_OP_FAILURE 0x0040 /* level 2 */ +#define SSSDBG_MINOR_FAILURE 0x0080 /* level 3 */ +#define SSSDBG_CONF_SETTINGS 0x0100 /* level 4 */ +#define SSSDBG_FUNC_DATA 0x0200 /* level 5 */ +#define SSSDBG_TRACE_FUNC 0x0400 /* level 6 */ +#define SSSDBG_TRACE_LIBS 0x1000 /* level 7 */ +#define SSSDBG_TRACE_INTERNAL 0x2000 /* level 8 */ +#define SSSDBG_TRACE_ALL 0x4000 /* level 9 */ +#define SSSDBG_BE_FO 0x8000 /* level 9 */ +#define SSSDBG_IMPORTANT_INFO SSSDBG_OP_FAILURE + +#define SSSDBG_INVALID -1 +#define SSSDBG_UNRESOLVED 0 +#define SSSDBG_MASK_ALL 0xFFF0 /* enable all debug levels */ +#define SSSDBG_DEFAULT SSSDBG_FATAL_FAILURE + +#define SSSDBG_TIMESTAMP_UNRESOLVED -1 +#define SSSDBG_TIMESTAMP_DEFAULT 1 + +#define SSSDBG_MICROSECONDS_UNRESOLVED -1 +#define SSSDBG_MICROSECONDS_DEFAULT 0 + +#define SSSD_LOGGER_OPTS \ + {"logger", '\0', POPT_ARG_STRING, &opt_logger, 0, \ + _("Set logger"), "stderr|files|journald"}, + + +#define SSSD_DEBUG_OPTS \ + {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0, \ + _("Debug level"), NULL}, \ + {"debug-to-files", 'f', POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_file, 0, \ + _("Send the debug output to files instead of stderr"), NULL }, \ + {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN, &debug_to_stderr, 0, \ + _("Send the debug output to stderr directly."), NULL }, \ + {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0, \ + _("Add debug timestamps"), NULL}, \ + {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0, \ + _("Show timestamps with microseconds"), NULL}, + +/** \def DEBUG(level, format, ...) 
+ \brief macro to generate debug messages + + \param level the debug level, please use one of the SSSDBG_* macros + \param format the debug message format string, should result in a + newline-terminated message + \param ... the debug message format arguments +*/ +#define DEBUG(level, format, ...) do { \ + int __debug_macro_level = level; \ + if (DEBUG_IS_SET(__debug_macro_level)) { \ + sss_debug_fn(__FILE__, __LINE__, __FUNCTION__, \ + __debug_macro_level, \ + format, ##__VA_ARGS__); \ + } \ +} while (0) + +/** \def DEBUG_IS_SET(level) + \brief checks whether level is set in debug_level + + \param level the debug level, please use one of the SSSDBG*_ macros +*/ +#define DEBUG_IS_SET(level) (debug_level & (level) || \ + (debug_level == SSSDBG_UNRESOLVED && \ + (level & (SSSDBG_FATAL_FAILURE | \ + SSSDBG_CRIT_FAILURE)))) + +#define DEBUG_INIT(dbg_lvl) do { \ + if (dbg_lvl != SSSDBG_INVALID) { \ + debug_level = debug_convert_old_level(dbg_lvl); \ + } else { \ + debug_level = SSSDBG_UNRESOLVED; \ + } \ +\ + talloc_set_log_fn(talloc_log_fn); \ +} while (0) + +/* CLI tools shall debug to stderr even when SSSD was compiled with journald + * support + */ +#define DEBUG_CLI_INIT(dbg_lvl) do { \ + DEBUG_INIT(dbg_lvl); \ + debug_to_stderr = 1; \ +} while (0) + +#define PRINT(fmt, ...) fprintf(stdout, gettext(fmt), ##__VA_ARGS__) +#define ERROR(fmt, ...) fprintf(stderr, gettext(fmt), ##__VA_ARGS__) + +#endif /* __SSSD_DEBUG_H__ */ diff --git a/src/util/dlinklist.h b/src/util/dlinklist.h new file mode 100644 index 0000000..017c604 --- /dev/null +++ b/src/util/dlinklist.h 
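Review bot: `DEBUG_IS_SET(level)` in src/util/debug.h uses its argument unparenthesised in the second test, `(level & (SSSDBG_FATAL_FAILURE | SSSDBG_CRIT_FAILURE))`, so an argument such as `a | b` would group with `&` in the wrong order. Write `((level) & (SSSDBG_FATAL_FAILURE | SSSDBG_CRIT_FAILURE))`, and likewise `(dbg_lvl)` in `DEBUG_INIT`. sss_vdebug_fn() passes `format` on to `vfprintf()` but, unlike sss_debug_fn(), its declaration carries no format attribute; adding `SSS_ATTRIBUTE_PRINTF(6, 0)` lets format diagnostics apply to its callers. The names `__debug_macro_level` and `__SSSD_DEBUG_H__` fall in the namespace reserved for the implementation.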
@@ -0,0 +1,155 @@ +/* + Unix SMB/CIFS implementation. + some simple double linked list macros + Copyright (C) Andrew Tridgell 1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +/* To use these macros you must have a structure containing a next and + prev pointer */ + +#ifndef _DLINKLIST_H +#define _DLINKLIST_H + + +/* hook into the front of the list */ +#define DLIST_ADD(list, p) \ +do { \ + if (!(list)) { \ + (list) = (p); \ + (p)->next = (p)->prev = NULL; \ + } else { \ + (list)->prev = (p); \ + (p)->next = (list); \ + (p)->prev = NULL; \ + (list) = (p); \ + } \ +} while (0) + +/* remove an element from a list - element doesn't have to be in list. 
*/ +#define DLIST_REMOVE(list, p) \ +do { \ + if ((p) == (list)) { \ + (list) = (p)->next; \ + if (list) { \ + (list)->prev = NULL; \ + } \ + } else { \ + if ((p)->prev) { \ + (p)->prev->next = (p)->next; \ + } \ + if ((p)->next) { \ + (p)->next->prev = (p)->prev; \ + } \ + } \ + if ((p) != (list)) { \ + (p)->next = (p)->prev = NULL; \ + } \ +} while (0) + +/* promote an element to the top of the list */ +#define DLIST_PROMOTE(list, p) \ +do { \ + DLIST_REMOVE(list, p); \ + DLIST_ADD(list, p); \ +} while (0) + +/* hook into the end of the list - needs a tmp pointer */ +#define DLIST_ADD_END(list, p, type) \ +do { \ + if (!(list)) { \ + (list) = (p); \ + (p)->next = (p)->prev = NULL; \ + } else { \ + type tmp; \ + for (tmp = (list); tmp->next; tmp = tmp->next) { \ + /* no op */ \ + } \ + tmp->next = (p); \ + (p)->next = NULL; \ + (p)->prev = tmp; \ + } \ +} while (0) + +/* insert 'p' after the given element 'el' in a list. If el is NULL then + this is the same as a DLIST_ADD() */ +#define DLIST_ADD_AFTER(list, p, el) \ +do { \ + if (!(list) || !(el)) { \ + DLIST_ADD(list, p); \ + } else { \ + p->prev = el; \ + p->next = el->next; \ + el->next = p; \ + if (p->next) { \ + p->next->prev = p; \ + } \ + } \ +} while (0) + +/* demote an element to the end of the list, needs a tmp pointer */ +#define DLIST_DEMOTE(list, p, type) \ +do { \ + DLIST_REMOVE(list, p); \ + DLIST_ADD_END(list, p, type); \ +} while (0) + +/* concatenate two lists - putting all elements of the 2nd list at the + end of the first list */ +#define DLIST_CONCATENATE(list1, list2, type) \ +do { \ + if (!(list1)) { \ + (list1) = (list2); \ + } else { \ + type tmp; \ + for (tmp = (list1); tmp->next; tmp = tmp->next) { \ + /* no op */ \ + } \ + tmp->next = (list2); \ + if (list2) { \ + (list2)->prev = tmp; \ + } \ + } \ +} while (0) + +/* insert all elements from list2 after the given element 'el' in the + * first list */ +#define DLIST_ADD_LIST_AFTER(list1, el, list2, type) \ +do { \ + if (!(list1) || 
!(el) || !(list2)) { \ + DLIST_CONCATENATE(list1, list2, type); \ + } else { \ + type tmp; \ + for (tmp = (list2); tmp->next; tmp = tmp->next) { \ + /* no op */ \ + } \ + (list2)->prev = (el); \ + tmp->next = (el)->next; \ + (el)->next = (list2); \ + if (tmp->next != NULL) { \ + tmp->next->prev = tmp; \ + } \ + } \ +} while (0); + +#define DLIST_FOR_EACH(p, list) \ + for ((p) = (list); (p) != NULL; (p) = (p)->next) + +#define DLIST_FOR_EACH_SAFE(p, q, list) \ + for ((p) = (list), (q) = (p) != NULL ? (p)->next : NULL; \ + (p) != NULL; \ + (p) = (q), (q) = (p) != NULL ? (p)->next : NULL) + +#endif /* _DLINKLIST_H */ diff --git a/src/util/domain_info_utils.c b/src/util/domain_info_utils.c new file mode 100644 index 0000000..8bef6c9 --- /dev/null +++ b/src/util/domain_info_utils.c 
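Review bot: `DLIST_ADD_LIST_AFTER` in src/util/dlinklist.h ends with `} while (0);`, and the extra semicolon means `if (x) DLIST_ADD_LIST_AFTER(...); else ...` does not compile. The last line should be `} while (0)` like the other macros in the file. `DLIST_ADD_AFTER` uses `p` and `el` without parentheses (`p->prev = el;`), unlike the rest of the file, so `(p)->prev = (el);` and so on would be consistent and safe for expression arguments. The macros that declare `type tmp;` also shadow a caller variable named `tmp` if one is passed as an argument. A less common local name would avoid that.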
@@ -0,0 +1,936 @@
+/*
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+
+#include "confdb/confdb.h"
+#include "db/sysdb.h"
+#include "util/util.h"
+
+struct sss_domain_info *get_domains_head(struct sss_domain_info *domain)
+{
+ struct sss_domain_info *dom = NULL;
+
+ /* get to the top level domain */
+ for (dom = domain; dom->parent != NULL; dom = dom->parent);
+
+ return dom;
+}
+
+struct sss_domain_info *get_next_domain(struct sss_domain_info *domain,
+ uint32_t gnd_flags)
+{
+ struct sss_domain_info *dom;
+ bool descend = gnd_flags & SSS_GND_DESCEND;
+ bool include_disabled = gnd_flags & SSS_GND_INCLUDE_DISABLED;
+
+ dom = domain;
+ while (dom) {
+ if (descend && dom->subdomains) {
+ dom = dom->subdomains;
+ } else if (dom->next) {
+ dom = dom->next;
+ } else if (descend && IS_SUBDOMAIN(dom) && dom->parent->next) {
+ dom = dom->parent->next;
+ } else {
+ dom = NULL;
+ }
+
+ if (dom) {
+ if (sss_domain_get_state(dom) == DOM_DISABLED
+ && !include_disabled) {
+ continue;
+ } else {
+ /* Next domain found. 
*/
+ break;
+ }
+ }
+ }
+
+ return dom;
+}
+
+bool subdomain_enumerates(struct sss_domain_info *parent,
+ const char *sd_name)
+{
+ if (parent->sd_enumerate == NULL
+ || parent->sd_enumerate[0] == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Subdomain_enumerate not set\n");
+ return false;
+ }
+
+ if (strcasecmp(parent->sd_enumerate[0], "all") == 0) {
+ return true;
+ } else if (strcasecmp(parent->sd_enumerate[0], "none") == 0) {
+ return false;
+ } else {
+ for (int i=0; parent->sd_enumerate[i]; i++) {
+ if (strcasecmp(parent->sd_enumerate[i], sd_name) == 0) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain,
+ const char *name,
+ bool match_any)
+{
+ struct sss_domain_info *dom = domain;
+
+ if (name == NULL) {
+ return NULL;
+ }
+
+ while (dom && sss_domain_get_state(dom) == DOM_DISABLED) {
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ }
+ while (dom) {
+ if (strcasecmp(dom->name, name) == 0 ||
+ ((match_any == true) && (dom->flat_name != NULL) &&
+ (strcasecmp(dom->flat_name, name) == 0))) {
+ return dom;
+ }
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ }
+
+ return NULL;
+}
+
+struct sss_domain_info *find_domain_by_sid(struct sss_domain_info *domain,
+ const char *sid)
+{
+ struct sss_domain_info *dom = domain;
+ size_t sid_len;
+ size_t dom_sid_len;
+
+ if (sid == NULL) {
+ return NULL;
+ }
+
+ sid_len = strlen(sid);
+
+ while (dom && sss_domain_get_state(dom) == DOM_DISABLED) {
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ }
+
+ while (dom) {
+ if (dom->domain_id != NULL) {
+ dom_sid_len = strlen(dom->domain_id);
+
+ if (strncasecmp(dom->domain_id, sid, dom_sid_len) == 0) {
+ if (dom_sid_len == sid_len) {
+ /* sid is domain sid */
+ return dom;
+ }
+
+ /* sid is object sid, check if domain sid is align with
+ * sid first subauthority component */
+ if (sid[dom_sid_len] == '-') {
+ return dom;
+ }
+ }
+ }
+
+ dom = get_next_domain(dom, SSS_GND_DESCEND);
+ }
+
+ return NULL;
+}
+
+struct sss_domain_info*
+sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain,
+ const char* sid)
+{
+ /* LDAP provider doesn't know about sub-domains and hence can only
+ * have one configured domain
+ */
+ if (strcmp(domain->provider, "ldap") == 0) {
+ return domain;
+ } else {
+ return find_domain_by_sid(get_domains_head(domain), sid);
+ }
+}
+
+struct sss_domain_info *
+find_domain_by_object_name_ex(struct sss_domain_info *domain,
+ const char *object_name, bool strict)
+{
+ TALLOC_CTX *tmp_ctx;
+ struct sss_domain_info *dom = NULL;
+ char *domainname = NULL;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new() failed\n");
+ return NULL;
+ }
+
+ ret = sss_parse_internal_fqname(tmp_ctx, object_name,
+ NULL, &domainname);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s\n",
+ object_name, ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (domainname == NULL) {
+ if (strict) {
+ dom = NULL;
+ } else {
+ dom = domain;
+ }
+ } else {
+ dom = find_domain_by_name(domain, domainname, true);
+ }
+
+done:
+ talloc_free(tmp_ctx);
+ return dom;
+}
+
+struct sss_domain_info *
+find_domain_by_object_name(struct sss_domain_info *domain,
+ const char *object_name)
+{
+ return find_domain_by_object_name_ex(domain, object_name, false);
+}
+
+errno_t sssd_domain_init(TALLOC_CTX *mem_ctx,
+ struct confdb_ctx *cdb,
+ const char *domain_name,
+ const char *db_path,
+ struct sss_domain_info **_domain)
+{
+ int ret;
+ struct sss_domain_info *dom;
+ struct sysdb_ctx *sysdb;
+
+ ret = confdb_get_domain(cdb, domain_name, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error retrieving domain configuration.\n");
+ return ret;
+ }
+
+ if (dom->sysdb != NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Sysdb context already initialized.\n");
+ return EEXIST;
+ }
+
+ ret = sysdb_domain_init(mem_ctx, dom, db_path, &sysdb);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Error opening 
cache database.\n");
+ return ret;
+ }
+
+ dom->sysdb = talloc_steal(dom, sysdb);
+
+ *_domain = dom;
+
+ return EOK;
+}
+
+static errno_t
+sss_krb5_touch_config(void)
+{
+ const char *config = NULL;
+ errno_t ret;
+
+ config = getenv("KRB5_CONFIG");
+ if (config == NULL) {
+ config = KRB5_CONF_PATH;
+ }
+
+ ret = utime(config, NULL);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to change mtime of \"%s\" "
+ "[%d]: %s\n", config, ret, strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+errno_t sss_get_domain_mappings_content(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ char **content)
+{
+ int ret;
+ char *o = NULL;
+ struct sss_domain_info *dom;
+ struct sss_domain_info *parent_dom;
+ char *uc_parent = NULL;
+ char *uc_forest = NULL;
+ char *parent_capaths = NULL;
+ bool capaths_started = false;
+
+ if (domain == NULL || content == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Missing parameter.\n");
+ return EINVAL;
+ }
+
+ o = talloc_strdup(mem_ctx, "[domain_realm]\n");
+ if (o == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* This loops skips the starting parent and start rigth with the first
+ * subdomain. Although in all the interesting cases (AD and IPA) the
+ * default is that realm and DNS domain are the same strings (expect case)
+ * and no domain_realm mapping is needed we might consider to add this
+ * domain here as well to cover corner cases? 
*/
+ for (dom = get_next_domain(domain, SSS_GND_DESCEND);
+ dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
+ dom = get_next_domain(dom, 0)) {
+ o = talloc_asprintf_append(o, ".%s = %s\n%s = %s\n",
+ dom->name, dom->realm, dom->name, dom->realm);
+ if (o == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ parent_dom = domain;
+ uc_parent = get_uppercase_realm(mem_ctx, parent_dom->name);
+ if (uc_parent == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (dom = get_next_domain(domain, SSS_GND_DESCEND);
+ dom && IS_SUBDOMAIN(dom); /* if we get back to a parent, stop */
+ dom = get_next_domain(dom, 0)) {
+
+ if (dom->forest == NULL) {
+ continue;
+ }
+
+ talloc_free(uc_forest);
+ uc_forest = get_uppercase_realm(mem_ctx, dom->forest);
+ if (uc_forest == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (!capaths_started) {
+ o = talloc_asprintf_append(o, "[capaths]\n");
+ if (o == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ capaths_started = true;
+ }
+
+ o = talloc_asprintf_append(o, "%s = {\n %s = %s\n}\n",
+ dom->realm, uc_parent, uc_forest);
+ if (o == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (parent_capaths == NULL) {
+ parent_capaths = talloc_asprintf(mem_ctx, " %s = %s\n", dom->realm,
+ uc_forest);
+ } else {
+ parent_capaths = talloc_asprintf_append(parent_capaths,
+ " %s = %s\n", dom->realm,
+ uc_forest);
+ }
+ if (parent_capaths == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf/talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (parent_capaths != NULL) {
+ o = talloc_asprintf_append(o, "%s = {\n%s}\n", uc_parent,
+ parent_capaths);
+ if (o == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, 
"talloc_asprintf_append failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(parent_capaths);
+ talloc_free(uc_parent);
+ talloc_free(uc_forest);
+
+ if (ret == EOK) {
+ *content = o;
+ } else {
+ talloc_free(o);
+ }
+
+ return ret;
+}
+
+errno_t
+sss_write_domain_mappings(struct sss_domain_info *domain)
+{
+ errno_t ret;
+ errno_t err;
+ TALLOC_CTX *tmp_ctx;
+ const char *mapping_file;
+ char *sanitized_domain;
+ char *tmp_file = NULL;
+ int fd = -1;
+ mode_t old_mode;
+ FILE *fstream = NULL;
+ int i;
+ char *content = NULL;
+
+ if (domain == NULL || domain->name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No domain name provided\n");
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return ENOMEM;
+
+ ret = sss_get_domain_mappings_content(tmp_ctx, domain, &content);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_get_domain_mappings_content failed.\n");
+ goto done;
+ }
+
+ sanitized_domain = talloc_strdup(tmp_ctx, domain->name);
+ if (sanitized_domain == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup() failed\n");
+ return ENOMEM;
+ }
+
+ /* only alpha-numeric chars, dashes and underscores are allowed in
+ * krb5 include directory */
+ for (i = 0; sanitized_domain[i] != '\0'; i++) {
+ if (!isalnum(sanitized_domain[i])
+ && sanitized_domain[i] != '-' && sanitized_domain[i] != '_') {
+ sanitized_domain[i] = '_';
+ }
+ }
+
+ mapping_file = talloc_asprintf(tmp_ctx, "%s/domain_realm_%s",
+ KRB5_MAPPING_DIR, sanitized_domain);
+ if (!mapping_file) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "Mapping file for domain [%s] is [%s]\n",
+ domain->name, mapping_file);
+
+ tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", mapping_file);
+ if (tmp_file == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ old_mode = umask(SSS_DFL_UMASK);
+ fd = mkstemp(tmp_file);
+ umask(old_mode);
+ if (fd < 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "creating the temp file [%s] for domain-realm mappings "
+ "failed.\n", 
tmp_file);
+ ret = EIO;
+ talloc_zfree(tmp_ctx);
+ goto done;
+ }
+
+ fstream = fdopen(fd, "a");
+ if (!fstream) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE, "fdopen failed [%d]: %s\n",
+ ret, strerror(ret));
+ ret = close(fd);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fclose failed [%d][%s].\n", ret, strerror(ret));
+ /* Nothing to do here, just report the failure */
+ }
+ ret = EIO;
+ goto done;
+ }
+
+ ret = fprintf(fstream, "%s", content);
+ if (ret < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "fprintf failed\n");
+ ret = EIO;
+ goto done;
+ }
+
+ ret = fclose(fstream);
+ fstream = NULL;
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fclose failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = rename(tmp_file, mapping_file);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "rename failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ talloc_zfree(tmp_file);
+
+ ret = chmod(mapping_file, 0644);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fchmod failed [%d][%s].\n", ret, strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+done:
+ err = sss_krb5_touch_config();
+ if (err != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to change last modification time "
+ "of krb5.conf. Created mappings may not be loaded.\n");
+ /* Ignore */
+ }
+
+ if (fstream) {
+ err = fclose(fstream);
+ if (err != 0) {
+ err = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fclose failed [%d][%s].\n", err, strerror(err));
+ /* Nothing to do here, just report the failure */
+ }
+ }
+
+ if (tmp_file) {
+ err = unlink(tmp_file);
+ if (err < 0) {
+ err = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not remove file [%s]: [%d]: %s\n",
+ tmp_file, err, strerror(err));
+ }
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/* Save domain names, do not descend. 
*/
+errno_t get_dom_names(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *start_dom,
+ char ***_dom_names,
+ int *_dom_names_count)
+{
+ struct sss_domain_info *dom;
+ TALLOC_CTX *tmp_ctx;
+ char **dom_names;
+ size_t count, i;
+ errno_t ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* get count of domains*/
+ count = 0;
+ dom = start_dom;
+ while (dom) {
+ count++;
+ dom = get_next_domain(dom, 0);
+ }
+
+ dom_names = talloc_array(tmp_ctx, char*, count);
+ if (dom_names == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ /* copy names */
+ i = 0;
+ dom = start_dom;
+ while (dom) {
+ dom_names[i] = talloc_strdup(dom_names, dom->name);
+ if (dom_names[i] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ dom = get_next_domain(dom, 0);
+ i++;
+ }
+
+ if (_dom_names != NULL ) {
+ *_dom_names = talloc_steal(mem_ctx, dom_names);
+ }
+
+ if (_dom_names_count != NULL ) {
+ *_dom_names_count = count;
+ }
+
+ ret = EOK;
+
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static errno_t sss_write_krb5_snippet_common(const char *file_name,
+ const char *content)
+{
+ int ret;
+ errno_t err;
+ TALLOC_CTX *tmp_ctx = NULL;
+ char *tmp_file = NULL;
+ int fd = -1;
+ mode_t old_mode;
+ ssize_t written;
+ size_t size;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ tmp_file = talloc_asprintf(tmp_ctx, "%sXXXXXX", file_name);
+ if (tmp_file == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ old_mode = umask(SSS_DFL_UMASK);
+ fd = mkstemp(tmp_file);
+ umask(old_mode);
+ if (fd < 0) {
+ DEBUG(SSSDBG_OP_FAILURE, "creating the temp file [%s] for "
+ "krb5 config snippet failed.\n", tmp_file);
+ ret = EIO;
+ talloc_zfree(tmp_ctx);
+ goto done;
+ }
+
+ size = strlen(content);
+ written = sss_atomic_write_s(fd, discard_const(content), size);
+ close(fd);
+ if (written == -1) {
+ ret = errno;
+ 
DEBUG(SSSDBG_CRIT_FAILURE,
+ "write failed [%d][%s]\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+ if (written != size) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Wrote %zd bytes expected %zu\n", written, size);
+ ret = EIO;
+ goto done;
+ }
+
+ ret = rename(tmp_file, file_name);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "rename failed [%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
+ tmp_file = NULL;
+
+ ret = chmod(file_name, 0644);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "chmod failed [%d][%s].\n", ret, sss_strerror(ret));
+ goto done;
+ }
+
+done:
+ if (tmp_file != NULL) {
+ err = unlink(tmp_file);
+ if (err == -1) {
+ err = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Could not remove file [%s]: [%d]: %s\n",
+ tmp_file, err, sss_strerror(err));
+ }
+ }
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+#define LOCALAUTH_PLUGIN_CONFIG \
+"[plugins]\n" \
+" localauth = {\n" \
+" module = sssd:"APP_MODULES_PATH"/sssd_krb5_localauth_plugin.so\n" \
+" }\n"
+
+static errno_t sss_write_krb5_localauth_snippet(const char *path)
+{
+#ifdef HAVE_KRB5_LOCALAUTH_PLUGIN
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *file_name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ file_name = talloc_asprintf(tmp_ctx, "%s/localauth_plugin", path);
+ if (file_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "File for localauth plugin configuration is [%s]\n",
+ file_name);
+
+ ret = sss_write_krb5_snippet_common(file_name, LOCALAUTH_PLUGIN_CONFIG);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
+ goto done;
+ }
+
+done:
+
+ talloc_free(tmp_ctx);
+ return ret;
+
+#else
+ DEBUG(SSSDBG_TRACE_ALL, "Kerberos localauth plugin not available.\n");
+ return EOK;
+#endif
+}
+
+static errno_t sss_write_krb5_libdefaults_snippet(const 
char *path,
+ bool canonicalize,
+ bool udp_limit)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx = NULL;
+ const char *file_name;
+ char *file_contents;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ file_name = talloc_asprintf(tmp_ctx, "%s/krb5_libdefaults", path);
+ if (file_name == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_FUNC_DATA, "File for KRB5 kibdefaults configuration is [%s]\n",
+ file_name);
+
+ file_contents = talloc_strdup(tmp_ctx, "[libdefaults]\n");
+ if (file_contents == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf failed while creating the content\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (canonicalize == true) {
+ file_contents = talloc_asprintf_append(file_contents,
+ " canonicalize = true\n");
+ if (file_contents == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf failed while appending to the content\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ if (udp_limit == true) {
+ file_contents = talloc_asprintf_append(file_contents,
+ " udp_preference_limit = 0\n");
+ if (file_contents == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "talloc_asprintf failed while appending to the content\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = sss_write_krb5_snippet_common(file_name, file_contents);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_snippet_common failed.\n");
+ goto done;
+ }
+
+done:
+
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize,
+ bool udp_limit)
+{
+ errno_t ret;
+ errno_t err;
+
+ if (path != NULL && (*path == '\0' || strcasecmp(path, "none") == 0)) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Empty path, nothing to do.\n");
+ return EOK;
+ }
+
+ if (path == NULL || *path != '/') {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Invalid or missing path [%s]-\n",
+ path == NULL ? 
"missing" : path);
+ return EINVAL;
+ }
+
+ ret = sss_write_krb5_localauth_snippet(path);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_localauth_snippet failed.\n");
+ goto done;
+ }
+
+ ret = sss_write_krb5_libdefaults_snippet(path, canonicalize, udp_limit);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "sss_write_krb5_libdefaults_snippet failed.\n");
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ err = sss_krb5_touch_config();
+ if (err != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to change last modification time "
+ "of krb5.conf. Created mappings may not be loaded.\n");
+ /* Ignore */
+ }
+
+ return ret;
+}
+
+static const char *domain_state_str(struct sss_domain_info *dom)
+{
+ switch (dom->state) {
+ case DOM_ACTIVE:
+ return "Active";
+ case DOM_DISABLED:
+ return "Disabled";
+ case DOM_INACTIVE:
+ return "Inactive";
+ case DOM_INCONSISTENT:
+ return "Inconsistent";
+ }
+ return "Unknown";
+}
+
+enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom)
+{
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
+ return dom->state;
+}
+
+void sss_domain_set_state(struct sss_domain_info *dom,
+ enum sss_domain_state state)
+{
+ dom->state = state;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Domain %s is %s\n", dom->name, domain_state_str(dom));
+}
+
+bool sss_domain_is_forest_root(struct sss_domain_info *dom)
+{
+ return (dom->forest_root == dom);
+}
+
+char *subdomain_create_conf_path(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *subdomain)
+{
+ if (!IS_SUBDOMAIN(subdomain)) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "The domain \"%s\" is not a subdomain.\n",
+ subdomain->name);
+ return NULL;
+ }
+
+ return talloc_asprintf(mem_ctx, CONFDB_DOMAIN_PATH_TMPL "/%s",
+ subdomain->parent->name,
+ subdomain->name);
+}
+
+const char *sss_domain_type_str(struct sss_domain_info *dom)
+{
+ if (dom == NULL) {
+ return "BUG: Invalid domain";
+ }
+ switch (dom->type) {
+ case DOM_TYPE_POSIX:
+ return "POSIX";
+ case DOM_TYPE_APPLICATION:
+ return "Application";
+ }
+ return "Unknown";
+}
+
+void sss_domain_info_set_output_fqnames(struct sss_domain_info *domain,
+ bool output_fqnames)
+{
+ domain->output_fqnames = output_fqnames;
+}
+
+bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain)
+{
+ return domain->output_fqnames;
+}
+
+bool is_files_provider(struct sss_domain_info *domain)
+{
+ return domain->provider != NULL &&
+ strcasecmp(domain->provider, "files") == 0;
+}
diff --git a/src/util/files.c b/src/util/files.c
new file mode 100644
index 0000000..33b21e2
--- /dev/null
+++ b/src/util/files.c
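Review bot: In sss_write_domain_mappings(), the mkstemp() failure branch calls `talloc_zfree(tmp_ctx)` and jumps to `done`, where `tmp_file` (allocated on tmp_ctx and still non-NULL) is passed to unlink() and to the DEBUG message, so the cleanup path reads freed memory. sss_write_krb5_snippet_common() has the same sequence in its own mkstemp() failure branch. Since no file exists when mkstemp() fails, the branch should drop only the name, `talloc_zfree(tmp_file);` (or `tmp_file = NULL;`), and leave tmp_ctx to the `talloc_free(tmp_ctx)` at `done`; this assumes talloc_zfree() frees and NULLs its argument, as its later use on tmp_file suggests. Separately, the `return ENOMEM;` after the failed talloc_strdup() of sanitized_domain skips `done` and leaks tmp_ctx; `ret = ENOMEM; goto done;` would match the rest of the function.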
@@ -0,0 +1,886 @@
+/*
+ Authors:
+ Jakub Hrozek
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+/*
+ * This file incorporates work covered by the following copyright and
+ * permission notice:
+ *
+ * Copyright (c) 1991 - 1994, Julianne Frances Haugh
+ * Copyright (c) 1996 - 2001, Marek Michałkiewicz
+ * Copyright (c) 2003 - 2006, Tomasz Kłoczko
+ * Copyright (c) 2007 - 2008, Nicolas François
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ * endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+
+struct copy_ctx {
+ const char *src_orig;
+ const char *dst_orig;
+ dev_t src_dev;
+ uid_t uid;
+ gid_t gid;
+};
+
+static int sss_timeat_set(int dir_fd, const char *path,
+ const struct stat *statp,
+ int flags)
+{
+ int ret;
+
+#ifdef HAVE_UTIMENSAT
+ struct timespec timebuf[2];
+
+ timebuf[0] = statp->st_atim;
+ timebuf[1] = statp->st_mtim;
+
+ ret = utimensat(dir_fd, path, timebuf, flags);
+#else
+ struct timeval tv[2];
+
+ tv[0].tv_sec = statp->st_atime;
+ tv[0].tv_usec = 0;
+ tv[1].tv_sec = statp->st_mtime;
+ tv[1].tv_usec = 0;
+
+ ret = futimesat(dir_fd, path, tv);
+#endif
+ if (ret == -1) {
+ return errno;
+ }
+
+ return EOK;
+}
+
+static int sss_futime_set(int fd, const struct stat *statp)
+{
+ int ret;
+
+#ifdef HAVE_FUTIMENS
+ struct timespec timebuf[2];
+
+ timebuf[0] = statp->st_atim;
+ timebuf[1] = statp->st_mtim;
+ ret = futimens(fd, timebuf);
+#else
+ struct timeval tv[2];
+
+ tv[0].tv_sec = statp->st_atime;
+ tv[0].tv_usec = 0;
+ tv[1].tv_sec = statp->st_mtime;
+ tv[1].tv_usec = 0;
+
+ ret = futimes(fd, tv);
+#endif
+ if (ret == -1) {
+ return errno;
+ }
+
+ return EOK;
+}
+
+/* wrapper in order not to create a temporary context in
+ * every iteration */
+static int remove_tree_with_ctx(TALLOC_CTX *mem_ctx,
+ int parent_fd,
+ const char *dir_name,
+ dev_t parent_dev,
+ bool 
keep_root_dir);
+
+int sss_remove_tree(const char *root)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = remove_tree_with_ctx(tmp_ctx, AT_FDCWD, root, 0, false);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+int sss_remove_subtree(const char *root)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ int ret;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ ret = remove_tree_with_ctx(tmp_ctx, AT_FDCWD, root, 0, true);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/*
+ * The context is not freed in case of error
+ * because this is a recursive function, will be freed when we
+ * reach the top level remove_tree() again
+ */
+static int remove_tree_with_ctx(TALLOC_CTX *mem_ctx,
+ int parent_fd,
+ const char *dir_name,
+ dev_t parent_dev,
+ bool keep_root_dir)
+{
+ struct dirent *result;
+ struct stat statres;
+ DIR *rootdir = NULL;
+ int ret, err;
+ int dir_fd;
+
+ dir_fd = sss_openat_cloexec(parent_fd, dir_name,
+ O_RDONLY | O_DIRECTORY | O_NOFOLLOW, &ret);
+ if (dir_fd == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot open %s: [%d]: %s\n",
+ dir_name, ret, strerror(ret));
+ return ret;
+ }
+
+ rootdir = fdopendir(dir_fd);
+ if (rootdir == NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot open directory: [%d][%s]\n", ret, strerror(ret));
+ close(dir_fd);
+ goto fail;
+ }
+
+ while ((result = readdir(rootdir)) != NULL) {
+ if (strcmp(result->d_name, ".") == 0 ||
+ strcmp(result->d_name, "..") == 0) {
+ continue;
+ }
+
+ ret = fstatat(dir_fd, result->d_name,
+ &statres, AT_SYMLINK_NOFOLLOW);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "stat failed: [%d][%s]\n", ret, strerror(ret));
+ goto fail;
+ }
+
+ if (S_ISDIR(statres.st_mode)) {
+ /* if directory, recursively descend, but check if on the same FS */
+ if (parent_dev && parent_dev != statres.st_dev) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Directory %s is on different filesystem, "
+ "will not 
follow\n", result->d_name);
+ ret = EFAULT;
+ goto fail;
+ }
+
+ ret = remove_tree_with_ctx(mem_ctx, dir_fd, result->d_name,
+ statres.st_dev, false);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Removing subdirectory failed: [%d][%s]\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+ } else {
+ ret = unlinkat(dir_fd, result->d_name, 0);
+ if (ret != 0) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Removing file failed '%s': [%d][%s]\n",
+ result->d_name, ret, strerror(ret));
+ goto fail;
+ }
+ }
+ }
+
+ ret = closedir(rootdir);
+ rootdir = NULL;
+ if (ret != 0) {
+ ret = errno;
+ goto fail;
+ }
+
+ if (!keep_root_dir) {
+ /* Remove also root directory. */
+ ret = unlinkat(parent_fd, dir_name, AT_REMOVEDIR);
+ if (ret == -1) {
+ ret = errno;
+ }
+ }
+
+ ret = EOK;
+fail:
+ if (rootdir) { /* clean up on abnormal exit but retain return code */
+ err = closedir(rootdir);
+ if (err) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "closedir failed, bad dirp?\n");
+ }
+ }
+ return ret;
+}
+
+static char *talloc_readlinkat(TALLOC_CTX *mem_ctx, int dir_fd,
+ const char *filename)
+{
+ size_t size = 1024;
+ ssize_t nchars;
+ char *buffer;
+ char *new_buffer;
+
+ buffer = talloc_array(mem_ctx, char, size);
+ if (!buffer) {
+ return NULL;
+ }
+
+ while (1) {
+ nchars = readlinkat(dir_fd, filename, buffer, size);
+ if (nchars < 0) {
+ talloc_free(buffer);
+ return NULL;
+ }
+
+ if ((size_t) nchars < size) {
+ /* The buffer was large enough */
+ break;
+ }
+
+ /* Try again with a bigger buffer */
+ size *= 2;
+ new_buffer = talloc_realloc(mem_ctx, buffer, char, size);
+ if (!new_buffer) {
+ talloc_free(buffer);
+ return NULL;
+ }
+ buffer = new_buffer;
+ }
+
+ /* readlink does not nul-terminate */
+ buffer[nchars] = '\0';
+ return buffer;
+}
+
+static int
+copy_symlink(int src_dir_fd,
+ int dst_dir_fd,
+ const char *file_name,
+ const char *full_path,
+ const struct stat *statp,
+ uid_t uid, gid_t gid)
+{
+ char *buf;
+ errno_t ret;
+
+ buf = talloc_readlinkat(NULL, src_dir_fd, file_name);
+ if (!buf) {
+ return ENOMEM;
+ }
+
+ ret = selinux_file_context(full_path);
+ if (ret != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set SELinux context for [%s]\n", full_path);
+ /* Not fatal */
+ }
+
+ ret = symlinkat(buf, dst_dir_fd, file_name);
+ talloc_free(buf);
+ if (ret == -1) {
+ ret = errno;
+ if (ret == EEXIST) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "symlink pointing to already exists at '%s'\n", full_path);
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_CRIT_FAILURE, "symlinkat failed: %s\n", strerror(ret));
+ return ret;
+ }
+
+ ret = fchownat(dst_dir_fd, file_name,
+ uid, gid, AT_SYMLINK_NOFOLLOW);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fchownat failed: %s\n", strerror(ret));
+ return ret;
+ }
+
+ ret = sss_timeat_set(dst_dir_fd, file_name, statp,
+ AT_SYMLINK_NOFOLLOW);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "utimensat failed [%d]: %s\n",
+ ret, strerror(ret));
+ /* Do not fail */
+ }
+
+ return EOK;
+}
+
+static int
+copy_file_contents(int ifd,
+ int ofd,
+ mode_t mode,
+ uid_t uid, gid_t gid)
+{
+ errno_t ret;
+ char buf[1024];
+ ssize_t cnt, written;
+
+ while ((cnt = sss_atomic_read_s(ifd, buf, sizeof(buf))) != 0) {
+ if (cnt == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot read() from source file: [%d][%s].\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ errno = 0;
+ written = sss_atomic_write_s(ofd, buf, cnt);
+ if (written == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot write() to destination file: [%d][%s].\n",
+ ret, strerror(ret));
+ goto done;
+ }
+
+ if (written != cnt) {
+ ret = EINVAL;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Wrote %zd bytes, expected %zd\n", written, cnt);
+ goto done;
+ }
+ }
+
+ /* Set the ownership; permissions are still
+ * restrictive. */
+ ret = fchown(ofd, uid, gid);
+ if (ret == -1 && errno != EPERM) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Error changing owner: %s\n",
+ strerror(ret));
+ goto done;
+ }
+
+ /* Set the desired mode. 
*/
+ ret = fchmod(ofd, mode);
+ if (ret == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE, "Error changing mode: %s\n",
+ strerror(ret));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ return ret;
+}
+
+
+/* Copy bytes from input file descriptor ifd into file named
+ * dst_named under directory with dest_dir_fd. Own the new file
+ * by uid/gid
+ */
+static int
+copy_file(int ifd,
+ int dest_dir_fd,
+ const char *file_name,
+ const char *full_path,
+ const struct stat *statp,
+ uid_t uid, gid_t gid)
+{
+ int ofd = -1;
+ errno_t ret;
+
+ ret = selinux_file_context(full_path);
+ if (ret != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set SELinux context for [%s]\n", full_path);
+ /* Not fatal */
+ }
+
+ /* Start with absolutely restrictive permissions */
+ ofd = openat(dest_dir_fd, file_name,
+ O_EXCL | O_CREAT | O_WRONLY | O_NOFOLLOW,
+ 0);
+ if (ofd < 0 && errno != EEXIST) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot open() destination file '%s': [%d][%s].\n",
+ full_path, ret, strerror(ret));
+ goto done;
+ }
+
+ ret = copy_file_contents(ifd, ofd, statp->st_mode, uid, gid);
+ if (ret != EOK) goto done;
+
+
+ ret = sss_futime_set(ofd, statp);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_futime_set failed [%d]: %s\n",
+ ret, strerror(ret));
+ /* Do not fail */
+ }
+ ret = EOK;
+
+done:
+ if (ofd != -1) close(ofd);
+ return ret;
+}
+
+int
+sss_copy_file_secure(const char *src,
+ const char *dest,
+ mode_t mode,
+ uid_t uid, gid_t gid,
+ bool force)
+{
+ int ifd = -1;
+ int ofd = -1;
+ int dest_flags = 0;
+ errno_t ret;
+
+ ret = selinux_file_context(dest);
+ if (ret != 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to set SELinux context for [%s]\n", dest);
+ /* Not fatal */
+ }
+
+ /* Start with absolutely restrictive permissions */
+ dest_flags = O_CREAT | O_WRONLY | O_NOFOLLOW;
+ if (!force) {
+ dest_flags |= O_EXCL;
+ }
+
+ ofd = open(dest, dest_flags, mode);
+ if (ofd < 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot open() destination file '%s': 
[%d][%s].\n", + dest, errno, strerror(errno)); + goto done; + } + + ifd = sss_open_cloexec(src, O_RDONLY | O_NOFOLLOW, &ret); + if (ifd < 0) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot open() source file '%s': [%d][%s].\n", + src, ret, strerror(ret)); + goto done; + } + + ret = copy_file_contents(ifd, ofd, mode, uid, gid); + +done: + if (ifd != -1) close(ifd); + if (ofd != -1) close(ofd); + return ret; +} + +static errno_t +copy_dir(struct copy_ctx *cctx, + int src_dir_fd, const char *src_dir_path, + int dest_parent_fd, const char *dest_dir_name, + const char *dest_dir_path, + mode_t mode, + const struct stat *src_dir_stat); + +static errno_t +copy_entry(struct copy_ctx *cctx, + int src_dir_fd, + const char *src_dir_path, + int dest_dir_fd, + const char *dest_dir_path, + const char *ent_name) +{ + char *src_ent_path = NULL; + char *dest_ent_path = NULL; + int ifd = -1; + errno_t ret; + struct stat st; + + /* Build the path of the source file or directory and its + * corresponding member in the new tree. */ + src_ent_path = talloc_asprintf(cctx, "%s/%s", src_dir_path, ent_name); + dest_ent_path = talloc_asprintf(cctx, "%s/%s", dest_dir_path, ent_name); + if (!src_ent_path || !dest_ent_path) { + ret = ENOMEM; + goto done; + } + + /* Open the input entry first, then we can fstat() it and be + * certain that it is still the same file. O_NONBLOCK protects + * us against FIFOs and perhaps side-effects of the open() of a + * device file if there ever was one here, and doesn't matter + * for regular files or directories. */ + ifd = sss_openat_cloexec(src_dir_fd, ent_name, + O_RDONLY | O_NOFOLLOW | O_NONBLOCK, &ret); + if (ifd == -1 && ret != ELOOP) { + /* openat error */ + DEBUG(SSSDBG_CRIT_FAILURE, "openat failed on '%s': %s\n", + src_ent_path, strerror(ret)); + goto done; + } else if (ifd == -1 && ret == ELOOP) { + /* Should be a symlink.. 
*/ + ret = fstatat(src_dir_fd, ent_name, &st, AT_SYMLINK_NOFOLLOW); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "fstatat failed on '%s': %s\n", + src_ent_path, strerror(ret)); + goto done; + } + + /* Handle symlinks */ + ret = copy_symlink(src_dir_fd, dest_dir_fd, ent_name, + dest_ent_path, &st, cctx->uid, cctx->gid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot copy '%s' to '%s'\n", + src_ent_path, dest_ent_path); + } + goto done; + } + + ret = fstat(ifd, &st); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "couldn't stat '%s': %s\n", src_ent_path, strerror(ret)); + goto done; + } + + if (S_ISDIR(st.st_mode)) { + /* If it's a directory, descend into it. */ + ret = copy_dir(cctx, ifd, src_ent_path, + dest_dir_fd, ent_name, + dest_ent_path, st.st_mode & 07777, + &st); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Couldn't recursively copy '%s' to '%s': %s\n", + src_ent_path, dest_ent_path, strerror(ret)); + goto done; + } + } else if (S_ISREG(st.st_mode)) { + /* Copy a regular file */ + ret = copy_file(ifd, dest_dir_fd, ent_name, dest_ent_path, + &st, cctx->uid, cctx->gid); + if (ret) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot copy '%s' to '%s'\n", + src_ent_path, dest_ent_path); + goto done; + } + } else { + /* Is a special file */ + DEBUG(SSSDBG_FUNC_DATA, "'%s' is a special file, skipping.\n", + src_ent_path); + } + + ret = EOK; +done: + talloc_free(src_ent_path); + talloc_free(dest_ent_path); + if (ifd != -1) close(ifd); + return ret; +} + +static errno_t +copy_dir(struct copy_ctx *cctx, + int src_dir_fd, const char *src_dir_path, + int dest_parent_fd, const char *dest_dir_name, + const char *dest_dir_path, + mode_t mode, + const struct stat *src_dir_stat) +{ + errno_t ret; + errno_t dret; + int dest_dir_fd = -1; + DIR *dir = NULL; + struct dirent *ent; + + if (!dest_dir_path) { + return EINVAL; + } + + dir = fdopendir(src_dir_fd); + if (dir == NULL) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Error reading '%s': 
%s\n", src_dir_path, strerror(ret)); + goto done; + } + + /* Create the directory. It starts owned by us (presumbaly root), with + * fairly restrictive permissions that still allow us to use the + * directory. + * */ + errno = 0; + ret = mkdirat(dest_parent_fd, dest_dir_name, S_IRWXU); + if (ret == -1 && errno != EEXIST) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Error reading '%s': %s\n", dest_dir_path, strerror(ret)); + goto done; + } + + dest_dir_fd = sss_openat_cloexec(dest_parent_fd, dest_dir_name, + O_RDONLY | O_DIRECTORY | O_NOFOLLOW, &ret); + if (dest_dir_fd == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Error opening '%s': %s\n", dest_dir_path, strerror(ret)); + goto done; + } + + while ((ent = readdir(dir)) != NULL) { + /* Iterate through each item in the directory. */ + /* Skip over self and parent hard links. */ + if (strcmp(ent->d_name, ".") == 0 || + strcmp(ent->d_name, "..") == 0) { + continue; + } + + ret = copy_entry(cctx, + src_dir_fd, src_dir_path, + dest_dir_fd, dest_dir_path, + ent->d_name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not copy [%s] to [%s]\n", + src_dir_path, dest_dir_path); + goto done; + } + } + + /* Set the ownership on the directory. Permissions are still + * fairly restrictive. */ + ret = fchown(dest_dir_fd, cctx->uid, cctx->gid); + if (ret == -1 && errno != EPERM) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "Error changing owner of '%s': %s\n", + dest_dir_path, strerror(ret)); + goto done; + } + + /* Set the desired mode. Do this explicitly to preserve S_ISGID and + * other bits. Do this after chown, because chown is permitted to + * reset these bits. 
*/ + ret = fchmod(dest_dir_fd, mode); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "Error setting mode of '%s': %s\n", + dest_dir_path, strerror(ret)); + goto done; + } + + sss_futime_set(dest_dir_fd, src_dir_stat); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "sss_futime_set failed [%d]: %s\n", + ret, strerror(ret)); + /* Do not fail */ + } + + ret = EOK; +done: + if (dir) { + dret = closedir(dir); + if (dret != 0) { + dret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to close directory: %s.\n", strerror(dret)); + } + } + + if (dest_dir_fd != -1) { + close(dest_dir_fd); + } + return ret; +} + +/* NOTE: + * For several reasons, including the fact that we copy even special files + * (pipes, etc) from the skeleton directory, the skeldir needs to be trusted + */ +int sss_copy_tree(const char *src_root, + const char *dst_root, + mode_t mode_root, + uid_t uid, gid_t gid) +{ + int ret = EOK; + struct copy_ctx *cctx = NULL; + int fd = -1; + struct stat s_src; + + fd = sss_open_cloexec(src_root, O_RDONLY | O_DIRECTORY, &ret); + if (fd == -1) { + goto fail; + } + + ret = fstat(fd, &s_src); + if (ret == -1) { + ret = errno; + goto fail; + } + + cctx = talloc_zero(NULL, struct copy_ctx); + if (!cctx) { + ret = ENOMEM; + goto fail; + } + + cctx->src_orig = src_root; + cctx->dst_orig = dst_root; + cctx->src_dev = s_src.st_dev; + cctx->uid = uid; + cctx->gid = gid; + + ret = copy_dir(cctx, fd, src_root, AT_FDCWD, + dst_root, dst_root, mode_root, &s_src); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "copy_dir failed: [%d][%s]\n", ret, strerror(ret)); + goto fail; + } + +fail: + if (fd != -1) close(fd); + reset_selinux_file_context(); + talloc_free(cctx); + return ret; +} + +int sss_create_dir(const char *parent_dir_path, + const char *dir_name, + mode_t mode, + uid_t uid, gid_t gid) +{ + TALLOC_CTX *tmp_ctx; + char *dir_path; + int ret = EOK; + int parent_dir_fd = -1; + int dir_fd = -1; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + 
return ENOMEM; + } + + parent_dir_fd = sss_open_cloexec(parent_dir_path, O_RDONLY | O_DIRECTORY, + &ret); + if (parent_dir_fd == -1) { + DEBUG(SSSDBG_TRACE_FUNC, + "Cannot open() directory '%s' [%d]: %s\n", + parent_dir_path, ret, sss_strerror(ret)); + goto fail; + } + + dir_path = talloc_asprintf(tmp_ctx, "%s/%s", parent_dir_path, dir_name); + if (dir_path == NULL) { + ret = ENOMEM; + goto fail; + } + + errno = 0; + ret = mkdirat(parent_dir_fd, dir_name, mode); + if (ret == -1) { + if (errno == EEXIST) { + ret = EOK; + DEBUG(SSSDBG_TRACE_FUNC, + "Directory '%s' already created!\n", dir_path); + } else { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Error reading '%s': %s\n", parent_dir_path, strerror(ret)); + goto fail; + } + } + + dir_fd = sss_open_cloexec(dir_path, O_RDONLY | O_DIRECTORY, &ret); + if (dir_fd == -1) { + DEBUG(SSSDBG_TRACE_FUNC, + "Cannot open() directory '%s' [%d]: %s\n", + dir_path, ret, sss_strerror(ret)); + goto fail; + } + + errno = 0; + ret = fchown(dir_fd, uid, gid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to own the newly created directory '%s' [%d]: %s\n", + dir_path, ret, sss_strerror(ret)); + goto fail; + } + + ret = EOK; + +fail: + if (parent_dir_fd != -1) { + close(parent_dir_fd); + } + if (dir_fd != -1) { + close(dir_fd); + } + talloc_free(tmp_ctx); + return ret; +} diff --git a/src/util/find_uid.c b/src/util/find_uid.c new file mode 100644 index 0000000..215c0d3 --- /dev/null +++ b/src/util/find_uid.c 
@@ -0,0 +1,352 @@
+/*
+ SSSD
+
+ Create uid table
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/find_uid.h"
+#include "util/util.h"
+#include "util/strtonum.h"
+
+#ifdef HAVE_SYSTEMD_LOGIN
+#include
+#endif
+
+#define INITIAL_TABLE_SIZE 64
+#define PATHLEN (NAME_MAX + 14)
+#define BUFSIZE 4096
+
+static void *hash_talloc(const size_t size, void *pvt)
+{
+ return talloc_size(pvt, size);
+}
+
+static void hash_talloc_free(void *ptr, void *pvt)
+{
+ talloc_free(ptr);
+}
+
+static errno_t get_uid_from_pid(const pid_t pid, uid_t *uid)
+{
+ int ret;
+ char path[PATHLEN];
+ struct stat stat_buf;
+ int fd;
+ char buf[BUFSIZE];
+ char *p;
+ char *e;
+ char *endptr;
+ uint32_t num=0;
+ errno_t error;
+
+ ret = snprintf(path, PATHLEN, "/proc/%d/status", pid);
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed\n");
+ return EINVAL;
+ } else if (ret >= PATHLEN) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "path too long?!?!\n");
+ return EINVAL;
+ }
+
+ fd = open(path, O_RDONLY);
+ if (fd == -1) {
+ error = errno;
+ if (error == ENOENT) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Proc file [%s] is not available anymore, continuing.\n",
+ path);
+ return EOK;
+ } else if (error == EPERM) {
+ /* case of hidepid=1 mount option for
/proc */
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Proc file [%s] is not permissible, continuing.\n",
+ path);
+ return EOK;
+ }
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "open failed [%s][%d][%s].\n", path, error, strerror(error));
+ return error;
+ }
+
+ ret = fstat(fd, &stat_buf);
+ if (ret == -1) {
+ error = errno;
+ if (error == ENOENT) {
+ DEBUG(SSSDBG_TRACE_LIBS,
+ "Proc file [%s] is not available anymore, continuing.\n",
+ path);
+ error = EOK;
+ goto fail_fd;
+ }
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "fstat failed [%d][%s].\n", error, strerror(error));
+ goto fail_fd;
+ }
+
+ if (!S_ISREG(stat_buf.st_mode)) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "not a regular file\n");
+ error = EINVAL;
+ goto fail_fd;
+ }
+
+ errno = 0;
+ ret = sss_atomic_read_s(fd, buf, BUFSIZE);
+ if (ret == -1) {
+ error = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "read failed [%d][%s].\n", error, strerror(error));
+ goto fail_fd;
+ }
+
+ /* Guarantee NULL-termination in case we read the full BUFSIZE somehow */
+ buf[BUFSIZE-1] = '\0';
+
+ ret = close(fd);
+ if (ret == -1) {
+ error = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "close failed [%d][%s].\n", error, strerror(error));
+ }
+
+ p = strstr(buf, "\nUid:\t");
+ if (p != NULL) {
+ p += 6;
+ e = strchr(p,'\t');
+ if (e == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "missing delimiter.\n");
+ return EINVAL;
+ } else {
+ *e = '\0';
+ }
+ num = (uint32_t) strtoint32(p, &endptr, 10);
+ error = errno;
+ if (error != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "strtol failed [%s].\n", strerror(error));
+ return error;
+ }
+ if (*endptr != '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE, "uid contains extra characters\n");
+ return EINVAL;
+ }
+
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE, "format error\n");
+ return EINVAL;
+ }
+
+ *uid = num;
+
+ return EOK;
+
+fail_fd:
+ close(fd);
+ return error;
+}
+
+static errno_t name_to_pid(const char *name, pid_t *pid)
+{
+ long num;
+ char *endptr;
+ errno_t error;
+
+ errno = 0;
+ num = strtol(name, &endptr, 10);
+ error = errno;
+ if (error == ERANGE) {
+
perror("strtol");
+ return error;
+ }
+
+ if (*endptr != '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pid string contains extra characters.\n");
+ return EINVAL;
+ }
+
+ if (num <= 0 || num >= INT_MAX) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "pid out of range.\n");
+ return ERANGE;
+ }
+
+ *pid = num;
+
+ return EOK;
+}
+
+static int only_numbers(char *p)
+{
+ while(*p!='\0' && isdigit(*p)) ++p;
+ return *p;
+}
+
+static errno_t get_active_uid_linux(hash_table_t *table, uid_t search_uid)
+{
+ DIR *proc_dir = NULL;
+ struct dirent *dirent;
+ int ret, err;
+ pid_t pid = -1;
+ uid_t uid;
+
+ hash_key_t key;
+ hash_value_t value;
+
+ proc_dir = opendir("/proc");
+ if (proc_dir == NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot open proc dir.\n");
+ goto done;
+ };
+
+ errno = 0;
+ while ((dirent = readdir(proc_dir)) != NULL) {
+ if (only_numbers(dirent->d_name) != 0) continue;
+ ret = name_to_pid(dirent->d_name, &pid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "name_to_pid failed.\n");
+ goto done;
+ }
+
+ ret = get_uid_from_pid(pid, &uid);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "get_uid_from_pid failed.\n");
+ goto done;
+ }
+
+ if (table != NULL) {
+ key.type = HASH_KEY_ULONG;
+ key.ul = (unsigned long) uid;
+ value.type = HASH_VALUE_ULONG;
+ value.ul = (unsigned long) uid;
+
+ ret = hash_enter(table, &key, &value);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "cannot add to table [%s]\n", hash_error_string(ret));
+ ret = ENOMEM;
+ goto done;
+ }
+ } else {
+ if (uid == search_uid) {
+ ret = EOK;
+ goto done;
+ }
+ }
+
+
+ errno = 0;
+ }
+ if (errno != 0 && dirent == NULL) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE, "readdir failed.\n");
+ goto done;
+ }
+
+ ret = closedir(proc_dir);
+ proc_dir = NULL;
+ if (ret == -1) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "closedir failed, watch out.\n");
+ }
+
+ if (table != NULL) {
+ ret = EOK;
+ } else {
+ ret = ENOENT;
+ }
+
+done:
+ if (proc_dir != NULL) {
+ err = closedir(proc_dir);
+ if (err) {
+
DEBUG(SSSDBG_CRIT_FAILURE, "closedir failed, bad dirp?\n");
+ }
+ }
+ return ret;
+}
+
+errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_t **table)
+{
+#ifdef __linux__
+ int ret;
+
+ ret = hash_create_ex(INITIAL_TABLE_SIZE, table, 0, 0, 0, 0,
+ hash_talloc, hash_talloc_free, mem_ctx,
+ NULL, NULL);
+ if (ret != HASH_SUCCESS) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "hash_create_ex failed [%s]\n", hash_error_string(ret));
+ return ENOMEM;
+ }
+
+ return get_active_uid_linux(*table, 0);
+#else
+ return ENOSYS;
+#endif
+}
+
+errno_t check_if_uid_is_active(uid_t uid, bool *result)
+{
+ int ret;
+
+#ifdef HAVE_SYSTEMD_LOGIN
+ ret = sd_uid_get_sessions(uid, 0, NULL);
+ if (ret > 0) {
+ *result = true;
+ return EOK;
+ }
+ if (ret == 0) {
+ *result = false;
+ }
+ if (ret < 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "systemd-login gave error %d: %s\n",
+ -ret, strerror(-ret));
+ }
+ /* fall back to the old method */
+#endif
+
+ ret = get_active_uid_linux(NULL, uid);
+ if (ret != EOK && ret != ENOENT) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "get_uid_table failed.\n");
+ return ret;
+ }
+
+ if (ret == EOK) {
+ *result = true;
+ } else {
+ *result = false;
+ }
+
+ return EOK;
+}
diff --git a/src/util/find_uid.h b/src/util/find_uid.h
new file mode 100644
index 0000000..e01b3fc
--- /dev/null
+++ b/src/util/find_uid.h
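Review bot: get_uid_from_pid() returns EOK without writing `*uid` when open() fails with ENOENT or EPERM and when fstat() reports ENOENT, yet get_active_uid_linux() declares `uid_t uid;` uninitialised and then inserts it into the table or compares it with `search_uid`. A process that exits or is hidden during the /proc scan therefore feeds an indeterminate UID (or the stale one from the previous iteration) into the answer of check_if_uid_is_active(). I would return `ENOENT` from those three paths and skip the entry in the loop with `if (ret == ENOENT) { errno = 0; continue; }`. Separately, only `buf[BUFSIZE-1]` is terminated after sss_atomic_read_s(), so after a short read strstr() searches bytes of `buf` that were never written; reading at most `BUFSIZE - 1` bytes and then setting `buf[ret] = '\0';` bounds the search to the data actually read.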
@@ -0,0 +1,36 @@
+/*
+ SSSD
+
+ Create uid table
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+#ifndef __FIND_UID_H__
+#define __FIND_UID_H__
+
+#include
+#include
+#include
+
+#include "util/util.h"
+
+errno_t get_uid_table(TALLOC_CTX *mem_ctx, hash_table_t **table);
+errno_t check_if_uid_is_active(uid_t uid, bool *result);
+
+#endif /* __FIND_UID_H__ */
diff --git a/src/util/inotify.c b/src/util/inotify.c
new file mode 100644
index 0000000..2e2dc1a
--- /dev/null
+++ b/src/util/inotify.c
@@ -0,0 +1,563 @@
+/*
+ Copyright (C) 2016 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/inotify.h"
+#include "util/util.h"
+
+/* For parent directories, we want to know if a file was moved there or
+ * created there
+ */
+#define PARENT_DIR_MASK (IN_CREATE | IN_MOVED_TO)
+
+/* This structure is recreated if we need to rewatch the file and/or
+ * directory
+ */
+struct snotify_watch_ctx {
+ int inotify_fd; /* The inotify_fd */
+ struct tevent_fd *tfd; /* Activity on the fd */
+
+ struct snotify_ctx *snctx; /* Pointer up to the main snotify struct */
+
+ /* In case we're also watching the parent directory, otherwise -1.
+ * We keep the variable here and not in snctx so that we're able
+ * to catch even changes to the parent directory
+ */
+ int dir_wd;
+ /* The file watch */
+ int file_wd;
+};
+
+/* This is what we call when an event we're interested in arrives */
+struct snotify_cb_ctx {
+ snotify_cb_fn fn;
+ const char *fn_name;
+ uint32_t mask;
+ void *pvt;
+};
+
+/* One instance of a callback.
We hoard the inotify notifications
+ * until timer fires in caught_flags
+ */
+struct snotify_dispatcher {
+ struct tevent_timer *te;
+ uint32_t caught_flags;
+};
+
+struct snotify_ctx {
+ struct tevent_context *ev;
+
+ /* The full path of the file we're watching,
+ * its file and directory components */
+ const char *filename;
+ const char *dir_name;
+ const char *base_name;
+
+ /* Private pointer passed to the callback */
+ struct snotify_cb_ctx cb;
+ /* A singleton callback dispatcher */
+ struct snotify_dispatcher *disp;
+
+ /* Internal snotify flags */
+ uint16_t snotify_flags;
+ /* The caller might decide to batch the updates and receive
+ * them all together with a delay
+ */
+ struct timeval delay;
+ /* We keep the structure that actually does the work
+ * separately to be able to reinitialize it when the
+ * file is recreated or moved to the directory
+ */
+ struct snotify_watch_ctx *wctx;
+};
+
+struct flg2str {
+ uint32_t flg;
+ const char *str;
+} flg_table[] = {
+ { 0x00000001, "IN_ACCESS" },
+ { 0x00000002, "IN_MODIFY" },
+ { 0x00000004, "IN_ATTRIB" },
+ { 0x00000008, "IN_CLOSE_WRITE" },
+ { 0x00000010, "IN_CLOSE_NOWRITE" },
+ { 0x00000020, "IN_OPEN" },
+ { 0x00000040, "IN_MOVED_FROM" },
+ { 0x00000080, "IN_MOVED_TO" },
+ { 0x00000100, "IN_CREATE" },
+ { 0x00000200, "IN_DELETE" },
+ { 0x00000400, "IN_DELETE_SELF" },
+ { 0x00000800, "IN_MOVE_SELF" },
+ { 0x00002000, "IN_UNMOUNT" },
+ { 0x00004000, "IN_Q_OVERFLOW" },
+ { 0x00008000, "IN_IGNORED" },
+ { 0x01000000, "IN_ONLYDIR" },
+ { 0x02000000, "IN_DONT_FOLLOW" },
+ { 0x04000000, "IN_EXCL_UNLINK" },
+ { 0x20000000, "IN_MASK_ADD" },
+ { 0x40000000, "IN_ISDIR" },
+ { 0x80000000, "IN_ONESHOT" },
+ { 0, NULL },
+};
+
+#if 0
+static void debug_flags(uint32_t flags, const char *file)
+{
+ char msgbuf[1024];
+ size_t total = 0;
+
+ if (!DEBUG_IS_SET(SSSDBG_TRACE_LIBS)) {
+ return;
+ }
+
+ for (int i = 0; flg_table[i].flg != 0; i++) {
+ if (flags & flg_table[i].flg) {
+ total += snprintf(msgbuf+total,
+
sizeof(msgbuf)-total,
+ "%s ", flg_table[i].str);
+ }
+ }
+
+ if (total == 0) {
+ snprintf(msgbuf, sizeof(msgbuf), "NONE\n");
+ }
+ DEBUG(SSSDBG_TRACE_LIBS, "Inotify event: %s on %s\n", msgbuf, file);
+}
+#endif
+
+static void snotify_process_callbacks(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t,
+ void *ptr)
+{
+ struct snotify_ctx *snctx;
+
+ snctx = talloc_get_type(ptr, struct snotify_ctx);
+ if (snctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Bad pointer\n");
+ return;
+ }
+
+ snctx->cb.fn(snctx->filename,
+ snctx->disp->caught_flags,
+ snctx->cb.pvt);
+
+ talloc_zfree(snctx->disp);
+}
+
+static struct snotify_dispatcher *create_dispatcher(struct snotify_ctx *snctx)
+{
+ struct snotify_dispatcher *disp;
+ struct timeval tv;
+
+ disp = talloc_zero(snctx, struct snotify_dispatcher);
+ if (disp == NULL) {
+ return NULL;
+ }
+
+ gettimeofday(&tv, NULL);
+ tv.tv_sec += snctx->delay.tv_sec;
+ tv.tv_usec += snctx->delay.tv_usec;
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Running a timer with delay %ld.%ld\n",
+ (unsigned long) snctx->delay.tv_sec,
+ (unsigned long) snctx->delay.tv_usec);
+
+ disp->te = tevent_add_timer(snctx->ev, disp, tv,
+ snotify_process_callbacks,
+ snctx);
+ if (disp->te == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Unable to queue file update!\n");
+ talloc_free(disp);
+ return NULL;
+ }
+
+ return disp;
+}
+
+static struct snotify_dispatcher *get_dispatcher(struct snotify_ctx *snctx)
+{
+ if (snctx->disp != NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Reusing existing dispatcher\n");
+ return snctx->disp;
+ }
+
+ return create_dispatcher(snctx);
+}
+
+static errno_t dispatch_event(struct snotify_ctx *snctx,
+ uint32_t ev_flags)
+{
+ struct snotify_dispatcher *disp;
+
+ if ((snctx->cb.mask & ev_flags) == 0) {
+ return EOK;
+ }
+
+ disp = get_dispatcher(snctx);
+ if (disp == NULL) {
+ return ENOMEM;
+ }
+
+ disp->caught_flags |= ev_flags;
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Dispatched an event with combined flags 0x%X\n",
+
disp->caught_flags);
+
+ snctx->disp = disp;
+ return EOK;
+}
+
+static errno_t process_dir_event(struct snotify_ctx *snctx,
+ const struct inotify_event *in_event)
+{
+ errno_t ret;
+
+ DEBUG(SSSDBG_TRACE_ALL, "inotify name: %s\n", in_event->name);
+ if (in_event->len == 0 \
+ || strcmp(in_event->name, snctx->base_name) != 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, "Not interested in %s\n", in_event->name);
+ return EOK;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "received notification for watched file [%s] under %s\n",
+ in_event->name, snctx->dir_name);
+
+ /* file the event for the file to see if the caller is interested in it */
+ ret = dispatch_event(snctx, in_event->mask);
+ if (ret == EOK) {
+ /* Tells the outer loop to re-initialize flags once the loop is finished.
+ * However, finish reading all the events first to make sure we don't
+ * miss any
+ */
+ return EAGAIN;
+ }
+
+ return ret;
+}
+
+static errno_t process_file_event(struct snotify_ctx *snctx,
+ const struct inotify_event *in_event)
+{
+ if (in_event->mask & IN_IGNORED) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Will reopen moved or deleted file %s\n", snctx->filename);
+ /* Notify caller of the event, don't quit */
+ return EAGAIN;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "received notification for watched file %s\n", snctx->filename);
+
+ return dispatch_event(snctx, in_event->mask);
+}
+
+static errno_t snotify_rewatch(struct snotify_ctx *snctx);
+
+static void snotify_internal_cb(struct tevent_context *ev,
+ struct tevent_fd *fde,
+ uint16_t flags,
+ void *data)
+{
+ char ev_buf[sizeof(struct inotify_event) + PATH_MAX];
+ const char *ptr;
+ const struct inotify_event *in_event;
+ struct snotify_ctx *snctx;
+ ssize_t len;
+ errno_t ret;
+ bool rewatch;
+
+ snctx = talloc_get_type(data, struct snotify_ctx);
+ if (snctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Bad pointer\n");
+ return;
+ }
+
+ while (1) {
+ len = read(snctx->wctx->inotify_fd, ev_buf, sizeof(ev_buf));
+ if (len == -1) {
+ ret = errno;
+ if (ret != EAGAIN) {
+
DEBUG(SSSDBG_OP_FAILURE,
+ "Cannot read inotify_event [%d]: %s\n",
+ ret, strerror(ret));
+ } else {
+ DEBUG(SSSDBG_TRACE_INTERNAL, "All inotify events processed\n");
+ }
+ return;
+ }
+
+ if ((size_t) len < sizeof(struct inotify_event)) {
+ /* Did not even read the required amount of data, move on.. */
+ continue;
+ }
+
+ for (ptr = ev_buf;
+ ptr < ev_buf + len;
+ ptr += sizeof(struct inotify_event) + in_event->len) {
+
+ in_event = (const struct inotify_event *) ptr;
+
+ //debug_flags(in_event->mask, in_event->name);
+
+ if (snctx->wctx->dir_wd == in_event->wd) {
+ ret = process_dir_event(snctx, in_event);
+ if (ret == EAGAIN) {
+ rewatch = true;
+ /* Continue with the loop and read all the events from
+ * this descriptor first, then rewatch when done
+ */
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to process inotify event\n");
+ continue;
+ }
+ } else if (snctx->wctx->file_wd == in_event->wd) {
+ ret = process_file_event(snctx, in_event);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Failed to process inotify event\n");
+ continue;
+ }
+ } else {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "Unknown watch %d\n", in_event->wd);
+ ret = EOK;
+ }
+ }
+ }
+
+ if (rewatch) {
+ ret = snotify_rewatch(snctx);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "Failed to re-set watch");
+ }
+ }
+}
+
+static int watch_ctx_destructor(void *memptr)
+{
+ struct snotify_watch_ctx *wctx;
+
+ wctx = talloc_get_type(memptr, struct snotify_watch_ctx);
+ if (wctx == NULL) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Bad pointer\n");
+ return 1;
+ }
+
+ /* We don't need to close the watches explicitly. man 7 inotify says:
+ * When all file descriptors referring to an inotify instance
+ * have been closed (using close(2)), the underlying object
+ * and its resources are freed for reuse by the kernel; all
+ * associated watches are automatically freed.
+ */
+ if (wctx->inotify_fd != -1) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Closing inotify fd %d\n", wctx->inotify_fd);
+ close(wctx->inotify_fd);
+ }
+
+ return 0;
+}
+
+static errno_t copy_filenames(struct snotify_ctx *snctx,
+ const char *filename)
+{
+ char *p;
+ char fcopy[PATH_MAX + 1];
+
+ strncpy(fcopy, filename, sizeof(fcopy) - 1);
+ fcopy[PATH_MAX] = '\0';
+
+ p = dirname(fcopy);
+ if (p == NULL) {
+ return EIO;
+ }
+
+ snctx->dir_name = talloc_strdup(snctx, p);
+ if (snctx->dir_name == NULL) {
+ return ENOMEM;
+ }
+
+ strncpy(fcopy, filename, sizeof(fcopy) - 1);
+ fcopy[PATH_MAX] = '\0';
+
+ p = basename(fcopy);
+ if (p == NULL) {
+ return EIO;
+ }
+
+ snctx->base_name = talloc_strdup(snctx, p);
+ if (snctx->base_name == NULL) {
+ return ENOMEM;
+ }
+
+ snctx->filename = talloc_strdup(snctx, filename);
+ if (snctx->filename == NULL) {
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+static struct snotify_watch_ctx *snotify_watch(struct snotify_ctx *snctx,
+ uint32_t mask)
+{
+ struct snotify_watch_ctx *wctx;
+ errno_t ret;
+
+ wctx = talloc_zero(snctx, struct snotify_watch_ctx);
+ if (wctx == NULL) {
+ return NULL;
+ }
+ wctx->inotify_fd = -1;
+ wctx->dir_wd = -1;
+ wctx->file_wd = -1;
+ wctx->snctx = snctx;
+ talloc_set_destructor((TALLOC_CTX *)wctx, watch_ctx_destructor);
+
+ wctx->inotify_fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
+ if (wctx->inotify_fd == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "inotify_init1 failed: %d: %s\n", ret, strerror(ret));
+ goto fail;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Opened inotify fd %d\n", wctx->inotify_fd);
+
+ wctx->tfd = tevent_add_fd(snctx->ev, wctx, wctx->inotify_fd,
+ TEVENT_FD_READ, snotify_internal_cb,
+ snctx);
+ if (wctx->tfd == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot add tevent fd watch for %s\n",
+ snctx->filename);
+ goto fail;
+ }
+
+ wctx->file_wd = inotify_add_watch(wctx->inotify_fd, snctx->filename, mask);
+ if (wctx->file_wd == -1) {
+ ret = errno;
+ if (ret != ENOENT ||
(!(snctx->snotify_flags & SNOTIFY_WATCH_DIR))) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "inotify_add_watch failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Opened file watch %d\n", wctx->file_wd);
+
+ if (snctx->snotify_flags & SNOTIFY_WATCH_DIR) {
+ /* Create a watch for the parent directory. This is useful for cases
+ * where we start watching a file before it's created, but still want
+ * a notification when the file is moved in
+ */
+ wctx->dir_wd = inotify_add_watch(wctx->inotify_fd,
+ snctx->dir_name, PARENT_DIR_MASK);
+ if (wctx->dir_wd == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "inotify_add_watch failed [%d]: %s\n",
+ ret, strerror(ret));
+ goto fail;
+ }
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Opened directory watch %d\n", wctx->dir_wd);
+ }
+
+ return wctx;
+
+fail:
+ talloc_free(wctx);
+ return NULL;
+}
+
+static errno_t snotify_rewatch(struct snotify_ctx *snctx)
+{
+ talloc_free(snctx->wctx);
+
+ snctx->wctx = snotify_watch(snctx, snctx->cb.mask);
+ if (snctx->wctx == NULL) {
+ return ENOMEM;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "Recreated watch\n");
+ return EOK;
+}
+
+struct snotify_ctx *_snotify_create(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ uint16_t snotify_flags,
+ const char *filename,
+ struct timeval *delay,
+ uint32_t mask,
+ snotify_cb_fn fn,
+ const char *fn_name,
+ void *pvt)
+{
+ errno_t ret;
+ struct snotify_ctx *snctx;
+
+ snctx = talloc_zero(mem_ctx, struct snotify_ctx);
+ if (snctx == NULL) {
+ return NULL;
+ }
+
+ snctx->ev = ev;
+ snctx->snotify_flags = snotify_flags;
+ if (delay) {
+ snctx->delay.tv_sec = delay->tv_sec;
+ snctx->delay.tv_usec = delay->tv_usec;
+ }
+
+ snctx->cb.fn = fn;
+ snctx->cb.fn_name = fn_name;
+ snctx->cb.mask = mask;
+ snctx->cb.pvt = pvt;
+
+ ret = copy_filenames(snctx, filename);
+ if (ret != EOK) {
+ talloc_free(snctx);
+ return NULL;
+ }
+
+ snctx->wctx = snotify_watch(snctx, mask);
+ if (snctx->wctx == NULL) {
+ talloc_free(snctx);
+ return NULL;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "Added a watch for %s with inotify flags 0x%X "
+ "internal flags 0x%X "
+ "using function %s after delay %ld.%ld\n",
+ snctx->filename,
+ mask,
+ snotify_flags,
+ fn_name,
+ (unsigned long) snctx->delay.tv_sec,
+ (unsigned long) snctx->delay.tv_usec);
+
+ return snctx;
+}
diff --git a/src/util/inotify.h b/src/util/inotify.h
new file mode 100644
index 0000000..3592944
--- /dev/null
+++ b/src/util/inotify.h
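Review bot: The `if (rewatch)` block at the end of snotify_internal_cb() is unreachable: the `while (1)` loop has no `break` and is left only through the `return` taken when read() fails, including the ordinary EAGAIN case, so snotify_rewatch() is never called after a directory event asks for it. `rewatch` is also declared without an initial value. As far as this hunk shows, a consumer that relies on the watch following a file replaced by rename would stop seeing changes after the first replacement. I would declare `bool rewatch = false;` and replace the `return;` in the read-error branch with `break;` so the rewatch check runs once the descriptor is drained. The EAGAIN that process_file_event() returns for IN_IGNORED is likewise logged as a failure in the `file_wd` branch instead of setting `rewatch`.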
@@ -0,0 +1,61 @@ +/* + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __INOTIFY_H_ +#define __INOTIFY_H_ + +#include +#include +#include + + +typedef int (*snotify_cb_fn)(const char *filename, + uint32_t caught_flags, + void *pvt); + +#define SNOTIFY_WATCH_DIR 0x0001 + +/* + * Set up an inotify watch for file at filename. When an inotify + * event is caught, it must match the "mask" parameter. The watch + * would then call snotify_cb_fn() and include the caught flags. + * + * If snotify_flags includes SNOTIFY_WATCH_DIR, also the parent directory + * of this file would be watched to cover cases where the file might not + * exist when the watch is created. + * + * If you wish to batch inotify requests to avoid hammering the caller + * with several successive requests, use the delay parameter. The function + * would then only send invoke the callback after the delay and the caught + * flags would be OR-ed. By default, the callback is invoked immediately. 
+ * + * Use the pvt parameter to pass a private context to the function + */ +struct snotify_ctx *_snotify_create(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + uint16_t snotify_flags, + const char *filename, + struct timeval *delay, + uint32_t mask, + snotify_cb_fn fn, + const char *fn_name, + void *pvt); + +#define snotify_create(mem_ctx, ev, snotify_flags, filename, delay, mask, fn, pvt) \ + _snotify_create(mem_ctx, ev, snotify_flags, filename, delay, mask, fn, #fn, pvt); + +#endif /* __INOTIFY_H_ */ diff --git a/src/util/io.c b/src/util/io.c new file mode 100644 index 0000000..4d442b4 --- /dev/null +++ b/src/util/io.c 
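Review bot: The `snotify_create` wrapper macro ends in a semicolon, so `ctx = snotify_create(...);` produces an extra empty statement and the macro cannot be used inside an expression or as the unbraced body of an `if` that has an `else`. Drop it so the expansion reads `_snotify_create(mem_ctx, ev, snotify_flags, filename, delay, mask, fn, #fn, pvt)`. The same pattern is in both `PROBE` definitions added in src/util/probes.h, where `} while(0);` defeats the purpose of the do/while wrapper. The doc comment could also state that NULL is returned on failure, as the implementation in inotify.c does, and that the result is a talloc child of `mem_ctx`.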
@@ -0,0 +1,98 @@
+/*
+ SSSD
+
+ io.c
+
+ Authors:
+ Lukas Slebodnik
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+
+#include
+#include
+#include
+
+#include "shared/io.h"
+
+/* CAUTION:
+ * This file have to be minimalist and cannot include DEBUG macros
+ * or header file util.h.
+ */
+
+int sss_open_cloexec(const char *pathname, int flags, int *ret)
+{
+ int fd;
+ int oflags;
+
+ oflags = flags;
+#ifdef O_CLOEXEC
+ oflags |= O_CLOEXEC;
+#endif
+
+ errno = 0;
+ fd = open(pathname, oflags);
+ if (fd == -1) {
+ if (ret) {
+ *ret = errno;
+ }
+ return -1;
+ }
+
+#ifndef O_CLOEXEC
+ int v;
+
+ v = fcntl(fd, F_GETFD, 0);
+ /* we ignore an error, it's not fatal and there is nothing we
+ * can do about it anyways */
+ (void)fcntl(fd, F_SETFD, v | FD_CLOEXEC);
+#endif
+
+ return fd;
+}
+
+int sss_openat_cloexec(int dir_fd, const char *pathname, int flags, int *ret)
+{
+ int fd;
+ int oflags;
+
+ oflags = flags;
+#ifdef O_CLOEXEC
+ oflags |= O_CLOEXEC;
+#endif
+
+ errno = 0;
+ fd = openat(dir_fd, pathname, oflags);
+ if (fd == -1) {
+ if (ret) {
+ *ret = errno;
+ }
+ return -1;
+ }
+
+#ifndef O_CLOEXEC
+ int v;
+
+ v = fcntl(fd, F_GETFD, 0);
+ /* we ignore an error, it's not fatal and there is nothing we
+ * can do about it anyways */
+ (void)fcntl(fd, F_SETFD, v | FD_CLOEXEC);
+#endif
+
+ return fd;
+}
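Review bot: `open(pathname, oflags)` in sss_open_cloexec and `openat(dir_fd, pathname, oflags)` in sss_openat_cloexec forward caller-supplied flags without a mode argument, so a caller that includes `O_CREAT` would create the file with an indeterminate permission mode. Neither wrapper can accept a mode, so either reject the flag up front with `if (flags & O_CREAT) { if (ret) *ret = EINVAL; return -1; }` or state in a comment that the wrappers open existing files only. In the `#ifndef O_CLOEXEC` fallback the result of `fcntl(fd, F_GETFD, 0)` is OR-ed into the `F_SETFD` value unchecked, so a failed F_GETFD (-1) would set every flag bit. That fallback also leaves the descriptor inheritable between the open and the fcntl call, which the comment should mention.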
diff --git a/src/util/memory.c b/src/util/memory.c
new file mode 100644
index 0000000..672129e
--- /dev/null
+++ b/src/util/memory.c
@@ -0,0 +1,68 @@
+/*
+ Authors:
+ Simo Sorce
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "util/util.h"
+
+/*
+ * sssd_mem_attach
+ * This function will take a non-talloc pointer and "attach" it to a talloc
+ * memory context. It will accept a destructor for the original pointer
+ * so that when the parent memory context is freed, the non-talloc
+ * pointer will also be freed properly.
+ */
+
+int password_destructor(void *memctx)
+{
+ char *password = (char *)memctx;
+ int i;
+
+ /* zero out password */
+ for (i = 0; password[i]; i++) password[i] = '\0';
+
+ return 0;
+}
+
+static int mem_holder_destructor(void *ptr)
+{
+ struct mem_holder *h;
+
+ h = talloc_get_type(ptr, struct mem_holder);
+ return h->fn(h->mem);
+}
+
+void *sss_mem_attach(TALLOC_CTX *mem_ctx,
+ void *ptr,
+ void_destructor_fn_t *fn)
+{
+ struct mem_holder *h;
+
+ if (!ptr || !fn) return NULL;
+
+ h = talloc(mem_ctx, struct mem_holder);
+ if (!h) return NULL;
+
+ h->mem = ptr;
+ h->fn = fn;
+ talloc_set_destructor((TALLOC_CTX *)h, mem_holder_destructor);
+
+ return h;
+}
diff --git a/src/util/mmap_cache.h b/src/util/mmap_cache.h
new file mode 100644
index 0000000..63e0960
--- /dev/null
+++ b/src/util/mmap_cache.h
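Review bot: password_destructor wipes the buffer with plain stores, `password[i] = '\0'`, just before the memory is released, which is the pattern an optimizer may remove as dead stores (more plausible with LTO, when the free becomes visible to it). Writing through a volatile pointer, `volatile char *p = password; while (*p) *p++ = '\0';`, or calling `explicit_bzero(password, strlen(password))` where the platform provides it, keeps the wipe in place. The loop stops at the first NUL, so only the string is cleared rather than the whole allocation, and a NULL `memctx` is dereferenced; both limits deserve a comment. The header comment describes sss_mem_attach but sits above password_destructor, and it should add that on a NULL return the caller still owns `ptr`.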
@@ -0,0 +1,155 @@ +/* + SSSD + + Mmap Cache Common header + + Copyright (C) Simo Sorce 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _MMAP_CACHE_H_ +#define _MMAP_CACHE_H_ + +#include "shared/murmurhash3.h" + + +/* NOTE: all the code here assumes that writing a uint32_t nto mmapped + * memory is an atomic operation and can't be split in multiple + * non-atomic operations */ +typedef uint32_t rel_ptr_t; + +/* align macros */ +#define MC_8 sizeof(uint8_t) +#define MC_32 sizeof(uint32_t) +#define MC_64 sizeof(uint64_t) +#define MC_ALIGN32(size) ( ((size) + MC_32 -1) & (~(MC_32 -1)) ) +#define MC_ALIGN64(size) ( ((size) + MC_64 -1) & (~(MC_64 -1)) ) +#define MC_HEADER_SIZE MC_ALIGN64(sizeof(struct sss_mc_header)) + +#define MC_HT_SIZE(elems) ( (elems) * MC_32 ) +#define MC_HT_ELEMS(size) ( (size) / MC_32 ) +#define MC_DT_SIZE(elems, payload) ( (elems) * (payload) ) +#define MC_FT_SIZE(elems) ( (elems) / 8 ) +/* ^^ 8 bits per byte so we need just elems/8 bytes to represent all blocks */ + +#define MC_PTR_ADD(ptr, bytes) (void *)((uint8_t *)(ptr) + (bytes)) +#define MC_PTR_DIFF(ptr, base) ((uint8_t *)(ptr) - (uint8_t *)(base)) + +#define MC_INVALID_VAL64 ((uint64_t)-1) +#define MC_INVALID_VAL32 ((uint32_t)-1) +#define MC_INVALID_VAL8 ((uint8_t)-1) +#define MC_INVALID_VAL MC_INVALID_VAL32 + +/* + * 40 seem a good compromise for slot size + * 4 blocks are enough for the average passwd entry of 42 bytes + * 
passwd records have 84 bytes of overhead, 160 - 82 = 78 bytes + * 3 blocks can contain a very minimal entry, 120 - 82 = 38 bytes + * + * 3 blocks are enough for groups w/o users (private user groups) + * group records have 68 bytes of overhead, 120 - 66 = 54 bytes + */ +#define MC_SLOT_SIZE 40 +#define MC_SIZE_TO_SLOTS(len) (((len) + (MC_SLOT_SIZE - 1)) / MC_SLOT_SIZE) +#define MC_PTR_TO_SLOT(base, ptr) (MC_PTR_DIFF(ptr, base) / MC_SLOT_SIZE) +#define MC_SLOT_TO_PTR(base, slot, type) \ + (type *)((base) + ((slot) * MC_SLOT_SIZE)) + +#define MC_SLOT_WITHIN_BOUNDS(slot, dt_size) \ + ((slot) < ((dt_size) / MC_SLOT_SIZE)) + +#define MC_VALID_BARRIER(val) (((val) & 0xff000000) == 0xf0000000) + +#define MC_CHECK_RECORD_LENGTH(mc_ctx, rec) \ + ((rec)->len >= MC_HEADER_SIZE && (rec)->len != MC_INVALID_VAL32 \ + && ((rec)->len <= ((mc_ctx)->dt_size \ + - MC_PTR_DIFF(rec, (mc_ctx)->data_table)))) + + +#define SSS_MC_MAJOR_VNO 1 +#define SSS_MC_MINOR_VNO 1 + +#define SSS_MC_HEADER_UNINIT 0 /* after ftruncate or before reset */ +#define SSS_MC_HEADER_ALIVE 1 /* current and in use */ +#define SSS_MC_HEADER_RECYCLED 2 /* file was recycled, reopen asap */ + +#pragma pack(1) +struct sss_mc_header { + uint32_t b1; /* barrier 1 */ + uint32_t major_vno; /* major version number */ + uint32_t minor_vno; /* minor version number */ + uint32_t status; /* database status */ + uint32_t seed; /* random seed used to avoid collision attacks */ + uint32_t dt_size; /* data table size */ + uint32_t ft_size; /* free table size */ + uint32_t ht_size; /* hash table size */ + rel_ptr_t data_table; /* data table pointer relative to mmap base */ + rel_ptr_t free_table; /* free table pointer relative to mmap base */ + rel_ptr_t hash_table; /* hash table pointer relative to mmap base */ + rel_ptr_t reserved; /* reserved for future changes */ + uint32_t b2; /* barrier 2 */ +}; + +struct sss_mc_rec { + uint32_t b1; /* barrier 1 */ + uint32_t len; /* total record length including record data */ + uint64_t 
expire; /* record expiration time (cast to time_t) */ + rel_ptr_t next1; /* ptr of next record rel to data_table */ + /* next1 is related to hash1 */ + rel_ptr_t next2; /* ptr of next record rel to data_table */ + /* next2 is related to hash2 */ + uint32_t hash1; /* val of first hash (usually name of record) */ + uint32_t hash2; /* val of second hash (usually id of record) */ + uint32_t padding; /* padding & reserved for future changes */ + uint32_t b2; /* barrier 2 - 32 bytes mark, fits a slot */ + char data[0]; +}; + +struct sss_mc_pwd_data { + rel_ptr_t name; /* ptr to name string, rel. to struct base addr */ + uint32_t uid; + uint32_t gid; + uint32_t strs_len; /* length of strs */ + char strs[0]; /* concatenation of all passwd strings, each + * string is zero terminated ordered as follows: + * name, passwd, gecos, dir, shell */ +}; + +struct sss_mc_grp_data { + rel_ptr_t name; /* ptr to name string, rel. to struct base addr */ + uint32_t gid; + uint32_t members; /* number of members in strs */ + uint32_t strs_len; /* length of strs */ + char strs[0]; /* concatenation of all group strings, each + * string is zero terminated ordered as follows: + * name, passwd, member1, member2, ... */ +}; + +struct sss_mc_initgr_data { + rel_ptr_t unique_name; /* ptr to unique name string, rel. to struct base addr */ + rel_ptr_t name; /* ptr to raw name string, rel. to struct base addr */ + rel_ptr_t strs; /* ptr to concatenation of all strings */ + uint32_t strs_len; /* length of strs */ + uint32_t data_len; /* all initgroups data len */ + uint32_t num_groups; /* number of groups */ + uint32_t gids[0]; /* array of all groups + * string with name and unique_name is stored + * after gids */ +}; + +#pragma pack() + + +#endif /* _MMAP_CACHE_H_ */ diff --git a/src/util/murmurhash3.c b/src/util/murmurhash3.c new file mode 100644 index 0000000..f8db9d2 --- /dev/null +++ b/src/util/murmurhash3.c 
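Review bot: `MC_SLOT_TO_PTR(base, slot, type)` adds the byte offset to `base` as passed, so it is only correct when `base` is a byte pointer, unlike `MC_PTR_ADD`, which casts to `uint8_t *` first; `(type *)MC_PTR_ADD(base, (slot) * MC_SLOT_SIZE)` would remove that dependence. The macro does no range check of its own, so its comment should say that a slot or `rel_ptr_t` value read from the mapped file has to pass `MC_SLOT_WITHIN_BOUNDS` before it is converted. `MC_CHECK_RECORD_LENGTH` uses `MC_HEADER_SIZE`, the aligned size of the file header, as the minimum record length rather than `sizeof(struct sss_mc_rec)`; if that is intended, a one-line comment would help. The overhead figures in the `MC_SLOT_SIZE` comment disagree with themselves (84 vs 82, 68 vs 66).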
@@ -0,0 +1,116 @@ +/* This file is based on the public domain MurmurHash3 from Austin Appleby: + * http://code.google.com/p/smhasher/source/browse/trunk/MurmurHash3.cpp + * + * We use only the 32 bit variant because the 2 produce different result while + * we need to produce the same result regardless of the architecture as + * clients can be both 64 or 32 bit at the same time. + */ + +#include +#include +#include + +#include "config.h" +#include "shared/murmurhash3.h" +#include "util/sss_endian.h" + +static uint32_t rotl(uint32_t x, int8_t r) +{ + return (x << r) | (x >> (32 - r)); +} + +/* slower than original but is endian neutral and handles platforms that + * do only aligned reads */ +__attribute__((always_inline)) +static inline uint32_t getblock(const uint8_t *p, int i) +{ + uint32_t r; + size_t size = sizeof(uint32_t); + + memcpy(&r, &p[i * size], size); + + return le32toh(r); +} + +/* + * Finalization mix - force all bits of a hash block to avalanche + */ + +__attribute__((always_inline)) +static inline uint32_t fmix(uint32_t h) +{ + h ^= h >> 16; + h *= 0x85ebca6b; + h ^= h >> 13; + h *= 0xc2b2ae35; + h ^= h >> 16; + + return h; +} + + +uint32_t murmurhash3(const char *key, int len, uint32_t seed) +{ + const uint8_t *blocks; + const uint8_t *tail; + int nblocks; + uint32_t h1; + uint32_t k1; + uint32_t c1; + uint32_t c2; + int i; + + blocks = (const uint8_t *)key; + nblocks = len / 4; + h1 = seed; + c1 = 0xcc9e2d51; + c2 = 0x1b873593; + + /* body */ + + for (i = 0; i < nblocks; i++) { + + k1 = getblock(blocks, i); + + k1 *= c1; + k1 = rotl(k1, 15); + k1 *= c2; + + h1 ^= k1; + h1 = rotl(h1, 13); + h1 = h1 * 5 + 0xe6546b64; + } + + /* tail */ + + tail = (const uint8_t *)key + nblocks * 4; + + k1 = 0; + + switch (len & 3) { + case 3: + k1 ^= tail[2] << 16; + SSS_ATTRIBUTE_FALLTHROUGH; + case 2: + k1 ^= tail[1] << 8; + SSS_ATTRIBUTE_FALLTHROUGH; + case 1: + k1 ^= tail[0]; + k1 *= c1; + k1 = rotl(k1, 15); + k1 *= c2; + h1 ^= k1; + break; + default: + break; + 
} + + /* finalization */ + + h1 ^= len; + h1 = fmix(h1); + + return h1; +} + + diff --git a/src/util/nscd.c b/src/util/nscd.c new file mode 100644 index 0000000..5c72847 --- /dev/null +++ b/src/util/nscd.c 
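Review bot: murmurhash3 takes `len` as a signed `int` and never checks it, so a negative length makes `nblocks` negative, skips the body loop and places `tail` before the start of `key`, after which `len & 3` can still select a case that reads `tail[0]` to `tail[2]`. Either guard at the top, for example `if (len < 0) return fmix(seed);`, or document on the prototype that `len` must be non-negative; the callers are not visible in this hunk, so which one fits is for the author to decide. `rotl` takes its shift count as `int8_t` and is only defined for counts 1 to 31, which a short comment should state. An explicit `(uint32_t)` cast on `tail[2] << 16` would make the promoted-`int` shift obviously safe.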
@@ -0,0 +1,223 @@ +/* + SSSD + + nscd.c + + Copyright (C) Jakub Hrozek 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include + +#include "util/util.h" +#include "tools/tools_util.h" + +#ifndef NSCD_RELOAD_ARG +#define NSCD_RELOAD_ARG "-i" +#endif + +#if defined(NSCD_PATH) && defined(HAVE_NSCD) +int flush_nscd_cache(enum nscd_db flush_db) +{ + const char *service; + pid_t nscd_pid; + int ret, status; + + switch(flush_db) { + case NSCD_DB_PASSWD: + service = "passwd"; + break; + + case NSCD_DB_GROUP: + service = "group"; + break; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, "Unknown nscd database\n"); + ret = EINVAL; + goto done; + } + + nscd_pid = fork(); + switch (nscd_pid) { + case 0: + execl(NSCD_PATH, NSCD_PATH, NSCD_RELOAD_ARG, service, NULL); + /* if this returns it is an error */ + DEBUG(SSSDBG_CRIT_FAILURE, + "execl(3) failed: %d(%s)\n", errno, strerror(errno)); + exit(errno); + case -1: + DEBUG(SSSDBG_CRIT_FAILURE, "fork failed\n"); + ret = EFAULT; + break; + default: + do { + errno = 0; + ret = waitpid(nscd_pid, &status, 0); + } while (ret == -1 && errno == EINTR); + if (ret > 0) { + if (WIFEXITED(status)) { + ret = WEXITSTATUS(status); + if (ret > 0) { + /* The flush fails if nscd is not running, so do not care + * about the return code */ + DEBUG(SSSDBG_TRACE_INTERNAL, + "Error flushing cache, is nscd running?\n"); + } + } + 
} else { + DEBUG(SSSDBG_FUNC_DATA, + "Failed to wait for children %d\n", nscd_pid); + ret = EIO; + } + } + +done: + return ret; +} + +#else /* defined(NSCD_PATH) && defined(HAVE_NSCD) */ +int flush_nscd_cache(enum nscd_db flush_db) +{ + return EOK; +} +#endif + +/* NSCD config file parse and check */ + +static unsigned int sss_nscd_check_service(char* svc_name) +{ + struct sss_nscd_db { + const char *svc_type_name; + unsigned int nscd_service_flag; + }; + + int i; + unsigned int ret = 0; + struct sss_nscd_db db[] = { + { "passwd", 0x0001 }, + { "group", 0x0010 }, + { "netgroup", 0x0100 }, + { "services", 0x1000 }, + { NULL, 0 } + }; + + if (svc_name == NULL) { + return ret; + } + + for (i = 0; db[i].svc_type_name != NULL; i++) { + if (!strcmp(db[i].svc_type_name, svc_name)) { + + ret = db[i].nscd_service_flag; + break; + } + } + + return ret; +} + +errno_t sss_nscd_parse_conf(const char *conf_path) +{ + FILE *fp; + int ret = EOK; + unsigned int occurred = 0; + char *line, *entry, *service, *enabled, *pad; + size_t linelen = 0; + + fp = fopen(conf_path, "r"); + if (fp == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Couldn't open NSCD configuration " + "file [%s]\n", NSCD_CONF_PATH); + return ENOENT; + } + + while (getline(&line, &linelen, fp) != -1) { + + pad = strchr(line, '#'); + if (pad != NULL) { + *pad = '\0'; + } + + if (line[0] == '\n' || line[0] == '\0') continue; + + entry = line; + while (isspace(*entry) && *entry != '\0') { + entry++; + } + + pad = entry; + while (!isspace(*pad) && *pad != '\0') { + pad++; + } + + service = pad; + while (isspace(*service) && *service != '\0') { + service++; + } + + *pad = '\0'; + pad = service; + while (!isspace(*pad) && *pad != '\0') { + pad++; + } + + enabled = pad; + while (isspace(*enabled) && *enabled != '\0') { + enabled++; + } + + *pad = '\0'; + pad = enabled; + while (!isspace(*pad) && *pad != '\0') { + pad++; + } + *pad = '\0'; + + if (!strcmp(entry, "enable-cache") && + !strcmp(enabled, "yes")) { + + occurred |= 
sss_nscd_check_service(service); + } + }; + + ret = ferror(fp); + if (ret) { + DEBUG(SSSDBG_MINOR_FAILURE, "Reading NSCD configuration file [%s] " + "ended with failure [%d]: %s.\n", + NSCD_CONF_PATH, ret, strerror(ret)); + ret = ENOENT; + goto done; + } + + ret = EOK; + if (occurred != 0) { + ret = EEXIST; + goto done; + } + +done: + free(line); + fclose(fp); + + return ret; +} diff --git a/src/util/probes.h b/src/util/probes.h new file mode 100644 index 0000000..effce49 --- /dev/null +++ b/src/util/probes.h @@ -0,0 +1,46 @@ +/* + Copyright (C) 2015 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __PROBES_H_ +#define __PROBES_H_ + +#ifdef HAVE_SYSTEMTAP + +#include "stap_generated_probes.h" + +/* Probe expansion inspired by libvirt */ +#define PROBE_EXPAND(NAME, ...) NAME(__VA_ARGS__) + +#define PROBE(NAME, ...) do { \ + if (SSSD_ ## NAME ## _ENABLED()) { \ + PROBE_EXPAND(SSSD_ ## NAME, \ + __VA_ARGS__); \ + } \ +} while(0); + +/* Systemtap doesn't handle copying NULL strings well */ +#define PROBE_SAFE_STR(s) ((s) ? (s) : "") + +#else + +/* No systemtap, define empty macros */ +#define PROBE(NAME, ...) do { \ +} while(0); + +#endif + +#endif /* __PROBES_H_ */ diff --git a/src/util/refcount.c b/src/util/refcount.c new file mode 100644 index 0000000..69873d3 --- /dev/null +++ b/src/util/refcount.c 
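Review bot: In sss_nscd_parse_conf `line` is declared without an initializer and then passed to `getline(&line, &linelen, fp)`; POSIX expects `*lineptr` to be NULL or a malloc'd buffer, so the declaration should give it one, `char *line = NULL;`. The `isspace(*entry)` style calls pass a plain `char`, which is undefined for negative values; cast to `unsigned char`. Both DEBUG messages print `NSCD_CONF_PATH` although the file opened is `conf_path`, and `strerror(ret)` is applied to the return value of `ferror()`, which is not an errno code. In flush_nscd_cache the forked child calls `exit(errno)` after DEBUG may have changed errno; saving errno first and leaving through `_exit()` would avoid running the parent's atexit handlers in the child.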
@@ -0,0 +1,92 @@ +/* + SSSD + + Simple reference counting wrappers for talloc. + + Authors: + Martin Nagy + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "refcount.h" +#include "util/util.h" + +struct wrapper { + int *refcount; + void *ptr; +}; + +static int +refcount_destructor(struct wrapper *wrapper) +{ + (*wrapper->refcount)--; + if (*wrapper->refcount == 0) { + talloc_free(wrapper->ptr); + }; + + return 0; +} + +void * +_rc_alloc(const void *context, size_t size, size_t refcount_offset, + const char *type_name) +{ + struct wrapper *wrapper; + char *refcount_pos; + + wrapper = talloc(context, struct wrapper); + if (wrapper == NULL) { + return NULL; + } + + wrapper->ptr = talloc_named_const(NULL, size, type_name); + if (wrapper->ptr == NULL) { + talloc_free(wrapper); + return NULL; + }; + + refcount_pos = (char *)wrapper->ptr + refcount_offset; + wrapper->refcount = DISCARD_ALIGN(refcount_pos, int *); + *wrapper->refcount = 1; + + talloc_set_destructor(wrapper, refcount_destructor); + + return wrapper->ptr; +} + +void * +_rc_reference(const void *context, size_t refcount_offset, void *source) +{ + struct wrapper *wrapper; + char *refcount_pos; + + wrapper = talloc(context, struct wrapper); + if (wrapper == NULL) { + return NULL; + } + + wrapper->ptr = source; + refcount_pos = (char *)wrapper->ptr + refcount_offset; + wrapper->refcount = 
DISCARD_ALIGN(refcount_pos, int *); + (*wrapper->refcount)++; + + talloc_set_destructor(wrapper, refcount_destructor); + + return wrapper->ptr; +} diff --git a/src/util/refcount.h b/src/util/refcount.h new file mode 100644 index 0000000..3dd71cf --- /dev/null +++ b/src/util/refcount.h 
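Review bot: _rc_reference computes `refcount_pos` from `source` and increments through it without checking `source`, so a NULL argument is dereferenced even though refcount.h documents the call as returning NULL on failure; add `if (source == NULL) return NULL;` before the talloc call. _rc_alloc likewise trusts `refcount_offset`, and an early `if (refcount_offset + sizeof(int) > size) return NULL;` would catch a mismatched type. The memory obtained from `talloc_named_const` is not zeroed, so only the counter is initialised, which deserves a comment for callers. The stray `;` after the closing braces in refcount_destructor and _rc_alloc can go.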
@@ -0,0 +1,63 @@ +/* + SSSD + + Simple reference counting wrappers for talloc. + + Authors: + Martin Nagy + + Copyright (C) Red Hat, Inc 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __REFCOUNT_H__ +#define __REFCOUNT_H__ + +#include + +#define REFCOUNT_MEMBER_NAME DO_NOT_TOUCH_THIS_MEMBER_refcount + +/* + * Include this member in your structure in order to be able to use it with + * the refcount_* functions. + */ +#define REFCOUNT_COMMON int REFCOUNT_MEMBER_NAME + +/* + * Allocate a new structure that uses reference counting. The resulting pointer + * returned. You must not free the returned pointer manually. It will be freed + * when 'ctx' is freed with talloc_free() and no other references are left. + */ +#define rc_alloc(ctx, type) \ + (type *)_rc_alloc(ctx, sizeof(type), offsetof(type, REFCOUNT_MEMBER_NAME), \ + #type) + +/* + * Increment the reference count of 'src' and return it back if we are + * successful. The reference count will be decremented after 'ctx' has been + * released by talloc_free(). The function will return NULL in case of failure. + */ +#define rc_reference(ctx, type, src) \ + (type *)_rc_reference(ctx, offsetof(type, REFCOUNT_MEMBER_NAME), src) + +/* + * These functions should not be used directly. Use the above macros instead. 
+ */ +void *_rc_alloc(const void *context, size_t size, size_t refcount_offset, + const char *type_name); +void *_rc_reference(const void *context, size_t refcount_offset, void *source); + + +#endif /* !__REFCOUNT_H__ */ diff --git a/src/util/safe-format-string.c b/src/util/safe-format-string.c new file mode 100644 index 0000000..11532d4 --- /dev/null +++ b/src/util/safe-format-string.c 
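Review bot: The comment on `REFCOUNT_COMMON` points readers at "the refcount_* functions", but the API this header declares is `rc_alloc` and `rc_reference`; the comment should name those. The `rc_alloc` comment has a truncated sentence ("The resulting pointer returned.") and does not say that NULL is returned on allocation failure, which _rc_alloc in refcount.c does. `rc_reference` passes `src` through `void *`, so an object of a different type than `type` compiles silently; a line saying `src` must have been created by `rc_alloc` with the same `type` would help. The guard name `__REFCOUNT_H__` is a reserved identifier.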
@@ -0,0 +1,309 @@ +/* + * This file originated in the realmd project + * + * Copyright 2013 Red Hat Inc + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; either version 2 of the licence or (at + * your option) any later version. + * + * See the included COPYING file for more information. + * + * Author: Stef Walter + */ + +/* + * Some snippets of code from gnulib, but have since been refactored + * to within an inch of their life... + * + * vsprintf with automatic memory allocation. + * Copyright (C) 1999, 2002-2003 Free Software Foundation, Inc. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU Library General Public License as published + * by the Free Software Foundation; either version 2, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Library General Public License for more details. + */ + +#include "config.h" + +#include "safe-format-string.h" + +#include +#include +#include + +#ifndef MIN +#define MIN(a, b) (((a) < (b)) ? (a) : (b)) +#endif + +#ifndef MAX +#define MAX(a, b) (((a) > (b)) ? 
(a) : (b)) +#endif + +static void +safe_padding (int count, + int *total, + void (* copy_fn) (void *, const char *, size_t), + void *data) +{ + char eight[] = " "; + int num; + + while (count > 0) { + num = MIN (count, 8); + copy_fn (data, eight, num); + count -= num; + *total += num; + } +} + +static void +dummy_copy_fn (void *data, + const char *piece, + size_t len) +{ + +} + +int +safe_format_string_cb (void (* copy_fn) (void *, const char *, size_t), + void *data, + const char *format, + const char * const args[], + int num_args) +{ + int at_arg = 0; + const char *cp; + int precision; + int width; + int len; + const char *value; + int total; + int left; + int i; + + if (!copy_fn) + copy_fn = dummy_copy_fn; + + total = 0; + cp = format; + + while (*cp) { + + /* Piece of raw string */ + if (*cp != '%') { + len = strcspn (cp, "%"); + copy_fn (data, cp, len); + total += len; + cp += len; + continue; + } + + cp++; + + /* An literal percent sign? */ + if (*cp == '%') { + copy_fn (data, "%", 1); + total++; + cp++; + continue; + } + + value = NULL; + left = 0; + precision = -1; + width = -1; + + /* Test for positional argument. */ + if (*cp >= '0' && *cp <= '9') { + /* Look-ahead parsing, otherwise skipped */ + if (cp[strspn (cp, "0123456789")] == '$') { + unsigned int n = 0; + for (i = 0; i < 6 && *cp >= '0' && *cp <= '9'; i++, cp++) { + n = 10 * n + (*cp - '0'); + } + /* Positional argument 0 is invalid. */ + if (n == 0) { + errno = EINVAL; + return -1; + } + /* Positional argument N too high */ + if (n > num_args) { + errno = EINVAL; + return -1; + } + value = args[n - 1]; + cp++; /* $ */ + } + } + + /* Read the supported flags. */ + for (; ; cp++) { + if (*cp == '-') + left = 1; + /* Supported but ignored */ + else if (*cp != ' ') + break; + } + + /* Parse the width. */ + if (*cp >= '0' && *cp <= '9') { + width = 0; + for (i = 0; i < 6 && *cp >= '0' && *cp <= '9'; i++, cp++) { + width = 10 * width + (*cp - '0'); + } + } + + /* Parse the precision. 
*/ + if (*cp == '.') { + precision = 0; + for (i = 0, cp++; i < 6 && *cp >= '0' && *cp <= '9'; cp++, i++) { + precision = 10 * precision + (*cp - '0'); + } + } + + /* Read the conversion character. */ + switch (*cp++) { + case 's': + /* Non-positional argument */ + if (value == NULL) { + /* Too many arguments used */ + if (at_arg == num_args) { + errno = EINVAL; + return -1; + } + value = args[at_arg++]; + } + break; + + /* No other conversion characters are supported */ + default: + errno = EINVAL; + return -1; + } + + /* How many characters are we printing? */ + len = strlen (value); + if (precision >= 0) + len = MIN (precision, len); + + /* Do we need padding? */ + safe_padding (left ? 0 : width - len, &total, copy_fn, data); + + /* The actual data */; + copy_fn (data, value, len); + total += len; + + /* Do we need padding? */ + safe_padding (left ? width - len : 0, &total, copy_fn, data); + } + + return total; +} + +static const char ** +valist_to_args (va_list va, + int *num_args) +{ + int alo_args; + const char **args; + const char *arg; + void *mem; + + *num_args = alo_args = 0; + args = NULL; + + for (;;) { + arg = va_arg (va, const char *); + if (arg == NULL) + break; + if (*num_args == alo_args) { + alo_args += 8; + mem = realloc (args, sizeof (const char *) * alo_args); + if (!mem) { + free (args); + return NULL; + } + args = mem; + } + args[(*num_args)++] = arg; + } + + return args; +} + +struct sprintf_ctx { + char *data; + size_t length; + size_t alloc; +}; + +static void +snprintf_copy_fn (void *data, + const char *piece, + size_t length) +{ + struct sprintf_ctx *cx = data; + + /* Don't copy if too much data */ + if (cx->length > cx->alloc) + length = 0; + else if (cx->length + length > cx->alloc) + length = cx->alloc - cx->length; + + if (length > 0) + memcpy (cx->data + cx->length, piece, length); + + /* Null termination happens later */ + cx->length += length; +} + +int +safe_format_string (char *str, + size_t len, + const char *format, + ...) 
+{ + struct sprintf_ctx cx; + int num_args; + va_list va; + const char **args; + int error = 0; + int ret; + + cx.data = str; + cx.length = 0; + cx.alloc = len; + + va_start (va, format); + args = valist_to_args (va, &num_args); + va_end (va); + + if (args == NULL) { + errno = ENOMEM; + return -1; + } + + if (len) + cx.data[0] = '\0'; + + ret = safe_format_string_cb (snprintf_copy_fn, &cx, format, args, num_args); + if (ret < 0) { + error = errno; + } else if (len > 0) { + cx.data[MIN (cx.length, len - 1)] = '\0'; + } + + free (args); + + if (error) + errno = error; + return ret; +} diff --git a/src/util/safe-format-string.h b/src/util/safe-format-string.h new file mode 100644 index 0000000..6d3ab5d --- /dev/null +++ b/src/util/safe-format-string.h 
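Review bot: valist_to_args returns NULL both when realloc fails and when the caller passed no string arguments at all, and safe_format_string maps every NULL to `ENOMEM`, so a format with no conversions followed only by the terminating NULL vararg fails instead of being copied. Allocating the first chunk before the loop makes a NULL return mean allocation failure only, while the growth code inside the loop stays as it is. Both functions are complete within this hunk.

```c
static const char **
valist_to_args (va_list va,
                int *num_args)
{
	/* ... unchanged: declarations ... */

	/* Allocate up front so that a NULL return always means out of memory,
	 * even when the caller passed no string arguments. */
	*num_args = 0;
	alo_args = 8;
	args = malloc (sizeof (const char *) * alo_args);
	if (args == NULL)
		return NULL;

	/* ... unchanged: va_arg loop, growing args by 8 when full ... */
```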
@@ -0,0 +1,81 @@ +/* + * This file originated in the realmd project + * + * Copyright 2013 Red Hat Inc + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published + * by the Free Software Foundation; either version 2 of the licence or (at + * your option) any later version. + * + * See the included COPYING file for more information. + * + * Author: Stef Walter + */ + +#include "config.h" + +#ifndef __SAFE_FORMAT_STRING_H__ +#define __SAFE_FORMAT_STRING_H__ + +#include + +/* + * This is a neutered printf variant that can be used with user-provided + * format strings. + * + * Not only are the normal printf functions not safe to use on user-provided + * input (i.e.: can crash, be abused, etc.), they're also very brittle with + * regards to positional arguments: one must consume them all or printf will + * just abort(). This is because arguments of different sizes are accepted + * in the varargs. So obviously the positional code cannot know the offset + * of the relevant varargs if some are not consumed (i.e.: tagged with a + * field type). + * + * Thus the only accepted field type here is 's'. It's all we need. + * + * In general new code should use a better syntax than printf format strings + * for configuration options. This code is here to facilitate robust processing + * of the full_name_format syntax we already have, which has been documented as + * "printf(3) compatible". + * + * Features: + * - Only string 's' fields are supported + * - All the varargs should be strings, followed by a NULL argument + * - Both positional '%1$s' and non-positional '%s' are supported + * - Field widths '%8s' work as expected + * - Precision '%.8s' works, but precision cannot be read from a field + * - Left alignment flag is supported '%-8s'. + * - The space flag '% 8s' has no effect (it's the default for string fields). 
+ * - No more than six digits are supported for widths, precisions, etc. + * - Percent signs are to be escaped as usual '%%' + * + * Use of other flags or field types will cause the relevant printf call to + * return -1. Using too many arguments or incorrect positional arguments + * will also cause the call to fail. + * + * Functions return -1 on failure and set errno. Otherwise they return + * the full length of the string that would be formatted, with the same + * semantics as snprintf(). + */ + +#ifndef GNUC_NULL_TERMINATED +#if __GNUC__ >= 4 +#define GNUC_NULL_TERMINATED __attribute__((__sentinel__)) +#else +#define GNUC_NULL_TERMINATED +#endif +#endif + +int safe_format_string (char *str, + size_t len, + const char *format, + ...) GNUC_NULL_TERMINATED; + +int safe_format_string_cb (void (* callback) (void *data, const char *piece, size_t len), + void *data, + const char *format, + const char * const args[], + int num_args); + +#endif /* __SAFE_FORMAT_STRING_H__ */ diff --git a/src/util/selinux.c b/src/util/selinux.c new file mode 100644 index 0000000..5e9c458 --- /dev/null +++ b/src/util/selinux.c 
@@ -0,0 +1,83 @@ +/* + SSSD + + selinux.c + + Copyright (C) Jakub Hrozek 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#ifdef HAVE_SELINUX +#include +#endif + +#include "tools/tools_util.h" + +#ifdef HAVE_SELINUX +/* + * selinux_file_context - Set the security context before any file or + * directory creation. + * + * selinux_file_context () should be called before any creation of file, + * symlink, directory, ... + * + * Callers may have to Reset SELinux to create files with default + * contexts: + * reset_selinux_file_context(); + */ +int selinux_file_context(const char *dst_name) +{ + security_context_t scontext = NULL; + + if (is_selinux_enabled() == 1) { + /* Get the default security context for this file */ + if (matchpathcon(dst_name, 0, &scontext) < 0) { + if (security_getenforce () != 0) { + return 1; + } + } + /* Set the security context for the next created file */ + if (setfscreatecon(scontext) < 0) { + if (security_getenforce() != 0) { + return 1; + } + } + freecon(scontext); + } + + return 0; +} + +int reset_selinux_file_context(void) +{ + setfscreatecon(NULL); + return EOK; +} + +#else /* HAVE_SELINUX */ +int selinux_file_context(const char *dst_name) +{ + return EOK; +} + +int reset_selinux_file_context(void) +{ + return EOK; +} +#endif /* HAVE_SELINUX */ diff --git a/src/util/server.c b/src/util/server.c new file mode 100644 index 0000000..f34bf49 
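Review bot: In `selinux_file_context()` the `return 1` taken when `setfscreatecon(scontext)` fails in enforcing mode skips `freecon(scontext)`, so the context string obtained from `matchpathcon()` leaks on that path; release it first, e.g. `freecon(scontext); return 1;`. `reset_selinux_file_context()` also discards the result of `setfscreatecon(NULL)` and always returns `EOK`, so a failed reset would leave the previous creation context in force for files created afterwards without the caller knowing. Reporting the failure (`if (setfscreatecon(NULL) < 0) return 1;`) lets callers react. The SELinux variant also returns a bare `1` on error while the stubs return `EOK`, which is worth unifying.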
--- /dev/null +++ b/src/util/server.c 
@@ -0,0 +1,730 @@ +/* + SSSD + + Servers setup routines + + Copyright (C) Andrew Tridgell 1992-2005 + Copyright (C) Martin Pool 2002 + Copyright (C) Jelmer Vernooij 2002 + Copyright (C) James J Myers 2003 + Copyright (C) Simo Sorce 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include +#include +#include "util/util.h" +#include "confdb/confdb.h" +#include "monitor/monitor_interfaces.h" + +#ifdef HAVE_PRCTL +#include +#endif + +/******************************************************************* + Close the low 3 FDs and open dev/null in their place. +********************************************************************/ +static void close_low_fds(void) +{ +#ifndef VALGRIND + int fd; + int i; + + close(0); + close(1); + close(2); + + /* try and use up these file descriptors, so silly + library routines writing to stdout etc. won't cause havoc */ + for (i = 0; i < 3; i++) { + fd = open("/dev/null", O_RDWR, 0); + if (fd < 0) + fd = open("/dev/null", O_WRONLY, 0); + if (fd < 0) { + DEBUG(SSSDBG_FATAL_FAILURE, "Can't open /dev/null\n"); + return; + } + if (fd != i) { + DEBUG(SSSDBG_FATAL_FAILURE, "Didn't get file descriptor %d\n",i); + return; + } + } +#endif +} + +static void daemon_parent_sigterm(int sig) +{ + _exit(0); +} + +/** + Become a daemon, discarding the controlling terminal. 
+**/ + +void become_daemon(bool Fork) +{ + pid_t pid, cpid; + int status; + int ret, error; + + if (Fork) { + pid = fork(); + if (pid != 0) { + /* Terminate parent process on demand so we can hold systemd + * or initd from starting next service until SSSD is initialized. + * We use signals directly here because we don't have a tevent + * context yet. */ + CatchSignal(SIGTERM, daemon_parent_sigterm); + + /* or exit when sssd monitor is terminated */ + do { + errno = 0; + cpid = waitpid(pid, &status, 0); + if (cpid == 1) { + /* An error occurred while waiting */ + error = errno; + if (error != EINTR) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Error [%d][%s] while waiting for child\n", + error, strerror(error)); + /* Forcibly kill this child */ + kill(pid, SIGKILL); + ret = 1; + } + } + + error = 0; + /* return error if we didn't exited normally */ + ret = 1; + + if (WIFEXITED(status)) { + /* but return our exit code otherwise */ + ret = WEXITSTATUS(status); + } + } while (error == EINTR); + + _exit(ret); + } + } + + /* detach from the terminal */ + setsid(); + + /* chdir to / to be sure we're not on a remote filesystem */ + errno = 0; + if(chdir("/") == -1) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, "Cannot change directory (%d [%s])\n", + ret, strerror(ret)); + return; + } + + /* Close FDs 0,1,2. 
Needed if started by rsh */ + close_low_fds(); +} + +int pidfile(const char *path, const char *name) +{ + char pid_str[32]; + pid_t pid; + char *file; + int fd; + int ret, err; + ssize_t len; + size_t size; + ssize_t written; + ssize_t pidlen = sizeof(pid_str) - 1; + + file = talloc_asprintf(NULL, "%s/%s.pid", path, name); + if (!file) { + return ENOMEM; + } + + fd = open(file, O_RDONLY, 0644); + err = errno; + if (fd != -1) { + errno = 0; + len = sss_atomic_read_s(fd, pid_str, pidlen); + ret = errno; + if (len == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "read failed [%d][%s].\n", ret, strerror(ret)); + close(fd); + talloc_free(file); + return EINVAL; + } + + /* Ensure NULL-termination */ + pid_str[len] = '\0'; + + /* let's check the pid */ + pid = (pid_t)atoi(pid_str); + if (pid != 0) { + errno = 0; + ret = kill(pid, 0); + /* succeeded in signaling the process -> another sssd process */ + if (ret == 0) { + close(fd); + talloc_free(file); + return EEXIST; + } + if (ret != 0 && errno != ESRCH) { + err = errno; + close(fd); + talloc_free(file); + return err; + } + } + + /* nothing in the file or no process */ + close(fd); + ret = unlink(file); + /* non-fatal failure */ + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed to remove file: %s - %d [%s]!\n", + file, ret, sss_strerror(ret)); + } + } else { + if (err != ENOENT) { + talloc_free(file); + return err; + } + } + + fd = open(file, O_CREAT | O_WRONLY | O_EXCL, 0644); + err = errno; + if (fd == -1) { + talloc_free(file); + return err; + } + talloc_free(file); + + memset(pid_str, 0, sizeof(pid_str)); + snprintf(pid_str, sizeof(pid_str) -1, "%u\n", (unsigned int) getpid()); + size = strlen(pid_str); + + errno = 0; + written = sss_atomic_write_s(fd, pid_str, size); + if (written == -1) { + err = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "write failed [%d][%s]\n", err, strerror(err)); + close(fd); + return err; + } + + if (written != size) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Wrote %zd bytes expected 
%zu\n", written, size); + close(fd); + return EIO; + } + + close(fd); + + return 0; +} + +void orderly_shutdown(int status) +{ +#if HAVE_GETPGRP + static int sent_sigterm; + int debug; + + if (sent_sigterm == 0 && getpgrp() == getpid()) { + debug = is_socket_activated() ? SSSDBG_TRACE_INTERNAL + : SSSDBG_FATAL_FAILURE; + DEBUG(debug, "SIGTERM: killing children\n"); + sent_sigterm = 1; + kill(-getpgrp(), SIGTERM); + } +#endif + if (status == 0) sss_log(SSS_LOG_INFO, "Shutting down"); + exit(status); +} + +static void default_quit(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + orderly_shutdown(0); +} + +#ifndef HAVE_PRCTL +static void sig_segv_abrt(int sig) +{ + DEBUG(SSSDBG_FATAL_FAILURE, + "Received signal %s, shutting down\n", strsignal(sig)); + orderly_shutdown(1); +} +#endif /* HAVE_PRCTL */ + +/* + setup signal masks +*/ +static void setup_signals(void) +{ + /* we are never interested in SIGPIPE */ + BlockSignals(true, SIGPIPE); + +#if defined(SIGFPE) + /* we are never interested in SIGFPE */ + BlockSignals(true, SIGFPE); +#endif + + /* We are no longer interested in USR1 */ + BlockSignals(true, SIGUSR1); + + /* We are no longer interested in SIGINT except for monitor */ + BlockSignals(true, SIGINT); + +#if defined(SIGUSR2) + /* We are no longer interested in USR2 */ + BlockSignals(true, SIGUSR2); +#endif + + /* POSIX demands that signals are inherited. If the invoking process has + * these signals masked, we will have problems, as we won't receive them. 
*/ + BlockSignals(false, SIGHUP); + BlockSignals(false, SIGTERM); + +#ifndef HAVE_PRCTL + /* If prctl is not defined on the system, try to handle + * some common termination signals gracefully */ + CatchSignal(SIGSEGV, sig_segv_abrt); + CatchSignal(SIGABRT, sig_segv_abrt); +#endif + +} + +/* + handle io on stdin +*/ +static void server_stdin_handler(struct tevent_context *event_ctx, + struct tevent_fd *fde, + uint16_t flags, void *private) +{ + const char *binary_name = (const char *)private; + uint8_t c; + + errno = 0; + if (sss_atomic_read_s(0, &c, 1) == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "%s: EOF on stdin - terminating\n", + binary_name); +#if HAVE_GETPGRP + if (getpgrp() == getpid()) { + kill(-getpgrp(), SIGTERM); + } +#endif + exit(0); + } +} + +/* + main server helpers. +*/ + +int die_if_parent_died(void) +{ +#ifdef HAVE_PRCTL + int ret; + + errno = 0; + ret = prctl(PR_SET_PDEATHSIG, SIGTERM, 0, 0, 0); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, "prctl failed [%d]: %s\n", + ret, strerror(ret)); + return ret; + } +#endif + return EOK; +} + +struct logrotate_ctx { + struct confdb_ctx *confdb; + const char *confdb_path; +}; + +static void te_server_hup(struct tevent_context *ev, + struct tevent_signal *se, + int signum, + int count, + void *siginfo, + void *private_data) +{ + errno_t ret; + struct logrotate_ctx *lctx = + talloc_get_type(private_data, struct logrotate_ctx); + + DEBUG(SSSDBG_CRIT_FAILURE, "Received SIGHUP. Rotating logfiles.\n"); + + ret = server_common_rotate_logs(lctx->confdb, lctx->confdb_path); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Could not reopen log file [%s]\n", + strerror(ret)); + } +} + +errno_t server_common_rotate_logs(struct confdb_ctx *confdb, + const char *conf_path) +{ + errno_t ret; + int old_debug_level = debug_level; + + ret = rotate_debug_files(); + if (ret) { + sss_log(SSS_LOG_ALERT, "Could not rotate debug files! 
[%d][%s]\n", + ret, strerror(ret)); + return ret; + } + + /* Get new debug level from the confdb */ + ret = confdb_get_int(confdb, conf_path, + CONFDB_SERVICE_DEBUG_LEVEL, + old_debug_level, + &debug_level); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + /* Try to proceed with the old value */ + debug_level = old_debug_level; + } + + if (debug_level != old_debug_level) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Debug level changed to %#.4x\n", debug_level); + debug_level = debug_convert_old_level(debug_level); + } + + return EOK; +} + +static const char *get_db_path(void) +{ +#ifdef UNIT_TESTING +#ifdef TEST_DB_PATH + return TEST_DB_PATH; +#else + #error "TEST_DB_PATH must be defined when unit testing server.c!" +#endif /* TEST_DB_PATH */ +#else + return DB_PATH; +#endif /* UNIT_TESTING */ +} + +static const char *get_pid_path(void) +{ +#ifdef UNIT_TESTING +#ifdef TEST_PID_PATH + return TEST_PID_PATH; +#else + #error "TEST_PID_PATH must be defined when unit testing server.c!" +#endif /* TEST_PID_PATH */ +#else + return PID_PATH; +#endif +} + +int server_setup(const char *name, int flags, + uid_t uid, gid_t gid, + const char *conf_entry, + struct main_context **main_ctx) +{ + struct tevent_context *event_ctx; + struct main_context *ctx; + uint16_t stdin_event_flags; + char *conf_db; + int ret = EOK; + bool dt; + bool dl = false; + bool dm; + struct tevent_signal *tes; + struct logrotate_ctx *lctx; + char *locale; + int watchdog_interval; + pid_t my_pid; + + my_pid = getpid(); + ret = setpgid(my_pid, my_pid); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_MINOR_FAILURE, + "Failed setting process group: %s[%d]. 
" + "We might leak processes in case of failure\n", + sss_strerror(ret), ret); + } + + if (!is_socket_activated()) { + ret = chown_debug_file(NULL, uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "Cannot chown the debug files, debugging might not work!\n"); + } + + ret = become_user(uid, gid); + if (ret != EOK) { + DEBUG(SSSDBG_FUNC_DATA, + "Cannot become user [%"SPRIuid"][%"SPRIgid"].\n", uid, gid); + return ret; + } + } + + debug_prg_name = strdup(name); + if (!debug_prg_name) { + return ENOMEM; + } + + setenv("_SSS_LOOPS", "NO", 0); + + /* To make sure the domain cannot be set from the environment, unset the + * variable explicitly when setting up any server. Backends later set the + * value after reading domain from the configuration */ + ret = unsetenv(SSS_DOM_ENV); + if (ret != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "Unsetting "SSS_DOM_ENV" failed, journald " + "logging might not work as expected\n"); + } + + setup_signals(); + + /* we want default permissions on created files to be very strict */ + umask(SSS_DFL_UMASK); + + if (flags & FLAGS_DAEMON) { + DEBUG(SSSDBG_IMPORTANT_INFO, "Becoming a daemon.\n"); + become_daemon(true); + } + + if (flags & FLAGS_PID_FILE) { + ret = pidfile(get_pid_path(), name); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error creating pidfile: %s/%s.pid! " + "(%d [%s])\n", get_pid_path(), name, ret, strerror(ret)); + return ret; + } + } + + /* Set up locale */ + locale = setlocale(LC_ALL, ""); + if (locale == NULL) { + /* Just print debug message and continue */ + DEBUG(SSSDBG_TRACE_FUNC, "Unable to set locale\n"); + } + + bindtextdomain(PACKAGE, LOCALEDIR); + textdomain(PACKAGE); + + /* the event context is the top level structure. 
+ * Everything else should hang off that */ + event_ctx = tevent_context_init(talloc_autofree_context()); + if (event_ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, + "The event context initialization failed\n"); + return 1; + } + + /* Set up an event handler for a SIGINT */ + tes = tevent_add_signal(event_ctx, event_ctx, SIGINT, 0, + default_quit, NULL); + if (tes == NULL) { + return EIO; + } + + /* Set up an event handler for a SIGTERM */ + tes = tevent_add_signal(event_ctx, event_ctx, SIGTERM, 0, + default_quit, NULL); + if (tes == NULL) { + return EIO; + } + + ctx = talloc(event_ctx, struct main_context); + if (ctx == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory, aborting!\n"); + return ENOMEM; + } + + ctx->parent_pid = getppid(); + ctx->event_ctx = event_ctx; + + conf_db = talloc_asprintf(ctx, "%s/%s", + get_db_path(), CONFDB_FILE); + if (conf_db == NULL) { + DEBUG(SSSDBG_FATAL_FAILURE, "Out of memory, aborting!\n"); + return ENOMEM; + } + + ret = confdb_init(ctx, &ctx->confdb_ctx, conf_db); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "The confdb initialization failed\n"); + return ret; + } + + if (debug_level == SSSDBG_UNRESOLVED) { + /* set debug level if any in conf_entry */ + ret = confdb_get_int(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_LEVEL, + SSSDBG_UNRESOLVED, + &debug_level); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) " + "[%s]\n", ret, strerror(ret)); + return ret; + } + + if (debug_level == SSSDBG_UNRESOLVED) { + /* Check for the `debug` alias */ + ret = confdb_get_int(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_LEVEL_ALIAS, + SSSDBG_DEFAULT, + &debug_level); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) " + "[%s]\n", ret, strerror(ret)); + return ret; + } + } + + debug_level = debug_convert_old_level(debug_level); + } + + /* same for debug timestamps */ + if (debug_timestamps == SSSDBG_TIMESTAMP_UNRESOLVED) { + ret = 
confdb_get_bool(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_TIMESTAMPS, + SSSDBG_TIMESTAMP_DEFAULT, + &dt); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) " + "[%s]\n", ret, strerror(ret)); + return ret; + } + if (dt) debug_timestamps = 1; + else debug_timestamps = 0; + } + + /* same for debug microseconds */ + if (debug_microseconds == SSSDBG_MICROSECONDS_UNRESOLVED) { + ret = confdb_get_bool(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_MICROSECONDS, + SSSDBG_MICROSECONDS_DEFAULT, + &dm); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) " + "[%s]\n", ret, strerror(ret)); + return ret; + } + if (dm) debug_microseconds = 1; + else debug_microseconds = 0; + } + + /* same for debug to file */ + ret = confdb_get_bool(ctx->confdb_ctx, conf_entry, + CONFDB_SERVICE_DEBUG_TO_FILES, + false, &dl); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + return ret; + } + if (dl) { + debug_to_file = 1; + sss_set_logger(sss_logger_str[FILES_LOGGER]); + } + + /* before opening the log file set up log rotation */ + lctx = talloc_zero(ctx, struct logrotate_ctx); + if (!lctx) return ENOMEM; + + lctx->confdb = ctx->confdb_ctx; + lctx->confdb_path = conf_entry; + + tes = tevent_add_signal(ctx->event_ctx, ctx, SIGHUP, 0, + te_server_hup, lctx); + if (tes == NULL) { + return EIO; + } + + /* open log file if told so */ + if (sss_logger == FILES_LOGGER) { + ret = open_debug_file(); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error setting up logging (%d) " + "[%s]\n", ret, strerror(ret)); + return ret; + } + } + + /* Setup the internal watchdog */ + ret = confdb_get_int(ctx->confdb_ctx, conf_entry, + CONFDB_DOMAIN_TIMEOUT, + 0, &watchdog_interval); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Error reading from confdb (%d) [%s]\n", + ret, strerror(ret)); + return ret; + } + + if ((flags & FLAGS_NO_WATCHDOG) == 0) { + ret = 
setup_watchdog(ctx->event_ctx, watchdog_interval); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Watchdog setup failed.\n"); + return ret; + } + } + + sss_log(SSS_LOG_INFO, "Starting up"); + + DEBUG(SSSDBG_TRACE_FUNC, "CONFDB: %s\n", conf_db); + + if (flags & FLAGS_INTERACTIVE) { + /* terminate when stdin goes away */ + stdin_event_flags = TEVENT_FD_READ; + } else { + /* stay alive forever */ + stdin_event_flags = 0; + } + + /* catch EOF on stdin */ +#ifdef SIGTTIN + signal(SIGTTIN, SIG_IGN); +#endif + tevent_add_fd(event_ctx, event_ctx, STDIN_FILENO, stdin_event_flags, + server_stdin_handler, discard_const(name)); + + *main_ctx = ctx; + return EOK; +} + +void server_loop(struct main_context *main_ctx) +{ + /* wait for events - this is where the server sits for most of its + life */ + tevent_loop_wait(main_ctx->event_ctx); + + /* as everything hangs off this event context, freeing it + should initiate a clean shutdown of all services */ + talloc_free(main_ctx->event_ctx); +} diff --git a/src/util/session_recording.c b/src/util/session_recording.c new file mode 100644 index 0000000..fa480c4 --- /dev/null +++ b/src/util/session_recording.c 
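Review bot: In `become_daemon()` the parent tests `cpid == 1` after `waitpid()`, but failure is reported as `-1`, so the error branch is effectively dead; the test should read `if (cpid == -1) {`. The unconditional `error = 0;` right after that block also means `while (error == EINTR)` never repeats, and `WIFEXITED(status)` can read `status` uninitialised when `waitpid()` failed or was interrupted. A failed `fork()` (`pid == -1`) enters the same parent branch and calls `waitpid(-1, ...)`, so it should be handled before the `if (pid != 0)` test. Per the comment in that branch the parent is held so the init system waits for SSSD to initialise, so its exit code may not reflect the child's real status.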
@@ -0,0 +1,113 @@ +/* + SSSD + + Session recording utilities + + Authors: + Nikolai Kondrashov + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/session_recording.h" +#include "util/debug.h" +#include +#include +#include +#include +#include + +errno_t session_recording_conf_load(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + struct session_recording_conf *pconf) +{ + int ret; + char *str; + struct stat s; + + if (cdb == NULL || pconf == NULL) { + ret = EINVAL; + goto done; + } + + /* Read session_recording/scope option */ + ret = confdb_get_string(cdb, mem_ctx, CONFDB_SESSION_RECORDING_CONF_ENTRY, + CONFDB_SESSION_RECORDING_SCOPE, "none", &str); + if (ret != EOK) goto done; + if (strcasecmp(str, "none") == 0) { + pconf->scope = SESSION_RECORDING_SCOPE_NONE; + } else if (strcasecmp(str, "some") == 0) { + pconf->scope = SESSION_RECORDING_SCOPE_SOME; + } else if (strcasecmp(str, "all") == 0) { + pconf->scope = SESSION_RECORDING_SCOPE_ALL; + } else { + DEBUG(SSSDBG_OP_FAILURE, + "Unknown value for session recording scope: %s\n", + str); + ret = EINVAL; + goto done; + } + + /* If session recording is enabled at all */ + if (pconf->scope != SESSION_RECORDING_SCOPE_NONE) { + /* Check that the shell exists and is executable */ + ret = stat(SESSION_RECORDING_SHELL, &s); + if (ret != 0) { + switch (errno) { + case ENOENT: + DEBUG(SSSDBG_OP_FAILURE, + "Session recording shell 
\"%s\" not found\n", + SESSION_RECORDING_SHELL); + ret = EINVAL; + goto done; + case EOK: + if ((s.st_mode & 0111) != 0111) { + DEBUG(SSSDBG_OP_FAILURE, + "Session recording shell \"%s\" is not executable\n", + SESSION_RECORDING_SHELL); + ret = EINVAL; + goto done; + } + break; + default: + DEBUG(SSSDBG_OP_FAILURE, + "Failed checking for session recording shell " + "\"%s\": %s\n", + SESSION_RECORDING_SHELL, strerror(errno)); + ret = EINVAL; + goto done; + } + } + } + + /* Read session_recording/users option */ + ret = confdb_get_string_as_list(cdb, mem_ctx, + CONFDB_SESSION_RECORDING_CONF_ENTRY, + CONFDB_SESSION_RECORDING_USERS, + &pconf->users); + if (ret != EOK && ret != ENOENT) goto done; + + /* Read session_recording/groups option */ + ret = confdb_get_string_as_list(cdb, mem_ctx, + CONFDB_SESSION_RECORDING_CONF_ENTRY, + CONFDB_SESSION_RECORDING_GROUPS, + &pconf->groups); + if (ret != EOK && ret != ENOENT) goto done; + + ret = EOK; +done: + return ret; +} diff --git a/src/util/session_recording.h b/src/util/session_recording.h new file mode 100644 index 0000000..69fb1a8 --- /dev/null +++ b/src/util/session_recording.h 
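Review bot: The executable-bit check on `SESSION_RECORDING_SHELL` in `session_recording_conf_load()` is unreachable: it sits under `case EOK:` inside `if (ret != 0) { switch (errno) ...`, so it is only considered after `stat()` has failed, and on success nothing inspects `s.st_mode`. A scope of `some` or `all` is therefore accepted even when the shell exists but is not executable. Move the mode test to the success path, e.g. `} else if ((s.st_mode & 0111) != 0111) {`, followed by the existing DEBUG message and `ret = EINVAL; goto done;`. The `!= 0111` comparison requires the execute bit for owner, group and other at once; if "executable by anyone" was intended it would be `== 0`, which is worth confirming.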
@@ -0,0 +1,76 @@ +/* + SSSD + + Session recording utilities + + Authors: + Nikolai Kondrashov + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SESSION_RECORDING_H__ +#define __SESSION_RECORDING_H__ + +#include "confdb/confdb.h" +#include "util/util_errors.h" + +/** Scope of users/groups whose session should be recorded */ +enum session_recording_scope { + SESSION_RECORDING_SCOPE_NONE, /**< None, no users/groups */ + SESSION_RECORDING_SCOPE_SOME, /**< Some users/groups specified elsewhere */ + SESSION_RECORDING_SCOPE_ALL /**< All users/groups */ +}; + +/** Session recording configuration (from "session_recording" section) */ +struct session_recording_conf { + /** + * Session recording scope: + * whether to record nobody, everyone, or some users/groups + */ + enum session_recording_scope scope; + /** + * NULL-terminated list of users whose session should be recorded. + * Can be NULL, meaning empty list. Only applicable if scope is "some". + */ + char **users; + /** + * NULL-terminated list of groups, members of which should have their + * sessions recorded. Can be NULL, meaning empty list. Only applicable if + * scope is "some" + */ + char **groups; +}; + +/** + * Load session recording configuration from configuration database. + * + * @param mem_ctx Memory context to allocate data with. + * @param cdb The configuration database connection object to retrieve + * data from. 
+ * @param pconf Location for the loaded session recording configuration. + * + * @return Status code: + * ENOMEM - memory allocation failed, + * EINVAL - configuration was invalid, + * EIO - an I/O error occurred while communicating with the ConfDB. + */ +extern errno_t session_recording_conf_load( + TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + struct session_recording_conf *pconf); + +#endif /* __SESSION_RECORDING_H__ */ diff --git a/src/util/signal.c b/src/util/signal.c new file mode 100644 index 0000000..93fd340 --- /dev/null +++ b/src/util/signal.c 
@@ -0,0 +1,89 @@ +/* + Unix SMB/CIFS implementation. + signal handling functions + + Copyright (C) Andrew Tridgell 1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include +#include +#include + +/** + * @file + * @brief Signal handling + */ + +/** + Block sigs. +**/ + +void BlockSignals(bool block, int signum) +{ +#ifdef HAVE_SIGPROCMASK + sigset_t set; + sigemptyset(&set); + sigaddset(&set,signum); + sigprocmask(block?SIG_BLOCK:SIG_UNBLOCK,&set,NULL); +#elif defined(HAVE_SIGBLOCK) + if (block) { + sigblock(sigmask(signum)); + } else { + sigsetmask(siggetmask() & ~sigmask(signum)); + } +#else + /* yikes! This platform can't block signals? */ + static int done; + if (!done) { + DEBUG(SSSDBG_FATAL_FAILURE,"WARNING: No signal blocking available\n"); + done=1; + } +#endif +} + +/** + Catch a signal. This should implement the following semantics: + + 1) The handler remains installed after being called. + 2) The signal should be blocked during handler execution. +**/ + +void (*CatchSignal(int signum,void (*handler)(int )))(int) +{ +#ifdef HAVE_SIGACTION + struct sigaction act; + struct sigaction oldact; + + ZERO_STRUCT(act); + + act.sa_handler = handler; +#ifdef SA_RESTART + /* + * We *want* SIGALRM to interrupt a system call. 
+ */ + if(signum != SIGALRM) + act.sa_flags = SA_RESTART; +#endif + sigemptyset(&act.sa_mask); + sigaddset(&act.sa_mask,signum); + sigaction(signum,&act,&oldact); + return oldact.sa_handler; +#else /* !HAVE_SIGACTION */ + /* FIXME: need to handle sigvec and systems with broken signal() */ + return signal(signum, handler); +#endif +} diff --git a/src/util/sss_cli_cmd.c b/src/util/sss_cli_cmd.c new file mode 100644 index 0000000..820ac6d --- /dev/null +++ b/src/util/sss_cli_cmd.c 
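Review bot: `CatchSignal()` ignores the result of `sigaction()` and then returns `oldact.sa_handler`, which is uninitialised if the call failed (for example for an invalid `signum`); check the call and return `SIG_ERR` on failure, e.g. `if (sigaction(signum, &act, &oldact) != 0) return SIG_ERR;`. `BlockSignals()` likewise drops the return values of `sigaddset()` and `sigprocmask()`, so a signal the daemon believes is blocked or unblocked may not be. As that function returns `void`, logging the failure through `DEBUG` would be the least invasive way to make it visible.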
@@ -0,0 +1,238 @@ +/* + SSSD - cmd2str util + + Copyright (C) Petr Cech 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "sss_client/sss_cli.h" +#include "util/sss_cli_cmd.h" +#include "util/util.h" + +const char *sss_cmd2str(enum sss_cli_command cmd) +{ + switch (cmd) { + /* null */ + case SSS_CLI_NULL: + return "SSS_CLI_NULL"; + + /* version */ + case SSS_GET_VERSION: + return "SSS_GET_VERSION"; + + /* passwd */ + case SSS_NSS_GETPWNAM: + return "SSS_NSS_GETPWNAM"; + case SSS_NSS_GETPWUID: + return "SSS_NSS_GETPWUID"; + case SSS_NSS_SETPWENT: + return "SSS_NSS_SETPWENT"; + case SSS_NSS_GETPWENT: + return "SSS_NSS_GETPWENT"; + case SSS_NSS_ENDPWENT: + return "SSS_NSS_ENDPWENT"; + + /* group */ + case SSS_NSS_GETGRNAM: + return "SSS_NSS_GETGRNAM"; + case SSS_NSS_GETGRGID: + return "SSS_NSS_GETGRGID"; + case SSS_NSS_SETGRENT: + return "SSS_NSS_SETGRENT"; + case SSS_NSS_GETGRENT: + return "SSS_NSS_GETGRENT"; + case SSS_NSS_ENDGRENT: + return "SSS_NSS_ENDGRENT"; + case SSS_NSS_INITGR: + return "SSS_NSS_INITGR"; + +#if 0 + /* aliases */ + case SSS_NSS_GETALIASBYNAME: + return "SSS_NSS_GETALIASBYNAME"; + case SSS_NSS_GETALIASBYPORT: + return "SSS_NSS_GETALIASBYPORT"; + case SSS_NSS_SETALIASENT: + return "SSS_NSS_SETALIASENT"; + case SSS_NSS_GETALIASENT: + return "SSS_NSS_GETALIASENT"; + case SSS_NSS_ENDALIASENT: + return "SSS_NSS_ENDALIASENT"; + + /* ethers */ + case SSS_NSS_GETHOSTTON: + return 
"SSS_NSS_GETHOSTTON"; + case SSS_NSS_GETNTOHOST: + return "SSS_NSS_GETNTOHOST"; + case SSS_NSS_SETETHERENT: + return "SSS_NSS_SETETHERENT"; + case SSS_NSS_GETETHERENT: + return "SSS_NSS_GETETHERENT"; + case SSS_NSS_ENDETHERENT: + return "SSS_NSS_ENDETHERENT"; + + /* hosts */ + case SSS_NSS_GETHOSTBYNAME: + return "SSS_NSS_GETHOSTBYNAME"; + case SSS_NSS_GETHOSTBYNAME2: + return "SSS_NSS_GETHOSTBYNAME2"; + case SSS_NSS_GETHOSTBYADDR: + return "SSS_NSS_GETHOSTBYADDR"; + case SSS_NSS_SETHOSTENT: + return "SSS_NSS_SETHOSTENT"; + case SSS_NSS_GETHOSTENT: + return "SSS_NSS_GETHOSTENT"; + case SSS_NSS_ENDHOSTENT: + return "SSS_NSS_ENDHOSTENT"; +#endif + + /* netgroup */ + case SSS_NSS_SETNETGRENT: + return "SSS_NSS_SETNETGRENT"; + case SSS_NSS_GETNETGRENT: + return "SSS_NSS_GETNETGRENT"; + case SSS_NSS_ENDNETGRENT: + return "SSS_NSS_ENDNETGRENT"; + /* SSS_NSS_INNETGR: + return "SSS_NSS_INNETGR"; + break; */ + +#if 0 + /* networks */ + case SSS_NSS_GETNETBYNAME: + return "SSS_NSS_GETNETBYNAME"; + case SSS_NSS_GETNETBYADDR: + return "SSS_NSS_GETNETBYADDR"; + case SSS_NSS_SETNETENT: + return "SSS_NSS_SETNETENT"; + case SSS_NSS_GETNETENT: + return "SSS_NSS_GETNETENT"; + case SSS_NSS_ENDNETENT: + return "SSS_NSS_ENDNETENT"; + + /* protocols */ + case SSS_NSS_GETPROTOBYNAME: + return "SSS_NSS_GETPROTOBYNAME"; + case SSS_NSS_GETPROTOBYNUM: + return "SSS_NSS_GETPROTOBYNUM"; + case SSS_NSS_SETPROTOENT: + return "SSS_NSS_SETPROTOENT"; + case SSS_NSS_GETPROTOENT: + return "SSS_NSS_GETPROTOENT"; + case SSS_NSS_ENDPROTOENT: + return "SSS_NSS_ENDPROTOENT"; + + /* rpc */ + case SSS_NSS_GETRPCBYNAME: + return "SSS_NSS_GETRPCBYNAME"; + case SSS_NSS_GETRPCBYNUM: + return "SSS_NSS_GETRPCBYNUM"; + case SSS_NSS_SETRPCENT: + return "SSS_NSS_SETRPCENT"; + case SSS_NSS_GETRPCENT: + return "SSS_NSS_GETRPCENT"; + case SSS_NSS_ENDRPCENT: + return "SSS_NSS_ENDRPCENT"; +#endif + + /* services */ + case SSS_NSS_GETSERVBYNAME: + return "SSS_NSS_GETSERVBYNAME"; + case SSS_NSS_GETSERVBYPORT: + return 
"SSS_NSS_GETSERVBYPORT"; + case SSS_NSS_SETSERVENT: + return "SSS_NSS_SETSERVENT"; + case SSS_NSS_GETSERVENT: + return "SSS_NSS_GETSERVENT"; + case SSS_NSS_ENDSERVENT: + return "SSS_NSS_ENDSERVENT"; + +#if 0 + /* shadow */ + case SSS_NSS_GETSPNAM: + return "SSS_NSS_GETSPNAM"; + case SSS_NSS_GETSPUID: + return "SSS_NSS_GETSPUID"; + case SSS_NSS_SETSPENT: + return "SSS_NSS_SETSPENT"; + case SSS_NSS_GETSPENT: + return "SSS_NSS_GETSPENT"; + case SSS_NSS_ENDSPENT: + return "SSS_NSS_ENDSPENT"; +#endif + + /* SUDO */ + case SSS_SUDO_GET_SUDORULES: + return "SSS_SUDO_GET_SUDORULES"; + case SSS_SUDO_GET_DEFAULTS: + return "SSS_SUDO_GET_DEFAULTS"; + + /* autofs */ + case SSS_AUTOFS_SETAUTOMNTENT: + return "SSS_AUTOFS_SETAUTOMNTENT"; + case SSS_AUTOFS_GETAUTOMNTENT: + return "SSS_AUTOFS_GETAUTOMNTENT"; + case SSS_AUTOFS_GETAUTOMNTBYNAME: + return "SSS_AUTOFS_GETAUTOMNTBYNAME"; + case SSS_AUTOFS_ENDAUTOMNTENT: + return "SSS_AUTOFS_ENDAUTOMNTENT"; + + /* SSH */ + case SSS_SSH_GET_USER_PUBKEYS: + return "SSS_SSH_GET_USER_PUBKEYS"; + case SSS_SSH_GET_HOST_PUBKEYS: + return "SSS_SSH_GET_HOST_PUBKEYS"; + + /* PAM related calls */ + case SSS_PAM_AUTHENTICATE: + return "SSS_PAM_AUTHENTICATE"; + case SSS_PAM_SETCRED: + return "SSS_PAM_SETCRED"; + case SSS_PAM_ACCT_MGMT: + return "SSS_PAM_ACCT_MGMT"; + case SSS_PAM_OPEN_SESSION: + return "SSS_PAM_OPEN_SESSION"; + case SSS_PAM_CLOSE_SESSION: + return "SSS_PAM_CLOSE_SESSION"; + case SSS_PAM_CHAUTHTOK: + return "SSS_PAM_CHAUTHTOK"; + case SSS_PAM_CHAUTHTOK_PRELIM: + return "SSS_PAM_CHAUTHTOK_PRELIM"; + case SSS_CMD_RENEW: + return "SSS_CMD_RENEW"; + case SSS_PAM_PREAUTH: + return "SSS_PAM_PREAUTH"; + + /* PAC responder calls */ + case SSS_PAC_ADD_PAC_USER: + return "SSS_PAC_ADD_PAC_USER"; + + /* ID-SID mapping calls */ + case SSS_NSS_GETSIDBYNAME: + return "SSS_NSS_GETSIDBYNAME"; + case SSS_NSS_GETSIDBYID: + return "SSS_NSS_GETSIDBYID"; + case SSS_NSS_GETNAMEBYSID: + return "SSS_NSS_GETNAMEBYSID"; + case SSS_NSS_GETIDBYSID: + return 
"SSS_NSS_GETIDBYSID"; + case SSS_NSS_GETORIGBYNAME: + return "SSS_NSS_GETORIGBYNAME"; + default: + DEBUG(SSSDBG_MINOR_FAILURE, + "Translation's string is missing for command [%#x].\n", cmd); + return "UNKNOWN COMMAND"; + } +} diff --git a/src/util/sss_cli_cmd.h b/src/util/sss_cli_cmd.h new file mode 100644 index 0000000..66ad076 --- /dev/null +++ b/src/util/sss_cli_cmd.h @@ -0,0 +1,28 @@ +/* + SSSD - cmd2str util + + Copyright (C) Petr Cech 2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSS_CLI_CMD_H__ +#define __SSS_CLI_CMD_H__ + +#include "sss_client/sss_cli.h" + +/* Translate sss_cli_command to human readable form. */ +const char *sss_cmd2str(enum sss_cli_command cmd); + +#endif /* __SSS_CLI_CMD_H__ */ diff --git a/src/util/sss_endian.h b/src/util/sss_endian.h new file mode 100644 index 0000000..834c359 --- /dev/null +++ b/src/util/sss_endian.h 
@@ -0,0 +1,57 @@
+/*
+ SSSD
+
+ Authors:
+ Lukas Slebodnik
+
+ Copyright (C) 2013 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef SSS_ENDIAN_H_
+#define SSS_ENDIAN_H_
+
+#ifdef HAVE_ENDIAN_H
+# include
+#elif defined(HAVE_SYS_ENDIAN_H)
+# include
+#endif /* !HAVE_ENDIAN_H && !HAVE_SYS_ENDIAN_H */
+
+/* Endianness-compatibility for systems running older versions of glibc */
+
+#ifndef le32toh
+#ifndef HAVE_BYTESWAP_H
+#error missing le32toh and byteswap.h
+#else /* defined HAVE_BYTESWAP_H */
+#include
+
+/* support RHEL5 lack of definitions */
+/* Copied from endian.h on glibc 2.15 */
+#ifdef __USE_BSD
+/* Conversion interfaces. */
+# if __BYTE_ORDER == __LITTLE_ENDIAN
+# define le32toh(x) (x)
+# define htole32(x) (x)
+# else
+# define le32toh(x) __bswap_32 (x)
+# define htole32(x) __bswap_32 (x)
+# endif
+#endif /* __USE_BSD */
+
+#endif /* HAVE_BYTESWAP_H */
+
+#endif /* le32toh */
+
+#endif /* SSS_ENDIAN_H_ */
diff --git a/src/util/sss_format.h b/src/util/sss_format.h
new file mode 100644
index 0000000..5cf0808
--- /dev/null
+++ b/src/util/sss_format.h
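Review bot: The fallback block defines `le32toh`/`htole32` only under `#ifdef __USE_BSD`, so a build that has `byteswap.h` but not `__USE_BSD` gets through this header with neither macro defined and fails later at the first use, far from the cause. An `#else` with `#error le32toh is not available` after the `__USE_BSD` block would stop the build here instead. The `# if __BYTE_ORDER == __LITTLE_ENDIAN` test is also true when both names are undefined (the preprocessor treats them as 0), which can happen if neither `endian.h` nor `sys/endian.h` was included and `byteswap.h` does not provide them. That would silently pick the no-swap variant on a big-endian host; a preceding `#if !defined(__BYTE_ORDER) || !defined(__LITTLE_ENDIAN)` with an `#error` would rule it out.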
@@ -0,0 +1,66 @@
+/*
+ SSSD
+
+ sss_format.h
+
+ Authors:
+ Lukas Slebodnik
+
+ Copyright (C) 2013 Red Hat
+
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+
+#ifndef __SSS_FORMAT_H__
+#define __SSS_FORMAT_H__
+
+#include
+
+/* key_serial_t is defined in keyutils.h as typedef int32_t */
+#define SPRIkey_ser PRId32
+
+/* rlim_t is defined with conditional build as unsigned type.
+ * It seems that sizeof(rlim_t) is 8. It may be platform dependent, therefore
+ * the same format will be used like with uint64_t.
+ */
+#define SPRIrlim PRIu64
+
+#if SIZEOF_ID_T == 8
+# define SPRIid PRIu64
+#elif SIZEOF_ID_T == 4
+# define SPRIid PRIu32
+#else
+# error Unexpected sizeof id_t
+#endif /* SIZEOF_ID_T */
+
+#if SIZEOF_UID_T == 8
+# define SPRIuid PRIu64
+#elif SIZEOF_UID_T == 4
+# define SPRIuid PRIu32
+#else
+# error Unexpected sizeof uid_t
+#endif /* SIZEOF_UID_T */
+
+#if SIZEOF_GID_T == 8
+# define SPRIgid PRIu64
+#elif SIZEOF_GID_T == 4
+# define SPRIgid PRIu32
+#else
+# error Unexpected sizeof gid_t
+#endif /* SIZEOF_GID_T */
+
+
+#endif /* __SSS_FORMAT_H__ */
diff --git a/src/util/sss_ini.c b/src/util/sss_ini.c
new file mode 100644
index 0000000..175a4cf
--- /dev/null
+++ b/src/util/sss_ini.c
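Review bot: `SPRIrlim` is hard-wired to `PRIu64` on the strength of the comment's "It seems that sizeof(rlim_t) is 8", while `SPRIid`, `SPRIuid` and `SPRIgid` below are selected from a configure-time size and `#error` on anything unexpected. If `rlim_t` is 4 bytes on some platform, passing it to a `PRIu64` conversion is a format/argument mismatch in a variadic call. Either choose the macro from a configure-time size check for `rlim_t` like the other three (that check is not part of this hunk), or state the calling convention on the macro itself, e.g. `/* always pass (uint64_t)value with SPRIrlim */`.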
@@ -0,0 +1,761 @@ +/* + SSSD + + sss_ini.c + + Authors: + Ondrej Kos + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "config.h" +#include "util/util.h" +#include "util/sss_ini.h" +#include "confdb/confdb_setup.h" +#include "confdb/confdb_private.h" + +#ifdef HAVE_LIBINI_CONFIG_V1 +#include "ini_configobj.h" +#else +#include "collection.h" +#include "collection_tools.h" +#endif + +#include "ini_config.h" + + +#ifdef HAVE_LIBINI_CONFIG_V1 + +struct sss_ini_initdata { + char **error_list; + struct ref_array *ra_success_list; + struct ref_array *ra_error_list; + struct ini_cfgobj *sssd_config; + struct value_obj *obj; + const struct stat *cstat; + struct ini_cfgfile *file; +}; + +#define sss_ini_get_sec_list ini_get_section_list +#define sss_ini_get_attr_list ini_get_attribute_list +#define sss_ini_get_const_string_config_value ini_get_const_string_config_value +#define sss_ini_get_config_obj ini_get_config_valueobj + +#else + +struct sss_ini_initdata { + struct collection_item *error_list; + struct collection_item *sssd_config; + struct collection_item *obj; + struct stat cstat; + int file; +}; + +#define sss_ini_get_sec_list get_section_list +#define sss_ini_get_attr_list get_attribute_list +#define sss_ini_get_const_string_config_value get_const_string_config_value +#define sss_ini_get_config_obj(secs,attrs,cfg,flag,attr) \ + 
get_config_item(secs,attrs,cfg,attr) + +#endif + + +/* Initialize data structure */ + +struct sss_ini_initdata* sss_ini_initdata_init(TALLOC_CTX *mem_ctx) +{ + return talloc_zero(mem_ctx, struct sss_ini_initdata); +} + + + +/* Close file descriptor */ + +void sss_ini_close_file(struct sss_ini_initdata *init_data) +{ + if (init_data == NULL) return; +#ifdef HAVE_LIBINI_CONFIG_V1 + if (init_data->file != NULL) { + ini_config_file_destroy(init_data->file); + init_data->file = NULL; + } +#else + if (init_data->file != -1) { + close(init_data->file); + init_data->file = -1; + } +#endif +} + + + +/* Open configuration file */ + +int sss_ini_config_file_open(struct sss_ini_initdata *init_data, + const char *config_file) +{ +#ifdef HAVE_LIBINI_CONFIG_V1 + return ini_config_file_open(config_file, + INI_META_STATS, + &init_data->file); +#else + return check_and_open_readonly(config_file, &init_data->file, 0, 0, + S_IFREG|S_IRUSR, /* f r**------ */ + S_IFMT|(ALLPERMS & ~(S_IWUSR|S_IXUSR))); +#endif +} + + + +/* Check configuration file permissions */ + +int sss_ini_config_access_check(struct sss_ini_initdata *init_data) +{ +#ifdef HAVE_LIBINI_CONFIG_V1 + return ini_config_access_check(init_data->file, + INI_ACCESS_CHECK_MODE | + INI_ACCESS_CHECK_UID | + INI_ACCESS_CHECK_GID, + 0, /* owned by root */ + 0, /* owned by root */ + S_IRUSR, /* r**------ */ + ALLPERMS & ~(S_IWUSR|S_IXUSR)); +#else + return EOK; +#endif +} + + + +/* Get cstat */ + +int sss_ini_get_stat(struct sss_ini_initdata *init_data) +{ +#ifdef HAVE_LIBINI_CONFIG_V1 + init_data->cstat = ini_config_get_stat(init_data->file); + + if (!init_data->cstat) return EIO; + + return EOK; +#else + + return fstat(init_data->file, &init_data->cstat); +#endif +} + + + +/* Get mtime */ + +int sss_ini_get_mtime(struct sss_ini_initdata *init_data, + size_t timestr_len, + char *timestr) +{ +#ifdef HAVE_LIBINI_CONFIG_V1 + return snprintf(timestr, timestr_len, "%llu", + (long long unsigned)init_data->cstat->st_mtime); +#else + 
return snprintf(timestr, timestr_len, "%llu", + (long long unsigned)init_data->cstat.st_mtime); +#endif +} + + + +/* Print ini_config errors */ + +static void sss_ini_config_print_errors(char **error_list) +{ +#ifdef HAVE_LIBINI_CONFIG_V1 + unsigned count = 0; + + if (!error_list) { + return; + } + + while (error_list[count]) { + DEBUG(SSSDBG_FATAL_FAILURE, "%s\n", error_list[count]); + count++; + } +#endif + + return; +} + + + +/* Load configuration */ + +int sss_ini_get_config(struct sss_ini_initdata *init_data, + const char *config_file, + const char *config_dir) +{ + int ret; +#ifdef HAVE_LIBINI_CONFIG_V1 +#ifdef HAVE_LIBINI_CONFIG_V1_3 + const char *patterns[] = { "^[^\\.].*\\.conf$", NULL }; + const char *sections[] = { ".*", NULL }; + uint32_t i = 0; + char *msg = NULL; + struct access_check snip_check; + struct ini_cfgobj *modified_sssd_config = NULL; +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ + + /* Create config object */ + ret = ini_config_create(&(init_data->sssd_config)); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to create config object. Error %d.\n", ret); + return ret; + } + + /* Parse file */ + ret = ini_config_parse(init_data->file, + INI_STOP_ON_ANY, + INI_MV1S_OVERWRITE, + INI_PARSE_NOWRAP, + init_data->sssd_config); + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to parse configuration. 
Error %d.\n", ret); + + if (ini_config_error_count(init_data->sssd_config)) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Errors detected while parsing: %s\n", + ini_config_get_filename(init_data->file)); + + ini_config_get_errors(init_data->sssd_config, + &init_data->error_list); + sss_ini_config_print_errors(init_data->error_list); + ini_config_free_errors(init_data->error_list); + } + ini_config_destroy(init_data->sssd_config); + init_data->sssd_config = NULL; + return ret; + } + +#ifdef HAVE_LIBINI_CONFIG_V1_3 + snip_check.flags = INI_ACCESS_CHECK_MODE | INI_ACCESS_CHECK_UID + | INI_ACCESS_CHECK_GID; + snip_check.uid = 0; /* owned by root */ + snip_check.gid = 0; /* owned by root */ + snip_check.mode = S_IRUSR; /* r**------ */ + snip_check.mask = ALLPERMS & ~(S_IWUSR | S_IXUSR); + + ret = ini_config_augment(init_data->sssd_config, + config_dir, + patterns, + sections, + &snip_check, + INI_STOP_ON_ANY, + INI_MV1S_OVERWRITE, + INI_PARSE_NOWRAP, + INI_MV2S_OVERWRITE, + &modified_sssd_config, + &init_data->ra_error_list, + &init_data->ra_success_list); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to augment configuration [%d]: %s", + ret, sss_strerror(ret)); + } + + while (ref_array_get(init_data->ra_success_list, i, &msg) != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Config merge success: %s\n", msg); + i++; + } + + i = 0; + while (ref_array_get(init_data->ra_error_list, i, &msg) != NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Config merge error: %s\n", msg); + i++; + } + + /* switch config objects if there are no errors */ + if (modified_sssd_config != NULL) { + ini_config_destroy(init_data->sssd_config); + init_data->sssd_config = modified_sssd_config; + } else { + DEBUG(SSSDBG_TRACE_FUNC, + "Using only main configuration file due to errors in merging\n"); + } +#endif + + return ret; + +#else + + /* Read the configuration into a collection */ + ret = config_from_fd("sssd", + init_data->file, + config_file, + &init_data->sssd_config, + INI_STOP_ON_ANY, + 
&init_data->error_list); + + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Parse error reading configuration file [%s]\n", + config_file); + + print_file_parsing_errors(stderr, init_data->error_list); + + free_ini_config_errors(init_data->error_list); + free_ini_config(init_data->sssd_config); + + return ret; + } + + return EOK; + +#endif +} + +struct ref_array * +sss_ini_get_ra_success_list(struct sss_ini_initdata *init_data) +{ +#ifdef HAVE_LIBINI_CONFIG_V1_3 + return init_data->ra_success_list; +#else + return NULL; +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ +} + +struct ref_array * +sss_ini_get_ra_error_list(struct sss_ini_initdata *init_data) +{ +#ifdef HAVE_LIBINI_CONFIG_V1_3 + return init_data->ra_error_list; +#else + return NULL; +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ +} + +/* Get configuration object */ + +int sss_ini_get_cfgobj(struct sss_ini_initdata *init_data, + const char *section, const char *name) +{ + return sss_ini_get_config_obj(section,name, init_data->sssd_config, + INI_GET_FIRST_VALUE, &init_data->obj); +} + +/* Check configuration object */ + +int sss_ini_check_config_obj(struct sss_ini_initdata *init_data) +{ + if (init_data->obj == NULL) { + return ENOENT; + } + + return EOK; +} + + + +/* Get integer value */ + +int sss_ini_get_int_config_value(struct sss_ini_initdata *init_data, + int strict, int def, int *error) +{ +#ifdef HAVE_LIBINI_CONFIG_V1 + return ini_get_int_config_value(init_data->obj, strict, def, error); +#else + return get_int_config_value(init_data->obj, strict, def, error); +#endif +} + + + +/* Destroy ini config (v1) */ + +void sss_ini_config_destroy(struct sss_ini_initdata *init_data) +{ + if (init_data == NULL) return; +#ifdef HAVE_LIBINI_CONFIG_V1 + if (init_data->sssd_config != NULL) { + ini_config_destroy(init_data->sssd_config); + init_data->sssd_config = NULL; + } +#else + free_ini_config(init_data->sssd_config); +#endif +} + + + +/* Create LDIF */ + +int sss_confdb_create_ldif(TALLOC_CTX *mem_ctx, + struct 
sss_ini_initdata *init_data, + const char **config_ldif) +{ + int ret, i, j; + char *ldif; + char *tmp_ldif; + char **sections; + int section_count; + char *dn; + char *tmp_dn; + char *sec_dn; + char **attrs; + int attr_count; + char *ldif_attr; + TALLOC_CTX *tmp_ctx; + size_t dn_size; + size_t ldif_len; + size_t attr_len; +#ifdef HAVE_LIBINI_CONFIG_V1 + struct value_obj *obj = NULL; +#else + struct collection_item *obj = NULL; +#endif + + ldif_len = strlen(CONFDB_INTERNAL_LDIF); + ldif = talloc_array(mem_ctx, char, ldif_len+1); + if (!ldif) return ENOMEM; + + tmp_ctx = talloc_new(ldif); + if (!tmp_ctx) { + ret = ENOMEM; + goto error; + } + + memcpy(ldif, CONFDB_INTERNAL_LDIF, ldif_len); + + /* Read in the collection and convert it to an LDIF */ + /* Get the list of sections */ + sections = sss_ini_get_sec_list(init_data->sssd_config, + §ion_count, &ret); + if (ret != EOK) { + goto error; + } + + for (i = 0; i < section_count; i++) { + const char *rdn = NULL; + DEBUG(SSSDBG_TRACE_FUNC, + "Processing config section [%s]\n", sections[i]); + ret = parse_section(tmp_ctx, sections[i], &sec_dn, &rdn); + if (ret != EOK) { + goto error; + } + + dn = talloc_asprintf(tmp_ctx, + "dn: %s,cn=config\n" + "cn: %s\n", + sec_dn, rdn); + if (!dn) { + ret = ENOMEM; + free_section_list(sections); + goto error; + } + dn_size = strlen(dn); + + /* Get all of the attributes and their values as LDIF */ + attrs = sss_ini_get_attr_list(init_data->sssd_config, sections[i], + &attr_count, &ret); + if (ret != EOK) { + free_section_list(sections); + goto error; + } + + for (j = 0; j < attr_count; j++) { + DEBUG(SSSDBG_TRACE_FUNC, + "Processing attribute [%s]\n", attrs[j]); + ret = sss_ini_get_config_obj(sections[i], attrs[j], + init_data->sssd_config, + INI_GET_FIRST_VALUE, &obj); + if (ret != EOK) goto error; + + const char *value = sss_ini_get_const_string_config_value(obj, &ret); + if (ret != EOK) goto error; + if (value && value[0] == '\0') { + DEBUG(SSSDBG_CRIT_FAILURE, + "Attribute '%s' 
has empty value, ignoring\n", + attrs[j]); + continue; + } + + ldif_attr = talloc_asprintf(tmp_ctx, + "%s: %s\n", attrs[j], value); + DEBUG(SSSDBG_TRACE_ALL, "%s\n", ldif_attr); + + attr_len = strlen(ldif_attr); + + tmp_dn = talloc_realloc(tmp_ctx, dn, char, + dn_size+attr_len+1); + if (!tmp_dn) { + ret = ENOMEM; + free_attribute_list(attrs); + free_section_list(sections); + goto error; + } + dn = tmp_dn; + memcpy(dn+dn_size, ldif_attr, attr_len+1); + dn_size += attr_len; + } + + dn_size ++; + tmp_dn = talloc_realloc(tmp_ctx, dn, char, + dn_size+1); + if (!tmp_dn) { + ret = ENOMEM; + free_attribute_list(attrs); + free_section_list(sections); + goto error; + } + dn = tmp_dn; + dn[dn_size-1] = '\n'; + dn[dn_size] = '\0'; + + DEBUG(SSSDBG_TRACE_ALL, "Section dn\n%s\n", dn); + + tmp_ldif = talloc_realloc(mem_ctx, ldif, char, + ldif_len+dn_size+1); + if (!tmp_ldif) { + ret = ENOMEM; + free_attribute_list(attrs); + free_section_list(sections); + goto error; + } + ldif = tmp_ldif; + memcpy(ldif+ldif_len, dn, dn_size); + ldif_len += dn_size; + + free_attribute_list(attrs); + talloc_free(dn); + } + + ldif[ldif_len] = '\0'; + + free_section_list(sections); + + *config_ldif = (const char *)ldif; + talloc_free(tmp_ctx); + return EOK; + +error: + talloc_free(ldif); + return ret; +} + +#ifdef HAVE_LIBINI_CONFIG_V1_3 +/* Here we can put custom SSSD specific checks that can not be implemented + * using libini validators */ +static int custom_sssd_checks(const char *rule_name, + struct ini_cfgobj *rules_obj, + struct ini_cfgobj *config_obj, + struct ini_errobj *errobj, + void **data) +{ + char **cfg_sections = NULL; + int num_cfg_sections; + struct value_obj *vo = NULL; + char dom_prefix[] = "domain/"; + int ret; + + /* Get all sections in configuration */ + cfg_sections = ini_get_section_list(config_obj, &num_cfg_sections, &ret); + if (ret != EOK) { + goto done; + } + + /* Check if a normal domain section (not application domains) has option + * inherit_from and report error if it 
does */ + for (int i = 0; i < num_cfg_sections; i++) { + if (strncmp(dom_prefix, cfg_sections[i], strlen(dom_prefix)) == 0) { + ret = ini_get_config_valueobj(cfg_sections[i], + "inherit_from", + config_obj, + INI_GET_NEXT_VALUE, + &vo); + if (vo != NULL) { + ret = ini_errobj_add_msg(errobj, + "Attribute 'inherit_from' is not " + "allowed in section '%s'. Check for " + "typos.", + cfg_sections[i]); + if (ret != EOK) { + goto done; + } + } + } + } + + ret = EOK; +done: + ini_free_section_list(cfg_sections); + return EOK; +} + +static int sss_ini_call_validators_errobj(struct sss_ini_initdata *data, + const char *rules_path, + struct ini_errobj *errobj) +{ + int ret; + struct ini_cfgobj *rules_cfgobj = NULL; + struct ini_validator custom_sssd = { "sssd_checks", custom_sssd_checks, + NULL }; + struct ini_validator *sss_validators[] = { &custom_sssd, NULL }; + + ret = ini_rules_read_from_file(rules_path, &rules_cfgobj); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to read sssd.conf schema %d [%s]\n", ret, strerror(ret)); + goto done; + } + + ret = ini_rules_check(rules_cfgobj, data->sssd_config, sss_validators, errobj); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "ini_rules_check failed %d [%s]\n", ret, strerror(ret)); + goto done; + } + +done: + if (rules_cfgobj) ini_config_destroy(rules_cfgobj); + + return ret; +} +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ + +int sss_ini_call_validators(struct sss_ini_initdata *data, + const char *rules_path) +{ +#ifdef HAVE_LIBINI_CONFIG_V1_3 + int ret; + struct ini_errobj *errobj = NULL; + + ret = ini_errobj_create(&errobj); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to create error list\n"); + goto done; + } + + ret = sss_ini_call_validators_errobj(data, + rules_path, + errobj); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Failed to get errors from validators.\n"); + goto done; + } + + /* Do not error out when validators find some issue */ + while (!ini_errobj_no_more_msgs(errobj)) { + 
DEBUG(SSSDBG_CRIT_FAILURE, + "%s\n", ini_errobj_get_msg(errobj)); + ini_errobj_next(errobj); + } + + ret = EOK; + +done: + ini_errobj_destroy(&errobj); + return ret; +#else + DEBUG(SSSDBG_TRACE_FUNC, + "libini_config does not support configuration file validataion\n"); + return EOK; +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ +} + +int sss_ini_call_validators_strs(TALLOC_CTX *mem_ctx, + struct sss_ini_initdata *data, + const char *rules_path, + char ***_errors, + size_t *_num_errors) +{ +#ifdef HAVE_LIBINI_CONFIG_V1_3 + TALLOC_CTX *tmp_ctx = NULL; + struct ini_errobj *errobj = NULL; + int ret; + size_t num_errors; + char **errors = NULL; + + if (_num_errors == NULL || _errors == NULL) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = ini_errobj_create(&errobj); + if (ret != EOK) { + goto done; + } + + ret = sss_ini_call_validators_errobj(data, + rules_path, + errobj); + if (ret != EOK) { + goto done; + } + num_errors = ini_errobj_count(errobj); + if (num_errors == 0) { + *_num_errors = num_errors; + goto done; + } + + errors = talloc_array(tmp_ctx, char *, num_errors); + if (errors == NULL) { + ret = ENOMEM; + goto done; + } + + for (int i = 0; i < num_errors; i++) { + errors[i] = talloc_strdup(errors, ini_errobj_get_msg(errobj)); + if (errors[i] == NULL) { + ret = ENOMEM; + goto done; + } + + ini_errobj_next(errobj); + } + + *_num_errors = num_errors; + *_errors = talloc_steal(mem_ctx, errors); + + ret = EOK; + +done: + talloc_free(tmp_ctx); + ini_errobj_destroy(&errobj); + + return ret; + +#else + DEBUG(SSSDBG_TRACE_FUNC, + "libini_config does not support configuration file validataion\n"); + + if (_num_errors == NULL || _errors == NULL) { + return EINVAL; + } + + _num_errors = 0; + return EOK; +#endif /* HAVE_LIBINI_CONFIG_V1_3 */ +} diff --git a/src/util/sss_ini.h b/src/util/sss_ini.h new file mode 100644 index 0000000..0b17383 --- /dev/null +++ b/src/util/sss_ini.h 
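Review bot: In the fallback branch of `sss_ini_call_validators_strs` (built without `HAVE_LIBINI_CONFIG_V1_3`), `_num_errors = 0;` only clears the local pointer, so the function returns `EOK` without ever writing the caller's count; a caller that then walks `*_errors` for `*_num_errors` entries reads indeterminate values. It should be `*_num_errors = 0;`, ideally with `*_errors = NULL;` next to it. Two more places in this hunk drop failures silently. `custom_sssd_checks` ends with `return EOK;` after `done:` instead of `return ret;`, so a failed `ini_get_section_list` or `ini_errobj_add_msg` looks like a clean validation. `sss_confdb_create_ldif` calls `strlen(ldif_attr)` without checking the `talloc_asprintf` result for NULL.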
@@ -0,0 +1,101 @@ +/* + SSSD + + sss_ini.c + + Authors: + Ondrej Kos + + Copyright (C) 2013 Red Hat + + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + + +#ifndef __SSS_INI_H__ +#define __SSS_INI_H__ + +/* Structure declarations */ + +/* INI data structure */ +struct sss_ini_initdata; + + +/* Function declarations */ + +/* Initialize data structure */ +struct sss_ini_initdata* sss_ini_initdata_init(TALLOC_CTX *tmp_ctx); + +/* Close file descriptor */ +void sss_ini_close_file(struct sss_ini_initdata *init_data); + +/* Open config file */ +int sss_ini_config_file_open(struct sss_ini_initdata *init_data, + const char *config_file); + +/* Check file permissions */ +int sss_ini_config_access_check(struct sss_ini_initdata *init_data); + +/* Cstat */ +int sss_ini_get_stat(struct sss_ini_initdata *init_data); + +/* Get mtime */ +int sss_ini_get_mtime(struct sss_ini_initdata *init_data, + size_t timestr_len, + char *timestr); + +/* Load configuration */ +int sss_ini_get_config(struct sss_ini_initdata *init_data, + const char *config_file, + const char *config_dir); +/* Get configuration object */ +int sss_ini_get_cfgobj(struct sss_ini_initdata *init_data, + const char *section, const char *name); + +/* Check configuration object */ +int sss_ini_check_config_obj(struct sss_ini_initdata *init_data); + +/* Get int value */ +int sss_ini_get_int_config_value(struct sss_ini_initdata *init_data, + int strict, int def, int *error); 
+ +/* Destroy ini config */ +void sss_ini_config_destroy(struct sss_ini_initdata *init_data); + +/* Create LDIF */ +int sss_confdb_create_ldif(TALLOC_CTX *mem_ctx, + struct sss_ini_initdata *init_data, + const char **config_ldif); + +/* Validate sssd.conf if libini_config support it */ +int sss_ini_call_validators(struct sss_ini_initdata *data, + const char *rules_path); + +/* Get errors from validators in array of strings */ +int sss_ini_call_validators_strs(TALLOC_CTX *mem_ctx, + struct sss_ini_initdata *data, + const char *rules_path, + char ***_strs, + size_t *_num_errors); + +/* Get pointer to list of snippet parsing errors */ +struct ref_array * +sss_ini_get_ra_error_list(struct sss_ini_initdata *init_data); + +/* Get pointer to list of successfully merged snippet files */ +struct ref_array * +sss_ini_get_ra_success_list(struct sss_ini_initdata *init_data); + +#endif /* __SSS_INI_H__ */ diff --git a/src/util/sss_iobuf.c b/src/util/sss_iobuf.c new file mode 100644 index 0000000..518713e --- /dev/null +++ b/src/util/sss_iobuf.c 
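Review bot: The header uses `TALLOC_CTX` and `size_t` in its prototypes but includes nothing, so it only compiles when the including file has already pulled in talloc and `stddef.h`. Adding `#include <stddef.h>` and `#include <talloc.h>` after the include guard would make it self-contained. The prototypes also disagree with the definitions in sss_ini.c on parameter names (`tmp_ctx` here vs `mem_ctx` for `sss_ini_initdata_init`, `_strs` vs `_errors` for `sss_ini_call_validators_strs`), and the file banner says `sss_ini.c`. For `sss_ini_call_validators_strs` I would spell out ownership in the comment: `/* On success *_strs is a talloc array owned by mem_ctx; it is left untouched when *_num_errors is 0 */`.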
@@ -0,0 +1,313 @@
+#include
+
+#include "util/util.h"
+#include "util/sss_iobuf.h"
+
+/**
+ * @brief The iobuf structure that holds the data, its capacity and
+ * a pointer to the data.
+ *
+ * @see sss_iobuf_init_empty()
+ * @see sss_iobuf_init_readonly()
+ */
+struct sss_iobuf {
+ uint8_t *data; /* Start of the data buffer */
+
+ size_t dp; /* Data pointer */
+ size_t size; /* Current data buffer size */
+ size_t capacity; /* Maximum capacity */
+};
+
+struct sss_iobuf *sss_iobuf_init_empty(TALLOC_CTX *mem_ctx,
+ size_t size,
+ size_t capacity)
+{
+ struct sss_iobuf *iobuf;
+ uint8_t *buf;
+
+ iobuf = talloc_zero(mem_ctx, struct sss_iobuf);
+ if (iobuf == NULL) {
+ return NULL;
+ }
+
+ buf = talloc_zero_array(iobuf, uint8_t, size);
+ if (buf == NULL) {
+ talloc_free(iobuf);
+ return NULL;
+ }
+
+ if (capacity == 0) {
+ capacity = SIZE_MAX / 2;
+ }
+
+ iobuf->data = buf;
+ iobuf->size = size;
+ iobuf->capacity = capacity;
+ iobuf->dp = 0;
+
+ return iobuf;
+}
+
+struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx,
+ const uint8_t *data,
+ size_t size)
+{
+ struct sss_iobuf *iobuf;
+
+ iobuf = sss_iobuf_init_empty(mem_ctx, size, size);
+ if (iobuf == NULL) {
+ return NULL;
+ }
+
+ if (data != NULL) {
+ memcpy(iobuf->data, data, size);
+ }
+
+ return iobuf;
+}
+
+size_t sss_iobuf_get_len(struct sss_iobuf *iobuf)
+{
+ if (iobuf == NULL) {
+ return 0;
+ }
+
+ return iobuf->dp;
+}
+
+size_t sss_iobuf_get_capacity(struct sss_iobuf *iobuf)
+{
+ if (iobuf == NULL) {
+ return 0;
+ }
+
+ return iobuf->capacity;
+}
+
+size_t sss_iobuf_get_size(struct sss_iobuf *iobuf)
+{
+ if (iobuf == NULL) {
+ return 0;
+ }
+
+ return iobuf->size;
+}
+
+uint8_t *sss_iobuf_get_data(struct sss_iobuf *iobuf)
+{
+ if (iobuf == NULL) {
+ return NULL;
+ }
+
+ return iobuf->data;
+}
+
+static size_t iobuf_get_len(struct sss_iobuf *iobuf)
+{
+ if (iobuf == NULL) {
+ return 0;
+ }
+
+ return (iobuf->size - iobuf->dp);
+}
+
+static errno_t ensure_bytes(struct sss_iobuf *iobuf,
+ size_t nbytes)
+{
+ size_t wantsize;
+ size_t newsize;
+ uint8_t *newdata;
+
+ if (iobuf == NULL) {
+ return EINVAL;
+ }
+
+ wantsize = iobuf->dp + nbytes;
+ if (wantsize <= iobuf->size) {
+ /* Enough space already */
+ return EOK;
+ }
+
+ /* Else, try to extend the iobuf */
+ if (wantsize > iobuf->capacity) {
+ /* We will never grow past capacity */
+ return ENOBUFS;
+ }
+
+ /* Double the size until we add at least nbytes, but stop if we double past capacity */
+ for (newsize = iobuf->size;
+ (newsize < wantsize) && (newsize < iobuf->capacity);
+ newsize *= 2)
+ ;
+
+ if (newsize > iobuf->capacity) {
+ newsize = iobuf->capacity;
+ }
+
+ newdata = talloc_realloc(iobuf, iobuf->data, uint8_t, newsize);
+ if (newdata == NULL) {
+ return ENOMEM;
+ }
+
+ iobuf->data = newdata;
+ iobuf->size = newsize;
+
+ return EOK;
+}
+
+static inline uint8_t *iobuf_ptr(struct sss_iobuf *iobuf)
+{
+ return iobuf->data + iobuf->dp;
+}
+
+errno_t sss_iobuf_read(struct sss_iobuf *iobuf,
+ size_t len,
+ uint8_t *_buf,
+ size_t *_read)
+{
+ size_t remaining;
+
+ if (iobuf == NULL || _buf == NULL) {
+ return EINVAL;
+ }
+
+ remaining = iobuf_get_len(iobuf);
+ if (len > remaining) {
+ len = remaining;
+ }
+
+ safealign_memcpy(_buf, iobuf_ptr(iobuf), len, &iobuf->dp);
+ if (_read != NULL) {
+ *_read = len;
+ }
+
+ return EOK;
+}
+
+errno_t sss_iobuf_read_len(struct sss_iobuf *iobuf,
+ size_t len,
+ uint8_t *_buf)
+{
+ size_t read_bytes;
+ errno_t ret;
+
+ ret = sss_iobuf_read(iobuf, len, _buf, &read_bytes);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ if (read_bytes != len) {
+ return ENOBUFS;
+ }
+
+ return EOK;
+}
+
+errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf,
+ uint8_t *buf,
+ size_t len)
+{
+ errno_t ret;
+
+ if (iobuf == NULL || buf == NULL) {
+ return EINVAL;
+ }
+
+ ret = ensure_bytes(iobuf, len);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ safealign_memcpy(iobuf_ptr(iobuf), buf, len, &iobuf->dp);
+
+ return EOK;
+}
+
+errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf,
+ uint32_t *_val)
+{
+ SAFEALIGN_COPY_UINT32_CHECK(_val, iobuf_ptr(iobuf),
+ iobuf->capacity, &iobuf->dp);
+ return EOK;
+}
+
+errno_t sss_iobuf_read_int32(struct sss_iobuf *iobuf,
+ int32_t *_val)
+{
+ SAFEALIGN_COPY_INT32_CHECK(_val, iobuf_ptr(iobuf),
+ iobuf->capacity, &iobuf->dp);
+ return EOK;
+}
+
+errno_t sss_iobuf_write_uint32(struct sss_iobuf *iobuf,
+ uint32_t val)
+{
+ errno_t ret;
+
+ ret = ensure_bytes(iobuf, sizeof(uint32_t));
+ if (ret != EOK) {
+ return ret;
+ }
+
+ SAFEALIGN_SETMEM_UINT32(iobuf_ptr(iobuf), val, &iobuf->dp);
+ return EOK;
+}
+
+errno_t sss_iobuf_write_int32(struct sss_iobuf *iobuf,
+ int32_t val)
+{
+ errno_t ret;
+
+ ret = ensure_bytes(iobuf, sizeof(int32_t));
+ if (ret != EOK) {
+ return ret;
+ }
+
+ SAFEALIGN_SETMEM_INT32(iobuf_ptr(iobuf), val, &iobuf->dp);
+ return EOK;
+}
+
+errno_t sss_iobuf_read_stringz(struct sss_iobuf *iobuf,
+ const char **_out)
+{
+ uint8_t *end;
+ size_t len;
+
+ if (iobuf == NULL) {
+ return EINVAL;
+ }
+
+ if (_out == NULL) {
+ return EINVAL;
+ }
+
+ *_out = NULL;
+
+ end = memchr(iobuf_ptr(iobuf), '\0', sss_iobuf_get_size(iobuf));
+ if (end == NULL) {
+ return EINVAL;
+ }
+
+ len = end + 1 - iobuf_ptr(iobuf);
+ if (sss_iobuf_get_size(iobuf) < len) {
+ return EINVAL;
+ }
+
+ *_out = (const char *) iobuf_ptr(iobuf);
+ iobuf->dp += len;
+ return EOK;
+}
+
+errno_t sss_iobuf_write_stringz(struct sss_iobuf *iobuf,
+ const char *str)
+{
+ if (iobuf == NULL || str == NULL) {
+ return EINVAL;
+ }
+
+ SAFEALIGN_MEMCPY_CHECK(iobuf_ptr(iobuf),
+ str, strlen(str)+1,
+ sss_iobuf_get_size(iobuf),
+ &iobuf->dp);
+ return EOK;
+}
diff --git a/src/util/sss_iobuf.h b/src/util/sss_iobuf.h
new file mode 100644
index 0000000..cc3dfd1
--- /dev/null
+++ b/src/util/sss_iobuf.h
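Review bot: sss_iobuf_read_stringz() passes `sss_iobuf_get_size(iobuf)` as the memchr() length although the scan starts at `data + dp`, so once dp is non-zero the search can run up to dp bytes past the allocation; the bound should be the remaining length from `iobuf_get_len(iobuf)`. sss_iobuf_read_uint32() and sss_iobuf_read_int32() check against `iobuf->capacity` rather than `iobuf->size` and never test `iobuf` for NULL, which, assuming the SAFEALIGN_*_CHECK macros compare `*pctr` plus the value size with their third argument, permits a read beyond the allocated data whenever capacity exceeds size. In ensure_bytes() the doubling loop never terminates for a buffer created with size 0 (`newsize *= 2` stays 0), and `iobuf->dp + nbytes` can wrap. sss_iobuf_write_stringz() also skips ensure_bytes(), so unlike the other writers it fails instead of growing the buffer. The fence shows the rewritten lines for the first three points.

```c
/* ensure_bytes(): reject wrap-around and make the growth loop terminate */
if (nbytes > SIZE_MAX - iobuf->dp) {
    return ENOBUFS;
}
wantsize = iobuf->dp + nbytes;
/* … unchanged: EOK when wantsize <= size, ENOBUFS when wantsize > capacity … */
newsize = (iobuf->size == 0) ? wantsize : iobuf->size;
while (newsize < wantsize) {
    /* wantsize <= capacity here, so clamping to capacity always ends the loop */
    newsize = (newsize > iobuf->capacity / 2) ? iobuf->capacity : newsize * 2;
}
/* … unchanged: talloc_realloc and size/data bookkeeping … */

/* sss_iobuf_read_uint32(); sss_iobuf_read_int32() changes the same way */
if (iobuf == NULL || _val == NULL) {
    return EINVAL;
}
SAFEALIGN_COPY_UINT32_CHECK(_val, iobuf_ptr(iobuf),
                            iobuf->size, &iobuf->dp);

/* sss_iobuf_read_stringz() */
/* … unchanged: NULL checks, *_out = NULL … */
end = memchr(iobuf_ptr(iobuf), '\0', iobuf_get_len(iobuf));
if (end == NULL) {
    return EINVAL;
}
len = end + 1 - iobuf_ptr(iobuf);
/* … unchanged: set *_out, advance dp … */
```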
@@ -0,0 +1,151 @@
+#ifndef __SSS_IOBUF_H_
+#define __SSS_IOBUF_H_
+
+#include
+#include
+#include
+
+#include "util/util_errors.h"
+
+struct sss_iobuf;
+
+/*
+ * @brief Allocate an empty IO buffer
+ *
+ * @param[in] mem_ctx The talloc context that owns the iobuf
+ *
+ * When this buffer is written into, but the capacity is exceeded, the write
+ * function will return an error.
+ *
+ * @param[in] mem_ctx The talloc context that owns the iobuf
+ * @param[in] size The size of the data buffer
+ * @param[in] capacity The maximum capacity the buffer can grow into.
+ * Use 0 for an 'unlimited' buffer that will grow
+ * until SIZE_MAX/2.
+ *
+ * @return The newly created buffer on success or NULL on an error.
+ *
+ */
+struct sss_iobuf *sss_iobuf_init_empty(TALLOC_CTX *mem_ctx,
+ size_t size,
+ size_t capacity);
+
+/*
+ * @brief Allocate an IO buffer with a fixed size
+ *
+ * This function is useful for parsing an input buffer from an existing
+ * buffer pointed to by data.
+ *
+ * The iobuf does not assume ownership of the data buffer in talloc terms,
+ * but copies the data instead.
+ *
+ * @param[in] mem_ctx The talloc context that owns the iobuf
+ * @param[in] data The data to initialize the IO buffer with. This
+ * data is copied into the iobuf-owned buffer.
+ * @param[in] size The size of the data buffer
+ *
+ * @return The newly created buffer on success or NULL on an error.
+ */
+struct sss_iobuf *sss_iobuf_init_readonly(TALLOC_CTX *mem_ctx,
+ const uint8_t *data,
+ size_t size);
+
+/*
+ * @brief Returns the number of bytes currently stored in the iobuf
+ *
+ * @return The number of bytes (the data pointer offset)
+ */
+size_t sss_iobuf_get_len(struct sss_iobuf *iobuf);
+
+/*
+ * @brief Returns the capacity of the IO buffer
+ *
+ * @return The capacity of the IO buffer. Returns zero
+ * for an unlimited buffer.
+ */
+size_t sss_iobuf_get_capacity(struct sss_iobuf *iobuf);
+
+/*
+ * @brief Returns the current size of the IO buffer
+ */
+size_t sss_iobuf_get_size(struct sss_iobuf *iobuf);
+
+/*
+ * @brief Returns the data pointer of the IO buffer
+ */
+uint8_t *sss_iobuf_get_data(struct sss_iobuf *iobuf);
+
+/*
+ * @brief Read from an IO buffer
+ *
+ * Read up to len bytes from an IO buffer. It is not an error to request
+ * more bytes than the buffer actually has - the function will succeed, but
+ * return the actual number of bytes read. Reading from an empty buffer just
+ * returns zero bytes read.
+ *
+ * @param[in] iobuf The IO buffer to read from
+ * @param[in] len The maximum number of bytes to read
+ * @param[out] _buf The buffer to read data into from iobuf
+ * @param[out] _read The actual number of bytes read from IO buffer.
+ *
+ * @return EOK on success, errno otherwise
+ */
+errno_t sss_iobuf_read(struct sss_iobuf *iobuf,
+ size_t len,
+ uint8_t *_buf,
+ size_t *_read);
+
+/*
+ * @brief Read an exact number of bytes from an IO buffer
+ *
+ * Read exactly len bytes from an IO buffer. If the buffer contains fewer
+ * bytes than len, ENOBUFS is returned.
+ *
+ * @param[in] iobuf The IO buffer to read from
+ * @param[in] len The maximum number of bytes to read
+ * @param[out] _buf The buffer to read data into from iobuf
+ *
+ * @return EOK on success, errno otherwise
+ */
+errno_t sss_iobuf_read_len(struct sss_iobuf *iobuf,
+ size_t len,
+ uint8_t *_buf);
+
+/*
+ * @brief Write into an IO buffer
+ *
+ * Attempts to write len bytes into the iobuf. If the capacity is exceeded,
+ * the iobuf module tries to extend the buffer up to the maximum capacity.
+ *
+ * If reallocating the internal buffer fails, the data pointers are not
+ * touched.
+ *
+ * @param[in] iobuf The IO buffer to write to
+ * @param[in] buf The data to write into the buffer
+ * @param[in] len The number of bytes to write
+ *
+ * @return EOK on success, errno otherwise. Notably returns ENOBUFS if
+ * the buffer capacity is exceeded.
+ */
+errno_t sss_iobuf_write_len(struct sss_iobuf *iobuf,
+ uint8_t *buf,
+ size_t len);
+
+errno_t sss_iobuf_read_uint32(struct sss_iobuf *iobuf,
+ uint32_t *_val);
+
+errno_t sss_iobuf_write_uint32(struct sss_iobuf *iobuf,
+ uint32_t val);
+
+errno_t sss_iobuf_read_int32(struct sss_iobuf *iobuf,
+ int32_t *_val);
+
+errno_t sss_iobuf_write_int32(struct sss_iobuf *iobuf,
+ int32_t val);
+
+errno_t sss_iobuf_read_stringz(struct sss_iobuf *iobuf,
+ const char **_out);
+
+errno_t sss_iobuf_write_stringz(struct sss_iobuf *iobuf,
+ const char *str);
+#endif /* __SSS_IOBUF_H_ */
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
new file mode 100644
index 0000000..c0cc28a
--- /dev/null
+++ b/src/util/sss_krb5.c
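Review bot: The comment on sss_iobuf_get_capacity() says it returns zero for an unlimited buffer, but sss_iobuf_init_empty() in sss_iobuf.c of this patch replaces a capacity of 0 with `SIZE_MAX / 2` and the getter returns the stored field, so callers receive `SIZE_MAX / 2`; the line should read `@return The capacity of the IO buffer; SIZE_MAX/2 for an 'unlimited' buffer, 0 if iobuf is NULL.` The comment on sss_iobuf_get_len() likewise describes the data-pointer offset as 'bytes currently stored', which does not hold for a buffer made by sss_iobuf_init_readonly(), where dp starts at 0 and size carries the data length. The six uint32/int32/stringz declarations at the end have no comment at all; sss_iobuf_read_stringz() in particular should state that `*_out` points into the iobuf's own storage, so it is valid only while the iobuf lives and is not reallocated by a later write. The blocks open with `/*` rather than `/**`, so Doxygen will not pick up the `@brief`/`@param` tags, and `@param[in] mem_ctx` is listed twice for sss_iobuf_init_empty().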
@@ -0,0 +1,1351 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +#include +#include +#include +#include +#include + +#include "config.h" + +#include "util/sss_iobuf.h" +#include "util/util.h" +#include "util/sss_krb5.h" + +static char * +sss_krb5_get_primary(TALLOC_CTX *mem_ctx, + const char *pattern, + const char *hostname) +{ + char *primary; + char *dot; + char *c; + char *shortname; + + if (strcmp(pattern, "%S$") == 0) { + shortname = talloc_strdup(mem_ctx, hostname); + if (!shortname) return NULL; + + dot = strchr(shortname, '.'); + if (dot) { + *dot = '\0'; + } + + for (c=shortname; *c != '\0'; ++c) { + *c = toupper(*c); + } + + /* The samAccountName is recommended to be less than 20 characters. + * This is only for users and groups. For machine accounts, + * the real limit is caused by NetBIOS protocol. 
+ * NetBIOS names are limited to 16 (15 + $) + * https://support.microsoft.com/en-us/help/163409/netbios-suffixes-16th-character-of-the-netbios-name + */ + primary = talloc_asprintf(mem_ctx, "%.15s$", shortname); + talloc_free(shortname); + return primary; + } + + return talloc_asprintf(mem_ctx, pattern, hostname); +} + +errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, + const char *hostname, + const char *desired_realm, + const char *keytab_name, + char **_principal, + char **_primary, + char **_realm) +{ + krb5_error_code kerr = 0; + krb5_context krb_ctx = NULL; + krb5_keytab keytab = NULL; + krb5_principal client_princ = NULL; + TALLOC_CTX *tmp_ctx; + char *primary = NULL; + char *realm = NULL; + int i = 0; + errno_t ret; + char *principal_string; + const char *realm_name; + int realm_len; + + /** + * The %s conversion is passed as-is, the %S conversion is translated to + * "short host name" + * + * Priority of lookup: + * - our.hostname@REALM or host/our.hostname@REALM depending on the input + * - SHORT.HOSTNAME$@REALM (AD domain) + * - host/our.hostname@REALM + * - foobar$@REALM (AD domain) + * - host/foobar@REALM + * - host/foo@BAR + * - pick the first principal in the keytab + */ + const char *primary_patterns[] = {"%s", "%S$", "host/%s", "*$", "host/*", + "host/*", NULL}; + const char *realm_patterns[] = {"%s", "%s", "%s", "%s", "%s", + NULL, NULL}; + + DEBUG(SSSDBG_FUNC_DATA, + "trying to select the most appropriate principal from keytab\n"); + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed\n"); + return ENOMEM; + } + + kerr = sss_krb5_init_context(&krb_ctx); + if (kerr) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to init Kerberos context\n"); + ret = EFAULT; + goto done; + } + + if (keytab_name != NULL) { + kerr = krb5_kt_resolve(krb_ctx, keytab_name, &keytab); + } else { + kerr = krb5_kt_default(krb_ctx, &keytab); + } + if (kerr) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to read keytab [%s]: %s\n", + 
KEYTAB_CLEAN_NAME, + sss_krb5_get_error_message(krb_ctx, kerr)); + ret = EFAULT; + goto done; + } + + if (!desired_realm) { + desired_realm = "*"; + } + if (!hostname) { + hostname = "*"; + } + + do { + if (primary_patterns[i]) { + primary = sss_krb5_get_primary(tmp_ctx, + primary_patterns[i], + hostname); + if (primary == NULL) { + ret = ENOMEM; + goto done; + } + } else { + primary = NULL; + } + if (realm_patterns[i]) { + realm = talloc_asprintf(tmp_ctx, realm_patterns[i], desired_realm); + if (realm == NULL) { + ret = ENOMEM; + goto done; + } + } else { + realm = NULL; + } + + kerr = find_principal_in_keytab(krb_ctx, keytab, primary, realm, + &client_princ); + talloc_zfree(primary); + talloc_zfree(realm); + if (kerr == 0) { + break; + } + if (client_princ != NULL) { + krb5_free_principal(krb_ctx, client_princ); + client_princ = NULL; + } + i++; + } while(primary_patterns[i-1] != NULL || realm_patterns[i-1] != NULL); + + if (kerr == 0) { + if (_principal) { + kerr = krb5_unparse_name(krb_ctx, client_princ, &principal_string); + if (kerr) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_unparse_name failed\n"); + ret = EFAULT; + goto done; + } + + *_principal = talloc_strdup(mem_ctx, principal_string); + free(principal_string); + if (!*_principal) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed\n"); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_FUNC_DATA, "Selected principal: %s\n", *_principal); + } + + if (_primary) { + kerr = sss_krb5_unparse_name_flags(krb_ctx, client_princ, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &principal_string); + if (kerr) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_unparse_name failed\n"); + ret = EFAULT; + goto done; + } + + *_primary = talloc_strdup(mem_ctx, principal_string); + free(principal_string); + if (!*_primary) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed\n"); + if (_principal) talloc_zfree(*_principal); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_FUNC_DATA, "Selected primary: %s\n", *_primary); + } + + if (_realm) { + 
sss_krb5_princ_realm(krb_ctx, client_princ, + &realm_name, + &realm_len); + if (realm_len == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n"); + if (_principal) talloc_zfree(*_principal); + if (_primary) talloc_zfree(*_primary); + ret = EINVAL; + goto done; + } + + *_realm = talloc_asprintf(mem_ctx, "%.*s", + realm_len, realm_name); + if (!*_realm) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed\n"); + if (_principal) talloc_zfree(*_principal); + if (_primary) talloc_zfree(*_primary); + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_FUNC_DATA, "Selected realm: %s\n", *_realm); + } + + ret = EOK; + } else { + DEBUG(SSSDBG_MINOR_FAILURE, "No suitable principal found in keytab\n"); + ret = ENOENT; + } + +done: + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read keytab [%s]: %s\n", + KEYTAB_CLEAN_NAME, strerror(ret)); + sss_log(SSS_LOG_ERR, "Failed to read keytab [%s]: %s\n", + KEYTAB_CLEAN_NAME, strerror(ret)); + } + if (keytab) krb5_kt_close(krb_ctx, keytab); + if (krb_ctx) krb5_free_context(krb_ctx); + if (client_princ != NULL) { + krb5_free_principal(krb_ctx, client_princ); + client_princ = NULL; + } + talloc_free(tmp_ctx); + return ret; +} + +enum matching_mode {MODE_NORMAL, MODE_PREFIX, MODE_POSTFIX}; +/** + * We only have primary and instances stored separately, we need to + * join them to one string and compare that string. + * + * @param ctx Kerberos context + * @param principal principal we want to match + * @param pattern_primary primary part of the principal we want to + * perform matching against. It is possible to use * wildcard + * at the beginning or at the end of the string. If NULL, it + * will act as "*" + * @param pattern_realm realm part of the principal we want to perform + * the matching against. 
If NULL, it will act as "*" + */ +static bool match_principal(krb5_context ctx, + krb5_principal principal, + const char *pattern_primary, + const char *pattern_realm) +{ + char *primary = NULL; + char *primary_str = NULL; + int primary_str_len = 0; + int tmp_len; + int len_diff; + const char *realm_name; + int realm_len; + + enum matching_mode mode = MODE_NORMAL; + TALLOC_CTX *tmp_ctx; + bool ret = false; + + sss_krb5_princ_realm(ctx, principal, &realm_name, &realm_len); + if (realm_len == 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "sss_krb5_princ_realm failed.\n"); + return false; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed\n"); + return false; + } + + if (pattern_primary) { + tmp_len = strlen(pattern_primary); + if (pattern_primary[tmp_len-1] == '*') { + mode = MODE_PREFIX; + primary_str = talloc_strdup(tmp_ctx, pattern_primary); + primary_str[tmp_len-1] = '\0'; + primary_str_len = tmp_len-1; + } else if (pattern_primary[0] == '*') { + mode = MODE_POSTFIX; + primary_str = talloc_strdup(tmp_ctx, pattern_primary+1); + primary_str_len = tmp_len-1; + } + + sss_krb5_unparse_name_flags(ctx, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &primary); + + len_diff = strlen(primary)-primary_str_len; + + if ((mode == MODE_NORMAL && + strcmp(primary, pattern_primary) != 0) || + (mode == MODE_PREFIX && + strncmp(primary, primary_str, primary_str_len) != 0) || + (mode == MODE_POSTFIX && + strcmp(primary+len_diff, primary_str) != 0)) { + goto done; + } + } + + if (!pattern_realm || (realm_len == strlen(pattern_realm) && + strncmp(realm_name, pattern_realm, realm_len) == 0)) { + DEBUG(SSSDBG_TRACE_LIBS, + "Principal matched to the sample (%s@%s).\n", pattern_primary, + pattern_realm); + ret = true; + } + +done: + free(primary); + talloc_free(tmp_ctx); + return ret; +} + +krb5_error_code find_principal_in_keytab(krb5_context ctx, + krb5_keytab keytab, + const char *pattern_primary, + const char *pattern_realm, + krb5_principal 
*princ) +{ + krb5_error_code kerr; + krb5_error_code kt_err; + krb5_error_code kerr_d; + krb5_kt_cursor cursor; + krb5_keytab_entry entry; + bool principal_found = false; + + memset(&cursor, 0, sizeof(cursor)); + kerr = krb5_kt_start_seq_get(ctx, keytab, &cursor); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_start_seq_get failed.\n"); + return kerr; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Trying to find principal %s@%s in keytab.\n", pattern_primary, pattern_realm); + memset(&entry, 0, sizeof(entry)); + while ((kt_err = krb5_kt_next_entry(ctx, keytab, &entry, &cursor)) == 0) { + principal_found = match_principal(ctx, entry.principal, pattern_primary, pattern_realm); + if (principal_found) { + break; + } + + kerr = sss_krb5_free_keytab_entry_contents(ctx, &entry); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to free keytab entry.\n"); + } + memset(&entry, 0, sizeof(entry)); + } + + /* Close the keytab here. Even though we're using cursors, the file + * handle is stored in the krb5_keytab structure, and it gets + * overwritten by other keytab calls, creating a leak. 
*/ + kerr = krb5_kt_end_seq_get(ctx, keytab, &cursor); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_kt_end_seq_get failed.\n"); + goto done; + } + + if (!principal_found) { + kerr = KRB5_KT_NOTFOUND; + DEBUG(SSSDBG_TRACE_FUNC, + "No principal matching %s@%s found in keytab.\n", + pattern_primary, pattern_realm); + goto done; + } + + /* check if we got any errors from krb5_kt_next_entry */ + if (kt_err != 0 && kt_err != KRB5_KT_END) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error while reading keytab.\n"); + goto done; + } + + kerr = krb5_copy_principal(ctx, entry.principal, princ); + if (kerr != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "krb5_copy_principal failed.\n"); + goto done; + } + + kerr = 0; + +done: + kerr_d = sss_krb5_free_keytab_entry_contents(ctx, &entry); + if (kerr_d != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to free keytab entry.\n"); + } + + return kerr; +} + +const char *KRB5_CALLCONV sss_krb5_get_error_message(krb5_context ctx, + krb5_error_code ec) +{ +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE + return krb5_get_error_message(ctx, ec); +#else + int ret; + char *s = NULL; + int size = sizeof("Kerberos error [XXXXXXXXXXXX]"); + + s = malloc(sizeof(char) * (size)); + if (s == NULL) { + return NULL; + } + + ret = snprintf(s, size, "Kerberos error [%12d]", ec); + + if (ret < 0 || ret >= size) { + free(s); + return NULL; + } + + return s; +#endif +} + +void KRB5_CALLCONV sss_krb5_free_error_message(krb5_context ctx, const char *s) +{ +#ifdef HAVE_KRB5_GET_ERROR_MESSAGE + krb5_free_error_message(ctx, s); +#else + free(s); +#endif + + return; +} + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_alloc( + krb5_context context, + krb5_get_init_creds_opt **opt) +{ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + return krb5_get_init_creds_opt_alloc(context, opt); +#else + *opt = calloc(1, sizeof(krb5_get_init_creds_opt)); + if (*opt == NULL) { + return ENOMEM; + } + krb5_get_init_creds_opt_init(*opt); + + return 0; +#endif +} + +void KRB5_CALLCONV 
sss_krb5_get_init_creds_opt_free (krb5_context context, + krb5_get_init_creds_opt *opt) +{ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC + krb5_get_init_creds_opt_free(context, opt); +#else + free(opt); +#endif + + return; +} + +void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name) +{ +#ifdef HAVE_KRB5_FREE_UNPARSED_NAME + krb5_free_unparsed_name(context, name); +#else + if (name != NULL) { + memset(name, 0, strlen(name)); + free(name); + } +#endif +} + + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback( + krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_expire_callback_func cb, + void *data) +{ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK + return krb5_get_init_creds_opt_set_expire_callback(context, opt, cb, data); +#else + DEBUG(SSSDBG_FUNC_DATA, + "krb5_get_init_creds_opt_set_expire_callback not available.\n"); + return 0; +#endif +} + +errno_t check_fast(const char *str, bool *use_fast) +{ +#if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS + if (strcasecmp(str, "never") == 0 ) { + *use_fast = false; + } else if (strcasecmp(str, "try") == 0 || strcasecmp(str, "demand") == 0) { + *use_fast = true; + } else { + sss_log(SSS_LOG_ALERT, "Unsupported value [%s] for option krb5_use_fast," + "please use never, try, or demand.\n", str); + return EINVAL; + } + + return EOK; +#else + sss_log(SSS_LOG_ALERT, "This build of sssd does not support FAST. 
" + "Please remove option krb5_use_fast.\n"); + return EINVAL; +#endif +} + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_fast_ccache_name( + krb5_context context, + krb5_get_init_creds_opt *opt, + const char *fast_ccache_name) +{ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME + return krb5_get_init_creds_opt_set_fast_ccache_name(context, opt, + fast_ccache_name); +#else + DEBUG(SSSDBG_FUNC_DATA, + "krb5_get_init_creds_opt_set_fast_ccache_name not available.\n"); + return 0; +#endif +} + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_fast_flags( + krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_flags flags) +{ +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS + return krb5_get_init_creds_opt_set_fast_flags(context, opt, flags); +#else + DEBUG(SSSDBG_FUNC_DATA, + "krb5_get_init_creds_opt_set_fast_flags not available.\n"); + return 0; +#endif +} + + +#ifndef HAVE_KRB5_UNPARSE_NAME_FLAGS +#ifndef REALM_SEP +#define REALM_SEP '@' +#endif +#ifndef COMPONENT_SEP +#define COMPONENT_SEP '/' +#endif + +static int +sss_krb5_copy_component_quoting(char *dest, const krb5_data *src, int flags) +{ + int j; + const char *cp = src->data; + char *q = dest; + int length = src->length; + + if (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) { + memcpy(dest, src->data, src->length); + return src->length; + } + + for (j=0; j < length; j++,cp++) { + int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) && + !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT); + + switch (*cp) { + case REALM_SEP: + if (no_realm) { + *q++ = *cp; + break; + } + case COMPONENT_SEP: + case '\\': + *q++ = '\\'; + *q++ = *cp; + break; + case '\t': + *q++ = '\\'; + *q++ = 't'; + break; + case '\n': + *q++ = '\\'; + *q++ = 'n'; + break; + case '\b': + *q++ = '\\'; + *q++ = 'b'; + break; + case '\0': + *q++ = '\\'; + *q++ = '0'; + break; + default: + *q++ = *cp; + } + } + return q - dest; +} + +static int +sss_krb5_component_length_quoted(const krb5_data *src, int flags) 
+{ + const char *cp = src->data; + int length = src->length; + int j; + int size = length; + + if ((flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) == 0) { + int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) && + !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT); + + for (j = 0; j < length; j++,cp++) + if ((!no_realm && *cp == REALM_SEP) || + *cp == COMPONENT_SEP || + *cp == '\0' || *cp == '\\' || *cp == '\t' || + *cp == '\n' || *cp == '\b') + size++; + } + + return size; +} + +#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */ + + +krb5_error_code +sss_krb5_parse_name_flags(krb5_context context, const char *name, int flags, + krb5_principal *principal) +{ +#ifdef HAVE_KRB5_PARSE_NAME_FLAGS + return krb5_parse_name_flags(context, name, flags, principal); +#else + if (flags != 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "krb5_parse_name_flags not available on " \ + "this plattform, names are parsed " \ + "without flags. Some features like " \ + "enterprise principals might not work " \ + "as expected.\n"); + } + + return krb5_parse_name(context, name, principal); +#endif +} + +krb5_error_code +sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, + int flags, char **name) +{ +#ifdef HAVE_KRB5_UNPARSE_NAME_FLAGS + return krb5_unparse_name_flags(context, principal, flags, name); +#else + char *cp, *q; + int i; + int length; + krb5_int32 nelem; + unsigned int totalsize = 0; + char *default_realm = NULL; + krb5_error_code ret = 0; + + if (name != NULL) + *name = NULL; + + if (!principal || !name) + return KRB5_PARSE_MALFORMED; + + if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) { + /* omit realm if local realm */ + krb5_principal_data p; + + ret = krb5_get_default_realm(context, &default_realm); + if (ret != 0) + goto cleanup; + + krb5_princ_realm(context, &p)->length = strlen(default_realm); + krb5_princ_realm(context, &p)->data = default_realm; + + if (krb5_realm_compare(context, &p, principal)) + flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM; + } + + if ((flags & 
KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) { + totalsize += sss_krb5_component_length_quoted(krb5_princ_realm(context, + principal), + flags); + totalsize++; + } + + nelem = krb5_princ_size(context, principal); + for (i = 0; i < (int) nelem; i++) { + cp = krb5_princ_component(context, principal, i)->data; + totalsize += sss_krb5_component_length_quoted(krb5_princ_component(context, principal, i), flags); + totalsize++; + } + if (nelem == 0) + totalsize++; + + *name = malloc(totalsize); + + if (!*name) { + ret = ENOMEM; + goto cleanup; + } + + q = *name; + + for (i = 0; i < (int) nelem; i++) { + cp = krb5_princ_component(context, principal, i)->data; + length = krb5_princ_component(context, principal, i)->length; + q += sss_krb5_copy_component_quoting(q, + krb5_princ_component(context, + principal, + i), + flags); + *q++ = COMPONENT_SEP; + } + + if (i > 0) + q--; + if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) { + *q++ = REALM_SEP; + q += sss_krb5_copy_component_quoting(q, krb5_princ_realm(context, principal), flags); + } + *q++ = '\0'; + +cleanup: + free(default_realm); + + return ret; +#endif /* HAVE_KRB5_UNPARSE_NAME_FLAGS */ +} + +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, + int canonicalize) +{ + /* FIXME: The extra check for HAVE_KRB5_TICKET_TIMES is a workaround due to Heimdal + * defining krb5_get_init_creds_opt_set_canonicalize() with a different set of + * arguments. We should use a better configure check in the future. 
+ */ +#if defined(HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CANONICALIZE) && defined(HAVE_KRB5_TICKET_TIMES) + krb5_get_init_creds_opt_set_canonicalize(opts, canonicalize); +#else + DEBUG(SSSDBG_OP_FAILURE, "Kerberos principal canonicalization is not available!\n"); +#endif +} + +#ifdef HAVE_KRB5_PRINCIPAL_GET_REALM +void sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ, + const char **realm, int *len) +{ + const char *realm_str = krb5_principal_get_realm(context, princ); + + if (realm_str != NULL) { + *realm = realm_str; + *len = strlen(realm_str); + } else { + *realm = NULL; + *len = 0; + } +} +#else +void sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ, + const char **realm, int *len) +{ + const krb5_data *data; + + data = krb5_princ_realm(context, princ); + if (data) { + *realm = data->data; + *len = data->length; + } else { + *realm = NULL; + *len = 0; + } +} +#endif + +#ifdef HAVE_KRB5_FREE_KEYTAB_ENTRY_CONTENTS +krb5_error_code +sss_krb5_free_keytab_entry_contents(krb5_context context, + krb5_keytab_entry *entry) +{ + return krb5_free_keytab_entry_contents(context, entry); +} +#else +krb5_error_code +sss_krb5_free_keytab_entry_contents(krb5_context context, + krb5_keytab_entry *entry) +{ + return krb5_kt_free_entry(context, entry); +} +#endif + + +#ifdef HAVE_KRB5_SET_TRACE_CALLBACK + +#ifndef HAVE_KRB5_TRACE_INFO +/* krb5-1.10 had struct krb5_trace_info, 1.11 has type named krb5_trace_info */ +typedef struct krb5_trace_info krb5_trace_info; +#endif /* HAVE_KRB5_TRACE_INFO */ + +static void +sss_child_krb5_trace_cb(krb5_context context, + const krb5_trace_info *info, void *data) +{ + if (info == NULL) { + /* Null info means destroy the callback data. 
*/ + return; + } + + DEBUG(SSSDBG_TRACE_ALL, "%s\n", info->message); +} + +errno_t +sss_child_set_krb5_tracing(krb5_context ctx) +{ + return krb5_set_trace_callback(ctx, sss_child_krb5_trace_cb, NULL); +} +#else /* HAVE_KRB5_SET_TRACE_CALLBACK */ +errno_t +sss_child_set_krb5_tracing(krb5_context ctx) +{ + DEBUG(SSSDBG_CONF_SETTINGS, "krb5 tracing is not available\n"); + return 0; +} +#endif /* HAVE_KRB5_SET_TRACE_CALLBACK */ + +krb5_error_code sss_krb5_find_authdata(krb5_context context, + krb5_authdata *const *ticket_authdata, + krb5_authdata *const *ap_req_authdata, + krb5_authdatatype ad_type, + krb5_authdata ***results) +{ +#ifdef HAVE_KRB5_FIND_AUTHDATA + return krb5_find_authdata(context, ticket_authdata, ap_req_authdata, + ad_type, results); +#else + return ENOTSUP; +#endif +} + +krb5_error_code sss_extract_pac(krb5_context ctx, + krb5_ccache ccache, + krb5_principal server_principal, + krb5_principal client_principal, + krb5_keytab keytab, + krb5_authdata ***_pac_authdata) +{ +#ifdef HAVE_PAC_RESPONDER + krb5_error_code kerr; + krb5_creds mcred; + krb5_creds cred; + krb5_authdata **pac_authdata = NULL; + krb5_pac pac = NULL; + int ret; + krb5_ticket *ticket = NULL; + krb5_keytab_entry entry; + + memset(&entry, 0, sizeof(entry)); + memset(&mcred, 0, sizeof(mcred)); + memset(&cred, 0, sizeof(mcred)); + + mcred.server = server_principal; + mcred.client = client_principal; + + kerr = krb5_cc_retrieve_cred(ctx, ccache, 0, &mcred, &cred); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_cc_retrieve_cred failed.\n"); + goto done; + } + + kerr = krb5_decode_ticket(&cred.ticket, &ticket); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_decode_ticket failed.\n"); + goto done; + } + + kerr = krb5_server_decrypt_ticket_keytab(ctx, keytab, ticket); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_server_decrypt_ticket_keytab failed.\n"); + goto done; + } + + kerr = sss_krb5_find_authdata(ctx, + ticket->enc_part2->authorization_data, NULL, + 
KRB5_AUTHDATA_WIN2K_PAC, &pac_authdata); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_find_authdata failed.\n"); + goto done; + } + + if (pac_authdata == NULL || pac_authdata[0] == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "No PAC authdata available.\n"); + kerr = ENOENT; + goto done; + } + + if (pac_authdata[1] != NULL) { + DEBUG(SSSDBG_OP_FAILURE, "More than one PAC autdata found.\n"); + kerr = EINVAL; + goto done; + } + + kerr = krb5_pac_parse(ctx, pac_authdata[0]->contents, + pac_authdata[0]->length, &pac); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_pac_parse failed.\n"); + goto done; + } + + kerr = krb5_kt_get_entry(ctx, keytab, ticket->server, + ticket->enc_part.kvno, ticket->enc_part.enctype, + &entry); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_kt_get_entry failed.\n"); + goto done; + } + + kerr = krb5_pac_verify(ctx, pac, 0, NULL, &entry.key, NULL); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_pac_verify failed.\n"); + goto done; + } + + ret = unsetenv("_SSS_LOOPS"); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to unset _SSS_LOOPS, " + "sss_pac_make_request will most certainly fail.\n"); + } + + *_pac_authdata = pac_authdata; + kerr = 0; + +done: + if (kerr != 0) { + krb5_free_authdata(ctx, pac_authdata); + } + if (entry.magic != 0) { + krb5_free_keytab_entry_contents(ctx, &entry); + } + krb5_pac_free(ctx, pac); + if (ticket != NULL) { + krb5_free_ticket(ctx, ticket); + } + + krb5_free_cred_contents(ctx, &cred); + return kerr; +#else + return ENOTSUP; +#endif +} + +char * sss_get_ccache_name_for_principal(TALLOC_CTX *mem_ctx, + krb5_context ctx, + krb5_principal principal, + const char *location) +{ +#ifdef HAVE_KRB5_CC_COLLECTION + krb5_error_code kerr; + krb5_ccache tmp_cc = NULL; + char *tmp_ccname = NULL; + char *ret_ccname = NULL; + + DEBUG(SSSDBG_TRACE_ALL, + "Location: [%s]\n", location); + + kerr = krb5_cc_set_default_name(ctx, location); + if (kerr != 0) { + KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr); + return 
NULL; + } + + kerr = krb5_cc_cache_match(ctx, principal, &tmp_cc); + if (kerr != 0) { + const char *err_msg = sss_krb5_get_error_message(ctx, kerr); + DEBUG(SSSDBG_TRACE_INTERNAL, + "krb5_cc_cache_match failed: [%d][%s]\n", kerr, err_msg); + sss_krb5_free_error_message(ctx, err_msg); + return NULL; + } + + kerr = krb5_cc_get_full_name(ctx, tmp_cc, &tmp_ccname); + if (kerr != 0) { + KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr); + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, + "tmp_ccname: [%s]\n", tmp_ccname); + + ret_ccname = talloc_strdup(mem_ctx, tmp_ccname); + if (ret_ccname == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed (ENOMEM).\n"); + } + +done: + if (tmp_cc != NULL) { + kerr = krb5_cc_close(ctx, tmp_cc); + if (kerr != 0) { + KRB5_DEBUG(SSSDBG_MINOR_FAILURE, ctx, kerr); + } + } + krb5_free_string(ctx, tmp_ccname); + + return ret_ccname; +#else + return NULL; +#endif /* HAVE_KRB5_CC_COLLECTION */ +} + +krb5_error_code sss_krb5_kt_have_content(krb5_context context, + krb5_keytab keytab) +{ +#ifdef HAVE_KRB5_KT_HAVE_CONTENT + return krb5_kt_have_content(context, keytab); +#else + krb5_keytab_entry entry; + krb5_kt_cursor cursor; + krb5_error_code kerr; + krb5_error_code kerr_end; + + kerr = krb5_kt_start_seq_get(context, keytab, &cursor); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "krb5_kt_start_seq_get failed, assuming no entries.\n"); + return KRB5_KT_NOTFOUND; + } + + kerr = krb5_kt_next_entry(context, keytab, &entry, &cursor); + kerr_end = krb5_kt_end_seq_get(context, keytab, &cursor); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, + "krb5_kt_next_entry failed, assuming no entries.\n"); + return KRB5_KT_NOTFOUND; + } + kerr = krb5_free_keytab_entry_contents(context, &entry); + + if (kerr_end != 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "krb5_kt_end_seq_get failed, ignored.\n"); + } + if (kerr != 0) { + DEBUG(SSSDBG_TRACE_FUNC, + "krb5_free_keytab_entry_contents failed, ignored.\n"); + } + + return 0; +#endif +} + +#define KDC_PROXY_INDICATOR "https://" 
+#define KDC_PROXY_INDICATOR_LEN (sizeof(KDC_PROXY_INDICATOR) - 1) + +bool sss_krb5_realm_has_proxy(const char *realm) +{ + krb5_context context = NULL; + krb5_error_code kerr; + struct _profile_t *profile = NULL; + const char *profile_path[4] = {"realms", NULL, "kdc", NULL}; + char **list = NULL; + bool res = false; + size_t c; + + if (realm == NULL) { + return false; + } + + kerr = sss_krb5_init_context(&context); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "sss_krb5_init_context failed.\n"); + return false; + } + + kerr = krb5_get_profile(context, &profile); + if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "krb5_get_profile failed.\n"); + goto done; + } + + profile_path[1] = realm; + + kerr = profile_get_values(profile, profile_path, &list); + if (kerr == PROF_NO_RELATION || kerr == PROF_NO_SECTION) { + goto done; + } else if (kerr != 0) { + DEBUG(SSSDBG_OP_FAILURE, "profile_get_values failed.\n"); + goto done; + } + + for (c = 0; list[c] != NULL; c++) { + if (strncasecmp(KDC_PROXY_INDICATOR, list[c], + KDC_PROXY_INDICATOR_LEN) == 0) { + DEBUG(SSSDBG_TRACE_ALL, + "Found KDC Proxy indicator [%s] in [%s].\n", + KDC_PROXY_INDICATOR, list[c]); + res = true; + break; + } + } + +done: + profile_free_list(list); + profile_release(profile); + krb5_free_context(context); + + return res; +} + +static errno_t iobuf_read_uint32be(struct sss_iobuf *iobuf, + uint32_t *_val) +{ + uint32_t beval; + errno_t ret; + + ret = sss_iobuf_read_uint32(iobuf, &beval); + if (ret != EOK) { + return ret; + } + + *_val = be32toh(beval); + return EOK; +} + +static errno_t iobuf_write_uint32be(struct sss_iobuf *iobuf, + uint32_t val) +{ + uint32_t beval; + + beval = htobe32(val); + return sss_iobuf_write_uint32(iobuf, beval); +} + +static errno_t iobuf_get_len_bytes(TALLOC_CTX *mem_ctx, + struct sss_iobuf *iobuf, + uint32_t *_nbytes, + uint8_t **_bytes) +{ + errno_t ret; + uint32_t nbytes; + uint8_t *bytes = NULL; + + ret = iobuf_read_uint32be(iobuf, &nbytes); + if (ret != EOK) { + return ret; 
+ } + + bytes = talloc_zero_size(mem_ctx, nbytes); + if (bytes == NULL) { + return ENOMEM; + } + + ret = sss_iobuf_read_len(iobuf, nbytes, bytes); + if (ret != EOK) { + talloc_free(bytes); + return ret; + } + + *_bytes = bytes; + *_nbytes = nbytes; + return EOK; +} + +static errno_t get_krb5_data(TALLOC_CTX *mem_ctx, + struct sss_iobuf *iobuf, + krb5_data *k5data) +{ + errno_t ret; + uint32_t nbytes; + uint8_t *bytes = NULL; + + ret = iobuf_get_len_bytes(mem_ctx, iobuf, &nbytes, &bytes); + if (ret != EOK) { + talloc_free(bytes); + return ret; + } + + k5data->data = (char *) bytes; /* FIXME - the cast is ugly */ + k5data->length = nbytes; + return EOK; +} + +static errno_t set_krb5_data(struct sss_iobuf *iobuf, + krb5_data *k5data) +{ + errno_t ret; + + ret = iobuf_write_uint32be(iobuf, k5data->length); + if (ret != EOK) { + return ret; + } + + if (k5data->length > 0) { + ret = sss_iobuf_write_len(iobuf, + (uint8_t *) k5data->data, + k5data->length); + if (ret != EOK) { + return ret; + } + } + + return EOK; +} + +/* FIXME - it would be nice if Kerberos exported these APIs.. 
*/ +krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx, + struct sss_iobuf *iobuf, + krb5_principal *_princ) +{ + krb5_principal princ = NULL; + krb5_error_code ret; + uint32_t ncomps; + + if (iobuf == NULL || _princ == NULL) { + return EINVAL; + } + + princ = talloc_zero(mem_ctx, struct krb5_principal_data); + if (princ == NULL) { + return ENOMEM; + } + + princ->magic = KV5M_PRINCIPAL; + + ret = iobuf_read_uint32be(iobuf, (uint32_t *) &princ->type); + if (ret != EOK) { + goto fail; + } + + ret = iobuf_read_uint32be(iobuf, &ncomps); + if (ret != EOK) { + goto fail; + } + + if (ncomps > sss_iobuf_get_capacity(iobuf)) { + /* Sanity check to avoid large allocations */ + ret = EINVAL; + goto fail; + } + + if (ncomps != 0) { + princ->data = talloc_zero_array(princ, krb5_data, ncomps); + if (princ->data == NULL) { + ret = ENOMEM; + goto fail; + } + + princ->length = ncomps; + } + + ret = get_krb5_data(princ, iobuf, &princ->realm); + if (ret != EOK) { + goto fail; + } + + for (size_t i = 0; i < ncomps; i++) { + ret = get_krb5_data(princ->data, iobuf, &princ->data[i]); + if (ret != EOK) { + goto fail; + } + } + + *_princ = princ; + return 0; + +fail: + talloc_free(princ); + return ret; +} + +krb5_error_code sss_krb5_marshal_princ(krb5_principal princ, + struct sss_iobuf *iobuf) +{ + krb5_error_code ret; + + if (iobuf == NULL || princ == NULL) { + return EINVAL; + } + + ret = iobuf_write_uint32be(iobuf, princ->type); + if (ret != EOK) { + return ret; + } + + ret = iobuf_write_uint32be(iobuf, princ->length); + if (ret != EOK) { + return ret; + } + + ret = set_krb5_data(iobuf, &princ->realm); + if (ret != EOK) { + return ret; + } + + for (int i = 0; i < princ->length; i++) { + ret = set_krb5_data(iobuf, &princ->data[i]); + if (ret != EOK) { + return ret; + } + } + return EOK; +} + +krb5_error_code sss_krb5_init_context(krb5_context *context) +{ + krb5_error_code kerr; + const char *msg; + + kerr = krb5_init_context(context); + if (kerr != 0) { + /* It is safe to 
call (sss_)krb5_get_error_message() with NULL as first + * argument. */ + msg = sss_krb5_get_error_message(NULL, kerr); + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to init Kerberos context [%s]\n", msg); + sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg); + sss_krb5_free_error_message(NULL, msg); + } + + return kerr; +} diff --git a/src/util/sss_krb5.h b/src/util/sss_krb5.h new file mode 100644 index 0000000..4239514 --- /dev/null +++ b/src/util/sss_krb5.h 
@@ -0,0 +1,200 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009-2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSS_KRB5_H__ +#define __SSS_KRB5_H__ + +#include "config.h" + +#include +#include + +#ifdef HAVE_KRB5_KRB5_H +#include +#else +#include +#endif + +#include "util/sss_iobuf.h" +#include "util/util.h" + +#define KRB5_CHILD_LOG_FILE "krb5_child" +#define LDAP_CHILD_LOG_FILE "ldap_child" + +/* MIT Kerberos has the same hardcoded warning interval of 7 days. Due to the + * fact that using the expiration time of a Kerberos password with LDAP + * authentication is presumably a rare case a separate config option is not + * necessary. */ +#define KERBEROS_PWEXPIRE_WARNING_TIME (7 * 24 * 60 * 60) +#define KEYTAB_CLEAN_NAME keytab_name ? 
keytab_name : "default" + +#if defined HAVE_KRB5_CC_CACHE_MATCH && defined HAVE_KRB5_CC_GET_FULL_NAME +#define HAVE_KRB5_CC_COLLECTION 1 +#endif + +const char * KRB5_CALLCONV sss_krb5_get_error_message (krb5_context, + krb5_error_code); + +void KRB5_CALLCONV sss_krb5_free_error_message(krb5_context, const char *); + +#define KRB5_DEBUG(level, errctx, krb5_error) do { \ + const char *__krb5_error_msg; \ + __krb5_error_msg = sss_krb5_get_error_message(errctx, krb5_error); \ + DEBUG(level, "%d: [%d][%s]\n", __LINE__, krb5_error, __krb5_error_msg); \ + sss_log(SSS_LOG_ERR, "%s", __krb5_error_msg); \ + sss_krb5_free_error_message(errctx, __krb5_error_msg); \ +} while(0) + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_alloc( + krb5_context context, + krb5_get_init_creds_opt **opt); + +void KRB5_CALLCONV sss_krb5_get_init_creds_opt_free (krb5_context context, + krb5_get_init_creds_opt *opt); + +void KRB5_CALLCONV sss_krb5_free_unparsed_name(krb5_context context, char *name); + +krb5_error_code find_principal_in_keytab(krb5_context ctx, + krb5_keytab keytab, + const char *pattern_primary, + const char *pattern_realm, + krb5_principal *princ); + +errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx, + const char *hostname, + const char *desired_realm, + const char *keytab_name, + char **_principal, + char **_primary, + char **_realm); + +#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_EXPIRE_CALLBACK +typedef void krb5_expire_callback_func(krb5_context context, void *data, + krb5_timestamp password_expiration, + krb5_timestamp account_expiration, + krb5_boolean is_last_req); +#endif +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_expire_callback( + krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_expire_callback_func cb, + void *data); + +errno_t check_fast(const char *str, bool *use_fast); + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_fast_ccache_name( + krb5_context context, + krb5_get_init_creds_opt *opt, + const 
char *fast_ccache_name); + +krb5_error_code KRB5_CALLCONV sss_krb5_get_init_creds_opt_set_fast_flags( + krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_flags flags); + +#if HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_FLAGS +#define SSS_KRB5_FAST_REQUIRED KRB5_FAST_REQUIRED +#else +#define SSS_KRB5_FAST_REQUIRED 0 +#endif + + +#ifndef HAVE_KRB5_PARSE_NAME_FLAGS +#define KRB5_PRINCIPAL_PARSE_NO_REALM 0x1 +#define KRB5_PRINCIPAL_PARSE_REQUIRE_REALM 0x2 +#define KRB5_PRINCIPAL_PARSE_ENTERPRISE 0x4 +#endif +krb5_error_code +sss_krb5_parse_name_flags(krb5_context context, const char *name, int flags, + krb5_principal *principal); + +#ifndef HAVE_KRB5_UNPARSE_NAME_FLAGS +#define KRB5_PRINCIPAL_UNPARSE_SHORT 0x1 +#define KRB5_PRINCIPAL_UNPARSE_NO_REALM 0x2 +#define KRB5_PRINCIPAL_UNPARSE_DISPLAY 0x4 +#endif +krb5_error_code +sss_krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, + int flags, char **name); + +void sss_krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opts, + int canonicalize); + +enum sss_krb5_cc_type { + SSS_KRB5_TYPE_FILE, +#ifdef HAVE_KRB5_CC_COLLECTION + SSS_KRB5_TYPE_DIR, + SSS_KRB5_TYPE_KEYRING, +#endif /* HAVE_KRB5_CC_COLLECTION */ + + SSS_KRB5_TYPE_UNKNOWN +}; + +/* === Compatibility routines for the Heimdal Kerberos implementation === */ + +void sss_krb5_princ_realm(krb5_context context, krb5_const_principal princ, + const char **realm, int *len); + +krb5_error_code +sss_krb5_free_keytab_entry_contents(krb5_context context, + krb5_keytab_entry *entry); + +#ifdef HAVE_KRB5_TICKET_TIMES +typedef krb5_ticket_times sss_krb5_ticket_times; +#elif defined(HAVE_KRB5_TIMES) +typedef krb5_times sss_krb5_ticket_times; +#endif + +/* Redirect libkrb5 tracing towards our DEBUG statements */ +errno_t sss_child_set_krb5_tracing(krb5_context ctx); + +krb5_error_code sss_krb5_find_authdata(krb5_context context, + krb5_authdata *const *ticket_authdata, + krb5_authdata *const *ap_req_authdata, + krb5_authdatatype 
ad_type, + krb5_authdata ***results); + +krb5_error_code sss_extract_pac(krb5_context ctx, + krb5_ccache ccache, + krb5_principal server_principal, + krb5_principal client_principal, + krb5_keytab keytab, + krb5_authdata ***_pac_authdata); + +char * sss_get_ccache_name_for_principal(TALLOC_CTX *mem_ctx, + krb5_context ctx, + krb5_principal principal, + const char *location); + +krb5_error_code sss_krb5_kt_have_content(krb5_context context, + krb5_keytab keytab); + +bool sss_krb5_realm_has_proxy(const char *realm); + +krb5_error_code sss_krb5_marshal_princ(krb5_principal princ, + struct sss_iobuf *iobuf); + +krb5_error_code sss_krb5_unmarshal_princ(TALLOC_CTX *mem_ctx, + struct sss_iobuf *iobuf, + krb5_principal *_princ); + +krb5_error_code sss_krb5_init_context(krb5_context *context); + +#endif /* __SSS_KRB5_H__ */ diff --git a/src/util/sss_ldap.c b/src/util/sss_ldap.c new file mode 100644 index 0000000..9d1e952 --- /dev/null +++ b/src/util/sss_ldap.c 
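Review bot: `KEYTAB_CLEAN_NAME` is defined as a bare conditional, `keytab_name ? keytab_name : "default"`, so its value depends on the operators around the place where it is expanded. It also silently reads whatever variable named `keytab_name` happens to be in scope there. Parenthesizing the expansion makes it safe as an operand: `#define KEYTAB_CLEAN_NAME (keytab_name ? keytab_name : "default")`. A one-line comment stating that the macro expects a local `const char *keytab_name` would help too, since the header does not show where it is used.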
@@ -0,0 +1,469 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include + +#include "util/util.h" +#include "util/sss_sockets.h" +#include "util/sss_ldap.h" + +#include "providers/ldap/sdap.h" + +const char* sss_ldap_err2string(int err) +{ + if (IS_SSSD_ERROR(err)) { + return sss_strerror(err); + } else { + return ldap_err2string(err); + } +} + +int sss_ldap_get_diagnostic_msg(TALLOC_CTX *mem_ctx, LDAP *ld, char **_errmsg) +{ + char *errmsg = NULL; + int optret; + + optret = ldap_get_option(ld, SDAP_DIAGNOSTIC_MESSAGE, (void*)&errmsg); + if (optret != LDAP_SUCCESS) { + return EINVAL; + } + + *_errmsg = talloc_strdup(mem_ctx, errmsg ? 
errmsg : "unknown error"); + ldap_memfree(errmsg); + if (*_errmsg == NULL) { + return ENOMEM; + } + return EOK; +} + +int sss_ldap_control_create(const char *oid, int iscritical, + struct berval *value, int dupval, + LDAPControl **ctrlp) +{ +#ifdef HAVE_LDAP_CONTROL_CREATE + return ldap_control_create(oid, iscritical, value, dupval, ctrlp); +#else + LDAPControl *lc = NULL; + + if (oid == NULL || ctrlp == NULL) { + return LDAP_PARAM_ERROR; + } + + lc = calloc(sizeof(LDAPControl), 1); + if (lc == NULL) { + return LDAP_NO_MEMORY; + } + + lc->ldctl_oid = strdup(oid); + if (lc->ldctl_oid == NULL) { + free(lc); + return LDAP_NO_MEMORY; + } + + if (value != NULL && value->bv_val != NULL) { + if (dupval == 0) { + lc->ldctl_value = *value; + } else { + ber_dupbv(&lc->ldctl_value, value); + if (lc->ldctl_value.bv_val == NULL) { + free(lc->ldctl_oid); + free(lc); + return LDAP_NO_MEMORY; + } + } + } + + lc->ldctl_iscritical = iscritical; + + *ctrlp = lc; + + return LDAP_SUCCESS; +#endif +} + +#ifdef HAVE_LDAP_INIT_FD + +#define LDAP_PROTO_TCP 1 /* ldap:// */ +#define LDAP_PROTO_UDP 2 /* reserved */ +#define LDAP_PROTO_IPC 3 /* ldapi:// */ +#define LDAP_PROTO_EXT 4 /* user-defined socket/sockbuf */ + +extern int ldap_init_fd(ber_socket_t fd, int proto, const char *url, LDAP **ld); + +static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq); +#endif + +struct sss_ldap_init_state { + LDAP *ldap; + int sd; + const char *uri; +}; + +static int sss_ldap_init_state_destructor(void *data) +{ + struct sss_ldap_init_state *state = (struct sss_ldap_init_state *)data; + + if (state->ldap) { + DEBUG(SSSDBG_TRACE_FUNC, + "calling ldap_unbind_ext for ldap:[%p] sd:[%d]\n", + state->ldap, state->sd); + ldap_unbind_ext(state->ldap, NULL, NULL); + } + if (state->sd != -1) { + DEBUG(SSSDBG_TRACE_FUNC, "closing socket [%d]\n", state->sd); + close(state->sd); + state->sd = -1; + } + + return 0; +} + + +struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context 
*ev, + const char *uri, + struct sockaddr_storage *addr, + int addr_len, int timeout) +{ + int ret = EOK; + struct tevent_req *req; + struct sss_ldap_init_state *state; + + req = tevent_req_create(mem_ctx, &state, struct sss_ldap_init_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + talloc_set_destructor((TALLOC_CTX *)state, sss_ldap_init_state_destructor); + + state->ldap = NULL; + state->sd = -1; + state->uri = uri; + +#ifdef HAVE_LDAP_INIT_FD + struct tevent_req *subreq; + + subreq = sssd_async_socket_init_send(state, ev, addr, addr_len, timeout); + if (subreq == NULL) { + ret = ENOMEM; + DEBUG(SSSDBG_CRIT_FAILURE, "sssd_async_socket_init_send failed.\n"); + goto fail; + } + + tevent_req_set_callback(subreq, sss_ldap_init_sys_connect_done, req); + return req; + +fail: + tevent_req_error(req, ret); +#else + DEBUG(SSSDBG_MINOR_FAILURE, "ldap_init_fd not available, " + "will use ldap_initialize with uri [%s].\n", uri); + ret = ldap_initialize(&state->ldap, uri); + if (ret == LDAP_SUCCESS) { + tevent_req_done(req); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_initialize failed [%s].\n", sss_ldap_err2string(ret)); + if (ret == LDAP_SERVER_DOWN) { + tevent_req_error(req, ETIMEDOUT); + } else { + tevent_req_error(req, EIO); + } + } +#endif + + tevent_req_post(req, ev); + return req; +} + +#ifdef HAVE_LDAP_INIT_FD +static errno_t unset_fcntl_flags(int fd, int fl_flags) +{ + errno_t ret; + int flags; + + flags = fcntl(fd, F_GETFL, 0); + if (flags == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fcntl F_GETFL failed [%s].\n", strerror(ret)); + return ret; + } + + /* unset flags */ + flags &= ~fl_flags; + + ret = fcntl(fd, F_SETFL, flags); + if (ret != EOK) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fcntl F_SETFL failed [%s].\n", strerror(ret)); + return ret; + } + + return EOK; +} + +static void sss_ldap_init_sys_connect_done(struct tevent_req *subreq) +{ + struct tevent_req *req = 
tevent_req_callback_data(subreq, + struct tevent_req); + struct sss_ldap_init_state *state = tevent_req_data(req, + struct sss_ldap_init_state); + char *tlserr; + int ret; + int lret; + int optret; + + ret = sssd_async_socket_init_recv(subreq, &state->sd); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sssd_async_socket_init request failed: [%d]: %s.\n", + ret, sss_strerror(ret)); + goto fail; + } + + ret = unset_fcntl_flags(state->sd, O_NONBLOCK); + if (ret != EOK) { + goto fail; + } + + /* Initialize LDAP handler */ + + lret = ldap_init_fd(state->sd, LDAP_PROTO_TCP, state->uri, &state->ldap); + if (lret != LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_init_fd failed: %s. [%d][%s]\n", + sss_ldap_err2string(lret), state->sd, state->uri); + ret = lret == LDAP_SERVER_DOWN ? ETIMEDOUT : EIO; + goto fail; + } + + if (ldap_is_ldaps_url(state->uri)) { + lret = ldap_install_tls(state->ldap); + if (lret != LDAP_SUCCESS) { + if (lret == LDAP_LOCAL_ERROR) { + DEBUG(SSSDBG_FUNC_DATA, "TLS/SSL already in place.\n"); + } else { + + optret = sss_ldap_get_diagnostic_msg(state, state->ldap, + &tlserr); + if (optret == LDAP_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_install_tls failed: [%s] [%s]\n", + sss_ldap_err2string(lret), tlserr); + sss_log(SSS_LOG_ERR, + "Could not start TLS encryption. %s", tlserr); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, + "ldap_install_tls failed: [%s]\n", + sss_ldap_err2string(lret)); + sss_log(SSS_LOG_ERR, "Could not start TLS encryption. 
" + "Check for certificate issues."); + } + + ret = EIO; + goto fail; + } + } + } + + tevent_req_done(req); + return; + +fail: + tevent_req_error(req, ret); +} +#endif + +int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd) +{ + struct sss_ldap_init_state *state = tevent_req_data(req, + struct sss_ldap_init_state); + TEVENT_REQ_RETURN_ON_ERROR(req); + + /* Everything went well therefore we do not want to release resources */ + talloc_set_destructor(state, NULL); + + *ldap = state->ldap; + *sd = state->sd; + + return EOK; +} + +/* + * _filter will contain combined filters from all possible search bases + * or NULL if it should be empty + */ + + +bool sss_ldap_dn_in_search_bases_len(TALLOC_CTX *mem_ctx, + const char *dn, + struct sdap_search_base **search_bases, + char **_filter, + int *_match_len) +{ + struct sdap_search_base *base; + int basedn_len, dn_len; + int len_diff; + int i, j; + bool base_confirmed = false; + bool comma_found = false; + bool backslash_found = false; + char *filter = NULL; + bool ret = false; + int match_len; + + if (dn == NULL) { + DEBUG(SSSDBG_FUNC_DATA, "dn is NULL\n"); + ret = false; + goto done; + } + + if (search_bases == NULL) { + DEBUG(SSSDBG_FUNC_DATA, "search_bases is NULL\n"); + ret = false; + goto done; + } + + dn_len = strlen(dn); + for (i = 0; search_bases[i] != NULL; i++) { + base = search_bases[i]; + basedn_len = strlen(base->basedn); + + if (basedn_len > dn_len) { + continue; + } + + len_diff = dn_len - basedn_len; + base_confirmed = (strncasecmp(&dn[len_diff], base->basedn, basedn_len) == 0); + if (!base_confirmed) { + continue; + } + match_len = basedn_len; + + switch (base->scope) { + case LDAP_SCOPE_BASE: + /* dn > base? 
*/ + if (len_diff != 0) { + continue; + } + break; + case LDAP_SCOPE_ONELEVEL: + if (len_diff == 0) { + /* Base object doesn't belong to scope=one + * search */ + continue; + } + + comma_found = false; + for (j = 0; j < len_diff - 1; j++) { /* ignore comma before base */ + if (dn[j] == '\\') { + backslash_found = true; + } else if (dn[j] == ',' && !backslash_found) { + comma_found = true; + break; + } else { + backslash_found = false; + } + } + + /* it has at least one more level */ + if (comma_found) { + continue; + } + + break; + case LDAP_SCOPE_SUBTREE: + /* dn length >= base dn length && base_confirmed == true */ + break; + default: + DEBUG(SSSDBG_FUNC_DATA, "Unsupported scope: %d\n", base->scope); + continue; + } + + /* + * If we get here, the dn is valid. + * If no filter is set, than return true immediately. + * Append filter otherwise. + */ + ret = true; + if (_match_len) { + *_match_len = match_len; + } + + if (base->filter == NULL || _filter == NULL) { + goto done; + } else { + filter = talloc_strdup_append(filter, base->filter); + if (filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup_append() failed\n"); + ret = false; + goto done; + } + } + } + + if (_filter != NULL) { + if (filter != NULL) { + *_filter = talloc_asprintf(mem_ctx, "(|%s)", filter); + if (*_filter == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "talloc_asprintf_append() failed\n"); + ret = false; + goto done; + } + } else { + *_filter = NULL; + } + } + +done: + talloc_free(filter); + return ret; +} + +bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, + const char *dn, + struct sdap_search_base **search_bases, + char **_filter) +{ + return sss_ldap_dn_in_search_bases_len(mem_ctx, dn, search_bases, _filter, + NULL); +} + +char *sss_ldap_encode_ndr_uint32(TALLOC_CTX *mem_ctx, uint32_t flags) +{ + char hex[9]; /* 4 bytes in hex + terminating zero */ + errno_t ret; + + ret = snprintf(hex, 9, "%08x", flags); + if (ret != 8) { + return NULL; + } + + return talloc_asprintf(mem_ctx, 
"\\%c%c\\%c%c\\%c%c\\%c%c", + hex[6], hex[7], hex[4], hex[5], + hex[2], hex[3], hex[0], hex[1]); +} diff --git a/src/util/sss_ldap.h b/src/util/sss_ldap.h new file mode 100644 index 0000000..4172da3 --- /dev/null +++ b/src/util/sss_ldap.h 
@@ -0,0 +1,99 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSS_LDAP_H__ +#define __SSS_LDAP_H__ + +#include +#include +#include +#include +#include + +#ifndef LDAP_CONTROL_PWEXPIRED +#define LDAP_CONTROL_PWEXPIRED "2.16.840.1.113730.3.4.4" +#endif + +#ifndef LDAP_CONTROL_PWEXPIRING +#define LDAP_CONTROL_PWEXPIRING "2.16.840.1.113730.3.4.5" +#endif + +#ifdef LDAP_OPT_DIAGNOSTIC_MESSAGE +#define SDAP_DIAGNOSTIC_MESSAGE LDAP_OPT_DIAGNOSTIC_MESSAGE +#else +#ifdef LDAP_OPT_ERROR_STRING +#define SDAP_DIAGNOSTIC_MESSAGE LDAP_OPT_ERROR_STRING +#else +#error No extended diagnostic message available +#endif +#endif + +const char* sss_ldap_err2string(int err); + +int sss_ldap_get_diagnostic_msg(TALLOC_CTX *mem_ctx, + LDAP *ld, + char **_errmsg); + +#ifndef LDAP_SERVER_ASQ_OID +#define LDAP_SERVER_ASQ_OID "1.2.840.113556.1.4.1504" +#endif /* LDAP_SERVER_ASQ_OID */ + +#ifndef LDAP_SERVER_SD_OID +#define LDAP_SERVER_SD_OID "1.2.840.113556.1.4.801" +#endif /* LDAP_SERVER_SD_OID */ + + +/* + * The following four flags specify which security descriptor parts to retrieve + * during sd_search (see http://msdn.microsoft.com/en-us/library/aa366987.aspx) + */ +#define SECINFO_OWNER ( 0x00000001 ) +#define SECINFO_GROUP ( 0x00000002 ) +#define SECINFO_DACL ( 0x00000004 ) +#define SECINFO_SACL ( 0x00000008 ) + +int sss_ldap_control_create(const char *oid, int 
iscritical, + struct berval *value, int dupval, + LDAPControl **ctrlp); + +struct tevent_req *sss_ldap_init_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + const char *uri, + struct sockaddr_storage *addr, + int addr_len, int timeout); + +int sss_ldap_init_recv(struct tevent_req *req, LDAP **ldap, int *sd); + +struct sdap_options; +struct sdap_search_base; +bool sss_ldap_dn_in_search_bases(TALLOC_CTX *mem_ctx, + const char *dn, + struct sdap_search_base **search_bases, + char **_filter); + +bool sss_ldap_dn_in_search_bases_len(TALLOC_CTX *mem_ctx, + const char *dn, + struct sdap_search_base **search_bases, + char **_filter, + int *_match_len); + +char *sss_ldap_encode_ndr_uint32(TALLOC_CTX *mem_ctx, uint32_t flags); + +#endif /* __SSS_LDAP_H__ */ diff --git a/src/util/sss_log.c b/src/util/sss_log.c new file mode 100644 index 0000000..48e73db --- /dev/null +++ b/src/util/sss_log.c 
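Review bot: The declaration of `sss_ldap_init_recv` does not say who owns the results, although in sss_ldap.c a successful call disarms the state destructor with `talloc_set_destructor(state, NULL)`, and that destructor is the only visible place that calls `ldap_unbind_ext` and `close`. I would document this on the prototype, for example `/* On EOK the caller takes over *ldap and *sd and must release them; on error they stay owned by the request. */`. The declaration of `sss_ldap_dn_in_search_bases_len` would also benefit from a line noting that both `_filter` and `_match_len` may be NULL, which is what the implementation checks for.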
@@ -0,0 +1,132 @@ +/* + SSSD + + sss_log.c + + Authors: + Stephen Gallagher + + Copyright (C) 2010 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" + +#ifdef WITH_JOURNALD +#include +#else /* WITH_JOURNALD */ +#include +#endif /* WITH_JOURNALD */ + +static int sss_to_syslog(int priority) +{ + switch(priority) { + case SSS_LOG_EMERG: + return LOG_EMERG; + case SSS_LOG_ALERT: + return LOG_ALERT; + case SSS_LOG_CRIT: + return LOG_CRIT; + case SSS_LOG_ERR: + return LOG_ERR; + case SSS_LOG_WARNING: + return LOG_WARNING; + case SSS_LOG_NOTICE: + return LOG_NOTICE; + case SSS_LOG_INFO: + return LOG_INFO; + case SSS_LOG_DEBUG: + return LOG_DEBUG; + default: + /* If we've been passed an invalid priority, it's + * best to assume it's an emergency. + */ + return LOG_EMERG; + } +} + +static void sss_log_internal(int priority, int facility, const char *format, + va_list ap); + +void sss_log(int priority, const char *format, ...) +{ + va_list ap; + + va_start(ap, format); + sss_log_internal(priority, LOG_DAEMON, format, ap); + va_end(ap); +} + +void sss_log_ext(int priority, int facility, const char *format, ...) 
+{ + va_list ap; + + va_start(ap, format); + sss_log_internal(priority, facility, format, ap); + va_end(ap); +} + + + +#ifdef WITH_JOURNALD + +static void sss_log_internal(int priority, int facility, const char *format, + va_list ap) +{ + int syslog_priority; + int ret; + char *message; + const char *domain; + + ret = vasprintf(&message, format, ap); + + if (ret == -1) { + /* ENOMEM */ + return; + } + + domain = getenv(SSS_DOM_ENV); + if (domain == NULL) { + domain = ""; + } + + syslog_priority = sss_to_syslog(priority); + sd_journal_send("MESSAGE=%s", message, + "SSSD_DOMAIN=%s", domain, + "PRIORITY=%i", syslog_priority, + "SYSLOG_FACILITY=%i", LOG_FAC(facility), + "SYSLOG_IDENTIFIER=%s", debug_prg_name, + NULL); + + free(message); +} + +#else /* WITH_JOURNALD */ + +static void sss_log_internal(int priority, int facility, const char *format, + va_list ap) +{ + int syslog_priority; + + syslog_priority = sss_to_syslog(priority); + + openlog(debug_prg_name, 0, facility); + + vsyslog(syslog_priority, format, ap); + + closelog(); +} + +#endif /* WITH_JOURNALD */ diff --git a/src/util/sss_nss.c b/src/util/sss_nss.c new file mode 100644 index 0000000..cf91a2c --- /dev/null +++ b/src/util/sss_nss.c 
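Review bot: In the `WITH_JOURNALD` variant of `sss_log_internal` the result of `sd_journal_send` is discarded and a failed `vasprintf` simply returns. A message that could not be delivered therefore disappears without a trace, including the `SSS_LOG_CRIT` ones raised elsewhere in this patch. I would keep the result, `ret = sd_journal_send(...);`, and report a failure on the debug channel with `if (ret != 0) { DEBUG(SSSDBG_MINOR_FAILURE, "sd_journal_send failed [%d]\n", ret); }`, assuming `DEBUG` does not itself route back into `sss_log`. The same one-line `DEBUG` would fit the `vasprintf` failure branch, which currently only carries the comment `/* ENOMEM */`.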
@@ -0,0 +1,221 @@ +/* + SSSD + + Utility functions related to ID information + + Copyright (C) Jan Zeleny 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/sss_nss.h" + +char *expand_homedir_template(TALLOC_CTX *mem_ctx, + const char *template, + bool case_sensitive, + struct sss_nss_homedir_ctx *homedir_ctx) +{ + char *copy; + char *p; + char *n; + char *result = NULL; + char *res = NULL; + TALLOC_CTX *tmp_ctx = NULL; + const char *orig = NULL; + char *username = NULL; + + if (template == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing template.\n"); + return NULL; + } + + if (homedir_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Missing home directory data.\n"); + return NULL; + } + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) return NULL; + + copy = talloc_strdup(tmp_ctx, template); + if (copy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + goto done; + } + + result = talloc_strdup(tmp_ctx, ""); + if (result == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_strdup failed.\n"); + goto done; + } + + p = copy; + while ( (n = strchr(p, '%')) != NULL) { + *n = '\0'; + n++; + if ( *n == '\0' ) { + DEBUG(SSSDBG_CRIT_FAILURE, "format error, single %% at the end of " + "the template.\n"); + goto done; + } + switch( *n ) { + case 'u': + if (homedir_ctx->username == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand user name template because user name " + 
"is empty.\n"); + goto done; + } + username = sss_output_name(tmp_ctx, homedir_ctx->username, + case_sensitive, 0); + if (username == NULL) { + goto done; + } + + result = talloc_asprintf_append(result, "%s%s", p, username); + talloc_free(username); + break; + + case 'l': + if (homedir_ctx->username == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand first letter of user name template " + "because user name is empty.\n"); + goto done; + } + username = sss_output_name(tmp_ctx, homedir_ctx->username, + case_sensitive, 0); + if (username == NULL) { + goto done; + } + + result = talloc_asprintf_append(result, "%s%c", p, username[0]); + talloc_free(username); + break; + + case 'U': + if (homedir_ctx->uid == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand uid template " + "because uid is invalid.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%d", p, + homedir_ctx->uid); + break; + + case 'd': + if (homedir_ctx->domain == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand domain name " + "template because domain name " + "is empty.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, + homedir_ctx->domain); + break; + + case 'f': + if (homedir_ctx->domain == NULL + || homedir_ctx->username == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand fully qualified " + "name template because domain " + "or user name is empty.\n"); + goto done; + } + username = sss_output_name(tmp_ctx, homedir_ctx->username, + case_sensitive, 0); + if (username == NULL) { + goto done; + } + + result = talloc_asprintf_append(result, "%s%s@%s", p, + username, homedir_ctx->domain); + talloc_free(username); + break; + + case 'o': + if (homedir_ctx->original == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Original home directory for %s is not available, " + "using empty string\n", homedir_ctx->username); + orig = ""; + } else { + orig = homedir_ctx->original; + } + result = talloc_asprintf_append(result, "%s%s", p, orig); + break; + + case 'F': + if 
(homedir_ctx->flatname == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot expand domain name " + "template because domain flat " + "name is empty.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, + homedir_ctx->flatname); + break; + + case 'H': + if (homedir_ctx->config_homedir_substr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand home directory substring template " + "substring is empty.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, + homedir_ctx->config_homedir_substr); + break; + + case 'P': + if (homedir_ctx->upn == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot expand user principal name template " + "string is empty.\n"); + goto done; + } + result = talloc_asprintf_append(result, "%s%s", p, + homedir_ctx->upn); + break; + + case '%': + result = talloc_asprintf_append(result, "%s%%", p); + break; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, "format error, unknown template " + "[%%%c].\n", *n); + goto done; + } + + if (result == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); + goto done; + } + + p = n + 1; + } + + result = talloc_asprintf_append(result, "%s", p); + if (result == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf_append failed.\n"); + goto done; + } + + res = talloc_move(mem_ctx, &result); +done: + talloc_zfree(tmp_ctx); + return res; +} diff --git a/src/util/sss_nss.h b/src/util/sss_nss.h new file mode 100644 index 0000000..2b8a5ae --- /dev/null +++ b/src/util/sss_nss.h 
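Review bot: The `'U'` case of `expand_homedir_template` formats `homedir_ctx->uid` with `%d`, but sss_nss.h in this same commit declares the field as `uint32_t`, so any UID above `INT_MAX` would be rendered as a negative number in the home directory path. Use an unsigned conversion, for example `result = talloc_asprintf_append(result, "%s%" PRIu32, p, homedir_ctx->uid);` (whether `<inttypes.h>` is already pulled in by util.h is not visible here). The `'l'` case appends `username[0]` without checking for an empty name, which would embed a NUL and cut the result short. The substituted values (`username`, `domain`, `original`, `upn`) are also appended as-is, so a `/` or `..` component inside them ends up in the path; if callers do not already validate them, a check here or a comment stating that expectation would help.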
@@ -0,0 +1,42 @@ +/* + SSSD + + Utility functions related to ID information + + Copyright (C) Jan Zeleny 2012 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSS_NSS_H__ +#define __SSS_NSS_H__ + +#include +#include +#include + +struct sss_nss_homedir_ctx { + const char *username; + uint32_t uid; + const char *original; + const char *domain; + const char *flatname; + const char *config_homedir_substr; + const char *upn; +}; + +char *expand_homedir_template(TALLOC_CTX *mem_ctx, const char *template, + bool case_sensitive, + struct sss_nss_homedir_ctx *homedir_ctx); +#endif diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c new file mode 100644 index 0000000..0f884c8 --- /dev/null +++ b/src/util/sss_ptr_hash.c 
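Review bot: `expand_homedir_template` is declared without any comment, so the accepted template sequences and the ownership of the result can only be learned by reading sss_nss.c. A header comment would cover it, along the lines of `/* Expands %u %l %U %d %f %o %F %H %P and %% in template; returns a string owned by mem_ctx, or NULL on error or on an unknown sequence. */`. The guard name `__SSS_NSS_H__` contains a double underscore, which is reserved for the implementation; `SSS_NSS_H_` avoids that.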
@@ -0,0 +1,375 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include + +#include "util/util.h" +#include "util/sss_ptr_hash.h" + +static bool sss_ptr_hash_check_type(void *ptr, const char *type) +{ + void *type_ptr; + + type_ptr = talloc_check_name(ptr, type); + if (type_ptr == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid data type detected. Expected [%s], got [%s].\n", + type, talloc_get_name(ptr)); + return false; + } + + return true; +} + +struct sss_ptr_hash_delete_data { + hash_delete_callback *callback; + void *pvt; +}; + +struct sss_ptr_hash_value { + struct sss_ptr_hash_spy *spy; + void *ptr; +}; + +struct sss_ptr_hash_spy { + struct sss_ptr_hash_value *value; + hash_table_t *table; + const char *key; +}; + +static int +sss_ptr_hash_spy_destructor(struct sss_ptr_hash_spy *spy) +{ + spy->value->spy = NULL; + spy->value->ptr = NULL; + + /* This results in removing entry from hash table and freeing the value. 
*/ + sss_ptr_hash_delete(spy->table, spy->key, false); + return 0; +} + +static struct sss_ptr_hash_spy * +sss_ptr_hash_spy_create(TALLOC_CTX *mem_ctx, + hash_table_t *table, + const char *key, + struct sss_ptr_hash_value *value) +{ + struct sss_ptr_hash_spy *spy; + + spy = talloc_zero(mem_ctx, struct sss_ptr_hash_spy); + if (spy == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + return NULL; + } + + spy->key = talloc_strdup(spy, key); + if (spy->key == NULL) { + talloc_free(spy); + return NULL; + } + + spy->table = table; + spy->value = value; + talloc_set_destructor(spy, sss_ptr_hash_spy_destructor); + + return spy; +} + +static int +sss_ptr_hash_value_destructor(struct sss_ptr_hash_value *value) +{ + if (value->spy != NULL) { + /* Disable spy destructor and free it. */ + talloc_set_destructor(value->spy, NULL); + talloc_zfree(value->spy); + } + + return 0; +} + +static struct sss_ptr_hash_value * +sss_ptr_hash_value_create(hash_table_t *table, + const char *key, + void *talloc_ptr) +{ + struct sss_ptr_hash_value *value; + + value = talloc_zero(table, struct sss_ptr_hash_value); + if (value == NULL) { + return NULL; + } + + value->spy = sss_ptr_hash_spy_create(talloc_ptr, table, key, value); + if (value->spy == NULL) { + talloc_free(value); + return NULL; + } + + value->ptr = talloc_ptr; + talloc_set_destructor(value, sss_ptr_hash_value_destructor); + + return value; +} + +static void +sss_ptr_hash_delete_cb(hash_entry_t *item, + hash_destroy_enum deltype, + void *pvt) +{ + struct sss_ptr_hash_delete_data *data; + struct sss_ptr_hash_value *value; + void *ptr; + + data = talloc_get_type(pvt, struct sss_ptr_hash_delete_data); + if (data == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid data!\n"); + return; + } + + value = talloc_get_type(item->value.ptr, struct sss_ptr_hash_value); + if (value == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value!\n"); + return; + } + + ptr = value->ptr; + + /* Free value. 
*/ + talloc_free(value); + + /* Switch to the input value and call custom callback. */ + if (data->callback != NULL) { + item->value.ptr = ptr; + data->callback(item, deltype, data->pvt); + } +} + +hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, + hash_delete_callback *del_cb, + void *del_cb_pvt) +{ + struct sss_ptr_hash_delete_data *data; + hash_table_t *table; + errno_t ret; + + data = talloc_zero(NULL, struct sss_ptr_hash_delete_data); + if (data == NULL) { + return NULL; + } + + data->callback = del_cb; + data->pvt = del_cb_pvt; + + ret = sss_hash_create_ex(mem_ctx, 10, &table, 0, 0, 0, 0, + sss_ptr_hash_delete_cb, data); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create hash table [%d]: %s\n", + ret, sss_strerror(ret)); + talloc_free(data); + return NULL; + } + + talloc_steal(table, data); + + return table; +} + +errno_t _sss_ptr_hash_add(hash_table_t *table, + const char *key, + void *talloc_ptr, + const char *type, + bool override) +{ + struct sss_ptr_hash_value *value; + hash_value_t table_value; + hash_key_t table_key; + int hret; + + if (table == NULL || key == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid input!\n"); + return EINVAL; + } + + if (!sss_ptr_hash_check_type(talloc_ptr, type)) { + return ERR_INVALID_DATA_TYPE; + } + + value = sss_ptr_hash_value_create(table, key, talloc_ptr); + if (value == NULL) { + return ENOMEM; + } + + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, key); + + table_value.type = HASH_VALUE_PTR; + table_value.ptr = value; + + if (override == false && hash_has_key(table, &table_key)) { + return EEXIST; + } + + hret = hash_enter(table, &table_key, &table_value); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to add key %s!\n", key); + talloc_free(value); + return EIO; + } + + return EOK; +} + +static struct sss_ptr_hash_value * +sss_ptr_hash_lookup_internal(hash_table_t *table, + const char *key) +{ + hash_value_t table_value; + hash_key_t table_key; + int 
hret; + + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, key); + + hret = hash_lookup(table, &table_key, &table_value); + if (hret == HASH_ERROR_KEY_NOT_FOUND) { + return NULL; + } else if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to search hash table [%d]\n", hret); + return NULL; + } + + /* Check value type. */ + if (table_value.type != HASH_VALUE_PTR) { + DEBUG(SSSDBG_CRIT_FAILURE, "Invalid value type found: %d\n", + table_value.type); + return NULL; + } + + if (!sss_ptr_hash_check_type(table_value.ptr, "struct sss_ptr_hash_value")) { + return NULL; + } + + return table_value.ptr; +} + +void *_sss_ptr_hash_lookup(hash_table_t *table, + const char *key, + const char *type) +{ + struct sss_ptr_hash_value *value; + + value = sss_ptr_hash_lookup_internal(table, key); + if (value == NULL || value->ptr == NULL) { + return NULL; + } + + if (!sss_ptr_hash_check_type(value->ptr, type)) { + return NULL; + } + + return value->ptr; +} + +void sss_ptr_hash_delete(hash_table_t *table, + const char *key, + bool free_value) +{ + struct sss_ptr_hash_value *value; + hash_key_t table_key; + int hret; + void *ptr; + + if (table == NULL || key == NULL) { + return; + } + + value = sss_ptr_hash_lookup_internal(table, key); + if (value == NULL) { + /* Value not found. */ + return; + } + + ptr = value->ptr; + + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, key); + + /* Delete table entry. This will free value and spy in delete callback. */ + hret = hash_delete(table, &table_key); + if (hret != HASH_SUCCESS && hret != HASH_ERROR_KEY_NOT_FOUND) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to remove key from table [%d]\n", + hret); + } + + /* Also free the original value if requested. 
*/ + if (free_value) { + talloc_free(ptr); + } + + return; +} + +void sss_ptr_hash_delete_all(hash_table_t *table, + bool free_values) +{ + struct sss_ptr_hash_value *value; + hash_value_t *values; + unsigned long count; + unsigned long i; + int hret; + void *ptr; + + if (table == NULL) { + return; + } + + hret = hash_values(table, &count, &values); + if (hret != HASH_SUCCESS) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to get values [%d]\n", hret); + return; + } + + for (i = 0; i < count; i++) { + value = values[i].ptr; + ptr = value->ptr; + + /* This will remove the entry from hash table and free value. */ + talloc_free(value->spy); + + if (free_values) { + /* Also free the original value. */ + talloc_free(ptr); + } + } + + return; +} + +bool sss_ptr_hash_has_key(hash_table_t *table, + const char *key) +{ + hash_key_t table_key; + + table_key.type = HASH_KEY_STRING; + table_key.str = discard_const_p(char, key); + + return hash_has_key(table, &table_key); +} diff --git a/src/util/sss_ptr_hash.h b/src/util/sss_ptr_hash.h new file mode 100644 index 0000000..510b954 --- /dev/null +++ b/src/util/sss_ptr_hash.h 
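Review bot: In `_sss_ptr_hash_add` the `EEXIST` return leaves the freshly created `value` and its spy alive, because `sss_ptr_hash_value_create()` runs before the `hash_has_key()` check and nothing frees the result on that path. The spy is parented to `talloc_ptr` with its destructor armed, so when that pointer is freed later the destructor calls `sss_ptr_hash_delete(spy->table, spy->key, false)` and removes the entry that another object holds under the same key. Either do the existence check before creating the value, or release it on the early return: `if (override == false && hash_has_key(table, &table_key)) { talloc_free(value); return EEXIST; }`. Separately, `sss_ptr_hash_delete_all` never releases the `values` array returned by `hash_values()` and dereferences `values[i].ptr` without the type check that `sss_ptr_hash_lookup_internal` applies. Whether that array is reclaimed together with the table depends on the allocator set up in `sss_hash_create_ex`, which is outside this hunk.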
@@ -0,0 +1,117 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _SSS_PTR_HASH_H_ +#define _SSS_PTR_HASH_H_ + +#include +#include + +/** + * Create a new hash table with string key and talloc pointer value with + * possible delete callback. + */ +hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx, + hash_delete_callback *del_cb, + void *del_cb_pvt); + +/** + * Add a new value @talloc_ptr of type @type into the table. + * + * If the @key already exist in the table and @override is true, + * the value is overridden. Otherwise EEXIST error is returned. + * + * If talloc_ptr is freed the key and value are automatically + * removed from the hash table. + * + * @return EOK If the <@key, @talloc_ptr> pair was inserted. + * @return EEXIST If @key already exists and @override is false. + * @return Other errno code in case of an error. + */ +errno_t _sss_ptr_hash_add(hash_table_t *table, + const char *key, + void *talloc_ptr, + const char *type, + bool override); + +/** + * Add a new value @talloc_ptr of type @type into the table. + * + * If talloc_ptr is freed the key and value are automatically + * removed from the hash table. + * + * @return EOK If the <@key, @talloc_ptr> pair was inserted. + * @return EEXIST If @key already exists. + * @return Other errno code in case of an error. 
+ */ +#define sss_ptr_hash_add(table, key, talloc_ptr, type) \ + _sss_ptr_hash_add(table, key, talloc_ptr, #type, false) + +/** + * Add a new value @talloc_ptr of type @type into the table. + * + * If the @key already exists in the table, its value is + * overridden. If talloc_ptr is freed the key and value + * are automatically removed from the hash table. + * + * @return EOK If the <@key, @talloc_ptr> pair was inserted. + * @return Other errno code in case of an error. + */ +#define sss_ptr_hash_add_or_override(table, key, talloc_ptr, type) \ + _sss_ptr_hash_add(table, key, talloc_ptr, #type, true) + +void *_sss_ptr_hash_lookup(hash_table_t *table, + const char *key, + const char *type); + +/** + * Lookup @key in the table and return its value as typed to @type. + * The type of the value must match with @type, otherwise NULL is returned. + * + * @return talloc_ptr If the value is found as type matches. + * @return NULL If the value is not found or if the type is invalid. + */ +#define sss_ptr_hash_lookup(table, key, type) \ + (type *)_sss_ptr_hash_lookup(table, key, #type) + +/** + * Delete @key from table. If @free_value is true then also the value + * associated with @key is freed, otherwise it is left intact. + */ +void sss_ptr_hash_delete(hash_table_t *table, + const char *key, + bool free_value); + +/** + * Delete all keys from the table. If @free_value sis true then also + * the values associated with those keys are reed, otherwise + * they are left intact. + */ +void sss_ptr_hash_delete_all(hash_table_t *table, + bool free_values); + +/** + * @return true If @key is present in the table. + * @return false Otherwise. + */ +bool sss_ptr_hash_has_key(hash_table_t *table, + const char *key); + +#endif /* _SSS_PTR_HASH_H_ */ diff --git a/src/util/sss_python.c b/src/util/sss_python.c new file mode 100644 index 0000000..0e2f971 --- /dev/null +++ b/src/util/sss_python.c 
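Review bot: The doc comment on `sss_ptr_hash_delete_all` contains two typos ("sis true", "are reed") and refers to `@free_value` although the prototype's parameter is `free_values`; it should read `If @free_values is true then also the values associated with those keys are freed`. The comments on `sss_ptr_hash_add`, `sss_ptr_hash_add_or_override` and `sss_ptr_hash_lookup` should also state that `type` is stringified with `#type` and compared against the talloc name of the pointer. The spelling passed to the macro must therefore match the one used when the object was allocated, otherwise the add or lookup is rejected as an invalid data type.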
@@ -0,0 +1,56 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "src/util/sss_python.h" + +PyObject * +sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict) +{ +#if PY_VERSION_HEX >= 0x02070000 + return PyErr_NewExceptionWithDoc(name, doc, base, dict); +#else + int result; + PyObject *ret = NULL; + PyObject *mydict = NULL; /* points to the dict only if we create it */ + PyObject *docobj; + + if (dict == NULL) { + dict = mydict = PyDict_New(); + if (dict == NULL) { + return NULL; + } + } + + if (doc != NULL) { + docobj = PyString_FromString(doc); + if (docobj == NULL) + goto failure; + result = PyDict_SetItemString(dict, "__doc__", docobj); + Py_DECREF(docobj); + if (result < 0) + goto failure; + } + + ret = PyErr_NewException(name, base, dict); + failure: + Py_XDECREF(mydict); + return ret; +#endif +} diff --git a/src/util/sss_python.h b/src/util/sss_python.h new file mode 100644 index 0000000..26ecd71 --- /dev/null +++ b/src/util/sss_python.h 
@@ -0,0 +1,54 @@ +#ifndef __SSS_PYTHON_H__ +#define __SSS_PYTHON_H__ + +#include "config.h" + +#include +#include + +#include "util/util.h" + +#if PY_VERSION_HEX < 0x02050000 +#define sss_py_const_p(type, value) discard_const_p(type, (value)) +#else +#define sss_py_const_p(type, value) (value) +#endif + +#if PY_MAJOR_VERSION >= 3 +#define IS_PY3K +#define MODINITERROR return NULL +#define PYNUMBER_CHECK(what) PyLong_Check(what) +#define PYNUMBER_FROMLONG(what) PyLong_FromLong(what) +#define PYNUMBER_ASLONG(what) PyLong_AsLong(what) +#else +#include +#define MODINITERROR return +#define PYNUMBER_CHECK(what) PyInt_Check(what) +#define PYNUMBER_FROMLONG(what) PyInt_FromLong(what) +#define PYNUMBER_ASLONG(what) PyInt_AsLong(what) +#endif + +/* Exceptions compatibility */ +PyObject * +sss_exception_with_doc(char *name, char *doc, PyObject *base, PyObject *dict); + +/* Convenience macros */ +#define TYPE_READY(module, type, name) do { \ + if (PyType_Ready(&type) < 0) { \ + MODINITERROR; \ + } \ + Py_INCREF(&type); \ + PyModule_AddObject(module, \ + discard_const_p(char, name), \ + (PyObject *) &type); \ +} while(0) \ + +#define SAFE_SET(old, new) do { \ + PyObject *__simple_set_tmp = NULL; \ + __simple_set_tmp = old; \ + Py_INCREF(new); \ + old = new; \ + Py_XDECREF(__simple_set_tmp); \ +} while(0) + +#endif /* __SSS_PYTHON_H__ */ diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c new file mode 100644 index 0000000..165aeca --- /dev/null +++ b/src/util/sss_selinux.c 
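Review bot: `TYPE_READY` ignores the result of `PyModule_AddObject()`, so a failed registration goes unnoticed and the reference taken by `Py_INCREF(&type)` is never dropped, since that call only steals the reference on success. Checking it stops module initialisation from continuing with a half-registered type: `if (PyModule_AddObject(module, discard_const_p(char, name), (PyObject *) &type) < 0) { Py_DECREF(&type); MODINITERROR; }`. `SAFE_SET` evaluates `new` twice and names its temporary `__simple_set_tmp`, an identifier reserved for the implementation. A comment that both arguments must be free of side effects, plus a rename of the temporary, would be enough. The stray `\` after `while(0)` in `TYPE_READY` continues the macro onto the following line and should be dropped.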
@@ -0,0 +1,255 @@ +/* + SSSD + + SELinux-related utility functions + + Authors: + Jan Zeleny + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/sss_selinux.h" +#include "util/sss_utf8.h" +#include "db/sysdb_selinux.h" + +static bool match_entity(struct ldb_message_element *values, + struct ldb_message_element *sought_values) +{ + int i, j; + + for (i = 0; i < values->num_values; i++) { + for (j = 0; j < sought_values->num_values; j++) { + if (values->values[i].length != sought_values->values[j].length) { + continue; + } + + if (strncasecmp((char *)values->values[i].data, + (char *)sought_values->values[j].data, + values->values[i].length) == 0) + return true; + } + } + + return false; +} + +bool sss_selinux_match(struct sysdb_attrs *usermap, + struct sysdb_attrs *user, + struct sysdb_attrs *host, + uint32_t *_priority) +{ + struct ldb_message_element *users_el = NULL; + struct ldb_message_element *usercat = NULL; + struct ldb_message_element *hosts_el = NULL; + struct ldb_message_element *hostcat = NULL; + struct ldb_message_element *dn; + struct ldb_message_element *memberof; + int i; + uint32_t priority = 0; + bool matched_name; + bool matched_group; + bool matched_category; + errno_t ret; + + if (usermap == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "NULL given as usermap! 
Skipping ...\n"); + return false; + } + + /* Search for user and host related elements */ + for (i = 0; i < usermap->num; i++) { + if (!strcasecmp(usermap->a[i].name, SYSDB_ORIG_MEMBER_USER)) { + users_el = &usermap->a[i]; + } else if (!strcasecmp(usermap->a[i].name, SYSDB_ORIG_MEMBER_HOST)) { + hosts_el = &usermap->a[i]; + } else if (!strcasecmp(usermap->a[i].name, SYSDB_USER_CATEGORY)) { + usercat = &usermap->a[i]; + } else if (!strcasecmp(usermap->a[i].name, SYSDB_HOST_CATEGORY)) { + hostcat = &usermap->a[i]; + } + } + + if (user) { + ret = sysdb_attrs_get_el(user, SYSDB_ORIG_DN, &dn); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "User does not have origDN\n"); + return false; + } + ret = sysdb_attrs_get_el(user, SYSDB_ORIG_MEMBEROF, &memberof); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_ALL, + "User does not have orig memberof, " + "therefore it can't match to any rule\n"); + return false; + } + + /** + * The rule won't match if user category != "all" and user map doesn't + * contain neither user nor any of his groups in memberUser attribute + */ + matched_category = false; + if (usercat != NULL) { + for (i = 0; i < usercat->num_values; i++) { + if (strcasecmp((char *)usercat->values[i].data, "all") == 0) { + matched_category = true; + break; + } + } + } + + if (!matched_category) { + if (users_el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No users specified in the rule!\n"); + return false; + } else { + matched_name = match_entity(users_el, dn); + matched_group = match_entity(users_el, memberof); + if (matched_name) { + priority |= SELINUX_PRIORITY_USER_NAME; + } else if (matched_group) { + priority |= SELINUX_PRIORITY_USER_GROUP; + } else { + DEBUG(SSSDBG_TRACE_ALL, "User did not match\n"); + return false; + } + } + } else { + priority |= SELINUX_PRIORITY_USER_CAT; + } + } + + if (host) { + ret = sysdb_attrs_get_el(host, SYSDB_ORIG_DN, &dn); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Host does not have origDN\n"); + return false; + } + ret = 
sysdb_attrs_get_el(host, SYSDB_ORIG_MEMBEROF, &memberof); + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_ALL, + "Host does not have orig memberof, " + "therefore it can't match to any rule\n"); + return false; + } + + /** + * The rule won't match if host category != "all" and user map doesn't + * contain neither host nor any of its groups in memberHost attribute + */ + matched_category = false; + if (hostcat != NULL) { + for (i = 0; i < hostcat->num_values; i++) { + if (strcasecmp((char *)hostcat->values[i].data, "all") == 0) { + matched_category = true; + break; + } + } + } + if (!matched_category) { + if (hosts_el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "No users specified in the rule!\n"); + return false; + } else { + matched_name = match_entity(hosts_el, dn); + matched_group = match_entity(hosts_el, memberof); + if (matched_name) { + priority |= SELINUX_PRIORITY_HOST_NAME; + } else if (matched_group) { + priority |= SELINUX_PRIORITY_HOST_GROUP; + } else { + DEBUG(SSSDBG_TRACE_ALL, "Host did not match\n"); + return false; + } + } + } else { + priority |= SELINUX_PRIORITY_HOST_CAT; + } + } + + if (_priority != NULL) { + *_priority = priority; + } + + return true; +} + +errno_t sss_selinux_extract_user(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *username, + struct sysdb_attrs **_user_attrs) +{ + TALLOC_CTX *tmp_ctx; + const char **attrs; + struct sysdb_attrs *user_attrs; + struct ldb_message *user_msg; + + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + attrs = talloc_array(tmp_ctx, const char *, 3); + if (attrs == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); + ret = ENOMEM; + goto done; + } + attrs[0] = SYSDB_ORIG_DN; + attrs[1] = SYSDB_ORIG_MEMBEROF; + attrs[2] = NULL; + + ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, + &user_msg); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed.\n"); + goto done; + } + + user_attrs = 
talloc_zero(tmp_ctx, struct sysdb_attrs); + if (user_attrs == NULL) { + ret = ENOMEM; + goto done; + } + user_attrs->a = talloc_steal(user_attrs, user_msg->elements); + user_attrs->num = user_msg->num_elements; + + *_user_attrs = talloc_steal(mem_ctx, user_attrs); + ret = EOK; + +done: + talloc_free(tmp_ctx); + return ret; +} + +const char *sss_selinux_map_get_seuser(struct sysdb_attrs *usermap) +{ + int i; + const uint8_t *name; + const uint8_t *template = (const uint8_t *)SYSDB_SELINUX_USER; + + for (i = 0; i < usermap->num; i++) { + name = (const uint8_t *)usermap->a[i].name; + if (sss_utf8_case_eq(name, template) == 0) { + return (const char *)usermap->a[i].values[0].data; + } + } + + return NULL; +} diff --git a/src/util/sss_selinux.h b/src/util/sss_selinux.h new file mode 100644 index 0000000..8821e73 --- /dev/null +++ b/src/util/sss_selinux.h 
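Review bot: `sss_selinux_map_get_seuser` returns `usermap->a[i].values[0].data` without checking that the matching element has any values, and it dereferences `usermap` without the NULL check that `sss_selinux_match` performs. An SELinux user attribute that is present but empty would therefore be read past the end of `values`. Guard it before the return with `if (usermap->a[i].num_values == 0) { return NULL; }`, and add `if (usermap == NULL) { return NULL; }` at the top. In the host branch of `sss_selinux_match` the message for `hosts_el == NULL` still says `"No users specified in the rule!\n"`, which will mislead anyone debugging a rule that failed to match; it should say hosts. `match_entity` and both category loops compare `int` indices with `num_values`, which is unsigned in ldb, so `unsigned int i, j;` would avoid the signed/unsigned comparison.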
@@ -0,0 +1,54 @@ +/* + SSSD + + SELinux-related utility functions + + Authors: + Jan Zeleny + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_SELINUX_H_ +#define SSS_SELINUX_H_ + +#include +#include + +#include + +#define SELINUX_PRIORITY_USER_CAT 1 +#define SELINUX_PRIORITY_USER_GROUP 2 +#define SELINUX_PRIORITY_USER_NAME 4 +/* According to specification, host has higher priority */ +#define SELINUX_PRIORITY_HOST_CAT 8 +#define SELINUX_PRIORITY_HOST_GROUP 16 +#define SELINUX_PRIORITY_HOST_NAME 32 + +errno_t +sss_selinux_extract_user(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *username, + struct sysdb_attrs **_user_attrs); + +bool sss_selinux_match(struct sysdb_attrs *usermap, + struct sysdb_attrs *user, + struct sysdb_attrs *host, + uint32_t *_priority); + +const char *sss_selinux_map_get_seuser(struct sysdb_attrs *usermap); + +#endif /* SSS_SELINUX_H_ */ diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c new file mode 100644 index 0000000..bcce57b --- /dev/null +++ b/src/util/sss_semanage.c 
@@ -0,0 +1,452 @@ +/* + SSSD + + sss_semanage.c + + Copyright (C) Jakub Hrozek 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#if defined(HAVE_SEMANAGE) && defined(HAVE_SELINUX) +#include +#include +#endif + +#include "util/util.h" + +#ifndef DEFAULT_SERANGE +#define DEFAULT_SERANGE "s0" +#endif + +#if defined(HAVE_SEMANAGE) && defined(HAVE_SELINUX) +/* turn libselinux messages into SSSD DEBUG() calls */ +static void sss_semanage_error_callback(void *varg, + semanage_handle_t *handle, + const char *fmt, ...) 
+{ + int level = SSSDBG_INVALID; + va_list ap; + + switch (semanage_msg_get_level(handle)) { + case SEMANAGE_MSG_ERR: + level = SSSDBG_CRIT_FAILURE; + break; + case SEMANAGE_MSG_WARN: + level = SSSDBG_MINOR_FAILURE; + break; + case SEMANAGE_MSG_INFO: + level = SSSDBG_TRACE_FUNC; + break; + } + + va_start(ap, fmt); + if (DEBUG_IS_SET(level)) { + sss_vdebug_fn(__FILE__, __LINE__, "libsemanage", level, + APPEND_LINE_FEED, fmt, ap); + } + va_end(ap); +} + +static void sss_semanage_close(semanage_handle_t *handle) +{ + if (handle == NULL) { + return; /* semanage uses asserts */ + } + + if (semanage_is_connected(handle)) { + semanage_disconnect(handle); + } + semanage_handle_destroy(handle); +} + +static int sss_is_selinux_managed(semanage_handle_t *handle) +{ + int ret; + + if (handle == NULL) { + return EINVAL; + } + + if (!is_selinux_enabled()) { + return ERR_SELINUX_NOT_MANAGED; + } + + ret = semanage_is_managed(handle); + if (ret == 0) { + DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n"); + return ERR_SELINUX_NOT_MANAGED; + } else if (ret == -1) { + DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n"); + return EIO; + } + + return EOK; +} + +static int sss_semanage_init(semanage_handle_t **_handle) +{ + int ret; + semanage_handle_t *handle = NULL; + + handle = semanage_handle_create(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); + ret = EIO; + goto done; + } + + semanage_msg_set_callback(handle, + sss_semanage_error_callback, + NULL); + + ret = sss_is_selinux_managed(handle); + if (ret != EOK) { + goto done; + } + + ret = semanage_access_check(handle); + if (ret < SEMANAGE_CAN_READ) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); + ret = EACCES; + goto done; + } + + ret = semanage_connect(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot estabilish SELinux management connection\n"); + ret = EIO; + goto done; + } + + ret = EOK; + +done: + if 
(ret != EOK) { + sss_semanage_close(handle); + } else { + *_handle = handle; + } + + return ret; +} + +static int sss_semanage_user_add(semanage_handle_t *handle, + semanage_seuser_key_t *key, + const char *login_name, + const char *seuser_name, + const char *mls) +{ + int ret; + semanage_seuser_t *seuser = NULL; + + ret = semanage_seuser_create(handle, &seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create SELinux login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_name(handle, seuser, login_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set name for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_mlsrange(handle, seuser, + mls ? mls : DEFAULT_SERANGE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set serange for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_sename(handle, seuser, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set SELinux user for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_modify_local(handle, key, seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_free(seuser); + return ret; +} + +static int sss_semanage_user_mod(semanage_handle_t *handle, + semanage_seuser_key_t *key, + const char *login_name, + const char *seuser_name, + const char *mls) +{ + int ret; + semanage_seuser_t *seuser = NULL; + + semanage_seuser_query(handle, key, &seuser); + if (seuser == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not query seuser for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_mlsrange(handle, seuser, + mls ? 
mls : DEFAULT_SERANGE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set serange for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_sename(handle, seuser, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set sename for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_modify_local(handle, key, seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not modify login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_free(seuser); + return ret; +} + +int sss_get_seuser(const char *linuxuser, + char **selinuxuser, + char **level) +{ + int ret; + semanage_handle_t *handle; + + handle = semanage_handle_create(); + if (handle == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); + return EIO; + } + + semanage_msg_set_callback(handle, + sss_semanage_error_callback, + NULL); + + /* We only needed the handle for this call. 
Close the handle right + * after it */ + ret = sss_is_selinux_managed(handle); + sss_semanage_close(handle); + if (ret != EOK) { + return ret; + } + + return getseuserbyname(linuxuser, selinuxuser, level); +} + +int sss_set_seuser(const char *login_name, const char *seuser_name, + const char *mls) +{ + semanage_handle_t *handle = NULL; + semanage_seuser_key_t *key = NULL; + int ret; + int seuser_exists = 0; + + if (seuser_name == NULL) { + /* don't care, just let system pick the defaults */ + return EOK; + } + + ret = sss_semanage_init(&handle); + if (ret == ERR_SELINUX_NOT_MANAGED) { + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); + goto done; + } + + ret = semanage_begin_transaction(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(handle, login_name, &key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_exists(handle, key, &seuser_exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (seuser_exists) { + ret = sss_semanage_user_mod(handle, key, login_name, seuser_name, + mls); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n"); + ret = EIO; + goto done; + } + } else { + ret = sss_semanage_user_add(handle, key, login_name, seuser_name, + mls); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n"); + ret = EIO; + goto done; + } + } + + ret = semanage_commit(handle); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = EOK; +done: + if (key != NULL) { + semanage_seuser_key_free(key); + } + sss_semanage_close(handle); + return ret; +} + +int sss_del_seuser(const char *login_name) +{ + 
semanage_handle_t *handle = NULL; + semanage_seuser_key_t *key = NULL; + int ret; + int exists = 0; + + ret = sss_semanage_init(&handle); + if (ret == ERR_SELINUX_NOT_MANAGED) { + goto done; + } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); + goto done; + } + + ret = semanage_begin_transaction(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(handle, login_name, &key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_exists(handle, key, &exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (!exists) { + DEBUG(SSSDBG_FUNC_DATA, + "Login mapping for %s is not defined, OK if default mapping " + "was used\n", login_name); + ret = EOK; /* probably default mapping */ + goto done; + } + + ret = semanage_seuser_exists_local(handle, key, &exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (!exists) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Login mapping for %s is defined in policy, cannot be deleted\n", + login_name); + ret = ENOENT; + goto done; + } + + ret = semanage_seuser_del_local(handle, key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not delete login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_commit(handle); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = EOK; +done: + sss_semanage_close(handle); + return ret; +} +#else /* HAVE_SEMANAGE && HAVE_SELINUX */ +int sss_set_seuser(const char *login_name, const char *seuser_name, + const char *mls) +{ + return EOK; +} + +int sss_del_seuser(const char *login_name) +{ + return EOK; +} + +int sss_get_seuser(const 
char *linuxuser, + char **selinuxuser, + char **level) +{ + return EOK; +} +#endif /* HAVE_SEMANAGE */ diff --git a/src/util/sss_sockets.c b/src/util/sss_sockets.c new file mode 100644 index 0000000..5e9be9e --- /dev/null +++ b/src/util/sss_sockets.c 
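Review bot: The `#else` stub of `sss_get_seuser()` at the end of this file returns `EOK` without writing `*selinuxuser` or `*level`, so on a build without libsemanage/libselinux a caller that treats `EOK` as "outputs are valid" and then reads or frees them would be working with uninitialised pointers (the callers are not visible in this hunk). The stub should either clear the outputs, `*selinuxuser = NULL; *level = NULL;`, or return a distinct code such as `ERR_SELINUX_NOT_MANAGED`, which the real implementation already uses for the unmanaged case. Separately, `sss_semanage_user_mod()` discards the return value of `semanage_seuser_query()` and relies only on `seuser == NULL`; checking the return code as the sibling calls do would keep the error handling uniform. The closing `#endif /* HAVE_SEMANAGE */` comment also no longer matches the `HAVE_SEMANAGE && HAVE_SELINUX` condition it closes.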
@@ -0,0 +1,365 @@ +/* + SSSD + + Socket utils + + Copyright (C) Simo Sorce 2016 + Copyright (C) Sumit Bose 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include +#include +#include +#include +#include + +#include "util/util.h" + + +static errno_t set_fcntl_flags(int fd, int fd_flags, int fl_flags) +{ + int ret; + int cur_flags; + + ret = fcntl(fd, F_GETFD, 0); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fcntl F_GETFD failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + cur_flags = ret; + + ret = fcntl(fd, F_SETFD, cur_flags | fd_flags); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fcntl F_SETFD failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + + ret = fcntl(fd, F_GETFL, 0); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fcntl F_GETFD failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + cur_flags = ret; + + ret = fcntl(fd, F_SETFL, cur_flags | fl_flags); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "fcntl F_SETFD failed [%d][%s].\n", ret, strerror(ret)); + return ret; + } + + return EOK; +} + +static errno_t set_fd_common_opts(int fd) +{ + int dummy = 1; + int ret; + + /* SO_KEEPALIVE and TCP_NODELAY are set by OpenLDAP client libraries but + * failures are ignored.*/ + ret = setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &dummy, sizeof(dummy)); + if (ret != 0) { + ret 
= errno; + DEBUG(SSSDBG_FUNC_DATA, + "setsockopt SO_KEEPALIVE failed.[%d][%s].\n", ret, + strerror(ret)); + } + + ret = setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &dummy, sizeof(dummy)); + if (ret != 0) { + ret = errno; + DEBUG(SSSDBG_FUNC_DATA, + "setsockopt TCP_NODELAY failed.[%d][%s].\n", ret, + strerror(ret)); + } + + return EOK; +} + + +struct sssd_async_connect_state { + struct tevent_fd *fde; + int fd; + socklen_t addr_len; + struct sockaddr_storage addr; +}; + +static void sssd_async_connect_done(struct tevent_context *ev, + struct tevent_fd *fde, uint16_t flags, + void *priv); + +struct tevent_req *sssd_async_connect_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + int fd, + const struct sockaddr *addr, + socklen_t addr_len) +{ + struct tevent_req *req; + struct sssd_async_connect_state *state; + int ret; + + req = tevent_req_create(mem_ctx, &state, + struct sssd_async_connect_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + + state->fd = fd; + state->addr_len = addr_len; + memcpy(&state->addr, addr, addr_len); + + ret = connect(fd, addr, addr_len); + if (ret == EOK) { + goto done; + } + + ret = errno; + switch (ret) { + case EINPROGRESS: + case EINTR: + + /* Despite the connect() man page says waiting on a non-blocking + * connect should be done by checking for writability, we need to check + * also for readability. + * With TEVENT_FD_READ, connect fails much faster in offline mode with + * errno 113/No route to host. 
+ */ + state->fde = tevent_add_fd(ev, state, fd, + TEVENT_FD_READ | TEVENT_FD_WRITE, + sssd_async_connect_done, req); + if (state->fde == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_fd failed.\n"); + ret = ENOMEM; + goto done; + } + + return req; + + default: + DEBUG(SSSDBG_CRIT_FAILURE, + "connect failed [%d][%s].\n", ret, strerror(ret)); + } + +done: + if (ret == EOK) { + tevent_req_done(req); + } else { + tevent_req_error(req, ret); + } + + tevent_req_post(req, ev); + return req; +} + +static void sssd_async_connect_done(struct tevent_context *ev, + struct tevent_fd *fde, uint16_t flags, + void *priv) +{ + struct tevent_req *req = talloc_get_type(priv, struct tevent_req); + struct sssd_async_connect_state *state = + tevent_req_data(req, struct sssd_async_connect_state); + int ret; + + errno = 0; + ret = connect(state->fd, (struct sockaddr *) &state->addr, + state->addr_len); + if (ret == -1) { + ret = errno; + if (ret == EALREADY || ret == EINPROGRESS || ret == EINTR) { + return; /* Try again later */ + } + } + + talloc_zfree(fde); + + if (ret == EOK) { + tevent_req_done(req); + } else { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "connect failed [%d][%s].\n", ret, strerror(ret)); + tevent_req_error(req, ret); + } +} + +int sssd_async_connect_recv(struct tevent_req *req) +{ + TEVENT_REQ_RETURN_ON_ERROR(req); + + return EOK; +} + + +static void sssd_async_connect_timeout(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval tv, void *pvt) +{ + struct tevent_req *connection_request; + + DEBUG(SSSDBG_CONF_SETTINGS, "The connection timed out\n"); + + connection_request = talloc_get_type(pvt, struct tevent_req); + tevent_req_error(connection_request, ETIMEDOUT); +} + + +struct sssd_async_socket_state { + struct tevent_timer *connect_timeout; + int sd; +}; + +static int sssd_async_socket_state_destructor(void *data); +static void sssd_async_socket_init_done(struct tevent_req *subreq); + +struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX 
*mem_ctx, + struct tevent_context *ev, + struct sockaddr_storage *addr, + socklen_t addr_len, int timeout) +{ + struct sssd_async_socket_state *state; + struct tevent_req *req, *subreq; + struct timeval tv; + int ret; + + req = tevent_req_create(mem_ctx, &state, struct sssd_async_socket_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create failed.\n"); + return NULL; + } + state->sd = -1; + + talloc_set_destructor((TALLOC_CTX *)state, + sssd_async_socket_state_destructor); + + state->sd = socket(addr->ss_family, SOCK_STREAM, 0); + if (state->sd == -1) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "socket failed [%d][%s].\n", ret, strerror(ret)); + goto fail; + } + + ret = set_fd_common_opts(state->sd); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "set_fd_common_opts failed.\n"); + goto fail; + } + + ret = set_fcntl_flags(state->sd, FD_CLOEXEC, O_NONBLOCK); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "settting fd flags failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_ALL, + "Using file descriptor [%d] for the connection.\n", state->sd); + + subreq = sssd_async_connect_send(state, ev, state->sd, + (struct sockaddr *) addr, addr_len); + if (subreq == NULL) { + ret = ENOMEM; + DEBUG(SSSDBG_CRIT_FAILURE, "sssd_async_connect_send failed.\n"); + goto fail; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Setting %d seconds timeout for connecting\n", timeout); + tv = tevent_timeval_current_ofs(timeout, 0); + + state->connect_timeout = tevent_add_timer(ev, subreq, tv, + sssd_async_connect_timeout, + subreq); + if (state->connect_timeout == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "tevent_add_timer failed.\n"); + ret = ENOMEM; + goto fail; + } + + tevent_req_set_callback(subreq, sssd_async_socket_init_done, req); + return req; + +fail: + tevent_req_error(req, ret); + tevent_req_post(req, ev); + return req; +} + +static void sssd_async_socket_init_done(struct tevent_req *subreq) +{ + struct tevent_req *req = + tevent_req_callback_data(subreq, struct 
tevent_req); + struct sssd_async_socket_state *state = + tevent_req_data(req, struct sssd_async_socket_state); + int ret; + + /* kill the timeout handler now that we got a reply */ + talloc_zfree(state->connect_timeout); + + ret = sssd_async_connect_recv(subreq); + talloc_zfree(subreq); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "sdap_async_sys_connect request failed: [%d]: %s.\n", + ret, sss_strerror(ret)); + goto fail; + } + + tevent_req_done(req); + return; + +fail: + tevent_req_error(req, ret); +} + +int sssd_async_socket_init_recv(struct tevent_req *req, int *sd) +{ + struct sssd_async_socket_state *state = + tevent_req_data(req, struct sssd_async_socket_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + /* steal the sd and neutralize destructor actions */ + *sd = state->sd; + state->sd = -1; + + return EOK; +} + +static int sssd_async_socket_state_destructor(void *data) +{ + struct sssd_async_socket_state *state = + talloc_get_type(data, struct sssd_async_socket_state); + + if (state->sd != -1) { + DEBUG(SSSDBG_TRACE_FUNC, "closing socket [%d]\n", state->sd); + close(state->sd); + state->sd = -1; + } + + return 0; +} diff --git a/src/util/sss_sockets.h b/src/util/sss_sockets.h new file mode 100644 index 0000000..ccb05cb --- /dev/null +++ b/src/util/sss_sockets.h 
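Review bot: In `sssd_async_connect_send()` the call `memcpy(&state->addr, addr, addr_len);` copies a caller-supplied length into a fixed `struct sockaddr_storage` with no bound, so an `addr_len` larger than `sizeof(state->addr)` would write past the state structure. A guard before the copy closes this: `if (addr_len > sizeof(state->addr)) { ret = EINVAL; goto done; }`. In `sssd_async_connect_done()` the failure branch re-reads `errno` after `talloc_zfree(fde)` even though `ret` already holds the connect error; the intervening call may have changed `errno`, so the `ret = errno;` line in that branch should be dropped. The two `F_GETFL`/`F_SETFL` failure messages in `set_fcntl_flags()` still say `F_GETFD`/`F_SETFD`, which will mislead anyone reading the debug log.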
@@ -0,0 +1,39 @@
+/*
+ SSSD
+
+ Socket utils
+
+ Copyright (C) Simo Sorce 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __SSS_SOCKETS_H__
+#define __SSS_SOCKETS_H__
+
+struct tevent_req *sssd_async_connect_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ int fd,
+ const struct sockaddr *addr,
+ socklen_t addr_len);
+int sssd_async_connect_recv(struct tevent_req *req);
+
+
+struct tevent_req *sssd_async_socket_init_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct sockaddr_storage *addr,
+ socklen_t addr_len, int timeout);
+int sssd_async_socket_init_recv(struct tevent_req *req, int *sd);
+
+#endif /* __SSS_SOCKETS_H__ */
diff --git a/src/util/sss_ssh.c b/src/util/sss_ssh.c
new file mode 100644
index 0000000..54886a0
--- /dev/null
+++ b/src/util/sss_ssh.c
@@ -0,0 +1,270 @@ +/* + Authors: + Jan Cholasta + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "db/sysdb.h" +#include "util/util.h" +#include "util/crypto/sss_crypto.h" +#include "util/sss_ssh.h" + +errno_t +sss_ssh_make_ent(TALLOC_CTX *mem_ctx, + struct ldb_message *msg, + struct sss_ssh_ent **result) +{ + TALLOC_CTX *tmp_ctx; + struct sss_ssh_ent *res = NULL; + errno_t ret; + const char *name; + struct ldb_message_element *el; + unsigned int i; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL); + if (!name) { + ret = EINVAL; + DEBUG(SSSDBG_CRIT_FAILURE, "Host is missing name attribute\n"); + goto done; + } + + res = talloc_zero(tmp_ctx, struct sss_ssh_ent); + if (!res) { + ret = ENOMEM; + goto done; + } + + res->name = talloc_strdup(res, name); + if (!res->name) { + ret = ENOMEM; + goto done; + } + + el = ldb_msg_find_element(msg, SYSDB_SSH_PUBKEY); + if (el) { + res->num_pubkeys = el->num_values; + + res->pubkeys = talloc_array(res, struct sss_ssh_pubkey, + res->num_pubkeys); + if (!res->pubkeys) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < el->num_values; i++) { + res->pubkeys[i].data = sss_base64_decode(res->pubkeys, + (char *)el->values[i].data, &res->pubkeys[i].data_len); + if (!res->pubkeys[i].data) { + ret = ENOMEM; + goto done; + } + } + } + + el = 
ldb_msg_find_element(msg, SYSDB_NAME_ALIAS); + if (el) { + res->num_aliases = el->num_values; + + res->aliases = talloc_array(res, char *, res->num_aliases); + if (!res->aliases) { + ret = ENOMEM; + goto done; + } + + for (i = 0; i < el->num_values; i++) { + res->aliases[i] = talloc_strdup(res->aliases, + (char *)el->values[i].data); + if (!res->aliases[i]) { + ret = ENOMEM; + goto done; + } + } + } + + *result = talloc_steal(mem_ctx, res); + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +static errno_t +sss_ssh_get_pubkey_algorithm(TALLOC_CTX *mem_ctx, + struct sss_ssh_pubkey *pubkey, + char **result) +{ + size_t c = 0; + uint32_t algo_len; + char *algo; + + if (pubkey->data_len < 5) { + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&algo_len, pubkey->data, &c); + algo_len = ntohl(algo_len); + if (algo_len < 1 || algo_len > 64 || algo_len > pubkey->data_len - 4) { + /* the maximum length of 64 is defined in RFC 4250 */ + return EINVAL; + } + + algo = talloc_zero_array(mem_ctx, char, algo_len+1); + if (!algo) { + return ENOMEM; + } + + memcpy(algo, pubkey->data+c, algo_len); + + *result = algo; + return EOK; +} + +errno_t +sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx, + struct sss_ssh_pubkey *pubkey, + char **result) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + char *blob; + char *algo; + char *out = NULL; + size_t i, len; + + tmp_ctx = talloc_new(NULL); + if (!tmp_ctx) { + return ENOMEM; + } + + if (pubkey->data_len > 4 && memcmp(pubkey->data, "\0\0\0", 3) == 0) { + /* All valid public key blobs start with 3 null bytes (see RFC 4253 + * section 6.6, RFC 4251 section 5 and RFC 4250 section 4.6) + */ + blob = sss_base64_encode(tmp_ctx, pubkey->data, pubkey->data_len); + if (!blob) { + ret = ENOMEM; + goto done; + } + + ret = sss_ssh_get_pubkey_algorithm(tmp_ctx, pubkey, &algo); + if (ret != EOK) { + goto done; + } + + out = talloc_asprintf(mem_ctx, "%s %s", algo, blob); + if (!out) { + ret = ENOMEM; + goto done; + } + } else { + /* Not a valid public 
key blob, so this must be a textual public key */ + for (i = 0; i < pubkey->data_len; i++) { + if (pubkey->data[i] == '\0' || + (pubkey->data[i] == '\n' && i != pubkey->data_len - 1) || + pubkey->data[i] == '\r') { + ret = EINVAL; + goto done; + } + } + + len = pubkey->data_len; + if (pubkey->data[len - 1] == '\n') { + len--; + } + + out = talloc_array(mem_ctx, char, len + 1); + if (out == NULL) { + ret = ENOMEM; + goto done; + } + + memcpy(out, pubkey->data, len); + out[len] = '\0'; + } + + *result = out; + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} + +errno_t +sss_ssh_print_pubkey(struct sss_ssh_pubkey *pubkey) +{ + TALLOC_CTX *tmp_ctx; + char *repr = NULL; + char *repr_break = NULL; + errno_t ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + ret = sss_ssh_format_pubkey(tmp_ctx, pubkey, &repr); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "sss_ssh_format_pubkey() failed (%d): %s\n", + ret, strerror(ret)); + goto end; + } + + /* OpenSSH expects a linebreak after each key */ + repr_break = talloc_asprintf(tmp_ctx, "%s\n", repr); + talloc_zfree(repr); + if (repr_break == NULL) { + ret = ENOMEM; + goto end; + } + + ret = sss_atomic_write_s(STDOUT_FILENO, repr_break, strlen(repr_break)); + /* Avoid spiking memory with too many large keys */ + talloc_zfree(repr_break); + if (ret < 0) { + ret = errno; + if (ret == EPIPE) { + DEBUG(SSSDBG_MINOR_FAILURE, + "SSHD closed the pipe before all keys could be written\n"); + /* Return 0 so that openssh doesn't abort pubkey auth */ + ret = 0; + goto end; + } + DEBUG(SSSDBG_CRIT_FAILURE, + "sss_atomic_write_s() failed (%d): %s\n", + ret, strerror(ret)); + goto end; + } + + ret = EOK; + + end: + talloc_zfree(tmp_ctx); + + return ret; +} diff --git a/src/util/sss_ssh.h b/src/util/sss_ssh.h new file mode 100644 index 0000000..d35ffb9 --- /dev/null +++ b/src/util/sss_ssh.h 
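Review bot: In the textual-key branch of `sss_ssh_format_pubkey()`, `pubkey->data[len - 1]` is read with `len = pubkey->data_len` and no check that the length is non-zero, so an empty key makes `len - 1` wrap around as a `size_t` and the read lands far outside the buffer. An empty value reaches this branch because the first test requires `data_len > 4` and the validation loop simply does not run for zero length; whether the decode step in `sss_ssh_make_ent()` can produce a zero-length key is not visible here, but the function is public and should not depend on it. Reject the case up front in the `else` branch: `if (pubkey->data_len == 0) { ret = EINVAL; goto done; }`. As a smaller point, `sss_ssh_make_ent()` reports every `sss_base64_decode()` failure as `ENOMEM`, which hides malformed stored keys behind an out-of-memory error.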
@@ -0,0 +1,56 @@
+/*
+ Authors:
+ Jan Cholasta
+
+ Copyright (C) 2012 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef _SSS_SSH_H_
+#define _SSS_SSH_H_
+
+#define SSS_SSH_REQ_ALIAS 0x01
+#define SSS_SSH_REQ_DOMAIN 0x02
+#define SSS_SSH_REQ_MASK 0x03
+
+struct sss_ssh_pubkey {
+ uint8_t *data;
+ size_t data_len;
+};
+
+struct sss_ssh_ent {
+ char *name;
+
+ struct sss_ssh_pubkey *pubkeys;
+ size_t num_pubkeys;
+
+ char **aliases;
+ size_t num_aliases;
+};
+
+errno_t
+sss_ssh_make_ent(TALLOC_CTX *mem_ctx,
+ struct ldb_message *msg,
+ struct sss_ssh_ent **result);
+
+errno_t
+sss_ssh_format_pubkey(TALLOC_CTX *mem_ctx,
+ struct sss_ssh_pubkey *pubkey,
+ char **result);
+
+errno_t
+sss_ssh_print_pubkey(struct sss_ssh_pubkey *pubkey);
+
+#endif /* _SSS_SSH_H_ */
diff --git a/src/util/sss_tc_utf8.c b/src/util/sss_tc_utf8.c
new file mode 100644
index 0000000..44194ab
--- /dev/null
+++ b/src/util/sss_tc_utf8.c
@@ -0,0 +1,88 @@ +/* + Authors: + Jakub Hrozek + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util.h" +#include "util/sss_utf8.h" + +char * +sss_tc_utf8_str_tolower(TALLOC_CTX *mem_ctx, const char *s) +{ + size_t nlen; + uint8_t *ret; + + ret = sss_tc_utf8_tolower(mem_ctx, (const uint8_t *) s, strlen(s), &nlen); + if (!ret) return NULL; + + ret = talloc_realloc(mem_ctx, ret, uint8_t, nlen+1); + if (!ret) return NULL; + + ret[nlen] = '\0'; + return (char *) ret; +} + +uint8_t * +sss_tc_utf8_tolower(TALLOC_CTX *mem_ctx, const uint8_t *s, size_t len, size_t *_nlen) +{ + uint8_t *lower; + uint8_t *ret; + size_t nlen; + + lower = sss_utf8_tolower(s, len, &nlen); + if (!lower) return NULL; + + ret = talloc_memdup(mem_ctx, lower, nlen); + sss_utf8_free(lower); + if (!ret) return NULL; + + *_nlen = nlen; + return ret; +} + +errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx, + const char *input, + struct sss_domain_info *dom, + char **sanitized, + char **lc_sanitized) +{ + int ret; + + ret = sss_filter_sanitize(mem_ctx, input, sanitized); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "sss_filter_sanitize failed.\n"); + return ret; + } + + if (dom->case_sensitive) { + *lc_sanitized = talloc_strdup(mem_ctx, *sanitized); + } else { + *lc_sanitized = sss_tc_utf8_str_tolower(mem_ctx, *sanitized); + } + + if (*lc_sanitized == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "%s 
failed.\n", + dom->case_sensitive ? + "talloc_strdup" : + "sss_tc_utf8_str_tolower"); + return ENOMEM; + } + + return EOK; +} diff --git a/src/util/sss_utf8.c b/src/util/sss_utf8.c new file mode 100644 index 0000000..e62e9c6 --- /dev/null +++ b/src/util/sss_utf8.c 
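Review bot: `sss_tc_utf8_str_tolower()` assigns the result of `talloc_realloc()` straight back to `ret`, so when the reallocation fails the original lowered buffer is no longer reachable and stays attached to `mem_ctx` until that context is freed. Use a temporary and release the old buffer on failure: `uint8_t *tmp = talloc_realloc(mem_ctx, ret, uint8_t, nlen+1);` followed by `if (!tmp) { talloc_free(ret); return NULL; }` and `ret = tmp;`. `sss_filter_sanitize_for_dom()` has the same shape of problem on its `ENOMEM` path: `*sanitized` has already been handed to the caller when the function returns an error, and a short comment stating whether the caller must free it on failure would make the contract explicit.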
@@ -0,0 +1,194 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "config.h" + +#include +#include + +#ifdef HAVE_LIBUNISTRING +#include +#include +#include +#elif defined(HAVE_GLIB2) +#include +#endif + +#include "sss_utf8.h" + +#ifdef HAVE_LIBUNISTRING +void sss_utf8_free(void *ptr) +{ + return free(ptr); +} +#elif defined(HAVE_GLIB2) +void sss_utf8_free(void *ptr) +{ + return g_free(ptr); +} +#else +#error No unicode library +#endif + +#ifdef HAVE_LIBUNISTRING +uint8_t *sss_utf8_tolower(const uint8_t *s, size_t len, size_t *_nlen) +{ + size_t llen; + uint8_t *lower; + + lower = u8_tolower(s, len, NULL, NULL, NULL, &llen); + if (!lower) return NULL; + + if (_nlen) *_nlen = llen; + return lower; +} +#elif defined(HAVE_GLIB2) +uint8_t *sss_utf8_tolower(const uint8_t *s, size_t len, size_t *_nlen) +{ + gchar *glower; + size_t nlen; + uint8_t *lower; + + glower = g_utf8_strdown((const gchar *) s, len); + if (!glower) return NULL; + + /* strlen() is safe here because g_utf8_strdown() always null-terminates */ + nlen = strlen(glower); + + lower = g_malloc(nlen); + if (!lower) { + g_free(glower); + return NULL; + } + + memcpy(lower, glower, nlen); + g_free(glower); + if (_nlen) *_nlen = nlen; + return (uint8_t *) lower; +} +#else +#error No unicode library +#endif + +#ifdef HAVE_LIBUNISTRING +bool sss_utf8_check(const uint8_t *s, 
size_t n) +{ + if (u8_check(s, n) == NULL) { + return true; + } + return false; +} + +#elif defined(HAVE_GLIB2) +bool sss_utf8_check(const uint8_t *s, size_t n) +{ + return g_utf8_validate((const gchar *)s, n, NULL); +} + +#else +#error No unicode library +#endif + +/* Returns EOK on match, ENOTUNIQ if comparison succeeds but + * does not match. + * May return other errno error codes on failure + */ +#ifdef HAVE_LIBUNISTRING +errno_t sss_utf8_case_eq(const uint8_t *s1, const uint8_t *s2) +{ + + /* Do a case-insensitive comparison. + * The input must be encoded in UTF8. + * We have no way of knowing the language, + * so we'll pass NULL for the language and + * hope for the best. + */ + int ret; + int resultp; + size_t n1, n2; + errno = 0; + + n1 = u8_strlen(s1); + n2 = u8_strlen(s2); + + ret = u8_casecmp(s1, n1, + s2, n2, + NULL, NULL, + &resultp); + if (ret < 0) { + /* An error occurred */ + return errno; + } + + if (resultp == 0) { + return EOK; + } + return ENOMATCH; +} + +#elif defined(HAVE_GLIB2) +errno_t sss_utf8_case_eq(const uint8_t *s1, const uint8_t *s2) +{ + gchar *gs1; + gchar *gs2; + gssize n1, n2; + gint gret; + errno_t ret; + + n1 = g_utf8_strlen((const gchar *)s1, -1); + n2 = g_utf8_strlen((const gchar *)s2, -1); + + gs1 = g_utf8_casefold((const gchar *)s1, n1); + if (gs1 == NULL) { + return ENOMEM; + } + + gs2 = g_utf8_casefold((const gchar *)s2, n2); + if (gs2 == NULL) { + return ENOMEM; + } + + gret = g_utf8_collate(gs1, gs2); + if (gret == 0) { + ret = EOK; + } else { + ret = ENOMATCH; + } + + g_free(gs1); + g_free(gs2); + + return ret; +} + +#else +#error No unicode library +#endif + +bool sss_string_equal(bool cs, const char *s1, const char *s2) +{ + if (cs) { + return strcmp(s1, s2) == 0; + } + + return sss_utf8_case_eq((const uint8_t *)s1, (const uint8_t *)s2) == EOK; +} diff --git a/src/util/sss_utf8.h b/src/util/sss_utf8.h new file mode 100644 index 0000000..bca9b2c --- /dev/null +++ b/src/util/sss_utf8.h 
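Review bot: The GLib variant of `sss_utf8_case_eq` passes a character count where a byte length is expected: `g_utf8_strlen()` returns the number of characters, while the length argument of `g_utf8_casefold()` is in bytes, so a string containing multi-byte characters is folded only up to a truncated prefix and two different names may compare equal. Since both inputs are NUL-terminated, pass `-1` instead, `gs1 = g_utf8_casefold((const gchar *)s1, -1);` and the same for `gs2`, which makes `n1`/`n2` unnecessary. The `gs2 == NULL` return also skips `g_free(gs1)`. The comment above the function names `ENOTUNIQ` for a mismatch, but both variants return `ENOMATCH`.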
@@ -0,0 +1,45 @@ +/* + SSSD + + Authors: + Stephen Gallagher + + Copyright (C) 2011 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef SSS_UTF8_H_ +#define SSS_UTF8_H_ + +#ifndef ENOMATCH +#define ENOMATCH -1 +#endif + +#include +#include + +#include "util/util_errors.h" + +void sss_utf8_free(void *ptr); + +/* The result must be freed with sss_utf8_free() */ +uint8_t *sss_utf8_tolower(const uint8_t *s, size_t len, size_t *nlen); + +bool sss_utf8_check(const uint8_t *s, size_t n); + +errno_t sss_utf8_case_eq(const uint8_t *s1, const uint8_t *s2); + + +#endif /* SSS_UTF8_H_ */ diff --git a/src/util/string_utils.c b/src/util/string_utils.c new file mode 100644 index 0000000..1215ec9 --- /dev/null +++ b/src/util/string_utils.c 
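Review bot: `sss_utf8_case_eq` is declared here without its return contract, which is described only in the .c file; a comment such as `/* Returns EOK if s1 and s2 match case-insensitively, ENOMATCH if they differ, another errno value on failure; inputs are NUL-terminated UTF-8 */` would keep callers from treating the result as a boolean. `#define ENOMATCH -1` should also be parenthesized as `#define ENOMATCH (-1)` so the macro expands safely inside larger expressions.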
@@ -0,0 +1,148 @@ +/* + SSSD + + Authors: + Lukas Slebodnik + + Copyright (C) 2014 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" + +char *sss_replace_char(TALLOC_CTX *mem_ctx, + const char *in, + const char match, + const char sub) +{ + char *p; + char *out; + + out = talloc_strdup(mem_ctx, in); + if (out == NULL) { + return NULL; + } + + for (p = out; *p != '\0'; ++p) { + if (*p == match) { + *p = sub; + } + } + + return out; +} + +char * sss_replace_space(TALLOC_CTX *mem_ctx, + const char *orig_name, + const char subst) +{ + if (subst == '\0' || subst == ' ') { + return talloc_strdup(mem_ctx, orig_name); + } + + if (strchr(orig_name, subst) != NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Input [%s] already contains replacement character [%c].\n", + orig_name, subst); + sss_log(SSS_LOG_CRIT, + "Name [%s] already contains replacement character [%c]. 
" \ + "No replacement will be done.\n", + orig_name, subst); + return talloc_strdup(mem_ctx, orig_name); + } + + return sss_replace_char(mem_ctx, orig_name, ' ', subst); +} + +char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx, + const char *orig_name, + const char subst) +{ + if (subst == '\0' || subst == ' ') { + return talloc_strdup(mem_ctx, orig_name); + } + + if (strchr(orig_name, subst) != NULL && strchr(orig_name, ' ') != NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "Input [%s] contains replacement character [%c] and space.\n", + orig_name, subst); + return talloc_strdup(mem_ctx, orig_name); + } + + return sss_replace_char(mem_ctx, orig_name, subst, ' '); +} + +errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf, + size_t buf_size) +{ + int ret; + + if (blob == NULL || str_buf == NULL || buf_size < GUID_STR_BUF_SIZE) { + DEBUG(SSSDBG_CRIT_FAILURE, "Buffer too small.\n"); + return EINVAL; + } + + ret = snprintf(str_buf, buf_size, + "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x", + blob[3], blob[2], blob[1], blob[0], + blob[5], blob[4], + blob[7], blob[6], + blob[8], blob[9], + blob[10], blob[11],blob[12], blob[13],blob[14], blob[15]); + if (ret != (GUID_STR_BUF_SIZE -1)) { + DEBUG(SSSDBG_CRIT_FAILURE, "snprintf failed.\n"); + return EIO; + } + + return EOK; +} + +const char *get_last_x_chars(const char *str, size_t x) +{ + size_t len; + + if (str == NULL) { + return NULL; + } + + len = strlen(str); + + if (len < x) { + return str; + } + + return (str + len - x); +} + +char **concatenate_string_array(TALLOC_CTX *mem_ctx, + char **arr1, size_t len1, + char **arr2, size_t len2) +{ + size_t i, j; + size_t new_size = len1 + len2; + char ** string_array = talloc_realloc(mem_ctx, arr1, char *, new_size + 1); + if (string_array == NULL) { + return NULL; + } + + for (i=len1, j=0; i < new_size; ++i,++j) { + string_array[i] = talloc_steal(string_array, + arr2[j]); + } + + string_array[i] = NULL; + + return string_array; +} 
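Review bot: `concatenate_string_array` has no comment on ownership, and its behaviour is easy to misuse: `talloc_realloc` may move `arr1`, so the caller's old `arr1` pointer is invalid after a successful call, and `talloc_steal` reparents every `arr2[j]` onto the result, so those strings are freed with the returned array while `arr2` still points at them. A header comment such as `/* Consumes arr1 (may be reallocated) and takes ownership of arr2's elements; use only the returned array afterwards */` would make that explicit. `len1 + len2 + 1` is also computed without an overflow check, and `arr2` is dereferenced whenever `len2 > 0`; whether callers can pass unvalidated lengths is not visible in this hunk.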
diff --git a/src/util/strtonum.c b/src/util/strtonum.c new file mode 100644 index 0000000..22e682b --- /dev/null +++ b/src/util/strtonum.c 
@@ -0,0 +1,83 @@ +/* + SSSD + + SSSD Utility functions + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include "config.h" +#include "util/util.h" +#include "util/strtonum.h" + +/* strtoint32 */ +int32_t strtoint32(const char *nptr, char **endptr, int base) +{ + long long ret = 0; + + errno = 0; + ret = strtoll(nptr, endptr, base); + + if (ret > INT32_MAX) { + errno = ERANGE; + return INT32_MAX; + } + else if (ret < INT32_MIN) { + errno = ERANGE; + return INT32_MIN; + } + + /* If errno was set by strtoll, we'll pass it back as-is */ + return (int32_t)ret; +} + + +/* strtouint32 */ +uint32_t strtouint32(const char *nptr, char **endptr, int base) +{ + unsigned long long ret = 0; + errno = 0; + ret = strtoull(nptr, endptr, base); + + if (ret > UINT32_MAX) { + errno = ERANGE; + return UINT32_MAX; + } + + /* If errno was set by strtoll, we'll pass it back as-is */ + return (uint32_t)ret; +} + + +/* strtouint16 */ +uint16_t strtouint16(const char *nptr, char **endptr, int base) +{ + unsigned long long ret = 0; + errno = 0; + ret = strtoull(nptr, endptr, base); + + if (ret > UINT16_MAX) { + errno = ERANGE; + return UINT16_MAX; + } + + /* If errno was set by strtoll, we'll pass it back as-is */ + return (uint16_t)ret; +} + diff --git a/src/util/strtonum.h b/src/util/strtonum.h new file mode 100644 index 0000000..d9c31e9 --- /dev/null 
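Review bot: `strtouint32` and `strtouint16` accept negative input, because `strtoull()` parses an optional minus sign and negates the value in the unsigned type instead of failing; most such strings land above the limit and get `ERANGE`, but a magnitude close to 2^64 wraps to a small in-range number that is returned with `errno == 0`. If these helpers parse IDs or ports from configuration or directory data, the sign should be rejected before the conversion, as sketched below for `strtouint32`; the same guard applies to `strtouint16`. The trailing comments in both unsigned functions also say `strtoll` where `strtoull` is meant.

```c
uint32_t strtouint32(const char *nptr, char **endptr, int base)
{
    const char *p = nptr;

    /* strtoull() negates "-N" in the unsigned type rather than failing,
     * so refuse a leading minus sign up front (isspace() needs <ctype.h>). */
    while (isspace((unsigned char)*p)) {
        p++;
    }
    if (*p == '-') {
        if (endptr != NULL) {
            *endptr = (char *)nptr;   /* report "no conversion performed" */
        }
        errno = EINVAL;
        return 0;
    }
    /* … unchanged: errno reset, strtoull() call and UINT32_MAX range check … */
```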
+++ b/src/util/strtonum.h @@ -0,0 +1,34 @@ +/* + SSSD + + SSSD Utility functions + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef _STRTONUM_H_ +#define _STRTONUM_H_ + +#include +#include +#include + +int32_t strtoint32(const char *nptr, char **endptr, int base); +uint32_t strtouint32(const char *nptr, char **endptr, int base); + +uint16_t strtouint16(const char *nptr, char **endptr, int base); + +#endif /* _STRTONUM_H_ */ diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c new file mode 100644 index 0000000..6a7a580 --- /dev/null +++ b/src/util/tev_curl.c 
@@ -0,0 +1,1123 @@ +/* + SSSD + + libcurl tevent integration + + Copyright (C) Red Hat, 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include +#include + +#include + +#include "util/util.h" +#include "util/tev_curl.h" + +#define TCURL_IOBUF_CHUNK 1024 +/* This limit in the same one as KCM_REPLY_MAX */ +#define TCURL_IOBUF_MAX 10*1024*1024 + +static bool global_is_curl_initialized; + +/** + * @brief The main structure of the tcurl module. + * + * Use tcurl_init() to initialize it, then pass to the request. + * Should be kept opaque in the future. 
+ * + * @see tcurl_init() + */ +struct tcurl_ctx { + struct tevent_context *ev; + /* See where we set CURLMOPT_TIMERFUNCTION */ + struct tevent_timer *process_timer; + + /* Since we want the API to be non-blocking, all the transfers use + * the curl's multi interface: + * https://ec.haxx.se/libcurl-drive-multi.html + * and then each transfer also uses an easy interface instance for + * the transfer's private data + */ + CURLM *multi_handle; +}; + +/** + * @brief A tevent wrapper around curl socket + */ +struct tcurl_sock { + struct tcurl_ctx *tctx; /* Backchannel to the main context */ + + curl_socket_t sockfd; /* curl socket is an int typedef on UNIX */ + struct tevent_fd *fde; /* tevent tracker of the fd events */ +}; + +static void tcurl_request_done(struct tevent_req *req, + errno_t process_error, + int response_code); + +static errno_t curl_code2errno(CURLcode crv) +{ + switch (crv) { + /* HTTP error does not fail the whole request, just returns the error + * separately + */ + case CURLE_HTTP_RETURNED_ERROR: + case CURLE_OK: + return EOK; + case CURLE_URL_MALFORMAT: + return EBADMSG; + case CURLE_COULDNT_CONNECT: + return EHOSTUNREACH; + case CURLE_REMOTE_ACCESS_DENIED: + return EACCES; + case CURLE_OUT_OF_MEMORY: + return ENOMEM; + case CURLE_OPERATION_TIMEDOUT: + return ETIMEDOUT; + case CURLE_SSL_ISSUER_ERROR: + case CURLE_SSL_CACERT_BADFILE: + case CURLE_SSL_CACERT: + case CURLE_SSL_CERTPROBLEM: + return ERR_INVALID_CERT; + + case CURLE_SSL_CRL_BADFILE: + case CURLE_SSL_SHUTDOWN_FAILED: + case CURLE_SSL_ENGINE_INITFAILED: + case CURLE_USE_SSL_FAILED: + case CURLE_SSL_CIPHER: + case CURLE_SSL_ENGINE_SETFAILED: + case CURLE_SSL_ENGINE_NOTFOUND: + case CURLE_SSL_CONNECT_ERROR: + return ERR_SSL_FAILURE; + case CURLE_PEER_FAILED_VERIFICATION: + return ERR_UNABLE_TO_VERIFY_PEER; + case CURLE_COULDNT_RESOLVE_HOST: + return ERR_UNABLE_TO_RESOLVE_HOST; + default: + break; + } + + return EIO; +} + +static errno_t curlm_code2errno(CURLcode crv) +{ + switch (crv) { + 
case CURLM_OK: + return EOK; + case CURLM_BAD_SOCKET: + return EPIPE; + case CURLM_OUT_OF_MEMORY: + return ENOMEM; + case CURLM_BAD_HANDLE: + case CURLM_BAD_EASY_HANDLE: + case CURLM_UNKNOWN_OPTION: + return EINVAL; + case CURLM_INTERNAL_ERROR: + return ERR_INTERNAL; + default: + break; + } + + return EIO; +} + +static errno_t tcurl_global_init(void) +{ + errno_t ret; + + if (global_is_curl_initialized == false) { + ret = curl_global_init(CURL_GLOBAL_ALL); + if (ret != CURLE_OK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot initialize global curl options [%d]\n", ret); + return EIO; + } + } + + global_is_curl_initialized = true; + return EOK; +} + +static int curl2tev_flags(int curlflags) +{ + int flags = 0; + + switch (curlflags) { + case CURL_POLL_IN: + flags |= TEVENT_FD_READ; + break; + case CURL_POLL_OUT: + flags |= TEVENT_FD_WRITE; + break; + case CURL_POLL_INOUT: + flags |= (TEVENT_FD_READ | TEVENT_FD_WRITE); + break; + } + + return flags; +} + +static void handle_curlmsg_done(CURLMsg *message) +{ + CURL *easy_handle; + CURLcode crv; + struct tevent_req *req; + long response_code = 0; + char *done_url; + errno_t ret; + + easy_handle = message->easy_handle; + if (easy_handle == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "BUG: NULL handle for message %p\n", message); + return; + } + + if (DEBUG_IS_SET(SSSDBG_TRACE_FUNC)) { + crv = curl_easy_getinfo(easy_handle, CURLINFO_EFFECTIVE_URL, &done_url); + if (crv != CURLE_OK) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot get CURLINFO_EFFECTIVE_URL " + "[%d]: %s\n", crv, curl_easy_strerror(crv)); + /* not fatal since we need this only for debugging */ + } else { + DEBUG(SSSDBG_TRACE_FUNC, "Handled %s\n", done_url); + } + } + + crv = curl_easy_getinfo(easy_handle, CURLINFO_PRIVATE, (void *) &req); + if (crv != CURLE_OK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get CURLINFO_PRIVATE [%d]: %s\n", + crv, curl_easy_strerror(crv)); + ret = curl_code2errno(crv); + goto done; + } + + ret = curl_code2errno(message->data.result); + if (ret != EOK) 
{ + DEBUG(SSSDBG_OP_FAILURE, "CURL operation failed [%d]: %s\n", + ret, sss_strerror(ret)); + goto done; + } + + /* If there was no fatal error, let's read the response code + * and mark the request as done */ + crv = curl_easy_getinfo(easy_handle, CURLINFO_RESPONSE_CODE, &response_code); + if (crv != CURLE_OK) { + DEBUG(SSSDBG_OP_FAILURE, "Cannot get response code\n"); + ret = curl_code2errno(crv); + goto done; + } + + ret = EOK; + +done: + tcurl_request_done(req, ret, response_code); +} + +static void process_curl_activity(struct tcurl_ctx *tctx) +{ + CURLMsg *message; + int pending; + + while ((message = curl_multi_info_read(tctx->multi_handle, &pending))) { + switch (message->msg) { + case CURLMSG_DONE: + handle_curlmsg_done(message); + break; + default: + DEBUG(SSSDBG_TRACE_LIBS, + "noop for curl msg %d\n", message->msg); + break; + } + } +} + +static void tcurlsock_input_available(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, + void *data) +{ + struct tcurl_ctx *tctx; + struct tcurl_sock *tcs = NULL; + int curl_flags = 0; + int running_handles; + + tcs = talloc_get_type(data, struct tcurl_sock); + if (tcs == NULL) { + return; + } + + if (flags & TEVENT_FD_READ) { + curl_flags |= CURL_CSELECT_IN; + } + if (flags & TEVENT_FD_WRITE) { + curl_flags |= CURL_CSELECT_OUT; + } + + /* multi_socket_action might invalidate tcs when the transfer ends, + * so we need to store tctx separately + */ + tctx = tcs->tctx; + + /* https://ec.haxx.se/libcurl-drive-multi-socket.html */ + curl_multi_socket_action(tcs->tctx->multi_handle, + tcs->sockfd, + curl_flags, + &running_handles); + + process_curl_activity(tctx); +} + +/** + * @brief Registers a curl's socket with tevent + * + * Creates a private structure, registers the socket with tevent and finally + * registers the tcurl_sock structure as a private pointer for the curl + * socket for later + */ +static struct tcurl_sock *register_curl_socket(struct tcurl_ctx *tctx, + curl_socket_t sockfd, + int 
flags) +{ + struct tcurl_sock *tcs; + + tcs = talloc_zero(tctx, struct tcurl_sock); + if (tcs == NULL) { + return NULL; + } + tcs->sockfd = sockfd; + tcs->tctx = tctx; + + tcs->fde = tevent_add_fd(tctx->ev, tcs, sockfd, flags, + tcurlsock_input_available, tcs); + if (tcs->fde == NULL) { + talloc_free(tcs); + return NULL; + } + + curl_multi_assign(tctx->multi_handle, sockfd, (void *) tcs); + return tcs; +} + +/* libcurl informs the application about socket activity to wait for with + * this callback */ +static int handle_socket(CURL *easy, + curl_socket_t s, + int action, + void *userp, + void *socketp) +{ + struct tcurl_ctx *tctx = NULL; + struct tcurl_sock *tcsock; + int flags = 0; + + tctx = talloc_get_type(userp, struct tcurl_ctx); + if (tctx == NULL) { + return 1; + } + + DEBUG(SSSDBG_TRACE_INTERNAL, + "Activity on curl socket %d socket data %p\n", s, socketp); + + switch (action) { + case CURL_POLL_IN: + case CURL_POLL_OUT: + case CURL_POLL_INOUT: + /* There is some activity on a socket */ + + flags = curl2tev_flags(action); + + if (socketp == NULL) { + /* If this socket doesn't have private data, it must be a new one, + * let's start tracking it with tevent + */ + tcsock = register_curl_socket(tctx, s, flags); + if (tcsock == NULL) { + return 1; + } + } else { + /* If we are already tracking this socket, just set the correct + * flags for tevent and pass the control to tevent + */ + tcsock = talloc_get_type(socketp, struct tcurl_sock); + if (tcsock == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "BUG: No private data for socket %d\n", s); + return 1; + } + tevent_fd_set_flags(tcsock->fde, flags); + } + break; + + case CURL_POLL_REMOVE: + /* This socket is being closed by curl, so we need to.. */ + tcsock = talloc_get_type(socketp, struct tcurl_sock); + if (tcsock == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "BUG: Trying to remove an untracked socket %d\n", s); + } + /* ..stop tracking the socket with the multi handle.. 
*/ + curl_multi_assign(tctx->multi_handle, s, NULL); + /* ..and stop tracking the fd with tevent */ + talloc_free(tcsock); + break; + + default: + return 1; + } + + return 0; +} + +static void check_curl_timeouts(struct tcurl_ctx *tctx) +{ + int running_handles; + + curl_multi_socket_action(tctx->multi_handle, + CURL_SOCKET_TIMEOUT, + 0, + &running_handles); + DEBUG(SSSDBG_TRACE_ALL, + "Still tracking %d outstanding requests\n", running_handles); + + /* https://ec.haxx.se/libcurl-drive-multi-socket.html */ + process_curl_activity(tctx); +} + +static void check_fd_activity(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *private_data) +{ + struct tcurl_ctx *tctx = talloc_get_type(private_data, struct tcurl_ctx); + check_curl_timeouts(tctx); +} + +static int schedule_fd_processing(CURLM *multi, + long timeout_ms, + void *userp) +{ + struct timeval tv = { 0, 0 }; + struct tcurl_ctx *tctx = talloc_get_type(userp, struct tcurl_ctx); + + DEBUG(SSSDBG_TRACE_INTERNAL, "timeout_ms: %ld\n", timeout_ms); + + if (timeout_ms == -1) { + /* man curlmopt_timerfunction(3) says: + * A timeout_ms value of -1 means you should delete your timer. + */ + talloc_zfree(tctx->process_timer); + check_curl_timeouts(tctx); + return 0; + } + + tv = tevent_timeval_current_ofs(0, timeout_ms * 1000); + + /* There is only one timer per multi handle, so it makes sense to cancel + * the previous one. + * + * From https://ec.haxx.se/libcurl-drive-multi-socket.html: + * There is only one timeout for the application to handle for the + * entire multi handle, no matter how many individual easy handles + * that have been added or transfers that are in progress. The timer + * callback will be updated with the current nearest-in-time period to + * wait. 
+ */ + talloc_zfree(tctx->process_timer); + tctx->process_timer = tevent_add_timer(tctx->ev, tctx, tv, + check_fd_activity, tctx); + if (tctx->process_timer == NULL) { + return -1; + } + + return 0; +} + +static int tcurl_ctx_destroy(struct tcurl_ctx *ctx) +{ + if (ctx == NULL) { + return 0; + } + + curl_multi_cleanup(ctx->multi_handle); + return 0; +} + +struct tcurl_ctx *tcurl_init(TALLOC_CTX *mem_ctx, + struct tevent_context *ev) +{ + errno_t ret; + struct tcurl_ctx *tctx = NULL; + CURLMcode cmret; + + /* Per the manpage it is safe to call the initialization multiple + * times, as long as this is done before any other curl calls to + * make sure we don't mangle the global curl environment + */ + ret = tcurl_global_init(); + if (ret != EOK) { + goto fail; + } + + tctx = talloc_zero(mem_ctx, struct tcurl_ctx); + if (tctx == NULL) { + goto fail; + } + tctx->ev = ev; + + tctx->multi_handle = curl_multi_init(); + if (tctx->multi_handle == NULL) { + goto fail; + } + talloc_set_destructor(tctx, tcurl_ctx_destroy); + + cmret = curl_multi_setopt(tctx->multi_handle, + CURLMOPT_SOCKETDATA, tctx); + if (cmret != CURLM_OK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot set CURLMOPT_SOCKETDATA [%d]: %s\n", + cmret, curl_multi_strerror(cmret)); + goto fail; + } + + /* + * When there is some activity on a socket associated with the multi + * handle, then the handle_socket() function will be called with the + * global context as private data + */ + cmret = curl_multi_setopt(tctx->multi_handle, + CURLMOPT_SOCKETFUNCTION, handle_socket); + if (cmret != CURLM_OK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot set CURLMOPT_SOCKETFUNCTION [%d]: %s\n", + cmret, curl_multi_strerror(cmret)); + goto fail; + } + + /* When integrated in a mainloop, the curl multi interface must + * kick off the communication in another eventloop tick. 
Similar + * to the handle_socet function, the tcurl context is passed in + * as private data + */ + cmret = curl_multi_setopt(tctx->multi_handle, + CURLMOPT_TIMERFUNCTION, schedule_fd_processing); + if (cmret != CURLM_OK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot set CURLMOPT_TIMERFUNCTION [%d]: %s\n", + cmret, curl_multi_strerror(cmret)); + goto fail; + } + + cmret = curl_multi_setopt(tctx->multi_handle, CURLMOPT_TIMERDATA, tctx); + if (cmret != CURLM_OK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot set CURLMOPT_TIMERDATA [%d]: %s\n", + cmret, curl_multi_strerror(cmret)); + } + + return tctx; + +fail: + talloc_free(tctx); + return NULL; +} + +#define tcurl_set_option(tcurl_req, option, value) \ +({ \ + CURLcode __curl_code; \ + errno_t __ret; \ + \ + __curl_code = curl_easy_setopt((tcurl_req)->curl_easy_handle, \ + (option), (value)); \ + if (__curl_code == CURLE_OK) { \ + __ret = EOK; \ + } else { \ + DEBUG(SSSDBG_OP_FAILURE, "Failed to set CURL option %s [%d]: %s\n", \ + #option, __curl_code, curl_easy_strerror(__curl_code)); \ + __ret = curl_code2errno(__curl_code); \ + } \ + __ret; \ +}) + +static size_t tcurl_write_data(char *ptr, + size_t size, + size_t nmemb, + void *userdata) +{ + errno_t ret; + size_t realsize = size * nmemb; + struct sss_iobuf *outbuf; + char *envval; + + outbuf = talloc_get_type(userdata, struct sss_iobuf); + + envval = getenv("SSS_KCM_LOG_PRIVATE_DATA"); + if (envval != NULL && strcasecmp(envval, "YES") == 0) { + DEBUG(SSSDBG_TRACE_INTERNAL, "---> begin libcurl data\n"); + DEBUG(SSSDBG_TRACE_INTERNAL, "%s\n", ptr); + DEBUG(SSSDBG_TRACE_INTERNAL, "<--- end libcurl data\n"); + } + + ret = sss_iobuf_write_len(outbuf, (uint8_t *)ptr, realsize); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Failed to write data to buffer [%d]: %s\n", + ret, sss_strerror(ret)); + /* zero signifies an EOF */ + return 0; + } + + return realsize; +} + +static size_t tcurl_read_data(void *ptr, + size_t size, + size_t nmemb, + void *userdata) +{ + errno_t ret; + 
size_t readbytes; + struct sss_iobuf *inbuf; + + inbuf = talloc_get_type(userdata, struct sss_iobuf); + + if (inbuf == NULL) { + return CURL_READFUNC_ABORT; + } + + ret = sss_iobuf_read(inbuf, size * nmemb, ptr, &readbytes); + if (ret != EOK) { + return CURL_READFUNC_ABORT; + } + + return readbytes; +} + + +struct tcurl_request { + CURL *curl_easy_handle; + + struct sss_iobuf *body; + struct curl_slist *headers; + + const char *url; + const char *socket; + + /* Associated tcurl context if this request is in progress. */ + struct tcurl_ctx *tcurl_ctx; +}; + +struct tcurl_request_state { + struct tcurl_request *tcurl_req; + struct sss_iobuf *response; + int response_code; +}; + +struct tevent_req * +tcurl_request_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct tcurl_ctx *tcurl_ctx, + struct tcurl_request *tcurl_req, + long int timeout) +{ + struct tcurl_request_state *state; + struct tevent_req *req; + CURLMcode curl_code; + errno_t ret; + + req = tevent_req_create(mem_ctx, &state, struct tcurl_request_state); + if (req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to create tevent request!\n"); + return NULL; + } + + DEBUG(SSSDBG_TRACE_FUNC, "Sending TCURL request for %s, at socket %s\n", + tcurl_req->url == NULL ? "" : tcurl_req->url, + tcurl_req->socket == NULL ? 
"" : tcurl_req->socket); + + state->tcurl_req = talloc_steal(state, tcurl_req); + + state->response = sss_iobuf_init_empty(state, TCURL_IOBUF_CHUNK, TCURL_IOBUF_MAX); + if (state->response == NULL) { + ret = ENOMEM; + goto done; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_PRIVATE, req); + if (ret != EOK) { + goto done; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_TIMEOUT, timeout); + if (ret != EOK) { + goto done; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_WRITEFUNCTION, tcurl_write_data); + if (ret != EOK) { + goto done; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_WRITEDATA, state->response); + if (ret != EOK) { + goto done; + } + + if (tcurl_req->body != NULL) { + ret = tcurl_set_option(tcurl_req, CURLOPT_READFUNCTION, tcurl_read_data); + if (ret != EOK) { + goto done; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_READDATA, tcurl_req->body); + if (ret != EOK) { + goto done; + } + } + + curl_code = curl_multi_add_handle(tcurl_ctx->multi_handle, + tcurl_req->curl_easy_handle); + if (curl_code != CURLM_OK) { + ret = curlm_code2errno(curl_code); + goto done; + } + + tcurl_req->tcurl_ctx = tcurl_ctx; + + ret = EAGAIN; + +done: + if (ret == EOK) { + tevent_req_done(req); + tevent_req_post(req, ev); + } else if (ret != EAGAIN) { + tevent_req_error(req, ret); + tevent_req_post(req, ev); + } + + return req; +} + +static void tcurl_request_done(struct tevent_req *req, + errno_t process_error, + int response_code) +{ + struct tcurl_request_state *state; + + DEBUG(SSSDBG_TRACE_FUNC, "TCURL request finished [%d]: %s\n", + process_error, sss_strerror(process_error)); + + if (req == NULL) { + /* To handle case where we fail to obtain request from private data. 
*/ + DEBUG(SSSDBG_MINOR_FAILURE, "No tevent request provided!\n"); + return; + } + + state = tevent_req_data(req, struct tcurl_request_state); + + curl_multi_remove_handle(state->tcurl_req->tcurl_ctx->multi_handle, + state->tcurl_req->curl_easy_handle); + + /* This request is no longer associated with tcurl context. */ + state->tcurl_req->tcurl_ctx = NULL; + + if (process_error != EOK) { + tevent_req_error(req, process_error); + return; + } + + state->response_code = response_code; + + tevent_req_done(req); + return; +} + +errno_t tcurl_request_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + struct sss_iobuf **_response, + int *_response_code) +{ + struct tcurl_request_state *state; + state = tevent_req_data(req, struct tcurl_request_state); + + TEVENT_REQ_RETURN_ON_ERROR(req); + + if (_response != NULL) { + *_response = talloc_steal(mem_ctx, state->response); + } + + if (_response_code != NULL) { + *_response_code = state->response_code; + } + + return EOK; +} + +static struct curl_slist * +tcurl_add_header(struct curl_slist *slist, const char *header) +{ + struct curl_slist *new; + + new = curl_slist_append(slist, header); + if (new == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add header %s\n", header); + if (slist != NULL) { + curl_slist_free_all(slist); + } + + return NULL; + } + + return new; +} + +static errno_t +tcurl_construct_headers(const char **headers, + struct curl_slist **_slist) +{ + struct curl_slist *slist = NULL; + int i; + + if (headers == NULL || headers[0] == NULL) { + *_slist = NULL; + return EOK; + } + + for (i = 0; headers[i] != NULL; i++) { + slist = tcurl_add_header(slist, headers[i]); + if (slist == NULL) { + return ENOMEM; + } + } + + /* Add a dummy header to suppress libcurl adding Expect 100-continue which + * was causing libcurl to always wait for the internal timeout when sending + * a PUT/POST request because secrets responder does not implement this. 
+ */ + slist = tcurl_add_header(slist, "Expect: "); + if (slist == NULL) { + return ENOMEM; + } + + *_slist = slist; + + return EOK; +} + +static int +tcurl_request_destructor(struct tcurl_request *tcurl_req) +{ + if (tcurl_req->tcurl_ctx != NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Terminating TCURL request...\n"); + curl_multi_remove_handle(tcurl_req->tcurl_ctx->multi_handle, + tcurl_req->curl_easy_handle); + } + + if (tcurl_req->headers != NULL) { + curl_slist_free_all(tcurl_req->headers); + } + + if (tcurl_req->curl_easy_handle != NULL) { + curl_easy_cleanup(tcurl_req->curl_easy_handle); + } + + return 0; +} + +static struct tcurl_request * +tcurl_request_create(TALLOC_CTX *mem_ctx, + const char *socket_path, + const char *url, + const char **headers, + struct sss_iobuf *body) +{ + struct tcurl_request *tcurl_req; + errno_t ret; + + tcurl_req = talloc_zero(mem_ctx, struct tcurl_request); + if (tcurl_req == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + return NULL; + } + + if (url == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "URL cannot be NULL!\n"); + ret = EINVAL; + goto done; + } + + /* Setup a curl easy handle. This handle contains state for the request + * and is later associated with curl multi handle which performs + * asynchronous processing. 
*/ + tcurl_req->curl_easy_handle = curl_easy_init(); + if (tcurl_req->curl_easy_handle == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to initialize curl easy handle!\n"); + ret = ENOMEM; + goto done; + } + + tcurl_req->url = talloc_strdup(tcurl_req, url); + if (tcurl_req->url == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + ret = ENOMEM; + goto done; + } + + if (socket_path != NULL) { + tcurl_req->socket = talloc_strdup(tcurl_req, socket_path); + if (tcurl_req->socket == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Out of memory!\n"); + ret = ENOMEM; + goto done; + } + } + + ret = tcurl_construct_headers(headers, &tcurl_req->headers); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to construct headers [%d]: %s\n", + ret, sss_strerror(ret)); + ret = ENOMEM; + goto done; + } + + tcurl_req->body = body; + + talloc_set_destructor(tcurl_req, tcurl_request_destructor); + + ret = tcurl_set_option(tcurl_req, CURLOPT_URL, url); + if (ret != EOK) { + goto done; + } + + if (socket_path != NULL) { + ret = tcurl_set_option(tcurl_req, CURLOPT_UNIX_SOCKET_PATH, socket_path); + if (ret != EOK) { + goto done; + } + } + + if (body != NULL) { + /* Curl will tell the underlying protocol about incoming data length. + * In case of HTTP it will add a sane Content-Length header. */ + ret = tcurl_set_option(tcurl_req, CURLOPT_INFILESIZE_LARGE, + (curl_off_t)sss_iobuf_get_size(body)); + if (ret != EOK) { + goto done; + } + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(tcurl_req); + return NULL; + } + + return tcurl_req; +} + +struct tcurl_request *tcurl_http(TALLOC_CTX *mem_ctx, + enum tcurl_http_method method, + const char *socket_path, + const char *url, + const char **headers, + struct sss_iobuf *body) +{ + struct tcurl_request *tcurl_req; + errno_t ret; + + tcurl_req = tcurl_request_create(mem_ctx, socket_path, url, headers, body); + if (tcurl_req == NULL) { + return NULL; + } + + /* Set HTTP specific options. 
*/ + + ret = tcurl_set_option(tcurl_req, CURLOPT_HTTPHEADER, tcurl_req->headers); + if (ret != EOK) { + goto done; + } + + switch (method) { + case TCURL_HTTP_GET: + /* Nothing to do here. GET is default. */ + break; + case TCURL_HTTP_PUT: + ret = tcurl_set_option(tcurl_req, CURLOPT_UPLOAD, 1L); + if (ret != EOK) { + goto done; + } + break; + case TCURL_HTTP_POST: + ret = tcurl_set_option(tcurl_req, CURLOPT_CUSTOMREQUEST, "POST"); + if (ret != EOK) { + goto done; + } + break; + case TCURL_HTTP_DELETE: + ret = tcurl_set_option(tcurl_req, CURLOPT_CUSTOMREQUEST, "DELETE"); + if (ret != EOK) { + goto done; + } + break; + } + + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(tcurl_req); + return NULL; + } + + return tcurl_req; +} + +struct tevent_req *tcurl_http_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, + struct tcurl_ctx *tcurl_ctx, + enum tcurl_http_method method, + const char *socket_path, + const char *url, + const char **headers, + struct sss_iobuf *body, + int timeout) +{ + struct tcurl_request *tcurl_req; + struct tevent_req *req; + + tcurl_req = tcurl_http(mem_ctx, method, socket_path, url, headers, body); + if (tcurl_req == NULL) { + return NULL; + } + + req = tcurl_request_send(mem_ctx, ev, tcurl_ctx, tcurl_req, timeout); + if (req == NULL) { + talloc_free(tcurl_req); + } + + return req; +} + +errno_t tcurl_http_recv(TALLOC_CTX *mem_ctx, + struct tevent_req *req, + int *_http_code, + struct sss_iobuf **_response) +{ + return tcurl_request_recv(mem_ctx, req, _response, _http_code); +} + +errno_t tcurl_req_enable_rawoutput(struct tcurl_request *tcurl_req) +{ + return tcurl_set_option(tcurl_req, CURLOPT_HEADER, 1L); +} + +errno_t tcurl_req_verify_peer(struct tcurl_request *tcurl_req, + const char *capath, + const char *cacert, + bool verify_peer, + bool verify_host) +{ + errno_t ret; + + long peer = verify_peer ? 1L : 0L; + long host = verify_host ? 
2L : 0L; + + ret = tcurl_set_option(tcurl_req, CURLOPT_SSL_VERIFYPEER, peer); + if (ret != EOK) { + return ret; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_SSL_VERIFYHOST, host); + if (ret != EOK) { + return ret; + } + + if (capath != NULL) { + ret = tcurl_set_option(tcurl_req, CURLOPT_CAPATH, capath); + if (ret != EOK) { + return ret; + } + } + + if (cacert != NULL) { + ret = tcurl_set_option(tcurl_req, CURLOPT_CAINFO, cacert); + if (ret != EOK) { + return ret; + } + } + + return EOK; +} + +errno_t tcurl_req_set_client_cert(struct tcurl_request *tcurl_req, + const char *cert, + const char *key) +{ + errno_t ret; + + if (cert == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "You must specify client certificate!\n"); + return EINVAL; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_SSLCERT, cert); + if (ret != EOK) { + return ret; + } + + if (key != NULL) { + /* If client's private key is in separate file. */ + ret = tcurl_set_option(tcurl_req, CURLOPT_SSLKEY, key); + if (ret != EOK) { + return ret; + } + } + + return EOK; +} + +errno_t tcurl_req_http_basic_auth(struct tcurl_request *tcurl_req, + const char *username, + const char *password) +{ + errno_t ret; + + ret = tcurl_set_option(tcurl_req, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); + if (ret != EOK) { + return ret; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_USERNAME, username); + if (ret != EOK) { + return ret; + } + + ret = tcurl_set_option(tcurl_req, CURLOPT_PASSWORD, password); + if (ret != EOK) { + return ret; + } + + return EOK; +} diff --git a/src/util/tev_curl.h b/src/util/tev_curl.h new file mode 100644 index 0000000..c733127 --- /dev/null +++ b/src/util/tev_curl.h 
@@ -0,0 +1,261 @@
+/*
+ SSSD
+
+ libcurl tevent integration
+
+ Copyright (C) Red Hat, 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#ifndef __TEV_CURL_H
+#define __TEV_CURL_H
+
+#include
+#include
+
+#include "util/sss_iobuf.h"
+
+struct tcurl_request;
+
+/**
+ * @brief Supported HTTP methods
+ */
+enum tcurl_http_method {
+ TCURL_HTTP_GET,
+ TCURL_HTTP_PUT,
+ TCURL_HTTP_POST,
+ TCURL_HTTP_DELETE,
+};
+
+/**
+ * @brief Initialize the tcurl tevent wrapper.
+ *
+ * @returns the opaque context or NULL on error
+ */
+struct tcurl_ctx *tcurl_init(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev);
+
+/**
+ * @brief Run a single asynchronous TCURL request.
+ *
+ * If the libcurl processing succeeds but we obtain a protocol error we still
+ * mark the tevent request as successful. The protocol error is return from
+ * @tcurl_request_recv as an output parameter.
+ *
+ * @param[in] mem_ctx The talloc context that owns the request
+ * @param[in] ev Event loop context
+ * @param[in] tctx Use tcurl_init to get this context
+ * @param[in] tcurl_req TCURL request
+ * @param[in] timeout The request timeout in seconds. Use 0 if you want
+ * to use the default libcurl timeout.
+ *
+ * @returns A tevent request or NULL on allocation error. On other errors, we
+ * try to set the errno as event error code and run it to completion so that
+ * the programmer can use tcurl_request_recv to read the error code.
+ *
+ * @see tcurl_init
+ * @see tcurl_http
+ * @see tcurl_request_recv
+ */
+struct tevent_req *
+tcurl_request_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct tcurl_ctx *tcurl_ctx,
+ struct tcurl_request *tcurl_req,
+ long int timeout);
+
+/**
+ * @brief Receive a result of a single asynchronous TCURL request.
+ *
+ * @param[in] mem_ctx The talloc context that owns the response
+ * @param[in] req The request previously obtained with tcurl_request_send
+ * @param[out] _response Response to the request
+ * @param[out] _response_code Protocol response code (may indicate a protocl error)
+ *
+ * @returns The error code of the curl request (not the HTTP code!)
+ */
+errno_t tcurl_request_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ struct sss_iobuf **_response,
+ int *_response_code);
+
+/**
+ * @brief Create a HTTP request.
+ *
+ * Use this if you need better control over the request options.
+ *
+ * Headers are a NULL-terminated array of strings such as:
+ * static const char *headers[] = {
+ * "Content-type: application/octet-stream",
+ * NULL,
+ * };
+ *
+ * @param[in] mem_ctx The talloc context that owns the tcurl_request
+ * @param[in] method TCURL HTTP method
+ * @param[in] socket_path The path to the UNIX socket to forward the
+ * request to, may be NULL.
+ * @param[in] url The request URL, cannot be NULL.
+ * @param[in] headers A NULL-terminated array of strings to use
+ * as additional HTTP headers. Pass NULL if you
+ * don't need any additional headers.
+ * @param[in] body The HTTP request input data. For some request
+ * types like DELETE, this is OK to leave as NULL.
+ *
+ * @returns A tcurl_request that can be later started with tcurl_request_send
+ * or NULL on error.
+ *
+ * @see tcurl_init
+ * @see tcurl_request_send
+ * @see tcurl_request_recv
+ */
+struct tcurl_request *tcurl_http(TALLOC_CTX *mem_ctx,
+ enum tcurl_http_method method,
+ const char *socket_path,
+ const char *url,
+ const char **headers,
+ struct sss_iobuf *body);
+
+/**
+ * @brief Run a single asynchronous HTTP request.
+ *
+ * Use this if you do not need control over additional request options.
+ *
+ * If the request runs into completion, but reports a failure with HTTP return
+ * code, the request will be marked as done. Only if the request cannot run at
+ * all (if e.g. the socket is unreachable), the request will fail completely.
+ *
+ * Headers are a NULL-terminated array of strings such as:
+ * static const char *headers[] = {
+ * "Content-type: application/octet-stream",
+ * NULL,
+ * };
+ *
+ * @param[in] mem_ctx The talloc context that owns the iobuf
+ * @param[in] ev Event loop context
+ * @param[in] tcurl_ctx Use tcurl_init to get this context
+ * @param[in] method HTTP method
+ * @param[in] socket_path The path to the UNIX socket to forward the
+ * request to, may be NULL.
+ * @param[in] url The request URL, cannot be NULL.
+ * @param[in] headers A NULL-terminated array of strings to use
+ * as additional HTTP headers. Pass NULL if you
+ * don't need any additional headers.
+ * @param[in] body The HTTP request input data. For some request
+ * types like DELETE, this is OK to leave as NULL.
+ * @param[in] timeout The request timeout in seconds. Use 0 if you want
+ * to use the default libcurl timeout.
+ *
+ * @returns A tevent request or NULL on allocation error. On other errors, we
+ * try to set the errno as event error code and run it to completion so that
+ * the programmer can use tcurl_http_recv to read the error code.
+ *
+ * @see tcurl_init
+ * @see tcurl_http_recv
+ */
+struct tevent_req *tcurl_http_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct tcurl_ctx *tcurl_ctx,
+ enum tcurl_http_method method,
+ const char *socket_path,
+ const char *url,
+ const char **headers,
+ struct sss_iobuf *body,
+ int timeout);
+
+/**
+ * @brief Receive a result of a single asynchronous HTTP request.
+ *
+ * @param[in] mem_ctx The talloc context that owns the outbuf
+ * @param[in] req The request previously obtained with
+ * tcurl_http_send
+ * @param[out] _http_code The HTTP code that the transfer ended with
+ * @param[out] _outbuf The raw data the HTTP request returned
+ *
+ * @returns The error code of the curl request (not the HTTP code!)
+ */
+errno_t tcurl_http_recv(TALLOC_CTX *mem_ctx,
+ struct tevent_req *req,
+ int *_http_code,
+ struct sss_iobuf **_response);
+
+/**
+ * @brief We are usually interested only in the reply body without protocol
+ * headers. Call this function on tcurl_request, if you want to include
+ * complete protocol response in the output buffer.
+ *
+ * @param[in] tcurl_request
+ *
+ * @returns errno code
+ *
+ * @see tcurl_http
+ */
+errno_t tcurl_req_enable_rawoutput(struct tcurl_request *tcurl_req);
+
+/**
+ * @brief TLS is enabled automatically by providing an URL that points to
+ * TLS-enabled protocol such as https. If you want to provide different
+ * path to CA directory or disable peer/hostname check explicitly, use
+ * this function on tcurl_request.
+ *
+ * @param[in] tcurl_request
+ * @param[in] capath Path to directory containing installed CA certificates.
+ * If not set, libcurl default is used.
+ * @param[ing cacert CA certificate. If NULL it is found in @capath.
+ * @param[in] verify_peer If false, the peer certificate is not verified.
+ * @param[in] verify_host If false, the host name provided in remote
+ * certificate may differ from the actual host name.
+ *
+ * @returns errno code
+ *
+ * @see tcurl_http
+ */
+errno_t tcurl_req_verify_peer(struct tcurl_request *tcurl_req,
+ const char *capath,
+ const char *cacert,
+ bool verify_peer,
+ bool verify_host);
+/**
+ * @brief Some server require client verification during TLS setup. You can
+ * provide path to client's certificate file. If this file does not contain
+ * private key, you can specify a different file the holds the private key.
+ *
+ * @param[in] tcurl_request
+ * @param[in] cert Path to client's certificate.
+ * @param[in] key Path to client's private key.
+ *
+ * @returns errno code
+ *
+ * @see tcurl_http
+ */
+errno_t tcurl_req_set_client_cert(struct tcurl_request *tcurl_req,
+ const char *cert,
+ const char *key);
+
+/**
+ * @brief Force HTTP basic authentication with @username and @password.
+ *
+ * @param[in] tcurl_request
+ * @param[in] username
+ * @param[in] password
+ *
+ * @returns errno code
+ *
+ * @see tcurl_http
+ */
+errno_t tcurl_req_http_basic_auth(struct tcurl_request *tcurl_req,
+ const char *username,
+ const char *password);
+
+#endif /* __TEV_CURL_H */
diff --git a/src/util/user_info_msg.c b/src/util/user_info_msg.c
new file mode 100644
index 0000000..1399544
--- /dev/null
+++ b/src/util/user_info_msg.c
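Review bot: The doc comment for `tcurl_req_verify_peer` presents `verify_peer` and `verify_host` as neutral switches and never states that passing false removes server authentication from the TLS connection. I would add to that comment: `Passing false for either flag means the remote end is no longer authenticated; keep both true unless the peer is trusted by other means.` The comment for `tcurl_req_http_basic_auth` should likewise say `The credentials are only protected in transit when the request URL uses TLS.` Separately, several tags do not match the prototypes: `@param[ing cacert` is malformed, `tctx` and `_outbuf` name parameters that are declared as `tcurl_ctx` and `_response`, and `tcurl_request` stands in for `tcurl_req`. `tcurl_request_send` also takes `long int timeout` while `tcurl_http_send` takes `int timeout`, which is worth unifying or documenting.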
@@ -0,0 +1,57 @@
+/*
+ SSSD
+
+ Pack user info messages
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "util/util.h"
+#include "util/user_info_msg.h"
+#include "sss_client/sss_cli.h"
+
+errno_t pack_user_info_chpass_error(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *resp_len,
+ uint8_t **_resp)
+{
+ uint32_t resp_type = SSS_PAM_USER_INFO_CHPASS_ERROR;
+ size_t err_len;
+ uint8_t *resp;
+ size_t p;
+
+ err_len = strlen(user_error_message);
+ *resp_len = 2 * sizeof(uint32_t) + err_len;
+ resp = talloc_size(mem_ctx, *resp_len);
+ if (resp == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+ return ENOMEM;
+ }
+
+ p = 0;
+ SAFEALIGN_SET_UINT32(&resp[p], resp_type, &p);
+ SAFEALIGN_SET_UINT32(&resp[p], err_len, &p);
+ safealign_memcpy(&resp[p], user_error_message, err_len, &p);
+ if (p != *resp_len) {
+ DEBUG(SSSDBG_FATAL_FAILURE, "Size mismatch\n");
+ }
+
+ *_resp = resp;
+ return EOK;
+}
diff --git a/src/util/user_info_msg.h b/src/util/user_info_msg.h
new file mode 100644
index 0000000..c68d538
--- /dev/null
+++ b/src/util/user_info_msg.h
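Review bot: In `pack_user_info_chpass_error` the `size_t err_len` is written into a 32-bit length field by `SAFEALIGN_SET_UINT32(&resp[p], err_len, &p)` with no range check, so an over-long message would leave the length prefix disagreeing with the bytes copied after it (assuming the macro stores a `uint32_t`, as its name suggests). `user_error_message` is also handed to `strlen()` without a NULL check. I would guard both up front with `if (user_error_message == NULL) return EINVAL;` and, right after the `strlen`, `if (err_len > UINT32_MAX - 2 * sizeof(uint32_t)) return EINVAL;`. The closing `p != *resp_len` test only logs and the function still returns EOK with the buffer, so it is a consistency assertion rather than a guard; a comment saying so, or returning an error there, would make the intent clear.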
@@ -0,0 +1,33 @@
+/*
+ SSSD
+
+ Pack user info messages
+
+ Authors:
+ Sumit Bose
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+#ifndef __USER_INFO_MSG_H__
+#define __USER_INFO_MSG_H__
+
+
+errno_t pack_user_info_chpass_error(TALLOC_CTX *mem_ctx,
+ const char *user_error_message,
+ size_t *len,
+ uint8_t **_resp);
+
+#endif /* __USER_INFO_MSG_H__ */
diff --git a/src/util/usertools.c b/src/util/usertools.c
new file mode 100644
index 0000000..33f4f78
--- /dev/null
+++ b/src/util/usertools.c
@@ -0,0 +1,885 @@ +/* + SSSD + + User tools + + Copyright (C) Stephen Gallagher 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#include "confdb/confdb.h" +#include "util/strtonum.h" +#include "util/util.h" +#include "util/safe-format-string.h" +#include "responder/common/responder.h" + +#ifdef HAVE_LIBPCRE_LESSER_THAN_7 +#define NAME_DOMAIN_PATTERN_OPTIONS (PCRE_EXTENDED) +#else +#define NAME_DOMAIN_PATTERN_OPTIONS (PCRE_DUPNAMES | PCRE_EXTENDED) +#endif + +/* Function returns given realm name as new uppercase string */ +char *get_uppercase_realm(TALLOC_CTX *memctx, const char *name) +{ + char *realm; + char *c; + + realm = talloc_strdup(memctx, name); + if (!realm) { + return NULL; + } + + c = realm; + while(*c != '\0') { + *c = toupper(*c); + c++; + } + + return realm; +} + + +static int sss_names_ctx_destructor(struct sss_names_ctx *snctx) +{ + if (snctx->re) { + pcre_free(snctx->re); + snctx->re = NULL; + } + return 0; +} + +#define IPA_AD_DEFAULT_RE "(((?P[^\\\\]+)\\\\(?P.+$))|" \ + "((?P[^@]+)@(?P.+$))|" \ + "(^(?P[^@\\\\]+)$))" + +static errno_t get_id_provider_default_re(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *conf_path, + char **re_pattern) +{ +#ifdef HAVE_LIBPCRE_LESSER_THAN_7 + DEBUG(SSSDBG_MINOR_FAILURE, + "The libpcre version on this system is too old. 
Only " + "the user@DOMAIN name fully qualified name format will " + "be supported\n"); + *re_pattern = NULL; + return EOK; +#else + int ret; + size_t c; + char *id_provider = NULL; + + struct provider_default_re { + const char *name; + const char *re; + } provider_default_re[] = {{"ipa", IPA_AD_DEFAULT_RE}, + {"ad", IPA_AD_DEFAULT_RE}, + {NULL, NULL}}; + + ret = confdb_get_string(cdb, mem_ctx, conf_path, CONFDB_DOMAIN_ID_PROVIDER, + NULL, &id_provider); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to read ID provider " \ + "from conf db.\n"); + goto done; + } + + if (id_provider == NULL) { + *re_pattern = NULL; + } else { + for (c = 0; provider_default_re[c].name != NULL; c++) { + if (strcmp(id_provider, provider_default_re[c].name) == 0) { + *re_pattern = talloc_strdup(mem_ctx, provider_default_re[c].re); + if (*re_pattern == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + break; + } + } + } + + ret = EOK; + +done: + talloc_free(id_provider); + return ret; +#endif +} + +static errno_t sss_fqnames_init(struct sss_names_ctx *nctx, const char *fq_fmt) +{ + char *fq; + + nctx->fq_fmt = talloc_strdup(nctx, fq_fmt); + if (nctx->fq_fmt == NULL) { + return ENOMEM; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Using fq format [%s].\n", nctx->fq_fmt); + + /* Fail if the name specifier is missing, or if the format is + * invalid */ + fq = sss_tc_fqname2 (nctx, nctx, "unused.example.com", "unused", "the-test-user"); + if (fq == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "The fq format is invalid [%s]\n", nctx->fq_fmt); + return EINVAL; + } else if (strstr (fq, "the-test-user") == NULL) { + DEBUG(SSSDBG_OP_FAILURE, + "Username pattern not found in [%s]\n", nctx->fq_fmt); + return ENOENT; + } + + talloc_free (fq); + return EOK; +} + +int sss_names_init_from_args(TALLOC_CTX *mem_ctx, const char *re_pattern, + const char *fq_fmt, struct sss_names_ctx **out) +{ + struct sss_names_ctx *ctx; + const char *errstr; + int errval; + int 
errpos; + int ret; + + ctx = talloc_zero(mem_ctx, struct sss_names_ctx); + if (!ctx) return ENOMEM; + talloc_set_destructor(ctx, sss_names_ctx_destructor); + + ctx->re_pattern = talloc_strdup(ctx, re_pattern); + if (ctx->re_pattern == NULL) { + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_CONF_SETTINGS, "Using re [%s].\n", ctx->re_pattern); + + ret = sss_fqnames_init(ctx, fq_fmt); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Could not check the FQ names format" + "[%d]: %s\n", ret, sss_strerror(ret)); + goto done; + } + + ctx->re = pcre_compile2(ctx->re_pattern, + NAME_DOMAIN_PATTERN_OPTIONS, + &errval, &errstr, &errpos, NULL); + if (!ctx->re) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Invalid Regular Expression pattern at position %d." + " (Error: %d [%s])\n", errpos, errval, errstr); + ret = EFAULT; + goto done; + } + + *out = ctx; + ret = EOK; + +done: + if (ret != EOK) { + talloc_free(ctx); + } + return ret; +} + +int sss_names_init(TALLOC_CTX *mem_ctx, struct confdb_ctx *cdb, + const char *domain, struct sss_names_ctx **out) +{ + TALLOC_CTX *tmpctx = NULL; + char *conf_path = NULL; + char *re_pattern = NULL; + char *fq_fmt = NULL; + int ret; + + tmpctx = talloc_new(NULL); + if (tmpctx == NULL) { + ret = ENOMEM; + goto done; + } + + if (domain != NULL) { + conf_path = talloc_asprintf(tmpctx, CONFDB_DOMAIN_PATH_TMPL, domain); + if (conf_path == NULL) { + ret = ENOMEM; + goto done; + } + + ret = confdb_get_string(cdb, tmpctx, conf_path, + CONFDB_NAME_REGEX, NULL, &re_pattern); + if (ret != EOK) goto done; + } + + /* If not found in the domain, look in globals */ + if (re_pattern == NULL) { + ret = confdb_get_string(cdb, tmpctx, CONFDB_MONITOR_CONF_ENTRY, + CONFDB_NAME_REGEX, NULL, &re_pattern); + if (ret != EOK) goto done; + } + + if (re_pattern == NULL && conf_path != NULL) { + ret = get_id_provider_default_re(tmpctx, cdb, conf_path, &re_pattern); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Failed to get provider default regular " \ + "expression for domain 
[%s].\n", domain); + goto done; + } + } + + if (!re_pattern) { + re_pattern = talloc_strdup(tmpctx, + "(?P[^@]+)@?(?P[^@]*$)"); + if (!re_pattern) { + ret = ENOMEM; + goto done; + } +#ifdef HAVE_LIBPCRE_LESSER_THAN_7 + } else { + DEBUG(SSSDBG_OP_FAILURE, + "This binary was build with a version of libpcre that does " + "not support non-unique named subpatterns.\n"); + DEBUG(SSSDBG_OP_FAILURE, + "Please make sure that your pattern [%s] only contains " + "subpatterns with a unique name and uses " + "the Python syntax (?P).\n", re_pattern); +#endif + } + + if (conf_path != NULL) { + ret = confdb_get_string(cdb, tmpctx, conf_path, + CONFDB_FULL_NAME_FORMAT, NULL, &fq_fmt); + if (ret != EOK) goto done; + } + + /* If not found in the domain, look in globals */ + if (fq_fmt == NULL) { + ret = confdb_get_string(cdb, tmpctx, CONFDB_MONITOR_CONF_ENTRY, + CONFDB_FULL_NAME_FORMAT, NULL, &fq_fmt); + if (ret != EOK) goto done; + } + + if (!fq_fmt) { + fq_fmt = talloc_strdup(tmpctx, CONFDB_DEFAULT_FULL_NAME_FORMAT); + if (!fq_fmt) { + ret = ENOMEM; + goto done; + } + } + + ret = sss_names_init_from_args(mem_ctx, re_pattern, fq_fmt, out); + +done: + talloc_free(tmpctx); + return ret; +} + +int sss_ad_default_names_ctx(TALLOC_CTX *mem_ctx, + struct sss_names_ctx **_out) +{ + return sss_names_init_from_args(mem_ctx, IPA_AD_DEFAULT_RE, + CONFDB_DEFAULT_FULL_NAME_FORMAT, + _out); +} + +int sss_parse_name(TALLOC_CTX *memctx, + struct sss_names_ctx *snctx, + const char *orig, char **_domain, char **_name) +{ + pcre *re = snctx->re; + const char *result; + int ovec[30]; + int origlen; + int ret, strnum; + + origlen = strlen(orig); + + ret = pcre_exec(re, NULL, orig, origlen, 0, PCRE_NOTEMPTY, ovec, 30); + if (ret == PCRE_ERROR_NOMATCH) { + return ERR_REGEX_NOMATCH; + } else if (ret < 0) { + DEBUG(SSSDBG_MINOR_FAILURE, "PCRE Matching error, %d\n", ret); + return EINVAL; + } + + if (ret == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Too many matches, the pattern is invalid.\n"); + } + + strnum = 
ret; + + if (_name != NULL) { + result = NULL; + ret = pcre_get_named_substring(re, orig, ovec, strnum, "name", &result); + if (ret < 0 || !result) { + DEBUG(SSSDBG_OP_FAILURE, "Name not found!\n"); + return EINVAL; + } + *_name = talloc_strdup(memctx, result); + pcre_free_substring(result); + if (!*_name) return ENOMEM; + } + + if (_domain != NULL) { + result = NULL; + ret = pcre_get_named_substring(re, orig, ovec, strnum, "domain", + &result); + if (ret < 0 || !result) { + DEBUG(SSSDBG_CONF_SETTINGS, "Domain not provided!\n"); + *_domain = NULL; + } else { + /* ignore "" string */ + if (*result) { + *_domain = talloc_strdup(memctx, result); + pcre_free_substring(result); + if (!*_domain) return ENOMEM; + } else { + pcre_free_substring(result); + *_domain = NULL; + } + } + } + + return EOK; +} + +static struct sss_domain_info * match_any_domain_or_subdomain_name( + struct sss_domain_info *dom, + const char *dmatch) +{ + if (strcasecmp(dom->name, dmatch) == 0 || + (dom->flat_name != NULL && strcasecmp(dom->flat_name, dmatch) == 0)) { + return dom; + } + + return find_domain_by_name(dom, dmatch, true); +} + +int sss_parse_name_for_domains(TALLOC_CTX *memctx, + struct sss_domain_info *domains, + const char *default_domain, + const char *orig, char **domain, char **name) +{ + struct sss_domain_info *dom, *match = NULL; + char *rdomain, *rname; + char *dmatch, *nmatch; + char *candidate_name = NULL; + char *candidate_domain = NULL; + bool name_mismatch = false; + TALLOC_CTX *tmp_ctx; + int ret; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + rname = NULL; + rdomain = NULL; + + for (dom = domains; dom != NULL; dom = get_next_domain(dom, 0)) { + ret = sss_parse_name(tmp_ctx, dom->names, orig, &dmatch, &nmatch); + if (ret == EOK) { + /* + * If the name matched without the domain part, make note of it. + * All the other domain expressions must agree on the domain-less + * name. 
+ */ + if (dmatch == NULL) { + if (candidate_name == NULL) { + candidate_name = nmatch; + } else if (strcasecmp(candidate_name, nmatch) != 0) { + name_mismatch = true; + } + + /* + * If a domain was returned, then it must match the name of the + * domain that this expression was found on, or one of the + * subdomains. + */ + } else { + match = match_any_domain_or_subdomain_name (dom, dmatch); + if (match != NULL) { + DEBUG(SSSDBG_FUNC_DATA, "name '%s' matched expression for " + "domain '%s', user is %s\n", + orig, match->name, nmatch); + rdomain = talloc_strdup(tmp_ctx, match->name); + if (rdomain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + rname = nmatch; + break; + } else if (candidate_domain == NULL) { + candidate_domain = dmatch; + } + } + + /* EINVAL is returned when name doesn't match */ + } else if (ret != EINVAL) { + goto done; + } + } + + if (rdomain == NULL && rname == NULL) { + if (candidate_name && !name_mismatch) { + DEBUG(SSSDBG_FUNC_DATA, "name '%s' matched without domain, " \ + "user is %s\n", orig, nmatch); + rdomain = NULL; + if (default_domain != NULL) { + rdomain = talloc_strdup(tmp_ctx, default_domain); + if (rdomain == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); + ret = ENOMEM; + goto done; + } + + for (dom = domains; dom != NULL; dom = get_next_domain(dom, 0)) { + match = match_any_domain_or_subdomain_name(dom, rdomain); + if (match != NULL) { + break; + } + } + if (match == NULL) { + DEBUG(SSSDBG_FUNC_DATA, "default domain [%s] is currently " \ + "not known\n", rdomain); + *domain = talloc_steal(memctx, rdomain); + ret = EAGAIN; + goto done; + } + DEBUG(SSSDBG_FUNC_DATA, "using default domain [%s]\n", rdomain); + } + + rname = candidate_name; + } else if (candidate_domain) { + /* This branch is taken when the input matches the configured + * regular expression, but the domain is now known. 
Normally, this
+ * is the case with a FQDN of a user from subdomain that was not
+ * yet discovered
+ */
+ *domain = talloc_steal(memctx, candidate_domain);
+ ret = EAGAIN;
+ goto done;
+ }
+ }
+
+ if (rdomain == NULL && rname == NULL) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "name '%s' did not match any domain's expression\n", orig);
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (domain != NULL) {
+ *domain = talloc_steal(memctx, rdomain);
+ }
+
+ if (name != NULL) {
+ *name = talloc_steal(memctx, rname);
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+char *
+sss_get_cased_name(TALLOC_CTX *mem_ctx,
+ const char *orig_name,
+ bool case_sensitive)
+{
+ return case_sensitive ? talloc_strdup(mem_ctx, orig_name) :
+ sss_tc_utf8_str_tolower(mem_ctx, orig_name);
+}
+
+errno_t
+sss_get_cased_name_list(TALLOC_CTX *mem_ctx, const char * const *orig,
+ bool case_sensitive, const char ***_cased)
+{
+ const char **out;
+ size_t num, i;
+
+ if (orig == NULL) {
+ *_cased = NULL;
+ return EOK;
+ }
+
+ for (num=0; orig[num]; num++); /* count the num of strings */
+
+ if (num == 0) {
+ *_cased = NULL;
+ return EOK;
+ }
+
+ out = talloc_array(mem_ctx, const char *, num + 1);
+ if (out == NULL) {
+ return ENOMEM;
+ }
+
+ for (i = 0; i < num; i++) {
+ out[i] = sss_get_cased_name(out, orig[i], case_sensitive);
+ if (out[i] == NULL) {
+ talloc_free(out);
+ return ENOMEM;
+ }
+ }
+
+ out[num] = NULL;
+ *_cased = out;
+ return EOK;
+}
+
+static inline const char *
+calc_flat_name(struct sss_domain_info *domain)
+{
+ const char *s;
+
+ s = domain->flat_name;
+ if (s == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "Flat name requested but domain has no"
+ "flat name set, falling back to domain name\n");
+ s = domain->name;
+ }
+
+ return s;
+}
+
+char *
+sss_tc_fqname(TALLOC_CTX *mem_ctx, struct sss_names_ctx *nctx,
+ struct sss_domain_info *domain, const char *name)
+{
+ if (domain == NULL || nctx == NULL) return NULL;
+
+ return sss_tc_fqname2 (mem_ctx, nctx, domain->name,
+ calc_flat_name (domain), name);
+}
+
+static void
+safe_talloc_callback (void *data,
+ const char *piece,
+ size_t len)
+{
+ char **output = data;
+ if (*output != NULL)
+ *output = talloc_strndup_append(*output, piece, len);
+}
+
+char *
+sss_tc_fqname2(TALLOC_CTX *mem_ctx, struct sss_names_ctx *nctx,
+ const char *domain_name, const char *flat_dom_name,
+ const char *name)
+{
+ const char *args[] = { name, domain_name, flat_dom_name, NULL };
+ char *output;
+
+ if (nctx == NULL) return NULL;
+
+ output = talloc_strdup(mem_ctx, "");
+ if (safe_format_string_cb(safe_talloc_callback, &output, nctx->fq_fmt, args, 3) < 0)
+ output = NULL;
+ else if (output == NULL)
+ errno = ENOMEM;
+ return output;
+}
+
+int
+sss_fqname(char *str, size_t size, struct sss_names_ctx *nctx,
+ struct sss_domain_info *domain, const char *name)
+{
+ if (domain == NULL || nctx == NULL) return -EINVAL;
+
+ return safe_format_string(str, size, nctx->fq_fmt,
+ name, domain->name, calc_flat_name (domain), NULL);
+}
+
+errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid)
+{
+ uid_t uid;
+ errno_t ret;
+ char *endptr;
+ struct passwd *pwd;
+
+ /* Try if it's an ID first */
+ errno = 0;
+ uid = strtouint32(input, &endptr, 10);
+ if (errno != 0 || *endptr != '\0') {
+ ret = errno;
+ if (ret == ERANGE) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "UID [%s] is out of range.\n", input);
+ return ret;
+ }
+
+ /* Nope, maybe a username? */
+ pwd = getpwnam(input);
+ } else {
+ pwd = getpwuid(uid);
+ }
+
+ if (pwd == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "[%s] is neither a valid UID nor a user name which could be "
+ "resolved by getpwnam().\n", input);
+ return EINVAL;
+ }
+
+ if (_uid) {
+ *_uid = pwd->pw_uid;
+ }
+
+ if (_gid) {
+ *_gid = pwd->pw_gid;
+ }
+ return EOK;
+}
+
+/* Accepts fqname in the format shortname@domname only. */
+errno_t sss_parse_internal_fqname(TALLOC_CTX *mem_ctx,
+ const char *fqname,
+ char **_shortname,
+ char **_dom_name)
+{
+ errno_t ret;
+ char *separator;
+ char *shortname = NULL;
+ char *dom_name = NULL;
+ size_t shortname_len;
+ TALLOC_CTX *tmp_ctx;
+
+ if (fqname == NULL) {
+ return EINVAL;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ separator = strrchr(fqname, '@');
+ if (separator == NULL || *(separator + 1) == '\0' || separator == fqname) {
+ /*The name does not contain name or domain component. */
+ ret = ERR_WRONG_NAME_FORMAT;
+ goto done;
+ }
+
+ if (_dom_name != NULL) {
+ dom_name = talloc_strdup(tmp_ctx, separator + 1);
+ if (dom_name == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_dom_name = talloc_steal(mem_ctx, dom_name);
+ }
+
+ if (_shortname != NULL) {
+ shortname_len = strlen(fqname) - strlen(separator);
+ shortname = talloc_strndup(tmp_ctx, fqname, shortname_len);
+ if (shortname == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ *_shortname = talloc_steal(mem_ctx, shortname);
+ }
+
+ ret = EOK;
+done:
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+/* Creates internal fqname in format shortname@domname.
+ * The domain portion is lowercased. */
+char *sss_create_internal_fqname(TALLOC_CTX *mem_ctx,
+ const char *shortname,
+ const char *dom_name)
+{
+ char *lc_dom_name;
+ char *fqname = NULL;
+
+ if (shortname == NULL || dom_name == NULL) {
+ /* Avoid allocating null@null */
+ return NULL;
+ }
+
+ lc_dom_name = sss_tc_utf8_str_tolower(mem_ctx, dom_name);
+ if (lc_dom_name == NULL) {
+ goto done;
+ }
+
+ fqname = talloc_asprintf(mem_ctx, "%s@%s", shortname, lc_dom_name);
+ talloc_free(lc_dom_name);
+done:
+ return fqname;
+}
+
+/* Creates a list of internal fqnames in format shortname@domname.
+ * The domain portion is lowercased. */
+char **sss_create_internal_fqname_list(TALLOC_CTX *mem_ctx,
+ const char * const *shortname_list,
+ const char *dom_name)
+{
+ char **fqname_list = NULL;
+ size_t c;
+
+ if (shortname_list == NULL || dom_name == NULL) {
+ /* Avoid allocating null@null */
+ return NULL;
+ }
+
+ for (c = 0; shortname_list[c] != NULL; c++);
+ fqname_list = talloc_zero_array(mem_ctx, char *, c+1);
+ if (fqname_list == NULL) {
+ talloc_free(fqname_list);
+ return NULL;
+ }
+
+ for (size_t i = 0; shortname_list[i] != NULL; i++) {
+ fqname_list[i] = sss_create_internal_fqname(fqname_list,
+ shortname_list[i],
+ dom_name);
+ if (fqname_list == NULL) {
+ talloc_free(fqname_list);
+ return NULL;
+ }
+ }
+
+ return fqname_list;
+}
+
+char *sss_output_name(TALLOC_CTX *mem_ctx,
+ const char *name,
+ bool case_sensitive,
+ const char replace_space)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *shortname;
+ char *outname = NULL;
+
+ tmp_ctx = talloc_new(NULL);
+ if (!tmp_ctx) return NULL;
+
+ ret = sss_parse_internal_fqname(tmp_ctx, name, &shortname, NULL);
+ if (ret == ERR_WRONG_NAME_FORMAT) {
+ /* There is no domain name. */
+ shortname = talloc_strdup(tmp_ctx, name);
+ if (shortname == NULL) {
+ goto done;
+ }
+ } else if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_parse_internal_fqname failed\n");
+ goto done;
+ }
+
+ outname = sss_get_cased_name(tmp_ctx, shortname, case_sensitive);
+ if (outname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "sss_get_cased_name failed, skipping\n");
+ goto done;
+ }
+
+ outname = sss_replace_space(tmp_ctx, outname, replace_space);
+ if (outname == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_replace_space failed\n");
+ goto done;
+ }
+
+ outname = talloc_steal(mem_ctx, outname);
+done:
+ talloc_free(tmp_ctx);
+ return outname;
+}
+
+const char *
+sss_get_name_from_msg(struct sss_domain_info *domain,
+ struct ldb_message *msg)
+{
+ const char *name;
+
+ /* If domain has a view associated we return overridden name
+ * if possible. */
+ if (DOM_HAS_VIEWS(domain)) {
+ name = ldb_msg_find_attr_as_string(msg, OVERRIDE_PREFIX SYSDB_NAME,
+ NULL);
+ if (name != NULL) {
+ return name;
+ }
+ }
+
+ /* Otherwise we try to return name override from
+ * Default Truest View for trusted users. */
+ name = ldb_msg_find_attr_as_string(msg, SYSDB_DEFAULT_OVERRIDE_NAME, NULL);
+ if (name != NULL) {
+ return name;
+ }
+
+ /* If no override is found we return the original name. */
+ return ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
+}
+
+int sss_output_fqname(TALLOC_CTX *mem_ctx,
+ struct sss_domain_info *domain,
+ const char *name,
+ char override_space,
+ char **_output_name)
+{
+ TALLOC_CTX *tmp_ctx = NULL;
+ errno_t ret;
+ char *output_name;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ output_name = sss_output_name(tmp_ctx, name, domain->case_preserve,
+ override_space);
+ if (output_name == NULL) {
+ ret = EIO;
+ goto done;
+ }
+
+ if (sss_domain_info_get_output_fqnames(domain) || domain->fqnames) {
+ output_name = sss_tc_fqname(tmp_ctx, domain->names,
+ domain, output_name);
+ if (output_name == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_tc_fqname failed\n");
+ ret = EIO;
+ goto done;
+ }
+ }
+
+ *_output_name = talloc_steal(mem_ctx, output_name);
+ ret = EOK;
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
diff --git a/src/util/util.c b/src/util/util.c
new file mode 100644
index 0000000..e3efa7f
--- /dev/null
+++ b/src/util/util.c
@@ -0,0 +1,1198 @@
+/*
+ Authors:
+ Simo Sorce
+
+ Copyright (C) 2009 Red Hat
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include "config.h"
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "util/util.h"
+#include "util/sss_utf8.h"
+
+int socket_activated = 0;
+int dbus_activated = 0;
+
+static void free_args(char **args)
+{
+ int i;
+
+ if (args) {
+ for (i = 0; args[i]; i++) free(args[i]);
+ free(args);
+ }
+}
+
+/* parse a string into arguments.
+ * arguments are separated by a space
+ * '\' is an escape character and can be used only to escape
+ * itself or the white space.
+ */
+char **parse_args(const char *str)
+{
+ const char *p;
+ char **ret, **r;
+ char *tmp;
+ int num;
+ int i;
+ bool e, w;
+
+ tmp = malloc(strlen(str) + 1);
+ if (!tmp) return NULL;
+
+ ret = NULL;
+ num = 0;
+ i = 0;
+ e = false;
+ /* skip leading whitespaces */
+ w = true;
+ p = str;
+ while (*p) {
+ if (*p == '\\') {
+ w = false;
+ if (e) {
+ /* if we were already escaping, add a '\' literal */
+ tmp[i] = '\\';
+ i++;
+ e = false;
+ } else {
+ /* otherwise just start escaping */
+ e = true;
+ }
+ } else if (isspace(*p)) {
+ if (e) {
+ /* Add escaped whitespace literally */
+ tmp[i] = *p;
+ i++;
+ e = false;
+ } else if (w == false) {
+ /* If previous character was non-whitespace, arg break */
+ tmp[i] = '\0';
+ i++;
+ w = true;
+ }
+ /* previous char was whitespace as well, skip it */
+ } else {
+ w = false;
+ if (e) {
+ /* Prepend escaped chars with a literal \ */
+ tmp[i] = '\\';
+ i++;
+ e = false;
+ }
+ /* Copy character from the source string */
+ tmp[i] = *p;
+ i++;
+ }
+
+ p++;
+
+ /* check if this was the last char */
+ if (*p == '\0') {
+ if (e) {
+ tmp[i] = '\\';
+ i++;
+ e = false;
+ }
+ tmp[i] = '\0';
+ i++;
+ }
+
+ /* save token to result array */
+ if (i > 1 && tmp[i-1] == '\0') {
+ r = realloc(ret, (num + 2) * sizeof(char *));
+ if (!r) goto fail;
+ ret = r;
+ ret[num+1] = NULL;
+ ret[num] = strdup(tmp);
+ if (!ret[num]) goto fail;
+ num++;
+ i = 0;
+ }
+ }
+
+ free(tmp);
+ return ret;
+
+fail:
+ free(tmp);
+ free_args(ret);
+ return NULL;
+}
+
+const char **dup_string_list(TALLOC_CTX *memctx, const char **str_list)
+{
+ int i = 0;
+ int j = 0;
+ const char **dup_list;
+
+ if (!str_list) {
+ return NULL;
+ }
+
+ /* Find the size of the list */
+ while (str_list[i]) i++;
+
+ dup_list = talloc_array(memctx, const char *, i+1);
+ if (!dup_list) {
+ return NULL;
+ }
+
+ /* Copy the elements */
+ for (j = 0; j < i; j++) {
+ dup_list[j] = talloc_strdup(dup_list, str_list[j]);
+ if (!dup_list[j]) {
+ talloc_free(dup_list);
+ return NULL;
+ }
+ }
+
+ /* NULL-terminate the list */
+ dup_list[i] = NULL;
+
+ return dup_list;
+}
+
+/* Take two string lists (terminated on a NULL char*)
+ * and return up to three arrays of strings based on
+ * shared ownership.
+ *
+ * Pass NULL to any return type you don't care about
+ */
+errno_t diff_string_lists(TALLOC_CTX *memctx,
+ char **_list1,
+ char **_list2,
+ char ***_list1_only,
+ char ***_list2_only,
+ char ***_both_lists)
+{
+ int error;
+ errno_t ret;
+ int i;
+ int i2 = 0;
+ int i12 = 0;
+ hash_table_t *table;
+ hash_key_t key;
+ hash_value_t value;
+ char **list1 = NULL;
+ char **list2 = NULL;
+ char **list1_only = NULL;
+ char **list2_only = NULL;
+ char **both_lists = NULL;
+ unsigned long count;
+ hash_key_t *keys;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(memctx);
+ if (!tmp_ctx) {
+ return ENOMEM;
+ }
+
+ if (!_list1) {
+ list1 = talloc_array(tmp_ctx, char *, 1);
+ if (!list1) {
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
+ list1[0] = NULL;
+ }
+ else {
+ list1 = _list1;
+ }
+
+ if (!_list2) {
+ list2 = talloc_array(tmp_ctx, char *, 1);
+ if (!list2) {
+ talloc_free(tmp_ctx);
+ return ENOMEM;
+ }
+ list2[0] = NULL;
+ }
+ else {
+ list2 = _list2;
+ }
+
+ error = hash_create(10, &table, NULL, NULL);
+ if (error != HASH_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return EIO;
+ }
+
+ key.type = HASH_KEY_STRING;
+ value.type = HASH_VALUE_UNDEF;
+
+ /* Add all entries from list 1 into a hash table */
+ i = 0;
+ while (list1[i]) {
+ key.str = talloc_strdup(tmp_ctx, list1[i]);
+ error = hash_enter(table, &key, &value);
+ if (error != HASH_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+ i++;
+ }
+
+ /* Iterate through list 2 and remove matching items */
+ i = 0;
+ while (list2[i]) {
+ key.str = talloc_strdup(tmp_ctx, list2[i]);
+ error = hash_delete(table, &key);
+ if (error == HASH_SUCCESS) {
+ if (_both_lists) {
+ /* String was present in both lists */
+ i12++;
+ both_lists = talloc_realloc(tmp_ctx, both_lists, char *, i12+1);
+ if (!both_lists) {
+ ret = ENOMEM;
+ goto done;
+ }
+ both_lists[i12-1] = talloc_strdup(both_lists, list2[i]);
+ if (!both_lists[i12-1]) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ both_lists[i12] = NULL;
+ }
+ }
+ else if (error == HASH_ERROR_KEY_NOT_FOUND) {
+ if (_list2_only) {
+ /* String was present only in list2 */
+ i2++;
+ list2_only = talloc_realloc(tmp_ctx, list2_only,
+ char *, i2+1);
+ if (!list2_only) {
+ ret = ENOMEM;
+ goto done;
+ }
+ list2_only[i2-1] = talloc_strdup(list2_only, list2[i]);
+ if (!list2_only[i2-1]) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ list2_only[i2] = NULL;
+ }
+ }
+ else {
+ /* An error occurred */
+ ret = EIO;
+ goto done;
+ }
+ i++;
+ }
+
+ /* Get the leftover entries in the hash table */
+ if (_list1_only) {
+ error = hash_keys(table, &count, &keys);
+ if (error != HASH_SUCCESS) {
+ ret = EIO;
+ goto done;
+ }
+
+ list1_only = talloc_array(tmp_ctx, char *, count+1);
+ if (!list1_only) {
+ ret = ENOMEM;
+ goto done;
+ }
+
+ for (i = 0; i < count; i++) {
+ list1_only[i] = talloc_strdup(list1_only, keys[i].str);
+ if (!list1_only[i]) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ list1_only[count] = NULL;
+
+ free(keys);
+
+ *_list1_only = talloc_steal(memctx, list1_only);
+ }
+
+ if (_list2_only) {
+ if (list2_only) {
+ *_list2_only = talloc_steal(memctx, list2_only);
+ }
+ else {
+ *_list2_only = talloc_array(memctx, char *, 1);
+ if (!(*_list2_only)) {
+ ret = ENOMEM;
+ goto done;
+ }
+ *_list2_only[0] = NULL;
+ }
+ }
+
+ if (_both_lists) {
+ if (both_lists) {
+ *_both_lists = talloc_steal(memctx, both_lists);
+ }
+ else {
+ *_both_lists = talloc_array(memctx, char *, 1);
+ if (!(*_both_lists)) {
+ ret = ENOMEM;
+ goto done;
+ }
+ *_both_lists[0] = NULL;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ hash_destroy(table);
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
+static void *hash_talloc(const size_t size, void *pvt)
+{
+ return talloc_size(pvt, size);
+}
+
+static void hash_talloc_free(void *ptr, void *pvt)
+{
+ talloc_free(ptr);
+}
+
+errno_t sss_hash_create_ex(TALLOC_CTX *mem_ctx,
+ unsigned long count,
+ hash_table_t **tbl,
+ unsigned int directory_bits,
+ unsigned int segment_bits,
+ unsigned long min_load_factor,
+ unsigned long max_load_factor,
+ hash_delete_callback *delete_callback,
+ void *delete_private_data)
+{
+ errno_t ret;
+ hash_table_t *table;
+ int hret;
+
+ TALLOC_CTX *internal_ctx;
+ internal_ctx = talloc_new(NULL);
+ if (!internal_ctx) {
+ return ENOMEM;
+ }
+
+ hret = hash_create_ex(count, &table, directory_bits, segment_bits,
+ min_load_factor, max_load_factor,
+ hash_talloc, hash_talloc_free, internal_ctx,
+ delete_callback, delete_private_data);
+ switch (hret) {
+ case HASH_SUCCESS:
+ /* Steal the table pointer onto the mem_ctx,
+ * then make the internal_ctx a child of
+ * table.
+ *
+ * This way, we can clean up the values when
+ * we talloc_free() the table
+ */
+ *tbl = talloc_steal(mem_ctx, table);
+ talloc_steal(table, internal_ctx);
+ return EOK;
+
+ case HASH_ERROR_NO_MEMORY:
+ ret = ENOMEM;
+ break;
+ default:
+ ret = EIO;
+ }
+
+ DEBUG(SSSDBG_FATAL_FAILURE, "Could not create hash table: [%d][%s]\n",
+ hret, hash_error_string(hret));
+
+ talloc_free(internal_ctx);
+ return ret;
+}
+
+errno_t sss_hash_create(TALLOC_CTX *mem_ctx, unsigned long count,
+ hash_table_t **tbl)
+{
+ return sss_hash_create_ex(mem_ctx, count, tbl, 0, 0, 0, 0, NULL, NULL);
+}
+
+errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **sanitized,
+ const char *ignore)
+{
+ char *output;
+ size_t i = 0;
+ size_t j = 0;
+ char *allowed;
+
+ /* Assume the worst-case. We'll resize it later, once */
+ output = talloc_array(mem_ctx, char, strlen(input) * 3 + 1);
+ if (!output) {
+ return ENOMEM;
+ }
+
+ while (input[i]) {
+ /* Even though this character might have a special meaning, if it's
+ * expliticly allowed, just copy it and move on
+ */
+ if (ignore == NULL) {
+ allowed = NULL;
+ } else {
+ allowed = strchr(ignore, input[i]);
+ }
+ if (allowed) {
+ output[j++] = input[i++];
+ continue;
+ }
+
+ switch(input[i]) {
+ case '\t':
+ output[j++] = '\\';
+ output[j++] = '0';
+ output[j++] = '9';
+ break;
+ case ' ':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = '0';
+ break;
+ case '*':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = 'a';
+ break;
+ case '(':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = '8';
+ break;
+ case ')':
+ output[j++] = '\\';
+ output[j++] = '2';
+ output[j++] = '9';
+ break;
+ case '\\':
+ output[j++] = '\\';
+ output[j++] = '5';
+ output[j++] = 'c';
+ break;
+ case '\r':
+ output[j++] = '\\';
+ output[j++] = '0';
+ output[j++] = 'd';
+ break;
+ case '\n':
+ output[j++] = '\\';
+ output[j++] = '0';
+ output[j++] = 'a';
+ break;
+ default:
+ output[j++] = input[i];
+ }
+
+ i++;
+ }
+ output[j] = '\0';
+ *sanitized = talloc_realloc(mem_ctx, output, char, j+1);
+ if (!*sanitized) {
+ talloc_free(output);
+ return ENOMEM;
+ }
+
+ return EOK;
+}
+
+errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx,
+ const char *input,
+ char **sanitized)
+{
+ return sss_filter_sanitize_ex(mem_ctx, input, sanitized, NULL);
+}
+
+char *
+sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr)
+{
+ return family == AF_INET6 ? talloc_asprintf(mem_ctx, "[%s]", addr) :
+ talloc_strdup(mem_ctx, addr);
+}
+
+/* out->len includes terminating '\0' */
+void to_sized_string(struct sized_string *out, const char *in)
+{
+ out->str = in;
+ if (out->str) {
+ out->len = strlen(out->str) + 1;
+ } else {
+ out->len = 0;
+ }
+}
+
+/* This function only removes first and last
+ * character if the first character was '['.
+ *
+ * NOTE: This means, that ipv6addr must NOT be followed
+ * by port number.
+ */
+errno_t
+remove_ipv6_brackets(char *ipv6addr)
+{
+ size_t len;
+
+ if (ipv6addr && ipv6addr[0] == '[') {
+ len = strlen(ipv6addr);
+ if (len < 3) {
+ return EINVAL;
+ }
+
+ memmove(ipv6addr, &ipv6addr[1], len - 2);
+ ipv6addr[len -2] = '\0';
+ }
+
+ return EOK;
+}
+
+errno_t add_string_to_list(TALLOC_CTX *mem_ctx, const char *string,
+ char ***list_p)
+{
+ size_t c;
+ char **old_list = NULL;
+ char **new_list = NULL;
+
+ if (string == NULL || list_p == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Missing string or list.\n");
+ return EINVAL;
+ }
+
+ old_list = *list_p;
+
+ if (old_list == NULL) {
+ /* If the input is a NULL list a new one is created with the new
+ * string and the terminating NULL element. */
+ c = 0;
+ new_list = talloc_array(mem_ctx, char *, 2);
+ } else {
+ for (c = 0; old_list[c] != NULL; c++);
+ /* Allocate one extra space for the new service and one for
+ * the terminating NULL
+ */
+ new_list = talloc_realloc(mem_ctx, old_list, char *, c + 2);
+ }
+
+ if (new_list == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array/talloc_realloc failed.\n");
+ return ENOMEM;
+ }
+
+ new_list[c] = talloc_strdup(new_list, string);
+ if (new_list[c] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ talloc_free(new_list);
+ return ENOMEM;
+ }
+
+ new_list[c + 1] = NULL;
+
+ *list_p = new_list;
+
+ return EOK;
+}
+
+void safezero(void *data, size_t size)
+{
+ volatile uint8_t *p = data;
+
+ while (size--) {
+ *p++ = 0;
+ }
+}
+
+int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn)
+{
+ const char *s;
+ char *dn;
+ char *p;
+ int l;
+
+ if (!domain || !basedn) {
+ return EINVAL;
+ }
+
+ s = domain;
+ dn = talloc_strdup(memctx, "dc=");
+
+ while ((p = strchr(s, '.'))) {
+ l = p - s;
+ dn = talloc_asprintf_append_buffer(dn, "%.*s,dc=", l, s);
+ if (!dn) {
+ return ENOMEM;
+ }
+ s = p + 1;
+ }
+ dn = talloc_strdup_append_buffer(dn, s);
+ if (!dn) {
+ return ENOMEM;
+ }
+
+ for (p=dn; *p; ++p) {
+ *p = tolower(*p);
+ }
+
+ *basedn = dn;
+ return EOK;
+}
+
+bool is_host_in_domain(const char *host, const char *domain)
+{
+ int diff = strlen(host) - strlen(domain);
+
+ if (diff == 0 && strcmp(host, domain) == 0) {
+ return true;
+ }
+
+ if (diff > 0 && strcmp(host + diff, domain) == 0 && host[diff - 1] == '.') {
+ return true;
+ }
+
+ return false;
+}
+
+/* addr is in network order for both IPv4 and IPv6 versions */
+bool check_ipv4_addr(struct in_addr *addr, uint8_t flags)
+{
+ char straddr[INET_ADDRSTRLEN];
+
+ if (inet_ntop(AF_INET, addr, straddr, INET_ADDRSTRLEN) == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "inet_ntop failed, won't log IP addresses\n");
+ snprintf(straddr, INET_ADDRSTRLEN, "unknown");
+ }
+
+ if ((flags & SSS_NO_MULTICAST) && IN_MULTICAST(ntohl(addr->s_addr))) {
+ DEBUG(SSSDBG_FUNC_DATA, "Multicast IPv4 address %s\n", straddr);
+ return false;
+ } else if ((flags & SSS_NO_LOOPBACK)
+ && inet_netof(*addr) == IN_LOOPBACKNET) {
+ DEBUG(SSSDBG_FUNC_DATA, "Loopback IPv4 address %s\n", straddr);
+ return false;
+ } else if ((flags & SSS_NO_LINKLOCAL)
+ && (addr->s_addr & htonl(0xffff0000)) == htonl(0xa9fe0000)) {
+ /* 169.254.0.0/16 */
+ DEBUG(SSSDBG_FUNC_DATA, "Link-local IPv4 address %s\n", straddr);
+ return false;
+ } else if ((flags & SSS_NO_BROADCAST)
+ && addr->s_addr == htonl(INADDR_BROADCAST)) {
+ DEBUG(SSSDBG_FUNC_DATA, "Broadcast IPv4 address %s\n", straddr);
+ return false;
+ }
+
+ return true;
+}
+
+bool check_ipv6_addr(struct in6_addr *addr, uint8_t flags)
+{
+ char straddr[INET6_ADDRSTRLEN];
+
+ if (inet_ntop(AF_INET6, addr, straddr, INET6_ADDRSTRLEN) == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ "inet_ntop failed, won't log IP addresses\n");
+ snprintf(straddr, INET6_ADDRSTRLEN, "unknown");
+ }
+
+ if ((flags & SSS_NO_LINKLOCAL) && IN6_IS_ADDR_LINKLOCAL(addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, "Link local IPv6 address %s\n", straddr);
+ return false;
+ } else if ((flags & SSS_NO_LOOPBACK) && IN6_IS_ADDR_LOOPBACK(addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, "Loopback IPv6 address %s\n", straddr);
+ return false;
+ } else if ((flags & SSS_NO_MULTICAST) && IN6_IS_ADDR_MULTICAST(addr)) {
+ DEBUG(SSSDBG_FUNC_DATA, "Multicast IPv6 address %s\n", straddr);
+ return false;
+ }
+
+ return true;
+}
+
+const char * const * get_known_services(void)
+{
+ static const char *svc[] = {"nss", "pam", "sudo", "autofs",
+ "ssh", "pac", "ifp", NULL };
+
+ return svc;
+}
+
+errno_t add_strings_lists(TALLOC_CTX *mem_ctx, const char **l1, const char **l2,
+ bool copy_strings, char ***_new_list)
+{
+ size_t c;
+ size_t l1_count = 0;
+ size_t l2_count = 0;
+ size_t new_count = 0;
+ char **new;
+ int ret;
+
+ if (l1 != NULL) {
+ for (l1_count = 0; l1[l1_count] != NULL; l1_count++);
+ }
+
+ if (l2 != NULL) {
+ for (l2_count = 0; l2[l2_count] != NULL; l2_count++);
+ }
+
+ new_count = l1_count + l2_count;
+
+ new = talloc_array(mem_ctx, char *, new_count + 1);
+ if (new == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n");
+ return ENOMEM;
+ }
+ new [new_count] = NULL;
+
+ if (copy_strings) {
+ for(c = 0; c < l1_count; c++) {
+ new[c] = talloc_strdup(new, l1[c]);
+ if (new[c] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ for(c = 0; c < l2_count; c++) {
+ new[l1_count + c] = talloc_strdup(new, l2[c]);
+ if (new[l1_count + c] == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+ } else {
+ if (l1 != NULL) {
+ memcpy(new, l1, sizeof(char *) * l1_count);
+ }
+
+ if (l2 != NULL) {
+ memcpy(&new[l1_count], l2, sizeof(char *) * l2_count);
+ }
+ }
+
+ *_new_list = new;
+ ret = EOK;
+
+done:
+ if (ret != EOK) {
+ talloc_free(new);
+ }
+
+ return ret;
+}
+
+/* Set the nonblocking flag to the fd */
+errno_t sss_fd_nonblocking(int fd)
+{
+ int flags;
+ int ret;
+
+ flags = fcntl(fd, F_GETFL, 0);
+ if (flags == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "F_GETFL failed [%d][%s].\n", ret, strerror(ret));
+ return ret;
+ }
+
+ if (fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "F_SETFL failed [%d][%s].\n", ret, strerror(ret));
+ return ret;
+ }
+
+ return EOK;
+}
+
+/* Convert GeneralizedTime (http://en.wikipedia.org/wiki/GeneralizedTime)
+ * to unix time (seconds since epoch). Use UTC time zone.
+ */
+errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *_unix_time)
+{
+ char *end;
+ struct tm tm;
+ size_t len;
+ time_t ut;
+
+ if (str == NULL) {
+ return EINVAL;
+ }
+
+ len = strlen(str);
+ if (str[len-1] != 'Z') {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "%s does not seem to be in UTZ time zone.\n", str);
+ return ERR_TIMESPEC_NOT_SUPPORTED;
+ }
+
+ memset(&tm, 0, sizeof(tm));
+
+ end = strptime(str, format, &tm);
+ /* not all characters from format were matched */
+ if (end == NULL) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "String [%s] failed to match format [%s].\n", str, format);
+ return EINVAL;
+ }
+
+ /* str is 'longer' than format */
+ if (*end != '\0') {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "String [%s] is longer than format [%s].\n", str, format);
+ return EINVAL;
+ }
+
+ ut = mktime(&tm);
+ if (ut == -1) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "mktime failed to convert [%s].\n", str);
+ return EINVAL;
+ }
+
+ tzset();
+ ut -= timezone;
+ *_unix_time = ut;
+ return EOK;
+}
+
+struct tmpfile_watch {
+ const char *filename;
+};
+
+static int unlink_dbg(const char *filename)
+{
+ errno_t ret;
+
+ ret = unlink(filename);
+ if (ret != 0) {
+ ret = errno;
+ if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "File already removed: [%s]\n", filename);
+ return 0;
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Cannot remove temporary file [%s] %d [%s]\n",
+ filename, ret, strerror(ret));
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static int unique_filename_destructor(void *memptr)
+{
+ struct tmpfile_watch *tw = talloc_get_type(memptr, struct tmpfile_watch);
+
+ if (tw == NULL || tw->filename == NULL) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "BUG: Wrong private pointer\n");
+ return -1;
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL, "Unlinking [%s]\n", tw->filename);
+
+ return unlink_dbg(tw->filename);
+}
+
+static struct tmpfile_watch *tmpfile_watch_set(TALLOC_CTX *owner,
+ const char *filename)
+{
+ struct tmpfile_watch *tw = NULL;
+
+ tw = talloc_zero(owner, struct tmpfile_watch);
+ if (tw == NULL) {
+ return NULL;
+ }
+
+ tw->filename = talloc_strdup(tw, filename);
+ if (tw->filename == NULL) {
+ talloc_free(tw);
+ return NULL;
+ }
+
+ talloc_set_destructor((TALLOC_CTX *) tw,
+ unique_filename_destructor);
+ return tw;
+}
+
+int sss_unique_file_ex(TALLOC_CTX *owner,
+ char *path_tmpl,
+ mode_t file_umask,
+ errno_t *_err)
+{
+ size_t tmpl_len;
+ errno_t ret;
+ int fd = -1;
+ mode_t old_umask;
+ struct tmpfile_watch *tw = NULL;
+
+ tmpl_len = strlen(path_tmpl);
+ if (tmpl_len < 6 || strcmp(path_tmpl + (tmpl_len - 6), "XXXXXX") != 0) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Template too short or doesn't end with XXXXXX!\n");
+ ret = EINVAL;
+ goto done;
+ }
+
+ old_umask = umask(file_umask);
+ fd = mkstemp(path_tmpl);
+ umask(old_umask);
+ if (fd == -1) {
+ ret = errno;
+ DEBUG(SSSDBG_OP_FAILURE,
+ "mkstemp(\"%s\") failed [%d]: %s!\n",
+ path_tmpl, ret, strerror(ret));
+ goto done;
+ }
+
+ if (owner != NULL) {
+ tw = tmpfile_watch_set(owner, path_tmpl);
+ if (tw == NULL) {
+ unlink_dbg(path_tmpl);
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
+ ret = EOK;
+done:
+ if (_err) {
+ *_err = ret;
+ }
+ return fd;
+}
+
+int sss_unique_file(TALLOC_CTX *owner,
+ char *path_tmpl,
+ errno_t *_err)
+{
+ return sss_unique_file_ex(owner, path_tmpl, SSS_DFL_UMASK, _err);
+}
+
+errno_t sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl)
+{
+ int fd;
+ errno_t ret;
+
+ fd = sss_unique_file(owner, path_tmpl, &ret);
+ /* We only care about a unique file name */
+ if (fd >= 0) {
+ close(fd);
+ }
+
+ return ret;
+}
+
+static struct cert_verify_opts *init_cert_verify_opts(TALLOC_CTX *mem_ctx)
+{
+ struct cert_verify_opts *cert_verify_opts;
+
+ cert_verify_opts = talloc_zero(mem_ctx, struct cert_verify_opts);
+ if (cert_verify_opts == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return NULL;
+ }
+
+ cert_verify_opts->do_ocsp = true;
+ cert_verify_opts->do_verification = true;
+ cert_verify_opts->ocsp_default_responder = NULL;
+ cert_verify_opts->ocsp_default_responder_signing_cert = NULL;
+
+ return cert_verify_opts;
+}
+
+#define OCSP_DEFAUL_RESPONDER "ocsp_default_responder="
+#define OCSP_DEFAUL_RESPONDER_LEN (sizeof(OCSP_DEFAUL_RESPONDER) - 1)
+
+#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT \
+ "ocsp_default_responder_signing_cert="
+#define OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN \
+ (sizeof(OCSP_DEFAUL_RESPONDER_SIGNING_CERT) - 1)
+
+errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts,
+ struct cert_verify_opts **_cert_verify_opts)
+{
+ int ret;
+ TALLOC_CTX *tmp_ctx;
+ char **opts;
+ size_t c;
+ struct cert_verify_opts *cert_verify_opts;
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n");
+ return ENOMEM;
+ }
+
+ cert_verify_opts = init_cert_verify_opts(tmp_ctx);
+ if (cert_verify_opts == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "init_cert_verify_opts failed.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (verify_opts == NULL) {
+ ret = EOK;
+ goto done;
+ }
+
+ ret = split_on_separator(tmp_ctx, verify_opts, ',', true, true, &opts,
+ NULL);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "split_on_separator failed.\n");
+ goto done;
+ }
+
+ for (c = 0; opts[c] != NULL; c++) {
+ if (strcasecmp(opts[c], "no_ocsp") == 0) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Found 'no_ocsp' option, disabling OCSP.\n");
+ cert_verify_opts->do_ocsp = false;
+ } else if (strcasecmp(opts[c], "no_verification") == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Found 'no_verification' option, "
+ "disabling verification completely. "
+ "This should not be used in production.\n");
+ cert_verify_opts->do_verification = false;
+ } else if (strncasecmp(opts[c], OCSP_DEFAUL_RESPONDER,
+ OCSP_DEFAUL_RESPONDER_LEN) == 0) {
+ cert_verify_opts->ocsp_default_responder =
+ talloc_strdup(cert_verify_opts,
+ &opts[c][OCSP_DEFAUL_RESPONDER_LEN]);
+ if (cert_verify_opts->ocsp_default_responder == NULL
+ || *cert_verify_opts->ocsp_default_responder == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse ocsp_default_responder option [%s].\n",
+ opts[c]);
+ ret = EINVAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL, "Using OCSP default responder [%s]\n",
+ cert_verify_opts->ocsp_default_responder);
+ } else if (strncasecmp(opts[c],
+ OCSP_DEFAUL_RESPONDER_SIGNING_CERT,
+ OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN) == 0) {
+ cert_verify_opts->ocsp_default_responder_signing_cert =
+ talloc_strdup(cert_verify_opts,
+ &opts[c][OCSP_DEFAUL_RESPONDER_SIGNING_CERT_LEN]);
+ if (cert_verify_opts->ocsp_default_responder_signing_cert == NULL
+ || *cert_verify_opts->ocsp_default_responder_signing_cert
+ == '\0') {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to parse ocsp_default_responder_signing_cert "
+ "option [%s].\n", opts[c]);
+ ret = EINVAL;
+ goto done;
+ }
+
+ DEBUG(SSSDBG_TRACE_ALL,
+ "Using OCSP default responder signing cert nickname [%s]\n",
+ cert_verify_opts->ocsp_default_responder_signing_cert);
+ } else {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Unsupported certificate verification option [%s], " \
+ "skipping.\n", opts[c]);
+ }
+ }
+
+ if ((cert_verify_opts->ocsp_default_responder == NULL
+ && cert_verify_opts->ocsp_default_responder_signing_cert != NULL)
+ || (cert_verify_opts->ocsp_default_responder != NULL
+ && cert_verify_opts->ocsp_default_responder_signing_cert == NULL)) {
+
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "ocsp_default_responder and ocsp_default_responder_signing_cert "
+ "must be used together.\n");
+
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (ret == EOK) {
+ *_cert_verify_opts = talloc_steal(mem_ctx, cert_verify_opts);
+ }
+
+ talloc_free(tmp_ctx);
+
+ return ret;
+}
+
+bool is_user_or_group_name(const char *sudo_user_value)
+{
+ if (sudo_user_value == NULL) {
+ return false;
+ }
+
+ /* See man sudoers.ldap for explanation */
+ if (strcmp(sudo_user_value, "ALL") == 0) {
+ return false;
+ }
+
+ switch (sudo_user_value[0]) {
+ case '#': /* user id */
+ case '+': /* netgroup */
+ case '\0': /* empty value */
+ return false;
+ }
+
+ if (sudo_user_value[0] == '%') {
+ switch (sudo_user_value[1]) {
+ case '#': /* POSIX group ID */
+ case ':': /* non-POSIX group */
+ case '\0': /* empty value */
+ return false;
+ }
+ }
+
+ /* Now it's either a username or a groupname */
+ return true;
+}
+
+bool is_socket_activated(void)
+{
+#ifdef HAVE_SYSTEMD
+ return !!socket_activated;
+#else
+ return false;
+#endif
+}
+
+bool is_dbus_activated(void)
+{
+#ifdef HAVE_SYSTEMD
+ return !!dbus_activated;
+#else
+ return false;
+#endif
+}
diff --git a/src/util/util.h b/src/util/util.h
new file mode 100644
index 0000000..bc89ecb
--- /dev/null
+++ b/src/util/util.h
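Review bot: In `sss_utc_to_time_t()` the check `str[len-1] != 'Z'` runs right after `len = strlen(str)`, and only a NULL `str` is rejected before it, so an empty string makes the function read one byte before the start of the buffer. The callers are not part of this hunk, but a timestamp parser of this kind is presumably fed attribute values that SSSD does not control, so the length should be tested first: `if (len == 0 || str[len-1] != 'Z') {`. The header comment could also state that `format` has to consume the whole string, including the trailing `Z`, since the `*end != '\0'` check rejects anything else.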
@@ -0,0 +1,725 @@ +/* + Authors: + Simo Sorce + + Copyright (C) 2009 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSSD_UTIL_H__ +#define __SSSD_UTIL_H__ + +#include "config.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include + +#include "confdb/confdb.h" +#include "shared/io.h" +#include "shared/safealign.h" +#include "util/atomic_io.h" +#include "util/util_errors.h" +#include "util/sss_format.h" +#include "util/debug.h" + +/* name of the monitor server instance */ +#define SSSD_PIDFILE PID_PATH"/sssd.pid" +#define MAX_PID_LENGTH 10 + +#define _(STRING) gettext (STRING) + +#define ENUM_INDICATOR "*" + +#define CLEAR_MC_FLAG "clear_mc_flag" + +/** Default secure umask */ +#define SSS_DFL_UMASK 0177 + +/** Secure mask with executable bit */ +#define SSS_DFL_X_UMASK 0077 + +#ifndef NULL +#define NULL 0 +#endif + +#define ZERO_STRUCT(x) memset((char *)&(x), 0, sizeof(x)) + +#define SSSD_MAIN_OPTS SSSD_DEBUG_OPTS + +#define SSSD_SERVER_OPTS(uid, gid) \ + {"uid", 0, POPT_ARG_INT, &uid, 0, \ + _("The user ID to run the server as"), NULL}, \ + {"gid", 0, POPT_ARG_INT, &gid, 0, \ + _("The group ID to run the server as"), NULL}, + +extern int socket_activated; +extern int dbus_activated; + +#ifdef HAVE_SYSTEMD +#define SSSD_RESPONDER_OPTS \ + { "socket-activated", 0, POPT_ARG_NONE, &socket_activated, 0, \ + 
_("Informs that the responder has been socket-activated"), NULL }, \ + { "dbus-activated", 0, POPT_ARG_NONE, &dbus_activated, 0, \ + _("Informs that the responder has been dbus-activated"), NULL }, +#else +#define SSSD_RESPONDER_OPTS +#endif + +#define FLAGS_NONE 0x0000 +#define FLAGS_DAEMON 0x0001 +#define FLAGS_INTERACTIVE 0x0002 +#define FLAGS_PID_FILE 0x0004 +#define FLAGS_GEN_CONF 0x0008 +#define FLAGS_NO_WATCHDOG 0x0010 + +#define PIPE_INIT { -1, -1 } + +#define PIPE_FD_CLOSE(fd) do { \ + if (fd != -1) { \ + close(fd); \ + fd = -1; \ + } \ +} while(0); + +#define PIPE_CLOSE(p) do { \ + PIPE_FD_CLOSE(p[0]); \ + PIPE_FD_CLOSE(p[1]); \ +} while(0); + +#ifndef talloc_zfree +#define talloc_zfree(ptr) do { talloc_free(discard_const(ptr)); ptr = NULL; } while(0) +#endif + +#ifndef discard_const_p +#if defined(__intptr_t_defined) || defined(HAVE_INTPTR_T) +# define discard_const_p(type, ptr) ((type *)((intptr_t)(ptr))) +#else +# define discard_const_p(type, ptr) ((type *)(ptr)) +#endif +#endif + +#define TEVENT_REQ_RETURN_ON_ERROR(req) do { \ + enum tevent_req_state TRROEstate; \ + uint64_t TRROEuint64; \ + errno_t TRROEerr; \ + \ + if (tevent_req_is_error(req, &TRROEstate, &TRROEuint64)) { \ + TRROEerr = (errno_t)TRROEuint64; \ + if (TRROEstate == TEVENT_REQ_USER_ERROR) { \ + if (TRROEerr == 0) { \ + return ERR_INTERNAL; \ + } \ + return TRROEerr; \ + } \ + return ERR_INTERNAL; \ + } \ +} while (0) + +#define OUT_OF_ID_RANGE(id, min, max) \ + (id == 0 || (min && (id < min)) || (max && (id > max))) + +#include "util/dlinklist.h" + +/* From debug.c */ +void ldb_debug_messages(void *context, enum ldb_debug_level level, + const char *fmt, va_list ap); +int chown_debug_file(const char *filename, uid_t uid, gid_t gid); +int open_debug_file_ex(const char *filename, FILE **filep, bool want_cloexec); +int open_debug_file(void); +int rotate_debug_files(void); +void talloc_log_fn(const char *msg); + +/* From sss_log.c */ +#define SSS_LOG_EMERG 0 /* system is unusable */ 
+#define SSS_LOG_ALERT 1 /* action must be taken immediately */ +#define SSS_LOG_CRIT 2 /* critical conditions */ +#define SSS_LOG_ERR 3 /* error conditions */ +#define SSS_LOG_WARNING 4 /* warning conditions */ +#define SSS_LOG_NOTICE 5 /* normal but significant condition */ +#define SSS_LOG_INFO 6 /* informational */ +#define SSS_LOG_DEBUG 7 /* debug-level messages */ + +void sss_log(int priority, const char *format, ...) SSS_ATTRIBUTE_PRINTF(2, 3); +void sss_log_ext(int priority, int facility, const char *format, ...) SSS_ATTRIBUTE_PRINTF(3, 4); + +/* from server.c */ +struct main_context { + struct tevent_context *event_ctx; + struct confdb_ctx *confdb_ctx; + pid_t parent_pid; +}; + +errno_t server_common_rotate_logs(struct confdb_ctx *confdb, + const char *conf_entry); +int die_if_parent_died(void); +int pidfile(const char *path, const char *name); +int server_setup(const char *name, int flags, + uid_t uid, gid_t gid, + const char *conf_entry, + struct main_context **main_ctx); +void server_loop(struct main_context *main_ctx); +void orderly_shutdown(int status); + +/* from signal.c */ +void BlockSignals(bool block, int signum); +void (*CatchSignal(int signum,void (*handler)(int )))(int); + +/* from memory.c */ +typedef int (void_destructor_fn_t)(void *); + +struct mem_holder { + void *mem; + void_destructor_fn_t *fn; +}; + +void *sss_mem_attach(TALLOC_CTX *mem_ctx, + void *ptr, + void_destructor_fn_t *fn); + +int password_destructor(void *memctx); + +/* from usertools.c */ +char *get_uppercase_realm(TALLOC_CTX *memctx, const char *name); + +struct sss_names_ctx { + char *re_pattern; + char *fq_fmt; + + pcre *re; +}; + +/* initialize sss_names_ctx directly from arguments */ +int sss_names_init_from_args(TALLOC_CTX *mem_ctx, + const char *re_pattern, + const char *fq_fmt, + struct sss_names_ctx **out); + +/* initialize sss_names_ctx from domain configuration */ +int sss_names_init(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *domain, + struct 
sss_names_ctx **out); + +int sss_ad_default_names_ctx(TALLOC_CTX *mem_ctx, + struct sss_names_ctx **_out); + +int sss_parse_name(TALLOC_CTX *memctx, + struct sss_names_ctx *snctx, + const char *orig, char **_domain, char **_name); + +int sss_parse_name_for_domains(TALLOC_CTX *memctx, + struct sss_domain_info *domains, + const char *default_domain, + const char *orig, char **domain, char **name); + +char * +sss_get_cased_name(TALLOC_CTX *mem_ctx, const char *orig_name, + bool case_sensitive); + +errno_t +sss_get_cased_name_list(TALLOC_CTX *mem_ctx, const char * const *orig, + bool case_sensitive, const char ***_cased); + +/* Return fully-qualified name according to the fq_fmt. The name is allocated using + * talloc on top of mem_ctx + */ +char * +sss_tc_fqname(TALLOC_CTX *mem_ctx, struct sss_names_ctx *nctx, + struct sss_domain_info *domain, const char *name); + +/* Return fully-qualified name according to the fq_fmt. The name is allocated using + * talloc on top of mem_ctx. In contrast to sss_tc_fqname() sss_tc_fqname2() + * expects the domain and flat domain name as separate arguments. + */ +char * +sss_tc_fqname2(TALLOC_CTX *mem_ctx, struct sss_names_ctx *nctx, + const char *dom_name, const char *flat_dom_name, + const char *name); + +/* Return fully-qualified name formatted according to the fq_fmt. The buffer in "str" is + * "size" bytes long. Returns the number of bytes written on success or a negative + * value of failure. + * + * Pass a zero size to calculate the length that would be needed by the fully-qualified + * name. + */ +int +sss_fqname(char *str, size_t size, struct sss_names_ctx *nctx, + struct sss_domain_info *domain, const char *name); + + +/* Accepts fqname in the format shortname@domname only. */ +errno_t sss_parse_internal_fqname(TALLOC_CTX *mem_ctx, + const char *fqname, + char **_shortname, + char **_dom_name); + +/* Creates internal fqname in format shortname@domname. + * The domain portion is lowercased. 
*/ +char *sss_create_internal_fqname(TALLOC_CTX *mem_ctx, + const char *shortname, + const char *dom_name); + +/* Creates internal fqnames list in format shortname@domname. + * The domain portion is lowercased. */ +char **sss_create_internal_fqname_list(TALLOC_CTX *mem_ctx, + const char * const *shortname_list, + const char *dom_name); + +/* Turn fqname into cased shortname with replaced space. */ +char *sss_output_name(TALLOC_CTX *mem_ctx, + const char *fqname, + bool case_sensitive, + const char replace_space); + +int sss_output_fqname(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *name, + char override_space, + char **_output_name); + +const char *sss_get_name_from_msg(struct sss_domain_info *domain, + struct ldb_message *msg); + +/* from backup-file.c */ +int backup_file(const char *src, int dbglvl); + +/* check_file() + * Verify that a file has certain permissions and/or is of a certain + * file type. This function can be used to determine if a file is a + * symlink. + * Warning: use of this function implies a potential race condition + * Opening a file before or after checking it does NOT guarantee that + * it is still the same file. Additional checks should be performed + * on the caller_stat_buf to ensure that it has the same device and + * inode to minimize impact. Permission changes may have occurred, + * however. + */ +errno_t check_file(const char *filename, + uid_t uid, gid_t gid, mode_t mode, mode_t mask, + struct stat *caller_stat_buf, bool follow_symlink); + +/* check_fd() + * Verify that an open file descriptor has certain permissions and/or + * is of a certain file type. This function CANNOT detect symlinks, + * as the file is already open and symlinks have been traversed. This + * is the safer way to perform file checks and should be preferred + * over check_file for nearly all situations. 
+ */ +errno_t check_fd(int fd, uid_t uid, gid_t gid, + mode_t mode, mode_t mask, + struct stat *caller_stat_buf); + +/* check_and_open_readonly() + * Utility function to open a file and verify that it has certain + * permissions and is of a certain file type. This function wraps + * check_fd(), and is considered race-condition safe. + */ +errno_t check_and_open_readonly(const char *filename, int *fd, + uid_t uid, gid_t gid, + mode_t mode, mode_t mask); + +/* from util.c */ +#define SSS_NO_LINKLOCAL 0x01 +#define SSS_NO_LOOPBACK 0x02 +#define SSS_NO_MULTICAST 0x04 +#define SSS_NO_BROADCAST 0x08 + +#define SSS_NO_SPECIAL \ + (SSS_NO_LINKLOCAL|SSS_NO_LOOPBACK|SSS_NO_MULTICAST|SSS_NO_BROADCAST) + +/* These two functions accept addr in network order */ +bool check_ipv4_addr(struct in_addr *addr, uint8_t check); +bool check_ipv6_addr(struct in6_addr *addr, uint8_t check); + +const char * const * get_known_services(void); + +errno_t sss_user_by_name_or_uid(const char *input, uid_t *_uid, gid_t *_gid); + +int split_on_separator(TALLOC_CTX *mem_ctx, const char *str, + const char sep, bool trim, bool skip_empty, + char ***_list, int *size); + +char **parse_args(const char *str); + +struct cert_verify_opts { + bool do_ocsp; + bool do_verification; + char *ocsp_default_responder; + char *ocsp_default_responder_signing_cert; +}; + +errno_t parse_cert_verify_opts(TALLOC_CTX *mem_ctx, const char *verify_opts, + struct cert_verify_opts **cert_verify_opts); + +errno_t sss_hash_create(TALLOC_CTX *mem_ctx, + unsigned long count, + hash_table_t **tbl); + +errno_t sss_hash_create_ex(TALLOC_CTX *mem_ctx, + unsigned long count, + hash_table_t **tbl, + unsigned int directory_bits, + unsigned int segment_bits, + unsigned long min_load_factor, + unsigned long max_load_factor, + hash_delete_callback *delete_callback, + void *delete_private_data); + +/* Returns true if sudoUser value is a username or a groupname */ +bool is_user_or_group_name(const char *sudo_user_value); + +/* Returns true 
if the responder has been socket-activated */ +bool is_socket_activated(void); + +/* Returns true if the responder has been dbus-activated */ +bool is_dbus_activated(void); + +/** + * @brief Add two list of strings + * + * Create a new NULL-termintated list of strings by adding two lists together. + * + * @param[in] mem_ctx Talloc memory context for the new list. + * @param[in] l1 First NULL-termintated list of strings. + * @param[in] l2 Second NULL-termintated list of strings. + * @param[in] copy_strings If set to 'true' the list items will be copied + * otherwise only the pointers to the items are + * copied. + * @param[out] new_list New NULL-terminated list of strings. Must be freed + * with talloc_free() by the caller. If copy_strings + * is 'true' the new elements will be freed as well. + */ +errno_t add_strings_lists(TALLOC_CTX *mem_ctx, const char **l1, const char **l2, + bool copy_strings, char ***_new_list); + +/** + * @brief set file descriptor as nonblocking + * + * Set the O_NONBLOCK flag for the input fd + * + * @param[in] fd The file descriptor to set as nonblocking + * + * @return EOK on success, errno code otherwise + */ +errno_t sss_fd_nonblocking(int fd); + +/* Copy a NULL-terminated string list + * Returns NULL on out of memory error or invalid input + */ +const char **dup_string_list(TALLOC_CTX *memctx, const char **str_list); + +/* Take two string lists (terminated on a NULL char*) + * and return up to three arrays of strings based on + * shared ownership. + * + * Pass NULL to any return type you don't care about + */ +errno_t diff_string_lists(TALLOC_CTX *memctx, + char **string1, + char **string2, + char ***string1_only, + char ***string2_only, + char ***both_strings); + +/* Sanitize an input string (e.g. a username) for use in + * an LDAP/LDB filter + * Returns a newly-constructed string attached to mem_ctx + * It will fail only on an out of memory condition, where it + * will return ENOMEM. 
+ */ +errno_t sss_filter_sanitize(TALLOC_CTX *mem_ctx, + const char *input, + char **sanitized); + +errno_t sss_filter_sanitize_ex(TALLOC_CTX *mem_ctx, + const char *input, + char **sanitized, + const char *ignore); + +errno_t sss_filter_sanitize_for_dom(TALLOC_CTX *mem_ctx, + const char *input, + struct sss_domain_info *dom, + char **sanitized, + char **lc_sanitized); + +char * +sss_escape_ip_address(TALLOC_CTX *mem_ctx, int family, const char *addr); + +/* This function only removes first and last + * character if the first character was '['. + * + * NOTE: This means, that ipv6addr must NOT be followed + * by port number. + */ +errno_t +remove_ipv6_brackets(char *ipv6addr); + + +errno_t add_string_to_list(TALLOC_CTX *mem_ctx, const char *string, + char ***list_p); + +bool string_in_list(const char *string, char **list, bool case_sensitive); + +/** + * @brief Safely zero a segment of memory, + * prevents the compiler from optimizing out + * + * @param data The address of buffer to wipe + * @param size Size of the buffer + */ +void safezero(void *data, size_t size); + +int domain_to_basedn(TALLOC_CTX *memctx, const char *domain, char **basedn); + +bool is_host_in_domain(const char *host, const char *domain); + +/* from nscd.c */ +enum nscd_db { + NSCD_DB_PASSWD, + NSCD_DB_GROUP +}; + +int flush_nscd_cache(enum nscd_db flush_db); + +errno_t sss_nscd_parse_conf(const char *conf_path); + +/* from sss_tc_utf8.c */ +char * +sss_tc_utf8_str_tolower(TALLOC_CTX *mem_ctx, const char *s); +uint8_t * +sss_tc_utf8_tolower(TALLOC_CTX *mem_ctx, const uint8_t *s, size_t len, size_t *_nlen); +bool sss_string_equal(bool cs, const char *s1, const char *s2); + +/* len includes terminating '\0' */ +struct sized_string { + const char *str; + size_t len; +}; + +void to_sized_string(struct sized_string *out, const char *in); + +/* from domain_info.c */ +struct sss_domain_info *get_domains_head(struct sss_domain_info *domain); + +#define SSS_GND_DESCEND 0x01 +#define 
SSS_GND_INCLUDE_DISABLED 0x02 +#define SSS_GND_ALL_DOMAINS (SSS_GND_DESCEND | SSS_GND_INCLUDE_DISABLED) +struct sss_domain_info *get_next_domain(struct sss_domain_info *domain, + uint32_t gnd_flags); +struct sss_domain_info *find_domain_by_name(struct sss_domain_info *domain, + const char *name, + bool match_any); +struct sss_domain_info *find_domain_by_sid(struct sss_domain_info *domain, + const char *sid); +enum sss_domain_state sss_domain_get_state(struct sss_domain_info *dom); +void sss_domain_set_state(struct sss_domain_info *dom, + enum sss_domain_state state); +bool sss_domain_is_forest_root(struct sss_domain_info *dom); +const char *sss_domain_type_str(struct sss_domain_info *dom); + +struct sss_domain_info* +sss_get_domain_by_sid_ldap_fallback(struct sss_domain_info *domain, + const char* sid); + +struct sss_domain_info * +find_domain_by_object_name(struct sss_domain_info *domain, + const char *object_name); + +struct sss_domain_info * +find_domain_by_object_name_ex(struct sss_domain_info *domain, + const char *object_name, bool strict); + +bool subdomain_enumerates(struct sss_domain_info *parent, + const char *sd_name); + +char *subdomain_create_conf_path(TALLOC_CTX *mem_ctx, + struct sss_domain_info *subdomain); + +errno_t sssd_domain_init(TALLOC_CTX *mem_ctx, + struct confdb_ctx *cdb, + const char *domain_name, + const char *db_path, + struct sss_domain_info **_domain); + +void sss_domain_info_set_output_fqnames(struct sss_domain_info *domain, + bool output_fqname); + +bool sss_domain_info_get_output_fqnames(struct sss_domain_info *domain); + +#define IS_SUBDOMAIN(dom) ((dom)->parent != NULL) + +#define DOM_HAS_VIEWS(dom) ((dom)->has_views) + +/* the directory domain - realm mappings and other krb5 config snippers are + * written to */ +#define KRB5_MAPPING_DIR PUBCONF_PATH"/krb5.include.d" + +errno_t sss_get_domain_mappings_content(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + char **content); + +errno_t sss_write_domain_mappings(struct 
sss_domain_info *domain); + +errno_t sss_write_krb5_conf_snippet(const char *path, bool canonicalize, + bool udp_limit); + +errno_t get_dom_names(TALLOC_CTX *mem_ctx, + struct sss_domain_info *start_dom, + char ***_dom_names, + int *_dom_names_count); + +/* Returns true if the provider used for the passed domain is the "files" + * one. Otherwise returns false. */ +bool is_files_provider(struct sss_domain_info *domain); + +/* from util_lock.c */ +errno_t sss_br_lock_file(int fd, size_t start, size_t len, + int num_tries, useconds_t wait); + +#ifdef HAVE_PAC_RESPONDER +#define BUILD_WITH_PAC_RESPONDER true +#else +#define BUILD_WITH_PAC_RESPONDER false +#endif + +/* from well_known_sids.c */ +errno_t well_known_sid_to_name(const char *sid, const char **dom, + const char **name); + +errno_t name_to_well_known_sid(const char *dom, const char *name, + const char **sid); + +/* from string_utils.c */ +char *sss_replace_char(TALLOC_CTX *mem_ctx, + const char *in, + const char match, + const char sub); + +char * sss_replace_space(TALLOC_CTX *mem_ctx, + const char *orig_name, + const char replace_char); +char * sss_reverse_replace_space(TALLOC_CTX *mem_ctx, + const char *orig_name, + const char replace_char); + +#define GUID_BIN_LENGTH 16 +/* 16 2-digit hex values + 4 dashes + terminating 0 */ +#define GUID_STR_BUF_SIZE (2 * GUID_BIN_LENGTH + 4 + 1) + +errno_t guid_blob_to_string_buf(const uint8_t *blob, char *str_buf, + size_t buf_size); + +const char *get_last_x_chars(const char *str, size_t x); + +char **concatenate_string_array(TALLOC_CTX *mem_ctx, + char **arr1, size_t len1, + char **arr2, size_t len2); + +/* from become_user.c */ +errno_t become_user(uid_t uid, gid_t gid); +struct sss_creds; +errno_t switch_creds(TALLOC_CTX *mem_ctx, + uid_t uid, gid_t gid, + int num_gids, gid_t *gids, + struct sss_creds **saved_creds); +errno_t restore_creds(struct sss_creds *saved_creds); + +/* from sss_semanage.c */ +/* Please note that libsemange relies on files and directories 
created with + * certain permissions. Therefore the caller should make sure the umask is + * not too restricted (especially when called from the daemon code). + */ +int sss_set_seuser(const char *login_name, const char *seuser_name, + const char *mlsrange); +int sss_del_seuser(const char *login_name); +int sss_get_seuser(const char *linuxuser, + char **selinuxuser, + char **level); + +/* convert time from generalized form to unix time */ +errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time); + +/* Creates a unique file using mkstemp with provided umask. The template + * must end with XXXXXX. Returns the fd, sets _err to an errno value on error. + * + * Prefer using sss_unique_file() as it uses a secure umask internally. + */ +int sss_unique_file_ex(TALLOC_CTX *mem_ctx, + char *path_tmpl, + mode_t file_umask, + errno_t *_err); +int sss_unique_file(TALLOC_CTX *owner, + char *path_tmpl, + errno_t *_err); + +/* Creates a unique filename using mkstemp with secure umask. The template + * must end with XXXXXX + * + * path_tmpl must be a talloc context. Destructor would be set on the filename + * so that it's guaranteed the file is removed. 
+ */ +int sss_unique_filename(TALLOC_CTX *owner, char *path_tmpl); + +/* from util_watchdog.c */ +int setup_watchdog(struct tevent_context *ev, int interval); +void teardown_watchdog(void); + +/* from files.c */ +int sss_remove_tree(const char *root); +int sss_remove_subtree(const char *root); + +int sss_copy_tree(const char *src_root, + const char *dst_root, + mode_t mode_root, + uid_t uid, gid_t gid); + +int sss_copy_file_secure(const char *src, + const char *dest, + mode_t mode, + uid_t uid, gid_t gid, + bool force); + +int sss_create_dir(const char *parent_dir_path, + const char *dir_name, + mode_t mode, + uid_t uid, gid_t gid); + +/* from selinux.c */ +int selinux_file_context(const char *dst_name); +int reset_selinux_file_context(void); + +/* from util_preauth.c */ +errno_t create_preauth_indicator(void); + +#ifdef SSSD_LIBEXEC_PATH +#define P11_CHILD_LOG_FILE "p11_child" +#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child" +#define P11_CHILD_TIMEOUT_DEFAULT 10 +#endif /* SSSD_LIBEXEC_PATH */ + +#endif /* __SSSD_UTIL_H__ */ diff --git a/src/util/util_creds.h b/src/util/util_creds.h new file mode 100644 index 0000000..936b996 --- /dev/null +++ b/src/util/util_creds.h 
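Review bot: `struct cert_verify_opts` is declared without any comment, although its `do_verification` flag switches certificate validation off: the option parser in the util.c part of this diff sets it to `false` next to a debug message saying this should not be used in production. I would document the fields at the declaration, for example `/* do_verification: false disables certificate validation altogether; testing only */` and `/* ocsp_default_responder and ocsp_default_responder_signing_cert must be set together */`. That way code consuming the struct treats a cleared flag as an explicit exception rather than a neutral default. The second comment reflects the pairing check visible just before the parser's `done:` label. The start of that function lies outside the lines shown here, so the initial values of the two booleans should be confirmed before they go into the comment.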
@@ -0,0 +1,83 @@ +/* + Authors: + Simo Sorce + + Copyright (C) 2016 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __SSSD_UTIL_CREDS_H__ +#define __SSSD_UTIL_CREDS_H__ + +/* following code comes from gss-proxy's gp_selinux.h file */ +#ifdef HAVE_SELINUX + +#include +#define SELINUX_CTX context_t +#include +#define SEC_CTX security_context_t + +#define SELINUX_context_new context_new +#define SELINUX_context_free context_free +#define SELINUX_context_str context_str +#define SELINUX_context_type_get context_type_get +#define SELINUX_context_user_get context_user_get +#define SELINUX_context_role_get context_role_get +#define SELINUX_context_range_get context_range_get +#define SELINUX_getpeercon getpeercon +#define SELINUX_freecon freecon + +#else /* not HAVE_SELINUX */ + +#define SELINUX_CTX void * +#define SEC_CTX void * + +#define SELINUX_context_new(x) NULL +#define SELINUX_context_free(x) (x) = NULL +#define SELINUX_context_dummy_get(x) "" +#define SELINUX_context_str SELINUX_context_dummy_get +#define SELINUX_context_type_get SELINUX_context_dummy_get +#define SELINUX_context_user_get SELINUX_context_dummy_get +#define SELINUX_context_role_get SELINUX_context_dummy_get +#define SELINUX_context_range_get SELINUX_context_dummy_get + +#include +#define SELINUX_getpeercon(x, y) -1; do { \ + *(y) = NULL; \ + errno = ENOTSUP; \ +} while(0) + +#define SELINUX_freecon(x) (x) = NULL + +#endif /* done 
HAVE_SELINUX */ + +#ifdef HAVE_UCRED +#include +struct cli_creds { + struct ucred ucred; + SELINUX_CTX selinux_ctx; +}; + +#define cli_creds_get_uid(x) x->ucred.uid +#define cli_creds_get_gid(x) x->ucred.gid + +#else /* not HAVE_UCRED */ +struct cli_creds { + SELINUX_CTX selinux_ctx; +}; +#define cli_creds_get_uid(x) -1 +#endif /* done HAVE_UCRED */ + +#endif /* __SSSD_UTIL_CREDS_H__ */ diff --git a/src/util/util_errors.c b/src/util/util_errors.c new file mode 100644 index 0000000..e2bb2a0 --- /dev/null +++ b/src/util/util_errors.c 
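Review bot: The non-SELinux fallback `SELINUX_getpeercon(x, y)` expands to `-1; do { ... } while(0)`, which is two statements, so it only behaves as intended in a plain `ret = SELINUX_getpeercon(fd, &ctx);` statement. Inside a condition it does not compile, and as the body of an unbraced `if` the `do` block that clears `*(y)` and sets `errno` runs unconditionally. A single expression keeps the same result and side effects: `#define SELINUX_getpeercon(x, y) (*(y) = NULL, errno = ENOTSUP, -1)`. In the same hunk the non-`HAVE_UCRED` branch defines `cli_creds_get_uid` but no `cli_creds_get_gid`, and `cli_creds_get_uid(x) x->ucred.uid` leaves `x` unparenthesized. These accessors presumably feed peer-credential checks, so both branches should offer the same, fully parenthesized set of macros.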
@@ -0,0 +1,134 @@ +/* + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Authors: + Simo Sorce +*/ + +#include "util/util.h" + +struct err_string { + const char *msg; +}; + +struct err_string error_to_str[] = { + { "Invalid Error" }, /* ERR_INVALID */ + { "Internal Error" }, /* ERR_INTERNAL */ + { "SSSD is running" }, /* ERR_SSSD_RUNNING */ + { "SSSD is not running" }, /* ERR_SSSD_NOT_RUNNING */ + { "SSSD is offline" }, /* ERR_OFFLINE */ + { "Terminated" }, /* ERR_TERMINATED */ + { "Invalid data type" }, /* ERR_INVALID_DATA_TYPE */ + { "DP target is not configured" }, /* ERR_MISSING_DP_TARGET */ + { "Account Unknown" }, /* ERR_ACCOUNT_UNKNOWN */ + { "Invalid credential type" }, /* ERR_INVALID_CRED_TYPE */ + { "No credentials available" }, /* ERR_NO_CREDS */ + { "Credentials are expired" }, /* ERR_CREDS_EXPIRED */ + { "Credentials are expired, old ccache was removed" }, /* ERR_CREDS_EXPIRED_CCACHE */ + { "Failure setting user credentials"}, /* ERR_CREDS_INVALID */ + { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */ + { "No matching credentials found" }, /* ERR_NO_MATCHING_CREDS */ + { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */ + { "Authentication Denied" }, /* ERR_AUTH_DENIED */ + { "Authentication Failed" }, /* ERR_AUTH_FAILED */ + { "Password Change Denied" }, /* ERR_CHPASS_DENIED */ + { "Password Change Failed" }, /* ERR_CHPASS_FAILED */ + { "Network 
I/O Error" }, /* ERR_NETWORK_IO */ + { "Account Expired" }, /* ERR_ACCOUNT_EXPIRED */ + { "Password Expired" }, /* ERR_PASSWORD_EXPIRED */ + { "Password Expired (reject access)" }, /* ERR_PASSWORD_EXPIRED_REJECT */ + { "Password Expired (warn user)" }, /* ERR_PASSWORD_EXPIRED_WARN */ + { "Password Expired (ask for new password)" }, /* ERR_PASSWORD_EXPIRED_RENEW */ + { "Host Access Denied" }, /* ERR_ACCESS_DENIED */ + { "SRV record not found" }, /* ERR_SRV_NOT_FOUND */ + { "SRV lookup error" }, /* ERR_SRV_LOOKUP_ERROR */ + { "SRV lookup did not return any new server" }, /* ERR_SRV_DUPLICATES */ + { "Dynamic DNS update failed" }, /* ERR_DYNDNS_FAILED */ + { "Dynamic DNS update timed out" }, /* ERR_DYNDNS_TIMEOUT */ + { "Dynamic DNS update not possible while offline" }, /* ERR_DYNDNS_OFFLINE */ + { "Cannot parse input" }, /* ERR_INPUT_PARSE */ + { "Entry not found" }, /* ERR_NOT_FOUND */ + { "Domain not found" }, /* ERR_DOMAIN_NOT_FOUND */ + { "Malformed search filter" }, /* ERR_INVALID_FILTER, */ + { "No POSIX attributes detected" }, /* ERR_NO_POSIX */ + { "Extra attribute is a duplicate" }, /* ERR_DUP_EXTRA_ATTR */ + { "Malformed extra attribute" }, /* ERR_INVALID_EXTRA_ATTR */ + { "Cannot get bus message sender" }, /* ERR_SBUS_GET_SENDER_ERROR */ + { "Bus message has no sender" }, /* ERR_SBUS_NO_SENDER */ + { "Invalid SBUS path provided" }, /* ERR_SBUS_INVALID_PATH */ + { "User/Group SIDs not found" }, /* ERR_NO_SIDS */ + { "Bus method not supported" }, /* ERR_SBUS_NOSUP */ + { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */ + { "LDAP search returned a referral" }, /* ERR_REFERRAL */ + { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */ + { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */ + { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */ + { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */ + { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */ + { 
"Malformed cache entry" }, /* ERR_MALFORMED_ENTRY */ + { "Unexpected cache entry type" }, /* ERR_UNEXPECTED_ENTRY_TYPE */ + { "Failed to resolve one of user groups" }, /* ERR_SIMPLE_GROUPS_MISSING */ + { "Home directory is NULL" }, /* ERR_HOMEDIR_IS_NULL */ + { "Unsupported trust direction" }, /* ERR_TRUST_NOT_SUPPORTED */ + { "Retrieving keytab failed" }, /* ERR_IPA_GETKEYTAB_FAILED */ + { "Trusted forest root unknown" }, /* ERR_TRUST_FOREST_UNKNOWN */ + { "p11_child failed" }, /* ERR_P11_CHILD */ + { "Address family not supported" }, /* ERR_ADDR_FAMILY_NOT_SUPPORTED */ + { "Message sender is the bus" }, /* ERR_SBUS_SENDER_BUS */ + { "Subdomain is inactive" }, /* ERR_SUBDOM_INACTIVE */ + { "Account is locked" }, /* ERR_ACCOUNT_LOCKED */ + { "AD renewal child failed" }, /* ERR_RENEWAL_CHILD */ + { "SBUS request already handled" }, /* ERR_SBUS_REQUEST_HANDLED */ + { "Sysdb version is too old" }, /* ERR_SYSDB_VERSION_TOO_OLD */ + { "Sysdb version is too new" }, /* ERR_SYSDB_VERSION_TOO_NEW */ + { "Domain has to timestamp cache" }, /* ERR_NO_TS */ + { "No timestamp cache record" }, /* ERR_TS_CACHE_MISS */ + { "Dereference threshold reached" }, /* ERR_DEREF_THRESHOLD */ + { "The user is not handled by SSSD" }, /* ERR_NON_SSSD_USER */ + { "The internal name format cannot be parsed" }, /* ERR_WRONG_NAME_FORMAT */ + { "The maximum level of nested containers has been reached" }, /* ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL */ + { "No proxy server for secrets available"}, /* ERR_SEC_NO_PROXY */ + { "The maximum number of stored secrets has been reached" }, /* ERR_SEC_INVALID_TOO_MANY_SECRETS */ + { "The secret payload size is too large" }, /* ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE */ + { "No authentication methode available" }, /* ERR_NO_AUTH_METHOD_AVAILABLE */ + { "Smartcard authentication not supported" }, /* ERR_SC_AUTH_NOT_SUPPORTED */ + { "Malformed input KCM packet" }, /* ERR_KCM_MALFORMED_IN_PKT */ + { "KCM operation not implemented" }, /* ERR_KCM_OP_NOT_IMPLEMENTED */ + { 
"End of credential cache reached" }, /* ERR_KCM_CC_END */ + { "Credential cache name not allowed" }, /* ERR_KCM_WRONG_CCNAME_FORMAT */ + { "Cannot encode a JSON object to string" }, /* ERR_JSON_ENCODING */ + { "Cannot decode a JSON object from string" }, /* ERR_JSON_DECODING */ + { "Invalid certificate provided" }, /* ERR_INVALID_CERT */ + { "Unable to initialize SSL" }, /* ERR_SSL_FAILURE */ + { "Unable to verify peer" }, /* ERR_UNABLE_TO_VERIFY_PEER */ + { "Unable to resolve host" }, /* ERR_UNABLE_TO_RESOLVE_HOST */ + { "GetAccountDomain() not supported" }, /* ERR_GET_ACCT_DOM_NOT_SUPPORTED */ + { "The last GetAccountDomain() result is still valid" }, /* ERR_GET_ACCT_DOM_CACHED */ + { "ID is outside the allowed range" }, /* ERR_ID_OUTSIDE_RANGE */ + { "Group ID is duplicated" }, /* ERR_GID_DUPLICATED */ + { "ERR_LAST" } /* ERR_LAST */ +}; + + +const char *sss_strerror(errno_t error) +{ + if (IS_SSSD_ERROR(error)) { + return error_to_str[SSSD_ERR_IDX(error)].msg; + } + + return strerror(error); +} + diff --git a/src/util/util_errors.h b/src/util/util_errors.h new file mode 100644 index 0000000..4950172 --- /dev/null +++ b/src/util/util_errors.h 
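Review bot: `sss_strerror()` indexes `error_to_str[]` by position, and nothing in this file ties the table's length to `enum sssd_errors`, so an enum value added without a matching row shifts the messages or makes the lookup read past the end of the array. `IS_SSSD_ERROR` and `SSSD_ERR_IDX` are defined in util_errors.h outside the lines shown here. Assuming they bound the code by `ERR_LAST`, a compile-time check after the table closes the gap: `_Static_assert(sizeof(error_to_str) / sizeof(error_to_str[0]) == ERR_LAST - ERR_BASE + 1, "error_to_str out of sync with enum sssd_errors");` (or the negative-array-size equivalent if the build is not C11). The table could also be declared `const`, since the visible code only reads it. Two messages look like typos: "No authentication methode available" and "Domain has to timestamp cache", where the enum name `ERR_NO_TS` suggests "has no".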
@@ -0,0 +1,167 @@ +/* + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + + Authors: + Simo Sorce +*/ + +#ifndef __SSSD_UTIL_ERRORS_H__ +#define __SSSD_UTIL_ERRORS_H__ + +#ifndef HAVE_ERRNO_T +#define HAVE_ERRNO_T +typedef int errno_t; +#endif + +/* + * We define a specific number space so that we do not overlap with other + * generic errors returned by various libraries. This will make it easy + * to have functions that double check that what was returned was an SSSD + * specific error where it matters. For example we may want to ensure some + * particularly sensitive paths only return SSSD-specific errors as that + * will ensure all error conditions have been explicitly dealt with, + * and are not the result of assigning the wrong return result. 
+ * + * Basic system errno errors can still be used, but when an error condition + * does not properly map to a system error we should use an SSSD specific one + */ + +#define ERR_BASE 0x555D0000 +#define ERR_MASK 0x0000FFFF + +/* never use ERR_INVALID, it is used for catching and returning + * information on invalid error numbers */ +/* never use ERR_LAST, this represents the maximum error value available + * and is used to validate error codes */ +enum sssd_errors { + ERR_INVALID = ERR_BASE + 0, + ERR_INTERNAL, + ERR_SSSD_RUNNING, + ERR_SSSD_NOT_RUNNING, + ERR_OFFLINE, + ERR_TERMINATED, + ERR_INVALID_DATA_TYPE, + ERR_MISSING_DP_TARGET, + ERR_ACCOUNT_UNKNOWN, + ERR_INVALID_CRED_TYPE, + ERR_NO_CREDS, + ERR_CREDS_EXPIRED, + ERR_CREDS_EXPIRED_CCACHE, + ERR_CREDS_INVALID, + ERR_NO_CACHED_CREDS, + ERR_NO_MATCHING_CREDS, + ERR_CACHED_CREDS_EXPIRED, + ERR_AUTH_DENIED, + ERR_AUTH_FAILED, + ERR_CHPASS_DENIED, + ERR_CHPASS_FAILED, + ERR_NETWORK_IO, + ERR_ACCOUNT_EXPIRED, + ERR_PASSWORD_EXPIRED, + ERR_PASSWORD_EXPIRED_REJECT, + ERR_PASSWORD_EXPIRED_WARN, + ERR_PASSWORD_EXPIRED_RENEW, + ERR_ACCESS_DENIED, + ERR_SRV_NOT_FOUND, + ERR_SRV_LOOKUP_ERROR, + ERR_SRV_DUPLICATES, + ERR_DYNDNS_FAILED, + ERR_DYNDNS_TIMEOUT, + ERR_DYNDNS_OFFLINE, + ERR_INPUT_PARSE, + ERR_NOT_FOUND, + ERR_DOMAIN_NOT_FOUND, + ERR_INVALID_FILTER, + ERR_NO_POSIX, + ERR_DUP_EXTRA_ATTR, + ERR_INVALID_EXTRA_ATTR, + ERR_SBUS_GET_SENDER_ERROR, + ERR_SBUS_NO_SENDER, + ERR_SBUS_INVALID_PATH, + ERR_NO_SIDS, + ERR_SBUS_NOSUP, + ERR_NO_SYSBUS, + ERR_REFERRAL, + ERR_SELINUX_CONTEXT, + ERR_SELINUX_NOT_MANAGED, + ERR_REGEX_NOMATCH, + ERR_TIMESPEC_NOT_SUPPORTED, + ERR_INVALID_CONFIG, + ERR_MALFORMED_ENTRY, + ERR_UNEXPECTED_ENTRY_TYPE, + ERR_SIMPLE_GROUPS_MISSING, + ERR_HOMEDIR_IS_NULL, + ERR_TRUST_NOT_SUPPORTED, + ERR_IPA_GETKEYTAB_FAILED, + ERR_TRUST_FOREST_UNKNOWN, + ERR_P11_CHILD, + ERR_ADDR_FAMILY_NOT_SUPPORTED, + ERR_SBUS_SENDER_BUS, + ERR_SUBDOM_INACTIVE, + ERR_ACCOUNT_LOCKED, + ERR_RENEWAL_CHILD, + 
ERR_SBUS_REQUEST_HANDLED, + ERR_SYSDB_VERSION_TOO_OLD, + ERR_SYSDB_VERSION_TOO_NEW, + ERR_NO_TS, + ERR_TS_CACHE_MISS, + ERR_DEREF_THRESHOLD, + ERR_NON_SSSD_USER, + ERR_WRONG_NAME_FORMAT, + ERR_SEC_INVALID_CONTAINERS_NEST_LEVEL, + ERR_SEC_NO_PROXY, + ERR_SEC_INVALID_TOO_MANY_SECRETS, + ERR_SEC_PAYLOAD_SIZE_IS_TOO_LARGE, + ERR_NO_AUTH_METHOD_AVAILABLE, + ERR_SC_AUTH_NOT_SUPPORTED, + ERR_KCM_MALFORMED_IN_PKT, + ERR_KCM_OP_NOT_IMPLEMENTED, + ERR_KCM_CC_END, + ERR_KCM_WRONG_CCNAME_FORMAT, + ERR_JSON_ENCODING, + ERR_JSON_DECODING, + ERR_INVALID_CERT, + ERR_SSL_FAILURE, + ERR_UNABLE_TO_VERIFY_PEER, + ERR_UNABLE_TO_RESOLVE_HOST, + ERR_GET_ACCT_DOM_NOT_SUPPORTED, + ERR_GET_ACCT_DOM_CACHED, + ERR_ID_OUTSIDE_RANGE, + ERR_GID_DUPLICATED, + ERR_LAST /* ALWAYS LAST */ +}; + +#define SSSD_ERR_BASE(err) ((err) & ~ERR_MASK) +#define SSSD_ERR_IDX(err) ((err) & ERR_MASK) +#define IS_SSSD_ERROR(err) \ + ((SSSD_ERR_BASE(err) == ERR_BASE) && ((err) <= ERR_LAST)) + +#define ERR_OK 0 +/* Backwards compat */ +#ifndef EOK +#define EOK ERR_OK +#endif + +/** + * @brief return a string describing the error number like strerror() + * + * @param error An errno_t number, can be an SSSD error or a system error + * + * @return A statically allocated string. + */ +const char *sss_strerror(errno_t error); + +#endif /* __SSSD_UTIL_ERRORS_H__ */ diff --git a/src/util/util_ext.c b/src/util/util_ext.c new file mode 100644 index 0000000..04dc02a --- /dev/null +++ b/src/util/util_ext.c 
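Review bot: In src/util/util_errors.h, `enum sssd_errors` carries no reminder that every value needs an entry at the same position in `error_to_str[]` in util_errors.c, which `sss_strerror()` indexes with `SSSD_ERR_IDX(error)` once `IS_SSSD_ERROR()` accepts the value. If that table is sized by its initializers (its declaration is not visible here), a value added to the enum without a matching string would be read past the end of the array. I would add a comment above the enum such as `/* keep in sync with error_to_str[] in util_errors.c, same order */`, and a compile-time size check next to the table. `IS_SSSD_ERROR(err)` also evaluates its argument twice, so it should not be given an expression with side effects.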
@@ -0,0 +1,143 @@ +/* + SSSD helper calls - can be used by libraries for external use as well + + Authors: + Simo Sorce + + Copyright (C) 2017 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include +#include +#include +#include + +#define EOK 0 + +int split_on_separator(TALLOC_CTX *mem_ctx, const char *str, + const char sep, bool trim, bool skip_empty, + char ***_list, int *size) +{ + int ret; + const char *substr_end = str; + const char *substr_begin = str; + const char *sep_pos = NULL; + size_t substr_len; + char **list = NULL; + int num_strings = 0; + TALLOC_CTX *tmp_ctx = NULL; + + if (str == NULL || *str == '\0' || _list == NULL) { + return EINVAL; + } + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + return ENOMEM; + } + + do { + substr_len = 0; + + /* If this is not the first substring, then move from the separator. 
*/ + if (sep_pos != NULL) { + substr_end = sep_pos + 1; + substr_begin = sep_pos + 1; + } + + /* Find end of the first substring */ + while (*substr_end != sep && *substr_end != '\0') { + substr_end++; + substr_len++; + } + + sep_pos = substr_end; + + if (trim) { + /* Trim leading whitespace */ + while (isspace(*substr_begin) && substr_begin < substr_end) { + substr_begin++; + substr_len--; + } + + /* Trim trailing whitespace */ + while (substr_end - 1 > substr_begin && isspace(*(substr_end-1))) { + substr_end--; + substr_len--; + } + } + + /* Copy the substring to the output list of strings */ + if (skip_empty == false || substr_len > 0) { + list = talloc_realloc(tmp_ctx, list, char*, num_strings + 2); + if (list == NULL) { + ret = ENOMEM; + goto done; + } + + /* empty string is stored for substr_len == 0 */ + list[num_strings] = talloc_strndup(list, substr_begin, substr_len); + if (list[num_strings] == NULL) { + ret = ENOMEM; + goto done; + } + num_strings++; + } + + } while (*sep_pos != '\0'); + + if (list == NULL) { + /* No allocations were done, make space for the NULL */ + list = talloc(tmp_ctx, char *); + if (list == NULL) { + ret = ENOMEM; + goto done; + } + } + list[num_strings] = NULL; + + if (size) { + *size = num_strings; + } + + *_list = talloc_steal(mem_ctx, list); + ret = EOK; +done: + talloc_free(tmp_ctx); + return ret; +} + +bool string_in_list(const char *string, char **list, bool case_sensitive) +{ + size_t c; + int(*compare)(const char *s1, const char *s2); + + if (string == NULL || list == NULL || *list == NULL) { + return false; + } + + compare = case_sensitive ? strcmp : strcasecmp; + + for (c = 0; list[c] != NULL; c++) { + if (compare(string, list[c]) == 0) { + return true; + } + } + + return false; +} diff --git a/src/util/util_lock.c b/src/util/util_lock.c new file mode 100644 index 0000000..58d3b1b --- /dev/null +++ b/src/util/util_lock.c 
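Review bot: In `split_on_separator()` (src/util/util_ext.c) the two trimming loops pass a plain `char` to `isspace()`, which is undefined for negative values, so a byte >= 0x80 (for example inside a UTF-8 string) is a problem wherever `char` is signed. The calls should cast first: `while (substr_begin < substr_end && isspace((unsigned char)*substr_begin))` and `isspace((unsigned char)*(substr_end - 1))`. The function also has no comment describing its contract: an empty `str` returns EINVAL rather than an empty list, `size` is optional, and on success the NULL-terminated list is moved to `mem_ctx`.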
@@ -0,0 +1,87 @@ +/* + SSSD + + util_lock.c + + Authors: + Michal Zidek + + Copyright (C) 2012 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" + +errno_t sss_br_lock_file(int fd, size_t start, size_t len, + int num_tries, useconds_t wait) +{ + int ret; + struct flock lock; + int retries_left; + + if (num_tries <= 0) { + return EINVAL; + } + + lock.l_type = F_WRLCK; + lock.l_whence = SEEK_SET; + lock.l_start = start; + lock.l_len = len; + lock.l_pid = 0; + + for (retries_left = num_tries; retries_left > 0; retries_left--) { + ret = fcntl(fd, F_SETLK, &lock); + if (ret == -1) { + ret = errno; + if (ret == EACCES || ret == EAGAIN || ret == EINTR) { + DEBUG(SSSDBG_TRACE_FUNC, + "Failed to lock file. Retries left: %d\n", + retries_left - 1); + + if ((ret == EACCES || ret == EAGAIN) && (retries_left <= 1)) { + /* File is locked by someone else. Return EACCESS + * if this is the last try. */ + return EACCES; + } + + if (retries_left - 1 > 0) { + ret = usleep(wait); + if (ret == -1) { + DEBUG(SSSDBG_MINOR_FAILURE, + "usleep() failed -> ignoring\n"); + } + } + } else { + /* Error occurred */ + DEBUG(SSSDBG_CRIT_FAILURE, + "Unable to lock file.\n"); + return ret; + } + } else if (ret == 0) { + /* File successfully locked */ + break; + } + } + if (retries_left == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Unable to lock file.\n"); + return ret; + } + + return EOK; +} 
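Review bot: `sss_br_lock_file()` has no comment describing its contract, and the return values are not obvious from the signature. A header comment should state that `num_tries <= 0` returns EINVAL, that EACCES is returned when the range is still held elsewhere on the last try, that an EINTR on the last try is returned as EINTR, and that `wait` is the pause in microseconds between tries. It is also worth stating that this is an `fcntl(F_SETLK)` record lock: it is advisory, owned by the process rather than the descriptor, and is dropped when the process closes any descriptor for that file. The in-code comment spells the constant `EACCESS`; it should read `EACCES`.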
diff --git a/src/util/util_preauth.c b/src/util/util_preauth.c new file mode 100644 index 0000000..a2b0ac6 --- /dev/null +++ b/src/util/util_preauth.c 
@@ -0,0 +1,86 @@ +/* + SSSD + + Calls to manage the preauth indicator file + + Authors: + Sumit Bose + + Copyright (C) 2018 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include +#include + +#include "util/util.h" +#include "sss_client/sss_cli.h" + +static void cleanup_preauth_indicator(void) +{ + int ret; + + ret = unlink(PAM_PREAUTH_INDICATOR); + if (ret != EOK && errno != ENOENT) { + ret = errno; + DEBUG(SSSDBG_OP_FAILURE, + "Failed to remove preauth indicator file [%s] %d [%s].\n", + PAM_PREAUTH_INDICATOR, ret, sss_strerror(ret)); + } +} + +errno_t create_preauth_indicator(void) +{ + TALLOC_CTX *tmp_ctx; + errno_t ret; + int fd; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); + return ENOMEM; + } + + fd = open(PAM_PREAUTH_INDICATOR, O_CREAT | O_EXCL | O_WRONLY | O_NOFOLLOW, + 0644); + if (fd < 0) { + if (errno != EEXIST) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to create preauth indicator file [%s].\n", + PAM_PREAUTH_INDICATOR); + ret = EOK; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, + "Preauth indicator file [%s] already exists. Continuing.\n", + PAM_PREAUTH_INDICATOR); + } else { + close(fd); + } + + ret = atexit(cleanup_preauth_indicator); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "atexit failed. Continuing.\n"); + } + + ret = EOK; + +done: + talloc_free(tmp_ctx); + + return ret; +} 
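Review bot: In `create_preauth_indicator()` an `open()` failure other than EEXIST is logged without the errno and then reported to the caller as success (`ret = EOK; goto done;`), so a caller cannot tell that the indicator file was not created. If ignoring the failure is intended, say so in a comment and still log the cause: set `ret = errno;` before the DEBUG call and print `ret, sss_strerror(ret)` in it, as `cleanup_preauth_indicator()` already does. In the EEXIST branch the existing path is accepted without checking what it is, and the `atexit()` handler will later unlink it; a comment should state which process is expected to own that path. `tmp_ctx` is allocated and freed but never used and can be dropped.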
diff --git a/src/util/util_sss_idmap.c b/src/util/util_sss_idmap.c new file mode 100644 index 0000000..4ce4250 --- /dev/null +++ b/src/util/util_sss_idmap.c @@ -0,0 +1,32 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include +#include "util/util_sss_idmap.h" + +void *sss_idmap_talloc(size_t size, void *pvt) +{ + return talloc_size(pvt, size); +} + +void sss_idmap_talloc_free(void *ptr, void *pvt) +{ + talloc_free(ptr); +} diff --git a/src/util/util_sss_idmap.h b/src/util/util_sss_idmap.h new file mode 100644 index 0000000..bde4727 --- /dev/null +++ b/src/util/util_sss_idmap.h 
@@ -0,0 +1,28 @@ +/* + Authors: + Pavel Březina + + Copyright (C) 2013 Red Hat + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#ifndef __UTIL_SSS_IDMAP_H__ +#define __UTIL_SSS_IDMAP_H__ + +void *sss_idmap_talloc(size_t size, void *pvt); + +void sss_idmap_talloc_free(void *ptr, void *pvt); + +#endif /* __UTIL_SSS_IDMAP_H__ */ diff --git a/src/util/util_watchdog.c b/src/util/util_watchdog.c new file mode 100644 index 0000000..20a8b89 --- /dev/null +++ b/src/util/util_watchdog.c 
@@ -0,0 +1,263 @@ +/* + SSSD + + Timer Watchdog routines + + Copyright (C) Simo Sorce 2016 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include + +#include "util/util.h" + +#define WATCHDOG_DEF_INTERVAL 10 +#define WATCHDOG_MAX_TICKS 3 +#define DEFAULT_BUFFER_SIZE 4096 + +/* this is intentionally a global variable */ +struct watchdog_ctx { + timer_t timerid; + struct timeval interval; + struct tevent_timer *te; + volatile int ticks; + + /* To detect time shift. */ + struct tevent_context *ev; + int input_interval; + time_t timestamp; + struct tevent_fd *tfd; + int pipefd[2]; +} watchdog_ctx; + +static void watchdog_detect_timeshift(void) +{ + time_t prev_time; + time_t cur_time; + + prev_time = watchdog_ctx.timestamp; + cur_time = watchdog_ctx.timestamp = time(NULL); + if (cur_time < prev_time) { + /* Time shift detected. We need to restart watchdog. */ + if (write(watchdog_ctx.pipefd[1], "1", 1) != 1) { + if (getpid() == getpgrp()) { + kill(-getpgrp(), SIGTERM); + } else { + _exit(1); + } + } + } +} + +/* the watchdog is purposefully *not* handled by the tevent + * signal handler as it is meant to check if the daemon is + * still processing the event queue itself. 
A stuck process + * may not handle the event queue at all and thus not handle + * signals either */ +static void watchdog_handler(int sig) +{ + + watchdog_detect_timeshift(); + + /* if a pre-defined number of ticks passed by kills itself */ + if (__sync_add_and_fetch(&watchdog_ctx.ticks, 1) > WATCHDOG_MAX_TICKS) { + if (getpid() == getpgrp()) { + kill(-getpgrp(), SIGTERM); + } else { + _exit(1); + } + } +} + +static void watchdog_reset(void) +{ + __sync_and_and_fetch(&watchdog_ctx.ticks, 0); +} + +static void watchdog_event_handler(struct tevent_context *ev, + struct tevent_timer *te, + struct timeval current_time, + void *private_data) +{ + /* first thing reset the watchdog ticks */ + watchdog_reset(); + + /* then set a new watchodg event */ + watchdog_ctx.te = tevent_add_timer(ev, ev, + tevent_timeval_current_ofs(watchdog_ctx.interval.tv_sec, 0), + watchdog_event_handler, NULL); + /* if the function fails the watchdog will kill the + * process soon enough, so we just warn */ + if (!watchdog_ctx.te) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to create a watchdog timer event!\n"); + } +} + +static errno_t watchdog_fd_recv_data(int fd) +{ + ssize_t len; + char buffer[DEFAULT_BUFFER_SIZE]; + errno_t ret; + + errno = 0; + len = read(fd, buffer, DEFAULT_BUFFER_SIZE); + if (len == -1) { + if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) { + return EAGAIN; + } else { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, + "write failed [%d]: %s\n", ret, strerror(ret)); + return ret; + } + } + + return EOK; +} + +static void watchdog_fd_read_handler(struct tevent_context *ev, + struct tevent_fd *fde, + uint16_t flags, + void *data) +{ + errno_t ret; + + ret = watchdog_fd_recv_data(watchdog_ctx.pipefd[0]); + switch(ret) { + case EAGAIN: + DEBUG(SSSDBG_TRACE_ALL, + "Interrupted before any data could be read, retry later.\n"); + return; + case EOK: + /* all fine */ + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to receive data [%d]: %s. 
" + "orderly_shutdown() will be called.\n", ret, strerror(ret)); + orderly_shutdown(1); + } + + DEBUG(SSSDBG_IMPORTANT_INFO, "Time shift detected, " + "restarting watchdog!\n"); + teardown_watchdog(); + ret = setup_watchdog(watchdog_ctx.ev, watchdog_ctx.input_interval); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, "Unable to restart watchdog " + "[%d]: %s\n", ret, sss_strerror(ret)); + orderly_shutdown(1); + } + if (strncmp(debug_prg_name, "sssd[be[", sizeof("sssd[be[") - 1) == 0) { + kill(getpid(), SIGUSR2); + DEBUG(SSSDBG_IMPORTANT_INFO, "SIGUSR2 sent to %s\n", debug_prg_name); + } +} + +int setup_watchdog(struct tevent_context *ev, int interval) +{ + struct sigevent sev; + struct itimerspec its; + struct tevent_fd *tfd; + int signum = SIGRTMIN; + int ret; + + ZERO_STRUCT(sev); + CatchSignal(signum, watchdog_handler); + + sev.sigev_notify = SIGEV_SIGNAL; + sev.sigev_signo = signum; + sev.sigev_value.sival_ptr = &watchdog_ctx.timerid; + errno = 0; + ret = timer_create(CLOCK_MONOTONIC, &sev, &watchdog_ctx.timerid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to create watchdog timer (%d) [%s]\n", + ret, strerror(ret)); + return ret; + } + + if (interval == 0) { + interval = WATCHDOG_DEF_INTERVAL; + } + watchdog_ctx.interval.tv_sec = interval; + watchdog_ctx.interval.tv_usec = 0; + + watchdog_ctx.ev = ev; + watchdog_ctx.input_interval = interval; + watchdog_ctx.timestamp = time(NULL); + + ret = pipe(watchdog_ctx.pipefd); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "pipe failed [%d] [%s].\n", ret, strerror(ret)); + return ret; + } + + sss_fd_nonblocking(watchdog_ctx.pipefd[0]); + sss_fd_nonblocking(watchdog_ctx.pipefd[1]); + + tfd = tevent_add_fd(ev, (TALLOC_CTX *)ev, watchdog_ctx.pipefd[0], + TEVENT_FD_READ, watchdog_fd_read_handler, NULL); + watchdog_ctx.tfd = tfd; + + /* Start the timer */ + /* we give 1 second head start to the watchdog event */ + its.it_value.tv_sec = interval + 1; + its.it_value.tv_nsec = 
0; + its.it_interval.tv_sec = interval; + its.it_interval.tv_nsec = 0; + errno = 0; + ret = timer_settime(watchdog_ctx.timerid, 0, &its, NULL); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to create watchdog timer (%d) [%s]\n", + ret, strerror(ret)); + return ret; + } + + /* Add the watchdog event and make it fire as fast as the timer */ + watchdog_event_handler(ev, NULL, tevent_timeval_zero(), NULL); + + return EOK; +} + +void teardown_watchdog(void) +{ + int ret; + + /* Disarm the timer */ + errno = 0; + ret = timer_delete(watchdog_ctx.timerid); + if (ret == -1) { + ret = errno; + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to destroy watchdog timer (%d) [%s]\n", + ret, strerror(ret)); + } + + /* Free the tevent_fd */ + talloc_zfree(watchdog_ctx.tfd); + + /* Close the pipefds */ + PIPE_FD_CLOSE(watchdog_ctx.pipefd[0]); + PIPE_FD_CLOSE(watchdog_ctx.pipefd[1]); + + /* and kill the watchdog event */ + talloc_free(watchdog_ctx.te); +} diff --git a/src/util/well_known_sids.c b/src/util/well_known_sids.c new file mode 100644 index 0000000..38fe264 --- /dev/null +++ b/src/util/well_known_sids.c 
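Review bot: `setup_watchdog()` does not check the result of `tevent_add_fd()` and does not undo earlier steps on its error returns: a failed `pipe()` leaves the timer from `timer_create()` in place, and a failed `timer_settime()` leaves the timer, both pipe descriptors and the fd event. With a NULL `tfd` the time-shift pipe is never read, so the restart that `watchdog_detect_timeshift()` asks for never happens. Because `watchdog_fd_read_handler()` calls `setup_watchdog()` again after every time shift, these paths can run more than once in a process. The lines below add the check and the cleanup without calling `teardown_watchdog()`, because that function frees `watchdog_ctx.te` without resetting it. Separately, `watchdog_fd_recv_data()` logs "write failed" when `read()` fails; the message should say "read failed".

```c
    ret = pipe(watchdog_ctx.pipefd);
    if (ret == -1) {
        ret = errno;
        /* ... unchanged: DEBUG "pipe failed" ... */
        timer_delete(watchdog_ctx.timerid);
        return ret;
    }

    /* ... unchanged: sss_fd_nonblocking() on both pipe ends ... */

    tfd = tevent_add_fd(ev, (TALLOC_CTX *)ev, watchdog_ctx.pipefd[0],
                        TEVENT_FD_READ, watchdog_fd_read_handler, NULL);
    if (tfd == NULL) {
        DEBUG(SSSDBG_FATAL_FAILURE, "tevent_add_fd failed.\n");
        ret = ENOMEM;
        goto fail;
    }
    watchdog_ctx.tfd = tfd;

    /* ... unchanged: fill in its, call timer_settime() ... */
    if (ret == -1) {
        ret = errno;
        /* ... unchanged: DEBUG for the timer_settime() failure ... */
        goto fail;
    }

    /* ... unchanged: watchdog_event_handler() call, return EOK ... */

fail:
    /* Undo everything set up above so a later retry starts clean */
    talloc_zfree(watchdog_ctx.tfd);
    PIPE_FD_CLOSE(watchdog_ctx.pipefd[0]);
    PIPE_FD_CLOSE(watchdog_ctx.pipefd[1]);
    timer_delete(watchdog_ctx.timerid);
    return ret;
```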
@@ -0,0 +1,313 @@ +/* + Authors: + Sumit Bose + + Copyright (C) 2013 Red Hat + + Translate well-known SIDs to domains and names + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "util/util.h" +#include "util/strtonum.h" + +/* Well-Known SIDs are documented in section 2.4.2.4 "Well-Known SID + * Structures" of the "[MS-DTYP]: Windows Data Types" document. */ + +#define DOM_SID_PREFIX "S-1-5-21-" +#define DOM_SID_PREFIX_LEN (sizeof(DOM_SID_PREFIX) - 1) + +#define BUILTIN_SID_PREFIX "S-1-5-32-" +#define BUILTIN_SID_PREFIX_LEN (sizeof(BUILTIN_SID_PREFIX) - 1) +#define BUILTIN_DOM_NAME "BUILTIN" + +#define NT_SID_PREFIX "S-1-5-" +#define NT_SID_PREFIX_LEN (sizeof(NT_SID_PREFIX) - 1) +#define NT_DOM_NAME "NT AUTHORITY" + +#define SPECIAL_SID_PREFIX "S-1-" +#define SPECIAL_SID_PREFIX_LEN (sizeof(SPECIAL_SID_PREFIX) - 1) +#define NULL_DOM_NAME "NULL AUTHORITY" +#define WORLD_DOM_NAME "WORLD AUTHORITY" +#define LOCAL_DOM_NAME "LOCAL AUTHORITY" +#define CREATOR_DOM_NAME "CREATOR AUTHORITY" + +#define NT_MAP_ENTRY(rid, name) {rid, NT_SID_PREFIX #rid, name} +#define BUILTIN_MAP_ENTRY(rid, name) {rid, BUILTIN_SID_PREFIX #rid, name} +#define SPECIAL_MAP_ENTRY(id_auth, rid, dom, name) \ + {(48 + id_auth), (48 + rid), SPECIAL_SID_PREFIX #id_auth "-" #rid, dom, name} + +struct rid_sid_name { + uint32_t rid; + const char *sid; + const char *name; +}; + +struct special_map { + const char id_auth; + char rid; + const char 
*sid; + const char *dom; + const char *name; +}; + +struct rid_sid_name builtin_map[] = { + BUILTIN_MAP_ENTRY(544, "Administrators"), + BUILTIN_MAP_ENTRY(545, "Users"), + BUILTIN_MAP_ENTRY(546, "Guests"), + BUILTIN_MAP_ENTRY(547, "Power Users"), + BUILTIN_MAP_ENTRY(548, "Account Operators"), + BUILTIN_MAP_ENTRY(549, "Server Operators"), + BUILTIN_MAP_ENTRY(550, "Print Operators"), + BUILTIN_MAP_ENTRY(551, "Backup Operators"), + BUILTIN_MAP_ENTRY(552, "Replicator"), + BUILTIN_MAP_ENTRY(554, "Pre-Windows 2000 Compatible Access"), + BUILTIN_MAP_ENTRY(555, "Remote Desktop Users"), + BUILTIN_MAP_ENTRY(556, "Network Configuration Operators"), + BUILTIN_MAP_ENTRY(557, "Incoming Forest Trust Builders"), + BUILTIN_MAP_ENTRY(558, "Performance Monitor Users"), + BUILTIN_MAP_ENTRY(559, "Performance Log Users"), + BUILTIN_MAP_ENTRY(560, "Windows Authorization Access Group"), + BUILTIN_MAP_ENTRY(561, "Terminal Server License Servers"), + BUILTIN_MAP_ENTRY(562, "Distributed COM Users"), + BUILTIN_MAP_ENTRY(568, "IIS_IUSRS"), + BUILTIN_MAP_ENTRY(569, "Cryptographic Operators"), + BUILTIN_MAP_ENTRY(573, "Event Log Readers"), + BUILTIN_MAP_ENTRY(574, "Certificate Service DCOM Access"), + BUILTIN_MAP_ENTRY(575, "RDS Remote Access Servers"), + BUILTIN_MAP_ENTRY(576, "RDS Endpoint Servers"), + BUILTIN_MAP_ENTRY(577, "RDS Management Servers"), + BUILTIN_MAP_ENTRY(578, "Hyper-V Admins"), + BUILTIN_MAP_ENTRY(579, "Access Control Assistance OPS"), + BUILTIN_MAP_ENTRY(580, "Remote Management Users"), + + {UINT32_MAX, NULL, NULL} +}; + +struct rid_sid_name nt_map[] = { + NT_MAP_ENTRY(1, "DIALUP"), + NT_MAP_ENTRY(2, "NETWORK"), + NT_MAP_ENTRY(3, "BATCH"), + NT_MAP_ENTRY(4, "INTERACTIVE"), + NT_MAP_ENTRY(6, "SERVICE"), + NT_MAP_ENTRY(7, "ANONYMOUS LOGON"), + NT_MAP_ENTRY(8, "PROXY"), + NT_MAP_ENTRY(9, "ENTERPRISE DOMAIN CONTROLLERS"), + NT_MAP_ENTRY(10, "SELF"), + NT_MAP_ENTRY(11, "Authenticated Users"), + NT_MAP_ENTRY(12, "RESTRICTED"), + NT_MAP_ENTRY(13, "TERMINAL SERVER USER"), + 
NT_MAP_ENTRY(14, "REMOTE INTERACTIVE LOGON"), + NT_MAP_ENTRY(15, "This Organization"), + NT_MAP_ENTRY(17, "IUSR"), + NT_MAP_ENTRY(18, "SYSTEM"), + NT_MAP_ENTRY(19, "LOCAL SERVICE"), + NT_MAP_ENTRY(20, "NETWORK SERVICE"), + + {UINT32_MAX, NULL, NULL} +}; + +/* The code to handle the SIDs of the Null, World, Local and Creator + * Authorities (id_auth=0,1,2,3 respectively) is optimized to handle only + * single digit id_auth and rid. */ + +struct special_map sp_map[] = { + SPECIAL_MAP_ENTRY(0, 0, NULL_DOM_NAME, "NULL SID"), + SPECIAL_MAP_ENTRY(1, 0, WORLD_DOM_NAME, "Everyone"), + SPECIAL_MAP_ENTRY(2, 0, LOCAL_DOM_NAME, "LOCAL"), + SPECIAL_MAP_ENTRY(2, 1, LOCAL_DOM_NAME, "CONSOLE LOGON"), + SPECIAL_MAP_ENTRY(3, 0, CREATOR_DOM_NAME, "CREATOR OWNER"), + SPECIAL_MAP_ENTRY(3, 1, CREATOR_DOM_NAME, "CREATOR GROUP"), + SPECIAL_MAP_ENTRY(3, 2, CREATOR_DOM_NAME, "CREATOR OWNER SERVER"), + SPECIAL_MAP_ENTRY(3, 3, CREATOR_DOM_NAME, "CREATOR GROUP SERVER"), + SPECIAL_MAP_ENTRY(3, 4, CREATOR_DOM_NAME, "OWNER RIGHTS"), + SPECIAL_MAP_ENTRY(18,1, "ASSERTED IDENTITY", "AUTHENTICATION ASSERTION"), + SPECIAL_MAP_ENTRY(18,2, "ASSERTED IDENTITY", "SERVICE ASSERTION"), + + {'\0', '\0', NULL, NULL, NULL} +}; + +static errno_t handle_special_sids(const char *sid, const char **dom, + const char **name) +{ + size_t c; + + if (!isdigit(sid[SPECIAL_SID_PREFIX_LEN]) + || sid[SPECIAL_SID_PREFIX_LEN + 1] != '-' + || !isdigit(sid[SPECIAL_SID_PREFIX_LEN + 2]) + || sid[SPECIAL_SID_PREFIX_LEN + 3] != '\0' ) { + return EINVAL; + } + + for (c = 0; sp_map[c].name != NULL; c++) { + if (sid[SPECIAL_SID_PREFIX_LEN] == sp_map[c].id_auth + && sid[SPECIAL_SID_PREFIX_LEN + 2] == sp_map[c].rid) { + *name = sp_map[c].name; + *dom = sp_map[c].dom; + return EOK; + } + } + + return EINVAL; +} + +static errno_t handle_special_names(const char *dom, const char *name, + const char **sid) +{ + size_t c; + + for (c = 0; sp_map[c].name != NULL; c++) { + if (strcmp(name, sp_map[c].name) == 0 + && strcmp(dom, sp_map[c].dom) 
== 0) { + *sid = sp_map[c].sid; + return EOK; + } + } + + return EINVAL; +} + +static errno_t handle_rid_to_name_map(const char *sid, size_t prefix_len, + struct rid_sid_name *map, + const char* dom_name, const char **dom, + const char **name) +{ + uint32_t rid; + char *endptr; + size_t c; + + errno = 0; + rid = (uint32_t) strtouint32(sid + prefix_len, &endptr, 10); + if (errno != 0 || *endptr != '\0') { + return EINVAL; + } + + for (c = 0; map[c].name != NULL; c++) { + if (rid == map[c].rid) { + *name = map[c].name; + *dom = dom_name; + return EOK; + } + } + + return EINVAL; +} + +static errno_t handle_name_to_sid_map(const char *name, + struct rid_sid_name *map, + const char **sid) +{ + size_t c; + + for (c = 0; map[c].name != NULL; c++) { + if (strcmp(name, map[c].name) == 0) { + *sid = map[c].sid; + return EOK; + } + } + + return EINVAL; +} + +static errno_t handle_nt_sids(const char *sid, const char **dom, + const char **name) +{ + return handle_rid_to_name_map(sid, NT_SID_PREFIX_LEN, nt_map, NT_DOM_NAME, + dom, name); +} + +static errno_t handle_nt_names(const char *name, const char **sid) +{ + return handle_name_to_sid_map(name, nt_map, sid); +} + +static errno_t handle_builtin_sids(const char *sid, const char **dom, + const char **name) +{ + return handle_rid_to_name_map(sid, BUILTIN_SID_PREFIX_LEN, builtin_map, + BUILTIN_DOM_NAME, dom, name); +} + +static errno_t handle_builtin_names(const char *name, const char **sid) +{ + return handle_name_to_sid_map(name, builtin_map, sid); +} + +errno_t well_known_sid_to_name(const char *sid, const char **dom, + const char **name) +{ + int ret; + + if (sid == NULL || dom == NULL || name == NULL) { + return EINVAL; + } + + if (strncmp(sid, DOM_SID_PREFIX, DOM_SID_PREFIX_LEN) == 0) { + ret = ENOENT; + } else if (strncmp(sid, BUILTIN_SID_PREFIX, BUILTIN_SID_PREFIX_LEN) == 0) { + ret = handle_builtin_sids(sid, dom, name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "handle_builtin_sids failed.\n"); + } + } else if 
(strncmp(sid, NT_SID_PREFIX, NT_SID_PREFIX_LEN) == 0) { + ret = handle_nt_sids(sid, dom, name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "handle_nt_sids failed.\n"); + } + } else if (strncmp(sid, SPECIAL_SID_PREFIX, SPECIAL_SID_PREFIX_LEN) == 0) { + ret = handle_special_sids(sid, dom, name); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "handle_special_sids failed.\n"); + } + } else { + ret = EINVAL; + } + + return ret; +} + +errno_t name_to_well_known_sid(const char *dom, const char *name, + const char **sid) +{ + int ret; + + if (sid == NULL || dom == NULL || name == NULL) { + return EINVAL; + } + + if (strcmp(dom, NT_DOM_NAME) == 0) { + ret = handle_nt_names(name, sid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "handle_nt_name failed.\n"); + } + } else if (strcmp(dom, BUILTIN_DOM_NAME) == 0) { + ret = handle_builtin_names(name, sid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "handle_builtin_name failed.\n"); + } + } else if (strcmp(dom, NULL_DOM_NAME) == 0 + || strcmp(dom, WORLD_DOM_NAME) == 0 + || strcmp(dom, LOCAL_DOM_NAME) == 0 + || strcmp(dom, CREATOR_DOM_NAME) == 0) { + ret = handle_special_names(dom, name, sid); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "handle_special_name failed.\n"); + } + } else { + ret = ENOENT; + } + + return ret; +} diff --git a/version.m4 b/version.m4 new file mode 100644 index 0000000..0130ee7 --- /dev/null +++ b/version.m4 @@ -0,0 +1,12 @@ +# Primary version number +m4_define([VERSION_NUMBER], [1.16.3]) + +# If the PRERELEASE_VERSION_NUMBER is set, we'll append +# it to the release tag when creating an RPM or SRPM +# This is intended for build systems to create snapshot +# RPMs. The format should be something like: +# .20090915gitf1bcde7 +# and would result in an SRPM looking like: +# sssd-0.5.0-0.20090915gitf1bcde7.fc11.src.rpm +m4_define([PRERELEASE_VERSION_NUMBER], []) + -- 2.30.2
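Review bot: In src/util/well_known_sids.c the two `SPECIAL_MAP_ENTRY(18, ...)` rows ("ASSERTED IDENTITY") in `sp_map` cannot be reached in either direction. `handle_special_sids()` accepts only a single digit followed by `-` at that position, so `S-1-18-1` and `S-1-18-2` return EINVAL, and `name_to_well_known_sid()` does not list "ASSERTED IDENTITY" among the domains it passes to `handle_special_names()`, so those names return ENOENT. Comparing the whole string, `if (strcmp(sid, sp_map[c].sid) == 0) {`, in place of the digit test and the `id_auth`/`rid` comparison would cover the SID side, and an extra `|| strcmp(dom, "ASSERTED IDENTITY") == 0` would cover the name side. If the digit test stays, its `isdigit()` calls should be given `(unsigned char)` values.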